From ecaf5866106b8f08bdb7c1b4f489ef4dfd01278a Mon Sep 17 00:00:00 2001 
From: Apple
Date: Wed, 15 Aug 2018 19:08:10 +0000
Subject: [PATCH] Security-58286.51.6.tar.gz
---
.../Clients/SOSAnalytics.h | 46 +- Analytics/Clients/SOSAnalytics.m | 76 + Analytics/SFAnalytics+Internal.h | 38 + Analytics/SFAnalytics.h | 87 + Analytics/SFAnalytics.m | 530 + Analytics/SFAnalytics.plist | 26 + .../SFAnalyticsActivityTracker+Internal.h | 39 + Analytics/SFAnalyticsActivityTracker.h | 42 + Analytics/SFAnalyticsActivityTracker.m | 103 + Analytics/SFAnalyticsDefines.h | 72 + Analytics/SFAnalyticsLogger.h | 72 - Analytics/SFAnalyticsLogger.m | 985 - Analytics/SFAnalyticsLogging.plist | 16 - Analytics/SFAnalyticsMultiSampler+Internal.h | 39 + Analytics/SFAnalyticsMultiSampler.h | 43 + Analytics/SFAnalyticsMultiSampler.m | 176 + Analytics/SFAnalyticsSQLiteStore.h | 54 + Analytics/SFAnalyticsSQLiteStore.m | 262 + Analytics/SFAnalyticsSampler+Internal.h | 37 + Analytics/SFAnalyticsSampler.h | 43 + Analytics/SFAnalyticsSampler.m | 167 + Analytics/SQLite/SFObjCType.h | 4 + Analytics/SQLite/SFObjCType.m | 5 +- Analytics/SQLite/SFSQLite.h | 7 +- Analytics/SQLite/SFSQLite.m | 61 +- Analytics/SQLite/SFSQLiteStatement.h | 4 + Analytics/SQLite/SFSQLiteStatement.m | 15 +- CSSMOID.exp-in | 127 + CircleJoinRequested/Applicant.m | 4 +- CircleJoinRequested/CircleJoinRequested.m | 7 +- KVSKeychainSyncingProxy/CKDKVSProxy.h | 3 + KVSKeychainSyncingProxy/CKDKVSProxy.m | 54 +- KVSKeychainSyncingProxy/CKDKVSStore.m | 43 +- KVSKeychainSyncingProxy/CKDLockMonitor.h | 4 +- KVSKeychainSyncingProxy/CKDStore.h | 2 +- .../XPCNotificationDispatcher.h | 2 +- KVSKeychainSyncingProxy/cloudkeychainproxy.m | 8 +- KeychainCircle/KCJoiningAcceptSession.m | 15 +- KeychainCircle/KCJoiningRequestSession.m | 4 + KeychainCircle/KCJoiningSession.h | 8 +- KeychainCircle/PairingChannel.m | 10 +- KeychainCircle/Tests/KCAESGCMTest.m | 8 +- KeychainCircle/Tests/KCJoiningSessionTest.m | 20 +- KeychainCircle/Tests/KCPairingTest.m | 6 +- .../KeychainSyncAccountNotification.m | 91 +-
KeychainSyncingOverIDSProxy/IDSProxy.h | 14 +- KeychainSyncingOverIDSProxy/IDSProxy.m | 33 +- ...ychainSyncingOverIDSProxy+ReceiveMessage.h | 2 +- ...ychainSyncingOverIDSProxy+ReceiveMessage.m | 76 +- .../KeychainSyncingOverIDSProxy+SendMessage.h | 4 +- .../KeychainSyncingOverIDSProxy+SendMessage.m | 94 +- .../keychainsyncingoveridsproxy.m | 40 +- .../SecurityTests-Entitlements.plist | 14 +- OSX/authd/authorization.plist | 22 +- OSX/authd/engine.c | 14 +- OSX/config/lib.xcconfig | 2 +- OSX/config/security_framework_macos.xcconfig | 8 + OSX/config/security_macos.xcconfig | 3 - OSX/lib/generateErrStrings.pl | 223 +- .../lib/clNssUtils.cpp | 1 - .../lib/AuthSession.h | 4 +- .../lib/AuthorizationPlugin.h | 19 +- .../lib/osxverifier.h | 1 + OSX/libsecurity_cms/lib/CMSDecoder.cpp | 52 +- OSX/libsecurity_cms/lib/CMSEncoder.cpp | 27 + OSX/libsecurity_cms/lib/CMSEncoder.h | 3 +- OSX/libsecurity_cms/lib/CMSPrivate.h | 26 + .../libsecurity_cms.xcodeproj/project.pbxproj | 13 +- .../regressions/cms-hashagility-test.h | 180 + ...hagility-test.c => cms-hashagility-test.m} | 202 +- OSX/libsecurity_codesigning/lib/CSCommon.h | 4 +- OSX/libsecurity_codesigning/lib/Code.cpp | 2 + OSX/libsecurity_codesigning/lib/SecCode.cpp | 2 + OSX/libsecurity_codesigning/lib/SecCode.h | 2 + OSX/libsecurity_codesigning/lib/SecCodePriv.h | 2 + OSX/libsecurity_codesigning/lib/policydb.cpp | 2 +- .../lib/policyengine.cpp | 35 +- .../lib/policyengine.h | 5 +- OSX/libsecurity_codesigning/lib/requirement.h | 1 + OSX/libsecurity_cryptkit/lib/CryptKit.h | 28 - OSX/libsecurity_cryptkit/lib/CryptKitSA.h | 23 - OSX/libsecurity_cryptkit/lib/NSCipherFile.h | 111 - OSX/libsecurity_cryptkit/lib/NSCipherFile.m | 360 - OSX/libsecurity_cryptkit/lib/NSCryptors.h | 83 - OSX/libsecurity_cryptkit/lib/NSDESCryptor.h | 39 - OSX/libsecurity_cryptkit/lib/NSDESCryptor.m | 130 - OSX/libsecurity_cryptkit/lib/NSFEEPublicKey.h | 74 - OSX/libsecurity_cryptkit/lib/NSFEEPublicKey.m | 496 - .../lib/NSFEEPublicKeyPrivate.h | 36 - 
OSX/libsecurity_cryptkit/lib/NSMD5Hash.h | 34 - OSX/libsecurity_cryptkit/lib/NSMD5Hash.m | 79 - .../lib/NSRandomNumberGenerator.h | 36 - .../lib/NSRandomNumberGenerator.m | 83 - OSX/libsecurity_cryptkit/lib/mutils.h | 36 - OSX/libsecurity_cryptkit/lib/mutils.m | 44 - OSX/libsecurity_cssm/lib/cssmerr.h | 969 +- OSX/libsecurity_cssm/lib/cssmkrapi.h | 132 - OSX/libsecurity_cssm/lib/cssmspi.h | 33 - OSX/libsecurity_cssm/lib/cssmtype.h | 2 +- OSX/libsecurity_cssm/lib/eisl.h | 287 - OSX/libsecurity_cssm/lib/emmspi.h | 7 - OSX/libsecurity_keychain/lib/Item.cpp | 10 +- .../lib/MacOSErrorStrings.h | 2 +- OSX/libsecurity_keychain/lib/SecACL.cpp | 3 - OSX/libsecurity_keychain/lib/SecAsn1TypesP.h | 241 - OSX/libsecurity_keychain/lib/SecBase.cpp | 2 +- OSX/libsecurity_keychain/lib/SecBaseP.h | 91 - OSX/libsecurity_keychain/lib/SecFrameworkP.h | 64 - OSX/libsecurity_keychain/lib/SecIdentity.cpp | 3 - .../lib/SecIdentitySearch.cpp | 3 - OSX/libsecurity_keychain/lib/SecItem.cpp | 76 - OSX/libsecurity_keychain/lib/SecKeychain.cpp | 6 +- .../lib/SecKeychainPriv.h | 2 - OSX/libsecurity_keychain/lib/SecPolicy.cpp | 2 +- OSX/libsecurity_keychain/lib/SecRSAKeyP.h | 60 - OSX/libsecurity_keychain/lib/SecTrust.cpp | 5 +- .../lib/SecTrustOSXEntryPoints.cpp | 12 +- .../lib/SecTrustSettings.cpp | 8 +- .../lib/StorageManager.cpp | 2 +- OSX/libsecurity_keychain/lib/TokenLogin.cpp | 3 +- .../lib/certextensionsP.h | 546 - OSX/libsecurity_keychain/libDER/.gitignore | 3 - OSX/libsecurity_keychain/libDER/README.txt | 34 - .../certsCrls/EndCertificateCP.01.01.crt | Bin 650 -> 0 bytes .../libDER/Tests/certsCrls/Test_CRL_CA1.crl | Bin 483 -> 0 bytes .../Tests/certsCrls/Test_CRL_CA1.crl.pem | 13 - .../Tests/certsCrls/TrustAnchorCP.01.01.crt | Bin 624 -> 0 bytes .../certsCrls/TrustAnchorCRLCP.01.01.crl | Bin 371 -> 0 bytes .../libDER/Tests/certsCrls/apple_v3.000.cer | Bin 1158 -> 0 bytes .../libDER/Tests/certsCrls/apple_v3.001.cer | Bin 903 -> 0 bytes .../libDER/Tests/certsCrls/entrust_v3.100.cer | Bin 
1351 -> 0 bytes .../libDER/Tests/certsCrls/entrust_v3.101.cer | Bin 1244 -> 0 bytes .../libDER/Tests/certsCrls/keybank_v3.100.cer | Bin 1131 -> 0 bytes .../libDER/Tests/certsCrls/keybank_v3.101.cer | Bin 903 -> 0 bytes .../libDER/Tests/certsCrls/keybank_v3.102.cer | Bin 576 -> 0 bytes .../libDER/libDER/DER_CertCrl.c | 370 - .../libDER/libDER/DER_CertCrl.h | 275 - .../libDER/libDER/DER_Decode.c | 759 - .../libDER/libDER/DER_Decode.h | 242 - .../libDER/libDER/DER_Digest.c | 183 - .../libDER/libDER/DER_Digest.h | 91 - .../libDER/libDER/DER_Encode.c | 366 - .../libDER/libDER/DER_Encode.h | 119 - .../libDER/libDER/DER_Keys.c | 188 - .../libDER/libDER/DER_Keys.h | 121 - .../libDER/libDER/asn1Types.h | 113 - .../libDER/libDER/libDER.h | 75 - .../libDER/libDER/libDER_config.h | 110 - .../libDER/libDER/module.modulemap | 3 - OSX/libsecurity_keychain/libDER/libDER/oids.c | 853 - .../libDER/libDER/oidsPriv.h | 99 - .../kc-12-key-create-symmetric-and-use.m | 2 +- .../regressions/kc-23-key-export-symmetric.m | 2 +- .../regressions/kc-26-key-import-public.m | 16 +- .../regressions/kc-30-xara-helpers.h | 6 +- .../regressions/kc-42-trust-revocation.c | 255 +- .../regressions/kc-43-seckey-interop.m | 6 - OSX/libsecurity_smime/lib/SecCMS.c | 8 + OSX/libsecurity_smime/lib/SecCMS.h | 1 + OSX/libsecurity_smime/lib/SecCmsBase.h | 3 +- OSX/libsecurity_smime/lib/SecCmsSignerInfo.h | 29 +- OSX/libsecurity_smime/lib/cmsattr.c | 17 +- OSX/libsecurity_smime/lib/cmsdecode.c | 13 +- OSX/libsecurity_smime/lib/cmsencode.c | 22 +- OSX/libsecurity_smime/lib/cmspubkey.c | 33 +- OSX/libsecurity_smime/lib/cmssiginfo.c | 236 +- OSX/libsecurity_smime/lib/cmstpriv.h | 2 + OSX/libsecurity_smime/lib/secoid.c | 5 +- OSX/libsecurity_smime/lib/tsaSupport.c | 24 +- .../project.pbxproj | 10 +- OSX/libsecurity_ssl/lib/SecureTransport.h | 20 + .../lib/SecDigestTransform.h | 2 +- .../lib/SecEncryptTransform.cpp | 1 + .../lib/SecEncryptTransform.h | 4 +- .../lib/SecTransformInternal.h | 1 - 
OSX/libsecurity_utilities/lib/alloc.h | 17 +- OSX/libsecurity_utilities/lib/debugging.h | 1 - OSX/libsecurity_utilities/lib/pcsc++.h | 1 + .../lib/threading_internal.h | 6 +- OSX/libsecurityd/lib/SharedMemoryClient.cpp | 2 + OSX/macos_tapi_hacks.h | 89 + OSX/regressions/test/testcert.h | 1 + .../CKBridge/SOSCloudKeychainClient.c | 64 +- .../CKBridge/SOSCloudKeychainClient.h | 11 +- .../CKBridge/SOSCloudKeychainConstants.c | 1 + .../CKBridge/SOSCloudKeychainConstants.h | 1 + .../SOSCircle/Regressions/SOSTestDataSource.c | 7 + OSX/sec/SOSCircle/Regressions/SOSTestDevice.c | 8 +- .../Regressions/sc-153-backupslicekeybag.c | 2 +- .../SOSCircle/SecureObjectSync/SOSAccount.h | 10 +- .../SOSCircle/SecureObjectSync/SOSAccount.m | 296 +- .../SecureObjectSync/SOSAccountBackup.m | 6 +- .../SecureObjectSync/SOSAccountCircles.m | 4 +- .../SecureObjectSync/SOSAccountCredentials.m | 29 +- .../SecureObjectSync/SOSAccountFullPeerInfo.m | 6 +- .../SecureObjectSync/SOSAccountGhost.h | 2 +- .../SecureObjectSync/SOSAccountGhost.m | 2 +- .../SecureObjectSync/SOSAccountPeers.m | 2 +- .../SecureObjectSync/SOSAccountPersistence.m | 12 +- .../SecureObjectSync/SOSAccountPriv.h | 15 +- .../SecureObjectSync/SOSAccountRingUpdate.m | 16 - .../SecureObjectSync/SOSAccountRings.m | 1 + .../SecureObjectSync/SOSAccountSync.m | 3 +- .../SecureObjectSync/SOSAccountTransaction.h | 6 +- .../SecureObjectSync/SOSAccountTransaction.m | 77 +- .../SecureObjectSync/SOSAccountTrust.h | 6 + .../SecureObjectSync/SOSAccountTrust.m | 11 + .../SOSAccountTrustClassic+Circle.m | 57 +- .../SOSAccountTrustClassic+Expansion.m | 19 +- .../SOSAccountTrustClassic+Identity.h | 2 +- .../SOSAccountTrustClassic+Identity.m | 128 +- .../SecureObjectSync/SOSAccountTrustClassic.h | 1 - .../SecureObjectSync/SOSAccountTrustClassic.m | 20 +- .../SecureObjectSync/SOSAccountUpdate.m | 24 +- .../SecureObjectSync/SOSBackupSliceKeyBag.h | 2 - .../SOSCircle/SecureObjectSync/SOSCircle.c | 14 +- .../SOSCircle/SecureObjectSync/SOSCircle.h | 4 
+- .../SecureObjectSync/SOSCloudCircle.h | 5 + .../SecureObjectSync/SOSCloudCircle.m | 69 +- .../SecureObjectSync/SOSCloudCircleInternal.h | 2 - .../SecureObjectSync/SOSControlServer.h | 6 + .../SecureObjectSync/SOSControlServer.m | 184 + .../SOSCircle/SecureObjectSync/SOSEngine.c | 218 +- .../SOSCircle/SecureObjectSync/SOSEngine.h | 24 +- .../SecureObjectSync/SOSEnsureBackup.m | 26 +- .../SecureObjectSync/SOSExports.exp-in | 320 +- .../SecureObjectSync/SOSFullPeerInfo.h | 7 +- .../SecureObjectSync/SOSFullPeerInfo.m | 11 +- .../SOSCircle/SecureObjectSync/SOSInternal.h | 4 +- .../SOSCircle/SecureObjectSync/SOSInternal.m | 3 + .../SOSCircle/SecureObjectSync/SOSKVSKeys.h | 3 +- .../SOSCircle/SecureObjectSync/SOSKVSKeys.m | 13 +- .../SOSCircle/SecureObjectSync/SOSMessage.c | 17 + OSX/sec/SOSCircle/SecureObjectSync/SOSPeer.m | 3 +- .../SOSCircle/SecureObjectSync/SOSPeerCoder.h | 6 +- .../SOSCircle/SecureObjectSync/SOSPeerCoder.m | 25 +- .../SOSCircle/SecureObjectSync/SOSPeerInfo.h | 4 +- .../SOSCircle/SecureObjectSync/SOSPeerInfo.m | 28 +- .../SecureObjectSync/SOSPeerInfoPriv.h | 2 +- .../SecureObjectSync/SOSPeerInfoV2.m | 31 +- .../SecureObjectSync/SOSPeerOTRTimer.h | 3 - .../SecureObjectSync/SOSPeerOTRTimer.m | 233 +- .../SecureObjectSync/SOSPeerRateLimiter.m | 2 +- .../SOSCircle/SecureObjectSync/SOSPiggyback.m | 2 +- .../SecureObjectSync/SOSRecoveryKeyBag.m | 2 + .../SOSCircle/SecureObjectSync/SOSRingBasic.m | 2 +- .../SOSCircle/SecureObjectSync/SOSRingUtils.c | 136 +- .../SOSCircle/SecureObjectSync/SOSRingUtils.h | 2 +- .../SecureObjectSync/SOSSysdiagnose.h | 11 +- .../SecureObjectSync/SOSSysdiagnose.m | 11 +- .../SOSCircle/SecureObjectSync/SOSTransport.m | 23 +- .../SecureObjectSync/SOSTransportCircle.h | 2 +- .../SecureObjectSync/SOSTransportCircleCK.m | 2 +- .../SecureObjectSync/SOSTransportCircleKVS.h | 1 - .../SecureObjectSync/SOSTransportCircleKVS.m | 9 +- .../SecureObjectSync/SOSTransportMessage.m | 32 +- .../SecureObjectSync/SOSTransportMessageIDS.h | 2 +- 
.../SecureObjectSync/SOSTransportMessageIDS.m | 29 +- .../SecureObjectSync/SOSTransportMessageKVS.m | 7 + OSX/sec/SOSCircle/SecureObjectSync/SOSTypes.h | 3 +- .../SecureObjectSync/SOSUserKeygen.h | 2 +- .../SecureObjectSync/SOSUserKeygen.m | 12 +- .../SOSCircle/Tool/accountCirclesViewsPrint.h | 31 +- .../SOSCircle/Tool/accountCirclesViewsPrint.m | 66 +- OSX/sec/SOSCircle/Tool/keychain_log.m | 379 +- OSX/sec/SOSCircle/Tool/keychain_sync.m | 379 +- OSX/sec/SOSCircle/Tool/keychain_sync_test.m | 2 +- OSX/sec/SOSCircle/Tool/recovery_key.m | 20 +- OSX/sec/SOSCircle/Tool/syncbackup.m | 2 +- OSX/sec/Security/Regressions/otr/otr-otrdh.c | 2 + .../Regressions/secitem/si-10-find-internet.c | 1 + .../Regressions/secitem/si-15-certificate.c | 65 +- .../secitem/si-18-certificate-parse.m | 2 +- .../Regressions/secitem/si-20-sectrust.c | 258 +- .../Regressions/secitem/si-22-sectrust-iap.c | 15 +- .../Regressions/secitem/si-23-sectrust-ocsp.c | 10 +- .../secitem/si-32-sectrust-pinning-required.m | 15 +- .../Security/Regressions/secitem/si-60-cms.c | 91 +- .../secitem/{si-62-csr.c => si-62-csr.m} | 191 +- .../secitem/{si-63-scep.c => si-63-scep.m} | 146 +- .../Regressions/secitem/si-66-smime.c | 8 +- .../Regressions/secitem/si-72-syncableitems.c | 3 + .../secitem/si-87-sectrust-name-constraints.m | 284 +- .../secitem/si-89-cms-hash-agility.c | 301 - .../secitem/si-89-cms-hash-agility.h | 180 + .../secitem/si-89-cms-hash-agility.m | 565 + .../Regressions/secitem/si-95-cms-basic.c | 5 +- .../secitem/si_77_SecAccessControl.c | 58 +- .../sec/Security/SFKeychainControl.h | 11 +- OSX/sec/Security/SecAccessControl.c | 62 +- .../Security/SecAccessControlExports.exp-in | 2 + OSX/sec/Security/SecAccessControlPriv.h | 16 +- OSX/sec/Security/SecCMS.c | 11 +- OSX/sec/Security/SecCMS.h | 1 + OSX/sec/Security/SecCertificate.c | 954 +- OSX/sec/Security/SecCertificateInternal.h | 37 +- OSX/sec/Security/SecCertificatePath.c | 2 +- OSX/sec/Security/SecCertificatePath.h | 80 - 
OSX/sec/Security/SecCertificateRequest.c | 652 +- OSX/sec/Security/SecExports.exp-in | 427 +- OSX/sec/Security/SecFramework.c | 56 +- OSX/sec/Security/SecFrameworkStrings.h | 141 +- OSX/sec/Security/SecImportExport.c | 2 +- OSX/sec/Security/SecItem.c | 16 +- OSX/sec/Security/SecItem.m | 50 +- OSX/sec/Security/SecItemBackup.c | 17 +- OSX/sec/Security/SecKey.c | 57 +- OSX/sec/Security/SecOTRIdentityPriv.h | 4 - OSX/sec/Security/SecOTRMath.c | 30 +- OSX/sec/Security/SecOTRMath.h | 15 +- OSX/sec/Security/SecOTRPackets.c | 4 +- OSX/sec/Security/SecOTRSession.c | 3 +- OSX/sec/Security/SecOTRSessionPriv.h | 2 +- OSX/sec/Security/SecPasswordGenerate.c | 2 + OSX/sec/Security/SecPolicy.c | 770 +- OSX/sec/Security/SecPolicy.list | 91 + OSX/sec/Security/SecPolicyChecks.list | 95 + OSX/sec/Security/SecPolicyInternal.h | 140 +- OSX/sec/Security/SecPolicyLeafCallbacks.c | 130 +- OSX/sec/Security/SecRecoveryKey.m | 2 +- OSX/sec/Security/SecSCEP.c | 58 +- OSX/sec/Security/SecSCEP.h | 18 +- OSX/sec/Security/SecTrust.c | 643 +- OSX/sec/Security/SecTrustInternal.h | 3 + OSX/sec/Security/SecTrustStatusCodes.c | 51 +- OSX/sec/Security/SecTrustStore.c | 60 +- OSX/sec/Security/SecuritydXPC.c | 17 +- OSX/sec/Security/Tool/SecurityCommands.h | 21 +- OSX/sec/Security/Tool/add_internet_password.c | 4 +- OSX/sec/Security/Tool/codesign.c | 4 +- OSX/sec/Security/Tool/keychain_add.c | 6 +- OSX/sec/Security/Tool/keychain_backup.c | 12 +- OSX/sec/Security/Tool/keychain_find.m | 10 +- OSX/sec/Security/Tool/pkcs12_util.c | 4 +- OSX/sec/Security/Tool/scep.c | 7 +- OSX/sec/Security/Tool/show_certificates.c | 91 +- OSX/sec/Security/Tool/spc.c | 6 +- OSX/sec/Security/Tool/trust_update.m | 81 + OSX/sec/Security/Tool/verify_cert.c | 7 +- OSX/sec/Security/ios_tapi_hacks.h | 83 + OSX/sec/Security/oids.c | 448 + OSX/sec/Security/p12import.c | 2 +- OSX/sec/Security/so_01_serverencryption.c | 1 + .../sec/SecurityTool/KeychainCheck.h | 9 +- OSX/sec/SecurityTool/KeychainCheck.m | 125 + 
OSX/sec/SecurityTool/SecurityTool.c | 3 +- OSX/sec/SecurityTool/builtin_commands.h | 8 + OSX/sec/SecurityTool/digest_calc.c | 4 +- OSX/sec/SecurityTool/entitlements.plist | 2 + OSX/sec/SecurityTool/sos.m | 32 +- OSX/sec/SharedWebCredential/swcagent.m | 6 +- OSX/sec/ipc/client.c | 59 +- OSX/sec/ipc/client_endpoint.m | 41 +- OSX/sec/ipc/com.apple.secd.plist | 8 + OSX/sec/ipc/com.apple.securityd.plist | 8 + OSX/sec/ipc/securityd_client.h | 40 +- OSX/sec/ipc/server.c | 88 +- OSX/sec/ipc/server_endpoint.m | 15 +- OSX/sec/ipc/server_security_helpers.h | 2 +- OSX/sec/ipc/server_xpc.m | 158 +- OSX/sec/os_log/com.apple.securityd.plist | 29 + OSX/sec/securityd/OTATrustUtilities.c | 1519 - OSX/sec/securityd/OTATrustUtilities.h | 48 +- OSX/sec/securityd/OTATrustUtilities.m | 1797 + .../securityd/Regressions/SOSAccountTesting.h | 11 +- .../Regressions/SOSTransportTestTransports.m | 34 +- OSX/sec/securityd/Regressions/secd-01-items.m | 2 + .../secd-155-otr-negotiation-monitor.m | 4 +- .../Regressions/secd-20-keychain_upgrade.m | 2 + .../Regressions/secd-21-transmogrify.m | 8 + .../Regressions/secd-36-ks-encrypt.m | 9 +- .../securityd/Regressions/secd-50-message.m | 4 + .../secd-52-offering-gencount-reset.m | 3 +- .../secd-55-account-incompatibility.m | 3 +- .../secd-60-account-cloud-identity.m | 6 + OSX/sec/securityd/Regressions/secd-700-sftm.m | 66 + .../Regressions/secd-76-idstransport.m | 2 +- .../Regressions/secd-81-item-acl-stress.m | 2 + .../securityd/Regressions/secd-81-item-acl.m | 4 + .../secd60-account-cloud-exposure.m | 13 +- .../Regressions/secd_77_ids_messaging.m | 4 +- .../securityd/Regressions/secd_regressions.h | 1 + OSX/sec/securityd/SFKeychainControlManager.h | 48 + OSX/sec/securityd/SFKeychainControlManager.m | 214 + OSX/sec/securityd/SOSCloudCircleServer.h | 7 +- OSX/sec/securityd/SOSCloudCircleServer.m | 179 +- OSX/sec/securityd/SecCAIssuerCache.c | 18 +- OSX/sec/securityd/SecCAIssuerRequest.c | 43 +- OSX/sec/securityd/SecCertificateServer.c | 71 +- 
OSX/sec/securityd/SecCertificateServer.h | 12 +- OSX/sec/securityd/SecCertificateSource.c | 1 + OSX/sec/securityd/SecDbItem.c | 36 +- OSX/sec/securityd/SecDbItem.h | 5 +- OSX/sec/securityd/SecDbKeychainItem.h | 12 +- ...ecDbKeychainItem.c => SecDbKeychainItem.m} | 184 +- OSX/sec/securityd/SecDbKeychainItemV7.h | 81 + OSX/sec/securityd/SecDbKeychainItemV7.m | 1134 + ...SecDbKeychainAKSSerializedWrappedKey.proto | 7 + .../SecDbKeychainSerializedAKSWrappedKey.h | 41 + .../SecDbKeychainSerializedAKSWrappedKey.m | 168 + .../SecDbKeychainSerializedItemV7.h | 81 + .../SecDbKeychainSerializedItemV7.m | 167 + .../SecDbKeychainSerializedItemV7.proto | 17 + .../SecDbKeychainSerializedMetadata.h | 40 + .../SecDbKeychainSerializedMetadata.m | 167 + .../SecDbKeychainSerializedMetadata.proto | 7 + .../SecDbKeychainSerializedSecretData.h | 40 + .../SecDbKeychainSerializedSecretData.m | 167 + .../SecDbKeychainSerializedSecretData.proto | 7 + OSX/sec/securityd/SecDbQuery.c | 2 +- OSX/sec/securityd/SecItemBackupServer.c | 2 +- OSX/sec/securityd/SecItemDataSource.c | 38 +- OSX/sec/securityd/SecItemDb.c | 148 +- OSX/sec/securityd/SecItemDb.h | 5 +- OSX/sec/securityd/SecItemSchema.c | 154 +- OSX/sec/securityd/SecItemServer.c | 191 +- OSX/sec/securityd/SecItemServer.h | 7 +- OSX/sec/securityd/SecKeybagSupport.c | 4 +- OSX/sec/securityd/SecKeybagSupport.h | 3 + OSX/sec/securityd/SecOCSPCache.c | 148 +- OSX/sec/securityd/SecOCSPCache.h | 10 +- OSX/sec/securityd/SecOCSPResponse.c | 25 +- OSX/sec/securityd/SecOCSPResponse.h | 3 +- OSX/sec/securityd/SecOTRRemote.m | 1 + OSX/sec/securityd/SecPinningDb.h | 7 + OSX/sec/securityd/SecPinningDb.m | 409 +- OSX/sec/securityd/SecPolicyServer.c | 556 +- OSX/sec/securityd/SecPolicyServer.h | 14 +- OSX/sec/securityd/SecRevocationDb.c | 895 +- OSX/sec/securityd/SecRevocationDb.h | 32 +- OSX/sec/securityd/SecRevocationNetworking.m | 12 +- OSX/sec/securityd/SecRevocationServer.c | 279 +- OSX/sec/securityd/SecRevocationServer.h | 21 +- ...oggingServer.c => 
SecTrustLoggingServer.m} | 1 + OSX/sec/securityd/SecTrustServer.c | 74 +- OSX/sec/securityd/SecTrustServer.h | 76 +- OSX/sec/securityd/SecTrustStoreServer.c | 76 +- OSX/sec/securityd/asynchttp.c | 3 + OSX/sec/securityd/asynchttp.h | 1 + OSX/sec/securityd/com.apple.secd.sb | 5 + OSX/sec/securityd/entitlements.plist | 4 + OSX/sec/securityd/policytree.c | 2 +- OSX/sec/securityd/spi.c | 6 +- OSX/sectests/SecurityTests-Entitlements.plist | 12 - OSX/shared_regressions/shared_regressions.h | 1 + .../PinningPolicyTrustTest.plist | 8 +- .../si-20-sectrust-policies.m | 6 +- OSX/shared_regressions/si-88-sectrust-valid.m | 149 + OSX/trustd/iOS/entitlements.plist | 1 + OSX/trustd/macOS/SecTrustOSXEntryPoints.h | 1 + OSX/trustd/macOS/entitlements.plist | 1 + OSX/trustd/trustd.c | 206 +- .../SecurityTool/security_tool_commands.h | 2 +- OSX/utilities/src/SecCFError.c | 8 + OSX/utilities/src/SecCFWrappers.h | 2 +- OSX/utilities/src/SecDb.c | 64 +- OSX/utilities/src/SecDb.h | 2 + OSX/utilities/src/debugging.h | 5 +- OTAPKIAssetTool/OTAPKIAssetTool.xcconfig | 16 - OTAPKIAssetTool/OTAServiceApp.h | 46 - OTAPKIAssetTool/OTAServiceApp.m | 1403 - OTAPKIAssetTool/OTAServicemain.m | 50 - .../com.apple.OTAPKIAssetTool.plist | 37 - RegressionTests/Security.plist | 9 + .../secitemfunctionality.m | 4 + SOSCCAuthPlugin/SOSCCAuthPlugin.m | 23 +- Security.exp-in | 382 +- Security.xcodeproj/project.pbxproj | 4367 +- .../xcshareddata/xcschemes/CKKSTests.xcscheme | 18 +- .../xcschemes/TrustedPeers.xcscheme | 2 + .../xcschemes/ios - Debug.xcscheme | 78 +- .../xcschemes/ios - Release.xcscheme | 6 + .../xcschemes/ios - secdtests.xcscheme | 44 +- .../xcschemes/osx - World.xcscheme | 26 +- .../xcschemes/osx - secdtests.xcscheme | 10 +- .../xcschemes/osx - sectests.xcscheme | 2 + .../contents.xcworkspacedata | 4 + .../SecurityTests-Entitlements.plist | 8 +- .../TestCertificates | Bin 0 -> 7116800 bytes .../expects.plist | 92437 ++++++++++++++++ .../manifest.plist | 77526 +++++++++++++ 
.../si-87-sectrust-name-constraints/root.cer | Bin 0 -> 992 bytes .../si-88-sectrust-valid-data/ca-na.pem | 25 + .../si-88-sectrust-valid-data/ca-nb.pem | 25 + .../si-88-sectrust-valid-data/leaf-na-ok1.pem | 27 + .../si-88-sectrust-valid-data/leaf-na-ok2.pem | 27 + .../si-88-sectrust-valid-data/leaf-nb-ok1.pem | 27 + .../si-88-sectrust-valid-data/leaf-nb-ok2.pem | 27 + .../leaf-nb-revoked1.pem | 27 + .../si-88-sectrust-valid-data/root.pem | 23 + SecurityTests/testmain.c | 2 + SecurityTool/authz.c | 24 +- SecurityTool/createFVMaster.c | 6 +- SecurityTool/db_commands.cpp | 4 +- SecurityTool/entitlements.plist | 2 + SecurityTool/identity_find.m | 2 +- SecurityTool/identity_prefs.c | 6 +- SecurityTool/key_create.c | 10 +- SecurityTool/keychain_add.c | 6 +- SecurityTool/keychain_create.c | 2 +- SecurityTool/keychain_delete.c | 4 +- SecurityTool/keychain_export.m | 12 +- SecurityTool/keychain_find.c | 4 +- SecurityTool/keychain_list.c | 16 +- SecurityTool/keychain_lock.c | 4 +- SecurityTool/keychain_recode.c | 4 +- SecurityTool/keychain_show_info.c | 2 +- SecurityTool/keychain_unlock.c | 4 +- SecurityTool/mds_install.cpp | 3 +- SecurityTool/security.c | 2 +- SecurityTool/security_tool.h | 2 + SecurityTool/smartcards.m | 3 +- SecurityTool/translocate.c | 9 +- SecurityTool/trust_settings_impexp.c | 12 +- SecurityTool/trusted_cert_add.c | 24 +- SecurityTool/trusted_cert_dump.c | 6 +- SecurityTool/user_trust_enable.cpp | 5 +- SecurityTool/verify_cert.c | 3 +- base/SecBase.h | 38 +- base/SecBasePriv.h | 13 +- base/SecSignpost.h | 96 + base/SecurityCustomSignposts.plist | 207 + cssm/cssmapple.h | 297 +- header_symlinks/Security/CSCommon.h | 1 + header_symlinks/Security/CSCommonPriv.h | 1 + header_symlinks/Security/CodeSigning.h | 1 + header_symlinks/Security/SecCode.h | 1 + header_symlinks/Security/SecCodeHost.h | 1 + header_symlinks/Security/SecCodePriv.h | 1 + header_symlinks/Security/SecCodeSigner.h | 1 + .../Security/SecRandomP.h | 0 
header_symlinks/Security/SecRequirement.h | 1 + header_symlinks/Security/SecRequirementPriv.h | 1 + header_symlinks/Security/SecSignpost.h | 1 + header_symlinks/Security/SecStaticCode.h | 1 + header_symlinks/Security/SecStaticCodePriv.h | 1 + header_symlinks/Security/X509Templates.h | 1 + header_symlinks/Security/keyTemplates.h | 1 + header_symlinks/Security/nameTemplates.h | 1 + header_symlinks/Security/oids.h | 1 + header_symlinks/Security/oidsattr.h | 1 + header_symlinks/iOS/Security/CSCommon.h | 1 - header_symlinks/iOS/Security/CSCommonPriv.h | 1 - header_symlinks/iOS/Security/CodeSigning.h | 1 - header_symlinks/iOS/Security/SecCode.h | 1 - header_symlinks/iOS/Security/SecCodeHost.h | 1 - header_symlinks/iOS/Security/SecCodePriv.h | 1 - header_symlinks/iOS/Security/SecCodeSigner.h | 1 - header_symlinks/iOS/Security/SecRequirement.h | 1 - .../iOS/Security/SecRequirementPriv.h | 1 - header_symlinks/iOS/Security/SecStaticCode.h | 1 - .../iOS/Security/SecStaticCodePriv.h | 1 - header_symlinks/iOS/Security/X509Templates.h | 1 - header_symlinks/iOS/Security/keyTemplates.h | 1 - header_symlinks/iOS/Security/nameTemplates.h | 1 - header_symlinks/iOS/Security/oidsattr.h | 1 - header_symlinks/macOS/Security/AuthSession.h | 1 + .../macOS/Security/Authorization.h | 1 + .../macOS/Security/AuthorizationDB.h | 1 + .../macOS/Security/AuthorizationPlugin.h | 1 + .../macOS/Security/AuthorizationPriv.h | 1 + .../macOS/Security/AuthorizationTags.h | 1 + .../macOS/Security/AuthorizationTagsPriv.h | 1 + header_symlinks/macOS/Security/CMSDecoder.h | 1 + header_symlinks/macOS/Security/CMSEncoder.h | 1 + header_symlinks/macOS/Security/CMSPrivate.h | 1 + header_symlinks/macOS/Security/CipherSuite.h | 1 + header_symlinks/macOS/Security/SecACL.h | 1 + header_symlinks/macOS/Security/SecASN1Coder.h | 1 + .../macOS/Security/SecASN1Templates.h | 1 + header_symlinks/macOS/Security/SecAccess.h | 1 + .../macOS/Security/SecAccessControl.h | 1 + .../macOS/Security/SecAccessPriv.h | 1 + 
.../macOS/Security/SecCertificateBundle.h | 1 + .../macOS/Security/SecCertificateOIDs.h | 1 + .../macOS/Security/SecCmsDigestedData.h | 1 + .../macOS/Security/SecCmsEncryptedData.h | 1 + .../macOS/Security/SecCustomTransform.h | 1 + .../macOS/Security/SecDecodeTransform.h | 1 + .../macOS/Security/SecDigestTransform.h | 1 + .../macOS/Security/SecEncodeTransform.h | 1 + .../macOS/Security/SecEncryptTransform.h | 1 + .../macOS/Security/SecIdentitySearch.h | 1 + .../macOS/Security/SecIdentitySearchPriv.h | 1 + header_symlinks/macOS/Security/SecKeychain.h | 1 + .../macOS/Security/SecKeychainItem.h | 1 + .../macOS/Security/SecKeychainItemPriv.h | 1 + .../macOS/Security/SecKeychainPriv.h | 1 + .../macOS/Security/SecKeychainSearch.h | 1 + .../macOS/Security/SecKeychainSearchPriv.h | 1 + .../macOS/Security/SecPolicySearch.h | 1 + .../macOS/Security/SecReadTransform.h | 1 + header_symlinks/macOS/Security/SecSMIME.h | 1 + .../macOS/Security/SecSignVerifyTransform.h | 1 + header_symlinks/macOS/Security/SecTransform.h | 1 + .../Security/SecTransformReadTransform.h | 1 + .../macOS/Security/SecTrustedApplication.h | 1 + .../Security/SecTrustedApplicationPriv.h | 1 + .../macOS/Security/SecureTransport.h | 1 + .../macOS/Security/TrustSettingsSchema.h | 1 + .../macOS/Security/certExtensionTemplates.h | 1 + header_symlinks/macOS/Security/checkpw.h | 1 + header_symlinks/macOS/Security/csrTemplates.h | 1 + header_symlinks/macOS/Security/cssm.h | 1 + header_symlinks/macOS/Security/cssmaci.h | 1 + header_symlinks/macOS/Security/cssmapi.h | 1 + header_symlinks/macOS/Security/cssmapple.h | 1 + .../macOS/Security/cssmapplePriv.h | 1 + header_symlinks/macOS/Security/cssmcli.h | 1 + header_symlinks/macOS/Security/cssmconfig.h | 1 + header_symlinks/macOS/Security/cssmcspi.h | 1 + header_symlinks/macOS/Security/cssmdli.h | 1 + header_symlinks/macOS/Security/cssmerr.h | 1 + header_symlinks/macOS/Security/cssmkrapi.h | 1 + header_symlinks/macOS/Security/cssmkrspi.h | 1 + 
header_symlinks/macOS/Security/cssmspi.h | 1 + header_symlinks/macOS/Security/cssmtpi.h | 1 + header_symlinks/macOS/Security/cssmtype.h | 1 + header_symlinks/macOS/Security/emmspi.h | 1 + header_symlinks/macOS/Security/emmtype.h | 1 + header_symlinks/macOS/Security/mds.h | 1 + header_symlinks/macOS/Security/mds_schema.h | 1 + header_symlinks/macOS/Security/mdspriv.h | 1 + .../macOS/Security/ocspTemplates.h | 1 + header_symlinks/macOS/Security/oids.h | 1 + header_symlinks/macOS/Security/oidsalg.h | 1 + header_symlinks/macOS/Security/oidscert.h | 1 + header_symlinks/macOS/Security/oidscrl.h | 1 + .../macOS/Security/osKeyTemplates.h | 1 + header_symlinks/macOS/Security/secasn1t.h | 1 + header_symlinks/macOS/Security/tsaTemplates.h | 1 + header_symlinks/macOS/Security/x509defs.h | 1 + keychain/SecAccessControl.h | 57 +- keychain/SecImportExport.h | 30 +- keychain/SecItem.h | 328 +- keychain/SecItemPriv.h | 13 +- keychain/SecKeyPriv.h | 34 +- keychain/Signin Metrics/SFTransactionMetric.h | 68 + keychain/Signin Metrics/SFTransactionMetric.m | 127 + keychain/analytics/CKKSPowerCollection.h | 21 + keychain/analytics/CKKSPowerCollection.m | 34 + keychain/behavior/SFBehavior.h | 72 + keychain/behavior/SFBehavior.m | 140 + keychain/ckks/CKKS.h | 68 +- keychain/ckks/CKKS.m | 122 +- keychain/ckks/CKKSAPSReceiver.h | 2 +- keychain/ckks/CKKSAPSReceiver.m | 2 +- keychain/ckks/CKKSAnalytics.h | 130 + keychain/ckks/CKKSAnalytics.m | 302 + keychain/ckks/CKKSAnalyticsLogger.h | 63 - keychain/ckks/CKKSAnalyticsLogger.m | 170 - keychain/ckks/CKKSCKAccountStateTracker.h | 6 +- keychain/ckks/CKKSCKAccountStateTracker.m | 113 +- keychain/ckks/CKKSControl.h | 14 +- keychain/ckks/CKKSControl.m | 75 +- keychain/ckks/CKKSControlProtocol.h | 6 +- keychain/ckks/CKKSControlProtocol.m | 4 +- keychain/ckks/CKKSControlServer.h | 12 + keychain/ckks/CKKSControlServer.m | 60 + keychain/ckks/CKKSCurrentKeyPointer.m | 31 + keychain/ckks/CKKSDeviceStateEntry.h | 33 +- keychain/ckks/CKKSDeviceStateEntry.m 
| 42 +- .../CKKSFetchAllRecordZoneChangesOperation.h | 7 +- .../CKKSFetchAllRecordZoneChangesOperation.m | 33 +- keychain/ckks/CKKSGroupOperation.h | 4 + keychain/ckks/CKKSGroupOperation.m | 44 +- keychain/ckks/CKKSHealKeyHierarchyOperation.m | 58 +- keychain/ckks/CKKSHealTLKSharesOperation.m | 5 +- keychain/ckks/CKKSIncomingQueueEntry.h | 3 +- keychain/ckks/CKKSIncomingQueueEntry.m | 18 +- keychain/ckks/CKKSIncomingQueueOperation.m | 26 +- keychain/ckks/CKKSItem.m | 42 +- keychain/ckks/CKKSKey.m | 44 +- keychain/ckks/CKKSKeychainView.h | 32 +- keychain/ckks/CKKSKeychainView.m | 1457 +- keychain/ckks/CKKSLocalSynchronizeOperation.m | 9 +- keychain/ckks/CKKSLockStateTracker.h | 14 +- keychain/ckks/CKKSLockStateTracker.m | 61 +- keychain/ckks/CKKSLogger.h | 64 - keychain/ckks/CKKSLogger.m | 706 - keychain/ckks/CKKSLogging.plist | 16 - keychain/ckks/CKKSManifest.m | 3 +- keychain/ckks/CKKSNearFutureScheduler.h | 11 +- keychain/ckks/CKKSNearFutureScheduler.m | 31 +- keychain/ckks/CKKSNewTLKOperation.m | 8 +- keychain/ckks/CKKSNotifier.h | 2 +- keychain/ckks/CKKSOutgoingQueueEntry.h | 3 +- keychain/ckks/CKKSOutgoingQueueEntry.m | 19 +- keychain/ckks/CKKSOutgoingQueueOperation.m | 174 +- keychain/ckks/CKKSPeer.h | 7 +- keychain/ckks/CKKSPeer.m | 24 +- .../ckks/CKKSProcessReceivedKeysOperation.m | 39 +- keychain/ckks/CKKSReachabilityTracker.h | 44 + keychain/ckks/CKKSReachabilityTracker.m | 212 + keychain/ckks/CKKSRecordHolder.m | 10 +- .../CKKSReencryptOutgoingItemsOperation.m | 6 +- keychain/ckks/CKKSResultOperation.h | 17 +- keychain/ckks/CKKSResultOperation.m | 72 +- keychain/ckks/CKKSScanLocalItemsOperation.h | 2 + keychain/ckks/CKKSScanLocalItemsOperation.m | 57 +- keychain/ckks/CKKSSynchronizeOperation.m | 8 +- keychain/ckks/CKKSTLKShare.h | 2 + keychain/ckks/CKKSTLKShare.m | 52 +- .../CKKSUpdateCurrentItemPointerOperation.h | 23 +- .../CKKSUpdateCurrentItemPointerOperation.m | 225 +- .../ckks/CKKSUpdateDeviceStateOperation.m | 1 - keychain/ckks/CKKSViewManager.h | 
16 +- keychain/ckks/CKKSViewManager.m | 644 +- keychain/ckks/CKKSZone.h | 14 +- keychain/ckks/CKKSZone.m | 100 +- keychain/ckks/CKKSZoneChangeFetcher.h | 6 +- keychain/ckks/CKKSZoneChangeFetcher.m | 64 +- keychain/ckks/CKKSZoneStateEntry.m | 11 +- keychain/ckks/CloudKitDependencies.h | 2 + keychain/ckks/NSOperationCategories.h | 3 + keychain/ckks/NSOperationCategories.m | 12 + keychain/ckks/tests/CKKSCloudKitTests.m | 1 + keychain/ckks/tests/CKKSConditionTests.m | 5 +- .../ckks/tests/CKKSDeviceStateUploadTests.m | 622 + keychain/ckks/tests/CKKSLoggerTests.m | 161 +- keychain/ckks/tests/CKKSManifestTests.m | 4 +- .../ckks/tests/CKKSNearFutureSchedulerTests.m | 73 +- keychain/ckks/tests/CKKSOperationTests.m | 66 +- keychain/ckks/tests/CKKSRateLimiterTests.m | 9 +- keychain/ckks/tests/CKKSSOSTests.m | 10 + keychain/ckks/tests/CKKSSQLTests.m | 2 + keychain/ckks/tests/CKKSTLKSharingTests.m | 534 +- keychain/ckks/tests/CKKSTests+API.h | 2 +- keychain/ckks/tests/CKKSTests+API.m | 488 +- .../ckks/tests/CKKSTests+CurrentPointerAPI.m | 196 +- keychain/ckks/tests/CKKSTests.h | 21 +- keychain/ckks/tests/CKKSTests.m | 1349 +- .../tests/CloudKitKeychainSyncingFixupTests.m | 7 +- .../tests/CloudKitKeychainSyncingMockXCTest.h | 20 +- .../tests/CloudKitKeychainSyncingMockXCTest.m | 208 +- .../tests/CloudKitKeychainSyncingTestsBase.h | 58 + .../tests/CloudKitKeychainSyncingTestsBase.m | 96 + keychain/ckks/tests/CloudKitMockXCTest.h | 17 + keychain/ckks/tests/CloudKitMockXCTest.m | 60 +- keychain/ckks/tests/MockCloudKit.h | 4 + keychain/ckks/tests/MockCloudKit.m | 17 +- keychain/ckks/tests/RateLimiterTests.m | 11 +- keychain/ckksctl/ckksctl.m | 192 +- .../TPDummyDecrypter.h => ot/OT.h} | 19 +- .../{trust/TrustedPeers/TPUtils.m => ot/OT.m} | 36 +- keychain/ot/OTAuthenticatedCiphertext+SF.h | 42 + .../OTAuthenticatedCiphertext+SF.m} | 30 +- keychain/ot/OTBottledPeer.h | 59 + keychain/ot/OTBottledPeer.m | 196 + .../OTBottledPeerRecord.h} | 35 +- .../OTBottledPeerRecord.m} | 36 +- 
keychain/ot/OTBottledPeerSigned.h | 64 + keychain/ot/OTBottledPeerSigned.m | 166 + keychain/ot/OTCloudStore.h | 85 + keychain/ot/OTCloudStore.m | 763 + keychain/ot/OTCloudStoreState.h | 57 + keychain/ot/OTCloudStoreState.m | 155 + keychain/ot/OTConstants.h | 31 + keychain/ot/OTConstants.m | 28 + keychain/ot/OTContext.h | 79 + keychain/ot/OTContext.m | 557 + .../TPHash.h => ot/OTContextRecord.h} | 46 +- .../OTContextRecord.m} | 29 +- keychain/ot/OTControl.h | 69 + keychain/ot/OTControl.m | 177 + keychain/ot/OTControlProtocol.h | 53 + keychain/ot/OTControlProtocol.m | 89 + keychain/ot/OTDefines.h | 80 + keychain/ot/OTEscrowKeys.h | 64 + keychain/ot/OTEscrowKeys.m | 335 + keychain/ot/OTIdentity.h | 58 + keychain/ot/OTIdentity.m | 214 + keychain/ot/OTLocalStore.h | 77 + keychain/ot/OTLocalStore.m | 684 + .../TPDummySigningKey.h => ot/OTManager.h} | 42 +- keychain/ot/OTManager.m | 888 + keychain/ot/OTPreflightInfo.h | 40 + keychain/ot/OTPreflightInfo.m | 32 + .../OTPrivateKey+SF.h} | 15 +- keychain/ot/OTPrivateKey+SF.m | 51 + keychain/ot/OTRamping.h | 59 + keychain/ot/OTRamping.m | 282 + keychain/ot/OctagonControlServer.h | 30 + keychain/ot/OctagonControlServer.m | 84 + keychain/ot/SFECPublicKey+SPKI.m | 53 + .../TPEncrypter.h => ot/SFPublicKey+SPKI.h} | 12 +- .../ot/proto/OTAuthenticatedCiphertext.proto | 35 + .../proto/OTBottle.proto} | 61 +- .../proto/OTBottleContents.proto} | 23 +- keychain/ot/proto/OTPrivateKey.proto | 38 + .../proto/source/OTAuthenticatedCiphertext.h | 41 + .../proto/source/OTAuthenticatedCiphertext.m | 167 + keychain/ot/proto/source/OTBottle.h | 88 + keychain/ot/proto/source/OTBottle.m | 527 + keychain/ot/proto/source/OTBottleContents.h | 52 + keychain/ot/proto/source/OTBottleContents.m | 263 + keychain/ot/proto/source/OTPrivateKey.h | 62 + keychain/ot/proto/source/OTPrivateKey.m | 141 + keychain/ot/tests/OTBottledPeerTLK.m | 162 + keychain/ot/tests/OTBottledPeerTests.m | 149 + keychain/ot/tests/OTCloudStoreTests.m | 298 + 
keychain/ot/tests/OTContextTests.m | 240 + keychain/ot/tests/OTEscrowKeyTests.m | 153 + keychain/ot/tests/OTLocalStoreTests.m | 266 + .../ot/tests/OTLockStateNetworkingTests.m | 654 + keychain/ot/tests/OTRampingTests.m | 377 + .../tests/OTTests-Info.plist} | 0 keychain/ot/tests/OTTestsBase.h | 94 + keychain/ot/tests/OTTestsBase.m | 311 + .../otctl/otctl-Entitlements.plist | 6 +- keychain/otctl/otctl.m | 529 + keychain/trust/TrustedPeers/TPCategoryRule.h | 47 - keychain/trust/TrustedPeers/TPCircle.h | 66 - keychain/trust/TrustedPeers/TPCircle.m | 123 - keychain/trust/TrustedPeers/TPHash.m | 175 - keychain/trust/TrustedPeers/TPModel.h | 253 - keychain/trust/TrustedPeers/TPModel.m | 730 - keychain/trust/TrustedPeers/TPPeer.h | 68 - keychain/trust/TrustedPeers/TPPeer.m | 108 - .../trust/TrustedPeers/TPPeerDynamicInfo.h | 67 - .../trust/TrustedPeers/TPPeerDynamicInfo.m | 131 - .../trust/TrustedPeers/TPPeerPermanentInfo.h | 68 - .../trust/TrustedPeers/TPPeerPermanentInfo.m | 151 - .../trust/TrustedPeers/TPPeerStableInfo.h | 68 - .../trust/TrustedPeers/TPPeerStableInfo.m | 144 - keychain/trust/TrustedPeers/TPPolicy.h | 55 - keychain/trust/TrustedPeers/TPPolicy.m | 70 - .../trust/TrustedPeers/TPPolicyDocument.h | 68 - .../trust/TrustedPeers/TPPolicyDocument.m | 335 - keychain/trust/TrustedPeers/TPVoucher.h | 72 - keychain/trust/TrustedPeers/TPVoucher.m | 129 - .../trust/TrustedPeersTests/TPCircleTests.m | 52 - .../TrustedPeersTests/TPDummySigningKey.m | 85 - .../trust/TrustedPeersTests/TPHashTests.m | 92 - .../trust/TrustedPeersTests/TPModelTests.m | 831 - .../TPPeerPermanentInfoTests.m | 209 - .../TrustedPeersTests/TPPeerStableInfoTests.m | 131 - .../trust/TrustedPeersTests/TPPeerTests.m | 119 - .../TrustedPeersTests/TPPolicyDocumentTests.m | 68 - .../trust/TrustedPeersTests/TPVoucherTests.m | 103 - lib/SecArgParse.c | 7 +- libsecurity_smime/lib/CMSDecoder.c | 52 +- libsecurity_smime/lib/CMSDecoder.h | 17 +- libsecurity_smime/lib/CMSEncoder.c | 27 + 
libsecurity_smime/lib/CMSEncoder.h | 15 +- libsecurity_smime/lib/CMSUtils.c | 1 + libsecurity_smime/lib/SecCmsBase.h | 3 +- libsecurity_smime/lib/SecCmsSignerInfo.h | 23 +- libsecurity_smime/lib/cmsattr.c | 17 +- libsecurity_smime/lib/cmscinfo.c | 7 +- libsecurity_smime/lib/cmsdecode.c | 13 +- libsecurity_smime/lib/cmsencode.c | 18 +- libsecurity_smime/lib/cmssiginfo.c | 219 +- libsecurity_smime/lib/cmstpriv.h | 1 + libsecurity_smime/lib/secoid.c | 4 + libsecurity_smime/lib/smimeutil.c | 8 +- .../libCMS.xcodeproj/project.pbxproj | 18 +- resources/English.lproj/Certificate.strings | Bin 25744 -> 25772 bytes resources/English.lproj/CloudKeychain.strings | Bin 11502 -> 11506 bytes resources/English.lproj/Trust.strings | Bin 0 -> 15832 bytes secdtests/secdtests-entitlements.plist | 14 +- .../TrustedPeers => secdxctests}/Info.plist | 10 +- secdxctests/KeychainAPITests.m | 133 + secdxctests/KeychainCryptoTests.m | 769 + secdxctests/KeychainXCTest.h | 55 + secdxctests/KeychainXCTest.m | 219 + sectask/SecEntitlements.h | 11 + .../security-sysdiagnose.entitlements.plist | 2 + security-sysdiagnose/security-sysdiagnose.m | 62 +- securityd/etc/com.apple.securityd.plist | 2 - .../securityd_service/main.c | 24 +- .../securityd_service/service.entitlements | 2 + securityd/src/agentquery.cpp | 11 +- securityd/src/transition.cpp | 2 + supd/Info.plist | 29 + supd/Tests/Info.plist | 22 + supd/Tests/SFAnalyticsTests.m | 767 + supd/Tests/SupdTests.m | 757 + supd/main.m | 73 + supd/securityuploadd-Entitlements.plist | 18 + supd/securityuploadd-ios.plist | 48 + supd/securityuploadd-osx.plist | 46 + supd/securityuploadd.8 | 9 + supd/supd.h | 82 + supd/supd.m | 1499 + supd/supdProtocol.h | 30 + supdctl/main.m | 161 + supdctl/supdctl-Entitlements.plist | 8 + tests/secdmockaks/Info.plist | 22 + tests/secdmockaks/mockaks.h | 35 + tests/secdmockaks/mockaks.m | 368 + tests/secdmockaks/secdmock_db_version_10_5.h | 169 + tests/secdmockaks/secdmockaks.m | 429 + tests/secdmockaks/testPlistDER.m | 
118 + trust/SecCertificatePriv.h | 23 + trust/SecCertificateRequest.h | 167 +- trust/SecPolicy.h | 2 +- trust/SecPolicyPriv.h | 232 +- trust/SecTrustPriv.h | 65 +- .../libDER/libDER => trust}/oids.h | 10 +- xcconfig/PlatformFeatures.xcconfig | 2 +- xcconfig/PlatformLibraries.xcconfig | 34 +- xcconfig/Security.xcconfig | 25 +- xcconfig/lib_ios.xcconfig | 2 +- xcconfig/macos_legacy_lib.xcconfig | 2 +- 905 files changed, 217548 insertions(+), 28988 deletions(-) rename keychain/trust/TrustedPeers/TrustedPeers.h => Analytics/Clients/SOSAnalytics.h (53%) create mode 100644 Analytics/Clients/SOSAnalytics.m create mode 100644 Analytics/SFAnalytics+Internal.h create mode 100644 Analytics/SFAnalytics.h create mode 100644 Analytics/SFAnalytics.m create mode 100644 Analytics/SFAnalytics.plist create mode 100644 Analytics/SFAnalyticsActivityTracker+Internal.h create mode 100644 Analytics/SFAnalyticsActivityTracker.h create mode 100644 Analytics/SFAnalyticsActivityTracker.m create mode 100644 Analytics/SFAnalyticsDefines.h delete mode 100644 Analytics/SFAnalyticsLogger.h delete mode 100644 Analytics/SFAnalyticsLogger.m delete mode 100644 Analytics/SFAnalyticsLogging.plist create mode 100644 Analytics/SFAnalyticsMultiSampler+Internal.h create mode 100644 Analytics/SFAnalyticsMultiSampler.h create mode 100644 Analytics/SFAnalyticsMultiSampler.m create mode 100644 Analytics/SFAnalyticsSQLiteStore.h create mode 100644 Analytics/SFAnalyticsSQLiteStore.m create mode 100644 Analytics/SFAnalyticsSampler+Internal.h create mode 100644 Analytics/SFAnalyticsSampler.h create mode 100644 Analytics/SFAnalyticsSampler.m rename OSX/libsecurity_cms/regressions/{cms-hashagility-test.c => cms-hashagility-test.m} (50%) delete mode 100644 OSX/libsecurity_cryptkit/lib/CryptKit.h delete mode 100644 OSX/libsecurity_cryptkit/lib/CryptKitSA.h delete mode 100644 OSX/libsecurity_cryptkit/lib/NSCipherFile.h delete mode 100644 OSX/libsecurity_cryptkit/lib/NSCipherFile.m delete mode 100644 
OSX/libsecurity_cryptkit/lib/NSCryptors.h delete mode 100644 OSX/libsecurity_cryptkit/lib/NSDESCryptor.h delete mode 100644 OSX/libsecurity_cryptkit/lib/NSDESCryptor.m delete mode 100644 OSX/libsecurity_cryptkit/lib/NSFEEPublicKey.h delete mode 100644 OSX/libsecurity_cryptkit/lib/NSFEEPublicKey.m delete mode 100644 OSX/libsecurity_cryptkit/lib/NSFEEPublicKeyPrivate.h delete mode 100644 OSX/libsecurity_cryptkit/lib/NSMD5Hash.h delete mode 100644 OSX/libsecurity_cryptkit/lib/NSMD5Hash.m delete mode 100644 OSX/libsecurity_cryptkit/lib/NSRandomNumberGenerator.h delete mode 100644 OSX/libsecurity_cryptkit/lib/NSRandomNumberGenerator.m delete mode 100644 OSX/libsecurity_cryptkit/lib/mutils.h delete mode 100644 OSX/libsecurity_cryptkit/lib/mutils.m delete mode 100644 OSX/libsecurity_keychain/lib/SecAsn1TypesP.h delete mode 100644 OSX/libsecurity_keychain/lib/SecBaseP.h delete mode 100644 OSX/libsecurity_keychain/lib/SecFrameworkP.h delete mode 100644 OSX/libsecurity_keychain/lib/SecRSAKeyP.h delete mode 100644 OSX/libsecurity_keychain/lib/certextensionsP.h delete mode 100644 OSX/libsecurity_keychain/libDER/.gitignore delete mode 100644 OSX/libsecurity_keychain/libDER/README.txt delete mode 100644 OSX/libsecurity_keychain/libDER/Tests/certsCrls/EndCertificateCP.01.01.crt delete mode 100644 OSX/libsecurity_keychain/libDER/Tests/certsCrls/Test_CRL_CA1.crl delete mode 100644 OSX/libsecurity_keychain/libDER/Tests/certsCrls/Test_CRL_CA1.crl.pem delete mode 100644 OSX/libsecurity_keychain/libDER/Tests/certsCrls/TrustAnchorCP.01.01.crt delete mode 100644 OSX/libsecurity_keychain/libDER/Tests/certsCrls/TrustAnchorCRLCP.01.01.crl delete mode 100644 OSX/libsecurity_keychain/libDER/Tests/certsCrls/apple_v3.000.cer delete mode 100644 OSX/libsecurity_keychain/libDER/Tests/certsCrls/apple_v3.001.cer delete mode 100644 OSX/libsecurity_keychain/libDER/Tests/certsCrls/entrust_v3.100.cer delete mode 100644 OSX/libsecurity_keychain/libDER/Tests/certsCrls/entrust_v3.101.cer delete mode 100644 
OSX/libsecurity_keychain/libDER/Tests/certsCrls/keybank_v3.100.cer delete mode 100644 OSX/libsecurity_keychain/libDER/Tests/certsCrls/keybank_v3.101.cer delete mode 100644 OSX/libsecurity_keychain/libDER/Tests/certsCrls/keybank_v3.102.cer delete mode 100644 OSX/libsecurity_keychain/libDER/libDER/DER_CertCrl.c delete mode 100644 OSX/libsecurity_keychain/libDER/libDER/DER_CertCrl.h delete mode 100644 OSX/libsecurity_keychain/libDER/libDER/DER_Decode.c delete mode 100644 OSX/libsecurity_keychain/libDER/libDER/DER_Decode.h delete mode 100644 OSX/libsecurity_keychain/libDER/libDER/DER_Digest.c delete mode 100644 OSX/libsecurity_keychain/libDER/libDER/DER_Digest.h delete mode 100644 OSX/libsecurity_keychain/libDER/libDER/DER_Encode.c delete mode 100644 OSX/libsecurity_keychain/libDER/libDER/DER_Encode.h delete mode 100644 OSX/libsecurity_keychain/libDER/libDER/DER_Keys.c delete mode 100644 OSX/libsecurity_keychain/libDER/libDER/DER_Keys.h delete mode 100644 OSX/libsecurity_keychain/libDER/libDER/asn1Types.h delete mode 100644 OSX/libsecurity_keychain/libDER/libDER/libDER.h delete mode 100644 OSX/libsecurity_keychain/libDER/libDER/libDER_config.h delete mode 100644 OSX/libsecurity_keychain/libDER/libDER/module.modulemap delete mode 100644 OSX/libsecurity_keychain/libDER/libDER/oids.c delete mode 100644 OSX/libsecurity_keychain/libDER/libDER/oidsPriv.h delete mode 120000 OSX/libsecurity_utilities/lib/debugging.h create mode 100644 OSX/macos_tapi_hacks.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSControlServer.h create mode 100644 OSX/sec/SOSCircle/SecureObjectSync/SOSControlServer.m rename keychain/trust/TrustedPeers/TPTypes.h => OSX/sec/SOSCircle/SecureObjectSync/SOSSysdiagnose.h (86%) rename OSX/sec/Security/Regressions/secitem/{si-62-csr.c => si-62-csr.m} (62%) rename OSX/sec/Security/Regressions/secitem/{si-63-scep.c => si-63-scep.m} (91%) delete mode 100644 OSX/sec/Security/Regressions/secitem/si-89-cms-hash-agility.c create mode 100644 
OSX/sec/Security/Regressions/secitem/si-89-cms-hash-agility.m rename keychain/trust/TrustedPeers/TPDecrypter.h => OSX/sec/Security/SFKeychainControl.h (81%) delete mode 100644 OSX/sec/Security/SecCertificatePath.h create mode 100644 OSX/sec/Security/SecPolicy.list create mode 100644 OSX/sec/Security/SecPolicyChecks.list create mode 100644 OSX/sec/Security/Tool/trust_update.m create mode 100644 OSX/sec/Security/ios_tapi_hacks.h create mode 100644 OSX/sec/Security/oids.c rename keychain/trust/TrustedPeers/TPUtils.h => OSX/sec/SecurityTool/KeychainCheck.h (87%) create mode 100644 OSX/sec/SecurityTool/KeychainCheck.m delete mode 100644 OSX/sec/securityd/OTATrustUtilities.c create mode 100644 OSX/sec/securityd/OTATrustUtilities.m create mode 100644 OSX/sec/securityd/Regressions/secd-700-sftm.m create mode 100644 OSX/sec/securityd/SFKeychainControlManager.h create mode 100644 OSX/sec/securityd/SFKeychainControlManager.m rename OSX/sec/securityd/{SecDbKeychainItem.c => SecDbKeychainItem.m} (88%) create mode 100644 OSX/sec/securityd/SecDbKeychainItemV7.h create mode 100644 OSX/sec/securityd/SecDbKeychainItemV7.m create mode 100644 OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainAKSSerializedWrappedKey.proto create mode 100644 OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedAKSWrappedKey.h create mode 100644 OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedAKSWrappedKey.m create mode 100644 OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedItemV7.h create mode 100644 OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedItemV7.m create mode 100644 OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedItemV7.proto create mode 100644 OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedMetadata.h create mode 100644 OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedMetadata.m create mode 100644 
OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedMetadata.proto create mode 100644 OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedSecretData.h create mode 100644 OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedSecretData.m create mode 100644 OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedSecretData.proto rename OSX/sec/securityd/{SecTrustLoggingServer.c => SecTrustLoggingServer.m} (97%) create mode 100644 OSX/shared_regressions/si-88-sectrust-valid.m delete mode 100644 OTAPKIAssetTool/OTAPKIAssetTool.xcconfig delete mode 100644 OTAPKIAssetTool/OTAServiceApp.h delete mode 100644 OTAPKIAssetTool/OTAServiceApp.m delete mode 100644 OTAPKIAssetTool/OTAServicemain.m delete mode 100644 OTAPKIAssetTool/com.apple.OTAPKIAssetTool.plist create mode 100644 Security/Security.xcodeproj/project.xcworkspace/contents.xcworkspacedata create mode 100644 SecurityTests/si-87-sectrust-name-constraints/TestCertificates create mode 100644 SecurityTests/si-87-sectrust-name-constraints/expects.plist create mode 100644 SecurityTests/si-87-sectrust-name-constraints/manifest.plist create mode 100644 SecurityTests/si-87-sectrust-name-constraints/root.cer create mode 100644 SecurityTests/si-88-sectrust-valid-data/ca-na.pem create mode 100644 SecurityTests/si-88-sectrust-valid-data/ca-nb.pem create mode 100644 SecurityTests/si-88-sectrust-valid-data/leaf-na-ok1.pem create mode 100644 SecurityTests/si-88-sectrust-valid-data/leaf-na-ok2.pem create mode 100644 SecurityTests/si-88-sectrust-valid-data/leaf-nb-ok1.pem create mode 100644 SecurityTests/si-88-sectrust-valid-data/leaf-nb-ok2.pem create mode 100644 SecurityTests/si-88-sectrust-valid-data/leaf-nb-revoked1.pem create mode 100644 SecurityTests/si-88-sectrust-valid-data/root.pem create mode 100644 base/SecSignpost.h create mode 100644 base/SecurityCustomSignposts.plist create mode 120000 header_symlinks/Security/CSCommon.h create mode 120000 
header_symlinks/Security/CSCommonPriv.h create mode 120000 header_symlinks/Security/CodeSigning.h create mode 120000 header_symlinks/Security/SecCode.h create mode 120000 header_symlinks/Security/SecCodeHost.h create mode 120000 header_symlinks/Security/SecCodePriv.h create mode 120000 header_symlinks/Security/SecCodeSigner.h rename keychain/trust/.open_source_exclude => header_symlinks/Security/SecRandomP.h (100%) create mode 120000 header_symlinks/Security/SecRequirement.h create mode 120000 header_symlinks/Security/SecRequirementPriv.h create mode 120000 header_symlinks/Security/SecSignpost.h create mode 120000 header_symlinks/Security/SecStaticCode.h create mode 120000 header_symlinks/Security/SecStaticCodePriv.h create mode 120000 header_symlinks/Security/X509Templates.h create mode 120000 header_symlinks/Security/keyTemplates.h create mode 120000 header_symlinks/Security/nameTemplates.h create mode 120000 header_symlinks/Security/oids.h create mode 120000 header_symlinks/Security/oidsattr.h delete mode 120000 header_symlinks/iOS/Security/CSCommon.h delete mode 120000 header_symlinks/iOS/Security/CSCommonPriv.h delete mode 120000 header_symlinks/iOS/Security/CodeSigning.h delete mode 120000 header_symlinks/iOS/Security/SecCode.h delete mode 120000 header_symlinks/iOS/Security/SecCodeHost.h delete mode 120000 header_symlinks/iOS/Security/SecCodePriv.h delete mode 120000 header_symlinks/iOS/Security/SecCodeSigner.h delete mode 120000 header_symlinks/iOS/Security/SecRequirement.h delete mode 120000 header_symlinks/iOS/Security/SecRequirementPriv.h delete mode 120000 header_symlinks/iOS/Security/SecStaticCode.h delete mode 120000 header_symlinks/iOS/Security/SecStaticCodePriv.h delete mode 120000 header_symlinks/iOS/Security/X509Templates.h delete mode 120000 header_symlinks/iOS/Security/keyTemplates.h delete mode 120000 header_symlinks/iOS/Security/nameTemplates.h delete mode 120000 header_symlinks/iOS/Security/oidsattr.h create mode 120000 
header_symlinks/macOS/Security/AuthSession.h create mode 120000 header_symlinks/macOS/Security/Authorization.h create mode 120000 header_symlinks/macOS/Security/AuthorizationDB.h create mode 120000 header_symlinks/macOS/Security/AuthorizationPlugin.h create mode 120000 header_symlinks/macOS/Security/AuthorizationPriv.h create mode 120000 header_symlinks/macOS/Security/AuthorizationTags.h create mode 120000 header_symlinks/macOS/Security/AuthorizationTagsPriv.h create mode 120000 header_symlinks/macOS/Security/CMSDecoder.h create mode 120000 header_symlinks/macOS/Security/CMSEncoder.h create mode 120000 header_symlinks/macOS/Security/CMSPrivate.h create mode 120000 header_symlinks/macOS/Security/CipherSuite.h create mode 120000 header_symlinks/macOS/Security/SecACL.h create mode 120000 header_symlinks/macOS/Security/SecASN1Coder.h create mode 120000 header_symlinks/macOS/Security/SecASN1Templates.h create mode 120000 header_symlinks/macOS/Security/SecAccess.h create mode 120000 header_symlinks/macOS/Security/SecAccessControl.h create mode 120000 header_symlinks/macOS/Security/SecAccessPriv.h create mode 120000 header_symlinks/macOS/Security/SecCertificateBundle.h create mode 120000 header_symlinks/macOS/Security/SecCertificateOIDs.h create mode 120000 header_symlinks/macOS/Security/SecCmsDigestedData.h create mode 120000 header_symlinks/macOS/Security/SecCmsEncryptedData.h create mode 120000 header_symlinks/macOS/Security/SecCustomTransform.h create mode 120000 header_symlinks/macOS/Security/SecDecodeTransform.h create mode 120000 header_symlinks/macOS/Security/SecDigestTransform.h create mode 120000 header_symlinks/macOS/Security/SecEncodeTransform.h create mode 120000 header_symlinks/macOS/Security/SecEncryptTransform.h create mode 120000 header_symlinks/macOS/Security/SecIdentitySearch.h create mode 120000 header_symlinks/macOS/Security/SecIdentitySearchPriv.h create mode 120000 header_symlinks/macOS/Security/SecKeychain.h create mode 120000 
header_symlinks/macOS/Security/SecKeychainItem.h create mode 120000 header_symlinks/macOS/Security/SecKeychainItemPriv.h create mode 120000 header_symlinks/macOS/Security/SecKeychainPriv.h create mode 120000 header_symlinks/macOS/Security/SecKeychainSearch.h create mode 120000 header_symlinks/macOS/Security/SecKeychainSearchPriv.h create mode 120000 header_symlinks/macOS/Security/SecPolicySearch.h create mode 120000 header_symlinks/macOS/Security/SecReadTransform.h create mode 120000 header_symlinks/macOS/Security/SecSMIME.h create mode 120000 header_symlinks/macOS/Security/SecSignVerifyTransform.h create mode 120000 header_symlinks/macOS/Security/SecTransform.h create mode 120000 header_symlinks/macOS/Security/SecTransformReadTransform.h create mode 120000 header_symlinks/macOS/Security/SecTrustedApplication.h create mode 120000 header_symlinks/macOS/Security/SecTrustedApplicationPriv.h create mode 120000 header_symlinks/macOS/Security/SecureTransport.h create mode 120000 header_symlinks/macOS/Security/TrustSettingsSchema.h create mode 120000 header_symlinks/macOS/Security/certExtensionTemplates.h create mode 120000 header_symlinks/macOS/Security/checkpw.h create mode 120000 header_symlinks/macOS/Security/csrTemplates.h create mode 120000 header_symlinks/macOS/Security/cssm.h create mode 120000 header_symlinks/macOS/Security/cssmaci.h create mode 120000 header_symlinks/macOS/Security/cssmapi.h create mode 120000 header_symlinks/macOS/Security/cssmapple.h create mode 120000 header_symlinks/macOS/Security/cssmapplePriv.h create mode 120000 header_symlinks/macOS/Security/cssmcli.h create mode 120000 header_symlinks/macOS/Security/cssmconfig.h create mode 120000 header_symlinks/macOS/Security/cssmcspi.h create mode 120000 header_symlinks/macOS/Security/cssmdli.h create mode 120000 header_symlinks/macOS/Security/cssmerr.h create mode 120000 header_symlinks/macOS/Security/cssmkrapi.h create mode 120000 header_symlinks/macOS/Security/cssmkrspi.h create mode 120000 
header_symlinks/macOS/Security/cssmspi.h create mode 120000 header_symlinks/macOS/Security/cssmtpi.h create mode 120000 header_symlinks/macOS/Security/cssmtype.h create mode 120000 header_symlinks/macOS/Security/emmspi.h create mode 120000 header_symlinks/macOS/Security/emmtype.h create mode 120000 header_symlinks/macOS/Security/mds.h create mode 120000 header_symlinks/macOS/Security/mds_schema.h create mode 120000 header_symlinks/macOS/Security/mdspriv.h create mode 120000 header_symlinks/macOS/Security/ocspTemplates.h create mode 120000 header_symlinks/macOS/Security/oids.h create mode 120000 header_symlinks/macOS/Security/oidsalg.h create mode 120000 header_symlinks/macOS/Security/oidscert.h create mode 120000 header_symlinks/macOS/Security/oidscrl.h create mode 120000 header_symlinks/macOS/Security/osKeyTemplates.h create mode 120000 header_symlinks/macOS/Security/secasn1t.h create mode 120000 header_symlinks/macOS/Security/tsaTemplates.h create mode 120000 header_symlinks/macOS/Security/x509defs.h create mode 100644 keychain/Signin Metrics/SFTransactionMetric.h create mode 100644 keychain/Signin Metrics/SFTransactionMetric.m create mode 100644 keychain/behavior/SFBehavior.h create mode 100644 keychain/behavior/SFBehavior.m create mode 100644 keychain/ckks/CKKSAnalytics.h create mode 100644 keychain/ckks/CKKSAnalytics.m delete mode 100644 keychain/ckks/CKKSAnalyticsLogger.h delete mode 100644 keychain/ckks/CKKSAnalyticsLogger.m create mode 100644 keychain/ckks/CKKSControlServer.h create mode 100644 keychain/ckks/CKKSControlServer.m delete mode 100644 keychain/ckks/CKKSLogger.h delete mode 100644 keychain/ckks/CKKSLogger.m delete mode 100644 keychain/ckks/CKKSLogging.plist create mode 100644 keychain/ckks/CKKSReachabilityTracker.h create mode 100644 keychain/ckks/CKKSReachabilityTracker.m create mode 100644 keychain/ckks/tests/CKKSDeviceStateUploadTests.m create mode 100644 keychain/ckks/tests/CloudKitKeychainSyncingTestsBase.h create mode 100644 
keychain/ckks/tests/CloudKitKeychainSyncingTestsBase.m rename keychain/{trust/TrustedPeersTests/TPDummyDecrypter.h => ot/OT.h} (87%) rename keychain/{trust/TrustedPeers/TPUtils.m => ot/OT.m} (51%) create mode 100644 keychain/ot/OTAuthenticatedCiphertext+SF.h rename keychain/{trust/TrustedPeersTests/TPDummyEncrypter.m => ot/OTAuthenticatedCiphertext+SF.m} (56%) create mode 100644 keychain/ot/OTBottledPeer.h create mode 100644 keychain/ot/OTBottledPeer.m rename keychain/{trust/TrustedPeers/TPSigningKey.h => ot/OTBottledPeerRecord.h} (57%) rename keychain/{trust/TrustedPeersTests/TPDummyDecrypter.m => ot/OTBottledPeerRecord.m} (53%) create mode 100644 keychain/ot/OTBottledPeerSigned.h create mode 100644 keychain/ot/OTBottledPeerSigned.m create mode 100644 keychain/ot/OTCloudStore.h create mode 100644 keychain/ot/OTCloudStore.m create mode 100644 keychain/ot/OTCloudStoreState.h create mode 100644 keychain/ot/OTCloudStoreState.m create mode 100644 keychain/ot/OTConstants.h create mode 100644 keychain/ot/OTConstants.m create mode 100644 keychain/ot/OTContext.h create mode 100644 keychain/ot/OTContext.m rename keychain/{trust/TrustedPeers/TPHash.h => ot/OTContextRecord.h} (56%) rename keychain/{trust/TrustedPeersTests/TPDummySigningKeyTests.m => ot/OTContextRecord.m} (64%) create mode 100644 keychain/ot/OTControl.h create mode 100644 keychain/ot/OTControl.m create mode 100644 keychain/ot/OTControlProtocol.h create mode 100644 keychain/ot/OTControlProtocol.m create mode 100644 keychain/ot/OTDefines.h create mode 100644 keychain/ot/OTEscrowKeys.h create mode 100644 keychain/ot/OTEscrowKeys.m create mode 100644 keychain/ot/OTIdentity.h create mode 100644 keychain/ot/OTIdentity.m create mode 100644 keychain/ot/OTLocalStore.h create mode 100644 keychain/ot/OTLocalStore.m rename keychain/{trust/TrustedPeersTests/TPDummySigningKey.h => ot/OTManager.h} (55%) create mode 100644 keychain/ot/OTManager.m create mode 100644 keychain/ot/OTPreflightInfo.h create mode 100644 
keychain/ot/OTPreflightInfo.m rename keychain/{trust/TrustedPeersTests/TPDummyEncrypter.h => ot/OTPrivateKey+SF.h} (85%) create mode 100644 keychain/ot/OTPrivateKey+SF.m create mode 100644 keychain/ot/OTRamping.h create mode 100644 keychain/ot/OTRamping.m create mode 100644 keychain/ot/OctagonControlServer.h create mode 100644 keychain/ot/OctagonControlServer.m create mode 100644 keychain/ot/SFECPublicKey+SPKI.m rename keychain/{trust/TrustedPeers/TPEncrypter.h => ot/SFPublicKey+SPKI.h} (83%) create mode 100644 keychain/ot/proto/OTAuthenticatedCiphertext.proto rename keychain/{trust/TrustedPeers/TPCategoryRule.m => ot/proto/OTBottle.proto} (50%) rename keychain/{trust/TrustedPeersTests/TPUtilsTests.m => ot/proto/OTBottleContents.proto} (68%) create mode 100644 keychain/ot/proto/OTPrivateKey.proto create mode 100644 keychain/ot/proto/source/OTAuthenticatedCiphertext.h create mode 100644 keychain/ot/proto/source/OTAuthenticatedCiphertext.m create mode 100644 keychain/ot/proto/source/OTBottle.h create mode 100644 keychain/ot/proto/source/OTBottle.m create mode 100644 keychain/ot/proto/source/OTBottleContents.h create mode 100644 keychain/ot/proto/source/OTBottleContents.m create mode 100644 keychain/ot/proto/source/OTPrivateKey.h create mode 100644 keychain/ot/proto/source/OTPrivateKey.m create mode 100644 keychain/ot/tests/OTBottledPeerTLK.m create mode 100644 keychain/ot/tests/OTBottledPeerTests.m create mode 100644 keychain/ot/tests/OTCloudStoreTests.m create mode 100644 keychain/ot/tests/OTContextTests.m create mode 100644 keychain/ot/tests/OTEscrowKeyTests.m create mode 100644 keychain/ot/tests/OTLocalStoreTests.m create mode 100644 keychain/ot/tests/OTLockStateNetworkingTests.m create mode 100644 keychain/ot/tests/OTRampingTests.m rename keychain/{trust/TrustedPeersTests/Info.plist => ot/tests/OTTests-Info.plist} (100%) create mode 100644 keychain/ot/tests/OTTestsBase.h create mode 100644 keychain/ot/tests/OTTestsBase.m rename 
OTAPKIAssetTool/OTAPKIAssetTool-entitlements.plist => keychain/otctl/otctl-Entitlements.plist (55%) create mode 100644 keychain/otctl/otctl.m delete mode 100644 keychain/trust/TrustedPeers/TPCategoryRule.h delete mode 100644 keychain/trust/TrustedPeers/TPCircle.h delete mode 100644 keychain/trust/TrustedPeers/TPCircle.m delete mode 100644 keychain/trust/TrustedPeers/TPHash.m delete mode 100644 keychain/trust/TrustedPeers/TPModel.h delete mode 100644 keychain/trust/TrustedPeers/TPModel.m delete mode 100644 keychain/trust/TrustedPeers/TPPeer.h delete mode 100644 keychain/trust/TrustedPeers/TPPeer.m delete mode 100644 keychain/trust/TrustedPeers/TPPeerDynamicInfo.h delete mode 100644 keychain/trust/TrustedPeers/TPPeerDynamicInfo.m delete mode 100644 keychain/trust/TrustedPeers/TPPeerPermanentInfo.h delete mode 100644 keychain/trust/TrustedPeers/TPPeerPermanentInfo.m delete mode 100644 keychain/trust/TrustedPeers/TPPeerStableInfo.h delete mode 100644 keychain/trust/TrustedPeers/TPPeerStableInfo.m delete mode 100644 keychain/trust/TrustedPeers/TPPolicy.h delete mode 100644 keychain/trust/TrustedPeers/TPPolicy.m delete mode 100644 keychain/trust/TrustedPeers/TPPolicyDocument.h delete mode 100644 keychain/trust/TrustedPeers/TPPolicyDocument.m delete mode 100644 keychain/trust/TrustedPeers/TPVoucher.h delete mode 100644 keychain/trust/TrustedPeers/TPVoucher.m delete mode 100644 keychain/trust/TrustedPeersTests/TPCircleTests.m delete mode 100644 keychain/trust/TrustedPeersTests/TPDummySigningKey.m delete mode 100644 keychain/trust/TrustedPeersTests/TPHashTests.m delete mode 100644 keychain/trust/TrustedPeersTests/TPModelTests.m delete mode 100644 keychain/trust/TrustedPeersTests/TPPeerPermanentInfoTests.m delete mode 100644 keychain/trust/TrustedPeersTests/TPPeerStableInfoTests.m delete mode 100644 keychain/trust/TrustedPeersTests/TPPeerTests.m delete mode 100644 keychain/trust/TrustedPeersTests/TPPolicyDocumentTests.m delete mode 100644 
keychain/trust/TrustedPeersTests/TPVoucherTests.m create mode 100644 resources/English.lproj/Trust.strings rename {keychain/trust/TrustedPeers => secdxctests}/Info.plist (71%) create mode 100644 secdxctests/KeychainAPITests.m create mode 100644 secdxctests/KeychainCryptoTests.m create mode 100644 secdxctests/KeychainXCTest.h create mode 100644 secdxctests/KeychainXCTest.m create mode 100644 supd/Info.plist create mode 100644 supd/Tests/Info.plist create mode 100644 supd/Tests/SFAnalyticsTests.m create mode 100644 supd/Tests/SupdTests.m create mode 100644 supd/main.m create mode 100644 supd/securityuploadd-Entitlements.plist create mode 100644 supd/securityuploadd-ios.plist create mode 100644 supd/securityuploadd-osx.plist create mode 100644 supd/securityuploadd.8 create mode 100644 supd/supd.h create mode 100644 supd/supd.m create mode 100644 supd/supdProtocol.h create mode 100644 supdctl/main.m create mode 100644 supdctl/supdctl-Entitlements.plist create mode 100644 tests/secdmockaks/Info.plist create mode 100644 tests/secdmockaks/mockaks.h create mode 100644 tests/secdmockaks/mockaks.m create mode 100644 tests/secdmockaks/secdmock_db_version_10_5.h create mode 100644 tests/secdmockaks/secdmockaks.m create mode 100644 tests/secdmockaks/testPlistDER.m rename {OSX/libsecurity_keychain/libDER/libDER => trust}/oids.h (94%) diff --git a/keychain/trust/TrustedPeers/TrustedPeers.h b/Analytics/Clients/SOSAnalytics.h similarity index 53% rename from keychain/trust/TrustedPeers/TrustedPeers.h rename to Analytics/Clients/SOSAnalytics.h index 0d85290f..53e81312 100644 --- a/keychain/trust/TrustedPeers/TrustedPeers.h +++ b/Analytics/Clients/SOSAnalytics.h 
@@ -21,25 +21,31 @@ * @APPLE_LICENSE_HEADER_END@ */ +#if __OBJC2__ +#ifndef SOSAnalytics_h +#define SOSAnalytics_h + #import +#import "Analytics/SFAnalytics.h" + +extern NSString* const CKDKVSPerformanceCountersSampler; + +@protocol CKDKVSPerformanceCounter +@end +typedef NSString CKDKVSPerformanceCounter; +extern CKDKVSPerformanceCounter* const CKDKVSPerfCounterSynchronize; +extern CKDKVSPerformanceCounter* const CKDKVSPerfCounterSynchronizeWithCompletionHandler; +extern CKDKVSPerformanceCounter* const CKDKVSPerfCounterIncomingMessages; +extern CKDKVSPerformanceCounter* const CKDKVSPerfCounterOutgoingMessages; +extern CKDKVSPerformanceCounter* const CKDKVSPerfCounterTotalWaitTimeSynchronize; +extern CKDKVSPerformanceCounter* const CKDKVSPerfCounterLongestWaitTimeSynchronize; +extern CKDKVSPerformanceCounter* const CKDKVSPerfCounterSynchronizeFailures; + +@interface SOSAnalytics : SFAnalytics + ++ (instancetype)logger; + +@end -//! Project version number for TrustedPeers. -FOUNDATION_EXPORT double TrustedPeersVersionNumber; - -//! Project version string for TrustedPeers. -FOUNDATION_EXPORT const unsigned char TrustedPeersVersionString[]; - -#import -#import -#import -#import -#import -#import -#import -#import -#import -#import -#import -#import -#import -#import +#endif +#endif diff --git a/Analytics/Clients/SOSAnalytics.m b/Analytics/Clients/SOSAnalytics.m new file mode 100644 index 00000000..fb680277 --- /dev/null +++ b/Analytics/Clients/SOSAnalytics.m 
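Review bot: The counter constants declared after `typedef NSString CKDKVSPerformanceCounter;` have no comment saying what each one measures, and the two wait-time counters (`CKDKVSPerfCounterTotalWaitTimeSynchronize`, `CKDKVSPerfCounterLongestWaitTimeSynchronize`) do not state a unit. A header comment such as `// CKDKVS performance counters; wait-time counters are reported in <unit>` would let consumers of the sampled values interpret them. The empty `@protocol CKDKVSPerformanceCounter` paired with the same-named typedef also deserves a one-line comment explaining the pattern. Angle-bracketed text appears to have been stripped from this page (the `#import` lines are empty), so the typedef may be protocol-qualified in the real file.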
@@ -0,0 +1,76 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if __OBJC2__ + +#import "SOSAnalytics.h" +#include +#include + +NSString* const CKDKVSPerformanceCountersSampler = @"CKDKVSPerformanceCounterSampler"; + +CKDKVSPerformanceCounter* const CKDKVSPerfCounterSynchronize = (CKDKVSPerformanceCounter*)@"CKDKVS-synchronize"; +CKDKVSPerformanceCounter* const CKDKVSPerfCounterSynchronizeWithCompletionHandler = (CKDKVSPerformanceCounter*)@"CKDKVS-synchronizeWithCompletionHandler"; +CKDKVSPerformanceCounter* const CKDKVSPerfCounterIncomingMessages = (CKDKVSPerformanceCounter*)@"CKDKVS-incomingMessages"; +CKDKVSPerformanceCounter* const CKDKVSPerfCounterOutgoingMessages = (CKDKVSPerformanceCounter*)@"CKDKVS-outgoingMessages"; +CKDKVSPerformanceCounter* const CKDKVSPerfCounterTotalWaitTimeSynchronize = (CKDKVSPerformanceCounter*)@"CKDKVS-totalWaittimeSynchronize"; +CKDKVSPerformanceCounter* const CKDKVSPerfCounterLongestWaitTimeSynchronize = (CKDKVSPerformanceCounter*)@"CKDKVS-longestWaittimeSynchronize"; +CKDKVSPerformanceCounter* const 
CKDKVSPerfCounterSynchronizeFailures = (CKDKVSPerformanceCounter*)@"CKDKVS-synchronizeFailures"; + +@implementation SOSAnalytics + ++ (NSString*)databasePath +{ + // This block exists because we moved database locations in 11.3 for easier sandboxing, so we're cleaning up. + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + WithPathInKeychainDirectory(CFSTR("sos_analytics.db"), ^(const char *filename) { + remove(filename); + }); + WithPathInKeychainDirectory(CFSTR("sos_analytics.db-wal"), ^(const char *filename) { + remove(filename); + }); + WithPathInKeychainDirectory(CFSTR("sos_analytics.db-shm"), ^(const char *filename) { + remove(filename); + }); + }); + WithPathInKeychainDirectory(CFSTR("Analytics"), ^(const char *path) { +#if TARGET_OS_IPHONE + mode_t permissions = 0775; +#else + mode_t permissions = 0700; +#endif // TARGET_OS_IPHONE + mkpath_np(path, permissions); + chmod(path, permissions); + }); + return [(__bridge_transfer NSURL*)SecCopyURLForFileInKeychainDirectory((__bridge CFStringRef)@"Analytics/sos_analytics.db") path]; +} + ++ (instancetype)logger +{ + return [super logger]; +} + +@end + +#endif diff --git a/Analytics/SFAnalytics+Internal.h b/Analytics/SFAnalytics+Internal.h new file mode 100644 index 00000000..05aa19a7 --- /dev/null +++ b/Analytics/SFAnalytics+Internal.h 
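Review bot: In `+databasePath` the return values of `mkpath_np` and `chmod` are discarded, so a failure to create or re-permission the `Analytics` directory only surfaces later, when the store is opened at the returned path. Checking the result would make that diagnosable, for example `int rc = mkpath_np(path, permissions);` followed by `if (rc != 0 && rc != EEXIST) { secerror("SOSAnalytics: mkpath_np failed: %d", rc); }`, assuming `secerror` is reachable from this file (its include lines are not legible here). The iOS branch also sets `0775`, which leaves the directory group-writable and traversable by every user while macOS gets `0700`. A short comment above `mode_t permissions = 0775;` should name the process or group that needs this access, so the wider mode is visibly deliberate. The three `remove()` calls are best-effort cleanup and are fine unchecked.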
@@ -0,0 +1,38 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#ifndef SFAnalytics_Internal_h +#define SFAnalytics_Internal_h + +#if __OBJC2__ + +#import "SFAnalytics.h" + +@interface SFAnalytics (Internal) + +- (void)logMetric:(NSNumber*)metric withName:(NSString*)metricName oncePerReport:(BOOL)once; + +@end + +#endif // objc2 +#endif /* SFAnalytics_Internal_h */ diff --git a/Analytics/SFAnalytics.h b/Analytics/SFAnalytics.h new file mode 100644 index 00000000..66b0fe36 --- /dev/null +++ b/Analytics/SFAnalytics.h 
@@ -0,0 +1,87 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if __OBJC2__ +#ifndef SFAnalytics_h +#define SFAnalytics_h + +#import +#import "SFAnalyticsSampler.h" +#import "SFAnalyticsMultiSampler.h" +#import "SFAnalyticsActivityTracker.h" + +// this sampling interval will cause the sampler to run only at data reporting time +extern const NSTimeInterval SFAnalyticsSamplerIntervalOncePerReport; + +@interface SFAnalytics : NSObject + ++ (instancetype)logger; + ++ (NSInteger)fuzzyDaysSinceDate:(NSDate*)date; ++ (void)addOSVersionToEvent:(NSMutableDictionary*)event; + +// Log event-based metrics: create an event corresponding to some event in your feature +// and call the appropriate method based on the successfulness of that event +- (void)logSuccessForEventNamed:(NSString*)eventName; +- (void)logHardFailureForEventNamed:(NSString*)eventName withAttributes:(NSDictionary*)attributes; +- (void)logSoftFailureForEventNamed:(NSString*)eventName withAttributes:(NSDictionary*)attributes; +// or just log an event if it is not failable +- 
(void)noteEventNamed:(NSString*)eventName; + +- (void)logResultForEvent:(NSString*)eventName hardFailure:(bool)hardFailure result:(NSError*)eventResultError; + +// Track the state of a named value over time +- (SFAnalyticsSampler*)addMetricSamplerForName:(NSString*)samplerName withTimeInterval:(NSTimeInterval)timeInterval block:(NSNumber* (^)(void))block; +- (SFAnalyticsSampler*)existingMetricSamplerForName:(NSString*)samplerName; +- (void)removeMetricSamplerForName:(NSString*)samplerName; +// Same idea, but log multiple named values in a single block +- (SFAnalyticsMultiSampler*)AddMultiSamplerForName:(NSString*)samplerName withTimeInterval:(NSTimeInterval)timeInterval block:(NSDictionary* (^)(void))block; +- (SFAnalyticsMultiSampler*)existingMultiSamplerForName:(NSString*)samplerName; +- (void)removeMultiSamplerForName:(NSString*)samplerName; + +// Log measurements of arbitrary things +// System metrics measures how much time it takes to complete the action - possibly more in the future. The return value can be ignored if you only need to execute 1 block for your activity +- (SFAnalyticsActivityTracker*)logSystemMetricsForActivityNamed:(NSString*)eventName withAction:(void (^)(void))action; +- (void)logMetric:(NSNumber*)metric withName:(NSString*)metricName; + + + +// -------------------------------- +// Things below are for subclasses + +// Override to create a concrete logger instance +@property (readonly, class) NSString* databasePath; + +// Storing dates +- (void)setDateProperty:(NSDate*)date forKey:(NSString*)key; +- (NSDate*)datePropertyForKey:(NSString*)key; + +// -------------------------------- +// Things below are for unit testing + +- (void)removeState; // removes DB object and any samplers + +@end + +#endif +#endif diff --git a/Analytics/SFAnalytics.m b/Analytics/SFAnalytics.m new file mode 100644 index 00000000..af07dd86 --- /dev/null +++ b/Analytics/SFAnalytics.m 
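Review bot: The `+logger` declaration does not say that it can return nil, although the implementation added in `SFAnalytics.m` in this same patch returns nil under `TARGET_OS_SIMULATOR` and when called on `SFAnalytics` itself. A comment such as `// Returns nil on the simulator and when sent to the abstract SFAnalytics class` above `+ (instancetype)logger;` would tell callers that their metrics may be silently dropped. Two style points in the same interface: `AddMultiSamplerForName:` starts with a capital letter while its sibling is `addMetricSamplerForName:`, and `logResultForEvent:hardFailure:result:` takes a C `bool` while `logMetric:withName:oncePerReport:` in the internal category takes `BOOL`.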
@@ -0,0 +1,530 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if __OBJC2__ + +#import "SFAnalytics+Internal.h" +#import "SFAnalyticsDefines.h" +#import "SFAnalyticsActivityTracker+Internal.h" +#import "SFAnalyticsSampler+Internal.h" +#import "SFAnalyticsMultiSampler+Internal.h" +#import "SFAnalyticsSQLiteStore.h" +#import "utilities/debugging.h" +#import +#import + +// SFAnalyticsDefines constants +NSString* const SFAnalyticsTableSuccessCount = @"success_count"; +NSString* const SFAnalyticsTableHardFailures = @"hard_failures"; +NSString* const SFAnalyticsTableSoftFailures = @"soft_failures"; +NSString* const SFAnalyticsTableSamples = @"samples"; +NSString* const SFAnalyticsTableAllEvents = @"all_events"; + +NSString* const SFAnalyticsColumnSuccessCount = @"success_count"; +NSString* const SFAnalyticsColumnHardFailureCount = @"hard_failure_count"; +NSString* const SFAnalyticsColumnSoftFailureCount = @"soft_failure_count"; +NSString* const SFAnalyticsColumnSampleValue = @"value"; +NSString* const SFAnalyticsColumnSampleName = @"name"; + 
+NSString* const SFAnalyticsEventTime = @"eventTime"; +NSString* const SFAnalyticsEventType = @"eventType"; +NSString* const SFAnalyticsEventClassKey = @"eventClass"; + +NSString* const SFAnalyticsAttributeErrorUnderlyingChain = @"errorChain"; +NSString* const SFAnalyticsAttributeErrorDomain = @"errorDomain"; +NSString* const SFAnalyticsAttributeErrorCode = @"errorCode"; + +NSString* const SFAnalyticsUserDefaultsSuite = @"com.apple.security.analytics"; + +char* const SFAnalyticsFireSamplersNotification = "com.apple.security.sfanalytics.samplers"; + +NSString* const SFAnalyticsTopicKeySync = @"KeySyncTopic"; +NSString* const SFAnaltyicsTopicTrust = @"TrustTopic"; + +NSString* const SFAnalyticsTableSchema = @"CREATE TABLE IF NOT EXISTS hard_failures (\n" + @"id INTEGER PRIMARY KEY AUTOINCREMENT,\n" + @"timestamp REAL," + @"data BLOB\n" + @");\n" + @"CREATE TRIGGER IF NOT EXISTS maintain_ring_buffer_hard_failures AFTER INSERT ON hard_failures\n" + @"BEGIN\n" + @"DELETE FROM hard_failures WHERE id != NEW.id AND id % 1000 = NEW.id % 1000;\n" + @"END;\n" + @"CREATE TABLE IF NOT EXISTS soft_failures (\n" + @"id INTEGER PRIMARY KEY AUTOINCREMENT,\n" + @"timestamp REAL," + @"data BLOB\n" + @");\n" + @"CREATE TRIGGER IF NOT EXISTS maintain_ring_buffer_soft_failures AFTER INSERT ON soft_failures\n" + @"BEGIN\n" + @"DELETE FROM soft_failures WHERE id != NEW.id AND id % 1000 = NEW.id % 1000;\n" + @"END;\n" + @"CREATE TABLE IF NOT EXISTS all_events (\n" + @"id INTEGER PRIMARY KEY AUTOINCREMENT,\n" + @"timestamp REAL," + @"data BLOB\n" + @");\n" + @"CREATE TRIGGER IF NOT EXISTS maintain_ring_buffer_all_events AFTER INSERT ON all_events\n" + @"BEGIN\n" + @"DELETE FROM all_events WHERE id != NEW.id AND id % 10000 = NEW.id % 10000;\n" + @"END;\n" + @"CREATE TABLE IF NOT EXISTS samples (\n" + @"id INTEGER PRIMARY KEY AUTOINCREMENT,\n" + @"timestamp REAL,\n" + @"name STRING,\n" + @"value REAL\n" + @");\n" + @"CREATE TRIGGER IF NOT EXISTS maintain_ring_buffer_samples AFTER INSERT ON 
samples\n" + @"BEGIN\n" + @"DELETE FROM samples WHERE id != NEW.id AND id % 1000 = NEW.id % 1000;\n" + @"END;\n" + @"CREATE TABLE IF NOT EXISTS success_count (\n" + @"event_type STRING PRIMARY KEY,\n" + @"success_count INTEGER,\n" + @"hard_failure_count INTEGER,\n" + @"soft_failure_count INTEGER\n" + @");\n"; + +NSUInteger const SFAnalyticsMaxEventsToReport = 1000; + +// Local constants +NSString* const SFAnalyticsEventBuild = @"build"; +NSString* const SFAnalyticsEventProduct = @"product"; +const NSTimeInterval SFAnalyticsSamplerIntervalOncePerReport = -1.0; + +@interface SFAnalytics () +@property (nonatomic) SFAnalyticsSQLiteStore* database; +@end + +@implementation SFAnalytics { + SFAnalyticsSQLiteStore* _database; + dispatch_queue_t _queue; + NSMutableDictionary* _samplers; + NSMutableDictionary* _multisamplers; + unsigned int _disableLogging:1; +} + ++ (instancetype)logger +{ +#if TARGET_OS_SIMULATOR + return nil; +#else + + if (self == [SFAnalytics class]) { + secerror("attempt to instatiate abstract class SFAnalytics"); + return nil; + } + + SFAnalytics* logger = nil; + @synchronized(self) { + logger = objc_getAssociatedObject(self, "SFAnalyticsInstance"); + if (!logger) { + logger = [[self alloc] init]; + objc_setAssociatedObject(self, "SFAnalyticsInstance", logger, OBJC_ASSOCIATION_RETAIN); + } + } + + [logger database]; // For unit testing so there's always a database. DB shouldn't be nilled in production though + return logger; +#endif +} + ++ (NSString*)databasePath +{ + return nil; +} + ++ (NSInteger)fuzzyDaysSinceDate:(NSDate*)date +{ + // Sentinel: it didn't happen at all + if (!date) { + return -1; + } + + // Sentinel: it happened but we don't know when because the date doesn't make sense + // Magic number represents January 1, 2017. 
+ if ([date compare:[NSDate dateWithTimeIntervalSince1970:1483228800]] == NSOrderedAscending) { + return 1000; + } + + NSInteger secondsPerDay = 60 * 60 * 24; + + NSTimeInterval timeIntervalSinceDate = [[NSDate date] timeIntervalSinceDate:date]; + if (timeIntervalSinceDate < secondsPerDay) { + return 0; + } + else if (timeIntervalSinceDate < (secondsPerDay * 7)) { + return 1; + } + else if (timeIntervalSinceDate < (secondsPerDay * 30)) { + return 7; + } + else if (timeIntervalSinceDate < (secondsPerDay * 365)) { + return 30; + } + else { + return 365; + } +} + +// Instantiate lazily so unit tests can have clean databases each +- (SFAnalyticsSQLiteStore*)database +{ + if (!_database) { + _database = [SFAnalyticsSQLiteStore storeWithPath:self.class.databasePath schema:SFAnalyticsTableSchema]; + } + return _database; +} + +- (void)removeState +{ + [_samplers removeAllObjects]; + [_multisamplers removeAllObjects]; + + __weak __typeof(self) weakSelf = self; + dispatch_sync(_queue, ^{ + __strong __typeof(self) strongSelf = weakSelf; + if (strongSelf) { + [strongSelf.database close]; + strongSelf->_database = nil; + } + }); +} + +- (void)setDateProperty:(NSDate*)date forKey:(NSString*)key +{ + __weak __typeof(self) weakSelf = self; + dispatch_sync(_queue, ^{ + __strong __typeof(self) strongSelf = weakSelf; + if (strongSelf) { + [strongSelf.database setDateProperty:date forKey:key]; + } + }); +} + +- (NSDate*)datePropertyForKey:(NSString*)key +{ + __block NSDate* result = nil; + __weak __typeof(self) weakSelf = self; + dispatch_sync(_queue, ^{ + __strong __typeof(self) strongSelf = weakSelf; + if (strongSelf) { + result = [strongSelf.database datePropertyForKey:key]; + } + }); + return result; +} + ++ (void)addOSVersionToEvent:(NSMutableDictionary*)eventDict { + static dispatch_once_t onceToken; + static NSString *build = NULL; + static NSString *product = NULL; + dispatch_once(&onceToken, ^{ + NSDictionary *version = CFBridgingRelease(_CFCopySystemVersionDictionary()); + 
if (version == NULL) + return; + build = version[(__bridge NSString *)_kCFSystemVersionBuildVersionKey]; + product = version[(__bridge NSString *)_kCFSystemVersionProductNameKey]; + }); + if (build) { + eventDict[SFAnalyticsEventBuild] = build; + } + if (product) { + eventDict[SFAnalyticsEventProduct] = product; + } +} + +- (instancetype)init +{ + if (self = [super init]) { + _queue = dispatch_queue_create("SFAnalytics data access queue", DISPATCH_QUEUE_SERIAL_WITH_AUTORELEASE_POOL); + _samplers = [NSMutableDictionary new]; + _multisamplers = [NSMutableDictionary new]; + [self database]; // for side effect of instantiating DB object. Used for testing. + } + + return self; +} + +// MARK: Event logging + +- (void)logSuccessForEventNamed:(NSString*)eventName +{ + [self logEventNamed:eventName class:SFAnalyticsEventClassSuccess attributes:nil]; +} + +- (void)logHardFailureForEventNamed:(NSString*)eventName withAttributes:(NSDictionary*)attributes +{ + [self logEventNamed:eventName class:SFAnalyticsEventClassHardFailure attributes:attributes]; +} + +- (void)logSoftFailureForEventNamed:(NSString*)eventName withAttributes:(NSDictionary*)attributes +{ + [self logEventNamed:eventName class:SFAnalyticsEventClassSoftFailure attributes:attributes]; +} + +- (void)logResultForEvent:(NSString*)eventName hardFailure:(bool)hardFailure result:(NSError*)eventResultError +{ + if(!eventResultError) { + [self logSuccessForEventNamed:eventName]; + } else { + // Make an Attributes dictionary + NSMutableDictionary* eventAttributes = [NSMutableDictionary dictionary]; + + /* if we have underlying errors, capture the chain below the top-most error */ + NSError *underlyingError = eventResultError.userInfo[NSUnderlyingErrorKey]; + if ([underlyingError isKindOfClass:[NSError class]]) { + NSMutableString *chain = [NSMutableString string]; + int count = 0; + do { + [chain appendFormat:@"%@-%ld:", underlyingError.domain, (long)underlyingError.code]; + underlyingError = 
underlyingError.userInfo[NSUnderlyingErrorKey]; + } while (count++ < 5 && [underlyingError isKindOfClass:[NSError class]]); + + eventAttributes[SFAnalyticsAttributeErrorUnderlyingChain] = chain; + } + + eventAttributes[SFAnalyticsAttributeErrorDomain] = eventResultError.domain; + eventAttributes[SFAnalyticsAttributeErrorCode] = @(eventResultError.code); + + if(hardFailure) { + [self logHardFailureForEventNamed:eventName withAttributes:eventAttributes]; + } else { + [self logSoftFailureForEventNamed:eventName withAttributes:eventAttributes]; + } + } +} + +- (void)noteEventNamed:(NSString*)eventName +{ + [self logEventNamed:eventName class:SFAnalyticsEventClassNote attributes:nil]; +} + +- (void)logEventNamed:(NSString*)eventName class:(SFAnalyticsEventClass)class attributes:(NSDictionary*)attributes +{ + if (!eventName) { + secerror("SFAnalytics: attempt to log an event with no name"); + return; + } + + __weak __typeof(self) weakSelf = self; + dispatch_sync(_queue, ^{ + __strong __typeof(self) strongSelf = weakSelf; + if (!strongSelf || strongSelf->_disableLogging) { + return; + } + + NSDictionary* eventDict = [self eventDictForEventName:eventName withAttributes:attributes eventClass:class]; + [strongSelf.database addEventDict:eventDict toTable:SFAnalyticsTableAllEvents]; + + if (class == SFAnalyticsEventClassHardFailure) { + [strongSelf.database addEventDict:eventDict toTable:SFAnalyticsTableHardFailures]; + [strongSelf.database incrementHardFailureCountForEventType:eventName]; + } + else if (class == SFAnalyticsEventClassSoftFailure) { + [strongSelf.database addEventDict:eventDict toTable:SFAnalyticsTableSoftFailures]; + [strongSelf.database incrementSoftFailureCountForEventType:eventName]; + } + else if (class == SFAnalyticsEventClassSuccess || class == SFAnalyticsEventClassNote) { + [strongSelf.database incrementSuccessCountForEventType:eventName]; + } + }); +} + +- (NSDictionary*)eventDictForEventName:(NSString*)eventName 
withAttributes:(NSDictionary*)attributes eventClass:(SFAnalyticsEventClass)eventClass +{ + NSMutableDictionary* eventDict = attributes ? attributes.mutableCopy : [NSMutableDictionary dictionary]; + eventDict[SFAnalyticsEventType] = eventName; + // our backend wants timestamps in milliseconds + eventDict[SFAnalyticsEventTime] = @([[NSDate date] timeIntervalSince1970] * 1000); + eventDict[SFAnalyticsEventClassKey] = @(eventClass); + [SFAnalytics addOSVersionToEvent:eventDict]; + + return eventDict; +} + +// MARK: Sampling + +- (SFAnalyticsSampler*)addMetricSamplerForName:(NSString *)samplerName withTimeInterval:(NSTimeInterval)timeInterval block:(NSNumber *(^)(void))block +{ + if (!samplerName) { + secerror("SFAnalytics: cannot add sampler without name"); + return nil; + } + if (timeInterval < 1.0f && timeInterval != SFAnalyticsSamplerIntervalOncePerReport) { + secerror("SFAnalytics: cannot add sampler with interval %f", timeInterval); + return nil; + } + if (!block) { + secerror("SFAnalytics: cannot add sampler without block"); + return nil; + } + + __block SFAnalyticsSampler* sampler = nil; + + __weak __typeof(self) weakSelf = self; + dispatch_sync(_queue, ^{ + __strong __typeof(self) strongSelf = weakSelf; + if (strongSelf->_samplers[samplerName]) { + secerror("SFAnalytics: sampler \"%@\" already exists", samplerName); + } else { + sampler = [[SFAnalyticsSampler alloc] initWithName:samplerName interval:timeInterval block:block clientClass:[self class]]; + strongSelf->_samplers[samplerName] = sampler; // If sampler did not init because of bad data this 'removes' it from the dict, so a noop + } + }); + + return sampler; +} + +- (SFAnalyticsMultiSampler*)AddMultiSamplerForName:(NSString *)samplerName withTimeInterval:(NSTimeInterval)timeInterval block:(NSDictionary *(^)(void))block +{ + if (!samplerName) { + secerror("SFAnalytics: cannot add sampler without name"); + return nil; + } + if (timeInterval < 1.0f && timeInterval != SFAnalyticsSamplerIntervalOncePerReport) 
{ + secerror("SFAnalytics: cannot add sampler with interval %f", timeInterval); + return nil; + } + if (!block) { + secerror("SFAnalytics: cannot add sampler without block"); + return nil; + } + + __block SFAnalyticsMultiSampler* sampler = nil; + __weak __typeof(self) weakSelf = self; + dispatch_sync(_queue, ^{ + __strong __typeof(self) strongSelf = weakSelf; + if (strongSelf->_multisamplers[samplerName]) { + secerror("SFAnalytics: multisampler \"%@\" already exists", samplerName); + } else { + sampler = [[SFAnalyticsMultiSampler alloc] initWithName:samplerName interval:timeInterval block:block clientClass:[self class]]; + strongSelf->_multisamplers[samplerName] = sampler; + } + + }); + + return sampler; +} + +- (SFAnalyticsSampler*)existingMetricSamplerForName:(NSString *)samplerName +{ + __block SFAnalyticsSampler* sampler = nil; + + __weak __typeof(self) weakSelf = self; + dispatch_sync(_queue, ^{ + __strong __typeof(self) strongSelf = weakSelf; + if (strongSelf) { + sampler = strongSelf->_samplers[samplerName]; + } + }); + return sampler; +} + +- (SFAnalyticsMultiSampler*)existingMultiSamplerForName:(NSString *)samplerName +{ + __block SFAnalyticsMultiSampler* sampler = nil; + + __weak __typeof(self) weakSelf = self; + dispatch_sync(_queue, ^{ + __strong __typeof(self) strongSelf = weakSelf; + if (strongSelf) { + sampler = strongSelf->_multisamplers[samplerName]; + } + }); + return sampler; +} + +- (void)removeMetricSamplerForName:(NSString *)samplerName +{ + if (!samplerName) { + secerror("Attempt to remove sampler without specifying samplerName"); + return; + } + + __weak __typeof(self) weakSelf = self; + dispatch_sync(_queue, ^{ + __strong __typeof(self) strongSelf = weakSelf; + if (strongSelf) { + [strongSelf->_samplers[samplerName] pauseSampling]; // when dealloced it would also stop, but we're not sure when that is so let's stop it right away + [strongSelf->_samplers removeObjectForKey:samplerName]; + } + }); +} + +- 
(void)removeMultiSamplerForName:(NSString *)samplerName +{ + if (!samplerName) { + secerror("Attempt to remove multisampler without specifying samplerName"); + return; + } + + __weak __typeof(self) weakSelf = self; + dispatch_sync(_queue, ^{ + __strong __typeof(self) strongSelf = weakSelf; + if (strongSelf) { + [strongSelf->_multisamplers[samplerName] pauseSampling]; // when dealloced it would also stop, but we're not sure when that is so let's stop it right away + [strongSelf->_multisamplers removeObjectForKey:samplerName]; + } + }); +} + +- (SFAnalyticsActivityTracker*)logSystemMetricsForActivityNamed:(NSString *)eventName withAction:(void (^)(void))action +{ + if (![eventName isKindOfClass:[NSString class]]) { + secerror("Cannot log system metrics without name"); + return nil; + } + SFAnalyticsActivityTracker* tracker = [[SFAnalyticsActivityTracker alloc] initWithName:eventName clientClass:[self class]]; + if (action) + [tracker performAction:action]; + return tracker; +} + +- (void)logMetric:(NSNumber *)metric withName:(NSString *)metricName +{ + [self logMetric:metric withName:metricName oncePerReport:NO]; +} + +- (void)logMetric:(NSNumber*)metric withName:(NSString*)metricName oncePerReport:(BOOL)once +{ + if (![metric isKindOfClass:[NSNumber class]] || ![metricName isKindOfClass:[NSString class]]) { + secerror("SFAnalytics: Need a valid result and name to log result"); + return; + } + + __weak __typeof(self) weakSelf = self; + dispatch_sync(_queue, ^{ + __strong __typeof(self) strongSelf = weakSelf; + if (strongSelf && !strongSelf->_disableLogging) { + if (once) { + [strongSelf.database removeAllSamplesForName:metricName]; + } + [strongSelf.database addSample:metric forName:metricName]; + } + }); +} + +@end + +#endif // __OBJC2__ diff --git a/Analytics/SFAnalytics.plist b/Analytics/SFAnalytics.plist new file mode 100644 index 00000000..964747db --- /dev/null +++ b/Analytics/SFAnalytics.plist 
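Review bot: `-removeState` mutates `_samplers` and `_multisamplers` outside `_queue`, while every other access to those dictionaries in this file goes through `dispatch_sync(_queue, …)`. `NSMutableDictionary` is not safe for concurrent mutation, so a `removeState` racing with an add/remove/lookup on another thread can corrupt the dictionary or crash. Moving the two calls inside the existing block as `[strongSelf->_samplers removeAllObjects];` and `[strongSelf->_multisamplers removeAllObjects];` keeps the serial queue as the single owner of that state. Separately, the blocks in `addMetricSamplerForName:` and `AddMultiSamplerForName:` dereference `strongSelf->_samplers` / `strongSelf->_multisamplers` without the `if (strongSelf)` guard the other methods use. With `dispatch_sync` the receiver is presumably still alive, but the guard should be either present everywhere or dropped everywhere.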
@@ -0,0 +1,26 @@ + + + + + KeySyncTopic + + splunk_allowInsecureCertificate + + splunk_topic + xp_sear_keysync + splunk_bagURL + https://xp.apple.com/config/1/report/xp_sear_keysync + + TrustTopic + + splunk_allowInsecureCertificate + + splunk_topic + xp_sear_trust + splunk_bagURL + https://xp.apple.com/config/1/report/xp_sear_trust + disableClientId + + + + diff --git a/Analytics/SFAnalyticsActivityTracker+Internal.h b/Analytics/SFAnalyticsActivityTracker+Internal.h new file mode 100644 index 00000000..3d24b00c --- /dev/null +++ b/Analytics/SFAnalyticsActivityTracker+Internal.h @@ -0,0 +1,39 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#ifndef SFAnalyticsActivityTracker_Internal_h +#define SFAnalyticsActivityTracker_Internal_h + +#if __OBJC2__ + +#import "SFAnalyticsActivityTracker.h" + +@interface SFAnalyticsActivityTracker(Internal) + +- (instancetype)initWithName:(NSString*)name clientClass:(Class)className; + +@end + +#endif // objc2 + +#endif /* SFAnalyticsActivityTracker_private_h */ 
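Review bot: Both topic dictionaries in `SFAnalytics.plist` carry a `splunk_allowInsecureCertificate` key, and nothing in the file documents what value it must have in a shipping configuration (the value itself is not legible in this rendering of the hunk). Since the key presumably relaxes certificate validation for the upload endpoint, a comment next to it would help, e.g. `<!-- splunk_allowInsecureCertificate must stay false outside internal test configurations -->`. It is also worth confirming in the code that reads this plist that a missing or malformed key is treated as false rather than true. That reader is outside this hunk.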
diff --git a/Analytics/SFAnalyticsActivityTracker.h b/Analytics/SFAnalyticsActivityTracker.h new file mode 100644 index 00000000..5f5c9360 --- /dev/null +++ b/Analytics/SFAnalyticsActivityTracker.h @@ -0,0 +1,42 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if __OBJC2__ +#ifndef SFAnalyticsActivityTracker_h +#define SFAnalyticsActivityTracker_h + +#import + +@interface SFAnalyticsActivityTracker : NSObject + +- (instancetype)init NS_UNAVAILABLE; +- (void)performAction:(void (^)(void))action; +- (void)cancel; + +- (void)start; +- (void)stop; + +@end + +#endif +#endif diff --git a/Analytics/SFAnalyticsActivityTracker.m b/Analytics/SFAnalyticsActivityTracker.m new file mode 100644 index 00000000..f2c628a2 --- /dev/null +++ b/Analytics/SFAnalyticsActivityTracker.m 
@@ -0,0 +1,103 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if __OBJC2__ + +#import "SFAnalyticsActivityTracker.h" +#import "SFAnalyticsActivityTracker+Internal.h" +#import "SFAnalytics.h" +#import +#import "utilities/debugging.h" + +@implementation SFAnalyticsActivityTracker { + dispatch_queue_t _queue; + NSString* _name; + Class _clientClass; + NSNumber* _measurement; + uint64_t _start; + BOOL _canceled; +} + +- (instancetype)initWithName:(NSString*)name clientClass:(Class)className { + if (![name isKindOfClass:[NSString class]] || ![className isSubclassOfClass:[SFAnalytics class]] ) { + secerror("Cannot instantiate SFActivityTracker without name and client class"); + return nil; + } + + if (self = [super init]) { + _queue = dispatch_queue_create("SFAnalyticsActivityTracker queue", DISPATCH_QUEUE_SERIAL); + _name = name; + _clientClass = className; + _measurement = nil; + _canceled = NO; + _start = 0; + } + return self; +} + +- (void)performAction:(void (^)(void))action +{ + _start = mach_absolute_time(); + action(); + [self stop]; 
+} + +- (void)start +{ + if (_canceled) + return; + NSAssert(_start == 0, @"SFAnalyticsActivityTracker user called start twice"); + _start = mach_absolute_time(); +} + +- (void)stop +{ + uint64_t end = mach_absolute_time(); + static mach_timebase_info_data_t sTimebaseInfo; + if ( sTimebaseInfo.denom == 0 ) { + (void)mach_timebase_info(&sTimebaseInfo); + } + if (_canceled) + return; + + NSAssert(_start != 0, @"SFAnalyticsActivityTracker user called stop w/o calling start"); + + _measurement = @([_measurement doubleValue] + (1.0f * (end - _start) * (1.0f * sTimebaseInfo.numer / sTimebaseInfo.denom))); + _start = 0; +} + +- (void)cancel +{ + _canceled = YES; +} + +- (void)dealloc +{ + if (!_canceled && _measurement != nil) { + [[_clientClass logger] logMetric:_measurement withName:_name]; + } +} + +@end + +#endif diff --git a/Analytics/SFAnalyticsDefines.h b/Analytics/SFAnalyticsDefines.h new file mode 100644 index 00000000..aa6af75c --- /dev/null +++ b/Analytics/SFAnalyticsDefines.h 
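Review bot: `-stop` relies on `NSAssert(_start != 0, …)` alone to reject a stop without a matching start, and assertions are commonly compiled out of release builds via `NS_BLOCK_ASSERTIONS`. In that case `end - _start` is computed with `_start == 0`, and the resulting raw tick count is added to `_measurement` and later logged from `-dealloc`. Folding the check into the existing early return, `if (_canceled || _start == 0) return;`, keeps bogus samples out of the database regardless of build configuration. `-performAction:` also invokes `action()` with no nil check. The caller in `SFAnalytics.m` guards it, but the method is declared in the public header, so `if (!action) { return; }` at the top would avoid a crash on a nil block. Minor: `_queue` is created in the initializer but never used in this file, and the `1.0f * (end - _start)` arithmetic is done in single precision before being stored as a double.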
@@ -0,0 +1,72 @@
+/*
+ * Copyright (c) 2017 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#ifndef SFAnalyticsDefines_h
+#define SFAnalyticsDefines_h
+
+#if __OBJC2__
+
+extern NSString* const SFAnalyticsTableSuccessCount;
+extern NSString* const SFAnalyticsTableHardFailures;
+extern NSString* const SFAnalyticsTableSoftFailures;
+extern NSString* const SFAnalyticsTableSamples;
+extern NSString* const SFAnalyticsTableAllEvents;
+
+extern NSString* const SFAnalyticsColumnSuccessCount;
+extern NSString* const SFAnalyticsColumnHardFailureCount;
+extern NSString* const SFAnalyticsColumnSoftFailureCount;
+extern NSString* const SFAnalyticsColumnSampleValue;
+extern NSString* const SFAnalyticsColumnSampleName;
+
+extern NSString* const SFAnalyticsEventTime;
+extern NSString* const SFAnalyticsEventType;
+extern NSString* const SFAnalyticsEventClassKey;
+
+// Helpers for logging NSErrors
+extern NSString* const SFAnalyticsAttributeErrorUnderlyingChain;
+extern NSString* const SFAnalyticsAttributeErrorDomain;
+extern NSString* const SFAnalyticsAttributeErrorCode;
+
+extern NSString* const SFAnalyticsUserDefaultsSuite;
+
+extern char* const SFAnalyticsFireSamplersNotification;
+
+/* Internal Topic Names */
+extern NSString* const SFAnalyticsTopicKeySync;
+extern NSString* const SFAnaltyicsTopicTrust;
+
+typedef NS_ENUM(NSInteger, SFAnalyticsEventClass) {
+ SFAnalyticsEventClassSuccess,
+ SFAnalyticsEventClassHardFailure,
+ SFAnalyticsEventClassSoftFailure,
+ SFAnalyticsEventClassNote
+};
+
+extern NSString* const SFAnalyticsTableSchema;
+
+// We can only send this many events in total to splunk per upload
+extern NSUInteger const SFAnalyticsMaxEventsToReport;
+
+#endif /* __OBJC2__ */
+
+#endif /* SFAnalyticsDefines_h */
diff --git a/Analytics/SFAnalyticsLogger.h b/Analytics/SFAnalyticsLogger.h
deleted file mode 100644
index 6dfed9ff..00000000
--- a/Analytics/SFAnalyticsLogger.h
+++ /dev/null
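Review bot: `SFAnaltyicsTopicTrust` is misspelled (`Analtyics`) right beside the correctly spelled `SFAnalyticsTopicKeySync`, and because it is an exported symbol the typo will spread to every caller; declare it as `extern NSString* const SFAnalyticsTopicTrust;` and rename the definition, which lies outside this hunk. `SFAnalyticsFireSamplersNotification` is declared `char* const`, which fixes the pointer but leaves the characters writable through the type. If the definition is a string literal (not visible here), `extern const char* const SFAnalyticsFireSamplersNotification;` matches it and lets the compiler reject accidental writes.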
@@ -1,72 +0,0 @@
-/*
- * Copyright (c) 2017 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#import
-
-#if __OBJC2__
-
-@interface SFAnalyticsLogger : NSObject
-
-+ (instancetype)logger;
-
-+ (NSInteger)fuzzyDaysSinceDate:(NSDate*)date;
-
-- (void)logSuccessForEventNamed:(NSString*)eventName;
-- (void)logHardFailureForEventNamed:(NSString*)eventName withAttributes:(NSDictionary*)attributes;
-- (void)logSoftFailureForEventNamed:(NSString*)eventName withAttributes:(NSDictionary*)attributes;
-
-- (void)noteEventNamed:(NSString*)eventName;
-
-// --------------------------------
-// Things below are for subclasses
-
-// Override to create a concrete logger instance
-@property (readonly, class) NSString* databasePath;
-
-// Storing dates
-- (void)setDateProperty:(NSDate*)date forKey:(NSString*)key;
-- (NSDate*)datePropertyForKey:(NSString*)key;
-
-- (NSDictionary*)extraValuesToUploadToServer;
-- (NSString*)sysdiagnoseStringForEventRecord:(NSDictionary*)eventRecord;
-
-// --------------------------------
-// Things below are for utilities to drive and/or test the system
-
-- (NSString*)getSysdiagnoseDumpWithError:(NSError**)error;
-- (NSData*)getLoggingJSON:(bool)pretty error:(NSError**)error;
-- (BOOL)forceUploadWithError:(NSError**)error;
-
-// --------------------------------
-// Things below are for unit testing
-
-@property (readonly) dispatch_queue_t splunkLoggingQueue;
-@property (readonly) NSURL* splunkUploadURL;
-@property (readonly) NSString* splunkTopicName;
-@property (readonly) NSURL* splunkBagURL;
-@property (readonly) BOOL allowsInsecureSplunkCert;
-@property BOOL ignoreServerDisablingMessages;
-
-@end
-
-#endif
diff --git a/Analytics/SFAnalyticsLogger.m b/Analytics/SFAnalyticsLogger.m
deleted file mode 100644
index 2bc376f9..00000000
--- a/Analytics/SFAnalyticsLogger.m
+++ /dev/null
@@ -1,985 +0,0 @@ -/* - * Copyright (c) 2017 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#if __OBJC2__ - -#import "SFAnalyticsLogger.h" -#import "SFSQLite.h" -#import "CKKSViewManager.h" -#import "debugging.h" -#import -#import -#import - -NSString* const SFAnalyticsLoggerTableSuccessCount = @"success_count"; -NSString* const SFAnalyticsLoggerColumnEventType = @"event_type"; -NSString* const SFAnalyticsLoggerColumnSuccessCount = @"success_count"; -NSString* const SFAnalyticsLoggerColumnHardFailureCount = @"hard_failure_count"; -NSString* const SFAnalyticsLoggerColumnSoftFailureCount = @"soft_failure_count"; - -NSString* const SFAnalyticsLoggerTableHardFailures = @"hard_failures"; -NSString* const SFAnalyticsLoggerTableSoftFailures = @"soft_failures"; -NSString* const SFAnalyticsLoggerTableAllEvents = @"all_events"; -NSString* const SFAnalyticsLoggerColumnDate = @"timestamp"; -NSString* const SFAnalyticsLoggerColumnData = @"data"; - -NSString* const SFAnalyticsLoggerUploadDate = @"upload_date"; - -NSString* const SFAnalyticsLoggerSplunkTopic = @"topic"; -NSString* 
const SFAnalyticsLoggerSplunkEventTime = @"eventTime"; -NSString* const SFAnalyticsLoggerSplunkPostTime = @"postTime"; -NSString* const SFAnalyticsLoggerSplunkEventType = @"eventType"; -NSString* const SFAnalyticsLoggerSplunkEventBuild = @"build"; -NSString* const SFAnalyticsLoggerSplunkEventProduct = @"product"; - -NSString* const SFAnalyticsLoggerMetricsBase = @"metricsBase"; -NSString* const SFAnalyticsLoggerEventClassKey = @"eventClass"; - - -NSString* const SFAnalyticsUserDefaultsSuite = @"com.apple.security.analytics"; - -static NSString* const SFAnalyticsLoggerTableSchema = @"CREATE TABLE IF NOT EXISTS hard_failures (\n" - @"id INTEGER PRIMARY KEY AUTOINCREMENT,\n" - @"timestamp REAL," - @"data BLOB\n" - @");\n" - @"CREATE TRIGGER IF NOT EXISTS maintain_ring_buffer_hard_failures AFTER INSERT ON hard_failures\n" - @"BEGIN\n" - @"DELETE FROM hard_failures WHERE id != NEW.id AND id % 999 = NEW.id % 999;\n" - @"END;\n" - @"CREATE TABLE IF NOT EXISTS soft_failures (\n" - @"id INTEGER PRIMARY KEY AUTOINCREMENT,\n" - @"timestamp REAL," - @"data BLOB\n" - @");\n" - @"CREATE TRIGGER IF NOT EXISTS maintain_ring_buffer_soft_failures AFTER INSERT ON soft_failures\n" - @"BEGIN\n" - @"DELETE FROM soft_failures WHERE id != NEW.id AND id % 999 = NEW.id % 999;\n" - @"END;\n" - @"CREATE TABLE IF NOT EXISTS all_events (\n" - @"id INTEGER PRIMARY KEY AUTOINCREMENT,\n" - @"timestamp REAL," - @"data BLOB\n" - @");\n" - @"CREATE TRIGGER IF NOT EXISTS maintain_ring_buffer_all_events AFTER INSERT ON all_events\n" - @"BEGIN\n" - @"DELETE FROM all_events WHERE id != NEW.id AND id % 10000 = NEW.id % 10000;\n" - @"END;\n" - @"CREATE TABLE IF NOT EXISTS success_count (\n" - @"event_type STRING PRIMARY KEY,\n" - @"success_count INTEGER,\n" - @"hard_failure_count INTEGER,\n" - @"soft_failure_count INTEGER\n" - @");\n"; - -#define SFANALYTICS_SPLUNK_DEV 0 -#define SFANALYTICS_MAX_EVENTS_TO_REPORT 999 - -#define SECONDS_PER_DAY (60 * 60 * 24) - -#if SFANALYTICS_SPLUNK_DEV -#define 
SECONDS_BETWEEN_UPLOADS_CUSTOMER 10 -#define SECONDS_BETWEEN_UPLOADS_INTERNAL 10 -#else -#define SECONDS_BETWEEN_UPLOADS_CUSTOMER (3 * SECONDS_PER_DAY) -#define SECONDS_BETWEEN_UPLOADS_INTERNAL (SECONDS_PER_DAY) -#endif - -typedef NS_ENUM(NSInteger, SFAnalyticsEventClass) { - SFAnalyticsEventClassSuccess, - SFAnalyticsEventClassHardFailure, - SFAnalyticsEventClassSoftFailure, - SFAnalyticsEventClassNote -}; - -@interface SFAnalyticsLoggerSQLiteStore : SFSQLite - -@property (readonly, strong) NSArray* failureRecords; -@property (readonly, strong) NSArray* allEvents; -@property (readwrite, strong) NSDate* uploadDate; - -+ (instancetype)storeWithPath:(NSString*)path schema:(NSString*)schema; - -- (void)incrementSuccessCountForEventType:(NSString*)eventType; -- (void)incrementHardFailureCountForEventType:(NSString*)eventType; -- (void)incrementSoftFailureCountForEventType:(NSString*)eventType; -- (NSInteger)successCountForEventType:(NSString*)eventType; -- (NSInteger)hardFailureCountForEventType:(NSString*)eventType; -- (NSInteger)softFailureCountForEventType:(NSString*)eventType; -- (void)addEventDict:(NSDictionary*)eventDict toTable:(NSString*)table; -- (void)clearAllData; -- (BOOL)tryToOpenDatabase; - -- (NSDictionary*)summaryCounts; - -@end - -@implementation SFAnalyticsLogger { - SFAnalyticsLoggerSQLiteStore* _database; - NSURL* _splunkUploadURL; - NSString* _splunkTopicName; - NSURL* _splunkBagURL; - dispatch_queue_t _queue; - NSInteger _secondsBetweenUploads; - NSDictionary* _metricsBase; // data the server provides and wants us to send back - NSArray* _blacklistedFields; - NSArray* _blacklistedEvents; - - unsigned int _allowInsecureSplunkCert:1; - unsigned int _disableLogging:1; - unsigned int _disableUploads:1; - unsigned int _ignoreServersMessagesTellingUsToGoAway:1; -} - -@synthesize splunkUploadURL = _splunkUploadURL; -@synthesize splunkBagURL = _splunkBagURL; -@synthesize splunkTopicName = _splunkTopicName; -@synthesize splunkLoggingQueue = _queue; - -+ 
(instancetype)logger -{ -#if TARGET_OS_SIMULATOR - return nil; -#else - - if (self == [SFAnalyticsLogger class]) { - secerror("attempt to instatiate abstract class SFAnalyticsLogger"); - return nil; - } - - SFAnalyticsLogger* logger = nil; - @synchronized(self) { - logger = objc_getAssociatedObject(self, "SFAnalyticsLoggerInstance"); - if (!logger) { - logger = [[self alloc] init]; - objc_setAssociatedObject(self, "SFAnalyticsLoggerInstance", logger, OBJC_ASSOCIATION_RETAIN); - } - } - return logger; -#endif -} - -+ (NSString*)databasePath -{ - return nil; -} - -+ (NSInteger)fuzzyDaysSinceDate:(NSDate*)date -{ - NSTimeInterval timeIntervalSinceDate = [[NSDate date] timeIntervalSinceDate:date]; - if (timeIntervalSinceDate < SECONDS_PER_DAY) { - return 0; - } - else if (timeIntervalSinceDate < (SECONDS_PER_DAY * 7)) { - return 1; - } - else if (timeIntervalSinceDate < (SECONDS_PER_DAY * 30)) { - return 7; - } - else if (timeIntervalSinceDate < (SECONDS_PER_DAY * 365)) { - return 30; - } - else { - return 365; - } -} - -- (instancetype)init -{ - if (self = [super init]) { - _database = [SFAnalyticsLoggerSQLiteStore storeWithPath:self.class.databasePath schema:SFAnalyticsLoggerTableSchema]; - _queue = dispatch_queue_create("com.apple.security.analytics", DISPATCH_QUEUE_SERIAL_WITH_AUTORELEASE_POOL); - - if (os_variant_has_internal_diagnostics("Security")) { - _secondsBetweenUploads = SECONDS_BETWEEN_UPLOADS_INTERNAL; - } else { - _secondsBetweenUploads = SECONDS_BETWEEN_UPLOADS_CUSTOMER; - } - - NSDictionary* systemDefaultValues = [NSDictionary dictionaryWithContentsOfFile:[[NSBundle bundleWithPath:@"/System/Library/Frameworks/Security.framework"] pathForResource:@"SFAnalyticsLogging" ofType:@"plist"]]; - _splunkTopicName = systemDefaultValues[@"splunk_topic"]; - _splunkUploadURL = [NSURL URLWithString:systemDefaultValues[@"splunk_uploadURL"]]; - _splunkBagURL = [NSURL URLWithString:systemDefaultValues[@"splunk_bagURL"]]; - _allowInsecureSplunkCert = 
[[systemDefaultValues valueForKey:@"splunk_allowInsecureCertificate"] boolValue]; - NSString* splunkEndpoint = systemDefaultValues[@"splunk_endpointDomain"]; - - NSUserDefaults* defaults = [[NSUserDefaults alloc] initWithSuiteName:SFAnalyticsUserDefaultsSuite]; - NSString* userDefaultsSplunkTopic = [defaults stringForKey:@"splunk_topic"]; - if (userDefaultsSplunkTopic) { - _splunkTopicName = userDefaultsSplunkTopic; - } - - NSURL* userDefaultsSplunkUploadURL = [NSURL URLWithString:[defaults stringForKey:@"splunk_uploadURL"]]; - if (userDefaultsSplunkUploadURL) { - _splunkUploadURL = userDefaultsSplunkUploadURL; - } - - NSURL* userDefaultsSplunkBagURL = [NSURL URLWithString:[defaults stringForKey:@"splunk_bagURL"]]; - if (userDefaultsSplunkUploadURL) { - _splunkBagURL = userDefaultsSplunkBagURL; - } - - BOOL userDefaultsAllowInsecureSplunkCert = [defaults boolForKey:@"splunk_allowInsecureCertificate"]; - _allowInsecureSplunkCert |= userDefaultsAllowInsecureSplunkCert; - - NSString* userDefaultsSplunkEndpoint = [defaults stringForKey:@"splunk_endpointDomain"]; - if (userDefaultsSplunkEndpoint) { - splunkEndpoint = userDefaultsSplunkEndpoint; - } - -#if SFANALYTICS_SPLUNK_DEV - _ignoreServersMessagesTellingUsToGoAway = YES; - - if (!_splunkUploadURL && splunkEndpoint) { - NSString* urlString = [NSString stringWithFormat:@"https://%@/report/2/%@", splunkEndpoint, _splunkTopicName]; - _splunkUploadURL = [NSURL URLWithString:urlString]; - } -#else - (void)splunkEndpoint; -#endif - } - - return self; -} - -- (void)logSuccessForEventNamed:(NSString*)eventName -{ - [self logEventNamed:eventName class:SFAnalyticsEventClassSuccess attributes:nil]; -} - -- (void)logHardFailureForEventNamed:(NSString*)eventName withAttributes:(NSDictionary*)attributes -{ - [self logEventNamed:eventName class:SFAnalyticsEventClassHardFailure attributes:attributes]; -} - -- (void)logSoftFailureForEventNamed:(NSString*)eventName withAttributes:(NSDictionary*)attributes -{ - [self 
logEventNamed:eventName class:SFAnalyticsEventClassSoftFailure attributes:attributes]; -} - -- (void)noteEventNamed:(NSString*)eventName -{ - [self logEventNamed:eventName class:SFAnalyticsEventClassNote attributes:nil]; -} - -- (void)logEventNamed:(NSString*)eventName class:(SFAnalyticsEventClass)class attributes:(NSDictionary*)attributes -{ - if (!eventName) { - secinfo("SFAnalytics", "attempt to log an event with no name"); - return; - } - - __block NSDate* uploadDate = nil; - __weak __typeof(self) weakSelf = self; - dispatch_sync(_queue, ^{ - __strong __typeof(self) strongSelf = weakSelf; - if (!strongSelf || strongSelf->_disableLogging || [strongSelf->_blacklistedEvents containsObject:eventName]) { - return; - } - - NSDictionary* eventDict = [self eventDictForEventName:eventName withAttributes:attributes eventClass:class]; - [strongSelf->_database addEventDict:eventDict toTable:SFAnalyticsLoggerTableAllEvents]; - - if (class == SFAnalyticsEventClassHardFailure) { - NSDictionary* strippedDict = [self eventDictWithBlacklistedFieldsStrippedFrom:eventDict]; - [strongSelf->_database addEventDict:strippedDict toTable:SFAnalyticsLoggerTableHardFailures]; - [strongSelf->_database incrementHardFailureCountForEventType:eventName]; - } - else if (class == SFAnalyticsEventClassSoftFailure) { - NSDictionary* strippedDict = [self eventDictWithBlacklistedFieldsStrippedFrom:eventDict]; - [strongSelf->_database addEventDict:strippedDict toTable:SFAnalyticsLoggerTableSoftFailures]; - [strongSelf->_database incrementSoftFailureCountForEventType:eventName]; - } - else if (class == SFAnalyticsEventClassSuccess || class == SFAnalyticsEventClassNote) { - [strongSelf->_database incrementSuccessCountForEventType:eventName]; - } - - uploadDate = strongSelf->_database.uploadDate; - }); - - NSDate* nowDate = [NSDate date]; - if (uploadDate) { - if ([nowDate compare:uploadDate] == NSOrderedDescending) { - NSError* error = nil; - BOOL uploadSuccess = [self forceUploadWithError:&error]; - 
if (uploadSuccess) { - secinfo("SFAnalytics", "uploaded sync health data"); - [self resetUploadDate:YES]; - } - - if (error) { - secerror("SFAnalytics: failed to upload json to analytics server with error: %@", error); - } - } - } - else { - [self resetUploadDate:NO]; - } -} - -- (void)resetUploadDate:(BOOL)clearData -{ - __weak __typeof(self) weakSelf = self; - dispatch_sync(_queue, ^{ - __strong __typeof(self) strongSelf = weakSelf; - if (!strongSelf) { - return; - } - - if (clearData) { - [strongSelf->_database clearAllData]; - } - strongSelf->_database.uploadDate = [NSDate dateWithTimeIntervalSinceNow:strongSelf->_secondsBetweenUploads]; - }); -} - -- (NSDictionary*)eventDictForEventName:(NSString*)eventName withAttributes:(NSDictionary*)attributes eventClass:(SFAnalyticsEventClass)eventClass -{ - NSMutableDictionary* eventDict = attributes ? attributes.mutableCopy : [NSMutableDictionary dictionary]; - eventDict[SFAnalyticsLoggerSplunkTopic] = _splunkTopicName; - eventDict[SFAnalyticsLoggerSplunkEventType] = eventName; - eventDict[SFAnalyticsLoggerSplunkEventTime] = @([[NSDate date] timeIntervalSince1970] * 1000); - eventDict[SFAnalyticsLoggerEventClassKey] = @(eventClass); - - [_metricsBase enumerateKeysAndObjectsUsingBlock:^(NSString* key, id object, BOOL* stop) { - if (!eventDict[key]) { - eventDict[key] = object; - } - }]; - - return eventDict; -} - -- (NSDictionary*)eventDictWithBlacklistedFieldsStrippedFrom:(NSDictionary*)eventDict -{ - NSMutableDictionary* strippedDict = eventDict.mutableCopy; - for (NSString* blacklistedField in _blacklistedFields) { - [strippedDict removeObjectForKey:blacklistedField]; - } - return strippedDict; -} - -- (void)setDateProperty:(NSDate*)date forKey:(NSString*)key -{ - dispatch_sync(_queue, ^{ - [self->_database setDateProperty:date forKey:key]; - }); -} - -- (NSDate*)datePropertyForKey:(NSString*)key -{ - __block NSDate* result = nil; - dispatch_sync(_queue, ^{ - result = [self->_database datePropertyForKey:key]; - }); - 
return result; -} - -- (NSDictionary*)extraValuesToUploadToServer -{ - return [NSDictionary dictionary]; -} - -// this method is kind of evil for the fact that it has side-effects in pulling other things besides the metricsURL from the server, and as such should NOT be memoized. -// TODO redo this, probably to return a dictionary. -- (NSURL*)splunkUploadURL -{ - dispatch_assert_queue(_queue); - - if (_splunkUploadURL) { - return _splunkUploadURL; - } - - __weak __typeof(self) weakSelf = self; - dispatch_semaphore_t sem = dispatch_semaphore_create(0); - - __block NSError* error = nil; - NSURLSessionConfiguration *configuration = [NSURLSessionConfiguration ephemeralSessionConfiguration]; - - configuration.HTTPAdditionalHeaders = @{ @"User-Agent" : [NSString stringWithFormat:@"securityd/%s", SECURITY_BUILD_VERSION]}; - - NSURLSession* storeBagSession = [NSURLSession sessionWithConfiguration:configuration - delegate:self - delegateQueue:nil]; - - NSURL* requestEndpoint = _splunkBagURL; - __block NSURL* result = nil; - NSURLSessionDataTask* storeBagTask = [storeBagSession dataTaskWithURL:requestEndpoint completionHandler:^(NSData * _Nullable data, - NSURLResponse * _Nullable __unused response, - NSError * _Nullable responseError) { - - __strong __typeof(self) strongSelf = weakSelf; - if (!strongSelf) { - return; - } - - if (data && !responseError) { - NSData *responseData = data; // shut up compiler - NSDictionary* responseDict = [NSJSONSerialization JSONObjectWithData:responseData options:0 error:&error]; - if([responseDict isKindOfClass:NSDictionary.class] && !error) { - if (!self->_ignoreServersMessagesTellingUsToGoAway) { - strongSelf->_disableLogging = [[responseDict valueForKey:@"disabled"] boolValue]; - if (strongSelf->_disableLogging || [[responseDict valueForKey:@"sendDisabled"] boolValue]) { - // then don't upload anything right now - secerror("not returning a splunk URL because uploads are disabled"); - dispatch_semaphore_signal(sem); - return; - } - - 
NSUInteger millisecondsBetweenUploads = [[responseDict valueForKey:@"postFrequency"] unsignedIntegerValue] / 1000; - if (millisecondsBetweenUploads > 0) { - strongSelf->_secondsBetweenUploads = millisecondsBetweenUploads; - } - - strongSelf->_blacklistedEvents = responseDict[@"blacklistedEvents"]; - strongSelf->_blacklistedFields = responseDict[@"blacklistedFields"]; - } - - strongSelf->_metricsBase = responseDict[@"metricsBase"]; - - NSString* metricsEndpoint = responseDict[@"metricsUrl"]; - if([metricsEndpoint isKindOfClass:NSString.class]) { - /* Lives our URL */ - NSString* endpoint = [metricsEndpoint stringByAppendingFormat:@"/2/%@", strongSelf->_splunkTopicName]; - secnotice("ckks", "got metrics endpoint: %@", endpoint); - NSURL* endpointURL = [NSURL URLWithString:endpoint]; - if([endpointURL.scheme isEqualToString:@"https"]) { - result = endpointURL; - } - } - } - } - else { - error = responseError; - } - if(error) { - secnotice("ckks", "Unable to fetch splunk endpoint at URL: %@ -- error: %@", requestEndpoint, error.description); - } - else if(!result) { - secnotice("ckks", "Malformed iTunes config payload!"); - } - - dispatch_semaphore_signal(sem); - }]; - - [storeBagTask resume]; - dispatch_semaphore_wait(sem, DISPATCH_TIME_FOREVER); - - return result; -} - -- (BOOL)forceUploadWithError:(NSError**)error -{ - __block BOOL result = NO; - NSData* json = [self getLoggingJSON:false error: error]; - dispatch_sync(_queue, ^{ - if (json && [self _onQueuePostJSON:json error:error]) { - secinfo("ckks", "uploading sync health data: %@", json); - - [self->_database clearAllData]; - self->_database.uploadDate = [NSDate dateWithTimeIntervalSinceNow:self->_secondsBetweenUploads]; - result = YES; - } - else { - result = NO; - } - }); - - return result; -} - -- (BOOL)_onQueuePostJSON:(NSData*)json error:(NSError**)error -{ - dispatch_assert_queue(_queue); - - /* - * Create the NSURLSession - * We use the ephemeral session config because we don't need cookies or cache - */ 
- NSURLSessionConfiguration *configuration = [NSURLSessionConfiguration ephemeralSessionConfiguration]; - - configuration.HTTPAdditionalHeaders = @{ @"User-Agent" : [NSString stringWithFormat:@"securityd/%s", SECURITY_BUILD_VERSION]}; - - NSURLSession* postSession = [NSURLSession sessionWithConfiguration:configuration - delegate:self - delegateQueue:nil]; - - /* - * Create the request - */ - NSURL* postEndpoint = self.splunkUploadURL; - if (!postEndpoint) { - secerror("failed to get a splunk upload endpoint - not uploading"); - return NO; - } - - NSMutableURLRequest* postRequest = [[NSMutableURLRequest alloc] init]; - postRequest.URL = postEndpoint; - postRequest.HTTPMethod = @"POST"; - postRequest.HTTPBody = json; - - /* - * Create the upload task. - */ - dispatch_semaphore_t sem = dispatch_semaphore_create(0); - __block BOOL uploadSuccess = NO; - NSURLSessionDataTask* uploadTask = [postSession dataTaskWithRequest:postRequest - completionHandler:^(NSData * _Nullable __unused data, NSURLResponse * _Nullable response, NSError * _Nullable requestError) { - if(requestError) { - secerror("Error in uploading the events to splunk: %@", requestError); - } - else if (![response isKindOfClass:NSHTTPURLResponse.class]){ - Class class = response.class; - secerror("Received the wrong kind of response: %@", NSStringFromClass(class)); - } - else { - NSHTTPURLResponse* httpResponse = (NSHTTPURLResponse*)response; - if(httpResponse.statusCode >= 200 && httpResponse.statusCode < 300) { - /* Success */ - uploadSuccess = YES; - secnotice("ckks", "Splunk upload success"); - } - else { - secnotice("ckks", "Splunk upload unexpected status to URL: %@ -- status: %d", postEndpoint, (int)(httpResponse.statusCode)); - } - } - dispatch_semaphore_signal(sem); - }]; - - secnotice("ckks", "Splunk upload start"); - [uploadTask resume]; - dispatch_semaphore_wait(sem, DISPATCH_TIME_FOREVER); - return uploadSuccess; -} - -- (NSString*)stringForEventClass:(SFAnalyticsEventClass)eventClass -{ - if 
(eventClass == SFAnalyticsEventClassNote) { - return @"EventNote"; - } - else if (eventClass == SFAnalyticsEventClassSuccess) { - return @"EventSuccess"; - } - else if (eventClass == SFAnalyticsEventClassHardFailure) { - return @"EventHardFailure"; - } - else if (eventClass == SFAnalyticsEventClassSoftFailure) { - return @"EventSoftFailure"; - } - else { - return @"EventUnknown"; - } -} - -- (NSString*)sysdiagnoseStringForEventRecord:(NSDictionary*)eventRecord -{ - NSMutableDictionary* mutableEventRecord = eventRecord.mutableCopy; - [mutableEventRecord removeObjectForKey:SFAnalyticsLoggerSplunkTopic]; - - NSDate* eventDate = [NSDate dateWithTimeIntervalSince1970:[[eventRecord valueForKey:SFAnalyticsLoggerSplunkEventTime] doubleValue] / 1000]; - [mutableEventRecord removeObjectForKey:SFAnalyticsLoggerSplunkEventTime]; - - NSString* eventName = eventRecord[SFAnalyticsLoggerSplunkEventType]; - [mutableEventRecord removeObjectForKey:SFAnalyticsLoggerSplunkEventType]; - - SFAnalyticsEventClass eventClass = [[eventRecord valueForKey:SFAnalyticsLoggerEventClassKey] integerValue]; - NSString* eventClassString = [self stringForEventClass:eventClass]; - [mutableEventRecord removeObjectForKey:SFAnalyticsLoggerEventClassKey]; - - NSMutableString* additionalAttributesString = [NSMutableString string]; - if (mutableEventRecord.count > 0) { - [additionalAttributesString appendString:@" - Attributes: {" ]; - __block BOOL firstAttribute = YES; - [mutableEventRecord enumerateKeysAndObjectsUsingBlock:^(NSString* key, id object, BOOL* stop) { - NSString* openingString = firstAttribute ? 
@"" : @", "; - [additionalAttributesString appendString:[NSString stringWithFormat:@"%@%@ : %@", openingString, key, object]]; - firstAttribute = NO; - }]; - [additionalAttributesString appendString:@" }"]; - } - - return [NSString stringWithFormat:@"%@ %@: %@%@", eventDate, eventClassString, eventName, additionalAttributesString]; -} - -- (NSString*)getSysdiagnoseDumpWithError:(NSError**)error -{ - NSMutableString* sysdiagnose = [[NSMutableString alloc] init]; - NSDictionary* extraValues = self.extraValuesToUploadToServer; - [extraValues enumerateKeysAndObjectsUsingBlock:^(NSString* key, id object, BOOL* stop) { - [sysdiagnose appendFormat:@"Key: %@, Value: %@\n", key, object]; - }]; - - [sysdiagnose appendString:@"\n"]; - - dispatch_sync(_queue, ^{ - NSArray* allEvents = self->_database.allEvents; - for (NSDictionary* eventRecord in allEvents) { - [sysdiagnose appendFormat:@"%@\n", [self sysdiagnoseStringForEventRecord:eventRecord]]; - } - }); - - return sysdiagnose; -} - -+ (void)addOSVersion:(NSMutableDictionary *)event -{ - static dispatch_once_t onceToken; - static NSString *build = NULL; - static NSString *product = NULL; - dispatch_once(&onceToken, ^{ - NSDictionary *version = CFBridgingRelease(_CFCopySystemVersionDictionary()); - if (version == NULL) - return; - build = version[(__bridge NSString *)_kCFSystemVersionBuildVersionKey]; - product = version[(__bridge NSString *)_kCFSystemVersionProductNameKey]; - }); - if (build) - event[SFAnalyticsLoggerSplunkEventBuild] = build; - if (product) - event[SFAnalyticsLoggerSplunkEventProduct] = product; -} - -- (NSData*)getLoggingJSON:(bool)pretty error:(NSError**)error -{ - __block NSData* json = nil; - NSDictionary* extraValues = self.extraValuesToUploadToServer; - dispatch_sync(_queue, ^{ - if (![self->_database tryToOpenDatabase]) { - // we should not even be here because uploadDate was nil. But since we are, let's get out of here. 
- // Returning nil here will abort the upload (but again, the uploadDate should've done that already) - secerror("can't get logging JSON because database is not openable"); - if (error) { - *error = [NSError errorWithDomain:@"SFAnalyticsLogger" code:-1 userInfo:@{NSLocalizedDescriptionKey : @"could not open db to read and process metrics (device in class D?)"}]; - } - return; - } - - NSArray* failureRecords = self->_database.failureRecords; - - NSDictionary* successCounts = self->_database.summaryCounts; - NSInteger totalSuccessCount = 0; - NSInteger totalHardFailureCount = 0; - NSInteger totalSoftFailureCount = 0; - for (NSDictionary* perEventTypeSuccessCounts in successCounts.objectEnumerator) { - totalSuccessCount += [perEventTypeSuccessCounts[SFAnalyticsLoggerColumnSuccessCount] integerValue]; - totalHardFailureCount += [perEventTypeSuccessCounts[SFAnalyticsLoggerColumnHardFailureCount] integerValue]; - totalSoftFailureCount += [perEventTypeSuccessCounts[SFAnalyticsLoggerColumnSoftFailureCount] integerValue]; - } - - NSDate* now = [NSDate date]; - - NSMutableDictionary* healthSummaryEvent = extraValues ? 
extraValues.mutableCopy : [[NSMutableDictionary alloc] init]; - healthSummaryEvent[SFAnalyticsLoggerSplunkTopic] = self->_splunkTopicName ?: [NSNull null]; - healthSummaryEvent[SFAnalyticsLoggerSplunkEventTime] = @([now timeIntervalSince1970] * 1000); - healthSummaryEvent[SFAnalyticsLoggerSplunkEventType] = @"ckksHealthSummary"; - healthSummaryEvent[SFAnalyticsLoggerColumnSuccessCount] = @(totalSuccessCount); - healthSummaryEvent[SFAnalyticsLoggerColumnHardFailureCount] = @(totalHardFailureCount); - healthSummaryEvent[SFAnalyticsLoggerColumnSoftFailureCount] = @(totalSoftFailureCount); - [SFAnalyticsLogger addOSVersion:healthSummaryEvent]; - - NSMutableArray* splunkRecords = failureRecords.mutableCopy; - [splunkRecords addObject:healthSummaryEvent]; - - NSDictionary* jsonDict = @{ - SFAnalyticsLoggerSplunkPostTime : @([now timeIntervalSince1970] * 1000), - @"events" : splunkRecords - }; - - json = [NSJSONSerialization dataWithJSONObject:jsonDict - options:(pretty ? NSJSONWritingPrettyPrinted : 0) - error:error]; - }); - - return json; -} - -- (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge - completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler { - assert(completionHandler); - (void)session; - secnotice("ckks", "Splunk upload challenge"); - NSURLCredential *cred = nil; - SecTrustResultType result = kSecTrustResultInvalid; - - if ([challenge previousFailureCount] > 0) { - // Previous failures occurred, bail - completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil); - - } else if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) { - /* - * Evaluate trust for the certificate - */ - - SecTrustRef serverTrust = challenge.protectionSpace.serverTrust; - SecTrustEvaluate(serverTrust, &result); - if (_allowInsecureSplunkCert || (result == kSecTrustResultProceed) || (result == 
kSecTrustResultUnspecified)) { - /* - * All is well, accept the credentials - */ - if(_allowInsecureSplunkCert) { - secnotice("ckks", "Force Accepting Splunk Credential"); - } - cred = [NSURLCredential credentialForTrust:serverTrust]; - completionHandler(NSURLSessionAuthChallengeUseCredential, cred); - - } else { - /* - * An error occurred in evaluating trust, bail - */ - completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil); - } - } else { - /* - * Just perform the default handling - */ - completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil); - } - -} - -- (BOOL)ignoreServerDisablingMessages -{ - return _ignoreServersMessagesTellingUsToGoAway; -} - -- (void)setIgnoreServerDisablingMessages:(BOOL)ignoreServer -{ - _ignoreServersMessagesTellingUsToGoAway = ignoreServer ? YES : NO; -} - -- (BOOL)allowsInsecureSplunkCert -{ - return _allowInsecureSplunkCert; -} - -- (void)setAllowsInsecureSplunkCert:(BOOL)allowsInsecureSplunkCert -{ - _allowInsecureSplunkCert = allowsInsecureSplunkCert ? YES : NO; -} - -@end - -@implementation SFAnalyticsLoggerSQLiteStore - -+ (instancetype)storeWithPath:(NSString*)path schema:(NSString*)schema -{ - SFAnalyticsLoggerSQLiteStore* store = nil; - @synchronized([SFAnalyticsLoggerSQLiteStore class]) { - static NSMutableDictionary* loggingStores = nil; - static dispatch_once_t onceToken; - dispatch_once(&onceToken, ^{ - loggingStores = [[NSMutableDictionary alloc] init]; - }); - - NSString* standardizedPath = path.stringByStandardizingPath; - store = loggingStores[standardizedPath]; - if (!store) { - store = [[self alloc] initWithPath:standardizedPath schema:schema]; - loggingStores[standardizedPath] = store; - } - - NSError* error = nil; - if (![store openWithError:&error]) { - secerror("SFAnalyticsLogger: could not open db at init, will try again later. 
Error: %@", error); - } - - } - - return store; -} - -- (void)dealloc -{ - [self close]; -} - -- (BOOL)tryToOpenDatabase -{ - if (!self.isOpen) { - secwarning("SFAnalyticsLogger: db is closed, attempting to open"); - NSError* error = nil; - if (![self openWithError:&error]) { - secerror("SFAnalyticsLogger: failed to open db with error %@", error); - return NO; - } - } - return YES; -} - -- (NSInteger)successCountForEventType:(NSString*)eventType -{ - if ([self tryToOpenDatabase]) { - return [[[[self select:@[SFAnalyticsLoggerColumnSuccessCount] from:SFAnalyticsLoggerTableSuccessCount where:@"event_type = ?" bindings:@[eventType]] firstObject] valueForKey:SFAnalyticsLoggerColumnSuccessCount] integerValue]; - } - return 0; -} - -- (void)incrementSuccessCountForEventType:(NSString*)eventType -{ - if ([self tryToOpenDatabase]) { - NSInteger successCount = [self successCountForEventType:eventType]; - NSInteger hardFailureCount = [self hardFailureCountForEventType:eventType]; - NSInteger softFailureCount = [self softFailureCountForEventType:eventType]; - [self insertOrReplaceInto:SFAnalyticsLoggerTableSuccessCount values:@{SFAnalyticsLoggerColumnEventType : eventType, SFAnalyticsLoggerColumnSuccessCount : @(successCount + 1), SFAnalyticsLoggerColumnHardFailureCount : @(hardFailureCount), SFAnalyticsLoggerColumnSoftFailureCount : @(softFailureCount)}]; - } -} - -- (NSInteger)hardFailureCountForEventType:(NSString*)eventType -{ - if ([self tryToOpenDatabase]) { - return [[[[self select:@[SFAnalyticsLoggerColumnHardFailureCount] from:SFAnalyticsLoggerTableSuccessCount where:@"event_type = ?" bindings:@[eventType]] firstObject] valueForKey:SFAnalyticsLoggerColumnHardFailureCount] integerValue]; - } - return 0; -} - -- (NSInteger)softFailureCountForEventType:(NSString*)eventType -{ - if ([self tryToOpenDatabase]) { - return [[[[self select:@[SFAnalyticsLoggerColumnSoftFailureCount] from:SFAnalyticsLoggerTableSuccessCount where:@"event_type = ?" 
bindings:@[eventType]] firstObject] valueForKey:SFAnalyticsLoggerColumnSoftFailureCount] integerValue]; - } - return 0; -} - -- (void)incrementHardFailureCountForEventType:(NSString*)eventType -{ - if ([self tryToOpenDatabase]) { - NSInteger successCount = [self successCountForEventType:eventType]; - NSInteger hardFailureCount = [self hardFailureCountForEventType:eventType]; - NSInteger softFailureCount = [self softFailureCountForEventType:eventType]; - [self insertOrReplaceInto:SFAnalyticsLoggerTableSuccessCount values:@{SFAnalyticsLoggerColumnEventType : eventType, SFAnalyticsLoggerColumnSuccessCount : @(successCount), SFAnalyticsLoggerColumnHardFailureCount : @(hardFailureCount + 1), SFAnalyticsLoggerColumnSoftFailureCount : @(softFailureCount)}]; - } -} - -- (void)incrementSoftFailureCountForEventType:(NSString*)eventType -{ - if ([self tryToOpenDatabase]) { - NSInteger successCount = [self successCountForEventType:eventType]; - NSInteger hardFailureCount = [self hardFailureCountForEventType:eventType]; - NSInteger softFailureCount = [self softFailureCountForEventType:eventType]; - [self insertOrReplaceInto:SFAnalyticsLoggerTableSuccessCount values:@{SFAnalyticsLoggerColumnEventType : eventType, SFAnalyticsLoggerColumnSuccessCount : @(successCount), SFAnalyticsLoggerColumnHardFailureCount : @(hardFailureCount), SFAnalyticsLoggerColumnSoftFailureCount : @(softFailureCount + 1)}]; - } -} - -- (NSDictionary*)summaryCounts -{ - if ([self tryToOpenDatabase]) { - NSMutableDictionary* successCountsDict = [NSMutableDictionary dictionary]; - NSArray* rows = [self selectAllFrom:SFAnalyticsLoggerTableSuccessCount where:nil bindings:nil]; - for (NSDictionary* rowDict in rows) { - NSString* eventName = rowDict[SFAnalyticsLoggerColumnEventType]; - if (!eventName) { - secinfo("SFAnalytics", "ignoring entry in success counts table without an event name"); - continue; - } - - successCountsDict[eventName] = @{SFAnalyticsLoggerTableSuccessCount : 
rowDict[SFAnalyticsLoggerColumnSuccessCount], SFAnalyticsLoggerColumnHardFailureCount : rowDict[SFAnalyticsLoggerColumnHardFailureCount], SFAnalyticsLoggerColumnSoftFailureCount : rowDict[SFAnalyticsLoggerColumnSoftFailureCount]}; - } - return successCountsDict; - } - return [NSDictionary new]; -} - -- (NSArray*)failureRecords -{ - if ([self tryToOpenDatabase]) { - NSArray* recordBlobs = [self select:@[SFAnalyticsLoggerColumnData] from:SFAnalyticsLoggerTableHardFailures]; - if (recordBlobs.count < SFANALYTICS_MAX_EVENTS_TO_REPORT) { - NSArray* softFailureBlobs = [self select:@[SFAnalyticsLoggerColumnData] from:SFAnalyticsLoggerTableSoftFailures]; - if (softFailureBlobs.count > 0) { - NSUInteger numSoftFailuresToReport = SFANALYTICS_MAX_EVENTS_TO_REPORT - recordBlobs.count; - if (numSoftFailuresToReport > softFailureBlobs.count) - numSoftFailuresToReport = softFailureBlobs.count; - - recordBlobs = [recordBlobs arrayByAddingObjectsFromArray:[softFailureBlobs subarrayWithRange:NSMakeRange(softFailureBlobs.count - numSoftFailuresToReport, numSoftFailuresToReport)]]; - } - } - - NSMutableArray* failureRecords = [[NSMutableArray alloc] init]; - for (NSDictionary* row in recordBlobs) { - NSMutableDictionary* deserializedRecord = [NSPropertyListSerialization propertyListWithData:row[SFAnalyticsLoggerColumnData] options:NSPropertyListMutableContainers format:nil error:nil]; - [SFAnalyticsLogger addOSVersion:deserializedRecord]; - [failureRecords addObject:deserializedRecord]; - } - return failureRecords; - } - return [NSArray new]; -} - -- (NSArray*)allEvents -{ - if ([self tryToOpenDatabase]) { - NSArray* recordBlobs = [self select:@[SFAnalyticsLoggerColumnData] from:SFAnalyticsLoggerTableAllEvents]; - NSMutableArray* records = [[NSMutableArray alloc] init]; - for (NSDictionary* row in recordBlobs) { - NSDictionary* deserializedRecord = [NSPropertyListSerialization propertyListWithData:row[SFAnalyticsLoggerColumnData] options:0 format:nil error:nil]; - [records 
addObject:deserializedRecord]; - } - return records; - } - return [NSArray new]; -} - -- (void)addEventDict:(NSDictionary*)eventDict toTable:(NSString*)table -{ - if ([self tryToOpenDatabase]) { - NSError* error = nil; - NSData* serializedRecord = [NSPropertyListSerialization dataWithPropertyList:eventDict format:NSPropertyListBinaryFormat_v1_0 options:0 error:&error]; - if(!error && serializedRecord) { - [self insertOrReplaceInto:table values:@{SFAnalyticsLoggerColumnDate : [NSDate date], SFAnalyticsLoggerColumnData : serializedRecord}]; - } - if(error && !serializedRecord) { - secerror("Couldn't serialize failure record: %@", error); - } - } -} - -// the other returning methods give default values in case of closed db, -// but this needs to be nil so the comparison to 'now' fails and we don't upload -- (NSDate*)uploadDate -{ - if ([self tryToOpenDatabase]) { - return [self datePropertyForKey:SFAnalyticsLoggerUploadDate]; - } - return nil; -} - -- (void)setUploadDate:(NSDate*)uploadDate -{ - if ([self tryToOpenDatabase]) { - [self setDateProperty:uploadDate forKey:SFAnalyticsLoggerUploadDate]; - } -} - -- (void)clearAllData -{ - if ([self tryToOpenDatabase]) { - [self deleteFrom:SFAnalyticsLoggerTableSuccessCount where:@"event_type like ?" bindings:@[@"%"]]; - [self deleteFrom:SFAnalyticsLoggerTableHardFailures where:@"id >= 0" bindings:nil]; - [self deleteFrom:SFAnalyticsLoggerTableSoftFailures where:@"id >= 0" bindings:nil]; - [self deleteFrom:SFAnalyticsLoggerTableAllEvents where:@"id >= 0" bindings:nil]; - } -} - -@end - -#endif // __OBJC2__ diff --git a/Analytics/SFAnalyticsLogging.plist b/Analytics/SFAnalyticsLogging.plist deleted file mode 100644 index 060222c3..00000000 --- a/Analytics/SFAnalyticsLogging.plist +++ /dev/null @@ -1,16 +0,0 @@ - - - - - splunk_topic - xp_sear_keysync - splunk_allowInsecureCertificate - - splunk_bagURL - https://xp.apple.com/config/1/report/xp_sear_keysync - SyncManifests - - EnforceManifests - - - 
diff --git a/Analytics/SFAnalyticsMultiSampler+Internal.h b/Analytics/SFAnalyticsMultiSampler+Internal.h new file mode 100644 index 00000000..cc365744 --- /dev/null +++ b/Analytics/SFAnalyticsMultiSampler+Internal.h @@ -0,0 +1,39 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#ifndef SFAnalyticsMultiSampler_Internal_h +#define SFAnalyticsMultiSampler_Internal_h + +#if __OBJC2__ + +#import "SFAnalyticsMultiSampler.h" + +typedef NSDictionary* MultiSamplerDictionary; + +@interface SFAnalyticsMultiSampler(Internal) +- (instancetype)initWithName:(NSString*)name interval:(NSTimeInterval)interval block:(MultiSamplerDictionary (^)(void))block clientClass:(Class)clientClass; +@end + +#endif // objc2 + +#endif /* SFAnalyticsSampler_private_h */ diff --git a/Analytics/SFAnalyticsMultiSampler.h b/Analytics/SFAnalyticsMultiSampler.h new file mode 100644 index 00000000..93284f06 --- /dev/null +++ b/Analytics/SFAnalyticsMultiSampler.h 
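Review bot: The closing comment `#endif /* SFAnalyticsSampler_private_h */` does not match the guard this header opens with, `SFAnalyticsMultiSampler_Internal_h`. The same stale comment closes SFAnalyticsSampler+Internal.h, whose guard is `SFAnalyticsSampler_Internal_h`. Each trailing comment should name its own guard, e.g. `#endif /* SFAnalyticsMultiSampler_Internal_h */`. The `initWithName:interval:block:clientClass:` declaration would also benefit from a one-line comment saying it returns nil when the client class, name, interval or block is rejected, which is what the implementation in SFAnalyticsMultiSampler.m does.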
@@ -0,0 +1,43 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if __OBJC2__ +#ifndef SFAnalyticsMultiSampler_h +#define SFAnalyticsMultiSampler_h + +#import + +@interface SFAnalyticsMultiSampler : NSObject + +@property (nonatomic) NSTimeInterval samplingInterval; +@property (nonatomic, readonly) NSString* name; + +- (instancetype)init NS_UNAVAILABLE; +- (NSDictionary*)sampleNow; +- (void)pauseSampling; +- (void)resumeSampling; + +@end + +#endif +#endif diff --git a/Analytics/SFAnalyticsMultiSampler.m b/Analytics/SFAnalyticsMultiSampler.m new file mode 100644 index 00000000..638f338f --- /dev/null +++ b/Analytics/SFAnalyticsMultiSampler.m 
@@ -0,0 +1,176 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if __OBJC2__ + +#import "SFAnalyticsMultiSampler+Internal.h" +#import "SFAnalytics+Internal.h" +#import "SFAnalyticsDefines.h" +#import "utilities/debugging.h" +#include +#include + +@implementation SFAnalyticsMultiSampler { + NSTimeInterval _samplingInterval; + dispatch_source_t _timer; + NSString* _name; + MultiSamplerDictionary (^_block)(void); + int _notificationToken; + Class _clientClass; + BOOL _oncePerReport; + BOOL _activeTimer; +} + +@synthesize name = _name; +@synthesize samplingInterval = _samplingInterval; + +- (instancetype)initWithName:(NSString*)name interval:(NSTimeInterval)interval block:(MultiSamplerDictionary (^)(void))block clientClass:(Class)clientClass +{ + if (self = [super init]) { + if (![clientClass isSubclassOfClass:[SFAnalytics class]]) { + secerror("SFAnalyticsSampler created without valid client class (%@)", clientClass); + return nil; + } + + if (!name || (interval < 1.0f && interval != SFAnalyticsSamplerIntervalOncePerReport) || !block) { + 
secerror("SFAnalyticsSampler created without proper data"); + return nil; + } + + _clientClass = clientClass; + _block = block; + _name = name; + _samplingInterval = interval; + [self newTimer]; + } + return self; +} + +- (void)newTimer +{ + if (_activeTimer) { + [self pauseSampling]; + } + + _oncePerReport = (_samplingInterval == SFAnalyticsSamplerIntervalOncePerReport); + if (_oncePerReport) { + [self setupOnceTimer]; + } else { + [self setupPeriodicTimer]; + } +} + +- (void)setupOnceTimer +{ + __weak __typeof(self) weakSelf = self; + notify_register_dispatch(SFAnalyticsFireSamplersNotification, &_notificationToken, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(int token) { + __strong __typeof(self) strongSelf = weakSelf; + if (!strongSelf) { + secnotice("SFAnalyticsSampler", "sampler went away before we could run its once-per-report block"); + notify_cancel(token); + return; + } + + MultiSamplerDictionary data = strongSelf->_block(); + [data enumerateKeysAndObjectsUsingBlock:^(NSString * _Nonnull key, NSNumber * _Nonnull obj, BOOL * _Nonnull stop) { + [[strongSelf->_clientClass logger] logMetric:obj withName:key oncePerReport:strongSelf->_oncePerReport]; + }]; + }); + _activeTimer = YES; +} + +- (void)setupPeriodicTimer +{ + _timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0)); + dispatch_source_set_timer(_timer, dispatch_walltime(0, _samplingInterval * NSEC_PER_SEC), _samplingInterval * NSEC_PER_SEC, _samplingInterval * NSEC_PER_SEC / 50.0); // give 2% leeway on timer + + __weak __typeof(self) weakSelf = self; + dispatch_source_set_event_handler(_timer, ^{ + __strong __typeof(self) strongSelf = weakSelf; + if (!strongSelf) { + secnotice("SFAnalyticsSampler", "sampler went away before we could run its once-per-report block"); + return; + } + + MultiSamplerDictionary data = strongSelf->_block(); + [data enumerateKeysAndObjectsUsingBlock:^(NSString * _Nonnull key, 
NSNumber * _Nonnull obj, BOOL * _Nonnull stop) { + [[strongSelf->_clientClass logger] logMetric:obj withName:key oncePerReport:strongSelf->_oncePerReport]; + }]; + }); + dispatch_resume(_timer); + + _activeTimer = YES; +} + +- (void)setSamplingInterval:(NSTimeInterval)interval +{ + if (interval < 1.0f && !(interval == SFAnalyticsSamplerIntervalOncePerReport)) { + secerror("SFAnalyticsSampler: interval %f is not supported", interval); + return; + } + + _samplingInterval = interval; + [self newTimer]; +} + +- (NSTimeInterval)samplingInterval { + return _samplingInterval; +} + +- (MultiSamplerDictionary)sampleNow +{ + MultiSamplerDictionary data = _block(); + [data enumerateKeysAndObjectsUsingBlock:^(NSString * _Nonnull key, NSNumber * _Nonnull obj, BOOL * _Nonnull stop) { + [[self->_clientClass logger] logMetric:obj withName:key oncePerReport:self->_oncePerReport]; + }]; + return data; +} + +- (void)pauseSampling +{ + if (!_activeTimer) { + return; + } + + if (_oncePerReport) { + notify_cancel(_notificationToken); + _notificationToken = 0; + } else { + dispatch_source_cancel(_timer); + } + _activeTimer = NO; +} + +- (void)resumeSampling +{ + [self newTimer]; +} + +- (void)dealloc +{ + [self pauseSampling]; +} + +@end + +#endif diff --git a/Analytics/SFAnalyticsSQLiteStore.h b/Analytics/SFAnalyticsSQLiteStore.h new file mode 100644 index 00000000..3cecef1e --- /dev/null +++ b/Analytics/SFAnalyticsSQLiteStore.h 
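Review bot: In `setupOnceTimer` the status returned by `notify_register_dispatch` is discarded and `_activeTimer` is set to `YES` unconditionally. A failed registration therefore leaves the sampler marked active, and `pauseSampling` later calls `notify_cancel` on whatever value was left in `_notificationToken`. Capture the result and bail out before marking the timer active, e.g. `if (status != NOTIFY_STATUS_OK) { secerror("SFAnalyticsSampler: notify registration failed: %u", status); return; }`. Separately, the event handler in `setupPeriodicTimer` logs "once-per-report block" when the sampler has gone away, which looks copied from the once-per-report path and will mislead anyone reading the log.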
@@ -0,0 +1,54 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if __OBJC2__ + +#import "SFSQLite.h" + +@interface SFAnalyticsSQLiteStore : SFSQLite + +@property (readonly, strong) NSArray* hardFailures; +@property (readonly, strong) NSArray* softFailures; +@property (readonly, strong) NSArray* allEvents; +@property (readonly, strong) NSArray* samples; +@property (readwrite, strong) NSDate* uploadDate; + ++ (instancetype)storeWithPath:(NSString*)path schema:(NSString*)schema; + +- (BOOL)tryToOpenDatabase; +- (void)incrementSuccessCountForEventType:(NSString*)eventType; +- (void)incrementHardFailureCountForEventType:(NSString*)eventType; +- (void)incrementSoftFailureCountForEventType:(NSString*)eventType; +- (NSInteger)successCountForEventType:(NSString*)eventType; +- (NSInteger)hardFailureCountForEventType:(NSString*)eventType; +- (NSInteger)softFailureCountForEventType:(NSString*)eventType; +- (void)addEventDict:(NSDictionary*)eventDict toTable:(NSString*)table; +- (void)addSample:(NSNumber*)value forName:(NSString*)name; +- 
(void)removeAllSamplesForName:(NSString*)name; +- (void)clearAllData; + +- (NSDictionary*)summaryCounts; + +@end + +#endif diff --git a/Analytics/SFAnalyticsSQLiteStore.m b/Analytics/SFAnalyticsSQLiteStore.m new file mode 100644 index 00000000..f779d289 --- /dev/null +++ b/Analytics/SFAnalyticsSQLiteStore.m 
@@ -0,0 +1,262 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if __OBJC2__ + +#import "SFAnalyticsSQLiteStore.h" +#import "SFAnalyticsDefines.h" +#import "debugging.h" + +NSString* const SFAnalyticsColumnEventType = @"event_type"; +NSString* const SFAnalyticsColumnDate = @"timestamp"; +NSString* const SFAnalyticsColumnData = @"data"; +NSString* const SFAnalyticsUploadDate = @"upload_date"; + +@implementation SFAnalyticsSQLiteStore + ++ (instancetype)storeWithPath:(NSString*)path schema:(NSString*)schema +{ + SFAnalyticsSQLiteStore* store = nil; + @synchronized([SFAnalyticsSQLiteStore class]) { + static NSMutableDictionary* loggingStores = nil; + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + loggingStores = [[NSMutableDictionary alloc] init]; + }); + + NSString* standardizedPath = path.stringByStandardizingPath; + store = loggingStores[standardizedPath]; + if (!store) { + store = [[self alloc] initWithPath:standardizedPath schema:schema]; + loggingStores[standardizedPath] = store; + } + NSError* error = nil; + if 
(![store openWithError:&error] && !(error && error.code == SQLITE_AUTH)) { + secerror("SFAnalytics: could not open db at init, will try again later. Error: %@", error); + } + } + + return store; +} + +- (void)dealloc +{ + [self close]; +} + +- (BOOL)tryToOpenDatabase +{ + if (!self.isOpen) { + NSError* error = nil; + if (![self openWithError:&error]) { + return NO; + } + secnotice("SFAnalytics", "successfully opened analytics db"); + } + return YES; +} + +- (NSInteger)successCountForEventType:(NSString*)eventType +{ + if (![self tryToOpenDatabase]) { + return 0; + } + return [[[[self select:@[SFAnalyticsColumnSuccessCount] from:SFAnalyticsTableSuccessCount where:@"event_type = ?" bindings:@[eventType]] firstObject] valueForKey:SFAnalyticsColumnSuccessCount] integerValue]; +} + +- (void)incrementSuccessCountForEventType:(NSString*)eventType +{ + if (![self tryToOpenDatabase]) { + return; + } + NSInteger successCount = [self successCountForEventType:eventType]; + NSInteger hardFailureCount = [self hardFailureCountForEventType:eventType]; + NSInteger softFailureCount = [self softFailureCountForEventType:eventType]; + [self insertOrReplaceInto:SFAnalyticsTableSuccessCount values:@{SFAnalyticsColumnEventType : eventType, SFAnalyticsColumnSuccessCount : @(successCount + 1), SFAnalyticsColumnHardFailureCount : @(hardFailureCount), SFAnalyticsColumnSoftFailureCount : @(softFailureCount)}]; +} + +- (NSInteger)hardFailureCountForEventType:(NSString*)eventType +{ + if (![self tryToOpenDatabase]) { + return 0; + } + return [[[[self select:@[SFAnalyticsColumnHardFailureCount] from:SFAnalyticsTableSuccessCount where:@"event_type = ?" bindings:@[eventType]] firstObject] valueForKey:SFAnalyticsColumnHardFailureCount] integerValue]; +} + +- (NSInteger)softFailureCountForEventType:(NSString*)eventType +{ + if (![self tryToOpenDatabase]) { + return 0; + } + return [[[[self select:@[SFAnalyticsColumnSoftFailureCount] from:SFAnalyticsTableSuccessCount where:@"event_type = ?" 
bindings:@[eventType]] firstObject] valueForKey:SFAnalyticsColumnSoftFailureCount] integerValue]; +} + +- (void)incrementHardFailureCountForEventType:(NSString*)eventType +{ + if (![self tryToOpenDatabase]) { + return; + } + NSInteger successCount = [self successCountForEventType:eventType]; + NSInteger hardFailureCount = [self hardFailureCountForEventType:eventType]; + NSInteger softFailureCount = [self softFailureCountForEventType:eventType]; + [self insertOrReplaceInto:SFAnalyticsTableSuccessCount values:@{SFAnalyticsColumnEventType : eventType, SFAnalyticsColumnSuccessCount : @(successCount), SFAnalyticsColumnHardFailureCount : @(hardFailureCount + 1), SFAnalyticsColumnSoftFailureCount : @(softFailureCount)}]; +} + +- (void)incrementSoftFailureCountForEventType:(NSString*)eventType +{ + if (![self tryToOpenDatabase]) { + return; + } + NSInteger successCount = [self successCountForEventType:eventType]; + NSInteger hardFailureCount = [self hardFailureCountForEventType:eventType]; + NSInteger softFailureCount = [self softFailureCountForEventType:eventType]; + [self insertOrReplaceInto:SFAnalyticsTableSuccessCount values:@{SFAnalyticsColumnEventType : eventType, SFAnalyticsColumnSuccessCount : @(successCount), SFAnalyticsColumnHardFailureCount : @(hardFailureCount), SFAnalyticsColumnSoftFailureCount : @(softFailureCount + 1)}]; +} + +- (NSDictionary*)summaryCounts +{ + if (![self tryToOpenDatabase]) { + return [NSDictionary new]; + } + NSMutableDictionary* successCountsDict = [NSMutableDictionary dictionary]; + NSArray* rows = [self selectAllFrom:SFAnalyticsTableSuccessCount where:nil bindings:nil]; + for (NSDictionary* rowDict in rows) { + NSString* eventName = rowDict[SFAnalyticsColumnEventType]; + if (!eventName) { + secinfo("SFAnalytics", "ignoring entry in success counts table without an event name"); + continue; + } + + successCountsDict[eventName] = @{SFAnalyticsTableSuccessCount : rowDict[SFAnalyticsColumnSuccessCount], SFAnalyticsColumnHardFailureCount : 
rowDict[SFAnalyticsColumnHardFailureCount], SFAnalyticsColumnSoftFailureCount : rowDict[SFAnalyticsColumnSoftFailureCount]}; + } + + return successCountsDict; +} + +- (NSArray*)deserializedRecords:(NSArray*)recordBlobs +{ + if (![self tryToOpenDatabase]) { + return [NSArray new]; + } + NSMutableArray* records = [NSMutableArray new]; + for (NSDictionary* row in recordBlobs) { + NSMutableDictionary* deserializedRecord = [NSPropertyListSerialization propertyListWithData:row[SFAnalyticsColumnData] options:NSPropertyListMutableContainers format:nil error:nil]; + [records addObject:deserializedRecord]; + } + return records; +} + +- (NSArray*)hardFailures +{ + if (![self tryToOpenDatabase]) { + return [NSArray new]; + } + return [self deserializedRecords:[self select:@[SFAnalyticsColumnData] from:SFAnalyticsTableHardFailures]]; +} + +- (NSArray*)softFailures +{ + if (![self tryToOpenDatabase]) { + return [NSArray new]; + } + return [self deserializedRecords:[self select:@[SFAnalyticsColumnData] from:SFAnalyticsTableSoftFailures]]; +} + +- (NSArray*)allEvents +{ + if (![self tryToOpenDatabase]) { + return [NSArray new]; + } + return [self deserializedRecords:[self select:@[SFAnalyticsColumnData] from:SFAnalyticsTableAllEvents]]; +} + +- (NSArray*)samples +{ + if (![self tryToOpenDatabase]) { + return [NSArray new]; + } + return [self select:@[SFAnalyticsColumnSampleName, SFAnalyticsColumnSampleValue] from:SFAnalyticsTableSamples]; +} + +- (void)addEventDict:(NSDictionary*)eventDict toTable:(NSString*)table +{ + if (![self tryToOpenDatabase]) { + return; + } + NSError* error = nil; + NSData* serializedRecord = [NSPropertyListSerialization dataWithPropertyList:eventDict format:NSPropertyListBinaryFormat_v1_0 options:0 error:&error]; + if(!error && serializedRecord) { + [self insertOrReplaceInto:table values:@{SFAnalyticsColumnDate : @([[NSDate date] timeIntervalSince1970]), SFAnalyticsColumnData : serializedRecord}]; + } + if(error && !serializedRecord) { + 
secerror("Couldn't serialize failure record: %@", error); + } +} + +- (void)addSample:(NSNumber*)value forName:(NSString*)name +{ + if (![self tryToOpenDatabase]) { + return; + } + [self insertOrReplaceInto:SFAnalyticsTableSamples values:@{SFAnalyticsColumnDate : @([[NSDate date] timeIntervalSince1970]), SFAnalyticsColumnSampleName : name, SFAnalyticsColumnSampleValue : value}]; +} + +- (void)removeAllSamplesForName:(NSString*)name +{ + if (![self tryToOpenDatabase]) { + return; + } + [self deleteFrom:SFAnalyticsTableSamples where:[NSString stringWithFormat:@"name == '%@'", name] bindings:nil]; +} + +- (NSDate*)uploadDate +{ + if (![self tryToOpenDatabase]) { + return nil; // In other cases return default object but nil is better here to avoid entering the upload flow + } + return [self datePropertyForKey:SFAnalyticsUploadDate]; +} + +- (void)setUploadDate:(NSDate*)uploadDate +{ + if (![self tryToOpenDatabase]) { + return; + } + [self setDateProperty:uploadDate forKey:SFAnalyticsUploadDate]; +} + +- (void)clearAllData +{ + if (![self tryToOpenDatabase]) { + return; + } + [self deleteFrom:SFAnalyticsTableSuccessCount where:@"event_type like ?" bindings:@[@"%"]]; + [self deleteFrom:SFAnalyticsTableHardFailures where:@"id >= 0" bindings:nil]; + [self deleteFrom:SFAnalyticsTableSoftFailures where:@"id >= 0" bindings:nil]; + [self deleteFrom:SFAnalyticsTableSamples where:@"id >= 0" bindings:nil]; + [self deleteFrom:SFAnalyticsTableAllEvents where:@"id >= 0" bindings:nil]; +} + +@end + +#endif // OBJC2 diff --git a/Analytics/SFAnalyticsSampler+Internal.h b/Analytics/SFAnalyticsSampler+Internal.h new file mode 100644 index 00000000..fdf3d3d1 --- /dev/null +++ b/Analytics/SFAnalyticsSampler+Internal.h 
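Review bot: `removeAllSamplesForName:` builds its WHERE clause with `[NSString stringWithFormat:@"name == '%@'", name]` and passes `bindings:nil`, so a sample name containing a single quote changes the SQL that is executed. Every other query in this file binds its values (`where:@"event_type = ?" bindings:@[eventType]`). Sampler names presumably come from in-process callers, but the store should not rely on that. Use the bound form here as well: `[self deleteFrom:SFAnalyticsTableSamples where:@"name == ?" bindings:@[name]];`. Separately, `deserializedRecords:` passes the result of `propertyListWithData:… error:nil` straight to `addObject:`, which throws if a stored blob fails to parse; skip and log nil results instead.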
@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2017 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#ifndef SFAnalyticsSampler_Internal_h
+#define SFAnalyticsSampler_Internal_h
+
+#if __OBJC2__
+
+#import "SFAnalyticsSampler.h"
+
+@interface SFAnalyticsSampler(Internal)
+- (instancetype)initWithName:(NSString*)name interval:(NSTimeInterval)interval block:(NSNumber* (^)(void))block clientClass:(Class)clientClass;
+@end
+
+#endif // objc2
+
+#endif /* SFAnalyticsSampler_private_h */
diff --git a/Analytics/SFAnalyticsSampler.h b/Analytics/SFAnalyticsSampler.h
new file mode 100644
index 00000000..3844d8f4
--- /dev/null
+++ b/Analytics/SFAnalyticsSampler.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2017 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#if __OBJC2__
+#ifndef SFAnalyticsSampler_h
+#define SFAnalyticsSampler_h
+
+#import
+
+@interface SFAnalyticsSampler : NSObject
+
+@property (nonatomic) NSTimeInterval samplingInterval;
+@property (nonatomic, readonly) NSString* name;
+
+- (instancetype)init NS_UNAVAILABLE;
+- (NSNumber*)sampleNow;
+- (void)pauseSampling;
+- (void)resumeSampling;
+
+@end
+
+#endif
+#endif
diff --git a/Analytics/SFAnalyticsSampler.m b/Analytics/SFAnalyticsSampler.m
new file mode 100644
index 00000000..bd887abf
--- /dev/null
+++ b/Analytics/SFAnalyticsSampler.m
@@ -0,0 +1,167 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if __OBJC2__ + +#import "SFAnalyticsSampler+Internal.h" +#import "SFAnalytics+Internal.h" +#import "SFAnalyticsDefines.h" +#import "utilities/debugging.h" +#include +#include + +@implementation SFAnalyticsSampler { + NSTimeInterval _samplingInterval; + dispatch_source_t _timer; + NSString* _name; + NSNumber* (^_block)(void); + int _notificationToken; + Class _clientClass; + BOOL _oncePerReport; + BOOL _activeTimer; +} + +@synthesize name = _name; +@synthesize samplingInterval = _samplingInterval; + +- (instancetype)initWithName:(NSString*)name interval:(NSTimeInterval)interval block:(NSNumber* (^)(void))block clientClass:(Class)clientClass +{ + if (self = [super init]) { + if (![clientClass isSubclassOfClass:[SFAnalytics class]]) { + secerror("SFAnalyticsSampler created without valid client class (%@)", clientClass); + return nil; + } + + if (!name || (interval < 1.0f && interval != SFAnalyticsSamplerIntervalOncePerReport) || !block) { + secerror("SFAnalyticsSampler created 
without proper data"); + return nil; + } + + _clientClass = clientClass; + _block = block; + _name = name; + _samplingInterval = interval; + [self newTimer]; + } + return self; +} + +- (void)newTimer +{ + if (_activeTimer) { + [self pauseSampling]; + } + + _oncePerReport = (_samplingInterval == SFAnalyticsSamplerIntervalOncePerReport); + if (_oncePerReport) { + [self setupOnceTimer]; + } else { + [self setupPeriodicTimer]; + } +} + +- (void)setupOnceTimer +{ + __weak __typeof(self) weakSelf = self; + notify_register_dispatch(SFAnalyticsFireSamplersNotification, &_notificationToken, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(int token) { + __strong __typeof(self) strongSelf = weakSelf; + if (!strongSelf) { + secnotice("SFAnalyticsSampler", "sampler went away before we could run its once-per-report block"); + notify_cancel(token); + return; + } + [[strongSelf->_clientClass logger] logMetric:strongSelf->_block() withName:strongSelf->_name oncePerReport:strongSelf->_oncePerReport]; + }); + _activeTimer = YES; +} + +- (void)setupPeriodicTimer +{ + _timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0)); + dispatch_source_set_timer(_timer, dispatch_walltime(0, _samplingInterval * NSEC_PER_SEC), _samplingInterval * NSEC_PER_SEC, _samplingInterval * NSEC_PER_SEC / 50.0); // give 2% leeway on timer + + __weak __typeof(self) weakSelf = self; + dispatch_source_set_event_handler(_timer, ^{ + __strong __typeof(self) strongSelf = weakSelf; + if (!strongSelf) { + // TODO: can we cancel this thing from here? 
+ secnotice("SFAnalyticsSampler", "sampler went away before we could run its once-per-report block"); + return; + } + [[strongSelf->_clientClass logger] logMetric:strongSelf->_block() withName:strongSelf->_name oncePerReport:strongSelf->_oncePerReport]; + }); + dispatch_resume(_timer); + + _activeTimer = YES; +} + +- (void)setSamplingInterval:(NSTimeInterval)interval +{ + if (interval < 1.0f && !(interval == SFAnalyticsSamplerIntervalOncePerReport)) { + secerror("SFAnalyticsSampler: interval %f is not supported", interval); + return; + } + + _samplingInterval = interval; + [self newTimer]; +} + +- (NSTimeInterval)samplingInterval { + return _samplingInterval; +} + +- (NSNumber*)sampleNow +{ + NSNumber* result = _block(); + [[_clientClass logger] logMetric:result withName:_name oncePerReport:_oncePerReport]; + return result; +} + +- (void)pauseSampling +{ + if (!_activeTimer) { + return; + } + + if (_oncePerReport) { + notify_cancel(_notificationToken); + _notificationToken = 0; + } else { + dispatch_source_cancel(_timer); + } + _activeTimer = NO; +} + +- (void)resumeSampling +{ + [self newTimer]; +} + +- (void)dealloc +{ + [self pauseSampling]; +} + +@end + +#endif diff --git a/Analytics/SQLite/SFObjCType.h b/Analytics/SQLite/SFObjCType.h index 61acd4b6..50400597 100644 --- a/Analytics/SQLite/SFObjCType.h +++ b/Analytics/SQLite/SFObjCType.h @@ -21,6 +21,8 @@ * @APPLE_LICENSE_HEADER_END@ */ +#if __OBJC2__ + #import typedef NS_ENUM(NSInteger, SFObjCTypeCode) { @@ -86,3 +88,5 @@ typedef NS_ENUM(NSInteger, SFObjCTypeFlag) { - (void)getBytes:(void *)bytes forObject:(id)object; @end + +#endif diff --git a/Analytics/SQLite/SFObjCType.m b/Analytics/SQLite/SFObjCType.m index 98257f2b..dcc27ff5 100644 --- a/Analytics/SQLite/SFObjCType.m +++ b/Analytics/SQLite/SFObjCType.m @@ -21,8 +21,9 @@ * @APPLE_LICENSE_HEADER_END@ */ -#import "SFObjCType.h" +#if __OBJC2__ +#import "SFObjCType.h" static NSArray *_SFObjCTypesByCode = nil; 
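Review bot: In `setupOnceTimer` of SFAnalyticsSampler.m the status returned by `notify_register_dispatch` is ignored and `_activeTimer` is set to `YES` regardless, so after a failed registration `pauseSampling` (and therefore `dealloc`) will hand a token that was never issued to `notify_cancel`. I would capture the result and bail out before setting the flag: `uint32_t status = notify_register_dispatch(...); if (status != NOTIFY_STATUS_OK) { secerror("SFAnalyticsSampler: notify registration failed: %u", status); return; }`. The nil-`strongSelf` branch of the periodic handler also reuses the "once-per-report" log text and leaves its TODO open, which will mislead anyone reading the log. Finally, `newTimer` and `pauseSampling` change `_timer`, `_oncePerReport` and `_notificationToken` with no visible synchronization while both handlers read sampler state on a global concurrent queue; a comment stating which queue callers must use would make the contract explicit.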
@@ -167,3 +168,5 @@ static NSArray *_SFObjCTypesByCode = nil; } @end + +#endif diff --git a/Analytics/SQLite/SFSQLite.h b/Analytics/SQLite/SFSQLite.h index cb6a80df..4eda2730 100644 --- a/Analytics/SQLite/SFSQLite.h +++ b/Analytics/SQLite/SFSQLite.h @@ -23,6 +23,8 @@ // Header exposed for unit testing only +#if __OBJC2__ + #import #import @@ -39,7 +41,7 @@ typedef NS_ENUM(NSInteger, SFSQLiteSynchronousMode) { SFSQLiteSynchronousModeFull = 2 }; -@protocol SFSQLiteDelegate +@protocol SFSQLiteDelegate @property (nonatomic, readonly) SInt32 userVersion; - (BOOL)migrateDatabase:(SFSQLite *)db fromVersion:(SInt32)version; @@ -47,6 +49,7 @@ typedef NS_ENUM(NSInteger, SFSQLiteSynchronousMode) { // Wrapper around the SQLite API. Typically subclassed to add table accessor methods. @interface SFSQLite : NSObject { +@private id _delegate; NSString* _path; NSString* _schema; @@ -147,3 +150,5 @@ typedef NS_ENUM(NSInteger, SFSQLiteSynchronousMode) { - (SInt32)dbUserVersion; @end + +#endif diff --git a/Analytics/SQLite/SFSQLite.m b/Analytics/SQLite/SFSQLite.m index f83444e1..b7512c12 100644 --- a/Analytics/SQLite/SFSQLite.m +++ b/Analytics/SQLite/SFSQLite.m @@ -21,11 +21,14 @@ * @APPLE_LICENSE_HEADER_END@ */ +#if __OBJC2__ + #import "SFSQLite.h" #import "SFSQLiteStatement.h" #include #include #import "debugging.h" +#include #define kSFSQLiteBusyTimeout (5*60*1000) 
@@ -292,13 +295,39 @@ allDone: // https://sqlite.org/pragma.html#pragma_auto_vacuum NSDate *lastVacuumDate = [NSDate dateWithTimeIntervalSinceReferenceDate:[[self propertyForKey:kSFSQLiteLastVacuumKey] floatValue]]; if ([lastVacuumDate timeIntervalSinceNow] < -(kCKSQLVacuumInterval)) { - [self executeSQL:@"VACUUM"]; - - NSString *vacuumDateString = [NSString stringWithFormat:@"%f", [[NSDate date] timeIntervalSinceReferenceDate]]; - [self setProperty:vacuumDateString forKey:kSFSQLiteLastVacuumKey]; + @autoreleasepool { + os_transaction_t transaction = os_transaction_create("SFSQLITE DB Vacuum"); + secnotice("SFSQLITE", "performing periodic vacuum"); + [self executeSQL:@"VACUUM"]; + (void)transaction; // dead store + + NSString *vacuumDateString = [NSString stringWithFormat:@"%f", [[NSDate date] timeIntervalSinceReferenceDate]]; + [self setProperty:vacuumDateString forKey:kSFSQLiteLastVacuumKey]; + } } } +/* + Best-effort attempts to set/correct filesystem permissions. + May fail when we don't own DB which means we must wait for them to update permissions, + or file does not exist yet which is okay because db will exist and the aux files inherit permissions +*/ +- (void)attemptProperDatabasePermissions +{ +#if TARGET_OS_IPHONE + NSFileManager* fm = [NSFileManager defaultManager]; + [fm setAttributes:@{NSFilePosixPermissions : [NSNumber numberWithShort:0666]} + ofItemAtPath:_path + error:nil]; + [fm setAttributes:@{NSFilePosixPermissions : [NSNumber numberWithShort:0666]} + ofItemAtPath:[NSString stringWithFormat:@"%@-wal",_path] + error:nil]; + [fm setAttributes:@{NSFilePosixPermissions : [NSNumber numberWithShort:0666]} + ofItemAtPath:[NSString stringWithFormat:@"%@-shm",_path] + error:nil]; +#endif +} + - (BOOL)openWithError:(NSError **)error { BOOL success = NO; NSError *localError; 
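Review bot: `attemptProperDatabasePermissions` sets mode 0666 on the database and on its `-wal` and `-shm` files, which makes the store readable and writable by every local user rather than only by the daemons that share it, and each call discards its outcome with `error:nil`. If the cooperating daemons can share a group, `@{NSFilePosixPermissions : @(0660)}` plus group ownership would keep the sharing without opening the files to everyone; if world access really is required, the header comment should say what the database may contain and why modification by any user is acceptable. I would also pass an `NSError*` and log failures with `secnotice`, since the comment already says the call may fail and a silent failure is presumably what later shows up as `SQLITE_AUTH` or `SQLITE_READONLY` in the other hunks of this file. The method is called from `openWithError:` in the next hunk, after `sqlite3_open_v2` has already created the file, so there is a window in which the file has whatever mode the process umask produced.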
@@ -325,9 +354,13 @@ allDone: #endif int rc = sqlite3_open_v2([arcSafePath fileSystemRepresentation], &_db, flags, NULL); if (rc != SQLITE_OK) { - localError = [NSError errorWithDomain:NSCocoaErrorDomain code:0 userInfo:@{NSLocalizedDescriptionKey : [NSString stringWithFormat:@"Error opening db at %@, rc=%d(0x%x)", _path, rc, rc]}]; + localError = [NSError errorWithDomain:NSCocoaErrorDomain code:rc userInfo:@{NSLocalizedDescriptionKey : [NSString stringWithFormat:@"Error opening db at %@, rc=%d(0x%x)", _path, rc, rc]}]; goto done; } + + // Filesystem foo for multiple daemons from different users + [self attemptProperDatabasePermissions]; + sqlite3_extended_result_codes(_db, 1); rc = sqlite3_busy_timeout(_db, kSFSQLiteBusyTimeout); if (rc != SQLITE_OK) { @@ -419,7 +452,7 @@ done: if (!success && error) { if (!localError) { - localError = [NSError errorWithDomain:NSCocoaErrorDomain code:0 userInfo:@{NSLocalizedDescriptionKey : [NSString stringWithFormat:@"Error opening db at %@, ", _path]}]; + localError = [NSError errorWithDomain:NSCocoaErrorDomain code:0 userInfo:@{NSLocalizedDescriptionKey : [NSString stringWithFormat:@"Error opening db at %@", _path]}]; } *error = localError; } @@ -428,7 +461,7 @@ done: - (void)open { NSError *error; - if (![self openWithError:&error]) { + if (![self openWithError:&error] && !(error && error.code == SQLITE_AUTH)) { secerror("sfsqlite: Error opening db at %@: %@", self.path, error); return; } @@ -515,7 +548,9 @@ done: } int execRet = sqlite3_exec(_db, [SQL UTF8String], NULL, NULL, NULL); if (execRet != SQLITE_OK) { - secerror("sfsqlite: Error executing SQL: \"%@\" (%d)", SQL, execRet); + if (execRet != SQLITE_AUTH && execRet != SQLITE_READONLY) { + secerror("sfsqlite: Error executing SQL: \"%@\" (%d)", SQL, execRet); + } return NO; } 
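Review bot: In `-open` the new condition `![self openWithError:&error] && !(error && error.code == SQLITE_AUTH)` skips the early `return` as well as the log line when the open fails with `SQLITE_AUTH`, so execution continues past this check with a database that did not open; the rest of the method lies outside the hunk, so whether that is harmless cannot be confirmed from here. If the intent is only to silence the log, keep the return unconditional: `if (![self openWithError:&error]) { if (error.code != SQLITE_AUTH) { secerror("sfsqlite: Error opening db at %@: %@", self.path, error); } return; }`. Note also that the first hunk on this line now stores the raw SQLite `rc` as the code of an `NSCocoaErrorDomain` error, so this comparison is made against a value that could equally be a Cocoa error code; a dedicated error domain would make the check unambiguous.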
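Review bot: The log suppression added to `executeSQL:` compares `execRet` with the primary codes `SQLITE_AUTH` and `SQLITE_READONLY`, but `openWithError:` enables extended result codes with `sqlite3_extended_result_codes(_db, 1)`, so `sqlite3_exec` can return an extended value such as `SQLITE_READONLY_DBMOVED` that matches neither constant. Comparing the primary code would make the filter behave as intended: `int primary = execRet & 0xff; if (primary != SQLITE_AUTH && primary != SQLITE_READONLY) { ... }`. Since the method now returns `NO` silently for these two cases, a short comment saying that callers are expected to tolerate a read-only or unauthorized store would document the decision.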
@@ -684,7 +719,7 @@ done: NSString *orderByString = [orderBy componentsJoinedByString:@", "]; [SQL appendFormat:@" order by %@", orderByString]; } - if (limit) { + if (limit != nil) { [SQL appendFormat:@" limit %ld", (long)limit.integerValue]; } @@ -721,7 +756,7 @@ done: NSString *orderByString = [orderBy componentsJoinedByString:@", "]; [SQL appendFormat:@" order by %@", orderByString]; } - if (limit) { + if (limit != nil) { [SQL appendFormat:@" limit %ld", (long)limit.integerValue]; } @@ -753,7 +788,7 @@ done: if (whereSQL.length) { [SQL appendFormat:@" where %@", whereSQL]; } - if (limit) { + if (limit != nil) { [SQL appendFormat:@" limit %ld", (long)limit.integerValue]; } @@ -779,7 +814,7 @@ done: if (whereSQL.length) { [SQL appendFormat:@" where %@", whereSQL]; } - if (limit) { + if (limit != nil) { [SQL appendFormat:@" limit %ld", (long)limit.integerValue]; } @@ -884,3 +919,5 @@ done: } @end + +#endif diff --git a/Analytics/SQLite/SFSQLiteStatement.h b/Analytics/SQLite/SFSQLiteStatement.h index 15ddb278..cdace807 100644 --- a/Analytics/SQLite/SFSQLiteStatement.h +++ b/Analytics/SQLite/SFSQLiteStatement.h @@ -21,6 +21,8 @@ * @APPLE_LICENSE_HEADER_END@ */ +#if __OBJC2__ + #import #import @@ -70,3 +72,5 @@ - (NSDictionary *)allObjectsByColumnName; @end + +#endif diff --git a/Analytics/SQLite/SFSQLiteStatement.m b/Analytics/SQLite/SFSQLiteStatement.m index a142bc9f..bbc58697 100644 --- a/Analytics/SQLite/SFSQLiteStatement.m +++ b/Analytics/SQLite/SFSQLiteStatement.m @@ -21,6 +21,9 @@ * @APPLE_LICENSE_HEADER_END@ */ +#if __OBJC2__ + +#import #import "SFSQLite.h" #import "SFSQLiteStatement.h" #import "SFObjCType.h" 
@@ -199,12 +202,8 @@ } } else { NSAssert(type.isFloatingPointNumber, @"Expected number type to be either integer or floating point"); - if (type.code == SFObjCTypeFloat) { - [self bindInt:[value intValue] atIndex:index]; - } else { - NSAssert(type.code == SFObjCTypeDouble, @"Unexpected floating point number type: %@", type); - [self bindInt64:[value longLongValue] atIndex:index]; - } + NSAssert(type.code == SFObjCTypeDouble || type.code == SFObjCTypeFloat, @"Unexpected floating point number type: %@", type); + [self bindDouble:[value doubleValue] atIndex:index]; } } else if ([value isKindOfClass:[NSData class]]) { [self bindBlob:value atIndex:index]; @@ -219,7 +218,7 @@ } else if ([value isKindOfClass:[NSDate class]]) { [self bindDouble:[(NSDate *)value timeIntervalSinceReferenceDate] atIndex:index]; } else if ([value isKindOfClass:[NSError class]]) { - [self bindBlob:[self retainedTemporaryBoundObject:[NSKeyedArchiver archivedDataWithRootObject:value]] atIndex:index]; + [self bindBlob:[self retainedTemporaryBoundObject:[NSKeyedArchiver archivedDataWithRootObject:value requiringSecureCoding:YES error:nil]] atIndex:index]; } else if ([value isKindOfClass:[NSURL class]]) { [self bindText:[self retainedTemporaryBoundObject:[value absoluteString]] atIndex:index]; } else { @@ -340,3 +339,5 @@ } @end + +#endif diff --git a/CSSMOID.exp-in b/CSSMOID.exp-in index 9704e53c..531b3558 100644 --- a/CSSMOID.exp-in +++ b/CSSMOID.exp-in 
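Review bot: In the `NSError` branch, `archivedDataWithRootObject:requiringSecureCoding:error:` returns nil when encoding fails, and with `error:nil` that failure is invisible while the nil is passed straight to `retainedTemporaryBoundObject:` and `bindBlob:atIndex:`. What those two methods do with nil is outside the hunk, so please confirm it, or guard the call: `NSData* archived = [NSKeyedArchiver archivedDataWithRootObject:value requiringSecureCoding:YES error:&archiveError];` and then log `archiveError` and bind NULL when `archived` is nil. In the floating-point hunk above, the type check is an `NSAssert`, which is normally compiled out of release builds, so a comment noting that any non-integer number is bound as a double would match what the code actually does.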
@@ -8,6 +8,125 @@ _CSSMOID_ECDSA_WithSHA1 _CSSMOID_ECDSA_WithSHA256 _CSSMOID_ECDSA_WithSHA384 _CSSMOID_PKCS5_HMAC_SHA1 + +_CSSMOID_ANSI_DH_EPHEM +_CSSMOID_ANSI_DH_EPHEM_SHA1 +_CSSMOID_ANSI_DH_HYBRID1 +_CSSMOID_ANSI_DH_HYBRID1_SHA1 +_CSSMOID_ANSI_DH_HYBRID2 +_CSSMOID_ANSI_DH_HYBRID2_SHA1 +_CSSMOID_ANSI_DH_HYBRID_ONEFLOW +_CSSMOID_ANSI_DH_ONE_FLOW +_CSSMOID_ANSI_DH_ONE_FLOW_SHA1 +_CSSMOID_ANSI_DH_PUB_NUMBER +_CSSMOID_ANSI_DH_STATIC +_CSSMOID_ANSI_DH_STATIC_SHA1 +_CSSMOID_ANSI_MQV1 +_CSSMOID_ANSI_MQV1_SHA1 +_CSSMOID_ANSI_MQV2 +_CSSMOID_ANSI_MQV2_SHA1 +_CSSMOID_APPLE_ASC +_CSSMOID_APPLE_ECDSA +_CSSMOID_APPLE_FEE +_CSSMOID_APPLE_FEED +_CSSMOID_APPLE_FEEDEXP +_CSSMOID_APPLE_FEE_MD5 +_CSSMOID_APPLE_FEE_SHA1 +_CSSMOID_APPLE_ISIGN +_CSSMOID_APPLE_TP_APPLEID_SHARING +_CSSMOID_APPLE_TP_CODE_SIGN +_CSSMOID_APPLE_TP_CODE_SIGNING +_CSSMOID_APPLE_TP_CSR_GEN +_CSSMOID_APPLE_TP_EAP +_CSSMOID_APPLE_TP_ESCROW_SERVICE +_CSSMOID_APPLE_TP_ICHAT +_CSSMOID_APPLE_TP_IP_SEC +_CSSMOID_APPLE_TP_LOCAL_CERT_GEN +_CSSMOID_APPLE_TP_MACAPPSTORE_RECEIPT +_CSSMOID_APPLE_TP_MOBILE_STORE +_CSSMOID_APPLE_TP_PACKAGE_SIGNING +_CSSMOID_APPLE_TP_PASSBOOK_SIGNING +_CSSMOID_APPLE_TP_PCS_ESCROW_SERVICE +_CSSMOID_APPLE_TP_PKINIT_CLIENT +_CSSMOID_APPLE_TP_PKINIT_SERVER +_CSSMOID_APPLE_TP_PROFILE_SIGNING +_CSSMOID_APPLE_TP_PROVISIONING_PROFILE_SIGNING +_CSSMOID_APPLE_TP_QA_PROFILE_SIGNING +_CSSMOID_APPLE_TP_RESOURCE_SIGN +_CSSMOID_APPLE_TP_REVOCATION +_CSSMOID_APPLE_TP_REVOCATION_CRL +_CSSMOID_APPLE_TP_REVOCATION_OCSP +_CSSMOID_APPLE_TP_SMIME +_CSSMOID_APPLE_TP_SSL +_CSSMOID_APPLE_TP_SW_UPDATE_SIGNING +_CSSMOID_APPLE_TP_TEST_MOBILE_STORE +_CSSMOID_APPLE_TP_TIMESTAMPING +_CSSMOID_APPLE_X509_BASIC +_CSSMOID_DES_CBC +_CSSMOID_DH +_CSSMOID_DOTMAC_CERT +_CSSMOID_DOTMAC_CERT_REQ +_CSSMOID_DOTMAC_CERT_REQ_ARCHIVE_FETCH +_CSSMOID_DOTMAC_CERT_REQ_ARCHIVE_LIST +_CSSMOID_DOTMAC_CERT_REQ_ARCHIVE_REMOVE +_CSSMOID_DOTMAC_CERT_REQ_ARCHIVE_STORE +_CSSMOID_DOTMAC_CERT_REQ_EMAIL_ENCRYPT +_CSSMOID_DOTMAC_CERT_REQ_EMAIL_SIGN 
+_CSSMOID_DOTMAC_CERT_REQ_IDENTITY +_CSSMOID_DOTMAC_CERT_REQ_SHARED_SERVICES +_CSSMOID_DOTMAC_CERT_REQ_VALUE_ASYNC +_CSSMOID_DOTMAC_CERT_REQ_VALUE_HOSTNAME +_CSSMOID_DOTMAC_CERT_REQ_VALUE_IS_PENDING +_CSSMOID_DOTMAC_CERT_REQ_VALUE_PASSWORD +_CSSMOID_DOTMAC_CERT_REQ_VALUE_RENEW +_CSSMOID_DOTMAC_CERT_REQ_VALUE_USERNAME +_CSSMOID_DSA +_CSSMOID_DSA_CMS +_CSSMOID_DSA_JDK +_CSSMOID_ECDSA_WithSHA224 +_CSSMOID_ECDSA_WithSHA512 +_CSSMOID_ECDSA_WithSpecified +_CSSMOID_MD2 +_CSSMOID_MD2WithRSA +_CSSMOID_MD4 +_CSSMOID_MD4WithRSA +_CSSMOID_MD5 +_CSSMOID_OAEP_ID_PSPECIFIED +_CSSMOID_OAEP_MGF1 +_CSSMOID_PKCS12_pbeWithSHAAnd128BitRC2CBC +_CSSMOID_PKCS12_pbeWithSHAAnd128BitRC4 +_CSSMOID_PKCS12_pbeWithSHAAnd2Key3DESCBC +_CSSMOID_PKCS12_pbeWithSHAAnd3Key3DESCBC +_CSSMOID_PKCS12_pbeWithSHAAnd40BitRC4 +_CSSMOID_PKCS12_pbewithSHAAnd40BitRC2CBC +_CSSMOID_PKCS3 +_CSSMOID_PKCS5_DES_EDE3_CBC +_CSSMOID_PKCS5_DIGEST_ALG +_CSSMOID_PKCS5_ENCRYPT_ALG +_CSSMOID_PKCS5_PBES2 +_CSSMOID_PKCS5_PBKDF2 +_CSSMOID_PKCS5_PBMAC1 +_CSSMOID_PKCS5_RC2_CBC +_CSSMOID_PKCS5_RC5_CBC +_CSSMOID_PKCS5_pbeWithMD2AndDES +_CSSMOID_PKCS5_pbeWithMD2AndRC2 +_CSSMOID_PKCS5_pbeWithMD5AndDES +_CSSMOID_PKCS5_pbeWithMD5AndRC2 +_CSSMOID_PKCS5_pbeWithSHA1AndDES +_CSSMOID_PKCS5_pbeWithSHA1AndRC2 +_CSSMOID_RSA +_CSSMOID_RSAWithOAEP +_CSSMOID_SHA1WithDSA +_CSSMOID_SHA1WithDSA_CMS +_CSSMOID_SHA1WithDSA_JDK +_CSSMOID_SHA1WithRSA_OIW +_CSSMOID_SHA224 +_CSSMOID_SHA224WithRSA +_CSSMOID_SHA256 +_CSSMOID_SHA384 +_CSSMOID_SHA512 +_CSSMOID_SHA512WithRSA +_CSSMOID_ecPublicKey #endif #if TARGET_OS_OSX @@ -109,6 +228,7 @@ _CSSMOID_EmailProtection _CSSMOID_EnhancedSearchGuide _CSSMOID_ExtendedCertificateAttributes _CSSMOID_ExtendedKeyUsage +_CSSMOID_InhibitAnyPolicy _CSSMOID_AuthorityInfoAccess _CSSMOID_BiometricInfo _CSSMOID_QC_Statements @@ -243,6 +363,7 @@ _CSSMOID_SHA256WithRSA _CSSMOID_SHA384WithRSA _CSSMOID_SHA512WithRSA _CSSMOID_SHA1WithRSA_OIW +_CSSMOID_DES_CBC _CSSMOID_RSAWithOAEP _CSSMOID_OAEP_MGF1 _CSSMOID_OAEP_ID_PSPECIFIED 
@@ -273,6 +394,7 @@ _CSSMOID_UnstructuredName _CSSMOID_UseExemptions _CSSMOID_UserCertificate _CSSMOID_UserID +_CSSMOID_DomainComponent _CSSMOID_UserPassword _CSSMOID_X509V1CRLIssuerNameCStruct _CSSMOID_X509V1CRLIssuerNameLDAP @@ -398,7 +520,12 @@ _CSSMOID_APPLE_EXTENSION_AAI_INTERMEDIATE _CSSMOID_APPLE_EXTENSION_APPLEID_INTERMEDIATE _CSSMOID_APPLE_EXTENSION_APPLEID_SHARING _CSSMOID_APPLE_EXTENSION_SYSINT2_INTERMEDIATE +_CSSMOID_APPLE_EXTENSION_DEVELOPER_AUTHENTICATION +_CSSMOID_APPLE_EXTENSION_PROVISIONING_PROFILE_SIGNING +_CSSMOID_APPLE_EXTENSION_SERVER_AUTHENTICATION _CSSMOID_APPLE_EXTENSION_ESCROW_SERVICE +_CSSMOID_APPLE_TP_PCS_ESCROW_SERVICE +_CSSMOID_APPLE_TP_PROVISIONING_PROFILE_SIGNING _CSSMOID_PKIX_OCSP _CSSMOID_PKIX_OCSP_ARCHIVE_CUTOFF _CSSMOID_PKIX_OCSP_BASIC diff --git a/CircleJoinRequested/Applicant.m b/CircleJoinRequested/Applicant.m index 84ada23b..5cce5177 100644 --- a/CircleJoinRequested/Applicant.m +++ b/CircleJoinRequested/Applicant.m @@ -36,8 +36,8 @@ -(void)dealloc { - if (self.rawPeerInfo) { - CFRelease(self.rawPeerInfo); + if (self->_rawPeerInfo) { + CFRelease(self->_rawPeerInfo); } } diff --git a/CircleJoinRequested/CircleJoinRequested.m b/CircleJoinRequested/CircleJoinRequested.m index 19f2a4b6..4f6ed2e2 100644 --- a/CircleJoinRequested/CircleJoinRequested.m +++ b/CircleJoinRequested/CircleJoinRequested.m @@ -82,7 +82,7 @@ bool processApplicantsAfterUnlock = false; bool _unlockedSinceBoot = false; bool _hasPostedFollowupAndStillInError = false; bool _isAccountICDP = false; - +bool _executeProcessEventsOnce = false; NSString *castleKeychainUrl = @"prefs:root=APPLE_ACCOUNT&path=ICLOUD_SERVICE/com.apple.Dataclass.KeychainSync/ADVANCED"; NSString *rejoinICDPUrl = @"prefs:root=APPLE_ACCOUNT&aaaction=CDP&command=rejoin"; 
@@ -808,14 +808,17 @@ static bool processEvents() } }); state.lastCircleStatus = circleStatus; + _executeProcessEventsOnce = true; return false; } else if(circleStatus == kSOSCCInCircle){ secnotice("cjr", "follow up should be resolved"); + _executeProcessEventsOnce = true; _hasPostedFollowupAndStillInError = false; } else{ secnotice("cjr", "followup not resolved"); + _executeProcessEventsOnce = true; return false; } } @@ -1059,7 +1062,7 @@ int main (int argc, const char * argv[]) { }); int falseInARow = 0; - while (falseInARow < 2) { + while (falseInARow < 2 && !_executeProcessEventsOnce) { if (processEvents()) { secnotice("cjr", "Processed events!!!"); falseInARow = 0; diff --git a/KVSKeychainSyncingProxy/CKDKVSProxy.h b/KVSKeychainSyncingProxy/CKDKVSProxy.h index 23dc1994..a955f796 100644 --- a/KVSKeychainSyncingProxy/CKDKVSProxy.h +++ b/KVSKeychainSyncingProxy/CKDKVSProxy.h @@ -76,6 +76,9 @@ typedef void (^FreshnessResponseBlock)(bool success, NSError *err); @property (retain, nonatomic) NSMutableSet* shadowPendingSyncBackupPeerIDs; @property (atomic) bool ensurePeerRegistration; +@property (atomic) bool ensurePeerRegistrationEnqueuedButNotStarted; + +// Another version of ensurePeerRegistration due to legacy code structure @property (atomic) bool shadowEnsurePeerRegistration; @property (atomic) bool inCallout; diff --git a/KVSKeychainSyncingProxy/CKDKVSProxy.m b/KVSKeychainSyncingProxy/CKDKVSProxy.m index 9b74ef60..a9e8a776 100644 --- a/KVSKeychainSyncingProxy/CKDKVSProxy.m +++ b/KVSKeychainSyncingProxy/CKDKVSProxy.m 
@@ -617,9 +617,8 @@ const CFStringRef kSOSKVSOfficialDSIDKey = CFSTR("^OfficialDSID"); self->_ensurePeerRegistration = ((self->_ensurePeerRegistration && !handledEnsurePeerRegistration) || self->_shadowEnsurePeerRegistration); self->_shadowEnsurePeerRegistration = NO; - - if(self->_ensurePeerRegistration && ![self.lockMonitor locked]) - [self doEnsurePeerRegistration]; + + [self handlePendingEnsurePeerRegistrationRequests:true]; bool hadShadowPeerIDs = ![self->_shadowPendingSyncPeerIDs isEmpty] || ![self->_shadowPendingSyncBackupPeerIDs isEmpty]; @@ -666,8 +665,12 @@ const CFStringRef kSOSKVSOfficialDSIDKey = CFSTR("^OfficialDSID"); // Handle shadow pended stuff // We only kick off another sync if we got new stuff during handling - if (hadShadowPeerIDs && ![self.lockMonitor locked]) - [self newPeersToSyncWith]; + if (hadShadowPeerIDs && ![self.lockMonitor locked]) { + secnotice("event", "%@ syncWithPeersPending: %d inCallout: %d isLocked: %d", self, [self hasPendingSyncIDs], self->_inCallout, [self.lockMonitor locked]); + if ([self hasPendingSyncIDs] && !self->_inCallout && ![self.lockMonitor locked]){ + [self doSyncWithPendingPeers]; + } + } /* We don't want to call processKeyChangedEvent if we failed to handle pending keys and the device didn't unlock nor receive 
@@ -713,11 +716,28 @@ const CFStringRef kSOSKVSOfficialDSIDKey = CFSTR("^OfficialDSID"); }]; } +- (void)handlePendingEnsurePeerRegistrationRequests:(bool)onlyIfUnlocked +{ + // doEnsurePeerRegistration's callback will be run on _calloutQueue, so we should check the 'are we running yet' flags on that queue + dispatch_async(_calloutQueue, ^{ + if(self.ensurePeerRegistration && (!onlyIfUnlocked || ![self.lockMonitor locked])) { + if(self.ensurePeerRegistrationEnqueuedButNotStarted) { + secnotice("EnsurePeerRegistration", "%@ ensurePeerRegistration block already enqueued, not starting a new one", self); + return; + } + + [self doEnsurePeerRegistration]; + } + }); +} + - (void) doEnsurePeerRegistration { NSObject* accountDelegate = [self account]; + self.ensurePeerRegistrationEnqueuedButNotStarted = true; [self calloutWith:^(NSSet *pending, NSSet* pendingSyncIDs, NSSet* pendingBackupSyncIDs, bool ensurePeerRegistration, dispatch_queue_t queue, void(^done)(NSSet *handledKeys, NSSet *handledSyncs, bool handledEnsurePeerRegistration, NSError* error)) { NSError* error = nil; + self.ensurePeerRegistrationEnqueuedButNotStarted = false; bool handledEnsurePeerRegistration = [accountDelegate ensurePeerRegistration:&error]; secnotice("EnsurePeerRegistration", "%@ ensurePeerRegistration called, %@ (%@)", self, handledEnsurePeerRegistration ? @"success" : @"failure", error); if (!handledEnsurePeerRegistration) { 
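Review bot: `ensurePeerRegistrationEnqueuedButNotStarted` is set in `doEnsurePeerRegistration` and cleared only inside the block handed to `calloutWith:`, so if that block is ever not run the flag stays true and every later `handlePendingEnsurePeerRegistrationRequests:` call stops at the "already enqueued" check. `calloutWith:` is outside the hunk, so this needs confirming; if the block can be skipped, clear the flag on that path too. `handlePendingEnsurePeerRegistrationRequests:` also reads `self.ensurePeerRegistration` on `_calloutQueue`, while other hunks in this file still assign `_ensurePeerRegistration` through the ivar (which bypasses the atomic accessor) and `-unlocked` asserts it runs on `_ckdkvsproxy_queue`. A comment on the two properties in CKDKVSProxy.h stating which queue owns each flag, e.g. `// written on ckdkvsproxy_queue, read on calloutQueue`, would make the intended ordering reviewable.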
@@ -766,17 +786,6 @@ const CFStringRef kSOSKVSOfficialDSIDKey = CFSTR("^OfficialDSID"); }]; } -- (void)newPeersToSyncWith -{ - secnotice("event", "%@ syncWithPeersPending: %d inCallout: %d isLocked: %d", self, [self hasPendingSyncIDs], _inCallout, [self.lockMonitor locked]); - if(_ensurePeerRegistration){ - [self doEnsurePeerRegistration]; - } - if ([self hasPendingSyncIDs] && !_inCallout && ![self.lockMonitor locked]){ - [self doSyncWithPendingPeers]; - } -} - - (bool)hasPendingNonShadowSyncIDs { return ![_pendingSyncPeerIDs isEmpty] || ![_pendingSyncBackupPeerIDs isEmpty]; } @@ -815,9 +824,8 @@ const CFStringRef kSOSKVSOfficialDSIDKey = CFSTR("^OfficialDSID"); [self persistState]; - if(_ensurePeerRegistration){ - [self doEnsurePeerRegistration]; - } + [self handlePendingEnsurePeerRegistrationRequests:true]; + if ([self hasPendingSyncIDs] && !_inCallout && ![self.lockMonitor locked]){ [self doSyncWithPendingPeers]; } @@ -843,9 +851,7 @@ const CFStringRef kSOSKVSOfficialDSIDKey = CFSTR("^OfficialDSID"); _shadowEnsurePeerRegistration = YES; } else { _ensurePeerRegistration = YES; - if (![self.lockMonitor locked]){ - [self doEnsurePeerRegistration]; - } + [self handlePendingEnsurePeerRegistrationRequests:true]; [self persistState]; } @@ -864,9 +870,7 @@ const CFStringRef kSOSKVSOfficialDSIDKey = CFSTR("^OfficialDSID"); dispatch_assert_queue(_ckdkvsproxy_queue); secnotice("event", "%@ Unlocked", self); - if (_ensurePeerRegistration) { - [self doEnsurePeerRegistration]; - } + [self handlePendingEnsurePeerRegistrationRequests:false]; // First send changed keys to securityd so it can proccess updates [self processPendingKeysForCurrentLockState]; diff --git a/KVSKeychainSyncingProxy/CKDKVSStore.m b/KVSKeychainSyncingProxy/CKDKVSStore.m index 89bdd329..03386203 100644 --- a/KVSKeychainSyncingProxy/CKDKVSStore.m +++ b/KVSKeychainSyncingProxy/CKDKVSStore.m 
@@ -17,6 +17,8 @@ #import "SyncedDefaults/SYDConstants.h" #include +#import "Analytics/Clients/SOSAnalytics.h" + struct CKDKVSCounters { uint64_t synchronize; uint64_t synchronizeWithCompletionHandler; @@ -32,7 +34,7 @@ struct CKDKVSCounters { @interface CKDKVSStore () @property (readwrite, weak) UbiqitousKVSProxy* proxy; @property (readwrite) NSUbiquitousKeyValueStore* cloudStore; -@property (assign,readwrite) struct CKDKVSCounters *perfCounters; +@property (assign,readwrite) struct CKDKVSCounters* perfCounters; @property dispatch_queue_t perfQueue; @end @@ -55,6 +57,7 @@ struct CKDKVSCounters { self.perfQueue = dispatch_queue_create("CKDKVSStorePerfQueue", NULL); self.perfCounters = calloc(1, sizeof(struct CKDKVSCounters)); + [self setupSamplers]; return self; } 
@@ -232,17 +235,41 @@ struct CKDKVSCounters { { dispatch_async(self.perfQueue, ^{ callback(@{ - @"CKDKVS-synchronize" : @(self.perfCounters->synchronize), - @"CKDKVS-synchronizeWithCompletionHandler" : @(self.perfCounters->synchronizeWithCompletionHandler), - @"CKDKVS-incomingMessages" : @(self.perfCounters->incomingMessages), - @"CKDKVS-outgoingMessages" : @(self.perfCounters->outgoingMessages), - @"CKDKVS-totalWaittimeSynchronize" : @(self.perfCounters->totalWaittimeSynchronize), - @"CKDKVS-longestWaittimeSynchronize" : @(self.perfCounters->longestWaittimeSynchronize), - @"CKDKVS-synchronizeFailures" : @(self.perfCounters->synchronizeFailures), + CKDKVSPerfCounterSynchronize : @(self.perfCounters->synchronize), + CKDKVSPerfCounterSynchronizeWithCompletionHandler : @(self.perfCounters->synchronizeWithCompletionHandler), + CKDKVSPerfCounterIncomingMessages : @(self.perfCounters->incomingMessages), + CKDKVSPerfCounterOutgoingMessages : @(self.perfCounters->outgoingMessages), + CKDKVSPerfCounterTotalWaitTimeSynchronize : @(self.perfCounters->totalWaittimeSynchronize), + CKDKVSPerfCounterLongestWaitTimeSynchronize : @(self.perfCounters->longestWaittimeSynchronize), + CKDKVSPerfCounterSynchronizeFailures : @(self.perfCounters->synchronizeFailures), }); }); } +#if __OBJC2__ +- (void)setupSamplers +{ + [[SOSAnalytics logger] AddMultiSamplerForName:CKDKVSPerformanceCountersSampler + withTimeInterval:SFAnalyticsSamplerIntervalOncePerReport + block:^NSDictionary *{ + __block NSDictionary* data; + [self perfCounters:^(NSDictionary *counters) { + data = counters; + }]; + + dispatch_sync(self.perfQueue, ^{ + memset(self.perfCounters, 0, sizeof(struct CKDKVSCounters)); + }); + return data; + }]; +} +#else +- (void)setupSamplers +{ + // SFA is only for 64 bit cool kids +} +#endif + - (void)addOneToOutGoing { dispatch_async(self.perfQueue, ^{ diff --git a/KVSKeychainSyncingProxy/CKDLockMonitor.h b/KVSKeychainSyncingProxy/CKDLockMonitor.h index 83ab5c29..36cf8e90 100644 
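Review bot: The sampler block in `setupSamplers` depends on an ordering that is not written down: `perfCounters:` assigns `data` from a `dispatch_async` on `perfQueue`, and the `dispatch_sync` on the same queue that follows is what guarantees `data` is set before `return data`. That holds only while `perfQueue` stays serial (the init hunk creates it with a NULL attribute), so I would add `// perfQueue is serial: this dispatch_sync also waits for the perfCounters: callback above`. The block also captures `self` strongly and is handed to `[SOSAnalytics logger]`, which presumably keeps it for the life of the process; if a CKDKVSStore can ever be released, capture it weakly. The `calloc` that backs `perfCounters` is unchecked in the init hunk, and this block would `memset` through NULL if it had failed.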
--- a/KVSKeychainSyncingProxy/CKDLockMonitor.h +++ b/KVSKeychainSyncingProxy/CKDLockMonitor.h @@ -5,14 +5,14 @@ #import "CKDLockMonitor.h" -@protocol CKDLockListener +@protocol CKDLockListener - (void) unlocked; - (void) locked; @end -@protocol CKDLockMonitor +@protocol CKDLockMonitor @property (readonly) BOOL unlockedSinceBoot; @property (readonly) BOOL locked; diff --git a/KVSKeychainSyncingProxy/CKDStore.h b/KVSKeychainSyncingProxy/CKDStore.h index 46b8a031..ec68f709 100644 --- a/KVSKeychainSyncingProxy/CKDStore.h +++ b/KVSKeychainSyncingProxy/CKDStore.h @@ -8,7 +8,7 @@ @class UbiqitousKVSProxy; -@protocol CKDStore +@protocol CKDStore - (void)connectToProxy: (UbiqitousKVSProxy*) proxy; diff --git a/KVSKeychainSyncingProxy/XPCNotificationDispatcher.h b/KVSKeychainSyncingProxy/XPCNotificationDispatcher.h index 3fc9c4c4..6b1b6243 100644 --- a/KVSKeychainSyncingProxy/XPCNotificationDispatcher.h +++ b/KVSKeychainSyncingProxy/XPCNotificationDispatcher.h @@ -6,7 +6,7 @@ #import -@protocol XPCNotificationListener +@protocol XPCNotificationListener - (void) handleNotification: (const char *) name; @end diff --git a/KVSKeychainSyncingProxy/cloudkeychainproxy.m b/KVSKeychainSyncingProxy/cloudkeychainproxy.m index 29ea3024..ece3bb25 100644 --- a/KVSKeychainSyncingProxy/cloudkeychainproxy.m +++ b/KVSKeychainSyncingProxy/cloudkeychainproxy.m @@ -330,7 +330,6 @@ void finalize_connection(void *not_used) static bool operation_put_dictionary(xpc_object_t event) { // PUT a set of objects into the KVS store. Return false if error - describeXPCObject("operation_put_dictionary event: ", event); xpc_object_t xvalue = xpc_dictionary_get_value(event, kMessageKeyValue); if (!xvalue) { return false; 
@@ -349,9 +348,7 @@ static bool operation_put_dictionary(xpc_object_t event) static bool operation_get_v2(xpc_connection_t peer, xpc_object_t event) { - // GET a set of objects from the KVS store. Return false if error - describeXPCObject("operation_get_v2 event: ", event); - + // GET a set of objects from the KVS store. Return false if error xpc_object_t replyMessage = xpc_dictionary_create_reply(event); if (!replyMessage) { @@ -393,7 +390,6 @@ static bool operation_get_v2(xpc_connection_t peer, xpc_object_t event) secdebug(PROXYXPCSCOPE, "get: key: %@, object: %@", key, object); xpc_object_t xobject = object ? _CFXPCCreateXPCObjectFromCFObject((__bridge CFTypeRef)object) : xpc_null_create(); xpc_dictionary_set_value(returnedValues, [key UTF8String], xobject); - describeXPCObject("operation_get_v2: value from kvs: ", xobject); }]; } else // get all values from kvs @@ -425,8 +421,6 @@ static void cloudkeychainproxy_event_handler(xpc_connection_t peer) xpc_connection_set_target_queue(peer, [SharedProxy() ckdkvsproxy_queue]); xpc_connection_set_event_handler(peer, ^(xpc_object_t event) { - describeXPCObject("peer: ", peer); // Only describes under debug - // We could handle other peer events (e.g.) disconnects, // but we don't keep per-client state so there is no need. if (xpc_get_type(event) == XPC_TYPE_DICTIONARY) { diff --git a/KeychainCircle/KCJoiningAcceptSession.m b/KeychainCircle/KCJoiningAcceptSession.m index ec8b8b90..3c216c0b 100644 --- a/KeychainCircle/KCJoiningAcceptSession.m +++ b/KeychainCircle/KCJoiningAcceptSession.m 
@@ -210,15 +210,26 @@ typedef enum { } NSData* joinData = [self.circleDelegate circleJoinDataFor:ref error:error]; + if(ref) { + CFRelease(ref); + ref = NULL; + } + if (joinData == nil) return nil; if(self->_piggy_version == kPiggyV1){ - //grab iCloud Identity, TLK, BackupV0 thing + //grab iCloud Identities, TLKs secnotice("acceptor", "piggy version is 1"); - NSData* initialSyncData = [self.circleDelegate circleGetInitialSyncViews:error]; + NSError *localV1Error = nil; + NSData* initialSyncData = [self.circleDelegate circleGetInitialSyncViews:&localV1Error]; + if(localV1Error){ + secnotice("piggy", "PB v1 threw an error: %@", localV1Error); + } + NSMutableData* growPacket = [[NSMutableData alloc] initWithData:joinData]; [growPacket appendData:initialSyncData]; joinData = growPacket; + } NSData* encryptedOutgoing = [self.session encrypt:joinData error:error]; diff --git a/KeychainCircle/KCJoiningRequestSession.m b/KeychainCircle/KCJoiningRequestSession.m index 731a11c8..e3be618e 100644 --- a/KeychainCircle/KCJoiningRequestSession.m +++ b/KeychainCircle/KCJoiningRequestSession.m @@ -308,6 +308,10 @@ static const uint64_t KCProtocolVersion = kPiggyV1; if (us == NULL) return nil; CFErrorRef cfError = NULL; NSData* piEncoded = (__bridge_transfer NSData*) SOSPeerInfoCopyEncodedData(us, NULL, &cfError); + if(us) { + CFRelease(us); + us = NULL; + } if (piEncoded == nil) { if (error != nil) { diff --git a/KeychainCircle/KCJoiningSession.h b/KeychainCircle/KCJoiningSession.h index 5c251ed5..2eb96b16 100644 --- a/KeychainCircle/KCJoiningSession.h +++ b/KeychainCircle/KCJoiningSession.h @@ -11,7 +11,7 @@ NS_ASSUME_NONNULL_BEGIN -@protocol KCJoiningRequestCircleDelegate +@protocol KCJoiningRequestCircleDelegate /*! Get this devices peer info (As Application) 
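Review bot: In the `kPiggyV1` branch of KCJoiningAcceptSession.m, a failure of `circleGetInitialSyncViews:` is now only logged. `localV1Error` never reaches the caller's `error`, and `initialSyncData` is appended without a nil check, so the peer may receive a join packet that silently lacks the initial sync views. If proceeding without them is intended, say so in a comment and guard the append with `if (initialSyncData) { [growPacket appendData:initialSyncData]; }`. Otherwise copy `localV1Error` into `*error` and return nil. The enclosing method starts and ends outside the hunk.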
@@ -34,7 +34,7 @@ NS_ASSUME_NONNULL_BEGIN @end -@protocol KCJoiningRequestSecretDelegate +@protocol KCJoiningRequestSecretDelegate /*! Get the shared secret for this session. Not called during creation or initialMessage: to allow the initial message to be sent before @@ -108,7 +108,7 @@ NS_ASSUME_NONNULL_BEGIN @end -@protocol KCJoiningAcceptCircleDelegate +@protocol KCJoiningAcceptCircleDelegate /*! Handle the request's peer info and get the blob they can use to get in circle @param peer @@ -137,7 +137,7 @@ typedef enum { kKCRetryWithNewChallenge } KCRetryOrNot; -@protocol KCJoiningAcceptSecretDelegate +@protocol KCJoiningAcceptSecretDelegate /*! Get the shared secret for this session @result diff --git a/KeychainCircle/PairingChannel.m b/KeychainCircle/PairingChannel.m index 7d353e57..b1160b75 100644 --- a/KeychainCircle/PairingChannel.m +++ b/KeychainCircle/PairingChannel.m @@ -11,6 +11,7 @@ #import #import #import +#import #import #if TARGET_OS_EMBEDDED @@ -402,16 +403,9 @@ const compression_algorithm pairingCompression = COMPRESSION_LZFSE; if (self.connection) return true; - xpc_endpoint_t endpoint = _SecSecuritydCopySOSStatusEndpoint(NULL); - if (endpoint == NULL) - return false; - NSXPCInterface *interface = [NSXPCInterface interfaceWithProtocol:@protocol(SOSControlProtocol)]; - NSXPCListenerEndpoint *listenerEndpoint = [[NSXPCListenerEndpoint alloc] init]; - - [listenerEndpoint _setEndpoint:endpoint]; - self.connection = [[NSXPCConnection alloc] initWithListenerEndpoint:listenerEndpoint]; + self.connection = [[NSXPCConnection alloc] initWithMachServiceName:@(kSecuritydSOSServiceName) options:0]; if (self.connection == NULL) return false; diff --git a/KeychainCircle/Tests/KCAESGCMTest.m b/KeychainCircle/Tests/KCAESGCMTest.m index 708a53a7..602e5afb 100644 --- a/KeychainCircle/Tests/KCAESGCMTest.m +++ b/KeychainCircle/Tests/KCAESGCMTest.m @@ -8,6 +8,7 @@ #import #import +#import @interface KCAESGCMTest : XCTestCase 
@@ -66,13 +67,10 @@ } - (KCAESGCMDuplexSession*) archiveDearchive: (KCAESGCMDuplexSession*) original { - NSMutableData *data = [NSMutableData data]; - NSKeyedArchiver *archiver = [[NSKeyedArchiver alloc] initForWritingWithMutableData:data]; + NSKeyedArchiver *archiver = [[NSKeyedArchiver alloc] initRequiringSecureCoding:YES]; [archiver encodeObject:original forKey:@"Top"]; - [archiver finishEncoding]; - NSKeyedUnarchiver *unarchiver = [[NSKeyedUnarchiver alloc] initForReadingWithData:data]; - unarchiver.requiresSecureCoding = YES; + NSKeyedUnarchiver *unarchiver = [[NSKeyedUnarchiver alloc] initForReadingFromData:archiver.encodedData error:nil]; // Customize the unarchiver. KCAESGCMDuplexSession *result = [unarchiver decodeObjectForKey:@"Top"]; diff --git a/KeychainCircle/Tests/KCJoiningSessionTest.m b/KeychainCircle/Tests/KCJoiningSessionTest.m index 7a437f07..6d1d06db 100644 --- a/KeychainCircle/Tests/KCJoiningSessionTest.m +++ b/KeychainCircle/Tests/KCJoiningSessionTest.m @@ -82,6 +82,12 @@ static SecKeyRef GenerateFullECKey(int keySize, NSError** error) { @implementation KCJoiningRequestTestDelegate +- (void)dealloc { + if(_peerInfo) { + CFRelease(_peerInfo); + } +} + + (id) requestDelegateWithSecret:(NSString*) secret { return [[KCJoiningRequestTestDelegate alloc] initWithSecret:secret incorrectSecret:@"" 
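Review bot: In `archiveDearchive:`, `initForReadingFromData:archiver.encodedData error:nil` discards the reason when the unarchiver cannot be created, so a failure would show up only as a nil `result` further down. Pass an `NSError *` and assert on it, e.g. `XCTAssertNotNil(unarchiver, @"%@", error);`. This initializer leaves secure coding required, so it is also worth confirming that the untyped `decodeObjectForKey:@"Top"` is accepted, or switching to `decodeObjectOfClass:[KCAESGCMDuplexSession class] forKey:@"Top"`. The method body continues outside the hunk.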
@@ -106,10 +112,14 @@ static SecKeyRef GenerateFullECKey(int keySize, NSError** error) { SecKeyRef octagonSigningKey = GenerateFullECKey(384, NULL); SecKeyRef octagonEncryptionKey = GenerateFullECKey(384, NULL); - self.peerInfo = SOSPeerInfoCreate(NULL, (__bridge CFDictionaryRef) @{(__bridge NSString*)kPIUserDefinedDeviceNameKey:@"Fakey"}, NULL, signingKey, octagonSigningKey, octagonEncryptionKey, NULL); + SOSPeerInfoRef newPeerInfo = SOSPeerInfoCreate(NULL, (__bridge CFDictionaryRef) @{(__bridge NSString*)kPIUserDefinedDeviceNameKey:@"Fakey"}, NULL, signingKey, octagonSigningKey, octagonEncryptionKey, NULL); - if (self.peerInfo == NULL) + if (newPeerInfo == NULL) { return nil; + } + self.peerInfo = newPeerInfo; + CFRelease(newPeerInfo); + newPeerInfo = NULL; self.sharedSecret = secret; self.incorrectSecret = incorrectSecret; @@ -135,7 +145,11 @@ static SecKeyRef GenerateFullECKey(int keySize, NSError** error) { } - (SOSPeerInfoRef) copyPeerInfoError: (NSError**) error { - return self.peerInfo; + if(!self.peerInfo) { + return NULL; + } + + return (SOSPeerInfoRef) CFRetain(self.peerInfo); } - (bool) processCircleJoinData: (NSData*) circleJoinData version:(PiggyBackProtocolVersion)version error: (NSError**)error { diff --git a/KeychainCircle/Tests/KCPairingTest.m b/KeychainCircle/Tests/KCPairingTest.m index 7e106ada..19694e48 100644 --- a/KeychainCircle/Tests/KCPairingTest.m +++ b/KeychainCircle/Tests/KCPairingTest.m @@ -289,6 +289,10 @@ abort(); signature = SOSCircleCopyNextGenSignatureWithPeerAdded(prunedCircle, applicant, _deviceKey, &error); + if(applicant) { + CFRelease(applicant); + applicant = NULL; + } NSData *pbblob = CFBridgingRelease(SOSPiggyBackBlobCopyEncodedData(gencount, _deviceKey, signature, &error)); @@ -343,8 +347,6 @@ // intentionally left blank // these are used by the security/2 tool and are only declared here to make the compiler happy about conforming the protocol we shoved the methods into } - - @end @implementation KCPairingTest 
diff --git a/KeychainSyncAccountNotification/KeychainSyncAccountNotification.m b/KeychainSyncAccountNotification/KeychainSyncAccountNotification.m index 2aeb9955..09cbfb96 100644 --- a/KeychainSyncAccountNotification/KeychainSyncAccountNotification.m +++ b/KeychainSyncAccountNotification/KeychainSyncAccountNotification.m @@ -13,9 +13,37 @@ #endif #import #import - +#if OCTAGON +#import +#include +#endif #import "utilities/debugging.h" +#if OCTAGON + +static bool SecOTIsEnabled(void) +{ + bool userDefaultsShouldBottledPeer = true; + CFBooleanRef enabled = (CFBooleanRef)CFPreferencesCopyValue(CFSTR("EnableOTRestore"), + CFSTR("com.apple.security"), + kCFPreferencesAnyUser, kCFPreferencesAnyHost); + if(enabled && CFGetTypeID(enabled) == CFBooleanGetTypeID()){ + if(enabled == kCFBooleanFalse){ + secnotice("octagon", "Octagon Restore Disabled"); + userDefaultsShouldBottledPeer = false; + } + if(enabled == kCFBooleanTrue){ + secnotice("octagon", "Octagon Restore Enabled"); + userDefaultsShouldBottledPeer = true; + } + } + + CFReleaseNull(enabled); + return userDefaultsShouldBottledPeer; +} + +#endif + @implementation KeychainSyncAccountNotification - (bool)accountIsPrimary:(ACAccount *)account 
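Review bot: `SecOTIsEnabled` returns true whenever `EnableOTRestore` is missing or is not a CFBoolean, and that default-on behaviour is not documented in the function. A header comment would make it explicit, e.g. `// Octagon restore is on by default; only an explicit boolean false for EnableOTRestore in com.apple.security (any user, any host) turns it off`. Consider logging when the stored value has an unexpected type, so a mistyped preference is visible rather than silently ignored. `CFBooleanGetValue(enabled)` would also read more directly than the two pointer comparisons.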
@@ -31,6 +59,39 @@ NSString* oldAccountIdentifier = oldAccount.identifier; NSString* accountIdentifier = account.identifier; + if((changeType == kACAccountChangeTypeAdded) && + [account.accountType.identifier isEqualToString: ACAccountTypeIdentifierAppleAccount] && + [self accountIsPrimary:account]) { +#if OCTAGON + if(SecOTIsEnabled()){ + __block NSError* error = nil; + NSString *dsid = account.accountProperties[@"personID"]; + OTControl* otcontrol = [OTControl controlObject:&error]; + + if (nil == otcontrol) { + secerror("octagon: Failed to get OTControl: %@", error.localizedDescription); + } else { + dispatch_semaphore_t sema = dispatch_semaphore_create(0); + + [otcontrol signIn:dsid reply:^(BOOL result, NSError * _Nullable signedInError) { + if(!result || signedInError){ + secerror("octagon: error signing in: %s", [[signedInError description] UTF8String]); + } + else{ + secnotice("octagon", "signed into octagon trust"); + } + dispatch_semaphore_signal(sema); + + }]; + if (0 != dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 60 * 5))) { + secerror("octagon: Timed out signing in"); + } + } + }else{ + secerror("Octagon not enabled!"); + } +#endif + } if ((changeType == kACAccountChangeTypeDeleted) && [oldAccount.accountType.identifier isEqualToString:ACAccountTypeIdentifierAppleAccount]) { if(oldAccountIdentifier != NULL && oldAccount.username !=NULL) { if ([self accountIsPrimary:oldAccount]) { 
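Review bot: In the `signIn:` reply block, `secerror("octagon: error signing in: %s", [[signedInError description] UTF8String])` is reached when `result` is NO even if `signedInError` is nil, which hands a NULL pointer to `%s`. `secerror("octagon: error signing in: %@", signedInError);` avoids that and matches the other log calls in this file; the same line appears in the `signOut:` reply block in the next hunk. `dsid` is read from `account.accountProperties[@"personID"]` and passed to `signIn:` without a nil check. The semaphore wait can also hold this account-change callback for up to five minutes, so confirm it does not run on a thread that must stay responsive. The enclosing method starts and ends outside the hunk.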
@@ -41,6 +102,34 @@ if (!SOSCCLoggedOutOfAccount(&removalError)) { secerror("Account %@ could not leave the SOS circle: %@", oldAccountIdentifier, removalError); } +#if OCTAGON + if(SecOTIsEnabled()){ + __block NSError* error = nil; + OTControl* otcontrol = [OTControl controlObject:&error]; + + if (nil == otcontrol) { + secerror("octagon: Failed to get OTControl: %@", error.localizedDescription); + } else { + dispatch_semaphore_t sema = dispatch_semaphore_create(0); + + [otcontrol signOut:^(BOOL result, NSError * _Nullable signedOutError) { + if(!result || signedOutError){ + secerror("octagon: error signing out: %s", [[signedOutError description] UTF8String]); + } + else{ + secnotice("octagon", "signed out of octagon trust"); + } + dispatch_semaphore_signal(sema); + }]; + if (0 != dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 60 * 5))) { + secerror("octagon: Timed out signing out"); + } + } + } + else{ + secerror("Octagon not enabled!"); + } +#endif } else { secinfo("accounts", "NOT performing SOS circle credential removal for secondary account %@: %@", accountIdentifier, account.username); } diff --git a/KeychainSyncingOverIDSProxy/IDSProxy.h b/KeychainSyncingOverIDSProxy/IDSProxy.h index 9985fe04..ec09a8fe 100644 --- a/KeychainSyncingOverIDSProxy/IDSProxy.h +++ b/KeychainSyncingOverIDSProxy/IDSProxy.h @@ -56,10 +56,7 @@ typedef enum { // Only touch these three dictionaries from the dataQueue or you will crash, eventually. @property (retain, nonatomic) NSMutableDictionary *messagesInFlight; @property (retain, nonatomic) NSMutableDictionary *unhandledMessageBuffer; -@property (retain, nonatomic) NSMutableDictionary *monitor; - -@property (retain, nonatomic) NSArray* listOfDevices; - +@property (retain, nonatomic) NSMutableDictionary *monitor; @property (atomic) dispatch_source_t penaltyTimer; @property (atomic) bool penaltyTimerScheduled; @property (retain, atomic) NSDictionary *queuedMessages; 
@@ -68,6 +65,10 @@ typedef enum { @property (atomic) NSInteger outgoingMessages; @property (atomic) NSInteger incomingMessages; + + + + @property (atomic) bool isIDSInitDone; @property (atomic) bool shadowDoInitializeIDSService; @property (atomic) bool isSecDRunningAsRoot; @@ -88,6 +89,7 @@ typedef enum { @property (atomic) bool handleAllPendingMessages; @property (atomic) bool shadowHandleAllPendingMessages; @property (atomic) bool sendRestoredMessages; +@property (atomic) bool allowKVSFallBack; + (KeychainSyncingOverIDSProxy *) idsProxy; @@ -109,7 +111,11 @@ typedef enum { - (NSDictionary*) collectStats; - (void) scheduleRetryRequestTimer; - (BOOL) haveMessagesInFlight; +-(void) printMessage:(NSDictionary*) message state:(NSString*)state; + @end NSString* createErrorString(NSString* format, ...) NS_FORMAT_FUNCTION(1, 2); + + diff --git a/KeychainSyncingOverIDSProxy/IDSProxy.m b/KeychainSyncingOverIDSProxy/IDSProxy.m index c6cbe5bb..0f09c6e9 100644 --- a/KeychainSyncingOverIDSProxy/IDSProxy.m +++ b/KeychainSyncingOverIDSProxy/IDSProxy.m @@ -56,6 +56,8 @@ static NSString *kExportUnhandledMessages = @"UnhandledMessages"; static NSString *kMessagesInFlight = @"MessagesInFlight"; static const char *kStreamName = "com.apple.notifyd.matching"; static NSString *const kIDSMessageUseACKModel = @"UsesAckModel"; +static NSString *const kIDSNumberOfFragments = @"NumberOfIDSMessageFragments"; +static NSString *const kIDSFragmentIndex = @"kFragmentIndex"; static NSString *const kOutgoingMessages = @"IDS Outgoing Messages"; static NSString *const kIncomingMessages = @"IDS Incoming Messages"; 
@@ -169,7 +171,7 @@ CFIndex SECD_RUN_AS_ROOT_ERROR = 1041; NSString *peerID = (NSString*)[idsMessage objectForKey:(__bridge NSString*)kIDSMessageRecipientPeerID]; NSString *ID = (NSString*)[idsMessage objectForKey:(__bridge NSString*)kIDSMessageRecipientDeviceID]; - + NSString *senderDeviceID = (NSString*)[idsMessage objectForKey:(__bridge NSString*)kIDSMessageSenderDeviceID]; dispatch_sync(self.dataQueue, ^{ [self.messagesInFlight removeObjectForKey:key]; }); @@ -177,10 +179,11 @@ CFIndex SECD_RUN_AS_ROOT_ERROR = 1041; if (!peerID || !ID) { return; } - secnotice("IDS Transport", "sending this message: %@", idsMessage); - if([self sendIDSMessage:idsMessage name:ID peer:peerID]){ + [self printMessage:idsMessage state:@"sending persisted message"]; + + if([self sendIDSMessage:idsMessage name:ID peer:peerID senderDeviceID:senderDeviceID]){ NSString *useAckModel = [idsMessage objectForKey:kIDSMessageUseACKModel]; - if([useAckModel compare:@"YES"] == NSOrderedSame){ + if([useAckModel compare:@"YES"] == NSOrderedSame && [KeychainSyncingOverIDSProxy idsProxy].allowKVSFallBack){ secnotice("IDS Transport", "setting timer!"); [self setMessageTimer:uniqueMessageID deviceID:ID message:idsMessage]; } @@ -204,11 +207,11 @@ CFIndex SECD_RUN_AS_ROOT_ERROR = 1041; deviceIDFromAuthToken = [[NSMutableDictionary alloc] init]; _peerNextSendCache = [[NSMutableDictionary alloc] init]; _counterValues = [[NSMutableDictionary alloc] init]; - _listOfDevices = [[NSMutableArray alloc] init]; _outgoingMessages = 0; _incomingMessages = 0; _isSecDRunningAsRoot = false; _doesSecDHavePeer = true; + _allowKVSFallBack = true; secdebug(IDSPROXYSCOPE, "%@ done", self); [self doIDSInitialization]; 
@@ -388,15 +391,6 @@ CFIndex SECD_RUN_AS_ROOT_ERROR = 1041; self->_isIDSInitDone = true; if(self->_isSecDRunningAsRoot == false) [self doSetIDSDeviceID]; - - NSArray *ListOfIDSDevices = [self->_service devices]; - self.listOfDevices = ListOfIDSDevices; - - for(NSUInteger i = 0; i < [ self.listOfDevices count ]; i++){ - IDSDevice *device = self.listOfDevices[i]; - NSString *authToken = IDSCopyIDForDevice(device); - [self.deviceIDFromAuthToken setObject:device.uniqueID forKey:authToken]; - } } }); } @@ -554,5 +548,16 @@ NSString* createErrorString(NSString* format, ...) return _counterValues; } +-(void) printMessage:(NSDictionary*) message state:(NSString*)state +{ + secnotice("IDS Transport", "message state: %@", state); + secnotice("IDS Transport", "msg id: %@", message[(__bridge NSString*)kIDSMessageUniqueID]); + secnotice("IDS Transport", "receiver ids device id: %@", message[(__bridge NSString*)kIDSMessageRecipientDeviceID]); + secnotice("IDS Transport", "sender device id: %@", message[(__bridge NSString*)kIDSMessageSenderDeviceID]); + secnotice("IDS Transport", "receiver peer id: %@", message[(__bridge NSString*)kIDSMessageRecipientPeerID]); + secnotice("IDS Transport", "fragment index: %@", (NSNumber*)message[kIDSFragmentIndex]); + secnotice("IDS Transport", "total number of fragments: %@", (NSNumber*)message[kIDSNumberOfFragments]); + secnotice("IDS Transport", "%@ data: %@", state, message[(__bridge NSString*)kIDSMessageToSendKey]); +} @end diff --git a/KeychainSyncingOverIDSProxy/KeychainSyncingOverIDSProxy+ReceiveMessage.h b/KeychainSyncingOverIDSProxy/KeychainSyncingOverIDSProxy+ReceiveMessage.h index 297e4e47..1a2f70a0 100644 --- a/KeychainSyncingOverIDSProxy/KeychainSyncingOverIDSProxy+ReceiveMessage.h +++ b/KeychainSyncingOverIDSProxy/KeychainSyncingOverIDSProxy+ReceiveMessage.h 
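Review bot: The last line of `printMessage:state:` writes the message body to the log at notice level (`"%@ data: %@"` with the `kIDSMessageToSendKey` value), next to the peer and device identifiers, and the method is called on both the send and receive paths. Even if the payload is protected at another layer, which is not visible here, log its type or size rather than its content, for example `secnotice("IDS Transport", "%@ data: <%@>", state, [payload class]);` with `payload` being that value. The `rerouting message %@` line added in KeychainSyncingOverIDSProxy+SendMessage.m logs the KVS-rerouted message body in the same way.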
@@ -29,7 +29,7 @@ -(BOOL) checkForFragmentation:(NSDictionary*)message id:(NSString*)fromID data:(NSData*)messageData; -(NSMutableDictionary*) combineMessage:(NSString*)deviceID peerID:(NSString*)peerID uuid:(NSString*)uuid; - (void)service:(IDSService *)service account:(IDSAccount *)account incomingMessage:(NSDictionary *)message fromID:(NSString *)fromID context:(IDSMessageContext *)context; -- (void)sendMessageToSecurity:(NSMutableDictionary*)messageAndFromID fromID:(NSString*)fromID; +-(void)sendMessageToSecurity:(NSMutableDictionary*)messageAndFromID fromID:(NSString*)fromID shouldSendAck:(NSString *)useAck peerID:(NSString*)peerID messageID:(NSString*)messageID deviceID:(NSString*)deviceID; - (void) handleAllPendingMessage; @end diff --git a/KeychainSyncingOverIDSProxy/KeychainSyncingOverIDSProxy+ReceiveMessage.m b/KeychainSyncingOverIDSProxy/KeychainSyncingOverIDSProxy+ReceiveMessage.m index 05d2f626..d3e0317a 100644 --- a/KeychainSyncingOverIDSProxy/KeychainSyncingOverIDSProxy+ReceiveMessage.m +++ b/KeychainSyncingOverIDSProxy/KeychainSyncingOverIDSProxy+ReceiveMessage.m @@ -49,14 +49,15 @@ #import "KeychainSyncingOverIDSProxy+SendMessage.h" #import "IDSProxy.h" + static NSString *const kIDSNumberOfFragments = @"NumberOfIDSMessageFragments"; static NSString *const kIDSFragmentIndex = @"kFragmentIndex"; static NSString *const kIDSMessageRecipientID = @"RecipientPeerID"; static NSString *const kIDSMessageUseACKModel = @"UsesAckModel"; +static NSString *const kIDSMessageSendersDeviceID = @"SendersDeviceID"; @implementation KeychainSyncingOverIDSProxy (ReceiveMessage) - -(int) countNumberOfValidObjects:(NSMutableArray*)fragmentsForDeviceID { __block int count = 0; 
@@ -71,19 +72,19 @@ static NSString *const kIDSMessageUseACKModel = @"UsesAckModel"; -(BOOL) checkForFragmentation:(NSDictionary*)message id:(NSString*)fromID data:(NSData*)messageData { BOOL handOffMessage = false; - + if([message valueForKey:kIDSNumberOfFragments] != nil){ NSNumber *idsNumberOfFragments = [message objectForKey:kIDSNumberOfFragments]; NSNumber *index = [message objectForKey:kIDSFragmentIndex]; NSString *uuidString = [message objectForKey:(__bridge NSString*)kIDSMessageUniqueID]; - + if([KeychainSyncingOverIDSProxy idsProxy].allFragmentedMessages == nil) [KeychainSyncingOverIDSProxy idsProxy].allFragmentedMessages = [NSMutableDictionary dictionary]; - + NSMutableDictionary *uniqueMessages = [[KeychainSyncingOverIDSProxy idsProxy].allFragmentedMessages objectForKey: fromID]; if(uniqueMessages == nil) uniqueMessages = [NSMutableDictionary dictionary]; - + NSMutableArray *fragmentsForDeviceID = [uniqueMessages objectForKey: uuidString]; if(fragmentsForDeviceID == nil){ fragmentsForDeviceID = [ [NSMutableArray alloc] initWithCapacity: [idsNumberOfFragments longValue]]; @@ -91,22 +92,22 @@ static NSString *const kIDSMessageUseACKModel = @"UsesAckModel"; [fragmentsForDeviceID addObject:[NSNull null]]; } } - + [fragmentsForDeviceID replaceObjectAtIndex: [index intValue] withObject:messageData ]; [uniqueMessages setObject: fragmentsForDeviceID forKey:uuidString]; [[KeychainSyncingOverIDSProxy idsProxy].allFragmentedMessages setObject:uniqueMessages forKey: fromID]; - + if([self countNumberOfValidObjects:fragmentsForDeviceID] == [idsNumberOfFragments longValue]) handOffMessage = true; else handOffMessage = false; - + } else //no fragmentation in the message, ready to hand off to securityd handOffMessage = true; - + return handOffMessage; - + } -(NSMutableDictionary*) combineMessage:(NSString*)ID peerID:(NSString*)peerID uuid:(NSString*)uuid 
@@ -114,7 +115,7 @@ static NSString *const kIDSMessageUseACKModel = @"UsesAckModel"; NSString *dataKey = [ NSString stringWithUTF8String: kMessageKeyIDSDataMessage ]; NSString *deviceIDKey = [ NSString stringWithUTF8String: kMessageKeyDeviceID ]; NSString *peerIDKey = [ NSString stringWithUTF8String: kMessageKeyPeerID ]; - + NSMutableDictionary *arrayOfFragmentedMessagesByUUID = [[KeychainSyncingOverIDSProxy idsProxy].allFragmentedMessages objectForKey:ID]; NSMutableArray *messagesForUUID = [arrayOfFragmentedMessagesByUUID objectForKey:uuid]; NSMutableData* completeMessage = [NSMutableData data]; @@ -127,7 +128,7 @@ static NSString *const kIDSMessageUseACKModel = @"UsesAckModel"; //we've combined the message, now remove it from the fragmented messages dictionary [arrayOfFragmentedMessagesByUUID removeObjectForKey:uuid]; - return [NSMutableDictionary dictionaryWithObjectsAndKeys: completeMessage, dataKey, deviceID, deviceIDKey, peerID, peerIDKey, nil]; + return [NSMutableDictionary dictionaryWithObjectsAndKeys: completeMessage, dataKey, ID, deviceIDKey, peerID, peerIDKey, nil]; } -(void) handleTestMessage:(NSString*)operation id:(NSString*)ID messageID:(NSString*)uniqueID senderPeerID:(NSString*)senderPeerID @@ -168,7 +169,7 @@ static NSString *const kIDSMessageUseACKModel = @"UsesAckModel"; NSDictionary* messsageDictionary = @{(__bridge NSString*)kIDSOperationType:operationString, (__bridge NSString*)kIDSMessageToSendKey:messageString}; // We can always hold on to a message and our remote peers would bother everyone - [self sendIDSMessage:messsageDictionary name:ID peer:@"me"]; + [self sendIDSMessage:messsageDictionary name:ID peer:@"me" senderDeviceID:NULL]; free(messageCharS); 
@@ -207,7 +208,7 @@ static NSString *const kIDSMessageUseACKModel = @"UsesAckModel"; } } -- (void)sendACK:(NSString*)ID peerID:(NSString*)sendersPeerID uniqueID:(NSString*)uniqueID +- (void)sendACK:(NSString*)ID peerID:(NSString*)sendersPeerID uniqueID:(NSString*)uniqueID senderDeviceID:(NSString*)senderDeviceID { char* messageCharS; NSString* messageString = @"ACK"; @@ -217,7 +218,7 @@ static NSString *const kIDSMessageUseACKModel = @"UsesAckModel"; NSDictionary* messageDictionary = @{(__bridge NSString*)kIDSOperationType:operationString, (__bridge NSString*)kIDSMessageToSendKey:messageString, (__bridge NSString*)kIDSMessageUniqueID:uniqueID}; - [self sendIDSMessage:messageDictionary name:ID peer:sendersPeerID]; + [self sendIDSMessage:messageDictionary name:ID peer:sendersPeerID senderDeviceID:senderDeviceID]; free(messageCharS); 
@@ -249,23 +250,26 @@ static NSString *const kIDSMessageUseACKModel = @"UsesAckModel"; NSString* operationTypeAsString = nil; NSMutableDictionary *messageDictionary = nil; NSString *useAck = nil; - NSString *ID = nil; + NSString *senderDeviceID = nil; NSArray *devices = [self->_service devices]; for(NSUInteger i = 0; i < [ devices count ]; i++){ IDSDevice *device = devices[i]; if( [(IDSCopyIDForDevice(device)) containsString: fromID] == YES){ - ID = device.uniqueID; + senderDeviceID = device.uniqueID; break; } } - secnotice("IDS Transport", "Received message from: %@: %@ ", ID, message); + [[KeychainSyncingOverIDSProxy idsProxy] printMessage:message state:[NSString stringWithFormat:@"received message from: %@", senderDeviceID]]; NSString *sendersPeerID = [message objectForKey: sendersPeerIDKey]; if(sendersPeerID == nil) sendersPeerID = [NSString string]; - - - require_action_quiet(ID, fail, hadError = true; errorMessage = CFSTR("require the sender's device ID")); + + if(!senderDeviceID){ + senderDeviceID = message[kIDSMessageSendersDeviceID]; + secnotice("IDS Transport", "Their device ID!: %@", senderDeviceID); + } + require_action_quiet(senderDeviceID, fail, hadError = true; errorMessage = CFSTR("require the sender's device ID")); operationTypeAsString = [message objectForKey: (__bridge NSString*)kIDSOperationType]; messageDictionary = [message objectForKey: (__bridge NSString*)kIDSMessageToSendKey]; 
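Review bot: When no entry of `[self->_service devices]` matches `fromID`, `senderDeviceID` is now taken from `message[kIDSMessageSendersDeviceID]`, a value supplied inside the incoming message itself. The later hunks use it as the fragment-reassembly key, the ACK destination and the device ID handed to securityd. Nothing here checks that it is an `NSString` or ties it to `fromID`; at minimum add `if (![senderDeviceID isKindOfClass:[NSString class]]) senderDeviceID = nil;` before the `require_action_quiet`. A comment should also state why a sender-asserted ID is acceptable at this point; presumably IDS has already authenticated the sending account, which this hunk does not show. The enclosing method starts and ends outside the hunk.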
@@ -276,12 +280,12 @@ static NSString *const kIDSMessageUseACKModel = @"UsesAckModel"; if(useAck != nil && [useAck compare:@"YES"] == NSOrderedSame) require_quiet(messageID != nil, fail); - secnotice("IDS Transport","from peer %@, operation type as string: %@, as integer: %d", ID, operationTypeAsString, [operationTypeAsString intValue]); + secnotice("IDS Transport","from peer %@, operation: %@", senderDeviceID, operationTypeAsString); operationType = [operationTypeAsString intValue]; if(operationType != kIDSKeychainSyncIDSFragmentation) { - [self handleTestMessage:operationTypeAsString id:ID messageID:messageID senderPeerID:sendersPeerID]; + [self handleTestMessage:operationTypeAsString id:senderDeviceID messageID:messageID senderPeerID:sendersPeerID]; } else{ 
@@ -289,20 +293,19 @@ static NSString *const kIDSMessageUseACKModel = @"UsesAckModel"; myPeerID = (NSString*)key; messageData = (NSData*)obj; }]; - - if(useAck != nil && [useAck compare:@"YES"] == NSOrderedSame) - [self sendACK:ID peerID:myPeerID uniqueID:messageID]; - - BOOL readyToHandOffToSecD = [self checkForFragmentation:message id:ID data:messageData]; + + BOOL readyToHandOffToSecD = [self checkForFragmentation:message id:senderDeviceID data:messageData]; NSMutableDictionary *messageAndFromID = nil; if(readyToHandOffToSecD && ([message objectForKey:kIDSFragmentIndex])!= nil){ + secnotice("IDS Transport", "combing message"); NSString* uuid = [message objectForKey:(__bridge NSString*)kIDSMessageUniqueID]; - messageAndFromID = [self combineMessage:ID peerID:myPeerID uuid:uuid]; + messageAndFromID = [self combineMessage:senderDeviceID peerID:myPeerID uuid:uuid]; + //update next sequence number } else if(readyToHandOffToSecD){ - messageAndFromID = [NSMutableDictionary dictionaryWithObjectsAndKeys: messageData, dataKey, ID, deviceIDKey, myPeerID, peerIDKey, nil]; + messageAndFromID = [NSMutableDictionary dictionaryWithObjectsAndKeys: messageData, dataKey, senderDeviceID, deviceIDKey, myPeerID, peerIDKey, nil]; } else return; @@ -316,8 +319,10 @@ static NSString *const kIDSMessageUseACKModel = @"UsesAckModel"; [self.unhandledMessageBuffer setObject: messageAndFromID forKey: fromID]; }); } - else - [self sendMessageToSecurity:messageAndFromID fromID:fromID]; + else{ + [self sendMessageToSecurity:messageAndFromID fromID:fromID shouldSendAck:useAck peerID:myPeerID messageID:messageID deviceID:senderDeviceID]; + + } } fail: 
@@ -347,7 +352,7 @@ static NSString *const kIDSMessageUseACKModel = @"UsesAckModel"; dispatch_sync(self.dataQueue, ^{ [self.unhandledMessageBuffer removeObjectForKey: fromID]; }); - [self sendMessageToSecurity:messageAndFromID fromID:fromID]; + [self sendMessageToSecurity:messageAndFromID fromID:fromID shouldSendAck:nil peerID:nil messageID:nil deviceID:nil]; }]; } @@ -365,7 +370,7 @@ static NSString *const kIDSMessageUseACKModel = @"UsesAckModel"; return true; } --(void)sendMessageToSecurity:(NSMutableDictionary*)messageAndFromID fromID:(NSString*)fromID +-(void)sendMessageToSecurity:(NSMutableDictionary*)messageAndFromID fromID:(NSString*)fromID shouldSendAck:(NSString *)useAck peerID:(NSString*)peerID messageID:(NSString*)messageID deviceID:(NSString*)senderDeviceID { __block CFErrorRef cf_error = NULL; __block HandleIDSMessageReason success = kHandleIDSMessageSuccess; @@ -428,6 +433,9 @@ static NSString *const kIDSMessageUseACKModel = @"UsesAckModel"; } else{ secnotice("IDS Transport","IDSProxy handled this message %@, from: %@", messageAndFromID, fromID); + + if(useAck != nil && [useAck compare:@"YES"] == NSOrderedSame) + [self sendACK:senderDeviceID peerID:peerID uniqueID:messageID senderDeviceID:senderDeviceID]; return (NSMutableDictionary*)messageAndFromID; } diff --git a/KeychainSyncingOverIDSProxy/KeychainSyncingOverIDSProxy+SendMessage.h b/KeychainSyncingOverIDSProxy/KeychainSyncingOverIDSProxy+SendMessage.h index 0de3f5b3..22a7da7e 100644 --- a/KeychainSyncingOverIDSProxy/KeychainSyncingOverIDSProxy+SendMessage.h +++ b/KeychainSyncingOverIDSProxy/KeychainSyncingOverIDSProxy+SendMessage.h 
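Review bot: Messages replayed from `unhandledMessageBuffer` now call `sendMessageToSecurity:` with `shouldSendAck:nil peerID:nil messageID:nil deviceID:nil`. This commit moves the ACK into the success branch of `sendMessageToSecurity:`, so it is never sent for a message that was buffered before delivery. If that is intended (the sender presumably times out and retries or falls back), record it at the call with a comment such as `// buffered messages are not ACKed; the sender's ack timer handles the retry`. Otherwise the ack flag, message ID, peer ID and device ID need to be stored with the buffered entry. Both methods extend beyond their hunks.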
@@ -25,8 +25,8 @@ #import "IDSProxy.h" @interface KeychainSyncingOverIDSProxy (SendMessage) --(BOOL) sendFragmentedIDSMessages:(NSDictionary*)data name:(NSString*) deviceName peer:(NSString*) ourPeerID error:(NSError**) error; --(BOOL) sendIDSMessage:(NSDictionary*)data name:(NSString*) deviceName peer:(NSString*) peerID; +-(BOOL) sendFragmentedIDSMessages:(NSDictionary*)data name:(NSString*) deviceName peer:(NSString*) ourPeerID senderDeviceID:(NSString*)senderDeviceID error:(NSError**) error; +-(BOOL) sendIDSMessage:(NSDictionary*)data name:(NSString*) deviceName peer:(NSString*) peerID senderDeviceID:(NSString*)senderDeviceID; -(void) ackTimerFired:(NSString*)identifier deviceID:(NSString*)deviceID; -(void) setMessageTimer:(NSString*)identifier deviceID:(NSString*)deviceID message:(NSDictionary*)message; - (void)pingTimerFired:(NSString*)deviceID peerID:(NSString*)peerID identifier:(NSString*)identifier; diff --git a/KeychainSyncingOverIDSProxy/KeychainSyncingOverIDSProxy+SendMessage.m b/KeychainSyncingOverIDSProxy/KeychainSyncingOverIDSProxy+SendMessage.m index 168f2518..dd382a3b 100644 --- a/KeychainSyncingOverIDSProxy/KeychainSyncingOverIDSProxy+SendMessage.m +++ b/KeychainSyncingOverIDSProxy/KeychainSyncingOverIDSProxy+SendMessage.m 
@@ -54,19 +54,19 @@ static NSString *const IDSSendMessageOptionForceEncryptionOffKey = @"IDSSendMess static NSString *const kIDSNumberOfFragments = @"NumberOfIDSMessageFragments"; static NSString *const kIDSFragmentIndex = @"kFragmentIndex"; static NSString *const kIDSMessageUseACKModel = @"UsesAckModel"; -static NSString *const kIDSDeviceID = @"deviceID"; +static NSString *const kIDSMessageSendersDeviceID = @"SendersDeviceID"; +static NSString *const kIDSDeviceID = @"deviceID"; static const int64_t kRetryTimerLeeway = (NSEC_PER_MSEC * 250); // 250ms leeway for handling unhandled messages. -static const int64_t timeout = 3ull; +static const int64_t timeout = 5ull; static const int64_t KVS_BACKOFF = 5; static const NSUInteger kMaxIDSMessagePayloadSize = 64000; - @implementation KeychainSyncingOverIDSProxy (SendMessage) - --(bool) chunkAndSendKeychainPayload:(NSData*)keychainData deviceID:(NSString*)deviceName ourPeerID:(NSString*)ourPeerID theirPeerID:(NSString*) theirPeerID operation:(NSString*)operationTypeAsString uuid:(NSString*)uuidString error:(NSError**) error +-(bool) chunkAndSendKeychainPayload:(NSData*)keychainData deviceID:(NSString*)deviceName ourPeerID:(NSString*)ourPeerID theirPeerID:(NSString*) theirPeerID operation:(NSString*)operationTypeAsString uuid:(NSString*)uuidString senderDeviceID:(NSString*)senderDeviceID + error:(NSError**) error { __block BOOL result = true; @@ -97,7 +97,7 @@ static const NSUInteger kMaxIDSMessagePayloadSize = 64000; [fragmentDictionary setObject:[NSNumber numberWithInt:fragmentIndex] forKey:kIDSFragmentIndex]; - result = [self sendIDSMessage:fragmentDictionary name:deviceName peer:ourPeerID]; + result = [self sendIDSMessage:fragmentDictionary name:deviceName peer:ourPeerID senderDeviceID:senderDeviceID]; if(!result) secerror("Could not send fragmented message"); 
@@ -117,10 +117,10 @@ static const NSUInteger kMaxIDSMessagePayloadSize = 64000; bool success = SOSCCRequestSyncWithPeerOverKVS(((__bridge CFStringRef)theirPeerID), (__bridge CFDataRef)message, &cf_error); if(success){ - secnotice("IDSPing", "sent peerID: %@ to securityd to sync over KVS", theirPeerID); + secnotice("IDS Transport", "rerouting message %@", message); } else{ - secerror("Could not hand peerID: %@ to securityd, error: %@", theirPeerID, cf_error); + secerror("could not route message to %@, error: %@", theirPeerID, cf_error); } CFReleaseNull(cf_error); @@ -163,7 +163,7 @@ static const NSUInteger kMaxIDSMessagePayloadSize = 64000; success = SOSCCRequestSyncWithPeerOverKVSUsingIDOnly(((__bridge CFStringRef)IDSid), &cf_error); if(success){ - secnotice("IDSPing", "sent peerID: %@ to securityd to sync over KVS", IDSid); + secnotice("IDS Transport", "rerouting message for %@", peerID); } else{ secerror("Could not hand peerID: %@ to securityd, error: %@", IDSid, cf_error); @@ -184,7 +184,7 @@ static const NSUInteger kMaxIDSMessagePayloadSize = 64000; bool result = false; secnotice("IDS Transport", "sending to id: %@", IDSid); - result = [self sendIDSMessage:messageDictionary name:IDSid peer:peerID]; + result = [self sendIDSMessage:messageDictionary name:IDSid peer:peerID senderDeviceID:[NSString string]]; if(!result){ secerror("Could not send message over IDS"); @@ -193,7 +193,7 @@ static const NSUInteger kMaxIDSMessagePayloadSize = 64000; bool success = SOSCCRequestSyncWithPeerOverKVSUsingIDOnly(((__bridge CFStringRef)IDSid), &kvsError); if(success){ - secnotice("IDSPing", "sent peerID: %@ to securityd to sync over KVS", IDSid); + secnotice("IDS Transport", "sent peerID: %@ to securityd to sync over KVS", IDSid); } else{ secerror("Could not hand peerID: %@ to securityd, error: %@", IDSid, kvsError); 
@@ -263,7 +263,7 @@ static const NSUInteger kMaxIDSMessagePayloadSize = 64000; return isPingMessage; } --(BOOL) sendFragmentedIDSMessages:(NSDictionary*)data name:(NSString*) deviceName peer:(NSString*) ourPeerID error:(NSError**) error +-(BOOL) sendFragmentedIDSMessages:(NSDictionary*)data name:(NSString*) deviceName peer:(NSString*) ourPeerID senderDeviceID:(NSString*)senderDeviceID error:(NSError**) error { BOOL result = false; BOOL isPingMessage = false; @@ -278,14 +278,13 @@ static const NSUInteger kMaxIDSMessagePayloadSize = 64000; //check the peer cache for the next time to send timestamp //if the timestamp is set in the future, reroute the message to KVS //otherwise send the message over IDS - if(![self shouldProxySendMessage:deviceName]) - { + if(![self shouldProxySendMessage:deviceName] && [KeychainSyncingOverIDSProxy idsProxy].allowKVSFallBack) + { if(isPingMessage){ secnotice("IDS Transport", "peer negative cache check: peer cannot send yet. not sending ping message"); return true; } else{ - secnotice("IDS Transport", "peer negative cache check: peer cannot send yet. rerouting message to be sent over KVS: %@", messageDictionary); [self sendMessageToKVS:messageDictionary]; return true; } @@ -294,7 +293,8 @@ static const NSUInteger kMaxIDSMessagePayloadSize = 64000; if(isPingMessage){ //foward the ping message, no processing result = [self sendIDSMessage:data name:deviceName - peer:ourPeerID]; + peer:ourPeerID + senderDeviceID:senderDeviceID]; if(!result){ secerror("Could not send ping message"); } 
@@ -325,21 +325,24 @@ static const NSUInteger kMaxIDSMessagePayloadSize = 64000; theirPeerID:theirPeerID operation:operationTypeAsString uuid:localMessageIdentifier + senderDeviceID:senderDeviceID error:&localError]; } else{ NSMutableDictionary* dataCopy = [NSMutableDictionary dictionaryWithDictionary:data]; [dataCopy setObject:localMessageIdentifier forKey:(__bridge NSString*)kIDSMessageUniqueID]; + result = [self sendIDSMessage:dataCopy name:deviceName - peer:ourPeerID]; + peer:ourPeerID + senderDeviceID:senderDeviceID]; } - if(result && useAckModel){ + if(result && useAckModel && [KeychainSyncingOverIDSProxy idsProxy].allowKVSFallBack){ secnotice("IDS Transport", "setting ack timer"); [self setMessageTimer:localMessageIdentifier deviceID:deviceName message:data]; } - + secnotice("IDS Transport","returning result: %d, error: %@", result, error ? *error : nil); return result; } @@ -367,9 +370,10 @@ static const NSUInteger kMaxIDSMessagePayloadSize = 64000; if(!message){ return; } - NSDictionary *encapsulatedKeychainMessage = [message objectForKey:(__bridge NSString*)kIDSMessageToSendKey]; + NSDictionary *mesageInFlight = [message objectForKey:(__bridge NSString*)kIDSMessageToSendKey]; + + [[KeychainSyncingOverIDSProxy idsProxy] printMessage:mesageInFlight state:@"timeout occured, rerouting to KVS"]; - secnotice("IDS Transport", "Encapsulated message: %@", encapsulatedKeychainMessage); //cleanup timers dispatch_async(self.pingQueue, ^{ dispatch_source_t timer = [[KeychainSyncingOverIDSProxy idsProxy].pingTimers objectForKey:identifier]; //remove timer @@ -378,7 +382,7 @@ static const NSUInteger kMaxIDSMessagePayloadSize = 64000; [[KeychainSyncingOverIDSProxy idsProxy].pingTimers removeObjectForKey:identifier]; }); - [self sendMessageToKVS:encapsulatedKeychainMessage]; + [self sendMessageToKVS:mesageInFlight]; //setting next time to send [self updateNextTimeToSendFor5Minutes:ID]; 
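Review bot: In the @@ -367 hunk `mesageInFlight` is passed to `printMessage:state:` and, in the @@ -378 hunk, to `sendMessageToKVS:` without the `isKindOfClass:[NSDictionary class]` test that the other reroute path applies to the same `kIDSMessageToSendKey` lookup (@@ -439 hunk). A missing or wrongly typed entry would reach both calls here; wrapping them in `if([messageInFlight isKindOfClass:[NSDictionary class]]){ … }` keeps the timer cleanup unconditional and matches the sibling. While there, the local is misspelled (`mesageInFlight`) and the state string reads "timeout occured"; `messageInFlight` and "occurred" would match the rest of the file. The method body begins before the hunk.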
@@ -397,7 +401,6 @@ static const NSUInteger kMaxIDSMessagePayloadSize = 64000; dispatch_resume(timer); //restructure message in flight - //set the timer for message id dispatch_async(self.pingQueue, ^{ @@ -426,9 +429,7 @@ static const NSUInteger kMaxIDSMessagePayloadSize = 64000; secnotice("IDS Transport", "no message for identifier: %@", messageIdentifier); return; } - secnotice("IDS Transport", "sending over KVS: %@", messageToSendToKVS); - - + [[KeychainSyncingOverIDSProxy idsProxy] printMessage:messageToSendToKVS state:@"IDS rejected send, message rerouted to KVS"]; //cleanup timer for message dispatch_async(self.pingQueue, ^{ @@ -439,16 +440,15 @@ static const NSUInteger kMaxIDSMessagePayloadSize = 64000; }); } - NSDictionary *encapsulatedKeychainMessage = [messageToSendToKVS objectForKey:(__bridge NSString*)kIDSMessageToSendKey]; - - if([encapsulatedKeychainMessage isKindOfClass:[NSDictionary class]]){ - secnotice("IDS Transport", "Encapsulated message: %@", encapsulatedKeychainMessage); - [self sendMessageToKVS:encapsulatedKeychainMessage]; + NSDictionary *messageInFlight = [messageToSendToKVS objectForKey:(__bridge NSString*)kIDSMessageToSendKey]; + if([messageInFlight isKindOfClass:[NSDictionary class]]){ + [[KeychainSyncingOverIDSProxy idsProxy] printMessage:messageInFlight state:@"IDS rejected send, message rerouted to KVS"]; + [self sendMessageToKVS:messageInFlight]; } } --(BOOL) sendIDSMessage:(NSDictionary*)data name:(NSString*) deviceName peer:(NSString*) peerID +-(BOOL) sendIDSMessage:(NSDictionary*)data name:(NSString*) deviceName peer:(NSString*) peerID senderDeviceID:(NSString*)senderDeviceID { if(!self->_service){ 
@@ -456,38 +456,48 @@ static const NSUInteger kMaxIDSMessagePayloadSize = 64000; return NO; } + NSMutableDictionary *dataCopy = [NSMutableDictionary dictionaryWithDictionary: data]; + + __block NSString* senderDeviceIDCopy = nil; + if(senderDeviceID){ + senderDeviceIDCopy = [[NSString alloc]initWithString:senderDeviceID]; + } + else{ + secnotice("IDS Transport", "device id doesn't exist for peer:%@", peerID); + senderDeviceIDCopy = [NSString string]; + } + dispatch_async(self.calloutQueue, ^{ IDSMessagePriority priority = IDSMessagePriorityHigh; BOOL encryptionOff = YES; NSString *sendersPeerIDKey = [ NSString stringWithUTF8String: kMessageKeySendersPeerID]; - secnotice("backoff","!!writing these keys to IDS!!: %@", data); - NSDictionary *options = @{IDSSendMessageOptionForceEncryptionOffKey : [NSNumber numberWithBool:encryptionOff] }; - NSMutableDictionary *dataCopy = [NSMutableDictionary dictionaryWithDictionary: data]; - //set our peer id and a unique id for this message [dataCopy setObject:peerID forKey:sendersPeerIDKey]; - secnotice("IDS Transport", "%@ sending message %@ to: %@", peerID, data, deviceName); + [dataCopy setObject:senderDeviceIDCopy forKey:kIDSMessageSendersDeviceID]; + secnotice("IDS Transport","Our device Name: %@", senderDeviceID); + [[KeychainSyncingOverIDSProxy idsProxy] printMessage:dataCopy state:@"sending"]; NSDictionary *info; NSInteger errorCode = 0; - NSInteger numberOfDevices = 0; + NSUInteger numberOfDevices = 0; NSString *errMessage = nil; NSMutableSet *destinations = nil; NSError *localError = nil; NSString *identifier = nil; IDSDevice *device = nil; - numberOfDevices = [self.listOfDevices count]; + NSArray* listOfDevices = [self->_service devices]; + numberOfDevices = [listOfDevices count]; require_action_quiet(numberOfDevices > 0, fail, errorCode = kSecIDSErrorNotRegistered; errMessage=createErrorString(@"Could not send message to peer: %@: IDS devices are not registered yet", deviceName)); secnotice("IDS Transport","List of 
devices: %@", [self->_service devices]); destinations = [NSMutableSet set]; - for(NSUInteger i = 0; i < [ self.listOfDevices count ]; i++){ - device = self.listOfDevices[i]; + for(NSUInteger i = 0; i < numberOfDevices; i++){ + device = listOfDevices[i]; if( [ deviceName compare:device.uniqueID ] == 0){ [destinations addObject: IDSCopyIDForDevice(device)]; } @@ -499,7 +509,7 @@ static const NSUInteger kMaxIDSMessagePayloadSize = 64000; [KeychainSyncingOverIDSProxy idsProxy].outgoingMessages++; require_action_quiet(localError == nil && result, fail, errorCode = kSecIDSErrorFailedToSend; errMessage = createErrorString(@"Had an error sending IDS message to peer: %@", deviceName)); - secnotice("IDS Transport","successfully sent to peer:%@, message: %@", deviceName, dataCopy); + [[KeychainSyncingOverIDSProxy idsProxy] printMessage:dataCopy state:@"sent!"]; fail: if(errMessage != nil){ diff --git a/KeychainSyncingOverIDSProxy/keychainsyncingoveridsproxy.m b/KeychainSyncingOverIDSProxy/keychainsyncingoveridsproxy.m index 810d4b8f..b045d443 100644 --- a/KeychainSyncingOverIDSProxy/keychainsyncingoveridsproxy.m +++ b/KeychainSyncingOverIDSProxy/keychainsyncingoveridsproxy.m 
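Review bot: Inside the dispatch block the new log line prints the raw `senderDeviceID` parameter, which is nil exactly in the fallback case, while the message carries `senderDeviceIDCopy`; `secnotice("IDS Transport", "Our device ID: %@", senderDeviceIDCopy);` would log what is actually sent. `senderDeviceIDCopy` is also declared `__block` although the block only reads it, so a plain local is enough. The options built in this same block set `IDSSendMessageOptionForceEncryptionOffKey`, so the added `SendersDeviceID` field presumably travels outside whatever protects the encapsulated payload; it is worth confirming that receivers treat it as an unauthenticated hint. The method starts in the previous hunk and continues past this one.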
@@ -131,21 +131,26 @@ static void idskeychainsyncingproxy_peer_dictionary_handler(const xpc_connection xpc_object_t xidsMessageData = xpc_dictionary_get_value(event, kMessageKeyValue); xpc_object_t xDeviceName = xpc_dictionary_get_value(event, kMessageKeyDeviceName); xpc_object_t xPeerID = xpc_dictionary_get_value(event, kMessageKeyPeerID); + xpc_object_t xSenderDeviceID = xpc_dictionary_get_value(event, kMessageKeyDeviceID); BOOL object = false; NSString *deviceName = (__bridge_transfer NSString*)(_CFXPCCreateCFObjectFromXPCObject(xDeviceName)); NSString *peerID = (__bridge_transfer NSString*)(_CFXPCCreateCFObjectFromXPCObject(xPeerID)); NSDictionary *messageDictionary = (__bridge_transfer NSDictionary*)(_CFXPCCreateCFObjectFromXPCObject(xidsMessageData)); + NSString *senderDeviceID = (__bridge_transfer NSString*)(_CFXPCCreateCFObjectFromXPCObject(xSenderDeviceID)); + NSError *error = NULL; bool isNameString = (CFGetTypeID((__bridge CFTypeRef)(deviceName)) == CFStringGetTypeID()); bool isPeerIDString = (CFGetTypeID((__bridge CFTypeRef)(peerID)) == CFStringGetTypeID()); bool isMessageDictionary = (CFGetTypeID((__bridge CFTypeRef)(messageDictionary)) == CFDictionaryGetTypeID()); + bool isDeviceIDString = (CFGetTypeID((__bridge CFTypeRef)(senderDeviceID)) == CFStringGetTypeID()); require_quiet(isNameString, xit); require_quiet(isPeerIDString, xit); + require_quiet(isDeviceIDString, xit); require_quiet(isMessageDictionary, xit); - object = [[KeychainSyncingOverIDSProxy idsProxy] sendFragmentedIDSMessages:messageDictionary name:deviceName peer:peerID error:&error]; + object = [[KeychainSyncingOverIDSProxy idsProxy] sendFragmentedIDSMessages:messageDictionary name:deviceName peer:peerID senderDeviceID:senderDeviceID error:&error]; xpc_object_t replyMessage = xpc_dictionary_create_reply(event); xpc_dictionary_set_bool(replyMessage, kMessageKeyValue, object); 
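Review bot: `isDeviceIDString` calls `CFGetTypeID` on `senderDeviceID` without first checking it for NULL, and the value comes straight from the peer's XPC dictionary. If a client omits `kMessageKeyDeviceID`, `xpc_dictionary_get_value` returns NULL and the converted object is presumably NULL as well, so the type test itself would crash the proxy before `require_quiet` can reject the message. I would write `bool isDeviceIDString = senderDeviceID && (CFGetTypeID((__bridge CFTypeRef)(senderDeviceID)) == CFStringGetTypeID());`; the same applies to the identical line in the @@ -162 hunk and, by the look of it, to the three existing checks beside it. Note also that this makes the key mandatory here while `sendIDSMessage:` has a fallback for a nil sender ID, so older clients are rejected rather than defaulted. The handler's body extends outside the hunk.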
@@ -162,30 +167,36 @@ static void idskeychainsyncingproxy_peer_dictionary_handler(const xpc_connection xpc_object_t xidsMessageData = xpc_dictionary_get_value(event, kMessageKeyValue); xpc_object_t xDeviceName = xpc_dictionary_get_value(event, kMessageKeyDeviceName); xpc_object_t xPeerID = xpc_dictionary_get_value(event, kMessageKeyPeerID); + xpc_object_t xSenderDeviceID = xpc_dictionary_get_value(event, kMessageKeyDeviceID); + BOOL object = false; NSString *deviceName = (__bridge_transfer NSString*)(_CFXPCCreateCFObjectFromXPCObject(xDeviceName)); NSString *peerID = (__bridge_transfer NSString*)(_CFXPCCreateCFObjectFromXPCObject(xPeerID)); NSDictionary *messageDictionary = (__bridge_transfer NSDictionary*)(_CFXPCCreateCFObjectFromXPCObject(xidsMessageData)); + NSString *senderDeviceID = (__bridge_transfer NSString*)(_CFXPCCreateCFObjectFromXPCObject(xSenderDeviceID)); + CFErrorRef error = NULL; bool isNameString = (CFGetTypeID((__bridge CFTypeRef)(deviceName)) == CFStringGetTypeID()); bool isPeerIDString = (CFGetTypeID((__bridge CFTypeRef)(peerID)) == CFStringGetTypeID()); bool isMessageDictionary = (CFGetTypeID((__bridge CFTypeRef)(messageDictionary)) == CFDictionaryGetTypeID()); - + bool isDeviceIDString = (CFGetTypeID((__bridge CFTypeRef)(senderDeviceID)) == CFStringGetTypeID()); + require_quiet(isNameString, xit); require_quiet(isPeerIDString, xit); require_quiet(isMessageDictionary, xit); - + require_quiet(isDeviceIDString, xit); + NSString *localMessageIdentifier = [[NSUUID UUID] UUIDString]; NSMutableDictionary* messageDictionaryCopy = [NSMutableDictionary dictionaryWithDictionary:messageDictionary]; [messageDictionaryCopy setObject:localMessageIdentifier forKey:(__bridge NSString*)(kIDSMessageUniqueID)]; - if([[KeychainSyncingOverIDSProxy idsProxy] sendIDSMessage:messageDictionaryCopy name:deviceName peer:peerID]) + if([[KeychainSyncingOverIDSProxy idsProxy] sendIDSMessage:messageDictionaryCopy name:deviceName peer:peerID senderDeviceID:senderDeviceID]) { 
object = true; NSString *useAckModel = [messageDictionaryCopy objectForKey:(__bridge NSString*)(kIDSMessageUsesAckModel)]; - if(object && [useAckModel compare:@"YES"] == NSOrderedSame){ + if(object && [useAckModel compare:@"YES"] == NSOrderedSame && [KeychainSyncingOverIDSProxy idsProxy].allowKVSFallBack){ secnotice("IDS Transport", "setting timer!"); [[KeychainSyncingOverIDSProxy idsProxy] setMessageTimer:localMessageIdentifier deviceID:deviceName message:messageDictionaryCopy]; } @@ -221,7 +232,6 @@ xit: static void idskeychainsyncingproxy_peer_event_handler(xpc_connection_t peer, xpc_object_t event) { - describeXPCObject("peer: ", peer); xpc_type_t type = xpc_get_type(event); if (type == XPC_TYPE_ERROR) { if (event == XPC_ERROR_CONNECTION_INVALID) { @@ -235,8 +245,6 @@ static void idskeychainsyncingproxy_peer_event_handler(xpc_connection_t peer, xp } } else { assert(type == XPC_TYPE_DICTIONARY); - // Handle the message. - // describeXPCObject("dictionary:", event); dispatch_async(dispatch_get_main_queue(), ^{ idskeychainsyncingproxy_peer_dictionary_handler(peer, event); }); @@ -265,6 +273,20 @@ static void idskeychainsyncingproxy_event_handler(xpc_connection_t peer) xpc_connection_resume(peer); } +static bool kvsFallbackFromDefaultsWrite(void) +{ + bool kvsFallbackEnabled = true; + + //defaults write ~/Library/Preferences/com.apple.security allowKVSFallback -bool + CFBooleanRef value = (CFBooleanRef)CFPreferencesCopyValue(CFSTR("allowKVSFallback"), CFSTR("com.apple.security"), kCFPreferencesAnyUser, kCFPreferencesCurrentHost); + if ( value ) + { + kvsFallbackEnabled = CFBooleanGetValue(value); + CFReleaseNull(value); + } + return kvsFallbackEnabled; +} + int idsproxymain(int argc, const char *argv[]) { secdebug(PROXYXPCSCOPE, "Starting IDSProxy"); 
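Review bot: `kvsFallbackFromDefaultsWrite` casts whatever `CFPreferencesCopyValue` returns to `CFBooleanRef` and calls `CFBooleanGetValue` on it without checking the type, so a preference written as a string or number is read as if it were a boolean. Since this flag decides whether messages may be rerouted to KVS, I would check `CFGetTypeID` against `CFBooleanGetTypeID()` and keep the default otherwise. The comment also names `~/Library/Preferences`, while the lookup uses `kCFPreferencesAnyUser` with `kCFPreferencesCurrentHost`, which as far as I can tell is not the per-user file; one of the two should be corrected.

```objective-c
    bool kvsFallbackEnabled = true;
    // … unchanged: comment naming the defaults key …
    CFTypeRef value = CFPreferencesCopyValue(CFSTR("allowKVSFallback"), CFSTR("com.apple.security"), kCFPreferencesAnyUser, kCFPreferencesCurrentHost);
    if (value && CFGetTypeID(value) == CFBooleanGetTypeID()) {
        kvsFallbackEnabled = CFBooleanGetValue((CFBooleanRef)value);
    } else if (value) {
        secnotice("IDS Transport", "allowKVSFallback is not a boolean, keeping default");
    }
    CFReleaseNull(value);
    return kvsFallbackEnabled;
```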
@@ -289,6 +311,8 @@ int idsproxymain(int argc, const char *argv[]) [KeychainSyncingOverIDSProxy idsProxy].sendRestoredMessages = false; } + [KeychainSyncingOverIDSProxy idsProxy].allowKVSFallBack = kvsFallbackFromDefaultsWrite(); + // It looks to me like there is insufficient locking to allow a request to come in on the XPC connection while doing the initial all items. // Therefore I'm leaving the XPC connection suspended until that has time to process. xpc_connection_resume(listener); diff --git a/OSX/SecurityTestsOSX/SecurityTests-Entitlements.plist b/OSX/SecurityTestsOSX/SecurityTests-Entitlements.plist index 44259696..39da8b2f 100644 --- a/OSX/SecurityTestsOSX/SecurityTests-Entitlements.plist +++ b/OSX/SecurityTestsOSX/SecurityTests-Entitlements.plist @@ -26,6 +26,8 @@ com.apple.security.regressions com.apple.private.uninstall.deletion + com.apple.private.security.delete.all + keychain-access-groups com.apple.security.regressions @@ -36,17 +38,5 @@ 123456.test.group2 com.apple.bluetooth - com.apple.private.ubiquity-kvstore-access - - com.apple.securityd - - com.apple.developer.ubiquity-kvstore-identifier - com.apple.security.cloudkeychainproxy3 - com.apple.developer.ubiquity-container-identifiers - - com.apple.security.cloudkeychainproxy3 - com.apple.security.cloudkeychain - CloudKeychainProxy.xpc - diff --git a/OSX/authd/authorization.plist b/OSX/authd/authorization.plist index f4f68f3b..179b0d5d 100644 --- a/OSX/authd/authorization.plist +++ b/OSX/authd/authorization.plist @@ -1286,22 +1286,20 @@ See remaining rules for examples. system.services.directory.configure - allow-root - - authenticate-user - class - user + rule + k-of-n + 1 + rule + + is-root + entitled + authenticate-admin-nonshared + comment For making Directory Services changes. - group - admin - session-owner - - shared - version - 2 + 3 system.services.networkextension.filtering diff --git a/OSX/authd/engine.c b/OSX/authd/engine.c index 7991cff5..2a3de5c0 100644 --- a/OSX/authd/engine.c 
+++ b/OSX/authd/engine.c @@ -434,6 +434,9 @@ _extract_password_from_la(engine_t engine) if (passdata) { if (CFDataGetBytePtr(passdata)) { auth_items_set_data(engine->context, kAuthorizationEnvironmentPassword, CFDataGetBytePtr(passdata), CFDataGetLength(passdata)); + } else { + const char *empty_pass = "\0"; // authd code is unable to process empty strings so passing empty string as terminator only + auth_items_set_data(engine->context, kAuthorizationEnvironmentPassword, empty_pass, 1); } CFRelease(passdata); } @@ -879,7 +882,7 @@ _evaluate_class_rule(engine_t engine, rule_t rule, bool *save_pwd) uint32_t total = (uint32_t)rule_get_delegates_count(rule); __block uint32_t success_count = 0; __block uint32_t count = 0; - os_log_debug(AUTHD_LOG, "engine: ** rule %{public}s has %zi delegates kofn = %lli",rule_get_name(rule), total, kofn); + os_log_debug(AUTHD_LOG, "engine: ** rule %{public}s has %u delegates kofn = %lli",rule_get_name(rule), total, kofn); rule_delegates_iterator(rule, ^bool(rule_t delegate) { count++; @@ -1388,11 +1391,11 @@ OSStatus engine_authorize(engine_t engine, auth_rights_t rights, auth_items_t en save_password = true; } const char *user = auth_items_get_string(environment, kAuthorizationEnvironmentUsername); - require(user, done); + require_action(user, done, os_log_debug(AUTHD_LOG, "engine: Missing username"); status = errAuthorizationDenied); auth_items_set_string(engine->context, kAuthorizationEnvironmentUsername, user); struct passwd *pwd = getpwnam(user); - require(pwd, done); + require_action(pwd, done, os_log_debug(AUTHD_LOG, "engine: Invalid username %s", user); status = errAuthorizationDenied); auth_items_set_uint(engine->context, "sheet-uid", pwd->pw_uid); // move sheet-specific items from hints to context 
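Review bot: In the @@ -1388 hunk both new failure paths return `errAuthorizationDenied` but record the reason only through `os_log_debug`, which is not persisted in a default logging configuration, so a denial caused by a missing or unknown username leaves nothing to investigate afterwards. I would raise these two to `os_log_error` and keep the username out of the message or leave it with the default private `%s`, e.g. `os_log_error(AUTHD_LOG, "engine: Invalid username")`. engine_authorize begins and ends outside the hunk.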
@@ -1810,10 +1813,11 @@ CFTypeRef engine_copy_context(engine_t engine, auth_items_t source) bool engine_acquire_sheet_data(engine_t engine) { - uid_t uid = auth_items_get_int(engine->context, "sheet-uid"); - if (!uid) + if (!auth_items_exist(engine->context, "sheet-uid")) return false; + uid_t uid = auth_items_get_uint(engine->context, "sheet-uid"); + CFReleaseSafe(engine->la_context); engine->la_context = engine_copy_context(engine, engine->hints); if (engine->la_context) { diff --git a/OSX/config/lib.xcconfig b/OSX/config/lib.xcconfig index fdb54902..0a9bbcb5 100644 --- a/OSX/config/lib.xcconfig +++ b/OSX/config/lib.xcconfig @@ -5,7 +5,7 @@ EXECUTABLE_PREFIX = CODE_SIGN_IDENTITY = -HEADER_SEARCH_PATHS = $(PROJECT_DIR)/../ $(PROJECT_DIR)/../include $(BUILT_PRODUCTS_DIR)/derived_src $(BUILT_PRODUCTS_DIR) $(PROJECT_DIR)/lib $(PROJECT_DIR)/../utilities $(inherited) +HEADER_SEARCH_PATHS = $(PROJECT_DIR)/../ $(PROJECT_DIR)/../include $(BUILT_PRODUCTS_DIR)/derived_src $(BUILT_PRODUCTS_DIR) $(PROJECT_DIR)/lib $(PROJECT_DIR)/../utilities $(PROJECT_DIR)/../../header_symlinks/macOS $(PROJECT_DIR)/../../header_symlinks/ $(inherited) SKIP_INSTALL = YES diff --git a/OSX/config/security_framework_macos.xcconfig b/OSX/config/security_framework_macos.xcconfig index 2e878c70..2dff3356 100644 --- a/OSX/config/security_framework_macos.xcconfig +++ b/OSX/config/security_framework_macos.xcconfig 
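Review bot: The presence test that replaces `if (!uid)` in engine_acquire_sheet_data deserves a comment, because the difference is that a stored uid of 0 is now accepted instead of being treated as absent. Something like `/* sheet-uid may be 0 (root); test for presence, not for a non-zero value */` above the `auth_items_exist` call would record that this is deliberate. The function continues past the hunk, so how `uid` is used afterwards is not visible here.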
@@ -24,3 +24,11 @@ APPLY_RULES_IN_COPY_FILES = NO // Not entirely sure what this is for, but, okay. INSTALLHDRS_SCRIPT_PHASE = YES + +// Adding things here is against the spirit of TAPI. If something is in the framework, it should be in the framework headers. +// Don't add things. +OTHER_TAPI_FLAGS_TRUST = -extra-private-header $(PROJECT_DIR)/OSX/trustd/macOS/SecTrustOSXEntryPoints.h -extra-private-header $(PROJECT_DIR)/OSX/sec/Security/SecCertificateInternal.h +OTHER_TAPI_FLAGS_USR_LIB_HEADERS = -extra-private-header $(PROJECT_DIR)/OSX/utilities/src/debugging.h +OTHER_TAPI_FLAGS_HACKS = -exclude-public-header $(BUILT_PRODUCTS_DIR)/Security.framework/Versions/A/Headers/AuthorizationPlugin.h -extra-public-header $(PROJECT_DIR)/OSX/macos_tapi_hacks.h -D SECURITY_PROJECT_TAPI_HACKS=1 + +OTHER_TAPI_FLAGS = $(inherited) $(OTHER_TAPI_FLAGS_SECURITY_FRAMEWORK) -I$(PROJECT_DIR)/header_symlinks/ $(OTHER_TAPI_FLAGS_TRUST) $(OTHER_TAPI_FLAGS_USR_LIB_HEADERS) $(OTHER_TAPI_FLAGS_HACKS) diff --git a/OSX/config/security_macos.xcconfig b/OSX/config/security_macos.xcconfig index 0a2b9ed2..a7acee1d 100644 --- a/OSX/config/security_macos.xcconfig +++ b/OSX/config/security_macos.xcconfig @@ -14,9 +14,6 @@ DEPLOYMENT_POSTPROCESSING = NO GCC_C_LANGUAGE_STANDARD = gnu99 SUPPORTED_PLATFORMS = macOS -// Don't use the inherited cflags; they set SEC_IOS_ON_OSX -GCC_PREPROCESSOR_DEFINITIONS = SECURITY_BUILD_VERSION=\"$(SECURITY_BUILD_VERSION)\" - GCC_TREAT_WARNINGS_AS_ERRORS = YES GCC_WARN_ABOUT_DEPRECATED_FUNCTIONS = NO GCC_SYMBOLS_PRIVATE_EXTERN = NO diff --git a/OSX/lib/generateErrStrings.pl b/OSX/lib/generateErrStrings.pl index 509bb088..1aa92e2b 100644 --- a/OSX/lib/generateErrStrings.pl +++ b/OSX/lib/generateErrStrings.pl 
@@ -72,7 +72,7 @@ # CSSM_CSSM_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT + 0x10, # CSSMERR_CSSM_SCOPE_NOT_SUPPORTED = CSSM_CSSM_BASE_CSSM_ERROR + 1, # -# Style A has the comment after the comment. Style has the comment before the value, +# Style A has the comment after the value. Style has the comment before the value, # and Style C has no comment. In cases where both Style A and B apply, the # comment at the end of the line is used. # @@ -116,13 +116,9 @@ $TARGETSTR=$ARGV[2]; # path of .strings file, e.g. $#INPUTFILES = $#ARGV - 3; # truncate to actual number of files print "gend: $GENDEBUGSTRINGS, tmpdir: $TMPDIR, targetstr: $TARGETSTR\n"; -$PROGNAME="${TMPDIR}/generateErrStrings.mm"; -open PROGRAM,"> $PROGNAME" or die "can't open $PROGNAME: $!"; -select PROGRAM; - -printAdditionalIncludes(); -printInputIncludes(); -printMainProgram(); +open STRINGFILE, "> $TARGETSTR" or die "can't open $TARGETSTR: $!"; +select STRINGFILE; +binmode STRINGFILE, ":encoding(UTF-16)"; # ----------------------------------------------------------------------------------- # Parse error headers and build array of all relevant lines @@ -132,12 +128,6 @@ processInput(); close(ERR); # ----------------------------------------------------------------------------------- -printTrailer(); -select STDOUT; -close PROGRAM; - -compileLinkAndRun(); - # 4: Done! exit; 
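Review bot: In the @@ -116 hunk the output file is opened with the two-argument form, `open STRINGFILE, "> $TARGETSTR"`, so the path taken from `$ARGV[2]` is parsed together with the mode; the three-argument form avoids that and can set the encoding in the same call: `open(STRINGFILE, '>:encoding(UTF-16)', $TARGETSTR) or die "can't open $TARGETSTR: $!";`. The @@ -132 hunk removes `select STDOUT; close PROGRAM;` without an equivalent for the new handle, so a failed flush of the strings file goes unnoticed; `select STDOUT; close(STRINGFILE) or die "can't write $TARGETSTR: $!";` before `exit` would surface it.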
@@ -147,53 +137,55 @@ exit; sub processInput { - # 3: Read input, process each line, output it. - while ( $line = ) - { - ($enum) = ($line =~ /\n\s*(?:enum|CF_ENUM\(OSStatus\))\s*{\s*([^}]*)};/); - while ($enum ne '') #basic filter for badly formed enums - { - #Drop leading whitespace - $enum =~ s/^\s+//; - # print "A:", $enum,"\n"; - ($leadingcomment) = ($enum =~ m%^(/\*([^*]|[\r\n]|(\*+([^*/]|[\r\n])))*\*+/)|(//.*)%); - if ($leadingcomment ne '') - { - $enum = substr($enum, length($leadingcomment)); - $leadingcomment = substr($leadingcomment, 2); # drop leading "/*" - $leadingcomment = substr($leadingcomment, 0, -2); # drop trailing "*/" - $leadingcomment = cleanupComment($leadingcomment); - } - next if ($enum eq ''); #basic filter for badly formed enums - - # Check for C++ style comments at start of line - if ($enum =~ /\s*(\/\/)/) - { - #Drop everything before the end of line - $enum =~ s/[^\n]*[\n]*//; - next; - } - ($identifier) = ($enum =~ /\s*([_A-Za-z][_A-Za-z0-9]*)/); - -# print "identifier: ", $identifier,"\n" if ($identifier ne ''); - - #Drop everything before the comma, end of line or trailing comment + # 3: Read input, process each line, output it. 
+ while ( $line = ) + { + ($enum) = ($line =~ /\n\s*(?:enum|CF_ENUM\(OSStatus\))\s*{\s*([^}]*)};/); + while ($enum ne '') #basic filter for badly formed enums + { + #Drop leading whitespace + $enum =~ s/^\s+//; + + ($leadingcomment) = ($enum =~ m%^(/\*([^*]|[\r\n]|(\*+([^*/]|[\r\n])))*\*+/)|(//.*)%); + if ($leadingcomment ne '') + { + $enum = substr($enum, length($leadingcomment)); + $leadingcomment = substr($leadingcomment, 2); # drop leading "/*" + $leadingcomment = substr($leadingcomment, 0, -2); # drop trailing "*/" + $leadingcomment = cleanupComment($leadingcomment); + } + next if ($enum eq ''); #basic filter for badly formed enums + + # Check for C++ style comments at start of line + if ($enum =~ /\s*(\/\/)/) + { + #Drop everything before the end of line + $enum =~ s/[^\n]*[\n]*//; + next; + } + ($identifier) = ($enum =~ /\s*([_A-Za-z][_A-Za-z0-9]*)/); + #print "identifier: ", $identifier,"\n" if ($identifier ne ''); + + ($value) = ($enum =~ /\s*[_A-Za-z][_A-Za-z0-9]*\s*=\s*(-?[0-9]*),/); + #print "value: ", $value,"\n" if ($value ne ''); + + #Drop everything before the comma, end of line or trailing comment $enum =~ s/[^,]*(,|\n|(\/\*))//; - - # Now look for trailing comment. We only consider them - # trailing if they come before the end of the line - ($trailingcomment) = ($enum =~ /^[ \t]*\/\*((.)*)?\*\//); - $trailingcomment = cleanupComment($trailingcomment); - - #Drop everything before the end of line - $enum =~ s/[^\n]*[\n]*//; - # print "B:", $enum,"\n"; - # print "lc:$leadingcomment, id:$identifier, tc:$trailingcomment\n"; - # print "===========================================\n"; - - writecomment($leadingcomment, $identifier, $trailingcomment); - } - } + + # Now look for trailing comment. 
We only consider them + # trailing if they come before the end of the line + ($trailingcomment) = ($enum =~ /^[ \t]*\/\*((.)*)?\*\//); + $trailingcomment = cleanupComment($trailingcomment); + + #Drop everything before the end of line + $enum =~ s/[^\n]*[\n]*//; + + #print "lc:$leadingcomment, id:$identifier, v:$value, tc:$trailingcomment\n"; + #print "===========================================\n"; + + writecomment($leadingcomment, $identifier, $trailingcomment, $value); + } + } } sub writecomment @@ -205,7 +197,7 @@ sub writecomment # tmp << "/* errAuthorizationSuccess */\n\"" << errAuthorizationSuccess # << "\" = \"The operation completed successfully.\"\n" << endl; - my($mylc,$myid,$mytc) = @_; + my($mylc,$myid,$mytc,$myvalue) = @_; if ($myid =~ /(CSSM_ERRCODE|CSSMERR_|errSec|errCS|errAuth|errSSL)[_A-Za-z][_A-Za-z0-9]*/) { $errormessage = ''; 
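Review bot: The new `$value` pattern is not anchored and accepts only a decimal literal followed by a comma, so for a member written without `= <number>,` it either yields an empty value or picks up the number of a later member in the same enum. The header comment of this script itself lists members defined by expressions such as `CSSM_CSSM_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT + 0x10`, which this cannot capture. I would anchor it to the current member, `($value) = ($enum =~ /^\s*[_A-Za-z][_A-Za-z0-9]*\s*=\s*(-?[0-9]+)\s*,/);`, and have writecomment (changed in the following hunks) skip or warn when `$myvalue` is empty instead of emitting a `""` key.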
@@ -218,89 +210,13 @@ sub writecomment if ($errormessage ne '') { - print "\ttmp << \"/* ", $myid, " */\\n\\\"\" << "; - print $myid, " << \"\\\" = \\\""; - print $errormessage, "\\\";\\n\" << endl;\n"; + print "/* ", $myid, " */\n\""; + print $myvalue, "\" = \""; + print $errormessage, "\";\n\n"; } } }; - -sub printAdditionalIncludes -{ - #This uses the "here" construct to dump out lines verbatim - print <<"AdditionalIncludes"; - -#include -#include -#include -#include - -using namespace std; -AdditionalIncludes -} - -sub printInputIncludes -{ - #Now "#include" each of the input files - print "\n#include \"$_\"" foreach @INPUTFILES; - print "\n"; -} - -sub printMainProgram -{ - #Output the main part of the program using the "here" construct - print <<"MAINPROGRAM"; - -void writeStrings(const char *stringsFileName); -void createStringsTemp(); - -int main (int argc, char * const argv[]) -{ - const char *stringsFileName = NULL; - - if (argc == 2) - stringsFileName = argv[1]; - else - if (argc == 1) - stringsFileName = "SecErrorMessages.strings"; - else - return -1; - - cout << "Strings file to create: " << stringsFileName << endl; - createStringsTemp(); - writeStrings(stringsFileName); -} - -void writeStrings(const char *stringsFileName) -{ - NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init]; - NSFileHandle *fh = [NSFileHandle fileHandleForReadingAtPath:@"generateErrStrings.tmp"]; - NSData *rawstrings = [fh readDataToEndOfFile]; - UInt32 encoding = CFStringConvertEncodingToNSStringEncoding (kCFStringEncodingUTF8); - NSString *instring = [[NSString alloc] initWithData:rawstrings encoding:(NSStringEncoding)encoding]; - - if (instring) - { - NSString *path = [NSString stringWithUTF8String:stringsFileName]; - NSFileManager *fm = [NSFileManager defaultManager]; - if ([fm fileExistsAtPath:path]) - [fm removeItemAtPath:path error:NULL]; - BOOL bx = [fm createFileAtPath:path contents:nil attributes:nil]; - NSFileHandle *fs = [NSFileHandle 
fileHandleForWritingAtPath:path]; - [fs writeData:[instring dataUsingEncoding:NSUnicodeStringEncoding]]; - } - - [pool release]; -} - -void createStringsTemp() -{ - ofstream tmp("generateErrStrings.tmp") ; - -MAINPROGRAM -} - sub cleanupComment { my $comment = shift @_; @@ -310,33 +226,8 @@ sub cleanupComment $comment =~ s/\s\s+/ /g; # Squeeze multiple spaces to one $comment =~ s/^\s+//; # Drop leading whitespace $comment =~ s/\s+$//; # Drop trailing whitespace - $comment =~ s/[\"]/\\\\\\"/g; # Replace double quotes with \" (backslash is sextupled to make it through regex and printf) + $comment =~ s/[\"]/\\\"/g; # Replace double quotes with \" (backslash is sextupled to make it through regex and printf) } # print "B:",$comment,"\n"; $comment; -} - -sub printTrailer -{ - print " tmp.close();\n"; - print "}\n"; } - -sub compileLinkAndRun -{ - $status = system( <<"MAINPROGRAM"); -(cd ${TMPDIR} ; /usr/bin/cc -x objective-c++ -pipe -Wno-trigraphs -fpascal-strings -fasm-blocks -g -O0 -Wreturn-type -fmessage-length=0 -F$ENV{'BUILT_PRODUCTS_DIR'} -I$ENV{'BUILT_PRODUCTS_DIR'}/SecurityPieces/Headers -I$ENV{'BUILT_PRODUCTS_DIR'}/SecurityPieces/PrivateHeaders -c generateErrStrings.mm -o generateErrStrings.o) -MAINPROGRAM - die "$compile exited funny: $?" unless $status == 0; - - $status = system( <<"LINKERSTEP"); -(cd ${TMPDIR} ; /usr/bin/clang++ -o generateErrStrings generateErrStrings.o -framework Foundation ) -LINKERSTEP - die "$linker exited funny: $?" unless $status == 0; - - $status = system( <<"RUNSTEP"); -(cd ${TMPDIR} ; ./generateErrStrings $TARGETSTR ) -RUNSTEP - die "$built program exited funny: $?" unless $status == 0; -} - diff --git a/OSX/libsecurity_apple_x509_cl/lib/clNssUtils.cpp b/OSX/libsecurity_apple_x509_cl/lib/clNssUtils.cpp index bee31697..d94b373d 100644 --- a/OSX/libsecurity_apple_x509_cl/lib/clNssUtils.cpp +++ b/OSX/libsecurity_apple_x509_cl/lib/clNssUtils.cpp 
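Review bot: The comment on the changed substitution in cleanupComment still says the backslash "is sextupled to make it through regex and printf", which described the removed generated-program path; the replacement now emits a single backslash before the quote. I would update it to `# Replace double quotes with \" for the .strings output`. A literal backslash in a header comment is still passed through unescaped, which may be worth handling in the same place if any input contains one.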
@@ -50,7 +50,6 @@ void *ArenaAllocator::malloc(size_t len) throw(std::bad_alloc) /* intentionally not implemented, should never be called */ void ArenaAllocator::free(void *p) throw() { - throw std::bad_alloc(); } void *ArenaAllocator::realloc(void *p, size_t len) throw(std::bad_alloc) diff --git a/OSX/libsecurity_authorization/lib/AuthSession.h b/OSX/libsecurity_authorization/lib/AuthSession.h index d8542ed8..53ef4855 100644 --- a/OSX/libsecurity_authorization/lib/AuthSession.h +++ b/OSX/libsecurity_authorization/lib/AuthSession.h @@ -119,8 +119,8 @@ CF_ENUM(OSStatus) { errSessionAuthorizationDenied = -60502, /* you are not allowed to do this */ errSessionValueNotSet = -60503, /* the session attribute you requested has not been set */ - errSessionInternal = errAuthorizationInternal, /* internal error */ - errSessionInvalidFlags = errAuthorizationInvalidFlags /* invalid flags/options */ + errSessionInternal = -60008, /* internal error */ + errSessionInvalidFlags = -60011, /* invalid flags/options */ }; diff --git a/OSX/libsecurity_authorization/lib/AuthorizationPlugin.h b/OSX/libsecurity_authorization/lib/AuthorizationPlugin.h index f34c2366..baed6963 100644 --- a/OSX/libsecurity_authorization/lib/AuthorizationPlugin.h +++ b/OSX/libsecurity_authorization/lib/AuthorizationPlugin.h @@ -176,7 +176,7 @@ enum { interface. */ enum { - kAuthorizationCallbacksVersion = 2 + kAuthorizationCallbacksVersion = 3 }; 
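Review bot: In the AuthSession.h hunk `errSessionInternal` and `errSessionInvalidFlags` lose their link to `errAuthorizationInternal` and `errAuthorizationInvalidFlags`, and nothing on the new lines records that the numbers must stay equal to them. A trailing note in each comment, e.g. `/* internal error; same value as errAuthorizationInternal */`, keeps the relationship visible to whoever edits either header.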
@@ -194,8 +194,9 @@ enum { @field SetHintValue Write value to hints. AuthorizationValue and data are copied. @field GetArguments Read arguments passed. AuthorizationValueVector does not own data. @field GetSessionId Read SessionId. - @field GetLAContext Returns authenticated LAContext which can be used for operations with Tokens which would normally require PIN. Caller owns returned context and is responsible for release. - @field GetTokenIdentities Returns array of identities. Caller owns returned array and is reponsible for release. + @field GetLAContext Returns LAContext which will have LACredentialCTKPIN credential set if PIN is available otherwise context without credentials is returned. LAContext can be used for operations with Tokens which would normally require PIN. Caller owns returned context and is responsible for release. + @field GetTokenIdentities Returns array of identities. Caller owns returned array and is reponsible for release. + @field GetTKTokenWatcher Returns TKTokenWatcher object. Caller owns returned context and is responsible for release. */ typedef struct AuthorizationCallbacks { 
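Review bot: The rewritten `@field GetLAContext` text now allows two results, a context with the `LACredentialCTKPIN` credential set or a context without credentials, but it does not say how a plug-in tells them apart. A plug-in written against the old wording ("Returns authenticated LAContext") could keep treating whatever comes back as authenticated. I would add a sentence such as `Callers must not assume the returned context holds a credential.` Separately, the new `@field GetTKTokenWatcher` line says "Caller owns returned context", which looks copied from the line above; `Caller owns returned object` matches what it returns.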
@@ -254,19 +255,25 @@ typedef struct AuthorizationCallbacks { userful for kSecUseAuthenticationContext for SecItem calls. Caller is responsible for outValue release */ OSStatus (*GetLAContext)(AuthorizationEngineRef inEngine, - CFTypeRef __nullable * __nullable outValue) __OSX_AVAILABLE_STARTING(__MAC_10_13, __PHONE_NA); + CFTypeRef __nullable * __nullable outValue) __OSX_AVAILABLE_STARTING(__MAC_10_13, __PHONE_NA); /* Available only on systems with callback version 2 or higher Returns array of available identities available on tokens. Each array item consists of two elements. The first one is SecIdentityRef and the second one is textual description of that identity - context parameter may contain CFTypeRef returned by GetLAContext. Returned identities - will contain PIN in such case so crypto operations won't display PIN prompt. + context parameter may contain CFTypeRef returned by GetLAContext. Caller is responsible for outValue release */ OSStatus (*GetTokenIdentities)(AuthorizationEngineRef inEngine, CFTypeRef context, CFArrayRef __nullable * __nullable outValue) __OSX_AVAILABLE_STARTING(__MAC_10_13, __PHONE_NA); + /* + Available only on systems with callback version 3 or higher + Constructs TKTokenWatcher object. + Caller is responsible for outValue release */ + OSStatus (*GetTKTokenWatcher)(AuthorizationEngineRef inEngine, + CFTypeRef __nullable * __nullable outValue) __OSX_AVAILABLE_STARTING(__MAC_10_13_4, __PHONE_NA); + } AuthorizationCallbacks; diff --git a/OSX/libsecurity_cdsa_utilities/lib/osxverifier.h b/OSX/libsecurity_cdsa_utilities/lib/osxverifier.h index 0703c57d..596e65b5 100644 --- a/OSX/libsecurity_cdsa_utilities/lib/osxverifier.h +++ b/OSX/libsecurity_cdsa_utilities/lib/osxverifier.h @@ -25,6 +25,7 @@ #include #include #include +#include #include #include #include diff --git a/OSX/libsecurity_cms/lib/CMSDecoder.cpp b/OSX/libsecurity_cms/lib/CMSDecoder.cpp index 83775b23..bcf4e5d6 100644 --- a/OSX/libsecurity_cms/lib/CMSDecoder.cpp 
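Review bot: The comment added for `GetTKTokenWatcher` in the AuthorizationPlugin.h hunk says it is "Available only on systems with callback version 3 or higher" but does not tell plug-in authors to check the version before reading the member. The pointer is appended at the end of `AuthorizationCallbacks`, so on a host that hands out a version 2 structure the member presumably lies past the end of what was filled in. I would extend the comment with `Check that the callbacks version is at least 3 before using this member.` and state what `outValue` holds when the call fails. The struct starts above the hunk.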
+++ b/OSX/libsecurity_cms/lib/CMSDecoder.cpp @@ -1003,8 +1003,8 @@ OSStatus CMSDecoderCopySignerAppleCodesigningHashAgility( int numContentInfos = 0; CFDataRef returnedValue = NULL; - require(cmsDecoder && hashAgilityAttrValue, xit); - require_noerr(CMSDecoderGetCmsMessage(cmsDecoder, &cmsg), xit); + require(cmsDecoder && hashAgilityAttrValue, exit); + require_noerr(CMSDecoderGetCmsMessage(cmsDecoder, &cmsg), exit); numContentInfos = SecCmsMessageContentLevelCount(cmsg); for (int dex = 0; !signedData && dex < numContentInfos; dex++) { @@ -1018,7 +1018,7 @@ OSStatus CMSDecoderCopySignerAppleCodesigningHashAgility( break; } } -xit: +exit: if (status == errSecSuccess && returnedValue) { *hashAgilityAttrValue = (CFDataRef) CFRetain(returnedValue); } else { 
@@ -1026,3 +1026,49 @@ xit: } return status; } + +/* + * Obtain the Hash Agility V2 attribute value of signer 'signerIndex' + * of a CMS message, if present. + * + * Returns errSecParam if the CMS message was not signed or if signerIndex + * is greater than the number of signers of the message minus one. + * + * This cannot be called until after CMSDecoderFinalizeMessage() is called. + */ +OSStatus CMSDecoderCopySignerAppleCodesigningHashAgilityV2( + CMSDecoderRef cmsDecoder, + size_t signerIndex, /* usually 0 */ + CFDictionaryRef CF_RETURNS_RETAINED *hashAgilityV2AttrValues) /* RETURNED */ +{ + OSStatus status = errSecParam; + SecCmsMessageRef cmsg; + SecCmsSignedDataRef signedData = NULL; + int numContentInfos = 0; + CFDictionaryRef returnedValue = NULL; + + require(cmsDecoder && hashAgilityV2AttrValues, exit); + require_noerr(CMSDecoderGetCmsMessage(cmsDecoder, &cmsg), exit); + numContentInfos = SecCmsMessageContentLevelCount(cmsg); + for (int dex = 0; !signedData && dex < numContentInfos; dex++) + { + SecCmsContentInfoRef ci = SecCmsMessageContentLevel(cmsg, dex); + SECOidTag tag = SecCmsContentInfoGetContentTypeTag(ci); + if (tag == SEC_OID_PKCS7_SIGNED_DATA) + if ((signedData = (SecCmsSignedDataRef)SecCmsContentInfoGetContent(ci))) { + SecCmsSignerInfoRef signerInfo = SecCmsSignedDataGetSignerInfo(signedData, (int)signerIndex); + if (signerInfo) + { + status = SecCmsSignerInfoGetAppleCodesigningHashAgilityV2(signerInfo, &returnedValue); + break; + } + } + } +exit: + if (status == errSecSuccess && returnedValue) { + *hashAgilityV2AttrValues = (CFDictionaryRef) CFRetain(returnedValue); + } else { + *hashAgilityV2AttrValues = NULL; + } + return status; +} diff --git a/OSX/libsecurity_cms/lib/CMSEncoder.cpp b/OSX/libsecurity_cms/lib/CMSEncoder.cpp index c3f43147..f8cb11be 100644 --- a/OSX/libsecurity_cms/lib/CMSEncoder.cpp +++ b/OSX/libsecurity_cms/lib/CMSEncoder.cpp 
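Review bot: `CMSDecoderCopySignerAppleCodesigningHashAgilityV2` dereferences its out-parameter on the very path that rejects it: when `hashAgilityV2AttrValues` is NULL, `require(cmsDecoder && hashAgilityV2AttrValues, exit)` jumps to `exit:` with `status == errSecParam`, and the `else` branch there executes `*hashAgilityV2AttrValues = NULL;`. The NULL check therefore ends in a NULL write rather than a clean `errSecParam` return. Guarding the branch fixes it: `} else if (hashAgilityV2AttrValues) {`. The `(int)signerIndex` cast also narrows a `size_t`, so a range check against `INT_MAX` before the cast would keep an oversized index from reaching `SecCmsSignedDataGetSignerInfo` as a negative value.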
@@ -98,6 +98,7 @@ struct _CMSEncoder { CMSCertificateChainMode chainMode; CFDataRef hashAgilityAttrValue; + CFDictionaryRef hashAgilityV2AttrValues; }; static void cmsEncoderInit(CFTypeRef enc); @@ -532,6 +533,16 @@ static OSStatus cmsSetupForSignedData( break; } } + if(cmsEncoder->signedAttributes & kCMSAttrAppleCodesigningHashAgilityV2) { + ortn = SecCmsSignerInfoAddAppleCodesigningHashAgilityV2(signerInfo, cmsEncoder->hashAgilityV2AttrValues); + /* libsecurity_smime made a copy of the attribute value. We don't need it anymore. */ + CFReleaseNull(cmsEncoder->hashAgilityV2AttrValues); + if(ortn) { + ortn = cmsRtnToOSStatus(ortn); + CSSM_PERROR("SecCmsSignerInfoAddAppleCodesigningHashAgilityV2", ortn); + break; + } + } ortn = SecCmsSignedDataAddSignerInfo(signedData, signerInfo); if(ortn) { @@ -1024,6 +1035,22 @@ OSStatus CMSEncoderSetAppleCodesigningHashAgility( return errSecSuccess; } +/* + * Set the hash agility attribute for a CMSEncoder. + * This is only used if the kCMSAttrAppleCodesigningHashAgilityV2 attribute + * is included. + */ +OSStatus CMSEncoderSetAppleCodesigningHashAgilityV2( + CMSEncoderRef cmsEncoder, + CFDictionaryRef hashAgilityV2AttrValues) +{ + if (cmsEncoder == NULL || cmsEncoder->encState != ES_Init) { + return errSecParam; + } + cmsEncoder->hashAgilityV2AttrValues = CFRetainSafe(hashAgilityV2AttrValues); + return errSecSuccess; +} + OSStatus CMSEncoderSetCertificateChainMode( CMSEncoderRef cmsEncoder, CMSCertificateChainMode chainMode) diff --git a/OSX/libsecurity_cms/lib/CMSEncoder.h b/OSX/libsecurity_cms/lib/CMSEncoder.h index 7bb5596c..a39bcbb9 100644 --- a/OSX/libsecurity_cms/lib/CMSEncoder.h +++ b/OSX/libsecurity_cms/lib/CMSEncoder.h @@ -266,7 +266,8 @@ typedef CF_OPTIONS(uint32_t, CMSSignedAttributes) { /* * Include the Apple Codesigning Hash Agility. */ - kCMSAttrAppleCodesigningHashAgility = 0x0010 + kCMSAttrAppleCodesigningHashAgility = 0x0010, + kCMSAttrAppleCodesigningHashAgilityV2 = 0x0020, }; /* 
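Review bot: In the `cmsSetupForSignedData` hunk, `CFReleaseNull(cmsEncoder->hashAgilityV2AttrValues)` runs right after the first `SecCmsSignerInfoAddAppleCodesigningHashAgilityV2` call, and the `break` on error suggests the block sits inside a per-signer loop that the hunk does not show. If so, every signer after the first is handed a NULL dictionary, and the same NULL reaches the callee when the `kCMSAttrAppleCodesigningHashAgilityV2` flag is set but the setter was never called. How the callee treats NULL is not visible here, so the signature could end up without the V2 digests. I would release the dictionary once after all signers are added and reject the missing value up front, e.g. `if (cmsEncoder->hashAgilityV2AttrValues == NULL) { ortn = errSecParam; break; }`. The function starts and ends outside the hunk.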
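Review bot: `CMSEncoderSetAppleCodesigningHashAgilityV2` overwrites `cmsEncoder->hashAgilityV2AttrValues` without releasing the previous value, so calling the setter twice leaks the first dictionary. Adding `CFReleaseNull(cmsEncoder->hashAgilityV2AttrValues);` before the assignment closes that. The value is also retained rather than copied, so a caller that passes a mutable dictionary can change the digests after the call and before signing; storing the result of `CFDictionaryCreateCopy` would pin them. None of the CMSEncoder.cpp hunks in this diff touches the encoder's finalizer, so unless that is handled elsewhere the dictionary also stays retained when an encoder is destroyed before signing.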
diff --git a/OSX/libsecurity_cms/lib/CMSPrivate.h b/OSX/libsecurity_cms/lib/CMSPrivate.h index b61296b2..8278dbf5 100644 --- a/OSX/libsecurity_cms/lib/CMSPrivate.h +++ b/OSX/libsecurity_cms/lib/CMSPrivate.h @@ -92,6 +92,18 @@ OSStatus CMSEncoderSetAppleCodesigningHashAgility( CMSEncoderRef cmsEncoder, CFDataRef hashAgilityAttrValue); +/* + * Set the hash agility attribute for a CMSEncoder. + * This is only used if the kCMSAttrAppleCodesigningHashAgilityV2 attribute + * is included. V2 encodes the hash agility values using DER. + * The dictionary should have CFNumberRef keys, corresponding to SECOidTags + * (from SecCmsBase.h) for digest algorithms, and CFDataRef values, + * corresponding to the digest value for that digest algorithm. + */ +OSStatus CMSEncoderSetAppleCodesigningHashAgilityV2( + CMSEncoderRef cmsEncoder, + CFDictionaryRef hashAgilityV2AttrValues); + void CmsMessageSetTSAContext(CMSEncoderRef cmsEncoder, CFTypeRef tsaContext); @@ -147,6 +159,20 @@ OSStatus CMSDecoderCopySignerAppleCodesigningHashAgility( CMSDecoderRef cmsDecoder, size_t signerIndex, /* usually 0 */ CFDataRef CF_RETURNS_RETAINED *hashAgilityAttrValue); /* RETURNED */ + +/* + * Obtain the Hash Agility v2 attribute value of signer 'signerIndex' + * of a CMS message, if present. V2 encodes the hash agility values using DER. + * + * Returns errSecParam if the CMS message was not signed or if signerIndex + * is greater than the number of signers of the message minus one. + * + * This cannot be called until after CMSDecoderFinalizeMessage() is called. + */ +OSStatus CMSDecoderCopySignerAppleCodesigningHashAgilityV2( + CMSDecoderRef cmsDecoder, + size_t signerIndex, /* usually 0 */ + CFDictionaryRef CF_RETURNS_RETAINED * hashAgilityAttrValues); /* RETURNED */ #ifdef __cplusplus } diff --git a/OSX/libsecurity_cms/libsecurity_cms.xcodeproj/project.pbxproj b/OSX/libsecurity_cms/libsecurity_cms.xcodeproj/project.pbxproj index 85031b83..93dc2f9c 100644 
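Review bot: In the second CMSPrivate.h hunk, the prototype names its out-parameter `hashAgilityAttrValues` while the definition in CMSDecoder.cpp uses `hashAgilityV2AttrValues`; one name in both places keeps the header and the implementation searchable together. The comment also leaves the shape of the returned dictionary and the value of the out-parameter on failure undocumented, although the encoder comment in the first hunk spells out the key and value types. I would add a line such as `On failure *hashAgilityV2AttrValues is set to NULL.` and, if the decoder mirrors the encoder, the same CFNumberRef-to-CFDataRef description.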
--- a/OSX/libsecurity_cms/libsecurity_cms.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_cms/libsecurity_cms.xcodeproj/project.pbxproj @@ -17,7 +17,7 @@ D43B9E7E1D064F0B00B9DDDA /* cms-trust-settings-test.c in Sources */ = {isa = PBXBuildFile; fileRef = D43B9E7C1D064F0B00B9DDDA /* cms-trust-settings-test.c */; }; D43B9E7F1D064F0B00B9DDDA /* cms-trust-settings-test.h in Headers */ = {isa = PBXBuildFile; fileRef = D43B9E7D1D064F0B00B9DDDA /* cms-trust-settings-test.h */; }; D4C334601BE2A2B900D8C1EF /* cms_regressions.h in Headers */ = {isa = PBXBuildFile; fileRef = D4C334571BE29F5200D8C1EF /* cms_regressions.h */; }; - D4C334631BE2A31200D8C1EF /* cms-hashagility-test.c in Sources */ = {isa = PBXBuildFile; fileRef = D4C334611BE2A31200D8C1EF /* cms-hashagility-test.c */; }; + D4C334631BE2A31200D8C1EF /* cms-hashagility-test.m in Sources */ = {isa = PBXBuildFile; fileRef = D4C334611BE2A31200D8C1EF /* cms-hashagility-test.m */; }; D4C334641BE2A31200D8C1EF /* cms-hashagility-test.h in Headers */ = {isa = PBXBuildFile; fileRef = D4C334621BE2A31200D8C1EF /* cms-hashagility-test.h */; }; /* End PBXBuildFile section */ 
@@ -38,7 +38,7 @@ D43B9E7D1D064F0B00B9DDDA /* cms-trust-settings-test.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = "cms-trust-settings-test.h"; path = "regressions/cms-trust-settings-test.h"; sourceTree = ""; }; D4C334571BE29F5200D8C1EF /* cms_regressions.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = cms_regressions.h; path = regressions/cms_regressions.h; sourceTree = ""; }; D4C3345C1BE2A2B100D8C1EF /* libsecurity_cms_regressions.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libsecurity_cms_regressions.a; sourceTree = BUILT_PRODUCTS_DIR; }; - D4C334611BE2A31200D8C1EF /* cms-hashagility-test.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "cms-hashagility-test.c"; path = "regressions/cms-hashagility-test.c"; sourceTree = ""; }; + D4C334611BE2A31200D8C1EF /* cms-hashagility-test.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "cms-hashagility-test.m"; path = "regressions/cms-hashagility-test.m"; sourceTree = ""; }; D4C334621BE2A31200D8C1EF /* cms-hashagility-test.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = "cms-hashagility-test.h"; path = "regressions/cms-hashagility-test.h"; sourceTree = ""; }; /* End PBXFileReference section */ @@ -111,7 +111,7 @@ D4C334571BE29F5200D8C1EF /* cms_regressions.h */, D43B9E7C1D064F0B00B9DDDA /* cms-trust-settings-test.c */, D43B9E7D1D064F0B00B9DDDA /* cms-trust-settings-test.h */, - D4C334611BE2A31200D8C1EF /* cms-hashagility-test.c */, + D4C334611BE2A31200D8C1EF /* cms-hashagility-test.m */, D4C334621BE2A31200D8C1EF /* cms-hashagility-test.h */, ); name = regressions; 
@@ -224,7 +224,7 @@ isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( - D4C334631BE2A31200D8C1EF /* cms-hashagility-test.c in Sources */, + D4C334631BE2A31200D8C1EF /* cms-hashagility-test.m in Sources */, D43B9E7E1D064F0B00B9DDDA /* cms-trust-settings-test.c in Sources */, ); runOnlyForDeploymentPostprocessing = 0; @@ -300,6 +300,7 @@ isa = XCBuildConfiguration; buildSettings = { ALWAYS_SEARCH_USER_PATHS = NO; + "ARCHS[sdk=macosx*]" = "$(ARCHS_STANDARD)"; CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; CLANG_CXX_LIBRARY = "libc++"; CLANG_ENABLE_OBJC_ARC = YES; @@ -326,9 +327,7 @@ GCC_WARN_UNUSED_FUNCTION = YES; GCC_WARN_UNUSED_VARIABLE = YES; MTL_ENABLE_DEBUG_INFO = YES; - ONLY_ACTIVE_ARCH = YES; PRODUCT_NAME = "$(TARGET_NAME)"; - SDKROOT = macosx.internal; }; name = Debug; }; @@ -336,6 +335,7 @@ isa = XCBuildConfiguration; buildSettings = { ALWAYS_SEARCH_USER_PATHS = NO; + "ARCHS[sdk=macosx*]" = "$(ARCHS_STANDARD)"; CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; CLANG_CXX_LIBRARY = "libc++"; CLANG_ENABLE_OBJC_ARC = YES; @@ -357,7 +357,6 @@ GCC_WARN_UNUSED_VARIABLE = YES; MTL_ENABLE_DEBUG_INFO = NO; PRODUCT_NAME = "$(TARGET_NAME)"; - SDKROOT = macosx.internal; }; name = Release; }; diff --git a/OSX/libsecurity_cms/regressions/cms-hashagility-test.h b/OSX/libsecurity_cms/regressions/cms-hashagility-test.h index 27bf5ee3..f58da959 100644 --- a/OSX/libsecurity_cms/regressions/cms-hashagility-test.h +++ b/OSX/libsecurity_cms/regressions/cms-hashagility-test.h 
@@ -324,6 +324,14 @@ uint8_t attribute[32] = { 0x87, 0xa0, 0x4e, 0x80, 0xf4, 0xf3, 0x5d, 0xd2, 0x68, 0x08, 0x58, 0xe6 }; +/* Random data for hash agility V2 attribute */ +unsigned char _attributev2[64] = { + 0x28, 0x4f, 0x7f, 0xf5, 0xf8, 0x14, 0x80, 0xa6, 0x6b, 0x37, 0x44, 0xeb, 0xed, 0x1e, 0xf1, 0x3d, + 0x35, 0x4e, 0x02, 0x21, 0xdc, 0x26, 0x61, 0x33, 0x71, 0x57, 0x18, 0xc7, 0xdd, 0xc2, 0x50, 0xbf, + 0xfc, 0x9d, 0x6f, 0x8e, 0x8b, 0xe2, 0x3d, 0x1d, 0x41, 0xbf, 0xe6, 0xd1, 0x7a, 0xc9, 0x3f, 0xc9, + 0x4d, 0xdd, 0x38, 0x35, 0xbd, 0xdf, 0x98, 0x95, 0x0a, 0x00, 0xc6, 0x6d, 0x30, 0xe2, 0x37, 0x3b +}; + /* Valid CMS message on content with hash agility attribute */ uint8_t valid_message[] = { 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 
@@ -837,4 +845,176 @@ unsigned char valid_no_attr[] = { 0x00 }; +unsigned char _V2_valid_message[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, + 0x80, 0x02, 0x01, 0x01, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x07, 0x01, 0x00, 0x00, 0xa0, 0x82, 0x06, 0xb4, 0x30, 0x82, 0x06, 0xb0, 0x30, 0x82, 0x04, 0x98, + 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xdd, 0x3f, 0x19, 0x90, 0xd8, 0x99, 0xba, 0x86, + 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, + 0x81, 0x96, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, + 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, + 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, 0x43, + 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, + 0x0a, 0x13, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, + 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, + 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, + 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x18, + 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0f, 0x43, 0x4d, 0x53, 0x20, 0x54, 0x65, 0x73, + 0x74, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x65, 0x72, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x35, 0x31, 0x30, + 0x32, 0x39, 0x32, 0x31, 0x35, 0x35, 0x35, 0x38, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x30, 0x32, + 0x38, 0x32, 0x31, 0x35, 0x35, 0x35, 0x38, 0x5a, 0x30, 0x81, 0x96, 0x31, 0x0b, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, + 0x08, 0x13, 0x0a, 0x43, 0x61, 
0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, + 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, + 0x6f, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0b, 0x41, 0x70, 0x70, 0x6c, + 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, + 0x13, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, + 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, + 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x13, 0x0f, 0x43, 0x4d, 0x53, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x65, + 0x72, 0x30, 0x82, 0x02, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x02, 0x0f, 0x00, 0x30, 0x82, 0x02, 0x0a, 0x02, 0x82, 0x02, + 0x01, 0x00, 0xc4, 0x2a, 0x38, 0x4b, 0xdd, 0x1c, 0xc7, 0x39, 0x47, 0xba, 0xbc, 0x5d, 0xd2, 0xcc, + 0x6e, 0x9e, 0x2c, 0x81, 0x26, 0x18, 0x59, 0x18, 0xb8, 0x45, 0x0c, 0xde, 0x5b, 0xbc, 0x25, 0xa4, + 0x78, 0x0b, 0x16, 0x3d, 0x3d, 0x10, 0x34, 0x48, 0xcf, 0x1f, 0x40, 0xaa, 0x4b, 0xb5, 0xbc, 0xf0, + 0x81, 0x5e, 0xa8, 0x72, 0xed, 0x6a, 0x8c, 0xf0, 0x4a, 0x9a, 0x80, 0x09, 0x3b, 0x89, 0xed, 0xad, + 0x2b, 0xb5, 0x5b, 0x0f, 0xe4, 0x3f, 0x6b, 0xc5, 0x15, 0x33, 0x5e, 0xdd, 0xa4, 0xac, 0x2f, 0xa5, + 0x13, 0x0f, 0x3c, 0xfc, 0xd8, 0xca, 0xb8, 0x88, 0x67, 0x75, 0xc4, 0x9a, 0x4c, 0x18, 0x9a, 0x38, + 0x68, 0xaa, 0x4c, 0x94, 0x35, 0xed, 0xa4, 0x0b, 0x80, 0x2b, 0xa9, 0x4d, 0xa4, 0x57, 0x22, 0xfc, + 0xd2, 0xc3, 0x12, 0x0b, 0x8a, 0x3c, 0xd7, 0x6d, 0x8b, 0x47, 0x4f, 0x24, 0xe5, 0xea, 0x1b, 0x03, + 0x78, 0xa2, 0x12, 0x36, 0x3f, 0x92, 0x16, 0x36, 0xff, 0xc5, 0xaf, 0xc3, 0xec, 0x4b, 0x6c, 0x23, + 0x04, 0x1b, 0xa9, 0xce, 0x3a, 0xa1, 0xa5, 0xe0, 0x54, 0x13, 0x43, 0x13, 0x29, 0x95, 0x5b, 0xcb, + 0x97, 0x74, 0x01, 0xbc, 0x3c, 0xb8, 0xa1, 0xb0, 0xf3, 0x3c, 0xfa, 
0x21, 0x7a, 0x89, 0x90, 0x2b, + 0x1f, 0x20, 0x3f, 0xc1, 0x22, 0xda, 0x8d, 0xa5, 0x30, 0x57, 0x6d, 0xd4, 0x40, 0x99, 0x08, 0x0d, + 0xef, 0x36, 0x16, 0xa6, 0xec, 0xcf, 0x26, 0x78, 0x7c, 0x77, 0x7e, 0x50, 0x2a, 0xe3, 0xdf, 0x28, + 0xff, 0xd0, 0xc7, 0x0e, 0x8b, 0x6b, 0x56, 0x62, 0x53, 0x37, 0x5a, 0x1a, 0x85, 0x50, 0xec, 0x6a, + 0x6b, 0x2e, 0xd1, 0x35, 0x6e, 0x5d, 0x92, 0x30, 0x39, 0x82, 0x40, 0x7b, 0x6d, 0x89, 0x5b, 0x4d, + 0x30, 0x6d, 0x2e, 0x68, 0x16, 0x24, 0x63, 0x32, 0x24, 0xdc, 0x3e, 0x5b, 0x4a, 0xc4, 0x41, 0xfc, + 0x76, 0x07, 0xe6, 0xa3, 0x1b, 0x18, 0xec, 0x59, 0xed, 0x13, 0x0b, 0x2d, 0xe9, 0x86, 0x89, 0x2c, + 0x0a, 0xb0, 0x19, 0x97, 0x4d, 0x1b, 0xfb, 0xd4, 0xef, 0x54, 0xcd, 0xe5, 0xb2, 0x22, 0x70, 0x3a, + 0x50, 0x03, 0xaa, 0xc0, 0xf8, 0xb4, 0x8e, 0x16, 0xd8, 0x2a, 0xc1, 0xd1, 0x2d, 0xa0, 0x27, 0x59, + 0x63, 0x70, 0xc3, 0x74, 0x14, 0xee, 0xde, 0xa9, 0xd9, 0x73, 0xdb, 0x16, 0x6d, 0xef, 0x7f, 0x50, + 0xb6, 0xd2, 0x54, 0x0d, 0x4d, 0x31, 0x5f, 0x23, 0x2c, 0xfd, 0x8f, 0x67, 0x7c, 0xe9, 0xaa, 0x1c, + 0x29, 0xf5, 0x83, 0x1b, 0x2b, 0x0e, 0x66, 0x0e, 0x5c, 0xfe, 0xc9, 0x38, 0xb0, 0x90, 0xfa, 0x31, + 0x4c, 0xb1, 0xef, 0xea, 0xd0, 0x47, 0x17, 0xde, 0x45, 0xc1, 0x93, 0xef, 0xba, 0xde, 0x9f, 0x69, + 0xc7, 0xa6, 0x14, 0x23, 0xb1, 0x8b, 0xaa, 0xbf, 0x61, 0x37, 0x57, 0x11, 0x6a, 0xb2, 0xf7, 0xec, + 0x52, 0x7e, 0x65, 0x80, 0xff, 0xa1, 0xa8, 0x20, 0x7e, 0x0b, 0xae, 0x21, 0xfa, 0xe8, 0x20, 0x52, + 0x93, 0xc5, 0xe9, 0x39, 0x5b, 0x8e, 0xab, 0xef, 0x86, 0xa6, 0xd8, 0x43, 0x7e, 0xa9, 0x5c, 0x6d, + 0x91, 0xd8, 0x5c, 0xa4, 0x2a, 0xed, 0x26, 0xa8, 0x1b, 0xaa, 0x3b, 0xfa, 0x86, 0x75, 0x37, 0xc6, + 0x70, 0x12, 0x2b, 0x8c, 0x55, 0x96, 0x76, 0x04, 0xf6, 0xe3, 0xf9, 0xe2, 0x0d, 0x2e, 0xe0, 0x23, + 0xdf, 0xfa, 0xe0, 0x9c, 0x11, 0xf9, 0xd4, 0x51, 0x05, 0xed, 0x2b, 0x3f, 0xa3, 0x3f, 0xa2, 0xe6, + 0x30, 0x81, 0x17, 0x00, 0x8f, 0x15, 0x91, 0xfb, 0x21, 0x62, 0xf4, 0xff, 0x93, 0x1a, 0x2e, 0xfe, + 0x1a, 0xcb, 0x93, 0x3d, 0xd4, 0x6e, 0x3a, 0xb8, 0x70, 0xdf, 0x93, 0xb4, 0x02, 0xc4, 0x8c, 0x54, + 0x92, 
0xde, 0xa7, 0x32, 0x65, 0x1c, 0x85, 0x95, 0x34, 0xf8, 0x8d, 0x06, 0x5b, 0x7d, 0x72, 0x00, + 0xd8, 0x31, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0xfe, 0x30, 0x81, 0xfb, 0x30, 0x1d, 0x06, + 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xee, 0x16, 0xde, 0xfd, 0x11, 0xd3, 0x88, 0xfb, + 0xef, 0xfb, 0x19, 0x23, 0x8a, 0x23, 0x85, 0x7b, 0xe8, 0x41, 0x26, 0xa1, 0x30, 0x81, 0xcb, 0x06, + 0x03, 0x55, 0x1d, 0x23, 0x04, 0x81, 0xc3, 0x30, 0x81, 0xc0, 0x80, 0x14, 0xee, 0x16, 0xde, 0xfd, + 0x11, 0xd3, 0x88, 0xfb, 0xef, 0xfb, 0x19, 0x23, 0x8a, 0x23, 0x85, 0x7b, 0xe8, 0x41, 0x26, 0xa1, + 0xa1, 0x81, 0x9c, 0xa4, 0x81, 0x99, 0x30, 0x81, 0x96, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, + 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, + 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, + 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, + 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, + 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x25, + 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, + 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, + 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0f, + 0x43, 0x4d, 0x53, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x65, 0x72, 0x82, + 0x09, 0x00, 0xdd, 0x3f, 0x19, 0x90, 0xd8, 0x99, 0xba, 0x86, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, + 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x0c, 0x0f, 0x08, 0x79, + 0x6f, 0x56, 0x21, 0xdf, 0xdd, 0xf5, 0x97, 0x8d, 0xdc, 0x97, 0x06, 0xfb, 0x2e, 0xe0, 0x21, 0x60, + 0xc3, 0x02, 0xf4, 0x41, 0x79, 0x79, 0xc2, 
0x23, 0x9a, 0x8a, 0x54, 0x2e, 0x66, 0xab, 0xc0, 0x21, + 0xf6, 0x9f, 0xc5, 0x2e, 0x41, 0xb8, 0xa3, 0x32, 0x9f, 0x3d, 0x4e, 0xf4, 0x83, 0xee, 0xcc, 0x60, + 0xf6, 0x82, 0x3d, 0xb4, 0xa9, 0x9d, 0xcd, 0xa0, 0x02, 0x89, 0xb0, 0x32, 0x1b, 0xb5, 0x7c, 0xf4, + 0x8f, 0xbc, 0x9b, 0x24, 0xc2, 0xe2, 0x81, 0xd6, 0x6f, 0x0e, 0x22, 0x5e, 0x50, 0xd9, 0x5b, 0x2e, + 0x89, 0xbf, 0xa4, 0xfe, 0xa8, 0xc2, 0x9a, 0xf4, 0xec, 0x70, 0x66, 0x01, 0x4b, 0x50, 0x30, 0x97, + 0x0a, 0xcc, 0x9f, 0xac, 0xe4, 0x89, 0x1c, 0x8d, 0x88, 0x0d, 0xdb, 0x21, 0xbd, 0x2f, 0x24, 0x8e, + 0x83, 0xf9, 0xe6, 0x71, 0xed, 0x71, 0x26, 0x31, 0x99, 0x9d, 0x04, 0xeb, 0x34, 0xea, 0x6d, 0x65, + 0xb8, 0x02, 0x83, 0x57, 0x78, 0x36, 0x3a, 0x0b, 0xc7, 0x41, 0x63, 0xb5, 0xf6, 0x1c, 0xd2, 0x01, + 0x86, 0x04, 0x58, 0x40, 0x3e, 0x91, 0x98, 0x39, 0x72, 0x75, 0x11, 0xca, 0x14, 0x73, 0x90, 0x34, + 0x8b, 0x21, 0xa4, 0xd0, 0xba, 0xe7, 0x33, 0x03, 0x22, 0x0f, 0x1a, 0xf7, 0x10, 0x2b, 0x69, 0x4c, + 0x73, 0xef, 0x04, 0x18, 0xf9, 0xe1, 0x11, 0xa8, 0xb8, 0x1b, 0x57, 0x0b, 0x03, 0x10, 0x1c, 0xce, + 0x13, 0xca, 0xe4, 0xde, 0x8c, 0xf4, 0xcf, 0xf5, 0xb7, 0x80, 0x3e, 0xbc, 0x1f, 0x51, 0x9b, 0x20, + 0x8c, 0xb0, 0x2d, 0x67, 0x1c, 0x84, 0x25, 0x4c, 0x8b, 0xd3, 0xa7, 0x09, 0x8e, 0x60, 0xe2, 0x99, + 0x0d, 0x10, 0x12, 0x14, 0xfc, 0x17, 0x62, 0x69, 0xcd, 0xa4, 0x64, 0xf0, 0x7e, 0xba, 0xe0, 0xc9, + 0x51, 0x78, 0xf8, 0xb4, 0x0d, 0x7d, 0xb8, 0xa0, 0xee, 0x9c, 0x9e, 0x84, 0xd5, 0xa4, 0x02, 0xe5, + 0x7a, 0x1c, 0x65, 0xe1, 0x20, 0xfb, 0x4d, 0x61, 0x7a, 0x47, 0x25, 0x06, 0x95, 0x17, 0x62, 0x60, + 0x4b, 0x0b, 0xc6, 0xca, 0xa7, 0x35, 0x8f, 0xd4, 0x63, 0x3e, 0x5e, 0x92, 0x1a, 0x08, 0x7c, 0x6b, + 0x15, 0x41, 0x95, 0x76, 0x7d, 0x39, 0x28, 0xec, 0x3e, 0x1f, 0x49, 0xd5, 0xd5, 0x89, 0xf9, 0x5f, + 0x14, 0x02, 0x2f, 0x27, 0xb0, 0x39, 0xba, 0xf7, 0x91, 0x53, 0x75, 0x77, 0xab, 0x88, 0x40, 0x1d, + 0x77, 0xaf, 0x79, 0xfd, 0xdc, 0xac, 0x99, 0x82, 0xf2, 0x46, 0x05, 0x97, 0x60, 0xef, 0x7b, 0xf5, + 0x34, 0x38, 0xbf, 0xd7, 0x42, 0x3e, 0x8b, 0x5a, 0x4a, 0x0c, 0x22, 0x7e, 0x4d, 
0x4e, 0xf6, 0xf7, + 0xcc, 0x6e, 0x31, 0x33, 0x1a, 0x84, 0xbe, 0x07, 0xf7, 0xe8, 0xe2, 0x43, 0x00, 0x54, 0x4a, 0x38, + 0xda, 0x98, 0xe3, 0x84, 0xb2, 0xd0, 0x76, 0x79, 0x94, 0x11, 0x7e, 0xa8, 0xca, 0x56, 0xa0, 0xfd, + 0x4b, 0xba, 0x7c, 0x0a, 0xa4, 0x34, 0x01, 0xad, 0xf4, 0x37, 0x4f, 0x38, 0x33, 0x9f, 0x71, 0xdc, + 0xc4, 0x4c, 0x96, 0xb0, 0x8a, 0x86, 0xe5, 0x8d, 0xd2, 0x44, 0xe3, 0x18, 0xcb, 0x81, 0xa6, 0x7c, + 0xaf, 0x8e, 0xfb, 0x41, 0x6e, 0xc5, 0x82, 0xf0, 0x51, 0xb7, 0x0f, 0x23, 0x9b, 0x77, 0xed, 0x9a, + 0x06, 0x6b, 0x77, 0x7c, 0x8e, 0xc4, 0xdf, 0x50, 0xa0, 0xd2, 0x81, 0x3e, 0x65, 0xbe, 0xe5, 0x51, + 0x79, 0x93, 0x24, 0x8e, 0xb3, 0xb5, 0x25, 0x48, 0x76, 0x0e, 0x75, 0x94, 0xef, 0x9a, 0x9d, 0xc7, + 0x95, 0x08, 0xca, 0x35, 0x6b, 0x73, 0xbc, 0x4b, 0x93, 0x7a, 0x93, 0x55, 0x2d, 0xe4, 0x5f, 0xcf, + 0x11, 0x31, 0x94, 0xb2, 0x5a, 0x05, 0x80, 0xd7, 0x59, 0x79, 0x14, 0x8a, 0x2a, 0xb9, 0xd7, 0x3d, + 0x33, 0x69, 0xa9, 0xab, 0xaa, 0xb8, 0x4c, 0x73, 0xb6, 0x71, 0x2c, 0x6f, 0x31, 0x82, 0x03, 0x99, + 0x30, 0x82, 0x03, 0x95, 0x02, 0x01, 0x01, 0x30, 0x81, 0xa4, 0x30, 0x81, 0x96, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, + 0x55, 0x04, 0x08, 0x13, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, + 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, + 0x69, 0x6e, 0x6f, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0b, 0x41, 0x70, + 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, + 0x04, 0x0b, 0x13, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, + 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, + 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, + 0x04, 0x03, 0x13, 0x0f, 0x43, 0x4d, 0x53, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x53, 0x69, 0x67, + 0x6e, 0x65, 0x72, 
0x02, 0x09, 0x00, 0xdd, 0x3f, 0x19, 0x90, 0xd8, 0x99, 0xba, 0x86, 0x30, 0x0d, + 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0xa0, 0x81, 0xc6, + 0x30, 0x18, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x03, 0x31, 0x0b, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1c, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x05, 0x31, 0x0f, 0x17, 0x0d, 0x31, 0x37, 0x31, 0x30, 0x32, + 0x36, 0x30, 0x38, 0x34, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x2f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x09, 0x04, 0x31, 0x22, 0x04, 0x20, 0x30, 0x9e, 0x11, 0x91, 0x83, 0x14, 0xd8, + 0xb9, 0xd6, 0x24, 0x8e, 0x04, 0x7e, 0x31, 0xa7, 0x66, 0xf7, 0x3c, 0x96, 0xc6, 0x23, 0x60, 0x2e, + 0xec, 0x9e, 0x0c, 0xda, 0xab, 0x25, 0x58, 0x02, 0xf2, 0x30, 0x5b, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x63, 0x64, 0x09, 0x02, 0x31, 0x4e, 0x30, 0x2d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, + 0x65, 0x03, 0x04, 0x02, 0x01, 0x04, 0x20, 0xfc, 0x9d, 0x6f, 0x8e, 0x8b, 0xe2, 0x3d, 0x1d, 0x41, + 0xbf, 0xe6, 0xd1, 0x7a, 0xc9, 0x3f, 0xc9, 0x4d, 0xdd, 0x38, 0x35, 0xbd, 0xdf, 0x98, 0x95, 0x0a, + 0x00, 0xc6, 0x6d, 0x30, 0xe2, 0x37, 0x3b, 0x30, 0x1d, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, + 0x04, 0x14, 0x28, 0x4f, 0x7f, 0xf5, 0xf8, 0x14, 0x80, 0xa6, 0x6b, 0x37, 0x44, 0xeb, 0xed, 0x1e, + 0xf1, 0x3d, 0x35, 0x4e, 0x02, 0x21, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x02, 0x00, 0x7c, 0x31, 0x1c, 0x96, 0xbd, 0x0a, 0xe5, + 0x47, 0xab, 0xa0, 0xb4, 0x29, 0x0f, 0x3e, 0xe7, 0x7a, 0x81, 0x87, 0x7e, 0x04, 0x30, 0xf3, 0x95, + 0xe7, 0x54, 0x68, 0xe9, 0x97, 0xae, 0xdc, 0x5a, 0x5d, 0x52, 0xc8, 0x82, 0x27, 0x3b, 0x0a, 0x7c, + 0xe1, 0x69, 0x2f, 0x46, 0x8d, 0xca, 0x77, 0xf3, 0xbf, 0x68, 0xd3, 0xda, 0xcb, 0xb3, 0x11, 0x93, + 0x81, 0x37, 0x22, 0x42, 0xbd, 0x6a, 0x55, 0x02, 0xe7, 0x85, 0x4c, 0x09, 0x5a, 0x02, 0x73, 0x98, + 0xdd, 0x7c, 0x03, 0x00, 0x53, 0xd2, 0x2e, 0x0a, 0x6f, 
0x51, 0x8e, 0x95, 0x24, 0xdd, 0x32, 0x9c, + 0x4a, 0x22, 0x38, 0x7f, 0x65, 0x49, 0x17, 0xeb, 0x43, 0x0b, 0xbe, 0x8d, 0x14, 0xdc, 0xde, 0x48, + 0x74, 0x16, 0xbf, 0xe8, 0xed, 0x34, 0x67, 0x62, 0xca, 0x64, 0x57, 0xc4, 0x61, 0xf7, 0xf7, 0xfb, + 0xf2, 0xd0, 0xd1, 0xfd, 0x2e, 0x05, 0xe7, 0xd7, 0x99, 0x75, 0xa8, 0x76, 0x4e, 0xd4, 0x22, 0x67, + 0x2d, 0x34, 0xf6, 0x71, 0x48, 0x4f, 0x78, 0x8e, 0xe1, 0xb9, 0x55, 0x4d, 0x55, 0x87, 0x08, 0xc9, + 0xab, 0xbd, 0xb8, 0x87, 0x2c, 0x27, 0xef, 0x89, 0x93, 0x9c, 0xc0, 0xc1, 0xec, 0x89, 0x0f, 0xc2, + 0xe3, 0x55, 0x6a, 0x1d, 0xd9, 0x96, 0x1d, 0xa4, 0xdf, 0x50, 0x3d, 0x36, 0x25, 0x3e, 0xd4, 0x3e, + 0x1f, 0x44, 0x97, 0xe0, 0x46, 0xe7, 0xb7, 0x81, 0x7d, 0xc3, 0xd5, 0x36, 0xe7, 0x04, 0x34, 0xab, + 0x60, 0x27, 0xc9, 0x00, 0xdd, 0xfa, 0x7c, 0x32, 0x90, 0xa1, 0x62, 0xe4, 0x51, 0x8f, 0x54, 0x81, + 0xa6, 0x5c, 0xcd, 0xaf, 0x3b, 0xb7, 0x12, 0xa6, 0x87, 0x0a, 0x36, 0x5d, 0xc9, 0x77, 0xc3, 0x50, + 0xc6, 0x97, 0x14, 0x43, 0x36, 0x20, 0x6f, 0x40, 0xb3, 0x1f, 0x50, 0x87, 0x24, 0x47, 0x79, 0x93, + 0x9a, 0xc1, 0x61, 0x83, 0xae, 0xc8, 0x00, 0x56, 0x3c, 0x5b, 0x5f, 0xbb, 0x9b, 0xdf, 0x75, 0xea, + 0xc2, 0x3d, 0xf1, 0xd7, 0x26, 0xe5, 0x6b, 0xa1, 0x75, 0x01, 0x0a, 0x3f, 0xae, 0x43, 0x37, 0xdd, + 0xbf, 0x7a, 0x83, 0xa1, 0xb6, 0xc2, 0xb7, 0x2b, 0xda, 0x99, 0xa6, 0x75, 0xb8, 0xc6, 0xf0, 0xc4, + 0x6b, 0x6a, 0xe4, 0xda, 0xac, 0xab, 0x7c, 0xef, 0x6f, 0x7c, 0x73, 0xca, 0x22, 0x33, 0xdd, 0xee, + 0x05, 0xfc, 0x05, 0x90, 0xc5, 0x3f, 0xdd, 0xa6, 0x6f, 0x5b, 0x2d, 0xaf, 0x99, 0x89, 0x93, 0xf0, + 0xfa, 0xb0, 0x8e, 0xcf, 0x39, 0xf1, 0x03, 0xfe, 0x0c, 0x8a, 0x6d, 0x30, 0x6c, 0x2b, 0x67, 0x84, + 0x60, 0x2d, 0x98, 0x80, 0x6c, 0xa7, 0x3e, 0x44, 0xda, 0x44, 0x42, 0x22, 0x7d, 0xcc, 0x43, 0x1c, + 0x7a, 0x89, 0x8c, 0xa0, 0x07, 0xd0, 0x08, 0x45, 0xe0, 0x18, 0x6b, 0x58, 0xb1, 0x66, 0x49, 0x97, + 0xdd, 0xde, 0xa2, 0x73, 0xaf, 0x55, 0xdc, 0x9f, 0xe6, 0x82, 0x67, 0xdf, 0x14, 0x29, 0x90, 0x1a, + 0x00, 0xa8, 0x0a, 0x59, 0xa0, 0xef, 0x97, 0x3d, 0x09, 0x54, 0x0c, 0xe4, 0xa8, 0x3b, 0xdd, 
0x08, + 0xb0, 0x9e, 0x48, 0x93, 0xa7, 0xea, 0xaa, 0xe2, 0x55, 0xca, 0x1b, 0xe8, 0xb0, 0x25, 0xa4, 0xf4, + 0x79, 0xad, 0x03, 0xe1, 0xa3, 0xb9, 0x9a, 0x27, 0x12, 0xe5, 0xe8, 0x08, 0x28, 0x36, 0xb2, 0x93, + 0x3a, 0xf8, 0x45, 0x38, 0xea, 0xd7, 0x2f, 0xa7, 0x37, 0xd1, 0xcf, 0x35, 0xef, 0xaf, 0x51, 0x76, + 0xc3, 0xf9, 0x9a, 0xc8, 0x7c, 0x17, 0x00, 0x48, 0xa0, 0x16, 0x10, 0x1c, 0x3f, 0xeb, 0xca, 0xa0, + 0xb5, 0xb7, 0x0b, 0xc1, 0xb8, 0xcf, 0x3a, 0xbd, 0xeb, 0xab, 0x1a, 0xf7, 0x00, 0x78, 0x34, 0xbd, + 0xe0, 0xfd, 0xc4, 0x8e, 0x51, 0x2e, 0x2e, 0x45, 0x18, 0x5e, 0x87, 0x33, 0xbb, 0x26, 0x71, 0x3f, + 0xad, 0x79, 0xc5, 0x60, 0x9c, 0xda, 0xc3, 0xff, 0x5a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + #endif /* cms_hashagility_test_h */ diff --git a/OSX/libsecurity_cms/regressions/cms-hashagility-test.c b/OSX/libsecurity_cms/regressions/cms-hashagility-test.m similarity index 50% rename from OSX/libsecurity_cms/regressions/cms-hashagility-test.c rename to OSX/libsecurity_cms/regressions/cms-hashagility-test.m index 80e9779a..7657edc7 100644 --- a/OSX/libsecurity_cms/regressions/cms-hashagility-test.c +++ b/OSX/libsecurity_cms/regressions/cms-hashagility-test.m @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015 Apple Inc. All Rights Reserved. + * Copyright (c) 2015-2017 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -21,7 +21,8 @@ * @APPLE_LICENSE_HEADER_END@ */ -#include "cms-hashagility-test.h" +#import +#include #include #include @@ -35,6 +36,8 @@ #include #include +#include "cms-hashagility-test.h" + #define TMP_KEYCHAIN_PATH "/tmp/cms_signer.keychain" /* encode test */ 
@@ -219,14 +222,201 @@ static void decode_no_attr_test(void) CFReleaseNull(attrValue); } -int cms_hash_agility_test(int argc, char *const *argv) -{ - plan_tests(24+13+8+10); - +static void macOS_shim_tests(void) { encode_test(); decode_positive_test(); decode_negative_test(); decode_no_attr_test(); +} + +static void encode_V2_test(void) { + CMSEncoderRef encoder = NULL; + CMSDecoderRef decoder = NULL; + NSData *p12Data = nil; + CFArrayRef tmp_imported_items = NULL; + NSArray *imported_items = nil; + SecIdentityRef identity = NULL; + CFDataRef message = NULL; + NSDictionary *attrValues = nil, *options = @{ (__bridge NSString *)kSecImportExportPassphrase : @"password" }; + + /* Create encoder */ + require_noerr_string(CMSEncoderCreate(&encoder), exit, "Failed to create CMS encoder"); + require_noerr_string(CMSEncoderSetSignerAlgorithm(encoder, kCMSEncoderDigestAlgorithmSHA256), exit, + "Failed to set digest algorithm to SHA256"); + + /* Load identity and set as signer */ + p12Data = [NSData dataWithBytes:signing_identity_p12 length:sizeof(signing_identity_p12)]; + require_noerr_string(SecPKCS12Import((__bridge CFDataRef)p12Data, (__bridge CFDictionaryRef)options, + &tmp_imported_items), exit, + "Failed to import identity"); + imported_items = CFBridgingRelease(tmp_imported_items); + require_noerr_string([imported_items count] == 0 && + [imported_items[0] isKindOfClass:[NSDictionary class]], exit, + "Wrong imported items output"); + identity = (SecIdentityRef)CFBridgingRetain(imported_items[0][(__bridge NSString*)kSecImportItemIdentity]); + require_string(identity, exit, "Failed to get identity"); + require_noerr_string(CMSEncoderAddSigners(encoder, identity), exit, "Failed to add signer identity"); + + /* Add signing time attribute for 26 October 2017 */ + require_noerr_string(CMSEncoderAddSignedAttributes(encoder, kCMSAttrSigningTime), exit, + "Failed to set signing time flag"); + require_noerr_string(CMSEncoderSetSigningTime(encoder, 530700000.0), exit, "Failed to 
set signing time"); + + /* Add hash agility attribute */ + attrValues = @{ @(SEC_OID_SHA1) : [NSData dataWithBytes:_attributev2 length:20], + @(SEC_OID_SHA256) : [NSData dataWithBytes:(_attributev2 + 32) length:32], + }; + ok_status(CMSEncoderAddSignedAttributes(encoder, kCMSAttrAppleCodesigningHashAgilityV2), + "Set hash agility flag"); + ok_status(CMSEncoderSetAppleCodesigningHashAgilityV2(encoder, (__bridge CFDictionaryRef)attrValues), + "Set hash agility data"); + + /* Load content */ + require_noerr_string(CMSEncoderSetHasDetachedContent(encoder, true), exit, "Failed to set detached content"); + require_noerr_string(CMSEncoderUpdateContent(encoder, content, sizeof(content)), exit, "Failed to set content"); + + /* output cms message */ + ok_status(CMSEncoderCopyEncodedContent(encoder, &message), "Finish encoding and output message"); + isnt(message, NULL, "Encoded message exists"); + + /* decode message */ + require_noerr_string(CMSDecoderCreate(&decoder), exit, "Create CMS decoder"); + require_noerr_string(CMSDecoderUpdateMessage(decoder, CFDataGetBytePtr(message), + CFDataGetLength(message)), exit, + "Update decoder with CMS message"); + require_noerr_string(CMSDecoderSetDetachedContent(decoder, (__bridge CFDataRef)[NSData dataWithBytes:content + length:sizeof(content)]), + exit, "Set detached content"); + ok_status(CMSDecoderFinalizeMessage(decoder), "Finalize decoder"); + +exit: + CFReleaseNull(encoder); + CFReleaseNull(identity); + CFReleaseNull(message); + CFReleaseNull(decoder); +} + +/* macOS shim test - decode positive */ +static void decode_V2_positive_test(void) { + CMSDecoderRef decoder = NULL; + SecPolicyRef policy = NULL; + SecTrustRef trust = NULL; + CMSSignerStatus signerStatus; + NSData *contentData = nil; + CFDictionaryRef tmpAttrValue = NULL; + NSDictionary *attrValue = nil; + + /* Create decoder and decode */ + require_noerr_string(CMSDecoderCreate(&decoder), exit, "Failed to create CMS decoder"); + 
require_noerr_string(CMSDecoderUpdateMessage(decoder, _V2_valid_message, sizeof(_V2_valid_message)), exit, + "Failed to update decoder with CMS message"); + contentData = [NSData dataWithBytes:content length:sizeof(content)]; + require_noerr_string(CMSDecoderSetDetachedContent(decoder, (__bridge CFDataRef)contentData), exit, + "Failed to set detached content"); + ok_status(CMSDecoderFinalizeMessage(decoder), "Finalize decoder"); + + /* Get signer status */ + require_string(policy = SecPolicyCreateBasicX509(), exit, "Failed to Create policy"); + ok_status(CMSDecoderCopySignerStatus(decoder, 0, policy, false, &signerStatus, &trust, NULL), + "Copy Signer status"); + is(signerStatus, kCMSSignerValid, "Valid signature"); + + /* Get Hash Agility Attribute value */ + ok_status(CMSDecoderCopySignerAppleCodesigningHashAgilityV2(decoder, 0, &tmpAttrValue), + "Copy hash agility attribute value"); + attrValue = CFBridgingRelease(tmpAttrValue); + ok([attrValue[@(SEC_OID_SHA1)] isEqualToData:[NSData dataWithBytes:_attributev2 length:20]], + "Got wrong SHA1 agility value"); + ok([attrValue[@(SEC_OID_SHA256)] isEqualToData:[NSData dataWithBytes:(_attributev2+32) length:32]], + "Got wrong SHA256 agility value"); + +exit: + CFReleaseNull(decoder); + CFReleaseNull(policy); + CFReleaseNull(trust); +} + +/* macOS shim test - decode negative */ +static void decode_V2_negative_test(void) { + CMSDecoderRef decoder = NULL; + SecPolicyRef policy = NULL; + SecTrustRef trust = NULL; + CMSSignerStatus signerStatus; + NSData *contentData = nil; + NSMutableData *invalid_message = nil; + + /* Create decoder and decode */ + invalid_message = [NSMutableData dataWithBytes:_V2_valid_message length:sizeof(_V2_valid_message)]; + [invalid_message resetBytesInRange:NSMakeRange(2110, 1)]; /* reset byte in hash agility attribute */ + require_noerr_string(CMSDecoderCreate(&decoder), exit, "Failed to create CMS decoder"); + require_noerr_string(CMSDecoderUpdateMessage(decoder, [invalid_message bytes], 
[invalid_message length]), exit, + "Failed to update decoder with CMS message"); + contentData = [NSData dataWithBytes:content length:sizeof(content)]; + require_noerr_string(CMSDecoderSetDetachedContent(decoder, (__bridge CFDataRef)contentData), exit, + "Failed to set detached content"); + ok_status(CMSDecoderFinalizeMessage(decoder), "Finalize decoder"); + + /* Get signer status */ + require_string(policy = SecPolicyCreateBasicX509(), exit, "Failed to Create policy"); + ok_status(CMSDecoderCopySignerStatus(decoder, 0, policy, false, &signerStatus, &trust, NULL), + "Copy Signer status"); + is(signerStatus, kCMSSignerInvalidSignature, "Valid signature"); + +exit: + CFReleaseNull(decoder); + CFReleaseNull(policy); + CFReleaseNull(trust); +} + +/* macOS shim test - no attribute */ +static void decodeV2_no_attr_test(void) { + CMSDecoderRef decoder = NULL; + SecPolicyRef policy = NULL; + SecTrustRef trust = NULL; + CMSSignerStatus signerStatus; + NSData *contentData = nil; + CFDictionaryRef attrValue = NULL; + + /* Create decoder and decode */ + require_noerr_string(CMSDecoderCreate(&decoder), exit, "Failed to create CMS decoder"); + require_noerr_string(CMSDecoderUpdateMessage(decoder, valid_message, sizeof(valid_message)), exit, + "Failed to update decoder with CMS message"); + contentData = [NSData dataWithBytes:content length:sizeof(content)]; + require_noerr_string(CMSDecoderSetDetachedContent(decoder, (__bridge CFDataRef)contentData), exit, + "Failed to set detached content"); + ok_status(CMSDecoderFinalizeMessage(decoder), "Finalize decoder"); + + /* Get signer status */ + require_string(policy = SecPolicyCreateBasicX509(), exit, "Failed to Create policy"); + ok_status(CMSDecoderCopySignerStatus(decoder, 0, policy, false, &signerStatus, &trust, NULL), + "Copy Signer status"); + is(signerStatus, kCMSSignerValid, "Valid signature"); + + /* Get Hash Agility Attribute value */ + ok_status(CMSDecoderCopySignerAppleCodesigningHashAgilityV2(decoder, 0, &attrValue), + 
"Copy hash agility attribute value"); + is(attrValue, NULL, "NULL attribute value"); + +exit: + CFReleaseNull(decoder); + CFReleaseNull(policy); + CFReleaseNull(trust); + CFReleaseNull(attrValue); +} + +static void macOS_shim_V2_tests(void) { + encode_V2_test(); + decode_V2_positive_test(); + decode_V2_negative_test(); + decodeV2_no_attr_test(); +} + +int cms_hash_agility_test(int argc, char *const *argv) +{ + plan_tests(74); + + macOS_shim_tests(); + macOS_shim_V2_tests(); return 0; } diff --git a/OSX/libsecurity_codesigning/lib/CSCommon.h b/OSX/libsecurity_codesigning/lib/CSCommon.h index 6aeef649..3ede88d9 100644 --- a/OSX/libsecurity_codesigning/lib/CSCommon.h +++ b/OSX/libsecurity_codesigning/lib/CSCommon.h @@ -84,8 +84,8 @@ CF_ENUM(OSStatus) { errSecCSStaticCodeChanged = -67034, /* the code on disk does not match what is running */ errSecCSDBDenied = -67033, /* permission to use a database denied */ errSecCSDBAccess = -67032, /* cannot access a database */ - errSecCSSigDBDenied = errSecCSDBDenied, - errSecCSSigDBAccess = errSecCSDBAccess, + errSecCSSigDBDenied = -67033, /* permission to use a database denied */ + errSecCSSigDBAccess = -67032, /* cannot access a database */ errSecCSHostProtocolInvalidAttribute = -67031, /* host returned invalid or inconsistent guest attributes */ errSecCSInfoPlistFailed = -67030, /* invalid Info.plist (plist or signature have been modified) */ errSecCSNoMainExecutable = -67029, /* the code has no main executable file */ diff --git a/OSX/libsecurity_codesigning/lib/Code.cpp b/OSX/libsecurity_codesigning/lib/Code.cpp index d5de3047..8de98a37 100644 --- a/OSX/libsecurity_codesigning/lib/Code.cpp +++ b/OSX/libsecurity_codesigning/lib/Code.cpp 
@@ -255,6 +255,7 @@ void SecCode::changeGuestStatus(SecCode *guest, SecCodeStatusOperation operation // SecCode *SecCode::autoLocateGuest(CFDictionaryRef attributes, SecCSFlags flags) { +#if TARGET_OS_OSX // special case: with no attributes at all, return the root of trust if (CFDictionaryGetCount(attributes) == 0) return KernelCode::active()->retain(); @@ -280,6 +281,7 @@ SecCode *SecCode::autoLocateGuest(CFDictionaryRef attributes, SecCSFlags flags) return code.yield(); } } +#endif // TARGET_OS_OSX MacOSError::throwMe(errSecCSNoSuchCode); } diff --git a/OSX/libsecurity_codesigning/lib/SecCode.cpp b/OSX/libsecurity_codesigning/lib/SecCode.cpp index 7cf85740..3d918e4b 100644 --- a/OSX/libsecurity_codesigning/lib/SecCode.cpp +++ b/OSX/libsecurity_codesigning/lib/SecCode.cpp @@ -159,6 +159,7 @@ const CFStringRef kSecGuestAttributeDynamicCodeInfoPlist = CFSTR("dynamicCodeInf const CFStringRef kSecGuestAttributeArchitecture = CFSTR("architecture"); const CFStringRef kSecGuestAttributeSubarchitecture = CFSTR("subarchitecture"); +#if TARGET_OS_OSX OSStatus SecCodeCopyGuestWithAttributes(SecCodeRef hostRef, CFDictionaryRef attributes, SecCSFlags flags, SecCodeRef *guestRef) { @@ -192,6 +193,7 @@ OSStatus SecCodeCreateWithPID(pid_t pid, SecCSFlags flags, SecCodeRef *processRe END_CSAPI } +#endif // TARGET_OS_OSX // diff --git a/OSX/libsecurity_codesigning/lib/SecCode.h b/OSX/libsecurity_codesigning/lib/SecCode.h index 1f0f831d..20ba29f4 100644 --- a/OSX/libsecurity_codesigning/lib/SecCode.h +++ b/OSX/libsecurity_codesigning/lib/SecCode.h @@ -131,6 +131,7 @@ extern const CFStringRef kSecGuestAttributeDynamicCodeInfoPlist; extern const CFStringRef kSecGuestAttributeArchitecture; extern const CFStringRef kSecGuestAttributeSubarchitecture; +#if TARGET_OS_OSX /*! @function SecCodeCopyGuestWithAttributes This is the omnibus API function for obtaining dynamic code references. 
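Review bot: With the body of `SecCode::autoLocateGuest` wrapped in `#if TARGET_OS_OSX`, every non-macOS build falls straight through to `MacOSError::throwMe(errSecCSNoSuchCode)` and leaves `attributes` and `flags` unused, and nothing in the hunk says this is intended. A comment above the guard, e.g. `// guest lookup exists only on macOS; other platforms always report errSecCSNoSuchCode`, would document it. An undefined `TARGET_OS_OSX` evaluates to 0 inside `#if`, so it is worth confirming that each guarded file (this one, SecCode.cpp, SecCode.h and SecCodePriv.h) sees `<TargetConditionals.h>` before the guard; the include lists are outside the visible hunks. If one did not, the macOS build would silently lose `SecCodeCopyGuestWithAttributes` and `SecCodeCreateWithPID` rather than fail to compile. The function body spans two hunks and its middle part is not shown.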
@@ -188,6 +189,7 @@ extern const CFStringRef kSecGuestAttributeSubarchitecture; OSStatus SecCodeCopyGuestWithAttributes(SecCodeRef __nullable host, CFDictionaryRef __nullable attributes, SecCSFlags flags, SecCodeRef * __nonnull CF_RETURNS_RETAINED guest); +#endif // TARGET_OS_OSX /*! diff --git a/OSX/libsecurity_codesigning/lib/SecCodePriv.h b/OSX/libsecurity_codesigning/lib/SecCodePriv.h index 81038342..7faa3634 100644 --- a/OSX/libsecurity_codesigning/lib/SecCodePriv.h +++ b/OSX/libsecurity_codesigning/lib/SecCodePriv.h @@ -126,6 +126,7 @@ OSStatus SecCodeCopyInternalRequirement(SecStaticCodeRef code, SecRequirementTyp SecCSFlags flags, SecRequirementRef *requirement); +#if TARGET_OS_OSX /*! @function SecCodeCreateWithPID Asks the kernel to return a SecCode object for a process identified @@ -144,6 +145,7 @@ OSStatus SecCodeCopyInternalRequirement(SecStaticCodeRef code, SecRequirementTyp */ OSStatus SecCodeCreateWithPID(pid_t pid, SecCSFlags flags, SecCodeRef *process) AVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER_BUT_DEPRECATED_IN_MAC_OS_X_VERSION_10_6; +#endif /* diff --git a/OSX/libsecurity_codesigning/lib/policydb.cpp b/OSX/libsecurity_codesigning/lib/policydb.cpp index 94d1bbc8..b3398c26 100644 --- a/OSX/libsecurity_codesigning/lib/policydb.cpp +++ b/OSX/libsecurity_codesigning/lib/policydb.cpp @@ -461,7 +461,7 @@ void setAssessment(bool masterSwitch) { MutableDictionary *prefsDict = MutableDictionary::CreateMutableDictionary(prefsFile); if (prefsDict == NULL) - prefsDict = new MutableDictionary::MutableDictionary(); + prefsDict = new MutableDictionary(); prefsDict->setValue(SP_ENABLE_KEY, masterSwitch ? SP_ENABLED : SP_DISABLED); prefsDict->writePlistToFile(prefsFile); delete prefsDict; diff --git a/OSX/libsecurity_codesigning/lib/policyengine.cpp b/OSX/libsecurity_codesigning/lib/policyengine.cpp index 1335f687..fa2a971a 100644 --- a/OSX/libsecurity_codesigning/lib/policyengine.cpp +++ b/OSX/libsecurity_codesigning/lib/policyengine.cpp 
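Review bot: The closing `#endif` added after the `SecCodeCreateWithPID` declaration in SecCodePriv.h has no trailing comment, while the matching guards in Code.cpp, SecCode.cpp and SecCode.h all close with `#endif // TARGET_OS_OSX`. Writing `#endif // TARGET_OS_OSX` here as well keeps the four guards consistent and easy to grep for.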
@@ -73,10 +73,18 @@ static CFTypeRef installerPolicy() CF_RETURNS_RETAINED; PolicyEngine::PolicyEngine() : PolicyDatabase(NULL, SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE) { + try { + mOpaqueWhitelist = new OpaqueWhitelist(); + } catch (...) { + mOpaqueWhitelist = NULL; + secerror("Failed opening the gkopaque database."); + } } PolicyEngine::~PolicyEngine() -{ } +{ + delete mOpaqueWhitelist; +} // @@ -262,11 +270,27 @@ void PolicyEngine::evaluateCodeItem(SecStaticCodeRef code, CFURLRef path, Author cfadd(result, "{%O=%B}", kSecAssessmentAssessmentVerdict, false); addAuthority(flags, result, latentLabel.c_str(), latentID); } - + +CFDictionaryRef PolicyEngine::opaqueWhitelistValidationConditionsFor(SecStaticCodeRef code) +{ + return (mOpaqueWhitelist != NULL) ? mOpaqueWhitelist->validationConditionsFor(code) : NULL; +} + +bool PolicyEngine::opaqueWhiteListContains(SecStaticCodeRef code, SecAssessmentFeedback feedback, OSStatus reason) +{ + return (mOpaqueWhitelist != NULL) ? mOpaqueWhitelist->contains(code, feedback, reason) : false; +} + +void PolicyEngine::opaqueWhitelistAdd(SecStaticCodeRef code) +{ + if (mOpaqueWhitelist) { + mOpaqueWhitelist->add(code); + } +} void PolicyEngine::adjustValidation(SecStaticCodeRef code) { - CFRef conditions = mOpaqueWhitelist.validationConditionsFor(code); + CFRef conditions = opaqueWhitelistValidationConditionsFor(code); SecStaticCodeSetValidationConditions(code, conditions); } @@ -465,8 +489,9 @@ void PolicyEngine::evaluateCode(CFURLRef path, AuthorityType type, SecAssessment if (CFEqual(verdict, kCFBooleanFalse)) // nested code rejected by rule book; result was filled out there return; if (CFEqual(verdict, kCFBooleanTrue) && !(flags & kSecAssessmentFlagIgnoreWhitelist)) - if (mOpaqueWhitelist.contains(code, feedback, rc)) + if (opaqueWhiteListContains(code, feedback, rc)) { allow = true; + } } if (allow) { label = "allowed cdhash"; 
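Review bot: The `catch (...)` added to the `PolicyEngine` constructor swallows every exception from `new OpaqueWhitelist()`, including `std::bad_alloc`, and logs a fixed string with no cause, so a damaged gkopaque database and an out-of-memory condition look the same in the log. The engine then keeps `mOpaqueWhitelist == NULL` for its whole lifetime; no retry is visible in this diff, so a comment stating that the whitelist is deliberately optional would help the next reader. `mOpaqueWhitelist` is now a raw owning pointer released in the destructor (declared in the policyengine.h hunk), so copying a `PolicyEngine` would delete it twice unless copying is already disabled in a base class, which is not visible here.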
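Review bot: `opaqueWhitelistAdd` does nothing when `mOpaqueWhitelist` is NULL, so the implicit whitelisting requested from `normalizeTarget` (the @@ -1144 hunk) is dropped without a trace; a log line in that branch, e.g. `secerror("gkopaque database unavailable; code not whitelisted");`, would make the lost write visible. `opaqueWhitelistValidationConditionsFor` returns NULL in the same state and `adjustValidation` passes that on to `SecStaticCodeSetValidationConditions`; presumably NULL means no relaxed conditions, which deserves a one-line comment once confirmed. `opaqueWhiteListContains` returning false in that state fails closed, which is the safe direction. Its name is capitalised differently from its two siblings (`opaqueWhitelist…`), and renaming it to `opaqueWhitelistContains` would need the same change in the policyengine.h hunk.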
@@ -1144,7 +1169,7 @@ void PolicyEngine::normalizeTarget(CFRef &target, AuthorityType type, CFStringRef edit = CFStringRef(context.get(kSecAssessmentContextKeyUpdate)); if (type == kAuthorityExecute && CFEqual(edit, kSecAssessmentUpdateOperationAdd)) { // implicitly whitelist the code - mOpaqueWhitelist.add(code); + opaqueWhitelistAdd(code); } } } diff --git a/OSX/libsecurity_codesigning/lib/policyengine.h b/OSX/libsecurity_codesigning/lib/policyengine.h index 9ba82dc2..87b10df7 100644 --- a/OSX/libsecurity_codesigning/lib/policyengine.h +++ b/OSX/libsecurity_codesigning/lib/policyengine.h @@ -88,7 +88,10 @@ private: void recordOutcome(SecStaticCodeRef code, bool allow, AuthorityType type, double expires, SQLite::int64 authority); private: - OpaqueWhitelist mOpaqueWhitelist; + OpaqueWhitelist* mOpaqueWhitelist; + CFDictionaryRef opaqueWhitelistValidationConditionsFor(SecStaticCodeRef code); + bool opaqueWhiteListContains(SecStaticCodeRef code, SecAssessmentFeedback feedback, OSStatus reason); + void opaqueWhitelistAdd(SecStaticCodeRef code); friend class EvaluationManager; friend class EvaluationTask; diff --git a/OSX/libsecurity_codesigning/lib/requirement.h b/OSX/libsecurity_codesigning/lib/requirement.h index da9175d4..64cbb93a 100644 --- a/OSX/libsecurity_codesigning/lib/requirement.h +++ b/OSX/libsecurity_codesigning/lib/requirement.h @@ -30,6 +30,7 @@ #include #include #include +#include #include #include "codedirectory.h" #include diff --git a/OSX/libsecurity_cryptkit/lib/CryptKit.h b/OSX/libsecurity_cryptkit/lib/CryptKit.h deleted file mode 100644 index 6c6f2bc5..00000000 --- a/OSX/libsecurity_cryptkit/lib/CryptKit.h +++ /dev/null 
@@ -1,28 +0,0 @@ -/* Copyright (c) 1998,2011,2014 Apple Inc. All Rights Reserved. - * - * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT - * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE - * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE, INC. AND THE - * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE, - * INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL - * EXPOSE YOU TO LIABILITY. - *************************************************************************** - * - * CryptKit.h created by blaine on Thu 22-Feb-1996 - */ - -// Encryption related protocols and types -#include -#include - -// Classes -#include -#include -#include -#include -#include - -// Misc. Functions -#include -#include -#include diff --git a/OSX/libsecurity_cryptkit/lib/CryptKitSA.h b/OSX/libsecurity_cryptkit/lib/CryptKitSA.h deleted file mode 100644 index b5a902c8..00000000 --- a/OSX/libsecurity_cryptkit/lib/CryptKitSA.h +++ /dev/null @@ -1,23 +0,0 @@ -/* Copyright (c) 1998-2004,2011,2014 Apple Inc. All Rights Reserved. - * - * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT - * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE - * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE, INC. AND THE - * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE, - * INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL - * EXPOSE YOU TO LIABILITY. - ***************************************************************************/ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include diff --git a/OSX/libsecurity_cryptkit/lib/NSCipherFile.h b/OSX/libsecurity_cryptkit/lib/NSCipherFile.h deleted file mode 100644 index 13f103c5..00000000 --- a/OSX/libsecurity_cryptkit/lib/NSCipherFile.h +++ /dev/null 
@@ -1,111 +0,0 @@ -/* Copyright (c) 1998,2011,2014 Apple Inc. All Rights Reserved. - * - * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT - * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE - * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE, INC. AND THE - * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE, - * INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL - * EXPOSE YOU TO LIABILITY. - *************************************************************************** - * - * NSCipherFile.h - ObjC wrapper for feeCipherFile - * - * Revision History - * ---------------- - * 28 Oct 96 at NeXT - * Created. - */ - -#import -#import - -@interface NSCipherFile : NSObject -{ - void *_priv; -} - -/* - * Alloc and return an autoreleased NSCipherFile object associated with - * the specified data. - */ -+ newFromCipherText : (NSData *)cipherText - encrType : (cipherFileEncrType)encrType - sendPubKeyData : (NSData *)sendPubKeyData - otherKeyData : (NSData *)otherKeyData - sigData : (NSData *)sigData // optional; nil means no signature - userData : (unsigned)userData; // for caller's convenience - -/* - * Obtain the contents of a feeCipherFile as NSData. - */ -- (NSData *)dataRepresentation; - -/* - * Alloc and return an autoreleased NSCipherFile object given a data - * representation. - */ -+ newFromDataRepresentation : (NSData *)dataRep; - -/* - * Given an NSCipherFile object, obtain its constituent parts. - */ -- (cipherFileEncrType)encryptionType; -- (NSData *)cipherText; -- (NSData *)sendPubKeyData; -- (NSData *)otherKeyData; -- (NSData *)sigData; -- (unsigned)userData; - -/* - * High-level cipherFile support. - */ - -/* - * Obtain the data representation of a NSCipherFile given the specified - * plainText and cipherFileEncrType. - * Receiver's public key is required for all encrTypes; sender's private - * key is required for signature generation and also for encrType - * CFE_PublicDES and CFE_FEED. 
- */ -+(feeReturn)createCipherFileForPrivKey : (NSFEEPublicKey *)sendPrivKey - recvPubKey : (NSFEEPublicKey *)recvPubKey - encrType : (cipherFileEncrType)encrType - plainText : (NSData *)plainText - genSig : (BOOL)genSig - doEnc64 : (BOOL)doEnc64 // YES ==> perform enc64 - userData : (unsigned)userData // for caller's convenience - cipherFileData : (NSData **)cipherFileData; // RETURNED - -/* - * Parse and decrypt a data representation of an NSCipherFile object. - * - * recvPrivKey is required in all cases. If sendPubKey is present, - * sendPubKey - rather than the embedded sender's public key - will be - * used for signature validation. - */ -+ (feeReturn)parseCipherFileData : (NSFEEPublicKey *)recvPrivKey - sendPubKey : (NSFEEPublicKey *)sendPubKey - cipherFileData : (NSData *)cipherFileData - doDec64 : (BOOL)doDec64 - encrType : (cipherFileEncrType *)encrType // RETURNED - plainText : (NSData **)plainText // RETURNED - sigStatus : (feeSigStatus *)sigStatus // RETURNED - sigSigner : (NSString **)sigSigner // RETURNED - userData : (unsigned *)userData; // RETURNED - -/* - * Parse and decrypt an NSCipherFile object obtained via - * +newFromDataRepresentation. - * - * recvPrivKey is required in all cases. If sendPubKey is present, - * sendPubKey - rather than the embedded sender's public key - will be - * used for signature validation. - */ -- (feeReturn)decryptCipherFileData : (NSFEEPublicKey *)recvPrivKey - sendPubKey : (NSFEEPublicKey *)sendPubKey - plainText : (NSData **)plainText // RETURNED - sigStatus : (feeSigStatus *)sigStatus // RETURNED - sigSigner : (NSString **)sigSigner; // RETURNED - - -@end diff --git a/OSX/libsecurity_cryptkit/lib/NSCipherFile.m b/OSX/libsecurity_cryptkit/lib/NSCipherFile.m deleted file mode 100644 index 93598d72..00000000 --- a/OSX/libsecurity_cryptkit/lib/NSCipherFile.m +++ /dev/null 
@@ -1,360 +0,0 @@ -/* Copyright (c) 1998,2011,2014 Apple Inc. All Rights Reserved. - * - * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT - * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE - * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE, INC. AND THE - * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE, - * INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL - * EXPOSE YOU TO LIABILITY. - *************************************************************************** - * - * NSCipherFile.m - ObjC wrapper for feeCipherFile - * - * Revision History - * ---------------- - * 28 Oct 96 at NeXT - * Created. - */ - -#import "NSCipherFile.h" -#import "feeCipherFile.h" -#import "falloc.h" -#import "NSFEEPublicKeyPrivate.h" /* for -feePubKey */ - -/* - * Private instance data. - */ -typedef struct { - feeCipherFile cfile; -} _cfPriv; - -@implementation NSCipherFile - -- (void)dealloc -{ - if(_priv) { - _cfPriv *cfPriv = _priv; - if(cfPriv->cfile) { - feeCFileFree(cfPriv->cfile); - } - } - [super dealloc]; -} - -/* - * Alloc and return an autoreleased NSCipherFile object associated with - * the specified data. 
- */ -+ newFromCipherText : (NSData *)cipherText - encrType : (cipherFileEncrType)encrType - sendPubKeyData : (NSData *)sendPubKeyData - otherKeyData : (NSData *)otherKeyData - sigData : (NSData *)sigData // optional; nil means no signature - userData : (unsigned)userData // for caller's convenience -{ - NSCipherFile *result; - _cfPriv *cfPriv; - - result = [[self alloc] autorelease]; - result->_priv = cfPriv = fmalloc(sizeof(_cfPriv)); - cfPriv->cfile = feeCFileNewFromCipherText(encrType, - [cipherText bytes], - [cipherText length], - [sendPubKeyData bytes], - [sendPubKeyData length], - [otherKeyData bytes], - [otherKeyData length], - [sigData bytes], - [sigData length], - userData); - if(cfPriv->cfile) { - return result; - } - else { - return nil; - } -} - -/* - * Obtain the contents of a feeCipherFile as NSData. - */ -- (NSData *)dataRepresentation -{ - _cfPriv *cfPriv = _priv; - NSData *result; - const unsigned char *rep; - unsigned repLen; - feeReturn frtn; - - if(cfPriv == NULL) { - return nil; - } - frtn = feeCFileDataRepresentation(cfPriv->cfile, - &rep, - &repLen); - if(frtn) { - return nil; - } - result = [NSData dataWithBytesNoCopy:(unsigned char *)rep - length:repLen]; - return result; -} - -/* - * Alloc and return an autoreleased NSCipherFile object given a data - * representation. - */ -+ newFromDataRepresentation : (NSData *)dataRep -{ - NSCipherFile *result; - _cfPriv *cfPriv; - feeReturn frtn; - - result = [[self alloc] autorelease]; - result->_priv = cfPriv = fmalloc(sizeof(_cfPriv)); - frtn = feeCFileNewFromDataRep([dataRep bytes], - [dataRep length], - &cfPriv->cfile); - if(frtn) { - return nil; - } - else { - return result; - } -} - -/* - * Given an NSCipherFile object, obtain its constituent parts. 
- */ -- (cipherFileEncrType)encryptionType -{ - _cfPriv *cfPriv = _priv; - - if(cfPriv == NULL) { - return CFE_Other; - } - return feeCFileEncrType(cfPriv->cfile); -} - -- (NSData *)cipherText -{ - _cfPriv *cfPriv = _priv; - const unsigned char *ctext; - unsigned ctextLen; - - if(cfPriv == NULL) { - return nil; - } - ctext = feeCFileCipherText(cfPriv->cfile, &ctextLen); - return [NSData dataWithBytesNoCopy:(unsigned char *)ctext - length:ctextLen]; -} - -- (NSData *)sendPubKeyData -{ - _cfPriv *cfPriv = _priv; - const unsigned char *key; - unsigned keyLen; - - if(cfPriv == NULL) { - return nil; - } - key = feeCFileSendPubKeyData(cfPriv->cfile, &keyLen); - if(key) { - return [NSData dataWithBytesNoCopy:(unsigned char *)key - length:keyLen]; - } - else { - return nil; - } -} - -- (NSData *)otherKeyData -{ - _cfPriv *cfPriv = _priv; - const unsigned char *key; - unsigned keyLen; - - if(cfPriv == NULL) { - return nil; - } - key = feeCFileOtherKeyData(cfPriv->cfile, &keyLen); - if(key) { - return [NSData dataWithBytesNoCopy:(unsigned char *)key - length:keyLen]; - } - else { - return nil; - } -} - -- (NSData *)sigData -{ - _cfPriv *cfPriv = _priv; - const unsigned char *sig; - unsigned sigLen; - - if(cfPriv == NULL) { - return nil; - } - sig = feeCFileSigData(cfPriv->cfile, &sigLen); - if(sig) { - return [NSData dataWithBytesNoCopy:(unsigned char *)sig - length:sigLen]; - } - else { - return nil; - } -} - -- (unsigned)userData -{ - _cfPriv *cfPriv = _priv; - - if(cfPriv == NULL) { - return 0; - } - return feeCFileUserData(cfPriv->cfile); -} - -/* - * High-level cipherFile support. - */ - -/* - * Create a cipherfile of specified cipherFileEncrType for given plaintext. 
- */ -+(feeReturn)createCipherFileForPrivKey : (NSFEEPublicKey *)sendPrivKey - recvPubKey : (NSFEEPublicKey *)recvPubKey - encrType : (cipherFileEncrType)encrType - plainText : (NSData *)plainText - genSig : (BOOL)genSig - doEnc64 : (BOOL)doEnc64 // YES ==> perform enc64 - userData : (unsigned)userData // for caller's convenience - cipherFileData : (NSData **)cipherFileData // RETURNED -{ - feeReturn frtn; - unsigned char *cfileData; - unsigned cfileDataLen; - feePubKey privKey = NULL; - - if(sendPrivKey) { - privKey = [sendPrivKey feePubKey]; - } - frtn = createCipherFile(privKey, - [recvPubKey feePubKey], - encrType, - [plainText bytes], - [plainText length], - genSig, - doEnc64, - userData, - &cfileData, - &cfileDataLen); - if(frtn) { - return frtn; - } - *cipherFileData = - [NSData dataWithBytesNoCopy:(unsigned char *)cfileData - length:cfileDataLen]; - return frtn; -} - -/* - * Parse and decrypt a data representation of an NSCipherFile object. - */ -+ (feeReturn)parseCipherFileData : (NSFEEPublicKey *)recvPrivKey - sendPubKey : (NSFEEPublicKey *)sendPubKey - cipherFileData : (NSData *)cipherFileData - doDec64 : (BOOL)doDec64 - encrType : (cipherFileEncrType *)encrType // RETURNED - plainText : (NSData **)plainText // RETURNED - sigStatus : (feeSigStatus *)sigStatus // RETURNED - sigSigner : (NSString **)sigSigner // RETURNED - userData : (unsigned *)userData // RETURNED -{ - feeReturn frtn; - unsigned char *ptext; - unsigned ptextLen; - feeUnichar *signer; - unsigned signerLen; - feePubKey _pubKey = NULL; - - if(recvPrivKey == nil) { - return FR_IllegalArg; // always required - } - if(sendPubKey) { - _pubKey = [sendPubKey feePubKey]; - } - - frtn = parseCipherFile([recvPrivKey feePubKey], - _pubKey, - [cipherFileData bytes], - [cipherFileData length], - doDec64, - encrType, - &ptext, - &ptextLen, - sigStatus, - &signer, - &signerLen, - userData); - if(frtn) { - return frtn; - } - *plainText = [NSData dataWithBytesNoCopy:ptext length:ptextLen]; - *sigSigner = 
[NSString stringWithCharacters:signer length:signerLen]; - ffree(signer); - return frtn; -} - -/* - * Parse and decrypt an NSCipherFile object obtained via - * +newFromDataRepresentation. - * - * recvPrivKey is required in all cases. If sendPubKey is present, - * sendPubKey - rather than the embedded sender's public key - will be - * used for signature validation. - */ -- (feeReturn)decryptCipherFileData : (NSFEEPublicKey *)recvPrivKey - sendPubKey : (NSFEEPublicKey *)sendPubKey - plainText : (NSData **)plainText // RETURNED - sigStatus : (feeSigStatus *)sigStatus // RETURNED - sigSigner : (NSString **)sigSigner // RETURNED -{ - _cfPriv *cfPriv = _priv; - feeReturn frtn; - unsigned char *ptext; - unsigned ptextLen; - feeUnichar *signer; - unsigned signerLen; - feePubKey _pubKey = NULL; - - if(cfPriv == NULL) { - return FR_IllegalArg; - } - if(recvPrivKey == nil) { - return FR_IllegalArg; // always required - } - if(sendPubKey) { - _pubKey = [sendPubKey feePubKey]; - } - - frtn = decryptCipherFile(cfPriv->cfile, - [recvPrivKey feePubKey], - _pubKey, - &ptext, - &ptextLen, - sigStatus, - &signer, - &signerLen); - if(frtn) { - return frtn; - } - *plainText = [NSData dataWithBytesNoCopy:ptext length:ptextLen]; - *sigSigner = [NSString stringWithCharacters:signer length:signerLen]; - ffree(signer); - return frtn; - -} -@end diff --git a/OSX/libsecurity_cryptkit/lib/NSCryptors.h b/OSX/libsecurity_cryptkit/lib/NSCryptors.h deleted file mode 100644 index 33935a7d..00000000 --- a/OSX/libsecurity_cryptkit/lib/NSCryptors.h +++ /dev/null 
@@ -1,83 +0,0 @@ -/* Copyright (c) 1998,2011,2014 Apple Inc. All Rights Reserved. - * - * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT - * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE - * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE, INC. AND THE - * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE, - * INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL - * EXPOSE YOU TO LIABILITY. - *************************************************************************** - * - * NSCryptors.h - common cryptographic protocols - * - * Revision History - * ---------------- - * ??? 1994 Blaine Garst at NeXT - * Created. - */ - - -#import -#import -#import - - -/************ Utilities ******************************************/ - -#ifdef NeXT - -NSString *NSPromptForPassPhrase(NSString *prompt); - // useful for command line (/dev/tty) programs - -#endif NeXT - -/************ Data Hashing Protocol *****************/ - -@protocol NSDataDigester -+ digester; // provides a concrete digester - -// primitives -- (void)digestData:(NSData *)data; // use for multi-bite messages -- (NSData *)messageDigest; // provide digest; re-init - -// conveniences that only use the above primitives -// all in one gulp (eats salt first, if present) -- (NSData *)digestData:(NSData *)data withSalt:(NSData *)salt; - -@end - - -/****** Encryption/Decryption Protocol ***********/ - -@protocol NSCryptor -- (NSData *)encryptData:(NSData *)input; -- (NSData *)decryptData:(NSData *)input; -- (unsigned)keyBitsize; -@end - - -/*************** Public Key Services *************/ - -@protocol NSPublicKey -- (NSString *)publicKeyString; -- (NSString *)algorithmName; // "Diffie-Hellman" "FEE" ... 
-- (NSString *)usageName; // "Blaine Garst - home" -- (NSData *)padWithPublicKey:(id )otherKey; -- (unsigned)keyBitsize; -@end - -/********* Key Ring ************************/ - -@protocol NSKeyRing -- keyForUsageName:(NSString *)user; -@end - -/********** Digital Signatures **************/ - -// protocol adapted by various signature schemes (FEE, DSA, RSA...) -@protocol NSDigitalSignature -- (NSData *)digitalSignatureForData:(NSData *)message; - // generate a signature for the data - -- (BOOL)isValidDigitalSignature:(NSData *)sig forData:(NSData *)data; -@end diff --git a/OSX/libsecurity_cryptkit/lib/NSDESCryptor.h b/OSX/libsecurity_cryptkit/lib/NSDESCryptor.h deleted file mode 100644 index 6f3ed08b..00000000 --- a/OSX/libsecurity_cryptkit/lib/NSDESCryptor.h +++ /dev/null @@ -1,39 +0,0 @@ -/* Copyright (c) 1998,2011,2014 Apple Inc. All Rights Reserved. - * - * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT - * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE - * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE, INC. AND THE - * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE, - * INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL - * EXPOSE YOU TO LIABILITY. - *************************************************************************** - * - * NSDESCryptor.h created by blaine on Thu 22-Feb-1996 - */ - -#import "NSCryptors.h" - -/****** Digital Encryption Standard/Algorithm ********/ - -@interface NSDESCryptor : NSObject -{ - void *_priv; -} - -+ cryptorWithState:(NSData *)s; - -- initWithState:(NSData *)state; - // designated initializer - // 8 bytes with most sig bit ignored: 56 bits - -- (void)setCryptorState:(NSData *)state; // reset -- (void)setBlockMode:(BOOL)yorn; // default is chaining mode - -/* - * NSCryptor methods - */ -- (NSData *)encryptData:(NSData *)input; -- (NSData *)decryptData:(NSData *)input; -- (unsigned)keyBitsize; - -@end 
diff --git a/OSX/libsecurity_cryptkit/lib/NSDESCryptor.m b/OSX/libsecurity_cryptkit/lib/NSDESCryptor.m deleted file mode 100644 index 2e071b2e..00000000 --- a/OSX/libsecurity_cryptkit/lib/NSDESCryptor.m +++ /dev/null 
@@ -1,130 +0,0 @@ -/* Copyright (c) 1998,2011,2014 Apple Inc. All Rights Reserved. - * - * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT - * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE - * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE, INC. AND THE - * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE, - * INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL - * EXPOSE YOU TO LIABILITY. - *************************************************************************** - * - * NSDESCryptor.m - DES encrypt/decrypt class - * - * Revision History - * ---------------- - * 28 Mar 97 at Apple - * Rewrote using feeDES module. - * 22 Feb 96 at NeXT - * Created. - */ - -#import -#import "NSDESCryptor.h" -#import "feeDES.h" -#import "falloc.h" -#import "ckutilities.h" -#import "feeFunctions.h" - -/* - * Note: Our _priv ivar is actuall a feeDES pointer. - */ -@implementation NSDESCryptor - -+ cryptorWithState:(NSData *)s { - return [[[self alloc] initWithState:s] autorelease]; -} - -- (void)setCryptorState:(NSData *)state { - if(_priv == NULL) { - return; - } - feeDESSetState(_priv, [state bytes], [state length]); -} - -- initWithState:(NSData *)state { - feeReturn frtn; - - if(_priv == NULL) { - _priv = feeDESNewWithState([state bytes], [state length]); - } - else { - frtn = feeDESSetState(_priv, [state bytes], [state length]); - if(frtn) { - NSLog(@"NSDESCryptor: bad initial state\n"); - return nil; - } - } - return self; -} - -- (void)dealloc -{ - if(_priv) { - feeDESFree(_priv); - } - [super dealloc]; -} - -- (void)setBlockMode:(BOOL)yorn { - if(_priv == NULL) { - return; - } - if(yorn) { - feeDESSetBlockMode(_priv); - } - else { - feeDESSetChainMode(_priv); - } -} - -- (NSData *)encryptData:(NSData *)input { - NSData *result; - feeReturn frtn; - unsigned char *cipherText; - unsigned cipherTextLen; - - if(_priv == NULL) { - return nil; - } - frtn = feeDESEncrypt(_priv, - [input bytes], - [input length], - 
&cipherText, - &cipherTextLen); - if(frtn) { - NSLog(@"NSDESCryptor encrypt: %s", feeReturnString(frtn)); - return nil; - } - result = [NSData dataWithBytes:cipherText length:cipherTextLen]; - ffree(cipherText); - return result; -} - -- (NSData *)decryptData:(NSData *)input { - NSData *result; - feeReturn frtn; - unsigned char *plainText; - unsigned plainTextLen; - - if(_priv == NULL) { - return nil; - } - frtn = feeDESDecrypt(_priv, - [input bytes], - [input length], - &plainText, - &plainTextLen); - if(frtn) { - NSLog(@"NSDESCryptor decrypt: %s", feeReturnString(frtn)); - return nil; - } - result = [NSData dataWithBytes:plainText length:plainTextLen]; - ffree(plainText); - return result; -} - -- (unsigned)keyBitsize { - return feeDESKeySize(_priv); -} - -@end diff --git a/OSX/libsecurity_cryptkit/lib/NSFEEPublicKey.h b/OSX/libsecurity_cryptkit/lib/NSFEEPublicKey.h deleted file mode 100644 index 42377a28..00000000 --- a/OSX/libsecurity_cryptkit/lib/NSFEEPublicKey.h +++ /dev/null 
@@ -1,74 +0,0 @@ -/* Copyright (c) 1998,2011,2014 Apple Inc. All Rights Reserved. - * - * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT - * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE - * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE, INC. AND THE - * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE, - * INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL - * EXPOSE YOU TO LIABILITY. - *************************************************************************** - * - * NSFEEPublicKey.h - * - * Revision History - * ---------------- - * 27 Feb 1997 at Apple - * Broke out from NSCryptors.h. - */ - -#import - -@interface NSFEEPublicKey : NSObject - { -@private - void *_pubKey; -} - -+ keyWithPrivateData:(NSData *)private - depth:(unsigned)depth // depth is in range 0-23 - usageName:(NSString *)uname; - // able to encrypt/decrypt data - // able to create/verify digital signatures - -+ keyWithPublicKeyString:(NSString *)hexstr; - // able to encrypt data - // able to verify digital signatures - -/* - * Create new key with curve parameters matching existing oldKey. - */ -+ keyWithPrivateData:(NSData *)passwd - andKey:(NSFEEPublicKey *)oldKey - usageName:(NSString *)uname; - -/* - * Convenience methods. The first three use the default depth - * (FEE_DEPTH_DEFAULT). 
- */ -+ keyWithPrivateData:(NSData *)passwd - usageName:(NSString *)uname; -+ keyWithPrivateString:(NSString *)private - usageName:(NSString *)uname; -+ keyWithPrivateString:(NSString *)private - andKey:(NSFEEPublicKey *)oldKey - usageName:(NSString *)uname; - -+ keyWithPrivateString:(NSString *)private - depth:(unsigned)depth - usageName:(NSString *)uname; - -/* - * NSCryptor protocol - */ -- (NSData *)encryptData:(NSData *)data; // done with public knowledge -- (NSData *)decryptData:(NSData *)data; // done with private knowledge - -/* - * NSDigitalSignature protocol - */ -- (NSData *)digitalSignatureForData:(NSData *)data; - // data is hashed with MD5 and then signed with private knowledge -- (BOOL)isValidDigitalSignature:(NSData *)sig forData:(NSData *)data; - // data is hashed with MD5 and then verified with public knowledge - -@end diff --git a/OSX/libsecurity_cryptkit/lib/NSFEEPublicKey.m b/OSX/libsecurity_cryptkit/lib/NSFEEPublicKey.m deleted file mode 100644 index 034af79d..00000000 --- a/OSX/libsecurity_cryptkit/lib/NSFEEPublicKey.m +++ /dev/null 
@@ -1,496 +0,0 @@ -/* Copyright (c) 1998,2011,2014 Apple Inc. All Rights Reserved. - * - * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT - * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE - * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE, INC. AND THE - * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE, - * INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL - * EXPOSE YOU TO LIABILITY. - *************************************************************************** - * - * NSFEEPublicKey.m - NSFEEPublicKey class implementation - * - * Revision History - * ---------------- - * 17 Jul 97 at Apple - * Added ECDSA signature routines. - * 21 Aug 96 at NeXT - * Modified to use C-only FeePublicKey module. - * ???? 1994 Blaine Garst at NeXT - * Created. - */ - -#import -#import - -#import "NSCryptors.h" -#import "NSFEEPublicKeyPrivate.h" -#import "feePublicKey.h" -#import "feePublicKeyPrivate.h" -#import "ckutilities.h" -#import "mutils.h" -#import "feeTypes.h" -#import "curveParams.h" -#import "falloc.h" -#import "feeDigitalSignature.h" -#import "feeHash.h" -#import "feeFunctions.h" -#import "feeFEEDExp.h" - -/* - Elliptic curve algebra over finite fields F(p**k), where p = 2**q -1 is a - Mersenne prime. - q is bit-depth. - A private key (a) is a large integer that when multiplied by an initial - curve point P yields the public key aP. - Public keys can be used to generate one-time pads because multiplication - is commutative: - - a(bP) == b(aP) - */ - -@implementation NSFEEPublicKey - -/* - * Root method to create new public key from private "password" data. 
- */ -+ keyWithPrivateData:(NSData *)passwd - depth:(unsigned)depth - usageName:(NSString *)uname -{ - NSFEEPublicKey *result; - feeReturn frtn; - unichar *uc; - - result = [[self alloc] autorelease]; - result->_pubKey = feePubKeyAlloc(); - uc = fmalloc([uname length] * sizeof(unichar)); - [uname getCharacters:uc]; - frtn = feePubKeyInitFromPrivData(result->_pubKey, - [passwd bytes], [passwd length], - uc, [uname length], - depth); - ffree(uc); - if(frtn) { - NSLog(@"keyWithPrivateData: %s\n", feeReturnString(frtn)); - return nil; - } - return result; -} - -/* - * Create new key with curve parameters matching existing oldKey. - */ -+ keyWithPrivateData:(NSData *)passwd - andKey:(NSFEEPublicKey *)oldKey - usageName:(NSString *)uname -{ - NSFEEPublicKey *result; - feeReturn frtn; - unichar *uc; - - result = [[self alloc] autorelease]; - result->_pubKey = feePubKeyAlloc(); - uc = fmalloc([uname length] * sizeof(unichar)); - [uname getCharacters:uc]; - frtn = feePubKeyInitFromKey(result->_pubKey, - [passwd bytes], [passwd length], - uc, [uname length], - oldKey->_pubKey); - ffree(uc); - if(frtn) { - NSLog(@"keyWithPrivateData:andKey: %s\n", - feeReturnString(frtn)); - return nil; - } - return result; -} - -+ keyWithPrivateData:(NSData *)passwd - usageName:(NSString *)uname -{ - // 4 gives 127 bits of protection - // although the RSA challenge number of 127 bits has been - // broken, FEE is much stronger at the same length - return [self keyWithPrivateData:passwd - depth:FEE_DEPTH_DEFAULT - usageName:uname]; -} - -/* - * The standard way of creating a new key given a private "password" string. - */ -+ keyWithPrivateString:(NSString *)private - usageName:(NSString *)uname -{ - NSData *pdata; - id result; - - /* - * FIXME - handle other encodings? 
- */ - pdata = [private dataUsingEncoding:NSUTF8StringEncoding]; - result = [self keyWithPrivateData:pdata usageName:uname]; - return result; -} - -+ keyWithPrivateString:(NSString *)private - andKey:(NSFEEPublicKey *)oldKey - usageName:(NSString *)uname -{ - NSData *pdata; - id result; - - if (!uname) return nil; - - pdata = [private dataUsingEncoding:NSUTF8StringEncoding]; - result = [self keyWithPrivateData:pdata andKey:oldKey usageName:uname]; - return result; -} - -+ keyWithPrivateString:(NSString *)private - depth:(unsigned)depth - usageName:(NSString *)uname -{ - NSData *pdata; - id result; - - if (!uname) return nil; - - pdata = [private dataUsingEncoding:NSUTF8StringEncoding]; - result = [self keyWithPrivateData:pdata depth:depth usageName:uname]; - return result; -} - -/* - * The standard way of creating a new key given a public key string. - */ -+ keyWithPublicKeyString:(NSString *)hexstr -{ - NSFEEPublicKey *result; - feeReturn frtn; - NSStringEncoding defEndoding; - const char *s; - - /* - * Protect against gross errors in the key string formatting... - */ - defEndoding = [NSString defaultCStringEncoding]; - if([hexstr canBeConvertedToEncoding:defEndoding] == NO) { - NSLog(@"NSFEEPublicKey: Bad Public Key String Format (1)\n"); - return nil; - } - - /* - * FIXME - docs say this string is "autoreleased". How is a cString - * autoreleased? - */ - s = [hexstr cString]; - result = [[self alloc] autorelease]; - result->_pubKey = feePubKeyAlloc(); - - frtn = feePubKeyInitFromKeyString(result->_pubKey, - s, strlen(s)); - if(frtn) { - NSLog(@"keyWithPublicKeyString:andKey: %s\n", - feeReturnString(frtn)); - return nil; - } - return result; -} - -- (void)dealloc -{ - if(_pubKey) { - feePubKeyFree(_pubKey); - } - [super dealloc]; -} - -/* - * Create a public key in the form of a string. This string contains an - * encoded version of all of our ivars except for _private. 
- * - * See KeyStringFormat.doc for info on the format of the public key string; - * PLEASE UPDATE THIS DOCUMENT WHEN YOU MAKE CHANGES TO THE STRING FORMAT. - */ -- (NSString *)publicKeyString -{ - char *keyStr; - unsigned keyStrLen; - feeReturn frtn; - NSString *result; - - if(_pubKey == NULL) { - return nil; - } - frtn = feePubKeyCreateKeyString(_pubKey, &keyStr, &keyStrLen); - if(frtn) { - NSLog(@"publicKeyString: %s\n", - feeReturnString(frtn)); - return nil; - } - result = [NSString stringWithCString:keyStr]; - ffree((void *)keyStr); - return result; -} - -- (BOOL)isEqual:(NSFEEPublicKey *)other -{ - if((other == nil) || (other->_pubKey == NULL) || (_pubKey == NULL)) { - return NO; - } - if(feePubKeyIsEqual(_pubKey, other->_pubKey)) { - return YES; - } - else { - return NO; - } -} - -- (unsigned)keyBitsize -{ - if(_pubKey == NULL) { - return 0; - } - return feePubKeyBitsize(_pubKey); -} - -- (NSString *)algorithmName -{ - return [NSString stringWithCString:feePubKeyAlgorithmName()]; -} - -- (NSString *)usageName -{ - unsigned unameLen; - const feeUnichar *uname; - NSString *result; - - if(_pubKey == NULL) { - return nil; - } - uname = feePubKeyUsageName(_pubKey, &unameLen); - result = [NSString stringWithCharacters:uname length:unameLen]; - return result; -} - -- (NSString *)signer -{ - return [self usageName]; -} - -- (NSData *)padWithPublicKey:(id )otherKey -{ - NSFEEPublicKey *other; - NSMutableData *result; - feeReturn frtn; - unsigned char *padData; - unsigned padDataLen; - - if(_pubKey == NULL) { - return nil; - } - if (![otherKey isMemberOfClass:isa]) { - return nil; - } - other = otherKey; - if(other->_pubKey == NULL) { - return nil; - } - frtn = feePubKeyCreatePad(_pubKey, - other->_pubKey, - &padData, - &padDataLen); - if(frtn) { - NSLog(@"padWithPublicKey: %s\n", feeReturnString(frtn)); - return nil; - } - result = [NSData dataWithBytesNoCopy:padData length:padDataLen]; - return result; -} - -- (NSData *)encryptData:(NSData *)data -{ - feeFEEDExp 
feed; - NSData *result; - feeReturn frtn; - unsigned char *ctext; - unsigned ctextLen; - - if(_pubKey == NULL) { - return nil; - } - feed = feeFEEDExpNewWithPubKey(_pubKey); - frtn = feeFEEDExpEncrypt(feed, - [data bytes], - [data length], - &ctext, - &ctextLen); - if(frtn == FR_Success) { - result = [NSData dataWithBytesNoCopy:ctext length:ctextLen]; - } - else { - NSLog(@"feeFEEDEncrypt: %s\n", feeReturnString(frtn)); - result = nil; - } - feeFEEDExpFree(feed); - return result; -} - -- (NSData *)decryptData:(NSData *)data -{ - feeFEEDExp feed; - NSData *result; - feeReturn frtn; - unsigned char *ptext; - unsigned ptextLen; - - if(_pubKey == NULL) { - return nil; - } - feed = feeFEEDExpNewWithPubKey(_pubKey); - frtn = feeFEEDExpDecrypt(feed, - [data bytes], - [data length], - &ptext, - &ptextLen); - if(frtn == FR_Success) { - result = [NSData dataWithBytesNoCopy:ptext length:ptextLen]; - } - else { - NSLog(@"feeFEEDDecrypt: %s\n", feeReturnString(frtn)); - result = nil; - } - feeFEEDExpFree(feed); - return result; -} - -/* - * When 1, we use ECDSA unless we're using a depth which does not - * have curve orders. - * WARNING - enabling ECDSA by default breaks ICE and compatibility - * with Java signatures, at least until we have a Java ECDSA - * implementation. 
- */ -#define ECDSA_SIG_DEFAULT 0 - -- (NSData *)digitalSignatureForData:(NSData *)data -{ - NSData *result; - unsigned char *sig; - unsigned sigLen; - feeReturn frtn; - curveParams *cp; - - if(_pubKey == NULL) { - return nil; - } - cp = feePubKeyCurveParams(_pubKey); - if(!ECDSA_SIG_DEFAULT || isZero(cp->x1OrderPlus)) { - frtn = feePubKeyCreateSignature(_pubKey, - [data bytes], - [data length], - &sig, - &sigLen); - } - else { - frtn = feePubKeyCreateECDSASignature(_pubKey, - [data bytes], - [data length], - &sig, - &sigLen); - } - if(frtn) { - NSLog(@"digitalSignatureForData: %s\n", feeReturnString(frtn)); - return nil; - } - result = [NSData dataWithBytesNoCopy:sig length:sigLen]; - return result; -} - -- (BOOL)isValidDigitalSignature:(NSData *)signa - forData:(NSData *)data -{ - feeReturn frtn; - feeUnichar *sigSigner; - unsigned sigSignerLen; - curveParams *cp; - - if(_pubKey == NULL) { - return NO; - } - cp = feePubKeyCurveParams(_pubKey); - if(!ECDSA_SIG_DEFAULT || isZero(cp->x1OrderPlus)) { - frtn = feePubKeyVerifySignature(_pubKey, - [data bytes], - [data length], - [signa bytes], - [signa length], - &sigSigner, - &sigSignerLen); - } - else { - frtn = feePubKeyVerifyECDSASignature(_pubKey, - [data bytes], - [data length], - [signa bytes], - [signa length], - &sigSigner, - &sigSignerLen); - } - - /* - * FIXME - We just throw away the signer for now... - */ - if(sigSignerLen) { - ffree(sigSigner); - } - - switch(frtn) { - case FR_Success: - return YES; - case FR_InvalidSignature: - return NO; - default: - /* - * Something other than simple signature mismatch... 
- */ - NSLog(@"isValidDigitalSignature: %s\n", feeReturnString(frtn)); - return NO; - } -} - -@end - -@implementation NSFEEPublicKey(Private) - -- (key)minus -{ - if(_pubKey == NULL) { - return NULL; - } - return feePubKeyMinusCurve(_pubKey); -} - -- (key)plus -{ - if(_pubKey == NULL) { - return NULL; - } - return feePubKeyPlusCurve(_pubKey); -} - -- (feePubKey)feePubKey -{ - return _pubKey; -} - -#if FEE_DEBUG -- (void)dump -{ - printPubKey(_pubKey); -} -#endif FEE_DEBUG - -@end diff --git a/OSX/libsecurity_cryptkit/lib/NSFEEPublicKeyPrivate.h b/OSX/libsecurity_cryptkit/lib/NSFEEPublicKeyPrivate.h deleted file mode 100644 index 37576972..00000000 --- a/OSX/libsecurity_cryptkit/lib/NSFEEPublicKeyPrivate.h +++ /dev/null @@ -1,36 +0,0 @@ -/* Copyright (c) 1998,2011,2014 Apple Inc. All Rights Reserved. - * - * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT - * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE - * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE, INC. AND THE - * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE, - * INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL - * EXPOSE YOU TO LIABILITY. - *************************************************************************** - * - * NSFEEPublicKeyPrivate.h - * - * Revision History - * ---------------- - * 21 Aug 96 at NeXT - * Created. - */ - -#import "NSFEEPublicKey.h" -#import "elliptic.h" -#import "feeDebug.h" -#import "feePublicKey.h" - -@interface NSFEEPublicKey(Private) - -- (key)minus; -- (key)plus; -#if 0 -- (NSData *)privData; -#endif 0 -- (feePubKey)feePubKey; - -#if FEE_DEBUG -- (void)dump; -#endif FEE_DEBUG -@end diff --git a/OSX/libsecurity_cryptkit/lib/NSMD5Hash.h b/OSX/libsecurity_cryptkit/lib/NSMD5Hash.h deleted file mode 100644 index 1553a496..00000000 --- a/OSX/libsecurity_cryptkit/lib/NSMD5Hash.h +++ /dev/null 
@@ -1,34 +0,0 @@ -/* Copyright (c) 1998,2011,2014 Apple Inc. All Rights Reserved. - * - * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT - * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE - * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE, INC. AND THE - * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE, - * INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL - * EXPOSE YOU TO LIABILITY. - *************************************************************************** - * - * NSMD5Hash.h - * - * Revision History - * ---------------- - * 28 Mar 97 at Apple - * Created. - */ - -#import -#import - -@interface NSMD5Hash : NSObject - -{ - void *_priv; -} - -+ digester; // provides a concrete digester -- init; // reusable -- (void)digestData:(NSData *)data; -- (NSData *)messageDigest; // provide digest; re-init -- (NSData *)digestData:(NSData *)data withSalt:(NSData *)salt; - -@end diff --git a/OSX/libsecurity_cryptkit/lib/NSMD5Hash.m b/OSX/libsecurity_cryptkit/lib/NSMD5Hash.m deleted file mode 100644 index 8e372be7..00000000 --- a/OSX/libsecurity_cryptkit/lib/NSMD5Hash.m +++ /dev/null 
@@ -1,79 +0,0 @@ -/* Copyright (c) 1998,2011,2014 Apple Inc. All Rights Reserved. - * - * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT - * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE - * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE, INC. AND THE - * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE, - * INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL - * EXPOSE YOU TO LIABILITY. - *************************************************************************** - * - * NSMD5Hash.h - * - * Revision History - * ---------------- - * 28 Mar 97 at Apple - * Created. - */ - -/* - * Note: our _priv ivar is actually a feeHash pointer. - */ -#import "NSCryptors.h" -#import "NSMD5Hash.h" -#import "feeHash.h" -#import "falloc.h" - -@implementation NSMD5Hash - -+ digester -{ - return [[self alloc] init]; -} - -- init -{ - if(_priv == NULL) { - _priv = feeHashAlloc(); - } - else { - feeHashReinit(_priv); - } - return self; -} - -- (void)digestData:(NSData *)data -{ - if(_priv == NULL) { - return; - } - feeHashAddData(_priv, [data bytes], [data length]); -} - -- (NSData *)messageDigest -{ - unsigned char *cp; - NSData *md; - - if(_priv == NULL) { - return nil; - } - cp = feeHashDigest(_priv); - md = [NSData dataWithBytes:cp length:feeHashDigestLen()]; - feeHashReinit(_priv); - return md; -} - -- (NSData *)digestData:(NSData *)data withSalt:(NSData *)salt -{ - if(_priv == NULL) { - return nil; - } - if(salt != nil) { - [self digestData:salt]; - } - [self digestData:data]; - return [self messageDigest]; -} - -@end diff --git a/OSX/libsecurity_cryptkit/lib/NSRandomNumberGenerator.h b/OSX/libsecurity_cryptkit/lib/NSRandomNumberGenerator.h deleted file mode 100644 index 1de469cd..00000000 --- a/OSX/libsecurity_cryptkit/lib/NSRandomNumberGenerator.h +++ /dev/null 
@@ -1,36 +0,0 @@ -/* Copyright (c) 1998,2011,2014 Apple Inc. All Rights Reserved. - * - * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT - * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE - * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE, INC. AND THE - * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE, - * INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL - * EXPOSE YOU TO LIABILITY. - *************************************************************************** - * - * NSRandomNumberGenerator.h - * - * Revision History - * ---------------- - * 28 Mar 97 at Apple - * Simplified. - * ?? 96 Blaine Garst at NeXT - * Created. - */ - -#import - -@interface NSRandomNumberGenerator : NSObject -{ - void *_priv; -} - -- initWithSeed:(unsigned)seed; // designated initializer -- init; // we'll come up with the best seed - // we can - -- (unsigned)nextNumber; -- (unsigned)nextNumberInRange:(NSRange)range; -- (NSData *)randomDataWithLength:(unsigned)l; - -@end diff --git a/OSX/libsecurity_cryptkit/lib/NSRandomNumberGenerator.m b/OSX/libsecurity_cryptkit/lib/NSRandomNumberGenerator.m deleted file mode 100644 index 4d92fc55..00000000 --- a/OSX/libsecurity_cryptkit/lib/NSRandomNumberGenerator.m +++ /dev/null 
@@ -1,83 +0,0 @@ -/* Copyright (c) 1998,2011,2014 Apple Inc. All Rights Reserved. - * - * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT - * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE - * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE, INC. AND THE - * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE, - * INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL - * EXPOSE YOU TO LIABILITY. - *************************************************************************** - * - * NSRandomNumberGenerator.m - * - * Revision History - * ---------------- - * 28 Mar 97 at Apple - * Rewrote using feeRandom module. - * ?? 96 Blaine Garst at NeXT - * Created. - */ - -/* - * Note: out _priv ivar is actually a feeRand pointer. - */ - -#import -#import "NSRandomNumberGenerator.h" -#import "feeRandom.h" -#import "falloc.h" - -@implementation NSRandomNumberGenerator - -- init -{ - if(_priv == NULL) { - _priv = feeRandAlloc(); - } - /* - * else no need to re-init - */ - return self; -} - -- initWithSeed:(unsigned)seed -{ - if(_priv != NULL) { - /* - * Free & re-init to use new seed - */ - feeRandFree(_priv); - } - _priv = feeRandAllocWithSeed(seed); - return self; -} - -- (unsigned)nextNumber -{ - if(_priv == NULL) { - return 0; - } - return feeRandNextNum(_priv); -} - -- (unsigned)nextNumberInRange:(NSRange)range -{ - if(_priv == NULL) { - return 0; - } - return range.location + ([self nextNumber] % range.length); -} - -- (NSData *)randomDataWithLength:(unsigned)l -{ - unsigned char *cp; - - if(_priv == NULL) { - return nil; - } - cp = fmalloc(l); - feeRandBytes(_priv, cp, l); - return [NSData dataWithBytesNoCopy:cp length:l]; -} - -@end diff --git a/OSX/libsecurity_cryptkit/lib/mutils.h b/OSX/libsecurity_cryptkit/lib/mutils.h deleted file mode 100644 index 57023f74..00000000 --- a/OSX/libsecurity_cryptkit/lib/mutils.h +++ /dev/null 
@@ -1,36 +0,0 @@ -/* Copyright (c) 1998,2011,2014 Apple Inc. All Rights Reserved. - * - * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT - * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE - * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE, INC. AND THE - * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE, - * INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL - * EXPOSE YOU TO LIABILITY. - *************************************************************************** - * - * mutils.h - general private ObjC routine declarations - * - * Revision History - * ---------------- - * 2 Aug 96 at NeXT - * Broke out from Blaine Garst's original NSCryptors.m - */ - -#ifndef _CK_MUTILS_H_ -#define _CK_MUTILS_H_ - -#include -#include "giantIntegers.h" - -#ifdef __cplusplus -extern "C" { -#endif - -extern NSMutableData *data_with_giant(giant u); -extern void canonicalize_data(NSMutableData *data); - -#ifdef __cplusplus -} -#endif - -#endif /*_CK_MUTILS_H_*/ diff --git a/OSX/libsecurity_cryptkit/lib/mutils.m b/OSX/libsecurity_cryptkit/lib/mutils.m deleted file mode 100644 index 129c905c..00000000 --- a/OSX/libsecurity_cryptkit/lib/mutils.m +++ /dev/null 
@@ -1,44 +0,0 @@ -/* Copyright (c) 1998,2011,2014 Apple Inc. All Rights Reserved. - * - * NOTICE: USE OF THE MATERIALS ACCOMPANYING THIS NOTICE IS SUBJECT - * TO THE TERMS OF THE SIGNED "FAST ELLIPTIC ENCRYPTION (FEE) REFERENCE - * SOURCE CODE EVALUATION AGREEMENT" BETWEEN APPLE, INC. AND THE - * ORIGINAL LICENSEE THAT OBTAINED THESE MATERIALS FROM APPLE, - * INC. ANY USE OF THESE MATERIALS NOT PERMITTED BY SUCH AGREEMENT WILL - * EXPOSE YOU TO LIABILITY. - *************************************************************************** - * - * mutils.m - general private ObjC routine declarations - * - * Revision History - * ---------------- - * 2 Aug 96 at NeXT - * Broke out from Blaine Garst's original NSCryptors.m - */ - -#import -#import "giantIntegers.h" -#import "ckutilities.h" -#import "mutils.h" -#import "feeFunctions.h" -#import - -#if defined(NeXT) && !defined(WIN32) - -/* - * Public, declared in NSCryptors.h - */ -NSString *NSPromptForPassPhrase(NSString *prompt) { - // useful for command line (/dev/tty) programs - char buffer[PHRASELEN]; - NSString *result; - - getpassword([prompt cString], buffer); - if (buffer[0] == 0) return nil; - result = [NSString stringWithCString:buffer]; - bzero(buffer, PHRASELEN); - return result; -} - - -#endif NeXT diff --git a/OSX/libsecurity_cssm/lib/cssmerr.h b/OSX/libsecurity_cssm/lib/cssmerr.h index 9d518fd5..4465dbc0 100644 --- a/OSX/libsecurity_cssm/lib/cssmerr.h +++ b/OSX/libsecurity_cssm/lib/cssmerr.h 
@@ -89,16 +89,11 @@ enum {
 
 /* General Error Values. */
 enum {
- CSSMERR_CSSM_INVALID_ADDIN_HANDLE =
- CSSM_CSSM_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT + 1,
- CSSMERR_CSSM_NOT_INITIALIZED =
- CSSM_CSSM_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT + 2,
- CSSMERR_CSSM_INVALID_HANDLE_USAGE =
- CSSM_CSSM_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT + 3,
- CSSMERR_CSSM_PVC_REFERENT_NOT_FOUND =
- CSSM_CSSM_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT + 4,
- CSSMERR_CSSM_FUNCTION_INTEGRITY_FAIL =
- CSSM_CSSM_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT + 5
+ CSSMERR_CSSM_INVALID_ADDIN_HANDLE = -2147417855,
+ CSSMERR_CSSM_NOT_INITIALIZED = -2147417854,
+ CSSMERR_CSSM_INVALID_HANDLE_USAGE = -2147417853,
+ CSSMERR_CSSM_PVC_REFERENT_NOT_FOUND = -2147417852,
+ CSSMERR_CSSM_FUNCTION_INTEGRITY_FAIL = -2147417851,
 };
 
 /* Common Error Codes For All Module Types. */
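Review bot: The five decimal literals in this enum (`-2147417855` through `-2147417851`) no longer show how each code is derived, and nothing in the header ties them back to `CSSM_CSSM_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT + n`, the form that `CSSM_CSSM_BASE_CSSM_ERROR` further down still uses. These are status codes that callers presumably compare against, so a mistyped digit would change which failure is reported without any compiler diagnostic. I would keep the derivation as a trailing comment on each line, e.g. `CSSMERR_CSSM_NOT_INITIALIZED = -2147417854, /* CSSM_CSSM_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT + 2 */`, and, if the build allows it, pin at least one value per enum with a compile-time equality check in a source file. The hunk at `-175,155` makes the same substitution and needs the same treatment.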
@@ -175,155 +170,102 @@ enum { /* CSSM Error Values Derived from Common Error Codes For All Module Types. */ enum { - CSSMERR_CSSM_INTERNAL_ERROR = - CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INTERNAL_ERROR, - CSSMERR_CSSM_MEMORY_ERROR = - CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_MEMORY_ERROR, - CSSMERR_CSSM_MDS_ERROR = - CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_MDS_ERROR, - CSSMERR_CSSM_INVALID_POINTER = - CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INVALID_POINTER, - CSSMERR_CSSM_INVALID_INPUT_POINTER = - CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INVALID_INPUT_POINTER, - CSSMERR_CSSM_INVALID_OUTPUT_POINTER = - CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INVALID_OUTPUT_POINTER, - CSSMERR_CSSM_FUNCTION_NOT_IMPLEMENTED = - CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED, - CSSMERR_CSSM_SELF_CHECK_FAILED = - CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_SELF_CHECK_FAILED, - CSSMERR_CSSM_OS_ACCESS_DENIED = - CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_OS_ACCESS_DENIED, - CSSMERR_CSSM_FUNCTION_FAILED = - CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_FUNCTION_FAILED, - CSSMERR_CSSM_MODULE_MANIFEST_VERIFY_FAILED = - CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_MODULE_MANIFEST_VERIFY_FAILED, - CSSMERR_CSSM_INVALID_GUID = - CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INVALID_GUID + CSSMERR_CSSM_INTERNAL_ERROR = -2147418111, + CSSMERR_CSSM_MEMORY_ERROR = -2147418110, + CSSMERR_CSSM_MDS_ERROR = -2147418109, + CSSMERR_CSSM_INVALID_POINTER = -2147418108, + CSSMERR_CSSM_INVALID_INPUT_POINTER = -2147418107, + CSSMERR_CSSM_INVALID_OUTPUT_POINTER = -2147418106, + CSSMERR_CSSM_FUNCTION_NOT_IMPLEMENTED = -2147418105, + CSSMERR_CSSM_SELF_CHECK_FAILED = -2147418104, + CSSMERR_CSSM_OS_ACCESS_DENIED = -2147418103, + CSSMERR_CSSM_FUNCTION_FAILED = -2147418102, + CSSMERR_CSSM_MODULE_MANIFEST_VERIFY_FAILED = -2147418101, + CSSMERR_CSSM_INVALID_GUID = -2147418100, }; /* CSSM Error Values for Specific Data Types. 
*/ enum { - CSSMERR_CSSM_INVALID_CONTEXT_HANDLE = - CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INVALID_CONTEXT_HANDLE, - CSSMERR_CSSM_INCOMPATIBLE_VERSION = - CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INCOMPATIBLE_VERSION, - CSSMERR_CSSM_PRIVILEGE_NOT_GRANTED = - CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_PRIVILEGE_NOT_GRANTED + CSSMERR_CSSM_INVALID_CONTEXT_HANDLE = -2147418048, + CSSMERR_CSSM_INCOMPATIBLE_VERSION = -2147418047, + CSSMERR_CSSM_PRIVILEGE_NOT_GRANTED = -2147418037, }; /* CSSM Module-Specific Error Values */ enum { CSSM_CSSM_BASE_CSSM_ERROR = CSSM_CSSM_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT + 0x10, - CSSMERR_CSSM_SCOPE_NOT_SUPPORTED = CSSM_CSSM_BASE_CSSM_ERROR + 1, - CSSMERR_CSSM_PVC_ALREADY_CONFIGURED = CSSM_CSSM_BASE_CSSM_ERROR + 2, - CSSMERR_CSSM_INVALID_PVC = CSSM_CSSM_BASE_CSSM_ERROR + 3, - CSSMERR_CSSM_EMM_LOAD_FAILED = CSSM_CSSM_BASE_CSSM_ERROR + 4, - CSSMERR_CSSM_EMM_UNLOAD_FAILED = CSSM_CSSM_BASE_CSSM_ERROR + 5, - CSSMERR_CSSM_ADDIN_LOAD_FAILED = CSSM_CSSM_BASE_CSSM_ERROR + 6, - CSSMERR_CSSM_INVALID_KEY_HIERARCHY = CSSM_CSSM_BASE_CSSM_ERROR + 7, - CSSMERR_CSSM_ADDIN_UNLOAD_FAILED = CSSM_CSSM_BASE_CSSM_ERROR + 8, - CSSMERR_CSSM_LIB_REF_NOT_FOUND = CSSM_CSSM_BASE_CSSM_ERROR + 9, - CSSMERR_CSSM_INVALID_ADDIN_FUNCTION_TABLE = CSSM_CSSM_BASE_CSSM_ERROR + 10, - CSSMERR_CSSM_EMM_AUTHENTICATE_FAILED = CSSM_CSSM_BASE_CSSM_ERROR + 11, - CSSMERR_CSSM_ADDIN_AUTHENTICATE_FAILED = CSSM_CSSM_BASE_CSSM_ERROR + 12, - CSSMERR_CSSM_INVALID_SERVICE_MASK = CSSM_CSSM_BASE_CSSM_ERROR + 13, - CSSMERR_CSSM_MODULE_NOT_LOADED = CSSM_CSSM_BASE_CSSM_ERROR + 14, - CSSMERR_CSSM_INVALID_SUBSERVICEID = CSSM_CSSM_BASE_CSSM_ERROR + 15, - CSSMERR_CSSM_BUFFER_TOO_SMALL = CSSM_CSSM_BASE_CSSM_ERROR + 16, - CSSMERR_CSSM_INVALID_ATTRIBUTE = CSSM_CSSM_BASE_CSSM_ERROR + 17, - CSSMERR_CSSM_ATTRIBUTE_NOT_IN_CONTEXT = CSSM_CSSM_BASE_CSSM_ERROR + 18, - CSSMERR_CSSM_MODULE_MANAGER_INITIALIZE_FAIL = CSSM_CSSM_BASE_CSSM_ERROR + 19, - CSSMERR_CSSM_MODULE_MANAGER_NOT_FOUND = CSSM_CSSM_BASE_CSSM_ERROR + 20, - 
CSSMERR_CSSM_EVENT_NOTIFICATION_CALLBACK_NOT_FOUND = CSSM_CSSM_BASE_CSSM_ERROR + 21 + CSSMERR_CSSM_SCOPE_NOT_SUPPORTED = -2147417839, + CSSMERR_CSSM_PVC_ALREADY_CONFIGURED = -2147417838, + CSSMERR_CSSM_INVALID_PVC = -2147417837, + CSSMERR_CSSM_EMM_LOAD_FAILED = -2147417836, + CSSMERR_CSSM_EMM_UNLOAD_FAILED = -2147417835, + CSSMERR_CSSM_ADDIN_LOAD_FAILED = -2147417834, + CSSMERR_CSSM_INVALID_KEY_HIERARCHY = -2147417833, + CSSMERR_CSSM_ADDIN_UNLOAD_FAILED = -2147417832, + CSSMERR_CSSM_LIB_REF_NOT_FOUND = -2147417831, + CSSMERR_CSSM_INVALID_ADDIN_FUNCTION_TABLE = -2147417830, + CSSMERR_CSSM_EMM_AUTHENTICATE_FAILED = -2147417829, + CSSMERR_CSSM_ADDIN_AUTHENTICATE_FAILED = -2147417828, + CSSMERR_CSSM_INVALID_SERVICE_MASK = -2147417827, + CSSMERR_CSSM_MODULE_NOT_LOADED = -2147417826, + CSSMERR_CSSM_INVALID_SUBSERVICEID = -2147417825, + CSSMERR_CSSM_BUFFER_TOO_SMALL = -2147417824, + CSSMERR_CSSM_INVALID_ATTRIBUTE = -2147417823, + CSSMERR_CSSM_ATTRIBUTE_NOT_IN_CONTEXT = -2147417822, + CSSMERR_CSSM_MODULE_MANAGER_INITIALIZE_FAIL = -2147417821, + CSSMERR_CSSM_MODULE_MANAGER_NOT_FOUND = -2147417820, + CSSMERR_CSSM_EVENT_NOTIFICATION_CALLBACK_NOT_FOUND = -2147417819, }; /* CSP Error Values Derived from Common Error Codes For All Module Types. 
*/ enum { - CSSMERR_CSP_INTERNAL_ERROR = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INTERNAL_ERROR, - CSSMERR_CSP_MEMORY_ERROR = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_MEMORY_ERROR, - CSSMERR_CSP_MDS_ERROR = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_MDS_ERROR, - CSSMERR_CSP_INVALID_POINTER = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_POINTER, - CSSMERR_CSP_INVALID_INPUT_POINTER = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_INPUT_POINTER, - CSSMERR_CSP_INVALID_OUTPUT_POINTER = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_OUTPUT_POINTER, - CSSMERR_CSP_FUNCTION_NOT_IMPLEMENTED = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED, - CSSMERR_CSP_SELF_CHECK_FAILED = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_SELF_CHECK_FAILED, - CSSMERR_CSP_OS_ACCESS_DENIED = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_OS_ACCESS_DENIED, - CSSMERR_CSP_FUNCTION_FAILED = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_FUNCTION_FAILED + CSSMERR_CSP_INTERNAL_ERROR = -2147416063, + CSSMERR_CSP_MEMORY_ERROR = -2147416062, + CSSMERR_CSP_MDS_ERROR = -2147416061, + CSSMERR_CSP_INVALID_POINTER = -2147416060, + CSSMERR_CSP_INVALID_INPUT_POINTER = -2147416059, + CSSMERR_CSP_INVALID_OUTPUT_POINTER = -2147416058, + CSSMERR_CSP_FUNCTION_NOT_IMPLEMENTED = -2147416057, + CSSMERR_CSP_SELF_CHECK_FAILED = -2147416056, + CSSMERR_CSP_OS_ACCESS_DENIED = -2147416055, + CSSMERR_CSP_FUNCTION_FAILED = -2147416054, }; /* CSP Error Values Derived from ACL-based Error Codes. 
*/ enum { - CSSMERR_CSP_OPERATION_AUTH_DENIED = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_OPERATION_AUTH_DENIED, - CSSMERR_CSP_OBJECT_USE_AUTH_DENIED = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_OBJECT_USE_AUTH_DENIED, - CSSMERR_CSP_OBJECT_MANIP_AUTH_DENIED = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_OBJECT_MANIP_AUTH_DENIED, - CSSMERR_CSP_OBJECT_ACL_NOT_SUPPORTED = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_OBJECT_ACL_NOT_SUPPORTED, - CSSMERR_CSP_OBJECT_ACL_REQUIRED = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_OBJECT_ACL_REQUIRED, - CSSMERR_CSP_INVALID_ACCESS_CREDENTIALS = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_ACCESS_CREDENTIALS, - CSSMERR_CSP_INVALID_ACL_BASE_CERTS = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_BASE_CERTS, - CSSMERR_CSP_ACL_BASE_CERTS_NOT_SUPPORTED = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_ACL_BASE_CERTS_NOT_SUPPORTED, - CSSMERR_CSP_INVALID_SAMPLE_VALUE = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_SAMPLE_VALUE, - CSSMERR_CSP_SAMPLE_VALUE_NOT_SUPPORTED = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_SAMPLE_VALUE_NOT_SUPPORTED, - CSSMERR_CSP_INVALID_ACL_SUBJECT_VALUE = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE, - CSSMERR_CSP_ACL_SUBJECT_TYPE_NOT_SUPPORTED = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_ACL_SUBJECT_TYPE_NOT_SUPPORTED, - CSSMERR_CSP_INVALID_ACL_CHALLENGE_CALLBACK = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_CHALLENGE_CALLBACK, - CSSMERR_CSP_ACL_CHALLENGE_CALLBACK_FAILED = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_ACL_CHALLENGE_CALLBACK_FAILED, - CSSMERR_CSP_INVALID_ACL_ENTRY_TAG = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_ENTRY_TAG, - CSSMERR_CSP_ACL_ENTRY_TAG_NOT_FOUND = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_ACL_ENTRY_TAG_NOT_FOUND, - CSSMERR_CSP_INVALID_ACL_EDIT_MODE = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_EDIT_MODE, - CSSMERR_CSP_ACL_CHANGE_FAILED = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_ACL_CHANGE_FAILED, - CSSMERR_CSP_INVALID_NEW_ACL_ENTRY = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_NEW_ACL_ENTRY, - 
CSSMERR_CSP_INVALID_NEW_ACL_OWNER = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_NEW_ACL_OWNER, - CSSMERR_CSP_ACL_DELETE_FAILED = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_ACL_DELETE_FAILED, - CSSMERR_CSP_ACL_REPLACE_FAILED = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_ACL_REPLACE_FAILED, - CSSMERR_CSP_ACL_ADD_FAILED = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_ACL_ADD_FAILED + CSSMERR_CSP_OPERATION_AUTH_DENIED = -2147416032, + CSSMERR_CSP_OBJECT_USE_AUTH_DENIED = -2147416031, + CSSMERR_CSP_OBJECT_MANIP_AUTH_DENIED = -2147416030, + CSSMERR_CSP_OBJECT_ACL_NOT_SUPPORTED = -2147416029, + CSSMERR_CSP_OBJECT_ACL_REQUIRED = -2147416028, + CSSMERR_CSP_INVALID_ACCESS_CREDENTIALS = -2147416027, + CSSMERR_CSP_INVALID_ACL_BASE_CERTS = -2147416026, + CSSMERR_CSP_ACL_BASE_CERTS_NOT_SUPPORTED = -2147416025, + CSSMERR_CSP_INVALID_SAMPLE_VALUE = -2147416024, + CSSMERR_CSP_SAMPLE_VALUE_NOT_SUPPORTED = -2147416023, + CSSMERR_CSP_INVALID_ACL_SUBJECT_VALUE = -2147416022, + CSSMERR_CSP_ACL_SUBJECT_TYPE_NOT_SUPPORTED = -2147416021, + CSSMERR_CSP_INVALID_ACL_CHALLENGE_CALLBACK = -2147416020, + CSSMERR_CSP_ACL_CHALLENGE_CALLBACK_FAILED = -2147416019, + CSSMERR_CSP_INVALID_ACL_ENTRY_TAG = -2147416018, + CSSMERR_CSP_ACL_ENTRY_TAG_NOT_FOUND = -2147416017, + CSSMERR_CSP_INVALID_ACL_EDIT_MODE = -2147416016, + CSSMERR_CSP_ACL_CHANGE_FAILED = -2147416015, + CSSMERR_CSP_INVALID_NEW_ACL_ENTRY = -2147416014, + CSSMERR_CSP_INVALID_NEW_ACL_OWNER = -2147416013, + CSSMERR_CSP_ACL_DELETE_FAILED = -2147416012, + CSSMERR_CSP_ACL_REPLACE_FAILED = -2147416011, + CSSMERR_CSP_ACL_ADD_FAILED = -2147416010, }; /* CSP Error Values for Specific Data Types. 
*/ enum { - CSSMERR_CSP_INVALID_CONTEXT_HANDLE = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_CONTEXT_HANDLE, - CSSMERR_CSP_PRIVILEGE_NOT_GRANTED = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_PRIVILEGE_NOT_GRANTED, - CSSMERR_CSP_INVALID_DATA = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_DATA, - CSSMERR_CSP_INVALID_PASSTHROUGH_ID = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_PASSTHROUGH_ID, - CSSMERR_CSP_INVALID_CRYPTO_DATA = - CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INVALID_CRYPTO_DATA + CSSMERR_CSP_INVALID_CONTEXT_HANDLE = -2147416000, + CSSMERR_CSP_PRIVILEGE_NOT_GRANTED = -2147415989, + CSSMERR_CSP_INVALID_DATA = -2147415994, + CSSMERR_CSP_INVALID_PASSTHROUGH_ID = -2147415978, + CSSMERR_CSP_INVALID_CRYPTO_DATA = -2147415976, }; /* CSP Module-Specific Error Values */ 
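Review bot: The enumerators in this hunk lose the only record of how each value is derived, and the literals are not always in numeric order (`CSSMERR_CSP_PRIVILEGE_NOT_GRANTED = -2147415989` comes before `CSSMERR_CSP_INVALID_DATA = -2147415994`), so a reader can no longer check a value by its position. A one-line comment at the top of each enum would restore that, for example `/* Each value is CSSM_CSP_BASE_ERROR + the matching CSSM_ERRCODE_* constant. */` on the CSP blocks. In the CSSM module-specific enum, `CSSM_CSSM_BASE_CSSM_ERROR` is still computed while its members are now literal; a comment such as `/* Members below are CSSM_CSSM_BASE_CSSM_ERROR + 1 .. + 21. */` would keep that link visible.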
@@ -331,488 +273,375 @@ enum { /* General CSP Error Values */ CSSM_CSP_BASE_CSP_ERROR = CSSM_CSP_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT, - CSSMERR_CSP_INPUT_LENGTH_ERROR = CSSM_CSP_BASE_CSP_ERROR + 1, - CSSMERR_CSP_OUTPUT_LENGTH_ERROR = CSSM_CSP_BASE_CSP_ERROR + 2, - CSSMERR_CSP_PRIVILEGE_NOT_SUPPORTED = CSSM_CSP_BASE_CSP_ERROR + 3, - CSSMERR_CSP_DEVICE_ERROR = CSSM_CSP_BASE_CSP_ERROR + 4, - CSSMERR_CSP_DEVICE_MEMORY_ERROR = CSSM_CSP_BASE_CSP_ERROR + 5, - CSSMERR_CSP_ATTACH_HANDLE_BUSY = CSSM_CSP_BASE_CSP_ERROR + 6, - CSSMERR_CSP_NOT_LOGGED_IN = CSSM_CSP_BASE_CSP_ERROR + 7, - CSSMERR_CSP_INVALID_KEY = CSSM_CSP_BASE_CSP_ERROR + 16, - CSSMERR_CSP_INVALID_KEY_REFERENCE = CSSM_CSP_BASE_CSP_ERROR + 17, - CSSMERR_CSP_INVALID_KEY_CLASS = CSSM_CSP_BASE_CSP_ERROR + 18, - CSSMERR_CSP_ALGID_MISMATCH = CSSM_CSP_BASE_CSP_ERROR + 19, - CSSMERR_CSP_KEY_USAGE_INCORRECT = CSSM_CSP_BASE_CSP_ERROR + 20, - CSSMERR_CSP_KEY_BLOB_TYPE_INCORRECT = CSSM_CSP_BASE_CSP_ERROR + 21, - CSSMERR_CSP_KEY_HEADER_INCONSISTENT = CSSM_CSP_BASE_CSP_ERROR + 22, - CSSMERR_CSP_UNSUPPORTED_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 23, - CSSMERR_CSP_UNSUPPORTED_KEY_SIZE = CSSM_CSP_BASE_CSP_ERROR + 24, - CSSMERR_CSP_INVALID_KEY_POINTER = CSSM_CSP_BASE_CSP_ERROR + 25, - CSSMERR_CSP_INVALID_KEYUSAGE_MASK = CSSM_CSP_BASE_CSP_ERROR + 26, - CSSMERR_CSP_UNSUPPORTED_KEYUSAGE_MASK = CSSM_CSP_BASE_CSP_ERROR + 27, - CSSMERR_CSP_INVALID_KEYATTR_MASK = CSSM_CSP_BASE_CSP_ERROR + 28, - CSSMERR_CSP_UNSUPPORTED_KEYATTR_MASK = CSSM_CSP_BASE_CSP_ERROR + 29, - CSSMERR_CSP_INVALID_KEY_LABEL = CSSM_CSP_BASE_CSP_ERROR + 30, - CSSMERR_CSP_UNSUPPORTED_KEY_LABEL = CSSM_CSP_BASE_CSP_ERROR + 31, - CSSMERR_CSP_INVALID_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 32, - - /* CSP Vector of Buffers Error Values. 
*/ - CSSMERR_CSP_INVALID_DATA_COUNT = CSSM_CSP_BASE_CSP_ERROR + 40, - CSSMERR_CSP_VECTOR_OF_BUFS_UNSUPPORTED = CSSM_CSP_BASE_CSP_ERROR + 41, - CSSMERR_CSP_INVALID_INPUT_VECTOR = CSSM_CSP_BASE_CSP_ERROR + 42, - CSSMERR_CSP_INVALID_OUTPUT_VECTOR = CSSM_CSP_BASE_CSP_ERROR + 43, - - /* CSP Cryptographic Context Error Values. */ - CSSMERR_CSP_INVALID_CONTEXT = CSSM_CSP_BASE_CSP_ERROR + 48, - CSSMERR_CSP_INVALID_ALGORITHM = CSSM_CSP_BASE_CSP_ERROR + 49, - CSSMERR_CSP_INVALID_ATTR_KEY = CSSM_CSP_BASE_CSP_ERROR + 54, - CSSMERR_CSP_MISSING_ATTR_KEY = CSSM_CSP_BASE_CSP_ERROR + 55, - CSSMERR_CSP_INVALID_ATTR_INIT_VECTOR = CSSM_CSP_BASE_CSP_ERROR + 56, - CSSMERR_CSP_MISSING_ATTR_INIT_VECTOR = CSSM_CSP_BASE_CSP_ERROR + 57, - CSSMERR_CSP_INVALID_ATTR_SALT = CSSM_CSP_BASE_CSP_ERROR + 58, - CSSMERR_CSP_MISSING_ATTR_SALT = CSSM_CSP_BASE_CSP_ERROR + 59, - CSSMERR_CSP_INVALID_ATTR_PADDING = CSSM_CSP_BASE_CSP_ERROR + 60, - CSSMERR_CSP_MISSING_ATTR_PADDING = CSSM_CSP_BASE_CSP_ERROR + 61, - CSSMERR_CSP_INVALID_ATTR_RANDOM = CSSM_CSP_BASE_CSP_ERROR + 62, - CSSMERR_CSP_MISSING_ATTR_RANDOM = CSSM_CSP_BASE_CSP_ERROR + 63, - CSSMERR_CSP_INVALID_ATTR_SEED = CSSM_CSP_BASE_CSP_ERROR + 64, - CSSMERR_CSP_MISSING_ATTR_SEED = CSSM_CSP_BASE_CSP_ERROR + 65, - CSSMERR_CSP_INVALID_ATTR_PASSPHRASE = CSSM_CSP_BASE_CSP_ERROR + 66, - CSSMERR_CSP_MISSING_ATTR_PASSPHRASE = CSSM_CSP_BASE_CSP_ERROR + 67, - CSSMERR_CSP_INVALID_ATTR_KEY_LENGTH = CSSM_CSP_BASE_CSP_ERROR + 68, - CSSMERR_CSP_MISSING_ATTR_KEY_LENGTH = CSSM_CSP_BASE_CSP_ERROR + 69, - CSSMERR_CSP_INVALID_ATTR_BLOCK_SIZE = CSSM_CSP_BASE_CSP_ERROR + 70, - CSSMERR_CSP_MISSING_ATTR_BLOCK_SIZE = CSSM_CSP_BASE_CSP_ERROR + 71, - CSSMERR_CSP_INVALID_ATTR_OUTPUT_SIZE = CSSM_CSP_BASE_CSP_ERROR + 100, - CSSMERR_CSP_MISSING_ATTR_OUTPUT_SIZE = CSSM_CSP_BASE_CSP_ERROR + 101, - CSSMERR_CSP_INVALID_ATTR_ROUNDS = CSSM_CSP_BASE_CSP_ERROR + 102, - CSSMERR_CSP_MISSING_ATTR_ROUNDS = CSSM_CSP_BASE_CSP_ERROR + 103, - CSSMERR_CSP_INVALID_ATTR_ALG_PARAMS = 
CSSM_CSP_BASE_CSP_ERROR + 104, - CSSMERR_CSP_MISSING_ATTR_ALG_PARAMS = CSSM_CSP_BASE_CSP_ERROR + 105, - CSSMERR_CSP_INVALID_ATTR_LABEL = CSSM_CSP_BASE_CSP_ERROR + 106, - CSSMERR_CSP_MISSING_ATTR_LABEL = CSSM_CSP_BASE_CSP_ERROR + 107, - CSSMERR_CSP_INVALID_ATTR_KEY_TYPE = CSSM_CSP_BASE_CSP_ERROR + 108, - CSSMERR_CSP_MISSING_ATTR_KEY_TYPE = CSSM_CSP_BASE_CSP_ERROR + 109, - CSSMERR_CSP_INVALID_ATTR_MODE = CSSM_CSP_BASE_CSP_ERROR + 110, - CSSMERR_CSP_MISSING_ATTR_MODE = CSSM_CSP_BASE_CSP_ERROR + 111, - CSSMERR_CSP_INVALID_ATTR_EFFECTIVE_BITS = CSSM_CSP_BASE_CSP_ERROR + 112, - CSSMERR_CSP_MISSING_ATTR_EFFECTIVE_BITS = CSSM_CSP_BASE_CSP_ERROR + 113, - CSSMERR_CSP_INVALID_ATTR_START_DATE = CSSM_CSP_BASE_CSP_ERROR + 114, - CSSMERR_CSP_MISSING_ATTR_START_DATE = CSSM_CSP_BASE_CSP_ERROR + 115, - CSSMERR_CSP_INVALID_ATTR_END_DATE = CSSM_CSP_BASE_CSP_ERROR + 116, - CSSMERR_CSP_MISSING_ATTR_END_DATE = CSSM_CSP_BASE_CSP_ERROR + 117, - CSSMERR_CSP_INVALID_ATTR_VERSION = CSSM_CSP_BASE_CSP_ERROR + 118, - CSSMERR_CSP_MISSING_ATTR_VERSION = CSSM_CSP_BASE_CSP_ERROR + 119, - CSSMERR_CSP_INVALID_ATTR_PRIME = CSSM_CSP_BASE_CSP_ERROR + 120, - CSSMERR_CSP_MISSING_ATTR_PRIME = CSSM_CSP_BASE_CSP_ERROR + 121, - CSSMERR_CSP_INVALID_ATTR_BASE = CSSM_CSP_BASE_CSP_ERROR + 122, - CSSMERR_CSP_MISSING_ATTR_BASE = CSSM_CSP_BASE_CSP_ERROR + 123, - CSSMERR_CSP_INVALID_ATTR_SUBPRIME = CSSM_CSP_BASE_CSP_ERROR + 124, - CSSMERR_CSP_MISSING_ATTR_SUBPRIME = CSSM_CSP_BASE_CSP_ERROR + 125, - CSSMERR_CSP_INVALID_ATTR_ITERATION_COUNT = CSSM_CSP_BASE_CSP_ERROR + 126, - CSSMERR_CSP_MISSING_ATTR_ITERATION_COUNT = CSSM_CSP_BASE_CSP_ERROR + 127, - CSSMERR_CSP_INVALID_ATTR_DL_DB_HANDLE = CSSM_CSP_BASE_CSP_ERROR + 128, - CSSMERR_CSP_MISSING_ATTR_DL_DB_HANDLE = CSSM_CSP_BASE_CSP_ERROR + 129, - CSSMERR_CSP_INVALID_ATTR_ACCESS_CREDENTIALS = CSSM_CSP_BASE_CSP_ERROR + 130, - CSSMERR_CSP_MISSING_ATTR_ACCESS_CREDENTIALS = CSSM_CSP_BASE_CSP_ERROR + 131, - CSSMERR_CSP_INVALID_ATTR_PUBLIC_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 
132, - CSSMERR_CSP_MISSING_ATTR_PUBLIC_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 133, - CSSMERR_CSP_INVALID_ATTR_PRIVATE_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 134, - CSSMERR_CSP_MISSING_ATTR_PRIVATE_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 135, - CSSMERR_CSP_INVALID_ATTR_SYMMETRIC_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 136, - CSSMERR_CSP_MISSING_ATTR_SYMMETRIC_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 137, - CSSMERR_CSP_INVALID_ATTR_WRAPPED_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 138, - CSSMERR_CSP_MISSING_ATTR_WRAPPED_KEY_FORMAT = CSSM_CSP_BASE_CSP_ERROR + 139, - - /* CSP Staged Cryptographic API Error Values. */ - CSSMERR_CSP_STAGED_OPERATION_IN_PROGRESS = CSSM_CSP_BASE_CSP_ERROR + 72, - CSSMERR_CSP_STAGED_OPERATION_NOT_STARTED = CSSM_CSP_BASE_CSP_ERROR + 73, - CSSMERR_CSP_VERIFY_FAILED = CSSM_CSP_BASE_CSP_ERROR + 74, - CSSMERR_CSP_INVALID_SIGNATURE = CSSM_CSP_BASE_CSP_ERROR + 75, - CSSMERR_CSP_QUERY_SIZE_UNKNOWN = CSSM_CSP_BASE_CSP_ERROR + 76, - CSSMERR_CSP_BLOCK_SIZE_MISMATCH = CSSM_CSP_BASE_CSP_ERROR + 77, - CSSMERR_CSP_PRIVATE_KEY_NOT_FOUND = CSSM_CSP_BASE_CSP_ERROR + 78, - CSSMERR_CSP_PUBLIC_KEY_INCONSISTENT = CSSM_CSP_BASE_CSP_ERROR + 79, - CSSMERR_CSP_DEVICE_VERIFY_FAILED = CSSM_CSP_BASE_CSP_ERROR + 80, - CSSMERR_CSP_INVALID_LOGIN_NAME = CSSM_CSP_BASE_CSP_ERROR + 81, - CSSMERR_CSP_ALREADY_LOGGED_IN = CSSM_CSP_BASE_CSP_ERROR + 82, - CSSMERR_CSP_PRIVATE_KEY_ALREADY_EXISTS = CSSM_CSP_BASE_CSP_ERROR + 83, - CSSMERR_CSP_KEY_LABEL_ALREADY_EXISTS = CSSM_CSP_BASE_CSP_ERROR + 84, - CSSMERR_CSP_INVALID_DIGEST_ALGORITHM = CSSM_CSP_BASE_CSP_ERROR + 85, - CSSMERR_CSP_CRYPTO_DATA_CALLBACK_FAILED = CSSM_CSP_BASE_CSP_ERROR + 86 + CSSMERR_CSP_INPUT_LENGTH_ERROR = -2147415807, + CSSMERR_CSP_OUTPUT_LENGTH_ERROR = -2147415806, + CSSMERR_CSP_PRIVILEGE_NOT_SUPPORTED = -2147415805, + CSSMERR_CSP_DEVICE_ERROR = -2147415804, + CSSMERR_CSP_DEVICE_MEMORY_ERROR = -2147415803, + CSSMERR_CSP_ATTACH_HANDLE_BUSY = -2147415802, + CSSMERR_CSP_NOT_LOGGED_IN = -2147415801, + CSSMERR_CSP_INVALID_KEY 
= -2147415792, + CSSMERR_CSP_INVALID_KEY_REFERENCE = -2147415791, + CSSMERR_CSP_INVALID_KEY_CLASS = -2147415790, + CSSMERR_CSP_ALGID_MISMATCH = -2147415789, + CSSMERR_CSP_KEY_USAGE_INCORRECT = -2147415788, + CSSMERR_CSP_KEY_BLOB_TYPE_INCORRECT = -2147415787, + CSSMERR_CSP_KEY_HEADER_INCONSISTENT = -2147415786, + CSSMERR_CSP_UNSUPPORTED_KEY_FORMAT = -2147415785, + CSSMERR_CSP_UNSUPPORTED_KEY_SIZE = -2147415784, + CSSMERR_CSP_INVALID_KEY_POINTER = -2147415783, + CSSMERR_CSP_INVALID_KEYUSAGE_MASK = -2147415782, + CSSMERR_CSP_UNSUPPORTED_KEYUSAGE_MASK = -2147415781, + CSSMERR_CSP_INVALID_KEYATTR_MASK = -2147415780, + CSSMERR_CSP_UNSUPPORTED_KEYATTR_MASK = -2147415779, + CSSMERR_CSP_INVALID_KEY_LABEL = -2147415778, + CSSMERR_CSP_UNSUPPORTED_KEY_LABEL = -2147415777, + CSSMERR_CSP_INVALID_KEY_FORMAT = -2147415776, + + CSSMERR_CSP_INVALID_DATA_COUNT = -2147415768, + CSSMERR_CSP_VECTOR_OF_BUFS_UNSUPPORTED = -2147415767, + CSSMERR_CSP_INVALID_INPUT_VECTOR = -2147415766, + CSSMERR_CSP_INVALID_OUTPUT_VECTOR = -2147415765, + + CSSMERR_CSP_INVALID_CONTEXT = -2147415760, + CSSMERR_CSP_INVALID_ALGORITHM = -2147415759, + CSSMERR_CSP_INVALID_ATTR_KEY = -2147415754, + CSSMERR_CSP_MISSING_ATTR_KEY = -2147415753, + CSSMERR_CSP_INVALID_ATTR_INIT_VECTOR = -2147415752, + CSSMERR_CSP_MISSING_ATTR_INIT_VECTOR = -2147415751, + CSSMERR_CSP_INVALID_ATTR_SALT = -2147415750, + CSSMERR_CSP_MISSING_ATTR_SALT = -2147415749, + CSSMERR_CSP_INVALID_ATTR_PADDING = -2147415748, + CSSMERR_CSP_MISSING_ATTR_PADDING = -2147415747, + CSSMERR_CSP_INVALID_ATTR_RANDOM = -2147415746, + CSSMERR_CSP_MISSING_ATTR_RANDOM = -2147415745, + CSSMERR_CSP_INVALID_ATTR_SEED = -2147415744, + CSSMERR_CSP_MISSING_ATTR_SEED = -2147415743, + CSSMERR_CSP_INVALID_ATTR_PASSPHRASE = -2147415742, + CSSMERR_CSP_MISSING_ATTR_PASSPHRASE = -2147415741, + CSSMERR_CSP_INVALID_ATTR_KEY_LENGTH = -2147415740, + CSSMERR_CSP_MISSING_ATTR_KEY_LENGTH = -2147415739, + CSSMERR_CSP_INVALID_ATTR_BLOCK_SIZE = -2147415738, + 
CSSMERR_CSP_MISSING_ATTR_BLOCK_SIZE = -2147415737, + CSSMERR_CSP_INVALID_ATTR_OUTPUT_SIZE = -2147415708, + CSSMERR_CSP_MISSING_ATTR_OUTPUT_SIZE = -2147415707, + CSSMERR_CSP_INVALID_ATTR_ROUNDS = -2147415706, + CSSMERR_CSP_MISSING_ATTR_ROUNDS = -2147415705, + CSSMERR_CSP_INVALID_ATTR_ALG_PARAMS = -2147415704, + CSSMERR_CSP_MISSING_ATTR_ALG_PARAMS = -2147415703, + CSSMERR_CSP_INVALID_ATTR_LABEL = -2147415702, + CSSMERR_CSP_MISSING_ATTR_LABEL = -2147415701, + CSSMERR_CSP_INVALID_ATTR_KEY_TYPE = -2147415700, + CSSMERR_CSP_MISSING_ATTR_KEY_TYPE = -2147415699, + CSSMERR_CSP_INVALID_ATTR_MODE = -2147415698, + CSSMERR_CSP_MISSING_ATTR_MODE = -2147415697, + CSSMERR_CSP_INVALID_ATTR_EFFECTIVE_BITS = -2147415696, + CSSMERR_CSP_MISSING_ATTR_EFFECTIVE_BITS = -2147415695, + CSSMERR_CSP_INVALID_ATTR_START_DATE = -2147415694, + CSSMERR_CSP_MISSING_ATTR_START_DATE = -2147415693, + CSSMERR_CSP_INVALID_ATTR_END_DATE = -2147415692, + CSSMERR_CSP_MISSING_ATTR_END_DATE = -2147415691, + CSSMERR_CSP_INVALID_ATTR_VERSION = -2147415690, + CSSMERR_CSP_MISSING_ATTR_VERSION = -2147415689, + CSSMERR_CSP_INVALID_ATTR_PRIME = -2147415688, + CSSMERR_CSP_MISSING_ATTR_PRIME = -2147415687, + CSSMERR_CSP_INVALID_ATTR_BASE = -2147415686, + CSSMERR_CSP_MISSING_ATTR_BASE = -2147415685, + CSSMERR_CSP_INVALID_ATTR_SUBPRIME = -2147415684, + CSSMERR_CSP_MISSING_ATTR_SUBPRIME = -2147415683, + CSSMERR_CSP_INVALID_ATTR_ITERATION_COUNT = -2147415682, + CSSMERR_CSP_MISSING_ATTR_ITERATION_COUNT = -2147415681, + CSSMERR_CSP_INVALID_ATTR_DL_DB_HANDLE = -2147415680, + CSSMERR_CSP_MISSING_ATTR_DL_DB_HANDLE = -2147415679, + CSSMERR_CSP_INVALID_ATTR_ACCESS_CREDENTIALS = -2147415678, + CSSMERR_CSP_MISSING_ATTR_ACCESS_CREDENTIALS = -2147415677, + CSSMERR_CSP_INVALID_ATTR_PUBLIC_KEY_FORMAT = -2147415676, + CSSMERR_CSP_MISSING_ATTR_PUBLIC_KEY_FORMAT = -2147415675, + CSSMERR_CSP_INVALID_ATTR_PRIVATE_KEY_FORMAT = -2147415674, + CSSMERR_CSP_MISSING_ATTR_PRIVATE_KEY_FORMAT = -2147415673, + 
CSSMERR_CSP_INVALID_ATTR_SYMMETRIC_KEY_FORMAT = -2147415672, + CSSMERR_CSP_MISSING_ATTR_SYMMETRIC_KEY_FORMAT = -2147415671, + CSSMERR_CSP_INVALID_ATTR_WRAPPED_KEY_FORMAT = -2147415670, + CSSMERR_CSP_MISSING_ATTR_WRAPPED_KEY_FORMAT = -2147415669, + + CSSMERR_CSP_STAGED_OPERATION_IN_PROGRESS = -2147415736, + CSSMERR_CSP_STAGED_OPERATION_NOT_STARTED = -2147415735, + CSSMERR_CSP_VERIFY_FAILED = -2147415734, + CSSMERR_CSP_INVALID_SIGNATURE = -2147415733, + CSSMERR_CSP_QUERY_SIZE_UNKNOWN = -2147415732, + CSSMERR_CSP_BLOCK_SIZE_MISMATCH = -2147415731, + CSSMERR_CSP_PRIVATE_KEY_NOT_FOUND = -2147415730, + CSSMERR_CSP_PUBLIC_KEY_INCONSISTENT = -2147415729, + CSSMERR_CSP_DEVICE_VERIFY_FAILED = -2147415728, + CSSMERR_CSP_INVALID_LOGIN_NAME = -2147415727, + CSSMERR_CSP_ALREADY_LOGGED_IN = -2147415726, + CSSMERR_CSP_PRIVATE_KEY_ALREADY_EXISTS = -2147415725, + CSSMERR_CSP_KEY_LABEL_ALREADY_EXISTS = -2147415724, + CSSMERR_CSP_INVALID_DIGEST_ALGORITHM = -2147415723, + CSSMERR_CSP_CRYPTO_DATA_CALLBACK_FAILED = -2147415722, }; /* TP Error Values Derived from Common Error Codes For All Module Types. 
*/ enum { - CSSMERR_TP_INTERNAL_ERROR = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INTERNAL_ERROR, - CSSMERR_TP_MEMORY_ERROR = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_MEMORY_ERROR, - CSSMERR_TP_MDS_ERROR = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_MDS_ERROR, - CSSMERR_TP_INVALID_POINTER = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_POINTER, - CSSMERR_TP_INVALID_INPUT_POINTER = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_INPUT_POINTER, - CSSMERR_TP_INVALID_OUTPUT_POINTER = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_OUTPUT_POINTER, - CSSMERR_TP_FUNCTION_NOT_IMPLEMENTED = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED, - CSSMERR_TP_SELF_CHECK_FAILED = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_SELF_CHECK_FAILED, - CSSMERR_TP_OS_ACCESS_DENIED = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_OS_ACCESS_DENIED, - CSSMERR_TP_FUNCTION_FAILED = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_FUNCTION_FAILED, - CSSMERR_TP_INVALID_CONTEXT_HANDLE = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_CONTEXT_HANDLE, - CSSMERR_TP_INVALID_DATA = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_DATA, - CSSMERR_TP_INVALID_DB_LIST = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_DB_LIST, - CSSMERR_TP_INVALID_CERTGROUP_POINTER = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_CERTGROUP_POINTER, - CSSMERR_TP_INVALID_CERT_POINTER = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_CERT_POINTER, - CSSMERR_TP_INVALID_CRL_POINTER = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_CRL_POINTER, - CSSMERR_TP_INVALID_FIELD_POINTER = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_FIELD_POINTER, - CSSMERR_TP_INVALID_NETWORK_ADDR = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_NETWORK_ADDR, - CSSMERR_TP_CRL_ALREADY_SIGNED = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_CRL_ALREADY_SIGNED, - CSSMERR_TP_INVALID_NUMBER_OF_FIELDS = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_NUMBER_OF_FIELDS, - CSSMERR_TP_VERIFICATION_FAILURE = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_VERIFICATION_FAILURE, - CSSMERR_TP_INVALID_DB_HANDLE = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_DB_HANDLE, - 
CSSMERR_TP_UNKNOWN_FORMAT = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_UNKNOWN_FORMAT, - CSSMERR_TP_UNKNOWN_TAG = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_UNKNOWN_TAG, - CSSMERR_TP_INVALID_PASSTHROUGH_ID = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_PASSTHROUGH_ID, - CSSMERR_TP_INVALID_CSP_HANDLE = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_CSP_HANDLE, - CSSMERR_TP_INVALID_DL_HANDLE = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_DL_HANDLE, - CSSMERR_TP_INVALID_CL_HANDLE = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_CL_HANDLE, - CSSMERR_TP_INVALID_DB_LIST_POINTER = - CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INVALID_DB_LIST_POINTER + CSSMERR_TP_INTERNAL_ERROR = -2147409919, + CSSMERR_TP_MEMORY_ERROR = -2147409918, + CSSMERR_TP_MDS_ERROR = -2147409917, + CSSMERR_TP_INVALID_POINTER = -2147409916, + CSSMERR_TP_INVALID_INPUT_POINTER = -2147409915, + CSSMERR_TP_INVALID_OUTPUT_POINTER = -2147409914, + CSSMERR_TP_FUNCTION_NOT_IMPLEMENTED = -2147409913, + CSSMERR_TP_SELF_CHECK_FAILED = -2147409912, + CSSMERR_TP_OS_ACCESS_DENIED = -2147409911, + CSSMERR_TP_FUNCTION_FAILED = -2147409910, + CSSMERR_TP_INVALID_CONTEXT_HANDLE = -2147409856, + CSSMERR_TP_INVALID_DATA = -2147409850, + CSSMERR_TP_INVALID_DB_LIST = -2147409844, + CSSMERR_TP_INVALID_CERTGROUP_POINTER = -2147409854, + CSSMERR_TP_INVALID_CERT_POINTER = -2147409853, + CSSMERR_TP_INVALID_CRL_POINTER = -2147409852, + CSSMERR_TP_INVALID_FIELD_POINTER = -2147409851, + CSSMERR_TP_INVALID_NETWORK_ADDR = -2147409833, + CSSMERR_TP_CRL_ALREADY_SIGNED = -2147409849, + CSSMERR_TP_INVALID_NUMBER_OF_FIELDS = -2147409848, + CSSMERR_TP_VERIFICATION_FAILURE = -2147409847, + CSSMERR_TP_INVALID_DB_HANDLE = -2147409846, + CSSMERR_TP_UNKNOWN_FORMAT = -2147409842, + CSSMERR_TP_UNKNOWN_TAG = -2147409841, + CSSMERR_TP_INVALID_PASSTHROUGH_ID = -2147409834, + CSSMERR_TP_INVALID_CSP_HANDLE = -2147409840, + CSSMERR_TP_INVALID_DL_HANDLE = -2147409839, + CSSMERR_TP_INVALID_CL_HANDLE = -2147409838, + CSSMERR_TP_INVALID_DB_LIST_POINTER = -2147409843, }; /* TP 
Module-Specific Error Values */ enum { CSSM_TP_BASE_TP_ERROR = CSSM_TP_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT, - CSSMERR_TP_INVALID_CALLERAUTH_CONTEXT_POINTER = CSSM_TP_BASE_TP_ERROR + 1, - CSSMERR_TP_INVALID_IDENTIFIER_POINTER = CSSM_TP_BASE_TP_ERROR + 2, - CSSMERR_TP_INVALID_KEYCACHE_HANDLE = CSSM_TP_BASE_TP_ERROR + 3, - CSSMERR_TP_INVALID_CERTGROUP = CSSM_TP_BASE_TP_ERROR + 4, - CSSMERR_TP_INVALID_CRLGROUP = CSSM_TP_BASE_TP_ERROR + 5, - CSSMERR_TP_INVALID_CRLGROUP_POINTER = CSSM_TP_BASE_TP_ERROR + 6, - CSSMERR_TP_AUTHENTICATION_FAILED = CSSM_TP_BASE_TP_ERROR + 7, - CSSMERR_TP_CERTGROUP_INCOMPLETE = CSSM_TP_BASE_TP_ERROR + 8, - CSSMERR_TP_CERTIFICATE_CANT_OPERATE = CSSM_TP_BASE_TP_ERROR + 9, - CSSMERR_TP_CERT_EXPIRED = CSSM_TP_BASE_TP_ERROR + 10, - CSSMERR_TP_CERT_NOT_VALID_YET = CSSM_TP_BASE_TP_ERROR + 11, - CSSMERR_TP_CERT_REVOKED = CSSM_TP_BASE_TP_ERROR + 12, - CSSMERR_TP_CERT_SUSPENDED = CSSM_TP_BASE_TP_ERROR + 13, - CSSMERR_TP_INSUFFICIENT_CREDENTIALS = CSSM_TP_BASE_TP_ERROR + 14, - CSSMERR_TP_INVALID_ACTION = CSSM_TP_BASE_TP_ERROR + 15, - CSSMERR_TP_INVALID_ACTION_DATA = CSSM_TP_BASE_TP_ERROR + 16, - CSSMERR_TP_INVALID_ANCHOR_CERT = CSSM_TP_BASE_TP_ERROR + 18, - CSSMERR_TP_INVALID_AUTHORITY = CSSM_TP_BASE_TP_ERROR + 19, - CSSMERR_TP_VERIFY_ACTION_FAILED = CSSM_TP_BASE_TP_ERROR + 20, - CSSMERR_TP_INVALID_CERTIFICATE = CSSM_TP_BASE_TP_ERROR + 21, - CSSMERR_TP_INVALID_CERT_AUTHORITY = CSSM_TP_BASE_TP_ERROR + 22, - CSSMERR_TP_INVALID_CRL_AUTHORITY = CSSM_TP_BASE_TP_ERROR + 23, - CSSMERR_TP_INVALID_CRL_ENCODING = CSSM_TP_BASE_TP_ERROR + 24, - CSSMERR_TP_INVALID_CRL_TYPE = CSSM_TP_BASE_TP_ERROR + 25, - CSSMERR_TP_INVALID_CRL = CSSM_TP_BASE_TP_ERROR + 26, - CSSMERR_TP_INVALID_FORM_TYPE = CSSM_TP_BASE_TP_ERROR + 27, - CSSMERR_TP_INVALID_ID = CSSM_TP_BASE_TP_ERROR + 28, - CSSMERR_TP_INVALID_IDENTIFIER = CSSM_TP_BASE_TP_ERROR + 29, - CSSMERR_TP_INVALID_INDEX = CSSM_TP_BASE_TP_ERROR + 30, - CSSMERR_TP_INVALID_NAME = CSSM_TP_BASE_TP_ERROR + 31, - 
CSSMERR_TP_INVALID_POLICY_IDENTIFIERS = CSSM_TP_BASE_TP_ERROR + 32, - CSSMERR_TP_INVALID_TIMESTRING = CSSM_TP_BASE_TP_ERROR + 33, - CSSMERR_TP_INVALID_REASON = CSSM_TP_BASE_TP_ERROR + 34, - CSSMERR_TP_INVALID_REQUEST_INPUTS = CSSM_TP_BASE_TP_ERROR + 35, - CSSMERR_TP_INVALID_RESPONSE_VECTOR = CSSM_TP_BASE_TP_ERROR + 36, - CSSMERR_TP_INVALID_SIGNATURE = CSSM_TP_BASE_TP_ERROR + 37, - CSSMERR_TP_INVALID_STOP_ON_POLICY = CSSM_TP_BASE_TP_ERROR + 38, - CSSMERR_TP_INVALID_CALLBACK = CSSM_TP_BASE_TP_ERROR + 39, - CSSMERR_TP_INVALID_TUPLE = CSSM_TP_BASE_TP_ERROR + 40, - CSSMERR_TP_NOT_SIGNER = CSSM_TP_BASE_TP_ERROR + 41, - CSSMERR_TP_NOT_TRUSTED = CSSM_TP_BASE_TP_ERROR + 42, - CSSMERR_TP_NO_DEFAULT_AUTHORITY = CSSM_TP_BASE_TP_ERROR + 43, - CSSMERR_TP_REJECTED_FORM = CSSM_TP_BASE_TP_ERROR + 44, - CSSMERR_TP_REQUEST_LOST = CSSM_TP_BASE_TP_ERROR + 45, - CSSMERR_TP_REQUEST_REJECTED = CSSM_TP_BASE_TP_ERROR + 46, - CSSMERR_TP_UNSUPPORTED_ADDR_TYPE = CSSM_TP_BASE_TP_ERROR + 47, - CSSMERR_TP_UNSUPPORTED_SERVICE = CSSM_TP_BASE_TP_ERROR + 48, - CSSMERR_TP_INVALID_TUPLEGROUP_POINTER = CSSM_TP_BASE_TP_ERROR + 49, - CSSMERR_TP_INVALID_TUPLEGROUP = CSSM_TP_BASE_TP_ERROR + 50 + CSSMERR_TP_INVALID_CALLERAUTH_CONTEXT_POINTER = -2147409663, + CSSMERR_TP_INVALID_IDENTIFIER_POINTER = -2147409662, + CSSMERR_TP_INVALID_KEYCACHE_HANDLE = -2147409661, + CSSMERR_TP_INVALID_CERTGROUP = -2147409660, + CSSMERR_TP_INVALID_CRLGROUP = -2147409659, + CSSMERR_TP_INVALID_CRLGROUP_POINTER = -2147409658, + CSSMERR_TP_AUTHENTICATION_FAILED = -2147409657, + CSSMERR_TP_CERTGROUP_INCOMPLETE = -2147409656, + CSSMERR_TP_CERTIFICATE_CANT_OPERATE = -2147409655, + CSSMERR_TP_CERT_EXPIRED = -2147409654, + CSSMERR_TP_CERT_NOT_VALID_YET = -2147409653, + CSSMERR_TP_CERT_REVOKED = -2147409652, + CSSMERR_TP_CERT_SUSPENDED = -2147409651, + CSSMERR_TP_INSUFFICIENT_CREDENTIALS = -2147409650, + CSSMERR_TP_INVALID_ACTION = -2147409649, + CSSMERR_TP_INVALID_ACTION_DATA = -2147409648, + CSSMERR_TP_INVALID_ANCHOR_CERT = -2147409646, 
+ CSSMERR_TP_INVALID_AUTHORITY = -2147409645, + CSSMERR_TP_VERIFY_ACTION_FAILED = -2147409644, + CSSMERR_TP_INVALID_CERTIFICATE = -2147409643, + CSSMERR_TP_INVALID_CERT_AUTHORITY = -2147409642, + CSSMERR_TP_INVALID_CRL_AUTHORITY = -2147409641, + CSSMERR_TP_INVALID_CRL_ENCODING = -2147409640, + CSSMERR_TP_INVALID_CRL_TYPE = -2147409639, + CSSMERR_TP_INVALID_CRL = -2147409638, + CSSMERR_TP_INVALID_FORM_TYPE = -2147409637, + CSSMERR_TP_INVALID_ID = -2147409636, + CSSMERR_TP_INVALID_IDENTIFIER = -2147409635, + CSSMERR_TP_INVALID_INDEX = -2147409634, + CSSMERR_TP_INVALID_NAME = -2147409633, + CSSMERR_TP_INVALID_POLICY_IDENTIFIERS = -2147409632, + CSSMERR_TP_INVALID_TIMESTRING = -2147409631, + CSSMERR_TP_INVALID_REASON = -2147409630, + CSSMERR_TP_INVALID_REQUEST_INPUTS = -2147409629, + CSSMERR_TP_INVALID_RESPONSE_VECTOR = -2147409628, + CSSMERR_TP_INVALID_SIGNATURE = -2147409627, + CSSMERR_TP_INVALID_STOP_ON_POLICY = -2147409626, + CSSMERR_TP_INVALID_CALLBACK = -2147409625, + CSSMERR_TP_INVALID_TUPLE = -2147409624, + CSSMERR_TP_NOT_SIGNER = -2147409623, + CSSMERR_TP_NOT_TRUSTED = -2147409622, + CSSMERR_TP_NO_DEFAULT_AUTHORITY = -2147409621, + CSSMERR_TP_REJECTED_FORM = -2147409620, + CSSMERR_TP_REQUEST_LOST = -2147409619, + CSSMERR_TP_REQUEST_REJECTED = -2147409618, + CSSMERR_TP_UNSUPPORTED_ADDR_TYPE = -2147409617, + CSSMERR_TP_UNSUPPORTED_SERVICE = -2147409616, + CSSMERR_TP_INVALID_TUPLEGROUP_POINTER = -2147409615, + CSSMERR_TP_INVALID_TUPLEGROUP = -2147409614, }; /* AC Error Values Derived from Common Error Codes For All Module Types. 
*/ enum { - CSSMERR_AC_INTERNAL_ERROR = - CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INTERNAL_ERROR, - CSSMERR_AC_MEMORY_ERROR = - CSSM_AC_BASE_ERROR + CSSM_ERRCODE_MEMORY_ERROR, - CSSMERR_AC_MDS_ERROR = - CSSM_AC_BASE_ERROR + CSSM_ERRCODE_MDS_ERROR, - CSSMERR_AC_INVALID_POINTER = - CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_POINTER, - CSSMERR_AC_INVALID_INPUT_POINTER = - CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_INPUT_POINTER, - CSSMERR_AC_INVALID_OUTPUT_POINTER = - CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_OUTPUT_POINTER, - CSSMERR_AC_FUNCTION_NOT_IMPLEMENTED = - CSSM_AC_BASE_ERROR + CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED, - CSSMERR_AC_SELF_CHECK_FAILED = - CSSM_AC_BASE_ERROR + CSSM_ERRCODE_SELF_CHECK_FAILED, - CSSMERR_AC_OS_ACCESS_DENIED = - CSSM_AC_BASE_ERROR + CSSM_ERRCODE_OS_ACCESS_DENIED, - CSSMERR_AC_FUNCTION_FAILED = - CSSM_AC_BASE_ERROR + CSSM_ERRCODE_FUNCTION_FAILED, - CSSMERR_AC_INVALID_CONTEXT_HANDLE = - CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_CONTEXT_HANDLE, - CSSMERR_AC_INVALID_DATA = - CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_DATA, - CSSMERR_AC_INVALID_DB_LIST = - CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_DB_LIST, - CSSMERR_AC_INVALID_PASSTHROUGH_ID = - CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_PASSTHROUGH_ID, - CSSMERR_AC_INVALID_DL_HANDLE = - CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_DL_HANDLE, - CSSMERR_AC_INVALID_CL_HANDLE = - CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_CL_HANDLE, - CSSMERR_AC_INVALID_TP_HANDLE = - CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_TP_HANDLE, - CSSMERR_AC_INVALID_DB_HANDLE = - CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_DB_HANDLE, - CSSMERR_AC_INVALID_DB_LIST_POINTER = - CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INVALID_DB_LIST_POINTER + CSSMERR_AC_INTERNAL_ERROR = -2147405823, + CSSMERR_AC_MEMORY_ERROR = -2147405822, + CSSMERR_AC_MDS_ERROR = -2147405821, + CSSMERR_AC_INVALID_POINTER = -2147405820, + CSSMERR_AC_INVALID_INPUT_POINTER = -2147405819, + CSSMERR_AC_INVALID_OUTPUT_POINTER = -2147405818, + CSSMERR_AC_FUNCTION_NOT_IMPLEMENTED = 
-2147405817, + CSSMERR_AC_SELF_CHECK_FAILED = -2147405816, + CSSMERR_AC_OS_ACCESS_DENIED = -2147405815, + CSSMERR_AC_FUNCTION_FAILED = -2147405814, + CSSMERR_AC_INVALID_CONTEXT_HANDLE = -2147405760, + CSSMERR_AC_INVALID_DATA = -2147405754, + CSSMERR_AC_INVALID_DB_LIST = -2147405748, + CSSMERR_AC_INVALID_PASSTHROUGH_ID = -2147405738, + CSSMERR_AC_INVALID_DL_HANDLE = -2147405743, + CSSMERR_AC_INVALID_CL_HANDLE = -2147405742, + CSSMERR_AC_INVALID_TP_HANDLE = -2147405741, + CSSMERR_AC_INVALID_DB_HANDLE = -2147405750, + CSSMERR_AC_INVALID_DB_LIST_POINTER = -2147405747, }; /* AC Module-Specific Error Values */ enum { CSSM_AC_BASE_AC_ERROR = CSSM_AC_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT, - CSSMERR_AC_INVALID_BASE_ACLS = CSSM_AC_BASE_AC_ERROR + 1, - CSSMERR_AC_INVALID_TUPLE_CREDENTIALS = CSSM_AC_BASE_AC_ERROR + 2, - CSSMERR_AC_INVALID_ENCODING = CSSM_AC_BASE_AC_ERROR + 3, - CSSMERR_AC_INVALID_VALIDITY_PERIOD = CSSM_AC_BASE_AC_ERROR + 4, - CSSMERR_AC_INVALID_REQUESTOR = CSSM_AC_BASE_AC_ERROR + 5, - CSSMERR_AC_INVALID_REQUEST_DESCRIPTOR = CSSM_AC_BASE_AC_ERROR + 6 + CSSMERR_AC_INVALID_BASE_ACLS = -2147405567, + CSSMERR_AC_INVALID_TUPLE_CREDENTIALS = -2147405566, + CSSMERR_AC_INVALID_ENCODING = -2147405565, + CSSMERR_AC_INVALID_VALIDITY_PERIOD = -2147405564, + CSSMERR_AC_INVALID_REQUESTOR = -2147405563, + CSSMERR_AC_INVALID_REQUEST_DESCRIPTOR = -2147405562, }; /* CL Error Values Derived from Common Error Codes For All Module Types. 
*/ enum { - CSSMERR_CL_INTERNAL_ERROR = - CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INTERNAL_ERROR, - CSSMERR_CL_MEMORY_ERROR = - CSSM_CL_BASE_ERROR + CSSM_ERRCODE_MEMORY_ERROR, - CSSMERR_CL_MDS_ERROR = - CSSM_CL_BASE_ERROR + CSSM_ERRCODE_MDS_ERROR, - CSSMERR_CL_INVALID_POINTER = - CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_POINTER, - CSSMERR_CL_INVALID_INPUT_POINTER = - CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_INPUT_POINTER, - CSSMERR_CL_INVALID_OUTPUT_POINTER = - CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_OUTPUT_POINTER, - CSSMERR_CL_FUNCTION_NOT_IMPLEMENTED = - CSSM_CL_BASE_ERROR + CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED, - CSSMERR_CL_SELF_CHECK_FAILED = - CSSM_CL_BASE_ERROR + CSSM_ERRCODE_SELF_CHECK_FAILED, - CSSMERR_CL_OS_ACCESS_DENIED = - CSSM_CL_BASE_ERROR + CSSM_ERRCODE_OS_ACCESS_DENIED, - CSSMERR_CL_FUNCTION_FAILED = - CSSM_CL_BASE_ERROR + CSSM_ERRCODE_FUNCTION_FAILED, - CSSMERR_CL_INVALID_CONTEXT_HANDLE = - CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_CONTEXT_HANDLE, - CSSMERR_CL_INVALID_CERTGROUP_POINTER = - CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_CERTGROUP_POINTER, - CSSMERR_CL_INVALID_CERT_POINTER = - CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_CERT_POINTER, - CSSMERR_CL_INVALID_CRL_POINTER = - CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_CRL_POINTER, - CSSMERR_CL_INVALID_FIELD_POINTER = - CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_FIELD_POINTER, - CSSMERR_CL_INVALID_DATA = - CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_DATA, - CSSMERR_CL_CRL_ALREADY_SIGNED = - CSSM_CL_BASE_ERROR + CSSM_ERRCODE_CRL_ALREADY_SIGNED, - CSSMERR_CL_INVALID_NUMBER_OF_FIELDS = - CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_NUMBER_OF_FIELDS, - CSSMERR_CL_VERIFICATION_FAILURE = - CSSM_CL_BASE_ERROR + CSSM_ERRCODE_VERIFICATION_FAILURE, - CSSMERR_CL_UNKNOWN_FORMAT = - CSSM_CL_BASE_ERROR + CSSM_ERRCODE_UNKNOWN_FORMAT, - CSSMERR_CL_UNKNOWN_TAG = - CSSM_CL_BASE_ERROR + CSSM_ERRCODE_UNKNOWN_TAG, - CSSMERR_CL_INVALID_PASSTHROUGH_ID = - CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INVALID_PASSTHROUGH_ID + 
CSSMERR_CL_INTERNAL_ERROR = -2147411967, + CSSMERR_CL_MEMORY_ERROR = -2147411966, + CSSMERR_CL_MDS_ERROR = -2147411965, + CSSMERR_CL_INVALID_POINTER = -2147411964, + CSSMERR_CL_INVALID_INPUT_POINTER = -2147411963, + CSSMERR_CL_INVALID_OUTPUT_POINTER = -2147411962, + CSSMERR_CL_FUNCTION_NOT_IMPLEMENTED = -2147411961, + CSSMERR_CL_SELF_CHECK_FAILED = -2147411960, + CSSMERR_CL_OS_ACCESS_DENIED = -2147411959, + CSSMERR_CL_FUNCTION_FAILED = -2147411958, + CSSMERR_CL_INVALID_CONTEXT_HANDLE = -2147411904, + CSSMERR_CL_INVALID_CERTGROUP_POINTER = -2147411902, + CSSMERR_CL_INVALID_CERT_POINTER = -2147411901, + CSSMERR_CL_INVALID_CRL_POINTER = -2147411900, + CSSMERR_CL_INVALID_FIELD_POINTER = -2147411899, + CSSMERR_CL_INVALID_DATA = -2147411898, + CSSMERR_CL_CRL_ALREADY_SIGNED = -2147411897, + CSSMERR_CL_INVALID_NUMBER_OF_FIELDS = -2147411896, + CSSMERR_CL_VERIFICATION_FAILURE = -2147411895, + CSSMERR_CL_UNKNOWN_FORMAT = -2147411890, + CSSMERR_CL_UNKNOWN_TAG = -2147411889, + CSSMERR_CL_INVALID_PASSTHROUGH_ID = -2147411882, }; /* CL Module-Specific Error Values */ enum { CSSM_CL_BASE_CL_ERROR = CSSM_CL_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT, - CSSMERR_CL_INVALID_BUNDLE_POINTER = CSSM_CL_BASE_CL_ERROR + 1, - CSSMERR_CL_INVALID_CACHE_HANDLE = CSSM_CL_BASE_CL_ERROR + 2, - CSSMERR_CL_INVALID_RESULTS_HANDLE = CSSM_CL_BASE_CL_ERROR + 3, - CSSMERR_CL_INVALID_BUNDLE_INFO = CSSM_CL_BASE_CL_ERROR + 4, - CSSMERR_CL_INVALID_CRL_INDEX = CSSM_CL_BASE_CL_ERROR + 5, - CSSMERR_CL_INVALID_SCOPE = CSSM_CL_BASE_CL_ERROR + 6, - CSSMERR_CL_NO_FIELD_VALUES = CSSM_CL_BASE_CL_ERROR + 7, - CSSMERR_CL_SCOPE_NOT_SUPPORTED = CSSM_CL_BASE_CL_ERROR + 8 + CSSMERR_CL_INVALID_BUNDLE_POINTER = -2147411711, + CSSMERR_CL_INVALID_CACHE_HANDLE = -2147411710, + CSSMERR_CL_INVALID_RESULTS_HANDLE = -2147411709, + CSSMERR_CL_INVALID_BUNDLE_INFO = -2147411708, + CSSMERR_CL_INVALID_CRL_INDEX = -2147411707, + CSSMERR_CL_INVALID_SCOPE = -2147411706, + CSSMERR_CL_NO_FIELD_VALUES = -2147411705, + 
CSSMERR_CL_SCOPE_NOT_SUPPORTED = -2147411704, }; /* DL Error Values Derived from Common Error Codes For All Module Types. */ enum { - CSSMERR_DL_INTERNAL_ERROR = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INTERNAL_ERROR, - CSSMERR_DL_MEMORY_ERROR = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_MEMORY_ERROR, - CSSMERR_DL_MDS_ERROR = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_MDS_ERROR, - CSSMERR_DL_INVALID_POINTER = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_POINTER, - CSSMERR_DL_INVALID_INPUT_POINTER = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_INPUT_POINTER, - CSSMERR_DL_INVALID_OUTPUT_POINTER = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_OUTPUT_POINTER, - CSSMERR_DL_FUNCTION_NOT_IMPLEMENTED = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_FUNCTION_NOT_IMPLEMENTED, - CSSMERR_DL_SELF_CHECK_FAILED = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_SELF_CHECK_FAILED, - CSSMERR_DL_OS_ACCESS_DENIED = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_OS_ACCESS_DENIED, - CSSMERR_DL_FUNCTION_FAILED = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_FUNCTION_FAILED, - CSSMERR_DL_INVALID_CSP_HANDLE = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_CSP_HANDLE, - CSSMERR_DL_INVALID_DL_HANDLE = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_DL_HANDLE, - CSSMERR_DL_INVALID_CL_HANDLE = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_CL_HANDLE, - CSSMERR_DL_INVALID_DB_LIST_POINTER = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_DB_LIST_POINTER + CSSMERR_DL_INTERNAL_ERROR = -2147414015, + CSSMERR_DL_MEMORY_ERROR = -2147414014, + CSSMERR_DL_MDS_ERROR = -2147414013, + CSSMERR_DL_INVALID_POINTER = -2147414012, + CSSMERR_DL_INVALID_INPUT_POINTER = -2147414011, + CSSMERR_DL_INVALID_OUTPUT_POINTER = -2147414010, + CSSMERR_DL_FUNCTION_NOT_IMPLEMENTED = -2147414009, + CSSMERR_DL_SELF_CHECK_FAILED = -2147414008, + CSSMERR_DL_OS_ACCESS_DENIED = -2147414007, + CSSMERR_DL_FUNCTION_FAILED = -2147414006, + CSSMERR_DL_INVALID_CSP_HANDLE = -2147413936, + CSSMERR_DL_INVALID_DL_HANDLE = -2147413935, + CSSMERR_DL_INVALID_CL_HANDLE = -2147413934, + CSSMERR_DL_INVALID_DB_LIST_POINTER = 
-2147413939, }; /* DL Error Values Derived from ACL-based Error Codes. */ enum { - CSSMERR_DL_OPERATION_AUTH_DENIED = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_OPERATION_AUTH_DENIED, - CSSMERR_DL_OBJECT_USE_AUTH_DENIED = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_OBJECT_USE_AUTH_DENIED, - CSSMERR_DL_OBJECT_MANIP_AUTH_DENIED = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_OBJECT_MANIP_AUTH_DENIED, - CSSMERR_DL_OBJECT_ACL_NOT_SUPPORTED = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_OBJECT_ACL_NOT_SUPPORTED, - CSSMERR_DL_OBJECT_ACL_REQUIRED = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_OBJECT_ACL_REQUIRED, - CSSMERR_DL_INVALID_ACCESS_CREDENTIALS = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_ACCESS_CREDENTIALS, - CSSMERR_DL_INVALID_ACL_BASE_CERTS = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_BASE_CERTS, - CSSMERR_DL_ACL_BASE_CERTS_NOT_SUPPORTED = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_ACL_BASE_CERTS_NOT_SUPPORTED, - CSSMERR_DL_INVALID_SAMPLE_VALUE = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_SAMPLE_VALUE, - CSSMERR_DL_SAMPLE_VALUE_NOT_SUPPORTED = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_SAMPLE_VALUE_NOT_SUPPORTED, - CSSMERR_DL_INVALID_ACL_SUBJECT_VALUE = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_SUBJECT_VALUE, - CSSMERR_DL_ACL_SUBJECT_TYPE_NOT_SUPPORTED = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_ACL_SUBJECT_TYPE_NOT_SUPPORTED, - CSSMERR_DL_INVALID_ACL_CHALLENGE_CALLBACK = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_CHALLENGE_CALLBACK, - CSSMERR_DL_ACL_CHALLENGE_CALLBACK_FAILED = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_ACL_CHALLENGE_CALLBACK_FAILED, - CSSMERR_DL_INVALID_ACL_ENTRY_TAG = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_ENTRY_TAG, - CSSMERR_DL_ACL_ENTRY_TAG_NOT_FOUND = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_ACL_ENTRY_TAG_NOT_FOUND, - CSSMERR_DL_INVALID_ACL_EDIT_MODE = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_ACL_EDIT_MODE, - CSSMERR_DL_ACL_CHANGE_FAILED = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_ACL_CHANGE_FAILED, - CSSMERR_DL_INVALID_NEW_ACL_ENTRY = - CSSM_DL_BASE_ERROR + 
CSSM_ERRCODE_INVALID_NEW_ACL_ENTRY, - CSSMERR_DL_INVALID_NEW_ACL_OWNER = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_NEW_ACL_OWNER, - CSSMERR_DL_ACL_DELETE_FAILED = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_ACL_DELETE_FAILED, - CSSMERR_DL_ACL_REPLACE_FAILED = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_ACL_REPLACE_FAILED, - CSSMERR_DL_ACL_ADD_FAILED = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_ACL_ADD_FAILED + CSSMERR_DL_OPERATION_AUTH_DENIED = -2147413984, + CSSMERR_DL_OBJECT_USE_AUTH_DENIED = -2147413983, + CSSMERR_DL_OBJECT_MANIP_AUTH_DENIED = -2147413982, + CSSMERR_DL_OBJECT_ACL_NOT_SUPPORTED = -2147413981, + CSSMERR_DL_OBJECT_ACL_REQUIRED = -2147413980, + CSSMERR_DL_INVALID_ACCESS_CREDENTIALS = -2147413979, + CSSMERR_DL_INVALID_ACL_BASE_CERTS = -2147413978, + CSSMERR_DL_ACL_BASE_CERTS_NOT_SUPPORTED = -2147413977, + CSSMERR_DL_INVALID_SAMPLE_VALUE = -2147413976, + CSSMERR_DL_SAMPLE_VALUE_NOT_SUPPORTED = -2147413975, + CSSMERR_DL_INVALID_ACL_SUBJECT_VALUE = -2147413974, + CSSMERR_DL_ACL_SUBJECT_TYPE_NOT_SUPPORTED = -2147413973, + CSSMERR_DL_INVALID_ACL_CHALLENGE_CALLBACK = -2147413972, + CSSMERR_DL_ACL_CHALLENGE_CALLBACK_FAILED = -2147413971, + CSSMERR_DL_INVALID_ACL_ENTRY_TAG = -2147413970, + CSSMERR_DL_ACL_ENTRY_TAG_NOT_FOUND = -2147413969, + CSSMERR_DL_INVALID_ACL_EDIT_MODE = -2147413968, + CSSMERR_DL_ACL_CHANGE_FAILED = -2147413967, + CSSMERR_DL_INVALID_NEW_ACL_ENTRY = -2147413966, + CSSMERR_DL_INVALID_NEW_ACL_OWNER = -2147413965, + CSSMERR_DL_ACL_DELETE_FAILED = -2147413964, + CSSMERR_DL_ACL_REPLACE_FAILED = -2147413963, + CSSMERR_DL_ACL_ADD_FAILED = -2147413962, }; /* DL Error Values for Specific Data Types. 
*/ enum { - CSSMERR_DL_INVALID_DB_HANDLE = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_DB_HANDLE, - CSSMERR_DL_INVALID_PASSTHROUGH_ID = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_PASSTHROUGH_ID, - CSSMERR_DL_INVALID_NETWORK_ADDR = - CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INVALID_NETWORK_ADDR + CSSMERR_DL_INVALID_DB_HANDLE = -2147413942, + CSSMERR_DL_INVALID_PASSTHROUGH_ID = -2147413930, + CSSMERR_DL_INVALID_NETWORK_ADDR = -2147413929, }; /* DL Module-Specific Error Values */ enum { CSSM_DL_BASE_DL_ERROR = CSSM_DL_BASE_ERROR + CSSM_ERRORCODE_COMMON_EXTENT, - CSSMERR_DL_DATABASE_CORRUPT = CSSM_DL_BASE_DL_ERROR + 1, - CSSMERR_DL_INVALID_RECORD_INDEX = CSSM_DL_BASE_DL_ERROR + 8, - CSSMERR_DL_INVALID_RECORDTYPE = CSSM_DL_BASE_DL_ERROR + 9, - CSSMERR_DL_INVALID_FIELD_NAME = CSSM_DL_BASE_DL_ERROR + 10, - CSSMERR_DL_UNSUPPORTED_FIELD_FORMAT = CSSM_DL_BASE_DL_ERROR + 11, - CSSMERR_DL_UNSUPPORTED_INDEX_INFO = CSSM_DL_BASE_DL_ERROR + 12, - CSSMERR_DL_UNSUPPORTED_LOCALITY = CSSM_DL_BASE_DL_ERROR + 13, - CSSMERR_DL_UNSUPPORTED_NUM_ATTRIBUTES = CSSM_DL_BASE_DL_ERROR + 14, - CSSMERR_DL_UNSUPPORTED_NUM_INDEXES = CSSM_DL_BASE_DL_ERROR + 15, - CSSMERR_DL_UNSUPPORTED_NUM_RECORDTYPES = CSSM_DL_BASE_DL_ERROR + 16, - CSSMERR_DL_UNSUPPORTED_RECORDTYPE = CSSM_DL_BASE_DL_ERROR + 17, - CSSMERR_DL_FIELD_SPECIFIED_MULTIPLE = CSSM_DL_BASE_DL_ERROR + 18, - CSSMERR_DL_INCOMPATIBLE_FIELD_FORMAT = CSSM_DL_BASE_DL_ERROR + 19, - CSSMERR_DL_INVALID_PARSING_MODULE = CSSM_DL_BASE_DL_ERROR + 20, - CSSMERR_DL_INVALID_DB_NAME = CSSM_DL_BASE_DL_ERROR + 22, - CSSMERR_DL_DATASTORE_DOESNOT_EXIST = CSSM_DL_BASE_DL_ERROR + 23, - CSSMERR_DL_DATASTORE_ALREADY_EXISTS = CSSM_DL_BASE_DL_ERROR + 24, - CSSMERR_DL_DB_LOCKED = CSSM_DL_BASE_DL_ERROR + 25, - CSSMERR_DL_DATASTORE_IS_OPEN = CSSM_DL_BASE_DL_ERROR + 26, - CSSMERR_DL_RECORD_NOT_FOUND = CSSM_DL_BASE_DL_ERROR + 27, - CSSMERR_DL_MISSING_VALUE = CSSM_DL_BASE_DL_ERROR + 28, - CSSMERR_DL_UNSUPPORTED_QUERY = CSSM_DL_BASE_DL_ERROR + 29, - 
CSSMERR_DL_UNSUPPORTED_QUERY_LIMITS = CSSM_DL_BASE_DL_ERROR + 30, - CSSMERR_DL_UNSUPPORTED_NUM_SELECTION_PREDS = CSSM_DL_BASE_DL_ERROR + 31, - CSSMERR_DL_UNSUPPORTED_OPERATOR = CSSM_DL_BASE_DL_ERROR + 33, - CSSMERR_DL_INVALID_RESULTS_HANDLE = CSSM_DL_BASE_DL_ERROR + 34, - CSSMERR_DL_INVALID_DB_LOCATION = CSSM_DL_BASE_DL_ERROR + 35, - CSSMERR_DL_INVALID_ACCESS_REQUEST = CSSM_DL_BASE_DL_ERROR + 36, - CSSMERR_DL_INVALID_INDEX_INFO = CSSM_DL_BASE_DL_ERROR + 37, - CSSMERR_DL_INVALID_SELECTION_TAG = CSSM_DL_BASE_DL_ERROR + 38, - CSSMERR_DL_INVALID_NEW_OWNER = CSSM_DL_BASE_DL_ERROR + 39, - CSSMERR_DL_INVALID_RECORD_UID = CSSM_DL_BASE_DL_ERROR + 40, - CSSMERR_DL_INVALID_UNIQUE_INDEX_DATA = CSSM_DL_BASE_DL_ERROR + 41, - CSSMERR_DL_INVALID_MODIFY_MODE = CSSM_DL_BASE_DL_ERROR + 42, - CSSMERR_DL_INVALID_OPEN_PARAMETERS = CSSM_DL_BASE_DL_ERROR + 43, - CSSMERR_DL_RECORD_MODIFIED = CSSM_DL_BASE_DL_ERROR + 44, - CSSMERR_DL_ENDOFDATA = CSSM_DL_BASE_DL_ERROR + 45, - CSSMERR_DL_INVALID_QUERY = CSSM_DL_BASE_DL_ERROR + 46, - CSSMERR_DL_INVALID_VALUE = CSSM_DL_BASE_DL_ERROR + 47, - CSSMERR_DL_MULTIPLE_VALUES_UNSUPPORTED = CSSM_DL_BASE_DL_ERROR + 48, - CSSMERR_DL_STALE_UNIQUE_RECORD = CSSM_DL_BASE_DL_ERROR + 49 + CSSMERR_DL_DATABASE_CORRUPT = -2147413759, + CSSMERR_DL_INVALID_RECORD_INDEX = -2147413752, + CSSMERR_DL_INVALID_RECORDTYPE = -2147413751, + CSSMERR_DL_INVALID_FIELD_NAME = -2147413750, + CSSMERR_DL_UNSUPPORTED_FIELD_FORMAT = -2147413749, + CSSMERR_DL_UNSUPPORTED_INDEX_INFO = -2147413748, + CSSMERR_DL_UNSUPPORTED_LOCALITY = -2147413747, + CSSMERR_DL_UNSUPPORTED_NUM_ATTRIBUTES = -2147413746, + CSSMERR_DL_UNSUPPORTED_NUM_INDEXES = -2147413745, + CSSMERR_DL_UNSUPPORTED_NUM_RECORDTYPES = -2147413744, + CSSMERR_DL_UNSUPPORTED_RECORDTYPE = -2147413743, + CSSMERR_DL_FIELD_SPECIFIED_MULTIPLE = -2147413742, + CSSMERR_DL_INCOMPATIBLE_FIELD_FORMAT = -2147413741, + CSSMERR_DL_INVALID_PARSING_MODULE = -2147413740, + CSSMERR_DL_INVALID_DB_NAME = -2147413738, + 
CSSMERR_DL_DATASTORE_DOESNOT_EXIST = -2147413737, + CSSMERR_DL_DATASTORE_ALREADY_EXISTS = -2147413736, + CSSMERR_DL_DB_LOCKED = -2147413735, + CSSMERR_DL_DATASTORE_IS_OPEN = -2147413734, + CSSMERR_DL_RECORD_NOT_FOUND = -2147413733, + CSSMERR_DL_MISSING_VALUE = -2147413732, + CSSMERR_DL_UNSUPPORTED_QUERY = -2147413731, + CSSMERR_DL_UNSUPPORTED_QUERY_LIMITS = -2147413730, + CSSMERR_DL_UNSUPPORTED_NUM_SELECTION_PREDS = -2147413729, + CSSMERR_DL_UNSUPPORTED_OPERATOR = -2147413727, + CSSMERR_DL_INVALID_RESULTS_HANDLE = -2147413726, + CSSMERR_DL_INVALID_DB_LOCATION = -2147413725, + CSSMERR_DL_INVALID_ACCESS_REQUEST = -2147413724, + CSSMERR_DL_INVALID_INDEX_INFO = -2147413723, + CSSMERR_DL_INVALID_SELECTION_TAG = -2147413722, + CSSMERR_DL_INVALID_NEW_OWNER = -2147413721, + CSSMERR_DL_INVALID_RECORD_UID = -2147413720, + CSSMERR_DL_INVALID_UNIQUE_INDEX_DATA = -2147413719, + CSSMERR_DL_INVALID_MODIFY_MODE = -2147413718, + CSSMERR_DL_INVALID_OPEN_PARAMETERS = -2147413717, + CSSMERR_DL_RECORD_MODIFIED = -2147413716, + CSSMERR_DL_ENDOFDATA = -2147413715, + CSSMERR_DL_INVALID_QUERY = -2147413714, + CSSMERR_DL_INVALID_VALUE = -2147413713, + CSSMERR_DL_MULTIPLE_VALUES_UNSUPPORTED = -2147413712, + CSSMERR_DL_STALE_UNIQUE_RECORD = -2147413711, }; diff --git a/OSX/libsecurity_cssm/lib/cssmkrapi.h b/OSX/libsecurity_cssm/lib/cssmkrapi.h index 06adece6..47375c15 100644 --- a/OSX/libsecurity_cssm/lib/cssmkrapi.h +++ b/OSX/libsecurity_cssm/lib/cssmkrapi.h 
@@ -107,138 +107,6 @@ typedef struct cssm_kr_policy_info { } CSSM_KR_POLICY_INFO DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, *CSSM_KR_POLICY_INFO_PTR DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; -/* Key Recovery Module Mangement Operations */ - -CSSM_RETURN CSSMAPI -CSSM_KR_SetEnterpriseRecoveryPolicy (const CSSM_DATA *RecoveryPolicyFileName, - const CSSM_ACCESS_CREDENTIALS *OldPassPhrase, - const CSSM_ACCESS_CREDENTIALS *NewPassPhrase) - DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; - - -/* Key Recovery Context Operations */ - -CSSM_RETURN CSSMAPI -CSSM_KR_CreateRecoveryRegistrationContext (CSSM_KRSP_HANDLE KRSPHandle, - CSSM_CC_HANDLE *NewContext) - DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; - -CSSM_RETURN CSSMAPI -CSSM_KR_CreateRecoveryEnablementContext (CSSM_KRSP_HANDLE KRSPHandle, - const CSSM_KR_PROFILE *LocalProfile, - const CSSM_KR_PROFILE *RemoteProfile, - CSSM_CC_HANDLE *NewContext) - DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; - -CSSM_RETURN CSSMAPI -CSSM_KR_CreateRecoveryRequestContext (CSSM_KRSP_HANDLE KRSPHandle, - const CSSM_KR_PROFILE *LocalProfile, - CSSM_CC_HANDLE *NewContext) - DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; - -CSSM_RETURN CSSMAPI -CSSM_KR_GetPolicyInfo (CSSM_CC_HANDLE CCHandle, - CSSM_KR_POLICY_FLAGS *EncryptionProhibited, - uint32 *WorkFactor) - DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; - - -/* Key Recovery Registration Operations */ - -CSSM_RETURN CSSMAPI -CSSM_KR_RegistrationRequest (CSSM_CC_HANDLE RecoveryRegistrationContext, - const CSSM_DATA *KRInData, - const CSSM_ACCESS_CREDENTIALS *AccessCredentials, - CSSM_KR_POLICY_FLAGS KRFlags, - sint32 *EstimatedTime, - CSSM_HANDLE_PTR ReferenceHandle) - DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; - -CSSM_RETURN CSSMAPI -CSSM_KR_RegistrationRetrieve (CSSM_KRSP_HANDLE KRSPHandle, - CSSM_HANDLE ReferenceHandle, - const CSSM_ACCESS_CREDENTIALS *AccessCredentials, - sint32 *EstimatedTime, - CSSM_KR_PROFILE_PTR KRProfile) - 
DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; - - -/* Key Recovery Enablement Operations */ - -CSSM_RETURN CSSMAPI -CSSM_KR_GenerateRecoveryFields (CSSM_CC_HANDLE KeyRecoveryContext, - CSSM_CC_HANDLE CCHandle, - const CSSM_DATA *KRSPOptions, - CSSM_KR_POLICY_FLAGS KRFlags, - CSSM_DATA_PTR KRFields, - CSSM_CC_HANDLE *NewCCHandle) - DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; - -CSSM_RETURN CSSMAPI -CSSM_KR_ProcessRecoveryFields (CSSM_CC_HANDLE KeyRecoveryContext, - CSSM_CC_HANDLE CryptoContext, - const CSSM_DATA *KRSPOptions, - CSSM_KR_POLICY_FLAGS KRFlags, - const CSSM_DATA *KRFields, - CSSM_CC_HANDLE *NewCryptoContext) - DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; - - -/* Key Recovery Request Operations */ - -CSSM_RETURN CSSMAPI -CSSM_KR_RecoveryRequest (CSSM_CC_HANDLE RecoveryRequestContext, - const CSSM_DATA *KRInData, - const CSSM_ACCESS_CREDENTIALS *AccessCredentials, - sint32 *EstimatedTime, - CSSM_HANDLE_PTR ReferenceHandle) - DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; - -CSSM_RETURN CSSMAPI -CSSM_KR_RecoveryRetrieve (CSSM_KRSP_HANDLE KRSPHandle, - CSSM_HANDLE ReferenceHandle, - const CSSM_ACCESS_CREDENTIALS *AccessCredentials, - sint32 *EstimatedTime, - CSSM_HANDLE_PTR CacheHandle, - uint32 *NumberOfRecoveredKeys) - DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; - -CSSM_RETURN CSSMAPI -CSSM_KR_GetRecoveredObject (CSSM_KRSP_HANDLE KRSPHandle, - CSSM_HANDLE CacheHandle, - uint32 IndexInResults, - CSSM_CSP_HANDLE CSPHandle, - const CSSM_RESOURCE_CONTROL_CONTEXT *CredAndAclEntry, - uint32 Flags, - CSSM_KEY_PTR RecoveredKey, - CSSM_DATA_PTR OtherInfo) - DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; - -CSSM_RETURN CSSMAPI -CSSM_KR_RecoveryRequestAbort (CSSM_KRSP_HANDLE KRSPHandle, - CSSM_HANDLE CacheHandle) - DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; - -CSSM_RETURN CSSMAPI -CSSM_KR_QueryPolicyInfo (CSSM_KRSP_HANDLE KRSPHandle, - CSSM_ALGORITHMS AlgorithmID, - CSSM_ENCRYPT_MODE Mode, - CSSM_CONTEXT_TYPE Class, - CSSM_KR_POLICY_INFO_PTR 
*PolicyInfoData) - DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; - - -/* Extensibility Functions */ - -CSSM_RETURN CSSMAPI -CSSM_KR_PassThrough (CSSM_KRSP_HANDLE KRSPHandle, - CSSM_CC_HANDLE KeyRecoveryContext, - CSSM_CC_HANDLE CryptoContext, - uint32 PassThroughId, - const void *InputParams, - void **OutputParams) - DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; - #pragma clang diagnostic pop #ifdef __cplusplus diff --git a/OSX/libsecurity_cssm/lib/cssmspi.h b/OSX/libsecurity_cssm/lib/cssmspi.h index e91e553e..782f3c58 100644 --- a/OSX/libsecurity_cssm/lib/cssmspi.h +++ b/OSX/libsecurity_cssm/lib/cssmspi.h @@ -95,39 +95,6 @@ typedef struct cssm_upcalls { uint32 NumFunctions); } CSSM_UPCALLS DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER, *CSSM_UPCALLS_PTR DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; -CSSM_RETURN CSSMSPI -CSSM_SPI_ModuleLoad (const CSSM_GUID *CssmGuid, - const CSSM_GUID *ModuleGuid, - CSSM_SPI_ModuleEventHandler CssmNotifyCallback, - void *CssmNotifyCallbackCtx) - DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; - -CSSM_RETURN CSSMSPI -CSSM_SPI_ModuleUnload (const CSSM_GUID *CssmGuid, - const CSSM_GUID *ModuleGuid, - CSSM_SPI_ModuleEventHandler CssmNotifyCallback, - void *CssmNotifyCallbackCtx) - DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; - -CSSM_RETURN CSSMSPI -CSSM_SPI_ModuleAttach (const CSSM_GUID *ModuleGuid, - const CSSM_VERSION *Version, - uint32 SubserviceID, - CSSM_SERVICE_TYPE SubServiceType, - CSSM_ATTACH_FLAGS AttachFlags, - CSSM_MODULE_HANDLE ModuleHandle, - CSSM_KEY_HIERARCHY KeyHierarchy, - const CSSM_GUID *CssmGuid, - const CSSM_GUID *ModuleManagerGuid, - const CSSM_GUID *CallerGuid, - const CSSM_UPCALLS *Upcalls, - CSSM_MODULE_FUNCS_PTR *FuncTbl) - DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; - -CSSM_RETURN CSSMSPI -CSSM_SPI_ModuleDetach (CSSM_MODULE_HANDLE ModuleHandle) - DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; - #pragma clang diagnostic pop #ifdef __cplusplus 
diff --git a/OSX/libsecurity_cssm/lib/cssmtype.h b/OSX/libsecurity_cssm/lib/cssmtype.h index 1cddc3e4..57481d1c 100644 --- a/OSX/libsecurity_cssm/lib/cssmtype.h +++ b/OSX/libsecurity_cssm/lib/cssmtype.h @@ -695,7 +695,7 @@ typedef struct cssm_acl_edit { #if defined(WIN32) typedef FARPROC CSSM_PROC_ADDR; #else -typedef void (CSSMAPI *CSSM_PROC_ADDR) (); +typedef void (CSSMAPI *CSSM_PROC_ADDR) (void); #endif typedef CSSM_PROC_ADDR *CSSM_PROC_ADDR_PTR; diff --git a/OSX/libsecurity_cssm/lib/eisl.h b/OSX/libsecurity_cssm/lib/eisl.h index 7c8fa941..83f02f46 100644 --- a/OSX/libsecurity_cssm/lib/eisl.h +++ b/OSX/libsecurity_cssm/lib/eisl.h 
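Review bot: The non-WIN32 `CSSM_PROC_ADDR` typedef in cssmtype.h carries no comment saying that it is only a generic holder for a function address. Now that it is the full prototype `void (CSSMAPI *)(void)`, a call made directly through it can pass no arguments, and calling a function of a different type through it without casting back is undefined behaviour. I would add a line above the typedef such as `/* Generic function address: cast back to the function's real type before calling. */`. C callers that store other function types in a `CSSM_PROC_ADDR` will presumably need an explicit cast after this change; none are visible in this hunk, so that is worth confirming at the call sites.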
@@ -32,293 +32,6 @@ extern "C" { #endif -/* Data Types for Embedded Integrity Services Library */ - -typedef const void *ISL_ITERATOR_PTR; - -typedef const void *ISL_VERIFIED_SIGNATURE_ROOT_PTR; - -typedef const void *ISL_VERIFIED_CERTIFICATE_CHAIN_PTR; - -typedef const void *ISL_VERIFIED_CERTIFICATE_PTR; - -typedef const void *ISL_MANIFEST_SECTION_PTR; - -typedef const void *ISL_VERIFIED_MODULE_PTR; - -typedef void (*ISL_FUNCTION_PTR)(void); - -typedef struct isl_data { - CSSM_SIZE Length; /* in bytes */ - uint8 *Data; -} ISL_DATA, *ISL_DATA_PTR; - -typedef struct isl_const_data { - CSSM_SIZE Length; /* in bytes */ - const uint8 *Data; -} ISL_CONST_DATA, *ISL_CONST_DATA_PTR; - -typedef enum isl_status { - ISL_OK = 0, - ISL_FAIL = -1 -} ISL_STATUS; - - -/* Embedded Integrity Services Library Functions */ - -ISL_VERIFIED_MODULE_PTR -EISL_SelfCheck (); - -ISL_VERIFIED_MODULE_PTR -EISL_VerifyAndLoadModuleAndCredentialData (const ISL_CONST_DATA CredentialsImage, - const ISL_CONST_DATA ModuleSearchPath, - const ISL_CONST_DATA Name, - const ISL_CONST_DATA Signer, - const ISL_CONST_DATA PublicKey); - -ISL_VERIFIED_MODULE_PTR -EISL_VerifyAndLoadModuleAndCredentialDataWithCertificate (const ISL_CONST_DATA CredentialsImage, - const ISL_CONST_DATA ModuleSearchPath, - const ISL_CONST_DATA Name, - const ISL_CONST_DATA Signer, - const ISL_CONST_DATA Certificate); - -ISL_VERIFIED_MODULE_PTR -EISL_VerifyAndLoadModuleAndCredentials (ISL_CONST_DATA Credentials, - ISL_CONST_DATA Name, - ISL_CONST_DATA Signer, - ISL_CONST_DATA PublicKey); - -ISL_VERIFIED_MODULE_PTR -EISL_VerifyAndLoadModuleAndCredentialsWithCertificate (const ISL_CONST_DATA Credentials, - const ISL_CONST_DATA Name, - const ISL_CONST_DATA Signer, - const ISL_CONST_DATA Certificate); - -ISL_VERIFIED_MODULE_PTR -EISL_VerifyLoadedModuleAndCredentialData (const ISL_CONST_DATA CredentialsImage, - const ISL_CONST_DATA ModuleSearchPath, - const ISL_CONST_DATA Name, - const ISL_CONST_DATA Signer, - const ISL_CONST_DATA 
PublicKey); - -ISL_VERIFIED_MODULE_PTR -EISL_VerifyLoadedModuleAndCredentialDataWithCertificate (const ISL_CONST_DATA CredentialsImage, - const ISL_CONST_DATA ModuleSearchPath, - const ISL_CONST_DATA Name, - const ISL_CONST_DATA Signer, - const ISL_CONST_DATA Certificate); - -ISL_VERIFIED_MODULE_PTR -EISL_VerifyLoadedModuleAndCredentials (ISL_CONST_DATA Credentials, - ISL_CONST_DATA Name, - ISL_CONST_DATA Signer, - ISL_CONST_DATA PublicKey); - -ISL_VERIFIED_MODULE_PTR -EISL_VerifyLoadedModuleAndCredentialsWithCertificate (const ISL_CONST_DATA Credentials, - const ISL_CONST_DATA Name, - const ISL_CONST_DATA Signer, - const ISL_CONST_DATA Certificate); - -ISL_VERIFIED_CERTIFICATE_CHAIN_PTR -EISL_GetCertificateChain (ISL_VERIFIED_MODULE_PTR Module); - -uint32 -EISL_ContinueVerification (ISL_VERIFIED_MODULE_PTR Module, - uint32 WorkFactor); - -ISL_VERIFIED_MODULE_PTR -EISL_DuplicateVerifiedModulePtr (ISL_VERIFIED_MODULE_PTR Module); - -ISL_STATUS -EISL_RecycleVerifiedModuleCredentials (ISL_VERIFIED_MODULE_PTR Verification); - - -/* Signature Root Methods */ - -ISL_VERIFIED_SIGNATURE_ROOT_PTR -EISL_CreateVerifiedSignatureRootWithCredentialData (const ISL_CONST_DATA CredentialsImage, - const ISL_CONST_DATA ModuleSearchPath, - const ISL_CONST_DATA Signer, - const ISL_CONST_DATA PublicKey); - -ISL_VERIFIED_SIGNATURE_ROOT_PTR -EISL_CreateVerifiedSignatureRootWithCredentialDataAndCertificate (const ISL_CONST_DATA CredentialsImage, - const ISL_CONST_DATA ModuleSearchPath, - ISL_VERIFIED_CERTIFICATE_PTR Cert); - -ISL_VERIFIED_SIGNATURE_ROOT_PTR -EISL_CreateVerfiedSignatureRoot (ISL_CONST_DATA Credentials, - ISL_CONST_DATA Signer, - ISL_CONST_DATA PublicKey); - -ISL_VERIFIED_SIGNATURE_ROOT_PTR -EISL_CreateVerfiedSignatureRootWithCertificate (ISL_CONST_DATA Credentials, - ISL_VERIFIED_CERTIFICATE_PTR Cert); - -ISL_MANIFEST_SECTION_PTR -EISL_FindManifestSection (ISL_VERIFIED_SIGNATURE_ROOT_PTR Root, - ISL_CONST_DATA Name); - -ISL_ITERATOR_PTR -EISL_CreateManifestSectionEnumerator 
(ISL_VERIFIED_SIGNATURE_ROOT_PTR Root); - -ISL_MANIFEST_SECTION_PTR -EISL_GetNextManifestSection (ISL_ITERATOR_PTR Iterator); - -ISL_STATUS -EISL_RecycleManifestSectionEnumerator (ISL_ITERATOR_PTR Iterator); - -ISL_STATUS -EISL_FindManifestAttribute (ISL_VERIFIED_SIGNATURE_ROOT_PTR Context, - ISL_CONST_DATA Name, - ISL_CONST_DATA_PTR Value); - -ISL_ITERATOR_PTR -EISL_CreateManifestAttributeEnumerator (ISL_VERIFIED_SIGNATURE_ROOT_PTR Context); - -ISL_STATUS -EISL_FindSignerInfoAttribute (ISL_VERIFIED_SIGNATURE_ROOT_PTR Context, - ISL_CONST_DATA Name, - ISL_CONST_DATA_PTR Value); - -ISL_ITERATOR_PTR -EISL_CreateSignerInfoAttributeEnumerator (ISL_VERIFIED_SIGNATURE_ROOT_PTR Context); - -ISL_STATUS -EISL_GetNextAttribute (ISL_ITERATOR_PTR Iterator, - ISL_CONST_DATA_PTR Name, - ISL_CONST_DATA_PTR Value); - -ISL_STATUS -EISL_RecycleAttributeEnumerator (ISL_ITERATOR_PTR Iterator); - -ISL_STATUS -EISL_FindSignatureAttribute (ISL_VERIFIED_SIGNATURE_ROOT_PTR Root, - ISL_CONST_DATA Name, - ISL_CONST_DATA_PTR Value); - -ISL_ITERATOR_PTR -EISL_CreateSignatureAttributeEnumerator (ISL_VERIFIED_SIGNATURE_ROOT_PTR Root); - -ISL_STATUS -EISL_GetNextSignatureAttribute (ISL_ITERATOR_PTR Iterator, - ISL_CONST_DATA_PTR Name, - ISL_CONST_DATA_PTR Value); - -ISL_STATUS -EISL_RecycleSignatureAttributeEnumerator (ISL_ITERATOR_PTR Iterator); - -ISL_STATUS -EISL_RecycleVerifiedSignatureRoot (ISL_VERIFIED_SIGNATURE_ROOT_PTR Root); - - -/* Certificate Chain Methods */ - -ISL_VERIFIED_CERTIFICATE_CHAIN_PTR -EISL_CreateCertificateChainWithCredentialData (const ISL_CONST_DATA RootIssuer, - const ISL_CONST_DATA PublicKey, - const ISL_CONST_DATA CredentialsImage, - const ISL_CONST_DATA ModuleSearchPath); - -ISL_VERIFIED_CERTIFICATE_CHAIN_PTR -EISL_CreateCertificateChainWithCredentialDataAndCertificate (const ISL_CONST_DATA Certificate, - const ISL_CONST_DATA CredentialsImage, - const ISL_CONST_DATA ModuleSearchPath); - -ISL_VERIFIED_CERTIFICATE_CHAIN_PTR -EISL_CreateCertificateChain (ISL_CONST_DATA 
RootIssuer, - ISL_CONST_DATA PublicKey, - ISL_CONST_DATA Credential); - -ISL_VERIFIED_CERTIFICATE_CHAIN_PTR -EISL_CreateCertificateChainWithCertificate (const ISL_CONST_DATA Certificate, - const ISL_CONST_DATA Credential); - -uint32 -EISL_CopyCertificateChain (ISL_VERIFIED_CERTIFICATE_CHAIN_PTR Verification, - ISL_VERIFIED_CERTIFICATE_PTR Certs[], - uint32 MaxCertificates); - -ISL_STATUS -EISL_RecycleVerifiedCertificateChain (ISL_VERIFIED_CERTIFICATE_CHAIN_PTR Chain); - - -/* Certificate Attribute Methods */ - -ISL_STATUS -EISL_FindCertificateAttribute (ISL_VERIFIED_CERTIFICATE_PTR Cert, - ISL_CONST_DATA Name, - ISL_CONST_DATA_PTR Value); - -ISL_ITERATOR_PTR -EISL_CreateCertificateAttributeEnumerator (ISL_VERIFIED_CERTIFICATE_PTR Cert); - -ISL_STATUS -EISL_GetNextCertificateAttribute (ISL_ITERATOR_PTR CertIterator, - ISL_CONST_DATA_PTR Name, - ISL_CONST_DATA_PTR Value); - -ISL_STATUS -EISL_RecycleCertificateAttributeEnumerator (ISL_ITERATOR_PTR CertIterator); - - -/* Manifest Section Object Methods */ - -ISL_VERIFIED_SIGNATURE_ROOT_PTR -EISL_GetManifestSignatureRoot (ISL_MANIFEST_SECTION_PTR Section); - -ISL_VERIFIED_MODULE_PTR -EISL_VerifyAndLoadModule (ISL_MANIFEST_SECTION_PTR Section); - -ISL_VERIFIED_MODULE_PTR -EISL_VerifyLoadedModule (ISL_MANIFEST_SECTION_PTR Section); - -ISL_STATUS -EISL_FindManifestSectionAttribute (ISL_MANIFEST_SECTION_PTR Section, - ISL_CONST_DATA Name, - ISL_CONST_DATA_PTR Value); - -ISL_ITERATOR_PTR -EISL_CreateManifestSectionAttributeEnumerator (ISL_MANIFEST_SECTION_PTR Section); - -ISL_STATUS -EISL_GetNextManifestSectionAttribute (ISL_ITERATOR_PTR Iterator, - ISL_CONST_DATA_PTR Name, - ISL_CONST_DATA_PTR Value); - -ISL_STATUS -EISL_RecycleManifestSectionAttributeEnumerator (ISL_ITERATOR_PTR Iterator); - -ISL_MANIFEST_SECTION_PTR -EISL_GetModuleManifestSection (ISL_VERIFIED_MODULE_PTR Module); - - -/* Secure Linkage Services */ - -ISL_FUNCTION_PTR -EISL_LocateProcedureAddress (ISL_VERIFIED_MODULE_PTR Module, - ISL_CONST_DATA Name); - 
-#ifdef MACOSX -#define EISL_GetReturnAddress(Address) \ -{\ - /* Platform specific code in here */ \ -} -#endif - -ISL_STATUS -EISL_CheckAddressWithinModule (ISL_VERIFIED_MODULE_PTR Verification, - ISL_FUNCTION_PTR Address); - -ISL_STATUS -EISL_CheckDataAddressWithinModule (ISL_VERIFIED_MODULE_PTR Verification, - const void *Address); - -void * -EISL_GetLibHandle (ISL_VERIFIED_MODULE_PTR Verification); - #ifdef __cplusplus } #endif diff --git a/OSX/libsecurity_cssm/lib/emmspi.h b/OSX/libsecurity_cssm/lib/emmspi.h index a618be9e..762972f2 100644 --- a/OSX/libsecurity_cssm/lib/emmspi.h +++ b/OSX/libsecurity_cssm/lib/emmspi.h @@ -85,13 +85,6 @@ enum { CSSM_HINT_ADDRESS_SP = 1 << 1 }; -CSSM_RETURN CSSMAPI -ModuleManagerAuthenticate (CSSM_KEY_HIERARCHY KeyHierarchy, - const CSSM_GUID *CssmGuid, - const CSSM_GUID *AppGuid, - CSSM_MANAGER_REGISTRATION_INFO_PTR FunctionTable) - DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; - #pragma clang diagnostic pop #ifdef __cplusplus diff --git a/OSX/libsecurity_keychain/lib/Item.cpp b/OSX/libsecurity_keychain/lib/Item.cpp index ff064c1a..2ec227ef 100644 --- a/OSX/libsecurity_keychain/lib/Item.cpp +++ b/OSX/libsecurity_keychain/lib/Item.cpp @@ -196,14 +196,22 @@ ItemImpl::ItemImpl(ItemImpl &item) : } ItemImpl::~ItemImpl() -{ +try { if (secd_PersistentRef) { CFRelease(secd_PersistentRef); } +} catch (...) { +#ifndef NDEBUG + /* if we get an exception in destructor, presumably the mutex, lets throw if we + * are in a debug build (ie reach end of block) */ +#else + return; +#endif } + Mutex* ItemImpl::getMutexForObject() const { diff --git a/OSX/libsecurity_keychain/lib/MacOSErrorStrings.h b/OSX/libsecurity_keychain/lib/MacOSErrorStrings.h index 02e6195b..fb9ef2fd 100644 --- a/OSX/libsecurity_keychain/lib/MacOSErrorStrings.h +++ b/OSX/libsecurity_keychain/lib/MacOSErrorStrings.h 
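Review bot: In the `catch (...)` handler added to `ItemImpl::~ItemImpl()`, the release branch (`#else` / `return;`) discards the exception without any record. A failure while tearing down a keychain item, which the comment attributes to the mutex, then leaves nothing for someone diagnosing lock or lifetime problems. I would log once before the `return;` using the logging macro this file already uses. The debug branch depends on a function-try-block handler rethrowing when control reaches its end, and the comment should say so explicitly, e.g. `/* falling off the end of this handler rethrows; in a noexcept destructor that ends in std::terminate */`. That outcome applies if the destructor is implicitly `noexcept`, the default since C++11. The handler also covers exceptions from member and base-class destructors, not only the `CFRelease` in the body, so the behaviour differs between builds for any of those.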
@@ -56,6 +56,6 @@ enum errSecMisc_cantGetFlavorErr = -1854, /* The location (URL) of this item is missing or improperly formatted. */ errSecMisc_afpAccessDenied = -5000, /* Access to this item was denied. */ errSecMisc_afpUserNotAuth = -5023, /* Authentication failed. The password for this server may have changed since the item was added to the keychain. */ - errSecMisc_afpPwdPolicyErr = -5046 /* This AppleShare IP server is configured to not allow users to save passwords for automatic login. Contact the server administrator for more information. */ + errSecMisc_afpPwdPolicyErr = -5046, /* This AppleShare IP server is configured to not allow users to save passwords for automatic login. Contact the server administrator for more information. */ }; diff --git a/OSX/libsecurity_keychain/lib/SecACL.cpp b/OSX/libsecurity_keychain/lib/SecACL.cpp index d91458b3..5e5dbb7b 100644 --- a/OSX/libsecurity_keychain/lib/SecACL.cpp +++ b/OSX/libsecurity_keychain/lib/SecACL.cpp @@ -50,9 +50,6 @@ CFTypeID SecACLGetTypeID(void) { BEGIN_SECAPI - os_activity_t activity = os_activity_create("SecACLGetTypeID", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT); - os_activity_scope(activity); - os_release(activity); return gTypes().ACL.typeID; diff --git a/OSX/libsecurity_keychain/lib/SecAsn1TypesP.h b/OSX/libsecurity_keychain/lib/SecAsn1TypesP.h deleted file mode 100644 index 2a027acb..00000000 --- a/OSX/libsecurity_keychain/lib/SecAsn1TypesP.h +++ /dev/null 
@@ -1,241 +0,0 @@ -/* - * The contents of this file are subject to the Mozilla Public - * License Version 1.1 (the "License"); you may not use this file - * except in compliance with the License. You may obtain a copy of - * the License at http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS - * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or - * implied. See the License for the specific language governing - * rights and limitations under the License. - * - * The Original Code is the Netscape security libraries. - * - * The Initial Developer of the Original Code is Netscape - * Communications Corporation. Portions created by Netscape are - * Copyright (C) 1994-2000 Netscape Communications Corporation. All - * Rights Reserved. - * - * Contributor(s): - * - * Alternatively, the contents of this file may be used under the - * terms of the GNU General Public License Version 2 or later (the - * "GPL"), in which case the provisions of the GPL are applicable - * instead of those above. If you wish to allow use of your - * version of this file only under the terms of the GPL and not to - * allow others to use your version of this file under the MPL, - * indicate your decision by deleting the provisions above and - * replace them with the notice and other provisions required by - * the GPL. If you do not delete the provisions above, a recipient - * may use your version of this file under either the MPL or the - * GPL. - */ - -/* - * Types for encoding/decoding of ASN.1 using BER/DER (Basic/Distinguished - * Encoding Rules). - */ - -#ifndef _SEC_ASN1_TYPES_H_ -#define _SEC_ASN1_TYPES_H_ - -#include /* Boolean */ -#include -#include - -#include -#if 1 /* TARGET_OS_EMBEDDED */ -/* @@@ We need something that tells us which platform we are building - for that let's us distinguish if we are doing an emulator build. 
*/ - -typedef struct { - size_t Length; - uint8_t *Data; -} SecAsn1Item, SecAsn1Oid; - -typedef struct { - SecAsn1Oid algorithm; - SecAsn1Item parameters; -} SecAsn1AlgId; - -typedef struct { - SecAsn1AlgId algorithm; - SecAsn1Item subjectPublicKey; -} SecAsn1PubKeyInfo; - -#else -#include -#include - -typedef CSSM_DATA SecAsn1Item; -typedef CSSM_OID SecAsn1Oid; -typedef CSSM_X509_ALGORITHM_IDENTIFIER SecAsn1AlgId; -typedef CSSM_X509_SUBJECT_PUBLIC_KEY_INFO SecAsn1PubKeyInfo; - -#endif - -/* - * An array of these structures defines a BER/DER encoding for an object. - * - * The array usually starts with a dummy entry whose kind is SEC_ASN1_SEQUENCE; - * such an array is terminated with an entry where kind == 0. (An array - * which consists of a single component does not require a second dummy - * entry -- the array is only searched as long as previous component(s) - * instruct it.) - */ -typedef struct SecAsn1Template_struct { - /* - * Kind of item being decoded/encoded, including tags and modifiers. - */ - uint32_t kind; - - /* - * This value is the offset from the base of the structure (i.e., the - * (void *) passed as 'src' to SecAsn1EncodeItem, or the 'dst' argument - * passed to SecAsn1CoderRef()) to the field that holds the value being - * decoded/encoded. - */ - uint32_t offset; - - /* - * When kind suggests it (e.g., SEC_ASN1_POINTER, SEC_ASN1_GROUP, - * SEC_ASN1_INLINE, or a component that is *not* a SEC_ASN1_UNIVERSAL), - * this points to a sub-template for nested encoding/decoding. - * OR, iff SEC_ASN1_DYNAMIC is set, then this is a pointer to a pointer - * to a function which will return the appropriate template when called - * at runtime. NOTE! that explicit level of indirection, which is - * necessary because ANSI does not allow you to store a function - * pointer directly as a "void *" so we must store it separately and - * dereference it to get at the function pointer itself. 
- */ - const void *sub; - - /* - * In the first element of a template array, the value is the size - * of the structure to allocate when this template is being referenced - * by another template via SEC_ASN1_POINTER or SEC_ASN1_GROUP. - * In all other cases, the value is ignored. - */ - uint32_t size; -} SecAsn1Template; - - -/* - * BER/DER values for ASN.1 identifier octets. - */ -#define SEC_ASN1_TAG_MASK 0xff - -/* - * BER/DER universal type tag numbers. - */ -#define SEC_ASN1_TAGNUM_MASK 0x1f -#define SEC_ASN1_BOOLEAN 0x01 -#define SEC_ASN1_INTEGER 0x02 -#define SEC_ASN1_BIT_STRING 0x03 -#define SEC_ASN1_OCTET_STRING 0x04 -#define SEC_ASN1_NULL 0x05 -#define SEC_ASN1_OBJECT_ID 0x06 -#define SEC_ASN1_OBJECT_DESCRIPTOR 0x07 -/* External type and instance-of type 0x08 */ -#define SEC_ASN1_REAL 0x09 -#define SEC_ASN1_ENUMERATED 0x0a -#define SEC_ASN1_EMBEDDED_PDV 0x0b -#define SEC_ASN1_UTF8_STRING 0x0c -/* not used 0x0d */ -/* not used 0x0e */ -/* not used 0x0f */ -#define SEC_ASN1_SEQUENCE 0x10 -#define SEC_ASN1_SET 0x11 -#define SEC_ASN1_NUMERIC_STRING 0x12 -#define SEC_ASN1_PRINTABLE_STRING 0x13 -#define SEC_ASN1_T61_STRING 0x14 -#define SEC_ASN1_VIDEOTEX_STRING 0x15 -#define SEC_ASN1_IA5_STRING 0x16 -#define SEC_ASN1_UTC_TIME 0x17 -#define SEC_ASN1_GENERALIZED_TIME 0x18 -#define SEC_ASN1_GRAPHIC_STRING 0x19 -#define SEC_ASN1_VISIBLE_STRING 0x1a -#define SEC_ASN1_GENERAL_STRING 0x1b -#define SEC_ASN1_UNIVERSAL_STRING 0x1c -/* not used 0x1d */ -#define SEC_ASN1_BMP_STRING 0x1e -#define SEC_ASN1_HIGH_TAG_NUMBER 0x1f -#define SEC_ASN1_TELETEX_STRING SEC_ASN1_T61_STRING - -/* - * Modifiers to type tags. These are also specified by a/the - * standard, and must not be changed. 
- */ -#define SEC_ASN1_METHOD_MASK 0x20 -#define SEC_ASN1_PRIMITIVE 0x00 -#define SEC_ASN1_CONSTRUCTED 0x20 - -#define SEC_ASN1_CLASS_MASK 0xc0 -#define SEC_ASN1_UNIVERSAL 0x00 -#define SEC_ASN1_APPLICATION 0x40 -#define SEC_ASN1_CONTEXT_SPECIFIC 0x80 -#define SEC_ASN1_PRIVATE 0xc0 - -/* - * Our additions, used for templates. - * These are not defined by any standard; the values are used internally only. - * Just be careful to keep them out of the low 8 bits. - */ -#define SEC_ASN1_OPTIONAL 0x00100 -#define SEC_ASN1_EXPLICIT 0x00200 -#define SEC_ASN1_ANY 0x00400 -#define SEC_ASN1_INLINE 0x00800 -#define SEC_ASN1_POINTER 0x01000 -#define SEC_ASN1_GROUP 0x02000 /* with SET or SEQUENCE means - * SET OF or SEQUENCE OF */ -#define SEC_ASN1_DYNAMIC 0x04000 /* subtemplate is found by calling - * a function at runtime */ -#define SEC_ASN1_SKIP 0x08000 /* skip a field; only for decoding */ -#define SEC_ASN1_INNER 0x10000 /* with ANY means capture the - * contents only (not the id, len, - * or eoc); only for decoding */ -#define SEC_ASN1_SAVE 0x20000 /* stash away the encoded bytes first; - * only for decoding */ -#define SEC_ASN1_SKIP_REST 0x80000 /* skip all following fields; - * only for decoding */ -#define SEC_ASN1_CHOICE 0x100000 /* pick one from a template */ - -/* - * Indicate that a type SEC_ASN1_INTEGER is actually signed. - * The default is unsigned, which causes a leading zero to be - * encoded if the MS bit of the source data is 1. - */ -#define SEC_ASN1_SIGNED_INT 0X800000 - -/* Shorthand/Aliases */ -#define SEC_ASN1_SEQUENCE_OF (SEC_ASN1_GROUP | SEC_ASN1_SEQUENCE) -#define SEC_ASN1_SET_OF (SEC_ASN1_GROUP | SEC_ASN1_SET) -#define SEC_ASN1_ANY_CONTENTS (SEC_ASN1_ANY | SEC_ASN1_INNER) - -/* - * Function used for SEC_ASN1_DYNAMIC. - * "arg" is a pointer to the top-level structure being encoded or - * decoded. 
- * - * "enc" when true, means that we are encoding (false means decoding) - * - * "buf" For decode only; points to the start of the decoded data for - * the current template. Callee can use the tag at this location - * to infer the returned template. Not used on encode. - * - * "Dest" points to the template-specific item being decoded to - * or encoded from. (This is as opposed to arg, which - * points to the start of the struct associated with the - * current array of templates). - */ - -typedef const SecAsn1Template * SecAsn1TemplateChooser( - void *arg, - Boolean enc, - const char *buf, - void *dest); - -typedef SecAsn1TemplateChooser * SecAsn1TemplateChooserPtr; - - -#endif /* _SEC_ASN1_TYPES_H_ */ diff --git a/OSX/libsecurity_keychain/lib/SecBase.cpp b/OSX/libsecurity_keychain/lib/SecBase.cpp index 096349ed..b9633314 100644 --- a/OSX/libsecurity_keychain/lib/SecBase.cpp +++ b/OSX/libsecurity_keychain/lib/SecBase.cpp @@ -98,7 +98,7 @@ cssmErrorString(CSSM_RETURN error) CFStringRef result = copyErrorMessageFromBundle(error,CFSTR("SecErrorMessages")); if (result == NULL) result = copyErrorMessageFromBundle(error,CFSTR("SecDebugErrorMessages")); - err = cfString(result, true); + err = cfString(result, errSecErrorStringNotAvailable); CFReleaseSafe(result); } diff --git a/OSX/libsecurity_keychain/lib/SecBaseP.h b/OSX/libsecurity_keychain/lib/SecBaseP.h deleted file mode 100644 index dc4f9cd1..00000000 --- a/OSX/libsecurity_keychain/lib/SecBaseP.h +++ /dev/null 
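Review bot: The call `cfString(result, errSecErrorStringNotAvailable)` can still receive a NULL `result` when neither string table has the message, and nothing in the hunk says what happens then. The old `true` argument read like a flag and the new one reads like a status to raise, so the selected overload presumably throws that status on NULL; the declaration is outside this diff, so that is inferred. A comment on the line would settle it: `// throws errSecErrorStringNotAvailable when no bundle has a string for this code`. `cssmErrorString` begins and ends outside the hunk, so whether the throw is caught before `CFReleaseSafe(result)` cannot be checked from here.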
@@ -1,91 +0,0 @@ -/* - * Copyright (c) 2000-2009,2011 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -/*! - @header SecBase - SecBase contains common declarations for the Security functions. -*/ - -#ifndef _SECURITY_SECBASEP_H_ -#define _SECURITY_SECBASEP_H_ - -#include - -#if defined(__cplusplus) -extern "C" { -#endif - -/*! - @typedef SecCertificateRef - @abstract CFType representing a X.509 certificate, see - SecCertificate.h for details. -*/ -typedef struct __SecCertificate *SecCertificateRefP; - -/*! - @typedef SecIdentityRef - @abstract CFType representing an identity, which contains - a SecKeyRef and an ascociated SecCertificateRef, see - SecIdentity.h for details. -*/ -typedef struct __SecIdentity *SecIdentityRefP; - -/*! - @typedef SecKeyRef - @abstract CFType representing an asymetric key, see - SecKey.h for details. 
-*/ -typedef struct __SecKey *SecKeyRefP; - -/*********************************************** - *** OSStatus values unique to Security APIs *** - ***********************************************/ - -/* - Note: the comments that appear after these errors are used to create - SecErrorMessages.strings. The comments must not be multi-line, and - should be in a form meaningful to an end user. If a different or - additional comment is needed, it can be put in the header doc format, - or on a line that does not start with errZZZ. -*/ - -#if 0 -enum -{ - errSecSuccess = 0, /* No error. */ - errSecUnimplemented = -4, /* Function or operation not implemented. */ - errSecParam = -50, /* One or more parameters passed to a function where not valid. */ - errSecAllocate = -108, /* Failed to allocate memory. */ - errSecNotAvailable = -25291, /* No keychain is available. You may need to restart your computer. */ - errSecDuplicateItem = -25299, /* The specified item already exists in the keychain. */ - errSecItemNotFound = -25300, /* The specified item could not be found in the keychain. */ - errSecInteractionNotAllowed = -25308, /* User interaction is not allowed. */ - errSecDecode = -26275, /* Unable to decode the provided data. */ -}; -#endif - -#if defined(__cplusplus) -} -#endif - -#endif /* !_SECURITY_SECBASEP_H_ */ diff --git a/OSX/libsecurity_keychain/lib/SecFrameworkP.h b/OSX/libsecurity_keychain/lib/SecFrameworkP.h deleted file mode 100644 index da08583a..00000000 --- a/OSX/libsecurity_keychain/lib/SecFrameworkP.h +++ /dev/null 
@@ -1,64 +0,0 @@ -/* - * Copyright (c) 2006-2007,2009-2011 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -/*! - @header SecFramework - The functions provided in SecFramework.h implement generic non API class - specific functionality. -*/ - -#ifndef _SECURITY_SECFRAMEWORK_H_ -#define _SECURITY_SECFRAMEWORK_H_ - -#include -#include -#include "SecAsn1TypesP.h" - -#if defined(__cplusplus) -extern "C" { -#endif - -CFStringRef SecFrameworkCopyLocalizedString(CFStringRef key, - CFStringRef tableName) CF_FORMAT_ARGUMENT(1); - -CFURLRef SecFrameworkCopyResourceURL(CFStringRef resourceName, - CFStringRef resourceType, CFStringRef subDirName); - -CFDataRef SecFrameworkCopyResourceContents(CFStringRef resourceName, - CFStringRef resourceType, CFStringRef subDirName); - -/* Return the SHA1 digest of a chunk of data as newly allocated CFDataRef. 
*/ -CFDataRef SecSHA1DigestCreate(CFAllocatorRef allocator, - const UInt8 *data, CFIndex length); - -/* Return the digest of a chunk of data as newly allocated CFDataRef, the - algorithm is selected based on the algorithm and params passed in. */ -CFDataRef SecDigestCreate(CFAllocatorRef allocator, - const SecAsn1Oid *algorithm, const SecAsn1Item *params, - const UInt8 *data, CFIndex length); - -#if defined(__cplusplus) -} -#endif - -#endif /* !_SECURITY_SECFRAMEWORK_H_ */ diff --git a/OSX/libsecurity_keychain/lib/SecIdentity.cpp b/OSX/libsecurity_keychain/lib/SecIdentity.cpp index 1cb7b595..79818db9 100644 --- a/OSX/libsecurity_keychain/lib/SecIdentity.cpp +++ b/OSX/libsecurity_keychain/lib/SecIdentity.cpp @@ -109,9 +109,6 @@ CFTypeID SecIdentityGetTypeID(void) { BEGIN_SECAPI - os_activity_t activity = os_activity_create("SecIdentityGetTypeID", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT); - os_activity_scope(activity); - os_release(activity); return gTypes().Identity.typeID; diff --git a/OSX/libsecurity_keychain/lib/SecIdentitySearch.cpp b/OSX/libsecurity_keychain/lib/SecIdentitySearch.cpp index 589fa93e..b3f58d60 100644 --- a/OSX/libsecurity_keychain/lib/SecIdentitySearch.cpp +++ b/OSX/libsecurity_keychain/lib/SecIdentitySearch.cpp @@ -35,9 +35,6 @@ CFTypeID SecIdentitySearchGetTypeID(void) { BEGIN_SECAPI - os_activity_t activity = os_activity_create("SecIdentitySearchGetTypeID", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_IF_NONE_PRESENT); - os_activity_scope(activity); - os_release(activity); return gTypes().IdentityCursor.typeID; diff --git a/OSX/libsecurity_keychain/lib/SecItem.cpp b/OSX/libsecurity_keychain/lib/SecItem.cpp index a59b18b5..ac9a9e6f 100644 --- a/OSX/libsecurity_keychain/lib/SecItem.cpp +++ b/OSX/libsecurity_keychain/lib/SecItem.cpp 
@@ -4749,45 +4749,6 @@ SecItemMergeResults(bool can_target_ios, OSStatus status_ios, CFTypeRef result_i } } -static bool -ShouldTryUnlockKeybag(CFDictionaryRef query, OSErr status) -{ - static __typeof(SASSessionStateForUser) *soft_SASSessionStateForUser = NULL; - static dispatch_once_t onceToken; - static void *framework; - - if (status != errSecInteractionNotAllowed) - return false; - - // If the query disabled authUI, respect it. - CFTypeRef authUI = NULL; - if (query) { - authUI = CFDictionaryGetValue(query, kSecUseAuthenticationUI); - if (authUI == NULL) { - authUI = CFDictionaryGetValue(query, kSecUseNoAuthenticationUI); - authUI = (authUI != NULL && CFEqual(authUI, kCFBooleanTrue)) ? kSecUseAuthenticationUIFail : NULL; - } - } - if (authUI && !CFEqual(authUI, kSecUseAuthenticationUIAllow)) - return false; - - dispatch_once(&onceToken, ^{ - framework = dlopen("/System/Library/PrivateFrameworks/login.framework/login", RTLD_LAZY); - if (framework == NULL) - return; - soft_SASSessionStateForUser = (__typeof(soft_SASSessionStateForUser)) dlsym(framework, "SASSessionStateForUser"); - }); - - if (soft_SASSessionStateForUser == NULL) - return false; - - SessionAgentState sessionState = soft_SASSessionStateForUser(getuid()); - if(sessionState != kSA_state_desktopshowing) - return false; - - return true; -} - OSStatus SecItemCopyMatching(CFDictionaryRef query, CFTypeRef *result) { @@ -4816,14 +4777,6 @@ SecItemCopyMatching(CFDictionaryRef query, CFTypeRef *result) } else { status_ios = SecItemCopyMatching_ios(attrs_ios, &result_ios); - if(ShouldTryUnlockKeybag(query, status_ios)) { - // The keybag is locked. Attempt to unlock it... - secitemlog(LOG_WARNING, "SecItemCopyMatching triggering SecurityAgent"); - if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(1)) { - CFReleaseNull(result_ios); - status_ios = SecItemCopyMatching_ios(attrs_ios, &result_ios); - } - } CFRelease(attrs_ios); } secitemlog(LOG_NOTICE, "SecItemCopyMatching_ios result: %d", status_ios); 
@@ -4880,14 +4833,6 @@ SecItemAdd(CFDictionaryRef attributes, CFTypeRef *result) status = errSecParam; } else { status = SecItemAdd_ios(attrs_ios, &result_ios); - if(ShouldTryUnlockKeybag(attributes, status)) { - // The keybag is locked. Attempt to unlock it... - secitemlog(LOG_WARNING, "SecItemAdd triggering SecurityAgent"); - if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(3)) { - CFReleaseNull(result_ios); - status = SecItemAdd_ios(attrs_ios, &result_ios); - } - } CFRelease(attrs_ios); } secitemlog(LOG_NOTICE, "SecItemAdd_ios result: %d", status); @@ -4937,22 +4882,8 @@ SecItemUpdate(CFDictionaryRef query, CFDictionaryRef attributesToUpdate) else { if (SecItemHasSynchronizableUpdate(true, attributesToUpdate)) { status_ios = SecItemChangeSynchronizability(attrs_ios, attributesToUpdate, false); - if(ShouldTryUnlockKeybag(query, status_ios)) { - // The keybag is locked. Attempt to unlock it... - secitemlog(LOG_WARNING, "SecItemUpdate triggering SecurityAgent"); - if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(1)) { - status_ios = SecItemChangeSynchronizability(attrs_ios, attributesToUpdate, false); - } - } } else { status_ios = SecItemUpdate_ios(attrs_ios, attributesToUpdate); - if(ShouldTryUnlockKeybag(query, status_ios)) { - // The keybag is locked. Attempt to unlock it... - secitemlog(LOG_WARNING, "SecItemUpdate triggering SecurityAgent"); - if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(1)) { - status_ios = SecItemUpdate_ios(attrs_ios, attributesToUpdate); - } - } } CFRelease(attrs_ios); } 
@@ -5035,13 +4966,6 @@ OSStatus SecItemUpdateTokenItems(CFTypeRef tokenID, CFArrayRef tokenItemsAttributes) { OSStatus status = SecItemUpdateTokenItems_ios(tokenID, tokenItemsAttributes); - if(ShouldTryUnlockKeybag(NULL, status)) { - // The keybag is locked. Attempt to unlock it... - if(errSecSuccess == SecKeychainVerifyKeyStorePassphrase(1)) { - secitemlog(LOG_WARNING, "SecItemUpdateTokenItems triggering SecurityAgent"); - status = SecItemUpdateTokenItems_ios(tokenID, tokenItemsAttributes); - } - } secitemlog(LOG_NOTICE, "SecItemUpdateTokenItems_ios result: %d", status); return status; } diff --git a/OSX/libsecurity_keychain/lib/SecKeychain.cpp b/OSX/libsecurity_keychain/lib/SecKeychain.cpp index c6427967..71485cdf 100644 --- a/OSX/libsecurity_keychain/lib/SecKeychain.cpp +++ b/OSX/libsecurity_keychain/lib/SecKeychain.cpp @@ -273,10 +273,12 @@ OSStatus SecKeychainResetLogin(UInt32 passwordLength, const void* password, Bool endpwent(); } if ( userName.length() == 0 ) // did we ultimately get one? + { MacOSError::throwMe(errAuthorizationInternal); + } SecurityServer::ClientSession().resetKeyStorePassphrase(password ? CssmData(const_cast(password), passwordLength) : CssmData()); - + secwarning("SecKeychainResetLogin: reset AKS passphrase"); if (password) { // Clear the plist and move aside (rename) the existing login.keychain @@ -295,11 +297,13 @@ OSStatus SecKeychainResetLogin(UInt32 passwordLength, const void* password, Bool // (implicitly calls resetKeychain, login, and defaultKeychain) globals().storageManager.makeLoginAuthUI(NULL, true); } + secwarning("SecKeychainResetLogin: reset osx keychain"); // Post a "list changed" event after a reset, so apps can refresh their list. // Make sure we are not holding mLock when we post this event. KCEventNotifier::PostKeychainEvent(kSecKeychainListChangedEvent); + END_SECAPI } diff --git a/OSX/libsecurity_keychain/lib/SecKeychainPriv.h b/OSX/libsecurity_keychain/lib/SecKeychainPriv.h index d504b4a1..0847e8d5 100644 
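Review bot: The two new `secwarning` records in `SecKeychainResetLogin` mark a credential reset but do not say whose, which limits their use when reconstructing events afterwards. `userName` is already resolved a few lines above the first message, so it could be included, e.g. `secwarning("SecKeychainResetLogin: reset AKS passphrase for %s", userName.c_str());` (assuming `userName` is a `std::string`, as `userName.length()` suggests), and likewise for the `reset osx keychain` message in the hunk at -295. The first message is also written when `password` is NULL and an empty `CssmData()` was passed, so the text could distinguish the two cases. Keeping the passphrase itself out of both messages, as the hunk does, is right. The function body starts before the first hunk.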
--- a/OSX/libsecurity_keychain/lib/SecKeychainPriv.h +++ b/OSX/libsecurity_keychain/lib/SecKeychainPriv.h @@ -114,8 +114,6 @@ OSStatus SecKeychainSystemKeychainCheckWouldDeadlock() __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); OSStatus SecKeychainStoreUnlockKey(SecKeychainRef userKeychainRef, SecKeychainRef systemKeychainRef, CFStringRef username, CFStringRef password) __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_NA); -OSStatus SecKeychainEraseUnlockKey(SecKeychainRef systemKeychainRef, CFStringRef username) - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_NA); /* Token login support */ OSStatus SecKeychainStoreUnlockKeyWithPubKeyHash(CFDataRef pubKeyHash, CFStringRef tokenID, CFDataRef wrapPubKeyHash, SecKeychainRef userKeychain, CFStringRef password) diff --git a/OSX/libsecurity_keychain/lib/SecPolicy.cpp b/OSX/libsecurity_keychain/lib/SecPolicy.cpp index f4d09996..35ec80ec 100644 --- a/OSX/libsecurity_keychain/lib/SecPolicy.cpp +++ b/OSX/libsecurity_keychain/lib/SecPolicy.cpp @@ -276,7 +276,7 @@ SecPolicyGetValue(SecPolicyRef policyRef, CSSM_DATA* value) (const void **)&name) && name) { break; } - if (CFDictionaryGetValueIfPresent(options, CFSTR("email") /*kSecPolicyCheckEmail*/, + if (CFDictionaryGetValueIfPresent(options, CFSTR("Email") /*kSecPolicyCheckEmail*/, (const void **)&name) && name) { break; } diff --git a/OSX/libsecurity_keychain/lib/SecRSAKeyP.h b/OSX/libsecurity_keychain/lib/SecRSAKeyP.h deleted file mode 100644 index c7fb515b..00000000 --- a/OSX/libsecurity_keychain/lib/SecRSAKeyP.h +++ /dev/null 
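Review bot: The key in `SecPolicyGetValue` is still a bare literal, `CFSTR("Email")`, with the constant it is meant to match named only in the trailing comment `/*kSecPolicyCheckEmail*/`; this commit corrects the case of that literal, which shows how the two can drift without a compile error. If the header that defines `kSecPolicyCheckEmail` can be included here, use the constant directly: `if (CFDictionaryGetValueIfPresent(options, kSecPolicyCheckEmail,`. If it cannot, add a comment above the lookup stating where the key string is defined and that a mismatch makes this branch silently never match. The loop around this lookup begins and ends outside the hunk.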
@@ -1,60 +0,0 @@ -/* - * Copyright (c) 2006-2008,2010-2012 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -/*! - @header SecRSAKey - The functions provided in SecRSAKey.h implement and manage a rsa - public or private key. -*/ - -#ifndef _SECURITY_SECRSAKEY_H_ -#define _SECURITY_SECRSAKEY_H_ - -#include -#include -#include - -#if defined(__cplusplus) -extern "C" { -#endif - -/* Given an RSA public key in encoded form return a SecKeyRef representing - that key. Supported encodings are kSecKeyEncodingPkcs1. */ -SecKeyRef SecKeyCreateRSAPublicKey(CFAllocatorRef allocator, - const uint8_t *keyData, CFIndex keyDataLength, - SecKeyEncoding encoding); - -CFDataRef SecKeyCopyModulus(SecKeyRef rsaPublicKey); -CFDataRef SecKeyCopyExponent(SecKeyRef rsaPublicKey); - -/* Given an RSA private key in encoded form return a SecKeyRef representing - that key. Supported encodings are kSecKeyEncodingPkcs1. 
*/ -SecKeyRef SecKeyCreateRSAPrivateKey(CFAllocatorRef allocator, - const uint8_t *keyData, CFIndex keyDataLength, - SecKeyEncoding encoding); - -#if defined(__cplusplus) -} -#endif - -#endif /* !_SECURITY_SECRSAKEY_H_ */ diff --git a/OSX/libsecurity_keychain/lib/SecTrust.cpp b/OSX/libsecurity_keychain/lib/SecTrust.cpp index 502d187f..a710f92a 100644 --- a/OSX/libsecurity_keychain/lib/SecTrust.cpp +++ b/OSX/libsecurity_keychain/lib/SecTrust.cpp @@ -21,6 +21,9 @@ * @APPLE_LICENSE_HEADER_END@ */ +#include +#include + #include "SecTrust.h" #include "SecTrustPriv.h" #include "Trust.h" @@ -189,8 +192,6 @@ static uint8_t convertCssmResultToPriority(CSSM_RETURN resultCode) { } } -#include -#include static bool isSoftwareUpdateDevelopment(SecTrustRef trust) { bool isPolicy = false, isEKU = false; CFArrayRef policies = NULL; diff --git a/OSX/libsecurity_keychain/lib/SecTrustOSXEntryPoints.cpp b/OSX/libsecurity_keychain/lib/SecTrustOSXEntryPoints.cpp index ffe7e3a1..f994ea1c 100644 --- a/OSX/libsecurity_keychain/lib/SecTrustOSXEntryPoints.cpp +++ b/OSX/libsecurity_keychain/lib/SecTrustOSXEntryPoints.cpp @@ -28,6 +28,12 @@ #include "SecTrustOSXEntryPoints.h" +#include +#include +#include +#include +#include + #include #include #include @@ -42,11 +48,6 @@ #include #include -#include -#include -#include -#include - void SecTrustLegacySourcesListenForKeychainEvents(void) { /* Register for CertificateTrustNotification */ @@ -229,6 +230,7 @@ static void async_ocspd_complete(async_ocspd_t *ocspd) { bool SecTrustLegacyCRLFetch(async_ocspd_t *ocspd, CFURLRef currCRLDP, CFAbsoluteTime verifyTime, SecCertificateRef cert, CFArrayRef chain) { + ocspd->start_time = mach_absolute_time(); dispatch_async(ocspd->queue, ^ { OSStatus status = fetchCRL(currCRLDP, verifyTime); switch (status) { diff --git a/OSX/libsecurity_keychain/lib/SecTrustSettings.cpp b/OSX/libsecurity_keychain/lib/SecTrustSettings.cpp index 8b25b2de..a59873d6 100644 --- a/OSX/libsecurity_keychain/lib/SecTrustSettings.cpp 
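Review bot: `ocspd->start_time = mach_absolute_time();` in `SecTrustLegacyCRLFetch` stores raw Mach ticks, and nothing at the assignment says so. Ticks are not nanoseconds on every machine, so whatever later subtracts from `start_time` has to scale with `mach_timebase_info` before the value is compared with a timeout or reported; the consumer is not in this diff. A comment on the line would make the contract visible: `/* mach ticks; convert with mach_timebase_info() before use as a duration */`. The function continues past the end of the hunk.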
+++ b/OSX/libsecurity_keychain/lib/SecTrustSettings.cpp @@ -433,7 +433,7 @@ static OSStatus tsCopyCertsCommon( static void tsAddConditionalCerts(CFMutableArrayRef certArray) { -#if TARGET_OS_MAC && !TARGET_IPHONE_SIMULATOR && !TARGET_OS_IPHONE && !TARGET_OS_NANO +#if TARGET_OS_OSX struct certmap_entry_s { CFStringRef bundleId; const UInt8* data; @@ -1079,10 +1079,8 @@ void SecTrustSettingsSetTrustedCertificateForSSLHost( Boolean hasPolicyConstraint = false; Boolean hasPolicyValue = false; Boolean policyConstraintChanged = false; - Boolean changed = false; CFIndex indexOfEntryWithAllowedErrorForExpiredCert = kCFNotFound; CFIndex indexOfEntryWithAllowedErrorForHostnameMismatch = kCFNotFound; - CFIndex indexOfEntryWithAllowedErrorNotSet = kCFNotFound; CFIndex i, count; int32_t trustSettingsResultCode = kSecTrustSettingsResultTrustAsRoot; OSStatus status = errSecSuccess; @@ -1166,11 +1164,9 @@ void SecTrustSettingsSetTrustedCertificateForSSLHost( indexOfEntryWithAllowedErrorForExpiredCert = i; } else if (eOld == CSSMERR_APPLETP_HOSTNAME_MISMATCH) { indexOfEntryWithAllowedErrorForHostnameMismatch = i; - } else if (eOld == CSSM_OK) { - indexOfEntryWithAllowedErrorNotSet = i; } if (trustSettingsResultCode != rOld) { - changed = policyConstraintChanged = true; // we are changing existing policy constraint's result + policyConstraintChanged = true; // we are changing existing policy constraint's result } } } diff --git a/OSX/libsecurity_keychain/lib/StorageManager.cpp b/OSX/libsecurity_keychain/lib/StorageManager.cpp index 810f4c11..0bd0760e 100644 --- a/OSX/libsecurity_keychain/lib/StorageManager.cpp +++ b/OSX/libsecurity_keychain/lib/StorageManager.cpp 
@@ -1382,7 +1382,7 @@ void StorageManager::login(UInt32 nameLength, const void *name, secnotice("KCLogin", "StorageManager::login: invalid argument (NULL uid)"); MacOSError::throwMe(errSecParam); } - char *userName = pw->pw_name; + std::string userName = pw->pw_name; // make keychain path strings std::string keychainPath = DLDbListCFPref::ExpandTildesInPath(kLoginKeychainPathPrefix); diff --git a/OSX/libsecurity_keychain/lib/TokenLogin.cpp b/OSX/libsecurity_keychain/lib/TokenLogin.cpp index 64b45fc9..f0ec1fef 100644 --- a/OSX/libsecurity_keychain/lib/TokenLogin.cpp +++ b/OSX/libsecurity_keychain/lib/TokenLogin.cpp @@ -122,8 +122,7 @@ static OSStatus privKeyForPubKeyHash(CFDictionaryRef context, SecKeyRef *privKey CFStringRef pin = getPin(context); if (pin) { - CFRef LAParams = makeCFDictionary(1, CFSTR("useDaemon"), kCFBooleanFalse); - CFRef LAContext = LACreateNewContextWithACMContext(LAParams.as(), error.take()); + CFRef LAContext = LACreateNewContextWithACMContext(NULL, error.take()); if (!LAContext) { secinfo("TokenLogin", "Failed to LA Context: %@", error.get()); return errSecParam; diff --git a/OSX/libsecurity_keychain/lib/certextensionsP.h b/OSX/libsecurity_keychain/lib/certextensionsP.h deleted file mode 100644 index 93cb28fa..00000000 --- a/OSX/libsecurity_keychain/lib/certextensionsP.h +++ /dev/null 
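Review bot: The switch to `std::string userName = pw->pw_name;` in `StorageManager::login` deserves a comment giving the reason, since the `char *` version looks equivalent at a glance. Presumably `pw` comes from a `getpw*()` call (not in the hunk), whose result points into storage that a later lookup may overwrite, so the copy keeps the name stable; something like `// copy: pw's storage can be reused by a later getpw*() call`. Constructing a `std::string` from a NULL `pw_name` is undefined, so a guard such as `if (pw->pw_name == NULL) MacOSError::throwMe(errSecParam);` before this line would match the NULL-uid check just above. Later uses of `userName` are outside the hunk; any that pass it to a `%s` format now need `userName.c_str()`.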
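Review bot: The new call `LACreateNewContextWithACMContext(NULL, error.take())` in `privKeyForPubKeyHash` drops the `useDaemon = false` option with no explanation at the call site, in code that sits directly under `getPin(context)`. A reader cannot tell from the line whether NULL means defaults or whether the option no longer exists. I would add a comment such as `// NULL: no parameters; the former useDaemon=false option is intentionally not passed`, worded to match the function's declaration, which is not part of this diff. The function starts before and continues after the hunk.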
@@ -1,546 +0,0 @@ -/* - * Copyright (c) 2000-2009,2011 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - * - * CertExtensions.h -- X.509 Cert Extensions as C structs - */ - -#ifndef _CERT_EXTENSIONS_H_ -#define _CERT_EXTENSIONS_H_ - -#include -#include -//#include - -/*** - *** Structs for declaring extension-specific data. - ***/ - -/* - * GeneralName, used in AuthorityKeyID, SubjectAltName, and - * IssuerAltName. - * - * For now, we just provide explicit support for the types which are - * represented as IA5Strings, OIDs, and octet strings. Constructed types - * such as EDIPartyName and x400Address are not explicitly handled - * right now and must be encoded and decoded by the caller. (See exception - * for Name and OtherName, below). In those cases the SecCEGeneralName.name.Data field - * represents the BER contents octets; SecCEGeneralName.name.Length is the - * length of the contents; the tag of the field is not needed - the BER - * encoding uses context-specific implicit tagging. The berEncoded field - * is set to true in these case. 
Simple types have berEncoded = false. - * - * In the case of a GeneralName in the form of a Name, we parse the Name - * into a CSSM_X509_NAME and place a pointer to the CSSM_X509_NAME in the - * SecCEGeneralName.name.Data field. SecCEGeneralName.name.Length is set to - * sizeof(CSSM_X509_NAME). In this case berEncoded is false. - * - * In the case of a GeneralName in the form of a OtherName, we parse the fields - * into a SecCEOtherName and place a pointer to the SecCEOtherName in the - * SecCEGeneralName.name.Data field. SecCEGeneralName.name.Length is set to - * sizeof(SecCEOtherName). In this case berEncoded is false. - * - * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName - * - * GeneralName ::= CHOICE { - * otherName [0] OtherName - * rfc822Name [1] IA5String, - * dNSName [2] IA5String, - * x400Address [3] ORAddress, - * directoryName [4] Name, - * ediPartyName [5] EDIPartyName, - * uniformResourceIdentifier [6] IA5String, - * iPAddress [7] OCTET STRING, - * registeredID [8] OBJECT IDENTIFIER} - * - * OtherName ::= SEQUENCE { - * type-id OBJECT IDENTIFIER, - * value [0] EXPLICIT ANY DEFINED BY type-id } - * - * EDIPartyName ::= SEQUENCE { - * nameAssigner [0] DirectoryString OPTIONAL, - * partyName [1] DirectoryString } - */ -typedef enum { - GNT_OtherName = 0, - GNT_RFC822Name, - GNT_DNSName, - GNT_X400Address, - GNT_DirectoryName, - GNT_EdiPartyName, - GNT_URI, - GNT_IPAddress, - GNT_RegisteredID -} SecCEGeneralNameType; - -typedef struct { - DERItem typeId; - DERItem value; // unparsed, BER-encoded -} SecCEOtherName; - -typedef struct { - SecCEGeneralNameType nameType; // GNT_RFC822Name, etc. 
- bool berEncoded; - DERItem name; -} SecCEGeneralName; - -typedef struct { - uint32_t numNames; - SecCEGeneralName *generalName; -} SecCEGeneralNames; - -/* - * id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 } - * - * AuthorityKeyIdentifier ::= SEQUENCE { - * keyIdentifier [0] KeyIdentifier OPTIONAL, - * authorityCertIssuer [1] GeneralNames OPTIONAL, - * authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } - * - * KeyIdentifier ::= OCTET STRING - * - * CSSM OID = CSSMOID_AuthorityKeyIdentifier - */ -typedef struct { - bool keyIdentifierPresent; - DERItem keyIdentifier; - bool generalNamesPresent; - SecCEGeneralNames *generalNames; - bool serialNumberPresent; - DERItem serialNumber; -} SecCEAuthorityKeyID; - -/* - * id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 14 } - * SubjectKeyIdentifier ::= KeyIdentifier - * - * CSSM OID = CSSMOID_SubjectKeyIdentifier - */ -typedef DERItem SecCESubjectKeyID; - -/* - * id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 } - * - * KeyUsage ::= BIT STRING { - * digitalSignature (0), - * nonRepudiation (1), - * keyEncipherment (2), - * dataEncipherment (3), - * keyAgreement (4), - * keyCertSign (5), - * cRLSign (6), - * encipherOnly (7), - * decipherOnly (8) } - * - * CSSM OID = CSSMOID_KeyUsage - * - */ -typedef uint16_t SecCEKeyUsage; - -#define SecCEKU_DigitalSignature 0x8000 -#define SecCEKU_NonRepudiation 0x4000 -#define SecCEKU_KeyEncipherment 0x2000 -#define SecCEKU_DataEncipherment 0x1000 -#define SecCEKU_KeyAgreement 0x0800 -#define SecCEKU_KeyCertSign 0x0400 -#define SecCEKU_CRLSign 0x0200 -#define SecCEKU_EncipherOnly 0x0100 -#define SecCEKU_DecipherOnly 0x0080 - -/* - * id-ce-cRLReason OBJECT IDENTIFIER ::= { id-ce 21 } - * - * -- reasonCode ::= { CRLReason } - * - * CRLReason ::= ENUMERATED { - * unspecified (0), - * keyCompromise (1), - * cACompromise (2), - * affiliationChanged (3), - * superseded (4), - * cessationOfOperation (5), - * certificateHold (6), - * removeFromCRL (8) } - * 
- * CSSM OID = CSSMOID_CrlReason - * - */ -typedef uint32_t SecCECrlReason; - -#define SecCECR_Unspecified 0 -#define SecCECR_KeyCompromise 1 -#define SecCECR_CACompromise 2 -#define SecCECR_AffiliationChanged 3 -#define SecCECR_Superseded 4 -#define SecCECR_CessationOfOperation 5 -#define SecCECR_CertificateHold 6 -#define SecCECR_RemoveFromCRL 8 - -/* - * id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 } - * - * SubjectAltName ::= GeneralNames - * - * CSSM OID = CSSMOID_SubjectAltName - * - * GeneralNames defined above. - */ - -/* - * id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37} - * - * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId* - * - * KeyPurposeId ::= OBJECT IDENTIFIER - * - * CSSM OID = CSSMOID_ExtendedKeyUsage - */ -typedef struct { - uint32_t numPurposes; - DERItem *purposes; // in Intel pre-encoded format -} SecCEExtendedKeyUsage; - -/* - * id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } - * - * BasicConstraints ::= SEQUENCE { - * cA BOOLEAN DEFAULT FALSE, - * pathLenConstraint INTEGER (0..MAX) OPTIONAL } - * - * CSSM OID = CSSMOID_BasicConstraints - */ -typedef struct { - bool present; - bool critical; - bool isCA; - bool pathLenConstraintPresent; - uint32_t pathLenConstraint; -} SecCEBasicConstraints; - -typedef struct { - bool present; - bool critical; - bool requireExplicitPolicyPresent; - uint32_t requireExplicitPolicy; - bool inhibitPolicyMappingPresent; - uint32_t inhibitPolicyMapping; -} SecCEPolicyConstraints; - -/* - * id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 } - * - * certificatePolicies ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation - * - * PolicyInformation ::= SEQUENCE { - * policyIdentifier CertPolicyId, - * policyQualifiers SEQUENCE SIZE (1..MAX) OF - * PolicyQualifierInfo OPTIONAL } - * - * CertPolicyId ::= OBJECT IDENTIFIER - * - * PolicyQualifierInfo ::= SEQUENCE { - * policyQualifierId PolicyQualifierId, - * qualifier ANY DEFINED BY policyQualifierId } - * - * -- 
policyQualifierIds for Internet policy qualifiers - * - * id-qt OBJECT IDENTIFIER ::= { id-pkix 2 } - * id-qt-cps OBJECT IDENTIFIER ::= { id-qt 1 } - * id-qt-unotice OBJECT IDENTIFIER ::= { id-qt 2 } - * - * PolicyQualifierId ::= - * OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice ) - * - * Qualifier ::= CHOICE { - * cPSuri CPSuri, - * userNotice UserNotice } - * - * CPSuri ::= IA5String - * - * UserNotice ::= SEQUENCE { - * noticeRef NoticeReference OPTIONAL, - * explicitText DisplayText OPTIONAL} - * - * NoticeReference ::= SEQUENCE { - * organization DisplayText, - * noticeNumbers SEQUENCE OF INTEGER } - * - * DisplayText ::= CHOICE { - * visibleString VisibleString (SIZE (1..200)), - * bmpString BMPString (SIZE (1..200)), - * utf8String UTF8String (SIZE (1..200)) } - * - * CSSM OID = CSSMOID_CertificatePolicies - * - * We only support down to the level of Qualifier, and then only the CPSuri - * choice. UserNotice is transmitted to and from this library as a raw - * CSSM_DATA containing the BER-encoded UserNotice sequence. 
- */ -#if 0 -typedef struct { - DERItem policyQualifierId; // CSSMOID_QT_CPS, CSSMOID_QT_UNOTICE - DERItem qualifier; // CSSMOID_QT_CPS: IA5String contents - // CSSMOID_QT_UNOTICE : Sequence contents -} SecCEPolicyQualifierInfo; -#endif - -typedef struct { - DERItem policyIdentifier; - DERItem policyQualifiers; -} SecCEPolicyInformation; - -typedef struct { - bool present; - bool critical; - uint32_t numPolicies; // size of *policies; - SecCEPolicyInformation *policies; -} SecCECertificatePolicies; - -typedef struct { - DERItem issuerDomainPolicy; - DERItem subjectDomainPolicy; -} SecCEPolicyMapping; - -/* - PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { - issuerDomainPolicy CertPolicyId, - subjectDomainPolicy CertPolicyId } -*/ -typedef struct { - bool present; - bool critical; - uint32_t numMappings; // size of *mappings; - SecCEPolicyMapping *mappings; -} SecCEPolicyMappings; - -#if 0 -typedef struct { - bool present; - bool critical; - uint32_t skipCerts; -} SecCEInhibitAnyPolicy; - -/* - * netscape-cert-type, a bit string. - * - * CSSM OID = CSSMOID_NetscapeCertType - * - * Bit fields defined in oidsattr.h: SecCENCT_SSL_Client, etc. - */ -typedef uint16_t SecCENetscapeCertType; - -/* - * CRLDistributionPoints. - * - * id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= { id-ce 31 } - * - * cRLDistributionPoints ::= { - * CRLDistPointsSyntax } - * - * CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint - * - * NOTE: RFC 2459 claims that the tag for the optional DistributionPointName - * is IMPLICIT as shown here, but in practice it is EXPLICIT. It has to be - - * because the underlying type also uses an implicit tag for distinguish - * between CHOICEs. 
- * - * DistributionPoint ::= SEQUENCE { - * distributionPoint [0] DistributionPointName OPTIONAL, - * reasons [1] ReasonFlags OPTIONAL, - * cRLIssuer [2] GeneralNames OPTIONAL } - * - * DistributionPointName ::= CHOICE { - * fullName [0] GeneralNames, - * nameRelativeToCRLIssuer [1] RelativeDistinguishedName } - * - * ReasonFlags ::= BIT STRING { - * unused (0), - * keyCompromise (1), - * cACompromise (2), - * affiliationChanged (3), - * superseded (4), - * cessationOfOperation (5), - * certificateHold (6) } - * - * CSSM OID = CSSMOID_CrlDistributionPoints - */ - -/* - * Note that this looks similar to SecCECrlReason, but that's an enum and this - * is an OR-able bit string. - */ -typedef uint8_t SecCECrlDistReasonFlags; - -#define SecCECD_Unspecified 0x80 -#define SecCECD_KeyCompromise 0x40 -#define SecCECD_CACompromise 0x20 -#define SecCECD_AffiliationChanged 0x10 -#define SecCECD_Superseded 0x08 -#define SecCECD_CessationOfOperation 0x04 -#define SecCECD_CertificateHold 0x02 - -typedef enum { - SecCECDNT_FullName, - SecCECDNT_NameRelativeToCrlIssuer -} SecCECrlDistributionPointNameType; - -typedef struct { - SecCECrlDistributionPointNameType nameType; - union { - SecCEGeneralNames *fullName; - CSSM_X509_RDN_PTR rdn; - } dpn; -} SecCEDistributionPointName; - -/* - * The top-level CRLDistributionPoint. - * All fields are optional; NULL pointers indicate absence. - */ -typedef struct { - SecCEDistributionPointName *distPointName; - bool reasonsPresent; - SecCECrlDistReasonFlags reasons; - SecCEGeneralNames *crlIssuer; -} SecCECRLDistributionPoint; - -typedef struct { - uint32_t numDistPoints; - SecCECRLDistributionPoint *distPoints; -} SecCECRLDistPointsSyntax; - -/* - * Authority Information Access and Subject Information Access. 
- * - * CSSM OID = CSSMOID_AuthorityInfoAccess - * CSSM OID = CSSMOID_SubjectInfoAccess - * - * SubjAuthInfoAccessSyntax ::= - * SEQUENCE SIZE (1..MAX) OF AccessDescription - * - * AccessDescription ::= SEQUENCE { - * accessMethod OBJECT IDENTIFIER, - * accessLocation GeneralName } - */ -typedef struct { - DERItem accessMethod; - SecCEGeneralName accessLocation; -} SecCEAccessDescription; - -typedef struct { - uint32_t numAccessDescriptions; - SecCEAccessDescription *accessDescriptions; -} SecCEAuthorityInfoAccess; - -/*** CRL extensions ***/ - -/* - * cRLNumber, an integer. - * - * CSSM OID = CSSMOID_CrlNumber - */ -typedef uint32_t SecCECrlNumber; - -/* - * deltaCRLIndicator, an integer. - * - * CSSM OID = CSSMOID_DeltaCrlIndicator - */ -typedef uint32_t SecCEDeltaCrl; - -/* - * IssuingDistributionPoint - * - * id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= { id-ce 28 } - * - * issuingDistributionPoint ::= SEQUENCE { - * distributionPoint [0] DistributionPointName OPTIONAL, - * onlyContainsUserCerts [1] BOOLEAN DEFAULT FALSE, - * onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE, - * onlySomeReasons [3] ReasonFlags OPTIONAL, - * indirectCRL [4] BOOLEAN DEFAULT FALSE } - * - * CSSM OID = CSSMOID_IssuingDistributionPoint - */ -typedef struct { - SecCEDistributionPointName *distPointName; // optional - bool onlyUserCertsPresent; - bool onlyUserCerts; - bool onlyCACertsPresent; - bool onlyCACerts; - bool onlySomeReasonsPresent; - SecCECrlDistReasonFlags onlySomeReasons; - bool indirectCrlPresent; - bool indirectCrl; -} SecCEIssuingDistributionPoint; - -/* - * An enumerated list identifying one of the above per-extension - * structs. 
- */ -typedef enum { - DT_AuthorityKeyID, // SecCEAuthorityKeyID - DT_SubjectKeyID, // SecCESubjectKeyID - DT_KeyUsage, // SecCEKeyUsage - DT_SubjectAltName, // implies SecCEGeneralName - DT_IssuerAltName, // implies SecCEGeneralName - DT_ExtendedKeyUsage, // SecCEExtendedKeyUsage - DT_BasicConstraints, // SecCEBasicConstraints - DT_CertPolicies, // SecCECertPolicies - DT_NetscapeCertType, // SecCENetscapeCertType - DT_CrlNumber, // SecCECrlNumber - DT_DeltaCrl, // SecCEDeltaCrl - DT_CrlReason, // SecCECrlReason - DT_CrlDistributionPoints, // SecCECRLDistPointsSyntax - DT_IssuingDistributionPoint,// SecCEIssuingDistributionPoint - DT_AuthorityInfoAccess, // SecCEAuthorityInfoAccess - DT_Other // unknown, raw data as a CSSM_DATA -} SecCEDataType; - -/* - * One unified representation of all the cert adn CRL extensions we know about. - */ -typedef union { - SecCEAuthorityKeyID authorityKeyID; - SecCESubjectKeyID subjectKeyID; - SecCEKeyUsage keyUsage; - SecCEGeneralNames subjectAltName; - SecCEGeneralNames issuerAltName; - SecCEExtendedKeyUsage extendedKeyUsage; - SecCEBasicConstraints basicConstraints; - SecCECertPolicies certPolicies; - SecCENetscapeCertType netscapeCertType; - SecCECrlNumber crlNumber; - SecCEDeltaCrl deltaCrl; - SecCECrlReason crlReason; - SecCECRLDistPointsSyntax crlDistPoints; - SecCEIssuingDistributionPoint issuingDistPoint; - SecCEAuthorityInfoAccess authorityInfoAccess; - DERItem rawData; // unknown, not decoded -} SecCEData; - -typedef struct { - SecCEDataType type; - SecCEData extension; - bool critical; -} SecCEDataAndType; -#endif /* 0 */ - -#endif /* _CERT_EXTENSIONS_H_ */ diff --git a/OSX/libsecurity_keychain/libDER/.gitignore b/OSX/libsecurity_keychain/libDER/.gitignore deleted file mode 100644 index 35cfb4d3..00000000 --- a/OSX/libsecurity_keychain/libDER/.gitignore +++ /dev/null @@ -1,3 +0,0 @@ -.DS_Store -xcuserdata -project.xcworkspace 
diff --git a/OSX/libsecurity_keychain/libDER/README.txt b/OSX/libsecurity_keychain/libDER/README.txt deleted file mode 100644 index e3e6fb18..00000000 --- a/OSX/libsecurity_keychain/libDER/README.txt +++ /dev/null @@ -1,34 +0,0 @@ - libDER Library Notes - Last update to this file Jan. 26 2006 by dmitch - -This module is a very lightweight implementation of a DER encoder and -decoder. Unlike most other DER packages, this one does no malloc or -copies when it encodes or decodes; decoding an item yields a pointer -and a byte count which refer to memory inside of the "thing" being -decoded. Likewise, when encoding, the caller mustsupply a target buffer -to which the encoded item is written. - -Support for encoding sequences and for decoding sequences and sets of -known items is also included; when you decode a sequence, you get a -sequence of pointers and byte counts - again, no mallocs or copies occur. - -The directory libDER contains the DER decoding library proper. The main -API is in DER_Decode.h. Support for RSA keys, X509 certs, X509 CRLs, and -miscellaneous OIDs can also be found in libDER. - -Command line programs to parse and display the contents of X509 certificates -and CRLs, using libDER, can be found in the Tests directory. - -Revision History ----------------- - - Date svk tag Changes --------- ----------- ---------------------------------------- -01/26/06 libDER-5 Avoid varargs macros for portability. -01/03/06 libDER-4 Initial distribution in RSACertLib. -12/23/05 libDER-3 Fix DER_DECODE_ENABLE ifdef for DER_Decode.c. - Add MD2, MD5 OID and DigestInfo capabilities. -12/13/05 libDER-2 Added Apple Custom RSA public key formats. - Added PKCS1 RSA private keys. -11/28/05 libDER-1 Initial tag. - 
diff --git a/OSX/libsecurity_keychain/libDER/Tests/certsCrls/EndCertificateCP.01.01.crt b/OSX/libsecurity_keychain/libDER/Tests/certsCrls/EndCertificateCP.01.01.crt deleted file mode 100644 index d7e64d6de14e15ff446e6b7579cd0e13aeaf6a06..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 650 zcmXqLVrnyJVtl`VnTe5!iILHOmyJ`a&7D}zCtA-4f18*?ZNn=n&ou%U#3 z7>L6q%pa;3tf%0fUzS>wmz$bbV#s5_1(M+wW_HPUF%&T1gYeixQj1G6^U@7P4TM1= z%)&e&MWw|h3XXZn8Tmy9a^k#}76yg}hK5E!(jZEl*94hskU%Z_#SKIu_Va}nrxqFN zItS<(7y^+&<9uX4GqN%;H}*0ZG-En=&qMl=y$p-FYc<<-9enI@TiB|#Se%Zw+KSb$T%LE_ aS^9zF(~m_J>$YY#Tnj&^;=NrcehvVq6xFu? diff --git a/OSX/libsecurity_keychain/libDER/Tests/certsCrls/Test_CRL_CA1.crl b/OSX/libsecurity_keychain/libDER/Tests/certsCrls/Test_CRL_CA1.crl deleted file mode 100644 index 66510d35b13488f0820a1d30d841c1e0f7c7a6d8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 483 zcmXqLV!UtAc*1~}jZ>@5qwPB{BO?ndgF(I_w*e;`b0`a&FjGpZp@M-Nh{Gi;?wMDd znp|3x8j@OE;+$Gkl9`s7oLG`-C~hDMQo$_D=ayfj0Fo_M@XyPsG*mTEh8xYvC?=K( zHNc?+s74RQ6X!KBG_WuH?ZRNj>XHs_NwKHo44_`1|vlwsfN7dMjI z+_>yMmD_*ru*p-pa@3^tW3+{T;Pa;5thL|!jl1-&z22=SlJ0&wPccfsf9ZBtO_z-< zjxJ|E{fy+ZVgDi_xM}**wkVxtF;#0;Y1>>(yZ+oe`}2IKX}4zY&Y2~``tL_0Ba1<` zT5HnPoq4m^Ryt1xS8`~!piSGIl5uXiZ00h}6 diff --git a/OSX/libsecurity_keychain/libDER/Tests/certsCrls/Test_CRL_CA1.crl.pem b/OSX/libsecurity_keychain/libDER/Tests/certsCrls/Test_CRL_CA1.crl.pem deleted file mode 100644 index 6a4ed3f1..00000000 --- a/OSX/libsecurity_keychain/libDER/Tests/certsCrls/Test_CRL_CA1.crl.pem +++ /dev/null 
@@ -1,13 +0,0 @@ ------BEGIN X509 CRL----- -MIIB3zCByDANBgkqhkiG9w0BAQQFADBvMQswCQYDVQQGEwJkZTEgMB4GA1UEChMX -SW5zZWN1cmVUZXN0Q2VydGlmaWNhdGUxFzAVBgNVBAMTDkZvciBUZXN0cyBPbmx5 -MSUwIwYJKoZIhvcNAQkBFhZpbnNlY3VyZUB0ZXN0Lmluc2VjdXJlFw0wMTA4MTcx -MTEyMDNaFw0wNjA4MTYxMTEyMDNaMCgwEgIBAxcNMDEwODE3MTExMDM5WjASAgEF -Fw0wMTA4MTcxMTExNTlaMA0GCSqGSIb3DQEBBAUAA4IBAQB47lMVCKlPoBAgLway -76eNRq1749jt/7g/Ouh06isNM66/CgzVL2xKSC3s2FX4xKg320niWI6Dvm4H3M6I -7RvuoCvZBVpu1MA8z2No89g2UPWlSxUAvuvo2GOGRgo+8nc/84g8biLUxTSF8Vs4 -T1Hngo1qrfePM4ou1uu7LhRnR8tuIVoQT6W3RSlEsQRBRM3y+VkOPAf0GBGyl6WG -WiymXHqsqis80WbX50tr859Cltqbu2yaFAX++IEBBDB7JoVi1blumgarqfXYkoUW -n9d3F8qySNjsfhOV613fXpmfXFZ33uTFsLSoihP8f6+Cusx2rfuGap7jOPv7j7sj -l2Y1 ------END X509 CRL----- diff --git a/OSX/libsecurity_keychain/libDER/Tests/certsCrls/TrustAnchorCP.01.01.crt b/OSX/libsecurity_keychain/libDER/Tests/certsCrls/TrustAnchorCP.01.01.crt deleted file mode 100644 index d7dfd9d48f0460a72466c63c92a3ca4f8ce85c70..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 624 zcmXqLV#+aSV!XP5nTe5!iJ7r&z5y>Ar&gOs+jm|@Mpjk^gE&KO15P&PP!={}rqEzR z2?H?@hfA10R4-Uh!9Bk$wJ0w)HLt{w$AAkY!!6A0lJ8^^Tkg-6(V)r2(@D`ahOZ->w_RB(EIHoIWyO8^g zqMcjA8s1e*m5}<9T%cw-TT-E=cXv|!eVv82f21#1?Y?nF+DvHC>a}*y9tLeG6&8G> ZK6P30`O9a%_}$pGW9`~AQmM>;VeC7F5YhN1?-AQ5I^o{*x_ z;t~bNyyT4hB5__zO9Mj#Lqj7VX%HpOYhr=KHBd58U}989Qe*&BWB{>BR+NRAi;;1G zvVkJlYFQB$W{?L!*2pTe02MWGte*Ay=b`5z{b;^oZfs=W-kFuozF1Xsx6_~F*W-T| zwsYUxHmBi?`<*XS{yl$xVyAVMNZn6q_pCkpBOk1Hy|a1Fjt&ccNj43=sH^^~4i{~> z`8#5lyhCf$?=Oe%+Apm>9Ku_Zm$R{WNiI&Ts22MIDp6 Tx^k7bFjlxZtkivWmP-r(p|o-l 
diff --git a/OSX/libsecurity_keychain/libDER/Tests/certsCrls/apple_v3.000.cer b/OSX/libsecurity_keychain/libDER/Tests/certsCrls/apple_v3.000.cer deleted file mode 100644 index f8705ff171d6a7cc85eb214ef3603e6c6c90da36..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1158 zcmXqLVrepHVt&1VnTe5!Nx&uGnex}VV*ej8vhRLR&uKH@W#iOp^Jx3d%gD&e%3#pA z%TV4xmW?@-g-cj0EVU>zI5Ry@A*86ZxJ1D(wWK`1DBDonKoq2aTbK`~Ku5tdFImsf z*uW4Xp#_rwikGAo$8b7D?r zT7FSpW}=~xfdEL5U4+xQv>>&pBr`AHP}V>iB*rBo;#g3Sld9mHpIcB0^cd9N3I=i@ zX>Jj5h&060sU=|lW+tZ=!$U?yD*6u@t!)5jrwy7bOi64UVL}ys`(^8wzSPB=gfS=dF;rw zXGz%&RfSjeIGJ0GcqtPZepx7Xksh{hqkOR3zGqZ0XNVyvivM8%uK8c4BS8* zc@}#ETLbF_mJ7_=OfyPK3as??lZ$fD5&kNHWp`Dm8EcnWMl0G{wM@jXR;u zgR$+0D8^#RVvSFvx|eV&q{-G>BgqyCB*i(jeR*RE#q- zH!(d`KRq+e0BE}bI~%JuA2X8_i%9>|%TjG?di$~upKr*z;vu0^EvaXqDy9szBPTyS zAH@#+vSP3p$RyM}%?wNwjB)NZ@fQBRDIbl6FQ0Gt*)e&SOZA7n3DYcB94(VzT+STa zJ?Yl;RjtRj*G4pFc-;)Cs9*51|L7L0?KTSw9M&8<7QMG%!p>v0b)HZ59*mXZpT{-% z@A0bcIf;oTOlLCgYHRLk?yc%p+9_9Q6?N>^=Jo5j9mQ^4>N|Vzfb*Zt0^8LAnx%39 
diff --git a/OSX/libsecurity_keychain/libDER/Tests/certsCrls/apple_v3.001.cer b/OSX/libsecurity_keychain/libDER/Tests/certsCrls/apple_v3.001.cer deleted file mode 100644 index 1c84d8b541b4514e216e61d43a5e7f5644757ded..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 903 zcmXqLVs18QVtTWHnTe5!NkG-RtJT8k%;Sh3NAIpv%3ET<%f_kI=F#?@mywZ`mBAq1 zklTQhjX9KsO_(V(*ihU+6vW{Y<_k+L$_&m-&(l%x%uCiYG&e8>NpK76Ip-u67b_Sm z1e7M_WF{*F6lLZn7F8-ZrxulDre!84mSpDVDL9svWaJlRmQ)(ZiSt^T8<+qM0D~xT zUPD7e10xe7V^d30%P51!U54@ovJgwfV3sO`6qOd2DEOt8l;;;^!(7FU;VNSTLx`)i z;5t3?N>YpRz^+KlQ3y^gDoZU=aCTJCRe(C&(9^&jqRFAWyj%|`ommX@r(SY?uD)|X zFvz?4MFo0El?p+rX?hAio{mnQKAs_w3O*q&dK$@^mgWjD%M2RlBZns=D+6<5FM~m2 zCsSi1!;Pkf7uO`2YUNucEL9h!YCqh6h4u2DXJ*!`KKSHBZ+pJVrr0%f)5pE9raQfz zWx^$TWo67)2i3bb*$*0RD$O}^YWL!QVd{m>tCGJO*iF`W`s*X7_2=!rewN>3Jfn6T zl)b#E>tBJvRHxJbv;(`NY^;7N`A^uyv^;o@zsd8}ESswHnV1xVpxIw!3Sy+Gxl+8d8 zu8NTnDg=sBS$P(qLk!dws4P%wQvf*v=!WE?9MtG4NKQ1?1BxO?0x(fC14EyK@y(Nr zDa=kEi$5wavby*3*MN0jZ_UY*afGG6^^4vPr885{S{j{K{_?=-a!KPl>Ud3$k< z0;lf7Zx1C|EjHNl&#(V6kLgYuQ(K~+T72C6Npd_YOTJzx5I(PV*xA-oc3zWSQ2ZXd dV`-X?0_jh-?$Cip~rh2SPIdtD`1l`1qwyj61iSq>|yD3cUKt8 zWV?!;xM&m?_9KB2`D1F-s2E-5Ml>v$KSI>R_{WxM22PEN%#CbrQ}n&EF=pl;m)!H* z^L^iYp7-;8Va(`;G5XC>iX=#qc0AhVg6XD|wQ*1UN;*LpjRvSqa;Y%IL^abUhHUn7 zS#X6On3>d?uqsCtl?@}6tAb8Fo66XGdU{xN>r1J--V4OAAjuIH_Ez{r7*;?a3T`Zt z4pVhSDnr-0s~fmNn6HNvlg$ePQUYvXNyG|L7t{_fKMcZXptKk8feetEW|$~@>7=%O zuQ>OU&r_Jw{b0WB?BT7Qc^4X{KDp?e-!L$9-s2nGJaXdduI$yDVhf`=jfb{6#?38d zC+DV)j$Ae#IP005YWu$SZ{zgLxobyW>p1rOsmbnFI<&dGol>A?>gekWaqn1Dam~;p zA7u9JS(qOzdOT(Q&tGQmI<&+6_Qbm+MHq;&7`Y9`$gV_N1s0m7NaH9h!A%w1MX!eU z?zY(BZDZH;#BGDmG^Mo1Jw*J^jRc|VO&cJi>(|g}&}>RBF<}UkC<4Zapq>VFjCcYE zTkzAe2zY2TxPEEgwPok;?^F&%;_>zx%kYW)2m5|ZOOwu@>Ggd+H}hf1{J{fPXTSUF z{l{9zPW$Rdeglo$!^ejI(7x~l7Tz1rZXGf2s6Dmuv$}n0Uzfe{Vyo+$jM=JJ8~5&O d|K;0ZL*e=dR=j-LdT#po#WO$jfBdV~|1Teex4{4a 
diff --git a/OSX/libsecurity_keychain/libDER/Tests/certsCrls/entrust_v3.101.cer b/OSX/libsecurity_keychain/libDER/Tests/certsCrls/entrust_v3.101.cer deleted file mode 100644 index 4e45016bc65443725631e342046aeceff57a1183..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1244 zcmXqLV!2_^#NxPsnTe5!iN)OOlCuFX8>d#AN85K^Mn+av27|`KhTI06Y|No7Y{E>T z!Gd`TrU+NqwgFLtdNs zP?Vacr=XFOnVVTstdNtLn53s^sA`}L(JZ5ptf^pVX=$l|WVV72NO5Y4p_PFJNEx%R zA+l_6YI12&szPvTQCVt{f^%w7NoHDRa$-qlex8D3X-P(YQD#Y{ft)z6rKN$Xk*T4X zfu)H-lsK;;lxqy)4ijHC&P9$rMpg#q#%^E?wlg(0GMv?DHVKjL{LH`Je4^q1^@a&2 zSG?FHknwi@^T}o(xl(q!e`OK3S9bS3sxH~6#uHM++o5|?ewNVuJ(~+JH%QvMr&afu zYFygMbzkMyoNEDH$CYiW1WZN@mCPwDPO^nwKniww|2(ob|w0SVL{cvJrWMN@uVqgafO9CTTR-UDa zQ2@x{F=)KEpz-#C#v4l-uNpL78U|_5kk^14l73m7gM17PG#98ZP;FDrC@Cqh($~kx zHbFl6pp2!LT$E#=4GJ0o78L`f27XZXKuXAs{6+?_qzq2kU`u5ALBYz%W*`sJsmvl_ zAl4xAK|Dz~)OPcKE{5#i0WH%%zfHOzWgrVuz{euSf?b*iBrVLsYQW6M_}@ShQZ#(4 zWp`v?;W6NnW(hOVGhk+7nSh+`fTadAFu_f@W5Dz)rR30ZuBA1Ky(Z!-e!KJiSFPz4 z=KB3)#@6>eKaL9UexJ1OV!p6|nTe5!NkCG+AdZvE*muU_pq-fl*EbvRvTfHT%zEYT2h{0lx-+(APQ2zEzAc~prhcKm#k-K zY+wkH(1J+-#Y<9)@)Aoj^YapO6oONW%2JCIoE;T(6`XSti;ESE4LuFqA(|Y@%ggnE z(wW6TEA^7|bM>7Af%ePKkNhFd=Rcj^y&Bg3JN~bGXMvv_evg za*Gx6(-caJQxy_R6fpc$RFJ3ubhd$kp`3vX$Y^E}(ZuBB{L;LVVk5om)XF5F9U$Ku zG|oqk97a|K=Eh!N1a&esHZttomA~rk;%weIHP_QO+&ABGvxVngOHYHn6#td}-rs-x zDhq8C6lO+scIh^~_*&6jecCIvQDv1WQ|||-(DqP{+BiRxk58ZO>^Z*d>Y}R7b9SKu z0V)4(Pl&g@pthr;TdelLbk$HJ%?+aFX^S5Ie)8btn_dY{Q}>-Nx((lEMyd0iWnyMz zU|ih9SZUD2SPBkOSz#6?0|sz_%JQ?YFf*|(FmMCEu%$cc;zu^7pD`i*j|WoWw0W!)&(72{48K_;Wc_TsCc~ z-!*0Zb$zdUS&Z~2YApC?zIVNW;iPo0ALsi&U1Bzr*wk^{e3I8nztXq|-9275a)sSF g5i$pa)IFOPUcB6LA*J|n>Dg^x)Z-U3pA4J<0O4j`UH||9 
diff --git a/OSX/libsecurity_keychain/libDER/Tests/certsCrls/keybank_v3.101.cer b/OSX/libsecurity_keychain/libDER/Tests/certsCrls/keybank_v3.101.cer deleted file mode 100644 index 1c84d8b541b4514e216e61d43a5e7f5644757ded..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 903 zcmXqLVs18QVtTWHnTe5!NkG-RtJT8k%;Sh3NAIpv%3ET<%f_kI=F#?@mywZ`mBAq1 zklTQhjX9KsO_(V(*ihU+6vW{Y<_k+L$_&m-&(l%x%uCiYG&e8>NpK76Ip-u67b_Sm z1e7M_WF{*F6lLZn7F8-ZrxulDre!84mSpDVDL9svWaJlRmQ)(ZiSt^T8<+qM0D~xT zUPD7e10xe7V^d30%P51!U54@ovJgwfV3sO`6qOd2DEOt8l;;;^!(7FU;VNSTLx`)i z;5t3?N>YpRz^+KlQ3y^gDoZU=aCTJCRe(C&(9^&jqRFAWyj%|`ommX@r(SY?uD)|X zFvz?4MFo0El?p+rX?hAio{mnQKAs_w3O*q&dK$@^mgWjD%M2RlBZns=D+6<5FM~m2 zCsSi1!;Pkf7uO`2YUNucEL9h!YCqh6h4u2DXJ*!`KKSHBZ+pJVrr0%f)5pE9raQfz zWx^$TWo67)2i3bb*$*0RD$O}^YWL!QVd{m>tCGJO*iF`W`s*X7_2=!rewN>3Jfn6T zl)b#E>tBJvRHxJbv;(`NY^;7N`A^uyv^;o@zsd8}ESswHnV1xVpxIw!3Sy+Gxl+8d8 zu8NTnDg=sBS$P(qLk!dws4P%wQvf*v=!WE?9MtG4NKQ1?1BxO?0x(fC14EyK@y(Nr zDa=kEi$5wavby*3*MN0jZ_UY*afGG6^^4vPr885{S{j{K{_?=-a!KPl>Ud3$k< z0;lf7Zx1C|EjHNl&#(V6kLgYuQ(K~+T72C6Npd_YOTJzx5I(PV*xA-oc3zWSQ2ZXd dV`-Xm?<>aP~1Qi#NiU=3rj7^49-l?(^2ruOV%?qH!uZBa0}}>=Oh*vD;O&TlqTh5 zCMyIKW#%RpRVp~A7L{bCWhN(#8@*@)h;-ChwfZuu8f1+M3oy$*#wX)X#kJIaXSD z$@0Cw(}&XgToaD&+;(5>tbZ!5#&^m@-|{ai zOz}z8Ys_$6&cw{fz=-TTV3aTe-L>0CNc+5w8iT)x@ZDv<|8NPm^nBKkNuQ)&v+d}w z`yXCR-6Pwdqq8FLO!18+2ZBHNT~j+y#u(l>DNga@#f|@;Ur>xVn<@U-MP`nqi)Clb zojDBrVZBT<-!7Wq>hol`z!KXJM$CL4&;59DGO*`a()?%h57cfinsd_3Dto@)ivKCR FDFB5J(X9Xg diff --git a/OSX/libsecurity_keychain/libDER/libDER/DER_CertCrl.c b/OSX/libsecurity_keychain/libDER/libDER/DER_CertCrl.c deleted file mode 100644 index d971650b..00000000 --- a/OSX/libsecurity_keychain/libDER/libDER/DER_CertCrl.c +++ /dev/null 
@@ -1,370 +0,0 @@ -/* - * Copyright (c) 2005-2009,2011,2014 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - - -/* - * DER_Cert.c - support for decoding X509 certificates - * - */ - -#include -#include -#include -#include - -/* - * DERItemSpecs for X509 certificates. 
- */ - -/* top level cert with three components */ -const DERItemSpec DERSignedCertCrlItemSpecs[] = -{ - { DER_OFFSET(DERSignedCertCrl, tbs), - ASN1_CONSTR_SEQUENCE, - DER_DEC_NO_OPTS | DER_DEC_SAVE_DER}, - { DER_OFFSET(DERSignedCertCrl, sigAlg), - ASN1_CONSTR_SEQUENCE, - DER_DEC_NO_OPTS }, - { DER_OFFSET(DERSignedCertCrl, sig), - ASN1_BIT_STRING, - DER_DEC_NO_OPTS } -}; - -const DERSize DERNumSignedCertCrlItemSpecs = - sizeof(DERSignedCertCrlItemSpecs) / sizeof(DERItemSpec); - -/* TBS cert */ -const DERItemSpec DERTBSCertItemSpecs[] = -{ - { DER_OFFSET(DERTBSCert, version), - ASN1_CONSTRUCTED | ASN1_CONTEXT_SPECIFIC | 0, - DER_DEC_OPTIONAL }, /* version - EXPLICIT */ - { DER_OFFSET(DERTBSCert, serialNum), - ASN1_INTEGER, - DER_DEC_NO_OPTS }, - { DER_OFFSET(DERTBSCert, tbsSigAlg), - ASN1_CONSTR_SEQUENCE, - DER_DEC_NO_OPTS }, - { DER_OFFSET(DERTBSCert, issuer), - ASN1_CONSTR_SEQUENCE, - DER_DEC_NO_OPTS }, - { DER_OFFSET(DERTBSCert, validity), - ASN1_CONSTR_SEQUENCE, - DER_DEC_NO_OPTS }, - { DER_OFFSET(DERTBSCert, subject), - ASN1_CONSTR_SEQUENCE, - DER_DEC_NO_OPTS }, - { DER_OFFSET(DERTBSCert, subjectPubKey), - ASN1_CONSTR_SEQUENCE, - DER_DEC_NO_OPTS | DER_DEC_SAVE_DER | DER_ENC_WRITE_DER }, - /* libsecurity_asn1 has these two as CONSTRUCTED, but the ASN.1 spec - * doesn't look that way to me. I don't have any certs that have these - * fields.... 
*/
- { DER_OFFSET(DERTBSCert, issuerID),
- ASN1_CONTEXT_SPECIFIC | 1,
- DER_DEC_OPTIONAL },
- { DER_OFFSET(DERTBSCert, subjectID),
- ASN1_CONTEXT_SPECIFIC | 2,
- DER_DEC_OPTIONAL },
- { DER_OFFSET(DERTBSCert, extensions),
- ASN1_CONSTRUCTED | ASN1_CONTEXT_SPECIFIC | 3,
- DER_DEC_OPTIONAL }
-};
-const DERSize DERNumTBSCertItemSpecs = sizeof(DERTBSCertItemSpecs) / sizeof(DERItemSpec);
-
-/* DERValidity */
-const DERItemSpec DERValidityItemSpecs[] =
-{
- { DER_OFFSET(DERValidity, notBefore),
- 0, /* no tag - ANY */
- DER_DEC_ASN_ANY | DER_DEC_SAVE_DER },
- { DER_OFFSET(DERValidity, notAfter),
- 0, /* no tag - ANY */
- DER_DEC_ASN_ANY | DER_DEC_SAVE_DER }
-};
-const DERSize DERNumValidityItemSpecs =
- sizeof(DERValidityItemSpecs) / sizeof(DERItemSpec);
-
-/* DERAttributeTypeAndValue */
-const DERItemSpec DERAttributeTypeAndValueItemSpecs[] = {
- { DER_OFFSET(DERAttributeTypeAndValue, type),
- ASN1_OBJECT_ID,
- DER_DEC_NO_OPTS },
- { DER_OFFSET(DERAttributeTypeAndValue, value),
- 0, /* no tag - ANY */
- DER_DEC_ASN_ANY | DER_DEC_SAVE_DER }
-};
-
-const DERSize DERNumAttributeTypeAndValueItemSpecs =
- sizeof(DERAttributeTypeAndValueItemSpecs) / sizeof(DERItemSpec);
-
-/* DERExtension */
-const DERItemSpec DERExtensionItemSpecs[] =
-{
- { DER_OFFSET(DERExtension, extnID),
- ASN1_OBJECT_ID,
- DER_DEC_NO_OPTS },
- { DER_OFFSET(DERExtension, critical),
- ASN1_BOOLEAN,
- DER_DEC_OPTIONAL },
- { DER_OFFSET(DERExtension, extnValue),
- ASN1_OCTET_STRING,
- DER_DEC_NO_OPTS }
-};
-const DERSize DERNumExtensionItemSpecs =
- sizeof(DERExtensionItemSpecs) / sizeof(DERItemSpec);
-
-/* DERBasicConstraints */
-const DERItemSpec DERBasicConstraintsItemSpecs[] =
-{
- { DER_OFFSET(DERBasicConstraints, cA),
- ASN1_BOOLEAN,
- DER_DEC_OPTIONAL },
- { DER_OFFSET(DERBasicConstraints, pathLenConstraint),
- ASN1_INTEGER,
- DER_DEC_OPTIONAL }
-};
-const DERSize DERNumBasicConstraintsItemSpecs =
- sizeof(DERBasicConstraintsItemSpecs) / sizeof(DERItemSpec);
-
-/* DERNameConstraints. */
-const DERItemSpec DERNameConstraintsItemSpecs[] =
-{
- { DER_OFFSET(DERNameConstraints, permittedSubtrees),
- ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0,
- DER_DEC_OPTIONAL },
- { DER_OFFSET(DERNameConstraints, excludedSubtrees),
- ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 1,
- DER_DEC_OPTIONAL }
-};
-const DERSize DERNumNameConstraintsItemSpecs =
-sizeof(DERNameConstraintsItemSpecs) /sizeof(DERItemSpec);
-
-/* DERGeneralSubtree. */
-const DERItemSpec DERGeneralSubtreeItemSpecs[] =
-{
- { DER_OFFSET(DERGeneralSubtree, generalName),
- 0, /* no tag - ANY */
- DER_DEC_ASN_ANY | DER_DEC_SAVE_DER},
- { DER_OFFSET(DERGeneralSubtree, minimum),
- ASN1_CONTEXT_SPECIFIC | 0,
- DER_DEC_OPTIONAL},
- { DER_OFFSET(DERGeneralSubtree, maximum),
- ASN1_CONTEXT_SPECIFIC | 1,
- DER_DEC_OPTIONAL }
-};
-const DERSize DERNumGeneralSubtreeItemSpecs =
-sizeof(DERGeneralSubtreeItemSpecs) /sizeof(DERItemSpec);
-
-/* DERPrivateKeyUsagePeriod. */
-const DERItemSpec DERPrivateKeyUsagePeriodItemSpecs[] =
-{
- { DER_OFFSET(DERPrivateKeyUsagePeriod, notBefore),
- ASN1_CONTEXT_SPECIFIC | 0,
- DER_DEC_OPTIONAL },
- { DER_OFFSET(DERPrivateKeyUsagePeriod, notAfter),
- ASN1_CONTEXT_SPECIFIC | 1,
- DER_DEC_OPTIONAL }
-};
-const DERSize DERNumPrivateKeyUsagePeriodItemSpecs =
- sizeof(DERPrivateKeyUsagePeriodItemSpecs) / sizeof(DERItemSpec);
-
-/* DERDistributionPoint. */
-const DERItemSpec DERDistributionPointItemSpecs[] =
-{
- { DER_OFFSET(DERDistributionPoint, distributionPoint),
- ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0,
- DER_DEC_OPTIONAL },
- { DER_OFFSET(DERDistributionPoint, reasons),
- ASN1_CONTEXT_SPECIFIC | 1,
- DER_DEC_OPTIONAL },
- { DER_OFFSET(DERDistributionPoint, cRLIssuer),
- ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 2,
- DER_DEC_OPTIONAL }
-};
-const DERSize DERNumDistributionPointItemSpecs =
- sizeof(DERDistributionPointItemSpecs) / sizeof(DERItemSpec);
-
-/* DERPolicyInformation. */
-const DERItemSpec DERPolicyInformationItemSpecs[] =
-{
- { DER_OFFSET(DERPolicyInformation, policyIdentifier),
- ASN1_OBJECT_ID,
- DER_DEC_NO_OPTS },
- { DER_OFFSET(DERPolicyInformation, policyQualifiers),
- ASN1_CONSTR_SEQUENCE,
- DER_DEC_OPTIONAL }
-};
-const DERSize DERNumPolicyInformationItemSpecs =
- sizeof(DERPolicyInformationItemSpecs) / sizeof(DERItemSpec);
-
-/* DERPolicyQualifierInfo. */
-const DERItemSpec DERPolicyQualifierInfoItemSpecs[] =
-{
- { DER_OFFSET(DERPolicyQualifierInfo, policyQualifierID),
- ASN1_OBJECT_ID,
- DER_DEC_NO_OPTS },
- { DER_OFFSET(DERPolicyQualifierInfo, qualifier),
- 0, /* no tag - ANY */
- DER_DEC_ASN_ANY | DER_DEC_SAVE_DER }
-};
-const DERSize DERNumPolicyQualifierInfoItemSpecs =
- sizeof(DERPolicyQualifierInfoItemSpecs) / sizeof(DERItemSpec);
-
-/* DERUserNotice. */
-const DERItemSpec DERUserNoticeItemSpecs[] =
-{
- { DER_OFFSET(DERUserNotice, noticeRef),
- ASN1_CONSTR_SEQUENCE,
- DER_DEC_OPTIONAL },
- { DER_OFFSET(DERUserNotice, explicitText),
- 0, /* no tag - ANY */
- DER_DEC_ASN_ANY | DER_DEC_OPTIONAL | DER_DEC_SAVE_DER }
-};
-const DERSize DERNumUserNoticeItemSpecs =
- sizeof(DERUserNoticeItemSpecs) / sizeof(DERItemSpec);
-
-/* DERNoticeReference. */
-const DERItemSpec DERNoticeReferenceItemSpecs[] =
-{
- { DER_OFFSET(DERNoticeReference, organization),
- 0, /* no tag - ANY */
- DER_DEC_ASN_ANY | DER_DEC_SAVE_DER },
- { DER_OFFSET(DERNoticeReference, noticeNumbers),
- ASN1_CONSTR_SEQUENCE,
- DER_DEC_NO_OPTS }
-};
-const DERSize DERNumNoticeReferenceItemSpecs =
- sizeof(DERNoticeReferenceItemSpecs) / sizeof(DERItemSpec);
-
-/* DERPolicyMapping. */
-const DERItemSpec DERPolicyMappingItemSpecs[] =
-{
- { DER_OFFSET(DERPolicyMapping, issuerDomainPolicy),
- ASN1_OBJECT_ID,
- DER_DEC_NO_OPTS },
- { DER_OFFSET(DERPolicyMapping, subjectDomainPolicy),
- ASN1_OBJECT_ID,
- DER_DEC_NO_OPTS }
-};
-const DERSize DERNumPolicyMappingItemSpecs =
- sizeof(DERPolicyMappingItemSpecs) / sizeof(DERItemSpec);
-
-/* DERAccessDescription. */
-const DERItemSpec DERAccessDescriptionItemSpecs[] =
-{
- { DER_OFFSET(DERAccessDescription, accessMethod),
- ASN1_OBJECT_ID,
- DER_DEC_NO_OPTS },
- { DER_OFFSET(DERAccessDescription, accessLocation),
- 0, /* no tag - ANY */
- DER_DEC_ASN_ANY | DER_DEC_SAVE_DER }
-};
-const DERSize DERNumAccessDescriptionItemSpecs =
- sizeof(DERAccessDescriptionItemSpecs) / sizeof(DERItemSpec);
-
-/* DERAuthorityKeyIdentifier. */
-const DERItemSpec DERAuthorityKeyIdentifierItemSpecs[] =
-{
- { DER_OFFSET(DERAuthorityKeyIdentifier, keyIdentifier),
- ASN1_CONTEXT_SPECIFIC | 0,
- DER_DEC_OPTIONAL },
- { DER_OFFSET(DERAuthorityKeyIdentifier, authorityCertIssuer),
- ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 1,
- DER_DEC_OPTIONAL },
- { DER_OFFSET(DERAuthorityKeyIdentifier, authorityCertSerialNumber),
- ASN1_CONTEXT_SPECIFIC | 2,
- DER_DEC_OPTIONAL }
-};
-const DERSize DERNumAuthorityKeyIdentifierItemSpecs =
- sizeof(DERAuthorityKeyIdentifierItemSpecs) / sizeof(DERItemSpec);
-
-/* DEROtherName. */
-const DERItemSpec DEROtherNameItemSpecs[] =
-{
- { DER_OFFSET(DEROtherName, typeIdentifier),
- ASN1_OBJECT_ID,
- DER_DEC_NO_OPTS },
- { DER_OFFSET(DEROtherName, value),
- ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0,
- DER_DEC_NO_OPTS },
-};
-const DERSize DERNumOtherNameItemSpecs =
- sizeof(DEROtherNameItemSpecs) / sizeof(DERItemSpec);
-
-/* DERPolicyConstraints. */
-const DERItemSpec DERPolicyConstraintsItemSpecs[] =
-{
- { DER_OFFSET(DERPolicyConstraints, requireExplicitPolicy),
- ASN1_CONTEXT_SPECIFIC | 0,
- DER_DEC_OPTIONAL },
- { DER_OFFSET(DERPolicyConstraints, inhibitPolicyMapping),
- ASN1_CONTEXT_SPECIFIC | 1,
- DER_DEC_OPTIONAL }
-};
-const DERSize DERNumPolicyConstraintsItemSpecs =
- sizeof(DERPolicyConstraintsItemSpecs) / sizeof(DERItemSpec);
-
-/* DERTBSCrl */
-const DERItemSpec DERTBSCrlItemSpecs[] =
-{
- { DER_OFFSET(DERTBSCrl, version),
- ASN1_INTEGER,
- DER_DEC_OPTIONAL },
- { DER_OFFSET(DERTBSCrl, tbsSigAlg),
- ASN1_CONSTR_SEQUENCE,
- DER_DEC_NO_OPTS },
- { DER_OFFSET(DERTBSCrl, issuer),
- ASN1_CONSTR_SEQUENCE,
- DER_DEC_NO_OPTS },
- { DER_OFFSET(DERTBSCrl, thisUpdate),
- 0, /* no tag - ANY */
- DER_DEC_ASN_ANY | DER_DEC_SAVE_DER },
- { DER_OFFSET(DERTBSCrl, nextUpdate),
- 0, /* no tag - ANY */
- DER_DEC_ASN_ANY | DER_DEC_SAVE_DER },
- { DER_OFFSET(DERTBSCrl, revokedCerts),
- ASN1_CONSTR_SEQUENCE,
- DER_DEC_OPTIONAL },
- { DER_OFFSET(DERTBSCrl, extensions),
- ASN1_CONSTRUCTED | ASN1_CONTEXT_SPECIFIC | 0,
- DER_DEC_OPTIONAL }
-};
-const DERSize DERNumTBSCrlItemSpecs = sizeof(DERTBSCrlItemSpecs) / sizeof(DERItemSpec);
-
-/* DERRevokedCert */
-const DERItemSpec DERRevokedCertItemSpecs[] =
-{
- { DER_OFFSET(DERRevokedCert, serialNum),
- ASN1_INTEGER,
- DER_DEC_NO_OPTS },
- { DER_OFFSET(DERRevokedCert, revocationDate),
- 0, /* no tag - ANY */
- DER_DEC_ASN_ANY | DER_DEC_SAVE_DER },
- { DER_OFFSET(DERRevokedCert, extensions),
- ASN1_CONSTR_SEQUENCE,
- DER_DEC_OPTIONAL }
-};
-
-const DERSize DERNumRevokedCertItemSpecs =
- sizeof(DERRevokedCertItemSpecs) / sizeof(DERItemSpec);
diff --git a/OSX/libsecurity_keychain/libDER/libDER/DER_CertCrl.h b/OSX/libsecurity_keychain/libDER/libDER/DER_CertCrl.h
deleted file mode 100644
index db36e5cc..00000000
--- a/OSX/libsecurity_keychain/libDER/libDER/DER_CertCrl.h
+++ /dev/null
@@ -1,275 +0,0 @@
-/*
- * Copyright (c) 2005-2016 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-
-/*
- * DER_CertCrl.h - support for decoding X509 certificates and CRLs
- *
- */
-
-#ifndef _DER_CERT_CRL_H_
-#define _DER_CERT_CRL_H_
-
-#include
-#include
-
-__BEGIN_DECLS
-
-/*
- * Top level cert or CRL - the two are identical at this level - three
- * components. The tbs field is saved in full DER form for sig verify.
- */
-typedef struct {
- DERItem tbs; /* sequence, DERTBSCert, DER_DEC_SAVE_DER */
- DERItem sigAlg; /* sequence, DERAlgorithmId */
- DERItem sig; /* bit string */
-} DERSignedCertCrl;
-
-/* DERItemSpecs to decode into a DERSignedCertCrl */
-extern const DERItemSpec DERSignedCertCrlItemSpecs[];
-extern const DERSize DERNumSignedCertCrlItemSpecs;
-
-/* TBS cert components */
-typedef struct {
- DERItem version; /* integer, optional, EXPLICIT */
- DERItem serialNum; /* integer */
- DERItem tbsSigAlg; /* sequence, DERAlgorithmId */
- DERItem issuer; /* sequence, TBD */
- DERItem validity; /* sequence, DERValidity */
- DERItem subject; /* sequence, TBD */
- DERItem subjectPubKey; /* sequence, DERSubjPubKeyInfo */
- DERItem issuerID; /* bit string, optional */
- DERItem subjectID; /* bit string, optional */
- DERItem extensions; /* sequence, optional, EXPLICIT */
-} DERTBSCert;
-
-/* DERItemSpecs to decode into a DERTBSCert */
-extern const DERItemSpec DERTBSCertItemSpecs[];
-extern const DERSize DERNumTBSCertItemSpecs;
-
-/*
- * validity - components can be either UTC or generalized time.
- * Both are ASN_ANY with DER_DEC_SAVE_DER.
- */
-typedef struct {
- DERItem notBefore;
- DERItem notAfter;
-} DERValidity;
-
-/* DERItemSpecs to decode into a DERValidity */
-extern const DERItemSpec DERValidityItemSpecs[];
-extern const DERSize DERNumValidityItemSpecs;
-
-/* AttributeTypeAndValue components. */
-typedef struct {
- DERItem type;
- DERItem value;
-} DERAttributeTypeAndValue;
-
-/* DERItemSpecs to decode into DERAttributeTypeAndValue */
-extern const DERItemSpec DERAttributeTypeAndValueItemSpecs[];
-extern const DERSize DERNumAttributeTypeAndValueItemSpecs;
-
-/* Extension components */
-typedef struct {
- DERItem extnID;
- DERItem critical;
- DERItem extnValue;
-} DERExtension;
-
-/* DERItemSpecs to decode into DERExtension */
-extern const DERItemSpec DERExtensionItemSpecs[];
-extern const DERSize DERNumExtensionItemSpecs;
-
-/* BasicConstraints components. */
-typedef struct {
- DERItem cA;
- DERItem pathLenConstraint;
-} DERBasicConstraints;
-
-/* DERItemSpecs to decode into DERBasicConstraints */
-extern const DERItemSpec DERBasicConstraintsItemSpecs[];
-extern const DERSize DERNumBasicConstraintsItemSpecs;
-
-/* NameConstraints components. */
-typedef struct {
- DERItem permittedSubtrees;
- DERItem excludedSubtrees;
-} DERNameConstraints;
-
-/* DERItemSpecs to decode into a DERNameConstraints */
-extern const DERItemSpec DERNameConstraintsItemSpecs[];
-extern const DERSize DERNumNameConstraintsItemSpecs;
-
-/* GeneralSubtree components. */
-typedef struct {
- DERItem generalName;
- DERItem minimum;
- DERItem maximum;
-} DERGeneralSubtree;
-
-/* DERItemSpecs to decode into a DERGeneralSubtree */
-extern const DERItemSpec DERGeneralSubtreeItemSpecs[];
-extern const DERSize DERNumGeneralSubtreeItemSpecs;
-
-/* PrivateKeyUsagePeriod components. */
-typedef struct {
- DERItem notBefore;
- DERItem notAfter;
-} DERPrivateKeyUsagePeriod;
-
-/* DERItemSpecs to decode into a DERPrivateKeyUsagePeriod */
-extern const DERItemSpec DERPrivateKeyUsagePeriodItemSpecs[];
-extern const DERSize DERNumPrivateKeyUsagePeriodItemSpecs;
-
-/* DistributionPoint components. */
-typedef struct {
- DERItem distributionPoint;
- DERItem reasons;
- DERItem cRLIssuer;
-} DERDistributionPoint;
-
-/* DERItemSpecs to decode into a DERDistributionPoint */
-extern const DERItemSpec DERDistributionPointItemSpecs[];
-extern const DERSize DERNumDistributionPointItemSpecs;
-
-/* PolicyInformation components. */
-typedef struct {
- DERItem policyIdentifier;
- DERItem policyQualifiers;
-} DERPolicyInformation;
-
-/* DERItemSpecs to decode into a DERPolicyInformation */
-extern const DERItemSpec DERPolicyInformationItemSpecs[];
-extern const DERSize DERNumPolicyInformationItemSpecs;
-
-/* PolicyQualifierInfo components. */
-typedef struct {
- DERItem policyQualifierID;
- DERItem qualifier;
-} DERPolicyQualifierInfo;
-
-/* DERItemSpecs to decode into a DERPolicyQualifierInfo */
-extern const DERItemSpec DERPolicyQualifierInfoItemSpecs[];
-extern const DERSize DERNumPolicyQualifierInfoItemSpecs;
-
-/* UserNotice components. */
-typedef struct {
- DERItem noticeRef;
- DERItem explicitText;
-} DERUserNotice;
-
-/* DERItemSpecs to decode into a DERUserNotice */
-extern const DERItemSpec DERUserNoticeItemSpecs[];
-extern const DERSize DERNumUserNoticeItemSpecs;
-
-/* NoticeReference components. */
-typedef struct {
- DERItem organization;
- DERItem noticeNumbers;
-} DERNoticeReference;
-
-/* DERItemSpecs to decode into a DERNoticeReference */
-extern const DERItemSpec DERNoticeReferenceItemSpecs[];
-extern const DERSize DERNumNoticeReferenceItemSpecs;
-
-/* PolicyMapping components. */
-typedef struct {
- DERItem issuerDomainPolicy;
- DERItem subjectDomainPolicy;
-} DERPolicyMapping;
-
-/* DERItemSpecs to decode into a DERPolicyMapping */
-extern const DERItemSpec DERPolicyMappingItemSpecs[];
-extern const DERSize DERNumPolicyMappingItemSpecs;
-
-/* AccessDescription components. */
-typedef struct {
- DERItem accessMethod;
- DERItem accessLocation;
-} DERAccessDescription;
-
-/* DERItemSpecs to decode into a DERAccessDescription */
-extern const DERItemSpec DERAccessDescriptionItemSpecs[];
-extern const DERSize DERNumAccessDescriptionItemSpecs;
-
-/* AuthorityKeyIdentifier components. */
-typedef struct {
- DERItem keyIdentifier;
- DERItem authorityCertIssuer;
- DERItem authorityCertSerialNumber;
-} DERAuthorityKeyIdentifier;
-
-/* DERItemSpecs to decode into a DERAuthorityKeyIdentifier */
-extern const DERItemSpec DERAuthorityKeyIdentifierItemSpecs[];
-extern const DERSize DERNumAuthorityKeyIdentifierItemSpecs;
-
-/* OtherName components. */
-typedef struct {
- DERItem typeIdentifier;
- DERItem value;
-} DEROtherName;
-
-/* DERItemSpecs to decode into a DEROtherName */
-extern const DERItemSpec DEROtherNameItemSpecs[];
-extern const DERSize DERNumOtherNameItemSpecs;
-
-/* PolicyConstraints components. */
-typedef struct {
- DERItem requireExplicitPolicy;
- DERItem inhibitPolicyMapping;
-} DERPolicyConstraints;
-
-/* DERItemSpecs to decode into a DERPolicyConstraints */
-extern const DERItemSpec DERPolicyConstraintsItemSpecs[];
-extern const DERSize DERNumPolicyConstraintsItemSpecs;
-
-/* TBS CRL */
-typedef struct {
- DERItem version; /* integer, optional */
- DERItem tbsSigAlg; /* sequence, DERAlgorithmId */
- DERItem issuer; /* sequence, TBD */
- DERItem thisUpdate; /* ASN_ANY, SAVE_DER */
- DERItem nextUpdate; /* ASN_ANY, SAVE_DER */
- DERItem revokedCerts; /* sequence of DERRevokedCert, optional */
- DERItem extensions; /* sequence, optional, EXPLICIT */
-} DERTBSCrl;
-
-/* DERItemSpecs to decode into a DERTBSCrl */
-extern const DERItemSpec DERTBSCrlItemSpecs[];
-extern const DERSize DERNumTBSCrlItemSpecs;
-
-typedef struct {
- DERItem serialNum; /* integer */
- DERItem revocationDate; /* time - ASN_ANY, SAVE_DER */
- DERItem extensions; /* sequence, optional, EXPLICIT */
-} DERRevokedCert;
-
-/* DERItemSpecs to decode into a DERRevokedCert */
-extern const DERItemSpec DERRevokedCertItemSpecs[];
-extern const DERSize DERNumRevokedCertItemSpecs;
-
-__END_DECLS
-
-#endif /* _DER_CERT_CRL_H_ */
-
diff --git a/OSX/libsecurity_keychain/libDER/libDER/DER_Decode.c b/OSX/libsecurity_keychain/libDER/libDER/DER_Decode.c
deleted file mode 100644
index 04374a35..00000000
--- a/OSX/libsecurity_keychain/libDER/libDER/DER_Decode.c
+++ /dev/null
@@ -1,759 +0,0 @@
-/*
- * Copyright (c) 2005-2017 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-/*
- * DER_Decode.c - DER decoding routines
- */
-
-#include
-#include
-
-#include
-
-#ifndef DER_DECODE_ENABLE
-#error Please define DER_DECODE_ENABLE.
-#endif
-
-#if DER_DECODE_ENABLE
-
-#define DER_DECODE_DEBUG 0
-#if DER_DECODE_DEBUG
-#include
-#define derDecDbg(a) printf(a)
-#define derDecDbg1(a, b) printf(a, b)
-#define derDecDbg2(a, b, c) printf(a, b, c)
-#define derDecDbg3(a, b, c, d) printf(a, b, c, d)
-#else
-#define derDecDbg(a)
-#define derDecDbg1(a, b)
-#define derDecDbg2(a, b, c)
-#define derDecDbg3(a, b, c, d)
-#endif /* DER_DECODE_DEBUG */
-
-/*
- * Basic decoding primitive. Only works with:
- *
- * -- definite length encoding
- * -- one-byte tags (unless DER_MULTIBYTE_TAGS is defined)
- * -- max content length fits in a DERSize
- *
- * No malloc or copy of the contents is performed; the returned
- * content->content.data is a pointer into the incoming der data.
- */
-DERReturn DERDecodeItem(
- const DERItem *der, /* data to decode */
- DERDecodedInfo *decoded) /* RETURNED */
-{
- return DERDecodeItemPartialBufferGetLength(der, decoded, NULL);
-}
-
-/*
- * Basic decoding primitive. Allows for decoding with a partial buffer.
- * if allowPartialBuffer is true. A partial buffer would normally fail
- * because the encoded length would be greater than the size of the buffer passed in.
- * Only works with:
- *
- * -- definite length encoding
- * -- one-byte tags (unless DER_MULTIBYTE_TAGS is defined)
- * -- max content length fits in a DERSize
- *
- * No malloc or copy of the contents is performed; the returned
- * content->content.data is a pointer into the incoming der data.
- *
- * WARNING: Using a partial buffer can return a DERDecodedInfo object with
- * a length larger than the buffer. It is recommended to instead use
- * DERDecodeItemPartialBufferGetLength if you need partial buffers.
- *
- */
-DERReturn DERDecodeItemPartialBuffer(
- const DERItem *der, /* data to decode */
- DERDecodedInfo *decoded, /* RETURNED */
- bool allowPartialBuffer)
-{
- DERByte tag1; /* first tag byte */
- DERByte len1; /* first length byte */
- DERTag tagNumber; /* tag number without class and method bits */
- DERByte *derPtr = der->data;
- DERSize derLen = der->length;
-
- /* The tag decoding below is fully BER complient. We support a max tag
- value of 2 ^ ((sizeof(DERTag) * 8) - 3) - 1 so for tag size 1 byte we
- support tag values from 0 - 0x1F. For tag size 2 tag values
- from 0 - 0x1FFF and for tag size 4 values from 0 - 0x1FFFFFFF. */
- if(derLen < 2) {
- return DR_DecodeError;
- }
- /* Grab the first byte of the tag.
*/ - tag1 = *derPtr++; - derLen--; - tagNumber = tag1 & 0x1F; - if(tagNumber == 0x1F) { -#ifdef DER_MULTIBYTE_TAGS - /* Long tag form: bit 8 of each octet shall be set to one unless it is - the last octet of the tag */ - const DERTag overflowMask = ((DERTag)0x7F << (sizeof(DERTag) * 8 - 7)); - DERByte tagByte; - tagNumber = 0; - if (*derPtr == 0x80 || *derPtr < 0x1F) - return DR_DecodeError; - do { - if(derLen < 2 || (tagNumber & overflowMask) != 0) { - return DR_DecodeError; - } - tagByte = *derPtr++; - derLen--; - tagNumber = (tagNumber << 7) | (tagByte & 0x7F); - } while((tagByte & 0x80) != 0); - - /* Check for any of the top 3 reserved bits being set. */ - if ((tagNumber & (overflowMask << 4)) != 0) -#endif - return DR_DecodeError; - } - /* Returned tag, top 3 bits are class/method remaining bits are number. */ - decoded->tag = ((DERTag)(tag1 & 0xE0) << ((sizeof(DERTag) - 1) * 8)) | tagNumber; - - /* Tag decoding above ensured we have at least one more input byte left. */ - len1 = *derPtr++; - derLen--; - if(len1 & 0x80) { - /* long length form - first byte is length of length */ - DERSize longLen = 0; /* long form length */ - - unsigned dex; - len1 &= 0x7f; - if((len1 > sizeof(DERSize)) || (len1 > derLen) || len1 == 0 || *derPtr == 0) { - /* no can do */ - return DR_DecodeError; - } - for(dex=0; dex derLen && !allowPartialBuffer) { - /* not enough data left for this encoding */ - return DR_DecodeError; - } - decoded->content.data = derPtr; - decoded->content.length = longLen; - } - else { - /* short length form, len1 is the length */ - if(len1 > derLen && !allowPartialBuffer) { - /* not enough data left for this encoding */ - return DR_DecodeError; - } - decoded->content.data = derPtr; - decoded->content.length = len1; - } - - return DR_Success; -} - -/* - * Same as above, but returns a DERDecodedInfo with a length no larger than the buffer. - * The actual encoded length can be retrieved from encodedLength parameter. 
- * encodedLength can be NULL to achieve the same behavior as DERDecodeItemPartialBuffer,
- * with allowPartialBuffer=false
- *
- * NOTE: The DERDecoded length will never be larger than the input buffer.
- * This is a key difference from DERDecodeItemPartialBuffer which could return invalid length.
- *
- */
-DERReturn DERDecodeItemPartialBufferGetLength(
- const DERItem *der, /* data to decode */
- DERDecodedInfo *decoded, /* RETURNED */
- DERSize *encodedLength)
-{
- DERByte tag1; /* first tag byte */
- DERByte len1; /* first length byte */
- DERTag tagNumber; /* tag number without class and method bits */
- DERByte *derPtr = der->data;
- DERSize derLen = der->length;
-
- /* The tag decoding below is fully BER complient. We support a max tag
- value of 2 ^ ((sizeof(DERTag) * 8) - 3) - 1 so for tag size 1 byte we
- support tag values from 0 - 0x1F. For tag size 2 tag values
- from 0 - 0x1FFF and for tag size 4 values from 0 - 0x1FFFFFFF. */
- if(derLen < 2) {
- return DR_DecodeError;
- }
- /* Grab the first byte of the tag. */
- tag1 = *derPtr++;
- derLen--;
- tagNumber = tag1 & 0x1F;
- if(tagNumber == 0x1F) {
-#ifdef DER_MULTIBYTE_TAGS
- /* Long tag form: bit 8 of each octet shall be set to one unless it is
- the last octet of the tag */
- const DERTag overflowMask = ((DERTag)0x7F << (sizeof(DERTag) * 8 - 7));
- DERByte tagByte;
- tagNumber = 0;
- if (*derPtr == 0x80 || *derPtr < 0x1F)
- return DR_DecodeError;
- do {
- if(derLen < 2 || (tagNumber & overflowMask) != 0) {
- return DR_DecodeError;
- }
- tagByte = *derPtr++;
- derLen--;
- tagNumber = (tagNumber << 7) | (tagByte & 0x7F);
- } while((tagByte & 0x80) != 0);
-
- /* Check for any of the top 3 reserved bits being set. */
- if ((tagNumber & (overflowMask << 4)) != 0)
-#endif
- return DR_DecodeError;
- }
- /* Returned tag, top 3 bits are class/method remaining bits are number.
*/ - decoded->tag = ((DERTag)(tag1 & 0xE0) << ((sizeof(DERTag) - 1) * 8)) | tagNumber; - - /* Tag decoding above ensured we have at least one more input byte left. */ - len1 = *derPtr++; - derLen--; - if(len1 & 0x80) { - /* long length form - first byte is length of length */ - DERSize longLen = 0; /* long form length */ - unsigned dex; - - len1 &= 0x7f; - if((len1 > sizeof(DERSize)) || (len1 > derLen) || len1 == 0 || *derPtr == 0) { - /* no can do */ - return DR_DecodeError; - } - for(dex=0; dex derLen && !encodedLength) { - /* not enough data left for this encoding */ - return DR_DecodeError; - } - if (longLencontent.data = derPtr; - decoded->content.length = derLen; - if (encodedLength) { - *encodedLength = longLen; - } - } - else { - /* short length form, len1 is the length */ - if(len1 > derLen && !encodedLength) { - /* not enough data left for this encoding */ - return DR_DecodeError; - } - if (len1content.data = derPtr; - decoded->content.length = derLen; - if (encodedLength) { - *encodedLength = len1; - } - } - - return DR_Success; -} - -/* - * Given a BIT_STRING, in the form of its raw content bytes, - * obtain the number of unused bits and the raw bit string bytes. - */ -DERReturn DERParseBitString( - const DERItem *contents, - DERItem *bitStringBytes, /* RETURNED */ - DERByte *numUnusedBits) /* RETURNED */ -{ - if(contents->length < 2) { - /* not enough room for actual bits after the unused bits field */ - *numUnusedBits = 0; - bitStringBytes->data = NULL; - bitStringBytes->length = 0; - return DR_Success; - } - *numUnusedBits = contents->data[0]; - bitStringBytes->data = contents->data + 1; - bitStringBytes->length = contents->length - 1; - return DR_Success; -} - -/* - * Given a BOOLEAN, in the form of its raw content bytes, - * obtain it's value. 
- */
-DERReturn DERParseBoolean(
- const DERItem *contents,
- bool *value) { /* RETURNED */
- if (contents->length != 1 ||
- (contents->data[0] != 0 && contents->data[0] != 0xFF))
- return DR_DecodeError;
-
- *value = contents->data[0] != 0;
- return DR_Success;
-}
-
-/*
- * Given a BOOLEAN, in the form of its raw content bytes,
- * obtain it's value.
- */
-DERReturn DERParseBooleanWithDefault(
- const DERItem *contents,
- bool defaultValue,
- bool *value) { /* RETURNED */
- if (contents->length == 0) {
- *value = defaultValue;
- return DR_Success;
- }
- return DERParseBoolean(contents, value);
-}
-
-
-DERReturn DERParseInteger(
- const DERItem *contents,
- uint32_t *result) { /* RETURNED */
- uint64_t value;
- DERReturn drtn = DERParseInteger64(contents, &value);
- if (drtn == DR_Success) {
- if (value > UINT32_MAX)
- drtn = DR_BufOverflow;
- else
- *result = (uint32_t)value;
- }
- return drtn;
-}
-
-DERReturn DERParseInteger64(
- const DERItem *contents,
- uint64_t *result) { /* RETURNED */
- DERSize ix, length = contents->length;
- if (length == 0)
- return DR_DecodeError;
- if (contents->data[0] & 0x80)
- return DR_DecodeError;
- if (contents->data[0] == 0) {
- if (length > 1 && (contents->data[1] & 0x80) == 0)
- return DR_DecodeError;
- if (length > sizeof(*result) + 1)
- return DR_BufOverflow;
- } else if (length > sizeof(*result)) {
- return DR_BufOverflow;
- }
- uint64_t value = 0;
- for (ix = 0; ix < length; ++ix) {
- value <<= 8;
- value += contents->data[ix];
- }
- *result = value;
- return DR_Success;
-}
-
-/* Sequence/set support */
-
-/*
- * To decode a set or sequence, call DERDecodeSeqInit once, then
- * call DERDecodeSeqNext to get each enclosed item.
- * DERDecodeSeqNext returns DR_EndOfSequence when no more
- * items are available.
- */
-DERReturn DERDecodeSeqInit(
- const DERItem *der, /* data to decode */
- DERTag *tag, /* RETURNED tag of sequence/set. This will be
- * either ASN1_CONSTR_SEQUENCE or ASN1_CONSTR_SET. */
- DERSequence *derSeq) /* RETURNED, to use in DERDecodeSeqNext */
-{
- DERDecodedInfo decoded;
- DERReturn drtn;
-
- drtn = DERDecodeItem(der, &decoded);
- if(drtn) {
- return drtn;
- }
- *tag = decoded.tag;
- switch(decoded.tag) {
- case ASN1_CONSTR_SEQUENCE:
- case ASN1_CONSTR_SET:
- break;
- default:
- return DR_UnexpectedTag;
- }
- derSeq->nextItem = decoded.content.data;
- derSeq->end = decoded.content.data + decoded.content.length;
- return DR_Success;
-}
-
-/*
- * Use this to start in on decoding a sequence's content, when
- * the top-level tag and content have already been decoded.
- */
-DERReturn DERDecodeSeqContentInit(
- const DERItem *content,
- DERSequence *derSeq) /* RETURNED, to use in DERDecodeSeqNext */
-{
- /* just prepare for decoding items in content */
- derSeq->nextItem = content->data;
- derSeq->end = content->data + content->length;
- return DR_Success;
-}
-
-DERReturn DERDecodeSeqNext(
- DERSequence *derSeq,
- DERDecodedInfo *decoded) /* RETURNED */
-{
- DERReturn drtn;
- DERItem item;
-
- if(derSeq->nextItem >= derSeq->end) {
- /* normal termination, contents all used up */
- return DR_EndOfSequence;
- }
-
- /* decode next item */
- item.data = derSeq->nextItem;
- item.length = (DERSize) (derSeq->end - derSeq->nextItem);
- drtn = DERDecodeItem(&item, decoded);
- if(drtn) {
- return drtn;
- }
-
- /* skip over the item we just decoded */
- derSeq->nextItem = decoded->content.data + decoded->content.length;
- return DR_Success;
-}
-
-/*
- * High level sequence parse, starting with top-level tag and content.
- * Top level tag must be ASN1_CONSTR_SEQUENCE - if it's not, and that's
- * OK, use DERParseSequenceContent().
- */ -DERReturn DERParseSequence( - const DERItem *der, - DERShort numItems, /* size of itemSpecs[] */ - const DERItemSpec *itemSpecs, - void *dest, /* DERDecodedInfo(s) here RETURNED */ - DERSize sizeToZero) /* optional */ -{ - DERReturn drtn; - DERDecodedInfo topDecode; - - drtn = DERDecodeItem(der, &topDecode); - if(drtn) { - return drtn; - } - if(topDecode.tag != ASN1_CONSTR_SEQUENCE) { - return DR_UnexpectedTag; - } - return DERParseSequenceContent(&topDecode.content, - numItems, itemSpecs, dest, sizeToZero); -} - -/* high level sequence parse, starting with sequence's content */ -DERReturn DERParseSequenceContent( - const DERItem *content, - DERShort numItems, /* size of itemSpecs[] */ - const DERItemSpec *itemSpecs, - void *dest, /* DERDecodedInfo(s) here RETURNED */ - DERSize sizeToZero) /* optional */ -{ - DERSequence derSeq; - DERReturn drtn; - DERShort itemDex; - DERByte *currDER; /* full DER encoding of current item */ - - if(sizeToZero) { - DERMemset(dest, 0, sizeToZero); - } - - drtn = DERDecodeSeqContentInit(content, &derSeq); - if(drtn) { - return drtn; - } - - /* main loop */ - for(itemDex=0 ; itemDexoptions; - derDecDbg3("--- currItem %u expectTag 0x%llx currOptions 0x%x\n", - i, currItemSpec->tag, currOptions); - - if((currOptions & DER_DEC_ASN_ANY) || - (foundTag == currItemSpec->tag)) { - /* - * We're good with this one. Cook up destination address - * as appropriate. - */ - if(!(currOptions & DER_DEC_SKIP)) { - derDecDbg1("--- MATCH at currItem %u\n", i); - DERByte *byteDst = (DERByte *)dest + currItemSpec->offset; - DERItem *dst = (DERItem *)byteDst; - *dst = currDecoded.content; - if(currOptions & DER_DEC_SAVE_DER) { - /* recreate full DER encoding of this item */ - derDecDbg1("--- SAVE_DER at currItem %u\n", i); - dst->data = currDER; - dst->length += (currDecoded.content.data - currDER); - } - } - - /* on to next item */ - itemDex = i + 1; - - /* is this the end? 
*/
- if(itemDex == numItems) {
- /* normal termination if we consumed everything */
- if (currDecoded.content.data + currDecoded.content.length == content->data + content->length)
- return DR_Success;
- else
- return DR_DecodeError;
- }
- else {
- /* on to next item */
- foundMatch = 1;
- break;
- }
- } /* ASN_ANY, or match */
-
- /*
- * If current itemSpec isn't optional, abort - else on to
- * next item
- */
- if(!(currOptions & DER_DEC_OPTIONAL)) {
- derDecDbg1("--- MISMATCH at currItem %u, !OPTIONAL, abort\n", i);
- return DR_UnexpectedTag;
- }
-
- /* else this was optional, on to next item */
- } /* searching for tag match */
-
- if(foundMatch == 0) {
- /*
- * Found an item we couldn't match to any tag spec and we're at
- * the end.
- */
- derDecDbg("--- TAG NOT FOUND, abort\n");
- return DR_UnexpectedTag;
- }
-
- /* else on to next item */
- } /* main loop */
-
- /* Template has 0 items if we get here. */
- /* normal termination if we consumed everything, (the sequence was empty) */
- if (derSeq.nextItem == derSeq.end)
- return DR_Success;
- else
- return DR_DecodeError;
-}
-
-#if 0
-/*
- * High level sequence parse, starting with top-level tag and content.
- * Top level tag must be ASN1_CONSTR_SEQUENCE - if it's not, and that's
- * OK, use DERParseSequenceContent().
- */
-DERReturn DERParseSequenceOf(
- const DERItem *der,
- DERShort numItems, /* size of itemSpecs[] */
- const DERItemSpec *itemSpecs,
- void *dest, /* DERDecodedInfo(s) here RETURNED */
- DERSize *numDestItems) /* output */
-{
- DERReturn drtn;
- DERDecodedInfo topDecode;
-
- drtn = DERDecodeItem(der, &topDecode);
- if(drtn) {
- return drtn;
- }
- if(topDecode.tag != ASN1_CONSTR_SEQUENCE) {
- return DR_UnexpectedTag;
- }
- return DERParseSequenceContent(&topDecode.content,
- numItems, itemSpecs, dest, sizeToZero);
-}
-
-/*
- * High level set of parse, starting with top-level tag and content.
- * Top level tag must be ASN1_CONSTR_SET - if it's not, and that's
- * OK, use DERParseSetOrSequenceOfContent().
- */
-DERReturn DERParseSetOf(
- const DERItem *der,
- DERShort numItems, /* size of itemSpecs[] */
- const DERItemSpec *itemSpecs,
- void *dest, /* DERDecodedInfo(s) here RETURNED */
- DERSize *numDestItems) /* output */
-{
- DERReturn drtn;
- DERDecodedInfo topDecode;
-
- drtn = DERDecodeItem(der, &topDecode);
- if(drtn) {
- return drtn;
- }
- if(topDecode.tag != ASN1_CONSTR_SET) {
- return DR_UnexpectedTag;
- }
- return DERParseSetOrSequenceOfContent(&topDecode.content,
- numItems, itemSpecs, dest, numDestItems);
-}
-
-/* High level set of or sequence of parse, starting with set or
- sequence's content */
-DERReturn DERParseSetOrSequenceOfContent(
- const DERItem *content,
- void(*itemHandeler)(void *, const DERDecodedInfo *)
- void *itemHandelerContext);
-{
- DERSequence derSeq;
- DERShort itemDex;
-
- drtn = DERDecodeSeqContentInit(content, &derSeq);
- require_noerr_quiet(drtn, badCert);
-
- /* main loop */
- for (;;) {
- DERDecodedInfo currDecoded;
- DERShort i;
- DERByte foundTag;
- char foundMatch = 0;
-
- drtn = DERDecodeSeqNext(&derSeq, &currDecoded);
- if(drtn) {
- /* The only legal error here is DR_EndOfSequence. */
- if(drtn == DR_EndOfSequence) {
- /* no more items left in the sequence; success */
- return DR_Success;
- }
- else {
- /* any other error is fatal */
- require_noerr_quiet(drtn, badCert);
- }
- } /* decode error */
-
- /* Each element can be anything. */
- foundTag = currDecoded.tag;
-
- /*
- * We're good with this one. Cook up destination address
- * as appropriate.
- */
- DERByte *byteDst = (DERByte *)dest + currItemSpec->offset;
- DERItem *dst = (DERItem *)byteDst;
- *dst = currDecoded.content;
- if(currOptions & DER_DEC_SAVE_DER) {
- /* recreate full DER encoding of this item */
- derDecDbg1("--- SAVE_DER at currItem %u\n", i);
- dst->data = currDER;
- dst->length += (currDecoded.content.data - currDER);
- }
-
- /* on to next item */
- itemDex = i + 1;
-
- /* is this the end? */
- if(itemDex == numItems) {
- /* normal termination */
- return DR_Success;
- }
- else {
- /* on to next item */
- foundMatch = 1;
- break;
- }
-
- /*
- * If current itemSpec isn't optional, abort - else on to
- * next item
- */
- if(!(currOptions & DER_DEC_OPTIONAL)) {
- derDecDbg1("--- MISMATCH at currItem %u, !OPTIONAL, abort\n", i);
- return DR_UnexpectedTag;
- }
-
- /* else this was optional, on to next item */
- } /* searching for tag match */
-
- if(foundMatch == 0) {
- /*
- * Found an item we couldn't match to any tag spec and we're at
- * the end.
- */
- derDecDbg("--- TAG NOT FOUND, abort\n");
- return DR_UnexpectedTag;
- }
-
- /* else on to next item */
- } /* main loop */
-
- /*
- * If we get here, there appears to be more to process, but we've
- * given the caller everything they want.
- */
- return DR_Success;
- }
-}
-#endif
-
-#endif /* DER_DECODE_ENABLE */
diff --git a/OSX/libsecurity_keychain/libDER/libDER/DER_Decode.h b/OSX/libsecurity_keychain/libDER/libDER/DER_Decode.h
deleted file mode 100644
index 4f2c915c..00000000
--- a/OSX/libsecurity_keychain/libDER/libDER/DER_Decode.h
+++ /dev/null
@@ -1,242 +0,0 @@ -/* - * Copyright (c) 2005-2017 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -/* - * DER_Decode.h - DER decoding routines - */ - -#ifndef _DER_DECODE_H_ -#define _DER_DECODE_H_ - -#include -#include - -__BEGIN_DECLS - -/* - * Decoding one item consists of extracting its tag, a pointer - * to the actual content, and the length of the content. Those - * three are represented by a DERDecodedInfo. - */ -typedef struct { - DERTag tag; - DERItem content; -} DERDecodedInfo; - -/* - * Basic decoding primitive. Only works with: - * - * -- definite length encoding - * -- one-byte tags - * -- max content length fits in a DERSize - * - * No malloc or copy of the contents is performed; the returned - * content->content.data is a pointer into the incoming der data. - */ -DERReturn DERDecodeItem( - const DERItem *der, /* data to decode */ - DERDecodedInfo *decoded); /* RETURNED */ - -/* - * Basic decoding primitive. Allows for decoding with a partial buffer. - * if allowPartialBuffer is true. 
A partial buffer would normally fail - * because the encoded length would be greater than the size of the buffer passed in. - * Only works with: - * - * -- definite length encoding - * -- one-byte tags (unless DER_MULTIBYTE_TAGS is defined) - * -- max content length fits in a DERSize - * - * No malloc or copy of the contents is performed; the returned - * content->content.data is a pointer into the incoming der data. - * - * WARNING: Using a partial buffer can return a DERDecodedInfo object with - * a length larger than the buffer. It is recommended to instead use - * DERDecodeItemPartialBufferGetLength if you need partial buffers. - * - */ -DERReturn DERDecodeItemPartialBuffer( - const DERItem *der, /* data to decode */ - DERDecodedInfo *decoded, /* RETURNED */ - bool allowPartialBuffer); - -/* - * Same as above, but returns a DERDecodedInfo with a length no larger than the buffer. - * The actual encoded length can be retrieved from encodedLength parameter. - * encodedLength can be NULL to achieve the same behavior as DERDecodeItemPartialBuffer, - * with allowPartialBuffer=false - * - * NOTE: The DERDecoded length will never be larger than the input buffer. - * This is a key difference from DERDecodeItemPartialBuffer which could return invalid length. - * - */ -DERReturn DERDecodeItemPartialBufferGetLength( - const DERItem *der, /* data to decode */ - DERDecodedInfo *decoded, /* RETURNED */ - DERSize *encodedLength); - -/* - * Given a BIT_STRING, in the form of its raw content bytes, - * obtain the number of unused bits and the raw bit string bytes. - */ -DERReturn DERParseBitString( - const DERItem *contents, - DERItem *bitStringBytes, /* RETURNED */ - DERByte *numUnusedBits); /* RETURNED */ - -/* - * Given a BOOLEAN, in the form of its raw content bytes, - * obtain it's value. 
- */ -DERReturn DERParseBoolean( - const DERItem *contents, - bool *value); /* RETURNED */ - -DERReturn DERParseBooleanWithDefault( - const DERItem *contents, - bool defaultValue, - bool *value); /* RETURNED */ -/* - * Given a positive INTEGER, in the form of its raw content bytes, - * obtain it's value as a 32 bit or 64 bit quantity. - * Returns DR_BufOverflow if the value is too large to fit in the return type - */ - -DERReturn DERParseInteger( - const DERItem *contents, - uint32_t *value); /* RETURNED */ - -DERReturn DERParseInteger64( - const DERItem *contents, - uint64_t *value); /* RETURNED */ - -/* - * Sequence/set decode support. - */ - -/* state representing a sequence or set being decoded */ -typedef struct { - DERByte *nextItem; - DERByte *end; -} DERSequence; - -/* - * To decode a set or sequence, call DERDecodeSeqInit or - * DERDecodeSeqContentInit once, then call DERDecodeSeqNext to - * get each enclosed item. - * - * DERDecodeSeqNext returns DR_EndOfSequence when no more - * items are available. - */ - -/* - * Use this to parse the top level sequence's tag and content length. - */ -DERReturn DERDecodeSeqInit( - const DERItem *der, /* data to decode */ - DERTag *tag, /* RETURNED tag of sequence/set. This will be - * either ASN1_CONSTR_SEQUENCE or - * ASN1_CONSTR_SET. */ - DERSequence *derSeq); /* RETURNED, to use in DERDecodeSeqNext */ - -/* - * Use this to start in on decoding a sequence's content, when - * the top-level tag and content have already been decoded. - */ -DERReturn DERDecodeSeqContentInit( - const DERItem *content, - DERSequence *derSeq); /* RETURNED, to use in DERDecodeSeqNext */ - -/* obtain the next decoded item in a sequence or set */ -DERReturn DERDecodeSeqNext( - DERSequence *derSeq, - DERDecodedInfo *decoded); /* RETURNED */ - -/* - * High level sequence decode. - */ - -/* - * Per-item decode options. 
- */ - -/* Explicit default, no options */ -#define DER_DEC_NO_OPTS 0x0000 - -/* This item optional, can be skipped during decode */ -#define DER_DEC_OPTIONAL 0x0001 - -/* Skip the tag check; accept anything. */ -#define DER_DEC_ASN_ANY 0x0002 - -/* Skip item, no write to DERDecodedInfo (but tag check still performed) */ -#define DER_DEC_SKIP 0x0004 - -/* Save full DER encoding in DERDecodedInfo, including tag and length. Normally - * only the content is saved. */ -#define DER_DEC_SAVE_DER 0x0008 - -/* - * High level sequence parse, starting with top-level tag and content. - * Top level tag must be ASN1_CONSTR_SEQUENCE - if it's not, and that's - * OK, use DERParseSequenceContent(). - * - * These never return DR_EndOfSequence - if an *unexpected* end of sequence - * occurs, return DR_IncompleteSeq. - * - * Results of the decoding of one item are placed in a DERItem whose address - * is the dest arg plus the offset value in the associated DERItemSpec. - * - * Items which are optional (DER_DEC_OPTIONAL) and which are not found, - * leave their associated DERDecodedInfos unmodified. - * - * Processing of a sequence ends on detection of any error or after the - * last DERItemSpec is processed. - * - * The sizeToZero argument, if nonzero, indicates the number of bytes - * starting at dest to zero before processing the sequence. This is - * generally desirable, particularly if there are any DER_DEC_OPTIONAL - * items in the sequence; skipped optional items are detected by the - * caller via a NULL DERDecodedInfo.content.data; if this hasn't been - * explicitly zeroed (generally, by passing a nonzero value of sizeToZero), - * skipped items can't be detected. 
- */ -DERReturn DERParseSequence( - const DERItem *der, - DERShort numItems, /* size of itemSpecs[] */ - const DERItemSpec *itemSpecs, - void *dest, /* DERDecodedInfo(s) here RETURNED */ - DERSize sizeToZero); /* optional */ - -/* high level sequence parse, starting with sequence's content */ -DERReturn DERParseSequenceContent( - const DERItem *content, - DERShort numItems, /* size of itemSpecs[] */ - const DERItemSpec *itemSpecs, - void *dest, /* DERDecodedInfo(s) here RETURNED */ - DERSize sizeToZero); /* optional */ - -__END_DECLS - -#endif /* _DER_DECODE_H_ */ - diff --git a/OSX/libsecurity_keychain/libDER/libDER/DER_Digest.c b/OSX/libsecurity_keychain/libDER/libDER/DER_Digest.c deleted file mode 100644 index 86e67c18..00000000 --- a/OSX/libsecurity_keychain/libDER/libDER/DER_Digest.c +++ /dev/null 
@@ -1,183 +0,0 @@ -/* - * Copyright (c) 2005-2008,2010-2011,2014 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - - -/* - * DER_Digest.h - DER encode a DigestInfo - * - */ - -#include - -/* - * Create an encoded DigestInfo based on the specified SHA1 digest. - * The digest must be 20 bytes long. - * - * Result is placed in caller's buffer, which must be at least of - * length DER_DIGEST_INFO_LEN bytes. - * - * The *resultLen parameter is the available size in the result - * buffer on input, and the actual length of the encoded DigestInfo - * on output. - * - * In the interest of saving code space, this just drops the caller's - * digest into an otherwise hard-coded, fixed, encoded SHA1 DigestInfo. - * Nothing is variable so we know the whole thing. 
It looks like this: - * - * SEQUENCE OF <33> { - * SEQUENCE OF <9> { - * OID <5>: OID : < 06 05 2B 0E 03 02 1A > - * NULL - * } - * OCTET STRING <20>: - * 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 - * 55 55 55 55 - * } - * - * - * tower.local:digestInfo> hexdump -x /tmp/encodedDigest - * 0000000 3021 3009 0605 2b0e 0302 1a05 0004 1455 - * 0000010 5555 5555 5555 5555 5555 5555 5555 5555 - * * - * 0000020 - */ - -static const unsigned char encodedSha1Digest[] = -{ - 0x30, 0x21, /* top level sequence length 33 */ - 0x30, 0x09, /* algorithm ID, sequence length 9 */ - 0x06, 0x05, /* alg OID, length 5, SHA1 */ - 0x2b, 0x0e, 0x03, 0x02, 0x1a, - 0x05, 0x00, /* NULL parameters */ - 0x04, 0x14 /* integer length 20 */ - /* digest follows */ -}; - -DERReturn DEREncodeSHA1DigestInfo( - const DERByte *sha1Digest, - DERSize sha1DigestLen, - DERByte *result, /* encoded result RETURNED here */ - DERSize *resultLen) /* IN/OUT */ -{ - DERSize totalLen = sizeof(encodedSha1Digest) + DER_SHA1_DIGEST_LEN; - - if((sha1Digest == NULL) || (sha1DigestLen != DER_SHA1_DIGEST_LEN) || - (result == NULL) || (resultLen == NULL)) { - return DR_ParamErr; - } - if(*resultLen < DER_SHA1_DIGEST_INFO_LEN) { - return DR_BufOverflow; - } - DERMemmove(result, encodedSha1Digest, sizeof(encodedSha1Digest)); - DERMemmove(result + sizeof(encodedSha1Digest), sha1Digest, DER_SHA1_DIGEST_LEN); - *resultLen = totalLen; - return DR_Success; -} - -/* - joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) - csor(3) nistalgorithm(4) hashAlgs(2) sha256(1) - - future ones to add: sha384(2) sha512(3) sha224(4) -*/ -static const unsigned char encodedSha256Digest[] = -{ - 0x30, 0x31, /* top level sequence length 49 */ - 0x30, 0x0d, /* algorithm ID, sequence length 13 */ - 0x06, 0x09, - 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, - 0x05, 0x00, /* NULL parameters */ - 0x04, 0x20 /* integer length 32 */ - /* digest follows */ -}; - -DERReturn DEREncodeSHA256DigestInfo( - const DERByte *sha256Digest, 
- DERSize sha256DigestLen, - DERByte *result, /* encoded result RETURNED here */ - DERSize *resultLen) /* IN/OUT */ -{ - DERSize totalLen = sizeof(encodedSha256Digest) + DER_SHA256_DIGEST_LEN; - - if((sha256Digest == NULL) || (sha256DigestLen != DER_SHA256_DIGEST_LEN) || - (result == NULL) || (resultLen == NULL)) { - return DR_ParamErr; - } - if(*resultLen < DER_SHA256_DIGEST_INFO_LEN) { - return DR_BufOverflow; - } - DERMemmove(result, encodedSha256Digest, sizeof(encodedSha256Digest)); - DERMemmove(result + sizeof(encodedSha256Digest), sha256Digest, DER_SHA256_DIGEST_LEN); - *resultLen = totalLen; - return DR_Success; -} - - -/* Same thing, MD5/MD2 */ -static const unsigned char encodedMdDigest[] = -{ - 0x30, 0x20, /* top level sequence length 32 */ - 0x30, 0x0c, /* algorithm ID, sequence length 12 */ - 0x06, 0x08, /* alg OID, length 8, MD2/MD5 */ - 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, - 0x05, /* 5 = MD5, 2 = MD2 */ - 0x05, 0x00, /* NULL parameters */ - 0x04, 0x10 /* integer length 16 */ - /* digest follows */ -}; - -#define WHICH_DIGEST_INDEX 13 -#define WHICH_DIGEST_MD2 2 -#define WHICH_DIGEST_MD5 5 - -DERReturn DEREncodeMDDigestInfo( - WhichDigest whichDigest, - const DERByte *mdDigest, - DERSize mdDigestLen, - DERByte *result, /* encoded result RETURNED here */ - DERSize *resultLen) /* IN/OUT */ -{ - DERSize totalLen = sizeof(encodedMdDigest) + DER_MD_DIGEST_LEN; - - if((mdDigest == NULL) || (mdDigestLen != DER_MD_DIGEST_LEN) || - (result == NULL) || (resultLen == NULL)) { - return DR_ParamErr; - } - if(*resultLen < totalLen) { - return DR_BufOverflow; - } - DERMemmove(result, encodedMdDigest, sizeof(encodedMdDigest)); - DERMemmove(result + sizeof(encodedMdDigest), mdDigest, DER_MD_DIGEST_LEN); - switch(whichDigest) { - case WD_MD2: - result[WHICH_DIGEST_INDEX] = WHICH_DIGEST_MD2; - break; - case WD_MD5: - result[WHICH_DIGEST_INDEX] = WHICH_DIGEST_MD5; - break; - default: - return DR_ParamErr; - } - *resultLen = totalLen; - return DR_Success; -} 
diff --git a/OSX/libsecurity_keychain/libDER/libDER/DER_Digest.h b/OSX/libsecurity_keychain/libDER/libDER/DER_Digest.h
deleted file mode 100644
index 734d752c..00000000
--- a/OSX/libsecurity_keychain/libDER/libDER/DER_Digest.h
+++ /dev/null
@@ -1,91 +0,0 @@ -/* - * Copyright (c) 2005-2016 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - - -/* - * DER_Digest.h - DER encode a DigestInfo - * - */ - -#ifndef _DER_DIGEST_H_ -#define _DER_DIGEST_H_ - -#include - -__BEGIN_DECLS - -/* - * Create an encoded DigestInfo based on the specified SHA1 digest. - * The incoming digest must be 20 bytes long. - * - * Result is placed in caller's buffer, which must be at least of - * length DER_SHA1_DIGEST_INFO_LEN bytes. - * - * The *resultLen parameter is the available size in the result - * buffer on input, and the actual length of the encoded DigestInfo - * on output. 
- */ -#define DER_SHA1_DIGEST_LEN 20 -#define DER_SHA1_DIGEST_INFO_LEN 35 - -DERReturn DEREncodeSHA1DigestInfo( - const DERByte *sha1Digest, - DERSize sha1DigestLen, - DERByte *result, /* encoded result RETURNED here */ - DERSize *resultLen); /* IN/OUT */ - -#define DER_SHA256_DIGEST_LEN 32 -#define DER_SHA256_DIGEST_INFO_LEN 51 - -DERReturn DEREncodeSHA256DigestInfo( - const DERByte *sha256Digest, - DERSize sha256DigestLen, - DERByte *result, /* encoded result RETURNED here */ - DERSize *resultLen); /* IN/OUT */ - -/* - * Likewise, create an encoded DIgestInfo for specified MD5 or MD2 digest. - */ -#define DER_MD_DIGEST_LEN 16 -#define DER_MD_DIGEST_INFO_LEN 34 - -typedef enum { - WD_MD2 = 1, - WD_MD5 = 2 -} WhichDigest; - -DERReturn DEREncodeMDDigestInfo( - WhichDigest whichDigest, - const DERByte *mdDigest, - DERSize mdDigestLen, - DERByte *result, /* encoded result RETURNED here */ - DERSize *resultLen); /* IN/OUT */ - -/* max sizes you'll need in the general cases */ -#define DER_MAX_DIGEST_LEN DER_SHA256_DIGEST_LEN -#define DER_MAX_ENCODED_INFO_LEN DER_SHA256_DIGEST_INFO_LEN - -__END_DECLS - -#endif /* _DER_DIGEST_H_ */ - diff --git a/OSX/libsecurity_keychain/libDER/libDER/DER_Encode.c b/OSX/libsecurity_keychain/libDER/libDER/DER_Encode.c deleted file mode 100644 index bd8e607a..00000000 --- a/OSX/libsecurity_keychain/libDER/libDER/DER_Encode.c +++ /dev/null 
@@ -1,366 +0,0 @@ -/* - * Copyright (c) 2005-2016 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - - -/* - * DER_Encode.h - DER encoding routines - * - */ - -#include -#include -#include -#include - -#ifndef DER_ENCODE_ENABLE -#error Please define DER_ENCODE_ENABLE. -#endif - -#if DER_ENCODE_ENABLE - -/* calculate size of encoded tag */ -static DERSize DERLengthOfTag( - DERTag tag) -{ - DERSize rtn = 1; - - tag &= ASN1_TAGNUM_MASK; - if (tag >= 0x1F) { - /* Shift 7-bit digits out of the tag integer until it's zero. 
*/ - while(tag != 0) { - rtn++; - tag >>= 7; - } - } - - return rtn; -} - -/* encode tag */ -static DERReturn DEREncodeTag( - DERTag tag, - DERByte *buf, /* encoded length goes here */ - DERSize *inOutLen) /* IN/OUT */ -{ - DERSize outLen = DERLengthOfTag(tag); - DERTag tagNumber = tag & ASN1_TAGNUM_MASK; - DERByte tag1 = (tag >> (sizeof(DERTag) * 8 - 8)) & 0xE0; - - if(outLen > *inOutLen) { - return DR_BufOverflow; - } - - if(outLen == 1) { - /* short form */ - *buf = (DERByte)(tag1 | tagNumber); - } - else { - /* long form */ - DERByte *tagBytes = buf + outLen; // l.s. digit of tag - *buf = tag1 | 0x1F; // tag class / method indicator - *--tagBytes = tagNumber & 0x7F; - tagNumber >>= 7; - while(tagNumber != 0) { - *--tagBytes = (tagNumber & 0x7F) | 0x80; - tagNumber >>= 7; - } - } - *inOutLen = outLen; - return DR_Success; -} - -/* calculate size of encoded length */ -DERSize DERLengthOfLength( - DERSize length) -{ - DERSize rtn; - - if(length < 0x80) { - /* short form length */ - return 1; - } - - /* long form - one length-of-length byte plus length bytes */ - rtn = 1; - while(length != 0) { - rtn++; - length >>= 8; - } - return rtn; -} - -/* encode length */ -DERReturn DEREncodeLength( - DERSize length, - DERByte *buf, /* encoded length goes here */ - DERSize *inOutLen) /* IN/OUT */ -{ - DERByte *lenBytes; - DERSize outLen = DERLengthOfLength(length); - - if(outLen > *inOutLen) { - return DR_BufOverflow; - } - - if(length < 0x80) { - /* short form */ - *buf = (DERByte)length; - *inOutLen = 1; - return DR_Success; - } - - /* long form */ - *buf = (outLen - 1) | 0x80; // length of length, long form indicator - lenBytes = buf + outLen - 1; // l.s. 
digit of length - while(length != 0) { - *lenBytes-- = (DERByte)length; - length >>= 8; - } - *inOutLen = outLen; - return DR_Success; -} - -DERSize DERLengthOfItem( - DERTag tag, - DERSize length) -{ - return DERLengthOfTag(tag) + DERLengthOfLength(length) + length; -} - -DERReturn DEREncodeItem( - DERTag tag, - DERSize length, - const DERByte *src, - DERByte *derOut, /* encoded item goes here */ - DERSize *inOutLen) /* IN/OUT */ -{ - DERReturn drtn; - DERSize itemLen; - DERByte *currPtr = derOut; - DERSize bytesLeft = DERLengthOfItem(tag, length); - if(bytesLeft > *inOutLen) { - return DR_BufOverflow; - } - *inOutLen = bytesLeft; - - /* top level tag */ - itemLen = bytesLeft; - drtn = DEREncodeTag(tag, currPtr, &itemLen); - if(drtn) { - return drtn; - } - currPtr += itemLen; - bytesLeft -= itemLen; - itemLen = bytesLeft; - drtn = DEREncodeLength(length, currPtr, &itemLen); - if(drtn) { - return drtn; - } - currPtr += itemLen; - bytesLeft -= itemLen; - DERMemmove(currPtr, src, length); - - // Silence unused variable warning. - (void) bytesLeft; - - return DR_Success; -} - -static /* calculate the content length of an encoded sequence */ -DERSize DERContentLengthOfEncodedSequence( - const void *src, /* generally a ptr to a struct full of - * DERItems */ - DERShort numItems, /* size of itemSpecs[] */ - const DERItemSpec *itemSpecs) -{ - DERSize contentLen = 0; - unsigned dex; - DERSize thisContentLen; - - /* find length of each item */ - for(dex=0; dexoptions; - const DERByte *byteSrc = (const DERByte *)src + currItemSpec->offset; - const DERItem *itemSrc = (const DERItem *)byteSrc; - - if(currOptions & DER_ENC_WRITE_DER) { - /* easy case - no encode */ - contentLen += itemSrc->length; - continue; - } - - if ((currOptions & DER_DEC_OPTIONAL) && itemSrc->length == 0) { - /* If an optional item isn't present we don't encode a - tag and len. 
*/ - continue; - } - - /* - * length of this item = - * tag (one byte) + - * length of length + - * content length + - * optional zero byte for signed integer - */ - contentLen += DERLengthOfTag(currItemSpec->tag); - - /* check need for pad byte before calculating lengthOfLength... */ - thisContentLen = itemSrc->length; - if((currOptions & DER_ENC_SIGNED_INT) && - (itemSrc->length != 0)) { - if(itemSrc->data[0] & 0x80) { - /* insert zero keep it positive */ - thisContentLen++; - } - } - contentLen += DERLengthOfLength(thisContentLen); - contentLen += thisContentLen; - } - return contentLen; -} - -DERReturn DEREncodeSequence( - DERTag topTag, /* ASN1_CONSTR_SEQUENCE, ASN1_CONSTR_SET */ - const void *src, /* generally a ptr to a struct full of - * DERItems */ - DERShort numItems, /* size of itemSpecs[] */ - const DERItemSpec *itemSpecs, - DERByte *derOut, /* encoded data written here */ - DERSize *inOutLen) /* IN/OUT */ -{ - const DERByte *endPtr = derOut + *inOutLen; - DERByte *currPtr = derOut; - DERSize bytesLeft = *inOutLen; - DERSize contentLen; - DERReturn drtn; - DERSize itemLen; - unsigned dex; - - /* top level tag */ - itemLen = bytesLeft; - drtn = DEREncodeTag(topTag, currPtr, &itemLen); - if(drtn) { - return drtn; - } - currPtr += itemLen; - bytesLeft -= itemLen; - if(currPtr >= endPtr) { - return DR_BufOverflow; - } - - /* content length */ - contentLen = DERContentLengthOfEncodedSequence(src, numItems, itemSpecs); - itemLen = bytesLeft; - drtn = DEREncodeLength(contentLen, currPtr, &itemLen); - if(drtn) { - return drtn; - } - currPtr += itemLen; - bytesLeft -= itemLen; - if(currPtr + contentLen > endPtr) { - return DR_BufOverflow; - } - /* we don't have to check for overflow any more */ - - /* grind thru the items */ - for(dex=0; dexoptions; - const DERByte *byteSrc = (const DERByte *)src + currItemSpec->offset; - const DERItem *itemSrc = (const DERItem *)byteSrc; - int prependZero = 0; - - if(currOptions & DER_ENC_WRITE_DER) { - /* easy case */ - 
DERMemmove(currPtr, itemSrc->data, itemSrc->length); - currPtr += itemSrc->length; - bytesLeft -= itemSrc->length; - continue; - } - - if ((currOptions & DER_DEC_OPTIONAL) && itemSrc->length == 0) { - /* If an optional item isn't present we skip it. */ - continue; - } - - /* encode one item: first the tag */ - itemLen = bytesLeft; - drtn = DEREncodeTag(currItemSpec->tag, currPtr, &itemLen); - if(drtn) { - return drtn; - } - currPtr += itemLen; - bytesLeft -= itemLen; - - /* do we need to prepend a zero to content? */ - contentLen = itemSrc->length; - if((currOptions & DER_ENC_SIGNED_INT) && - (itemSrc->length != 0)) { - if(itemSrc->data[0] & 0x80) { - /* insert zero keep it positive */ - contentLen++; - prependZero = 1; - } - } - - /* encode content length */ - itemLen = bytesLeft; - drtn = DEREncodeLength(contentLen, currPtr, &itemLen); - if(drtn) { - return drtn; - } - currPtr += itemLen; - bytesLeft -= itemLen; - - /* now the content, with possible leading zero added */ - if(prependZero) { - *currPtr++ = 0; - bytesLeft--; - } - DERMemmove(currPtr, itemSrc->data, itemSrc->length); - currPtr += itemSrc->length; - bytesLeft -= itemSrc->length; - } - *inOutLen = (DERSize)(currPtr - derOut); - return DR_Success; -} - -/* calculate the length of an encoded sequence. */ -DERSize DERLengthOfEncodedSequence( - DERTag topTag, - const void *src, /* generally a ptr to a struct full of - * DERItems */ - DERShort numItems, /* size of itemSpecs[] */ - const DERItemSpec *itemSpecs) -{ - DERSize contentLen = DERContentLengthOfEncodedSequence( - src, numItems, itemSpecs); - - return DERLengthOfTag(topTag) + - DERLengthOfLength(contentLen) + - contentLen; -} - -#endif /* DER_ENCODE_ENABLE */ - diff --git a/OSX/libsecurity_keychain/libDER/libDER/DER_Encode.h b/OSX/libsecurity_keychain/libDER/libDER/DER_Encode.h deleted file mode 100644 index bcde9757..00000000 --- a/OSX/libsecurity_keychain/libDER/libDER/DER_Encode.h +++ /dev/null 
@@ -1,119 +0,0 @@ -/* - * Copyright (c) 2005-2016 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - - -/* - * DER_Encode.h - DER encoding routines - * - */ - -#ifndef _DER_ENCODE_H_ -#define _DER_ENCODE_H_ - -#include - -__BEGIN_DECLS - -/* - * Max size of an encoded item given its length. - * This includes a possible leading zero prepended to a signed integer - * (see DER_ENC_SIGNED_INT below). 
- */ -#define DER_MAX_ENCODED_SIZE(len) \ - ( 1 + /* tag */ \ - 5 + /* max length */ \ - 1 + /* possible prepended zero */ \ - len) - -/* calculate size of encoded length */ -DERSize DERLengthOfLength( - DERSize length); - -/* encode length */ -DERReturn DEREncodeLength( - DERSize length, - DERByte *buf, /* encoded length goes here */ - DERSize *inOutLen); /* IN/OUT */ - -/* calculate size of encoded length */ -DERSize DERLengthOfItem( - DERTag tag, - DERSize length); - -/* encode item */ -DERReturn DEREncodeItem( - DERTag tag, - DERSize length, - const DERByte *src, - DERByte *derOut, /* encoded item goes here */ - DERSize *inOutLen); /* IN/OUT */ - -/* - * Per-item encode options. - */ - -/* explicit default, no options */ -#define DER_ENC_NO_OPTS 0x0000 - -/* signed integer check: if incoming m.s. bit is 1, prepend a zero */ -#define DER_ENC_SIGNED_INT 0x0100 - -/* DERItem contains fully encoded item - copy, don't encode */ -#define DER_ENC_WRITE_DER 0x0200 - - -/* - * High-level sequence or set encode support. - * - * The outgoing sequence is expressed as an array of DERItemSpecs, each - * of which corresponds to one item in the encoded sequence. - * - * Normally the tag of the encoded item comes from the associated - * DERItemSpec, and the content comes from the DERItem whose address is - * the src arg plus the offset value in the associated DERItemSpec. - * - * If the DER_ENC_WRITE_DER option is true for a given DERItemSpec then - * no per-item encoding is done; the DER - with tag, length, and content - - * is taken en masse from the associated DERItem. - */ -DERReturn DEREncodeSequence( - DERTag topTag, /* ASN1_CONSTR_SEQUENCE, ASN1_CONSTR_SET */ - const void *src, /* generally a ptr to a struct full of - * DERItems */ - DERShort numItems, /* size of itemSpecs[] */ - const DERItemSpec *itemSpecs, - DERByte *derOut, /* encoded data written here */ - DERSize *inOutLen); /* IN/OUT */ - -/* precalculate the length of an encoded sequence. 
*/ -DERSize DERLengthOfEncodedSequence( - DERTag topTag, /* ASN1_CONSTR_SEQUENCE, ASN1_CONSTR_SET */ - const void *src, /* generally a ptr to a struct full of - * DERItems */ - DERShort numItems, /* size of itemSpecs[] */ - const DERItemSpec *itemSpecs); - - -__END_DECLS - -#endif /* _DER_ENCODE_H_ */ diff --git a/OSX/libsecurity_keychain/libDER/libDER/DER_Keys.c b/OSX/libsecurity_keychain/libDER/libDER/DER_Keys.c deleted file mode 100644 index 0d41496f..00000000 --- a/OSX/libsecurity_keychain/libDER/libDER/DER_Keys.c +++ /dev/null 
@@ -1,188 +0,0 @@ -/* - * Copyright (c) 2005-2007,2011,2014 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - - -/* - * DER_Cert.c - support for decoding RSA keys - * - */ - -#include -#include -#include -#include -#include - -#ifndef DER_DECODE_ENABLE -#error Please define DER_DECODE_ENABLE. -#endif -#if DER_DECODE_ENABLE - -/* - * DERItemSpecs for decoding RSA keys. 
- */ - -/* Algorithm Identifier */ -const DERItemSpec DERAlgorithmIdItemSpecs[] = -{ - { DER_OFFSET(DERAlgorithmId, oid), - ASN1_OBJECT_ID, - DER_DEC_NO_OPTS }, - { DER_OFFSET(DERAlgorithmId, params), - 0, /* no tag - any */ - DER_DEC_ASN_ANY | DER_DEC_OPTIONAL | DER_DEC_SAVE_DER } -}; -const DERSize DERNumAlgorithmIdItemSpecs = - sizeof(DERAlgorithmIdItemSpecs) / sizeof(DERItemSpec); - -/* X509 SubjectPublicKeyInfo */ -const DERItemSpec DERSubjPubKeyInfoItemSpecs[] = -{ - { DER_OFFSET(DERSubjPubKeyInfo, algId), - ASN1_CONSTR_SEQUENCE, - DER_DEC_NO_OPTS }, - { DER_OFFSET(DERSubjPubKeyInfo, pubKey), - ASN1_BIT_STRING, - DER_DEC_NO_OPTS }, - -}; -const DERSize DERNumSubjPubKeyInfoItemSpecs = - sizeof(DERSubjPubKeyInfoItemSpecs) / sizeof(DERItemSpec); - -/* - * RSA private key in CRT format - */ -const DERItemSpec DERRSAPrivKeyCRTItemSpecs[] = -{ - /* version, n, e, d - skip */ - { 0, - ASN1_INTEGER, - DER_DEC_SKIP }, - { 0, - ASN1_INTEGER, - DER_DEC_SKIP }, - { 0, - ASN1_INTEGER, - DER_DEC_SKIP }, - { 0, - ASN1_INTEGER, - DER_DEC_SKIP }, - { DER_OFFSET(DERRSAPrivKeyCRT, p), - ASN1_INTEGER, - DER_DEC_NO_OPTS }, - { DER_OFFSET(DERRSAPrivKeyCRT, q), - ASN1_INTEGER, - DER_DEC_NO_OPTS }, - { DER_OFFSET(DERRSAPrivKeyCRT, dp), - ASN1_INTEGER, - DER_DEC_NO_OPTS }, - { DER_OFFSET(DERRSAPrivKeyCRT, dq), - ASN1_INTEGER, - DER_DEC_NO_OPTS }, - { DER_OFFSET(DERRSAPrivKeyCRT, qInv), - ASN1_INTEGER, - DER_DEC_NO_OPTS }, - /* ignore the (optional) rest */ -}; -const DERSize DERNumRSAPrivKeyCRTItemSpecs = - sizeof(DERRSAPrivKeyCRTItemSpecs) / sizeof(DERItemSpec); - -#endif /* DER_DECODE_ENABLE */ - -#if DER_DECODE_ENABLE || DER_ENCODE_ENABLE - -/* RSA public key in PKCS1 format - encode and decode */ -const DERItemSpec DERRSAPubKeyPKCS1ItemSpecs[] = -{ - { DER_OFFSET(DERRSAPubKeyPKCS1, modulus), - ASN1_INTEGER, - DER_DEC_NO_OPTS | DER_ENC_SIGNED_INT }, - { DER_OFFSET(DERRSAPubKeyPKCS1, pubExponent), - ASN1_INTEGER, - DER_DEC_NO_OPTS | DER_ENC_SIGNED_INT }, -}; -const DERSize 
DERNumRSAPubKeyPKCS1ItemSpecs = - sizeof(DERRSAPubKeyPKCS1ItemSpecs) / sizeof(DERItemSpec); - -/* RSA public key in Apple custome format with reciprocal - encode and decode */ -const DERItemSpec DERRSAPubKeyAppleItemSpecs[] = -{ - { DER_OFFSET(DERRSAPubKeyApple, modulus), - ASN1_INTEGER, - DER_DEC_NO_OPTS | DER_ENC_SIGNED_INT }, - { DER_OFFSET(DERRSAPubKeyApple, reciprocal), - ASN1_INTEGER, - DER_DEC_NO_OPTS | DER_ENC_SIGNED_INT }, - { DER_OFFSET(DERRSAPubKeyApple, pubExponent), - ASN1_INTEGER, - DER_DEC_NO_OPTS | DER_ENC_SIGNED_INT }, -}; -const DERSize DERNumRSAPubKeyAppleItemSpecs = - sizeof(DERRSAPubKeyAppleItemSpecs) / sizeof(DERItemSpec); - - -#endif /* DER_DECODE_ENABLE || DER_ENCODE_ENABLE */ - -#ifndef DER_ENCODE_ENABLE -#error Please define DER_ENCODE_ENABLE. -#endif - -#if DER_ENCODE_ENABLE - -/* RSA Key Pair, encode only */ -const DERItemSpec DERRSAKeyPairItemSpecs[] = -{ - { DER_OFFSET(DERRSAKeyPair, version), - ASN1_INTEGER, - DER_ENC_SIGNED_INT }, - { DER_OFFSET(DERRSAKeyPair, n), - ASN1_INTEGER, - DER_ENC_SIGNED_INT }, - { DER_OFFSET(DERRSAKeyPair, e), - ASN1_INTEGER, - DER_ENC_SIGNED_INT }, - { DER_OFFSET(DERRSAKeyPair, d), - ASN1_INTEGER, - DER_ENC_SIGNED_INT }, - { DER_OFFSET(DERRSAKeyPair, p), - ASN1_INTEGER, - DER_ENC_SIGNED_INT }, - { DER_OFFSET(DERRSAKeyPair, q), - ASN1_INTEGER, - DER_ENC_SIGNED_INT }, - { DER_OFFSET(DERRSAKeyPair, dp), - ASN1_INTEGER, - DER_ENC_SIGNED_INT }, - { DER_OFFSET(DERRSAKeyPair, dq), - ASN1_INTEGER, - DER_ENC_SIGNED_INT }, - { DER_OFFSET(DERRSAKeyPair, qInv), - ASN1_INTEGER, - DER_ENC_SIGNED_INT }, -}; - -const DERSize DERNumRSAKeyPairItemSpecs = - sizeof(DERRSAKeyPairItemSpecs) / sizeof(DERItemSpec); - -#endif /* DER_ENCODE_ENABLE */ - diff --git a/OSX/libsecurity_keychain/libDER/libDER/DER_Keys.h b/OSX/libsecurity_keychain/libDER/libDER/DER_Keys.h deleted file mode 100644 index 41f24d67..00000000 --- a/OSX/libsecurity_keychain/libDER/libDER/DER_Keys.h +++ /dev/null 
@@ -1,121 +0,0 @@
-/*
- * Copyright (c) 2005-2016 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-
-/*
- * DER_Keys.h - support for decoding RSA keys
- *
- */
-
-#ifndef _DER_KEYS_H_
-#define _DER_KEYS_H_
-
-#include
-#include
-
-__BEGIN_DECLS
-
-/* Algorithm Identifier components */
-typedef struct {
- DERItem oid; /* OID */
- DERItem params; /* ASN_ANY, optional, DER_DEC_SAVE_DER */
-} DERAlgorithmId;
-
-/* DERItemSpecs to decode into a DERAlgorithmId */
-extern const DERItemSpec DERAlgorithmIdItemSpecs[];
-extern const DERSize DERNumAlgorithmIdItemSpecs;
-
-/* X509 SubjectPublicKeyInfo */
-typedef struct {
- DERItem algId; /* sequence, DERAlgorithmId */
- DERItem pubKey; /* BIT STRING */
-} DERSubjPubKeyInfo;
-
-/* DERItemSpecs to decode into a DERSubjPubKeyInfo */
-extern const DERItemSpec DERSubjPubKeyInfoItemSpecs[];
-extern const DERSize DERNumSubjPubKeyInfoItemSpecs;
-
-/*
- * RSA public key in PKCS1 format; this is inside the BIT_STRING in
- * DERSubjPubKeyInfo.pubKey.
- */
-typedef struct {
- DERItem modulus; /* n - INTEGER */
- DERItem pubExponent; /* e - INTEGER */
-} DERRSAPubKeyPKCS1;
-
-/* DERItemSpecs to decode/encode into/from a DERRSAPubKeyPKCS1 */
-extern const DERItemSpec DERRSAPubKeyPKCS1ItemSpecs[];
-extern const DERSize DERNumRSAPubKeyPKCS1ItemSpecs;
-
-/*
- * RSA public key in custom (to this library) format, including
- * the reciprocal. All fields are integers.
- */
-typedef struct {
- DERItem modulus; /* n */
- DERItem reciprocal; /* reciprocal of modulus */
- DERItem pubExponent; /* e */
-} DERRSAPubKeyApple;
-
-/* DERItemSpecs to decode/encode into/from a DERRSAPubKeyApple */
-extern const DERItemSpec DERRSAPubKeyAppleItemSpecs[];
-extern const DERSize DERNumRSAPubKeyAppleItemSpecs;
-
-/*
- * RSA Private key, PKCS1 format, CRT option.
- * All fields are integers.
- */
-typedef struct {
- DERItem p; /* p * q = n */
- DERItem q;
- DERItem dp; /* d mod (p-1) */
- DERItem dq; /* d mod (q-1) */
- DERItem qInv;
-} DERRSAPrivKeyCRT;
-
-/* DERItemSpecs to decode into a DERRSAPrivKeyCRT */
-extern const DERItemSpec DERRSAPrivKeyCRTItemSpecs[];
-extern const DERSize DERNumRSAPrivKeyCRTItemSpecs;
-
-/* Fully formed RSA key pair, for generating a PKCS1 private key */
-typedef struct {
- DERItem version;
- DERItem n; /* modulus */
- DERItem e; /* public exponent */
- DERItem d; /* private exponent */
- DERItem p; /* n = p*q */
- DERItem q;
- DERItem dp; /* d mod (p-1) */
- DERItem dq; /* d mod (q-1) */
- DERItem qInv; /* q^(-1) mod p */
-} DERRSAKeyPair;
-
-/* DERItemSpecs to encode a DERRSAKeyPair */
-extern const DERItemSpec DERRSAKeyPairItemSpecs[];
-extern const DERSize DERNumRSAKeyPairItemSpecs;
-
-__END_DECLS
-
-#endif /* _DER_KEYS_H_ */
-
diff --git a/OSX/libsecurity_keychain/libDER/libDER/asn1Types.h b/OSX/libsecurity_keychain/libDER/libDER/asn1Types.h
deleted file mode 100644
index db992d79..00000000
--- a/OSX/libsecurity_keychain/libDER/libDER/asn1Types.h
+++ /dev/null
@@ -1,113 +0,0 @@
-/*
- * Copyright (c) 2005-2016 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-
-/*
- * asn1Types.h - ASN.1/DER #defines - strictly hard coded per the real world
- *
- */
-
-#ifndef _ASN1_TYPES_H_
-#define _ASN1_TYPES_H_
-
-#if !defined(__WIN32__)
-#include
-#endif
-
-#include
-
-__BEGIN_DECLS
-
-/* copied from libsecurity_asn1 project */
-
-/* Type tag numbers */
-#define ASN1_BOOLEAN 0x01
-#define ASN1_INTEGER 0x02
-#define ASN1_BIT_STRING 0x03
-#define ASN1_OCTET_STRING 0x04
-#define ASN1_NULL 0x05
-#define ASN1_OBJECT_ID 0x06
-#define ASN1_OBJECT_DESCRIPTOR 0x07
-/* External type and instance-of type 0x08 */
-#define ASN1_REAL 0x09
-#define ASN1_ENUMERATED 0x0a
-#define ASN1_EMBEDDED_PDV 0x0b
-#define ASN1_UTF8_STRING 0x0c
-/* 0x0d */
-/* 0x0e */
-/* 0x0f */
-#define ASN1_SEQUENCE 0x10
-#define ASN1_SET 0x11
-#define ASN1_NUMERIC_STRING 0x12
-#define ASN1_PRINTABLE_STRING 0x13
-#define ASN1_T61_STRING 0x14
-#define ASN1_VIDEOTEX_STRING 0x15
-#define ASN1_IA5_STRING 0x16
-#define ASN1_UTC_TIME 0x17
-#define ASN1_GENERALIZED_TIME 0x18
-#define
ASN1_GRAPHIC_STRING 0x19
-#define ASN1_VISIBLE_STRING 0x1a
-#define ASN1_GENERAL_STRING 0x1b
-#define ASN1_UNIVERSAL_STRING 0x1c
-/* 0x1d */
-#define ASN1_BMP_STRING 0x1e
-#define ASN1_HIGH_TAG_NUMBER 0x1f
-#define ASN1_TELETEX_STRING ASN1_T61_STRING
-
-/* Tag modifiers */
-#define ASN1_TAG_MASK ((DERTag)~0)
-#define ASN1_TAGNUM_MASK ((DERTag)~((DERTag)7 << (sizeof(DERTag) * 8 - 3)))
-
-#define ASN1_METHOD_MASK ((DERTag)1 << (sizeof(DERTag) * 8 - 3))
-#define ASN1_PRIMITIVE ((DERTag)0 << (sizeof(DERTag) * 8 - 3))
-#define ASN1_CONSTRUCTED ((DERTag)1 << (sizeof(DERTag) * 8 - 3))
-
-#define ASN1_CLASS_MASK ((DERTag)3 << (sizeof(DERTag) * 8 - 2))
-#define ASN1_UNIVERSAL ((DERTag)0 << (sizeof(DERTag) * 8 - 2))
-#define ASN1_APPLICATION ((DERTag)1 << (sizeof(DERTag) * 8 - 2))
-#define ASN1_CONTEXT_SPECIFIC ((DERTag)2 << (sizeof(DERTag) * 8 - 2))
-#define ASN1_PRIVATE ((DERTag)3 << (sizeof(DERTag) * 8 - 2))
-
-/* One-byte tag modifiers */
-#define ONE_BYTE_ASN1_TAG_MASK 0xff
-#define ONE_BYTE_ASN1_TAGNUM_MASK 0x1f
-#define ONE_BYTE_ASN1_METHOD_MASK 0x20
-#define ONE_BYTE_ASN1_PRIMITIVE 0x00
-#define ONE_BYTE_ASN1_CONSTRUCTED 0x20
-
-#define ONE_BYTE_ASN1_CLASS_MASK 0xc0
-#define ONE_BYTE_ASN1_UNIVERSAL 0x00
-#define ONE_BYTE_ASN1_APPLICATION 0x40
-#define ONE_BYTE_ASN1_CONTEXT_SPECIFIC 0x80
-#define ONE_BYTE_ASN1_PRIVATE 0xc0
-
-/* sequence and set appear as the following */
-#define ASN1_CONSTR_SEQUENCE ((DERTag)(ASN1_CONSTRUCTED | ASN1_SEQUENCE))
-#define ASN1_CONSTR_SET ((DERTag)(ASN1_CONSTRUCTED | ASN1_SET))
-
-#define ONE_BYTE_ASN1_CONSTR_SEQUENCE ((uint8_t)(ONE_BYTE_ASN1_CONSTRUCTED | ASN1_SEQUENCE))
-#define ONE_BYTE_ASN1_CONSTR_SET ((uint8_t)(ONE_BYTE_ASN1_CONSTRUCTED | ASN1_SET))
-
-__END_DECLS
-
-#endif /* _ASN1_TYPES_H_ */
diff --git a/OSX/libsecurity_keychain/libDER/libDER/libDER.h b/OSX/libsecurity_keychain/libDER/libDER/libDER.h
deleted file mode 100644
index e5e4b127..00000000
--- a/OSX/libsecurity_keychain/libDER/libDER/libDER.h
+++ /dev/null
@@ -1,75 +0,0 @@
-/*
- * Copyright (c) 2005-2016 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-
-/*
- * libDER.h - main header for libDER, a ROM-capable DER decoding library.
- *
- */
-
-#ifndef _LIB_DER_H_
-#define _LIB_DER_H_
-
-#include
-
-__BEGIN_DECLS
-
-/*
- * Error returns generated by this library.
- */
-typedef enum {
- DR_Success = 0,
- DR_EndOfSequence, /* end of sequence or set */
- DR_UnexpectedTag, /* unexpected tag found while decoding */
- DR_DecodeError, /* misc. decoding error (badly formatted DER) */
- DR_Unimplemented, /* function not implemented in this configuration */
- DR_IncompleteSeq, /* incomplete sequence */
- DR_ParamErr, /* incoming parameter error */
- DR_BufOverflow /* buffer overflow */
- /* etc. */
-} DERReturn;
-
-/*
- * The structure of a sequence during decode or encode is expressed as
- * an array of DERItemSpecs. While decoding or encoding a sequence,
- * each item in the sequence corresponds to one DERItemSpec.
- */
-typedef struct {
- DERSize offset; /* offset of destination DERItem */
- DERTag tag; /* DER tag */
- DERShort options; /* DER_DEC_xxx or DER_ENC_xxx */
-} DERItemSpec;
-
-/*
- * Macro to obtain offset of a DERDecodedInfo within a struct.
- * FIXME this is going to need reworking to avoid compiler warnings
- * on 64-bit compiles. It'll work OK as long as an offset can't be larger
- * than a DERSize, but the cast from a pointer to a DERSize may
- * provoke compiler warnings.
- */
-#define DER_OFFSET(type, field) ((DERSize)(&((type *)0)->field))
-
-__END_DECLS
-
-#endif /* _LIB_DER_H_ */
-
diff --git a/OSX/libsecurity_keychain/libDER/libDER/libDER_config.h b/OSX/libsecurity_keychain/libDER/libDER/libDER_config.h
deleted file mode 100644
index 6280ee3f..00000000
--- a/OSX/libsecurity_keychain/libDER/libDER/libDER_config.h
+++ /dev/null
@@ -1,110 +0,0 @@
-/*
- * Copyright (c) 2005-2007,2011-2012,2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-
-/*
- * libDER_config.h - platform dependent #defines and typedefs for libDER
- *
- */
-
-#ifndef _LIB_DER_CONFIG_H_
-#define _LIB_DER_CONFIG_H_
-
-#include
-#include
-
-/* include defintion of DERSize and DERByte */
-#include "libDER/oids.h"
-
-__BEGIN_DECLS
-
-/*
- * Basic data types: unsigned 8-bit integer, unsigned 32-bit integer
- */
-typedef uint16_t DERShort;
-
-
-/*
- * Use these #defines of you have memset, memmove, and memcmp; else
- * write your own equivalents.
- */
-
-#define DERMemset(ptr, c, len) memset(ptr, c, len)
-#define DERMemmove(dst, src, len) memmove(dst, src, len)
-#define DERMemcmp(b1, b2, len) memcmp(b1, b2, len)
-
-
-/***
- *** Compile time options to trim size of the library.
- ***/
-
-/* enable general DER encode */
-#define DER_ENCODE_ENABLE 1
-
-/* enable general DER decode */
-#define DER_DECODE_ENABLE 1
-
-#ifndef DER_MULTIBYTE_TAGS
-/* enable multibyte tag support.
*/
-#define DER_MULTIBYTE_TAGS 1
-#endif
-
-#ifndef DER_TAG_SIZE
-/* Iff DER_MULTIBYTE_TAGS is 1 this is the sizeof(DERTag) in bytes. Note that
- tags are still encoded and decoded from a minimally encoded DER
- represantation. This value maintains compatibility with libImg4Decode/Encode. */
-#define DER_TAG_SIZE 8
-#endif
-
-
-/* ---------------------- Do not edit below this line ---------------------- */
-
-/*
- * Logical representation of a tag (the encoded representation is always in
- * the minimal number of bytes). The top 3 bits encode class and method
- * The remaining bits encode the tag value. To obtain smaller DERItemSpecs
- * sizes, choose the smallest type that fits your needs. Most standard ASN.1
- * usage only needs single byte tags, but ocasionally custom applications
- * require a larger tag namespace.
- */
-#if DER_MULTIBYTE_TAGS
-
-#if DER_TAG_SIZE == 1
-typedef uint8_t DERTag;
-#elif DER_TAG_SIZE == 2
-typedef uint16_t DERTag;
-#elif DER_TAG_SIZE == 4
-typedef uint32_t DERTag;
-#elif DER_TAG_SIZE == 8
-typedef uint64_t DERTag;
-#else
-#error DER_TAG_SIZE invalid
-#endif
-
-#else /* DER_MULTIBYTE_TAGS */
-typedef DERByte DERTag;
-#endif /* !DER_MULTIBYTE_TAGS */
-
-__END_DECLS
-
-#endif /* _LIB_DER_CONFIG_H_ */
diff --git a/OSX/libsecurity_keychain/libDER/libDER/module.modulemap b/OSX/libsecurity_keychain/libDER/libDER/module.modulemap
deleted file mode 100644
index af2d15b0..00000000
--- a/OSX/libsecurity_keychain/libDER/libDER/module.modulemap
+++ /dev/null
@@ -1,3 +0,0 @@
-module libDER [extern_c] {
- header "libDER.h"
-}
diff --git a/OSX/libsecurity_keychain/libDER/libDER/oids.c b/OSX/libsecurity_keychain/libDER/libDER/oids.c
deleted file mode 100644
index 990941f7..00000000
--- a/OSX/libsecurity_keychain/libDER/libDER/oids.c
+++ /dev/null
@@ -1,853 +0,0 @@
-/*
- * Copyright (c) 2005-2009,2011-2016 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-
-/*
- * oids.c - OID consts
- *
- */
-
-#include
-#include
-
-#define OID_ISO_CCITT_DIR_SERVICE 85
-#define OID_DS OID_ISO_CCITT_DIR_SERVICE
-#define OID_ATTR_TYPE OID_DS, 4
-#define OID_EXTENSION OID_DS, 29
-#define OID_ISO_STANDARD 40
-#define OID_ISO_MEMBER 42
-#define OID_US OID_ISO_MEMBER, 134, 72
-
-#define OID_ISO_IDENTIFIED_ORG 43
-#define OID_OSINET OID_ISO_IDENTIFIED_ORG, 4
-#define OID_GOSIP OID_ISO_IDENTIFIED_ORG, 5
-#define OID_DOD OID_ISO_IDENTIFIED_ORG, 6
-#define OID_OIW OID_ISO_IDENTIFIED_ORG, 14
-
-/* From the PKCS Standards */
-#define OID_RSA OID_US, 134, 247, 13
-#define OID_RSA_HASH OID_RSA, 2
-#define OID_RSA_ENCRYPT OID_RSA, 3
-#define OID_PKCS OID_RSA, 1
-#define OID_PKCS_1 OID_PKCS, 1
-#define OID_PKCS_2 OID_PKCS, 2
-#define OID_PKCS_3 OID_PKCS, 3
-#define OID_PKCS_4 OID_PKCS, 4
-#define OID_PKCS_5 OID_PKCS, 5
-#define OID_PKCS_6 OID_PKCS, 6
-#define OID_PKCS_7 OID_PKCS, 7
-#define OID_PKCS_8 OID_PKCS, 8
-#define OID_PKCS_9 OID_PKCS,
9
-#define OID_PKCS_10 OID_PKCS, 10
-#define OID_PKCS_11 OID_PKCS, 11
-#define OID_PKCS_12 OID_PKCS, 12
-
-/* ANSI X9.62 */
-#define OID_ANSI_X9_62 OID_US, 206, 61
-#define OID_PUBLIC_KEY_TYPE OID_ANSI_X9_62, 2
-#define OID_EC_CURVE OID_ANSI_X9_62, 3, 1
-#define OID_EC_SIG_TYPE OID_ANSI_X9_62, 4
-#define OID_ECDSA_WITH_SHA2 OID_EC_SIG_TYPE, 3
-
-/* Certicom */
-#define OID_CERTICOM OID_ISO_IDENTIFIED_ORG, 132
-#define OID_CERTICOM_EC_CURVE OID_CERTICOM, 0
-
-/* ANSI X9.42 */
-#define OID_ANSI_X9_42 OID_US, 206, 62, 2
-#define OID_ANSI_X9_42_SCHEME OID_ANSI_X9_42, 3
-#define OID_ANSI_X9_42_NAMED_SCHEME OID_ANSI_X9_42, 4
-
-/* ANSI X9.57 */
-#define OID_ANSI_X9_57 OID_US, 206, 56
-#define OID_ANSI_X9_57_ALGORITHM OID_ANSI_X9_57, 4
-
-/* DOD IANA Security related objects. */
-#define OID_IANA OID_DOD, 1, 5
-
-/* Kerberos PKINIT */
-#define OID_KERBv5 OID_IANA, 2
-#define OID_KERBv5_PKINIT OID_KERBv5, 3
-
-/* DOD IANA Mechanisms. */
-#define OID_MECHANISMS OID_IANA, 5
-
-/* PKIX */
-#define OID_PKIX OID_MECHANISMS, 7
-#define OID_PE OID_PKIX, 1
-#define OID_QT OID_PKIX, 2
-#define OID_KP OID_PKIX, 3
-#define OID_OTHER_NAME OID_PKIX, 8
-#define OID_PDA OID_PKIX, 9
-#define OID_QCS OID_PKIX, 11
-#define OID_AD OID_PKIX, 48
-#define OID_AD_OCSP OID_AD, 1
-#define OID_AD_CAISSUERS OID_AD, 2
-
-/* ISAKMP */
-#define OID_ISAKMP OID_MECHANISMS, 8
-
-/* ETSI */
-#define OID_ETSI 0x04, 0x00
-#define OID_ETSI_QCS 0x04, 0x00, 0x8E, 0x46, 0x01
-
-#define OID_OIW_SECSIG OID_OIW, 3
-
-#define OID_OIW_ALGORITHM OID_OIW_SECSIG, 2
-
-/* NIST defined digest algorithm arc (2, 16, 840, 1, 101, 3, 4, 2) */
-#define OID_NIST_HASHALG 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02
-
-/*
- * Apple-specific OID bases
- */
-
-/*
- * apple OBJECT IDENTIFIER ::=
- * { iso(1) member-body(2) US(840) 113635 }
- *
- * BER = 06 06 2A 86 48 86 F7 63
- */
-#define APPLE_OID OID_US, 0x86, 0xf7, 0x63
-
-/* appleDataSecurity OBJECT IDENTIFIER ::=
- * { apple 100 }
- * { 1 2 840 113635 100 }
- *
- * BER = 06
07 2A 86 48 86 F7 63 64
- */
-#define APPLE_ADS_OID APPLE_OID, 0x64
-
-/*
- * appleTrustPolicy OBJECT IDENTIFIER ::=
- * { appleDataSecurity 1 }
- * { 1 2 840 113635 100 1 }
- *
- * BER = 06 08 2A 86 48 86 F7 63 64 01
- */
-#define APPLE_TP_OID APPLE_ADS_OID, 1
-
-/*
- * appleSecurityAlgorithm OBJECT IDENTIFIER ::=
- * { appleDataSecurity 2 }
- * { 1 2 840 113635 100 2 }
- *
- * BER = 06 08 2A 86 48 86 F7 63 64 02
- */
-#define APPLE_ALG_OID APPLE_ADS_OID, 2
-
-/*
- * appleDotMacCertificate OBJECT IDENTIFIER ::=
- * { appleDataSecurity 3 }
- * { 1 2 840 113635 100 3 }
- */
-#define APPLE_DOTMAC_CERT_OID APPLE_ADS_OID, 3
-
-/*
- * Basis of Policy OIDs for .mac TP requests
- *
- * dotMacCertificateRequest OBJECT IDENTIFIER ::=
- * { appleDotMacCertificate 1 }
- * { 1 2 840 113635 100 3 1 }
- */
-#define APPLE_DOTMAC_CERT_REQ_OID APPLE_DOTMAC_CERT_OID, 1
-
-/*
- * Basis of .mac Certificate Extensions
- *
- * dotMacCertificateExtension OBJECT IDENTIFIER ::=
- * { appleDotMacCertificate 2 }
- * { 1 2 840 113635 100 3 2 }
- */
-#define APPLE_DOTMAC_CERT_EXTEN_OID APPLE_DOTMAC_CERT_OID, 2
-
-/*
- * Basis of .mac Certificate request OID/value identitifiers
- *
- * dotMacCertificateRequestValues OBJECT IDENTIFIER ::=
- * { appleDotMacCertificate 3 }
- * { 1 2 840 113635 100 3 3 }
- */
-#define APPLE_DOTMAC_CERT_REQ_VALUE_OID APPLE_DOTMAC_CERT_OID, 3
-
-/*
- * Basis of Apple-specific extended key usages
- *
- * appleExtendedKeyUsage OBJECT IDENTIFIER ::=
- * { appleDataSecurity 4 }
- * { 1 2 840 113635 100 4 }
- */
-#define APPLE_EKU_OID APPLE_ADS_OID, 4
-
-/*
- * Basis of Apple Code Signing extended key usages
- * appleCodeSigning OBJECT IDENTIFIER ::=
- * { appleExtendedKeyUsage 1 }
- * { 1 2 840 113635 100 4 1}
- */
-#define APPLE_EKU_CODE_SIGNING APPLE_EKU_OID, 1
-#define APPLE_EKU_APPLE_ID APPLE_EKU_OID, 7
-#define APPLE_EKU_PASSBOOK APPLE_EKU_OID, 14
-#define APPLE_EKU_PROFILE_SIGNING APPLE_EKU_OID, 16
-#define APPLE_EKU_QA_PROFILE_SIGNING APPLE_EKU_OID, 17
-
-
-/*
- *
Basis of Apple-specific Certificate Policy IDs.
- * appleCertificatePolicies OBJECT IDENTIFIER ::=
- * { appleDataSecurity 5 }
- * { 1 2 840 113635 100 5 }
- */
-#define APPLE_CERT_POLICIES APPLE_ADS_OID, 5
-
-#define APPLE_CERT_POLICY_MOBILE_STORE APPLE_CERT_POLICIES, 12
-
-#define APPLE_CERT_POLICY_MOBILE_STORE_PRODQA APPLE_CERT_POLICY_MOBILE_STORE, 1
-
-/*
- * Basis of Apple-specific Signing extensions
- * { appleDataSecurity 6 }
- */
-#define APPLE_CERT_EXT APPLE_ADS_OID, 6
-
-/* Apple Intermediate Marker OIDs */
-#define APPLE_CERT_EXT_INTERMEDIATE_MARKER APPLE_CERT_EXT, 2
-
-/* Apple Worldwide Developer Relations Certification Authority */
-/* 1.2.840.113635.100.6.2.1 */
-#define APPLE_CERT_EXT_INTERMEDIATE_MARKER_WWDR APPLE_CERT_EXT_INTERMEDIATE_MARKER, 1
-
-/* Apple Apple ID Intermediate Marker */
-#define APPLE_CERT_EXT_INTERMEDIATE_MARKER_APPLEID APPLE_CERT_EXT_INTERMEDIATE_MARKER, 3
-
-/*
- * Apple Apple ID Intermediate Marker (New subCA, no longer shared with push notification server cert issuer
- *
- * appleCertificateExtensionAppleIDIntermediate ::=
- * { appleCertificateExtensionIntermediateMarker 7 }
- * { 1 2 840 113635 100 6 2 7 }
- */
-#define APPLE_CERT_EXT_INTERMEDIATE_MARKER_APPLEID_2 APPLE_CERT_EXT_INTERMEDIATE_MARKER, 7
-
-#define APPLE_CERT_EXT_INTERMEDIATE_MARKER_APPLEID_SYSTEM_INTEGRATION_2 APPLE_CERT_EXT_INTERMEDIATE_MARKER, 10
-
-#define APPLE_CERT_EXT_INTERMEDIATE_MARKER_APPLEID_SYSTEM_INTEGRATION_G3 APPLE_CERT_EXT_INTERMEDIATE_MARKER, 13
-
-#define APPLE_CERT_EXT_APPLE_PUSH_MARKER APPLE_CERT_EXT_INTERMEDIATE_MARKER_APPLEID, 2
-
-
-#define APPLE_CERT_EXTENSION_CODESIGNING APPLE_CERT_EXT, 1
-
-/* Secure Boot Embedded Image3 value,
- co-opted by desktop for "Apple Released Code Signature", without value */
-#define APPLE_SBOOT_CERT_EXTEN_SBOOT_SPEC_OID APPLE_CERT_EXTENSION_CODESIGNING, 1
-#define APPLE_SBOOT_CERT_EXTEN_SBOOT_TICKET_SPEC_OID APPLE_CERT_EXTENSION_CODESIGNING, 11
-#define APPLE_SBOOT_CERT_EXTEN_IMG4_MANIFEST_SPEC_OID
APPLE_CERT_EXTENSION_CODESIGNING, 15
-
-/* iPhone Provisioning Profile Signing leaf - on the intermediate marker arc? */
-#define APPLE_PROVISIONING_PROFILE_OID APPLE_CERT_EXT_INTERMEDIATE_MARKER, 1
-/* iPhone Application Signing leaf */
-#define APPLE_APP_SIGNING_OID APPLE_CERT_EXTENSION_CODESIGNING, 3
-
-#define APPLE_INSTALLER_PACKAGE_SIGNING_EXTERNAL_OID APPLE_CERT_EXTENSION_CODESIGNING, 16
-
-/* Apple TVOS Application Signing leaf, production */
-/* 1.2.840.113635.100.6.1.24 */
-#define APPLE_TVOS_APP_SIGNING_PROD_OID APPLE_CERT_EXTENSION_CODESIGNING, 24
-
-/* Apple TVOS Application Signing leaf, QA */
-/* 1.2.840.113635.100.6.1.24.1 */
-
-#define APPLE_TVOS_APP_SIGNING_PRODQA_OID APPLE_CERT_EXTENSION_CODESIGNING, 24, 1
-
-#define APPLE_ESCROW_ARC APPLE_CERT_EXT, 23
-
-#define APPLE_ESCROW_POLICY_OID APPLE_ESCROW_ARC, 1
-
-#define APPLE_CERT_EXT_APPLE_ID_VALIDATION_RECORD_SIGNING APPLE_CERT_EXT, 25
-
-#define APPLE_SERVER_AUTHENTICATION APPLE_CERT_EXT, 27
-#define APPLE_CERT_EXT_APPLE_SERVER_AUTHENTICATION APPLE_SERVER_AUTHENTICATION, 1
-#define APPLE_CERT_EXT_APPLE_SERVER_AUTHENTICATION_PPQ_PRODQA APPLE_SERVER_AUTHENTICATION, 3, 1
-#define APPLE_CERT_EXT_APPLE_SERVER_AUTHENTICATION_PPQ_PROD APPLE_SERVER_AUTHENTICATION, 3, 2
-#define APPLE_CERT_EXT_APPLE_SERVER_AUTHENTICATION_IDS_PRODQA APPLE_SERVER_AUTHENTICATION, 4, 1
-#define APPLE_CERT_EXT_APPLE_SERVER_AUTHENTICATION_IDS_PROD APPLE_SERVER_AUTHENTICATION, 4, 2
-#define APPLE_CERT_EXT_APPLE_SERVER_AUTHENTICATION_APN_PRODQA APPLE_SERVER_AUTHENTICATION, 5, 1
-#define APPLE_CERT_EXT_APPLE_SERVER_AUTHENTICATION_APN_PROD APPLE_SERVER_AUTHENTICATION, 5, 2
-
-#define APPLE_CERT_EXT_APPLE_SERVER_AUTHENTICATION_GS APPLE_SERVER_AUTHENTICATION, 2
-
-
-#define APPLE_CERT_EXT_INTERMEDIATE_MARKER_APPLE_SERVER_AUTHENTICATION APPLE_CERT_EXT_INTERMEDIATE_MARKER, 12
-
-#define APPLE_CERT_EXT_APPLE_SMP_ENCRYPTION APPLE_CERT_EXT, 30
-
-/* UPP fraud detection (Provisioning Profile Query) CMS signing */
-
-#define
APPLE_CERT_EXT_APPLE_PPQ_SIGNING_PRODQA APPLE_CERT_EXT, 38, 1
-#define APPLE_CERT_EXT_APPLE_PPQ_SIGNING_PROD APPLE_CERT_EXT, 38, 2
-
-/* AppleTVOS Application Signing */
-#define APPLE_ATV_APP_SIGNING_OID APPLE_CERT_EXTENSION_CODESIGNING, 24
-#define APPLE_ATV_APP_SIGNING_OID_PRODQA APPLE_ATV_APP_SIGNING_OID, 1
-
-/* Apple Pay Issuer Encryption */
-#define APPLE_CERT_EXT_CRYPTO_SERVICES_EXT_ENCRYPTION APPLE_CERT_EXT, 39
-
-/* Apple OS X Provisioning Profile Signing */
-/* (note this OID is unfortunately used as a cert extension even though it's under the EKU arc) */
-#define APPLE_CERT_EXT_OSX_PROVISIONING_PROFILE_SIGNING APPLE_EKU_OID, 11
-
-/* AppleTV VPN Profile Signing 1.2.840.113635.100.6.43 */
-#define APPLE_CERT_EXT_APPLE_ATV_VPN_PROFILE_SIGNING APPLE_CERT_EXT, 43
-
-/* AST2 Diagnostics Server Authentication
- * QA Marker OID 1.2.840.113635.100.6.27.8.1
- * Prod Marker OID 1.2.840.113635.100.6.27.8.2
- */
-#define APPLE_CERT_EXT_AST2_DIAGNOSTICS_SERVER_AUTH_PRODQA APPLE_SERVER_AUTHENTICATION, 8, 1
-#define APPLE_CERT_EXT_AST2_DIAGNOSTICS_SERVER_AUTH_PROD APPLE_SERVER_AUTHENTICATION, 8, 2
-
-/* Escrow Proxy Server Authentication
- * QA Marker OID 1.2.840.113635.100.6.27.7.1
- * Prod Marker OID 1.2.840.113635.100.6.27.7.2
- */
-#define APPLE_CERT_EXT_ESCROW_PROXY_SERVER_AUTH_PRODQA APPLE_SERVER_AUTHENTICATION, 7, 1
-#define APPLE_CERT_EXT_ESCROW_PROXY_SERVER_AUTH_PROD APPLE_SERVER_AUTHENTICATION, 7, 2
-
-/* FMiP Server Authentication
- * QA Marker OID 1.2.840.113635.100.6.27.6.1
- * Prod Marker OID 1.2.840.113635.100.6.27.6.2
- */
-#define APPLE_CERT_EXT_FMIP_SERVER_AUTH_PRODQA APPLE_SERVER_AUTHENTICATION, 6, 1
-#define APPLE_CERT_EXT_FMIP_SERVER_AUTH_PROD APPLE_SERVER_AUTHENTICATION, 6, 2
-
-/* HomeKit Server Authentication
- * Intermediate Marker OID: 1.2.840.113635.100.6.2.16
- * Leaf Marker OID: 1.2.840.113635.100.6.27.9
- */
-#define APPLE_CERT_EXT_INTERMEDIATE_MARKER_APPLE_HOME_KIT_SERVER_AUTH APPLE_CERT_EXT_INTERMEDIATE_MARKER, 16
-#define
APPLE_CERT_EXT_HOME_KIT_SERVER_AUTH APPLE_SERVER_AUTHENTICATION, 9
-
-/* MMCS Server Authentication
- * QA Marker OID 1.2.840.113635.100.6.27.11.1
- * Prod Marker OID 1.2.840.113635.100.6.27.11.2
- */
-#define APPLE_CERT_EXT_MMCS_SERVER_AUTH_PRODQA APPLE_SERVER_AUTHENTICATION, 11, 1
-#define APPLE_CERT_EXT_MMCS_SERVER_AUTH_PROD APPLE_SERVER_AUTHENTICATION, 11, 2
-
-/* iCloud Setup Authentication
- * QA Marker OID 1.2.840.113635.100.6.27.15.1
- * Prod Marker OID 1.2.840.113635.100.6.27.15.2
- */
-#define APPLE_CERT_EXT_ICLOUD_SETUP_SERVER_AUTH_PRODQA APPLE_SERVER_AUTHENTICATION, 15, 1
-#define APPLE_CERT_EXT_ICLOUD_SETUP_SERVER_AUTH_PROD APPLE_SERVER_AUTHENTICATION, 15, 2
-
-/*
- * Netscape OIDs.
- */
-#define NETSCAPE_BASE_OID 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42
-
-/*
- * Netscape cert extension.
- *
- * netscape-cert-extension OBJECT IDENTIFIER ::=
- * { 2 16 840 1 113730 1 }
- *
- * BER = 06 08 60 86 48 01 86 F8 42 01
- */
-#define NETSCAPE_CERT_EXTEN NETSCAPE_BASE_OID, 0x01
-
-#define NETSCAPE_CERT_POLICY NETSCAPE_BASE_OID, 0x04
-
-/* Entrust OIDs. */
-#define ENTRUST_BASE_OID OID_US, 0x86, 0xf6, 0x7d
-
-/*
- * Entrust cert extension.
- *
- * entrust-cert-extension OBJECT IDENTIFIER ::=
- * { 1 2 840 113533 7 65 }
- *
- * BER = 06 08 2A 86 48 86 F6 7D 07 41
- */
-#define ENTRUST_CERT_EXTEN ENTRUST_BASE_OID, 0x07, 0x41
-
-/* Microsoft OIDs. */
-#define MICROSOFT_BASE_OID OID_DOD, 0x01, 0x04, 0x01, 0x82, 0x37
-#define MICROSOFT_ENROLLMENT_OID MICROSOFT_BASE_OID, 0x14
-
-/* Google OIDs: 1.3.6.1.4.1.11129.
- */
-#define GOOGLE_BASE_OID OID_DOD, 0x01, 0x04, 0x01, 0xD6, 0x79
-#define GOOGLE_EMBEDDED_SCT_OID GOOGLE_BASE_OID, 0x02, 0x04, 0x02
-#define GOOGLE_OCSP_SCT_OID GOOGLE_BASE_OID, 0x02, 0x04, 0x05
-
-
-/* Algorithm OIDs.
*/
-static const DERByte
- _oidRsa[] = { OID_PKCS_1, 1 },
- _oidMd2Rsa[] = { OID_PKCS_1, 2 },
- _oidMd4Rsa[] = { OID_PKCS_1, 3 },
- _oidMd5Rsa[] = { OID_PKCS_1, 4 },
- _oidSha1Rsa[] = { OID_PKCS_1, 5 },
- _oidSha256Rsa[] = { OID_PKCS_1, 11 }, /* rfc5754 */
- _oidSha384Rsa[] = { OID_PKCS_1, 12 }, /* rfc5754 */
- _oidSha512Rsa[] = { OID_PKCS_1, 13 }, /* rfc5754 */
- _oidSha224Rsa[] = { OID_PKCS_1, 14 }, /* rfc5754 */
- _oidEcPubKey[] = { OID_PUBLIC_KEY_TYPE, 1 },
- _oidSha1Ecdsa[] = { OID_EC_SIG_TYPE, 1 }, /* rfc3279 */
- _oidSha224Ecdsa[] = { OID_ECDSA_WITH_SHA2, 1 }, /* rfc5758 */
- _oidSha256Ecdsa[] = { OID_ECDSA_WITH_SHA2, 2 }, /* rfc5758 */
- _oidSha384Ecdsa[] = { OID_ECDSA_WITH_SHA2, 3 }, /* rfc5758 */
- _oidSha512Ecdsa[] = { OID_ECDSA_WITH_SHA2, 4 }, /* rfc5758 */
- _oidSha1Dsa[] = { OID_ANSI_X9_57_ALGORITHM, 3 },
- _oidMd2[] = { OID_RSA_HASH, 2 },
- _oidMd4[] = { OID_RSA_HASH, 4 },
- _oidMd5[] = { OID_RSA_HASH, 5 },
- _oidSha1[] = { OID_OIW_ALGORITHM, 26 },
- _oidSha1DsaOIW[] = { OID_OIW_ALGORITHM, 27 },
- _oidSha1DsaCommonOIW[] = { OID_OIW_ALGORITHM, 28 },
- _oidSha1RsaOIW[] = { OID_OIW_ALGORITHM, 29 },
- _oidSha256[] = { OID_NIST_HASHALG, 1 },
- _oidSha384[] = { OID_NIST_HASHALG, 2 },
- _oidSha512[] = { OID_NIST_HASHALG, 3 },
- _oidSha224[] = { OID_NIST_HASHALG, 4 },
- _oidFee[] = { APPLE_ALG_OID, 1 },
- _oidMd5Fee[] = { APPLE_ALG_OID, 3 },
- _oidSha1Fee[] = { APPLE_ALG_OID, 4 },
- _oidEcPrime192v1[] = { OID_EC_CURVE, 1 },
- _oidEcPrime256v1[] = { OID_EC_CURVE, 7 },
- _oidAnsip384r1[] = { OID_CERTICOM_EC_CURVE, 34 },
- _oidAnsip521r1[] = { OID_CERTICOM_EC_CURVE, 35 };
-
-const DERItem
- oidRsa = { (DERByte *)_oidRsa,
- sizeof(_oidRsa) },
- oidMd2Rsa = { (DERByte *)_oidMd2Rsa,
- sizeof(_oidMd2Rsa) },
- oidMd4Rsa = { (DERByte *)_oidMd4Rsa,
- sizeof(_oidMd4Rsa) },
- oidMd5Rsa = { (DERByte *)_oidMd5Rsa,
- sizeof(_oidMd5Rsa) },
- oidSha1Rsa = { (DERByte *)_oidSha1Rsa,
- sizeof(_oidSha1Rsa) },
- oidSha256Rsa = { (DERByte *)_oidSha256Rsa,
- sizeof(_oidSha256Rsa)
},
- oidSha384Rsa = { (DERByte *)_oidSha384Rsa,
- sizeof(_oidSha384Rsa) },
- oidSha512Rsa = { (DERByte *)_oidSha512Rsa,
- sizeof(_oidSha512Rsa) },
- oidSha224Rsa = { (DERByte *)_oidSha224Rsa,
- sizeof(_oidSha224Rsa) },
- oidEcPubKey = { (DERByte *)_oidEcPubKey,
- sizeof(_oidEcPubKey) },
- oidSha1Ecdsa = { (DERByte *)_oidSha1Ecdsa,
- sizeof(_oidSha1Ecdsa) },
- oidSha224Ecdsa = { (DERByte *)_oidSha224Ecdsa,
- sizeof(_oidSha224Ecdsa) },
- oidSha256Ecdsa = { (DERByte *)_oidSha256Ecdsa,
- sizeof(_oidSha256Ecdsa) },
- oidSha384Ecdsa = { (DERByte *)_oidSha384Ecdsa,
- sizeof(_oidSha384Ecdsa) },
- oidSha512Ecdsa = { (DERByte *)_oidSha512Ecdsa,
- sizeof(_oidSha512Ecdsa) },
- oidSha1Dsa = { (DERByte *)_oidSha1Dsa,
- sizeof(_oidSha1Dsa) },
- oidMd2 = { (DERByte *)_oidMd2,
- sizeof(_oidMd2) },
- oidMd4 = { (DERByte *)_oidMd4,
- sizeof(_oidMd4) },
- oidMd5 = { (DERByte *)_oidMd5,
- sizeof(_oidMd5) },
- oidSha1 = { (DERByte *)_oidSha1,
- sizeof(_oidSha1) },
- oidSha1RsaOIW = { (DERByte *)_oidSha1RsaOIW,
- sizeof(_oidSha1RsaOIW) },
- oidSha1DsaOIW = { (DERByte *)_oidSha1DsaOIW,
- sizeof(_oidSha1DsaOIW) },
- oidSha1DsaCommonOIW = { (DERByte *)_oidSha1DsaCommonOIW,
- sizeof(_oidSha1DsaCommonOIW) },
- oidSha256 = { (DERByte *)_oidSha256,
- sizeof(_oidSha256) },
- oidSha384 = { (DERByte *)_oidSha384,
- sizeof(_oidSha384) },
- oidSha512 = { (DERByte *)_oidSha512,
- sizeof(_oidSha512) },
- oidSha224 = { (DERByte *)_oidSha224,
- sizeof(_oidSha224) },
- oidFee = { (DERByte *)_oidFee,
- sizeof(_oidFee) },
- oidMd5Fee = { (DERByte *)_oidMd5Fee,
- sizeof(_oidMd5Fee) },
- oidSha1Fee = { (DERByte *)_oidSha1Fee,
- sizeof(_oidSha1Fee) },
- oidEcPrime192v1 = { (DERByte *)_oidEcPrime192v1,
- sizeof(_oidEcPrime192v1) },
- oidEcPrime256v1 = { (DERByte *)_oidEcPrime256v1,
- sizeof(_oidEcPrime256v1) },
- oidAnsip384r1 = { (DERByte *)_oidAnsip384r1,
- sizeof(_oidAnsip384r1) },
- oidAnsip521r1 = { (DERByte *)_oidAnsip521r1,
- sizeof(_oidAnsip521r1) };
-
-
-/* Extension OIDs.
*/ -__unused static const DERByte - _oidSubjectKeyIdentifier[] = { OID_EXTENSION, 14 }, - _oidKeyUsage[] = { OID_EXTENSION, 15 }, - _oidPrivateKeyUsagePeriod[] = { OID_EXTENSION, 16 }, - _oidSubjectAltName[] = { OID_EXTENSION, 17 }, - _oidIssuerAltName[] = { OID_EXTENSION, 18 }, - _oidBasicConstraints[] = { OID_EXTENSION, 19 }, - _oidNameConstraints[] = { OID_EXTENSION, 30 }, - _oidCrlDistributionPoints[] = { OID_EXTENSION, 31 }, - _oidCertificatePolicies[] = { OID_EXTENSION, 32 }, - _oidAnyPolicy[] = { OID_EXTENSION, 32, 0 }, - _oidPolicyMappings[] = { OID_EXTENSION, 33 }, - _oidAuthorityKeyIdentifier[] = { OID_EXTENSION, 35 }, - _oidPolicyConstraints[] = { OID_EXTENSION, 36 }, - _oidExtendedKeyUsage[] = { OID_EXTENSION, 37 }, - _oidAnyExtendedKeyUsage[] = { OID_EXTENSION, 37, 0 }, - _oidInhibitAnyPolicy[] = { OID_EXTENSION, 54 }, - _oidAuthorityInfoAccess[] = { OID_PE, 1 }, - _oidSubjectInfoAccess[] = { OID_PE, 11 }, - _oidAdOCSP[] = { OID_AD_OCSP }, - _oidAdCAIssuer[] = { OID_AD_CAISSUERS }, - _oidNetscapeCertType[] = { NETSCAPE_CERT_EXTEN, 1 }, - _oidEntrustVersInfo[] = { ENTRUST_CERT_EXTEN, 0 }, - _oidMSNTPrincipalName[] = { MICROSOFT_ENROLLMENT_OID, 2, 3 }, - /* Policy Qualifier IDs for Internet policy qualifiers. */ - _oidQtCps[] = { OID_QT, 1 }, - _oidQtUNotice[] = { OID_QT, 2 }, - /* X.501 Name IDs. 
*/ - _oidCommonName[] = { OID_ATTR_TYPE, 3 }, - _oidCountryName[] = { OID_ATTR_TYPE, 6 }, - _oidLocalityName[] = { OID_ATTR_TYPE, 7 }, - _oidStateOrProvinceName[] = { OID_ATTR_TYPE, 8 }, - _oidOrganizationName[] = { OID_ATTR_TYPE, 10 }, - _oidOrganizationalUnitName[] = { OID_ATTR_TYPE, 11 }, - _oidDescription[] = { OID_ATTR_TYPE, 13 }, - _oidEmailAddress[] = { OID_PKCS_9, 1 }, - _oidFriendlyName[] = { OID_PKCS_9, 20 }, - _oidLocalKeyId[] = { OID_PKCS_9, 21 }, - _oidExtendedKeyUsageServerAuth[] = { OID_KP, 1 }, - _oidExtendedKeyUsageClientAuth[] = { OID_KP, 2 }, - _oidExtendedKeyUsageCodeSigning[] = { OID_KP, 3 }, - _oidExtendedKeyUsageEmailProtection[] = { OID_KP, 4 }, - _oidExtendedKeyUsageTimeStamping[] = { OID_KP, 8 }, - _oidExtendedKeyUsageOCSPSigning[] = { OID_KP, 9 }, - _oidExtendedKeyUsageIPSec[] = { OID_ISAKMP, 2, 2 }, - _oidExtendedKeyUsageMicrosoftSGC[] = { MICROSOFT_BASE_OID, 10, 3, 3 }, - _oidExtendedKeyUsageNetscapeSGC[] = { NETSCAPE_CERT_POLICY, 1 }, - _oidAppleSecureBootCertSpec[] = { APPLE_SBOOT_CERT_EXTEN_SBOOT_SPEC_OID }, - _oidAppleSecureBootTicketCertSpec[] = { APPLE_SBOOT_CERT_EXTEN_SBOOT_TICKET_SPEC_OID }, - _oidAppleImg4ManifestCertSpec[] = { APPLE_SBOOT_CERT_EXTEN_IMG4_MANIFEST_SPEC_OID }, - _oidAppleProvisioningProfile[] = {APPLE_PROVISIONING_PROFILE_OID }, - _oidAppleApplicationSigning[] = { APPLE_APP_SIGNING_OID }, - _oidAppleInstallerPackagingSigningExternal[] = { APPLE_INSTALLER_PACKAGE_SIGNING_EXTERNAL_OID }, - _oidAppleTVOSApplicationSigningProd[] = { APPLE_TVOS_APP_SIGNING_PROD_OID }, - _oidAppleTVOSApplicationSigningProdQA[] = { APPLE_TVOS_APP_SIGNING_PRODQA_OID }, - _oidAppleExtendedKeyUsageCodeSigning[] = { APPLE_EKU_CODE_SIGNING }, - _oidAppleExtendedKeyUsageCodeSigningDev[] = { APPLE_EKU_CODE_SIGNING, 1 }, - _oidAppleExtendedKeyUsageAppleID[] = { APPLE_EKU_APPLE_ID }, - _oidAppleExtendedKeyUsagePassbook[] = { APPLE_EKU_PASSBOOK }, - _oidAppleExtendedKeyUsageProfileSigning[] = { APPLE_EKU_PROFILE_SIGNING }, - 
_oidAppleExtendedKeyUsageQAProfileSigning[] = { APPLE_EKU_QA_PROFILE_SIGNING }, - _oidAppleIntmMarkerAppleWWDR[] = { APPLE_CERT_EXT_INTERMEDIATE_MARKER_WWDR }, - _oidAppleIntmMarkerAppleID[] = { APPLE_CERT_EXT_INTERMEDIATE_MARKER_APPLEID }, - _oidAppleIntmMarkerAppleID2[] = {APPLE_CERT_EXT_INTERMEDIATE_MARKER_APPLEID_2 }, - _oidApplePushServiceClient[] = { APPLE_CERT_EXT_APPLE_PUSH_MARKER, 2 }, - _oidApplePolicyMobileStore[] = { APPLE_CERT_POLICY_MOBILE_STORE }, - _oidApplePolicyMobileStoreProdQA[] = { APPLE_CERT_POLICY_MOBILE_STORE_PRODQA }, - _oidApplePolicyEscrowService[] = { APPLE_ESCROW_POLICY_OID }, - _oidAppleCertExtensionAppleIDRecordValidationSigning[] = { APPLE_CERT_EXT_APPLE_ID_VALIDATION_RECORD_SIGNING }, - _oidAppleCertExtOSXProvisioningProfileSigning[] = { APPLE_CERT_EXT_OSX_PROVISIONING_PROFILE_SIGNING }, - _oidAppleIntmMarkerAppleSystemIntg2[] = {APPLE_CERT_EXT_INTERMEDIATE_MARKER_APPLEID_SYSTEM_INTEGRATION_2}, - _oidAppleIntmMarkerAppleSystemIntgG3[] = {APPLE_CERT_EXT_INTERMEDIATE_MARKER_APPLEID_SYSTEM_INTEGRATION_G3}, - _oidAppleCertExtAppleSMPEncryption[] = {APPLE_CERT_EXT_APPLE_SMP_ENCRYPTION}, - _oidAppleCertExtAppleServerAuthentication[] = {APPLE_CERT_EXT_APPLE_SERVER_AUTHENTICATION}, - _oidAppleCertExtAppleServerAuthenticationPPQProdQA[] = {APPLE_CERT_EXT_APPLE_SERVER_AUTHENTICATION_PPQ_PRODQA}, - _oidAppleCertExtAppleServerAuthenticationPPQProd[] = {APPLE_CERT_EXT_APPLE_SERVER_AUTHENTICATION_PPQ_PROD}, - _oidAppleCertExtAppleServerAuthenticationIDSProdQA[] = {APPLE_CERT_EXT_APPLE_SERVER_AUTHENTICATION_IDS_PRODQA}, - _oidAppleCertExtAppleServerAuthenticationIDSProd[] = {APPLE_CERT_EXT_APPLE_SERVER_AUTHENTICATION_IDS_PROD}, - _oidAppleCertExtAppleServerAuthenticationAPNProdQA[] = {APPLE_CERT_EXT_APPLE_SERVER_AUTHENTICATION_APN_PRODQA}, - _oidAppleCertExtAppleServerAuthenticationAPNProd[] = {APPLE_CERT_EXT_APPLE_SERVER_AUTHENTICATION_APN_PROD}, - _oidAppleCertExtAppleServerAuthenticationGS[] = {APPLE_CERT_EXT_APPLE_SERVER_AUTHENTICATION_GS}, - 
_oidAppleIntmMarkerAppleServerAuthentication[] = {APPLE_CERT_EXT_INTERMEDIATE_MARKER_APPLE_SERVER_AUTHENTICATION}, - _oidAppleCertExtApplePPQSigningProdQA[] = {APPLE_CERT_EXT_APPLE_PPQ_SIGNING_PRODQA}, - _oidAppleCertExtApplePPQSigningProd[] = {APPLE_CERT_EXT_APPLE_PPQ_SIGNING_PROD}, - _oidGoogleEmbeddedSignedCertificateTimestamp[] = {GOOGLE_EMBEDDED_SCT_OID}, - _oidGoogleOCSPSignedCertificateTimestamp[] = {GOOGLE_OCSP_SCT_OID}, - _oidAppleCertExtATVAppSigningProdQA[] = {APPLE_ATV_APP_SIGNING_OID_PRODQA}, - _oidAppleCertExtATVAppSigningProd[] = {APPLE_ATV_APP_SIGNING_OID}, - _oidAppleCertExtATVVPNProfileSigning[] = {APPLE_CERT_EXT_APPLE_ATV_VPN_PROFILE_SIGNING}, - _oidAppleCertExtCryptoServicesExtEncryption[] = {APPLE_CERT_EXT_CRYPTO_SERVICES_EXT_ENCRYPTION}, - _oidAppleCertExtAST2DiagnosticsServerAuthProdQA[] = {APPLE_CERT_EXT_AST2_DIAGNOSTICS_SERVER_AUTH_PRODQA}, - _oidAppleCertExtAST2DiagnosticsServerAuthProd[] = {APPLE_CERT_EXT_AST2_DIAGNOSTICS_SERVER_AUTH_PROD}, - _oidAppleCertExtEscrowProxyServerAuthProdQA[] = {APPLE_CERT_EXT_ESCROW_PROXY_SERVER_AUTH_PRODQA}, - _oidAppleCertExtEscrowProxyServerAuthProd[] = {APPLE_CERT_EXT_ESCROW_PROXY_SERVER_AUTH_PROD}, - _oidAppleCertExtFMiPServerAuthProdQA[] = {APPLE_CERT_EXT_FMIP_SERVER_AUTH_PRODQA}, - _oidAppleCertExtFMiPServerAuthProd[] = {APPLE_CERT_EXT_FMIP_SERVER_AUTH_PROD}, - _oidAppleCertExtHomeKitServerAuth[] = {APPLE_CERT_EXT_HOME_KIT_SERVER_AUTH}, - _oidAppleIntmMarkerAppleHomeKitServerCA[] = {APPLE_CERT_EXT_INTERMEDIATE_MARKER_APPLE_HOME_KIT_SERVER_AUTH}, - _oidAppleCertExtMMCSServerAuthProdQA[] = {APPLE_CERT_EXT_MMCS_SERVER_AUTH_PRODQA}, - _oidAppleCertExtMMCSServerAuthProd[] = {APPLE_CERT_EXT_MMCS_SERVER_AUTH_PROD}, - _oidAppleCertExtiCloudSetupServerAuthProdQA[] = {APPLE_CERT_EXT_ICLOUD_SETUP_SERVER_AUTH_PRODQA}, - _oidAppleCertExtiCloudSetupServerAuthProd[] = {APPLE_CERT_EXT_ICLOUD_SETUP_SERVER_AUTH_PROD}; - -__unused const DERItem - oidSubjectKeyIdentifier = { (DERByte *)_oidSubjectKeyIdentifier, - 
sizeof(_oidSubjectKeyIdentifier) }, - oidKeyUsage = { (DERByte *)_oidKeyUsage, - sizeof(_oidKeyUsage) }, - oidPrivateKeyUsagePeriod = { (DERByte *)_oidPrivateKeyUsagePeriod, - sizeof(_oidPrivateKeyUsagePeriod) }, - oidSubjectAltName = { (DERByte *)_oidSubjectAltName, - sizeof(_oidSubjectAltName) }, - oidIssuerAltName = { (DERByte *)_oidIssuerAltName, - sizeof(_oidIssuerAltName) }, - oidBasicConstraints = { (DERByte *)_oidBasicConstraints, - sizeof(_oidBasicConstraints) }, - oidNameConstraints = { (DERByte *)_oidNameConstraints, - sizeof(_oidNameConstraints) }, - oidCrlDistributionPoints = { (DERByte *)_oidCrlDistributionPoints, - sizeof(_oidCrlDistributionPoints) }, - oidCertificatePolicies = { (DERByte *)_oidCertificatePolicies, - sizeof(_oidCertificatePolicies) }, - oidAnyPolicy = { (DERByte *)_oidAnyPolicy, - sizeof(_oidAnyPolicy) }, - oidPolicyMappings = { (DERByte *)_oidPolicyMappings, - sizeof(_oidPolicyMappings) }, - oidAuthorityKeyIdentifier = { (DERByte *)_oidAuthorityKeyIdentifier, - sizeof(_oidAuthorityKeyIdentifier) }, - oidPolicyConstraints = { (DERByte *)_oidPolicyConstraints, - sizeof(_oidPolicyConstraints) }, - oidExtendedKeyUsage = { (DERByte *)_oidExtendedKeyUsage, - sizeof(_oidExtendedKeyUsage) }, - oidAnyExtendedKeyUsage = { (DERByte *)_oidAnyExtendedKeyUsage, - sizeof(_oidAnyExtendedKeyUsage) }, - oidInhibitAnyPolicy = { (DERByte *)_oidInhibitAnyPolicy, - sizeof(_oidInhibitAnyPolicy) }, - oidAuthorityInfoAccess = { (DERByte *)_oidAuthorityInfoAccess, - sizeof(_oidAuthorityInfoAccess) }, - oidSubjectInfoAccess = { (DERByte *)_oidSubjectInfoAccess, - sizeof(_oidSubjectInfoAccess) }, - oidAdOCSP = { (DERByte *)_oidAdOCSP, - sizeof(_oidAdOCSP) }, - oidAdCAIssuer = { (DERByte *)_oidAdCAIssuer, - sizeof(_oidAdCAIssuer) }, - oidNetscapeCertType = { (DERByte *)_oidNetscapeCertType, - sizeof(_oidNetscapeCertType) }, - oidEntrustVersInfo = { (DERByte *)_oidEntrustVersInfo, - sizeof(_oidEntrustVersInfo) }, - oidMSNTPrincipalName = { (DERByte 
*)_oidMSNTPrincipalName, - sizeof(_oidMSNTPrincipalName) }, - /* Policy Qualifier IDs for Internet policy qualifiers. */ - oidQtCps = { (DERByte *)_oidQtCps, - sizeof(_oidQtCps) }, - oidQtUNotice = { (DERByte *)_oidQtUNotice, - sizeof(_oidQtUNotice) }, - /* X.501 Name IDs. */ - oidCommonName = { (DERByte *)_oidCommonName, - sizeof(_oidCommonName) }, - oidCountryName = { (DERByte *)_oidCountryName, - sizeof(_oidCountryName) }, - oidLocalityName = { (DERByte *)_oidLocalityName, - sizeof(_oidLocalityName) }, - oidStateOrProvinceName = { (DERByte *)_oidStateOrProvinceName, - sizeof(_oidStateOrProvinceName) }, - oidOrganizationName = { (DERByte *)_oidOrganizationName, - sizeof(_oidOrganizationName) }, - oidOrganizationalUnitName = { (DERByte *)_oidOrganizationalUnitName, - sizeof(_oidOrganizationalUnitName) }, - oidDescription = { (DERByte *)_oidDescription, - sizeof(_oidDescription) }, - oidEmailAddress = { (DERByte *)_oidEmailAddress, - sizeof(_oidEmailAddress) }, - oidFriendlyName = { (DERByte *)_oidFriendlyName, - sizeof(_oidFriendlyName) }, - oidLocalKeyId = { (DERByte *)_oidLocalKeyId, - sizeof(_oidLocalKeyId) }, - oidExtendedKeyUsageServerAuth = { (DERByte *)_oidExtendedKeyUsageServerAuth, - sizeof(_oidExtendedKeyUsageServerAuth) }, - oidExtendedKeyUsageClientAuth = { (DERByte *)_oidExtendedKeyUsageClientAuth, - sizeof(_oidExtendedKeyUsageClientAuth) }, - oidExtendedKeyUsageCodeSigning = { (DERByte *)_oidExtendedKeyUsageCodeSigning, - sizeof(_oidExtendedKeyUsageCodeSigning) }, - oidExtendedKeyUsageEmailProtection = { (DERByte *)_oidExtendedKeyUsageEmailProtection, - sizeof(_oidExtendedKeyUsageEmailProtection) }, - oidExtendedKeyUsageTimeStamping = { (DERByte *)_oidExtendedKeyUsageTimeStamping, - sizeof(_oidExtendedKeyUsageTimeStamping) }, - oidExtendedKeyUsageOCSPSigning = { (DERByte *)_oidExtendedKeyUsageOCSPSigning, - sizeof(_oidExtendedKeyUsageOCSPSigning) }, - oidExtendedKeyUsageIPSec = { (DERByte *)_oidExtendedKeyUsageIPSec, - 
sizeof(_oidExtendedKeyUsageIPSec) }, - oidExtendedKeyUsageMicrosoftSGC = { (DERByte *)_oidExtendedKeyUsageMicrosoftSGC, - sizeof(_oidExtendedKeyUsageMicrosoftSGC) }, - oidExtendedKeyUsageNetscapeSGC = { (DERByte *)_oidExtendedKeyUsageNetscapeSGC, - sizeof(_oidExtendedKeyUsageNetscapeSGC) }, - oidAppleSecureBootCertSpec = { (DERByte *)_oidAppleSecureBootCertSpec, - sizeof(_oidAppleSecureBootCertSpec) }, - oidAppleSecureBootTicketCertSpec = { (DERByte *)_oidAppleSecureBootTicketCertSpec, - sizeof(_oidAppleSecureBootTicketCertSpec) }, - oidAppleImg4ManifestCertSpec = { (DERByte *)_oidAppleImg4ManifestCertSpec, - sizeof(_oidAppleImg4ManifestCertSpec) }, - oidAppleProvisioningProfile = { (DERByte *)_oidAppleProvisioningProfile, - sizeof(_oidAppleProvisioningProfile) }, - oidAppleApplicationSigning = { (DERByte *)_oidAppleApplicationSigning, - sizeof(_oidAppleApplicationSigning) }, - oidAppleInstallerPackagingSigningExternal = { (DERByte *)_oidAppleInstallerPackagingSigningExternal, - sizeof(_oidAppleInstallerPackagingSigningExternal) }, - oidAppleTVOSApplicationSigningProd = { (DERByte *)_oidAppleTVOSApplicationSigningProd, - sizeof(_oidAppleTVOSApplicationSigningProd) }, - oidAppleTVOSApplicationSigningProdQA = { (DERByte *)_oidAppleTVOSApplicationSigningProdQA, - sizeof(_oidAppleTVOSApplicationSigningProdQA) }, - oidAppleExtendedKeyUsageCodeSigning = { (DERByte *)_oidAppleExtendedKeyUsageCodeSigning, - sizeof(_oidAppleExtendedKeyUsageCodeSigning) }, - oidAppleExtendedKeyUsageCodeSigningDev = { (DERByte *)_oidAppleExtendedKeyUsageCodeSigningDev, - sizeof(_oidAppleExtendedKeyUsageCodeSigningDev) }, - oidAppleExtendedKeyUsageAppleID = { (DERByte *)_oidAppleExtendedKeyUsageAppleID, - sizeof(_oidAppleExtendedKeyUsageAppleID) }, - oidAppleExtendedKeyUsagePassbook = { (DERByte *)_oidAppleExtendedKeyUsagePassbook, - sizeof(_oidAppleExtendedKeyUsagePassbook) }, - oidAppleExtendedKeyUsageProfileSigning - = { (DERByte *)_oidAppleExtendedKeyUsageProfileSigning, - 
sizeof(_oidAppleExtendedKeyUsageProfileSigning) }, - oidAppleExtendedKeyUsageQAProfileSigning - = { (DERByte *)_oidAppleExtendedKeyUsageQAProfileSigning, - sizeof(_oidAppleExtendedKeyUsageQAProfileSigning) }, - oidAppleIntmMarkerAppleWWDR = { (DERByte *)_oidAppleIntmMarkerAppleWWDR, - sizeof(_oidAppleIntmMarkerAppleWWDR) }, - oidAppleIntmMarkerAppleID = { (DERByte *)_oidAppleIntmMarkerAppleID, - sizeof(_oidAppleIntmMarkerAppleID) }, - oidAppleIntmMarkerAppleID2 = { (DERByte *)_oidAppleIntmMarkerAppleID2, - sizeof(_oidAppleIntmMarkerAppleID2) }, - oidApplePushServiceClient = { (DERByte *)_oidAppleIntmMarkerAppleID2, - sizeof(_oidAppleIntmMarkerAppleID2) }, - oidApplePolicyMobileStore = { (DERByte *)_oidApplePolicyMobileStore, - sizeof(_oidApplePolicyMobileStore)}, - oidApplePolicyMobileStoreProdQA = { (DERByte *)_oidApplePolicyMobileStoreProdQA, - sizeof(_oidApplePolicyMobileStoreProdQA)}, - oidApplePolicyEscrowService = { (DERByte *)_oidApplePolicyEscrowService, - sizeof(_oidApplePolicyEscrowService)}, - oidAppleCertExtensionAppleIDRecordValidationSigning = { (DERByte *)_oidAppleCertExtensionAppleIDRecordValidationSigning, - sizeof(_oidAppleCertExtensionAppleIDRecordValidationSigning)}, - oidAppleCertExtOSXProvisioningProfileSigning = { (DERByte *)_oidAppleCertExtOSXProvisioningProfileSigning, - sizeof(_oidAppleCertExtOSXProvisioningProfileSigning) }, - oidAppleIntmMarkerAppleSystemIntg2 = { (DERByte *) _oidAppleIntmMarkerAppleSystemIntg2, - sizeof(_oidAppleIntmMarkerAppleSystemIntg2)}, - oidAppleIntmMarkerAppleSystemIntgG3 = { (DERByte *) _oidAppleIntmMarkerAppleSystemIntgG3, - sizeof(_oidAppleIntmMarkerAppleSystemIntgG3)}, - oidAppleCertExtAppleSMPEncryption = { (DERByte *)_oidAppleCertExtAppleSMPEncryption, - sizeof(_oidAppleCertExtAppleSMPEncryption)}, - oidAppleCertExtAppleServerAuthentication - = { (DERByte *)_oidAppleCertExtAppleServerAuthentication, - sizeof(_oidAppleCertExtAppleServerAuthentication) }, - oidAppleCertExtAppleServerAuthenticationIDSProdQA - 
= { (DERByte *)_oidAppleCertExtAppleServerAuthenticationIDSProdQA, - sizeof(_oidAppleCertExtAppleServerAuthenticationIDSProdQA) }, - oidAppleCertExtAppleServerAuthenticationIDSProd - = { (DERByte *)_oidAppleCertExtAppleServerAuthenticationIDSProd, - sizeof(_oidAppleCertExtAppleServerAuthenticationIDSProd) }, - oidAppleCertExtAppleServerAuthenticationAPNProdQA - = { (DERByte *)_oidAppleCertExtAppleServerAuthenticationAPNProdQA, - sizeof(_oidAppleCertExtAppleServerAuthenticationAPNProdQA) }, - oidAppleCertExtAppleServerAuthenticationAPNProd - = { (DERByte *)_oidAppleCertExtAppleServerAuthenticationAPNProd, - sizeof(_oidAppleCertExtAppleServerAuthenticationAPNProd) }, - oidAppleCertExtAppleServerAuthenticationGS - = { (DERByte *)_oidAppleCertExtAppleServerAuthenticationGS, - sizeof(_oidAppleCertExtAppleServerAuthenticationGS) }, - oidAppleCertExtAppleServerAuthenticationPPQProdQA - = { (DERByte *)_oidAppleCertExtAppleServerAuthenticationPPQProdQA, - sizeof(_oidAppleCertExtAppleServerAuthenticationPPQProdQA) }, - oidAppleCertExtAppleServerAuthenticationPPQProd - = { (DERByte *)_oidAppleCertExtAppleServerAuthenticationPPQProd, - sizeof(_oidAppleCertExtAppleServerAuthenticationPPQProd) }, - oidAppleIntmMarkerAppleServerAuthentication - = { (DERByte *)_oidAppleIntmMarkerAppleServerAuthentication, - sizeof(_oidAppleIntmMarkerAppleServerAuthentication) }, - oidAppleCertExtApplePPQSigningProd = { (DERByte *)_oidAppleCertExtApplePPQSigningProd, - sizeof(_oidAppleCertExtApplePPQSigningProd)}, - oidAppleCertExtApplePPQSigningProdQA = { (DERByte *)_oidAppleCertExtApplePPQSigningProdQA, - sizeof(_oidAppleCertExtApplePPQSigningProdQA)}, - oidGoogleEmbeddedSignedCertificateTimestamp - = { (DERByte *)_oidGoogleEmbeddedSignedCertificateTimestamp, - sizeof(_oidGoogleEmbeddedSignedCertificateTimestamp) }, - oidGoogleOCSPSignedCertificateTimestamp - = { (DERByte *)_oidGoogleOCSPSignedCertificateTimestamp, - sizeof(_oidGoogleOCSPSignedCertificateTimestamp) }, - 
oidAppleCertExtATVAppSigningProd = { (DERByte *)_oidAppleCertExtATVAppSigningProd, - sizeof(_oidAppleCertExtATVAppSigningProd)}, - oidAppleCertExtATVAppSigningProdQA = { (DERByte *)_oidAppleCertExtATVAppSigningProdQA, - sizeof(_oidAppleCertExtATVAppSigningProdQA)}, - oidAppleCertExtATVVPNProfileSigning = { (DERByte *) _oidAppleCertExtATVVPNProfileSigning, - sizeof(_oidAppleCertExtATVVPNProfileSigning)}, - oidAppleCertExtCryptoServicesExtEncryption = { (DERByte *)_oidAppleCertExtCryptoServicesExtEncryption, - sizeof(_oidAppleCertExtCryptoServicesExtEncryption)}, - oidAppleCertExtAST2DiagnosticsServerAuthProdQA = { (DERByte *)_oidAppleCertExtAST2DiagnosticsServerAuthProdQA, - sizeof(_oidAppleCertExtAST2DiagnosticsServerAuthProdQA)}, - oidAppleCertExtAST2DiagnosticsServerAuthProd = { (DERByte *)_oidAppleCertExtAST2DiagnosticsServerAuthProd, - sizeof(_oidAppleCertExtAST2DiagnosticsServerAuthProd)}, - oidAppleCertExtEscrowProxyServerAuthProdQA = { (DERByte *)_oidAppleCertExtEscrowProxyServerAuthProdQA, - sizeof(_oidAppleCertExtEscrowProxyServerAuthProdQA)}, - oidAppleCertExtEscrowProxyServerAuthProd = { (DERByte *)_oidAppleCertExtEscrowProxyServerAuthProd, - sizeof(_oidAppleCertExtEscrowProxyServerAuthProd)}, - oidAppleCertExtFMiPServerAuthProdQA = { (DERByte *)_oidAppleCertExtFMiPServerAuthProdQA, - sizeof(_oidAppleCertExtFMiPServerAuthProdQA)}, - oidAppleCertExtFMiPServerAuthProd = { (DERByte *)_oidAppleCertExtFMiPServerAuthProd, - sizeof(_oidAppleCertExtFMiPServerAuthProd)}, - oidAppleCertExtHomeKitServerAuth = { (DERByte *)_oidAppleCertExtHomeKitServerAuth, - sizeof(_oidAppleCertExtHomeKitServerAuth)}, - oidAppleIntmMarkerAppleHomeKitServerCA = { (DERByte *)_oidAppleIntmMarkerAppleHomeKitServerCA, - sizeof(_oidAppleIntmMarkerAppleHomeKitServerCA) }, - oidAppleCertExtAppleServerAuthenticationMMCSProdQA - = { (DERByte *)_oidAppleCertExtMMCSServerAuthProdQA, - sizeof(_oidAppleCertExtMMCSServerAuthProdQA) }, - oidAppleCertExtAppleServerAuthenticationMMCSProd - = { 
(DERByte *)_oidAppleCertExtMMCSServerAuthProd, - sizeof(_oidAppleCertExtMMCSServerAuthProd) }, - oidAppleCertExtAppleServerAuthenticationiCloudSetupProdQA - = { (DERByte *)_oidAppleCertExtiCloudSetupServerAuthProdQA, - sizeof(_oidAppleCertExtiCloudSetupServerAuthProdQA) }, - oidAppleCertExtAppleServerAuthenticationiCloudSetupProd - = { (DERByte *)_oidAppleCertExtiCloudSetupServerAuthProd, - sizeof(_oidAppleCertExtiCloudSetupServerAuthProd) }; - - - - -bool DEROidCompare(const DERItem *oid1, const DERItem *oid2) { - if ((oid1 == NULL) || (oid2 == NULL)) { - return false; - } - if (oid1->length != oid2->length) { - return false; - } - if (!DERMemcmp(oid1->data, oid2->data, oid1->length)) { - return true; - } else { - return false; - } -} diff --git a/OSX/libsecurity_keychain/libDER/libDER/oidsPriv.h b/OSX/libsecurity_keychain/libDER/libDER/oidsPriv.h deleted file mode 100644 index 3d64f628..00000000 --- a/OSX/libsecurity_keychain/libDER/libDER/oidsPriv.h +++ /dev/null 
@@ -1,99 +0,0 @@ -/* - * Copyright (c) 2005-2009,2011-2016 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - - -/* - * oids.h - declaration of OID consts - * - */ - -#ifndef _LIB_DER_OIDSPRIV_H_ -#define _LIB_DER_OIDSPRIV_H_ - -#include -#include - -__BEGIN_DECLS - -/* Apple Oids */ -extern const DERItem - oidAppleSecureBootCertSpec, - oidAppleSecureBootTicketCertSpec, - oidAppleImg4ManifestCertSpec, - oidAppleProvisioningProfile, - oidAppleApplicationSigning, - oidAppleTVOSApplicationSigningProd, - oidAppleTVOSApplicationSigningProdQA, - oidAppleInstallerPackagingSigningExternal, - oidAppleExtendedKeyUsageCodeSigning, - oidAppleExtendedKeyUsageCodeSigningDev, - oidAppleExtendedKeyUsageAppleID, - oidAppleExtendedKeyUsagePassbook, - oidAppleExtendedKeyUsageProfileSigning, - oidAppleExtendedKeyUsageQAProfileSigning, - oidAppleIntmMarkerAppleWWDR, - oidAppleIntmMarkerAppleID, - oidAppleIntmMarkerAppleID2, - oidApplePushServiceClient, - oidApplePolicyMobileStore, - oidApplePolicyMobileStoreProdQA, - oidApplePolicyEscrowService, - 
oidAppleCertExtensionAppleIDRecordValidationSigning, - oidAppleCertExtOSXProvisioningProfileSigning, - oidAppleIntmMarkerAppleSystemIntg2, - oidAppleIntmMarkerAppleSystemIntgG3, - oidAppleCertExtAppleSMPEncryption, - oidAppleCertExtAppleServerAuthentication, - oidAppleCertExtAppleServerAuthenticationIDSProdQA, - oidAppleCertExtAppleServerAuthenticationIDSProd, - oidAppleCertExtAppleServerAuthenticationAPNProdQA, - oidAppleCertExtAppleServerAuthenticationAPNProd, - oidAppleCertExtAppleServerAuthenticationGS, - oidAppleCertExtAppleServerAuthenticationPPQProdQA, - oidAppleCertExtAppleServerAuthenticationPPQProd, - oidAppleIntmMarkerAppleServerAuthentication, - oidAppleCertExtApplePPQSigningProd, - oidAppleCertExtApplePPQSigningProdQA, - oidAppleCertExtATVAppSigningProd, - oidAppleCertExtATVAppSigningProdQA, - oidAppleCertExtATVVPNProfileSigning, - oidAppleCertExtCryptoServicesExtEncryption, - oidAppleCertExtAST2DiagnosticsServerAuthProdQA, - oidAppleCertExtAST2DiagnosticsServerAuthProd, - oidAppleCertExtEscrowProxyServerAuthProdQA, - oidAppleCertExtEscrowProxyServerAuthProd, - oidAppleCertExtFMiPServerAuthProdQA, - oidAppleCertExtFMiPServerAuthProd, - oidAppleCertExtHomeKitServerAuth, - oidAppleIntmMarkerAppleHomeKitServerCA, - oidAppleCertExtAppleServerAuthenticationMMCSProdQA, - oidAppleCertExtAppleServerAuthenticationMMCSProd, - oidAppleCertExtAppleServerAuthenticationiCloudSetupProdQA, - oidAppleCertExtAppleServerAuthenticationiCloudSetupProd; - - /* Compare two decoded OIDs. Returns true iff they are equivalent. */ - bool DEROidCompare(const DERItem *oid1, const DERItem *oid2); - -__END_DECLS - -#endif /* _LIB_DER_UTILS_H_ */ diff --git a/OSX/libsecurity_keychain/regressions/kc-12-key-create-symmetric-and-use.m b/OSX/libsecurity_keychain/regressions/kc-12-key-create-symmetric-and-use.m index a6074bb8..d5b37eed 100644 --- a/OSX/libsecurity_keychain/regressions/kc-12-key-create-symmetric-and-use.m 
+++ b/OSX/libsecurity_keychain/regressions/kc-12-key-create-symmetric-and-use.m @@ -137,7 +137,7 @@ static SecKeyRef findExistingEncryptionKey(SecKeychainRef kc) return nullptr; } -static SecKeyRef generateEncryptionKey(SecKeychainRef kc) +static CF_RETURNS_RETAINED SecKeyRef generateEncryptionKey(SecKeychainRef kc) { SecAccessRef access = createAccess(nil, EncryptionKeyLabel, false); if (!access) { diff --git a/OSX/libsecurity_keychain/regressions/kc-23-key-export-symmetric.m b/OSX/libsecurity_keychain/regressions/kc-23-key-export-symmetric.m index 81e9bafc..7e9b69bc 100644 --- a/OSX/libsecurity_keychain/regressions/kc-23-key-export-symmetric.m +++ b/OSX/libsecurity_keychain/regressions/kc-23-key-export-symmetric.m @@ -59,7 +59,7 @@ static void checkCryptoError(OSStatus status, NSString *functionName) { } #endif -static SecKeyRef generateSymmetricKey(SecKeychainRef keychainRef, CFStringRef label) +static CF_RETURNS_RETAINED SecKeyRef generateSymmetricKey(SecKeychainRef keychainRef, CFStringRef label) { CFMutableDictionaryRef parameters; int32_t rawnum; diff --git a/OSX/libsecurity_keychain/regressions/kc-26-key-import-public.m b/OSX/libsecurity_keychain/regressions/kc-26-key-import-public.m index 7a85ff7d..00ba7f7d 100644 --- a/OSX/libsecurity_keychain/regressions/kc-26-key-import-public.m +++ b/OSX/libsecurity_keychain/regressions/kc-26-key-import-public.m @@ -21,6 +21,13 @@ * @APPLE_LICENSE_HEADER_END@ */ +#include +#include +#include +#include + +#import + #import #import @@ -36,15 +43,6 @@ // // -#import -#import - -#include -#include -#include -#include - - /* test RSA public key to import */ static const uint8_t kPublicKey[] = { diff --git a/OSX/libsecurity_keychain/regressions/kc-30-xara-helpers.h b/OSX/libsecurity_keychain/regressions/kc-30-xara-helpers.h index 5d461e64..affd4fc6 100644 --- a/OSX/libsecurity_keychain/regressions/kc-30-xara-helpers.h +++ b/OSX/libsecurity_keychain/regressions/kc-30-xara-helpers.h 
@@ -37,7 +37,7 @@ #pragma clang diagnostic ignored "-Wunused-function" /* name is the name of the test, not the name of the keychain */ -static SecKeychainRef newKeychain(const char * name) { +static CF_RETURNS_RETAINED SecKeychainRef newKeychain(const char * name) { SecKeychainRef kc = NULL; char* password = "password"; @@ -74,7 +74,7 @@ static SecKeychainRef newCustomKeychain(const char * name, const char * path, co } #define newCustomKeychainTests 1 -static SecKeychainRef openCustomKeychain(const char * name, const char * path, const char * password) { +static CF_RETURNS_RETAINED SecKeychainRef openCustomKeychain(const char * name, const char * path, const char * password) { SecKeychainRef kc = NULL; ok_status(SecKeychainOpen(path, &kc), "%s: SecKeychainOpen", name); @@ -88,7 +88,7 @@ static SecKeychainRef openCustomKeychain(const char * name, const char * path, c } #define openCustomKeychainTests 2 -static SecKeychainRef openKeychain(const char * name) { +static CF_RETURNS_RETAINED SecKeychainRef openKeychain(const char * name) { return openCustomKeychain(name, keychainName, NULL); } #define openKeychainTests (openCustomKeychainTests) diff --git a/OSX/libsecurity_keychain/regressions/kc-42-trust-revocation.c b/OSX/libsecurity_keychain/regressions/kc-42-trust-revocation.c index 6fafcc22..7c6d545d 100644 --- a/OSX/libsecurity_keychain/regressions/kc-42-trust-revocation.c +++ b/OSX/libsecurity_keychain/regressions/kc-42-trust-revocation.c 
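Review bot: `newCustomKeychain` is left without `CF_RETURNS_RETAINED`, although `newKeychain`, `openCustomKeychain` and `openKeychain` all gain it in these three hunks; its signature appears unannotated in the second hunk's header and no hunk touches it. Its body is not visible, so this is inferred from the name and from its pairing with `openCustomKeychain`: if it also returns a +1 `SecKeychainRef`, the static analyzer will keep assuming callers do not own the result, and leaks or over-releases in those callers will be misreported. Suggest `static CF_RETURNS_RETAINED SecKeychainRef newCustomKeychain(...)` with its existing parameter list, so the four helpers share one ownership contract. The bodies of `newKeychain` and `openCustomKeychain` continue outside the hunks, so the ownership of the `kc` they return could not be checked here.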
@@ -31,128 +31,129 @@ /* s:/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=3014267/C=US/postalCode=95131-2021/ST=California/L=San Jose/street=2211 N 1st St/O=PayPal, Inc./OU=CDN Support/CN=www.paypal.com */ /* i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3 */ -/* SHA1 Fingerprint=A5:AF:1D:73:96:A7:74:F8:8B:B7:43:FD:07:7A:97:47:D3:FA:EF:2F */ -/* EXPIRES Oct 30 23:59:59 2017 GMT */ - -unsigned char leaf_certificate[1873]={ - 0x30,0x82,0x07,0x4D,0x30,0x82,0x06,0x35,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x7F, - 0xC0,0x32,0xB3,0x6F,0x9F,0x9E,0x1A,0xC1,0xED,0xAB,0x97,0x13,0x65,0x29,0x35,0x30, - 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x77, - 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x1D,0x30, - 0x1B,0x06,0x03,0x55,0x04,0x0A,0x13,0x14,0x53,0x79,0x6D,0x61,0x6E,0x74,0x65,0x63, - 0x20,0x43,0x6F,0x72,0x70,0x6F,0x72,0x61,0x74,0x69,0x6F,0x6E,0x31,0x1F,0x30,0x1D, - 0x06,0x03,0x55,0x04,0x0B,0x13,0x16,0x53,0x79,0x6D,0x61,0x6E,0x74,0x65,0x63,0x20, - 0x54,0x72,0x75,0x73,0x74,0x20,0x4E,0x65,0x74,0x77,0x6F,0x72,0x6B,0x31,0x28,0x30, - 0x26,0x06,0x03,0x55,0x04,0x03,0x13,0x1F,0x53,0x79,0x6D,0x61,0x6E,0x74,0x65,0x63, - 0x20,0x43,0x6C,0x61,0x73,0x73,0x20,0x33,0x20,0x45,0x56,0x20,0x53,0x53,0x4C,0x20, - 0x43,0x41,0x20,0x2D,0x20,0x47,0x33,0x30,0x1E,0x17,0x0D,0x31,0x35,0x30,0x39,0x30, - 0x32,0x30,0x30,0x30,0x30,0x30,0x30,0x5A,0x17,0x0D,0x31,0x37,0x31,0x30,0x33,0x30, - 0x32,0x33,0x35,0x39,0x35,0x39,0x5A,0x30,0x82,0x01,0x09,0x31,0x13,0x30,0x11,0x06, - 0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02,0x01,0x03,0x13,0x02,0x55,0x53, - 0x31,0x19,0x30,0x17,0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02,0x01, - 0x02,0x0C,0x08,0x44,0x65,0x6C,0x61,0x77,0x61,0x72,0x65,0x31,0x1D,0x30,0x1B,0x06, - 0x03,0x55,0x04,0x0F,0x13,0x14,0x50,0x72,0x69,0x76,0x61,0x74,0x65,0x20,0x4F,0x72, - 
0x67,0x61,0x6E,0x69,0x7A,0x61,0x74,0x69,0x6F,0x6E,0x31,0x10,0x30,0x0E,0x06,0x03, - 0x55,0x04,0x05,0x13,0x07,0x33,0x30,0x31,0x34,0x32,0x36,0x37,0x31,0x0B,0x30,0x09, - 0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55, - 0x04,0x11,0x0C,0x0A,0x39,0x35,0x31,0x33,0x31,0x2D,0x32,0x30,0x32,0x31,0x31,0x13, - 0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72, - 0x6E,0x69,0x61,0x31,0x11,0x30,0x0F,0x06,0x03,0x55,0x04,0x07,0x0C,0x08,0x53,0x61, - 0x6E,0x20,0x4A,0x6F,0x73,0x65,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x09,0x0C, - 0x0D,0x32,0x32,0x31,0x31,0x20,0x4E,0x20,0x31,0x73,0x74,0x20,0x53,0x74,0x31,0x15, - 0x30,0x13,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0C,0x50,0x61,0x79,0x50,0x61,0x6C,0x2C, - 0x20,0x49,0x6E,0x63,0x2E,0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0B,0x0C,0x0B, - 0x43,0x44,0x4E,0x20,0x53,0x75,0x70,0x70,0x6F,0x72,0x74,0x31,0x17,0x30,0x15,0x06, - 0x03,0x55,0x04,0x03,0x0C,0x0E,0x77,0x77,0x77,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C, - 0x2E,0x63,0x6F,0x6D,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, - 0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A, - 0x02,0x82,0x01,0x01,0x00,0xDC,0x6F,0x1C,0x60,0xDA,0x9C,0x32,0xF8,0x82,0x72,0x77, - 0xFD,0x51,0x80,0x59,0x6B,0xDB,0xC5,0x6A,0x36,0x4D,0x6E,0x8A,0x49,0x83,0xDE,0x75, - 0x1F,0x90,0xCB,0xB6,0x53,0xB9,0x3C,0x42,0xB9,0x1C,0xB5,0x53,0xAF,0x50,0x88,0x8D, - 0xE8,0xA8,0x7F,0xA6,0xA6,0x1F,0x0D,0x21,0xD4,0x5C,0x6F,0x0C,0x33,0x7E,0x3A,0x19, - 0x58,0xD9,0x5D,0x01,0xD3,0x08,0xE2,0xD2,0x59,0x54,0xA9,0xC7,0xAB,0x4D,0xC6,0xFF, - 0x05,0xA6,0x0B,0xBF,0xB6,0x11,0x12,0x34,0xEA,0xD7,0x23,0xCE,0x3E,0x60,0x21,0xBE, - 0xFE,0xCD,0xDB,0x65,0x1C,0xAF,0x62,0x96,0x3E,0x73,0xBD,0x08,0x05,0x6E,0xEA,0x33, - 0x1E,0xD5,0x59,0xC2,0x71,0xA5,0xE5,0x22,0xCE,0xD0,0x17,0xA5,0xD2,0xAC,0x7C,0xDC, - 0xEA,0xE8,0xBA,0x70,0x16,0x8B,0xE5,0x90,0x6C,0x7C,0xA0,0xB4,0x79,0x73,0x50,0x5E, - 0x26,0x88,0xA3,0x5F,0xF8,0x47,0x63,0x73,0x52,0x62,0x1F,0xC6,0xE2,0xEA,0xF5,0xF6, - 
0x21,0x40,0x5D,0xF2,0x19,0xF2,0x73,0x05,0x25,0x39,0xEF,0x6F,0xCF,0xA0,0x84,0xE9, - 0xA4,0xEF,0x57,0xAC,0x6C,0x25,0xCD,0x7C,0x7C,0xD4,0x34,0x24,0x20,0x07,0xDD,0x0D, - 0x09,0x45,0xBD,0x98,0xA9,0xEE,0x83,0xD5,0xF2,0x8B,0x05,0xA2,0x29,0x37,0x0C,0xF4, - 0x62,0x17,0xC2,0x27,0x57,0x9D,0xE3,0x03,0xE3,0xAB,0x02,0x9D,0xFA,0xC9,0xFF,0x81, - 0x16,0xAB,0x2A,0x94,0x9B,0x3E,0x04,0xB7,0x78,0x2F,0xE9,0x7D,0x76,0x3B,0x22,0x85, - 0xB6,0x45,0x9F,0x42,0x55,0x36,0x2A,0xCB,0x49,0x0A,0xC0,0xFB,0xB8,0x0F,0x5B,0x85, - 0xD1,0x87,0x26,0x1B,0xE9,0x02,0x03,0x01,0x00,0x01,0xA3,0x82,0x03,0x3F,0x30,0x82, - 0x03,0x3B,0x30,0x6E,0x06,0x03,0x55,0x1D,0x11,0x04,0x67,0x30,0x65,0x82,0x0C,0x63, - 0x2E,0x70,0x61,0x79,0x70,0x61,0x6C,0x2E,0x63,0x6F,0x6D,0x82,0x0D,0x63,0x36,0x2E, - 0x70,0x61,0x79,0x70,0x61,0x6C,0x2E,0x63,0x6F,0x6D,0x82,0x14,0x64,0x65,0x76,0x65, - 0x6C,0x6F,0x70,0x65,0x72,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C,0x2E,0x63,0x6F,0x6D, - 0x82,0x12,0x68,0x69,0x73,0x74,0x6F,0x72,0x79,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C, - 0x2E,0x63,0x6F,0x6D,0x82,0x0C,0x74,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C,0x2E,0x63, - 0x6F,0x6D,0x82,0x0E,0x77,0x77,0x77,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C,0x2E,0x63, - 0x6F,0x6D,0x30,0x09,0x06,0x03,0x55,0x1D,0x13,0x04,0x02,0x30,0x00,0x30,0x0E,0x06, - 0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x1D,0x06, - 0x03,0x55,0x1D,0x25,0x04,0x16,0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07, - 0x03,0x01,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x30,0x66,0x06,0x03, - 0x55,0x1D,0x20,0x04,0x5F,0x30,0x5D,0x30,0x5B,0x06,0x0B,0x60,0x86,0x48,0x01,0x86, - 0xF8,0x45,0x01,0x07,0x17,0x06,0x30,0x4C,0x30,0x23,0x06,0x08,0x2B,0x06,0x01,0x05, - 0x05,0x07,0x02,0x01,0x16,0x17,0x68,0x74,0x74,0x70,0x73,0x3A,0x2F,0x2F,0x64,0x2E, - 0x73,0x79,0x6D,0x63,0x62,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x70,0x73,0x30,0x25,0x06, - 0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x02,0x30,0x19,0x1A,0x17,0x68,0x74,0x74, - 0x70,0x73,0x3A,0x2F,0x2F,0x64,0x2E,0x73,0x79,0x6D,0x63,0x62,0x2E,0x63,0x6F,0x6D, - 
0x2F,0x72,0x70,0x61,0x30,0x1F,0x06,0x03,0x55,0x1D,0x23,0x04,0x18,0x30,0x16,0x80, - 0x14,0x01,0x59,0xAB,0xE7,0xDD,0x3A,0x0B,0x59,0xA6,0x64,0x63,0xD6,0xCF,0x20,0x07, - 0x57,0xD5,0x91,0xE7,0x6A,0x30,0x2B,0x06,0x03,0x55,0x1D,0x1F,0x04,0x24,0x30,0x22, - 0x30,0x20,0xA0,0x1E,0xA0,0x1C,0x86,0x1A,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x73, - 0x72,0x2E,0x73,0x79,0x6D,0x63,0x62,0x2E,0x63,0x6F,0x6D,0x2F,0x73,0x72,0x2E,0x63, - 0x72,0x6C,0x30,0x57,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x4B, - 0x30,0x49,0x30,0x1F,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x13, - 0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x73,0x72,0x2E,0x73,0x79,0x6D,0x63,0x64,0x2E, - 0x63,0x6F,0x6D,0x30,0x26,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x30,0x02,0x86, - 0x1A,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x73,0x72,0x2E,0x73,0x79,0x6D,0x63,0x62, - 0x2E,0x63,0x6F,0x6D,0x2F,0x73,0x72,0x2E,0x63,0x72,0x74,0x30,0x82,0x01,0x7E,0x06, - 0x0A,0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x02,0x04,0x82,0x01,0x6E,0x04, - 0x82,0x01,0x6A,0x01,0x68,0x00,0x76,0x00,0xA4,0xB9,0x09,0x90,0xB4,0x18,0x58,0x14, - 0x87,0xBB,0x13,0xA2,0xCC,0x67,0x70,0x0A,0x3C,0x35,0x98,0x04,0xF9,0x1B,0xDF,0xB8, - 0xE3,0x77,0xCD,0x0E,0xC8,0x0D,0xDC,0x10,0x00,0x00,0x01,0x4F,0x90,0x71,0x2A,0x7C, - 0x00,0x00,0x04,0x03,0x00,0x47,0x30,0x45,0x02,0x21,0x00,0xB4,0x81,0x1F,0xE7,0x9F, - 0xB6,0xA2,0x06,0xC9,0x0B,0x93,0xBB,0x21,0x87,0x27,0x65,0x05,0x01,0x2D,0x66,0x40, - 0x64,0x14,0x1F,0x13,0x6D,0xF1,0x4B,0x9A,0x91,0x4F,0x53,0x02,0x20,0x37,0x17,0x0D, - 0xF8,0x66,0xBD,0xFD,0x6C,0xFE,0x55,0x62,0x2D,0xCD,0xBC,0x79,0x0B,0x0A,0x3F,0x81, - 0x91,0xCE,0xD5,0x86,0x27,0x11,0xA1,0x18,0x62,0x57,0x54,0xEB,0x8F,0x00,0x76,0x00, - 0x56,0x14,0x06,0x9A,0x2F,0xD7,0xC2,0xEC,0xD3,0xF5,0xE1,0xBD,0x44,0xB2,0x3E,0xC7, - 0x46,0x76,0xB9,0xBC,0x99,0x11,0x5C,0xC0,0xEF,0x94,0x98,0x55,0xD6,0x89,0xD0,0xDD, - 0x00,0x00,0x01,0x4F,0x90,0x71,0x2A,0xDB,0x00,0x00,0x04,0x03,0x00,0x47,0x30,0x45, - 0x02,0x21,0x00,0xE8,0xAA,0x58,0x90,0x87,0x74,0x96,0x5C,0xFB,0x69,0x28,0x83,0xEF, - 
0x2E,0x40,0xD5,0x57,0xFF,0x5A,0x84,0x65,0x65,0x2E,0x27,0x4C,0x4C,0x91,0xE5,0x14, - 0xB1,0xBF,0xF8,0x02,0x20,0x0F,0x13,0x6B,0xF9,0x53,0x98,0xC9,0xAC,0x81,0xA0,0x09, - 0x52,0xDD,0x85,0x07,0xB7,0xD5,0x83,0x70,0xDF,0x68,0x96,0xA1,0x4D,0xFC,0x80,0x03, - 0xEC,0x68,0x88,0x5F,0xB5,0x00,0x76,0x00,0x68,0xF6,0x98,0xF8,0x1F,0x64,0x82,0xBE, - 0x3A,0x8C,0xEE,0xB9,0x28,0x1D,0x4C,0xFC,0x71,0x51,0x5D,0x67,0x93,0xD4,0x44,0xD1, - 0x0A,0x67,0xAC,0xBB,0x4F,0x4F,0xFB,0xC4,0x00,0x00,0x01,0x4F,0x90,0x71,0x2A,0x71, - 0x00,0x00,0x04,0x03,0x00,0x47,0x30,0x45,0x02,0x21,0x00,0xB5,0x0A,0x2B,0x5C,0x21, - 0x90,0x66,0x47,0x9C,0x12,0x8D,0xD4,0x5C,0x8E,0x98,0x5B,0x35,0x48,0x8D,0x0C,0xB9, - 0x77,0xB2,0x36,0xBB,0xEE,0x0C,0x62,0x7F,0x04,0x3D,0xBC,0x02,0x20,0x5A,0xCA,0xCD, - 0x03,0xF8,0x6D,0xAF,0x25,0x75,0x15,0x0B,0xA4,0x95,0x47,0x9A,0x04,0x24,0x49,0xCB, - 0x79,0x18,0x87,0xC1,0x28,0x75,0x5D,0x47,0x37,0x45,0x06,0x1B,0x6B,0x30,0x0D,0x06, - 0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03,0x82,0x01,0x01, - 0x00,0x9B,0x81,0x01,0x7F,0xE6,0x12,0x3B,0x64,0x51,0xBF,0x25,0xFF,0x1A,0xF9,0x2C, - 0x8F,0x11,0xEC,0x15,0x5B,0xC8,0x7C,0xA1,0x7C,0xCB,0xB9,0x37,0xA4,0xAA,0x8B,0xE5, - 0x15,0xAE,0x1F,0xCC,0x2E,0x6F,0xEA,0xA0,0xD0,0x22,0x97,0x04,0xAE,0x34,0xB8,0xC1, - 0x78,0xEE,0x67,0x06,0xE2,0x8E,0xDC,0x28,0x48,0xD8,0xDD,0x6A,0xF1,0xAE,0xEB,0xBA, - 0xB8,0xEF,0x1B,0x1B,0x6D,0xEE,0xF4,0xF9,0xF3,0x93,0x2F,0x48,0xD7,0x05,0xC7,0x08, - 0x49,0x42,0x5B,0x98,0xDA,0xFC,0xC6,0x7E,0xA0,0xAB,0xC8,0xC5,0xF6,0x0B,0x6C,0x1B, - 0x5F,0x43,0x56,0x8B,0x90,0x3E,0xF7,0xC7,0x23,0xF5,0xA8,0xC4,0x21,0xFA,0x80,0x70, - 0x8E,0xD9,0xF5,0xF5,0x41,0x9E,0xBF,0x5A,0x8B,0xBC,0xEA,0xE6,0xCA,0xE8,0x0A,0x0D, - 0x58,0xDC,0xB1,0xA3,0xFD,0x58,0x3D,0x4C,0xDD,0x65,0x1C,0x43,0x13,0xE9,0x38,0x9F, - 0x43,0xC7,0x72,0xB2,0x19,0xEF,0x2A,0x52,0xE3,0x87,0xD4,0x63,0xE9,0x5A,0x37,0xEB, - 0xDE,0x21,0xCF,0xC5,0x10,0xED,0x71,0xE8,0xEF,0x74,0xA2,0xD6,0xBC,0x1F,0xCA,0xDA, - 0x50,0x9F,0x79,0xFF,0x13,0x5D,0x28,0xDA,0xF9,0xAE,0x66,0x97,0x40,0x13,0x60,0xD4, - 
0x03,0x44,0x9C,0x26,0x64,0x5C,0xE8,0x6C,0xCF,0xC6,0x2E,0xB9,0x78,0x9A,0x87,0x64, - 0x25,0xD2,0x06,0xB8,0x98,0x70,0x1A,0x3B,0xD8,0xBD,0x57,0xE0,0x94,0x9F,0x9D,0x5C, - 0x41,0x5C,0x4E,0x16,0xFB,0xEA,0x52,0x75,0xFC,0x0D,0xE9,0xE6,0x27,0x92,0x36,0x93, - 0xC2,0x8C,0x80,0x40,0x2B,0x44,0xE8,0xD5,0x14,0xBF,0x45,0x18,0x8D,0x59,0xC7,0xC8, - 0x9C, +/* SHA1 Fingerprint=BB:20:B0:3F:FB:93:E1:77:FF:23:A7:43:89:49:60:1A:41:AE:C6:1C */ +/* EXPIRES Oct 30 23:59:59 2019 GMT */ + +unsigned char leaf_certificate[1896]={ + 0x30,0x82,0x07,0x64,0x30,0x82,0x06,0x4C,0xA0,0x03,0x02,0x01,0x02,0x02,0x10,0x57, + 0xCB,0x7E,0x15,0xE2,0xE3,0xE2,0x44,0xD8,0x2B,0x01,0x63,0x29,0x46,0xEB,0xF0,0x30, + 0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x77, + 0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x1D,0x30, + 0x1B,0x06,0x03,0x55,0x04,0x0A,0x13,0x14,0x53,0x79,0x6D,0x61,0x6E,0x74,0x65,0x63, + 0x20,0x43,0x6F,0x72,0x70,0x6F,0x72,0x61,0x74,0x69,0x6F,0x6E,0x31,0x1F,0x30,0x1D, + 0x06,0x03,0x55,0x04,0x0B,0x13,0x16,0x53,0x79,0x6D,0x61,0x6E,0x74,0x65,0x63,0x20, + 0x54,0x72,0x75,0x73,0x74,0x20,0x4E,0x65,0x74,0x77,0x6F,0x72,0x6B,0x31,0x28,0x30, + 0x26,0x06,0x03,0x55,0x04,0x03,0x13,0x1F,0x53,0x79,0x6D,0x61,0x6E,0x74,0x65,0x63, + 0x20,0x43,0x6C,0x61,0x73,0x73,0x20,0x33,0x20,0x45,0x56,0x20,0x53,0x53,0x4C,0x20, + 0x43,0x41,0x20,0x2D,0x20,0x47,0x33,0x30,0x1E,0x17,0x0D,0x31,0x37,0x30,0x39,0x32, + 0x32,0x30,0x30,0x30,0x30,0x30,0x30,0x5A,0x17,0x0D,0x31,0x39,0x31,0x30,0x33,0x30, + 0x32,0x33,0x35,0x39,0x35,0x39,0x5A,0x30,0x82,0x01,0x09,0x31,0x13,0x30,0x11,0x06, + 0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02,0x01,0x03,0x13,0x02,0x55,0x53, + 0x31,0x19,0x30,0x17,0x06,0x0B,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02,0x01, + 0x02,0x0C,0x08,0x44,0x65,0x6C,0x61,0x77,0x61,0x72,0x65,0x31,0x1D,0x30,0x1B,0x06, + 0x03,0x55,0x04,0x0F,0x13,0x14,0x50,0x72,0x69,0x76,0x61,0x74,0x65,0x20,0x4F,0x72, + 0x67,0x61,0x6E,0x69,0x7A,0x61,0x74,0x69,0x6F,0x6E,0x31,0x10,0x30,0x0E,0x06,0x03, + 
0x55,0x04,0x05,0x13,0x07,0x33,0x30,0x31,0x34,0x32,0x36,0x37,0x31,0x0B,0x30,0x09, + 0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55, + 0x04,0x11,0x0C,0x0A,0x39,0x35,0x31,0x33,0x31,0x2D,0x32,0x30,0x32,0x31,0x31,0x13, + 0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72, + 0x6E,0x69,0x61,0x31,0x11,0x30,0x0F,0x06,0x03,0x55,0x04,0x07,0x0C,0x08,0x53,0x61, + 0x6E,0x20,0x4A,0x6F,0x73,0x65,0x31,0x16,0x30,0x14,0x06,0x03,0x55,0x04,0x09,0x0C, + 0x0D,0x32,0x32,0x31,0x31,0x20,0x4E,0x20,0x31,0x73,0x74,0x20,0x53,0x74,0x31,0x15, + 0x30,0x13,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0C,0x50,0x61,0x79,0x50,0x61,0x6C,0x2C, + 0x20,0x49,0x6E,0x63,0x2E,0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x0B,0x0C,0x0B, + 0x43,0x44,0x4E,0x20,0x53,0x75,0x70,0x70,0x6F,0x72,0x74,0x31,0x17,0x30,0x15,0x06, + 0x03,0x55,0x04,0x03,0x0C,0x0E,0x77,0x77,0x77,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C, + 0x2E,0x63,0x6F,0x6D,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, + 0xF7,0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A, + 0x02,0x82,0x01,0x01,0x00,0xBF,0xF7,0x98,0x4B,0x4E,0xAA,0xF2,0x2F,0xC6,0x77,0xAB, + 0x26,0x76,0x60,0x2E,0xAB,0x50,0xBD,0x47,0xFF,0x8B,0x7C,0xB7,0x4A,0x75,0x0D,0x81, + 0xF7,0x46,0xE2,0x6B,0x03,0x9F,0xE4,0x07,0xFF,0xC0,0xAC,0xE5,0x15,0x7C,0x0B,0x81, + 0xAA,0xD0,0x32,0x88,0xB0,0x58,0x4E,0xEB,0xC1,0x13,0xCC,0x27,0xDD,0x1A,0x27,0x40, + 0xE8,0xF8,0x16,0x39,0x9A,0x4D,0x55,0xD5,0x0D,0x47,0x7C,0xD1,0x58,0xDB,0x41,0x8E, + 0x41,0x0E,0x3E,0xF2,0x3B,0x05,0x78,0x5D,0x8B,0xBF,0x28,0x71,0x41,0x11,0xC9,0x14, + 0xDB,0xE5,0xE2,0xAA,0x80,0x84,0xD0,0xE8,0xA7,0x2C,0xAA,0xC2,0x06,0xC8,0xDC,0xD3, + 0x18,0x35,0x42,0xA0,0x47,0xD5,0xB5,0xBA,0x57,0x66,0xC3,0x01,0x1F,0xC1,0x3A,0x58, + 0xE8,0x39,0x94,0xF5,0x5E,0x50,0x73,0x7E,0xB6,0x84,0x45,0x27,0xFC,0x52,0x4C,0xEF, + 0x1E,0x32,0x30,0x13,0x0C,0xF5,0x93,0xE5,0xB9,0xA8,0xA0,0x1C,0x05,0xA9,0x69,0xB7, + 0xA4,0x07,0x27,0xB9,0x6E,0x30,0x99,0x3A,0x6F,0x33,0xD7,0xFF,0x24,0xAE,0x02,0x12, + 
0x08,0xF8,0x55,0x3F,0x30,0xEC,0xA2,0x5F,0x93,0x34,0x8B,0xAB,0x05,0xE6,0x8D,0xD5, + 0x93,0xBE,0x93,0x78,0x3E,0x97,0xA8,0x66,0xDC,0xA9,0x25,0x9B,0xF0,0x18,0x1A,0xFA, + 0xAE,0x80,0x99,0xC6,0x0F,0xE2,0x67,0xAA,0x26,0xA8,0xED,0xE8,0xFF,0x45,0x8F,0x45, + 0x0E,0xC8,0xC3,0x28,0x51,0x12,0xA6,0x17,0x1E,0x27,0xC8,0x61,0x71,0xC7,0x34,0x40, + 0xD0,0xC9,0xBA,0x49,0x72,0x9B,0xBD,0x57,0xCD,0xEA,0xD5,0x86,0x63,0x51,0x1D,0x48, + 0x14,0x70,0xBE,0xD4,0xD5,0x02,0x03,0x01,0x00,0x01,0xA3,0x82,0x03,0x56,0x30,0x82, + 0x03,0x52,0x30,0x7C,0x06,0x03,0x55,0x1D,0x11,0x04,0x75,0x30,0x73,0x82,0x12,0x68, + 0x69,0x73,0x74,0x6F,0x72,0x79,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C,0x2E,0x63,0x6F, + 0x6D,0x82,0x0C,0x74,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C,0x2E,0x63,0x6F,0x6D,0x82, + 0x0C,0x63,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C,0x2E,0x63,0x6F,0x6D,0x82,0x0D,0x63, + 0x36,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C,0x2E,0x63,0x6F,0x6D,0x82,0x14,0x64,0x65, + 0x76,0x65,0x6C,0x6F,0x70,0x65,0x72,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C,0x2E,0x63, + 0x6F,0x6D,0x82,0x0C,0x70,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C,0x2E,0x63,0x6F,0x6D, + 0x82,0x0E,0x77,0x77,0x77,0x2E,0x70,0x61,0x79,0x70,0x61,0x6C,0x2E,0x63,0x6F,0x6D, + 0x30,0x09,0x06,0x03,0x55,0x1D,0x13,0x04,0x02,0x30,0x00,0x30,0x0E,0x06,0x03,0x55, + 0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x05,0xA0,0x30,0x1D,0x06,0x03,0x55, + 0x1D,0x25,0x04,0x16,0x30,0x14,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x01, + 0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x30,0x6F,0x06,0x03,0x55,0x1D, + 0x20,0x04,0x68,0x30,0x66,0x30,0x5B,0x06,0x0B,0x60,0x86,0x48,0x01,0x86,0xF8,0x45, + 0x01,0x07,0x17,0x06,0x30,0x4C,0x30,0x23,0x06,0x08,0x2B,0x06,0x01,0x05,0x05,0x07, + 0x02,0x01,0x16,0x17,0x68,0x74,0x74,0x70,0x73,0x3A,0x2F,0x2F,0x64,0x2E,0x73,0x79, + 0x6D,0x63,0x62,0x2E,0x63,0x6F,0x6D,0x2F,0x63,0x70,0x73,0x30,0x25,0x06,0x08,0x2B, + 0x06,0x01,0x05,0x05,0x07,0x02,0x02,0x30,0x19,0x0C,0x17,0x68,0x74,0x74,0x70,0x73, + 0x3A,0x2F,0x2F,0x64,0x2E,0x73,0x79,0x6D,0x63,0x62,0x2E,0x63,0x6F,0x6D,0x2F,0x72, + 
0x70,0x61,0x30,0x07,0x06,0x05,0x67,0x81,0x0C,0x01,0x01,0x30,0x1F,0x06,0x03,0x55, + 0x1D,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x01,0x59,0xAB,0xE7,0xDD,0x3A,0x0B,0x59, + 0xA6,0x64,0x63,0xD6,0xCF,0x20,0x07,0x57,0xD5,0x91,0xE7,0x6A,0x30,0x2B,0x06,0x03, + 0x55,0x1D,0x1F,0x04,0x24,0x30,0x22,0x30,0x20,0xA0,0x1E,0xA0,0x1C,0x86,0x1A,0x68, + 0x74,0x74,0x70,0x3A,0x2F,0x2F,0x73,0x72,0x2E,0x73,0x79,0x6D,0x63,0x62,0x2E,0x63, + 0x6F,0x6D,0x2F,0x73,0x72,0x2E,0x63,0x72,0x6C,0x30,0x57,0x06,0x08,0x2B,0x06,0x01, + 0x05,0x05,0x07,0x01,0x01,0x04,0x4B,0x30,0x49,0x30,0x1F,0x06,0x08,0x2B,0x06,0x01, + 0x05,0x05,0x07,0x30,0x01,0x86,0x13,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x73,0x72, + 0x2E,0x73,0x79,0x6D,0x63,0x64,0x2E,0x63,0x6F,0x6D,0x30,0x26,0x06,0x08,0x2B,0x06, + 0x01,0x05,0x05,0x07,0x30,0x02,0x86,0x1A,0x68,0x74,0x74,0x70,0x3A,0x2F,0x2F,0x73, + 0x72,0x2E,0x73,0x79,0x6D,0x63,0x62,0x2E,0x63,0x6F,0x6D,0x2F,0x73,0x72,0x2E,0x63, + 0x72,0x74,0x30,0x82,0x01,0x7E,0x06,0x0A,0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02, + 0x04,0x02,0x04,0x82,0x01,0x6E,0x04,0x82,0x01,0x6A,0x01,0x68,0x00,0x75,0x00,0xDD, + 0xEB,0x1D,0x2B,0x7A,0x0D,0x4F,0xA6,0x20,0x8B,0x81,0xAD,0x81,0x68,0x70,0x7E,0x2E, + 0x8E,0x9D,0x01,0xD5,0x5C,0x88,0x8D,0x3D,0x11,0xC4,0xCD,0xB6,0xEC,0xBE,0xCC,0x00, + 0x00,0x01,0x5E,0xAB,0x85,0x57,0xB1,0x00,0x00,0x04,0x03,0x00,0x46,0x30,0x44,0x02, + 0x20,0x07,0xE3,0x40,0xE7,0x2A,0x3C,0x38,0xEC,0xF4,0xFB,0x7D,0xBC,0x99,0x23,0xBA, + 0xD6,0x39,0x0D,0x7B,0x87,0x4C,0xF0,0x8B,0xAC,0x88,0x76,0x16,0x98,0xAD,0xED,0xAC, + 0x34,0x02,0x20,0x5E,0xA4,0x5A,0xF6,0xBD,0xD0,0xF2,0x4D,0x77,0x31,0x31,0x65,0x94, + 0xC1,0x2C,0x2D,0x16,0x2D,0x4C,0x8A,0xF3,0xAA,0x2C,0x63,0x3A,0x26,0x94,0x8F,0x5C, + 0x04,0x32,0xB4,0x00,0x77,0x00,0xA4,0xB9,0x09,0x90,0xB4,0x18,0x58,0x14,0x87,0xBB, + 0x13,0xA2,0xCC,0x67,0x70,0x0A,0x3C,0x35,0x98,0x04,0xF9,0x1B,0xDF,0xB8,0xE3,0x77, + 0xCD,0x0E,0xC8,0x0D,0xDC,0x10,0x00,0x00,0x01,0x5E,0xAB,0x85,0x57,0xEC,0x00,0x00, + 0x04,0x03,0x00,0x48,0x30,0x46,0x02,0x21,0x00,0xE4,0x54,0x30,0xB7,0x22,0x75,0x2E, + 
0x6B,0x3F,0xE9,0x65,0x5D,0x59,0x8B,0x0E,0x9F,0x44,0x9D,0x8C,0x05,0xB1,0xFB,0x11, + 0xD7,0x59,0x98,0x3C,0x35,0xEA,0x52,0xEA,0x9E,0x02,0x21,0x00,0xBD,0x07,0x6C,0x78, + 0x5B,0x81,0xFF,0x45,0x6E,0x8C,0x68,0x99,0x41,0x72,0xC1,0xE5,0x36,0x71,0x81,0x00, + 0x85,0x1D,0x2A,0xC4,0xFD,0x9E,0x7D,0x85,0xC0,0xD5,0x8F,0x6A,0x00,0x76,0x00,0xEE, + 0x4B,0xBD,0xB7,0x75,0xCE,0x60,0xBA,0xE1,0x42,0x69,0x1F,0xAB,0xE1,0x9E,0x66,0xA3, + 0x0F,0x7E,0x5F,0xB0,0x72,0xD8,0x83,0x00,0xC4,0x7B,0x89,0x7A,0xA8,0xFD,0xCB,0x00, + 0x00,0x01,0x5E,0xAB,0x85,0x59,0xB0,0x00,0x00,0x04,0x03,0x00,0x47,0x30,0x45,0x02, + 0x21,0x00,0xD5,0x8C,0xD3,0x11,0xE6,0x08,0xAA,0xCC,0x98,0x35,0xFC,0xED,0x49,0xF0, + 0x34,0x8B,0xE2,0x68,0x0D,0x66,0x65,0x8F,0x1D,0x56,0x7A,0x7E,0xC7,0x35,0x19,0xD1, + 0xB7,0x0A,0x02,0x20,0x6A,0x96,0x22,0xEC,0x63,0x63,0x79,0xE5,0x5E,0x27,0x98,0x19, + 0xDE,0x4F,0xFC,0x69,0x0A,0x22,0x64,0x97,0x70,0x92,0x67,0x9C,0x7C,0xF4,0x00,0xD1, + 0xDF,0xC2,0x61,0xE6,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01, + 0x0B,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x88,0x75,0x7C,0xEE,0x8C,0x6F,0x9E,0xE3, + 0xDA,0xB9,0x40,0x53,0x78,0xED,0x57,0x11,0x4C,0xE4,0x3F,0x11,0x4A,0xC3,0xDA,0x80, + 0x97,0xF4,0xF8,0x8E,0x0F,0x8E,0xB1,0x73,0x67,0x83,0xDE,0x3E,0x9E,0x2C,0x85,0x6B, + 0x02,0xB5,0x73,0x48,0x26,0x4D,0x43,0xD7,0x04,0xBD,0xC7,0x7D,0xC4,0xDC,0x03,0xB8, + 0x0B,0x35,0x7C,0x39,0x2C,0x42,0x24,0xB3,0xDC,0x15,0x78,0xF6,0x54,0x70,0xFC,0xE0, + 0x9B,0xF5,0x9F,0x30,0x08,0xB0,0x2F,0x4B,0xF1,0xA1,0x49,0x96,0x08,0x76,0x5C,0xAE, + 0xDC,0x3E,0x95,0x0D,0x1A,0x89,0x0C,0xDA,0x32,0xAD,0x2A,0x4B,0xD7,0x63,0x50,0x8C, + 0x0C,0xE3,0x08,0xEC,0x6F,0x78,0x55,0x67,0x05,0x68,0x65,0x22,0x39,0xE3,0x7E,0x36, + 0xD9,0x90,0xD2,0x3D,0x06,0x36,0xC7,0xDE,0xEE,0xF4,0xD6,0xDD,0xDA,0xC3,0xFB,0xAC, + 0x43,0xFE,0x2F,0x1C,0x64,0x9B,0xE2,0xDD,0xC0,0x89,0x8B,0x52,0x98,0x8D,0x0E,0xF6, + 0x09,0x2D,0xE4,0x4D,0x62,0x9C,0x16,0x22,0x96,0xFB,0x68,0x5B,0x94,0x87,0x87,0xCE, + 0x18,0x7E,0x41,0x60,0x79,0xA4,0x17,0x3E,0x71,0xF2,0xB1,0xA2,0x06,0xD8,0x71,0xD8, + 
0x33,0x0B,0x6A,0xD4,0x67,0x68,0x24,0x3E,0xBA,0xC6,0x21,0x94,0x5D,0x6A,0xF6,0x21, + 0x84,0x5F,0xD0,0xFF,0xAC,0xE4,0x3D,0xAA,0xAD,0x95,0x85,0xFC,0x4B,0x69,0x30,0x72, + 0xB7,0xBA,0x4D,0xDA,0x3A,0xED,0xD9,0x7D,0x40,0x1D,0x02,0x29,0xB8,0xD5,0x0C,0x09, + 0x9E,0x0D,0x74,0x8B,0xFA,0x62,0x02,0x4A,0x88,0x6E,0x7C,0x13,0x56,0xBA,0x99,0x3F, + 0x13,0x78,0x48,0x82,0xAC,0x43,0x8E,0x61, }; /* s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3 */ @@ -691,7 +692,7 @@ static void tests(void) CFDateRef VerifyDate; isnt(VerifyDate = CFDateCreate(NULL, 332900000.0), NULL, "Create verify date"); - // Standard evaluation should succeed for the given verify date + // Standard evaluation for the given verify date { SecTrustRef trust = NULL; SecTrustResultType trust_result; @@ -704,7 +705,9 @@ static void tests(void) ok_status(status = SecTrustEvaluate(trust, &trust_result), "SecTrustEvaluate"); // Check results - is_status(trust_result, kSecTrustResultUnspecified, "trust is kSecTrustResultUnspecified"); + // %%% This is now expected to fail, since the "TC TrustCenter Class 1 L1 CA IX" CA is revoked + // and the revocation information is present in the Valid database. + is_status(trust_result, kSecTrustResultFatalTrustFailure, "trust is kSecTrustResultFatalTrustFailure"); CFReleaseNull(trust); } @@ -723,7 +726,9 @@ static void tests(void) ok_status(status = SecTrustEvaluate(trust, &trust_result), "SecTrustEvaluate"); // Check results - is_status(trust_result, kSecTrustResultRecoverableTrustFailure, "trust is kSecTrustResultRecoverableTrustFailure"); + // %%% This is now expected to fail, since the "TC TrustCenter Class 1 L1 CA IX" CA is revoked + // and the revocation information is present in the Valid database. + is_status(trust_result, kSecTrustResultFatalTrustFailure, "trust is kSecTrustResultFatalTrustFailure"); CFReleaseNull(trust); } 
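Review bot: The replacement `leaf_certificate` carries its expiry in the comment above it (`EXPIRES Oct 30 23:59:59 2019 GMT`), so any evaluation of this leaf at the current time will start failing on that date, just as the 2017 leaf it replaces did. Whether every use pins a verify date is outside this hunk; a comment beside the array such as `/* evaluate only with a pinned verify date; leaf expires 2019-10-30 */` would record the constraint. The length is also restated by hand (`[1896]`); `unsigned char leaf_certificate[] = {` lets the compiler derive it, provided no other file declares the array with an explicit size.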
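Review bot: Both assertions changed in `tests()` (the hunks at -704 and -723) now require `kSecTrustResultFatalTrustFailure`, and the added comment says this depends on revocation data for the CA being present in the Valid database. That ties the result to state outside the test: on a machine where that database is missing or older, the evaluation would presumably return the previous values and the test would fail for a reason unrelated to the code under test. The comment should state the precondition instead of carrying a `%%%` marker, for example `// Requires the Valid database to hold the revocation entry for "TC TrustCenter Class 1 L1 CA IX"`. Since the two blocks now assert the same outcome, the comment should also say what still distinguishes them; `tests()` begins and ends outside these hunks.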
diff --git a/OSX/libsecurity_keychain/regressions/kc-43-seckey-interop.m b/OSX/libsecurity_keychain/regressions/kc-43-seckey-interop.m index 1e75f44e..7577325a 100644 --- a/OSX/libsecurity_keychain/regressions/kc-43-seckey-interop.m +++ b/OSX/libsecurity_keychain/regressions/kc-43-seckey-interop.m @@ -117,7 +117,6 @@ static void test_generate_nolegacy() { CFReleaseNull(pubKey); } -#if !RC_HIDE_J79 && !RC_HIDE_J80 static const int kTestGenerateAccessControlCount = 4; static void test_generate_access_control() { SecAccessControlRef ac = SecAccessControlCreateWithFlags(kCFAllocatorDefault, kSecAttrAccessibleAlways, @@ -149,9 +148,6 @@ static void test_generate_access_control() { CFReleaseSafe(privKey); CFReleaseSafe(pubKey); } -#else -static const int kTestGenerateAccessControlCount = 0; -#endif static const int kTestAddIOSKeyCount = 6; static void test_add_ios_key() { @@ -624,9 +620,7 @@ int kc_43_seckey_interop(int argc, char *const *argv) { plan_tests(kTestCount); test_generate_nolegacy(); -#if !RC_HIDE_J79 && !RC_HIDE_J80 test_generate_access_control(); -#endif test_add_ios_key(); test_store_cert_to_ios(); test_store_identity_to_ios(); diff --git a/OSX/libsecurity_smime/lib/SecCMS.c b/OSX/libsecurity_smime/lib/SecCMS.c index 11026ca4..9cfc874e 100644 --- a/OSX/libsecurity_smime/lib/SecCMS.c +++ b/OSX/libsecurity_smime/lib/SecCMS.c @@ -55,6 +55,7 @@ CFTypeRef kSecCMSSignedAttributes = CFSTR("kSecCMSSignedAttributes"); CFTypeRef kSecCMSSignDate = CFSTR("kSecCMSSignDate"); CFTypeRef kSecCMSAllCerts = CFSTR("kSecCMSAllCerts"); CFTypeRef kSecCMSHashAgility = CFSTR("kSecCMSHashAgility"); +CFTypeRef kSecCMSHashAgilityV2 = CFSTR("kSecCMSHashAgilityV2"); CFTypeRef kSecCMSBulkEncryptionAlgorithm = CFSTR("kSecCMSBulkEncryptionAlgorithm"); CFTypeRef kSecCMSEncryptionAlgorithmDESCBC = CFSTR("kSecCMSEncryptionAlgorithmDESCBC"); 
@@ -394,6 +395,13 @@ static OSStatus SecCMSVerifySignedData_internal(CFDataRef message, CFDataRef det CFDictionarySetValue(attrs, kSecCMSHashAgility, hash_agility_value); } } + + CFDictionaryRef hash_agility_values = NULL; + if (errSecSuccess == SecCmsSignerInfoGetAppleCodesigningHashAgilityV2(sigd->signerInfos[0], &hash_agility_values)) { + if (hash_agility_values) { + CFDictionarySetValue(attrs, kSecCMSHashAgilityV2, hash_agility_values); + } + } *signed_attributes = attrs; if (certs) CFRelease(certs); diff --git a/OSX/libsecurity_smime/lib/SecCMS.h b/OSX/libsecurity_smime/lib/SecCMS.h index 3c07a0ad..de9a7520 100644 --- a/OSX/libsecurity_smime/lib/SecCMS.h +++ b/OSX/libsecurity_smime/lib/SecCMS.h @@ -38,6 +38,7 @@ extern const void * kSecCMSSignedAttributes; extern const void * kSecCMSSignDate; extern const void * kSecCMSAllCerts; extern const void * kSecCMSHashAgility; +extern const void * kSecCMSHashAgilityV2; extern const void * kSecCMSHashingAlgorithmSHA1; extern const void * kSecCMSHashingAlgorithmSHA256; diff --git a/OSX/libsecurity_smime/lib/SecCmsBase.h b/OSX/libsecurity_smime/lib/SecCmsBase.h index 69c3ed86..ae85fe2a 100644 --- a/OSX/libsecurity_smime/lib/SecCmsBase.h +++ b/OSX/libsecurity_smime/lib/SecCmsBase.h @@ -484,8 +484,9 @@ typedef enum { SEC_OID_ECDSA_WITH_SHA384 = 212, SEC_OID_ECDSA_WITH_SHA512 = 213, - /* Apple CMS Attribute */ + /* Apple CMS Attributes */ SEC_OID_APPLE_HASH_AGILITY = 214, + SEC_OID_APPLE_HASH_AGILITY_V2 = 215, SEC_OID_TOTAL } SECOidTag; diff --git a/OSX/libsecurity_smime/lib/SecCmsSignerInfo.h b/OSX/libsecurity_smime/lib/SecCmsSignerInfo.h index 49894c45..f72605fb 100644 --- a/OSX/libsecurity_smime/lib/SecCmsSignerInfo.h +++ b/OSX/libsecurity_smime/lib/SecCmsSignerInfo.h 
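Review bot: A failure from `SecCmsSignerInfoGetAppleCodesigningHashAgilityV2` is dropped here, so a V2 attribute that is present but fails to decode leaves `attrs` looking exactly like a signature that never carried one. Consumers of `kSecCMSHashAgilityV2` then cannot tell a malformed attribute from an absent one (the consumers are not in this diff, so the impact is inferred). If the getter can distinguish "not present" from "present but invalid", the latter should fail verification; otherwise record the choice with `/* decode errors are treated as "attribute absent" */`. Only `sigd->signerInfos[0]` is consulted, matching the V1 code just above, and the function starts and ends outside the hunk.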
@@ -112,6 +112,12 @@ SecCmsSignerInfoGetCertList(SecCmsSignerInfoRef signerinfo); extern CFArrayRef SecCmsSignerInfoGetTimestampCertList(SecCmsSignerInfoRef signerinfo); +/*! + @function + */ +extern SecCertificateRef +SecCmsSignerInfoGetTimestampSigningCert(SecCmsSignerInfoRef signerinfo); + /*! @function @abstract Return the signing time, in UTCTime format, of a CMS signerInfo. @@ -152,6 +158,17 @@ SecCmsSignerInfoGetTimestampTimeWithPolicy(SecCmsSignerInfoRef sinfo, CFTypeRef OSStatus SecCmsSignerInfoGetAppleCodesigningHashAgility(SecCmsSignerInfoRef sinfo, CFDataRef *sdata); +/*! + @function + @abstract Return the data in the signed Codesigning Hash Agility V2 attribute. + @param sinfo SignerInfo data for this signer, pointer to a CFDictionaryRef for attribute values + @discussion Returns a CFDictionaryRef containing the values of the attribute. V2 encodes the hash + agility values using DER. + @result A return value of SECFailure is an error. + */ +extern OSStatus +SecCmsSignerInfoGetAppleCodesigningHashAgilityV2(SecCmsSignerInfoRef sinfo, CFDictionaryRef *sdict); + /*! @function @abstract Return the signing cert of a CMS signerInfo. 
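Review bot: The HeaderDoc block added for `SecCmsSignerInfoGetTimestampSigningCert` contains only `@function`, so the header does not say what is returned when the signer has no timestamp or whether the caller owns the reference. For an accessor returning `SecCertificateRef` a wrong guess about ownership is an over-release or a leak, so add `@abstract`, `@param signerinfo` and a `@result` line that states ownership and the NULL case. In the next hunk the `@param sinfo` line of the V2 getter also describes `sdict`, which should get its own `@param sdict` entry, and its `@result` names `SECFailure` although the function returns `OSStatus`. That block should likewise state whether the returned dictionary is retained for the caller.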
@@ -237,11 +254,21 @@ SecCmsSignerInfoAddCounterSignature(SecCmsSignerInfoRef signerinfo, /*! @function @abstract Add the Apple Codesigning Hash Agility attribute to the authenticated (i.e. signed) attributes of "signerinfo". - @discussion This is expected to be included in outgoing signed Apple code signatures. + @discussion This is expected to be included in outgoing Apple code signatures. */ OSStatus SecCmsSignerInfoAddAppleCodesigningHashAgility(SecCmsSignerInfoRef signerinfo, CFDataRef attrValue); +/*! + @function + @abstract Add the Apple Codesigning Hash Agility V2 attribute to the authenticated (i.e. signed) attributes of "signerinfo". + @discussion This is expected to be included in outgoing Apple code signatures. V2 encodes the hash agility values using DER. + The dictionary should have CFNumberRef keys, corresponding to SECOidTags for digest algorithms, and CFDataRef values, + corresponding to the digest value for that digest algorithm. + */ +OSStatus +SecCmsSignerInfoAddAppleCodesigningHashAgilityV2(SecCmsSignerInfoRef signerinfo, CFDictionaryRef attrValues); + /*! @function @abstract The following needs to be done in the S/MIME layer code after signature of a signerinfo has been verified. diff --git a/OSX/libsecurity_smime/lib/cmsattr.c b/OSX/libsecurity_smime/lib/cmsattr.c index 39c72172..28e9ba11 100644 --- a/OSX/libsecurity_smime/lib/cmsattr.c +++ b/OSX/libsecurity_smime/lib/cmsattr.c 
@@ -111,19 +111,23 @@ loser: OSStatus SecCmsAttributeAddValue(PLArenaPool *poolp, SecCmsAttribute *attr, CSSM_DATA_PTR value) { - CSSM_DATA copiedvalue; + CSSM_DATA_PTR copiedvalue; void *mark; PORT_Assert (poolp != NULL); mark = PORT_ArenaMark(poolp); - /* XXX we need an object memory model #$%#$%! */ - if (SECITEM_CopyItem(poolp, &copiedvalue, value) != SECSuccess) - goto loser; + if (value != NULL) { + if ((copiedvalue = SECITEM_AllocItem(poolp, NULL, value->Length)) == NULL) + goto loser; - if (SecCmsArrayAdd(poolp, (void ***)&(attr->values), (void *)&copiedvalue) != SECSuccess) - goto loser; + if (SECITEM_CopyItem(poolp, copiedvalue, value) != SECSuccess) + goto loser; + + if (SecCmsArrayAdd(poolp, (void ***)&(attr->values), (void *)copiedvalue) != SECSuccess) + goto loser; + } PORT_ArenaUnmark(poolp, mark); return SECSuccess; @@ -234,6 +238,7 @@ cms_attr_choose_attr_value_template(void *src_or_dest, Boolean encoding, const c switch (oiddata->offset) { case SEC_OID_PKCS9_SMIME_CAPABILITIES: case SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE: + case SEC_OID_APPLE_HASH_AGILITY_V2: /* these guys need to stay DER-encoded */ default: /* same goes for OIDs that are not handled here */ diff --git a/OSX/libsecurity_smime/lib/cmsdecode.c b/OSX/libsecurity_smime/lib/cmsdecode.c index 42107222..fdc69f3f 100644 --- a/OSX/libsecurity_smime/lib/cmsdecode.c +++ b/OSX/libsecurity_smime/lib/cmsdecode.c 
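Review bot: With the new `if (value != NULL)` guard, a NULL `value` makes `SecCmsAttributeAddValue` return `SECSuccess` without adding anything, and nothing in the function says this is intended. A caller that passes NULL because an earlier step failed would end up with an attribute that has no value and no error; either return failure for NULL or state the contract with `/* a NULL value is accepted and adds nothing */`. Separately, `SECITEM_AllocItem(poolp, NULL, value->Length)` followed by `SECITEM_CopyItem(poolp, copiedvalue, value)` appears to reserve the data buffer twice if `SECITEM_CopyItem` allocates its own destination as the NSS version does (not visible here). Allocating only the item header, e.g. `copiedvalue = PORT_ArenaZAlloc(poolp, sizeof(CSSM_DATA));`, would avoid that; the `loser:` path is outside the hunk.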
@@ -177,12 +177,15 @@ nss_cms_decoder_notify(void *arg, Boolean before, void *dest, int depth) if (nss_cms_before_data(p7dcx) != SECSuccess) { SEC_ASN1DecoderClearFilterProc(p7dcx->dcx); /* stop all processing */ p7dcx->error = PORT_GetError(); + PORT_SetError(0); // Clean the thread error since we've returned the error } } if (after && dest == &(cinfo->rawContent)) { /* we're right after of the data */ - if (nss_cms_after_data(p7dcx) != SECSuccess) + if (nss_cms_after_data(p7dcx) != SECSuccess) { p7dcx->error = PORT_GetError(); + PORT_SetError(0); // Clean the thread error since we've returned the error + } /* we don't need to see the contents anymore */ SEC_ASN1DecoderClearFilterProc(p7dcx->dcx); @@ -485,6 +488,7 @@ nss_cms_decoder_work_data(SecCmsDecoderRef p7dcx, data, len, final); if (rv != SECSuccess) { p7dcx->error = PORT_GetError(); + PORT_SetError(0); // Clean the thread error since we've returned the error goto loser; } @@ -600,6 +604,9 @@ SecCmsDecoderCreate(SecArenaPoolRef pool, SecCmsMessageRef cmsg; OSStatus result; + /* Clear the thread error to clean up dirty threads */ + PORT_SetError(0); + cmsg = SecCmsMessageCreate(pool); if (cmsg == NULL) goto loser; @@ -633,6 +640,7 @@ SecCmsDecoderCreate(SecArenaPoolRef pool, loser: result = PORT_GetError(); + PORT_SetError(0); // Clean the thread error since we've returned the error return result; } @@ -664,7 +672,7 @@ SecCmsDecoderUpdate(SecCmsDecoderRef p7dcx, const void *buf, CFIndex len) (void) SEC_ASN1DecoderFinish (p7dcx->dcx); p7dcx->dcx = NULL; } - PORT_SetError (p7dcx->error); + PORT_SetError (0); // Clean the thread error since we've returned the error return p7dcx->error; } @@ -719,6 +727,7 @@ loser: p7dcx->dcx = NULL; p7dcx->childp7dcx = NULL; PORT_Free(p7dcx); + PORT_SetError(0); // Clean the thread error since we've returned the error return result; } diff --git a/OSX/libsecurity_smime/lib/cmsencode.c b/OSX/libsecurity_smime/lib/cmsencode.c index 9d2db04e..04d20168 100644 
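Review bot: `SecCmsDecoderCreate` now clears the thread error on entry while its `loser:` path still returns `PORT_GetError()`, so a failing callee that sets no error makes the function return 0, which callers read as success. Previously a stale thread error could mask this; a guard such as `if (result == 0) result = SECFailure;` before the return makes the failure explicit (whether every callee sets an error is not visible here). The same pattern applies to `SecCmsEncoderCreate` (hunks at -577 and -598) and `SecCmsEncoderUpdate` (-647) in cmsencode.c. In `nss_cms_decoder_notify` and `nss_cms_encoder_notify` the comment says the error was "returned" although it is only stored, so `// error saved in p7dcx->error; clear the per-thread copy` would be more accurate. `SecCmsDecoderUpdate` also no longer republishes `p7dcx->error` through `PORT_SetError`, which changes what a caller reading `PORT_GetError()` after a failure will see.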
--- a/OSX/libsecurity_smime/lib/cmsencode.c +++ b/OSX/libsecurity_smime/lib/cmsencode.c @@ -193,8 +193,10 @@ nss_cms_encoder_notify(void *arg, Boolean before, void *dest, int depth) /* we're right before encoding the data (if we have some or not) */ /* (for encrypted data, we're right before the contentEncAlg which may change */ /* in nss_cms_before_data because of IV calculation when setting up encryption) */ - if (nss_cms_before_data(p7ecx) != SECSuccess) - p7ecx->error = PORT_GetError(); + if (nss_cms_before_data(p7ecx) != SECSuccess) { + p7ecx->error = PORT_GetError(); + PORT_SetError(0); // Clean the thread error since we've returned the error + } } if (before && dest == &(cinfo->rawContent)) { if ( ((childtype == SEC_OID_PKCS7_DATA) || (childtype == SEC_OID_OTHER)) && @@ -206,8 +208,10 @@ nss_cms_encoder_notify(void *arg, Boolean before, void *dest, int depth) SEC_ASN1EncoderSetTakeFromBuf(p7ecx->ecx); } if (after && dest == &(cinfo->rawContent)) { - if (nss_cms_after_data(p7ecx) != SECSuccess) - p7ecx->error = PORT_GetError(); + if (nss_cms_after_data(p7ecx) != SECSuccess) { + p7ecx->error = PORT_GetError(); + PORT_SetError(0); // Clean the thread error since we've returned the error + } SEC_ASN1EncoderClearNotifyProc(p7ecx->ecx); /* no need to get notified anymore */ } break; @@ -528,6 +532,9 @@ SecCmsEncoderCreate(SecCmsMessageRef cmsg, OSStatus result; SecCmsContentInfoRef cinfo; + /* Clear the thread error to clean up dirty threads */ + PORT_SetError(0); + SecCmsMessageSetEncodingParams(cmsg, pwfn, pwfn_arg, decrypt_key_cb, decrypt_key_cb_arg, detached_digestalgs, detached_digests); @@ -577,6 +584,7 @@ SecCmsEncoderCreate(SecCmsMessageRef cmsg, if (p7ecx->ecx == NULL) { result = PORT_GetError(); PORT_Free(p7ecx); + PORT_SetError(0); // Clean the thread error since we've returned the error goto loser; } p7ecx->ecxupdated = PR_FALSE; 
@@ -598,6 +606,7 @@ SecCmsEncoderCreate(SecCmsMessageRef cmsg, if (SEC_ASN1EncoderUpdate(p7ecx->ecx, NULL, 0) != SECSuccess) { result = PORT_GetError(); PORT_Free(p7ecx); + PORT_SetError(0); // Clean the thread error since we've returned the error goto loser; } @@ -647,8 +656,10 @@ SecCmsEncoderUpdate(SecCmsEncoderRef p7ecx, const void *data, CFIndex len) /* hand it the data so it can encode it (let DER trickle up the chain) */ result = nss_cms_encoder_work_data(p7ecx, NULL, (const unsigned char *)data, len, PR_FALSE, PR_TRUE); - if (result) + if (result) { result = PORT_GetError(); + PORT_SetError(0); // Clean the thread error since we've returned the error + } } return result; } @@ -754,6 +765,7 @@ SecCmsEncoderFinish(SecCmsEncoderRef p7ecx) loser: SEC_ASN1EncoderFinish(p7ecx->ecx); PORT_Free (p7ecx); + PORT_SetError(0); // Clean the thread error since we've returned the error return result; } diff --git a/OSX/libsecurity_smime/lib/cmspubkey.c b/OSX/libsecurity_smime/lib/cmspubkey.c index 19ff2065..ea27d7ce 100644 --- a/OSX/libsecurity_smime/lib/cmspubkey.c +++ b/OSX/libsecurity_smime/lib/cmspubkey.c @@ -65,22 +65,15 @@ * according to PKCS#1 and RFC2633 (S/MIME) */ OSStatus -SecCmsUtilEncryptSymKeyRSA(PLArenaPool *poolp, SecCertificateRef cert, +SecCmsUtilEncryptSymKeyRSA(PLArenaPool *poolp, SecCertificateRef cert, SecSymmetricKeyRef bulkkey, CSSM_DATA_PTR encKey) { - OSStatus rv; - SecPublicKeyRef publickey; - -#if TARGET_OS_MAC && !TARGET_OS_IPHONE - rv = SecCertificateCopyPublicKey(cert,&publickey); -#else - publickey = SecCertificateCopyPublicKey(cert); -#endif + SecPublicKeyRef publickey = SecCertificateCopyPublicKey_ios(cert); if (publickey == NULL) return SECFailure; - rv = SecCmsUtilEncryptSymKeyRSAPubKey(poolp, publickey, bulkkey, encKey); + OSStatus rv = SecCmsUtilEncryptSymKeyRSAPubKey(poolp, publickey, bulkkey, encKey); CFRelease(publickey); return rv; } 
@@ -94,6 +87,7 @@ SecCmsUtilEncryptSymKeyRSAPubKey(PLArenaPool *poolp, unsigned int data_len; //KeyType keyType; void *mark = NULL; + CFDictionaryRef theirKeyAttrs = NULL; mark = PORT_ArenaMark(poolp); if (!mark) @@ -108,15 +102,17 @@ SecCmsUtilEncryptSymKeyRSAPubKey(PLArenaPool *poolp, } #endif /* allocate memory for the encrypted key */ -#if TARGET_OS_MAC && !TARGET_OS_IPHONE - rv = SecKeyGetStrengthInBits(publickey, NULL, &data_len); - if (rv) + theirKeyAttrs = SecKeyCopyAttributes(publickey); + if (!theirKeyAttrs) { + goto loser; + } + + CFNumberRef keySizeNum = CFDictionaryGetValue(theirKeyAttrs, kSecAttrKeySizeInBits); + if (!CFNumberGetValue(keySizeNum, kCFNumberIntType, &data_len)) { goto loser; + } // Convert length to bytes; - data_len = data_len / 8; -#else - data_len = SecKeyGetSize(publickey, kSecKeyEncryptedDataSize); -#endif + data_len /= 8; encKey->Data = (unsigned char*)PORT_ArenaAlloc(poolp, data_len); encKey->Length = data_len; @@ -132,6 +128,9 @@ SecCmsUtilEncryptSymKeyRSAPubKey(PLArenaPool *poolp, return SECSuccess; loser: + if (theirKeyAttrs) { + CFRelease(theirKeyAttrs); + } if (mark) { PORT_ArenaRelease(poolp, mark); } diff --git a/OSX/libsecurity_smime/lib/cmssiginfo.c b/OSX/libsecurity_smime/lib/cmssiginfo.c index ac389d3c..ea597eeb 100644 --- a/OSX/libsecurity_smime/lib/cmssiginfo.c +++ b/OSX/libsecurity_smime/lib/cmssiginfo.c 
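Review bot: `keySizeNum` is passed to `CFNumberGetValue` without a NULL check in SecCmsUtilEncryptSymKeyRSAPubKey, so a key whose attribute dictionary lacks `kSecAttrKeySizeInBits` would crash instead of taking the `loser` path. Guard it with `if (!keySizeNum || !CFNumberGetValue(keySizeNum, kCFNumberIntType, &data_len)) { goto loser; }`. `data_len /= 8` rounds down and can produce 0, which then goes to `PORT_ArenaAlloc` and `encKey->Length`, so rejecting `data_len == 0` after the division is a cheap extra check. The function continues outside the hunk.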
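Review bot: `theirKeyAttrs` is released only under `loser:`, so the success path that ends in `return SECSuccess;` just above it appears to leak the dictionary returned by `SecKeyCopyAttributes`. Releasing it as soon as the key size has been read, `CFRelease(theirKeyAttrs); theirKeyAttrs = NULL;` right after `CFNumberGetValue` succeeds, covers both paths and keeps the `loser:` check valid. The lines between the two hunks are not visible, but they predate the new variable and so cannot release it.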
@@ -338,11 +338,21 @@ SecCmsSignerInfoDestroy(SecCmsSignerInfoRef si) (int)CFGetRetainCount(si->timestampCertList)); CFRelease(si->timestampCertList); } + if (si->timestampCert != NULL) { + dprintfRC("SecCmsSignerInfoDestroy top: timestampCert.rc %d\n", + (int)CFGetRetainCount(si->timestampCert)); + CFRelease(si->timestampCert); + } if (si->hashAgilityAttrValue != NULL) { dprintfRC("SecCmsSignerInfoDestroy top: hashAgilityAttrValue.rc %d\n", (int)CFGetRetainCount(si->hashAgilityAttrValue)); CFRelease(si->hashAgilityAttrValue); } + if (si->hashAgilityV2AttrValues != NULL) { + dprintfRC("SecCmsSignerInfoDestroy top: hashAgilityV2AttrValues.rc %d\n", + (int)CFGetRetainCount(si->hashAgilityV2AttrValues)); + CFRelease(si->hashAgilityV2AttrValues); + } /* XXX storage ??? */ } @@ -856,12 +866,18 @@ SecCmsSignerInfoGetCertList(SecCmsSignerInfoRef signerinfo) CFArrayRef SecCmsSignerInfoGetTimestampCertList(SecCmsSignerInfoRef signerinfo) { - dprintfRC("SecCmsSignerInfoGetCertList: timestampCertList.rc %d\n", + dprintfRC("SecCmsSignerInfoGetTimestampCertList: timestampCertList.rc %d\n", (int)CFGetRetainCount(signerinfo->timestampCertList)); return signerinfo->timestampCertList; } - +SecCertificateRef +SecCmsSignerInfoGetTimestampSigningCert(SecCmsSignerInfoRef signerinfo) +{ + dprintfRC("SecCmsSignerInfoGetTimestampSigningCert: timestampCert.rc %d\n", + (int)CFGetRetainCount(signerinfo->timestampCert)); + return signerinfo->timestampCert; +} int SecCmsSignerInfoGetVersion(SecCmsSignerInfoRef signerinfo) 
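Review bot: The new getter `SecCmsSignerInfoGetTimestampSigningCert` passes `signerinfo->timestampCert` to `CFGetRetainCount` without a NULL check, and the field stays NULL unless a timestamp token with at least one signer has been decoded. If `dprintfRC` evaluates its arguments in any build configuration, this is a NULL dereference in a plain accessor. Wrap the trace in `if (signerinfo->timestampCert != NULL)` as the SecCmsSignerInfoDestroy hunk above does. A one-line comment that the returned reference is not retained for the caller would also help.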
@@ -972,6 +988,113 @@ SecCmsSignerInfoGetAppleCodesigningHashAgility(SecCmsSignerInfoRef sinfo, CFData return errSecAllocate; } +/* AgileHash ::= SEQUENCE { + hashType OBJECT IDENTIFIER, + hashValues OCTET STRING } + */ +typedef struct { + SecAsn1Item digestOID; + SecAsn1Item digestValue; +} CMSAppleAgileHash; + +static const SecAsn1Template CMSAppleAgileHashTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(CMSAppleAgileHash) }, + { SEC_ASN1_OBJECT_ID, + offsetof(CMSAppleAgileHash, digestOID), }, + { SEC_ASN1_OCTET_STRING, + offsetof(CMSAppleAgileHash, digestValue), }, + { 0, } +}; + +static OSStatus CMSAddAgileHashToDictionary(CFMutableDictionaryRef dictionary, SecAsn1Item *DERAgileHash) { + PLArenaPool *tmppoolp = NULL; + OSStatus status = errSecSuccess; + CMSAppleAgileHash agileHash; + CFDataRef digestValue = NULL; + CFNumberRef digestTag = NULL; + + tmppoolp = PORT_NewArena(1024); + if (tmppoolp == NULL) { + return errSecAllocate; + } + + if ((status = SEC_ASN1DecodeItem(tmppoolp, &agileHash, CMSAppleAgileHashTemplate, DERAgileHash)) != errSecSuccess) { + goto loser; + } + + int64_t tag = SECOID_FindOIDTag(&agileHash.digestOID); + digestTag = CFNumberCreate(NULL, kCFNumberSInt64Type, &tag); + digestValue = CFDataCreate(NULL, agileHash.digestValue.Data, agileHash.digestValue.Length); + CFDictionaryAddValue(dictionary, digestTag, digestValue); + +loser: + CFReleaseNull(digestValue); + CFReleaseNull(digestTag); + if (tmppoolp) { + PORT_FreeArena(tmppoolp, PR_FALSE); + } + return status; +} + +/*! + @function + @abstract Return the data in the signed Codesigning Hash Agility V2 attribute. + @param sinfo SignerInfo data for this signer, pointer to a CFDictionaryRef for attribute values + @discussion Returns a CFDictionaryRef containing the values of the attribute + @result A return value of errSecInternal is an error trying to look up the oid. + A status value of success with null result data indicates the attribute was not present. 
+ */ +OSStatus +SecCmsSignerInfoGetAppleCodesigningHashAgilityV2(SecCmsSignerInfoRef sinfo, CFDictionaryRef *sdict) +{ + SecCmsAttribute *attr; + + if (sinfo == NULL || sdict == NULL) { + return errSecParam; + } + + *sdict = NULL; + + if (sinfo->hashAgilityV2AttrValues != NULL) { + *sdict = sinfo->hashAgilityV2AttrValues; /* cached copy */ + return SECSuccess; + } + + attr = SecCmsAttributeArrayFindAttrByOidTag(sinfo->authAttr, SEC_OID_APPLE_HASH_AGILITY_V2, PR_TRUE); + + /* attribute not found */ + if (attr == NULL) { + return SECSuccess; + } + + /* attrValues SET OF AttributeValue + * AttributeValue ::= ANY + */ + CSSM_DATA_PTR *values = attr->values; + if (values == NULL) { /* There must be values */ + return errSecDecode; + } + + CFMutableDictionaryRef agileHashValues = CFDictionaryCreateMutable(NULL, SecCmsArrayCount((void **)values), + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + while (*values != NULL) { + (void)CMSAddAgileHashToDictionary(agileHashValues, *values++); + } + if (CFDictionaryGetCount(agileHashValues) != SecCmsArrayCount((void **)attr->values)) { + CFReleaseNull(agileHashValues); + return errSecDecode; + } + + sinfo->hashAgilityV2AttrValues = agileHashValues; /* make cached copy */ + if (sinfo->hashAgilityV2AttrValues) { + *sdict = sinfo->hashAgilityV2AttrValues; + return SECSuccess; + } + return errSecAllocate; +} + /* * Return the signing cert of a CMS signerInfo. * @@ -1241,7 +1364,7 @@ loser: /* * SecCmsSignerInfoAddMSSMIMEEncKeyPrefs - add a SMIMEEncryptionKeyPreferences attribute to the - * authenticated (i.e. signed) attributes of "signerinfo", using the OID prefered by Microsoft. + * authenticated (i.e. signed) attributes of "signerinfo", using the OID preferred by Microsoft. * * This is expected to be included in outgoing signed messages for email (S/MIME), * if compatibility with Microsoft mail clients is wanted. 
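Review bot: In SecCmsSignerInfoGetAppleCodesigningHashAgilityV2 the result of `CFDictionaryCreateMutable` is handed to `CMSAddAgileHashToDictionary` and `CFDictionaryGetCount` before the only NULL test, which comes after the cache assignment, so an allocation failure would likely crash before the final `return errSecAllocate;` is reached. Add `if (agileHashValues == NULL) { return errSecAllocate; }` right after the create. In `CMSAddAgileHashToDictionary`, `agileHash` is decoded into without being zeroed and `digestTag`/`digestValue` go to `CFDictionaryAddValue` unchecked. A `memset(&agileHash, 0, sizeof(agileHash));` as the encoding helper does, plus a NULL check before the add, would make parsing of this signed attribute fail closed. The header comment mentions `errSecInternal`, which no visible path returns.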
@@ -1369,7 +1492,7 @@ SecCmsSignerInfoAddCounterSignature(SecCmsSignerInfoRef signerinfo, /*! @function @abstract Add the Apple Codesigning Hash Agility attribute to the authenticated (i.e. signed) attributes of "signerinfo". - @discussion This is expected to be included in outgoing signed Apple code signatures. + @discussion This is expected to be included in outgoing Apple code signatures. */ OSStatus SecCmsSignerInfoAddAppleCodesigningHashAgility(SecCmsSignerInfoRef signerinfo, CFDataRef attrValue) 
@@ -1414,6 +1537,91 @@ loser: return status; } +static OSStatus CMSAddAgileHashToAttribute(PLArenaPool *poolp, SecCmsAttribute *attr, CFNumberRef cftag, CFDataRef value) { + PLArenaPool *tmppoolp = NULL; + int64_t tag; + SECOidData *digestOid = NULL; + CMSAppleAgileHash agileHash; + SecAsn1Item attrValue = { .Data = NULL, .Length = 0 }; + OSStatus status = errSecSuccess; + + memset(&agileHash, 0, sizeof(agileHash)); + + if(!CFNumberGetValue(cftag, kCFNumberSInt64Type, &tag)) { + return errSecParam; + } + digestOid = SECOID_FindOIDByTag((SECOidTag)tag); + + agileHash.digestValue.Data = (uint8_t *)CFDataGetBytePtr(value); + agileHash.digestValue.Length = CFDataGetLength(value); + agileHash.digestOID.Data = digestOid->oid.Data; + agileHash.digestOID.Length = digestOid->oid.Length; + + tmppoolp = PORT_NewArena(1024); + if (tmppoolp == NULL) { + return errSecAllocate; + } + + if (SEC_ASN1EncodeItem(tmppoolp, &attrValue, &agileHash, CMSAppleAgileHashTemplate) == NULL) { + status = errSecParam; + goto loser; + } + + status = SecCmsAttributeAddValue(poolp, attr, &attrValue); + +loser: + if (tmppoolp) { + PORT_FreeArena(tmppoolp, PR_FALSE); + } + return status; +} + +/*! + @function + @abstract Add the Apple Codesigning Hash Agility attribute to the authenticated (i.e. signed) attributes of "signerinfo". + @discussion This is expected to be included in outgoing Apple code signatures. + */ +OSStatus +SecCmsSignerInfoAddAppleCodesigningHashAgilityV2(SecCmsSignerInfoRef signerinfo, CFDictionaryRef attrValues) +{ + __block SecCmsAttribute *attr; + __block PLArenaPool *poolp = signerinfo->cmsg->poolp; + void *mark = PORT_ArenaMark(poolp); + OSStatus status = SECFailure; + + /* The value is required for this attribute. 
*/ + if (!attrValues) { + status = errSecParam; + goto loser; + } + + if ((attr = SecCmsAttributeCreate(poolp, SEC_OID_APPLE_HASH_AGILITY_V2, + NULL, PR_TRUE)) == NULL) { + status = errSecAllocate; + goto loser; + } + + CFDictionaryForEach(attrValues, ^(const void *key, const void *value) { + if (!isNumber(key) || !isData(value)) { + return; + } + (void)CMSAddAgileHashToAttribute(poolp, attr, (CFNumberRef)key, (CFDataRef)value); + }); + + if (SecCmsSignerInfoAddAuthAttr(signerinfo, attr) != SECSuccess) { + status = errSecInternal; + goto loser; + } + + PORT_ArenaUnmark(poolp, mark); + return SECSuccess; + +loser: + PORT_ArenaRelease(poolp, mark); + return status; +} + + SecCertificateRef SecCmsSignerInfoCopyCertFromEncryptionKeyPreference(SecCmsSignerInfoRef signerinfo) { SecCertificateRef cert = NULL; SecCmsAttribute *attr; @@ -1426,6 +1634,12 @@ SecCertificateRef SecCmsSignerInfoCopyCertFromEncryptionKeyPreference(SecCmsSign if (signerinfo->verificationStatus != SecCmsVSGoodSignature) return NULL; + /* Prep the raw certs */ + CSSM_DATA_PTR *rawCerts = NULL; + if (signerinfo->sigd) { + rawCerts = signerinfo->sigd->rawCerts; + } + /* find preferred encryption cert */ if (!SecCmsArrayIsEmpty((void **)signerinfo->authAttr) && (attr = SecCmsAttributeArrayFindAttrByOidTag(signerinfo->authAttr, 
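Review bot: `CMSAddAgileHashToAttribute` dereferences `digestOid->oid.Data` without checking the result of `SECOID_FindOIDByTag`, and the tag comes from a caller-supplied dictionary key, so an unrecognised tag would presumably be a NULL dereference. Add `if (digestOid == NULL) { return errSecParam; }` before the `agileHash` fields are filled in. In SecCmsSignerInfoAddAppleCodesigningHashAgilityV2 the block silently skips entries that fail `isNumber`/`isData` and discards the helper's status with `(void)`, so the function can return `SECSuccess` after adding an attribute with fewer hashes than requested, or none. Capturing the first failure in a `__block OSStatus` and taking the `loser` path would keep a weakened signature attribute from being emitted unnoticed. `signerinfo->cmsg->poolp` is also read in the declarations before any argument validation.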
@@ -1434,11 +1648,17 @@ SecCertificateRef SecCmsSignerInfoCopyCertFromEncryptionKeyPreference(SecCmsSign ekp = SecCmsAttributeGetValue(attr); if (ekp == NULL) return NULL; + cert = SecSMIMEGetCertFromEncryptionKeyPreference(keychainOrArray, rawCerts, ekp); + } + if(cert) return cert; - CSSM_DATA_PTR *rawCerts = NULL; - if (signerinfo->sigd) { - rawCerts = signerinfo->sigd->rawCerts; - } + if (!SecCmsArrayIsEmpty((void **)signerinfo->authAttr) && + (attr = SecCmsAttributeArrayFindAttrByOidTag(signerinfo->authAttr, + SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE, PR_TRUE)) != NULL) + { /* we have a MS_SMIME_ENCRYPTION_KEY_PREFERENCE attribute! Find the cert. */ + ekp = SecCmsAttributeGetValue(attr); + if (ekp == NULL) + return NULL; cert = SecSMIMEGetCertFromEncryptionKeyPreference(keychainOrArray, rawCerts, ekp); } return cert; diff --git a/OSX/libsecurity_smime/lib/cmstpriv.h b/OSX/libsecurity_smime/lib/cmstpriv.h index 012ff496..483c1985 100644 --- a/OSX/libsecurity_smime/lib/cmstpriv.h +++ b/OSX/libsecurity_smime/lib/cmstpriv.h @@ -226,7 +226,9 @@ struct SecCmsSignerInfoStr { CFAbsoluteTime tsaLeafNotBefore; /* Start date for Timestamp Authority leaf */ CFAbsoluteTime tsaLeafNotAfter; /* Expiration date for Timestamp Authority leaf */ CFMutableArrayRef timestampCertList; + SecCertificateRef timestampCert; CFDataRef hashAgilityAttrValue; + CFDictionaryRef hashAgilityV2AttrValues; }; #define SEC_CMS_SIGNER_INFO_VERSION_ISSUERSN 1 /* what we *create* */ #define SEC_CMS_SIGNER_INFO_VERSION_SUBJKEY 3 /* what we *create* */ diff --git a/OSX/libsecurity_smime/lib/secoid.c b/OSX/libsecurity_smime/lib/secoid.c index d5bdd5cc..54904fb8 100644 --- a/OSX/libsecurity_smime/lib/secoid.c +++ b/OSX/libsecurity_smime/lib/secoid.c 
@@ -475,6 +475,7 @@ CONST_OID mqvSinglePassSha1kdf[] = {ANSI_X9_63_SCHEME, 4 }; /* Apple Hash Agility */ CONST_OID appleHashAgility[] = {APPLE_CMS_ATTRIBUTES, 1}; +CONST_OID appleHashAgilityV2[] = {APPLE_CMS_ATTRIBUTES, 2}; /* a special case: always associated with a caller-specified OID */ CONST_OID noOid[] = { 0 }; @@ -1151,7 +1152,9 @@ const static SECOidData oids[] = { OD( appleHashAgility, SEC_OID_APPLE_HASH_AGILITY, "appleCodesigningHashAgilityAttribute", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION), - + OD( appleHashAgilityV2, SEC_OID_APPLE_HASH_AGILITY_V2, + "appleCodesigningHashAgilityAttribute", CSSM_ALGID_NONE, + INVALID_CERT_EXTENSION), }; /* diff --git a/OSX/libsecurity_smime/lib/tsaSupport.c b/OSX/libsecurity_smime/lib/tsaSupport.c index f2faff0e..bf92c7bd 100644 --- a/OSX/libsecurity_smime/lib/tsaSupport.c +++ b/OSX/libsecurity_smime/lib/tsaSupport.c @@ -165,8 +165,7 @@ static void printDataAsHex(const char *title, const CSSM_DATA *d, unsigned maxTo int offset, sz = 0; const int wrapwid = 24; // large enough so SHA-1 hashes fit on one line... - if ((maxToPrint != 0) && (len > maxToPrint)) - { + if ((maxToPrint != 0) && (len > maxToPrint)) { len = maxToPrint; more = true; } @@ -178,22 +177,19 @@ static void printDataAsHex(const char *title, const CSSM_DATA *d, unsigned maxTo dtprintf("%s", buffer); offset = 0; - for (i=0; (i < len) && (offset+3 < bufferSize); i++, offset += sz) - { + for (i=0; (i < len) && (offset+3 < bufferSize); i++, offset += sz) { sz = sprintf(buffer + offset, " %02x", (unsigned int)cp[i] & 0xff); - if ((i % wrapwid) == (wrapwid-1)) - { - dtprintf("%s", buffer); + if ((i % wrapwid) == (wrapwid-1)) { + dtprintf("%s\n", buffer); offset = 0; sz = 0; } } sz=sprintf(buffer + offset, more?" ...\n":"\n"); - offset += sz; + offset += sz; buffer[offset+1]=0; -// fprintf(stderr, "%s", buffer); dtprintf("%s", buffer); free(buffer); 
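Review bot: The new `appleHashAgilityV2` entry in the `oids[]` table reuses the description string `"appleCodesigningHashAgilityAttribute"` of the V1 entry directly above it, so anything that prints or logs the OID description cannot tell the two attributes apart. Consider a distinct description such as `"appleCodesigningHashAgilityAttributeV2"`. The table continues outside the hunk.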
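Review bot: The reformatted loop in printDataAsHex still formats with unbounded `sprintf` into a heap buffer, and the trailer written after the loop (`" ...\n"` followed by the extra `buffer[offset+1]=0` store) is not covered by the `offset+3 < bufferSize` guard. Whether this can overrun depends on how `bufferSize` is computed, which is outside the hunk. Using `snprintf(buffer + offset, bufferSize - offset, ...)` for both writes would make the bound explicit. The `buffer[offset+1]=0` store writes one byte past the terminator the format call already placed and can be dropped.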
@@ -1244,8 +1240,9 @@ OSStatus decodeTimeStampTokenWithPolicy(SecCmsSignerInfoRef signerinfo, CFTypeRe inData comes from the unAuthAttr section of the CMS message These are set in signerinfo as side effects: - timestampTime - + timestampTime timestampCertList + timestampCert */ SecCmsDecoderRef decoderContext = NULL; @@ -1349,6 +1346,11 @@ OSStatus decodeTimeStampTokenWithPolicy(SecCmsSignerInfoRef signerinfo, CFTypeRe int numberOfSigners = SecCmsSignedDataSignerInfoCount (signedData); + if (numberOfSigners > 0) { + /* @@@ assume there's only one signer since SecCms can't handle multiple signers anyway */ + signerinfo->timestampCert = CFRetainSafe(SecCmsSignerInfoGetSigningCertificate(signedData->signerInfos[0], NULL)); + } + result = verifySigners(signedData, numberOfSigners, timeStampPolicy); if (result) dtprintf("verifySigners failed: %ld\n", (long)result); // warning @@ -1368,7 +1370,7 @@ OSStatus decodeTimeStampTokenWithPolicy(SecCmsSignerInfoRef signerinfo, CFTypeRe case SEC_OID_PKCS9_ID_CT_TSTInfo: { SecAsn1TSATSTInfo tstInfo = {{0},}; - SecCertificateRef signerCert = SecCmsSignerInfoGetSigningCertificate(signerinfo, NULL); + SecCertificateRef signerCert = SecCmsSignerInfoGetTimestampSigningCert(signerinfo); result = verifyTSTInfo(contentInfo->rawContent, signerCert, &tstInfo, &signerinfo->timestampTime, expectedNonce); if (signerinfo->timestampTime) { diff --git a/OSX/libsecurity_smime/libsecurity_smime.xcodeproj/project.pbxproj b/OSX/libsecurity_smime/libsecurity_smime.xcodeproj/project.pbxproj index 7d783184..d8597b00 100644 --- a/OSX/libsecurity_smime/libsecurity_smime.xcodeproj/project.pbxproj +++ b/OSX/libsecurity_smime/libsecurity_smime.xcodeproj/project.pbxproj 
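Review bot: In decodeTimeStampTokenWithPolicy, `signerinfo->timestampCert` is assigned from `signedData->signerInfos[0]` before `verifySigners` runs, and in the visible lines a `verifySigners` failure is only logged, so the field can end up holding a certificate from a timestamp token that did not verify. Either set it after `verifySigners` succeeds or clear it on failure, so that callers of `SecCmsSignerInfoGetTimestampSigningCert` do not treat an unverified certificate as trusted. The assignment also overwrites any previous value without releasing it; `CFReleaseNull(signerinfo->timestampCert);` before the `CFRetainSafe` line would avoid a leak if a signer info is decoded more than once. In the TSTInfo case `signerCert` can now be NULL when no signer was found, so `verifyTSTInfo` needs to reject that. The rest of the function is outside the hunks.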
@@ -69,11 +69,11 @@ 4CDA0D6604200AE000CA2E66 /* cmssiginfo.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C27420403E9FC5B00A80181 /* cmssiginfo.c */; }; 4CDA0D6704200B0F00CA2E66 /* smimeutil.c in Sources */ = {isa = PBXBuildFile; fileRef = 4C27420F03E9FC5B00A80181 /* smimeutil.c */; }; 4CEC5CDF042A721300CA2E66 /* cmspriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CEC5CDE042A721300CA2E66 /* cmspriv.h */; }; - 4CEC5CE1042A722000CA2E66 /* cmstpriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CEC5CE0042A722000CA2E66 /* cmstpriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 4CEC5CE1042A722000CA2E66 /* cmstpriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CEC5CE0042A722000CA2E66 /* cmstpriv.h */; }; 4CEDC82106371B1700B7E254 /* SecCmsEncryptedData.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CEDC82006371B1700B7E254 /* SecCmsEncryptedData.h */; settings = {ATTRIBUTES = (); }; }; - 5232A822150AD71A00E6BB48 /* tsaSupportPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 5232A821150AD71A00E6BB48 /* tsaSupportPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 5232A822150AD71A00E6BB48 /* tsaSupportPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 5232A821150AD71A00E6BB48 /* tsaSupportPriv.h */; }; 52B609D514F4665700134209 /* tsaTemplates.c in Sources */ = {isa = PBXBuildFile; fileRef = 52B609D314F4665700134209 /* tsaTemplates.c */; }; - 52B609D614F4665700134209 /* tsaTemplates.h in Headers */ = {isa = PBXBuildFile; fileRef = 52B609D414F4665700134209 /* tsaTemplates.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 52B609D614F4665700134209 /* tsaTemplates.h in Headers */ = {isa = PBXBuildFile; fileRef = 52B609D414F4665700134209 /* tsaTemplates.h */; }; 52D7A24A15092A0600CF48F7 /* tsaSupport.c in Sources */ = {isa = PBXBuildFile; fileRef = 52D7A24915092A0600CF48F7 /* tsaSupport.c */; }; 52D7A24D15094B8B00CF48F7 /* tsaSupport.h in Headers */ = {isa = PBXBuildFile; fileRef = 52D7A24C15092AAD00CF48F7 /* tsaSupport.h */; settings = 
{ATTRIBUTES = (Private, ); }; }; AC62F5F418B4358B00704BBD /* smime-cms-test.c in Sources */ = {isa = PBXBuildFile; fileRef = ACBEE91018B420BC0021712D /* smime-cms-test.c */; }; @@ -337,6 +337,7 @@ 4CEC5CDF042A721300CA2E66 /* cmspriv.h in Headers */, 4C27422203E9FC7600A80181 /* cmsreclist.h in Headers */, 4CEC5CE1042A722000CA2E66 /* cmstpriv.h in Headers */, + 5232A822150AD71A00E6BB48 /* tsaSupportPriv.h in Headers */, 4CA51CE00420246F00CA2E66 /* cryptohi.h in Headers */, 4C8E16750438EF5700CA2E66 /* plhash.h in Headers */, 4CCC260E0635F1A200CBF0D4 /* SecCmsBase.h in Headers */, @@ -355,10 +356,9 @@ 4C8E167A0438EFD700CA2E66 /* secitem.h in Headers */, 4C8E16700438EEE700CA2E66 /* secoid.h in Headers */, 4C424BE8063F28F600E9831A /* SecSMIMEPriv.h in Headers */, - 52B609D614F4665700134209 /* tsaTemplates.h in Headers */, 52D7A24D15094B8B00CF48F7 /* tsaSupport.h in Headers */, ACBEE90E18B415B60021712D /* SecCMS.h in Headers */, - 5232A822150AD71A00E6BB48 /* tsaSupportPriv.h in Headers */, + 52B609D614F4665700134209 /* tsaTemplates.h in Headers */, ); runOnlyForDeploymentPostprocessing = 0; }; diff --git a/OSX/libsecurity_ssl/lib/SecureTransport.h b/OSX/libsecurity_ssl/lib/SecureTransport.h index c753a278..f884dee9 100644 --- a/OSX/libsecurity_ssl/lib/SecureTransport.h +++ b/OSX/libsecurity_ssl/lib/SecureTransport.h 
@@ -290,6 +290,26 @@ CF_ENUM(OSStatus) { /* non-fatal result codes */ errSSLClientHelloReceived = -9851, /* SNI */ + + /* fatal errors resulting from transport or networking errors */ + errSSLTransportReset = -9852, /* transport (socket) shutdown, e.g., TCP RST or FIN. */ + errSSLNetworkTimeout = -9853, /* network timeout triggered */ + + /* fatal errors resulting from software misconfiguration */ + errSSLConfigurationFailed = -9854, /* TLS configuration failed */ + + /* additional errors */ + errSSLUnsupportedExtension = -9855, /* unsupported TLS extension */ + errSSLUnexpectedMessage = -9856, /* peer rejected unexpected message */ + errSSLDecompressFail = -9857, /* decompression failed */ + errSSLHandshakeFail = -9858, /* handshake failed */ + errSSLDecodeError = -9859, /* decode failed */ + errSSLInappropriateFallback = -9860, /* inappropriate fallback */ + errSSLMissingExtension = -9861, /* missing extension */ + errSSLBadCertificateStatusResponse = -9862, /* bad OCSP response */ + errSSLCertificateRequired = -9863, /* certificate required */ + errSSLUnknownPSKIdentity = -9864, /* unknown PSK identity */ + errSSLUnrecognizedName = -9865, /* unknown or unrecognized name */ }; /* DEPRECATED aliases for errSSLPeerAuthCompleted */ diff --git a/OSX/libsecurity_transform/lib/SecDigestTransform.h b/OSX/libsecurity_transform/lib/SecDigestTransform.h index 83415105..d61f6e2d 100644 --- a/OSX/libsecurity_transform/lib/SecDigestTransform.h +++ b/OSX/libsecurity_transform/lib/SecDigestTransform.h @@ -140,7 +140,7 @@ SecTransformRef SecDigestTransformCreate(CFTypeRef __nullable digestType, @result The CFTypeID */ -CFTypeID SecDigestTransformGetTypeID() + CFTypeID SecDigestTransformGetTypeID(void) __OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); CF_IMPLICIT_BRIDGING_DISABLED diff --git a/OSX/libsecurity_transform/lib/SecEncryptTransform.cpp b/OSX/libsecurity_transform/lib/SecEncryptTransform.cpp index 5ee1c15d..8a2703a3 100644 
--- a/OSX/libsecurity_transform/lib/SecEncryptTransform.cpp +++ b/OSX/libsecurity_transform/lib/SecEncryptTransform.cpp @@ -24,6 +24,7 @@ #include "SecEncryptTransform.h" #include "SecTransformInternal.h" #include "EncryptTransform.h" +#include /* -------------------------------------------------------------------------- Create the declared CFStringRefs diff --git a/OSX/libsecurity_transform/lib/SecEncryptTransform.h b/OSX/libsecurity_transform/lib/SecEncryptTransform.h index 00bdff8d..0a744fcf 100644 --- a/OSX/libsecurity_transform/lib/SecEncryptTransform.h +++ b/OSX/libsecurity_transform/lib/SecEncryptTransform.h @@ -172,7 +172,7 @@ CF_IMPLICIT_BRIDGING_ENABLED @return the CFTypeID */ - CFTypeID SecDecryptTransformGetTypeID() + CFTypeID SecDecryptTransformGetTypeID(void) __OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); /*! @@ -181,7 +181,7 @@ CF_IMPLICIT_BRIDGING_ENABLED @return the CFTypeID */ - CFTypeID SecEncryptTransformGetTypeID() + CFTypeID SecEncryptTransformGetTypeID(void) __OSX_AVAILABLE_STARTING(__MAC_10_7,__IPHONE_NA); CF_IMPLICIT_BRIDGING_DISABLED diff --git a/OSX/libsecurity_transform/lib/SecTransformInternal.h b/OSX/libsecurity_transform/lib/SecTransformInternal.h index b339ff8d..8eac2905 100644 --- a/OSX/libsecurity_transform/lib/SecTransformInternal.h +++ b/OSX/libsecurity_transform/lib/SecTransformInternal.h @@ -7,7 +7,6 @@ extern "C" { #endif #include "SecTransform.h" -#include "SecCFRelease.h" CFErrorRef SecTransformConnectTransformsInternal(SecGroupTransformRef groupRef, SecTransformRef sourceTransformRef, CFStringRef sourceAttributeName, SecTransformRef destinationTransformRef, CFStringRef destinationAttributeName); diff --git a/OSX/libsecurity_utilities/lib/alloc.h b/OSX/libsecurity_utilities/lib/alloc.h index 411b58cb..8d276227 100644 --- a/OSX/libsecurity_utilities/lib/alloc.h +++ b/OSX/libsecurity_utilities/lib/alloc.h 
@@ -55,10 +55,23 @@ public: { return reinterpret_cast(malloc(sizeof(T))); } template T *alloc(UInt32 count) throw(std::bad_alloc) - { return reinterpret_cast(malloc(sizeof(T) * count)); } + { + size_t bytes = 0; + if (__builtin_mul_overflow(sizeof(T), count, &bytes)) { + throw std::bad_alloc(); + } + return reinterpret_cast(malloc(bytes)); + + } template T *alloc(T *old, UInt32 count) throw(std::bad_alloc) - { return reinterpret_cast(realloc(old, sizeof(T) * count)); } + { + size_t bytes = 0; + if (__builtin_mul_overflow(sizeof(T), count, &bytes)) { + throw std::bad_alloc(); + } + return reinterpret_cast(realloc(old, bytes)); + } // diff --git a/OSX/libsecurity_utilities/lib/debugging.h b/OSX/libsecurity_utilities/lib/debugging.h deleted file mode 120000 index ac6a54fc..00000000 --- a/OSX/libsecurity_utilities/lib/debugging.h +++ /dev/null @@ -1 +0,0 @@ -./../utilities/src/debugging.h \ No newline at end of file diff --git a/OSX/libsecurity_utilities/lib/pcsc++.h b/OSX/libsecurity_utilities/lib/pcsc++.h index 46e045d1..5ca469d7 100644 --- a/OSX/libsecurity_utilities/lib/pcsc++.h +++ b/OSX/libsecurity_utilities/lib/pcsc++.h @@ -38,6 +38,7 @@ #include #include #include +#include #include #include #include diff --git a/OSX/libsecurity_utilities/lib/threading_internal.h b/OSX/libsecurity_utilities/lib/threading_internal.h index dc7af307..03c8076f 100644 --- a/OSX/libsecurity_utilities/lib/threading_internal.h +++ b/OSX/libsecurity_utilities/lib/threading_internal.h @@ -38,7 +38,11 @@ namespace Security { // // Do we have 64-bit atomic operations? // -#define _HAVE_64BIT_ATOMIC (defined(__ppc64__) || defined(__i386__) || defined(__x86_64__)) +#if (defined(__ppc64__) || defined(__i386__) || defined(__x86_64__)) +#define _HAVE_64BIT_ATOMIC 1 +#else +#define _HAVE_64BIT_ATOMIC 0 +#endif // diff --git a/OSX/libsecurityd/lib/SharedMemoryClient.cpp b/OSX/libsecurityd/lib/SharedMemoryClient.cpp index 3acb37d2..2a54ec17 100644 --- a/OSX/libsecurityd/lib/SharedMemoryClient.cpp 
+++ b/OSX/libsecurityd/lib/SharedMemoryClient.cpp @@ -17,6 +17,7 @@ using namespace Security; // SharedMemoryClient //================================================================================= +#if !defined(NDEBUG) static std::string unixerrorstr(int errnum) { string errstr; char buf[1024]; @@ -26,6 +27,7 @@ static std::string unixerrorstr(int errnum) { errstr += "(" + to_string(errnum) + ")"; return errstr; } +#endif SharedMemoryClient::SharedMemoryClient (const char* segmentName, SegmentOffsetType segmentSize, uid_t uid) { diff --git a/OSX/macos_tapi_hacks.h b/OSX/macos_tapi_hacks.h new file mode 100644 index 00000000..c5b25793 --- /dev/null +++ b/OSX/macos_tapi_hacks.h 
@@ -0,0 +1,89 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ +#ifndef macos_tapi_hack_h +#define macos_tapi_hack_h + +// This file is to work around TAPI's insistence that every exported symbol is in a header file. +// The Security project just simply rejects such ideas, so this is the pressure valve: +// +// One-offs in header files that shouldn't be exported in the real-live macOS Security framework +// can be added here, and TAPI will accept them. +// +// Please don't add anything here. + +#ifndef SECURITY_PROJECT_TAPI_HACKS +#error This header is not for inclusion; it's a nasty hack to get the macOS Security framework to build with TAPI. 
+#endif + +#include +#include + +CFDataRef SecDistinguishedNameCopyNormalizedContent(CFDataRef distinguished_name); +CFDataRef _SecItemCreatePersistentRef(CFTypeRef iclass, sqlite_int64 rowid, CFDictionaryRef attributes); +CFDictionaryRef SecTokenItemValueCopy(CFDataRef db_value, CFErrorRef *error); +CFArrayRef SecTrustCopyProperties_ios(SecTrustRef trust); +CFArrayRef SecItemCopyParentCertificates_ios(CFDataRef normalizedIssuer, CFArrayRef accessGroups, CFErrorRef *error); +bool SecItemCertificateExists(CFDataRef normalizedIssuer, CFDataRef serialNumber, CFArrayRef accessGroups, CFErrorRef *error); +bool _SecItemParsePersistentRef(CFDataRef persistent_ref, CFStringRef *return_class, + sqlite_int64 *return_rowid, CFDictionaryRef *return_token_attrs); + +// iOS-only SecKey functions +size_t SecKeyGetSize(SecKeyRef key, int whichSize); +CFDataRef SecKeyCopyPublicKeyHash(SecKeyRef key); + +// SecItemPriv.h +extern const CFStringRef kSecUseSystemKeychain; + +// securityd_client.h + +typedef struct SecurityClient { +} SecurityClient; + +extern struct securityd *gSecurityd; +extern struct trustd *gTrustd; +extern SecurityClient * SecSecurityClientGet(void); +bool securityd_send_sync_and_do(enum SecXPCOperation op, CFErrorRef *error, + bool (^add_to_message)(xpc_object_t message, CFErrorRef* error), + bool (^handle_response)(xpc_object_t response, CFErrorRef* error)); +XPC_RETURNS_RETAINED xpc_object_t securityd_message_with_reply_sync(xpc_object_t message, CFErrorRef *error); +XPC_RETURNS_RETAINED xpc_object_t securityd_create_message(enum SecXPCOperation op, CFErrorRef *error); +bool securityd_message_no_error(xpc_object_t message, CFErrorRef *error); + +@interface SecuritydXPCClient : NSObject +@end + +void SecAccessGroupsSetCurrent(CFArrayRef accessGroups); +CFArrayRef SecAccessGroupsGetCurrent(void); + +// checkpw.c +int checkpw_internal( const struct passwd* pw, const char* password ); + +// SecFramework.h +CFDataRef SecDigestCreate(CFAllocatorRef allocator, + const 
SecAsn1Oid *algorithm, const SecAsn1Item *params, + const UInt8 *data, CFIndex length); +CFDataRef SecSHA256DigestCreateFromData(CFAllocatorRef allocator, CFDataRef data); +CFStringRef SecFrameworkCopyLocalizedString(CFStringRef key, + CFStringRef tableName); + +#endif /* macos_tapi_hack_h */ diff --git a/OSX/regressions/test/testcert.h b/OSX/regressions/test/testcert.h index 0babe8db..b06b07df 100644 --- a/OSX/regressions/test/testcert.h +++ b/OSX/regressions/test/testcert.h @@ -35,6 +35,7 @@ SecIdentityRef test_cert_create_root_certificate(CFStringRef subject, SecKeyRef public_key, SecKeyRef private_key); +CF_RETURNS_RETAINED SecCertificateRef test_cert_issue_certificate(SecIdentityRef ca_identity, SecKeyRef public_key, CFStringRef subject, diff --git a/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainClient.c b/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainClient.c index dcce498e..771179a5 100644 --- a/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainClient.c +++ b/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainClient.c @@ -67,15 +67,8 @@ static CFStringRef sErrorDomain = CFSTR("com.apple.security.sos.transport.error" // MARK: ---------- SOSCloudTransport ---------- -/* SOSCloudTransport, a statically initialized transport singleton. */ -static SOSCloudTransportRef sTransport = NULL; - static SOSCloudTransportRef SOSCloudTransportCreateXPCTransport(void); -void SOSCloudKeychainSetTransport(SOSCloudTransportRef transport) { - sTransport = transport; -} - void SOSCloudTransportGet(SOSCloudTransportRef transport, CFArrayRef keysToGet, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); 
@@ -141,9 +134,9 @@ errOut: static SOSCloudTransportRef SOSCloudTransportDefaultTransport(void) { static dispatch_once_t sTransportOnce; + static SOSCloudTransportRef sTransport = NULL; dispatch_once(&sTransportOnce, ^{ - if (!sTransport) - SOSCloudKeychainSetTransport(SOSCloudTransportCreateXPCTransport()); + sTransport = SOSCloudTransportCreateXPCTransport(); // provide state handler to sysdiagnose and logging os_state_add_handler(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), kvsStateBlock); }); @@ -222,11 +215,6 @@ static bool xpc_event_filter(const xpc_connection_t peer, xpc_object_t event, CF // The client of an XPC service does not get connection events // For now, we log this and keep going describeXPCObject("handle_xpc_event: XPC_TYPE_CONNECTION, obj : ", event); -#if 0 - if (error) - *error = makeError(kSOSOUnexpectedConnectionEvent); // FIX - assert(true); -#endif } else if (XPC_TYPE_ERROR == xtype) @@ -234,17 +222,7 @@ static bool xpc_event_filter(const xpc_connection_t peer, xpc_object_t event, CF #ifndef NDEBUG const char *estr = xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION); #endif - secdebug(SOSCKCSCOPE, "default: xpc error: %s\n", estr); -#if 0 // just log for now - CFStringRef errStr = CFStringCreateWithCString(kCFAllocatorDefault, estr, kCFStringEncodingUTF8); - CFMutableDictionaryRef userInfo = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); - if (errStr) - CFDictionaryAddValue(userInfo, kCFErrorLocalizedDescriptionKey, errStr); - if (error) - *error = CFErrorCreate(kCFAllocatorDefault, sErrorDomain, kSOSOXPCErrorEvent, userInfo); - CFReleaseSafe(errStr); - CFReleaseSafe(userInfo); -#endif + secdebug(SOSCKCSCOPE, "default: xpc error: %s\n", estr); } else if (XPC_TYPE_DICTIONARY == xtype) 
@@ -277,12 +255,12 @@ static void setupIDSProxyServiceConnection(SOSXPCCloudTransportRef transport) }); xpc_connection_activate(transport->idsProxyServiceConnection); - xpc_retain(transport->idsProxyServiceConnection); } static void teardownIDSProxyServiceConnection(SOSXPCCloudTransportRef transport) { secnotice(SOSCKCSCOPE, "IDS Transport: tearing down xpc connection"); + dispatch_assert_queue(transport->xpc_queue); xpc_release(transport->idsProxyServiceConnection); transport->idsProxyServiceConnection = NULL; } @@ -302,12 +280,12 @@ static void setupServiceConnection(SOSXPCCloudTransportRef transport) }); xpc_connection_activate(transport->serviceConnection); - xpc_retain(transport->serviceConnection); } static void teardownServiceConnection(SOSXPCCloudTransportRef transport) { secnotice(SOSCKCSCOPE, "CKP Transport: tearing down xpc connection"); + dispatch_assert_queue(transport->xpc_queue); xpc_release(transport->serviceConnection); transport->serviceConnection = NULL; } @@ -347,13 +325,11 @@ static void talkWithIDS(SOSXPCCloudTransportRef transport, xpc_object_t message, CFTypeRef object = NULL; if (xpc_event_filter(transport->idsProxyServiceConnection, reply, &serverError) && reply) { - describeXPCObject("IDS Proxy: reply : ", reply); if (serverError) secerror("Error from xpc_event_filter: %@", serverError); xpc_object_t xrv = xpc_dictionary_get_value(reply, kMessageKeyValue); if (xrv) { - describeXPCObject("talkwithIDS: xrv: ", xrv); /* * The given XPC object must be one that was previously returned by * _CFXPCCreateXPCMessageWithCFObject(). 
@@ -397,13 +373,15 @@ xit: typedef void (^ProxyReplyBlock)(xpc_object_t reply); static bool messageToProxy(SOSXPCCloudTransportRef transport, xpc_object_t message, CFErrorRef *error, dispatch_queue_t processQueue, ProxyReplyBlock replyBlock) { - CFErrorRef connectionError = NULL; - - require_action(transport->serviceConnection, xit, connectionError = makeError(kSOSConnectionNotOpen)); - require_action(message, xit, connectionError = makeError(kSOSObjectNotFoundError)); + __block CFErrorRef connectionError = NULL; - xpc_connection_send_message_with_reply(transport->serviceConnection, message, processQueue, replyBlock); -xit: + dispatch_sync(transport->xpc_queue, ^{ + if (transport->serviceConnection && message) { + xpc_connection_send_message_with_reply(transport->serviceConnection, message, processQueue, replyBlock); + } else { + connectionError = makeError(kSOSConnectionNotOpen); + } + }); return CFErrorPropagate(connectionError, error); } @@ -417,19 +395,16 @@ static void talkWithKVS(SOSXPCCloudTransportRef transport, xpc_object_t message, CFTypeRef object = NULL; if (xpc_event_filter(transport->serviceConnection, reply, &serverError) && reply) { - describeXPCObject("getValuesFromKVS: reply : ", reply); if (serverError) secerror("Error from xpc_event_filter: %@", serverError); xpc_object_t xrv = xpc_dictionary_get_value(reply, kMessageKeyValue); if (xrv) { - describeXPCObject("talkWithKVS: xrv: ", xrv); /* * The given XPC object must be one that was previously returned by * _CFXPCCreateXPCMessageWithCFObject(). */ object = _CFXPCCreateCFObjectFromXPCObject(xrv); // CF object is retained; release in callback - secnotice("talkwithkvs", "converted CF object: %@", object); } else secerror("missing value reply"); 
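Review bot: In messageToProxy a NULL `message` is now reported as kSOSConnectionNotOpen, because the new `else` branch covers both a missing connection and a missing message, whereas the removed code returned kSOSObjectNotFoundError for the latter. The distinction can be kept in one line: `connectionError = makeError(message ? kSOSConnectionNotOpen : kSOSObjectNotFoundError);`. The `dispatch_sync` onto `transport->xpc_queue` would deadlock if that queue is serial and a caller already runs on it; the callers are not visible here, so a comment stating that messageToProxy must not be called from xpc_queue would help. The reply block in talkWithKVS (the @@ -417 hunk) still passes `transport->serviceConnection` to xpc_event_filter on `processQueue`, so that read is not covered by the serialization that teardownServiceConnection now asserts.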
@@ -575,7 +550,7 @@ static void SOSCloudTransportGetPerformanceStats(SOSCloudTransportRef transport, xpc_release(message); } -static void SOSCloudTransportSendFragmentedIDSMessage(SOSCloudTransportRef transport, CFDictionaryRef messageData, CFStringRef deviceName, CFStringRef peerID, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock){ +static void SOSCloudTransportSendFragmentedIDSMessage(SOSCloudTransportRef transport, CFDictionaryRef messageData, CFStringRef deviceName, CFStringRef peerID, CFStringRef myDeviceID, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock){ SOSXPCCloudTransportRef xpcTransport = (SOSXPCCloudTransportRef)transport; xpc_object_t xmessageData = _CFXPCCreateXPCObjectFromCFObject(messageData); @@ -587,6 +562,8 @@ static void SOSCloudTransportSendFragmentedIDSMessage(SOSCloudTransportRef trans xpc_dictionary_set_value(message, kMessageKeyValue, xmessageData); SecXPCDictionarySetCFObject(message, kMessageKeyDeviceName, deviceName); SecXPCDictionarySetCFObject(message, kMessageKeyPeerID, peerID); + SecXPCDictionarySetCFObject(message, kMessageKeyDeviceID, myDeviceID); + talkWithIDS(xpcTransport, message, processQueue, replyBlock); xpc_release(xmessageData); @@ -627,7 +604,7 @@ static void SOSCloudTransportCheckIDSDeviceIDAvailability(SOSCloudTransportRef t } -static void SOSCloudTransportSendIDSMessage(SOSCloudTransportRef transport, CFDictionaryRef messageData, CFStringRef deviceName, CFStringRef peerID, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock){ +static void SOSCloudTransportSendIDSMessage(SOSCloudTransportRef transport, CFDictionaryRef messageData, CFStringRef deviceName, CFStringRef peerID, CFStringRef myDeviceID, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock){ SOSXPCCloudTransportRef xpcTransport = (SOSXPCCloudTransportRef)transport; xpc_object_t xmessageData = _CFXPCCreateXPCObjectFromCFObject(messageData); 
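Review bot: In the @@ -587 hunk `myDeviceID` is stored under `kMessageKeyDeviceID`, while this same commit adds `kMessageKeySenderDeviceID` ("SendersDeviceID") to SOSCloudKeychainConstants.c and nothing visible in this file uses it. If the proxy reads the sender's device ID under the new key, the line should be `SecXPCDictionarySetCFObject(message, kMessageKeySenderDeviceID, myDeviceID);`. If `kMessageKeyDeviceID` is intended, a short comment that this key carries the sender's ID would keep it from being mistaken for a recipient field. The same line is added to SOSCloudTransportSendIDSMessage in the @@ -639 hunk. Whether SecXPCDictionarySetCFObject tolerates a NULL `myDeviceID` cannot be seen from here and is worth confirming, since the new parameter is passed through unchecked; the function body starts in the previous hunk and continues past this one.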
@@ -639,6 +616,7 @@ static void SOSCloudTransportSendIDSMessage(SOSCloudTransportRef transport, CFDi xpc_dictionary_set_value(message, kMessageKeyValue, xmessageData); SecXPCDictionarySetCFObject(message, kMessageKeyDeviceName, deviceName); SecXPCDictionarySetCFObject(message, kMessageKeyPeerID, peerID); + SecXPCDictionarySetCFObject(message, kMessageKeyDeviceID, myDeviceID); talkWithIDS(xpcTransport, message, processQueue, replyBlock); xpc_release(xmessageData); @@ -915,14 +893,14 @@ void SOSCloudKeychainRemoveKeys(CFArrayRef keys, CFStringRef accountUUID, dispat cTransportRef->removeKeys(cTransportRef, keys, accountUUID, processQueue, replyBlock); } -void SOSCloudKeychainSendIDSMessage(CFDictionaryRef message, CFStringRef deviceName, CFStringRef peerID, dispatch_queue_t processQueue, CFBooleanRef fragmentation, CloudKeychainReplyBlock replyBlock) +void SOSCloudKeychainSendIDSMessage(CFDictionaryRef message, CFStringRef deviceName, CFStringRef peerID, CFStringRef myDeviceID, dispatch_queue_t processQueue, CFBooleanRef fragmentation, CloudKeychainReplyBlock replyBlock) { SOSCloudTransportRef cTransportRef = SOSCloudTransportDefaultTransport(); if(cTransportRef && fragmentation == kCFBooleanTrue) - cTransportRef->sendFragmentedIDSMessage(cTransportRef, message, deviceName, peerID, processQueue, replyBlock); + cTransportRef->sendFragmentedIDSMessage(cTransportRef, message, deviceName, peerID, myDeviceID, processQueue, replyBlock); else if(cTransportRef) - cTransportRef->sendIDSMessage(cTransportRef, message, deviceName, peerID, processQueue, replyBlock); + cTransportRef->sendIDSMessage(cTransportRef, message, deviceName, peerID, myDeviceID, processQueue, replyBlock); } diff --git a/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainClient.h b/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainClient.h index ee8174e8..b3e2ffd0 100644 --- a/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainClient.h +++ b/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainClient.h 
@@ -67,8 +67,8 @@ struct SOSCloudTransport void (*put)(SOSCloudTransportRef transport, CFDictionaryRef valuesToPut, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); void (*updateKeys)(SOSCloudTransportRef transport, CFDictionaryRef keys, CFStringRef accountUUID, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); - void (*sendIDSMessage)(SOSCloudTransportRef transport, CFDictionaryRef data, CFStringRef deviceName, CFStringRef peerID, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); - void (*sendFragmentedIDSMessage)(SOSCloudTransportRef transport, CFDictionaryRef data, CFStringRef deviceName, CFStringRef peerID, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); + void (*sendIDSMessage)(SOSCloudTransportRef transport, CFDictionaryRef data, CFStringRef deviceName, CFStringRef peerID, CFStringRef myDeviceID, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); + void (*sendFragmentedIDSMessage)(SOSCloudTransportRef transport, CFDictionaryRef data, CFStringRef deviceName, CFStringRef peerID, CFStringRef myDeviceID, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); void (*retrieveMessages) (SOSCloudTransportRef transport, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); void (*getDeviceID)(SOSCloudTransportRef transport, CloudKeychainReplyBlock replyBlock); 
@@ -96,16 +96,10 @@ struct SOSCloudTransport }; -/* Call this function before calling any other function in this header to provide - an alternate transport, the default transport talks to CloudKeychainProxy via xpc. */ -void SOSCloudKeychainSetTransport(SOSCloudTransportRef transport); - void SOSCloudKeychainGetIDSDeviceID(CloudKeychainReplyBlock replyBlock); -void SOSCloudKeychainSendIDSMessage(CFDictionaryRef message, CFStringRef deviceName, CFStringRef peerID, dispatch_queue_t processQueue, CFBooleanRef fragmentation, CloudKeychainReplyBlock replyBlock); void SOSCloudKeychainRetrievePendingMessageFromProxy(dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); void SOSCloudKeychainUpdateKeys(CFDictionaryRef keys, CFStringRef accountUUID, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); -void SOSCloudKeychainUnRegisterKeys(CFArrayRef keysToUnregister, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); void SOSCloudKeychainPutObjectsInCloud(CFDictionaryRef objects, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); @@ -133,6 +127,7 @@ CFDictionaryRef SOSCloudCopyKVSState(void); void SOSCloudKeychainGetIDSDeviceAvailability(CFArrayRef ids, CFStringRef peerID, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); void SOSCloudKeychainRemoveKeys(CFArrayRef keys, CFStringRef accountUUID, dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); void SOSCloudKeychainRetrieveCountersFromIDSProxy(dispatch_queue_t processQueue, CloudKeychainReplyBlock replyBlock); +void SOSCloudKeychainSendIDSMessage(CFDictionaryRef message, CFStringRef deviceName, CFStringRef peerID, CFStringRef myDeviceID, dispatch_queue_t processQueue, CFBooleanRef fragmentation, CloudKeychainReplyBlock replyBlock); __END_DECLS diff --git a/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainConstants.c b/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainConstants.c index a2099527..fed2fc46 100644 
--- a/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainConstants.c +++ b/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainConstants.c @@ -73,6 +73,7 @@ const char *kMessageKeyDeviceID = "deviceID"; const char *kMessageKeyPeerID = "peerID"; const char *kMessageKeySendersPeerID = "sendersPeerID"; const char *kMessageKeyAccountUUID = "AcctUUID"; +const char *kMessageKeySenderDeviceID = "SendersDeviceID"; const char *kMessageOperationItemChanged = "ItemChanged"; diff --git a/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainConstants.h b/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainConstants.h index e4a3c6cf..46879416 100644 --- a/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainConstants.h +++ b/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainConstants.h @@ -54,6 +54,7 @@ extern const char *kMessageKeyPeerID; extern const char *kMessageKeySendersPeerID; extern const char *kMessageKeyAccountUUID; extern const char *kOperationSendDeviceList; +extern const char *kMessageKeySenderDeviceID; extern const char *kMessageContext; extern const char *kMessageKeyParameter; diff --git a/OSX/sec/SOSCircle/Regressions/SOSTestDataSource.c b/OSX/sec/SOSCircle/Regressions/SOSTestDataSource.c index 79a61542..0ab10983 100644 --- a/OSX/sec/SOSCircle/Regressions/SOSTestDataSource.c +++ b/OSX/sec/SOSCircle/Regressions/SOSTestDataSource.c @@ -484,6 +484,12 @@ SOSObjectRef SOSDataSourceCreateGenericItemWithData(SOSDataSourceRef ds, CFStrin CFNumberRef one = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &value); CFAbsoluteTime timestamp = 3700000 + (is_tomb ? 1 : 0); CFDateRef now = CFDateCreate(kCFAllocatorDefault, timestamp); + + CFDataRef defaultData = NULL; + if (!is_tomb && !data) { + defaultData = CFDataCreate(NULL, (UInt8*)"some data", 9); + data = defaultData; + } CFDictionaryRef dict = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, kSecClass, kSecClassGenericPassword, kSecAttrSynchronizable, one, 
@@ -499,6 +505,7 @@ SOSObjectRef SOSDataSourceCreateGenericItemWithData(SOSDataSourceRef ds, CFStrin CFRelease(one); CFRelease(zero); CFReleaseSafe(now); + CFReleaseNull(defaultData); CFErrorRef localError = NULL; SOSObjectRef object = ds->objectCreateWithPropertyList(dict, &localError); if (!object) { diff --git a/OSX/sec/SOSCircle/Regressions/SOSTestDevice.c b/OSX/sec/SOSCircle/Regressions/SOSTestDevice.c index f803683b..74147521 100644 --- a/OSX/sec/SOSCircle/Regressions/SOSTestDevice.c +++ b/OSX/sec/SOSCircle/Regressions/SOSTestDevice.c @@ -255,15 +255,15 @@ bool SOSTestDeviceEngineLoad(SOSTestDeviceRef td, CFErrorRef *error) { CFDataRef SOSTestDeviceCreateMessage(SOSTestDeviceRef td, CFStringRef peerID) { setup("create message"); CFErrorRef error = NULL; - SOSEnginePeerMessageSentBlock sent = NULL; + SOSEnginePeerMessageSentCallback* sent = NULL; CFDataRef msgData; CFMutableArrayRef attributeList = NULL; ok(msgData = SOSEngineCreateMessageToSyncToPeer(td->ds->engine, peerID, &attributeList, &sent, &error), "create message to %@: %@", peerID, error); - if (sent) - sent(true); - Block_release(sent); + SOSEngineMessageCallCallback(sent, true); + SOSEngineFreeMessageCallback(sent); + return msgData; } diff --git a/OSX/sec/SOSCircle/Regressions/sc-153-backupslicekeybag.c b/OSX/sec/SOSCircle/Regressions/sc-153-backupslicekeybag.c index 3bf87c7a..c037d864 100644 --- a/OSX/sec/SOSCircle/Regressions/sc-153-backupslicekeybag.c +++ b/OSX/sec/SOSCircle/Regressions/sc-153-backupslicekeybag.c @@ -34,7 +34,7 @@ #define encode_decode_count 2 #if !TARGET_IPHONE_SIMULATOR -static SOSBackupSliceKeyBagRef EncodeDecode(SOSBackupSliceKeyBagRef bag) +static CF_RETURNS_RETAINED SOSBackupSliceKeyBagRef EncodeDecode(SOSBackupSliceKeyBagRef bag) { SOSBackupSliceKeyBagRef result = NULL; CFErrorRef localError = NULL; diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccount.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccount.h index 9c21a109..a0baeb5d 100644 
--- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccount.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccount.h @@ -137,7 +137,7 @@ CFArrayRef SOSAccountCopyRetired(SOSAccount* account, CFErrorRef *error); CFArrayRef SOSAccountCopyViewUnaware(SOSAccount* account, CFErrorRef *error); CFArrayRef SOSAccountCopyPeers(SOSAccount* account, CFErrorRef *error); CFArrayRef SOSAccountCopyActivePeers(SOSAccount* account, CFErrorRef *error); -CFArrayRef SOSAccountCopyActiveValidPeers(SOSAccount* account, CFErrorRef *error); +CFArrayRef CF_RETURNS_RETAINED SOSAccountCopyActiveValidPeers(SOSAccount* account, CFErrorRef *error); CFArrayRef SOSAccountCopyConcurringPeers(SOSAccount* account, CFErrorRef *error); bool SOSAccountIsAccountIdentity(SOSAccount* account, SOSPeerInfoRef peer_info, CFErrorRef *error); @@ -198,7 +198,7 @@ bool SOSAccountSyncWithKVSUsingIDSID(SOSAccount* account, CFStringRef deviceID, // bool SOSAccountScanForRetired(SOSAccount* account, SOSCircleRef circle, CFErrorRef *error); -SOSCircleRef SOSAccountCloneCircleWithRetirement(SOSAccount* account, SOSCircleRef starting_circle, CFErrorRef *error); +CF_RETURNS_RETAINED SOSCircleRef SOSAccountCloneCircleWithRetirement(SOSAccount* account, SOSCircleRef starting_circle, CFErrorRef *error); // // MARK: Version incompatibility Functions @@ -216,7 +216,7 @@ bool SOSAccountSetBackupPublicKey(SOSAccountTransaction* aTxn, CFDataRef backupK bool SOSAccountRemoveBackupPublickey(SOSAccountTransaction* aTxn, CFErrorRef *error); bool SOSAccountSetBSKBagForAllSlices(SOSAccount* account, CFDataRef backupSlice, bool setupV0Only, CFErrorRef *error); -SOSBackupSliceKeyBagRef SOSAccountBackupSliceKeyBagForView(SOSAccount* account, CFStringRef viewName, CFErrorRef* error); +CF_RETURNS_RETAINED SOSBackupSliceKeyBagRef SOSAccountBackupSliceKeyBagForView(SOSAccount* account, CFStringRef viewName, CFErrorRef* error); bool SOSAccountIsLastBackupPeer(SOSAccount* account, CFErrorRef *error); 
@@ -293,11 +293,11 @@ bool SOSAccountSendToPeerIsPending(SOSAccountTransaction* txn, SOSPeerInfoRef pe // // MARK: OTR // -void SOSAccountResetOTRNegotiationCoder(SOSAccountTransaction* txn, CFStringRef peerid); +void SOSAccountResetOTRNegotiationCoder(SOSAccount* account, CFStringRef peerid); void SOSAccountTimerFiredSendNextMessage(SOSAccountTransaction* txn, NSString* peerid, NSString* accessGroup); NSMutableArray* SOSAccountGetAllTLKs(void); -CFMutableArrayRef SOSAccountCopyiCloudIdentities(SOSAccount* account); +CF_RETURNS_RETAINED CFMutableArrayRef SOSAccountCopyiCloudIdentities(SOSAccount* account); __END_DECLS diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccount.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccount.m index b76fbef8..c289643a 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccount.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccount.m @@ -8,9 +8,6 @@ */ #import -#import -#import - #include #include @@ -44,8 +41,11 @@ #import "Security/SecureObjectSync/SOSPeerOTRTimer.h" #import "Security/SecureObjectSync/SOSPeerRateLimiter.h" #import "Security/SecureObjectSync/SOSTypes.h" +#if OCTAGON #import "keychain/ckks/CKKSViewManager.h" - +#import "keychain/ckks/CKKSLockStateTracker.h" +#import "keychain/ot/OTContext.h" +#endif #include #include #include @@ -67,7 +67,6 @@ #include #include -const CFStringRef kSOSDSIDKey = CFSTR("AccountDSID"); const CFStringRef kSOSEscrowRecord = CFSTR("EscrowRecord"); const CFStringRef kSOSUnsyncedViewsKey = CFSTR("unsynced"); const CFStringRef kSOSInitialSyncTimeoutV0 = CFSTR("initialsynctimeout"); 
@@ -92,143 +91,6 @@ const uint64_t max_packet_size_over_idms = 500; #define DATE_LENGTH 25 const CFStringRef kSOSAccountDebugScope = CFSTR("Scope"); -@interface SOSAccount () -@property (retain,nonnull) NSXPCListener *listener; -@end - - -@interface SOSClient : NSObject -@property (weak) NSXPCConnection * connection; -@property (strong) SOSAccount * account; - -- (instancetype)initWithConnection:(NSXPCConnection *)connection account:(SOSAccount *)account; -@end - -@implementation SOSClient - -@synthesize account = _account; -@synthesize connection = _connection; - -- (instancetype)initWithConnection:(NSXPCConnection *)connection account:(SOSAccount *)account -{ - if ((self = [super init])) { - _connection = connection; - _account = account; - } - return self; -} - -- (bool)checkEntitlement:(NSString *)entitlement -{ - NSXPCConnection *strongConnection = _connection; - - NSNumber *num = [strongConnection valueForEntitlement:entitlement]; - if (![num isKindOfClass:[NSNumber class]] || ![num boolValue]) { - secinfo("sos", "Client pid: %d doesn't have entitlement: %@", - [strongConnection processIdentifier], entitlement); - return false; - } - return true; -} - -- (void)userPublicKey:(void ((^))(BOOL trusted, NSData *spki, NSError *error))reply -{ - [self.account userPublicKey:reply]; -} - -- (void)kvsPerformanceCounters:(void(^)(NSDictionary *))reply -{ - [self.account kvsPerformanceCounters:reply]; -} - -- (void)idsPerformanceCounters:(void(^)(NSDictionary *))reply -{ - [self.account idsPerformanceCounters:reply]; -} - -- (void)rateLimitingPerformanceCounters:(void(^)(NSDictionary *))reply -{ - [self.account rateLimitingPerformanceCounters:reply]; -} - -- (void)stashedCredentialPublicKey:(void(^)(NSData *, NSError *error))reply -{ - [self.account stashedCredentialPublicKey:reply]; -} - -- (void)assertStashedAccountCredential:(void(^)(BOOL result, NSError *error))reply -{ - [self.account assertStashedAccountCredential:reply]; -} - -- 
(void)validatedStashedAccountCredential:(void(^)(NSData *credential, NSError *error))complete -{ - [self.account validatedStashedAccountCredential:complete]; -} - -- (void)stashAccountCredential:(NSData *)credential complete:(void(^)(bool success, NSError *error))complete -{ - [self.account stashAccountCredential:credential complete:complete]; -} - -- (void)myPeerInfo:(void (^)(NSData *, NSError *))complete -{ - [self.account myPeerInfo:complete]; -} - -- (void)circleJoiningBlob:(NSData *)applicant complete:(void (^)(NSData *blob, NSError *))complete -{ - [self.account circleJoiningBlob:applicant complete:complete]; -} - -- (void)joinCircleWithBlob:(NSData *)blob version:(PiggyBackProtocolVersion)version complete:(void (^)(bool success, NSError *))complete -{ - [self.account joinCircleWithBlob:blob version:version complete:complete]; -} - -- (void)initialSyncCredentials:(uint32_t)flags complete:(void (^)(NSArray *, NSError *))complete -{ - if (![self checkEntitlement:(__bridge NSString *)kSecEntitlementKeychainInitialSync]) { - complete(@[], [NSError errorWithDomain:(__bridge NSString *)kSOSErrorDomain code:kSOSEntitlementMissing userInfo:NULL]); - return; - } - - [self.account initialSyncCredentials:flags complete:complete]; -} - -- (void)importInitialSyncCredentials:(NSArray *)items complete:(void (^)(bool success, NSError *))complete -{ - if (![self checkEntitlement:(__bridge NSString *)kSecEntitlementKeychainInitialSync]) { - complete(false, [NSError errorWithDomain:(__bridge NSString *)kSOSErrorDomain code:kSOSEntitlementMissing userInfo:NULL]); - return; - } - - [self.account importInitialSyncCredentials:items complete:complete]; -} - -- (void)triggerSync:(NSArray *)peers complete:(void(^)(bool success, NSError *))complete -{ - if (![self checkEntitlement:(__bridge NSString *)kSecEntitlementKeychainCloudCircle]) { - complete(false, [NSError errorWithDomain:(__bridge NSString *)kSOSErrorDomain code:kSOSEntitlementMissing userInfo:NULL]); - return; - } - - 
[self.account triggerSync:peers complete:complete]; -} - -- (void)getWatchdogParameters:(void (^)(NSDictionary* parameters, NSError* error))complete -{ - [self.account getWatchdogParameters:complete]; -} - -- (void)setWatchdogParmeters:(NSDictionary*)parameters complete:(void (^)(NSError* error))complete -{ - [self.account setWatchdogParmeters:parameters complete:complete]; -} - -@end - - @implementation SOSAccount // Auto synthesis for most fields works great. @@ -275,20 +137,16 @@ const CFStringRef kSOSAccountDebugScope = CFSTR("Scope"); self.previousAccountKey = NULL; self.saveBlock = nil; - - self.listener = [NSXPCListener anonymousListener]; - self.listener.delegate = self; - [self.listener resume]; } return self; } -- (void) finalize { - // All the CF objects stored here need clearing (implicitly releasing them). - self.accountKey = NULL; - self.accountPrivateKey = NULL; - self.previousAccountKey = NULL; - [super finalize]; +- (void)dealloc { + if(self) { + CFReleaseNull(self->_accountKey); + CFReleaseNull(self->_accountPrivateKey); + CFReleaseNull(self->_previousAccountKey); + } } @synthesize accountKey = _accountKey; 
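Review bot: The `if(self)` guard in the new `-dealloc` (the @@ -275 hunk) is always true, because dealloc is only sent to a live object. The three releases can sit directly in the method body, starting with `CFReleaseNull(self->_accountKey);`. The explanation carried by the old `-finalize` comment is lost, so a one-line replacement such as `// CF-typed ivars are not released by ARC; drop them by hand.` would tell the next reader why these three are handled manually.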
@@ -327,33 +185,6 @@ const CFStringRef kSOSAccountDebugScope = CFSTR("Scope"); return self.trust.peerID; } - -- (xpc_endpoint_t)xpcControlEndpoint { - return [self.listener.endpoint _endpoint]; -} - -- (BOOL)listener:(__unused NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection -{ - NSNumber *num = [newConnection valueForEntitlement:(__bridge NSString *)kSecEntitlementKeychainCloudCircle]; - if (![num isKindOfClass:[NSNumber class]] || ![num boolValue]) { - secinfo("sos", "Client pid: %d doesn't have entitlement: %@", - [newConnection processIdentifier], kSecEntitlementKeychainCloudCircle); - return NO; - } - - - SOSClient *sosClient = [[SOSClient alloc] initWithConnection:newConnection account:self]; - - newConnection.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(SOSControlProtocol)]; - _SOSControlSetupInterface(newConnection.exportedInterface); - newConnection.exportedObject = sosClient; - - [newConnection resume]; - - return YES; -} - - -(bool) ensureFactoryCircles { if (!self){ @@ -370,14 +201,19 @@ const CFStringRef kSOSAccountDebugScope = CFSTR("Scope"); return false; } - SOSAccountEnsureCircle(self, (__bridge CFStringRef) circle_name, NULL); + CFReleaseSafe(SOSAccountEnsureCircle(self, (__bridge CFStringRef) circle_name, NULL)); return SOSAccountInflateTransports(self, (__bridge CFStringRef) circle_name, NULL); } -(void)ensureOctagonPeerKeys { - [self.trust ensureOctagonPeerKeys:self.circle_transport]; +#if OCTAGON + CKKSLockStateTracker *tracker = [CKKSViewManager manager].lockStateTracker; + if (tracker && tracker.isLocked == false) { + [self.trust ensureOctagonPeerKeys:self.circle_transport]; + } +#endif } -(id) initWithGestalt:(CFDictionaryRef)newGestalt factory:(SOSDataSourceFactoryRef)f 
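Review bot: `-ensureOctagonPeerKeys` (the @@ -370 hunk) now returns without doing or logging anything when `lockStateTracker` is nil or the device is locked, and the hunk shows no path that retries after unlock. An `else` branch with `secnotice("circleOps", "ensureOctagonPeerKeys skipped: no lock state tracker or device locked");` would make the skipped key setup visible in logs. Whether a later caller re-runs this after unlock should be confirmed outside this hunk. As a style point, `tracker.isLocked == false` reads more plainly as `!tracker.isLocked`.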
@@ -424,10 +260,6 @@ const CFStringRef kSOSAccountDebugScope = CFSTR("Scope"); self.previousAccountKey = NULL; self.saveBlock = nil; - - self.listener = [NSXPCListener anonymousListener]; - self.listener.delegate = self; - [self.listener resume]; } return self; } @@ -802,7 +634,6 @@ static bool Flush(CFErrorRef *error) { } } - // // MARK: Save Block // @@ -880,6 +711,7 @@ SOSAccount* SOSAccountCreate(CFAllocatorRef allocator, SOSAccount* a = [[SOSAccount alloc] initWithGestalt:gestalt factory:factory]; [a ensureFactoryCircles]; SOSAccountEnsureUUID(a); + secnotice("circleop", "Setting account.key_interests_need_updating to true in SOSAccountCreate"); a.key_interests_need_updating = true; return a; @@ -1020,7 +852,7 @@ void SOSAccountSetToNew(SOSAccount* a) // By resetting our expansion dictionary we've reset our UUID, so we'll be notified properly SOSAccountEnsureUUID(a); - + secnotice("circleop", "Setting account.key_interests_need_updating to true in SOSAccountSetToNew"); a.key_interests_need_updating = true; } @@ -1044,16 +876,6 @@ bool SOSAccountIsNew(SOSAccount* account, CFErrorRef *error){ return result; } -CFStringRef SOSAccountCreateCompactDescription(SOSAccount* a) { - - CFStringRef gestaltDescription = CFDictionaryCopySuperCompactDescription((__bridge CFDictionaryRef)(a.gestalt)); - - CFStringRef result = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@"), gestaltDescription); - - CFReleaseNull(gestaltDescription); - - return result; -} dispatch_queue_t SOSAccountGetQueue(SOSAccount* account) { return account.queue; } 
@@ -1064,12 +886,19 @@ void SOSAccountSetUserPublicTrustedForTesting(SOSAccount* account){ -(SOSCCStatus) getCircleStatus:(CFErrorRef*) error { - SOSCCStatus circleStatus = kSOSCCError; - if (SOSAccountHasPublicKey(self, error)) { - circleStatus = [self.trust getCircleStatus:error]; + SOSCCStatus circleStatus = [self.trust getCircleStatus:error]; + if (!SOSAccountHasPublicKey(self, error)) { + if(circleStatus == kSOSCCInCircle) { + if(error) { + CFReleaseNull(*error); + SOSCreateError(kSOSErrorPublicKeyAbsent, CFSTR("Public Key isn't available, this peer is in the circle, but invalid. The iCloud Password must be provided to keychain syncing subsystem to repair this."), NULL, error); + } + } + circleStatus = kSOSCCError; } return circleStatus; } + bool SOSAccountScanForRetired(SOSAccount* account, SOSCircleRef circle, CFErrorRef *error) { SOSAccountTrustClassic *trust = account.trust; @@ -1126,7 +955,7 @@ SOSCircleRef SOSAccountCloneCircleWithRetirement(SOSAccount* account, SOSCircle } } else { // This case is when we aren't an applicant and the circle is retirement-empty. - secnotice("resetToEmpty", "Reset to empty with last retirement"); + secnotice("circleOps", "Reset to empty with last retirement"); SOSCircleResetToEmpty(new_circle, NULL); } } 
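Review bot: In `-getCircleStatus:` both `[self.trust getCircleStatus:error]` and `SOSAccountHasPublicKey(self, error)` can now write to the same `*error`, and only the `kSOSCCInCircle` branch clears it before creating the replacement. When the key is absent and the status is anything else, the caller gets kSOSCCError with whichever error was written last. How the helpers treat an already-set `*error` is not visible here, so the first error may be overwritten without release. Passing a local to the key check, `CFErrorRef keyError = NULL; bool hasKey = SOSAccountHasPublicKey(self, &keyError);`, and then deciding which error to hand back would make ownership unambiguous.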
@@ -1366,21 +1195,24 @@ bool SOSAccountEnsureInBackupRings(SOSAccount* account) { return SOSFullPeerInfoUpdateBackupKey(fpi, (__bridge CFDataRef)(account.backup_key), error); }); if (!result) { - secnotice("backupkey", "Failed to setup backup public key: %@", error ? (CFTypeRef) error : (CFTypeRef) CFSTR("No error space provided")); + secnotice("backupkey", "Failed to setup backup public key: %@", error); + CFReleaseNull(error); return result; } } if(!account.backup_key) { if (!result) { - secnotice("backupkey", "Failed to setup backup public key: %@", error ? (CFTypeRef) error : (CFTypeRef) CFSTR("No error space provided")); + secnotice("backupkey", "Failed to setup backup public key: %@", error); } + CFReleaseNull(error); return result; } if(!SOSBSKBIsGoodBackupPublic((__bridge CFDataRef)account.backup_key, &error)){ if (!result) { - secnotice("backupkey", "Failed to setup backup public key: %@", error ? (CFTypeRef) error : (CFTypeRef) CFSTR("No error space provided")); + secnotice("backupkey", "Failed to setup backup public key: %@", error); } + CFReleaseNull(error); return result; } @@ -1406,8 +1238,9 @@ bool SOSAccountEnsureInBackupRings(SOSAccount* account) { } if (!result) { - secnotice("backupkey", "Failed to setup backup public key: %@", error ? (CFTypeRef) error : (CFTypeRef) CFSTR("No error space provided")); + secnotice("backupkey", "Failed to setup backup public key: %@", error); } + CFReleaseNull(error); return result; } @@ -1529,7 +1362,7 @@ done: } bool SOSAccountJoinCircles(SOSAccountTransaction* aTxn, CFErrorRef* error) { - secnotice("circleJoin", "Normal path circle join (SOSAccountJoinCircles)"); + secnotice("circleOps", "Normal path circle join (SOSAccountJoinCircles)"); return SOSAccountJoinCircles_internal(aTxn, false, error); } 
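Review bot: At the `SOSBSKBIsGoodBackupPublic` check in the @@ -1366 hunk the error is now released unconditionally but logged only inside `if (!result)`. If `result` can already be true at that point (its earlier value is not visible), the reason the backup key was rejected is dropped without a trace. Logging before the release regardless of `result`, e.g. `secnotice("backupkey", "Backup public key failed validation: %@", error);`, keeps that signal. All four sites, including the one in the @@ -1406 hunk, also emit the identical text "Failed to setup backup public key", so a distinct message per site would let them be told apart in collected logs. SOSAccountEnsureInBackupRings starts before and continues after these hunks.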
@@ -1560,7 +1393,7 @@ bool SOSAccountSetMyDSID(SOSAccountTransaction* txn, CFStringRef IDS, CFErrorRef result = [trust modifyCircle:account.circle_transport err:error action:^bool(SOSCircleRef circle) { SOSFullPeerInfoUpdateDeviceID(trust.fullPeerInfo, IDS, error); - SOSFullPeerInfoUpdateTransportType(trust.fullPeerInfo, SOSTransportMessageTypeIDSV2, error); + SOSFullPeerInfoUpdateTransportType(trust.fullPeerInfo, SOSTransportMessageTypeKVS, error); SOSFullPeerInfoUpdateTransportPreference(trust.fullPeerInfo, kCFBooleanFalse, error); SOSFullPeerInfoUpdateTransportFragmentationPreference(trust.fullPeerInfo, kCFBooleanTrue, error); SOSFullPeerInfoUpdateTransportAckModelPreference(trust.fullPeerInfo, kCFBooleanTrue, error); @@ -1665,7 +1498,7 @@ bool SOSAccountRetrieveDeviceIDFromKeychainSyncingOverIDSProxy(SOSAccount* acco } bool SOSAccountJoinCirclesAfterRestore(SOSAccountTransaction* aTxn, CFErrorRef* error) { - secnotice("circleJoin", "Joining after restore (SOSAccountJoinCirclesAfterRestore)"); + secnotice("circleOps", "Joining after restore (SOSAccountJoinCirclesAfterRestore)"); return SOSAccountJoinCircles_internal(aTxn, true, error); } @@ -1675,14 +1508,14 @@ bool SOSAccountRemovePeersFromCircle(SOSAccount* account, CFArrayRef peers, CFE CFMutableSetRef peersToRemove = NULL; SecKeyRef user_key = SOSAccountGetPrivateCredential(account, error); if(!user_key){ - secnotice("removePeers", "Can't remove without userKey"); + secnotice("circleOps", "Can't remove without userKey"); return result; } SOSFullPeerInfoRef me_full = account.fullPeerInfo; SOSPeerInfoRef me = account.peerInfo; if(!(me_full && me)) { - secnotice("removePeers", "Can't remove without being active peer"); + secnotice("circleOps", "Can't remove without being active peer"); SOSErrorCreate(kSOSErrorPeerNotFound, error, NULL, CFSTR("Can't remove without being active peer")); return result; } 
@@ -1693,7 +1526,7 @@ bool SOSAccountRemovePeersFromCircle(SOSAccount* account, CFArrayRef peers, CFE if(!peersToRemove) { CFReleaseNull(peersToRemove); - secnotice("removePeers", "No peerSet to remove"); + secnotice("circleOps", "No peerSet to remove"); return result; } @@ -1710,7 +1543,7 @@ bool SOSAccountRemovePeersFromCircle(SOSAccount* account, CFArrayRef peers, CFE } else success = true; if (success && leaveCircle) { - secnotice("leaveCircle", "Leaving circle by client request"); + secnotice("circleOps", "Leaving circle by client request (SOSAccountRemovePeersFromCircle)"); success = sosAccountLeaveCircle(account, circle, error); } @@ -1718,6 +1551,12 @@ bool SOSAccountRemovePeersFromCircle(SOSAccount* account, CFArrayRef peers, CFE return success; }]; + + if(result) { + CFStringSetPerformWithDescription(peersToRemove, ^(CFStringRef description) { + secnotice("circleOps", "Removed Peers from circle %@", description); + }); + } CFReleaseNull(peersToRemove); return result; @@ -1733,7 +1572,7 @@ bool SOSAccountBail(SOSAccount* account, uint64_t limit_in_seconds, CFErrorRef* // Add a task to the group dispatch_group_async(group, queue, ^{ [trust modifyCircle:account.circle_transport err:error action:^(SOSCircleRef circle) { - secnotice("leaveCircle", "Leaving circle by client request"); + secnotice("circleOps", "Leaving circle by client request (Bail)"); return sosAccountLeaveCircle(account, circle, error); }]; }); @@ -2024,7 +1863,6 @@ static CFDictionaryRef SOSAccountGetObjectsFromCloud(dispatch_queue_t processQue CloudKeychainReplyBlock replyBlock = ^ (CFDictionaryRef returnedValues, CFErrorRef error) { - secnotice("key-cleanup", "SOSCloudKeychainGetObjectsFromCloud returned: %@", returnedValues); object = returnedValues; if (object) CFRetain(object); 
@@ -2032,7 +1870,6 @@ static CFDictionaryRef SOSAccountGetObjectsFromCloud(dispatch_queue_t processQue { secerror("SOSCloudKeychainGetObjectsFromCloud returned error: %@", error); } - secnotice("key-cleanup", "SOSCloudKeychainGetObjectsFromCloud block exit: %@", object); dispatch_semaphore_signal(waitSemaphore); }; @@ -2044,8 +1881,7 @@ static CFDictionaryRef SOSAccountGetObjectsFromCloud(dispatch_queue_t processQue CFRelease(object); object = NULL; } - secnotice("key-cleanup", "returned: %@", object); - return asDictionary(object, error); + return asDictionary(object, NULL); // don't propogate "NULL is not a dictionary" errors } @@ -2064,7 +1900,7 @@ static void SOSAccountRemoveKVSKeys(SOSAccount* account, NSArray* keysToRemove, SOSCloudKeychainRemoveKeys((__bridge CFArrayRef)(keysToRemove), uuid, processQueue, replyBlock); dispatch_semaphore_wait(waitSemaphore, finishTime); - + CFReleaseNull(uuid); } static void SOSAccountWriteLastCleanupTimestampToKVS(SOSAccount* account) @@ -2080,6 +1916,7 @@ static void SOSAccountWriteLastCleanupTimestampToKVS(SOSAccount* account) CFStringAppend(timeDescription, CFSTR("]")); [writeTimestamp setObject:(__bridge NSString*)(timeDescription) forKey:(__bridge NSString*)kSOSKVSLastCleanupTimestampKey]; + CFReleaseNull(timeDescription); dispatch_semaphore_t waitSemaphore = dispatch_semaphore_create(0); dispatch_time_t finishTime = dispatch_time(DISPATCH_TIME_NOW, maxTimeToWaitInSeconds); 
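Review bot: With `return asDictionary(object, NULL);`, nothing in the visible part of `SOSAccountGetObjectsFromCloud` writes to the caller's `error` any more. The reply block's own `error` parameter shadows it and is only passed to `secerror`. A caller such as `SOSAccountCleanupAllKVSKeys`, which forwards its `error` here, therefore cannot tell a timeout or fetch failure from an empty KVS. If that best-effort contract is intended, state it at the return, e.g. `// best effort: NULL means nothing was fetched; failures are logged, never reported`. Otherwise copy the block's error out before signalling the semaphore. The function's start is outside this hunk.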
@@ -2104,8 +1941,9 @@ bool SOSAccountCleanupAllKVSKeys(SOSAccount* account, CFErrorRef* error) NSDictionary *keysAndValues = (__bridge_transfer NSDictionary*)SOSAccountGetObjectsFromCloud(processQueue, error); NSMutableArray *peerIDs = [NSMutableArray array]; NSMutableArray *keysToRemove = [NSMutableArray array]; - - CFArrayForEach(SOSAccountCopyActiveValidPeers(account, error), ^(const void *value) { + + CFArrayRef peers = SOSAccountCopyActiveValidPeers(account, error); + CFArrayForEach(peers, ^(const void *value) { SOSPeerInfoRef peer = (SOSPeerInfoRef)value; NSString* peerID = (__bridge NSString*) SOSPeerInfoGetPeerID(peer); @@ -2113,6 +1951,7 @@ bool SOSAccountCleanupAllKVSKeys(SOSAccount* account, CFErrorRef* error) if(![[account.trust peerID] isEqualToString:peerID]) [peerIDs addObject:peerID]; }); + CFReleaseNull(peers); [keysAndValues enumerateKeysAndObjectsUsingBlock:^(NSString * KVSKey, NSNumber * KVSValue, BOOL *stop) { __block bool keyMatchesPeerID = false; @@ -2525,7 +2364,7 @@ SOSPiggyCreateInitialSyncData(NSArray* identities, NSArray -#include +#include #include #include @@ -58,7 +58,6 @@ extern const CFStringRef kSOSTestV2Settings; extern const CFStringRef kSOSRateLimitingCounters; extern const CFStringRef kSOSAccountPeerLastSentTimestamp; extern const CFStringRef kSOSAccountRenegotiationRetryCount; -extern const CFStringRef kOTRConfigVersion; extern const CFStringRef kSOSInitialSyncTimeoutV0; #define kSecServerPeerInfoAvailable "com.apple.security.fpiAvailable" @@ -73,7 +72,7 @@ typedef void (^SOSAccountSaveBlock)(CFDataRef flattenedAccount, CFErrorRef flatt @class SOSCircleStorageTransport; @class SOSCKCircleStorage; -@interface SOSAccount : NSObject +@interface SOSAccount : NSObject @property (nonatomic, retain) NSDictionary *gestalt; @property (nonatomic, retain) NSData *backup_key; 
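Review bot: In `SOSAccountCleanupAllKVSKeys`, the new local `peers` is passed to `CFArrayForEach` without a NULL check, although `SOSAccountCopyActiveValidPeers` takes an `error` out-parameter and so presumably can fail. Now that the array has a name, guarding it is a small change: `if (peers) { CFArrayForEach(peers, ^(const void *value) { ... }); }`. It is also worth confirming that an empty `peerIDs` after a failed lookup does not make the key-matching loop below treat every peer's KVS keys as stale; that logic continues outside the hunk.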
@@ -124,7 +123,6 @@ typedef void (^SOSAccountSaveBlock)(CFDataRef flattenedAccount, CFErrorRef flatt -(id) init; -(id) initWithGestalt:(CFDictionaryRef)gestalt factory:(SOSDataSourceFactoryRef)factory; -- (xpc_endpoint_t)xpcControlEndpoint; void SOSAccountAddSyncablePeerBlock(SOSAccount* a, CFStringRef ds_name, @@ -207,7 +205,6 @@ bool SOSAccountIsPeerInBackupAndCurrentInView(SOSAccount* account, SOSPeerInfoRe bool SOSDeleteV0Keybag(CFErrorRef *error); void SOSAccountForEachBackupView(SOSAccount* account, void (^operation)(const void *value)); bool SOSAccountUpdatePeerInfo(SOSAccount* account, CFStringRef updateDescription, CFErrorRef *error, bool (^update)(SOSFullPeerInfoRef fpi, CFErrorRef *error)); -CFStringRef SOSAccountCreateCompactDescription(SOSAccount* a); // Currently permitted backup rings. void SOSAccountForEachBackupRingName(SOSAccount* account, void (^operation)(CFStringRef value)); @@ -215,7 +212,7 @@ void SOSAccountForEachRingName(SOSAccount* account, void (^operation)(CFStringRe // My Circle bool SOSAccountHasCircle(SOSAccount* account, CFErrorRef* error); -SOSCircleRef SOSAccountEnsureCircle(SOSAccount* a, CFStringRef name, CFErrorRef *error); +SOSCircleRef CF_RETURNS_RETAINED SOSAccountEnsureCircle(SOSAccount* a, CFStringRef name, CFErrorRef *error); void AppendCircleKeyName(CFMutableArrayRef array, CFStringRef name); @@ -227,7 +224,7 @@ SOSFullPeerInfoRef CopyCloudKeychainIdentity(SOSPeerInfoRef cloudPeer, CFErrorRe bool SOSAccountIsAccountIdentity(SOSAccount* account, SOSPeerInfoRef peer_info, CFErrorRef *error); bool SOSAccountFullPeerInfoVerify(SOSAccount* account, SecKeyRef privKey, CFErrorRef *error); -SOSPeerInfoRef GenerateNewCloudIdentityPeerInfo(CFErrorRef *error); +CF_RETURNS_RETAINED SOSPeerInfoRef GenerateNewCloudIdentityPeerInfo(CFErrorRef *error); // Credentials bool SOSAccountHasPublicKey(SOSAccount* account, CFErrorRef* error); 
@@ -244,7 +241,7 @@ void SOSAccountAssertDSID(SOSAccount* account, CFStringRef dsid); // SecKeyRef SOSAccountCopyDeviceKey(SOSAccount* account, CFErrorRef *error); -SecKeyRef GeneratePermanentFullECKey(int keySize, CFStringRef name, CFErrorRef* error); +SecKeyRef CF_RETURNS_RETAINED GeneratePermanentFullECKey(int keySize, CFStringRef name, CFErrorRef* error); // Testing void SOSAccountSetLastDepartureReason(SOSAccount* account, enum DepartureReason reason); @@ -312,7 +309,7 @@ bool SOSAccountIsNew(SOSAccount* account, CFErrorRef *error); bool SOSAccountCheckForAlwaysOnViews(SOSAccount* account); // UUID, no setter just getter and ensuring value. void SOSAccountEnsureUUID(SOSAccount* account); -CFStringRef SOSAccountCopyUUID(SOSAccount* account); +CFStringRef CF_RETURNS_RETAINED SOSAccountCopyUUID(SOSAccount* account); const uint8_t* der_decode_cloud_parameters(CFAllocatorRef allocator, CFIndex algorithmID, SecKeyRef* publicKey, CFDataRef *parameters, diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountRingUpdate.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountRingUpdate.m index b50d0bf8..d7409e06 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountRingUpdate.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountRingUpdate.m 
@@ -15,22 +15,6 @@ #include #import -static const char * __unused concordstring[] = { - "kSOSConcordanceTrusted", - "kSOSConcordanceGenOld", // kSOSErrorReplay - "kSOSConcordanceNoUserSig", // kSOSErrorBadSignature - "kSOSConcordanceNoUserKey", // kSOSErrorNoKey - "kSOSConcordanceNoPeer", // kSOSErrorPeerNotFound - "kSOSConcordanceBadUserSig", // kSOSErrorBadSignature - "kSOSConcordanceBadPeerSig", // kSOSErrorBadSignature - "kSOSConcordanceNoPeerSig", - "kSOSConcordanceWeSigned", - "kSOSConcordanceInvalidMembership", - "kSOSConcordanceMissingMe", - "kSOSConcordanceImNotWorthy", -}; - - bool SOSAccountIsPeerRetired(SOSAccount* account, CFSetRef peers){ CFMutableArrayRef peerInfos = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); bool result = false; diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountRings.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountRings.m index 83551638..680c174c 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountRings.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountRings.m @@ -170,6 +170,7 @@ SOSRingRef SOSAccountCopyRingNamed(SOSAccount* a, CFStringRef ringName, CFErrorR secerror("Non ring in ring table: %@, purging!", found); SOSAccountRemoveRing(a, ringName); } + CFReleaseNull(found); // I'm very skeptical of this function... found = NULL; return found; } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountSync.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountSync.m index 993d7db8..461d3b54 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountSync.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountSync.m @@ -20,6 +20,7 @@ #import #include #include +#include #include 
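Review bot: The comment added in `SOSAccountCopyRingNamed`, `// I'm very skeptical of this function...`, records a doubt without saying what the doubt is or why the release is correct. It would be more useful to state the ownership rule that the new `CFReleaseNull(found);` enforces, e.g. `// found is a +1 reference from the copy above; release it when it is not a ring and report "not found"`. If `CFReleaseNull` already clears its argument, as its name suggests, the following `found = NULL;` is redundant. The start of the function is outside this hunk, so the +1 ownership of `found` is inferred from the `Copy` naming.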
@@ -355,7 +356,7 @@ CF_RETURNS_RETAINED CFMutableSetRef SOSAccountSyncWithPeers(SOSAccountTransactio peerInfo = SOSCircleCopyPeerWithID(circle, peerID, NULL); if (peerInfo && SOSCircleHasValidSyncingPeer(circle, peerInfo, account.accountKey, NULL)) { - if (canUseIDS && SOSPeerInfoShouldUseIDSTransport(myPeerInfo, peerInfo) && SOSPeerInfoShouldUseACKModel(myPeerInfo, peerInfo)) { + if (ENABLE_IDS && canUseIDS && SOSPeerInfoShouldUseIDSTransport(myPeerInfo, peerInfo) && SOSPeerInfoShouldUseACKModel(myPeerInfo, peerInfo)) { CFSetAddValue(peersForIDS, peerID); } else { CFSetAddValue(peersForKVS, peerID); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTransaction.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTransaction.h index 061c17ea..d31c4212 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTransaction.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTransaction.h @@ -18,7 +18,7 @@ NS_ASSUME_NONNULL_BEGIN @interface SOSAccount (Transaction) -+ (void)performOnAccountQueue:(void (^)(void))action; ++ (void)performOnQuietAccountQueue:(void (^)(void))action; + (void)performWhileHoldingAccountQueue:(void (^)(void))action; - (void) performTransaction: (void (^)(SOSAccountTransaction* txn)) action; @@ -28,10 +28,8 @@ NS_ASSUME_NONNULL_BEGIN @interface SOSAccountTransaction : NSObject -+ (instancetype) transactionWithAccount: (SOSAccount*) account; - - (instancetype) init NS_UNAVAILABLE; -- (instancetype) initWithAccount: (SOSAccount*) account NS_DESIGNATED_INITIALIZER; +- (instancetype) initWithAccount: (SOSAccount*) account quiet:(bool)quiet NS_DESIGNATED_INITIALIZER; - (void) finish; - (void) restart; diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTransaction.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTransaction.m index 09e6fbe8..f1003698 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTransaction.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTransaction.m 
@@ -21,6 +21,7 @@ #import "Security/SecureObjectSync/SOSTransportMessageKVS.h" #include + #define kPublicKeyNotAvailable "com.apple.security.publickeynotavailable" // Account dumping state stuff @@ -38,6 +39,8 @@ @property BOOL initialTrusted; @property NSData* initialKeyParameters; +@property bool quiet; + @property NSMutableSet* peersToRequestSync; - (void) start; @@ -48,18 +51,15 @@ @implementation SOSAccountTransaction -+ (instancetype) transactionWithAccount: (SOSAccount*) account { - return [[SOSAccountTransaction new] initWithAccount: account]; -} - - (NSString*) description { return [NSString stringWithFormat:@"", self, (unsigned long)(self.initialViews ? [self.initialViews count] : 0)]; } -- (instancetype) initWithAccount:(SOSAccount *)account { +- (instancetype) initWithAccount:(SOSAccount *)account quiet:(bool)quiet { if (self = [super init]) { self.account = account; + _quiet = quiet; [self start]; } return self; @@ -83,9 +83,11 @@ } self.peersToRequestSync = nil; - CFStringSetPerformWithDescription((__bridge CFSetRef) self.initialViews, ^(CFStringRef description) { - secnotice("acct-txn", "Starting as:%s v:%@", self.initialInCircle ? "member" : "non-member", description); - }); + if(!self.quiet) { + CFStringSetPerformWithDescription((__bridge CFSetRef) self.initialViews, ^(CFStringRef description) { + secnotice("acct-txn", "Starting as:%s v:%@", self.initialInCircle ? "member" : "non-member", description); + }); + } } - (void) restart { @@ -96,6 +98,9 @@ - (void) finish { static int do_account_state_at_zero = 0; + bool doCircleChanged = false; + bool doViewChanged = false; + CFErrorRef localError = NULL; bool notifyEngines = false; 
@@ -184,9 +189,11 @@ mpi = self.account.peerInfo; CFSetRef views = mpi ? SOSPeerInfoCopyEnabledViews(mpi) : NULL; - CFStringSetPerformWithDescription(views, ^(CFStringRef description) { - secnotice("acct-txn", "Finished as:%s v:%@", isInCircle ? "member" : "non-member", description); - }); + if(!self.quiet) { + CFStringSetPerformWithDescription(views, ^(CFStringRef description) { + secnotice("acct-txn", "Finished as:%s v:%@", isInCircle ? "member" : "non-member", description); + }); + } // This is the logic to detect a new userKey: bool userKeyChanged = !NSIsEqualSafe(self.initialKeyParameters, self.account.accountKeyDerivationParamters); @@ -198,19 +205,21 @@ self.account.accountKeyIsTrusted); if(self.initialInCircle != isInCircle) { - notify_post(kSOSCCCircleChangedNotification); - notify_post(kSOSCCViewMembershipChangedNotification); + doCircleChanged = true; + doViewChanged = true; do_account_state_at_zero = 0; secnotice("secdNotify", "Notified clients of kSOSCCCircleChangedNotification && kSOSCCViewMembershipChangedNotification for circle/view change"); } else if(isInCircle && !NSIsEqualSafe(self.initialViews, (__bridge NSSet*)views)) { - notify_post(kSOSCCViewMembershipChangedNotification); + doViewChanged = true; do_account_state_at_zero = 0; secnotice("secdNotify", "Notified clients of kSOSCCViewMembershipChangedNotification for viewchange(only)"); } else if(weInitiatedKeyChange) { // We consider this a circleChange so (PCS) can tell the userkey trust changed. - notify_post(kSOSCCCircleChangedNotification); + doCircleChanged = true; do_account_state_at_zero = 0; secnotice("secdNotify", "Notified clients of kSOSCCCircleChangedNotification for userKey change"); } + + // This is the case of we used to trust the key, were in the circle, the key changed, we don't trust it now. bool fellOutOfTrust = (self.initialTrusted && 
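Review bot: In `finish`, the `secnotice("secdNotify", "Notified clients of ...")` lines now run before any notification is sent. The `notify_post` calls in these branches were replaced by the `doCircleChanged` and `doViewChanged` flags, which are acted on later in the method. Anyone correlating logs with notification delivery will read these lines as "already posted". Either reword them, e.g. `secnotice("secdNotify", "Will notify clients of kSOSCCCircleChangedNotification for userKey change");`, or move the logging next to the deferred `notify_post` calls. The method starts and ends outside this hunk.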
@@ -221,8 +230,20 @@ if(fellOutOfTrust) { secnotice("userKeyTrust", "No longer trust user public key - prompting for password."); notify_post(kPublicKeyNotAvailable); + doCircleChanged = true; do_account_state_at_zero = 0; } + + bool userKeyTrustChangedToTrueAndNowInCircle = (!self.initialTrusted && self.account.accountKeyIsTrusted && isInCircle); + + if(userKeyTrustChangedToTrueAndNowInCircle) { + secnotice("userKeyTrust", "UserKey is once again trusted and we're valid in circle."); + doCircleChanged = true; + doViewChanged = true; + } + + if(doCircleChanged) notify_post(kSOSCCCircleChangedNotification); + if(doViewChanged) notify_post(kSOSCCViewMembershipChangedNotification); if(do_account_state_at_zero <= 0) { SOSAccountLogState(self.account); 
@@ -269,28 +290,40 @@ __thread bool __hasAccountQueue = false; __hasAccountQueue = hadAccountQueue; } -+ (void)performOnAccountQueue:(void (^)(void))action ++ (void)performOnQuietAccountQueue:(void (^)(void))action { SOSAccount* account = (__bridge SOSAccount*)GetSharedAccountRef(); - [account performTransaction:^(SOSAccountTransaction * _Nonnull txn) { + [account performTransaction:true action:^(SOSAccountTransaction * _Nonnull txn) { action(); }]; } - (void) performTransaction_Locked: (void (^)(SOSAccountTransaction* txn)) action { - SOSAccountTransaction* transaction = [SOSAccountTransaction transactionWithAccount:self]; - action(transaction); - [transaction finish]; + [self performTransaction_Locked:false action:action]; +} + +- (void) performTransaction_Locked:(bool)quiet action:(void (^)(SOSAccountTransaction* txn))action { + @autoreleasepool { + SOSAccountTransaction* transaction = [[SOSAccountTransaction new] initWithAccount:self quiet:quiet]; + action(transaction); + [transaction finish]; + } } - (void) performTransaction: (void (^)(SOSAccountTransaction* txn)) action { + [self performTransaction:false action:action]; +} + +- (void)performTransaction:(bool)quiet action:(void (^)(SOSAccountTransaction* txn))action { + if (__hasAccountQueue) { - [self performTransaction_Locked:action]; + // Be quiet; we're already in a transaction + [self performTransaction_Locked:true action:action]; } else { dispatch_sync(self.queue, ^{ __hasAccountQueue = true; - [self performTransaction_Locked:action]; + [self performTransaction_Locked:quiet action:action]; __hasAccountQueue = false; }); } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrust.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrust.h index fcd013be..4a87ee90 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrust.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrust.h 
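Review bot: `performTransaction_Locked:action:` builds the transaction with `[[SOSAccountTransaction new] initWithAccount:self quiet:quiet]`, which runs `init` and then the designated initializer on the same object. SOSAccountTransaction.h in this commit marks `init` as `NS_UNAVAILABLE`, so `new` sidesteps the restriction the header is trying to enforce. Use `SOSAccountTransaction* transaction = [[SOSAccountTransaction alloc] initWithAccount:self quiet:quiet];` instead. Separately, the `__hasAccountQueue` branch ignores the caller's `quiet` argument and always passes `true`; the inline comment says why, but the declaration of `performTransaction:action:` should note that `quiet` applies only to the outermost transaction.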
@@ -28,6 +28,9 @@ typedef void (^SOSModifyPeersInCircleBlock)(SOSCircleRef circle, CFMutableArrayR SOSCircleRef trustedCircle; NSMutableSet * retirees; enum DepartureReason departureCode; + + SecKeyRef _cachedOctagonSigningKey; + SecKeyRef _cachedOctagonEncryptionKey; } @property (strong, nonatomic) NSMutableDictionary * expansion; @@ -42,6 +45,9 @@ typedef void (^SOSModifyPeersInCircleBlock)(SOSCircleRef circle, CFMutableArrayR @property (strong, nonatomic) NSMutableSet * retirees; @property (nonatomic) enum DepartureReason departureCode; +@property (assign) SecKeyRef cachedOctagonSigningKey; +@property (assign) SecKeyRef cachedOctagonEncryptionKey; + +(instancetype)trust; -(id)init; diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrust.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrust.m index 00ef816f..9fa0ce11 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrust.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrust.m @@ -6,6 +6,8 @@ #import "Security/SecureObjectSync/SOSAccountTrust.h" @implementation SOSAccountTrust +@synthesize cachedOctagonEncryptionKey = _cachedOctagonEncryptionKey; +@synthesize cachedOctagonSigningKey = _cachedOctagonSigningKey; +(instancetype)trust { @@ -41,6 +43,15 @@ } return self; } +- (void)dealloc { + if(self) { + CFReleaseNull(self->fullPeerInfo); + CFReleaseNull(self->peerInfo); + CFReleaseNull(self->trustedCircle); + CFReleaseNull(self->_cachedOctagonSigningKey); + CFReleaseNull(self->_cachedOctagonEncryptionKey); + } +} - (SOSPeerInfoRef) peerInfo { return SOSFullPeerInfoGetPeerInfo(self.fullPeerInfo); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrustClassic+Circle.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrustClassic+Circle.m index e699457e..662d5dd2 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrustClassic+Circle.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrustClassic+Circle.m 
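Review bot: `cachedOctagonSigningKey` and `cachedOctagonEncryptionKey` are declared `(assign)` and read-write, yet the new `dealloc` releases both ivars, so the object owns +1 references that the property attributes do not express. Any caller that uses the synthesized setter would store an unretained key that `dealloc` later over-releases, and would leak the value it replaced. If the ivars are only ever written directly, as the Identity category later in this diff appears to do, declare the properties read-only: `@property (assign, readonly) SecKeyRef cachedOctagonSigningKey;`, and likewise for the encryption key. Add a comment that the ivar holds a retained reference released in `dealloc`. The `if(self)` test inside `dealloc` is always true and can be dropped.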
@@ -16,18 +16,6 @@ #import "Security/SecureObjectSync/SOSAccountGhost.h" #import "Security/SecureObjectSync/SOSViews.h" -static const char *concordstring[] = { - "kSOSConcordanceTrusted", - "kSOSConcordanceGenOld", // kSOSErrorReplay - "kSOSConcordanceNoUserSig", // kSOSErrorBadSignature - "kSOSConcordanceNoUserKey", // kSOSErrorNoKey - "kSOSConcordanceNoPeer", // kSOSErrorPeerNotFound - "kSOSConcordanceBadUserSig", // kSOSErrorBadSignature - "kSOSConcordanceBadPeerSig", // kSOSErrorBadSignature - "kSOSConcordanceNoPeerSig", - "kSOSConcordanceWeSigned", -}; - @implementation SOSAccountTrustClassic (Circle) -(bool) isInCircle:(CFErrorRef *)error @@ -96,7 +84,10 @@ fail: { CFErrorRef localError = NULL; if (self.trustedCircle == NULL) { - self.trustedCircle = SOSCircleCreate(NULL, name, NULL); + SOSCircleRef newCircle = SOSCircleCreate(NULL, name, NULL); + self.trustedCircle = newCircle; // Note that this setter adds a retain + CFReleaseNull(newCircle); + secnotice("circleop", "Setting key_interests_need_updating to true in ensureCircle"); a.key_interests_need_updating = true; } @@ -161,8 +152,10 @@ fail: if(!myPubKey) return false; if(SOSCircleVerify(prospective_circle, myPubKey, NULL) && SOSCircleIsOlderGeneration(self.trustedCircle, prospective_circle)) { [self setTrustedCircle:prospective_circle]; + CFReleaseNull(myPubKey); return true; } + CFReleaseNull(myPubKey); return false; } 
@@ -188,10 +181,24 @@ static bool SOSCirclePeerOctagonKeysChanged(SOSPeerInfoRef oldPeer, SOSPeerInfoR if(!oldHasOctagonBits && !newHasOctagonBits) { // both peers have no keys: no change return false; + } + SecKeyRef oldSigningKey = SOSPeerInfoCopyOctagonSigningPublicKey(oldPeer, NULL); + SecKeyRef newSigningKey = SOSPeerInfoCopyOctagonSigningPublicKey(newPeer, NULL); + + bool signingKeyChanged = CFEqualSafe(oldSigningKey, newSigningKey); + + CFReleaseNull(oldSigningKey); + CFReleaseNull(newSigningKey); + - bool signingKeyChanged = CFEqualSafe(SOSPeerInfoCopyOctagonSigningPublicKey(oldPeer, NULL), SOSPeerInfoCopyOctagonSigningPublicKey(newPeer, NULL)); - bool encryptionKeyChanged = CFEqualSafe(SOSPeerInfoCopyOctagonEncryptionPublicKey(oldPeer, NULL), SOSPeerInfoCopyOctagonEncryptionPublicKey(newPeer, NULL)); + SecKeyRef oldEncryptionKey = SOSPeerInfoCopyOctagonEncryptionPublicKey(oldPeer, NULL); + SecKeyRef newEncryptionKey = SOSPeerInfoCopyOctagonEncryptionPublicKey(newPeer, NULL); + + bool encryptionKeyChanged = CFEqualSafe(oldEncryptionKey, newEncryptionKey); + + CFReleaseNull(oldEncryptionKey); + CFReleaseNull(newEncryptionKey); return signingKeyChanged || encryptionKeyChanged; } @@ -203,11 +210,13 @@ static bool SOSCircleHasUpdatedPeerInfoWithOctagonKey(SOSCircleRef oldCircle, SO SOSCircleForEachPeer(oldCircle, ^(SOSPeerInfoRef oldPeer) { SOSPeerInfoRef equivalentNewPeer = SOSCircleCopyPeerWithID(newCircle, SOSPeerInfoGetPeerID(oldPeer), NULL); hasUpdated |= SOSCirclePeerOctagonKeysChanged(oldPeer, equivalentNewPeer); + CFReleaseNull(equivalentNewPeer); }); SOSCircleForEachPeer(newCircle, ^(SOSPeerInfoRef newPeer) { SOSPeerInfoRef equivalentOldPeer = SOSCircleCopyPeerWithID(oldCircle, SOSPeerInfoGetPeerID(newPeer), NULL); hasUpdated |= SOSCirclePeerOctagonKeysChanged(equivalentOldPeer, newPeer); + CFReleaseNull(equivalentOldPeer); }); return hasUpdated; 
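Review bot: In `SOSCirclePeerOctagonKeysChanged`, the rewritten lines keep the comparison inverted: `bool signingKeyChanged = CFEqualSafe(oldSigningKey, newSigningKey);` is true when the two keys are equal, and the same applies to `encryptionKeyChanged`. As written, the function reports a change for peers whose Octagon keys are identical and reports no change when both keys really differ, so a rotated or substituted peer key can pass unnoticed. The refactor fixes the leaked key copies but carries the old logic over. Negate both comparisons: `bool signingKeyChanged = !CFEqualSafe(oldSigningKey, newSigningKey);` and `bool encryptionKeyChanged = !CFEqualSafe(oldEncryptionKey, newEncryptionKey);`. The function's opening lines are outside this hunk.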
@@ -236,6 +245,7 @@ static bool SOSCircleHasUpdatedPeerInfoWithOctagonKey(SOSCircleRef oldCircle, SO // sponsored the only signer. if(!writeUpdate && [ self checkForSponsorshipTrust: prospective_circle ]){ SOSCCEnsurePeerRegistration(); + secnotice("circleop", "Setting key_interests_need_updating to true in handleUpdateCircle"); account.key_interests_need_updating = true; return true; @@ -352,7 +362,7 @@ static bool SOSCircleHasUpdatedPeerInfoWithOctagonKey(SOSCircleRef oldCircle, SO break; } - secnotice("signing", "Decided on action [%s] based on concordance state [%s] and [%s] circle. My PeerID is %@", actionstring[circle_action], concordstring[concstat], userTrustedOldCircle ? "trusted" : "untrusted", myPeerID); + secnotice("signing", "Decided on action [%s] based on concordance state [%@] and [%s] circle. My PeerID is %@", actionstring[circle_action], concStr, userTrustedOldCircle ? "trusted" : "untrusted", myPeerID); SOSCircleRef circleToPush = NULL; @@ -368,7 +378,7 @@ static bool SOSCircleHasUpdatedPeerInfoWithOctagonKey(SOSCircleRef oldCircle, SO account.accountKey, account.previousAccountKey, old_circle_key); if (sosAccountLeaveCircle(account, newCircle, error)) { - secnotice("leaveCircle", "Leaving circle by newcircle state"); + secnotice("circleOps", "Leaving circle by newcircle state"); circleToPush = newCircle; } else { secnotice("signing", "Can't leave circle, but dumping identities"); 
@@ -418,7 +428,7 @@ static bool SOSCircleHasUpdatedPeerInfoWithOctagonKey(SOSCircleRef oldCircle, SO if (me && SOSCircleHasActivePeer(oldCircle, me, NULL) && !SOSCircleHasPeer(newCircle, me, NULL)) { // Don't destroy evidence of other code determining reason for leaving. if(![self hasLeft]) self.departureCode = kSOSMembershipRevoked; - secnotice("account", "Member of old circle but not of new circle"); + secnotice("circleOps", "Member of old circle but not of new circle (%d)", self.departureCode); debugDumpCircle(CFSTR("oldCircle"), oldCircle); debugDumpCircle(CFSTR("newCircle"), newCircle); } @@ -451,6 +461,7 @@ static bool SOSCircleHasUpdatedPeerInfoWithOctagonKey(SOSCircleRef oldCircle, SO SOSCircleRequestReadmission(newCircle, account.accountKey, me, NULL); writeUpdate = true; } + CFReleaseNull(reject); } CFRetainSafe(oldCircle); @@ -484,6 +495,7 @@ static bool SOSCircleHasUpdatedPeerInfoWithOctagonKey(SOSCircleRef oldCircle, SO if (writeUpdate) circleToPush = newCircle; + secnotice("circleop", "Setting key_interests_need_updating to true in handleUpdateCircle"); account.key_interests_need_updating = true; } @@ -517,7 +529,7 @@ static bool SOSCircleHasUpdatedPeerInfoWithOctagonKey(SOSCircleRef oldCircle, SO //posting new circle to peers success &= [circleTransport postCircle:SOSCircleGetName(circleToPush) circleData:circle_data err:error]; //cleanup old KVS keys - SOSAccountCleanupAllKVSKeys(account, error); + (void) SOSAccountCleanupAllKVSKeys(account, NULL); } else { success = false; } @@ -526,6 +538,11 @@ static bool SOSCircleHasUpdatedPeerInfoWithOctagonKey(SOSCircleRef oldCircle, SO CFReleaseSafe(newCircle); CFReleaseNull(emptyCircle); + // There are errors collected above that are soft (worked around) + if(success && error && *error) { + CFReleaseNull(*error); + } + return success; } 
@@ -601,7 +618,7 @@ fail: -(bool) leaveCircle:(SOSAccount*)account err:(CFErrorRef*) error { bool result = true; - secnotice("leaveCircle", "Leaving circle by client request"); + secnotice("circleOps", "Leaving circle by client request"); result &= [self modifyCircle:account.circle_transport err:error action:^(SOSCircleRef circle) { return sosAccountLeaveCircle(account, circle, error); }]; diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrustClassic+Expansion.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrustClassic+Expansion.m index 08ce8cc4..f59341ab 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrustClassic+Expansion.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrustClassic+Expansion.m @@ -25,18 +25,6 @@ typedef enum { } ringAction_t; #if !defined(NDEBUG) -static const char *concordstring[] = { - "kSOSConcordanceTrusted", - "kSOSConcordanceGenOld", // kSOSErrorReplay - "kSOSConcordanceNoUserSig", // kSOSErrorBadSignature - "kSOSConcordanceNoUserKey", // kSOSErrorNoKey - "kSOSConcordanceNoPeer", // kSOSErrorPeerNotFound - "kSOSConcordanceBadUserSig", // kSOSErrorBadSignature - "kSOSConcordanceBadPeerSig", // kSOSErrorBadSignature - "kSOSConcordanceNoPeerSig", - "kSOSConcordanceWeSigned", -}; - static const char * __unused actionstring[] = { "accept", "countersign", "leave", "revert", "modify", "ignore", }; @@ -222,7 +210,7 @@ errOut: self.fullPeerInfo = nil; self.departureCode = kSOSWithdrewMembership; - secnotice("resetToEmpty", "Reset Circle to empty by client request"); + secnotice("circleOps", "Reset Circle to empty by client request"); result &= [self modifyCircle:circleTransport err:error action:^bool(SOSCircleRef circle) { result = SOSCircleResetToEmpty(circle, error); 
@@ -401,7 +389,8 @@ static bool SOSAccountBackupSliceKeyBagNeedsFix(SOSAccount* account, SOSBackupSl (void)concStr; - secdebug("ringSigning", "Decided on action [%s] based on concordance state [%s] and [%s] circle.", actionstring[ringAction], concordstring[concstat], userTrustedoldRing ? "trusted" : "untrusted"); + secdebug("ringSigning", "Decided on action [%s] based on concordance state [%@] and [%s] circle.", + actionstring[ringAction], concStr, userTrustedoldRing ? "trusted" : "untrusted"); SOSRingRef ringToPush = NULL; bool iWasInOldRing = peerID && SOSRingHasPeerID(oldRing, peerID); @@ -519,6 +508,7 @@ static bool SOSAccountBackupSliceKeyBagNeedsFix(SOSAccount* account, SOSBackupSl if (writeUpdate) ringToPush = newRing; + secnotice("circleop", "Setting account.key_interests_need_updating to true in handleUpdateRing"); account.key_interests_need_updating = true; } @@ -594,6 +584,7 @@ errOut: CFReleaseNull(ring); retval = SOSAccountUpdateRing(account, newring, error); errOut: + CFReleaseNull(ring); CFReleaseNull(newring); return retval; } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrustClassic+Identity.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrustClassic+Identity.h index 9f06f2a2..e7e78c2f 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrustClassic+Identity.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrustClassic+Identity.h @@ -16,7 +16,7 @@ -(SOSFullPeerInfoRef) getMyFullPeerInfo; -(bool) fullPeerInfoVerify:(SecKeyRef) privKey err:(CFErrorRef *)error; -(bool) hasFullPeerInfo:(CFErrorRef*) error; --(SOSFullPeerInfoRef) CopyAccountIdentityPeerInfo; +-(SOSFullPeerInfoRef) CopyAccountIdentityPeerInfo CF_RETURNS_RETAINED; -(bool) ensureFullPeerAvailable:(CFDictionaryRef)gestalt deviceID:(CFStringRef)deviceID backupKey:(CFDataRef)backup err:(CFErrorRef *) error; -(bool) isMyPeerActive:(CFErrorRef*) error; -(void) purgeIdentity; 
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrustClassic+Identity.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrustClassic+Identity.m index 6c8a90fe..1d22def5 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrustClassic+Identity.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrustClassic+Identity.m @@ -1,4 +1,4 @@ - // +// // SOSAccountTrustClassicIdentity.m // Security // @@ -10,11 +10,20 @@ #import "Security/SecureObjectSync/SOSAccountTrustClassic+Expansion.h" #import "Security/SecureObjectSync/SOSAccountTrustClassic+Identity.h" #import "Security/SecureObjectSync/SOSAccountTrustClassic+Circle.h" +#if __OBJC2__ +#import "Analytics/Clients/SOSAnalytics.h" +#endif // __OBJC2__ #import "Security/SecureObjectSync/SOSViews.h" @implementation SOSAccountTrustClassic (Identity) +-(bool)isLockedError:(NSError *)error { + return error && + ([error.domain isEqualToString:(__bridge NSString*)kSecErrorDomain]) + && error.code == errSecInteractionNotAllowed; +} + -(bool) updateFullPeerInfo:(SOSAccount*)account minimum:(CFSetRef)minimumViews excluded:(CFSetRef)excludedViews { if (self.trustedCircle && self.fullPeerInfo) { 
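Review bot: The new `isLockedError:` matches only errors whose domain is `kSecErrorDomain`, while the Octagon key lookup added further down in this file tests `errSecItemNotFound`, `errSecDecode` and `errSecParam` against `kCFErrorDomainOSStatus`. If `SOSFullPeerInfoCopyOctagonSigningKey` reports a locked keychain in that same OSStatus domain (not visible here), the predicate never matches and the locked case is logged as an error like any other failure. Either accept both domains, or add a comment naming the producer, e.g. `// locked-keychain errors from <producer> use kSecErrorDomain, not kCFErrorDomainOSStatus`.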
@@ -62,80 +71,150 @@ return SOSFullPeerInfoCopyFullPeerInfo(self.fullPeerInfo); } -- (SecKeyRef)randomPermanentFullECKey:(int)keysize name:(NSString *)name error:(CFErrorRef*)cferror +- (SecKeyRef)randomPermanentFullECKey:(int)keysize name:(NSString *)name error:(CFErrorRef*)cferror CF_RETURNS_RETAINED { return GeneratePermanentFullECKey(keysize, (__bridge CFStringRef)name, cferror); } +// Check that cached values of what is in keychain with what we have in the peer info, +// if they ware the same, we could read the items while this process was alive, assume +// all is swell. +#if OCTAGON +- (bool)haveConfirmedOctagonKeys +{ + bool haveSigningKey = false; + bool haveEncryptionKey = false; + + SecKeyRef signingKey = SOSFullPeerInfoCopyOctagonPublicSigningKey(self.fullPeerInfo, NULL); + if (self.cachedOctagonSigningKey && CFEqualSafe(signingKey, self.cachedOctagonSigningKey)) { + haveSigningKey = true; + } else { + secerror("circleChange: No extant octagon signing key"); + } + + SecKeyRef encrytionKey = SOSFullPeerInfoCopyOctagonPublicEncryptionKey(self.fullPeerInfo, NULL); + if (self.cachedOctagonEncryptionKey && CFEqualSafe(encrytionKey, self.cachedOctagonEncryptionKey)) { + haveEncryptionKey = true; + } else { + secerror("circleChange: No extant octagon encryption key"); + } + + CFReleaseNull(signingKey); + CFReleaseNull(encrytionKey); + + return haveSigningKey && haveEncryptionKey; +} +#endif + - (void)ensureOctagonPeerKeys:(SOSKVSCircleStorageTransport*)circleTransport { +#if OCTAGON NSString* octagonKeyName; - SecKeyRef publicKey; + SecKeyRef octagonSigningFullKey = NULL; + SecKeyRef octagonEncryptionFullKey = NULL; - if (SOSFullPeerInfoHaveOctagonKeys(self.fullPeerInfo)) { + // check if we already confirmed the keys + if ([self haveConfirmedOctagonKeys]) { return; } bool changedSelf = false; CFErrorRef copyError = NULL; - publicKey = SOSFullPeerInfoCopyOctagonSigningKey(self.fullPeerInfo, ©Error); - if(copyError) { + octagonSigningFullKey = 
SOSFullPeerInfoCopyOctagonSigningKey(self.fullPeerInfo, ©Error); + if(copyError && ![self isLockedError:(__bridge NSError *)copyError]) { secerror("circleChange: Error fetching Octagon signing key: %@", copyError); - CFReleaseNull(copyError); } - if (publicKey == NULL) { + // Cache that public key we found, to so that we don't need to make the roundtrip though + // keychain to get them item, if we don't find a key, try to create a new key if the error + // is specifically "couldn't find key", "couldn't read key", or "something went very very wrong". + // Otherwise, log a fatal error. + + if (octagonSigningFullKey) { + secnotice("circleChange", "Already have Octagon signing key"); + CFReleaseNull(self->_cachedOctagonSigningKey); + _cachedOctagonSigningKey = SecKeyCopyPublicKey(octagonSigningFullKey); + } else if (octagonSigningFullKey == NULL && copyError && + ((CFEqualSafe(CFErrorGetDomain(copyError), kCFErrorDomainOSStatus) && CFErrorGetCode(copyError) == errSecItemNotFound) || + (CFEqualSafe(CFErrorGetDomain(copyError), kCFErrorDomainOSStatus) && CFErrorGetCode(copyError) == errSecDecode) || + (CFEqualSafe(CFErrorGetDomain(copyError), kCFErrorDomainOSStatus) && CFErrorGetCode(copyError) == errSecParam))) + { octagonKeyName = [NSString stringWithFormat:@"Octagon Peer Signing ID for %@", SOSCircleGetName(self.trustedCircle)]; CFErrorRef cferror = NULL; - SecKeyRef octagonSigningFullKey = [self randomPermanentFullECKey:384 name:octagonKeyName error:&cferror]; + octagonSigningFullKey = [self randomPermanentFullECKey:384 name:octagonKeyName error:&cferror]; if(cferror || !octagonSigningFullKey) { - secerror("circleChange: Error upgrading Octagon signing key: %@", cferror); + secerror("circleChange: Error creating Octagon signing key: %@", cferror); } else { SOSFullPeerInfoUpdateOctagonSigningKey(self.fullPeerInfo, octagonSigningFullKey, &cferror); if(cferror) { secerror("circleChange: Error upgrading Octagon signing key: %@", cferror); + } else { + 
secnotice("circleChange", "Successfully created new Octagon signing key"); } changedSelf = true; } CFReleaseNull(cferror); - CFReleaseNull(octagonSigningFullKey); + } else if((octagonSigningFullKey == NULL || copyError) && ![self isLockedError:(__bridge NSError *)copyError]) { + secerror("error is too scary, not creating new Octagon signing key: %@", copyError); +#if __OBJC2__ + [[SOSAnalytics logger] logResultForEvent:@"SOSCheckOctagonSigningKey" hardFailure:true result:(__bridge NSError*)copyError]; +#endif // __OBJC2__ } - CFReleaseNull(publicKey); CFReleaseNull(copyError); - publicKey = SOSFullPeerInfoCopyOctagonEncryptionKey(self.fullPeerInfo, ©Error); - if(copyError) { + CFReleaseNull(octagonSigningFullKey); + + // Now do the same thing for encryption key + + CFReleaseNull(copyError); + octagonEncryptionFullKey = SOSFullPeerInfoCopyOctagonEncryptionKey(self.fullPeerInfo, ©Error); + if(copyError && ![self isLockedError:(__bridge NSError *)copyError]) { secerror("circleChange: Error fetching Octagon encryption key: %@", copyError); - CFReleaseNull(copyError); } - if (publicKey == NULL) { + if (octagonEncryptionFullKey) { + secnotice("circleChange", "Already have Octagon encryption key"); + CFReleaseNull(self->_cachedOctagonEncryptionKey); + _cachedOctagonEncryptionKey = SecKeyCopyPublicKey(octagonEncryptionFullKey); + } else if (octagonEncryptionFullKey == NULL && copyError && + ((CFEqualSafe(CFErrorGetDomain(copyError), kCFErrorDomainOSStatus) && CFErrorGetCode(copyError) == errSecItemNotFound) || + (CFEqualSafe(CFErrorGetDomain(copyError), kCFErrorDomainOSStatus) && CFErrorGetCode(copyError) == errSecDecode) || + (CFEqualSafe(CFErrorGetDomain(copyError), kCFErrorDomainOSStatus) && CFErrorGetCode(copyError) == errSecParam))) + { octagonKeyName = [NSString stringWithFormat:@"Octagon Peer Encryption ID for %@", SOSCircleGetName(self.trustedCircle)]; CFErrorRef cferror = NULL; - SecKeyRef octagonEncryptionFullKey = [self randomPermanentFullECKey:384 
name:octagonKeyName error:&cferror]; + octagonEncryptionFullKey = [self randomPermanentFullECKey:384 name:octagonKeyName error:&cferror]; if(cferror || !octagonEncryptionFullKey) { - secerror("circleChange: Error upgrading Octagon encryption key: %@", cferror); + secerror("circleChange: Error creating Octagon encryption key: %@", cferror); } else { - SOSFullPeerInfoUpdateOctagonEncryptionKey(self.fullPeerInfo, octagonEncryptionFullKey, &cferror); if(cferror) { secerror("circleChange: Error upgrading Octagon encryption key: %@", cferror); + } else { + secnotice("circleChange", "Successfully created new Octagon encryption key"); } changedSelf = true; } CFReleaseNull(cferror); - CFReleaseNull(octagonEncryptionFullKey); + + } else if((octagonEncryptionFullKey == NULL || copyError) && ![self isLockedError:(__bridge NSError *)copyError]) { + secerror("error is too scary, not creating new Octagon encryption key: %@", copyError); +#if __OBJC2__ + [[SOSAnalytics logger] logResultForEvent:@"SOSCheckOctagonEncryptionKey" hardFailure:true result:(__bridge NSError*)copyError]; +#endif } - CFReleaseNull(publicKey); + CFReleaseNull(copyError); + CFReleaseNull(octagonEncryptionFullKey); if(changedSelf) { [self modifyCircle:circleTransport err:NULL action:^bool (SOSCircleRef circle_to_change) { return SOSCircleUpdatePeerInfo(circle_to_change, SOSFullPeerInfoGetPeerInfo(self.fullPeerInfo)); }]; } +#endif /* OCTAGON */ } -(bool) ensureFullPeerAvailable:(CFDictionaryRef)gestalt deviceID:(CFStringRef)deviceID backupKey:(CFDataRef)backup err:(CFErrorRef *) error 
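Review bot: In the encryption-key branch of ensureOctagonPeerKeys, the new side as shown no longer calls `SOSFullPeerInfoUpdateOctagonEncryptionKey(self.fullPeerInfo, octagonEncryptionFullKey, &cferror);` after a successful `randomPermanentFullECKey:`, while the signing branch still calls `SOSFullPeerInfoUpdateOctagonSigningKey`. With that call gone, `cferror` is always NULL at the inner `if(cferror)`, so the code logs "Successfully created new Octagon encryption key" and sets `changedSelf = true`. The freshly generated key is never recorded in the peer info that `modifyCircle:` then publishes. Unless the removal is an artifact of how this diff was rendered, the call should stay in the `else` branch to mirror the signing path.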
@@ -157,12 +236,15 @@ CFSetRef initialViews = SOSViewCopyViewSet(kViewSetInitial); self.fullPeerInfo = nil; - self.fullPeerInfo = SOSFullPeerInfoCreateWithViews(kCFAllocatorDefault, gestalt, backup, initialViews, full_key, octagonSigningFullKey, octagonEncryptionFullKey, error); + + // setting fullPeerInfo takes an extra ref, so... + SOSFullPeerInfoRef fpi = SOSFullPeerInfoCreateWithViews(kCFAllocatorDefault, gestalt, backup, initialViews, full_key, octagonSigningFullKey, octagonEncryptionFullKey, error); + self.fullPeerInfo = fpi; + CFReleaseNull(fpi); CFDictionaryRef v2dictionaryTestUpdates = [self getValueFromExpansion:kSOSTestV2Settings err:NULL]; if(v2dictionaryTestUpdates) SOSFullPeerInfoUpdateV2Dictionary(self.fullPeerInfo, v2dictionaryTestUpdates, NULL); CFReleaseNull(initialViews); - CFReleaseNull(full_key); CFSetRef pendingDefaultViews = SOSViewCopyViewSet(kViewSetDefault); [self pendEnableViewSet:pendingDefaultViews]; diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrustClassic.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrustClassic.h index 28c0cfb7..6b6895bd 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrustClassic.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrustClassic.h @@ -39,7 +39,6 @@ -(SOSViewResultCode) viewStatus:(SOSAccount*)account name:(CFStringRef) viewname err:(CFErrorRef *)error; -(bool) updateViewSets:(SOSAccount*)account enabled:(CFSetRef) origEnabledViews disabled:(CFSetRef) origDisabledViews; -(CFSetRef) copyPeerSetForView:(CFStringRef) viewName; --(void) peerGotInSync:(SOSAccountTransaction*) aTxn peerID:(CFStringRef) peerID views:(CFSetRef) views; //DER -(size_t) getDEREncodedSize:(SOSAccount*)account err:(NSError**)error; diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrustClassic.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrustClassic.m index 7c401525..0fa63766 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrustClassic.m 
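Review bot: `CFReleaseNull(full_key);` is deleted in the `@@ -157,12 +236,15 @@` hunk with no replacement visible, in a commit that otherwise adds missing releases. ensureFullPeerAvailable continues outside the hunk, so the release may simply have moved. It is worth confirming that `full_key` is still released on every exit path, including the one where key generation fails.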
+++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountTrustClassic.m @@ -21,6 +21,7 @@ #include #include #include +#include #include #include @@ -465,13 +466,6 @@ fail: } //Views --(void) peerGotInSync:(SOSAccountTransaction*) aTxn peerID:(CFStringRef) peerID views:(CFSetRef) views -{ - secnotice("initial-sync", "Peer %@ synced views: %@", peerID, views); - if (self.trustedCircle && [self isInCircle:NULL] && SOSCircleHasActivePeerWithID(self.trustedCircle, peerID, NULL)) { - SOSAccountUpdateOutOfSyncViews(aTxn, views); - } -} -(void) removeInvalidApplications:(SOSCircleRef) circle userPublic:(SecKeyRef)userPublic { CFMutableSetRef peersToRemove = CFSetCreateMutableForSOSPeerInfosByID(kCFAllocatorDefault); @@ -495,6 +489,7 @@ fail: require_quiet(SOSFullPeerInfoUpgradeSignatures(cloud_fpi, privKey, NULL), errOut); retval = SOSCircleUpdatePeerInfo(circle, SOSFullPeerInfoGetPeerInfo(cloud_fpi)); errOut: + CFReleaseNull(cloud_fpi); return retval; } const CFStringRef kSOSHsaPreApprovedPeerKeyInfo = CFSTR("HSAPreApprovedPeer"); @@ -523,12 +518,15 @@ const CFStringRef kSOSHsaPreApprovedPeerKeyInfo = CFSTR("HSAPreApprovedPeer"); CFReleaseNull(cloud_peer); if(!cloud_identity) return result; - if(!SOSCircleRequestAdmission(circle, userKey, cloud_identity, error)) + if(!SOSCircleRequestAdmission(circle, userKey, cloud_identity, error)) { + CFReleaseNull(cloud_identity); return result; + } require_quiet(SOSCircleAcceptRequest(circle, userKey, self.fullPeerInfo, SOSFullPeerInfoGetPeerInfo(cloud_identity), error), err_out); result = true; err_out: + CFReleaseNull(cloud_identity); return result; } -(bool) addEscrowToPeerInfo:(SOSFullPeerInfoRef) myPeer err:(CFErrorRef *)error 
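Review bot: The early-return block added in the `@@ -523,12 +518,15 @@` hunk duplicates the `CFReleaseNull(cloud_identity)` that the same hunk adds under `err_out:`. Routing the failure through the label, `require_quiet(SOSCircleRequestAdmission(circle, userKey, cloud_identity, error), err_out);`, matches the `require_quiet` on the following line. It also keeps a single release site, so a later exit path cannot miss it. The method starts outside the hunk.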
@@ -643,8 +641,10 @@ static uint8_t* der_encode_data_optional(CFDataRef data, CFErrorRef *error, SOSAccount* account = txn.account; // Kick getting our device ID if we don't have it, and find out if we're setup to use IDS. + [account.ids_message_transport SOSTransportMessageIDSGetIDSDeviceID:account]; + bool canUseIDS = [account.ids_message_transport SOSTransportMessageIDSGetIDSDeviceID:account]; - + if(![self isInCircle:error]) { handledPeerIDs = CFSetCreateMutableCopy(kCFAllocatorDefault, 0, peerIDs); @@ -680,7 +680,7 @@ static uint8_t* der_encode_data_optional(CFDataRef data, CFErrorRef *error, peerInfo = SOSCircleCopyPeerWithID(self.trustedCircle, peerID, NULL); if (peerInfo && SOSCircleHasValidSyncingPeer(self.trustedCircle, peerInfo, account.accountKey, NULL)) { - if (canUseIDS && SOSPeerInfoShouldUseIDSTransport(myPeerInfo, peerInfo)) { + if (ENABLE_IDS && canUseIDS && SOSPeerInfoShouldUseIDSTransport(myPeerInfo, peerInfo)) { CFSetAddValue(peersForIDS, peerID); } else { CFSetAddValue(peersForKVS, peerID); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountUpdate.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountUpdate.m index 9978c662..d5ac122f 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountUpdate.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSAccountUpdate.m @@ -275,7 +275,7 @@ CFDictionaryRef SOSAccountHandleRetirementMessages(SOSAccount* account, CFDictio if(!trust.trustedCircle) // We don't fail, we intentionally handle nothing. return CFDictionaryCreateForCFTypes(kCFAllocatorDefault, NULL); - CFDictionaryRef retirement_dictionary = asDictionary(CFDictionaryGetValue(circle_retirement_messages, circle_name), error); + CFDictionaryRef retirement_dictionary = asDictionary(CFDictionaryGetValue(circle_retirement_messages, circle_name), NULL); if(!retirement_dictionary) return CFDictionaryCreateForCFTypes(kCFAllocatorDefault, NULL); 
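Review bot: `[account.ids_message_transport SOSTransportMessageIDSGetIDSDeviceID:account]` is now sent twice in a row in the `@@ -643,8 +641,10 @@` hunk: the added bare call discards its result and the existing line immediately repeats it to set `canUseIDS`. If the extra call is meant to start device-ID retrieval even when `ENABLE_IDS` (added in the next hunk) is false, a comment should say so, e.g. `// kick device-ID fetch regardless of ENABLE_IDS; result is read below`. Otherwise the added line can be dropped. The enclosing method starts and ends outside both hunks.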
@@ -312,7 +312,7 @@ CFDictionaryRef SOSAccountHandleRetirementMessages(SOSAccount* account, CFDictio static SOSCircleRef SOSAccountCreateCircleFrom(CFStringRef circleName, CFTypeRef value, CFErrorRef *error) { if (value && !isData(value) && !isNull(value)) { - secnotice("circleCreat", "Value provided not appropriate for a circle"); + secnotice("circleOps", "Value provided not appropriate for a circle"); CFStringRef description = CFCopyTypeIDDescription(CFGetTypeID(value)); SOSCreateErrorWithFormat(kSOSErrorUnexpectedType, NULL, error, NULL, CFSTR("Expected data or NULL got %@"), description); @@ -322,20 +322,20 @@ static SOSCircleRef SOSAccountCreateCircleFrom(CFStringRef circleName, CFTypeRef SOSCircleRef circle = NULL; if (!value || isNull(value)) { - secnotice("circleCreat", "No circle found in data: %@", value); + secnotice("circleOps", "No circle found in data: %@", value); circle = NULL; } else { circle = SOSCircleCreateFromData(NULL, (CFDataRef) value, error); if (circle) { CFStringRef name = SOSCircleGetName(circle); if (!CFEqualSafe(name, circleName)) { - secnotice("circleCreat", "Expected circle named %@, got %@", circleName, name); + secnotice("circleOps", "Expected circle named %@, got %@", circleName, name); SOSCreateErrorWithFormat(kSOSErrorNameMismatch, NULL, error, NULL, CFSTR("Expected circle named %@, got %@"), circleName, name); CFReleaseNull(circle); } } else { - secnotice("circleCreat", "SOSCircleCreateFromData returned NULL."); + secnotice("circleOps", "SOSCircleCreateFromData returned NULL."); } } return circle; 
@@ -379,27 +379,27 @@ bool SOSAccountHandleParametersChange(SOSAccount* account, CFDataRef parameters, if(SOSAccountRetrieveCloudParameters(account, &newKey, parameters, &newParameters, error)) { debugDumpUserParameters(CFSTR("SOSAccountHandleParametersChange got new user key parameters:"), parameters); - secnotice("keygen", "SOSAccountHandleParametersChange got new public key: %@", newKey); + secnotice("circleOps", "SOSAccountHandleParametersChange got new public key: %@", newKey); if (CFEqualSafe(account.accountKey, newKey)) { - secnotice("updates", "Got same public key sent our way. Ignoring."); + secnotice("circleOps", "Got same public key sent our way. Ignoring."); success = true; } else if (CFEqualSafe(account.previousAccountKey, newKey)) { - secnotice("updates", "Got previous public key repeated. Ignoring."); + secnotice("circleOps", "Got previous public key repeated. Ignoring."); success = true; } else { SOSAccountSetUnTrustedUserPublicKey(account, newKey); + CFReleaseNull(newKey); SOSAccountSetParameters(account, newParameters); - newKey = NULL; if(SOSAccountRetryUserCredentials(account)) { - secnotice("keygen", "Successfully used cached password with new parameters"); + secnotice("circleOps", "Successfully used cached password with new parameters"); SOSAccountGenerationSignatureUpdate(account, error); } else { - secnotice("keygen", "Got new parameters for public key - could not find or use cached password"); + secnotice("circleOps", "Got new parameters for public key - could not find or use cached password"); SOSAccountPurgePrivateCredential(account); } - + secnotice("circleop", "Setting account.key_interests_need_updating to true in SOSAccountHandleParametersChange"); account.circle_rings_retirements_need_attention = true; account.key_interests_need_updating = true; diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSBackupSliceKeyBag.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSBackupSliceKeyBag.h index 0376e096..1b9a40c5 100644 
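Review bot: Replacing `newKey = NULL;` with `CFReleaseNull(newKey);` right after `SOSAccountSetUnTrustedUserPublicKey(account, newKey)` is only correct if that setter retains its argument, and the setter is not visible here. If it still stores the pointer without retaining, the account is left holding a released SecKeyRef. A one-line comment at the call, `// setter retains newKey; drop our reference`, would record the ownership rule this release depends on. SOSAccountHandleParametersChange continues outside the hunk.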
--- a/OSX/sec/SOSCircle/SecureObjectSync/SOSBackupSliceKeyBag.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSBackupSliceKeyBag.h @@ -39,8 +39,6 @@ typedef int32_t bskb_keybag_handle_t; typedef struct CF_BRIDGED_TYPE(id) __OpaqueSOSBackupSliceKeyBag *SOSBackupSliceKeyBagRef; -CFTypeRef SOSBackupSliceKeyBageGetTypeID(void); - SOSBackupSliceKeyBagRef SOSBackupSliceKeyBagCreate(CFAllocatorRef allocator, CFSetRef peers, CFErrorRef* error); SOSBackupSliceKeyBagRef SOSBackupSliceKeyBagCreateDirect(CFAllocatorRef allocator, CFDataRef aks_bag, CFErrorRef *error); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSCircle.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSCircle.c index 98b3db56..8df24f6d 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSCircle.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSCircle.c @@ -449,8 +449,9 @@ errOut: static bool SOSCircleGenerationSign_Internal(SOSCircleRef circle, SecKeyRef userKey, SOSFullPeerInfoRef fpi, CFErrorRef *error) { // require_quiet(SOSCircleEnsureRingConsistency(circle, error), fail); Placeholder - this was never implemented bool retval = false; + SecKeyRef ourKey = NULL; if (SOSCircleCountPeers(circle) != 0) { - SecKeyRef ourKey = SOSFullPeerInfoCopyDeviceKey(fpi, error); + ourKey = SOSFullPeerInfoCopyDeviceKey(fpi, error); require_quiet(ourKey, errOut); // Check if we're using an invalid peerinfo for this op. There are cases where we might not be "upgraded". @@ -463,6 +464,7 @@ static bool SOSCircleGenerationSign_Internal(SOSCircleRef circle, SecKeyRef user retval = true; errOut: + CFReleaseNull(ourKey); return retval; } @@ -1260,7 +1262,7 @@ void SOSCircleForEachiCloudIdentityPeer(SOSCircleRef circle, void (^action)(SOSP SOSCircleForEachPeerMatching(circle, action, ^bool(SOSPeerInfoRef peer) { return SOSPeerInfoIsCloudIdentity(peer); }); -} +} void SOSCircleForEachActivePeer(SOSCircleRef circle, void (^action)(SOSPeerInfoRef peer)) { 
@@ -1433,20 +1435,20 @@ bool SOSCircleAcceptPeerFromHSA2(SOSCircleRef circle, SecKeyRef userKey, SOSGenC // Gen sign first, then add signature from our approver - remember gensign removes all existing sigs. res = SOSCircleGenerationSignWithGenCount(circle, userKey, fpi, gencount, error); if (!res) { - secnotice("circleJoin", "Failed to regenerate circle with new gen count: %@", error ? *error : NULL); + secnotice("circleOps", "Failed to regenerate circle with new gen count: %@", error ? *error : NULL); return res; } res = SOSCircleSetSignature(circle, pPubKey, signature, error); if (!res) { - secnotice("circleJoin", "Failed to set signature: %@", error ? *error : NULL); + secnotice("circleOps", "Failed to set signature: %@", error ? *error : NULL); return res; } res = SOSCircleVerify(circle, pPubKey, error); if (!res) { - secnotice("circleJoin", "Circle failed to validate after peer signature: %@", error ? *error : NULL); + secnotice("circleOps", "Circle failed to validate after peer signature: %@", error ? *error : NULL); return res; } - secnotice("circleJoin", "Circle accepted successfullyed"); + secnotice("circleOps", "Circle accepted successfully"); return true; } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSCircle.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSCircle.h index e43c0adb..9de6fb18 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSCircle.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSCircle.h @@ -44,7 +44,7 @@ __BEGIN_DECLS typedef struct __OpaqueSOSCircle *SOSCircleRef; -CFTypeID SOSCircleGetTypeID(); +CFTypeID SOSCircleGetTypeID(void); SOSCircleRef SOSCircleCreate(CFAllocatorRef allocator, CFStringRef circleName, CFErrorRef *error); SOSCircleRef SOSCircleCreateFromDER(CFAllocatorRef allocator, CFErrorRef* error, 
@@ -150,7 +150,7 @@ bool SOSCircleAcceptRequests(SOSCircleRef circle, SecKeyRef user_privkey, SOSFul // Stuff above this line is really SOSCircleInfo below the line is the active SOSCircle functionality -SOSFullPeerInfoRef SOSCircleCopyiCloudFullPeerInfoRef(SOSCircleRef circle, CFErrorRef *error); +CF_RETURNS_RETAINED SOSFullPeerInfoRef SOSCircleCopyiCloudFullPeerInfoRef(SOSCircleRef circle, CFErrorRef *error); bool SOSCircleConcordanceSign(SOSCircleRef circle, SOSFullPeerInfoRef peerinfo, CFErrorRef *error); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.h index ed513c96..ba1ecd99 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.h @@ -129,6 +129,11 @@ bool SOSCCSetUserCredentialsAndDSID(CFStringRef user_label, CFDataRef user_passw bool SOSCCTryUserCredentials(CFStringRef user_label, CFDataRef user_password, CFErrorRef* error); +/*! + This variant adds the dsid to the call + */ + +bool SOSCCTryUserCredentialsAndDSID(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error); /*! @function SOSCCCopyDeviceID @abstract Retrieves this device's IDS device ID diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.m index 824a84b4..1e006242 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.m @@ -365,7 +365,7 @@ static int simple_int_error_request(enum SecXPCOperation op, CFErrorRef* error) return result; } -static SOSPeerInfoRef peer_info_error_request(enum SecXPCOperation op, CFErrorRef* error) +static CF_RETURNS_RETAINED SOSPeerInfoRef peer_info_error_request(enum SecXPCOperation op, CFErrorRef* error) { SOSPeerInfoRef result = NULL; __block CFDataRef data = NULL; 
@@ -559,11 +559,11 @@ static bool cfstring_and_cfdata_to_cfdata_cfdata_error_request(enum SecXPCOperat result = xpc_dictionary_get_bool(response, kSecXPCKeyResult); xpc_object_t temp_result = xpc_dictionary_get_value(response, kSecXPCData); - if (response && (NULL != temp_result) && data) { + if ((NULL != temp_result) && data) { *data = _CFXPCCreateCFObjectFromXPCObject(temp_result); } temp_result = xpc_dictionary_get_value(response, kSecXPCKeyKeybag); - if (response && (NULL != temp_result) && data2) { + if ((NULL != temp_result) && data2) { *data2 = _CFXPCCreateCFObjectFromXPCObject(temp_result); } @@ -1075,8 +1075,11 @@ static CF_RETURNS_RETAINED SOSPeerInfoRef SOSSetNewPublicBackupKey(CFDataRef pub } SOSPeerInfoRef SOSCCCopyMyPeerWithNewDeviceRecoverySecret(CFDataRef secret, CFErrorRef *error){ + secnotice("devRecovery", "Enter SOSCCCopyMyPeerWithNewDeviceRecoverySecret()"); CFDataRef publicKeyData = SOSCopyDeviceBackupPublicKey(secret, error); + secnotice("devRecovery", "SOSCopyDeviceBackupPublicKey (%@)", publicKeyData); SOSPeerInfoRef copiedPeer = publicKeyData ? SOSSetNewPublicBackupKey(publicKeyData, error) : NULL; + secnotice("devRecovery", "SOSSetNewPublicBackupKey (%@)", copiedPeer); CFReleaseNull(publicKeyData); return copiedPeer; } 
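Review bot: The three `secnotice("devRecovery", …)` lines added to SOSCCCopyMyPeerWithNewDeviceRecoverySecret in the `@@ -1075,8 +1075,11 @@` hunk format `publicKeyData` and `copiedPeer` with `%@`. That writes the backup public key derived from the device recovery secret, and the resulting peer description, to the log on every call. It is the public half, but logging only whether each step succeeded gives the same diagnostic with less key-derived material in logs, e.g. `secnotice("devRecovery", "SOSCopyDeviceBackupPublicKey %s", publicKeyData ? "succeeded" : "failed");`. How `secnotice` redacts `%@` arguments is not visible on this page.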
@@ -1228,13 +1231,13 @@ static bool idscommand_to_bool_error_request(enum SecXPCOperation op, bool SOSCCRegisterUserCredentials(CFStringRef user_label, CFDataRef user_password, CFErrorRef* error) { - secnotice("sosops", "SOSCCRegisterUserCredentials - calling SOSCCSetUserCredentials!! %@\n", user_label); + secnotice("circleOps", "SOSCCRegisterUserCredentials - calling SOSCCSetUserCredentials for %@\n", user_label); return SOSCCSetUserCredentials(user_label, user_password, error); } bool SOSCCSetUserCredentials(CFStringRef user_label, CFDataRef user_password, CFErrorRef* error) { - secnotice("sosops", "SOSCCSetUserCredentials!! %@\n", user_label); + secnotice("circleOps", "SOSCCSetUserCredentials for %@\n", user_label); sec_trace_enter_api(CFSTR("user_label=%@"), user_label); sec_trace_return_bool_api(^{ do_if_registered(soscc_SetUserCredentials, user_label, user_password, error); @@ -1245,7 +1248,7 @@ bool SOSCCSetUserCredentials(CFStringRef user_label, CFDataRef user_password, CF bool SOSCCSetUserCredentialsAndDSID(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error) { - secnotice("sosops", "SOSCCSetUserCredentialsAndDSID!! %@\n", user_label); + secnotice("circleOps", "SOSCCSetUserCredentialsAndDSID for %@\n", user_label); sec_trace_enter_api(CFSTR("user_label=%@"), user_label); sec_trace_return_bool_api(^{ do_if_registered(soscc_SetUserCredentialsAndDSID, user_label, user_password, dsid, error); @@ -1265,6 +1268,8 @@ bool SOSCCSetUserCredentialsAndDSID(CFStringRef user_label, CFDataRef user_passw }, NULL) } + + bool SOSCCSetDeviceID(CFStringRef IDS, CFErrorRef* error) { secnotice("sosops", "SOSCCSetDeviceID!! %@\n", IDS); 
@@ -1347,14 +1352,41 @@ bool SOSCCRequestSyncWithPeerOverKVS(CFStringRef peerID, CFDataRef message, CFEr }, NULL) } -bool SOSCCTryUserCredentials(CFStringRef user_label, CFDataRef user_password, CFErrorRef* error) -{ - sec_trace_enter_api(CFSTR("user_label=%@"), user_label); +static bool SOSCCTryUserCredentialsAndDSID_internal(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error) { sec_trace_return_bool_api(^{ - do_if_registered(soscc_TryUserCredentials, user_label, user_password, error); - - return label_and_password_to_bool_error_request(kSecXPCOpTryUserCredentials, user_label, user_password, error); + do_if_registered(soscc_TryUserCredentials, user_label, user_password, dsid, error); + + bool result = false; + __block CFStringRef account_dsid = dsid; + + require_action_quiet(user_label, out, SOSErrorCreate(kSOSErrorParam, error, NULL, CFSTR("user_label is nil"))); + require_action_quiet(user_password, out, SOSErrorCreate(kSOSErrorParam, error, NULL, CFSTR("user_password is nil"))); + + if(account_dsid == NULL){ + account_dsid = CFSTR(""); + } + + return label_and_password_and_dsid_to_bool_error_request(kSecXPCOpTryUserCredentials, user_label, user_password, account_dsid, error); + out: + return result; + }, NULL) + +} + +bool SOSCCTryUserCredentialsAndDSID(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error) +{ + secnotice("sosops", "SOSCCTryUserCredentialsAndDSID!! %@\n", user_label); + require_action_quiet(user_label, out, SOSErrorCreate(kSOSErrorParam, error, NULL, CFSTR("user_label is nil"))); + require_action_quiet(user_password, out, SOSErrorCreate(kSOSErrorParam, error, NULL, CFSTR("user_password is nil"))); + CFStringRef account_dsid = (dsid != NULL) ? 
dsid: CFSTR(""); + return SOSCCTryUserCredentialsAndDSID_internal(user_label, user_password, account_dsid, error); +out: + return false; +} + +bool SOSCCTryUserCredentials(CFStringRef user_label, CFDataRef user_password, CFErrorRef* error) { + return SOSCCTryUserCredentialsAndDSID_internal(user_label, user_password, NULL, error); } @@ -1829,18 +1861,15 @@ bool SOSCCSendToPeerIsPending(SOSPeerInfoRef peer, CFErrorRef *error) { @implementation SecSOSStatus @synthesize connection = _connection; -- (instancetype) initWithEndpoint:(xpc_endpoint_t)endpoint +- (instancetype) init { if ((self = [super init]) == NULL) return NULL; NSXPCInterface *interface = [NSXPCInterface interfaceWithProtocol:@protocol(SOSControlProtocol)]; _SOSControlSetupInterface(interface); - NSXPCListenerEndpoint *listenerEndpoint = [[NSXPCListenerEndpoint alloc] init]; - - [listenerEndpoint _setEndpoint:endpoint]; - self.connection = [[NSXPCConnection alloc] initWithListenerEndpoint:listenerEndpoint]; + self.connection = [[NSXPCConnection alloc] initWithMachServiceName:@(kSecuritydSOSServiceName) options:0]; if (self.connection == NULL) return NULL; @@ -1862,11 +1891,7 @@ SOSCCGetStatusObject(CFErrorRef *error) static SecSOSStatus *control; static dispatch_once_t onceToken; dispatch_once(&onceToken, ^{ - xpc_endpoint_t endpoint = _SecSecuritydCopySOSStatusEndpoint(error); - if (endpoint == NULL) - return; - - control = [[SecSOSStatus alloc] initWithEndpoint:endpoint]; + control = [[SecSOSStatus alloc] init]; }); return control.connection.remoteObjectProxy; } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircleInternal.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircleInternal.h index c901d102..5a0e01f0 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircleInternal.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircleInternal.h 
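Review bot: In SOSCCTryUserCredentialsAndDSID_internal (the `@@ -1347,14 +1352,41 @@` hunk) the nil checks on `user_label` and `user_password` run after `do_if_registered(soscc_TryUserCredentials, …)`, so an in-process registered handler receives the arguments unchecked. SOSCCTryUserCredentials calls the internal function directly and therefore has no validation on that path; whether the registered handler checks them itself is not visible here. Moving the two `require_action_quiet` lines above `do_if_registered` covers both entry points. The `__block` on `account_dsid` is unnecessary because the variable is declared and assigned inside the block, and the empty-string default is applied twice for the DSID variant.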
@@ -149,8 +149,6 @@ CFDictionaryRef SOSCCCopyBackupInformation(CFErrorRef *error); bool SOSCCRequestSyncWithPeerOverKVSUsingIDOnly(CFStringRef peerID, CFErrorRef *error); bool SOSCCTestPopulateKVSWithBadKeys(CFErrorRef *error); CFDataRef SOSCCCopyInitialSyncData(CFErrorRef *error); - -char *SOSCCSysdiagnose(const char *directoryname); void SOSCCForEachEngineStateAsStringFromArray(CFArrayRef states, void (^block)(CFStringRef oneStateString)); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSControlServer.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSControlServer.h new file mode 100644 index 00000000..e1c217af --- /dev/null +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSControlServer.h @@ -0,0 +1,6 @@ +#ifndef _SOSCONTROLSERVER_H_ +#define _SOSCONTROLSERVER_H_ + +void SOSControlServerInitialize(void); + +#endif /* !_SOSCONTROLSERVER_H_ */ diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSControlServer.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSControlServer.m new file mode 100644 index 00000000..237e7b13 --- /dev/null +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSControlServer.m 
@@ -0,0 +1,184 @@
+#import
+#import
+#import
+#import
+#import "SOSAccount.h"
+#import "SOSControlHelper.h"
+#import "SOSControlServer.h"
+
+@interface SOSControlServer : NSObject
+@end
+
+@interface SOSClient : NSObject
+@property (weak) NSXPCConnection * connection;
+@property (strong) SOSAccount * account;
+
+- (instancetype)initWithConnection:(NSXPCConnection *)connection account:(SOSAccount *)account;
+@end
+
+@implementation SOSControlServer
+
+- (BOOL)listener:(__unused NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection
+{
+ NSNumber *num = [newConnection valueForEntitlement:(__bridge NSString *)kSecEntitlementKeychainCloudCircle];
+ if (![num isKindOfClass:[NSNumber class]] || ![num boolValue]) {
+ secerror("sos: Client pid: %d doesn't have entitlement: %@",
+ [newConnection processIdentifier], kSecEntitlementKeychainCloudCircle);
+ return NO;
+ }
+
+
+ SOSClient *sosClient = [[SOSClient alloc] initWithConnection:newConnection account:(__bridge SOSAccount *)SOSKeychainAccountGetSharedAccount()];
+
+ newConnection.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(SOSControlProtocol)];
+ _SOSControlSetupInterface(newConnection.exportedInterface);
+ newConnection.exportedObject = sosClient;
+
+ [newConnection resume];
+
+ return YES;
+}
+
+@end
+
+@implementation SOSClient
+
+@synthesize account = _account;
+@synthesize connection = _connection;
+
+- (instancetype)initWithConnection:(NSXPCConnection *)connection account:(SOSAccount *)account
+{
+ if ((self = [super init])) {
+ _connection = connection;
+ _account = account;
+ }
+ return self;
+}
+
+- (bool)checkEntitlement:(NSString *)entitlement
+{
+ NSXPCConnection *strongConnection = _connection;
+
+ NSNumber *num = [strongConnection valueForEntitlement:entitlement];
+ if (![num isKindOfClass:[NSNumber class]] || ![num boolValue]) {
+ secerror("sos: Client pid: %d doesn't have entitlement: %@",
+ [strongConnection processIdentifier], entitlement);
+ return false;
+ }
+ return true;
+}
+
+- (void)userPublicKey:(void ((^))(BOOL trusted, NSData *spki, NSError *error))reply
+{
+ [self.account userPublicKey:reply];
+}
+
+- (void)kvsPerformanceCounters:(void(^)(NSDictionary *))reply
+{
+ [self.account kvsPerformanceCounters:reply];
+}
+
+- (void)idsPerformanceCounters:(void(^)(NSDictionary *))reply
+{
+ [self.account idsPerformanceCounters:reply];
+}
+
+- (void)rateLimitingPerformanceCounters:(void(^)(NSDictionary *))reply
+{
+ [self.account rateLimitingPerformanceCounters:reply];
+}
+
+- (void)stashedCredentialPublicKey:(void(^)(NSData *, NSError *error))reply
+{
+ [self.account stashedCredentialPublicKey:reply];
+}
+
+- (void)assertStashedAccountCredential:(void(^)(BOOL result, NSError *error))reply
+{
+ [self.account assertStashedAccountCredential:reply];
+}
+
+- (void)validatedStashedAccountCredential:(void(^)(NSData *credential, NSError *error))complete
+{
+ [self.account validatedStashedAccountCredential:complete];
+}
+
+- (void)stashAccountCredential:(NSData *)credential complete:(void(^)(bool success, NSError *error))complete
+{
+ [self.account stashAccountCredential:credential complete:complete];
+}
+
+- (void)myPeerInfo:(void (^)(NSData *, NSError *))complete
+{
+ [self.account myPeerInfo:complete];
+}
+
+- (void)circleJoiningBlob:(NSData *)applicant complete:(void (^)(NSData *blob, NSError *))complete
+{
+ [self.account circleJoiningBlob:applicant complete:complete];
+}
+
+- (void)joinCircleWithBlob:(NSData *)blob version:(PiggyBackProtocolVersion)version complete:(void (^)(bool success, NSError *))complete
+{
+ [self.account joinCircleWithBlob:blob version:version complete:complete];
+}
+
+- (void)initialSyncCredentials:(uint32_t)flags complete:(void (^)(NSArray *, NSError *))complete
+{
+ if (![self checkEntitlement:(__bridge NSString *)kSecEntitlementKeychainInitialSync]) {
+ complete(@[], [NSError errorWithDomain:(__bridge NSString *)kSOSErrorDomain code:kSOSEntitlementMissing userInfo:NULL]);
+ return;
+ }
+
+ [self.account initialSyncCredentials:flags complete:complete];
+}
+
+- (void)importInitialSyncCredentials:(NSArray *)items complete:(void (^)(bool success, NSError *))complete
+{
+ if (![self checkEntitlement:(__bridge NSString *)kSecEntitlementKeychainInitialSync]) {
+ complete(false, [NSError errorWithDomain:(__bridge NSString *)kSOSErrorDomain code:kSOSEntitlementMissing userInfo:NULL]);
+ return;
+ }
+
+ [self.account importInitialSyncCredentials:items complete:complete];
+}
+
+- (void)triggerSync:(NSArray *)peers complete:(void(^)(bool success, NSError *))complete
+{
+ if (![self checkEntitlement:(__bridge NSString *)kSecEntitlementKeychainCloudCircle]) {
+ complete(false, [NSError errorWithDomain:(__bridge NSString *)kSOSErrorDomain code:kSOSEntitlementMissing userInfo:NULL]);
+ return;
+ }
+
+ [self.account triggerSync:peers complete:complete];
+}
+
+- (void)getWatchdogParameters:(void (^)(NSDictionary* parameters, NSError* error))complete
+{
+ [self.account getWatchdogParameters:complete];
+}
+
+- (void)setWatchdogParmeters:(NSDictionary*)parameters complete:(void (^)(NSError* error))complete
+{
+ [self.account setWatchdogParmeters:parameters complete:complete];
+}
+
+@end
+
+void
+SOSControlServerInitialize(void)
+{
+ static dispatch_once_t once;
+ static SOSControlServer *server;
+ static NSXPCListener *listener;
+
+ dispatch_once(&once, ^{
+ @autoreleasepool {
+ server = [SOSControlServer new];
+
+ listener = [[NSXPCListener alloc] initWithMachServiceName:@(kSecuritydSOSServiceName)];
+ listener.delegate = server;
+ [listener resume];
+ }
+ });
+}
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.c
index 733795d6..0730e7f9 100644
--- a/OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.c
+++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.c
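Review bot: SOSClient re-checks an entitlement only in initialSyncCredentials, importInitialSyncCredentials and triggerSync. `stashAccountCredential:complete:`, `validatedStashedAccountCredential:` (which hands credential bytes back to the caller), `joinCircleWithBlob:version:complete:` and `setWatchdogParmeters:complete:` rely solely on the connection-level `kSecEntitlementKeychainCloudCircle` gate in `listener:shouldAcceptNewConnection:`. If that is the intended policy, a comment above `@implementation SOSClient` should state it, for instance `// All methods require kSecEntitlementKeychainCloudCircle (checked at accept); initial-sync methods additionally require kSecEntitlementKeychainInitialSync`. Whether SOSAccount enforces anything further is not visible here. Separately, `SOSKeychainAccountGetSharedAccount()` is bridged without a nil check, and a nil `account` would turn every forwarded message into a no-op whose reply block is never called.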
@@ -714,6 +714,7 @@ bool TestSOSEngineLoadCoders(CFTypeRef engine, SOSTransactionRef txn, CFErrorRef static bool SOSEngineLoadCoders(SOSEngineRef engine, SOSTransactionRef txn, CFErrorRef *error) { // Read the serialized engine state from the datasource (aka keychain) and populate the in-memory engine + __block bool needPeerRegistration = false; bool ok = true; CFDataRef derCoders = NULL; CFMutableDictionaryRef codersDict = NULL; 
@@ -721,37 +722,59 @@ static bool SOSEngineLoadCoders(SOSEngineRef engine, SOSTransactionRef txn, CFEr require_quiet(derCoders, xit); codersDict = derStateToDictionaryCopy(derCoders, error); require_quiet(codersDict, xit); + + /* + * Make sure all peer have coders + */ CFDictionaryForEach(engine->peerMap, ^(const void *peerID, const void *peerState) { - if (peerID) { - CFTypeRef coderRef = CFDictionaryGetValue(codersDict, peerID); - if (coderRef) { - CFDataRef coderData = asData(coderRef, NULL); - if (coderData) { - CFErrorRef createError = NULL; - SOSCoderRef coder = SOSCoderCreateFromData(coderData, &createError); - if (coder) { - CFDictionaryAddValue(engine->coders, peerID, coder); - secnotice("coder", "adding coder: %@ for peerid: %@", coder, peerID); - } else { - secnotice("coder", "Coder for '%@' failed to create: %@", peerID, createError); - } - CFReleaseNull(createError); - CFReleaseNull(coder); + /* + * Skip backup peer since they will never have coders + */ + if (isString(peerID) && CFStringHasSuffix(peerID, CFSTR("-tomb"))) { + secnotice("coder", "Skipping coder check for peer: %@", peerID); + return; + } + + CFTypeRef coderRef = CFDictionaryGetValue(codersDict, peerID); + if (coderRef) { + CFDataRef coderData = asData(coderRef, NULL); + if (coderData) { + CFErrorRef createError = NULL; + SOSCoderRef coder = SOSCoderCreateFromData(coderData, &createError); + if (coder) { + CFDictionaryAddValue(engine->coders, peerID, coder); + secnotice("coder", "adding coder: %@ for peerid: %@", coder, peerID); } else { - // Needed a coder, didn't find one, notify the account to help us out. - // Next attempt to sync will fix this - secnotice("coder", "coder for %@ was not cf data: %@", peerID, coderData); - SOSCCEnsurePeerRegistration(); + secnotice("coder", "Coder for '%@' failed to create: %@", peerID, createError); } + CFReleaseNull(createError); + CFReleaseNull(coder); + } else { + // Needed a coder, didn't find one, notify the account to help us out. 
+ // Next attempt to sync will fix this + secnotice("coder", "coder for %@ was not cf data: %@", peerID, coderData); + needPeerRegistration = true; } - else{ - secnotice("coder", "didn't find coder for peer: %@ engine dictionary: %@", peerID, codersDict); - SOSCCEnsurePeerRegistration(); - } - + } else{ + secnotice("coder", "didn't find coder for peer: %@ engine dictionary: %@", peerID, codersDict); + needPeerRegistration = true; } }); + secnotice("coder", "Will force peer registration: %s",needPeerRegistration ? "yes" : "no"); + + if (needPeerRegistration) { + dispatch_queue_t queue = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0); + + dispatch_async(queue, ^{ + CFErrorRef eprError = NULL; + if (!SOSCCProcessEnsurePeerRegistration_Server(&eprError)) { + secnotice("coder", "SOSCCProcessEnsurePeerRegistration failed with: %@", eprError); + } + CFReleaseNull(eprError); + }); + } + engine->haveLoadedCoders = true; xit: @@ -1954,10 +1977,17 @@ bool SOSEngineHandleMessage_locked(SOSEngineRef engine, CFStringRef peerID, SOSM #endif base = SOSPeerCopyManifestForDigest(peer, baseDigest); + + // Note that the sender digest will only exist if we receive a SOSManifestDigestMessageType (since we never receive v2 messages) confirmed = SOSPeerCopyManifestForDigest(peer, SOSMessageGetSenderDigest(message)); if (!confirmed) { if (SOSManifestGetCount(SOSMessageGetRemovals(message)) || SOSManifestGetCount(allAdditions)) { if (base || !baseDigest) { + + secnotice("engine", "SOSEngineHandleMessage_locked (%@): creating a confirmed manifest via a patch (base %zu %@, +%zu, -%zu)", SOSPeerGetID(peer), + SOSManifestGetCount(base), SOSManifestGetDigest(base, NULL), + SOSManifestGetCount(allAdditions), SOSManifestGetCount(SOSMessageGetRemovals(message))); + confirmed = SOSManifestCreateWithPatch(base, SOSMessageGetRemovals(message), allAdditions, error); } if (!confirmed) { 
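Review bot: In the branch of the `@@ -721` hunk that handles a coder entry which is not CFData, the log line prints `coderData`, which is always NULL at that point, so the value that was actually found is never shown. Logging the type is enough and avoids printing the payload: `secnotice("coder", "coder for %@ was not cf data (type id %lu)", peerID, CFGetTypeID(coderRef));`. The "didn't find coder" branch prints the whole `codersDict` at notice level, which appears to put every peer's serialized coder state into the log; `peerID` alone identifies the miss. The rewrite also drops the old `if (peerID)` guard, so `CFDictionaryGetValue(codersDict, peerID)` now relies on `engine->peerMap` never holding a NULL key. SOSEngineLoadCoders begins before this hunk.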
@@ -1968,6 +1998,9 @@ bool SOSEngineHandleMessage_locked(SOSEngineRef engine, CFStringRef peerID, SOSM confirmed = CFRetainSafe(base); secerror("%@:%@ Protocol error send L00 - figure out later base: %@", engine->myID, peerID, base); } + + } else { + secnotice("engine", "SOSEngineHandleMessage_locked (%@): got a confirmed manifest by digest: (%zu, %@)", SOSPeerGetID(peer), SOSManifestGetCount(confirmed), SOSMessageGetSenderDigest(message)); } secnoticeq("engine", "%@:%@ confirmed: %@ base: %@", engine->myID, peerID, confirmed, base); if (confirmed) { 
@@ -1975,13 +2008,27 @@ bool SOSEngineHandleMessage_locked(SOSEngineRef engine, CFStringRef peerID, SOSM if (SOSManifestGetCount(SOSMessageGetRemovals(message))) CFAssignRetained(confirmedRemovals, SOSManifestCreateUnion(confirmedRemovals, SOSMessageGetRemovals(message), error)); } - if (SOSManifestGetCount(confirmedRemovals) || SOSManifestGetCount(confirmedAdditions) || SOSManifestGetCount(unwanted)) + if (SOSManifestGetCount(confirmedRemovals) || SOSManifestGetCount(confirmedAdditions) || SOSManifestGetCount(unwanted)) { ok &= SOSPeerDidReceiveRemovalsAndAdditions(peer, confirmedRemovals, confirmedAdditions, unwanted, localManifest, error); + } + + // TODO: We should probably remove the if below and always call SOSPeerSetConfirmedManifest, // since having a NULL confirmed will force us to send a manifest message to get in sync again. - if (confirmed) + if (confirmed) { + + SOSManifestRef previousConfirmedManifest = SOSPeerGetConfirmedManifest(peer); + if(previousConfirmedManifest) { + secnotice("engine", "SOSEngineHandleMessage_locked (%@): new confirmed manifest (%zu, %@) will replace existing confirmed manifest (%zu, %@)", SOSPeerGetID(peer), + SOSManifestGetCount(confirmed), SOSManifestGetDigest(confirmed, NULL), + SOSManifestGetCount(previousConfirmedManifest), SOSManifestGetDigest(previousConfirmedManifest, NULL)); + } else { + secnotice("engine", "SOSEngineHandleMessage_locked (%@): new confirmed manifest (%zu, %@) is first manifest for peer", SOSPeerGetID(peer), + SOSManifestGetCount(confirmed), SOSManifestGetDigest(confirmed, NULL)); + } + SOSPeerSetConfirmedManifest(peer, confirmed); - else if (SOSPeerGetConfirmedManifest(peer)) { + } else if (SOSPeerGetConfirmedManifest(peer)) { secnoticeq("engine", "%@:%@ unable to find confirmed in %@, sync protocol reset", engine->myID, peer, message); SOSPeerSetConfirmedManifest(peer, NULL); 
@@ -2202,7 +2249,10 @@ static __unused bool SOSEngineCheckPeerIntegrity(SOSEngineRef engine, SOSPeerRef CFReleaseSafe(AunionT); CFReleaseSafe(MunionU); + CFReleaseSafe(CunionU); + CFReleaseNull(SunionAunionT); + CFReleaseNull(SunionMunionU); CFReleaseSafe(A); CFReleaseSafe(M); @@ -2247,7 +2297,7 @@ static void SOSEngineCompletedSyncWithPeer(SOSEngineRef engine, SOSPeerRef peer) CFDataRef SOSEngineCreateMessage_locked(SOSEngineRef engine, SOSTransactionRef txn, SOSPeerRef peer, - CFMutableArrayRef *attributeList, CFErrorRef *error, SOSEnginePeerMessageSentBlock *sent) { + CFMutableArrayRef *attributeList, CFErrorRef *error, SOSEnginePeerMessageSentCallback **sent) { SOSManifestRef local = SOSEngineCopyLocalPeerManifest_locked(engine, peer, error); __block SOSMessageRef message = SOSMessageCreate(kCFAllocatorDefault, SOSPeerGetMessageVersion(peer), error); SOSManifestRef confirmed = SOSPeerGetConfirmedManifest(peer); @@ -2299,12 +2349,14 @@ CFDataRef SOSEngineCreateMessage_locked(SOSEngineRef engine, SOSTransactionRef t CFReleaseNull(allMissing); CFReleaseNull(excessUnwanted); - secnoticeq("engine", "%@:%@: send state for peer [%s%s%s][%s%s] P:%zu, E:%zu, M:%zu U:%zu", engine->myID, SOSPeerGetID(peer), + secnoticeq("engine", "%@:%@: send state for peer [%s%s%s][%s%s] local:%zu confirmed:%zu pending:%zu, extra:%zu, missing:%zu unwanted:%zu", engine->myID, SOSPeerGetID(peer), local ? "L":"l", confirmed ? "C":"0", pendingObjects ? "P":"0", SOSPeerSendObjects(peer) ? "O":"o", SOSPeerMustSendMessage(peer) ? "S":"s", + SOSManifestGetCount(local), + SOSManifestGetCount(confirmed), SOSManifestGetCount(pendingObjects), SOSManifestGetCount(extra), SOSManifestGetCount(missing), 
@@ -2337,8 +2389,8 @@ CFDataRef SOSEngineCreateMessage_locked(SOSEngineRef engine, SOSTransactionRef t send = true; } if (!send) { - CFReleaseSafe(local); - CFReleaseSafe(message); + CFReleaseNull(local); + CFReleaseNull(message); CFReleaseNull(extra); CFReleaseNull(missing); return CFDataCreate(kCFAllocatorDefault, NULL, 0); @@ -2401,8 +2453,9 @@ CFDataRef SOSEngineCreateMessage_locked(SOSEngineRef engine, SOSTransactionRef t *attributeList = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); CFDictionaryRef itemPlist = SOSObjectCopyPropertyList(engine->dataSource, object, &localError); if(itemPlist && !CFArrayContainsValue(*attributeList, CFRangeMake(0, CFArrayGetCount(*attributeList)), (CFStringRef)CFDictionaryGetValue(itemPlist, kSecAttrAccessGroup))){ - CFArrayAppendValue(*attributeList, (CFStringRef)CFDictionaryGetValue(itemPlist, kSecAttrAccessGroup)); - }//copy access group to array + CFArrayAppendValue(*attributeList, (CFStringRef)CFDictionaryGetValue(itemPlist, kSecAttrAccessGroup)); + }//copy access group to array + CFReleaseNull(itemPlist); } else { const uint8_t *d = CFDataGetBytePtr(digest); CFStringRef hexder = CFDataCopyHexString(der); 
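Review bot: The access-group code in the `@@ -2401` hunk appends whatever `CFDictionaryGetValue(itemPlist, kSecAttrAccessGroup)` returns, and that is NULL for an item whose property list has no access group. `CFArrayContainsValue` then reports false and the NULL goes to `CFArrayAppendValue`, which would try to retain it if the array uses the CFType callbacks its constructor name suggests. Fetching the value once and testing it avoids that: `CFStringRef group = itemPlist ? CFDictionaryGetValue(itemPlist, kSecAttrAccessGroup) : NULL;` then `if (group && !CFArrayContainsValue(*attributeList, CFRangeMake(0, CFArrayGetCount(*attributeList)), group)) CFArrayAppendValue(*attributeList, group);`. The enclosing loop and function lie outside the hunk.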
@@ -2471,42 +2524,89 @@ CFDataRef SOSEngineCreateMessage_locked(SOSEngineRef engine, SOSTransactionRef t } if (result) { - // Capture the peer in our block (SOSEnginePeerMessageSentBlock) - CFRetainSafe(peer); - *sent = Block_copy(^(bool success) { - dispatch_async(engine->queue, ^{ - if (success) { - SOSPeerSetMustSendMessage(peer, false); - if (!confirmed && !proposed) { - SOSPeerSetSendObjects(peer, true); - secnoticeq("engine", "%@:%@ sendObjects=true L:%@", engine->myID, SOSPeerGetID(peer), local); + SOSEnginePeerMessageSentCallback* pmsc = malloc(sizeof(SOSEnginePeerMessageSentCallback)); + memset(pmsc, 0, sizeof(SOSEnginePeerMessageSentCallback)); + pmsc->engine = engine; CFRetain(pmsc->engine); + pmsc->peer = CFRetainSafe(peer); + pmsc->local = CFRetainSafe(local); + pmsc->proposed = CFRetainSafe(proposed); + pmsc->message = CFRetainSafe(message); + pmsc->confirmed = CFRetainSafe(confirmed); + + SOSEngineMessageCallbackSetCallback(pmsc, ^(bool success) { + // Have to copy pmsc so it'll still be around during the dispatch_async + SOSEnginePeerMessageSentCallback* pmsc2 = malloc(sizeof(SOSEnginePeerMessageSentCallback)); + memset(pmsc2, 0, sizeof(SOSEnginePeerMessageSentCallback)); + pmsc2->engine = pmsc->engine; CFRetain(pmsc2->engine); + pmsc2->peer = CFRetainSafe(pmsc->peer); + pmsc2->local = CFRetainSafe(pmsc->local); + pmsc2->proposed = CFRetainSafe(pmsc->proposed); + pmsc2->message = CFRetainSafe(pmsc->message); + pmsc2->confirmed = CFRetainSafe(pmsc->confirmed); + + dispatch_async(pmsc->engine->queue, ^{ + if (success) { + SOSPeerSetMustSendMessage(pmsc2->peer, false); + if (!pmsc2->confirmed && !pmsc2->proposed) { + SOSPeerSetSendObjects(pmsc2->peer, true); + secnoticeq("engine", "%@:%@ sendObjects=true L:%@", pmsc2->engine->myID, SOSPeerGetID(pmsc2->peer), pmsc2->local); + } + SOSPeerAddLocalManifest(pmsc2->peer, pmsc2->local); + SOSPeerAddProposedManifest(pmsc2->peer, pmsc2->proposed); + secnoticeq("engine", "send %@:%@ %@", pmsc2->engine->myID, 
SOSPeerGetID(pmsc2->peer), pmsc2->message); + //SOSEngineCheckPeerIntegrity(engine, peer, NULL); + } else { + secerror("%@:%@ failed to send %@", pmsc2->engine->myID, SOSPeerGetID(pmsc2->peer), pmsc2->message); } - SOSPeerAddLocalManifest(peer, local); - SOSPeerAddProposedManifest(peer, proposed); - secnoticeq("engine", "send %@:%@ %@", engine->myID, SOSPeerGetID(peer), message); - //SOSEngineCheckPeerIntegrity(engine, peer, NULL); - } else { - secerror("%@:%@ failed to send %@", engine->myID, SOSPeerGetID(peer), message); - } - CFReleaseSafe(peer); - CFReleaseSafe(local); - CFReleaseSafe(proposed); - CFReleaseSafe(message); + SOSEngineFreeMessageCallback(pmsc2); }); }); - } else { - CFReleaseSafe(local); - CFReleaseSafe(proposed); - CFReleaseSafe(message); + + *sent = pmsc; } + + CFReleaseNull(local); CFReleaseNull(extra); CFReleaseNull(missing); + CFReleaseNull(message); + CFReleaseNull(proposed); if (error && *error) secerror("%@:%@ error in send: %@", engine->myID, SOSPeerGetID(peer), *error); return result; } +void SOSEngineMessageCallbackSetCallback(SOSEnginePeerMessageSentCallback *sent, SOSEnginePeerMessageSentBlock block) { + if(sent) { + sent->block = Block_copy(block); + } +} + + +void SOSEngineMessageCallCallback(SOSEnginePeerMessageSentCallback *sent, bool ok) { + if (sent && sent->block) { + (sent->block)(ok); + } +} + +void SOSEngineFreeMessageCallback(SOSEnginePeerMessageSentCallback* psmc) { + if(psmc) { + CFReleaseNull(psmc->engine); + CFReleaseNull(psmc->peer); + CFReleaseNull(psmc->coder); + CFReleaseNull(psmc->local); + CFReleaseNull(psmc->proposed); + CFReleaseNull(psmc->message); + CFReleaseNull(psmc->confirmed); + + if(psmc->block) { + Block_release(psmc->block); + } + + free(psmc); + } +} + static void SOSEngineLogItemError(SOSEngineRef engine, CFStringRef peerID, CFDataRef key, CFDataRef optionalDigest, const char *where, CFErrorRef error) { if (!optionalDigest) { const uint8_t *d = CFDataGetBytePtr(key); 
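Review bot: Both `malloc` calls for `SOSEnginePeerMessageSentCallback` (`pmsc`, and `pmsc2` inside the sent block) are followed by `memset` and field writes with no NULL check, so an allocation failure becomes a NULL dereference. `SOSEnginePeerMessageSentCallback *pmsc = calloc(1, sizeof(*pmsc));` with an `if (!pmsc)` check that skips installing the callback covers the first, and the same pattern with an early return from the block covers `pmsc2`. `SOSEngineMessageCallbackSetCallback` overwrites `sent->block` without releasing a block that is already set, so a second call leaks the first copy; `if (sent->block) Block_release(sent->block);` before the assignment fixes that. `*sent` is written only when `result` is non-NULL, so callers must initialise their pointer to NULL before the call, which is worth stating next to the declaration.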
@@ -2848,10 +2948,10 @@ bool SOSEngineWithPeerID(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *er return result; } -CFDataRef SOSEngineCreateMessageToSyncToPeer(SOSEngineRef engine, CFStringRef peerID, CFMutableArrayRef *attributeList, SOSEnginePeerMessageSentBlock *sentBlock, CFErrorRef *error){ +CFDataRef SOSEngineCreateMessageToSyncToPeer(SOSEngineRef engine, CFStringRef peerID, CFMutableArrayRef *attributeList, SOSEnginePeerMessageSentCallback **sentCallback, CFErrorRef *error){ __block CFDataRef message = NULL; SOSEngineForPeerID(engine, peerID, error, ^(SOSTransactionRef txn, SOSPeerRef peer) { - message = SOSEngineCreateMessage_locked(engine, txn, peer, attributeList, error, sentBlock); + message = SOSEngineCreateMessage_locked(engine, txn, peer, attributeList, error, sentCallback); }); return message; } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.h index 1325e5fb..755732be 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSEngine.h @@ -37,9 +37,24 @@ __BEGIN_DECLS -// TODO: Move this to SOSPeer.h? typedef void (^SOSEnginePeerMessageSentBlock)(bool success); +typedef struct { + __unsafe_unretained SOSEnginePeerMessageSentBlock block; + SOSEngineRef engine; + SOSPeerRef peer; + SOSCoderRef coder; + SOSManifestRef local; + SOSManifestRef proposed; + SOSManifestRef confirmed; + SOSMessageRef message; +} SOSEnginePeerMessageSentCallback; +void SOSEngineMessageCallCallback(SOSEnginePeerMessageSentCallback *sent, bool ok); + +// Must always be in C or obj-c; splitting is unwise +void SOSEngineMessageCallbackSetCallback(SOSEnginePeerMessageSentCallback *sent, SOSEnginePeerMessageSentBlock block); + + // Return a new engine instance for a given data source. SOSEngineRef SOSEngineCreate(SOSDataSourceRef dataSource, CFErrorRef *error); 
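Review bot: The new `SOSEnginePeerMessageSentCallback` struct in SOSEngine.h has no comment describing ownership, and `block` is declared `__unsafe_unretained` even though `SOSEngineMessageCallbackSetCallback` stores a `Block_copy` result in it and `SOSEngineFreeMessageCallback` releases it. A comment above the typedef such as `// Every CF field is retained by the struct and block holds a Block_copy; release everything with SOSEngineFreeMessageCallback.` would make the contract explicit. The `coder` field is released by the free function but is not assigned by SOSEngineCreateMessage_locked in the visible hunks, so the comment should also say who sets it.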
@@ -93,7 +108,10 @@ bool SOSEngineHandleMessage_locked(SOSEngineRef engine, CFStringRef peerID, SOSM SOSTransactionRef txn, bool *commit, bool *somethingChanged, CFErrorRef *error); CFDataRef SOSEngineCreateMessage_locked(SOSEngineRef engine, SOSTransactionRef txn, SOSPeerRef peer, - CFMutableArrayRef *attributeList, CFErrorRef *error, SOSEnginePeerMessageSentBlock *sent); + CFMutableArrayRef *attributeList, CFErrorRef *error, SOSEnginePeerMessageSentCallback **sentCallback); + +// When you're done with the *sent parameter from SOSEngineCreateMessage_locked, you must call this on the returned object +void SOSEngineFreeMessageCallback(SOSEnginePeerMessageSentCallback* sentCallback); // Return a SOSPeerRef for a given peer_id. SOSPeerRef SOSEngineCopyPeerWithID(SOSEngineRef engine, CFStringRef peer_id, CFErrorRef *error); @@ -110,7 +128,7 @@ bool SOSEngineInitializePeerCoder(SOSEngineRef engine, SOSFullPeerInfoRef myPeer // return a zero length CFDataRef if there is nothing to send. // If *ProposedManifest is set the caller is responsible for updating their // proposed manifest upon successful transmission of the message. -CFDataRef SOSEngineCreateMessageToSyncToPeer(SOSEngineRef engine, CFStringRef peerID, CFMutableArrayRef *attributeList, SOSEnginePeerMessageSentBlock *sentBlock, CFErrorRef *error); +CFDataRef SOSEngineCreateMessageToSyncToPeer(SOSEngineRef engine, CFStringRef peerID, CFMutableArrayRef *attributeList, SOSEnginePeerMessageSentCallback **sentBlock, CFErrorRef *error); CFStringRef SOSEngineGetMyID(SOSEngineRef engine); bool SOSEnginePeerDidConnect(SOSEngineRef engine, CFStringRef peerID, CFErrorRef *error); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSEnsureBackup.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSEnsureBackup.m index 710ed742..b32f3e01 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSEnsureBackup.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSEnsureBackup.m 
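Review bot: The header still names the fourth parameter of SOSEngineCreateMessageToSyncToPeer `sentBlock` although its type is now `SOSEnginePeerMessageSentCallback **` and the definition in SOSEngine.c calls it `sentCallback`; `SOSEnginePeerMessageSentCallback **sentCallback` keeps declaration and definition in step. The new comment above SOSEngineFreeMessageCallback refers to "the *sent parameter" while the declaration next to it names that parameter `sentCallback`, so the comment should use the same name. The unchanged comment above SOSEngineCreateMessageToSyncToPeer still speaks of `*ProposedManifest`, which no longer matches the signature shown.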
@@ -25,8 +25,9 @@ #import "SOSEnsureBackup.h" #include -#if TARGET_OS_OSX || TARGET_OS_IOS +#if OCTAGON #import "keychain/ckks/CKKSLockStateTracker.h" +#import "keychain/ckks/NSOperationCategories.h" #include #import #import "keychain/analytics/awd/AWDMetricIds_Keychain.h" @@ -50,19 +51,20 @@ void SOSEnsureBackupWhileUnlocked(void) { NSBlockOperation *backupOperation = [NSBlockOperation blockOperationWithBlock:^{ secnotice("engine", "Performing keychain backup after unlock because backing up while locked failed"); SOSAccount *account = (__bridge SOSAccount *)(SOSKeychainAccountGetSharedAccount()); - SOSAccountTransaction* transaction = [SOSAccountTransaction transactionWithAccount:account]; - CFErrorRef error = NULL; - CFSetRef set = SOSAccountCopyBackupPeersAndForceSync(transaction, &error); - if (set) { - secnotice("engine", "SOSEnsureBackup: SOS made a backup of views: %@", set); - } else { - secerror("engine: SOSEnsureBackup: encountered an error while making backup (%@)", error); - } - CFReleaseNull(error); - CFReleaseNull(set); + [account performTransaction:^(SOSAccountTransaction *transaction) { + CFErrorRef error = NULL; + NSSet* set = CFBridgingRelease(SOSAccountCopyBackupPeersAndForceSync(transaction, &error)); + if (set) { + secnotice("engine", "SOSEnsureBackup: SOS made a backup of views: %@", set); + } else { + secerror("engine: SOSEnsureBackup: encountered an error while making backup (%@)", error); + } + + CFReleaseNull(error); + }]; }]; - [backupOperation addDependency:lockStateTracker.unlockDependency]; + [backupOperation addNullableDependency:lockStateTracker.unlockDependency]; [backupOperationQueue addOperation:backupOperation]; AWDPostSimpleMetric(AWDMetricId_Keychain_SOSKeychainBackupFailed); } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSExports.exp-in b/OSX/sec/SOSCircle/SecureObjectSync/SOSExports.exp-in index 1434f14d..d55aa5a2 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSExports.exp-in 
+++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSExports.exp-in @@ -6,6 +6,7 @@ // _SOSCCAcceptApplicants +_SOSCCAccountGetAccountPrivateCredential _SOSCCAccountGetPublicKey _SOSCCAccountGetKeyCircleGeneration _SOSCCAccountHasPublicKey @@ -84,9 +85,9 @@ _SOSCCSetLastDepartureReason _SOSCCSetUserCredentials _SOSCCSetUserCredentialsAndDSID _SOSCCSignedOut -_SOSCCSysdiagnose _SOSCCThisDeviceIsInCircle _SOSCCTryUserCredentials +_SOSCCTryUserCredentialsAndDSID _SOSCCValidateUserPublic _SOSCCView _SOSCCViewSet @@ -99,8 +100,6 @@ _kSOSCCEngineStateManifestHashKey _kSOSCCEngineStatePeerIDKey _kSOSCCEngineStateSyncSetKey -_UserParametersDescription - _kSOSCCCircleChangedNotification _kSOSCCViewMembershipChangedNotification _kSOSCCInitialSyncChangedNotification @@ -112,10 +111,6 @@ _kSOSCCCircleOctagonKeysChangedNotification _SOSCCSetLastDepartureReason _SOSCCAccountSetToNew -_SOSCCDumpCircleInformation -_SOSCCDumpCircleKVSInformation - - // // Peer Info interfaces for SPI // @@ -123,12 +118,24 @@ _SOSCCDumpCircleKVSInformation _SOSPeerInfoApplicationVerify _SOSPeerInfoCompareByID _SOSPeerInfoCopyAsApplication +_SOSPeerInfoCopyBackupKey +_SOSPeerInfoCopyDeviceID +_SOSPeerInfoCopyEnabledViews _SOSPeerInfoCopyEncodedData +_SOSPeerInfoCopyEscrowRecord +_SOSPeerInfoCopyIDSACKModelPreference +_SOSPeerInfoCopyIDSFragmentationPreference +_SOSPeerInfoCopyIDSPreference +_SOSPeerInfoCopyOctagonSigningPublicKey +_SOSPeerInfoCopyOctagonEncryptionPublicKey _SOSPeerInfoCopyPeerGestalt _SOSPeerInfoCopyPubKey +_SOSPeerInfoCopyTransportType _SOSPeerInfoCopyWithBackupKeyUpdate _SOSPeerInfoCopyWithEscrowRecordUpdate _SOSPeerInfoCopyWithGestaltUpdate +_SOSPeerInfoCopyWithPing +_SOSPeerInfoCopyWithReplacedEscrowRecords _SOSPeerInfoCopyWithSecurityPropertyChange _SOSPeerInfoCopyWithViewsChange _SOSPeerInfoCopyTransportType 
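Review bot: `_SOSCCAccountGetAccountPrivateCredential` is added to the export list with no comment, and judging by its name it returns the account's private credential, so exporting it enlarges what any code linking this library can reach. Later hunks of this file also export helpers that look test- or debug-only: `_SOSViewsSetTestViewsSet`, `_SOSPeerInfoSetTestSerialNumber` and `_debugDumpCircle`. It would help to confirm that each has a caller outside the library and to place the test helpers under the file's existing "Exported for testing/tools" section rather than in the general lists.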
@@ -137,17 +144,18 @@ _SOSPeerInfoCopyOSVersion _SOSPeerInfoCreate _SOSPeerInfoCreateCloudIdentity _SOSPeerInfoCreateCopy +_SOSPeerInfoCreateCurrentCopy _SOSPeerInfoCreateFromDER _SOSPeerInfoCreateFromData _SOSPeerInfoCreateRetirementTicket +_SOSPeerInfoCreateWithTransportAndViews +_SOSPeerInfoCopyData _SOSPeerInfoEncodeToDER +_SOSPeerInfoExpandV2Data _SOSPeerInfoGetApplicationDate _SOSPeerInfoGetAutoAcceptInfo -_SOSPeerInfoCopyBackupKey +_SOSPeerInfoGetClass _SOSPeerInfoGetDEREncodedSize -_SOSPeerInfoCopyDeviceID -_SOSPeerInfoCopyEnabledViews -_SOSPeerInfoCopyIDSPreference _SOSPeerInfoGetPeerDeviceType _SOSPeerInfoGetPeerID _SOSPeerInfoGetPeerName @@ -158,22 +166,36 @@ _SOSPeerInfoGetTypeID _SOSPeerInfoGetVersion _SOSPeerInfoHasBackupKey _SOSPeerInfoHasDeviceID +_SOSPeerInfoHasOctagonEncryptionPubKey +_SOSPeerInfoHasOctagonSigningPubKey _SOSPeerInfoInspectRetirementTicket _SOSPeerInfoIsCloudIdentity +_SOSPeerInfoIsEnabledView _SOSPeerInfoIsRetirementTicket +_SOSPeerInfoKVSOnly +_SOSPeerInfoLogState _SOSPeerInfoLookupGestaltValue _SOSPeerInfoPeerIDEqual _SOSPeerInfoRetireRetirementTicket _SOSPeerInfoSecurityPropertyStatus _SOSPeerInfoSetDeviceID +_SOSPeerInfoSetIDSACKModelPreference +_SOSPeerInfoSetIDSFragmentationPreference _SOSPeerInfoSetIDSPreference +_SOSPeerInfoSetOctagonEncryptionKey +_SOSPeerInfoSetOctagonSigningKey _SOSPeerInfoSetTransportType +_SOSPeerInfoShouldUseACKModel +_SOSPeerInfoShouldUseIDSMessageFragmentation _SOSPeerInfoShouldUseIDSTransport +_SOSPeerInfoTransportTypeIs _SOSPeerInfoUpdateDigestWithDescription _SOSPeerInfoUpdateDigestWithPublicKeyBytes _SOSPeerInfoUpgradeSignatures +_SOSPeerInfoVersionHasV2Data +_SOSPeerInfoVersionIsCurrent _SOSPeerInfoViewStatus -_SOSPeerInfoExpandV2Data +_SOSPeerInfoWithEnabledViewSet _SOSFullPeerInfoCreate 
@@ -195,17 +217,22 @@ _SOSCCEnableRing _SOSCCIsThisDeviceLastBackup _SOSCloudKeychainSendIDSMessage +_SOSCloudKeychainRemoveKeys +_SOSCloudKeychainRetrieveCountersFromIDSProxy _CFArrayOfSOSPeerInfosSortByID _CFSetCreateMutableForSOSPeerInfosByID +_CFSetCreateMutableForSOSPeerInfosByIDWithArray _CreateArrayOfPeerInfoWithXPCObject _CreateXPCObjectWithArrayOfPeerInfo +_kSOSPeerSetCallbacks _SOSPeerInfoArrayCreateFromDER _SOSPeerInfoArrayEncodeToDER _SOSPeerInfoArrayGetDEREncodedSize _SOSPeerInfoSetContainsIdenticalPeers _SOSPeerInfoSetCreateFromArrayDER _SOSPeerInfoSetEncodeToArrayDER +_SOSPeerInfoSetFindByID _SOSPeerInfoSetGetDEREncodedArraySize _SecCreateCFErrorWithXPCObject @@ -215,23 +242,29 @@ _SecCreateXPCObjectWithCFError // Backup Key Bag SPI // +_SOSBKSBKeyIsInKeyBag +_SOSBKSBPrefixedKeyIsInKeyBag _SOSBSKBCopyAKSBag _SOSBSKBCopyEncoded -_SOSBSKBIsDirect -_SOSBSKBGetPeers _SOSBSKBCopyRecoveryKey - -_SOSBSKBLoadLocked +_SOSBSKBCountPeers +_SOSBSKBGetPeers +_SOSBSKBIsDirect +_SOSBSKBIsGoodBackupPublic _SOSBSKBLoadAndUnlockWithDirectSecret +_SOSBSKBLoadAndUnlockWithPeerIDAndSecret _SOSBSKBLoadAndUnlockWithPeerSecret _SOSBSKBLoadAndUnlockWithWrappingSecret +_SOSBSKBLoadLocked +_SOSBSKBPeerIsInKeyBag _SOSBackupSliceKeyBagCreate _SOSBackupSliceKeyBagCreateDirect _SOSBackupSliceKeyBagCreateFromData -_SOSBackupSliceKeyBagGetTypeID +_SOSBackupSliceKeyBagCreateWithAdditionalKeys _der_decode_BackupSliceKeyBag _der_encode_BackupSliceKeyBag _der_sizeof_BackupSliceKeyBag +_bskbRkbgPrefix _SOSWrapToBackupSliceKeyBagForView _SOSBSKBHasRecoveryKey 
@@ -245,6 +278,23 @@ _SOSViewCopyViewSet _SOSViewsGetAllCurrent +_SOSViewHintInCKKSSystem +_SOSViewHintInSOSSystem +_SOSViewInSOSSystem +_SOSViewSetDisable +_SOSViewSetEnable +_SOSViewsDisable +_SOSViewsEnable +_SOSViewsForEachDefaultEnabledViewName +_SOSViewsGetV0BackupBagViewSet +_SOSViewsGetV0BackupViewSet +_SOSViewsGetV0SubviewSet +_SOSViewsGetV0ViewSet +_SOSViewsIsV0Subview +_SOSViewsQuery +_SOSViewsSetTestViewsSet +_SOSViewsXlateAction + // // Preferred symbols for viewHints // @@ -253,6 +303,29 @@ _SOSViewsGetAllCurrent _kSecUseSyncBubbleKeychain +// +// Deprecated viewHints (but still in headers) +// +_kSOSViewAutofillPasswords_tomb +_kSOSViewBackupBagV0_tomb +_kSOSViewHintAppleTV +_kSOSViewHintHomeKit +_kSOSViewHintPCSCloudKit +_kSOSViewHintPCSEscrow +_kSOSViewHintPCSFDE +_kSOSViewHintPCSMailDrop +_kSOSViewHintPCSMasterKey +_kSOSViewHintPCSNotes +_kSOSViewHintPCSPhotos +_kSOSViewHintPCSiCloudBackup +_kSOSViewHintPCSiCloudDrive +_kSOSViewHintPCSiMessage +_kSOSViewKeychainV0_tomb +_kSOSViewOtherSyncable_tomb +_kSOSViewSafariCreditCards_tomb +_kSOSViewWiFi_tomb +_kSOSViewiCloudIdentity_tomb + // // Exported for testing/tools (?) // 
@@ -275,13 +348,132 @@ _SOSCircleRequestAdmission _SOSCircleAcceptRequest _SOSCircleHasPeer +_SOSGenCountCreateFromDER +_SOSGenCountEncodeToDER +_SOSGenCountGetDEREncodedSize +_SOSGenerationCopy +_SOSGenerationCountWithDescription +_SOSGenerationCreate +_SOSGenerationCreateWithBaseline +_SOSGenerationCreateWithValue +_SOSGenerationIsOlder +_SOSGetGenerationSint + +_SOSCircleAcceptRequests +_SOSCircleAppendConcurringPeers +_SOSCircleConcordanceSign +_SOSCircleConcordanceTrust +_SOSCircleCopyAllSignatures +_SOSCircleCopyApplicants +_SOSCircleCopyConcurringPeers +_SOSCircleCopyEncodedData +_SOSCircleCopyPeerWithID +_SOSCircleCopyPeers +_SOSCircleCopyRejectedApplicant +_SOSCircleCopyRejectedApplicants +_SOSCircleCopyiCloudFullPeerInfoRef +_SOSCircleCountActivePeers +_SOSCircleCountActiveValidPeers +_SOSCircleCountApplicants +_SOSCircleCountPeers +_SOSCircleCountRejectedApplicants +_SOSCircleCountRetiredPeers +_SOSCircleCountValidSyncingPeers +_SOSCircleCreateFromDER +_SOSCircleCreateIncompatibleCircleDER +_SOSCircleEncodeToDER +_SOSCircleForEachActivePeer +_SOSCircleForEachActiveValidPeer +_SOSCircleForEachApplicant +_SOSCircleForEachPeer +_SOSCircleForEachRetiredPeer +_SOSCircleForEachValidPeer +_SOSCircleForEachValidSyncingPeer +_SOSCircleForEachiCloudIdentityPeer +_SOSCircleGenerationSign +_SOSCircleGetDEREncodedSize +_SOSCircleGetName +_SOSCircleGetNameC +_SOSCircleGetSignature +_SOSCircleGetTypeID +_SOSCircleHasActivePeer +_SOSCircleHasActivePeerWithID +_SOSCircleHasActiveValidPeer +_SOSCircleHasActiveValidPeerWithID +_SOSCircleHasApplicant +_SOSCircleHasPeerWithID +_SOSCircleHasRejectedApplicant +_SOSCircleHasValidSyncingPeer +_SOSCircleIsOlderGeneration +_SOSCircleLogState +_SOSCirclePeerSigUpdate +_SOSCircleRejectRequest +_SOSCircleRemovePeer +_SOSCircleRemovePeers +_SOSCircleRemovePeersByID +_SOSCircleRemovePeersByIDUnsigned +_SOSCircleRemoveRejectedPeer +_SOSCircleRemoveRetired +_SOSCircleRequestReadmission +_SOSCircleResetToEmpty 
+_SOSCircleResetToEmptyWithSameGeneration +_SOSCircleResetToOffering +_SOSCircleSetGeneration +_SOSCircleSetSignature +_SOSCircleSharedTrustedPeers +_SOSCircleSign +_SOSCircleSignOldStyleResetToOfferingCircle +_SOSCircleUpdatePeerInfo +_SOSCircleVerify +_SOSCircleVerifyPeerSigned +_SOSCircleVerifySignatureExists +_SOSCircleWithdrawRequest +_debugDumpCircle + +_SOSFullPeerInfoAddEscrowRecord +_SOSFullPeerInfoCopyDeviceKey +_SOSFullPeerInfoCopyEncodedData +_SOSFullPeerInfoCopyFullPeerInfo _SOSFullPeerInfoCopyOctagonSigningKey _SOSFullPeerInfoCopyOctagonEncryptionKey _SOSFullPeerInfoCopyOctagonPublicEncryptionKey _SOSFullPeerInfoCopyOctagonPublicSigningKey - +_SOSFullPeerInfoCopyPubKey +_SOSFullPeerInfoCreateCloudIdentity +_SOSFullPeerInfoCreateFromDER +_SOSFullPeerInfoCreateFromData +_SOSFullPeerInfoCreateWithViews +_SOSFullPeerInfoEncodeToDER +_SOSFullPeerInfoGetDEREncodedSize +_SOSFullPeerInfoHaveOctagonKeys +_SOSFullPeerInfoPing +_SOSFullPeerInfoPrivKeyExists +_SOSFullPeerInfoPromoteToRetiredAndCopy +_SOSFullPeerInfoPurgePersistentKey +_SOSFullPeerInfoReplaceEscrowRecords +_SOSFullPeerInfoSecurityPropertyStatus +_SOSFullPeerInfoUpdateBackupKey +_SOSFullPeerInfoUpdateDeviceID +_SOSFullPeerInfoUpdateGestalt +_SOSFullPeerInfoUpdateOctagonEncryptionKey +_SOSFullPeerInfoUpdateOctagonSigningKey +_SOSFullPeerInfoUpdateSecurityProperty +_SOSFullPeerInfoUpdateToCurrent +_SOSFullPeerInfoUpdateToThisPeer +_SOSFullPeerInfoUpdateTransportAckModelPreference +_SOSFullPeerInfoUpdateTransportFragmentationPreference +_SOSFullPeerInfoUpdateTransportPreference +_SOSFullPeerInfoUpdateTransportType +_SOSFullPeerInfoUpdateV2Dictionary +_SOSFullPeerInfoUpdateViews +_SOSFullPeerInfoUpgradeSignatures +_SOSFullPeerInfoValidate +_SOSFullPeerInfoViewStatus + +_SOSPiggyBackBlobCreateFromDER _SOSPiggyBackBlobCreateFromData _SOSPiggyBackBlobCopyEncodedData +_SOSPiggyBackAddToKeychain _SOSCloudKeychainRetrievePendingMessageFromProxy _SOSCloudKeychainClearAll 
@@ -291,8 +483,71 @@ _SOSCloudKeychainPutObjectsInCloud _SOSCloudKeychainSetItemsChangedBlock _SOSCloudKeychainSynchronizeAndWait _SOSCloudKeychainUpdateKeys +_SOSCloudCopyKVSState +_SOSCloudKeychainFlush +_SOSCloudKeychainGetIDSDeviceAvailability +_SOSCloudKeychainGetIDSDeviceID +_SOSCloudKeychainHandleUpdateMessage +_SOSCloudKeychainHasPendingKey +_SOSCloudKeychainHasPendingSyncWithPeer +_SOSCloudKeychainRequestEnsurePeerRegistration +_SOSCloudKeychainRequestPerfCounters +_SOSCloudKeychainRequestSyncWithPeers +_SOSCloudKeychainSynchronize + + +_SOSCircleKeyCopyCircleName +_SOSCircleKeyCreateWithCircle +_SOSCircleKeyCreateWithName +_SOSDebugInfoKeyCreateWithTypeName +_SOSKVSKeyGetKeyTypeAndParse +_SOSKVSKeyParse +_SOSLastKeyParametersPushedKeyCreateWithAccountGestalt +_SOSLastKeyParametersPushedKeyCreateWithPeerID +_SOSMessageKeyCopyCircleName +_SOSMessageKeyCopyFromPeerName +_SOSMessageKeyCreateFromPeerToTransport +_SOSMessageKeyCreateFromTransportToPeer +_SOSMessageKeyCreateWithCircleAndPeerInfos +_SOSMessageKeyCreateWithCircleAndPeerNames +_SOSMessageKeyCreateWithCircleNameAndPeerNames +_SOSMessageKeyCreateWithCircleNameAndTransportType +_SOSRetirementKeyCreateWithCircleAndPeer +_SOSRetirementKeyCreateWithCircleNameAndPeer +_SOSRingKeyCreateWithName +_SOSRingKeyCreateWithRingName +_kSOSKVSKeyParametersKey +_sCirclePrefix +_sDebugInfoPrefix +_sLastKeyParametersPushedPrefix +_sRetirementPrefix + + + +_CFDataCreateWithDER +_GenerateECPair +_GeneratePermanentECPair +_SOSCopyDeviceBackupPublicKey +_SOSCopyECUnwrappedData +_SOSCopyECWrappedData +_SOSCopyIDOfDataBuffer +_SOSCopyIDOfDataBufferWithLength +_SOSCopyIDOfKey +_SOSCopyIDOfKeyWithLength +_SOSCreateError +_SOSCreateErrorWithFormat +_SOSCreateErrorWithFormatAndArguments +_SOSDateCreate +_SOSErrorCreate +_SOSGenerateDeviceBackupFullKey +_SOSGetBackupKeyCurveParameters +_SOSItemsChangedCopyDescription +_SOSPerformWithDeviceBackupFullKey +_SOSPerformWithUnwrappedData +_SOSTransportMessageTypeIDSV2 
+_SOSTransportMessageTypeKVS +_kSOSDSIDKey -_SOSKVSKeyGetKeyType _SOSPeerGestaltGetAnswer _SOSPeerGestaltGetName @@ -300,7 +555,7 @@ _SOSPeerGetGestalt _SecCreateCFErrorWithXPCObject _SecCreateXPCObjectWithCFError -_SecOTRPacketTypeString +_CreateXPCObjectWithCFSetRef _kSOSErrorDomain _kSecIDSErrorDomain @@ -330,6 +585,10 @@ _sPreferIDS _sPreferIDSFragmentation _sPreferIDSACKModel _sDeviceID +_sRingState +_sV2DictionaryKey +_sBackupKeyKey +_sEscrowRecord _sTransportType _sSecurityPropertiesKey _kIDSOperationType @@ -339,8 +598,27 @@ _kIDSMessageRecipientPeerID _kIDSMessageRecipientDeviceID _kIDSMessageUsesAckModel _SOSGenerationCountCopyDescription +_kIDSMessageSenderDeviceID -_SOSLogSetOutputTo +_kSOSHsaCrKeyDictionary +_SOSPeerInfoCopySerialNumber +_SOSPeerInfoCopyWithV2DictionaryUpdate +_SOSPeerInfoPackV2Data +_SOSPeerInfoSerialNumberIsSet +_SOSPeerInfoSetSerialNumber +_SOSPeerInfoSetTestSerialNumber +_SOSPeerInfoUpdateToV2 +_SOSPeerInfoV2DictionaryCopyDictionary +_SOSPeerInfoV2DictionaryForEachSetValue +_SOSPeerInfoV2DictionaryHasBoolean +_SOSPeerInfoV2DictionaryHasData +_SOSPeerInfoV2DictionaryHasSet +_SOSPeerInfoV2DictionaryHasSetContaining +_SOSPeerInfoV2DictionaryHasString +_SOSPeerInfoV2DictionaryHasStringValue +_SOSPeerInfoV2DictionaryRemoveValue +_SOSPeerInfoV2DictionarySetValue +_SOSPeerInfoV2DictionaryWithSet _der_sizeof_data_or_null _der_encode_data_or_null diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSFullPeerInfo.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSFullPeerInfo.h index d969cf45..096c0128 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSFullPeerInfo.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSFullPeerInfo.h 
@@ -53,7 +53,10 @@ SOSFullPeerInfoRef SOSFullPeerInfoCreateCloudIdentity(CFAllocatorRef allocator, SOSPeerInfoRef SOSFullPeerInfoGetPeerInfo(SOSFullPeerInfoRef fullPeer); SecKeyRef SOSFullPeerInfoCopyDeviceKey(SOSFullPeerInfoRef fullPeer, CFErrorRef* error); -SecKeyRef SOSFullPeerInfoCopyPubKey(SOSFullPeerInfoRef fpi, CFErrorRef *error); + +CF_RETURNS_RETAINED +SecKeyRef +SOSFullPeerInfoCopyPubKey(SOSFullPeerInfoRef fpi, CFErrorRef *error); /* octagon keys */ SecKeyRef SOSFullPeerInfoCopyOctagonPublicSigningKey(SOSFullPeerInfoRef fullPeer, CFErrorRef* error); @@ -72,8 +75,6 @@ bool SOSFullPeerInfoValidate(SOSFullPeerInfoRef peer, CFErrorRef* error); bool SOSFullPeerInfoPrivKeyExists(SOSFullPeerInfoRef peer); -bool SOSFullPeerInfoOctagonPrivKeyExists(SOSFullPeerInfoRef peer); - bool SOSFullPeerInfoUpdateGestalt(SOSFullPeerInfoRef peer, CFDictionaryRef gestalt, CFErrorRef* error); bool SOSFullPeerInfoUpdateV2Dictionary(SOSFullPeerInfoRef peer, CFDictionaryRef newv2dict, CFErrorRef* error); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSFullPeerInfo.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSFullPeerInfo.m index d698f2d5..fe1416c2 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSFullPeerInfo.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSFullPeerInfo.m @@ -102,9 +102,8 @@ static bool SOSFullPeerInfoUpdate(SOSFullPeerInfoRef fullPeerInfo, CFErrorRef *e newPeer = create_modification(fullPeerInfo->peer_info, device_key, error); require_quiet(newPeer, fail); - + CFTransferRetained(fullPeerInfo->peer_info, newPeer); - result = true; fail: 
@@ -140,7 +139,7 @@ SOSFullPeerInfoRef SOSFullPeerInfoCreateWithViews(CFAllocatorRef allocator, SOSFullPeerInfoRef fpi = CFTypeAllocate(SOSFullPeerInfo, struct __OpaqueSOSFullPeerInfo, allocator); CFStringRef IDSID = CFSTR(""); - CFStringRef transportType = SOSTransportMessageTypeIDSV2; + CFStringRef transportType = SOSTransportMessageTypeKVS; CFBooleanRef preferIDS = kCFBooleanFalse; CFBooleanRef preferIDSFragmentation = kCFBooleanTrue; CFBooleanRef preferACKModel = kCFBooleanTrue; @@ -175,7 +174,7 @@ SOSFullPeerInfoRef SOSFullPeerInfoCopyFullPeerInfo(SOSFullPeerInfoRef toCopy) { require_quiet(fpi, errOut); fpi->peer_info = SOSPeerInfoCreateCopy(kCFAllocatorDefault, piToCopy, NULL); require_quiet(fpi->peer_info, errOut); - fpi->key_ref = toCopy->key_ref; + fpi->key_ref = CFRetainSafe(toCopy->key_ref); CFTransferRetained(retval, fpi); errOut: @@ -252,6 +251,7 @@ CFDataRef SOSPeerInfoCopyData(SOSPeerInfoRef pi, CFErrorRef *error) exit: CFReleaseNull(query); + CFReleaseNull(pubKey); secnotice("fpi","no private key found"); return (CFDataRef)vData; @@ -360,8 +360,7 @@ static CFStringRef SOSFullPeerInfoCopyFormatDescription(CFTypeRef aObj, CFDictio bool SOSFullPeerInfoUpdateGestalt(SOSFullPeerInfoRef peer, CFDictionaryRef gestalt, CFErrorRef* error) { return SOSFullPeerInfoUpdate(peer, error, ^SOSPeerInfoRef(SOSPeerInfoRef peer, SecKeyRef key, CFErrorRef *error) { - return SOSPeerInfoCopyWithGestaltUpdate(kCFAllocatorDefault, peer, - gestalt, key, error); + return SOSPeerInfoCopyWithGestaltUpdate(kCFAllocatorDefault, peer, gestalt, key, error); }); } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSInternal.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSInternal.h index e1722f56..88f754b8 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSInternal.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSInternal.h @@ -37,6 +37,8 @@ __BEGIN_DECLS +#define ENABLE_IDS 0 + enum { // Public errors are first (See SOSCloudCircle) 
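Review bot: The new default `transportType = SOSTransportMessageTypeKVS` in SOSFullPeerInfoCreateWithViews sits directly above `preferIDSFragmentation = kCFBooleanTrue` and `preferACKModel = kCFBooleanTrue`, which still describe IDS behaviour, and nothing in the hunk says whether those flags are now ignored. The same switch is made in SOSPeerInfoUpdateToV2, where the values are written into the peer's V2 dictionary, and SOSInternal.h gains a bare `#define ENABLE_IDS 0` with no explanation. If the intent is what it appears to be, a comment at the define and at both defaults would make it auditable, e.g. `// IDS transport is compiled out (ENABLE_IDS == 0): new peers advertise KVS; the IDS preference flags are kept for compatibility only`. The body of SOSFullPeerInfoCreateWithViews continues outside the hunk.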
@@ -85,7 +87,6 @@ typedef enum { extern const CFStringRef SOSTransportMessageTypeIDSV2; extern const CFStringRef SOSTransportMessageTypeKVS; -extern const CFStringRef SOSTransportMessageTypeIDS; extern const CFStringRef kSOSDSIDKey; // Returns false unless errorCode is 0. @@ -165,6 +166,7 @@ extern const CFStringRef kIDSMessageUniqueID; extern const CFStringRef kIDSMessageRecipientPeerID; extern const CFStringRef kIDSMessageRecipientDeviceID; extern const CFStringRef kIDSMessageUsesAckModel; +extern const CFStringRef kIDSMessageSenderDeviceID; __END_DECLS diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSInternal.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSInternal.m index 4aac04d1..adcf8165 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSInternal.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSInternal.m @@ -58,8 +58,11 @@ const CFStringRef kIDSMessageToSendKey = CFSTR("MessageToSendKey"); const CFStringRef kIDSMessageUniqueID = CFSTR("MessageID"); const CFStringRef kIDSMessageRecipientPeerID = CFSTR("RecipientPeerID"); const CFStringRef kIDSMessageRecipientDeviceID = CFSTR("RecipientDeviceID"); +const CFStringRef kIDSMessageSenderDeviceID = CFSTR("SendersDeviceID"); + const CFStringRef kIDSMessageUsesAckModel = CFSTR("UsesAckModel"); const CFStringRef kSOSErrorDomain = CFSTR("com.apple.security.sos.error"); +const CFStringRef kSOSDSIDKey = CFSTR("AccountDSID"); const CFStringRef SOSTransportMessageTypeIDSV2 = CFSTR("IDS2.0"); const CFStringRef SOSTransportMessageTypeKVS = CFSTR("KVS"); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSKVSKeys.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSKVSKeys.h index 7dd56944..079be6dc 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSKVSKeys.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSKVSKeys.h @@ -3,7 +3,7 @@ #ifndef SOSKVSKEYS_H #define SOSKVSKEYS_H -#include "SOSCircle.h" +#include #include #include // 
@@ -21,7 +21,6 @@ typedef enum { kRingKey, kLastCircleKey, kLastKeyParameterKey, - kOTRConfig, kUnknownKey, } SOSKVSKeyType; diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSKVSKeys.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSKVSKeys.m index 2699dfd4..58f7a78e 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSKVSKeys.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSKVSKeys.m @@ -77,7 +77,6 @@ SOSKVSKeyType SOSKVSKeyGetKeyType(CFStringRef key) { else if(CFStringHasPrefix(key, kSOSKVSAccountChangedKey)) retval = kAccountChangedKey; else if(CFStringHasPrefix(key, sDebugInfoPrefix)) retval = kDebugInfoKey; else if(CFStringHasPrefix(key, sLastKeyParametersPushedPrefix)) retval = kLastKeyParameterKey; - else if(CFStringHasPrefix(key, kSOSKVSOTRConfigVersion)) retval = kOTRConfig; else retval = kMessageKey; return retval; @@ -150,7 +149,6 @@ bool SOSKVSKeyParse(SOSKVSKeyType keyType, CFStringRef key, CFStringRef *circle, case kParametersKey: case kInitialSyncKey: case kUnknownKey: - case kOTRConfig: break; case kLastKeyParameterKey: if(from) { @@ -315,6 +313,17 @@ CFStringRef SOSRetirementKeyCreateWithCircleAndPeer(SOSCircleRef circle, CFStrin return SOSRetirementKeyCreateWithCircleNameAndPeer(SOSCircleGetName(circle), retirement_peer_name); } +static CFStringRef SOSAccountCreateCompactDescription(SOSAccount* a) { + + CFStringRef gestaltDescription = CFDictionaryCopySuperCompactDescription((__bridge CFDictionaryRef)(a.gestalt)); + + CFStringRef result = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@"), gestaltDescription); + + CFReleaseNull(gestaltDescription); + + return result; +} + //should be >KeyParameters|ourPeerID CFStringRef SOSLastKeyParametersPushedKeyCreateWithPeerID(CFStringRef peerID){ diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSMessage.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSMessage.c index 3e98390d..4bc308db 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSMessage.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSMessage.c 
@@ -409,8 +409,12 @@ bool SOSMessageSetManifests(SOSMessageRef message, SOSManifestRef sender, // TODO: Check at v2 encoding time // if (!sender) return (SOSMessageRef)SOSErrorCreate(kSOSErrorProcessingFailure, error, NULL, CFSTR("no sender manifest specified for SOSMessage")); message->baseDigest = CFRetainSafe(SOSManifestGetDigest(base, NULL)); + secinfo("engine", "SOSMessageSetManifests: setting base digest to %@ %zu", message->baseDigest, SOSManifestGetCount(base)); message->proposedDigest = CFRetainSafe(SOSManifestGetDigest(proposed, NULL)); + secinfo("engine", "SOSMessageSetManifests: setting proposed digest to %@ %zu", message->proposedDigest, SOSManifestGetCount(proposed)); message->senderDigest = CFRetainSafe(SOSManifestGetDigest(sender, NULL)); + secinfo("engine", "SOSMessageSetManifests: setting sender digest to %@ %zu", message->senderDigest, SOSManifestGetCount(sender)); + if (includeManifestDeltas) { SOSManifestRef additions = NULL; ok = SOSManifestDiff(base, proposed, &message->removals, &additions, error); @@ -641,6 +645,7 @@ static size_t der_sizeof_manifest_digest_message(SOSMessageRef message, CFErrorR } static uint8_t *der_encode_manifest_digest_message(SOSMessageRef message, CFErrorRef *error, const uint8_t *der, uint8_t *der_end) { + secinfo("engine", "der_encode_manifest_digest_message: encoded sender digest as %@", message->senderDigest); return ccder_encode_constructed_tl(CCDER_CONSTRUCTED_SEQUENCE, der_end, der, ccder_encode_uint64(SOSManifestDigestMessageType, der, ccder_encode_raw_octet_string(SOSDigestSize, CFDataGetBytePtr(message->senderDigest), der, der_end))); 
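Review bot: The added `secinfo` in der_encode_manifest_digest_message reports "encoded sender digest" before the `return` expression has encoded anything, so the line appears whether or not encoding succeeds; der_encode_manifest_message and der_encode_manifest_and_objects_message follow the same pattern. On the decode side (der_decode_message_header, der_decode_manifest_and_objects_message, der_decode_v0_message_body) each "decoded …" line follows its decode call without looking at the returned `der`, so a malformed message from a peer would still log a "decoded" value, probably `(null)`. Logs used for triage should separate success from failure, for example `if (der) secinfo("engine", "der_decode_message_header: decoded sender digest as %@", message->senderDigest);`, and the encode-side lines should read "encoding". In der_decode_v0_message_body the count and digest are also read from `message->additions` immediately after SOSManifestCreateWithData with no NULL check; whether SOSManifestGetCount tolerates NULL is not visible here.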
@@ -658,6 +663,7 @@ static size_t der_sizeof_manifest_message(SOSMessageRef message, CFErrorRef *err } static uint8_t *der_encode_manifest_message(SOSMessageRef message, CFErrorRef *error, const uint8_t *der, uint8_t *der_end) { + secinfo("engine", "der_encode_manifest_message: encoded message additions as (%zu, %@)", SOSManifestGetCount(message->additions), SOSManifestGetDigest(message->additions, NULL)); return ccder_encode_constructed_tl(CCDER_CONSTRUCTED_SEQUENCE, der_end, der, ccder_encode_uint64(SOSManifestMessageType, der, der_encode_implicit_data(CCDER_OCTET_STRING, SOSManifestGetData(message->additions), der, der_end))); @@ -680,6 +686,7 @@ static size_t der_sizeof_manifest_and_objects_message(SOSMessageRef message, CFE } static uint8_t *der_encode_manifest_and_objects_message(SOSMessageRef message, CFErrorRef *error, const uint8_t *der, uint8_t *der_end) { + secinfo("engine", "der_encode_manifest_and_objects_message: encoded base digest as %@", message->baseDigest); return ccder_encode_constructed_tl(CCDER_CONSTRUCTED_SEQUENCE, der_end, der, ccder_encode_uint64(SOSManifestDeltaAndObjectsMessageType, der, ccder_encode_constructed_tl(CCDER_CONSTRUCTED_SEQUENCE, der_end, der, @@ -996,8 +1003,14 @@ static const uint8_t *der_decode_message_header(SOSMessageRef message, CFErrorRe message->flags = flags[0]; der = der_decode_implicit_data(CCDER_OCTET_STRING, &message->senderDigest, der, der_end); + secinfo("engine", "der_decode_message_header: decoded sender digest as %@", message->senderDigest); + der = der_decode_optional_implicit_data(0 | CCDER_CONTEXT_SPECIFIC, &message->baseDigest, der, der_end); + secinfo("engine", "der_decode_message_header: decoded base digest as %@", message->baseDigest); + der = der_decode_optional_implicit_data(1 | CCDER_CONTEXT_SPECIFIC, &message->proposedDigest, der, der_end); + secinfo("engine", "der_decode_message_header: decoded proposed digest as %@", message->proposedDigest); + return der; } 
@@ -1013,6 +1026,8 @@ der_decode_manifest_and_objects_message(SOSMessageRef message, return NULL; } der = der_decode_implicit_data(CCDER_OCTET_STRING, &message->baseDigest, der, body_end); + secinfo("engine", "der_decode_manifest_and_objects_message: decoded base digest as %@", message->baseDigest); + der = der_decode_deltas_body(message, error, der, body_end); // Remember a pointer into message->der where objects starts. der = message->objectsDer = ccder_decode_tl(CCDER_CONSTRUCTED_SEQUENCE, &objects_len, der, body_end); @@ -1028,6 +1043,7 @@ static const uint8_t *der_decode_v0_message_body(SOSMessageRef message, CFErrorR case SOSManifestDigestMessageType: { der = der_decode_implicit_data(CCDER_OCTET_STRING, &message->senderDigest, der, der_end); + secinfo("engine", "der_decode_v0_message_body: received a DigestMessage with sender digest: %@", message->senderDigest); break; } case SOSManifestMessageType: @@ -1039,6 +1055,7 @@ static const uint8_t *der_decode_v0_message_body(SOSMessageRef message, CFErrorR secwarning("%td trailing bytes after deltas DER", der_end - der); } message->additions = SOSManifestCreateWithData(manifestBody, error); + secinfo("engine", "der_decode_v0_message_body: received a ManifestMessage with (%zu, %@)", SOSManifestGetCount(message->additions), SOSManifestGetDigest(message->additions, NULL)); CFReleaseSafe(manifestBody); break; } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeer.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeer.m index 0251c73e..8c01228d 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeer.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeer.m @@ -649,6 +649,7 @@ static void SOSPeerDestroy(CFTypeRef cf) { CFReleaseNull(peer->localManifests); CFReleaseNull(peer->otrTimers); CFReleaseNull(peer->limiter); + CFReleaseNull(peer->_keyBag); } bool SOSPeerDidConnect(SOSPeerRef peer) { 
@@ -846,7 +847,7 @@ bool SOSPeerTimerForPeerExist(SOSPeerRef peer){ return timer ? true : false; } void SOSPeerSetOTRTimer(SOSPeerRef peer, dispatch_source_t timer){ - NSMutableDictionary* timers = (__bridge NSMutableDictionary*)peer->otrTimers; + NSMutableDictionary* timers = (NSMutableDictionary*)CFBridgingRelease(peer->otrTimers); if(!timers) timers = [[NSMutableDictionary alloc]init]; diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerCoder.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerCoder.h index 20654ffd..302b117f 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerCoder.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerCoder.h 
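Review bot: `CFBridgingRelease(peer->otrTimers)` in SOSPeerSetOTRTimer hands the reference held by the struct to ARC while `peer->otrTimers` still holds the same pointer, and SOSPeerDestroy continues to call `CFReleaseNull(peer->otrTimers)`. That is balanced only if the rest of the function, which lies outside the hunk, stores a freshly retained reference back into the field on every path; otherwise the dictionary is over-released and the field dangles. Please document the ownership hand-off at the cast, e.g. `// takes over the +1 held by peer->otrTimers; it is stored back retained below`, so that a later early return cannot quietly turn this into a use-after-free.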
@@ -33,12 +33,10 @@ enum SOSCoderUnwrapStatus{ SOSCoderUnwrapHandled = 2 }; -bool SOSPeerCoderSendMessageIfNeeded(SOSAccount* account, SOSEngineRef engine, SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder, CFDataRef *message_to_send, CFStringRef peer_id, CFMutableArrayRef *attributeList, SOSEnginePeerMessageSentBlock *sent, CFErrorRef *error); +bool SOSPeerCoderSendMessageIfNeeded(SOSAccount* account, SOSEngineRef engine, SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder, CFDataRef *message_to_send, CFStringRef peer_id, CFMutableArrayRef *attributeList, SOSEnginePeerMessageSentCallback **sentCallback, CFErrorRef *error); enum SOSCoderUnwrapStatus SOSPeerHandleCoderMessage(SOSPeerRef peer, SOSCoderRef coder, CFStringRef peer_id, CFDataRef codedMessage, CFDataRef *decodedMessage, bool *forceSave, CFErrorRef *error); -bool SOSPeerSendMessageIfNeeded(SOSPeerRef peer, CFDataRef *message, CFDataRef *message_to_send, SOSCoderRef *coder, CFStringRef circle_id, CFStringRef peer_id, SOSEnginePeerMessageSentBlock *sent, CFErrorRef *error); - -void SOSPeerCoderConsume(SOSEnginePeerMessageSentBlock *sent, bool ok); +bool SOSPeerSendMessageIfNeeded(SOSPeerRef peer, CFDataRef *message, CFDataRef *message_to_send, SOSCoderRef *coder, CFStringRef circle_id, CFStringRef peer_id, SOSEnginePeerMessageSentCallback **sentCallback, CFErrorRef *error); #endif diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerCoder.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerCoder.m index 421f9262..863ec788 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerCoder.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerCoder.m 
@@ -40,11 +40,6 @@ #include #include "SOSInternal.h" -void SOSPeerCoderConsume(SOSEnginePeerMessageSentBlock *sent, bool ok) { - if (*sent) - (*sent)(ok); -} - enum SOSCoderUnwrapStatus SOSPeerHandleCoderMessage(SOSPeerRef peer, SOSCoderRef coder, CFStringRef peer_id, CFDataRef codedMessage, CFDataRef *decodedMessage, bool *forceSave, CFErrorRef *error) { enum SOSCoderUnwrapStatus result = SOSCoderUnwrapError; @@ -112,7 +107,7 @@ enum SOSCoderUnwrapStatus SOSPeerHandleCoderMessage(SOSPeerRef peer, SOSCoderRef xit: return result; } -bool SOSPeerCoderSendMessageIfNeeded(SOSAccount* account, SOSEngineRef engine, SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder, CFDataRef *message_to_send, CFStringRef peer_id, CFMutableArrayRef *attributeList, SOSEnginePeerMessageSentBlock *sent, CFErrorRef *error) { +bool SOSPeerCoderSendMessageIfNeeded(SOSAccount* account, SOSEngineRef engine, SOSTransactionRef txn, SOSPeerRef peer, SOSCoderRef coder, CFDataRef *message_to_send, CFStringRef peer_id, CFMutableArrayRef *attributeList, SOSEnginePeerMessageSentCallback **sentCallback, CFErrorRef *error) { bool ok = false; secnotice("transport", "coder state: %@", coder); require_action_quiet(coder, xit, secerror("%@ getCoder: %@", peer_id, error ? *error : NULL)); @@ -120,7 +115,7 @@ bool SOSPeerCoderSendMessageIfNeeded(SOSAccount* account, SOSEngineRef engine, S if (SOSCoderCanWrap(coder)) { secinfo("transport", "%@ Coder can wrap, getting message from engine", peer_id); CFMutableDataRef codedMessage = NULL; - CFDataRef message = SOSEngineCreateMessage_locked(engine, txn, peer, attributeList, error, sent); + CFDataRef message = SOSEngineCreateMessage_locked(engine, txn, peer, attributeList, error, sentCallback); if (!message) { secnotice("transport", "%@ SOSEngineCreateMessage_locked failed: %@", peer_id, *error); } else if (CFDataGetLength(message) || SOSPeerMustSendMessage(peer)) { 
@@ -143,10 +138,18 @@ bool SOSPeerCoderSendMessageIfNeeded(SOSAccount* account, SOSEngineRef engine, S *message_to_send = SOSCoderCopyPendingResponse(coder); SOSEngineSetCodersNeedSaving(engine, true); secinfo("transport", "%@ negotiating, %@", peer_id, (message_to_send && *message_to_send) ? CFSTR("sending negotiation message.") : CFSTR("waiting for negotiation message.")); - *sent = ^(bool wasSent){ - if (wasSent) - SOSCoderConsumeResponse(coder); - }; + + SOSEnginePeerMessageSentCallback* pmsc = malloc(sizeof(SOSEnginePeerMessageSentCallback)); + memset(pmsc, 0, sizeof(SOSEnginePeerMessageSentCallback)); + + pmsc->coder = CFRetainSafe(coder); + SOSEngineMessageCallbackSetCallback(pmsc, ^(bool wasSent){ + if (wasSent) { + SOSCoderConsumeResponse(pmsc->coder); + } + }); + + *sentCallback = pmsc; ok = true; } /*if coder state is in awaiting for message, then set a timer and restart if failure*/ diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfo.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfo.h index 6bb92ea0..c25d8eb3 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfo.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfo.h @@ -193,7 +193,7 @@ bool SOSPeerInfoIsRetirementTicket(SOSPeerInfoRef pi); bool SOSPeerInfoIsCloudIdentity(SOSPeerInfoRef pi); -SOSPeerInfoRef SOSPeerInfoUpgradeSignatures(CFAllocatorRef allocator, SecKeyRef privKey, SecKeyRef perKey, SOSPeerInfoRef peer, CFErrorRef *error); +CF_RETURNS_RETAINED SOSPeerInfoRef SOSPeerInfoUpgradeSignatures(CFAllocatorRef allocator, SecKeyRef privKey, SecKeyRef perKey, SOSPeerInfoRef peer, CFErrorRef *error); SOSViewResultCode SOSPeerInfoViewStatus(SOSPeerInfoRef pi, CFStringRef view, CFErrorRef *error); 
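Review bot: The result of `malloc(sizeof(SOSEnginePeerMessageSentCallback))` in the negotiation branch of SOSPeerCoderSendMessageIfNeeded goes straight into `memset` and is then dereferenced, with no NULL check. `SOSEnginePeerMessageSentCallback *pmsc = calloc(1, sizeof(*pmsc));` followed by `require_quiet(pmsc, xit);` would handle allocation failure and make the separate memset unnecessary. The hunk also does not show who frees `pmsc` and releases the retained `pmsc->coder`; because the block reads `pmsc->coder` when it runs, the struct must outlive the block's last invocation, and that contract deserves a comment at the allocation. The function continues outside the hunk.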
@@ -211,7 +211,7 @@ SOSPeerInfoRef SOSPeerInfoSetIDSPreference(CFAllocatorRef allocator, SOSPeerInfo CFBooleanRef SOSPeerInfoCopyIDSFragmentationPreference(SOSPeerInfoRef peer); CFBooleanRef SOSPeerInfoCopyIDSACKModelPreference(SOSPeerInfoRef peer); SOSPeerInfoRef SOSPeerInfoSetIDSFragmentationPreference(CFAllocatorRef allocator, SOSPeerInfoRef toCopy, CFBooleanRef preference, SecKeyRef signingKey, CFErrorRef *error); -SOSPeerInfoRef SOSPeerInfoSetIDSACKModelPreference(CFAllocatorRef allocator, SOSPeerInfoRef toCopy, CFBooleanRef preference, SecKeyRef signingKey, CFErrorRef *error); +SOSPeerInfoRef CF_RETURNS_RETAINED SOSPeerInfoSetIDSACKModelPreference(CFAllocatorRef allocator, SOSPeerInfoRef toCopy, CFBooleanRef preference, SecKeyRef signingKey, CFErrorRef *error); CFStringRef SOSPeerInfoCopyTransportType(SOSPeerInfoRef peer); bool SOSPeerInfoTransportTypeIs(SOSPeerInfoRef pi, CFStringRef transportType); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfo.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfo.m index b1b72e75..8a2dbf3a 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfo.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfo.m @@ -311,11 +311,8 @@ static SOSPeerInfoRef SOSPeerInfoCreate_Internal(CFAllocatorRef allocator, description_modifier(pi->description); - pi->peerID = SOSCopyIDOfKey(publicKey, error); - CFReleaseNull(publicKey); - require_quiet(pi->peerID, exit); // ================ V2 Additions Start @@ -343,6 +340,7 @@ static SOSPeerInfoRef SOSPeerInfoCreate_Internal(CFAllocatorRef allocator, exit: CFReleaseNull(versionNumber); + CFReleaseNull(publicKey); CFReleaseNull(publicBytes); CFReleaseNull(octagonPeerSigningPublicBytes); CFReleaseNull(octagonPeerEncryptionPublicBytes); 
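Review bot: In SOSPeerInfo.h only SOSPeerInfoSetIDSACKModelPreference gains `CF_RETURNS_RETAINED`; the declaration of SOSPeerInfoSetIDSFragmentationPreference just above it stays unannotated, although the SOSPeerInfo.m part of this commit annotates both definitions. Callers that see only the header get no ownership information for the Fragmentation variant, and because a "Set" name does not fall under the Copy/Create naming rule the static analyzer has nothing to go on for leak or over-release checks at those call sites. Suggest `SOSPeerInfoRef CF_RETURNS_RETAINED SOSPeerInfoSetIDSFragmentationPreference(...)` in the header too, and a single placement for the attribute, since the SOSPeerInfoUpgradeSignatures declaration in the same header puts it before the return type.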
@@ -797,16 +795,28 @@ bool SOSPeerInfoUpdateDigestWithDescription(SOSPeerInfoRef peer, const struct cc ccdigest_ctx_t ctx, CFErrorRef *error) { if(SOSPeerInfoVersionHasV2Data(peer)) SOSPeerInfoPackV2Data(peer); size_t description_size = der_sizeof_plist(peer->description, error); - uint8_t data_begin[description_size]; - uint8_t *data_end = data_begin + description_size; - uint8_t *encoded = der_encode_plist(peer->description, error, data_begin, data_end); + if (description_size == 0) { + SOSCreateErrorWithFormat(kSOSErrorEncodeFailure, NULL, error, NULL, CFSTR("Description length failed")); + return false; + } + + uint8_t * data = malloc(description_size); + if (data == NULL) { + SOSCreateErrorWithFormat(kSOSErrorEncodeFailure, NULL, error, NULL, CFSTR("Description alloc failed")); + return false; + } + uint8_t *data_end = data + description_size; + uint8_t *encoded = der_encode_plist(peer->description, error, data, data_end); if(!encoded) { + free(data); SOSCreateErrorWithFormat(kSOSErrorEncodeFailure, NULL, error, NULL, CFSTR("Description encode failed")); return false; } - ccdigest_update(di, ctx, description_size, data_begin); + ccdigest_update(di, ctx, description_size, data); + + free(data); return true; } @@ -1025,7 +1035,7 @@ CFBooleanRef SOSPeerInfoCopyIDSACKModelPreference(SOSPeerInfoRef peer){ return (preference ? preference : CFRetain(kCFBooleanFalse)); } -SOSPeerInfoRef SOSPeerInfoSetIDSFragmentationPreference(CFAllocatorRef allocator, SOSPeerInfoRef toCopy, CFBooleanRef preference, SecKeyRef signingKey, CFErrorRef *error){ +SOSPeerInfoRef CF_RETURNS_RETAINED SOSPeerInfoSetIDSFragmentationPreference(CFAllocatorRef allocator, SOSPeerInfoRef toCopy, CFBooleanRef preference, SecKeyRef signingKey, CFErrorRef *error){ return SOSPeerInfoCopyWithModification(allocator, toCopy, signingKey, error, ^bool(SOSPeerInfoRef peerToModify, CFErrorRef *error) { SOSPeerInfoV2DictionarySetValue(peerToModify, sPreferIDSFragmentation, preference); 
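Review bot: SOSPeerInfoUpdateDigestWithDescription still hashes `description_size` bytes starting at `data`, whereas the bytes actually written are, going by the `der`/`der_end` calling convention, the ones from the returned `encoded` pointer up to `data_end`. If der_encode_plist ever emits fewer bytes than der_sizeof_plist predicted, the front of the buffer is now uninitialised heap memory and is fed into the digest. Either reject the mismatch, `if (encoded != data) { free(data); /* set kSOSErrorEncodeFailure */ return false; }`, or hash exactly what was written, `ccdigest_update(di, ctx, (size_t)(data_end - encoded), encoded);`. The first form keeps the digest input unchanged for well-formed descriptions.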
@@ -1033,7 +1043,7 @@ SOSPeerInfoRef SOSPeerInfoSetIDSFragmentationPreference(CFAllocatorRef allocator }); } -SOSPeerInfoRef SOSPeerInfoSetIDSACKModelPreference(CFAllocatorRef allocator, SOSPeerInfoRef toCopy, CFBooleanRef preference, SecKeyRef signingKey, CFErrorRef *error){ +SOSPeerInfoRef CF_RETURNS_RETAINED SOSPeerInfoSetIDSACKModelPreference(CFAllocatorRef allocator, SOSPeerInfoRef toCopy, CFBooleanRef preference, SecKeyRef signingKey, CFErrorRef *error){ return SOSPeerInfoCopyWithModification(allocator, toCopy, signingKey, error, ^bool(SOSPeerInfoRef peerToModify, CFErrorRef *error) { SOSPeerInfoV2DictionarySetValue(peerToModify, sPreferIDSACKModel, preference); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoPriv.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoPriv.h index c5cb8390..28b34561 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoPriv.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoPriv.h @@ -27,7 +27,7 @@ struct __OpaqueSOSPeerInfo { CFMutableDictionaryRef v2Dictionary; }; -SOSPeerInfoRef SOSPeerInfoAllocate(CFAllocatorRef allocator); +CF_RETURNS_RETAINED SOSPeerInfoRef SOSPeerInfoAllocate(CFAllocatorRef allocator); bool SOSPeerInfoSign(SecKeyRef privKey, SOSPeerInfoRef peer, CFErrorRef *error); bool SOSPeerInfoVerify(SOSPeerInfoRef peer, CFErrorRef *error); void SOSPeerInfoSetVersionNumber(SOSPeerInfoRef pi, int version); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoV2.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoV2.m index 4dd77fdc..dbdf0934 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoV2.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoV2.m @@ -110,7 +110,6 @@ static CFDataRef SOSPeerInfoGetV2Data(SOSPeerInfoRef pi) { } static CFMutableDictionaryRef SOSCreateDictionaryFromDER(CFDataRef v2Data, CFErrorRef *error) { - CFMutableDictionaryRef retval = NULL; CFPropertyListRef pl = NULL; if(!v2Data) { 
@@ -137,26 +136,33 @@ static CFMutableDictionaryRef SOSCreateDictionaryFromDER(CFDataRef v2Data, CFErr CFStringRef description = CFCopyTypeIDDescription(CFGetTypeID(pl)); SOSCreateErrorWithFormat(kSOSErrorUnexpectedType, NULL, error, NULL, CFSTR("Expected dictionary got %@"), description); - CFReleaseSafe(description); - CFReleaseSafe(pl); + CFReleaseNull(description); + CFReleaseNull(pl); goto fail; } - retval = (CFMutableDictionaryRef) pl; - return retval; - + return (CFMutableDictionaryRef) pl; + fail: - CFReleaseNull(retval); + CFReleaseNull(pl); return NULL; } static CFDataRef SOSCreateDERFromDictionary(CFDictionaryRef di, CFErrorRef *error) { size_t size = der_sizeof_plist(di, error); - if (size == 0) return NULL; - uint8_t der[size]; - der_encode_plist(di, error, der, der+size); - return CFDataCreate(kCFAllocatorDefault, der, size); + if (size == 0) { + return NULL; + } + uint8_t *der = malloc(size); + if (der == NULL) { + return NULL; + } + if (der_encode_plist(di, error, der, der+size) == NULL) { + free(der); + return NULL; + } + return CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, der, size, kCFAllocatorMalloc); } @@ -173,7 +179,7 @@ bool SOSPeerInfoUpdateToV2(SOSPeerInfoRef pi, CFErrorRef *error) { CFDictionaryAddValue(v2Dictionary, sSecurityPropertiesKey, secproperties); CFDictionaryAddValue(v2Dictionary, sDeviceID, CFSTR("")); - CFDictionaryAddValue(v2Dictionary, sTransportType, SOSTransportMessageTypeIDSV2); + CFDictionaryAddValue(v2Dictionary, sTransportType, SOSTransportMessageTypeKVS); CFDictionaryAddValue(v2Dictionary, sPreferIDS, kCFBooleanFalse); CFDictionaryAddValue(v2Dictionary, sPreferIDSFragmentation, kCFBooleanTrue); CFDictionaryAddValue(v2Dictionary, sPreferIDSACKModel, kCFBooleanTrue); @@ -188,6 +194,7 @@ out: CFReleaseNull(views); CFReleaseNull(v2data); CFReleaseNull(v2Dictionary); + CFReleaseNull(secproperties); return retval; } 
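Review bot: In SOSCreateDERFromDictionary the new `malloc` failure path returns NULL without filling `error`, unlike the matching path this commit adds to SOSPeerInfoUpdateDigestWithDescription, so a caller cannot tell an allocation failure from the other NULL returns. Adding `SOSCreateErrorWithFormat(kSOSErrorEncodeFailure, NULL, error, NULL, CFSTR("DER alloc failed"));` before that return would make the two consistent. `CFDataCreateWithBytesNoCopy` should also be checked: as far as I know the `kCFAllocatorMalloc` deallocator runs only when the created CFData is destroyed, so if creation fails `der` is leaked unless it is freed here. Finally, the result of der_encode_plist is compared with NULL only, and it is never verified that the encoding starts at `der`, which the CFData assumes.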
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerOTRTimer.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerOTRTimer.h index 8dc9a775..df65540c 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerOTRTimer.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerOTRTimer.h @@ -9,9 +9,6 @@ void SOSPeerOTRTimerFired(SOSAccount* account, SOSPeerRef peer, SOSEngineRef eng int SOSPeerOTRTimerTimeoutValue(SOSAccount* account, SOSPeerRef peer); void SOSPeerOTRTimerSetupAwaitingTimer(SOSAccount* account, SOSPeerRef peer, SOSEngineRef engine, SOSCoderRef coder); -//KVS global config -void SOSPeerOTRTimerCreateKVSConfigDict(SOSAccount* account, CFNumberRef timeout, CFStringRef peerid); - //functions to handle max retry counter void SOSPeerOTRTimerIncreaseOTRNegotiationRetryCount(SOSAccount* account, NSString* peerid); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerOTRTimer.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerOTRTimer.m index 0cbb885b..03ca8a6c 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerOTRTimer.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerOTRTimer.m @@ -25,10 +25,6 @@ //AGGD NSString* const SecSOSAggdMaxRenegotiation = @"com.apple.security.sos.otrrenegotiationmaxretries"; - -static const CFStringRef OTRTimeoutsPerPeer = CFSTR("OTRTimeoutsPerPeer"); -static const CFStringRef OTRConfigVersion = CFSTR("OTRConfigVersion"); - __unused static int initialOTRTimeoutValue = 60; //best round trip time in KVS plus extra for good measure static int maxRetryCount = 7; //max number of times to attempt restarting OTR negotiation 
@@ -118,240 +114,21 @@ void SOSPeerOTRTimerIncreaseOTRNegotiationRetryCount(SOSAccount* account, NSStri SOSAccountSetValue(account, kSOSAccountRenegotiationRetryCount, (__bridge CFMutableDictionaryRef)attemptsPerPeer, NULL); } -static CFNumberRef SOSPeerOTRTimerCopyConfigVersion(SOSAccount* account) -{ - uint64_t v = 0; - CFNumberRef versionFromAccount = NULL; - CFNumberRef version = (CFNumberRef)SOSAccountGetValue(account, OTRConfigVersion, NULL); - - if(!version){ - versionFromAccount = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt64Type, &v); - SOSAccountSetValue(account, OTRConfigVersion, versionFromAccount, NULL); - } - else{ - versionFromAccount = CFRetainSafe(version); - } - return versionFromAccount; -} - -void SOSPeerOTRTimerCreateKVSConfigDict(SOSAccount* account, CFNumberRef timeout, CFStringRef peerid) -{ - CFMutableDictionaryRef peerToTimeout = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); - CFDictionaryAddValue(peerToTimeout, peerid, timeout); - - CFNumberRef versionFromAccount = SOSPeerOTRTimerCopyConfigVersion(account); - - CFMutableDictionaryRef peerTimeOutsAndVersion = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); - CFDictionaryAddValue(peerTimeOutsAndVersion, OTRTimeoutsPerPeer, peerToTimeout); - CFDictionaryAddValue(peerTimeOutsAndVersion, OTRConfigVersion, versionFromAccount); - - CFMutableDictionaryRef myPeerChanges = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); - CFStringRef myPeerID = (__bridge CFStringRef) account.peerID; - CFDictionaryAddValue(myPeerChanges, myPeerID, peerTimeOutsAndVersion); - - CFMutableDictionaryRef otrConfig = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); - CFDictionaryAddValue(otrConfig, kSOSKVSOTRConfigVersion, myPeerChanges); - - SOSCloudKeychainPutObjectsInCloud(otrConfig, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(CFDictionaryRef returnedValues __unused, CFErrorRef block_error) { - if (block_error) { - secerror("Error putting: %@", 
block_error); - } - }); - secnotice("kvsconfig", "submitting config to KVS: %@", otrConfig); - CFReleaseNull(myPeerChanges); - CFReleaseNull(peerToTimeout); - CFReleaseNull(versionFromAccount); - CFReleaseNull(otrConfig); -} - -//grab existing key from KVS -__unused __unused static CFDictionaryRef SOSPeerOTRTimerCopyConfigFromKVS() -{ - CFErrorRef error = NULL; - __block CFTypeRef object = NULL; - - dispatch_semaphore_t waitSemaphore = dispatch_semaphore_create(0); - const uint64_t maxTimeToWaitInSeconds = 5ull * NSEC_PER_SEC; - - dispatch_time_t finishTime = dispatch_time(DISPATCH_TIME_NOW, maxTimeToWaitInSeconds); - - SOSCloudKeychainGetAllObjectsFromCloud(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^(CFDictionaryRef returnedValues, CFErrorRef block_error) { - secnotice("otrtimer", "SOSCloudKeychainGetObjectsFromCloud returned: %@", returnedValues); - object = returnedValues; - if (object) - CFRetain(object); - if (error) - { - secerror("SOSCloudKeychainGetObjectsFromCloud returned error: %@", error); - } - secnotice("otrtimer", "SOSCloudKeychainGetObjectsFromCloud block exit: %@", object); - dispatch_semaphore_signal(waitSemaphore); - }); - - dispatch_semaphore_wait(waitSemaphore, finishTime); - if (object && (CFGetTypeID(object) == CFNullGetTypeID())) // return a NULL instead of a CFNull - { - CFRelease(object); - object = NULL; - return NULL; - } - if(isDictionary(object)) - { - return CFRetainSafe((CFDictionaryRef)object); - } - return NULL; -} - -__unused static bool SOSPeerOTRTimerShouldWriteConfig(CFDictionaryRef config, CFStringRef myID, CFStringRef peerid, CFNumberRef currentConfigVersion, CFNumberRef localTimeout) -{ - bool result = true; - secnotice("otrtimer", "grabbed config from KVS: %@", config); - CFDictionaryRef myPeerConfigSettings = NULL; - CFNumberRef versionFromKVS = NULL; - CFDictionaryRef peerToTimeouts = NULL; - CFNumberRef timeoutInKVS = NULL; - CFDictionaryRef otrConfig = NULL; - - 
require_action_quiet(currentConfigVersion, fail, secnotice("otrtimer","current config version is null")); - require_action_quiet(localTimeout, fail, secnotice("otrtimer", "local timeout is null")); - - otrConfig = CFDictionaryGetValue(config, kSOSKVSOTRConfigVersion); - require_action_quiet(otrConfig, fail, secnotice("otrtimer","otr config does not exist")); - - myPeerConfigSettings = CFDictionaryGetValue(otrConfig, myID); - require_action_quiet(myPeerConfigSettings, fail, secnotice("otrtimer","my peer config settings dictionary is null")); - - versionFromKVS = CFDictionaryGetValue(myPeerConfigSettings, OTRConfigVersion); - require_action_quiet(versionFromKVS, fail, secnotice("otrtimer", "version from KVS is null")); - - peerToTimeouts = CFDictionaryGetValue(myPeerConfigSettings, OTRTimeoutsPerPeer); - require_action_quiet(peerToTimeouts, fail, secnotice("otrtimer", "dictionary of peerids and timeout values is null")); - - timeoutInKVS = CFDictionaryGetValue(peerToTimeouts, peerid); - require_action_quiet(timeoutInKVS, fail, secnotice("otrtimer", "timeout value from kvs is null")); - - if(kCFCompareEqualTo == CFNumberCompare(currentConfigVersion, versionFromKVS, NULL) && - (CFNumberCompare(timeoutInKVS, localTimeout, NULL) == kCFCompareEqualTo)){ - secnotice("otrtimer", "versions match, can write new config"); - }else if(CFNumberCompare(versionFromKVS, currentConfigVersion, NULL) == kCFCompareGreaterThan){ - result = false; - secnotice("otrtimer", "versions do not match, cannot write a new config"); - }else{ - secnotice("otrtimer", "config versions match, going to write current configuration of peerids to timeouts to KVS"); - } - -fail: - return result; - -} - -__unused static CFNumberRef SOSPeerOTRTimerCopyOTRConfigVersionFromAccount(SOSAccount* account) -{ - CFNumberRef version = SOSAccountGetValue(account, OTRConfigVersion, NULL); - if(!version){ - uint64_t v = 0; - version = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt64Type, &v); - 
SOSAccountSetValue(account, OTRConfigVersion, version, NULL); - }else{ - return CFRetainSafe(version); - } - - return version; -} - -__unused static bool SOSPeerOTRTimerShouldUseTimeoutValueFromKVS(CFDictionaryRef otrConfigFromKVS, CFStringRef myID, CFNumberRef localConfigVersion){ - bool shouldUseTimeoutFromKVS = false; - CFDictionaryRef otrConfig = NULL; - CFDictionaryRef myPeerConfigSettings = NULL; - CFNumberRef versionFromKVS = NULL; - - require_action_quiet(otrConfigFromKVS, xit, secnotice("otrtimer", "configuration file from kvs does not exist")); - - otrConfig = CFDictionaryGetValue(otrConfigFromKVS, kSOSKVSOTRConfigVersion); - require_action_quiet(otrConfig, xit, secnotice("otrtimer", "configuration file from kvs does not exist")); - - myPeerConfigSettings = CFDictionaryGetValue(otrConfig, myID); - require_action_quiet(myPeerConfigSettings, xit, secnotice("otrtimer", "configuration file from kvs does not exist")); - - versionFromKVS = CFDictionaryGetValue(myPeerConfigSettings, OTRConfigVersion); - require_action_quiet(versionFromKVS && (CFGetTypeID(versionFromKVS) != CFNullGetTypeID()), xit, secnotice("otrtimer", "configuration file from kvs does not exist")); - - if(CFNumberCompare(versionFromKVS, localConfigVersion, NULL) == kCFCompareGreaterThan){ - secnotice("otrtimer", "should use timeout from kvs"); - shouldUseTimeoutFromKVS = true; - } - -xit: - return shouldUseTimeoutFromKVS; -} - -__unused static CFNumberRef SOSPeerOTRTimerTimeoutFromKVS(CFDictionaryRef otrConfigFromKVS, CFStringRef myID, CFStringRef peerID) -{ - CFNumberRef timeout = NULL; - CFDictionaryRef otrConfig = NULL; - CFDictionaryRef myPeerConfigSettings = NULL; - CFDictionaryRef peerToTimeoutDictionary = NULL; - - require_action_quiet(otrConfigFromKVS, xit, secnotice("otrtimer", "configuration file from kvs does not exist")); - - otrConfig = CFDictionaryGetValue(otrConfigFromKVS, kSOSKVSOTRConfigVersion); - require_action_quiet(otrConfig, xit, secnotice("otrtimer", "configuration file 
from kvs does not exist")); - - myPeerConfigSettings = CFDictionaryGetValue(otrConfig, myID); - require_action_quiet(myPeerConfigSettings, xit, secnotice("otrtimer", "configuration file from kvs does not exist")); - - peerToTimeoutDictionary = CFDictionaryGetValue(myPeerConfigSettings, OTRTimeoutsPerPeer); - require_action_quiet(peerToTimeoutDictionary, xit, secnotice("otrtimer", "configuration file from kvs does not exist")); - - timeout = CFDictionaryGetValue(peerToTimeoutDictionary, peerID); -xit: - return timeout; -} - int SOSPeerOTRTimerTimeoutValue(SOSAccount* account, SOSPeerRef peer) { CFErrorRef error = NULL; - //bool shouldWriteConfig = true; - //bool shouldUseTimeoutFromKVS = false; int timeoutIntValue = 0; - - //CFDictionaryRef configFromKVS = SOSPeerOTRTimerCopyConfigFromKVS(); - - //CFNumberRef configVersion = SOSPeerOTRTimerCopyOTRConfigVersionFromAccount(account); - //shouldUseTimeoutFromKVS = SOSPeerOTRTimerShouldUseTimeoutValueFromKVS(configFromKVS, (__bridge CFStringRef)account.peerID,configVersion); - //CFReleaseNull(configVersion); - - //if(shouldUseTimeoutFromKVS){ - // secnotice("otrtimer", "using timeout from kvs"); - //CFNumberRef timeoutFromKVS = SOSPeerOTRTimerTimeoutFromKVS(configFromKVS, (__bridge CFStringRef)account.peerID, //SOSPeerGetID(peer)); - //CFReleaseNull(configFromKVS); - //return [(__bridge NSNumber*)timeoutFromKVS intValue]; - // } - + CFMutableDictionaryRef timeouts = (CFMutableDictionaryRef)asDictionary(SOSAccountGetValue(account, kSOSAccountPeerNegotiationTimeouts, &error), NULL); require_action_quiet(timeouts, xit, secnotice("otrtimer","deadline value not available yet")); - + CFNumberRef timeout = CFDictionaryGetValue(timeouts, SOSPeerGetID(peer)); require_action_quiet(timeout, xit, secnotice("otrtimer","deadline value not available yet")); - + secnotice("otrtimer", "decided to wait %d before restarting negotiation", [(__bridge NSNumber*)timeout intValue]); timeoutIntValue = [(__bridge NSNumber*)timeout intValue]; - - 
//CFNumberRef localConfigVersion = SOSPeerOTRTimerCopyOTRConfigVersionFromAccount(account); - /* - if(localConfigVersion){ - shouldWriteConfig = SOSPeerOTRTimerShouldWriteConfig(configFromKVS, (__bridge CFStringRef)account.peerID, SOSPeerGetID(peer), localConfigVersion, timeout); - } - - if(shouldWriteConfig) - SOSPeerOTRTimerCreateKVSConfigDict(account, timeout, SOSPeerGetID(peer)); - */ - + xit: - // CFReleaseNull(configVersion); - //CFReleaseNull(localConfigVersion); - //CFReleaseNull(configFromKVS); - return timeoutIntValue; } @@ -360,7 +137,7 @@ void SOSPeerOTRTimerSetupAwaitingTimer(SOSAccount* account, SOSPeerRef peer, SOS //check which timeout value to use int timeoutValue = SOSPeerOTRTimerTimeoutValue(account, peer); CFStringRef peerid = CFRetainSafe(SOSPeerGetID(peer)); - + secnotice("otrtimer", "setting timer for peer: %@", peer); __block dispatch_source_t timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, dispatch_get_main_queue()); dispatch_source_set_timer(timer, dispatch_time(DISPATCH_TIME_NOW, timeoutValue * NSEC_PER_SEC), DISPATCH_TIME_FOREVER, 0); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerRateLimiter.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerRateLimiter.m index 22f4bba7..c67b3fd3 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerRateLimiter.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerRateLimiter.m @@ -54,7 +54,7 @@ property\ accessGroup\ capacity\ - 20\ + 50\ rate\ 900\ badness\ diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSPiggyback.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSPiggyback.m index 23377ed9..237a5224 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSPiggyback.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSPiggyback.m @@ -392,9 +392,9 @@ SOSPiggyBackBlobCreateFromDER(SOSGenCountRef *retGencount, errOut: if(!res) { CFReleaseNull(gencount); - CFReleaseNull(publicBytes); CFReleaseNull(signature); } + CFReleaseNull(publicBytes); return res; } 
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSRecoveryKeyBag.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSRecoveryKeyBag.m index 6883a312..e0ceca74 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSRecoveryKeyBag.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSRecoveryKeyBag.m @@ -171,6 +171,8 @@ SOSRecoveryKeyBagRef SOSRecoveryKeyBagCreateForAccount(CFAllocatorRef allocator, require_action_quiet(account, errOut, SOSCreateError(kSOSErrorEncodeFailure, CFSTR("Null Account Object"), NULL, error)); CFStringRef dsid = NULL; dsid = asString(SOSAccountGetValue((__bridge SOSAccount*)account, kSOSDSIDKey, NULL), error); + require_action_quiet(dsid, errOut, SOSCreateError(kSOSErrorEncodeFailure, CFSTR("Couldn't get dsid for recovery keybag components"), NULL, error)); + gencount = SOSGenerationCreate(); require_action_quiet(pubData && dsid && gencount, errOut, SOSCreateError(kSOSErrorEncodeFailure, CFSTR("Couldn't get recovery keybag components"), NULL, error)); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSRingBasic.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSRingBasic.m index 673eddae..e92abdf9 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSRingBasic.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSRingBasic.m @@ -67,8 +67,8 @@ bool SOSRingApply_Basic(SOSRingRef ring, SecKeyRef user_pubkey, SOSFullPeerInfoR SOSRingAddPeerID(ring, myPeerID) && SOSRingSetLastModifier(ring, myPeerID) && SOSRingGenerationSign_Internal(ring, priv, error); - CFReleaseNull(priv); errOut: + CFReleaseNull(priv); return retval; } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSRingUtils.c b/OSX/sec/SOSCircle/SecureObjectSync/SOSRingUtils.c index 8483a72f..a83f8c47 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSRingUtils.c +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSRingUtils.c 
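Review bot: In `SOSRecoveryKeyBagCreateForAccount`, the added `require_action_quiet(dsid, …)` means the `dsid` term in the following `require_action_quiet(pubData && dsid && gencount, …)` can no longer be the failing operand, so that line can shrink to `require_action_quiet(pubData && gencount, errOut, …)`. `asString(…, error)` is already handed `error`, so when the stored value is not a string the new `SOSCreateError` call may run with `*error` already set. Whether that chains, replaces or leaks the earlier error depends on helpers outside this hunk and is worth confirming. The function body starts and ends outside the hunk.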
@@ -219,14 +219,6 @@ bool SOSRingIsSame(SOSRingRef ring1, SOSRingRef ring2) { require_action_quiet(name1 && name2, errOut, secnotice("ring", "Cannot get both names to consider rings the same")); if(CFEqualSafe(name1, name2) != true) return false; -#if 0 - // Not considering this for now - upgraded version can still be the "same ring". - uint32_t version1 = SOSRingGetVersion(ring1); - uint32_t version2 = SOSRingGetVersion(ring2); - require_action_quiet(version1 && version2, errOut, secnotice("ring", "Cannot get both versions to consider rings the same")); - if(version1 != version2) return false; -#endif - uint32_t type1 = SOSRingGetType(ring1); uint32_t type2 = SOSRingGetVersion(ring2); require_action_quiet(type1 && type2, errOut, secnotice("ring", "Cannot get both types to consider rings the same")); @@ -579,12 +571,6 @@ bool SOSRingResetToEmpty_Internal(SOSRingRef ring, CFErrorRef *error) { // MARK: PeerIDs in Ring -#if 0 -static inline bool isHiddenPeer(SOSPeerInfoRef peer) { - return SOSPeerInfoIsRetirementTicket(peer) || SOSPeerInfoIsCloudIdentity(peer); -} -#endif - int SOSRingCountPeers(SOSRingRef ring) { SOSRingAssertStable(ring); return (int) CFSetGetCount(SOSRingGetPeerIDs(ring)); @@ -618,10 +604,17 @@ static CFDataRef SOSRingCreateHash(const struct ccdigest_info *di, SOSRingRef ri if(dersize == 0) { return false; } - uint8_t der[dersize]; - der_encode_plist(ring->signedInformation, error, der, der+dersize); + uint8_t *der = malloc(dersize); + if (der == NULL) { + return false; + } + if (der_encode_plist(ring->signedInformation, error, der, der+dersize) == NULL) { + free(der); + return false; + } ccdigest(di, dersize, der, hash_result); + free(der); return CFDataCreate(NULL, hash_result, di->output_size); } 
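Review bot: In `SOSRingIsSame`, the context line `uint32_t type2 = SOSRingGetVersion(ring2);` reads the version of `ring2` while `type1` comes from `SOSRingGetType(ring1)`, so the type check that follows works on unlike quantities. This commit deletes the disabled version comparison just above but leaves that line as it is. It looks like it should read `uint32_t type2 = SOSRingGetType(ring2);`. The comparison of the two values lies below the hunk, so the effect on the result should be confirmed there.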
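Review bot: Both new failure paths in `SOSRingCreateHash` use `return false;` although the function returns `CFDataRef`. That compiles because `false` converts to a null pointer, but `return NULL;` states the intent and matches the return type; the existing `dersize == 0` branch has the same wording. The `malloc` failure path also returns without filling `error`, so a caller that inspects `error` (callers are not visible here) cannot tell allocation failure from an encoding failure. The function starts outside the hunk.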
@@ -828,117 +821,6 @@ static CFStringRef SOSRingCopyFormatDescription(CFTypeRef aObj, CFDictionaryRef return description; } -// -// Peer Retirement -// - #define SIGLEN 128 -#if 0 -static CFDataRef sosSignHash(SecKeyRef privkey, const struct ccdigest_info *di, uint8_t *hbuf) { - OSStatus stat; - size_t siglen = SIGLEN; - uint8_t sig[siglen]; - if((stat = SecKeyRawSign(privkey, kSecPaddingNone, hbuf, di->output_size, sig, &siglen)) != 0) { - return NULL; - } - return CFDataCreate(NULL, sig, (CFIndex)siglen); -} -#endif -#if 0 -static void WithBufferSpace(size_t space, void (^action)(uint8_t *buffer, size_t length)) { - if (space == 0) { - action(NULL, space); - } else if (space <= 2048) { - uint8_t buffer[space]; - action(buffer, space); - } else { - uint8_t* buffer = malloc(space); - - action(buffer, space); - - free(buffer); - } -} - -static CFDataRef CFDictionaryHashCreate(CFDictionaryRef dict, CFErrorRef *error) { - - __block CFDataRef result = NULL; - - require_quiet(dict, errOut); - - WithBufferSpace(der_sizeof_dictionary(dict, error), ^(uint8_t *der, size_t len) { - if (len > 0) { - const struct ccdigest_info *di = ccsha256_di(); - uint8_t hash_result[di->output_size]; - der_encode_dictionary(dict, error, der, der+len); - - ccdigest(di, len, der, hash_result); - result = CFDataCreate(ALLOCATOR, hash_result, di->output_size); - } - }); -errOut: - return NULL; -} -#endif -/* - CFDictionary: - signatures: CFDictionary of key = hash(pubkey), value = signature(privkey, (DER(payload)) - payload: CFDictionary passed in - - - */ -#if 0 -static CFStringRef sPayload = CFSTR("payload"); -static CFStringRef sSignature = CFSTR("signature"); - -static bool SOSCFSignedDictionarySetSignature(SecKeyRef priv, CFDictionaryRef sd, CFErrorRef *error) { - CFDictionaryRef payload = CFDictionaryGetValue(sd, sPayload); - CFMutableDictionaryRef signatures = (CFMutableDictionaryRef) CFDictionaryGetValue(sd, sSignature); - CFDataRef hash = CFDictionaryHashCreate(payload, error); - 
CFDataRef signature = SOSHashSign(priv, hash, error); - CFReleaseNull(hash); - CFStringRef pubhash = SOSCopyIDOfKey(priv, error); - require_quiet(signature && pubhash, errOut); - CFDictionaryAddValue(signatures, pubhash, signature); - return true; -errOut: - return false; -} -#endif -#if 0 -static CFDictionaryRef SOSCFSignedDictionaryCreate(SecKeyRef priv, CFDictionaryRef payload, CFErrorRef *error) { - CFMutableDictionaryRef signatures = CFDictionaryCreateMutableForCFTypes(ALLOCATOR); - CFMutableDictionaryRef retval = CFDictionaryCreateMutableForCFTypes(ALLOCATOR); - require_quiet(signatures && retval, errOut); - - CFDictionaryAddValue(retval, sSignature, signatures); - CFDictionaryAddValue(retval, sPayload, payload); - SOSCFSignedDictionarySetSignature(priv, retval, error); - return retval; -errOut: - CFReleaseNull(signatures); - CFReleaseNull(retval); - return NULL; -} -#endif - -#if 0 -CFDictionaryRef SOSRingCreateRetirementTicket(SOSFullPeerInfoRef fpi, CFErrorRef *error) { - CFDictionaryRef retval = NULL; - CFStringRef myPeerID = SOSPeerInfoGetPeerID(SOSFullPeerInfoGetPeerInfo(fpi)); - SecKeyRef priv = SOSFullPeerInfoCopyDeviceKey(fpi, error); - CFDataRef resignationDate = SOSDateCreate(); - GENCOUNT!!! - - CFDataRef sig = SOSDERAndSignStuff(priv, keys, values, 2, error); - retval = CFDictionaryCreate(ALLOCATOR, <#const void **keys#>, <#const void **values#>, <#CFIndex numValues#>, <#const CFDictionaryKeyCallBacks *keyCallBacks#>, <#const CFDictionaryValueCallBacks *valueCallBacks#>) - return pi; - -exit_stage_right: - CFReleaseNull(priv); - CFReleaseNull(resignationDate); - return retval; -} -#endif diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSRingUtils.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSRingUtils.h index 0b97e463..2354ed50 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSRingUtils.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSRingUtils.h 
@@ -56,7 +56,7 @@ extern CFStringRef sGenerationKey; extern CFStringRef sPeerIDsKey; extern CFStringRef sRingVersionKey; -SOSRingRef SOSRingAllocate(void); +CF_RETURNS_RETAINED SOSRingRef SOSRingAllocate(void); SOSRingRef SOSRingCreate_Internal(CFStringRef name, SOSRingType type, CFErrorRef *error); SOSRingRef SOSRingCopyRing(SOSRingRef original, CFErrorRef *error); diff --git a/keychain/trust/TrustedPeers/TPTypes.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSSysdiagnose.h similarity index 86% rename from keychain/trust/TrustedPeers/TPTypes.h rename to OSX/sec/SOSCircle/SecureObjectSync/SOSSysdiagnose.h index 14893c59..031a4606 100644 --- a/keychain/trust/TrustedPeers/TPTypes.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSSysdiagnose.h @@ -21,10 +21,9 @@ * @APPLE_LICENSE_HEADER_END@ */ -typedef unsigned long long TPCounter; +#ifndef SOSSysdiagnose_h +#define SOSSysdiagnose_h -typedef NS_ENUM(NSInteger, TPResult) { - TPResultOk, - TPResultSignatureMismatch, - TPResultClockViolation, -}; +char *SOSCCSysdiagnose(const char *directoryname); + +#endif /* SOSSysdiagnose_h */ diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSSysdiagnose.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSSysdiagnose.m index 780651d9..0e7b6ae3 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSSysdiagnose.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSSysdiagnose.m @@ -39,6 +39,7 @@ #include +#include "SOSSysdiagnose.h" #include "keychain_log.h" #include "secToolFileIO.h" #include "secViewDisplay.h" @@ -87,7 +88,10 @@ static char *assemblePath(char *dir, char *fname) { size_t length = strlen(dir) + strlen(fname) + 2; char *outputDir = malloc(length); int status = snprintf(outputDir, length, "%s/%s", dir, fname); - if(status < 0) return NULL; + if(status < 0) { + if(outputDir) free(outputDir); + return NULL; + } return outputDir; } 
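Review bot: `assemblePath` still passes the result of `malloc(length)` to `snprintf` without checking it, so an allocation failure is undefined behaviour before the new `status < 0` cleanup is ever reached. The same pattern is in the `sysdiagnose_dir` hunk that follows. Adding `if(outputDir == NULL) return NULL;` straight after each `malloc` closes that, and the `if(outputDir)` guard in front of `free` can then go because `free(NULL)` is a no-op.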
@@ -117,7 +121,10 @@ static char *sysdiagnose_dir(const char *passedIn, const char *hostname, const c length = strlen(outputParent) + strlen(outputBase) + 2; char *outputDir = malloc(length); status = snprintf(outputDir, length, "%s/%s", outputParent, outputBase); - if(status < 0) return NULL; + if(status < 0) { + if(outputDir) free(outputDir); + return NULL; + } return outputDir; } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransport.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransport.m index 127bd0a1..41787724 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransport.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransport.m @@ -154,9 +154,6 @@ void SOSUpdateKeyInterest(SOSAccount* account) secerror("Error getting debug key interests %@", localError); } - if(![tkvs kvsAppendConfigKeyInterest:alwaysKeys firstUnlock:afterFirstUnlockKeys unlocked:whenUnlockedKeys err:&localError]) { - secerror("Error getting config key interests %@", localError); - } CFReleaseNull(localError); } @@ -310,7 +307,6 @@ CFMutableArrayRef SOSTransportDispatchMessages(SOSAccountTransaction* txn, CFDic __block bool new_account = false; CFDictionaryForEach(updates, ^(const void *key, const void *value) { - CFErrorRef localError = NULL; CFStringRef circle_name = NULL; CFStringRef ring_name = NULL; CFStringRef peer_info_name = NULL; @@ -351,11 +347,6 @@ CFMutableArrayRef SOSTransportDispatchMessages(SOSAccountTransaction* txn, CFDic case kDebugInfoKey: CFDictionarySetValue(debug_info_message_table, peer_info_name, value); break; - case kOTRConfig: - if(isDictionary(value)){ - config_message_table = CFRetainSafe((CFMutableDictionaryRef)(value)); - } - break; case kLastCircleKey: case kLastKeyParameterKey: case kUnknownKey: 
@@ -373,10 +364,6 @@ CFMutableArrayRef SOSTransportDispatchMessages(SOSAccountTransaction* txn, CFDic if (error && *error) secerror("Peer message processing error for: %@ -> %@ (%@)", key, value, *error); - if (localError) - secerror("Peer message local processing error for: %@ -> %@ (%@)", key, value, localError); - - CFReleaseNull(localError); }); @@ -396,12 +383,7 @@ CFMutableArrayRef SOSTransportDispatchMessages(SOSAccountTransaction* txn, CFDic if(initial_sync){ CFArrayAppendValue(handledKeys, kSOSKVSInitialSyncKey); } - - if(CFDictionaryGetCount(config_message_table)){ - secnotice("otrtimer","got the config table: %@", config_message_table); - CFArrayAppendValue(handledKeys, kOTRConfigVersion); - } - + if(CFDictionaryGetCount(debug_info_message_table)) { /* check for a newly set circle debug scope */ CFTypeRef debugScope = CFDictionaryGetValue(debug_info_message_table, kSOSAccountDebugScope); @@ -509,7 +491,8 @@ CFMutableArrayRef SOSTransportDispatchMessages(SOSAccountTransaction* txn, CFDic CFReleaseNull(keyHandled); }); } - + + CFReleaseNull(handleCircleMessages); CFReleaseNull(localError); } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCircle.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCircle.h index efba0f77..95992173 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCircle.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCircle.h @@ -26,7 +26,7 @@ -(bool) postRetirement:(CFStringRef) circleName peer:(SOSPeerInfoRef) peer err:(CFErrorRef *)error; -(CFDictionaryRef) CF_RETURNS_RETAINED handleRetirementMessages:(CFMutableDictionaryRef) circle_retirement_messages_table err:(CFErrorRef *)error; --(CFArrayRef) handleCircleMessagesAndReturnHandledCopy:(CFMutableDictionaryRef) circle_circle_messages_table err:(CFErrorRef *)error; +-(CFArrayRef)CF_RETURNS_RETAINED handleCircleMessagesAndReturnHandledCopy:(CFMutableDictionaryRef) circle_circle_messages_table err:(CFErrorRef *)error; @end #endif 
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCircleCK.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCircleCK.m index 99f352cb..822abcc5 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCircleCK.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCircleCK.m @@ -63,7 +63,7 @@ { return NULL; } --(CFArrayRef) handleCircleMessagesAndReturnHandledCopy:(CFMutableDictionaryRef) circle_circle_messages_table err:(CFErrorRef *)error +-(CFArrayRef)CF_RETURNS_RETAINED handleCircleMessagesAndReturnHandledCopy:(CFMutableDictionaryRef) circle_circle_messages_table err:(CFErrorRef *)error { return NULL; } diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCircleKVS.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCircleKVS.h index 998bd928..82f2809c 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCircleKVS.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCircleKVS.h @@ -27,7 +27,6 @@ -(bool)kvsAppendKeyInterest:(CFMutableArrayRef) alwaysKeys firstUnlock:(CFMutableArrayRef) afterFirstUnlockKeys unlocked:(CFMutableArrayRef)unlockedKeys err:(CFErrorRef *)error; -(bool)kvsAppendRingKeyInterest:(CFMutableArrayRef) alwaysKeys firstUnlock:(CFMutableArrayRef)afterFirstUnlockKeys unlocked:(CFMutableArrayRef) unlockedKeys err:(CFErrorRef *)error; -(bool)kvsAppendDebugKeyInterest:(CFMutableArrayRef) alwaysKeys firstUnlock:(CFMutableArrayRef)afterFirstUnlockKeys unlocked:(CFMutableArrayRef) unlockedKeys err:(CFErrorRef *)error; --(bool)kvsAppendConfigKeyInterest:(CFMutableArrayRef) alwaysKeys firstUnlock:(CFMutableArrayRef)afterFirstUnlockKeys unlocked:(CFMutableArrayRef) unlockedKeys err:(CFErrorRef *)error; -(bool) kvsRingFlushChanges:(CFErrorRef*) error; -(bool) kvsRingPostRing:(CFStringRef) ringName ring:(CFDataRef) ring err:(CFErrorRef *)error; diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCircleKVS.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCircleKVS.m index e253420c..56aaa5af 100644 
--- a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCircleKVS.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportCircleKVS.m @@ -158,7 +158,7 @@ static bool SOSTransportCircleKVSUpdateRetirementRecords(CFDictionaryRef updates return SOSAccountHandleRetirementMessages(self.account, circle_retirement_messages_table, error); } --(CFArrayRef) handleCircleMessagesAndReturnHandledCopy:(CFMutableDictionaryRef) circle_circle_messages_table err:(CFErrorRef *)error +-(CFArrayRef)CF_RETURNS_RETAINED handleCircleMessagesAndReturnHandledCopy:(CFMutableDictionaryRef) circle_circle_messages_table err:(CFErrorRef *)error { CFMutableArrayRef handledKeys = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); CFDictionaryForEach(circle_circle_messages_table, ^(const void *key, const void *value) { @@ -238,13 +238,6 @@ fail: return true; } -//register otr config --(bool)kvsAppendConfigKeyInterest:(CFMutableArrayRef) alwaysKeys firstUnlock:(CFMutableArrayRef)afterFirstUnlockKeys unlocked:(CFMutableArrayRef) unlockedKeys err:(CFErrorRef *)error -{ - CFArrayAppendValue(alwaysKeys, kSOSKVSOTRConfigVersion); - return true; -} - //send debug info over KVS -(bool) kvssendDebugInfo:(CFStringRef) type debug:(CFTypeRef) debugInfo err:(CFErrorRef *)error { diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessage.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessage.m index f94eeca5..bbc7eac0 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessage.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessage.m 
@@ -15,7 +15,10 @@ #include #include // TODO: Remove this layer violation. -NSString* const SecSOSMessageRTT = @"com.apple.security.sos.messagertt"; +static const CFStringRef kSecSOSMessageRTT = CFSTR("com.apple.security.sos.messagertt"); +static const CFStringRef kSecAccessGroupSecureBackupd = CFSTR("com.apple.securebackupd"); +static const CFStringRef kSecAccessGroupSBD = CFSTR("com.apple.sbd"); +static const CFStringRef kSecAccessGroupCKKS = CFSTR("com.apple.security.ckks"); @class SOSMessage; @@ -171,7 +174,7 @@ bool SOSEngineHandleCodedMessage(SOSAccount* account, SOSEngineRef engine, CFStr secnotice("otrtimer", "rtt: %d", rtt); [self SOSTransportMessageCalculateNextTimer:account rtt:rtt peerid:peerid]; - SecADClientPushValueForDistributionKey((__bridge CFStringRef) SecSOSMessageRTT, rtt); + SecADClientPushValueForDistributionKey(kSecSOSMessageRTT, rtt); [peerToTimeLastSentDict removeObjectForKey:peerid]; //remove last sent message date SOSAccountSetValue(account, kSOSAccountPeerLastSentTimestamp, (__bridge CFMutableDictionaryRef)peerToTimeLastSentDict, NULL); } 
@@ -366,28 +369,38 @@ static void SOSTransportSendPendingMessage(CFArrayRef attributes, SOSMessage* tr ok &= SOSEngineWithPeerID((SOSEngineRef)transport.engine, peer_id, error, ^(SOSPeerRef peer, SOSCoderRef coder, SOSDataSourceRef dataSource, SOSTransactionRef txn, bool *forceSaveState) { // Now under engine lock do stuff CFDataRef message_to_send = NULL; - SOSEnginePeerMessageSentBlock sent = NULL; + SOSEnginePeerMessageSentCallback* sentCallback = NULL; CFMutableArrayRef attributes = NULL; - ok = SOSPeerCoderSendMessageIfNeeded([transport SOSTransportMessageGetAccount],(SOSEngineRef)transport.engine, txn, peer, coder, &message_to_send, peer_id, &attributes, &sent, error); + ok = SOSPeerCoderSendMessageIfNeeded([transport SOSTransportMessageGetAccount],(SOSEngineRef)transport.engine, txn, peer, coder, &message_to_send, peer_id, &attributes, &sentCallback, error); secnotice("ratelimit","attribute list: %@", attributes); bool shouldSend = true; - + if(attributes == NULL){ //no attribute but still should be rate limited attributes = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); CFArrayAppendValue(attributes, CFSTR("NoAttribute")); } + if(initialSync){ secnotice("ratelimit","not going to rate limit, currently in initial sync"); } if(!initialSync && message_to_send){ //need to judge the message if not in initial sync secnotice("ratelimit","not in initial sync!"); shouldSend = SOSPeerShouldSend(attributes, peer, transport, message_to_send); - secnotice("ratelimit","should send? : %d", shouldSend); + CFRange range = CFRangeMake(0, CFArrayGetCount(attributes)); + if(CFArrayContainsValue(attributes, range, kSecAccessGroupCKKS) || + CFArrayContainsValue(attributes, range, kSecAccessGroupSBD) || + CFArrayContainsValue(attributes, range, kSecAccessGroupSecureBackupd)){ + shouldSend = true; + } + + secnotice("ratelimit","should send? : %@", shouldSend ? 
@"YES" : @"NO"); } if (shouldSend && message_to_send) { SOSTransportSendPendingMessage(attributes, transport, peer); ok = ok && [transport SOSTransportMessageSendMessage:transport id:peer_id messageToSend:message_to_send err:error]; - SOSPeerCoderConsume(&sent, ok); + + SOSEngineMessageCallCallback(sentCallback, ok); + [transport SOSTransportMessageUpdateLastMessageSentTimetstamp:account peer:peer]; }else if(!shouldSend){ @@ -395,8 +408,11 @@ static void SOSTransportSendPendingMessage(CFArrayRef attributes, SOSMessage* tr }else{ secnotice("transport", "no message to send to peer: %@", peer_id); } - sent = NULL; + + SOSEngineFreeMessageCallback(sentCallback); + sentCallback = NULL; CFReleaseSafe(message_to_send); + CFReleaseNull(attributes); *forceSaveState = ok; }); diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageIDS.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageIDS.h index 97506591..2f31a754 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageIDS.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageIDS.h @@ -27,7 +27,7 @@ extern const CFStringRef kIDSMessageUniqueID; extern const CFStringRef kIDSMessageRecipientPeerID; extern const CFStringRef kIDSMessageRecipientDeviceID; extern const CFStringRef kIDSMessageUsesAckModel; - +extern const CFStringRef kIDSMessageSenderDeviceID;; @interface SOSMessageIDS : SOSMessage { diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageIDS.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageIDS.m index baccac59..0d4425fc 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageIDS.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageIDS.m 
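Review bot: The new override inside the `SOSEngineWithPeerID` block sets `shouldSend = true` when any single entry of `attributes` equals `kSecAccessGroupCKKS`, `kSecAccessGroupSBD` or `kSecAccessGroupSecureBackupd`, so a message that also carries other access groups skips the limiter as a whole, and nothing in the code records that this is intended. A comment above the check such as `// CKKS, SBD and securebackupd items are exempt from peer rate limiting; one matching attribute exempts the whole message` would document the policy. `SOSPeerShouldSend` is still called before the override, so whatever accounting it does (not visible here) presumably still applies to exempt messages; testing the exemption first would avoid that if it is unwanted. The `should send?` log line also cannot tell a limiter verdict from an exemption. The enclosing function starts before the hunk.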
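Review bot: The added declaration in `SOSTransportMessageIDS.h` ends in two semicolons, `extern const CFStringRef kIDSMessageSenderDeviceID;;`, which leaves an empty declaration at file scope and draws a warning in pedantic builds. It should read `extern const CFStringRef kIDSMessageSenderDeviceID;`. Restoring the blank line the hunk removed would also keep the `@interface` that follows visually separate from the constants.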
@@ -82,6 +82,7 @@ static HandleIDSMessageReason checkMessageValidity(SOSAccount* account, CFString return; } else if(CFStringCompare(fromDeviceID, deviceID, 0) != 0){ //IDSids do not match, ghost + secnotice("ids transport", "deviceIDMisMatch"); reason = kHandleIDSmessageDeviceIDMismatch; CFReleaseNull(deviceID); return; @@ -93,6 +94,9 @@ static HandleIDSMessageReason checkMessageValidity(SOSAccount* account, CFString reason = kHandleIDSMessageSuccess; return; } + else{ + secerror("?? deviceID:%@, pID: %@, fromPeerID: %@, fromDeviceID: %@", deviceID, pID, fromPeerID, fromDeviceID); + } } } CFReleaseNull(deviceID); @@ -109,6 +113,7 @@ static HandleIDSMessageReason checkMessageValidity(SOSAccount* account, CFString CFStringRef deviceIDKey = CFStringCreateWithCString(kCFAllocatorDefault, kMessageKeyDeviceID, kCFStringEncodingASCII); CFStringRef sendersPeerIDKey = CFStringCreateWithCString(kCFAllocatorDefault, kMessageKeySendersPeerID, kCFStringEncodingASCII); CFStringRef ourPeerIdKey = CFStringCreateWithCString(kCFAllocatorDefault, kMessageKeyPeerID, kCFStringEncodingASCII); + NSString *errMessage = nil; HandleIDSMessageReason result = kHandleIDSMessageSuccess; 
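Review bot: The `secerror` added in the new `else` branch of `checkMessageValidity` starts with `??`, which does not say which comparison failed, and it writes the local and remote device and peer identifiers at error level. The surrounding `return;` statements suggest this runs inside a per-peer block, so it may fire once for every peer that is simply not the sender; confirm against the enclosing loop, which starts outside the hunk. If the branch means the peer did not match, a notice-level line that names the condition, for example `secnotice("IDS Transport", "peer does not match sender: pID: %@, fromPeerID: %@", pID, fromPeerID);`, would be easier to act on.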
@@ -120,10 +125,10 @@ static HandleIDSMessageReason checkMessageValidity(SOSAccount* account, CFString CFStringRef peerID = NULL; SOSPeerInfoRef theirPeer = NULL; - require_action_quiet(fromDeviceID, exit, result = kHandleIDSMessageDontHandle); - require_action_quiet(fromPeerID, exit, result = kHandleIDSMessageDontHandle); - require_action_quiet(messageData && CFDataGetLength(messageData) != 0, exit, result = kHandleIDSMessageDontHandle); - require_action_quiet(SOSAccountHasFullPeerInfo(account, error), exit, result = kHandleIDSMessageNotReady); + require_action_quiet(fromDeviceID, exit, result = kHandleIDSMessageDontHandle; errMessage = @"Missing device name"); + require_action_quiet(fromPeerID, exit, result = kHandleIDSMessageDontHandle; errMessage = @"Missing from peer id"); + require_action_quiet(messageData && CFDataGetLength(messageData) != 0, exit, result = kHandleIDSMessageDontHandle; errMessage = @"no message data"); + require_action_quiet(SOSAccountHasFullPeerInfo(account, error), exit, result = kHandleIDSMessageNotReady; errMessage = @"no full perinfo"); require_action_quiet(ourPeerID && [account.peerID isEqual: (__bridge NSString*) ourPeerID], exit, result = kHandleIDSMessageDontHandle; secnotice("IDS Transport","ignoring message for: %@", ourPeerID)); require_quiet((result = checkMessageValidity( account, fromDeviceID, fromPeerID, &peerID, &theirPeer)) == kHandleIDSMessageSuccess, exit); @@ -170,6 +175,10 @@ static HandleIDSMessageReason checkMessageValidity(SOSAccount* account, CFString } exit: + + if(errMessage != nil){ + secerror("%@", errMessage); + } CFReleaseNull(ourPeerIdKey); CFReleaseNull(sendersPeerIDKey); CFReleaseNull(deviceIDKey); 
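Review bot: Two of the new `errMessage` strings in the `require_action_quiet` lines are misleading: the `fromDeviceID` check reports `@"Missing device name"` although it tests a device ID, and `@"no full perinfo"` misspells peer info. Suggested wording is `errMessage = @"Missing from device id"` and `errMessage = @"no full peer info"`. The `exit:` hunk below logs these through `secerror("%@", errMessage)` with no subsystem prefix, while the neighbouring `ourPeerID` check logs through `secnotice("IDS Transport", …)`; `secerror("IDS Transport: %@", errMessage);` would keep the two searchable together.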
@@ -236,9 +245,15 @@ static bool sendToPeer(SOSMessageIDS* transport, bool shouldUseAckModel, CFStrin dispatch_semaphore_t wait_for = dispatch_semaphore_create(0); secnotice("IDS Transport", "Starting"); + SecADAddValueForScalarKey(CFSTR("com.apple.security.sos.sendids"), 1); - SOSCloudKeychainSendIDSMessage(messagetoSend, deviceID, ourPeerID, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), [transport SOSTransportMessageIDSGetFragmentationPreference:transport], ^(CFDictionaryRef returnedValues, CFErrorRef sync_error) { + CFStringRef myDeviceID = CFRetainSafe((__bridge CFStringRef)account.deviceID); + if(!myDeviceID){ + myDeviceID = SOSPeerInfoCopyDeviceID(account.peerInfo); + } + + SOSCloudKeychainSendIDSMessage(messagetoSend, deviceID, ourPeerID, myDeviceID, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), [transport SOSTransportMessageIDSGetFragmentationPreference:transport], ^(CFDictionaryRef returnedValues, CFErrorRef sync_error) { success = (sync_error == NULL); if (sync_error && error) { CFRetainAssign(*error, sync_error); @@ -260,7 +275,7 @@ static bool sendToPeer(SOSMessageIDS* transport, bool shouldUseAckModel, CFStrin else{ secnotice("IDS Transport", "Sent message to peer!"); } - + CFReleaseNull(myDeviceID); CFReleaseNull(messagetoSend); CFReleaseNull(operation); CFReleaseNull(operationData); @@ -357,7 +372,7 @@ static bool sendToPeer(SOSMessageIDS* transport, bool shouldUseAckModel, CFStrin { SOSAccountTrustClassic* trust = acct.trust; CFStringRef deviceID = SOSPeerInfoCopyDeviceID(trust.peerInfo); - bool hasDeviceID = deviceID != NULL && CFStringGetLength(deviceID) != 0; + bool hasDeviceID = (deviceID != NULL && CFStringGetLength(deviceID) != 0) || account.deviceID; CFReleaseNull(deviceID); if(!hasDeviceID){ diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageKVS.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageKVS.m index 0cc26cc7..22b72d82 100644 
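Review bot: In `sendToPeer`, `myDeviceID` can still be NULL after the `SOSPeerInfoCopyDeviceID(account.peerInfo)` fallback, and it is passed to `SOSCloudKeychainSendIDSMessage` unchecked. The receive path in this same file rejects a message whose `fromDeviceID` is missing, so if that field is filled from this argument (not visible here) the message would be sent only to be dropped. A guard before the send that logs something like `secerror("IDS Transport: no local device ID, not sending");` and takes the function's existing failure path would make that explicit. The function starts and ends outside the hunk.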
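Review bot: The rewritten `hasDeviceID` expression reads `account.deviceID` while the line above it uses `acct.trust`, so the two halves of the check may look at different account objects; if `acct` is the one intended, the new term should be `acct.deviceID`. The added term also accepts any non-nil value, whereas the first half requires a non-empty string; `|| [acct.deviceID length] != 0` would keep the two consistent, assuming `deviceID` is an `NSString`. The method's signature is outside the hunk, so which variable is in scope should be confirmed.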
--- a/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageKVS.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSTransportMessageKVS.m @@ -28,6 +28,13 @@ return self; } +-(void)dealloc +{ + if(self) { + CFReleaseNull(self->pending_changes); + } +} + -(CFIndex) SOSTransportMessageGetTransportType { return kKVS; diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSTypes.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSTypes.h index a8a58b07..6c689bf5 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSTypes.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSTypes.h @@ -126,7 +126,7 @@ typedef int SOSSecurityPropertyActionCode; #define SOSControlInitialSyncFlagPCSNonCurrent (1 << 2) #define SOSControlInitialSyncFlagBluetoothMigration (1 << 3) -@protocol SOSControlProtocol +@protocol SOSControlProtocol - (void)userPublicKey:(void ((^))(BOOL trusted, NSData *spki, NSError *error))complete; - (void)kvsPerformanceCounters:(void(^)(NSDictionary *))reply; - (void)idsPerformanceCounters:(void(^)(NSDictionary *))reply; @@ -147,7 +147,6 @@ typedef int SOSSecurityPropertyActionCode; - (void)getWatchdogParameters:(void (^)(NSDictionary* parameters, NSError* error))complete; - (void)setWatchdogParmeters:(NSDictionary*)parameters complete:(void (^)(NSError* error))complete; - @end #endif diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSUserKeygen.h b/OSX/sec/SOSCircle/SecureObjectSync/SOSUserKeygen.h index a83c3756..24dc76a1 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSUserKeygen.h +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSUserKeygen.h @@ -28,7 +28,7 @@ #include CFDataRef SOSUserKeyCreateGenerateParameters(CFErrorRef *error); -SecKeyRef SOSUserKeygen(CFDataRef password, CFDataRef parameters, CFErrorRef *error); +CF_RETURNS_RETAINED SecKeyRef SOSUserKeygen(CFDataRef password, CFDataRef parameters, CFErrorRef *error); void debugDumpUserParameters(CFStringRef message, CFDataRef parameters); CF_RETURNS_RETAINED CFStringRef UserParametersDescription(CFDataRef parameters); 
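Review bot: The `if(self)` guard in the new `-dealloc` is dead code, since `self` is never nil while `-dealloc` runs; the body can be just `CFReleaseNull(self->pending_changes);`. A one-line comment such as `// pending_changes is a CF object, so ARC does not release it` would explain why the method exists, if the file is built with ARC as the absence of `[super dealloc]` suggests.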
diff --git a/OSX/sec/SOSCircle/SecureObjectSync/SOSUserKeygen.m b/OSX/sec/SOSCircle/SecureObjectSync/SOSUserKeygen.m index 5734221e..b3aa9753 100644 --- a/OSX/sec/SOSCircle/SecureObjectSync/SOSUserKeygen.m +++ b/OSX/sec/SOSCircle/SecureObjectSync/SOSUserKeygen.m @@ -213,7 +213,7 @@ CFDataRef SOSUserKeyCreateGenerateParameters(CFErrorRef *error) { CFReleaseNull(result); if (result) { - secnotice("keygen", "Created new parameters: iterations %zd, keysize %zd: %@", iterations, keysize, result); + secnotice("circleOps", "Created new parameters: iterations %zd, keysize %zd: %@", iterations, keysize, result); } return result; @@ -266,7 +266,7 @@ SecKeyRef SOSUserKeygen(CFDataRef password, CFDataRef parameters, CFErrorRef *er ccec_full_ctx_decl_cp(cp, tmpkey); - secnotice("keygen", "Generating key for: iterations %zd, keysize %zd: %@", iterations, keysize, parameters); + secnotice("circleOps", "Generating key for: iterations %zd, keysize %zd: %@", iterations, keysize, parameters); if (ccrng_pbkdf2_prng_init(&pbkdf2_prng, maxbytes, password_length, password_bytes, @@ -297,13 +297,13 @@ void debugDumpUserParameters(CFStringRef message, CFDataRef parameters) der = der_decode_pbkdf2_params(&saltlen, &salt, &iterations, &keysize, der, der_end); if (der == NULL) { - secnotice("keygen", "failed to decode pbkdf2 params"); + secnotice("circleOps", "failed to decode pbkdf2 params"); return; } BufferPerformWithHexString(salt, saltlen, ^(CFStringRef saltHex) { CFDataPerformWithHexString(parameters, ^(CFStringRef parametersHex) { - secnotice("keygen", "%@ ]", message, iterations, keysize, saltHex, parametersHex); + secnotice("circleOps", "%@ ]", message, iterations, keysize, saltHex, parametersHex); }); }); } 
@@ -320,7 +320,7 @@ CF_RETURNS_RETAINED CFStringRef UserParametersDescription(CFDataRef parameters){ CFDataGetBytePtr(parameters), CFDataGetPastEndPtr(parameters)); if (parse_end != CFDataGetPastEndPtr(parameters)){ - secdebug("keygen", "failed to decode cloud parameters"); + secdebug("circleOps", "failed to decode cloud parameters"); return NULL; } @@ -335,7 +335,7 @@ CF_RETURNS_RETAINED CFStringRef UserParametersDescription(CFDataRef parameters){ der = der_decode_pbkdf2_params(&saltlen, &salt, &iterations, &keysize, der, der_end); if (der == NULL) { - secdebug("keygen", "failed to decode pbkdf2 params"); + secdebug("circleOps", "failed to decode pbkdf2 params"); return NULL; } diff --git a/OSX/sec/SOSCircle/Tool/accountCirclesViewsPrint.h b/OSX/sec/SOSCircle/Tool/accountCirclesViewsPrint.h index 2a3c4362..c9955671 100644 --- a/OSX/sec/SOSCircle/Tool/accountCirclesViewsPrint.h +++ b/OSX/sec/SOSCircle/Tool/accountCirclesViewsPrint.h 
@@ -1,10 +1,25 @@ -// -// accountCirclesViewsPrint.h -// Security -// -// Created by Richard Murphy on 12/8/16. -// -// +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ #ifndef accountCirclesViewsPrint_h #define accountCirclesViewsPrint_h @@ -13,6 +28,8 @@ #include void SOSCCDumpCircleInformation(void); +void SOSCCDumpEngineInformation(void); +void SOSCCDumpViewUnwarePeers(void); bool SOSCCDumpCircleKVSInformation(char *itemName); #endif /* accountCirclesViewsPrint_h */ diff --git a/OSX/sec/SOSCircle/Tool/accountCirclesViewsPrint.m b/OSX/sec/SOSCircle/Tool/accountCirclesViewsPrint.m index c4fe7a2e..0ca7efe4 100644 --- a/OSX/sec/SOSCircle/Tool/accountCirclesViewsPrint.m +++ b/OSX/sec/SOSCircle/Tool/accountCirclesViewsPrint.m 
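Review bot: The new prototype `void SOSCCDumpViewUnwarePeers(void);` misspells "Unaware". The function wraps `SOSCCCopyViewUnawarePeerInfo` and prints the label "view-unaware", so the exported name should be `SOSCCDumpViewUnawarePeers`, changed together with the definition in accountCirclesViewsPrint.m and the call in keychain_sync.m. The two added prototypes would also benefit from a one-line comment each, for example `// Prints the sync engine state strings, one per line` above `SOSCCDumpEngineInformation`.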
@@ -85,6 +85,26 @@ static const char *getSOSCCStatusDescription(SOSCCStatus ccstatus) } } +static const char * +getSOSCCLastDepartureReasonDescription(enum DepartureReason reason) +{ + switch (reason) { +#define CASE_REASON(x) case kSOS##x: return #x + CASE_REASON(DepartureReasonError); + CASE_REASON(NeverLeftCircle); + CASE_REASON(WithdrewMembership); + CASE_REASON(MembershipRevoked); + CASE_REASON(LeftUntrustedCircle); + CASE_REASON(NeverAppliedToCircle); + CASE_REASON(DiscoveredRetirement); // we should all be so lucky + CASE_REASON(LostPrivateKey); + CASE_REASON(PasswordChanged); +#undef CASE_REASON + default: + return "Unknown"; + } +} + static void printPeerInfos(char *label, CFArrayRef (^getArray)(CFErrorRef *error)) { CFErrorRef error = NULL; CFArrayRef ppi = getArray(&error); @@ -104,7 +124,6 @@ static void printPeerInfos(char *label, CFArrayRef (^getArray)(CFErrorRef *error CFStringRef deviceID = CFSTR(""); CFDictionaryRef gestalt = SOSPeerInfoCopyPeerGestalt(peer); CFStringRef osVersion = CFDictionaryGetValue(gestalt, CFSTR("OSVersion")); - CFReleaseNull(gestalt); if(version >= 2){ 
@@ -116,24 +135,31 @@ static void printPeerInfos(char *label, CFArrayRef (^getArray)(CFErrorRef *error char *dname = CFStringToCString(devtype); char *tname = CFStringToCString(transportType); char *iname = CFStringToCString(deviceID); - char *osname = CFStringToCString(osVersion); const char *me = CFEqualSafe(mypeerID, peerID) ? "me>" : " "; - snprintf(buf, 160, "%s %s: %-16s %-16s %-16s %-16s", me, label, pname, dname, tname, iname); + snprintf(buf, 160, "%s %s: %-16s %-16s %-16s %-36s", me, label, pname, dname, tname, iname); free(pname); free(dname); + free(tname); + free(iname); + + // %s in (Core)Foundation format strings treats the string as MacRoman, need to do this to guarantee UTF8 handling + CFStringRef bufstr = CFStringCreateWithCString(NULL, buf, kCFStringEncodingUTF8); CFStringRef pid = SOSPeerInfoGetPeerID(peer); CFIndex vers = SOSPeerInfoGetVersion(peer); - printmsg(CFSTR("%s %@ V%d OS:%s\n"), buf, pid, vers, osname); - free(osname); + printmsg(CFSTR("%@ %@ V%d OS:%@\n"), bufstr, pid, vers, osVersion ?: CFSTR("")); + CFRelease(bufstr); + + CFReleaseNull(gestalt); }); } else { printmsg(CFSTR("No %s, error: %@\n"), label, error); } CFReleaseNull(ppi); CFReleaseNull(error); + CFReleaseNull(me); } void SOSCCDumpCircleInformation() 
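Review bot: `CFRelease(bufstr)` in the rewritten peer loop traps if `CFStringCreateWithCString` returned NULL, which it can do when `buf` is not valid UTF-8. `snprintf(buf, 160, ...)` truncates by bytes, so a long peer or device name containing multi-byte characters can be cut in the middle of a sequence, and those names come from other peers' records. Use `CFReleaseNull(bufstr);` and print `bufstr ?: CFSTR("")`, the same way `osVersion` is handled; `sizeof(buf)` in place of the literal 160 would keep the bound tied to the array. The block and `printPeerInfos` start outside this hunk.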
@@ -145,10 +171,21 @@ void SOSCCDumpCircleInformation() SOSCCStatus ccstatus = SOSCCThisDeviceIsInCircle(&error); printmsg(CFSTR("ccstatus: %s (%d)\n"), getSOSCCStatusDescription(ccstatus), ccstatus); + if (error != NULL) { + printmsg(CFSTR("Error checking circle status: %@\n"), error); + } + CFReleaseNull(error); + enum DepartureReason departureReason = SOSCCGetLastDepartureReason(&error); + printmsg(CFSTR("LastDepartureReason: %s (%d)\n"), getSOSCCLastDepartureReasonDescription(departureReason), departureReason); + if (error != NULL) { + printmsg(CFSTR("Error checking last departure reason error: %@\n"), error); + } + CFReleaseNull(error); + is_accountKeyIsTrusted = SOSCCValidateUserPublic(&error); if(is_accountKeyIsTrusted) - printmsg(CFSTR("Account user public is trusted%@"),CFSTR("\n")); + printmsg(CFSTR("Account user public is trusted\n")); else printmsg(CFSTR("Account user public is not trusted error:(%@)\n"), error); CFReleaseNull(error); @@ -182,8 +219,25 @@ void SOSCCDumpCircleInformation() CFReleaseNull(error); } +void +SOSCCDumpEngineInformation(void) +{ + CFErrorRef error = NULL; + printmsg(CFSTR("Engine state:\n")); + if (!SOSCCForEachEngineStateAsString(&error, ^(CFStringRef oneStateString) { + printmsg(CFSTR("%@\n"), oneStateString); + })) { + printmsg(CFSTR("No engine state, got error: %@\n"), error); + } +} +// security sync -o +void +SOSCCDumpViewUnwarePeers(void) +{ + printPeerInfos("view-unaware", ^(CFErrorRef *error) { return SOSCCCopyViewUnawarePeerInfo(error); }); +} /* KVS Dumping Support for iCloud Keychain */ diff --git a/OSX/sec/SOSCircle/Tool/keychain_log.m b/OSX/sec/SOSCircle/Tool/keychain_log.m index ba5054e4..65b4419b 100644 --- a/OSX/sec/SOSCircle/Tool/keychain_log.m +++ b/OSX/sec/SOSCircle/Tool/keychain_log.m @@ -64,9 +64,11 @@ #include #include +#include "SOSSysdiagnose.h" #include "keychain_log.h" #include "secToolFileIO.h" #include "secViewDisplay.h" +#include "accountCirclesViewsPrint.h" #include 
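Review bot: `SOSCCDumpEngineInformation` in the `@@ -182` hunk never releases `error`, so when `SOSCCForEachEngineStateAsString` fails the CFErrorRef it filled in is printed and then leaked. `SOSCCDumpCircleInformation` in the same file ends with `CFReleaseNull(error);`, and the same line belongs after the `if` here. In the `@@ -145` hunk the message `"Error checking last departure reason error: %@\n"` repeats "error"; `"Error checking last departure reason: %@\n"` reads better.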
@@ -75,371 +77,6 @@ #define MAXKVSKEYTYPE kUnknownKey #define DATE_LENGTH 18 - -static const char *getSOSCCStatusDescription(SOSCCStatus ccstatus) -{ - switch (ccstatus) - { - case kSOSCCInCircle: return "In Circle"; - case kSOSCCNotInCircle: return "Not in Circle"; - case kSOSCCRequestPending: return "Request pending"; - case kSOSCCCircleAbsent: return "Circle absent"; - case kSOSCCError: return "Circle error"; - - default: - return ""; - break; - } -} - -static void printPeerInfos(char *label, CFArrayRef (^getArray)(CFErrorRef *error)) { - CFErrorRef error = NULL; - CFArrayRef ppi = getArray(&error); - SOSPeerInfoRef me = SOSCCCopyMyPeerInfo(NULL); - CFStringRef mypeerID = SOSPeerInfoGetPeerID(me); - - if(ppi) { - printmsg(CFSTR("%s count: %ld\n"), label, (long)CFArrayGetCount(ppi)); - CFArrayForEach(ppi, ^(const void *value) { - char buf[160]; - SOSPeerInfoRef peer = (SOSPeerInfoRef)value; - CFIndex version = SOSPeerInfoGetVersion(peer); - CFStringRef peerName = SOSPeerInfoGetPeerName(peer); - CFStringRef devtype = SOSPeerInfoGetPeerDeviceType(peer); - CFStringRef peerID = SOSPeerInfoGetPeerID(peer); - CFStringRef transportType = CFSTR("KVS"); - CFStringRef deviceID = CFSTR(""); - CFDictionaryRef gestalt = SOSPeerInfoCopyPeerGestalt(peer); - CFStringRef osVersion = CFDictionaryGetValue(gestalt, CFSTR("OSVersion")); - CFReleaseNull(gestalt); - - - if(version >= 2){ - CFDictionaryRef v2Dictionary = peer->v2Dictionary; - transportType = CFDictionaryGetValue(v2Dictionary, sTransportType); - deviceID = CFDictionaryGetValue(v2Dictionary, sDeviceID); - } - char *pname = CFStringToCString(peerName); - char *dname = CFStringToCString(devtype); - char *tname = CFStringToCString(transportType); - char *iname = CFStringToCString(deviceID); - char *osname = CFStringToCString(osVersion); - const char *me = CFEqualSafe(mypeerID, peerID) ? 
"me>" : " "; - - - snprintf(buf, 160, "%s %s: %-16s %-16s %-16s %-16s", me, label, pname, dname, tname, iname); - - free(pname); - free(dname); - CFStringRef pid = SOSPeerInfoGetPeerID(peer); - CFIndex vers = SOSPeerInfoGetVersion(peer); - printmsg(CFSTR("%s %@ V%d OS:%s\n"), buf, pid, vers, osname); - free(osname); - }); - } else { - printmsg(CFSTR("No %s, error: %@\n"), label, error); - } - CFReleaseNull(ppi); - CFReleaseNull(error); -} - -static void dumpCircleInfo() -{ - CFErrorRef error = NULL; - CFArrayRef generations = NULL; - bool is_accountKeyIsTrusted = false; - __block int count = 0; - - SOSCCStatus ccstatus = SOSCCThisDeviceIsInCircle(&error); - if(ccstatus == kSOSCCError) { - printmsg(CFSTR("End of Dump - unable to proceed due to ccstatus (%s) error: %@\n"), getSOSCCStatusDescription(ccstatus), error); - return; - } - printmsg(CFSTR("ccstatus: %s (%d)\n"), getSOSCCStatusDescription(ccstatus), ccstatus, error); - - is_accountKeyIsTrusted = SOSCCValidateUserPublic(&error); - if(is_accountKeyIsTrusted) - printmsg(CFSTR("Account user public is trusted%@"),CFSTR("\n")); - else - printmsg(CFSTR("Account user public is not trusted error:(%@)\n"), error); - CFReleaseNull(error); - - generations = SOSCCCopyGenerationPeerInfo(&error); - if(generations) { - CFArrayForEach(generations, ^(const void *value) { - count++; - if(count%2 == 0) - printmsg(CFSTR("Circle name: %@, "),value); - - if(count%2 != 0) { - CFStringRef genDesc = SOSGenerationCountCopyDescription(value); - printmsg(CFSTR("Generation Count: %@"), genDesc); - CFReleaseNull(genDesc); - } - printmsg(CFSTR("%s\n"), ""); - }); - } else { - printmsg(CFSTR("No generation count: %@\n"), error); - } - CFReleaseNull(generations); - CFReleaseNull(error); - - printPeerInfos(" Peers", ^(CFErrorRef *error) { return SOSCCCopyValidPeerPeerInfo(error); }); - printPeerInfos(" Invalid", ^(CFErrorRef *error) { return SOSCCCopyNotValidPeerPeerInfo(error); }); - printPeerInfos(" Retired", ^(CFErrorRef *error) { return 
SOSCCCopyRetirementPeerInfo(error); }); - printPeerInfos(" Concur", ^(CFErrorRef *error) { return SOSCCCopyConcurringPeerPeerInfo(error); }); - printPeerInfos("Applicants", ^(CFErrorRef *error) { return SOSCCCopyApplicantPeerInfo(error); }); - - if (!SOSCCForEachEngineStateAsString(&error, ^(CFStringRef oneStateString) { - printmsg(CFSTR("%@\n"), oneStateString); - })) { - printmsg(CFSTR("No engine peers: %@\n"), error); - } - - CFReleaseNull(error); -} - -static CFTypeRef getObjectsFromCloud(CFArrayRef keysToGet, dispatch_queue_t processQueue, dispatch_group_t dgroup) -{ - __block CFTypeRef object = NULL; - - const uint64_t maxTimeToWaitInSeconds = 30ull * NSEC_PER_SEC; - dispatch_semaphore_t waitSemaphore = dispatch_semaphore_create(0); - dispatch_time_t finishTime = dispatch_time(DISPATCH_TIME_NOW, maxTimeToWaitInSeconds); - - dispatch_group_enter(dgroup); - - CloudKeychainReplyBlock replyBlock = - ^ (CFDictionaryRef returnedValues, CFErrorRef error) - { - secinfo("sync", "SOSCloudKeychainGetObjectsFromCloud returned: %@", returnedValues); - object = returnedValues; - if (object) - CFRetain(object); - if (error) - { - secerror("SOSCloudKeychainGetObjectsFromCloud returned error: %@", error); - } - dispatch_group_leave(dgroup); - secinfo("sync", "SOSCloudKeychainGetObjectsFromCloud block exit: %@", object); - dispatch_semaphore_signal(waitSemaphore); - }; - - if (!keysToGet) - SOSCloudKeychainGetAllObjectsFromCloud(processQueue, replyBlock); - else - SOSCloudKeychainGetObjectsFromCloud(keysToGet, processQueue, replyBlock); - - dispatch_semaphore_wait(waitSemaphore, finishTime); - - if (object && (CFGetTypeID(object) == CFNullGetTypeID())) // return a NULL instead of a CFNull - { - CFRelease(object); - object = NULL; - } - secerror("returned: %@", object); - return object; -} - -static CFStringRef printFullDataString(CFDataRef data){ - __block CFStringRef fullData = NULL; - - BufferPerformWithHexString(CFDataGetBytePtr(data), CFDataGetLength(data), ^(CFStringRef 
dataHex) { - fullData = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%@"), dataHex); - }); - - return fullData; -} - -static void displayLastKeyParameters(CFTypeRef key, CFTypeRef value) -{ - CFDataRef valueAsData = asData(value, NULL); - if(valueAsData){ - CFDataRef dateData = CFDataCreateCopyFromRange(kCFAllocatorDefault, valueAsData, CFRangeMake(0, DATE_LENGTH)); - CFDataRef keyParameterData = CFDataCreateCopyFromPositions(kCFAllocatorDefault, valueAsData, DATE_LENGTH, CFDataGetLength(valueAsData)); - CFStringRef dateString = CFStringCreateFromExternalRepresentation(kCFAllocatorDefault, dateData, kCFStringEncodingUTF8); - CFStringRef keyParameterDescription = UserParametersDescription(keyParameterData); - if(keyParameterDescription) - printmsg(CFSTR("%@: %@: %@\n"), key, dateString, keyParameterDescription); - else - printmsg(CFSTR("%@: %@\n"), key, printFullDataString(value)); - CFReleaseNull(dateString); - CFReleaseNull(keyParameterData); - CFReleaseNull(dateData); - CFReleaseNull(keyParameterDescription); - } - else{ - printmsg(CFSTR("%@: %@\n"), key, value); - } -} - -static void displayKeyParameters(CFTypeRef key, CFTypeRef value) -{ - if(isData(value)){ - CFStringRef keyParameterDescription = UserParametersDescription((CFDataRef)value); - - if(keyParameterDescription) - printmsg(CFSTR("%@: %@\n"), key, keyParameterDescription); - else - printmsg(CFSTR("%@: %@\n"), key, value); - - CFReleaseNull(keyParameterDescription); - } - else{ - printmsg(CFSTR("%@: %@\n"), key, value); - } -} - -static void displayLastCircle(CFTypeRef key, CFTypeRef value) -{ - CFDataRef valueAsData = asData(value, NULL); - if(valueAsData){ - CFErrorRef localError = NULL; - - CFDataRef dateData = CFDataCreateCopyFromRange(kCFAllocatorDefault, valueAsData, CFRangeMake(0, DATE_LENGTH)); - CFDataRef circleData = CFDataCreateCopyFromPositions(kCFAllocatorDefault, valueAsData, DATE_LENGTH, CFDataGetLength(valueAsData)); - CFStringRef dateString = 
CFStringCreateFromExternalRepresentation(kCFAllocatorDefault, dateData, kCFStringEncodingUTF8); - SOSCircleRef circle = SOSCircleCreateFromData(NULL, (CFDataRef) circleData, &localError); - - if(circle){ - CFIndex size = 5; - CFNumberRef idLength = CFNumberCreate(kCFAllocatorDefault, kCFNumberCFIndexType, &size); - CFDictionaryRef format = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, CFSTR("SyncD"), CFSTR("SyncD"), CFSTR("idLength"), idLength, NULL); - printmsgWithFormatOptions(format, CFSTR("%@: %@: %@\n"), key, dateString, circle); - CFReleaseNull(idLength); - CFReleaseNull(format); - - } - else - printmsg(CFSTR("%@: %@\n"), key, printFullDataString(circleData)); - - CFReleaseNull(dateString); - CFReleaseNull(circleData); - CFReleaseSafe(circle); - CFReleaseNull(dateData); - CFReleaseNull(localError); - } - else{ - printmsg(CFSTR("%@: %@\n"), key, value); - } -} - -static void displayCircle(CFTypeRef key, CFTypeRef value) -{ - CFDataRef circleData = (CFDataRef)value; - - CFErrorRef localError = NULL; - if (isData(circleData)) - { - CFIndex size = 5; - CFNumberRef idLength = CFNumberCreate(kCFAllocatorDefault, kCFNumberCFIndexType, &size); - CFDictionaryRef format = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, CFSTR("SyncD"), CFSTR("SyncD"), CFSTR("idLength"), idLength, NULL); - SOSCircleRef circle = SOSCircleCreateFromData(NULL, circleData, &localError); - printmsgWithFormatOptions(format, CFSTR("%@: %@\n"), key, circle); - CFReleaseSafe(circle); - CFReleaseNull(idLength); - CFReleaseNull(format); - - } - else - printmsg(CFSTR("%@: %@\n"), key, value); -} - -static void displayMessage(CFTypeRef key, CFTypeRef value) -{ - CFDataRef message = (CFDataRef)value; - if(isData(message)){ - const char* messageType = SecOTRPacketTypeString(message); - printmsg(CFSTR("%@: %s: %ld\n"), key, messageType, CFDataGetLength(message)); - } - else - printmsg(CFSTR("%@: %@\n"), key, value); -} - -static void printEverything(CFTypeRef objects) -{ - 
CFDictionaryForEach(objects, ^(const void *key, const void *value) { - if (isData(value)) - { - printmsg(CFSTR("%@: %@\n\n"), key, printFullDataString(value)); - } - else - printmsg(CFSTR("%@: %@\n"), key, value); - }); - -} - -static void decodeForKeyType(CFTypeRef key, CFTypeRef value, SOSKVSKeyType type){ - switch (type) { - case kCircleKey: - displayCircle(key, value); - break; - case kRetirementKey: - case kMessageKey: - displayMessage(key, value); - break; - case kParametersKey: - displayKeyParameters(key, value); - break; - case kLastKeyParameterKey: - displayLastKeyParameters(key, value); - break; - case kLastCircleKey: - displayLastCircle(key, value); - break; - case kInitialSyncKey: - case kAccountChangedKey: - case kDebugInfoKey: - case kRingKey: - default: - printmsg(CFSTR("%@: %@\n"), key, value); - break; - } -} - -static void decodeAllTheValues(CFTypeRef objects){ - SOSKVSKeyType keyType = 0; - __block bool didPrint = false; - - for (keyType = 0; keyType <= MAXKVSKEYTYPE; keyType++){ - CFDictionaryForEach(objects, ^(const void *key, const void *value) { - if(SOSKVSKeyGetKeyType(key) == keyType){ - decodeForKeyType(key, value, keyType); - didPrint = true; - } - }); - if(didPrint) - printmsg(CFSTR("%@\n"), CFSTR("")); - didPrint = false; - } -} -static bool dumpKVS(char *itemName, CFErrorRef *err) -{ - CFArrayRef keysToGet = NULL; - if (itemName) - { - CFStringRef itemStr = CFStringCreateWithCString(kCFAllocatorDefault, itemName, kCFStringEncodingUTF8); - fprintf(outFile, "Retrieving %s from KVS\n", itemName); - keysToGet = CFArrayCreateForCFTypes(kCFAllocatorDefault, itemStr, NULL); - CFReleaseSafe(itemStr); - } - dispatch_queue_t generalq = dispatch_queue_create("general", DISPATCH_QUEUE_SERIAL); - dispatch_group_t work_group = dispatch_group_create(); - CFTypeRef objects = getObjectsFromCloud(keysToGet, generalq, work_group); - CFReleaseSafe(keysToGet); - if (objects) - { - fprintf(outFile, "All keys and values straight from KVS\n"); - 
printEverything(objects); - fprintf(outFile, "\nAll values in decoded form...\n"); - decodeAllTheValues(objects); - } - fprintf(outFile, "\n"); - return true; -} - - - #define USE_NEW_SPI 1 #if ! USE_NEW_SPI @@ -542,12 +179,13 @@ static void sysdiagnose_dump() { SOSLogSetOutputTo(outputDir, "syncD.log"); // do sync -D - dumpKVS(optarg, NULL); + SOSCCDumpCircleKVSInformation(optarg); closeOutput(); SOSLogSetOutputTo(outputDir, "synci.log"); // do sync -i - dumpCircleInfo(); + SOSCCDumpCircleInformation(); + SOSCCDumpEngineInformation(); closeOutput(); SOSLogSetOutputTo(outputDir, "syncL.log"); @@ -603,7 +241,8 @@ keychain_log(int argc, char * const *argv) switch (ch) { case 'i': - dumpCircleInfo(); + SOSCCDumpCircleInformation(); + SOSCCDumpEngineInformation(); break; @@ -612,7 +251,7 @@ keychain_log(int argc, char * const *argv) break; case 'D': - hadError = !dumpKVS(optarg, &error); + (void)SOSCCDumpCircleKVSInformation(optarg); break; case 'L': @@ -625,7 +264,7 @@ keychain_log(int argc, char * const *argv) case '?': default: - return 2; /* Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } if (hadError) diff --git a/OSX/sec/SOSCircle/Tool/keychain_sync.m b/OSX/sec/SOSCircle/Tool/keychain_sync.m index 73f00ac7..32136f94 100644 --- a/OSX/sec/SOSCircle/Tool/keychain_sync.m +++ b/OSX/sec/SOSCircle/Tool/keychain_sync.m @@ -61,6 +61,7 @@ #include "secToolFileIO.h" #include "secViewDisplay.h" +#include "accountCirclesViewsPrint.h" #include 
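Review bot: The `case 'D'` arm of `keychain_log` now discards the result with `(void)SOSCCDumpCircleKVSInformation(optarg);`, so a failed KVS dump can no longer reach the `if (hadError)` check after the switch. The header declares the function as returning `bool`, so `hadError = !SOSCCDumpCircleKVSInformation(optarg);` keeps the previous wiring; the same applies to `case 'D'` in keychain_sync.m (`@@ -1205` hunk). In `sysdiagnose_dump` the call passes the global `optarg`, which holds whatever getopt last stored; if a full dump is intended there, passing `NULL` would say so explicitly, though that depends on code outside the hunk.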
@@ -87,131 +88,6 @@ static bool clearAllKVS(CFErrorRef *error) return result; } -static const char *getSOSCCStatusDescription(SOSCCStatus ccstatus) -{ - switch (ccstatus) - { - case kSOSCCInCircle: return "In Circle"; - case kSOSCCNotInCircle: return "Not in Circle"; - case kSOSCCRequestPending: return "Request pending"; - case kSOSCCCircleAbsent: return "Circle absent"; - case kSOSCCError: return "Circle error"; - - default: - return ""; - break; - } -} - -static void printPeerInfos(char *label, CFArrayRef (^getArray)(CFErrorRef *error)) { - CFErrorRef error = NULL; - CFArrayRef ppi = getArray(&error); - SOSPeerInfoRef me = SOSCCCopyMyPeerInfo(NULL); - CFStringRef mypeerID = SOSPeerInfoGetPeerID(me); - - if(ppi) { - printmsg(CFSTR("%s count: %ld\n"), label, (long)CFArrayGetCount(ppi)); - CFArrayForEach(ppi, ^(const void *value) { - char buf[160]; - SOSPeerInfoRef peer = (SOSPeerInfoRef)value; - CFIndex version = SOSPeerInfoGetVersion(peer); - CFStringRef peerName = SOSPeerInfoGetPeerName(peer); - CFStringRef devtype = SOSPeerInfoGetPeerDeviceType(peer); - CFStringRef peerID = SOSPeerInfoGetPeerID(peer); - CFStringRef transportType = CFSTR("KVS"); - CFStringRef deviceID = CFSTR(""); - CFDictionaryRef gestalt = SOSPeerInfoCopyPeerGestalt(peer); - CFStringRef osVersion = CFDictionaryGetValue(gestalt, CFSTR("OSVersion")); - CFReleaseNull(gestalt); - - - if(version >= 2){ - CFDictionaryRef v2Dictionary = peer->v2Dictionary; - transportType = CFDictionaryGetValue(v2Dictionary, sTransportType); - deviceID = CFDictionaryGetValue(v2Dictionary, sDeviceID); - } - char *pname = CFStringToCString(peerName); - char *dname = CFStringToCString(devtype); - char *tname = CFStringToCString(transportType); - char *iname = CFStringToCString(deviceID); - char *osname = CFStringToCString(osVersion); - const char *me = CFEqualSafe(mypeerID, peerID) ? 
"me>" : " "; - - - snprintf(buf, 160, "%s %s: %-16s %-16s %-16s %-16s", me, label, pname, dname, tname, iname); - - free(pname); - free(dname); - CFStringRef pid = SOSPeerInfoGetPeerID(peer); - CFIndex vers = SOSPeerInfoGetVersion(peer); - printmsg(CFSTR("%s %@ V%d OS:%s\n"), buf, pid, vers, osname); - free(osname); - }); - } else { - printmsg(CFSTR("No %s, error: %@\n"), label, error); - } - CFReleaseNull(ppi); - CFReleaseNull(error); -} - -static void dumpCircleInfo() -{ - CFErrorRef error = NULL; - CFArrayRef generations = NULL; - CFArrayRef confirmedDigests = NULL; - bool is_accountKeyIsTrusted = false; - __block int count = 0; - - SOSCCStatus ccstatus = SOSCCThisDeviceIsInCircle(&error); - if(ccstatus == kSOSCCError) { - printmsg(CFSTR("End of Dump - unable to proceed due to ccstatus (%s) error: %@\n"), getSOSCCStatusDescription(ccstatus), error); - return; - } - printmsg(CFSTR("ccstatus: %s (%d)\n"), getSOSCCStatusDescription(ccstatus), ccstatus, error); - - is_accountKeyIsTrusted = SOSCCValidateUserPublic(&error); - if(is_accountKeyIsTrusted) - printmsg(CFSTR("Account user public is trusted%@"),CFSTR("\n")); - else - printmsg(CFSTR("Account user public is not trusted error:(%@)\n"), error); - CFReleaseNull(error); - - generations = SOSCCCopyGenerationPeerInfo(&error); - if(generations) { - CFArrayForEach(generations, ^(const void *value) { - count++; - if(count%2 == 0) - printmsg(CFSTR("Circle name: %@, "),value); - - if(count%2 != 0) { - CFStringRef genDesc = SOSGenerationCountCopyDescription(value); - printmsg(CFSTR("Generation Count: %@"), genDesc); - CFReleaseNull(genDesc); - } - printmsg(CFSTR("%s\n"), ""); - }); - } else { - printmsg(CFSTR("No generation count: %@\n"), error); - } - CFReleaseNull(generations); - CFReleaseNull(error); - - printPeerInfos(" Peers", ^(CFErrorRef *error) { return SOSCCCopyValidPeerPeerInfo(error); }); - printPeerInfos(" Invalid", ^(CFErrorRef *error) { return SOSCCCopyNotValidPeerPeerInfo(error); }); - printPeerInfos(" 
Retired", ^(CFErrorRef *error) { return SOSCCCopyRetirementPeerInfo(error); }); - printPeerInfos(" Concur", ^(CFErrorRef *error) { return SOSCCCopyConcurringPeerPeerInfo(error); }); - printPeerInfos("Applicants", ^(CFErrorRef *error) { return SOSCCCopyApplicantPeerInfo(error); }); - - if (!SOSCCForEachEngineStateAsString(&error, ^(CFStringRef oneStateString) { - printmsg(CFSTR("%@\n"), oneStateString); - })) { - printmsg(CFSTR("No engine peers: %@\n"), error); - } - - CFReleaseNull(error); - CFReleaseNull(confirmedDigests); -} - static bool enableDefaultViews() { bool result = false; 
@@ -277,244 +153,6 @@ static bool tryPassword(char *labelAndPassword, CFErrorRef *err) return returned; } -static CFTypeRef getObjectsFromCloud(CFArrayRef keysToGet, dispatch_queue_t processQueue, dispatch_group_t dgroup) -{ - __block CFTypeRef object = NULL; - - const uint64_t maxTimeToWaitInSeconds = 30ull * NSEC_PER_SEC; - dispatch_semaphore_t waitSemaphore = dispatch_semaphore_create(0); - dispatch_time_t finishTime = dispatch_time(DISPATCH_TIME_NOW, maxTimeToWaitInSeconds); - - dispatch_group_enter(dgroup); - - CloudKeychainReplyBlock replyBlock = - ^ (CFDictionaryRef returnedValues, CFErrorRef error) - { - secinfo("sync", "SOSCloudKeychainGetObjectsFromCloud returned: %@", returnedValues); - object = returnedValues; - if (object) - CFRetain(object); - if (error) - { - secerror("SOSCloudKeychainGetObjectsFromCloud returned error: %@", error); - } - dispatch_group_leave(dgroup); - secinfo("sync", "SOSCloudKeychainGetObjectsFromCloud block exit: %@", object); - dispatch_semaphore_signal(waitSemaphore); - }; - - if (!keysToGet) - SOSCloudKeychainGetAllObjectsFromCloud(processQueue, replyBlock); - else - SOSCloudKeychainGetObjectsFromCloud(keysToGet, processQueue, replyBlock); - - dispatch_semaphore_wait(waitSemaphore, finishTime); - if (object && (CFGetTypeID(object) == CFNullGetTypeID())) // return a NULL instead of a CFNull - { - CFRelease(object); - object = NULL; - } - secerror("returned: %@", object); - return object; -} - -static CFStringRef printFullDataString(CFDataRef data){ - __block CFStringRef fullData = NULL; - - BufferPerformWithHexString(CFDataGetBytePtr(data), CFDataGetLength(data), ^(CFStringRef dataHex) { - fullData = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%@"), dataHex); - }); - - return fullData; -} - -static void displayLastKeyParameters(CFTypeRef key, CFTypeRef value) -{ - CFDataRef valueAsData = asData(value, NULL); - if(valueAsData){ - CFDataRef dateData = CFDataCreateCopyFromRange(kCFAllocatorDefault, valueAsData, 
CFRangeMake(0, DATE_LENGTH)); - CFDataRef keyParameterData = CFDataCreateCopyFromPositions(kCFAllocatorDefault, valueAsData, DATE_LENGTH, CFDataGetLength(valueAsData)); - CFStringRef dateString = CFStringCreateFromExternalRepresentation(kCFAllocatorDefault, dateData, kCFStringEncodingUTF8); - CFStringRef keyParameterDescription = UserParametersDescription(keyParameterData); - if(keyParameterDescription) - printmsg(CFSTR("%@: %@: %@\n"), key, dateString, keyParameterDescription); - else - printmsg(CFSTR("%@: %@\n"), key, printFullDataString(value)); - CFReleaseNull(dateString); - CFReleaseNull(keyParameterData); - CFReleaseNull(dateData); - CFReleaseNull(keyParameterDescription); - } - else{ - printmsg(CFSTR("%@: %@\n"), key, value); - } -} - -static void displayKeyParameters(CFTypeRef key, CFTypeRef value) -{ - if(isData(value)){ - CFStringRef keyParameterDescription = UserParametersDescription((CFDataRef)value); - - if(keyParameterDescription) - printmsg(CFSTR("%@: %@\n"), key, keyParameterDescription); - else - printmsg(CFSTR("%@: %@\n"), key, value); - - CFReleaseNull(keyParameterDescription); - } - else{ - printmsg(CFSTR("%@: %@\n"), key, value); - } -} - -static void displayLastCircle(CFTypeRef key, CFTypeRef value) -{ - CFDataRef valueAsData = asData(value, NULL); - if(valueAsData){ - CFErrorRef localError = NULL; - - CFDataRef dateData = CFDataCreateCopyFromRange(kCFAllocatorDefault, valueAsData, CFRangeMake(0, DATE_LENGTH)); - CFDataRef circleData = CFDataCreateCopyFromPositions(kCFAllocatorDefault, valueAsData, DATE_LENGTH, CFDataGetLength(valueAsData)); - CFStringRef dateString = CFStringCreateFromExternalRepresentation(kCFAllocatorDefault, dateData, kCFStringEncodingUTF8); - SOSCircleRef circle = SOSCircleCreateFromData(NULL, (CFDataRef) circleData, &localError); - - if(circle){ - CFIndex size = 5; - CFNumberRef idLength = CFNumberCreate(kCFAllocatorDefault, kCFNumberCFIndexType, &size); - CFDictionaryRef format = 
CFDictionaryCreateForCFTypes(kCFAllocatorDefault, CFSTR("SyncD"), CFSTR("SyncD"), CFSTR("idLength"), idLength, NULL); - printmsgWithFormatOptions(format, CFSTR("%@: %@: %@\n"), key, dateString, circle); - CFReleaseNull(idLength); - CFReleaseNull(format); - - } - else - printmsg(CFSTR("%@: %@\n"), key, printFullDataString(circleData)); - - CFReleaseNull(dateString); - CFReleaseNull(circleData); - CFReleaseSafe(circle); - CFReleaseNull(dateData); - CFReleaseNull(localError); - } - else{ - printmsg(CFSTR("%@: %@\n"), key, value); - } -} - -static void displayCircle(CFTypeRef key, CFTypeRef value) -{ - CFDataRef circleData = (CFDataRef)value; - - CFErrorRef localError = NULL; - if (isData(circleData)) - { - CFIndex size = 5; - CFNumberRef idLength = CFNumberCreate(kCFAllocatorDefault, kCFNumberCFIndexType, &size); - CFDictionaryRef format = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, CFSTR("SyncD"), CFSTR("SyncD"), CFSTR("idLength"), idLength, NULL); - SOSCircleRef circle = SOSCircleCreateFromData(NULL, circleData, &localError); - printmsgWithFormatOptions(format, CFSTR("%@: %@\n"), key, circle); - CFReleaseSafe(circle); - CFReleaseNull(idLength); - CFReleaseNull(format); - - } - else - printmsg(CFSTR("%@: %@\n"), key, value); -} - -static void displayMessage(CFTypeRef key, CFTypeRef value) -{ - CFDataRef message = (CFDataRef)value; - if(isData(message)){ - const char* messageType = SecOTRPacketTypeString(message); - printmsg(CFSTR("%@: %s: %ld\n"), key, messageType, CFDataGetLength(message)); - } - else - printmsg(CFSTR("%@: %@\n"), key, value); -} - -static void printEverything(CFTypeRef objects) -{ - CFDictionaryForEach(objects, ^(const void *key, const void *value) { - if (isData(value)) - { - printmsg(CFSTR("%@: %@\n\n"), key, printFullDataString(value)); - } - else - printmsg(CFSTR("%@: %@\n"), key, value); - }); - -} - -static void decodeForKeyType(CFTypeRef key, CFTypeRef value, SOSKVSKeyType type){ - switch (type) { - case kCircleKey: - 
displayCircle(key, value); - break; - case kRetirementKey: - case kMessageKey: - displayMessage(key, value); - break; - case kParametersKey: - displayKeyParameters(key, value); - break; - case kLastKeyParameterKey: - displayLastKeyParameters(key, value); - break; - case kLastCircleKey: - displayLastCircle(key, value); - break; - case kInitialSyncKey: - case kAccountChangedKey: - case kDebugInfoKey: - case kRingKey: - default: - printmsg(CFSTR("%@: %@\n"), key, value); - break; - } -} - -static void decodeAllTheValues(CFTypeRef objects){ - SOSKVSKeyType keyType = 0; - __block bool didPrint = false; - - for (keyType = 0; keyType <= MAXKVSKEYTYPE; keyType++){ - CFDictionaryForEach(objects, ^(const void *key, const void *value) { - if(SOSKVSKeyGetKeyType(key) == keyType){ - decodeForKeyType(key, value, keyType); - didPrint = true; - } - }); - if(didPrint) - printmsg(CFSTR("%@\n"), CFSTR("")); - didPrint = false; - } -} -static bool dumpKVS(char *itemName, CFErrorRef *err) -{ - CFArrayRef keysToGet = NULL; - if (itemName) - { - CFStringRef itemStr = CFStringCreateWithCString(kCFAllocatorDefault, itemName, kCFStringEncodingUTF8); - fprintf(outFile, "Retrieving %s from KVS\n", itemName); - keysToGet = CFArrayCreateForCFTypes(kCFAllocatorDefault, itemStr, NULL); - CFReleaseSafe(itemStr); - } - dispatch_queue_t generalq = dispatch_queue_create("general", DISPATCH_QUEUE_SERIAL); - dispatch_group_t work_group = dispatch_group_create(); - CFTypeRef objects = getObjectsFromCloud(keysToGet, generalq, work_group); - CFReleaseSafe(keysToGet); - if (objects) - { - fprintf(outFile, "All keys and values straight from KVS\n"); - printEverything(objects); - fprintf(outFile, "\nAll values in decoded form...\n"); - decodeAllTheValues(objects); - } - fprintf(outFile, "\n"); - return true; -} - static bool syncAndWait(CFErrorRef *err) { __block CFTypeRef objects = NULL; 
@@ -540,7 +178,7 @@ static bool syncAndWait(CFErrorRef *err) dispatch_semaphore_wait(waitSemaphore, finishTime); - dumpKVS(NULL, NULL); + (void)SOSCCDumpCircleKVSInformation(NULL); fprintf(outFile, "\n"); return false; } @@ -670,7 +308,9 @@ static bool dumpMyPeer(CFErrorRef *error) { } - return myPeer != NULL; + bool ret = myPeer != NULL; + CFReleaseNull(myPeer); + return ret; } static bool setBag(char *itemName, CFErrorRef *err) @@ -961,7 +601,8 @@ keychain_sync(int argc, char * const *argv) } case 'i': - dumpCircleInfo(); + SOSCCDumpCircleInformation(); + SOSCCDumpEngineInformation(); break; case 'k': @@ -970,7 +611,7 @@ keychain_sync(int argc, char * const *argv) case 'o': { - printPeerInfos("view-unaware", ^(CFErrorRef *error) { return SOSCCCopyViewUnawarePeerInfo(error); }); + SOSCCDumpViewUnwarePeers(); break; } @@ -1205,7 +846,7 @@ keychain_sync(int argc, char * const *argv) break; case 'D': - hadError = !dumpKVS(optarg, &error); + (void)SOSCCDumpCircleKVSInformation(optarg); break; case 'W': @@ -1236,7 +877,7 @@ keychain_sync(int argc, char * const *argv) break; case '?': default: - return 2; /* Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } if (hadError) diff --git a/OSX/sec/SOSCircle/Tool/keychain_sync_test.m b/OSX/sec/SOSCircle/Tool/keychain_sync_test.m index 1f345865..3aed8f9d 100644 --- a/OSX/sec/SOSCircle/Tool/keychain_sync_test.m +++ b/OSX/sec/SOSCircle/Tool/keychain_sync_test.m @@ -77,7 +77,7 @@ keychain_sync_test(int argc, char * const *argv) case -1: break; default: - return 2; + return SHOW_USAGE_MESSAGE; } } diff --git a/OSX/sec/SOSCircle/Tool/recovery_key.m b/OSX/sec/SOSCircle/Tool/recovery_key.m index 882111cc..f836de1f 100644 --- a/OSX/sec/SOSCircle/Tool/recovery_key.m +++ b/OSX/sec/SOSCircle/Tool/recovery_key.m 
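Review bot: In the `case 'D':` hunk the result of `SOSCCDumpCircleKVSInformation(optarg)` is cast to `(void)`, so `hadError` is no longer set on this path and a failed KVS dump presumably leaves the tool's exit status untouched; the `syncAndWait` hunk discards the result the same way. The function's return type is not visible here, but if it reports success as a bool the call could stay wired up as `hadError = !SOSCCDumpCircleKVSInformation(optarg);`. If ignoring the result is deliberate, a comment such as `/* best-effort diagnostic dump; failure does not change the exit status */` would make that clear. `keychain_sync` begins and ends outside these hunks.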
@@ -66,16 +66,16 @@ recovery_key(int argc, char * const *argv) NSError *nserror = NULL; NSString *testString = [NSString stringWithUTF8String:optarg]; if(testString == nil) - return 2; + return SHOW_USAGE_MESSAGE; SecRecoveryKey *rk = SecRKCreateRecoveryKeyWithError(testString, &nserror); if(rk == nil) { printmsg(CFSTR("SecRKCreateRecoveryKeyWithError: %@\n"), nserror); - return 2; + return SHOW_USAGE_MESSAGE; } NSData *publicKey = SecRKCopyBackupPublicKey(rk); if(publicKey == nil) - return 2; + return SHOW_USAGE_MESSAGE; printmsg(CFSTR("example (not registered) public recovery key: %@\n"), publicKey); break; @@ -83,7 +83,7 @@ recovery_key(int argc, char * const *argv) case 'R': { NSString *testString = SecRKCreateRecoveryKeyString(NULL); if(testString == nil) - return 2; + return SHOW_USAGE_MESSAGE; printmsg(CFSTR("public recovery string: %@\n"), testString); @@ -94,19 +94,19 @@ recovery_key(int argc, char * const *argv) NSError *nserror = NULL; NSString *testString = [NSString stringWithUTF8String:optarg]; if(testString == nil) - return 2; + return SHOW_USAGE_MESSAGE; SecRecoveryKey *rk = SecRKCreateRecoveryKeyWithError(testString, &nserror); if(rk == nil) { printmsg(CFSTR("SecRKCreateRecoveryKeyWithError: %@\n"), nserror); - return 2; + return SHOW_USAGE_MESSAGE; } CFErrorRef cferror = NULL; if(!SecRKRegisterBackupPublicKey(rk, &cferror)) { printmsg(CFSTR("Error from SecRKRegisterBackupPublicKey: %@\n"), cferror); CFReleaseNull(cferror); - return 2; + return SHOW_USAGE_MESSAGE; } break; } 
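Review bot: Runtime failures return `SHOW_USAGE_MESSAGE` here, not only bad arguments: in the `@@ -66,16` and `@@ -94,19` hunks a failed `SecRKCreateRecoveryKeyWithError` or `SecRKRegisterBackupPublicKey` takes the same return as a nil `optarg` string, and the later `@@ -146,12` hunk does the same for `SecRKCopyAccountRecoveryVerifier`. A script driving the tool then cannot tell "backup public key was not registered" from "wrong flags", and the user sees a usage banner after a real error. `recovery_key` already has a `hadError` flag (its handling is outside the hunks), so the failure branches could use `hadError = true; break;` and keep `SHOW_USAGE_MESSAGE` for argument problems only.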
@@ -146,12 +146,12 @@ recovery_key(int argc, char * const *argv) NSString *testString = [NSString stringWithUTF8String:optarg]; NSString *fileName = [NSString stringWithFormat:@"%@.plist", testString]; if(testString == nil) - return 2; + return SHOW_USAGE_MESSAGE; NSDictionary *ver = SecRKCopyAccountRecoveryVerifier(testString, &localError); if(ver == nil) { printmsg(CFSTR("Failed to make verifier dictionary: %@\n"), localError); - return 2; + return SHOW_USAGE_MESSAGE; } printmsg(CFSTR("Verifier Dictionary: %@\n\n"), ver); @@ -169,7 +169,7 @@ recovery_key(int argc, char * const *argv) for (unsigned n = 0; n < sizeof(long_options)/sizeof(long_options[0]); n++) { printf("\t [-%c|--%s\n", long_options[n].val, long_options[n].name); } - return 2; + return SHOW_USAGE_MESSAGE; } } if (hadError) diff --git a/OSX/sec/SOSCircle/Tool/syncbackup.m b/OSX/sec/SOSCircle/Tool/syncbackup.m index d44a94d7..d2f13955 100644 --- a/OSX/sec/SOSCircle/Tool/syncbackup.m +++ b/OSX/sec/SOSCircle/Tool/syncbackup.m @@ -136,7 +136,7 @@ syncbackup(int argc, char * const *argv) case '?': default: - return 2; /* Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } if (hadError) diff --git a/OSX/sec/Security/Regressions/otr/otr-otrdh.c b/OSX/sec/Security/Regressions/otr/otr-otrdh.c index e852ff06..1a569976 100644 --- a/OSX/sec/Security/Regressions/otr/otr-otrdh.c +++ b/OSX/sec/Security/Regressions/otr/otr-otrdh.c @@ -80,7 +80,9 @@ int otr_otrdh(int argc, char *const * argv) ok(0 == memcmp(aliceMacKeys[0], bobMacKeys[1], sizeof(aliceMacKeys[0])), "Mac Keys don't match!!"); ok(0 == memcmp(aliceMacKeys[1], bobMacKeys[0], sizeof(aliceMacKeys[1])), "Mac Keys don't match!!"); CFReleaseNull(aliceCompactSerialized); + CFReleaseNull(aliceCompactDeserialized); CFReleaseNull(aliceSerialized); + CFReleaseNull(aliceDeserialized); CFReleaseNull(aliceFull); CFReleaseNull(alicePublic); CFReleaseNull(bobFull); 
diff --git a/OSX/sec/Security/Regressions/secitem/si-10-find-internet.c b/OSX/sec/Security/Regressions/secitem/si-10-find-internet.c index 65e28052..57694b9c 100644 --- a/OSX/sec/Security/Regressions/secitem/si-10-find-internet.c +++ b/OSX/sec/Security/Regressions/secitem/si-10-find-internet.c @@ -59,6 +59,7 @@ static void tests(void) ok_status(SecItemCopyMatching(query2, &results), "find internet password, return attributes"); CFReleaseNull(query2); query2 = CFDictionaryCreateMutableCopy(kCFAllocatorDefault, 0, results); + CFReleaseNull(results); CFDictionaryRemoveValue(query2, kSecAttrSHA1), CFDictionarySetValue(query2, kSecClass, kSecClassInternetPassword); CFDictionarySetValue(query2, kSecReturnData, kCFBooleanTrue); diff --git a/OSX/sec/Security/Regressions/secitem/si-15-certificate.c b/OSX/sec/Security/Regressions/secitem/si-15-certificate.c index 2407e3aa..bd51a64c 100644 --- a/OSX/sec/Security/Regressions/secitem/si-15-certificate.c +++ b/OSX/sec/Security/Regressions/secitem/si-15-certificate.c 
@@ -982,13 +982,76 @@ static void test_copy_email_addresses(void) { CFReleaseNull(array); } +static void test_copy_extension_value(void) { + SecCertificateRef cert = SecCertificateCreateWithBytes(NULL, mail_google_com, sizeof(mail_google_com)); + CFDataRef extension = NULL, expected = NULL, oid = NULL; + bool critical = false; + + /* parameter fails */ + is(extension = SecCertificateCopyExtensionValue(NULL, CFSTR("1.2.3.4"), &critical), NULL, + "NULL cert input succeeded"); + is(extension = SecCertificateCopyExtensionValue(cert, NULL, &critical), NULL, + "NULL OID input succeeded"); + + /* Extension not present */ + is(extension = SecCertificateCopyExtensionValue(cert, CFSTR("1.2.3.4"), &critical), NULL, + "Got extension value for non-present extension OID"); + + /* Using decimal OID, extension present and critical */ + isnt(extension = SecCertificateCopyExtensionValue(cert, CFSTR("2.5.29.19"), &critical), NULL, + "Failed to get extension for present extension OID"); + is(critical, true, "Got wrong criticality for critical extension"); + uint8_t basic_constraints_value[2] = { 0x30, 0x00 }; + expected = CFDataCreate(NULL, basic_constraints_value, sizeof(basic_constraints_value)); + ok(CFEqual(extension, expected), "Got wrong extension value for basic constraints"); + CFReleaseNull(extension); + CFReleaseNull(expected); + + /* Using binary OID, extension present and non critical */ + uint8_t oidExtendedKeyUsage[3] = { 0x55, 0x01d, 0x25 }; + oid = CFDataCreate(NULL, oidExtendedKeyUsage, sizeof(oidExtendedKeyUsage)); + isnt(extension = SecCertificateCopyExtensionValue(cert, oid, &critical), NULL, + "Failed to get extension for present extension OID"); + is(critical, false, "Got wrong criticality for non-critical extension"); + uint8_t eku_value[] = { + 0x30, 0x1f, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, + 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42, 0x04, + 0x01 + }; + expected = 
CFDataCreate(NULL, eku_value, sizeof(eku_value)); + ok(CFEqual(extension, expected), "Got wrong extension value for extended key usage"); + CFReleaseNull(oid); + CFReleaseNull(extension); + CFReleaseNull(expected); + + /* No critical output */ + isnt(extension = SecCertificateCopyExtensionValue(cert, CFSTR("2.5.29.19"), NULL), NULL, + "Failed to get extension for present extension OID"); + CFReleaseNull(extension); + + /* messed up binary OIDs */ + is(extension = SecCertificateCopyExtensionValue(cert, CFSTR("abcd"), NULL), NULL, + "letters in OID"); + is(extension = SecCertificateCopyExtensionValue(cert, CFSTR("8.1.1.2"), NULL), NULL, + "bad first arc"); + is(extension = SecCertificateCopyExtensionValue(cert, CFSTR("10.1.1.1"), NULL), NULL, + "longer bad first arc"); + is(extension = SecCertificateCopyExtensionValue(cert, CFSTR(""), NULL), NULL, + "empty string"); + is(extension = SecCertificateCopyExtensionValue(cert, CFSTR("1.2.1099511627776."), NULL), NULL, + "six byte component"); + + CFReleaseNull(cert); +} + int si_15_certificate(int argc, char *const *argv) { - plan_tests(30); + plan_tests(45); tests(); test_common_name(); test_copy_email_addresses(); + test_copy_extension_value(); return 0; } diff --git a/OSX/sec/Security/Regressions/secitem/si-18-certificate-parse.m b/OSX/sec/Security/Regressions/secitem/si-18-certificate-parse.m index 6f59d94a..bca3b341 100644 --- a/OSX/sec/Security/Regressions/secitem/si-18-certificate-parse.m +++ b/OSX/sec/Security/Regressions/secitem/si-18-certificate-parse.m 
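Review bot: The two `ok(CFEqual(extension, expected), ...)` checks in `test_copy_extension_value` run even when the preceding `isnt(extension = SecCertificateCopyExtensionValue(...), NULL, ...)` has just failed, and `CFEqual` does not accept a NULL argument, so a regression that returns NULL would crash the test binary instead of recording a failure. Guarding the comparison, `ok(extension && CFEqual(extension, expected), "Got wrong extension value for basic constraints");`, keeps the planned count at 45 and reports the failure normally. `cert` is likewise used without a NULL check after `SecCertificateCreateWithBytes`. The comment `/* messed up binary OIDs */` sits above cases that all pass `CFSTR` strings; `/* malformed dotted-decimal OID strings */` would match what is tested.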
@@ -142,7 +142,7 @@ static void test_path_parse_failure(void) { require_noerr_action(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)[NSDate dateWithTimeIntervalSinceReferenceDate:507200000.0]), blockOut, fail("Unable to set verify date: %@", url)); require_noerr_action(SecTrustEvaluate(trust, &trustResult), blockOut, - fail("Failed ot evaluate trust with error: %@", url)); + fail("Failed to evaluate trust with error: %@", url)); is(trustResult, kSecTrustResultRecoverableTrustFailure, "Got wrong trust result (%d) for %@", trustResult, url); require_action(cert, blockOut, diff --git a/OSX/sec/Security/Regressions/secitem/si-20-sectrust.c b/OSX/sec/Security/Regressions/secitem/si-20-sectrust.c index fc0dd486..33cc714d 100644 --- a/OSX/sec/Security/Regressions/secitem/si-20-sectrust.c +++ b/OSX/sec/Security/Regressions/secitem/si-20-sectrust.c @@ -451,7 +451,7 @@ static bool test_chain_of_three(uint8_t *cert0, size_t cert0len, ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate chain"); is(SecTrustGetCertificateCount(trust), 3, "expected chain of 3"); - bool did_succeed = (trustResult == kSecTrustResultUnspecified); + bool did_succeed = (trustResult == kSecTrustResultUnspecified || trustResult == kSecTrustResultProceed); if (failureReason && should_succeed && !did_succeed) { *failureReason = SecTrustCopyFailureDescription(trust); 
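Review bot: `did_succeed` in `test_chain_of_three` now also accepts `kSecTrustResultProceed`, and nothing in the hunk says why. A one-line comment stating the reason would help, for example `/* kSecTrustResultProceed: chain trusted through an explicit trust setting; counted as success */`; if that is not the intended reason, the comment should give the real one. Accepting both values also means the test no longer tells a chain trusted by default from one trusted through a local override. The function continues outside the hunk.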
@@ -647,12 +647,260 @@ errOut: CFReleaseNull(date); } +static void test_evaluate_with_error(void) { +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wunguarded-availability-new" + + SecCertificateRef cert0 = NULL, cert1 = NULL, cert2 = NULL; + SecPolicyRef policy = NULL; + SecTrustRef trust = NULL; + CFArrayRef certificates = NULL, roots = NULL; + CFDateRef date = NULL, validDate = NULL; + CFErrorRef error = NULL; + + require(cert0 = SecCertificateCreateWithBytes(NULL, _expired_badssl, sizeof(_expired_badssl)), errOut); + require(cert1 = SecCertificateCreateWithBytes(NULL, _comodo_rsa_dvss, sizeof(_comodo_rsa_dvss)), errOut); + require(cert2 = SecCertificateCreateWithBytes(NULL, _comodo_rsa_root, sizeof(_comodo_rsa_root)), errOut); + + const void *v_certs[] = { + cert0, + cert1 + }; + certificates = CFArrayCreate(NULL, v_certs, + array_size(v_certs), + &kCFTypeArrayCallBacks); + + const void *v_roots[] = { + cert2 + }; + roots = CFArrayCreate(NULL, v_roots, + array_size(v_roots), + &kCFTypeArrayCallBacks); + + require(policy = SecPolicyCreateSSL(true, CFSTR("expired.badssl.com")), errOut); + require_noerr(SecTrustCreateWithCertificates(certificates, policy, &trust), errOut); + require_noerr(SecTrustSetAnchorCertificates(trust, roots), errOut); + + /* April 10 2015 (cert expired in 2015) */ + require(validDate = CFDateCreateForGregorianZuluMoment(NULL, 2015, 4, 10, 12, 0, 0), errOut); + require_noerr(SecTrustSetVerifyDate(trust, validDate), errOut); + + is(SecTrustEvaluateWithError(trust, &error), true, "wrong result for valid cert"); + is(error, NULL, "set error for passing trust evaluation"); + CFReleaseNull(error); + + /* Mar 21 2017 (cert expired in 2015, so this will cause a validity error.) 
*/ + require(date = CFDateCreateForGregorianZuluMoment(NULL, 2017, 3, 21, 12, 0, 0), errOut); + require_noerr(SecTrustSetVerifyDate(trust, date), errOut); + + /* expect expiration error */ + is(SecTrustEvaluateWithError(trust, &error), false, "wrong result for expired cert"); + isnt(error, NULL, "failed to set error for failing trust evaluation"); + is(CFErrorGetCode(error), errSecCertificateExpired, "Got wrong error code for evaluation"); + CFReleaseNull(error); + + CFReleaseNull(policy); + require(policy = SecPolicyCreateSSL(true, CFSTR("expired.terriblessl.com")), errOut); + require_noerr(SecTrustSetPolicies(trust, policy), errOut); + + /* expect a hostname mismatch as well as expiration; hostname mismatch must be a higher priority */ + is(SecTrustEvaluateWithError(trust, &error), false, "wrong result for expired cert with hostname mismatch"); + isnt(error, NULL, "failed to set error for failing trust evaluation"); + is(CFErrorGetCode(error), errSecHostNameMismatch, "Got wrong error code for evaluation"); + CFReleaseNull(error); + + /* expect only a hostname mismatch*/ + require_noerr(SecTrustSetVerifyDate(trust, validDate), errOut); + is(SecTrustEvaluateWithError(trust, &error), false, "wrong result for valid cert with hostname mismatch"); + isnt(error, NULL, "failed to set error for failing trust evaluation"); + is(CFErrorGetCode(error), errSecHostNameMismatch, "Got wrong error code for evaluation"); + CFReleaseNull(error); + + /* pinning failure */ + CFReleaseNull(policy); + require(policy = SecPolicyCreateAppleSSLPinned(CFSTR("test"), CFSTR("expired.badssl.com"), + NULL, CFSTR("1.2.840.113635.100.6.27.1")), errOut); + require_noerr(SecTrustSetPolicies(trust, policy), errOut); + + is(SecTrustEvaluateWithError(trust, &error), false, "wrong result for valid cert with pinning failure"); + isnt(error, NULL, "failed to set error for failing trust evaluation"); + CFIndex errorCode = CFErrorGetCode(error); + // failed checks: AnchorApple, LeafMarkerOid, or 
IntermediateMarkerOid + ok(errorCode == errSecMissingRequiredExtension || errorCode == errSecInvalidRoot, "Got wrong error code for evaluation"); + CFReleaseNull(error); + + /* trust nothing, trust errors higher priority than hostname mismatch */ + CFReleaseNull(policy); + require(policy = SecPolicyCreateSSL(true, CFSTR("expired.terriblessl.com")), errOut); + require_noerr(SecTrustSetPolicies(trust, policy), errOut); + + CFReleaseNull(roots); + roots = CFArrayCreate(NULL, NULL, 0, &kCFTypeArrayCallBacks); + require_noerr(SecTrustSetAnchorCertificates(trust, roots), errOut); + is(SecTrustEvaluateWithError(trust, &error), false, "wrong result for expired cert with hostname mismatch"); + isnt(error, NULL, "failed to set error for failing trust evaluation"); + is(CFErrorGetCode(error), errSecNotTrusted, "Got wrong error code for evaluation"); + CFReleaseNull(error); + +errOut: + CFReleaseNull(trust); + CFReleaseNull(cert0); + CFReleaseNull(cert1); + CFReleaseNull(cert2); + CFReleaseNull(policy); + CFReleaseNull(certificates); + CFReleaseNull(roots); + CFReleaseNull(date); + CFReleaseNull(validDate); + CFReleaseNull(error); + +#pragma clang diagnostic pop +} + +static void test_optional_policy_check(void) { + SecCertificateRef cert0 = NULL, cert1 = NULL, root = NULL; + SecTrustRef trust = NULL; + SecPolicyRef policy = NULL; + CFArrayRef certs = NULL, anchors = NULL; + CFDateRef date = NULL; + + require_action(cert0 = SecCertificateCreateWithBytes(NULL, _leaf384C, sizeof(_leaf384C)), errOut, + fail("unable to create cert")); + require_action(cert1 = SecCertificateCreateWithBytes(NULL, _int384B, sizeof(_int384B)), errOut, + fail("unable to create cert")); + require_action(root = SecCertificateCreateWithBytes(NULL, _root384, sizeof(_root384)), errOut, + fail("unable to create cert")); + + const void *v_certs[] = { cert0, cert1 }; + require_action(certs = CFArrayCreate(NULL, v_certs, array_size(v_certs), &kCFTypeArrayCallBacks), errOut, + fail("unable to create array")); + 
require_action(anchors = CFArrayCreate(NULL, (const void **)&root, 1, &kCFTypeArrayCallBacks), errOut, + fail("unable to create anchors array")); + require_action(date = CFDateCreate(NULL, 472100000.0), errOut, fail("unable to create date")); + + require_action(policy = SecPolicyCreateBasicX509(), errOut, fail("unable to create policy")); + SecPolicySetOptionsValue(policy, CFSTR("not-a-policy-check"), kCFBooleanTrue); + + ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "failed to create trust"); + require_noerr_action(SecTrustSetAnchorCertificates(trust, anchors), errOut, + fail("unable to set anchors")); + require_noerr_action(SecTrustSetVerifyDate(trust, date), errOut, fail("unable to set verify date")); + +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wunguarded-availability-new" +#if NDEBUG + ok(SecTrustEvaluateWithError(trust, NULL), "Trust evaluation failed"); +#else + is(SecTrustEvaluateWithError(trust, NULL), false, "Expect failure in Debug config"); +#endif +#pragma clang diagnostic pop + +errOut: + CFReleaseNull(cert0); + CFReleaseNull(cert1); + CFReleaseNull(root); + CFReleaseNull(certs); + CFReleaseNull(anchors); + CFReleaseNull(date); + CFReleaseNull(policy); + CFReleaseNull(trust); +} + +static void test_serialization(void) { + SecCertificateRef cert0 = NULL, cert1 = NULL, root = NULL; + SecTrustRef trust = NULL, deserializedTrust = NULL; + SecPolicyRef policy = NULL; + CFArrayRef certs = NULL, anchors = NULL, deserializedCerts = NULL; + CFDateRef date = NULL; + CFDataRef serializedTrust = NULL; + CFErrorRef error = NULL; + + require_action(cert0 = SecCertificateCreateWithBytes(NULL, _leaf384C, sizeof(_leaf384C)), errOut, + fail("unable to create cert")); + require_action(cert1 = SecCertificateCreateWithBytes(NULL, _int384B, sizeof(_int384B)), errOut, + fail("unable to create cert")); + require_action(root = SecCertificateCreateWithBytes(NULL, _root384, sizeof(_root384)), errOut, + fail("unable to create cert")); + 
+ const void *v_certs[] = { cert0, cert1 }; + require_action(certs = CFArrayCreate(NULL, v_certs, array_size(v_certs), &kCFTypeArrayCallBacks), errOut, + fail("unable to create array")); + require_action(anchors = CFArrayCreate(NULL, (const void **)&root, 1, &kCFTypeArrayCallBacks), errOut, + fail("unable to create anchors array")); + require_action(date = CFDateCreate(NULL, 472100000.0), errOut, fail("unable to create date")); + + require_action(policy = SecPolicyCreateBasicX509(), errOut, fail("unable to create policy")); + + ok_status(SecTrustCreateWithCertificates(certs, policy, &trust), "failed to create trust"); + require_noerr_action(SecTrustSetAnchorCertificates(trust, anchors), errOut, + fail("unable to set anchors")); + require_noerr_action(SecTrustSetVerifyDate(trust, date), errOut, fail("unable to set verify date")); + + ok(serializedTrust = SecTrustSerialize(trust, NULL), "failed to serialize trust"); + ok(deserializedTrust = SecTrustDeserialize(serializedTrust, NULL), "Failed to deserialize trust"); + CFReleaseNull(serializedTrust); + + require_noerr_action(SecTrustCopyCustomAnchorCertificates(deserializedTrust, &deserializedCerts), errOut, + fail("unable to get anchors from deserialized trust")); + ok(CFEqual(anchors, deserializedCerts), "Failed to get the same anchors after serialization/deserialization"); + CFReleaseNull(deserializedCerts); + + require_noerr_action(SecTrustCopyInputCertificates(trust, &deserializedCerts), errOut, + fail("unable to get input certificates from deserialized trust")); + ok(CFEqual(certs, deserializedCerts), "Failed to get same input certificates after serialization/deserialization"); + CFReleaseNull(deserializedCerts); + + /* correct API behavior */ +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wnonnull" + is(SecTrustSerialize(NULL, &error), NULL, "serialize succeeded with null input"); + is(CFErrorGetCode(error), errSecParam, "Incorrect error code for bad serialization input"); + 
CFReleaseNull(error); + is(SecTrustDeserialize(NULL, &error), NULL, "deserialize succeeded with null input"); + is(CFErrorGetCode(error), errSecParam, "Incorrect error code for bad deserialization input"); + CFReleaseNull(error); +#pragma clang diagnostic pop + +errOut: + CFReleaseNull(cert0); + CFReleaseNull(cert1); + CFReleaseNull(root); + CFReleaseNull(certs); + CFReleaseNull(anchors); + CFReleaseNull(date); + CFReleaseNull(policy); + CFReleaseNull(trust); + CFReleaseNull(deserializedTrust); +} + +static void test_tls_analytics_report(void) +{ + xpc_object_t metric = xpc_dictionary_create(NULL, NULL, 0); + ok(metric != NULL); + + const char *TLS_METRIC_PROCESS_IDENTIFIER = "process"; + const char *TLS_METRIC_CIPHERSUITE = "cipher_name"; + const char *TLS_METRIC_PROTOCOL_VERSION = "version"; + const char *TLS_METRIC_SESSION_RESUMED = "resumed"; + + xpc_dictionary_set_string(metric, TLS_METRIC_PROCESS_IDENTIFIER, "super awesome unit tester"); + xpc_dictionary_set_uint64(metric, TLS_METRIC_CIPHERSUITE, 0x0304); + xpc_dictionary_set_uint64(metric, TLS_METRIC_PROTOCOL_VERSION, 0x0304); + xpc_dictionary_set_bool(metric, TLS_METRIC_SESSION_RESUMED, false); + // ... TLS would fill in the rest + + // Invoke the callback + CFErrorRef error = NULL; + bool reported = SecTrustReportTLSAnalytics(CFSTR("TLSConnectionEvent"), metric, &error); + ok(reported, "Failed to report analytics with error %@", error); +} + int si_20_sectrust(int argc, char *const *argv) { #if TARGET_OS_IPHONE - plan_tests(101+9+(8*13)+9+1+2); + plan_tests(101+9+(8*13)+9+1+2+17+2+9+2); #else - plan_tests(97+9+(8*13)+9+1+2+2); + plan_tests(97+9+(8*13)+9+1+2+2+17+2+9+2); #endif basic_tests(); @@ -664,6 +912,10 @@ int si_20_sectrust(int argc, char *const *argv) test_input_certificates(); test_async_trust(); test_expired_only(); + test_evaluate_with_error(); + test_optional_policy_check(); + test_serialization(); + test_tls_analytics_report(); return 0; } 
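Review bot: In `test_serialization` the input-certificate check calls `SecTrustCopyInputCertificates(trust, &deserializedCerts)` on the original `trust`, although its failure text says "from deserialized trust", so the round trip of the input certificates is never exercised; the call should read `SecTrustCopyInputCertificates(deserializedTrust, &deserializedCerts)`. In the same function `deserializedTrust` is used without a NULL check after the `ok(...)` that assigns it, and `CFErrorGetCode(error)` is called whether or not the NULL-input calls set `error`. `test_tls_analytics_report` never releases `metric` or `error`; in a `.c` file that would need `xpc_release(metric);` and `CFReleaseNull(error);` at the end. In `test_optional_policy_check` the `#if NDEBUG` split deserves a comment along the lines of `/* release builds appear to ignore an unknown policy option key; debug builds fail the evaluation */`, since that difference is what the two branches pin.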
diff --git a/OSX/sec/Security/Regressions/secitem/si-22-sectrust-iap.c b/OSX/sec/Security/Regressions/secitem/si-22-sectrust-iap.c index e75eebb8..3f1c0bc5 100644 --- a/OSX/sec/Security/Regressions/secitem/si-22-sectrust-iap.c +++ b/OSX/sec/Security/Regressions/secitem/si-22-sectrust-iap.c @@ -1,7 +1,8 @@ /* - * Copyright (c) 2006-2016 Apple Inc. All Rights Reserved. + * Copyright (c) 2006-2017 Apple Inc. All Rights Reserved. */ +#include #include #include #include @@ -16,7 +17,7 @@ #include "si-22-sectrust-iap.h" -static void tests(void) +static void test_v1(void) { SecTrustRef trust; SecCertificateRef iAP1CA, iAP2CA, leaf0, leaf1; @@ -79,7 +80,7 @@ static void tests(void) static void test_v3(void) { SecCertificateRef v3CA = NULL, v3leaf = NULL; isnt(v3CA = SecCertificateCreateWithBytes(NULL, _v3ca, sizeof(_v3ca)), - NULL, "create v3leaf"); + NULL, "create v3 CA"); isnt(v3leaf = SecCertificateCreateWithBytes(NULL, _v3leaf, sizeof(_v3leaf)), NULL, "create v3leaf"); @@ -108,7 +109,6 @@ trustFail: CFReleaseSafe(anchors); CFReleaseSafe(date); -#if TARGET_OS_IPHONE /* Test interface for determining iAuth version */ SecCertificateRef leaf0 = NULL, leaf1 = NULL; isnt(leaf0 = SecCertificateCreateWithBytes(NULL, _leaf0, sizeof(_leaf0)), @@ -151,20 +151,15 @@ trustFail: "compare expected output"); CFReleaseNull(extensionData); CFReleaseNull(malformedV3leaf); -#endif CFReleaseSafe(v3leaf); CFReleaseSafe(v3CA); } int si_22_sectrust_iap(int argc, char *const *argv) { -#if TARGET_OS_IPHONE plan_tests(14+20); -#else - plan_tests(14+8); -#endif - tests(); + test_v1(); test_v3(); return 0; diff --git a/OSX/sec/Security/Regressions/secitem/si-23-sectrust-ocsp.c b/OSX/sec/Security/Regressions/secitem/si-23-sectrust-ocsp.c index d9b3ce58..df8a5cb1 100644 --- a/OSX/sec/Security/Regressions/secitem/si-23-sectrust-ocsp.c +++ b/OSX/sec/Security/Regressions/secitem/si-23-sectrust-ocsp.c 
@@ -1202,7 +1202,7 @@ static void test_forced_revocation() isnt(VerifyDate = CFDateCreate(NULL, 332900000.0), NULL, "Create verify date"); if (!VerifyDate) { goto errOut; } - // Standard evaluation should succeed for the given verify date + // Standard evaluation for the given verify date { SecTrustRef trust = NULL; SecTrustResultType trust_result; @@ -1215,7 +1215,9 @@ static void test_forced_revocation() ok_status(status = SecTrustEvaluate(trust, &trust_result), "SecTrustEvaluate"); // Check results - is_status(trust_result, kSecTrustResultUnspecified, "trust is kSecTrustResultUnspecified"); + // %%% This is now expected to fail, since the "TC TrustCenter Class 1 L1 CA IX" CA is revoked + // and the revocation information is present in the Valid database. + is_status(trust_result, kSecTrustResultFatalTrustFailure, "trust is kSecTrustResultFatalTrustFailure"); CFReleaseNull(trust); } @@ -1234,7 +1236,9 @@ static void test_forced_revocation() ok_status(status = SecTrustEvaluate(trust, &trust_result), "SecTrustEvaluate"); // Check results - is_status(trust_result, kSecTrustResultRecoverableTrustFailure, "trust is kSecTrustResultRecoverableTrustFailure"); + // %%% This is now expected to fail, since the "TC TrustCenter Class 1 L1 CA IX" CA is revoked + // and the revocation information is present in the Valid database. + is_status(trust_result, kSecTrustResultFatalTrustFailure, "trust is kSecTrustResultFatalTrustFailure"); CFReleaseNull(trust); } diff --git a/OSX/sec/Security/Regressions/secitem/si-32-sectrust-pinning-required.m b/OSX/sec/Security/Regressions/secitem/si-32-sectrust-pinning-required.m index e63c9d73..7a006405 100644 --- a/OSX/sec/Security/Regressions/secitem/si-32-sectrust-pinning-required.m +++ b/OSX/sec/Security/Regressions/secitem/si-32-sectrust-pinning-required.m 
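Review bot: After this change both evaluation blocks of `test_forced_revocation` expect `kSecTrustResultFatalTrustFailure` (hunks `@@ -1215,7` and `@@ -1234,7`), so the test no longer distinguishes the standard evaluation from the second one, which previously expected `kSecTrustResultRecoverableTrustFailure`; it would now pass even if the path the test is named for did nothing. The `%%%` comments explain the cause (the CA is revoked and present in the Valid database) but not the loss of coverage. I would add `// TODO: replace this chain with one whose CA is not revoked so the two evaluations differ again` above the first check. The function begins and ends outside the hunks.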
@@ -86,15 +86,18 @@ static void tests(void) policy = SecPolicyCreateSSL(true, CFSTR("openmarket.ess.apple.com")); SecPolicySetOptionsValue(policy, kSecPolicyCheckPinningRequired, kCFBooleanTrue); - is(test_with_policy(policy), kSecTrustResultRecoverableTrustFailure, "Unpinned connection succeeeded when pinning required"); + //%%% openmarket.ess.apple.com cert is now revoked, so expect a fatal result. + is(test_with_policy(policy), kSecTrustResultFatalTrustFailure, "Unpinned connection succeeeded when pinning required"); policy = SecPolicyCreateAppleIDSServiceContext(CFSTR("openmarket.ess.apple.com"), NULL); SecPolicySetOptionsValue(policy, kSecPolicyCheckPinningRequired, kCFBooleanTrue); - is(test_with_policy(policy), kSecTrustResultUnspecified, "Policy pinned connection failed when pinning required"); + //%%% openmarket.ess.apple.com cert is now revoked, so expect a fatal result. + is(test_with_policy(policy), kSecTrustResultFatalTrustFailure, "Policy pinned connection failed when pinning required"); policy = SecPolicyCreateSSL(true, CFSTR("profile.ess.apple.com")); + //%%% profile.ess.apple.com cert is now revoked, so expect a fatal result. SecPolicySetOptionsValue(policy, kSecPolicyCheckPinningRequired, kCFBooleanTrue); - is(test_with_policy(policy), kSecTrustResultUnspecified, "Systemwide hostname pinned connection failed when pinning required"); + is(test_with_policy(policy), kSecTrustResultFatalTrustFailure, "Systemwide hostname pinned connection failed when pinning required"); NSDictionary *policy_properties = @{ (__bridge NSString *)kSecPolicyName : @"openmarket.ess.apple.com", 
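Review bot: All five `is(...)` checks in `tests()` now expect `kSecTrustResultFatalTrustFailure` (this hunk and `@@ -102,11 +105,13 @@`), yet they keep their old descriptions, so a string like "Policy pinned connection failed when pinning required" now reads backwards against the expected value. More importantly, the pinned, unpinned and exception cases share one expected result that is driven by revocation, so `kSecPolicyCheckPinningRequired` is no longer what these assertions measure. Until the fixtures are replaced with unrevoked certificates, the strings could say what is actually checked, e.g. `"Expected fatal result for revoked leaf (IDS pinned policy)"`. The `//%%%` comment for `profile.ess.apple.com` sits above `SecPolicySetOptionsValue` rather than above its `is(...)` line, unlike the others.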
@@ -102,11 +105,13 @@ static void tests(void) }; policy = SecPolicyCreateWithProperties(kSecPolicyAppleSSL, (__bridge CFDictionaryRef)policy_properties); SecPolicySetOptionsValue(policy, kSecPolicyCheckPinningRequired, kCFBooleanTrue); - is(test_with_policy(policy), kSecTrustResultUnspecified, "Systemwide policy name pinned connection failed when pinning required"); + //%%% openmarket.ess.apple.com cert is now revoked, so expect a fatal result. + is(test_with_policy(policy), kSecTrustResultFatalTrustFailure, "Systemwide policy name pinned connection failed when pinning required"); policy = SecPolicyCreateSSL(true, CFSTR("openmarket.ess.apple.com")); SecPolicySetOptionsValue(policy, kSecPolicyCheckPinningRequired, kCFBooleanTrue); - is(test_with_policy_exception(policy, true), kSecTrustResultUnspecified, "Unpinned connection failed when pinning exception set"); + //%%% openmarket.ess.apple.com cert is now revoked, so expect a fatal result. + is(test_with_policy_exception(policy, true), kSecTrustResultFatalTrustFailure, "Unpinned connection failed when pinning exception set"); /* can I write an effective test for charles?? */ } diff --git a/OSX/sec/Security/Regressions/secitem/si-60-cms.c b/OSX/sec/Security/Regressions/secitem/si-60-cms.c index 0a3ba7d6..4ebc3948 100644 --- a/OSX/sec/Security/Regressions/secitem/si-60-cms.c +++ b/OSX/sec/Security/Regressions/secitem/si-60-cms.c @@ -21,6 +21,7 @@ * @APPLE_LICENSE_HEADER_END@ */ +#include #include #include @@ -1783,6 +1784,7 @@ static void tests(void) CFDataSetLength(message_data, 0); #if TARGET_OS_IPHONE + /* macOS never supported signing with MD5 */ CFMutableDictionaryRef params = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); CFDictionarySetValue(params, kSecCMSSignHashAlgorithm, kSecCMSHashingAlgorithmMD5); is(SecCMSCreateSignedData(identity, NULL, params, NULL, message_data), errSecParam, "signing md5 message should fail"); 
@@ -1850,15 +1852,100 @@ static void tests(void) CFReleaseNull(message_data); } +/* subject:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=Security Engineering/CN=Neptune */ +/* issuer :/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=Security Engineering/CN=Neptune */ +/* X509v3 Key Usage: Certificate Sign, CRL Sign */ +uint8_t _cacert[964]={ + 0x30,0x82,0x03,0xC0,0x30,0x82,0x02,0xA8,0xA0,0x03,0x02,0x01,0x02,0x02,0x09,0x00, + 0xCD,0xDF,0x76,0xED,0x2A,0x08,0xF1,0x74,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86, + 0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x30,0x7C,0x31,0x0B,0x30,0x09,0x06,0x03,0x55, + 0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C, + 0x0A,0x43,0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x12,0x30,0x10,0x06, + 0x03,0x55,0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F,0x31, + 0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20, + 0x49,0x6E,0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C,0x14,0x53, + 0x65,0x63,0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65,0x65,0x72, + 0x69,0x6E,0x67,0x31,0x10,0x30,0x0E,0x06,0x03,0x55,0x04,0x03,0x0C,0x07,0x4E,0x65, + 0x70,0x74,0x75,0x6E,0x65,0x30,0x1E,0x17,0x0D,0x31,0x38,0x30,0x32,0x32,0x37,0x31, + 0x39,0x35,0x39,0x32,0x31,0x5A,0x17,0x0D,0x32,0x38,0x30,0x32,0x32,0x35,0x31,0x39, + 0x35,0x39,0x32,0x31,0x5A,0x30,0x7C,0x31,0x0B,0x30,0x09,0x06,0x03,0x55,0x04,0x06, + 0x13,0x02,0x55,0x53,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x08,0x0C,0x0A,0x43, + 0x61,0x6C,0x69,0x66,0x6F,0x72,0x6E,0x69,0x61,0x31,0x12,0x30,0x10,0x06,0x03,0x55, + 0x04,0x07,0x0C,0x09,0x43,0x75,0x70,0x65,0x72,0x74,0x69,0x6E,0x6F,0x31,0x13,0x30, + 0x11,0x06,0x03,0x55,0x04,0x0A,0x0C,0x0A,0x41,0x70,0x70,0x6C,0x65,0x20,0x49,0x6E, + 0x63,0x2E,0x31,0x1D,0x30,0x1B,0x06,0x03,0x55,0x04,0x0B,0x0C,0x14,0x53,0x65,0x63, + 0x75,0x72,0x69,0x74,0x79,0x20,0x45,0x6E,0x67,0x69,0x6E,0x65,0x65,0x72,0x69,0x6E, + 
0x67,0x31,0x10,0x30,0x0E,0x06,0x03,0x55,0x04,0x03,0x0C,0x07,0x4E,0x65,0x70,0x74, + 0x75,0x6E,0x65,0x30,0x82,0x01,0x22,0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7, + 0x0D,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0F,0x00,0x30,0x82,0x01,0x0A,0x02, + 0x82,0x01,0x01,0x00,0xD6,0xFA,0x29,0x49,0x27,0x13,0x4E,0x50,0x00,0x5E,0xEB,0x0E, + 0xD3,0x33,0x30,0xC6,0x47,0x76,0x9C,0xBA,0x81,0x38,0xB5,0x91,0x54,0xB2,0x28,0x95, + 0x5E,0xFA,0x9E,0xC3,0x7A,0xDC,0x90,0xA4,0xDD,0xB3,0xB4,0x3F,0x95,0x1A,0x3B,0x1A, + 0x17,0xC2,0xA2,0xDC,0x8E,0x67,0xBC,0x3D,0x28,0x53,0xC0,0xDE,0x8C,0xED,0x1F,0x70, + 0xC3,0x96,0x5C,0x46,0x90,0xA3,0xE4,0xC3,0xEC,0x78,0xBD,0x88,0x6B,0x3B,0xE3,0xC3, + 0x78,0xE3,0xA4,0x9F,0x6E,0xAE,0x67,0x0A,0xC8,0xAC,0xE3,0xD9,0xCB,0x2C,0xDE,0xB2, + 0x2A,0x72,0x2F,0x91,0x81,0x99,0xED,0xC1,0x60,0x82,0x1E,0xA3,0xE0,0x79,0x20,0x8B, + 0x7F,0xDC,0x89,0xAA,0x13,0x3B,0x7C,0x61,0x4E,0xA4,0xF1,0x8D,0xA3,0x07,0x45,0xAB, + 0x5E,0x1B,0xDB,0x12,0x34,0x24,0xF3,0x0C,0xC8,0x09,0x00,0xF1,0x02,0x9A,0x40,0xDF, + 0x2C,0xF3,0xB6,0x92,0x1E,0x5F,0x1B,0xAA,0x25,0x11,0x51,0x8C,0x9C,0x5F,0x14,0xD8, + 0x5F,0x3C,0xE8,0x94,0xC0,0xDF,0xF8,0xCF,0x72,0xE4,0xD6,0x80,0x0A,0xB1,0xFC,0x50, + 0x27,0xE5,0xB4,0xDC,0xE4,0xD8,0x8F,0xA2,0x2B,0x06,0xC5,0x74,0xC8,0x52,0x3A,0x3A, + 0x2D,0x21,0xC9,0x6E,0x48,0x1E,0xC8,0x90,0x82,0x54,0xB9,0x41,0x0C,0xBB,0x24,0xBB, + 0x7E,0x4A,0xCF,0x4F,0xBA,0xA1,0xA7,0xAA,0x67,0x1C,0xA2,0x3F,0x8B,0xB8,0xDE,0x68, + 0x2B,0x6E,0x5C,0xCE,0xD6,0xD0,0xC7,0xE5,0x13,0xE5,0x85,0x96,0xD1,0xCD,0xC2,0x77, + 0xC2,0x84,0xE0,0x78,0xE8,0x5C,0x81,0x33,0xA3,0xA1,0xAD,0xDE,0xBB,0x55,0xA3,0x49, + 0x89,0x55,0xC7,0x35,0x02,0x03,0x01,0x00,0x01,0xA3,0x45,0x30,0x43,0x30,0x12,0x06, + 0x03,0x55,0x1D,0x13,0x01,0x01,0xFF,0x04,0x08,0x30,0x06,0x01,0x01,0xFF,0x02,0x01, + 0x00,0x30,0x0E,0x06,0x03,0x55,0x1D,0x0F,0x01,0x01,0xFF,0x04,0x04,0x03,0x02,0x01, + 0x06,0x30,0x1D,0x06,0x03,0x55,0x1D,0x0E,0x04,0x16,0x04,0x14,0x88,0x51,0xE5,0x13, + 0xF5,0x10,0xCF,0xA8,0x79,0xB1,0x20,0x89,0xA4,0xBF,0x95,0xD4,0xB3,0x41,0xC8,0x2B, + 
0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00,0x03, + 0x82,0x01,0x01,0x00,0x44,0x82,0x0F,0x82,0x37,0x2D,0xA8,0x84,0xF1,0xC5,0x11,0x5B, + 0x42,0xCD,0x55,0xC1,0x61,0xB2,0x4B,0x63,0xCE,0x8C,0xFE,0x80,0x19,0x56,0x7B,0x7C, + 0x73,0xA4,0xE7,0xA1,0x01,0xD6,0xF7,0x0E,0x9A,0xA3,0x40,0x6F,0x12,0x78,0xCE,0x4F, + 0x94,0xE9,0xC7,0x31,0x81,0x0B,0x4B,0x67,0xFF,0x6B,0xD4,0xFE,0x51,0x86,0xA3,0xD0, + 0xA2,0xEE,0x1C,0xEB,0xED,0x72,0xF9,0x76,0x9B,0x0F,0xCC,0xF0,0x20,0xE0,0x7B,0x05, + 0x39,0xDA,0x5B,0xA4,0x1F,0xD1,0x6F,0xD9,0xB0,0x5D,0x98,0xE6,0xC5,0x2B,0x80,0x0E, + 0x6C,0x2A,0x2A,0xEE,0xD2,0x1D,0xF5,0xB8,0x9A,0x1A,0x2E,0x23,0xA8,0x1E,0xFF,0xF8, + 0x90,0x84,0x4C,0x7B,0xE1,0x64,0xFB,0xD3,0x11,0x53,0x96,0x55,0x25,0xD3,0x23,0xB5, + 0x8E,0x29,0xF4,0x16,0x60,0x64,0xD1,0x52,0xF3,0x0E,0xB8,0x43,0xE3,0x72,0xE9,0xDC, + 0x33,0xA4,0x39,0xDA,0xB9,0xD0,0x48,0x5C,0x89,0xF3,0x0C,0x7C,0x8F,0xE9,0x4A,0x73, + 0x54,0x14,0x9B,0xB4,0xCF,0x3D,0xF5,0x41,0xC0,0xD8,0x01,0xB5,0x64,0x45,0x65,0x7D, + 0x77,0xA2,0x4C,0x1A,0x97,0x29,0x1A,0xD9,0x32,0x4F,0x81,0xDD,0xF9,0x30,0xEF,0xEF, + 0xA9,0x6C,0x87,0x9E,0x6B,0x1A,0xF1,0x52,0x98,0x5B,0xAC,0xF5,0x7B,0x24,0x2D,0xFB, + 0x28,0x53,0x63,0x95,0xA2,0x66,0xE7,0xE3,0x04,0xD7,0xEB,0x95,0x91,0x5E,0x24,0xE3, + 0x28,0x60,0x43,0xBF,0x8B,0x11,0xCA,0xC1,0xA6,0xC3,0xF9,0x50,0x94,0xEE,0x2D,0xCC, + 0x0D,0xE3,0x65,0xD9,0xDD,0xD5,0xD6,0x85,0x35,0x31,0xBD,0x10,0x80,0xF9,0xEB,0xEA, + 0x2E,0xA2,0x80,0x76, +}; + +static void test_key_usage_enveloped_data(void) { + SecCertificateRef cacert = SecCertificateCreateWithBytes(NULL, _cacert, sizeof(_cacert)); + CFMutableDataRef message_data = CFDataCreateMutable(kCFAllocatorDefault, 0); + const uint8_t test[] = "hoi joh"; + CFDataRef test_data = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, (unsigned char *)test, sizeof(test), kCFAllocatorNull); + CFArrayRef recipients = CFArrayCreate(kCFAllocatorDefault, (const void **)&cacert, 1, &kCFTypeArrayCallBacks); + require_action(cacert && message_data && test_data && 
recipients, out, fail("failed to create necessary data for test")); + + ok_status(SecCMSCreateEnvelopedData(recipients, NULL, test_data, message_data), "encrypt for bad key usage recip"); + +out: + CFReleaseNull(cacert); + CFReleaseNull(message_data); + CFReleaseNull(test_data); + CFReleaseNull(recipients); +} + int si_60_cms(int argc, char *const *argv) { #if TARGET_OS_IPHONE - plan_tests(42); + plan_tests(43); #else - plan_tests(41); + plan_tests(42); #endif tests(); + test_key_usage_enveloped_data(); return 0; } diff --git a/OSX/sec/Security/Regressions/secitem/si-62-csr.c b/OSX/sec/Security/Regressions/secitem/si-62-csr.m similarity index 62% rename from OSX/sec/Security/Regressions/secitem/si-62-csr.c rename to OSX/sec/Security/Regressions/secitem/si-62-csr.m index 239c51b0..a6aa4b9d 100644 --- a/OSX/sec/Security/Regressions/secitem/si-62-csr.c +++ b/OSX/sec/Security/Regressions/secitem/si-62-csr.m @@ -1,5 +1,5 @@ /* - * Copyright (c) 2008-2010,2012-2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2008-2017 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -21,6 +21,8 @@ * @APPLE_LICENSE_HEADER_END@ */ +#import +#import #include #include @@ -63,7 +65,7 @@ static void tests(void) CFReleaseNull(key_size_num); CFMutableDictionaryRef subject_alt_names = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); - CFDictionarySetValue(subject_alt_names, CFSTR("dnsname"), CFSTR("xey.nl")); + CFDictionarySetValue(subject_alt_names, kSecSubjectAltNameDNSName, CFSTR("xey.nl")); int key_usage = kSecKeyUsageDigitalSignature | kSecKeyUsageKeyEncipherment; CFNumberRef key_usage_num = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &key_usage); 
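Review bot: `test_key_usage_enveloped_data` asserts with `ok_status` that `SecCMSCreateEnvelopedData` succeeds for a recipient whose certificate, per the comment above `_cacert`, has only Certificate Sign and CRL Sign key usage, and nothing says why encrypting to a key with no key-encipherment usage is the wanted outcome. The message `"encrypt for bad key usage recip"` reads as if a rejection were expected, so I would put the rationale next to the call, e.g. `/* <reason recipient key usage is not enforced here>; encryption is expected to succeed */`, so that a later tightening of the check is a deliberate decision rather than a surprise test failure. `_cacert` is also a writable global with external linkage; declaring it `static const uint8_t _cacert[964]` would keep the fixture file-local and read-only.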
@@ -151,8 +153,7 @@ static void tests(void) //dict[kSecSubjectAltName, dict[ntPrincipalName, "foo@bar.org"]] CFStringRef nt_princ_name_val = CFSTR("foo@bar.org"); - CFStringRef nt_princ_name_key = CFSTR("ntPrincipalName"); - CFDictionaryRef nt_princ = CFDictionaryCreate(NULL, (const void **)&nt_princ_name_key, (const void **)&nt_princ_name_val, 1, NULL, NULL); + CFDictionaryRef nt_princ = CFDictionaryCreate(NULL, (const void **)&kSecSubjectAltNameNTPrincipalName, (const void **)&nt_princ_name_val, 1, NULL, NULL); CFDictionaryRef params = CFDictionaryCreate(NULL, (const void **)&kSecSubjectAltName, (const void **)&nt_princ, 1, NULL, NULL); csr = SecGenerateCertificateRequestWithParameters(atvs_phone, params, phone_publicKey, phone_privateKey); @@ -293,7 +294,7 @@ static void test_ec_csr(void) { SecRDN atvs_phone[] = { cn_phone, c, st, l, o, ou, NULL }; CFMutableDictionaryRef subject_alt_names = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); - CFDictionarySetValue(subject_alt_names, CFSTR("dnsname"), CFSTR("xey.nl")); + CFDictionarySetValue(subject_alt_names, kSecSubjectAltNameDNSName, CFSTR("xey.nl")); int key_usage = kSecKeyUsageDigitalSignature | kSecKeyUsageKeyEncipherment; CFNumberRef key_usage_num = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &key_usage); 
@@ -327,16 +328,192 @@ static void test_ec_csr(void) { CFReleaseNull(challenge); } +static bool test_csr_create_sign_verify(SecKeyRef ca_priv, SecKeyRef leaf_priv, + CFStringRef cert_hashing_alg, CFStringRef csr_hashing_alg) { + bool status = false; + SecCertificateRef ca_cert = NULL, leaf_cert1 = NULL, leaf_cert2 = NULL; + SecIdentityRef ca_identity = NULL; + NSArray *leaf_rdns = nil, *anchors = nil; + NSDictionary *leaf_parameters = nil; + NSData *csr = nil, *serial_no = nil; + SecKeyRef csr_pub_key = NULL; + CFDataRef csr_subject = NULL, csr_extensions = NULL; + SecPolicyRef policy = NULL; + SecTrustRef trust = NULL; + SecTrustResultType trustResult = kSecTrustResultInvalid; + + /* Generate a self-signed cert */ + NSString *common_name = [NSString stringWithFormat:@"CSR Test Root: %@", cert_hashing_alg]; + NSArray *ca_rdns = @[ + @[@[(__bridge NSString*)kSecOidCountryName, @"US"]], + @[@[(__bridge NSString*)kSecOidOrganization, @"Apple Inc."]], + @[@[(__bridge NSString*)kSecOidCommonName, common_name]] + ]; + NSDictionary *ca_parameters = @{ + (__bridge NSString *)kSecCMSSignHashAlgorithm: (__bridge NSString*)cert_hashing_alg, + (__bridge NSString *)kSecCSRBasicContraintsPathLen: @0, + (__bridge NSString *)kSecCertificateKeyUsage: @(kSecKeyUsageKeyCertSign | kSecKeyUsageCRLSign) + }; + ca_cert = SecGenerateSelfSignedCertificate((__bridge CFArrayRef)ca_rdns, + (__bridge CFDictionaryRef)ca_parameters, + NULL, ca_priv); + require(ca_cert, out); + ca_identity = SecIdentityCreate(NULL, ca_cert, ca_priv); + require(ca_identity, out); + + /* Generate a CSR */ + leaf_rdns = @[ + @[@[(__bridge NSString*)kSecOidCountryName, @"US"]], + @[@[(__bridge NSString*)kSecOidOrganization, @"Apple Inc"]], + @[@[(__bridge NSString*)kSecOidCommonName, @"Leaf 1"]] + ]; + leaf_parameters = @{ + (__bridge NSString*)kSecCMSSignHashAlgorithm: (__bridge NSString*)csr_hashing_alg, + (__bridge NSString*)kSecSubjectAltName: @{ + (__bridge NSString*)kSecSubjectAltNameDNSName : @[ 
@"valid.apple.com", + @"valid-qa.apple.com", + @"valid-uat.apple.com"] + }, + (__bridge NSString*)kSecCertificateKeyUsage : @(kSecKeyUsageDigitalSignature) + }; + csr = CFBridgingRelease(SecGenerateCertificateRequest((__bridge CFArrayRef)leaf_rdns, + (__bridge CFDictionaryRef)leaf_parameters, + NULL, leaf_priv)); + require(csr, out); + + /* Verify that CSR */ + require(SecVerifyCertificateRequest((__bridge CFDataRef)csr, &csr_pub_key, NULL, &csr_subject, &csr_extensions), out); + require(csr_pub_key && csr_extensions && csr_subject, out); + + /* Sign that CSR */ + uint8_t serial_no_bytes[] = { 0xbb, 0x01 }; + serial_no = [NSData dataWithBytes:serial_no_bytes length:sizeof(serial_no_bytes)]; + leaf_cert1 = SecIdentitySignCertificateWithAlgorithm(ca_identity, (__bridge CFDataRef)serial_no, + csr_pub_key, csr_subject, csr_extensions, cert_hashing_alg); + require(leaf_cert1, out); + + CFReleaseNull(csr_pub_key); + CFReleaseNull(csr_subject); + CFReleaseNull(csr_extensions); + + /* Generate a CSR "with parameters" SPI */ + SecATV c[] = { { kSecOidCountryName, SecASN1PrintableString, CFSTR("US") }, {} }; + SecATV o[] = { { kSecOidOrganization, SecASN1PrintableString, CFSTR("Apple Inc.") }, {} }; + SecATV cn[] = { { kSecOidCommonName, SecASN1PrintableString, CFSTR("Leaf 2") }, {} }; + + SecRDN atvs_leaf2[] = { c, o, cn, NULL }; + csr = CFBridgingRelease(SecGenerateCertificateRequestWithParameters(atvs_leaf2, (__bridge CFDictionaryRef)leaf_parameters, NULL, leaf_priv)); + require(csr, out); + + /* Verify that CSR */ + require(SecVerifyCertificateRequest((__bridge CFDataRef)csr, &csr_pub_key, NULL, &csr_subject, &csr_extensions), out); + require(csr_pub_key && csr_extensions && csr_subject, out); + + /* Sign that CSR */ + uint8_t serial_no_bytes2[] = { 0xbb, 0x02 }; + serial_no = [NSData dataWithBytes:serial_no_bytes2 length:sizeof(serial_no_bytes2)]; + leaf_cert2 = SecIdentitySignCertificateWithAlgorithm(ca_identity, (__bridge CFDataRef)serial_no, + csr_pub_key, 
csr_subject, csr_extensions, cert_hashing_alg); + require(leaf_cert2, out); + + /* Verify the signed leaf certs chain to the root */ + require(policy = SecPolicyCreateBasicX509(), out); + require_noerr(SecTrustCreateWithCertificates(leaf_cert1, policy, &trust), out); + anchors = @[ (__bridge id)ca_cert ]; + require_noerr(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors), out); + require_noerr(SecTrustEvaluate(trust, &trustResult), out); + require(trustResult == kSecTrustResultUnspecified || trustResult == kSecTrustResultProceed, out); + CFReleaseNull(trust); + + require_noerr(SecTrustCreateWithCertificates(leaf_cert2, policy, &trust), out); + require_noerr(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors), out); + require_noerr(SecTrustEvaluate(trust, &trustResult), out); + require(trustResult == kSecTrustResultUnspecified || trustResult == kSecTrustResultProceed, out); + CFReleaseNull(trust); + + status = true; +out: + CFReleaseNull(ca_cert); + CFReleaseNull(ca_identity); + CFReleaseNull(leaf_cert1); + CFReleaseNull(leaf_cert2); + CFReleaseNull(csr_pub_key); + CFReleaseNull(csr_subject); + CFReleaseNull(csr_extensions); + CFReleaseNull(policy); + CFReleaseNull(trust); + return status; +} + +static void test_algs(void) { + SecKeyRef ca_rsa_key = NULL, ca_ec_key = NULL; + SecKeyRef leaf_rsa_key = NULL, leaf_ec_key = NULL; + SecKeyRef publicKey = NULL; + NSDictionary *rsa_parameters = nil, *ec_parameters = nil; + + rsa_parameters = @{ + (__bridge NSString*)kSecAttrKeyType: (__bridge NSString*)kSecAttrKeyTypeRSA, + (__bridge NSString*)kSecAttrKeySizeInBits : @2048, + }; + ok_status(SecKeyGeneratePair((__bridge CFDictionaryRef)rsa_parameters, &publicKey, &ca_rsa_key), + "Failed to generate CA RSA key"); + CFReleaseNull(publicKey); + ok_status(SecKeyGeneratePair((__bridge CFDictionaryRef)rsa_parameters, &publicKey, &leaf_rsa_key), + "Failed to generate leaf RSA key"); + CFReleaseNull(publicKey); + + ec_parameters = @{ + (__bridge 
NSString*)kSecAttrKeyType: (__bridge NSString*)kSecAttrKeyTypeECSECPrimeRandom, + (__bridge NSString*)kSecAttrKeySizeInBits : @384, + }; + ok_status(SecKeyGeneratePair((__bridge CFDictionaryRef)ec_parameters, &publicKey, &ca_ec_key), + "Failed to generate CA EC key"); + CFReleaseNull(publicKey); + ok_status(SecKeyGeneratePair((__bridge CFDictionaryRef)ec_parameters, &publicKey, &leaf_ec_key), + "Failed to generate leaf EC key"); + CFReleaseNull(publicKey); + + /* Single algorithm tests */ + ok(test_csr_create_sign_verify(ca_rsa_key, leaf_rsa_key, kSecCMSHashingAlgorithmSHA1, kSecCMSHashingAlgorithmSHA1), + "Failed to run csr test with RSA SHA-1"); + ok(test_csr_create_sign_verify(ca_rsa_key, leaf_rsa_key, kSecCMSHashingAlgorithmSHA256, kSecCMSHashingAlgorithmSHA256), + "Failed to run csr test with RSA SHA-256"); + ok(test_csr_create_sign_verify(ca_rsa_key, leaf_rsa_key, kSecCMSHashingAlgorithmSHA384, kSecCMSHashingAlgorithmSHA384), + "Failed to run csr test with RSA SHA-384"); + ok(test_csr_create_sign_verify(ca_rsa_key, leaf_rsa_key, kSecCMSHashingAlgorithmSHA512, kSecCMSHashingAlgorithmSHA512), + "Failed to run csr test with RSA SHA-512"); + ok(test_csr_create_sign_verify(ca_ec_key, leaf_ec_key, kSecCMSHashingAlgorithmSHA256, kSecCMSHashingAlgorithmSHA256), + "Failed to run csr test with EC SHA-256"); + ok(test_csr_create_sign_verify(ca_ec_key, leaf_ec_key, kSecCMSHashingAlgorithmSHA384, kSecCMSHashingAlgorithmSHA384), + "Failed to run csr test with EC SHA-384"); + ok(test_csr_create_sign_verify(ca_ec_key, leaf_ec_key, kSecCMSHashingAlgorithmSHA512, kSecCMSHashingAlgorithmSHA512), + "Failed to run csr test with EC SHA-512"); + + /* Mix and match */ + ok(test_csr_create_sign_verify(ca_rsa_key, leaf_ec_key, kSecCMSHashingAlgorithmSHA256, kSecCMSHashingAlgorithmSHA384), + "Failed to run csr test with RSA CA, EC leaf, SHA256 certs, SHA384 csrs"); + ok(test_csr_create_sign_verify(ca_rsa_key, leaf_rsa_key, kSecCMSHashingAlgorithmSHA256, kSecCMSHashingAlgorithmSHA1), + 
"Failed to run csr test with RSA keys, SHA256 certs, SHA1 csrs"); + ok(test_csr_create_sign_verify(ca_ec_key, leaf_ec_key, kSecCMSHashingAlgorithmSHA384, kSecCMSHashingAlgorithmSHA256), + "Failed to run csr test with EC keys, SHA384 certs, SHA256 csrs"); + + CFReleaseNull(ca_rsa_key); + CFReleaseNull(ca_ec_key); + CFReleaseNull(leaf_rsa_key); + CFReleaseNull(leaf_ec_key); +} + int si_62_csr(int argc, char *const *argv) { #if TARGET_OS_IPHONE - plan_tests(27); + plan_tests(41); #else - plan_tests(20); + plan_tests(34); #endif tests(); test_ec_csr(); + test_algs(); return 0; } diff --git a/OSX/sec/Security/Regressions/secitem/si-63-scep.c b/OSX/sec/Security/Regressions/secitem/si-63-scep.m similarity index 91% rename from OSX/sec/Security/Regressions/secitem/si-63-scep.c rename to OSX/sec/Security/Regressions/secitem/si-63-scep.m index aa2f543f..f9773ca8 100644 --- a/OSX/sec/Security/Regressions/secitem/si-63-scep.c +++ b/OSX/sec/Security/Regressions/secitem/si-63-scep.m @@ -34,6 +34,7 @@ #include #include #include +#include #include "Security_regressions.h" #include @@ -1197,6 +1198,8 @@ static void tests(void) ok_status(SecItemDelete(identity_add), "delete encryption identity from keychain"); CFReleaseSafe(identity_add); + CFReleaseNull(parameters); + CFReleaseNull(scep_ra_certificate); CFReleaseSafe(self_signed_identity); CFReleaseSafe(retry_get_cert_initial); CFReleaseSafe(server_error); 
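Review bot: `test_csr_create_sign_verify` takes `cert_hashing_alg` and `csr_hashing_alg`, but it only checks that each CSR verifies and that both leaf certificates evaluate to `kSecTrustResultUnspecified` or `kSecTrustResultProceed` against the generated root. A run in which the requested digest was ignored and a default used instead would therefore still pass all ten `ok(...)` cases in `test_algs`. I would read the signature algorithm back from `csr`, `leaf_cert1` and `leaf_cert2` and compare it with the requested one before `status = true`. The SHA-1 cases also pin SHA-1 issuance as supported behaviour; a comment such as `/* SHA-1 is exercised for compatibility only; not a recommended digest */` would state that intent, if that is the reason they are kept.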
@@ -1205,12 +1208,151 @@ static void tests(void) CFReleaseSafe(error_dict); } +static bool test_scep_with_keys_algorithms(SecKeyRef ca_key, SecKeyRef leaf_key, CFStringRef hash_alg) { + SecCertificateRef ca_cert = NULL; + SecIdentityRef ca_identity = NULL; + NSArray *ca_rdns = nil, *leaf_rdns = nil, *issued_certs = nil; + NSDictionary *ca_parameters = nil, *leaf_parameters = nil, *ca_item_dict = nil, *leaf_item_dict = nil; + NSData *scep_request = nil, *scep_reply = nil, *serial_no = nil; + bool status = false; + + /* Generate CA cert */ + NSString *common_name = [NSString stringWithFormat:@"SCEP Test Root: %@", hash_alg]; + ca_rdns = @[ + @[@[(__bridge NSString*)kSecOidCountryName, @"US"]], + @[@[(__bridge NSString*)kSecOidOrganization, @"Apple Inc."]], + @[@[(__bridge NSString*)kSecOidCommonName, common_name]] + ]; + ca_parameters = @{ + (__bridge NSString *)kSecCMSSignHashAlgorithm: (__bridge NSString*)hash_alg, + (__bridge NSString *)kSecCSRBasicContraintsPathLen: @0, + (__bridge NSString *)kSecCertificateKeyUsage: @(kSecKeyUsageKeyCertSign | kSecKeyUsageCRLSign) + }; + ca_cert = SecGenerateSelfSignedCertificate((__bridge CFArrayRef)ca_rdns, + (__bridge CFDictionaryRef)ca_parameters, + NULL, ca_key); + require(ca_cert, out); + ca_identity = SecIdentityCreate(NULL, ca_cert, ca_key); + require(ca_identity, out); + + /* Generate leaf request - SHA-256 csr, SHA-256 CMS */ + leaf_rdns = @[ + @[@[(__bridge NSString*)kSecOidCountryName, @"US"]], + @[@[(__bridge NSString*)kSecOidOrganization, @"Apple Inc."]], + @[@[(__bridge NSString*)kSecOidCommonName, @"SCEP SHA-2 leaf"]] + ]; + leaf_parameters = @{ + (__bridge NSString*)kSecCSRChallengePassword: @"magic", + (__bridge NSString*)kSecCMSSignHashAlgorithm: (__bridge NSString*)hash_alg, + (__bridge NSString*)kSecSubjectAltName: @{ + (__bridge NSString*)kSecSubjectAltNameEmailAddress : @"test@apple.com" + }, + (__bridge NSString*)kSecCertificateKeyUsage: @(kSecKeyUsageDigitalSignature), + (__bridge 
NSString*)kSecCMSBulkEncryptionAlgorithm : (__bridge NSString*)kSecCMSEncryptionAlgorithmAESCBC, + }; + scep_request = CFBridgingRelease(SecSCEPGenerateCertificateRequest((__bridge CFArrayRef)leaf_rdns, + (__bridge CFDictionaryRef)leaf_parameters, + NULL, leaf_key, NULL, ca_cert)); + require(scep_request, out); + + /* Add CA identity to keychain so CMS can decrypt */ + ca_item_dict = @{ + (__bridge NSString*)kSecValueRef : (__bridge id)ca_identity, + (__bridge NSString*)kSecAttrLabel : @"SCEP CA Identity" + }; + require_noerr(SecItemAdd((__bridge CFDictionaryRef)ca_item_dict, NULL), out); + + /* Certify the request with SHA256, AES */ + uint8_t serial_no_bytes[] = { 0x12, 0x34 }; + serial_no = [NSData dataWithBytes:serial_no_bytes length:sizeof(serial_no_bytes)]; + scep_reply = CFBridgingRelease(SecSCEPCertifyRequestWithAlgorithms((__bridge CFDataRef)scep_request, ca_identity, + (__bridge CFDataRef)serial_no, false, + hash_alg, + kSecCMSEncryptionAlgorithmAESCBC)); + require(scep_reply, out); + + /* Add leaf private key to keychain so CMS can decrypt */ + leaf_item_dict = @{ + (__bridge NSString*)kSecClass : (__bridge NSString*)kSecClassKey, + (__bridge NSString*)kSecValueRef : (__bridge id)leaf_key, + (__bridge NSString*)kSecAttrApplicationLabel : @"SCEP Leaf Key" + }; + require_noerr(SecItemAdd((__bridge CFDictionaryRef)leaf_item_dict, NULL), out); + + /* Verify the reply */ + issued_certs = CFBridgingRelease(SecSCEPVerifyReply((__bridge CFDataRef)scep_request, (__bridge CFDataRef)scep_reply, ca_cert, nil)); + require(issued_certs, out); + require([issued_certs count] == 1, out); + + status = true; + +out: + /* Remove from keychain */ + if (ca_item_dict) { SecItemDelete((__bridge CFDictionaryRef)ca_item_dict); } + if (leaf_item_dict) { SecItemDelete((__bridge CFDictionaryRef)leaf_item_dict); } + CFReleaseNull(ca_cert); + CFReleaseNull(ca_identity); + return status; +} + +static void test_SCEP_algs(void) { + SecKeyRef ca_rsa_key = NULL, ca_ec_key = NULL; + 
SecKeyRef leaf_rsa_key = NULL, leaf_ec_key = NULL; + SecKeyRef publicKey = NULL; + NSDictionary *rsa_parameters = nil, *ec_parameters = nil; + + rsa_parameters = @{ + (__bridge NSString*)kSecAttrKeyType: (__bridge NSString*)kSecAttrKeyTypeRSA, + (__bridge NSString*)kSecAttrKeySizeInBits : @2048, + }; + ok_status(SecKeyGeneratePair((__bridge CFDictionaryRef)rsa_parameters, &publicKey, &ca_rsa_key), + "Failed to generate CA RSA key"); + CFReleaseNull(publicKey); + ok_status(SecKeyGeneratePair((__bridge CFDictionaryRef)rsa_parameters, &publicKey, &leaf_rsa_key), + "Failed to generate leaf RSA key"); + CFReleaseNull(publicKey); + + ec_parameters = @{ + (__bridge NSString*)kSecAttrKeyType: (__bridge NSString*)kSecAttrKeyTypeECSECPrimeRandom, + (__bridge NSString*)kSecAttrKeySizeInBits : @384, + }; + ok_status(SecKeyGeneratePair((__bridge CFDictionaryRef)ec_parameters, &publicKey, &ca_ec_key), + "Failed to generate CA EC key"); + CFReleaseNull(publicKey); + ok_status(SecKeyGeneratePair((__bridge CFDictionaryRef)ec_parameters, &publicKey, &leaf_ec_key), + "Failed to generate leaf EC key"); + CFReleaseNull(publicKey); + + /* Hash algorithms */ + ok(test_scep_with_keys_algorithms(ca_rsa_key, leaf_rsa_key, kSecCMSHashingAlgorithmSHA1), + "Failed to run scep test with RSA SHA-1"); + ok(test_scep_with_keys_algorithms(ca_rsa_key, leaf_rsa_key, kSecCMSHashingAlgorithmSHA256), + "Failed to run scep test with RSA SHA-256"); + ok(test_scep_with_keys_algorithms(ca_rsa_key, leaf_rsa_key, kSecCMSHashingAlgorithmSHA384), + "Failed to run scep test with RSA SHA-256"); + ok(test_scep_with_keys_algorithms(ca_rsa_key, leaf_rsa_key, kSecCMSHashingAlgorithmSHA512), + "Failed to run scep test with RSA SHA-256"); + + /* Unsupported key algorithms */ + is(test_scep_with_keys_algorithms(ca_ec_key, leaf_ec_key, kSecCMSHashingAlgorithmSHA256), false, + "Performed scep with EC ca and leaf"); + is(test_scep_with_keys_algorithms(ca_ec_key, leaf_rsa_key, kSecCMSHashingAlgorithmSHA256), false, + 
"Performed scep with EC ca"); + is(test_scep_with_keys_algorithms(ca_rsa_key, leaf_ec_key, kSecCMSHashingAlgorithmSHA256), false, + "Performed scep with EC leaf"); + + CFReleaseNull(ca_rsa_key); + CFReleaseNull(ca_ec_key); + CFReleaseNull(leaf_rsa_key); + CFReleaseNull(leaf_ec_key); +} + int si_63_scep(int argc, char *const *argv) { - plan_tests(36); - + plan_tests(47); tests(); + test_SCEP_algs(); return 0; } diff --git a/OSX/sec/Security/Regressions/secitem/si-66-smime.c b/OSX/sec/Security/Regressions/secitem/si-66-smime.c index b052146e..799b1ccb 100644 --- a/OSX/sec/Security/Regressions/secitem/si-66-smime.c +++ b/OSX/sec/Security/Regressions/secitem/si-66-smime.c @@ -2484,7 +2484,7 @@ static void tests(void) CFRelease(anchor_array); ok_status(SecTrustEvaluate(trust, &result), "evaluate trust"); - ok(result == kSecTrustResultUnspecified, "private root"); + ok(result == kSecTrustResultRecoverableTrustFailure, "private root"); #if DUMP_CERTS // debug code to save a cert chain retrieved from a SecTrustRef (written to /tmp/c[0-9].cer) @@ -2496,7 +2496,7 @@ static void tests(void) if (d) { char f[12] = { '/', 't', 'm', 'p', '/', 'c', 'n', '.', 'c', 'e', 'r', 0 }; f[6] = '0' + (idx % 10); - writeFile(f, CFDataGetBytePtr(d), CFDataGetLength(d)); + writeFile(f, CFDataGetBytePtr(d), (int)CFDataGetLength(d)); CFRelease(d); } } @@ -2523,7 +2523,7 @@ static void tests(void) CFReleaseNull(parameters); CFMutableDictionaryRef subject_alt_names = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); - CFDictionarySetValue(subject_alt_names, CFSTR("rfc822name"), CFSTR("xey@nl")); + CFDictionarySetValue(subject_alt_names, kSecSubjectAltNameEmailAddress, CFSTR("xey@nl")); int key_usage = kSecKeyUsageDigitalSignature | kSecKeyUsageKeyEncipherment; CFNumberRef key_usage_num = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &key_usage); const void *self_key[] = { kSecCertificateKeyUsage, kSecSubjectAltName }; 
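Review bot: The three "Unsupported key algorithms" cases in `test_SCEP_algs` assert only that `test_scep_with_keys_algorithms` returns `false`, and that helper returns `false` for any failed `require` (for instance a `SecItemAdd` that fails for a reason unrelated to the key type), so they pass without showing that the EC keys were what got rejected. Having the helper report which step failed, and asserting on that step, would make the negative cases meaningful. The SHA-384 and SHA-512 cases both reuse the message `"Failed to run scep test with RSA SHA-256"`; they should read `"Failed to run scep test with RSA SHA-384"` and `"Failed to run scep test with RSA SHA-512"`. The results of the two `SecItemDelete` calls under `out:` are ignored, so a test CA identity or leaf private key left behind in the keychain goes unnoticed, and the comments `SHA-256 csr, SHA-256 CMS` and `Certify the request with SHA256, AES` no longer match a helper that takes `hash_alg` as a parameter.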
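Review bot: The `"private root"` assertion in `tests()` (hunk `@@ -2484,7 +2484,7 @@`) now expects `kSecTrustResultRecoverableTrustFailure` instead of `kSecTrustResultUnspecified` with no comment saying why, so this check now asserts that evaluation against the private anchor fails and the success path is no longer covered here. The pinning tests changed in this same commit carry a `//%%%` comment for the same kind of flip; this one should too, e.g. `/* <reason the chain no longer validates>; expect a recoverable failure until the fixture is regenerated */`. The test label `"private root"` should also say which outcome is expected. `tests()` begins and ends outside this hunk.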
@@ -2819,7 +2819,7 @@ static void test_sign_no_priv(void) { CFReleaseNull(parameters); CFMutableDictionaryRef subject_alt_names = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); - CFDictionarySetValue(subject_alt_names, CFSTR("rfc822name"), CFSTR("xey@nl")); + CFDictionarySetValue(subject_alt_names, kSecSubjectAltNameEmailAddress, CFSTR("xey@nl")); int key_usage = kSecKeyUsageDigitalSignature | kSecKeyUsageKeyEncipherment; CFNumberRef key_usage_num = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &key_usage); const void *self_key[] = { kSecCertificateKeyUsage, kSecSubjectAltName }; diff --git a/OSX/sec/Security/Regressions/secitem/si-72-syncableitems.c b/OSX/sec/Security/Regressions/secitem/si-72-syncableitems.c index f8067051..ec5cabbd 100644 --- a/OSX/sec/Security/Regressions/secitem/si-72-syncableitems.c +++ b/OSX/sec/Security/Regressions/secitem/si-72-syncableitems.c @@ -187,6 +187,9 @@ static void tests(void) CFReleaseSafe(query); } + + CFReleaseSafe(account); + CFReleaseSafe(passwordData); } int si_72_syncableitems(int argc, char * const *argv) diff --git a/OSX/sec/Security/Regressions/secitem/si-87-sectrust-name-constraints.m b/OSX/sec/Security/Regressions/secitem/si-87-sectrust-name-constraints.m index c1423458..651ea37d 100644 --- a/OSX/sec/Security/Regressions/secitem/si-87-sectrust-name-constraints.m +++ b/OSX/sec/Security/Regressions/secitem/si-87-sectrust-name-constraints.m @@ -5,6 +5,9 @@ #include #import +#import +#import + #include #include #include 
@@ -72,9 +75,288 @@ errOut: CFReleaseNull(trust); } +/* MARK: BetterTLS tests */ +NSString *kSecTrustTestNameConstraintsResources = @"si-87-sectrust-name-constraints"; +NSString *kSecTrustTestCertificates = @"TestCertificates"; +NSString *kSecTrustTestIPAddress = @"52.20.118.238"; +NSString *kSecTrustTestDNSAddress = @"test.nameconstraints.bettertls.com"; +NSString *kSecTrustTestID = @"id"; +NSString *kSecTrustTestDNSResult = @"dns"; +NSString *kSecTrustTestIPResult = @"ip"; +NSString *kSecTrustTestExpect = @"expect"; +NSString *kSecTrustTestExpectFailure = @"ERROR"; +NSString *kSecTrustTestExpectSuccess = @"OK"; +NSString *kSecTrustTestExpectMaybeSuccess = @"WEAK-OK"; + +static NSArray *anchors = nil; +static NSURL *tmpCertsDir = nil; + +static NSArray *getTestsArray(void) { + NSURL *testPlist = nil; + NSDictionary *testsDict = nil; + NSArray *testsArray = nil; + + testPlist = [[NSBundle mainBundle] URLForResource:@"debugging" withExtension:@"plist" + subdirectory:kSecTrustTestNameConstraintsResources]; + if (!testPlist) { + testPlist = [[NSBundle mainBundle] URLForResource:@"expects" withExtension:@"plist" + subdirectory:kSecTrustTestNameConstraintsResources]; + } + require_action_quiet(testPlist, exit, + fail("Failed to get tests plist from %@", kSecTrustTestNameConstraintsResources)); + testsDict = [NSDictionary dictionaryWithContentsOfURL:testPlist]; + require_action_quiet(testsDict, exit, fail("Failed to decode tests plist into dictionary")); + + testsArray = testsDict[@"expects"]; + require_action_quiet(testsArray, exit, fail("Failed to get expects array from test dictionary")); + require_action_quiet([testsArray isKindOfClass:[NSArray class]], exit, fail("expected array of tests")); + +exit: + return testsArray; +} + +static NSFileHandle *openFileForWriting(const char *filename) { + NSFileHandle *fileHandle = NULL; + NSURL *file = [NSURL URLWithString:[NSString stringWithCString:filename encoding:NSUTF8StringEncoding] relativeToURL:tmpCertsDir]; + int fd; + 
off_t off; + fd = open([file fileSystemRepresentation], O_RDWR | O_CREAT | O_TRUNC, 0644); + if (fd < 0 || (off = lseek(fd, 0, SEEK_SET)) < 0) { + fail("unable to open file for archive"); + } + if (fd >= 0) { + close(fd); + } + + NSError *error; + fileHandle = [NSFileHandle fileHandleForWritingToURL:file error:&error]; + if (!fileHandle) { + fail("unable to get file handle for %@\n\terror:%@", file, error); + } + + return fileHandle; +} + +static BOOL +extract(NSURL *archive) { + BOOL result = NO; + int r; + struct archive_entry *entry; + + struct archive *a = archive_read_new(); + archive_read_support_compression_all(a); + archive_read_support_format_tar(a); + r = archive_read_open_filename(a, [archive fileSystemRepresentation], 16384); + if (r != ARCHIVE_OK) { + fail("unable to open archive"); + goto exit; + } + + while((r = archive_read_next_header(a, &entry)) == ARCHIVE_OK) { + @autoreleasepool { + const char *filename = archive_entry_pathname(entry); + NSFileHandle *fh = openFileForWriting(filename); + ssize_t size = 0; + size_t bufsize = 4192; + uint8_t *buf = calloc(bufsize, 1); + for (;;) { + size = archive_read_data(a, buf, bufsize); + if (size < 0) { + fail("failed to read %s from archive", filename); + [fh closeFile]; + goto exit; + } + if (size == 0) { + break; + } + [fh writeData:[NSData dataWithBytes:buf length:size]]; + } + free(buf); + [fh closeFile]; + } + } + if (r != ARCHIVE_EOF) { + fail("unable to read archive header"); + } else { + result = YES; + } + +exit: + archive_read_finish(a); + return result; +} + +static BOOL untar_test_certs(void) { + NSError *error = nil; + tmpCertsDir = [[NSURL fileURLWithPath:NSTemporaryDirectory() isDirectory:YES] URLByAppendingPathComponent:kSecTrustTestNameConstraintsResources isDirectory:YES]; + + if (![[NSFileManager defaultManager] createDirectoryAtURL:tmpCertsDir + withIntermediateDirectories:NO + attributes:NULL + error:&error]) { + fail("unable to create temporary cert directory: %@", error); + return NO; 
+ } + + NSURL *certs_tar = [[NSBundle mainBundle] URLForResource:kSecTrustTestCertificates withExtension:nil + subdirectory:kSecTrustTestNameConstraintsResources]; + if(!extract(certs_tar)) { + return NO; + } + + return YES; +} + +static BOOL extractLeaf(NSString *filename, NSMutableArray *certs) { + NSString *fullFilename = [NSString stringWithFormat:@"%@.cer", filename]; + NSURL *leafURL = [tmpCertsDir URLByAppendingPathComponent:fullFilename]; + if (!leafURL) { + fail("Failed to get leaf certificate for test id %@", filename); + return NO; + } + NSData *leafData = [NSData dataWithContentsOfURL:leafURL]; + if (!leafData) { + fail("Failed to get leaf certificate data for URL %@", leafURL); + return NO; + } + SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)leafData); + if (!leafData) { + fail("Failed to create leaf cert for %@", leafURL); + return NO; + } + [certs addObject:(__bridge id)cert]; + CFReleaseNull(cert); + return YES; +} + +static BOOL extractChain(NSString *filename, NSMutableArray *certs) { + NSString *fullFilename = [NSString stringWithFormat:@"%@.chain", filename]; + NSURL *chainURL = [tmpCertsDir URLByAppendingPathComponent:fullFilename]; + if (!chainURL) { + fail("Failed to get chain URL for %@", filename); + return NO; + } + NSString *chain = [NSString stringWithContentsOfURL:chainURL encoding:NSUTF8StringEncoding error:nil]; + if (!chain) { + fail("Failed to get chain for %@", chainURL); + return NO; + } + + NSString *pattern = @"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----\n"; + NSRegularExpression *regex = [NSRegularExpression regularExpressionWithPattern:pattern + options:NSRegularExpressionDotMatchesLineSeparators|NSRegularExpressionUseUnixLineSeparators + error:nil]; + [regex enumerateMatchesInString:chain options:0 range:NSMakeRange(0, [chain length]) + usingBlock:^(NSTextCheckingResult * _Nullable result, NSMatchingFlags flags, BOOL * _Nonnull stop) { + NSString *certPEMString = [chain 
substringWithRange:[result range]]; + NSData *certPEMData = [certPEMString dataUsingEncoding:NSUTF8StringEncoding]; + SecCertificateRef cert = SecCertificateCreateWithPEM(NULL, (__bridge CFDataRef)certPEMData); + [certs addObject:(__bridge id)cert]; + CFReleaseNull(cert); + }]; + return YES; +} + +static BOOL getAnchor(void) { + NSURL *rootURL = [[NSBundle mainBundle] URLForResource:@"root" withExtension:@"cer" + subdirectory:kSecTrustTestNameConstraintsResources]; + if (!rootURL) { + fail("Failed to get root cert"); + return NO; + } + NSData *rootData = [NSData dataWithContentsOfURL:rootURL]; + SecCertificateRef root = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)rootData); + if (!root) { + fail("failed to create root cert"); + return NO; + } + anchors = [NSArray arrayWithObject:(__bridge id)root]; + CFReleaseNull(root); + return YES; +} + +static BOOL testTrust(NSArray *certs, NSString *hostname) { + if (!anchors && !getAnchor()) { + return NO; + } + BOOL result = NO; + SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)hostname); + SecTrustRef trust = NULL; + NSDate *date = [NSDate dateWithTimeIntervalSinceReferenceDate:531900000.0]; /* November 8, 2017 at 10:00:00 PM PST */ + require_noerr_action(SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trust), exit, + fail("Failed to create trust ref")); + require_noerr_action(SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)anchors), exit, + fail("Failed to add anchor")); + require_noerr_action(SecTrustSetVerifyDate(trust, (__bridge CFDateRef)date), exit, + fail("Failed to set verify date")); +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wunguarded-availability-new" + result = SecTrustEvaluateWithError(trust, nil); +#pragma clang diagnostic pop + +exit: + CFReleaseNull(policy); + CFReleaseNull(trust); + return result; +} + +void (^runNameConstraintsTestForObject)(id, NSUInteger, BOOL *) = +^(NSDictionary *testDict, NSUInteger idx, BOOL *stop) 
{ + @autoreleasepool { + /* Get the certificates */ + NSNumber *testNum = testDict[kSecTrustTestID]; + NSString *fileName = [NSString stringWithFormat:@"%@",testNum]; + NSMutableArray *certificates = [NSMutableArray array]; + if (!extractLeaf(fileName, certificates) || !extractChain(fileName, certificates)) { + return; + } + + /* Test DNS address */ + NSDictionary *dnsDict = testDict[kSecTrustTestDNSResult]; + BOOL result = testTrust(certificates, kSecTrustTestDNSAddress); + NSString *dnsExpectedResult = dnsDict[kSecTrustTestExpect]; + if ([dnsExpectedResult isEqualToString:kSecTrustTestExpectFailure]) { + is(result, NO, + "Test DNS id: %@. Expected %@. Got %d", testNum, dnsExpectedResult, result); + } else if ([dnsExpectedResult isEqualToString:kSecTrustTestExpectSuccess]) { + is(result, YES, + "Test DNS id: %@. Expected %@. Got %d", testNum, dnsExpectedResult, result); + } else if ([dnsExpectedResult isEqualToString:kSecTrustTestExpectMaybeSuccess]) { + /* These are "OK" but it's acceptable to reject them */ + pass(); + } + + /* Test IP address */ + NSDictionary *ipDict = testDict[kSecTrustTestIPResult]; + result = testTrust(certificates, kSecTrustTestIPAddress); + NSString *ipExpectedResult = ipDict[kSecTrustTestExpect]; + if ([ipExpectedResult isEqualToString:kSecTrustTestExpectFailure]) { + is(result, NO, + "Test IP id: %@. Expected %@. Got %d", testNum, ipExpectedResult, result); + } else if ([ipExpectedResult isEqualToString:kSecTrustTestExpectSuccess]) { + is(result, YES, + "Test IP id: %@. Expected %@. 
Got %d", testNum, ipExpectedResult, result); + } else if ([ipExpectedResult isEqualToString:kSecTrustTestExpectMaybeSuccess]) { + /* These are "OK" but it's acceptable to reject them */ + pass(); + } + } +}; + +static void cleanup(NSURL *tmpDir) { + [[NSFileManager defaultManager] removeItemAtURL:tmpDir error:nil]; +} + int si_87_sectrust_name_constraints(int argc, char *const *argv) { - plan_tests(2); + NSArray *testsArray = getTestsArray(); + plan_tests(2 + (int)(2 * [testsArray count])); tests(); + + if(untar_test_certs()) { + [testsArray enumerateObjectsUsingBlock:runNameConstraintsTestForObject]; + } + cleanup(tmpCertsDir); + return 0; } diff --git a/OSX/sec/Security/Regressions/secitem/si-89-cms-hash-agility.c b/OSX/sec/Security/Regressions/secitem/si-89-cms-hash-agility.c deleted file mode 100644 index 1133ca2d..00000000 --- a/OSX/sec/Security/Regressions/secitem/si-89-cms-hash-agility.c +++ /dev/null 
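Review bot: In `extractLeaf` (the `@@ -72,9 +75,288 @@` hunk of si-87-sectrust-name-constraints.m) the check after `SecCertificateCreateWithData` tests `leafData` a second time instead of `cert`, so a file that does not parse as a certificate reaches `[certs addObject:(__bridge id)cert]` with nil, which raises instead of recording a test failure; the guard should read `if (!cert) {`. `extractChain` has the same gap inside its enumeration block, where the result of `SecCertificateCreateWithPEM` is added without a check; `if (!cert) { fail("Failed to parse PEM cert in %@", chainURL); return; }` before the `addObject:` would cover it. Separately, `extract` hands `archive_entry_pathname(entry)` unchanged to `openFileForWriting`, which resolves it relative to `tmpCertsDir`. The archive is a bundled test resource, but rejecting entry names that are absolute or contain `..` would keep extraction confined to the temporary directory if that resource is ever replaced. The same loop also leaves `buf` unfreed on the `goto exit` taken when `archive_read_data` fails.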
@@ -1,301 +0,0 @@ -/* - * Copyright (c) 2015 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#include -#include -#include -#include - -#include "Security_regressions.h" - -#include "si-89-cms-hash-agility.h" - -static void ios_shim_tests(void) -{ - CFDataRef message = NULL, contentData = NULL, hashAgilityOid = NULL, hashAgilityValue = NULL; - SecPolicyRef policy = NULL; - SecTrustRef trust = NULL; - CFDictionaryRef attrs = NULL; - CFArrayRef attrValues = NULL; - CFDateRef signingTime = NULL, expectedTime = NULL; - - ok(message = CFDataCreate(NULL, valid_message, sizeof(valid_message)), "Create valid message"); - ok(contentData = CFDataCreate(NULL, content, sizeof(content)), "Create detached content"); - ok(policy = SecPolicyCreateBasicX509(), "Create policy"); - - /* verify the valid message and copy out attributes */ - is(SecCMSVerifyCopyDataAndAttributes(message, contentData, policy, &trust, NULL, &attrs), - errSecSuccess, "Verify valid CMS message and get attributes"); - isnt(attrs, NULL, "Copy CMS attributes"); - - /* verify we can get the parsed attribute */ - 
uint8_t appleHashAgilityOid[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x63, 0x64, 0x9, 0x1 }; - ok(hashAgilityOid = CFDataCreate(NULL, appleHashAgilityOid, sizeof(appleHashAgilityOid)), - "Create oid data"); - ok(attrValues = (CFArrayRef) CFDictionaryGetValue(attrs, hashAgilityOid), - "Get hash agility value array"); - is(CFArrayGetCount(attrValues), 1, "One attribute value"); - ok(hashAgilityValue = CFArrayGetValueAtIndex(attrValues, 0), "Get hash agility value"); - is((size_t)CFDataGetLength(hashAgilityValue), sizeof(attribute), "Verify size of parsed hash agility value"); - is(memcmp(attribute, CFDataGetBytePtr(hashAgilityValue), sizeof(attribute)), 0, - "Verify correct hash agility value"); - - attrValues = NULL; - - /*verify we can get the signing time attribute */ - ok(signingTime = (CFDateRef) CFDictionaryGetValue(attrs, kSecCMSSignDate), "Get signing time"); - ok(expectedTime = CFDateCreate(NULL, 468295000.0), "Set expected signing time"); - is(CFDateCompare(signingTime, expectedTime, NULL), 0, "Verify signing time"); - - CFReleaseNull(message); - - /* verify the invalid message */ - ok(message = CFDataCreate(NULL, invalid_message, sizeof(invalid_message)), "Create invalid message"); - is(SecCMSVerify(message, contentData, policy, &trust, NULL), errSecAuthFailed, - "Verify invalid CMS message"); - - CFReleaseNull(message); - - /* verify the valid message with no hash agility attribute */ - ok(message = CFDataCreate(NULL, valid_no_attr, sizeof(valid_no_attr)), - "Create valid message with no hash agility value"); - is(SecCMSVerifyCopyDataAndAttributes(message, contentData, policy, &trust, NULL, &attrs), - errSecSuccess, "Verify 2nd valid CMS message and get attributes"); - isnt(attrs, NULL, "Copy 2nd CMS attributes"); - - /* verify we can't get the hash agility attribute */ - is((CFArrayRef) CFDictionaryGetValue(attrs, hashAgilityOid), NULL, - "Get hash agility value array"); - - - CFReleaseNull(message); - CFReleaseNull(contentData); - 
CFReleaseNull(hashAgilityOid); - CFReleaseNull(expectedTime); - CFReleaseNull(policy); - CFReleaseNull(trust); - CFReleaseNull(attrs); -} - -/* MARK: macOS Shim tests */ -#include -#include - -/* encode test */ -static void encode_test(void) -{ - CMSEncoderRef encoder = NULL; - CFDataRef attributeData = NULL, message = NULL, p12Data = NULL; - CFArrayRef imported_items = NULL; - SecIdentityRef identity = NULL; - CFStringRef password = CFSTR("password"); - CFDictionaryRef options = CFDictionaryCreate(NULL, - (const void **)&kSecImportExportPassphrase, - (const void **)&password, 1, - &kCFTypeDictionaryKeyCallBacks, - &kCFTypeDictionaryValueCallBacks); - CFDictionaryRef itemDict = NULL; - - - /* Create encoder */ - ok_status(CMSEncoderCreate(&encoder), "Create CMS encoder"); - ok_status(CMSEncoderSetSignerAlgorithm(encoder, kCMSEncoderDigestAlgorithmSHA256), - "Set digest algorithm to SHA256"); - - /* Load identity and set as signer */ - ok(p12Data = CFDataCreate(NULL, signing_identity_p12, sizeof(signing_identity_p12)), - "Create p12 data"); - ok_status(SecPKCS12Import(p12Data, options, &imported_items), - "Import identity"); - is(CFArrayGetCount(imported_items),1,"Imported 1 items"); - is(CFGetTypeID(CFArrayGetValueAtIndex(imported_items, 0)), CFDictionaryGetTypeID(), - "Got back a dictionary"); - ok(itemDict = CFArrayGetValueAtIndex(imported_items, 0), "Retreive item dictionary"); - is(CFGetTypeID(CFDictionaryGetValue(itemDict, kSecImportItemIdentity)), SecIdentityGetTypeID(), - "Got back an identity"); - ok(identity = (SecIdentityRef) CFRetainSafe(CFDictionaryGetValue(itemDict, kSecImportItemIdentity)), - "Retrieve identity"); - ok_status(CMSEncoderAddSigners(encoder, identity), "Set Signer identity"); - - /* Add signing time attribute for 3 November 2015 */ - ok_status(CMSEncoderAddSignedAttributes(encoder, kCMSAttrSigningTime), - "Set signing time flag"); - ok_status(CMSEncoderSetSigningTime(encoder, 468295000.0), "Set Signing time"); - - /* Add hash agility 
attribute */ - ok_status(CMSEncoderAddSignedAttributes(encoder, kCMSAttrAppleCodesigningHashAgility), - "Set hash agility flag"); - ok(attributeData = CFDataCreate(NULL, attribute, sizeof(attribute)), - "Create atttribute object"); - ok_status(CMSEncoderSetAppleCodesigningHashAgility(encoder, attributeData), - "Set hash agility data"); - - /* Load content */ - ok_status(CMSEncoderSetHasDetachedContent(encoder, true), "Set detached content"); - ok_status(CMSEncoderUpdateContent(encoder, content, sizeof(content)), "Set content"); - - /* output cms message */ - ok_status(CMSEncoderCopyEncodedContent(encoder, &message), "Finish encoding and output message"); - - /* decode message */ - CMSDecoderRef decoder = NULL; - CFDataRef contentData = NULL; - isnt(message, NULL, "Encoded message exists"); - ok_status(CMSDecoderCreate(&decoder), "Create CMS decoder"); - ok_status(CMSDecoderUpdateMessage(decoder, CFDataGetBytePtr(message), CFDataGetLength(message)), - "Update decoder with CMS message"); - ok(contentData = CFDataCreate(NULL, content, sizeof(content)), "Create detached content"); - ok_status(CMSDecoderSetDetachedContent(decoder, contentData), "Set detached content"); - ok_status(CMSDecoderFinalizeMessage(decoder), "Finalize decoder"); - - - CFReleaseNull(encoder); - CFReleaseNull(p12Data); - CFReleaseNull(imported_items); - CFReleaseNull(identity); - CFReleaseNull(attributeData); - CFReleaseNull(message); - CFReleaseNull(decoder); - CFReleaseNull(contentData); -} - -static void decode_positive_test(void) -{ - CMSDecoderRef decoder = NULL; - CFDataRef contentData = NULL, attrValue = NULL; - SecPolicyRef policy = NULL; - SecTrustRef trust = NULL; - CMSSignerStatus signerStatus; - CFAbsoluteTime signingTime = 0.0; - - /* Create decoder and decode */ - ok_status(CMSDecoderCreate(&decoder), "Create CMS decoder"); - ok_status(CMSDecoderUpdateMessage(decoder, valid_message, sizeof(valid_message)), - "Update decoder with CMS message"); - ok(contentData = CFDataCreate(NULL, 
content, sizeof(content)), "Create detached content"); - ok_status(CMSDecoderSetDetachedContent(decoder, contentData), "Set detached content"); - ok_status(CMSDecoderFinalizeMessage(decoder), "Finalize decoder"); - - /* Get signer status */ - ok(policy = SecPolicyCreateBasicX509(), "Create policy"); - ok_status(CMSDecoderCopySignerStatus(decoder, 0, policy, false, &signerStatus, &trust, NULL), - "Copy Signer status"); - is(signerStatus, kCMSSignerValid, "Valid signature"); - - /* Get Hash Agility Attribute value */ - ok_status(CMSDecoderCopySignerAppleCodesigningHashAgility(decoder, 0, &attrValue), - "Copy hash agility attribute value"); - is((size_t)CFDataGetLength(attrValue), sizeof(attribute), "Decoded attribute size"); - is(memcmp(attribute, CFDataGetBytePtr(attrValue), sizeof(attribute)), 0, - "Decoded value same as input value"); - - /* Get Signing Time Attribute value */ - ok_status(CMSDecoderCopySignerSigningTime(decoder, 0, &signingTime), - "Copy signing time attribute value"); - is(signingTime, 468295000.0, "Decoded date same as input date"); - - CFReleaseNull(decoder); - CFReleaseNull(contentData); - CFReleaseNull(policy); - CFReleaseNull(trust); - CFReleaseNull(attrValue); -} - -static void decode_negative_test(void) -{ - CMSDecoderRef decoder = NULL; - CFDataRef contentData = NULL; - SecPolicyRef policy = NULL; - SecTrustRef trust = NULL; - CMSSignerStatus signerStatus; - - /* Create decoder and decode */ - ok_status(CMSDecoderCreate(&decoder), "Create CMS decoder"); - ok_status(CMSDecoderUpdateMessage(decoder, invalid_message, sizeof(invalid_message)), - "Update decoder with CMS message"); - ok(contentData = CFDataCreate(NULL, content, sizeof(content)), "Create detached content"); - ok_status(CMSDecoderSetDetachedContent(decoder, contentData), "Set detached content"); - ok_status(CMSDecoderFinalizeMessage(decoder), "Finalize decoder"); - - /* Get signer status */ - ok(policy = SecPolicyCreateBasicX509(), "Create policy"); - 
ok_status(CMSDecoderCopySignerStatus(decoder, 0, policy, false, &signerStatus, &trust, NULL), - "Copy Signer status"); - is(signerStatus, kCMSSignerInvalidSignature, "Invalid signature"); - - CFReleaseNull(decoder); - CFReleaseNull(contentData); - CFReleaseNull(policy); - CFReleaseNull(trust); -} - -static void decode_no_attr_test(void) -{ - CMSDecoderRef decoder = NULL; - CFDataRef contentData = NULL, attrValue = NULL; - SecPolicyRef policy = NULL; - SecTrustRef trust = NULL; - CMSSignerStatus signerStatus; - - /* Create decoder and decode */ - ok_status(CMSDecoderCreate(&decoder), "Create CMS decoder"); - ok_status(CMSDecoderUpdateMessage(decoder, valid_no_attr, sizeof(valid_no_attr)), - "Update decoder with CMS message"); - ok(contentData = CFDataCreate(NULL, content, sizeof(content)), "Create detached content"); - ok_status(CMSDecoderSetDetachedContent(decoder, contentData), "Set detached content"); - ok_status(CMSDecoderFinalizeMessage(decoder), "Finalize decoder"); - - /* Get signer status */ - ok(policy = SecPolicyCreateBasicX509(), "Create policy"); - ok_status(CMSDecoderCopySignerStatus(decoder, 0, policy, false, &signerStatus, &trust, NULL), - "Copy Signer status"); - is(signerStatus, kCMSSignerValid, "Valid signature"); - - /* Get Hash Agility Attribute value */ - ok_status(CMSDecoderCopySignerAppleCodesigningHashAgility(decoder, 0, &attrValue), - "Copy empty hash agility attribute value"); - is(attrValue, NULL, "NULL attribute value"); - - CFReleaseNull(decoder); - CFReleaseNull(contentData); - CFReleaseNull(policy); - CFReleaseNull(trust); - CFReleaseNull(attrValue); -} - -static void macos_shim_tests(void) { - encode_test(); - decode_positive_test(); - decode_negative_test(); - decode_no_attr_test(); -} - -int si_89_cms_hash_agility(int argc, char *const *argv) -{ - plan_tests(20+24+13+8+10); - - ios_shim_tests(); - macos_shim_tests(); - - return 0; -} 
diff --git a/OSX/sec/Security/Regressions/secitem/si-89-cms-hash-agility.h b/OSX/sec/Security/Regressions/secitem/si-89-cms-hash-agility.h index 3b245171..a52b5fb5 100644 --- a/OSX/sec/Security/Regressions/secitem/si-89-cms-hash-agility.h +++ b/OSX/sec/Security/Regressions/secitem/si-89-cms-hash-agility.h @@ -88,6 +88,14 @@ unsigned char attribute[32] = { 0x87, 0xa0, 0x4e, 0x80, 0xf4, 0xf3, 0x5d, 0xd2, 0x68, 0x08, 0x58, 0xe6 }; +/* Random data for hash agility V2 attribute */ +unsigned char _attributev2[64] = { + 0x28, 0x4f, 0x7f, 0xf5, 0xf8, 0x14, 0x80, 0xa6, 0x6b, 0x37, 0x44, 0xeb, 0xed, 0x1e, 0xf1, 0x3d, + 0x35, 0x4e, 0x02, 0x21, 0xdc, 0x26, 0x61, 0x33, 0x71, 0x57, 0x18, 0xc7, 0xdd, 0xc2, 0x50, 0xbf, + 0xfc, 0x9d, 0x6f, 0x8e, 0x8b, 0xe2, 0x3d, 0x1d, 0x41, 0xbf, 0xe6, 0xd1, 0x7a, 0xc9, 0x3f, 0xc9, + 0x4d, 0xdd, 0x38, 0x35, 0xbd, 0xdf, 0x98, 0x95, 0x0a, 0x00, 0xc6, 0x6d, 0x30, 0xe2, 0x37, 0x3b +}; + /* Valid CMS message on content with hash agility attribute */ uint8_t valid_message[] = { 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, 
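Review bot: The comment on `_attributev2` calls it random data but does not say how the 64 bytes are used; the layout is only discoverable by matching bytes against `_V2_valid_message` in the next hunk. There, bytes 0–19 appear as a 20-byte value under the SHA-1 OID (`2b 0e 03 02 1a`) and bytes 32–63 as a 32-byte value under the SHA-256 OID (`60 86 48 01 65 03 04 02 01`). I would document that, e.g. `/* Hash agility V2 test values: bytes 0-19 are the SHA-1 entry, bytes 32-63 the SHA-256 entry of _V2_valid_message */`, so a later edit to one array is not made without the other. Both new names also begin with an underscore at file scope, which C reserves for the implementation (`_V2_valid_message` in any scope). `attribute_v2` and `valid_message_v2` would match the existing `attribute` and `valid_message`, though users of these arrays outside this section would need the same rename.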
@@ -834,4 +842,176 @@ unsigned char signing_identity_p12[4477] = { 0xfe, 0x15, 0xb1, 0x04, 0x08, 0xdd, 0xee, 0x2c, 0x8a, 0x3d, 0x65, 0x41, 0x94, 0x02, 0x02, 0x08, 0x00 }; +unsigned char _V2_valid_message[] = { + 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x80, 0x30, + 0x80, 0x02, 0x01, 0x01, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, + 0x04, 0x02, 0x01, 0x05, 0x00, 0x30, 0x80, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x07, 0x01, 0x00, 0x00, 0xa0, 0x82, 0x06, 0xb4, 0x30, 0x82, 0x06, 0xb0, 0x30, 0x82, 0x04, 0x98, + 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xdd, 0x3f, 0x19, 0x90, 0xd8, 0x99, 0xba, 0x86, + 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, + 0x81, 0x96, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, + 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, + 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, 0x43, + 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, + 0x0a, 0x13, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, + 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, + 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, + 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x18, + 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0f, 0x43, 0x4d, 0x53, 0x20, 0x54, 0x65, 0x73, + 0x74, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x65, 0x72, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x35, 0x31, 0x30, + 0x32, 0x39, 0x32, 0x31, 0x35, 0x35, 0x35, 0x38, 0x5a, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x30, 0x32, + 0x38, 0x32, 0x31, 0x35, 0x35, 0x35, 0x38, 0x5a, 0x30, 0x81, 0x96, 0x31, 0x0b, 0x30, 0x09, 0x06, + 0x03, 0x55, 0x04, 0x06, 
0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, + 0x08, 0x13, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, + 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, + 0x6f, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0b, 0x41, 0x70, 0x70, 0x6c, + 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, + 0x13, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, + 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, + 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x13, 0x0f, 0x43, 0x4d, 0x53, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x65, + 0x72, 0x30, 0x82, 0x02, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x02, 0x0f, 0x00, 0x30, 0x82, 0x02, 0x0a, 0x02, 0x82, 0x02, + 0x01, 0x00, 0xc4, 0x2a, 0x38, 0x4b, 0xdd, 0x1c, 0xc7, 0x39, 0x47, 0xba, 0xbc, 0x5d, 0xd2, 0xcc, + 0x6e, 0x9e, 0x2c, 0x81, 0x26, 0x18, 0x59, 0x18, 0xb8, 0x45, 0x0c, 0xde, 0x5b, 0xbc, 0x25, 0xa4, + 0x78, 0x0b, 0x16, 0x3d, 0x3d, 0x10, 0x34, 0x48, 0xcf, 0x1f, 0x40, 0xaa, 0x4b, 0xb5, 0xbc, 0xf0, + 0x81, 0x5e, 0xa8, 0x72, 0xed, 0x6a, 0x8c, 0xf0, 0x4a, 0x9a, 0x80, 0x09, 0x3b, 0x89, 0xed, 0xad, + 0x2b, 0xb5, 0x5b, 0x0f, 0xe4, 0x3f, 0x6b, 0xc5, 0x15, 0x33, 0x5e, 0xdd, 0xa4, 0xac, 0x2f, 0xa5, + 0x13, 0x0f, 0x3c, 0xfc, 0xd8, 0xca, 0xb8, 0x88, 0x67, 0x75, 0xc4, 0x9a, 0x4c, 0x18, 0x9a, 0x38, + 0x68, 0xaa, 0x4c, 0x94, 0x35, 0xed, 0xa4, 0x0b, 0x80, 0x2b, 0xa9, 0x4d, 0xa4, 0x57, 0x22, 0xfc, + 0xd2, 0xc3, 0x12, 0x0b, 0x8a, 0x3c, 0xd7, 0x6d, 0x8b, 0x47, 0x4f, 0x24, 0xe5, 0xea, 0x1b, 0x03, + 0x78, 0xa2, 0x12, 0x36, 0x3f, 0x92, 0x16, 0x36, 0xff, 0xc5, 0xaf, 0xc3, 0xec, 0x4b, 0x6c, 0x23, + 0x04, 0x1b, 0xa9, 0xce, 0x3a, 0xa1, 0xa5, 0xe0, 0x54, 0x13, 
0x43, 0x13, 0x29, 0x95, 0x5b, 0xcb, + 0x97, 0x74, 0x01, 0xbc, 0x3c, 0xb8, 0xa1, 0xb0, 0xf3, 0x3c, 0xfa, 0x21, 0x7a, 0x89, 0x90, 0x2b, + 0x1f, 0x20, 0x3f, 0xc1, 0x22, 0xda, 0x8d, 0xa5, 0x30, 0x57, 0x6d, 0xd4, 0x40, 0x99, 0x08, 0x0d, + 0xef, 0x36, 0x16, 0xa6, 0xec, 0xcf, 0x26, 0x78, 0x7c, 0x77, 0x7e, 0x50, 0x2a, 0xe3, 0xdf, 0x28, + 0xff, 0xd0, 0xc7, 0x0e, 0x8b, 0x6b, 0x56, 0x62, 0x53, 0x37, 0x5a, 0x1a, 0x85, 0x50, 0xec, 0x6a, + 0x6b, 0x2e, 0xd1, 0x35, 0x6e, 0x5d, 0x92, 0x30, 0x39, 0x82, 0x40, 0x7b, 0x6d, 0x89, 0x5b, 0x4d, + 0x30, 0x6d, 0x2e, 0x68, 0x16, 0x24, 0x63, 0x32, 0x24, 0xdc, 0x3e, 0x5b, 0x4a, 0xc4, 0x41, 0xfc, + 0x76, 0x07, 0xe6, 0xa3, 0x1b, 0x18, 0xec, 0x59, 0xed, 0x13, 0x0b, 0x2d, 0xe9, 0x86, 0x89, 0x2c, + 0x0a, 0xb0, 0x19, 0x97, 0x4d, 0x1b, 0xfb, 0xd4, 0xef, 0x54, 0xcd, 0xe5, 0xb2, 0x22, 0x70, 0x3a, + 0x50, 0x03, 0xaa, 0xc0, 0xf8, 0xb4, 0x8e, 0x16, 0xd8, 0x2a, 0xc1, 0xd1, 0x2d, 0xa0, 0x27, 0x59, + 0x63, 0x70, 0xc3, 0x74, 0x14, 0xee, 0xde, 0xa9, 0xd9, 0x73, 0xdb, 0x16, 0x6d, 0xef, 0x7f, 0x50, + 0xb6, 0xd2, 0x54, 0x0d, 0x4d, 0x31, 0x5f, 0x23, 0x2c, 0xfd, 0x8f, 0x67, 0x7c, 0xe9, 0xaa, 0x1c, + 0x29, 0xf5, 0x83, 0x1b, 0x2b, 0x0e, 0x66, 0x0e, 0x5c, 0xfe, 0xc9, 0x38, 0xb0, 0x90, 0xfa, 0x31, + 0x4c, 0xb1, 0xef, 0xea, 0xd0, 0x47, 0x17, 0xde, 0x45, 0xc1, 0x93, 0xef, 0xba, 0xde, 0x9f, 0x69, + 0xc7, 0xa6, 0x14, 0x23, 0xb1, 0x8b, 0xaa, 0xbf, 0x61, 0x37, 0x57, 0x11, 0x6a, 0xb2, 0xf7, 0xec, + 0x52, 0x7e, 0x65, 0x80, 0xff, 0xa1, 0xa8, 0x20, 0x7e, 0x0b, 0xae, 0x21, 0xfa, 0xe8, 0x20, 0x52, + 0x93, 0xc5, 0xe9, 0x39, 0x5b, 0x8e, 0xab, 0xef, 0x86, 0xa6, 0xd8, 0x43, 0x7e, 0xa9, 0x5c, 0x6d, + 0x91, 0xd8, 0x5c, 0xa4, 0x2a, 0xed, 0x26, 0xa8, 0x1b, 0xaa, 0x3b, 0xfa, 0x86, 0x75, 0x37, 0xc6, + 0x70, 0x12, 0x2b, 0x8c, 0x55, 0x96, 0x76, 0x04, 0xf6, 0xe3, 0xf9, 0xe2, 0x0d, 0x2e, 0xe0, 0x23, + 0xdf, 0xfa, 0xe0, 0x9c, 0x11, 0xf9, 0xd4, 0x51, 0x05, 0xed, 0x2b, 0x3f, 0xa3, 0x3f, 0xa2, 0xe6, + 0x30, 0x81, 0x17, 0x00, 0x8f, 0x15, 0x91, 0xfb, 0x21, 0x62, 0xf4, 0xff, 0x93, 0x1a, 0x2e, 0xfe, + 
0x1a, 0xcb, 0x93, 0x3d, 0xd4, 0x6e, 0x3a, 0xb8, 0x70, 0xdf, 0x93, 0xb4, 0x02, 0xc4, 0x8c, 0x54, + 0x92, 0xde, 0xa7, 0x32, 0x65, 0x1c, 0x85, 0x95, 0x34, 0xf8, 0x8d, 0x06, 0x5b, 0x7d, 0x72, 0x00, + 0xd8, 0x31, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0xfe, 0x30, 0x81, 0xfb, 0x30, 0x1d, 0x06, + 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0xee, 0x16, 0xde, 0xfd, 0x11, 0xd3, 0x88, 0xfb, + 0xef, 0xfb, 0x19, 0x23, 0x8a, 0x23, 0x85, 0x7b, 0xe8, 0x41, 0x26, 0xa1, 0x30, 0x81, 0xcb, 0x06, + 0x03, 0x55, 0x1d, 0x23, 0x04, 0x81, 0xc3, 0x30, 0x81, 0xc0, 0x80, 0x14, 0xee, 0x16, 0xde, 0xfd, + 0x11, 0xd3, 0x88, 0xfb, 0xef, 0xfb, 0x19, 0x23, 0x8a, 0x23, 0x85, 0x7b, 0xe8, 0x41, 0x26, 0xa1, + 0xa1, 0x81, 0x9c, 0xa4, 0x81, 0x99, 0x30, 0x81, 0x96, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, + 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, + 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, 0x12, 0x30, 0x10, 0x06, + 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, 0x69, 0x6e, 0x6f, 0x31, + 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0b, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x2c, + 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x25, + 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, 0x69, 0x6e, 0x65, 0x65, + 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, + 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0f, + 0x43, 0x4d, 0x53, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x65, 0x72, 0x82, + 0x09, 0x00, 0xdd, 0x3f, 0x19, 0x90, 0xd8, 0x99, 0xba, 0x86, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, + 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x0c, 0x0f, 0x08, 0x79, + 0x6f, 0x56, 0x21, 0xdf, 0xdd, 0xf5, 
0x97, 0x8d, 0xdc, 0x97, 0x06, 0xfb, 0x2e, 0xe0, 0x21, 0x60, + 0xc3, 0x02, 0xf4, 0x41, 0x79, 0x79, 0xc2, 0x23, 0x9a, 0x8a, 0x54, 0x2e, 0x66, 0xab, 0xc0, 0x21, + 0xf6, 0x9f, 0xc5, 0x2e, 0x41, 0xb8, 0xa3, 0x32, 0x9f, 0x3d, 0x4e, 0xf4, 0x83, 0xee, 0xcc, 0x60, + 0xf6, 0x82, 0x3d, 0xb4, 0xa9, 0x9d, 0xcd, 0xa0, 0x02, 0x89, 0xb0, 0x32, 0x1b, 0xb5, 0x7c, 0xf4, + 0x8f, 0xbc, 0x9b, 0x24, 0xc2, 0xe2, 0x81, 0xd6, 0x6f, 0x0e, 0x22, 0x5e, 0x50, 0xd9, 0x5b, 0x2e, + 0x89, 0xbf, 0xa4, 0xfe, 0xa8, 0xc2, 0x9a, 0xf4, 0xec, 0x70, 0x66, 0x01, 0x4b, 0x50, 0x30, 0x97, + 0x0a, 0xcc, 0x9f, 0xac, 0xe4, 0x89, 0x1c, 0x8d, 0x88, 0x0d, 0xdb, 0x21, 0xbd, 0x2f, 0x24, 0x8e, + 0x83, 0xf9, 0xe6, 0x71, 0xed, 0x71, 0x26, 0x31, 0x99, 0x9d, 0x04, 0xeb, 0x34, 0xea, 0x6d, 0x65, + 0xb8, 0x02, 0x83, 0x57, 0x78, 0x36, 0x3a, 0x0b, 0xc7, 0x41, 0x63, 0xb5, 0xf6, 0x1c, 0xd2, 0x01, + 0x86, 0x04, 0x58, 0x40, 0x3e, 0x91, 0x98, 0x39, 0x72, 0x75, 0x11, 0xca, 0x14, 0x73, 0x90, 0x34, + 0x8b, 0x21, 0xa4, 0xd0, 0xba, 0xe7, 0x33, 0x03, 0x22, 0x0f, 0x1a, 0xf7, 0x10, 0x2b, 0x69, 0x4c, + 0x73, 0xef, 0x04, 0x18, 0xf9, 0xe1, 0x11, 0xa8, 0xb8, 0x1b, 0x57, 0x0b, 0x03, 0x10, 0x1c, 0xce, + 0x13, 0xca, 0xe4, 0xde, 0x8c, 0xf4, 0xcf, 0xf5, 0xb7, 0x80, 0x3e, 0xbc, 0x1f, 0x51, 0x9b, 0x20, + 0x8c, 0xb0, 0x2d, 0x67, 0x1c, 0x84, 0x25, 0x4c, 0x8b, 0xd3, 0xa7, 0x09, 0x8e, 0x60, 0xe2, 0x99, + 0x0d, 0x10, 0x12, 0x14, 0xfc, 0x17, 0x62, 0x69, 0xcd, 0xa4, 0x64, 0xf0, 0x7e, 0xba, 0xe0, 0xc9, + 0x51, 0x78, 0xf8, 0xb4, 0x0d, 0x7d, 0xb8, 0xa0, 0xee, 0x9c, 0x9e, 0x84, 0xd5, 0xa4, 0x02, 0xe5, + 0x7a, 0x1c, 0x65, 0xe1, 0x20, 0xfb, 0x4d, 0x61, 0x7a, 0x47, 0x25, 0x06, 0x95, 0x17, 0x62, 0x60, + 0x4b, 0x0b, 0xc6, 0xca, 0xa7, 0x35, 0x8f, 0xd4, 0x63, 0x3e, 0x5e, 0x92, 0x1a, 0x08, 0x7c, 0x6b, + 0x15, 0x41, 0x95, 0x76, 0x7d, 0x39, 0x28, 0xec, 0x3e, 0x1f, 0x49, 0xd5, 0xd5, 0x89, 0xf9, 0x5f, + 0x14, 0x02, 0x2f, 0x27, 0xb0, 0x39, 0xba, 0xf7, 0x91, 0x53, 0x75, 0x77, 0xab, 0x88, 0x40, 0x1d, + 0x77, 0xaf, 0x79, 0xfd, 0xdc, 0xac, 0x99, 0x82, 0xf2, 0x46, 0x05, 0x97, 
0x60, 0xef, 0x7b, 0xf5, + 0x34, 0x38, 0xbf, 0xd7, 0x42, 0x3e, 0x8b, 0x5a, 0x4a, 0x0c, 0x22, 0x7e, 0x4d, 0x4e, 0xf6, 0xf7, + 0xcc, 0x6e, 0x31, 0x33, 0x1a, 0x84, 0xbe, 0x07, 0xf7, 0xe8, 0xe2, 0x43, 0x00, 0x54, 0x4a, 0x38, + 0xda, 0x98, 0xe3, 0x84, 0xb2, 0xd0, 0x76, 0x79, 0x94, 0x11, 0x7e, 0xa8, 0xca, 0x56, 0xa0, 0xfd, + 0x4b, 0xba, 0x7c, 0x0a, 0xa4, 0x34, 0x01, 0xad, 0xf4, 0x37, 0x4f, 0x38, 0x33, 0x9f, 0x71, 0xdc, + 0xc4, 0x4c, 0x96, 0xb0, 0x8a, 0x86, 0xe5, 0x8d, 0xd2, 0x44, 0xe3, 0x18, 0xcb, 0x81, 0xa6, 0x7c, + 0xaf, 0x8e, 0xfb, 0x41, 0x6e, 0xc5, 0x82, 0xf0, 0x51, 0xb7, 0x0f, 0x23, 0x9b, 0x77, 0xed, 0x9a, + 0x06, 0x6b, 0x77, 0x7c, 0x8e, 0xc4, 0xdf, 0x50, 0xa0, 0xd2, 0x81, 0x3e, 0x65, 0xbe, 0xe5, 0x51, + 0x79, 0x93, 0x24, 0x8e, 0xb3, 0xb5, 0x25, 0x48, 0x76, 0x0e, 0x75, 0x94, 0xef, 0x9a, 0x9d, 0xc7, + 0x95, 0x08, 0xca, 0x35, 0x6b, 0x73, 0xbc, 0x4b, 0x93, 0x7a, 0x93, 0x55, 0x2d, 0xe4, 0x5f, 0xcf, + 0x11, 0x31, 0x94, 0xb2, 0x5a, 0x05, 0x80, 0xd7, 0x59, 0x79, 0x14, 0x8a, 0x2a, 0xb9, 0xd7, 0x3d, + 0x33, 0x69, 0xa9, 0xab, 0xaa, 0xb8, 0x4c, 0x73, 0xb6, 0x71, 0x2c, 0x6f, 0x31, 0x82, 0x03, 0x99, + 0x30, 0x82, 0x03, 0x95, 0x02, 0x01, 0x01, 0x30, 0x81, 0xa4, 0x30, 0x81, 0x96, 0x31, 0x0b, 0x30, + 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, + 0x55, 0x04, 0x08, 0x13, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61, 0x31, + 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x09, 0x43, 0x75, 0x70, 0x65, 0x72, 0x74, + 0x69, 0x6e, 0x6f, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0b, 0x41, 0x70, + 0x70, 0x6c, 0x65, 0x2c, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x2e, 0x30, 0x2c, 0x06, 0x03, 0x55, + 0x04, 0x0b, 0x13, 0x25, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x20, 0x45, 0x6e, 0x67, + 0x69, 0x6e, 0x65, 0x65, 0x72, 0x69, 0x6e, 0x67, 0x20, 0x61, 0x6e, 0x64, 0x20, 0x41, 0x72, 0x63, + 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x75, 0x72, 0x65, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, + 0x04, 0x03, 
0x13, 0x0f, 0x43, 0x4d, 0x53, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x53, 0x69, 0x67, + 0x6e, 0x65, 0x72, 0x02, 0x09, 0x00, 0xdd, 0x3f, 0x19, 0x90, 0xd8, 0x99, 0xba, 0x86, 0x30, 0x0d, + 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0xa0, 0x81, 0xc6, + 0x30, 0x18, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x03, 0x31, 0x0b, 0x06, + 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x30, 0x1c, 0x06, 0x09, 0x2a, 0x86, + 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x05, 0x31, 0x0f, 0x17, 0x0d, 0x31, 0x37, 0x31, 0x30, 0x32, + 0x36, 0x30, 0x38, 0x34, 0x30, 0x30, 0x30, 0x5a, 0x30, 0x2f, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x09, 0x04, 0x31, 0x22, 0x04, 0x20, 0x30, 0x9e, 0x11, 0x91, 0x83, 0x14, 0xd8, + 0xb9, 0xd6, 0x24, 0x8e, 0x04, 0x7e, 0x31, 0xa7, 0x66, 0xf7, 0x3c, 0x96, 0xc6, 0x23, 0x60, 0x2e, + 0xec, 0x9e, 0x0c, 0xda, 0xab, 0x25, 0x58, 0x02, 0xf2, 0x30, 0x5b, 0x06, 0x09, 0x2a, 0x86, 0x48, + 0x86, 0xf7, 0x63, 0x64, 0x09, 0x02, 0x31, 0x4e, 0x30, 0x2d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, + 0x65, 0x03, 0x04, 0x02, 0x01, 0x04, 0x20, 0xfc, 0x9d, 0x6f, 0x8e, 0x8b, 0xe2, 0x3d, 0x1d, 0x41, + 0xbf, 0xe6, 0xd1, 0x7a, 0xc9, 0x3f, 0xc9, 0x4d, 0xdd, 0x38, 0x35, 0xbd, 0xdf, 0x98, 0x95, 0x0a, + 0x00, 0xc6, 0x6d, 0x30, 0xe2, 0x37, 0x3b, 0x30, 0x1d, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, + 0x04, 0x14, 0x28, 0x4f, 0x7f, 0xf5, 0xf8, 0x14, 0x80, 0xa6, 0x6b, 0x37, 0x44, 0xeb, 0xed, 0x1e, + 0xf1, 0x3d, 0x35, 0x4e, 0x02, 0x21, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82, 0x02, 0x00, 0x7c, 0x31, 0x1c, 0x96, 0xbd, 0x0a, 0xe5, + 0x47, 0xab, 0xa0, 0xb4, 0x29, 0x0f, 0x3e, 0xe7, 0x7a, 0x81, 0x87, 0x7e, 0x04, 0x30, 0xf3, 0x95, + 0xe7, 0x54, 0x68, 0xe9, 0x97, 0xae, 0xdc, 0x5a, 0x5d, 0x52, 0xc8, 0x82, 0x27, 0x3b, 0x0a, 0x7c, + 0xe1, 0x69, 0x2f, 0x46, 0x8d, 0xca, 0x77, 0xf3, 0xbf, 0x68, 0xd3, 0xda, 0xcb, 0xb3, 0x11, 0x93, + 0x81, 0x37, 0x22, 0x42, 0xbd, 0x6a, 0x55, 0x02, 
0xe7, 0x85, 0x4c, 0x09, 0x5a, 0x02, 0x73, 0x98, + 0xdd, 0x7c, 0x03, 0x00, 0x53, 0xd2, 0x2e, 0x0a, 0x6f, 0x51, 0x8e, 0x95, 0x24, 0xdd, 0x32, 0x9c, + 0x4a, 0x22, 0x38, 0x7f, 0x65, 0x49, 0x17, 0xeb, 0x43, 0x0b, 0xbe, 0x8d, 0x14, 0xdc, 0xde, 0x48, + 0x74, 0x16, 0xbf, 0xe8, 0xed, 0x34, 0x67, 0x62, 0xca, 0x64, 0x57, 0xc4, 0x61, 0xf7, 0xf7, 0xfb, + 0xf2, 0xd0, 0xd1, 0xfd, 0x2e, 0x05, 0xe7, 0xd7, 0x99, 0x75, 0xa8, 0x76, 0x4e, 0xd4, 0x22, 0x67, + 0x2d, 0x34, 0xf6, 0x71, 0x48, 0x4f, 0x78, 0x8e, 0xe1, 0xb9, 0x55, 0x4d, 0x55, 0x87, 0x08, 0xc9, + 0xab, 0xbd, 0xb8, 0x87, 0x2c, 0x27, 0xef, 0x89, 0x93, 0x9c, 0xc0, 0xc1, 0xec, 0x89, 0x0f, 0xc2, + 0xe3, 0x55, 0x6a, 0x1d, 0xd9, 0x96, 0x1d, 0xa4, 0xdf, 0x50, 0x3d, 0x36, 0x25, 0x3e, 0xd4, 0x3e, + 0x1f, 0x44, 0x97, 0xe0, 0x46, 0xe7, 0xb7, 0x81, 0x7d, 0xc3, 0xd5, 0x36, 0xe7, 0x04, 0x34, 0xab, + 0x60, 0x27, 0xc9, 0x00, 0xdd, 0xfa, 0x7c, 0x32, 0x90, 0xa1, 0x62, 0xe4, 0x51, 0x8f, 0x54, 0x81, + 0xa6, 0x5c, 0xcd, 0xaf, 0x3b, 0xb7, 0x12, 0xa6, 0x87, 0x0a, 0x36, 0x5d, 0xc9, 0x77, 0xc3, 0x50, + 0xc6, 0x97, 0x14, 0x43, 0x36, 0x20, 0x6f, 0x40, 0xb3, 0x1f, 0x50, 0x87, 0x24, 0x47, 0x79, 0x93, + 0x9a, 0xc1, 0x61, 0x83, 0xae, 0xc8, 0x00, 0x56, 0x3c, 0x5b, 0x5f, 0xbb, 0x9b, 0xdf, 0x75, 0xea, + 0xc2, 0x3d, 0xf1, 0xd7, 0x26, 0xe5, 0x6b, 0xa1, 0x75, 0x01, 0x0a, 0x3f, 0xae, 0x43, 0x37, 0xdd, + 0xbf, 0x7a, 0x83, 0xa1, 0xb6, 0xc2, 0xb7, 0x2b, 0xda, 0x99, 0xa6, 0x75, 0xb8, 0xc6, 0xf0, 0xc4, + 0x6b, 0x6a, 0xe4, 0xda, 0xac, 0xab, 0x7c, 0xef, 0x6f, 0x7c, 0x73, 0xca, 0x22, 0x33, 0xdd, 0xee, + 0x05, 0xfc, 0x05, 0x90, 0xc5, 0x3f, 0xdd, 0xa6, 0x6f, 0x5b, 0x2d, 0xaf, 0x99, 0x89, 0x93, 0xf0, + 0xfa, 0xb0, 0x8e, 0xcf, 0x39, 0xf1, 0x03, 0xfe, 0x0c, 0x8a, 0x6d, 0x30, 0x6c, 0x2b, 0x67, 0x84, + 0x60, 0x2d, 0x98, 0x80, 0x6c, 0xa7, 0x3e, 0x44, 0xda, 0x44, 0x42, 0x22, 0x7d, 0xcc, 0x43, 0x1c, + 0x7a, 0x89, 0x8c, 0xa0, 0x07, 0xd0, 0x08, 0x45, 0xe0, 0x18, 0x6b, 0x58, 0xb1, 0x66, 0x49, 0x97, + 0xdd, 0xde, 0xa2, 0x73, 0xaf, 0x55, 0xdc, 0x9f, 0xe6, 0x82, 0x67, 0xdf, 0x14, 0x29, 
0x90, 0x1a, + 0x00, 0xa8, 0x0a, 0x59, 0xa0, 0xef, 0x97, 0x3d, 0x09, 0x54, 0x0c, 0xe4, 0xa8, 0x3b, 0xdd, 0x08, + 0xb0, 0x9e, 0x48, 0x93, 0xa7, 0xea, 0xaa, 0xe2, 0x55, 0xca, 0x1b, 0xe8, 0xb0, 0x25, 0xa4, 0xf4, + 0x79, 0xad, 0x03, 0xe1, 0xa3, 0xb9, 0x9a, 0x27, 0x12, 0xe5, 0xe8, 0x08, 0x28, 0x36, 0xb2, 0x93, + 0x3a, 0xf8, 0x45, 0x38, 0xea, 0xd7, 0x2f, 0xa7, 0x37, 0xd1, 0xcf, 0x35, 0xef, 0xaf, 0x51, 0x76, + 0xc3, 0xf9, 0x9a, 0xc8, 0x7c, 0x17, 0x00, 0x48, 0xa0, 0x16, 0x10, 0x1c, 0x3f, 0xeb, 0xca, 0xa0, + 0xb5, 0xb7, 0x0b, 0xc1, 0xb8, 0xcf, 0x3a, 0xbd, 0xeb, 0xab, 0x1a, 0xf7, 0x00, 0x78, 0x34, 0xbd, + 0xe0, 0xfd, 0xc4, 0x8e, 0x51, 0x2e, 0x2e, 0x45, 0x18, 0x5e, 0x87, 0x33, 0xbb, 0x26, 0x71, 0x3f, + 0xad, 0x79, 0xc5, 0x60, 0x9c, 0xda, 0xc3, 0xff, 0x5a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 +}; + #endif /* si_89_cms_hash_agility_h */ diff --git a/OSX/sec/Security/Regressions/secitem/si-89-cms-hash-agility.m b/OSX/sec/Security/Regressions/secitem/si-89-cms-hash-agility.m new file mode 100644 index 00000000..dbb98096 --- /dev/null +++ b/OSX/sec/Security/Regressions/secitem/si-89-cms-hash-agility.m 
@@ -0,0 +1,565 @@ +/* + * Copyright (c) 2015-2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import +#include +#include +#include +#include +#include +#include + +#include "Security_regressions.h" + +#include "si-89-cms-hash-agility.h" + +static void ios_shim_tests(void) +{ + CFDataRef message = NULL, contentData = NULL, hashAgilityOid = NULL, hashAgilityValue = NULL; + SecPolicyRef policy = NULL; + SecTrustRef trust = NULL; + CFDictionaryRef attrs = NULL; + CFArrayRef attrValues = NULL; + CFDateRef signingTime = NULL, expectedTime = NULL; + + ok(message = CFDataCreate(NULL, valid_message, sizeof(valid_message)), "Create valid message"); + ok(contentData = CFDataCreate(NULL, content, sizeof(content)), "Create detached content"); + ok(policy = SecPolicyCreateBasicX509(), "Create policy"); + + /* verify the valid message and copy out attributes */ + is(SecCMSVerifyCopyDataAndAttributes(message, contentData, policy, &trust, NULL, &attrs), + errSecSuccess, "Verify valid CMS message and get attributes"); + isnt(attrs, NULL, "Copy CMS attributes"); + + /* verify we 
can get the parsed attribute */ + uint8_t appleHashAgilityOid[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x63, 0x64, 0x9, 0x1 }; + ok(hashAgilityOid = CFDataCreate(NULL, appleHashAgilityOid, sizeof(appleHashAgilityOid)), + "Create oid data"); + ok(attrValues = (CFArrayRef) CFDictionaryGetValue(attrs, hashAgilityOid), + "Get hash agility value array"); + is(CFArrayGetCount(attrValues), 1, "One attribute value"); + ok(hashAgilityValue = CFArrayGetValueAtIndex(attrValues, 0), "Get hash agility value"); + is((size_t)CFDataGetLength(hashAgilityValue), sizeof(attribute), "Verify size of parsed hash agility value"); + is(memcmp(attribute, CFDataGetBytePtr(hashAgilityValue), sizeof(attribute)), 0, + "Verify correct hash agility value"); + + /* verify we can get the "cooked" parsed attribute */ + ok(hashAgilityValue = (CFDataRef)CFDictionaryGetValue(attrs, kSecCMSHashAgility), "Get cooked hash agility value"); + is((size_t)CFDataGetLength(hashAgilityValue), sizeof(attribute), "Verify size of parsed hash agility value"); + is(memcmp(attribute, CFDataGetBytePtr(hashAgilityValue), sizeof(attribute)), 0, + "Verify correct hash agility value"); + + attrValues = NULL; + + /*verify we can get the signing time attribute */ + ok(signingTime = (CFDateRef) CFDictionaryGetValue(attrs, kSecCMSSignDate), "Get signing time"); + ok(expectedTime = CFDateCreate(NULL, 468295000.0), "Set expected signing time"); + is(CFDateCompare(signingTime, expectedTime, NULL), 0, "Verify signing time"); + + CFReleaseNull(message); + + /* verify the invalid message */ + ok(message = CFDataCreate(NULL, invalid_message, sizeof(invalid_message)), "Create invalid message"); + is(SecCMSVerify(message, contentData, policy, &trust, NULL), errSecAuthFailed, + "Verify invalid CMS message"); + + CFReleaseNull(message); + + /* verify the valid message with no hash agility attribute */ + ok(message = CFDataCreate(NULL, valid_no_attr, sizeof(valid_no_attr)), + "Create valid message with no hash agility value"); + 
is(SecCMSVerifyCopyDataAndAttributes(message, contentData, policy, &trust, NULL, &attrs), + errSecSuccess, "Verify 2nd valid CMS message and get attributes"); + isnt(attrs, NULL, "Copy 2nd CMS attributes"); + + /* verify we can't get the hash agility attribute */ + is((CFArrayRef) CFDictionaryGetValue(attrs, hashAgilityOid), NULL, + "Get hash agility value array"); + is((CFDataRef) CFDictionaryGetValue(attrs, kSecCMSHashAgility), NULL, + "Get cooked hash agility value"); + + + CFReleaseNull(message); + CFReleaseNull(contentData); + CFReleaseNull(hashAgilityOid); + CFReleaseNull(expectedTime); + CFReleaseNull(policy); + CFReleaseNull(trust); + CFReleaseNull(attrs); +} + +/* MARK: macOS Shim tests */ +#include +#include + +/* encode test */ +static void encode_test(void) +{ + CMSEncoderRef encoder = NULL; + CFDataRef attributeData = NULL, message = NULL, p12Data = NULL; + CFArrayRef imported_items = NULL; + SecIdentityRef identity = NULL; + CFStringRef password = CFSTR("password"); + CFDictionaryRef options = CFDictionaryCreate(NULL, + (const void **)&kSecImportExportPassphrase, + (const void **)&password, 1, + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + CFDictionaryRef itemDict = NULL; + + + /* Create encoder */ + ok_status(CMSEncoderCreate(&encoder), "Create CMS encoder"); + ok_status(CMSEncoderSetSignerAlgorithm(encoder, kCMSEncoderDigestAlgorithmSHA256), + "Set digest algorithm to SHA256"); + + /* Load identity and set as signer */ + ok(p12Data = CFDataCreate(NULL, signing_identity_p12, sizeof(signing_identity_p12)), + "Create p12 data"); + ok_status(SecPKCS12Import(p12Data, options, &imported_items), + "Import identity"); + is(CFArrayGetCount(imported_items),1,"Imported 1 items"); + is(CFGetTypeID(CFArrayGetValueAtIndex(imported_items, 0)), CFDictionaryGetTypeID(), + "Got back a dictionary"); + ok(itemDict = CFArrayGetValueAtIndex(imported_items, 0), "Retreive item dictionary"); + is(CFGetTypeID(CFDictionaryGetValue(itemDict, 
kSecImportItemIdentity)), SecIdentityGetTypeID(), + "Got back an identity"); + ok(identity = (SecIdentityRef) CFRetainSafe(CFDictionaryGetValue(itemDict, kSecImportItemIdentity)), + "Retrieve identity"); + ok_status(CMSEncoderAddSigners(encoder, identity), "Set Signer identity"); + + /* Add signing time attribute for 3 November 2015 */ + ok_status(CMSEncoderAddSignedAttributes(encoder, kCMSAttrSigningTime), + "Set signing time flag"); + ok_status(CMSEncoderSetSigningTime(encoder, 468295000.0), "Set Signing time"); + + /* Add hash agility attribute */ + ok_status(CMSEncoderAddSignedAttributes(encoder, kCMSAttrAppleCodesigningHashAgility), + "Set hash agility flag"); + ok(attributeData = CFDataCreate(NULL, attribute, sizeof(attribute)), + "Create atttribute object"); + ok_status(CMSEncoderSetAppleCodesigningHashAgility(encoder, attributeData), + "Set hash agility data"); + + /* Load content */ + ok_status(CMSEncoderSetHasDetachedContent(encoder, true), "Set detached content"); + ok_status(CMSEncoderUpdateContent(encoder, content, sizeof(content)), "Set content"); + + /* output cms message */ + ok_status(CMSEncoderCopyEncodedContent(encoder, &message), "Finish encoding and output message"); + + /* decode message */ + CMSDecoderRef decoder = NULL; + CFDataRef contentData = NULL; + isnt(message, NULL, "Encoded message exists"); + ok_status(CMSDecoderCreate(&decoder), "Create CMS decoder"); + ok_status(CMSDecoderUpdateMessage(decoder, CFDataGetBytePtr(message), CFDataGetLength(message)), + "Update decoder with CMS message"); + ok(contentData = CFDataCreate(NULL, content, sizeof(content)), "Create detached content"); + ok_status(CMSDecoderSetDetachedContent(decoder, contentData), "Set detached content"); + ok_status(CMSDecoderFinalizeMessage(decoder), "Finalize decoder"); + + + CFReleaseNull(encoder); + CFReleaseNull(p12Data); + CFReleaseNull(imported_items); + CFReleaseNull(identity); + CFReleaseNull(attributeData); + CFReleaseNull(message); + CFReleaseNull(decoder); + 
CFReleaseNull(contentData); +} + +static void decode_positive_test(void) +{ + CMSDecoderRef decoder = NULL; + CFDataRef contentData = NULL, attrValue = NULL; + SecPolicyRef policy = NULL; + SecTrustRef trust = NULL; + CMSSignerStatus signerStatus; + CFAbsoluteTime signingTime = 0.0; + + /* Create decoder and decode */ + ok_status(CMSDecoderCreate(&decoder), "Create CMS decoder"); + ok_status(CMSDecoderUpdateMessage(decoder, valid_message, sizeof(valid_message)), + "Update decoder with CMS message"); + ok(contentData = CFDataCreate(NULL, content, sizeof(content)), "Create detached content"); + ok_status(CMSDecoderSetDetachedContent(decoder, contentData), "Set detached content"); + ok_status(CMSDecoderFinalizeMessage(decoder), "Finalize decoder"); + + /* Get signer status */ + ok(policy = SecPolicyCreateBasicX509(), "Create policy"); + ok_status(CMSDecoderCopySignerStatus(decoder, 0, policy, false, &signerStatus, &trust, NULL), + "Copy Signer status"); + is(signerStatus, kCMSSignerValid, "Valid signature"); + + /* Get Hash Agility Attribute value */ + ok_status(CMSDecoderCopySignerAppleCodesigningHashAgility(decoder, 0, &attrValue), + "Copy hash agility attribute value"); + is((size_t)CFDataGetLength(attrValue), sizeof(attribute), "Decoded attribute size"); + is(memcmp(attribute, CFDataGetBytePtr(attrValue), sizeof(attribute)), 0, + "Decoded value same as input value"); + + /* Get Signing Time Attribute value */ + ok_status(CMSDecoderCopySignerSigningTime(decoder, 0, &signingTime), + "Copy signing time attribute value"); + is(signingTime, 468295000.0, "Decoded date same as input date"); + + CFReleaseNull(decoder); + CFReleaseNull(contentData); + CFReleaseNull(policy); + CFReleaseNull(trust); + CFReleaseNull(attrValue); +} + +static void decode_negative_test(void) +{ + CMSDecoderRef decoder = NULL; + CFDataRef contentData = NULL; + SecPolicyRef policy = NULL; + SecTrustRef trust = NULL; + CMSSignerStatus signerStatus; + + /* Create decoder and decode */ + 
ok_status(CMSDecoderCreate(&decoder), "Create CMS decoder"); + ok_status(CMSDecoderUpdateMessage(decoder, invalid_message, sizeof(invalid_message)), + "Update decoder with CMS message"); + ok(contentData = CFDataCreate(NULL, content, sizeof(content)), "Create detached content"); + ok_status(CMSDecoderSetDetachedContent(decoder, contentData), "Set detached content"); + ok_status(CMSDecoderFinalizeMessage(decoder), "Finalize decoder"); + + /* Get signer status */ + ok(policy = SecPolicyCreateBasicX509(), "Create policy"); + ok_status(CMSDecoderCopySignerStatus(decoder, 0, policy, false, &signerStatus, &trust, NULL), + "Copy Signer status"); + is(signerStatus, kCMSSignerInvalidSignature, "Invalid signature"); + + CFReleaseNull(decoder); + CFReleaseNull(contentData); + CFReleaseNull(policy); + CFReleaseNull(trust); +} + +static void decode_no_attr_test(void) +{ + CMSDecoderRef decoder = NULL; + CFDataRef contentData = NULL, attrValue = NULL; + SecPolicyRef policy = NULL; + SecTrustRef trust = NULL; + CMSSignerStatus signerStatus; + + /* Create decoder and decode */ + ok_status(CMSDecoderCreate(&decoder), "Create CMS decoder"); + ok_status(CMSDecoderUpdateMessage(decoder, valid_no_attr, sizeof(valid_no_attr)), + "Update decoder with CMS message"); + ok(contentData = CFDataCreate(NULL, content, sizeof(content)), "Create detached content"); + ok_status(CMSDecoderSetDetachedContent(decoder, contentData), "Set detached content"); + ok_status(CMSDecoderFinalizeMessage(decoder), "Finalize decoder"); + + /* Get signer status */ + ok(policy = SecPolicyCreateBasicX509(), "Create policy"); + ok_status(CMSDecoderCopySignerStatus(decoder, 0, policy, false, &signerStatus, &trust, NULL), + "Copy Signer status"); + is(signerStatus, kCMSSignerValid, "Valid signature"); + + /* Get Hash Agility Attribute value */ + ok_status(CMSDecoderCopySignerAppleCodesigningHashAgility(decoder, 0, &attrValue), + "Copy empty hash agility attribute value"); + is(attrValue, NULL, "NULL attribute value"); 
+ + CFReleaseNull(decoder); + CFReleaseNull(contentData); + CFReleaseNull(policy); + CFReleaseNull(trust); + CFReleaseNull(attrValue); +} + +static void macos_shim_tests(void) { + encode_test(); + decode_positive_test(); + decode_negative_test(); + decode_no_attr_test(); +} + +/* MARK: V2 Attribute testing */ +static void ios_shim_V2_tests(void) { + SecPolicyRef policy = NULL; + SecTrustRef trust = NULL; + CFDictionaryRef tmpAttrs = NULL; + NSMutableData *message = nil; + NSData *contentData = nil, *hashAgilityV2Oid = nil; + NSDictionary *attrs = nil, *hashAgilityValue = nil; + NSArray *attrValues = nil; + NSDate *signingTime = nil; + + message = [NSMutableData dataWithBytes:_V2_valid_message length:sizeof(_V2_valid_message)]; + contentData = [NSData dataWithBytes:content length:sizeof(content)]; + policy = SecPolicyCreateBasicX509(); + + /* verify the valid message and copy out attributes */ + is(SecCMSVerifyCopyDataAndAttributes((__bridge CFDataRef)message, (__bridge CFDataRef)contentData, policy, &trust, NULL, &tmpAttrs), + errSecSuccess, "Verify valid CMS message and get attributes"); + attrs = CFBridgingRelease(tmpAttrs); + require_string(attrs, exit, "Copy CMS attributes"); + + /* verify we can get the parsed attribute */ + uint8_t appleHashAgilityOid[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x63, 0x64, 0x9, 0x2 }; + hashAgilityV2Oid = [NSData dataWithBytes:appleHashAgilityOid length:sizeof(appleHashAgilityOid)]; + attrValues = attrs[hashAgilityV2Oid]; + require_string([attrValues count] == (size_t)1, exit, "One attribute value"); + require_string(hashAgilityValue = attrValues[0], exit, "Get hash agility value"); + ok([hashAgilityValue[@(SEC_OID_SHA1)] isEqualToData:[NSData dataWithBytes:_attributev2 length:20]], + "Got wrong SHA1 agility value"); + ok([hashAgilityValue[@(SEC_OID_SHA256)] isEqualToData:[NSData dataWithBytes:(_attributev2+32) length:32]], + "Got wrong SHA256 agility value"); + + /* verify we can get the "cooked" parsed attribute */ + 
require_string(hashAgilityValue = (NSDictionary *)attrs[(__bridge NSString*)kSecCMSHashAgilityV2], exit, + "Get cooked hash agility value"); + ok([hashAgilityValue[@(SEC_OID_SHA1)] isEqualToData:[NSData dataWithBytes:_attributev2 length:20]], + "Got wrong SHA1 agility value"); + ok([hashAgilityValue[@(SEC_OID_SHA256)] isEqualToData:[NSData dataWithBytes:(_attributev2+32) length:32]], + "Got wrong SHA256 agility value"); + + attrValues = NULL; + + /*verify we can get the signing time attribute */ + require_string(signingTime = attrs[(__bridge NSString*)kSecCMSSignDate], exit, "Failed to get signing time"); + ok([signingTime isEqualToDate:[NSDate dateWithTimeIntervalSinceReferenceDate:530700000.0]], "Got wrong signing time"); + + /* verify the invalid message */ + message = [NSMutableData dataWithBytes:_V2_valid_message length:sizeof(_V2_valid_message)]; + [message resetBytesInRange:NSMakeRange(2110, 0)]; /* reset byte in hash agility attribute */ + is(SecCMSVerify((__bridge CFDataRef)message, (__bridge CFDataRef)contentData, policy, &trust, NULL), errSecAuthFailed, + "Verify invalid CMS message"); + + /* verify the valid message with no hash agility attribute */ + message = [NSMutableData dataWithBytes:valid_no_attr length:sizeof(valid_no_attr)]; + is(SecCMSVerifyCopyDataAndAttributes((__bridge CFDataRef)message, (__bridge CFDataRef)contentData, policy, &trust, NULL, &tmpAttrs), + errSecSuccess, "Verify 2nd valid CMS message and get attributes"); + attrs = CFBridgingRelease(tmpAttrs); + isnt(attrs, NULL, "Copy 2nd CMS attributes"); + + /* verify we can't get the hash agility attribute */ + is(attrs[hashAgilityV2Oid], NULL, "Got hash agility V2 attribute"); + is(attrs[(__bridge NSString*)kSecCMSHashAgilityV2], NULL, "Got cooked hash agility V2 attribute"); + +exit: + CFReleaseNull(policy); + CFReleaseNull(trust); +} + +/* macOS shim test - encode */ +static void encode_V2_test(void) { + CMSEncoderRef encoder = NULL; + CMSDecoderRef decoder = NULL; + NSData *p12Data = 
nil; + CFArrayRef tmp_imported_items = NULL; + NSArray *imported_items = nil; + SecIdentityRef identity = NULL; + CFDataRef message = NULL; + NSDictionary *attrValues = nil, *options = @{ (__bridge NSString *)kSecImportExportPassphrase : @"password" }; + + /* Create encoder */ + require_noerr_string(CMSEncoderCreate(&encoder), exit, "Failed to create CMS encoder"); + require_noerr_string(CMSEncoderSetSignerAlgorithm(encoder, kCMSEncoderDigestAlgorithmSHA256), exit, + "Failed to set digest algorithm to SHA256"); + + /* Load identity and set as signer */ + p12Data = [NSData dataWithBytes:signing_identity_p12 length:sizeof(signing_identity_p12)]; + require_noerr_string(SecPKCS12Import((__bridge CFDataRef)p12Data, (__bridge CFDictionaryRef)options, + &tmp_imported_items), exit, + "Failed to import identity"); + imported_items = CFBridgingRelease(tmp_imported_items); + require_noerr_string([imported_items count] == 0 && + [imported_items[0] isKindOfClass:[NSDictionary class]], exit, + "Wrong imported items output"); + identity = (SecIdentityRef)CFBridgingRetain(imported_items[0][(__bridge NSString*)kSecImportItemIdentity]); + require_string(identity, exit, "Failed to get identity"); + require_noerr_string(CMSEncoderAddSigners(encoder, identity), exit, "Failed to add signer identity"); + + /* Add signing time attribute for 26 October 2017 */ + require_noerr_string(CMSEncoderAddSignedAttributes(encoder, kCMSAttrSigningTime), exit, + "Failed to set signing time flag"); + require_noerr_string(CMSEncoderSetSigningTime(encoder, 530700000.0), exit, "Failed to set signing time"); + + /* Add hash agility attribute */ + attrValues = @{ @(SEC_OID_SHA1) : [NSData dataWithBytes:_attributev2 length:20], + @(SEC_OID_SHA256) : [NSData dataWithBytes:(_attributev2 + 32) length:32], + }; + ok_status(CMSEncoderAddSignedAttributes(encoder, kCMSAttrAppleCodesigningHashAgilityV2), + "Set hash agility flag"); + ok_status(CMSEncoderSetAppleCodesigningHashAgilityV2(encoder, (__bridge 
CFDictionaryRef)attrValues), + "Set hash agility data"); + + /* Load content */ + require_noerr_string(CMSEncoderSetHasDetachedContent(encoder, true), exit, "Failed to set detached content"); + require_noerr_string(CMSEncoderUpdateContent(encoder, content, sizeof(content)), exit, "Failed to set content"); + + /* output cms message */ + ok_status(CMSEncoderCopyEncodedContent(encoder, &message), "Finish encoding and output message"); + isnt(message, NULL, "Encoded message exists"); + + /* decode message */ + require_noerr_string(CMSDecoderCreate(&decoder), exit, "Create CMS decoder"); + require_noerr_string(CMSDecoderUpdateMessage(decoder, CFDataGetBytePtr(message), + CFDataGetLength(message)), exit, + "Update decoder with CMS message"); + require_noerr_string(CMSDecoderSetDetachedContent(decoder, (__bridge CFDataRef)[NSData dataWithBytes:content + length:sizeof(content)]), + exit, "Set detached content"); + ok_status(CMSDecoderFinalizeMessage(decoder), "Finalize decoder"); + +exit: + CFReleaseNull(encoder); + CFReleaseNull(identity); + CFReleaseNull(message); + CFReleaseNull(decoder); +} + +/* macOS shim test - decode positive */ +static void decode_V2_positive_test(void) { + CMSDecoderRef decoder = NULL; + SecPolicyRef policy = NULL; + SecTrustRef trust = NULL; + CMSSignerStatus signerStatus; + NSData *contentData = nil; + CFDictionaryRef tmpAttrValue = NULL; + NSDictionary *attrValue = nil; + + /* Create decoder and decode */ + require_noerr_string(CMSDecoderCreate(&decoder), exit, "Failed to create CMS decoder"); + require_noerr_string(CMSDecoderUpdateMessage(decoder, _V2_valid_message, sizeof(_V2_valid_message)), exit, + "Failed to update decoder with CMS message"); + contentData = [NSData dataWithBytes:content length:sizeof(content)]; + require_noerr_string(CMSDecoderSetDetachedContent(decoder, (__bridge CFDataRef)contentData), exit, + "Failed to set detached content"); + ok_status(CMSDecoderFinalizeMessage(decoder), "Finalize decoder"); + + /* Get signer 
status */ + require_string(policy = SecPolicyCreateBasicX509(), exit, "Failed to Create policy"); + ok_status(CMSDecoderCopySignerStatus(decoder, 0, policy, false, &signerStatus, &trust, NULL), + "Copy Signer status"); + is(signerStatus, kCMSSignerValid, "Valid signature"); + + /* Get Hash Agility Attribute value */ + ok_status(CMSDecoderCopySignerAppleCodesigningHashAgilityV2(decoder, 0, &tmpAttrValue), + "Copy hash agility attribute value"); + attrValue = CFBridgingRelease(tmpAttrValue); + ok([attrValue[@(SEC_OID_SHA1)] isEqualToData:[NSData dataWithBytes:_attributev2 length:20]], + "Got wrong SHA1 agility value"); + ok([attrValue[@(SEC_OID_SHA256)] isEqualToData:[NSData dataWithBytes:(_attributev2+32) length:32]], + "Got wrong SHA256 agility value"); + +exit: + CFReleaseNull(decoder); + CFReleaseNull(policy); + CFReleaseNull(trust); +} + +/* macOS shim test - decode negative */ +static void decode_V2_negative_test(void) { + CMSDecoderRef decoder = NULL; + SecPolicyRef policy = NULL; + SecTrustRef trust = NULL; + CMSSignerStatus signerStatus; + NSData *contentData = nil; + NSMutableData *invalid_message = nil; + + /* Create decoder and decode */ + invalid_message = [NSMutableData dataWithBytes:_V2_valid_message length:sizeof(_V2_valid_message)]; + [invalid_message resetBytesInRange:NSMakeRange(2110, 1)]; /* reset byte in hash agility attribute */ + require_noerr_string(CMSDecoderCreate(&decoder), exit, "Failed to create CMS decoder"); + require_noerr_string(CMSDecoderUpdateMessage(decoder, [invalid_message bytes], [invalid_message length]), exit, + "Failed to update decoder with CMS message"); + contentData = [NSData dataWithBytes:content length:sizeof(content)]; + require_noerr_string(CMSDecoderSetDetachedContent(decoder, (__bridge CFDataRef)contentData), exit, + "Failed to set detached content"); + ok_status(CMSDecoderFinalizeMessage(decoder), "Finalize decoder"); + + /* Get signer status */ + require_string(policy = SecPolicyCreateBasicX509(), exit, "Failed to 
Create policy"); + ok_status(CMSDecoderCopySignerStatus(decoder, 0, policy, false, &signerStatus, &trust, NULL), + "Copy Signer status"); + is(signerStatus, kCMSSignerInvalidSignature, "Valid signature"); + +exit: + CFReleaseNull(decoder); + CFReleaseNull(policy); + CFReleaseNull(trust); +} + +/* macOS shim test - no attribute */ +static void decodeV2_no_attr_test(void) { + CMSDecoderRef decoder = NULL; + SecPolicyRef policy = NULL; + SecTrustRef trust = NULL; + CMSSignerStatus signerStatus; + NSData *contentData = nil; + CFDictionaryRef attrValue = NULL; + + /* Create decoder and decode */ + require_noerr_string(CMSDecoderCreate(&decoder), exit, "Failed to create CMS decoder"); + require_noerr_string(CMSDecoderUpdateMessage(decoder, valid_message, sizeof(valid_message)), exit, + "Failed to update decoder with CMS message"); + contentData = [NSData dataWithBytes:content length:sizeof(content)]; + require_noerr_string(CMSDecoderSetDetachedContent(decoder, (__bridge CFDataRef)contentData), exit, + "Failed to set detached content"); + ok_status(CMSDecoderFinalizeMessage(decoder), "Finalize decoder"); + + /* Get signer status */ + require_string(policy = SecPolicyCreateBasicX509(), exit, "Failed to Create policy"); + ok_status(CMSDecoderCopySignerStatus(decoder, 0, policy, false, &signerStatus, &trust, NULL), + "Copy Signer status"); + is(signerStatus, kCMSSignerValid, "Valid signature"); + + /* Get Hash Agility Attribute value */ + ok_status(CMSDecoderCopySignerAppleCodesigningHashAgilityV2(decoder, 0, &attrValue), + "Copy hash agility attribute value"); + is(attrValue, NULL, "NULL attribute value"); + +exit: + CFReleaseNull(decoder); + CFReleaseNull(policy); + CFReleaseNull(trust); + CFReleaseNull(attrValue); +} + +static void macOS_shim_V2_tests(void) { + encode_V2_test(); + decode_V2_positive_test(); + decode_V2_negative_test(); + decodeV2_no_attr_test(); +} + +int si_89_cms_hash_agility(int argc, char *const *argv) +{ + plan_tests(99); + + ios_shim_tests(); + 
macos_shim_tests(); + ios_shim_V2_tests(); + macOS_shim_V2_tests(); + + return 0; +} diff --git a/OSX/sec/Security/Regressions/secitem/si-95-cms-basic.c b/OSX/sec/Security/Regressions/secitem/si-95-cms-basic.c index cc305319..04a292f3 100644 --- a/OSX/sec/Security/Regressions/secitem/si-95-cms-basic.c +++ b/OSX/sec/Security/Regressions/secitem/si-95-cms-basic.c @@ -345,7 +345,6 @@ static OSStatus decrypt_please(const uint8_t *data_to_decrypt, size_t length) { status = errSecDecode, "Unable to get message contents"); /* verify the output matches expected results */ - require_action_string(sizeof(encrypted_string) == content->Length, out, status = -1, "Output size differs from expected"); require_noerr_action_string(memcmp(encrypted_string, content->Data, content->Length), out, @@ -446,7 +445,7 @@ static void encrypt_tests(SecCertificateRef certificate) { is(encrypt_please(certificate, SEC_OID_DES_EDE3_CBC, 192), errSecSuccess, "Encrypt with 3DES"); is(encrypt_please(certificate, SEC_OID_RC2_CBC, 128), - SEC_ERROR_INVALID_ALGORITHM, "Encrypt with 128-bit RC2"); + errSecDecode, "Encrypt with 128-bit RC2"); is(encrypt_please(certificate, SEC_OID_AES_128_CBC, 128), errSecSuccess, "Encrypt with 128-bit AES"); is(encrypt_please(certificate, SEC_OID_AES_192_CBC, 192), @@ -462,7 +461,7 @@ static void decrypt_tests(bool isRsa) { errSecSuccess, "Decrypt 3DES"); is(decrypt_please((isRsa) ? rsa_RC2 : ec_RC2, (isRsa) ? sizeof(rsa_RC2) : sizeof(ec_RC2)), - SEC_ERROR_INVALID_ALGORITHM, "Decrypt 128-bit RC2"); + errSecDecode, "Decrypt 128-bit RC2"); is(decrypt_please((isRsa) ? rsa_AES_128 : ec_AES_128, (isRsa) ? sizeof(rsa_AES_128) : sizeof(ec_AES_128)), errSecSuccess, "Decrypt 128-bit AES"); diff --git a/OSX/sec/Security/Regressions/secitem/si_77_SecAccessControl.c b/OSX/sec/Security/Regressions/secitem/si_77_SecAccessControl.c index 66d6339d..a5ed23cc 100644 --- a/OSX/sec/Security/Regressions/secitem/si_77_SecAccessControl.c 
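Review bot: In `ios_shim_V2_tests` the "invalid message" case calls `[message resetBytesInRange:NSMakeRange(2110, 0)]`, and a zero-length range clears no bytes, so the buffer passed to `SecCMSVerify` appears to be identical to `_V2_valid_message` and the tamper-rejection path is not exercised as the comment intends. `decode_V2_negative_test` uses a length of 1 for the same purpose, and this call should match it: `[message resetBytesInRange:NSMakeRange(2110, 1)];`. In `encode_V2_test`, assuming `require_noerr_string` fails on a non-zero value, `require_noerr_string([imported_items count] == 0 && ...)` can only take the failure branch when the count is zero, which is exactly when `imported_items[0]` indexes an empty array, and a single non-dictionary item passes unchecked. Mirroring `encode_test`, it would read `require_string([imported_items count] == 1 && [imported_items[0] isKindOfClass:[NSDictionary class]], exit, "Wrong imported items output");`. The label in `decode_V2_negative_test`, `is(signerStatus, kCMSSignerInvalidSignature, "Valid signature")`, should say "Invalid signature" as `decode_negative_test` does.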
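Review bot: Expecting `errSecDecode` for the RC2 case in `encrypt_tests`, and again in the `decrypt_tests` hunk that follows, makes these assertions less specific than before. The first hunk of this file shows `decrypt_please` also setting `status = errSecDecode` when it is "Unable to get message contents", so a fixture that fails to parse and an algorithm that is refused now look the same to the test. A one-line comment above each assertion would record the intent, for example `/* RC2 is expected to be refused, not merely to fail parsing */`, and the labels "Encrypt with 128-bit RC2" / "Decrypt 128-bit RC2" read like positive tests. Both functions start and end outside their hunks, so whether a more specific status can be returned is not visible here.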
+++ b/OSX/sec/Security/Regressions/secitem/si_77_SecAccessControl.c 
@@ -77,26 +77,26 @@ static void tests(void) CFReleaseNull(error); CFReleaseNull(acl); - // ACL with protection and kSecAccessControlTouchIDCurrentSet - acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlTouchIDCurrentSet, &error); + // ACL with protection and kSecAccessControlBiometryCurrentSet + acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlBiometryCurrentSet, &error); ok(acl != NULL, "SecAccessControlCreateWithFlags: %@", error); CFReleaseNull(error); CFReleaseNull(acl); // ACL with protection and flags - acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlTouchIDAny | kSecAccessControlDevicePasscode | kSecAccessControlOr, &error); + acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlBiometryAny | kSecAccessControlDevicePasscode | kSecAccessControlOr, &error); ok(acl != NULL, "SecAccessControlCreateWithFlags: %@", error); CFReleaseNull(error); CFReleaseNull(acl); // ACL with protection and flags - acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlTouchIDAny | kSecAccessControlDevicePasscode | kSecAccessControlAnd, &error); + acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlBiometryAny | kSecAccessControlDevicePasscode | kSecAccessControlAnd, &error); ok(acl != NULL, "SecAccessControlCreateWithFlags: %@", error); CFReleaseNull(error); CFReleaseNull(acl); // ACL with protection and flags - acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlTouchIDAny | kSecAccessControlDevicePasscode | kSecAccessControlAnd | kSecAccessControlApplicationPassword, &error); + acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlBiometryAny | kSecAccessControlDevicePasscode | kSecAccessControlAnd | kSecAccessControlApplicationPassword, &error); ok(acl != NULL, "SecAccessControlCreateWithFlags: %@", error); CFReleaseNull(error); CFReleaseNull(acl); 
@@ -114,7 +114,7 @@ static void tests(void) CFReleaseNull(acl); // negative test of ACL with protection and, kSecAccessControlUserPresence can be in combination with kSecAccessControlApplicationPassword and kSecAccessControlPrivateKeyUsage - acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlUserPresence | kSecAccessControlTouchIDAny, &error); + acl = SecAccessControlCreateWithFlags(allocator, protection, kSecAccessControlUserPresence | kSecAccessControlBiometryAny, &error); ok(acl == NULL, "SecAccessControlCreateWithFlag wrong combination of flags"); CFReleaseNull(error); CFReleaseNull(acl); 
@@ -170,17 +170,17 @@ static void tests(void) CFUUIDRef uuid = CFUUIDCreate(allocator); CFStringRef uuidString = CFUUIDCreateString(allocator, uuid); CFDataRef uuidData = CFStringCreateExternalRepresentation(allocator, uuidString, kCFStringEncodingUTF8, 0); - SecAccessConstraintRef touchID = SecAccessConstraintCreateTouchIDCurrentSet(allocator, uuidData, uuidData); - // TouchID constraint - ok(touchID != NULL, "SecAccessConstraintCreateTouchID: %@", error); - ok(isDictionary(touchID), "SecAccessConstraintCreateTouchID"); - ok(CFDictionaryGetValue(touchID, CFSTR(kACMKeyAclConstraintBio)), "SecAccessConstraintCreateTouchID"); - CFDictionaryRef bioRef = CFDictionaryGetValue(touchID, CFSTR(kACMKeyAclConstraintBio)); - ok(isDictionary(bioRef), "SecAccessConstraintCreateTouchID"); - is(CFDictionaryGetValue(bioRef, CFSTR(kACMKeyAclParamBioCatacombUUID)), uuidData, "SecAccessConstraintCreateTouchID"); - is(CFDictionaryGetValue(bioRef, CFSTR(kACMKeyAclParamBioDatabaseHash)), uuidData, "SecAccessConstraintCreateTouchID"); + SecAccessConstraintRef biometry = SecAccessConstraintCreateBiometryCurrentSet(allocator, uuidData, uuidData); + // Biometry constraint + ok(biometry != NULL, "SecAccessConstraintCreateBiometry: %@", error); + ok(isDictionary(biometry), "SecAccessConstraintCreateBiometry"); + ok(CFDictionaryGetValue(biometry, CFSTR(kACMKeyAclConstraintBio)), "SecAccessConstraintCreateBiometry"); + CFDictionaryRef bioRef = CFDictionaryGetValue(biometry, CFSTR(kACMKeyAclConstraintBio)); + ok(isDictionary(bioRef), "SecAccessConstraintCreateBiometry"); + is(CFDictionaryGetValue(bioRef, CFSTR(kACMKeyAclParamBioCatacombUUID)), uuidData, "SecAccessConstraintCreateBiometry"); + is(CFDictionaryGetValue(bioRef, CFSTR(kACMKeyAclParamBioDatabaseHash)), uuidData, "SecAccessConstraintCreateBiometry"); CFReleaseNull(error); - CFReleaseNull(touchID); + CFReleaseNull(biometry); CFReleaseNull(uuidData); CFReleaseNull(uuidString); CFReleaseNull(uuid); 
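Review bot: With this hunk and the next one (`@@ -188,22 +188,22 @@`) switched to `SecAccessConstraintCreateBiometryCurrentSet` and `SecAccessConstraintCreateBiometryAny`, nothing in tests() calls the deprecated `SecAccessConstraintCreateTouchIDAny` / `SecAccessConstraintCreateTouchIDCurrentSet` entry points that the same commit keeps as forwarding wrappers in SecAccessControl.c. One assertion per wrapper would keep the compatibility path covered, e.g. build a constraint through the old name and check that it is a dictionary containing `kACMKeyAclConstraintBio`, with the deprecation warning silenced locally. Separately, the `%@` in `ok(biometry != NULL, "SecAccessConstraintCreateBiometry: %@", error)` prints `error`, which these constructors do not take as a parameter, so the message cannot carry a reason for the failure. tests() starts and ends outside the hunk.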
@@ -188,22 +188,22 @@ static void tests(void) uuid = CFUUIDCreate(allocator); uuidString = CFUUIDCreateString(allocator, uuid); uuidData = CFStringCreateExternalRepresentation(allocator, uuidString, kCFStringEncodingUTF8, 0); - touchID = SecAccessConstraintCreateTouchIDAny(allocator, uuidData); - // TouchID constraint - ok(touchID != NULL, "SecAccessConstraintCreateTouchID: %@", error); - ok(isDictionary(touchID), "SecAccessConstraintCreateTouchID"); - ok(CFDictionaryGetValue(touchID, CFSTR(kACMKeyAclConstraintBio)), "SecAccessConstraintCreateTouchID"); - bioRef = CFDictionaryGetValue(touchID, CFSTR(kACMKeyAclConstraintBio)); - ok(isDictionary(bioRef), "SecAccessConstraintCreateTouchID"); - is(CFDictionaryGetValue(bioRef, CFSTR(kACMKeyAclParamBioCatacombUUID)), uuidData, "SecAccessConstraintCreateTouchID"); + biometry = SecAccessConstraintCreateBiometryAny(allocator, uuidData); + // Biometry constraint + ok(biometry != NULL, "SecAccessConstraintCreateBiometry: %@", error); + ok(isDictionary(biometry), "SecAccessConstraintCreateBiometry"); + ok(CFDictionaryGetValue(biometry, CFSTR(kACMKeyAclConstraintBio)), "SecAccessConstraintCreateBiometry"); + bioRef = CFDictionaryGetValue(biometry, CFSTR(kACMKeyAclConstraintBio)); + ok(isDictionary(bioRef), "SecAccessConstraintCreateBiometry"); + is(CFDictionaryGetValue(bioRef, CFSTR(kACMKeyAclParamBioCatacombUUID)), uuidData, "SecAccessConstraintCreateBiometry"); CFReleaseNull(error); - // CFReleaseNull(touchID); touchID will be used in later tests + // CFReleaseNull(biometry); biometry will be used in later tests CFReleaseNull(uuidData); CFReleaseNull(uuidString); CFReleaseNull(uuid); // KofN constraint - CFTypeRef constraints_array[] = { passcode, touchID }; + CFTypeRef constraints_array[] = { passcode, biometry }; CFArrayRef constraintsArray = CFArrayCreate(allocator, constraints_array, array_size(constraints_array), &kCFTypeArrayCallBacks); SecAccessConstraintRef kofn = SecAccessConstraintCreateKofN(allocator, 1, 
constraintsArray, &error); ok(kofn != NULL, "SecAccessConstraintCreateKofN: %@", error); @@ -221,14 +221,14 @@ static void tests(void) CFReleaseNull(passcode); // Add ACL constraint for operation - result = SecAccessControlAddConstraintForOperation(acl, kAKSKeyOpDecrypt, touchID, &error); + result = SecAccessControlAddConstraintForOperation(acl, kAKSKeyOpDecrypt, biometry, &error); ok(result, "SecAccessControlAddConstraintForOperation: %@", error); CFReleaseNull(error); // Get ACL operation constraint SecAccessConstraintRef constraint = SecAccessControlGetConstraint(acl, kAKSKeyOpDecrypt); - is(constraint, touchID, "SecAccessControlGetConstraint"); - CFReleaseNull(touchID); + is(constraint, biometry, "SecAccessControlGetConstraint"); + CFReleaseNull(biometry); // Add ACL constraint for operation (kCFBooleanTrue) result = SecAccessControlAddConstraintForOperation(acl, kAKSKeyOpDecrypt, kCFBooleanTrue, &error); diff --git a/keychain/trust/TrustedPeers/TPDecrypter.h b/OSX/sec/Security/SFKeychainControl.h similarity index 81% rename from keychain/trust/TrustedPeers/TPDecrypter.h rename to OSX/sec/Security/SFKeychainControl.h index cc523a78..0f2b7fb5 100644 --- a/keychain/trust/TrustedPeers/TPDecrypter.h +++ b/OSX/sec/Security/SFKeychainControl.h @@ -23,14 +23,9 @@ #import -NS_ASSUME_NONNULL_BEGIN +@protocol SFKeychainControl -@protocol TPDecrypter - -- (nullable NSData *)decryptData:(NSData *)ciphertext - withKey:(NSData *)key - error:(NSError **)error; +- (void)rpcFindCorruptedItemsWithReply:(void (^)(NSArray* corruptedItems, NSError* error))reply; +- (void)rpcDeleteCorruptedItemsWithReply:(void (^)(bool success, NSError* error))reply; @end - -NS_ASSUME_NONNULL_END diff --git a/OSX/sec/Security/SecAccessControl.c b/OSX/sec/Security/SecAccessControl.c index b6141fe1..8dab3c49 100644 --- a/OSX/sec/Security/SecAccessControl.c +++ b/OSX/sec/Security/SecAccessControl.c 
@@ -27,10 +27,10 @@ #include #include -#include -#include -#include -#include +#include "SecAccessControl.h" +#include "SecAccessControlPriv.h" +#include "SecItem.h" +#include "SecItemPriv.h" #include #include #include @@ -90,7 +90,7 @@ SecAccessControlRef SecAccessControlCreate(CFAllocatorRef allocator, CFErrorRef access_control->dict = CFDictionaryCreateMutableForCFTypes(allocator); return access_control; } -#if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80) + static CFDataRef _getEmptyData() { static CFMutableDataRef emptyData = NULL; static dispatch_once_t onceToken; @@ -101,7 +101,6 @@ static CFDataRef _getEmptyData() { return emptyData; } -#endif SecAccessControlRef SecAccessControlCreateWithFlags(CFAllocatorRef allocator, CFTypeRef protection, SecAccessControlCreateFlags flags, CFErrorRef *error) { @@ -115,7 +114,6 @@ SecAccessControlRef SecAccessControlCreateWithFlags(CFAllocatorRef allocator, CF goto errOut; if (flags) { -#if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80) bool or = (flags & kSecAccessControlOr) ? true : false; bool and = (flags & kSecAccessControlAnd) ? true : false; 
@@ -124,16 +122,16 @@ SecAccessControlRef SecAccessControlCreateWithFlags(CFAllocatorRef allocator, CF goto errOut; } - SecAccessControlCreateFlags maskedFlags = flags & (kSecAccessControlTouchIDAny | kSecAccessControlTouchIDCurrentSet); - if (maskedFlags && maskedFlags != kSecAccessControlTouchIDAny && maskedFlags != kSecAccessControlTouchIDCurrentSet) { +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wunguarded-availability-new" + + SecAccessControlCreateFlags maskedFlags = flags & (kSecAccessControlBiometryAny | kSecAccessControlBiometryCurrentSet); + if (maskedFlags && maskedFlags != kSecAccessControlBiometryAny && maskedFlags != kSecAccessControlBiometryCurrentSet) { SecError(errSecParam, error, CFSTR("only one bio constraint can be set")); goto errOut; } if (flags & kSecAccessControlUserPresence && flags & ~(kSecAccessControlUserPresence | kSecAccessControlApplicationPassword | kSecAccessControlPrivateKeyUsage)) { -#else - if (flags & kSecAccessControlUserPresence && flags != kSecAccessControlUserPresence) { -#endif SecError(errSecParam, error, CFSTR("kSecAccessControlUserPresence can be combined only with kSecAccessControlApplicationPassword and kSecAccessControlPrivateKeyUsage")); goto errOut; } 
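Review bot: The `#pragma clang diagnostic ignored "-Wunguarded-availability-new"` opened in this hunk is only popped in the next one (`@@ -152,25 +150,25 @@`), so the availability check is switched off for the whole flag-validation and constraint-building stretch rather than for the Biometry symbols alone, and nothing says why that is safe. A short comment at the push would do, along the lines of `/* Biometry flags are compile-time constants; no runtime availability check is needed */`, if that is indeed the reason (the header that declares them is not on this page). Parenthesising `flags & kSecAccessControlUserPresence && flags & ~(...)` would also make the intended grouping explicit in this access-control check. SecAccessControlCreateWithFlags begins and ends outside the hunk.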
@@ -152,25 +150,25 @@ SecAccessControlRef SecAccessControlCreateWithFlags(CFAllocatorRef allocator, CF CFReleaseNull(constraint); } -#if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80) - if (flags & kSecAccessControlTouchIDAny) { - require_quiet(constraint = SecAccessConstraintCreateTouchIDAny(allocator, _getEmptyData()), errOut); + if (flags & kSecAccessControlBiometryAny) { + require_quiet(constraint = SecAccessConstraintCreateBiometryAny(allocator, _getEmptyData()), errOut); CFArrayAppendValue(constraints, constraint); CFReleaseNull(constraint); } - if (flags & kSecAccessControlTouchIDCurrentSet) { - require_quiet(constraint = SecAccessConstraintCreateTouchIDCurrentSet(allocator, _getEmptyData(), _getEmptyData()), errOut); + if (flags & kSecAccessControlBiometryCurrentSet) { + require_quiet(constraint = SecAccessConstraintCreateBiometryCurrentSet(allocator, _getEmptyData(), _getEmptyData()), errOut); CFArrayAppendValue(constraints, constraint); CFReleaseNull(constraint); } +#pragma clang diagnostic pop + if (flags & kSecAccessControlApplicationPassword) { SecAccessControlSetRequirePassword(access_control, true); } -#endif + CFIndex constraints_count = CFArrayGetCount(constraints); -#if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80) if (constraints_count > 1) { require_quiet(constraint = SecAccessConstraintCreateValueOfKofN(allocator, or?1:constraints_count, constraints, error), errOut); if (flags & kSecAccessControlPrivateKeyUsage) { 
@@ -184,25 +182,18 @@ SecAccessControlRef SecAccessControlCreateWithFlags(CFAllocatorRef allocator, CF } require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpDelete, kCFBooleanTrue, error), errOut); CFReleaseNull(constraint); - } else -#endif - if (constraints_count == 1) { -#if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80) + } else if (constraints_count == 1) { if (flags & kSecAccessControlPrivateKeyUsage) { require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpSign, CFArrayGetValueAtIndex(constraints, 0), error), errOut); require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpComputeKey, CFArrayGetValueAtIndex(constraints, 0), error), errOut); require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpAttest, kCFBooleanTrue, error), errOut); } else { -#endif require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpDecrypt, CFArrayGetValueAtIndex(constraints, 0), error), errOut); require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpEncrypt, kCFBooleanTrue, error), errOut); -#if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80) } -#endif require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpDelete, kCFBooleanTrue, error), errOut); } else { -#if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80) if (flags & kSecAccessControlPrivateKeyUsage) { require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpSign, kCFBooleanTrue, error), errOut); require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpComputeKey, kCFBooleanTrue, error), errOut); 
@@ -210,11 +201,8 @@ SecAccessControlRef SecAccessControlCreateWithFlags(CFAllocatorRef allocator, CF require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpDelete, kCFBooleanTrue, error), errOut); } else { -#endif require_quiet(SecAccessControlAddConstraintForOperation(access_control, kAKSKeyOpDefaultAcl, kCFBooleanTrue, error), errOut); -#if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80) } -#endif } CFReleaseNull(constraints); 
@@ -280,14 +268,18 @@ SecAccessConstraintRef SecAccessConstraintCreatePasscode(CFAllocatorRef allocato return CFDictionaryCreateMutableForCFTypesWith(allocator, CFSTR(kACMKeyAclConstraintUserPasscode), kCFBooleanTrue, NULL); } -SecAccessConstraintRef SecAccessConstraintCreateTouchIDAny(CFAllocatorRef allocator, CFDataRef catacombUUID) { +SecAccessConstraintRef SecAccessConstraintCreateBiometryAny(CFAllocatorRef allocator, CFDataRef catacombUUID) { CFMutableDictionaryRef bioDict = CFDictionaryCreateMutableForCFTypesWith(allocator, CFSTR(kACMKeyAclParamBioCatacombUUID), catacombUUID, NULL); SecAccessConstraintRef constraint = CFDictionaryCreateMutableForCFTypesWith(allocator, CFSTR(kACMKeyAclConstraintBio), bioDict, NULL); CFReleaseSafe(bioDict); return constraint; } -SecAccessConstraintRef SecAccessConstraintCreateTouchIDCurrentSet(CFAllocatorRef allocator, CFDataRef catacombUUID, CFDataRef bioDbHash) { +SecAccessConstraintRef SecAccessConstraintCreateTouchIDAny(CFAllocatorRef allocator, CFDataRef catacombUUID) { + return SecAccessConstraintCreateBiometryAny(allocator, catacombUUID); +} + +SecAccessConstraintRef SecAccessConstraintCreateBiometryCurrentSet(CFAllocatorRef allocator, CFDataRef catacombUUID, CFDataRef bioDbHash) { CFMutableDictionaryRef bioDict = CFDictionaryCreateMutableForCFTypesWith(allocator, CFSTR(kACMKeyAclParamBioCatacombUUID), catacombUUID, NULL); CFDictionarySetValue(bioDict, CFSTR(kACMKeyAclParamBioDatabaseHash), bioDbHash); SecAccessConstraintRef constraint = CFDictionaryCreateMutableForCFTypesWith(allocator, CFSTR(kACMKeyAclConstraintBio), bioDict, NULL); 
@@ -295,6 +287,10 @@ SecAccessConstraintRef SecAccessConstraintCreateTouchIDCurrentSet(CFAllocatorRef return constraint; } +SecAccessConstraintRef SecAccessConstraintCreateTouchIDCurrentSet(CFAllocatorRef allocator, CFDataRef catacombUUID, CFDataRef bioDbHash) { + return SecAccessConstraintCreateBiometryCurrentSet(allocator, catacombUUID, bioDbHash); +} + static SecAccessConstraintRef SecAccessConstraintCreateValueOfKofN(CFAllocatorRef allocator, size_t numRequired, CFArrayRef constraints, CFErrorRef *error) { CFNumberRef k = CFNumberCreateWithCFIndex(allocator, numRequired); CFMutableDictionaryRef kofn = CFDictionaryCreateMutableForCFTypesWith(allocator, CFSTR(kACMKeyAclParamKofN), k, NULL); @@ -342,9 +338,7 @@ errOut: bool SecAccessControlAddConstraintForOperation(SecAccessControlRef access_control, CFTypeRef operation, CFTypeRef constraint, CFErrorRef *error) { CheckItemInArray(operation, ItemArray(kAKSKeyOpEncrypt, kAKSKeyOpDecrypt, -#if TARGET_OS_IPHONE || (!RC_HIDE_J79 && !RC_HIDE_J80) kAKSKeyOpSign, kAKSKeyOpAttest, kAKSKeyOpComputeKey, -#endif kAKSKeyOpSync, kAKSKeyOpDefaultAcl, kAKSKeyOpDelete), CFSTR("SecAccessControl: invalid operation")); if (!isDictionary(constraint) && !CFEqual(constraint, kCFBooleanTrue) && !CFEqual(constraint, kCFBooleanFalse) ) { diff --git a/OSX/sec/Security/SecAccessControlExports.exp-in b/OSX/sec/Security/SecAccessControlExports.exp-in index 1ace3743..f287ba95 100644 --- a/OSX/sec/Security/SecAccessControlExports.exp-in +++ b/OSX/sec/Security/SecAccessControlExports.exp-in @@ -2,6 +2,8 @@ // sec // +_SecAccessConstraintCreateBiometryAny +_SecAccessConstraintCreateBiometryCurrentSet _SecAccessConstraintCreateKofN _SecAccessConstraintCreatePasscode _SecAccessConstraintCreatePolicy diff --git a/OSX/sec/Security/SecAccessControlPriv.h b/OSX/sec/Security/SecAccessControlPriv.h index 624bb618..9a57a15a 100644 --- a/OSX/sec/Security/SecAccessControlPriv.h +++ b/OSX/sec/Security/SecAccessControlPriv.h 
@@ -54,11 +54,19 @@ SecAccessConstraintRef SecAccessConstraintCreatePolicy(CFAllocatorRef allocator, /*! Creates constraint which requires passcode verification. */ SecAccessConstraintRef SecAccessConstraintCreatePasscode(CFAllocatorRef allocator); -/*! Creates constraint which requires TouchID verification.*/ -SecAccessConstraintRef SecAccessConstraintCreateTouchIDAny(CFAllocatorRef allocator, CFDataRef catacombUUID); +/*! Creates constraint which requires Touch ID or Face ID verification.*/ +SecAccessConstraintRef SecAccessConstraintCreateBiometryAny(CFAllocatorRef allocator, CFDataRef catacombUUID); -/*! Creates constraint which requires TouchID verification.*/ -SecAccessConstraintRef SecAccessConstraintCreateTouchIDCurrentSet(CFAllocatorRef allocator, CFDataRef catacombUUID, CFDataRef bioDbHash); +/*! Creates constraint which requires Touch ID verification.*/ +SecAccessConstraintRef SecAccessConstraintCreateTouchIDAny(CFAllocatorRef allocator, CFDataRef catacombUUID) +API_DEPRECATED_WITH_REPLACEMENT("SecAccessConstraintCreateBiometryAny", macos(10.12.1, 10.13.4), ios(9.0, 11.3)); + +/*! Creates constraint which requires Touch ID or Face ID verification.*/ +SecAccessConstraintRef SecAccessConstraintCreateBiometryCurrentSet(CFAllocatorRef allocator, CFDataRef catacombUUID, CFDataRef bioDbHash); + +/*! Creates constraint which requires Touch ID verification.*/ +SecAccessConstraintRef SecAccessConstraintCreateTouchIDCurrentSet(CFAllocatorRef allocator, CFDataRef catacombUUID, CFDataRef bioDbHash) +API_DEPRECATED_WITH_REPLACEMENT("SecAccessConstraintCreateBiometryCurrentSet", macos(10.12.1, 10.13.4), ios(9.0, 11.3)); /*! Creates constraint composed of other constraints. @param numRequired Number of constraints required to be satisfied in order to consider overal constraint satisfied. diff --git a/OSX/sec/Security/SecCMS.c b/OSX/sec/Security/SecCMS.c index ea18169d..f9bc72ed 100644 --- a/OSX/sec/Security/SecCMS.c +++ b/OSX/sec/Security/SecCMS.c 
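Review bot: The new doc comments give `SecAccessConstraintCreateBiometryAny` and `SecAccessConstraintCreateBiometryCurrentSet` the identical sentence, so the header does not tell a caller what differs between them or what `catacombUUID` and `bioDbHash` must contain. From SecAccessControl.c in this commit, the CurrentSet variant additionally stores `bioDbHash` under `kACMKeyAclParamBioDatabaseHash`; presumably that is what ties the constraint to the currently enrolled biometric set, and the comment should say so, e.g. `/*! Creates constraint which requires Touch ID or Face ID verification against the biometric database identified by bioDbHash. */`. It would also help to state whether either argument may be NULL, since both implementations pass them straight into the dictionary constructors without a check. The deprecated TouchID declarations could note that they forward to the Biometry functions.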
@@ -77,6 +77,7 @@ CFTypeRef kSecCMSSignedAttributes = CFSTR("kSecCMSSignedAttributes"); CFTypeRef kSecCMSSignDate = CFSTR("kSecCMSSignDate"); CFTypeRef kSecCMSAllCerts = CFSTR("kSecCMSAllCerts"); CFTypeRef kSecCMSHashAgility = CFSTR("kSecCMSHashAgility"); +CFTypeRef kSecCMSHashAgilityV2 = CFSTR("kSecCMSHashAgilityV2"); CFTypeRef kSecCMSBulkEncryptionAlgorithm = CFSTR("kSecCMSBulkEncryptionAlgorithm"); CFTypeRef kSecCMSEncryptionAlgorithmDESCBC = CFSTR("kSecCMSEncryptionAlgorithmDESCBC"); @@ -361,8 +362,7 @@ OSStatus SecCMSCreateSignedData(SecIdentityRef identity, CFDataRef data, } else if (CFEqual(kSecCMSHashingAlgorithmSHA512, algorithm_name)) { algorithm = SEC_OID_SHA512; } else { - // signing with MD5 is no longer allowed - algorithm = SEC_OID_UNKNOWN; + return errSecParam; } } @@ -513,6 +513,13 @@ static OSStatus SecCMSVerifySignedData_internal(CFDataRef message, CFDataRef det } } + CFDictionaryRef hash_agility_values = NULL; + if (errSecSuccess == SecCmsSignerInfoGetAppleCodesigningHashAgilityV2(sigd->signerInfos[0], &hash_agility_values)) { + if (hash_agility_values) { + CFDictionarySetValue(attrs, kSecCMSHashAgilityV2, hash_agility_values); + } + } + *signed_attributes = attrs; CFReleaseSafe(certs); } diff --git a/OSX/sec/Security/SecCMS.h b/OSX/sec/Security/SecCMS.h index 224dec7d..268100ca 100644 --- a/OSX/sec/Security/SecCMS.h +++ b/OSX/sec/Security/SecCMS.h @@ -45,6 +45,7 @@ extern const void * kSecCMSSignedAttributes; extern const void * kSecCMSSignDate; extern const void * kSecCMSAllCerts; extern const void * kSecCMSHashAgility; +extern const void * kSecCMSHashAgilityV2; extern const void * kSecCMSEncryptionAlgorithmDESCBC; extern const void * kSecCMSEncryptionAlgorithmAESCBC; diff --git a/OSX/sec/Security/SecCertificate.c b/OSX/sec/Security/SecCertificate.c index 007c8008..85686e09 100644 --- a/OSX/sec/Security/SecCertificate.c +++ b/OSX/sec/Security/SecCertificate.c 
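Review bot: The new `return errSecParam;` in the final `else` of the algorithm selection drops the comment that explained why an unlisted digest name is refused, and it leaves the function directly rather than through whatever cleanup path SecCMSCreateSignedData uses. Failing closed on an unknown or disallowed hash name is the right behaviour; keep the reason beside it, e.g. `/* unsupported digest (MD5 is no longer allowed for signing): refuse instead of signing with an unknown OID */`. The function starts outside the hunk, so please confirm that nothing has been allocated before this branch that the early return would leak.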
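Review bot: Any status other than `errSecSuccess` from `SecCmsSignerInfoGetAppleCodesigningHashAgilityV2` is discarded in the `@@ -513,6 +513,13 @@` hunk, so a caller of the verify function cannot tell a signature with no V2 hash-agility attribute from one whose attribute was present but malformed. If consumers fall back to other digests when `kSecCMSHashAgilityV2` is missing, a malformed attribute should probably fail verification or at least be logged; keeping the status in a local and handling the "attribute absent" result separately would make that possible. The call also indexes `sigd->signerInfos[0]` with no check in this hunk that a signer exists; presumably the code above already guarantees it, but SecCMSVerifySignedData_internal begins outside the hunk. A one-line comment stating that `hash_agility_values` is borrowed from the signer info (it is not released here) would document the ownership.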
@@ -48,7 +48,7 @@ #include #include #include -#include +#include #include "SecBasePriv.h" #include "SecRSAKey.h" #include "SecFramework.h" @@ -109,7 +109,7 @@ struct __SecCertificate { CFAbsoluteTime _notBefore; CFAbsoluteTime _notAfter; DERItem _subject; /* Sequence of RDN. */ - DERItem _subjectPublicKeyInfo; /* SPKI */ + DERItem _subjectPublicKeyInfo; /* SPKI (without tag/length) */ DERAlgorithmId _algId; /* oid and params of _pubKeyDER. */ DERItem _pubKeyDER; /* contents of bit string */ DERItem _issuerUniqueID; /* bit string, optional */ @@ -542,10 +542,10 @@ badDER: /************************************************************************/ typedef OSStatus (*parseX501NameCallback)(void *context, const DERItem *type, - const DERItem *value, CFIndex rdnIX); + const DERItem *value, CFIndex rdnIX, bool localized); static OSStatus parseRDNContent(const DERItem *rdnSetContent, void *context, - parseX501NameCallback callback) { + parseX501NameCallback callback, bool localized) { DERSequence rdn; DERReturn drtn = DERDecodeSeqContentInit(rdnSetContent, &rdn); require_noerr_quiet(drtn, badDER); @@ -560,9 +560,10 @@ static OSStatus parseRDNContent(const DERItem *rdnSetContent, void *context, &atv, sizeof(atv)); require_noerr_quiet(drtn, badDER); require_quiet(atv.type.length != 0, badDER); - OSStatus status = callback(context, &atv.type, &atv.value, rdnIX++); - if (status) + OSStatus status = callback(context, &atv.type, &atv.value, rdnIX++, localized); + if (status) { return status; + } } require_quiet(drtn == DR_EndOfSequence, badDER); @@ -572,7 +573,7 @@ badDER: } static OSStatus parseX501NameContent(const DERItem *x501NameContent, void *context, - parseX501NameCallback callback) { + parseX501NameCallback callback, bool localized) { DERSequence derSeq; DERReturn drtn = DERDecodeSeqContentInit(x501NameContent, &derSeq); require_noerr_quiet(drtn, badDER); 
@@ -580,9 +581,10 @@ static OSStatus parseX501NameContent(const DERItem *x501NameContent, void *conte while ((drtn = DERDecodeSeqNext(&derSeq, &currDecoded)) == DR_Success) { require_quiet(currDecoded.tag == ASN1_CONSTR_SET, badDER); OSStatus status = parseRDNContent(&currDecoded.content, context, - callback); - if (status) + callback, localized); + if (status) { return status; + } } require_quiet(drtn == DR_EndOfSequence, badDER); @@ -593,14 +595,14 @@ badDER: } static OSStatus parseX501Name(const DERItem *x501Name, void *context, - parseX501NameCallback callback) { + parseX501NameCallback callback, bool localized) { DERDecodedInfo x501NameContent; if (DERDecodeItem(x501Name, &x501NameContent) || x501NameContent.tag != ASN1_CONSTR_SEQUENCE) { return errSecInvalidCertificate; } else { return parseX501NameContent(&x501NameContent.content, context, - callback); + callback, localized); } } @@ -1242,6 +1244,11 @@ static bool SecCEPEscrowMarker(SecCertificateRef certificate, return true; } +static bool SecCEPOCSPNoCheck(SecCertificateRef certificate, + const SecCertificateExtension *extn) { + secdebug("cert", "ocsp-nocheck critical: %s", extn->critical ? "yes" : "no"); + return true; +} /* Dictionary key callback for comparing to DERItems. */ static Boolean SecDERItemEqual(const void *value1, const void *value2) { @@ -1292,7 +1299,8 @@ static void SecCertificateInitializeExtensionParsers(void) { &oidSubjectInfoAccess, &oidNetscapeCertType, &oidEntrustVersInfo, - &oidApplePolicyEscrowService + &oidApplePolicyEscrowService, + &oidOCSPNoCheck, }; static const void *extnParsers[] = { SecCEPSubjectKeyIdentifier, @@ -1314,6 +1322,7 @@ static void SecCertificateInitializeExtensionParsers(void) { SecCEPNetscapeCertType, SecCEPEntrustVersInfo, SecCEPEscrowMarker, + SecCEPOCSPNoCheck, }; sExtensionParsers = CFDictionaryCreate(kCFAllocatorDefault, extnOIDs, extnParsers, array_size(extnOIDs), 
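Review bot: `SecCEPOCSPNoCheck` (hunk `@@ -1242,6 +1244,11 @@`) accepts the extension whatever its value is, and once it is registered in `extnOIDs`/`extnParsers` by the two hunks that follow, id-pkix-ocsp-nocheck presumably counts as a recognised extension even when it is marked critical. RFC 6960 requires the value of this extension to be NULL, so the parser should check that the value is exactly a DER NULL and return false otherwise, instead of only logging the critical bit. The `certificate` parameter is unused and nothing is stored, so if a later OCSP policy decision depends on this extension, a comment should say where that is evaluated. How the caller treats the return value and unknown critical extensions is outside these hunks.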
@@ -1701,9 +1710,9 @@ static bool SecCertificateParse(SecCertificateRef certificate) /* Keep the SPKI around for CT */ certificate->_subjectPublicKeyInfo = tbsCert.subjectPubKey; - /* sequence we're given: encoded DERSubjPubKeyInfo - it was saved in full DER form */ + /* sequence we're given: encoded DERSubjPubKeyInfo */ DERSubjPubKeyInfo pubKeyInfo; - drtn = DERParseSequence(&tbsCert.subjectPubKey, + drtn = DERParseSequenceContent(&tbsCert.subjectPubKey, DERNumSubjPubKeyInfoItemSpecs, DERSubjPubKeyInfoItemSpecs, &pubKeyInfo, sizeof(pubKeyInfo)); require_noerr_quiet(drtn, badCert); 
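Review bot: After this change `certificate->_subjectPublicKeyInfo` holds only the content of the SubjectPublicKeyInfo SEQUENCE (the struct comment in this commit now reads "without tag/length"), while the comment above the assignment still just says it is kept "for CT". Any reader that hashes or compares this field as a complete DER SPKI, for certificate transparency or key pinning for instance, would get a different digest unless it re-adds the SEQUENCE header, so each consumer of the field needs checking; none is visible in this hunk. I would extend the comment to `/* Keep the SPKI content (no SEQUENCE tag/length) around for CT; re-wrap before hashing */`. SecCertificateParse begins and ends outside the hunk.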
@@ -2081,38 +2090,47 @@ CFStringRef SecDERItemCopyOIDDecimalRepresentation(CFAllocatorRef allocator, return result; } -static CFStringRef copyLocalizedOidDescription(CFAllocatorRef allocator, - const DERItem *oid) { - if (oid->length == 0) { - return SecCopyCertString(SEC_NULL_KEY); +static CFStringRef copyOidDescription(CFAllocatorRef allocator, + const DERItem *oid, bool localized) { + if (!oid || oid->length == 0) { + return (localized) ? SecCopyCertString(SEC_NULL_KEY) : SEC_NULL_KEY; + } + + CFStringRef name = SecDERItemCopyOIDDecimalRepresentation(allocator, oid); + if (!localized) { + return name; } /* Build the key we use to lookup the localized OID description. */ CFMutableStringRef oidKey = CFStringCreateMutable(allocator, oid->length * 3 + 5); CFStringAppendFormat(oidKey, NULL, CFSTR("06 %02lX"), oid->length); - DERSize ix; - for (ix = 0; ix < oid->length; ++ix) + for (DERSize ix = 0; ix < oid->length; ++ix) { CFStringAppendFormat(oidKey, NULL, CFSTR(" %02X"), oid->data[ix]); - - CFStringRef name = SecFrameworkCopyLocalizedString(oidKey, CFSTR("OID")); - if (CFEqual(oidKey, name)) { - CFRelease(name); - name = SecDERItemCopyOIDDecimalRepresentation(allocator, oid); + } + CFStringRef locname = SecFrameworkCopyLocalizedString(oidKey, CFSTR("OID")); + if (locname && !CFEqual(oidKey, locname)) { + /* Found localized description string, so use it instead of OID. */ + CFReleaseSafe(name); + name = locname; + } else { + CFReleaseSafe(locname); } CFRelease(oidKey); return name; } -/* Return the ipAddress as a dotted quad for ipv4 or as 8 colon separated - 4 digit hex strings for ipv6. Return NULL if the passed in IP doesn't - have a length of exactly 4 or 16 octects. */ +/* Return the ipAddress as a dotted quad for ipv4, or as 8 colon separated + 4 digit hex strings for ipv6. Return NULL if the provided IP doesn't + have a length of exactly 4 or 16 octets. 
+*/ static CFStringRef copyIPAddressContentDescription(CFAllocatorRef allocator, const DERItem *ip) { - /* @@@ This is the IP Address as an OCTECT STRING. For IPv4 it's - 4 octects addr, or 8 octects, addr/mask for ipv6 it's - 16 octects addr, or 32 octects addr/mask. */ + /* This is the IP Address as an OCTET STRING. + For IPv4 it's 4 octets addr, or 8 octets, addr/mask. + For IPv6 it's 16 octets addr, or 32 octets addr/mask. + */ CFStringRef value = NULL; if (ip->length == 4) { value = CFStringCreateWithFormat(allocator, NULL, @@ -2132,13 +2150,16 @@ static CFStringRef copyIPAddressContentDescription(CFAllocatorRef allocator, } void appendProperty(CFMutableArrayRef properties, CFStringRef propertyType, - CFStringRef label, CFStringRef localizedLabel, CFTypeRef value) { + CFStringRef label, CFStringRef localizedLabel, CFTypeRef value, + bool localized) { CFDictionaryRef property; if (label) { - CFStringRef ll; - if (localizedLabel) { - ll = NULL; - } else { + CFStringRef ll = NULL; + if (!localized) { + /* use unlocalized label, overriding localizedLabel */ + ll = localizedLabel = (CFStringRef) CFRetainSafe(label); + } else if (!localizedLabel) { + /* copy localized label for unlocalized label */ ll = localizedLabel = SecCopyCertString(label); } const void *all_keys[4]; @@ -2367,11 +2388,12 @@ __attribute__((__nonnull__)) static bool derDateGetAbsoluteTime(const DERItem *d } static void appendDataProperty(CFMutableArrayRef properties, - CFStringRef label, CFStringRef localizedLabel, const DERItem *der_data) { + CFStringRef label, CFStringRef localizedLabel, const DERItem *der_data, + bool localized) { CFDataRef data = CFDataCreate(CFGetAllocator(properties), der_data->data, der_data->length); appendProperty(properties, kSecPropertyTypeData, label, localizedLabel, - data); + data, localized); CFRelease(data); } 
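Review bot: In `copyOidDescription` the empty-OID branch returns `SEC_NULL_KEY` itself when `localized` is false but a copied string when it is true, so one branch of a `copy…` function hands back a reference the caller does not own. Depending on how `SEC_NULL_KEY` is defined (not visible here) a caller's release may be harmless, but the contract should not rely on that: `return localized ? SecCopyCertString(SEC_NULL_KEY) : (CFStringRef)CFRetainSafe(SEC_NULL_KEY);`, matching the `CFRetainSafe(label)` pattern this commit uses in `appendProperty`. The decimal form is also built before the localized lookup and released whenever a localized string is found; computing it only in the fallback branch avoids the extra allocation.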
@@ -2379,150 +2401,163 @@ static void appendRelabeledProperty(CFMutableArrayRef properties, CFStringRef label, CFStringRef localizedLabel, const DERItem *der_data, - CFStringRef labelFormat) { + CFStringRef labelFormat, + bool localized) { CFStringRef newLabel = CFStringCreateWithFormat(CFGetAllocator(properties), NULL, labelFormat, label); - CFStringRef ll; - if (localizedLabel) { - ll = NULL; + CFStringRef ll = NULL; + CFStringRef localizedLabelFormat = NULL; + if (!localized) { + /* use provided label and format strings; do not localize */ + ll = localizedLabel = (CFStringRef) CFRetainSafe(label); + localizedLabelFormat = (CFStringRef) CFRetainSafe(labelFormat); } else { - ll = localizedLabel = SecCopyCertString(label); + if (!localizedLabel) { + /* copy localized label for provided label */ + ll = localizedLabel = SecCopyCertString(label); + } + /* copy localized format for provided format */ + localizedLabelFormat = SecCopyCertString(labelFormat); } - CFStringRef localizedLabelFormat = SecCopyCertString(labelFormat); + CFStringRef newLocalizedLabel = CFStringCreateWithFormat(CFGetAllocator(properties), NULL, localizedLabelFormat, localizedLabel); CFReleaseSafe(ll); CFReleaseSafe(localizedLabelFormat); - appendDataProperty(properties, newLabel, newLocalizedLabel, der_data); + appendDataProperty(properties, newLabel, newLocalizedLabel, der_data, localized); CFReleaseSafe(newLabel); CFReleaseSafe(newLocalizedLabel); } static void appendUnparsedProperty(CFMutableArrayRef properties, - CFStringRef label, CFStringRef localizedLabel, const DERItem *der_data) { + CFStringRef label, CFStringRef localizedLabel, + const DERItem *der_data, bool localized) { appendRelabeledProperty(properties, label, localizedLabel, der_data, - SEC_UNPARSED_KEY); + SEC_UNPARSED_KEY, localized); } static void appendInvalidProperty(CFMutableArrayRef properties, - CFStringRef label, const DERItem *der_data) { - appendRelabeledProperty(properties, label, NULL, der_data, SEC_INVALID_KEY); + 
CFStringRef label, const DERItem *der_data, bool localized) { + appendRelabeledProperty(properties, label, NULL, der_data, + SEC_INVALID_KEY, localized); } static void appendDateContentProperty(CFMutableArrayRef properties, CFStringRef label, DERTag tag, - const DERItem *dateContent) { + const DERItem *dateContent, bool localized) { CFAbsoluteTime absTime; if (!derDateContentGetAbsoluteTime(tag, dateContent, &absTime)) { - /* Date decode failure insert hex bytes instead. */ - return appendInvalidProperty(properties, label, dateContent); + /* Date decode failure; insert hex bytes instead. */ + return appendInvalidProperty(properties, label, dateContent, localized); } CFDateRef date = CFDateCreate(CFGetAllocator(properties), absTime); - appendProperty(properties, kSecPropertyTypeDate, label, NULL, date); + appendProperty(properties, kSecPropertyTypeDate, label, NULL, date, localized); CFRelease(date); } static void appendDateProperty(CFMutableArrayRef properties, - CFStringRef label, CFAbsoluteTime absTime) { + CFStringRef label, CFAbsoluteTime absTime, bool localized) { CFDateRef date = CFDateCreate(CFGetAllocator(properties), absTime); - appendProperty(properties, kSecPropertyTypeDate, label, NULL, date); + appendProperty(properties, kSecPropertyTypeDate, label, NULL, date, localized); CFRelease(date); } static void appendValidityPeriodProperty(CFMutableArrayRef parent, CFStringRef label, - SecCertificateRef certificate) { + SecCertificateRef certificate, bool localized) { CFAllocatorRef allocator = CFGetAllocator(parent); CFMutableArrayRef properties = CFArrayCreateMutable(allocator, 0, &kCFTypeArrayCallBacks); appendDateProperty(properties, SEC_NOT_VALID_BEFORE_KEY, - certificate->_notBefore); + certificate->_notBefore, localized); appendDateProperty(properties, SEC_NOT_VALID_AFTER_KEY, - certificate->_notAfter); + certificate->_notAfter, localized); - appendProperty(parent, kSecPropertyTypeSection, label, NULL, properties); + appendProperty(parent, 
kSecPropertyTypeSection, label, NULL, properties, localized); CFReleaseNull(properties); } static void appendIPAddressContentProperty(CFMutableArrayRef properties, - CFStringRef label, const DERItem *ip) { + CFStringRef label, const DERItem *ip, bool localized) { CFStringRef value = copyIPAddressContentDescription(CFGetAllocator(properties), ip); if (value) { - appendProperty(properties, kSecPropertyTypeString, label, NULL, value); + appendProperty(properties, kSecPropertyTypeString, label, NULL, value, localized); CFRelease(value); } else { - appendUnparsedProperty(properties, label, NULL, ip); + appendUnparsedProperty(properties, label, NULL, ip, localized); } } static void appendURLContentProperty(CFMutableArrayRef properties, - CFStringRef label, const DERItem *urlContent) { + CFStringRef label, const DERItem *urlContent, bool localized) { CFURLRef url = CFURLCreateWithBytes(CFGetAllocator(properties), urlContent->data, urlContent->length, kCFStringEncodingASCII, NULL); if (url) { - appendProperty(properties, kSecPropertyTypeURL, label, NULL, url); + appendProperty(properties, kSecPropertyTypeURL, label, NULL, url, localized); CFRelease(url); } else { - appendInvalidProperty(properties, label, urlContent); + appendInvalidProperty(properties, label, urlContent, localized); } } static void appendURLProperty(CFMutableArrayRef properties, - CFStringRef label, const DERItem *url) { + CFStringRef label, const DERItem *url, bool localized) { DERDecodedInfo decoded; DERReturn drtn; drtn = DERDecodeItem(url, &decoded); if (drtn || decoded.tag != ASN1_IA5_STRING) { - appendInvalidProperty(properties, label, url); + appendInvalidProperty(properties, label, url, localized); } else { - appendURLContentProperty(properties, label, &decoded.content); + appendURLContentProperty(properties, label, &decoded.content, localized); } } static void appendOIDProperty(CFMutableArrayRef properties, - CFStringRef label, CFStringRef llabel, const DERItem *oid) { + CFStringRef label, 
CFStringRef llabel, const DERItem *oid, bool localized) { CFStringRef oid_string = - copyLocalizedOidDescription(CFGetAllocator(properties), oid); + copyOidDescription(CFGetAllocator(properties), oid, localized); appendProperty(properties, kSecPropertyTypeString, label, llabel, - oid_string); + oid_string, localized); CFRelease(oid_string); } static void appendAlgorithmProperty(CFMutableArrayRef properties, - CFStringRef label, const DERAlgorithmId *algorithm) { + CFStringRef label, const DERAlgorithmId *algorithm, bool localized) { CFMutableArrayRef alg_props = CFArrayCreateMutable(CFGetAllocator(properties), 0, &kCFTypeArrayCallBacks); - appendOIDProperty(alg_props, SEC_ALGORITHM_KEY, NULL, &algorithm->oid); + appendOIDProperty(alg_props, SEC_ALGORITHM_KEY, NULL, + &algorithm->oid, localized); if (algorithm->params.length) { if (algorithm->params.length == 2 && algorithm->params.data[0] == ASN1_NULL && algorithm->params.data[1] == 0) { CFStringRef value = SecCopyCertString(SEC_NONE_KEY); appendProperty(alg_props, kSecPropertyTypeString, - SEC_PARAMETERS_KEY, NULL, value); + SEC_PARAMETERS_KEY, NULL, value, localized); CFRelease(value); } else { appendUnparsedProperty(alg_props, SEC_PARAMETERS_KEY, NULL, - &algorithm->params); + &algorithm->params, localized); } } - appendProperty(properties, kSecPropertyTypeSection, label, NULL, alg_props); + appendProperty(properties, kSecPropertyTypeSection, label, NULL, + alg_props, localized); CFRelease(alg_props); } static void appendPublicKeyProperty(CFMutableArrayRef parent, CFStringRef label, - SecCertificateRef certificate) { + SecCertificateRef certificate, bool localized) { CFAllocatorRef allocator = CFGetAllocator(parent); CFMutableArrayRef properties = CFArrayCreateMutable(allocator, 0, &kCFTypeArrayCallBacks); /* Public key algorithm. */ appendAlgorithmProperty(properties, SEC_PUBLIC_KEY_ALG_KEY, - &certificate->_algId); + &certificate->_algId, localized); /* Public Key Size */ #if TARGET_OS_IPHONE 
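Review bot: In `appendAlgorithmProperty` the NULL-parameters branch still calls `SecCopyCertString(SEC_NONE_KEY)` unconditionally, so a caller that asks for unlocalized properties would still receive a localized value for the parameters entry. The rest of this hunk threads `localized` through to the value strings, and this site looks like it was missed. Suggested line: `CFStringRef value = (localized) ? SecCopyCertString(SEC_NONE_KEY) : (CFStringRef) CFRetainSafe(SEC_NONE_KEY);`, which keeps the following `CFRelease(value)` balanced.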
@@ -2536,7 +2571,7 @@ static void appendPublicKeyProperty(CFMutableArrayRef parent, CFStringRef label, CFSTR("%ld"), (sizeInBytes*8)); if (sizeInBitsString) { appendProperty(properties, kSecPropertyTypeString, SEC_PUBLIC_KEY_SIZE_KEY, - NULL, sizeInBitsString); + NULL, sizeInBitsString, localized); } CFReleaseNull(sizeInBitsString); } 
@@ -2545,42 +2580,46 @@ static void appendPublicKeyProperty(CFMutableArrayRef parent, CFStringRef label, /* Consider breaking down an RSA public key into modulus and exponent? */ appendDataProperty(properties, SEC_PUBLIC_KEY_DATA_KEY, NULL, - &certificate->_pubKeyDER); + &certificate->_pubKeyDER, localized); - appendProperty(parent, kSecPropertyTypeSection, label, NULL, properties); + appendProperty(parent, kSecPropertyTypeSection, label, NULL, + properties, localized); CFReleaseNull(properties); } static void appendSignatureProperty(CFMutableArrayRef parent, CFStringRef label, - SecCertificateRef certificate) { + SecCertificateRef certificate, bool localized) { CFAllocatorRef allocator = CFGetAllocator(parent); CFMutableArrayRef properties = CFArrayCreateMutable(allocator, 0, &kCFTypeArrayCallBacks); appendAlgorithmProperty(properties, SEC_SIGNATURE_ALGORITHM_KEY, - &certificate->_tbsSigAlg); + &certificate->_tbsSigAlg, localized); appendDataProperty(properties, SEC_SIGNATURE_DATA_KEY, NULL, - &certificate->_signature); + &certificate->_signature, localized); - appendProperty(parent, kSecPropertyTypeSection, label, NULL, properties); + appendProperty(parent, kSecPropertyTypeSection, label, NULL, + properties, localized); CFReleaseNull(properties); } -static void appendFingerprintsProperty(CFMutableArrayRef parent, CFStringRef label, SecCertificateRef certificate) { +static void appendFingerprintsProperty(CFMutableArrayRef parent, CFStringRef label, + SecCertificateRef certificate, bool localized) { CFAllocatorRef allocator = CFGetAllocator(parent); CFMutableArrayRef properties = CFArrayCreateMutable(allocator, 0, &kCFTypeArrayCallBacks); CFDataRef sha256Fingerprint = SecCertificateCopySHA256Digest(certificate); if (sha256Fingerprint) { appendProperty(properties, kSecPropertyTypeData, SEC_SHA2_FINGERPRINT_KEY, - NULL, sha256Fingerprint); + NULL, sha256Fingerprint, localized); } CFReleaseNull(sha256Fingerprint); appendProperty(properties, kSecPropertyTypeData, 
SEC_SHA1_FINGERPRINT_KEY, - NULL, SecCertificateGetSHA1Digest(certificate)); + NULL, SecCertificateGetSHA1Digest(certificate), localized); - appendProperty(parent, kSecPropertyTypeSection, label, NULL, properties); + appendProperty(parent, kSecPropertyTypeSection, label, NULL, + properties, localized); CFReleaseNull(properties); } @@ -2598,14 +2637,17 @@ static CFStringRef copyHexDescription(CFAllocatorRef allocator, return string; } -/* Returns a (localized) blob string. */ static CFStringRef copyBlobString(CFAllocatorRef allocator, - CFStringRef blobType, CFStringRef quanta, const DERItem *blob) { - CFStringRef localizedBlobType = SecCopyCertString(blobType); - CFStringRef localizedQuanta = SecCopyCertString(quanta); + CFStringRef blobType, CFStringRef quanta, + const DERItem *blob, bool localized) { + CFStringRef localizedBlobType = (localized) ? + SecCopyCertString(blobType) : (CFStringRef) CFRetainSafe(blobType); + CFStringRef localizedQuanta = (localized) ? + SecCopyCertString(quanta) : (CFStringRef) CFRetainSafe(quanta); /* "format string for encoded field data (e.g. Sequence; 128 bytes; " "data = 00 00 ...)" */ - CFStringRef blobFormat = SecCopyCertString(SEC_BLOB_KEY); + CFStringRef blobFormat = (localized) ? + SecCopyCertString(SEC_BLOB_KEY) : SEC_BLOB_KEY; CFStringRef hex = copyHexDescription(allocator, blob); CFStringRef result = CFStringCreateWithFormat(allocator, NULL, blobFormat, localizedBlobType, blob->length, localizedQuanta, hex); @@ -2658,7 +2700,8 @@ static CFStringRef copyContentString(CFAllocatorRef allocator, */ /* Return the given numeric data as a string: decimal up to 64 bits, - hex otherwise. */ + hex otherwise. +*/ static CFStringRef copyIntegerContentDescription(CFAllocatorRef allocator, const DERItem *integer) { uint64_t value = 0; 
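Review bot: `appendFingerprintsProperty` guards the SHA-256 digest with `if (sha256Fingerprint)` but passes `SecCertificateGetSHA1Digest(certificate)` straight to `appendProperty` with no check. Whether the SHA-1 getter can return NULL, and whether `appendProperty` tolerates a NULL value, cannot be confirmed from this hunk because both bodies are outside it. If either can happen, fetch the digest into a local first, `CFDataRef sha1Fingerprint = SecCertificateGetSHA1Digest(certificate);`, and wrap the call in `if (sha1Fingerprint) { ... }` as is done for SHA-256.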
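Review bot: The commit drops the `/* Returns a (localized) blob string. */` comment from `copyBlobString` without a replacement, so the meaning of the new `localized` argument is left undocumented. I would keep a header such as `/* Returns a blob description; the type, quanta and format strings are localized only when 'localized' is true. */`. The end of the function body, including the releases of these strings, lies outside the hunk.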
@@ -2676,7 +2719,7 @@ static CFStringRef copyIntegerContentDescription(CFAllocatorRef allocator, } static CFStringRef copyDERThingContentDescription(CFAllocatorRef allocator, - DERTag tag, const DERItem *derThing, bool printableOnly) { + DERTag tag, const DERItem *derThing, bool printableOnly, bool localized) { if (!derThing) { return NULL; } switch(tag) { case ASN1_INTEGER: @@ -2698,26 +2741,27 @@ static CFStringRef copyDERThingContentDescription(CFAllocatorRef allocator, case ASN1_OCTET_STRING: return printableOnly ? NULL : copyBlobString(allocator, SEC_BYTE_STRING_KEY, SEC_BYTES_KEY, - derThing); - //return copyBlobString(BYTE_STRING_STR, BYTES_STR, derThing); + derThing, localized); case ASN1_BIT_STRING: return printableOnly ? NULL : copyBlobString(allocator, SEC_BIT_STRING_KEY, SEC_BITS_KEY, - derThing); + derThing, localized); case ASN1_CONSTR_SEQUENCE: return printableOnly ? NULL : copyBlobString(allocator, SEC_SEQUENCE_KEY, SEC_BYTES_KEY, - derThing); + derThing, localized); case ASN1_CONSTR_SET: return printableOnly ? NULL : - copyBlobString(allocator, SEC_SET_KEY, SEC_BYTES_KEY, derThing); + copyBlobString(allocator, SEC_SET_KEY, SEC_BYTES_KEY, + derThing, localized); case ASN1_OBJECT_ID: - return printableOnly ? NULL : copyLocalizedOidDescription(allocator, derThing); + return printableOnly ? NULL : copyOidDescription(allocator, derThing, localized); default: if (printableOnly) { return NULL; } else { - CFStringRef fmt = SecCopyCertString(SEC_NOT_DISPLAYED_KEY); + CFStringRef fmt = (localized) ? + SecCopyCertString(SEC_NOT_DISPLAYED_KEY) : SEC_NOT_DISPLAYED_KEY; if (!fmt) { return NULL; } CFStringRef result = CFStringCreateWithFormat(allocator, NULL, fmt, (unsigned long)tag, (unsigned long)derThing->length); 
@@ -2728,7 +2772,7 @@ static CFStringRef copyDERThingContentDescription(CFAllocatorRef allocator, } static CFStringRef copyDERThingDescription(CFAllocatorRef allocator, - const DERItem *derThing, bool printableOnly) { + const DERItem *derThing, bool printableOnly, bool localized) { DERDecodedInfo decoded; DERReturn drtn; @@ -2739,23 +2783,25 @@ static CFStringRef copyDERThingDescription(CFAllocatorRef allocator, return printableOnly ? NULL : copyHexDescription(allocator, derThing); } else { return copyDERThingContentDescription(allocator, decoded.tag, - &decoded.content, false); + &decoded.content, false, localized); } } static void appendDERThingProperty(CFMutableArrayRef properties, - CFStringRef label, CFStringRef localizedLabel, const DERItem *derThing) { + CFStringRef label, CFStringRef localizedLabel, + const DERItem *derThing, bool localized) { CFStringRef value = copyDERThingDescription(CFGetAllocator(properties), - derThing, false); + derThing, false, localized); if (value) { appendProperty(properties, kSecPropertyTypeString, label, localizedLabel, - value); + value, localized); } CFReleaseSafe(value); } static OSStatus appendRDNProperty(void *context, const DERItem *rdnType, - const DERItem *rdnValue, CFIndex rdnIX) { + const DERItem *rdnValue, CFIndex rdnIX, + bool localized) { CFMutableArrayRef properties = (CFMutableArrayRef)context; if (rdnIX > 0) { /* If there is more than one value pair we create a subsection for the @@ -2773,7 +2819,7 @@ static OSStatus appendRDNProperty(void *context, const DERItem *rdnType, CFArrayAppendValue(rdn_props, lastValue); CFArrayRemoveValueAtIndex(properties, lastIX); appendProperty(properties, kSecPropertyTypeSection, NULL, NULL, - rdn_props); + rdn_props, localized); properties = rdn_props; // rdn_props is now retained by the original properties array CFReleaseSafe(rdn_props); 
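Review bot: `copyDERThingDescription` forwards a hard-coded `false` to `copyDERThingContentDescription`, so its own `printableOnly` argument only takes effect on the decode-failure path. The callers visible on this page all pass `false`, so this may be latent, but since the line is being touched anyway it would read more safely as `&decoded.content, printableOnly, localized);`. If the constant is deliberate, a short comment explaining why a successfully decoded item ignores `printableOnly` would help. The function body is split across two hunks and is not fully visible here.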
@@ -2788,25 +2834,28 @@ static OSStatus appendRDNProperty(void *context, const DERItem *rdnType, } /* Finally we append the new rdn value to the property array. */ - CFStringRef label = SecDERItemCopyOIDDecimalRepresentation(CFGetAllocator(properties), - rdnType); - CFStringRef localizedLabel = - copyLocalizedOidDescription(CFGetAllocator(properties), rdnType); - appendDERThingProperty(properties, label, localizedLabel, rdnValue); + CFStringRef label = + SecDERItemCopyOIDDecimalRepresentation(CFGetAllocator(properties), + rdnType); + CFStringRef localizedLabel = copyOidDescription(CFGetAllocator(properties), + rdnType, localized); + appendDERThingProperty(properties, label, localizedLabel, + rdnValue, localized); CFReleaseSafe(label); CFReleaseSafe(localizedLabel); return errSecSuccess; } static CFArrayRef createPropertiesForRDNContent(CFAllocatorRef allocator, - const DERItem *rdnSetContent) { + const DERItem *rdnSetContent, bool localized) { CFMutableArrayRef properties = CFArrayCreateMutable(allocator, 0, &kCFTypeArrayCallBacks); OSStatus status = parseRDNContent(rdnSetContent, properties, - appendRDNProperty); + appendRDNProperty, localized); if (status) { CFArrayRemoveAllValues(properties); - appendInvalidProperty(properties, SEC_RDN_KEY, rdnSetContent); + appendInvalidProperty(properties, SEC_RDN_KEY, rdnSetContent, + localized); } return properties; 
@@ -2831,68 +2880,75 @@ static CFArrayRef createPropertiesForRDNContent(CFAllocatorRef allocator, */ static CFArrayRef createPropertiesForX501NameContent(CFAllocatorRef allocator, - const DERItem *x501NameContent) { + const DERItem *x501NameContent, bool localized) { CFMutableArrayRef properties = CFArrayCreateMutable(allocator, 0, &kCFTypeArrayCallBacks); OSStatus status = parseX501NameContent(x501NameContent, properties, - appendRDNProperty); + appendRDNProperty, localized); if (status) { CFArrayRemoveAllValues(properties); - appendInvalidProperty(properties, SEC_X501_NAME_KEY, x501NameContent); + appendInvalidProperty(properties, SEC_X501_NAME_KEY, + x501NameContent, localized); } return properties; } static CFArrayRef createPropertiesForX501Name(CFAllocatorRef allocator, - const DERItem *x501Name) { + const DERItem *x501Name, bool localized) { CFMutableArrayRef properties = CFArrayCreateMutable(allocator, 0, &kCFTypeArrayCallBacks); - OSStatus status = parseX501Name(x501Name, properties, appendRDNProperty); + OSStatus status = parseX501Name(x501Name, properties, appendRDNProperty, localized); if (status) { CFArrayRemoveAllValues(properties); - appendInvalidProperty(properties, SEC_X501_NAME_KEY, x501Name); + appendInvalidProperty(properties, SEC_X501_NAME_KEY, + x501Name, localized); } return properties; } static void appendIntegerProperty(CFMutableArrayRef properties, - CFStringRef label, const DERItem *integer) { + CFStringRef label, const DERItem *integer, bool localized) { CFStringRef string = copyIntegerContentDescription( CFGetAllocator(properties), integer); - appendProperty(properties, kSecPropertyTypeString, label, NULL, string); + appendProperty(properties, kSecPropertyTypeString, label, NULL, + string, localized); CFRelease(string); } static void appendBoolProperty(CFMutableArrayRef properties, - CFStringRef label, bool boolean) { - CFStringRef value = SecCopyCertString(boolean ? 
SEC_YES_KEY : SEC_NO_KEY); - appendProperty(properties, kSecPropertyTypeString, label, NULL, value); + CFStringRef label, bool boolean, bool localized) { + CFStringRef key = (boolean) ? SEC_YES_KEY : SEC_NO_KEY; + CFStringRef value = (localized) ? SecCopyCertString(key) : key; + appendProperty(properties, kSecPropertyTypeString, label, NULL, + value, localized); CFRelease(value); } static void appendBooleanProperty(CFMutableArrayRef properties, - CFStringRef label, const DERItem *boolean, bool defaultValue) { + CFStringRef label, const DERItem *boolean, + bool defaultValue, bool localized) { bool result; DERReturn drtn = DERParseBooleanWithDefault(boolean, defaultValue, &result); if (drtn) { /* Couldn't parse boolean; dump the raw unparsed data as hex. */ - appendInvalidProperty(properties, label, boolean); + appendInvalidProperty(properties, label, boolean, localized); } else { - appendBoolProperty(properties, label, result); + appendBoolProperty(properties, label, result, localized); } } static void appendSerialNumberProperty(CFMutableArrayRef parent, CFStringRef label, - DERItem *serialNum) { + DERItem *serialNum, bool localized) { CFAllocatorRef allocator = CFGetAllocator(parent); CFMutableArrayRef properties = CFArrayCreateMutable(allocator, 0, &kCFTypeArrayCallBacks); if (serialNum->length) { appendIntegerProperty(properties, SEC_SERIAL_NUMBER_KEY, - serialNum); - appendProperty(parent, kSecPropertyTypeSection, label, NULL, properties); + serialNum, localized); + appendProperty(parent, kSecPropertyTypeSection, label, NULL, + properties, localized); } CFReleaseNull(properties); 
@@ -2900,7 +2956,8 @@ static void appendSerialNumberProperty(CFMutableArrayRef parent, CFStringRef lab static void appendBitStringContentNames(CFMutableArrayRef properties, CFStringRef label, const DERItem *bitStringContent, - const CFStringRef *names, CFIndex namesCount) { + const CFStringRef *names, CFIndex namesCount, + bool localized) { DERSize len = bitStringContent->length - 1; require_quiet(len == 1 || len == 2, badDER); DERByte numUnusedBits = bitStringContent->data[0]; @@ -2916,7 +2973,8 @@ static void appendBitStringContentNames(CFMutableArrayRef properties, mask = 0x80; } uint_fast16_t ix; - CFStringRef fmt = SecCopyCertString(SEC_STRING_LIST_KEY); + CFStringRef fmt = (localized) ? + SecCopyCertString(SEC_STRING_LIST_KEY) : SEC_STRING_LIST_KEY; CFStringRef string = NULL; for (ix = 0; ix < bits; ++ix) { if (value & mask) { 
@@ -2935,29 +2993,30 @@ static void appendBitStringContentNames(CFMutableArrayRef properties, } CFRelease(fmt); appendProperty(properties, kSecPropertyTypeString, label, NULL, - string ? string : CFSTR("")); + string ? string : CFSTR(""), localized); CFReleaseSafe(string); return; badDER: - appendInvalidProperty(properties, label, bitStringContent); + appendInvalidProperty(properties, label, bitStringContent, localized); } static void appendBitStringNames(CFMutableArrayRef properties, CFStringRef label, const DERItem *bitString, - const CFStringRef *names, CFIndex namesCount) { + const CFStringRef *names, CFIndex namesCount, + bool localized) { DERDecodedInfo bitStringContent; DERReturn drtn = DERDecodeItem(bitString, &bitStringContent); require_noerr_quiet(drtn, badDER); require_quiet(bitStringContent.tag == ASN1_BIT_STRING, badDER); appendBitStringContentNames(properties, label, &bitStringContent.content, - names, namesCount); + names, namesCount, localized); return; badDER: - appendInvalidProperty(properties, label, bitString); + appendInvalidProperty(properties, label, bitString, localized); } static void appendKeyUsage(CFMutableArrayRef properties, - const DERItem *extnValue) { + const DERItem *extnValue, bool localized) { static const CFStringRef usageNames[] = { SEC_DIGITAL_SIGNATURE_KEY, SEC_NON_REPUDIATION_KEY, 
@@ -2970,40 +3029,42 @@ static void appendKeyUsage(CFMutableArrayRef properties, SEC_DECIPHER_ONLY_KEY }; appendBitStringNames(properties, SEC_USAGE_KEY, extnValue, - usageNames, array_size(usageNames)); + usageNames, array_size(usageNames), localized); } static void appendPrivateKeyUsagePeriod(CFMutableArrayRef properties, - const DERItem *extnValue) { + const DERItem *extnValue, bool localized) { DERPrivateKeyUsagePeriod pkup; - DERReturn drtn = DERParseSequence(extnValue, + DERReturn drtn = DERParseSequence(extnValue, DERNumPrivateKeyUsagePeriodItemSpecs, DERPrivateKeyUsagePeriodItemSpecs, &pkup, sizeof(pkup)); - require_noerr_quiet(drtn, badDER); + require_noerr_quiet(drtn, badDER); if (pkup.notBefore.length) { appendDateContentProperty(properties, SEC_NOT_VALID_BEFORE_KEY, - ASN1_GENERALIZED_TIME, &pkup.notBefore); + ASN1_GENERALIZED_TIME, &pkup.notBefore, localized); } if (pkup.notAfter.length) { appendDateContentProperty(properties, SEC_NOT_VALID_AFTER_KEY, - ASN1_GENERALIZED_TIME, &pkup.notAfter); + ASN1_GENERALIZED_TIME, &pkup.notAfter, localized); } return; badDER: - appendInvalidProperty(properties, SEC_PRIVATE_KU_PERIOD_KEY, extnValue); + appendInvalidProperty(properties, SEC_PRIVATE_KU_PERIOD_KEY, + extnValue, localized); } static void appendStringContentProperty(CFMutableArrayRef properties, - CFStringRef label, const DERItem *stringContent, - CFStringEncoding encoding) { + CFStringRef label, const DERItem *stringContent, + CFStringEncoding encoding, bool localized) { CFStringRef string = CFStringCreateWithBytes(CFGetAllocator(properties), - stringContent->data, stringContent->length, encoding, FALSE); + stringContent->data, stringContent->length, encoding, FALSE); if (string) { - appendProperty(properties, kSecPropertyTypeString, label, NULL, string); + appendProperty(properties, kSecPropertyTypeString, label, NULL, + string, localized); CFRelease(string); - } else { - appendInvalidProperty(properties, label, stringContent); - } + } else { + 
appendInvalidProperty(properties, label, stringContent, localized); + } } /* @@ -3012,7 +3073,7 @@ static void appendStringContentProperty(CFMutableArrayRef properties, value [0] EXPLICIT ANY DEFINED BY type-id } */ static void appendOtherNameContentProperty(CFMutableArrayRef properties, - const DERItem *otherNameContent) { + const DERItem *otherNameContent, bool localized) { DEROtherName on; DERReturn drtn = DERParseSequenceContent(otherNameContent, DERNumOtherNameItemSpecs, DEROtherNameItemSpecs, @@ -3022,20 +3083,23 @@ static void appendOtherNameContentProperty(CFMutableArrayRef properties, CFStringRef label = SecDERItemCopyOIDDecimalRepresentation(allocator, &on.typeIdentifier); CFStringRef localizedLabel = - copyLocalizedOidDescription(allocator, &on.typeIdentifier); - CFStringRef value_string = copyDERThingDescription(allocator, &on.value, false); - if (value_string) + copyOidDescription(allocator, &on.typeIdentifier, localized); + CFStringRef value_string = copyDERThingDescription(allocator, &on.value, + false, localized); + if (value_string) { appendProperty(properties, kSecPropertyTypeString, label, - localizedLabel, value_string); - else - appendUnparsedProperty(properties, label, localizedLabel, &on.value); - + localizedLabel, value_string, localized); + } else { + appendUnparsedProperty(properties, label, localizedLabel, + &on.value, localized); + } CFReleaseSafe(value_string); CFReleaseSafe(label); CFReleaseSafe(localizedLabel); return; badDER: - appendInvalidProperty(properties, SEC_OTHER_NAME_KEY, otherNameContent); + appendInvalidProperty(properties, SEC_OTHER_NAME_KEY, + otherNameContent, localized); } /* 
@@ -3055,54 +3119,55 @@ badDER: partyName [1] DirectoryString } */ static bool appendGeneralNameContentProperty(CFMutableArrayRef properties, - DERTag tag, const DERItem *generalName) { + DERTag tag, const DERItem *generalName, bool localized) { switch (tag) { case ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0: - appendOtherNameContentProperty(properties, generalName); + appendOtherNameContentProperty(properties, generalName, localized); break; case ASN1_CONTEXT_SPECIFIC | 1: /* IA5String. */ appendStringContentProperty(properties, SEC_EMAIL_ADDRESS_KEY, - generalName, kCFStringEncodingASCII); + generalName, kCFStringEncodingASCII, localized); break; case ASN1_CONTEXT_SPECIFIC | 2: /* IA5String. */ appendStringContentProperty(properties, SEC_DNS_NAME_KEY, generalName, - kCFStringEncodingASCII); + kCFStringEncodingASCII, localized); break; case ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 3: appendUnparsedProperty(properties, SEC_X400_ADDRESS_KEY, NULL, - generalName); + generalName, localized); break; case ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 4: { CFArrayRef directory_plist = createPropertiesForX501Name(CFGetAllocator(properties), - generalName); + generalName, localized); appendProperty(properties, kSecPropertyTypeSection, - SEC_DIRECTORY_NAME_KEY, NULL, directory_plist); + SEC_DIRECTORY_NAME_KEY, NULL, directory_plist, localized); CFRelease(directory_plist); break; } case ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 5: appendUnparsedProperty(properties, SEC_EDI_PARTY_NAME_KEY, NULL, - generalName); + generalName, localized); break; case ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 6: /* Technically I don't think this is valid, but there are certs out in the wild that use a constructed IA5String. In particular the VeriSign Time Stamping Authority CA.cer does this. 
*/ - appendURLProperty(properties, SEC_URI_KEY, generalName); + appendURLProperty(properties, SEC_URI_KEY, generalName, localized); break; case ASN1_CONTEXT_SPECIFIC | 6: - appendURLContentProperty(properties, SEC_URI_KEY, generalName); + appendURLContentProperty(properties, SEC_URI_KEY, generalName, localized); break; case ASN1_CONTEXT_SPECIFIC | 7: appendIPAddressContentProperty(properties, SEC_IP_ADDRESS_KEY, - generalName); + generalName, localized); break; case ASN1_CONTEXT_SPECIFIC | 8: - appendOIDProperty(properties, SEC_REGISTERED_ID_KEY, NULL, generalName); + appendOIDProperty(properties, SEC_REGISTERED_ID_KEY, NULL, + generalName, localized); break; default: goto badDER; @@ -3114,15 +3179,16 @@ badDER: } static void appendGeneralNameProperty(CFMutableArrayRef properties, - const DERItem *generalName) { + const DERItem *generalName, bool localized) { DERDecodedInfo generalNameContent; DERReturn drtn = DERDecodeItem(generalName, &generalNameContent); require_noerr_quiet(drtn, badDER); if (appendGeneralNameContentProperty(properties, generalNameContent.tag, - &generalNameContent.content)) + &generalNameContent.content, localized)) return; badDER: - appendInvalidProperty(properties, SEC_GENERAL_NAME_KEY, generalName); + appendInvalidProperty(properties, SEC_GENERAL_NAME_KEY, + generalName, localized); } @@ -3130,7 +3196,7 @@ badDER: GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName */ static void appendGeneralNamesContent(CFMutableArrayRef properties, - const DERItem *generalNamesContent) { + const DERItem *generalNamesContent, bool localized) { DERSequence gnSeq; DERReturn drtn = DERDecodeSeqContentInit(generalNamesContent, &gnSeq); require_noerr_quiet(drtn, badDER); 
@@ -3138,7 +3204,7 @@ static void appendGeneralNamesContent(CFMutableArrayRef properties, while ((drtn = DERDecodeSeqNext(&gnSeq, &generalNameContent)) == DR_Success) { if (!appendGeneralNameContentProperty(properties, - generalNameContent.tag, &generalNameContent.content)) { + generalNameContent.tag, &generalNameContent.content, localized)) { goto badDER; } } @@ -3146,29 +3212,31 @@ static void appendGeneralNamesContent(CFMutableArrayRef properties, return; badDER: appendInvalidProperty(properties, SEC_GENERAL_NAMES_KEY, - generalNamesContent); + generalNamesContent, localized); } static void appendGeneralNames(CFMutableArrayRef properties, - const DERItem *generalNames) { + const DERItem *generalNames, bool localized) { DERDecodedInfo generalNamesContent; DERReturn drtn = DERDecodeItem(generalNames, &generalNamesContent); require_noerr_quiet(drtn, badDER); require_quiet(generalNamesContent.tag == ASN1_CONSTR_SEQUENCE, badDER); - appendGeneralNamesContent(properties, &generalNamesContent.content); + appendGeneralNamesContent(properties, &generalNamesContent.content, + localized); return; badDER: - appendInvalidProperty(properties, SEC_GENERAL_NAMES_KEY, generalNames); + appendInvalidProperty(properties, SEC_GENERAL_NAMES_KEY, + generalNames, localized); } /* -BasicConstraints ::= SEQUENCE { - cA BOOLEAN DEFAULT FALSE, - pathLenConstraint INTEGER (0..MAX) OPTIONAL } + BasicConstraints ::= SEQUENCE { + cA BOOLEAN DEFAULT FALSE, + pathLenConstraint INTEGER (0..MAX) OPTIONAL } */ static void appendBasicConstraints(CFMutableArrayRef properties, - const DERItem *extnValue) { + const DERItem *extnValue, bool localized) { DERBasicConstraints basicConstraints; DERReturn drtn = DERParseSequence(extnValue, DERNumBasicConstraintsItemSpecs, DERBasicConstraintsItemSpecs, 
@@ -3176,15 +3244,16 @@ static void appendBasicConstraints(CFMutableArrayRef properties, require_noerr_quiet(drtn, badDER); appendBooleanProperty(properties, SEC_CERT_AUTHORITY_KEY, - &basicConstraints.cA, false); + &basicConstraints.cA, false, localized); if (basicConstraints.pathLenConstraint.length != 0) { appendIntegerProperty(properties, SEC_PATH_LEN_CONSTRAINT_KEY, - &basicConstraints.pathLenConstraint); + &basicConstraints.pathLenConstraint, localized); } return; badDER: - appendInvalidProperty(properties, SEC_BASIC_CONSTRAINTS_KEY, extnValue); + appendInvalidProperty(properties, SEC_BASIC_CONSTRAINTS_KEY, + extnValue, localized); } /* @@ -3204,7 +3273,7 @@ badDER: * BaseDistance ::= INTEGER (0..MAX) */ static void appendNameConstraints(CFMutableArrayRef properties, - const DERItem *extnValue) { + const DERItem *extnValue, bool localized) { CFAllocatorRef allocator = CFGetAllocator(properties); DERNameConstraints nc; DERReturn drtn; @@ -3226,17 +3295,19 @@ static void appendNameConstraints(CFMutableArrayRef properties, &derGS, sizeof(derGS)); require_noerr_quiet(drtn, badDER); if (derGS.minimum.length) { - appendIntegerProperty(properties, SEC_PERMITTED_MINIMUM_KEY, &derGS.minimum); + appendIntegerProperty(properties, SEC_PERMITTED_MINIMUM_KEY, + &derGS.minimum, localized); } if (derGS.maximum.length) { - appendIntegerProperty(properties, SEC_PERMITTED_MAXIMUM_KEY, &derGS.maximum); + appendIntegerProperty(properties, SEC_PERMITTED_MAXIMUM_KEY, + &derGS.maximum, localized); } if (derGS.generalName.length) { CFMutableArrayRef base = CFArrayCreateMutable(allocator, 0, &kCFTypeArrayCallBacks); appendProperty(properties, kSecPropertyTypeSection, - SEC_PERMITTED_NAME_KEY, NULL, base); - appendGeneralNameProperty(base, &derGS.generalName); + SEC_PERMITTED_NAME_KEY, NULL, base, localized); + appendGeneralNameProperty(base, &derGS.generalName, localized); CFRelease(base); } } 
@@ -3255,17 +3326,19 @@ static void appendNameConstraints(CFMutableArrayRef properties, &derGS, sizeof(derGS)); require_noerr_quiet(drtn, badDER); if (derGS.minimum.length) { - appendIntegerProperty(properties, SEC_EXCLUDED_MINIMUM_KEY, &derGS.minimum); + appendIntegerProperty(properties, SEC_EXCLUDED_MINIMUM_KEY, + &derGS.minimum, localized); } if (derGS.maximum.length) { - appendIntegerProperty(properties, SEC_EXCLUDED_MAXIMUM_KEY, &derGS.maximum); + appendIntegerProperty(properties, SEC_EXCLUDED_MAXIMUM_KEY, + &derGS.maximum, localized); } if (derGS.generalName.length) { CFMutableArrayRef base = CFArrayCreateMutable(allocator, 0, &kCFTypeArrayCallBacks); appendProperty(properties, kSecPropertyTypeSection, - SEC_EXCLUDED_NAME_KEY, NULL, base); - appendGeneralNameProperty(base, &derGS.generalName); + SEC_EXCLUDED_NAME_KEY, NULL, base, localized); + appendGeneralNameProperty(base, &derGS.generalName, localized); CFRelease(base); } } @@ -3274,7 +3347,8 @@ static void appendNameConstraints(CFMutableArrayRef properties, return; badDER: - appendInvalidProperty(properties, SEC_NAME_CONSTRAINTS_KEY, extnValue); + appendInvalidProperty(properties, SEC_NAME_CONSTRAINTS_KEY, + extnValue, localized); } /* @@ -3301,7 +3375,7 @@ badDER: aACompromise (8) } */ static void appendCrlDistributionPoints(CFMutableArrayRef properties, - const DERItem *extnValue) { + const DERItem *extnValue, bool localized) { CFAllocatorRef allocator = CFGetAllocator(properties); DERTag tag; DERSequence dpSeq; 
@@ -3325,13 +3399,13 @@ static void appendCrlDistributionPoints(CFMutableArrayRef properties, (ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 0)) { /* Full Name */ appendGeneralNamesContent(properties, - &distributionPointName.content); + &distributionPointName.content, localized); } else if (distributionPointName.tag == (ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 1)) { CFArrayRef rdn_props = createPropertiesForRDNContent(allocator, - &dp.reasons); + &dp.reasons, localized); appendProperty(properties, kSecPropertyTypeSection, - SEC_NAME_REL_CRL_ISSUER_KEY, NULL, rdn_props); + SEC_NAME_REL_CRL_ISSUER_KEY, NULL, rdn_props, localized); CFRelease(rdn_props); } else { goto badDER; 
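Review bot: In the `nameRelativeToCRLIssuer` branch (tag `ASN1_CONTEXT_SPECIFIC | ASN1_CONSTRUCTED | 1`), createPropertiesForRDNContent is still handed `&dp.reasons`, which looks like the wrong item. The sibling branch decodes `&distributionPointName.content`, so the RDN branch presumably should read `createPropertiesForRDNContent(allocator, &distributionPointName.content, localized);`. As written, the reason-flags bit string from a certificate would be parsed as a relative distinguished name. `rdn_props` is also passed to `CFRelease` without a NULL check, and whether createPropertiesForRDNContent can return NULL on malformed input is not visible here. The function body starts and ends outside this hunk.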
@@ -3351,33 +3425,38 @@ static void appendCrlDistributionPoints(CFMutableArrayRef properties, }; appendBitStringContentNames(properties, SEC_REASONS_KEY, &dp.reasons, - reasonNames, array_size(reasonNames)); + reasonNames, array_size(reasonNames), localized); } if (dp.cRLIssuer.length) { CFMutableArrayRef crlIssuer = CFArrayCreateMutable(allocator, 0, &kCFTypeArrayCallBacks); appendProperty(properties, kSecPropertyTypeSection, - SEC_CRL_ISSUER_KEY, NULL, crlIssuer); + SEC_CRL_ISSUER_KEY, NULL, crlIssuer, localized); CFRelease(crlIssuer); - appendGeneralNames(crlIssuer, &dp.cRLIssuer); + appendGeneralNames(crlIssuer, &dp.cRLIssuer, localized); } } require_quiet(drtn == DR_EndOfSequence, badDER); return; badDER: - appendInvalidProperty(properties, SEC_CRL_DISTR_POINTS_KEY, extnValue); + appendInvalidProperty(properties, SEC_CRL_DISTR_POINTS_KEY, + extnValue, localized); } -/* Decode a sequence of integers into a comma separated list of ints. */ +/* + Decode a sequence of integers into a comma separated list of ints. +*/ static void appendIntegerSequenceContent(CFMutableArrayRef properties, - CFStringRef label, const DERItem *intSequenceContent) { + CFStringRef label, const DERItem *intSequenceContent, + bool localized) { CFAllocatorRef allocator = CFGetAllocator(properties); DERSequence intSeq; CFStringRef fmt = NULL, value = NULL, intDesc = NULL, v = NULL; DERReturn drtn = DERDecodeSeqContentInit(intSequenceContent, &intSeq); require_noerr_quiet(drtn, badDER); DERDecodedInfo intContent; - fmt = SecCopyCertString(SEC_STRING_LIST_KEY); + fmt = (localized) ? + SecCopyCertString(SEC_STRING_LIST_KEY) : SEC_STRING_LIST_KEY; require_quiet(fmt, badDER); while ((drtn = DERDecodeSeqNext(&intSeq, &intContent)) == DR_Success) { require_quiet(intContent.tag == ASN1_INTEGER, badDER); 
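Review bot: In the `dp.cRLIssuer.length` block, `crlIssuer` is released before it is used: `CFRelease(crlIssuer);` runs first and `appendGeneralNames(crlIssuer, &dp.cRLIssuer, localized);` follows. This is only safe if appendProperty retained the array, which this hunk does not show. If appendProperty ever fails to store it, the next call writes into freed memory while handling certificate-supplied data. The name-constraints code releases `base` after the last use, and the same order works here: `appendGeneralNames(crlIssuer, &dp.cRLIssuer, localized);` then `CFRelease(crlIssuer);`.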
@@ -3398,7 +3477,8 @@ static void appendIntegerSequenceContent(CFMutableArrayRef properties, CFReleaseNull(fmt); require_quiet(drtn == DR_EndOfSequence, badDER); if (value) { - appendProperty(properties, kSecPropertyTypeString, label, NULL, value); + appendProperty(properties, kSecPropertyTypeString, label, NULL, + value, localized); CFRelease(value); return; } @@ -3407,11 +3487,11 @@ badDER: CFReleaseNull(fmt); CFReleaseNull(intDesc); CFReleaseNull(value); - appendInvalidProperty(properties, label, intSequenceContent); + appendInvalidProperty(properties, label, intSequenceContent, localized); } static void appendCertificatePolicies(CFMutableArrayRef properties, - const DERItem *extnValue) { + const DERItem *extnValue, bool localized) { CFAllocatorRef allocator = CFGetAllocator(properties); CFStringRef piLabel = NULL, piFmt = NULL, lpiLabel = NULL; CFStringRef pqLabel = NULL, pqFmt = NULL, lpqLabel = NULL; 
@@ -3430,13 +3510,17 @@ static void appendCertificatePolicies(CFMutableArrayRef properties, DERPolicyInformationItemSpecs, &pi, sizeof(pi)); require_noerr_quiet(drtn, badDER); - require_quiet(piLabel = CFStringCreateWithFormat(allocator, NULL, - SEC_POLICY_IDENTIFIER_KEY, pin), badDER); - require_quiet(piFmt = SecCopyCertString(SEC_POLICY_IDENTIFIER_KEY), badDER); - require_quiet(lpiLabel = CFStringCreateWithFormat(allocator, NULL, - piFmt, pin++), badDER); + piLabel = CFStringCreateWithFormat(allocator, NULL, + SEC_POLICY_IDENTIFIER_KEY, pin); + require_quiet(piLabel, badDER); + piFmt = (localized) ? + SecCopyCertString(SEC_POLICY_IDENTIFIER_KEY) : SEC_POLICY_IDENTIFIER_KEY; + require_quiet(piFmt, badDER); + lpiLabel = CFStringCreateWithFormat(allocator, NULL, piFmt, pin++); + require_quiet(lpiLabel, badDER); CFReleaseNull(piFmt); - appendOIDProperty(properties, piLabel, lpiLabel, &pi.policyIdentifier); + appendOIDProperty(properties, piLabel, lpiLabel, + &pi.policyIdentifier, localized); CFReleaseNull(piLabel); CFReleaseNull(lpiLabel); if (pi.policyQualifiers.length == 0) 
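Review bot: When `localized` is false, `piFmt` holds the unowned key constant, yet `CFReleaseNull(piFmt)` still runs on both the success path and at `badDER`. This is balanced only if `SEC_POLICY_IDENTIFIER_KEY` expands to an immortal constant string, and its definition is not visible in this diff. Retaining in the non-localized arm keeps ownership explicit: `piFmt = (localized) ? SecCopyCertString(SEC_POLICY_IDENTIFIER_KEY) : CFRetain(SEC_POLICY_IDENTIFIER_KEY);`. The same pattern appears for `fmt` in appendIntegerSequenceContent, for `pqFmt` in the next hunk, and for `fmt` in obtainSummaryFromX501Name. The last of these releases with plain `CFRelease(fmt)` and has no NULL check before the format call.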
@@ -3457,20 +3541,23 @@ static void appendCertificatePolicies(CFMutableArrayRef properties, DERDecodedInfo qualifierContent; drtn = DERDecodeItem(&pqi.qualifier, &qualifierContent); require_noerr_quiet(drtn, badDER); - require_quiet(pqLabel = CFStringCreateWithFormat(allocator, NULL, - SEC_POLICY_QUALIFIER_KEY, pqn), badDER); - require_quiet(pqFmt = SecCopyCertString(SEC_POLICY_QUALIFIER_KEY), badDER); - require_quiet(lpqLabel = CFStringCreateWithFormat(allocator, NULL, - pqFmt, pqn++), badDER); + pqLabel = CFStringCreateWithFormat(allocator, NULL, + SEC_POLICY_QUALIFIER_KEY, pqn); + require_quiet(pqLabel, badDER); + pqFmt = (localized) ? + SecCopyCertString(SEC_POLICY_QUALIFIER_KEY) : SEC_POLICY_QUALIFIER_KEY; + require_quiet(pqFmt, badDER); + lpqLabel = CFStringCreateWithFormat(allocator, NULL, pqFmt, pqn++); + require_quiet(lpqLabel, badDER); CFReleaseNull(pqFmt); appendOIDProperty(properties, pqLabel, lpqLabel, - &pqi.policyQualifierID); + &pqi.policyQualifierID, localized); CFReleaseNull(pqLabel); CFReleaseNull(lpqLabel); if (DEROidCompare(&oidQtCps, &pqi.policyQualifierID)) { require_quiet(qualifierContent.tag == ASN1_IA5_STRING, badDER); appendURLContentProperty(properties, SEC_CPS_URI_KEY, - &qualifierContent.content); + &qualifierContent.content, localized); } else if (DEROidCompare(&oidQtUNotice, &pqi.policyQualifierID)) { require_quiet(qualifierContent.tag == ASN1_CONSTR_SEQUENCE, badDER); DERUserNotice un; 
@@ -3488,17 +3575,17 @@ static void appendCertificatePolicies(CFMutableArrayRef properties, require_noerr_quiet(drtn, badDER); appendDERThingProperty(properties, SEC_ORGANIZATION_KEY, NULL, - &nr.organization); + &nr.organization, localized); appendIntegerSequenceContent(properties, - SEC_NOTICE_NUMBERS_KEY, &nr.noticeNumbers); + SEC_NOTICE_NUMBERS_KEY, &nr.noticeNumbers, localized); } if (un.explicitText.length) { appendDERThingProperty(properties, SEC_EXPLICIT_TEXT_KEY, - NULL, &un.explicitText); + NULL, &un.explicitText, localized); } } else { appendUnparsedProperty(properties, SEC_QUALIFIER_KEY, NULL, - &pqi.qualifier); + &pqi.qualifier, localized); } } require_quiet(drtn == DR_EndOfSequence, badDER); @@ -3512,23 +3599,24 @@ badDER: CFReleaseNull(pqFmt); CFReleaseNull(pqLabel); CFReleaseNull(lpqLabel); - appendInvalidProperty(properties, SEC_CERT_POLICIES_KEY, extnValue); + appendInvalidProperty(properties, SEC_CERT_POLICIES_KEY, + extnValue, localized); } static void appendSubjectKeyIdentifier(CFMutableArrayRef properties, - const DERItem *extnValue) { + const DERItem *extnValue, bool localized) { DERReturn drtn; DERDecodedInfo keyIdentifier; drtn = DERDecodeItem(extnValue, &keyIdentifier); require_noerr_quiet(drtn, badDER); require_quiet(keyIdentifier.tag == ASN1_OCTET_STRING, badDER); appendDataProperty(properties, SEC_KEY_IDENTIFIER_KEY, NULL, - &keyIdentifier.content); + &keyIdentifier.content, localized); return; badDER: appendInvalidProperty(properties, SEC_SUBJ_KEY_ID_KEY, - extnValue); + extnValue, localized); } /* @@ -3542,7 +3630,7 @@ AuthorityKeyIdentifier ::= SEQUENCE { KeyIdentifier ::= OCTET STRING */ static void appendAuthorityKeyIdentifier(CFMutableArrayRef properties, - const DERItem *extnValue) { + const DERItem *extnValue, bool localized) { DERAuthorityKeyIdentifier akid; DERReturn drtn; drtn = DERParseSequence(extnValue, 
@@ -3552,7 +3640,7 @@ static void appendAuthorityKeyIdentifier(CFMutableArrayRef properties, require_noerr_quiet(drtn, badDER); if (akid.keyIdentifier.length) { appendDataProperty(properties, SEC_KEY_IDENTIFIER_KEY, NULL, - &akid.keyIdentifier); + &akid.keyIdentifier, localized); } if (akid.authorityCertIssuer.length || akid.authorityCertSerialNumber.length) { @@ -3560,14 +3648,15 @@ static void appendAuthorityKeyIdentifier(CFMutableArrayRef properties, akid.authorityCertSerialNumber.length, badDER); /* Perhaps put in a subsection called Authority Certificate Issuer. */ appendGeneralNamesContent(properties, - &akid.authorityCertIssuer); + &akid.authorityCertIssuer, localized); appendIntegerProperty(properties, SEC_AUTH_CERT_SERIAL_KEY, - &akid.authorityCertSerialNumber); + &akid.authorityCertSerialNumber, localized); } return; badDER: - appendInvalidProperty(properties, SEC_AUTHORITY_KEY_ID_KEY, extnValue); + appendInvalidProperty(properties, SEC_AUTHORITY_KEY_ID_KEY, + extnValue, localized); } /* @@ -3578,7 +3667,7 @@ badDER: SkipCerts ::= INTEGER (0..MAX) */ static void appendPolicyConstraints(CFMutableArrayRef properties, - const DERItem *extnValue) { + const DERItem *extnValue, bool localized) { DERPolicyConstraints pc; DERReturn drtn; drtn = DERParseSequence(extnValue, @@ -3588,17 +3677,18 @@ static void appendPolicyConstraints(CFMutableArrayRef properties, require_noerr_quiet(drtn, badDER); if (pc.requireExplicitPolicy.length) { appendIntegerProperty(properties, SEC_REQUIRE_EXPL_POLICY_KEY, - &pc.requireExplicitPolicy); + &pc.requireExplicitPolicy, localized); } if (pc.inhibitPolicyMapping.length) { appendIntegerProperty(properties, SEC_INHIBIT_POLICY_MAP_KEY, - &pc.inhibitPolicyMapping); + &pc.inhibitPolicyMapping, localized); } return; badDER: - appendInvalidProperty(properties, SEC_POLICY_CONSTRAINTS_KEY, extnValue); + appendInvalidProperty(properties, SEC_POLICY_CONSTRAINTS_KEY, + extnValue, localized); } /* 
@@ -3609,7 +3699,7 @@ extendedKeyUsage EXTENSION ::= { KeyPurposeId ::= OBJECT IDENTIFIER */ static void appendExtendedKeyUsage(CFMutableArrayRef properties, - const DERItem *extnValue) { + const DERItem *extnValue, bool localized) { DERTag tag; DERSequence derSeq; DERReturn drtn = DERDecodeSeqInit(extnValue, &tag, &derSeq); @@ -3619,12 +3709,13 @@ static void appendExtendedKeyUsage(CFMutableArrayRef properties, while ((drtn = DERDecodeSeqNext(&derSeq, &currDecoded)) == DR_Success) { require_quiet(currDecoded.tag == ASN1_OBJECT_ID, badDER); appendOIDProperty(properties, SEC_PURPOSE_KEY, NULL, - &currDecoded.content); + &currDecoded.content, localized); } require_quiet(drtn == DR_EndOfSequence, badDER); return; badDER: - appendInvalidProperty(properties, SEC_EXTENDED_KEY_USAGE_KEY, extnValue); + appendInvalidProperty(properties, SEC_EXTENDED_KEY_USAGE_KEY, + extnValue, localized); } /* @@ -3644,7 +3735,7 @@ badDER: id-ad-ocsp OBJECT IDENTIFIER ::= { id-ad 1 } */ static void appendInfoAccess(CFMutableArrayRef properties, - const DERItem *extnValue) { + const DERItem *extnValue, bool localized) { DERTag tag; DERSequence adSeq; DERReturn drtn = DERDecodeSeqInit(extnValue, &tag, &adSeq); 
@@ -3660,18 +3751,19 @@ static void appendInfoAccess(CFMutableArrayRef properties, &ad, sizeof(ad)); require_noerr_quiet(drtn, badDER); appendOIDProperty(properties, SEC_ACCESS_METHOD_KEY, NULL, - &ad.accessMethod); + &ad.accessMethod, localized); //TODO: Do something with SEC_ACCESS_LOCATION_KEY - appendGeneralNameProperty(properties, &ad.accessLocation); + appendGeneralNameProperty(properties, &ad.accessLocation, localized); } require_quiet(drtn == DR_EndOfSequence, badDER); return; badDER: - appendInvalidProperty(properties, SEC_AUTH_INFO_ACCESS_KEY, extnValue); + appendInvalidProperty(properties, SEC_AUTH_INFO_ACCESS_KEY, + extnValue, localized); } static void appendNetscapeCertType(CFMutableArrayRef properties, - const DERItem *extnValue) { + const DERItem *extnValue, bool localized) { static const CFStringRef certTypes[] = { SEC_SSL_CLIENT_KEY, SEC_SSL_SERVER_KEY, @@ -3683,11 +3775,11 @@ static void appendNetscapeCertType(CFMutableArrayRef properties, SEC_OBJECT_SIGNING_CA_KEY }; appendBitStringNames(properties, SEC_USAGE_KEY, extnValue, - certTypes, array_size(certTypes)); + certTypes, array_size(certTypes), localized); } static bool appendPrintableDERSequence(CFMutableArrayRef properties, - CFStringRef label, const DERItem *sequence) { + CFStringRef label, const DERItem *sequence, bool localized) { DERTag tag; DERSequence derSeq; DERReturn drtn = DERDecodeSeqInit(sequence, &tag, &derSeq); @@ -3717,11 +3809,11 @@ static bool appendPrintableDERSequence(CFMutableArrayRef properties, { CFStringRef string = copyDERThingContentDescription(CFGetAllocator(properties), - currDecoded.tag, &currDecoded.content, false); + currDecoded.tag, &currDecoded.content, false, localized); require_quiet(string, badSequence); appendProperty(properties, kSecPropertyTypeString, label, NULL, - string); + string, localized); CFReleaseNull(string); appendedSomething = true; break; 
@@ -3737,7 +3829,8 @@ badSequence: } static void appendExtension(CFMutableArrayRef parent, - const SecCertificateExtension *extn) { + const SecCertificateExtension *extn, + bool localized) { CFAllocatorRef allocator = CFGetAllocator(parent); CFMutableArrayRef properties = CFArrayCreateMutable(allocator, 0, &kCFTypeArrayCallBacks); @@ -3747,7 +3840,7 @@ static void appendExtension(CFMutableArrayRef parent, CFStringRef label = NULL; CFStringRef localizedLabel = NULL; - appendBoolProperty(properties, SEC_CRITICAL_KEY, extn->critical); + appendBoolProperty(properties, SEC_CRITICAL_KEY, extn->critical, localized); require_quiet(extnID, xit); bool handled = true; 
@@ -3757,41 +3850,41 @@ static void appendExtension(CFMutableArrayRef parent, { switch (extnID->data[extnID->length - 1]) { case 14: /* SubjectKeyIdentifier id-ce 14 */ - appendSubjectKeyIdentifier(properties, extnValue); + appendSubjectKeyIdentifier(properties, extnValue, localized); break; case 15: /* KeyUsage id-ce 15 */ - appendKeyUsage(properties, extnValue); + appendKeyUsage(properties, extnValue, localized); break; case 16: /* PrivateKeyUsagePeriod id-ce 16 */ - appendPrivateKeyUsagePeriod(properties, extnValue); + appendPrivateKeyUsagePeriod(properties, extnValue, localized); break; case 17: /* SubjectAltName id-ce 17 */ case 18: /* IssuerAltName id-ce 18 */ - appendGeneralNames(properties, extnValue); + appendGeneralNames(properties, extnValue, localized); break; case 19: /* BasicConstraints id-ce 19 */ - appendBasicConstraints(properties, extnValue); + appendBasicConstraints(properties, extnValue, localized); break; case 30: /* NameConstraints id-ce 30 */ - appendNameConstraints(properties, extnValue); + appendNameConstraints(properties, extnValue, localized); break; case 31: /* CRLDistributionPoints id-ce 31 */ - appendCrlDistributionPoints(properties, extnValue); + appendCrlDistributionPoints(properties, extnValue, localized); break; case 32: /* CertificatePolicies id-ce 32 */ - appendCertificatePolicies(properties, extnValue); + appendCertificatePolicies(properties, extnValue, localized); break; case 33: /* PolicyMappings id-ce 33 */ handled = false; break; case 35: /* AuthorityKeyIdentifier id-ce 35 */ - appendAuthorityKeyIdentifier(properties, extnValue); + appendAuthorityKeyIdentifier(properties, extnValue, localized); break; case 36: /* PolicyConstraints id-ce 36 */ - appendPolicyConstraints(properties, extnValue); + appendPolicyConstraints(properties, extnValue, localized); break; case 37: /* ExtKeyUsage id-ce 37 */ - appendExtendedKeyUsage(properties, extnValue); + appendExtendedKeyUsage(properties, extnValue, localized); break; case 46: /* 
FreshestCRL id-ce 46 */ handled = false; @@ -3808,13 +3901,13 @@ static void appendExtension(CFMutableArrayRef parent, { switch (extnID->data[extnID->length - 1]) { case 1: /* AuthorityInfoAccess id-pe 1 */ - appendInfoAccess(properties, extnValue); + appendInfoAccess(properties, extnValue, localized); break; case 3: /* QCStatements id-pe 3 */ handled = false; break; case 11: /* SubjectInfoAccess id-pe 11 */ - appendInfoAccess(properties, extnValue); + appendInfoAccess(properties, extnValue, localized); break; default: handled = false; @@ -3822,24 +3915,24 @@ static void appendExtension(CFMutableArrayRef parent, } } else if (DEROidCompare(extnID, &oidNetscapeCertType)) { /* 2.16.840.1.113730.1.1 netscape 1 1 */ - appendNetscapeCertType(properties, extnValue); + appendNetscapeCertType(properties, extnValue, localized); } else { handled = false; } if (!handled) { /* Try to parse and display printable string(s). */ - if (appendPrintableDERSequence(properties, SEC_DATA_KEY, extnValue)) { + if (appendPrintableDERSequence(properties, SEC_DATA_KEY, extnValue, localized)) { /* Nothing to do here appendPrintableDERSequence did the work. */ } else { /* Couldn't parse extension; dump the raw unparsed data as hex. */ - appendUnparsedProperty(properties, SEC_DATA_KEY, NULL, extnValue); + appendUnparsedProperty(properties, SEC_DATA_KEY, NULL, extnValue, localized); } } label = SecDERItemCopyOIDDecimalRepresentation(allocator, extnID); - localizedLabel = copyLocalizedOidDescription(allocator, extnID); - appendProperty(parent, kSecPropertyTypeSection, label, localizedLabel, properties); - + localizedLabel = copyOidDescription(allocator, extnID, localized); + appendProperty(parent, kSecPropertyTypeSection, label, localizedLabel, + properties, localized); xit: CFReleaseSafe(localizedLabel); CFReleaseSafe(label); 
@@ -3862,7 +3955,8 @@ struct Summary { }; static OSStatus obtainSummaryFromX501Name(void *context, - const DERItem *type, const DERItem *value, CFIndex rdnIX) { + const DERItem *type, const DERItem *value, CFIndex rdnIX, + bool localized) { struct Summary *summary = (struct Summary *)context; enum SummaryType stype = kSummaryTypeNone; CFStringRef string = NULL; @@ -3873,11 +3967,14 @@ static OSStatus obtainSummaryFromX501Name(void *context, } else if (DEROidCompare(type, &oidOrganizationName)) { stype = kSummaryTypeOrganizationName; } else if (DEROidCompare(type, &oidDescription)) { - string = copyDERThingDescription(kCFAllocatorDefault, value, true); + string = copyDERThingDescription(kCFAllocatorDefault, value, + true, localized); if (string) { if (summary->description) { - CFStringRef fmt = SecCopyCertString(SEC_STRING_LIST_KEY); - CFStringRef newDescription = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, fmt, string, summary->description); + CFStringRef fmt = (localized) ? + SecCopyCertString(SEC_STRING_LIST_KEY) : SEC_STRING_LIST_KEY; + CFStringRef newDescription = CFStringCreateWithFormat(kCFAllocatorDefault, + NULL, fmt, string, summary->description); CFRelease(fmt); CFRelease(summary->description); summary->description = newDescription; 
@@ -3895,13 +3992,16 @@ static OSStatus obtainSummaryFromX501Name(void *context, component type in reverse order encountered comma separated list, The order of desirability is defined by enum SummaryType. */ if (summary->type <= stype) { - if (!string) - string = copyDERThingDescription(kCFAllocatorDefault, value, true); - + if (!string) { + string = copyDERThingDescription(kCFAllocatorDefault, value, + true, localized); + } if (string) { if (summary->type == stype) { - CFStringRef fmt = SecCopyCertString(SEC_STRING_LIST_KEY); - CFStringRef newSummary = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, fmt, string, summary->summary); + CFStringRef fmt = (localized) ? + SecCopyCertString(SEC_STRING_LIST_KEY) : SEC_STRING_LIST_KEY; + CFStringRef newSummary = CFStringCreateWithFormat(kCFAllocatorDefault, + NULL, fmt, string, summary->summary); CFRelease(fmt); CFRelease(string); string = newSummary; @@ -3920,7 +4020,10 @@ static OSStatus obtainSummaryFromX501Name(void *context, CFStringRef SecCertificateCopySubjectSummary(SecCertificateRef certificate) { struct Summary summary = {}; - parseX501NameContent(&certificate->_subject, &summary, obtainSummaryFromX501Name); + OSStatus status = parseX501NameContent(&certificate->_subject, &summary, obtainSummaryFromX501Name, true); + if (status != errSecSuccess) { + return NULL; + } /* If we found a description and a common name we change the summary to CommonName (Description). */ if (summary.description) { 
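Review bot: The new early return in SecCertificateCopySubjectSummary discards `summary` without releasing what obtainSummaryFromX501Name may already have stored in it. If parseX501NameContent can fail after the callback has run for earlier RDNs (not visible in this hunk), `summary.summary` and `summary.description` leak on each malformed name. Releasing before the return avoids that: `CFReleaseNull(summary.description); CFReleaseNull(summary.summary); return NULL;`. SecCertificateCopyIssuerSummary in the following hunk has the same early return. Both function bodies continue outside their hunks.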
@@ -3955,7 +4058,10 @@ CFStringRef SecCertificateCopySubjectSummary(SecCertificateRef certificate) { CFStringRef SecCertificateCopyIssuerSummary(SecCertificateRef certificate) { struct Summary summary = {}; - parseX501NameContent(&certificate->_issuer, &summary, obtainSummaryFromX501Name); + OSStatus status = parseX501NameContent(&certificate->_issuer, &summary, obtainSummaryFromX501Name, true); + if (status != errSecSuccess) { + return NULL; + } /* If we found a description and a common name we change the summary to CommonName (Description). */ if (summary.description) { @@ -4027,12 +4133,13 @@ CFMutableArrayRef SecCertificateCopySummaryProperties( CFAllocatorRef allocator = CFGetAllocator(certificate); CFMutableArrayRef summary = CFArrayCreateMutable(allocator, 0, &kCFTypeArrayCallBacks); + bool localized = true; /* First we put the subject summary name. */ CFStringRef ssummary = SecCertificateCopySubjectSummary(certificate); if (ssummary) { appendProperty(summary, kSecPropertyTypeTitle, - NULL, NULL, ssummary); + NULL, NULL, ssummary, localized); CFRelease(ssummary); } @@ -4072,9 +4179,9 @@ CFMutableArrayRef SecCertificateCopySummaryProperties( } } - appendDateProperty(summary, label, when); + appendDateProperty(summary, label, when, localized); CFStringRef lmessage = SecCopyCertString(message); - appendProperty(summary, ptype, NULL, NULL, lmessage); + appendProperty(summary, ptype, NULL, NULL, lmessage, localized); CFRelease(lmessage); return summary; 
@@ -4093,68 +4200,68 @@ CFArrayRef SecCertificateCopyLegacyProperties(SecCertificateRef certificate) { /* Subject Name */ CFArrayRef subject_plist = createPropertiesForX501NameContent(allocator, - &certificate->_subject); + &certificate->_subject, false); appendProperty(properties, kSecPropertyTypeSection, CFSTR("Subject Name"), - NULL, subject_plist); + NULL, subject_plist, false); CFRelease(subject_plist); /* Issuer Name */ CFArrayRef issuer_plist = createPropertiesForX501NameContent(allocator, - &certificate->_issuer); + &certificate->_issuer, false); appendProperty(properties, kSecPropertyTypeSection, CFSTR("Issuer Name"), - NULL, issuer_plist); + NULL, issuer_plist, false); CFRelease(issuer_plist); /* Version */ CFStringRef versionString = CFStringCreateWithFormat(allocator, NULL, CFSTR("%d"), certificate->_version + 1); appendProperty(properties, kSecPropertyTypeString, CFSTR("Version"), - NULL, versionString); + NULL, versionString, false); CFRelease(versionString); /* Serial Number */ if (certificate->_serialNum.length) { appendIntegerProperty(properties, CFSTR("Serial Number"), - &certificate->_serialNum); + &certificate->_serialNum, false); } /* Signature Algorithm */ appendAlgorithmProperty(properties, CFSTR("Signature Algorithm"), - &certificate->_tbsSigAlg); + &certificate->_tbsSigAlg, false); /* Validity dates */ - appendDateProperty(properties, CFSTR("Not Valid Before"), certificate->_notBefore); - appendDateProperty(properties, CFSTR("Not Valid After"), certificate->_notAfter); + appendDateProperty(properties, CFSTR("Not Valid Before"), certificate->_notBefore, false); + appendDateProperty(properties, CFSTR("Not Valid After"), certificate->_notAfter, false); if (certificate->_subjectUniqueID.length) { appendDataProperty(properties, CFSTR("Subject Unique ID"), - NULL, &certificate->_subjectUniqueID); + NULL, &certificate->_subjectUniqueID, false); } if (certificate->_issuerUniqueID.length) { appendDataProperty(properties, CFSTR("Issuer Unique ID"), - 
NULL, &certificate->_issuerUniqueID); + NULL, &certificate->_issuerUniqueID, false); } /* Public Key Algorithm */ appendAlgorithmProperty(properties, CFSTR("Public Key Algorithm"), - &certificate->_algId); + &certificate->_algId, false); /* Public Key Data */ appendDataProperty(properties, CFSTR("Public Key Data"), - NULL, &certificate->_pubKeyDER); + NULL, &certificate->_pubKeyDER, false); /* Signature */ appendDataProperty(properties, CFSTR("Signature"), - NULL, &certificate->_signature); + NULL, &certificate->_signature, false); /* Extensions */ CFIndex ix; for (ix = 0; ix < certificate->_extensionCount; ++ix) { - appendExtension(properties, &certificate->_extensions[ix]); + appendExtension(properties, &certificate->_extensions[ix], false); } /* Fingerprints */ - appendFingerprintsProperty(properties, CFSTR("Fingerprints"), certificate); + appendFingerprintsProperty(properties, CFSTR("Fingerprints"), certificate, false); return properties; } 
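Review bot: SecCertificateCopyLegacyProperties passes `subject_plist` and `issuer_plist` to appendProperty and then to `CFRelease` without a NULL check. SecCertificateCopyProperties in the next hunk guards the same call with `if (subject_plist)` and releases with `CFReleaseNull`, which suggests createPropertiesForX501NameContent can return NULL. `CFRelease(NULL)` traps, so a certificate with an unparsable name could crash this path. Matching the other function would be `if (subject_plist) { appendProperty(properties, kSecPropertyTypeSection, CFSTR("Subject Name"), NULL, subject_plist, false); }` followed by `CFReleaseNull(subject_plist);`, and likewise for the issuer.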
@@ -4165,23 +4272,25 @@ CFArrayRef SecCertificateCopyProperties(SecCertificateRef certificate) { CFMutableArrayRef properties = CFArrayCreateMutable(allocator, 0, &kCFTypeArrayCallBacks); require_quiet(properties, out); - + bool localized = true; /* First we put the Subject Name in the property list. */ CFArrayRef subject_plist = createPropertiesForX501NameContent(allocator, - &certificate->_subject); + &certificate->_subject, + localized); if (subject_plist) { appendProperty(properties, kSecPropertyTypeSection, - SEC_SUBJECT_NAME_KEY, NULL, subject_plist); + SEC_SUBJECT_NAME_KEY, NULL, subject_plist, localized); } CFReleaseNull(subject_plist); /* Next we put the Issuer Name in the property list. */ CFArrayRef issuer_plist = createPropertiesForX501NameContent(allocator, - &certificate->_issuer); + &certificate->_issuer, + localized); if (issuer_plist) { appendProperty(properties, kSecPropertyTypeSection, - SEC_ISSUER_NAME_KEY, NULL, issuer_plist); + SEC_ISSUER_NAME_KEY, NULL, issuer_plist, localized); } CFReleaseNull(issuer_plist); 
@@ -4195,36 +4304,36 @@ CFArrayRef SecCertificateCopyProperties(SecCertificateRef certificate) { CFReleaseNull(fmt); if (versionString) { appendProperty(properties, kSecPropertyTypeString, - SEC_VERSION_KEY, NULL, versionString); + SEC_VERSION_KEY, NULL, versionString, localized); } CFReleaseNull(versionString); /* Serial Number */ - appendSerialNumberProperty(properties, SEC_SERIAL_NUMBER_KEY, &certificate->_serialNum); + appendSerialNumberProperty(properties, SEC_SERIAL_NUMBER_KEY, &certificate->_serialNum, localized); /* Validity dates. */ - appendValidityPeriodProperty(properties, SEC_VALIDITY_PERIOD_KEY, certificate); + appendValidityPeriodProperty(properties, SEC_VALIDITY_PERIOD_KEY, certificate, localized); if (certificate->_subjectUniqueID.length) { appendDataProperty(properties, SEC_SUBJECT_UNIQUE_ID_KEY, NULL, - &certificate->_subjectUniqueID); + &certificate->_subjectUniqueID, localized); } if (certificate->_issuerUniqueID.length) { appendDataProperty(properties, SEC_ISSUER_UNIQUE_ID_KEY, NULL, - &certificate->_issuerUniqueID); + &certificate->_issuerUniqueID, localized); } - appendPublicKeyProperty(properties, SEC_PUBLIC_KEY_KEY, certificate); + appendPublicKeyProperty(properties, SEC_PUBLIC_KEY_KEY, certificate, localized); CFIndex ix; for (ix = 0; ix < certificate->_extensionCount; ++ix) { - appendExtension(properties, &certificate->_extensions[ix]); + appendExtension(properties, &certificate->_extensions[ix], localized); } /* Signature */ - appendSignatureProperty(properties, SEC_SIGNATURE_KEY, certificate); + appendSignatureProperty(properties, SEC_SIGNATURE_KEY, certificate, localized); - appendFingerprintsProperty(properties, SEC_FINGERPRINTS_KEY, certificate); + appendFingerprintsProperty(properties, SEC_FINGERPRINTS_KEY, certificate, localized); certificate->_properties = properties; } 
@@ -4403,11 +4512,12 @@ CFArrayRef SecCertificateCopyIPAddresses(SecCertificateRef certificate) { } static OSStatus appendIPAddressesFromX501Name(void *context, const DERItem *type, - const DERItem *value, CFIndex rdnIX) { + const DERItem *value, CFIndex rdnIX, + bool localized) { CFMutableArrayRef addrs = (CFMutableArrayRef)context; if (DEROidCompare(type, &oidCommonName)) { CFStringRef string = copyDERThingDescription(kCFAllocatorDefault, - value, true); + value, true, localized); if (string) { CFDataRef data = NULL; if (convertIPAddress(string, &data)) { @@ -4426,7 +4536,7 @@ CFArrayRef SecCertificateCopyIPAddressesFromSubject(SecCertificateRef certificat CFMutableArrayRef addrs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); OSStatus status = parseX501NameContent(&certificate->_subject, addrs, - appendIPAddressesFromX501Name); + appendIPAddressesFromX501Name, true); if (status || CFArrayGetCount(addrs) == 0) { CFReleaseNull(addrs); return NULL; @@ -4534,11 +4644,11 @@ notDNS: } static OSStatus appendDNSNamesFromX501Name(void *context, const DERItem *type, - const DERItem *value, CFIndex rdnIX) { + const DERItem *value, CFIndex rdnIX, bool localized) { CFMutableArrayRef dnsNames = (CFMutableArrayRef)context; if (DEROidCompare(type, &oidCommonName)) { CFStringRef string = copyDERThingDescription(kCFAllocatorDefault, - value, true); + value, true, localized); if (string) { if (isDNSName(string)) { /* We found a common name that is formatted like a valid @@ -4557,7 +4667,7 @@ CFArrayRef SecCertificateCopyDNSNamesFromSubject(SecCertificateRef certificate) CFMutableArrayRef dnsNames = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); OSStatus status = parseX501NameContent(&certificate->_subject, dnsNames, - appendDNSNamesFromX501Name); + appendDNSNamesFromX501Name, true); if (status || CFArrayGetCount(dnsNames) == 0) { CFReleaseNull(dnsNames); return NULL; 
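Review bot: The literal `true` passed to parseX501NameContent in SecCertificateCopyIPAddressesFromSubject and SecCertificateCopyDNSNamesFromSubject is undocumented. The later RFC822 and common-name extractors pass it too, and it requests localized output for values that callers may compare against hostnames or addresses. What `localized` changes inside copyDERThingDescription is not visible in this diff. If it can alter the returned string for any value type, these extractors should pass `false` so the result does not depend on the user's locale. If it cannot, a comment at the call sites would record that, e.g. `/* localized only affects labels; name content is returned verbatim */`.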
@@ -4579,18 +4689,32 @@ CFArrayRef SecCertificateCopyDNSNamesFromSubject(SecCertificateRef certificate) return result; } +CFArrayRef SecCertificateCopyDNSNamesFromSAN(SecCertificateRef certificate) { + CFMutableArrayRef dnsNames = CFArrayCreateMutable(kCFAllocatorDefault, + 0, &kCFTypeArrayCallBacks); + OSStatus status = errSecSuccess; + if (certificate->_subjectAltName) { + status = SecCertificateParseGeneralNames(&certificate->_subjectAltName->extnValue, + dnsNames, appendDNSNamesFromGeneralNames); + } + + if (status || CFArrayGetCount(dnsNames) == 0) { + CFReleaseNull(dnsNames); + } + return dnsNames; +} + /* Not everything returned by this function is going to be a proper DNS name, we also return the certificates common name entries from the subject, assuming they look like dns names as specified in RFC 1035. */ CFArrayRef SecCertificateCopyDNSNames(SecCertificateRef certificate) { /* These can exist in the subject alt name or in the subject. */ - CFMutableArrayRef dnsNames = CFArrayCreateMutable(kCFAllocatorDefault, - 0, &kCFTypeArrayCallBacks); - OSStatus status = errSecSuccess; - if (certificate->_subjectAltName) { - status = SecCertificateParseGeneralNames(&certificate->_subjectAltName->extnValue, - dnsNames, appendDNSNamesFromGeneralNames); - } + CFArrayRef sanNames = SecCertificateCopyDNSNamesFromSAN(certificate); + if (sanNames && CFArrayGetCount(sanNames) > 0) { + return sanNames; + } + CFReleaseNull(sanNames); + /* RFC 2818 section 3.1. Server Identity [...] If a subjectAltName extension of type dNSName is present, that MUST 
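Review bot: A subjectAltName that fails to parse now falls through to the subject Common Name, which the removed code did not allow. SecCertificateCopyDNSNamesFromSAN returns NULL both when the extension holds no dNSName entries and when SecCertificateParseGeneralNames returns a non-zero status. SecCertificateCopyDNSNames treats both cases as "consult the subject", and that fallback is in the next hunk. The removed code only did so under `if (!status && CFArrayGetCount(dnsNames) == 0)`, so a certificate with a malformed SAN previously yielded no names. If the stricter behaviour is still wanted, the helper needs to report the parse status separately, for example through an `OSStatus` out-parameter on an internal variant. The caller could then return NULL on error instead of falling back.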
@@ -4604,15 +4728,18 @@ CFArrayRef SecCertificateCopyDNSNames(SecCertificateRef certificate) { subjectAltName, we should not use the Common Name of the subject as a DNSName. */ - if (!status && CFArrayGetCount(dnsNames) == 0) { - status = parseX501NameContent(&certificate->_subject, dnsNames, - appendDNSNamesFromX501Name); - } - if (status || CFArrayGetCount(dnsNames) == 0) { - CFRelease(dnsNames); - dnsNames = NULL; - } - return dnsNames; + + /* To preserve bug for bug compatibility, we can't use SecCertificateCopyDNSNamesFromSubject + * because that function filters out IP Addresses. This function is Private, but + * SecCertificateCopyValues uses it and that's Public. */ + CFMutableArrayRef dnsNames = CFArrayCreateMutable(kCFAllocatorDefault, + 0, &kCFTypeArrayCallBacks); + OSStatus status = parseX501NameContent(&certificate->_subject, dnsNames, + appendDNSNamesFromX501Name, true); + if (status || CFArrayGetCount(dnsNames) == 0) { + CFReleaseNull(dnsNames); + } + return dnsNames; } static OSStatus appendRFC822NamesFromGeneralNames(void *context, @@ -4633,11 +4760,11 @@ static OSStatus appendRFC822NamesFromGeneralNames(void *context, } static OSStatus appendRFC822NamesFromX501Name(void *context, const DERItem *type, - const DERItem *value, CFIndex rdnIX) { + const DERItem *value, CFIndex rdnIX, bool localized) { CFMutableArrayRef dnsNames = (CFMutableArrayRef)context; if (DEROidCompare(type, &oidEmailAddress)) { CFStringRef string = copyDERThingDescription(kCFAllocatorDefault, - value, true); + value, true, localized); if (string) { CFArrayAppendValue(dnsNames, string); CFRelease(string); @@ -4659,7 +4786,7 @@ CFArrayRef SecCertificateCopyRFC822Names(SecCertificateRef certificate) { } if (!status) { status = parseX501NameContent(&certificate->_subject, rfc822Names, - appendRFC822NamesFromX501Name); + appendRFC822NamesFromX501Name, true); } if (status || CFArrayGetCount(rfc822Names) == 0) { CFRelease(rfc822Names); 
@@ -4683,7 +4810,7 @@ CFArrayRef SecCertificateCopyRFC822NamesFromSubject(SecCertificateRef certificat CFMutableArrayRef rfc822Names = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); OSStatus status = parseX501NameContent(&certificate->_subject, rfc822Names, - appendRFC822NamesFromX501Name); + appendRFC822NamesFromX501Name, true); if (status || CFArrayGetCount(rfc822Names) == 0) { CFRelease(rfc822Names); rfc822Names = NULL; @@ -4692,11 +4819,11 @@ CFArrayRef SecCertificateCopyRFC822NamesFromSubject(SecCertificateRef certificat } static OSStatus appendCommonNamesFromX501Name(void *context, - const DERItem *type, const DERItem *value, CFIndex rdnIX) { + const DERItem *type, const DERItem *value, CFIndex rdnIX, bool localized) { CFMutableArrayRef commonNames = (CFMutableArrayRef)context; if (DEROidCompare(type, &oidCommonName)) { CFStringRef string = copyDERThingDescription(kCFAllocatorDefault, - value, true); + value, true, localized); if (string) { CFArrayAppendValue(commonNames, string); CFRelease(string); @@ -4712,7 +4839,7 @@ CFArrayRef SecCertificateCopyCommonNames(SecCertificateRef certificate) { 0, &kCFTypeArrayCallBacks); OSStatus status; status = parseX501NameContent(&certificate->_subject, commonNames, - appendCommonNamesFromX501Name); + appendCommonNamesFromX501Name, true); if (status || CFArrayGetCount(commonNames) == 0) { CFRelease(commonNames); commonNames = NULL; 
@@ -4739,11 +4866,11 @@ OSStatus SecCertificateCopyCommonName(SecCertificateRef certificate, CFStringRef } static OSStatus appendOrganizationFromX501Name(void *context, - const DERItem *type, const DERItem *value, CFIndex rdnIX) { + const DERItem *type, const DERItem *value, CFIndex rdnIX, bool localized) { CFMutableArrayRef organization = (CFMutableArrayRef)context; if (DEROidCompare(type, &oidOrganizationName)) { CFStringRef string = copyDERThingDescription(kCFAllocatorDefault, - value, true); + value, true, localized); if (string) { CFArrayAppendValue(organization, string); CFRelease(string); @@ -4759,7 +4886,7 @@ CFArrayRef SecCertificateCopyOrganization(SecCertificateRef certificate) { 0, &kCFTypeArrayCallBacks); OSStatus status; status = parseX501NameContent(&certificate->_subject, organization, - appendOrganizationFromX501Name); + appendOrganizationFromX501Name, true); if (status || CFArrayGetCount(organization) == 0) { CFRelease(organization); organization = NULL; @@ -4768,11 +4895,11 @@ CFArrayRef SecCertificateCopyOrganization(SecCertificateRef certificate) { } static OSStatus appendOrganizationalUnitFromX501Name(void *context, - const DERItem *type, const DERItem *value, CFIndex rdnIX) { + const DERItem *type, const DERItem *value, CFIndex rdnIX, bool localized) { CFMutableArrayRef organizationalUnit = (CFMutableArrayRef)context; if (DEROidCompare(type, &oidOrganizationalUnitName)) { CFStringRef string = copyDERThingDescription(kCFAllocatorDefault, - value, true); + value, true, localized); if (string) { CFArrayAppendValue(organizationalUnit, string); CFRelease(string); 
@@ -4788,7 +4915,7 @@ CFArrayRef SecCertificateCopyOrganizationalUnit(SecCertificateRef certificate) { 0, &kCFTypeArrayCallBacks); OSStatus status; status = parseX501NameContent(&certificate->_subject, organizationalUnit, - appendOrganizationalUnitFromX501Name); + appendOrganizationalUnitFromX501Name, true); if (status || CFArrayGetCount(organizationalUnit) == 0) { CFRelease(organizationalUnit); organizationalUnit = NULL; @@ -4797,11 +4924,11 @@ CFArrayRef SecCertificateCopyOrganizationalUnit(SecCertificateRef certificate) { } static OSStatus appendCountryFromX501Name(void *context, - const DERItem *type, const DERItem *value, CFIndex rdnIX) { + const DERItem *type, const DERItem *value, CFIndex rdnIX, bool localized) { CFMutableArrayRef countries = (CFMutableArrayRef)context; if (DEROidCompare(type, &oidCountryName)) { CFStringRef string = copyDERThingDescription(kCFAllocatorDefault, - value, true); + value, true, localized); if (string) { CFArrayAppendValue(countries, string); CFRelease(string); @@ -4817,7 +4944,7 @@ CFArrayRef SecCertificateCopyCountry(SecCertificateRef certificate) { 0, &kCFTypeArrayCallBacks); OSStatus status; status = parseX501NameContent(&certificate->_subject, countries, - appendCountryFromX501Name); + appendCountryFromX501Name, true); if (status || CFArrayGetCount(countries) == 0) { CFRelease(countries); countries = NULL; @@ -4887,7 +5014,7 @@ static OSStatus appendNTPrincipalNamesFromGeneralNames(void *context, if (DEROidCompare(&on.typeIdentifier, &oidMSNTPrincipalName)) { CFStringRef string; require_quiet(string = copyDERThingDescription(kCFAllocatorDefault, - &on.value, true), badDER); + &on.value, true, true), badDER); CFArrayAppendValue(ntPrincipalNames, string); CFRelease(string); } 
@@ -4915,7 +5042,7 @@ CFArrayRef SecCertificateCopyNTPrincipalNames(SecCertificateRef certificate) { } static OSStatus appendToRFC2253String(void *context, - const DERItem *type, const DERItem *value, CFIndex rdnIX) { + const DERItem *type, const DERItem *value, CFIndex rdnIX, bool localized) { CFMutableStringRef string = (CFMutableStringRef)context; /* CN commonName @@ -4967,7 +5094,7 @@ static OSStatus appendToRFC2253String(void *context, CFStringAppend(string, CFSTR("=")); CFStringRef raw = NULL; if (!oid) - raw = copyDERThingDescription(kCFAllocatorDefault, value, true); + raw = copyDERThingDescription(kCFAllocatorDefault, value, true, localized); if (raw) { /* Append raw to string while escaping: @@ -5009,7 +5136,7 @@ static OSStatus appendToRFC2253String(void *context, CFStringRef SecCertificateCopySubjectString(SecCertificateRef certificate) { CFMutableStringRef string = CFStringCreateMutable(kCFAllocatorDefault, 0); - OSStatus status = parseX501NameContent(&certificate->_subject, string, appendToRFC2253String); + OSStatus status = parseX501NameContent(&certificate->_subject, string, appendToRFC2253String, true); if (status || CFStringGetLength(string) == 0) { CFRelease(string); string = NULL; @@ -5018,7 +5145,7 @@ CFStringRef SecCertificateCopySubjectString(SecCertificateRef certificate) { } static OSStatus appendToCompanyNameString(void *context, - const DERItem *type, const DERItem *value, CFIndex rdnIX) { + const DERItem *type, const DERItem *value, CFIndex rdnIX, bool localized) { CFMutableStringRef string = (CFMutableStringRef)context; if (CFStringGetLength(string) != 0) return errSecSuccess; @@ -5027,7 +5154,7 @@ static OSStatus appendToCompanyNameString(void *context, return errSecSuccess; CFStringRef raw; - raw = copyDERThingDescription(kCFAllocatorDefault, value, true); + raw = copyDERThingDescription(kCFAllocatorDefault, value, true, localized); if (!raw) return errSecSuccess; CFStringAppend(string, raw); 
@@ -5039,7 +5166,7 @@ static OSStatus appendToCompanyNameString(void *context, CFStringRef SecCertificateCopyCompanyName(SecCertificateRef certificate) { CFMutableStringRef string = CFStringCreateMutable(kCFAllocatorDefault, 0); OSStatus status = parseX501NameContent(&certificate->_subject, string, - appendToCompanyNameString); + appendToCompanyNameString, true); if (status || CFStringGetLength(string) == 0) { CFRelease(string); string = NULL; 
@@ -5256,20 +5383,49 @@ CFDataRef SecCertificateCopyPublicKeySHA1Digest(SecCertificateRef certificate) { certificate->_pubKeyDER.data, certificate->_pubKeyDER.length); } -CFDataRef SecCertificateCopySubjectPublicKeyInfoSHA1Digest(SecCertificateRef certificate) { +static CFDataRef SecCertificateCopySPKIEncoded(SecCertificateRef certificate) { + /* SPKI is saved without the tag/length by libDER, so we need to re-encode */ if (!certificate || !certificate->_subjectPublicKeyInfo.data) { return NULL; } - return SecSHA1DigestCreate(CFGetAllocator(certificate), - certificate->_subjectPublicKeyInfo.data, certificate->_subjectPublicKeyInfo.length); + DERSize size = DERLengthOfItem(ASN1_CONSTR_SEQUENCE, certificate->_subjectPublicKeyInfo.length); + if (size < certificate->_subjectPublicKeyInfo.length) { + return NULL; + } + uint8_t *temp = malloc(size); + if (!temp) { + return NULL; + } + DERReturn drtn = DEREncodeItem(ASN1_CONSTR_SEQUENCE, + certificate->_subjectPublicKeyInfo.length, + certificate->_subjectPublicKeyInfo.data, + temp, &size); + CFDataRef encodedSPKI = NULL; + if (drtn == DR_Success) { + encodedSPKI = CFDataCreate(NULL, temp, size); + } + free(temp); + return encodedSPKI; +} + +CFDataRef SecCertificateCopySubjectPublicKeyInfoSHA1Digest(SecCertificateRef certificate) { + CFDataRef encodedSPKI = SecCertificateCopySPKIEncoded(certificate); + if (!encodedSPKI) { return NULL; } + CFDataRef hash = SecSHA1DigestCreate(CFGetAllocator(certificate), + CFDataGetBytePtr(encodedSPKI), + CFDataGetLength(encodedSPKI)); + CFReleaseNull(encodedSPKI); + return hash; } CFDataRef SecCertificateCopySubjectPublicKeyInfoSHA256Digest(SecCertificateRef certificate) { - if (!certificate || !certificate->_subjectPublicKeyInfo.data) { - return NULL; - } - return SecSHA256DigestCreate(CFGetAllocator(certificate), - certificate->_subjectPublicKeyInfo.data, certificate->_subjectPublicKeyInfo.length); + CFDataRef encodedSPKI = SecCertificateCopySPKIEncoded(certificate); + if (!encodedSPKI) 
{ return NULL; } + CFDataRef hash = SecSHA256DigestCreate(CFGetAllocator(certificate), + CFDataGetBytePtr(encodedSPKI), + CFDataGetLength(encodedSPKI)); + CFReleaseNull(encodedSPKI); + return hash; } CFTypeRef SecCertificateCopyKeychainItem(SecCertificateRef certificate) @@ -5880,6 +6036,42 @@ DERItem *SecCertificateGetExtensionValue(SecCertificateRef certificate, CFTypeRe return NULL; } +CFDataRef SecCertificateCopyExtensionValue(SecCertificateRef certificate, CFTypeRef extensionOID, bool *isCritical) { + if (!certificate || !extensionOID) { + return NULL; + } + + CFDataRef oid = NULL, extensionValue = NULL; + if (CFGetTypeID(extensionOID) == CFDataGetTypeID()) { + oid = CFRetainSafe(extensionOID); + } else if (CFGetTypeID(extensionOID) == CFStringGetTypeID()) { + oid = SecCertificateCreateOidDataFromString(NULL, extensionOID); + } + if (!oid) { + return NULL; + } + + CFIndex ix; + const uint8_t *oid_data = CFDataGetBytePtr(oid); + size_t oid_len = CFDataGetLength(oid); + + for (ix = 0; ix < certificate->_extensionCount; ++ix) { + const SecCertificateExtension *extn = &certificate->_extensions[ix]; + if (extn->extnID.length == oid_len + && !memcmp(extn->extnID.data, oid_data, extn->extnID.length)) + { + if (isCritical) { + *isCritical = extn->critical; + } + extensionValue = CFDataCreate(NULL, extn->extnValue.data, extn->extnValue.length); + break; + } + } + + CFReleaseNull(oid); + return extensionValue; +} + CFDataRef SecCertificateCopyiAPAuthCapabilities(SecCertificateRef certificate) { if (!certificate) { return NULL; 
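Review bot: SecCertificateCopySubjectPublicKeyInfoSHA1Digest and SecCertificateCopySubjectPublicKeyInfoSHA256Digest now return different bytes for the same certificate, and neither function has a comment saying so. They hash the re-encoded SEQUENCE instead of the bare contents, so any digest stored or pinned from the earlier output will no longer compare equal; whether such stored values exist is not visible here. I would add above both functions `/* Digest of the full DER SubjectPublicKeyInfo, SEQUENCE tag and length included. */`. As a style point, SecCertificateCopySPKIEncoded calls `CFDataCreate(NULL, temp, size)` while the digests use `CFGetAllocator(certificate)`; using one allocator throughout would read more consistently.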
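Review bot: SecCertificateCopyExtensionValue writes `*isCritical` only when an extension matches, so on every NULL return the caller's variable keeps whatever it held before the call. A caller that reads the flag without first checking the result could treat a missing extension as critical or non-critical by accident. Adding `if (isCritical) { *isCritical = false; }` right after the NULL-argument check makes the out-parameter defined on all paths. The function would also benefit from a comment stating that the returned CFData is a copy the caller must release and that the first extension with a matching OID is the one returned.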
@@ -5936,8 +6128,14 @@ SeciAuthVersion SecCertificateGetiAuthVersion(SecCertificateRef certificate) { } if (NULL != SecCertificateGetExtensionValue(certificate, CFSTR("1.2.840.113635.100.6.36"))) { + /* v3 Capabilities Extension */ return kSeciAuthVersion3; } + if (NULL != SecCertificateGetExtensionValue(certificate, + CFSTR("1.2.840.113635.100.6.59.1"))) { + /* SW Auth General Capabilities Extension */ + return kSeciAuthVersionSW; + } DERItem serialNumber = certificate->_serialNum; require_quiet(serialNumber.data, out); require_quiet(serialNumber.length == 15, out); diff --git a/OSX/sec/Security/SecCertificateInternal.h b/OSX/sec/Security/SecCertificateInternal.h index 9bb87ba3..96472c93 100644 --- a/OSX/sec/Security/SecCertificateInternal.h +++ b/OSX/sec/Security/SecCertificateInternal.h @@ -28,9 +28,28 @@ #ifndef _SECURITY_SECCERTIFICATEINTERNAL_H_ #define _SECURITY_SECCERTIFICATEINTERNAL_H_ +#include +#include + +#include #include + #include -#include + +// This file can only be included under the ios view of the headers. +// If you're not under that view, we'll forward declare the things you need here. +#if SECURITY_PROJECT_TAPI_HACKS && SEC_OS_OSX +typedef enum { + NO_ENUM_VALUES, +} SecCEGeneralNameType; // The real enum values are already declared. + +typedef struct {} SecCEBasicConstraints; +typedef struct {} SecCEPolicyConstraints; +typedef struct {} SecCEPolicyMapping; +typedef struct {} SecCEPolicyMappings; +typedef struct {} SecCECertificatePolicies; +typedef struct {} SecCEInhibitAnyPolicy; +#endif __BEGIN_DECLS 
@@ -76,11 +95,6 @@ CFDictionaryRef SecCertificateCopyAttributeDictionary( SecCertificateRef SecCertificateCreateFromAttributeDictionary( CFDictionaryRef refAttributes); -/* Return a SecKeyRef for the public key embedded in the cert. */ -#if TARGET_OS_OSX -SecKeyRef SecCertificateCopyPublicKey_ios(SecCertificateRef certificate); -#endif - /* Return the SecCEBasicConstraints extension for this certificate if it has one. */ const SecCEBasicConstraints * @@ -133,14 +147,19 @@ CFArrayRef SecCertificateCopyLegacyProperties(SecCertificateRef certificate); OSStatus SecCertificateIsSignedBy(SecCertificateRef certificate, SecKeyRef issuerKey); +#ifndef SECURITY_PROJECT_TAPI_HACKS void appendProperty(CFMutableArrayRef properties, CFStringRef propertyType, - CFStringRef label, CFStringRef localizedLabel, CFTypeRef value); + CFStringRef label, CFStringRef localizedLabel, CFTypeRef value, bool localized); +#endif /* Utility functions. */ CFStringRef SecDERItemCopyOIDDecimalRepresentation(CFAllocatorRef allocator, const DERItem *oid); + +#ifndef SECURITY_PROJECT_TAPI_HACKS CFDataRef createNormalizedX501Name(CFAllocatorRef allocator, const DERItem *x501name); +#endif /* Decode a choice of UTCTime or GeneralizedTime to a CFAbsoluteTime. Return an absoluteTime if the date was valid and properly decoded. Return @@ -165,6 +184,7 @@ bool SecCertificateIsAtLeastMinKeySize(SecCertificateRef certificate, bool SecCertificateIsStrongKey(SecCertificateRef certificate); extern const CFStringRef kSecSignatureDigestAlgorithmUnknown; +#ifndef SECURITY_PROJECT_TAPI_HACKS extern const CFStringRef kSecSignatureDigestAlgorithmMD2; extern const CFStringRef kSecSignatureDigestAlgorithmMD4; extern const CFStringRef kSecSignatureDigestAlgorithmMD5; 
@@ -173,6 +193,7 @@ extern const CFStringRef kSecSignatureDigestAlgorithmSHA224; extern const CFStringRef kSecSignatureDigestAlgorithmSHA256; extern const CFStringRef kSecSignatureDigestAlgorithmSHA384; extern const CFStringRef kSecSignatureDigestAlgorithmSHA512; +#endif bool SecCertificateIsWeakHash(SecCertificateRef certificate); @@ -185,6 +206,8 @@ CFArrayRef SecCertificateCopyDNSNamesFromSubject(SecCertificateRef certificate); CFArrayRef SecCertificateCopyIPAddressesFromSubject(SecCertificateRef certificate); CFArrayRef SecCertificateCopyRFC822NamesFromSubject(SecCertificateRef certificate); +CFArrayRef SecCertificateCopyDNSNamesFromSAN(SecCertificateRef certificate); + __END_DECLS #endif /* !_SECURITY_SECCERTIFICATEINTERNAL_H_ */ diff --git a/OSX/sec/Security/SecCertificatePath.c b/OSX/sec/Security/SecCertificatePath.c index 373136d2..3ab927f7 100644 --- a/OSX/sec/Security/SecCertificatePath.c +++ b/OSX/sec/Security/SecCertificatePath.c @@ -46,7 +46,7 @@ #include #include #include "SecRSAKey.h" -#include +#include #include #include #include diff --git a/OSX/sec/Security/SecCertificatePath.h b/OSX/sec/Security/SecCertificatePath.h deleted file mode 100644 index efa8eb81..00000000 --- a/OSX/sec/Security/SecCertificatePath.h +++ /dev/null 
@@ -1,80 +0,0 @@ -/* - * Copyright (c) 2007-2009,2012-2017 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -/*! - @header SecCertificatePath - CoreFoundation based certificate path object -*/ - -#ifndef _SECURITY_SECCERTIFICATEPATH_H_ -#define _SECURITY_SECCERTIFICATEPATH_H_ - -#include -#include -#include -#include -#include -#include - -__BEGIN_DECLS - -typedef struct SecCertificatePath *SecCertificatePathRef; - -/* SecCertificatePath API functions. */ -CFTypeID SecCertificatePathGetTypeID(void); - -/* Create a new certificate path from an xpc_array of datas. */ -SecCertificatePathRef SecCertificatePathCreateWithXPCArray(xpc_object_t xpc_path, CFErrorRef *error); - -/* Create a new certificate path from a CFArray of datas. */ -SecCertificatePathRef SecCertificatePathCreateDeserialized(CFArrayRef certificates, CFErrorRef *error); - -/* Create an array of CFDataRefs from a certificate path. */ -xpc_object_t SecCertificatePathCopyXPCArray(SecCertificatePathRef path, CFErrorRef *error); - -/* Create an array of SecCertificateRefs from a certificate path. 
*/ -CFArrayRef SecCertificatePathCopyCertificates(SecCertificatePathRef path, CFErrorRef *error); - -/* Create a new certificate path from an array of SecCertificateRefs. */ -SecCertificatePathRef SecCertificatePathCreateWithCertificates(CFArrayRef certificates, CFErrorRef *error); - -/* Create a serialized Certificate Array from a certificate path. */ -CFArrayRef SecCertificatePathCreateSerialized(SecCertificatePathRef path, CFErrorRef *error); - -CFIndex SecCertificatePathGetCount( - SecCertificatePathRef certificatePath); - -SecCertificateRef SecCertificatePathGetCertificateAtIndex( - SecCertificatePathRef certificatePath, CFIndex ix); - -/* Return the index of certificate in path or kCFNotFound if certificate is - not in path. */ -CFIndex SecCertificatePathGetIndexOfCertificate(SecCertificatePathRef path, - SecCertificateRef certificate); - -SecKeyRef SecCertificatePathCopyPublicKeyAtIndex( - SecCertificatePathRef certificatePath, CFIndex ix); - -__END_DECLS - -#endif /* !_SECURITY_SECCERTIFICATEPATH_H_ */ diff --git a/OSX/sec/Security/SecCertificateRequest.c b/OSX/sec/Security/SecCertificateRequest.c index e24320be..47f853ea 100644 --- a/OSX/sec/Security/SecCertificateRequest.c +++ b/OSX/sec/Security/SecCertificateRequest.c @@ -54,6 +54,7 @@ OSStatus SecCmsArraySortByDER(void **objs, const SecAsn1Template *objtemplate, v #include #include #include +#include #if TARGET_OS_IPHONE #include 
@@ -65,18 +66,47 @@ OSStatus SecCmsArraySortByDER(void **objs, const SecAsn1Template *objtemplate, v #include "SecCertificateRequest.h" -CFTypeRef kSecOidCommonName = CFSTR("CN"); -CFTypeRef kSecOidCountryName = CFSTR("C"); -CFTypeRef kSecOidStateProvinceName = CFSTR("ST"); -CFTypeRef kSecOidLocalityName = CFSTR("L"); -CFTypeRef kSecOidOrganization = CFSTR("O"); -CFTypeRef kSecOidOrganizationalUnit = CFSTR("OU"); +/* Subject Name Attribute OID constants */ +const CFStringRef kSecOidCommonName = CFSTR("CN"); +const CFStringRef kSecOidCountryName = CFSTR("C"); +const CFStringRef kSecOidStateProvinceName = CFSTR("ST"); +const CFStringRef kSecOidLocalityName = CFSTR("L"); +const CFStringRef kSecOidOrganization = CFSTR("O"); +const CFStringRef kSecOidOrganizationalUnit = CFSTR("OU"); //CFTypeRef kSecOidEmailAddress = CFSTR("1.2.840.113549.1.9.1"); // keep natural order: C > ST > L > O > OU > CN > Email +/* Type constants */ const unsigned char SecASN1PrintableString = SEC_ASN1_PRINTABLE_STRING; const unsigned char SecASN1UTF8String = SEC_ASN1_UTF8_STRING; +/* Parameter dictionary keys */ +const CFStringRef kSecCSRChallengePassword = CFSTR("csrChallengePassword"); +const CFStringRef kSecSubjectAltName = CFSTR("subjectAltName"); +const CFStringRef kSecCertificateKeyUsage = CFSTR("keyUsage"); +const CFStringRef kSecCSRBasicContraintsPathLen = CFSTR("basicConstraints"); +const CFStringRef kSecCertificateExtensions = CFSTR("certificateExtensions"); +const CFStringRef kSecCertificateExtensionsEncoded = CFSTR("certificateExtensionsEncoded"); + +/* SubjectAltName dictionary keys */ +const CFStringRef kSecSubjectAltNameDNSName = CFSTR("dNSName"); +const CFStringRef kSecSubjectAltNameEmailAddress = CFSTR("rfc822Name"); +const CFStringRef kSecSubjectAltNameURI = CFSTR("uniformResourceIdentifier"); +const CFStringRef kSecSubjectAltNameNTPrincipalName = CFSTR("ntPrincipalName"); + +/* PKCS9 OIDs */ +static const uint8_t pkcs9ExtensionsRequested[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 
0x0d, 0x01, 0x09, 14 }; +static const uint8_t pkcs9ChallengePassword[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 7 }; + +/* ASN1 BOOLEAN TRUE */ +static const uint8_t encoded_asn1_true = 0xFF; +static const SecAsn1Item asn1_true = +{ sizeof(encoded_asn1_true), (uint8_t*)&encoded_asn1_true }; + +/* ASN1 NULL */ +static const uint8_t encoded_null[2] = { SEC_ASN1_NULL, 0 }; +static const SecAsn1Item asn1_null = { sizeof(encoded_null), (uint8_t*)encoded_null }; + static uint8_t * mod128_oid_encoding_ptr(uint8_t *ptr, uint32_t src, bool final) { if (src > 128) @@ -160,7 +190,7 @@ static inline bool printable_string(CFStringRef string) } static bool make_nss_atv(PRArenaPool *poolp, - const void * oid, const void * value, const unsigned char type_in, NSS_ATV *nss_atv) + CFTypeRef oid, const void * value, const unsigned char type_in, NSS_ATV *nss_atv) { size_t length = 0; char *buffer = NULL; 
@@ -291,13 +321,13 @@ static void make_general_names(const void *key, const void *value, void *context } NSS_GeneralName general_name_item = { { }, -1 }; - if (kCFCompareEqualTo == CFStringCompare(CFSTR("dNSName"), key, kCFCompareCaseInsensitive)) + if (kCFCompareEqualTo == CFStringCompare(kSecSubjectAltNameDNSName, key, kCFCompareCaseInsensitive)) general_name_item.tag = NGT_DNSName; - else if (kCFCompareEqualTo == CFStringCompare(CFSTR("rfc822Name"), key, kCFCompareCaseInsensitive)) + else if (kCFCompareEqualTo == CFStringCompare(kSecSubjectAltNameEmailAddress, key, kCFCompareCaseInsensitive)) general_name_item.tag = NGT_RFC822Name; - else if (kCFCompareEqualTo == CFStringCompare(CFSTR("uniformResourceIdentifier"), key, kCFCompareCaseInsensitive)) + else if (kCFCompareEqualTo == CFStringCompare(kSecSubjectAltNameURI, key, kCFCompareCaseInsensitive)) general_name_item.tag = NGT_URI; - else if (kCFCompareEqualTo == CFStringCompare(CFSTR("ntPrincipalName"), key, kCFCompareCaseInsensitive)) + else if (kCFCompareEqualTo == CFStringCompare(kSecSubjectAltNameNTPrincipalName, key, kCFCompareCaseInsensitive)) { /* NT Principal in SubjectAltName is defined in the context of Smartcards: 
@@ -404,20 +434,6 @@ static SecAsn1Item make_subjectAltName_extension(PRArenaPool *poolp, CFDictionar return subjectAltExt; } -CFTypeRef kSecCSRChallengePassword = CFSTR("csrChallengePassword"); -CFTypeRef kSecSubjectAltName = CFSTR("subjectAltName"); -CFTypeRef kSecCertificateKeyUsage = CFSTR("keyUsage"); -CFTypeRef kSecCSRBasicContraintsPathLen = CFSTR("basicConstraints"); -CFTypeRef kSecCertificateExtensions = CFSTR("certificateExtensions"); -CFTypeRef kSecCertificateExtensionsEncoded = CFSTR("certificateExtensionsEncoded"); - -static const uint8_t pkcs9ExtensionsRequested[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 14 }; -static const uint8_t pkcs9ChallengePassword[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 7 }; - -static const uint8_t encoded_asn1_true = 0xFF; -static const SecAsn1Item asn1_true = - { sizeof(encoded_asn1_true), (uint8_t*)&encoded_asn1_true }; - struct add_custom_extension_args { PLArenaPool *poolp; NSS_CertExtension *csr_extension; @@ -577,8 +593,6 @@ out: return csr_extensions; } - - static NSS_Attribute **nss_attributes_from_parameters_dict(PRArenaPool *poolp, CFDictionaryRef parameters) { 
@@ -662,19 +676,125 @@ out: #endif } -static const uint8_t encoded_null[2] = { SEC_ASN1_NULL, 0 }; -static const SecAsn1Item asn1_null = { sizeof(encoded_null), (uint8_t*)encoded_null }; +static CF_RETURNS_RETAINED CFDataRef make_public_key (SecKeyRef publicKey, SecAsn1PubKeyInfo *publicKeyInfo, bool *allocated_parameters) { + CFDataRef publicKeyData = SecKeyCopyExternalRepresentation(publicKey, NULL); + if (!publicKeyData) { return NULL; } + uint8_t *spki_params = NULL; + + if (SecKeyGetAlgorithmId(publicKey) == kSecRSAAlgorithmID) { + publicKeyInfo->algorithm.algorithm.Length = oidRsa.length; + publicKeyInfo->algorithm.algorithm.Data = oidRsa.data; + publicKeyInfo->algorithm.parameters = asn1_null; + *allocated_parameters = false; + } else if (SecKeyGetAlgorithmId(publicKey) == kSecECDSAAlgorithmID) { + publicKeyInfo->algorithm.algorithm.Length = oidEcPubKey.length; + publicKeyInfo->algorithm.algorithm.Data = oidEcPubKey.data; + size_t parameters_size = 0; + SecECNamedCurve namedCurve = SecECKeyGetNamedCurve(publicKey); + switch (namedCurve) { + case kSecECCurveSecp256r1: + parameters_size = oidEcPrime256v1.length + 2; + spki_params = malloc(parameters_size); + memcpy(spki_params + 2, oidEcPrime256v1.data, oidEcPrime256v1.length); + break; + case kSecECCurveSecp384r1: + parameters_size = oidAnsip384r1.length + 2; + spki_params = malloc(parameters_size); + memcpy(spki_params + 2, oidAnsip384r1.data, oidAnsip384r1.length); + break; + case kSecECCurveSecp521r1: + parameters_size = oidAnsip521r1.length + 2; + spki_params = malloc(parameters_size); + memcpy(spki_params + 2, oidAnsip521r1.data, oidAnsip521r1.length); + break; + default: + CFReleaseNull(publicKeyData); + return NULL; + } + spki_params[0] = 0x06; + spki_params[1] = (uint8_t)(parameters_size - 2); + publicKeyInfo->algorithm.parameters.Length = parameters_size; + publicKeyInfo->algorithm.parameters.Data = spki_params; + *allocated_parameters = true; + } else { + CFReleaseNull(publicKeyData); + return NULL; 
+ } + + publicKeyInfo->subjectPublicKey.Data = (uint8_t *)CFDataGetBytePtr(publicKeyData); + publicKeyInfo->subjectPublicKey.Length = CFDataGetLength(publicKeyData) * 8; + + return publicKeyData; +} + +static CF_RETURNS_RETAINED CFDataRef make_signature (void *data_pointer, size_t data_length, SecKeyRef privateKey, + CFStringRef digestAlgorithm, SecAsn1AlgId *signature_algorithm_info) { + SecKeyAlgorithm keyAlgorithm = NULL; + CFIndex keyAlgorithmId = SecKeyGetAlgorithmId(privateKey); + if (keyAlgorithmId == kSecRSAAlgorithmID) { + if (!digestAlgorithm || CFEqualSafe(digestAlgorithm, kSecCMSHashingAlgorithmSHA1)) { + /* default is SHA-1 for backwards compatibility */ + keyAlgorithm = kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1; + signature_algorithm_info->algorithm.Length = oidSha1Rsa.length; + signature_algorithm_info->algorithm.Data = oidSha1Rsa.data; + } else if (CFEqualSafe(digestAlgorithm, kSecCMSHashingAlgorithmSHA256)) { + keyAlgorithm = kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256; + signature_algorithm_info->algorithm.Length = oidSha256Rsa.length; + signature_algorithm_info->algorithm.Data = oidSha256Rsa.data; + } else if (CFEqualSafe(digestAlgorithm, kSecCMSHashingAlgorithmSHA384)) { + keyAlgorithm = kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384; + signature_algorithm_info->algorithm.Length = oidSha384Rsa.length; + signature_algorithm_info->algorithm.Data = oidSha384Rsa.data; + } else if (CFEqualSafe(digestAlgorithm, kSecCMSHashingAlgorithmSHA512)) { + keyAlgorithm = kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512; + signature_algorithm_info->algorithm.Length = oidSha512Rsa.length; + signature_algorithm_info->algorithm.Data = oidSha512Rsa.data; + } + /* All RSA signatures use NULL paramters */ + signature_algorithm_info->parameters = asn1_null; + } else if (keyAlgorithmId == kSecECDSAAlgorithmID) { + if (!digestAlgorithm || CFEqualSafe(digestAlgorithm, kSecCMSHashingAlgorithmSHA256)) { + keyAlgorithm = 
kSecKeyAlgorithmECDSASignatureMessageX962SHA256; + signature_algorithm_info->algorithm.Length = oidSha256Ecdsa.length; + signature_algorithm_info->algorithm.Data = oidSha256Ecdsa.data; + } else if (CFEqualSafe(digestAlgorithm, kSecCMSHashingAlgorithmSHA384)) { + keyAlgorithm = kSecKeyAlgorithmECDSASignatureMessageX962SHA384; + signature_algorithm_info->algorithm.Length = oidSha384Ecdsa.length; + signature_algorithm_info->algorithm.Data = oidSha384Ecdsa.data; + } else if (CFEqualSafe(digestAlgorithm, kSecCMSHashingAlgorithmSHA512)) { + keyAlgorithm = kSecKeyAlgorithmECDSASignatureMessageX962SHA512; + signature_algorithm_info->algorithm.Length = oidSha512Ecdsa.length; + signature_algorithm_info->algorithm.Data = oidSha512Ecdsa.data; + } + /* All EC signatures use absent paramters */ + signature_algorithm_info->parameters.Length = 0; + signature_algorithm_info->parameters.Data = NULL; + } + + if (!keyAlgorithm) { return NULL; } + + CFDataRef data = NULL, signature = NULL; + if (!data_pointer || data_length == 0) { return NULL; } + data = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, data_pointer, data_length, kCFAllocatorNull); + signature = SecKeyCreateSignature(privateKey, keyAlgorithm, data, NULL); + CFReleaseSafe(data); + if (!signature) { return NULL; } + + return signature; +} CFDataRef SecGenerateCertificateRequestWithParameters(SecRDN *subject, - CFDictionaryRef parameters, SecKeyRef publicKey, SecKeyRef privateKey) + CFDictionaryRef parameters, SecKeyRef __unused publicKey, SecKeyRef privateKey) { if (subject == NULL || *subject == NULL) { return NULL; } CFDataRef csr = NULL; - CFDataRef publicKeyData= NULL; - uint8_t *signature = NULL, *spki_params = NULL; + CFDataRef publicKeyData= NULL, signature = NULL; + bool allocated_parameters = false; + SecKeyRef realPublicKey = NULL; /* We calculate this from the private key rather than + * trusting the caller to give us the right one. */ PRArenaPool *poolp = PORT_NewArena(1024); if (!poolp) 
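Review bot: In make_public_key each of the three curve cases calls `spki_params = malloc(parameters_size);` and then immediately does `memcpy(spki_params + 2, ...)` with no NULL check, so an allocation failure becomes a write through a near-NULL pointer. Adding `if (!spki_params) { CFReleaseNull(publicKeyData); return NULL; }` after each malloc keeps the failure on the same path the `default:` case already uses. Separately, the RSA branch of make_signature still picks SHA-1 when digestAlgorithm is NULL; the comment explains this is for compatibility, but the public header should tell callers to pass a SHA-2 digest explicitly, since where digestAlgorithm comes from is outside this hunk.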
@@ -723,43 +843,10 @@ CFDataRef SecGenerateCertificateRequestWithParameters(SecRDN *subject, certReq.reqInfo.subject.rdns = rdnps; /* public key info */ - if (SecKeyGetAlgorithmId(publicKey) == kSecRSAAlgorithmID) { - certReq.reqInfo.subjectPublicKeyInfo.algorithm.algorithm.Length = oidRsa.length; - certReq.reqInfo.subjectPublicKeyInfo.algorithm.algorithm.Data = oidRsa.data; - certReq.reqInfo.subjectPublicKeyInfo.algorithm.parameters = asn1_null; - } else if (SecKeyGetAlgorithmId(publicKey) == kSecECDSAAlgorithmID) { - certReq.reqInfo.subjectPublicKeyInfo.algorithm.algorithm.Length = oidEcPubKey.length; - certReq.reqInfo.subjectPublicKeyInfo.algorithm.algorithm.Data = oidEcPubKey.data; - size_t parameters_size = 0; - SecECNamedCurve namedCurve = SecECKeyGetNamedCurve(publicKey); - switch (namedCurve) { - case kSecECCurveSecp256r1: - parameters_size = oidEcPrime256v1.length + 2; - spki_params = malloc(parameters_size); - memcpy(spki_params + 2, oidEcPrime256v1.data, oidEcPrime256v1.length); - break; - case kSecECCurveSecp384r1: - parameters_size = oidAnsip384r1.length + 2; - spki_params = malloc(parameters_size); - memcpy(spki_params + 2, oidAnsip384r1.data, oidAnsip384r1.length); - break; - case kSecECCurveSecp521r1: - parameters_size = oidAnsip521r1.length + 2; - spki_params = malloc(parameters_size); - memcpy(spki_params + 2, oidAnsip521r1.data, oidAnsip521r1.length); - break; - default: - goto out; - } - spki_params[0] = 0x06; - spki_params[1] = (uint8_t)(parameters_size - 2); - certReq.reqInfo.subjectPublicKeyInfo.algorithm.parameters.Length = parameters_size; - certReq.reqInfo.subjectPublicKeyInfo.algorithm.parameters.Data = spki_params; - } - - publicKeyData = SecKeyCopyExternalRepresentation(publicKey, NULL); - certReq.reqInfo.subjectPublicKeyInfo.subjectPublicKey.Length = 8 * CFDataGetLength(publicKeyData); - certReq.reqInfo.subjectPublicKeyInfo.subjectPublicKey.Data = (uint8_t*)CFDataGetBytePtr(publicKeyData); + realPublicKey = 
SecKeyCopyPublicKey(privateKey); + require_quiet(realPublicKey, out); + publicKeyData = make_public_key(realPublicKey, &certReq.reqInfo.subjectPublicKeyInfo, &allocated_parameters); + require_quiet(publicKeyData, out); certReq.reqInfo.attributes = nss_attributes_from_parameters_dict(poolp, parameters); SecCmsArraySortByDER((void **)certReq.reqInfo.attributes, kSecAsn1AttributeTemplate, NULL); 
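Review bot: The caller-supplied `publicKey` is no longer read here; the key placed in the request comes from `SecKeyCopyPublicKey(privateKey)`, so a mismatched or NULL `publicKey` is accepted without any signal. Deriving the key is the safer behaviour, but the contract change deserves a line in the function's header comment, e.g. `/* publicKey is ignored; the subject public key is derived from privateKey. Returns NULL if it cannot be derived. */`. The same four lines recur in the hunks at `-850,13` and `-1103,72`, so the comment applies to SecGenerateCertificateRequest and SecGenerateSelfSignedCertificate as well. The function body starts and ends outside this hunk.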
@@ -768,49 +855,15 @@ CFDataRef SecGenerateCertificateRequestWithParameters(SecRDN *subject, SecAsn1Item reqinfo = {}; SEC_ASN1EncodeItem(poolp, &reqinfo, &certReq.reqInfo, kSecAsn1CertRequestInfoTemplate); - /* Use SHA-1 for RSA for backwards compatbility. */ - if (SecKeyGetAlgorithmId(privateKey) == kSecRSAAlgorithmID) { - /* calculate signature */ - uint8_t reqinfo_hash[CC_SHA1_DIGEST_LENGTH]; - CCDigest(kCCDigestSHA1, reqinfo.Data, (CC_LONG)reqinfo.Length, reqinfo_hash); - CFDataRef digest = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, reqinfo_hash, CC_SHA1_DIGEST_LENGTH, kCFAllocatorNull); - CFDataRef sigData = SecKeyCreateSignature(privateKey, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1, - digest, nil); - CFReleaseNull(digest); - require_quiet(sigData, out); - size_t signature_length = (size_t)CFDataGetLength(sigData); - signature = malloc(signature_length); - memcpy(signature, CFDataGetBytePtr(sigData), CFDataGetLength(sigData)); - CFReleaseNull(sigData); - - /* signature and info */ - certReq.signatureAlgorithm.algorithm.Length = oidSha1Rsa.length; - certReq.signatureAlgorithm.algorithm.Data = oidSha1Rsa.data; - certReq.signatureAlgorithm.parameters = asn1_null; - certReq.signature.Data = signature; - certReq.signature.Length = signature_length * 8; - } else if (SecKeyGetAlgorithmId(privateKey) == kSecECDSAAlgorithmID) { - /* calculate signature */ - uint8_t reqinfo_hash[CC_SHA256_DIGEST_LENGTH]; - CCDigest(kCCDigestSHA256, reqinfo.Data, (CC_LONG)reqinfo.Length, reqinfo_hash); - CFDataRef digest = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, reqinfo_hash, CC_SHA256_DIGEST_LENGTH, kCFAllocatorNull); - CFDataRef sigData = SecKeyCreateSignature(privateKey, kSecKeyAlgorithmECDSASignatureDigestX962SHA256, - digest, nil); - CFReleaseNull(digest); - require_quiet(sigData, out); - size_t signature_length = (size_t)CFDataGetLength(sigData); - signature = malloc(signature_length); - memcpy(signature, CFDataGetBytePtr(sigData), CFDataGetLength(sigData)); - 
CFReleaseNull(sigData); - - /* signature and info */ - certReq.signatureAlgorithm.algorithm.Length = oidSha256Ecdsa.length; - certReq.signatureAlgorithm.algorithm.Data = oidSha256Ecdsa.data; - certReq.signatureAlgorithm.parameters.Data = NULL; - certReq.signatureAlgorithm.parameters.Length = 0; - certReq.signature.Data = signature; - certReq.signature.Length = signature_length * 8; + /* calculate signature and encode signature info */ + CFStringRef algorithm = NULL; + if (parameters) { + algorithm = CFDictionaryGetValue(parameters, kSecCMSSignHashAlgorithm); } + signature = make_signature(reqinfo.Data, reqinfo.Length, privateKey, algorithm, &certReq.signatureAlgorithm); + require_quiet(signature, out); + certReq.signature.Data = (uint8_t *)CFDataGetBytePtr(signature); + certReq.signature.Length = 8 * CFDataGetLength(signature); /* encode csr */ SecAsn1Item cert_request = {}; @@ -819,21 +872,26 @@ CFDataRef SecGenerateCertificateRequestWithParameters(SecRDN *subject, csr = CFDataCreate(kCFAllocatorDefault, cert_request.Data, cert_request.Length); out: + if (allocated_parameters) { + free(certReq.reqInfo.subjectPublicKeyInfo.algorithm.parameters.Data); + } if (poolp) PORT_FreeArena(poolp, PR_TRUE); - if (signature) { free(signature); } - if (spki_params) { free(spki_params); } + CFReleaseSafe(realPublicKey); CFReleaseSafe(publicKeyData); + CFReleaseSafe(signature); return csr; } CFDataRef SecGenerateCertificateRequest(CFArrayRef subject, - CFDictionaryRef parameters, SecKeyRef publicKey, SecKeyRef privateKey) + CFDictionaryRef parameters, SecKeyRef __unused publicKey, SecKeyRef privateKey) { CFDataRef csr = NULL; PRArenaPool *poolp = PORT_NewArena(1024); - CFDataRef publicKeyData = NULL; - uint8_t *signature = NULL; + CFDataRef publicKeyData = NULL, signature = NULL; + SecKeyRef realPublicKey = NULL; /* We calculate this from the private key rather than + * trusting the caller to give us the right one. */ + bool allocated_parameters = false; if (!poolp) return NULL; 
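Review bot: When `parameters` is NULL or has no `kSecCMSSignHashAlgorithm` entry, `algorithm` stays NULL and make_signature (defined earlier in this patch) picks SHA-1 for RSA keys, so existing callers keep producing SHA-1 with RSA signatures unless they opt in. An unrecognised value makes make_signature return NULL, and the function then fails quietly through `require_quiet(signature, out)` with nothing to tell the caller why. I would document both on the public declaration, e.g. `/* kSecCMSSignHashAlgorithm: optional; RSA defaults to SHA-1 for compatibility, EC to SHA-256; unsupported values return NULL. Prefer kSecCMSHashingAlgorithmSHA256 or stronger. */`. The same lookup appears in the hunks at `-865,25` and `-1103,72`, and the hunk at `-1218,58` passes `hashingAlgorithm` to make_signature the same way. The function body extends outside this hunk.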
@@ -850,13 +908,10 @@ CFDataRef SecGenerateCertificateRequest(CFArrayRef subject, certReq.reqInfo.subject.rdns = make_subject(poolp, (CFArrayRef)subject); /* public key info */ - certReq.reqInfo.subjectPublicKeyInfo.algorithm.algorithm.Length = oidRsa.length; - certReq.reqInfo.subjectPublicKeyInfo.algorithm.algorithm.Data = oidRsa.data; - certReq.reqInfo.subjectPublicKeyInfo.algorithm.parameters = asn1_null; - - publicKeyData = SecKeyCopyExternalRepresentation(publicKey, NULL); - certReq.reqInfo.subjectPublicKeyInfo.subjectPublicKey.Length = 8 * CFDataGetLength(publicKeyData); - certReq.reqInfo.subjectPublicKeyInfo.subjectPublicKey.Data = (uint8_t*)CFDataGetBytePtr(publicKeyData); + realPublicKey = SecKeyCopyPublicKey(privateKey); + require_quiet(realPublicKey, out); + publicKeyData = make_public_key(realPublicKey, &certReq.reqInfo.subjectPublicKeyInfo, &allocated_parameters); + require_quiet(publicKeyData, out); certReq.reqInfo.attributes = nss_attributes_from_parameters_dict(poolp, parameters); SecCmsArraySortByDER((void **)certReq.reqInfo.attributes, kSecAsn1AttributeTemplate, NULL); 
@@ -865,25 +920,15 @@ CFDataRef SecGenerateCertificateRequest(CFArrayRef subject, SecAsn1Item reqinfo = {}; SEC_ASN1EncodeItem(poolp, &reqinfo, &certReq.reqInfo, kSecAsn1CertRequestInfoTemplate); - /* calculate signature */ - uint8_t reqinfo_hash[CC_SHA1_DIGEST_LENGTH]; - CCDigest(kCCDigestSHA1, reqinfo.Data, reqinfo.Length, reqinfo_hash); - CFDataRef digest = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, reqinfo_hash, CC_SHA1_DIGEST_LENGTH, kCFAllocatorNull); - CFDataRef sigData = SecKeyCreateSignature(privateKey, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1, - digest, nil); - CFReleaseNull(digest); - require_quiet(sigData, out); - size_t signature_length = (size_t)CFDataGetLength(sigData); - signature = malloc(signature_length); - memcpy(signature, CFDataGetBytePtr(sigData), CFDataGetLength(sigData)); - CFReleaseNull(sigData); - - /* signature and info */ - certReq.signatureAlgorithm.algorithm.Length = oidSha1Rsa.length; - certReq.signatureAlgorithm.algorithm.Data = oidSha1Rsa.data; - certReq.signatureAlgorithm.parameters = asn1_null; - certReq.signature.Data = signature; - certReq.signature.Length = signature_length * 8; + /* calculate signature and encode signature info */ + CFStringRef algorithm = NULL; + if (parameters) { + algorithm = CFDictionaryGetValue(parameters, kSecCMSSignHashAlgorithm); + } + signature = make_signature(reqinfo.Data, reqinfo.Length, privateKey, algorithm, &certReq.signatureAlgorithm); + require_quiet(signature, out); + certReq.signature.Data = (uint8_t *)CFDataGetBytePtr(signature); + certReq.signature.Length = 8 * CFDataGetLength(signature); /* encode csr */ SecAsn1Item cert_request = {}; 
@@ -892,96 +937,121 @@ CFDataRef SecGenerateCertificateRequest(CFArrayRef subject, csr = CFDataCreate(kCFAllocatorDefault, cert_request.Data, cert_request.Length); out: + if (allocated_parameters) { + free(certReq.reqInfo.subjectPublicKeyInfo.algorithm.parameters.Data); + } if (poolp) PORT_FreeArena(poolp, PR_TRUE); + CFReleaseSafe(realPublicKey); CFReleaseSafe(publicKeyData); - if (signature) { free(signature); } + CFReleaseSafe(signature); return csr; } +static SecKeyAlgorithm determine_key_algorithm(bool isRsa, SecAsn1AlgId *algId) { + SecKeyAlgorithm keyAlg = NULL; + SecAsn1Oid oid = algId->algorithm; + + /* We don't check the parameters match the algorithm OID since there was some RFC confusion + * about NULL or absent parameters. */ + if (isRsa) { + if (oid.Length == oidSha1Rsa.length && + (0 == memcmp(oidSha1Rsa.data, oid.Data, oid.Length))) { + keyAlg = kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA1; + } else if (oid.Length == oidSha256Rsa.length && + (0 == memcmp(oidSha256Rsa.data, oid.Data, oid.Length))) { + keyAlg = kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA256; + } else if (oid.Length == oidSha384Rsa.length && + (0 == memcmp(oidSha384Rsa.data, oid.Data, oid.Length))) { + keyAlg = kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA384; + } else if (oid.Length == oidSha512Rsa.length && + (0 == memcmp(oidSha512Rsa.data, oid.Data, oid.Length))) { + keyAlg = kSecKeyAlgorithmRSASignatureMessagePKCS1v15SHA512; + } + } else { + if (oid.Length == oidSha256Ecdsa.length && + (0 == memcmp(oidSha256Ecdsa.data, oid.Data, oid.Length))) { + keyAlg = kSecKeyAlgorithmECDSASignatureMessageX962SHA256; + } else if (oid.Length == oidSha384Ecdsa.length && + (0 == memcmp(oidSha384Ecdsa.data, oid.Data, oid.Length))) { + keyAlg = kSecKeyAlgorithmECDSASignatureMessageX962SHA384; + } else if (oid.Length == oidSha512Ecdsa.length && + (0 == memcmp(oidSha512Ecdsa.data, oid.Data, oid.Length))) { + keyAlg = kSecKeyAlgorithmECDSASignatureMessageX962SHA512; + } + } + + return keyAlg; +} 
+ bool SecVerifyCertificateRequest(CFDataRef csr, SecKeyRef *publicKey, CFStringRef *challenge, CFDataRef *subject, CFDataRef *extensions) { PRArenaPool *poolp = PORT_NewArena(1024); SecKeyRef candidatePublicKey = NULL; CFMutableDictionaryRef keyAttrs = NULL; - CFDataRef keyData = NULL, hash = NULL, signature = NULL; + CFDataRef keyData = NULL, signature = NULL, data = NULL; bool valid = false; - NSSCertRequest certReq; - memset(&certReq, 0, sizeof(certReq)); + NSSCertRequest decodedCertReq; + NSS_SignedCertRequest undecodedCertReq; + memset(&decodedCertReq, 0, sizeof(decodedCertReq)); + memset(&undecodedCertReq, 0, sizeof(undecodedCertReq)); + + /* Decode the CSR */ SecAsn1Item csr_item = { CFDataGetLength(csr), (uint8_t*)CFDataGetBytePtr(csr) }; - require_noerr_quiet(SEC_ASN1DecodeItem(poolp, &certReq, kSecAsn1CertRequestTemplate, + require_noerr_quiet(SEC_ASN1DecodeItem(poolp, &decodedCertReq, kSecAsn1CertRequestTemplate, + &csr_item), out); + require_noerr_quiet(SEC_ASN1DecodeItem(poolp, &undecodedCertReq, kSecAsn1SignedCertRequestTemplate, &csr_item), out); - /* signature and info */ - require(certReq.signatureAlgorithm.algorithm.Length == oidSha1Rsa.length || - certReq.signatureAlgorithm.algorithm.Length == oidSha256Ecdsa.length, out); - require(0 == memcmp(oidSha1Rsa.data, certReq.signatureAlgorithm.algorithm.Data, - oidSha1Rsa.length) || - 0 == memcmp(oidSha256Ecdsa.data, certReq.signatureAlgorithm.algorithm.Data, - oidSha256Ecdsa.length), out); - require(certReq.signatureAlgorithm.parameters.Length == asn1_null.Length || - certReq.signatureAlgorithm.parameters.Length == 0, out); - require(certReq.signatureAlgorithm.parameters.Length == 0 || - 0 == memcmp(asn1_null.Data, certReq.signatureAlgorithm.parameters.Data, - asn1_null.Length), out); - - /* encode request info by itself to calculate signature */ - SecAsn1Item reqinfo = {}; - SEC_ASN1EncodeItem(poolp, &reqinfo, &certReq.reqInfo, kSecAsn1CertRequestInfoTemplate); - - /* calculate signature */ - uint8_t 
reqinfo_hash[CC_SHA256_DIGEST_LENGTH]; - CFIndex hash_size = 0; - if (0 == memcmp(oidSha1Rsa.data, certReq.signatureAlgorithm.algorithm.Data, - oidSha1Rsa.length)) { - require(reqinfo.Length<=UINT32_MAX, out); - CCDigest(kCCDigestSHA1, reqinfo.Data, (CC_LONG)reqinfo.Length, reqinfo_hash); - hash_size = CC_SHA1_DIGEST_LENGTH; - } else { - require(reqinfo.Length<=UINT32_MAX, out); - CCDigest(kCCDigestSHA256, reqinfo.Data, (CC_LONG)reqinfo.Length, reqinfo_hash); - hash_size = CC_SHA256_DIGEST_LENGTH; - } - - /* @@@ check for version 0 */ - SecKeyAlgorithm alg = NULL; - if (certReq.reqInfo.subjectPublicKeyInfo.algorithm.algorithm.Length == oidRsa.length && - 0 == memcmp(oidRsa.data, certReq.reqInfo.subjectPublicKeyInfo.algorithm.algorithm.Data, oidRsa.length)) { + /* get public key */ + bool isRsa = true; + if (decodedCertReq.reqInfo.subjectPublicKeyInfo.algorithm.algorithm.Length == oidRsa.length && + 0 == memcmp(oidRsa.data, decodedCertReq.reqInfo.subjectPublicKeyInfo.algorithm.algorithm.Data, oidRsa.length)) { require(candidatePublicKey = SecKeyCreateRSAPublicKey(kCFAllocatorDefault, - certReq.reqInfo.subjectPublicKeyInfo.subjectPublicKey.Data, - certReq.reqInfo.subjectPublicKeyInfo.subjectPublicKey.Length / 8, + decodedCertReq.reqInfo.subjectPublicKeyInfo.subjectPublicKey.Data, + decodedCertReq.reqInfo.subjectPublicKeyInfo.subjectPublicKey.Length / 8, kSecKeyEncodingPkcs1), out); - alg = kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1; - } else if (certReq.reqInfo.subjectPublicKeyInfo.algorithm.algorithm.Length == oidEcPubKey.length && - 0 == memcmp(oidEcPubKey.data, certReq.reqInfo.subjectPublicKeyInfo.algorithm.algorithm.Data, oidEcPubKey.length)) { + } else if (decodedCertReq.reqInfo.subjectPublicKeyInfo.algorithm.algorithm.Length == oidEcPubKey.length && + 0 == memcmp(oidEcPubKey.data, decodedCertReq.reqInfo.subjectPublicKeyInfo.algorithm.algorithm.Data, oidEcPubKey.length)) { keyData = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, - 
certReq.reqInfo.subjectPublicKeyInfo.subjectPublicKey.Data, - certReq.reqInfo.subjectPublicKeyInfo.subjectPublicKey.Length / 8, - kCFAllocatorNull); + decodedCertReq.reqInfo.subjectPublicKeyInfo.subjectPublicKey.Data, + decodedCertReq.reqInfo.subjectPublicKeyInfo.subjectPublicKey.Length / 8, + kCFAllocatorNull); keyAttrs = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, - &kCFTypeDictionaryValueCallBacks); + &kCFTypeDictionaryValueCallBacks); CFDictionaryAddValue(keyAttrs, kSecAttrKeyType, kSecAttrKeyTypeECSECPrimeRandom); CFDictionaryAddValue(keyAttrs, kSecAttrKeyClass, kSecAttrKeyClassPublic); require(candidatePublicKey = SecKeyCreateWithData(keyData, keyAttrs, NULL), out); - alg = kSecKeyAlgorithmECDSASignatureDigestX962SHA256; + isRsa = false; } else { goto out; } - hash = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, reqinfo_hash, hash_size, kCFAllocatorNull); - signature = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, certReq.signature.Data, certReq.signature.Length / 8, kCFAllocatorNull); - require_quiet(SecKeyVerifySignature(candidatePublicKey, alg, hash, signature, NULL), out); + /* get the signature algorithm */ + SecAsn1AlgId algId = decodedCertReq.signatureAlgorithm; + /* check the parameters are NULL or absent */ + require(algId.parameters.Length == asn1_null.Length || algId.parameters.Length == 0, out); + require(algId.parameters.Length == 0 || 0 == memcmp(asn1_null.Data, algId.parameters.Data, asn1_null.Length), out); + SecKeyAlgorithm alg = determine_key_algorithm(isRsa, &algId); + + /* verify signature */ + signature = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, undecodedCertReq.signature.Data, + undecodedCertReq.signature.Length / 8, kCFAllocatorNull); + data = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, undecodedCertReq.certRequestBlob.Data, + undecodedCertReq.certRequestBlob.Length, kCFAllocatorNull); + require_quiet(alg && signature && data, out); + require_quiet(SecKeyVerifySignature(candidatePublicKey, alg, 
data, signature, NULL), out); SecAsn1Item subject_item = { 0 }, extensions_item = { 0 }, challenge_item = { 0 }; require_quiet(SEC_ASN1EncodeItem(poolp, &subject_item, - &certReq.reqInfo.subject, kSecAsn1NameTemplate), out); + &decodedCertReq.reqInfo.subject, kSecAsn1NameTemplate), out); - if (*certReq.reqInfo.attributes) { + if (*decodedCertReq.reqInfo.attributes) { uint32_t ix; - for (ix = 0; certReq.reqInfo.attributes[ix]; ix++) { - NSS_Attribute *attr = certReq.reqInfo.attributes[ix]; + for (ix = 0; decodedCertReq.reqInfo.attributes[ix]; ix++) { + NSS_Attribute *attr = decodedCertReq.reqInfo.attributes[ix]; if ( (sizeof(pkcs9ChallengePassword) == attr->attrType.Length) && !memcmp(pkcs9ChallengePassword, attr->attrType.Data, sizeof(pkcs9ChallengePassword))) challenge_item = *attr->attrValue[0]; @@ -1014,7 +1084,7 @@ out: CFReleaseSafe(candidatePublicKey); CFReleaseNull(keyAttrs); CFReleaseNull(keyData); - CFReleaseNull(hash); + CFReleaseNull(data); CFReleaseNull(signature); if (poolp) PORT_FreeArena(poolp, PR_TRUE); @@ -1068,13 +1138,15 @@ DER_CFDateToUTCTime(PRArenaPool *poolp, CFAbsoluteTime date, SecAsn1Item * utcTi SecCertificateRef SecGenerateSelfSignedCertificate(CFArrayRef subject, CFDictionaryRef parameters, - SecKeyRef publicKey, SecKeyRef privateKey) + SecKeyRef __unused publicKey, SecKeyRef privateKey) { SecCertificateRef cert = NULL; PRArenaPool *poolp = PORT_NewArena(1024); CFDictionaryRef pubkey_attrs = NULL; - CFDataRef publicKeyData = NULL; - uint8_t *signature = NULL; + CFDataRef publicKeyData = NULL, signature = NULL; + SecKeyRef realPublicKey = NULL; /* We calculate this from the private key rather than + * trusting the caller to give us the right one. */ + bool allocated_parameters = false; if (!poolp) return NULL; 
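Review bot: In the attribute loop, `challenge_item = *attr->attrValue[0];` dereferences the first value of a challengePassword attribute without checking that one exists. This runs after SecKeyVerifySignature succeeds, but the signature only proves possession of the key embedded in the same request, so the attribute list is still requester-controlled input. If the decoder can hand back an attribute with an empty value set (not verifiable from this hunk), that line reads through a NULL pointer; extending the condition with `&& attr->attrValue && attr->attrValue[0]` would close it. The loop and the rest of the function continue outside this hunk.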
@@ -1103,72 +1175,65 @@ SecGenerateSelfSignedCertificate(CFArrayRef subject, CFDictionaryRef parameters, /* extensions */ cert_tmpl.tbs.extensions = extensions_from_parameters(poolp, parameters); - /* @@@ we only handle rsa keys */ - pubkey_attrs = SecKeyCopyAttributeDictionary(publicKey); - CFTypeRef key_type = CFDictionaryGetValue(pubkey_attrs, kSecAttrKeyType); - if (key_type && CFEqual(key_type, kSecAttrKeyTypeRSA)) { - /* public key data and algorithm */ - cert_tmpl.tbs.subjectPublicKeyInfo.algorithm.algorithm = CSSMOID_RSA; - cert_tmpl.tbs.subjectPublicKeyInfo.algorithm.parameters = asn1_null; - - publicKeyData = SecKeyCopyExternalRepresentation(publicKey, NULL); - cert_tmpl.tbs.subjectPublicKeyInfo.subjectPublicKey.Length = 8 * CFDataGetLength(publicKeyData); - cert_tmpl.tbs.subjectPublicKeyInfo.subjectPublicKey.Data = (uint8_t*)CFDataGetBytePtr(publicKeyData); - - /* signature algorithm */ - cert_tmpl.tbs.signature.algorithm = CSSMOID_SHA1WithRSA; - cert_tmpl.tbs.signature.parameters = asn1_null; - cert_tmpl.signatureAlgorithm.algorithm = CSSMOID_SHA1WithRSA; - cert_tmpl.signatureAlgorithm.parameters = asn1_null; - - /* encode request info by itself to calculate signature */ - SecAsn1Item tbscert = {}; - SEC_ASN1EncodeItem(poolp, &tbscert, &cert_tmpl.tbs, kSecAsn1TBSCertificateTemplate); - - /* calculate signature */ - uint8_t tbscert_hash[CC_SHA1_DIGEST_LENGTH]; - CCDigest(kCCDigestSHA1, tbscert.Data, tbscert.Length, tbscert_hash); - CFDataRef digest = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, tbscert_hash, CC_SHA1_DIGEST_LENGTH, kCFAllocatorNull); - CFDataRef sigData = SecKeyCreateSignature(privateKey, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1, - digest, NULL); - CFReleaseNull(digest); - require_quiet(sigData, out); - size_t signature_length = (size_t)CFDataGetLength(sigData); - signature = malloc(signature_length); - memcpy(signature, CFDataGetBytePtr(sigData), CFDataGetLength(sigData)); - CFReleaseNull(sigData); - - /* signature */ - 
cert_tmpl.signature.Data = signature; - cert_tmpl.signature.Length = signature_length * 8; - - /* encode cert */ - SecAsn1Item signed_cert = {}; - require_quiet(SEC_ASN1EncodeItem(poolp, &signed_cert, &cert_tmpl, - kSecAsn1SignedCertTemplate), out); - cert = SecCertificateCreateWithBytes(kCFAllocatorDefault, - signed_cert.Data, signed_cert.Length); + /* encode public key */ + realPublicKey = SecKeyCopyPublicKey(privateKey); + require_quiet(realPublicKey, out); + publicKeyData = make_public_key(realPublicKey, &cert_tmpl.tbs.subjectPublicKeyInfo, &allocated_parameters); + require_quiet(publicKeyData, out); + + /* encode the signature algorithm info */ + CFStringRef algorithm = NULL; + if (parameters) { + algorithm = CFDictionaryGetValue(parameters, kSecCMSSignHashAlgorithm); } + signature = make_signature(NULL, 0, privateKey, algorithm, &cert_tmpl.tbs.signature); + CFReleaseNull(signature); + + /* encode request info by itself to calculate signature */ + SecAsn1Item tbscert = {}; + SEC_ASN1EncodeItem(poolp, &tbscert, &cert_tmpl.tbs, kSecAsn1TBSCertificateTemplate); + + /* calculate signature and encode signature algorithm info */ + signature = make_signature(tbscert.Data, tbscert.Length, privateKey, algorithm, &cert_tmpl.signatureAlgorithm); + require_quiet(signature, out); + cert_tmpl.signature.Data = (uint8_t *)CFDataGetBytePtr(signature); + cert_tmpl.signature.Length = CFDataGetLength(signature) * 8; + + /* encode cert */ + SecAsn1Item signed_cert = {}; + require_quiet(SEC_ASN1EncodeItem(poolp, &signed_cert, &cert_tmpl, + kSecAsn1SignedCertTemplate), out); + cert = SecCertificateCreateWithBytes(kCFAllocatorDefault, + signed_cert.Data, signed_cert.Length); out: + if (allocated_parameters) { + free(cert_tmpl.tbs.subjectPublicKeyInfo.algorithm.parameters.Data); + } if (poolp) PORT_FreeArena(poolp, PR_TRUE); + CFReleaseSafe(realPublicKey); CFReleaseSafe(pubkey_attrs); CFReleaseNull(publicKeyData); - if (signature) { free(signature); } + CFReleaseNull(signature); 
return cert; } - SecCertificateRef SecIdentitySignCertificate(SecIdentityRef issuer, CFDataRef serialno, - SecKeyRef publicKey, CFTypeRef subject, CFTypeRef extensions) + SecKeyRef publicKey, CFTypeRef subject, CFTypeRef extensions) { + return SecIdentitySignCertificateWithAlgorithm(issuer, serialno, publicKey, subject, extensions, NULL); +} + +SecCertificateRef +SecIdentitySignCertificateWithAlgorithm(SecIdentityRef issuer, CFDataRef serialno, + SecKeyRef publicKey, CFTypeRef subject, CFTypeRef extensions, CFStringRef hashingAlgorithm) { SecCertificateRef cert = NULL; SecKeyRef privateKey = NULL; - uint8_t *signature = NULL; + bool allocated_parameters = false; PRArenaPool *poolp = PORT_NewArena(1024); - CFDataRef publicKeyData = NULL; + CFDataRef publicKeyData = NULL, signature = NULL; if (!poolp) return NULL; 
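Review bot: `make_signature(NULL, 0, privateKey, algorithm, &cert_tmpl.tbs.signature)` is called only for its side effect of filling the AlgorithmIdentifier; it always returns NULL for empty input, so an unsupported key type or digest cannot be detected at this point and the TBS is encoded before the second call rejects it. A comment such as `/* data is NULL: only fills tbs.signature, always returns NULL; errors surface in the signing call below */` would make that intent explicit, or the algorithm selection could move into its own helper that returns a status. The hunk at `-1218,58` uses the same pattern. Separately, `pubkey_attrs` is no longer assigned after this change, so its declaration and `CFReleaseSafe(pubkey_attrs)` are leftovers.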
@@ -1218,58 +1283,41 @@ SecIdentitySignCertificate(SecIdentityRef issuer, CFDataRef serialno, } } - /* @@@ we only handle rsa keys */ - if (SecKeyGetAlgorithmId(publicKey) == kSecRSAAlgorithmID) { - /* public key data and algorithm */ - cert_tmpl.tbs.subjectPublicKeyInfo.algorithm.algorithm = CSSMOID_RSA; - cert_tmpl.tbs.subjectPublicKeyInfo.algorithm.parameters = asn1_null; - - publicKeyData = SecKeyCopyExternalRepresentation(publicKey, NULL); - cert_tmpl.tbs.subjectPublicKeyInfo.subjectPublicKey.Length = 8 * CFDataGetLength(publicKeyData); - cert_tmpl.tbs.subjectPublicKeyInfo.subjectPublicKey.Data = (uint8_t*)CFDataGetBytePtr(publicKeyData); - - /* signature algorithm */ - cert_tmpl.tbs.signature.algorithm = CSSMOID_SHA1WithRSA; - cert_tmpl.tbs.signature.parameters = asn1_null; - cert_tmpl.signatureAlgorithm.algorithm = CSSMOID_SHA1WithRSA; - cert_tmpl.signatureAlgorithm.parameters = asn1_null; - - /* encode request info by itself to calculate signature */ - SecAsn1Item tbscert = {}; - SEC_ASN1EncodeItem(poolp, &tbscert, &cert_tmpl.tbs, kSecAsn1TBSCertificateTemplate); - - /* calculate signature */ - uint8_t tbscert_hash[CC_SHA1_DIGEST_LENGTH]; - CCDigest(kCCDigestSHA1, tbscert.Data, tbscert.Length, tbscert_hash); - - require_noerr_quiet(SecIdentityCopyPrivateKey(issuer, &privateKey), out); - CFDataRef digest = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, tbscert_hash, CC_SHA1_DIGEST_LENGTH, kCFAllocatorNull); - CFDataRef sigData = SecKeyCreateSignature(privateKey, kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1, - digest, NULL); - CFReleaseNull(digest); - require_quiet(sigData, out); - size_t signature_length = (size_t)CFDataGetLength(sigData); - signature = malloc(signature_length); - memcpy(signature, CFDataGetBytePtr(sigData), CFDataGetLength(sigData)); - CFReleaseNull(sigData); - - /* signature */ - cert_tmpl.signature.Data = signature; - cert_tmpl.signature.Length = signature_length * 8; - - /* encode cert */ - SecAsn1Item signed_cert = {}; - 
require_quiet(SEC_ASN1EncodeItem(poolp, &signed_cert, &cert_tmpl, - kSecAsn1SignedCertTemplate), out); - cert = SecCertificateCreateWithBytes(kCFAllocatorDefault, - signed_cert.Data, signed_cert.Length); - } + /* subject public key info */ + publicKeyData = make_public_key(publicKey, &cert_tmpl.tbs.subjectPublicKeyInfo, &allocated_parameters); + require_quiet(publicKeyData, out); + + /* encode the signature algorithm info */ + require_noerr_quiet(SecIdentityCopyPrivateKey(issuer, &privateKey), out); + signature = make_signature(NULL, 0, privateKey, hashingAlgorithm, &cert_tmpl.tbs.signature); + CFReleaseNull(signature); + + /* encode request info by itself to calculate signature */ + SecAsn1Item tbscert = {}; + SEC_ASN1EncodeItem(poolp, &tbscert, &cert_tmpl.tbs, kSecAsn1TBSCertificateTemplate); + + /* calculate signature and encode signature algorithm info */ + signature = make_signature(tbscert.Data, tbscert.Length, privateKey, hashingAlgorithm, &cert_tmpl.signatureAlgorithm); + require_quiet(signature, out); + cert_tmpl.signature.Data = (uint8_t *)CFDataGetBytePtr(signature); + cert_tmpl.signature.Length = CFDataGetLength(signature) * 8; + + /* encode cert */ + SecAsn1Item signed_cert = {}; + require_quiet(SEC_ASN1EncodeItem(poolp, &signed_cert, &cert_tmpl, + kSecAsn1SignedCertTemplate), out); + cert = SecCertificateCreateWithBytes(kCFAllocatorDefault, + signed_cert.Data, signed_cert.Length); + out: - CFReleaseSafe(privateKey); + if (allocated_parameters) { + free(cert_tmpl.tbs.subjectPublicKeyInfo.algorithm.parameters.Data); + } + CFReleaseSafe(privateKey); if (poolp) PORT_FreeArena(poolp, PR_TRUE); CFReleaseSafe(publicKeyData); - if (signature) { free(signature); } + CFReleaseSafe(signature); return cert; } @@ -1283,7 +1331,7 @@ SecGenerateCertificateRequestSubject(SecCertificateRef ca_certificate, CFArrayRe return NULL; /* - Going agains the spec here: + Going against the spec here: 3.2.3. GetCertInitial 
diff --git a/OSX/sec/Security/SecExports.exp-in b/OSX/sec/Security/SecExports.exp-in index af8c6c75..652bc80c 100644 --- a/OSX/sec/Security/SecExports.exp-in +++ b/OSX/sec/Security/SecExports.exp-in @@ -41,9 +41,8 @@ _SecPasswordValidatePasswordFormat _SecBase64Encode _SecBase64Decode -#if TARGET_OS_IPHONE _SecBase64Encode2 -#endif +_SecBase64Decode2 // // Trust 
@@ -51,155 +50,55 @@ _SecBase64Encode2 _SecIsInternalRelease // Policies - -_kSecPolicyAppleAppTransportSecurity -_kSecPolicyAppleAST2DiagnosticsServerAuth -_kSecPolicyAppleATVVPNProfileSigning -_kSecPolicyAppleBasicAttestationSystem -_kSecPolicyAppleBasicAttestationUser -_kSecPolicyAppleCodeSigning -_kSecPolicyAppleEAP -_kSecPolicyAppleEscrowProxyCompatibilityServerAuth -_kSecPolicyAppleEscrowProxyServerAuth -_kSecPolicyAppleEscrowService -_kSecPolicyAppleExternalDeveloper -_kSecPolicyAppleFactoryDeviceCertificate -_kSecPolicyAppleFMiPServerAuth -_kSecPolicyAppleGenericApplePinned -_kSecPolicyAppleGenericAppleSSLPinned -_kSecPolicyAppleGSService -_kSecPolicyAppleHomeKitServerAuth -_kSecPolicyAppleiAP -_kSecPolicyAppleiCloudSetupServerAuth -_kSecPolicyAppleiCloudSetupCompatibilityServerAuth -_kSecPolicyAppleIDAuthority -_kSecPolicyAppleIDSService -_kSecPolicyAppleIDSServiceContext -_kSecPolicyAppleIDValidation -_kSecPolicyAppleIDValidationRecordSigning +// kSecPolicy constants +#undef POLICYMACRO +#define POLICYMACRO(NAME, OID, ISPUBLIC, INTNAME, IN_NAME, IN_PROPERTIES, FUNCTION) \ +_kSecPolicyApple##NAME +#include "Security/SecPolicy.list" +#undef POLICYMACRO +#define __P_DO_EXPORT_(NAME) +#define __P_DO_EXPORT_P(NAME) _kSecPolicyNameApple##NAME +#define __P_DO_EXPORT_I(NAME) _kSecPolicyName##NAME +#define POLICYMACRO(NAME, OID, ISPUBLIC, INTNAME, IN_NAME, IN_PROPERTIES, FUNCTION) \ +__P_DO_EXPORT_##ISPUBLIC(NAME) +#include "SecPolicy.list" +#if TARGET_OS_OSX +_kSecPolicyAppleiChat +#endif _kSecPolicyAppleIDValidationRecordSigningPolicy -_kSecPolicyAppleiPhoneActivation -_kSecPolicyAppleiPhoneApplicationSigning -_kSecPolicyAppleiPhoneDeviceCertificate -_kSecPolicyAppleiPhoneProfileApplicationSigning -_kSecPolicyAppleiPhoneProvisioningProfileSigning -_kSecPolicyAppleiPhoneVPNApplicationSigning -_kSecPolicyAppleIPsec -_kSecPolicyAppleiTunesStoreURLBag -_kSecPolicyAppleLegacyPushService -_kSecPolicyAppleLockdownPairing -_kSecPolicyAppleMacOSProfileApplicationSigning 
-_kSecPolicyAppleMMCSCompatibilityServerAuth -_kSecPolicyAppleMMCSService -_kSecPolicyAppleMobileAsset -_kSecPolicyAppleMobileAssetDevelopment -_kSecPolicyAppleMobileSoftwareUpdate -_kSecPolicyAppleMobileStore -_kSecPolicyAppleOCSPSigner -_kSecPolicyAppleOSXProvisioningProfileSigning -_kSecPolicyAppleOTAPKISigner -_kSecPolicyAppleOTATasking -_kSecPolicyApplePackageSigning -_kSecPolicyApplePassbookSigning -_kSecPolicyApplePayIssuerEncryption -_kSecPolicyApplePCSEscrowService -_kSecPolicyApplePKINITClient -_kSecPolicyApplePKINITServer -_kSecPolicyApplePPQService -_kSecPolicyApplePPQSigning -_kSecPolicyAppleProfileSigner -_kSecPolicyApplePushService -_kSecPolicyAppleQAProfileSigner -_kSecPolicyAppleRevocation -_kSecPolicyAppleSecureIOStaticAsset -_kSecPolicyAppleServerAuthentication -_kSecPolicyAppleSMIME -_kSecPolicyAppleSMPEncryption -_kSecPolicyAppleSoftwareSigning -_kSecPolicyAppleSSL -_kSecPolicyAppleSWUpdateSigning -_kSecPolicyAppleTestMobileStore -_kSecPolicyAppleTestOTAPKISigner -_kSecPolicyAppleTestPPQSigning -_kSecPolicyAppleTestSMPEncryption -_kSecPolicyAppleTimeStamping -_kSecPolicyAppleTVOSApplicationSigning -_kSecPolicyAppleUniqueDeviceIdentifierCertificate -_kSecPolicyAppleURLBag -_kSecPolicyAppleWarsaw -_kSecPolicyAppleX509Basic _kSecPolicyMacAppStoreReceipt +_kSecPolicyNameAppleAIDCService _kSecPolicyNameAppleAST2Service _kSecPolicyNameAppleEscrowProxyService _kSecPolicyNameAppleFMiPService -_kSecPolicyNameAppleGalaxyProviderService _kSecPolicyNameAppleGSService +_kSecPolicyNameAppleHealthProviderService _kSecPolicyNameAppleHomeKitService _kSecPolicyNameAppleiCloudSetupService _kSecPolicyNameAppleIDSService +_kSecPolicyNameAppleMapsService _kSecPolicyNameAppleMMCSService +_kSecPolicyNameAppleParsecService _kSecPolicyNameApplePPQService _kSecPolicyNameApplePushService +_kSecPolicyNameEAPClient +_kSecPolicyNameEAPServer +_kSecPolicyNameIPSecClient +_kSecPolicyNameIPSecServer +_kSecPolicyNameSMIME +_kSecPolicyNameSSLClient +_kSecPolicyNameSSLServer + // 
Policy Checks +#undef POLICYCHECKMACRO +#define POLICYCHECKMACRO(NAME, TRUSTRESULT, SUBTYPE, LEAFCHECK, PATHCHECK, LEAFONLY, CSSMERR, OSSTATUS) \ +_kSecPolicyCheck##NAME +#include "Security/SecPolicyChecks.list" _kSecPolicyAppleAnchorIncludeTestRoots -_kSecPolicyCheckAnchorSHA1 -_kSecPolicyCheckAnchorSHA256 -_kSecPolicyCheckAnchorApple -_kSecPolicyCheckAnchorTrusted -_kSecPolicyCheckBasicCertificateProcessing -_kSecPolicyCheckBasicConstraints -_kSecPolicyCheckBlackListedKey -_kSecPolicyCheckBlackListedLeaf -_kSecPolicyCheckCertificatePolicy -_kSecPolicyCheckCertificateTransparency -_kSecPolicyCheckChainLength -_kSecPolicyCheckCriticalExtensions -_kSecPolicyCheckEAPTrustedServerNames -_kSecPolicyCheckEmail -_kSecPolicyCheckExtendedKeyUsage -_kSecPolicyCheckExtendedValidation -_kSecPolicyCheckGrayListedKey -_kSecPolicyCheckGrayListedLeaf -_kSecPolicyCheckIdLinkage -_kSecPolicyCheckIntermediateCountry -_kSecPolicyCheckIntermediateEKU -_kSecPolicyCheckIntermediateMarkerOid -_kSecPolicyCheckIntermediateOrganization -_kSecPolicyCheckIntermediateSPKISHA256 -_kSecPolicyCheckIssuerCommonName -_kSecPolicyCheckKeySize -_kSecPolicyCheckKeyUsage -_kSecPolicyCheckLeafMarkerOid -_kSecPolicyCheckLeafMarkerOidWithoutValueCheck -_kSecPolicyCheckLeafMarkersProdAndQA -_kSecPolicyCheckNoNetworkAccess -_kSecPolicyCheckNonEmptySubject -_kSecPolicyCheckNotValidBefore -_kSecPolicyCheckPinningRequired -_kSecPolicyCheckQualifiedCertStatements -_kSecPolicyCheckRevocation _kSecPolicyCheckRevocationAny _kSecPolicyCheckRevocationCRL _kSecPolicyCheckRevocationOCSP -_kSecPolicyCheckRevocationOnline -_kSecPolicyCheckRevocationResponseRequired -_kSecPolicyCheckSignatureHashAlgorithms -_kSecPolicyCheckSSLHostname -_kSecPolicyCheckSubjectCommonName -_kSecPolicyCheckSubjectCommonNamePrefix -_kSecPolicyCheckSubjectCommonNameTEST -_kSecPolicyCheckSubjectOrganization -_kSecPolicyCheckSubjectOrganizationalUnit -_kSecPolicyCheckSystemTrustedWeakHash -_kSecPolicyCheckSystemTrustedWeakKey 
-_kSecPolicyCheckUsageConstraints -_kSecPolicyCheckValidIntermediates -_kSecPolicyCheckValidLeaf -_kSecPolicyCheckValidRoot -_kSecPolicyCheckWeakIntermediates -_kSecPolicyCheckWeakLeaf -_kSecPolicyCheckWeakRoot _kSecPolicyLeafMarkerProd _kSecPolicyLeafMarkerQA @@ -208,10 +107,12 @@ _kSecPolicyClient _kSecPolicyContext _kSecPolicyIntermediateMarkerOid _kSecPolicyLeafMarkerOid +_kSecPolicyRootDigest _kSecPolicyName _kSecPolicyOid _kSecPolicyPolicyName _kSecPolicyRevocationFlags +_kSecPolicyRootDigest _kSecPolicyTeamIdentifier #if TARGET_OS_OSX 
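Review bot: `_kSecPolicyRootDigest` is added twice in this list, once after `_kSecPolicyLeafMarkerOid` and once after `_kSecPolicyRevocationFlags`. One entry is enough; the second, which sits in alphabetical position before `_kSecPolicyTeamIdentifier`, is the one to keep. Whether the export tooling tolerates a duplicate entry silently is not visible from here.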
@@ -226,96 +127,16 @@ _kSecPolicyKU_KeyEncipherment _kSecPolicyKU_NonRepudiation #endif -_SecPolicyCheckCertEAPTrustedServerNames -_SecPolicyCheckCertEmail -_SecPolicyCheckCertExtendedKeyUsage -_SecPolicyCheckCertLeafMarkerOid -_SecPolicyCheckCertLeafMarkerOidWithoutValueCheck -_SecPolicyCheckCertKeyUsage -_SecPolicyCheckCertNonEmptySubject -_SecPolicyCheckCertNotValidBefore -_SecPolicyCheckCertSignatureHashAlgorithms -_SecPolicyCheckCertSSLHostname -_SecPolicyCheckCertSubjectCommonName -_SecPolicyCheckCertSubjectCommonNamePrefix -_SecPolicyCheckCertSubjectCommonNameTEST +#undef POLICYCHECKMACRO +#define __PC_DO_EXPORT_(NAME) +#define __PC_DO_EXPORT_O(NAME) _SecPolicyCheckCert##NAME +#define POLICYCHECKMACRO(NAME, TRUSTRESULT, SUBTYPE, LEAFCHECK, PATHCHECK, LEAFONLY, CSSMERR, OSSTATUS) \ +__PC_DO_EXPORT_##LEAFONLY(NAME) +#include "SecPolicyChecks.list" _SecPolicyCheckCertSubjectCountry -_SecPolicyCheckCertSubjectOrganization -_SecPolicyCheckCertSubjectOrganizationalUnit + _SecPolicyCopyProperties _SecPolicyCreate -_SecPolicyCreateAppleAppTransportSecurity -_SecPolicyCreateAppleAST2Service -_SecPolicyCreateAppleATVVPNProfileSigning -_SecPolicyCreateAppleBasicAttestationSystem -_SecPolicyCreateAppleBasicAttestationUser -_SecPolicyCreateAppleCompatibilityEscrowProxyService -_SecPolicyCreateAppleCompatibilityMMCSService -_SecPolicyCreateAppleCompatibilityiCloudSetupService -_SecPolicyCreateAppleEscrowProxyService -_SecPolicyCreateAppleExternalDeveloper -_SecPolicyCreateAppleFMiPService -_SecPolicyCreateAppleGSService -_SecPolicyCreateAppleHomeKitServerAuth -_SecPolicyCreateAppleiCloudSetupService -_SecPolicyCreateAppleIDAuthorityPolicy -_SecPolicyCreateAppleIDSService -_SecPolicyCreateAppleIDSServiceContext -_SecPolicyCreateAppleIDValidationRecordSigningPolicy -_SecPolicyCreateAppleMMCSService -_SecPolicyCreateApplePackageSigning -_SecPolicyCreateApplePayIssuerEncryption -_SecPolicyCreateApplePinned -_SecPolicyCreateApplePPQService -_SecPolicyCreateApplePPQSigning 
-_SecPolicyCreateApplePushService -_SecPolicyCreateApplePushServiceLegacy -_SecPolicyCreateAppleSecureIOStaticAsset -_SecPolicyCreateAppleSMPEncryption -_SecPolicyCreateAppleSoftwareSigning -_SecPolicyCreateAppleSSLPinned -_SecPolicyCreateAppleSSLService -_SecPolicyCreateAppleTimeStamping -_SecPolicyCreateAppleTVOSApplicationSigning -_SecPolicyCreateAppleWarsaw -_SecPolicyCreateBasicX509 -_SecPolicyCreateCodeSigning -_SecPolicyCreateConfigurationProfileSigner -_SecPolicyCreateEAP -_SecPolicyCreateEscrowServiceSigner -_SecPolicyCreateFactoryDeviceCertificate -_SecPolicyCreateiAP -_SecPolicyCreateiPhoneActivation -_SecPolicyCreateiPhoneApplicationSigning -_SecPolicyCreateiPhoneDeviceCertificate -_SecPolicyCreateiPhoneProfileApplicationSigning -_SecPolicyCreateiPhoneProvisioningProfileSigning -_SecPolicyCreateiPhoneVPNApplicationSigning -_SecPolicyCreateIPSec -_SecPolicyCreateiTunesStoreURLBag -_SecPolicyCreateLockdownPairing -_SecPolicyCreateMacAppStoreReceipt -_SecPolicyCreateMacOSProfileApplicationSigning -_SecPolicyCreateMobileAsset -_SecPolicyCreateMobileAssetDevelopment -_SecPolicyCreateMobileSoftwareUpdate -_SecPolicyCreateMobileStoreSigner -_SecPolicyCreateOCSPSigner -_SecPolicyCreateOSXProvisioningProfileSigning -_SecPolicyCreateOTAPKISigner -_SecPolicyCreateOTATasking -_SecPolicyCreatePassbookCardSigner -_SecPolicyCreatePCSEscrowServiceSigner -_SecPolicyCreateQAConfigurationProfileSigner -_SecPolicyCreateRevocation -_SecPolicyCreateSSL -_SecPolicyCreateSMIME -_SecPolicyCreateTestApplePPQSigning -_SecPolicyCreateTestAppleSMPEncryption -_SecPolicyCreateTestMobileStoreSigner -_SecPolicyCreateTestOTAPKISigner -_SecPolicyCreateAppleUniqueDeviceCertificate -_SecPolicyCreateURLBag _SecPolicyCreateWithProperties _SecPolicyGetName _SecPolicyGetOidString 
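Review bot: The helper macros `__PC_DO_EXPORT_` and `__PC_DO_EXPORT_O` in this hunk carry no comment, and which `_SecPolicyCheckCert*` symbols stay exported now depends on the LEAFONLY column of `SecPolicyChecks.list`, which this file does not show. A line such as `// exports _SecPolicyCheckCert<NAME> only for entries whose LEAFONLY column is O` above the `#define`s would let a reader audit the export surface without expanding the list. The include here is written `"SecPolicyChecks.list"` while the earlier policy-check block uses `"Security/SecPolicyChecks.list"`; presumably both resolve to the same file, but a single spelling would be clearer.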
@@ -339,6 +160,11 @@ _SecPolicySetProperties _SecPolicySetValue #endif +#undef POLICYMACRO +#define POLICYMACRO(NAME, OID, ISPUBLIC, INTNAME, IN_NAME, IN_PROPERTIES, FUNCTION) \ +_SecPolicyCreate##FUNCTION +#include "SecPolicy.list" + _kSecCertificateDetailSHA1Digest _kSecCertificateDetailStatusCodes @@ -357,6 +183,7 @@ _kSecPropertyTypeURL _kSecPropertyTypeWarning _kSecSignatureDigestAlgorithmUnknown +#if TARGET_OS_IPHONE _kSecSignatureDigestAlgorithmMD2 _kSecSignatureDigestAlgorithmMD4 _kSecSignatureDigestAlgorithmMD5 @@ -365,6 +192,7 @@ _kSecSignatureDigestAlgorithmSHA224 _kSecSignatureDigestAlgorithmSHA256 _kSecSignatureDigestAlgorithmSHA384 _kSecSignatureDigestAlgorithmSHA512 +#endif _kSecTrustCertificateTransparency _kSecTrustCertificateTransparencyWhiteList @@ -400,17 +228,21 @@ _SecTrustDeserialize _SecTrustEvaluate _SecTrustEvaluateAsync _SecTrustEvaluateLeafOnly +_SecTrustEvaluateWithError +_SecTrustFlushResponseCache _SecTrustGetCertificateAtIndex _SecTrustGetCertificateCount _SecTrustGetDetails _SecTrustGetKeychainsAllowed _SecTrustGetNetworkFetchAllowed -_SecTrustGetOTAPKIAssetVersionNumber _SecTrustGetTrustResult +_SecTrustGetTrustStoreVersionNumber _SecTrustGetTypeID _SecTrustGetVerifyTime +_SecTrustGetTrustExceptionsArray _SecTrustIsExpiredOnly _SecTrustOTAPKIGetUpdatedAsset +_SecTrustReportTLSAnalytics _SecTrustSerialize _SecTrustSetAnchorCertificates _SecTrustSetAnchorCertificatesOnly @@ -427,6 +259,7 @@ _SecTrustSetVerifyDate #if TARGET_OS_OSX _SecTrustCopyAnchorCertificates _SecTrustCopyExtendedResult +_SecTrustCopyPublicKey_ios _SecTrustCopyProperties_ios _SecTrustGetCSSMAnchorCertificates _SecTrustGetCssmResult @@ -443,6 +276,8 @@ _SecTrustSetParameters _SecTrustSetUserTrust _SecTrustSetUserTrustLegacy +_SecTrustSettingsCertHashStrFromCert +_SecTrustSettingsCertHashStrFromData _SecTrustSettingsCopyCertificates _SecTrustSettingsCopyCertificatesForUserAdminDomains _SecTrustSettingsCopyModificationDate 
@@ -452,6 +287,7 @@ _SecTrustSettingsCopyUnrestrictedRoots _SecTrustSettingsCreateExternalRepresentation _SecTrustSettingsEvaluateCert _SecTrustSettingsImportExternalRepresentation +_SecTrustSettingsPurgeUserAdminCertsCache _SecTrustSettingsRemoveTrustSettings _SecTrustSettingsSetTrustSettings _SecTrustSettingsSetTrustSettingsExternal @@ -470,6 +306,7 @@ _SecTrustedApplicationRemoveEquivalence _SecTrustedApplicationSetData _SecTrustedApplicationUseAlternateSystem _SecTrustedApplicationValidateWithPath + #endif #if TARGET_OS_IPHONE @@ -506,11 +343,13 @@ _SecCertificateCopyCommonNames _SecCertificateCopyCompanyName _SecCertificateCopyCountry _SecCertificateCopyDNSNames +_SecCertificateCopyDNSNamesFromSAN _SecCertificateCopyDNSNamesFromSubject _SecCertificateCopyData _SecCertificateCopyEmailAddresses _SecCertificateCopyEscrowRoots _SecCertificateCopyExtendedKeyUsage +_SecCertificateCopyExtensionValue _SecCertificateCopyiAPAuthCapabilities _SecCertificateCopyIPAddresses _SecCertificateCopyIPAddressesFromSubject @@ -595,6 +434,10 @@ _SecCertificateShow _SecCertificateVersion _SecDistinguishedNameCopyNormalizedContent _SecDistinguishedNameCopyNormalizedSequence + +_SecCertificateArrayCopyXPCArray +_SecCertificateAppendToXPCArray +_SecCertificateCreateWithXPCArrayAtIndex #if TARGET_OS_OSX _SecCertificateAddToKeychain _SecCertificateCopyFieldValues @@ -605,14 +448,13 @@ _SecCertificateCopyNormalizedSubjectContent _SecCertificateCopyPreference _SecCertificateCopyPreferred _SecCertificateCopyPublicKey_ios -_SecCertificateCopyPublicKeyP _SecCertificateCopyPublicKeySHA1DigestFromCertificateData _SecCertificateCopyShortDescription _SecCertificateCopySubjectComponent _SecCertificateCopyValues _SecCertificateCreateFromData _SecCertificateCreateItemImplInstance -_SecCertificateCreateWithDataP +_SecCertificateCreateFromItemImplInstance _SecCertificateFindByEmail _SecCertificateFindByIssuerAndSN _SecCertificateFindBySubjectKeyID 
@@ -627,6 +469,7 @@ _SecCertificateGetSubject _SecCertificateGetType _SecCertificateInferLabel _SecCertificateIsValidX +_SecCertificateIsItemImplInstance _SecCertificateReleaseFieldValues _SecCertificateReleaseFirstFieldValue _SecCertificateSetPreference @@ -643,24 +486,13 @@ _SecCertificateBundleExport _SecCertificateBundleImport #endif /* TARGET_OS_OSX */ -// -// CertificatePath -// -_SecCertificatePathCopyPublicKeyAtIndex -_SecCertificatePathCopyXPCArray -_SecCertificatePathCreateDeserialized -_SecCertificatePathCreateSerialized -_SecCertificatePathCreateWithCertificates -_SecCertificatePathGetCertificateAtIndex -_SecCertificatePathGetCount -_SecCertificatePathGetIndexOfCertificate - #if TARGET_OS_IPHONE // // SCEP // _SecSCEPCreateTemporaryIdentity _SecSCEPCertifyRequest +_SecSCEPCertifyRequestWithAlgorithms _SecSCEPGenerateCertificateRequest _SecSCEPVerifyReply _SecSCEPValidateCACertMessage 
@@ -682,53 +514,97 @@ _kSecOidOrganization _kSecOidOrganizationalUnit _kSecOidStateProvinceName _kSecSubjectAltName +_kSecSubjectAltNameDNSName +_kSecSubjectAltNameEmailAddress +_kSecSubjectAltNameNTPrincipalName +_kSecSubjectAltNameURI _SecASN1PrintableString _SecASN1UTF8String _SecGenerateCertificateRequest _SecGenerateCertificateRequestWithParameters _SecGenerateSelfSignedCertificate _SecIdentitySignCertificate +_SecIdentitySignCertificateWithAlgorithm _SecVerifyCertificateRequest -#if TARGET_OS_OSX -_SecCertificateFindRequest -_SecCertificateRequestCreate -_SecCertificateRequestGetData -_SecCertificateRequestGetResult -_SecCertificateRequestGetType -_SecCertificateRequestGetTypeID -_SecCertificateRequestSubmit -#endif +_SecGenerateCertificateRequestSubject // // OTR // -#if TARGET_OS_IPHONE -_SecFDHKAppendCompactPublicSerialization -_SecFDHKAppendPublicSerialization +_SecOTRPacketTypeString +_SecOTRSEndSession +_SecOTRSPrecalculateKeys +_SecOTRSessionCreateRemote +_SecOTRSessionProcessPacketRemote -_SecOTRCopyIncomingBytes -_SecOTRDHKGenerateOTRKeys +_SecOTRAdvertiseHashes _SecOTRFIAppendSerialization _SecOTRFIPurgeAllFromKeychain _SecOTRFIPurgeFromKeychain -_SecOTRFullDHKCreate _SecOTRFullIdentityCreate _SecOTRFullIdentityCreateFromData +_SecOTRFullIdentityCreateFromBytes + _SecOTRPIAppendSerialization -_SecOTRPacketTypeString +_SecOTRPublicIdentityCopyFromPrivate +_SecOTRPublicIdentityCreateFromData +_SecOTRPublicIdentityCreateFromBytes + +#if TARGET_OS_IPHONE +_SecFDHKAppendCompactPublicSerialization +_SecFDHKAppendPublicSerialization + +_SecOTRCopyIncomingBytes +_SecOTRDHKGenerateOTRKeys +_SecOTRFullDHKCreate _SecOTRPublicDHKCreateFromCompactSerialization _SecOTRPublicDHKCreateFromFullKey _SecOTRPublicDHKCreateFromSerialization -_SecOTRPublicIdentityCopyFromPrivate -_SecOTRPublicIdentityCreateFromData -_SecOTRSEndSession _SecOTRSGetKeyID _SecOTRSGetTheirKeyID +_SOSOTRSRoll _SecOTRSKickTimeToRoll -_SecOTRSPrecalculateKeys -_SecOTRSessionCreateRemote 
-_SecOTRSessionProcessPacketRemote +_SecDHKIsGreater +_SecECKeyGeneratePair +_SecFDHKAppendSerialization +_SecFDHKGetHash +_SecFDHKNewKey +_SecPDHKAppendCompactSerialization +_SecPDHKAppendSerialization +_SecPDHKGetHash +_SecPDHKeyGenerateS + +_SecOTRAppendDHKeyMessage +_SecOTRAppendDHMessage +_SecOTRAppendRevealSignatureMessage +_SecOTRAppendSignatureMessage +_SecOTRCreateError +_SecOTRFIAppendPublicHash +_SecOTRFIAppendSignature +_SecOTRFIComparePublicHash +_SecOTRFICompareToPublicKey +_SecOTRFISignatureSize +_SecOTRFullDHKCreateFromBytes +_SecOTRPIAppendHash +_SecOTRPICompareHash +_SecOTRPICompareToPublicKey +_SecOTRPICopyHash +_SecOTRPIEqual +_SecOTRPIEqualToBytes +_SecOTRPISignatureSize +_SecOTRPIVerifySignature +_SecOTRPrepareOutgoingBytes +_SecOTRPublicDHKCreateFromBytes +_SecOTRSetupInitialRemoteKey + +_kOTRSignatureAlgIDPtr +_DeriveOTR128BitPairFromS +_DeriveOTR256BitsFromS +_DeriveOTR64BitsFromS +_EnsureOTRAlgIDInited +_AES_CTR_HighHalf_Transform +_AES_CTR_IV0_Transform #endif _SecOTRSessionIsSessionInAwaitingState @@ -756,9 +632,7 @@ _SecOTRSessionReset _SecDHComputeKey _SecDHCreate -#if TARGET_OS_IPHONE _SecDHCreateFromAlgorithmId -#endif _SecDHCreateFromParameters _SecDHDecodeParams _SecDHDestroy @@ -833,6 +707,7 @@ _CMSEncoderSetEncoder _CMSEncoderAddSignedAttributes _CMSEncoderSetSigningTime _CMSEncoderSetAppleCodesigningHashAgility +_CMSEncoderSetAppleCodesigningHashAgilityV2 _CMSEncoderSetCertificateChainMode _CMSEncoderGetCertificateChainMode _CMSEncoderUpdateContent @@ -855,6 +730,7 @@ _CMSDecoderCopySignerEmailAddress _CMSDecoderCopySignerCert _CMSDecoderCopySignerSigningTime _CMSDecoderCopySignerAppleCodesigningHashAgility +_CMSDecoderCopySignerAppleCodesigningHashAgilityV2 _SecCMSCertificatesOnlyMessageCopyCertificates _SecCMSCreateCertificatesOnlyMessage _SecCMSCreateCertificatesOnlyMessageIAP 
@@ -878,6 +754,7 @@ _SecCmsContentInfoSetContentEncAlg _SecCmsContentInfoSetContentEncAlgID _SecCmsContentInfoSetContentEncryptedData _SecCmsContentInfoSetContentEnvelopedData +_SecCmsContentInfoSetContentOther _SecCmsContentInfoSetContentSignedData _SecCmsDecoderCreate _SecCmsDecoderDestroy @@ -916,6 +793,7 @@ _SecCmsMessageIsEncrypted _SecCmsMessageIsSigned _SecCmsRecipientInfoCreate _SecCmsRecipientInfoCreateWithSubjKeyID +_SecCmsRecipientInfoCreateWithSubjKeyIDFromCert _SecCmsSignedDataAddCertChain _SecCmsSignedDataAddCertList _SecCmsSignedDataAddCertificate @@ -935,6 +813,7 @@ _SecCmsSignedDataSignerInfoCount _SecCmsSignedDataVerifyCertsOnly _SecCmsSignedDataVerifySignerInfo _SecCmsSignerInfoAddAppleCodesigningHashAgility +_SecCmsSignerInfoAddAppleCodesigningHashAgilityV2 _SecCmsSignerInfoAddCounterSignature _SecCmsSignerInfoAddMSSMIMEEncKeyPrefs _SecCmsSignerInfoAddSMIMECaps @@ -943,6 +822,7 @@ _SecCmsSignerInfoAddSigningTime _SecCmsSignerInfoCreate _SecCmsSignerInfoCreateWithSubjKeyID _SecCmsSignerInfoGetAppleCodesigningHashAgility +_SecCmsSignerInfoGetAppleCodesigningHashAgilityV2 _SecCmsSignerInfoGetCertList _SecCmsSignerInfoGetDigestAlg _SecCmsSignerInfoGetDigestAlgTag @@ -963,6 +843,7 @@ _kSecCMSCertChainModeNone _kSecCMSEncryptionAlgorithmAESCBC _kSecCMSEncryptionAlgorithmDESCBC _kSecCMSHashAgility +_kSecCMSHashAgilityV2 _kSecCMSHashingAlgorithmMD5 _kSecCMSHashingAlgorithmSHA1 _kSecCMSHashingAlgorithmSHA256 
@@ -1068,15 +949,18 @@ _SecCmsSignedDataSignerInfoCount _SecCmsSignedDataVerifyCertsOnly _SecCmsSignedDataVerifySignerInfo _SecCmsSignerInfoAddAppleCodesigningHashAgility +_SecCmsSignerInfoAddAppleCodesigningHashAgilityV2 _SecCmsSignerInfoAddCounterSignature _SecCmsSignerInfoAddMSSMIMEEncKeyPrefs _SecCmsSignerInfoAddSMIMECaps _SecCmsSignerInfoAddSMIMEEncKeyPrefs _SecCmsSignerInfoAddSigningTime +_SecCmsSignerInfoAddTimeStamp _SecCmsSignerInfoCreate _SecCmsSignerInfoCreateWithSubjKeyID _SecCmsSignerInfoDestroy _SecCmsSignerInfoGetAppleCodesigningHashAgility +_SecCmsSignerInfoGetAppleCodesigningHashAgilityV2 _SecCmsSignerInfoGetCertList _SecCmsSignerInfoGetDigestAlg _SecCmsSignerInfoGetDigestAlgTag @@ -1085,15 +969,19 @@ _SecCmsSignerInfoGetSignerCommonName _SecCmsSignerInfoGetSignerEmailAddress _SecCmsSignerInfoGetSigningCertificate _SecCmsSignerInfoGetSigningTime +_SecCmsSignerInfoGetTimestampCertList +_SecCmsSignerInfoGetTimestampSigningCert _SecCmsSignerInfoGetTimestampTime +_SecCmsSignerInfoGetTimestampTimeWithPolicy _SecCmsSignerInfoGetVerificationStatus _SecCmsSignerInfoIncludeCerts _SecCmsSignerInfoSaveSMIMEProfile _SecCmsSignerInfoCopyCertFromEncryptionKeyPreference +_SecCmsSignerInfoVerifyUnAuthAttrs +_SecCmsSignerInfoVerifyUnAuthAttrsWithPolicy _SecCmsTSADefaultCallback _SecCmsTSAGetDefaultContext _SecCmsUtilVerificationStatusToString -_SecTSAResponseCopyDEREncoding _kSecCMSAdditionalCerts _kSecCMSAllCerts _kSecCMSBulkEncryptionAlgorithm @@ -1101,6 +989,7 @@ _kSecCMSCertChainMode _kSecCMSEncryptionAlgorithmAESCBC _kSecCMSEncryptionAlgorithmDESCBC _kSecCMSHashAgility +_kSecCMSHashAgilityV2 _kSecCMSHashingAlgorithmSHA1 _kSecCMSHashingAlgorithmSHA256 _kSecCMSHashingAlgorithmSHA384 @@ -1112,8 +1001,6 @@ _kSecCMSSignHashAlgorithm _kSecCMSSignedAttributes _kTSAContextKeyNoCerts _kTSAContextKeyURL -_kTSADebugContextKeyBadNonce -_kTSADebugContextKeyBadReq #endif // TARGET_OS_OSX _SecCMSVerify 
@@ -1151,6 +1038,9 @@ _SecECKeyGetNamedCurve _SecKeyCopyAttestationKey #if TARGET_OS_IPHONE _SecKeyCopyAttributeDictionary +_SecKeyCreatePublicFromDER +_SecKeyGeneratePrivateAttributeDictionary +_SecKeyGeneratePublicAttributeDictionary #endif /* TARGET_OS_IPHONE */ _SecKeyCopyAttributes _SecKeyCopyExponent @@ -1288,6 +1178,7 @@ _kSecKeyAlgorithmECDSASignatureMessageX962SHA256 _kSecKeyAlgorithmECDSASignatureMessageX962SHA384 _kSecKeyAlgorithmECDSASignatureMessageX962SHA512 _kSecKeyAlgorithmECDSASignatureRFC4754 +_kSecKeyAlgorithmECIESEncryptionAKSSmartCard _kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA224AESGCM _kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA256AESGCM _kSecKeyAlgorithmECIESEncryptionCofactorVariableIVX963SHA384AESGCM @@ -1697,6 +1588,7 @@ _SecItemCopyParentCertificates_ios _SecItemDelete #if TARGET_OS_IPHONE _SecItemDeleteAll +_SecItemUpdateWithError #endif _SecItemUpdate __SecItemAddAndNotifyOnSync @@ -1708,6 +1600,7 @@ __SecItemCreatePersistentRef __SecItemParsePersistentRef __SecKeychainBackupSyncable __SecKeychainCopyBackup +__SecKeychainCopyEMCSBackup __SecKeychainCopyOTABackup __SecKeychainRestoreBackup __SecKeychainRestoreBackupFromFileDescriptor @@ -1719,10 +1612,16 @@ __SecKeychainCopyKeybagUUIDFromFileDescriptor _SecItemBackupWithRegisteredBackups _SecItemBackupSetConfirmedManifest _SecItemBackupRestore +_SecBackupKeybagAdd +_SecBackupKeybagDelete _SecItemBackupCopyMatching +_SecItemBackupCreateManifest _SecItemBackupWithChanges -#if TARGET_OS_IPHONE +_SecBackupKeybagAdd +_SecBackupKeybagDelete + __SecKeychainRollKeys +#if TARGET_OS_IPHONE _SecAddSharedWebCredential _SecRequestSharedWebCredential @@ -1741,7 +1640,7 @@ _SecItemDeleteAllWithAccessGroups _SecTokenItemValueCopy __SecSecuritydCopyCKKSEndpoint -__SecSecuritydCopySOSStatusEndpoint +__SecSecuritydCopyKeychainControlEndpoint #if TARGET_OS_IPHONE _kSecXPCKeyAttributesToUpdate 
diff --git a/OSX/sec/Security/SecFramework.c b/OSX/sec/Security/SecFramework.c
index 83d7782c..25e219d1 100644
--- a/OSX/sec/Security/SecFramework.c
+++ b/OSX/sec/Security/SecFramework.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006-2010,2012-2014 Apple Inc. All Rights Reserved.
+ * Copyright (c) 2006-2017 Apple Inc. All Rights Reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
@@ -106,6 +106,60 @@ CFDataRef SecFrameworkCopyResourceContents(CFStringRef resourceName, return data; } +static CFStringRef copyErrorMessageFromBundle(OSStatus status, CFStringRef tableName); + +// caller MUST release the string, since it is gotten with "CFCopyLocalizedStringFromTableInBundle" +// intended use of reserved param is to pass in CFStringRef with name of the Table for lookup +// Will look by default in "SecErrorMessages.strings" in the resources of Security.framework. + + +CFStringRef +SecCopyErrorMessageString(OSStatus status, void *reserved) +{ + CFStringRef result = copyErrorMessageFromBundle(status, CFSTR("SecErrorMessages")); + if (!result) + result = copyErrorMessageFromBundle(status, CFSTR("SecDebugErrorMessages")); + + if (!result) + { + // no error message found, so format a faked-up error message from the status + result = CFStringCreateWithFormat(NULL, NULL, CFSTR("OSStatus %d"), (int)status); + } + + return result; +} + +CFStringRef +copyErrorMessageFromBundle(OSStatus status,CFStringRef tableName) +{ + + CFStringRef errorString = nil; + CFStringRef keyString = nil; + CFBundleRef secBundle = NULL; + + // Make a bundle instance using the URLRef. + secBundle = CFBundleGetBundleWithIdentifier(kSecFrameworkBundleID); + if (!secBundle) + goto exit; + + // Convert status to Int32 string representation, e.g. "-25924" + keyString = CFStringCreateWithFormat (kCFAllocatorDefault, NULL, CFSTR("%d"), (int)status); + if (!keyString) + goto exit; + + errorString = CFCopyLocalizedStringFromTableInBundle(keyString, tableName, secBundle, NULL); + if (CFStringCompare(errorString, keyString, 0) == kCFCompareEqualTo) // no real error message + { + if (errorString) + CFRelease(errorString); + errorString = nil; + } +exit: + if (keyString) + CFRelease(keyString); + + return errorString; +} const SecRandomRef kSecRandomDefault = NULL; diff --git a/OSX/sec/Security/SecFrameworkStrings.h b/OSX/sec/Security/SecFrameworkStrings.h index 702093b6..8ae87f60 100644 
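Review bot: In `copyErrorMessageFromBundle`, `errorString` is passed to `CFStringCompare` before it is checked for NULL, while the `if (errorString)` inside that branch shows a NULL result was considered possible. The guard belongs in the condition: `if (errorString && CFStringCompare(errorString, keyString, 0) == kCFCompareEqualTo) { CFRelease(errorString); errorString = NULL; }`. The comment above `SecCopyErrorMessageString` says `reserved` carries the table name, but the body never reads it and always tries `SecErrorMessages` then `SecDebugErrorMessages`, so the comment should state that the parameter is currently ignored. The comment `// Make a bundle instance using the URLRef.` is also out of step with the code, which looks the bundle up by `kSecFrameworkBundleID`.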
--- a/OSX/sec/Security/SecFrameworkStrings.h +++ b/OSX/sec/Security/SecFrameworkStrings.h @@ -1,15 +1,15 @@ /* - * Copyright (c) 2009,2012-2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2009,2012-2014,2018 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ - * + * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this * file. - * + * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, @@ -17,7 +17,7 @@ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. - * + * * @APPLE_LICENSE_HEADER_END@ */ 
@@ -39,11 +39,11 @@ __BEGIN_DECLS /* SecCertificate Strings */ #define SEC_NULL_KEY SecStringWithDefaultValue("", "Certificate", 0, "", "Value of a field if its length is 0") -#define SEC_OID_TOO_LONG_KEY SecStringWithDefaultValue("Oid too long", "Certificate", 0, "Oid too long", "value of an oid field if it's length is more than what we allow for oids") +#define SEC_OID_TOO_LONG_KEY SecStringWithDefaultValue("OID too long", "Certificate", 0, "OID too long", "value of an OID field if it's length is more than what we allow for oids") #define SEC_UNPARSED_KEY SecStringWithDefaultValue("Unparsed %@", "Certificate", 0, "Unparsed %@", "Label of a value is printed into this string if the data can not been parsed according to it's type") #define SEC_INVALID_KEY SecStringWithDefaultValue("Invalid %@", "Certificate", 0, "Invalid %@", "Label of a value is printed into this string if the data is not valid") -#define SEC_ALGORITHM_KEY SecStringWithDefaultValue("Algorithm", "Certificate", 0, "Algorithm", "Label of the algorithm subfield of an AlgorithmIdentifer") -#define SEC_PARAMETERS_KEY SecStringWithDefaultValue("Parameters", "Certificate", 0, "Parameters", "Label of the parameters subfield of an AlgorithmIdentifer") +#define SEC_ALGORITHM_KEY SecStringWithDefaultValue("Algorithm", "Certificate", 0, "Algorithm", "Label of the algorithm sub-field of an AlgorithmIdentifer") +#define SEC_PARAMETERS_KEY SecStringWithDefaultValue("Parameters", "Certificate", 0, "Parameters", "Label of the parameters sub-field of an AlgorithmIdentifer") #define SEC_NONE_KEY SecStringWithDefaultValue("none", "Certificate", 0, "none", "field value of parameters field when no parameters are present") #define SEC_BLOB_KEY SecStringWithDefaultValue("%@; %d %@; data = %@", "Certificate", 0, "%@; %d %@; data = %@", "Format string for encoded field data (e.g. 
Sequence; 128 bytes; data = 00 00 ...)") #define SEC_BYTE_STRING_KEY SecStringWithDefaultValue("Byte string", "Certificate", 0, "Byte string", "First argument to SEC_BLOB_KEY format string for a Byte string") 
@@ -58,20 +58,20 @@ __BEGIN_DECLS #define SEC_YES_KEY SecStringWithDefaultValue("Yes", "Certificate", 0, "Yes", "Value for a boolean property when it's value is true (example critical: yes)") #define SEC_NO_KEY SecStringWithDefaultValue("No", "Certificate", 0, "No", "Value for a boolean property when it's value is false (example critical: no)") #define SEC_STRING_LIST_KEY SecStringWithDefaultValue("%@, %@", "Certificate", 0, "%@, %@", "Format string used to build a list of values, first argument is list second argument is to be appended element") -#define SEC_DIGITAL_SIGNATURE_KEY SecStringWithDefaultValue("Digital Signature", "Certificate", 0, "Digital Signature", "X.509 key usage bitfield name") -#define SEC_NON_REPUDIATION_KEY SecStringWithDefaultValue("Non-Repudiation", "Certificate", 0, "Non-Repudiation", "X.509 key usage bitfield name") -#define SEC_KEY_ENCIPHERMENT_KEY SecStringWithDefaultValue("Key Encipherment", "Certificate", 0, "Key Encipherment", "X.509 key usage bitfield name") -#define SEC_DATA_ENCIPHERMENT_KEY SecStringWithDefaultValue("Data Encipherment", "Certificate", 0, "Data Encipherment", "X.509 key usage bitfield name") -#define SEC_KEY_AGREEMENT_KEY SecStringWithDefaultValue("Key Agreement", "Certificate", 0, "Key Agreement", "X.509 key usage bitfield name") -#define SEC_CERT_SIGN_KEY SecStringWithDefaultValue("Cert Sign", "Certificate", 0, "Cert Sign", "X.509 key usage bitfield name") -#define SEC_CRL_SIGN_KEY SecStringWithDefaultValue("CRL Sign", "Certificate", 0, "CRL Sign", "X.509 key usage bitfield name") -#define SEC_ENCIPHER_ONLY_KEY SecStringWithDefaultValue("Encipher Only", "Certificate", 0, "Encipher Only", "X.509 key usage bitfield name") -#define SEC_DECIPHER_ONLY_KEY SecStringWithDefaultValue("Decipher Only", "Certificate", 0, "Decipher Only", "X.509 key usage bitfield name") -#define SEC_USAGE_KEY SecStringWithDefaultValue("Usage", "Certificate", 0, "Usage", "Label for KeyUsage bitfield values") +#define 
SEC_DIGITAL_SIGNATURE_KEY SecStringWithDefaultValue("Digital Signature", "Certificate", 0, "Digital Signature", "X.509 key usage bit-field name") +#define SEC_NON_REPUDIATION_KEY SecStringWithDefaultValue("Non-Repudiation", "Certificate", 0, "Non-Repudiation", "X.509 key usage bit-field name") +#define SEC_KEY_ENCIPHERMENT_KEY SecStringWithDefaultValue("Key Encipherment", "Certificate", 0, "Key Encipherment", "X.509 key usage bit-field name") +#define SEC_DATA_ENCIPHERMENT_KEY SecStringWithDefaultValue("Data Encipherment", "Certificate", 0, "Data Encipherment", "X.509 key usage bit-field name") +#define SEC_KEY_AGREEMENT_KEY SecStringWithDefaultValue("Key Agreement", "Certificate", 0, "Key Agreement", "X.509 key usage bit-field name") +#define SEC_CERT_SIGN_KEY SecStringWithDefaultValue("Cert Sign", "Certificate", 0, "Cert Sign", "X.509 key usage bit-field name") +#define SEC_CRL_SIGN_KEY SecStringWithDefaultValue("CRL Sign", "Certificate", 0, "CRL Sign", "X.509 key usage bit-field name") +#define SEC_ENCIPHER_ONLY_KEY SecStringWithDefaultValue("Encipher Only", "Certificate", 0, "Encipher Only", "X.509 key usage bit-field name") +#define SEC_DECIPHER_ONLY_KEY SecStringWithDefaultValue("Decipher Only", "Certificate", 0, "Decipher Only", "X.509 key usage bit-field name") +#define SEC_USAGE_KEY SecStringWithDefaultValue("Usage", "Certificate", 0, "Usage", "Label for Key Usage bit-field values") #define SEC_NOT_VALID_BEFORE_KEY SecStringWithDefaultValue("Not Valid Before", "Certificate", 0, "Not Valid Before", "label indicating the soonest date at which something is valid") #define SEC_NOT_VALID_AFTER_KEY SecStringWithDefaultValue("Not Valid After", "Certificate", 0, "Not Valid After", "label indicating the date after which something is no longer valid") #define SEC_VALIDITY_PERIOD_KEY SecStringWithDefaultValue("Validity Period", "Certificate", 0, "Validity Period", "") -#define SEC_PRIVATE_KU_PERIOD_KEY SecStringWithDefaultValue("Private Key Usage Period", 
"Certificate", 0, "Private Key Usage Period", "Label for an invlaid private key se perion value") +#define SEC_PRIVATE_KU_PERIOD_KEY SecStringWithDefaultValue("Private Key Usage Period", "Certificate", 0, "Private Key Usage Period", "Label for an invalid private key usage period value") #define SEC_OTHER_NAME_KEY SecStringWithDefaultValue("Other Name", "Certificate", 0, "Other Name", "Label used for Other Name RDN when value is invalid") #define SEC_EMAIL_ADDRESS_KEY SecStringWithDefaultValue("Email Address", "Certificate", 0, "Email Address", "label for general name field value") #define SEC_DNS_NAME_KEY SecStringWithDefaultValue("DNS Name", "Certificate", 0, "DNS Name", "label for general name field value") 
@@ -90,10 +90,10 @@ __BEGIN_DECLS /* Name Constraints extension */ #define SEC_NAME_CONSTRAINTS_KEY SecStringWithDefaultValue("Name Constraints", "Certificate", 0, "Name Constraints", "Label used for Name Constraints when value is invalid") #define SEC_PERMITTED_MINIMUM_KEY SecStringWithDefaultValue("Permitted Subtree Minimum", "Certificate", 0, "Permitted Subtree Minimum", "Label for minimum base distance property of a permitted subtree in name constraints extension.") -#define SEC_PERMITTED_MAXIMUM_KEY SecStringWithDefaultValue("Permitted Subtree Maxmimum", "Certificate", 0, "Permitted Subtree Maximum", "Label for maximum base distance property of a permitted subtree in name constraints extension.") +#define SEC_PERMITTED_MAXIMUM_KEY SecStringWithDefaultValue("Permitted Subtree Maximum", "Certificate", 0, "Permitted Subtree Maximum", "Label for maximum base distance property of a permitted subtree in name constraints extension.") #define SEC_PERMITTED_NAME_KEY SecStringWithDefaultValue("Permitted Subtree General Name", "Certificate", 0, "Permitted Subtree General Name", "Label for general name of a permitted subtree in name constraints extension.") #define SEC_EXCLUDED_MINIMUM_KEY SecStringWithDefaultValue("Excluded Subtree Minimum", "Certificate", 0, "Excluded Subtree Minimum", "Label for minimum base distance property of an excluded subtree in name constraints extension.") -#define SEC_EXCLUDED_MAXIMUM_KEY SecStringWithDefaultValue("Excluded Subtree Maxmimum", "Certificate", 0, "Excluded Subtree Maximum", "Label for maximum base distance property of an excluded subtree in name constraints extension.") +#define SEC_EXCLUDED_MAXIMUM_KEY SecStringWithDefaultValue("Excluded Subtree Maximum", "Certificate", 0, "Excluded Subtree Maximum", "Label for maximum base distance property of an excluded subtree in name constraints extension.") #define SEC_EXCLUDED_NAME_KEY SecStringWithDefaultValue("Excluded Subtree General Name", "Certificate", 0, "Excluded Subtree General 
Name", "Label for general name of an excluded subtree in name constraints extension.") /* CRL Distribution Points extension */ @@ -107,7 +107,7 @@ __BEGIN_DECLS #define SEC_CERTIFICATE_HOLD_KEY SecStringWithDefaultValue("Certificate Hold", "Certificate", 0, "Certificate Hold", "CRL Distribution Points extension supported reason name") #define SEC_PRIV_WITHDRAWN_KEY SecStringWithDefaultValue("Privilege Withdrawn", "Certificate", 0, "Privilege Withdrawn", "CRL Distribution Points extension supported reason name") #define SEC_AA_COMPROMISE_KEY SecStringWithDefaultValue("AA Compromise", "Certificate", 0, "AA Compromise", "CRL Distribution Points extension supported reason name") -#define SEC_REASONS_KEY SecStringWithDefaultValue("Reasons", "Certificate", 0, "Reasons", "CRL Distribution Points extension supported reasons bitfield label") +#define SEC_REASONS_KEY SecStringWithDefaultValue("Reasons", "Certificate", 0, "Reasons", "CRL Distribution Points extension supported reasons bit-field label") #define SEC_CRL_ISSUER_KEY SecStringWithDefaultValue("CRL Issuer", "Certificate", 0, "CRL Issuer", "Label for CRL issuer field of CRL Distribution Points extension") #define SEC_CRL_DISTR_POINTS_KEY SecStringWithDefaultValue("CRL Distribution Points", "Certificate", 0, "CRL Distribution Points", "CRL Distribution Points extension label") 
@@ -155,7 +155,7 @@ __BEGIN_DECLS #define SEC_CRITICAL_KEY SecStringWithDefaultValue("Critical", "Certificate", 0, "Critical", "Label of field in extension that indicates whether this extension is critical") #define SEC_DATA_KEY SecStringWithDefaultValue("Data", "Certificate", 0, "Data", "Label for raw data of extension (used for unknown extensions)") -#define SEC_COMMON_NAME_DESC_KEY SecStringWithDefaultValue("%@ (%@)", "Certificate", 0, "%@ (%@)", "If a X500 name has a description and a common name we display CommonName (Description) using this format string") +#define SEC_COMMON_NAME_DESC_KEY SecStringWithDefaultValue("%@ (%@)", "Certificate", 0, "%@ (%@)", "If a X.500 name has a description and a common name we display Common Name (Description) using this format string") //#define SEC_ISSUER_SUMMARY_KEY SecStringWithDefaultValue("Issuer Summary", "Certificate", 0, "Issuer Summary", "") //#define SEC_ISSUED_BY_KEY SecStringWithDefaultValue("Issued By", "Certificate", 0, "Issued By", "") 
@@ -190,15 +190,7 @@ __BEGIN_DECLS #define SEC_SHA1_FINGERPRINT_KEY SecStringWithDefaultValue("SHA-1", "Certificate", 0, "SHA-1", "") #define SEC_SHA2_FINGERPRINT_KEY SecStringWithDefaultValue("SHA-256", "Certificate", 0, "SHA-256", "") -/* SecTrust Strings. */ -#define SEC_INVALID_LINKAGE_KEY SecStringWithDefaultValue("Invalid certificate chain linkage.", "Certificate", 0, "Invalid certificate chain linkage.", "") -#define SEC_BAD_CRIT_EXTN_KEY SecStringWithDefaultValue("One or more unsupported critical extensions found.", "Certificate", 0, "One or more unsupported critical extensions found.", "") -#define SEC_ROOT_UNTRUSTED_KEY SecStringWithDefaultValue("Root certificate is not trusted.", "Certificate", 0, "Root certificate is not trusted.", "") -#define SEC_HOSTNAME_MISMATCH_KEY SecStringWithDefaultValue("Hostname mismatch.", "Certificate", 0, "Hostname mismatch.", "") -#define SEC_POLICY__REQ_NOT_MET_KEY SecStringWithDefaultValue("Policy requirements not met.", "Certificate", 0, "Policy requirements not met.", "") -#define SEC_CHAIN_VALIDITY_ERR_KEY SecStringWithDefaultValue("One or more certificates have expired or are not valid yet.", "Certificate", 0, "One or more certificates have expired or are not valid yet.", "") -#define SEC_WEAK_KEY_ERR_KEY SecStringWithDefaultValue("One or more certificates is using a weak key size.", "Certificate", 0, "One or more certificates is using a weak key size.", "") - +/* Cloud Keychain Strings */ #define SEC_CK_PASSWORD_INCORRECT SecStringWithDefaultValue("Incorrect Password For “%@”", "CloudKeychain", 0, "Incorrect Password For “%@”", "Title for alert when password has been entered incorrectly") #define SEC_CK_TRY_AGAIN SecStringWithDefaultValue("Try Again", "CloudKeychain", 0, "Try Again", "Button for try again after incorrect password") #define SEC_CK_ALLOW SecStringWithDefaultValue("Allow", "CloudKeychain", 0, "Allow", "Allow button") 
@@ -215,7 +207,7 @@ __BEGIN_DECLS #define SEC_CK_TID_DAYS SecStringWithDefaultValue("days", "CloudKeychain", 0, "days", "More than one day") #define SEC_CK_PWD_REQUIRED_TITLE SecStringWithDefaultValue("Apple ID Password Required", "CloudKeychain", 0, "Apple ID Password Required", "Title for alert when iCloud keychain was disabled or reset") -#define SEC_CK_PWD_REQUIRED_BODY_OSX SecStringWithDefaultValue("Enter your password in iCloud Preferences.", "CloudKeychain", 0, "Enter your password in iCloud Preferences.", "OSX alert text when iCloud keychain was disabled or reset") +#define SEC_CK_PWD_REQUIRED_BODY_OSX SecStringWithDefaultValue("Enter your password in iCloud Preferences.", "CloudKeychain", 0, "Enter your password in iCloud Preferences.", "macOS alert text when iCloud keychain was disabled or reset") #define SEC_CK_PWD_REQUIRED_BODY_IOS SecStringWithDefaultValue("Enter your password in iCloud Settings.", "CloudKeychain", 0, "Enter your password in iCloud Settings.", "iOS alert text when iCloud keychain was disabled or reset") #define SEC_CK_CR_REASON_INTERNAL SecStringWithDefaultValue(" (AppleInternal: departure reason %s)", "CloudKeychain", 0, " (AppleInternal: departure reason %s)", "Display departure reason code on internal devices") #define SEC_CK_CONTINUE SecStringWithDefaultValue("Continue", "CloudKeychain", 0, "Continue", "Button text to continue to iCloud settings (iOS)") 
@@ -227,8 +219,8 @@ __BEGIN_DECLS #define SEC_CK_APPROVAL_BODY_OSX_IPOD SecStringWithDefaultValue("This iPod wants to use your iCloud account.", "CloudKeychain", 0, "This iPod wants to use your iCloud account.", "Body text when approving an iPod on Mac") #define SEC_CK_APPROVAL_BODY_OSX_MAC SecStringWithDefaultValue("This Mac wants to use your iCloud account.", "CloudKeychain", 0, "This Mac wants to use your iCloud account.", "Body text when approving a Mac on Mac") #define SEC_CK_APPROVAL_BODY_OSX_GENERIC SecStringWithDefaultValue("This device wants to use your iCloud account.", "CloudKeychain", 0, "This device wants to use your iCloud account.", "Body text when approving a device on Mac") -#define SEC_CK_APPROVE SecStringWithDefaultValue("Approve", "CloudKeychain", 0, "Approve", "Button text to approve icloud sign in request") -#define SEC_CK_DECLINE SecStringWithDefaultValue("Decline", "CloudKeychain", 0, "Decline", "Button text to decline icloud sign in request") +#define SEC_CK_APPROVE SecStringWithDefaultValue("Approve", "CloudKeychain", 0, "Approve", "Button text to approve iCloud sign in request") +#define SEC_CK_DECLINE SecStringWithDefaultValue("Decline", "CloudKeychain", 0, "Decline", "Button text to decline iCloud sign in request") #define SEC_CK_APPROVAL_BODY_IOS_IPAD SecStringWithDefaultValue("Enter the password for the Apple ID “%@” to allow this new iPad to use your iCloud account.", "CloudKeychain", 0, "Enter the password for the Apple ID “%@” to allow this new iPad to use your iCloud account.", "Body text when approving an iPad") #define SEC_CK_APPROVAL_BODY_IOS_IPHONE SecStringWithDefaultValue("Enter the password for the Apple ID “%@” to allow this new iPhone to use your iCloud account.", "CloudKeychain", 0, "Enter the password for the Apple ID “%@” to allow this new iPhone to use your iCloud account.", "Body text when approving an iPhone") 
@@ -246,6 +238,87 @@ __BEGIN_DECLS #define SEC_CK_REMINDER_BUTTON_ICSC SecStringWithDefaultValue("Use Security Code", "CloudKeychain", 0, "Use Security Code", "Button label to approve via iCSC") #define SEC_CK_REMINDER_BUTTON_OK SecStringWithDefaultValue("OK", "CloudKeychain", 0, "OK", "Button label to acknowledge/dismiss reminder alert without further action") +/* Trust errors */ +#define SEC_INVALID_LINKAGE_KEY SecStringWithDefaultValue("Invalid certificate chain linkage.", "Certificate", 0, "Invalid certificate chain linkage.", "") +#define SEC_BAD_CRIT_EXTN_KEY SecStringWithDefaultValue("One or more unsupported critical extensions found.", "Certificate", 0, "One or more unsupported critical extensions found.", "") +#define SEC_ROOT_UNTRUSTED_KEY SecStringWithDefaultValue("Root certificate is not trusted.", "Certificate", 0, "Root certificate is not trusted.", "") +#define SEC_HOSTNAME_MISMATCH_KEY SecStringWithDefaultValue("Hostname mismatch.", "Certificate", 0, "Hostname mismatch.", "") +#define SEC_POLICY__REQ_NOT_MET_KEY SecStringWithDefaultValue("Policy requirements not met.", "Certificate", 0, "Policy requirements not met.", "") +#define SEC_CHAIN_VALIDITY_ERR_KEY SecStringWithDefaultValue("One or more certificates have expired or are not valid yet.", "Certificate", 0, "One or more certificates have expired or are not valid yet.", "") +#define SEC_WEAK_KEY_ERR_KEY SecStringWithDefaultValue("One or more certificates is using a weak key size.", "Certificate", 0, "One or more certificates is using a weak key size.", "") + +#define SEC_TRUST_CERTIFICATE_ERROR SecStringWithDefaultValue("Certificate %ld “%@” has errors: ", "Trust", 0, "Certificate %ld “%@” has errors: ", "Preface for per-certificate errors") + +#define SEC_TRUST_ERROR_SUBTYPE_REVOKED SecStringWithDefaultValue("“%@” certificate is revoked", "Trust", 0, "“%@” certificate is revoked", "Error for revoked certificates") +#define SEC_TRUST_ERROR_SUBTYPE_KEYSIZE SecStringWithDefaultValue("“%@” 
certificate is using a broken key size", "Trust", 0, "“%@” certificate is using a broken key size", "Error for certificates with weak key sizes") +#define SEC_TRUST_ERROR_SUBTYPE_WEAKHASH SecStringWithDefaultValue("“%@” certificate is using a broken signature algorithm", "Trust", 0, "“%@” certificate is using a broken signature algorithm", "Error for certificates with weak signature algorithms") +#define SEC_TRUST_ERROR_SUBTYPE_DENIED SecStringWithDefaultValue("User or administrator set “%@” certificate as distrusted", "Trust", 0, "User or administrator set “%@” certificate as distrusted", "Error for certificates with deny trust settings") +#define SEC_TRUST_ERROR_SUBTYPE_COMPLIANCE SecStringWithDefaultValue("“%@” certificate is not standards compliant", "Trust", 0, "“%@” certificate is not standards compliant", "Error for certificates that violate standards") +#define SEC_TRUST_ERROR_SUBTYPE_EXPIRED SecStringWithDefaultValue("“%@” certificate is expired", "Trust", 0, "“%@” certificate is expired", "Error for certificates that are expired") +#define SEC_TRUST_ERROR_SUBTYPE_TRUST SecStringWithDefaultValue("“%@” certificate is not trusted", "Trust", 0, "“%@” certificate is not trusted", "Error for certificates that are not trusted") +#define SEC_TRUST_ERROR_SUBTYPE_NAME SecStringWithDefaultValue("“%@” certificate name does not match input", "Trust", 0, "“%@” certificate name does not match input", "Error for certificates whose names do not match the policy") +#define SEC_TRUST_ERROR_SUBTYPE_USAGE SecStringWithDefaultValue("“%@” certificate is not permitted for this usage", "Trust", 0, "“%@” certificate is not permitted for this usage", "Error for certificates whose usages do not match the policy") +#define SEC_TRUST_ERROR_SUBTYPE_PINNING SecStringWithDefaultValue("%@ certificates do not meet pinning requirements", "Trust", 0, "%@ certificates do not meet pinning requirements", "Error for certificates that do not meet pinning requirements") +#define 
SEC_TRUST_ERROR_SUBTYPE_INVALID SecStringWithDefaultValue("Unknown trust error for “%@” certificate", "Trust", 0, "Unknown trust error for “%@” certificate", "Error for unknown error") + +//Note the the following errors do not follow the casing conventions of the above so that they can be used with POLICYCHECKMACRO +#define SEC_TRUST_ERROR_SSLHostname SecStringWithDefaultValue("SSL hostname does not match name(s) in certificate", "Trust", 0, "SSL hostname does not match name(s) in certificate", "Error for SSL hostname mismatch") +#define SEC_TRUST_ERROR_Email SecStringWithDefaultValue("Email address does not match name(s) in certificate", "Trust", 0, "Email address does not match name(s) in certificate", "Error for email mismatch") +#define SEC_TRUST_ERROR_TemporalValidity SecStringWithDefaultValue("Certificate is not temporally valid", "Trust", 0, "Certificate is not temporally valid", "Error for temporal validity") +#define SEC_TRUST_ERROR_WeakKeySize SecStringWithDefaultValue("Certificate is using a broken key size", "Trust", 0, "Certificate is using a broken key size", "Error for weak keys") +#define SEC_TRUST_ERROR_WeakSignature SecStringWithDefaultValue("Certificate is using a broken signature algorithm", "Trust", 0, "Certificate is using a broken signature algorithm", "Error for weak signatures") +#define SEC_TRUST_ERROR_KeyUsage SecStringWithDefaultValue("Key usage does not match certificate usage", "Trust", 0, "Key usage does not match certificate usage", "Error for key usage mismatch") +#define SEC_TRUST_ERROR_ExtendedKeyUsage SecStringWithDefaultValue("Extended key usage does not match certificate usage", "Trust", 0, "Extended key usage does not match certificate usage", "Error for extended key usage mismatch") +#define SEC_TRUST_ERROR_SubjectCommonName SecStringWithDefaultValue("Common Name does not match expected name", "Trust", 0, "Common Name does not match expected name", "Error for subject common name mismatch") +#define 
SEC_TRUST_ERROR_SubjectCommonNamePrefix SecStringWithDefaultValue("Common Name does not match expected name", "Trust", 0, "Common Name does not match expected name", "Error for subject common name prefix mismatch") +#define SEC_TRUST_ERROR_SubjectCommonNameTEST SecStringWithDefaultValue("Common Name does not match expected name", "Trust", 0, "Common Name does not match expected name", "Error for subject common name mismatch, allowing test") +#define SEC_TRUST_ERROR_SubjectOrganization SecStringWithDefaultValue("Organization does not match expected name", "Trust", 0, "Organization does not match expected name", "Error for subject organization mismatch") +#define SEC_TRUST_ERROR_SubjectOrganizationalUnit SecStringWithDefaultValue("Organizational Unit does not match expected name", "Trust", 0, "Certificate Organizational Unit does not match expected name", "Error for subject organizational unit mismatch") +#define SEC_TRUST_ERROR_NotValidBefore SecStringWithDefaultValue("Certificate issued before allowed time", "Trust", 0, "Certificate issued before allowed time", "Error for not before date") +#define SEC_TRUST_ERROR_EAPTrustedServerNames SecStringWithDefaultValue("Trusted EAP hostname does not match name(s) in certificate", "Trust", 0, "Trusted EAP hostname does not match name(s) in certificate", "Error for EAP hostname mismatch") +#define SEC_TRUST_ERROR_LeafMarkerOid SecStringWithDefaultValue("Missing project-specific extension OID", "Trust", 0, "Missing project-specific extension OID", "Error for leaf marker OID") +#define SEC_TRUST_ERROR_LeafMarkerOidWithoutValueCheck SecStringWithDefaultValue("Missing project-specific extension OID", "Trust", 0, "Missing project-specific extension OID", "Error for leaf marker OID without value check") +#define SEC_TRUST_ERROR_LeafMarkersProdAndQA SecStringWithDefaultValue("Missing project-specific extension OID", "Trust", 0, "Missing project-specific extension OID", "Error for leaf marker OID allowing prod or QA") +#define 
SEC_TRUST_ERROR_BlackListedLeaf SecStringWithDefaultValue("Certificate is blocked", "Trust", 0, "Certificate is blocked", "Error for blocklisted certificates") +#define SEC_TRUST_ERROR_GrayListedLeaf SecStringWithDefaultValue("Certificate is listed as untrusted", "Trust", 0, "Certificate is listed as untrusted", "Error for graylisted certificates") +#define SEC_TRUST_ERROR_IssuerCommonName SecStringWithDefaultValue("Common Name does not match expected name", "Trust", 0, "Common Name does not match expected name", "Error for issuer common name mismatch") +#define SEC_TRUST_ERROR_BasicConstraints SecStringWithDefaultValue("Basic constraints are required but missing", "Trust", 0, "Basic constraints are required but missing", "Error for missing basic constraints") +#define SEC_TRUST_ERROR_BasicConstraintsCA SecStringWithDefaultValue("Non-CA certificate used as a CA", "Trust", 0, "Non-CA certificate used as a CA", "Error for CA basic constraints") +#define SEC_TRUST_ERROR_BasicConstraintsPathLen SecStringWithDefaultValue("Chain exceeded constrained path length", "Trust", 0, "Chain exceeded constrained path length", "Error for path length basic constraints") +#define SEC_TRUST_ERROR_IntermediateSPKISHA256 SecStringWithDefaultValue("Public key does not match pinned value", "Trust", 0, "Public key does not match pinned value", "Error for intermediate public key pin") +#define SEC_TRUST_ERROR_IntermediateEKU SecStringWithDefaultValue("Extended key usage does not match pinned value", "Trust", 0, "Extended key usage does not match pinned value", "Error for intermediate extended key usage pin") +#define SEC_TRUST_ERROR_IntermediateMarkerOid SecStringWithDefaultValue("Missing issuer-specific extension OID", "Trust", 0, "Missing issuer-specific extension OID", "Error for intermediate marker OID") +#define SEC_TRUST_ERROR_IntermediateOrganization SecStringWithDefaultValue("Organization does not match expected name", "Trust", 0, "Organization does not match expected name", "Error 
for issuer organization mismatch") +#define SEC_TRUST_ERROR_IntermediateCountry SecStringWithDefaultValue("Country does not match expected name", "Trust", 0, "Country does not match expected name", "Error for issuer country mismatch") +#define SEC_TRUST_ERROR_AnchorSHA1 SecStringWithDefaultValue("Anchor does not match pinned fingerprint", "Trust", 0, "Anchor does not match pinned fingerprint", "Error for anchor SHA-1 fingerprint pin") +#define SEC_TRUST_ERROR_AnchorSHA256 SecStringWithDefaultValue("Anchor does not match pinned fingerprint", "Trust", 0, "Anchor does not match pinned fingerprint", "Error for anchor SHA-256 fingerprint pin") +#define SEC_TRUST_ERROR_AnchorTrusted SecStringWithDefaultValue("Root is not trusted", "Trust", 0, "Root is not trusted", "Error for untrusted root") +#define SEC_TRUST_ERROR_MissingIntermediate SecStringWithDefaultValue("Unable to build chain to root (possible missing intermediate)", "Trust", 0, "Unable to build chain to root (possible missing intermediate)", "Error for missing intermediates") +#define SEC_TRUST_ERROR_AnchorApple SecStringWithDefaultValue("Anchor is not an Apple root", "Trust", 0, "Anchor is not an Apple root", "Error for Apple anchor pin") +#define SEC_TRUST_ERROR_NonEmptySubject SecStringWithDefaultValue("Certificate missing a name", "Trust", 0, "Certificate missing a name", "Error for empty subject name") +#define SEC_TRUST_ERROR_IdLinkage SecStringWithDefaultValue("SubjectKeyID/AuthorityKeyID mismatch in chain", "Trust", 0, "SubjectKeyID/AuthorityKeyID mismatch in chain", "Error for bad key ID linkage") +#define SEC_TRUST_ERROR_KeySize SecStringWithDefaultValue("Key size is not permitted for this use", "Trust", 0, "Key size is not permitted for this use", "Error for pinned key size") +#define SEC_TRUST_ERROR_SignatureHashAlgorithms SecStringWithDefaultValue("Signature hash algorithm is not permitted for this use", "Trust", 0, "Signature hash algorithm is not permitted for this use", "Error for pinned hash 
algorithm") +#define SEC_TRUST_ERROR_CertificatePolicy SecStringWithDefaultValue("Missing project-specific Certificate Policy OID", "Trust", 0, "Missing project-specific Certificate Policy OID", "Error for certificate policy marker OID") +#define SEC_TRUST_ERROR_ValidRoot SecStringWithDefaultValue("Root is not temporally valid", "Trust", 0, "Root is not temporally valid", "Error for root temporal validity") +#define SEC_TRUST_ERROR_CriticalExtensions SecStringWithDefaultValue("Found unknown critical extensions", "Trust", 0, "Found unknown critical extensions", "Error for unknown critical extensions") +#define SEC_TRUST_ERROR_ChainLength SecStringWithDefaultValue("Chain does not match expected path length", "Trust", 0, "Chain does not match expected path length", "Error for pinned chain length") +#define SEC_TRUST_ERROR_BasicCertificateProcessing SecStringWithDefaultValue("Certificate is not standards compliant", "Trust", 0, "Certificate is not standards compliant", "Error for certificates that violate standards") +#define SEC_TRUST_ERROR_NameConstraints SecStringWithDefaultValue("Name constraints violated", "Trust", 0, "Name constraints violated", "Error for name constraints") +#define SEC_TRUST_ERROR_PolicyConstraints SecStringWithDefaultValue("Policy constraints violated", "Trust", 0, "Policy constraints violated", "Error for policy constraints") +#define SEC_TRUST_ERROR_GrayListedKey SecStringWithDefaultValue("Key is listed as untrusted", "Trust", 0, "Key is listed as untrusted", "Error for graylisted keys") +#define SEC_TRUST_ERROR_BlackListedKey SecStringWithDefaultValue("Key is blocked", "Trust", 0, "Key is blocked", "Error for blocklisted keys") +#define SEC_TRUST_ERROR_UsageConstraints SecStringWithDefaultValue("User or administrator set certificate as distrusted", "Trust", 0, "User or administrator set certificate as distrusted", "Error for certificates with deny trust settings") +#define SEC_TRUST_ERROR_SystemTrustedWeakHash 
SecStringWithDefaultValue("Signature hash algorithm is not permitted for this use", "Trust", 0, "Signature hash algorithm is not permitted for this use", "Error for system-trust hash algorithm") +#define SEC_TRUST_ERROR_SystemTrustedWeakKey SecStringWithDefaultValue("Key size is not permitted for this use", "Trust", 0, "Key size is not permitted for this use", "Error for system-trust key size") +#define SEC_TRUST_ERROR_PinningRequired SecStringWithDefaultValue("Pinning required but not used", "Trust", 0, "Pinning required but not used", "Error for required pinning") +#define SEC_TRUST_ERROR_Revocation SecStringWithDefaultValue("Certificate is revoked", "Trust", 0, "Certificate is revoked", "Error for revocation") +#define SEC_TRUST_ERROR_RevocationResponseRequired SecStringWithDefaultValue("Failed to check revocation", "Trust", 0, "Failed to check revocation", "Error for revocation required") +#define SEC_TRUST_ERROR_CTRequired SecStringWithDefaultValue("CT validation required but missing", "Trust", 0, "CT validation required but missing", "Error for missing Certificate Transparency validation") +#define SEC_TRUST_ERROR_NoNetworkAccess SecStringWithDefaultValue("Unexpected error detail", "Trust", 0, "Unexpected error detail", "Error for unexpected error details") +#define SEC_TRUST_ERROR_ExtendedValidation SecStringWithDefaultValue("Unexpected error detail", "Trust", 0, "Unexpected error detail", "Error for unexpected error details") +#define SEC_TRUST_ERROR_RevocationOnline SecStringWithDefaultValue("Unexpected error detail", "Trust", 0, "Unexpected error detail", "Error for unexpected error details") + __END_DECLS #endif /* !_SECURITY_SECFRAMEWORKSTRINGS_H_ */ diff --git a/OSX/sec/Security/SecImportExport.c b/OSX/sec/Security/SecImportExport.c index 44ecf2eb..20f69d4c 100644 --- a/OSX/sec/Security/SecImportExport.c +++ b/OSX/sec/Security/SecImportExport.c @@ -31,7 +31,7 @@ #include #include #include -#include +#include #include 
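Review bot: In `SEC_TRUST_ERROR_SubjectOrganizationalUnit` the first and fourth arguments differ ("Organizational Unit does not match expected name" versus "Certificate Organizational Unit does not match expected name"), while every other entry added in this hunk passes the same text in both positions. If the fourth argument is the default shown when no localized string is found, the text of this one trust error depends on whether a string table was loaded; the two should agree, e.g. a fourth argument of `"Organizational Unit does not match expected name"`. The comment above the POLICYCHECKMACRO group also has a doubled word and should read `//Note that the following errors do not follow the casing conventions of the above ...`.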
diff --git a/OSX/sec/Security/SecItem.c b/OSX/sec/Security/SecItem.c index 6e4f032e..41a9f732 100644 --- a/OSX/sec/Security/SecItem.c +++ b/OSX/sec/Security/SecItem.c @@ -434,11 +434,16 @@ SecItemCreateFromAttributeDictionary(CFDictionaryRef refAttributes) { } else if (CFEqual(class, kSecClassIdentity)) { CFDataRef data = CFDictionaryGetValue(refAttributes, kSecAttrIdentityCertificateData); SecCertificateRef cert = SecCertificateCreateWithData(kCFAllocatorDefault, data); - SecKeyRef key = SecKeyCreateFromAttributeDictionary(refAttributes); - if (key && cert) - ref = SecIdentityCreate(kCFAllocatorDefault, cert, key); + SecKeyRef key = SecKeyCreateFromAttributeDictionary(refAttributes); + if (key && cert) { + ref = SecIdentityCreate(kCFAllocatorDefault, cert, key); + } + else { + secerror("SecItem: failed to create identity"); + } + + CFReleaseSafe(key); CFReleaseSafe(cert); - CFReleaseSafe(key); #ifdef SECITEM_SHIM_OSX } else { ref = SecItemCreateFromAttributeDictionary_osx(refAttributes); @@ -1691,11 +1696,10 @@ OSStatus SecItemCopyMatching(CFDictionaryRef inQuery, CFTypeRef *result) { bool wants_data = cf_bool_value(CFDictionaryGetValue(query.dictionary, kSecReturnData)); bool wants_attributes = cf_bool_value(CFDictionaryGetValue(query.dictionary, kSecReturnAttributes)); - if ((wants_data && !wants_attributes) || (!wants_data && wants_attributes)) { + if ((wants_data && !wants_attributes)) { // When either attributes or data are requested, we need to query both, because for token based items, // both are needed in order to generate proper data and/or attributes results. CFDictionarySetValue(SecCFDictionaryCOWGetMutable(&query), kSecReturnAttributes, kCFBooleanTrue); - CFDictionarySetValue(SecCFDictionaryCOWGetMutable(&query), kSecReturnData, kCFBooleanTrue); } status = SecOSStatusWith(^bool(CFErrorRef *error) { diff --git a/OSX/sec/Security/SecItem.m b/OSX/sec/Security/SecItem.m index 7af25f37..9584ca2e 100644 --- a/OSX/sec/Security/SecItem.m 
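Review bot: The new `secerror("SecItem: failed to create identity")` in the `kSecClassIdentity` branch does not say whether the certificate or the key was missing, which is the first thing needed to triage it. Something like `secerror("SecItem: failed to create identity (cert %s, key %s)", cert ? "ok" : "missing", key ? "ok" : "missing");` keeps key material out of the log while making the message actionable. `data` comes straight from `CFDictionaryGetValue` and is handed to `SecCertificateCreateWithData` unchecked; whether that call tolerates NULL is not visible here, so it is worth confirming. The enclosing function starts and ends outside the hunk.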
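Review bot: The comment kept under the changed condition in `SecItemCopyMatching` still reads "When either attributes or data are requested, we need to query both", but the new code only adds `kSecReturnAttributes` when data alone was requested and no longer forces `kSecReturnData` for attribute-only queries. It should be reworded, for example `// When only data is requested, also query attributes: token-based items need them to build the data result.`, and the doubled parentheses in `if ((wants_data && !wants_attributes))` can go. Not fetching secret data for attribute-only queries looks like the intent, but that is inferred from the diff. The function body continues outside the hunk.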
+++ b/OSX/sec/Security/SecItem.m @@ -102,19 +102,21 @@ void SecItemSetCurrentItemAcrossAllDevices(CFStringRef accessGroup, os_activity_t activity = os_activity_create("SecItemSetCurrentItemAcrossAllDevices", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_DEFAULT); os_activity_scope(activity); - id rpc = SecuritydXPCProxyObject(^(NSError *error) { - complete((__bridge CFErrorRef) error); - }); - [rpc secItemSetCurrentItemAcrossAllDevices:(__bridge NSData*)newCurrentItemReference - newCurrentItemHash:(__bridge NSData*)newCurrentItemHash - accessGroup:(__bridge NSString*)accessGroup - identifier:(__bridge NSString*)identifier - viewHint:(__bridge NSString*)viewHint - oldCurrentItemReference:(__bridge NSData*)oldCurrentItemReference - oldCurrentItemHash:(__bridge NSData*)oldCurrentItemHash - complete: ^ (NSError* operror) { - complete((__bridge CFErrorRef) operror); - }]; + @autoreleasepool { + id rpc = SecuritydXPCProxyObject(^(NSError *error) { + complete((__bridge CFErrorRef) error); + }); + [rpc secItemSetCurrentItemAcrossAllDevices:(__bridge NSData*)newCurrentItemReference + newCurrentItemHash:(__bridge NSData*)newCurrentItemHash + accessGroup:(__bridge NSString*)accessGroup + identifier:(__bridge NSString*)identifier + viewHint:(__bridge NSString*)viewHint + oldCurrentItemReference:(__bridge NSData*)oldCurrentItemReference + oldCurrentItemHash:(__bridge NSData*)oldCurrentItemHash + complete: ^ (NSError* operror) { + complete((__bridge CFErrorRef) operror); + }]; + } } void SecItemFetchCurrentItemAcrossAllDevices(CFStringRef accessGroup, 
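Review bot: The `@autoreleasepool` wrapped around the proxy call in `SecItemSetCurrentItemAcrossAllDevices` (and likewise in `SecItemFetchCurrentItemAcrossAllDevices` in the next hunk) has no comment saying why it is there. Presumably these CF-typed entry points can be called from threads with no enclosing pool, so the proxy object and bridged arguments would otherwise linger. Once that is confirmed, a line such as `// Callers may have no autorelease pool; drain the XPC proxy and bridged arguments here.` would record the reason. Both function bodies start outside their hunks.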
@@ -126,16 +128,18 @@ void SecItemFetchCurrentItemAcrossAllDevices(CFStringRef accessGroup, os_activity_t activity = os_activity_create("SecItemFetchCurrentItemAcrossAllDevices", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_DEFAULT); os_activity_scope(activity); - id rpc = SecuritydXPCProxyObject(^(NSError *error) { - complete(NULL, (__bridge CFErrorRef) error); - }); - [rpc secItemFetchCurrentItemAcrossAllDevices:(__bridge NSString*)accessGroup - identifier:(__bridge NSString*)identifier - viewHint:(__bridge NSString*)viewHint - fetchCloudValue:fetchCloudValue - complete: ^(NSData* persistentRef, NSError* operror) { - complete((__bridge CFDataRef) persistentRef, (__bridge CFErrorRef) operror); - }]; + @autoreleasepool { + id rpc = SecuritydXPCProxyObject(^(NSError *error) { + complete(NULL, (__bridge CFErrorRef) error); + }); + [rpc secItemFetchCurrentItemAcrossAllDevices:(__bridge NSString*)accessGroup + identifier:(__bridge NSString*)identifier + viewHint:(__bridge NSString*)viewHint + fetchCloudValue:fetchCloudValue + complete: ^(NSData* persistentRef, NSError* operror) { + complete((__bridge CFDataRef) persistentRef, (__bridge CFErrorRef) operror); + }]; + } } void _SecItemFetchDigests(NSString *itemClass, NSString *accessGroup, void (^complete)(NSArray *, NSError *)) diff --git a/OSX/sec/Security/SecItemBackup.c b/OSX/sec/Security/SecItemBackup.c index c55d70f0..557f9790 100644 --- a/OSX/sec/Security/SecItemBackup.c +++ b/OSX/sec/Security/SecItemBackup.c 
@@ -49,11 +49,12 @@ #include -static CFDataRef client_data_data_to_data_error_request(enum SecXPCOperation op, SecurityClient *client, CFDataRef keybag, CFDataRef passcode, CFErrorRef *error) { +static CFDataRef client_data_data_bool_to_data_error_request(enum SecXPCOperation op, SecurityClient *client, CFDataRef keybag, CFDataRef passcode, bool emcs, CFErrorRef *error) { __block CFDataRef result = NULL; securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) { return SecXPCDictionarySetDataOptional(message, kSecXPCKeyKeybag, keybag, error) - && SecXPCDictionarySetDataOptional(message, kSecXPCKeyUserPassword, passcode, error); + && SecXPCDictionarySetDataOptional(message, kSecXPCKeyUserPassword, passcode, error) + && SecXPCDictionarySetBool(message, kSecXPCKeyEMCSBackup, emcs, NULL); }, ^bool(xpc_object_t response, CFErrorRef *error) { return (result = SecXPCDictionaryCopyData(response, kSecXPCKeyResult, error)); }); @@ -147,7 +148,7 @@ static int SecItemBackupHandoffFD(CFStringRef backupName, CFErrorRef *error) { CFDataRef _SecKeychainCopyOTABackup(void) { __block CFDataRef result; os_activity_initiate("_SecKeychainCopyOTABackup", OS_ACTIVITY_FLAG_DEFAULT, ^{ - result = SECURITYD_XPC(sec_keychain_backup, client_data_data_to_data_error_request, SecSecurityClientGet(), NULL, NULL, NULL); + result = SECURITYD_XPC(sec_keychain_backup, client_data_data_bool_to_data_error_request, SecSecurityClientGet(), NULL, NULL, false, NULL); }); return result; } 
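Review bot: The added `SecXPCDictionarySetBool(message, kSecXPCKeyEMCSBackup, emcs, NULL)` in `client_data_data_bool_to_data_error_request` passes `NULL` where the two calls before it pass `error`. If setting the flag fails, the block returns false and the request is abandoned with no error recorded for the caller. Passing the block's `error` keeps the three calls consistent: `&& SecXPCDictionarySetBool(message, kSecXPCKeyEMCSBackup, emcs, error);`.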
@@ -155,7 +156,15 @@ CFDataRef _SecKeychainCopyOTABackup(void) { CFDataRef _SecKeychainCopyBackup(CFDataRef backupKeybag, CFDataRef password) { __block CFDataRef result; os_activity_initiate("_SecKeychainCopyBackup", OS_ACTIVITY_FLAG_DEFAULT, ^{ - result = SECURITYD_XPC(sec_keychain_backup, client_data_data_to_data_error_request, SecSecurityClientGet(), backupKeybag, password, NULL); + result = SECURITYD_XPC(sec_keychain_backup, client_data_data_bool_to_data_error_request, SecSecurityClientGet(), backupKeybag, password, false, NULL); + }); + return result; +} + +CFDataRef _SecKeychainCopyEMCSBackup(CFDataRef backupKeybag) { + __block CFDataRef result; + os_activity_initiate("_SecKeychainCopyEMCSBackup", OS_ACTIVITY_FLAG_DEFAULT, ^{ + result = SECURITYD_XPC(sec_keychain_backup, client_data_data_bool_to_data_error_request, SecSecurityClientGet(), backupKeybag, NULL, true, NULL); }); return result; } diff --git a/OSX/sec/Security/SecKey.c b/OSX/sec/Security/SecKey.c index ac6a5ef7..d8583ba4 100644 --- a/OSX/sec/Security/SecKey.c +++ b/OSX/sec/Security/SecKey.c @@ -1163,6 +1163,10 @@ SecKeyRef SecKeyCreateWithData(CFDataRef keyData, CFDictionaryRef parameters, CF if (CFDictionaryGetValue(parameters, kSecAttrTokenID) != NULL) { return SecKeyCreateCTKKey(allocator, parameters, error); } + else if (!keyData) { + SecError(errSecParam, error, CFSTR("Failed to provide key data to SecKeyCreateWithData")); + return NULL; + } /* First figure out the key type (algorithm). */ CFIndex algorithm, class; CFTypeRef ktype = CFDictionaryGetValue(parameters, kSecAttrKeyType); 
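Review bot: The new `_SecKeychainCopyEMCSBackup` has no comment, although it is the one backup entry point in this hunk that sends a keybag with no passcode (`NULL`) and sets the EMCS flag to `true`. A header comment should state what the flag changes about the backup, that the returned `CFDataRef` is owned by the caller, and where the caller's authorization is checked (presumably in securityd; not visible in this diff). `__block CFDataRef result;` is also left uninitialised as in the sibling functions; `__block CFDataRef result = NULL;` costs nothing. The `NULL` passed as the last argument means a failure is reported only as a NULL return.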
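Review bot: The new `!keyData` branch in `SecKeyCreateWithData` calls `SecError(errSecParam, error, ...)` without first clearing `*error`, whereas the later hunks in this file add `if (error != NULL) { *error = NULL; }` before their `SecError` calls. If this function is meant to tolerate an uninitialised `*error` like those, the same reset belongs here. The `else` after the `return` in the preceding `if` is also redundant; a plain `if (!keyData) {` reads better. The function body continues outside the hunk.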
@@ -1231,13 +1235,33 @@ out: return key; } +// Similar to CFErrorPropagate, but does not consult input value of *error, it can contain any garbage and if overwritten, previous value is never released. +static inline bool SecKeyErrorPropagate(bool succeeded, CFErrorRef possibleError CF_CONSUMED, CFErrorRef *error) { + if (succeeded) { + return true; + } else { + if (error) { + *error = possibleError; + } else { + CFRelease(possibleError); + } + return false; + } +} + CFDataRef SecKeyCopyExternalRepresentation(SecKeyRef key, CFErrorRef *error) { if (!key->key_class->copyExternalRepresentation) { + if (error != NULL) { + *error = NULL; + } SecError(errSecUnimplemented, error, CFSTR("export not implemented for key %@"), key); return NULL; } - return key->key_class->copyExternalRepresentation(key, error); + CFErrorRef localError = NULL; + CFDataRef result = key->key_class->copyExternalRepresentation(key, &localError); + SecKeyErrorPropagate(result != NULL, localError, error); + return result; } CFDictionaryRef SecKeyCopyAttributes(SecKeyRef key) { @@ -1296,7 +1320,12 @@ fail: SecKeyRef SecKeyCreateRandomKey(CFDictionaryRef parameters, CFErrorRef *error) { SecKeyRef privKey = NULL, pubKey = NULL; OSStatus status = SecKeyGeneratePair(parameters, &pubKey, &privKey); - SecError(status, error, CFSTR("Key generation failed, error %d"), (int)status); + if (status != errSecSuccess) { + if (error != NULL) { + *error = NULL; + } + SecError(status, error, CFSTR("Key generation failed, error %d"), (int)status); + } CFReleaseSafe(pubKey); return privKey; } 
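Review bot: `SecKeyErrorPropagate` calls `CFRelease(possibleError)` when the caller passed `error == NULL`, and `possibleError` is NULL whenever the operation failed without producing an error object; `CFRelease(NULL)` is not a safe no-op, so that line should be `CFReleaseSafe(possibleError);` as used elsewhere on this page. The call sites added in the later hunks (`SecKeySetParameter`, `SecKeyCreateSignature`, `SecKeyVerifySignature`, `SecKeyCreateEncryptedData`, `SecKeyCopyKeyExchangeResult`) reach it the same way. The likeliest is `SecKeyVerifySignature`, where `result` is false whenever `res` is not `kCFBooleanTrue`. On the success branch a non-NULL `possibleError` is neither stored nor released despite `CF_CONSUMED`; releasing it there would close that leak.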
@@ -1311,8 +1340,14 @@ SecKeyRef SecKeyCreateDuplicate(SecKeyRef key) { Boolean SecKeySetParameter(SecKeyRef key, CFStringRef name, CFPropertyListRef value, CFErrorRef *error) { if (key->key_class->version >= 4 && key->key_class->setParameter) { - return key->key_class->setParameter(key, name, value, error); + CFErrorRef localError = NULL; + Boolean result = key->key_class->setParameter(key, name, value, &localError); + SecKeyErrorPropagate(result, localError, error); + return result; } else { + if (error != NULL) { + *error = NULL; + } return SecError(errSecUnimplemented, error, CFSTR("setParameter not implemented for %@"), key); } } 
@@ -1468,26 +1503,32 @@ static CFMutableArrayRef SecKeyCreateAlgorithmArray(SecKeyAlgorithm algorithm) { } CFDataRef SecKeyCreateSignature(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef dataToSign, CFErrorRef *error) { + CFErrorRef localError = NULL; SecKeyOperationContext context = { key, kSecKeyOperationTypeSign, SecKeyCreateAlgorithmArray(algorithm) }; - CFDataRef result = SecKeyRunAlgorithmAndCopyResult(&context, dataToSign, NULL, error); + CFDataRef result = SecKeyRunAlgorithmAndCopyResult(&context, dataToSign, NULL, &localError); SecKeyOperationContextDestroy(&context); + SecKeyErrorPropagate(result != NULL, localError, error); return result; } Boolean SecKeyVerifySignature(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef signedData, CFDataRef signature, CFErrorRef *error) { + CFErrorRef localError = NULL; SecKeyOperationContext context = { key, kSecKeyOperationTypeVerify, SecKeyCreateAlgorithmArray(algorithm) }; - CFTypeRef res = SecKeyRunAlgorithmAndCopyResult(&context, signedData, signature, error); + CFTypeRef res = SecKeyRunAlgorithmAndCopyResult(&context, signedData, signature, &localError); Boolean result = CFEqualSafe(res, kCFBooleanTrue); CFReleaseSafe(res); SecKeyOperationContextDestroy(&context); + SecKeyErrorPropagate(result, localError, error); return result; } CFDataRef SecKeyCreateEncryptedData(SecKeyRef key, SecKeyAlgorithm algorithm, CFDataRef plainText, CFErrorRef *error) { + CFErrorRef localError = NULL; SecKeyOperationContext context = { key, kSecKeyOperationTypeEncrypt, SecKeyCreateAlgorithmArray(algorithm) }; - CFDataRef result = SecKeyRunAlgorithmAndCopyResult(&context, plainText, NULL, error); + CFDataRef result = SecKeyRunAlgorithmAndCopyResult(&context, plainText, NULL, &localError); SecKeyOperationContextDestroy(&context); + SecKeyErrorPropagate(result, localError, error); return result; } 
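Review bot: `SecKeyCreateEncryptedData` passes the `CFDataRef` itself as the `bool succeeded` argument (`SecKeyErrorPropagate(result, localError, error)`), while `SecKeyCreateSignature` in the same hunk writes `result != NULL`; use the explicit comparison in both. `SecKeyCreateDecryptedData` sits between this hunk and the next and is not among the changed lines, and the next hunk header's line offsets indicate nothing was added in between. It therefore appears to still hand the caller's `error` straight to `SecKeyRunAlgorithmAndCopyResult`, which would make it the one operation left without the `localError` handling.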
@@ -1500,10 +1541,12 @@ CFDataRef SecKeyCreateDecryptedData(SecKeyRef key, SecKeyAlgorithm algorithm, CF CFDataRef SecKeyCopyKeyExchangeResult(SecKeyRef key, SecKeyAlgorithm algorithm, SecKeyRef publicKey, CFDictionaryRef parameters, CFErrorRef *error) { + CFErrorRef localError = NULL; CFDataRef publicKeyData = NULL, result = NULL; SecKeyOperationContext context = { key, kSecKeyOperationTypeKeyExchange, SecKeyCreateAlgorithmArray(algorithm) }; require_quiet(publicKeyData = SecKeyCopyExternalRepresentation(publicKey, error), out); - result = SecKeyRunAlgorithmAndCopyResult(&context, publicKeyData, parameters, error); + result = SecKeyRunAlgorithmAndCopyResult(&context, publicKeyData, parameters, &localError); + SecKeyErrorPropagate(result != NULL, localError, error); out: CFReleaseSafe(publicKeyData); diff --git a/OSX/sec/Security/SecOTRIdentityPriv.h b/OSX/sec/Security/SecOTRIdentityPriv.h index b747719f..8ce081c9 100644 --- a/OSX/sec/Security/SecOTRIdentityPriv.h +++ b/OSX/sec/Security/SecOTRIdentityPriv.h @@ -35,8 +35,6 @@ #include __BEGIN_DECLS - -extern CFStringRef sErrorDomain; // OAEP Padding, uses lots of space. Might need this to be data // Driven when we support more key types. @@ -78,7 +76,6 @@ extern const SecAsn1AlgId *kOTRSignatureAlgIDPtr; void EnsureOTRAlgIDInited(void); // Private functions for Public and Full IDs -SecOTRFullIdentityRef SecOTRFullIdentityCreateWithSize(CFAllocatorRef allocator, int bits); bool SecOTRFIAppendSignature(SecOTRFullIdentityRef fullID, CFDataRef dataToHash, 
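Review bot: In `SecKeyCopyKeyExchangeResult` the line `require_quiet(publicKeyData = SecKeyCopyExternalRepresentation(publicKey, error), out);` still writes straight into the caller's `error`, so only the second failure path goes through the new `localError` / `SecKeyErrorPropagate` route. If the local error is meant to give a uniform contract for what `*error` holds on failure, the first call should use it too: `SecKeyCopyExternalRepresentation(publicKey, &localError)`, with the `SecKeyErrorPropagate(result != NULL, localError, error);` call moved below the `out:` label so both paths reach it. The function body continues past the end of the hunk, so the cleanup after `out:` is only partly visible.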
@@ -118,7 +115,6 @@ OSStatus appendPublicOctets(SecKeyRef fromKey, CFMutableDataRef appendTo); OSStatus appendPublicOctetsAndSize(SecKeyRef fromKey, CFMutableDataRef appendTo); OSStatus appendSizeAndData(CFDataRef data, CFMutableDataRef appendTo); -SecKeyRef CreateECPrivateKeyFrom(CFAllocatorRef allocator, const uint8_t** data, size_t* limit); SecKeyRef CreateECPublicKeyFrom(CFAllocatorRef allocator, const uint8_t** data, size_t* limit); bool SecOTRCreateError(enum SecOTRError family, CFIndex errorCode, CFStringRef descriptionString, CFErrorRef previousError, CFErrorRef *newError); diff --git a/OSX/sec/Security/SecOTRMath.c b/OSX/sec/Security/SecOTRMath.c index 2106016c..0528bdef 100644 --- a/OSX/sec/Security/SecOTRMath.c +++ b/OSX/sec/Security/SecOTRMath.c @@ -43,30 +43,6 @@ // Random Number Generation // -OSStatus GetRandomBytesInLSBs(size_t bytesOfRandomness, size_t n, cc_unit* place) -{ - OSStatus result = errSecParam; - require(bytesOfRandomness * 8 <= ccn_bitsof_n(n), fail); - { - uint8_t randomBytes[bytesOfRandomness]; - - result = SecRandomCopyBytes(kSecRandomDefault, sizeof(randomBytes), randomBytes); - - require_noerr(result, fail); - - ccn_read_uint(n, place, sizeof(randomBytes), randomBytes); - - bzero(randomBytes, bytesOfRandomness); - } -fail: - return result; -} - -OSStatus FillWithRandomBytes(size_t n, cc_unit* place) -{ - return GetRandomBytesInLSBs(ccn_sizeof(n), n, place); -} - static const uint8_t kIVZero[16] = { }; 
@@ -122,12 +98,12 @@ static void HashMPIWithPrefix(uint8_t byte, cc_size sN, const cc_unit* s, uint8_ CFReleaseNull(dataToHash); } -void DeriveOTR256BitsFromS(KeyType whichKey, cc_size sN, const cc_unit* s, size_t keySize, uint8_t* key) +void DeriveOTR256BitsFromS(OTRKeyType whichKey, cc_size sN, const cc_unit* s, size_t keySize, uint8_t* key) { HashMPIWithPrefix(whichKey, sN, s, key); } -void DeriveOTR128BitPairFromS(KeyType whichKey, size_t sSize, const cc_unit* s, +void DeriveOTR128BitPairFromS(OTRKeyType whichKey, size_t sSize, const cc_unit* s, size_t firstKeySize, uint8_t* firstKey, size_t secondKeySize, uint8_t* secondKey) { @@ -148,7 +124,7 @@ void DeriveOTR128BitPairFromS(KeyType whichKey, size_t sSize, const cc_unit* s, } -void DeriveOTR64BitsFromS(KeyType whichKey, size_t sn, const cc_unit* s, +void DeriveOTR64BitsFromS(OTRKeyType whichKey, size_t sn, const cc_unit* s, size_t topKeySize, uint8_t* topKey) { uint8_t hashBuffer[CCSHA256_OUTPUT_SIZE]; diff --git a/OSX/sec/Security/SecOTRMath.h b/OSX/sec/Security/SecOTRMath.h index 6f966e3a..4fbc42cc 100644 --- a/OSX/sec/Security/SecOTRMath.h +++ b/OSX/sec/Security/SecOTRMath.h @@ -44,13 +44,6 @@ #define kSHA256HMAC160Bits 160 #define kSHA256HMAC160Bytes (kSHA256HMAC160Bits/8) -// Result and exponent are expected to be kExponentiationUnits big. -void OTRExponentiate(cc_unit* res, const cc_unit* base, const cc_unit* exponent); -void OTRGroupExponentiate(cc_unit* result, const cc_unit* exponent); - -OSStatus GetRandomBytesInLSBs(size_t bytesOfRandomness, size_t n, cc_unit* place); -OSStatus FillWithRandomBytes(size_t n, cc_unit* place); - typedef enum { kSSID = 0x00, kCs = 0x01, 
@@ -58,14 +51,14 @@ typedef enum { kM2 = 0x03, kM1Prime = 0x04, kM2Prime = 0x05 -} KeyType; +} OTRKeyType; -void DeriveOTR256BitsFromS(KeyType whichKey, size_t sSize, const cc_unit* s, size_t keySize, uint8_t* key); -void DeriveOTR128BitPairFromS(KeyType whichHalf, size_t sSize, const cc_unit* s, +void DeriveOTR256BitsFromS(OTRKeyType whichKey, size_t sSize, const cc_unit* s, size_t keySize, uint8_t* key); +void DeriveOTR128BitPairFromS(OTRKeyType whichHalf, size_t sSize, const cc_unit* s, size_t firstKeySize, uint8_t* firstKey, size_t secondKeySize, uint8_t* secondKey); -void DeriveOTR64BitsFromS(KeyType whichKey, size_t sSize, const cc_unit* s, +void DeriveOTR64BitsFromS(OTRKeyType whichKey, size_t sSize, const cc_unit* s, size_t firstKeySize, uint8_t* firstKey); diff --git a/OSX/sec/Security/SecOTRPackets.c b/OSX/sec/Security/SecOTRPackets.c index 10919429..35bdc9c4 100644 --- a/OSX/sec/Security/SecOTRPackets.c +++ b/OSX/sec/Security/SecOTRPackets.c @@ -75,7 +75,7 @@ static inline void AppendSHA256HMAC_160(CFMutableDataRef appendTo, static inline void DeriveAndAppendSHA256HMAC(CFMutableDataRef appendTo, cc_size sN, const cc_unit* s, - KeyType whichKey, + OTRKeyType whichKey, size_t howMuch, const uint8_t* from) { @@ -92,7 +92,7 @@ static inline void DeriveAndAppendSHA256HMAC(CFMutableDataRef appendTo, static inline void DeriveAndAppendSHA256HMAC_160(CFMutableDataRef appendTo, cc_size sN, const cc_unit* s, - KeyType whichKey, + OTRKeyType whichKey, size_t howMuch, const uint8_t* from) { diff --git a/OSX/sec/Security/SecOTRSession.c b/OSX/sec/Security/SecOTRSession.c index 07244b17..56480f49 100644 --- a/OSX/sec/Security/SecOTRSession.c +++ b/OSX/sec/Security/SecOTRSession.c @@ -484,6 +484,7 @@ static void SecOTRSFindKeysForMessage(SecOTRSessionRef session, emptyKeys = &session->_keyCache[0]; } + assert(emptyKeys); // Fill in the entry. memcpy(emptyKeys->_fullKeyHash, SecFDHKGetHash(myKey), CCSHA1_OUTPUT_SIZE); 
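Review bot: The `assert(emptyKeys);` added in `SecOTRSFindKeysForMessage` is the only guard before `memcpy(emptyKeys->_fullKeyHash, ...)`, and `assert` compiles to nothing when `NDEBUG` is defined, so a release build gets no protection from it. The context line above shows a fallback `emptyKeys = &session->_keyCache[0];`, which suggests the pointer can never be NULL here and the assert mainly records that, or quiets a static analyzer. If so, a comment such as `/* emptyKeys is never NULL: the search above falls back to _keyCache[0] */` states the invariant; if it can be NULL, a runtime check that skips the fill is needed instead. The function starts and ends outside the hunk, so the search loop itself is not visible.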
@@ -1026,7 +1027,7 @@ static void SecOTRAcceptNewRemoteKey(SecOTRSessionRef session, SecOTRPublicDHKey SecOTRSEnableTimeToRoll(session); } -OSStatus SecOTRSetupInitialRemoteKey(SecOTRSessionRef session, SecOTRPublicDHKeyRef initialKey) { +OSStatus SecOTRSetupInitialRemoteKey(SecOTRSessionRef session, SecOTRPublicDHKeyRef CF_CONSUMED initialKey) { bzero(session->_keyCache, sizeof(session->_keyCache)); diff --git a/OSX/sec/Security/SecOTRSessionPriv.h b/OSX/sec/Security/SecOTRSessionPriv.h index 42c24122..76e0895e 100644 --- a/OSX/sec/Security/SecOTRSessionPriv.h +++ b/OSX/sec/Security/SecOTRSessionPriv.h @@ -113,7 +113,7 @@ struct _SecOTRSession { CFDataRef SecOTRCopyIncomingBytes(CFDataRef incomingMessage); void SecOTRPrepareOutgoingBytes(CFMutableDataRef destinationMessage, CFMutableDataRef protectedMessage); -OSStatus SecOTRSetupInitialRemoteKey(SecOTRSessionRef session, SecOTRPublicDHKeyRef initialKey); +OSStatus SecOTRSetupInitialRemoteKey(SecOTRSessionRef session, SecOTRPublicDHKeyRef CF_CONSUMED initialKey); void SOSOTRSRoll(SecOTRSessionRef session); int SecOTRSGetKeyID(SecOTRSessionRef session); int SecOTRSGetTheirKeyID(SecOTRSessionRef session); diff --git a/OSX/sec/Security/SecPasswordGenerate.c b/OSX/sec/Security/SecPasswordGenerate.c index 4d4e87d9..a095a5c3 100644 --- a/OSX/sec/Security/SecPasswordGenerate.c +++ b/OSX/sec/Security/SecPasswordGenerate.c @@ -505,6 +505,8 @@ static int SecPasswordNumberOfRepeatedDigits(CFStringRef passcode){ int finalRepeating = 0; if(highest != NULL) CFNumberGetValue(highest, kCFNumberIntType, &finalRepeating); + + CFReleaseNull(highestRepeatingcount); return finalRepeating; } diff --git a/OSX/sec/Security/SecPolicy.c b/OSX/sec/Security/SecPolicy.c index 30d663c6..7d18570f 100644 --- a/OSX/sec/Security/SecPolicy.c +++ b/OSX/sec/Security/SecPolicy.c @@ -39,7 +39,7 @@ #include #include #include -#include +#include #include #include #include 
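Review bot: `SecOTRSetupInitialRemoteKey` now marks `initialKey` as `CF_CONSUMED`, in this definition and in the `SecOTRSessionPriv.h` prototype hunk that follows, but neither place says in words that the callee takes over the caller's reference. Ownership transfer that is visible only through an annotation is easy to miss, and a caller that still releases the key after the call would over-release it. A comment on the prototype would cover it: `/* Consumes initialKey: the session takes the caller's reference; do not release it after the call. */`. The function body continues outside the hunk, so how the reference is stored or released is not visible here.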
@@ -47,238 +47,35 @@ #include -/******************************************************** - **************** SecPolicy Constants ******************* - ********************************************************/ -// MARK: - -// MARK: SecPolicy Constants +#undef POLICYCHECKMACRO +#define POLICYCHECKMACRO(NAME, TRUSTRESULT, SUBTYPE, LEAFCHECK, PATHCHECK, LEAFONLY, CSSMERR, OSSTATUS) \ + const CFStringRef kSecPolicyCheck##NAME = CFSTR(#NAME); +#include "SecPolicyChecks.list" #define SEC_CONST_DECL(k,v) const CFStringRef k = CFSTR(v); /******************************************************** - ************** Unverified Leaf Checks ****************** + ******************* Feature toggles ******************** ********************************************************/ -SEC_CONST_DECL (kSecPolicyCheckSSLHostname, "SSLHostname"); -SEC_CONST_DECL (kSecPolicyCheckEmail, "email"); - -/* Checks that the issuer of the leaf has exactly one Common Name and that it - matches the specified string. */ -SEC_CONST_DECL (kSecPolicyCheckIssuerCommonName, "IssuerCommonName"); - -/* Checks that the leaf has exactly one Common Name and that it - matches the specified string. */ -SEC_CONST_DECL (kSecPolicyCheckSubjectCommonName, "SubjectCommonName"); - -/* Checks that the leaf has exactly one Common Name and that it has the - specified string as a prefix. */ -SEC_CONST_DECL (kSecPolicyCheckSubjectCommonNamePrefix, "SubjectCommonNamePrefix"); - -/* Checks that the leaf has exactly one Common Name and that it - matches the specified "" or "TEST TEST". */ -SEC_CONST_DECL (kSecPolicyCheckSubjectCommonNameTEST, "SubjectCommonNameTEST"); - -/* Checks that the leaf has exactly one Organization and that it - matches the specified string. */ -SEC_CONST_DECL (kSecPolicyCheckSubjectOrganization, "SubjectOrganization"); - -/* Checks that the leaf has exactly one Organizational Unit and that it - matches the specified string. 
*/ -SEC_CONST_DECL (kSecPolicyCheckSubjectOrganizationalUnit, "SubjectOrganizationalUnit"); - -/* Check that the leaf is not valid before the specified date (or verifyDate - if none is provided?). */ -SEC_CONST_DECL (kSecPolicyCheckNotValidBefore, "NotValidBefore"); - -SEC_CONST_DECL (kSecPolicyCheckEAPTrustedServerNames, "EAPTrustedServerNames"); - -SEC_CONST_DECL (kSecPolicyCheckCertificatePolicy, "CertificatePolicy"); - -SEC_CONST_DECL (kSecPolicyCheckLeafMarkerOid, "CheckLeafMarkerOid"); -SEC_CONST_DECL (kSecPolicyCheckLeafMarkerOidWithoutValueCheck, "CheckLeafMarkerOidNoValueCheck"); -SEC_CONST_DECL (kSecPolicyCheckLeafMarkersProdAndQA, "CheckLeafMarkersProdAndQA"); +/* Option for AnchorApple */ +SEC_CONST_DECL (kSecPolicyAppleAnchorIncludeTestRoots, "AnchorAppleTestRoots"); /* options for kSecPolicyCheckLeafMarkersProdAndQA */ SEC_CONST_DECL (kSecPolicyLeafMarkerProd, "ProdMarker"); SEC_CONST_DECL (kSecPolicyLeafMarkerQA, "QAMarker"); -#if 0 -/* Check for basic constraints on leaf to be valid. 
(rfc5280 check) */ -SEC_CONST_DECL (kSecPolicyCheckLeafBasicConstraints, "LeafBasicContraints"); -#endif - -SEC_CONST_DECL (kSecPolicyCheckBlackListedLeaf, "BlackListedLeaf"); -SEC_CONST_DECL (kSecPolicyCheckGrayListedLeaf, "GrayListedLeaf"); - -/******************************************************** - *********** Unverified Intermediate Checks ************* - ********************************************************/ -SEC_CONST_DECL (kSecPolicyCheckKeyUsage, "KeyUsage"); /* (rfc5280 check) */ -SEC_CONST_DECL (kSecPolicyCheckExtendedKeyUsage, "ExtendedKeyUsage"); /* (rfc5280 check) */ -SEC_CONST_DECL (kSecPolicyCheckBasicConstraints, "BasicConstraints"); /* (rfc5280 check) */ -SEC_CONST_DECL (kSecPolicyCheckQualifiedCertStatements, "QualifiedCertStatements"); /* (rfc5280 check) */ -SEC_CONST_DECL (kSecPolicyCheckIntermediateSPKISHA256, "IntermediateSPKISHA256"); -SEC_CONST_DECL (kSecPolicyCheckIntermediateEKU, "IntermediateEKU"); -SEC_CONST_DECL (kSecPolicyCheckIntermediateMarkerOid, "CheckIntermediateMarkerOid"); -SEC_CONST_DECL (kSecPolicyCheckIntermediateOrganization, "CheckIntermediateOrganization"); -SEC_CONST_DECL (kSecPolicyCheckIntermediateCountry, "CheckIntermediateCountry"); - -/******************************************************** - ************** Unverified Anchor Checks **************** - ********************************************************/ -SEC_CONST_DECL (kSecPolicyCheckAnchorSHA1, "AnchorSHA1"); -SEC_CONST_DECL (kSecPolicyCheckAnchorSHA256, "AnchorSHA256"); - -/* Fake key for isAnchored check. 
*/ -SEC_CONST_DECL (kSecPolicyCheckAnchorTrusted, "AnchorTrusted"); - -/* Anchor is one of the apple trust anchors */ -SEC_CONST_DECL (kSecPolicyCheckAnchorApple, "AnchorApple"); - -/* options for kSecPolicyCheckAnchorApple */ -SEC_CONST_DECL (kSecPolicyAppleAnchorIncludeTestRoots, "AnchorAppleTestRoots"); - -/******************************************************** - *********** Unverified Certificate Checks ************** - ********************************************************/ -/* Unverified Certificate Checks (any of the above) */ -SEC_CONST_DECL (kSecPolicyCheckNonEmptySubject, "NonEmptySubject"); -SEC_CONST_DECL (kSecPolicyCheckIdLinkage, "IdLinkage") /* (rfc5280 check) */ -SEC_CONST_DECL (kSecPolicyCheckValidIntermediates, "ValidIntermediates"); -SEC_CONST_DECL (kSecPolicyCheckValidLeaf, "ValidLeaf"); -SEC_CONST_DECL (kSecPolicyCheckValidRoot, "ValidRoot"); -SEC_CONST_DECL (kSecPolicyCheckWeakIntermediates, "WeakIntermediates"); -SEC_CONST_DECL (kSecPolicyCheckWeakLeaf, "WeakLeaf"); -SEC_CONST_DECL (kSecPolicyCheckWeakRoot, "WeakRoot"); -SEC_CONST_DECL (kSecPolicyCheckKeySize, "KeySize"); -SEC_CONST_DECL (kSecPolicyCheckSignatureHashAlgorithms, "SignatureHashAlgorithms"); - -/******************************************************** - **************** Verified Path Checks ****************** - ********************************************************/ -/* (rfc5280 check) Ideally we should dynamically track all the extensions - we processed for each certificate and fail this test if any critical - extensions remain. */ -SEC_CONST_DECL (kSecPolicyCheckCriticalExtensions, "CriticalExtensions"); - -/* Check that the certificate chain length matches the specificed CFNumberRef - length. */ -SEC_CONST_DECL (kSecPolicyCheckChainLength, "ChainLength"); - -/* (rfc5280 check) */ -SEC_CONST_DECL (kSecPolicyCheckBasicCertificateProcessing, "BasicCertificateProcessing"); - -/* Check Certificate Transparency if specified. 
*/ -SEC_CONST_DECL (kSecPolicyCheckCertificateTransparency, "CertificateTransparency"); - -SEC_CONST_DECL (kSecPolicyCheckGrayListedKey, "GrayListedKey"); -SEC_CONST_DECL (kSecPolicyCheckBlackListedKey, "BlackListedKey"); - -SEC_CONST_DECL (kSecPolicyCheckUsageConstraints, "UsageConstraints"); - -SEC_CONST_DECL (kSecPolicyCheckSystemTrustedWeakHash, "SystemTrustedWeakHash"); -SEC_CONST_DECL (kSecPolicyCheckSystemTrustedWeakKey, "SystemTrustedWeakKey"); - -/* Binary requires pinning. */ -SEC_CONST_DECL (kSecPolicyCheckPinningRequired, "PinningRequired"); - -/******************************************************** - ******************* Feature toggles ******************** - ********************************************************/ - -/* Check revocation if specified. */ -SEC_CONST_DECL (kSecPolicyCheckExtendedValidation, "ExtendedValidation"); -SEC_CONST_DECL (kSecPolicyCheckRevocation, "Revocation"); -SEC_CONST_DECL (kSecPolicyCheckRevocationResponseRequired, "RevocationResponseRequired"); +/* Revocation toggles */ SEC_CONST_DECL (kSecPolicyCheckRevocationOCSP, "OCSP"); SEC_CONST_DECL (kSecPolicyCheckRevocationCRL, "CRL"); SEC_CONST_DECL (kSecPolicyCheckRevocationAny, "AnyRevocationMethod"); -SEC_CONST_DECL (kSecPolicyCheckRevocationOnline, "Online"); - -/* If present and true, we never go out to the network for anything - (OCSP, CRL or CA Issuer checking) but just used cached data instead. */ -SEC_CONST_DECL (kSecPolicyCheckNoNetworkAccess, "NoNetworkAccess"); - -/* Public policy names. 
*/ -SEC_CONST_DECL (kSecPolicyAppleX509Basic, "1.2.840.113635.100.1.2"); -SEC_CONST_DECL (kSecPolicyAppleSSL, "1.2.840.113635.100.1.3"); -SEC_CONST_DECL (kSecPolicyAppleSMIME, "1.2.840.113635.100.1.8"); -SEC_CONST_DECL (kSecPolicyAppleEAP, "1.2.840.113635.100.1.9"); -SEC_CONST_DECL (kSecPolicyAppleSWUpdateSigning, "1.2.840.113635.100.1.10"); -SEC_CONST_DECL (kSecPolicyAppleIPsec, "1.2.840.113635.100.1.11"); -SEC_CONST_DECL (kSecPolicyApplePKINITClient, "1.2.840.113635.100.1.14"); -SEC_CONST_DECL (kSecPolicyApplePKINITServer, "1.2.840.113635.100.1.15"); -SEC_CONST_DECL (kSecPolicyAppleCodeSigning, "1.2.840.113635.100.1.16"); -SEC_CONST_DECL (kSecPolicyApplePackageSigning, "1.2.840.113635.100.1.17"); -SEC_CONST_DECL (kSecPolicyAppleIDValidation, "1.2.840.113635.100.1.18"); -SEC_CONST_DECL (kSecPolicyMacAppStoreReceipt, "1.2.840.113635.100.1.19"); -SEC_CONST_DECL (kSecPolicyAppleTimeStamping, "1.2.840.113635.100.1.20"); -SEC_CONST_DECL (kSecPolicyAppleRevocation, "1.2.840.113635.100.1.21"); -SEC_CONST_DECL (kSecPolicyApplePassbookSigning, "1.2.840.113635.100.1.22"); -SEC_CONST_DECL (kSecPolicyAppleMobileStore, "1.2.840.113635.100.1.23"); -SEC_CONST_DECL (kSecPolicyAppleEscrowService, "1.2.840.113635.100.1.24"); -SEC_CONST_DECL (kSecPolicyAppleProfileSigner, "1.2.840.113635.100.1.25"); -SEC_CONST_DECL (kSecPolicyAppleQAProfileSigner, "1.2.840.113635.100.1.26"); -SEC_CONST_DECL (kSecPolicyAppleTestMobileStore, "1.2.840.113635.100.1.27"); -SEC_CONST_DECL (kSecPolicyAppleOTAPKISigner, "1.2.840.113635.100.1.28"); -SEC_CONST_DECL (kSecPolicyAppleTestOTAPKISigner, "1.2.840.113635.100.1.29"); -SEC_CONST_DECL (kSecPolicyAppleIDValidationRecordSigningPolicy, "1.2.840.113635.100.1.30"); -SEC_CONST_DECL (kSecPolicyAppleIDValidationRecordSigning, "1.2.840.113635.100.1.30"); -SEC_CONST_DECL (kSecPolicyAppleSMPEncryption, "1.2.840.113635.100.1.31"); -SEC_CONST_DECL (kSecPolicyAppleTestSMPEncryption, "1.2.840.113635.100.1.32"); -SEC_CONST_DECL (kSecPolicyAppleServerAuthentication, 
"1.2.840.113635.100.1.33"); -SEC_CONST_DECL (kSecPolicyApplePCSEscrowService, "1.2.840.113635.100.1.34"); -SEC_CONST_DECL (kSecPolicyApplePPQSigning, "1.2.840.113635.100.1.35"); -SEC_CONST_DECL (kSecPolicyAppleTestPPQSigning, "1.2.840.113635.100.1.36"); -// Not in use. Use kSecPolicyAppleTVOSApplicationSigning instead. -// SEC_CONST_DECL (kSecPolicyAppleATVAppSigning, "1.2.840.113635.100.1.37"); -// SEC_CONST_DECL (kSecPolicyAppleTestATVAppSigning, "1.2.840.113635.100.1.38"); -SEC_CONST_DECL (kSecPolicyApplePayIssuerEncryption, "1.2.840.113635.100.1.39"); -SEC_CONST_DECL (kSecPolicyAppleOSXProvisioningProfileSigning, "1.2.840.113635.100.1.40"); -SEC_CONST_DECL (kSecPolicyAppleATVVPNProfileSigning, "1.2.840.113635.100.1.41"); -SEC_CONST_DECL (kSecPolicyAppleAST2DiagnosticsServerAuth, "1.2.840.113635.100.1.42"); -SEC_CONST_DECL (kSecPolicyAppleEscrowProxyServerAuth, "1.2.840.113635.100.1.43"); -SEC_CONST_DECL (kSecPolicyAppleFMiPServerAuth, "1.2.840.113635.100.1.44"); -SEC_CONST_DECL (kSecPolicyAppleMMCSService, "1.2.840.113635.100.1.45"); -SEC_CONST_DECL (kSecPolicyAppleGSService, "1.2.840.113635.100.1.46"); -SEC_CONST_DECL (kSecPolicyApplePPQService, "1.2.840.113635.100.1.47"); -SEC_CONST_DECL (kSecPolicyAppleHomeKitServerAuth, "1.2.840.113635.100.1.48"); -SEC_CONST_DECL (kSecPolicyAppleiPhoneActivation, "1.2.840.113635.100.1.49"); -SEC_CONST_DECL (kSecPolicyAppleiPhoneDeviceCertificate, "1.2.840.113635.100.1.50"); -SEC_CONST_DECL (kSecPolicyAppleFactoryDeviceCertificate, "1.2.840.113635.100.1.51"); -SEC_CONST_DECL (kSecPolicyAppleiAP, "1.2.840.113635.100.1.52"); -SEC_CONST_DECL (kSecPolicyAppleiTunesStoreURLBag, "1.2.840.113635.100.1.53"); -SEC_CONST_DECL (kSecPolicyAppleiPhoneApplicationSigning, "1.2.840.113635.100.1.54"); -SEC_CONST_DECL (kSecPolicyAppleiPhoneProfileApplicationSigning, "1.2.840.113635.100.1.55"); -SEC_CONST_DECL (kSecPolicyAppleiPhoneProvisioningProfileSigning, "1.2.840.113635.100.1.56"); -SEC_CONST_DECL (kSecPolicyAppleLockdownPairing, 
"1.2.840.113635.100.1.57"); -SEC_CONST_DECL (kSecPolicyAppleURLBag, "1.2.840.113635.100.1.58"); -SEC_CONST_DECL (kSecPolicyAppleOTATasking, "1.2.840.113635.100.1.59"); -SEC_CONST_DECL (kSecPolicyAppleMobileAsset, "1.2.840.113635.100.1.60"); -SEC_CONST_DECL (kSecPolicyAppleIDAuthority, "1.2.840.113635.100.1.61"); -SEC_CONST_DECL (kSecPolicyAppleGenericApplePinned, "1.2.840.113635.100.1.62"); -SEC_CONST_DECL (kSecPolicyAppleGenericAppleSSLPinned, "1.2.840.113635.100.1.63"); -SEC_CONST_DECL (kSecPolicyAppleSoftwareSigning, "1.2.840.113635.100.1.64"); -SEC_CONST_DECL (kSecPolicyAppleExternalDeveloper, "1.2.840.113635.100.1.65"); -SEC_CONST_DECL (kSecPolicyAppleOCSPSigner, "1.2.840.113635.100.1.66"); -SEC_CONST_DECL (kSecPolicyAppleIDSService, "1.2.840.113635.100.1.67"); -SEC_CONST_DECL (kSecPolicyAppleIDSServiceContext, "1.2.840.113635.100.1.68"); -SEC_CONST_DECL (kSecPolicyApplePushService, "1.2.840.113635.100.1.69"); -SEC_CONST_DECL (kSecPolicyAppleLegacyPushService, "1.2.840.113635.100.1.70"); -SEC_CONST_DECL (kSecPolicyAppleTVOSApplicationSigning, "1.2.840.113635.100.1.71"); -SEC_CONST_DECL (kSecPolicyAppleUniqueDeviceIdentifierCertificate, "1.2.840.113635.100.1.72"); -SEC_CONST_DECL (kSecPolicyAppleEscrowProxyCompatibilityServerAuth, "1.2.840.113635.100.1.73"); -SEC_CONST_DECL (kSecPolicyAppleMMCSCompatibilityServerAuth, "1.2.840.113635.100.1.74"); -SEC_CONST_DECL (kSecPolicyAppleSecureIOStaticAsset, "1.2.840.113635.100.1.75"); -SEC_CONST_DECL (kSecPolicyAppleWarsaw, "1.2.840.113635.100.1.76"); -SEC_CONST_DECL (kSecPolicyAppleiCloudSetupServerAuth, "1.2.840.113635.100.1.77"); -SEC_CONST_DECL (kSecPolicyAppleiCloudSetupCompatibilityServerAuth, "1.2.840.113635.100.1.78"); -SEC_CONST_DECL (kSecPolicyAppleAppTransportSecurity, "1.2.840.113635.100.1.80"); -SEC_CONST_DECL (kSecPolicyAppleMacOSProfileApplicationSigning, "1.2.840.113635.100.1.81"); -SEC_CONST_DECL (kSecPolicyAppleMobileSoftwareUpdate, "1.2.840.113635.100.1.82"); -SEC_CONST_DECL 
(kSecPolicyAppleMobileAssetDevelopment, "1.2.840.113635.100.1.83"); -SEC_CONST_DECL (kSecPolicyAppleBasicAttestationSystem, "1.2.840.113635.100.1.84"); -SEC_CONST_DECL (kSecPolicyAppleBasicAttestationUser, "1.2.840.113635.100.1.85"); -SEC_CONST_DECL (kSecPolicyAppleiPhoneVPNApplicationSigning, "1.2.840.113635.100.1.86"); + +/* Public policy oids. */ +#define POLICYMACRO(NAME, OID, ISPUBLIC, INTNAME, IN_NAME, IN_PROPERTIES, FUNCTION) \ +const CFStringRef kSecPolicyApple##NAME = CFSTR("1.2.840.113635.100.1."#OID); +#include "SecPolicy.list" +//Some naming exceptions +SEC_CONST_DECL(kSecPolicyMacAppStoreReceipt, "1.2.840.113635.100.1.19") +SEC_CONST_DECL(kSecPolicyAppleIDValidationRecordSigningPolicy, "1.2.840.113635.100.1.30"); SEC_CONST_DECL (kSecPolicyOid, "SecPolicyOid"); SEC_CONST_DECL (kSecPolicyName, "SecPolicyName"); 
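Review bot: `POLICYMACRO` is defined before `#include "SecPolicy.list"` without a preceding `#undef`, unlike `POLICYCHECKMACRO` at the top of the hunk, which is reset first. If any earlier header leaves `POLICYMACRO` defined, this becomes a macro redefinition; adding `#undef POLICYMACRO` before the `#define` keeps the two X-macro blocks symmetrical. A short comment above each include naming what it generates would also help, e.g. `/* Expands to one kSecPolicyApple<NAME> OID constant per SecPolicy.list entry */`, since the per-constant comments were removed along with the old declarations. The two "naming exceptions" lines also differ in style: one has a trailing `;` after `SEC_CONST_DECL(...)` and one does not, although the macro already supplies the semicolon.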
@@ -302,85 +99,35 @@ SEC_CONST_DECL (kSecPolicyKU_EncipherOnly, "CE_KU_EncipherOnly"); SEC_CONST_DECL (kSecPolicyKU_DecipherOnly, "CE_KU_DecipherOnly"); /* Internal policy names */ -static CFStringRef kSecPolicyNameBasicX509 = CFSTR("basicX509"); -static CFStringRef kSecPolicyNameSSLServer = CFSTR("sslServer"); -static CFStringRef kSecPolicyNameSSLClient = CFSTR("sslClient"); -static CFStringRef kSecPolicyNameiPhoneActivation = CFSTR("iPhoneActivation"); -static CFStringRef kSecPolicyNameiPhoneDeviceCertificate = - CFSTR("iPhoneDeviceCertificate"); -static CFStringRef kSecPolicyNameFactoryDeviceCertificate = - CFSTR("FactoryDeviceCertificate"); -static CFStringRef kSecPolicyNameiAP = CFSTR("iAP"); -static CFStringRef kSecPolicyNameiTunesStoreURLBag = CFSTR("iTunesStoreURLBag"); -static CFStringRef kSecPolicyNameEAPServer = CFSTR("eapServer"); -static CFStringRef kSecPolicyNameEAPClient = CFSTR("eapClient"); -static CFStringRef kSecPolicyNameIPSecServer = CFSTR("ipsecServer"); -static CFStringRef kSecPolicyNameIPSecClient = CFSTR("ipsecClient"); -static CFStringRef kSecPolicyNameiPhoneApplicationSigning = - CFSTR("iPhoneApplicationSigning"); -static CFStringRef kSecPolicyNameiPhoneProfileApplicationSigning = - CFSTR("iPhoneProfileApplicationSigning"); -static CFStringRef kSecPolicyNameiPhoneProvisioningProfileSigning = - CFSTR("iPhoneProvisioningProfileSigning"); -static CFStringRef kSecPolicyNameAppleSWUpdateSigning = CFSTR("AppleSWUpdateSigning"); -static CFStringRef kSecPolicyNameAppleTVOSApplicationSigning = - CFSTR("AppleTVApplicationSigning"); -static CFStringRef kSecPolicyNameRevocation = CFSTR("revocation"); -static CFStringRef kSecPolicyNameOCSPSigner = CFSTR("OCSPSigner"); -static CFStringRef kSecPolicyNameSMIME = CFSTR("SMIME"); -static CFStringRef kSecPolicyNameCodeSigning = CFSTR("CodeSigning"); -static CFStringRef kSecPolicyNamePackageSigning = CFSTR("PackageSigning"); -static CFStringRef kSecPolicyNameLockdownPairing = CFSTR("LockdownPairing"); 
-static CFStringRef kSecPolicyNameURLBag = CFSTR("URLBag"); -static CFStringRef kSecPolicyNameOTATasking = CFSTR("OTATasking"); -static CFStringRef kSecPolicyNameMobileAsset = CFSTR("MobileAsset"); -static CFStringRef kSecPolicyNameAppleIDAuthority = CFSTR("AppleIDAuthority"); -static CFStringRef kSecPolicyNameMacAppStoreReceipt = CFSTR("MacAppStoreReceipt"); -static CFStringRef kSecPolicyNameAppleTimeStamping = CFSTR("AppleTimeStamping"); -static CFStringRef kSecPolicyNameApplePassbook = CFSTR("ApplePassbook"); -static CFStringRef kSecPolicyNameAppleMobileStore = CFSTR("AppleMobileStore"); -static CFStringRef kSecPolicyNameAppleTestMobileStore = CFSTR("AppleTestMobileStore"); -static CFStringRef kSecPolicyNameAppleEscrowService = CFSTR("AppleEscrowService"); -static CFStringRef kSecPolicyNameApplePCSEscrowService = CFSTR("ApplePCSEscrowService"); -static CFStringRef kSecPolicyNameAppleProfileSigner = CFSTR("AppleProfileSigner"); -static CFStringRef kSecPolicyNameAppleQAProfileSigner = CFSTR("AppleQAProfileSigner"); -static CFStringRef kSecPolicyNameAppleOTAPKIAssetSigner = CFSTR("AppleOTAPKIAssetSigner"); -static CFStringRef kSecPolicyNameAppleTestOTAPKIAssetSigner = CFSTR("AppleTestOTAPKIAssetSigner"); -static CFStringRef kSecPolicyNameAppleIDValidationRecordSigningPolicy = CFSTR("AppleIDValidationRecordSigningPolicy"); -static CFStringRef kSecPolicyNameApplePayIssuerEncryption = CFSTR("ApplePayIssuerEncryption"); -static CFStringRef kSecPolicyNameAppleOSXProvisioningProfileSigning = CFSTR("AppleOSXProvisioningProfileSigning"); -static CFStringRef kSecPolicyNameAppleATVVPNProfileSigning = CFSTR("AppleATVVPNProfileSigning"); -static CFStringRef kSecPolicyNameAppleExternalDeveloper = CFSTR("Developer"); -static CFStringRef kSecPolicyNameAppleSoftwareSigning = CFSTR("SoftwareSigning"); -static CFStringRef kSecPolicyNameAppleSMPEncryption = CFSTR("AppleSMPEncryption"); -static CFStringRef kSecPolicyNameAppleTestSMPEncryption = CFSTR("AppleTestSMPEncryption"); -static 
CFStringRef kSecPolicyNameApplePPQSigning = CFSTR("ApplePPQSigning"); -static CFStringRef kSecPolicyNameAppleTestPPQSigning = CFSTR("AppleTestPPQSigning"); -static CFStringRef kSecPolicyNameAppleLegacyPushService = CFSTR("AppleLegacyPushService"); -static CFStringRef kSecPolicyNameAppleSSLService = CFSTR("AppleSSLService"); +#undef POLICYMACRO +#define __P_DO_DECLARE_(NAME, INTNAME) static CFStringRef kSecPolicyName##NAME = CFSTR(#INTNAME); +#define __P_DO_DECLARE_P(NAME, INTNAME) const CFStringRef kSecPolicyNameApple##NAME = CFSTR(#INTNAME); +#define __P_DO_DECLARE_I(NAME, INTNAME) const CFStringRef kSecPolicyName##NAME = CFSTR(#INTNAME); +#define POLICYMACRO(NAME, OID, ISPUBLIC, INTNAME, IN_NAME, IN_PROPERTIES, FUNCTION) \ +__P_DO_DECLARE_##ISPUBLIC(NAME, INTNAME) +#include "SecPolicy.list" +//Some naming exceptions static CFStringRef kSecPolicyNameAppleIDSBag = CFSTR("IDSBag"); -static CFStringRef kSecPolicyNameAppleUniqueDeviceCertificate = CFSTR("UCRT"); -static CFStringRef kSecPolicyNameAppleSecureIOStaticAsset = CFSTR("SecureIOStaticAsset"); -static CFStringRef kSecPolicyNameAppleWarsaw = CFSTR("Warsaw"); -static CFStringRef kSecPolicyNameAppleAppTransportSecurity = CFSTR("ATS"); -static CFStringRef kSecPolicyNameMobileSoftwareUpdate = CFSTR("MobileSoftwareUpdate"); -static CFStringRef kSecPolicyNameAppleMacOSProfileApplicationSigning = CFSTR("macOSProfileApplicationSigning"); -static CFStringRef kSecPolicyNameAppleBasicAttestationSystem = CFSTR("BAA-SCRT"); -static CFStringRef kSecPolicyNameAppleBasicAttestationUser = CFSTR("BAA-UCRT"); -static CFStringRef kSecPolicyNameiPhoneVPNApplicationSigning = CFSTR("iPhoneVPNApplicationSigning"); - -/* Private policy names (SSL Pinned Services) */ + +/* External Policy Names + * These correspond to the names defined in CertificatePinning.plist + * in security_certificates */ +SEC_CONST_DECL (kSecPolicyNameSSLServer, "sslServer"); +SEC_CONST_DECL (kSecPolicyNameSSLClient, "sslClient"); +SEC_CONST_DECL 
(kSecPolicyNameEAPServer, "eapServer"); +SEC_CONST_DECL (kSecPolicyNameEAPClient, "eapClient"); +SEC_CONST_DECL (kSecPolicyNameIPSecServer, "ipsecServer"); +SEC_CONST_DECL (kSecPolicyNameIPSecClient, "ipsecClient"); SEC_CONST_DECL (kSecPolicyNameAppleiCloudSetupService, "iCloudSetup"); -SEC_CONST_DECL (kSecPolicyNameAppleGSService, "GS"); SEC_CONST_DECL (kSecPolicyNameAppleMMCSService, "MMCS"); -SEC_CONST_DECL (kSecPolicyNameApplePPQService, "PPQ"); -SEC_CONST_DECL (kSecPolicyNameAppleIDSService, "IDS"); -SEC_CONST_DECL (kSecPolicyNameApplePushService, "APN"); SEC_CONST_DECL (kSecPolicyNameAppleAST2Service, "AST2"); SEC_CONST_DECL (kSecPolicyNameAppleEscrowProxyService, "Escrow"); SEC_CONST_DECL (kSecPolicyNameAppleFMiPService, "FMiP"); SEC_CONST_DECL (kSecPolicyNameAppleHomeKitService, "HomeKit"); -SEC_CONST_DECL (kSecPolicyNameAppleGalaxyProviderService, "GalaxyProvider"); +SEC_CONST_DECL (kSecPolicyNameAppleAIDCService, "AIDC"); +SEC_CONST_DECL (kSecPolicyNameAppleMapsService, "Maps"); +SEC_CONST_DECL (kSecPolicyNameAppleHealthProviderService, "HealthProvider"); +SEC_CONST_DECL (kSecPolicyNameAppleParsecService, "Parsec"); #define kSecPolicySHA1Size 20 #define kSecPolicySHA256Size 32 
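Review bot: The helper macros `__P_DO_DECLARE_`, `__P_DO_DECLARE_P` and `__P_DO_DECLARE_I` use identifiers beginning with a double underscore, which C reserves for the implementation. A project-prefixed name avoids that, for example `#define SECPOLICY_DECLARE_NAME_(NAME, INTNAME) ...` with `SECPOLICY_DECLARE_NAME_##ISPUBLIC(NAME, INTNAME)` in `POLICYMACRO`. The dispatch on `ISPUBLIC` also deserves a one-line comment listing the accepted values (empty, `P`, `I`) and what each produces, since the empty case yields a non-const `static CFStringRef` while the other two yield a `const CFStringRef` with external linkage.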
@@ -541,306 +288,127 @@ SecPolicyRef SecPolicyCreateWithProperties(CFTypeRef policyIdentifier, goto errOut; } - /* These are in the same order as the constant declarations. */ - /* @@@ This should be turned into a table. */ - if (CFEqual(policyIdentifier, kSecPolicyAppleX509Basic)) { - policy = SecPolicyCreateBasicX509(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleSSL)) { - policy = SecPolicyCreateSSL(!client, name); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleSMIME)) { - policy = SecPolicyCreateSMIME(kSecSignSMIMEUsage | kSecAnyEncryptSMIME, name); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleEAP)) { - CFArrayRef array = NULL; - if (isString(name)) { - array = CFArrayCreate(kCFAllocatorDefault, (const void **)&name, 1, &kCFTypeArrayCallBacks); - } else if (isArray(name)) { - array = CFArrayCreateCopy(NULL, name); - } - policy = SecPolicyCreateEAP(!client, array); - CFReleaseSafe(array); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleSWUpdateSigning)) { - policy = SecPolicyCreateAppleSWUpdateSigning(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleIPsec)) { + /* What follows are all the exceptional functions that do not match the macro below */ + if (CFEqual(policyIdentifier, kSecPolicyAppleSSL)) { + policy = SecPolicyCreateSSL(!client, name); + } else if (CFEqual(policyIdentifier, kSecPolicyAppleSMIME)) { + policy = SecPolicyCreateSMIME(kSecSignSMIMEUsage | kSecAnyEncryptSMIME, name); + } else if (CFEqual(policyIdentifier, kSecPolicyAppleEAP)) { + CFArrayRef array = NULL; + if (isString(name)) { + array = CFArrayCreate(kCFAllocatorDefault, (const void **)&name, 1, &kCFTypeArrayCallBacks); + } else if (isArray(name)) { + array = CFArrayCreateCopy(NULL, name); + } + policy = SecPolicyCreateEAP(!client, array); + CFReleaseSafe(array); + } else if (CFEqual(policyIdentifier, kSecPolicyAppleIPsec)) { policy = SecPolicyCreateIPSec(!client, name); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleCodeSigning)) { 
- policy = SecPolicyCreateCodeSigning(); - } - else if (CFEqual(policyIdentifier, kSecPolicyApplePackageSigning)) { - policy = SecPolicyCreateApplePackageSigning(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleIDValidation)) { - policy = SecPolicyCreateAppleIDAuthorityPolicy(); - } - else if (CFEqual(policyIdentifier, kSecPolicyMacAppStoreReceipt)) { + } else if (CFEqual(policyIdentifier, kSecPolicyMacAppStoreReceipt)) { policy = SecPolicyCreateMacAppStoreReceipt(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleTimeStamping)) { - policy = SecPolicyCreateAppleTimeStamping(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleRevocation)) { - policy = SecPolicyCreateRevocation(kSecRevocationUseAnyAvailableMethod); - } - else if (CFEqual(policyIdentifier, kSecPolicyApplePassbookSigning)) { - policy = SecPolicyCreatePassbookCardSigner(name, teamID); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleMobileStore)) { - policy = SecPolicyCreateMobileStoreSigner(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleEscrowService)) { - policy = SecPolicyCreateEscrowServiceSigner(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleProfileSigner)) { - policy = SecPolicyCreateConfigurationProfileSigner(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleQAProfileSigner)) { - policy = SecPolicyCreateQAConfigurationProfileSigner(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleTestMobileStore)) { - policy = SecPolicyCreateTestMobileStoreSigner(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleOTAPKISigner)) { - policy = SecPolicyCreateOTAPKISigner(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleTestOTAPKISigner)) { - policy = SecPolicyCreateTestOTAPKISigner(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleIDValidationRecordSigning)) { - policy = SecPolicyCreateAppleIDValidationRecordSigningPolicy(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleSMPEncryption)) { - policy = 
SecPolicyCreateAppleSMPEncryption(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleTestSMPEncryption)) { - policy = SecPolicyCreateTestAppleSMPEncryption(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleServerAuthentication)) { - policy = SecPolicyCreateAppleSSLService(name); - } - else if (CFEqual(policyIdentifier, kSecPolicyApplePCSEscrowService)) { - policy = SecPolicyCreatePCSEscrowServiceSigner(); - } - else if (CFEqual(policyIdentifier, kSecPolicyApplePPQSigning)) { - policy = SecPolicyCreateApplePPQSigning(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleTestPPQSigning)) { - policy = SecPolicyCreateTestApplePPQSigning(); - } - else if (CFEqual(policyIdentifier, kSecPolicyApplePayIssuerEncryption)) { - policy = SecPolicyCreateApplePayIssuerEncryption(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleOSXProvisioningProfileSigning)) { - policy = SecPolicyCreateOSXProvisioningProfileSigning(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleATVVPNProfileSigning)) { - policy = SecPolicyCreateAppleATVVPNProfileSigning(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleAST2DiagnosticsServerAuth)) { + } else if (CFEqual(policyIdentifier, kSecPolicyAppleRevocation)) { + policy = SecPolicyCreateRevocation(kSecRevocationUseAnyAvailableMethod); + } else if (CFEqual(policyIdentifier, kSecPolicyApplePassbookSigning)) { + policy = SecPolicyCreatePassbookCardSigner(name, teamID); + } else if (CFEqual(policyIdentifier, kSecPolicyAppleAST2DiagnosticsServerAuth)) { if (name) { policy = SecPolicyCreateAppleAST2Service(name, context); } else { secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier); } - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleEscrowProxyServerAuth)) { + } else if (CFEqual(policyIdentifier, kSecPolicyAppleEscrowProxyServerAuth)) { if (name) { policy = SecPolicyCreateAppleEscrowProxyService(name, context); } else { secerror("policy \"%@\" requires kSecPolicyName input", 
policyIdentifier); } - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleFMiPServerAuth)) { + } else if (CFEqual(policyIdentifier, kSecPolicyAppleFMiPServerAuth)) { if (name) { policy = SecPolicyCreateAppleFMiPService(name, context); } else { secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier); } - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleMMCSService)) { + } else if (CFEqual(policyIdentifier, kSecPolicyAppleMMCService)) { if (name) { policy = SecPolicyCreateAppleMMCSService(name, context); } else { secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier); } - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleGSService)) { + } else if (CFEqual(policyIdentifier, kSecPolicyAppleGSService)) { if (name) { policy = SecPolicyCreateAppleGSService(name, context); } else { secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier); } - } - else if (CFEqual(policyIdentifier, kSecPolicyApplePPQService)) { + } else if (CFEqual(policyIdentifier, kSecPolicyApplePPQService)) { if (name) { policy = SecPolicyCreateApplePPQService(name, context); } else { secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier); } - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleHomeKitServerAuth)) { - policy = SecPolicyCreateAppleHomeKitServerAuth(name); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleiPhoneActivation)) { - policy = SecPolicyCreateiPhoneActivation(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleiPhoneDeviceCertificate)) { - policy = SecPolicyCreateiPhoneDeviceCertificate(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleFactoryDeviceCertificate)) { - policy = SecPolicyCreateFactoryDeviceCertificate(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleiAP)) { - policy = SecPolicyCreateiAP(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleiTunesStoreURLBag)) { - policy = SecPolicyCreateiTunesStoreURLBag(); - } - else if 
(CFEqual(policyIdentifier, kSecPolicyAppleiPhoneApplicationSigning)) { - policy = SecPolicyCreateiPhoneApplicationSigning(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleiPhoneProfileApplicationSigning)) { - policy = SecPolicyCreateiPhoneProfileApplicationSigning(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleiPhoneProvisioningProfileSigning)) { - policy = SecPolicyCreateiPhoneProvisioningProfileSigning(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleLockdownPairing)) { - policy = SecPolicyCreateLockdownPairing(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleURLBag)) { - policy = SecPolicyCreateURLBag(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleOTATasking)) { - policy = SecPolicyCreateOTATasking(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleMobileAsset)) { - policy = SecPolicyCreateMobileAsset(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleIDAuthority)) { - policy = SecPolicyCreateAppleIDAuthorityPolicy(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleGenericApplePinned)) { + } else if (CFEqual(policyIdentifier, kSecPolicyAppleGenericApplePinned)) { if (policyName) { policy = SecPolicyCreateApplePinned(policyName, intermediateMarkerOid, leafMarkerOid); } else { secerror("policy \"%@\" requires kSecPolicyPolicyName input", policyIdentifier); } - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleGenericAppleSSLPinned)) { + } else if (CFEqual(policyIdentifier, kSecPolicyAppleGenericAppleSSLPinned)) { if (policyName) { policy = SecPolicyCreateAppleSSLPinned(policyName, name, intermediateMarkerOid, leafMarkerOid); } else { secerror("policy \"%@\" requires kSecPolicyPolicyName input", policyIdentifier); } - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleSoftwareSigning)) { - policy = SecPolicyCreateAppleSoftwareSigning(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleExternalDeveloper)) { - policy = SecPolicyCreateAppleExternalDeveloper(); - } - else if 
(CFEqual(policyIdentifier, kSecPolicyAppleOCSPSigner)) { - policy = SecPolicyCreateOCSPSigner(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleIDSService)) { - policy = SecPolicyCreateAppleIDSService(name); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleIDSServiceContext)) { + } else if (CFEqual(policyIdentifier, kSecPolicyAppleIDSServiceContext)) { if (name) { policy = SecPolicyCreateAppleIDSServiceContext(name, context); } else { secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier); } - } - else if (CFEqual(policyIdentifier, kSecPolicyApplePushService)) { + } else if (CFEqual(policyIdentifier, kSecPolicyApplePushService)) { if (name) { policy = SecPolicyCreateApplePushService(name, context); } else { secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier); } - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleLegacyPushService)) { - if (name) { - policy = SecPolicyCreateApplePushServiceLegacy(name); - } else { - secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier); - } - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleTVOSApplicationSigning)) { - policy = SecPolicyCreateAppleTVOSApplicationSigning(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleUniqueDeviceIdentifierCertificate)) { + } else if (CFEqual(policyIdentifier, kSecPolicyAppleUniqueDeviceIdentifierCertificate)) { policy = SecPolicyCreateAppleUniqueDeviceCertificate(rootDigest); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleEscrowProxyCompatibilityServerAuth)) { - if (name) { - policy = SecPolicyCreateAppleCompatibilityEscrowProxyService(name); - } else { - secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier); - } - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleMMCSCompatibilityServerAuth)) { - if (name) { - policy = SecPolicyCreateAppleCompatibilityMMCSService(name); - } else { - secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier); - } - } - else 
if (CFEqual(policyIdentifier, kSecPolicyAppleSecureIOStaticAsset)) { - policy = SecPolicyCreateAppleSecureIOStaticAsset(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleWarsaw)) { - policy = SecPolicyCreateAppleWarsaw(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleiCloudSetupServerAuth)) { + } else if (CFEqual(policyIdentifier, kSecPolicyAppleiCloudSetupServerAuth)) { if (name) { policy = SecPolicyCreateAppleiCloudSetupService(name, context); } else { secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier); } - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleiCloudSetupCompatibilityServerAuth)) { - if (name) { - policy = SecPolicyCreateAppleCompatibilityiCloudSetupService(name); - } else { - secerror("policy \"%@\" requires kSecPolicyName input", policyIdentifier); - } - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleAppTransportSecurity)) { - policy = SecPolicyCreateAppleAppTransportSecurity(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleMobileAssetDevelopment)) { - policy = SecPolicyCreateMobileAssetDevelopment(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleMobileSoftwareUpdate)) { - policy = SecPolicyCreateMobileSoftwareUpdate(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleMacOSProfileApplicationSigning)) { - policy = SecPolicyCreateMacOSProfileApplicationSigning(); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleBasicAttestationSystem)) { - policy = SecPolicyCreateAppleBasicAttestationSystem(NULL); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleBasicAttestationUser)) { - policy = SecPolicyCreateAppleBasicAttestationUser(NULL); - } - else if (CFEqual(policyIdentifier, kSecPolicyAppleiPhoneVPNApplicationSigning)) { - policy = SecPolicyCreateiPhoneVPNApplicationSigning(); - } + } else if (CFEqual(policyIdentifier, kSecPolicyAppleBasicAttestationSystem)) { + policy = SecPolicyCreateAppleBasicAttestationSystem(rootDigest); + } else if (CFEqual(policyIdentifier, 
kSecPolicyAppleBasicAttestationUser)) { + policy = SecPolicyCreateAppleBasicAttestationUser(rootDigest); + } + /* For a couple of common patterns we use the macro */ +#define _P_OPTION_ +#define _P_OPTION_N name +#define _P_PROPERTIES_(NAME, IN_NAME, FUNCTION) +#define _P_PROPERTIES_Y(NAME, IN_NAME, FUNCTION) else if (CFEqual(policyIdentifier, kSecPolicyApple##NAME)) { \ + policy = SecPolicyCreate##FUNCTION(_P_OPTION_##IN_NAME); \ +} +#undef POLICYMACRO +#define POLICYMACRO(NAME, OID, ISPUBLIC, INTNAME, IN_NAME, IN_PROPERTIES, FUNCTION) \ +_P_PROPERTIES_##IN_PROPERTIES(NAME, IN_NAME, FUNCTION) +#include "SecPolicy.list" else { secerror("ERROR: policy \"%@\" is unsupported", policyIdentifier); } + if (!policy) { + return NULL; + } + #ifdef TARGET_OS_OSX set_ku_from_properties(policy, properties); #endif - SecPolicySetName(policy, policyName); + if (policyName) { + SecPolicySetName(policy, policyName); + } errOut: return policy; 
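Review bot: The two Basic Attestation branches at the end of the explicit chain now pass `rootDigest` where the old code passed `NULL`, so a value taken from the caller's properties can replace the pinned BA root hash for these policies. The creators name that parameter `testRootHash`, which suggests it was meant for test roots only; where `rootDigest` is read and whether its type and length are checked is outside this hunk. I would document the branches with `/* rootDigest comes from the caller's properties and overrides the pinned BA root; expected to be a CFData of kSecPolicySHA256Size bytes */` and confirm that the check exists before the value is used. SecPolicyCreateWithProperties starts and ends outside the hunk.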
@@ -1616,18 +1184,14 @@ static void SecPolicyAddBasicCertOptions(CFMutableDictionaryRef options) CFDictionaryAddValue(options, kSecPolicyCheckIdLinkage, kCFBooleanTrue); CFDictionaryAddValue(options, kSecPolicyCheckBasicConstraints, kCFBooleanTrue); CFDictionaryAddValue(options, kSecPolicyCheckNonEmptySubject, kCFBooleanTrue); - CFDictionaryAddValue(options, kSecPolicyCheckQualifiedCertStatements, kCFBooleanTrue); - CFDictionaryAddValue(options, kSecPolicyCheckWeakIntermediates, kCFBooleanTrue); - CFDictionaryAddValue(options, kSecPolicyCheckWeakLeaf, kCFBooleanTrue); - CFDictionaryAddValue(options, kSecPolicyCheckWeakRoot, kCFBooleanTrue); + CFDictionaryAddValue(options, kSecPolicyCheckWeakKeySize, kCFBooleanTrue); + CFDictionaryAddValue(options, kSecPolicyCheckWeakSignature, kCFBooleanTrue); } static void SecPolicyAddBasicX509Options(CFMutableDictionaryRef options) { SecPolicyAddBasicCertOptions(options); - CFDictionaryAddValue(options, kSecPolicyCheckValidIntermediates, kCFBooleanTrue); - CFDictionaryAddValue(options, kSecPolicyCheckValidLeaf, kCFBooleanTrue); - CFDictionaryAddValue(options, kSecPolicyCheckValidRoot, kCFBooleanTrue); + CFDictionaryAddValue(options, kSecPolicyCheckTemporalValidity, kCFBooleanTrue); // Make sure that black and gray leaf checks are performed for basic X509 chain building CFDictionaryAddValue(options, kSecPolicyCheckBlackListedLeaf, kCFBooleanTrue); @@ -1761,7 +1325,7 @@ SecPolicyRef SecPolicyCreateBasicX509(void) { CFDictionaryAddValue(options, kSecPolicyCheckNoNetworkAccess, kCFBooleanTrue); - require(result = SecPolicyCreate(kSecPolicyAppleX509Basic, kSecPolicyNameBasicX509, options), errOut); + require(result = SecPolicyCreate(kSecPolicyAppleX509Basic, kSecPolicyNameX509Basic, options), errOut); errOut: CFReleaseSafe(options); 
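Review bot: SecPolicyAddBasicCertOptions no longer adds kSecPolicyCheckQualifiedCertStatements, and nothing in the hunk shows a replacement, so it is not clear from here whether that check still applies to basic certificate policies. The per-position options (WeakLeaf/WeakIntermediates/WeakRoot here, ValidLeaf/ValidIntermediates/ValidRoot in SecPolicyAddBasicX509Options) collapse into single keys, and the code does not say which certificates in the chain each key covers. If the evaluator applies them to the whole chain, a comment above the new lines should say so, e.g. `/* applies to every certificate in the chain: leaf, intermediates and root */`. The commit message should also state where the qualified-statements check went.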
@@ -2336,7 +1900,7 @@ SecPolicyRef SecPolicyCreateMacOSProfileApplicationSigning(void) { /* On macOS, the cert in the provisioning profile may be one of: - leaf OID intermediate OID + leaf OID intermediate OID MAS Development .6.1.12 .6.2.1 MAS Submission .6.1.7 .6.2.1 Developer ID .6.1.13 .6.2.6 @@ -2352,7 +1916,7 @@ SecPolicyRef SecPolicyCreateMacOSProfileApplicationSigning(void) { require(result = SecPolicyCreate(kSecPolicyAppleMacOSProfileApplicationSigning, - kSecPolicyNameAppleMacOSProfileApplicationSigning, + kSecPolicyNameMacOSProfileApplicationSigning, options), errOut); errOut: @@ -2412,7 +1976,7 @@ SecPolicyRef SecPolicyCreateAppleTVOSApplicationSigning(void) { require(SecPolicyAddChainLengthOptions(options, 3), errOut); - require_quiet(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleTVOSApplicationSigning), + require_quiet(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameTVOSApplicationSigning), errOut); /* Check for intermediate: Apple Worldwide Developer Relations */ @@ -2428,7 +1992,7 @@ SecPolicyRef SecPolicyCreateAppleTVOSApplicationSigning(void) { add_leaf_marker(options, &oidAppleTVOSApplicationSigningProdQA); require(result = SecPolicyCreate(kSecPolicyAppleTVOSApplicationSigning, - kSecPolicyNameAppleTVOSApplicationSigning, options), + kSecPolicyNameTVOSApplicationSigning, options), errOut); errOut: 
@@ -2614,13 +2178,13 @@ SecPolicyRef SecPolicyCreateAppleSWUpdateSigning(void) { SecPolicyAddBasicX509Options(options); require(SecPolicyAddChainLengthOptions(options, 3), errOut); - require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleSWUpdateSigning), errOut); + require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameSWUpdateSigning), errOut); add_eku(options, &oidAppleExtendedKeyUsageCodeSigning); add_oid(options, kSecPolicyCheckIntermediateEKU, &oidAppleExtendedKeyUsageCodeSigning); require(result = SecPolicyCreate(kSecPolicyAppleSWUpdateSigning, - kSecPolicyNameAppleSWUpdateSigning, options), + kSecPolicyNameSWUpdateSigning, options), errOut); errOut: @@ -2677,11 +2241,7 @@ SecPolicyRef SecPolicyCreateLockdownPairing(void) { kCFBooleanTrue); CFDictionaryAddValue(options, kSecPolicyCheckBasicConstraints, kCFBooleanTrue); - CFDictionaryAddValue(options, kSecPolicyCheckQualifiedCertStatements, - kCFBooleanTrue); - CFDictionaryAddValue(options, kSecPolicyCheckWeakIntermediates, kCFBooleanTrue); - CFDictionaryAddValue(options, kSecPolicyCheckWeakLeaf, kCFBooleanTrue); - CFDictionaryAddValue(options, kSecPolicyCheckWeakRoot, kCFBooleanTrue); + CFDictionaryAddValue(options, kSecPolicyCheckWeakKeySize, kCFBooleanTrue); require(result = SecPolicyCreate(kSecPolicyAppleLockdownPairing, kSecPolicyNameLockdownPairing, options), errOut); @@ -2815,7 +2375,7 @@ SecPolicyRef SecPolicyCreateAppleIDAuthorityPolicy(void) SecPolicyAddBasicX509Options(options); // Apple CA anchored - require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleIDAuthority), out); + require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameIDAuthority), out); // with the addition of the existence check of an extension with "Apple ID Sharing Certificate" oid (1.2.840.113635.100.4.7) // NOTE: this obviously intended to have gone into Extended Key Usage, but evidence of existing certs proves the contrary. 
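Review bot: SecPolicyCreateLockdownPairing now sets only kSecPolicyCheckWeakKeySize in place of the three Weak* options, while SecPolicyAddBasicCertOptions in the same commit sets both kSecPolicyCheckWeakKeySize and kSecPolicyCheckWeakSignature. If lockdown pairing certificates are deliberately exempt from the signature-strength check, a comment should say so, e.g. `/* weak-signature check intentionally omitted for lockdown pairing */`. Otherwise add `CFDictionaryAddValue(options, kSecPolicyCheckWeakSignature, kCFBooleanTrue);` next to the key-size line. The function body starts and ends outside the hunk.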
@@ -2826,7 +2386,7 @@ SecPolicyRef SecPolicyCreateAppleIDAuthorityPolicy(void) add_oid(options, kSecPolicyCheckIntermediateMarkerOid, &oidAppleIntmMarkerAppleID2); require(result = SecPolicyCreate(kSecPolicyAppleIDAuthority, - kSecPolicyNameAppleIDAuthority, options), out); + kSecPolicyNameIDAuthority, options), out); out: CFReleaseSafe(options); @@ -2879,7 +2439,7 @@ static SecPolicyRef _SecPolicyCreatePassbookCardSigner(CFStringRef cardIssuer, C &kCFTypeDictionaryValueCallBacks), out); SecPolicyAddBasicX509Options(options); - require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameApplePassbook), out); + require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNamePassbookSigning), out); // Chain length of 3 require(SecPolicyAddChainLengthOptions(options, 3), out); @@ -2906,7 +2466,7 @@ static SecPolicyRef _SecPolicyCreatePassbookCardSigner(CFStringRef cardIssuer, C add_eku(options, &oidAppleExtendedKeyUsagePassbook); require(result = SecPolicyCreate(kSecPolicyApplePassbookSigning, - kSecPolicyNameApplePassbook, options), out); + kSecPolicyNamePassbookSigning, options), out); out: CFReleaseSafe(options); @@ -2929,8 +2489,8 @@ static SecPolicyRef CreateMobileStoreSigner(Boolean forTest) &kCFTypeDictionaryValueCallBacks), errOut); SecPolicyAddBasicX509Options(options); require(SecPolicyAddAppleAnchorOptions(options, - ((forTest) ? kSecPolicyNameAppleTestMobileStore : - kSecPolicyNameAppleMobileStore)), errOut); + ((forTest) ? kSecPolicyNameTestMobileStore : + kSecPolicyNameMobileStore)), errOut); require(SecPolicyAddChainLengthOptions(options, 3), errOut); 
@@ -2944,7 +2504,7 @@ static SecPolicyRef CreateMobileStoreSigner(Boolean forTest) add_certificate_policy_oid(options, pOID); require(result = SecPolicyCreate((forTest) ? kSecPolicyAppleTestMobileStore : kSecPolicyAppleMobileStore, - (forTest) ? kSecPolicyNameAppleTestMobileStore : kSecPolicyNameAppleMobileStore, + (forTest) ? kSecPolicyNameTestMobileStore : kSecPolicyNameMobileStore, options), errOut); errOut: @@ -3019,7 +2579,7 @@ CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateEscrowServiceSigner(void) require(result = SecPolicyCreate(kSecPolicyAppleEscrowService, - kSecPolicyNameAppleEscrowService, options), errOut); + kSecPolicyNameEscrowService, options), errOut); errOut: CFReleaseSafe(anArray); @@ -3081,7 +2641,7 @@ CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreatePCSEscrowServiceSigner(void) require(result = SecPolicyCreate(kSecPolicyApplePCSEscrowService, - kSecPolicyNameApplePCSEscrowService, options), errOut); + kSecPolicyNamePCSEscrowService, options), errOut); errOut: CFReleaseSafe(anArray); @@ -3097,7 +2657,7 @@ static SecPolicyRef CreateConfigurationProfileSigner(bool forTest) { &kCFTypeDictionaryValueCallBacks), errOut); SecPolicyAddBasicX509Options(options); - require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleProfileSigner), errOut); + require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameProfileSigner), errOut); //Chain length 3 require(SecPolicyAddChainLengthOptions(options, 3), errOut); @@ -3110,7 +2670,7 @@ static SecPolicyRef CreateConfigurationProfileSigner(bool forTest) { add_element(options, kSecPolicyCheckIntermediateMarkerOid, CFSTR("1.2.840.113635.100.6.2.3")); require(result = SecPolicyCreate((forTest) ? kSecPolicyAppleQAProfileSigner: kSecPolicyAppleProfileSigner, - (forTest) ? kSecPolicyNameAppleQAProfileSigner : kSecPolicyNameAppleProfileSigner, + (forTest) ? kSecPolicyNameQAProfileSigner : kSecPolicyNameProfileSigner, options), errOut); errOut: 
@@ -3142,7 +2702,7 @@ SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void) &kCFTypeDictionaryValueCallBacks), errOut); // Require valid chain from the Apple root SecPolicyAddBasicX509Options(options); - SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleOSXProvisioningProfileSigning); + SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameOSXProvisioningProfileSigning); // Require provisioning profile leaf marker OID (1.2.840.113635.100.4.11) add_leaf_marker(options, &oidAppleCertExtOSXProvisioningProfileSigning); @@ -3157,7 +2717,7 @@ SecPolicyRef SecPolicyCreateOSXProvisioningProfileSigning(void) CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationOCSP); require(result = SecPolicyCreate(kSecPolicyAppleOSXProvisioningProfileSigning, - kSecPolicyNameAppleOSXProvisioningProfileSigning, options), errOut); + kSecPolicyNameOSXProvisioningProfileSigning, options), errOut); errOut: CFReleaseSafe(options); @@ -3178,7 +2738,7 @@ SecPolicyRef SecPolicyCreateOTAPKISigner(void) require(SecPolicyAddChainLengthOptions(options, 2), errOut); require(result = SecPolicyCreate(kSecPolicyAppleOTAPKISigner, - kSecPolicyNameAppleOTAPKIAssetSigner, options), errOut); + kSecPolicyNameOTAPKISigner, options), errOut); errOut: CFReleaseSafe(options); @@ -3205,7 +2765,7 @@ SecPolicyRef SecPolicyCreateTestOTAPKISigner(void) require(SecPolicyAddChainLengthOptions(options, 2), errOut); require(result = SecPolicyCreate(kSecPolicyAppleTestOTAPKISigner, - kSecPolicyNameAppleTestOTAPKIAssetSigner, options), errOut); + kSecPolicyNameTestOTAPKISigner, options), errOut); errOut: CFReleaseSafe(options); 
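Review bot: In SecPolicyCreateOSXProvisioningProfileSigning the renamed call `SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameOSXProvisioningProfileSigning);` still discards its result, so a failure to add the Apple anchor requirement would apparently go unnoticed and the policy would be built without it. Other creators in this commit wrap the same call in `require(...)`; the line should read `require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameOSXProvisioningProfileSigning), errOut);`. The same unchecked call appears in the SecPolicyCreateApplePPQSigning and SecPolicyCreateTestApplePPQSigning hunks further down. All three function bodies start and end outside their hunks.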
@@ -3229,7 +2789,7 @@ SecPolicyRef SecPolicyCreateAppleSMPEncryption(void) &kCFTypeDictionaryValueCallBacks), errOut); SecPolicyAddBasicCertOptions(options); - require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleSMPEncryption), + require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameSMPEncryption), errOut); require(SecPolicyAddChainLengthOptions(options, 3), errOut); @@ -3248,7 +2808,7 @@ SecPolicyRef SecPolicyCreateAppleSMPEncryption(void) CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationOCSP); require(result = SecPolicyCreate(kSecPolicyAppleSMPEncryption, - kSecPolicyNameAppleSMPEncryption, options), errOut); + kSecPolicyNameSMPEncryption, options), errOut); errOut: CFReleaseSafe(options); @@ -3282,7 +2842,7 @@ SecPolicyRef SecPolicyCreateTestAppleSMPEncryption(void) CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationOCSP); require(result = SecPolicyCreate(kSecPolicyAppleTestSMPEncryption, - kSecPolicyNameAppleTestSMPEncryption, options), errOut); + kSecPolicyNameTestSMPEncryption, options), errOut); errOut: CFReleaseSafe(options); @@ -3303,7 +2863,7 @@ SecPolicyRef SecPolicyCreateAppleIDValidationRecordSigningPolicy(void) // Apple CA anchored require(SecPolicyAddAppleAnchorOptions(options, - kSecPolicyNameAppleIDValidationRecordSigningPolicy), + kSecPolicyNameIDValidationRecordSigning), errOut); // Check for an extension with " Apple ID Validation Record Signing" oid (1.2.840.113635.100.6.25) @@ -3320,7 +2880,7 @@ SecPolicyRef SecPolicyCreateAppleIDValidationRecordSigningPolicy(void) CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationOCSP); require(result = SecPolicyCreate(kSecPolicyAppleIDValidationRecordSigning, - kSecPolicyNameAppleIDValidationRecordSigningPolicy, options), errOut); + kSecPolicyNameIDValidationRecordSigning, options), errOut); errOut: CFReleaseSafe(options); 
@@ -3631,7 +3191,7 @@ SecPolicyRef SecPolicyCreateApplePushServiceLegacy(CFStringRef hostname) CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny); result = SecPolicyCreate(kSecPolicyAppleLegacyPushService, - kSecPolicyNameAppleLegacyPushService, options); + kSecPolicyNameLegacyPushService, options); require(result, errOut); errOut: @@ -3646,7 +3206,7 @@ errOut: */ SecPolicyRef SecPolicyCreateAppleMMCSService(CFStringRef hostname, CFDictionaryRef context) { - return SecPolicyCreateAppleServerAuthCommon(hostname, context, kSecPolicyAppleMMCSService, + return SecPolicyCreateAppleServerAuthCommon(hostname, context, kSecPolicyAppleMMCService, kSecPolicyNameAppleMMCSService, &oidAppleCertExtAppleServerAuthenticationMMCSProd, &oidAppleCertExtAppleServerAuthenticationMMCSProdQA); @@ -3691,7 +3251,7 @@ SecPolicyRef SecPolicyCreateAppleSSLService(CFStringRef hostname) require((options=(CFMutableDictionaryRef)policy->_options) != NULL, errOut); // Apple CA anchored - require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleSSLService), errOut); + require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameServerAuthentication), errOut); // Check leaf for Apple Server Authentication marker oid (1.2.840.113635.100.6.27.1) add_leaf_marker(options, &oidAppleCertExtAppleServerAuthentication); @@ -3706,7 +3266,7 @@ SecPolicyRef SecPolicyCreateAppleSSLService(CFStringRef hostname) CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationAny); SecPolicySetOid(policy, kSecPolicyAppleServerAuthentication); - SecPolicySetName(policy, kSecPolicyNameAppleSSLService); + SecPolicySetName(policy, kSecPolicyNameServerAuthentication); return policy; 
@@ -3733,7 +3293,7 @@ SecPolicyRef SecPolicyCreateApplePPQSigning(void) &kCFTypeDictionaryValueCallBacks), errOut); SecPolicyAddBasicCertOptions(options); - SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameApplePPQSigning); + SecPolicyAddAppleAnchorOptions(options, kSecPolicyNamePPQSigning); require(SecPolicyAddChainLengthOptions(options, 3), errOut); CFDictionaryAddValue(options, kSecPolicyCheckIssuerCommonName, @@ -3748,7 +3308,7 @@ SecPolicyRef SecPolicyCreateApplePPQSigning(void) add_ku(options, kSecKeyUsageDigitalSignature); require(result = SecPolicyCreate(kSecPolicyApplePPQSigning, - kSecPolicyNameApplePPQSigning, options), errOut); + kSecPolicyNamePPQSigning, options), errOut); errOut: CFReleaseSafe(options); @@ -3777,7 +3337,7 @@ SecPolicyRef SecPolicyCreateTestApplePPQSigning(void) &kCFTypeDictionaryValueCallBacks), errOut); SecPolicyAddBasicCertOptions(options); - SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleTestPPQSigning); + SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameTestPPQSigning); require(SecPolicyAddChainLengthOptions(options, 3), errOut); CFDictionaryAddValue(options, kSecPolicyCheckIssuerCommonName, @@ -3792,7 +3352,7 @@ SecPolicyRef SecPolicyCreateTestApplePPQSigning(void) add_ku(options, kSecKeyUsageDigitalSignature); require(result = SecPolicyCreate(kSecPolicyAppleTestPPQSigning, - kSecPolicyNameAppleTestPPQSigning, options), errOut); + kSecPolicyNameTestPPQSigning, options), errOut); errOut: CFReleaseSafe(options); @@ -3816,7 +3376,7 @@ SecPolicyRef SecPolicyCreateAppleTimeStamping(void) add_eku(options, &oidExtendedKeyUsageTimeStamping); require(result = SecPolicyCreate(kSecPolicyAppleTimeStamping, - kSecPolicyNameAppleTimeStamping, options), errOut); + kSecPolicyNameTimeStamping, options), errOut); errOut: CFReleaseSafe(options); 
@@ -3839,7 +3399,7 @@ SecPolicyRef SecPolicyCreateApplePayIssuerEncryption(void) &kCFTypeDictionaryValueCallBacks), errOut); SecPolicyAddBasicCertOptions(options); - require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameApplePayIssuerEncryption), + require(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNamePayIssuerEncryption), errOut); require(SecPolicyAddChainLengthOptions(options, 3), errOut); @@ -3852,7 +3412,7 @@ SecPolicyRef SecPolicyCreateApplePayIssuerEncryption(void) add_ku(options, kSecKeyUsageKeyEncipherment); require(result = SecPolicyCreate(kSecPolicyApplePayIssuerEncryption, - kSecPolicyNameApplePayIssuerEncryption, options), errOut); + kSecPolicyNamePayIssuerEncryption, options), errOut); errOut: CFReleaseSafe(options); @@ -3900,7 +3460,7 @@ SecPolicyRef SecPolicyCreateAppleATVVPNProfileSigning(void) CFDictionaryAddValue(options, kSecPolicyCheckRevocation, kSecPolicyCheckRevocationOCSP); require(result = SecPolicyCreate(kSecPolicyAppleATVVPNProfileSigning, - kSecPolicyNameAppleATVVPNProfileSigning, options), errOut); + kSecPolicyNameATVVPNProfileSigning, options), errOut); errOut: CFReleaseSafe(options); @@ -3958,7 +3518,7 @@ SecPolicyRef SecPolicyCreateAppleExternalDeveloper(void) { SecPolicyRef result = NULL; /* Create basic Apple pinned policy */ - require(result = SecPolicyCreateApplePinned(kSecPolicyNameAppleExternalDeveloper, + require(result = SecPolicyCreateApplePinned(kSecPolicyNameExternalDeveloper, CFSTR("1.2.840.113635.100.6.2.1"), // WWDR Intermediate OID CFSTR("1.2.840.113635.100.6.1.2")), // "iPhone Developer" leaf OID errOut); @@ -4008,7 +3568,7 @@ SecPolicyRef SecPolicyCreateAppleSoftwareSigning(void) { SecPolicyAddBasicCertOptions(options); /* Anchored to the Apple Roots */ - require_quiet(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleSoftwareSigning), + require_quiet(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameSoftwareSigning), errOut); /* Exactly 3 certs in the chain */ 
@@ -4030,7 +3590,7 @@ SecPolicyRef SecPolicyCreateAppleSoftwareSigning(void) { require(SecPolicyAddStrongKeySizeOptions(options), errOut); require(result = SecPolicyCreate(kSecPolicyAppleSoftwareSigning, - kSecPolicyNameAppleSoftwareSigning, options), errOut); + kSecPolicyNameSoftwareSigning, options), errOut); errOut: CFReleaseSafe(options); @@ -4087,7 +3647,7 @@ SecPolicyRef SecPolicyCreateAppleUniqueDeviceCertificate(CFDataRef testRootHash) require(result = SecPolicyCreate(kSecPolicyAppleUniqueDeviceIdentifierCertificate, - kSecPolicyNameAppleUniqueDeviceCertificate, options), errOut); + kSecPolicyNameUniqueDeviceIdentifierCertificate, options), errOut); errOut: CFReleaseSafe(options); @@ -4110,7 +3670,7 @@ SecPolicyRef SecPolicyCreateAppleWarsaw(void) { SecPolicyAddBasicX509Options(options); /* Anchored to the Apple Roots. */ - require_quiet(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleWarsaw), + require_quiet(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameWarsaw), errOut); /* Exactly 3 certs in the chain */ @@ -4129,7 +3689,7 @@ SecPolicyRef SecPolicyCreateAppleWarsaw(void) { require(SecPolicyAddStrongKeySizeOptions(options), errOut); require(result = SecPolicyCreate(kSecPolicyAppleWarsaw, - kSecPolicyNameAppleWarsaw, options), errOut); + kSecPolicyNameWarsaw, options), errOut); errOut: CFReleaseSafe(options); @@ -4159,7 +3719,7 @@ SecPolicyRef SecPolicyCreateAppleSecureIOStaticAsset(void) { add_element(options, kSecPolicyCheckAnchorApple, appleAnchorOptions); CFReleaseSafe(appleAnchorOptions); #else - require_quiet(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameAppleSecureIOStaticAsset), + require_quiet(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameSecureIOStaticAsset), errOut); #endif 
@@ -4176,7 +3736,7 @@ SecPolicyRef SecPolicyCreateAppleSecureIOStaticAsset(void) { require(SecPolicyAddStrongKeySizeOptions(options), errOut); require(result = SecPolicyCreate(kSecPolicyAppleSecureIOStaticAsset, - kSecPolicyNameAppleSecureIOStaticAsset, options), errOut); + kSecPolicyNameSecureIOStaticAsset, options), errOut); errOut: CFReleaseSafe(options); @@ -4205,7 +3765,7 @@ SecPolicyRef SecPolicyCreateAppleAppTransportSecurity(void) { add_element(options, kSecPolicyCheckSignatureHashAlgorithms, disallowedHashes); require_quiet(result = SecPolicyCreate(kSecPolicyAppleAppTransportSecurity, - kSecPolicyNameAppleAppTransportSecurity, + kSecPolicyNameAppTransportSecurity, options), errOut); errOut: @@ -4273,8 +3833,6 @@ const uint8_t BAUserRootCA_SHA256[kSecPolicySHA256Size] = { SecPolicyRef SecPolicyCreateAppleBasicAttestationSystem(CFDataRef testRootHash) { CFMutableDictionaryRef options = NULL; - CFDictionaryRef keySizes = NULL; - CFNumberRef ecSize = NULL; SecPolicyRef result = NULL; require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, @@ -4293,19 +3851,15 @@ SecPolicyRef SecPolicyCreateAppleBasicAttestationSystem(CFDataRef testRootHash) require(SecPolicyAddChainLengthOptions(options, 3), errOut); require(result = SecPolicyCreate(kSecPolicyAppleBasicAttestationSystem, - kSecPolicyNameAppleBasicAttestationSystem, options), errOut); + kSecPolicyNameBasicAttestationSystem, options), errOut); errOut: CFReleaseSafe(options); - CFReleaseSafe(keySizes); - CFReleaseSafe(ecSize); return result; } SecPolicyRef SecPolicyCreateAppleBasicAttestationUser(CFDataRef testRootHash) { CFMutableDictionaryRef options = NULL; - CFDictionaryRef keySizes = NULL; - CFNumberRef ecSize = NULL; SecPolicyRef result = NULL; require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, 
@@ -4324,11 +3878,35 @@ SecPolicyRef SecPolicyCreateAppleBasicAttestationUser(CFDataRef testRootHash) { require(SecPolicyAddChainLengthOptions(options, 3), errOut); require(result = SecPolicyCreate(kSecPolicyAppleBasicAttestationUser, - kSecPolicyNameAppleBasicAttestationUser, options), errOut); + kSecPolicyNameBasicAttestationUser, options), errOut); + +errOut: + CFReleaseSafe(options); + return result; +} + +SecPolicyRef SecPolicyCreateDemoDigitalCatalogSigning(void) { + CFMutableDictionaryRef options = NULL; + SecPolicyRef result = NULL; + + require(options = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks), errOut); + SecPolicyAddBasicX509Options(options); + + /* Exactly 3 certs in the chain */ + require(SecPolicyAddChainLengthOptions(options, 3), errOut); + + /* Demo Signing Extension present in leaf */ + add_element(options, kSecPolicyCheckLeafMarkerOid, CFSTR("1.2.840.113635.100.6.60")); + + /* Issuer common name is "DemoUnit CA" */ + add_element(options, kSecPolicyCheckIssuerCommonName, CFSTR("DemoUnit CA")); + + require(result = SecPolicyCreate(kSecPolicyAppleDemoDigitalCatalog, + kSecPolicyNameDemoDigitalCatalog, options), errOut); errOut: CFReleaseSafe(options); - CFReleaseSafe(keySizes); - CFReleaseSafe(ecSize); return result; } diff --git a/OSX/sec/Security/SecPolicy.list b/OSX/sec/Security/SecPolicy.list new file mode 100644 index 00000000..3206ccfc --- /dev/null +++ b/OSX/sec/Security/SecPolicy.list 
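Review bot: The new `SecPolicyCreateDemoDigitalCatalogSigning` adds no anchor constraint and no key-size options. The only checks it sets are chain length 3, the leaf marker OID `1.2.840.113635.100.6.60` and the issuer common name `DemoUnit CA`, and the last two are values that whoever issues a chain can choose freely. Sibling policies in this file, such as `SecPolicyCreateAppleWarsaw` and `SecPolicyCreateAppleSoftwareSigning`, call `SecPolicyAddAppleAnchorOptions` and `SecPolicyAddStrongKeySizeOptions`. Unless `SecPolicyAddBasicX509Options` already covers this (its body is not in the hunk), I would add `require_quiet(SecPolicyAddAppleAnchorOptions(options, kSecPolicyNameDemoDigitalCatalog), errOut);` and `require(SecPolicyAddStrongKeySizeOptions(options), errOut);` before the `SecPolicyCreate` call. If the demo chain is meant to end at a non-Apple root, record that in the function instead, e.g. `/* Anchor is not pinned by this policy; callers must set the trusted anchors explicitly */`.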
@@ -0,0 +1,91 @@
+// Copyright (c) 2017 Apple Inc. All Rights Reserved.
+// This is the list of Policies. To add a new policy put it in this file with the POLICYMACRO defined.
+// Arguments for the POLICYMACRO in arg order are:
+// POLICYMACRO(NAME, OID, ISPUBLIC, INTNAME, IN_NAME, IN_PROPERTIES, FUNCTION)
+// NAME: the constant name. Will be kSecPolicyApple##NAME for the exported OID and kSecPolicyName##NAME for the private name
+// OID: element of policy OID arc
+// ISPUBLIC: P indicates that the kSecPolicyNameApple##NAME is exported,
+// I indicates that the kSecPolicyName##NAME is exported
+// INTNAME: The internal string value for kSecPolicyName##NAME
+// IN_NAME: N indicates that the corresponding function takes a name parameter
+// IN_PROPERTIES: Y indicates that the constant uses a macro for SecPolicyCreateWithProperties
+// FUNCTION: SecPolicyCreate##FUNCTION is the function call for this policy; used in exports and macro for SecPolicyCreateWithProperties
+
+
+POLICYMACRO(X509Basic, 2 , I, basicX509, , Y, BasicX509)
+POLICYMACRO(SSL, 3 , , ssl, , , SSL)
+POLICYMACRO(SMIME, 8 , I, SMIME, , , SMIME)
+POLICYMACRO(EAP, 9 , , eap, , , EAP)
+POLICYMACRO(SWUpdateSigning, 10, , AppleSWUpdateSigning, , Y, AppleSWUpdateSigning)
+POLICYMACRO(IPsec, 11, , ipsec, , , IPSec)
+POLICYMACRO(PKINITClient, 14, , pkinitClient, , , )
+POLICYMACRO(PKINITServer, 15, , pkinitServer, , , )
+POLICYMACRO(CodeSigning, 16, I, CodeSigning, , Y, CodeSigning)
+POLICYMACRO(PackageSigning, 17, , PackageSigning, , Y, ApplePackageSigning)
+POLICYMACRO(IDValidation, 18, , AppleIDAuthority, , Y, AppleIDAuthorityPolicy)
+POLICYMACRO(MacAppStoreReceipt, 19, , MacAppStoreReceipt, , , MacAppStoreReceipt)
+POLICYMACRO(TimeStamping, 20, I, AppleTimeStamping, , Y, AppleTimeStamping)
+POLICYMACRO(Revocation, 21, , revocation, , , Revocation)
+POLICYMACRO(PassbookSigning, 22, , ApplePassbook, , , PassbookCardSigner)
+POLICYMACRO(MobileStore, 23, , AppleMobileStore, , Y, MobileStoreSigner)
+POLICYMACRO(EscrowService, 24, , AppleEscrowService, , Y, EscrowServiceSigner)
+POLICYMACRO(ProfileSigner, 25, , AppleProfileSigner, , Y, ConfigurationProfileSigner)
+POLICYMACRO(QAProfileSigner, 26, , AppleQAProfileSigner, , Y, QAConfigurationProfileSigner)
+POLICYMACRO(TestMobileStore, 27, , AppleTestMobileStore, , Y, TestMobileStoreSigner)
+POLICYMACRO(OTAPKISigner, 28, , AppleOTAPKIAssetSigner, , Y, OTAPKISigner)
+POLICYMACRO(TestOTAPKISigner, 29, , AppleTestOTAPKIAssetSigner, , Y, TestOTAPKISigner)
+POLICYMACRO(IDValidationRecordSigning, 30, , AppleIDValidationRecordSigningPolicy, , Y, AppleIDValidationRecordSigningPolicy)
+POLICYMACRO(SMPEncryption, 31, , AppleSMPEncryption, , Y, AppleSMPEncryption)
+POLICYMACRO(TestSMPEncryption, 32, , AppleTestSMPEncryption, , Y, TestAppleSMPEncryption)
+POLICYMACRO(ServerAuthentication, 33, , AppleSSLService, N, Y, AppleSSLService)
+POLICYMACRO(PCSEscrowService, 34, , ApplePCSEscrowService, , Y, PCSEscrowServiceSigner)
+POLICYMACRO(PPQSigning, 35, , ApplePPQSigning, , Y, ApplePPQSigning)
+POLICYMACRO(TestPPQSigning, 36, , AppleTestPPQSigning, , Y, TestApplePPQSigning)
+POLICYMACRO(PayIssuerEncryption, 39, , ApplePayIssuerEncryption, , Y, ApplePayIssuerEncryption)
+POLICYMACRO(OSXProvisioningProfileSigning, 40, , AppleOSXProvisioningProfileSigning, , Y, OSXProvisioningProfileSigning)
+POLICYMACRO(ATVVPNProfileSigning, 41, , AppleATVVPNProfileSigning, , Y, AppleATVVPNProfileSigning)
+POLICYMACRO(AST2DiagnosticsServerAuth, 42, P, AST2, , , AppleAST2Service)
+POLICYMACRO(EscrowProxyServerAuth, 43, P, Escrow, , , AppleEscrowProxyService)
+POLICYMACRO(FMiPServerAuth, 44, P, FMiP, , , AppleFMiPService)
+POLICYMACRO(MMCService, 45, P, MMCS, , , AppleMMCSService)
+POLICYMACRO(GSService, 46, P, GS, , , AppleGSService)
+POLICYMACRO(PPQService, 47, P, PPQ, , , ApplePPQService)
+POLICYMACRO(HomeKitServerAuth, 48, P, HomeKit, N, Y, AppleHomeKitServerAuth)
+POLICYMACRO(iPhoneActivation, 49, , iPhoneActivation, , Y, iPhoneActivation)
+POLICYMACRO(iPhoneDeviceCertificate, 50, , iPhoneDeviceCertificate, , Y, iPhoneDeviceCertificate)
+POLICYMACRO(FactoryDeviceCertificate, 51, , FactoryDeviceCertificate, , Y, FactoryDeviceCertificate)
+POLICYMACRO(iAP, 52, , iAP, , Y, iAP)
+POLICYMACRO(iTunesStoreURLBag, 53, , iTunesStoreURLBag, , Y, iTunesStoreURLBag)
+POLICYMACRO(iPhoneApplicationSigning, 54, , iPhoneApplicationSigning, , Y, iPhoneApplicationSigning)
+POLICYMACRO(iPhoneProfileApplicationSigning, 55, , iPhoneProfileApplicationSigning, , Y, iPhoneProfileApplicationSigning)
+POLICYMACRO(iPhoneProvisioningProfileSigning, 56, , iPhoneProvisioningProfileSigning, , Y, iPhoneProvisioningProfileSigning)
+POLICYMACRO(LockdownPairing, 57, , LockdownPairing, , Y, LockdownPairing)
+POLICYMACRO(URLBag, 58, , URLBag, , Y, URLBag)
+POLICYMACRO(OTATasking, 59, , OTATasking, , Y, OTATasking)
+POLICYMACRO(MobileAsset, 60, , MobileAsset, , Y, MobileAsset)
+POLICYMACRO(IDAuthority, 61, , AppleIDAuthority, , Y, AppleIDAuthorityPolicy)
+POLICYMACRO(GenericApplePinned, 62, , Generic, , , ApplePinned)
+POLICYMACRO(GenericAppleSSLPinned, 63, , GenericSSL, , , AppleSSLPinned)
+POLICYMACRO(SoftwareSigning, 64, , SoftwareSigning, , Y, AppleSoftwareSigning)
+POLICYMACRO(ExternalDeveloper, 65, , Developer, , Y, AppleExternalDeveloper)
+POLICYMACRO(OCSPSigner, 66, I, OCSPSigner, , Y, OCSPSigner)
+POLICYMACRO(IDSService, 67, P, IDS, N, Y, AppleIDSService)
+POLICYMACRO(IDSServiceContext, 68, , IDS, , , AppleIDSServiceContext)
+POLICYMACRO(PushService, 69, P, APN, , , ApplePushService)
+POLICYMACRO(LegacyPushService, 70, , AppleLegacyPushService, N, Y, ApplePushServiceLegacy)
+POLICYMACRO(TVOSApplicationSigning, 71, , AppleTVApplicationSigning, , Y, AppleTVOSApplicationSigning)
+POLICYMACRO(UniqueDeviceIdentifierCertificate, 72, , UCRT, , , AppleUniqueDeviceCertificate)
+POLICYMACRO(EscrowProxyCompatibilityServerAuth, 73, , Escrow, N, Y, AppleCompatibilityEscrowProxyService)
+POLICYMACRO(MMCSCompatibilityServerAuth, 74, , MMCS, N, Y, AppleCompatibilityMMCSService)
+POLICYMACRO(SecureIOStaticAsset, 75, , SecureIOStaticAsset, , Y, AppleSecureIOStaticAsset)
+POLICYMACRO(Warsaw, 76, , Warsaw, , Y, AppleWarsaw)
+POLICYMACRO(iCloudSetupServerAuth, 77, P, iCloudSetup, , , AppleiCloudSetupService)
+POLICYMACRO(iCloudSetupCompatibilityServerAuth, 78, , iCloudSetup, N, Y, AppleCompatibilityiCloudSetupService)
+POLICYMACRO(AppTransportSecurity, 80, , ATS, , Y, AppleAppTransportSecurity)
+POLICYMACRO(MacOSProfileApplicationSigning, 81, , macOSProfileApplicationSigning, , Y, MacOSProfileApplicationSigning)
+POLICYMACRO(MobileSoftwareUpdate, 82, , MobileSoftwareUpdate, , Y, MobileSoftwareUpdate)
+POLICYMACRO(MobileAssetDevelopment, 83, , MobileAsset, , Y, MobileAssetDevelopment)
+POLICYMACRO(BasicAttestationSystem, 84, , BAA-SCRT, , , AppleBasicAttestationSystem)
+POLICYMACRO(BasicAttestationUser, 85, , BAA-UCRT, , , AppleBasicAttestationUser)
+POLICYMACRO(iPhoneVPNApplicationSigning, 86, , iPhoneVPNApplicationSigning, , Y, iPhoneVPNApplicationSigning)
+POLICYMACRO(DemoDigitalCatalog, 88, , DemoCatalog, , Y, DemoDigitalCatalogSigning)
diff --git a/OSX/sec/Security/SecPolicyChecks.list b/OSX/sec/Security/SecPolicyChecks.list
new file mode 100644
index 00000000..53553ca7
--- /dev/null
+++ b/OSX/sec/Security/SecPolicyChecks.list
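Review bot: Several rows give distinct policies the same INTNAME, and the header comment does not say whether that is allowed: `AppleIDAuthority` (IDValidation, IDAuthority), `IDS` (IDSService, IDSServiceContext), `Escrow`, `MMCS`, `iCloudSetup`, and `MobileAsset` (MobileAsset, MobileAssetDevelopment). The creation functions in SecPolicy.c pass `kSecPolicyName##NAME` to `SecPolicyAddAppleAnchorOptions` and `SecPolicyCreate`, so anything keyed on that string would presumably be unable to tell the production MobileAsset policy from the development one. If the sharing is intentional, say so in the header, e.g. `// INTNAME may repeat across rows; policies with the same INTNAME are indistinguishable by name`. The header also leaves the meaning of an empty ISPUBLIC or FUNCTION field (PKINITClient, PKINITServer) unstated.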
@@ -0,0 +1,95 @@
+// Copyright (c) 2017-2018 Apple Inc. All Rights Reserved.
+// This is the list of Policy Checks. To add a new policy check put it in this file with the POLICYCHECKMACRO defined.
+// Then define a new SEC_TRUST_ERROR string in SecFrameworkStrings.h
+// Arguments for the POLICYCHECKMACRO in arg order are:
+// POLICYCHECKMACRO(NAME, TRUSTRESULT, SUBTYPE, LEAFCHECK, PATHCHECK, LEAFONLY, CSSMERR, OSSTATUS)
+// NAME: the name of the check (both its constant name and string value)
+// TRUSTRESULT: the trust result this check should produce. R is Recoverable, F is Fatal, D is Deny
+// SUBTYPE: the type of failure.
+// N is a name failure, E is expiration, S is key size, H is weak hash, U is usage, P is pinning, V is revocation
+// T is trust, C is compliance, D is denied
+// LEAFCHECK: L for checks that happen in the leaf callbacks
+// PATHCHECK: A for checks that happen in the path callbacks
+// LEAFONLY: O for checks that are done in leaf-only trust evaluations
+// CSSMERR: The CSSM error status code for this error. The constant name of this status code follows in a comment.
+// OSSTATUS: the OSStatus to return for this error
+
+/********************************************************
+************** Unverified Leaf Checks ******************
+********************************************************/
+POLICYCHECKMACRO(SSLHostname, R, N, L, , O, 0x80012400, errSecHostNameMismatch) //CSSMERR_APPLETP_HOSTNAME_MISMATCH
+POLICYCHECKMACRO(Email, R, N, L, , O, 0x80012418, errSecSMIMEEmailAddressesNotFound) //CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND
+POLICYCHECKMACRO(TemporalValidity, R, E, L, A, O, 0x8001210A, errSecCertificateExpired) //CSSMERR_TP_CERT_EXPIRED
+POLICYCHECKMACRO(WeakKeySize, F, S, L, A, O, 0x80012115, errSecUnsupportedKeySize) //CSSMERR_TP_INVALID_CERTIFICATE
+POLICYCHECKMACRO(WeakSignature, R, H, L, A, O, 0x80010955, errSecInvalidDigestAlgorithm) //CSSMERR_CSP_INVALID_DIGEST_ALGORITHM
+POLICYCHECKMACRO(KeyUsage, R, U, L, , O, 0x80012406, errSecInvalidKeyUsageForPolicy) //CSSMERR_APPLETP_INVALID_KEY_USAGE
+POLICYCHECKMACRO(ExtendedKeyUsage, R, U, L, , O, 0x80012407, errSecInvalidExtendedKeyUsage) //CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE
+POLICYCHECKMACRO(SubjectCommonName, R, P, L, , O, 0x8001243B, errSecInvalidSubjectName) //CSSMERR_APPLETP_IDENTIFIER_MISSING
+POLICYCHECKMACRO(SubjectCommonNamePrefix, R, P, L, , O, 0x8001243B, errSecInvalidSubjectName) //CSSMERR_APPLETP_IDENTIFIER_MISSING
+POLICYCHECKMACRO(SubjectCommonNameTEST, R, P, L, , O, 0x8001243B, errSecInvalidSubjectName) //CSSMERR_APPLETP_IDENTIFIER_MISSING
+POLICYCHECKMACRO(SubjectOrganization, R, P, L, , O, 0x8001243B, errSecInvalidSubjectName) //CSSMERR_APPLETP_IDENTIFIER_MISSING
+POLICYCHECKMACRO(SubjectOrganizationalUnit, R, P, L, , O, 0x8001243B, errSecInvalidSubjectName) //CSSMERR_APPLETP_IDENTIFIER_MISSING
+POLICYCHECKMACRO(NotValidBefore, R, P, L, , O, 0x8001210B, errSecCertificateNotValidYet) //CSSMERR_TP_CERT_NOT_VALID_YET
+POLICYCHECKMACRO(EAPTrustedServerNames, R, N, L, , O, 0x80012400, errSecHostNameMismatch) //CSSMERR_APPLETP_HOSTNAME_MISMATCH
+POLICYCHECKMACRO(LeafMarkerOid, R, P, L, , O, 0x80012439, errSecMissingRequiredExtension) //CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION
+POLICYCHECKMACRO(LeafMarkerOidWithoutValueCheck, R, P, L, , O, 0x80012439, errSecMissingRequiredExtension) //CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION
+POLICYCHECKMACRO(LeafMarkersProdAndQA, R, P, L, , O, 0x80012439, errSecMissingRequiredExtension) //CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION
+POLICYCHECKMACRO(BlackListedLeaf, F, V, L, , , 0x8001210C, errSecCertificateRevoked) //CSSMERR_TP_CERT_REVOKED
+POLICYCHECKMACRO(GrayListedLeaf, R, T, L, , , 0x8001212A, errSecNotTrusted) //CSSMERR_TP_NOT_TRUSTED
+
+/********************************************************
+*********** Unverified Intermediate Checks *************
+********************************************************/
+POLICYCHECKMACRO(IssuerCommonName, R, P, , A, , 0x8001243B, errSecInvalidSubjectName) //CSSMERR_APPLETP_IDENTIFIER_MISSING
+POLICYCHECKMACRO(BasicConstraints, R, C, , A, , 0x80012402, errSecNoBasicConstraints) //CSSMERR_APPLETP_NO_BASIC_CONSTRAINTS
+POLICYCHECKMACRO(BasicConstraintsCA, R, C, , , , 0x80012403, errSecNoBasicConstraintsCA) //CSSMERR_APPLETP_INVALID_CA
+POLICYCHECKMACRO(BasicConstraintsPathLen, R, C, , , , 0x80012409, errSecPathLengthConstraintExceeded) //CSSMERR_APPLETP_PATH_LEN_CONSTRAINT
+POLICYCHECKMACRO(IntermediateSPKISHA256, R, P, , A, , 0x8001243B, errSecPublicKeyInconsistent) //CSSMERR_APPLETP_IDENTIFIER_MISSING
+POLICYCHECKMACRO(IntermediateEKU, R, P, , A, , 0x80012407, errSecInvalidExtendedKeyUsage) //CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE
+POLICYCHECKMACRO(IntermediateMarkerOid, R, P, , A, , 0x80012439, errSecMissingRequiredExtension) //CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION
+POLICYCHECKMACRO(IntermediateOrganization, R, P, , A, , 0x8001243B, errSecInvalidSubjectName) //CSSMERR_APPLETP_IDENTIFIER_MISSING
+POLICYCHECKMACRO(IntermediateCountry, R, P, , A, , 0x8001243B, errSecInvalidSubjectName) //CSSMERR_APPLETP_IDENTIFIER_MISSING
+
+/********************************************************
+************** Unverified Anchor Checks ****************
+********************************************************/
+POLICYCHECKMACRO(AnchorSHA1, R, P, , A, , 0x8001243C, errSecInvalidRoot) //CSSMERR_APPLETP_CA_PIN_MISMATCH
+POLICYCHECKMACRO(AnchorSHA256, R, P, , A, , 0x8001243C, errSecInvalidRoot) //CSSMERR_APPLETP_CA_PIN_MISMATCH
+POLICYCHECKMACRO(AnchorTrusted, R, T, , , , 0x8001212A, errSecNotTrusted) //CSSMERR_TP_NOT_TRUSTED
+POLICYCHECKMACRO(MissingIntermediate, R, T, , , , 0x8001212A, errSecCreateChainFailed) //CSSMERR_TP_NOT_TRUSTED
+POLICYCHECKMACRO(AnchorApple, R, P, , A, , 0x8001243C, errSecInvalidRoot) //CSSMERR_APPLETP_CA_PIN_MISMATCH
+
+/********************************************************
+*********** Unverified Certificate Checks **************
+********************************************************/
+POLICYCHECKMACRO(NonEmptySubject, R, C, , A, O, 0x80012437, errSecInvalidSubjectName) //CSSMERR_APPLETP_INVALID_EMPTY_SUBJECT
+POLICYCHECKMACRO(IdLinkage, R, C, , A, , 0x80012404, errSecInvalidIDLinkage) //CSSMERR_APPLETP_INVALID_AUTHORITY_ID
+POLICYCHECKMACRO(KeySize, R, P, , A, O, 0x80010918, errSecUnsupportedKeySize) //CSSMERR_CSP_UNSUPPORTED_KEY_SIZE
+POLICYCHECKMACRO(SignatureHashAlgorithms, R, P, , A, O, 0x80010913, errSecInvalidDigestAlgorithm) //CSSMERR_CSP_ALGID_MISMATCH
+POLICYCHECKMACRO(CertificatePolicy, R, P, , A, O, 0x80012439, errSecInvalidPolicyIdentifiers) //CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION
+POLICYCHECKMACRO(ValidRoot, R, E, , , , 0x8001210A, errSecCertificateExpired) //CSSMERR_TP_CERT_EXPIRED
+
+/********************************************************
+**************** Verified Path Checks ******************
+********************************************************/
+POLICYCHECKMACRO(CriticalExtensions, R, C, , A, O, 0x80012401, errSecUnknownCriticalExtensionFlag) //CSSMERR_APPLETP_UNKNOWN_CRITICAL_EXTEN
+POLICYCHECKMACRO(ChainLength, R, P, , A, , 0x80012409, errSecPathLengthConstraintExceeded) //CSSMERR_APPLETP_PATH_LEN_CONSTRAINT
+POLICYCHECKMACRO(BasicCertificateProcessing, R, C, , A, , 0x80012115, errSecInvalidCertificateRef) //CSSMERR_TP_INVALID_CERTIFICATE
+POLICYCHECKMACRO(NameConstraints, R, C, , , , 0x80012115, errSecInvalidName) //CSSMERR_TP_INVALID_CERTIFICATE
+POLICYCHECKMACRO(PolicyConstraints, R, C, , , , 0x80012115, errSecInvalidPolicyIdentifiers) //CSSMERR_TP_INVALID_CERTIFICATE
+POLICYCHECKMACRO(GrayListedKey, R, T, , , , 0x8001212A, errSecNotTrusted) //CSSMERR_TP_NOT_TRUSTED
+POLICYCHECKMACRO(BlackListedKey, F, V, , , , 0x8001210C, errSecCertificateRevoked) //CSSMERR_TP_CERT_REVOKED
+POLICYCHECKMACRO(UsageConstraints, D, D, , , , 0x80012436, errSecTrustSettingDeny) //CSSMERR_APPLETP_TRUST_SETTING_DENY
+POLICYCHECKMACRO(SystemTrustedWeakHash, R, C, , A, , 0x80010955, errSecInvalidDigestAlgorithm) //CSSMERR_CSP_INVALID_DIGEST_ALGORITHM
+POLICYCHECKMACRO(SystemTrustedWeakKey, R, C, , A, , 0x80010918, errSecUnsupportedKeySize) //CSSMERR_CSP_UNSUPPORTED_KEY_SIZE
+POLICYCHECKMACRO(PinningRequired, R, P, L, , , 0x8001243C, errSecInvalidRoot) //CSSMERR_APPLETP_CA_PIN_MISMATCH
+POLICYCHECKMACRO(Revocation, F, V, L, , , 0x8001210C, errSecCertificateRevoked) //CSSMERR_TP_CERT_REVOKED
+POLICYCHECKMACRO(RevocationResponseRequired, R, P, L, , , 0x80012423, errSecIncompleteCertRevocationCheck) //CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK
+POLICYCHECKMACRO(CTRequired, R, T, , , , 0x8001212A, errSecNotTrusted) //CSSMERR_TP_NOT_TRUSTED
+
+/********************************************************
+******************* Feature Toggles *********************
+********************************************************/
+POLICYCHECKMACRO(NoNetworkAccess, , , L, , , , errSecInternal)
+POLICYCHECKMACRO(ExtendedValidation, , , , , , , errSecInternal)
+POLICYCHECKMACRO(RevocationOnline, , , L, , , , errSecInternal)
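Review bot: The three feature-toggle rows (`NoNetworkAccess`, `ExtendedValidation`, `RevocationOnline`) leave TRUSTRESULT, SUBTYPE and CSSMERR empty, and the header comment never defines what an empty field means. From this file alone a reader cannot tell which trust result applies if one of these keys is ever reported as a failure, or whether every expansion of `POLICYCHECKMACRO` tolerates an empty CSSMERR argument. If the intent is that these rows never fail, state it above the section, e.g. `// Feature toggles only configure the evaluation; empty TRUSTRESULT/SUBTYPE/CSSMERR mean the row is never reported as a failure`. Separately, `WeakKeySize` maps to 0x80012115 (CSSMERR_TP_INVALID_CERTIFICATE) while `KeySize` and `SystemTrustedWeakKey` use 0x80010918 for the same `errSecUnsupportedKeySize`, which deserves a one-line comment explaining the difference.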
diff --git a/OSX/sec/Security/SecPolicyInternal.h b/OSX/sec/Security/SecPolicyInternal.h index 8285054c..6f6c4635 100644 --- a/OSX/sec/Security/SecPolicyInternal.h +++ b/OSX/sec/Security/SecPolicyInternal.h @@ -30,9 +30,10 @@ #ifndef _SECURITY_SECPOLICYINTERNAL_H_ #define _SECURITY_SECPOLICYINTERNAL_H_ +#include + #include #include -#include #include #include #include 
@@ -49,152 +50,15 @@ struct __SecPolicy { CFDictionaryRef _options; }; -/*! - @enum Policy Check Keys - @discussion Keys that represent various checks that can be done in a trust - policy. - @constant kSecPolicyCheckCriticalExtensions Ensure that no certificate in the chain has any critical extensions that we do not understand. - @constant kSecPolicyCheckIdLinkage Check that all the certificates in the chain that have a SubjectId, match the AuthorityId of the certificate they sign. This check is optional, in that if either certificate is missing the required extension the check succeeds. - @constant kSecPolicyCheckBasicConstraints Fails if the basic constraints for the certificate chain are not met, this allows for basic constraints to be non critical and doesn't require every CA certificate to have a basic constraints extension, and allows for leaf certificates to have basic constraints extensions. - @constant kSecPolicyCheckExtendedKeyUsage @@@ - @constant kSecPolicyCheckIdLinkage Fails if the AuthorityKeyID -> SubjectKeyID chaining isn't right. - @constant kSecPolicyCheckKeyUsage @@@ - @constant kSecPolicyCheckWeakIntermediates Fails if any certificates in the chain (other than the leaf and root) have a too small key size. - @constant kSecPolicyCheckWeakLeaf Fails if the leaf has a too small key size. - @constant kSecPolicyCheckWeakRoot Fails if the root has a too small key size. - @constant kSecPolicyCheckKeySize Fails if any certificates in the chain have key size smaller than the policy allows. - @constant kSecPolicyCheckSignatureHashAlgorithms Fails if any certificates in the chain use a hash algorithm disallowed by the policy. - @constant kSecPolicyCheckNonEmptySubject Perform the following check: RFC 3280, 4.1.2.6, says that an empty subject name can only appear in a leaf cert, and only if subjectAltName is present and marked critical. 
- @constant kSecPolicyCheckQualifiedCertStatements Perform the following check: RFC 3739: if this cert has a Qualified Cert Statements extension, and it's Critical, make sure we understand all of the extension's statementIds. - @constant kSecPolicyCheckValidIntermediates Fails if any certificates in the chain are not valid at the verify time other than the leaf and the root. - @constant kSecPolicyCheckValidLeaf Fails if the leaf certificate is not valid at the verify time. - @constant kSecPolicyCheckValidRoot Fails if the root certificate is not valid at the verify time. - @constant kSecPolicyCheckAnchorTrusted @@@. - @constant kSecPolicyCheckAnchorSHA1 @@@. - @constant kSecPolicyCheckAnchorSHA256 @@@. - @constant kSecPolicyCheckAnchorApple @@@. - @constant kSecPolicyCheckSSLHostname @@@. - @constant kSecPolicyCheckEmail @@@. - @constant kSecPolicyCheckIssuerCommonName @@@. - @constant kSecPolicyCheckSubjectCommonNamePrefix @@@. - @constant kSecPolicyCheckChainLength @@@. - @constant kSecPolicyCheckNotValidBefore @@@. - @constant kSecPolicyCheckEAPTrustedServerNames @@@. - @constant kSecPolicyCheckBasicCertificateProcessing @@@. - @constant kSecPolicyCheckExtendedValidation @@@. - @constant kSecPolicyCheckRevocation Perform a revocation check. - @constant kSecPolicyCheckRevocationResponseRequired Require positive response for revocation check. Use of thise constant indicates that the policy should "fail closed" in case of missing revocation information. - @constant kSecPolicyCheckRevocationOCSP Use OCSP to perform revocation check. - @constant kSecPolicyCheckRevocationCRL Use CRL to perform revocation check. - @constant kSecPolicyCheckRevocationAny Use any available method (OCSP or CRL) to perform revocation check. - @constant kSecPolicyCheckRevocationOnline Force an "online" OCSP check. - @constant kSecPolicyCheckNoNetworkAccess @@@. - @constant kSecPolicyCheckBlackListedLeaf @@@. - @constant kSecPolicyCheckUsageConstraints @@@. 
- @constant kSecPolicyCheckSystemTrustedWeakHash Check whether the leaf or intermediates are using a weak hash in chains that end with a system-trusted anchor. - @constant kSecPolicyCheckSystemTrustedWeakKey Check whether the leaf or intermediates are using a weak key in chains that end with a system-trusted anchor. - @constant kSecPolicyCheckIntermediateOrganization Fails if any (non-leaf and non-root) certificates in the chain do not have a matching Organization string. - @constant kSecPolicyCheckIntermediateCountry Fails if any (non-leaf and non-root) certificates in the chain do not have a matching Country string. - @constant kSecPolicyCheckPinningRequired Fails if the binary Info plist required pinning but no pinning policies were used. -*/ -extern const CFStringRef kSecPolicyCheckBasicConstraints; -extern const CFStringRef kSecPolicyCheckCriticalExtensions; -extern const CFStringRef kSecPolicyCheckExtendedKeyUsage; -extern const CFStringRef kSecPolicyCheckIdLinkage; -extern const CFStringRef kSecPolicyCheckWeakIntermediates; -extern const CFStringRef kSecPolicyCheckWeakLeaf; -extern const CFStringRef kSecPolicyCheckWeakRoot; -extern const CFStringRef kSecPolicyCheckKeySize; -extern const CFStringRef kSecPolicyCheckSignatureHashAlgorithms; -extern const CFStringRef kSecPolicyCheckKeyUsage; -extern const CFStringRef kSecPolicyCheckNonEmptySubject; -extern const CFStringRef kSecPolicyCheckQualifiedCertStatements; -extern const CFStringRef kSecPolicyCheckValidIntermediates; -extern const CFStringRef kSecPolicyCheckValidLeaf; -extern const CFStringRef kSecPolicyCheckValidRoot; -extern const CFStringRef kSecPolicyCheckAnchorTrusted; -extern const CFStringRef kSecPolicyCheckAnchorSHA1; -extern const CFStringRef kSecPolicyCheckAnchorSHA256; -extern const CFStringRef kSecPolicyCheckAnchorApple; -extern const CFStringRef kSecPolicyCheckSSLHostname; -extern const CFStringRef kSecPolicyCheckEmail; -extern const CFStringRef kSecPolicyCheckIssuerCommonName; -extern const 
CFStringRef kSecPolicyCheckSubjectCommonName; -extern const CFStringRef kSecPolicyCheckSubjectCommonNameTEST; -extern const CFStringRef kSecPolicyCheckSubjectOrganization; -extern const CFStringRef kSecPolicyCheckSubjectOrganizationalUnit; -extern const CFStringRef kSecPolicyCheckSubjectCommonNamePrefix; -extern const CFStringRef kSecPolicyCheckChainLength; -extern const CFStringRef kSecPolicyCheckNotValidBefore; -extern const CFStringRef kSecPolicyCheckEAPTrustedServerNames; -extern const CFStringRef kSecPolicyCheckCertificatePolicy; -extern const CFStringRef kSecPolicyCheckBasicCertificateProcessing; -extern const CFStringRef kSecPolicyCheckExtendedValidation; -extern const CFStringRef kSecPolicyCheckRevocation; -extern const CFStringRef kSecPolicyCheckRevocationResponseRequired; -extern const CFStringRef kSecPolicyCheckRevocationOCSP; -extern const CFStringRef kSecPolicyCheckRevocationCRL; -extern const CFStringRef kSecPolicyCheckRevocationAny; -extern const CFStringRef kSecPolicyCheckRevocationOnline; -extern const CFStringRef kSecPolicyCheckNoNetworkAccess; -extern const CFStringRef kSecPolicyCheckBlackListedLeaf; -extern const CFStringRef kSecPolicyCheckBlackListedKey; -extern const CFStringRef kSecPolicyCheckGrayListedLeaf; -extern const CFStringRef kSecPolicyCheckLeafMarkerOid; -extern const CFStringRef kSecPolicyCheckLeafMarkerOidWithoutValueCheck; -extern const CFStringRef kSecPolicyCheckLeafMarkersProdAndQA; -extern const CFStringRef kSecPolicyCheckIntermediateMarkerOid; -extern const CFStringRef kSecPolicyCheckIntermediateSPKISHA256; -extern const CFStringRef kSecPolicyCheckIntermediateEKU; -extern const CFStringRef kSecPolicyCheckGrayListedKey; -extern const CFStringRef kSecPolicyCheckCertificateTransparency; -extern const CFStringRef kSecPolicyCheckUsageConstraints; -extern const CFStringRef kSecPolicyCheckSystemTrustedWeakHash; -extern const CFStringRef kSecPolicyCheckSystemTrustedWeakKey; -extern const CFStringRef 
kSecPolicyCheckIntermediateOrganization; -extern const CFStringRef kSecPolicyCheckIntermediateCountry; -extern const CFStringRef kSecPolicyCheckPinningRequired; - -/* Special option for checking Apple Anchors */ -extern const CFStringRef kSecPolicyAppleAnchorIncludeTestRoots; - -/* Special option for checking Prod and QA Markers */ -extern const CFStringRef kSecPolicyLeafMarkerProd; -extern const CFStringRef kSecPolicyLeafMarkerQA; - SecPolicyRef SecPolicyCreate(CFStringRef oid, CFStringRef name, CFDictionaryRef options); CFDictionaryRef SecPolicyGetOptions(SecPolicyRef policy); -void SecPolicySetOptionsValue(SecPolicyRef policy, CFStringRef key, CFTypeRef value); -void SecPolicySetName(SecPolicyRef policy, CFStringRef policyName); xpc_object_t SecPolicyArrayCopyXPCArray(CFArrayRef policies, CFErrorRef *error); -CFArrayRef SecPolicyXPCArrayCopyArray(xpc_object_t xpc_policies, CFErrorRef *error); CFArrayRef SecPolicyArrayCreateDeserialized(CFArrayRef serializedPolicies); CFArrayRef SecPolicyArrayCreateSerialized(CFArrayRef policies); -/* - * MARK: SecPolicyCheckCert functions - */ -bool SecPolicyCheckCertKeyUsage(SecCertificateRef cert, CFTypeRef pvcValue); -bool SecPolicyCheckCertExtendedKeyUsage(SecCertificateRef cert, CFTypeRef pvcValue); -bool SecPolicyCheckCertNonEmptySubject(SecCertificateRef cert, CFTypeRef pvcValue); -bool SecPolicyCheckCertSSLHostname(SecCertificateRef cert, CFTypeRef pvcValue); -bool SecPolicyCheckCertEmail(SecCertificateRef cert, CFTypeRef pvcValue); -bool SecPolicyCheckCertSubjectCommonNamePrefix(SecCertificateRef cert, CFTypeRef pvcValue); -bool SecPolicyCheckCertSubjectCommonName(SecCertificateRef cert, CFTypeRef pvcValue); -bool SecPolicyCheckCertSubjectCommonNameTEST(SecCertificateRef cert, CFTypeRef pvcValue); -bool SecPolicyCheckCertNotValidBefore(SecCertificateRef cert, CFTypeRef pvcValue); -bool SecPolicyCheckCertSubjectOrganization(SecCertificateRef cert, CFTypeRef pvcValue); -bool 
SecPolicyCheckCertSubjectOrganizationalUnit(SecCertificateRef cert, CFTypeRef pvcValue); -bool SecPolicyCheckCertEAPTrustedServerNames(SecCertificateRef cert, CFTypeRef pvcValue); -bool SecPolicyCheckCertLeafMarkerOid(SecCertificateRef cert, CFTypeRef pvcValue); -bool SecPolicyCheckCertLeafMarkerOidWithoutValueCheck(SecCertificateRef cert, CFTypeRef pvcValue); -bool SecPolicyCheckCertSignatureHashAlgorithms(SecCertificateRef cert, CFTypeRef pvcValue); -bool SecPolicyCheckCertSubjectCountry(SecCertificateRef cert, CFTypeRef pvcValue); - - /* * MARK: SecLeafPVC functions */ diff --git a/OSX/sec/Security/SecPolicyLeafCallbacks.c b/OSX/sec/Security/SecPolicyLeafCallbacks.c index c8c4f6d7..bad7f8ca 100644 --- a/OSX/sec/Security/SecPolicyLeafCallbacks.c +++ b/OSX/sec/Security/SecPolicyLeafCallbacks.c @@ -27,12 +27,14 @@ #include #include +#include #include #include #include +#include #include #include -#include +#include /* * MARK: SecPolicyCheckCert Functions @@ -44,7 +46,7 @@ typedef bool (*SecPolicyCheckCertFunction)(SecCertificateRef cert, CFTypeRef pvc /* This one is different from SecPolicyCheckCriticalExtensions because that one is an empty stub. The CriticalExtensions check is done in SecPolicyCheckBasicCertificateProcessing. */ -static bool SecPolicyCheckCertCriticalExtensions(SecCertificateRef cert, CFTypeRef __unused pvcValue) { +bool SecPolicyCheckCertCriticalExtensions(SecCertificateRef cert, CFTypeRef __unused pvcValue) { if (SecCertificateHasUnknownCriticalExtension(cert)) { /* Certificate contains one or more unknown critical extensions. */ return false; 
@@ -152,14 +154,6 @@ bool SecPolicyCheckCertNonEmptySubject(SecCertificateRef cert, CFTypeRef __unuse return true; } - -/* This one is different from SecPolicyCheckQualifiedCertStatements because - both are empty stubs. */ -static bool SecPolicyCheckCertQualifiedCertStatements(SecCertificateRef __unused cert, - CFTypeRef __unused pvcValue) { - return true; -} - /* We have a wildcard reference identifier that looks like "*." followed by 2 or more labels. Use CFNetwork's function for determining if those labels comprise a top-level domain. We need to dlopen since CFNetwork is a client of ours. */ @@ -345,7 +339,7 @@ bool SecPolicyCheckCertEmail(SecCertificateRef cert, CFTypeRef pvcValue) { return match; } -static bool SecPolicyCheckCertValidLeaf(SecCertificateRef cert, CFTypeRef pvcValue) { +bool SecPolicyCheckCertTemporalValidity(SecCertificateRef cert, CFTypeRef pvcValue) { CFAbsoluteTime verifyTime = CFDateGetAbsoluteTime(pvcValue); if (!SecCertificateIsValid(cert, verifyTime)) { /* Leaf certificate has expired. */ @@ -557,6 +551,22 @@ bool SecPolicyCheckCertLeafMarkerOidWithoutValueCheck(SecCertificateRef cert, return false; } +/* + * The value is a dictionary. The dictionary contains keys indicating + * whether the value is for Prod or QA. The values are the same as + * in the options dictionary for SecPolicyCheckLeafMarkerOid. + */ +bool SecPolicyCheckCertLeafMarkersProdAndQA(SecCertificateRef cert, CFTypeRef pvcValue) +{ + CFTypeRef prodValue = CFDictionaryGetValue(pvcValue, kSecPolicyLeafMarkerProd); + + if (!SecPolicyCheckCertLeafMarkerOid(cert, prodValue)) { + bool result = false; + return result; + } + return true; +} + static CFSetRef copyCertificatePolicies(SecCertificateRef cert) { CFMutableSetRef policies = NULL; policies = CFSetCreateMutable(NULL, 0, &kCFTypeSetCallBacks); 
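Review bot: SecPolicyCheckCertLeafMarkersProdAndQA reads only `kSecPolicyLeafMarkerProd` from the dictionary, while the comment above it describes keys for both Prod and QA. If ignoring the QA entry in this leaf-only check is deliberate, the comment should say so, e.g. `/* Only the Prod marker is checked here; the QA entry is ignored. */`. `pvcValue` is also handed to `CFDictionaryGetValue` without a type check, so a guard such as `if (!pvcValue || CFGetTypeID(pvcValue) != CFDictionaryGetTypeID()) return false;` would keep a malformed option value from reaching it. The `bool result = false; return result;` pair can simply be `return false;`.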
@@ -586,7 +596,7 @@ static bool checkPolicyOidData(SecCertificateRef cert , CFDataRef oid) { /* This one is different from SecPolicyCheckCertificatePolicyOid because that one checks the whole chain. (And uses policy_set_t...) */ -static bool SecPolicyCheckCertCertificatePolicyOid(SecCertificateRef cert, CFTypeRef pvcValue) { +bool SecPolicyCheckCertCertificatePolicy(SecCertificateRef cert, CFTypeRef pvcValue) { CFTypeRef value = pvcValue; bool result = false; @@ -603,7 +613,7 @@ static bool SecPolicyCheckCertCertificatePolicyOid(SecCertificateRef cert, CFTyp return result; } -static bool SecPolicyCheckCertWeak(SecCertificateRef cert, CFTypeRef __unused pvcValue) { +bool SecPolicyCheckCertWeakKeySize(SecCertificateRef cert, CFTypeRef __unused pvcValue) { if (cert && SecCertificateIsWeakKey(cert)) { /* Leaf certificate has a weak key. */ return false; @@ -611,7 +621,7 @@ static bool SecPolicyCheckCertWeak(SecCertificateRef cert, CFTypeRef __unused pv return true; } -static bool SecPolicyCheckCertKeySize(SecCertificateRef cert, CFTypeRef pvcValue) { +bool SecPolicyCheckCertKeySize(SecCertificateRef cert, CFTypeRef pvcValue) { CFDictionaryRef keySizes = pvcValue; if (!SecCertificateIsAtLeastMinKeySize(cert, keySizes)) { return false; 
@@ -619,6 +629,22 @@ static bool SecPolicyCheckCertKeySize(SecCertificateRef cert, CFTypeRef pvcValue return true; } +bool SecPolicyCheckCertWeakSignature(SecCertificateRef cert, CFTypeRef __unused pvcValue) { + bool result = true; + CFMutableSetRef disallowedHashes = CFSetCreateMutable(NULL, 3, &kCFTypeSetCallBacks); + if (!disallowedHashes) { + return result; + } + CFSetAddValue(disallowedHashes, kSecSignatureDigestAlgorithmMD2); + CFSetAddValue(disallowedHashes, kSecSignatureDigestAlgorithmMD4); + CFSetAddValue(disallowedHashes, kSecSignatureDigestAlgorithmMD5); + if (!SecPolicyCheckCertSignatureHashAlgorithms(cert, disallowedHashes)) { + result = false; + } + CFReleaseSafe(disallowedHashes); + return result; +} + static CFStringRef convertSignatureHashAlgorithm(SecSignatureHashAlgorithm algorithmEnum) { const void *digests[] = { kSecSignatureDigestAlgorithmUnknown, kSecSignatureDigestAlgorithmMD2, 
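Review bot: SecPolicyCheckCertWeakSignature fails open: when `CFSetCreateMutable` returns NULL the function returns `result`, which is still `true`, so the certificate is reported as passing the weak-signature check without any hash being examined. A check that cannot run should reject instead, `if (!disallowedHashes) { return false; }`. The set holds the same three constants on every call, so it could also be built once rather than per certificate.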
@@ -649,69 +675,15 @@ static CFDictionaryRef SecLeafPVCCopyCallbacks(void) { CFMutableDictionaryRef leafCallbacks = NULL; leafCallbacks = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, NULL); - CFDictionaryAddValue(leafCallbacks, - kSecPolicyCheckCriticalExtensions, - SecPolicyCheckCertCriticalExtensions); - CFDictionaryAddValue(leafCallbacks, - kSecPolicyCheckKeyUsage, - SecPolicyCheckCertKeyUsage); - CFDictionaryAddValue(leafCallbacks, - kSecPolicyCheckExtendedKeyUsage, - SecPolicyCheckCertExtendedKeyUsage); - CFDictionaryAddValue(leafCallbacks, - kSecPolicyCheckNonEmptySubject, - SecPolicyCheckCertNonEmptySubject); - CFDictionaryAddValue(leafCallbacks, - kSecPolicyCheckQualifiedCertStatements, - SecPolicyCheckCertQualifiedCertStatements); - CFDictionaryAddValue(leafCallbacks, - kSecPolicyCheckSSLHostname, - SecPolicyCheckCertSSLHostname); - CFDictionaryAddValue(leafCallbacks, - kSecPolicyCheckEmail, - SecPolicyCheckCertEmail); - CFDictionaryAddValue(leafCallbacks, - kSecPolicyCheckValidLeaf, - SecPolicyCheckCertValidLeaf); - CFDictionaryAddValue(leafCallbacks, - kSecPolicyCheckSubjectCommonNamePrefix, - SecPolicyCheckCertSubjectCommonNamePrefix); - CFDictionaryAddValue(leafCallbacks, - kSecPolicyCheckSubjectCommonName, - SecPolicyCheckCertSubjectCommonName); - CFDictionaryAddValue(leafCallbacks, - kSecPolicyCheckNotValidBefore, - SecPolicyCheckCertNotValidBefore); - CFDictionaryAddValue(leafCallbacks, - kSecPolicyCheckSubjectOrganization, - SecPolicyCheckCertSubjectOrganization); - CFDictionaryAddValue(leafCallbacks, - kSecPolicyCheckSubjectOrganizationalUnit, - SecPolicyCheckCertSubjectOrganizationalUnit); - CFDictionaryAddValue(leafCallbacks, - kSecPolicyCheckEAPTrustedServerNames, - SecPolicyCheckCertEAPTrustedServerNames); - CFDictionaryAddValue(leafCallbacks, - kSecPolicyCheckSubjectCommonNameTEST, - SecPolicyCheckCertSubjectCommonNameTEST); - CFDictionaryAddValue(leafCallbacks, - kSecPolicyCheckLeafMarkerOid, - 
SecPolicyCheckCertLeafMarkerOid); - CFDictionaryAddValue(leafCallbacks, - kSecPolicyCheckLeafMarkerOidWithoutValueCheck, - SecPolicyCheckCertLeafMarkerOidWithoutValueCheck); - CFDictionaryAddValue(leafCallbacks, - kSecPolicyCheckCertificatePolicy, - SecPolicyCheckCertCertificatePolicyOid); - CFDictionaryAddValue(leafCallbacks, - kSecPolicyCheckWeakLeaf, - SecPolicyCheckCertWeak); - CFDictionaryAddValue(leafCallbacks, - kSecPolicyCheckKeySize, - SecPolicyCheckCertKeySize); - CFDictionaryAddValue(leafCallbacks, - kSecPolicyCheckSignatureHashAlgorithms, - SecPolicyCheckCertSignatureHashAlgorithms); + +#undef POLICYCHECKMACRO +#define __PC_ADD_CHECK_(NAME) +#define __PC_ADD_CHECK_O(NAME) CFDictionaryAddValue(leafCallbacks, \ +kSecPolicyCheck##NAME, SecPolicyCheckCert##NAME); + +#define POLICYCHECKMACRO(NAME, TRUSTRESULT, SUBTYPE, LEAFCHECK, PATHCHECK, LEAFONLY, CSSMERR, OSSTATUS) \ +__PC_ADD_CHECK_##LEAFONLY(NAME) +#include "SecPolicyChecks.list" return leafCallbacks; } @@ -797,8 +769,8 @@ static void SecLeafPVCValidateKey(const void *key, const void *value, return; } - /* kSecPolicyCheckValidLeaf is special */ - if (CFEqual(key, kSecPolicyCheckValidLeaf)) { + /* kSecPolicyCheckTemporalValidity is special */ + if (CFEqual(key, kSecPolicyCheckTemporalValidity)) { CFDateRef verifyDate = CFDateCreate(NULL, pvc->verifyTime); if(!fcn(pvc->leaf, verifyDate)) { SecLeafPVCSetResult(pvc, key, 0, kCFBooleanFalse); diff --git a/OSX/sec/Security/SecRecoveryKey.m b/OSX/sec/Security/SecRecoveryKey.m index 261800e6..cf47781b 100644 --- a/OSX/sec/Security/SecRecoveryKey.m +++ b/OSX/sec/Security/SecRecoveryKey.m @@ -125,7 +125,7 @@ SecRKCreateRecoveryKeyWithError(NSString *masterKey, NSError **error) return NULL; } - return (__bridge SecRecoveryKey *)rk; + return (SecRecoveryKey *) CFBridgingRelease(rk); } static CFDataRef diff --git a/OSX/sec/Security/SecSCEP.c b/OSX/sec/Security/SecSCEP.c index d436bbc5..05ab7634 100644 --- a/OSX/sec/Security/SecSCEP.c 
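Review bot: The helper macros `__PC_ADD_CHECK_` and `__PC_ADD_CHECK_O` added to SecLeafPVCCopyCallbacks use identifiers containing a double underscore, which C reserves for the implementation, and they and `POLICYCHECKMACRO` stay defined for the rest of the file after the `#include`. Names such as `PC_ADD_CHECK_` and `PC_ADD_CHECK_O`, followed by `#undef` lines after the include, would keep the expansion local. A short comment is also worth adding, e.g. `/* Registers SecPolicyCheckCert##NAME for every SecPolicyChecks.list row whose LEAFONLY column is O. */`, since the table is not visible from this function.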
+++ b/OSX/sec/Security/SecSCEP.c @@ -246,7 +246,7 @@ out: CFDataRef SecSCEPGenerateCertificateRequest(CFArrayRef subject, CFDictionaryRef parameters, - SecKeyRef publicKey, SecKeyRef privateKey, + SecKeyRef __unused publicKey, SecKeyRef privateKey, SecIdentityRef signer, CFTypeRef recipients) { CFDataRef csr = NULL; @@ -257,6 +257,8 @@ SecSCEPGenerateCertificateRequest(CFArrayRef subject, CFDictionaryRef parameters SecCertificateRef recipient = NULL; CFDataRef msgtype_value_data = NULL; CFDataRef msgtype_oid_data = NULL; + SecKeyRef realPublicKey = NULL; + SecKeyRef recipientKey = NULL; if (CFGetTypeID(recipients) == SecCertificateGetTypeID()) { recipient = (SecCertificateRef)recipients; @@ -272,7 +274,16 @@ SecSCEPGenerateCertificateRequest(CFArrayRef subject, CFDictionaryRef parameters } require(recipient, out); - require(csr = SecGenerateCertificateRequest(subject, parameters, publicKey, privateKey), out); + /* We don't support EC recipients for SCEP yet. */ +#if TARGET_OS_IPHONE + recipientKey = SecCertificateCopyPublicKey(recipient); +#else + recipientKey = SecCertificateCopyPublicKey_ios(recipient); +#endif + require(SecKeyGetAlgorithmId(recipientKey) == kSecRSAAlgorithmID, out); + + require(realPublicKey = SecKeyCopyPublicKey(privateKey), out); + require(csr = SecGenerateCertificateRequest(subject, parameters, realPublicKey, privateKey), out); require(enveloped_data = CFDataCreateMutable(kCFAllocatorDefault, 0), out); require_noerr(SecCMSCreateEnvelopedData(recipient, parameters, csr, enveloped_data), out); CFReleaseNull(csr); 
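Review bot: `recipientKey` is passed to `SecKeyGetAlgorithmId` without a NULL check in the -272,7 +274,16 hunk. If the recipient certificate's public key cannot be extracted, the copy call presumably returns NULL, and whether `SecKeyGetAlgorithmId` tolerates that is not visible here. `require(recipientKey && SecKeyGetAlgorithmId(recipientKey) == kSecRSAAlgorithmID, out);` makes the rejection explicit. The function body starts and ends outside this hunk.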
@@ -281,7 +292,7 @@ SecSCEPGenerateCertificateRequest(CFArrayRef subject, CFDictionaryRef parameters &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); /* generate a transaction id: hex encoded pubkey hash */ - CFDataRef public_key_hash = pubkeyhash(publicKey); + CFDataRef public_key_hash = pubkeyhash(realPublicKey); CFDataRef public_key_hash_hex = hexencode(public_key_hash); CFReleaseSafe(public_key_hash); CFDataRef transid_oid_data = scep_oid(transId); @@ -311,7 +322,7 @@ SecSCEPGenerateCertificateRequest(CFArrayRef subject, CFDictionaryRef parameters self_signed_identity = signer; CFRetain(self_signed_identity); } else { - self_signed_identity = SecSCEPCreateTemporaryIdentity(publicKey, privateKey); + self_signed_identity = SecSCEPCreateTemporaryIdentity(realPublicKey, privateKey); /* Add our temporary cert to the keychain for CMS decryption of the reply. If we happened to have picked an existing UUID @@ -331,19 +342,26 @@ SecSCEPGenerateCertificateRequest(CFArrayRef subject, CFDictionaryRef parameters out: - CFReleaseSafe(simple_attr); CFReleaseSafe(msgtype_oid_data); CFReleaseSafe(msgtype_value_data); CFReleaseSafe(self_signed_identity); CFReleaseSafe(enveloped_data); CFReleaseSafe(csr); + CFReleaseNull(realPublicKey); + CFReleaseSafe(recipientKey); return signed_request; } +CFDataRef +SecSCEPCertifyRequest(CFDataRef request, SecIdentityRef ca_identity, CFDataRef serialno, bool pend_request) { + return SecSCEPCertifyRequestWithAlgorithms(request, ca_identity, serialno, pend_request, NULL, NULL); +} + CFDataRef -SecSCEPCertifyRequest(CFDataRef request, SecIdentityRef ca_identity, CFDataRef serialno, bool pend_request) +SecSCEPCertifyRequestWithAlgorithms(CFDataRef request, SecIdentityRef ca_identity, CFDataRef serialno, bool pend_request, + CFStringRef hashingAlgorithm, CFStringRef encryptionAlgorithm) { CFDictionaryRef simple_attr = NULL; SecCertificateRef ca_certificate = NULL; 
@@ -363,7 +381,7 @@ SecSCEPCertifyRequest(CFDataRef request, SecIdentityRef ca_identity, CFDataRef s SecKeyRef tbsPublicKey = NULL; CFMutableDataRef encrypted_content = NULL; SecCertificateRef recipient = NULL; - CFDictionaryRef parameters = NULL; + CFMutableDictionaryRef parameters = NULL; require_noerr(SecIdentityCopyCertificate(ca_identity, &ca_certificate), out); #if TARGET_OS_IPHONE @@ -420,17 +438,28 @@ SecSCEPCertifyRequest(CFDataRef request, SecIdentityRef ca_identity, CFDataRef s require(cert_msg = CFDataCreateMutable(kCFAllocatorDefault, 0), out); if (!pend_request) { + /* We can't yet support EC recipients for SCEP, so reject now. */ + require (SecKeyGetAlgorithmId(tbsPublicKey) == kSecRSAAlgorithmID, out); + /* sign cert */ - cert = SecIdentitySignCertificate(ca_identity, serialno, - tbsPublicKey, subject, extensions); + cert = SecIdentitySignCertificateWithAlgorithm(ca_identity, serialno, + tbsPublicKey, subject, extensions, hashingAlgorithm); /* degenerate cms with cert */ require (cert_pkcs7 = SecCMSCreateCertificatesOnlyMessage(cert), out); CFReleaseNull(cert); /* envelope for client */ - require_noerr(SecCMSCreateEnvelopedData(signer_cert, NULL, cert_pkcs7, cert_msg), out); + CFDictionaryRef encryption_params = NULL; + if (encryptionAlgorithm) { + encryption_params = CFDictionaryCreate(NULL, (const void **)&kSecCMSBulkEncryptionAlgorithm, + (const void **)&encryptionAlgorithm, 1, + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + } + require_noerr(SecCMSCreateEnvelopedData(signer_cert, encryption_params, cert_pkcs7, cert_msg), out); CFReleaseNull(cert_pkcs7); + CFReleaseNull(encryption_params); } CFDataRef pki_status_oid = scep_oid(pkiStatus); 
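Review bot: `encryption_params` leaks when `SecCMSCreateEnvelopedData` fails in the -420,17 +438,28 hunk, because `require_noerr(..., out)` jumps past `CFReleaseNull(encryption_params)` and the variable is scoped to the `if (!pend_request)` block, so the `out:` cleanup cannot reach it. Capturing the status first avoids that: `OSStatus env_status = SecCMSCreateEnvelopedData(signer_cert, encryption_params, cert_pkcs7, cert_msg);`, then `CFReleaseNull(encryption_params);`, then `require_noerr(env_status, out);`. `hashingAlgorithm` and `encryptionAlgorithm` are forwarded as given; if the callees do not reject unknown or weak values, that validation belongs here. The function starts and ends outside the hunk.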
@@ -445,9 +474,12 @@ SecSCEPCertifyRequest(CFDataRef request, SecIdentityRef ca_identity, CFDataRef s /* sign with ra/ca cert and add attributes */ signed_reply = CFDataCreateMutable(kCFAllocatorDefault, 0); - const void *signing_params[] = { kSecCMSCertChainMode }; - const void *signing_params_vals[] = { kSecCMSCertChainModeNone }; - parameters = CFDictionaryCreate(kCFAllocatorDefault, signing_params, signing_params_vals, array_size(signing_params), &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + + parameters = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + CFDictionaryAddValue(parameters, kSecCMSCertChainMode, kSecCMSCertChainModeNone); + if (hashingAlgorithm) { + CFDictionaryAddValue(parameters, kSecCMSSignHashAlgorithm, hashingAlgorithm); + } require_noerr_action(SecCMSCreateSignedData(ca_identity, cert_msg, parameters, simple_attr, signed_reply), out, CFReleaseNull(signed_reply)); out: diff --git a/OSX/sec/Security/SecSCEP.h b/OSX/sec/Security/SecSCEP.h index b173b57f..b7029f0f 100644 --- a/OSX/sec/Security/SecSCEP.h +++ b/OSX/sec/Security/SecSCEP.h @@ -44,7 +44,8 @@ SecSCEPCreateTemporaryIdentity(SecKeyRef publicKey, SecKeyRef privateKey); @abstract generate a scep certificate request blob, to be presented to a scep server @param subject distinguished name to be put in the request - @param parameters additional information such as challenge and extensions + @param parameters additional information such as challenge and extensions (see SecCMS.h and + SecCertificateRequest.h for supported keys) @param publicKey public key to be certified @param privateKey accompanying private key signing the request (proof of possession) @param signer identity to sign scep request with, if NULL the keypair to be 
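Review bot: The `@param publicKey` line kept as context in the SecSCEP.h hunk still reads "public key to be certified", but SecSCEP.c in this same patch marks the parameter `__unused` and derives the key from `privateKey` with `SecKeyCopyPublicKey`. The header should say so, e.g. `@param publicKey ignored; the public key is derived from privateKey`, so callers do not assume a separately supplied key is the one that gets certified. The doc comment continues outside the hunk.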
@@ -69,6 +70,21 @@ SecSCEPGenerateCertificateRequest(CFArrayRef subject, CFDictionaryRef parameters CFDataRef SecSCEPCertifyRequest(CFDataRef request, SecIdentityRef ca_identity, CFDataRef serialno, bool pend_request) CF_RETURNS_RETAINED; +/*! + @function SecSCEPCertifyRequestWithAlgorithms + @abstract take a SCEP request and issue a cert + @param request the request; the ra/ca identity needed to decrypt it needs to be + in the keychain. + @param ca_identity to sign the csr + @param serialno encoded serial number for cert to be issued + @param pend_request don't issue cert now + @param hashingAlgorithm hashing algorithm to use, see SecCMS.h + @param encryptionAlgorithm encryption algorithm to use, see SecCMS.h + */ +CFDataRef +SecSCEPCertifyRequestWithAlgorithms(CFDataRef request, SecIdentityRef ca_identity, CFDataRef serialno, bool pend_request, + CFStringRef hashingAlgorithm, CFStringRef encryptionAlgorithm) CF_RETURNS_RETAINED; + /*! @function SecSCEPVerifyReply @abstract validate a reply for a sent request and retrieve the issued diff --git a/OSX/sec/Security/SecTrust.c b/OSX/sec/Security/SecTrust.c index a4c839a7..618d0941 100644 --- a/OSX/sec/Security/SecTrust.c +++ b/OSX/sec/Security/SecTrust.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006-2017 Apple Inc. All Rights Reserved. + * Copyright (c) 2006-2018 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -29,7 +29,6 @@ #include #include #include -#include #include #include #include @@ -37,12 +36,14 @@ #include #include #include +#include #include #include #include #include #include #include +#include #include #include #include @@ -57,6 +58,7 @@ #include #include #include +#include #include "SecRSAKey.h" #include @@ -65,6 +67,8 @@ #include +#pragma clang diagnostic ignored "-Wformat=2" + #define SEC_CONST_DECL(k,v) const CFStringRef k = CFSTR(v); SEC_CONST_DECL (kSecCertificateDetailSHA1Digest, "SHA1Digest"); 
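Review bot: The new header comment for SecSCEPCertifyRequestWithAlgorithms does not say that `hashingAlgorithm` and `encryptionAlgorithm` may be NULL, although SecSCEPCertifyRequest in SecSCEP.c calls it with `NULL, NULL`. Adding `(NULL selects the default)` to both `@param` lines would document the contract the wrapper relies on.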
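Review bot: `#pragma clang diagnostic ignored "-Wformat=2"` is added at file scope in SecTrust.c, so the stricter format diagnostics are switched off for every call in the file rather than only where needed. A later hunk in this patch passes a localized string as the format to `CFStringAppendFormat` and `CFStringCreateWithFormat`, which is presumably the reason. Wrapping just those functions in `#pragma clang diagnostic push`, `#pragma clang diagnostic ignored "-Wformat-nonliteral"` and `#pragma clang diagnostic pop` keeps the check active for the rest of the file.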
@@ -103,7 +107,7 @@ struct __SecTrust { CFArrayRef _SCTs; CFArrayRef _trustedLogs; CFDateRef _verifyDate; - SecCertificatePathRef _chain; + CFArrayRef _chain; SecKeyRef _publicKey; CFArrayRef _details; CFDictionaryRef _info; @@ -393,8 +397,32 @@ OSStatus SecTrustCopyCustomAnchorCertificates(SecTrustRef trust, } }); - *anchors = anchorsArray; - return errSecSuccess; + *anchors = anchorsArray; + return errSecSuccess; +} + +// Return false on error, true on success. +static bool to_bool_error_request(enum SecXPCOperation op, CFErrorRef *error) { + __block bool result = false; + securityd_send_sync_and_do(op, error, NULL, ^bool(xpc_object_t response, CFErrorRef *error) { + result = !(error && *error); + return true; + }); + return result; +} + +Boolean SecTrustFlushResponseCache(CFErrorRef *error) { + CFErrorRef localError = NULL; + os_activity_t activity = os_activity_create("SecTrustFlushResponseCache", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_DEFAULT); + os_activity_scope(activity); + bool result = TRUSTD_XPC(sec_ocsp_cache_flush, to_bool_error_request, &localError); + os_release(activity); + if (error) { + *error = localError; + } else if (localError) { + CFRelease(localError); + } + return result; } OSStatus SecTrustSetOCSPResponse(SecTrustRef trust, CFTypeRef responseData) { @@ -522,6 +550,7 @@ OSStatus SecTrustSetPinningPolicyName(SecTrustRef trust, CFStringRef policyName) CFArrayForEach(trust->_policies, ^(const void *value) { SecPolicyRef policy = (SecPolicyRef)value; SecPolicySetName(policy, policyName); + secinfo("SecPinningDb", "Set %@ as name on all policies", policyName); }); }); return errSecSuccess; 
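Review bot: In `to_bool_error_request` the block parameter `CFErrorRef *error` shadows the function's own `error`, so `result = !(error && *error)` tests the block's argument, which is easy to misread. Renaming the block parameter, e.g. `^bool(xpc_object_t response, CFErrorRef *blockError)`, makes it clear which error is consulted. In the -522,6 +550,7 hunk the `secinfo` line sits inside `CFArrayForEach`, so "Set %@ as name on all policies" is logged once per policy; moving it after the loop matches the message.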
@@ -762,13 +791,7 @@ Boolean SecTrustIsExpiredOnly(SecTrustRef trust) { CFIndex count = (detail) ? CFDictionaryGetCount(detail) : 0; require(count <= 1, out); if (count) { - CFStringRef key = CFSTR("ValidIntermediates"); - if (ix == 0) { - key = CFSTR("ValidLeaf"); - } else if (ix == pathLength-1) { - key = CFSTR("ValidRoot"); - } - CFBooleanRef valid = (CFBooleanRef)CFDictionaryGetValue(detail, key); + CFBooleanRef valid = (CFBooleanRef)CFDictionaryGetValue(detail, kSecPolicyCheckTemporalValidity); require(isBoolean(valid) && CFEqual(valid, kCFBooleanFalse), out); foundExpired = true; } @@ -870,10 +893,10 @@ static void cert_trust_dump(SecTrustRef trust) { secerror("leaf \"%@\"", name); secerror(": result = %d", (int) trust->_trustResult); if (trust->_chain) { - CFIndex ix, count = SecCertificatePathGetCount(trust->_chain); + CFIndex ix, count = CFArrayGetCount(trust->_chain); CFMutableArrayRef chain = CFArrayCreateMutable(kCFAllocatorDefault, count, &kCFTypeArrayCallBacks); for (ix = 0; ix < count; ix++) { - SecCertificateRef cert = SecCertificatePathGetCertificateAtIndex(trust->_chain, ix); + SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(trust->_chain, ix); if (cert) { CFArrayAppendValue(chain, cert); } @@ -922,7 +945,7 @@ OSStatus SecTrustEvaluate(SecTrustRef trust, SecTrustResultType *result) { if (trustResult != kSecTrustResultProceed && trustResult != kSecTrustResultUnspecified) { CFStringRef failureDesc = SecTrustCopyFailureDescription(trust); - secerror("%{public}@", failureDesc); + secerror("Trust evaluate failure:%{public}@", failureDesc); CFRelease(failureDesc); } 
@@ -934,6 +957,244 @@ OSStatus SecTrustEvaluate(SecTrustRef trust, SecTrustResultType *result) { return status; } +static CFStringRef SecTrustCopyChainSummary(SecTrustRef trust) { + CFMutableStringRef summary = CFStringCreateMutable(NULL, 0); + __block CFArrayRef chain = NULL; + dispatch_sync(trust->_trustQueue, ^{ + chain = trust->_chain; + }); + CFIndex ix, count = CFArrayGetCount(chain); + for (ix = 0; ix < count; ix++) { + if (ix != 0) { CFStringAppend(summary, CFSTR(",")); } + CFStringRef certSummary = SecCertificateCopySubjectSummary((SecCertificateRef)CFArrayGetValueAtIndex(chain, ix)); + CFStringAppendFormat(summary, NULL, CFSTR("\"%@\""), certSummary); + CFReleaseNull(certSummary); + } + return summary; +} + +typedef enum { + kSecTrustErrorSubTypeRevoked, + kSecTrustErrorSubTypeKeySize, + kSecTrustErrorSubTypeWeakHash, + kSecTrustErrorSubTypeDenied, + kSecTrustErrorSubTypeCompliance, + kSecTrustErrorSubTypePinning, + kSecTrustErrorSubTypeTrust, + kSecTrustErrorSubTypeUsage, + kSecTrustErrorSubTypeName, + kSecTrustErrorSubTypeExpired, + kSecTrustErrorSubTypeInvalid, +} SecTrustErrorSubType; + +#define SecCopyTrustString(KEY) SecFrameworkCopyLocalizedString(KEY, CFSTR("Trust")) + +struct checkmap_entry_s { + SecTrustErrorSubType type; + OSStatus status; + const CFStringRef errorKey; + +}; +typedef struct checkmap_entry_s checkmap_entry_t; + +const checkmap_entry_t checkmap[] = { +#undef POLICYCHECKMACRO +#define __PC_SUBTYPE_ kSecTrustErrorSubTypeInvalid +#define __PC_SUBTYPE_N kSecTrustErrorSubTypeName +#define __PC_SUBTYPE_E kSecTrustErrorSubTypeExpired +#define __PC_SUBTYPE_S kSecTrustErrorSubTypeKeySize +#define __PC_SUBTYPE_H kSecTrustErrorSubTypeWeakHash +#define __PC_SUBTYPE_U kSecTrustErrorSubTypeUsage +#define __PC_SUBTYPE_P kSecTrustErrorSubTypePinning +#define __PC_SUBTYPE_V kSecTrustErrorSubTypeRevoked +#define __PC_SUBTYPE_T kSecTrustErrorSubTypeTrust +#define __PC_SUBTYPE_C kSecTrustErrorSubTypeCompliance +#define __PC_SUBTYPE_D 
kSecTrustErrorSubTypeDenied +#define POLICYCHECKMACRO(NAME, TRUSTRESULT, SUBTYPE, LEAFCHECK, PATHCHECK, LEAFONLY, CSSMERR, OSSTATUS) \ +{ __PC_SUBTYPE_##SUBTYPE , OSSTATUS, SEC_TRUST_ERROR_##NAME }, +#include "SecPolicyChecks.list" +}; + +static OSStatus SecTrustCopyErrorStrings(SecTrustRef trust, + CFStringRef * CF_RETURNS_RETAINED simpleError, + CFStringRef * CF_RETURNS_RETAINED fullError) { + if (!simpleError || !fullError) { + return errSecParam; + } + __block CFArrayRef details = NULL; + dispatch_sync(trust->_trustQueue, ^{ + details = CFRetainSafe(trust->_details); + }); + if (!details) + return errSecInternal; + + /* We need to map the policy check constants to indexes into our checkmap table. */ + static dispatch_once_t onceToken; + static CFArrayRef policyChecks = NULL; + dispatch_once(&onceToken, ^{ + CFMutableArrayRef _policyChecks = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); + #undef POLICYCHECKMACRO + #define POLICYCHECKMACRO(NAME, TRUSTRESULT, SUBTYPE, LEAFCHECK, PATHCHECK, LEAFONLY, CSSMERR, ERRORSTRING) \ + CFArrayAppendValue(_policyChecks, kSecPolicyCheck##NAME); + #include "SecPolicyChecks.list" + policyChecks = _policyChecks; + }); + + /* Build the errors for each cert in the detailed results array */ + __block CFMutableStringRef fullMutableError = CFStringCreateMutable(NULL, 0); + __block SecTrustErrorSubType simpleErrorSubType = kSecTrustErrorSubTypeInvalid; + __block OSStatus simpleErrorStatus = errSecInternalError; + __block CFIndex simpleErrorCertIndex = kCFNotFound; + __block CFIndex ix; + CFIndex count = CFArrayGetCount(details); + for (ix = 0; ix < count; ix++) { + CFDictionaryRef perCertDetails = (CFDictionaryRef)CFArrayGetValueAtIndex(details, ix); + if (CFDictionaryGetCount(perCertDetails) == 0) { continue; } // no errors on this cert + + /* Get the cert summary and start the full error details string for this cert */ + CFStringRef certSummary = SecCertificateCopySubjectSummary(SecTrustGetCertificateAtIndex(trust, ix)); + 
CFStringRef format = SecCopyTrustString(SEC_TRUST_CERTIFICATE_ERROR); + CFStringAppendFormat(fullMutableError, NULL, format, + ix, certSummary); + CFReleaseNull(certSummary); + CFReleaseNull(format); + + /* Figure out the errors */ + __block bool firstError = true; + CFDictionaryForEach(perCertDetails, ^(const void *key, const void * __unused value) { + CFIndex policyCheckIndex = CFArrayGetFirstIndexOfValue(policyChecks, CFRangeMake(0, CFArrayGetCount(policyChecks)), key); + if (policyCheckIndex == kCFNotFound) { return; } + /* Keep track of the highest priority error encountered during this evaluation. + * If multiple certs have errors of the same subtype we keep the lowest indexed cert. */ + if (simpleErrorSubType > checkmap[policyCheckIndex].type) { + simpleErrorSubType = checkmap[policyCheckIndex].type; + simpleErrorCertIndex = ix; + simpleErrorStatus = checkmap[policyCheckIndex].status; + } + /* Add this error to the full error */ + if (!firstError) { CFStringAppend(fullMutableError, CFSTR(", ")); } + CFStringRef errorString = SecCopyTrustString(checkmap[policyCheckIndex].errorKey); + CFStringAppend(fullMutableError, errorString); + CFReleaseNull(errorString); + firstError = false; + }); + CFStringAppend(fullMutableError, CFSTR(";")); + } + CFReleaseNull(details); + + /* Build the simple error */ + if (simpleErrorCertIndex == kCFNotFound) { simpleErrorCertIndex = 0; } + CFStringRef format = NULL; + CFStringRef certSummary = SecCertificateCopySubjectSummary(SecTrustGetCertificateAtIndex(trust, simpleErrorCertIndex)); + switch (simpleErrorSubType) { + case kSecTrustErrorSubTypeRevoked: { + format = SecCopyTrustString(SEC_TRUST_ERROR_SUBTYPE_REVOKED); + break; + } + case kSecTrustErrorSubTypeKeySize: { + format = SecCopyTrustString(SEC_TRUST_ERROR_SUBTYPE_KEYSIZE); + break; + } + case kSecTrustErrorSubTypeWeakHash: { + format = SecCopyTrustString(SEC_TRUST_ERROR_SUBTYPE_WEAKHASH); + break; + } + case kSecTrustErrorSubTypeDenied: { + format = 
SecCopyTrustString(SEC_TRUST_ERROR_SUBTYPE_DENIED); + break; + } + case kSecTrustErrorSubTypeCompliance: { + format = SecCopyTrustString(SEC_TRUST_ERROR_SUBTYPE_COMPLIANCE); + break; + } + case kSecTrustErrorSubTypeExpired: { + format = SecCopyTrustString(SEC_TRUST_ERROR_SUBTYPE_EXPIRED); + break; + } + case kSecTrustErrorSubTypeTrust: { + format = SecCopyTrustString(SEC_TRUST_ERROR_SUBTYPE_TRUST); + break; + } + case kSecTrustErrorSubTypeName: { + format = SecCopyTrustString(SEC_TRUST_ERROR_SUBTYPE_NAME); + break; + } + case kSecTrustErrorSubTypeUsage: { + format = SecCopyTrustString(SEC_TRUST_ERROR_SUBTYPE_USAGE); + break; + } + case kSecTrustErrorSubTypePinning: { + format = SecCopyTrustString(SEC_TRUST_ERROR_SUBTYPE_PINNING); + CFAssignRetained(certSummary, SecTrustCopyChainSummary(trust)); + break; + } + default: { + format = SecCopyTrustString(SEC_TRUST_ERROR_SUBTYPE_INVALID); + break; + } + } + if (format && certSummary) { + *simpleError = CFStringCreateWithFormat(NULL, NULL, format, certSummary); + } + CFReleaseNull(format); + CFReleaseNull(certSummary); + *fullError = fullMutableError; + return simpleErrorStatus; +} + +static CFErrorRef SecTrustCopyError(SecTrustRef trust) { + if (!trust) { return NULL; } + (void)SecTrustEvaluateIfNecessary(trust); + OSStatus status = errSecSuccess; + __block SecTrustResultType trustResult = kSecTrustResultInvalid; + dispatch_sync(trust->_trustQueue, ^{ + trustResult = trust->_trustResult; + }); + if (trustResult == kSecTrustResultProceed || trustResult == kSecTrustResultUnspecified) { + return NULL; + } + + CFStringRef detailedError = NULL; + CFStringRef simpleError = NULL; + status = SecTrustCopyErrorStrings(trust, &simpleError, &detailedError); + CFDictionaryRef userInfo = CFDictionaryCreate(NULL, (const void **)&kCFErrorLocalizedDescriptionKey, + (const void **)&detailedError, 1, + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + CFErrorRef underlyingError = CFErrorCreate(NULL, 
kCFErrorDomainOSStatus, status, userInfo); + CFReleaseNull(userInfo); + CFReleaseNull(detailedError); + + const void *keys[] = { kCFErrorLocalizedDescriptionKey, kCFErrorUnderlyingErrorKey }; + const void *values[] = { simpleError, underlyingError }; + userInfo = CFDictionaryCreate(NULL, keys, values, 2, + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + CFErrorRef error = CFErrorCreate(NULL, kCFErrorDomainOSStatus, status, userInfo); + CFReleaseNull(userInfo); + CFReleaseNull(simpleError); + return error; +} + +bool SecTrustEvaluateWithError(SecTrustRef trust, CFErrorRef *error) { + SecTrustResultType trustResult = kSecTrustResultInvalid; + OSStatus status = SecTrustEvaluate(trust, &trustResult); + if (status == errSecSuccess && (trustResult == kSecTrustResultProceed || trustResult == kSecTrustResultUnspecified)) { + if (error) { + *error = NULL; + } + return true; + } + if (error) { + if (status != errSecSuccess) { + *error = SecCopyLastError(status); + } else { + *error = SecTrustCopyError(trust); + } + } + return false; +} + OSStatus SecTrustEvaluateAsync(SecTrustRef trust, dispatch_queue_t queue, SecTrustCallback result) { 
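Review bot: SecTrustCopyError can hand a NULL value to `CFDictionaryCreate`: SecTrustCopyErrorStrings returns `errSecInternal` before writing either output when `_details` is NULL, and leaves `*simpleError` unset when `format` or `certSummary` is NULL, yet both dictionaries are built with `kCFTypeDictionaryValueCallBacks`, which retains each value. `underlyingError` is also never released after it is placed in the second dictionary. The rewrite below adds only the values that exist and releases `underlyingError`. Separately, SecTrustCopyChainSummary reads `trust->_chain` without a retain or NULL check before `CFArrayGetCount(chain)`, unlike the `CFRetainSafe(trust->_details)` pattern in SecTrustCopyErrorStrings; `chain = CFRetainSafe(trust->_chain);` with an early return on NULL and a release at the end would match it.

```c
static CFErrorRef SecTrustCopyError(SecTrustRef trust) {
    /* … unchanged: evaluation, trust-result check, local declarations … */
    status = SecTrustCopyErrorStrings(trust, &simpleError, &detailedError);

    /* Either string can still be NULL here, so add only the values that exist. */
    CFMutableDictionaryRef userInfo = CFDictionaryCreateMutable(NULL, 0,
                                                                &kCFTypeDictionaryKeyCallBacks,
                                                                &kCFTypeDictionaryValueCallBacks);
    if (userInfo && detailedError) {
        CFDictionaryAddValue(userInfo, kCFErrorLocalizedDescriptionKey, detailedError);
    }
    CFErrorRef underlyingError = CFErrorCreate(NULL, kCFErrorDomainOSStatus, status, userInfo);
    CFReleaseNull(userInfo);
    CFReleaseNull(detailedError);

    userInfo = CFDictionaryCreateMutable(NULL, 0,
                                         &kCFTypeDictionaryKeyCallBacks,
                                         &kCFTypeDictionaryValueCallBacks);
    if (userInfo && simpleError) {
        CFDictionaryAddValue(userInfo, kCFErrorLocalizedDescriptionKey, simpleError);
    }
    if (userInfo && underlyingError) {
        CFDictionaryAddValue(userInfo, kCFErrorUnderlyingErrorKey, underlyingError);
    }
    CFErrorRef error = CFErrorCreate(NULL, kCFErrorDomainOSStatus, status, userInfo);
    CFReleaseNull(userInfo);
    CFReleaseNull(simpleError);
    /* The dictionary held its own reference; drop ours. */
    CFReleaseNull(underlyingError);
    return error;
}
```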
@@ -1051,14 +1312,36 @@ static bool SecXPCDictionarySetDataArray(xpc_object_t message, const char *key, return true; } -static bool SecXPCDictionaryCopyChainOptional(xpc_object_t message, const char *key, SecCertificatePathRef *path, CFErrorRef *error) { +static bool SecXPCDictionaryCopyChainOptional(xpc_object_t message, const char *key, CFArrayRef *path, CFErrorRef *error) { xpc_object_t xpc_path = xpc_dictionary_get_value(message, key); + CFMutableArrayRef output = NULL; + size_t count = 0; if (!xpc_path) { *path = NULL; return true; } - *path = SecCertificatePathCreateWithXPCArray(xpc_path, error); - return *path; + require_action_quiet(xpc_get_type(xpc_path) == XPC_TYPE_ARRAY, exit, SecError(errSecDecode, error, CFSTR("xpc_path value is not an array"))); + require_action_quiet(count = xpc_array_get_count(xpc_path), exit, SecError(errSecDecode, error, CFSTR("xpc_path array count == 0"))); + output = CFArrayCreateMutable(NULL, count, &kCFTypeArrayCallBacks); + + size_t ix; + for (ix = 0; ix < count; ++ix) { + SecCertificateRef certificate = SecCertificateCreateWithXPCArrayAtIndex(xpc_path, ix, error); + if (certificate) { + CFArrayAppendValue(output, certificate); + CFReleaseNull(certificate); + } else { + CFReleaseNull(output); + break; + } + } + +exit: + if (output) { + *path = output; + return true; + } + return false; } static int SecXPCDictionaryGetNonZeroInteger(xpc_object_t message, const char *key, CFErrorRef *error) { 
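Review bot: SecXPCDictionaryCopyChainOptional no longer writes `*path` on its failure paths: the type check, the empty-array check and a failed certificate decode all reach `exit:` with `output` NULL and return false, leaving the caller's pointer as it was, whereas the removed code always assigned it. Starting the function with `*path = NULL;` restores that. The result of `CFArrayCreateMutable` is also used by `CFArrayAppendValue` without a check; `require_quiet(output, exit);` after the allocation would cover it.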
@@ -1074,7 +1357,7 @@ static SecTrustResultType handle_trust_evaluate_xpc(enum SecXPCOperation op, CFA bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions, - CFArrayRef *details, CFDictionaryRef *info, SecCertificatePathRef *chain, CFErrorRef *error) + CFArrayRef *details, CFDictionaryRef *info, CFArrayRef *chain, CFErrorRef *error) { __block SecTrustResultType tr = kSecTrustResultInvalid; securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) { @@ -1229,8 +1512,7 @@ static OSStatus SecTrustEvaluateIfNecessary(SecTrustRef trust) { the public key from the leaf. */ SecCertificateRef leafCert = (SecCertificateRef)CFArrayGetValueAtIndex(trust->_certificates, 0); CFArrayRef leafCertArray = CFArrayCreate(NULL, (const void**)&leafCert, 1, &kCFTypeArrayCallBacks); - trust->_chain = SecCertificatePathCreateWithCertificates(leafCertArray, NULL); - CFReleaseNull(leafCertArray); + trust->_chain = leafCertArray; if (error) CFReleaseNull(*error); return true; @@ -1322,7 +1604,12 @@ SecKeyRef SecTrustCopyPublicKey(SecTrustRef trust) SecTrustEvaluateIfNecessary(trust); dispatch_sync(trust->_trustQueue, ^{ if (trust->_chain) { - trust->_publicKey = SecCertificatePathCopyPublicKeyAtIndex(trust->_chain, 0); + SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(trust->_chain, 0); +#if TARGET_OS_OSX + trust->_publicKey = SecCertificateCopyPublicKey_ios(cert); +#else + trust->_publicKey = SecCertificateCopyPublicKey(cert); +#endif publicKey = CFRetainSafe(trust->_publicKey); } }); @@ -1338,7 +1625,7 @@ CFIndex SecTrustGetCertificateCount(SecTrustRef trust) { __block CFIndex certCount = 1; dispatch_sync(trust->_trustQueue, ^{ if (trust->_chain) { - certCount = SecCertificatePathGetCount(trust->_chain); + certCount = CFArrayGetCount(trust->_chain); } }); return certCount; 
@@ -1359,7 +1646,7 @@ SecCertificateRef SecTrustGetCertificateAtIndex(SecTrustRef trust, SecTrustEvaluateIfNecessary(trust); dispatch_sync(trust->_trustQueue, ^{ if (trust->_chain) { - cert = SecCertificatePathGetCertificateAtIndex(trust->_chain, ix); + cert = (SecCertificateRef)CFArrayGetValueAtIndex(trust->_chain, ix); } }); return cert; 
@@ -1514,21 +1801,19 @@ SecTrustSetOptions(SecTrustRef trustRef, SecTrustOptionFlags options) CFMutableDictionaryRef exception_dictionary = CFDictionaryCreateMutableCopy(NULL, 0, (CFDictionaryRef)CFArrayGetValueAtIndex(old_exceptions, ix)); if (!exception_dictionary) { status = errSecAllocate; goto out; } if ((options & kSecTrustOptionAllowExpired) != 0) { - if (ix == 0) { CFDictionaryAddValue(exception_dictionary, CFSTR("ValidLeaf"), kCFBooleanFalse); } - if (ix == (count - 1)) { CFDictionaryAddValue(exception_dictionary, CFSTR("ValidRoot"), kCFBooleanFalse); } - if (ix > 0 && ix < (count - 1)) { - CFDictionaryAddValue(exception_dictionary, CFSTR("ValidIntermediates"), kCFBooleanFalse); } - } - if ((options & kSecTrustOptionAllowExpiredRoot) != 0) { - if (ix == (count - 1)) { CFDictionaryAddValue(exception_dictionary, CFSTR("ValidRoot"), kCFBooleanFalse); } + CFDictionaryAddValue(exception_dictionary, kSecPolicyCheckTemporalValidity, kCFBooleanFalse); } - if ((options & kSecTrustOptionImplicitAnchors) != 0) { - /* Check that root is self-signed. (Done by trustd for other case.) */ + if ((options & (kSecTrustOptionImplicitAnchors | kSecTrustOptionAllowExpiredRoot)) != 0) { + /* Check that root is self-signed. */ Boolean isSelfSigned = false; SecCertificateRef cert = SecTrustGetCertificateAtIndex(trustRef, ix); if (cert && (errSecSuccess == SecCertificateIsSelfSigned(cert, &isSelfSigned)) && isSelfSigned) { - CFDictionaryAddValue(exception_dictionary, CFSTR("AnchorTrusted"), kCFBooleanFalse); + if ((options & kSecTrustOptionImplicitAnchors) != 0) { + CFDictionaryAddValue(exception_dictionary, kSecPolicyCheckAnchorTrusted, kCFBooleanFalse); + } else if ((options & kSecTrustOptionAllowExpiredRoot) != 0) { + CFDictionaryAddValue(exception_dictionary, kSecPolicyCheckTemporalValidity, kCFBooleanFalse); + } } } CFArrayAppendValue(exceptions, exception_dictionary); 
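Review bot: The `else if` in the merged self-signed branch drops the expired-root exception when a caller sets both `kSecTrustOptionImplicitAnchors` and `kSecTrustOptionAllowExpiredRoot`: only `kSecPolicyCheckAnchorTrusted` is added, whereas the removed code handled the two options independently. `CFDictionaryAddValue` does nothing for a key that is already present, so two plain `if`s are safe: close the first block with `}` and start the second with `if ((options & kSecTrustOptionAllowExpiredRoot) != 0) {` instead of `} else if (...) {`. The self-signed test also runs for every `ix`, so the temporal-validity exception is no longer tied to the last certificate as the old `ix == (count - 1)` test was; if that widening is intended it deserves a comment, since each entry added here switches off a validation check. `SecTrustSetOptions` begins and ends outside this hunk.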
@@ -1540,15 +1825,13 @@ SecTrustSetOptions(SecTrustRef trustRef, SecTrustOptionFlags options) &kCFTypeDictionaryValueCallBacks); if (!exception_dictionary) { status = errSecAllocate; goto out; } if ((options & kSecTrustOptionAllowExpired) != 0) { - CFDictionaryAddValue(exception_dictionary, CFSTR("ValidLeaf"), kCFBooleanFalse); - CFDictionaryAddValue(exception_dictionary, CFSTR("ValidIntermediates"), kCFBooleanFalse); - CFDictionaryAddValue(exception_dictionary, CFSTR("ValidRoot"), kCFBooleanFalse); + CFDictionaryAddValue(exception_dictionary, kSecPolicyCheckTemporalValidity, kCFBooleanFalse); } if ((options & kSecTrustOptionAllowExpiredRoot) != 0) { - CFDictionaryAddValue(exception_dictionary, CFSTR("ValidRoot"), kCFBooleanFalse); + CFDictionaryAddValue(exception_dictionary, kSecPolicyCheckValidRoot, kCFBooleanFalse); } if ((options & kSecTrustOptionImplicitAnchors) != 0) { - CFDictionaryAddValue(exception_dictionary, CFSTR("AnchorTrusted"), kCFBooleanFalse); + CFDictionaryAddValue(exception_dictionary, kSecPolicyCheckAnchorTrusted, kCFBooleanFalse); } CFArrayAppendValue(exceptions, exception_dictionary); CFReleaseNull(exception_dictionary); 
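Review bot: This branch records `kSecTrustOptionAllowExpiredRoot` under `kSecPolicyCheckValidRoot`, while the per-certificate branch in the previous hunk records it under `kSecPolicyCheckTemporalValidity`, and the `applyDetailProperty` hunk further down no longer recognises `kSecPolicyCheckValidRoot`. If the difference is deliberate, a comment should say so, for example `/* No evaluated chain here, so the root-only key is used; the per-certificate path uses TemporalValidity on the self-signed cert. */`; otherwise both paths should use the same key. The enclosing function starts and ends outside the hunk.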
@@ -1586,103 +1869,6 @@ CFArrayRef SecTrustCopyDetailedPropertiesAtIndex(SecTrustRef trust, CFIndex ix) return summary; } -#if 0 - - - -/* Valid chain. - Can be on any non root cert in the chain. - Priority: Top down - Short circuit: Yes (No other errors matter after this one) - Non recoverable error - Trust UI: Invalid certificate chain linkage - Cert UI: Invalid linkage to parent certificate -*/ -CFStringRef kSecPolicyCheckIdLinkage = CFSTR("IdLinkage"); - -/* X.509 required checks. - Can be on any cert in the chain - Priority: Top down - Short circuit: Yes (No other errors matter after this one) - Non recoverable error - Trust UI: (One or more) unsupported critical extensions found. -*/ -/* If we have no names for the extention oids use: - Cert UI: One or more unsupported critical extensions found (Non recoverable error). - Cert UI: Unsupported 'foo', 'bar', baz' critical extensions found. -*/ -CFStringRef kSecPolicyCheckCriticalExtensions = CFSTR("CriticalExtensions"); -/* Cert UI: Unsupported critical Qualified Certificate Statements extension found (Non recoverable error). */ -CFStringRef kSecPolicyCheckQualifiedCertStatements = CFSTR("QualifiedCertStatements"); -/* Cert UI: Certificate has an empty subject (and no critial subjectAltname). */ - -/* Trusted root. - Only apply to the anchor. - Priority: N/A - Short circuit: No (Under discussion) - Recoverable - Trust UI: Root certificate is not trusted (for this policy/app/host/whatever?) - Cert UI: Not a valid anchor -*/ -CFStringRef kSecPolicyCheckAnchorTrusted = CFSTR("AnchorTrusted"); -CFStringRef kSecPolicyCheckAnchorSHA1 = CFSTR("AnchorSHA1"); - -CFStringRef kSecPolicyCheckAnchorApple = CFSTR("AnchorApple"); -CFStringRef kSecPolicyAppleAnchorIncludeTestRoots = CFSTR("AnchorAppleTestRoots"); - -/* Binding. 
- Only applies to leaf - Priority: N/A - Short Circuit: No - Recoverable - Trust UI: (Hostname|email address) mismatch -*/ -CFStringRef kSecPolicyCheckSSLHostname = CFSTR("SSLHostname"); - -/* Policy specific checks. - Can be on any cert in the chain - Priority: Top down - Short Circuit: No - Recoverable - Trust UI: Certificate chain is not valid for the current policy. - OR: (One or more) certificates in the chain are not valid for the current policy/application -*/ -CFStringRef kSecPolicyCheckNonEmptySubject = CFSTR("NonEmptySubject"); -/* Cert UI: Non CA certificate used as CA. - Cert UI: CA certificate used as leaf. - Cert UI: Cert chain length exceeded. - Cert UI: Basic constraints extension not critical (non fatal). - Cert UI: Leaf certificate has basic constraints extension (non fatal). - */ -CFStringRef kSecPolicyCheckBasicConstraints = CFSTR("BasicConstraints"); -CFStringRef kSecPolicyCheckKeyUsage = CFSTR("KeyUsage"); -CFStringRef kSecPolicyCheckExtendedKeyUsage = CFSTR("ExtendedKeyUsage"); -/* Checks that the issuer of the leaf has exactly one Common Name and that it - matches the specified string. */ -CFStringRef kSecPolicyCheckIssuerCommonName = CFSTR("IssuerCommonName"); -/* Checks that the leaf has exactly one Common Name and that it has the - specified string as a prefix. */ -CFStringRef kSecPolicyCheckSubjectCommonNamePrefix = CFSTR("SubjectCommonNamePrefix"); -/* Check that the certificate chain length matches the specificed CFNumberRef - length. */ -CFStringRef kSecPolicyCheckChainLength = CFSTR("ChainLength"); -CFStringRef kSecPolicyCheckNotValidBefore = CFSTR("NotValidBefore"); - -/* Expiration. - Can be on any cert in the chain - Priority: Top down - Short Circuit: No - Recoverable - Trust UI: One or more certificates have expired or are not valid yet. 
- OS: The (root|intermediate|leaf) certificate (expired on 'date'|is not valid until 'date') - Cert UI: Certificate (expired on 'date'|is not valid until 'date') -*/ -CFStringRef kSecPolicyCheckValidIntermediates = CFSTR("ValidIntermediates"); -CFStringRef kSecPolicyCheckValidLeaf = CFSTR("ValidLeaf"); -CFStringRef kSecPolicyCheckValidRoot = CFSTR("ValidRoot"); - -#endif - struct TrustFailures { bool badLinkage; bool unknownCritExtn; @@ -1691,6 +1877,7 @@ struct TrustFailures { bool policyFail; bool invalidCert; bool weakKey; + bool weakHash; bool revocation; }; @@ -1713,8 +1900,7 @@ static void applyDetailProperty(const void *_key, const void *_value, purposes. */ if (CFEqual(key, kSecPolicyCheckIdLinkage)) { tf->badLinkage = true; - } else if (CFEqual(key, kSecPolicyCheckCriticalExtensions) - || CFEqual(key, kSecPolicyCheckQualifiedCertStatements)) { + } else if (CFEqual(key, kSecPolicyCheckCriticalExtensions)) { tf->unknownCritExtn = true; } else if (CFEqual(key, kSecPolicyCheckAnchorTrusted) || CFEqual(key, kSecPolicyCheckAnchorSHA1) @@ -1723,14 +1909,12 @@ static void applyDetailProperty(const void *_key, const void *_value, tf->untrustedAnchor = true; } else if (CFEqual(key, kSecPolicyCheckSSLHostname)) { tf->hostnameMismatch = true; - } else if (CFEqual(key, kSecPolicyCheckValidIntermediates) - || CFEqual(key, kSecPolicyCheckValidLeaf) - || CFEqual(key, kSecPolicyCheckValidRoot)) { + } else if (CFEqual(key, kSecPolicyCheckTemporalValidity)) { tf->invalidCert = true; - } else if (CFEqual(key, kSecPolicyCheckWeakIntermediates) - || CFEqual(key, kSecPolicyCheckWeakLeaf) - || CFEqual(key, kSecPolicyCheckWeakRoot)) { + } else if (CFEqual(key, kSecPolicyCheckWeakKeySize)) { tf->weakKey = true; + } else if (CFEqual(key, kSecPolicyCheckWeakSignature)) { + tf->weakHash = true; } else if (CFEqual(key, kSecPolicyCheckRevocation)) { tf->revocation = true; } else 
@@ -1750,15 +1934,18 @@ static void applyDetailProperty(const void *_key, const void *_value, } } -static void appendError(CFMutableArrayRef properties, CFStringRef error) { - CFStringRef localizedError = SecFrameworkCopyLocalizedString(error, - CFSTR("SecCertificate")); - if (!localizedError) { - //secerror("WARNING: localized error string was not found in Security.framework"); - localizedError = CFRetain(error); +static void appendError(CFMutableArrayRef properties, CFStringRef error, bool localized) { + CFStringRef localizedError = NULL; + if (!error) { + return; + } else if (localized) { + //%%% "SecCertificate" should be changed to "Certificate": rdar://37517120 + localizedError = SecFrameworkCopyLocalizedString(error, CFSTR("SecCertificate")); + } else { + localizedError = (CFStringRef) CFRetainSafe(error); } appendProperty(properties, kSecPropertyTypeError, NULL, NULL, - localizedError); + localizedError, localized); CFReleaseNull(localizedError); } @@ -1773,6 +1960,7 @@ CFArrayRef SecTrustCopyProperties(SecTrustRef trust) return NULL; } SecTrustEvaluateIfNecessary(trust); + bool localized = true; __block CFArrayRef details = NULL; dispatch_sync(trust->_trustQueue, ^{ details = CFRetainSafe(trust->_details); 
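Review bot: `appendError` lost the fallback for a failed lookup: when `localized` is true and `SecFrameworkCopyLocalizedString` returns NULL, `localizedError` reaches `appendProperty` as NULL, where the removed code substituted the unlocalized string. Whether `appendProperty` tolerates a NULL value is not visible in this hunk. I would restore the fallback after the `if`/`else` chain with `if (!localizedError) { localizedError = (CFStringRef)CFRetainSafe(error); }`, so a trust-failure reason is never silently dropped from the properties array.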
@@ -1797,27 +1985,30 @@ CFArrayRef SecTrustCopyProperties(SecTrustRef trust) /* The badLinkage and unknownCritExtn failures are short circuited, since you can't recover from those errors. */ if (tf.badLinkage) { - appendError(properties, CFSTR("Invalid certificate chain linkage.")); + appendError(properties, CFSTR("Invalid certificate chain linkage."), localized); } else if (tf.unknownCritExtn) { - appendError(properties, CFSTR("One or more unsupported critical extensions found.")); + appendError(properties, CFSTR("One or more unsupported critical extensions found."), localized); } else { if (tf.untrustedAnchor) { - appendError(properties, CFSTR("Root certificate is not trusted.")); + appendError(properties, CFSTR("Root certificate is not trusted."), localized); } if (tf.hostnameMismatch) { - appendError(properties, CFSTR("Hostname mismatch.")); + appendError(properties, CFSTR("Hostname mismatch."), localized); } if (tf.policyFail) { - appendError(properties, CFSTR("Policy requirements not met.")); + appendError(properties, CFSTR("Policy requirements not met."), localized); } if (tf.invalidCert) { - appendError(properties, CFSTR("One or more certificates have expired or are not valid yet.")); + appendError(properties, CFSTR("One or more certificates have expired or are not valid yet."), localized); } if (tf.weakKey) { - appendError(properties, CFSTR("One or more certificates is using a weak key size.")); + appendError(properties, CFSTR("One or more certificates is using a weak key size."), localized); + } + if (tf.weakHash) { + appendError(properties, CFSTR("One or more certificates is using a weak signature algorithm."), localized); } if (tf.revocation) { - appendError(properties, CFSTR("One or more certificates have been revoked.")); + appendError(properties, CFSTR("One or more certificates have been revoked."), localized); } } 
@@ -1968,68 +2159,82 @@ CFDictionaryRef SecTrustCopyResult(SecTrustRef trust) { return results; } -// Return 0 upon error. -static int to_int_error_request(enum SecXPCOperation op, CFErrorRef *error) { - __block int64_t result = 0; - securityd_send_sync_and_do(op, error, NULL, ^bool(xpc_object_t response, CFErrorRef *error) { - result = xpc_dictionary_get_int64(response, kSecXPCKeyResult); - if (!result) - return SecError(errSecInternal, error, CFSTR("int64 missing in response")); - return true; - }); - return (int)result; +#define do_if_registered(sdp, ...) if (gTrustd && gTrustd->sdp) { return gTrustd->sdp(__VA_ARGS__); } + +static bool xpc_dictionary_entry_is_type(xpc_object_t dictionary, const char *key, xpc_type_t type) { + xpc_object_t value = xpc_dictionary_get_value(dictionary, key); + return value && (xpc_get_type(value) == type); +} + +static uint64_t do_ota_pki_op (enum SecXPCOperation op, CFErrorRef *error) { + uint64_t num = 0; + xpc_object_t message = securityd_create_message(op, error); + if (message) { + xpc_object_t response = securityd_message_with_reply_sync(message, error); + if (response && xpc_dictionary_entry_is_type(response, kSecXPCKeyResult, XPC_TYPE_UINT64)) { + num = (int64_t) xpc_dictionary_get_uint64(response, kSecXPCKeyResult); + } + if (response && error && xpc_dictionary_entry_is_type(response, kSecXPCKeyError, XPC_TYPE_DICTIONARY)) { + xpc_object_t xpc_error = xpc_dictionary_get_value(response, kSecXPCKeyError); + if (xpc_error) { + *error = SecCreateCFErrorWithXPCObject(xpc_error); + } + } + xpc_release_safe(message); + xpc_release_safe(response); + } + return num; } + // version 0 -> error, so we need to start at version 1 or later. 
-OSStatus SecTrustGetOTAPKIAssetVersionNumber(int* versionNumber) -{ - OSStatus result; - os_activity_t trace_activity = os_activity_start("SecTrustGetOTAPKIAssetVersionNumber", OS_ACTIVITY_FLAG_DEFAULT); - result = SecOSStatusWith(^bool(CFErrorRef *error) { - if (!versionNumber) - return SecError(errSecParam, error, CFSTR("versionNumber is NULL")); +uint64_t SecTrustGetTrustStoreVersionNumber(CFErrorRef *error) { + do_if_registered(sec_ota_pki_trust_store_version, error); - return (*versionNumber = TRUSTD_XPC(sec_ota_pki_asset_version, to_int_error_request, error)) != 0; - }); + os_activity_t activity = os_activity_create("SecTrustGetTrustStoreVersionNumber", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_DEFAULT); + os_activity_scope(activity); - os_activity_end(trace_activity); - return result; + uint64_t num = do_ota_pki_op(sec_ota_pki_trust_store_version_id, error); + + os_release(activity); + return num; } -#define do_if_registered(sdp, ...) if (gTrustd && gTrustd->sdp) { return gTrustd->sdp(__VA_ARGS__); } +uint64_t SecTrustOTAPKIGetUpdatedAsset(CFErrorRef *error) { + do_if_registered(sec_ota_pki_get_new_asset, error); -static bool xpc_dictionary_entry_is_type(xpc_object_t dictionary, const char *key, xpc_type_t type) -{ - xpc_object_t value = xpc_dictionary_get_value(dictionary, key); + os_activity_t activity = os_activity_create("SecTrustOTAPKIGetUpdatedAsset", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_DEFAULT); + os_activity_scope(activity); - return value && (xpc_get_type(value) == type); + uint64_t num = do_ota_pki_op(kSecXPCOpOTAPKIGetNewAsset, error); + + os_release(activity); + return num; } -OSStatus SecTrustOTAPKIGetUpdatedAsset(int* didUpdateAsset) -{ - CFErrorRef error = NULL; - do_if_registered(sec_ota_pki_get_new_asset, &error); +bool SecTrustReportTLSAnalytics(CFStringRef eventName, xpc_object_t eventAttributes, CFErrorRef *error) { + if (!eventName || !eventAttributes) { + return false; + } + do_if_registered(sec_tls_analytics_report, eventName, 
eventAttributes, error); - int64_t num = 0; - xpc_object_t message = securityd_create_message(kSecXPCOpOTAPKIGetNewAsset, &error); - if (message) - { - xpc_object_t response = securityd_message_with_reply_sync(message, &error); + os_activity_t activity = os_activity_create("SecTrustReportTLSAnalytics", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_DEFAULT); + os_activity_scope(activity); - if (response && xpc_dictionary_entry_is_type(response, kSecXPCKeyResult, XPC_TYPE_INT64)) - { - num = (int64_t) xpc_dictionary_get_int64(response, kSecXPCKeyResult); - xpc_release(response); + __block bool result = false; + securityd_send_sync_and_do(kSecXPCOpTLSAnaltyicsReport, error, ^bool(xpc_object_t message, CFErrorRef *block_error) { + if (!SecXPCDictionarySetString(message, kSecTrustEventNameKey, eventName, block_error)) { + return false; } + xpc_dictionary_set_value(message, kSecTrustEventAttributesKey, eventAttributes); + return true; + }, ^bool(xpc_object_t response, CFErrorRef *block_error) { + result = SecXPCDictionaryGetBool(response, kSecXPCKeyResult, block_error); + return true; + }); - xpc_release(message); - } - - if (NULL != didUpdateAsset) - { - *didUpdateAsset = (int)num; - } - return noErr; + os_release(activity); + return result; } /* @@ -2069,8 +2274,7 @@ OSStatus SecTrustEvaluateLeafOnly(SecTrustRef trust, SecTrustResultType *result) &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); CFMutableArrayRef leafCert = CFArrayCreateMutableCopy(NULL, 1, trust->_certificates); - trust->_chain = SecCertificatePathCreateWithCertificates(leafCert, NULL); - CFReleaseNull(leafCert); + trust->_chain = leafCert; }); SecLeafPVCDelete(&pvc); 
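Review bot: `do_ota_pki_op` returns 0 without setting `*error` when the reply's `kSecXPCKeyResult` is absent or not an `XPC_TYPE_UINT64`, so a malformed reply cannot be told apart from a legitimate zero; the retained comment still treats version 0 as the error value, and the removed `to_int_error_request` raised `errSecInternal` for this case. The check has to come after the `kSecXPCKeyError` extraction so it does not overwrite or leak an error taken from the reply, and it assumes trustd always includes the result key on success, which should be confirmed for `kSecXPCOpOTAPKIGetNewAsset`. The `(int64_t)` cast on the `xpc_dictionary_get_uint64` result is also stray, since `num` is a `uint64_t`. `SecTrustReportTLSAnalytics` likewise returns false for NULL arguments without populating `error`.

```c
static uint64_t do_ota_pki_op (enum SecXPCOperation op, CFErrorRef *error) {
    uint64_t num = 0;
    bool got_result = false;
    /* ... unchanged: message creation and securityd_message_with_reply_sync ... */
        if (response && xpc_dictionary_entry_is_type(response, kSecXPCKeyResult, XPC_TYPE_UINT64)) {
            num = xpc_dictionary_get_uint64(response, kSecXPCKeyResult);
            got_result = true;
        }
        /* ... unchanged: kSecXPCKeyError extraction into *error ... */
        if (!got_result && error && !*error) {
            /* Reply carried neither a typed result nor an error. */
            SecError(errSecInternal, error, CFSTR("uint64 missing in response"));
        }
        /* ... unchanged: xpc_release_safe calls and return ... */
```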
@@ -2123,7 +2327,7 @@ static void serializeCertificate(const void *value, void *context) { } } -static CFArrayRef SecCertificateArraySerialize(CFArrayRef certificates) { +static CF_RETURNS_RETAINED CFArrayRef SecCertificateArraySerialize(CFArrayRef certificates) { CFMutableArrayRef result = NULL; require_quiet(isArray(certificates), errOut); CFIndex count = CFArrayGetCount(certificates); @@ -2174,10 +2378,10 @@ static CFPropertyListRef SecTrustCopyPlist(SecTrustRef trust) { CFDictionaryAddValue(output, CFSTR(kSecTrustVerifyDateKey), trust->_verifyDate); } if (trust->_chain) { - CFArrayRef serializedChain = SecCertificatePathCreateSerialized(trust->_chain, NULL); - if (serializedChain) { - CFDictionaryAddValue(output, CFSTR(kSecTrustChainKey), serializedChain); - CFRelease(serializedChain); + CFArrayRef serializedCerts = SecCertificateArraySerialize(trust->_chain); + if (serializedCerts) { + CFDictionaryAddValue(output, CFSTR(kSecTrustChainKey), serializedCerts); + CFRelease(serializedCerts); } } if (trust->_details) { @@ -2226,14 +2430,12 @@ out: static OSStatus SecTrustCreateFromPlist(CFPropertyListRef plist, SecTrustRef CF_RETURNS_RETAINED *trust) { OSStatus status = errSecParam; SecTrustRef output = NULL; - CFTypeRef serializedCertificates = NULL, serializedPolicies = NULL, serializedAnchors = NULL, - serializedChain = NULL; + CFTypeRef serializedCertificates = NULL, serializedPolicies = NULL, serializedAnchors = NULL; CFNumberRef trustResultNum = NULL; CFArrayRef certificates = NULL, policies = NULL, anchors = NULL, responses = NULL, - SCTs = NULL, trustedLogs = NULL, details = NULL, exceptions = NULL; + SCTs = NULL, trustedLogs = NULL, details = NULL, exceptions = NULL, chain = NULL; CFDateRef verifyDate = NULL; CFDictionaryRef info = NULL; - SecCertificatePathRef chain = NULL; require_quiet(CFDictionaryGetTypeID() == CFGetTypeID(plist), out); require_quiet(serializedCertificates = CFDictionaryGetValue(plist, CFSTR(kSecTrustCertificatesKey)), out); 
@@ -2263,10 +2465,9 @@ static OSStatus SecTrustCreateFromPlist(CFPropertyListRef plist, SecTrustRef CF_ if (isDate(verifyDate)) { output->_verifyDate = CFRetainSafe(verifyDate); } - serializedChain = CFDictionaryGetValue(plist, CFSTR(kSecTrustChainKey)); - if (isArray(serializedChain)) { - chain = SecCertificatePathCreateDeserialized(serializedChain, NULL); - output->_chain = chain; + chain = CFDictionaryGetValue(plist, CFSTR(kSecTrustChainKey)); + if (isArray(chain)) { + output->_chain = SecCertificateArrayDeserialize(chain); } details = CFDictionaryGetValue(plist, CFSTR(kSecTrustDetailsKey)); if (isArray(details)) { diff --git a/OSX/sec/Security/SecTrustInternal.h b/OSX/sec/Security/SecTrustInternal.h index 51b174f8..fcb0962e 100644 --- a/OSX/sec/Security/SecTrustInternal.h +++ b/OSX/sec/Security/SecTrustInternal.h @@ -58,6 +58,9 @@ SecKeyRef SecTrustCopyPublicKey_ios(SecTrustRef trust); CFArrayRef SecTrustCopyProperties_ios(SecTrustRef trust); #endif +#define kSecTrustEventNameKey "eventName" +#define kSecTrustEventAttributesKey "eventAttributes" + __END_DECLS #endif /* !_SECURITY_SECTRUSTINTERNAL_H_ */ diff --git a/OSX/sec/Security/SecTrustStatusCodes.c b/OSX/sec/Security/SecTrustStatusCodes.c index 4f9f6d5a..096b3b9e 100644 --- a/OSX/sec/Security/SecTrustStatusCodes.c +++ b/OSX/sec/Security/SecTrustStatusCodes.c 
@@ -36,53 +36,10 @@ struct resultmap_entry_s { typedef struct resultmap_entry_s resultmap_entry_t; const resultmap_entry_t resultmap[] = { - { CFSTR("SSLHostname"), 0x80012400, /* CSSMERR_APPLETP_HOSTNAME_MISMATCH */}, - { CFSTR("email"), 0x80012418, /* CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND */}, - { CFSTR("IssuerCommonName"), 0x8001243B /* CSSMERR_APPLETP_IDENTIFIER_MISSING */}, - { CFSTR("SubjectCommonName"), 0x8001243B /* CSSMERR_APPLETP_IDENTIFIER_MISSING */}, - { CFSTR("SubjectCommonNamePrefix"), 0x8001243B /* CSSMERR_APPLETP_IDENTIFIER_MISSING */}, - { CFSTR("SubjectCommonNameTEST"), 0x8001243B /* CSSMERR_APPLETP_IDENTIFIER_MISSING */}, - { CFSTR("SubjectOrganization"), 0x8001243B /* CSSMERR_APPLETP_IDENTIFIER_MISSING */}, - { CFSTR("SubjectOrganizationalUnit"), 0x8001243B /* CSSMERR_APPLETP_IDENTIFIER_MISSING */}, - { CFSTR("EAPTrustedServerNames"), 0x80012400 /* CSSMERR_APPLETP_HOSTNAME_MISMATCH */}, - { CFSTR("CertificatePolicy"), 0x80012439 /* CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION */}, - { CFSTR("KeyUsage"), 0x80012406 /* CSSMERR_APPLETP_INVALID_KEY_USAGE */}, - { CFSTR("ExtendedKeyUsage"), 0x80012407 /* CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE */}, - { CFSTR("BasicConstraints"), 0x80012402 /* CSSMERR_APPLETP_NO_BASIC_CONSTRAINTS */}, - { CFSTR("QualifiedCertStatements"), 0x80012438 /* CSSMERR_APPLETP_UNKNOWN_QUAL_CERT_STATEMENT */}, - { CFSTR("IntermediateSPKISHA256"), 0x8001243B /* CSSMERR_APPLETP_IDENTIFIER_MISSING */}, - { CFSTR("IntermediateEKU"), 0x80012407 /* CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE */}, - { CFSTR("AnchorSHA1"), 0x8001212A /* CSSMERR_TP_NOT_TRUSTED */}, - { CFSTR("AnchorSHA256"), 0x8001212A /* CSSMERR_TP_NOT_TRUSTED */}, - { CFSTR("AnchorTrusted"), 0x8001212A /* CSSMERR_TP_NOT_TRUSTED */}, - { CFSTR("AnchorApple"), 0x8001243C /* CSSMERR_APPLETP_CA_PIN_MISMATCH */}, - { CFSTR("NonEmptySubject"), 0x80012437 /* CSSMERR_APPLETP_INVALID_EMPTY_SUBJECT */}, - { CFSTR("IdLinkage"), 0x80012404 /* 
CSSMERR_APPLETP_INVALID_AUTHORITY_ID */}, - { CFSTR("WeakIntermediates"), 0x80012115 /* CSSMERR_TP_INVALID_CERTIFICATE */}, - { CFSTR("WeakLeaf"), 0x80012115 /* CSSMERR_TP_INVALID_CERTIFICATE */}, - { CFSTR("WeakRoot"), 0x80012115 /* CSSMERR_TP_INVALID_CERTIFICATE */}, - { CFSTR("KeySize"), 0x80010918 /* CSSMERR_CSP_UNSUPPORTED_KEY_SIZE */}, - { CFSTR("SignatureHashAlgorithms"), 0x80010913 /* CSSMERR_CSP_ALGID_MISMATCH */}, - { CFSTR("SystemTrustedWeakHash"), 0x80010955 /* CSSMERR_CSP_INVALID_DIGEST_ALGORITHM */}, - { CFSTR("CriticalExtensions"), 0x80012401 /* CSSMERR_APPLETP_UNKNOWN_CRITICAL_EXTEN */}, - { CFSTR("ChainLength"), 0x80012409 /* CSSMERR_APPLETP_PATH_LEN_CONSTRAINT */}, - { CFSTR("BasicCertificateProcessing"), 0x80012115 /* CSSMERR_TP_INVALID_CERTIFICATE */}, - { CFSTR("ExtendedValidation"), 0x8001212A /* CSSMERR_TP_NOT_TRUSTED */}, - { CFSTR("Revocation"), 0x8001210C /* CSSMERR_TP_CERT_REVOKED */}, - { CFSTR("RevocationResponseRequired"), 0x80012423 /* CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK */}, - { CFSTR("CertificateTransparency"), 0x8001212A /* CSSMERR_TP_NOT_TRUSTED */}, - { CFSTR("BlackListedLeaf"), 0x8001210C /* CSSMERR_TP_CERT_REVOKED */}, - { CFSTR("GrayListedLeaf"), 0x8001212A /* CSSMERR_TP_NOT_TRUSTED */}, - { CFSTR("GrayListedKey"), 0x8001212A /* CSSMERR_TP_NOT_TRUSTED */}, - { CFSTR("BlackListedKey"), 0x8001210C /* CSSMERR_TP_CERT_REVOKED */}, - { CFSTR("CheckLeafMarkerOid"), 0x80012439 /* CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION */}, - { CFSTR("CheckLeafMarkerOidNoValueCheck"), 0x80012439 /* CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION */}, - { CFSTR("CheckIntermediateMarkerOid"), 0x80012439 /* CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION */}, - { CFSTR("UsageConstraints"), 0x80012436 /* CSSMERR_APPLETP_TRUST_SETTING_DENY */}, - { CFSTR("NotValidBefore"), 0x8001210B /* CSSMERR_TP_CERT_NOT_VALID_YET */}, - { CFSTR("ValidIntermediates"), 0x8001210A /* CSSMERR_TP_CERT_EXPIRED */}, - { CFSTR("ValidLeaf"), 0x8001210A /* 
CSSMERR_TP_CERT_EXPIRED */}, - { CFSTR("ValidRoot"), 0x8001210A /* CSSMERR_TP_CERT_EXPIRED */}, +#undef POLICYCHECKMACRO +#define POLICYCHECKMACRO(NAME, TRUSTRESULT, SUBTYPE, LEAFCHECK, PATHCHECK, LEAFONLY, CSSMERR, OSSTATUS) \ +{ CFSTR(#NAME), CSSMERR }, +#include "SecPolicyChecks.list" }; // diff --git a/OSX/sec/Security/SecTrustStore.c b/OSX/sec/Security/SecTrustStore.c index e308ffb6..d070c835 100644 --- a/OSX/sec/Security/SecTrustStore.c +++ b/OSX/sec/Security/SecTrustStore.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007-2009,2012-2015 Apple Inc. All Rights Reserved. + * Copyright (c) 2007-2018 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -72,7 +72,9 @@ static bool string_data_to_bool_error(enum SecXPCOperation op, SecTrustStoreRef static bool string_data_to_bool_bool_error(enum SecXPCOperation op, SecTrustStoreRef ts, CFDataRef digest, bool *result, CFErrorRef *error) { - return securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) { + os_activity_t activity = os_activity_create("SecTrustStoreContains", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_DEFAULT); + os_activity_scope(activity); + bool status = securityd_send_sync_and_do(op, error, ^bool(xpc_object_t message, CFErrorRef *error) { return SecXPCDictionarySetString(message, kSecXPCKeyDomain, (CFStringRef)ts, error) && SecXPCDictionarySetData(message, kSecXPCKeyDigest, digest, error); }, ^bool(xpc_object_t response, CFErrorRef *error) { @@ -80,6 +82,8 @@ static bool string_data_to_bool_bool_error(enum SecXPCOperation op, SecTrustStor *result = xpc_dictionary_get_bool(response, kSecXPCKeyResult); return true; }); + os_release(activity); + return status; } Boolean SecTrustStoreContains(SecTrustStoreRef ts, 
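Review bot: The activity label `"SecTrustStoreContains"` is now hard-coded inside `string_data_to_bool_bool_error`, a helper that takes the operation as `op`, so any other operation routed through it would be traced under the wrong name. Either keep the `os_activity_create` call in `SecTrustStoreContains`, as the other `SecTrustStore*` functions in this patch do, or add a comment on the helper such as `/* Only called from SecTrustStoreContains; the activity label relies on that. */`. The helper's body is split across the `@@ -72,7 +72,9 @@` and `@@ -80,6 +82,8 @@` hunks.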
@@ -88,7 +92,6 @@ Boolean SecTrustStoreContains(SecTrustStoreRef ts, bool ok = false; __block bool contains = false; - os_activity_t trace_activity = os_activity_start("SecTrustStoreContains", OS_ACTIVITY_FLAG_DEFAULT); require(ts, errOut); require(digest = SecCertificateGetSHA1Digest(certificate), errOut); @@ -98,7 +101,6 @@ Boolean SecTrustStoreContains(SecTrustStoreRef ts, }) == errSecSuccess); errOut: - os_activity_end(trace_activity); return ok && contains; } @@ -220,8 +222,9 @@ OSStatus SecTrustStoreRemoveCertificate(SecTrustStoreRef ts, { CFDataRef digest; __block OSStatus status = errSecParam; - - os_activity_t trace_activity = os_activity_start("SecTrustStoreRemoveCertificate", OS_ACTIVITY_FLAG_DEFAULT); + + os_activity_t activity = os_activity_create("SecTrustStoreRemoveCertificate", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_DEFAULT); + os_activity_scope(activity); require(ts, errOut); require(digest = SecCertificateGetSHA1Digest(certificate), errOut); require(gTrustd || ts == (SecTrustStoreRef)kSecTrustStoreUserName, errOut); 
@@ -231,38 +234,27 @@ OSStatus SecTrustStoreRemoveCertificate(SecTrustStoreRef ts, }); errOut: - os_activity_end(trace_activity); + os_release(activity); return status; } -static CFIndex GetOTAAssetVersionNumber() -{ - CFIndex result = 0; - int version = 0; - - if (errSecSuccess == SecTrustGetOTAPKIAssetVersionNumber(&version)) - { - result = version; - } - - return result; -} - - - OSStatus SecTrustStoreGetSettingsVersionNumber(SecTrustSettingsVersionNumber* p_settings_version_number) { - OSStatus status = errSecParam; - if (NULL == p_settings_version_number) - { - return status; + if (NULL == p_settings_version_number) { + return errSecParam; } - - CFIndex versionNumber = GetOTAAssetVersionNumber(); + + OSStatus status = errSecSuccess; + CFErrorRef error = nil; + uint64_t versionNumber = SecTrustGetTrustStoreVersionNumber(&error); *p_settings_version_number = (SecTrustSettingsVersionNumber)versionNumber; - return errSecSuccess; + if (error) { + status = (OSStatus)CFErrorGetCode(error); + } + CFReleaseSafe(error); + return status; } static bool string_to_array_error(enum SecXPCOperation op, SecTrustStoreRef ts, CFArrayRef *trustStoreContents, CFErrorRef *error) @@ -283,7 +275,8 @@ OSStatus SecTrustStoreCopyAll(SecTrustStoreRef ts, CFArrayRef *trustStoreContent __block CFArrayRef results = NULL; OSStatus status = errSecParam; - os_activity_t trace_activity = os_activity_start("SecTrustStoreCopyAll", OS_ACTIVITY_FLAG_DEFAULT); + os_activity_t activity = os_activity_create("SecTrustStoreCopyAll", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_DEFAULT); + os_activity_scope(activity); require(ts, errOut); status = SecOSStatusWith(^bool (CFErrorRef *error) { @@ -293,7 +286,7 @@ OSStatus SecTrustStoreCopyAll(SecTrustStoreRef ts, CFArrayRef *trustStoreContent *trustStoreContents = results; errOut: - os_activity_end(trace_activity); + os_release(activity); return status; } 
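Review bot: `SecTrustStoreGetSettingsVersionNumber` converts the error with `(OSStatus)CFErrorGetCode(error)` without looking at the error's domain, and still stores the zero version through `p_settings_version_number` on that path. A code from a non-OSStatus domain would reach callers as if it were a Security status; mapping anything outside the expected domain to `errSecInternal`, or using the framework's own CFError-to-OSStatus conversion if one is in scope, avoids that. Two smaller points in the same lines: `CFErrorRef error = nil;` should be `NULL` in a C file, and the `uint64_t` result is narrowed by the `(SecTrustSettingsVersionNumber)` cast, whose width is not visible here.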
@@ -313,7 +306,8 @@ OSStatus SecTrustStoreCopyUsageConstraints(SecTrustStoreRef ts, SecCertificateRe __block CFArrayRef results = NULL; OSStatus status = errSecParam; - os_activity_t trace_activity = os_activity_start("SecTrustStoreCopyUsageConstraints", OS_ACTIVITY_FLAG_DEFAULT); + os_activity_t activity = os_activity_create("SecTrustStoreCopyUsageConstraints", OS_ACTIVITY_CURRENT, OS_ACTIVITY_FLAG_DEFAULT); + os_activity_scope(activity); require(ts, errOut); require(certificate, errOut); require(digest = SecCertificateGetSHA1Digest(certificate), errOut); @@ -326,6 +320,6 @@ OSStatus SecTrustStoreCopyUsageConstraints(SecTrustStoreRef ts, SecCertificateRe *usageConstraints = results; errOut: - os_activity_end(trace_activity); + os_release(activity); return status; } diff --git a/OSX/sec/Security/SecuritydXPC.c b/OSX/sec/Security/SecuritydXPC.c index 721659a1..9c9fdfd1 100644 --- a/OSX/sec/Security/SecuritydXPC.c +++ b/OSX/sec/Security/SecuritydXPC.c @@ -42,6 +42,7 @@ const char *kSecXPCKeyUserLabel = "userlabel"; const char *kSecXPCKeyBackup = "backup"; const char *kSecXPCKeyKeybag = "keybag"; const char *kSecXPCKeyUserPassword = "password"; +const char *kSecXPCKeyEMCSBackup = "emcsbackup"; const char *kSecXPCKeyDSID = "dsid"; const char *kSecXPCKeyQuery = "query"; const char *kSecXPCKeyAttributesToUpdate = "attributesToUpdate"; @@ -236,8 +237,8 @@ CFStringRef SOSCCGetOperationDescription(enum SecXPCOperation op) return CFSTR("keychain_restore_syncable"); case sec_keychain_sync_update_message_id: return CFSTR("keychain_sync_update_message"); - case sec_ota_pki_asset_version_id: - return CFSTR("ota_pki_asset_version"); + case sec_ota_pki_trust_store_version_id: + return CFSTR("ota_pki_trust_store_version"); case sec_otr_session_create_remote_id: return CFSTR("otr_session_create_remote"); case sec_otr_session_process_packet_remote_id: 
@@ -258,6 +259,8 @@ CFStringRef SOSCCGetOperationDescription(enum SecXPCOperation op) return CFSTR("trust_store_copy_all"); case sec_trust_store_copy_usage_constraints_id: return CFSTR("trust_store_copy_usage_constraints"); + case sec_ocsp_cache_flush_id: + return CFSTR("ocsp_cache_flush"); case soscc_EnsurePeerRegistration_id: return CFSTR("EnsurePeerRegistration"); case kSecXPCOpSetEscrowRecord: @@ -298,16 +301,14 @@ CFStringRef SOSCCGetOperationDescription(enum SecXPCOperation op) return CFSTR("copy_parent_certificates"); case sec_item_certificate_exists_id: return CFSTR("certificate_exists"); - case kSecXPCOpCKKSEndpoint: - return CFSTR("CKKSEndpoint"); - case kSecXPCOpSOSEndpoint: - return CFSTR("SOSEndpoint"); - case kSecXPCOpSecuritydXPCServerEndpoint: - return CFSTR("XPCServerEndpoint"); case kSecXPCOpBackupKeybagAdd: return CFSTR("KeybagAdd"); case kSecXPCOpBackupKeybagDelete: return CFSTR("KeybagDelete"); + case kSecXPCOpKeychainControlEndpoint: + return CFSTR("KeychainControlEndpoint"); + case kSecXPCOpTLSAnaltyicsReport: + return CFSTR("TLSAnalyticsReport"); default: return CFSTR("Unknown xpc operation"); } diff --git a/OSX/sec/Security/Tool/SecurityCommands.h b/OSX/sec/Security/Tool/SecurityCommands.h index ee7dfdd0..675393cf 100644 --- a/OSX/sec/Security/Tool/SecurityCommands.h +++ b/OSX/sec/Security/Tool/SecurityCommands.h 
@@ -183,11 +183,16 @@ SECURITY_COMMAND_IOS("verify-cert", verify_cert, "Verify certificate(s).") SECURITY_COMMAND_IOS("trust-store", trust_store_show_certificates, - "[-p][-f][-s][-v][-t][-k]\n" - " -p Output cert in PEM format.\n" - " -f Show fingerprint (SHA1 digest certificate.)\n" - " -s Show subject.\n" - " -v Show entire certificate in text form.\n" - " -t Show trust settings for certificates.\n" - " -k Show keyid (SHA1 digest of public key)", - "Display user trust store certificates and trust settings.") + "[-p][-f][-s][-v][-t][-k]\n" + " -p Output cert in PEM format.\n" + " -f Show fingerprint (SHA1 digest certificate.)\n" + " -s Show subject.\n" + " -v Show entire certificate in text form.\n" + " -t Show trust settings for certificates.\n" + " -k Show keyid (SHA1 digest of public key)", + "Display user trust store certificates and trust settings.") + +SECURITY_COMMAND("check-trust-update", check_trust_update, + "[-s]\n" + " -s Check for Supplementals (Pinning DB and Trusted CT Logs) update\n", + "Check for data updates for trust and return current version.") diff --git a/OSX/sec/Security/Tool/add_internet_password.c b/OSX/sec/Security/Tool/add_internet_password.c index 3326df88..5758d7bf 100644 --- a/OSX/sec/Security/Tool/add_internet_password.c +++ b/OSX/sec/Security/Tool/add_internet_password.c @@ -159,7 +159,7 @@ int keychain_add_internet_password(int argc, char * const *argv) break; case '?': default: - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } @@ -176,7 +176,7 @@ int keychain_add_internet_password(int argc, char * const *argv) } } else if (argc != 0) - return 2; + return SHOW_USAGE_MESSAGE; result = do_addinternetpassword(keychainName, serverName, securityDomain, accountName, path, port, protocol,authenticationType, passwordData); diff --git a/OSX/sec/Security/Tool/codesign.c b/OSX/sec/Security/Tool/codesign.c index ab01a43b..43e5cda5 100644 --- a/OSX/sec/Security/Tool/codesign.c 
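Review bot: The synopsis added for `check-trust-update` in SecurityCommands.h marks `-s` as optional (`"[-s]\n"`), but `check_trust_update` in trust_update.m, added by this same patch, returns `SHOW_USAGE_MESSAGE` when `argc == 1` and returns 0 without doing anything when `-s` is absent. Either drop the brackets, `"-s\n"`, or give the invocation without options a defined behaviour. The option line also ends in `\n`, unlike the last option line of the neighbouring `trust-store` entry.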
+++ b/OSX/sec/Security/Tool/codesign.c @@ -333,7 +333,7 @@ extern int codesign_util(int argc, char * const *argv) verbose++; break; default: - return 2; /* Trigger usage message. */ + return SHOW_USAGE_MESSAGE; } } @@ -341,7 +341,7 @@ extern int codesign_util(int argc, char * const *argv) argv += optind; if (argc != 1) - return 2; /* Trigger usage message. */ + return SHOW_USAGE_MESSAGE; CFArrayRef sigs = load_code_signatures(argv[0]); require(sigs, out); diff --git a/OSX/sec/Security/Tool/keychain_add.c b/OSX/sec/Security/Tool/keychain_add.c index b8555aec..decf795d 100644 --- a/OSX/sec/Security/Tool/keychain_add.c +++ b/OSX/sec/Security/Tool/keychain_add.c @@ -108,14 +108,14 @@ keychain_add_certificates(int argc, char * const *argv) case 'k': keychainName = optarg; if (*keychainName == '\0') - return 2; + return SHOW_USAGE_MESSAGE; break; case 't': trustSettings = true; break; case '?': default: - return 2; /* Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } @@ -123,7 +123,7 @@ keychain_add_certificates(int argc, char * const *argv) argv += optind; if (argc == 0) - return 2; + return SHOW_USAGE_MESSAGE; result = do_add_certificates(keychainName, trustSettings, argc, argv); diff --git a/OSX/sec/Security/Tool/keychain_backup.c b/OSX/sec/Security/Tool/keychain_backup.c index de2582ad..c084dd28 100644 --- a/OSX/sec/Security/Tool/keychain_backup.c +++ b/OSX/sec/Security/Tool/keychain_backup.c @@ -108,7 +108,7 @@ keychain_import(int argc, char * const *argv) password=optarg; break; default: - return 2; /* Trigger usage message. */ + return SHOW_USAGE_MESSAGE; } } @@ -117,12 +117,12 @@ keychain_import(int argc, char * const *argv) if(keybag==NULL) { sec_error("-k is required\n"); - return 2; + return SHOW_USAGE_MESSAGE; } if (argc != 1) { sec_error(" is required\n"); - return 2; /* Trigger usage message. */ + return SHOW_USAGE_MESSAGE; } return do_keychain_import(argv[0], keybag, password); 
@@ -150,7 +150,7 @@ keychain_export(int argc, char * const *argv) password=optarg; break; default: - return 2; /* Trigger usage message. */ + return SHOW_USAGE_MESSAGE; } } @@ -159,12 +159,12 @@ keychain_export(int argc, char * const *argv) if(keybag==NULL) { sec_error("-k is required\n"); - return 2; + return SHOW_USAGE_MESSAGE; } if (argc != 1) { sec_error(" is required\n"); - return 2; /* Trigger usage message. */ + return SHOW_USAGE_MESSAGE; } return do_keychain_export(argv[0], keybag, password); diff --git a/OSX/sec/Security/Tool/keychain_find.m b/OSX/sec/Security/Tool/keychain_find.m index 6b7f039c..c396e189 100644 --- a/OSX/sec/Security/Tool/keychain_find.m +++ b/OSX/sec/Security/Tool/keychain_find.m @@ -282,7 +282,7 @@ keychain_find_or_delete_internet_password(Boolean do_delete, int argc, char * co break; case 'g': if (do_delete) - return 2; + return SHOW_USAGE_MESSAGE; get_password = TRUE; break; case 'p': @@ -306,7 +306,7 @@ keychain_find_or_delete_internet_password(Boolean do_delete, int argc, char * co break; case '?': default: - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } @@ -537,7 +537,7 @@ keychain_find_or_delete_generic_password(Boolean do_delete, break; case 'g': if (do_delete) - return 2; + return SHOW_USAGE_MESSAGE; get_password = TRUE; break; case 's': @@ -545,7 +545,7 @@ keychain_find_or_delete_generic_password(Boolean do_delete, break; case '?': default: - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } @@ -608,7 +608,7 @@ keychain_roll_keys(int argc, char * const *argv) { force = true; break; default: - return 2; + return SHOW_USAGE_MESSAGE; } } // argc -= optind; diff --git a/OSX/sec/Security/Tool/pkcs12_util.c b/OSX/sec/Security/Tool/pkcs12_util.c index 1a33b80d..1fc1f145 100644 --- a/OSX/sec/Security/Tool/pkcs12_util.c +++ b/OSX/sec/Security/Tool/pkcs12_util.c 
@@ -350,7 +350,7 @@ extern int pkcs12_util(int argc, char * const *argv) verbose = true; break; default: - return 2; /* Trigger usage message. */ + return SHOW_USAGE_MESSAGE; } } @@ -358,7 +358,7 @@ extern int pkcs12_util(int argc, char * const *argv) argv += optind; if (argc != 1 || !passphrase) - return 2; /* Trigger usage message. */ + return SHOW_USAGE_MESSAGE; filename = argv[0]; array = PKCS12FileCreateArray(filename, passphrase); diff --git a/OSX/sec/Security/Tool/scep.c b/OSX/sec/Security/Tool/scep.c index a254b419..fd9e7a0e 100644 --- a/OSX/sec/Security/Tool/scep.c +++ b/OSX/sec/Security/Tool/scep.c @@ -307,7 +307,7 @@ extern int command_scep(int argc, char * const *argv) scep_capabilities = CFStringCreateWithCString(kCFAllocatorDefault, optarg, kCFStringEncodingUTF8); break; default: - return 2; /* Trigger usage message. */ + return SHOW_USAGE_MESSAGE; } } @@ -315,7 +315,7 @@ extern int command_scep(int argc, char * const *argv) argv += optind; if (argc != 1) - return 2; /* Trigger usage message. */ + return SHOW_USAGE_MESSAGE; CFDataRef scep_request = NULL; CFArrayRef issued_certs = NULL; @@ -520,9 +520,8 @@ extern int command_scep(int argc, char * const *argv) if (scep_subject_alt_name) { fprintf(stderr, "Adding subjectAltName to request\n"); - CFStringRef name = CFSTR("dnsName"); CFDictionaryRef subject_alt_name = CFDictionaryCreate(kCFAllocatorDefault, - (const void **)&name, (const void **)&scep_subject_alt_name, + (const void **)&kSecSubjectAltNameDNSName, (const void **)&scep_subject_alt_name, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); CFDictionarySetValue(csr_parameters, kSecSubjectAltName, subject_alt_name); } diff --git a/OSX/sec/Security/Tool/show_certificates.c b/OSX/sec/Security/Tool/show_certificates.c index 108885f2..8d7bb967 100644 --- a/OSX/sec/Security/Tool/show_certificates.c +++ b/OSX/sec/Security/Tool/show_certificates.c @@ -53,6 +53,7 @@ #include #include #include +#include #include 
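Review bot: `subject_alt_name` returned by `CFDictionaryCreate` is still never released in the `@@ -520,9 +520,8 @@` hunk of command_scep (scep.c): the `if (scep_subject_alt_name)` block closes right after `CFDictionarySetValue(csr_parameters, kSecSubjectAltName, subject_alt_name);`. Assuming `csr_parameters` retains its values (it is created outside the hunk), add `CFRelease(subject_alt_name);` after the set call. The function body starts and ends outside the hunk.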
@@ -172,7 +173,7 @@ int keychain_show_certificates(int argc, char * const *argv) break; case '?': default: - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } 
@@ -291,6 +292,64 @@ int keychain_show_certificates(int argc, char * const *argv) return result; } +static bool isSettingWithResult(CFDictionaryRef setting, SecTrustSettingsResult result) { + CFNumberRef value = CFDictionaryGetValue(setting, kSecTrustSettingsResult); + if (!isNumberOfType(value, kCFNumberSInt64Type)) { + return false; + } + int64_t setting_result = 0; + if (!CFNumberGetValue(value, kCFNumberSInt64Type, &setting_result) || + (setting_result != result)) { + return false; + } + return true; +} + +static bool isUnconstrainedSettingWithResult(CFDictionaryRef setting, SecTrustSettingsResult result) { + if (!isDictionary(setting) || (CFDictionaryGetCount(setting) != 1)) { + return false; + } + + return isSettingWithResult(setting, result); +} + +static bool isDenyTrustSetting(CFArrayRef trust_settings) { + if (CFArrayGetCount(trust_settings) != 1) { + return false; + } + + return isUnconstrainedSettingWithResult(CFArrayGetValueAtIndex(trust_settings, 0), + kSecTrustSettingsResultDeny); +} + +static bool isPartialSSLTrustSetting(CFArrayRef trust_settings) { + if (CFArrayGetCount(trust_settings) != 2) { + return false; + } + + /* Second setting is a blanket "Trust" */ + if (!isUnconstrainedSettingWithResult(CFArrayGetValueAtIndex(trust_settings, 1), + kSecTrustSettingsResultTrustRoot) && + !isUnconstrainedSettingWithResult(CFArrayGetValueAtIndex(trust_settings, 1), + kSecTrustSettingsResultTrustAsRoot)) { + return false; + } + + /* First setting is "upspecified" for SSL policy */ + CFDictionaryRef setting = CFArrayGetValueAtIndex(trust_settings, 0); + if (!isDictionary(setting) || (CFDictionaryGetCount(setting) < 2)) { + return false; + } + if (!isSettingWithResult(setting, kSecTrustSettingsResultUnspecified)) { + return false; + } + if (!CFEqualSafe(CFDictionaryGetValue(setting, kSecTrustSettingsPolicy), kSecPolicyAppleSSL)) { + return false; + } + + return true; +} + int trust_store_show_certificates(int argc, char * const *argv) { int ch, result = 0; 
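Review bot: `isSettingWithResult` accepts a result only when `isNumberOfType(value, kCFNumberSInt64Type)` holds, so a `kSecTrustSettingsResult` stored with a narrower CFNumber type would presumably fail the match, and a deny or partial-trust entry would be listed under "Unknown trust settings". `isNumberOfType` is defined outside this diff, so confirm this against how the trust store writes the value. If the exact type is not guaranteed, test `isNumber(value)` and let `CFNumberGetValue(value, kCFNumberSInt64Type, &setting_result)` do the conversion. Separately, the comment in `isPartialSSLTrustSetting` reads "upspecified" and should be `/* First setting is "unspecified" for SSL policy */`.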
@@ -326,7 +385,7 @@ int trust_store_show_certificates(int argc, char * const *argv) break; case '?': default: - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } @@ -402,13 +461,27 @@ int trust_store_show_certificates(int argc, char * const *argv) CFReleaseNull(cert); return 1; } - // place-holder until there are actual trust settings - CFStringRef settings = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@"), trust_settings); - char *settingsStr = NULL; - settingsStr = CFStringToCString(settings); - fprintf(stdout, "%s\n", settingsStr); - free(settingsStr); - CFRelease(settings); + + /* These are some trust settings configs used by ManagedConfiguration on iOS */ + if (CFArrayGetCount(trust_settings) == 0) { + /* Full trust */ + fprintf(stdout, "Full trust enabled\n"); + } else if (isDenyTrustSetting(trust_settings)) { + fprintf(stdout, "Administrator blacklisted\n"); + } else if (isPartialSSLTrustSetting(trust_settings)) { + fprintf(stdout, "Partial trust enabled\n"); + } else { + CFStringRef settings = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@"), trust_settings); + if (settings) { + char *settingsStr = CFStringToCString(settings); + if (settingsStr) { + fprintf(stdout, "Unknown trust settings:\n%s\n", settingsStr); + free(settingsStr); + } + CFRelease(settings); + } + } + } printf("*******************************************************\n"); diff --git a/OSX/sec/Security/Tool/spc.c b/OSX/sec/Security/Tool/spc.c index 848811d2..404454d9 100644 --- a/OSX/sec/Security/Tool/spc.c +++ b/OSX/sec/Security/Tool/spc.c @@ -648,7 +648,7 @@ extern int command_spc(int argc, char * const *argv) break; case 'h': default: - return 2; + return SHOW_USAGE_MESSAGE; } } 
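Review bot: In the `@@ -402,13 +461,27 @@` hunk of trust_store_show_certificates (show_certificates.c), the final `else` branch prints nothing when `CFStringCreateWithFormat` or `CFStringToCString` returns NULL, so a certificate whose settings match none of the three known shapes can be listed with no trust line at all. This output is what an operator reads to audit the user trust store, so both NULL paths should fall back to something like `else { fprintf(stdout, "Unknown trust settings\n"); }`. `CFArrayGetCount(trust_settings)` is also called with no NULL check visible in the hunk; whether the array can be NULL after a successful copy is decided outside these lines. The function body starts and ends outside the hunk.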
@@ -660,11 +660,11 @@ extern int command_spc(int argc, char * const *argv) // get plist from argv[0] url } else if (argc == 0) { machine_authentication(NULL, NULL); - } else return 2; + } else return SHOW_USAGE_MESSAGE; #endif if (argc != 1) - return 2; + return SHOW_USAGE_MESSAGE; int result = -1; CFDictionaryRef dict = NULL; diff --git a/OSX/sec/Security/Tool/trust_update.m b/OSX/sec/Security/Tool/trust_update.m new file mode 100644 index 00000000..adf5453a --- /dev/null +++ b/OSX/sec/Security/Tool/trust_update.m 
@@ -0,0 +1,81 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + * + * trust_update.m + */ + +#import + +#import +#import + +#include "SecurityCommands.h" + +static int check_OTA_Supplementals_asset(void) { + CFErrorRef error = NULL; + uint64_t version = SecTrustOTAPKIGetUpdatedAsset(&error); + if (error) { + CFStringRef errorDescription = CFErrorCopyDescription(error); + if (errorDescription) { + char *errMsg = CFStringToCString(errorDescription); + fprintf(stdout, "Update failed: %s\n", errMsg); + if (errMsg) { free(errMsg); } + CFRelease(errorDescription); + } else { + fprintf(stdout, "Update failed: no description\n"); + } + CFRelease(error); + } else { + fprintf(stdout, "Updated succeeded\n"); + } + if (version != 0) { + fprintf(stdout, "Asset Content Version: %llu\n", version); + } else { + return 1; + } + return 0; +} + +int check_trust_update(int argc, char * const *argv) { + int arg; + bool check_trust_supplementals = false; + + if (argc == 1) { + return SHOW_USAGE_MESSAGE; + } + + while ((arg = getopt(argc, argv, "s")) != -1) { + 
switch(arg) { + case 's': + check_trust_supplementals = true; + break; + case '?': + default: + return SHOW_USAGE_MESSAGE; + } + } + + if (check_trust_supplementals) { + return check_OTA_Supplementals_asset(); + } + return 0; +} diff --git a/OSX/sec/Security/Tool/verify_cert.c b/OSX/sec/Security/Tool/verify_cert.c index 6ecc2aea..76b8dd59 100644 --- a/OSX/sec/Security/Tool/verify_cert.c +++ b/OSX/sec/Security/Tool/verify_cert.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003-2007,2009-2010,2013-2017 Apple Inc. All Rights Reserved. + * Copyright (c) 2003-2018 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -36,6 +36,8 @@ #include #include +#include "SecurityCommands.h" + CFStringRef policyToConstant(const char *policy); int verify_cert(int argc, char * const *argv); @@ -170,8 +172,7 @@ int verify_cert(int argc, char * const *argv) { SecTrustResultType resultType; if (argc < 2) { - /* Return 2 triggers usage message. */ - return 2; + return SHOW_USAGE_MESSAGE; } optind = 1; diff --git a/OSX/sec/Security/ios_tapi_hacks.h b/OSX/sec/Security/ios_tapi_hacks.h new file mode 100644 index 00000000..1367c4a9 --- /dev/null +++ b/OSX/sec/Security/ios_tapi_hacks.h 
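Review bot: In `check_OTA_Supplementals_asset` (trust_update.m), `errMsg` is passed to `fprintf(stdout, "Update failed: %s\n", errMsg)` before the `if (errMsg)` test on the following line, so a failed `CFStringToCString` hands a NULL pointer to `%s`, which is undefined behaviour. Print with a fallback, `fprintf(stdout, "Update failed: %s\n", errMsg ? errMsg : "no description");`, and then call `free(errMsg);` unconditionally. The function also returns 0 when `error` is set but `version` is non-zero, so a script that checks the exit status cannot see the failed update; returning non-zero on the error path would make it visible. The success message reads "Updated succeeded" and should be `"Update succeeded\n"`.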
@@ -0,0 +1,83 @@
+/*
+ * Copyright (c) 2017 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+#ifndef ios_tapi_hack_h
+#define ios_tapi_hack_h
+
+// This file is to work around TAPI's insistence that every exported symbol is in a header file.
+// The Security project just simply rejects such ideas, so this is the pressure valve:
+//
+// One-offs in header files that shouldn't be exported in the real-live iOS Security framework
+// can be added here, and TAPI will accept them.
+//
+// Please don't add anything here.
+
+#ifndef SECURITY_PROJECT_TAPI_HACKS
+#error This header is not for inclusion; it's a nasty hack to get the iOS Security framework to build with TAPI.
+#endif
+
+#include
+#include
+
+CFDataRef SecDistinguishedNameCopyNormalizedContent(CFDataRef distinguished_name);
+CFDataRef _SecItemCreatePersistentRef(CFTypeRef iclass, sqlite_int64 rowid, CFDictionaryRef attributes);
+CFDictionaryRef SecTokenItemValueCopy(CFDataRef db_value, CFErrorRef *error);
+CFArrayRef SecItemCopyParentCertificates_ios(CFDataRef normalizedIssuer, CFArrayRef accessGroups, CFErrorRef *error);
+bool SecItemCertificateExists(CFDataRef normalizedIssuer, CFDataRef serialNumber, CFArrayRef accessGroups, CFErrorRef *error);
+bool _SecItemParsePersistentRef(CFDataRef persistent_ref, CFStringRef *return_class,
+ sqlite_int64 *return_rowid, CFDictionaryRef *return_token_attrs);
+
+// SecItemPriv.h
+extern const CFStringRef kSecUseSystemKeychain;
+
+// securityd_client.h
+
+typedef struct SecurityClient {
+} SecurityClient;
+
+extern struct securityd *gSecurityd;
+extern struct trustd *gTrustd;
+extern SecurityClient * SecSecurityClientGet(void);
+bool securityd_send_sync_and_do(enum SecXPCOperation op, CFErrorRef *error,
+ bool (^add_to_message)(xpc_object_t message, CFErrorRef* error),
+ bool (^handle_response)(xpc_object_t response, CFErrorRef* error));
+XPC_RETURNS_RETAINED xpc_object_t securityd_message_with_reply_sync(xpc_object_t message, CFErrorRef *error);
+XPC_RETURNS_RETAINED xpc_object_t securityd_create_message(enum SecXPCOperation op, CFErrorRef *error);
+bool securityd_message_no_error(xpc_object_t message, CFErrorRef *error);
+
+@interface SecuritydXPCClient : NSObject
+@end
+
+void SecAccessGroupsSetCurrent(CFArrayRef accessGroups);
+CFArrayRef SecAccessGroupsGetCurrent(void);
+
+#include
+extern os_log_t secLogObjForScope(const char *scope);
+extern os_log_t secLogObjForCFScope(CFStringRef scope);
+#if TARGET_OS_IOS
+void SecSecuritySetMusrMode(bool mode, uid_t uid, int activeUser);
+#endif // TARGET_OS_IOS
+
+void SecServerSetMachServiceName(const char *name);
+
+#endif /* ios_tapi_hacks_h */
+
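Review bot: The include guard in ios_tapi_hacks.h opens as `ios_tapi_hack_h` but the closing comment says `ios_tapi_hacks_h`; make the two agree with the file name, `#ifndef ios_tapi_hacks_h` and `#define ios_tapi_hacks_h`. The header redeclares `SecurityClient` as an empty struct and repeats prototypes under the `// securityd_client.h` marker, while the later groups (`SecAccessGroupsSetCurrent`, `secLogObjForScope`, `SecServerSetMachServiceName`) carry no marker naming the header they mirror. A one-line comment per group, in the style of the existing `// SecItemPriv.h`, would let a reader check these copies against the real declarations when those change.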
diff --git a/OSX/sec/Security/oids.c b/OSX/sec/Security/oids.c
new file mode 100644
index 00000000..800ffc8e
--- /dev/null
+++ b/OSX/sec/Security/oids.c
@@ -0,0 +1,448 @@ +/* + * Copyright (c) 2005-2009,2011-2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +/* + * oids.c - OID consts + * + */ + +#include + +#define OID_ISO_CCITT_DIR_SERVICE 85 +#define OID_DS OID_ISO_CCITT_DIR_SERVICE +#define OID_ATTR_TYPE OID_DS, 4 +#define OID_EXTENSION OID_DS, 29 +#define OID_ISO_STANDARD 40 +#define OID_ISO_MEMBER 42 +#define OID_US OID_ISO_MEMBER, 134, 72 + +#define OID_ISO_IDENTIFIED_ORG 43 +#define OID_OSINET OID_ISO_IDENTIFIED_ORG, 4 +#define OID_GOSIP OID_ISO_IDENTIFIED_ORG, 5 +#define OID_DOD OID_ISO_IDENTIFIED_ORG, 6 +#define OID_OIW OID_ISO_IDENTIFIED_ORG, 14 + +/* From the PKCS Standards */ +#define OID_RSA OID_US, 134, 247, 13 +#define OID_RSA_HASH OID_RSA, 2 +#define OID_RSA_ENCRYPT OID_RSA, 3 +#define OID_PKCS OID_RSA, 1 +#define OID_PKCS_1 OID_PKCS, 1 +#define OID_PKCS_2 OID_PKCS, 2 +#define OID_PKCS_3 OID_PKCS, 3 +#define OID_PKCS_4 OID_PKCS, 4 +#define OID_PKCS_5 OID_PKCS, 5 +#define OID_PKCS_6 OID_PKCS, 6 +#define OID_PKCS_7 OID_PKCS, 7 +#define OID_PKCS_8 OID_PKCS, 8 +#define OID_PKCS_9 OID_PKCS, 9 +#define 
OID_PKCS_10 OID_PKCS, 10 +#define OID_PKCS_11 OID_PKCS, 11 +#define OID_PKCS_12 OID_PKCS, 12 + +/* ANSI X9.62 */ +#define OID_ANSI_X9_62 OID_US, 206, 61 +#define OID_PUBLIC_KEY_TYPE OID_ANSI_X9_62, 2 +#define OID_EC_CURVE OID_ANSI_X9_62, 3, 1 +#define OID_EC_SIG_TYPE OID_ANSI_X9_62, 4 +#define OID_ECDSA_WITH_SHA2 OID_EC_SIG_TYPE, 3 + +/* Certicom */ +#define OID_CERTICOM OID_ISO_IDENTIFIED_ORG, 132 +#define OID_CERTICOM_EC_CURVE OID_CERTICOM, 0 + +/* ANSI X9.42 */ +#define OID_ANSI_X9_42 OID_US, 206, 62, 2 +#define OID_ANSI_X9_42_SCHEME OID_ANSI_X9_42, 3 +#define OID_ANSI_X9_42_NAMED_SCHEME OID_ANSI_X9_42, 4 + +/* ANSI X9.57 */ +#define OID_ANSI_X9_57 OID_US, 206, 56 +#define OID_ANSI_X9_57_ALGORITHM OID_ANSI_X9_57, 4 + +/* DOD IANA Security related objects. */ +#define OID_IANA OID_DOD, 1, 5 + +/* Kerberos PKINIT */ +#define OID_KERBv5 OID_IANA, 2 +#define OID_KERBv5_PKINIT OID_KERBv5, 3 + +/* DOD IANA Mechanisms. */ +#define OID_MECHANISMS OID_IANA, 5 + +/* PKIX */ +#define OID_PKIX OID_MECHANISMS, 7 +#define OID_PE OID_PKIX, 1 +#define OID_QT OID_PKIX, 2 +#define OID_KP OID_PKIX, 3 +#define OID_OTHER_NAME OID_PKIX, 8 +#define OID_PDA OID_PKIX, 9 +#define OID_QCS OID_PKIX, 11 +#define OID_AD OID_PKIX, 48 +#define OID_AD_OCSP OID_AD, 1 +#define OID_AD_CAISSUERS OID_AD, 2 + +/* ISAKMP */ +#define OID_ISAKMP OID_MECHANISMS, 8 + +/* ETSI */ +#define OID_ETSI 0x04, 0x00 +#define OID_ETSI_QCS 0x04, 0x00, 0x8E, 0x46, 0x01 + +#define OID_OIW_SECSIG OID_OIW, 3 + +#define OID_OIW_ALGORITHM OID_OIW_SECSIG, 2 + +/* NIST defined digest algorithm arc (2, 16, 840, 1, 101, 3, 4, 2) */ +#define OID_NIST_HASHALG 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02 + +/* + * Netscape OIDs. + */ +#define NETSCAPE_BASE_OID 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x42 + +/* + * Netscape cert extension. 
+ * + * netscape-cert-extension OBJECT IDENTIFIER ::= + * { 2 16 840 1 113730 1 } + * + * BER = 06 08 60 86 48 01 86 F8 42 01 + */ +#define NETSCAPE_CERT_EXTEN NETSCAPE_BASE_OID, 0x01 + +#define NETSCAPE_CERT_POLICY NETSCAPE_BASE_OID, 0x04 + +/* + * Apple-specific OID bases + */ + +/* + * apple OBJECT IDENTIFIER ::= + * { iso(1) member-body(2) US(840) 113635 } + * + * BER = 06 06 2A 86 48 86 F7 63 + */ +#define APPLE_OID OID_US, 0x86, 0xf7, 0x63 + +/* appleDataSecurity OBJECT IDENTIFIER ::= + * { apple 100 } + * { 1 2 840 113635 100 } + * + * BER = 06 07 2A 86 48 86 F7 63 64 + */ +#define APPLE_ADS_OID APPLE_OID, 0x64 + +/* + * appleSecurityAlgorithm OBJECT IDENTIFIER ::= + * { appleDataSecurity 2 } + * { 1 2 840 113635 100 2 } + * + * BER = 06 08 2A 86 48 86 F7 63 64 02 + */ +#define APPLE_ALG_OID APPLE_ADS_OID, 2 + +/* Entrust OIDs. */ +#define ENTRUST_BASE_OID OID_US, 0x86, 0xf6, 0x7d + +/* + * Entrust cert extension. + * + * entrust-cert-extension OBJECT IDENTIFIER ::= + * { 1 2 840 113533 7 65 } + * + * BER = 06 08 2A 86 48 86 F6 7D 07 41 + */ +#define ENTRUST_CERT_EXTEN ENTRUST_BASE_OID, 0x07, 0x41 + +/* Microsoft OIDs. */ +#define MICROSOFT_BASE_OID OID_DOD, 0x01, 0x04, 0x01, 0x82, 0x37 +#define MICROSOFT_ENROLLMENT_OID MICROSOFT_BASE_OID, 0x14 + +/* Google OIDs: 1.3.6.1.4.1.11129. + */ +#define GOOGLE_BASE_OID OID_DOD, 0x01, 0x04, 0x01, 0xD6, 0x79 +#define GOOGLE_EMBEDDED_SCT_OID GOOGLE_BASE_OID, 0x02, 0x04, 0x02 +#define GOOGLE_OCSP_SCT_OID GOOGLE_BASE_OID, 0x02, 0x04, 0x05 + + +/* Algorithm OIDs. 
*/ +static const DERByte + _oidRsa[] = { OID_PKCS_1, 1 }, + _oidMd2Rsa[] = { OID_PKCS_1, 2 }, + _oidMd4Rsa[] = { OID_PKCS_1, 3 }, + _oidMd5Rsa[] = { OID_PKCS_1, 4 }, + _oidSha1Rsa[] = { OID_PKCS_1, 5 }, + _oidSha256Rsa[] = { OID_PKCS_1, 11 }, /* rfc5754 */ + _oidSha384Rsa[] = { OID_PKCS_1, 12 }, /* rfc5754 */ + _oidSha512Rsa[] = { OID_PKCS_1, 13 }, /* rfc5754 */ + _oidSha224Rsa[] = { OID_PKCS_1, 14 }, /* rfc5754 */ + _oidEcPubKey[] = { OID_PUBLIC_KEY_TYPE, 1 }, + _oidSha1Ecdsa[] = { OID_EC_SIG_TYPE, 1 }, /* rfc3279 */ + _oidSha224Ecdsa[] = { OID_ECDSA_WITH_SHA2, 1 }, /* rfc5758 */ + _oidSha256Ecdsa[] = { OID_ECDSA_WITH_SHA2, 2 }, /* rfc5758 */ + _oidSha384Ecdsa[] = { OID_ECDSA_WITH_SHA2, 3 }, /* rfc5758 */ + _oidSha512Ecdsa[] = { OID_ECDSA_WITH_SHA2, 4 }, /* rfc5758 */ + _oidSha1Dsa[] = { OID_ANSI_X9_57_ALGORITHM, 3 }, + _oidMd2[] = { OID_RSA_HASH, 2 }, + _oidMd4[] = { OID_RSA_HASH, 4 }, + _oidMd5[] = { OID_RSA_HASH, 5 }, + _oidSha1[] = { OID_OIW_ALGORITHM, 26 }, + _oidSha1DsaOIW[] = { OID_OIW_ALGORITHM, 27 }, + _oidSha1DsaCommonOIW[] = { OID_OIW_ALGORITHM, 28 }, + _oidSha1RsaOIW[] = { OID_OIW_ALGORITHM, 29 }, + _oidSha256[] = { OID_NIST_HASHALG, 1 }, + _oidSha384[] = { OID_NIST_HASHALG, 2 }, + _oidSha512[] = { OID_NIST_HASHALG, 3 }, + _oidSha224[] = { OID_NIST_HASHALG, 4 }, + _oidFee[] = { APPLE_ALG_OID, 1 }, + _oidMd5Fee[] = { APPLE_ALG_OID, 3 }, + _oidSha1Fee[] = { APPLE_ALG_OID, 4 }, + _oidEcPrime192v1[] = { OID_EC_CURVE, 1 }, + _oidEcPrime256v1[] = { OID_EC_CURVE, 7 }, + _oidAnsip384r1[] = { OID_CERTICOM_EC_CURVE, 34 }, + _oidAnsip521r1[] = { OID_CERTICOM_EC_CURVE, 35 }; + +const DERItem + oidRsa = { (DERByte *)_oidRsa, + sizeof(_oidRsa) }, + oidMd2Rsa = { (DERByte *)_oidMd2Rsa, + sizeof(_oidMd2Rsa) }, + oidMd4Rsa = { (DERByte *)_oidMd4Rsa, + sizeof(_oidMd4Rsa) }, + oidMd5Rsa = { (DERByte *)_oidMd5Rsa, + sizeof(_oidMd5Rsa) }, + oidSha1Rsa = { (DERByte *)_oidSha1Rsa, + sizeof(_oidSha1Rsa) }, + oidSha256Rsa = { (DERByte *)_oidSha256Rsa, + sizeof(_oidSha256Rsa) 
}, + oidSha384Rsa = { (DERByte *)_oidSha384Rsa, + sizeof(_oidSha384Rsa) }, + oidSha512Rsa = { (DERByte *)_oidSha512Rsa, + sizeof(_oidSha512Rsa) }, + oidSha224Rsa = { (DERByte *)_oidSha224Rsa, + sizeof(_oidSha224Rsa) }, + oidEcPubKey = { (DERByte *)_oidEcPubKey, + sizeof(_oidEcPubKey) }, + oidSha1Ecdsa = { (DERByte *)_oidSha1Ecdsa, + sizeof(_oidSha1Ecdsa) }, + oidSha224Ecdsa = { (DERByte *)_oidSha224Ecdsa, + sizeof(_oidSha224Ecdsa) }, + oidSha256Ecdsa = { (DERByte *)_oidSha256Ecdsa, + sizeof(_oidSha256Ecdsa) }, + oidSha384Ecdsa = { (DERByte *)_oidSha384Ecdsa, + sizeof(_oidSha384Ecdsa) }, + oidSha512Ecdsa = { (DERByte *)_oidSha512Ecdsa, + sizeof(_oidSha512Ecdsa) }, + oidSha1Dsa = { (DERByte *)_oidSha1Dsa, + sizeof(_oidSha1Dsa) }, + oidMd2 = { (DERByte *)_oidMd2, + sizeof(_oidMd2) }, + oidMd4 = { (DERByte *)_oidMd4, + sizeof(_oidMd4) }, + oidMd5 = { (DERByte *)_oidMd5, + sizeof(_oidMd5) }, + oidSha1 = { (DERByte *)_oidSha1, + sizeof(_oidSha1) }, + oidSha1RsaOIW = { (DERByte *)_oidSha1RsaOIW, + sizeof(_oidSha1RsaOIW) }, + oidSha1DsaOIW = { (DERByte *)_oidSha1DsaOIW, + sizeof(_oidSha1DsaOIW) }, + oidSha1DsaCommonOIW = { (DERByte *)_oidSha1DsaCommonOIW, + sizeof(_oidSha1DsaCommonOIW) }, + oidSha256 = { (DERByte *)_oidSha256, + sizeof(_oidSha256) }, + oidSha384 = { (DERByte *)_oidSha384, + sizeof(_oidSha384) }, + oidSha512 = { (DERByte *)_oidSha512, + sizeof(_oidSha512) }, + oidSha224 = { (DERByte *)_oidSha224, + sizeof(_oidSha224) }, + oidFee = { (DERByte *)_oidFee, + sizeof(_oidFee) }, + oidMd5Fee = { (DERByte *)_oidMd5Fee, + sizeof(_oidMd5Fee) }, + oidSha1Fee = { (DERByte *)_oidSha1Fee, + sizeof(_oidSha1Fee) }, + oidEcPrime192v1 = { (DERByte *)_oidEcPrime192v1, + sizeof(_oidEcPrime192v1) }, + oidEcPrime256v1 = { (DERByte *)_oidEcPrime256v1, + sizeof(_oidEcPrime256v1) }, + oidAnsip384r1 = { (DERByte *)_oidAnsip384r1, + sizeof(_oidAnsip384r1) }, + oidAnsip521r1 = { (DERByte *)_oidAnsip521r1, + sizeof(_oidAnsip521r1) }; + + +/* Extension OIDs. 
*/ +__unused static const DERByte + _oidSubjectKeyIdentifier[] = { OID_EXTENSION, 14 }, + _oidKeyUsage[] = { OID_EXTENSION, 15 }, + _oidPrivateKeyUsagePeriod[] = { OID_EXTENSION, 16 }, + _oidSubjectAltName[] = { OID_EXTENSION, 17 }, + _oidIssuerAltName[] = { OID_EXTENSION, 18 }, + _oidBasicConstraints[] = { OID_EXTENSION, 19 }, + _oidNameConstraints[] = { OID_EXTENSION, 30 }, + _oidCrlDistributionPoints[] = { OID_EXTENSION, 31 }, + _oidCertificatePolicies[] = { OID_EXTENSION, 32 }, + _oidAnyPolicy[] = { OID_EXTENSION, 32, 0 }, + _oidPolicyMappings[] = { OID_EXTENSION, 33 }, + _oidAuthorityKeyIdentifier[] = { OID_EXTENSION, 35 }, + _oidPolicyConstraints[] = { OID_EXTENSION, 36 }, + _oidExtendedKeyUsage[] = { OID_EXTENSION, 37 }, + _oidAnyExtendedKeyUsage[] = { OID_EXTENSION, 37, 0 }, + _oidInhibitAnyPolicy[] = { OID_EXTENSION, 54 }, + _oidAuthorityInfoAccess[] = { OID_PE, 1 }, + _oidSubjectInfoAccess[] = { OID_PE, 11 }, + _oidAdOCSP[] = { OID_AD_OCSP }, + _oidAdCAIssuer[] = { OID_AD_CAISSUERS }, + _oidNetscapeCertType[] = { NETSCAPE_CERT_EXTEN, 1 }, + _oidEntrustVersInfo[] = { ENTRUST_CERT_EXTEN, 0 }, + _oidMSNTPrincipalName[] = { MICROSOFT_ENROLLMENT_OID, 2, 3 }, + /* Policy Qualifier IDs for Internet policy qualifiers. */ + _oidQtCps[] = { OID_QT, 1 }, + _oidQtUNotice[] = { OID_QT, 2 }, + /* X.501 Name IDs. 
*/ + _oidCommonName[] = { OID_ATTR_TYPE, 3 }, + _oidCountryName[] = { OID_ATTR_TYPE, 6 }, + _oidLocalityName[] = { OID_ATTR_TYPE, 7 }, + _oidStateOrProvinceName[] = { OID_ATTR_TYPE, 8 }, + _oidOrganizationName[] = { OID_ATTR_TYPE, 10 }, + _oidOrganizationalUnitName[] = { OID_ATTR_TYPE, 11 }, + _oidDescription[] = { OID_ATTR_TYPE, 13 }, + _oidEmailAddress[] = { OID_PKCS_9, 1 }, + _oidFriendlyName[] = { OID_PKCS_9, 20 }, + _oidLocalKeyId[] = { OID_PKCS_9, 21 }, + _oidExtendedKeyUsageServerAuth[] = { OID_KP, 1 }, + _oidExtendedKeyUsageClientAuth[] = { OID_KP, 2 }, + _oidExtendedKeyUsageCodeSigning[] = { OID_KP, 3 }, + _oidExtendedKeyUsageEmailProtection[] = { OID_KP, 4 }, + _oidExtendedKeyUsageTimeStamping[] = { OID_KP, 8 }, + _oidExtendedKeyUsageOCSPSigning[] = { OID_KP, 9 }, + _oidExtendedKeyUsageIPSec[] = { OID_ISAKMP, 2, 2 }, + _oidExtendedKeyUsageMicrosoftSGC[] = { MICROSOFT_BASE_OID, 10, 3, 3 }, + _oidExtendedKeyUsageNetscapeSGC[] = { NETSCAPE_CERT_POLICY, 1 }, + _oidGoogleEmbeddedSignedCertificateTimestamp[] = {GOOGLE_EMBEDDED_SCT_OID}, + _oidGoogleOCSPSignedCertificateTimestamp[] = {GOOGLE_OCSP_SCT_OID}; + +__unused const DERItem + oidSubjectKeyIdentifier = { (DERByte *)_oidSubjectKeyIdentifier, + sizeof(_oidSubjectKeyIdentifier) }, + oidKeyUsage = { (DERByte *)_oidKeyUsage, + sizeof(_oidKeyUsage) }, + oidPrivateKeyUsagePeriod = { (DERByte *)_oidPrivateKeyUsagePeriod, + sizeof(_oidPrivateKeyUsagePeriod) }, + oidSubjectAltName = { (DERByte *)_oidSubjectAltName, + sizeof(_oidSubjectAltName) }, + oidIssuerAltName = { (DERByte *)_oidIssuerAltName, + sizeof(_oidIssuerAltName) }, + oidBasicConstraints = { (DERByte *)_oidBasicConstraints, + sizeof(_oidBasicConstraints) }, + oidNameConstraints = { (DERByte *)_oidNameConstraints, + sizeof(_oidNameConstraints) }, + oidCrlDistributionPoints = { (DERByte *)_oidCrlDistributionPoints, + sizeof(_oidCrlDistributionPoints) }, + oidCertificatePolicies = { (DERByte *)_oidCertificatePolicies, + sizeof(_oidCertificatePolicies) }, 
+ oidAnyPolicy = { (DERByte *)_oidAnyPolicy, + sizeof(_oidAnyPolicy) }, + oidPolicyMappings = { (DERByte *)_oidPolicyMappings, + sizeof(_oidPolicyMappings) }, + oidAuthorityKeyIdentifier = { (DERByte *)_oidAuthorityKeyIdentifier, + sizeof(_oidAuthorityKeyIdentifier) }, + oidPolicyConstraints = { (DERByte *)_oidPolicyConstraints, + sizeof(_oidPolicyConstraints) }, + oidExtendedKeyUsage = { (DERByte *)_oidExtendedKeyUsage, + sizeof(_oidExtendedKeyUsage) }, + oidAnyExtendedKeyUsage = { (DERByte *)_oidAnyExtendedKeyUsage, + sizeof(_oidAnyExtendedKeyUsage) }, + oidInhibitAnyPolicy = { (DERByte *)_oidInhibitAnyPolicy, + sizeof(_oidInhibitAnyPolicy) }, + oidAuthorityInfoAccess = { (DERByte *)_oidAuthorityInfoAccess, + sizeof(_oidAuthorityInfoAccess) }, + oidSubjectInfoAccess = { (DERByte *)_oidSubjectInfoAccess, + sizeof(_oidSubjectInfoAccess) }, + oidAdOCSP = { (DERByte *)_oidAdOCSP, + sizeof(_oidAdOCSP) }, + oidAdCAIssuer = { (DERByte *)_oidAdCAIssuer, + sizeof(_oidAdCAIssuer) }, + oidNetscapeCertType = { (DERByte *)_oidNetscapeCertType, + sizeof(_oidNetscapeCertType) }, + oidEntrustVersInfo = { (DERByte *)_oidEntrustVersInfo, + sizeof(_oidEntrustVersInfo) }, + oidMSNTPrincipalName = { (DERByte *)_oidMSNTPrincipalName, + sizeof(_oidMSNTPrincipalName) }, + /* Policy Qualifier IDs for Internet policy qualifiers. */ + oidQtCps = { (DERByte *)_oidQtCps, + sizeof(_oidQtCps) }, + oidQtUNotice = { (DERByte *)_oidQtUNotice, + sizeof(_oidQtUNotice) }, + /* X.501 Name IDs. 
*/ + oidCommonName = { (DERByte *)_oidCommonName, + sizeof(_oidCommonName) }, + oidCountryName = { (DERByte *)_oidCountryName, + sizeof(_oidCountryName) }, + oidLocalityName = { (DERByte *)_oidLocalityName, + sizeof(_oidLocalityName) }, + oidStateOrProvinceName = { (DERByte *)_oidStateOrProvinceName, + sizeof(_oidStateOrProvinceName) }, + oidOrganizationName = { (DERByte *)_oidOrganizationName, + sizeof(_oidOrganizationName) }, + oidOrganizationalUnitName = { (DERByte *)_oidOrganizationalUnitName, + sizeof(_oidOrganizationalUnitName) }, + oidDescription = { (DERByte *)_oidDescription, + sizeof(_oidDescription) }, + oidEmailAddress = { (DERByte *)_oidEmailAddress, + sizeof(_oidEmailAddress) }, + oidFriendlyName = { (DERByte *)_oidFriendlyName, + sizeof(_oidFriendlyName) }, + oidLocalKeyId = { (DERByte *)_oidLocalKeyId, + sizeof(_oidLocalKeyId) }, + oidExtendedKeyUsageServerAuth = { (DERByte *)_oidExtendedKeyUsageServerAuth, + sizeof(_oidExtendedKeyUsageServerAuth) }, + oidExtendedKeyUsageClientAuth = { (DERByte *)_oidExtendedKeyUsageClientAuth, + sizeof(_oidExtendedKeyUsageClientAuth) }, + oidExtendedKeyUsageCodeSigning = { (DERByte *)_oidExtendedKeyUsageCodeSigning, + sizeof(_oidExtendedKeyUsageCodeSigning) }, + oidExtendedKeyUsageEmailProtection = { (DERByte *)_oidExtendedKeyUsageEmailProtection, + sizeof(_oidExtendedKeyUsageEmailProtection) }, + oidExtendedKeyUsageTimeStamping = { (DERByte *)_oidExtendedKeyUsageTimeStamping, + sizeof(_oidExtendedKeyUsageTimeStamping) }, + oidExtendedKeyUsageOCSPSigning = { (DERByte *)_oidExtendedKeyUsageOCSPSigning, + sizeof(_oidExtendedKeyUsageOCSPSigning) }, + oidExtendedKeyUsageIPSec = { (DERByte *)_oidExtendedKeyUsageIPSec, + sizeof(_oidExtendedKeyUsageIPSec) }, + oidExtendedKeyUsageMicrosoftSGC = { (DERByte *)_oidExtendedKeyUsageMicrosoftSGC, + sizeof(_oidExtendedKeyUsageMicrosoftSGC) }, + oidExtendedKeyUsageNetscapeSGC = { (DERByte *)_oidExtendedKeyUsageNetscapeSGC, + sizeof(_oidExtendedKeyUsageNetscapeSGC) }, + 
oidGoogleEmbeddedSignedCertificateTimestamp + = { (DERByte *)_oidGoogleEmbeddedSignedCertificateTimestamp, + sizeof(_oidGoogleEmbeddedSignedCertificateTimestamp) }, + oidGoogleOCSPSignedCertificateTimestamp + = { (DERByte *)_oidGoogleOCSPSignedCertificateTimestamp, + sizeof(_oidGoogleOCSPSignedCertificateTimestamp) }; + + + diff --git a/OSX/sec/Security/p12import.c b/OSX/sec/Security/p12import.c index 9afaf3b8..e4c0e36a 100644 --- a/OSX/sec/Security/p12import.c +++ b/OSX/sec/Security/p12import.c @@ -21,7 +21,7 @@ * @APPLE_LICENSE_HEADER_END@ */ -#include +#include #include #include #include diff --git a/OSX/sec/Security/so_01_serverencryption.c b/OSX/sec/Security/so_01_serverencryption.c index fb637de8..2f928996 100644 --- a/OSX/sec/Security/so_01_serverencryption.c +++ b/OSX/sec/Security/so_01_serverencryption.c @@ -124,6 +124,7 @@ static void tests(void) ok(CFEqualSafe(testData, decrypted), "round trip"); + CFReleaseNull(full_key); CFReleaseNull(cert); CFReleaseNull(certInArray); CFReleaseNull(trust); diff --git a/keychain/trust/TrustedPeers/TPUtils.h b/OSX/sec/SecurityTool/KeychainCheck.h similarity index 87% rename from keychain/trust/TrustedPeers/TPUtils.h rename to OSX/sec/SecurityTool/KeychainCheck.h index b33ae4c1..746832ae 100644 --- a/keychain/trust/TrustedPeers/TPUtils.h +++ b/OSX/sec/SecurityTool/KeychainCheck.h @@ -19,16 +19,11 @@ * limitations under the License. * * @APPLE_LICENSE_HEADER_END@ + * */ #import -NS_ASSUME_NONNULL_BEGIN - -@interface TPUtils : NSObject - -+ (NSData *)serializedPListWithDictionary:(NSDictionary *)dict; +@interface KeychainCheck : NSObject @end - -NS_ASSUME_NONNULL_END diff --git a/OSX/sec/SecurityTool/KeychainCheck.m b/OSX/sec/SecurityTool/KeychainCheck.m new file mode 100644 index 00000000..3786207d --- /dev/null +++ b/OSX/sec/SecurityTool/KeychainCheck.m 
@@ -0,0 +1,125 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + * + */ + +#import "KeychainCheck.h" +#import "SFKeychainControl.h" +#import "builtin_commands.h" +#import "SOSControlHelper.h" +#import "SOSTypes.h" +#import "CKKSControlProtocol.h" +#import +#import + +@interface KeychainCheck () + +- (void)checkKeychain; +- (void)cleanKeychain; + +@end + +@implementation KeychainCheck { + NSXPCConnection* _connection; +} + +- (instancetype)initWithEndpoint:(xpc_endpoint_t)endpoint +{ + if (self = [super init]) { + NSXPCListenerEndpoint* listenerEndpoint = [[NSXPCListenerEndpoint alloc] init]; + [listenerEndpoint _setEndpoint:endpoint]; + _connection = [[NSXPCConnection alloc] initWithListenerEndpoint:listenerEndpoint]; + if (!_connection) { + return nil; + } + + NSXPCInterface* interface = [NSXPCInterface interfaceWithProtocol:@protocol(SFKeychainControl)]; + _connection.remoteObjectInterface = interface; + [_connection resume]; + } + + return self; +} + +- (void)checkKeychain +{ + dispatch_semaphore_t semaphore = dispatch_semaphore_create(0); + 
[[_connection remoteObjectProxyWithErrorHandler:^(NSError* error) { + NSLog(@"failed to communicate with server with error: %@", error); + dispatch_semaphore_signal(semaphore); + }] rpcFindCorruptedItemsWithReply:^(NSArray* corruptedItems, NSError* error) { + if (error) { + NSLog(@"error searching keychain: %@", error.localizedDescription); + } + + if (corruptedItems.count > 0) { + NSLog(@"found %d corrupted items", (int)corruptedItems.count); + } + else { + NSLog(@"no corrupted items found"); + } + + dispatch_semaphore_signal(semaphore); + }]; + + if (dispatch_semaphore_wait(semaphore, DISPATCH_TIME_FOREVER)) { + NSLog(@"timed out trying to communicate with server"); + } +} + +- (void)cleanKeychain +{ + dispatch_semaphore_t semaphore = dispatch_semaphore_create(0); + [[_connection remoteObjectProxyWithErrorHandler:^(NSError* error) { + NSLog(@"failed to communicate with server with error: %@", error); + dispatch_semaphore_signal(semaphore); + }] rpcDeleteCorruptedItemsWithReply:^(bool success, NSError* error) { + if (success) { + NSLog(@"successfully cleaned keychain"); + } + else { + NSLog(@"error attempting to clean keychain: %@", error); + } + + dispatch_semaphore_signal(semaphore); + }]; + + if (dispatch_semaphore_wait(semaphore, DISPATCH_TIME_FOREVER)) { + NSLog(@"timed out trying to communicate with server"); + } +} + +@end + +int command_keychain_check(int argc, char* const* argv) +{ + KeychainCheck* keychainCheck = [[KeychainCheck alloc] initWithEndpoint:_SecSecuritydCopyKeychainControlEndpoint(NULL)]; + [keychainCheck checkKeychain]; + return 0; +} + +int command_keychain_cleanup(int argc, char* const* argv) +{ + KeychainCheck* keychainCheck = [[KeychainCheck alloc] initWithEndpoint:_SecSecuritydCopyKeychainControlEndpoint(NULL)]; + [keychainCheck cleanKeychain]; + return 0; +} diff --git a/OSX/sec/SecurityTool/SecurityTool.c b/OSX/sec/SecurityTool/SecurityTool.c index c5cb9750..571a34f9 100644 --- a/OSX/sec/SecurityTool/SecurityTool.c 
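Review bot: In `checkKeychain` the reply block logs the search error and then falls through to the count test, so a failed `rpcFindCorruptedItemsWithReply:` also prints "no corrupted items found", which is a false all-clear from a tool meant to report keychain integrity. Make the branches exclusive, e.g. `if (error) { ... } else if (corruptedItems.count > 0) { ... } else { ... }`. Both `command_keychain_check` and `command_keychain_cleanup` pass `NULL` as the error argument of `_SecSecuritydCopyKeychainControlEndpoint`, hand the result to `initWithEndpoint:` without a NULL check, and return 0 regardless of the outcome; a missing endpoint or a nil `keychainCheck` should print a message and return non-zero. The `dispatch_semaphore_wait(semaphore, DISPATCH_TIME_FOREVER)` calls cannot time out, so the "timed out" log lines are unreachable; use a finite `dispatch_time` or drop the branch.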
+++ b/OSX/sec/SecurityTool/SecurityTool.c @@ -27,6 +27,7 @@ #include "SecInternalReleasePriv.h" #include +#include "SecurityTool/security_tool_commands.h" #include "leaks.h" @@ -228,7 +229,7 @@ usage(void) " -v Be more verbose about what's going on.\n" "%s commands are:\n", getprogname(), getprogname()); help(0, NULL); - return 2; + return SHOW_USAGE_MESSAGE; } /* Execute a single command. */ diff --git a/OSX/sec/SecurityTool/builtin_commands.h b/OSX/sec/SecurityTool/builtin_commands.h index 4e6415c5..e09dfa8b 100644 --- a/OSX/sec/SecurityTool/builtin_commands.h +++ b/OSX/sec/SecurityTool/builtin_commands.h @@ -60,3 +60,11 @@ SECURITY_COMMAND("watchdog", command_watchdog, " check-period \n" " graceful-exit-time \n", "Show current watchdog parameters or set an individual parameter") + +SECURITY_COMMAND("keychain-check", command_keychain_check, + "", + "check the status of your keychain to determine if there are any items we can't decrypt") + +SECURITY_COMMAND("keychain-cleanup", command_keychain_cleanup, + "", + "attempt to remove keychain items we can no longer decrypt") diff --git a/OSX/sec/SecurityTool/digest_calc.c b/OSX/sec/SecurityTool/digest_calc.c index ed682a22..09bb7af0 100644 --- a/OSX/sec/SecurityTool/digest_calc.c +++ b/OSX/sec/SecurityTool/digest_calc.c @@ -45,7 +45,7 @@ extern int command_digest(int argc, char * const *argv) char data [getpagesize()]; if (argc < 3) - return 2; /* Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; if (strcasecmp("sha1", argv[1]) == 0) { @@ -64,7 +64,7 @@ extern int command_digest(int argc, char * const *argv) } else - return 2; /* Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; ccdigest_di_decl(di, ctx); ccdigest_init(di, ctx); diff --git a/OSX/sec/SecurityTool/entitlements.plist b/OSX/sec/SecurityTool/entitlements.plist index f54560d2..ab650a4a 100644 --- a/OSX/sec/SecurityTool/entitlements.plist +++ b/OSX/sec/SecurityTool/entitlements.plist 
@@ -15,5 +15,7 @@ application-identifier com.apple.security + com.apple.private.keychain.keychaincontrol + diff --git a/OSX/sec/SecurityTool/sos.m b/OSX/sec/SecurityTool/sos.m index a57ad86c..33558c8b 100644 --- a/OSX/sec/SecurityTool/sos.m +++ b/OSX/sec/SecurityTool/sos.m @@ -34,6 +34,7 @@ #import #import #import +#import #import #import @@ -48,18 +49,15 @@ @implementation SOSStatus -- (instancetype) initWithEndpoint:(xpc_endpoint_t)endpoint +- (instancetype) init { if ((self = [super init]) == NULL) return NULL; NSXPCInterface *interface = [NSXPCInterface interfaceWithProtocol:@protocol(SOSControlProtocol)]; _SOSControlSetupInterface(interface); - NSXPCListenerEndpoint *listenerEndpoint = [[NSXPCListenerEndpoint alloc] init]; - [listenerEndpoint _setEndpoint:endpoint]; - - self.connection = [[NSXPCConnection alloc] initWithListenerEndpoint:listenerEndpoint]; + self.connection = [[NSXPCConnection alloc] initWithMachServiceName:@(kSecuritydSOSServiceName) options:0]; if (self.connection == NULL) return NULL; @@ -146,11 +144,7 @@ command_sos_stats(__unused int argc, __unused char * const * argv) @autoreleasepool { int option_index = 0, ch; - xpc_endpoint_t endpoint = _SecSecuritydCopySOSStatusEndpoint(NULL); - if (endpoint == NULL) - errx(1, "no SOS endpoint"); - - SOSStatus *control = [[SOSStatus alloc] initWithEndpoint:endpoint]; + SOSStatus *control = [[SOSStatus alloc] init]; bool asPlist = false; struct option long_options[] = @@ -170,7 +164,7 @@ command_sos_stats(__unused int argc, __unused char * const * argv) default: { usage("sos-stats", long_options); - return 2; + return SHOW_USAGE_MESSAGE; } } } 
@@ -216,16 +210,12 @@ command_sos_control(__unused int argc, __unused char * const * argv) default: { usage("sos-control", long_options); - return 2; + return SHOW_USAGE_MESSAGE; } } } - xpc_endpoint_t endpoint = _SecSecuritydCopySOSStatusEndpoint(NULL); - if (endpoint == NULL) - errx(1, "no SOS endpoint"); - - SOSStatus *control = [[SOSStatus alloc] initWithEndpoint:endpoint]; + SOSStatus *control = [[SOSStatus alloc] init]; if (control == NULL) errx(1, "no SOS control object"); @@ -294,13 +284,7 @@ command_sos_control(__unused int argc, __unused char * const * argv) int command_watchdog(int argc, char* const * argv) { - xpc_endpoint_t endpoint = _SecSecuritydCopySOSStatusEndpoint(NULL); - if (!endpoint) { - errx(1, "no SOS endpoint"); - return 0; - } - - SOSStatus* control = [[SOSStatus alloc] initWithEndpoint:endpoint]; + SOSStatus* control = [[SOSStatus alloc] init]; dispatch_semaphore_t semaphore = dispatch_semaphore_create(0); if (argc < 3) { diff --git a/OSX/sec/SharedWebCredential/swcagent.m b/OSX/sec/SharedWebCredential/swcagent.m index 3466a748..a4cad0c8 100644 --- a/OSX/sec/SharedWebCredential/swcagent.m +++ b/OSX/sec/SharedWebCredential/swcagent.m @@ -47,7 +47,7 @@ #include #endif -#if TARGET_OS_IPHONE && !TARGET_OS_NANO +#if TARGET_OS_IPHONE && !TARGET_OS_WATCH #include #include @@ -270,7 +270,7 @@ static CFStringRef SWCAGetOperationDescription(enum SWCAXPCOperation op) } } -#if !TARGET_IPHONE_SIMULATOR && TARGET_OS_IPHONE && !TARGET_OS_NANO +#if !TARGET_IPHONE_SIMULATOR && TARGET_OS_IPHONE && !TARGET_OS_WATCH static dispatch_once_t sWBUInitializeOnce = 0; static void * sWBULibrary = NULL; static WBUAutoFillGetEnabledDataClasses_f sWBUAutoFillGetEnabledDataClasses_f = NULL; 
@@ -301,7 +301,7 @@ static bool SWCAIsAutofillEnabled(void) #if TARGET_IPHONE_SIMULATOR // Assume the setting's on in the simulator: WBUAutoFillGetEnabledDataClasses call failing in the Simulator return true; -#elif TARGET_OS_IPHONE && !TARGET_OS_NANO +#elif TARGET_OS_IPHONE && !TARGET_OS_WATCH OSStatus status = _SecWBUEnsuredInitialized(); if (status) { return false; } WBSAutoFillDataClasses autofill = sWBUAutoFillGetEnabledDataClasses_f(); diff --git a/OSX/sec/ipc/client.c b/OSX/sec/ipc/client.c index 58272aa6..b3f158cc 100644 --- a/OSX/sec/ipc/client.c +++ b/OSX/sec/ipc/client.c @@ -38,6 +38,8 @@ #include #include #include +#include +#include #include #include @@ -101,7 +103,7 @@ SecSecurityClientGet(void) { static dispatch_once_t onceToken; dispatch_once(&onceToken, ^{ - gClient.task = NULL, + gClient.task = NULL; gClient.accessGroups = SecServerCopyAccessGroups(); gClient.allowSystemKeychain = true; gClient.allowSyncBubbleKeychain = true; @@ -150,6 +152,15 @@ static const char *securityd_service_name(void) { return kSecuritydXPCServiceName; } +static uid_t target_uid = -1; + +void +_SecSetSecuritydTargetUID(uid_t uid) +{ + target_uid = uid; +} + + static xpc_connection_t securityd_create_connection(const char *name, uint64_t flags) { const char *serviceName = name; if (!serviceName) { @@ -161,6 +172,9 @@ static xpc_connection_t securityd_create_connection(const char *name, uint64_t f const char *description = xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION); secnotice("xpc", "got event: %s", description); }); + if (target_uid != (uid_t)-1) { + xpc_connection_set_target_uid(connection, target_uid); + } xpc_connection_resume(connection); return connection; } 
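Review bot: `target_uid` in the `@@ -150,6 +152,15 @@` hunk is a file-scope static that the exported `_SecSetSecuritydTargetUID` writes and `securityd_create_connection` (next hunk, `@@ -161,6 +172,9 @@`) reads, with no synchronization and no comment on when the setter may be called. Because it decides which user's securityd later connections reach, the contract belongs on the function, e.g. `/* Call before the first securityd connection is created; redirects connections created afterwards in this process to uid's securityd. */`. Whether already-created connections are cached is not visible in these hunks, so please confirm that wording against the connection accessors. For consistency with the `(uid_t)-1` comparison, the initializer would read better as `static uid_t target_uid = (uid_t)-1;`.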
@@ -196,21 +210,23 @@ static xpc_connection_t trustd_connection(void) { } static bool is_trust_operation(enum SecXPCOperation op) { - switch (op) { - case sec_trust_store_contains_id: - case sec_trust_store_set_trust_settings_id: - case sec_trust_store_remove_certificate_id: - case sec_trust_evaluate_id: - case sec_trust_store_copy_all_id: - case sec_trust_store_copy_usage_constraints_id: - case sec_ota_pki_asset_version_id: + switch (op) { + case sec_trust_store_contains_id: + case sec_trust_store_set_trust_settings_id: + case sec_trust_store_remove_certificate_id: + case sec_trust_evaluate_id: + case sec_trust_store_copy_all_id: + case sec_trust_store_copy_usage_constraints_id: + case sec_ocsp_cache_flush_id: + case sec_ota_pki_trust_store_version_id: case kSecXPCOpOTAGetEscrowCertificates: case kSecXPCOpOTAPKIGetNewAsset: - return true; - default: - break; - } - return false; + case kSecXPCOpTLSAnaltyicsReport: + return true; + default: + break; + } + return false; } static xpc_connection_t securityd_connection_for_operation(enum SecXPCOperation op) { @@ -310,7 +326,9 @@ bool securityd_message_no_error(xpc_object_t message, CFErrorRef *error) { #if TARGET_OS_IPHONE secdebug("xpc", "Talking to securityd failed with error: %@", localError); #else +#if !defined(NDEBUG) uint64_t operation = xpc_dictionary_get_uint64(message, kSecXPCKeyOperation); +#endif secdebug("xpc", "Talking to %s failed with error: %@", (is_trust_operation((enum SecXPCOperation)operation)) ? "trustd" : "secd", localError); #endif 
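Review bot: In the `@@ -310,7 +326,9 @@` hunk, `operation` is declared only under `#if !defined(NDEBUG)` but is still named in the `secdebug(...)` call that follows, so the code compiles only while `secdebug` expands to nothing in exactly the same configurations. That coupling is invisible at the call site and breaks if the macro's condition ever changes. Marking the variable unused avoids the conditional, e.g. `__unused uint64_t operation = xpc_dictionary_get_uint64(message, kSecXPCKeyOperation);`. The enclosing `securityd_message_no_error` starts and ends outside the hunk.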
@@ -325,7 +343,7 @@ bool securityd_message_no_error(xpc_object_t message, CFErrorRef *error) { bool securityd_send_sync_and_do(enum SecXPCOperation op, CFErrorRef *error, bool (^add_to_message)(xpc_object_t message, CFErrorRef* error), - bool (^handle_response)(xpc_object_t response, CFErrorRef* error)) { + bool (^handle_response)(xpc_object_t _Nonnull response, CFErrorRef* error)) { xpc_object_t message = securityd_create_message(op, error); bool ok = false; if (message) { @@ -461,16 +479,11 @@ _SecSecuritydCopyEndpoint(enum SecXPCOperation op, CFErrorRef *error) XPC_RETURNS_RETAINED xpc_endpoint_t _SecSecuritydCopyCKKSEndpoint(CFErrorRef *error) { - return _SecSecuritydCopyEndpoint(kSecXPCOpCKKSEndpoint, error); + return NULL; } XPC_RETURNS_RETAINED xpc_endpoint_t -_SecSecuritydCopySOSStatusEndpoint(CFErrorRef *error) +_SecSecuritydCopyKeychainControlEndpoint(CFErrorRef* error) { - return _SecSecuritydCopyEndpoint(kSecXPCOpSOSEndpoint, error); + return _SecSecuritydCopyEndpoint(kSecXPCOpKeychainControlEndpoint, error); } - - - - -/* vi:set ts=4 sw=4 et: */ diff --git a/OSX/sec/ipc/client_endpoint.m b/OSX/sec/ipc/client_endpoint.m index a846d682..b9957cc7 100644 --- a/OSX/sec/ipc/client_endpoint.m +++ b/OSX/sec/ipc/client_endpoint.m 
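Review bot: In the `@@ -461,16 +479,11 @@` hunk, `_SecSecuritydCopyCKKSEndpoint` now returns `NULL` unconditionally and never writes to `error`, so an existing caller that checks the out-parameter sees a failure with no reason attached. Either remove the symbol along with its callers, or populate `*error` when it is non-NULL and add a comment such as `/* CKKS is now reached through its own Mach service; this endpoint is no longer vended. */`. The new `_SecSecuritydCopyKeychainControlEndpoint` can also return `NULL`, when the server's entitlement check fails, and would benefit from a one-line comment saying so.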
@@ -32,21 +32,20 @@ @implementation SecuritydXPCClient @synthesize connection = _connection; -- (instancetype) initWithEndpoint:(xpc_endpoint_t)endpoint +- (instancetype) init { if ((self = [super init])) { NSXPCInterface *interface = [NSXPCInterface interfaceWithProtocol:@protocol(SecuritydXPCProtocol)]; - NSXPCListenerEndpoint *listenerEndpoint = [[NSXPCListenerEndpoint alloc] init]; - [listenerEndpoint _setEndpoint:endpoint]; - - self.connection = [[NSXPCConnection alloc] initWithListenerEndpoint:listenerEndpoint]; + self.connection = [[NSXPCConnection alloc] initWithMachServiceName:@(kSecuritydGeneralServiceName) options:0]; if (self.connection == NULL) { return NULL; } self.connection.remoteObjectInterface = interface; [SecuritydXPCClient configureSecuritydXPCProtocol: self.connection.remoteObjectInterface]; + + [self.connection resume]; } return self; 
@@ -148,40 +147,16 @@ id SecuritydXPCProxyObject(void (^rpcErrorHandler)(NSError static SecuritydXPCClient* rpc; static dispatch_once_t onceToken; - static CFErrorRef cferror = NULL; - static dispatch_queue_t queue; - __block SecuritydXPCClient *result = nil; dispatch_once(&onceToken, ^{ - queue = dispatch_queue_create("SecuritydXPCProxyObject", DISPATCH_QUEUE_SERIAL); - }); - - dispatch_sync(queue, ^{ - if (rpc) { - result = rpc; - return; - } - - xpc_endpoint_t endpoint = _SecSecuritydCopyEndpoint(kSecXPCOpSecuritydXPCServerEndpoint, &cferror); - if (endpoint == NULL) { - return; - } - rpc = [[SecuritydXPCClient alloc] initWithEndpoint:endpoint]; - rpc.connection.invalidationHandler = ^{ - dispatch_sync(queue, ^{ - rpc = nil; - }); - }; - [rpc.connection resume]; - - result = rpc; + rpc = [[SecuritydXPCClient alloc] init]; }); - if (result == NULL) { - rpcErrorHandler((__bridge NSError *)cferror); + if (rpc == NULL) { + rpcErrorHandler([NSError errorWithDomain:@"securityd" code:-1 userInfo:@{ NSLocalizedDescriptionKey : @"Could not create SecuritydXPCClient" }]); return NULL; } else { - return [result.connection remoteObjectProxyWithErrorHandler: rpcErrorHandler]; + return [rpc.connection remoteObjectProxyWithErrorHandler: rpcErrorHandler]; } } diff --git a/OSX/sec/ipc/com.apple.secd.plist b/OSX/sec/ipc/com.apple.secd.plist index 2837c47d..c3470d0f 100644 --- a/OSX/sec/ipc/com.apple.secd.plist +++ b/OSX/sec/ipc/com.apple.secd.plist @@ -14,12 +14,20 @@ com.apple.secd MachServices + com.apple.security.octagon + com.apple.secd com.apple.securityd.xpc com.apple.securityd.aps + com.apple.securityd.ckks + + com.apple.securityd.general + + com.apple.securityd.sos + ProgramArguments diff --git a/OSX/sec/ipc/com.apple.securityd.plist b/OSX/sec/ipc/com.apple.securityd.plist index 4cc3c7ce..5de57431 100644 --- a/OSX/sec/ipc/com.apple.securityd.plist +++ b/OSX/sec/ipc/com.apple.securityd.plist 
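Review bot: `SecuritydXPCProxyObject` now builds its `SecuritydXPCClient` once under `dispatch_once` and drops the `invalidationHandler` that used to reset `rpc` to nil, so an invalidated connection is never replaced. If the connection to the Mach service is ever invalidated rather than merely interrupted, every later call in this process gets a proxy on a dead connection until the process restarts. If that is the intended trade-off, say so next to the static, e.g. `// rpc is created once; an invalidated connection is not re-created for the life of the process`. Otherwise keep an invalidation handler that at least logs the event. The function starts outside the hunk.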
@@ -19,10 +19,18 @@ com.apple.securityd MachServices + com.apple.security.octagon + com.apple.securityd com.apple.securityd.aps + com.apple.securityd.ckks + + com.apple.securityd.general + + com.apple.securityd.sos + ProgramArguments diff --git a/OSX/sec/ipc/securityd_client.h b/OSX/sec/ipc/securityd_client.h index 15f45496..4ed50430 100644 --- a/OSX/sec/ipc/securityd_client.h +++ b/OSX/sec/ipc/securityd_client.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007-2009,2012-2015 Apple Inc. All Rights Reserved. + * Copyright (c) 2007-2018 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -31,15 +31,11 @@ #include #ifndef MINIMIZE_INCLUDES # include -# include #else typedef struct __SecTrustStore *SecTrustStoreRef; # ifndef _SECURITY_SECCERTIFICATE_H_ typedef struct __SecCertificate *SecCertificateRef; # endif // _SECURITY_SECCERTIFICATE_H_ -# ifndef _SECURITY_SECCERTIFICATEPATH_H_ -typedef struct SecCertificatePath *SecCertificatePathRef; -# endif // _SECURITY_SECCERTIFICATEPATH_H_ #endif // MINIMIZE_INCLUDES #if TARGET_HAS_KEYSTORE @@ -70,6 +66,9 @@ typedef struct SecCertificatePath *SecCertificatePathRef; #define kTrustdXPCServiceName "com.apple.trustd" #endif // *** END TARGET_OS_OSX *** +#define kSecuritydGeneralServiceName "com.apple.securityd.general" +#define kSecuritydSOSServiceName "com.apple.securityd.sos" + // // MARK: XPC Information. // @@ -85,6 +84,7 @@ extern const char *kSecXPCKeyUserLabel; extern const char *kSecXPCKeyBackup; extern const char *kSecXPCKeyKeybag; extern const char *kSecXPCKeyUserPassword; +extern const char *kSecXPCKeyEMCSBackup; extern const char *kSecXPCKeyDSID; extern const char *kSecXPCKeyViewName; extern const char *kSecXPCKeyViewActionCode; 
@@ -180,11 +180,11 @@ enum SecXPCOperation { sec_item_backup_set_confirmed_manifest_id, sec_item_backup_restore_id, sec_keychain_sync_update_message_id, - sec_ota_pki_asset_version_id, + sec_ota_pki_trust_store_version_id, sec_otr_session_create_remote_id, sec_otr_session_process_packet_remote_id, - kSecXPCOpOTAPKIGetNewAsset, - kSecXPCOpOTAGetEscrowCertificates, + kSecXPCOpOTAPKIGetNewAsset, + kSecXPCOpOTAGetEscrowCertificates, kSecXPCOpProcessUnlockNotification, kSecXPCOpProcessSyncWithAllPeers, kSecXPCOpRollKeys, @@ -243,7 +243,7 @@ enum SecXPCOperation { kSecXPCOpCopyViewUnawarePeerInfo, kSecXPCOpCopyEngineState, kSecXPCOpCopyMyPeerInfo, - kSecXPCOpAccountSetToNew, + kSecXPCOpAccountSetToNew, kSecXPCOpSetNewPublicBackupKey, kSecXPCOpSetBagForAllSlices, kSecXPCOpWaitForInitialSync, @@ -276,6 +276,7 @@ enum SecXPCOperation { kSecXPCOpDeleteUserView, sec_trust_store_copy_all_id, sec_trust_store_copy_usage_constraints_id, + sec_ocsp_cache_flush_id, sec_delete_items_with_access_groups_id, kSecXPCOpIsThisDeviceLastBackup, sec_keychain_backup_keybag_uuid_id, @@ -285,11 +286,10 @@ enum SecXPCOperation { kSecXPCOpSendToPeerIsPending, sec_item_copy_parent_certificates_id, sec_item_certificate_exists_id, - kSecXPCOpCKKSEndpoint, - kSecXPCOpSOSEndpoint, - kSecXPCOpSecuritydXPCServerEndpoint, kSecXPCOpBackupKeybagAdd, kSecXPCOpBackupKeybagDelete, + kSecXPCOpKeychainControlEndpoint, + kSecXPCOpTLSAnaltyicsReport, }; 
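Review bot: The `@@ -276,6 +276,7 @@` hunk inserts `sec_ocsp_cache_flush_id` in the middle of `enum SecXPCOperation`, and the `@@ -285,11 +286,10 @@` hunk removes three endpoint operations, so every enumerator after those points gets a new numeric value. These values travel in XPC messages (client.c reads the operation back with `xpc_dictionary_get_uint64(message, kSecXPCKeyOperation)`). A client built against the old header would therefore select a different server case, with a different entitlement gate, when talking to a daemon built from this one. If mixed versions can ever meet, which is not visible here, append new operations at the end and keep retired ones as reserved placeholders. Otherwise add a comment above the enum such as `/* Values are not stable across releases; client and daemon must be built from the same header. */`. Separately, `kSecXPCOpTLSAnaltyicsReport` misspells "Analytics" and is easier to rename now, before more callers depend on it.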
@@ -327,7 +327,7 @@ struct securityd { bool (*sec_item_delete_all)(CFErrorRef* error); CFArrayRef (*sec_item_copy_parent_certificates)(CFDataRef normalizedIssuer, CFArrayRef accessGroups, CFErrorRef *error); bool (*sec_item_certificate_exists)(CFDataRef normalizedIssuer, CFDataRef serialNumber, CFArrayRef accessGroups, CFErrorRef *error); - CFDataRef (*sec_keychain_backup)(SecurityClient *client, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error); + CFDataRef (*sec_keychain_backup)(SecurityClient *client, CFDataRef keybag, CFDataRef passcode, bool emcs, CFErrorRef* error); bool (*sec_keychain_restore)(CFDataRef backup, SecurityClient *client, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error); CFDictionaryRef (*sec_keychain_backup_syncable)(CFDictionaryRef backup_in, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error); bool (*sec_keychain_restore_syncable)(CFDictionaryRef backup, CFDataRef keybag, CFDataRef passcode, CFErrorRef* error); @@ -337,7 +337,7 @@ struct securityd { bool (*sec_item_backup_restore)(CFStringRef backupName, CFStringRef peerID, CFDataRef keybag, CFDataRef secret, CFDataRef backup, CFErrorRef *error); CFDataRef (*sec_otr_session_create_remote)(CFDataRef publicPeerId, CFErrorRef* error); bool (*sec_otr_session_process_packet_remote)(CFDataRef sessionData, CFDataRef inputPacket, CFDataRef* outputSessionData, CFDataRef* outputPacket, bool *readyForMessages, CFErrorRef* error); - bool (*soscc_TryUserCredentials)(CFStringRef user_label, CFDataRef user_password, CFErrorRef *error); + bool (*soscc_TryUserCredentials)(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error); bool (*soscc_SetUserCredentials)(CFStringRef user_label, CFDataRef user_password, CFErrorRef *error); bool (*soscc_SetUserCredentialsAndDSID)(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error); bool (*soscc_CanAuthenticate)(CFErrorRef *error); 
@@ -437,12 +437,14 @@ struct trustd { bool (*sec_trust_store_set_trust_settings)(SecTrustStoreRef ts, SecCertificateRef certificate, CFTypeRef trustSettingsDictOrArray, CFErrorRef* error); bool (*sec_trust_store_remove_certificate)(SecTrustStoreRef ts, CFDataRef digest, CFErrorRef* error); bool (*sec_truststore_remove_all)(SecTrustStoreRef ts, CFErrorRef* error); - SecTrustResultType (*sec_trust_evaluate)(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions, CFArrayRef *details, CFDictionaryRef *info, SecCertificatePathRef *chain, CFErrorRef *error); - int (*sec_ota_pki_asset_version)(CFErrorRef* error); + SecTrustResultType (*sec_trust_evaluate)(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions, CFArrayRef *details, CFDictionaryRef *info, CFArrayRef *chain, CFErrorRef *error); + uint64_t (*sec_ota_pki_trust_store_version)(CFErrorRef* error); CFArrayRef (*ota_CopyEscrowCertificates)(uint32_t escrowRootType, CFErrorRef* error); - int (*sec_ota_pki_get_new_asset)(CFErrorRef* error); + uint64_t (*sec_ota_pki_get_new_asset)(CFErrorRef* error); bool (*sec_trust_store_copy_all)(SecTrustStoreRef ts, CFArrayRef *trustStoreContents, CFErrorRef *error); bool (*sec_trust_store_copy_usage_constraints)(SecTrustStoreRef ts, CFDataRef digest, CFArrayRef *usageConstraints, CFErrorRef *error); + bool (*sec_ocsp_cache_flush)(CFErrorRef *error); + bool (*sec_tls_analytics_report)(CFStringRef event_name, xpc_object_t tls_analytics_attributes, CFErrorRef *error); }; extern struct trustd *gTrustd; 
@@ -470,11 +472,11 @@ XPC_RETURNS_RETAINED xpc_endpoint_t _SecSecuritydCopyEndpoint(enum SecXPCOperati #import typedef void (^SecBoolNSErrorCallback) (bool, NSError*); -@protocol SecuritydXPCCallbackProtocol +@protocol SecuritydXPCCallbackProtocol - (void)callCallback: (bool) result error:(NSError*) error; @end -@protocol SecuritydXPCProtocol +@protocol SecuritydXPCProtocol - (void) SecItemAddAndNotifyOnSync:(NSDictionary*) attributes syncCallback:(id) callback complete:(void (^) (NSDictionary* opDictResult, NSArray* opArrayResult, NSError* operror)) complete; diff --git a/OSX/sec/ipc/server.c b/OSX/sec/ipc/server.c index 9e6a40aa..aa203e73 100644 --- a/OSX/sec/ipc/server.c +++ b/OSX/sec/ipc/server.c @@ -26,13 +26,14 @@ #include #include #include +#include #include #include #include #include #include #include -#include /* For SecItemDeleteAll */ +#include #include #include #include @@ -59,8 +60,11 @@ #include #include #include +#include #include +#include +#include "keychain/ot/OctagonControlServer.h" #include #include 
@@ -478,15 +482,30 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, break; } case sec_delete_all_id: - xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, _SecItemDeleteAll(&error)); + { + bool retval = false; +#if TARGET_OS_IPHONE + /* buddy is temporary allowed to do this */ + CFStringRef applicationIdentifier = SecTaskCopyApplicationIdentifier(client.task); + bool isBuddy = applicationIdentifier && + CFEqual(applicationIdentifier, CFSTR("com.apple.purplebuddy")); + + if (isBuddy || EntitlementPresentAndTrue(operation, client.task, kSecEntitlementPrivateDeleteAll, &error)) + { + retval = _SecItemDeleteAll(&error); + } +#endif + xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, retval); break; + } case sec_keychain_backup_id: { if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementRestoreKeychain, &error)) { CFDataRef keybag = NULL, passcode = NULL; if (SecXPCDictionaryCopyDataOptional(event, kSecXPCKeyKeybag, &keybag, &error)) { if (SecXPCDictionaryCopyDataOptional(event, kSecXPCKeyUserPassword, &passcode, &error)) { - CFDataRef backup = _SecServerKeychainCreateBackup(&client, keybag, passcode, &error); + bool emcs = SecXPCDictionaryGetBool(event, kSecXPCKeyEMCSBackup, NULL); + CFDataRef backup = _SecServerKeychainCreateBackup(&client, keybag, passcode, emcs, &error); if (backup) { int fd = SecXPCDictionaryDupFileDescriptor(event, kSecXPCKeyFileDescriptor, NULL); if (fd < 0) { 
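Review bot: In the new `sec_delete_all_id` case, `applicationIdentifier` comes from `SecTaskCopyApplicationIdentifier` and is never released, so each delete-all request leaks a CFString; add `CFReleaseNull(applicationIdentifier);` before `xpc_dictionary_set_bool`. When `TARGET_OS_IPHONE` is false the case replies `false` without touching `error`, so the caller cannot distinguish "not supported on this platform" from a silent failure; an `#else` branch that sets an error would make the refusal explicit. The hard-coded `com.apple.purplebuddy` comparison bypasses `kSecEntitlementPrivateDeleteAll` and is commented as temporary, so it deserves a tracking reference in the comment to ensure the exemption is actually removed. The enclosing `securityd_xpc_dictionary_handler` starts and ends outside the hunk.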
@@ -801,9 +820,9 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, } case kSecXPCOpTryUserCredentials: if (EntitlementPresentOrWhine(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) { - with_label_and_password(event, ^(CFStringRef label, CFDataRef password) { + with_label_and_password_and_dsid(event, ^(CFStringRef label, CFDataRef password, CFStringRef dsid) { xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, - SOSCCTryUserCredentials_Server(label, password, &error)); + SOSCCTryUserCredentials_Server(label, password, dsid, &error)); }); } break; @@ -974,6 +993,7 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, CFStringRef peerID = SecXPCDictionaryCopyString(event, kSecXPCKeyDeviceID, &error); CFDataRef message = SecXPCDictionaryCopyData(event, kSecXPCKeyIDSMessage, &error); xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, SOSCCRequestSyncWithPeerOverKVS_Server(peerID, message, &error)); + CFReleaseNull(message); CFReleaseNull(peerID); } break; @@ -1373,7 +1393,7 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, CFArrayRef viewSet = SecXPCDictionaryCopyArray(event, kSecXPCKeyArray, &error); if (viewSet) { CFBooleanRef result = SOSCCPeersHaveViewsEnabled_Server(viewSet, &error); - if (result) { + if (result != NULL) { xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result != kCFBooleanFalse); } } 
@@ -1595,43 +1615,6 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, result); } break; - case kSecXPCOpCKKSEndpoint: { - if(EntitlementPresentAndTrue(operation, client.task, kSecEntitlementPrivateCKKS, &error)) { - xpc_endpoint_t endpoint = SecServerCreateCKKSEndpoint(); - if (endpoint) { - xpc_dictionary_set_value(replyMessage, kSecXPCKeyEndpoint, endpoint); - xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, true); - xpc_release(endpoint); - } else { - xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, false); - } - } - break; - } - case kSecXPCOpSOSEndpoint: { - if(EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainCloudCircle, &error)) { - xpc_endpoint_t endpoint = SOSCCCreateSOSEndpoint_server(&error); - if (endpoint) { - xpc_dictionary_set_value(replyMessage, kSecXPCKeyEndpoint, endpoint); - xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, true); - xpc_release(endpoint); - } else { - xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, false); - } - } - break; - } - case kSecXPCOpSecuritydXPCServerEndpoint: { - xpc_endpoint_t endpoint = SecCreateSecuritydXPCServerEndpoint(&error); - if (endpoint) { - xpc_dictionary_set_value(replyMessage, kSecXPCKeyEndpoint, endpoint); - xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, true); - xpc_release(endpoint); - } else { - xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, false); - } - break; - } case kSecXPCOpBackupKeybagAdd: { if (EntitlementPresentAndTrue(operation, client.task, kSecEntitlementBackupTableOperations, &error)) { CFDataRef keybag = NULL, passcode = NULL; @@ -1676,7 +1659,6 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, } deleted = _SecServerBackupKeybagDelete(attributes, deleteAll, &error); } - CFReleaseNull(resolvedAgrp); CFReleaseNull(attributes); } } 
@@ -1685,6 +1667,19 @@ static void securityd_xpc_dictionary_handler(const xpc_connection_t connection, } break; } + case kSecXPCOpKeychainControlEndpoint: { + if(EntitlementPresentAndTrue(operation, client.task, kSecEntitlementKeychainControl, &error)) { + xpc_endpoint_t endpoint = SecServerCreateKeychainControlEndpoint(); + if (endpoint) { + xpc_dictionary_set_value(replyMessage, kSecXPCKeyEndpoint, endpoint); + xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, true); + xpc_release(endpoint); + } else { + xpc_dictionary_set_bool(replyMessage, kSecXPCKeyResult, false); + } + } + break; + } default: break; } @@ -1887,6 +1882,11 @@ int main(int argc, char *argv[]) securityd_init_server(); securityd_xpc_init(serviceName); + SecCreateSecuritydXPCServer(); + CKKSControlServerInitialize(); + SOSControlServerInitialize(); + OctagonControlServerInitialize(); + // 13B104+Roots:Device never moved past spinner after using approval to ENABLE icdp #if TARGET_OS_EMBEDDED securityd_soscc_lock_hack(); diff --git a/OSX/sec/ipc/server_endpoint.m b/OSX/sec/ipc/server_endpoint.m index 2ad415ad..4e9cb906 100644 --- a/OSX/sec/ipc/server_endpoint.m +++ b/OSX/sec/ipc/server_endpoint.m 
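Review bot: The `else` branch of the new `kSecXPCOpKeychainControlEndpoint` case replies `false` without populating `error`, so a caller cannot tell a failed endpoint creation from any other refusal. `SecServerCreateKeychainControlEndpoint()` takes no error argument, so the handler would have to set one itself, e.g. `SecError(errSecInternalError, &error, CFSTR("could not create keychain control endpoint"));` next to the `false` reply. Separately, an endpoint can be forwarded to another process once it has been handed out, so it is worth confirming that the listener behind it also checks `kSecEntitlementKeychainControl` on each new connection; that listener is not part of this hunk.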
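Review bot: The listeners started in `main()` appear to take over from XPC operations that checked an entitlement before handing out an endpoint (`kSecEntitlementPrivateCKKS` for CKKS and `kSecEntitlementKeychainCloudCircle` for SOS, both removed earlier in this file). If the control servers are now reachable directly, that check has to live in each listener's `shouldAcceptNewConnection:`. The CKKS, SOS and Octagon listeners are not visible here, so this needs verifying in their sources. Once confirmed, a comment above the calls would record it, e.g. `// Each control server checks its own entitlement in its listener delegate.` Also, `CKKSControlServerInitialize()` and `OctagonControlServerInitialize()` are called outside any `#if OCTAGON`, unlike the CKKS code in server_xpc.m, so they presumably need to exist on builds without it.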
@@ -119,24 +119,19 @@ // Responsible for bringing up new SecuritydXPCServer objects, and configuring them with their remote connection @interface SecuritydXPCServerListener : NSObject @property (retain,nonnull) NSXPCListener *listener; -- (xpc_endpoint_t)xpcControlEndpoint; @end @implementation SecuritydXPCServerListener -(instancetype)init { if((self = [super init])){ - self.listener = [NSXPCListener anonymousListener]; + self.listener = [[NSXPCListener alloc] initWithMachServiceName:@(kSecuritydGeneralServiceName)]; self.listener.delegate = self; [self.listener resume]; } return self; } -- (xpc_endpoint_t)xpcControlEndpoint { - return [self.listener.endpoint _endpoint]; -} - - (BOOL)listener:(__unused NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection { // Anyone is allowed to get a connection to securityd, except if you have kSecEntitlementKeychainDeny entitlement @@ -157,14 +152,16 @@ } @end -XPC_RETURNS_RETAINED xpc_endpoint_t SecCreateSecuritydXPCServerEndpoint(CFErrorRef *error) +void +SecCreateSecuritydXPCServer(void) { static SecuritydXPCServerListener* listener = NULL; static dispatch_once_t onceToken; dispatch_once(&onceToken, ^{ - listener = [[SecuritydXPCServerListener alloc] init]; + @autoreleasepool { + listener = [[SecuritydXPCServerListener alloc] init]; + } }); - return [listener xpcControlEndpoint]; } id SecCreateLocalSecuritydXPCServer(void) { diff --git a/OSX/sec/ipc/server_security_helpers.h b/OSX/sec/ipc/server_security_helpers.h index 180d3aea..7f99e901 100644 --- a/OSX/sec/ipc/server_security_helpers.h +++ b/OSX/sec/ipc/server_security_helpers.h 
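Review bot: In the hunk at -157, `SecCreateSecuritydXPCServer` keeps the Create prefix although it now returns `void`. In Core Foundation naming, Create marks a function that returns an object the caller owns, so the name misleads readers of server_security_helpers.h, where the declaration changes in the same way. A name such as `SecInitializeSecuritydXPCServer` would also match the `...ControlServerInitialize()` calls added beside it in `main()`. A short comment on the `static` listener would help too, e.g. `// Held for the life of the process; nothing in this file tears the listener down.`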
@@ -30,7 +30,7 @@ CFTypeRef SecCreateLocalCFSecuritydXPCServer(void); void SecAddLocalSecuritydXPCFakeEntitlement(CFStringRef entitlement, CFTypeRef value); void SecResetLocalSecuritydXPCFakeEntitlements(void); -XPC_RETURNS_RETAINED xpc_endpoint_t SecCreateSecuritydXPCServerEndpoint(CFErrorRef *error); +void SecCreateSecuritydXPCServer(void); void fill_security_client(SecurityClient * client, const uid_t uid, audit_token_t auditToken); CFArrayRef SecTaskCopyAccessGroups(SecTaskRef task); diff --git a/OSX/sec/ipc/server_xpc.m b/OSX/sec/ipc/server_xpc.m index 1c7a42cd..15f2d9e7 100644 --- a/OSX/sec/ipc/server_xpc.m +++ b/OSX/sec/ipc/server_xpc.m @@ -26,8 +26,10 @@ #include #include #include +#include #if OCTAGON +#include "keychain/ckks/CloudKitCategories.h" #include // If your callbacks might pass back a CK error, you should use the XPCSanitizeError() spi on all branches at this layer. // Otherwise, XPC might crash on the other side if they haven't linked CloudKit.framework. @@ -45,6 +47,20 @@ #include "keychain/ckks/CKKSViewManager.h" +@interface SecOSTransactionHolder : NSObject +@property os_transaction_t transaction; +- (instancetype)init:(os_transaction_t)transaction; +@end + +@implementation SecOSTransactionHolder +- (instancetype)init:(os_transaction_t)transaction { + if((self = [super init])) { + _transaction = transaction; + } + return self; +} +@end + @implementation SecuritydXPCServer (SecuritydXPCProtocol) - (void) SecItemAddAndNotifyOnSync:(NSDictionary*) attributes @@ -65,6 +81,11 @@ return; } +#if OCTAGON + // Wait a bit for CKKS initialization in case of daemon start, but don't bail if it isn't up + [[CKKSViewManager manager].completedSecCKKSInitialize wait:10]; +#endif + if(attributes[(id)kSecAttrDeriveSyncIDFromItemAttributes] || attributes[(id)kSecAttrPCSPlaintextServiceIdentifier] || attributes[(id)kSecAttrPCSPlaintextPublicKey] || 
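Review bot: In the hunk at -65, the timeout in `wait:10` is a bare literal whose unit is not stated, and the same call is added again in `SecItemSetCurrentItemAcrossAllDevices` and `SecItemFetchCurrentItemAcrossAllDevices` later in this file. A shared named constant, for instance `[[CKKSViewManager manager].completedSecCKKSInitialize wait:kSecCKKSInitializeWaitTimeout];` (name suggested here), would keep the three call sites in step. It would also document how long an XPC request may be held while CKKS starts. At this site the return value is ignored on purpose, as the comment says, while the two later sites treat a non-zero return as failure. The method body continues outside the hunk.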
@@ -81,14 +102,16 @@ CFTypeRef cfresult = NULL; NSMutableDictionary* callbackQuery = [attributes mutableCopy]; + + // We probably need to figure out how to call os_transaction_needs_more_time on this transaction, but as this callback passes through C code, it's quite difficult + SecOSTransactionHolder* callbackTransaction = [[SecOSTransactionHolder alloc] init:os_transaction_create("com.apple.securityd.SecItemAddAndNotifyOnSync-callback")]; callbackQuery[@"f_ckkscallback"] = ^void (bool didSync, CFErrorRef syncerror) { - [callback callCallback: didSync error: (__bridge NSError*)syncerror]; + [callback callCallback:didSync error:XPCSanitizeError((__bridge NSError*)syncerror)]; + callbackTransaction.transaction = nil; }; _SecItemAdd((__bridge CFDictionaryRef) callbackQuery, &_client, &cfresult, &cferror); - //TODO: ensure cferror can transit xpc - // SecItemAdd returns Some CF Object, but NSXPC is pretty adamant that everything be a specific NS type. Split it up here: if(!cfresult) { complete(NULL, NULL, (__bridge NSError *)(cferror)); 
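Review bot: Nothing in this hunk ends `callbackTransaction` when the `f_ckkscallback` block is never invoked, for example if `_SecItemAdd` fails before CKKS takes the callback. In that case the transaction is presumably released only when the last reference to the block, and so to the holder, goes away. That is probably the intent, but it relies on no component retaining the block indefinitely, which the existing comment does not state. I would extend the comment with something like `// If the callback never fires, the transaction ends when callbackQuery and its block are released.` The method body continues outside the hunk.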
@@ -141,90 +164,33 @@ return; } - __block SecDbItemRef newItem = NULL; - __block SecDbItemRef oldItem = NULL; - - bool ok = kc_with_dbt(false, &cferror, ^bool (SecDbConnectionRef dbt) { - // Use a DB transaction to gain synchronization with all CKKS zones. - return kc_transaction_type(dbt, kSecDbExclusiveRemoteCKKSTransactionType, &cferror, ^bool { - Query *q = query_create_with_limit( (__bridge CFDictionaryRef) @{ - (__bridge NSString *)kSecValuePersistentRef : newItemPersistentRef, - (__bridge NSString *)kSecAttrAccessGroup : accessGroup, - }, - NULL, - 1, - &cferror); - if(cferror) { - secerror("couldn't create query for new item pref: %@", cferror); - return false; - } - - if(!SecDbItemQuery(q, NULL, dbt, &cferror, ^(SecDbItemRef item, bool *stop) { - newItem = CFRetainSafe(item); - })) { - query_destroy(q, NULL); - secerror("couldn't run query for new item pref: %@", cferror); - return false; - } - - if(!query_destroy(q, &cferror)) { - secerror("couldn't destroy query for new item pref: %@", cferror); - return false; - }; - - if(oldCurrentItemPersistentRef) { - q = query_create_with_limit( (__bridge CFDictionaryRef) @{ - (__bridge NSString *)kSecValuePersistentRef : oldCurrentItemPersistentRef, - (__bridge NSString *)kSecAttrAccessGroup : accessGroup, - }, - NULL, - 1, - &cferror); - if(cferror) { - secerror("couldn't create query: %@", cferror); - return false; - } - - if(!SecDbItemQuery(q, NULL, dbt, &cferror, ^(SecDbItemRef item, bool *stop) { - oldItem = CFRetainSafe(item); - })) { - query_destroy(q, NULL); - secerror("couldn't run query for old item pref: %@", cferror); - return false; - } - - if(!query_destroy(q, &cferror)) { - secerror("couldn't destroy query for old item pref: %@", cferror); - return false; - }; - } - - CKKSViewManager* manager = [CKKSViewManager manager]; - if(!manager) { - secerror("SecItemSetCurrentItemAcrossAllDevices: no view manager?"); - cferror = (CFErrorRef) CFBridgingRetain([NSError errorWithDomain:@"securityd" 
code:errSecInternalError userInfo:@{NSLocalizedDescriptionKey: @"No view manager, cannot forward request"}]); - return false; - } - [manager setCurrentItemForAccessGroup:newItem - hash:newItemSHA1 - accessGroup:accessGroup - identifier:identifier - viewHint:viewHint - replacing:oldItem - hash:oldItemSHA1 - complete:complete]; - return true; - }); - }); - - CFReleaseNull(newItem); - CFReleaseNull(oldItem); - - if(!ok) { - secnotice("ckks", "SecItemSetCurrentItemAcrossAllDevices failed due to: %@", cferror); - complete((__bridge NSError*) cferror); +#if OCTAGON + // Wait a bit for CKKS initialization in case of daemon start, and bail it doesn't come up + if([[CKKSViewManager manager].completedSecCKKSInitialize wait:10] != 0) { + secerror("SecItemSetCurrentItemAcrossAllDevices: CKKSViewManager not initialized?"); + complete([NSError errorWithDomain:CKKSErrorDomain code:CKKSNotInitialized description:@"CKKS not yet initialized"]); + return; } - CFReleaseNull(cferror); +#endif + + CKKSViewManager* manager = [CKKSViewManager manager]; + if(!manager) { + secerror("SecItemSetCurrentItemAcrossAllDevices: no view manager?"); + complete([NSError errorWithDomain:CKKSErrorDomain + code:CKKSNotInitialized + description:@"No view manager, cannot forward request"]); + return; + } + + [manager setCurrentItemForAccessGroup:newItemPersistentRef + hash:newItemSHA1 + accessGroup:accessGroup + identifier:identifier + viewHint:viewHint + replacing:oldCurrentItemPersistentRef + hash:oldItemSHA1 + complete:complete]; + return; #else // ! OCTAGON xpcComplete([NSError errorWithDomain:@"securityd" code:errSecParam userInfo:@{NSLocalizedDescriptionKey: @"SecItemSetCurrentItemAcrossAllDevices not implemented on this platform"}]); #endif // OCTAGON 
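Review bot: The removed code looked up both persistent refs with `kSecAttrAccessGroup : accessGroup` in the query, so an item outside the given access group was never found. The new code hands `newItemPersistentRef` and `oldCurrentItemPersistentRef` to `setCurrentItemForAccessGroup:` unresolved. That method is not visible here, so confirm that it performs the same access-group-bound lookup, inside the exclusive CKKS transaction the old code used, before a current-item pointer is written. The added comment also has a typo and should read `// Wait a bit for CKKS initialization in case of daemon start, and bail if it doesn't come up`; the same wording recurs in `SecItemFetchCurrentItemAcrossAllDevices`. The method starts outside the hunk.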
@@ -264,6 +230,13 @@ return; } + // Wait a bit for CKKS initialization in case of daemon start, and bail it doesn't come up + if([[CKKSViewManager manager].completedSecCKKSInitialize wait:10] != 0) { + secerror("SecItemFetchCurrentItemAcrossAllDevices: CKKSViewManager not initialized?"); + complete(NULL, [NSError errorWithDomain:CKKSErrorDomain code:CKKSNotInitialized description:@"CKKS not yet initialized"]); + return; + } + [[CKKSViewManager manager] getCurrentItemForAccessGroup:accessGroup identifier:identifier viewHint:viewHint @@ -275,9 +248,11 @@ return; } - // Find the persisent ref and return it. - secnotice("ckkscurrent", "CKKS believes current item UUID for (%@,%@) is %@. Looking up persistent ref...", accessGroup, identifier, uuid); - [self findItemPersistentRefByUUID:uuid complete:complete]; + // Find the persistent ref and return it. + secinfo("ckkscurrent", "CKKS believes current item UUID for (%@,%@) is %@. Looking up persistent ref...", accessGroup, identifier, uuid); + [self findItemPersistentRefByUUID:uuid + extraLoggingString:[NSString stringWithFormat:@"%@,%@", accessGroup, identifier] + complete:complete]; }]; #else // ! OCTAGON xpcComplete(NULL, [NSError errorWithDomain:@"securityd" code:errSecParam userInfo:@{NSLocalizedDescriptionKey: @"SecItemFetchCurrentItemAcrossAllDevices not implemented on this platform"}]); @@ -285,6 +260,7 @@ } -(void)findItemPersistentRefByUUID:(NSString*)uuid + extraLoggingString:(NSString*)loggingStr complete:(void (^) (NSData* persistentref, NSError* operror))xpcComplete { // The calling client might not handle CK types well. Sanitize! 
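Review bot: In the hunk at -264, the added guard does not fire if `[CKKSViewManager manager]` returns nil. Messaging nil yields 0 from `wait:10`, the `!= 0` test passes, and the following `getCurrentItemForAccessGroup:` call on nil does nothing, so `complete` is never called and no reply is sent. `SecItemSetCurrentItemAcrossAllDevices` in this same commit checks `if(!manager)` after the wait and replies with `CKKSNotInitialized`, and the same guard belongs here unless code above the hunk already rules nil out. For example: `CKKSViewManager* manager = [CKKSViewManager manager];` followed by `if(!manager) { complete(NULL, [NSError errorWithDomain:CKKSErrorDomain code:CKKSNotInitialized description:@"No view manager, cannot forward request"]); return; }`.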
@@ -329,9 +305,9 @@ } if(result && !cferror) { - secnotice("ckkscurrent", "Found current item for (%@)", uuid); + secinfo("ckkscurrent", "Found current item for (%@: %@)", loggingStr, uuid); } else { - secerror("ckkscurrent: No current item for (%@): %@ %@", uuid, result, cferror); + secerror("ckkscurrent: No current item for (%@,%@): %@ %@", loggingStr, uuid, result, cferror); } complete((__bridge NSData*) result, (__bridge NSError*) cferror); diff --git a/OSX/sec/os_log/com.apple.securityd.plist b/OSX/sec/os_log/com.apple.securityd.plist index bc357ec6..3d7b7702 100644 --- a/OSX/sec/os_log/com.apple.securityd.plist +++ b/OSX/sec/os_log/com.apple.securityd.plist @@ -31,5 +31,34 @@ 2d + circleOps + + Default-Privacy-Setting + Public + Enabled + True + Persist + True + TTL + 14 + Development + + Enabled + True + Persist + True + TTL + 14 + + Debug + + Enabled + True + Persist + True + TTL + 14 + + diff --git a/OSX/sec/securityd/OTATrustUtilities.c b/OSX/sec/securityd/OTATrustUtilities.c deleted file mode 100644 index 8b4f990f..00000000 --- a/OSX/sec/securityd/OTATrustUtilities.c +++ /dev/null 
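Review bot: In the com.apple.securityd.plist hunk, the new `circleOps` category sets `Default-Privacy-Setting` to `Public` and persists for 14 days at every level. Any dynamic value logged under it without an explicit `%{private}` annotation would therefore be stored unredacted. This commit also starts passing a `dsid` through the circle code paths, so the `circleOps` call sites, which are outside this hunk, should be checked for account or peer identifiers before the category ships as public. A comment in the plist would record the constraint, e.g. `<!-- circleOps is Public by default: annotate account and peer identifiers as %{private} -->`.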
@@ -1,1519 +0,0 @@ -/* - * Copyright (c) 2003-2004,2006-2010,2013-2017 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - * - * OTATrustUtilities.c - */ - -#include "OTATrustUtilities.h" - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include "SecFramework.h" -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -//#define VERBOSE_LOGGING 1 - -#if VERBOSE_LOGGING - -static void TestOTALog(const char* sz, ...) 
-{ - va_list va; - va_start(va, sz); - - FILE* fp = fopen("/tmp/secd_OTAUtil.log", "a"); - if (NULL != fp) - { - vfprintf(fp, sz, va); - fclose(fp); - } - va_end(va); -} - -static void TestOTAResourceLog(const char *msg, - CFStringRef resourceName, - CFStringRef resourceType, - CFStringRef subDirName, - CFURLRef url) -{ - CFStringRef tmpStr = NULL; - CFIndex maxLength = 0; - char *buf = NULL; - - tmpStr = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, - CFSTR("%s (name=%@, type=%@, subdir=%@), url=%@"), - msg, resourceName, resourceType, subDirName, url); - if (tmpStr) { - maxLength = CFStringGetMaximumSizeForEncoding(CFStringGetLength(tmpStr), kCFStringEncodingUTF8) + 1; - buf = (char*) malloc(maxLength); - } else { - TestOTALog("TestOTAResourceLog: failed to create string of length %ld\n", (long)maxLength); - } - if (buf) { - if (CFStringGetCString(tmpStr, buf, (CFIndex)maxLength, kCFStringEncodingUTF8)) { - TestOTALog("%s\n", buf); - } - free(buf); - } - CFReleaseSafe(tmpStr); -} - -#else - -#define TestOTALog(sz, ...) 
-#define TestOTAResourceLog(msg, resourceName, resourceType, subDirName, url) - -#endif - - -//#define NEW_LOCATION 1 - -#if NEW_LOCATION -static const char* kBaseAssetDirectory = "/var/OTAPKI/Assets"; -#else -static const char* kBaseAssetDirectory = "/var/Keychains/Assets"; -#endif - -static const char* kVersionDirectoryNamePrefix = "Version_"; -static const char* kNumberString = "%d"; - -struct index_record -{ - unsigned char hash[CC_SHA1_DIGEST_LENGTH]; - uint32_t offset; -}; -typedef struct index_record index_record; - - -struct _OpaqueSecOTAPKI -{ - CFRuntimeBase _base; - CFSetRef _blackListSet; - CFSetRef _grayListSet; - CFDictionaryRef _allowList; - CFArrayRef _trustedCTLogs; - CFArrayRef _pinningList; - CFArrayRef _escrowCertificates; - CFArrayRef _escrowPCSCertificates; - CFDictionaryRef _evPolicyToAnchorMapping; - CFDictionaryRef _anchorLookupTable; - const char* _anchorTable; - const char* _assetPath; - int _assetVersion; - const char* _validUpdateSnapshot; - const char* _validDatabaseSnapshot; - CFIndex _validSnapshotVersion; - CFIndex _validSnapshotFormat; -}; - -CFGiblisFor(SecOTAPKI) - -static CF_RETURNS_RETAINED CFStringRef SecOTAPKICopyFormatDescription(CFTypeRef cf, CFDictionaryRef formatOptions) -{ - SecOTAPKIRef otapkiRef = (SecOTAPKIRef)cf; - return CFStringCreateWithFormat(kCFAllocatorDefault,NULL,CFSTR(""), otapkiRef->_assetVersion); -} - -static void SecOTAPKIDestroy(CFTypeRef cf) -{ - SecOTAPKIRef otapkiref = (SecOTAPKIRef)cf; - - CFReleaseNull(otapkiref->_blackListSet); - CFReleaseNull(otapkiref->_grayListSet); - CFReleaseNull(otapkiref->_escrowCertificates); - CFReleaseNull(otapkiref->_escrowPCSCertificates); - - CFReleaseNull(otapkiref->_evPolicyToAnchorMapping); - CFReleaseNull(otapkiref->_anchorLookupTable); - - CFReleaseNull(otapkiref->_trustedCTLogs); - CFReleaseNull(otapkiref->_pinningList); - - if (otapkiref->_anchorTable) { - free((void *)otapkiref->_anchorTable); - otapkiref->_anchorTable = NULL; - } - if (otapkiref->_assetPath) 
{ - free((void *)otapkiref->_assetPath); - otapkiref->_assetPath = NULL; - } - if (otapkiref->_validUpdateSnapshot) { - free((void *)otapkiref->_validUpdateSnapshot); - otapkiref->_validUpdateSnapshot = NULL; - } - if (otapkiref->_validDatabaseSnapshot) { - free((void *)otapkiref->_validDatabaseSnapshot); - otapkiref->_validDatabaseSnapshot = NULL; - } -} - -static CFDataRef SecOTACopyFileContents(const char *path) -{ - CFMutableDataRef data = NULL; - int fd = open(path, O_RDONLY, 0666); - - if (fd == -1) - { - goto badFile; - } - - off_t fsize = lseek(fd, 0, SEEK_END); - if (fsize == (off_t)-1) - { - goto badFile; - } - - if (fsize > (off_t)INT32_MAX) - { - goto badFile; - } - - data = CFDataCreateMutable(kCFAllocatorDefault, (CFIndex)fsize); - if (NULL == data) - { - goto badFile; - } - - CFDataSetLength(data, (CFIndex)fsize); - void *buf = CFDataGetMutableBytePtr(data); - if (NULL == buf) - { - goto badFile; - } - - off_t total_read = 0; - while (total_read < fsize) - { - ssize_t bytes_read; - - bytes_read = pread(fd, buf, (size_t)(fsize - total_read), total_read); - if (bytes_read == -1) - { - goto badFile; - } - if (bytes_read == 0) - { - goto badFile; - } - total_read += bytes_read; - } - - close(fd); - return data; - -badFile: - if (fd != -1) - { - close(fd); - } - - if (data) - { - CFRelease(data); - } - - return NULL; -} - -static Boolean PathExists(const char* path, size_t* pFileSize) -{ - const char *checked_path = (path) ? 
path : ""; - TestOTALog("In PathExists: checking path \"%s\"\n", checked_path); - Boolean result = false; - struct stat sb; - - if (NULL != pFileSize) - { - *pFileSize = 0; - } - - int stat_result = stat(checked_path, &sb); - result = (stat_result == 0); - - - if (result) - { - TestOTALog("In PathExists: stat returned 0 for \"%s\"\n", checked_path); - if (S_ISDIR(sb.st_mode)) - { - TestOTALog("In PathExists: \"%s\" is a directory\n", checked_path); - // It is a directory - ; - } - else - { - TestOTALog("In PathExists: \"%s\" is a file\n", checked_path); - // It is a file - if (NULL != pFileSize) - { - *pFileSize = (size_t)sb.st_size; - } - } - } -#if VERBOSE_LOGGING - else - { - const char *stat_prefix = "In PathExists: stat error"; - TestOTALog("%s %d for \"%s\"\n", stat_prefix, stat_result, checked_path); - int local_errno = errno; - switch(local_errno) - { - case EACCES: - TestOTALog("%s EACCES\n", stat_prefix); - break; - - case EBADF: - TestOTALog("%s EBADF\n", stat_prefix); - break; - - case EFAULT: - TestOTALog("%s EFAULT\n", stat_prefix); - break; - - case ELOOP: - TestOTALog("%s ELOOP\n", stat_prefix); - break; - - case ENAMETOOLONG: - TestOTALog("%s ENAMETOOLONG\n", stat_prefix); - break; - - case ENOENT: - TestOTALog("%s ENOENT (missing?)\n", stat_prefix); - break; - - case ENOMEM: - TestOTALog("%s ENOMEM\n", stat_prefix); - break; - - case ENOTDIR: - TestOTALog("%s ENOTDIR\n", stat_prefix); - break; - - case EOVERFLOW: - TestOTALog("%s EOVERFLOW\n", stat_prefix); - break; - - default: - TestOTALog("%s %d\n", stat_prefix, local_errno); - break; - } - } -#endif // #if VERBOSE_LOGGING - - return result; -} - -static int unlink_cb(const char *fpath, const struct stat *sb, int typeflag, struct FTW *ftwbuf) -{ - int rv = remove(fpath); - return rv; -} - -static int rmrf(char *path) -{ - const char* p1 = NULL; - char path_buffer[PATH_MAX]; - memset(path_buffer, 0, sizeof(path_buffer)); - - p1 = realpath(path, path_buffer); - if (p1 && !strncmp(path, p1, 
PATH_MAX)) - { - return nftw(path, unlink_cb, 64, FTW_DEPTH | FTW_PHYS); - } - return -1; -} - - -static CFStringRef kSecSystemTrustStoreBundlePath = CFSTR("/System/Library/Security/Certificates.bundle"); - -CFGiblisGetSingleton(CFBundleRef, SecSystemTrustStoreGetBundle, bundle, ^{ - CFStringRef bundlePath = NULL; -#if TARGET_IPHONE_SIMULATOR - char *simulatorRoot = getenv("SIMULATOR_ROOT"); - if (simulatorRoot) - bundlePath = CFStringCreateWithFormat(NULL, NULL, CFSTR("%s%@"), simulatorRoot, kSecSystemTrustStoreBundlePath); -#endif - if (!bundlePath) - bundlePath = CFRetainSafe(kSecSystemTrustStoreBundlePath); - TestOTAResourceLog("SecSystemTrustStoreGetBundle", bundlePath, NULL, NULL, NULL); - CFURLRef url = CFURLCreateWithFileSystemPath(kCFAllocatorDefault, bundlePath, kCFURLPOSIXPathStyle, true); - *bundle = (url) ? CFBundleCreate(kCFAllocatorDefault, url) : NULL; - CFReleaseSafe(url); - CFReleaseSafe(bundlePath); -}) - -static CFURLRef SecSystemTrustStoreCopyResourceURL(CFStringRef resourceName, - CFStringRef resourceType, CFStringRef subDirName) -{ - CFURLRef url = NULL; - CFBundleRef bundle = SecSystemTrustStoreGetBundle(); - TestOTALog("SecSystemTrustStoreCopyResourceURL: bundle = %p\n", (void*)bundle); - if (bundle) { - url = CFBundleCopyResourceURL(bundle, resourceName, - resourceType, subDirName); - if (!url) { - secwarning("resource: %@.%@ in %@ not found", resourceName, - resourceType, subDirName); - } - } - if (!url) { - TestOTAResourceLog("SecSystemTrustStoreCopyResourceURL: unable to get URL!", - resourceName, resourceType, subDirName, url); - } else { - TestOTAResourceLog("SecSystemTrustStoreCopyResourceURL: got URL from bundle", - resourceName, resourceType, subDirName, url); - } - return url; -} - -static CFDataRef SecSystemTrustStoreCopyResourceContents(CFStringRef resourceName, - CFStringRef resourceType, CFStringRef subDirName) -{ - CFURLRef url = SecSystemTrustStoreCopyResourceURL(resourceName, resourceType, subDirName); - CFDataRef data = 
NULL; - if (url) { - SInt32 error; - if (!CFURLCreateDataAndPropertiesFromResource(kCFAllocatorDefault, - url, &data, NULL, NULL, &error)) { - secwarning("read: %ld", (long) error); - } - CFRelease(url); - } - TestOTALog("SecSystemTrustStoreCopyResourceContents: data = %p\n", data); - return data; -} - -static CFPropertyListRef CFPropertyListCopyFromAsset(const char *ota_assets_path, CFStringRef asset) -{ - CFPropertyListRef plist = NULL; - // Check to see if the .plist file is in the asset location - CFDataRef xmlData = NULL; - if (ota_assets_path) { - CFStringRef filePath = CFStringCreateWithFormat(kCFAllocatorDefault, NULL, CFSTR("%s/%@.%@"), ota_assets_path, asset, CFSTR("plist")); - CFURLRef url = CFURLCreateWithFileSystemPath(kCFAllocatorDefault, filePath, kCFURLPOSIXPathStyle, false); - - plist = CFPropertyListReadFromFile(url); - CFReleaseSafe(url); - CFReleaseSafe(filePath); - } - - if (!plist) { - // no OTA asset file, so use the file in the system trust store bundle - xmlData = SecSystemTrustStoreCopyResourceContents(asset, CFSTR("plist"), NULL); - - if (xmlData) { - plist = CFPropertyListCreateWithData(kCFAllocatorDefault, xmlData, kCFPropertyListImmutable, NULL, NULL); - CFRelease(xmlData); - } - } - - return plist; -} - -static CFSetRef CFSetCreateFromPropertyList(CFPropertyListRef plist) -{ - CFSetRef result = NULL; - - if (plist) { - CFMutableSetRef tempSet = NULL; - if (CFGetTypeID(plist) == CFArrayGetTypeID()) { - tempSet = CFSetCreateMutable(kCFAllocatorDefault, 0, &kCFTypeSetCallBacks); - if (NULL == tempSet) { - return result; - } - CFArrayRef array = (CFArrayRef)plist; - CFIndex num_keys = CFArrayGetCount(array); - for (CFIndex idx = 0; idx < num_keys; idx++) { - CFDataRef data = (CFDataRef)CFArrayGetValueAtIndex(array, idx); - CFSetAddValue(tempSet, data); - } - } - else { - return result; - } - - if (NULL != tempSet) { - result = tempSet; - } - } - return result; -} - -static const char* InitOTADirectory(int* pAssetVersion) -{ - 
TestOTALog("In InitOTADirectory\n"); - const char* result = NULL; - - char buffer[PATH_MAX]; - DIR *dp; - struct dirent *ep; - int version = 0; - int current_version = 0; - int system_asset_version = 0; - CFIndex asset_number = 0; - - // Look in the system trust store for an AssetVersion.plist file. - // This is needed to ensure that a software update did not put down - // a version of the trust store that is greater than the OTA assets. - - CFDataRef assetVersionData = SecSystemTrustStoreCopyResourceContents(CFSTR("AssetVersion"), CFSTR("plist"), NULL); - if (NULL != assetVersionData) - { - CFPropertyListFormat propFormat; - CFDictionaryRef versionPlist = CFPropertyListCreateWithData(kCFAllocatorDefault, assetVersionData, 0, &propFormat, NULL); - if (NULL != versionPlist && CFDictionaryGetTypeID() == CFGetTypeID(versionPlist)) - { - CFNumberRef versionNumber = (CFNumberRef)CFDictionaryGetValue(versionPlist, (const void *)CFSTR("VersionNumber")); - if (NULL != versionNumber) - { - CFNumberGetValue(versionNumber, kCFNumberCFIndexType, &asset_number); - system_asset_version = (int)asset_number; - } - } - CFReleaseSafe(versionPlist); - CFReleaseSafe(assetVersionData); - } - - // Now check to see if the OTA asset directory exists. - // If it does, get the greatest asset number in the OTA asset directory. 
- - bool assetDirectoryExists = PathExists(kBaseAssetDirectory, NULL); - if (assetDirectoryExists) - { - TestOTALog("InitOTADirectory: \"%s\" exists\n", kBaseAssetDirectory); - dp = opendir (kBaseAssetDirectory); - if (NULL != dp) - { - TestOTALog("InitOTADirectory: opendir sucessfully open \"%s\"\n", kBaseAssetDirectory); - while ((ep = readdir(dp))) - { - TestOTALog("InitOTADirectory: processing name \"%s\"\n", ep->d_name); - if (strstr(ep->d_name, kVersionDirectoryNamePrefix)) - { - TestOTALog("InitOTADirectory: \"%s\" matches\n", ep->d_name); - memset(buffer, 0, sizeof(buffer)); - snprintf(buffer, sizeof(buffer), "%s%s", kVersionDirectoryNamePrefix, kNumberString); -#pragma clang diagnostic push -#pragma clang diagnostic ignored "-Wformat-nonliteral" - sscanf(ep->d_name, buffer, &version); -#pragma clang diagnostic pop - - TestOTALog("InitOTADirectory: version = %d\n", version); - - if (current_version > 0) - { - if (version > current_version) - { - // There is more than one Version_ directory. - // Delete the one with the smaller version number - memset(buffer, 0, sizeof(buffer)); - snprintf(buffer, sizeof(buffer), "%s/%s%d", kBaseAssetDirectory, kVersionDirectoryNamePrefix, current_version); - if (PathExists(buffer, NULL)) - { - rmrf(buffer); - } - current_version = version; - } - } - else - { - current_version = version; - } - } - } - closedir(dp); - } - else - { - TestOTALog("InitOTADirectory: opendir failed to open %s\n", kBaseAssetDirectory); - } - } - else - { - TestOTALog("InitOTADirectory: PathExists returned false for %s\n", kBaseAssetDirectory); - } - - // Check to see which version number is greater. - // If the current_version is greater then the OTA asset is newer. - // If the system_asset_version is greater than the system asset is newer. 
- if (current_version > system_asset_version) - { - // The OTA asset is newer than the system asset number - memset(buffer, 0, sizeof(buffer)); - TestOTALog("InitOTADirectory: current_version = %d\n", current_version); - snprintf(buffer, sizeof(buffer), "%s/%s%d", kBaseAssetDirectory, kVersionDirectoryNamePrefix, current_version); - size_t length = strlen(buffer); - char* temp_str = (char*)malloc(length + 1); - memset(temp_str, 0, (length + 1)); - strncpy(temp_str, buffer, length); - result = temp_str; - } - else - { - // The system asset number is newer than the OTA asset number - current_version = system_asset_version; - if (NULL != result) - { - free((void *)result); - } - result = NULL; - } - - if (NULL != pAssetVersion) - { - *pAssetVersion = current_version; - } - return result; -} - -static CF_RETURNS_RETAINED CFSetRef InitializeBlackList(const char* path_ptr) -{ - CFPropertyListRef plist = CFPropertyListCopyFromAsset(path_ptr, CFSTR("Blocked")); - CFSetRef result = CFSetCreateFromPropertyList(plist); - CFReleaseSafe(plist); - - return result; -} - -static CF_RETURNS_RETAINED CFSetRef InitializeGrayList(const char* path_ptr) -{ - CFPropertyListRef plist = CFPropertyListCopyFromAsset(path_ptr, CFSTR("GrayListedKeys")); - CFSetRef result = CFSetCreateFromPropertyList(plist); - CFReleaseSafe(plist); - - return result; -} - -static CF_RETURNS_RETAINED CFArrayRef InitializePinningList(const char* path_ptr) -{ - CFPropertyListRef list = CFPropertyListCopyFromAsset(path_ptr, CFSTR("CertificatePinning")); - - if (isArray(list)) { - return list; - } else { - CFReleaseNull(list); - return NULL; - } -} - -static CF_RETURNS_RETAINED CFDictionaryRef InitializeAllowList(const char* path_ptr) -{ - CFPropertyListRef allowList = CFPropertyListCopyFromAsset(path_ptr, CFSTR("Allowed")); - - if (allowList && (CFGetTypeID(allowList) == CFDictionaryGetTypeID())) { - return allowList; - } else { - CFReleaseNull(allowList); - return NULL; - } -} - -static CF_RETURNS_RETAINED 
CFArrayRef InitializeTrustedCTLogs(const char* path_ptr) -{ - CFPropertyListRef trustedCTLogs = CFPropertyListCopyFromAsset(path_ptr, CFSTR("TrustedCTLogs")); - - if (trustedCTLogs && (CFGetTypeID(trustedCTLogs) == CFArrayGetTypeID())) { - return trustedCTLogs; - } else { - CFReleaseNull(trustedCTLogs); - return NULL; - } -} - -static CF_RETURNS_RETAINED CFDictionaryRef InitializeEVPolicyToAnchorDigestsTable(const char* path_ptr) -{ - CFDictionaryRef result = NULL; - CFPropertyListRef evroots = CFPropertyListCopyFromAsset(path_ptr, CFSTR("EVRoots")); - - if (evroots) { - if (CFGetTypeID(evroots) == CFDictionaryGetTypeID()) { - /* @@@ Ensure that each dictionary key is a dotted list of digits, - each value is an NSArrayRef and each element in the array is a - 20 byte digest. */ - result = (CFDictionaryRef)evroots; - } - else { - secwarning("EVRoot.plist is wrong type."); - CFRelease(evroots); - } - } - - return result; -} - -static CFIndex InitializeValidSnapshotVersion(CFIndex *outFormat) -{ - CFIndex validVersion = 0; - CFIndex validFormat = 0; - CFDataRef validVersionData = SecSystemTrustStoreCopyResourceContents(CFSTR("ValidUpdate"), CFSTR("plist"), NULL); - if (NULL != validVersionData) - { - CFPropertyListFormat propFormat; - CFDictionaryRef versionPlist = CFPropertyListCreateWithData(kCFAllocatorDefault, validVersionData, 0, &propFormat, NULL); - if (NULL != versionPlist && CFDictionaryGetTypeID() == CFGetTypeID(versionPlist)) - { - CFNumberRef versionNumber = (CFNumberRef)CFDictionaryGetValue(versionPlist, (const void *)CFSTR("Version")); - if (NULL != versionNumber) - { - CFNumberGetValue(versionNumber, kCFNumberCFIndexType, &validVersion); - } - CFNumberRef formatNumber = (CFNumberRef)CFDictionaryGetValue(versionPlist, (const void *)CFSTR("Format")); - if (NULL != formatNumber) - { - CFNumberGetValue(formatNumber, kCFNumberCFIndexType, &validFormat); - } - } - CFReleaseSafe(versionPlist); - CFReleaseSafe(validVersionData); - } - if (outFormat) { - 
*outFormat = validFormat; - } - return validVersion; -} - -static const char* InitializeValidSnapshotData(CFStringRef filename_str) -{ - char *result = NULL; - const char *base_error_str = "could not get valid snapshot"; - - CFURLRef valid_url = SecSystemTrustStoreCopyResourceURL(filename_str, CFSTR("sqlite3"), NULL); - if (NULL == valid_url) { - secerror("%s", base_error_str); - } else { - CFStringRef valid_str = CFURLCopyFileSystemPath(valid_url, kCFURLPOSIXPathStyle); - char file_path_buffer[PATH_MAX]; - memset(file_path_buffer, 0, PATH_MAX); - if (NULL == valid_str) { - secerror("%s path", base_error_str); - } else { - const char *valid_cstr = CFStringGetCStringPtr(valid_str, kCFStringEncodingUTF8); - if (NULL == valid_cstr) { - if (CFStringGetCString(valid_str, file_path_buffer, PATH_MAX, kCFStringEncodingUTF8)) { - valid_cstr = file_path_buffer; - } - } - if (NULL == valid_cstr) { - secerror("%s path as UTF8 string", base_error_str); - } else { - asprintf(&result, "%s", valid_cstr); - } - } - CFReleaseSafe(valid_str); - } - CFReleaseSafe(valid_url); - if (result && !PathExists(result, NULL)) { - free(result); - result = NULL; - } - return (const char*)result; -} - -static const char* InitializeValidUpdateSnapshot() -{ - return InitializeValidSnapshotData(CFSTR("update-full")); -} - -static const char* InitializeValidDatabaseSnapshot() -{ - return InitializeValidSnapshotData(CFSTR("valid")); -} - -static void* MapFile(const char* path, int* out_fd, size_t* out_file_size) -{ - void* result = NULL; - void* temp_result = NULL; - if (NULL == path || NULL == out_fd || NULL == out_file_size) - { - return result; - } - - *out_fd = -1; - *out_file_size = 0; - - - *out_fd = open(path, O_RDONLY, 0666); - - if (*out_fd == -1) - { - return result; - } - - off_t fsize = lseek(*out_fd, 0, SEEK_END); - if (fsize == (off_t)-1) - { - return result; - } - - if (fsize > (off_t)INT32_MAX) - { - close(*out_fd); - *out_fd = -1; - return result; - } - - size_t malloc_size = 
(size_t)fsize; - - temp_result = malloc(malloc_size); - if (NULL == temp_result) - { - close(*out_fd); - *out_fd = -1; - return result; - } - - *out_file_size = malloc_size; - - off_t total_read = 0; - while (total_read < fsize) - { - ssize_t bytes_read; - - bytes_read = pread(*out_fd, temp_result, (size_t)(fsize - total_read), total_read); - if (bytes_read == -1) - { - free(temp_result); - temp_result = NULL; - close(*out_fd); - *out_fd = -1; - return result; - } - if (bytes_read == 0) - { - free(temp_result); - temp_result = NULL; - close(*out_fd); - *out_fd = -1; - return result; - } - total_read += bytes_read; - } - - if (NULL != temp_result) - { - result = temp_result; - } - - return result; -} - -static void UnMapFile(void* mapped_data, size_t data_size) -{ -#pragma unused(mapped_data, data_size) - if (NULL != mapped_data) - { - free((void *)mapped_data); - mapped_data = NULL; - } -} - -static bool InitializeAnchorTable(const char* path_ptr, CFDictionaryRef* pLookupTable, const char** ppAnchorTable) -{ - - bool result = false; - - if (NULL == pLookupTable || NULL == ppAnchorTable) - { - return result; - } - - *pLookupTable = NULL; - *ppAnchorTable = NULL;; - - const char* dir_path = NULL; - CFDataRef cert_index_file_data = NULL; - char file_path_buffer[PATH_MAX]; - CFURLRef table_data_url = NULL; - CFStringRef table_data_cstr_path = NULL; - const char* table_data_path = NULL; - const index_record* pIndex = NULL; - size_t index_offset = 0; - size_t index_data_size = 0; - CFMutableDictionaryRef anchorLookupTable = NULL; - uint32_t offset_int_value = 0; - CFNumberRef index_offset_value = NULL; - CFDataRef index_hash = NULL; - CFMutableArrayRef offsets = NULL; - Boolean release_offset = false; - - char* local_anchorTable = NULL; - size_t local_anchorTableSize = 0; - int local_anchorTable_fd = -1; - - // ------------------------------------------------------------------------ - // First determine if there are asset files at /var/Keychains. 
If there - // are files use them for the trust table. Otherwise, use the files in the - // Security.framework bundle. - // - // The anchor table file is mapped into memory. This SHOULD be OK as the - // size of the data is around 250K. - // ------------------------------------------------------------------------ - dir_path = path_ptr; - - if (NULL != dir_path) - { - // There is a set of OTA asset files - memset(file_path_buffer, 0, PATH_MAX); - snprintf(file_path_buffer, PATH_MAX, "%s/certsIndex.data", dir_path); - cert_index_file_data = SecOTACopyFileContents(file_path_buffer); - - if (NULL != cert_index_file_data) - { - memset(file_path_buffer, 0, PATH_MAX); - snprintf(file_path_buffer, PATH_MAX, "%s/certsTable.data", dir_path); - local_anchorTable = (char *)MapFile(file_path_buffer, &local_anchorTable_fd, &local_anchorTableSize); - } - - free((void *)dir_path); - dir_path = NULL; - } - - // Check to see if kAnchorTable was indeed set - if (NULL == local_anchorTable) - { - // local_anchorTable is still NULL so the asset in the system trust store bundle needs to be used. 
- CFReleaseSafe(cert_index_file_data); - cert_index_file_data = SecSystemTrustStoreCopyResourceContents(CFSTR("certsIndex"), CFSTR("data"), NULL); - if (!cert_index_file_data) { - secerror("could not find certsIndex"); - } - table_data_url = SecSystemTrustStoreCopyResourceURL(CFSTR("certsTable"), CFSTR("data"), NULL); - if (!table_data_url) { - secerror("could not find certsTable"); - } - - if (NULL != table_data_url) - { - table_data_cstr_path = CFURLCopyFileSystemPath(table_data_url, kCFURLPOSIXPathStyle); - if (NULL != table_data_cstr_path) - { - memset(file_path_buffer, 0, PATH_MAX); - table_data_path = CFStringGetCStringPtr(table_data_cstr_path, kCFStringEncodingUTF8); - if (NULL == table_data_path) - { - if (CFStringGetCString(table_data_cstr_path, file_path_buffer, PATH_MAX, kCFStringEncodingUTF8)) - { - table_data_path = file_path_buffer; - } - } - local_anchorTable = (char *)MapFile(table_data_path, &local_anchorTable_fd, &local_anchorTableSize); - CFReleaseSafe(table_data_cstr_path); - } - } - CFReleaseSafe(table_data_url); - } - - if (NULL == local_anchorTable || NULL == cert_index_file_data) - { - // we are in trouble - if (NULL != local_anchorTable) - { - UnMapFile(local_anchorTable, local_anchorTableSize); - local_anchorTable = NULL; - local_anchorTableSize = 0; - } - CFReleaseSafe(cert_index_file_data); - return result; - } - - // ------------------------------------------------------------------------ - // Now that the locations of the files are known and the table file has - // been mapped into memory, create a dictionary that maps the SHA1 hash of - // normalized issuer to the offset in the mapped anchor table file which - // contains a index_record to the correct certificate - // ------------------------------------------------------------------------ - pIndex = (const index_record*)CFDataGetBytePtr(cert_index_file_data); - index_data_size = CFDataGetLength(cert_index_file_data); - - anchorLookupTable = 
CFDictionaryCreateMutable(kCFAllocatorDefault, 0, - &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); - - for (index_offset = index_data_size; index_offset > 0; index_offset -= sizeof(index_record), pIndex++) - { - offset_int_value = pIndex->offset; - - index_offset_value = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &offset_int_value); - index_hash = CFDataCreate(kCFAllocatorDefault, pIndex->hash, CC_SHA1_DIGEST_LENGTH); - - // see if the dictionary already has this key - release_offset = false; - offsets = (CFMutableArrayRef)CFDictionaryGetValue(anchorLookupTable, index_hash); - if (NULL == offsets) - { - offsets = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); - release_offset = true; - } - - // Add the offset - CFArrayAppendValue(offsets, index_offset_value); - - // set the key value pair in the dictionary - CFDictionarySetValue(anchorLookupTable, index_hash, offsets); - - CFRelease(index_offset_value); - CFRelease(index_hash); - if (release_offset) - { - CFRelease(offsets); - } - } - - CFRelease(cert_index_file_data); - - if (NULL != anchorLookupTable && NULL != local_anchorTable) - { - *pLookupTable = anchorLookupTable; - *ppAnchorTable = local_anchorTable; - result = true; - } - else - { - CFReleaseSafe(anchorLookupTable); - if (NULL != local_anchorTable) - { - UnMapFile(local_anchorTable, local_anchorTableSize); - //munmap(kAnchorTable, local_anchorTableSize); - local_anchorTable = NULL; - local_anchorTableSize = 0; - } - } - - return result; -} - -static void InitializeEscrowCertificates(const char* path_ptr, CFArrayRef *escrowRoots, CFArrayRef *escrowPCSRoots) -{ - CFDataRef file_data = NULL; - - const char* dir_path = path_ptr; - if (NULL == dir_path) - { - file_data = SecSystemTrustStoreCopyResourceContents(CFSTR("AppleESCertificates"), CFSTR("plist"), NULL); - } - else - { - char buffer[1024]; - memset(buffer, 0, 1024); - snprintf(buffer, 1024, "%s/AppleESCertificates.plist", dir_path); - file_data = 
SecOTACopyFileContents(buffer); - } - - if (NULL != file_data) - { - CFPropertyListFormat propFormat; - CFDictionaryRef certsDictionary = CFPropertyListCreateWithData(kCFAllocatorDefault, file_data, 0, &propFormat, NULL); - if (NULL != certsDictionary && CFDictionaryGetTypeID() == CFGetTypeID((CFTypeRef)certsDictionary)) - { - CFArrayRef certs = (CFArrayRef)CFDictionaryGetValue(certsDictionary, CFSTR("ProductionEscrowKey")); - if (NULL != certs && CFArrayGetTypeID() == CFGetTypeID((CFTypeRef)certs) && CFArrayGetCount(certs) > 0) - { - *escrowRoots = CFArrayCreateCopy(kCFAllocatorDefault, certs); - } - CFArrayRef pcs_certs = (CFArrayRef)CFDictionaryGetValue(certsDictionary, CFSTR("ProductionPCSEscrowKey")); - if (NULL != pcs_certs && CFArrayGetTypeID() == CFGetTypeID((CFTypeRef)pcs_certs) && CFArrayGetCount(pcs_certs) > 0) - { - *escrowPCSRoots = CFArrayCreateCopy(kCFAllocatorDefault, pcs_certs); - } - } - CFReleaseSafe(certsDictionary); - CFRelease(file_data); - } - -} - - -static SecOTAPKIRef SecOTACreate() -{ - TestOTALog("In SecOTACreate\n"); - - SecOTAPKIRef otapkiref = NULL; - - otapkiref = CFTypeAllocate(SecOTAPKI, struct _OpaqueSecOTAPKI , kCFAllocatorDefault); - - if (NULL == otapkiref) - { - return otapkiref; - } - - // Make sure that if this routine has to bail that the clean up - // will do the right thing - otapkiref->_blackListSet = NULL; - otapkiref->_grayListSet = NULL; - otapkiref->_allowList = NULL; - otapkiref->_trustedCTLogs = NULL; - otapkiref->_pinningList = NULL; - otapkiref->_escrowCertificates = NULL; - otapkiref->_escrowPCSCertificates = NULL; - otapkiref->_evPolicyToAnchorMapping = NULL; - otapkiref->_anchorLookupTable = NULL; - otapkiref->_anchorTable = NULL; - otapkiref->_assetPath = NULL; - otapkiref->_assetVersion = 0; - otapkiref->_validUpdateSnapshot = NULL; - otapkiref->_validDatabaseSnapshot = NULL; - otapkiref->_validSnapshotVersion = 0; - otapkiref->_validSnapshotFormat = 0; - - // Start off by getting the correct asset directory 
info - int asset_version = 0; - const char* path_ptr = InitOTADirectory(&asset_version); - otapkiref->_assetPath = path_ptr; - otapkiref->_assetVersion = asset_version; - - TestOTALog("SecOTACreate: asset_path = \"%s\"\n", (path_ptr) ? path_ptr : ""); - TestOTALog("SecOTACreate: asset_version = %d\n", asset_version); - - // Get the set of black listed keys - CFSetRef blackKeysSet = InitializeBlackList(path_ptr); - if (NULL == blackKeysSet) - { - CFReleaseNull(otapkiref); - return otapkiref; - } - otapkiref->_blackListSet = blackKeysSet; - - // Get the set of gray listed keys - CFSetRef grayKeysSet = InitializeGrayList(path_ptr); - if (NULL == grayKeysSet) - { - CFReleaseNull(otapkiref); - return otapkiref; - } - otapkiref->_grayListSet = grayKeysSet; - - // Get the allow list dictionary - // (now loaded lazily in SecOTAPKICopyAllowList) - - // Get the trusted Certificate Transparency Logs - otapkiref->_trustedCTLogs = InitializeTrustedCTLogs(path_ptr); - - // Get the pinning list - otapkiref->_pinningList = InitializePinningList(path_ptr); - - // Get the valid update snapshot version and format - CFIndex update_format = 0; - otapkiref->_validSnapshotVersion = InitializeValidSnapshotVersion(&update_format); - otapkiref->_validSnapshotFormat = update_format; - - // Get the valid update snapshot path (if it exists, NULL otherwise) - otapkiref->_validUpdateSnapshot = InitializeValidUpdateSnapshot(); - - // Get the valid database snapshot path (if it exists, NULL otherwise) - otapkiref->_validDatabaseSnapshot = InitializeValidDatabaseSnapshot(); - - CFArrayRef escrowCerts = NULL; - CFArrayRef escrowPCSCerts = NULL; - InitializeEscrowCertificates(path_ptr, &escrowCerts, &escrowPCSCerts); - if (NULL == escrowCerts || NULL == escrowPCSCerts) - { - CFReleaseNull(escrowCerts); - CFReleaseNull(escrowPCSCerts); - CFReleaseNull(otapkiref); - return otapkiref; - } - otapkiref->_escrowCertificates = escrowCerts; - otapkiref->_escrowPCSCertificates = escrowPCSCerts; - - // Get the 
mapping of EV Policy OIDs to Anchor digest - CFDictionaryRef evOidToAnchorDigestMap = InitializeEVPolicyToAnchorDigestsTable(path_ptr); - if (NULL == evOidToAnchorDigestMap) - { - CFReleaseNull(otapkiref); - return otapkiref; - } - otapkiref->_evPolicyToAnchorMapping = evOidToAnchorDigestMap; - - CFDictionaryRef anchorLookupTable = NULL; - const char* anchorTablePtr = NULL; - - if (!InitializeAnchorTable(path_ptr, &anchorLookupTable, &anchorTablePtr)) - { - CFReleaseSafe(anchorLookupTable); - if (anchorTablePtr) { - free((void *)anchorTablePtr); - } - CFReleaseNull(otapkiref); - return otapkiref; - } - otapkiref->_anchorLookupTable = anchorLookupTable; - otapkiref->_anchorTable = anchorTablePtr; - return otapkiref; -} - -static dispatch_once_t kInitializeOTAPKI = 0; -static const char* kOTAQueueLabel = "com.apple.security.OTAPKIQueue"; -static dispatch_queue_t kOTAQueue; -static SecOTAPKIRef kCurrentOTAPKIRef = NULL; - -SecOTAPKIRef SecOTAPKICopyCurrentOTAPKIRef() -{ - __block SecOTAPKIRef result = NULL; - dispatch_once(&kInitializeOTAPKI, - ^{ - kOTAQueue = dispatch_queue_create(kOTAQueueLabel, NULL); - kCurrentOTAPKIRef = SecOTACreate(); - }); - - dispatch_sync(kOTAQueue, - ^{ - result = kCurrentOTAPKIRef; - CFRetainSafe(result); - }); - return result; -} - - -CFSetRef SecOTAPKICopyBlackListSet(SecOTAPKIRef otapkiRef) -{ - CFSetRef result = NULL; - if (NULL == otapkiRef) - { - return result; - } - - result = otapkiRef->_blackListSet; - CFRetainSafe(result); - return result; -} - - -CFSetRef SecOTAPKICopyGrayList(SecOTAPKIRef otapkiRef) -{ - CFSetRef result = NULL; - if (NULL == otapkiRef) - { - return result; - } - - result = otapkiRef->_grayListSet; - CFRetainSafe(result); - return result; -} - -CFDictionaryRef SecOTAPKICopyAllowList(SecOTAPKIRef otapkiRef) -{ - CFDictionaryRef result = NULL; - if (NULL == otapkiRef) - { - return result; - } - - result = otapkiRef->_allowList; - if (!result) { - result = InitializeAllowList(otapkiRef->_assetPath); - 
otapkiRef->_allowList = result; - } - - CFRetainSafe(result); - return result; -} - -CFArrayRef SecOTAPKICopyAllowListForAuthKeyID(SecOTAPKIRef otapkiRef, CFStringRef authKeyID) -{ - // %%% temporary performance optimization: - // only load dictionary if we know an allow list exists for this key - const CFStringRef keyIDs[3] = { - CFSTR("7C724B39C7C0DB62A54F9BAA183492A2CA838259"), - CFSTR("65F231AD2AF7F7DD52960AC702C10EEFA6D53B11"), - CFSTR("D2A716207CAFD9959EEB430A19F2E0B9740EA8C7") - }; - CFArrayRef result = NULL; - bool hasAllowList = false; - CFIndex count = (sizeof(keyIDs) / sizeof(keyIDs[0])); - for (CFIndex ix=0; ix_trustedCTLogs; - CFRetainSafe(result); - return result; -} - -CFArrayRef SecOTAPKICopyPinningList(SecOTAPKIRef otapkiRef) { - CFArrayRef result = NULL; - if (NULL == otapkiRef) - { - return result; - } - - result = otapkiRef->_pinningList; - CFRetainSafe(result); - return result; -} - - -/* Returns an array of certificate data (CFDataRef) */ -CFArrayRef SecOTAPKICopyEscrowCertificates(uint32_t escrowRootType, SecOTAPKIRef otapkiRef) -{ - CFMutableArrayRef result = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); - if (NULL == otapkiRef) { - return result; - } - - switch (escrowRootType) { - // Note: we shouldn't be getting called to return baseline roots, - // since this function vends production roots by definition. 
- case kSecCertificateBaselineEscrowRoot: - case kSecCertificateProductionEscrowRoot: - case kSecCertificateBaselineEscrowBackupRoot: - case kSecCertificateProductionEscrowBackupRoot: - if (otapkiRef->_escrowCertificates) { - CFArrayRef escrowCerts = otapkiRef->_escrowCertificates; - CFArrayAppendArray(result, escrowCerts, CFRangeMake(0, CFArrayGetCount(escrowCerts))); - } - break; - case kSecCertificateBaselineEscrowEnrollmentRoot: - case kSecCertificateProductionEscrowEnrollmentRoot: - if (otapkiRef->_escrowCertificates) { - // for enrollment purposes, exclude the v100 root - static const unsigned char V100EscrowRoot[] = { - 0x65,0x5C,0xB0,0x3C,0x39,0x3A,0x32,0xA6,0x0B,0x96, - 0x40,0xC0,0xCA,0x73,0x41,0xFD,0xC3,0x9E,0x96,0xB3 - }; - CFArrayRef escrowCerts = otapkiRef->_escrowCertificates; - CFIndex idx, count = CFArrayGetCount(escrowCerts); - for (idx=0; idx < count; idx++) { - CFDataRef tmpData = (CFDataRef) CFArrayGetValueAtIndex(escrowCerts, idx); - SecCertificateRef tmpCert = (tmpData) ? SecCertificateCreateWithData(NULL, tmpData) : NULL; - CFDataRef sha1Hash = (tmpCert) ? SecCertificateGetSHA1Digest(tmpCert) : NULL; - const uint8_t *dp = (sha1Hash) ? 
CFDataGetBytePtr(sha1Hash) : NULL; - if (!(dp && !memcmp(V100EscrowRoot, dp, sizeof(V100EscrowRoot))) && tmpData) { - CFArrayAppendValue(result, tmpData); - } - CFReleaseSafe(tmpCert); - } - } - break; - case kSecCertificateBaselinePCSEscrowRoot: - case kSecCertificateProductionPCSEscrowRoot: - if (otapkiRef->_escrowPCSCertificates) { - CFArrayRef escrowPCSCerts = otapkiRef->_escrowPCSCertificates; - CFArrayAppendArray(result, escrowPCSCerts, CFRangeMake(0, CFArrayGetCount(escrowPCSCerts))); - } - break; - default: - break; - } - - return result; -} - - -CFDictionaryRef SecOTAPKICopyEVPolicyToAnchorMapping(SecOTAPKIRef otapkiRef) -{ - CFDictionaryRef result = NULL; - if (NULL == otapkiRef) - { - return result; - } - - result = otapkiRef->_evPolicyToAnchorMapping; - CFRetainSafe(result); - return result; -} - - -CFDictionaryRef SecOTAPKICopyAnchorLookupTable(SecOTAPKIRef otapkiRef) -{ - CFDictionaryRef result = NULL; - if (NULL == otapkiRef) - { - return result; - } - - result = otapkiRef->_anchorLookupTable; - CFRetainSafe(result); - return result; -} - -const char* SecOTAPKIGetAnchorTable(SecOTAPKIRef otapkiRef) -{ - const char* result = NULL; - if (NULL == otapkiRef) - { - return result; - } - - result = otapkiRef->_anchorTable; - return result; -} - -const char* SecOTAPKIGetValidUpdateSnapshot(SecOTAPKIRef otapkiRef) -{ - const char* result = NULL; - if (NULL == otapkiRef) - { - return result; - } - - result = otapkiRef->_validUpdateSnapshot; - return result; -} - -const char* SecOTAPKIGetValidDatabaseSnapshot(SecOTAPKIRef otapkiRef) -{ - const char* result = NULL; - if (NULL == otapkiRef) - { - return result; - } - - result = otapkiRef->_validDatabaseSnapshot; - return result; -} - -CFIndex SecOTAPKIGetValidSnapshotVersion(SecOTAPKIRef otapkiRef) -{ - CFIndex result = 0; - if (NULL == otapkiRef) - { - return result; - } - - result = otapkiRef->_validSnapshotVersion; - return result; -} - -CFIndex SecOTAPKIGetValidSnapshotFormat(SecOTAPKIRef otapkiRef) -{ - 
CFIndex result = 0; - if (NULL == otapkiRef) - { - return result; - } - - result = otapkiRef->_validSnapshotFormat; - return result; -} - -int SecOTAPKIGetAssetVersion(SecOTAPKIRef otapkiRef) -{ - int result = 0; - if (NULL == otapkiRef) - { - return result; - } - - result = otapkiRef->_assetVersion; - return result; -} - -void SecOTAPKIRefreshData() -{ - TestOTALog("In SecOTAPKIRefreshData\n"); - SecOTAPKIRef new_otaPKRef = SecOTACreate(); - dispatch_sync(kOTAQueue, - ^{ - CFReleaseSafe(kCurrentOTAPKIRef); - kCurrentOTAPKIRef = new_otaPKRef; - }); -} - -/* Returns an array of certificate data (CFDataRef) */ -CFArrayRef SecOTAPKICopyCurrentEscrowCertificates(uint32_t escrowRootType, CFErrorRef* error) -{ - CFArrayRef result = NULL; - - SecOTAPKIRef otapkiref = SecOTAPKICopyCurrentOTAPKIRef(); - if (NULL == otapkiref) - { - SecError(errSecInternal, error, CFSTR("Unable to get the current OTAPKIRef")); - return result; - } - - result = SecOTAPKICopyEscrowCertificates(escrowRootType, otapkiref); - CFRelease(otapkiref); - - if (NULL == result) - { - SecError(errSecInternal, error, CFSTR("Could not get escrow certificates from the current OTAPKIRef")); - } - return result; -} - -int SecOTAPKIGetCurrentAssetVersion(CFErrorRef* error) -{ - int result = 0; - - SecOTAPKIRef otapkiref = SecOTAPKICopyCurrentOTAPKIRef(); - if (NULL == otapkiref) - { - SecError(errSecInternal, error, CFSTR("Unable to get the current OTAPKIRef")); - return result; - } - - result = otapkiref->_assetVersion; - return result; -} - -int SecOTAPKISignalNewAsset(CFErrorRef* error) -{ - TestOTALog("SecOTAPKISignalNewAsset has been called!\n"); - SecOTAPKIRefreshData(); - return 1; -} diff --git a/OSX/sec/securityd/OTATrustUtilities.h b/OSX/sec/securityd/OTATrustUtilities.h index 6240d158..9494478b 100644 --- a/OSX/sec/securityd/OTATrustUtilities.h +++ b/OSX/sec/securityd/OTATrustUtilities.h 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2003-2004,2006-2010,2013-2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2003-2018 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -35,6 +35,9 @@ __BEGIN_DECLS // Opaque type that holds the data for a specific version of the OTA PKI assets typedef struct _OpaqueSecOTAPKI *SecOTAPKIRef; +// Returns a boolean for whether the current instance is the system trustd +bool SecOTAPKIIsSystemTrustd(void); + // Get a reference to the current OTA PKI asset data // Caller is responsible for releasing the returned SecOTAPKIRef CF_EXPORT @@ -65,10 +68,10 @@ CFArrayRef SecOTAPKICopyAllowListForAuthKeyID(SecOTAPKIRef otapkiRef, CFStringRe CF_EXPORT CFArrayRef SecOTAPKICopyTrustedCTLogs(SecOTAPKIRef otapkiRef); -// Accessor to retrieve a copy of the current pinning list. -// Caller is responsible for releasing the returned CFArrayRef +// Accessor to retrieve the path of the current pinning list. +// Caller is responsible for releasing the returned CFURLRef CF_EXPORT -CFArrayRef SecOTAPKICopyPinningList(SecOTAPKIRef otapkiRef); +CFURLRef SecOTAPKICopyPinningList(SecOTAPKIRef otapkiRef); // Accessor to retrieve the array of Escrow certificates. // Caller is responsible for releasing the returned CFArrayRef 
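Review bot: The comment added for `SecOTAPKIIsSystemTrustd` in the `@@ -35,6 +35,9 @@` hunk does not say how the answer is decided. In the new OTATrustUtilities.m it is a `getuid()` comparison evaluated once under `dispatch_once` and cached for the life of the process. The asset write and delete helpers in that file act only when it returns true, so the header should state the contract, for example `// True when the process uid is the securityd role account (iOS-family) or root (otherwise); always true in NO_SERVER builds. Computed on first call and cached.` Unlike the neighbouring declarations this one carries no `CF_EXPORT`; if that is deliberate, a short remark would help.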
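Review bot: In the `@@ -65,10 +68,10 @@` hunk, `SecOTAPKICopyPinningList` keeps its name while its return type changes from `CFArrayRef` to `CFURLRef`, so the name no longer describes the result. A caller not updated with this commit would pass a URL object to array APIs, and a C compiler typically reports that pointer mismatch only as a warning. A name that follows the new contract, such as `CFURLRef SecOTAPKICopyPinningListURL(SecOTAPKIRef otapkiRef);`, would turn stale callers into build failures. The comment should also say whether NULL is returned when no pinning list is available, which the hunk does not show.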
@@ -116,27 +119,46 @@ CFIndex SecOTAPKIGetValidSnapshotVersion(SecOTAPKIRef otapkiRef); CF_EXPORT CFIndex SecOTAPKIGetValidSnapshotFormat(SecOTAPKIRef otapkiRef); -// Accessor to retrieve the current OTA PKI asset version number +// Accessor to retrieve the OTAPKI trust store version +// Note: Trust store is not mutable by assets CF_EXPORT -int SecOTAPKIGetAssetVersion(SecOTAPKIRef otapkiRef); +uint64_t SecOTAPKIGetTrustStoreVersion(SecOTAPKIRef otapkiRef); -// Signal that a new OTA PKI asset version is available. This call -// will update the current SecOTAPKIRef to now reference the latest -// asset data +// Accessor to retrieve the OTAPKI asset version CF_EXPORT -void SecOTAPKIRefreshData(void); +uint64_t SecOTAPKIGetAssetVersion(SecOTAPKIRef otapkiRef); + +#if __OBJC__ +// SPI to return the current sampling rate for the event name +// This rate is actually n where we sample 1 out of every n +NSNumber *SecOTAPKIGetSamplingRateForEvent(SecOTAPKIRef otapkiRef, NSString *eventName); +#endif // __OBJC__ + +CFArrayRef SecOTAPKICopyAppleCertificateAuthorities(SecOTAPKIRef otapkiRef); // SPI to return the array of currently trusted Escrow certificates CF_EXPORT CFArrayRef SecOTAPKICopyCurrentEscrowCertificates(uint32_t escrowRootType, CFErrorRef* error); +// SPI to return the current OTA PKI trust store version +// Note: Trust store is not mutable by assets +CF_EXPORT +uint64_t SecOTAPKIGetCurrentTrustStoreVersion(CFErrorRef* CF_RETURNS_RETAINED error); + // SPI to return the current OTA PKI asset version CF_EXPORT -int SecOTAPKIGetCurrentAssetVersion(CFErrorRef* error); +uint64_t SecOTAPKIGetCurrentAssetVersion(CFErrorRef* error); + +// SPI to reset the current OTA PKI asset version to the version shipped +// with the system +CF_EXPORT +uint64_t SecOTAPKIResetCurrentAssetVersion(CFErrorRef* CF_RETURNS_RETAINED error); -// SPI to signal securityd to get a new set of trust data +// SPI to signal trustd to get a new set of trust data +// Always returns the current asset 
version. Returns an error with +// a reason if the update was not successful. CF_EXPORT -int SecOTAPKISignalNewAsset(CFErrorRef* error); +uint64_t SecOTAPKISignalNewAsset(CFErrorRef* CF_RETURNS_RETAINED error); __END_DECLS diff --git a/OSX/sec/securityd/OTATrustUtilities.m b/OSX/sec/securityd/OTATrustUtilities.m new file mode 100644 index 00000000..31f0bad9 --- /dev/null +++ b/OSX/sec/securityd/OTATrustUtilities.m 
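Review bot: The `CF_RETURNS_RETAINED` annotation on the `error` out-parameter is applied inconsistently in the `@@ -116,27 +119,46 @@` hunk. `SecOTAPKIGetCurrentTrustStoreVersion`, `SecOTAPKIResetCurrentAssetVersion` and `SecOTAPKISignalNewAsset` carry it, but `SecOTAPKIGetCurrentAssetVersion` does not. The new .m file releases the error it gets back from that function (in `ShouldUpdateWithAsset`), so ownership looks the same and the declaration should read `uint64_t SecOTAPKIGetCurrentAssetVersion(CFErrorRef* CF_RETURNS_RETAINED error);` so the static analyzer can flag callers that leak it. Now that these functions return `uint64_t` instead of `int`, the comments should also say which value, if any, signals failure, because a caller that only tests the old `SecOTAPKISignalNewAsset` result for non-zero now receives a version number. `SecOTAPKICopyAppleCertificateAuthorities` is added with neither an ownership comment nor `CF_EXPORT`, unlike the other Copy accessors.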
@@ -0,0 +1,1797 @@ +/* + * Copyright (c) 2003-2018 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + * + * OTATrustUtilities.m + */ + +#import +#include "OTATrustUtilities.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "SecFramework.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#if !TARGET_OS_BRIDGE +#import +#import +#include +#include +#include +#import +#endif + +#if TARGET_OS_OSX +#import +#endif + +static inline bool isNSNumber(id nsType) { + return nsType && [nsType isKindOfClass:[NSNumber class]]; +} + +static inline bool isNSDictionary(id nsType) { + return nsType && [nsType isKindOfClass:[NSDictionary class]]; +} + +static inline bool isNSArray(id nsType) { + return nsType && [nsType isKindOfClass:[NSArray class]]; +} + +#define SECURITYD_ROLE_ACCOUNT 64 +#define ROOT_ACCOUNT 0 + +bool SecOTAPKIIsSystemTrustd() { + static bool result = false; + static dispatch_once_t onceToken; + 
dispatch_once(&onceToken, ^{ +#ifdef NO_SERVER + // Test app running as securityd +#elif TARGET_OS_IPHONE + if (getuid() == SECURITYD_ROLE_ACCOUNT) +#else + if (getuid() == ROOT_ACCOUNT) +#endif + { + result = true; + } + }); + return result; +} + +/* MARK: - */ +/* MARK: System Trust Store */ +static CFStringRef kSecSystemTrustStoreBundlePath = CFSTR("/System/Library/Security/Certificates.bundle"); + +CFGiblisGetSingleton(CFBundleRef, SecSystemTrustStoreGetBundle, bundle, ^{ + CFStringRef bundlePath = NULL; +#if TARGET_OS_SIMULATOR + char *simulatorRoot = getenv("SIMULATOR_ROOT"); + if (simulatorRoot) + bundlePath = CFStringCreateWithFormat(NULL, NULL, CFSTR("%s%@"), simulatorRoot, kSecSystemTrustStoreBundlePath); +#endif + if (!bundlePath) + bundlePath = CFRetainSafe(kSecSystemTrustStoreBundlePath); + CFURLRef url = CFURLCreateWithFileSystemPath(kCFAllocatorDefault, bundlePath, kCFURLPOSIXPathStyle, true); + *bundle = (url) ? CFBundleCreate(kCFAllocatorDefault, url) : NULL; + CFReleaseSafe(url); + CFReleaseSafe(bundlePath); +}) + +static CFURLRef SecSystemTrustStoreCopyResourceURL(CFStringRef resourceName, + CFStringRef resourceType, CFStringRef subDirName) { + CFURLRef url = NULL; + CFBundleRef bundle = SecSystemTrustStoreGetBundle(); + if (bundle) { + url = CFBundleCopyResourceURL(bundle, resourceName, + resourceType, subDirName); + } + if (!url) { + secwarning("resource: %@.%@ in %@ not found", resourceName, + resourceType, subDirName); + } + return url; +} + +static NSURL *SecSystemTrustStoreCopyResourceNSURL(NSString *resourceFileName) { + CFBundleRef bundle = SecSystemTrustStoreGetBundle(); + if (!bundle) { + return NULL; + } + NSURL *resourceDir = CFBridgingRelease(CFBundleCopyResourcesDirectoryURL(bundle)); + if (!resourceDir) { + return NULL; + } + NSURL *fileURL = [NSURL URLWithString:resourceFileName + relativeToURL:resourceDir]; + if (!fileURL) { + secwarning("resource: %@ not found", resourceFileName); + } + return fileURL; +} + +static CFDataRef 
SecSystemTrustStoreCopyResourceContents(CFStringRef resourceName, + CFStringRef resourceType, CFStringRef subDirName) { + CFURLRef url = SecSystemTrustStoreCopyResourceURL(resourceName, resourceType, subDirName); + CFDataRef data = NULL; + if (url) { + SInt32 error; + if (!CFURLCreateDataAndPropertiesFromResource(kCFAllocatorDefault, + url, &data, NULL, NULL, &error)) { + secwarning("read: %ld", (long) error); + } + CFRelease(url); + } + return data; +} + +/* MARK: - */ +/* MARK: MobileAsset Updates */ +// MARK: Forward Declarations +static uint64_t GetAssetVersion(void); +#if !TARGET_OS_BRIDGE +static BOOL UpdateFromAsset(NSURL *localURL, NSNumber *asset_version); +#endif + +// MARK: Constants +NSString *kOTATrustContentVersionKey = @"MobileAssetContentVersion"; +NSString *kOTATrustContextFilename = @"OTAPKIContext.plist"; +NSString *kOTATrustTrustedCTLogsFilename = @"TrustedCTLogs.plist"; +NSString *kOTATrustAnalyticsSamplingRatesFilename = @"AnalyticsSamplingRates.plist"; +NSString *kOTATrustAppleCertifcateAuthoritiesFilename = @"AppleCertificateAuthorities.plist"; + +#if !TARGET_OS_BRIDGE +const NSString *OTATrustMobileAssetType = @"com.apple.MobileAsset.PKITrustSupplementals"; +#define kOTATrustMobileAssetNotification "com.apple.MobileAsset.PKITrustSupplementals.cached-metadata-updated" +#define kOTATrustOnDiskAssetNotification "com.apple.trustd.asset-updated" +const NSUInteger OTATrustMobileAssetCompatibilityVersion = 1; +#define kOTATrustDefaultUpdatePeriod 60*60*12 // 12 hours +#define kOTATrustMinimumUpdatePeriod 60*5 // 5 min + +#if TARGET_OS_OSX +const CFStringRef kSecSUPrefDomain = CFSTR("com.apple.SoftwareUpdate"); +const CFStringRef kSecSUScanPrefConfigDataInstallKey = CFSTR("ConfigDataInstall"); +#endif + +// MARK: Helper functions +typedef enum { + OTATrustLogLevelDebug, + OTATrustLogLevelInfo, + OTATrustLogLevelNotice, + OTATrustLogLevelError, +} OTATrustLogLevel; + +static void MakeOTATrustError(NSError **error, OTATrustLogLevel level, OSStatus 
errCode, NSString *format,...) NS_FORMAT_FUNCTION(4,5); + +static void LogLocally(OTATrustLogLevel level, NSString *errorString) { + switch (level) { + case OTATrustLogLevelDebug: + secdebug("OTATrust", "%@", errorString); + break; + case OTATrustLogLevelInfo: + secinfo("OTATrust", "%@", errorString); + break; + case OTATrustLogLevelNotice: + secnotice("OTATrust", "%@", errorString); + break; + case OTATrustLogLevelError: + secerror("OTATrust: %@", errorString); + break; + } +} + +static void LogRemotely(OTATrustLogLevel level, NSError **error) { +#if ENABLE_TRUSTD_ANALYTICS + /* only report errors and notices */ + if (error && level == OTATrustLogLevelError) { + [[TrustdHealthAnalytics logger] logResultForEvent:TrustdHealthAnalyticsEventOTAPKIEvent hardFailure:YES result:*error]; + } else if (error && level == OTATrustLogLevelNotice) { + [[TrustdHealthAnalytics logger] logResultForEvent:TrustdHealthAnalyticsEventOTAPKIEvent hardFailure:NO result:*error]; + } +#endif // ENABLE_TRUSTD_ANALYTICS +} + +static void MakeOTATrustError(NSError **error, OTATrustLogLevel level, OSStatus errCode, NSString *format,...) 
{
+ va_list args;
+ va_start(args, format);
+ NSString *formattedString = nil;
+ if (format) {
+ formattedString = [[NSString alloc] initWithFormat:format arguments:args];
+ }
+ if (error) {
+ NSMutableDictionary *userInfo = [[NSMutableDictionary alloc] init];
+ if (format) {
+ [userInfo setObject:formattedString forKey:NSLocalizedDescriptionKey];
+ }
+
+ *error = [NSError errorWithDomain:NSOSStatusErrorDomain
+ code:errCode
+ userInfo:userInfo];
+ }
+
+ LogLocally(level, formattedString);
+ LogRemotely(level, error);
+ va_end(args);
+}
+
+static BOOL CanCheckMobileAsset(void) {
+ BOOL result = YES;
+#if TARGET_OS_OSX
+ /* Check the user's SU preferences to determine if "Install system data files" is off */
+ if (!CFPreferencesSynchronize(kSecSUPrefDomain, kCFPreferencesAnyUser, kCFPreferencesCurrentHost)) {
+ secerror("OTATrust: unable to synchronize SoftwareUpdate prefs");
+ return NO;
+ }
+
+ id value = nil;
+ if (CFPreferencesAppValueIsForced(kSecSUScanPrefConfigDataInstallKey, kSecSUPrefDomain)) {
+ value = CFBridgingRelease(CFPreferencesCopyAppValue(kSecSUScanPrefConfigDataInstallKey, kSecSUPrefDomain));
+ } else {
+ value = CFBridgingRelease(CFPreferencesCopyValue(kSecSUScanPrefConfigDataInstallKey, kSecSUPrefDomain,
+ kCFPreferencesAnyUser, kCFPreferencesCurrentHost));
+ }
+ if (isNSNumber(value)) {
+ result = [value boolValue];
+ }
+
+ if (!result) { secnotice("OTATrust", "User has disabled system data installation."); }
+
+ /* MobileAsset.framework isn't mastered into the BaseSystem. Check that the MA classes are linked. */
+ if (![ASAssetQuery class] || ![ASAsset class] || ![MAAssetQuery class] || ![MAAsset class]) {
+ secnotice("OTATrust", "Weak-linked MobileAsset framework missing.");
+ result = NO;
+ }
+#endif
+ return result;
+}
+
+static BOOL ShouldUpdateWithAsset(NSNumber *asset_version) {
+ if (![asset_version isKindOfClass:[NSNumber class]]) {
+ return NO;
+ }
+ CFErrorRef error = nil;
+ uint64_t current_version = SecOTAPKIGetCurrentAssetVersion(&error);
+ if (error) {
+ CFReleaseNull(error);
+ return NO;
+ }
+ if ([asset_version compare:[NSNumber numberWithUnsignedLongLong:current_version]] == NSOrderedDescending) {
+ return YES;
+ }
+ return NO;
+}
+
+static bool verify_create_path(const char *path) {
+ int ret = mkpath_np(path, 0755);
+ if (!(ret == 0 || ret == EEXIST)) {
+ secerror("could not create path: %s (%s)", path, strerror(ret));
+ return false;
+ }
+ return true;
+}
+
+// MARK: File management functions
+static NSURL *GetAssetFileURL(NSString *filename) {
+ /* Make sure the /Library/Keychains directory is there */
+#if TARGET_OS_IPHONE
+ NSURL *keychainsDirectory = CFBridgingRelease(SecCopyURLForFileInKeychainDirectory(nil));
+#else
+ NSURL *keychainsDirectory = [NSURL fileURLWithFileSystemRepresentation:"/Library/Keychains/" isDirectory:YES relativeToURL:nil];
+#endif
+ NSURL *directory = [keychainsDirectory URLByAppendingPathComponent:@"SupplementalsAssets/" isDirectory:YES];
+ if (!verify_create_path([directory fileSystemRepresentation])) {
+ return nil;
+ }
+
+ if (filename) {
+ return [directory URLByAppendingPathComponent:filename];
+ } else {
+ return directory;
+ }
+}
+
+static void DeleteFileWithName(NSString *filename) {
+ NSFileManager *fileManager = [NSFileManager defaultManager];
+ NSError *error = nil;
+ [fileManager removeItemAtURL:GetAssetFileURL(filename) error:&error];
+ if (error) {
+ secerror("OTATrust: failed to remove %@: %@", filename, error);
+ }
+}
+
+static void DeleteAssetFromDisk(void) {
+ if (SecOTAPKIIsSystemTrustd()) {
+ DeleteFileWithName(kOTATrustContextFilename);
+ DeleteFileWithName(kOTATrustTrustedCTLogsFilename);
+ DeleteFileWithName(kOTATrustAnalyticsSamplingRatesFilename);
+ DeleteFileWithName(kOTATrustAppleCertifcateAuthoritiesFilename);
+ }
+}
+
+static BOOL WriteAssetVersionToDisk(NSNumber *asset_version) {
+ if (SecOTAPKIIsSystemTrustd()) {
+ NSError *error = nil;
+ NSDictionary *version_dict = @{ kOTATrustContentVersionKey : asset_version };
+ [version_dict writeToURL:GetAssetFileURL(kOTATrustContextFilename) error:&error];
+ if (error) {
+ secerror("OTATrust: unable to write asset version to disk: %@", error);
+ LogRemotely(OTATrustLogLevelError, &error);
+ return NO;
+ }
+ return YES;
+ }
+ return NO;
+}
+
+
+static BOOL CopyFileToDisk(NSString *filename, NSURL *localURL) {
+ if (SecOTAPKIIsSystemTrustd()) {
+ NSFileManager * fileManager = [NSFileManager defaultManager];
+ NSError *error = nil;
+ [fileManager copyItemAtURL:localURL toURL:GetAssetFileURL(filename) error:&error];
+ if (error) {
+ secerror("OTATrust: unable to write CT logs to disk: %@", error);
+ LogRemotely(OTATrustLogLevelError, &error);
+ return NO;
+ }
+ return YES;
+ }
+ return NO;
+}
+
+// MARK: Fetch and Update Functions
+#if TARGET_OS_IPHONE
+static NSNumber *UpdateAndPurgeAsset(MAAsset *asset, NSNumber *asset_version, NSError **error) {
+ if (SecPinningDbUpdateFromURL((__bridge CFURLRef)[asset getLocalFileUrl]) &&
+ UpdateFromAsset([asset getLocalFileUrl], asset_version)) {
+ secnotice("OTATrust", "finished update to version %@ from installed asset. purging asset.", asset_version);
+#if ENABLE_TRUSTD_ANALYTICS
+ [[TrustdHealthAnalytics logger] logSuccessForEventNamed:TrustdHealthAnalyticsEventOTAPKIEvent];
+#endif // ENABLE_TRUSTD_ANALYTICS
+ [asset purge:^(MAPurgeResult purge_result) {
+ if (purge_result != MAPurgeSucceeded) {
+ secerror("OTATrust: purge failed: %ld", (long)purge_result);
+ }
+ }];
+ return asset_version;
+ } else {
+ MakeOTATrustError(error, OTATrustLogLevelError, errSecCallbackFailed,
+ @"Failed to install new asset version %@ from %@", asset_version, [asset getLocalFileUrl]);
+ return nil;
+ }
+}
+
+static BOOL DownloadOTATrustAsset(BOOL isLocalOnly, BOOL wait, NSError **error) {
+ if (!CanCheckMobileAsset()) {
+ MakeOTATrustError(error, OTATrustLogLevelNotice, errSecServiceNotAvailable,
+ @"MobileAsset disabled, skipping check.");
+ return NO;
+ }
+
+ __block NSNumber *updated_version = nil;
+ __block dispatch_semaphore_t done = wait ? dispatch_semaphore_create(0) : nil;
+ __block NSError *ma_error = nil;
+ secnotice("OTATrust", "begin MobileAsset query for catalog");
+ [MAAsset startCatalogDownload:(NSString *)OTATrustMobileAssetType then:^(MADownLoadResult result) {
+ if (result != MADownloadSucceesful) {
+ MakeOTATrustError(&ma_error, OTATrustLogLevelError, errSecInternal,
+ @"failed to download catalog: %ld", (long)result);
+ return;
+ }
+ MAAssetQuery *query = [[MAAssetQuery alloc] initWithType:(NSString *)OTATrustMobileAssetType];
+ [query augmentResultsWithState:true];
+
+ secnotice("OTATrust", "begin MobileAsset metadata sync request");
+ MAQueryResult queryResult = [query queryMetaDataSync];
+ if (queryResult != MAQuerySucceesful) {
+ MakeOTATrustError(&ma_error, OTATrustLogLevelError, errSecInternal,
+ @"failed to query MobileAsset metadata: %ld", (long)queryResult);
+ return;
+ }
+
+ if (!query.results) {
+ MakeOTATrustError(&ma_error, OTATrustLogLevelError, errSecInternal,
+ @"no results in MobileAsset query");
+ return;
+ }
+
+ bool began_async_job = false;
+ for (MAAsset *asset in query.results) {
+ /* Check Compatibility Version against this software version */
+ NSNumber *compatibilityVersion = [asset assetProperty:@"_CompatibilityVersion"];
+ if (!isNSNumber(compatibilityVersion) ||
+ [compatibilityVersion unsignedIntegerValue] != OTATrustMobileAssetCompatibilityVersion) {
+ MakeOTATrustError(&ma_error, OTATrustLogLevelNotice, errSecIncompatibleVersion,
+ @"skipping asset because Compatibility Version doesn't match %@", compatibilityVersion);
+ continue;
+ }
+ /* Check Content Version agains the current content version */
+ NSNumber *asset_version = [asset assetProperty:@"_ContentVersion"];
+ if (!ShouldUpdateWithAsset(asset_version)) {
+ MakeOTATrustError(&ma_error, OTATrustLogLevelNotice, errSecDuplicateItem,
+ @"skipping asset because we already have _ContentVersion %@ (or newer)", asset_version);
+ continue;
+ }
+
+ switch (asset.state) {
+ default:
+ MakeOTATrustError(&ma_error, OTATrustLogLevelError, errSecInternal,
+ @"unknown asset state %ld", (long)asset.state);
+ continue;
+ case MAInstalled:
+ /* The asset is already in the cache, get it from disk. */
+ secdebug("OTATrust", "OTATrust asset already installed");
+ updated_version = UpdateAndPurgeAsset(asset, asset_version, &ma_error);
+ break;
+ case MAUnknown:
+ MakeOTATrustError(&ma_error, OTATrustLogLevelError, errSecInternal,
+ @"asset is unknown");
+ continue;
+ case MADownloading:
+ secnotice("OTATrust", "asset is downloading");
+ /* fall through */
+ case MANotPresent:
+ secnotice("OTATrust", "begin download of OTATrust asset");
+ began_async_job = true;
+ [asset startDownload:^(MADownLoadResult downloadResult) {
+ if (downloadResult != MADownloadSucceesful) {
+ MakeOTATrustError(&ma_error, OTATrustLogLevelError, errSecInternal,
+ @"failed to download asset: %ld", (long)downloadResult);
+ return;
+ }
+ updated_version = UpdateAndPurgeAsset(asset, asset_version, &ma_error);
+ if (wait) {
+ dispatch_semaphore_signal(done);
+ }
+ }];
+ break;
+ } /* switch (asset.state) */
+ } /* for (MAAsset.. */
+ if (wait && !began_async_job) {
+ dispatch_semaphore_signal(done);
+ }
+ }]; /* [MAAsset startCatalogDownload: ] */
+
+ /* If the caller is waiting for a response, wait up to one minute for the update to complete.
+ * If the MAAsset callback does not complete in that time, report a timeout.
+ * If the MAAsset callback completes and did not successfully update, it should report an error;
+ * forward that error to the caller.
+ * If the MAAsset callback completes and did not update and did not provide an error; report
+ * an unknown error. */
+ BOOL result = NO;
+ if (wait) {
+ if (dispatch_semaphore_wait(done, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 60)) != 0) {
+ MakeOTATrustError(error, OTATrustLogLevelError, errSecNetworkFailure,
+ @"Failed to get asset metadata within 1 minute.");
+ } else {
+ result = (updated_version != nil);
+ if (error && ma_error) {
+ *error = ma_error;
+ } else if (!result) {
+ MakeOTATrustError(error, OTATrustLogLevelError, errSecInternalComponent,
+ @"Unknown error occurred.");
+ }
+ }
+ }
+ return result;
+}
+#else /* !TARGET_OS_IPHONE */
+/* MobileAssetV2 fails on macOS, so use V1 */
+static NSNumber *UpdateAndPurgeAsset(ASAsset *asset, NSNumber *asset_version, NSError ** error) {
+ if (SecPinningDbUpdateFromURL((__bridge CFURLRef)[asset localURL]) &&
+ UpdateFromAsset([asset localURL], asset_version)) {
+ secnotice("OTATrust", "finished update to version %@ from installed asset. purging asset.", asset_version);
+#if ENABLE_TRUSTD_ANALYTICS
+ [[TrustdHealthAnalytics logger] logSuccessForEventNamed:TrustdHealthAnalyticsEventOTAPKIEvent];
+#endif // ENABLE_TRUSTD_ANALYTICS
+ [asset purge:^(NSError *ma_error) {
+ if (error) {
+ secerror("OTATrust: purge failed %@", ma_error);
+ }
+ }];
+ return asset_version;
+ } else {
+ MakeOTATrustError(error, OTATrustLogLevelError, errSecCallbackFailed,
+ @"Failed to install new asset version %@ from %@", asset_version, [asset localURL]);
+ return nil;
+ }
+}
+
+static BOOL DownloadOTATrustAsset(BOOL isLocalOnly, BOOL wait, NSError **error) {
+ if (!CanCheckMobileAsset()) {
+ MakeOTATrustError(error, OTATrustLogLevelNotice, errSecServiceNotAvailable,
+ @"MobileAsset disabled, skipping check.");
+ return NO;
+ }
+
+ ASAssetQuery *query = [[ASAssetQuery alloc] initWithAssetType:(NSString *)OTATrustMobileAssetType];
+ [query setQueriesLocalAssetInformationOnly:isLocalOnly]; // Omitting this leads to a notifcation loop.
+ NSArray*query_results = [query runQueryAndReturnError:error];
+ if (!query_results) {
+ if (error) {
+ secerror("OTATrust: asset query failed: %@", *error);
+ LogRemotely(OTATrustLogLevelError, error);
+ }
+ return NO;
+ }
+
+ __block NSNumber *updated_version = nil;
+ __block NSError *handler_error = nil;
+ __block dispatch_semaphore_t done = wait ? dispatch_semaphore_create(0) : nil;
+ bool began_async_job = false;
+ for (ASAsset *asset in query_results) {
+ NSDictionary *attributes = [asset attributes];
+
+ NSNumber *compatibilityVersion = [attributes objectForKey:ASAttributeCompatibilityVersion];
+ if (!isNSNumber(compatibilityVersion) ||
+ [compatibilityVersion unsignedIntegerValue] != OTATrustMobileAssetCompatibilityVersion) {
+ MakeOTATrustError(error, OTATrustLogLevelNotice, errSecIncompatibleVersion,
+ @"skipping asset because Compatibility Version doesn't match %@", compatibilityVersion);
+ continue;
+ }
+
+ NSNumber *contentVersion = [attributes objectForKey:ASAttributeContentVersion];
+ if (!ShouldUpdateWithAsset(contentVersion)) {
+ MakeOTATrustError(error, OTATrustLogLevelNotice, errSecDuplicateItem,
+ @"skipping asset because we already have _ContentVersion %@ (or newer)", contentVersion);
+ continue;
+ }
+
+ ASProgressHandler OTATrustHandler = ^(NSDictionary *state, NSError *progressError){
+ NSString *operationState = nil;
+ if (progressError) {
+ MakeOTATrustError(&handler_error, OTATrustLogLevelError, errSecInternal,
+ @"OTATrust: asset download error: %@", progressError);
+ if (wait) {
+ dispatch_semaphore_signal(done);
+ }
+ return;
+ }
+
+ if (!state) {
+ MakeOTATrustError(&handler_error, OTATrustLogLevelError, errSecInternal,
+ @"OTATrust: no asset state in progress handler");
+ if (wait) {
+ dispatch_semaphore_signal(done);
+ }
+ return;
+ }
+
+ operationState = [state objectForKey:ASStateOperation];
+ secdebug("OTATrust", "Asset state is %@", operationState);
+
+ if (operationState && [operationState isEqualToString:ASOperationCompleted]) {
+ updated_version = UpdateAndPurgeAsset(asset, contentVersion, &handler_error);
+ if (wait) {
+ dispatch_semaphore_signal(done);
+ }
+ }
+ /* Other states keep calling our progress handler until so don't signal */
+ };
+
+ switch ([asset state]) {
+ case ASAssetStateNotPresent:
+ secdebug("OTATrust", "OTATrust asset needs to be downloaded");
+ asset.progressHandler= OTATrustHandler;
+ asset.userInitiatedDownload = YES;
+ [asset beginDownloadWithOptions:@{ASDownloadOptionPriority : ASDownloadPriorityNormal}];
+ began_async_job = true;
+ break;
+ case ASAssetStateInstalled:
+ /* The asset is already in the cache, get it from disk. */
+ secdebug("OTATrust", "OTATrust asset already installed");
+ updated_version = UpdateAndPurgeAsset(asset, contentVersion, error);
+ break;
+ case ASAssetStatePaused:
+ secdebug("OTATrust", "OTATrust asset download paused");
+ asset.progressHandler = OTATrustHandler;
+ asset.userInitiatedDownload = YES;
+ if (![asset resumeDownloadAndReturnError:error]) {
+ if (error) {
+ secerror("OTATrust: failed to resume download of asset: %@", *error);
+ LogRemotely(OTATrustLogLevelError, error);
+ }
+ } else {
+ began_async_job = true;
+ }
+ break;
+ case ASAssetStateDownloading:
+ secdebug("OTATrust", "OTATrust asset downloading");
+ asset.progressHandler = OTATrustHandler;
+ asset.userInitiatedDownload = YES;
+ began_async_job = true;
+ break;
+ default:
+ MakeOTATrustError(error, OTATrustLogLevelError, errSecInternal,
+ @"unhandled asset state %ld", (long)asset.state);
+ continue;
+ }
+ }
+
+ /* If the caller is waiting for a response, wait up to one minute for the update to complete.
+ * If the OTATrustHandler does not complete in the time, report a timeout.
+ * If the OTATrustHandler completes and did not successfully update and it reported an error;
+ * forward that error to the caller. */
+ BOOL result = (updated_version != nil);
+ if (wait && began_async_job) {
+ if (dispatch_semaphore_wait(done, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 60)) != 0) {
+ MakeOTATrustError(error, OTATrustLogLevelError, errSecNetworkFailure,
+ @"Failed to get asset metadata within 1 minute.");
+ } else {
+ /* finished an async job, update the result */
+ result = (updated_version != nil);
+ if (error && handler_error) {
+ *error = handler_error;
+ }
+ }
+ }
+
+ /* If we failed and don't know why, report an unknown error */
+ if (!result && error && (*error == NULL)) {
+ MakeOTATrustError(error, OTATrustLogLevelError, errSecInternalComponent,
+ @"Unknown error occurred.");
+ }
+ return result;
+}
+#endif /* !TARGET_OS_IPHONE */
+
+static void InitializeOTATrustAsset(dispatch_queue_t queue) {
+ /* Only the "system" trustd does updates */
+ if (SecOTAPKIIsSystemTrustd()) {
+ /* Asynchronously ask MobileAsset for most recent asset. */
+ dispatch_async(queue, ^{
+ secnotice("OTATrust", "Initial check with MobileAsset for newer PKITrustSupplementals asset");
+ (void)DownloadOTATrustAsset(NO, NO, nil);
+ });
+
+ /* Register for changes in our asset */
+ if (CanCheckMobileAsset()) {
+ int out_token = 0;
+ notify_register_dispatch(kOTATrustMobileAssetNotification, &out_token, queue, ^(int __unused token) {
+ secnotice("OTATrust", "Got notification about a new PKITrustSupplementals asset from mobileassetd.");
+ (void)DownloadOTATrustAsset(YES, NO, nil);
+ });
+ }
+ } else {
+ /* Register for changes signaled by the system trustd */
+ secnotice("OTATrust", "Intializing listener for Asset changes from system trustd.");
+ int out_token = 0;
+ notify_register_dispatch(kOTATrustOnDiskAssetNotification, &out_token, queue, ^(int __unused token) {
+ secnotice("OTATrust", "Got notification about a new PKITrustSupplementals asset from system trustd.");
+ UpdateFromAsset(GetAssetFileURL(nil), [NSNumber numberWithUnsignedLongLong:GetAssetVersion()]);
+ });
+ }
+}
+
+static void TriggerPeriodicOTATrustAssetChecks(dispatch_queue_t queue) {
+ if (SecOTAPKIIsSystemTrustd()) {
+ static sec_action_t action;
+ static dispatch_once_t onceToken;
+ dispatch_once(&onceToken, ^{
+ NSUserDefaults *defaults = [[NSUserDefaults alloc] initWithSuiteName:@"com.apple.security"];
+ NSNumber *updateDeltas = [defaults valueForKey:@"PKITrustSupplementalsUpdatePeriod"];
+ int delta = kOTATrustDefaultUpdatePeriod;
+ if (isNSNumber(updateDeltas)) {
+ delta = [updateDeltas intValue];
+ if (delta < kOTATrustMinimumUpdatePeriod) {
+ delta = kOTATrustMinimumUpdatePeriod;
+ }
+ }
+ secnotice("OTATrust", "Setting periodic update delta to %d seconds", delta);
+ action = sec_action_create_with_queue(queue,"OTATrust", delta);
+ sec_action_set_handler(action, ^{
+ (void)DownloadOTATrustAsset(NO, NO, nil);
+ });
+ });
+ sec_action_perform(action);
+ }
+}
+#endif /* !TARGET_OS_BRIDGE */
+
+/* MARK: - */
+/* MARK: Initialization functions */
+static CFPropertyListRef CFPropertyListCopyFromSystem(CFStringRef asset) {
+ CFPropertyListRef plist = NULL;
+ CFDataRef xmlData = SecSystemTrustStoreCopyResourceContents(asset, CFSTR("plist"), NULL);
+
+ if (xmlData) {
+ plist = CFPropertyListCreateWithData(kCFAllocatorDefault, xmlData, kCFPropertyListImmutable, NULL, NULL);
+ CFRelease(xmlData);
+ }
+
+ return plist;
+}
+
+static uint64_t GetSystemVersion(CFStringRef key) {
+ uint64_t system_version = 0;
+ int64_t asset_number = 0;
+
+ CFDataRef assetVersionData = SecSystemTrustStoreCopyResourceContents(CFSTR("AssetVersion"), CFSTR("plist"), NULL);
+ if (NULL != assetVersionData) {
+ CFPropertyListFormat propFormat;
+ CFDictionaryRef versionPlist = CFPropertyListCreateWithData(kCFAllocatorDefault, assetVersionData, 0, &propFormat, NULL);
+ if (NULL != versionPlist && CFDictionaryGetTypeID() == CFGetTypeID(versionPlist)) {
+ CFNumberRef versionNumber = (CFNumberRef)CFDictionaryGetValue(versionPlist, (const void *)key);
+ if (NULL != versionNumber){
+ CFNumberGetValue(versionNumber, kCFNumberSInt64Type, &asset_number);
+ if (asset_number < 0) { // Not valid
+ asset_number = 0;
+ }
+ system_version = (uint64_t)asset_number;
+ }
+ }
+ CFReleaseSafe(versionPlist);
+ CFReleaseSafe(assetVersionData);
+ }
+
+ return system_version;
+}
+
+static bool ShouldInitializeWithAsset(void) {
+ uint64_t system_version = GetSystemVersion((__bridge CFStringRef)kOTATrustContentVersionKey);
+ uint64_t asset_version = GetAssetVersion();
+
+ if (asset_version > system_version) {
+ secnotice("OTATrust", "Using asset v%llu instead of system v%llu", asset_version, system_version);
+ return true;
+ }
+ return false;
+}
+
+static CFSetRef CFSetCreateFromPropertyList(CFPropertyListRef plist) {
+ CFSetRef result = NULL;
+
+ if (plist) {
+ CFMutableSetRef tempSet = NULL;
+ if (CFGetTypeID(plist) == CFArrayGetTypeID()) {
+ tempSet = CFSetCreateMutable(kCFAllocatorDefault, 0, &kCFTypeSetCallBacks);
+ if (NULL == tempSet) {
+ return result;
+ }
+ CFArrayRef array = (CFArrayRef)plist;
+ CFIndex num_keys = CFArrayGetCount(array);
+ for (CFIndex idx = 0; idx < num_keys; idx++) {
+ CFDataRef data = (CFDataRef)CFArrayGetValueAtIndex(array, idx);
+ CFSetAddValue(tempSet, data);
+ }
+ } else {
+ return result;
+ }
+
+ result = tempSet;
+ }
+ return result;
+}
+
+static CF_RETURNS_RETAINED CFSetRef InitializeBlackList() {
+ CFPropertyListRef plist = CFPropertyListCopyFromSystem(CFSTR("Blocked"));
+ CFSetRef result = CFSetCreateFromPropertyList(plist);
+ CFReleaseSafe(plist);
+
+ return result;
+}
+
+static CF_RETURNS_RETAINED CFSetRef InitializeGrayList() {
+ CFPropertyListRef plist = CFPropertyListCopyFromSystem(CFSTR("GrayListedKeys"));
+ CFSetRef result = CFSetCreateFromPropertyList(plist);
+ CFReleaseSafe(plist);
+
+ return result;
+}
+
+static CF_RETURNS_RETAINED CFURLRef InitializePinningList() {
+ return SecSystemTrustStoreCopyResourceURL(CFSTR("CertificatePinning"), CFSTR("plist"), NULL);
+}
+
+static CF_RETURNS_RETAINED CFDictionaryRef InitializeAllowList() {
+ CFPropertyListRef allowList = CFPropertyListCopyFromSystem(CFSTR("Allowed"));
+
+ if (allowList && (CFGetTypeID(allowList) == CFDictionaryGetTypeID())) {
+ return allowList;
+ } else {
+ CFReleaseNull(allowList);
+ return NULL;
+ }
+}
+
+static CF_RETURNS_RETAINED CFArrayRef InitializeTrustedCTLogs() {
+ NSArray *trustedCTLogs = nil;
+#if !TARGET_OS_BRIDGE
+ if (ShouldInitializeWithAsset()) {
+ trustedCTLogs = [NSArray arrayWithContentsOfURL:GetAssetFileURL(kOTATrustTrustedCTLogsFilename)];
+ if (!isNSArray(trustedCTLogs)) {
+ DeleteAssetFromDisk();
+ }
+ }
+#endif
+ if (!isNSArray(trustedCTLogs)) {
+ trustedCTLogs = [NSArray arrayWithContentsOfURL:SecSystemTrustStoreCopyResourceNSURL(kOTATrustTrustedCTLogsFilename)];
+ }
+ if (isNSArray(trustedCTLogs)) {
+ return CFBridgingRetain(trustedCTLogs);
+ }
+ return NULL;
+}
+
+static CF_RETURNS_RETAINED CFDictionaryRef InitializeEVPolicyToAnchorDigestsTable() {
+ CFDictionaryRef result = NULL;
+ CFPropertyListRef evroots = CFPropertyListCopyFromSystem(CFSTR("EVRoots"));
+
+ if (evroots) {
+ if (CFGetTypeID(evroots) == CFDictionaryGetTypeID()) {
+ /* @@@ Ensure that each dictionary key is a dotted list of digits,
+ each value is an NSArrayRef and each element in the array is a
+ 20 byte digest. */
+ result = (CFDictionaryRef)evroots;
+ }
+ else {
+ secwarning("EVRoot.plist is wrong type.");
+ CFRelease(evroots);
+ }
+ }
+
+ return result;
+}
+
+static CFIndex InitializeValidSnapshotVersion(CFIndex *outFormat) {
+ CFIndex validVersion = 0;
+ CFIndex validFormat = 0;
+ CFDataRef validVersionData = SecSystemTrustStoreCopyResourceContents(CFSTR("ValidUpdate"), CFSTR("plist"), NULL);
+ if (NULL != validVersionData)
+ {
+ CFPropertyListFormat propFormat;
+ CFDictionaryRef versionPlist = CFPropertyListCreateWithData(kCFAllocatorDefault, validVersionData, 0, &propFormat, NULL);
+ if (NULL != versionPlist && CFDictionaryGetTypeID() == CFGetTypeID(versionPlist))
+ {
+ CFNumberRef versionNumber = (CFNumberRef)CFDictionaryGetValue(versionPlist, (const void *)CFSTR("Version"));
+ if (NULL != versionNumber)
+ {
+ CFNumberGetValue(versionNumber, kCFNumberCFIndexType, &validVersion);
+ }
+ CFNumberRef formatNumber = (CFNumberRef)CFDictionaryGetValue(versionPlist, (const void *)CFSTR("Format"));
+ if (NULL != formatNumber)
+ {
+ CFNumberGetValue(formatNumber, kCFNumberCFIndexType, &validFormat);
+ }
+ }
+ CFReleaseSafe(versionPlist);
+ CFReleaseSafe(validVersionData);
+ }
+ if (outFormat) {
+ *outFormat = validFormat;
+ }
+ return validVersion;
+}
+
+static Boolean PathExists(const char* path, size_t* pFileSize) {
+ const char *checked_path = (path) ? path : "";
+ Boolean result = false;
+ struct stat sb;
+
+ if (NULL != pFileSize) {
+ *pFileSize = 0;
+ }
+
+ int stat_result = stat(checked_path, &sb);
+ result = (stat_result == 0);
+
+ if (result && !S_ISDIR(sb.st_mode)) {
+ // It is a file
+ if (NULL != pFileSize) {
+ *pFileSize = (size_t)sb.st_size;
+ }
+ }
+
+ return result;
+}
+
+static const char* InitializeValidSnapshotData(CFStringRef filename_str) {
+ char *result = NULL;
+ const char *base_error_str = "could not get valid snapshot";
+
+ CFURLRef valid_url = SecSystemTrustStoreCopyResourceURL(filename_str, CFSTR("sqlite3"), NULL);
+ if (NULL == valid_url) {
+ secerror("%s", base_error_str);
+ } else {
+ CFStringRef valid_str = CFURLCopyFileSystemPath(valid_url, kCFURLPOSIXPathStyle);
+ char file_path_buffer[PATH_MAX];
+ memset(file_path_buffer, 0, PATH_MAX);
+ if (NULL == valid_str) {
+ secerror("%s path", base_error_str);
+ } else {
+ const char *valid_cstr = CFStringGetCStringPtr(valid_str, kCFStringEncodingUTF8);
+ if (NULL == valid_cstr) {
+ if (CFStringGetCString(valid_str, file_path_buffer, PATH_MAX, kCFStringEncodingUTF8)) {
+ valid_cstr = file_path_buffer;
+ }
+ }
+ if (NULL == valid_cstr) {
+ secerror("%s path as UTF8 string", base_error_str);
+ } else {
+ asprintf(&result, "%s", valid_cstr);
+ }
+ }
+ CFReleaseSafe(valid_str);
+ }
+ CFReleaseSafe(valid_url);
+ if (result && !PathExists(result, NULL)) {
+ free(result);
+ result = NULL;
+ }
+ return (const char*)result;
+}
+
+static const char* InitializeValidDatabaseSnapshot() {
+ return InitializeValidSnapshotData(CFSTR("valid"));
+}
+
+static const uint8_t* MapFile(const char* path, size_t* out_file_size) {
+ int rtn, fd;
+ const uint8_t *buf = NULL;
+ struct stat sb;
+ size_t size = 0;
+
+ if (NULL == path || NULL == out_file_size) {
+ return NULL;
+ }
+
+ *out_file_size = 0;
+
+ fd = open(path, O_RDONLY);
+ if (fd < 0) { return NULL; }
+ rtn = fstat(fd, &sb);
+ if (rtn || (sb.st_size > (off_t) ((UINT32_MAX >> 1)-1))) {
+ close(fd);
+ return NULL;
+ }
+ size = (size_t)sb.st_size;
+
+ buf = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
+ if (!buf || buf == MAP_FAILED) {
+ secerror("unable to map %s (errno %d)", path, errno);
+ close(fd);
+ return NULL;
+ }
+
+ close(fd);
+ *out_file_size = size;
+ return buf;
+}
+
+static void UnMapFile(void* mapped_data, size_t data_size) {
+ if (!mapped_data) {
+ return;
+ }
+ int rtn = munmap(mapped_data, data_size);
+ if (rtn != 0) {
+ secerror("unable to unmap %ld bytes at %p (error %d)", data_size, mapped_data, rtn);
+ }
+}
+
+struct index_record {
+ unsigned char hash[CC_SHA1_DIGEST_LENGTH];
+ uint32_t offset;
+};
+typedef struct index_record index_record;
+
+static bool InitializeAnchorTable(CFDictionaryRef* pLookupTable, const char** ppAnchorTable) {
+
+ bool result = false;
+
+ if (NULL == pLookupTable || NULL == ppAnchorTable) {
+ return result;
+ }
+
+ *pLookupTable = NULL;
+ *ppAnchorTable = NULL;;
+
+ CFDataRef cert_index_file_data = NULL;
+ char file_path_buffer[PATH_MAX];
+ CFURLRef table_data_url = NULL;
+ CFStringRef table_data_cstr_path = NULL;
+ const char* table_data_path = NULL;
+ const index_record* pIndex = NULL;
+ size_t index_offset = 0;
+ size_t index_data_size = 0;
+ CFMutableDictionaryRef anchorLookupTable = NULL;
+ uint32_t offset_int_value = 0;
+ CFNumberRef index_offset_value = NULL;
+ CFDataRef index_hash = NULL;
+ CFMutableArrayRef offsets = NULL;
+ Boolean release_offset = false;
+
+ char* local_anchorTable = NULL;
+ size_t local_anchorTableSize = 0;
+
+ // local_anchorTable is still NULL so the asset in the system trust store bundle needs to be used.
+ CFReleaseSafe(cert_index_file_data);
+ cert_index_file_data = SecSystemTrustStoreCopyResourceContents(CFSTR("certsIndex"), CFSTR("data"), NULL);
+ if (!cert_index_file_data) {
+ secerror("could not find certsIndex");
+ }
+ table_data_url = SecSystemTrustStoreCopyResourceURL(CFSTR("certsTable"), CFSTR("data"), NULL);
+ if (!table_data_url) {
+ secerror("could not find certsTable");
+ }
+
+ if (NULL != table_data_url) {
+ table_data_cstr_path = CFURLCopyFileSystemPath(table_data_url, kCFURLPOSIXPathStyle);
+ if (NULL != table_data_cstr_path) {
+ memset(file_path_buffer, 0, PATH_MAX);
+ table_data_path = CFStringGetCStringPtr(table_data_cstr_path, kCFStringEncodingUTF8);
+ if (NULL == table_data_path) {
+ if (CFStringGetCString(table_data_cstr_path, file_path_buffer, PATH_MAX, kCFStringEncodingUTF8)) {
+ table_data_path = file_path_buffer;
+ }
+ }
+ local_anchorTable = (char *)MapFile(table_data_path, &local_anchorTableSize);
+ CFReleaseSafe(table_data_cstr_path);
+ }
+ }
+ CFReleaseSafe(table_data_url);
+
+ if (NULL == local_anchorTable || NULL == cert_index_file_data) {
+ // we are in trouble
+ if (NULL != local_anchorTable) {
+ UnMapFile(local_anchorTable, local_anchorTableSize);
+ local_anchorTable = NULL;
+ local_anchorTableSize = 0;
+ }
+ CFReleaseSafe(cert_index_file_data);
+ return result;
+ }
+
+ // ------------------------------------------------------------------------
+ // Now that the locations of the files are known and the table file has
+ // been mapped into memory, create a dictionary that maps the SHA1 hash of
+ // normalized issuer to the offset in the mapped anchor table file which
+ // contains a index_record to the correct certificate
+ // ------------------------------------------------------------------------
+ pIndex = (const index_record*)CFDataGetBytePtr(cert_index_file_data);
+ index_data_size = CFDataGetLength(cert_index_file_data);
+
+ anchorLookupTable = CFDictionaryCreateMutable(kCFAllocatorDefault, 0,
+ &kCFTypeDictionaryKeyCallBacks,
+ &kCFTypeDictionaryValueCallBacks);
+
+ for (index_offset = index_data_size; index_offset > 0; index_offset -= sizeof(index_record), pIndex++) {
+ offset_int_value = pIndex->offset;
+
+ index_offset_value = CFNumberCreate(kCFAllocatorDefault, kCFNumberIntType, &offset_int_value);
+ index_hash = CFDataCreate(kCFAllocatorDefault, pIndex->hash, CC_SHA1_DIGEST_LENGTH);
+
+ // see if the dictionary already has this key
+ release_offset = false;
+ offsets = (CFMutableArrayRef)CFDictionaryGetValue(anchorLookupTable, index_hash);
+ if (NULL == offsets) {
+ offsets = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
+ release_offset = true;
+ }
+
+ // Add the offset
+ CFArrayAppendValue(offsets, index_offset_value);
+
+ // set the key value pair in the dictionary
+ CFDictionarySetValue(anchorLookupTable, index_hash, offsets);
+
+ CFRelease(index_offset_value);
+ CFRelease(index_hash);
+ if (release_offset) {
+ CFRelease(offsets);
+ }
+ }
+
+ CFRelease(cert_index_file_data);
+
+ if (NULL != anchorLookupTable && NULL != local_anchorTable) {
+ *pLookupTable = anchorLookupTable;
+ *ppAnchorTable = local_anchorTable;
+ result = true;
+ } else {
+ CFReleaseSafe(anchorLookupTable);
+ if (NULL != local_anchorTable) {
+ UnMapFile(local_anchorTable, local_anchorTableSize);
+ local_anchorTable = NULL;
+ local_anchorTableSize = 0;
+ }
+ }
+
+ return result;
+}
+
+static void InitializeEscrowCertificates(CFArrayRef *escrowRoots, CFArrayRef *escrowPCSRoots) {
+ CFDataRef file_data = SecSystemTrustStoreCopyResourceContents(CFSTR("AppleESCertificates"), CFSTR("plist"), NULL);
+
+ if (NULL == file_data) {
+ return;
+ }
+
+ CFPropertyListFormat propFormat;
+ CFDictionaryRef certsDictionary = CFPropertyListCreateWithData(kCFAllocatorDefault, file_data, 0, &propFormat, NULL);
+ if (NULL != certsDictionary && CFDictionaryGetTypeID() == CFGetTypeID((CFTypeRef)certsDictionary)) {
+ CFArrayRef certs = (CFArrayRef)CFDictionaryGetValue(certsDictionary, CFSTR("ProductionEscrowKey"));
+ if (NULL != certs && CFArrayGetTypeID() == CFGetTypeID((CFTypeRef)certs) && CFArrayGetCount(certs) > 0) {
+ *escrowRoots = CFArrayCreateCopy(kCFAllocatorDefault, certs);
+ }
+ CFArrayRef pcs_certs = (CFArrayRef)CFDictionaryGetValue(certsDictionary, CFSTR("ProductionPCSEscrowKey"));
+ if (NULL != pcs_certs && CFArrayGetTypeID() == CFGetTypeID((CFTypeRef)pcs_certs) && CFArrayGetCount(pcs_certs) > 0) {
+ *escrowPCSRoots = CFArrayCreateCopy(kCFAllocatorDefault, pcs_certs);
+ }
+ }
+ CFReleaseSafe(certsDictionary);
+ CFRelease(file_data);
+}
+
+static CF_RETURNS_RETAINED CFDictionaryRef InitializeEventSamplingRates() {
+ NSDictionary *analyticsSamplingRates = nil;
+ NSDictionary *eventSamplingRates = nil;
+#if !TARGET_OS_BRIDGE
+ if (ShouldInitializeWithAsset()) {
+ analyticsSamplingRates = [NSDictionary dictionaryWithContentsOfURL:GetAssetFileURL(kOTATrustAnalyticsSamplingRatesFilename)];
+ if (!isNSDictionary(analyticsSamplingRates)) {
+ DeleteAssetFromDisk();
+ }
+ eventSamplingRates = analyticsSamplingRates[@"Events"];
+ }
+#endif
+ if (!isNSDictionary(eventSamplingRates)) {
+ analyticsSamplingRates = [NSDictionary dictionaryWithContentsOfURL:SecSystemTrustStoreCopyResourceNSURL(kOTATrustAnalyticsSamplingRatesFilename)];
+ }
+ if (isNSDictionary(analyticsSamplingRates)) {
+ eventSamplingRates = analyticsSamplingRates[@"Events"];
+ if (isNSDictionary(eventSamplingRates)) {
+ return CFBridgingRetain(eventSamplingRates);
+ }
+ }
+ return NULL;
+}
+
+static CF_RETURNS_RETAINED CFArrayRef InitializeAppleCertificateAuthorities() {
+ NSArray *appleCAs = nil;
+#if !TARGET_OS_BRIDGE
+ if (ShouldInitializeWithAsset()) {
+ appleCAs = [NSArray arrayWithContentsOfURL:GetAssetFileURL(kOTATrustAppleCertifcateAuthoritiesFilename)];
+ if (!isNSArray(appleCAs)) {
+ DeleteAssetFromDisk();
+ }
+ }
+#endif
+ if (!isNSArray(appleCAs)) {
+ appleCAs = [NSArray arrayWithContentsOfURL:SecSystemTrustStoreCopyResourceNSURL(kOTATrustAppleCertifcateAuthoritiesFilename)];
+ }
+ if (isNSArray(appleCAs)) {
+ return CFBridgingRetain(appleCAs);
+ }
+ return NULL;
+}
+
+/* MARK: - */
+/* MARK: SecOTA */
+
+/* We keep track of one OTAPKI reference */
+static SecOTAPKIRef kCurrentOTAPKIRef = NULL;
+/* This queue is for making changes to the OTAPKI reference */
+static dispatch_queue_t kOTAQueue = NULL;
+/* This queue is for fetching changes to the OTAPKI reference or otherwise doing maintenance activities */
+static dispatch_queue_t kOTABackgroundQueue = NULL;
+
+struct _OpaqueSecOTAPKI {
+ CFRuntimeBase _base;
+ CFSetRef _blackListSet;
+ CFSetRef _grayListSet;
+ CFDictionaryRef _allowList;
+ CFArrayRef _trustedCTLogs;
+ CFURLRef _pinningList;
+ CFArrayRef _escrowCertificates;
+ CFArrayRef _escrowPCSCertificates;
+ CFDictionaryRef _evPolicyToAnchorMapping;
+ CFDictionaryRef _anchorLookupTable;
+ const char* _anchorTable;
+ uint64_t _trustStoreVersion;
+ const char* _validDatabaseSnapshot;
+ CFIndex _validSnapshotVersion;
+ CFIndex _validSnapshotFormat;
+ uint64_t _assetVersion;
+ CFDictionaryRef _eventSamplingRates;
+ CFArrayRef _appleCAs;
+};
+
+CFGiblisFor(SecOTAPKI)
+
+static CF_RETURNS_RETAINED CFStringRef SecOTAPKICopyFormatDescription(CFTypeRef cf, CFDictionaryRef formatOptions) {
+ SecOTAPKIRef otapkiRef = (SecOTAPKIRef)cf;
+ return CFStringCreateWithFormat(kCFAllocatorDefault,NULL,CFSTR(""),
+ otapkiRef->_trustStoreVersion, otapkiRef->_assetVersion);
+}
+
+static void SecOTAPKIDestroy(CFTypeRef cf) {
+ SecOTAPKIRef otapkiref = (SecOTAPKIRef)cf;
+
+ CFReleaseNull(otapkiref->_blackListSet);
+ CFReleaseNull(otapkiref->_grayListSet);
+ CFReleaseNull(otapkiref->_escrowCertificates);
+ CFReleaseNull(otapkiref->_escrowPCSCertificates);
+
+ CFReleaseNull(otapkiref->_evPolicyToAnchorMapping);
+ CFReleaseNull(otapkiref->_anchorLookupTable);
+
+ CFReleaseNull(otapkiref->_trustedCTLogs);
+ CFReleaseNull(otapkiref->_pinningList);
+ CFReleaseNull(otapkiref->_eventSamplingRates);
+ CFReleaseNull(otapkiref->_appleCAs);
+
+ if (otapkiref->_anchorTable) {
+ free((void *)otapkiref->_anchorTable);
+ otapkiref->_anchorTable = NULL;
+ }
+ if (otapkiref->_validDatabaseSnapshot) {
+ free((void *)otapkiref->_validDatabaseSnapshot);
+ otapkiref->_validDatabaseSnapshot = NULL;
+ }
+}
+
+static uint64_t GetSystemTrustStoreVersion(void) {
+ return GetSystemVersion(CFSTR("VersionNumber"));
+}
+
+static uint64_t GetAssetVersion(void) {
+ @autoreleasepool {
+ /* Get system asset version */
+ uint64_t version = GetSystemVersion((__bridge CFStringRef)kOTATrustContentVersionKey);
+
+#if !TARGET_OS_BRIDGE
+ uint64_t asset_version = 0;
+ NSDictionary *OTAPKIContext = [NSDictionary dictionaryWithContentsOfURL:GetAssetFileURL(kOTATrustContextFilename)];
+ if (isNSDictionary(OTAPKIContext)) {
+ NSNumber *tmpNumber = OTAPKIContext[kOTATrustContentVersionKey];
+ if (isNSNumber(tmpNumber)) {
+ asset_version = [tmpNumber unsignedLongLongValue];
+ }
+ }
+
+ if (asset_version > version) {
+ return asset_version;
+ } else {
+ /* Delete old data */
+ DeleteAssetFromDisk();
+ }
+#endif
+ return version;
+ }
+}
+
+static SecOTAPKIRef SecOTACreate() {
+
+ SecOTAPKIRef otapkiref = NULL;
+
+ otapkiref = CFTypeAllocate(SecOTAPKI, struct _OpaqueSecOTAPKI , kCFAllocatorDefault);
+
+ if (NULL == otapkiref) {
+ return otapkiref;
+ }
+
+ // Make sure that if this routine has to bail that the clean up
+ // will do the right thing
+ memset(otapkiref, 0, sizeof(*otapkiref));
+
+ // Start off by getting the trust store version
+ otapkiref->_trustStoreVersion = GetSystemTrustStoreVersion();
+
+ // Get the set of black listed keys
+ CFSetRef blackKeysSet = InitializeBlackList();
+ if (NULL == blackKeysSet) {
+ CFReleaseNull(otapkiref);
+ return otapkiref;
+ }
+ otapkiref->_blackListSet = blackKeysSet;
+
+ // Get the set of gray listed keys
+ CFSetRef grayKeysSet = InitializeGrayList();
+ if (NULL == grayKeysSet) {
+ CFReleaseNull(otapkiref);
+ return otapkiref;
+ }
+ otapkiref->_grayListSet = grayKeysSet;
+
+ // Get the allow list dictionary
+ // (now loaded lazily in SecOTAPKICopyAllowList)
+
+ // Get the trusted Certificate Transparency Logs
+ otapkiref->_trustedCTLogs = InitializeTrustedCTLogs();
+
+ // Get the pinning list
+ otapkiref->_pinningList = InitializePinningList();
+
+ // Get the Event Sampling Rates
+ otapkiref->_eventSamplingRates = InitializeEventSamplingRates();
+
+ // Get the list of CAs used by Apple
+ otapkiref->_appleCAs = InitializeAppleCertificateAuthorities();
+
+ // Get the asset version (after possible reset due to missing asset date)
+ otapkiref->_assetVersion = GetAssetVersion();
+
+ // Get the valid update snapshot version and format
+ CFIndex update_format = 0;
+ otapkiref->_validSnapshotVersion = InitializeValidSnapshotVersion(&update_format);
+ otapkiref->_validSnapshotFormat = update_format;
+
+ // Get the valid database snapshot path (if it exists, NULL otherwise)
+ otapkiref->_validDatabaseSnapshot = InitializeValidDatabaseSnapshot();
+
+ CFArrayRef escrowCerts = NULL;
+ CFArrayRef escrowPCSCerts = NULL;
+ InitializeEscrowCertificates(&escrowCerts, &escrowPCSCerts);
+ if (NULL == escrowCerts || NULL == escrowPCSCerts) {
+ CFReleaseNull(escrowCerts);
+ CFReleaseNull(escrowPCSCerts);
+ CFReleaseNull(otapkiref);
+ return otapkiref;
+ }
+ otapkiref->_escrowCertificates = escrowCerts;
+ otapkiref->_escrowPCSCertificates = escrowPCSCerts;
+
+ // Get the mapping of EV Policy OIDs to Anchor digest
+ CFDictionaryRef evOidToAnchorDigestMap = InitializeEVPolicyToAnchorDigestsTable();
+ if (NULL == evOidToAnchorDigestMap) {
+ CFReleaseNull(otapkiref);
+ return otapkiref;
+ }
+ otapkiref->_evPolicyToAnchorMapping = evOidToAnchorDigestMap;
+
+ CFDictionaryRef anchorLookupTable = NULL;
+ const char* anchorTablePtr = NULL;
+
+ if (!InitializeAnchorTable(&anchorLookupTable, &anchorTablePtr)) {
+ CFReleaseSafe(anchorLookupTable);
+ if (anchorTablePtr) {
+ free((void *)anchorTablePtr);
+
} + CFReleaseNull(otapkiref); + return otapkiref; + } + otapkiref->_anchorLookupTable = anchorLookupTable; + otapkiref->_anchorTable = anchorTablePtr; + +#if !TARGET_OS_BRIDGE + /* Initialize our update handling */ + InitializeOTATrustAsset(kOTABackgroundQueue); +#endif + + return otapkiref; +} + +SecOTAPKIRef SecOTAPKICopyCurrentOTAPKIRef() { + __block SecOTAPKIRef result = NULL; + static dispatch_once_t kInitializeOTAPKI = 0; + dispatch_once(&kInitializeOTAPKI, ^{ + @autoreleasepool { + kOTAQueue = dispatch_queue_create("com.apple.security.OTAPKIQueue", NULL); + dispatch_queue_attr_t attr = dispatch_queue_attr_make_with_qos_class(DISPATCH_QUEUE_SERIAL, + QOS_CLASS_BACKGROUND, 0); + attr = dispatch_queue_attr_make_with_autorelease_frequency(attr, DISPATCH_AUTORELEASE_FREQUENCY_WORK_ITEM); + kOTABackgroundQueue = dispatch_queue_create("com.apple.security.OTAPKIBackgroundQueue", attr); + kCurrentOTAPKIRef = SecOTACreate(); + if (!kOTAQueue || !kOTABackgroundQueue) { + secerror("Failed to create OTAPKI Queues. 
May crash later."); + } + } + }); + + dispatch_sync(kOTAQueue, ^{ + result = kCurrentOTAPKIRef; + CFRetainSafe(result); + }); + return result; +} + +#if !TARGET_OS_BRIDGE +static BOOL UpdateFromAsset(NSURL *localURL, NSNumber *asset_version) { + if (!localURL || !asset_version) { + secerror("OTATrust: missing url and version for downloaded asset"); + return NO; + } + __block NSArray *newTrustedCTLogs = NULL; + __block uint64_t version = [asset_version unsignedLongLongValue]; + __block NSDictionary *newAnalyticsSamplingRates = NULL; + __block NSArray *newAppleCAs = NULL; + + NSURL *TrustedCTLogsFileLoc = [NSURL URLWithString:kOTATrustTrustedCTLogsFilename + relativeToURL:localURL]; + newTrustedCTLogs = [NSArray arrayWithContentsOfURL:TrustedCTLogsFileLoc]; + if (!newTrustedCTLogs) { + secerror("OTATrust: unable to create TrustedCTLogs from asset file: %@", TrustedCTLogsFileLoc); + return NO; + } + + NSURL *AnalyticsSamplingRatesFileLoc = [NSURL URLWithString:kOTATrustAnalyticsSamplingRatesFilename + relativeToURL:localURL]; + newAnalyticsSamplingRates = [NSDictionary dictionaryWithContentsOfURL:AnalyticsSamplingRatesFileLoc]; + if (!newAnalyticsSamplingRates) { + secerror("OTATrust: unable to create AnalyticsSamplingRates from asset file: %@", AnalyticsSamplingRatesFileLoc); + return NO; + } + + NSURL *AppleCAsFileLoc = [NSURL URLWithString:kOTATrustAppleCertifcateAuthoritiesFilename + relativeToURL:localURL]; + newAppleCAs = [NSArray arrayWithContentsOfURL:AppleCAsFileLoc]; + if (!newAppleCAs) { + secerror("OTATrust: unable to create AppleCAs from asset file: %@", AppleCAsFileLoc); + return NO; + } + + /* Update the Current OTAPKIRef with the new data */ + dispatch_sync(kOTAQueue, ^{ + secnotice("OTATrust", "updating asset version from %llu to %llu", kCurrentOTAPKIRef->_assetVersion, version); + CFRetainAssign(kCurrentOTAPKIRef->_trustedCTLogs, (__bridge CFArrayRef)newTrustedCTLogs); + CFRetainAssign(kCurrentOTAPKIRef->_eventSamplingRates, (__bridge 
CFDictionaryRef)newAnalyticsSamplingRates); + CFRetainAssign(kCurrentOTAPKIRef->_appleCAs, (__bridge CFArrayRef)newAppleCAs); + kCurrentOTAPKIRef->_assetVersion = version; + }); + + /* Write the data to disk (so that we don't have to re-download the asset on re-launch) */ + DeleteAssetFromDisk(); + if (CopyFileToDisk(kOTATrustTrustedCTLogsFilename, TrustedCTLogsFileLoc) && + CopyFileToDisk(kOTATrustAnalyticsSamplingRatesFilename, AnalyticsSamplingRatesFileLoc) && + CopyFileToDisk(kOTATrustAppleCertifcateAuthoritiesFilename, AppleCAsFileLoc) && + WriteAssetVersionToDisk(asset_version)) { + /* If we successfully updated the "asset" on disk, signal the other trustds to pick up the changes */ + notify_post(kOTATrustOnDiskAssetNotification); + } + + return YES; +} +#endif // !TARGET_OS_BRIDGE + + +CFSetRef SecOTAPKICopyBlackListSet(SecOTAPKIRef otapkiRef) { + if (NULL == otapkiRef) { + return NULL; + } + + return CFRetainSafe(otapkiRef->_blackListSet); +} + + +CFSetRef SecOTAPKICopyGrayList(SecOTAPKIRef otapkiRef) { + if (NULL == otapkiRef) { + return NULL; + } + + return CFRetainSafe(otapkiRef->_grayListSet); +} + +CFDictionaryRef SecOTAPKICopyAllowList(SecOTAPKIRef otapkiRef) { + if (NULL == otapkiRef) { + return NULL; + } + + CFDictionaryRef result = otapkiRef->_allowList; + if (!result) { + result = InitializeAllowList(); + otapkiRef->_allowList = result; + } + + return CFRetainSafe(result); +} + +CFArrayRef SecOTAPKICopyAllowListForAuthKeyID(SecOTAPKIRef otapkiRef, CFStringRef authKeyID) { + // %%% temporary performance optimization: + // only load dictionary if we know an allow list exists for this key + const CFStringRef keyIDs[3] = { + CFSTR("7C724B39C7C0DB62A54F9BAA183492A2CA838259"), + CFSTR("65F231AD2AF7F7DD52960AC702C10EEFA6D53B11"), + CFSTR("D2A716207CAFD9959EEB430A19F2E0B9740EA8C7") + }; + CFArrayRef result = NULL; + bool hasAllowList = false; + CFIndex count = (sizeof(keyIDs) / sizeof(keyIDs[0])); + for (CFIndex ix=0; ix_trustedCTLogs; + 
CFRetainSafe(result); + return result; +} + +CFURLRef SecOTAPKICopyPinningList(SecOTAPKIRef otapkiRef) { + if (NULL == otapkiRef) { + return NULL; + } + + return CFRetainSafe(otapkiRef->_pinningList); +} + + +/* Returns an array of certificate data (CFDataRef) */ +CFArrayRef SecOTAPKICopyEscrowCertificates(uint32_t escrowRootType, SecOTAPKIRef otapkiRef) { + CFMutableArrayRef result = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); + if (NULL == otapkiRef) { + return result; + } + + switch (escrowRootType) { + // Note: we shouldn't be getting called to return baseline roots, + // since this function vends production roots by definition. + case kSecCertificateBaselineEscrowRoot: + case kSecCertificateProductionEscrowRoot: + case kSecCertificateBaselineEscrowBackupRoot: + case kSecCertificateProductionEscrowBackupRoot: + if (otapkiRef->_escrowCertificates) { + CFArrayRef escrowCerts = otapkiRef->_escrowCertificates; + CFArrayAppendArray(result, escrowCerts, CFRangeMake(0, CFArrayGetCount(escrowCerts))); + } + break; + case kSecCertificateBaselineEscrowEnrollmentRoot: + case kSecCertificateProductionEscrowEnrollmentRoot: + if (otapkiRef->_escrowCertificates) { + // for enrollment purposes, exclude the v100 root + static const unsigned char V100EscrowRoot[] = { + 0x65,0x5C,0xB0,0x3C,0x39,0x3A,0x32,0xA6,0x0B,0x96, + 0x40,0xC0,0xCA,0x73,0x41,0xFD,0xC3,0x9E,0x96,0xB3 + }; + CFArrayRef escrowCerts = otapkiRef->_escrowCertificates; + CFIndex idx, count = CFArrayGetCount(escrowCerts); + for (idx=0; idx < count; idx++) { + CFDataRef tmpData = (CFDataRef) CFArrayGetValueAtIndex(escrowCerts, idx); + SecCertificateRef tmpCert = (tmpData) ? SecCertificateCreateWithData(NULL, tmpData) : NULL; + CFDataRef sha1Hash = (tmpCert) ? SecCertificateGetSHA1Digest(tmpCert) : NULL; + const uint8_t *dp = (sha1Hash) ? 
CFDataGetBytePtr(sha1Hash) : NULL; + if (!(dp && !memcmp(V100EscrowRoot, dp, sizeof(V100EscrowRoot))) && tmpData) { + CFArrayAppendValue(result, tmpData); + } + CFReleaseSafe(tmpCert); + } + } + break; + case kSecCertificateBaselinePCSEscrowRoot: + case kSecCertificateProductionPCSEscrowRoot: + if (otapkiRef->_escrowPCSCertificates) { + CFArrayRef escrowPCSCerts = otapkiRef->_escrowPCSCertificates; + CFArrayAppendArray(result, escrowPCSCerts, CFRangeMake(0, CFArrayGetCount(escrowPCSCerts))); + } + break; + default: + break; + } + + return result; +} + + +CFDictionaryRef SecOTAPKICopyEVPolicyToAnchorMapping(SecOTAPKIRef otapkiRef) { + if (NULL == otapkiRef) { + return NULL; + } + + return CFRetainSafe(otapkiRef->_evPolicyToAnchorMapping); +} + + +CFDictionaryRef SecOTAPKICopyAnchorLookupTable(SecOTAPKIRef otapkiRef) { + if (NULL == otapkiRef) { + return NULL; + } + + return CFRetainSafe(otapkiRef->_anchorLookupTable); +} + +const char* SecOTAPKIGetAnchorTable(SecOTAPKIRef otapkiRef) { + if (NULL == otapkiRef) { + return NULL; + } + + return otapkiRef->_anchorTable; +} + +const char* SecOTAPKIGetValidDatabaseSnapshot(SecOTAPKIRef otapkiRef) { + if (NULL == otapkiRef) { + return NULL; + } + + return otapkiRef->_validDatabaseSnapshot; +} + +CFIndex SecOTAPKIGetValidSnapshotVersion(SecOTAPKIRef otapkiRef) { + if (NULL == otapkiRef) { + return 0; + } + + return otapkiRef->_validSnapshotVersion; +} + +CFIndex SecOTAPKIGetValidSnapshotFormat(SecOTAPKIRef otapkiRef) { + if (NULL == otapkiRef) { + return 0; + } + + return otapkiRef->_validSnapshotFormat; +} + +uint64_t SecOTAPKIGetTrustStoreVersion(SecOTAPKIRef otapkiRef) { + if (NULL == otapkiRef) { + return 0; + } + + return otapkiRef->_trustStoreVersion; +} + +uint64_t SecOTAPKIGetAssetVersion(SecOTAPKIRef otapkiRef) { + if (NULL == otapkiRef) { + return 0; + } + + return otapkiRef->_assetVersion; +} + +NSNumber *SecOTAPKIGetSamplingRateForEvent(SecOTAPKIRef otapkiRef, NSString *eventName) { + if (NULL == otapkiRef) { + 
return nil; + } + +#if !TARGET_OS_BRIDGE + /* Trigger periodic background MA checks in system trustd + * We also check on trustd launch and listen for notifications. */ + TriggerPeriodicOTATrustAssetChecks(kOTABackgroundQueue); +#endif + + if (otapkiRef->_eventSamplingRates) { + CFTypeRef value = CFDictionaryGetValue(otapkiRef->_eventSamplingRates, (__bridge CFStringRef)eventName); + if (isNumberOfType(value, kCFNumberSInt64Type)) { + return (__bridge NSNumber *)value; + } + } + return nil; +} + +CFArrayRef SecOTAPKICopyAppleCertificateAuthorities(SecOTAPKIRef otapkiRef) { + if (NULL == otapkiRef) { + return NULL; + } + +#if !TARGET_OS_BRIDGE + /* Trigger periodic background MA checks in system trustd + * We also check on trustd launch and listen for notifications. */ + TriggerPeriodicOTATrustAssetChecks(kOTABackgroundQueue); +#endif + + return CFRetainSafe(otapkiRef->_appleCAs); +} + +/* Returns an array of certificate data (CFDataRef) */ +CFArrayRef SecOTAPKICopyCurrentEscrowCertificates(uint32_t escrowRootType, CFErrorRef* error) { + SecOTAPKIRef otapkiref = SecOTAPKICopyCurrentOTAPKIRef(); + if (NULL == otapkiref) { + SecError(errSecInternal, error, CFSTR("Unable to get the current OTAPKIRef")); + return NULL; + } + + CFArrayRef result = SecOTAPKICopyEscrowCertificates(escrowRootType, otapkiref); + CFRelease(otapkiref); + + if (NULL == result) { + SecError(errSecInternal, error, CFSTR("Could not get escrow certificates from the current OTAPKIRef")); + } + return result; +} + +uint64_t SecOTAPKIGetCurrentTrustStoreVersion(CFErrorRef* error){ + SecOTAPKIRef otapkiref = SecOTAPKICopyCurrentOTAPKIRef(); + if (NULL == otapkiref) { + SecError(errSecInternal, error, CFSTR("Unable to get the current OTAPKIRef")); + return 0; + } + + return otapkiref->_trustStoreVersion; +} + +uint64_t SecOTAPKIGetCurrentAssetVersion(CFErrorRef* error) { + SecOTAPKIRef otapkiref = SecOTAPKICopyCurrentOTAPKIRef(); + if (NULL == otapkiref) { + SecError(errSecInternal, error, CFSTR("Unable 
to get the current OTAPKIRef")); + return 0; + } + + return otapkiref->_assetVersion; +} + +uint64_t SecOTAPKIResetCurrentAssetVersion(CFErrorRef* error) { + uint64_t system_version = GetSystemVersion((__bridge CFStringRef)kOTATrustContentVersionKey); + + dispatch_sync(kOTAQueue, ^{ + kCurrentOTAPKIRef->_assetVersion = system_version; + }); + +#if !TARGET_OS_BRIDGE + DeleteAssetFromDisk(); +#endif + return system_version; +} + +uint64_t SecOTAPKISignalNewAsset(CFErrorRef* error) { +#if !TARGET_OS_BRIDGE + if (SecOTAPKIIsSystemTrustd()) { + NSError *nserror = nil; + if (!DownloadOTATrustAsset(NO, YES, &nserror) && error) { + *error = CFRetainSafe((__bridge CFErrorRef)nserror); + } + } else { + SecError(errSecServiceNotAvailable, error, CFSTR("This function may ony be performed by the system trustd.")); + } + return GetAssetVersion(); +#else + SecError(errSecUnsupportedService, error, CFSTR("This function is not available on this platform")); + return GetAssetVersion(); +#endif +} diff --git a/OSX/sec/securityd/Regressions/SOSAccountTesting.h b/OSX/sec/securityd/Regressions/SOSAccountTesting.h index fee51336..47805102 100644 --- a/OSX/sec/securityd/Regressions/SOSAccountTesting.h +++ b/OSX/sec/securityd/Regressions/SOSAccountTesting.h @@ -252,12 +252,13 @@ static void accounts_agree_internal(char *label, SOSAccount* left, SOSAccount* r if (leftFullPeer) CFSetAddValue(allowed_identities, SOSFullPeerInfoGetPeerInfo(leftFullPeer)); + CFReleaseNull(leftFullPeer); - SOSFullPeerInfoRef rightFullPeer = [right.trust CopyAccountIdentityPeerInfo]; if (rightFullPeer) CFSetAddValue(allowed_identities, SOSFullPeerInfoGetPeerInfo(rightFullPeer)); + CFReleaseNull(rightFullPeer); unretired_peers_is_subset(label, leftPeers, allowed_identities); 
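Review bot: The two new `CFReleaseNull` calls in accounts_agree_internal release leftFullPeer and rightFullPeer right after the results of `SOSFullPeerInfoGetPeerInfo()` were added to allowed_identities, so the set is only safe to use afterwards if it retains its members. allowed_identities is created outside this hunk; if it was built with retaining callbacks this is fine, otherwise `unretired_peers_is_subset` would read peer infos that may already be freed. Once that is confirmed, a comment at the first release would record it: `/* allowed_identities retains the peer info, so the full peer info can be dropped here */`. The function starts and ends outside the hunk.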
@@ -541,8 +542,10 @@ static inline void FeedChangesTo(CFMutableDictionaryRef changes, SOSAccount* acc secnotice("changes", " %@", key); }); - if(CFDictionaryGetCount(account_pending_messages) == 0) + if(CFDictionaryGetCount(account_pending_messages) == 0) { + CFReleaseNull(account_pending_messages); return; + } __block CFMutableArrayRef handled = NULL; [acct performTransaction:^(SOSAccountTransaction * _Nonnull txn) { @@ -719,7 +722,7 @@ static inline SOSAccount* CreateAccountForLocalChanges(CFStringRef name, CFStrin CFStringRef randomSerial = CFStringCreateRandomHexWithLength(8); CFStringRef randomDevID = CFStringCreateRandomHexWithLength(16); SOSAccount* retval = CreateAccountForLocalChangesWithStartingAttributes(name, data_source_name, SOSPeerInfo_iOS, randomSerial, - kCFBooleanTrue, kCFBooleanTrue, kCFBooleanTrue, SOSTransportMessageTypeIDSV2, randomDevID); + kCFBooleanTrue, kCFBooleanTrue, kCFBooleanTrue, SOSTransportMessageTypeKVS, randomDevID); CFReleaseNull(randomSerial); CFReleaseNull(randomDevID); @@ -988,7 +991,7 @@ static inline bool SOSTestJoinThroughPiggyBack(CFDataRef cfpassword, CFStringRef static inline SOSAccount* SOSTestCreateAccountAsSerialClone(CFStringRef name, SOSPeerInfoDeviceClass devClass, CFStringRef serial, CFStringRef idsID) { - return CreateAccountForLocalChangesWithStartingAttributes(name, CFSTR("TestSource"), devClass, serial, kCFBooleanTrue, kCFBooleanTrue, kCFBooleanTrue, SOSTransportMessageTypeIDSV2, idsID); + return CreateAccountForLocalChangesWithStartingAttributes(name, CFSTR("TestSource"), devClass, serial, kCFBooleanTrue, kCFBooleanTrue, kCFBooleanTrue, SOSTransportMessageTypeKVS, idsID); } static inline bool SOSTestMakeGhostInCircle(CFStringRef name, SOSPeerInfoDeviceClass devClass, CFStringRef serial, CFStringRef idsID, diff --git a/OSX/sec/securityd/Regressions/SOSTransportTestTransports.m b/OSX/sec/securityd/Regressions/SOSTransportTestTransports.m index 2adcb1d3..bd9449b3 100644 
--- a/OSX/sec/securityd/Regressions/SOSTransportTestTransports.m +++ b/OSX/sec/securityd/Regressions/SOSTransportTestTransports.m @@ -46,6 +46,18 @@ CFMutableArrayRef message_transports = NULL; return self; } +-(void)dealloc { + if(self) { + CFReleaseNull(self->_changes); + CFReleaseNull(self->_circleName); + } +} + +- (void)setChanges:(CFMutableDictionaryRef)changes +{ + CFRetainAssign(self->_changes, changes); +} + -(bool) SOSTransportKeyParameterHandleKeyParameterChanges:(CKKeyParameterTest*) transport data:(CFDataRef) data err:(CFErrorRef) error { SOSAccount* acct = transport.account; @@ -268,7 +280,7 @@ bool SOSTransportCircleTestRemovePendingChange(SOSCircleStorageTransportTest* tr return SOSAccountHandleRetirementMessages(self.account, circle_retirement_messages_table, error); } --(CFArrayRef) handleCircleMessagesAndReturnHandledCopy:(CFMutableDictionaryRef) circle_circle_messages_table err:(CFErrorRef *)error +-(CFArrayRef)CF_RETURNS_RETAINED handleCircleMessagesAndReturnHandledCopy:(CFMutableDictionaryRef) circle_circle_messages_table err:(CFErrorRef *)error { CFMutableArrayRef handledKeys = CFArrayCreateMutableForCFTypes(kCFAllocatorDefault); CFDictionaryForEach(circle_circle_messages_table, ^(const void *key, const void *value) { @@ -320,6 +332,11 @@ SOSAccount* SOSTransportCircleTestGetAccount(SOSCircleStorageTransportTest* tran return self; } +- (void)setChanges:(CFMutableDictionaryRef)changes +{ + CFRetainAssign(self->_changes, changes); +} + -(CFIndex) SOSTransportMessageGetTransportType { return kKVSTest; 
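Review bot: The `if(self)` guard in the new `-dealloc` (@@ -46 hunk) is redundant, because dealloc is never entered with a nil receiver; the body can be just the two `CFReleaseNull` calls. The @@ -320 hunk adds the same retaining `setChanges:` to a second class, but no `-dealloc` for that class appears in this diff; if none exists elsewhere in the file, the dictionary retained by `CFRetainAssign(self->_changes, changes)` is never released. Both setters would also benefit from a one-line comment such as `// retains changes; balanced by CFReleaseNull in -dealloc`.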
@@ -445,15 +462,17 @@ static bool sendToPeer(SOSMessageKVSTest* transport, CFStringRef circleName, CFS if (peerID) { SOSEngineWithPeerID((SOSEngineRef)transport.engine, peerID, error, ^(SOSPeerRef peer, SOSCoderRef coder, SOSDataSourceRef dataSource, SOSTransactionRef txn, bool *forceSaveState) { - SOSEnginePeerMessageSentBlock sent = NULL; + SOSEnginePeerMessageSentCallback* sentCallback = NULL; CFDataRef message_to_send = NULL; - bool ok = SOSPeerCoderSendMessageIfNeeded([transport SOSTransportMessageGetAccount], (SOSEngineRef)transport.engine, txn, peer, coder, &message_to_send, peerID, false, &sent, error); + bool ok = SOSPeerCoderSendMessageIfNeeded([transport SOSTransportMessageGetAccount], (SOSEngineRef)transport.engine, txn, peer, coder, &message_to_send, peerID, false, &sentCallback, error); if (message_to_send) { CFDictionaryRef peer_dict = CFDictionaryCreateForCFTypes(kCFAllocatorDefault, peerID, message_to_send, NULL); CFDictionarySetValue(SOSTransportMessageKVSTestGetChanges(transport), (__bridge CFStringRef)self->circleName, peer_dict); - SOSPeerCoderConsume(&sent, ok); + SOSEngineMessageCallCallback(sentCallback, ok); CFReleaseSafe(peer_dict); } + + SOSEngineFreeMessageCallback(sentCallback); CFReleaseSafe(message_to_send); }); } 
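Review bot: Nothing in the block states who owns `sentCallback`, and the new `SOSEngineFreeMessageCallback(sentCallback)` runs even when `message_to_send` is NULL and the callback was never invoked. That looks intentional, but it relies on `SOSEngineFreeMessageCallback` accepting a NULL or never-called callback, which is not visible here. A comment above the free would make the contract explicit: `// sentCallback is owned by this block and must be freed on every path, whether or not it was called`. sendToPeer continues outside the hunk.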
@@ -842,15 +861,16 @@ void SOSAccountUpdateTestTransports(SOSAccount* account, CFDictionaryRef gestalt } -static SOSCircleRef SOSAccountEnsureCircleTest(SOSAccount* a, CFStringRef name, CFStringRef accountName) +static CF_RETURNS_RETAINED SOSCircleRef SOSAccountEnsureCircleTest(SOSAccount* a, CFStringRef name, CFStringRef accountName) { CFErrorRef localError = NULL; SOSAccountTrustClassic *trust = a.trust; - SOSCircleRef circle = [a.trust getCircle:&localError]; + SOSCircleRef circle = CFRetainSafe([a.trust getCircle:&localError]); if(!circle || isSOSErrorCoded(localError, kSOSErrorIncompatibleCircle)){ secnotice("circle", "Error retrieving the circle: %@", localError); CFReleaseNull(localError); + CFReleaseNull(circle); circle = SOSCircleCreate(kCFAllocatorDefault, name, &localError); if (circle){ @@ -883,7 +903,7 @@ bool SOSAccountEnsureFactoryCirclesTest(SOSAccount* a, CFStringRef accountName) CFStringRef circle_name = SOSDataSourceFactoryCopyName(a.factory); if(!circle_name) return result; - SOSAccountEnsureCircleTest(a, (CFStringRef)circle_name, accountName); + CFReleaseSafe(SOSAccountEnsureCircleTest(a, (CFStringRef)circle_name, accountName)); CFReleaseNull(circle_name); result = true; diff --git a/OSX/sec/securityd/Regressions/secd-01-items.m b/OSX/sec/securityd/Regressions/secd-01-items.m index a829dc49..80596f4c 100644 --- a/OSX/sec/securityd/Regressions/secd-01-items.m +++ b/OSX/sec/securityd/Regressions/secd-01-items.m @@ -77,6 +77,7 @@ int secd_01_items(int argc, char *const *argv) kSecAttrPort, kSecAttrProtocol, kSecAttrAuthenticationType, + kSecReturnData, kSecValueData }; const void *values[] = { @@ -86,6 +87,7 @@ int secd_01_items(int argc, char *const *argv) eighty, CFSTR("http"), CFSTR("dflt"), + kCFBooleanTrue, pwdata }; diff --git a/OSX/sec/securityd/Regressions/secd-155-otr-negotiation-monitor.m b/OSX/sec/securityd/Regressions/secd-155-otr-negotiation-monitor.m index 7508b9de..e02bc0fa 100644 
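Review bot: In SOSAccountEnsureFactoryCirclesTest (@@ -883 hunk) the circle returned by `SOSAccountEnsureCircleTest` is released without being inspected, and `result = true` follows unconditionally, so the function reports success even when no circle was obtained. Assuming the helper returns NULL on failure (its body ends outside the @@ -842 hunk), the call could become `SOSCircleRef circle = SOSAccountEnsureCircleTest(a, circle_name, accountName);` followed by `result = (circle != NULL);` and `CFReleaseNull(circle);`. The `(CFStringRef)` cast on circle_name is also unnecessary, since it is already declared as a CFStringRef.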
--- a/OSX/sec/securityd/Regressions/secd-155-otr-negotiation-monitor.m +++ b/OSX/sec/securityd/Regressions/secd-155-otr-negotiation-monitor.m @@ -50,7 +50,7 @@ static bool SOSAccountIsThisPeerIDMe(SOSAccount* account, CFStringRef peerID) { return myPeerID && CFEqualSafe(myPeerID, peerID); } -static void ids_test_sync(SOSAccount* alice_account, SOSAccount* bob_account){ +__unused static void ids_test_sync(SOSAccount* alice_account, SOSAccount* bob_account){ CFMutableDictionaryRef changes = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); __block bool SyncingCompletedOverIDS = false; @@ -375,7 +375,7 @@ static void tests(void) ok(SOSAccountEnsurePeerRegistration(bob_account, NULL), "ensure peer registration - bob"); - ids_test_sync(alice_account, bob_account); + // ids_test_sync(alice_account, bob_account); } int secd_155_otr_negotiation_monitor(int argc, char *const *argv) diff --git a/OSX/sec/securityd/Regressions/secd-20-keychain_upgrade.m b/OSX/sec/securityd/Regressions/secd-20-keychain_upgrade.m index 3e758520..a333f310 100644 --- a/OSX/sec/securityd/Regressions/secd-20-keychain_upgrade.m +++ b/OSX/sec/securityd/Regressions/secd-20-keychain_upgrade.m @@ -78,6 +78,7 @@ keychain_upgrade(bool musr, const char *dbname) (id)kSecClass : (id)kSecClassGenericPassword, (id)kSecAttrAccount : @"system-label-me", (id)kSecUseSystemKeychain : (id)kCFBooleanTrue, + (id)kSecValueData : [NSData dataWithBytes:"some data" length:9], }, NULL); is(res, 0, "SecItemAdd(system)"); #endif @@ -89,6 +90,7 @@ keychain_upgrade(bool musr, const char *dbname) res = SecItemAdd((CFDictionaryRef)@{ (id)kSecClass : (id)kSecClassGenericPassword, (id)kSecAttrAccount : @"user-label-me", + (id)kSecValueData : [NSData dataWithBytes:"some data" length:9], }, NULL); is(res, 0, "SecItemAdd(user)"); diff --git a/OSX/sec/securityd/Regressions/secd-21-transmogrify.m b/OSX/sec/securityd/Regressions/secd-21-transmogrify.m index 00eeca6a..9ede92db 100644 
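Review bot: The call to `ids_test_sync` in tests() (@@ -375 hunk) is commented out rather than removed, and the @@ -50 hunk keeps the helper compiling with `__unused`, with no explanation of why the IDS sync step no longer runs. Either delete the helper together with the call, or leave a reason at the call site, for example `// IDS sync disabled: test accounts are now created with the KVS transport` (if that is the reason; the diff does not say). If ids_test_sync contained test assertions, the `plan_tests` count for this file has to drop accordingly, and no hunk here changes it.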
--- a/OSX/sec/securityd/Regressions/secd-21-transmogrify.m +++ b/OSX/sec/securityd/Regressions/secd-21-transmogrify.m @@ -79,6 +79,7 @@ secd_21_transmogrify(int argc, char *const *argv) res = SecItemAdd((CFDictionaryRef)@{ (id)kSecClass : (id)kSecClassGenericPassword, (id)kSecAttrAccount : @"user-label-me", + (id)kSecValueData : [NSData dataWithBytes:"password" length:8] }, NULL); is(res, 0, "SecItemAdd(user)"); @@ -108,6 +109,7 @@ secd_21_transmogrify(int argc, char *const *argv) (id)kSecAttrAccount : @"user-label-me", (id)kSecUseSystemKeychain : (id)kCFBooleanTrue, (id)kSecReturnAttributes : (id)kCFBooleanTrue, + (id)kSecReturnData : @(YES) }, (CFTypeRef *)&result); is(res, 0, "SecItemCopyMatching(system)"); @@ -115,6 +117,9 @@ secd_21_transmogrify(int argc, char *const *argv) if (isDictionary(result)) { NSData *data = ((__bridge NSDictionary *)result)[@"musr"]; ok([data isEqual:(__bridge id)SecMUSRGetSystemKeychainUUID()], "item is system keychain"); + + NSData* passwordData = [(__bridge NSDictionary*)result valueForKey:(id)kSecValueData]; + ok([passwordData isEqual:[NSData dataWithBytes:"password" length:8]], "no data found in transmogrified item"); } else { ok(0, "returned item is: %@", result); } @@ -129,6 +134,7 @@ secd_21_transmogrify(int argc, char *const *argv) (id)kSecAttrAccessGroup : @"com.apple.ProtectedCloudStorage", (id)kSecAttrAccessible : (id)kSecAttrAccessibleAfterFirstUnlock, (id)kSecAttrAccount : @"pcs-label-me", + (id)kSecValueData : [NSData dataWithBytes:"some data" length:9], }, &client, NULL, NULL); is(res, true, "SecItemAdd(user)"); 
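Review bot: The description of the new `ok()` in the @@ -115 hunk, `"no data found in transmogrified item"`, names the failure, while the neighbouring checks name the expected condition (`"item is system keychain"`); something like `"transmogrified item still carries its data"` would read correctly in the test output. This file gains two assertions (this one and the one in the @@ -136 hunk), but no hunk updates a `plan_tests` count, which should be checked if the file declares a fixed plan. The literal `"password"` with `length:8` is also written out twice, once in the add (@@ -79) and once in the comparison; a shared `NSData *` local would keep the two in step.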
@@ -136,10 +142,12 @@ secd_21_transmogrify(int argc, char *const *argv) (id)kSecClass : (id)kSecClassGenericPassword, (id)kSecAttrAccount : @"pcs-label-me", (id)kSecReturnAttributes : (id)kCFBooleanTrue, + (id)kSecReturnData : @(YES), }, &client, (CFTypeRef *)&result, &error); is(res, true, "SecItemCopyMatching(system): %@", error); ok(isDictionary(result), "result is dictionary"); + ok([[(__bridge NSDictionary*)result valueForKey:(__bridge id)kSecValueData] isEqual:[NSData dataWithBytes:"some data" length:9]], "retrieved data matches stored data"); /* Check that data are in 502 active user keychain */ ok (CFEqualSafe(((__bridge CFDataRef)((__bridge NSDictionary *)result)[@"musr"]), musr), "not in msr 502"); diff --git a/OSX/sec/securityd/Regressions/secd-36-ks-encrypt.m b/OSX/sec/securityd/Regressions/secd-36-ks-encrypt.m index ed3cb12a..d13d6f3d 100644 --- a/OSX/sec/securityd/Regressions/secd-36-ks-encrypt.m +++ b/OSX/sec/securityd/Regressions/secd-36-ks-encrypt.m @@ -40,6 +40,8 @@ int secd_36_ks_encrypt(int argc, char *const *argv) { plan_tests(8); + secd_test_setup_temp_keychain("secd_36_ks_encrypt", NULL); + keybag_handle_t keybag; keybag_state_t state; CFDictionaryRef data = NULL; @@ -64,7 +66,7 @@ int secd_36_ks_encrypt(int argc, char *const *argv) ok(ac = SecAccessControlCreate(NULL, &error), "SecAccessControlCreate: %@", error); ok(SecAccessControlSetProtection(ac, kSecAttrAccessibleWhenUnlocked, &error), "SecAccessControlSetProtection: %@", error); - ret = ks_encrypt_data(keybag, ac, NULL, data, NULL, &enc, true, &error); + ret = ks_encrypt_data(keybag, ac, NULL, data, (__bridge CFDictionaryRef)@{@"persistref" : @"aaa-bbb-ccc"}, NULL, &enc, true, &error); is(true, ret); CFReleaseNull(ac); 
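Review bot: The data check added in the @@ -136 hunk casts `result` to `NSDictionary *` and sends `valueForKey:` regardless of the `isDictionary(result)` assertion on the line above, unlike the @@ -115 hunk, where the equivalent check sits inside `if (isDictionary(result))`. If the query ever returns a non-dictionary object, `valueForKey:` raises instead of producing a failed assertion. Guarding it keeps the failure in the test report: `NSDictionary *item = isDictionary(result) ? (__bridge NSDictionary *)result : nil;` and then compare `item[(__bridge id)kSecValueData]`. The musr check that follows uses the same unguarded cast.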
@@ -73,10 +75,11 @@ int secd_36_ks_encrypt(int argc, char *const *argv) CFMutableDictionaryRef attributes = NULL; uint32_t version = 0; - ret = ks_decrypt_data(keybag, kAKSKeyOpDecrypt, &ac, NULL, enc, NULL, NULL, &attributes, &version, &error); + ret = ks_decrypt_data(keybag, kAKSKeyOpDecrypt, &ac, NULL, enc, NULL, NULL, &attributes, &version, true, NULL, &error); is(true, ret, "ks_decrypt_data: %@", error); - ok(CFEqual(SecAccessControlGetProtection(ac), kSecAttrAccessibleWhenUnlocked), "AccessControl protection is: %@", SecAccessControlGetProtection(ac)); + CFTypeRef aclProtection = ac ? SecAccessControlGetProtection(ac) : NULL; + ok(aclProtection && CFEqual(aclProtection, kSecAttrAccessibleWhenUnlocked), "AccessControl protection is: %@", aclProtection); CFReleaseNull(ac); } diff --git a/OSX/sec/securityd/Regressions/secd-50-message.m b/OSX/sec/securityd/Regressions/secd-50-message.m index 14d92407..418b8133 100644 --- a/OSX/sec/securityd/Regressions/secd-50-message.m +++ b/OSX/sec/securityd/Regressions/secd-50-message.m @@ -124,6 +124,8 @@ __unused static void testDeltaManifestMessage(const char *test_directive, const CFReleaseNull(error); ok(sentMessage = SOSMessageCreateWithManifests(kCFAllocatorDefault, proposed, base, proposed, true, &error), "sentMessage create: %@", error); + CFReleaseNull(base); + CFReleaseNull(proposed); CFReleaseNull(error); ok(data = SOSMessageCreateData(sentMessage, msgid, &error), "sentMessage data create: %@ .. %@", error, sentMessage); CFReleaseNull(error); 
@@ -182,6 +184,8 @@ __unused static void testObjectsMessage(const char *test_directive, const char * proposed = SOSManifestCreateWithBytes((const uint8_t *)dv2.digest, dv2.count * SOSDigestSize, &error); CFReleaseNull(error); ok(sentMessage = SOSMessageCreateWithManifests(kCFAllocatorDefault, proposed, base, proposed, true, &error), "sentMessage create: %@", error); + CFReleaseNull(base); + CFReleaseNull(proposed); CFDataRef O0, O1, O2, O3; CFDataRef o0 = CFDataCreate(kCFAllocatorDefault, NULL, 0); O0 = testCopyAddedObject(sentMessage, o0); diff --git a/OSX/sec/securityd/Regressions/secd-52-offering-gencount-reset.m b/OSX/sec/securityd/Regressions/secd-52-offering-gencount-reset.m index 2368bba2..1425ec83 100644 --- a/OSX/sec/securityd/Regressions/secd-52-offering-gencount-reset.m +++ b/OSX/sec/securityd/Regressions/secd-52-offering-gencount-reset.m @@ -159,9 +159,10 @@ static void tests(void) is([alice_account getCircleStatus:&error],kSOSCCNotInCircle,"alice is not in the account (%@)", error); is([bob_account getCircleStatus:&error], kSOSCCNotInCircle,"bob is not in the account (%@)", error); is([carol_account getCircleStatus:&error], kSOSCCInCircle,"carol is in the account (%@)", error); - + CFReleaseNull(gencount); CFReleaseNull(cfpassword); + CFReleaseNull(user_privkey); alice_account = nil; bob_account = nil; carol_account = nil; diff --git a/OSX/sec/securityd/Regressions/secd-55-account-incompatibility.m b/OSX/sec/securityd/Regressions/secd-55-account-incompatibility.m index d4177ade..e5c66d62 100644 --- a/OSX/sec/securityd/Regressions/secd-55-account-incompatibility.m +++ b/OSX/sec/securityd/Regressions/secd-55-account-incompatibility.m @@ -94,7 +94,8 @@ static void tests(void) CFReleaseNull(incompatibleDER); is(ProcessChangesUntilNoChange(changes, alice_account, NULL), 1, "updates"); - + + CFReleaseNull(changes); alice_account = nil; bob_account = nil; carol_account = nil; 
diff --git a/OSX/sec/securityd/Regressions/secd-60-account-cloud-identity.m b/OSX/sec/securityd/Regressions/secd-60-account-cloud-identity.m index 0554e696..9bd82500 100644 --- a/OSX/sec/securityd/Regressions/secd-60-account-cloud-identity.m +++ b/OSX/sec/securityd/Regressions/secd-60-account-cloud-identity.m @@ -59,6 +59,7 @@ static bool purgeICloudIdentity(SOSAccount* account) { SOSFullPeerInfoRef icfpi = SOSCircleCopyiCloudFullPeerInfoRef([account.trust getCircle:NULL], NULL); if(!icfpi) return false; retval = SOSFullPeerInfoPurgePersistentKey(icfpi, NULL); + CFReleaseNull(icfpi); return retval; } @@ -261,11 +262,16 @@ static void tests(void) CFDataRef public_key_hash = SecKeyCopyPublicKeyHash(publicKey); ok(public_key_hash != NULL, "hash is not null"); + CFReleaseNull(publicKey); + SOSAccount* margaret_account = CreateAccountForLocalChanges(CFSTR("margaret"), CFSTR("TestSource")); ok(SOSAccountAssertUserCredentialsAndUpdate(margaret_account, cfaccount, cfpassword, &error), "Credential setting (%@)", error); ok(SOSAccountJoinCirclesAfterRestore_wTxn(margaret_account, &error), "Carole cloud identity joins (%@)", error); + CFReleaseNull(identityArray); + CFReleaseNull(changes); + CFReleaseNull(error); CFReleaseNull(public_key_hash); CFReleaseNull(cfpassword); CFReleaseNull(privKey); diff --git a/OSX/sec/securityd/Regressions/secd-700-sftm.m b/OSX/sec/securityd/Regressions/secd-700-sftm.m new file mode 100644 index 00000000..49280848 --- /dev/null +++ b/OSX/sec/securityd/Regressions/secd-700-sftm.m 
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2017 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+//
+// secd-700-sftm.m
+//
+
+#import
+#import "secd_regressions.h"
+#import "SecdTestKeychainUtilities.h"
+
+#import "keychain/Signin Metrics/SFTransactionMetric.h"
+
+static void test()
+{
+ SFTransactionMetric *metric = [[SFTransactionMetric alloc] initWithUUID:@"UUID" category:@"CoreCDP"];
+ NSError *error = [[NSError alloc] initWithDomain:@"TestErrorDomain" code:42 userInfo:@{}];
+ [metric logError:error];
+
+ NSDictionary* eventAttributes = @{@"wait for initial sync time" : @"90 s", @"event result" : @"success"};
+ [metric logEvent:@"event" eventAttributes:eventAttributes];
+
+ NSDictionary *query = @{
+ (id)kSecClass : (id)kSecClassGenericPassword,
+ (id)kSecAttrLabel : @"TestLabel",
+ (id)kSecAttrAccessGroup : @"com.apple.security.wiiss",
+ };
+
+ [metric timeEvent:@"Adding item to keychain" blockToTime:^{
+ CFTypeRef result;
+ SecItemAdd((__bridge CFDictionaryRef)query, &result);
+ }];
+
+ [metric signInCompleted];
+}
+
+int secd_700_sftm(int argc, char *const *argv)
+{ + plan_tests(1); + + secd_test_setup_temp_keychain(__FUNCTION__, NULL); + + test(); + + return 0; +} diff --git a/OSX/sec/securityd/Regressions/secd-76-idstransport.m b/OSX/sec/securityd/Regressions/secd-76-idstransport.m index 5ab0c1aa..164c56f0 100644 --- a/OSX/sec/securityd/Regressions/secd-76-idstransport.m +++ b/OSX/sec/securityd/Regressions/secd-76-idstransport.m @@ -57,7 +57,7 @@ -static int kTestTestCount = 90; +static int kTestTestCount = 73; static void tests() { diff --git a/OSX/sec/securityd/Regressions/secd-81-item-acl-stress.m b/OSX/sec/securityd/Regressions/secd-81-item-acl-stress.m index 54163ddc..921af46b 100644 --- a/OSX/sec/securityd/Regressions/secd-81-item-acl-stress.m +++ b/OSX/sec/securityd/Regressions/secd-81-item-acl-stress.m @@ -202,6 +202,8 @@ static void fillItem(CFMutableDictionaryRef item, uint32_t num) CFDictionarySetValue(item, attr, value); CFReleaseSafe(value); }); + + CFDictionarySetValue(item, kSecValueData, (__bridge CFDataRef)[NSData dataWithBytes:"some data" length:9]); } static void tests(bool isPasscodeSet) diff --git a/OSX/sec/securityd/Regressions/secd-81-item-acl.m b/OSX/sec/securityd/Regressions/secd-81-item-acl.m index a1fb2dae..4db56a5c 100644 --- a/OSX/sec/securityd/Regressions/secd-81-item-acl.m +++ b/OSX/sec/securityd/Regressions/secd-81-item-acl.m @@ -192,6 +192,8 @@ static void fillItem(CFMutableDictionaryRef item, uint32_t num) CFDictionarySetValue(item, attr, value); CFReleaseSafe(value); }); + + CFDictionarySetValue(item, kSecValueData, (__bridge CFDataRef)[NSData dataWithBytes:"some data" length:9]); } #if LA_CONTEXT_IMPLEMENTED 
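Review bot: `plan_tests(1)` in `secd_700_sftm` promises one test, but `test()` never calls `ok`, `is` or `ok_status`, so the plan and the executed count cannot match and nothing about `SFTransactionMetric` is actually checked. Inside the `timeEvent:` block the `SecItemAdd` status is discarded, and `result` is declared uninitialised and never released. Since the query asks for no return value, `ok_status(SecItemAdd((__bridge CFDictionaryRef)query, NULL), "add item to keychain");` would supply the planned assertion and drop the unused out-parameter.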
@@ -266,7 +268,9 @@ static void item_with_application_password(uint32_t *item_num) CFDictionarySetValue(item, kSecUseCredentialReference, credRefData); ok_status(SecItemAdd(item, NULL), "add local - acl with application password and user present"); LASetErrorCodeBlock(authFailedBlock); + CFDictionarySetValue(item, kSecReturnData, kCFBooleanTrue); is_status(SecItemCopyMatching(item, NULL), errSecAuthFailed, "find local - acl with application password and user present"); + CFDictionaryRemoveValue(item, kSecReturnData); LASetErrorCodeBlock(okBlock); set_app_password(acmContext); ok_status(SecItemDelete(item), "delete local - acl with application password and user present"); diff --git a/OSX/sec/securityd/Regressions/secd60-account-cloud-exposure.m b/OSX/sec/securityd/Regressions/secd60-account-cloud-exposure.m index 23a59fb4..ca6f7fd9 100644 --- a/OSX/sec/securityd/Regressions/secd60-account-cloud-exposure.m +++ b/OSX/sec/securityd/Regressions/secd60-account-cloud-exposure.m @@ -65,9 +65,11 @@ static bool SOSAccountResetCircleToNastyOffering(SOSAccount* account, SecKeyRef SecKeyRef userPub = SecKeyCreatePublicFromPrivate(userPriv); SOSAccountTrustClassic *trust = account.trust; if(!SOSAccountHasCircle(account, error)){ + CFReleaseNull(userPub); return result; } if(![account.trust ensureFullPeerAvailable:(__bridge CFDictionaryRef)(account.gestalt) deviceID:(__bridge CFStringRef)(account.deviceID) backupKey:(__bridge CFDataRef)(account.backup_key) err:error]){ + CFReleaseNull(userPub); return result; } (void) [account.trust resetAllRings:account err:error]; 
@@ -88,17 +90,22 @@ static bool SOSAccountResetCircleToNastyOffering(SOSAccount* account, SecKeyRef [trust setDepartureCode:kSOSNeverLeftCircle]; result = true; - [trust setTrustedCircle:SOSCircleCopyCircle(kCFAllocatorDefault, circle, error)]; + SOSCircleRef copiedCircle = SOSCircleCopyCircle(kCFAllocatorDefault, circle, error); // I don't think this copy is necessary, but... + [trust setTrustedCircle:copiedCircle]; + CFReleaseNull(copiedCircle); SOSAccountPublishCloudParameters(account, NULL); trust.fullPeerInfo = nil; err_out: - if (result == false) - secerror("error resetting circle (%@) to offering: %@", circle, localError); + if (result == false) { + secerror("error resetting circle (%@) to offering: %@", circle, localError); + } if (localError && error && *error == NULL) { *error = localError; localError = NULL; } + + CFReleaseNull(iCloudfpi); CFReleaseNull(localError); return result; }]; diff --git a/OSX/sec/securityd/Regressions/secd_77_ids_messaging.m b/OSX/sec/securityd/Regressions/secd_77_ids_messaging.m index 862be40d..a23cdabb 100644 --- a/OSX/sec/securityd/Regressions/secd_77_ids_messaging.m +++ b/OSX/sec/securityd/Regressions/secd_77_ids_messaging.m @@ -62,7 +62,7 @@ static bool SOSAccountIsThisPeerIDMe(SOSAccount* account, CFStringRef peerID) { return myPeerID && CFEqualSafe(myPeerID, peerID); } -static void ids_test_sync(SOSAccount* alice_account, SOSAccount* bob_account){ +__unused static void ids_test_sync(SOSAccount* alice_account, SOSAccount* bob_account){ CFMutableDictionaryRef changes = CFDictionaryCreateMutableForCFTypes(kCFAllocatorDefault); __block bool SyncingCompletedOverIDS = false; @@ -275,7 +275,7 @@ static void tests() ok(SOSAccountEnsurePeerRegistration(bob_account, NULL), "ensure peer registration - bob"); - ids_test_sync(alice_account, bob_account); + //ids_test_sync(alice_account, bob_account); CFReleaseNull(bob_dsid); CFReleaseNull(alice_dsid); 
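Review bot: In secd_77_ids_messaging.m the call in `tests()` is disabled by commenting it out (`//ids_test_sync(alice_account, bob_account);`) and the helper is only silenced with `__unused` in the `@@ -62,7 +62,7 @@` hunk, with no reason given. Commented-out code in a regression test hides lost coverage; either delete the helper or keep the line with an explanatory comment such as `// FIXME(<tracking-id>): ids_test_sync disabled because <reason>`. The test plan count for this file lies outside both hunks, so confirm it was lowered to match the assertions that no longer run.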
diff --git a/OSX/sec/securityd/Regressions/secd_regressions.h b/OSX/sec/securityd/Regressions/secd_regressions.h index 845ccbf1..70a8fe41 100644 --- a/OSX/sec/securityd/Regressions/secd_regressions.h +++ b/OSX/sec/securityd/Regressions/secd_regressions.h @@ -97,5 +97,6 @@ ONE_TEST(secd_200_logstate) ONE_TEST(secd_201_coders) ONE_TEST(secd_202_recoverykey) ONE_TEST(secd_210_keyinterest) +ONE_TEST(secd_700_sftm) DISABLED_ONE_TEST(secd_230_keybagtable) diff --git a/OSX/sec/securityd/SFKeychainControlManager.h b/OSX/sec/securityd/SFKeychainControlManager.h new file mode 100644 index 00000000..52f06c67 --- /dev/null +++ b/OSX/sec/securityd/SFKeychainControlManager.h 
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 2017 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#include
+
+XPC_RETURNS_RETAINED _Nullable xpc_endpoint_t SecServerCreateKeychainControlEndpoint(void);
+
+#ifdef __OBJC__
+
+#import "SFKeychainControl.h"
+#import
+
+NS_ASSUME_NONNULL_BEGIN
+
+@interface SFKeychainControlManager : NSObject
+
++ (instancetype)sharedManager;
+
+- (NSArray*)findCorruptedItemsWithError:(NSError**)error;
+- (bool)deleteCorruptedItemsWithError:(NSError**)error;
+
+- (nullable xpc_endpoint_t)xpcControlEndpoint;
+
+NS_ASSUME_NONNULL_END
+
+@end
+
+#endif
diff --git a/OSX/sec/securityd/SFKeychainControlManager.m b/OSX/sec/securityd/SFKeychainControlManager.m
new file mode 100644
index 00000000..ede2edda
--- /dev/null
+++ b/OSX/sec/securityd/SFKeychainControlManager.m
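Review bot: The new `SFKeychainControlManager` interface in SFKeychainControlManager.h is undocumented, and `deleteCorruptedItemsWithError:` is destructive, so its contract should be written where callers will read it. Suggested comments: above `findCorruptedItemsWithError:`, `// Returns one query dictionary per item whose attributes could not be read; *error summarises failed class queries.`, and above `deleteCorruptedItemsWithError:`, `// Deletes every item reported by findCorruptedItemsWithError:; returns false if the search or any delete failed.` `NS_ASSUME_NONNULL_END` is also placed before `@end`; the usual order closes the `@interface` first.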
@@ -0,0 +1,214 @@
+/*
+ * Copyright (c) 2017 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#import "SFKeychainControlManager.h"
+#import "SecCFError.h"
+#import "builtin_commands.h"
+#import "debugging.h"
+#import
+#import
+#import
+
+NSString* kSecEntitlementKeychainControl = @"com.apple.private.keychain.keychaincontrol";
+
+XPC_RETURNS_RETAINED xpc_endpoint_t SecServerCreateKeychainControlEndpoint(void)
+{
+ return [[SFKeychainControlManager sharedManager] xpcControlEndpoint];
+}
+
+@implementation SFKeychainControlManager {
+ NSXPCListener* _listener;
+}
+
++ (instancetype)sharedManager
+{
+ static SFKeychainControlManager* manager = nil;
+ static dispatch_once_t onceToken;
+ dispatch_once(&onceToken, ^{
+ manager = [[SFKeychainControlManager alloc] _init];
+ });
+
+ return manager;
+}
+
+- (instancetype)_init
+{
+ if (self = [super init]) {
+ _listener = [NSXPCListener anonymousListener];
+ _listener.delegate = self;
+ [_listener resume];
+ }
+
+ return self;
+}
+
+- (xpc_endpoint_t)xpcControlEndpoint
+{
+ return [_listener.endpoint _endpoint];
+}
+
+- (BOOL)listener:(NSXPCListener*)listener shouldAcceptNewConnection:(NSXPCConnection*)newConnection
+{
+ NSNumber* entitlementValue = [newConnection valueForEntitlement:kSecEntitlementKeychainControl];
+ if (![entitlementValue isKindOfClass:[NSNumber class]] || !entitlementValue.boolValue) {
+ secerror("SFKeychainControl: Client pid (%d) doesn't have entitlement: %@", newConnection.processIdentifier, kSecEntitlementKeychainControl);
+ return NO;
+ }
+
+ NSXPCInterface* interface = [NSXPCInterface interfaceWithProtocol:@protocol(SFKeychainControl)];
+ [interface setClass:[NSError class] forSelector:@selector(rpcFindCorruptedItemsWithReply:) argumentIndex:1 ofReply:YES];
+ [interface setClass:[NSError class] forSelector:@selector(rpcDeleteCorruptedItemsWithReply:) argumentIndex:1 ofReply:YES];
+ newConnection.exportedInterface = interface;
+ newConnection.exportedObject = self;
+ [newConnection resume];
+ return YES;
+}
+
+- (NSArray*)findCorruptedItemsWithError:(NSError**)error
+{
+ NSMutableArray* corruptedItems = [[NSMutableArray alloc] init];
+ NSMutableArray* underlyingErrors = [[NSMutableArray alloc] init];
+
+ CFTypeRef genericPasswords = NULL;
+ NSDictionary* genericPasswordsQuery = @{ (id)kSecClass : (id)kSecClassGenericPassword,
+ (id)kSecReturnPersistentRef : @(YES),
+ (id)kSecAttrNoLegacy : @(YES),
+ (id)kSecMatchLimit : (id)kSecMatchLimitAll };
+ OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)genericPasswordsQuery, &genericPasswords);
+ CFErrorRef genericPasswordError = NULL;
+ if (status != errSecItemNotFound) {
+ SecError(status, &genericPasswordError, CFSTR("generic password query failed"));
+ if (genericPasswordError) {
+ [underlyingErrors addObject:CFBridgingRelease(genericPasswordError)];
+ }
+ }
+
+ CFTypeRef internetPasswords = NULL;
+ NSDictionary* internetPasswordsQuery = @{ (id)kSecClass : (id)kSecClassInternetPassword,
+ (id)kSecReturnPersistentRef : @(YES),
+ (id)kSecAttrNoLegacy : @(YES),
+ (id)kSecMatchLimit : (id)kSecMatchLimitAll };
+ status = SecItemCopyMatching((__bridge CFDictionaryRef)internetPasswordsQuery, &internetPasswords);
+ CFErrorRef internetPasswordError = NULL;
+ if (status != errSecItemNotFound) {
+ SecError(status, &internetPasswordError, CFSTR("internet password query failed"));
+ if (internetPasswordError) {
+ [underlyingErrors addObject:CFBridgingRelease(internetPasswordError)];
+ }
+ }
+
+ CFTypeRef keys = NULL;
+ NSDictionary* keysQuery = @{ (id)kSecClass : (id)kSecClassKey,
+ (id)kSecReturnPersistentRef : @(YES),
+ (id)kSecAttrNoLegacy : @(YES),
+ (id)kSecMatchLimit : (id)kSecMatchLimitAll };
+ status = SecItemCopyMatching((__bridge CFDictionaryRef)keysQuery, &keys);
+ CFErrorRef keyError = NULL;
+ if (status != errSecItemNotFound) {
+ if (keyError) {
+ [underlyingErrors addObject:CFBridgingRelease(keyError)];
+ }
+ }
+
+ CFTypeRef certificates = NULL;
+ NSDictionary* certificateQuery = @{ (id)kSecClass : (id)kSecClassCertificate,
+ (id)kSecReturnPersistentRef : @(YES),
+ (id)kSecAttrNoLegacy : @(YES),
+ (id)kSecMatchLimit : (id)kSecMatchLimitAll };
+ status = SecItemCopyMatching((__bridge CFDictionaryRef)certificateQuery, &certificates);
+ CFErrorRef certificateError = NULL;
+ if (status != errSecItemNotFound) {
+ SecError(status, &certificateError, CFSTR("certificate query failed"));
+ if (certificateError) {
+ [underlyingErrors addObject:CFBridgingRelease(certificateError)];
+ }
+ }
+
+ void (^scanArrayForCorruptedItem)(CFTypeRef, NSString*) = ^(CFTypeRef items, NSString* class) {
+ if ([(__bridge NSArray*)items isKindOfClass:[NSArray class]]) {
+ NSLog(@"scanning %d %@", (int)CFArrayGetCount(items), class);
+ for (NSData* persistentRef in (__bridge NSArray*)items) {
+ NSDictionary* itemQuery = @{ (id)kSecClass : class,
+ (id)kSecValuePersistentRef : persistentRef,
+ (id)kSecReturnAttributes : @(YES),
+ (id)kSecAttrNoLegacy : @(YES) };
+ CFTypeRef itemAttributes = NULL;
+ OSStatus copyStatus = SecItemCopyMatching((__bridge CFDictionaryRef)itemQuery, &itemAttributes);
+ if (copyStatus != errSecSuccess && status != errSecInteractionNotAllowed) {
+ [corruptedItems addObject:itemQuery];
+ }
+ }
+ }
+ };
+
+ scanArrayForCorruptedItem(genericPasswords, (id)kSecClassGenericPassword);
+ scanArrayForCorruptedItem(internetPasswords, (id)kSecClassInternetPassword);
+ scanArrayForCorruptedItem(keys, (id)kSecClassKey);
+ scanArrayForCorruptedItem(certificates, (id)kSecClassCertificate);
+
+ if (underlyingErrors.count > 0 && error) {
+ *error = [NSError errorWithDomain:@"com.apple.security.keychainhealth" code:1 userInfo:@{ NSLocalizedDescriptionKey : [NSString stringWithFormat:@"encountered %d errors searching for corrupted items", (int)underlyingErrors.count], NSUnderlyingErrorKey : underlyingErrors.firstObject, @"searchingErrorCount" : @(underlyingErrors.count) }];
+ }
+
+ return corruptedItems;
+}
+
+- (bool)deleteCorruptedItemsWithError:(NSError**)error
+{
+ NSError* findError = nil;
+ NSArray* corruptedItems = [self findCorruptedItemsWithError:&findError];
+ bool success = findError == nil;
+
+ NSMutableArray* deleteErrors = [[NSMutableArray alloc] init];
+ for (NSDictionary* corruptedItem in corruptedItems) {
+ OSStatus status = SecItemDelete((__bridge CFDictionaryRef)corruptedItem);
+ if (status != errSecSuccess) {
+ success = false;
+ CFErrorRef deleteError = NULL;
+ SecError(status, &deleteError, CFSTR("failed to delete corrupted item"));
+ [deleteErrors addObject:CFBridgingRelease(deleteError)];
+ }
+ }
+
+ if (error && (findError || deleteErrors.count > 0)) {
+ *error = [NSError errorWithDomain:@"com.apple.security.keychainhealth" code:2 userInfo:@{ NSLocalizedDescriptionKey : [NSString stringWithFormat:@"encountered %@ errors searching for corrupted items and %d errors attempting to delete corrupted items", findError.userInfo[@"searchingErrorCount"], (int)deleteErrors.count]}];
+ }
+
+ return success;
+}
+
+- (void)rpcFindCorruptedItemsWithReply:(void (^)(NSArray* corruptedItems,
NSError* error))reply +{ + NSError* error = nil; + NSArray* corruptedItems = [self findCorruptedItemsWithError:&error]; + reply(corruptedItems, error); +} + +- (void)rpcDeleteCorruptedItemsWithReply:(void (^)(bool success, NSError* error))reply +{ + NSError* error = nil; + bool success = [self deleteCorruptedItemsWithError:&error]; + reply(success, error); +} + +@end diff --git a/OSX/sec/securityd/SOSCloudCircleServer.h b/OSX/sec/securityd/SOSCloudCircleServer.h index c0e0f394..81340ab4 100644 --- a/OSX/sec/securityd/SOSCloudCircleServer.h +++ b/OSX/sec/securityd/SOSCloudCircleServer.h @@ -35,7 +35,7 @@ __BEGIN_DECLS // // MARK: Server versions of our SPI // -bool SOSCCTryUserCredentials_Server(CFStringRef user_label, CFDataRef user_password, CFErrorRef *error); +bool SOSCCTryUserCredentials_Server(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error); bool SOSCCSetUserCredentials_Server(CFStringRef user_label, CFDataRef user_password, CFErrorRef *error); bool SOSCCSetUserCredentialsAndDSID_Server(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error); 
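Review bot: In the `scanArrayForCorruptedItem` block of `findCorruptedItemsWithError:` the guard tests `status != errSecInteractionNotAllowed`, but `status` is the captured result of the earlier certificate query, not the per-item `copyStatus`. An item whose lookup fails with `errSecInteractionNotAllowed` is therefore added to `corruptedItems`, and `deleteCorruptedItemsWithError:` hands that list to `SecItemDelete`, so intact items could be deleted; the condition should read `if (copyStatus != errSecSuccess && copyStatus != errSecInteractionNotAllowed) {`. The keys query also never calls `SecError(status, &keyError, CFSTR("key query failed"));`, so `keyError` stays NULL and a failed key search goes unreported. The four query results and `itemAttributes` are copied but never released.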
@@ -191,11 +191,14 @@ void sync_the_last_data_to_kvs(CFTypeRef account, bool waitForeverForSynchroniza bool SOSCCMessageFromPeerIsPending_Server(SOSPeerInfoRef peer, CFErrorRef *error); bool SOSCCSendToPeerIsPending_Server(SOSPeerInfoRef peer, CFErrorRef *error); -XPC_RETURNS_RETAINED xpc_endpoint_t SOSCCCreateSOSEndpoint_server(CFErrorRef *error); void SOSCCPerformWithOctagonSigningKey(void (^action)(SecKeyRef octagonPrivKey, CFErrorRef error)); +void SOSCCPerformWithOctagonSigningPublicKey(void (^action)(SecKeyRef octagonPublicKey, CFErrorRef error)); void SOSCCPerformWithOctagonEncryptionKey(void (^action)(SecKeyRef octagonPrivEncryptionKey, CFErrorRef error)); +void SOSCCPerformWithOctagonEncryptionPublicKey(void (^action)(SecKeyRef octagonPublicEncryptionKey, CFErrorRef error)); +void SOSCCPerformWithAllOctagonKeys(void (^action)(SecKeyRef octagonEncryptionKey, SecKeyRef octagonSigningKey, CFErrorRef error)); void SOSCCPerformWithTrustedPeers(void (^action)(CFSetRef sosPeerInfoRefs, CFErrorRef error)); +void SOSCCPerformWithPeerID(void (^action)(CFStringRef peerID, CFErrorRef error)); void SOSCCResetOTRNegotiation_Server(CFStringRef peerid); void SOSCCPeerRateLimiterSendNextMessage_Server(CFStringRef peerid, CFStringRef accessGroup); diff --git a/OSX/sec/securityd/SOSCloudCircleServer.m b/OSX/sec/securityd/SOSCloudCircleServer.m index b49cb6ee..c70e58dd 100644 --- a/OSX/sec/securityd/SOSCloudCircleServer.m +++ b/OSX/sec/securityd/SOSCloudCircleServer.m @@ -363,7 +363,8 @@ static void SOSCCProcessGestaltUpdate(SCDynamicStoreRef store, CFArrayRef keys, if(txn.account){ CFDictionaryRef gestalt = CreateDeviceGestaltDictionary(store, keys, context); if ([txn.account.trust updateGestalt:txn.account newGestalt:gestalt]) { - notify_post(kSOSCCCircleChangedNotification); + // we used to notify_post(kSOSCCCircleChangedNotification); + secnotice("circleOps", "Changed our peer's gestalt information. This is not a circle change."); } CFReleaseSafe(gestalt); } 
@@ -454,27 +455,33 @@ static SOSAccount* GetSharedAccount(void) { CFSetRef applicant_additions, CFSetRef applicant_removals) { CFErrorRef pi_error = NULL; SOSPeerInfoRef me = sSharedAccount.peerInfo; - if (!me) { - secerror("Error finding me for change: %@", pi_error); + if(!me) { + secinfo("circleOps", "Change block called with no peerInfo"); + return; + } + + if(!SOSCircleHasPeer(circle, me, NULL)) { + secinfo("circleOps", "Change block called while not in circle"); + return; + } + + // TODO: Figure out why peer_additions isn't right in some cases (like when joining a v2 circle with a v0 peer. + if (CFSetGetCount(peer_additions) != 0) { + secnotice("updates", "Requesting Ensure Peer Registration."); + SOSCloudKeychainRequestEnsurePeerRegistration(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), NULL); } else { - // TODO: Figure out why peer_additions isn't right in some cases (like when joining a v2 circle with a v0 peer. - if (SOSCircleHasPeer(circle, me, NULL) && CFSetGetCount(peer_additions) != 0) { - secnotice("updates", "Requesting Ensure Peer Registration."); - SOSCloudKeychainRequestEnsurePeerRegistration(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), NULL); - } else { - secinfo("updates", "Not requesting Ensure Peer Registration, since it's not needed"); - } - - if (CFSetContainsValue(peer_additions, me)) { - // TODO: Potentially remove from here and move this to the engine - // TODO: We also need to do this when our views change. - CFMutableSetRef peers = SOSCircleCopyPeers(circle, kCFAllocatorDefault); - CFSetRemoveValue(peers, me); - if (!CFSetIsEmpty(peers)) { - SOSCCRequestSyncWithPeers(peers); - } - CFReleaseNull(peers); + secinfo("updates", "Not requesting Ensure Peer Registration, since it's not needed"); + } + + if (CFSetContainsValue(peer_additions, me)) { + // TODO: Potentially remove from here and move this to the engine + // TODO: We also need to do this when our views change. 
+ CFMutableSetRef peers = SOSCircleCopyPeers(circle, kCFAllocatorDefault); + CFSetRemoveValue(peers, me); + if (!CFSetIsEmpty(peers)) { + SOSCCRequestSyncWithPeers(peers); } + CFReleaseNull(peers); } CFReleaseNull(pi_error); @@ -497,6 +504,7 @@ static SOSAccount* GetSharedAccount(void) { CFReleaseNull(localError); CFReleaseNull(removed); } + secnotice("circleOps", "peer counts changed, posting kSOSCCCircleChangedNotification"); notify_post(kSOSCCCircleChangedNotification); } }); @@ -511,10 +519,10 @@ static SOSAccount* GetSharedAccount(void) { CFErrorRef error = NULL; handledKeys = SOSTransportDispatchMessages(txn, changes, &error); - if (!handledKeys) { + if (!handledKeys || error) { secerror("Error handling updates: %@", error); - CFReleaseNull(error); } + CFReleaseNull(error); }); CFReleaseSafe(changes); return handledKeys; @@ -546,12 +554,14 @@ CFTypeRef GetSharedAccountRef(void) } static void do_with_account(void (^action)(SOSAccountTransaction* txn)) { - SOSAccount* account = GetSharedAccount(); + @autoreleasepool { + SOSAccount* account = GetSharedAccount(); - if(account){ - [account performTransaction:^(SOSAccountTransaction * _Nonnull txn) { - action(txn); - }]; + if(account){ + [account performTransaction:^(SOSAccountTransaction * _Nonnull txn) { + action(txn); + }]; + } } } @@ -613,6 +623,7 @@ static bool do_with_account_if_after_first_unlock(CFErrorRef *error, bool (^acti notify_post(kSOSCCCircleChangedNotification); notify_post(kSOSCCViewMembershipChangedNotification); } + CFReleaseNull(cferror); }); }); 
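Review bot: The two new early `return`s in the change block (no `peerInfo`, and `!SOSCircleHasPeer(circle, me, NULL)`) leave the block before anything that follows, whereas the old `if (!me) { … } else { … }` fell through. The block continues outside this hunk, and the next hunk (`@@ -497,6 +504,7 @@`) appears to sit in the same block where `kSOSCCCircleChangedNotification` is posted; if so, a change that removes this peer from the circle would no longer post it. Please confirm that is intended, or narrow the guards so that only the registration and sync requests are skipped. `pi_error` is never assigned in the visible lines, so it and its `CFReleaseNull` could be dropped.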
@@ -723,10 +734,13 @@ CFTypeRef SOSKeychainAccountGetSharedAccount() // Mark: Credential processing // - -bool SOSCCTryUserCredentials_Server(CFStringRef user_label, CFDataRef user_password, CFErrorRef *error) -{ +bool SOSCCTryUserCredentials_Server(CFStringRef user_label, CFDataRef user_password, CFStringRef dsid, CFErrorRef *error) { + secnotice("updates", "Trying credentials and dsid (%@) for %@", dsid, user_label); + return do_with_account_if_after_first_unlock(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) { + if (dsid != NULL && CFStringCompare(dsid, CFSTR(""), 0) != 0) { + SOSAccountAssertDSID(txn.account, dsid); + } return SOSAccountTryUserCredentials(txn.account, user_label, user_password, block_error); }); } @@ -1226,7 +1240,7 @@ bool SOSCCRemovePeersFromCircle_Server(CFArrayRef peers, CFErrorRef* error) bool SOSCCLoggedOutOfAccount_Server(CFErrorRef *error) { return do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) { - secnotice("sosops", "Signed out of account!"); + secnotice("circleOps", "Signed out of account!"); bool waitForeverForSynchronization = true; @@ -1548,7 +1562,7 @@ CFDataRef SOSWrapToBackupSliceKeyBag(SOSBackupSliceKeyBagRef bskb, CFDataRef inp CFMutableDictionaryRef plaintext = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); CFDictionarySetValue(plaintext, CFSTR("data"), input); - require_quiet(ks_encrypt_data(bskb_handle, access, NULL, plaintext, NULL, &encrypted, false, error), exit); + require_quiet(ks_encrypt_data_legacy(bskb_handle, access, NULL, plaintext, NULL, &encrypted, false, error), exit); exit: CFReleaseNull(bskb); 
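Review bot: In `SOSCCTryUserCredentials_Server`, `SOSAccountAssertDSID(txn.account, dsid)` runs before `SOSAccountTryUserCredentials` has checked the password, so whatever it changes on the account happens even when the try fails. Its body is not visible here; if it can reset or re-key account state on a DSID mismatch, a function named Try should validate first and assert the DSID only on success. The new `secnotice` also writes the DSID and user label to the log on every attempt; consider logging only whether a DSID was supplied.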
@@ -1788,17 +1802,20 @@ bool SOSCCDeleteEngineState_Server(CFErrorRef* error) SOSPeerInfoRef SOSCCSetNewPublicBackupKey_Server(CFDataRef newPublicBackup, CFErrorRef *error){ __block SOSPeerInfoRef result = NULL; + secnotice("devRecovery", "SOSCCSetNewPublicBackupKey_Server acquiring account lock"); (void) do_with_account_while_unlocked(error, ^bool (SOSAccountTransaction* txn, CFErrorRef* block_error) { + secnotice("devRecovery", "SOSCCSetNewPublicBackupKey_Server acquired account lock"); if(SOSAccountSetBackupPublicKey(txn,newPublicBackup, error)){ + secnotice("devRecovery", "SOSCCSetNewPublicBackupKey_Server, new public backup is set in account"); [txn restart]; // Finish the transaction to update any changes to the peer info. // Create a copy to be DERed/sent back to client result = SOSPeerInfoCreateCopy(kCFAllocatorDefault, txn.account.peerInfo, block_error); - secdebug("backup", "SOSCCSetNewPublicBackupKey_Server, new public backup is set"); + secnotice("devRecovery", "SOSCCSetNewPublicBackupKey_Server, new public backup is set and pushed"); } else { - secerror("SOSCCSetNewPublicBackupKey_Server, could not set new public backup"); + secnotice("devRecovery", "SOSCCSetNewPublicBackupKey_Server, could not set new public backup"); } return result != NULL; }); @@ -2060,12 +2077,13 @@ SOSPeerInfoRef SOSCCCopyApplication_Server(CFErrorRef *error) { } bool SOSCCCleanupKVSKeys_Server(CFErrorRef *error) { - __block bool result = false; - do_with_account_while_unlocked(error, ^bool(SOSAccountTransaction* txn, CFErrorRef *error) { + bool result = do_with_account_while_unlocked(error, ^bool(SOSAccountTransaction* txn, CFErrorRef *error) { return SOSAccountCleanupAllKVSKeys(txn.account, error); }); + if(result && error && *error) { + CFReleaseNull(*error); + } return result; - } bool SOSCCTestPopulateKVSWithBadKeys_Server(CFErrorRef *error) 
@@ -2147,7 +2165,7 @@ void SOSCCResetOTRNegotiation_Server(CFStringRef peerid) { CFErrorRef localError = NULL; do_with_account_while_unlocked(&localError, ^bool(SOSAccountTransaction* txn, CFErrorRef *error) { - SOSAccountResetOTRNegotiationCoder(txn, peerid); + SOSAccountResetOTRNegotiationCoder(txn.account, peerid); return true; }); if(localError) @@ -2169,19 +2187,26 @@ void SOSCCPeerRateLimiterSendNextMessage_Server(CFStringRef peerid, CFStringRef } } -XPC_RETURNS_RETAINED xpc_endpoint_t -SOSCCCreateSOSEndpoint_server(CFErrorRef *error) +void SOSCCPerformWithOctagonSigningKey(void (^action)(SecKeyRef octagonPrivSigningKey, CFErrorRef error)) { - SOSAccount* account = (__bridge SOSAccount *)(SOSKeychainAccountGetSharedAccount()); - return [account xpcControlEndpoint]; + CFErrorRef error = NULL; + do_with_account_if_after_first_unlock(&error, ^bool(SOSAccountTransaction *txn, CFErrorRef *err) { + SOSFullPeerInfoRef fpi = txn.account.trust.fullPeerInfo; + SecKeyRef signingKey = SOSFullPeerInfoCopyOctagonSigningKey(fpi, err); + CFErrorRef errorArg = err ? *err : NULL; + action(signingKey, errorArg); + CFReleaseNull(signingKey); + return true; + }); + CFReleaseNull(error); } -void SOSCCPerformWithOctagonSigningKey(void (^action)(SecKeyRef octagonPrivSigningKey, CFErrorRef error)) +void SOSCCPerformWithOctagonSigningPublicKey(void (^action)(SecKeyRef octagonPublicKey, CFErrorRef error)) { CFErrorRef error = NULL; do_with_account_if_after_first_unlock(&error, ^bool(SOSAccountTransaction *txn, CFErrorRef *err) { SOSFullPeerInfoRef fpi = txn.account.trust.fullPeerInfo; - SecKeyRef signingKey = SOSFullPeerInfoCopyOctagonSigningKey(fpi, err); + SecKeyRef signingKey = SOSFullPeerInfoCopyOctagonPublicSigningKey(fpi, err); CFErrorRef errorArg = err ? *err : NULL; action(signingKey, errorArg); CFReleaseNull(signingKey); 
@@ -2204,6 +2229,52 @@ void SOSCCPerformWithOctagonEncryptionKey(void (^action)(SecKeyRef octagonPrivEn CFReleaseNull(error); } +void SOSCCPerformWithOctagonEncryptionPublicKey(void (^action)(SecKeyRef octagonPublicEncryptionKey, CFErrorRef error)) +{ + CFErrorRef error = NULL; + do_with_account_if_after_first_unlock(&error, ^bool(SOSAccountTransaction *txn, CFErrorRef *err) { + SOSFullPeerInfoRef fpi = txn.account.trust.fullPeerInfo; + SecKeyRef signingKey = SOSFullPeerInfoCopyOctagonPublicEncryptionKey(fpi, err); + CFErrorRef errorArg = err ? *err : NULL; + action(signingKey, errorArg); + CFReleaseNull(signingKey); + return true; + }); + CFReleaseNull(error); +} + +void SOSCCPerformWithAllOctagonKeys(void (^action)(SecKeyRef octagonEncryptionKey, SecKeyRef octagonSigningKey, CFErrorRef error)) +{ + CFErrorRef localError = NULL; + do_with_account_if_after_first_unlock(&localError, ^bool(SOSAccountTransaction *txn, CFErrorRef *err) { + SecKeyRef encryptionKey = NULL; + SecKeyRef signingKey = NULL; + CFErrorRef errorArg = err ? 
*err : NULL; + + SOSFullPeerInfoRef fpi = txn.account.trust.fullPeerInfo; + require_action_quiet(fpi, fail, secerror("device does not have a peer"); SOSCreateError(kSOSErrorPeerNotFound, CFSTR("No Peer for Account"), NULL, &errorArg)); + + signingKey = SOSFullPeerInfoCopyOctagonSigningKey(fpi, &errorArg); + require_action_quiet(signingKey && !errorArg, fail, secerror("SOSCCPerformWithAllOctagonKeys signing key error: %@", errorArg)); + CFReleaseNull(errorArg); + + encryptionKey = SOSFullPeerInfoCopyOctagonEncryptionKey(fpi, &errorArg); + require_action_quiet(encryptionKey && !errorArg, fail, secerror("SOSCCPerformWithAllOctagonKeys encryption key error: %@", errorArg)); + + action(encryptionKey, signingKey, errorArg); + CFReleaseNull(signingKey); + CFReleaseNull(encryptionKey); + CFReleaseNull(errorArg); + return true; + fail: + action(NULL, NULL, errorArg); + CFReleaseNull(errorArg); + CFReleaseNull(signingKey); + CFReleaseNull(encryptionKey); + return true; + }); + CFReleaseNull(localError); +} void SOSCCPerformWithTrustedPeers(void (^action)(CFSetRef sosPeerInfoRefs, CFErrorRef error)) { CFErrorRef cfAccountError = NULL; @@ -2220,3 +2291,23 @@ void SOSCCPerformWithTrustedPeers(void (^action)(CFSetRef sosPeerInfoRefs, CFErr CFReleaseNull(cfAccountError); } +void SOSCCPerformWithPeerID(void (^action)(CFStringRef peerID, CFErrorRef error)) +{ + CFErrorRef cfAccountError = NULL; + do_with_account_if_after_first_unlock(&cfAccountError, ^bool(SOSAccountTransaction *txn, CFErrorRef *cferror) { + SOSAccount* account = txn.account; + NSString* peerID = nil; + CFErrorRef localError = nil; + + if([account getCircleStatus:nil] == kSOSCCInCircle){ + peerID = [txn.account peerID]; + } + else{ + SOSErrorCreate(kSOSErrorNoCircle, &localError, NULL, CFSTR("Not in circle")); + } + action((__bridge CFStringRef)peerID, localError); + CFReleaseNull(localError); + return true; + }); + CFReleaseNull(cfAccountError); +} 
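Review bot: In `SOSCCPerformWithAllOctagonKeys`, `errorArg` starts as a borrowed copy of `*err` and is later passed to `CFReleaseNull`, so a non-NULL `*err` on entry would be released without being owned while `*err` still points at it. Start from `CFErrorRef errorArg = NULL;` so the local only ever holds errors created inside this block. The block also returns `true` on the `fail:` path and never writes `*err`, so the outer `localError` cannot carry these failures; that is acceptable only while `action` is the sole error channel. In `SOSCCPerformWithOctagonEncryptionPublicKey`, in the same hunk, the local holding the encryption key is still named `signingKey`.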
diff --git a/OSX/sec/securityd/SecCAIssuerCache.c b/OSX/sec/securityd/SecCAIssuerCache.c index d5f593f7..3481cf58 100644 --- a/OSX/sec/securityd/SecCAIssuerCache.c +++ b/OSX/sec/securityd/SecCAIssuerCache.c @@ -27,6 +27,7 @@ */ #include +#include #include #include #include @@ -186,7 +187,7 @@ static int SecCAIssuerCacheCommitTxn(SecCAIssuerCacheRef this) { static SecCAIssuerCacheRef SecCAIssuerCacheCreate(const char *db_name) { SecCAIssuerCacheRef this; - int s3e; + int s3e = SQLITE_OK; bool create = true; require(this = (SecCAIssuerCacheRef)calloc(sizeof(struct __SecCAIssuerCache), 1), errOut); @@ -237,6 +238,9 @@ static SecCAIssuerCacheRef SecCAIssuerCacheCreate(const char *db_name) { return this; errOut: + if (s3e != SQLITE_OK) { + TrustdHealthAnalyticsLogErrorCodeForDatabase(TACAIssuerCache, TAOperationCreate, TAFatalError, s3e); + } if (this) { if (this->queue) dispatch_release(this->queue); @@ -295,8 +299,9 @@ static void _SecCAIssuerCacheAddCertificate(SecCAIssuerCacheRef this, require_noerr(s3e = sec_sqlite3_reset(this->insertIssuer, s3e), errOut); errOut: - if (s3e) { + if (s3e != SQLITE_OK) { secerror("caissuer cache add failed: %s", sqlite3_errmsg(this->s3h)); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TACAIssuerCache, TAOperationWrite, TAFatalError, s3e); /* TODO: Blow away the cache and create a new db. */ } } @@ -326,9 +331,10 @@ static SecCertificateRef _SecCAIssuerCacheCopyMatching(SecCAIssuerCacheRef this, require_noerr(s3e = sec_sqlite3_reset(this->selectIssuer, s3e), errOut); errOut: - if (s3e) { + if (s3e != SQLITE_OK) { if (s3e != SQLITE_DONE) { secerror("caissuer cache lookup failed: %s", sqlite3_errmsg(this->s3h)); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TACAIssuerCache, TAOperationRead, TAFatalError, s3e); /* TODO: Blow away the cache and create a new db. */ } 
@@ -355,8 +361,9 @@ static void _SecCAIssuerCacheGC(void *context) { require_noerr(s3e = SecCAIssuerCacheCommitTxn(this), errOut); errOut: - if (s3e) { + if (s3e != SQLITE_OK) { secerror("caissuer cache expire failed: %s", sqlite3_errmsg(this->s3h)); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TACAIssuerCache, TAOperationWrite, TAFatalError, s3e); /* TODO: Blow away the cache and create a new db. */ } } @@ -368,8 +375,9 @@ static void _SecCAIssuerCacheFlush(void *context) { secdebug("caissuercache", "flushing pending changes"); s3e = SecCAIssuerCacheCommitTxn(this); - if (s3e) { + if (s3e != SQLITE_OK) { secerror("caissuer cache flush failed: %s", sqlite3_errmsg(this->s3h)); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TACAIssuerCache, TAOperationWrite, TAFatalError, s3e); /* TODO: Blow away the cache and create a new db. */ } } diff --git a/OSX/sec/securityd/SecCAIssuerRequest.c b/OSX/sec/securityd/SecCAIssuerRequest.c index 6c3fde1e..b187a965 100644 --- a/OSX/sec/securityd/SecCAIssuerRequest.c +++ b/OSX/sec/securityd/SecCAIssuerRequest.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009-2016 Apple Inc. All Rights Reserved. + * Copyright (c) 2009-2018 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -36,7 +36,9 @@ #include #include #include +#include #include +#include #define MAX_CA_ISSUERS 3 #define CA_ISSUERS_REQUEST_THRESHOLD 10 @@ -68,6 +70,10 @@ static bool SecCAIssuerRequestIssue(SecCAIssuerRequestRef request) { SecCAIssuerRequestRelease(request); return true; } + + SecPathBuilderRef builder = (SecPathBuilderRef)request->context; + TrustAnalyticsBuilder *analytics = SecPathBuilderGetAnalyticsData(builder); + while (request->issuerIX < count && request->issuerIX < MAX_CA_ISSUERS) { CFURLRef issuer = CFArrayGetValueAtIndex(request->issuers, request->issuerIX++); 
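Review bot: The cast `(SecPathBuilderRef)request->context` in `SecCAIssuerRequestIssue` assumes the opaque request context is always a path builder, and nothing visible in the hunk enforces that. The same cast is added in `SecCAIssuerRequestCompleted` and in `SecCAIssuerCopyParents` in the following hunks of this file. If any caller supplies a different context object, `SecPathBuilderGetAnalyticsData` would read, and the `analytics->...` updates would write, through a pointer of the wrong type. I would state the requirement where the context is accepted, e.g. `/* context must be a SecPathBuilderRef; trust analytics are recorded through it */`, or pass the analytics pointer explicitly instead of recovering it by cast. The function body continues outside the hunk.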
@@ -79,6 +85,10 @@ static bool SecCAIssuerRequestIssue(SecCAIssuerRequestRef request) { if (msg) { secinfo("caissuer", "%@", msg); bool done = asynchttp_request(msg, 0, &request->http); + if (analytics) { + /* Count each http request we made */ + analytics->ca_issuer_fetches++; + } CFRelease(msg); if (done == false) { CFRelease(scheme); @@ -123,6 +133,14 @@ static void SecCAIssuerRequestCompleted(asynchttp_t *http, CFTimeInterval maxAge) { /* Cast depends on http being first field in struct SecCAIssuerRequest. */ SecCAIssuerRequestRef request = (SecCAIssuerRequestRef)http; + + SecPathBuilderRef builder = (SecPathBuilderRef)request->context; + TrustAnalyticsBuilder *analytics = SecPathBuilderGetAnalyticsData(builder); + if (analytics) { + /* Add the time this fetch took to complete to the total time */ + analytics->ca_issuer_fetch_time += (mach_absolute_time() - http->start_time); + } + CFDataRef data = (request->http.response ? CFHTTPMessageCopyBody(request->http.response) : NULL); if (data) { @@ -140,8 +158,13 @@ static void SecCAIssuerRequestCompleted(asynchttp_t *http, CFArrayRef certificates = NULL; certificates = SecCMSCertificatesOnlyMessageCopyCertificates(data); /* @@@ Technically these can have more than one certificate */ - if (certificates && CFArrayGetCount(certificates) == 1) { + if (certificates && CFArrayGetCount(certificates) >= 1) { parent = CFRetainSafe((SecCertificateRef)CFArrayGetValueAtIndex(certificates, 0)); + } else if (certificates && CFArrayGetCount(certificates) > 1) { + if (analytics) { + /* Indicate that this trust evaluation encountered a CAIssuer fetch with multiple certs */ + analytics->ca_issuer_multiple_certs = true; + } } CFReleaseNull(certificates); } 
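Review bot: The new `else if (certificates && CFArrayGetCount(certificates) > 1)` branch in `SecCAIssuerRequestCompleted` is unreachable, because the preceding condition was widened to `>= 1` and already matches every array with more than one certificate. As a result `analytics->ca_issuer_multiple_certs` is never set. The record goes inside the first branch: `if (analytics && CFArrayGetCount(certificates) > 1) { analytics->ca_issuer_multiple_certs = true; }` ahead of the `parent = CFRetainSafe(...)` line, with the `else if` dropped. The relaxed check now accepts index 0 of a multi-certificate response as the parent, so the existing `@@@` comment could also say that the remaining certificates are ignored.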
@@ -170,7 +193,13 @@ static void SecCAIssuerRequestCompleted(asynchttp_t *http, SecCAIssuerRequestRelease(request); return; } + } else if (analytics) { + /* We failed to create a SecCertificateRef from the data we got */ + analytics->ca_issuer_unsupported_data = true; } + } else if (analytics) { + /* We didn't get any data back, so the fetch failed */ + analytics->ca_issuer_fetch_failed++; } secdebug("caissuer", "response: %@ not parent, trying next caissuer", @@ -211,12 +240,22 @@ bool SecCAIssuerCopyParents(SecCertificateRef certificate, dispatch_queue_t queu return true; } + SecPathBuilderRef builder = (SecPathBuilderRef)context; + TrustAnalyticsBuilder *analytics = SecPathBuilderGetAnalyticsData(builder); CFArrayRef parents = SecCAIssuerRequestCacheCopyParents(certificate, issuers); if (parents) { + if (analytics) { + /* We found parents in the cache */ + analytics->ca_issuer_cache_hit = true; + } callback(context, parents); CFReleaseSafe(parents); return true; } + if (analytics) { + /* We're going to have to make a network call */ + analytics->ca_issuer_network = true; + } /* Cache miss, let's issue a network request. */ SecCAIssuerRequestRef request = diff --git a/OSX/sec/securityd/SecCertificateServer.c b/OSX/sec/securityd/SecCertificateServer.c index 7561db85..ea49d9b0 100644 --- a/OSX/sec/securityd/SecCertificateServer.c +++ b/OSX/sec/securityd/SecCertificateServer.c @@ -30,14 +30,13 @@ #include #include -#include +#include #include #include #include #include #include -#include #include #include 
@@ -239,27 +238,27 @@ exit: ************* SecCertificatePathVC object *************** ********************************************************/ struct SecCertificatePathVC { - CFRuntimeBase _base; - CFIndex count; + CFRuntimeBase _base; + CFIndex count; /* Index of next parent source to search for parents. */ - CFIndex nextParentSource; + CFIndex nextParentSource; - /* Index of last certificate in chain who's signature has been verified. + /* Index of last certificate in chain whose signature has been verified. 0 means nothing has been checked. 1 means the leaf has been verified - against it's issuer, etc. */ - CFIndex lastVerifiedSigner; + against its issuer, etc. */ + CFIndex lastVerifiedSigner; /* Index of first self issued certificate in the chain. -1 mean there is none. 0 means the leaf is self signed. */ - CFIndex selfIssued; + CFIndex selfIssued; /* True iff cert at index selfIssued does in fact self verify. */ - bool isSelfSigned; + bool isSelfSigned; /* True if the root of this path is an anchor. Trustedness of the * anchor is determined by the PVC. */ - bool isAnchored; + bool isAnchored; policy_tree_t policy_tree; uint8_t policy_tree_verification_result; @@ -277,7 +276,12 @@ struct SecCertificatePathVC { bool pathValidated; - SecCertificateVCRef certificates[]; + /* Enumerated value to determine whether CT is required for the leaf + * certificate (because a CA in the path has a require-ct constraint). + * If non-zero, CT is required; value indicates overridable status. */ + SecPathCTPolicy requiresCT; + + SecCertificateVCRef certificates[]; }; CFGiblisWithHashFor(SecCertificatePathVC) 
@@ -505,13 +509,23 @@ exit: return outCerts; } -SecCertificatePathRef SecCertificatePathVCCopyCertificatePath(SecCertificatePathVCRef path) { - CFArrayRef certs = SecCertificatePathVCCopyCertificates(path); - SecCertificatePathRef newPath = SecCertificatePathCreateWithCertificates(certs, NULL); - CFReleaseNull(certs); - return newPath; +CFArrayRef SecCertificatePathVCCreateSerialized(SecCertificatePathVCRef path) { + CFMutableArrayRef serializedCerts = NULL; + require_quiet(path, exit); + size_t count = path->count; + require_quiet(serializedCerts = CFArrayCreateMutable(NULL, count, &kCFTypeArrayCallBacks), exit); + SecCertificatePathVCForEachCertificate(path, ^(SecCertificateRef cert, bool * __unused stop) { + CFDataRef certData = SecCertificateCopyData(cert); + if (certData) { + CFArrayAppendValue(serializedCerts, certData); + CFRelease(certData); + } + }); +exit: + return serializedCerts; } + /* Record the fact that we found our own root cert as our parent certificate. */ void SecCertificatePathVCSetSelfIssued( @@ -593,8 +607,11 @@ CFIndex SecCertificatePathVCGetCount( SecCertificateRef SecCertificatePathVCGetCertificateAtIndex( SecCertificatePathVCRef certificatePath, CFIndex ix) { - check(certificatePath && ix >= 0 && ix < certificatePath->count); - return (certificatePath->certificates[ix])->certificate; + if (!certificatePath || ix < 0 || ix >= certificatePath->count) { + return NULL; + } + SecCertificateVCRef cvc = certificatePath->certificates[ix]; + return cvc ? cvc->certificate : NULL; } void SecCertificatePathVCForEachCertificate(SecCertificatePathVCRef path, void(^operation)(SecCertificateRef certificate, bool *stop)) { 
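Review bot: `SecCertificatePathVCCreateSerialized` silently skips any certificate for which `SecCertificateCopyData` returns NULL, so the returned array can be shorter than `path->count` with no indication to the caller. A consumer that rebuilds the chain from this array would then see a path with a missing link, and every later index would be shifted. I would treat a NULL `certData` as a failure: set a `__block bool ok` to false, set `*stop = true`, and release and NULL `serializedCerts` after the loop. Alternatively, document on the declaration that the result may contain fewer entries than the path. The `__unused` on `stop` would be removed in the first case.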
@@ -875,6 +892,10 @@ CFAbsoluteTime SecCertificatePathVCGetEarliestNextUpdate(SecCertificatePathVCRef continue; } } + /* Make sure to always skip roots for whom we can't check revocation */ + if (certIX == certCount - 1) { + continue; + } secdebug("rvc", "revocation checking soft failure for cert: %ld", certIX); enu = thisCertNextUpdate; @@ -935,6 +956,18 @@ void SecCertificatePathVCSetIsCT(SecCertificatePathVCRef certificatePath, bool i certificatePath->isCT = isCT; } +SecPathCTPolicy SecCertificatePathVCRequiresCT(SecCertificatePathVCRef certificatePath) { + if (!certificatePath) { return kSecPathCTNotRequired; } + return certificatePath->requiresCT; +} + +void SecCertificatePathVCSetRequiresCT(SecCertificatePathVCRef certificatePath, SecPathCTPolicy requiresCT) { + if (certificatePath->requiresCT > requiresCT) { + return; /* once set, CT policy may be only be changed to a more strict value */ + } + certificatePath->requiresCT = requiresCT; +} + bool SecCertificatePathVCIsAllowlisted(SecCertificatePathVCRef certificatePath) { if (!certificatePath) { return false; } return certificatePath->is_allowlisted; diff --git a/OSX/sec/securityd/SecCertificateServer.h b/OSX/sec/securityd/SecCertificateServer.h index 7b5a1481..7be3affa 100644 --- a/OSX/sec/securityd/SecCertificateServer.h +++ b/OSX/sec/securityd/SecCertificateServer.h @@ -33,7 +33,6 @@ #include #include -#include #include @@ -57,7 +56,8 @@ SecCertificatePathVCRef SecCertificatePathVCCopyFromParent(SecCertificatePathVCR /* Create an array of SecCertificateRefs from a certificate path. */ CFArrayRef SecCertificatePathVCCopyCertificates(SecCertificatePathVCRef path); -SecCertificatePathRef SecCertificatePathVCCopyCertificatePath(SecCertificatePathVCRef path); +/* Create an array of CFDataRefs from a certificate path. */ +CFArrayRef SecCertificatePathVCCreateSerialized(SecCertificatePathVCRef path); /* Record the fact that we found our own root cert as our parent certificate. */ 
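Review bot: The added `if (certIX == certCount - 1) { continue; }` in `SecCertificatePathVCGetEarliestNextUpdate` skips by position, not by role. The comment speaks of roots, but the last certificate in a path is a root only when the path is anchored. For a path that ends in an intermediate, the check would skip that certificate's revocation soft failure as well. If that is not intended, the condition could also consult the path state, e.g. `if (certIX == certCount - 1 && path->isAnchored)`. The receiver name here is assumed, since the function signature is only partly visible in the hunk header. Most of the function body lies outside the hunk.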
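Review bot: `SecCertificatePathVCSetRequiresCT` dereferences `certificatePath` without the NULL guard that the new getter `SecCertificatePathVCRequiresCT`, added directly above it, has. A NULL path passed to the setter reads `certificatePath->requiresCT` and crashes. Adding `if (!certificatePath) { return; }` as the first statement makes the pair consistent. The "only more strict" rule depends on the numeric order of the `SecPathCTPolicy` constants, which is worth a comment beside the enum, e.g. `/* values are ordered by strictness; SecCertificatePathVCSetRequiresCT relies on this */`.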
@@ -143,8 +143,16 @@ void SecCertificatePathVCSetIsEV(SecCertificatePathVCRef certificatePath, bool i bool SecCertificatePathVCIsOptionallyEV(SecCertificatePathVCRef certificatePath); /* CT */ +typedef CFIndex SecPathCTPolicy; +enum { + kSecPathCTNotRequired = 0, + kSecPathCTRequiredOverridable = 1, + kSecPathCTRequired = 2 +}; bool SecCertificatePathVCIsCT(SecCertificatePathVCRef certificatePath); void SecCertificatePathVCSetIsCT(SecCertificatePathVCRef certificatePath, bool isCT); +SecPathCTPolicy SecCertificatePathVCRequiresCT(SecCertificatePathVCRef certificatePath); +void SecCertificatePathVCSetRequiresCT(SecCertificatePathVCRef certificatePath, SecPathCTPolicy requiresCT); /* Allowlist */ bool SecCertificatePathVCIsAllowlisted(SecCertificatePathVCRef certificatePath); diff --git a/OSX/sec/securityd/SecCertificateSource.c b/OSX/sec/securityd/SecCertificateSource.c index d954f64c..37c2a788 100644 --- a/OSX/sec/securityd/SecCertificateSource.c +++ b/OSX/sec/securityd/SecCertificateSource.c @@ -35,6 +35,7 @@ #include #include #include +#include #include #include diff --git a/OSX/sec/securityd/SecDbItem.c b/OSX/sec/securityd/SecDbItem.c index 2bf7414d..2eaffdae 100644 --- a/OSX/sec/securityd/SecDbItem.c +++ b/OSX/sec/securityd/SecDbItem.c 
@@ -367,24 +367,25 @@ CFDataRef SecDbItemCopyEncryptedDataToBackup(SecDbItemRef item, uint64_t handle, if (attributes || auth_attributes) { SecAccessControlRef access_control = SecDbItemCopyAccessControl(item, error); if (access_control) { - if (ks_encrypt_data(keybag, access_control, item->credHandle, attributes, auth_attributes, &edata, false, error)) { + if (ks_encrypt_data_legacy(keybag, access_control, item->credHandle, attributes, auth_attributes, &edata, false, error)) { item->_edataState = kSecDbItemEncrypting; } else { seccritical("ks_encrypt_data (db): failed: %@", error ? *error : (CFErrorRef)CFSTR("")); } CFRelease(access_control); } - CFReleaseSafe(attributes); - CFReleaseSafe(auth_attributes); + CFReleaseNull(attributes); + CFReleaseNull(auth_attributes); } + return edata; } -bool SecDbItemEnsureDecrypted(SecDbItemRef item, CFErrorRef *error) { +bool SecDbItemEnsureDecrypted(SecDbItemRef item, bool decryptSecretData, CFErrorRef *error) { // If we haven't yet decrypted the item, make sure we do so now bool result = true; - if (item->_edataState == kSecDbItemEncrypted) { + if (item->_edataState == kSecDbItemEncrypted || (decryptSecretData && item->_edataState == kSecDbItemSecretEncrypted)) { const SecDbAttr *attr = SecDbClassAttrWithKind(item->class, kSecDbEncryptedDataAttr, error); if (attr) { CFDataRef edata = SecDbItemGetCachedValue(item, attr); @@ -392,9 +393,9 @@ bool SecDbItemEnsureDecrypted(SecDbItemRef item, CFErrorRef *error) { return SecError(errSecInternal, error, CFSTR("state= encrypted but edata is NULL")); // Decrypt calls set value a bunch of times which clears our edata and changes our state. item->_edataState = kSecDbItemDecrypting; - result = SecDbItemDecrypt(item, edata, error); + result = SecDbItemDecrypt(item, decryptSecretData, edata, error); if (result) - item->_edataState = kSecDbItemClean; + item->_edataState = decryptSecretData ? kSecDbItemClean : kSecDbItemSecretEncrypted; else item->_edataState = kSecDbItemEncrypted; } 
@@ -484,8 +485,8 @@ CFTypeRef SecDbItemGetValue(SecDbItemRef item, const SecDbAttr *desc, CFErrorRef if (!desc) return NULL; - if (desc->flags & kSecDbInCryptoDataFlag || desc->flags & kSecDbInAuthenticatedDataFlag) { - if (!SecDbItemEnsureDecrypted(item, error)) + if (desc->flags & kSecDbInCryptoDataFlag || desc->flags & kSecDbInAuthenticatedDataFlag || desc->flags & kSecDbReturnDataFlag) { + if (!SecDbItemEnsureDecrypted(item, desc->flags & kSecDbReturnDataFlag, error)) return NULL; } @@ -754,7 +755,7 @@ keybag_handle_t SecDbItemGetKeybag(SecDbItemRef item) { } bool SecDbItemSetKeybag(SecDbItemRef item, keybag_handle_t keybag, CFErrorRef *error) { - if (!SecDbItemEnsureDecrypted(item, error)) + if (!SecDbItemEnsureDecrypted(item, true, error)) return false; if (item->keybag != keybag) { item->keybag = keybag; @@ -777,9 +778,11 @@ bool SecDbItemSetValue(SecDbItemRef item, const SecDbAttr *desc, CFTypeRef value if (desc->setValue) return desc->setValue(item, desc, value, error); - if (desc->flags & kSecDbInCryptoDataFlag || desc->flags & kSecDbInAuthenticatedDataFlag) - if (!SecDbItemEnsureDecrypted(item, error)) + if (desc->flags & kSecDbInCryptoDataFlag || desc->flags & kSecDbInAuthenticatedDataFlag) { + if (!SecDbItemEnsureDecrypted(item, true, error)) { return false; + } + } bool changed = false; CFTypeRef attr = NULL; 
@@ -849,7 +852,7 @@ bool SecDbItemSetValue(SecDbItemRef item, const SecDbAttr *desc, CFTypeRef value SecDbItemSetValue(item, SecDbClassAttrWithKind(item->class, kSecDbSHA1Attr, NULL), kCFNull, NULL); if (desc->flags & kSecDbPrimaryKeyFlag) SecDbItemSetValue(item, SecDbClassAttrWithKind(item->class, kSecDbPrimaryKeyAttr, NULL), kCFNull, NULL); - if ((desc->flags & kSecDbInCryptoDataFlag || desc->flags & kSecDbInAuthenticatedDataFlag) && item->_edataState == kSecDbItemClean) + if ((desc->flags & kSecDbInCryptoDataFlag || desc->flags & kSecDbInAuthenticatedDataFlag) && (item->_edataState == kSecDbItemClean || (item->_edataState == kSecDbItemSecretEncrypted && (desc->flags & kSecDbReturnDataFlag) == 0))) SecDbItemSetValue(item, SecDbClassAttrWithKind(item->class, kSecDbEncryptedDataAttr, NULL), kCFNull, NULL); if (desc->flags & kSecDbSHA1ValueInFlag) CFDictionaryRemoveValue(item->attributes, SecDbAttrGetHashName(desc)); @@ -1304,7 +1307,7 @@ static bool SecDbItemIsCorrupt(SecDbItemRef item, bool *is_corrupt, CFErrorRef * CFDataRef storedSHA1 = CFRetainSafe(SecDbItemGetValue(item, sha1attr, &localError)); bool akpu = false; - if (localError || !SecDbItemEnsureDecrypted(item, &localError)) { + if (localError || !SecDbItemEnsureDecrypted(item, true, &localError)) { if (SecErrorGetOSStatus(localError) == errSecDecode) { // We failed to decrypt the item const SecDbAttr *desc = SecDbClassAttrWithKind(item->class, kSecDbAccessControlAttr, &localError); @@ -1380,6 +1383,11 @@ static bool SecDbItemDoInsert(SecDbItemRef item, SecDbConnectionRef dbconn, CFEr bool (^use_attr)(const SecDbAttr *attr) = ^bool(const SecDbAttr *attr) { return (attr->flags & kSecDbInFlag); }; + + if (!SecDbItemEnsureDecrypted(item, true, error)) { + return false; + } + CFStringRef sql = SecDbItemCopyInsertSQL(item, use_attr); __block bool ok = sql; if (sql) { diff --git a/OSX/sec/securityd/SecDbItem.h b/OSX/sec/securityd/SecDbItem.h index c4132de8..97f35f69 100644 --- a/OSX/sec/securityd/SecDbItem.h 
+++ b/OSX/sec/securityd/SecDbItem.h @@ -132,6 +132,7 @@ enum SecDbItemState { kSecDbItemDecrypting, // Temporary state while we are decrypting so set knows not to blow away the edata. kSecDbItemEncrypting, // Temporary state while we are encrypting so set knows to move to clean. kSecDbItemAlwaysEncrypted, // As kSecDbItemEncrypted, but decryption is never attempted + kSecDbItemSecretEncrypted, // Metadata is clean, but the secret data remains encrypted }; struct SecDbItem { @@ -147,7 +148,7 @@ struct SecDbItem { }; // TODO: Make this a callback to client -bool SecDbItemDecrypt(SecDbItemRef item, CFDataRef edata, CFErrorRef *error); +bool SecDbItemDecrypt(SecDbItemRef item, bool decryptSecretData, CFDataRef edata, CFErrorRef *error); CFTypeID SecDbItemGetTypeID(void); @@ -204,7 +205,7 @@ SecDbItemRef SecDbItemCreateWithPrimaryKey(CFAllocatorRef allocator, const SecDb SecDbItemRef SecDbItemCreateWithRowId(CFAllocatorRef allocator, const SecDbClass *class, sqlite_int64 row_id, keybag_handle_t keybag, CFErrorRef *error); #endif -bool SecDbItemEnsureDecrypted(SecDbItemRef item, CFErrorRef *error); +bool SecDbItemEnsureDecrypted(SecDbItemRef item, bool decryptSecretData, CFErrorRef *error); SecDbItemRef SecDbItemCopyWithUpdates(SecDbItemRef item, CFDictionaryRef updates, CFErrorRef *error); diff --git a/OSX/sec/securityd/SecDbKeychainItem.h b/OSX/sec/securityd/SecDbKeychainItem.h index 35ebd36e..c19cd42b 100644 --- a/OSX/sec/securityd/SecDbKeychainItem.h +++ b/OSX/sec/securityd/SecDbKeychainItem.h 
@@ -35,12 +35,14 @@ __BEGIN_DECLS bool ks_encrypt_data(keybag_handle_t keybag, SecAccessControlRef access_control, CFDataRef acm_context, - CFDictionaryRef attributes, CFDictionaryRef authenticated_attributes, CFDataRef *pBlob, bool useDefaultIV, CFErrorRef *error); -bool ks_decrypt_data(keybag_handle_t keybag, CFTypeRef operation, SecAccessControlRef *paccess_control, CFDataRef acm_context, + CFDictionaryRef secretData, CFDictionaryRef attributes, CFDictionaryRef authenticated_attributes, CFDataRef *pBlob, bool useDefaultIV, CFErrorRef *error); +bool ks_encrypt_data_legacy(keybag_handle_t keybag, SecAccessControlRef access_control, CFDataRef acm_context, + CFDictionaryRef attributes, CFDictionaryRef authenticated_attributes, CFDataRef *pBlob, bool useDefaultIV, CFErrorRef *error); // used for backup +bool ks_decrypt_data(keybag_handle_t keybag, CFTypeRef cryptoOp, SecAccessControlRef *paccess_control, CFDataRef acm_context, CFDataRef blob, const SecDbClass *db_class, CFArrayRef caller_access_groups, - CFMutableDictionaryRef *attributes_p, uint32_t *version_p, CFErrorRef *error); + CFMutableDictionaryRef *attributes_p, uint32_t *version_p, bool decryptSecretData, keyclass_t* outKeyclass, CFErrorRef *error); bool s3dl_item_from_data(CFDataRef edata, Query *q, CFArrayRef accessGroups, - CFMutableDictionaryRef *item, SecAccessControlRef *access_control, CFErrorRef *error); + CFMutableDictionaryRef *item, SecAccessControlRef *access_control, keyclass_t* keyclass, CFErrorRef *error); SecDbItemRef SecDbItemCreateWithBackupDictionary(CFAllocatorRef allocator, const SecDbClass *dbclass, CFDictionaryRef dict, keybag_handle_t src_keybag, keybag_handle_t dst_keybag, CFErrorRef *error); bool SecDbItemExtractRowIdFromBackupDictionary(SecDbItemRef item, CFDictionaryRef dict, CFErrorRef *error); bool SecDbItemInferSyncable(SecDbItemRef item, CFErrorRef *error); 
@@ -54,6 +56,8 @@ CFTypeRef SecDbKeychainItemCopyEncryptedData(SecDbItemRef item, const SecDbAttr SecAccessControlRef SecDbItemCopyAccessControl(SecDbItemRef item, CFErrorRef *error); bool SecDbItemSetAccessControl(SecDbItemRef item, SecAccessControlRef access_control, CFErrorRef *error); +void SecDbResetMetadataKeys(void); + __END_DECLS #endif /* _SECURITYD_SECKEYCHAINITEM_H_ */ diff --git a/OSX/sec/securityd/SecDbKeychainItem.c b/OSX/sec/securityd/SecDbKeychainItem.m similarity index 88% rename from OSX/sec/securityd/SecDbKeychainItem.c rename to OSX/sec/securityd/SecDbKeychainItem.m index 25e042d1..1530fd05 100644 --- a/OSX/sec/securityd/SecDbKeychainItem.c +++ b/OSX/sec/securityd/SecDbKeychainItem.m @@ -29,7 +29,10 @@ #include +#import "SecInternalReleasePriv.h" #include +#include +#include #include #include #include @@ -42,6 +45,7 @@ #include #include #include +#import "SecDbKeychainItemV7.h" #if USE_KEYSTORE #include @@ -64,9 +68,9 @@ static CFTypeRef kc_copy_protection_from(const uint8_t *der, const uint8_t *der_ static CF_RETURNS_RETAINED CFMutableDictionaryRef s3dl_item_v2_decode(CFDataRef plain, CFErrorRef *error); static CF_RETURNS_RETAINED CFMutableDictionaryRef s3dl_item_v3_decode(CFDataRef plain, CFErrorRef *error); #if USE_KEYSTORE -static CFDataRef kc_create_auth_data(SecAccessControlRef access_control, CFDictionaryRef auth_attributes); static bool kc_attribs_key_encrypted_data_from_blob(keybag_handle_t keybag, const SecDbClass *class, const void *blob_data, size_t blob_data_len, SecAccessControlRef access_control, uint32_t version, CFMutableDictionaryRef *authenticated_attributes, aks_ref_key_t *ref_key, CFDataRef *encrypted_data, CFErrorRef *error); +static CFDataRef kc_create_auth_data(SecAccessControlRef access_control, CFDictionaryRef auth_attributes); static CFDataRef kc_copy_access_groups_data(CFArrayRef access_groups, CFErrorRef *error); #endif 
@@ -104,8 +108,8 @@ static const uint8_t gcmIV[kIVSizeAESGCM] = { version || keyclass|ACL || KeyStore_WRAP(keyclass, BULK_KEY) || AES(BULK_KEY, NULL_IV, plainText || padding) */ -bool ks_encrypt_data(keybag_handle_t keybag, SecAccessControlRef access_control, CFDataRef acm_context, - CFDictionaryRef attributes, CFDictionaryRef authenticated_attributes, CFDataRef *pBlob, bool useDefaultIV, CFErrorRef *error) { +bool ks_encrypt_data_legacy(keybag_handle_t keybag, SecAccessControlRef access_control, CFDataRef acm_context, + CFDictionaryRef attributes, CFDictionaryRef authenticated_attributes, CFDataRef *pBlob, bool useDefaultIV, CFErrorRef *error) { CFMutableDataRef blob = NULL; CFDataRef ac_data = NULL; bool ok = true; @@ -165,7 +169,7 @@ bool ks_encrypt_data(keybag_handle_t keybag, SecAccessControlRef access_control, } #endif } - + if (!plainText || CFGetTypeID(plainText) != CFDataGetTypeID() || access_control == 0) { ok = SecError(errSecParam, error, CFSTR("ks_encrypt_data: invalid plain text")); @@ -176,7 +180,7 @@ bool ks_encrypt_data(keybag_handle_t keybag, SecAccessControlRef access_control, size_t ctLen = ptLen; size_t tagLen = 16; keyclass_t actual_class = 0; - + if (SecRandomCopyBytes(kSecRandomDefault, bulkKeySize, bulkKey)) { ok = SecError(errSecAllocate, error, CFSTR("ks_encrypt_data: SecRandomCopyBytes failed")); goto out; 
@@ -265,30 +269,87 @@ bool ks_encrypt_data(keybag_handle_t keybag, SecAccessControlRef access_control, goto out; } -out: + out: memset(bulkKey, 0, sizeof(bulkKey)); CFReleaseSafe(ac_data); CFReleaseSafe(bulkKeyWrapped); CFReleaseSafe(plainText); - if (!ok) { - CFReleaseSafe(blob); - } else { - *pBlob = blob; - } - + if (!ok) { + CFReleaseSafe(blob); + } else { + *pBlob = blob; + } + #if USE_KEYSTORE CFReleaseSafe(auth_data); #endif return ok; } +bool ks_encrypt_data(keybag_handle_t keybag, SecAccessControlRef access_control, CFDataRef acm_context, + CFDictionaryRef secretData, CFDictionaryRef attributes, CFDictionaryRef authenticated_attributes, CFDataRef *pBlob, bool useDefaultIV, CFErrorRef *error) { + if (CFDictionaryGetCount(secretData) == 0) { + secerror("SecDbKeychainItem: encrypting item with no secret data"); // not actually making this an error because it seems this is done frequently by third parties + } + + if (keybag != KEYBAG_DEVICE) { + secwarning("ks_encrypt_data: called with non-device keybag - call should be rerouted to ks_encrypt_data_legacy"); + + CFMutableDictionaryRef allAttributes = CFDictionaryCreateMutableCopy(NULL, CFDictionaryGetCount(secretData) + CFDictionaryGetCount(attributes), attributes); + CFDictionaryForEach(secretData, ^(const void *key, const void *value) { + CFDictionaryAddValue(allAttributes, key, value); + }); + bool result = ks_encrypt_data_legacy(keybag, access_control, acm_context, allAttributes, authenticated_attributes, pBlob, useDefaultIV, error); + CFReleaseNull(allAttributes); + return result; + } + + keyclass_t key_class = kc_parse_keyclass(SecAccessControlGetProtection(access_control), error); + if (!key_class) { + return false; + } + + if (SecAccessControlGetConstraints(access_control)) { + NSMutableDictionary* allAttributes = [(__bridge NSDictionary*)attributes mutableCopy]; + [allAttributes addEntriesFromDictionary:(__bridge NSDictionary*)secretData]; + return ks_encrypt_data_legacy(keybag, access_control, 
acm_context, (__bridge CFDictionaryRef)allAttributes, authenticated_attributes, pBlob, useDefaultIV, error); + } + + bool success = false; + @autoreleasepool { + NSMutableDictionary* metadataAttributes = attributes ? [(__bridge NSDictionary*)attributes mutableCopy] : [NSMutableDictionary dictionary]; + [metadataAttributes addEntriesFromDictionary:(__bridge NSDictionary*)authenticated_attributes]; + metadataAttributes[@"SecAccessControl"] = (__bridge_transfer NSData*)SecAccessControlCopyData(access_control); + + NSString* tamperCheck = [[NSUUID UUID] UUIDString]; // can use the item persistent reference when that starts getting filled in + SecDbKeychainItemV7* item = [[SecDbKeychainItemV7 alloc] initWithSecretAttributes:(__bridge NSDictionary*)secretData metadataAttributes:metadataAttributes tamperCheck:tamperCheck keyclass:key_class]; + + NSError* localError = nil; + NSData* encryptedBlob = [item encryptedBlobWithKeybag:keybag accessControl:access_control acmContext:(__bridge NSData*)acm_context error:&localError]; + if (encryptedBlob) { + NSMutableData* encryptedBlobWithVersion = [NSMutableData dataWithLength:encryptedBlob.length + sizeof(uint32_t)]; + *((uint32_t*)encryptedBlobWithVersion.mutableBytes) = (uint32_t)7; + memcpy((uint32_t*)encryptedBlobWithVersion.mutableBytes + 1, encryptedBlob.bytes, encryptedBlob.length); + *pBlob = (__bridge_retained CFDataRef)encryptedBlobWithVersion; + success = true; + } + else { + if (error) { + *error = (__bridge_retained CFErrorRef)localError; + } + } + } + + return success; +} + /* Given cipherText containing: version || keyclass || KeyStore_WRAP(keyclass, BULK_KEY) || AES(BULK_KEY, NULL_IV, plainText || padding) return the plainText. 
*/ bool ks_decrypt_data(keybag_handle_t keybag, CFTypeRef cryptoOp, SecAccessControlRef *paccess_control, CFDataRef acm_context, CFDataRef blob, const SecDbClass *db_class, CFArrayRef caller_access_groups, - CFMutableDictionaryRef *attributes_p, uint32_t *version_p, CFErrorRef *error) { + CFMutableDictionaryRef *attributes_p, uint32_t *version_p, bool decryptSecretData, keyclass_t* outKeyclass, CFErrorRef *error) { const uint32_t v0KeyWrapOverHead = 8; CFMutableDataRef bulkKey = CFDataCreateMutable(0, 32); /* Use 256 bit AES key for bulkKey. */ CFDataSetLength(bulkKey, 32); /* Use 256 bit AES key for bulkKey. */ 
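Review bot: The new `ks_encrypt_data` calls `CFDictionaryGetCount(secretData)` and, on the non-device-keybag path, `CFDictionaryGetCount(attributes)` and `CFDictionaryCreateMutableCopy(..., attributes)` without checking for NULL. The V7 path further down does guard `attributes` (`attributes ? ... : [NSMutableDictionary dictionary]`). The caller in `SecDbKeychainItemCopyEncryptedData` proceeds when any one of the three dictionaries is non-NULL, so NULL arguments look reachable. I would normalise once at the top of the function, treating a NULL `secretData` or `attributes` as an empty dictionary, so all three branches behave alike. Separately, the literal `(uint32_t)7` written into the blob header would read better as a named constant shared with the `version >= 7` test in `ks_decrypt_data`.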
@@ -344,7 +405,55 @@ bool ks_decrypt_data(keybag_handle_t keybag, CFTypeRef cryptoOp, SecAccessContro cursor += sizeof(version); blobLen -= sizeof(version); - bool hasProtectionData = (version >= 4); + bool hasProtectionData = (version >= 4 && version < 7); + + if (version >= 7) { + @autoreleasepool { + NSError* localError = nil; + NSData* encryptedBlob = [NSData dataWithBytes:cursor length:blobLen]; + SecDbKeychainItemV7* item = [[SecDbKeychainItemV7 alloc] initWithData:encryptedBlob decryptionKeybag:keybag error:&localError]; + if (outKeyclass) { + *outKeyclass = item.keyclass; + } + + NSMutableDictionary* itemAttributes = [[item metadataAttributesWithError:&localError] mutableCopy]; + if (itemAttributes && !localError) { + NSData* accessControlData = itemAttributes[@"SecAccessControl"]; + access_control = SecAccessControlCreateFromData(NULL, (__bridge CFDataRef)accessControlData, error); + [itemAttributes removeObjectForKey:@"SecAccessControl"]; + + if (decryptSecretData) { + NSDictionary* secretAttributes = [item secretAttributesWithAcmContext:(__bridge NSData*)acm_context accessControl:access_control callerAccessGroups:(__bridge NSArray*)caller_access_groups error:&localError]; + if (secretAttributes) { + [itemAttributes addEntriesFromDictionary:secretAttributes]; + + if (secretAttributes.count == 0) { + secerror("SecDbKeychainItemV7: item decrypted succussfully, but has no secret data so it's useless"); // not actually making this an error because a bunch of third parties store items with no secret data on purpose + } + } + else { + ok = false; + } + } + + if (ok) { + if (CFEqual(kAKSKeyOpDelete, cryptoOp)) { + ok = [item deleteWithAcmContext:(__bridge NSData*)acm_context accessControl:access_control callerAccessGroups:(__bridge NSArray*)caller_access_groups error:&localError]; + } + + attributes = (__bridge_retained CFMutableDictionaryRef)itemAttributes; + } + } + else { + ok = false; + } + + if (!ok && error) { + *error = (__bridge_retained 
CFErrorRef)localError; + } + } + goto out; + } if (hasProtectionData) { /* Deserialize SecAccessControl object from the blob. */ @@ -834,15 +943,24 @@ CFMutableDictionaryRef s3dl_item_v3_decode(CFDataRef plain, CFErrorRef *error) { } bool s3dl_item_from_data(CFDataRef edata, Query *q, CFArrayRef accessGroups, - CFMutableDictionaryRef *item, SecAccessControlRef *access_control, CFErrorRef *error) { + CFMutableDictionaryRef *item, SecAccessControlRef *access_control, keyclass_t* keyclass, CFErrorRef *error) { SecAccessControlRef ac = NULL; CFDataRef ac_data = NULL; bool ok = false; /* Decrypt and decode the item and check the decoded attributes against the query. */ uint32_t version = 0; + + bool decryptSecretData = false; + if ((q->q_return_type & kSecReturnDataMask) || (q->q_return_type & kSecReturnRefMask)) { + decryptSecretData = true; + } + else if (q->q_match_policy || q->q_match_valid_on_date || q->q_match_trusted_only) { + decryptSecretData = true; + } + require_quiet((ok = ks_decrypt_data(q->q_keybag, kAKSKeyOpDecrypt, &ac, q->q_use_cred_handle, edata, q->q_class, - q->q_caller_access_groups, item, &version, error)), out); + q->q_caller_access_groups, item, &version, decryptSecretData, keyclass, error)), out); if (version < 2) { goto out; } 
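Review bot: In the `version >= 7` branch of `ks_decrypt_data`, the result of `SecAccessControlCreateFromData` is not checked before it is used. If the `SecAccessControl` entry is missing from the metadata or fails to parse, `access_control` is NULL while `ok` is still true. The code then calls `secretAttributesWithAcmContext:accessControl:...` and, for `kAKSKeyOpDelete`, `deleteWithAcmContext:accessControl:...` with a NULL access control object. Whether those methods reject NULL is not visible here, so the guard belongs at this call site: `if (!access_control) { ok = false; }` directly after the create call, with the later steps conditioned on `ok`. Since that call already fills `*error`, the final `*error = (__bridge_retained CFErrorRef)localError;` should only run when `localError` is non-nil, so it does not overwrite (and leak) the earlier error or store NULL.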
@@ -930,14 +1048,14 @@ static bool SecDbItemImportMigrate(SecDbItemRef item, CFErrorRef *error) { return ok; } -bool SecDbItemDecrypt(SecDbItemRef item, CFDataRef edata, CFErrorRef *error) { +bool SecDbItemDecrypt(SecDbItemRef item, bool decryptSecretData, CFDataRef edata, CFErrorRef *error) { bool ok = true; CFMutableDictionaryRef dict = NULL; SecAccessControlRef access_control = NULL; uint32_t version = 0; require_quiet(ok = ks_decrypt_data(SecDbItemGetKeybag(item), item->cryptoOp, &access_control, item->credHandle, edata, - item->class, item->callerAccessGroups, &dict, &version, error), out); + item->class, item->callerAccessGroups, &dict, &version, decryptSecretData, NULL, error), out); if (version < 2) { /* Old V4 style keychain backup being imported. */ 
@@ -1080,20 +1198,34 @@ CFTypeRef SecDbKeychainItemCopySHA1(SecDbItemRef item, const SecDbAttr *attr, CF CFTypeRef SecDbKeychainItemCopyEncryptedData(SecDbItemRef item, const SecDbAttr *attr, CFErrorRef *error) { CFDataRef edata = NULL; + CFMutableDictionaryRef secretStuff = SecDbItemCopyPListWithMask(item, kSecDbReturnDataFlag, error); CFMutableDictionaryRef attributes = SecDbItemCopyPListWithMask(item, kSecDbInCryptoDataFlag, error); CFMutableDictionaryRef auth_attributes = SecDbItemCopyPListWithMask(item, kSecDbInAuthenticatedDataFlag, error); - if (attributes || auth_attributes) { + if (secretStuff || attributes || auth_attributes) { SecAccessControlRef access_control = SecDbItemCopyAccessControl(item, error); - if (access_control) { - if (ks_encrypt_data(item->keybag, access_control, item->credHandle, attributes, auth_attributes, &edata, true, error)) { + CFDataRef sha1 = SecDbKeychainItemCopySHA1(item, attr, error); + if (access_control && sha1) { + if (!auth_attributes) { + auth_attributes = CFDictionaryCreateMutable(NULL, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + } + CFDictionarySetValue(auth_attributes, kSecAttrSHA1, sha1); + + CFDictionaryForEach(secretStuff, ^(const void *key, const void *value) { + CFDictionaryRemoveValue(attributes, key); + CFDictionaryRemoveValue(auth_attributes, key); + }); + + if (ks_encrypt_data(item->keybag, access_control, item->credHandle, secretStuff, attributes, auth_attributes, &edata, true, error)) { item->_edataState = kSecDbItemEncrypting; } else if (!error || !*error || CFErrorGetCode(*error) != errSecAuthNeeded || !CFEqualSafe(CFErrorGetDomain(*error), kSecErrorDomain) ) { seccritical("ks_encrypt_data (db): failed: %@", error ? *error : (CFErrorRef)CFSTR("")); } CFRelease(access_control); } - CFReleaseSafe(attributes); - CFReleaseSafe(auth_attributes); + CFReleaseNull(secretStuff); + CFReleaseNull(attributes); + CFReleaseNull(auth_attributes); + CFReleaseNull(sha1); } return edata; 
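Review bot: `CFRelease(access_control)` now sits inside `if (access_control && sha1)`, so `access_control` leaks whenever `SecDbItemCopyAccessControl` succeeds but `SecDbKeychainItemCopySHA1` returns NULL. Moving the release out of the conditional, as `CFReleaseNull(access_control);` next to the other `CFReleaseNull` calls, fixes it. In the same block, `CFDictionaryForEach(secretStuff, ...)`, `CFDictionaryRemoveValue(attributes, key)` and the `secretStuff` passed to `ks_encrypt_data` are used although the enclosing test `secretStuff || attributes || auth_attributes` only guarantees that one of them is non-NULL. Only `auth_attributes` is created on demand. Creating empty dictionaries for `secretStuff` and `attributes` in the same way would close that gap.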
@@ -1370,3 +1502,9 @@ exit: return payload; } + +void SecDbResetMetadataKeys(void) { +#if !TARGET_OS_BRIDGE + [SecDbKeychainMetadataKeyStore resetSharedStore]; +#endif +} diff --git a/OSX/sec/securityd/SecDbKeychainItemV7.h b/OSX/sec/securityd/SecDbKeychainItemV7.h new file mode 100644 index 00000000..56af9f64 --- /dev/null +++ b/OSX/sec/securityd/SecDbKeychainItemV7.h 
@@ -0,0 +1,81 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import "SecKeybagSupport.h" +#import +#import + +NS_ASSUME_NONNULL_BEGIN + +@interface SecDbKeychainItemV7 : NSObject + +@property (nonatomic, readonly) keyclass_t keyclass; + +- (nullable instancetype)initWithData:(NSData*)data decryptionKeybag:(keybag_handle_t)decryptionKeybag error:(NSError**)error; +- (instancetype)initWithSecretAttributes:(NSDictionary*)secretAttributes metadataAttributes:(NSDictionary*)metadataAttributes tamperCheck:(NSString*)tamperCheck keyclass:(keyclass_t)keyclass; + +- (nullable NSDictionary*)metadataAttributesWithError:(NSError**)error; +- (nullable NSDictionary*)secretAttributesWithAcmContext:(NSData*)acmContext accessControl:(SecAccessControlRef)accessControl callerAccessGroups:(NSArray*)callerAccessGroups error:(NSError**)error; +- (BOOL)deleteWithAcmContext:(NSData*)acmContext accessControl:(SecAccessControlRef)accessControl callerAccessGroups:(NSArray*)callerAccessGroups error:(NSError**)error; + +- (nullable 
NSData*)encryptedBlobWithKeybag:(keybag_handle_t)keybag accessControl:(SecAccessControlRef)accessControl acmContext:(nullable NSData*)acmContext error:(NSError**)error; + +@end + +extern NSString* const SecDbKeychainErrorDomain; +extern const NSInteger SecDbKeychainErrorDeserializationFailed; + + +@class SecDbKeychainSerializedMetadata; +@class SecDbKeychainSerializedSecretData; + +@interface SecDbKeychainItemV7 (UnitTesting) + ++ (bool)aksEncryptWithKeybag:(keybag_handle_t)keybag keyclass:(keyclass_t)keyclass keyData:(NSData*)keyData outKeyclass:(keyclass_t* _Nullable)outKeyclass wrappedKey:(NSMutableData*)wrappedKey error:(NSError**)error; ++ (bool)aksDecryptWithKeybag:(keybag_handle_t)keybag keyclass:(keyclass_t)keyclass wrappedKeyData:(NSData*)wrappedKeyData outKeyclass:(keyclass_t* _Nullable)outKeyclass unwrappedKey:(NSMutableData*)unwrappedKey error:(NSError**)error; + ++ (bool)isKeychainUnlocked; + +@property (readonly) NSData* encryptedMetadataBlob; +@property (readonly) NSData* encryptedSecretDataBlob; + +- (BOOL)encryptMetadataWithKeybag:(keybag_handle_t)keybag error:(NSError**)error; +- (BOOL)encryptSecretDataWithKeybag:(keybag_handle_t)keybag accessControl:(SecAccessControlRef)accessControl acmContext:(nullable NSData*)acmContext error:(NSError**)error; + +@end + +// For Db resets _only_ +@interface SecDbKeychainMetadataKeyStore : NSObject + ++ (bool)cachingEnabled; + ++ (void)resetSharedStore; ++ (instancetype)sharedStore; + +- (instancetype)init NS_UNAVAILABLE; + +- (void)dropClassAKeys; + +@end + +NS_ASSUME_NONNULL_END diff --git a/OSX/sec/securityd/SecDbKeychainItemV7.m b/OSX/sec/securityd/SecDbKeychainItemV7.m new file mode 100644 index 00000000..7f9e0591 --- /dev/null +++ b/OSX/sec/securityd/SecDbKeychainItemV7.m 
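Review bot: `initWithSecretAttributes:metadataAttributes:tamperCheck:keyclass:` is declared as a non-null `instancetype` under `NS_ASSUME_NONNULL_BEGIN`, but the `TARGET_OS_BRIDGE` stub in SecDbKeychainItemV7.m in this same patch returns `nil` from it. Declaring it `- (nullable instancetype)initWithSecretAttributes:…` lets callers on that target see that the result must be checked. The `acmContext` parameter is `nullable` on `encryptedBlobWithKeybag:` and `encryptSecretDataWithKeybag:` but non-null on `secretAttributesWithAcmContext:` and `deleteWithAcmContext:`; if an absent ACM context is legal for reads and deletes, the annotations should agree. The `UnitTesting` category exposes raw AKS wrap and unwrap and the encrypted blobs with no comment restricting it to tests, unlike `SecDbKeychainMetadataKeyStore`, which carries `// For Db resets _only_`.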
@@ -0,0 +1,1134 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import "SecDbKeychainItemV7.h" +#import "SecKeybagSupport.h" +#import "SecItemServer.h" +#import "SecAccessControl.h" +#import "SecDbKeychainSerializedItemV7.h" +#import "SecDbKeychainSerializedAKSWrappedKey.h" +#import "SecDbKeychainSerializedMetadata.h" +#import "SecDbKeychainSerializedSecretData.h" +#import +#import +#import +#import +#import "sec_action.h" +#if !TARGET_OS_BRIDGE +#import +#import +#import +#endif +#import + +#if USE_KEYSTORE +#import +#endif + +#define KEYCHAIN_ITEM_PADDING_MODULUS 20 + +NSString* const SecDbKeychainErrorDomain = @"SecDbKeychainErrorDomain"; +const NSInteger SecDbKeychainErrorDeserializationFailed = 1; + +static NSString* const SecDBTamperCheck = @"TamperCheck"; + +#define BridgeCFErrorToNSErrorOut(nsErrorOut, CFErr) \ +{ \ + if (nsErrorOut) { \ + *nsErrorOut = CFBridgingRelease(CFErr); \ + CFErr = NULL; \ + } \ + else { \ + CFReleaseNull(CFErr); \ + } \ +} + +#if TARGET_OS_BRIDGE + +@implementation SecDbKeychainItemV7 + +- 
(instancetype)initWithData:(NSData*)data decryptionKeybag:(keybag_handle_t)decryptionKeybag error:(NSError**)error +{ + return nil; +} + +- (instancetype)initWithSecretAttributes:(NSDictionary*)secretAttributes metadataAttributes:(NSDictionary*)metadataAttributes tamperCheck:(NSString*)tamperCheck keyclass:(keyclass_t)keyclass +{ + return nil; +} + +- (NSDictionary*)metadataAttributesWithError:(NSError**)error +{ + return nil; +} + +- (NSDictionary*)secretAttributesWithAcmContext:(NSData*)acmContext accessControl:(SecAccessControlRef)accessControl callerAccessGroups:(NSArray*)callerAccessGroups error:(NSError**)error +{ + return nil; +} + +- (BOOL)deleteWithAcmContext:(NSData*)acmContext accessControl:(SecAccessControlRef)accessControl callerAccessGroups:(NSArray*)callerAccessGroups error:(NSError**)error +{ + return NO; +} + +- (NSData*)encryptedBlobWithKeybag:(keybag_handle_t)keybag accessControl:(SecAccessControlRef)accessControl acmContext:(NSData*)acmContext error:(NSError**)error +{ + return nil; +} + +@end + +#else + +static NSDictionary* dictionaryFromDERData(NSData* data) +{ + NSDictionary* dict = (__bridge_transfer NSDictionary*)CFPropertyListCreateWithDERData(NULL, (__bridge CFDataRef)data, 0, NULL, NULL); + return [dict isKindOfClass:[NSDictionary class]] ? 
dict : nil; +} + +typedef NS_ENUM(uint32_t, SecDbKeychainAKSWrappedKeyType) { + SecDbKeychainAKSWrappedKeyTypeRegular, + SecDbKeychainAKSWrappedKeyTypeRefKey +}; + +@interface SecDbKeychainAKSWrappedKey : NSObject + +@property (readonly) NSData* wrappedKey; +@property (readonly) NSData* refKeyBlob; +@property (readonly) SecDbKeychainAKSWrappedKeyType type; + +@property (readonly) NSData* serializedRepresentation; + +- (instancetype)initWithData:(NSData*)data; +- (instancetype)initRegularWrappedKeyWithData:(NSData*)wrappedKey; +- (instancetype)initRefKeyWrappedKeyWithData:(NSData*)wrappedKey refKeyBlob:(NSData*)refKeyBlob; + +@end + +@interface SecDbKeychainMetadata : NSObject + +@property (readonly) SFAuthenticatedCiphertext* ciphertext; +@property (readonly) SFAuthenticatedCiphertext* wrappedKey; +@property (readonly) NSString* tamperCheck; + +@property (readonly) NSData* serializedRepresentation; + +- (instancetype)initWithData:(NSData*)data; +- (instancetype)initWithCiphertext:(SFAuthenticatedCiphertext*)ciphertext wrappedKey:(SFAuthenticatedCiphertext*)wrappedKey tamperCheck:(NSString*)tamperCheck error:(NSError**)error; + +@end + +@interface SecDbKeychainSecretData : NSObject + +@property (readonly) SFAuthenticatedCiphertext* ciphertext; +@property (readonly) SecDbKeychainAKSWrappedKey* wrappedKey; +@property (readonly) NSString* tamperCheck; + +@property (readonly) NSData* serializedRepresentation; + +- (instancetype)initWithData:(NSData*)data; +- (instancetype)initWithCiphertext:(SFAuthenticatedCiphertext*)ciphertext wrappedKey:(SecDbKeychainAKSWrappedKey*)wrappedKey tamperCheck:(NSString*)tamperCheck error:(NSError**)error; + +@end + +@implementation SecDbKeychainAKSWrappedKey { + SecDbKeychainSerializedAKSWrappedKey* _serializedHolder; +} + +- (instancetype)initRegularWrappedKeyWithData:(NSData*)wrappedKey +{ + if (self = [super init]) { + _serializedHolder = [[SecDbKeychainSerializedAKSWrappedKey alloc] init]; + _serializedHolder.wrappedKey = wrappedKey; 
+ _serializedHolder.type = SecDbKeychainAKSWrappedKeyTypeRegular; + } + + return self; +} + +- (instancetype)initRefKeyWrappedKeyWithData:(NSData*)wrappedKey refKeyBlob:(NSData*)refKeyBlob +{ + if (self = [super init]) { + _serializedHolder = [[SecDbKeychainSerializedAKSWrappedKey alloc] init]; + _serializedHolder.wrappedKey = wrappedKey; + _serializedHolder.refKeyBlob = refKeyBlob; + _serializedHolder.type = SecDbKeychainAKSWrappedKeyTypeRefKey; + } + + return self; +} + +- (instancetype)initWithData:(NSData*)data +{ + if (self = [super init]) { + _serializedHolder = [[SecDbKeychainSerializedAKSWrappedKey alloc] initWithData:data]; + if (!_serializedHolder.wrappedKey || (_serializedHolder.type == SecDbKeychainAKSWrappedKeyTypeRefKey && !_serializedHolder.refKeyBlob)) { + self = nil; + } + } + + return self; +} + +- (NSData*)serializedRepresentation +{ + return _serializedHolder.data; +} + +- (NSData*)wrappedKey +{ + return _serializedHolder.wrappedKey; +} + +- (NSData*)refKeyBlob +{ + return _serializedHolder.refKeyBlob; +} + +- (SecDbKeychainAKSWrappedKeyType)type +{ + return _serializedHolder.type; +} + +@end + +@implementation SecDbKeychainMetadata { + SecDbKeychainSerializedMetadata* _serializedHolder; +} + +- (instancetype)initWithCiphertext:(SFAuthenticatedCiphertext*)ciphertext wrappedKey:(SFAuthenticatedCiphertext*)wrappedKey tamperCheck:(NSString*)tamperCheck error:(NSError**)error +{ + if (self = [super init]) { + _serializedHolder = [[SecDbKeychainSerializedMetadata alloc] init]; + _serializedHolder.ciphertext = [NSKeyedArchiver archivedDataWithRootObject:ciphertext requiringSecureCoding:YES error:error]; + _serializedHolder.wrappedKey = [NSKeyedArchiver archivedDataWithRootObject:wrappedKey requiringSecureCoding:YES error:error]; + _serializedHolder.tamperCheck = tamperCheck; + if (!_serializedHolder.ciphertext || !_serializedHolder.wrappedKey || !_serializedHolder.tamperCheck) { + self = nil; + } + } + + return self; +} + +- 
(instancetype)initWithData:(NSData*)data +{ + if (self = [super init]) { + _serializedHolder = [[SecDbKeychainSerializedMetadata alloc] initWithData:data]; + if (!_serializedHolder.ciphertext || !_serializedHolder.wrappedKey || !_serializedHolder.tamperCheck) { + self = nil; + } + } + + return self; +} + +- (NSData*)serializedRepresentation +{ + return _serializedHolder.data; +} + +- (SFAuthenticatedCiphertext*)ciphertext +{ + NSError* error = nil; + SFAuthenticatedCiphertext* ciphertext = [NSKeyedUnarchiver unarchivedObjectOfClass:[SFAuthenticatedCiphertext class] fromData:_serializedHolder.ciphertext error:&error]; + if (!ciphertext) { + secerror("SecDbKeychainItemV7: error deserializing ciphertext from metadata: %@", error); + } + + return ciphertext; +} + +- (SFAuthenticatedCiphertext*)wrappedKey +{ + NSError* error = nil; + SFAuthenticatedCiphertext* wrappedKey = [NSKeyedUnarchiver unarchivedObjectOfClass:[SFAuthenticatedCiphertext class] fromData:_serializedHolder.wrappedKey error:&error]; + if (!wrappedKey) { + secerror("SecDbKeychainItemV7: error deserializing wrappedKey from metadata: %@", error); + } + + return wrappedKey; +} + +- (NSString*)tamperCheck +{ + return _serializedHolder.tamperCheck; +} + +@end + +@implementation SecDbKeychainSecretData { + SecDbKeychainSerializedSecretData* _serializedHolder; +} + +- (instancetype)initWithCiphertext:(SFAuthenticatedCiphertext*)ciphertext wrappedKey:(SecDbKeychainAKSWrappedKey*)wrappedKey tamperCheck:(NSString*)tamperCheck error:(NSError**)error +{ + if (self = [super init]) { + _serializedHolder = [[SecDbKeychainSerializedSecretData alloc] init]; + _serializedHolder.ciphertext = [NSKeyedArchiver archivedDataWithRootObject:ciphertext requiringSecureCoding:YES error:error]; + _serializedHolder.wrappedKey = wrappedKey.serializedRepresentation; + _serializedHolder.tamperCheck = tamperCheck; + if (!_serializedHolder.ciphertext || !_serializedHolder.wrappedKey || !_serializedHolder.tamperCheck) { + self = nil; + } 
+ } + + return self; +} + +- (instancetype)initWithData:(NSData*)data +{ + if (self = [super init]) { + _serializedHolder = [[SecDbKeychainSerializedSecretData alloc] initWithData:data]; + if (!_serializedHolder.ciphertext || !_serializedHolder.wrappedKey || !_serializedHolder.tamperCheck) { + self = nil; + } + } + + return self; +} + +- (NSData*)serializedRepresentation +{ + return _serializedHolder.data; +} + +- (SFAuthenticatedCiphertext*)ciphertext +{ + NSError* error = nil; + SFAuthenticatedCiphertext* ciphertext = [NSKeyedUnarchiver unarchivedObjectOfClass:[SFAuthenticatedCiphertext class] fromData:_serializedHolder.ciphertext error:&error]; + if (!ciphertext) { + secerror("SecDbKeychainItemV7: error deserializing ciphertext from secret data: %@", error); + } + + return ciphertext; +} + +- (SecDbKeychainAKSWrappedKey*)wrappedKey +{ + return [[SecDbKeychainAKSWrappedKey alloc] initWithData:_serializedHolder.wrappedKey]; +} + +- (NSString*)tamperCheck +{ + return _serializedHolder.tamperCheck; +} + +@end + +////// SecDbKeychainMetadataKeyStore + +@interface SecDbKeychainMetadataKeyStore () +- (SFAESKey*)keyForKeyclass:(keyclass_t)keyClass + keybag:(keybag_handle_t)keybag + keySpecifier:(SFAESKeySpecifier*)keySpecifier + overwriteCorruptKey:(bool)overwriteCorruptKey + error:(NSError**)error; +@end + +static SecDbKeychainMetadataKeyStore* sharedStore = nil; +static dispatch_queue_t sharedMetadataStoreQueue; +static void initializeSharedMetadataStoreQueue(void) { + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + sharedMetadataStoreQueue = dispatch_queue_create("metadata_store", DISPATCH_QUEUE_SERIAL); + }); +} + +@implementation SecDbKeychainMetadataKeyStore { + NSMutableDictionary* _keysDict; + dispatch_queue_t _queue; +} + ++ (void)resetSharedStore +{ + initializeSharedMetadataStoreQueue(); + dispatch_sync(sharedMetadataStoreQueue, ^{ + if(sharedStore) { + dispatch_sync(sharedStore->_queue, ^{ + [sharedStore _onQueueDropAllKeys]; + }); + } + 
sharedStore = nil; + }); +} + ++ (instancetype)sharedStore +{ + __block SecDbKeychainMetadataKeyStore* ret; + initializeSharedMetadataStoreQueue(); + dispatch_sync(sharedMetadataStoreQueue, ^{ + if(!sharedStore) { + sharedStore = [[self alloc] _init]; + } + + ret = sharedStore; + }); + + return ret; +} + ++ (bool)cachingEnabled +{ + return true; +} + +- (instancetype)_init +{ + if (self = [super init]) { + _keysDict = [[NSMutableDictionary alloc] init]; + _queue = dispatch_queue_create("SecDbKeychainMetadataKeyStore", DISPATCH_QUEUE_SERIAL_WITH_AUTORELEASE_POOL); + int token = 0; + __weak __typeof(self) weakSelf = self; + notify_register_dispatch(kUserKeybagStateChangeNotification, &token, _queue, ^(int inToken) { + bool locked = true; + CFErrorRef error = NULL; + if (!SecAKSGetIsLocked(&locked, &error)) { + secerror("SecDbKeychainMetadataKeyStore: error getting lock state: %@", error); + CFReleaseNull(error); + } + + if (locked) { + [weakSelf _onQueueDropClassAKeys]; + } + }); + } + + return self; +} + +- (void)dropClassAKeys +{ + dispatch_sync(_queue, ^{ + [self _onQueueDropClassAKeys]; + }); +} + +- (void)_onQueueDropClassAKeys +{ + dispatch_assert_queue(_queue); + + secnotice("SecDbKeychainMetadataKeyStore", "dropping class A metadata keys"); + _keysDict[@(key_class_ak)] = nil; + _keysDict[@(key_class_aku)] = nil; + _keysDict[@(key_class_akpu)] = nil; +} + +- (void)_onQueueDropAllKeys +{ + dispatch_assert_queue(_queue); + + secnotice("SecDbKeychainMetadataKeyStore", "dropping all metadata keys"); + [_keysDict removeAllObjects]; +} + +- (SFAESKey*)keyForKeyclass:(keyclass_t)keyclass + keybag:(keybag_handle_t)keybag + keySpecifier:(SFAESKeySpecifier*)keySpecifier + overwriteCorruptKey:(bool)overwriteCorruptKey + error:(NSError**)error +{ + __block SFAESKey* key = nil; + __block NSError* nsErrorLocal = nil; + __block CFErrorRef cfError = NULL; + static __thread BOOL reentrant = NO; + + NSAssert(!reentrant, @"re-entering -[%@ %@] - that shouldn't happen!", 
NSStringFromClass(self.class), NSStringFromSelector(_cmd)); + reentrant = YES; + +#if USE_KEYSTORE + if (keyclass > key_class_last) { + // idea is that AKS may return a keyclass value with extra bits above key_class_last from aks_wrap_key, but we only keep metadata keys for the canonical key classes + // so just sanitize all our inputs to the canonical values + keyclass_t sanitizedKeyclass = keyclass & key_class_last; + secinfo("SecDbKeychainItemV7", "sanitizing request for metadata keyclass %d to keyclass %d", keyclass, sanitizedKeyclass); + keyclass = sanitizedKeyclass; + } +#endif + + dispatch_sync(_queue, ^{ + // if we think we're locked, it's possible AKS will still give us access to keys, such as during backup, + // but we should force AKS to be the truth and not used cached class A keys while locked + bool allowKeyCaching = [SecDbKeychainMetadataKeyStore cachingEnabled]; +#if 0 + // Fix keychain lock state check to be both secure and fast for EDU mode + if (![SecDbKeychainItemV7 isKeychainUnlocked]) { + [self _onQueueDropClassAKeys]; + allowKeyCaching = !(keyclass == key_class_ak || keyclass == key_class_aku || keyclass == key_class_akpu); + } +#endif + + key = allowKeyCaching ? 
self->_keysDict[@(keyclass)] : nil; + if (!key) { + __block bool ok = true; + __block bool metadataKeyDoesntAuthenticate = false; + ok &= kc_with_dbt_non_item_tables(true, &cfError, ^bool(SecDbConnectionRef dbt) { + __block NSString* sql = [NSString stringWithFormat:@"SELECT data, actualKeyclass FROM metadatakeys WHERE keyclass = %d", keyclass]; + ok &= SecDbPrepare(dbt, (__bridge CFStringRef)sql, &cfError, ^(sqlite3_stmt *stmt) { + ok &= SecDbStep(dbt, stmt, &cfError, ^(bool *stop) { + NSData* wrappedKeyData = [[NSData alloc] initWithBytes:sqlite3_column_blob(stmt, 0) length:sqlite3_column_bytes(stmt, 0)]; + NSMutableData* unwrappedKeyData = [NSMutableData dataWithLength:wrappedKeyData.length]; + + keyclass_t actualKeyclass = sqlite3_column_int(stmt, 1); + + keyclass_t actualKeyclassToWriteBackToDB = 0; + keyclass_t keyclassForUnwrapping = actualKeyclass == 0 ? keyclass : actualKeyclass; + ok &= [SecDbKeychainItemV7 aksDecryptWithKeybag:keybag keyclass:keyclassForUnwrapping wrappedKeyData:wrappedKeyData outKeyclass:NULL unwrappedKey:unwrappedKeyData error:&nsErrorLocal]; + if (ok) { + key = [[SFAESKey alloc] initWithData:unwrappedKeyData specifier:keySpecifier error:&nsErrorLocal]; + + if (actualKeyclass == 0) { + actualKeyclassToWriteBackToDB = keyclassForUnwrapping; + } + } +#if USE_KEYSTORE + else if (actualKeyclass == 0 && keyclass <= key_class_last) { + // in this case we might have luck decrypting with a key-rolled keyclass + keyclass_t keyrolledKeyclass = keyclass | (key_class_last + 1); + secerror("SecDbKeychainItemV7: failed to decrypt metadata key for class %d, but trying keyrolled keyclass (%d); error: %@", keyclass, keyrolledKeyclass, nsErrorLocal); + + // we don't want to pollute subsequent error-handling logic with what happens on our retry + // we'll give it a shot, and if it works, great - if it doesn't work, we'll just report that error in the log and move on + NSError* retryError = nil; + ok = [SecDbKeychainItemV7 aksDecryptWithKeybag:keybag 
keyclass:keyrolledKeyclass wrappedKeyData:wrappedKeyData outKeyclass:NULL unwrappedKey:unwrappedKeyData error:&retryError]; + + if (ok) { + secerror("SecDbKeychainItemV7: successfully decrypted metadata key using keyrolled keyclass %d", keyrolledKeyclass); + key = [[SFAESKey alloc] initWithData:unwrappedKeyData specifier:keySpecifier error:&retryError]; + } + else { + secerror("SecDbKeychainItemV7: failed to decrypt metadata key with keyrolled keyclass %d; error: %@", keyrolledKeyclass, retryError); + } + } +#endif + + if (ok) { + if (actualKeyclassToWriteBackToDB > 0) { + // we did not find an actualKeyclass entry in the db, so let's add one in now. + secinfo("SecDbKeychainItemV7", "saving actualKeyclass %d for metadata keyclass %d", actualKeyclassToWriteBackToDB, keyclass); + sql = @"UPDATE metadatakeys SET actualKeyclass = ? WHERE keyclass = ?"; + __block bool actualKeyWriteBackOk = true; + __block CFErrorRef actualKeyWriteBackError = NULL; + actualKeyWriteBackOk &= SecDbPrepare(dbt, (__bridge CFStringRef)sql, &actualKeyWriteBackError, ^(sqlite3_stmt* stmt) { + actualKeyWriteBackOk &= SecDbBindInt(stmt, 1, actualKeyclassToWriteBackToDB, &actualKeyWriteBackError); + actualKeyWriteBackOk &= SecDbBindInt(stmt, 2, keyclass, &actualKeyWriteBackError); + actualKeyWriteBackOk &= SecDbStep(dbt, stmt, &actualKeyWriteBackError, ^(bool* stop) { + // woohoo + }); + }); + + if (!actualKeyWriteBackOk) { + // we're not going to fail the whole metadata key fetch operation because this part failed. + // if we successfully fetched and unwrapped a key we'll go ahead and use it - we can always try this operation again in the future. 
+ secerror("SecDbKeychainItemV7: failed to save actualKeyclass %d for metadata keyclass %d; error: %@", actualKeyclassToWriteBackToDB, keyclass, actualKeyWriteBackError); + } + } + } + else { + if (nsErrorLocal && [nsErrorLocal.domain isEqualToString:(__bridge NSString*)kSecErrorDomain] && nsErrorLocal.code == errSecInteractionNotAllowed) { + static dispatch_once_t kclockedtoken; + static sec_action_t kclockedaction; + dispatch_once(&kclockedtoken, ^{ + kclockedaction = sec_action_create("keychainlockedlogmessage", 1); + sec_action_set_handler(kclockedaction, ^{ + secerror("SecDbKeychainItemV7: failed to decrypt metadata key because the keychain is locked (%d)", (int)errSecInteractionNotAllowed); + }); + }); + sec_action_perform(kclockedaction); + } else { + secerror("SecDbKeychainItemV7: failed to decrypt metadata key for class %d; error: %@", keyclass, nsErrorLocal); + + // If this error is errSecDecode, then it's failed authentication and likely will forever. Other errors are scary. + metadataKeyDoesntAuthenticate = [nsErrorLocal.domain isEqualToString:NSOSStatusErrorDomain] && nsErrorLocal.code == errSecDecode; + } + } + }); + }); + + bool keyNotYetCreated = ok && !key; + bool forceOverwriteBadKey = !key && metadataKeyDoesntAuthenticate && overwriteCorruptKey; + + if (keyNotYetCreated || forceOverwriteBadKey) { + // we completed the database query, but no key exists or it's broken - we should create one + if(forceOverwriteBadKey) { + secerror("SecDbKeychainItemV7: metadata key is irreparably corrupt; throwing away forever"); + // TODO: track this in LocalKeychainAnalytics + } + + ok = true; // Reset 'ok': we have a second chance + + key = [[SFAESKey alloc] initRandomKeyWithSpecifier:keySpecifier error:&nsErrorLocal]; + if (key) { + NSMutableData* wrappedKey = [NSMutableData dataWithLength:key.keyData.length + 40]; + keyclass_t outKeyclass; + ok &= [SecDbKeychainItemV7 aksEncryptWithKeybag:keybag keyclass:keyclass keyData:key.keyData outKeyclass:&outKeyclass 
wrappedKey:wrappedKey error:&nsErrorLocal]; + if (ok) { + secinfo("SecDbKeychainItemV7", "attempting to save new metadata key for keyclass %d with actualKeyclass %d", keyclass, outKeyclass); + NSString* insertString = forceOverwriteBadKey ? @"INSERT OR REPLACE" : @"INSERT"; + sql = [NSString stringWithFormat:@"%@ into metadatakeys (keyclass, actualKeyclass, data) VALUES (?, ?, ?)", insertString]; + ok &= SecDbPrepare(dbt, (__bridge CFStringRef)sql, &cfError, ^(sqlite3_stmt* stmt) { + ok &= SecDbBindInt(stmt, 1, keyclass, &cfError); + ok &= SecDbBindInt(stmt, 2, outKeyclass, &cfError); + ok &= SecDbBindBlob(stmt, 3, wrappedKey.bytes, wrappedKey.length, SQLITE_TRANSIENT, NULL); + ok &= SecDbStep(dbt, stmt, &cfError, ^(bool *stop) { + // woohoo + }); + }); + + if (ok) { + secnotice("SecDbKeychainItemV7", "successfully saved new metadata key for keyclass %d", keyclass); + } + else { + secerror("SecDbKeychainItemV7: failed to save new metadata key for keyclass %d - probably there is already one in the database: %@", keyclass, cfError); + } + } else { + secerror("SecDbKeychainItemV7: unable to encrypt new metadata key(%d) with keybag(%d): %@", keyclass, keybag, nsErrorLocal); + } + } + else { + ok = false; + } + } + + return ok; + }); + + if (ok && key) { + if (allowKeyCaching) { + self->_keysDict[@(keyclass)] = key; + __weak __typeof(self) weakSelf = self; + dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(60 * 5 * NSEC_PER_SEC)), self->_queue, ^{ + [weakSelf _onQueueDropClassAKeys]; + }); + } + } + else { + key = nil; + } + } + }); + + reentrant = NO; + + if (error && nsErrorLocal) { + *error = nsErrorLocal; + CFReleaseNull(cfError); + } + else { + BridgeCFErrorToNSErrorOut(error, cfError); + } + + return key; +} + +@end + +@implementation SecDbKeychainItemV7 { + SecDbKeychainSecretData* _encryptedSecretData; + SecDbKeychainMetadata* _encryptedMetadata; + NSDictionary* _secretAttributes; + NSDictionary* _metadataAttributes; + NSString* _tamperCheck; + 
keyclass_t _keyclass; + keybag_handle_t _keybag; +} + +@synthesize keyclass = _keyclass; + ++ (bool)aksEncryptWithKeybag:(keybag_handle_t)keybag keyclass:(keyclass_t)keyclass keyData:(NSData*)keyData outKeyclass:(keyclass_t*)outKeyclass wrappedKey:(NSMutableData*)wrappedKey error:(NSError**)error +{ + CFErrorRef cfError = NULL; + bool result = ks_crypt(kAKSKeyOpEncrypt, keybag, keyclass, (uint32_t)keyData.length, keyData.bytes, outKeyclass, (__bridge CFMutableDataRef)wrappedKey, &cfError); + BridgeCFErrorToNSErrorOut(error, cfError); + return result; +} + ++ (bool)aksDecryptWithKeybag:(keybag_handle_t)keybag keyclass:(keyclass_t)keyclass wrappedKeyData:(NSData*)wrappedKeyData outKeyclass:(keyclass_t*)outKeyclass unwrappedKey:(NSMutableData*)unwrappedKey error:(NSError**)error +{ + CFErrorRef cfError = NULL; + bool result = ks_crypt(kAKSKeyOpDecrypt, keybag, keyclass, (uint32_t)wrappedKeyData.length, wrappedKeyData.bytes, outKeyclass, (__bridge CFMutableDataRef)unwrappedKey, &cfError); + BridgeCFErrorToNSErrorOut(error, cfError); + return result; +} + ++ (bool)isKeychainUnlocked +{ + return kc_is_unlocked(); +} + +- (instancetype)initWithData:(NSData*)data decryptionKeybag:(keybag_handle_t)decryptionKeybag error:(NSError**)error +{ + if (self = [super init]) { + SecDbKeychainSerializedItemV7* serializedItem = [[SecDbKeychainSerializedItemV7 alloc] initWithData:data]; + if (serializedItem) { + _keybag = decryptionKeybag; + _encryptedSecretData = [[SecDbKeychainSecretData alloc] initWithData:serializedItem.encryptedSecretData]; + _encryptedMetadata = [[SecDbKeychainMetadata alloc] initWithData:serializedItem.encryptedMetadata]; + _keyclass = serializedItem.keyclass; + if (![_encryptedSecretData.tamperCheck isEqualToString:_encryptedMetadata.tamperCheck]) { + self = nil; + } + } + else { + self = nil; + } + } + + if (!self && error) { + *error = [NSError errorWithDomain:(id)kCFErrorDomainOSStatus code:errSecItemNotFound userInfo:@{NSLocalizedDescriptionKey : @"failed 
to deserialize keychain item blob"}]; + } + + return self; +} + +- (instancetype)initWithSecretAttributes:(NSDictionary*)secretAttributes metadataAttributes:(NSDictionary*)metadataAttributes tamperCheck:(NSString*)tamperCheck keyclass:(keyclass_t)keyclass +{ + NSParameterAssert(tamperCheck); + + if (self = [super init]) { + _secretAttributes = secretAttributes ? secretAttributes.copy : [NSDictionary dictionary]; + _metadataAttributes = metadataAttributes ? metadataAttributes.copy : [NSDictionary dictionary]; + _tamperCheck = tamperCheck.copy; + _keyclass = keyclass; + } + + return self; +} + ++ (SFAESKeySpecifier*)keySpecifier +{ + static SFAESKeySpecifier* keySpecifier = nil; + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + keySpecifier = [[SFAESKeySpecifier alloc] initWithBitSize:SFAESKeyBitSize256]; + }); + + return keySpecifier; +} + ++ (SFAuthenticatedEncryptionOperation*)encryptionOperation +{ + static SFAuthenticatedEncryptionOperation* encryptionOperation = nil; + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + encryptionOperation = [[SFAuthenticatedEncryptionOperation alloc] initWithKeySpecifier:[self keySpecifier]]; + }); + + return encryptionOperation; +} + ++ (SFAuthenticatedEncryptionOperation*)decryptionOperation +{ + static SFAuthenticatedEncryptionOperation* decryptionOperation = nil; + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + decryptionOperation = [[SFAuthenticatedEncryptionOperation alloc] initWithKeySpecifier:[self keySpecifier]]; + }); + + return decryptionOperation; +} + +- (NSDictionary*)metadataAttributesWithError:(NSError**)error +{ + if (!_metadataAttributes) { + SFAESKey* metadataClassKey = [self metadataClassKeyWithKeybag:_keybag + overwriteCorruptKey:false + error:error]; + if (metadataClassKey) { + NSError* localError = nil; + NSData* keyData = [[self.class decryptionOperation] decrypt:_encryptedMetadata.wrappedKey withKey:metadataClassKey error:&localError]; + if 
(!keyData) { + secerror("SecDbKeychainItemV7: error unwrapping item metadata key (class %d, bag %d): %@", (int)self.keyclass, _keybag, localError); + // TODO: track this in LocalKeychainAnalytics + if (error) { + CFErrorRef secError = (CFErrorRef)CFBridgingRetain(localError); // this makes localError become the underlying error + SecError(errSecDecode, &secError, CFSTR("failed to unwrap item metadata key")); + *error = CFBridgingRelease(secError); + } + return nil; + } + SFAESKey* key = [[SFAESKey alloc] initWithData:keyData specifier:[self.class keySpecifier] error:error]; + if (!key) { + return nil; + } + + NSData* metadata = [[self.class decryptionOperation] decrypt:_encryptedMetadata.ciphertext withKey:key error:&localError]; + if (!metadata) { + secerror("SecDbKeychainItemV7: error decrypting metadata content: %@", localError); + if (error) { + CFErrorRef secError = (CFErrorRef)CFBridgingRetain(localError); // this makes localError become the underlying error + SecError(errSecDecode, &secError, CFSTR("failed to decrypt item metadata contents")); + *error = CFBridgingRelease(secError); + } + return nil; + } + NSMutableDictionary* decryptedAttributes = dictionaryFromDERData(metadata).mutableCopy; + NSString* tamperCheck = decryptedAttributes[SecDBTamperCheck]; + if ([tamperCheck isEqualToString:_encryptedMetadata.tamperCheck]) { + [decryptedAttributes removeObjectForKey:SecDBTamperCheck]; + _metadataAttributes = decryptedAttributes; + } + else { + secerror("SecDbKeychainItemV7: tamper check failed for metadata decryption, expected %@ found %@", tamperCheck, _encryptedMetadata.tamperCheck); + if (error) { + CFErrorRef secError = NULL; + SecError(errSecDecode, &secError, CFSTR("tamper check failed for metadata decryption")); + *error = CFBridgingRelease(secError); + } + } + } + } + + return _metadataAttributes; +} + +- (NSDictionary*)secretAttributesWithAcmContext:(NSData*)acmContext accessControl:(SecAccessControlRef)accessControl 
callerAccessGroups:(NSArray*)callerAccessGroups error:(NSError**)error +{ + if (!_secretAttributes) { + SFAESKey* key = [self unwrapFromAKS:_encryptedSecretData.wrappedKey accessControl:accessControl acmContext:acmContext callerAccessGroups:callerAccessGroups delete:NO error:error]; + if (key) { + NSError* localError = nil; + NSData* secretDataWithPadding = [[self.class decryptionOperation] decrypt:_encryptedSecretData.ciphertext withKey:key error:&localError]; + if (!secretDataWithPadding) { + secerror("SecDbKeychainItemV7: error decrypting item secret data contents: %@", localError); + if (error) { + CFErrorRef secError = (CFErrorRef)CFBridgingRetain(localError); // this makes localError become the underlying error + SecError(errSecDecode, &secError, CFSTR("error decrypting item secret data contents")); + *error = CFBridgingRelease(secError); + } + return nil; + } + int8_t paddingLength = *((int8_t*)secretDataWithPadding.bytes + secretDataWithPadding.length - 1); + NSData* secretDataWithoutPadding = [secretDataWithPadding subdataWithRange:NSMakeRange(0, secretDataWithPadding.length - paddingLength)]; + + NSMutableDictionary* decryptedAttributes = dictionaryFromDERData(secretDataWithoutPadding).mutableCopy; + NSString* tamperCheck = decryptedAttributes[SecDBTamperCheck]; + if ([tamperCheck isEqualToString:_encryptedSecretData.tamperCheck]) { + [decryptedAttributes removeObjectForKey:SecDBTamperCheck]; + _secretAttributes = decryptedAttributes; + } + else { + secerror("SecDbKeychainItemV7: tamper check failed for secret data decryption, expected %@ found %@", tamperCheck, _encryptedMetadata.tamperCheck); + } + } + } + + return _secretAttributes; +} + +- (BOOL)deleteWithAcmContext:(NSData*)acmContext accessControl:(SecAccessControlRef)accessControl callerAccessGroups:(NSArray*)callerAccessGroups error:(NSError**)error +{ + NSError* localError = nil; + (void)[self unwrapFromAKS:_encryptedSecretData.wrappedKey accessControl:accessControl acmContext:acmContext 
callerAccessGroups:callerAccessGroups delete:YES error:&localError]; + if (localError) { + secerror("SecDbKeychainItemV7: failed to delete item secret key from aks"); + if (error) { + *error = localError; + } + + return NO; + } + + return YES; +} + +- (NSData*)encryptedBlobWithKeybag:(keybag_handle_t)keybag accessControl:(SecAccessControlRef)accessControl acmContext:(NSData*)acmContext error:(NSError**)error +{ + NSError* localError = nil; + BOOL success = [self encryptMetadataWithKeybag:keybag error:&localError]; + if (!success || !_encryptedMetadata || localError) { + if (error) { + *error = localError; + } + return nil; + } + + success = [self encryptSecretDataWithKeybag:keybag accessControl:accessControl acmContext:acmContext error:&localError]; + if (!success || !_encryptedSecretData || localError) { + if (error) { + *error = localError; + } + return nil; + } + + SecDbKeychainSerializedItemV7* serializedItem = [[SecDbKeychainSerializedItemV7 alloc] init]; + serializedItem.encryptedMetadata = self.encryptedMetadataBlob; + serializedItem.encryptedSecretData = self.encryptedSecretDataBlob; + serializedItem.keyclass = _keyclass; + return serializedItem.data; +} + +- (NSData*)encryptedMetadataBlob +{ + return _encryptedMetadata.serializedRepresentation; +} + +- (NSData*)encryptedSecretDataBlob +{ + return _encryptedSecretData.serializedRepresentation; +} + +- (BOOL)encryptMetadataWithKeybag:(keybag_handle_t)keybag error:(NSError**)error +{ + SFAESKey* key = [[SFAESKey alloc] initRandomKeyWithSpecifier:[self.class keySpecifier] error:error]; + if (!key) { + return NO; + } + SFAuthenticatedEncryptionOperation* encryptionOperation = [self.class encryptionOperation]; + + NSMutableDictionary* attributesToEncrypt = _metadataAttributes.mutableCopy; + attributesToEncrypt[SecDBTamperCheck] = _tamperCheck; + NSData* metadata = (__bridge_transfer NSData*)CFPropertyListCreateDERData(NULL, (__bridge CFDictionaryRef)attributesToEncrypt, NULL); + SFAuthenticatedCiphertext* 
ciphertext = [encryptionOperation encrypt:metadata withKey:key error:error]; + + SFAESKey* metadataClassKey = [self metadataClassKeyWithKeybag:keybag + overwriteCorruptKey:true + error:error]; + if (metadataClassKey) { + SFAuthenticatedCiphertext* wrappedKey = [encryptionOperation encrypt:key.keyData withKey:metadataClassKey error:error]; + _encryptedMetadata = [[SecDbKeychainMetadata alloc] initWithCiphertext:ciphertext wrappedKey:wrappedKey tamperCheck:_tamperCheck error:error]; + } + + return _encryptedMetadata != nil; +} + +- (BOOL)encryptSecretDataWithKeybag:(keybag_handle_t)keybag accessControl:(SecAccessControlRef)accessControl acmContext:(NSData*)acmContext error:(NSError**)error +{ + SFAESKey* key = [[SFAESKey alloc] initRandomKeyWithSpecifier:[self.class keySpecifier] error:error]; + if (!key) { + return NO; + } + SFAuthenticatedEncryptionOperation* encryptionOperation = [self.class encryptionOperation]; + + NSMutableDictionary* attributesToEncrypt = _secretAttributes.mutableCopy; + attributesToEncrypt[SecDBTamperCheck] = _tamperCheck; + NSMutableData* secretData = [(__bridge_transfer NSData*)CFPropertyListCreateDERData(NULL, (__bridge CFDictionaryRef)attributesToEncrypt, NULL) mutableCopy]; + + int8_t paddingLength = KEYCHAIN_ITEM_PADDING_MODULUS - (secretData.length % KEYCHAIN_ITEM_PADDING_MODULUS); + int8_t paddingBytes[KEYCHAIN_ITEM_PADDING_MODULUS]; + for (int i = 0; i < KEYCHAIN_ITEM_PADDING_MODULUS; i++) { + paddingBytes[i] = paddingLength; + } + [secretData appendBytes:paddingBytes length:paddingLength]; + + SFAuthenticatedCiphertext* ciphertext = [encryptionOperation encrypt:secretData withKey:key error:error]; + SecDbKeychainAKSWrappedKey* wrappedKey = [self wrapToAKS:key withKeybag:keybag accessControl:accessControl acmContext:acmContext error:error]; + + _encryptedSecretData = [[SecDbKeychainSecretData alloc] initWithCiphertext:ciphertext wrappedKey:wrappedKey tamperCheck:_tamperCheck error:error]; + return _encryptedSecretData != nil; +} + +- 
(SFAESKey*)metadataClassKeyWithKeybag:(keybag_handle_t)keybag + overwriteCorruptKey:(bool)force + error:(NSError**)error +{ + return [[SecDbKeychainMetadataKeyStore sharedStore] keyForKeyclass:_keyclass + keybag:keybag + keySpecifier:[self.class keySpecifier] + overwriteCorruptKey:force + error:error]; +} + +- (SecDbKeychainAKSWrappedKey*)wrapToAKS:(SFAESKey*)key withKeybag:(keybag_handle_t)keybag accessControl:(SecAccessControlRef)accessControl acmContext:(NSData*)acmContext error:(NSError**)error +{ + NSData* keyData = key.keyData; + +#if USE_KEYSTORE + NSDictionary* constraints = (__bridge NSDictionary*)SecAccessControlGetConstraints(accessControl); + if (constraints) { + aks_ref_key_t refKey = NULL; + CFErrorRef cfError = NULL; + NSData* authData = (__bridge_transfer NSData*)CFPropertyListCreateDERData(NULL, (__bridge CFDictionaryRef)@{(id)kAKSKeyAcl : constraints}, &cfError); + + if (!acmContext || !SecAccessControlIsBound(accessControl)) { + secerror("SecDbKeychainItemV7: access control error"); + if (error) { + CFDataRef accessControlData = SecAccessControlCopyData(accessControl); + ks_access_control_needed_error(&cfError, accessControlData, SecAccessControlIsBound(accessControl) ? 
kAKSKeyOpEncrypt : CFSTR("")); + CFReleaseNull(accessControlData); + } + + BridgeCFErrorToNSErrorOut(error, cfError); + return nil; + } + + void* aksParams = NULL; + size_t aksParamsLength = 0; + aks_operation_optional_params(0, 0, authData.bytes, authData.length, acmContext.bytes, (int)acmContext.length, &aksParams, &aksParamsLength); + + int aksResult = aks_ref_key_create(keybag, _keyclass, key_type_sym, aksParams, aksParamsLength, &refKey); + if (aksResult != 0) { + CFDataRef accessControlData = SecAccessControlCopyData(accessControl); + create_cferror_from_aks(aksResult, kAKSKeyOpEncrypt, keybag, _keyclass, accessControlData, (__bridge CFDataRef)acmContext, &cfError); + CFReleaseNull(accessControlData); + free(aksParams); + BridgeCFErrorToNSErrorOut(error, cfError); + return nil; + } + + size_t wrappedKeySize = 0; + void* wrappedKeyBytes = NULL; + aksResult = aks_ref_key_encrypt(refKey, aksParams, aksParamsLength, keyData.bytes, keyData.length, &wrappedKeyBytes, &wrappedKeySize); + if (aksResult != 0) { + CFDataRef accessControlData = SecAccessControlCopyData(accessControl); + create_cferror_from_aks(aksResult, kAKSKeyOpEncrypt, keybag, _keyclass, accessControlData, (__bridge CFDataRef)acmContext, &cfError); + CFReleaseNull(accessControlData); + free(aksParams); + aks_ref_key_free(&refKey); + BridgeCFErrorToNSErrorOut(error, cfError); + return nil; + } + free(aksParams); + + BridgeCFErrorToNSErrorOut(error, cfError); + + NSData* wrappedKey = [[NSData alloc] initWithBytesNoCopy:wrappedKeyBytes length:wrappedKeySize]; + + size_t refKeyBlobLength = 0; + const void* refKeyBlobBytes = aks_ref_key_get_blob(refKey, &refKeyBlobLength); + NSData* refKeyBlob = [[NSData alloc] initWithBytesNoCopy:(void*)refKeyBlobBytes length:refKeyBlobLength]; + aks_ref_key_free(&refKey); + return [[SecDbKeychainAKSWrappedKey alloc] initRefKeyWrappedKeyWithData:wrappedKey refKeyBlob:refKeyBlob]; + } + else { + NSMutableData* wrappedKey = [[NSMutableData alloc] 
initWithLength:(size_t)keyData.length + 40]; + bool success = [self.class aksEncryptWithKeybag:keybag keyclass:_keyclass keyData:keyData outKeyclass:&_keyclass wrappedKey:wrappedKey error:error]; + return success ? [[SecDbKeychainAKSWrappedKey alloc] initRegularWrappedKeyWithData:wrappedKey] : nil; + } +#else + NSMutableData* wrappedKey = [[NSMutableData alloc] initWithLength:(size_t)keyData.length + 40]; + bool success = [self.class aksEncryptWithKeybag:keybag keyclass:_keyclass keyData:keyData outKeyclass:&_keyclass wrappedKey:wrappedKey error:error]; + return success ? [[SecDbKeychainAKSWrappedKey alloc] initRegularWrappedKeyWithData:wrappedKey] : nil; +#endif +} + +- (SFAESKey*)unwrapFromAKS:(SecDbKeychainAKSWrappedKey*)wrappedKey accessControl:(SecAccessControlRef)accessControl acmContext:(NSData*)acmContext callerAccessGroups:(NSArray*)callerAccessGroups delete:(BOOL)delete error:(NSError**)error +{ + NSData* wrappedKeyData = wrappedKey.wrappedKey; + + if (wrappedKey.type == SecDbKeychainAKSWrappedKeyTypeRegular) { + NSMutableData* unwrappedKey = [NSMutableData dataWithCapacity:wrappedKeyData.length + 40]; + unwrappedKey.length = wrappedKeyData.length + 40; + bool result = [self.class aksDecryptWithKeybag:_keybag keyclass:_keyclass wrappedKeyData:wrappedKeyData outKeyclass:&_keyclass unwrappedKey:unwrappedKey error:error]; + if (result) { + return [[SFAESKey alloc] initWithData:unwrappedKey specifier:[self.class keySpecifier] error:error]; + } + else { + return nil; + } + } +#if USE_KEYSTORE + else if (wrappedKey.type == SecDbKeychainAKSWrappedKeyTypeRefKey) { + aks_ref_key_t refKey = NULL; + aks_ref_key_create_with_blob(_keybag, wrappedKey.refKeyBlob.bytes, wrappedKey.refKeyBlob.length, &refKey); + + CFErrorRef cfError = NULL; + size_t refKeyExternalDataLength = 0; + const uint8_t* refKeyExternalDataBytes = aks_ref_key_get_external_data(refKey, &refKeyExternalDataLength); + if (!refKeyExternalDataBytes) { + aks_ref_key_free(&refKey); + return nil; + } + 
NSDictionary* aclDict = nil; + der_decode_plist(NULL, kCFPropertyListImmutable, (CFPropertyListRef*)(void*)&aclDict, &cfError, refKeyExternalDataBytes, refKeyExternalDataBytes + refKeyExternalDataLength); + if (!aclDict) { + SecError(errSecDecode, &cfError, CFSTR("SecDbKeychainItemV7: failed to decode acl dict")); + } + SecAccessControlSetConstraints(accessControl, (__bridge CFDictionaryRef)aclDict); + if (!SecAccessControlGetConstraint(accessControl, kAKSKeyOpEncrypt)) { + SecAccessControlAddConstraintForOperation(accessControl, kAKSKeyOpEncrypt, kCFBooleanTrue, &cfError); + } + + size_t derPlistLength = der_sizeof_plist((__bridge CFPropertyListRef)callerAccessGroups, &cfError); + NSMutableData* accessGroupDERData = [[NSMutableData alloc] initWithLength:derPlistLength]; + der_encode_plist((__bridge CFPropertyListRef)callerAccessGroups, &cfError, accessGroupDERData.mutableBytes, accessGroupDERData.mutableBytes + derPlistLength); + void* aksParams = NULL; + size_t aksParamsLength = 0; + aks_operation_optional_params(accessGroupDERData.bytes, derPlistLength, NULL, 0, acmContext.bytes, (int)acmContext.length, &aksParams, &aksParamsLength); + + void* unwrappedKeyDERData = NULL; + size_t unwrappedKeyDERLength = 0; + int aksResult = aks_ref_key_decrypt(refKey, aksParams, aksParamsLength, wrappedKeyData.bytes, wrappedKeyData.length, &unwrappedKeyDERData, &unwrappedKeyDERLength); + if (aksResult != 0) { + CFDataRef accessControlData = SecAccessControlCopyData(accessControl); + create_cferror_from_aks(aksResult, kAKSKeyOpDecrypt, 0, 0, accessControlData, (__bridge CFDataRef)acmContext, &cfError); + CFReleaseNull(accessControlData); + aks_ref_key_free(&refKey); + free(aksParams); + BridgeCFErrorToNSErrorOut(error, cfError); + return nil; + } + if (!unwrappedKeyDERData) { + SecError(errSecDecode, &cfError, CFSTR("SecDbKeychainItemV7: failed to decrypt item, Item can't be decrypted due to failed decode der, so drop the item.")); + aks_ref_key_free(&refKey); + free(aksParams); 
+ BridgeCFErrorToNSErrorOut(error, cfError); + return nil; + } + + CFPropertyListRef unwrappedKeyData = NULL; + der_decode_plist(NULL, kCFPropertyListImmutable, &unwrappedKeyData, &cfError, unwrappedKeyDERData, unwrappedKeyDERData + unwrappedKeyDERLength); + SFAESKey* result = nil; + if ([(__bridge NSData*)unwrappedKeyData isKindOfClass:[NSData class]]) { + result = [[SFAESKey alloc] initWithData:(__bridge NSData*)unwrappedKeyData specifier:[self.class keySpecifier] error:error]; + CFReleaseNull(unwrappedKeyDERData); + } + else { + SecError(errSecDecode, &cfError, CFSTR("SecDbKeychainItemV7: failed to decrypt item, Item can't be decrypted due to failed decode der, so drop the item.")); + aks_ref_key_free(&refKey); + free(aksParams); + free(unwrappedKeyDERData); + BridgeCFErrorToNSErrorOut(error, cfError); + return nil; + } + + if (delete) { + aksResult = aks_ref_key_delete(refKey, aksParams, aksParamsLength); + if (aksResult != 0) { + CFDataRef accessControlData = SecAccessControlCopyData(accessControl); + create_cferror_from_aks(aksResult, kAKSKeyOpDelete, 0, 0, accessControlData, (__bridge CFDataRef)acmContext, &cfError); + CFReleaseNull(accessControlData); + aks_ref_key_free(&refKey); + free(aksParams); + free(unwrappedKeyDERData); + BridgeCFErrorToNSErrorOut(error, cfError); + return nil; + } + } + + BridgeCFErrorToNSErrorOut(error, cfError); + aks_ref_key_free(&refKey); + free(aksParams); + free(unwrappedKeyDERData); + return result; + } +#endif + else { + return nil; + } +} + +@end + +#endif // TARGET_OS_BRIDGE diff --git a/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainAKSSerializedWrappedKey.proto b/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainAKSSerializedWrappedKey.proto new file mode 100644 index 00000000..4c6db5da --- /dev/null +++ b/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainAKSSerializedWrappedKey.proto 
@@ -0,0 +1,7 @@
+syntax = "proto2";
+
+message SecDbKeychainSerializedAKSWrappedKey {
+ required bytes wrappedKey = 1;
+ optional bytes refKeyBlob = 2;
+ required uint32 type = 3;
+}
diff --git a/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedAKSWrappedKey.h b/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedAKSWrappedKey.h
new file mode 100644
index 00000000..a0dbbbcd
--- /dev/null
+++ b/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedAKSWrappedKey.h
@@ -0,0 +1,41 @@
+// This file was automatically generated by protocompiler +// DO NOT EDIT! +// Compiled from foo.proto + +#import +#import + +#ifdef __cplusplus +#define SECDBKEYCHAINSERIALIZEDAKSWRAPPEDKEY_FUNCTION extern "C" +#else +#define SECDBKEYCHAINSERIALIZEDAKSWRAPPEDKEY_FUNCTION extern +#endif + +@interface SecDbKeychainSerializedAKSWrappedKey : PBCodable +{ + NSData *_refKeyBlob; + uint32_t _type; + NSData *_wrappedKey; +} + + +@property (nonatomic, retain) NSData *wrappedKey; + +@property (nonatomic, readonly) BOOL hasRefKeyBlob; +@property (nonatomic, retain) NSData *refKeyBlob; + +@property (nonatomic) uint32_t type; + +// Performs a shallow copy into other +- (void)copyTo:(SecDbKeychainSerializedAKSWrappedKey *)other; + +// Performs a deep merge from other into self +// If set in other, singular values in self are replaced in self +// Singular composite values are recursively merged +// Repeated values from other are appended to repeated values in self +- (void)mergeFrom:(SecDbKeychainSerializedAKSWrappedKey *)other; + +SECDBKEYCHAINSERIALIZEDAKSWRAPPEDKEY_FUNCTION BOOL SecDbKeychainSerializedAKSWrappedKeyReadFrom(__unsafe_unretained SecDbKeychainSerializedAKSWrappedKey *self, __unsafe_unretained PBDataReader *reader); + +@end +
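Review bot: In SecDbKeychainAKSSerializedWrappedKey.proto, `type` is a bare `uint32` with no comment saying which values it takes or that `refKeyBlob` goes with the ref-key type only, whereas SecDbKeychainSerializedItemV7.proto declares an enum for `keyclass`. The generated reader on this page stores whatever `type` it reads and never requires `refKeyBlob`, so the consumer has to reject unknown types and a ref-key entry without a blob itself. `unwrapFromAKS:`, which presumably works on data populated from this message, hands `wrappedKey.refKeyBlob` to `aks_ref_key_create_with_blob` without checking that call's result. I would add a comment above the fields such as `// type: a SecDbKeychainAKSWrappedKeyType value; refKeyBlob is present only for ref-key wrapped keys`, or declare an enum. The file name also differs from the message and the generated files (`AKSSerialized` versus `SerializedAKS`).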
diff --git a/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedAKSWrappedKey.m b/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedAKSWrappedKey.m new file mode 100644 index 00000000..7df5d9ec --- /dev/null +++ b/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedAKSWrappedKey.m 
@@ -0,0 +1,168 @@ +// This file was automatically generated by protocompiler +// DO NOT EDIT! +// Compiled from foo.proto + +#import "SecDbKeychainSerializedAKSWrappedKey.h" +#import +#import +#import + +#if !__has_feature(objc_arc) +# error This generated file depends on ARC but it is not enabled; turn on ARC, or use 'objc_use_arc' option to generate non-ARC code. +#endif + +@implementation SecDbKeychainSerializedAKSWrappedKey + +@synthesize wrappedKey = _wrappedKey; +- (BOOL)hasRefKeyBlob +{ + return _refKeyBlob != nil; +} +@synthesize refKeyBlob = _refKeyBlob; +@synthesize type = _type; + +- (NSString *)description +{ + return [NSString stringWithFormat:@"%@ %@", [super description], [self dictionaryRepresentation]]; +} + +- (NSDictionary *)dictionaryRepresentation +{ + NSMutableDictionary *dict = [NSMutableDictionary dictionary]; + if (self->_wrappedKey) + { + [dict setObject:self->_wrappedKey forKey:@"wrappedKey"]; + } + if (self->_refKeyBlob) + { + [dict setObject:self->_refKeyBlob forKey:@"refKeyBlob"]; + } + [dict setObject:[NSNumber numberWithUnsignedInt:self->_type] forKey:@"type"]; + return dict; +} + +BOOL SecDbKeychainSerializedAKSWrappedKeyReadFrom(__unsafe_unretained SecDbKeychainSerializedAKSWrappedKey *self, __unsafe_unretained PBDataReader *reader) { + while (PBReaderHasMoreData(reader)) { + uint32_t tag = 0; + uint8_t aType = 0; + + PBReaderReadTag32AndType(reader, &tag, &aType); + + if (PBReaderHasError(reader)) + break; + + if (aType == TYPE_END_GROUP) { + break; + } + + switch (tag) { + + case 1 /* wrappedKey */: + { + NSData *new_wrappedKey = PBReaderReadData(reader); + self->_wrappedKey = new_wrappedKey; + } + break; + case 2 /* refKeyBlob */: + { + NSData *new_refKeyBlob = PBReaderReadData(reader); + self->_refKeyBlob = new_refKeyBlob; + } + break; + case 3 /* type */: + { + self->_type = PBReaderReadUint32(reader); + } + break; + default: + if (!PBReaderSkipValueWithTag(reader, tag, aType)) + return NO; + break; + } + } + return 
!PBReaderHasError(reader); +} + +- (BOOL)readFrom:(PBDataReader *)reader +{ + return SecDbKeychainSerializedAKSWrappedKeyReadFrom(self, reader); +} +- (void)writeTo:(PBDataWriter *)writer +{ + /* wrappedKey */ + { + assert(nil != self->_wrappedKey); + PBDataWriterWriteDataField(writer, self->_wrappedKey, 1); + } + /* refKeyBlob */ + { + if (self->_refKeyBlob) + { + PBDataWriterWriteDataField(writer, self->_refKeyBlob, 2); + } + } + /* type */ + { + PBDataWriterWriteUint32Field(writer, self->_type, 3); + } +} + +- (void)copyTo:(SecDbKeychainSerializedAKSWrappedKey *)other +{ + other.wrappedKey = _wrappedKey; + if (_refKeyBlob) + { + other.refKeyBlob = _refKeyBlob; + } + other->_type = _type; +} + +- (id)copyWithZone:(NSZone *)zone +{ + SecDbKeychainSerializedAKSWrappedKey *copy = [[[self class] allocWithZone:zone] init]; + copy->_wrappedKey = [_wrappedKey copyWithZone:zone]; + copy->_refKeyBlob = [_refKeyBlob copyWithZone:zone]; + copy->_type = _type; + return copy; +} + +- (BOOL)isEqual:(id)object +{ + SecDbKeychainSerializedAKSWrappedKey *other = (SecDbKeychainSerializedAKSWrappedKey *)object; + return [other isMemberOfClass:[self class]] + && + ((!self->_wrappedKey && !other->_wrappedKey) || [self->_wrappedKey isEqual:other->_wrappedKey]) + && + ((!self->_refKeyBlob && !other->_refKeyBlob) || [self->_refKeyBlob isEqual:other->_refKeyBlob]) + && + self->_type == other->_type + ; +} + +- (NSUInteger)hash +{ + return 0 + ^ + [self->_wrappedKey hash] + ^ + [self->_refKeyBlob hash] + ^ + PBHashInt((NSUInteger)_type) + ; +} + +- (void)mergeFrom:(SecDbKeychainSerializedAKSWrappedKey *)other +{ + if (other->_wrappedKey) + { + [self setWrappedKey:other->_wrappedKey]; + } + if (other->_refKeyBlob) + { + [self setRefKeyBlob:other->_refKeyBlob]; + } + self->_type = other->_type; +} + +@end + 
diff --git a/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedItemV7.h b/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedItemV7.h new file mode 100644 index 00000000..4530a8a7 --- /dev/null +++ b/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedItemV7.h 
@@ -0,0 +1,81 @@ +// This file was automatically generated by protocompiler +// DO NOT EDIT! +// Compiled from foo.proto + +#import +#import + +typedef NS_ENUM(int32_t, SecDbKeychainSerializedItemV7_Keyclass) { + SecDbKeychainSerializedItemV7_Keyclass_KEYCLASS_AK = 6, + SecDbKeychainSerializedItemV7_Keyclass_KEYCLASS_CK = 7, + SecDbKeychainSerializedItemV7_Keyclass_KEYCLASS_DK = 8, + SecDbKeychainSerializedItemV7_Keyclass_KEYCLASS_AKU = 9, + SecDbKeychainSerializedItemV7_Keyclass_KEYCLASS_CKU = 10, + SecDbKeychainSerializedItemV7_Keyclass_KEYCLASS_DKU = 11, + SecDbKeychainSerializedItemV7_Keyclass_KEYCLASS_AKPU = 12, +}; +#ifdef __OBJC__ +NS_INLINE NSString *SecDbKeychainSerializedItemV7_KeyclassAsString(SecDbKeychainSerializedItemV7_Keyclass value) +{ + switch (value) + { + case SecDbKeychainSerializedItemV7_Keyclass_KEYCLASS_AK: return @"KEYCLASS_AK"; + case SecDbKeychainSerializedItemV7_Keyclass_KEYCLASS_CK: return @"KEYCLASS_CK"; + case SecDbKeychainSerializedItemV7_Keyclass_KEYCLASS_DK: return @"KEYCLASS_DK"; + case SecDbKeychainSerializedItemV7_Keyclass_KEYCLASS_AKU: return @"KEYCLASS_AKU"; + case SecDbKeychainSerializedItemV7_Keyclass_KEYCLASS_CKU: return @"KEYCLASS_CKU"; + case SecDbKeychainSerializedItemV7_Keyclass_KEYCLASS_DKU: return @"KEYCLASS_DKU"; + case SecDbKeychainSerializedItemV7_Keyclass_KEYCLASS_AKPU: return @"KEYCLASS_AKPU"; + default: return [NSString stringWithFormat:@"(unknown: %i)", value]; + } +} +#endif /* __OBJC__ */ +#ifdef __OBJC__ +NS_INLINE SecDbKeychainSerializedItemV7_Keyclass StringAsSecDbKeychainSerializedItemV7_Keyclass(NSString *value) +{ + if ([value isEqualToString:@"KEYCLASS_AK"]) return SecDbKeychainSerializedItemV7_Keyclass_KEYCLASS_AK; + if ([value isEqualToString:@"KEYCLASS_CK"]) return SecDbKeychainSerializedItemV7_Keyclass_KEYCLASS_CK; + if ([value isEqualToString:@"KEYCLASS_DK"]) return SecDbKeychainSerializedItemV7_Keyclass_KEYCLASS_DK; + if ([value isEqualToString:@"KEYCLASS_AKU"]) return 
SecDbKeychainSerializedItemV7_Keyclass_KEYCLASS_AKU; + if ([value isEqualToString:@"KEYCLASS_CKU"]) return SecDbKeychainSerializedItemV7_Keyclass_KEYCLASS_CKU; + if ([value isEqualToString:@"KEYCLASS_DKU"]) return SecDbKeychainSerializedItemV7_Keyclass_KEYCLASS_DKU; + if ([value isEqualToString:@"KEYCLASS_AKPU"]) return SecDbKeychainSerializedItemV7_Keyclass_KEYCLASS_AKPU; + return SecDbKeychainSerializedItemV7_Keyclass_KEYCLASS_AK; +} +#endif /* __OBJC__ */ + +#ifdef __cplusplus +#define SECDBKEYCHAINSERIALIZEDITEMV7_FUNCTION extern "C" +#else +#define SECDBKEYCHAINSERIALIZEDITEMV7_FUNCTION extern +#endif + +@interface SecDbKeychainSerializedItemV7 : PBCodable +{ + NSData *_encryptedMetadata; + NSData *_encryptedSecretData; + SecDbKeychainSerializedItemV7_Keyclass _keyclass; +} + + +@property (nonatomic, retain) NSData *encryptedSecretData; + +@property (nonatomic, retain) NSData *encryptedMetadata; + +@property (nonatomic) SecDbKeychainSerializedItemV7_Keyclass keyclass; +- (NSString *)keyclassAsString:(SecDbKeychainSerializedItemV7_Keyclass)value; +- (SecDbKeychainSerializedItemV7_Keyclass)StringAsKeyclass:(NSString *)str; + +// Performs a shallow copy into other +- (void)copyTo:(SecDbKeychainSerializedItemV7 *)other; + +// Performs a deep merge from other into self +// If set in other, singular values in self are replaced in self +// Singular composite values are recursively merged +// Repeated values from other are appended to repeated values in self +- (void)mergeFrom:(SecDbKeychainSerializedItemV7 *)other; + +SECDBKEYCHAINSERIALIZEDITEMV7_FUNCTION BOOL SecDbKeychainSerializedItemV7ReadFrom(__unsafe_unretained SecDbKeychainSerializedItemV7 *self, __unsafe_unretained PBDataReader *reader); + +@end + diff --git a/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedItemV7.m b/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedItemV7.m new file mode 100644 index 00000000..8d7a75b7 --- /dev/null 
+++ b/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedItemV7.m 
@@ -0,0 +1,167 @@ +// This file was automatically generated by protocompiler +// DO NOT EDIT! +// Compiled from foo.proto + +#import "SecDbKeychainSerializedItemV7.h" +#import +#import +#import + +#if !__has_feature(objc_arc) +# error This generated file depends on ARC but it is not enabled; turn on ARC, or use 'objc_use_arc' option to generate non-ARC code. +#endif + +@implementation SecDbKeychainSerializedItemV7 + +@synthesize encryptedSecretData = _encryptedSecretData; +@synthesize encryptedMetadata = _encryptedMetadata; +@synthesize keyclass = _keyclass; +- (NSString *)keyclassAsString:(SecDbKeychainSerializedItemV7_Keyclass)value +{ + return SecDbKeychainSerializedItemV7_KeyclassAsString(value); +} +- (SecDbKeychainSerializedItemV7_Keyclass)StringAsKeyclass:(NSString *)str +{ + return StringAsSecDbKeychainSerializedItemV7_Keyclass(str); +} + +- (NSString *)description +{ + return [NSString stringWithFormat:@"%@ %@", [super description], [self dictionaryRepresentation]]; +} + +- (NSDictionary *)dictionaryRepresentation +{ + NSMutableDictionary *dict = [NSMutableDictionary dictionary]; + if (self->_encryptedSecretData) + { + [dict setObject:self->_encryptedSecretData forKey:@"encryptedSecretData"]; + } + if (self->_encryptedMetadata) + { + [dict setObject:self->_encryptedMetadata forKey:@"encryptedMetadata"]; + } + [dict setObject:SecDbKeychainSerializedItemV7_KeyclassAsString(self->_keyclass) forKey:@"keyclass"]; + return dict; +} + +BOOL SecDbKeychainSerializedItemV7ReadFrom(__unsafe_unretained SecDbKeychainSerializedItemV7 *self, __unsafe_unretained PBDataReader *reader) { + while (PBReaderHasMoreData(reader)) { + uint32_t tag = 0; + uint8_t aType = 0; + + PBReaderReadTag32AndType(reader, &tag, &aType); + + if (PBReaderHasError(reader)) + break; + + if (aType == TYPE_END_GROUP) { + break; + } + + switch (tag) { + + case 1 /* encryptedSecretData */: + { + NSData *new_encryptedSecretData = PBReaderReadData(reader); + self->_encryptedSecretData = 
new_encryptedSecretData; + } + break; + case 2 /* encryptedMetadata */: + { + NSData *new_encryptedMetadata = PBReaderReadData(reader); + self->_encryptedMetadata = new_encryptedMetadata; + } + break; + case 3 /* keyclass */: + { + self->_keyclass = PBReaderReadInt32(reader); + } + break; + default: + if (!PBReaderSkipValueWithTag(reader, tag, aType)) + return NO; + break; + } + } + return !PBReaderHasError(reader); +} + +- (BOOL)readFrom:(PBDataReader *)reader +{ + return SecDbKeychainSerializedItemV7ReadFrom(self, reader); +} +- (void)writeTo:(PBDataWriter *)writer +{ + /* encryptedSecretData */ + { + assert(nil != self->_encryptedSecretData); + PBDataWriterWriteDataField(writer, self->_encryptedSecretData, 1); + } + /* encryptedMetadata */ + { + assert(nil != self->_encryptedMetadata); + PBDataWriterWriteDataField(writer, self->_encryptedMetadata, 2); + } + /* keyclass */ + { + PBDataWriterWriteInt32Field(writer, self->_keyclass, 3); + } +} + +- (void)copyTo:(SecDbKeychainSerializedItemV7 *)other +{ + other.encryptedSecretData = _encryptedSecretData; + other.encryptedMetadata = _encryptedMetadata; + other->_keyclass = _keyclass; +} + +- (id)copyWithZone:(NSZone *)zone +{ + SecDbKeychainSerializedItemV7 *copy = [[[self class] allocWithZone:zone] init]; + copy->_encryptedSecretData = [_encryptedSecretData copyWithZone:zone]; + copy->_encryptedMetadata = [_encryptedMetadata copyWithZone:zone]; + copy->_keyclass = _keyclass; + return copy; +} + +- (BOOL)isEqual:(id)object +{ + SecDbKeychainSerializedItemV7 *other = (SecDbKeychainSerializedItemV7 *)object; + return [other isMemberOfClass:[self class]] + && + ((!self->_encryptedSecretData && !other->_encryptedSecretData) || [self->_encryptedSecretData isEqual:other->_encryptedSecretData]) + && + ((!self->_encryptedMetadata && !other->_encryptedMetadata) || [self->_encryptedMetadata isEqual:other->_encryptedMetadata]) + && + self->_keyclass == other->_keyclass + ; +} + +- (NSUInteger)hash +{ + return 0 + ^ + 
[self->_encryptedSecretData hash] + ^ + [self->_encryptedMetadata hash] + ^ + PBHashInt((NSUInteger)_keyclass) + ; +} + +- (void)mergeFrom:(SecDbKeychainSerializedItemV7 *)other +{ + if (other->_encryptedSecretData) + { + [self setEncryptedSecretData:other->_encryptedSecretData]; + } + if (other->_encryptedMetadata) + { + [self setEncryptedMetadata:other->_encryptedMetadata]; + } + self->_keyclass = other->_keyclass; +} + +@end +
diff --git a/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedItemV7.proto b/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedItemV7.proto
new file mode 100644
index 00000000..4138447d
--- /dev/null
+++ b/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedItemV7.proto
@@ -0,0 +1,17 @@
+syntax = "proto2";
+
+message SecDbKeychainSerializedItemV7 {
+ required bytes encryptedSecretData = 1;
+ required bytes encryptedMetadata = 2;
+
+ enum Keyclass {
+ KEYCLASS_AK = 6;
+ KEYCLASS_CK = 7;
+ KEYCLASS_DK = 8;
+ KEYCLASS_AKU = 9;
+ KEYCLASS_CKU = 10;
+ KEYCLASS_DKU = 11;
+ KEYCLASS_AKPU = 12;
+ }
+ required Keyclass keyclass = 3 [default = KEYCLASS_AKPU];
+}
diff --git a/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedMetadata.h b/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedMetadata.h
new file mode 100644
index 00000000..0143c9b8
--- /dev/null
+++ b/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedMetadata.h
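Review bot: In SecDbKeychainSerializedItemV7.proto, `required Keyclass keyclass = 3 [default = KEYCLASS_AKPU];` pairs `required` with a default that the generated code on this page never applies. `SecDbKeychainSerializedItemV7ReadFrom` assigns `_keyclass` only when tag 3 is present, does not range-check it (`self->_keyclass = PBReaderReadInt32(reader);`), and the required fields are asserted only in `writeTo:`. A stored blob that omits field 3 or carries a value outside 6–12 therefore parses without error, presumably leaving `_keyclass` at 0. `encryptedBlobWithKeybag:` writes the item's `_keyclass` into this field, and that value selects the metadata class key and the AKS key class, so the item initializer (outside this hunk) should validate it and check that both data fields are present. I would drop the unused default or add `// readers must reject values outside this enum; the generated parser does not` above the field.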
@@ -0,0 +1,40 @@ +// This file was automatically generated by protocompiler +// DO NOT EDIT! +// Compiled from foo.proto + +#import +#import + +#ifdef __cplusplus +#define SECDBKEYCHAINSERIALIZEDMETADATA_FUNCTION extern "C" +#else +#define SECDBKEYCHAINSERIALIZEDMETADATA_FUNCTION extern +#endif + +@interface SecDbKeychainSerializedMetadata : PBCodable +{ + NSData *_ciphertext; + NSString *_tamperCheck; + NSData *_wrappedKey; +} + + +@property (nonatomic, retain) NSData *ciphertext; + +@property (nonatomic, retain) NSData *wrappedKey; + +@property (nonatomic, retain) NSString *tamperCheck; + +// Performs a shallow copy into other +- (void)copyTo:(SecDbKeychainSerializedMetadata *)other; + +// Performs a deep merge from other into self +// If set in other, singular values in self are replaced in self +// Singular composite values are recursively merged +// Repeated values from other are appended to repeated values in self +- (void)mergeFrom:(SecDbKeychainSerializedMetadata *)other; + +SECDBKEYCHAINSERIALIZEDMETADATA_FUNCTION BOOL SecDbKeychainSerializedMetadataReadFrom(__unsafe_unretained SecDbKeychainSerializedMetadata *self, __unsafe_unretained PBDataReader *reader); + +@end + diff --git a/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedMetadata.m b/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedMetadata.m new file mode 100644 index 00000000..e53c9f88 --- /dev/null +++ b/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedMetadata.m 
@@ -0,0 +1,167 @@ +// This file was automatically generated by protocompiler +// DO NOT EDIT! +// Compiled from foo.proto + +#import "SecDbKeychainSerializedMetadata.h" +#import +#import +#import + +#if !__has_feature(objc_arc) +# error This generated file depends on ARC but it is not enabled; turn on ARC, or use 'objc_use_arc' option to generate non-ARC code. +#endif + +@implementation SecDbKeychainSerializedMetadata + +@synthesize ciphertext = _ciphertext; +@synthesize wrappedKey = _wrappedKey; +@synthesize tamperCheck = _tamperCheck; + +- (NSString *)description +{ + return [NSString stringWithFormat:@"%@ %@", [super description], [self dictionaryRepresentation]]; +} + +- (NSDictionary *)dictionaryRepresentation +{ + NSMutableDictionary *dict = [NSMutableDictionary dictionary]; + if (self->_ciphertext) + { + [dict setObject:self->_ciphertext forKey:@"ciphertext"]; + } + if (self->_wrappedKey) + { + [dict setObject:self->_wrappedKey forKey:@"wrappedKey"]; + } + if (self->_tamperCheck) + { + [dict setObject:self->_tamperCheck forKey:@"tamperCheck"]; + } + return dict; +} + +BOOL SecDbKeychainSerializedMetadataReadFrom(__unsafe_unretained SecDbKeychainSerializedMetadata *self, __unsafe_unretained PBDataReader *reader) { + while (PBReaderHasMoreData(reader)) { + uint32_t tag = 0; + uint8_t aType = 0; + + PBReaderReadTag32AndType(reader, &tag, &aType); + + if (PBReaderHasError(reader)) + break; + + if (aType == TYPE_END_GROUP) { + break; + } + + switch (tag) { + + case 1 /* ciphertext */: + { + NSData *new_ciphertext = PBReaderReadData(reader); + self->_ciphertext = new_ciphertext; + } + break; + case 2 /* wrappedKey */: + { + NSData *new_wrappedKey = PBReaderReadData(reader); + self->_wrappedKey = new_wrappedKey; + } + break; + case 3 /* tamperCheck */: + { + NSString *new_tamperCheck = PBReaderReadString(reader); + self->_tamperCheck = new_tamperCheck; + } + break; + default: + if (!PBReaderSkipValueWithTag(reader, tag, aType)) + return NO; + break; + } + } + 
return !PBReaderHasError(reader); +} + +- (BOOL)readFrom:(PBDataReader *)reader +{ + return SecDbKeychainSerializedMetadataReadFrom(self, reader); +} +- (void)writeTo:(PBDataWriter *)writer +{ + /* ciphertext */ + { + assert(nil != self->_ciphertext); + PBDataWriterWriteDataField(writer, self->_ciphertext, 1); + } + /* wrappedKey */ + { + assert(nil != self->_wrappedKey); + PBDataWriterWriteDataField(writer, self->_wrappedKey, 2); + } + /* tamperCheck */ + { + assert(nil != self->_tamperCheck); + PBDataWriterWriteStringField(writer, self->_tamperCheck, 3); + } +} + +- (void)copyTo:(SecDbKeychainSerializedMetadata *)other +{ + other.ciphertext = _ciphertext; + other.wrappedKey = _wrappedKey; + other.tamperCheck = _tamperCheck; +} + +- (id)copyWithZone:(NSZone *)zone +{ + SecDbKeychainSerializedMetadata *copy = [[[self class] allocWithZone:zone] init]; + copy->_ciphertext = [_ciphertext copyWithZone:zone]; + copy->_wrappedKey = [_wrappedKey copyWithZone:zone]; + copy->_tamperCheck = [_tamperCheck copyWithZone:zone]; + return copy; +} + +- (BOOL)isEqual:(id)object +{ + SecDbKeychainSerializedMetadata *other = (SecDbKeychainSerializedMetadata *)object; + return [other isMemberOfClass:[self class]] + && + ((!self->_ciphertext && !other->_ciphertext) || [self->_ciphertext isEqual:other->_ciphertext]) + && + ((!self->_wrappedKey && !other->_wrappedKey) || [self->_wrappedKey isEqual:other->_wrappedKey]) + && + ((!self->_tamperCheck && !other->_tamperCheck) || [self->_tamperCheck isEqual:other->_tamperCheck]) + ; +} + +- (NSUInteger)hash +{ + return 0 + ^ + [self->_ciphertext hash] + ^ + [self->_wrappedKey hash] + ^ + [self->_tamperCheck hash] + ; +} + +- (void)mergeFrom:(SecDbKeychainSerializedMetadata *)other +{ + if (other->_ciphertext) + { + [self setCiphertext:other->_ciphertext]; + } + if (other->_wrappedKey) + { + [self setWrappedKey:other->_wrappedKey]; + } + if (other->_tamperCheck) + { + [self setTamperCheck:other->_tamperCheck]; + } +} + +@end + 
diff --git a/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedMetadata.proto b/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedMetadata.proto new file mode 100644 index 00000000..f21796c2 --- /dev/null +++ b/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedMetadata.proto @@ -0,0 +1,7 @@ +syntax = "proto2"; + +message SecDbKeychainSerializedMetadata { + required bytes ciphertext = 1; + required bytes wrappedKey = 2; + required string tamperCheck = 3; +} diff --git a/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedSecretData.h b/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedSecretData.h new file mode 100644 index 00000000..43dfdf44 --- /dev/null +++ b/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedSecretData.h 
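Review bot: The three `required` fields of SecDbKeychainSerializedMetadata are not enforced on the read side: the generated SecDbKeychainSerializedMetadataReadFrom added in this commit returns `!PBReaderHasError(reader)` without checking that tags 1–3 were seen, while `writeTo:` asserts each ivar is non-nil. A stored blob that omits `wrappedKey` or `tamperCheck` therefore parses successfully and leaves that ivar nil, so the code that unwraps the key and verifies the tamper check (not visible here) has to reject nil fields itself. I would record this next to the message, e.g. `// NOTE: the generated reader does not reject a message missing these fields; callers must nil-check after readFrom:`. The same applies to SecDbKeychainSerializedSecretData.proto further down, whose generated reader has the same shape.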
@@ -0,0 +1,40 @@ +// This file was automatically generated by protocompiler +// DO NOT EDIT! +// Compiled from foo.proto + +#import +#import + +#ifdef __cplusplus +#define SECDBKEYCHAINSERIALIZEDSECRETDATA_FUNCTION extern "C" +#else +#define SECDBKEYCHAINSERIALIZEDSECRETDATA_FUNCTION extern +#endif + +@interface SecDbKeychainSerializedSecretData : PBCodable +{ + NSData *_ciphertext; + NSString *_tamperCheck; + NSData *_wrappedKey; +} + + +@property (nonatomic, retain) NSData *ciphertext; + +@property (nonatomic, retain) NSData *wrappedKey; + +@property (nonatomic, retain) NSString *tamperCheck; + +// Performs a shallow copy into other +- (void)copyTo:(SecDbKeychainSerializedSecretData *)other; + +// Performs a deep merge from other into self +// If set in other, singular values in self are replaced in self +// Singular composite values are recursively merged +// Repeated values from other are appended to repeated values in self +- (void)mergeFrom:(SecDbKeychainSerializedSecretData *)other; + +SECDBKEYCHAINSERIALIZEDSECRETDATA_FUNCTION BOOL SecDbKeychainSerializedSecretDataReadFrom(__unsafe_unretained SecDbKeychainSerializedSecretData *self, __unsafe_unretained PBDataReader *reader); + +@end + diff --git a/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedSecretData.m b/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedSecretData.m new file mode 100644 index 00000000..864421a3 --- /dev/null +++ b/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedSecretData.m 
@@ -0,0 +1,167 @@ +// This file was automatically generated by protocompiler +// DO NOT EDIT! +// Compiled from foo.proto + +#import "SecDbKeychainSerializedSecretData.h" +#import +#import +#import + +#if !__has_feature(objc_arc) +# error This generated file depends on ARC but it is not enabled; turn on ARC, or use 'objc_use_arc' option to generate non-ARC code. +#endif + +@implementation SecDbKeychainSerializedSecretData + +@synthesize ciphertext = _ciphertext; +@synthesize wrappedKey = _wrappedKey; +@synthesize tamperCheck = _tamperCheck; + +- (NSString *)description +{ + return [NSString stringWithFormat:@"%@ %@", [super description], [self dictionaryRepresentation]]; +} + +- (NSDictionary *)dictionaryRepresentation +{ + NSMutableDictionary *dict = [NSMutableDictionary dictionary]; + if (self->_ciphertext) + { + [dict setObject:self->_ciphertext forKey:@"ciphertext"]; + } + if (self->_wrappedKey) + { + [dict setObject:self->_wrappedKey forKey:@"wrappedKey"]; + } + if (self->_tamperCheck) + { + [dict setObject:self->_tamperCheck forKey:@"tamperCheck"]; + } + return dict; +} + +BOOL SecDbKeychainSerializedSecretDataReadFrom(__unsafe_unretained SecDbKeychainSerializedSecretData *self, __unsafe_unretained PBDataReader *reader) { + while (PBReaderHasMoreData(reader)) { + uint32_t tag = 0; + uint8_t aType = 0; + + PBReaderReadTag32AndType(reader, &tag, &aType); + + if (PBReaderHasError(reader)) + break; + + if (aType == TYPE_END_GROUP) { + break; + } + + switch (tag) { + + case 1 /* ciphertext */: + { + NSData *new_ciphertext = PBReaderReadData(reader); + self->_ciphertext = new_ciphertext; + } + break; + case 2 /* wrappedKey */: + { + NSData *new_wrappedKey = PBReaderReadData(reader); + self->_wrappedKey = new_wrappedKey; + } + break; + case 3 /* tamperCheck */: + { + NSString *new_tamperCheck = PBReaderReadString(reader); + self->_tamperCheck = new_tamperCheck; + } + break; + default: + if (!PBReaderSkipValueWithTag(reader, tag, aType)) + return NO; + break; + } + } 
+ return !PBReaderHasError(reader); +} + +- (BOOL)readFrom:(PBDataReader *)reader +{ + return SecDbKeychainSerializedSecretDataReadFrom(self, reader); +} +- (void)writeTo:(PBDataWriter *)writer +{ + /* ciphertext */ + { + assert(nil != self->_ciphertext); + PBDataWriterWriteDataField(writer, self->_ciphertext, 1); + } + /* wrappedKey */ + { + assert(nil != self->_wrappedKey); + PBDataWriterWriteDataField(writer, self->_wrappedKey, 2); + } + /* tamperCheck */ + { + assert(nil != self->_tamperCheck); + PBDataWriterWriteStringField(writer, self->_tamperCheck, 3); + } +} + +- (void)copyTo:(SecDbKeychainSerializedSecretData *)other +{ + other.ciphertext = _ciphertext; + other.wrappedKey = _wrappedKey; + other.tamperCheck = _tamperCheck; +} + +- (id)copyWithZone:(NSZone *)zone +{ + SecDbKeychainSerializedSecretData *copy = [[[self class] allocWithZone:zone] init]; + copy->_ciphertext = [_ciphertext copyWithZone:zone]; + copy->_wrappedKey = [_wrappedKey copyWithZone:zone]; + copy->_tamperCheck = [_tamperCheck copyWithZone:zone]; + return copy; +} + +- (BOOL)isEqual:(id)object +{ + SecDbKeychainSerializedSecretData *other = (SecDbKeychainSerializedSecretData *)object; + return [other isMemberOfClass:[self class]] + && + ((!self->_ciphertext && !other->_ciphertext) || [self->_ciphertext isEqual:other->_ciphertext]) + && + ((!self->_wrappedKey && !other->_wrappedKey) || [self->_wrappedKey isEqual:other->_wrappedKey]) + && + ((!self->_tamperCheck && !other->_tamperCheck) || [self->_tamperCheck isEqual:other->_tamperCheck]) + ; +} + +- (NSUInteger)hash +{ + return 0 + ^ + [self->_ciphertext hash] + ^ + [self->_wrappedKey hash] + ^ + [self->_tamperCheck hash] + ; +} + +- (void)mergeFrom:(SecDbKeychainSerializedSecretData *)other +{ + if (other->_ciphertext) + { + [self setCiphertext:other->_ciphertext]; + } + if (other->_wrappedKey) + { + [self setWrappedKey:other->_wrappedKey]; + } + if (other->_tamperCheck) + { + [self setTamperCheck:other->_tamperCheck]; + } +} + +@end + 
diff --git a/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedSecretData.proto b/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedSecretData.proto new file mode 100644 index 00000000..81b03aca --- /dev/null +++ b/OSX/sec/securityd/SecDbKeychainV7-protobufs/SecDbKeychainSerializedSecretData.proto @@ -0,0 +1,7 @@ +syntax = "proto2"; + +message SecDbKeychainSerializedSecretData { + required bytes ciphertext = 1; + required bytes wrappedKey = 2; + required string tamperCheck = 3; +} diff --git a/OSX/sec/securityd/SecDbQuery.c b/OSX/sec/securityd/SecDbQuery.c index 119f4f2e..81780ed1 100644 --- a/OSX/sec/securityd/SecDbQuery.c +++ b/OSX/sec/securityd/SecDbQuery.c @@ -41,7 +41,7 @@ #include #include #include -#include +#include #include #include #include diff --git a/OSX/sec/securityd/SecItemBackupServer.c b/OSX/sec/securityd/SecItemBackupServer.c index 66d1b998..e7a8dd17 100644 --- a/OSX/sec/securityd/SecItemBackupServer.c +++ b/OSX/sec/securityd/SecItemBackupServer.c @@ -83,7 +83,7 @@ static bool SOSDataSourceWithBackup(SOSDataSourceRef ds, CFDataRef backup, keyba __block bool ok = true; CFPropertyListRef plist = CFPropertyListCreateWithDERData(kCFAllocatorDefault, backup, kCFPropertyListImmutable, NULL, error); CFDictionaryRef bdict = asDictionary(plist, error); - ok = bdict; + ok = (bdict != NULL); if (ok) CFDictionaryForEach(bdict, ^(const void *key, const void *value) { CFStringRef className = asString(key, error); if (className) { diff --git a/OSX/sec/securityd/SecItemDataSource.c b/OSX/sec/securityd/SecItemDataSource.c index ae2686d6..a19f39b6 100644 --- a/OSX/sec/securityd/SecItemDataSource.c +++ b/OSX/sec/securityd/SecItemDataSource.c @@ -32,6 +32,7 @@ #include #include #include +#include #include #include #include 
@@ -122,7 +123,7 @@ static bool SecDbItemSelectSHA1(SecDbQueryRef query, SecDbConnectionRef dbconn, static SOSManifestRef SecItemDataSourceCopyManifestWithQueries(SecItemDataSourceRef ds, CFArrayRef queries, CFErrorRef *error) { __block SOSManifestRef manifest = NULL; __block CFErrorRef localError = NULL; - if (!SecDbPerformRead(ds->db, error, ^(SecDbConnectionRef dbconn) { + if (!kc_with_custom_db(false, true, ds->db, error, ^bool(SecDbConnectionRef dbconn) { __block struct SOSDigestVector dv = SOSDigestVectorInit; Query *q; bool ok = true; @@ -148,6 +149,7 @@ static SOSManifestRef SecItemDataSourceCopyManifestWithQueries(SecItemDataSource manifest = SOSManifestCreateWithDigestVector(&dv, &localError); } SOSDigestVectorFree(&dv); + return ok; })) { CFReleaseSafe(manifest); } @@ -392,7 +394,7 @@ static bool dsForEachObject(SOSDataSourceRef data_source, SOSTransactionRef txn, __block CFStringRef *sqls = select_sql; __block sqlite3_stmt **stmts = select_stmts; - void (^readBlock)(SecDbConnectionRef dbconn) = ^(SecDbConnectionRef dbconn) + bool (^readBlock)(SecDbConnectionRef dbconn) = ^bool(SecDbConnectionRef dbconn) { // Setup for (size_t class_ix = 0; class_ix < dsSyncedClassesSize; ++class_ix) { @@ -426,12 +428,14 @@ static bool dsForEachObject(SOSDataSourceRef data_source, SOSTransactionRef txn, if (queries[class_ix]) result &= query_destroy(queries[class_ix], error); } + + return true; }; if (txn) { readBlock((SecDbConnectionRef)txn); } else { - result &= SecDbPerformRead(ds->db, error, readBlock); + result &= kc_with_custom_db(false, true, ds->db, error, readBlock); } return result; 
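Review bot: In SecItemDataSourceCopyManifestWithQueries the failure branch still uses `CFReleaseSafe(manifest);`, which releases the object without clearing the variable, and with the block now returning `ok` that branch is reached on query errors too. What the function does with `manifest` afterwards is outside the hunk; if it is returned, a released pointer would reach the caller whenever the call fails after `manifest` was assigned. Use `CFReleaseNull(manifest);` here, as this commit already does in objectCopyPropertyList.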
@@ -476,6 +480,7 @@ static CFDateRef copyObjectModDate(SOSObjectRef object, CFErrorRef *error) { static CFDictionaryRef objectCopyPropertyList(SOSObjectRef object, CFErrorRef *error) { SecDbItemRef item = (SecDbItemRef) object; + CFMutableDictionaryRef secretDataDict = SecDbItemCopyPListWithMask(item, kSecDbReturnDataFlag, error); CFMutableDictionaryRef cryptoDataDict = SecDbItemCopyPListWithMask(item, kSecDbInCryptoDataFlag, error); CFMutableDictionaryRef authDataDict = SecDbItemCopyPListWithMask(item, kSecDbInAuthenticatedDataFlag, error); @@ -485,18 +490,24 @@ static CFDictionaryRef objectCopyPropertyList(SOSObjectRef object, CFErrorRef *e CFDictionarySetValue(cryptoDataDict, key, value); }); } + if (secretDataDict) { + CFDictionaryForEach(secretDataDict, ^(const void* key, const void* value) { + CFDictionarySetValue(cryptoDataDict, key, value); + }); + } CFDictionaryAddValue(cryptoDataDict, kSecClass, SecDbItemGetClass(item)->name); } - - CFReleaseSafe(authDataDict); + + CFReleaseNull(secretDataDict); + CFReleaseNull(authDataDict); return cryptoDataDict; } static bool dsWith(SOSDataSourceRef data_source, CFErrorRef *error, SOSDataSourceTransactionSource source, bool onCommitQueue, void(^transaction)(SOSTransactionRef txn, bool *commit)) { SecItemDataSourceRef ds = (SecItemDataSourceRef)data_source; __block bool ok = true; - ok &= SecDbPerformWrite(ds->db, error, ^(SecDbConnectionRef dbconn) { - ok &= SecDbTransaction(dbconn, + ok &= kc_with_custom_db(true, true, ds->db, error, ^bool(SecDbConnectionRef dbconn) { + return SecDbTransaction(dbconn, source == kSOSDataSourceAPITransaction ? kSecDbExclusiveTransactionType : kSecDbExclusiveRemoteSOSTransactionType, error, ^(bool *commit) { if (onCommitQueue) { 
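Review bot: In objectCopyPropertyList, when `SecDbItemCopyPListWithMask(item, kSecDbReturnDataFlag, error)` returns NULL the new `if (secretDataDict)` guard just skips the merge, and the function still returns `cryptoDataDict` without the secret data. Assuming NULL signals a failure (for example a decrypt that could not run), the caller gets a non-NULL property list that looks complete and can only tell otherwise by inspecting `*error`. If consumers treat the result as the whole object, fail closed after the merges with `if (!secretDataDict) CFReleaseNull(cryptoDataDict);`. The three calls also share one `error` out-parameter, so a comment stating which failure is reported would help.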
@@ -514,10 +525,11 @@ static bool dsWith(SOSDataSourceRef data_source, CFErrorRef *error, SOSDataSourc static bool dsReadWith(SOSDataSourceRef data_source, CFErrorRef *error, SOSDataSourceTransactionSource source, void(^perform)(SOSTransactionRef txn)) { SecItemDataSourceRef ds = (SecItemDataSourceRef)data_source; __block bool ok = true; - ok &= SecDbPerformRead(ds->db, error, ^(SecDbConnectionRef dbconn) { + ok &= kc_with_custom_db(false, true, ds->db, error, ^bool(SecDbConnectionRef dbconn) { SecDbPerformOnCommitQueue(dbconn, false, ^{ perform((SOSTransactionRef)dbconn); }); + return true; }); return ok; } @@ -657,8 +669,8 @@ static CFDataRef dsCopyStateWithKey(SOSDataSourceRef data_source, CFStringRef ke if (query) { if (query->q_item) CFReleaseSafe(query->q_item); query->q_item = dict; - void (^read_it)(SecDbConnectionRef dbconn) = ^(SecDbConnectionRef dbconn) { - SecDbItemSelect(query, dbconn, error, NULL, ^bool(const SecDbAttr *attr) { + bool (^read_it)(SecDbConnectionRef dbconn) = ^(SecDbConnectionRef dbconn) { + return SecDbItemSelect(query, dbconn, error, NULL, ^bool(const SecDbAttr *attr) { return CFDictionaryContainsKey(dict, attr->name); }, NULL, NULL, ^(SecDbItemRef item, bool *stop) { secnotice("ds", "found item for key %@@%@", key, pdmn); @@ -668,7 +680,7 @@ static CFDataRef dsCopyStateWithKey(SOSDataSourceRef data_source, CFStringRef ke if (txn) { read_it((SecDbConnectionRef) txn); } else { - SecDbPerformRead(ds->db, error, read_it); + kc_with_custom_db(false, true, ds->db, error, read_it); } query_destroy(query, error); } else { 
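Review bot: In dsCopyStateWithKey, `read_it` is declared `bool (^read_it)(SecDbConnectionRef dbconn)` but its literal is still written `^(SecDbConnectionRef dbconn) { return SecDbItemSelect(…`, relying on return-type inference, while the other blocks converted in this commit spell it `^bool(SecDbConnectionRef dbconn)`; write it the same way here. In the following hunk the results of `read_it((SecDbConnectionRef) txn)` and `kc_with_custom_db(false, true, ds->db, error, read_it)` are both discarded, so a failed read is distinguishable from a missing item only through `*error`; a short comment saying that is intentional would help. The function body continues outside both hunks.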
@@ -702,8 +714,8 @@ static CFDataRef dsCopyItemDataWithKeys(SOSDataSourceRef data_source, CFDictiona if (query) { if (query->q_item) CFReleaseSafe(query->q_item); query->q_item = dict; - SecDbPerformRead(ds->db, error, ^(SecDbConnectionRef dbconn) { - SecDbItemSelect(query, dbconn, error, NULL, ^bool(const SecDbAttr *attr) { + kc_with_custom_db(false, true, ds->db, error, ^bool(SecDbConnectionRef dbconn) { + return SecDbItemSelect(query, dbconn, error, NULL, ^bool(const SecDbAttr *attr) { return CFDictionaryContainsKey(dict, attr->name); }, NULL, NULL, ^(SecDbItemRef item, bool *stop) { secnotice("ds", "found item for keys %@", keys); diff --git a/OSX/sec/securityd/SecItemDb.c b/OSX/sec/securityd/SecItemDb.c index 5ebca2b1..c2d29f91 100644 --- a/OSX/sec/securityd/SecItemDb.c +++ b/OSX/sec/securityd/SecItemDb.c @@ -36,6 +36,7 @@ #include #include #include +#include #include #include #include @@ -44,6 +45,7 @@ #include #include #include +#include "sec_action.h" #include "keychain/ckks/CKKS.h" @@ -390,11 +392,11 @@ s3dl_copy_data_from_col(sqlite3_stmt *stmt, int col, CFErrorRef *error) { static bool s3dl_item_from_col(sqlite3_stmt *stmt, Query *q, int col, CFArrayRef accessGroups, - CFMutableDictionaryRef *item, SecAccessControlRef *access_control, CFErrorRef *error) { + CFMutableDictionaryRef *item, SecAccessControlRef *access_control, keyclass_t* keyclass, CFErrorRef *error) { CFDataRef edata = NULL; bool ok = false; require(edata = s3dl_copy_data_from_col(stmt, col, error), out); - ok = s3dl_item_from_data(edata, q, accessGroups, item, access_control, error); + ok = s3dl_item_from_data(edata, q, accessGroups, item, access_control, keyclass, error); out: CFReleaseSafe(edata); 
@@ -453,11 +455,13 @@ handle_result(Query *q, itemRef = SecDbItemCreateWithAttributes(NULL, q->q_class, item, KEYBAG_DEVICE, &cferror); } if(!cferror && itemRef) { - CFTypeRef attrValue = attr->copyValue(itemRef, attr, &cferror); - if(!cferror && attrValue) { - CFDictionarySetValue(item, attr->name, attrValue); + if (attr->kind != kSecDbSHA1Attr || (q->q_return_type & kSecReturnDataMask)) { // we'll skip returning the sha1 attribute unless the client has also asked us to return data, because without data our sha1 could be invalid + CFTypeRef attrValue = attr->copyValue(itemRef, attr, &cferror); + if (!cferror && attrValue) { + CFDictionarySetValue(item, attr->name, attrValue); + } + CFReleaseNull(attrValue); } - CFReleaseNull(attrValue); } CFReleaseNull(cferror); } @@ -504,10 +508,14 @@ out: static void s3dl_query_row(sqlite3_stmt *stmt, void *context) { struct s3dl_query_ctx *c = context; Query *q = c->q; + ReturnTypeMask saved_mask = q->q_return_type; sqlite_int64 rowid = sqlite3_column_int64(stmt, 0); CFMutableDictionaryRef item = NULL; - bool ok = s3dl_item_from_col(stmt, q, 1, c->accessGroups, &item, NULL, &q->q_error); + bool ok; + +decode: + ok = s3dl_item_from_col(stmt, q, 1, c->accessGroups, &item, NULL, NULL, &q->q_error); if (!ok) { OSStatus status = SecErrorGetOSStatus(q->q_error); // errSecDecode means the item is corrupted, stash it for delete. 
@@ -526,6 +534,16 @@ static void s3dl_query_row(sqlite3_stmt *stmt, void *context) { CFReleaseNull(q->q_error); } else if (status == errSecAuthNeeded) { secwarning("Authentication is needed for %@,rowid=%" PRId64 " (%" PRIdOSStatus "): %@", q->q_class->name, rowid, status, q->q_error); + } else if (status == errSecInteractionNotAllowed) { + static dispatch_once_t kclockedtoken; + static sec_action_t kclockedaction; + dispatch_once(&kclockedtoken, ^{ + kclockedaction = sec_action_create("ratelimiterdisabledlogevent", 1); + sec_action_set_handler(kclockedaction, ^{ + secerror("decode item failed, keychain is locked (%d)", (int)errSecInteractionNotAllowed); + }); + }); + sec_action_perform(kclockedaction); } else { secerror("decode %@,rowid=%" PRId64 " failed (%" PRIdOSStatus "): %@", q->q_class->name, rowid, status, q->q_error); } @@ -536,6 +554,14 @@ static void s3dl_query_row(sqlite3_stmt *stmt, void *context) { if (!item) goto out; + if (CFDictionaryContainsKey(item, kSecAttrTokenID) && (q->q_return_type & kSecReturnDataMask) == 0) { + // For token-based items, to get really meaningful set of attributes we must provide also data field, so augment mask + // and restart item decoding cycle. + q->q_return_type |= kSecReturnDataMask; + CFReleaseNull(item); + goto decode; + } + if (q->q_token_object_id != NULL && !checkTokenObjectID(q->q_token_object_id, CFDictionaryGetValue(item, kSecValueData))) goto out; @@ -544,7 +570,7 @@ static void s3dl_query_row(sqlite3_stmt *stmt, void *context) { CFMutableDictionaryRef key; /* TODO : if there is a errSecDecode error here, we should cleanup */ - if (!s3dl_item_from_col(stmt, q, 3, c->accessGroups, &key, NULL, &q->q_error) || !key) + if (!s3dl_item_from_col(stmt, q, 3, c->accessGroups, &key, NULL, NULL, &q->q_error) || !key) goto out; CFDataRef certData = CFDictionaryGetValue(item, kSecValueData); 
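Review bot: The `goto decode` retry ORs `kSecReturnDataMask` into the shared `q->q_return_type`, and the only restore is `q->q_return_type = saved_mask;` at `out:`, added in a later hunk. The `if (!ok)` error branch sits between `decode:` and `out:` and its exit is not visible in these hunks; if it leaves with `return` rather than `goto out`, a token item whose second decode fails would leave the widened mask on the query for the following rows, which could then carry data the caller did not ask for. Make sure every exit after `decode:` restores the mask, e.g. put `q->q_return_type = saved_mask;` before the early exit of the `!ok` branch. The retry itself is bounded, since the mask test is false on the second pass.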
@@ -582,6 +608,7 @@ static void s3dl_query_row(sqlite3_stmt *stmt, void *context) { } out: + q->q_return_type = saved_mask; CFReleaseSafe(item); } @@ -1110,6 +1137,7 @@ s3dl_query_update(SecDbConnectionRef dbt, Query *q, secerror("failed to delete corrupt %@,rowid=%" PRId64 " %@", q->q_class->name, SecDbItemGetRowId(item, NULL), localError); CFReleaseNull(localError); } + CFReleaseNull(new_item); return; } if (new_item != NULL && u->q_access_control != NULL) @@ -1140,7 +1168,7 @@ errOut: static bool SecDbItemNeedAuth(SecDbItemRef item, CFErrorRef *error) { CFErrorRef localError = NULL; - if (!SecDbItemEnsureDecrypted(item, &localError) && localError && CFErrorGetCode(localError) == errSecAuthNeeded) { + if (!SecDbItemEnsureDecrypted(item, true, &localError) && localError && CFErrorGetCode(localError) == errSecAuthNeeded) { if (error) *error = localError; return true; @@ -1292,6 +1320,7 @@ static bool SecItemIsSystemBound(CFDictionaryRef item, const SecDbClass *cls, bo if (multiUser && CFEqual(agrp, CFSTR("apple")) && cls == genp_class()) { static CFStringRef accountServices[] = { + /* accounts, remove with rdar://37595482 */ CFSTR("com.apple.account.AppleAccount.token"), CFSTR("com.apple.account.AppleAccount.password"), CFSTR("com.apple.account.AppleAccount.rpassword"), @@ -1302,6 +1331,7 @@ static bool SecItemIsSystemBound(CFDictionaryRef item, const SecDbClass *cls, bo CFSTR("com.apple.account.IdentityServices.password"), /* accountsd for ids */ CFSTR("com.apple.account.IdentityServices.rpassword"), CFSTR("com.apple.account.IdentityServices.token"), + /* IDS stuff */ CFSTR("BackupIDSAccountToken"), CFSTR("com.apple.ids"), CFSTR("ids"), 
@@ -1323,6 +1353,15 @@ static bool SecItemIsSystemBound(CFDictionaryRef item, const SecDbClass *cls, bo } } + /* accounts, remove with rdar://37595482 */ + if (multiUser && CFEqual(agrp, CFSTR("com.apple.ind")) && cls == genp_class()) { + CFStringRef service = CFDictionaryGetValue(item, kSecAttrService); + if (isString(service) && CFEqual(service, CFSTR("com.apple.ind.registration"))) { + secdebug("backup", "found exact sys_bound item: %@", item); + return true; + } + } + if (multiUser && CFEqual(agrp, CFSTR("ichat")) && cls == genp_class()) { static CFStringRef accountServices[] = { CFSTR("ids"), 
@@ -1446,55 +1485,68 @@ static void s3dl_export_row(sqlite3_stmt *stmt, void *context) { bool skip_akpu_or_token = c->filter == kSecBackupableItemFilter; sqlite_int64 rowid = sqlite3_column_int64(stmt, 0); - CFMutableDictionaryRef item = NULL; - bool ok = s3dl_item_from_col(stmt, q, 1, c->qc.accessGroups, &item, &access_control, &localError); + CFMutableDictionaryRef allAttributes = NULL; + CFMutableDictionaryRef metadataAttributes = NULL; + CFMutableDictionaryRef secretStuff = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); + keyclass_t keyclass = 0; + bool ok = s3dl_item_from_col(stmt, q, 1, c->qc.accessGroups, &allAttributes, &access_control, &keyclass, &localError); + + if (ok) { + metadataAttributes = CFDictionaryCreateMutableCopy(NULL, 0, allAttributes); + SecDbForEachAttrWithMask(q->q_class, desc, kSecDbReturnDataFlag) { + CFTypeRef value = CFDictionaryGetValue(metadataAttributes, desc->name); + if (value) { + CFDictionarySetValue(secretStuff, desc->name, value); + CFDictionaryRemoveValue(metadataAttributes, desc->name); + } + } + } bool is_akpu = access_control ? CFEqualSafe(SecAccessControlGetProtection(access_control), - kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly) : false; - bool is_token = (ok && item != NULL) ? CFDictionaryContainsKey(item, kSecAttrTokenID) : false; + kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly) : keyclass == key_class_akpu; + bool is_token = (ok && allAttributes != NULL) ? CFDictionaryContainsKey(allAttributes, kSecAttrTokenID) : false; - if (ok && item && !(skip_akpu_or_token && (is_akpu || is_token))) { + if (ok && allAttributes && !(skip_akpu_or_token && (is_akpu || is_token))) { /* Only export sysbound items if do_sys_bound is true, only export non sysbound items otherwise. 
*/ bool do_sys_bound = c->filter == kSecSysBoundItemFilter; if (c->filter == kSecNoItemFilter || - SecItemIsSystemBound(item, q->q_class, c->multiUser) == do_sys_bound) { + SecItemIsSystemBound(allAttributes, q->q_class, c->multiUser) == do_sys_bound) { /* Re-encode the item. */ - secdebug("item", "export rowid %llu item: %@", rowid, item); + secdebug("item", "export rowid %llu item: %@", rowid, allAttributes); /* The code below could be moved into handle_row. */ - CFDataRef pref = _SecItemCreatePersistentRef(q->q_class->name, rowid, item); + CFDataRef pref = _SecItemCreatePersistentRef(q->q_class->name, rowid, allAttributes); if (pref) { if (c->dest_keybag != KEYBAG_NONE) { CFMutableDictionaryRef auth_attribs = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); SecDbForEachAttrWithMask(q->q_class, desc, kSecDbInAuthenticatedDataFlag) { - CFTypeRef value = CFDictionaryGetValue(item, desc->name); + CFTypeRef value = CFDictionaryGetValue(metadataAttributes, desc->name); if(value) { CFDictionaryAddValue(auth_attribs, desc->name, value); - CFDictionaryRemoveValue(item, desc->name); + CFDictionaryRemoveValue(metadataAttributes, desc->name); } } /* Encode and encrypt the item to the specified keybag. 
*/ CFDataRef edata = NULL; - bool encrypted = ks_encrypt_data(c->dest_keybag, access_control, q->q_use_cred_handle, item, auth_attribs, &edata, false, &q->q_error); - CFDictionaryRemoveAllValues(item); + bool encrypted = ks_encrypt_data(c->dest_keybag, access_control, q->q_use_cred_handle, secretStuff, metadataAttributes, auth_attribs, &edata, false, &q->q_error); + CFDictionaryRemoveAllValues(allAttributes); CFRelease(auth_attribs); if (encrypted) { - CFDictionarySetValue(item, kSecValueData, edata); + CFDictionarySetValue(allAttributes, kSecValueData, edata); CFReleaseSafe(edata); } else { seccritical("ks_encrypt_data %@,rowid=%" PRId64 ": failed: %@", q->q_class->name, rowid, q->q_error); CFReleaseNull(q->q_error); } } - if (CFDictionaryGetCount(item)) { - CFDictionarySetValue(item, kSecValuePersistentRef, pref); - CFArrayAppendValue((CFMutableArrayRef)c->qc.result, item); + if (CFDictionaryGetCount(allAttributes)) { + CFDictionarySetValue(allAttributes, kSecValuePersistentRef, pref); + CFArrayAppendValue((CFMutableArrayRef)c->qc.result, allAttributes); c->qc.found++; } CFReleaseSafe(pref); } } - CFRelease(item); } else { OSStatus status = SecErrorGetOSStatus(localError); @@ -1514,7 +1566,10 @@ static void s3dl_export_row(sqlite3_stmt *stmt, void *context) { } } } - CFReleaseSafe(access_control); + CFReleaseNull(access_control); + CFReleaseNull(allAttributes); + CFReleaseNull(metadataAttributes); + CFReleaseNull(secretStuff); } static CFStringRef @@ -1600,8 +1655,10 @@ SecServerCopyKeychainPlist(SecDbConnectionRef dbt, CFErrorRef localError = NULL; if (s3dl_query(s3dl_export_row, &ctx, &localError)) { - if (CFArrayGetCount(ctx.qc.result)) + if (CFArrayGetCount(ctx.qc.result)) { + SecSignpostBackupCount(SecSignpostImpulseBackupClassCount, q.q_class->name, CFArrayGetCount(ctx.qc.result), filter); CFDictionaryAddValue(keychain, q.q_class->name, ctx.qc.result); + } } else { OSStatus status = (OSStatus)CFErrorGetCode(localError); 
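Review bot: In s3dl_export_row the `secdebug("item", "export rowid %llu item: %@", rowid, allAttributes)` line logs the full decoded dictionary, which still holds the `kSecDbReturnDataFlag` attributes that this same hunk copies into `secretStuff`; now that metadata is split out, log only that: `secdebug("item", "export rowid %llu item: %@", rowid, metadataAttributes);`. Whether secdebug output reaches release logs is not visible from this hunk. Separately, the split runs under `if (ok)` alone while the later test is `ok && allAttributes`, which suggests `allAttributes` can be NULL on success; `CFDictionaryCreateMutableCopy` must not be handed a NULL dictionary, so the guard should read `if (ok && allAttributes) {`.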
@@ -1819,11 +1876,13 @@ static void SecServerImportClass(const void *key, const void *value, if (isArray(value)) { CFArrayRef items = (CFArrayRef)value; secwarning("Import %ld items of class %@ (filter %d)", (long)CFArrayGetCount(items), key, state->filter); + SecSignpostBackupCount(SecSignpostImpulseRestoreClassCount, class->name, CFArrayGetCount(items), state->filter); CFArrayApplyFunction(items, CFRangeMake(0, CFArrayGetCount(items)), SecServerImportItem, &item_state); } else if (isDictionary(value)) { CFDictionaryRef item = (CFDictionaryRef)value; - secwarning("Import %ld items of class %@ (filter %d)", (long)CFDictionaryGetCount(item), key, state->filter); + secwarning("Import %ld items of class %@ (filter %d)", (long)1, key, state->filter); + SecSignpostBackupCount(SecSignpostImpulseRestoreClassCount, class->name, 1, state->filter); SecServerImportItem(item, &item_state); } else { secwarning("Unknown value type for class %@ (filter %d)", key, state->filter); @@ -1831,8 +1890,9 @@ static void SecServerImportClass(const void *key, const void *value, } bool SecServerImportKeychainInPlist(SecDbConnectionRef dbt, SecurityClient *client, - keybag_handle_t src_keybag, keybag_handle_t dest_keybag, - CFDictionaryRef keychain, enum SecItemFilter filter, CFErrorRef *error) { + keybag_handle_t src_keybag, keybag_handle_t dest_keybag, + CFDictionaryRef keychain, enum SecItemFilter filter, + bool removeKeychainContent, CFErrorRef *error) { CFStringRef keybaguuid = NULL; bool ok = true; 
@@ -1858,17 +1918,22 @@ bool SecServerImportKeychainInPlist(SecDbConnectionRef dbt, SecurityClient *clie } } - /* Delete everything in the keychain. */ + /* + Delete everything in the keychain. + We don't want this if we're restoring backups because we probably already synced stuff over + */ + if (removeKeychainContent) { #if TARGET_OS_IPHONE - if (client->inMultiUser) { - CFDataRef musrView = SecMUSRCreateActiveUserUUID(client->uid); - require_action(musrView, errOut, ok = false); - require_action(ok = SecServerDeleteAllForUser(dbt, musrView, true, error), errOut, CFReleaseNull(musrView)); - CFReleaseNull(musrView); - } else + if (client->inMultiUser) { + CFDataRef musrView = SecMUSRCreateActiveUserUUID(client->uid); + require_action(musrView, errOut, ok = false); + require_action(ok = SecServerDeleteAllForUser(dbt, musrView, true, error), errOut, CFReleaseNull(musrView)); + CFReleaseNull(musrView); + } else #endif - { - require(ok = SecServerDeleteAll(dbt, error), errOut); + { + require(ok = SecServerDeleteAll(dbt, error), errOut); + } } struct SecServerImportClassState state = { @@ -2020,8 +2085,9 @@ bool s3dl_dbt_update_keys(SecDbConnectionRef dbt, SecurityClient *client, CFErro secerror("Ignoring export error: %@ during roll export", localError); CFReleaseNull(localError); } + // 'true' argument: we're replacing everything with newly wrapped entries so remove the old stuff ok = SecServerImportKeychainInPlist(dbt, client, KEYBAG_NONE, - KEYBAG_DEVICE, backup, kSecNoItemFilter, &localError); + KEYBAG_DEVICE, backup, kSecNoItemFilter, true, &localError); if (localError) { secerror("Ignoring export error: %@ during roll export", localError); CFReleaseNull(localError); diff --git a/OSX/sec/securityd/SecItemDb.h b/OSX/sec/securityd/SecItemDb.h index 6d91d921..9cca3299 100644 --- a/OSX/sec/securityd/SecItemDb.h +++ b/OSX/sec/securityd/SecItemDb.h 
@@ -83,6 +83,7 @@ bool SecServerImportKeychainInPlist(SecDbConnectionRef dbt, keybag_handle_t dest_keybag, CFDictionaryRef keychain, enum SecItemFilter filter, + bool removeKeychainContent, CFErrorRef *error); CFStringRef @@ -93,8 +94,8 @@ SecServerBackupGetKeybagUUID(CFDictionaryRef keychain, CFErrorRef *error); bool SecServerDeleteAllForUser(SecDbConnectionRef dbt, CFDataRef musrView, bool keepU, CFErrorRef *error); #endif -bool kc_transaction(SecDbConnectionRef dbt, CFErrorRef *error, bool(^perform)()); -bool kc_transaction_type(SecDbConnectionRef dbt, SecDbTransactionType type, CFErrorRef *error, bool(^perform)()); +bool kc_transaction(SecDbConnectionRef dbt, CFErrorRef *error, bool(^perform)(void)); +bool kc_transaction_type(SecDbConnectionRef dbt, SecDbTransactionType type, CFErrorRef *error, bool(^perform)(void)); bool s3dl_copy_matching(SecDbConnectionRef dbt, Query *q, CFTypeRef *result, CFArrayRef accessGroups, CFErrorRef *error); bool s3dl_query_add(SecDbConnectionRef dbt, Query *q, CFTypeRef *result, CFErrorRef *error); diff --git a/OSX/sec/securityd/SecItemSchema.c b/OSX/sec/securityd/SecItemSchema.c index 069180a2..f3605330 100644 --- a/OSX/sec/securityd/SecItemSchema.c +++ b/OSX/sec/securityd/SecItemSchema.c 
@@ -234,6 +234,51 @@ SECDB_ATTR(v10_5epoch, "epoch", Number, SecDbFlags( ,L, , , , SECDB_ATTR(v10_5signature, "signature", Blob, SecDbFlags( ,L, , , , , , , , , , , , , , ), NULL, NULL); SECDB_ATTR(v10_5version, "version", Number, SecDbFlags( ,L, , , , , , , , ,Z, ,N,U, , ), NULL, NULL); +SECDB_ATTR(v11_1osversion, "osversion", String, SecDbFlags( ,L, , , , , , , , , , , , , , ), NULL, NULL); +SECDB_ATTR(v11_1lastunlock, "lastunlock", String, SecDbFlags( ,L, , , , , , , , , , , , , , ), NULL, NULL); + +SECDB_ATTR(v11_2actualKeyclass, "actualKeyclass", String, SecDbFlags( ,L, , , , , , , , , , , , , , ), NULL, NULL); + +const SecDbClass v11_2_metadatakeys_class = { + .name = CFSTR("metadatakeys"), + .itemclass = false, + .attrs = { + &v10keyclass, + &v11_2actualKeyclass, + &v6data, + 0 + } +}; + +const SecDbClass v11_1_ckdevicestate_class = { + .name = CFSTR("ckdevicestate"), + .itemclass = false, + .attrs = { + &v10ckzone, + &v10_2device, + &v11_1osversion, + &v11_1lastunlock, + &v10_2peerid, + &v10_2circleStatus, + &v10_2keyState, + &v10_2currentTLK, + &v10_2currentClassA, + &v10_2currentClassC, + &v10_1encRecord, + 0 + } +}; + +const SecDbClass v11_metadatakeys_class = { + .name = CFSTR("metadatakeys"), + .itemclass = false, + .attrs = { + &v10keyclass, + &v6data, + 0 + } +}; + const SecDbClass v10_5_tlkshare_class = { .name = CFSTR("tlkshare"), .itemclass = false, 
@@ -894,6 +939,111 @@ const SecDbClass v_identity_class = { }, }; +/* + * Version 11.2 + */ +const SecDbSchema v11_2_schema = { + .majorVersion = 11, + .minorVersion = 2, + .classes = { + &v10_1_genp_class, + &v10_1_inet_class, + &v10_1_cert_class, + &v10_1_keys_class, + &v10_0_tversion_class, + &v10_2_outgoing_queue_class, + &v10_2_incoming_queue_class, + &v10_0_sync_key_class, + &v10_1_ckmirror_class, + &v10_0_current_key_class, + &v10_4_ckstate_class, + &v10_0_item_backup_class, + &v10_0_backup_keybag_class, + &v10_2_ckmanifest_class, + &v10_2_pending_manifest_class, + &v10_1_ckmanifest_leaf_class, + &v10_1_backup_keyarchive_class, + &v10_1_current_keyarchive_class, + &v10_1_current_archived_keys_class, + &v10_1_pending_manifest_leaf_class, + &v10_4_current_item_class, + &v11_1_ckdevicestate_class, + &v10_5_tlkshare_class, + &v11_2_metadatakeys_class, + 0 + } +}; + +/* + * Version 11.1 + */ +const SecDbSchema v11_1_schema = { + .majorVersion = 11, + .minorVersion = 1, + .classes = { + &v10_1_genp_class, + &v10_1_inet_class, + &v10_1_cert_class, + &v10_1_keys_class, + &v10_0_tversion_class, + &v10_2_outgoing_queue_class, + &v10_2_incoming_queue_class, + &v10_0_sync_key_class, + &v10_1_ckmirror_class, + &v10_0_current_key_class, + &v10_4_ckstate_class, + &v10_0_item_backup_class, + &v10_0_backup_keybag_class, + &v10_2_ckmanifest_class, + &v10_2_pending_manifest_class, + &v10_1_ckmanifest_leaf_class, + &v10_1_backup_keyarchive_class, + &v10_1_current_keyarchive_class, + &v10_1_current_archived_keys_class, + &v10_1_pending_manifest_leaf_class, + &v10_4_current_item_class, + &v11_1_ckdevicestate_class, + &v10_5_tlkshare_class, + &v11_metadatakeys_class, + 0 + } +}; + +/* + * Version 11 + */ +const SecDbSchema v11_schema = { + .majorVersion = 11, + .minorVersion = 0, + .classes = { + &v10_1_genp_class, + &v10_1_inet_class, + &v10_1_cert_class, + &v10_1_keys_class, + &v10_0_tversion_class, + &v10_2_outgoing_queue_class, + &v10_2_incoming_queue_class, + 
&v10_0_sync_key_class, + &v10_1_ckmirror_class, + &v10_0_current_key_class, + &v10_4_ckstate_class, + &v10_0_item_backup_class, + &v10_0_backup_keybag_class, + &v10_2_ckmanifest_class, + &v10_2_pending_manifest_class, + &v10_1_ckmanifest_leaf_class, + &v10_1_backup_keyarchive_class, + &v10_1_current_keyarchive_class, + &v10_1_current_archived_keys_class, + &v10_1_pending_manifest_leaf_class, + &v10_4_current_item_class, + &v10_3_ckdevicestate_class, + &v10_5_tlkshare_class, + &v11_metadatakeys_class, + 0 + } +}; + /* * Version 10.5 @@ -929,7 +1079,6 @@ const SecDbSchema v10_5_schema = { } }; - /* * Version 10.4 */ @@ -2299,6 +2448,9 @@ static const SecDbSchema v5_schema = { SecDbSchema const * const * kc_schemas = NULL; const SecDbSchema *v10_kc_schemas[] = { + &v11_2_schema, + &v11_1_schema, + &v11_schema, &v10_5_schema, &v10_4_schema, &v10_3_schema, diff --git a/OSX/sec/securityd/SecItemServer.c b/OSX/sec/securityd/SecItemServer.c index 6c7a3871..bb61f4d5 100644 --- a/OSX/sec/securityd/SecItemServer.c +++ b/OSX/sec/securityd/SecItemServer.c @@ -33,6 +33,8 @@ #include #include #include +#include +#include #include #include #include @@ -45,6 +47,7 @@ #include #include #include +#include #include @@ -107,7 +110,7 @@ void SecKeychainChanged() { } /* Return the current database version in *version. */ -static bool SecKeychainDbGetVersion(SecDbConnectionRef dbt, int *version, CFErrorRef *error) +bool SecKeychainDbGetVersion(SecDbConnectionRef dbt, int *version, CFErrorRef *error) { __block bool ok = true; __block CFErrorRef localError = NULL; @@ -354,7 +357,7 @@ static bool UpgradeSchemaPhase1(SecDbConnectionRef dbt, const SecDbSchema *oldSc if (isClassD(item)) { // Decrypt the item. - ok &= SecDbItemEnsureDecrypted(item, &localError); + ok &= SecDbItemEnsureDecrypted(item, true, &localError); require_quiet(ok, out); // Delete SHA1 field from the item, so that it is newly recalculated before storing 
@@ -469,8 +472,13 @@ out: return ok; } +__thread SecDbConnectionRef dbt = NULL; +__thread bool isUnlocked = false; + // Goes through all tables represented by old_schema and tries to migrate all items from them into new (current version) tables. -static bool UpgradeItemPhase2(SecDbConnectionRef dbt, bool *inProgress, CFErrorRef *error) { +static bool UpgradeItemPhase2(SecDbConnectionRef inDbt, bool *inProgress, CFErrorRef *error) { + SecDbConnectionRef oldDbt = dbt; + dbt = inDbt; __block bool ok = true; SecDbQueryRef query = NULL; #if TARGET_OS_EMBEDDED @@ -498,7 +506,7 @@ static bool UpgradeItemPhase2(SecDbConnectionRef dbt, bool *inProgress, CFErrorR query_destroy(query, NULL); } require_action_quiet(query = query_create(*class, SecMUSRGetAllViews(), NULL, error), out, ok = false); - ok = SecDbItemSelect(query, dbt, error, NULL, ^bool(const SecDbAttr *attr) { + ok &= SecDbItemSelect(query, dbt, error, NULL, ^bool(const SecDbAttr *attr) { // No simple per-attribute filtering. return false; }, ^bool(CFMutableStringRef sql, bool *needWhere) { @@ -517,7 +525,7 @@ static bool UpgradeItemPhase2(SecDbConnectionRef dbt, bool *inProgress, CFErrorR #endif // Decrypt the item. - if (SecDbItemEnsureDecrypted(item, &localError)) { + if (SecDbItemEnsureDecrypted(item, true, &localError)) { // Delete SHA1 field from the item, so that it is newly recalculated before storing // the item into the new table. 
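Review bot: `ok &= SecDbItemSelect(...)` in UpgradeItemPhase2 updates the same `__block bool ok` that the row block handed to SecDbItemSelect also assigns, and C does not specify whether the left operand is read before or after that call. Depending on the order the compiler picks, a value the block stored in `ok` is either combined with the return value or overwritten by it. Keeping the call result separate removes the dependency: `bool selected = SecDbItemSelect(...); ok = ok && selected;`. The same shape appears in this commit's SecOCSPCache.c changes, in the VACUUM write of _SecOCSPCacheReplaceResponse and in _SecOCSPCacheFlush. UpgradeItemPhase2's body continues outside this hunk.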
@@ -541,11 +549,16 @@ static bool UpgradeItemPhase2(SecDbConnectionRef dbt, bool *inProgress, CFErrorR CFIndex status = CFErrorGetCode(localError); switch (status) { - case errSecDecode: + case errSecDecode: { // Items producing errSecDecode are silently dropped - they are not decodable and lost forever. - (void)SecDbItemDelete(item, dbt, false, error); + // make sure we use a local error so that this error is not proppaged upward and cause a + // migration failure. + CFErrorRef deleteError = NULL; + (void)SecDbItemDelete(item, dbt, false, &deleteError); + CFReleaseNull(deleteError); ok = true; break; + } case errSecInteractionNotAllowed: // If we are still not able to decrypt the item because the class key is not released yet, // remember that DB still needs phase2 migration to be run next time a connection is made. Also @@ -560,11 +573,24 @@ static bool UpgradeItemPhase2(SecDbConnectionRef dbt, bool *inProgress, CFErrorR // ACM context, which we do not have). ok = true; break; + case SQLITE_CONSTRAINT: // yeah... + if (!CFEqual(kSecDbErrorDomain, CFErrorGetDomain(localError))) { + secerror("Received SQLITE_CONSTRAINT with wrong error domain. Huh? Item: %@, error: %@", item, localError); + break; + } + case errSecDuplicateItem: + // continue to upgrade and don't propagate errors for insert failures + // that are typical of a single item failure + secnotice("upgr", "Ignoring duplicate item: %@", item); + secdebug("upgr", "Duplicate item error: %@", localError); + ok = true; + break; #if USE_KEYSTORE case kAKSReturnNotReady: case kAKSReturnTimeout: #endif case errSecNotAvailable: + *inProgress = true; // We're not done, call me again later! secnotice("upgr", "Bailing in phase 2 because AKS is unavailable: %@", localError); // FALLTHROUGH default: @@ -589,6 +615,8 @@ static bool UpgradeItemPhase2(SecDbConnectionRef dbt, bool *inProgress, CFErrorR out: if (query != NULL) query_destroy(query, NULL); + + dbt = oldDbt; return ok; } 
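Review bot: The new `case SQLITE_CONSTRAINT:` runs into `case errSecDuplicateItem:` without a marker, while the `errSecNotAvailable` case just below carries `// FALLTHROUGH`; adding the same comment after the domain check would show that the shared handling is deliberate. The wrong-domain branch also leaves through `break` without assigning `ok`, so the result there depends on whatever `ok` held before the switch, which is outside this hunk; an explicit assignment would make the intended outcome clear. The other cases compare `CFErrorGetCode(localError)` without looking at the error domain, which appears to be why this numeric overlap needed a special case at all. The comment typo `proppaged` in the previous hunk could be fixed in passing.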
@@ -672,7 +700,10 @@ static bool SecKeychainDbUpgradeFromVersion(SecDbConnectionRef dbt, int version, secerror("no schema for version 0x%x", oldVersion)); secnotice("upgr", "Upgrading from version 0x%x to 0x%x", oldVersion, SCHEMA_VERSION(newSchema)); + SecSignpostStart(SecSignpostUpgradePhase1); + require_action(ok = UpgradeSchemaPhase1(dbt, oldSchema, &localError), out, secerror("upgrade: Upgrade phase1 failed: %@", localError)); + SecSignpostStop(SecSignpostUpgradePhase1); didPhase1 = true; } @@ -680,7 +711,9 @@ static bool SecKeychainDbUpgradeFromVersion(SecDbConnectionRef dbt, int version, { CFErrorRef phase2Error = NULL; - // Lests try to go through non-D-class items in new tables and apply decode/encode on them + SecSignpostStart(SecSignpostUpgradePhase2); + + // Lets try to go through non-D-class items in new tables and apply decode/encode on them // If this fails the error will be ignored after doing a phase1 since but not in the second // time when we are doing phase2. ok = UpgradeItemPhase2(dbt, inProgress, &phase2Error); @@ -688,11 +721,11 @@ static bool SecKeychainDbUpgradeFromVersion(SecDbConnectionRef dbt, int version, if (didPhase1) { *inProgress = true; ok = true; + CFReleaseNull(phase2Error); } else { SecErrorPropagate(phase2Error, &localError); } } - CFReleaseNull(phase2Error); require_action(ok, out, secerror("upgrade: Upgrade phase2 (%d) failed: %@", didPhase1, localError)); if (!*inProgress) { @@ -702,6 +735,7 @@ static bool SecKeychainDbUpgradeFromVersion(SecDbConnectionRef dbt, int version, oldVersion = 0; didPhase2 = true; + SecSignpostStop(SecSignpostUpgradePhase2); } } 
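Review bot: `SecSignpostStart(SecSignpostUpgradePhase1)` has no matching stop on the failure path, because `require_action` jumps to `out` before `SecSignpostStop(SecSignpostUpgradePhase1)` when UpgradeSchemaPhase1 fails. Separating the call from the check closes the interval either way: `ok = UpgradeSchemaPhase1(dbt, oldSchema, &localError);`, then `SecSignpostStop(SecSignpostUpgradePhase1);`, then `require_action(ok, out, ...)`. `SecSignpostUpgradePhase2` has a similar gap: its stop sits after `didPhase2 = true`, and as far as these hunks show it is skipped when phase 2 fails or is still in progress. SecKeychainDbUpgradeFromVersion starts and ends outside these hunks.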
@@ -819,6 +853,9 @@ static CF_RETURNS_RETAINED CFDataRef SecServerExportBackupableKeychain(SecDbConn SecurityClient *client, keybag_handle_t src_keybag, keybag_handle_t dest_keybag, CFErrorRef *error) { CFDataRef data_out = NULL; + + SecSignpostStart(SecSignpostBackupKeychainBackupable); + /* Export everything except the items for which SecItemIsSystemBound() returns true. */ CFDictionaryRef keychain = SecServerCopyKeychainPlist(dbt, client, @@ -830,6 +867,7 @@ static CF_RETURNS_RETAINED CFDataRef SecServerExportBackupableKeychain(SecDbConn 0, error); CFRelease(keychain); } + SecSignpostStop(SecSignpostBackupKeychainBackupable); return data_out; } @@ -844,6 +882,9 @@ static bool SecServerImportBackupableKeychain(SecDbConnectionRef dbt, return kc_transaction(dbt, error, ^{ bool ok = false; CFDictionaryRef keychain; + + SecSignpostStart(SecSignpostRestoreKeychainBackupable); + keychain = CFPropertyListCreateWithData(kCFAllocatorDefault, data, kCFPropertyListImmutable, NULL, error); @@ -855,12 +896,16 @@ static bool SecServerImportBackupableKeychain(SecDbConnectionRef dbt, dest_keybag, keychain, kSecBackupableItemFilter, + false, // Restoring backup should not remove stuff that got into the keychain before us error); } else { ok = SecError(errSecParam, error, CFSTR("import: keychain is not a dictionary")); } CFRelease(keychain); } + + SecSignpostStop(SecSignpostRestoreKeychainBackupable); + return ok; }); } @@ -869,7 +914,7 @@ static bool SecServerImportBackupableKeychain(SecDbConnectionRef dbt, /* * Similar to ks_open_keybag, but goes through MKB interface */ -static bool mkb_open_keybag(CFDataRef keybag, CFDataRef password, MKBKeyBagHandleRef *handle, CFErrorRef *error) { +static bool mkb_open_keybag(CFDataRef keybag, CFDataRef password, MKBKeyBagHandleRef *handle, bool emcs, CFErrorRef *error) { kern_return_t rc; MKBKeyBagHandleRef mkbhandle = NULL; 
@@ -878,12 +923,14 @@ static bool mkb_open_keybag(CFDataRef keybag, CFDataRef password, MKBKeyBagHandl return SecKernError(rc, error, CFSTR("MKBKeyBagCreateWithData failed: %d"), rc); } - if (password) { + if (!emcs) { rc = MKBKeyBagUnlock(mkbhandle, password); if (rc != kMobileKeyBagSuccess) { CFRelease(mkbhandle); return SecKernError(rc, error, CFSTR("failed to unlock bag: %d"), rc); } + } else { + secnotice("keychainbackup", "skipping keybag unlock for EMCS"); } *handle = mkbhandle; @@ -894,23 +941,31 @@ static bool mkb_open_keybag(CFDataRef keybag, CFDataRef password, MKBKeyBagHandl static CFDataRef SecServerKeychainCreateBackup(SecDbConnectionRef dbt, SecurityClient *client, CFDataRef keybag, - CFDataRef password, CFErrorRef *error) { + CFDataRef password, bool emcs, CFErrorRef *error) { CFDataRef backup = NULL; keybag_handle_t backup_keybag; + + SecSignpostStart(SecSignpostBackupOpenKeybag); + #if USE_KEYSTORE MKBKeyBagHandleRef mkbhandle = NULL; - require(mkb_open_keybag(keybag, password, &mkbhandle, error), out); + require(mkb_open_keybag(keybag, password, &mkbhandle, emcs, error), out); require_noerr(MKBKeyBagGetAKSHandle(mkbhandle, &backup_keybag), out); #else backup_keybag = KEYBAG_NONE; #endif + SecSignpostStop(SecSignpostBackupOpenKeybag); + SecSignpostStart(SecSignpostBackupKeychain); + /* Export from system keybag to backup keybag. */ backup = SecServerExportBackupableKeychain(dbt, client, KEYBAG_DEVICE, backup_keybag, error); #if USE_KEYSTORE out: + SecSignpostStop(SecSignpostBackupOpenKeybag); + if (mkbhandle) CFRelease(mkbhandle); #endif 
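Review bot: Switching the guard in mkb_open_keybag from `if (password)` to `if (!emcs)` changes two cases without saying so: with `emcs` false and a NULL `password` the code now calls `MKBKeyBagUnlock(mkbhandle, password)` where it used to skip the unlock, and with `emcs` true a supplied password is ignored and the bag handle is returned without being unlocked. SecServerKeychainRestore passes `false` unconditionally, so it is affected by the first case. How MKBKeyBagUnlock treats a NULL password, and where the `emcs` flag given to _SecServerKeychainCreateBackup originates, are not visible in this diff. I would extend the function comment to state that `emcs` skips MKBKeyBagUnlock and that `password` is unused in that mode, and to say whether NULL is an accepted password otherwise.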
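Review bot: The `out:` label in SecServerKeychainCreateBackup stops `SecSignpostBackupOpenKeybag` a second time, so `SecSignpostBackupKeychain`, started just above the export, is never stopped; SecServerKeychainRestore stops `SecSignpostRestoreKeychain` at the corresponding place. The line should read `SecSignpostStop(SecSignpostBackupKeychain);`. Because `out:` sits inside `#if USE_KEYSTORE`, that stop is also compiled out of builds without a keystore, so placing it after the export call and outside the conditional would cover both configurations. When an early `require` fails, neither function stops the open-keybag interval it started. The function body continues outside this hunk.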
@@ -926,19 +981,26 @@ static bool SecServerKeychainRestore(SecDbConnectionRef dbt, { bool ok = false; keybag_handle_t backup_keybag; + + + SecSignpostStart(SecSignpostRestoreOpenKeybag); #if USE_KEYSTORE MKBKeyBagHandleRef mkbhandle = NULL; - require(mkb_open_keybag(keybag, password, &mkbhandle, error), out); + require(mkb_open_keybag(keybag, password, &mkbhandle, false, error), out); require_noerr(MKBKeyBagGetAKSHandle(mkbhandle, &backup_keybag), out); #else backup_keybag = KEYBAG_NONE; #endif + SecSignpostStop(SecSignpostRestoreOpenKeybag); + SecSignpostStart(SecSignpostRestoreKeychain); + /* Import from backup keybag to system keybag. */ require(SecServerImportBackupableKeychain(dbt, client, backup_keybag, KEYBAG_DEVICE, backup, error), out); ok = true; out: + SecSignpostStop(SecSignpostRestoreKeychain); #if USE_KEYSTORE if (mkbhandle) CFRelease(mkbhandle); @@ -1003,6 +1065,12 @@ SecDbRef SecKeychainDbCreate(CFStringRef path, CFErrorRef* error) { return ok; }); + if (kc) { + SecDbSetCorruptionReset(kc, ^{ + SecDbResetMetadataKeys(); + }); + } + if(error) { *error = localerror; } 
@@ -1069,27 +1137,28 @@ static SecDbRef kc_dbhandle(CFErrorRef* error) void SecKeychainDbReset(dispatch_block_t inbetween) { dispatch_sync(get_kc_dbhandle_dispatch(), ^{ - CFStringRef dbPath = __SecKeychainCopyPath(); - if (dbPath == NULL) - abort(); - CFReleaseNull(_kc_dbhandle); + SecDbResetMetadataKeys(); if (inbetween) inbetween(); + }); +} - CFErrorRef error = NULL; - _kc_dbhandle = SecKeychainDbCreate(dbPath, &error); +static bool checkIsUnlocked() +{ + CFErrorRef aksError = NULL; + bool locked = true; - if(error) { - secerror("error resetting database: %@", error); - } + if(!SecAKSGetIsLocked(&locked, &aksError)) { + secerror("error querying lock state: %@", aksError); + CFReleaseNull(aksError); + } - CFRelease(dbPath); - }); + return !locked; } -static SecDbConnectionRef kc_acquire_dbt(bool writeAndRead, CFErrorRef *error) { +static bool kc_acquire_dbt(bool writeAndRead, SecDbConnectionRef* dbconn, CFErrorRef *error) { SecDbRef db = kc_dbhandle(error); if (db == NULL) { if(error && !(*error)) { 
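Review bot: checkIsUnlocked() only fails closed because `locked` starts as `true`, and nothing in the function says that this initial value matters. If SecAKSGetIsLocked() fails without writing `locked` (its implementation is not in this hunk), the function returns false and callers treat the keybag as locked; a comment above the declaration would protect that from a later cleanup: `// Fail closed: if the lock state cannot be queried, report locked.` The definition could also be spelled `static bool checkIsUnlocked(void)`, matching the `(void)` block prototypes this commit introduces in SecItemDb.h. kc_acquire_dbt, whose signature changes at the end of this hunk, continues in the next one, where its `return NULL;` should become `return false;` now that it returns bool.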
@@ -1097,33 +1166,65 @@ static SecDbConnectionRef kc_acquire_dbt(bool writeAndRead, CFErrorRef *error) { } return NULL; } - return SecDbConnectionAcquire(db, !writeAndRead, error); + + return SecDbConnectionAcquireRefMigrationSafe(db, !writeAndRead, dbconn, error); } /* Return a per thread dbt handle for the keychain. If create is true create the database if it does not yet exist. If it is false, just return an error if it fails to auto-create. */ -__thread SecDbConnectionRef dbt = NULL; bool kc_with_dbt(bool writeAndRead, CFErrorRef *error, bool (^perform)(SecDbConnectionRef dbt)) { + return kc_with_custom_db(writeAndRead, true, NULL, error, perform); +} + +bool kc_with_dbt_non_item_tables(bool writeAndRead, CFErrorRef* error, bool (^perform)(SecDbConnectionRef dbt)) +{ + return kc_with_custom_db(writeAndRead, false, NULL, error, perform); +} + +bool kc_with_custom_db(bool writeAndRead, bool usesItemTables, SecDbRef db, CFErrorRef *error, bool (^perform)(SecDbConnectionRef dbt)) +{ + if (db && db != kc_dbhandle(error)) { + __block bool result = false; + if (writeAndRead) { + return SecDbPerformWrite(db, error, ^(SecDbConnectionRef dbconn) { + result = perform(dbconn); + }); + } + else { + return SecDbPerformRead(db, error, ^(SecDbConnectionRef dbconn) { + result = perform(dbconn); + }); + } + return result; + } + if(dbt) { // The kc_with_dbt upthread will clean this up when it's done. 
return perform(dbt); } - // Make sure we initialize our engines before writing to the keychain - if (writeAndRead) + + if (writeAndRead && usesItemTables) { SecItemDataSourceFactoryGetDefault(); + } bool ok = false; - dbt = kc_acquire_dbt(writeAndRead, error); - if (dbt) { + if (kc_acquire_dbt(writeAndRead, &dbt, error)) { + isUnlocked = checkIsUnlocked(); ok = perform(dbt); SecDbConnectionRelease(dbt); dbt = NULL; + isUnlocked = false; } return ok; } +bool kc_is_unlocked() +{ + return isUnlocked || checkIsUnlocked(); +} + static bool items_matching_issuer_parent(SecDbConnectionRef dbt, CFArrayRef accessGroups, CFDataRef musrView, CFDataRef issuer, CFArrayRef issuers, int recurse) @@ -1429,7 +1530,9 @@ SecItemServerCopyMatching(CFDictionaryRef query, CFTypeRef *result, SecTaskDiagnoseEntitlements(accessGroups); return SecEntitlementError(errSecMissingEntitlement, error); } - + + SecSignpostStart(SecSignpostSecItemCopyMatching); + if (client->canAccessNetworkExtensionAccessGroups) { CFDataRef persistentRef = CFDictionaryGetValue(query, kSecValuePersistentRef); CFStringRef itemClass = NULL; @@ -1508,6 +1611,8 @@ SecItemServerCopyMatching(CFDictionaryRef query, CFTypeRef *result, } CFReleaseNull(mutableAccessGroups); + SecSignpostStop(SecSignpostSecItemCopyMatching); + return ok; } @@ -1552,6 +1657,8 @@ _SecItemAdd(CFDictionaryRef attributes, SecurityClient *client, CFTypeRef *resul return SecEntitlementError(errSecMissingEntitlement, error); } + SecSignpostStart(SecSignpostSecItemAdd); + Query *q = query_create_with_limit(attributes, client->musr, 0, error); if (q) { /* Access group sanity checking. */ @@ -1631,6 +1738,9 @@ _SecItemAdd(CFDictionaryRef attributes, SecurityClient *client, CFTypeRef *resul } else { ok = false; } + + SecSignpostStop(SecSignpostSecItemAdd); + return ok; } 
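Review bot: In the custom-database branch of kc_with_custom_db the value returned by `perform` is thrown away, because both arms return the result of SecDbPerformWrite/SecDbPerformRead directly and the trailing `return result;` is unreachable. A caller whose block returns false on that path is told the operation succeeded whenever the SecDb call itself succeeds. The branch should capture the SecDb result and return it combined with `result`, as sketched below. Separately, `isUnlocked` is sampled once when the connection is acquired, so kc_is_unlocked() can keep answering true for the rest of the perform block after the device locks; if that is intended it deserves a comment next to the assignment.

```c
    if (db && db != kc_dbhandle(error)) {
        __block bool result = false;
        bool performed;
        if (writeAndRead) {
            performed = SecDbPerformWrite(db, error, ^(SecDbConnectionRef dbconn) {
                result = perform(dbconn);
            });
        } else {
            performed = SecDbPerformRead(db, error, ^(SecDbConnectionRef dbconn) {
                result = perform(dbconn);
            });
        }
        /* Succeed only when the connection was obtained and the block succeeded. */
        return performed && result;
    }
    // … unchanged: thread-local dbt fast path and connection acquisition …
```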
@@ -1651,6 +1761,8 @@ _SecItemUpdate(CFDictionaryRef query, CFDictionaryRef attributesToUpdate, return SecEntitlementError(errSecMissingEntitlement, error); } + SecSignpostStart(SecSignpostSecItemUpdate); + if (SecPLShouldLogRegisteredEvent(CFSTR("SecItem"))) { CFTypeRef agrp = CFArrayGetValueAtIndex(accessGroups, 0); CFDictionaryRef dict = CFDictionaryCreateForCFTypes(NULL, CFSTR("operation"), CFSTR("update"), CFSTR("AccessGroup"), agrp, NULL); @@ -1727,6 +1839,9 @@ _SecItemUpdate(CFDictionaryRef query, CFDictionaryRef attributesToUpdate, if (q) { ok = query_notify_and_destroy(q, ok, error); } + + SecSignpostStop(SecSignpostSecItemUpdate); + return ok; } @@ -1746,6 +1861,8 @@ _SecItemDelete(CFDictionaryRef query, SecurityClient *client, CFErrorRef *error) return SecEntitlementError(errSecMissingEntitlement, error); } + SecSignpostStart(SecSignpostSecItemDelete); + if (SecPLShouldLogRegisteredEvent(CFSTR("SecItem"))) { CFTypeRef agrp = CFArrayGetValueAtIndex(accessGroups, 0); CFDictionaryRef dict = CFDictionaryCreateForCFTypes(NULL, CFSTR("operation"), CFSTR("delete"), CFSTR("AccessGroup"), agrp, NULL); @@ -1799,6 +1916,9 @@ _SecItemDelete(CFDictionaryRef query, SecurityClient *client, CFErrorRef *error) } else { ok = false; } + + SecSignpostStop(SecSignpostSecItemDelete); + return ok; } @@ -2713,7 +2833,7 @@ cleanup: // MARK: Keychain backup CF_RETURNS_RETAINED CFDataRef -_SecServerKeychainCreateBackup(SecurityClient *client, CFDataRef keybag, CFDataRef passcode, CFErrorRef *error) { +_SecServerKeychainCreateBackup(SecurityClient *client, CFDataRef keybag, CFDataRef passcode, bool emcs, CFErrorRef *error) { __block CFDataRef backup; kc_with_dbt(true, error, ^bool (SecDbConnectionRef dbt) { if (!dbt) 
@@ -2728,7 +2848,7 @@ _SecServerKeychainCreateBackup(SecurityClient *client, CFDataRef keybag, CFDataR backup = NULL; #endif /* USE_KEYSTORE */ } else { - backup = SecServerKeychainCreateBackup(dbt, client, keybag, passcode, error); + backup = SecServerKeychainCreateBackup(dbt, client, keybag, passcode, emcs, error); } return (backup != NULL); }); @@ -3559,7 +3679,6 @@ _SecServerTransmogrifyToSystemKeychain(SecurityClient *client, CFErrorRef *error out: SecErrorPropagate(localError, error); - CFReleaseSafe(localError); }); if (q) diff --git a/OSX/sec/securityd/SecItemServer.h b/OSX/sec/securityd/SecItemServer.h index a4196ce0..f3e147b6 100644 --- a/OSX/sec/securityd/SecItemServer.h +++ b/OSX/sec/securityd/SecItemServer.h @@ -49,7 +49,7 @@ bool _SecItemServerDeleteAllWithAccessGroups(CFArrayRef accessGroups, SecurityCl bool _SecServerRestoreKeychain(CFErrorRef *error); bool _SecServerMigrateKeychain(int32_t handle_in, CFDataRef data_in, int32_t *handle_out, CFDataRef *data_out, CFErrorRef *error); -CFDataRef _SecServerKeychainCreateBackup(SecurityClient *client, CFDataRef keybag, CFDataRef passcode, CFErrorRef *error); +CFDataRef _SecServerKeychainCreateBackup(SecurityClient *client, CFDataRef keybag, CFDataRef passcode, bool emcs, CFErrorRef *error); bool _SecServerKeychainRestore(CFDataRef backup, SecurityClient *client, CFDataRef keybag, CFDataRef passcode, CFErrorRef *error); CFStringRef _SecServerBackupCopyUUID(CFDataRef backup, CFErrorRef *error); 
@@ -84,6 +84,9 @@ SecDbRef SecKeychainDbCreate(CFStringRef path, CFErrorRef* error); SecDbRef SecKeychainDbInitialize(SecDbRef db); bool kc_with_dbt(bool writeAndRead, CFErrorRef *error, bool (^perform)(SecDbConnectionRef dbt)); +bool kc_with_dbt_non_item_tables(bool writeAndRead, CFErrorRef* error, bool (^perform)(SecDbConnectionRef dbt)); // can be used when only tables which don't store 'items' are accessed - avoids invoking SecItemDataSourceFactoryGetDefault() +bool kc_with_custom_db(bool writeAndRead, bool usesItemTables, SecDbRef db, CFErrorRef *error, bool (^perform)(SecDbConnectionRef dbt)); +bool kc_is_unlocked(void); /* For whitebox testing only */ @@ -125,6 +128,8 @@ bool _SecServerGetKeyStats(const SecDbClass *qclass, struct _SecServerKeyStats * CF_RETURNS_RETAINED CFArrayRef _SecItemCopyParentCertificates(CFDataRef normalizedIssuer, CFArrayRef accessGroups, CFErrorRef *error); bool _SecItemCertificateExists(CFDataRef normalizedIssuer, CFDataRef serialNumber, CFArrayRef accessGroups, CFErrorRef *error); +bool SecKeychainDbGetVersion(SecDbConnectionRef dbt, int *version, CFErrorRef *error); + // Should all be blocks called from SecItemDb bool match_item(SecDbConnectionRef dbt, Query *q, CFArrayRef accessGroups, CFDictionaryRef item); diff --git a/OSX/sec/securityd/SecKeybagSupport.c b/OSX/sec/securityd/SecKeybagSupport.c index d20ea19f..ed026e45 100644 --- a/OSX/sec/securityd/SecKeybagSupport.c +++ b/OSX/sec/securityd/SecKeybagSupport.c @@ -181,7 +181,7 @@ bool ks_crypt(CFTypeRef operation, keybag_handle_t keybag, } #if USE_KEYSTORE -static bool ks_access_control_needed_error(CFErrorRef *error, CFDataRef access_control_data, CFTypeRef operation) { +bool ks_access_control_needed_error(CFErrorRef *error, CFDataRef access_control_data, CFTypeRef operation) { if (error == NULL) return false; 
@@ -268,7 +268,7 @@ bool ks_separate_data_and_key(CFDictionaryRef blob_dict, CFDataRef *ed_data, CFD return ok; } -static bool create_cferror_from_aks(int aks_return, CFTypeRef operation, keybag_handle_t keybag, keyclass_t keyclass, CFDataRef access_control_data, CFDataRef acm_context_data, CFErrorRef *error) +bool create_cferror_from_aks(int aks_return, CFTypeRef operation, keybag_handle_t keybag, keyclass_t keyclass, CFDataRef access_control_data, CFDataRef acm_context_data, CFErrorRef *error) { const char *operation_string = ""; if (CFEqual(operation, kAKSKeyOpDecrypt)) { diff --git a/OSX/sec/securityd/SecKeybagSupport.h b/OSX/sec/securityd/SecKeybagSupport.h index 565952c0..6f48990d 100644 --- a/OSX/sec/securityd/SecKeybagSupport.h +++ b/OSX/sec/securityd/SecKeybagSupport.h @@ -83,6 +83,9 @@ bool ks_delete_acl(aks_ref_key_t ref_key, CFDataRef encrypted_data, const void* ks_ref_key_get_external_data(keybag_handle_t keybag, CFDataRef key_data, aks_ref_key_t *ref_key, size_t *external_data_len, CFErrorRef *error); bool ks_separate_data_and_key(CFDictionaryRef blob_dict, CFDataRef *ed_data, CFDataRef *key_data); + +bool ks_access_control_needed_error(CFErrorRef *error, CFDataRef access_control_data, CFTypeRef operation); +bool create_cferror_from_aks(int aks_return, CFTypeRef operation, keybag_handle_t keybag, keyclass_t keyclass, CFDataRef access_control_data, CFDataRef acm_context_data, CFErrorRef *error); #endif bool ks_open_keybag(CFDataRef keybag, CFDataRef password, keybag_handle_t *handle, CFErrorRef *error); bool ks_close_keybag(keybag_handle_t keybag, CFErrorRef *error); diff --git a/OSX/sec/securityd/SecOCSPCache.c b/OSX/sec/securityd/SecOCSPCache.c index 7e109eaf..1aaf7abf 100644 --- a/OSX/sec/securityd/SecOCSPCache.c +++ b/OSX/sec/securityd/SecOCSPCache.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009-2010,2012-2015 Apple Inc. All Rights Reserved. + * Copyright (c) 2009-2010,2012-2017 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * 
@@ -28,6 +28,7 @@ #include #include #include +#include #include #include #include @@ -37,6 +38,7 @@ #include #include #include +#include "utilities/SecCFWrappers.h" #include "utilities/SecDb.h" #include "utilities/SecFileLocations.h" #include "utilities/iOSforOSX.h" @@ -44,6 +46,7 @@ /* Note that lastUsed is actually time of insert because we don't refresh lastUsed on each SELECT. */ +#define flushSQL CFSTR("DELETE FROM responses") #define expireSQL CFSTR("DELETE FROM responses WHERE expires= 0) { - ok = SecDbWithSQL(dbconn, deleteResponseSQL, &localError, ^bool(sqlite3_stmt *deleteResponse) { - ok = SecDbBindInt64(deleteResponse, 1, responseId, &localError); + ok &= SecDbWithSQL(dbconn, deleteResponseSQL, &localError, ^bool(sqlite3_stmt *deleteResponse) { + ok &= SecDbBindInt64(deleteResponse, 1, responseId, &localError); /* Execute the delete statement. */ - if (ok) - ok = SecDbStep(dbconn, deleteResponse, &localError, NULL); + ok &= SecDbStep(dbconn, deleteResponse, &localError, NULL); return ok; }); } - if (ok) ok = SecDbWithSQL(dbconn, insertResponseSQL, &localError, ^bool(sqlite3_stmt *insertResponse) { - if (ok) - ok = SecDbBindBlob(insertResponse, 1, - CFDataGetBytePtr(responseData), - CFDataGetLength(responseData), - SQLITE_TRANSIENT, &localError); + ok &= SecDbWithSQL(dbconn, insertResponseSQL, &localError, ^bool(sqlite3_stmt *insertResponse) { + ok &= SecDbBindBlob(insertResponse, 1, + CFDataGetBytePtr(responseData), + CFDataGetLength(responseData), + SQLITE_TRANSIENT, &localError); /* responses.responderURI */ if (ok) { 
@@ -231,72 +240,73 @@ static void _SecOCSPCacheReplaceResponse(SecOCSPCacheRef this, } } /* responses.expires */ - if (ok) - ok = SecDbBindDouble(insertResponse, 3, - SecOCSPResponseGetExpirationTime(ocspResponse), - &localError); + ok &= SecDbBindDouble(insertResponse, 3, + SecOCSPResponseGetExpirationTime(ocspResponse), + &localError); /* responses.lastUsed */ - if (ok) - ok = SecDbBindDouble(insertResponse, 4, - verifyTime, - &localError); + ok &= SecDbBindDouble(insertResponse, 4, + verifyTime, + &localError); /* Execute the insert statement. */ - if (ok) - ok = SecDbStep(dbconn, insertResponse, &localError, NULL); + ok &= SecDbStep(dbconn, insertResponse, &localError, NULL); responseId = sqlite3_last_insert_rowid(SecDbHandle(dbconn)); return ok; }); /* Now add a link record for every singleResponse in the ocspResponse. */ - if (ok) ok = SecDbWithSQL(dbconn, insertLinkSQL, &localError, ^bool(sqlite3_stmt *insertLink) { + ok &= SecDbWithSQL(dbconn, insertLinkSQL, &localError, ^bool(sqlite3_stmt *insertLink) { SecAsn1OCSPSingleResponse **responses; for (responses = ocspResponse->responseData.responses; *responses; ++responses) { SecAsn1OCSPSingleResponse *resp = *responses; SecAsn1OCSPCertID *certId = &resp->certID; - if (ok) ok = SecDbBindBlob(insertLink, 1, - certId->algId.algorithm.Data, - certId->algId.algorithm.Length, - SQLITE_TRANSIENT, &localError); - if (ok) ok = SecDbBindBlob(insertLink, 2, - certId->issuerNameHash.Data, - certId->issuerNameHash.Length, - SQLITE_TRANSIENT, &localError); - if (ok) ok = SecDbBindBlob(insertLink, 3, - certId->issuerPubKeyHash.Data, - certId->issuerPubKeyHash.Length, - SQLITE_TRANSIENT, &localError); - if (ok) ok = SecDbBindBlob(insertLink, 4, - certId->serialNumber.Data, - certId->serialNumber.Length, - SQLITE_TRANSIENT, &localError); - if (ok) ok = SecDbBindInt64(insertLink, 5, responseId, &localError); + ok &= SecDbBindBlob(insertLink, 1, + certId->algId.algorithm.Data, + certId->algId.algorithm.Length, + 
SQLITE_TRANSIENT, &localError); + ok &= SecDbBindBlob(insertLink, 2, + certId->issuerNameHash.Data, + certId->issuerNameHash.Length, + SQLITE_TRANSIENT, &localError); + ok &= SecDbBindBlob(insertLink, 3, + certId->issuerPubKeyHash.Data, + certId->issuerPubKeyHash.Length, + SQLITE_TRANSIENT, &localError); + ok &= SecDbBindBlob(insertLink, 4, + certId->serialNumber.Data, + certId->serialNumber.Length, + SQLITE_TRANSIENT, &localError); + ok &= SecDbBindInt64(insertLink, 5, responseId, &localError); /* Execute the insert statement. */ - if (ok) ok = SecDbStep(dbconn, insertLink, &localError, NULL); - if (ok) ok = SecDbReset(insertLink, &localError); + ok &= SecDbStep(dbconn, insertLink, &localError, NULL); + ok &= SecDbReset(insertLink, &localError); } return ok; }); // Remove expired entries here. // TODO: Consider only doing this once per 24 hours or something. - if (ok) ok = _SecOCSPCacheExpireWithTransaction(dbconn, verifyTime, &localError); + ok &= _SecOCSPCacheExpireWithTransaction(dbconn, verifyTime, &localError); if (!ok) *commit = false; }); }); if (!ok) { secerror("_SecOCSPCacheAddResponse failed: %@", localError); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TAOCSPCache, TAOperationWrite, TAFatalError, + localError ? CFErrorGetCode(localError) : errSecInternalComponent); CFReleaseNull(localError); } else { // force a vacuum when we modify the database ok &= SecDbPerformWrite(this->db, &localError, ^(SecDbConnectionRef dbconn) { - ok = SecDbExec(dbconn, CFSTR("VACUUM"), &localError); + ok &= SecDbExec(dbconn, CFSTR("VACUUM"), &localError); if (!ok) { secerror("_SecOCSPCacheAddResponse VACUUM failed: %@", localError); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TAOCSPCache, TAOperationWrite, TAFatalError, + localError ? CFErrorGetCode(localError) : errSecInternalComponent); } }); } 
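Review bot: Replacing `if (ok) ok = …` with `ok &= …` in _SecOCSPCacheReplaceResponse removes the short-circuit, so after a failed bind `SecDbStep(dbconn, insertResponse, …)` and every later bind and step still execute, and `responseId` is taken from `sqlite3_last_insert_rowid` regardless. The transaction is not committed when `ok` is false, so the cache contents should stay consistent, but each later call receives a `localError` that may already be set, and whether the SecDb helpers keep the first error or replace it is not visible here. Guarding the statements that execute SQL keeps the first failure and avoids running a partially bound statement: `if (ok) ok = SecDbStep(dbconn, insertResponse, &localError, NULL);`. The lookup in _SecOCSPCacheCopyMatching in the next hunk has the same change in front of its `SecDbStep`.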
@@ -338,16 +348,16 @@ static SecOCSPResponseRef _SecOCSPCacheCopyMatching(SecOCSPCacheRef this, if (issuerNameHash && issuerPubKeyHash && ok) ok &= SecDbWithSQL(dbconn, selectResponseSQL, &localError, ^bool(sqlite3_stmt *selectResponse) { /* Now we have the serial, algorithm, issuerNameHash and issuerPubKeyHash so let's lookup the db entry. */ - if (ok) ok = SecDbBindDouble(selectResponse, 1, minInsertTime, &localError); - if (ok) ok = SecDbBindBlob(selectResponse, 2, CFDataGetBytePtr(issuerNameHash), - CFDataGetLength(issuerNameHash), SQLITE_TRANSIENT, &localError); - if (ok) ok = SecDbBindBlob(selectResponse, 3, CFDataGetBytePtr(issuerPubKeyHash), - CFDataGetLength(issuerPubKeyHash), SQLITE_TRANSIENT, &localError); - if (ok) ok = SecDbBindBlob(selectResponse, 4, CFDataGetBytePtr(serial), - CFDataGetLength(serial), SQLITE_TRANSIENT, &localError); - if (ok) ok = SecDbBindBlob(selectResponse, 5, algorithm.Data, - algorithm.Length, SQLITE_TRANSIENT, &localError); - if (ok) ok &= SecDbStep(dbconn, selectResponse, &localError, ^(bool *stopResponse) { + ok &= SecDbBindDouble(selectResponse, 1, minInsertTime, &localError); + ok &= SecDbBindBlob(selectResponse, 2, CFDataGetBytePtr(issuerNameHash), + CFDataGetLength(issuerNameHash), SQLITE_TRANSIENT, &localError); + ok &= SecDbBindBlob(selectResponse, 3, CFDataGetBytePtr(issuerPubKeyHash), + CFDataGetLength(issuerPubKeyHash), SQLITE_TRANSIENT, &localError); + ok &= SecDbBindBlob(selectResponse, 4, CFDataGetBytePtr(serial), + CFDataGetLength(serial), SQLITE_TRANSIENT, &localError); + ok &= SecDbBindBlob(selectResponse, 5, algorithm.Data, + algorithm.Length, SQLITE_TRANSIENT, &localError); + ok &= SecDbStep(dbconn, selectResponse, &localError, ^(bool *stopResponse) { /* Found an entry! */ secdebug("ocspcache", "found cached response"); CFDataRef resp = CFDataCreate(kCFAllocatorDefault, 
@@ -383,12 +393,14 @@ errOut: CFReleaseSafe(serial); CFReleaseSafe(issuer); - if (!ok) { + if (!ok || localError) { secerror("ocsp cache lookup failed: %@", localError); if (response) { SecOCSPResponseFinalize(response); response = NULL; } + TrustdHealthAnalyticsLogErrorCodeForDatabase(TAOCSPCache, TAOperationRead, TAFatalError, + localError ? CFErrorGetCode(localError) : errSecInternalComponent); } CFReleaseSafe(localError); @@ -397,6 +409,22 @@ errOut: return response; } +static bool _SecOCSPCacheFlush(SecOCSPCacheRef cache, CFErrorRef *error) { + __block CFErrorRef localError = NULL; + __block bool ok = true; + + ok &= SecDbPerformWrite(cache->db, &localError, ^(SecDbConnectionRef dbconn) { + ok &= SecDbExec(dbconn, flushSQL, &localError); + }); + if (!ok || localError) { + TrustdHealthAnalyticsLogErrorCodeForDatabase(TAOCSPCache, TAOperationWrite, TAFatalError, + localError ? CFErrorGetCode(localError) : errSecInternalComponent); + } + (void) CFErrorPropagate(localError, error); + + return ok; +} + /* Public API */ @@ -424,3 +452,11 @@ SecOCSPResponseRef SecOCSPCacheCopyMatchingWithMinInsertTime(SecOCSPRequestRef r }); return response; } + +bool SecOCSPCacheFlush(CFErrorRef *error) { + __block bool result = false; + SecOCSPCacheWith(^(SecOCSPCacheRef cache) { + result = _SecOCSPCacheFlush(cache, error); + }); + return result; +} diff --git a/OSX/sec/securityd/SecOCSPCache.h b/OSX/sec/securityd/SecOCSPCache.h index f0011134..0069a502 100644 --- a/OSX/sec/securityd/SecOCSPCache.h +++ b/OSX/sec/securityd/SecOCSPCache.h 
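Review bot: In `_SecOCSPCacheFlush`, `ok &= SecDbPerformWrite(…)` reads `ok` on the left while the block passed to that same call also writes `ok`, and C does not fix whether the read happens before or after the call. If the read comes first and SecDbPerformWrite returns true although `SecDbExec` failed inside the block (its return contract is not visible here), the final store puts `ok` back to true and the function returns success with `*error` set. Storing the call's result in a local and folding it in afterwards, `ok &= performed;`, removes the ambiguity. The VACUUM block in `_SecOCSPCacheReplaceResponse` uses the same shape.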
@@ -1,15 +1,15 @@ /* - * Copyright (c) 2009-2010,2012-2014 Apple Inc. All Rights Reserved. + * Copyright (c) 2009-2010,2012-2017 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ - * + * * This file contains Original Code and/or Modifications of Original Code * as defined in and that are subject to the Apple Public Source License * Version 2.0 (the 'License'). You may not use this file except in * compliance with the License. Please obtain a copy of the License at * http://www.opensource.apple.com/apsl/ and read it before using this * file. - * + * * The Original Code and all software distributed under the License are * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, @@ -17,7 +17,7 @@ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. * Please see the License for the specific language governing rights and * limitations under the License. - * + * * @APPLE_LICENSE_HEADER_END@ * */ @@ -47,6 +47,8 @@ SecOCSPResponseRef SecOCSPCacheCopyMatching(SecOCSPRequestRef request, SecOCSPResponseRef SecOCSPCacheCopyMatchingWithMinInsertTime(SecOCSPRequestRef request, CFURLRef localResponderURI, CFAbsoluteTime minInsertTime); +bool SecOCSPCacheFlush(CFErrorRef *error); + __END_DECLS #endif /* _SECURITY_SECOCSPCACHE_H_ */ diff --git a/OSX/sec/securityd/SecOCSPResponse.c b/OSX/sec/securityd/SecOCSPResponse.c index 784c65df..ba5634d9 100644 --- a/OSX/sec/securityd/SecOCSPResponse.c +++ b/OSX/sec/securityd/SecOCSPResponse.c @@ -217,7 +217,6 @@ bool SecOCSPResponseCalculateValidity(SecOCSPResponseRef this, { bool ok = false; this->latestNextUpdate = NULL_TIME; - CFStringRef hexResp = CFDataCopyHexString(this->data); if (this->producedAt > verifyTime + LEEWAY) { secnotice("ocsp", "OCSPResponse: producedAt more than 1:15 from now"); 
@@ -310,8 +309,12 @@ bool SecOCSPResponseCalculateValidity(SecOCSPResponseRef this, } else { /* maxAge http header attempting to make us cache the response longer than it's valid for, bad http header! Ignoring you. */ +#ifdef DEBUG + CFStringRef hexResp = CFDataCopyHexString(this->data); ocspdDebug("OCSPResponse: now + maxAge > latestNextUpdate," " using latestNextUpdate %@", hexResp); + CFReleaseSafe(hexResp); +#endif this->expireTime = this->latestNextUpdate; } } else { @@ -321,12 +324,10 @@ bool SecOCSPResponseCalculateValidity(SecOCSPResponseRef this, ok = true; exit: - CFReleaseSafe(hexResp); return ok; } SecOCSPResponseRef SecOCSPResponseCreateWithID(CFDataRef ocspResponse, int64_t responseID) { - CFStringRef hexResp = CFDataCopyHexString(ocspResponse); SecAsn1OCSPResponse topResp = {}; SecOCSPResponseRef this; @@ -353,8 +354,12 @@ SecOCSPResponseRef SecOCSPResponseCreateWithID(CFDataRef ocspResponse, int64_t r } this->responseStatus = topResp.responseStatus.Data[0]; if (this->responseStatus != kSecOCSPSuccess) { - secdebug("ocsp", "OCSPResponse: status: %d %@", this->responseStatus, hexResp); - /* not a failure of our constructor; this object is now useful, but +#ifdef DEBUG + CFStringRef hexResp = CFDataCopyHexString(this->data); + secdebug("ocsp", "OCSPResponse: status: %d %@", this->responseStatus, hexResp); + CFReleaseNull(hexResp); +#endif + /* not a failure of our constructor; this object is now useful, but * only for this one byte of status info */ goto fini; } @@ -420,11 +425,15 @@ SecOCSPResponseRef SecOCSPResponseCreateWithID(CFDataRef ocspResponse, int64_t r } fini: - CFReleaseSafe(hexResp); return this; errOut: - secdebug("ocsp", "bad ocsp response: %@", hexResp); - CFReleaseSafe(hexResp); +#ifdef DEBUG + { + CFStringRef hexResp = CFDataCopyHexString(this->data); + secdebug("ocsp", "bad ocsp response: %@", hexResp); + CFReleaseSafe(hexResp); + } +#endif if (this) { SecOCSPResponseFinalize(this); } 
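Review bot: At `errOut:` in SecOCSPResponseCreateWithID the new DEBUG block reads `this->data`, but the next statement tests `if (this)`, so `this` can presumably be NULL on this path and a DEBUG build would dereference it. The removed code hexed the `ocspResponse` argument, which is valid on every path; `CFStringRef hexResp = CFDataCopyHexString(ocspResponse);` keeps the log without touching `this`. The same substitution is the safer choice in the status-logging hunk above, since whether `this->data` is already populated there is not visible. The function starts and ends outside these hunks.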
diff --git a/OSX/sec/securityd/SecOCSPResponse.h b/OSX/sec/securityd/SecOCSPResponse.h index ae19dc71..63585a6a 100644 --- a/OSX/sec/securityd/SecOCSPResponse.h +++ b/OSX/sec/securityd/SecOCSPResponse.h @@ -36,7 +36,6 @@ #include #include #include -#include __BEGIN_DECLS @@ -154,7 +153,7 @@ CFArrayRef SecOCSPSingleResponseCopySCTs(SecOCSPSingleResponseRef this); void SecOCSPSingleResponseDestroy(SecOCSPSingleResponseRef this); -/* Returns the SecCertificatePathRef who's leaf signed this ocspResponse if +/* Returns the SecCertificateRef whose leaf signed this ocspResponse if we can find one and NULL if we can't find a valid signer. The issuerPath contains the cert chain from the anchor to the certificate that issued the leaf certificate for which this ocspResponse is supposed to be valid. */ diff --git a/OSX/sec/securityd/SecOTRRemote.m b/OSX/sec/securityd/SecOTRRemote.m index 683ec8a6..c41d1d8c 100644 --- a/OSX/sec/securityd/SecOTRRemote.m +++ b/OSX/sec/securityd/SecOTRRemote.m @@ -147,6 +147,7 @@ bool _SecOTRSessionProcessPacketRemote(CFDataRef sessionData, CFDataRef inputPac *outputPacket = negotiationResponse; *readyForMessages = SecOTRSGetIsReadyForMessages(session); + CFReleaseNull(session); return true; } diff --git a/OSX/sec/securityd/SecPinningDb.h b/OSX/sec/securityd/SecPinningDb.h index 42b1ddcd..e8e198fc 100644 --- a/OSX/sec/securityd/SecPinningDb.h +++ b/OSX/sec/securityd/SecPinningDb.h @@ -45,6 +45,13 @@ extern const CFStringRef kSecPinningDbKeyRules; CFDictionaryRef _Nullable SecPinningDbCopyMatching(CFDictionaryRef _Nonnull query); void SecPinningDbInitialize(void); +#if !TARGET_OS_BRIDGE +/* Updating the pinning DB isn't supported on BridgeOS because we treat the disk as read-only. */ +bool SecPinningDbUpdateFromURL(CFURLRef url); +#endif + +CFNumberRef SecPinningDbCopyContentVersion(void); + CF_IMPLICIT_BRIDGING_DISABLED CF_ASSUME_NONNULL_END 
diff --git a/OSX/sec/securityd/SecPinningDb.m b/OSX/sec/securityd/SecPinningDb.m index 0a498a7a..425adcdc 100644 --- a/OSX/sec/securityd/SecPinningDb.m +++ b/OSX/sec/securityd/SecPinningDb.m @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * Copyright (c) 2016-2018 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -38,12 +38,14 @@ #if TARGET_OS_OSX #import +#include #endif #import #import #import +#import #include "utilities/debugging.h" #include "utilities/sqlutils.h" @@ -69,15 +71,6 @@ const CFStringRef kSecPinningDbKeyHostname = CFSTR("PinningHostname"); const CFStringRef kSecPinningDbKeyPolicyName = CFSTR("PinningPolicyName"); const CFStringRef kSecPinningDbKeyRules = CFSTR("PinningRules"); -#if !TARGET_OS_BRIDGE -const NSString *PinningDbMobileAssetType = @"com.apple.MobileAsset.CertificatePinning"; -#define kSecPinningDbMobileAssetNotification "com.apple.MobileAsset.CertificatePinning.cached-metadata-updated" -#endif - -#if TARGET_OS_OSX -const NSUInteger PinningDbMobileAssetCompatibilityVersion = 1; -#endif - @interface SecPinningDb : NSObject @property (assign) SecDbRef db; @property dispatch_queue_t queue; @@ -87,20 +80,6 @@ const NSUInteger PinningDbMobileAssetCompatibilityVersion = 1; - ( NSDictionary * _Nullable ) queryForPolicyName:(NSString *)policyName; @end -static bool isDbOwner() { -#ifdef NO_SERVER - // Test app running as securityd -#elif TARGET_OS_IPHONE - if (getuid() == 64) // _securityd -#else - if (getuid() == 0) -#endif - { - return true; - } - return false; -} - static inline bool isNSNumber(id nsType) { return nsType && [nsType isKindOfClass:[NSNumber class]]; } 
@@ -326,16 +305,8 @@ static inline bool isNSDictionary(id nsType) { secerror("SecPinningDb: missing url for downloaded asset"); return NO; } - NSURL* basePath = nil, *fileLoc = nil; - if (![localURL scheme]) { - /* MobileAsset provides the URL without the scheme. Fix it up. */ - NSString *pathWithScheme = [[NSString alloc] initWithFormat:@"%@",localURL]; - basePath = [NSURL fileURLWithPath:pathWithScheme isDirectory:YES]; - } else { - basePath = localURL; - } - fileLoc = [NSURL URLWithString:@"CertificatePinning.plist" - relativeToURL:basePath]; + NSURL *fileLoc = [NSURL URLWithString:@"CertificatePinning.plist" + relativeToURL:localURL]; __block NSArray *pinningList = [NSArray arrayWithContentsOfURL:fileLoc]; if (!pinningList) { secerror("SecPinningDb: unable to create pinning list from asset file: %@", fileLoc); 
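Review bot: `fileLoc` is now resolved against `localURL` exactly as given, and nothing in this method confirms that the pinning list is read from a local file. The commit also adds `SecPinningDbUpdateFromURL`, which passes this method whatever CFURLRef its caller supplies, and `arrayWithContentsOfURL:` loads from whichever scheme the URL carries. A guard ahead of the `fileLoc` line, `if (![localURL isFileURL]) { secerror("SecPinningDb: asset URL is not a file URL"); return NO; }`, keeps the update source local. It also makes the scheme-less URL that the removed fix-up used to handle fail explicitly instead of at plist parsing. The method starts outside this hunk.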
@@ -351,271 +322,50 @@ static inline bool isNSDictionary(id nsType) { /* Update Content */ __block CFErrorRef error = NULL; __block BOOL ok = YES; - ok &= SecDbPerformWrite(_db, &error, ^(SecDbConnectionRef dbconn) { - ok &= [self updateDb:dbconn error:&error pinningList:pinningList updateSchema:NO updateContent:YES]; + dispatch_sync(self->_queue, ^{ + ok &= SecDbPerformWrite(self->_db, &error, ^(SecDbConnectionRef dbconn) { + ok &= [self updateDb:dbconn error:&error pinningList:pinningList updateSchema:NO updateContent:YES]; + }); }); - if (error) { + if (!ok || error) { secerror("SecPinningDb: error installing updated pinning list version %@: %@", [pinningList objectAtIndex:0], error); + [[TrustdHealthAnalytics logger] logHardError:(__bridge NSError *)error + withEventName:TrustdHealthAnalyticsEventDatabaseEvent + withAttributes:@{TrustdHealthAnalyticsAttributeAffectedDatabase : @(TAPinningDb), + TrustdHealthAnalyticsAttributeDatabaseOperation : @(TAOperationWrite) }]; CFReleaseNull(error); } return ok; } - -#if TARGET_OS_OSX -const CFStringRef kSecSUPrefDomain = CFSTR("com.apple.SoftwareUpdate"); -const CFStringRef kSecSUScanPrefConfigDataInstallKey = CFSTR("ConfigDataInstall"); -#endif - -static BOOL PinningDbCanCheckMobileAsset(void) { - BOOL result = YES; -#if TARGET_OS_OSX - /* Check the user's SU preferences to determine if "Install system data files" is off */ - if (!CFPreferencesSynchronize(kSecSUPrefDomain, kCFPreferencesAnyUser, kCFPreferencesCurrentHost)) { - secerror("SecPinningDb: unable to synchronize SoftwareUpdate prefs"); - return NO; - } - - id value = nil; - if (CFPreferencesAppValueIsForced(kSecSUScanPrefConfigDataInstallKey, kSecSUPrefDomain)) { - value = CFBridgingRelease(CFPreferencesCopyAppValue(kSecSUScanPrefConfigDataInstallKey, kSecSUPrefDomain)); - } else { - value = CFBridgingRelease(CFPreferencesCopyValue(kSecSUScanPrefConfigDataInstallKey, kSecSUPrefDomain, - kCFPreferencesAnyUser, kCFPreferencesCurrentHost)); - } - if 
(isNSNumber(value)) { - result = [value boolValue]; - } - - if (!result) { secnotice("pinningDb", "User has disabled system data installation."); } - - /* MobileAsset.framework isn't mastered into the BaseSystem. Check that the MA classes are linked. */ - if (![ASAssetQuery class] || ![ASAsset class] || ![MAAssetQuery class] || ![MAAsset class]) { - secnotice("PinningDb", "Weak linked MobileAsset framework missing."); - result = NO; - } -#endif - return result; -} - -#if TARGET_OS_IPHONE -- (void) downloadPinningAsset:(BOOL __unused)isLocalOnly { - if (!PinningDbCanCheckMobileAsset()) { - secnotice("pinningDb", "MobileAsset disabled, skipping check."); - return; - } - - secnotice("pinningDb", "begin MobileAsset query for catalog"); - [MAAsset startCatalogDownload:(NSString *)PinningDbMobileAssetType then:^(MADownLoadResult result) { - if (result != MADownloadSucceesful) { - secerror("SecPinningDb: failed to download catalog: %ld", (long)result); - return; - } - MAAssetQuery *query = [[MAAssetQuery alloc] initWithType:(NSString *)PinningDbMobileAssetType]; - [query augmentResultsWithState:true]; - - secnotice("pinningDb", "begin MobileAsset metadata sync request"); - MAQueryResult queryResult = [query queryMetaDataSync]; - if (queryResult != MAQuerySucceesful) { - secerror("SecPinningDb: failed to query MobileAsset metadata: %ld", (long)queryResult); - return; - } - - if (!query.results) { - secerror("SecPinningDb: no results in MobileAsset query"); - return; - } - - for (MAAsset *asset in query.results) { - NSNumber *asset_version = [asset assetProperty:@"_ContentVersion"]; - if (![self shouldUpdateContent:asset_version]) { - secdebug("pinningDb", "skipping asset because we already have _ContentVersion %@", asset_version); - continue; - } - switch(asset.state) { - default: - secerror("SecPinningDb: unknown asset state %ld", (long)asset.state); - continue; - case MAInstalled: - /* The asset is already in the cache, get it from disk. 
*/ - secdebug("pinningDb", "CertificatePinning asset already installed"); - if([self installDbFromURL:[asset getLocalUrl]]) { - secnotice("pinningDb", "finished db update from installed asset. purging asset."); - [asset purge:^(MAPurgeResult purge_result) { - if (purge_result != MAPurgeSucceeded) { - secerror("SecPinningDb: purge failed: %ld", (long)purge_result); - } - }]; - } - break; - case MAUnknown: - secerror("SecPinningDb: pinning asset is unknown"); - continue; - case MADownloading: - secnotice("pinningDb", "pinning asset is downloading"); - /* fall through */ - case MANotPresent: - secnotice("pinningDb", "begin download of CertificatePinning asset"); - [asset startDownload:^(MADownLoadResult downloadResult) { - if (downloadResult != MADownloadSucceesful) { - secerror("SecPinningDb: failed to download pinning asset: %ld", (long)downloadResult); - return; - } - if([self installDbFromURL:[asset getLocalUrl]]) { - secnotice("pinningDb", "finished db update from installed asset. purging asset."); - [asset purge:^(MAPurgeResult purge_result) { - if (purge_result != MAPurgeSucceeded) { - secerror("SecPinningDb: purge failed: %ld", (long)purge_result); - } - }]; - } - }]; - break; - } - } - }]; -} -#else /* !TARGET_OS_IPHONE */ -/* MobileAssetV2 fails on macOS, so use V1 */ -- (void) downloadPinningAsset:(BOOL)isLocalOnly { - if (!PinningDbCanCheckMobileAsset()) { - secnotice("pinningDb", "MobileAsset disabled, skipping check."); - return; - } - - ASAssetQuery *query = [[ASAssetQuery alloc] initWithAssetType:(NSString *)PinningDbMobileAssetType]; - [query setQueriesLocalAssetInformationOnly:isLocalOnly]; // Omitting this leads to a notifcation loop. 
- NSError *error = nil; - NSArray*query_results = [query runQueryAndReturnError:&error]; - if (!query_results) { - secerror("SecPinningDb: asset query failed: %@", error); - return; - } - - for (ASAsset *asset in query_results) { - NSDictionary *attributes = [asset attributes]; - - NSNumber *compatibilityVersion = [attributes objectForKey:ASAttributeCompatibilityVersion]; - if (!isNSNumber(compatibilityVersion) || - [compatibilityVersion unsignedIntegerValue] != PinningDbMobileAssetCompatibilityVersion) { - secnotice("pinningDb", "Skipping asset with compatibility version %@", compatibilityVersion); - continue; - } - - NSNumber *contentVersion = [attributes objectForKey:ASAttributeContentVersion]; - if (!isNSNumber(contentVersion) || ![self shouldUpdateContent:contentVersion]) { - secnotice("pinningDb", "Skipping asset with content version %@", contentVersion); - continue; - } - - ASProgressHandler pinningHandler = ^(NSDictionary *state, NSError *progressError){ - if (progressError) { - secerror("SecPinningDb: asset download error: %@", progressError); - return; - } - - if (!state) { - secerror("SecPinningDb: no asset state in progress handler"); - return; - } - - NSString *operationState = [state objectForKey:ASStateOperation]; - secdebug("pinningDb", "Asset state is %@", operationState); - - if (operationState && [operationState isEqualToString:ASOperationCompleted]) { - if ([self installDbFromURL:[asset localURL]]) { - secnotice("pinningDb", "finished db update from installed asset. 
purging asset."); - [asset purge:^(NSError *error) { - if (error) { - secerror("SecPinningDb: purge failed %@", error); - } - }]; - } - } - }; - - switch ([asset state]) { - case ASAssetStateNotPresent: - secdebug("pinningDb", "CertificatePinning asset needs to be downloaded"); - asset.progressHandler= pinningHandler; - asset.userInitiatedDownload = YES; - [asset beginDownloadWithOptions:@{ASDownloadOptionPriority : ASDownloadPriorityNormal}]; - break; - case ASAssetStateInstalled: - /* The asset is already in the cache, get it from disk. */ - secdebug("pinningDb", "CertificatePinning asset already installed"); - if([self installDbFromURL:[asset localURL]]) { - secnotice("pinningDb", "finished db update from installed asset. purging asset."); - [asset purge:^(NSError *error) { - if (error) { - secerror("SecPinningDb: purge failed %@", error); - } - }]; - } - break; - case ASAssetStatePaused: - secdebug("pinningDb", "CertificatePinning asset download paused"); - asset.progressHandler = pinningHandler; - asset.userInitiatedDownload = YES; - if (![asset resumeDownloadAndReturnError:&error]) { - secerror("SecPinningDb: failed to resume download of asset: %@", error); - } - break; - case ASAssetStateDownloading: - secdebug("pinningDb", "CertificatePinning asset downloading"); - asset.progressHandler = pinningHandler; - asset.userInitiatedDownload = YES; - break; - default: - secerror("SecPinningDb: unhandled asset state %ld", (long)asset.state); - continue; - } - } -} -#endif /* !TARGET_OS_IPHONE */ - -- (void) downloadPinningAsset { - [self downloadPinningAsset:NO]; -} #endif /* !TARGET_OS_BRIDGE */ -- (NSArray *) copyCurrentPinningList { +- (NSArray *) copySystemPinningList { NSArray *pinningList = nil; + NSURL *pinningListURL = nil; /* Get the pinning list shipped with the OS */ SecOTAPKIRef otapkiref = SecOTAPKICopyCurrentOTAPKIRef(); if (otapkiref) { - pinningList = CFBridgingRelease(SecOTAPKICopyPinningList(otapkiref)); + pinningListURL = 
CFBridgingRelease(SecOTAPKICopyPinningList(otapkiref)); CFReleaseNull(otapkiref); + if (!pinningListURL) { + secerror("SecPinningDb: failed to get pinning plist URL"); + } + NSError *error = nil; + pinningList = [NSArray arrayWithContentsOfURL:pinningListURL error:&error]; if (!pinningList) { - secerror("SecPinningDb: failed to read pinning plist from bundle"); + secerror("SecPinningDb: failed to read pinning plist from bundle: %@", error); } } -#if !TARGET_OS_BRIDGE - /* Asynchronously ask MobileAsset for most recent pinning list. */ - dispatch_async(_queue, ^{ - secnotice("pinningDb", "Initial check with MobileAsset for newer pinning asset"); - [self downloadPinningAsset]; - }); - - /* Register for changes in our asset */ - if (PinningDbCanCheckMobileAsset()) { - int out_token = 0; - notify_register_dispatch(kSecPinningDbMobileAssetNotification, &out_token, self->_queue, ^(int __unused token) { - secnotice("pinningDb", "Got a notification about a new pinning asset."); - [self downloadPinningAsset:YES]; - }); - } -#endif - return pinningList; } - (BOOL) updateDb:(SecDbConnectionRef)dbconn error:(CFErrorRef *)error pinningList:(NSArray *)pinningList updateSchema:(BOOL)updateSchema updateContent:(BOOL)updateContent { - if (!isDbOwner()) { return false; } + if (!SecOTAPKIIsSystemTrustd()) { return false; } secdebug("pinningDb", "updating or creating database"); __block bool ok = true; 
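Review bot: In `copySystemPinningList` the `if (!pinningListURL)` branch only logs and then falls through to `[NSArray arrayWithContentsOfURL:pinningListURL error:&error]` with a nil URL. That yields a second, misleading "failed to read pinning plist from bundle" message at best, and passes nil to a parameter that is presumably declared nonnull. Returning from the check keeps the failure to one accurate log line: `if (!pinningListURL) { secerror("SecPinningDb: failed to get pinning plist URL"); return nil; }`.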
@@ -648,13 +398,17 @@ static BOOL PinningDbCanCheckMobileAsset(void) { } - (SecDbRef) createAtPath { - bool readWrite = isDbOwner(); - mode_t mode = 0644; + bool readWrite = SecOTAPKIIsSystemTrustd(); +#if TARGET_OS_OSX + mode_t mode = 0644; // Root trustd can rw. All other trustds need to read. +#else + mode_t mode = 0600; // Only one trustd. +#endif CFStringRef path = CFStringCreateWithCString(NULL, [_dbPath fileSystemRepresentation], kCFStringEncodingUTF8); SecDbRef result = SecDbCreateWithOptions(path, mode, readWrite, readWrite, false, ^bool (SecDbRef db, SecDbConnectionRef dbconn, bool didCreate, bool *callMeAgainForNextConnection, CFErrorRef *error) { - if (!isDbOwner()) { + if (!SecOTAPKIIsSystemTrustd()) { /* Non-owner process can't update the db, but it should get a db connection. * @@@ Revisit if new schema version is needed by reader processes. */ return true; @@ -666,7 +420,7 @@ static BOOL PinningDbCanCheckMobileAsset(void) { bool updateContent = false; /* Get the pinning plist */ - NSArray *pinningList = [self copyCurrentPinningList]; + NSArray *pinningList = [self copySystemPinningList]; if (!pinningList) { secerror("SecPinningDb: failed to find pinning plist in bundle"); ok = false; @@ -680,6 +434,7 @@ static BOOL PinningDbCanCheckMobileAsset(void) { } NSNumber *plist_version = [pinningList objectAtIndex:0]; NSNumber *db_version = [self getContentVersion:dbconn error:error]; + secnotice("pinningDb", "Opening db with version %@", db_version); if (!db_version || [plist_version compare:db_version] == NSOrderedDescending) { secnotice("pinningDb", "Updating pinning database content from version %@ to version %@", db_version ? db_version : 0, plist_version); 
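Review bot: The tighter `0600` mode in `createAtPath` is only handed to `SecDbCreateWithOptions`, and it is not visible here whether that call re-applies the mode to a database file that already exists. A file created as `0644` by an earlier build on the single-trustd platforms may therefore keep its wider permissions after this change. If the mode is applied only at creation, an explicit permission fix on the existing path for the owner process would make the new value effective on upgraded systems. A short comment next to `mode` stating which behaviour is relied on would also help the next reader.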
@@ -695,9 +450,16 @@ static BOOL PinningDbCanCheckMobileAsset(void) { if (updateContent || updateSchema) { ok &= [self updateDb:dbconn error:error pinningList:pinningList updateSchema:updateSchema updateContent:updateContent]; + /* Since we updated the DB to match the list that shipped with the system, + * reset the OTAPKI Asset version to the system asset version */ + (void)SecOTAPKIResetCurrentAssetVersion(NULL); } if (!ok) { secerror("SecPinningDb: %s failed: %@", didCreate ? "Create" : "Open", error ? *error : NULL); + [[TrustdHealthAnalytics logger] logHardError:(error ? (__bridge NSError *)*error : nil) + withEventName:TrustdHealthAnalyticsEventDatabaseEvent + withAttributes:@{TrustdHealthAnalyticsAttributeAffectedDatabase : @(TAPinningDb), + TrustdHealthAnalyticsAttributeDatabaseOperation : didCreate ? @(TAOperationCreate) : @(TAOperationOpen)}]; } }); return ok; @@ -765,9 +527,10 @@ static void verify_create_path(const char *path) } } + dispatch_once(&once, ^{ - /* Only log system-wide pinning status once a minute */ - action = sec_action_create("pinning logging charles", 60.0); + /* Only log system-wide pinning status once every five minutes */ + action = sec_action_create("pinning logging charles", 5*60.0); sec_action_set_handler(action, ^{ if (!SecIsInternalRelease()) { secnotice("pinningQA", "could not disable pinning: not an internal release"); @@ -845,8 +608,12 @@ static void verify_create_path(const char *path) }); }); - if (error) { + if (!ok || error) { secerror("SecPinningDb: error querying DB for hostname: %@", error); + [[TrustdHealthAnalytics logger] logHardError:(__bridge NSError *)error + withEventName:TrustdHealthAnalyticsEventDatabaseEvent + withAttributes:@{TrustdHealthAnalyticsAttributeAffectedDatabase : @(TAPinningDb), + TrustdHealthAnalyticsAttributeDatabaseOperation : @(TAOperationRead)}]; CFReleaseNull(error); } 
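Review bot: `SecOTAPKIResetCurrentAssetVersion(NULL)` runs even when the `updateDb:` call on the line before it failed, so the recorded asset version can be reset to the system version while the database content was not replaced. Guarding it ties the reset to a successful update: `if (ok) { (void)SecOTAPKIResetCurrentAssetVersion(NULL); }`. The call also discards both its result and its error, so a failed reset leaves no trace; logging it would make a version mismatch diagnosable. The enclosing block starts outside this hunk.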
@@ -872,6 +639,8 @@ static void verify_create_path(const char *path) return nil; } + secinfo("SecPinningDb", "Fetching rules for policy named %@", policyName); + /* Perform SELECT */ __block bool ok = true; __block CFErrorRef error = NULL; @@ -895,8 +664,12 @@ static void verify_create_path(const char *path) }); }); - if (error) { + if (!ok || error) { secerror("SecPinningDb: error querying DB for policyName: %@", error); + [[TrustdHealthAnalytics logger] logHardError:(__bridge NSError *)error + withEventName:TrustdHealthAnalyticsEventDatabaseEvent + withAttributes:@{TrustdHealthAnalyticsAttributeAffectedDatabase : @(TAPinningDb), + TrustdHealthAnalyticsAttributeDatabaseOperation : @(TAOperationRead)}]; CFReleaseNull(error); } 
@@ -910,34 +683,70 @@ static void verify_create_path(const char *path) @end +/* C interfaces */ static SecPinningDb *pinningDb = nil; void SecPinningDbInitialize(void) { + /* Create the pinning object once per launch */ static dispatch_once_t onceToken; dispatch_once(&onceToken, ^{ - pinningDb = [[SecPinningDb alloc] init]; - __block CFErrorRef error = NULL; - BOOL ok = SecDbPerformRead([pinningDb db], &error, ^(SecDbConnectionRef dbconn) { - NSNumber *contentVersion = [pinningDb getContentVersion:dbconn error:&error]; - NSNumber *schemaVersion = [pinningDb getSchemaVersion:dbconn error:&error]; - secinfo("pinningDb", "Database Schema: %@ Content: %@", schemaVersion, contentVersion); - }); - if (!ok || error) { - secerror("SecPinningDb: unable to initialize db: %@", error); + @autoreleasepool { + pinningDb = [[SecPinningDb alloc] init]; + __block CFErrorRef error = NULL; + BOOL ok = SecDbPerformRead([pinningDb db], &error, ^(SecDbConnectionRef dbconn) { + NSNumber *contentVersion = [pinningDb getContentVersion:dbconn error:&error]; + NSNumber *schemaVersion = [pinningDb getSchemaVersion:dbconn error:&error]; + secinfo("pinningDb", "Database Schema: %@ Content: %@", schemaVersion, contentVersion); + }); + if (!ok || error) { + secerror("SecPinningDb: unable to initialize db: %@", error); + [[TrustdHealthAnalytics logger] logHardError:(__bridge NSError *)error + withEventName:TrustdHealthAnalyticsEventDatabaseEvent + withAttributes:@{TrustdHealthAnalyticsAttributeAffectedDatabase : @(TAPinningDb), + TrustdHealthAnalyticsAttributeDatabaseOperation : @(TAOperationRead)}]; + } + CFReleaseNull(error); } - CFReleaseNull(error); }); } CFDictionaryRef _Nullable SecPinningDbCopyMatching(CFDictionaryRef query) { + @autoreleasepool { + SecPinningDbInitialize(); + + NSDictionary *nsQuery = (__bridge NSDictionary*)query; + NSString *hostname = [nsQuery objectForKey:(__bridge NSString*)kSecPinningDbKeyHostname]; + + NSDictionary *results = [pinningDb queryForDomain:hostname]; + 
if (results) { return CFBridgingRetain(results); } + NSString *policyName = [nsQuery objectForKey:(__bridge NSString*)kSecPinningDbKeyPolicyName]; + results = [pinningDb queryForPolicyName:policyName]; + if (!results) { return nil; } + return CFBridgingRetain(results); + } +} + +#if !TARGET_OS_BRIDGE +bool SecPinningDbUpdateFromURL(CFURLRef url) { SecPinningDbInitialize(); - NSDictionary *nsQuery = (__bridge NSDictionary*)query; - NSString *hostname = [nsQuery objectForKey:(__bridge NSString*)kSecPinningDbKeyHostname]; + return [pinningDb installDbFromURL:(__bridge NSURL*)url]; +} +#endif - NSDictionary *results = [pinningDb queryForDomain:hostname]; - if (results) { return CFBridgingRetain(results); } - NSString *policyName = [nsQuery objectForKey:(__bridge NSString*)kSecPinningDbKeyPolicyName]; - results = [pinningDb queryForPolicyName:policyName]; - if (!results) { return nil; } - return CFBridgingRetain(results); +CFNumberRef SecPinningDbCopyContentVersion(void) { + @autoreleasepool { + __block CFErrorRef error = NULL; + __block NSNumber *contentVersion = nil; + BOOL ok = SecDbPerformRead([pinningDb db], &error, ^(SecDbConnectionRef dbconn) { + contentVersion = [pinningDb getContentVersion:dbconn error:&error]; + }); + if (!ok || error) { + secerror("SecPinningDb: unable to get content version: %@", error); + } + CFReleaseNull(error); + if (!contentVersion) { + contentVersion = [NSNumber numberWithInteger:0]; + } + return CFBridgingRetain(contentVersion); + } } diff --git a/OSX/sec/securityd/SecPolicyServer.c b/OSX/sec/securityd/SecPolicyServer.c index 56d212ce..77bf37cc 100644 --- a/OSX/sec/securityd/SecPolicyServer.c +++ b/OSX/sec/securityd/SecPolicyServer.c @@ -34,7 +34,7 @@ #include #include #include -#include +#include #include #include #include 
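Review bot: `SecPinningDbCopyContentVersion` is the only C entry point here that uses `pinningDb` without first calling `SecPinningDbInitialize()`; `SecPinningDbCopyMatching` and `SecPinningDbUpdateFromURL` both do. If it is the first call after launch, `[pinningDb db]` messages nil and `SecDbPerformRead` receives a NULL database, and how SecDb handles that is not visible in this diff. Adding `SecPinningDbInitialize();` as the first statement inside the `@autoreleasepool` makes the three entry points consistent. The fallback to version 0 then reports a genuinely missing version instead of an uninitialized object.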
@@ -314,69 +314,6 @@ static void SecPolicyCheckExtendedKeyUsage(SecPVCRef pvc, CFStringRef key) { } } -#if 0 -static void SecPolicyCheckBasicContraintsCommon(SecPVCRef pvc, - CFStringRef key, bool strict) { - CFIndex ix, count = SecPVCGetCertificateCount(pvc); - for (ix = 0; ix < count; ++ix) { - SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix); - const SecCEBasicConstraints *bc = - SecCertificateGetBasicConstraints(cert); - if (bc) { - if (strict) { - if (ix == 0) { - /* Leaf certificate has basic constraints extension. */ - if (!SecPVCSetResult(pvc, key, ix, kCFBooleanFalse)) - return; - } else if (!bc->critical) { - /* Basic constraints extension is not marked critical. */ - if (!SecPVCSetResult(pvc, key, ix, kCFBooleanFalse)) - return; - } - } - - if (ix > 0 || count == 1) { - if (!bc->isCA) { - /* Non leaf certificate marked as isCA false. */ - if (!SecPVCSetResult(pvc, key, ix, kCFBooleanFalse)) - return; - } - - if (bc->pathLenConstraintPresent) { - if (bc->pathLenConstraint < (uint32_t)(ix - 1)) { -#if 0 - /* @@@ If a self signed certificate is issued by - another cert that is trusted, then we are supposed - to treat the self signed cert itself as the anchor - for path length purposes. */ - CFIndex ssix = SecCertificatePathSelfSignedIndex(path); - if (ssix >= 0 && ix >= ssix) { - /* It's ok if the pathLenConstraint isn't met for - certificates signing a self signed cert in the - chain. */ - } else -#endif - { - /* Path Length Constraint Exceeded. */ - if (!SecPVCSetResult(pvc, key, ix, - kCFBooleanFalse)) - return; - } - } - } - } - } else if (strict && ix > 0) { - /* In strict mode all CA certificates *MUST* have a critical - basic constraints extension and the leaf certificate - *MUST NOT* have a basic constraints extension. */ - /* CA certificate is missing basicConstraints extension. 
*/ - if (!SecPVCSetResult(pvc, key, ix, kCFBooleanFalse)) - return; - } - } -} -#endif - static void SecPolicyCheckBasicConstraints(SecPVCRef pvc, CFStringRef key) { //SecPolicyCheckBasicContraintsCommon(pvc, key, false); @@ -396,10 +333,6 @@ static void SecPolicyCheckNonEmptySubject(SecPVCRef pvc, } } -static void SecPolicyCheckQualifiedCertStatements(SecPVCRef pvc, - CFStringRef key) { -} - /* AUDIT[securityd](done): policy->_options is a caller provided dictionary, only its cf type has been checked. @@ -448,11 +381,11 @@ static void SecPolicyCheckEmail(SecPVCRef pvc, CFStringRef key) { } } -static void SecPolicyCheckValidIntermediates(SecPVCRef pvc, +static void SecPolicyCheckTemporalValidity(SecPVCRef pvc, CFStringRef key) { CFIndex ix, count = SecPVCGetCertificateCount(pvc); CFAbsoluteTime verifyTime = SecPVCGetVerifyTime(pvc); - for (ix = 1; ix < count - 1; ++ix) { + for (ix = 0; ix < count; ++ix) { SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix); if (!SecCertificateIsValid(cert, verifyTime)) { /* Intermediate certificate has expired. */ 
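Review bot: The context comment `/* Intermediate certificate has expired. */` no longer matches the renamed SecPolicyCheckTemporalValidity, whose loop is now `for (ix = 0; ix < count; ++ix)` and so covers the leaf and the root as well. Something like `/* Certificate is not valid at verifyTime. */` would describe the new behaviour. The same stale wording survives in SecPolicyCheckWeakKeySize later in this commit (`/* Intermediate certificate has a weak key. */`), which also now runs over every index. The function body continues past the end of this hunk.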
@@ -462,30 +395,6 @@ static void SecPolicyCheckValidIntermediates(SecPVCRef pvc, } } -static void SecPolicyCheckValidLeaf(SecPVCRef pvc, - CFStringRef key) { - CFAbsoluteTime verifyTime = SecPVCGetVerifyTime(pvc); - SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, 0); - if (!SecCertificateIsValid(cert, verifyTime)) { - /* Leaf certificate has expired. */ - if (!SecPVCSetResult(pvc, key, 0, kCFBooleanFalse)) - return; - } -} - -static void SecPolicyCheckValidRoot(SecPVCRef pvc, - CFStringRef key) { - CFIndex ix, count = SecPVCGetCertificateCount(pvc); - CFAbsoluteTime verifyTime = SecPVCGetVerifyTime(pvc); - ix = count - 1; - SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix); - if (!SecCertificateIsValid(cert, verifyTime)) { - /* Root certificate has expired. */ - if (!SecPVCSetResult(pvc, key, ix, kCFBooleanFalse)) - return; - } -} - /* AUDIT[securityd](done): policy->_options is a caller provided dictionary, only its cf type has been checked. @@ -836,7 +745,6 @@ static void SecPolicyCheckBlackListedLeaf(SecPVCRef pvc, serial_ptr, sizeof(*UTN_USERFirst_Hardware_Serial))) { SecPVCSetResult(pvc, key, 0, kCFBooleanFalse); - pvc->result = kSecTrustResultFatalTrustFailure; CFReleaseSafe(serial); return; } @@ -861,7 +769,6 @@ static void SecPolicyCheckBlackListedLeaf(SecPVCRef pvc, if (CFSetContainsValue(blackListedKeys, dgst)) { SecPVCSetResult(pvc, key, 0, kCFBooleanFalse); - pvc->result = kSecTrustResultFatalTrustFailure; } CFRelease(dgst); } @@ -918,6 +825,7 @@ static void SecPolicyCheckLeafMarkerOidWithoutValueCheck(SecPVCRef pvc, CFString } } + /* * The value is a dictionary. The dictionary contains keys indicating * whether the value is for Prod or QA. The values are the same as 
@@ -1038,10 +946,20 @@ static void SecPolicyCheckBasicCertificateProcessing(SecPVCRef pvc, /* trust may be restored for a path with an untrusted root that matches the allow list. (isAllowlisted is set by revocation check, which is performed prior to path checks) */ if (!SecCertificatePathVCIsAllowlisted(path)) { - /* Add a detail for the root not being trusted. */ - if (!SecPVCSetResultForced(pvc, kSecPolicyCheckAnchorTrusted, - n - 1, kCFBooleanFalse, true)) { - return; + Boolean isSelfSigned = false; + (void) SecCertificateIsSelfSigned(SecCertificatePathVCGetCertificateAtIndex(path, n - 1), &isSelfSigned); + if (isSelfSigned) { + /* Add a detail for the root not being trusted. */ + if (!SecPVCSetResultForced(pvc, kSecPolicyCheckAnchorTrusted, + n - 1, kCFBooleanFalse, true)) { + return; + } + } else { + /* Add a detail for the missing intermediate. */ + if (!SecPVCSetResultForced(pvc, kSecPolicyCheckMissingIntermediate, + n - 1, kCFBooleanFalse, true)) { + return; + } } } } @@ -1057,13 +975,13 @@ static void SecPolicyCheckBasicCertificateProcessing(SecPVCRef pvc, permitted_subtrees = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); excluded_subtrees = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks); require_action_quiet(permitted_subtrees != NULL, errOut, - SecPVCSetResultForced(pvc, key, 0, kCFBooleanFalse, true)); + SecPVCSetResultForced(pvc, kSecPolicyCheckNameConstraints, 0, kCFBooleanFalse, true)); require_action_quiet(excluded_subtrees != NULL, errOut, - SecPVCSetResultForced(pvc, key, 0, kCFBooleanFalse, true)); + SecPVCSetResultForced(pvc, kSecPolicyCheckNameConstraints, 0, kCFBooleanFalse, true)); #endif if (!SecCertificatePathVCVerifyPolicyTree(path, is_anchor_trusted)) { - if (!SecPVCSetResultForced(pvc, key, 0, kCFBooleanFalse, true)) { + if (!SecPVCSetResultForced(pvc, kSecPolicyCheckPolicyConstraints, 0, kCFBooleanFalse, true)) { goto errOut; } } 
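Review bot: The return value of `SecCertificateIsSelfSigned` is cast to void in the new branch, so if that call fails `isSelfSigned` stays false and the detail recorded is `kSecPolicyCheckMissingIntermediate` rather than `kSecPolicyCheckAnchorTrusted`. Both branches record a forced failure detail, so this mainly changes what is reported, but the SecPVCIsExceptedError change later in this commit does compare the same call against `errSecSuccess`. A comment such as `/* on error, treat the last cert as not self-signed and report a missing intermediate */` would make the choice explicit. SecPolicyCheckBasicCertificateProcessing starts and ends outside this hunk.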
@@ -1085,22 +1003,24 @@ static void SecPolicyCheckBasicCertificateProcessing(SecPVCRef pvc, /* (a) Verify the basic certificate information. */ /* @@@ Ensure that cert was signed with working_public_key_algorithm using the working_public_key and the working_public_key_parameters. */ -#if 1 + /* Already done by chain builder. */ if (!SecCertificateIsValid(cert, verify_time)) { - CFStringRef fail_key = i == n ? kSecPolicyCheckValidLeaf : kSecPolicyCheckValidIntermediates; - if (!SecPVCSetResult(pvc, fail_key, n - i, kCFBooleanFalse)) { + if (!SecPVCSetResult(pvc, kSecPolicyCheckTemporalValidity, n - i, kCFBooleanFalse)) { goto errOut; } } if (SecCertificateIsWeakKey(cert)) { - CFStringRef fail_key = i == n ? kSecPolicyCheckWeakLeaf : kSecPolicyCheckWeakIntermediates; - if (!SecPVCSetResult(pvc, fail_key, n - i, kCFBooleanFalse)) { + if (!SecPVCSetResult(pvc, kSecPolicyCheckWeakKeySize, n - i, kCFBooleanFalse)) { goto errOut; } - pvc->result = kSecTrustResultFatalTrustFailure; } -#endif + if (!SecPolicyCheckCertWeakSignature(cert, NULL)) { + if (!SecPVCSetResult(pvc, kSecPolicyCheckWeakSignature, n - i, kCFBooleanFalse)) { + goto errOut; + } + } + /* @@@ cert.issuer == working_issuer_name. */ #if POLICY_SUBTREES 
@@ -1111,14 +1031,14 @@ static void SecPolicyCheckBasicCertificateProcessing(SecPVCRef pvc, if(excluded_subtrees && CFArrayGetCount(excluded_subtrees)) { if ((errSecSuccess != SecNameContraintsMatchSubtrees(cert, excluded_subtrees, &found, false)) || found) { secnotice("policy", "name in excluded subtrees"); - if(!SecPVCSetResultForced(pvc, key, n - i, kCFBooleanFalse, true)) { goto errOut; } + if(!SecPVCSetResultForced(pvc, kSecPolicyCheckNameConstraints, n - i, kCFBooleanFalse, true)) { goto errOut; } } } /* Verify certificate Subject Name and SubjectAltNames are within the permitted_subtrees */ if(permitted_subtrees && CFArrayGetCount(permitted_subtrees)) { if ((errSecSuccess != SecNameContraintsMatchSubtrees(cert, permitted_subtrees, &found, true)) || !found) { secnotice("policy", "name not in permitted subtrees"); - if(!SecPVCSetResultForced(pvc, key, n - i, kCFBooleanFalse, true)) { goto errOut; } + if(!SecPVCSetResultForced(pvc, kSecPolicyCheckNameConstraints, n - i, kCFBooleanFalse, true)) { goto errOut; } } } } 
@@ -1154,31 +1074,22 @@ static void SecPolicyCheckBasicCertificateProcessing(SecPVCRef pvc, #endif /* (h), (i), (j) done by SecCertificatePathVCVerifyPolicyTree */ - /* (k) */ - const SecCEBasicConstraints *bc = - SecCertificateGetBasicConstraints(cert); -#if 0 /* Checked in chain builder pre signature verify already. SecPVCParentCertificateChecks */ - if (!bc || !bc->isCA) { - /* Basic constraints not present or not marked as isCA, illegal. */ - if (!SecPVCSetResult(pvc, kSecPolicyCheckBasicConstraints, - n - i, kCFBooleanFalse)) { - goto errOut; - } - } -#endif + /* (k) Checked in chain builder pre signature verify already. SecPVCParentCertificateChecks */ + /* (l) */ if (!is_self_issued) { if (max_path_length > 0) { max_path_length--; } else { /* max_path_len exceeded, illegal. */ - if (!SecPVCSetResult(pvc, kSecPolicyCheckBasicConstraints, - n - i, kCFBooleanFalse)) { + if (!SecPVCSetResultForced(pvc, kSecPolicyCheckBasicConstraintsPathLen, + n - i, kCFBooleanFalse, true)) { goto errOut; } } } /* (m) */ + const SecCEBasicConstraints *bc = SecCertificateGetBasicConstraints(cert); if (bc && bc->pathLenConstraintPresent && bc->pathLenConstraint < max_path_length) { max_path_length = bc->pathLenConstraint; @@ -1686,7 +1597,7 @@ out: return SCTs; } -static void SecPolicyCheckCT(SecPVCRef pvc, CFStringRef key) +static void SecPolicyCheckCT(SecPVCRef pvc) { SecCertificateRef leafCert = SecPVCGetCertificateAtIndex(pvc, 0); CFArrayRef embeddedScts = SecCertificateCopySignedCertificateTimestamps(leafCert); 
@@ -1695,6 +1606,8 @@ static void SecPolicyCheckCT(SecPVCRef pvc, CFStringRef key) CFArrayRef ocspScts = copy_ocsp_scts(pvc); CFDataRef precertEntry = copy_precert_entry_from_chain(pvc); CFDataRef x509Entry = copy_x509_entry_from_chain(pvc); + __block uint32_t trustedSCTCount = 0; + __block CFIndex totalSCTSize = 0; // This eventually contain list of logs who validated the SCT. CFMutableDictionaryRef currentLogsValidatingScts = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); @@ -1718,8 +1631,10 @@ static void SecPolicyCheckCT(SecPVCRef pvc, CFStringRef key) if(!CFDictionaryContainsKey(log, CFSTR("expiry"))) { addValidatingLog(currentLogsValidatingScts, log, sct_at); at_least_one_currently_valid_embedded = true; + trustedSCTCount++; } } + totalSCTSize += CFDataGetLength(value); }); } @@ -1730,7 +1645,9 @@ static void SecPolicyCheckCT(SecPVCRef pvc, CFStringRef key) if(log) { addValidatingLog(currentLogsValidatingScts, log, sct_at); at_least_one_currently_valid_external = true; + trustedSCTCount++; } + totalSCTSize += CFDataGetLength(value); }); } @@ -1741,7 +1658,9 @@ static void SecPolicyCheckCT(SecPVCRef pvc, CFStringRef key) if(log) { addValidatingLog(currentLogsValidatingScts, log, sct_at); at_least_one_currently_valid_external = true; + trustedSCTCount++; } + totalSCTSize += CFDataGetLength(value); }); } } @@ -1769,7 +1688,7 @@ static void SecPolicyCheckCT(SecPVCRef pvc, CFStringRef key) __block int lifetime; // in Months __block unsigned once_or_current_qualified_embedded = 0; - /* Calculate issuance time base on timestamp of SCTs from current logs */ + /* Calculate issuance time based on timestamp of SCTs from current logs */ CFDictionaryForEach(currentLogsValidatingScts, ^(const void *key, const void *value) { CFDictionaryRef log = key; if(!CFDictionaryContainsKey(log, CFSTR("expiry"))) { 
@@ -1787,8 +1706,12 @@ static void SecPolicyCheckCT(SecPVCRef pvc, CFStringRef key) CFDictionaryRef log = key; CFDateRef ts = value; CFDateRef expiry = CFDictionaryGetValue(log, CFSTR("expiry")); - if(expiry == NULL || CFDateCompare(ts, expiry, NULL) == kCFCompareLessThan) { + if (expiry == NULL) { // Currently qualified OR once_or_current_qualified_embedded++; + } else if (CFDateCompare(ts, expiry, NULL) == kCFCompareLessThan && // Once qualified. That is, qualified at the time of SCT AND + issuanceTime < CFDateGetAbsoluteTime(expiry)) { // at the time of issuance.) + once_or_current_qualified_embedded++; + trustedSCTCount++; } }); @@ -1818,6 +1741,30 @@ static void SecPolicyCheckCT(SecPVCRef pvc, CFStringRef key) } } + /* Record analytics data for CT */ + TrustAnalyticsBuilder *analytics = SecPathBuilderGetAnalyticsData(pvc->builder); + require_quiet(analytics, out); + uint32_t sctCount = 0; + /* Count the total number of SCTs we found and report where we got them */ + if (embeddedScts && CFArrayGetCount(embeddedScts) > 0) { + analytics->sct_sources |= TA_SCTEmbedded; + sctCount += CFArrayGetCount(embeddedScts); + } + if (builderScts && CFArrayGetCount(builderScts) > 0) { + analytics->sct_sources |= TA_SCT_TLS; + sctCount += CFArrayGetCount(builderScts); + } + if (ocspScts && CFArrayGetCount(ocspScts) > 0) { + analytics->sct_sources |= TA_SCT_OCSP; + sctCount += CFArrayGetCount(ocspScts); + } + /* Report how many of those SCTs were once or currently qualified */ + analytics->number_trusted_scts = trustedSCTCount; + /* Report the total number of bytes in the SCTs */ + analytics->total_sct_size = totalSCTSize; + /* Report how many SCTs we got */ + analytics->number_scts = sctCount; + out: CFReleaseSafe(logsValidatingEmbeddedScts); CFReleaseSafe(currentLogsValidatingScts); 
@@ -1848,7 +1795,7 @@ static bool checkPolicyOidData(SecPVCRef pvc, CFDataRef oid) { return false; } -static void SecPolicyCheckCertificatePolicyOid(SecPVCRef pvc, CFStringRef key) +static void SecPolicyCheckCertificatePolicy(SecPVCRef pvc, CFStringRef key) { SecPolicyRef policy = SecPVCGetPolicy(pvc); CFTypeRef value = CFDictionaryGetValue(policy->_options, key); 
@@ -1900,51 +1847,39 @@ static void SecPolicyCheckNoNetworkAccess(SecPVCRef pvc, } } -static void SecPolicyCheckWeakIntermediates(SecPVCRef pvc, +static void SecPolicyCheckWeakKeySize(SecPVCRef pvc, CFStringRef key) { CFIndex ix, count = SecPVCGetCertificateCount(pvc); - for (ix = 1; ix < count - 1; ++ix) { + for (ix = 0; ix < count; ++ix) { SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix); if (cert && SecCertificateIsWeakKey(cert)) { /* Intermediate certificate has a weak key. */ if (!SecPVCSetResult(pvc, key, ix, kCFBooleanFalse)) return; - pvc->result = kSecTrustResultFatalTrustFailure; } } } -static void SecPolicyCheckWeakLeaf(SecPVCRef pvc, - CFStringRef key) { - SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, 0); - if (cert && SecCertificateIsWeakKey(cert)) { - /* Leaf certificate has a weak key. */ - if (!SecPVCSetResult(pvc, key, 0, kCFBooleanFalse)) - return; - pvc->result = kSecTrustResultFatalTrustFailure; - } -} - -static void SecPolicyCheckWeakRoot(SecPVCRef pvc, - CFStringRef key) { +static void SecPolicyCheckKeySize(SecPVCRef pvc, CFStringRef key) { CFIndex ix, count = SecPVCGetCertificateCount(pvc); - ix = count - 1; - SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix); - if (cert && SecCertificateIsWeakKey(cert)) { - /* Root certificate has a weak key. 
*/ - if (!SecPVCSetResult(pvc, key, ix, kCFBooleanFalse)) - return; - pvc->result = kSecTrustResultFatalTrustFailure; + SecPolicyRef policy = SecPVCGetPolicy(pvc); + CFDictionaryRef keySizes = CFDictionaryGetValue(policy->_options, key); + for (ix = 0; ix < count; ++ix) { + SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix); + if (!SecCertificateIsAtLeastMinKeySize(cert, keySizes)) { + if (!SecPVCSetResult(pvc, key, ix, kCFBooleanFalse)) + return; + } } } -static void SecPolicyCheckKeySize(SecPVCRef pvc, CFStringRef key) { +static void SecPolicyCheckWeakSignature(SecPVCRef pvc, CFStringRef key) { CFIndex ix, count = SecPVCGetCertificateCount(pvc); SecPolicyRef policy = SecPVCGetPolicy(pvc); - CFDictionaryRef keySizes = CFDictionaryGetValue(policy->_options, key); + CFTypeRef pvcValue = CFDictionaryGetValue(policy->_options, key); for (ix = 0; ix < count; ++ix) { SecCertificateRef cert = SecPVCGetCertificateAtIndex(pvc, ix); - if (!SecCertificateIsAtLeastMinKeySize(cert, keySizes)) { + if (!SecPolicyCheckCertWeakSignature(cert, pvcValue)) { if (!SecPVCSetResult(pvc, key, ix, kCFBooleanFalse)) return; } 
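Review bot: In the new SecPolicyCheckWeakSignature, `pvcValue` is read from `policy->_options` and passed to `SecPolicyCheckCertWeakSignature` with no CF type check at this level. The AUDIT comments elsewhere in this file describe `policy->_options` as a caller-provided dictionary of which only the container type has been checked, so it is worth confirming that the callee (not visible in this section) validates the value's type and saying so in a comment above the lookup. The loop also uses `cert` without the `cert &&` guard that SecPolicyCheckWeakKeySize in the same hunk applies; `if (cert && !SecPolicyCheckCertWeakSignature(cert, pvcValue))` would make the two consistent.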
@@ -1979,19 +1914,11 @@ static bool leaf_is_on_weak_hash_whitelist(SecPVCRef pvc) { 0x7b, 0x3b, 0xad, 0x43, 0x88, 0xa9, 0x66, 0x59, 0xa8, 0x18 }; - /* subject:/C=US/ST=Kansas/L=Overland Park/O=Sprint/CN=oma.ssprov.sprint.com */ - /* issuer :/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C */ - /* Not After : Aug 16 05:04:29 2017 GMT */ - static const uint8_t sprint[] = { - 0xa3, 0x18, 0x70, 0x4f, 0xf7, 0xbf, 0xfb, 0x2b, 0xe2, 0x64, - 0x3a, 0x2d, 0x2b, 0xb8, 0x10, 0x5f, 0x77, 0xd5, 0x01, 0xab - }; - CFDataRef leafFingerprint = SecCertificateGetSHA1Digest(leaf); require_quiet(leafFingerprint, out); const unsigned int len = 20; const uint8_t *dp = CFDataGetBytePtr(leafFingerprint); - if (dp && (!memcmp(vodafone, dp, len) || !memcmp(sprint,dp,len))) { + if (dp && (!memcmp(vodafone, dp, len))) { return true; } 
@@ -2107,150 +2034,23 @@ void SecPolicyServerInitialize(void) { gSecPolicyPathCallbacks = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, NULL); - CFDictionaryAddValue(gSecPolicyPathCallbacks, - kSecPolicyCheckBasicCertificateProcessing, - SecPolicyCheckBasicCertificateProcessing); - CFDictionaryAddValue(gSecPolicyPathCallbacks, - kSecPolicyCheckCriticalExtensions, - SecPolicyCheckCriticalExtensions); - CFDictionaryAddValue(gSecPolicyPathCallbacks, - kSecPolicyCheckIdLinkage, - SecPolicyCheckIdLinkage); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckKeyUsage, - SecPolicyCheckKeyUsage); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckExtendedKeyUsage, - SecPolicyCheckExtendedKeyUsage); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckBasicConstraints, - SecPolicyCheckBasicConstraints); - CFDictionaryAddValue(gSecPolicyPathCallbacks, - kSecPolicyCheckNonEmptySubject, - SecPolicyCheckNonEmptySubject); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckQualifiedCertStatements, - SecPolicyCheckQualifiedCertStatements); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckSSLHostname, - SecPolicyCheckSSLHostname); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckEmail, - SecPolicyCheckEmail); - CFDictionaryAddValue(gSecPolicyPathCallbacks, - kSecPolicyCheckValidIntermediates, - SecPolicyCheckValidIntermediates); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckValidLeaf, - SecPolicyCheckValidLeaf); - CFDictionaryAddValue(gSecPolicyPathCallbacks, - kSecPolicyCheckValidRoot, - SecPolicyCheckValidRoot); - CFDictionaryAddValue(gSecPolicyPathCallbacks, - kSecPolicyCheckIssuerCommonName, - SecPolicyCheckIssuerCommonName); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckSubjectCommonNamePrefix, - SecPolicyCheckSubjectCommonNamePrefix); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckSubjectCommonName, - 
SecPolicyCheckSubjectCommonName); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckNotValidBefore, - SecPolicyCheckNotValidBefore); - CFDictionaryAddValue(gSecPolicyPathCallbacks, - kSecPolicyCheckChainLength, - SecPolicyCheckChainLength); - CFDictionaryAddValue(gSecPolicyPathCallbacks, - kSecPolicyCheckAnchorSHA1, - SecPolicyCheckAnchorSHA1); - CFDictionaryAddValue(gSecPolicyPathCallbacks, - kSecPolicyCheckAnchorSHA256, - SecPolicyCheckAnchorSHA256); - CFDictionaryAddValue(gSecPolicyPathCallbacks, - kSecPolicyCheckAnchorApple, - SecPolicyCheckAnchorApple); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckSubjectOrganization, - SecPolicyCheckSubjectOrganization); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckSubjectOrganizationalUnit, - SecPolicyCheckSubjectOrganizationalUnit); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckEAPTrustedServerNames, - SecPolicyCheckEAPTrustedServerNames); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckSubjectCommonNameTEST, - SecPolicyCheckSubjectCommonNameTEST); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckRevocation, - SecPolicyCheckRevocation); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckRevocationResponseRequired, - SecPolicyCheckRevocationResponseRequired); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckRevocationOnline, - SecPolicyCheckRevocationOnline); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckNoNetworkAccess, - SecPolicyCheckNoNetworkAccess); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckBlackListedLeaf, - SecPolicyCheckBlackListedLeaf); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckGrayListedLeaf, - SecPolicyCheckGrayListedLeaf); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckLeafMarkerOid, - SecPolicyCheckLeafMarkerOid); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - 
kSecPolicyCheckLeafMarkerOidWithoutValueCheck, - SecPolicyCheckLeafMarkerOidWithoutValueCheck); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckLeafMarkersProdAndQA, - SecPolicyCheckLeafMarkersProdAndQA); - CFDictionaryAddValue(gSecPolicyPathCallbacks, - kSecPolicyCheckIntermediateSPKISHA256, - SecPolicyCheckIntermediateSPKISHA256); - CFDictionaryAddValue(gSecPolicyPathCallbacks, - kSecPolicyCheckIntermediateEKU, - SecPolicyCheckIntermediateEKU); - CFDictionaryAddValue(gSecPolicyPathCallbacks, - kSecPolicyCheckIntermediateMarkerOid, - SecPolicyCheckIntermediateMarkerOid); - CFDictionaryAddValue(gSecPolicyPathCallbacks, - kSecPolicyCheckCertificatePolicy, - SecPolicyCheckCertificatePolicyOid); - CFDictionaryAddValue(gSecPolicyPathCallbacks, - kSecPolicyCheckWeakIntermediates, - SecPolicyCheckWeakIntermediates); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckWeakLeaf, - SecPolicyCheckWeakLeaf); - CFDictionaryAddValue(gSecPolicyPathCallbacks, - kSecPolicyCheckWeakRoot, - SecPolicyCheckWeakRoot); - CFDictionaryAddValue(gSecPolicyPathCallbacks, - kSecPolicyCheckKeySize, - SecPolicyCheckKeySize); - CFDictionaryAddValue(gSecPolicyPathCallbacks, - kSecPolicyCheckSignatureHashAlgorithms, - SecPolicyCheckSignatureHashAlgorithms); - CFDictionaryAddValue(gSecPolicyPathCallbacks, - kSecPolicyCheckSystemTrustedWeakHash, - SecPolicyCheckSystemTrustedWeakHash); - CFDictionaryAddValue(gSecPolicyPathCallbacks, - kSecPolicyCheckSystemTrustedWeakKey, - SecPolicyCheckSystemTrustedWeakKey); - CFDictionaryAddValue(gSecPolicyPathCallbacks, - kSecPolicyCheckIntermediateOrganization, - SecPolicyCheckIntermediateOrganization); - CFDictionaryAddValue(gSecPolicyPathCallbacks, - kSecPolicyCheckIntermediateCountry, - SecPolicyCheckIntermediateCountry); - CFDictionaryAddValue(gSecPolicyLeafCallbacks, - kSecPolicyCheckPinningRequired, - SecPolicyCheckPinningRequired); +#undef POLICYCHECKMACRO +#define __PC_ADD_CHECK_(NAME) +#define __PC_ADD_CHECK_L(NAME) 
CFDictionaryAddValue(gSecPolicyLeafCallbacks, kSecPolicyCheck##NAME, SecPolicyCheck##NAME); +#define __PC_ADD_CHECK_A(NAME) CFDictionaryAddValue(gSecPolicyPathCallbacks, kSecPolicyCheck##NAME, SecPolicyCheck##NAME); + +#define POLICYCHECKMACRO(NAME, TRUSTRESULT, SUBTYPE, LEAFCHECK, PATHCHECK, LEAFONLY, CSSMERR, OSSTATUS) \ +__PC_ADD_CHECK_##LEAFCHECK(NAME) \ +__PC_ADD_CHECK_##PATHCHECK(NAME) +#include "../Security/SecPolicyChecks.list" + + /* Some of these don't follow the naming conventions but are in the Pinning DB. + * fix policy check constant values */ + CFDictionaryAddValue(gSecPolicyLeafCallbacks, CFSTR("CheckLeafMarkerOid"), SecPolicyCheckLeafMarkerOid); + CFDictionaryAddValue(gSecPolicyLeafCallbacks, CFSTR("CheckLeafMarkersProdAndQA"), SecPolicyCheckLeafMarkersProdAndQA); + CFDictionaryAddValue(gSecPolicyPathCallbacks, CFSTR("CheckIntermediateMarkerOid"), SecPolicyCheckIntermediateMarkerOid); + CFDictionaryAddValue(gSecPolicyPathCallbacks, CFSTR("CheckIntermediateCountry"), SecPolicyCheckIntermediateCountry); + CFDictionaryAddValue(gSecPolicyPathCallbacks, CFSTR("CheckIntermediateOrganization"), SecPolicyCheckIntermediateOrganization); } // MARK: - @@ -2357,6 +2157,14 @@ static bool SecPVCIsExceptedError(SecPVCRef pvc, CFIndex ix, CFStringRef key, CF } } return true; + } else if (CFEqual(key, kSecPolicyCheckTemporalValidity) && CFDictionaryContainsKey(options, kSecPolicyCheckValidRoot)) { + /* Another special case - ValidRoot excepts Valid only for self-signed certs */ + Boolean isSelfSigned = false; + SecCertificateRef cert = SecPathBuilderGetCertificateAtIndex(pvc->builder, ix); + if (!cert || (errSecSuccess != SecCertificateIsSelfSigned(cert, &isSelfSigned)) || !isSelfSigned) { + return false; + } + return true; } } #endif 
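Review bot: The helper macros `__PC_ADD_CHECK_`, `__PC_ADD_CHECK_L` and `__PC_ADD_CHECK_A` added to SecPolicyServerInitialize remain defined after the `#include` of SecPolicyChecks.list, and names beginning with a double underscore are reserved for the implementation in C. An `#undef` for each of them after the include, or names without the leading underscores, would keep them from leaking into the rest of the file. The comment ending `fix policy check constant values` reads like an open task; marking it `TODO:` and stating that the five `CFSTR("Check...")` keys are the spellings the pinning DB uses would make the intent clear. The start of the function is outside this hunk.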
@@ -2395,9 +2203,7 @@ static int32_t detailKeyToCssmErr(CFStringRef key) { else if (CFEqual(key, kSecPolicyCheckEmail)) { result = -2147408872; // CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND } - else if (CFEqual(key, kSecPolicyCheckValidLeaf) || - CFEqual(key, kSecPolicyCheckValidIntermediates) || - CFEqual(key, kSecPolicyCheckValidRoot)) { + else if (CFEqual(key, kSecPolicyCheckTemporalValidity)) { result = -2147409654; // CSSMERR_TP_CERT_EXPIRED } @@ -2458,6 +2264,28 @@ static bool SecPVCKeyIsConstraintPolicyOption(SecPVCRef pvc, CFStringRef key) { return false; } +static SecTrustResultType trust_result_for_key(CFStringRef key) { + SecTrustResultType result = kSecTrustResultRecoverableTrustFailure; +#undef POLICYCHECKMACRO +#define __PC_TYPE_MEMBER_ false +#define __PC_TYPE_MEMBER_R false +#define __PC_TYPE_MEMBER_F true +#define __PC_TYPE_MEMBER_D true + +#define __TRUSTRESULT_ kSecTrustResultRecoverableTrustFailure +#define __TRUSTRESULT_F kSecTrustResultFatalTrustFailure +#define __TRUSTRESULT_D kSecTrustResultDeny +#define __TRUSTRESULT_R kSecTrustResultRecoverableTrustFailure + +#define POLICYCHECKMACRO(NAME, TRUSTRESULT, SUBTYPE, LEAFCHECK, PATHCHECK, LEAFONLY, CSSMERR, OSSTATUS) \ +if (__PC_TYPE_MEMBER_##TRUSTRESULT && CFEqual(key,CFSTR(#NAME))) { \ + result = __TRUSTRESULT_##TRUSTRESULT; \ +} +#include "../Security/SecPolicyChecks.list" + return result; +} + + /* AUDIT[securityd](done): policy->_options is a caller provided dictionary, only its cf type has been checked. 
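Review bot: `trust_result_for_key` matches with `CFEqual(key, CFSTR(#NAME))`, that is against the bare list name, while SecPolicyServerInitialize in this same commit registers callbacks under `kSecPolicyCheck##NAME` and notes that some constants carry a different string value (the `CFSTR("CheckLeafMarkerOid")` group). If a fatal or deny row in SecPolicyChecks.list (not visible here) is one whose constant value differs from its name, the lookup falls back to `kSecTrustResultRecoverableTrustFailure` without any signal. Assuming every row has a matching constant, comparing with `CFEqual(key, kSecPolicyCheck##NAME)` removes that dependency. The `__PC_TYPE_MEMBER_*` and `__TRUSTRESULT_*` helpers also stay defined after the include and use reserved double-underscore names.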
@@ -2495,10 +2323,15 @@ bool SecPVCSetResultForced(SecPVCRef pvc, return true; } - /* Check SecPVCIsOkResult to avoid resetting deny or fatal to recoverable */ - if (SecPVCIsOkResult(pvc)) { - pvc->result = kSecTrustResultRecoverableTrustFailure; - } + /* Avoid resetting deny or fatal to recoverable */ + SecTrustResultType trustResult = trust_result_for_key(key); + if (SecPVCIsOkResult(pvc) || trustResult == kSecTrustResultFatalTrustFailure) { + pvc->result = trustResult; + } else if (trustResult == kSecTrustResultDeny && + pvc->result == kSecTrustResultRecoverableTrustFailure) { + pvc->result = trustResult; + } + if (!pvc->details) return false; @@ -2534,19 +2367,27 @@ static void SecPVCValidateKey(const void *key, const void *value, CFDictionaryGetValue(pvc->callbacks, key); if (!fcn) { + /* "Optional" policy checks. This may be a new key from the + * pinning DB which is not implemented in this OS version. Log a + * warning, and on debug builds fail evaluation, to encourage us + * to ensure that checks are synchronized across the same build. */ if (pvc->callbacks == gSecPolicyLeafCallbacks) { if (!CFDictionaryContainsKey(gSecPolicyPathCallbacks, key)) { + secwarning("policy: unknown policy key %@, skipping", key); +#if DEBUG pvc->result = kSecTrustResultOtherError; +#endif } } else if (pvc->callbacks == gSecPolicyPathCallbacks) { if (!CFDictionaryContainsKey(gSecPolicyLeafCallbacks, key)) { + secwarning("policy: unknown policy key %@, skipping", key); +#if DEBUG pvc->result = kSecTrustResultOtherError; +#endif } } else { - /* Non standard validation phase. This may be a new key from the - * pinning DB which is not implemented in this OS version. Log - * a warning. */ - secwarning("policy: unknown policy key %@, skipping", key); + /* Non standard validation phase, nothing is optional. */ + pvc->result = kSecTrustResultOtherError; } return; } 
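Review bot: After this hunk a failure's severity reaches `pvc->result` only if SecPVCSetResultForced gets as far as the new `trust_result_for_key` block, whereas the call sites that drop their explicit `pvc->result = kSecTrustResultFatalTrustFailure` or `kSecTrustResultDeny` in this commit (SecPolicyCheckBlackListedLeaf, the weak-key checks, SecPVCBlackListedKeyChecks, SecPVCCheckUsageConstraints, SecPVCCheckIssuerDateConstraints) used to assign it unconditionally. The `return true;` context line at the top of the hunk shows at least one earlier exit; if that exit can be taken for a blacklisted or denied certificate, the result is no longer escalated, so this should be confirmed against the part of the function outside the hunk. The new block also lets a fatal key replace an existing deny, which the comment does not say; `/* fatal overrides deny; deny overrides recoverable; early returns above leave pvc->result untouched */` would document the precedence.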
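Review bot: In non-DEBUG builds the leaf and path branches of SecPVCValidateKey now only log `unknown policy key` and return, where the removed lines set `pvc->result = kSecTrustResultOtherError`, so a policy option with no registered callback is treated as satisfied. The comment ties this to new pinning DB keys, but the branch is reached for any policy's options, including a misspelled key or a SecPolicyChecks.list row that registers no callback. Consider restricting the lenient path to policies that originate from the pinning DB, or at least state the trade-off in the comment, e.g. `/* release builds fail open on unknown keys */`. SecPVCValidateKey starts before this hunk.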
@@ -2597,16 +2438,21 @@ bool SecPVCParentCertificateChecks(SecPVCRef pvc, CFIndex ix) { if (!SecCertificateIsValid(cert, verifyTime)) { /* Certificate has expired. */ - if (!SecPVCSetResult(pvc, is_anchor ? kSecPolicyCheckValidRoot - : kSecPolicyCheckValidIntermediates, ix, kCFBooleanFalse)) { + if (!SecPVCSetResult(pvc, kSecPolicyCheckTemporalValidity, ix, kCFBooleanFalse)) { goto errOut; } } if (SecCertificateIsWeakKey(cert)) { /* Certificate uses weak key. */ - if (!SecPVCSetResult(pvc, is_anchor ? kSecPolicyCheckWeakRoot - : kSecPolicyCheckWeakIntermediates, ix, kCFBooleanFalse)) { + if (!SecPVCSetResult(pvc, kSecPolicyCheckWeakKeySize, ix, kCFBooleanFalse)) { + goto errOut; + } + } + + if (!SecPolicyCheckCertWeakSignature(cert, NULL)) { + /* Certificate uses weak hash. */ + if (!SecPVCSetResult(pvc, kSecPolicyCheckWeakSignature, ix, kCFBooleanFalse)) { goto errOut; } } @@ -2621,12 +2467,18 @@ bool SecPVCParentCertificateChecks(SecPVCRef pvc, CFIndex ix) { if (SecCertificateVersion(cert) >= 3) { const SecCEBasicConstraints *bc = SecCertificateGetBasicConstraints(cert); - if (!bc || !bc->isCA) { - /* Basic constraints not present or not marked as isCA, illegal. */ + if (!bc) { + /* Basic constraints not present, illegal. */ if (!SecPVCSetResultForced(pvc, kSecPolicyCheckBasicConstraints, ix, kCFBooleanFalse, true)) { goto errOut; } + } else if (!bc->isCA) { + /* Basic constraints not marked as isCA, illegal. */ + if (!SecPVCSetResultForced(pvc, kSecPolicyCheckBasicConstraintsCA, + ix, kCFBooleanFalse, true)) { + goto errOut; + } } } /* For a v1 or v2 certificate in an intermediate slot (not a leaf and @@ -2685,7 +2537,6 @@ static bool SecPVCBlackListedKeyChecks(SecPVCRef pvc, CFIndex ix) { if (!allowed) { SecPVCSetResultForced(pvc, kSecPolicyCheckBlackListedKey, ix, kCFBooleanFalse, true); - pvc->result = kSecTrustResultFatalTrustFailure; } } CFRelease(dgst); 
@@ -3065,7 +2916,6 @@ static void SecPVCCheckUsageConstraints(SecPVCRef pvc) { /* Set the pvc trust result based on the usage constraints and anchor source. */ if (result == kSecTrustSettingsResultDeny) { SecPVCSetResultForced(pvc, kSecPolicyCheckUsageConstraints, certIX, kCFBooleanFalse, true); - pvc->result = kSecTrustResultDeny; } else if ((result == kSecTrustSettingsResultTrustRoot || result == kSecTrustSettingsResultTrustAsRoot || result == kSecTrustSettingsResultInvalid) && SecPVCIsOkResult(pvc)) { /* If we already think the PVC is ok and this cert is from one of the user/ @@ -3084,7 +2934,6 @@ static void SecPVCCheckUsageConstraints(SecPVCRef pvc) { } } -#define kSecPolicySHA256Size 32 static const UInt8 kTestDateConstraintsRoot[kSecPolicySHA256Size] = { 0x51,0xA0,0xF3,0x1F,0xC0,0x1D,0xEC,0x87,0x32,0xB6,0xFD,0x13,0x6A,0x43,0x4D,0x6C, 0x87,0xCD,0x62,0xE0,0x38,0xB4,0xFB,0xD6,0x40,0xB0,0xFD,0x62,0x4D,0x1F,0xCF,0x6D @@ -3152,7 +3001,6 @@ static void SecPVCCheckIssuerDateConstraints(SecPVCRef pvc) { /* 1 Dec 2016 00:00:00 GMT */ if (child && (CFAbsoluteTime)502243200.0 <= SecCertificateNotValidBefore(child)) { SecPVCSetResultForced(pvc, kSecPolicyCheckBlackListedKey, certIX, kCFBooleanFalse, true); - pvc->result = kSecTrustResultFatalTrustFailure; shouldDeny = true; break; } @@ -3174,8 +3022,6 @@ void SecPVCPathChecks(SecPVCRef pvc) { pvc->policyIX = 0; SecPolicyCheckIdLinkage(pvc, kSecPolicyCheckIdLinkage); if (SecPVCIsOkResult(pvc) || pvc->details) { - /* @@@ This theoretically only needs to be done once per path, but since - this function affects the pvc result, we'll run it every time. */ SecPolicyCheckBasicCertificateProcessing(pvc, kSecPolicyCheckBasicCertificateProcessing); } 
@@ -3220,7 +3066,7 @@ void SecPVCPathChecks(SecPVCRef pvc) { /* Check for CT */ /* This call will set the value of pvc->is_ct, but won't change the result (pvc->result) */ - SecPolicyCheckCT(pvc, kSecPolicyCheckCertificateTransparency); + SecPolicyCheckCT(pvc); /* Certs are only EV if they are also CT verified */ if (ev_check_ok && SecCertificatePathVCIsCT(path)) { @@ -3228,7 +3074,21 @@ void SecPVCPathChecks(SecPVCRef pvc) { } } -//errOut: + /* Check that this path meets CT constraints. */ + if (!SecCertificatePathVCIsCT(path)) { + SecPathCTPolicy ctp = SecCertificatePathVCRequiresCT(path); + if (ctp > kSecPathCTNotRequired) { + /* CT was required. Error is always set on leaf certificate. */ + SecPVCSetResultForced(pvc, kSecPolicyCheckCTRequired, + 0, kCFBooleanFalse, true); + if (ctp != kSecPathCTRequiredOverridable) { + /* Normally kSecPolicyCheckCTRequired is recoverable, + so need to manually change trust result here. */ + pvc->result = kSecTrustResultFatalTrustFailure; + } + } + } + secdebug("policy", "end %strusted path: %@", (SecPVCIsOkResult(pvc) ? "" : "not "), SecPathBuilderGetPath(pvc->builder)); 
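Review bot: The new CT block in SecPVCPathChecks decides whether CT is required with an ordered comparison, `if (ctp > kSecPathCTNotRequired)`, which is only correct while every "required" value of SecPathCTPolicy sorts above kSecPathCTNotRequired. The enum is declared outside this hunk, so that ordering cannot be confirmed here. An equality test, `if (ctp != kSecPathCTNotRequired)`, stays fail-closed if a value is later added or reordered, and it matches the style of the `ctp != kSecPathCTRequiredOverridable` test a few lines below. SecPVCPathChecks begins and ends outside the hunk.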
@@ -3236,20 +3096,32 @@ void SecPVCPathChecks(SecPVCRef pvc) { return; } -void SecPVCPathCheckRevocationRequired(SecPVCRef pvc) { +void SecPVCPathCheckRevocationResponsesReceived(SecPVCRef pvc) { +#if TARGET_OS_WATCH + /* Since we don't currently allow networking on watchOS, + * don't enforce the revocation-required check here. (32728029) */ + bool required = false; +#else + bool required = true; +#endif SecCertificatePathVCRef path = SecPathBuilderGetPath(pvc->builder); CFIndex ix, certCount = SecCertificatePathVCGetCount(path); for (ix = 0; ix < certCount; ix++) { - /* If we require revocation (for that cert per the SecCertificateVCRef or - * per the pvc) */ - if (SecCertificatePathVCIsRevocationRequiredForCertificateAtIndex(path, ix) || - ((ix == 0) && pvc->require_revocation_response)) { - /* Do we have a valid revocation response? */ - SecRVCRef rvc = SecCertificatePathVCGetRVCAtIndex(path, ix); - if (SecRVCGetEarliestNextUpdate(rvc) == NULL_TIME) { + SecRVCRef rvc = SecCertificatePathVCGetRVCAtIndex(path, ix); + /* Do we have a valid revocation response? */ + if (SecRVCGetEarliestNextUpdate(rvc) == NULL_TIME) { + /* No valid revocation response. + * Do we require revocation (for that cert per the + * SecCertificateVCRef, or per the pvc)? */ + if (required && (SecCertificatePathVCIsRevocationRequiredForCertificateAtIndex(path, ix) || + ((ix == 0) && pvc->require_revocation_response))) { SecPVCSetResultForced(pvc, kSecPolicyCheckRevocationResponseRequired, ix, kCFBooleanFalse, true); } + /* Do we have a definitive Valid revocation result for this cert? */ + if (SecRVCHasDefinitiveValidInfo(rvc) && SecRVCHasRevokedValidInfo(rvc)) { + SecRVCSetRevokedResult(rvc); + } } } } diff --git a/OSX/sec/securityd/SecPolicyServer.h b/OSX/sec/securityd/SecPolicyServer.h index 18840997..90f428ab 100644 --- a/OSX/sec/securityd/SecPolicyServer.h +++ b/OSX/sec/securityd/SecPolicyServer.h 
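Review bot: On watchOS the added `required = false` switches off enforcement for both the per-certificate flag and `pvc->require_revocation_response`, and nothing records that a required response was missing. The comment explains the reason, but a path whose policy asked for a revocation response is then accepted silently. A log line in the no-response branch for the case where only `required` prevented the failure, for example `secnotice("rvc", "required revocation response missing for cert %ld, not enforced", (long)ix);`, would make the skipped check visible to anyone reviewing trust decisions on that platform. Separately, `rvc` is now fetched for every index and passed to SecRVCGetEarliestNextUpdate without a NULL test; whether SecCertificatePathVCGetRVCAtIndex can return NULL is not visible here and is worth confirming.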
@@ -39,6 +39,8 @@ __BEGIN_DECLS +#define kSecPolicySHA256Size 32 + void SecPVCInit(SecPVCRef pvc, SecPathBuilderRef builder, CFArrayRef policies); void SecPVCDelete(SecPVCRef pvc); void SecPVCSetPath(SecPVCRef pvc, SecCertificatePathVCRef path); @@ -71,15 +73,17 @@ bool SecPVCParentCertificateChecks(SecPVCRef pvc, CFIndex ix); SecPathBuilderStep() should be called. */ void SecPVCPathChecks(SecPVCRef pvc); -/* Check whether revocation was required for any cert but revocation - * check failed. */ -void SecPVCPathCheckRevocationRequired(SecPVCRef pvc); +/* Check whether revocation responses were received for certificates + * in the path in pvc. If a valid response was not obtained for a + * certificate, this sets the appropriate error result if revocation + * was required, and/or definitive revocation info is present. */ +void SecPVCPathCheckRevocationResponsesReceived(SecPVCRef pvc); typedef void (*SecPolicyCheckFunction)(SecPVCRef pv, CFStringRef key); /* - Used by SecTrust to verify if a particular certificate chain matches - this policy. Returns true if the policy accepts the certificate chain. + * Used by SecTrust to verify if a particular certificate chain matches + * this policy. Returns true if the policy accepts the certificate chain. */ bool SecPolicyValidate(SecPolicyRef policy, SecPVCRef pvc, CFStringRef key); diff --git a/OSX/sec/securityd/SecRevocationDb.c b/OSX/sec/securityd/SecRevocationDb.c index f102eb64..2b9e6dcc 100644 --- a/OSX/sec/securityd/SecRevocationDb.c +++ b/OSX/sec/securityd/SecRevocationDb.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016-2017 Apple Inc. All Rights Reserved. + * Copyright (c) 2016-2018 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -30,6 +30,7 @@ #include #include #include +#include #include #include #include 
@@ -73,6 +74,11 @@ static CFStringRef kSecPrefsDomain = CFSTR("com.apple.security"); static CFStringRef kUpdateServerKey = CFSTR("ValidUpdateServer"); static CFStringRef kUpdateEnabledKey = CFSTR("ValidUpdateEnabled"); static CFStringRef kUpdateIntervalKey = CFSTR("ValidUpdateInterval"); +static CFStringRef kBoolTrueKey = CFSTR("1"); +static CFStringRef kBoolFalseKey = CFSTR("0"); + +/* constant length of boolean string keys */ +#define BOOL_STRING_KEY_LENGTH 1 typedef CF_OPTIONS(CFOptionFlags, SecValidInfoFlags) { kSecValidInfoComplete = 1u << 0, @@ -80,7 +86,11 @@ typedef CF_OPTIONS(CFOptionFlags, SecValidInfoFlags) { kSecValidInfoKnownOnly = 1u << 2, kSecValidInfoRequireCT = 1u << 3, kSecValidInfoAllowlist = 1u << 4, - kSecValidInfoNoCACheck = 1u << 5 + kSecValidInfoNoCACheck = 1u << 5, + kSecValidInfoOverridable = 1u << 6, + kSecValidInfoDateConstraints = 1u << 7, + kSecValidInfoNameConstraints = 1u << 8, + kSecValidInfoPolicyConstraints = 1u << 9, }; /* minimum update interval */ 
@@ -97,26 +107,29 @@ typedef CF_OPTIONS(CFOptionFlags, SecValidInfoFlags) { #define kSecRevocationDbFileName "valid.sqlite3" #define kSecRevocationDbReplaceFile ".valid_replace" +#define isDbOwner SecOTAPKIIsSystemTrustd + /* database schema version v1 = initial version v2 = fix for group entry transitions v3 = handle optional entries in update dictionaries v4 = add db_format and db_source entries + v5 = add date constraints table, with updated group flags Note: kSecRevocationDbMinSchemaVersion is the lowest version whose results can be used. This allows revocation results to be obtained from an existing db before the next update interval occurs, at which time we'll update to the current version (kSecRevocationDbSchemaVersion). */ -#define kSecRevocationDbSchemaVersion 4 /* current version we support */ -#define kSecRevocationDbMinSchemaVersion 3 /* minimum version we can use */ +#define kSecRevocationDbSchemaVersion 5 /* current version we support */ +#define kSecRevocationDbMinSchemaVersion 5 /* minimum version we can use */ /* update file format */ CF_ENUM(CFIndex) { - kSecValidUpdateFormatG1 = 1, /* initial version */ - kSecValidUpdateFormatG2 = 2, /* signed content, single plist */ - kSecValidUpdateFormatG3 = 3 /* signed content, multiple plists */ + kSecValidUpdateFormatG1 = 1, /* initial version */ + kSecValidUpdateFormatG2 = 2, /* signed content, single plist */ + kSecValidUpdateFormatG3 = 3 /* signed content, multiple plists */ }; #define kSecRevocationDbUpdateFormat 3 /* current version we support */ 
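Review bot: Raising kSecRevocationDbMinSchemaVersion to 5 makes it equal to kSecRevocationDbSchemaVersion, so the note just above it (the minimum is "the lowest version whose results can be used" so that an existing db serves results before the next update) no longer describes what happens. A v3 or v4 database presumably yields no usable results until the schema has been updated. If that is intended, the comment should say so, e.g. `/* min == current: results from a pre-v5 db are not used until the schema update has run */`. How lookups behave while the version is unsupported is outside this hunk, so it is worth confirming that revocation and CT-required data from Valid are not silently skipped in that window.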
@@ -126,7 +139,9 @@ bool SecRevocationDbVerifyUpdate(void *update, CFIndex length); CFIndex SecRevocationDbIngestUpdate(CFDictionaryRef update, CFIndex chunkVersion); void SecRevocationDbApplyUpdate(CFDictionaryRef update, CFIndex version); CFAbsoluteTime SecRevocationDbComputeNextUpdateTime(CFIndex updateInterval); -void SecRevocationDbSetSchemaVersion(CFIndex dbversion); +bool SecRevocationDbSetVersion(CFIndex version); +bool SecRevocationDbSetSchemaVersion(CFIndex dbversion); +bool SecRevocationDbUpdateSchema(void); CFIndex SecRevocationDbGetUpdateFormat(void); void SecRevocationDbSetUpdateFormat(CFIndex dbformat); void SecRevocationDbSetUpdateSource(CFStringRef source); @@ -362,19 +377,6 @@ static bool removeFileWithSuffix(const char *basepath, const char *suffix) { return result; } -static bool isDbOwner() { -#if TARGET_OS_EMBEDDED - if (getuid() == 64) // _securityd -#else - if (getuid() == 0) -#endif - { - return true; - } - return false; -} - - // MARK: - // MARK: SecValidUpdate @@ -489,7 +491,7 @@ static bool SecValidUpdateProcessData(CFIndex format, CFDataRef updateData) { } if (version > 0) { - secdebug("validupdate", "Update received: v%lu", (unsigned long)version); + secdebug("validupdate", "Update received: v%ld", (long)version); gLastVersion = version; gNextUpdate = SecRevocationDbComputeNextUpdateTime(interval); secdebug("validupdate", "Next update time: %f", gNextUpdate); 
@@ -516,41 +518,16 @@ void SecValidUpdateVerifyAndIngest(CFDataRef updateData) { } if (!result) { secerror("failed to process valid update"); + TrustdHealthAnalyticsLogErrorCode(TAEventValidUpdate, TAFatalError, errSecDecode); + } else { + TrustdHealthAnalyticsLogSuccess(TAEventValidUpdate); } } else { secerror("failed to verify valid update"); + TrustdHealthAnalyticsLogErrorCode(TAEventValidUpdate, TAFatalError, errSecVerifyFailed); } } -static bool SecValidUpdateFromCompressed(CFDataRef CF_CONSUMED data) { - if (!data) { return false; } - - /* We're about to use a lot of memory for the uncompressed update -- go active */ - os_transaction_t transaction; - transaction = os_transaction_create("com.apple.trustd.valid"); - - /* Expand the update */ - __block CFDataRef inflatedData = NULL; - WithPathInRevocationInfoDirectory(CFSTR(kSecRevocationCurUpdateFile), ^(const char *curUpdatePath) { - inflatedData = copyInflatedDataToFile(data, (char *)curUpdatePath); - secdebug("validupdate", "data expanded: %ld bytes", (long)CFDataGetLength(inflatedData)); - }); - unmapData(data); - os_release(transaction); - - if (inflatedData) { - SecValidUpdateVerifyAndIngest(inflatedData); - unmapData(inflatedData); - } - - /* All done with the temporary file */ - WithPathInRevocationInfoDirectory(CFSTR(kSecRevocationCurUpdateFile), ^(const char *curUpdatePath) { - (void)removeFileWithSuffix(curUpdatePath, ""); - }); - - return true; -} - static bool SecValidDatabaseFromCompressed(CFDataRef CF_CONSUMED data) { if (!data) { return false; } 
@@ -670,28 +647,14 @@ static bool SecValidUpdateSatisfiedLocally(CFStringRef server, CFIndex version, } } result = SecValidDatabaseFromCompressed(data); - if (result) { - goto updateExit; - } - - // unable to use database asset; try update asset - const char *validUpdatePathBuf = SecOTAPKIGetValidUpdateSnapshot(otapkiRef); - if (validUpdatePathBuf) { - secdebug("validupdate", "will read data from \"%s\"", validUpdatePathBuf); - if ((rtn = readValidFile(validUpdatePathBuf, &data)) != 0) { - unmapData(data); - data = NULL; - secnotice("validupdate", "readValidFile error %d", rtn); - } - } - result = SecValidUpdateFromCompressed(data); updateExit: CFReleaseNull(otapkiRef); if (result) { sNumLocalUpdates++; - SecRevocationDbSetUpdateSource(server); gLastVersion = SecRevocationDbGetVersion(); + SecRevocationDbSetUpdateSource(server); + SecRevocationDbUpdateSchema(); gUpdateStarted = 0; secdebug("validupdate", "local update to g%ld/v%ld complete at %f", (long)SecRevocationDbGetUpdateFormat(), (long)gLastVersion, @@ -715,6 +678,7 @@ static bool SecValidUpdateSchedule(bool updateEnabled, CFStringRef server, CFInd #if !TARGET_OS_BRIDGE /* Schedule as a maintenance task */ + secdebug("validupdate", "will fetch v%lu from \"%@\"", (unsigned long)version, server); return SecValidUpdateRequest(SecRevocationDbGetUpdateQueue(), server, version); #else return false; 
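Review bot: The new call `SecRevocationDbUpdateSchema();` in SecValidUpdateSatisfiedLocally discards the bool that this commit's prototype gives the function, so the local update is counted in `sNumLocalUpdates` and logged as complete even when the schema update failed. Checking the result, `if (!SecRevocationDbUpdateSchema()) { secerror("schema update failed after local valid update"); }`, would at least leave a trace. Whether `result` should also be cleared in that case depends on code outside the hunk.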
@@ -789,13 +753,23 @@ static SecValidInfoRef SecValidInfoCreate(SecValidInfoFormat format, bool isOnList, CFDataRef certHash, CFDataRef issuerHash, - CFDataRef anchorHash) { + CFDataRef anchorHash, + CFDateRef notBeforeDate, + CFDateRef notAfterDate, + CFDataRef nameConstraints, + CFDataRef policyConstraints) { SecValidInfoRef validInfo; validInfo = (SecValidInfoRef)calloc(1, sizeof(struct __SecValidInfo)); if (!validInfo) { return NULL; } CFRetainSafe(certHash); CFRetainSafe(issuerHash); + CFRetainSafe(anchorHash); + CFRetainSafe(notBeforeDate); + CFRetainSafe(notAfterDate); + CFRetainSafe(nameConstraints); + CFRetainSafe(policyConstraints); + validInfo->format = format; validInfo->certHash = certHash; validInfo->issuerHash = issuerHash; 
@@ -807,15 +781,27 @@ static SecValidInfoRef SecValidInfoCreate(SecValidInfoFormat format, validInfo->knownOnly = (flags & kSecValidInfoKnownOnly); validInfo->requireCT = (flags & kSecValidInfoRequireCT); validInfo->noCACheck = (flags & kSecValidInfoNoCACheck); + validInfo->overridable = (flags & kSecValidInfoOverridable); + validInfo->hasDateConstraints = (flags & kSecValidInfoDateConstraints); + validInfo->hasNameConstraints = (flags & kSecValidInfoNameConstraints); + validInfo->hasPolicyConstraints = (flags & kSecValidInfoPolicyConstraints); + validInfo->notBeforeDate = notBeforeDate; + validInfo->notAfterDate = notAfterDate; + validInfo->nameConstraints = nameConstraints; + validInfo->policyConstraints = policyConstraints; return validInfo; } void SecValidInfoRelease(SecValidInfoRef validInfo) { if (validInfo) { - CFReleaseSafe(validInfo->certHash); - CFReleaseSafe(validInfo->issuerHash); - CFReleaseSafe(validInfo->anchorHash); + CFReleaseNull(validInfo->certHash); + CFReleaseNull(validInfo->issuerHash); + CFReleaseNull(validInfo->anchorHash); + CFReleaseNull(validInfo->notBeforeDate); + CFReleaseNull(validInfo->notAfterDate); + CFReleaseNull(validInfo->nameConstraints); + CFReleaseNull(validInfo->policyConstraints); free(validInfo); } } @@ -934,8 +920,7 @@ static bool _SecRevocationDbCheckNextUpdate(void) { if (db_version < kSecRevocationDbSchemaVersion || db_format < kSecRevocationDbUpdateFormat || kCFCompareEqualTo != CFStringCompare(server, db_source, kCFCompareCaseInsensitive)) { - /* we need to fully rebuild the db contents. */ - SecRevocationDbRemoveAllEntries(); + // we need to fully rebuild the db contents, so we set our version to 0. version = gLastVersion = 0; } 
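Review bot: The four new flag assignments in SecValidInfoCreate store the raw mask result, e.g. `validInfo->hasNameConstraints = (flags & kSecValidInfoNameConstraints);`, and two of the new flags sit at bits 8 and 9. The field types of struct __SecValidInfo are not visible in this hunk; if any of them is an 8-bit integer or a 1-bit bitfield rather than `bool`, 0x100 and 0x200 would be stored as 0 and the constraint would be ignored. Normalising removes the dependency on the field type: `validInfo->hasNameConstraints = (flags & kSecValidInfoNameConstraints) != 0;`, and likewise for the other flag fields. SecValidInfoCreate starts outside the hunk.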
@@ -1130,7 +1115,7 @@ CFIndex SecRevocationDbIngestUpdate(CFDictionaryRef update, CFIndex chunkVersion /* admin table holds these key-value (or key-ival) pairs: 'version' (integer) // version of database content - 'check_again' (double) // CFAbsoluteTime of next check (optional; this value is currently stored in prefs) + 'check_again' (double) // CFAbsoluteTime of next check (optional) 'db_version' (integer) // version of database schema 'db_hash' (blob) // SHA-256 database hash --> entries in admin table are unique by text key 
@@ -1144,12 +1129,16 @@ CFIndex SecRevocationDbIngestUpdate(CFDictionaryRef update, CFIndex chunkVersion groups table holds records with these attributes: groupid (integer) // ordinal ID associated with this group entry flags (integer) // a bitmask of the following values: - kSecValidInfoComplete (0x00000001) set if we have all revocation info for this issuer group - kSecValidInfoCheckOCSP (0x00000002) set if must check ocsp for certs from this issuer group - kSecValidInfoKnownOnly (0x00000004) set if any CA from this issuer group must be in database - kSecValidInfoRequireCT (0x00000008) set if all certs from this issuer group must have SCTs - kSecValidInfoAllowlist (0x00000010) set if this entry describes valid certs (i.e. is allowed) - kSecValidInfoNoCACheck (0x00000020) set if this entry does not require an OCSP check to accept + kSecValidInfoComplete (0x00000001) set if we have all revocation info for this issuer group + kSecValidInfoCheckOCSP (0x00000002) set if must check ocsp for certs from this issuer group + kSecValidInfoKnownOnly (0x00000004) set if any CA from this issuer group must be in database + kSecValidInfoRequireCT (0x00000008) set if all certs from this issuer group must have SCTs + kSecValidInfoAllowlist (0x00000010) set if this entry describes valid certs (i.e. 
is allowed) + kSecValidInfoNoCACheck (0x00000020) set if this entry does not require an OCSP check to accept + kSecValidInfoOverridable (0x00000040) set if the trust status is recoverable and can be overridden + kSecValidInfoDateConstraints (0x00000080) set if this group has not-before or not-after constraints + kSecValidInfoNameConstraints (0x00000100) [RESERVED] set if this group has name constraints in database + kSecValidInfoPolicyConstraints (0x00000200) [RESERVED] set if this group has policy constraints in database format (integer) // an integer describing format of entries: kSecValidInfoFormatUnknown (0) unknown format kSecValidInfoFormatSerial (1) serial number, not greater than 20 bytes in length 
@@ -1159,90 +1148,118 @@ CFIndex SecRevocationDbIngestUpdate(CFDictionaryRef update, CFIndex chunkVersion --> entries in groups table are unique by groupid serials table holds serial number blobs with these attributes: - rowid (integer) // ordinal ID associated with this serial number entry groupid (integer) // identifier for issuer group in the groups table serial (blob) // serial number --> entries in serials table are unique by serial and groupid hashes table holds SHA-256 hashes of certificates with these attributes: - rowid (integer) // ordinal ID associated with this sha256 hash entry groupid (integer) // identifier for issuer group in the groups table sha256 (blob) // SHA-256 hash of subject certificate --> entries in hashes table are unique by sha256 and groupid + + dates table holds notBefore and notAfter dates (as CFAbsoluteTime) with these attributes: + groupid (integer) // identifier for issuer group in the groups table (primary key) + notbefore (real) // issued certs are invalid if their notBefore is prior to this date + notafter (real) // issued certs are invalid after this date (or their notAfter, if earlier) + --> entries in dates table are unique by groupid, and only exist if kSecValidInfoDateConstraints is true + */ #define createTablesSQL CFSTR("CREATE TABLE admin(" \ - "key TEXT PRIMARY KEY NOT NULL," \ - "ival INTEGER NOT NULL," \ - "value BLOB" \ + "key TEXT PRIMARY KEY NOT NULL," \ + "ival INTEGER NOT NULL," \ + "value BLOB" \ ");" \ "CREATE TABLE issuers(" \ - "groupid INTEGER NOT NULL," \ - "issuer_hash BLOB PRIMARY KEY NOT NULL" \ + "groupid INTEGER NOT NULL," \ + "issuer_hash BLOB PRIMARY KEY NOT NULL" \ ");" \ "CREATE INDEX issuer_idx ON issuers(issuer_hash);" \ "CREATE TABLE groups(" \ - "groupid INTEGER PRIMARY KEY AUTOINCREMENT," \ - "flags INTEGER," \ - "format INTEGER," \ - "data BLOB" \ + "groupid INTEGER PRIMARY KEY AUTOINCREMENT," \ + "flags INTEGER," \ + "format INTEGER," \ + "data BLOB" \ ");" \ "CREATE TABLE serials(" \ - 
"rowid INTEGER PRIMARY KEY AUTOINCREMENT," \ - "groupid INTEGER NOT NULL," \ - "serial BLOB NOT NULL," \ - "UNIQUE(groupid,serial)" \ + "groupid INTEGER NOT NULL," \ + "serial BLOB NOT NULL," \ + "UNIQUE(groupid,serial)" \ ");" \ "CREATE TABLE hashes(" \ - "rowid INTEGER PRIMARY KEY AUTOINCREMENT," \ - "groupid INTEGER NOT NULL," \ - "sha256 BLOB NOT NULL," \ - "UNIQUE(groupid,sha256)" \ + "groupid INTEGER NOT NULL," \ + "sha256 BLOB NOT NULL," \ + "UNIQUE(groupid,sha256)" \ + ");" \ + "CREATE TABLE dates(" \ + "groupid INTEGER PRIMARY KEY NOT NULL," \ + "notbefore REAL," \ + "notafter REAL," \ ");" \ "CREATE TRIGGER group_del BEFORE DELETE ON groups FOR EACH ROW " \ "BEGIN " \ - "DELETE FROM serials WHERE groupid=OLD.groupid; " \ - "DELETE FROM hashes WHERE groupid=OLD.groupid; " \ - "DELETE FROM issuers WHERE groupid=OLD.groupid; " \ + "DELETE FROM serials WHERE groupid=OLD.groupid; " \ + "DELETE FROM hashes WHERE groupid=OLD.groupid; " \ + "DELETE FROM issuers WHERE groupid=OLD.groupid; " \ + "DELETE FROM dates WHERE groupid=OLD.groupid; " \ "END;") #define selectGroupIdSQL CFSTR("SELECT DISTINCT groupid " \ -"FROM issuers WHERE issuer_hash=?") + "FROM issuers WHERE issuer_hash=?") #define selectVersionSQL CFSTR("SELECT ival FROM admin " \ -"WHERE key='version'") + "WHERE key='version'") #define selectDbVersionSQL CFSTR("SELECT ival FROM admin " \ -"WHERE key='db_version'") + "WHERE key='db_version'") #define selectDbFormatSQL CFSTR("SELECT ival FROM admin " \ -"WHERE key='db_format'") + "WHERE key='db_format'") #define selectDbHashSQL CFSTR("SELECT value FROM admin " \ -"WHERE key='db_hash'") + "WHERE key='db_hash'") #define selectDbSourceSQL CFSTR("SELECT value FROM admin " \ -"WHERE key='db_source'") + "WHERE key='db_source'") #define selectNextUpdateSQL CFSTR("SELECT value FROM admin " \ -"WHERE key='check_again'") + "WHERE key='check_again'") #define selectGroupRecordSQL CFSTR("SELECT flags,format,data FROM " \ -"groups WHERE groupid=?") + "groups WHERE 
groupid=?") #define selectSerialRecordSQL CFSTR("SELECT rowid FROM serials " \ -"WHERE groupid=? AND serial=?") + "WHERE groupid=? AND serial=?") +#define selectDateRecordSQL CFSTR("SELECT notbefore,notafter FROM " \ + "dates WHERE groupid=?") #define selectHashRecordSQL CFSTR("SELECT rowid FROM hashes " \ -"WHERE groupid=? AND sha256=?") + "WHERE groupid=? AND sha256=?") #define insertAdminRecordSQL CFSTR("INSERT OR REPLACE INTO admin " \ -"(key,ival,value) VALUES (?,?,?)") + "(key,ival,value) VALUES (?,?,?)") #define insertIssuerRecordSQL CFSTR("INSERT OR REPLACE INTO issuers " \ -"(groupid,issuer_hash) VALUES (?,?)") + "(groupid,issuer_hash) VALUES (?,?)") #define insertGroupRecordSQL CFSTR("INSERT OR REPLACE INTO groups " \ -"(groupid,flags,format,data) VALUES (?,?,?,?)") + "(groupid,flags,format,data) VALUES (?,?,?,?)") #define insertSerialRecordSQL CFSTR("INSERT OR REPLACE INTO serials " \ -"(groupid,serial) VALUES (?,?)") + "(groupid,serial) VALUES (?,?)") +#define insertDateRecordSQL CFSTR("INSERT OR REPLACE INTO dates " \ + "(groupid,notbefore,notafter) VALUES (?,?,?)") #define insertSha256RecordSQL CFSTR("INSERT OR REPLACE INTO hashes " \ -"(groupid,sha256) VALUES (?,?)") + "(groupid,sha256) VALUES (?,?)") #define deleteGroupRecordSQL CFSTR("DELETE FROM groups WHERE groupid=?") -#define deleteAllEntriesSQL CFSTR("DELETE from hashes; " \ -"DELETE from serials; DELETE from issuers; DELETE from groups; " \ -"DELETE from admin; DELETE from sqlite_sequence") +#define updateConstraintsTablesSQL CFSTR("" \ +"CREATE TABLE if not exists dates(" \ + "groupid INTEGER PRIMARY KEY NOT NULL," \ + "notbefore REAL," \ + "notafter REAL," \ +");") + +#define updateGroupDeleteTriggerSQL CFSTR("" \ + "DROP TRIGGER if exists group_del;" \ + "CREATE TRIGGER group_del BEFORE DELETE ON groups FOR EACH ROW " \ + "BEGIN " \ + "DELETE FROM serials WHERE groupid=OLD.groupid; " \ + "DELETE FROM hashes WHERE groupid=OLD.groupid; " \ + "DELETE FROM issuers WHERE groupid=OLD.groupid; " 
\ + "DELETE FROM dates WHERE groupid=OLD.groupid; " \ + "END;") + #define deleteTablesSQL CFSTR("DROP TABLE hashes; " \ -"DROP TABLE serials; DROP TABLE issuers; DROP TABLE groups; " \ -"DROP TABLE admin; DELETE from sqlite_sequence") + "DROP TABLE serials; DROP TABLE issuers; " \ + "DROP TABLE dates; DROP TABLE groups; " \ + "DROP TABLE admin; DELETE from sqlite_sequence") /* Database management */ @@ -1263,9 +1280,15 @@ static SecDbRef SecRevocationDbCreate(CFStringRef path) { *commit = ok; }); } - CFReleaseSafe(localError); - if (!ok) + if (!ok || localError) { + CFIndex errCode = errSecInternalComponent; + if (error && *error) { + errCode = CFErrorGetCode(*error); + } secerror("%s failed: %@", didCreate ? "Create" : "Open", error ? *error : NULL); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TARevocationDb, TAOperationCreate, TAFatalError, errCode); + } + CFReleaseSafe(localError); return ok; }); @@ -1295,6 +1318,7 @@ static SecRevocationDbRef SecRevocationDbInit(CFStringRef db_name) { require(rdb->db = SecRevocationDbCreate(db_name), errOut); attr = dispatch_queue_attr_make_with_qos_class(DISPATCH_QUEUE_SERIAL, QOS_CLASS_BACKGROUND, 0); + attr = dispatch_queue_attr_make_with_autorelease_frequency(attr, DISPATCH_AUTORELEASE_FREQUENCY_WORK_ITEM); require(rdb->update_queue = dispatch_queue_create(NULL, attr), errOut); return rdb; 
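Review bot: The new `dates` table definition ends with a comma before the closing parenthesis (`"notafter REAL," \` followed by `");"`), in both createTablesSQL and updateConstraintsTablesSQL. SQLite does not accept a trailing comma in a column list, so as written the CREATE TABLE statement would fail to prepare; the last column should read `"notafter REAL" \`. This is more than a syntax slip because the rewritten group_del trigger, selectDateRecordSQL and insertDateRecordSQL all reference `dates`, so date constraints from Valid would presumably never be stored or applied if the table is missing.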
@@ -1350,42 +1374,45 @@ static int64_t _SecRevocationDbGetVersion(SecRevocationDbRef rdb, CFErrorRef *er __block CFErrorRef localError = NULL; ok &= SecDbPerformRead(rdb->db, &localError, ^(SecDbConnectionRef dbconn) { - if (ok) ok &= SecDbWithSQL(dbconn, selectVersionSQL, &localError, ^bool(sqlite3_stmt *selectVersion) { - ok = SecDbStep(dbconn, selectVersion, &localError, NULL); - version = sqlite3_column_int64(selectVersion, 0); + ok &= SecDbWithSQL(dbconn, selectVersionSQL, &localError, ^bool(sqlite3_stmt *selectVersion) { + ok &= SecDbStep(dbconn, selectVersion, &localError, ^void(bool *stop) { + version = sqlite3_column_int64(selectVersion, 0); + *stop = true; + }); return ok; }); }); + if (!ok || localError) { + secerror("_SecRevocationDbGetVersion failed: %@", localError); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TARevocationDb, TAOperationRead, TAFatalError, + localError ? CFErrorGetCode(localError) : errSecInternalComponent); + } (void) CFErrorPropagate(localError, error); return version; } -static void _SecRevocationDbSetVersion(SecRevocationDbRef rdb, CFIndex version){ +static void _SecRevocationDbSetVersion(SecRevocationDbRef rdb, CFIndex version) { secdebug("validupdate", "setting version to %ld", (long)version); __block CFErrorRef localError = NULL; __block bool ok = true; ok &= SecDbPerformWrite(rdb->db, &localError, ^(SecDbConnectionRef dbconn) { ok &= SecDbTransaction(dbconn, kSecDbExclusiveTransactionType, &localError, ^(bool *commit) { - if (ok) ok = SecDbWithSQL(dbconn, insertAdminRecordSQL, &localError, ^bool(sqlite3_stmt *insertVersion) { - if (ok) { - const char *versionKey = "version"; - ok = SecDbBindText(insertVersion, 1, versionKey, strlen(versionKey), - SQLITE_TRANSIENT, &localError); - } - if (ok) { - ok = SecDbBindInt64(insertVersion, 2, - (sqlite3_int64)version, &localError); - } - if (ok) { - ok = SecDbStep(dbconn, insertVersion, &localError, NULL); - } + ok &= SecDbWithSQL(dbconn, insertAdminRecordSQL, &localError, 
^bool(sqlite3_stmt *insertVersion) { + const char *versionKey = "version"; + ok = ok && SecDbBindText(insertVersion, 1, versionKey, strlen(versionKey), + SQLITE_TRANSIENT, &localError); + ok = ok && SecDbBindInt64(insertVersion, 2, + (sqlite3_int64)version, &localError); + ok = ok && SecDbStep(dbconn, insertVersion, &localError, NULL); return ok; }); }); }); - if (!ok) { + if (!ok || localError) { secerror("_SecRevocationDbSetVersion failed: %@", localError); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TARevocationDb, TAOperationWrite, TAFatalError, + localError ? CFErrorGetCode(localError) : errSecInternalComponent); } CFReleaseSafe(localError); } 
@@ -1397,46 +1424,83 @@ static int64_t _SecRevocationDbGetSchemaVersion(SecRevocationDbRef rdb, CFErrorR __block CFErrorRef localError = NULL; ok &= SecDbPerformRead(rdb->db, &localError, ^(SecDbConnectionRef dbconn) { - if (ok) ok &= SecDbWithSQL(dbconn, selectDbVersionSQL, &localError, ^bool(sqlite3_stmt *selectDbVersion) { - ok = SecDbStep(dbconn, selectDbVersion, &localError, NULL); - db_version = sqlite3_column_int64(selectDbVersion, 0); + ok &= SecDbWithSQL(dbconn, selectDbVersionSQL, &localError, ^bool(sqlite3_stmt *selectDbVersion) { + ok &= SecDbStep(dbconn, selectDbVersion, &localError, ^void(bool *stop) { + db_version = sqlite3_column_int64(selectDbVersion, 0); + *stop = true; + }); return ok; }); }); + if (!ok || localError) { + secerror("_SecRevocationDbGetSchemaVersion failed: %@", localError); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TARevocationDb, TAOperationRead, TAFatalError, + localError ? CFErrorGetCode(localError) : errSecInternalComponent); + } (void) CFErrorPropagate(localError, error); return db_version; } -static void _SecRevocationDbSetSchemaVersion(SecRevocationDbRef rdb, CFIndex dbversion) { +static bool _SecRevocationDbSetSchemaVersion(SecRevocationDbRef rdb, CFIndex dbversion) { + if (dbversion > 0) { + int64_t db_version = _SecRevocationDbGetSchemaVersion(rdb, NULL); + if (db_version >= dbversion) { + return true; /* requested schema is earlier than current schema */ + } + } secdebug("validupdate", "setting db_version to %ld", (long)dbversion); __block CFErrorRef localError = NULL; __block bool ok = true; ok &= SecDbPerformWrite(rdb->db, &localError, ^(SecDbConnectionRef dbconn) { ok &= SecDbTransaction(dbconn, kSecDbExclusiveTransactionType, &localError, ^(bool *commit) { - if (ok) ok = SecDbWithSQL(dbconn, insertAdminRecordSQL, &localError, ^bool(sqlite3_stmt *insertDbVersion) { - if (ok) { - const char *dbVersionKey = "db_version"; - ok = SecDbBindText(insertDbVersion, 1, dbVersionKey, strlen(dbVersionKey), - 
SQLITE_TRANSIENT, &localError); - } - if (ok) { - ok = SecDbBindInt64(insertDbVersion, 2, - (sqlite3_int64)dbversion, &localError); - } - if (ok) { - ok = SecDbStep(dbconn, insertDbVersion, &localError, NULL); - } + ok &= SecDbWithSQL(dbconn, insertAdminRecordSQL, &localError, ^bool(sqlite3_stmt *insertDbVersion) { + const char *dbVersionKey = "db_version"; + ok = ok && SecDbBindText(insertDbVersion, 1, dbVersionKey, strlen(dbVersionKey), + SQLITE_TRANSIENT, &localError); + ok = ok && SecDbBindInt64(insertDbVersion, 2, + (sqlite3_int64)dbversion, &localError); + ok = ok && SecDbStep(dbconn, insertDbVersion, &localError, NULL); return ok; }); }); }); - if (!ok) { + if (!ok || localError) { secerror("_SecRevocationDbSetSchemaVersion failed: %@", localError); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TARevocationDb, TAOperationWrite, TAFatalError, + localError ? CFErrorGetCode(localError) : errSecInternalComponent); } else { rdb->unsupportedVersion = false; } CFReleaseSafe(localError); + return ok; +} + +static bool _SecRevocationDbUpdateSchema(SecRevocationDbRef rdb) { + secdebug("validupdate", "updating db schema to v%ld", (long)kSecRevocationDbSchemaVersion); + + __block CFErrorRef localError = NULL; + __block bool ok = true; + ok &= SecDbPerformWrite(rdb->db, &localError, ^(SecDbConnectionRef dbconn) { + ok &= SecDbTransaction(dbconn, kSecDbExclusiveTransactionType, &localError, ^(bool *commit) { + ok &= SecDbWithSQL(dbconn, updateConstraintsTablesSQL, &localError, ^bool(sqlite3_stmt *updateTables) { + ok = SecDbStep(dbconn, updateTables, &localError, NULL); + return ok; + }); + + ok &= SecDbWithSQL(dbconn, updateGroupDeleteTriggerSQL, &localError, ^bool(sqlite3_stmt *updateTrigger) { + ok = SecDbStep(dbconn, updateTrigger, &localError, NULL); + return ok; + }); + }); + }); + if (!ok) { + secerror("_SecRevocationDbUpdateSchema failed: %@", localError); + } else { + ok &= _SecRevocationDbSetSchemaVersion(rdb, kSecRevocationDbSchemaVersion); + } + 
CFReleaseSafe(localError); + return ok; } static int64_t _SecRevocationDbGetUpdateFormat(SecRevocationDbRef rdb, CFErrorRef *error) { @@ -1446,12 +1510,19 @@ static int64_t _SecRevocationDbGetUpdateFormat(SecRevocationDbRef rdb, CFErrorRe __block CFErrorRef localError = NULL; ok &= SecDbPerformRead(rdb->db, &localError, ^(SecDbConnectionRef dbconn) { - if (ok) ok &= SecDbWithSQL(dbconn, selectDbFormatSQL, &localError, ^bool(sqlite3_stmt *selectDbFormat) { - ok = SecDbStep(dbconn, selectDbFormat, &localError, NULL); - db_format = sqlite3_column_int64(selectDbFormat, 0); + ok &= SecDbWithSQL(dbconn, selectDbFormatSQL, &localError, ^bool(sqlite3_stmt *selectDbFormat) { + ok &= SecDbStep(dbconn, selectDbFormat, &localError, ^void(bool *stop) { + db_format = sqlite3_column_int64(selectDbFormat, 0); + *stop = true; + }); return ok; }); }); + if (!ok || localError) { + secerror("_SecRevocationDbGetUpdateFormat failed: %@", localError); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TARevocationDb, TAOperationRead, TAFatalError, + localError ? CFErrorGetCode(localError) : errSecInternalComponent); + } (void) CFErrorPropagate(localError, error); return db_format; } 
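Review bot: In the added `_SecRevocationDbUpdateSchema`, the trigger statement runs even when the table statement failed, because `ok &= SecDbWithSQL(...)` always evaluates its right-hand side, and the transaction block never writes `*commit`. Using `ok = ok && SecDbWithSQL(dbconn, updateGroupDeleteTriggerSQL, ...)` for the second statement and ending the block with `*commit = ok;` would keep a half-applied schema from being committed; SecDbTransaction's default for `commit` is not visible here. The failure branch also logs with `secerror` only, while the setters changed in this hunk report through `TrustdHealthAnalyticsLogErrorCodeForDatabase`. Adding the same call with `TAOperationWrite` would keep schema-update failures visible in health analytics.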
@@ -1463,25 +1534,21 @@ static void _SecRevocationDbSetUpdateFormat(SecRevocationDbRef rdb, CFIndex dbfo __block bool ok = true; ok &= SecDbPerformWrite(rdb->db, &localError, ^(SecDbConnectionRef dbconn) { ok &= SecDbTransaction(dbconn, kSecDbExclusiveTransactionType, &localError, ^(bool *commit) { - if (ok) ok = SecDbWithSQL(dbconn, insertAdminRecordSQL, &localError, ^bool(sqlite3_stmt *insertDbFormat) { - if (ok) { - const char *dbFormatKey = "db_format"; - ok = SecDbBindText(insertDbFormat, 1, dbFormatKey, strlen(dbFormatKey), - SQLITE_TRANSIENT, &localError); - } - if (ok) { - ok = SecDbBindInt64(insertDbFormat, 2, - (sqlite3_int64)dbformat, &localError); - } - if (ok) { - ok = SecDbStep(dbconn, insertDbFormat, &localError, NULL); - } + ok &= SecDbWithSQL(dbconn, insertAdminRecordSQL, &localError, ^bool(sqlite3_stmt *insertDbFormat) { + const char *dbFormatKey = "db_format"; + ok = ok && SecDbBindText(insertDbFormat, 1, dbFormatKey, strlen(dbFormatKey), + SQLITE_TRANSIENT, &localError); + ok = ok && SecDbBindInt64(insertDbFormat, 2, + (sqlite3_int64)dbformat, &localError); + ok = ok && SecDbStep(dbconn, insertDbFormat, &localError, NULL); return ok; }); }); }); - if (!ok) { + if (!ok || localError) { secerror("_SecRevocationDbSetUpdateFormat failed: %@", localError); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TARevocationDb, TAOperationWrite, TAFatalError, + localError ? CFErrorGetCode(localError) : errSecInternalComponent); } else { rdb->unsupportedVersion = false; } 
@@ -1495,19 +1562,25 @@ static CFStringRef _SecRevocationDbCopyUpdateSource(SecRevocationDbRef rdb, CFEr __block CFErrorRef localError = NULL; ok &= SecDbPerformRead(rdb->db, &localError, ^(SecDbConnectionRef dbconn) { - if (ok) ok &= SecDbWithSQL(dbconn, selectDbSourceSQL, &localError, ^bool(sqlite3_stmt *selectDbSource) { - ok = SecDbStep(dbconn, selectDbSource, &localError, NULL); - const UInt8 *p = (const UInt8 *)sqlite3_column_blob(selectDbSource, 0); - if (p != NULL) { - CFIndex length = (CFIndex)sqlite3_column_bytes(selectDbSource, 0); - if (length > 0) { - updateSource = CFStringCreateWithBytes(kCFAllocatorDefault, p, length, kCFStringEncodingUTF8, false); + ok &= SecDbWithSQL(dbconn, selectDbSourceSQL, &localError, ^bool(sqlite3_stmt *selectDbSource) { + ok &= SecDbStep(dbconn, selectDbSource, &localError, ^void(bool *stop) { + const UInt8 *p = (const UInt8 *)sqlite3_column_blob(selectDbSource, 0); + if (p != NULL) { + CFIndex length = (CFIndex)sqlite3_column_bytes(selectDbSource, 0); + if (length > 0) { + updateSource = CFStringCreateWithBytes(kCFAllocatorDefault, p, length, kCFStringEncodingUTF8, false); + } } - } + *stop = true; + }); return ok; }); }); - + if (!ok || localError) { + secerror("_SecRevocationDbCopyUpdateSource failed: %@", localError); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TARevocationDb, TAOperationRead, TAFatalError, + localError ? CFErrorGetCode(localError) : errSecInternalComponent); + } (void) CFErrorPropagate(localError, error); return updateSource; } 
@@ -1534,30 +1607,24 @@ static void _SecRevocationDbSetUpdateSource(SecRevocationDbRef rdb, CFStringRef __block bool ok = true; ok &= SecDbPerformWrite(rdb->db, &localError, ^(SecDbConnectionRef dbconn) { ok &= SecDbTransaction(dbconn, kSecDbExclusiveTransactionType, &localError, ^(bool *commit) { - if (ok) ok = SecDbWithSQL(dbconn, insertAdminRecordSQL, &localError, ^bool(sqlite3_stmt *insertRecord) { - if (ok) { - const char *dbSourceKey = "db_source"; - ok = SecDbBindText(insertRecord, 1, dbSourceKey, strlen(dbSourceKey), - SQLITE_TRANSIENT, &localError); - } - if (ok) { - ok = SecDbBindInt64(insertRecord, 2, - (sqlite3_int64)0, &localError); - } - if (ok) { - ok = SecDbBindBlob(insertRecord, 3, - updateSourceCStr, strlen(updateSourceCStr), - SQLITE_TRANSIENT, &localError); - } - if (ok) { - ok = SecDbStep(dbconn, insertRecord, &localError, NULL); - } + ok &= SecDbWithSQL(dbconn, insertAdminRecordSQL, &localError, ^bool(sqlite3_stmt *insertRecord) { + const char *dbSourceKey = "db_source"; + ok = ok && SecDbBindText(insertRecord, 1, dbSourceKey, strlen(dbSourceKey), + SQLITE_TRANSIENT, &localError); + ok = ok && SecDbBindInt64(insertRecord, 2, + (sqlite3_int64)0, &localError); + ok = ok && SecDbBindBlob(insertRecord, 3, + updateSourceCStr, strlen(updateSourceCStr), + SQLITE_TRANSIENT, &localError); + ok = ok && SecDbStep(dbconn, insertRecord, &localError, NULL); return ok; }); }); }); - if (!ok) { + if (!ok || localError) { secerror("_SecRevocationDbSetUpdateSource failed: %@", localError); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TARevocationDb, TAOperationWrite, TAFatalError, + localError ? CFErrorGetCode(localError) : errSecInternalComponent); } CFReleaseSafe(localError); } 
@@ -1569,18 +1636,24 @@ static CFAbsoluteTime _SecRevocationDbGetNextUpdateTime(SecRevocationDbRef rdb, __block CFErrorRef localError = NULL; ok &= SecDbPerformRead(rdb->db, &localError, ^(SecDbConnectionRef dbconn) { - if (ok) ok &= SecDbWithSQL(dbconn, selectNextUpdateSQL, &localError, ^bool(sqlite3_stmt *selectNextUpdate) { - ok = SecDbStep(dbconn, selectNextUpdate, &localError, NULL); - CFAbsoluteTime *p = (CFAbsoluteTime *)sqlite3_column_blob(selectNextUpdate, 0); - if (p != NULL) { - if (sizeof(CFAbsoluteTime) == sqlite3_column_bytes(selectNextUpdate, 0)) { - nextUpdate = *p; + ok &= SecDbWithSQL(dbconn, selectNextUpdateSQL, &localError, ^bool(sqlite3_stmt *selectNextUpdate) { + ok &= SecDbStep(dbconn, selectNextUpdate, &localError, ^void(bool *stop) { + CFAbsoluteTime *p = (CFAbsoluteTime *)sqlite3_column_blob(selectNextUpdate, 0); + if (p != NULL) { + if (sizeof(CFAbsoluteTime) == sqlite3_column_bytes(selectNextUpdate, 0)) { + nextUpdate = *p; + } } - } + *stop = true; + }); return ok; }); }); - + if (!ok || localError) { + secerror("_SecRevocationDbGetNextUpdateTime failed: %@", localError); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TARevocationDb, TAOperationRead, TAFatalError, + localError ? CFErrorGetCode(localError) : errSecInternalComponent); + } (void) CFErrorPropagate(localError, error); return nextUpdate; } 
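Review bot: In the row callback of `_SecRevocationDbGetNextUpdateTime`, `nextUpdate = *p;` reads a `CFAbsoluteTime` directly through a cast of the `sqlite3_column_blob()` pointer, which relies on the blob buffer being suitably aligned for a double. The length comparison just above already guarantees the size, so a copy is enough: `memcpy(&nextUpdate, p, sizeof(nextUpdate));` with `p` declared as `const void *`. The matching setter binds `&nextUpdate` with `sizeof(CFAbsoluteTime)`, so the stored layout does not change.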
@@ -1592,30 +1665,24 @@ static void _SecRevocationDbSetNextUpdateTime(SecRevocationDbRef rdb, CFAbsolute __block bool ok = true; ok &= SecDbPerformWrite(rdb->db, &localError, ^(SecDbConnectionRef dbconn) { ok &= SecDbTransaction(dbconn, kSecDbExclusiveTransactionType, &localError, ^(bool *commit) { - if (ok) ok = SecDbWithSQL(dbconn, insertAdminRecordSQL, &localError, ^bool(sqlite3_stmt *insertRecord) { - if (ok) { - const char *nextUpdateKey = "check_again"; - ok = SecDbBindText(insertRecord, 1, nextUpdateKey, strlen(nextUpdateKey), - SQLITE_TRANSIENT, &localError); - } - if (ok) { - ok = SecDbBindInt64(insertRecord, 2, - (sqlite3_int64)0, &localError); - } - if (ok) { - ok = SecDbBindBlob(insertRecord, 3, - &nextUpdate, sizeof(CFAbsoluteTime), - SQLITE_TRANSIENT, &localError); - } - if (ok) { - ok = SecDbStep(dbconn, insertRecord, &localError, NULL); - } + ok &= SecDbWithSQL(dbconn, insertAdminRecordSQL, &localError, ^bool(sqlite3_stmt *insertRecord) { + const char *nextUpdateKey = "check_again"; + ok = ok && SecDbBindText(insertRecord, 1, nextUpdateKey, strlen(nextUpdateKey), + SQLITE_TRANSIENT, &localError); + ok = ok && SecDbBindInt64(insertRecord, 2, + (sqlite3_int64)0, &localError); + ok = ok && SecDbBindBlob(insertRecord, 3, + &nextUpdate, sizeof(CFAbsoluteTime), + SQLITE_TRANSIENT, &localError); + ok = ok && SecDbStep(dbconn, insertRecord, &localError, NULL); return ok; }); }); }); - if (!ok) { + if (!ok || localError) { secerror("_SecRevocationDbSetNextUpdate failed: %@", localError); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TARevocationDb, TAOperationWrite, TAFatalError, + localError ? CFErrorGetCode(localError) : errSecInternalComponent); } CFReleaseSafe(localError); } 
@@ -1625,12 +1692,11 @@ static bool _SecRevocationDbRemoveAllEntries(SecRevocationDbRef rdb) { __block bool ok = true; __block CFErrorRef localError = NULL; + /* update schema first */ + _SecRevocationDbUpdateSchema(rdb); + ok &= SecDbPerformWrite(rdb->db, &localError, ^(SecDbConnectionRef dbconn) { ok &= SecDbTransaction(dbconn, kSecDbExclusiveTransactionType, &localError, ^(bool *commit) { - //ok &= SecDbWithSQL(dbconn, deleteAllEntriesSQL, &localError, ^bool(sqlite3_stmt *deleteAll) { - // ok = SecDbStep(dbconn, deleteAll, &localError, NULL); - // return ok; - //}); /* drop all tables and recreate them, in case of schema changes */ ok &= SecDbExec(dbconn, deleteTablesSQL, &localError); ok &= SecDbExec(dbconn, createTablesSQL, &localError); @@ -1638,12 +1704,17 @@ static bool _SecRevocationDbRemoveAllEntries(SecRevocationDbRef rdb) { *commit = ok; }); /* compact the db (must be done outside transaction scope) */ - SecDbExec(dbconn, CFSTR("VACUUM"), &localError); + ok &= SecDbExec(dbconn, CFSTR("VACUUM"), &localError); }); /* one more thing: update the schema version and format to current */ _SecRevocationDbSetSchemaVersion(rdb, kSecRevocationDbSchemaVersion); _SecRevocationDbSetUpdateFormat(rdb, kSecRevocationDbUpdateFormat); + if (!ok || localError) { + secerror("_SecRevocationDbRemoveAllEntries failed: %@", localError); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TARevocationDb, TAOperationWrite, TAFatalError, + localError ? CFErrorGetCode(localError) : errSecInternalComponent); + } CFReleaseSafe(localError); return ok; } 
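Review bot: `_SecRevocationDbRemoveAllEntries` discards the result of the new `_SecRevocationDbUpdateSchema(rdb)` call, and it still stamps the schema version and update format as current when the drop/recreate transaction or `VACUUM` has failed. The public wrappers added later in this patch show that `_SecRevocationDbUpdateSchema` and `_SecRevocationDbSetSchemaVersion` return a bool, so the stamp could be made conditional, e.g. `ok = ok && _SecRevocationDbSetSchemaVersion(rdb, kSecRevocationDbSchemaVersion);`. As written, a database whose tables were not rebuilt can be labelled with the current schema version, and the return value says nothing about whether the stamp itself was written. If ignoring the schema-update result is deliberate because the tables are dropped anyway, a short comment saying so would help.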
@@ -1663,33 +1734,31 @@ static bool _SecRevocationDbUpdateIssuers(SecRevocationDbRef rdb, int64_t groupI for (issuerIX=0; issuerIXdb, &localError, ^(SecDbConnectionRef dbconn) { + ok &= SecDbWithSQL(dbconn, selectDateRecordSQL, &localError, ^bool(sqlite3_stmt *selectDates) { + /* (groupid,notbefore,notafter) */ + ok &= SecDbBindInt64(selectDates, 1, groupId, &localError); + ok = ok && SecDbStep(dbconn, selectDates, &localError, ^(bool *stop) { + /* if column has no value, its type will be SQLITE_NULL */ + if (SQLITE_NULL != sqlite3_column_type(selectDates, 0)) { + CFAbsoluteTime nb = (CFAbsoluteTime)sqlite3_column_double(selectDates, 0); + localNotBefore = CFDateCreate(NULL, nb); + } + if (SQLITE_NULL != sqlite3_column_type(selectDates, 1)) { + CFAbsoluteTime na = (CFAbsoluteTime)sqlite3_column_double(selectDates, 1); + localNotAfter = CFDateCreate(NULL, na); + } + }); + return ok; + }); + }); + /* must have at least one date constraint */ + ok = ok && (localNotBefore != NULL || localNotAfter != NULL); + if (!ok || localError) { + secerror("_SecRevocationDbCopyDateConstraints failed: %@", localError); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TARevocationDb, TAOperationRead, TAFatalError, + localError ? CFErrorGetCode(localError) : errSecInternalComponent); + CFReleaseNull(localNotBefore); + CFReleaseNull(localNotAfter); + } + if (notBeforeDate) { + *notBeforeDate = localNotBefore; + } else { + CFReleaseSafe(localNotBefore); + } + if (notAfterDate) { + *notAfterDate = localNotAfter; + } else { + CFReleaseSafe(localNotAfter); + } + + (void) CFErrorPropagate(localError, error); + return ok; +} + +static bool _SecRevocationDbUpdateIssuerConstraints(SecRevocationDbRef rdb, int64_t groupId, CFDictionaryRef dict, CFErrorRef *error) { + /* update optional records in dates, names, or policies tables. 
*/ + if (!dict || groupId < 0) { + return false; /* must have something to insert, and a group to associate with it */ + } + __block bool ok = true; + __block CFErrorRef localError = NULL; + __block CFAbsoluteTime notBefore = -3155760000.0; /* default: 1901-01-01 00:00:00-0000 */ + __block CFAbsoluteTime notAfter = 31556908800.0; /* default: 3001-01-01 00:00:00-0000 */ + + CFDateRef notBeforeDate = (CFDateRef)CFDictionaryGetValue(dict, CFSTR("not-before")); + CFDateRef notAfterDate = (CFDateRef)CFDictionaryGetValue(dict, CFSTR("not-after")); + if (isDate(notBeforeDate)) { + notBefore = CFDateGetAbsoluteTime(notBeforeDate); + } else { + notBeforeDate = NULL; + } + if (isDate(notAfterDate)) { + notAfter = CFDateGetAbsoluteTime(notAfterDate); + } else { + notAfterDate = NULL; + } + if (!(notBeforeDate || notAfterDate)) { + return false; /* no dates supplied, so we have nothing to update for this issuer */ + } + + if (!(notBeforeDate && notAfterDate)) { + /* only one date was supplied, so check for existing date constraints */ + CFDateRef curNotBeforeDate = NULL; + CFDateRef curNotAfterDate = NULL; + if (_SecRevocationDbCopyDateConstraints(rdb, groupId, &curNotBeforeDate, + &curNotAfterDate, &localError)) { + if (!notBeforeDate) { + notBeforeDate = curNotBeforeDate; + notBefore = CFDateGetAbsoluteTime(notBeforeDate); + } else { + CFReleaseSafe(curNotBeforeDate); + } + if (!notAfterDate) { + notAfterDate = curNotAfterDate; + notAfter = CFDateGetAbsoluteTime(notAfterDate); + } else { + CFReleaseSafe(curNotAfterDate); + } + } + } + + ok &= SecDbPerformWrite(rdb->db, &localError, ^(SecDbConnectionRef dbconn) { + ok &= SecDbTransaction(dbconn, kSecDbExclusiveTransactionType, &localError, ^(bool *commit) { + ok &= SecDbWithSQL(dbconn, insertDateRecordSQL, &localError, ^bool(sqlite3_stmt *insertDate) { + /* (groupid,notbefore,notafter) */ + ok = ok && SecDbBindInt64(insertDate, 1, groupId, &localError); + ok = ok && SecDbBindDouble(insertDate, 2, notBefore, &localError); + ok 
= ok && SecDbBindDouble(insertDate, 3, notAfter, &localError); + ok = ok && SecDbStep(dbconn, insertDate, &localError, NULL); + return ok; + }); + + /* %%% (TBI:9254570,21234699) update name and policy constraint entries here */ + }); + }); + + if (!ok || localError) { + secinfo("validupdate", "_SecRevocationDbUpdateIssuerConstraints failed (ok=%s, localError=%@)", + (ok) ? "1" : "0", localError); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TARevocationDb, TAOperationWrite, TAFatalError, + localError ? CFErrorGetCode(localError) : errSecInternalComponent); + } (void) CFErrorPropagate(localError, error); return ok; @@ -1763,14 +1956,14 @@ static SecValidInfoFormat _SecRevocationDbGetGroupFormat(SecRevocationDbRef rdb, /* Select the group record to determine flags and format. */ ok &= SecDbPerformRead(rdb->db, &localError, ^(SecDbConnectionRef dbconn) { ok &= SecDbWithSQL(dbconn, selectGroupRecordSQL, &localError, ^bool(sqlite3_stmt *selectGroup) { - ok = SecDbBindInt64(selectGroup, 1, groupId, &localError); - ok &= SecDbStep(dbconn, selectGroup, &localError, ^(bool *stop) { + ok = ok && SecDbBindInt64(selectGroup, 1, groupId, &localError); + ok = ok && SecDbStep(dbconn, selectGroup, &localError, ^(bool *stop) { if (flags) { *flags = (SecValidInfoFlags)sqlite3_column_int(selectGroup, 0); } format = (SecValidInfoFormat)sqlite3_column_int(selectGroup, 1); if (data) { - //TODO: stream this from sqlite through the inflation so we return an inflated copy, then remove inflate from others + //%%% stream the data from the db into a streamed decompression uint8_t *p = (uint8_t *)sqlite3_column_blob(selectGroup, 2); if (p != NULL && format == kSecValidInfoFormatNto1) { CFIndex length = (CFIndex)sqlite3_column_bytes(selectGroup, 2); 
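Review bot: In `_SecRevocationDbUpdateIssuerConstraints`, the branch that merges stored constraints calls `CFDateGetAbsoluteTime()` on `curNotBeforeDate` / `curNotAfterDate` without a NULL check, but `_SecRevocationDbCopyDateConstraints` returns true as soon as one of the two dates exists, so as far as this code shows the other can be NULL. The copied date adopted into `notBeforeDate` or `notAfterDate` is also never released in the visible code, whereas the dictionary values those variables held before are borrowed. Only the absolute times are bound in the insert below, so the copies can be read and released right away, keeping the default for a missing stored date. Separately, the step callback in `_SecRevocationDbCopyDateConstraints` never sets `*stop`, so a second row for the same group would appear to overwrite and leak the first pair of dates.

```c
    if (!(notBeforeDate && notAfterDate)) {
        /* only one date was supplied, so check for existing date constraints */
        CFDateRef curNotBeforeDate = NULL;
        CFDateRef curNotAfterDate = NULL;
        if (_SecRevocationDbCopyDateConstraints(rdb, groupId, &curNotBeforeDate,
                                                &curNotAfterDate, &localError)) {
            /* either stored date may be absent; keep the default for a missing one */
            if (!notBeforeDate && curNotBeforeDate) {
                notBefore = CFDateGetAbsoluteTime(curNotBeforeDate);
            }
            if (!notAfterDate && curNotAfterDate) {
                notAfter = CFDateGetAbsoluteTime(curNotAfterDate);
            }
        }
        /* only the absolute times are used below, so drop the copies here */
        CFReleaseSafe(curNotBeforeDate);
        CFReleaseSafe(curNotAfterDate);
    }
    /* … unchanged: SecDbPerformWrite / insertDateRecordSQL transaction … */
```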
@@ -1781,8 +1974,10 @@ static SecValidInfoFormat _SecRevocationDbGetGroupFormat(SecRevocationDbRef rdb, return ok; }); }); - if (!ok) { + if (!ok || localError) { secdebug("validupdate", "GetGroupFormat for groupId %lu failed", (unsigned long)groupId); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TARevocationDb, TAOperationRead, TAFatalError, + localError ? CFErrorGetCode(localError) : errSecInternalComponent); format = kSecValidInfoFormatUnknown; } (void) CFErrorPropagate(localError, error); @@ -1794,14 +1989,28 @@ static SecValidInfoFormat _SecRevocationDbGetGroupFormat(SecRevocationDbRef rdb, static bool _SecRevocationDbUpdateFlags(CFDictionaryRef dict, CFStringRef key, SecValidInfoFlags mask, SecValidInfoFlags *flags) { /* If a boolean value exists in the given dictionary for the given key, + or an explicit "1" or "0" is specified as the key string, set or clear the corresponding bit(s) defined by the mask argument. Function returns true if the flags value was changed, false otherwise. */ - bool result = false; + if (!isDictionary(dict) || !isString(key) || !flags) { + return false; + } + bool hasValue = false, newValue = false, result = false; CFTypeRef value = (CFBooleanRef)CFDictionaryGetValue(dict, key); - if (isBoolean(value) && flags) { + if (isBoolean(value)) { + newValue = CFBooleanGetValue((CFBooleanRef)value); + hasValue = true; + } else if (BOOL_STRING_KEY_LENGTH == CFStringGetLength(key)) { + if (CFStringCompare(key, kBoolTrueKey, 0) == kCFCompareEqualTo) { + hasValue = newValue = true; + } else if (CFStringCompare(key, kBoolFalseKey, 0) == kCFCompareEqualTo) { + hasValue = true; + } + } + if (hasValue) { SecValidInfoFlags oldFlags = *flags; - if (CFBooleanGetValue((CFBooleanRef)value)) { + if (newValue) { *flags |= mask; } else { *flags &= ~(mask); 
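Review bot: `_SecRevocationDbUpdateFlags` looks the key up in `dict` before it tests for the `kBoolTrueKey` / `kBoolFalseKey` sentinels, so a boolean stored in the dictionary under the sentinel string itself would win over the forced value. The caller in the `_SecRevocationDbUpdateGroup` hunk uses `kBoolTrueKey` to force `kSecValidInfoDateConstraints` on and `kBoolFalseKey` to force the name and policy flags off, and the dictionary is presumably parsed from the downloaded update. Testing the sentinels first keeps the forced flags independent of dictionary contents. The function body continues past the end of this hunk.

```c
    bool hasValue = false, newValue = false, result = false;
    bool isSentinel = false;
    if (BOOL_STRING_KEY_LENGTH == CFStringGetLength(key)) {
        /* forced values are resolved before any dictionary lookup */
        if (CFStringCompare(key, kBoolTrueKey, 0) == kCFCompareEqualTo) {
            isSentinel = hasValue = newValue = true;
        } else if (CFStringCompare(key, kBoolFalseKey, 0) == kCFCompareEqualTo) {
            isSentinel = hasValue = true;
        }
    }
    if (!isSentinel) {
        CFTypeRef value = CFDictionaryGetValue(dict, key);
        if (isBoolean(value)) {
            newValue = CFBooleanGetValue((CFBooleanRef)value);
            hasValue = true;
        }
    }
    /* … unchanged: apply mask to *flags when hasValue … */
```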
@@ -1961,7 +2170,7 @@ static int64_t _SecRevocationDbUpdateGroup(SecRevocationDbRef rdb, int64_t group /* fetch the flags and data for an existing group record, in case some are being changed. */ format = _SecRevocationDbGetGroupFormat(rdb, groupId, &flags, &data, NULL); if (format == kSecValidInfoFormatUnknown) { - secdebug("validupdate", "existing group %lld has unknown format %d, flags=%lu", + secdebug("validupdate", "existing group %lld has unknown format %d, flags=0x%lx", (long long)groupId, format, flags); //%%% clean up by deleting all issuers with this groupId, then the group record, // or just force a full update? note: we can get here if we fail to bind the @@ -1995,9 +2204,7 @@ static int64_t _SecRevocationDbUpdateGroup(SecRevocationDbRef rdb, int64_t group ok &= SecDbWithSQL(dbconn, deleteGroupRecordSQL, &localError, ^bool(sqlite3_stmt *deleteResponse) { ok = SecDbBindInt64(deleteResponse, 1, groupId, &localError); /* Execute the delete statement. */ - if (ok) { - ok = SecDbStep(dbconn, deleteResponse, &localError, NULL); - } + ok = ok && SecDbStep(dbconn, deleteResponse, &localError, NULL); return ok; }); } 
@@ -2019,6 +2226,22 @@ static int64_t _SecRevocationDbUpdateGroup(SecRevocationDbRef rdb, int64_t group (void)_SecRevocationDbUpdateFlags(dict, CFSTR("require-ct"), kSecValidInfoRequireCT, &flags); (void)_SecRevocationDbUpdateFlags(dict, CFSTR("valid"), kSecValidInfoAllowlist, &flags); (void)_SecRevocationDbUpdateFlags(dict, CFSTR("no-ca"), kSecValidInfoNoCACheck, &flags); + (void)_SecRevocationDbUpdateFlags(dict, CFSTR("overridable"), kSecValidInfoOverridable, &flags); + + /* date constraints exist if either "not-before" or "not-after" keys are found */ + CFTypeRef notBeforeValue = (CFDateRef)CFDictionaryGetValue(dict, CFSTR("not-before")); + CFTypeRef notAfterValue = (CFDateRef)CFDictionaryGetValue(dict, CFSTR("not-after")); + if (isDate(notBeforeValue) || isDate(notAfterValue)) { + (void)_SecRevocationDbUpdateFlags(dict, kBoolTrueKey, kSecValidInfoDateConstraints, &flags); + /* Note that the spec defines not-before and not-after dates as optional, such that + not providing one does not change the database contents. Therefore, we can never clear + this flag; either a new date entry will be supplied, or a format change will cause + the entire group entry to be deleted. */ + } + + /* %%% (TBI:9254570,21234699) name and policy constraints don't exist yet */ + (void)_SecRevocationDbUpdateFlags(dict, kBoolFalseKey, kSecValidInfoNameConstraints, &flags); + (void)_SecRevocationDbUpdateFlags(dict, kBoolFalseKey, kSecValidInfoPolicyConstraints, &flags); ok = SecDbBindInt(insertGroup, 2, (int)flags, &localError); if (!ok) { @@ -2080,7 +2303,11 @@ static int64_t _SecRevocationDbUpdateGroup(SecRevocationDbRef rdb, int64_t group }); }); }); - + if (!ok || localError) { + secerror("_SecRevocationDbUpdateGroup failed: %@", localError); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TARevocationDb, TAOperationWrite, TAFatalError, + localError ? CFErrorGetCode(localError) : errSecInternalComponent); + } (void) CFErrorPropagate(localError, error); return result; } 
@@ -2116,7 +2343,7 @@ static int64_t _SecRevocationDbGroupIdForIssuerHash(SecRevocationDbRef rdb, CFDa */ ok &= SecDbPerformRead(rdb->db, &localError, ^(SecDbConnectionRef dbconn) { ok &= SecDbWithSQL(dbconn, selectGroupIdSQL, &localError, ^bool(sqlite3_stmt *selectGroupId) { - ok = SecDbBindBlob(selectGroupId, 1, CFDataGetBytePtr(hash), CFDataGetLength(hash), SQLITE_TRANSIENT, &localError); + ok &= SecDbBindBlob(selectGroupId, 1, CFDataGetBytePtr(hash), CFDataGetLength(hash), SQLITE_TRANSIENT, &localError); ok &= SecDbStep(dbconn, selectGroupId, &localError, ^(bool *stopGroupId) { groupId = sqlite3_column_int64(selectGroupId, 0); }); @@ -2125,6 +2352,11 @@ static int64_t _SecRevocationDbGroupIdForIssuerHash(SecRevocationDbRef rdb, CFDa }); errOut: + if (!ok || localError) { + secerror("_SecRevocationDbGroupIdForIssuerHash failed: %@", localError); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TARevocationDb, TAOperationRead, TAFatalError, + localError ? CFErrorGetCode(localError) : errSecInternalComponent); + } (void) CFErrorPropagate(localError, error); return groupId; } 
@@ -2141,18 +2373,21 @@ static bool _SecRevocationDbApplyGroupDelete(SecRevocationDbRef rdb, CFDataRef i ok &= SecDbPerformWrite(rdb->db, &localError, ^(SecDbConnectionRef dbconn) { ok &= SecDbTransaction(dbconn, kSecDbExclusiveTransactionType, &localError, ^(bool *commit) { - ok = SecDbWithSQL(dbconn, deleteGroupRecordSQL, &localError, ^bool(sqlite3_stmt *deleteResponse) { - ok = SecDbBindInt64(deleteResponse, 1, groupId, &localError); + ok &= SecDbWithSQL(dbconn, deleteGroupRecordSQL, &localError, ^bool(sqlite3_stmt *deleteResponse) { + ok &= SecDbBindInt64(deleteResponse, 1, groupId, &localError); /* Execute the delete statement. */ - if (ok) { - ok = SecDbStep(dbconn, deleteResponse, &localError, NULL); - } + ok = ok && SecDbStep(dbconn, deleteResponse, &localError, NULL); return ok; }); }); }); errOut: + if (!ok || localError) { + secerror("_SecRevocationDbApplyGroupDelete failed: %@", localError); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TARevocationDb, TAOperationWrite, TAFatalError, + localError ? CFErrorGetCode(localError) : errSecInternalComponent); + } (void) CFErrorPropagate(localError, error); return (groupId < 0) ? false : true; } @@ -2180,7 +2415,9 @@ static bool _SecRevocationDbApplyGroupUpdate(SecRevocationDbRef rdb, CFDictionar /* create or update issuer entries, now that we know the group id */ _SecRevocationDbUpdateIssuers(rdb, groupId, issuers, &localError); /* create or update entries in serials or hashes tables */ - _SecRevocationDbUpdatePerIssuerData(rdb, groupId, dict, &localError); + _SecRevocationDbUpdateIssuerData(rdb, groupId, dict, &localError); + /* create or update entries in dates/names/policies tables */ + _SecRevocationDbUpdateIssuerConstraints(rdb, groupId, dict, &localError); } (void) CFErrorPropagate(localError, error); 
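Review bot: `_SecRevocationDbApplyGroupUpdate` ignores the results of `_SecRevocationDbUpdateIssuers`, `_SecRevocationDbUpdateIssuerData` and the new `_SecRevocationDbUpdateIssuerConstraints`, and passes the same `&localError` to all three. The `kSecValidInfoDateConstraints` flag is set in the `_SecRevocationDbUpdateGroup` hunk, in a write that appears to be separate from the dates insert, so a failed constraints insert can leave a group flagged as constrained with no dates row. On the read side (the `_SecRevocationDbValidInfoForCertificate` hunk) `SecValidInfoCreate` is then still called with both dates NULL while `flags` carries the bit, so whoever enforces the constraint should not read NULL dates as unconstrained. At minimum I would add a comment here such as `/* a failure below leaves the group flags ahead of the dates table; lookups must tolerate the flag without dates */`. The function starts before this hunk.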
@@ -2220,6 +2457,8 @@ static void _SecRevocationDbApplyUpdate(SecRevocationDbRef rdb, CFDictionaryRef if (isData(issuerHash)) { (void)_SecRevocationDbApplyGroupDelete(rdb, issuerHash, &localError); CFReleaseNull(localError); + } else { + secdebug("validupdate", "skipping delete %ld (hash is not a data value)", (long)deleteIX); } } } @@ -2234,6 +2473,8 @@ static void _SecRevocationDbApplyUpdate(SecRevocationDbRef rdb, CFDictionaryRef if (isDictionary(dict)) { (void)_SecRevocationDbApplyGroupUpdate(rdb, dict, &localError); CFReleaseNull(localError); + } else { + secdebug("validupdate", "skipping update %ld (not a dictionary)", (long)updateIX); } } } @@ -2285,6 +2526,11 @@ static bool _SecRevocationDbSerialInGroup(SecRevocationDbRef rdb, }); errOut: + if (!ok || localError) { + secerror("_SecRevocationDbSerialInGroup failed: %@", localError); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TARevocationDb, TAOperationRead, TAFatalError, + localError ? CFErrorGetCode(localError) : errSecInternalComponent); + } (void) CFErrorPropagate(localError, error); return result; } @@ -2311,6 +2557,11 @@ static bool _SecRevocationDbCertHashInGroup(SecRevocationDbRef rdb, }); errOut: + if (!ok || localError) { + secerror("_SecRevocationDbCertHashInGroup failed: %@", localError); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TARevocationDb, TAOperationRead, TAFatalError, + localError ? CFErrorGetCode(localError) : errSecInternalComponent); + } (void) CFErrorPropagate(localError, error); return result; } @@ -2395,6 +2646,10 @@ static SecValidInfoRef _SecRevocationDbValidInfoForCertificate(SecRevocationDbRe int64_t groupId = 0; CFDataRef serial = NULL; CFDataRef certHash = NULL; + CFDateRef notBeforeDate = NULL; + CFDateRef notAfterDate = NULL; + CFDataRef nameConstraints = NULL; + CFDataRef policyConstraints = NULL; SecValidInfoRef result = NULL; require((serial = SecCertificateCopySerialNumberData(certificate, NULL)) != NULL, errOut); 
@@ -2405,7 +2660,8 @@ static SecValidInfoRef _SecRevocationDbValidInfoForCertificate(SecRevocationDbRe format = _SecRevocationDbGetGroupFormat(rdb, groupId, &flags, &data, &localError); if (format == kSecValidInfoFormatUnknown) { - /* No group record found for this issuer. */ + /* No group record found for this issuer. Don't return a SecValidInfoRef */ + goto errOut; } else if (format == kSecValidInfoFormatSerial) { /* Look up certificate's serial number in the serials table. */ 
@@ -2424,31 +2680,28 @@ static SecValidInfoRef _SecRevocationDbValidInfoForCertificate(SecRevocationDbRe if (matched) { /* Found a specific match for this certificate. */ - secdebug("validupdate", "Valid db matched certificate: %@, format=%d, flags=%lu", + secdebug("validupdate", "Valid db matched certificate: %@, format=%d, flags=0x%lx", certHash, format, flags); isOnList = true; } - else if ((flags & kSecValidInfoComplete) && (flags & kSecValidInfoAllowlist)) { - /* Not matching against a complete allowlist is equivalent to revocation. */ - secdebug("validupdate", "Valid db did NOT match certificate on allowlist: %@, format=%d, flags=%lu", - certHash, format, flags); - matched = true; - } - else if ((!(flags & kSecValidInfoComplete)) && (format > kSecValidInfoFormatUnknown)) { - /* Not matching against an incomplete list implies we need to check OCSP. */ - secdebug("validupdate", "Valid db did not find certificate on incomplete list: %@, format=%d, flags=%lu", - certHash, format, flags); - matched = true; - } - if (matched) { - /* Return SecValidInfo for a matched certificate. */ - result = SecValidInfoCreate(format, flags, isOnList, certHash, issuerHash, NULL); + /* If supplemental constraints are present for this issuer, then we always match. */ + if ((flags & kSecValidInfoDateConstraints) && + (_SecRevocationDbCopyDateConstraints(rdb, groupId, ¬BeforeDate, ¬AfterDate, &localError))) { + secdebug("validupdate", "Valid db matched supplemental date constraints for groupId %lld: nb=%@, na=%@", + (long long)groupId, notBeforeDate, notAfterDate); } + + /* Return SecValidInfo for certificates for which an issuer entry is found. */ + result = SecValidInfoCreate(format, flags, isOnList, + certHash, issuerHash, /*anchorHash*/ NULL, + notBeforeDate, notAfterDate, + nameConstraints, policyConstraints); + if (result && SecIsAppleTrustAnchor(certificate, 0)) { /* Prevent a catch-22. 
*/ - secdebug("validupdate", "Valid db match for Apple trust anchor: %@, format=%d, flags=%lu", + secdebug("validupdate", "Valid db match for Apple trust anchor: %@, format=%d, flags=0x%lx", certHash, format, flags); SecValidInfoRelease(result); result = NULL; @@ -2459,6 +2712,10 @@ errOut: CFReleaseSafe(data); CFReleaseSafe(certHash); CFReleaseSafe(serial); + CFReleaseSafe(notBeforeDate); + CFReleaseSafe(notAfterDate); + CFReleaseSafe(nameConstraints); + CFReleaseSafe(policyConstraints); return result; } @@ -2495,14 +2752,40 @@ void SecRevocationDbApplyUpdate(CFDictionaryRef update, CFIndex version) { }); } +/* Update the database schema, insert missing tables and replace triggers. + (This function is expected to be called only by the database maintainer, + normally the system instance of trustd.) +*/ +bool SecRevocationDbUpdateSchema(void) { + __block bool result = false; + SecRevocationDbWith(^(SecRevocationDbRef db) { + result = _SecRevocationDbUpdateSchema(db); + }); + return result; +} + /* Set the schema version for the revocation database. (This function is expected to be called only by the database maintainer, normally the system instance of trustd.) */ -void SecRevocationDbSetSchemaVersion(CFIndex db_version) { +bool SecRevocationDbSetSchemaVersion(CFIndex db_version) { + __block bool result = false; SecRevocationDbWith(^(SecRevocationDbRef db) { - _SecRevocationDbSetSchemaVersion(db, db_version); + result = _SecRevocationDbSetSchemaVersion(db, db_version); }); + return result; +} + +/* Set the current version for the revocation database. + (This function is expected to be called only by the database maintainer, + normally the system instance of trustd.) +*/ +bool SecRevocationDbSetVersion(CFIndex version) { + __block bool result = false; + SecRevocationDbWith(^(SecRevocationDbRef db) { + _SecRevocationDbSetVersion(db, version); + }); + return result; } /* Set the update format for the revocation database. 
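Review bot: `SecRevocationDbSetVersion` returns `result` without ever assigning it, so the new bool return is always false; the block calls `_SecRevocationDbSetVersion(db, version);` and drops whatever it yields. The sibling `SecRevocationDbSetSchemaVersion` in the same hunk assigns `result = _SecRevocationDbSetSchemaVersion(db, db_version);`. If `_SecRevocationDbSetVersion` returns a bool (its definition is outside this hunk), the block should read `result = _SecRevocationDbSetVersion(db, version);`. Otherwise the wrapper should stay `void` rather than report a failure that never reflects the write.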
diff --git a/OSX/sec/securityd/SecRevocationDb.h b/OSX/sec/securityd/SecRevocationDb.h index 6c7c8c90..29a715fe 100644 --- a/OSX/sec/securityd/SecRevocationDb.h +++ b/OSX/sec/securityd/SecRevocationDb.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * Copyright (c) 2016-2018 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * 
@@ -55,17 +55,25 @@ typedef CF_ENUM(uint32_t, SecValidInfoFormat) { typedef struct __SecValidInfo *SecValidInfoRef; struct __SecValidInfo { - SecValidInfoFormat format; // format of per-issuer validity data - CFDataRef certHash; // SHA-256 hash of cert to which the following info applies - CFDataRef issuerHash; // SHA-256 hash of issuing CA certificate - CFDataRef anchorHash; // SHA-256 hash of anchor certificate (optional) - bool isOnList; // true if this cert was found on allow list or block list - bool valid; // true if this is an allow list, false if a block list - bool complete; // true if list is complete (i.e. status is definitive) - bool checkOCSP; // true if complete is false and OCSP check is required - bool knownOnly; // true if all intermediates under issuer must be found in database - bool requireCT; // true if this cert must have CT proof - bool noCACheck; // true if an entry does not require an OCSP check to accept + SecValidInfoFormat format; // format of per-issuer validity data + CFDataRef certHash; // SHA-256 hash of cert to which the following info applies + CFDataRef issuerHash; // SHA-256 hash of issuing CA certificate + CFDataRef anchorHash; // SHA-256 hash of anchor certificate (optional) + bool isOnList; // true if this cert was found on allow list or block list + bool valid; // true if this is an allow list, false if a block list + bool complete; // true if list is complete (i.e. 
status is definitive) + bool checkOCSP; // true if complete is false and OCSP check is required + bool knownOnly; // true if all intermediates under issuer must be found in database + bool requireCT; // true if this cert must have CT proof + bool noCACheck; // true if an entry does not require an OCSP check to accept + bool overridable; // true if the trust status is recoverable and can be overridden + bool hasDateConstraints; // true if this issuer has supplemental date constraints + bool hasNameConstraints; // true if this issuer has supplemental name constraints + bool hasPolicyConstraints; // true if this issuer has policy constraints + CFDateRef notBeforeDate; // minimum notBefore for this certificate (if hasDateConstraints is true) + CFDateRef notAfterDate; // maximum notAfter for this certificate (if hasDateConstraints is true) + CFDataRef nameConstraints; // name constraints blob (if hasNameConstraints is true) + CFDataRef policyConstraints; // policy constraints blob (if policyConstraints is true) }; /*! diff --git a/OSX/sec/securityd/SecRevocationNetworking.m b/OSX/sec/securityd/SecRevocationNetworking.m index 21a0742a..a91c5851 100644 --- a/OSX/sec/securityd/SecRevocationNetworking.m +++ b/OSX/sec/securityd/SecRevocationNetworking.m @@ -35,6 +35,7 @@ #include "utilities/SecFileLocations.h" #include "SecRevocationDb.h" +#import "SecTrustLoggingServer.h" #import "SecRevocationNetworking.h" @@ -119,6 +120,7 @@ typedef void (^CompletionHandler)(void); int rtn; if ((rtn = readValidFile(updateFilePath, &updateData)) != 0) { secerror("failed to read %@ with error %d", updateFileURL, rtn); + TrustdHealthAnalyticsLogErrorCode(TAEventValidUpdate, TAFatalError, rtn); [self reschedule]; return; } 
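Review bot: The comment on the last new member of `struct __SecValidInfo` names the wrong field: `// policy constraints blob (if policyConstraints is true)` should read `// policy constraints blob (if hasPolicyConstraints is true)`. The four new CF members (`notBeforeDate`, `notAfterDate`, `nameConstraints`, `policyConstraints`) also carry no ownership note. A one-line comment stating whether the struct retains them and which function releases them would help, since the caller in SecRevocationDb.c releases its own references right after `SecValidInfoCreate`.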
@@ -198,6 +200,9 @@ didReceiveResponse:(NSURLResponse *)response self->_currentUpdateFile = [NSFileHandle fileHandleForWritingToURL:self->_currentUpdateFileURL error:&error]; if (!self->_currentUpdateFile) { secnotice("validupdate", "failed to open %@: %@. canceling task %@", self->_currentUpdateFileURL, error, dataTask); +#if ENABLE_TRUSTD_ANALYTICS + [[TrustdHealthAnalytics logger] logResultForEvent:TrustdHealthAnalyticsEventValidUpdate hardFailure:NO result:error]; +#endif // ENABLE_TRUSTD_ANALYTICS completionHandler(NSURLSessionResponseCancel); [self reschedule]; return; @@ -227,6 +232,7 @@ didReceiveResponse:(NSURLResponse *)response } @catch(NSException *exception) { secnotice("validupdate", "%s", exception.description.UTF8String); + TrustdHealthAnalyticsLogErrorCode(TAEventValidUpdate, TARecoverableError, errSecDiskFull); [dataTask cancel]; [self reschedule]; } @@ -242,6 +248,9 @@ didCompleteWithError:(NSError *)error { } if (error) { secnotice("validupdate", "Session %@ task %@ failed with error %@", session, task, error); +#if ENABLE_TRUSTD_ANALYTICS + [[TrustdHealthAnalytics logger] logResultForEvent:TrustdHealthAnalyticsEventValidUpdate hardFailure:NO result:error]; +#endif // ENABLE_TRUSTD_ANALYTICS [self reschedule]; /* close file before we leave */ [self->_currentUpdateFile closeFile]; @@ -343,8 +352,7 @@ static ValidUpdateRequest *request = nil; /* nsurlsessiond waits for unlock to finish launching, so we can't block trust evaluations * on scheduling this background task. Also, we want to wait a sufficient amount of time * after system boot before trying to initiate network activity, to avoid the possibility - * of a performance regression in the boot path. - */ + * of a performance regression in the boot path. */ dispatch_async(updateQueue, ^{ CFAbsoluteTime now = CFAbsoluteTimeGetCurrent(); if (self.updateScheduled != 0.0) { 
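Review bot: The failure paths instrumented in `didReceiveResponse` (this hunk) and `didCompleteWithError` (the `@@ -242,6 +248,9 @@` hunk) use a different analytics interface from the other instrumentation added to this file. They call `[[TrustdHealthAnalytics logger] logResultForEvent:TrustdHealthAnalyticsEventValidUpdate …]` under `#if ENABLE_TRUSTD_ANALYTICS`, while the neighbouring hunks call the unguarded `TrustdHealthAnalyticsLogErrorCode(TAEventValidUpdate, …)`. Nothing visible here defines `ENABLE_TRUSTD_ANALYTICS`, so if it is unset these two download failures are missing from the health data while the read and write failures are reported. I would use the same helper at both sites, for example `TrustdHealthAnalyticsLogErrorCode(TAEventValidUpdate, TARecoverableError, error.code);` (the helper's third parameter type is not visible here), or add a comment explaining why these two sites need the guarded form.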
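Review bot: The `@catch` handler in the `@@ -227,6 +232,7 @@` hunk reports `errSecDiskFull` for every `NSException` it catches, regardless of what `exception.description` says. The `@try` body lies outside the hunk, so which exceptions can reach this handler cannot be confirmed from here. Any cause other than a full volume would be recorded as disk-full and would mislead triage of Valid update failures. Either inspect the exception before choosing the code, or document the assumption next to the call: `/* assumes the only exception raised in this @try is a failed write to the update file; reported as errSecDiskFull */`.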
diff --git a/OSX/sec/securityd/SecRevocationServer.c b/OSX/sec/securityd/SecRevocationServer.c index a0400b49..78823096 100644 --- a/OSX/sec/securityd/SecRevocationServer.c +++ b/OSX/sec/securityd/SecRevocationServer.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2008-2017 Apple Inc. All Rights Reserved. + * Copyright (c) 2008-2018 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -27,6 +27,8 @@ #include +#include + #include #include #include @@ -182,7 +184,7 @@ static bool SecOCSPSingleResponseProcess(SecOCSPSingleResponseRef this, SInt32 reason = this->crlReason; CFNumberRef cfreason = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &reason); SecPathBuilderSetResultInPVCs(rvc->builder, kSecPolicyCheckRevocation, rvc->certIX, - cfreason, true, kSecTrustResultFatalTrustFailure); + cfreason, true); if (rvc->builder) { CFMutableDictionaryRef info = SecPathBuilderGetInfo(rvc->builder); if (info) { @@ -221,7 +223,7 @@ typedef void (^SecOCSPEvaluationCompleted)(SecTrustResultType tr); static void SecOCSPEvaluateCompleted(const void *userData, - SecCertificatePathRef chain, CFArrayRef details, CFDictionaryRef info, + CFArrayRef chain, CFArrayRef details, CFDictionaryRef info, SecTrustResultType result) { SecOCSPEvaluationCompleted evaluated = (SecOCSPEvaluationCompleted)userData; evaluated(result); @@ -359,9 +361,6 @@ static void SecORVCConsumeOCSPResponse(SecORVCRef rvc, SecOCSPResponseRef ocspRe require_quiet(!rvc->ocspSingleResponse || rvc->ocspSingleResponse->thisUpdate < sr->thisUpdate, errOut); CFAbsoluteTime verifyTime = CFAbsoluteTimeGetCurrent(); - /* TODO: If the responder doesn't have the ocsp-nocheck extension we should - check whether the leaf was revoked (we are already checking the rest of - the chain). */ /* Check the OCSP response signature and verify the response. */ require_quiet(SecOCSPResponseVerify(ocspResponse, rvc, sr->certStatus == CS_Revoked ? SecOCSPResponseProducedAt(ocspResponse) : verifyTime), errOut); 
@@ -401,6 +400,11 @@ errOut: static void SecOCSPFetchCompleted(asynchttp_t *http, CFTimeInterval maxAge) { SecORVCRef rvc = (SecORVCRef)http->info; SecPathBuilderRef builder = rvc->builder; + TrustAnalyticsBuilder *analytics = SecPathBuilderGetAnalyticsData(builder); + if (analytics) { + /* Add the time this fetch took to complete to the total time */ + analytics->ocsp_fetch_time += (mach_absolute_time() - http->start_time); + } SecOCSPResponseRef ocspResponse = NULL; if (http->response) { CFDataRef data = CFHTTPMessageCopyBody(http->response); @@ -411,10 +415,19 @@ static void SecOCSPFetchCompleted(asynchttp_t *http, CFTimeInterval maxAge) { } } + if ((!http->response || !ocspResponse) && analytics) { + /* We didn't get any data back, so the fetch failed */ + analytics->ocsp_fetch_failed++; + } + SecORVCConsumeOCSPResponse(rvc, ocspResponse, maxAge, true); // TODO: maybe we should set the cache-control: false in the http header and try again if the response is stale if (!rvc->done) { + if (analytics && ocspResponse) { + /* We got an OCSP response that didn't pass validation */ + analytics-> ocsp_validation_failed = true; + } /* Clear the data for the next response. */ asynchttp_free(http); SecORVCFetchNext(rvc); @@ -548,9 +561,7 @@ static CFURLRef SecCRVCGetNextDistributionPoint(SecCRVCRef rvc) { static void SecCRVCGetCRLStatus(SecCRVCRef rvc) { SecCertificateRef cert = SecPathBuilderGetCertificateAtIndex(rvc->builder, rvc->certIX); SecCertificatePathVCRef path = SecPathBuilderGetPath(rvc->builder); - SecCertificatePathRef nonVCpath = SecCertificatePathVCCopyCertificatePath(path); - CFArrayRef serializedCertPath = SecCertificatePathCreateSerialized(nonVCpath, NULL); - CFReleaseNull(nonVCpath); + CFArrayRef serializedCertPath = SecCertificatePathVCCreateSerialized(path); secdebug("rvc", "searching CRL cache for cert: %ld", rvc->certIX); rvc->status = SecTrustLegacyCRLStatus(cert, serializedCertPath, rvc->distributionPoint); CFReleaseNull(serializedCertPath); 
@@ -577,9 +588,7 @@ static bool SecCRVCFetchNext(SecCRVCRef rvc) { while ((rvc->distributionPoint = SecCRVCGetNextDistributionPoint(rvc))) { SecCertificateRef cert = SecPathBuilderGetCertificateAtIndex(rvc->builder, rvc->certIX); SecCertificatePathVCRef path = SecPathBuilderGetPath(rvc->builder); - SecCertificatePathRef nonVCpath = SecCertificatePathVCCopyCertificatePath(path); - CFArrayRef serializedCertPath = SecCertificatePathCreateSerialized(nonVCpath, NULL); - CFReleaseNull(nonVCpath); + CFArrayRef serializedCertPath = SecCertificatePathVCCreateSerialized(path); secinfo("rvc", "fetching CRL for cert: %ld", rvc->certIX); if (!SecTrustLegacyCRLFetch(&rvc->async_ocspd, rvc->distributionPoint, CFAbsoluteTimeGetCurrent(), cert, serializedCertPath)) { @@ -611,7 +620,7 @@ static void SecCRVCUpdatePVC(SecCRVCRef rvc) { SInt32 reason = 0; // unspecified, since ocspd didn't tell us CFNumberRef cfreason = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &reason); SecPathBuilderSetResultInPVCs(rvc->builder, kSecPolicyCheckRevocation, rvc->certIX, - cfreason, true, kSecTrustResultFatalTrustFailure); + cfreason, true); if (rvc->builder) { CFMutableDictionaryRef info = SecPathBuilderGetInfo(rvc->builder); if (info) { @@ -626,6 +635,11 @@ static void SecCRVCUpdatePVC(SecCRVCRef rvc) { static void SecCRVCFetchCompleted(async_ocspd_t *ocspd) { SecCRVCRef rvc = ocspd->info; SecPathBuilderRef builder = rvc->builder; + TrustAnalyticsBuilder *analytics = SecPathBuilderGetAnalyticsData(builder); + if (analytics) { + /* Add the time this fetch took to complete to the total time */ + analytics->crl_fetch_time += (mach_absolute_time() - ocspd->start_time); + } /* we got a response indicating that the CRL was checked */ if (ocspd->response == errSecSuccess || ocspd->response == errSecCertificateRevoked) { rvc->status = ocspd->response; 
@@ -639,6 +653,10 @@ static void SecCRVCFetchCompleted(async_ocspd_t *ocspd) { SecPathBuilderStep(builder); } } else { + if (analytics) { + /* We didn't get any data back, so the fetch failed */ + analytics->crl_fetch_failed++; + } if(SecCRVCFetchNext(rvc)) { if (!SecPathBuilderDecrementAsyncJobCount(builder)) { secdebug("rvc", "done with all async jobs"); @@ -671,10 +689,14 @@ static SecCRVCRef SecCRVCCreate(SecRVCRef rvc, SecPathBuilderRef builder, CFInde static bool SecRVCShouldCheckCRL(SecRVCRef rvc) { CFStringRef revocation_method = SecPathBuilderGetRevocationMethod(rvc->builder); + TrustAnalyticsBuilder *analytics = SecPathBuilderGetAnalyticsData(rvc->builder); if (revocation_method && CFEqual(kSecPolicyCheckRevocationCRL, revocation_method)) { /* Our client insists on CRLs */ secinfo("rvc", "client told us to check CRL"); + if (analytics) { + analytics->crl_client = true; + } return true; } SecCertificateRef cert = SecPathBuilderGetCertificateAtIndex(rvc->builder, rvc->certIX); @@ -684,6 +706,9 @@ static bool SecRVCShouldCheckCRL(SecRVCRef rvc) { /* The cert doesn't have OCSP responders and the client didn't specifically ask for OCSP. * This logic will skip the CRL cache check if the client didn't ask for revocation checking */ secinfo("rvc", "client told us to check revocation and CRL is only option for cert: %ld", rvc->certIX); + if (analytics) { + analytics->crl_cert = true; + } return true; } return false; 
@@ -744,65 +769,182 @@ static bool SecRVCShouldCheckOCSP(SecRVCRef rvc) { } #endif -static void SecRVCProcessValidInfoResults(SecRVCRef rvc) { +static void SecRVCProcessValidDateConstraints(SecRVCRef rvc) { if (!rvc || !rvc->valid_info || !rvc->builder) { return; } - SecValidInfoFormat format = rvc->valid_info->format; - bool valid = rvc->valid_info->valid; - bool noCACheck = rvc->valid_info->noCACheck; - bool checkOCSP = rvc->valid_info->checkOCSP; - bool complete = rvc->valid_info->complete; - bool isOnList = rvc->valid_info->isOnList; - bool definitive = false; - - if (format == kSecValidInfoFormatSerial || format == kSecValidInfoFormatSHA256) { - /* serial or hash list: could be blocked or allowed; could be incomplete */ - if (((!valid && complete && isOnList) || (valid && complete && !isOnList)) && noCACheck) { - /* definitely revoked */ - SInt32 reason = 0; /* unspecified, since the Valid db doesn't tell us */ + if (!rvc->valid_info->hasDateConstraints) { + return; + } + SecCertificateRef certificate = SecPathBuilderGetCertificateAtIndex(rvc->builder, rvc->certIX); + if (!certificate) { + return; + } + CFAbsoluteTime certIssued = SecCertificateNotValidBefore(certificate); + CFAbsoluteTime caNotBefore = -3155760000.0; /* default: 1901-01-01 00:00:00-0000 */ + CFAbsoluteTime caNotAfter = 31556908800.0; /* default: 3001-01-01 00:00:00-0000 */ + if (rvc->valid_info->notBeforeDate) { + caNotBefore = CFDateGetAbsoluteTime(rvc->valid_info->notBeforeDate); + } + if (rvc->valid_info->notAfterDate) { + caNotAfter = CFDateGetAbsoluteTime(rvc->valid_info->notAfterDate); + /* per the Valid specification, if this date is in the past, we need to check CT. */ + CFAbsoluteTime now = CFAbsoluteTimeGetCurrent(); + if (caNotAfter < now) { + rvc->valid_info->requireCT = true; + } + } + if ((certIssued < caNotBefore) && (rvc->certIX > 0)) { + /* not-before constraint is only applied to leaf certificate, for now. 
*/ + return; + } + + TrustAnalyticsBuilder *analytics = SecPathBuilderGetAnalyticsData(rvc->builder); + if ((certIssued < caNotBefore) || (certIssued > caNotAfter)) { + /* We are outside the constrained validity period. */ + secnotice("rvc", "certificate issuance date not within the allowed range for this CA%s", + (rvc->valid_info->overridable) ? "" : " (non-recoverable error)"); + if (analytics) { + analytics->valid_status |= TAValidDateContrainedRevoked; + } + if (rvc->valid_info->overridable) { + /* error is recoverable, treat certificate as untrusted + (note this date check is different from kSecPolicyCheckTemporalValidity) */ + SecPathBuilderSetResultInPVCs(rvc->builder, kSecPolicyCheckGrayListedKey, rvc->certIX, + kCFBooleanFalse, true); + } else { + /* error is non-overridable, treat certificate as revoked */ + SInt32 reason = 0; /* unspecified reason code */ CFNumberRef cfreason = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &reason); SecPathBuilderSetResultInPVCs(rvc->builder, kSecPolicyCheckRevocation, rvc->certIX, - cfreason, true, kSecTrustResultFatalTrustFailure); + cfreason, true); CFMutableDictionaryRef info = SecPathBuilderGetInfo(rvc->builder); if (info) { /* make the revocation reason available in the trust result */ CFDictionarySetValue(info, kSecTrustRevocationReason, cfreason); } CFReleaseNull(cfreason); - definitive = true; } - else if (valid && complete && isOnList && noCACheck) { + } else if (analytics) { + analytics->valid_status |= TAValidDateConstrainedOK; + } +} + +bool SecRVCHasDefinitiveValidInfo(SecRVCRef rvc) { + if (!rvc || !rvc->valid_info) { + return false; + } + SecValidInfoRef info = rvc->valid_info; + /* outcomes as defined in Valid server specification */ + if (info->format == kSecValidInfoFormatSerial || + info->format == kSecValidInfoFormatSHA256) { + if (info->noCACheck || info->complete || info->isOnList) { + return true; + } + } else { /* info->format == kSecValidInfoFormatNto1 */ + if (info->noCACheck || 
(info->complete && !info->isOnList)) { + return true; + } + } + return false; +} + +bool SecRVCHasRevokedValidInfo(SecRVCRef rvc) { + if (!rvc || !rvc->valid_info) { + return false; + } + SecValidInfoRef info = rvc->valid_info; + /* either not present on an allowlist, or present on a blocklist */ + return (!info->isOnList && info->valid) || (info->isOnList && !info->valid); +} + +void SecRVCSetRevokedResult(SecRVCRef rvc) { + if (!rvc || !rvc->valid_info || !rvc->builder) { + return; + } + if (rvc->valid_info->overridable) { + /* error is recoverable, treat certificate as untrusted */ + SecPathBuilderSetResultInPVCs(rvc->builder, kSecPolicyCheckGrayListedKey, rvc->certIX, + kCFBooleanFalse, true); + return; + } + /* error is fatal, treat certificate as revoked */ + SInt32 reason = 0; /* unspecified, since the Valid db doesn't tell us */ + CFNumberRef cfreason = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &reason); + SecPathBuilderSetResultInPVCs(rvc->builder, kSecPolicyCheckRevocation, rvc->certIX, + cfreason, true); + CFMutableDictionaryRef info = SecPathBuilderGetInfo(rvc->builder); + if (info) { + /* make the revocation reason available in the trust result */ + CFDictionarySetValue(info, kSecTrustRevocationReason, cfreason); + } + CFReleaseNull(cfreason); +} + +static void SecRVCProcessValidInfoResults(SecRVCRef rvc) { + if (!rvc || !rvc->valid_info || !rvc->builder) { + return; + } + SecCertificatePathVCRef path = SecPathBuilderGetPath(rvc->builder); + SecValidInfoRef info = rvc->valid_info; + + bool definitive = SecRVCHasDefinitiveValidInfo(rvc); + bool revoked = SecRVCHasRevokedValidInfo(rvc); + + /* set analytics */ + TrustAnalyticsBuilder *analytics = SecPathBuilderGetAnalyticsData(rvc->builder); + if (analytics) { + if (revoked) { + analytics->valid_status |= definitive ? TAValidDefinitelyRevoked : TAValidProbablyRevoked; + } else { + analytics->valid_status |= definitive ? 
TAValidDefinitelyOK : TAValidProbablyOK; + } + } + + /* Handle no-ca cases */ + if (info->noCACheck) { + bool allowed = (info->valid && info->complete && info->isOnList); + if (revoked) { + /* definitely revoked */ + SecRVCSetRevokedResult(rvc); + } else if (allowed) { /* definitely not revoked (allowlisted) */ - SecCertificatePathVCRef path = SecPathBuilderGetPath(rvc->builder); - if (path) { - SecCertificatePathVCSetIsAllowlisted(path, true); - } else { - secdebug("validupdate", "rvc: no certificate path for builder"); - } - definitive = true; + SecCertificatePathVCSetIsAllowlisted(path, true); } - if (definitive) { - /* either definitely revoked or allowed; no need to check further. */ - secdebug("validupdate", "rvc: definitely %s cert %" PRIdCFIndex, - (valid && complete && isOnList) ? "allowed" : "revoked", rvc->certIX); - rvc->done = true; - return; + /* no-ca is definitive; no need to check further. */ + secdebug("validupdate", "rvc: definitely %s cert %" PRIdCFIndex, + (allowed) ? "allowed" : "revoked", rvc->certIX); + rvc->done = true; + return; + } + + /* Handle date constraints, if present. + * Note: a not-after date may set the CT requirement, + * so check requireCT after this function is called. */ + SecRVCProcessValidDateConstraints(rvc); + + /* Set CT requirement on path, if present. */ + if (info->requireCT) { + if (analytics) { + analytics->valid_require_ct |= info->requireCT; } - /* verify our info with the OCSP server */ - checkOCSP = true; + SecPathCTPolicy ctp = kSecPathCTRequired; + if (info->overridable) { + ctp = kSecPathCTRequiredOverridable; + } + SecCertificatePathVCSetRequiresCT(path, ctp); } - /* Handle non-definitive information. - We set rvc->done = true above ONLY if the result was definitive; - otherwise we require a revocation check for SSL usage. 
- */ - if (format == kSecValidInfoFormatNto1) { - /* matched the filter */ - checkOCSP = true; + /* Trigger OCSP for any non-definitive or revoked cases */ + if (!definitive || revoked) { + info->checkOCSP = true; } - if (checkOCSP) { + if (info->checkOCSP) { + if (analytics) { + /* Valid DB results caused us to do OCSP */ + analytics->valid_trigger_ocsp = true; + } CFIndex count = SecPathBuilderGetCertificateCount(rvc->builder); CFIndex issuerIX = rvc->certIX + 1; if (issuerIX >= count) { @@ -831,7 +973,7 @@ static void SecRVCProcessValidInfoResults(SecRVCRef rvc) { } } secdebug("validupdate", "rvc: %s%s cert %" PRIdCFIndex " (will check OCSP)", - (complete) ? "" : "possibly ", (valid) ? "allowed" : "revoked", + (info->complete) ? "" : "possibly ", (info->valid) ? "allowed" : "revoked", rvc->certIX); SecPathBuilderSetRevocationMethod(rvc->builder, kSecPolicyCheckRevocationAny); } @@ -906,6 +1048,11 @@ static void SecRVCCheckRevocationCaches(SecRVCRef rvc) { SecORVCConsumeOCSPResponse(rvc->orvc, response, NULL_TIME, false); + TrustAnalyticsBuilder *analytics = SecPathBuilderGetAnalyticsData(rvc->builder); + if (rvc->orvc->done && analytics) { + /* We found a valid OCSP response in the cache */ + analytics->ocsp_cache_hit = true; + } } #if ENABLE_CRLS /* Don't check CRL cache if policy requested OCSP only */ @@ -925,6 +1072,7 @@ static void SecRVCUpdatePVC(SecRVCRef rvc) { static bool SecRVCFetchNext(SecRVCRef rvc) { bool OCSP_fetch_finished = true; + TrustAnalyticsBuilder *analytics = SecPathBuilderGetAnalyticsData(rvc->builder); /* Don't send OCSP request only if CRLs enabled and policy requested CRL only */ if (SecRVCShouldCheckOCSP(rvc)) { OCSP_fetch_finished &= SecORVCFetchNext(rvc->orvc); 
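Review bot: In the `noCACheck` branch of the rewritten `SecRVCProcessValidInfoResults`, the `secdebug` line prints "definitely revoked" whenever `allowed` is false, even when `revoked` is also false (for example `!valid && !isOnList`, or `valid && isOnList && !complete`). In those cases no result is set, `rvc->done` becomes true and the function returns before the OCSP trigger, so the log records a revocation decision that was never made. I would make the message three-way: `(revoked) ? "revoked" : ((allowed) ? "allowed" : "not revoked")`. Separately, the old code checked `path` for NULL before calling `SecCertificatePathVCSetIsAllowlisted`; the new code passes it unchecked there and to `SecCertificatePathVCSetRequiresCT`, which is safe only if those setters tolerate NULL (not visible here). The function body continues past this hunk.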
@@ -932,6 +1080,10 @@ static bool SecRVCFetchNext(SecRVCRef rvc) { if (OCSP_fetch_finished) { /* we didn't start an OCSP background job for this cert */ (void)SecPathBuilderDecrementAsyncJobCount(rvc->builder); + } else if (analytics) { + /* We did a network OCSP fetch, set report appropriately */ + analytics->ocsp_network = true; + analytics->ocsp_fetches++; } #if ENABLE_CRLS @@ -946,6 +1098,9 @@ static bool SecRVCFetchNext(SecRVCRef rvc) { if (CRL_fetch_finished) { /* we didn't start a CRL background job for this cert */ (void)SecPathBuilderDecrementAsyncJobCount(rvc->builder); + } else if (analytics) { + /* We did a CRL fetch */ + analytics->crl_fetches++; } OCSP_fetch_finished &= CRL_fetch_finished; #endif @@ -1010,7 +1165,21 @@ bool SecPathBuilderCheckRevocation(SecPathBuilderRef builder) { } SecRVCInit(rvc, builder, certIX); - if (rvc->done){ + + /* RFC 6960: OCSP No-Check extension says that we shouldn't check revocation. */ + if (SecCertificateHasMarkerExtension(SecCertificatePathVCGetCertificateAtIndex(path, certIX), + CFSTR("1.3.6.1.5.5.7.48.1.5"))) // id-pkix-ocsp-nocheck + { + secdebug("rvc", "skipping revocation checks for no-check cert: %ld", certIX); + TrustAnalyticsBuilder *analytics = SecPathBuilderGetAnalyticsData(builder); + if (analytics) { + /* This certificate has OCSP No-Check, so add to reporting analytics */ + analytics->ocsp_no_check = true; + } + rvc->done = true; + } + + if (rvc->done) { continue; } diff --git a/OSX/sec/securityd/SecRevocationServer.h b/OSX/sec/securityd/SecRevocationServer.h index aa73ab88..255f1f78 100644 --- a/OSX/sec/securityd/SecRevocationServer.h +++ b/OSX/sec/securityd/SecRevocationServer.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * Copyright (c) 2017-2018 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * 
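Review bot: The OCSP No-Check test added to `SecPathBuilderCheckRevocation` (the `@@ -1010,7 +1165,21 @@` hunk) sets `rvc->done = true` for any certificate in the path that carries `1.3.6.1.5.5.7.48.1.5`, at every `certIX` including the leaf. RFC 6960 defines id-pkix-ocsp-nocheck for OCSP responder certificates, so as written a server or intermediate certificate bearing the extension also skips the remaining revocation work through the `continue` that follows. If that is intended, the comment should say so; otherwise the skip should be limited to evaluations of a responder certificate. Suggested comment: `/* id-pkix-ocsp-nocheck is honored at every path index, not only for OCSP signer certs; no OCSP/CRL check is made for such a cert */`. The loop body continues outside the hunk.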
@@ -30,11 +30,9 @@ #ifndef _SECURITY_SECREVOCATIONSERVER_H_ #define _SECURITY_SECREVOCATIONSERVER_H_ -#include +#include #include -#define ENABLE_CRLS (TARGET_OS_MAC && !TARGET_OS_IPHONE) - typedef struct OpaqueSecORVC *SecORVCRef; #if ENABLE_CRLS typedef struct OpaqueSecCRVC *SecCRVCRef; @@ -43,28 +41,31 @@ typedef struct OpaqueSecCRVC *SecCRVCRef; /* Revocation verification context. */ struct OpaqueSecRVC { /* Pointer to the builder for this revocation check */ - SecPathBuilderRef builder; + SecPathBuilderRef builder; /* Index of cert in pvc that this RVC is for 0 = leaf, etc. */ - CFIndex certIX; + CFIndex certIX; /* The OCSP Revocation verification context */ - SecORVCRef orvc; + SecORVCRef orvc; #if ENABLE_CRLS - SecCRVCRef crvc; + SecCRVCRef crvc; #endif /* Valid database info for this revocation check */ - SecValidInfoRef valid_info; + SecValidInfoRef valid_info; - bool done; + bool done; }; typedef struct OpaqueSecRVC *SecRVCRef; bool SecPathBuilderCheckRevocation(SecPathBuilderRef builder); CFAbsoluteTime SecRVCGetEarliestNextUpdate(SecRVCRef rvc); void SecRVCDelete(SecRVCRef rvc); +bool SecRVCHasDefinitiveValidInfo(SecRVCRef rvc); +bool SecRVCHasRevokedValidInfo(SecRVCRef rvc); +void SecRVCSetRevokedResult(SecRVCRef rvc); #endif /* _SECURITY_SECREVOCATIONSERVER_H_ */ diff --git a/OSX/sec/securityd/SecTrustLoggingServer.c b/OSX/sec/securityd/SecTrustLoggingServer.m similarity index 97% rename from OSX/sec/securityd/SecTrustLoggingServer.c rename to OSX/sec/securityd/SecTrustLoggingServer.m index 16c771eb..8e456720 100644 --- a/OSX/sec/securityd/SecTrustLoggingServer.c +++ b/OSX/sec/securityd/SecTrustLoggingServer.m @@ -24,5 +24,6 @@ * */ +#include #include "SecTrustLoggingServer.h" diff --git a/OSX/sec/securityd/SecTrustServer.c b/OSX/sec/securityd/SecTrustServer.c index 7667fb98..481a1246 100644 --- a/OSX/sec/securityd/SecTrustServer.c +++ b/OSX/sec/securityd/SecTrustServer.c 
@@ -40,7 +40,6 @@ #include #include #include -#include #include #include #include @@ -69,6 +68,7 @@ #include "OTATrustUtilities.h" #include "personalization.h" #include +#include #if TARGET_OS_OSX #include @@ -88,6 +88,7 @@ static void SecPathBuilderExtendPaths(void *context, CFArrayRef parents); ********************************************************/ struct SecPathBuilder { dispatch_queue_t queue; + uint64_t startTime; CFDataRef clientAuditToken; SecCertificateSourceRef certificateSource; SecCertificateSourceRef itemCertificateSource; @@ -107,7 +108,7 @@ struct SecPathBuilder { Note that this is the only container in which certificatePath objects are retained. Every certificatePath being considered is always in allPaths and in at - most one of partialPaths, rejectedPaths, candidatePath or extendedPaths + least one of partialPaths, rejectedPaths, or candidatePath, all of which don't retain their values. */ CFMutableSetRef allPaths; @@ -141,6 +142,7 @@ struct SecPathBuilder { bool (*state)(SecPathBuilderRef); SecPathBuilderCompleted completed; const void *context; + TrustAnalyticsBuilder * analyticsData; }; /* State functions. Return false if a async job was scheduled, return 
@@ -167,23 +169,26 @@ static void SecPathBuilderInit(SecPathBuilderRef builder, secdebug("alloc", "%p", builder); CFAllocatorRef allocator = kCFAllocatorDefault; + builder->analyticsData = calloc(1, sizeof(TrustAnalyticsBuilder)); + builder->analyticsData->start_time = mach_absolute_time(); + builder->clientAuditToken = (CFDataRef) ((clientAuditToken) ? CFRetain(clientAuditToken) : NULL); builder->queue = dispatch_queue_create("builder", DISPATCH_QUEUE_SERIAL); builder->nextParentSource = 1; #if !TARGET_OS_WATCH + /* */ builder->canAccessNetwork = true; #endif builder->anchorSources = CFArrayCreateMutable(allocator, 0, NULL); builder->parentSources = CFArrayCreateMutable(allocator, 0, NULL); - builder->allPaths = CFSetCreateMutable(allocator, 0, - &kCFTypeSetCallBacks); - builder->partialPaths = CFArrayCreateMutable(allocator, 0, NULL); - builder->rejectedPaths = CFArrayCreateMutable(allocator, 0, NULL); - builder->candidatePaths = CFArrayCreateMutable(allocator, 0, NULL); + builder->allPaths = CFSetCreateMutable(allocator, 0, &kCFTypeSetCallBacks); + builder->partialPaths = CFArrayCreateMutable(allocator, 0, NULL); // Does not retain, allPaths retains members. See declaration. + builder->rejectedPaths = CFArrayCreateMutable(allocator, 0, NULL); // Does not retain, allPaths retains members. See declaration. + builder->candidatePaths = CFArrayCreateMutable(allocator, 0, NULL); // Does not retain, allPaths retains members. See declaration. /* Init the policy verification context. */ builder->pvcs = malloc(sizeof(SecPVCRef)); @@ -296,8 +301,6 @@ static void SecPathBuilderInit(SecPathBuilderRef builder, SecPathBuilderSetPath(builder, path); CFRelease(path); - /* Set the revocation context */ - /* Next step is to process the leaf. We do that work on the builder queue * to avoid blocking the main thread with database lookups. */ builder->state = SecPathBuilderProcessLeaf; 
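Review bot: `SecPathBuilderInit` dereferences the result of `calloc` on the very next line without checking it, so an allocation failure crashes trust evaluation at `builder->analyticsData->start_time`. Every consumer added elsewhere in this commit guards with `if (analytics)`, so a NULL `analyticsData` is a state the rest of the code already tolerates. The initializer should do the same: `if (builder->analyticsData) { builder->analyticsData->start_time = mach_absolute_time(); }`. The function body starts and ends outside this hunk.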
@@ -366,6 +369,9 @@ static void SecPathBuilderDestroy(SecPathBuilderRef builder) { CFReleaseNull(builder->info); CFReleaseNull(builder->exceptions); + free(builder->analyticsData); + builder->analyticsData = NULL; + if (builder->pvcs) { CFIndex ix; for (ix = 0; ix < builder->pvcCount; ix++) { @@ -406,6 +412,7 @@ void SecPathBuilderSetCanAccessNetwork(SecPathBuilderRef builder, bool allow) { a parent source. */ CFArrayAppendValue(builder->parentSources, kSecCAIssuerSource); #else + /* */ secnotice("http", "network access not allowed on WatchOS"); builder->canAccessNetwork = false; #endif @@ -437,6 +444,21 @@ CFArrayRef SecPathBuilderCopyTrustedLogs(SecPathBuilderRef builder) return CFRetainSafe(builder->trustedLogs); } +SecCertificateSourceRef SecPathBuilderGetAppAnchorSource(SecPathBuilderRef builder) +{ + return builder->anchorSource; +} + +CFSetRef SecPathBuilderGetAllPaths(SecPathBuilderRef builder) +{ + return builder->allPaths; +} + +TrustAnalyticsBuilder *SecPathBuilderGetAnalyticsData(SecPathBuilderRef builder) +{ + return builder->analyticsData; +} + SecCertificatePathVCRef SecPathBuilderGetBestPath(SecPathBuilderRef builder) { return builder->bestPath; @@ -455,7 +477,7 @@ bool SecPathBuilderHasTemporalParentChecks(SecPathBuilderRef builder) { SecPathBuilderForEachPVC(builder, ^(SecPVCRef pvc, bool *stop) { CFArrayForEach(pvc->policies, ^(const void *value) { SecPolicyRef policy = (SecPolicyRef)value; - if (CFDictionaryContainsKey(policy->_options, kSecPolicyCheckValidIntermediates)) { + if (CFDictionaryContainsKey(policy->_options, kSecPolicyCheckTemporalValidity)) { validIntermediates = true; *stop = true; } 
@@ -523,11 +545,9 @@ SecPVCRef SecPathBuilderGetPVCAtIndex(SecPathBuilderRef builder, CFIndex ix) { } void SecPathBuilderSetResultInPVCs(SecPathBuilderRef builder, CFStringRef key, - CFIndex ix, CFTypeRef result, bool force, - SecTrustResultType resultType) { + CFIndex ix, CFTypeRef result, bool force) { SecPathBuilderForEachPVC(builder, ^(SecPVCRef pvc, bool * __unused stop) { SecPVCSetResultForced(pvc, key, ix, result, force); - pvc->result = resultType; }); } @@ -540,7 +560,7 @@ static bool SecPathBuilderIsOkResult(SecPathBuilderRef builder) { return acceptPath; } -static SecPVCRef SecPathBuilderGetResultPVC(SecPathBuilderRef builder) { +SecPVCRef SecPathBuilderGetResultPVC(SecPathBuilderRef builder) { /* Return the first PVC that passed */ __block SecPVCRef resultPVC = NULL; SecPathBuilderForEachPVC(builder, ^(SecPVCRef pvc, bool *stop) { @@ -725,7 +745,7 @@ static void SecPathBuilderAddPinningPolicies(SecPathBuilderRef builder) { /* Found pinning policies. Apply them to the path builder. */ CFArrayRef newRules = CFDictionaryGetValue(results, kSecPinningDbKeyRules); CFStringRef dbPolicyName = CFDictionaryGetValue(results, kSecPinningDbKeyPolicyName); - secinfo("trust", "found pinning %lu %@ policies for hostname %@, policyName %@", + secinfo("SecPinningDb", "found pinning %lu %@ policies for hostname %@, policyName %@", (unsigned long)CFArrayGetCount(newRules), dbPolicyName, hostname, policyName); CFIndex newRulesIX; for (newRulesIX = 0; newRulesIX < CFArrayGetCount(newRules); newRulesIX++) { 
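Review bot: `SecPathBuilderSetResultInPVCs` no longer writes `pvc->result`, and nothing in this hunk documents where the trust result type now comes from. The revocation callers in SecRevocationServer.c used to pass `kSecTrustResultFatalTrustFailure` explicitly. After this change a revoked certificate presumably ends in a fatal result only if `SecPVCSetResultForced` derives it from `kSecPolicyCheckRevocation`, which is not visible here. A short comment above the function would make that dependency explicit: `/* Does not set pvc->result; the trust result type is expected to follow from key inside SecPVCSetResultForced (confirm for kSecPolicyCheckRevocation). */`.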
@@ -1079,7 +1099,8 @@ static bool SecPathBuilderValidatePath(SecPathBuilderRef builder) { builder->state = SecPathBuilderDidValidatePath; /* Revocation checking is now done before path checks, to ensure that - isAllowlisted will be set correctly for the subsequent path checks. */ + we have OCSP responses for CT checking and that isAllowlisted is + appropriately set for other checks. */ bool completed = SecPathBuilderCheckRevocation(builder); SecPathBuilderForEachPVC(builder, ^(SecPVCRef pvc, bool * __unused stop) { @@ -1094,7 +1115,7 @@ static bool SecPathBuilderDidValidatePath(SecPathBuilderRef builder) { * this is the state we call back into once all the asynchronous * revocation check calls are done. */ SecPathBuilderForEachPVC(builder, ^(SecPVCRef pvc, bool * __unused stop) { - SecPVCPathCheckRevocationRequired(pvc); + SecPVCPathCheckRevocationResponsesReceived(pvc); }); if (SecPathBuilderIsOkResult(builder)) { @@ -1113,7 +1134,6 @@ static bool SecPathBuilderComputeDetails(SecPathBuilderRef builder) { __block CFIndex ix, pathLength = SecCertificatePathVCGetCount(builder->bestPath); __block bool completed = true; - SecPathBuilderForEachPVC(builder, ^(SecPVCRef pvc, bool * __unused stop) { SecPVCComputeDetails(pvc, builder->bestPath); completed &= SecPathBuilderCheckRevocation(builder); @@ -1125,8 +1145,9 @@ static bool SecPathBuilderComputeDetails(SecPathBuilderRef builder) { builder->state = SecPathBuilderReportResult; + /* Check revocation responses. */ SecPathBuilderForEachPVC(builder, ^(SecPVCRef pvc, bool * __unused stop) { - SecPVCPathCheckRevocationRequired(pvc); + SecPVCPathCheckRevocationResponsesReceived(pvc); }); /* Reject the certificate if it was accepted before but we failed it now. (Should not happen anymore.) */ 
@@ -1152,7 +1173,7 @@ static bool SecPathBuilderReportResult(SecPathBuilderRef builder) { CFAbsoluteTime nextUpdate = SecCertificatePathVCGetEarliestNextUpdate(builder->bestPath); if (nextUpdate != 0) { #else - /* We don't do networking on watchOS, so we can't require OCSP for EV */ + /* We don't do networking on watchOS, so we can't require OCSP for EV */ { { #endif @@ -1261,7 +1282,7 @@ bool SecPathBuilderStep(SecPathBuilderRef builder) { builder->bestPath, pvc->details, result); if (builder->completed) { - SecCertificatePathRef resultPath = SecCertificatePathVCCopyCertificatePath(builder->bestPath); + CFArrayRef resultPath = SecCertificatePathVCCopyCertificates(builder->bestPath); builder->completed(builder->context, resultPath, pvc->details, builder->info, result); CFReleaseNull(resultPath); 
@@ -1288,19 +1309,20 @@ CFDataRef SecPathBuilderCopyClientAuditToken(SecPathBuilderRef builder) { ****************** SecTrustServer ********************** ********************************************************/ -typedef void (^SecTrustServerEvaluationCompleted)(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info, SecCertificatePathRef chain, CFErrorRef error); +typedef void (^SecTrustServerEvaluationCompleted)(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info, CFArrayRef chain, CFErrorRef error); static void SecTrustServerEvaluateCompleted(const void *userData, - SecCertificatePathRef chain, CFArrayRef details, CFDictionaryRef info, + CFArrayRef chain, CFArrayRef details, CFDictionaryRef info, SecTrustResultType result) { SecTrustServerEvaluationCompleted evaluated = (SecTrustServerEvaluationCompleted)userData; + TrustdHealthAnalyticsLogSuccess(TAEventEvaluationCompleted); evaluated(result, details, info, chain, NULL); Block_release(evaluated); } void -SecTrustServerEvaluateBlock(CFDataRef clientAuditToken, CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, CFArrayRef accessGroups, CFArrayRef exceptions, void (^evaluated)(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info, SecCertificatePathRef chain, CFErrorRef error)) { +SecTrustServerEvaluateBlock(CFDataRef clientAuditToken, CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, CFArrayRef accessGroups, CFArrayRef exceptions, void (^evaluated)(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info, CFArrayRef chain, CFErrorRef error)) { /* We need an array containing at least one certificate to proceed. 
*/ if (!isArray(certificates) || !(CFArrayGetCount(certificates) > 0)) { CFErrorRef certError = CFErrorCreate(NULL, kCFErrorDomainOSStatus, errSecInvalidCertificate, NULL); @@ -1321,10 +1343,10 @@ SecTrustServerEvaluateBlock(CFDataRef clientAuditToken, CFArrayRef certificates, // NO_SERVER Shim code only, xpc interface should call SecTrustServerEvaluateBlock() directly -SecTrustResultType SecTrustServerEvaluate(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions, CFArrayRef *pdetails, CFDictionaryRef *pinfo, SecCertificatePathRef *pchain, CFErrorRef *perror) { +SecTrustResultType SecTrustServerEvaluate(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions, CFArrayRef *pdetails, CFDictionaryRef *pinfo, CFArrayRef *pchain, CFErrorRef *perror) { dispatch_semaphore_t done = dispatch_semaphore_create(0); __block SecTrustResultType result = kSecTrustResultInvalid; - SecTrustServerEvaluateBlock(NULL, certificates, anchors, anchorsOnly, keychainsAllowed, policies, responses, SCTs, trustedLogs, verifyTime, accessGroups, exceptions, ^(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info, SecCertificatePathRef chain, CFErrorRef error) { + SecTrustServerEvaluateBlock(NULL, certificates, anchors, anchorsOnly, keychainsAllowed, policies, responses, SCTs, trustedLogs, verifyTime, accessGroups, exceptions, ^(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info, CFArrayRef chain, CFErrorRef error) { result = tr; if (tr == kSecTrustResultInvalid) { if (perror) { 
diff --git a/OSX/sec/securityd/SecTrustServer.h b/OSX/sec/securityd/SecTrustServer.h index 1f068a66..0495c410 100644 --- a/OSX/sec/securityd/SecTrustServer.h +++ b/OSX/sec/securityd/SecTrustServer.h @@ -32,14 +32,16 @@ #include #include /* For errSecWaitForCallback. */ -#include #include #include #include - __BEGIN_DECLS +/* CRLs only implemented for macOS for legacy compatibility purposes using + * ocspd's (legacy) interfaces */ +#define ENABLE_CRLS TARGET_OS_OSX + typedef struct SecPathBuilder *SecPathBuilderRef; typedef struct OpaqueSecPVC *SecPVCRef; @@ -60,7 +62,7 @@ struct OpaqueSecPVC { /* Completion callback. */ typedef void(*SecPathBuilderCompleted)(const void *userData, - SecCertificatePathRef chain, CFArrayRef details, CFDictionaryRef info, + CFArrayRef chain, CFArrayRef details, CFDictionaryRef info, SecTrustResultType result); /* Returns a new trust path builder and policy evaluation engine instance. */ @@ -83,6 +85,7 @@ CFArrayRef SecPathBuilderCopySignedCertificateTimestamps(SecPathBuilderRef build CFArrayRef SecPathBuilderCopyOCSPResponses(SecPathBuilderRef builder); CFArrayRef SecPathBuilderCopyTrustedLogs(SecPathBuilderRef builder); +CFSetRef SecPathBuilderGetAllPaths(SecPathBuilderRef builder); SecCertificatePathVCRef SecPathBuilderGetPath(SecPathBuilderRef builder); SecCertificatePathVCRef SecPathBuilderGetBestPath(SecPathBuilderRef builder); CFAbsoluteTime SecPathBuilderGetVerifyTime(SecPathBuilderRef builder); 
@@ -97,14 +100,16 @@ bool SecPathBuilderHasTemporalParentChecks(SecPathBuilderRef builder); * as trust in an anchor is contextual to the policy being validated. */ bool SecPathBuilderIsAnchored(SecPathBuilderRef builder); bool SecPathBuilderIsAnchorSource(SecPathBuilderRef builder, SecCertificateSourceRef source); - +SecCertificateSourceRef SecPathBuilderGetAppAnchorSource(SecPathBuilderRef builder); CFIndex SecPathBuilderGetPVCCount(SecPathBuilderRef builder); SecPVCRef SecPathBuilderGetPVCAtIndex(SecPathBuilderRef builder, CFIndex ix); +/* Returns the first PVC that passed */ +SecPVCRef SecPathBuilderGetResultPVC(SecPathBuilderRef builder); + void SecPathBuilderSetResultInPVCs(SecPathBuilderRef builder, CFStringRef key, - CFIndex ix, CFTypeRef result, bool force, - SecTrustResultType resultType); + CFIndex ix, CFTypeRef result, bool force); /* This is a pre-decrement operation */ unsigned int SecPathBuilderDecrementAsyncJobCount(SecPathBuilderRef builder); 
@@ -134,12 +139,65 @@ dispatch_queue_t SecPathBuilderGetQueue(SecPathBuilderRef builder); CFDataRef SecPathBuilderCopyClientAuditToken(SecPathBuilderRef builder); /* Evaluate trust and call evaluated when done. */ -void SecTrustServerEvaluateBlock(CFDataRef clientAuditToken, CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions, void (^evaluated)(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info, SecCertificatePathRef chain, CFErrorRef error)); +void SecTrustServerEvaluateBlock(CFDataRef clientAuditToken, CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions, void (^evaluated)(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info, CFArrayRef chain, CFErrorRef error)); /* Synchronously invoke SecTrustServerEvaluateBlock. 
*/ -SecTrustResultType SecTrustServerEvaluate(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions, CFArrayRef *details, CFDictionaryRef *info, SecCertificatePathRef *chain, CFErrorRef *error); +SecTrustResultType SecTrustServerEvaluate(CFArrayRef certificates, CFArrayRef anchors, bool anchorsOnly, bool keychainsAllowed, CFArrayRef policies, CFArrayRef responses, CFArrayRef SCTs, CFArrayRef trustedLogs, CFAbsoluteTime verifyTime, __unused CFArrayRef accessGroups, CFArrayRef exceptions, CFArrayRef *details, CFDictionaryRef *info, CFArrayRef *chain, CFErrorRef *error); + +/* TrustAnalytics builder types */ +typedef CF_OPTIONS(uint8_t, TA_SCTSource) { + TA_SCTEmbedded = 1 << 0, + TA_SCT_OCSP = 1 << 1, + TA_SCT_TLS = 1 << 2, +}; + +typedef CF_OPTIONS(uint8_t, TAValidStatus) { + TAValidDefinitelyOK = 1 << 0, + TAValidProbablyOK = 1 << 1, + TAValidProbablyRevoked = 1 << 2, + TAValidDefinitelyRevoked = 1 << 3, + TAValidDateConstrainedOK = 1 << 4, + TAValidDateContrainedRevoked = 1 << 5, +}; -void InitializeAnchorTable(void); +typedef struct { + uint64_t start_time; + // Certificate Transparency + TA_SCTSource sct_sources; + uint32_t number_scts; + uint32_t number_trusted_scts; + size_t total_sct_size; + // CAIssuer + bool ca_issuer_cache_hit; + bool ca_issuer_network; + uint32_t ca_issuer_fetches; + uint64_t ca_issuer_fetch_time; + uint32_t ca_issuer_fetch_failed; + bool ca_issuer_unsupported_data; + bool ca_issuer_multiple_certs; + // OCSP + bool ocsp_no_check; + bool ocsp_cache_hit; + bool ocsp_network; + uint32_t ocsp_fetches; + uint64_t ocsp_fetch_time; + uint32_t ocsp_fetch_failed; + bool ocsp_validation_failed; +#if ENABLE_CRLS + // CRLs + bool crl_client; + bool crl_cert; + uint32_t crl_fetches; + uint64_t crl_fetch_time; + uint32_t crl_fetch_failed; +#endif + // Valid 
+ TAValidStatus valid_status; + bool valid_trigger_ocsp; + bool valid_require_ct; +} TrustAnalyticsBuilder; + +TrustAnalyticsBuilder *SecPathBuilderGetAnalyticsData(SecPathBuilderRef builder); __END_DECLS diff --git a/OSX/sec/securityd/SecTrustStoreServer.c b/OSX/sec/securityd/SecTrustStoreServer.c index 28fd42c9..c7f0a5ba 100644 --- a/OSX/sec/securityd/SecTrustStoreServer.c +++ b/OSX/sec/securityd/SecTrustStoreServer.c @@ -52,6 +52,7 @@ #include #include "utilities/SecFileLocations.h" #include +#include /* uid of the _securityd user. */ #define SECURTYD_UID 64 @@ -165,7 +166,7 @@ errOutNotLocked: static SecTrustStoreRef SecTrustStoreCreate(const char *db_name, bool create) { SecTrustStoreRef ts; - int s3e; + int s3e = SQLITE_OK; require(ts = (SecTrustStoreRef)malloc(sizeof(struct __SecTrustStore)), errOut); ts->queue = dispatch_queue_create("truststore", DISPATCH_QUEUE_SERIAL); @@ -216,6 +217,8 @@ errOut: dispatch_release_safe(ts->queue); free(ts); } + secerror("Failed to create trust store database: %d", s3e); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TATrustStore, TAOperationCreate, TAFatalError, s3e); return NULL; } 
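Review bot: The new enumerator `TAValidDateContrainedRevoked` in `TAValidStatus` is misspelled; its sibling two lines up is `TAValidDateConstrainedOK`, so the pair will not be found by the same search and the typo becomes part of every caller once this header is used. Rename it before other files depend on it: `TAValidDateConstrainedRevoked = 1 << 5,`. The `TrustAnalyticsBuilder` struct would also benefit from a one-line comment giving the unit of `start_time` and the `*_fetch_time` counters, which the header does not state.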
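Review bot: The `secerror` and `TrustdHealthAnalyticsLogErrorCodeForDatabase` calls added under `errOut:` in SecTrustStoreCreate report `s3e` even when the failure was not an SQLite one. With `int s3e = SQLITE_OK;` from the previous hunk, a failed `malloc` in `require(ts = ..., errOut)` is recorded as a fatal database error with code 0. The `errOut:` additions in SecTrustStoreCopyParents (`@@ -442,13 +461,15 @@`) and _SecTrustStoreCopyAll (`@@ -551,13 +577,15 @@`) have the same shape: their `require(...)` allocation and certificate-creation checks appear to reach the label with `s3e` still `SQLITE_OK` or `SQLITE_ROW`. Guard the analytics call so health data only counts real database errors, here `if (s3e != SQLITE_OK) { TrustdHealthAnalyticsLogErrorCodeForDatabase(TATrustStore, TAOperationCreate, TAFatalError, s3e); }`, and in the two read paths also exclude `SQLITE_ROW` and `SQLITE_DONE`. Most of each function body is outside these hunks, so other routes into `errOut` were not checked.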
@@ -303,18 +306,18 @@ bool _SecTrustStoreSetTrustSettings(SecTrustStoreRef ts, require_action_quiet(s3e == SQLITE_OK, errOut, ok = SecError(errSecInternal, error, CFSTR("sqlite3 error: %d"), s3e)); /* Parameter order is sha1,subj,tset,data. */ - require_noerr_action_quiet(sqlite3_prepare(ts->s3h, insertSQL, sizeof(insertSQL), + require_noerr_action_quiet(s3e = sqlite3_prepare(ts->s3h, insertSQL, sizeof(insertSQL), &insert, NULL), errOutSql, ok = SecError(errSecInternal, error, CFSTR("sqlite3 error: %d"), s3e)); - require_noerr_action_quiet(sqlite3_bind_blob_wrapper(insert, 1, + require_noerr_action_quiet(s3e = sqlite3_bind_blob_wrapper(insert, 1, CFDataGetBytePtr(digest), CFDataGetLength(digest), SQLITE_STATIC), errOutSql, ok = SecError(errSecInternal, error, CFSTR("sqlite3 error: %d"), s3e)); - require_noerr_action_quiet(sqlite3_bind_blob_wrapper(insert, 2, + require_noerr_action_quiet(s3e = sqlite3_bind_blob_wrapper(insert, 2, CFDataGetBytePtr(subject), CFDataGetLength(subject), SQLITE_STATIC), errOutSql, ok = SecError(errSecInternal, error, CFSTR("sqlite3 error: %d"), s3e)); - require_noerr_action_quiet(sqlite3_bind_blob_wrapper(insert, 3, + require_noerr_action_quiet(s3e = sqlite3_bind_blob_wrapper(insert, 3, CFDataGetBytePtr(xmlData), CFDataGetLength(xmlData), SQLITE_STATIC), errOutSql, ok = SecError(errSecInternal, error, CFSTR("sqlite3 error: %d"), s3e)); - require_noerr_action_quiet(sqlite3_bind_blob_wrapper(insert, 4, + require_noerr_action_quiet(s3e = sqlite3_bind_blob_wrapper(insert, 4, SecCertificateGetBytePtr(certificate), SecCertificateGetLength(certificate), SQLITE_STATIC), errOutSql, ok = SecError(errSecInternal, error, CFSTR("sqlite3 error: %d"), s3e)); s3e = sqlite3_step(insert); 
@@ -342,15 +345,20 @@ bool _SecTrustStoreSetTrustSettings(SecTrustStoreRef ts, } errOutSql: - if (insert) + if (insert) { s3e = sqlite3_finalize(insert); - if (update) + } + if (update) { s3e = sqlite3_finalize(update); + } - if (ok && s3e == SQLITE_OK) + if (ok && s3e == SQLITE_OK) { s3e = sqlite3_exec(ts->s3h, "COMMIT TRANSACTION", NULL, NULL, NULL); + } if (!ok || s3e != SQLITE_OK) { + secerror("Failed to update trust store: (%d) %@", s3e, error ? *error : NULL); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TATrustStore, TAOperationWrite, TAFatalError, s3e); sqlite3_exec(ts->s3h, "ROLLBACK TRANSACTION", NULL, NULL, NULL); if (ok) { ok = SecError(errSecInternal, error, CFSTR("sqlite3 error: %d"), s3e); @@ -374,18 +382,24 @@ bool SecTrustStoreRemoveCertificateWithDigest(SecTrustStoreRef ts, require_quiet(ts, errOutNotLocked); require(!ts->readOnly, errOutNotLocked); dispatch_sync(ts->queue, ^{ + int s3e = SQLITE_OK; sqlite3_stmt *deleteStmt = NULL; - require_noerr(sqlite3_prepare(ts->s3h, deleteSQL, sizeof(deleteSQL), + + require_noerr(s3e = sqlite3_prepare(ts->s3h, deleteSQL, sizeof(deleteSQL), &deleteStmt, NULL), errOut); - require_noerr(sqlite3_bind_blob_wrapper(deleteStmt, 1, + require_noerr(s3e = sqlite3_bind_blob_wrapper(deleteStmt, 1, CFDataGetBytePtr(digest), CFDataGetLength(digest), SQLITE_STATIC), errOut); - sqlite3_step(deleteStmt); + s3e = sqlite3_step(deleteStmt); errOut: if (deleteStmt) { verify_noerr(sqlite3_finalize(deleteStmt)); } + if (s3e != SQLITE_OK && s3e != SQLITE_DONE) { + secerror("Removal of certificate from trust store failed: %d", s3e); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TATrustStore, TAOperationWrite, TAFatalError, s3e); + } }); errOutNotLocked: return true; 
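Review bot: The code printed by the new `secerror("Failed to update trust store: ...")` line and sent to analytics is whatever the `sqlite3_finalize` calls just above left in `s3e`, not the code of the call that failed. When one of the `sqlite3_bind_blob_wrapper` calls in the previous hunk fails, `ok` is false and control reaches `errOutSql`, where finalizing a statement that was never stepped is expected to return `SQLITE_OK`, so the failure is likely reported with code 0. Keep the original code for reporting, for example `int first_s3e = s3e;` directly after the `errOutSql:` label and `ok ? s3e : first_s3e` as the value passed to the two logging calls. The part of _SecTrustStoreSetTrustSettings between this hunk and the previous one is not visible, so the value of `s3e` on the success path was not checked.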
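Review bot: SecTrustStoreRemoveCertificateWithDigest now detects a failed delete but still ends in `errOutNotLocked: return true;`, so the caller is told the certificate's trust settings were removed when the row may still be in the store. For a trust store that is a fail-open result, and the XPC handler in trustd.c forwards this value to the client unchanged. Carry the outcome out of the block: declare `__block bool removed = false;` before `dispatch_sync`, set `removed = (s3e == SQLITE_OK || s3e == SQLITE_DONE);` after the finalize, and end with `return removed;`. Whether the two `require` exits (NULL or read-only store) should keep returning true is a separate decision, and the start of the function is outside this hunk.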
@@ -397,9 +411,13 @@ bool _SecTrustStoreRemoveAll(SecTrustStoreRef ts, CFErrorRef *error) require(ts, errOutNotLocked); require(!ts->readOnly, errOutNotLocked); dispatch_sync(ts->queue, ^{ - if (SQLITE_OK == sqlite3_exec(ts->s3h, deleteAllSQL, NULL, NULL, NULL)) { + int s3e =sqlite3_exec(ts->s3h, deleteAllSQL, NULL, NULL, NULL); + if (s3e == SQLITE_OK) { removed_all = true; ts->containsSettings = false; + } else { + secerror("Clearing of trust store failed: %d", s3e); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TATrustStore, TAOperationWrite, TAFatalError, s3e); } /* prepared statements become unusable after deleteAllSQL, reset them */ @@ -421,19 +439,20 @@ CFArrayRef SecTrustStoreCopyParents(SecTrustStoreRef ts, __block CFMutableArrayRef parents = NULL; require(ts, errOutNotLocked); dispatch_sync(ts->queue, ^{ - require_quiet(ts->containsSettings, errOut); + int s3e = SQLITE_OK; + require_quiet(ts->containsSettings, ok); CFDataRef issuer; require(issuer = SecCertificateGetNormalizedIssuerContent(certificate), errOut); /* @@@ Might have to use SQLITE_TRANSIENT */ - require_noerr(sqlite3_bind_blob_wrapper(ts->copyParents, 1, + require_noerr(s3e = sqlite3_bind_blob_wrapper(ts->copyParents, 1, CFDataGetBytePtr(issuer), CFDataGetLength(issuer), SQLITE_STATIC), errOut); require(parents = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), errOut); for (;;) { - int s3e = sqlite3_step(ts->copyParents); + s3e = sqlite3_step(ts->copyParents); if (s3e == SQLITE_ROW) { SecCertificateRef cert; require(cert = SecCertificateCreateWithBytes(kCFAllocatorDefault, 
@@ -442,13 +461,15 @@ CFArrayRef SecTrustStoreCopyParents(SecTrustStoreRef ts, CFArrayAppendValue(parents, cert); CFRelease(cert); } else { - require(s3e == SQLITE_DONE, errOut); + require(s3e == SQLITE_DONE || s3e == SQLITE_OK, errOut); break; } } goto ok; errOut: + secerror("Failed to read parents from trust store: %d", s3e); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TATrustStore, TAOperationRead, TAFatalError, s3e); if (parents) { CFRelease(parents); parents = NULL; @@ -470,8 +491,8 @@ static bool SecTrustStoreQueryCertificateWithDigest(SecTrustStoreRef ts, dispatch_sync(ts->queue, ^{ CFDataRef xmlData = NULL; CFPropertyListRef trustSettings = NULL; + int s3e = SQLITE_OK; require_action_quiet(ts->containsSettings, errOut, ok = true); - int s3e; require_noerr_action(s3e = sqlite3_bind_blob_wrapper(ts->contains, 1, CFDataGetBytePtr(digest), CFDataGetLength(digest), SQLITE_STATIC), errOut, ok = SecDbErrorWithStmt(s3e, ts->contains, error, CFSTR("sqlite3_bind_blob failed"))); @@ -491,10 +512,15 @@ static bool SecTrustStoreQueryCertificateWithDigest(SecTrustStoreRef ts, *usageConstraints = CFRetain(trustSettings); } } else { - require_action(s3e == SQLITE_DONE, errOut, ok = SecDbErrorWithStmt(s3e, ts->contains, error, CFSTR("sqlite3_step failed"))); + require_action(s3e == SQLITE_DONE || s3e == SQLITE_OK, errOut, + ok = SecDbErrorWithStmt(s3e, ts->contains, error, CFSTR("sqlite3_step failed"))); } errOut: + if (!ok) { + secerror("Failed to query for cert in trust store: %d", s3e); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TATrustStore, TAOperationRead, TAFatalError, s3e); + } verify_noerr(sqlite3_reset(ts->contains)); verify_noerr(sqlite3_clear_bindings(ts->contains)); CFReleaseNull(xmlData); 
@@ -525,12 +551,12 @@ bool _SecTrustStoreCopyAll(SecTrustStoreRef ts, CFArrayRef *trustStoreContents, CFDataRef xmlData = NULL; CFPropertyListRef trustSettings = NULL; CFArrayRef certSettingsPair = NULL; - require_noerr(sqlite3_prepare(ts->s3h, copyAllSQL, sizeof(copyAllSQL), - ©AllStmt, NULL), errOut); + int s3e = SQLITE_OK; + require_noerr(s3e = sqlite3_prepare(ts->s3h, copyAllSQL, sizeof(copyAllSQL), + ©AllStmt, NULL), errOut); require(CertsAndSettings = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks), errOut); - for(;;) { - int s3e = sqlite3_step(copyAllStmt); + s3e = sqlite3_step(copyAllStmt); if (s3e == SQLITE_ROW) { require(cert = CFDataCreate(kCFAllocatorDefault, sqlite3_column_blob(copyAllStmt, 0), @@ -551,13 +577,15 @@ bool _SecTrustStoreCopyAll(SecTrustStoreRef ts, CFArrayRef *trustStoreContents, CFReleaseNull(trustSettings); CFReleaseNull(certSettingsPair); } else { - require_action(s3e == SQLITE_DONE, errOut, ok = SecDbErrorWithStmt(s3e, copyAllStmt, error, CFSTR("sqlite3_step failed"))); + require_action(s3e == SQLITE_DONE || s3e == SQLITE_OK, errOut, ok = SecDbErrorWithStmt(s3e, copyAllStmt, error, CFSTR("sqlite3_step failed"))); break; } } goto ok; errOut: + secerror("Failed to query for all certs in trust store: %d", s3e); + TrustdHealthAnalyticsLogErrorCodeForDatabase(TATrustStore, TAOperationRead, TAFatalError, s3e); CFReleaseNull(cert); CFReleaseNull(xmlData); CFReleaseNull(trustSettings); diff --git a/OSX/sec/securityd/asynchttp.c b/OSX/sec/securityd/asynchttp.c index 0a29fc43..d13e023a 100644 --- a/OSX/sec/securityd/asynchttp.c +++ b/OSX/sec/securityd/asynchttp.c @@ -38,6 +38,7 @@ #include #include #include +#include #include 
@@ -455,6 +456,8 @@ bool asynchttp_request(CFHTTPMessageRef request, uint64_t timeout, asynchttp_t * | kCFStreamEventEndEncountered), handle_server_response, &stream_context); CFReadStreamSetDispatchQueue(http->stream, http->queue); + + http->start_time = mach_absolute_time(); CFReadStreamOpen(http->stream); return false; /* false -> something was scheduled. */ diff --git a/OSX/sec/securityd/asynchttp.h b/OSX/sec/securityd/asynchttp.h index ea9c42fd..5a417954 100644 --- a/OSX/sec/securityd/asynchttp.h +++ b/OSX/sec/securityd/asynchttp.h @@ -46,6 +46,7 @@ typedef struct asynchttp_s { CFHTTPMessageRef request; CFHTTPMessageRef response; dispatch_queue_t queue; + uint64_t start_time; /* The fields below should be considered private. */ CFMutableDataRef data; CFReadStreamRef stream; diff --git a/OSX/sec/securityd/com.apple.secd.sb b/OSX/sec/securityd/com.apple.secd.sb index f73a83d3..15990dd1 100644 --- a/OSX/sec/securityd/com.apple.secd.sb +++ b/OSX/sec/securityd/com.apple.secd.sb @@ -31,10 +31,15 @@ (global-name "com.apple.SystemConfiguration.configd") (global-name "com.apple.security.cloudkeychainproxy3") (global-name "com.apple.security.keychainsyncingoveridsproxy") + (global-name "com.apple.cdp.daemon") (global-name "com.apple.cloudd") (global-name "com.apple.apsd") (global-name "com.apple.windowserver.active")) +;; Used to send logs for MoiC. +(allow mach-lookup + (global-name "com.apple.imagent.desktop.auth")) + (allow iokit-open (iokit-user-client-class "AppleKeyStoreUserClient")) diff --git a/OSX/sec/securityd/entitlements.plist b/OSX/sec/securityd/entitlements.plist index 68535bba..fe8c7f7e 100644 --- a/OSX/sec/securityd/entitlements.plist +++ b/OSX/sec/securityd/entitlements.plist @@ -2,6 +2,8 @@ + com.apple.private.accounts.allaccounts + com.apple.private.aps-connection-initiate aps-connection-initiate 
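Review bot: The two additions to the secd sandbox profile, `(global-name "com.apple.cdp.daemon")` and the new `(allow mach-lookup (global-name "com.apple.imagent.desktop.auth"))` rule, widen which services the daemon may look up without a rationale a reader can check. The only explanation is `;; Used to send logs for MoiC.`, which uses an unexpanded abbreviation, and the cdp.daemon entry has none. The entitlements.plist hunks that follow (`@@ -2,6 +2,8 @@` and `@@ -50,6 +52,8 @@`) add `com.apple.private.accounts.allaccounts` and `com.apple.private.imcore.imagent` with the same gap. Each of these is a standing grant to a security daemon, so record the feature and the direction of the data flow next to it, e.g. `;; <feature name>: sends <log type> to imagent, no keychain item contents`, so that a later least-privilege audit can tell when the grant can be dropped.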
@@ -50,6 +52,8 @@ com.apple.private.applecredentialmanager.allow + com.apple.private.imcore.imagent + com.apple.private.MobileGestalt.AllowedProtectedKeys SerialNumber diff --git a/OSX/sec/securityd/policytree.c b/OSX/sec/securityd/policytree.c index b85f4fd4..15efe996 100644 --- a/OSX/sec/securityd/policytree.c +++ b/OSX/sec/securityd/policytree.c @@ -26,7 +26,7 @@ */ #include "policytree.h" -#include +#include #include diff --git a/OSX/sec/securityd/spi.c b/OSX/sec/securityd/spi.c index c845fa5e..9fb3b586 100644 --- a/OSX/sec/securityd/spi.c +++ b/OSX/sec/securityd/spi.c @@ -34,9 +34,11 @@ #include #include #include +#include #include #include #include +#include #include #include "utilities/iOSforOSX.h" @@ -153,11 +155,13 @@ static struct trustd trustd_spi = { .sec_trust_store_remove_certificate = SecTrustStoreRemoveCertificateWithDigest, .sec_truststore_remove_all = _SecTrustStoreRemoveAll, .sec_trust_evaluate = SecTrustServerEvaluate, - .sec_ota_pki_asset_version = SecOTAPKIGetCurrentAssetVersion, + .sec_ota_pki_trust_store_version = SecOTAPKIGetCurrentTrustStoreVersion, .ota_CopyEscrowCertificates = SecOTAPKICopyCurrentEscrowCertificates, .sec_ota_pki_get_new_asset = SecOTAPKISignalNewAsset, .sec_trust_store_copy_all = _SecTrustStoreCopyAll, .sec_trust_store_copy_usage_constraints = _SecTrustStoreCopyUsageConstraints, + .sec_ocsp_cache_flush = SecOCSPCacheFlush, + .sec_tls_analytics_report = SecTLSAnalyticsReport, }; #endif diff --git a/OSX/sectests/SecurityTests-Entitlements.plist b/OSX/sectests/SecurityTests-Entitlements.plist index f1509978..bcd392ae 100644 --- a/OSX/sectests/SecurityTests-Entitlements.plist +++ b/OSX/sectests/SecurityTests-Entitlements.plist 
@@ -31,17 +31,5 @@ 123456.test.group 123456.test.group2 - com.apple.private.ubiquity-kvstore-access - - com.apple.securityd - - com.apple.developer.ubiquity-kvstore-identifier - com.apple.security.cloudkeychainproxy3 - com.apple.developer.ubiquity-container-identifiers - - com.apple.security.cloudkeychainproxy3 - com.apple.security.cloudkeychain - CloudKeychainProxy.xpc - diff --git a/OSX/shared_regressions/shared_regressions.h b/OSX/shared_regressions/shared_regressions.h index 534d53f6..9a5f7497 100644 --- a/OSX/shared_regressions/shared_regressions.h +++ b/OSX/shared_regressions/shared_regressions.h @@ -61,6 +61,7 @@ ONE_TEST(si_82_sectrust_ct) ONE_TEST(si_83_seccertificate_sighashalg) ONE_TEST(si_85_sectrust_ssl_policy) ONE_TEST(si_87_sectrust_name_constraints) +ONE_TEST(si_88_sectrust_valid) ONE_TEST(si_97_sectrust_path_scoring) ONE_TEST(rk_01_recoverykey) diff --git a/OSX/shared_regressions/si-20-sectrust-policies-data/PinningPolicyTrustTest.plist b/OSX/shared_regressions/si-20-sectrust-policies-data/PinningPolicyTrustTest.plist index 7ab213a3..d33efc70 100644 --- a/OSX/shared_regressions/si-20-sectrust-policies-data/PinningPolicyTrustTest.plist +++ b/OSX/shared_regressions/si-20-sectrust-policies-data/PinningPolicyTrustTest.plist @@ -2366,7 +2366,7 @@ Anchors AppleRootCA ExpectedResult - 4 + 6 ChainLength 3 VerifyDate @@ -2422,7 +2422,7 @@ Anchors AppleRootCA ExpectedResult - 4 + 6 ChainLength 3 VerifyDate @@ -2478,7 +2478,7 @@ Anchors AppleRootCA ExpectedResult - 4 + 6 ChainLength 3 VerifyDate @@ -2536,7 +2536,7 @@ Anchors AppleRootCA ExpectedResult - 4 + 6 ChainLength 3 VerifyDate diff --git a/OSX/shared_regressions/si-20-sectrust-policies.m b/OSX/shared_regressions/si-20-sectrust-policies.m index bffb97fd..992cbc5e 100644 --- a/OSX/shared_regressions/si-20-sectrust-policies.m +++ b/OSX/shared_regressions/si-20-sectrust-policies.m 
@@ -325,7 +325,7 @@ errOut: @end -void (^runTestForObject)(id, NSUInteger, BOOL *) = +void (^runPolicyTestForObject)(id, NSUInteger, BOOL *) = ^(NSDictionary *testDict, NSUInteger idx, BOOL *stop) { NSString *majorTestName = nil, *minorTestName = nil; TestObject *test = nil; @@ -384,7 +384,7 @@ void (^runTestForObject)(id, NSUInteger, BOOL *) = require_action_quiet(expectedResult = [testDict objectForKey:kSecTrustTestExpectedResult], testOut, fail("%@: failed to get expected result for test", test.fullTestName)); - /* If we enabled test certificates on a non-internal device, expect a failure instead of succees. */ + /* If we enabled test certificates on a non-internal device, expect a failure instead of success. */ if (enableTestCertificates && !SecIsInternalRelease() && ([expectedResult unsignedIntValue] == 4)) { ok(trustResult == 5, "%@: actual trust result %u did not match expected trust result %u", @@ -425,7 +425,7 @@ static void tests(void) plan_tests((int)[testsArray count]); - [testsArray enumerateObjectsUsingBlock:runTestForObject]; + [testsArray enumerateObjectsUsingBlock:runPolicyTestForObject]; exit: return; diff --git a/OSX/shared_regressions/si-88-sectrust-valid.m b/OSX/shared_regressions/si-88-sectrust-valid.m new file mode 100644 index 00000000..6d4aa4c2 --- /dev/null +++ b/OSX/shared_regressions/si-88-sectrust-valid.m 
@@ -0,0 +1,149 @@ +/* + * si-88-sectrust-valid.m + * Security + * + * Copyright (c) 2017-2018 Apple Inc. All Rights Reserved. + * + */ + +#include +#include +#include +#include +#include +#include +#include + +#include "shared_regressions.h" + +static void test_valid_trust(SecCertificateRef leaf, SecCertificateRef ca, CFArrayRef anchors, + CFDateRef date, SecTrustResultType expected, const char *test_name) +{ + CFArrayRef policies=NULL; + SecPolicyRef policy=NULL; + SecTrustRef trust=NULL; + SecTrustResultType trustResult; + CFMutableArrayRef certs=NULL; + + printf("Starting %s\n", test_name); + isnt(certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create cert array"); + if (certs) { + if (leaf) { + CFArrayAppendValue(certs, leaf); + } + if (ca) { + CFArrayAppendValue(certs, ca); + } + } + + isnt(policy = SecPolicyCreateBasicX509(), NULL, "create policy"); + isnt(policies = CFArrayCreate(kCFAllocatorDefault, (const void **)&policy, 1, &kCFTypeArrayCallBacks), NULL, "create policies"); + ok_status(SecTrustCreateWithCertificates(certs, policies, &trust), "create trust"); + + assert(trust); // silence analyzer + ok_status(SecTrustSetAnchorCertificates(trust, anchors), "set anchors"); + ok_status(SecTrustSetVerifyDate(trust, date), "set date"); + ok_status(SecTrustEvaluate(trust, &trustResult), "evaluate trust"); + ok(trustResult == expected, "trustResult %d expected (got %d)", + (int)expected, (int)trustResult); + + CFReleaseSafe(certs); + CFReleaseSafe(policy); + CFReleaseSafe(policies); + CFReleaseSafe(trust); +} + +#import +SecCertificateRef SecCertificateCreateWithPEM(CFAllocatorRef allocator, CFDataRef pem_certificate); + +static SecCertificateRef SecCertificateCreateFromResource(NSString *name) +{ + NSString *resources = @"si-88-sectrust-valid-data"; + NSString *extension = @"pem"; + + NSURL *url = [[NSBundle mainBundle] URLForResource:name withExtension:extension subdirectory:resources]; + if (!url) { + printf("No URL for 
resource \"%s.pem\"\n", [name UTF8String]); + return NULL; + } + + NSData *certData = [NSData dataWithContentsOfURL:url]; + if (!certData) { + printf("No cert data for resource \"%s.pem\"\n", [name UTF8String]); + return NULL; + } + + return SecCertificateCreateWithPEM(kCFAllocatorDefault, (__bridge CFDataRef)certData); +} + +static void tests() +{ + SecCertificateRef ca_na=NULL, ca_nb=NULL, root=NULL; + SecCertificateRef leaf_na_ok1=NULL, leaf_na_ok2=NULL; + SecCertificateRef leaf_nb_ok1=NULL, leaf_nb_ok2=NULL, leaf_nb_revoked1=NULL; + + isnt(ca_na = SecCertificateCreateFromResource(@"ca-na"), NULL, "create ca-na cert"); + isnt(ca_nb = SecCertificateCreateFromResource(@"ca-nb"), NULL, "create ca-nb cert"); + isnt(root = SecCertificateCreateFromResource(@"root"), NULL, "create root cert"); + isnt(leaf_na_ok1 = SecCertificateCreateFromResource(@"leaf-na-ok1"), NULL, "create leaf-na-ok1 cert"); + isnt(leaf_na_ok2 = SecCertificateCreateFromResource(@"leaf-na-ok2"), NULL, "create leaf-na-ok2 cert"); + isnt(leaf_nb_ok1 = SecCertificateCreateFromResource(@"leaf-nb-ok1"), NULL, "create leaf-nb-ok1 cert"); + isnt(leaf_nb_ok2 = SecCertificateCreateFromResource(@"leaf-nb-ok2"), NULL, "create leaf-nb-ok2 cert"); + isnt(leaf_nb_revoked1 = SecCertificateCreateFromResource(@"leaf-nb-revoked1"), NULL, "create leaf-nb-revoked1 cert"); + + CFMutableArrayRef anchors=NULL; + isnt(anchors = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks), NULL, "create anchors array"); + if (anchors && root) { + CFArrayAppendValue(anchors, root); + } + CFCalendarRef cal = NULL; + CFAbsoluteTime at; + CFDateRef date_20180102 = NULL; // a date when our test certs would all be valid, in the absence of Valid db info + + isnt(cal = CFCalendarCreateWithIdentifier(kCFAllocatorDefault, kCFGregorianCalendar), NULL, "create calendar"); + ok(CFCalendarComposeAbsoluteTime(cal, &at, "yMd", 2018, 1, 2), "create verify absolute time 20180102"); + isnt(date_20180102 = 
CFDateCreate(kCFAllocatorDefault, at), NULL, "create verify date 20180102"); + + /* Case 1: leaf_na_ok1 (not revoked) */ + /* -- was OK: cert issued 2017-10-20, before the CA not-after date of 2017-10-21 */ + /* -- now BAD: since a not-after date now requires CT and the test cert has no SCT, this is fatal. */ + test_valid_trust(leaf_na_ok1, ca_na, anchors, date_20180102, kSecTrustResultFatalTrustFailure, "leaf_na_ok1 test"); + + /* Case 2: leaf_na_ok2 (revoked) */ + /* -- BAD: cert issued 2017-10-26, after the CA not-after date of 2017-10-21 */ + test_valid_trust(leaf_na_ok2, ca_na, anchors, date_20180102, kSecTrustResultFatalTrustFailure, "leaf_na_ok2 test"); + + /* Case 3: leaf_nb_ok1 (revoked) */ + /* -- BAD: cert issued 2017-10-20, before the CA not-before date of 2017-10-22 */ + test_valid_trust(leaf_nb_ok1, ca_nb, anchors, date_20180102, kSecTrustResultFatalTrustFailure, "leaf_nb_ok1 test"); + + /* Case 4: leaf_nb_ok2 (not revoked) */ + /* -- OK: cert issued 2017-10-26, after the CA not-before date of 2017-10-22 */ + test_valid_trust(leaf_nb_ok2, ca_nb, anchors, date_20180102, kSecTrustResultUnspecified, "leaf_nb_ok2 test"); + + /* Case 5: leaf_nb_revoked1 (revoked) */ + /* -- BAD: cert issued 2017-10-20, before the CA not-before date of 2017-10-22 */ + test_valid_trust(leaf_nb_revoked1, ca_nb, anchors, date_20180102, kSecTrustResultFatalTrustFailure, "leaf_nb_revoked1 test"); + + CFReleaseSafe(ca_na); + CFReleaseSafe(ca_nb); + CFReleaseSafe(root); + CFReleaseSafe(leaf_na_ok1); + CFReleaseSafe(leaf_na_ok2); + CFReleaseSafe(leaf_nb_ok1); + CFReleaseSafe(leaf_nb_ok2); + CFReleaseSafe(leaf_nb_revoked1); + CFReleaseSafe(anchors); + CFReleaseSafe(cal); + CFReleaseSafe(date_20180102); +} + + +int si_88_sectrust_valid(int argc, char *const *argv) +{ + plan_tests(52); + + tests(); + + return 0; +} diff --git a/OSX/trustd/iOS/entitlements.plist b/OSX/trustd/iOS/entitlements.plist index 8513f430..dd43167f 100644 --- a/OSX/trustd/iOS/entitlements.plist 
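Review bot: In `test_valid_trust`, `SecTrustResultType trustResult;` has no initializer and is still read by `ok(trustResult == expected, ...)` when `SecTrustEvaluate` fails, so a failed evaluation compares an indeterminate value and the check can pass or fail arbitrarily. Initialize it so that a failed evaluation can never match an expected result: `SecTrustResultType trustResult = kSecTrustResultInvalid;`. Separately, `assert(trust); // silence analyzer` aborts the whole regression binary rather than failing one test, and disappears when NDEBUG is defined; a short comment stating that trade-off would help, as would replacing the bare `plan_tests(52)` with a comment showing how the count is derived from the five cases.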
+++ b/OSX/trustd/iOS/entitlements.plist @@ -19,6 +19,7 @@ com.apple.private.assets.accessible-asset-types com.apple.MobileAsset.CertificatePinning + com.apple.MobileAsset.PKITrustSupplementals seatbelt-profiles diff --git a/OSX/trustd/macOS/SecTrustOSXEntryPoints.h b/OSX/trustd/macOS/SecTrustOSXEntryPoints.h index 3f44a3a4..6dd6529b 100644 --- a/OSX/trustd/macOS/SecTrustOSXEntryPoints.h +++ b/OSX/trustd/macOS/SecTrustOSXEntryPoints.h @@ -39,6 +39,7 @@ void SecTrustLegacySourcesListenForKeychainEvents(void); OSStatus SecTrustLegacyCRLStatus(SecCertificateRef cert, CFArrayRef chain, CFURLRef currCRLDP); typedef struct async_ocspd_s { + uint64_t start_time; void (*completed)(struct async_ocspd_s *ocspd); void *info; OSStatus response; diff --git a/OSX/trustd/macOS/entitlements.plist b/OSX/trustd/macOS/entitlements.plist index d8fc3a06..3dbd2c88 100644 --- a/OSX/trustd/macOS/entitlements.plist +++ b/OSX/trustd/macOS/entitlements.plist @@ -15,6 +15,7 @@ com.apple.private.assets.accessible-asset-types com.apple.MobileAsset.CertificatePinning + com.apple.MobileAsset.PKITrustSupplementals diff --git a/OSX/trustd/trustd.c b/OSX/trustd/trustd.c index 6975da25..2fd55127 100644 --- a/OSX/trustd/trustd.c +++ b/OSX/trustd/trustd.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * Copyright (c) 2017-2018 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -31,12 +31,14 @@ #include #include #include +#include #include #include #include #include #include +#include #include #include @@ -47,12 +49,14 @@ #include #include #include +#include #include #include #include #include #include #include +#include #if TARGET_OS_OSX #include 
@@ -69,17 +73,29 @@ static struct trustd trustd_spi = { .sec_trust_store_remove_certificate = SecTrustStoreRemoveCertificateWithDigest, .sec_truststore_remove_all = _SecTrustStoreRemoveAll, .sec_trust_evaluate = SecTrustServerEvaluate, - .sec_ota_pki_asset_version = SecOTAPKIGetCurrentAssetVersion, + .sec_ota_pki_trust_store_version = SecOTAPKIGetCurrentTrustStoreVersion, .ota_CopyEscrowCertificates = SecOTAPKICopyCurrentEscrowCertificates, .sec_ota_pki_get_new_asset = SecOTAPKISignalNewAsset, .sec_trust_store_copy_all = _SecTrustStoreCopyAll, .sec_trust_store_copy_usage_constraints = _SecTrustStoreCopyUsageConstraints, + .sec_ocsp_cache_flush = SecOCSPCacheFlush, + .sec_tls_analytics_report = SecTLSAnalyticsReport, }; -static bool SecXPCDictionarySetChainOptional(xpc_object_t message, const char *key, SecCertificatePathRef path, CFErrorRef *error) { +static bool SecXPCDictionarySetChainOptional(xpc_object_t message, const char *key, CFArrayRef path, CFErrorRef *error) { if (!path) return true; - xpc_object_t xpc_chain = SecCertificatePathCopyXPCArray(path, error); + __block xpc_object_t xpc_chain = NULL; + require_action_quiet(xpc_chain = xpc_array_create(NULL, 0), exit, SecError(errSecParam, error, CFSTR("xpc_array_create failed"))); + CFArrayForEach(path, ^(const void *value) { + SecCertificateRef cert = (SecCertificateRef)value; + if (xpc_chain && !SecCertificateAppendToXPCArray(cert, xpc_chain, error)) { + xpc_release(xpc_chain); + xpc_chain = NULL; + } + }); + +exit: if (!xpc_chain) return false; 
@@ -189,32 +205,30 @@ static bool SecXPCTrustStoreSetTrustSettings(xpc_object_t event, xpc_object_t re } static bool SecXPCTrustStoreRemoveCertificate(xpc_object_t event, xpc_object_t reply, CFErrorRef *error) { - bool noError = false; SecTrustStoreRef ts = SecXPCDictionaryGetTrustStore(event, kSecXPCKeyDomain, error); if (ts) { CFDataRef digest = SecXPCDictionaryCopyData(event, kSecXPCKeyDigest, error); if (digest) { bool result = SecTrustStoreRemoveCertificateWithDigest(ts, digest, error); xpc_dictionary_set_bool(reply, kSecXPCKeyResult, result); - noError = true; CFReleaseNull(digest); + return true; } } - return noError; + return false; } static bool SecXPCTrustStoreCopyAll(xpc_object_t event, xpc_object_t reply, CFErrorRef *error) { - bool result = false; SecTrustStoreRef ts = SecXPCDictionaryGetTrustStore(event, kSecXPCKeyDomain, error); if (ts) { CFArrayRef trustStoreContents = NULL; if(_SecTrustStoreCopyAll(ts, &trustStoreContents, error) && trustStoreContents) { SecXPCDictionarySetPList(reply, kSecXPCKeyResult, trustStoreContents, error); CFReleaseNull(trustStoreContents); - result = true; + return true; } } - return result; + return false; } static bool SecXPCTrustStoreCopyUsageConstraints(xpc_object_t event, xpc_object_t reply, CFErrorRef *error) { @@ -235,8 +249,15 @@ static bool SecXPCTrustStoreCopyUsageConstraints(xpc_object_t event, xpc_object_ return result; } +static bool SecXPC_OCSPCacheFlush(xpc_object_t __unused event, xpc_object_t __unused reply, CFErrorRef *error) { + if(SecOCSPCacheFlush(error)) { + return true; + } + return false; +} + static bool SecXPC_OTAPKI_GetAssetVersion(xpc_object_t __unused event, xpc_object_t reply, CFErrorRef *error) { - xpc_dictionary_set_int64(reply, kSecXPCKeyResult, SecOTAPKIGetCurrentAssetVersion(error)); + xpc_dictionary_set_uint64(reply, kSecXPCKeyResult, SecOTAPKIGetCurrentTrustStoreVersion(error)); return true; } 
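Review bot: `SecXPCTrustStoreCopyAll` now returns `true` immediately after `SecXPCDictionarySetPList(...)` without checking that call's result, so a failure to serialize the trust store contents is reported to the dispatcher as success. Capture the result, e.g. `bool ok = SecXPCDictionarySetPList(reply, kSecXPCKeyResult, trustStoreContents, error);` followed by `CFReleaseNull(trustStoreContents); return ok;`. The ignored result predates this commit, but the new early `return true` makes it the only exit on the success path.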
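Review bot: `SecXPC_OCSPCacheFlush` never writes `kSecXPCKeyResult` into `reply`, unlike the neighbouring handlers, so a client that reads the result key gets nothing back; whether the client does so is not visible here. The `if`/`return true`/`return false` ladder can also collapse into `bool ok = SecOCSPCacheFlush(error); xpc_dictionary_set_bool(reply, kSecXPCKeyResult, ok); return ok;`, which means dropping `__unused` from `reply`.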
@@ -255,10 +276,22 @@ static bool SecXPC_OTAPKI_GetEscrowCertificates(xpc_object_t event, xpc_object_t } static bool SecXPC_OTAPKI_GetNewAsset(xpc_object_t __unused event, xpc_object_t reply, CFErrorRef *error) { - xpc_dictionary_set_int64(reply, kSecXPCKeyResult, SecOTAPKISignalNewAsset(error)); + xpc_dictionary_set_uint64(reply, kSecXPCKeyResult, SecOTAPKISignalNewAsset(error)); return true; } +static bool SecXPC_TLS_AnalyticsReport(xpc_object_t event, xpc_object_t reply, CFErrorRef *error) { + xpc_object_t attributes = xpc_dictionary_get_dictionary(event, kSecTrustEventAttributesKey); + CFStringRef eventName = SecXPCDictionaryCopyString(event, kSecTrustEventNameKey, error); + bool result = false; + if (attributes && eventName) { + result = SecTLSAnalyticsReport(eventName, attributes, error); + } + xpc_dictionary_set_bool(reply, kSecXPCKeyResult, result); + CFReleaseNull(eventName); + return result; +} + typedef bool(*SecXPCOperationHandler)(xpc_object_t event, xpc_object_t reply, CFErrorRef *error); typedef struct { @@ -272,9 +305,11 @@ struct trustd_operations { SecXPCServerOperation trust_store_remove_certificate; SecXPCServerOperation trust_store_copy_all; SecXPCServerOperation trust_store_copy_usage_constraints; - SecXPCServerOperation ota_pki_asset_version; + SecXPCServerOperation ocsp_cache_flush; + SecXPCServerOperation ota_pki_trust_store_version; SecXPCServerOperation ota_pki_get_escrow_certs; SecXPCServerOperation ota_pki_get_new_asset; + SecXPCServerOperation tls_analytics_report; }; static struct trustd_operations trustd_ops = { 
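Review bot: In `SecXPC_TLS_AnalyticsReport`, a message that carries an event name but no `kSecTrustEventAttributesKey` dictionary makes the handler return `false` without filling `*error`, so the failure reaches the caller with no reason attached. Add an explicit branch before the call, such as `if (!attributes) { SecError(errSecParam, error, CFSTR("missing analytics attributes")); }`. The attributes dictionary comes straight from the client, so a comment stating that `SecTLSAnalyticsReport` is expected to validate its keys and value types would also help; that function is not part of this hunk.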
@@ -283,9 +318,11 @@ static struct trustd_operations trustd_ops = { .trust_store_remove_certificate = { kSecEntitlementModifyAnchorCertificates, SecXPCTrustStoreRemoveCertificate }, .trust_store_copy_all = { kSecEntitlementModifyAnchorCertificates, SecXPCTrustStoreCopyAll }, .trust_store_copy_usage_constraints = { kSecEntitlementModifyAnchorCertificates, SecXPCTrustStoreCopyUsageConstraints }, - .ota_pki_asset_version = { NULL, SecXPC_OTAPKI_GetAssetVersion }, + .ocsp_cache_flush = { NULL, SecXPC_OCSPCacheFlush }, + .ota_pki_trust_store_version = { NULL, SecXPC_OTAPKI_GetAssetVersion }, .ota_pki_get_escrow_certs = { NULL, SecXPC_OTAPKI_GetEscrowCertificates }, .ota_pki_get_new_asset = { NULL, SecXPC_OTAPKI_GetNewAsset }, + .tls_analytics_report = { NULL, SecXPC_TLS_AnalyticsReport }, }; static void trustd_xpc_dictionary_handler(const xpc_connection_t connection, xpc_object_t event) { @@ -350,7 +387,7 @@ static void trustd_xpc_dictionary_handler(const xpc_connection_t connection, xpc SecTrustServerEvaluateBlock(clientAuditToken, certificates, anchors, anchorsOnly, keychainsAllowed, policies, responses, scts, trustedLogs, verifyTime, client.accessGroups, exceptions, - ^(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info, SecCertificatePathRef chain, + ^(SecTrustResultType tr, CFArrayRef details, CFDictionaryRef info, CFArrayRef chain, CFErrorRef replyError) { // Send back reply now if (replyError) { 
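Review bot: The two new table entries, `.ocsp_cache_flush = { NULL, SecXPC_OCSPCacheFlush }` and `.tls_analytics_report = { NULL, SecXPC_TLS_AnalyticsReport }`, name no entitlement, while the trust-store operations just above them require `kSecEntitlementModifyAnchorCertificates`. If a NULL entitlement means "no check" in the dispatcher (that code is outside this hunk), any process able to connect to the service can discard cached OCSP responses, forcing revocation data to be fetched again, and can feed events into the analytics store. Flushing the cache changes daemon state and would be better gated by an entitlement. If leaving it open is intentional, a comment beside the entry such as `/* no entitlement: a flush only costs a refetch */` would record that decision.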
@@ -372,7 +409,39 @@ static void trustd_xpc_dictionary_handler(const xpc_connection_t connection, xpc } else { secdebug("ipc", "%@ %@ responding %@", client.task, SOSCCGetOperationDescription((enum SecXPCOperation)operation), asyncReply); } +#if TARGET_OS_IPHONE + // Ensure that we remain dirty for two seconds after ending the client's transaction to avoid jetsam loops. + // Refer to rdar://problem/38044831 for more details. + static dispatch_queue_t dirty_timer_queue = NULL; + static dispatch_source_t dirty_timer = NULL; + static bool has_transcation = false; + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + dirty_timer_queue = dispatch_queue_create("dirty timer queue", DISPATCH_QUEUE_SERIAL); + dirty_timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, 0, 0, dirty_timer_queue); + dispatch_source_set_event_handler(dirty_timer, ^{ + /* timer fired, end the transaction */ + os_assumes(has_transcation); + xpc_transaction_end(); + has_transcation = false; + }); + }); + dispatch_sync(dirty_timer_queue, ^{ + /* reset the timer for 2 seconds from now */ + dispatch_source_set_timer(dirty_timer, dispatch_time(DISPATCH_TIME_NOW, 2 * NSEC_PER_SEC), + DISPATCH_TIME_FOREVER, 100 * NSEC_PER_MSEC); + if (!has_transcation) { + /* timer is not running/not holding a transaction, start transaction */ + xpc_transaction_begin(); + has_transcation = true; + } + static dispatch_once_t onceToken2; + dispatch_once(&onceToken2, ^{ + dispatch_resume(dirty_timer); + }); + }); +#endif xpc_connection_send_message(connection, asyncReply); xpc_release(asyncReply); xpc_release(connection); 
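Review bot: The flag added in the `#if TARGET_OS_IPHONE` block is spelled `has_transcation` throughout; rename it to `has_transaction` (`static bool has_transaction = false;`). The block also puts several function-local statics and two `dispatch_once` tokens inside the reply block of `trustd_xpc_dictionary_handler`, which starts and ends outside this hunk. Moving them into a small file-scope helper would keep the pairing of `xpc_transaction_begin()` and `xpc_transaction_end()` readable in one place. A comment stating that the flag is only read and written on `dirty_timer_queue` would document why no further locking is needed, which appears to be the intent.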
@@ -405,8 +474,11 @@ static void trustd_xpc_dictionary_handler(const xpc_connection_t connection, xpc case sec_trust_store_copy_usage_constraints_id: server_op = &trustd_ops.trust_store_copy_usage_constraints; break; - case sec_ota_pki_asset_version_id: - server_op = &trustd_ops.ota_pki_asset_version; + case sec_ocsp_cache_flush_id: + server_op = &trustd_ops.ocsp_cache_flush; + break; + case sec_ota_pki_trust_store_version_id: + server_op = &trustd_ops.ota_pki_trust_store_version; break; case kSecXPCOpOTAGetEscrowCertificates: server_op = &trustd_ops.ota_pki_get_escrow_certs; @@ -414,6 +486,8 @@ static void trustd_xpc_dictionary_handler(const xpc_connection_t connection, xpc case kSecXPCOpOTAPKIGetNewAsset: server_op = &trustd_ops.ota_pki_get_new_asset; break; + case kSecXPCOpTLSAnaltyicsReport: + server_op = &trustd_ops.tls_analytics_report; default: break; } 
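Review bot: The new `case kSecXPCOpTLSAnaltyicsReport:` has no `break;` and falls through into `default:`. That is harmless today because `default` only breaks, but a case added below it later would silently overwrite `server_op`; add `break;` after `server_op = &trustd_ops.tls_analytics_report;`. The constant's name also reads "Analtyics", which looks like a typo in its definition outside this hunk.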
@@ -493,56 +567,77 @@ static void trustd_xpc_init(const char *service_name) xpc_connection_resume(listener); } -static void trustd_delete_old_files(void) { - -#if TARGET_OS_EMBEDDED - if (getuid() != 64) // _securityd -#else - if (getuid() != 0) -#endif - { return; } - /* If we get past this line, then we can attempt to delete old revocation files; - otherwise we won't have sufficient privilege. */ - - /* We try to clean up after ourselves, but don't care if we succeed. */ - WithPathInRevocationInfoDirectory(CFSTR("update-current"), ^(const char *utf8String) { +static void trustd_delete_old_sqlite_keychain_files(CFStringRef baseFilename) { + WithPathInKeychainDirectory(baseFilename, ^(const char *utf8String) { (void)remove(utf8String); }); - WithPathInRevocationInfoDirectory(CFSTR("update-full"), ^(const char *utf8String) { + CFStringRef shmFile = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@-shm"), baseFilename); + WithPathInKeychainDirectory(shmFile, ^(const char *utf8String) { (void)remove(utf8String); }); - WithPathInRevocationInfoDirectory(CFSTR("update-full.gz"), ^(const char *utf8String) { + CFReleaseNull(shmFile); + CFStringRef walFile = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@-wal"), baseFilename); + WithPathInKeychainDirectory(walFile, ^(const char *utf8String) { (void)remove(utf8String); }); + CFReleaseNull(walFile); + CFStringRef journalFile = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@-journal"), baseFilename); + WithPathInKeychainDirectory(journalFile, ^(const char *utf8String) { + (void)remove(utf8String); + }); + CFReleaseNull(journalFile); } #if TARGET_OS_OSX -static void trustd_delete_old_caches(void) { - /* We try to clean up after ourselves, but don't care if we succeed. 
*/ - WithPathInKeychainDirectory(CFSTR("ocspcache.sqlite3"), ^(const char *utf8String) { +static void trustd_delete_old_sqlite_user_cache_files(CFStringRef baseFilename) { + WithPathInUserCacheDirectory(baseFilename, ^(const char *utf8String) { (void)remove(utf8String); }); - WithPathInKeychainDirectory(CFSTR("ocspcache.sqlite3-wal"), ^(const char *utf8String) { + CFStringRef shmFile = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@-shm"), baseFilename); + WithPathInUserCacheDirectory(shmFile, ^(const char *utf8String) { (void)remove(utf8String); }); - WithPathInKeychainDirectory(CFSTR("ocspcache.sqlite3-shm"), ^(const char *utf8String) { + CFReleaseNull(shmFile); + CFStringRef walFile = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@-wal"), baseFilename); + WithPathInUserCacheDirectory(walFile, ^(const char *utf8String) { (void)remove(utf8String); }); - WithPathInKeychainDirectory(CFSTR("ocspcache.sqlite3-journal"), ^(const char *utf8String) { + CFReleaseNull(walFile); + CFStringRef journalFile = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@-journal"), baseFilename); + WithPathInUserCacheDirectory(journalFile, ^(const char *utf8String) { (void)remove(utf8String); }); - WithPathInKeychainDirectory(CFSTR("caissuercache.sqlite3"), ^(const char *utf8String) { - (void)remove(utf8String); - }); - WithPathInKeychainDirectory(CFSTR("caissuercache.sqlite3-wal"), ^(const char *utf8String) { + CFReleaseNull(journalFile); +} +#endif // TARGET_OS_OSX + +static void trustd_delete_old_files(void) { + /* We try to clean up after ourselves, but don't care if we succeed. 
*/ + WithPathInRevocationInfoDirectory(CFSTR("update-current"), ^(const char *utf8String) { (void)remove(utf8String); }); - WithPathInKeychainDirectory(CFSTR("caissuercache.sqlite3-shm"), ^(const char *utf8String) { + WithPathInRevocationInfoDirectory(CFSTR("update-full"), ^(const char *utf8String) { (void)remove(utf8String); }); - WithPathInKeychainDirectory(CFSTR("caissuercache.sqlite3-journal"), ^(const char *utf8String) { + WithPathInRevocationInfoDirectory(CFSTR("update-full.gz"), ^(const char *utf8String) { (void)remove(utf8String); }); +#if TARGET_OS_IPHONE + trustd_delete_old_sqlite_keychain_files(CFSTR("trustd_health_analytics.db")); + trustd_delete_old_sqlite_keychain_files(CFSTR("trust_analytics.db")); + trustd_delete_old_sqlite_keychain_files(CFSTR("TLS_analytics.db")); +#else + trustd_delete_old_sqlite_user_cache_files(CFSTR("trustd_health_analytics.db")); + trustd_delete_old_sqlite_user_cache_files(CFSTR("trust_analytics.db")); + trustd_delete_old_sqlite_user_cache_files(CFSTR("TLS_analytics.db")); +#endif //TARGET_OS_IPHONE +} + +#if TARGET_OS_OSX +static void trustd_delete_old_caches(void) { + /* We try to clean up after ourselves, but don't care if we succeed. */ + trustd_delete_old_sqlite_keychain_files(CFSTR("ocspcache.sqlite3")); + trustd_delete_old_sqlite_keychain_files(CFSTR("caissuercache.sqlite3")); } static void trustd_sandbox(void) { @@ -597,7 +692,6 @@ static void trustd_sandbox(void) { #endif static void trustd_cfstream_init() { - /* Force legacy CFStream run loop initialization before any NSURLSession usage */ CFReadStreamRef rs = CFReadStreamCreateWithBytesNoCopy(kCFAllocatorDefault, (const UInt8*) "", 0, kCFAllocatorNull); CFReadStreamSetDispatchQueue(rs, dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0)); CFReadStreamSetDispatchQueue(rs, NULL); 
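Review bot: `trustd_delete_old_sqlite_keychain_files` and `trustd_delete_old_sqlite_user_cache_files` are the same body with only the `WithPathIn…Directory` call swapped, and neither checks the `CFStringCreateWithFormat` result before passing it on. One helper that takes the directory function and loops over the four suffixes removes the duplication and gives a single place for the NULL check. The sketch below assumes both `WithPathIn…` helpers are ordinary functions with the signature their call sites suggest; the user-cache wrapper would stay under `#if TARGET_OS_OSX`.

```c
/* Best-effort removal of an SQLite database and its -shm/-wal/-journal side files. */
static void trustd_delete_old_sqlite_files(CFStringRef baseFilename,
                                           void (*withPath)(CFStringRef, void (^)(const char *utf8String))) {
    static const char * const suffixes[] = { "", "-shm", "-wal", "-journal" };
    for (size_t i = 0; i < sizeof(suffixes) / sizeof(suffixes[0]); i++) {
        CFStringRef file = CFStringCreateWithFormat(NULL, NULL, CFSTR("%@%s"), baseFilename, suffixes[i]);
        if (!file) {
            continue; /* allocation failed; skip this name rather than pass NULL on */
        }
        withPath(file, ^(const char *utf8String) {
            (void)remove(utf8String);
        });
        CFReleaseNull(file);
    }
}

static void trustd_delete_old_sqlite_keychain_files(CFStringRef baseFilename) {
    trustd_delete_old_sqlite_files(baseFilename, WithPathInKeychainDirectory);
}
/* … unchanged: trustd_delete_old_files and trustd_delete_old_caches call sites … */
```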
@@ -636,11 +730,12 @@ int main(int argc, char *argv[]) * After we enter the sandbox, we won't be able to access them. */ trustd_delete_old_caches(); #endif - /* Also clean up old files in /Library/Keychains/crls */ - trustd_delete_old_files(); trustd_sandbox(); + /* Also clean up old files in our sandbox. After sandboxing, so that user dir suffix is set. */ + trustd_delete_old_files(); + const char *serviceName = kTrustdXPCServiceName; if (argc > 1 && (!strcmp(argv[1], "--agent"))) { serviceName = kTrustdAgentXPCServiceName; @@ -649,17 +744,20 @@ int main(int argc, char *argv[]) /* set up SQLite before some other component has a chance to create a database connection */ _SecDbServerSetup(); - /* set up revocation database if it doesn't already exist, or needs to be replaced */ - SecRevocationDbInitialize(); + /* Force legacy CFStream run loop initialization before any NSURLSession usage */ + trustd_cfstream_init(); gTrustd = &trustd_spi; - SecPolicyServerInitialize(); - SecPinningDbInitialize(); + + /* Initialize static content */ + SecPolicyServerInitialize(); // set up callbacks for policy checks + SecRevocationDbInitialize(); // set up revocation database if it doesn't already exist, or needs to be replaced + SecPinningDbInitialize(); // set up the pinning database #if TARGET_OS_OSX - SecTrustLegacySourcesListenForKeychainEvents(); + SecTrustLegacySourcesListenForKeychainEvents(); // set up the legacy keychain event listeners (for cache invalidation) #endif - trustd_cfstream_init(); - trustd_xpc_init(serviceName); + /* We're ready now. Go. */ + trustd_xpc_init(serviceName); dispatch_main(); } diff --git a/OSX/utilities/SecurityTool/security_tool_commands.h b/OSX/utilities/SecurityTool/security_tool_commands.h index 78ad8e3a..b6d601c9 100644 --- a/OSX/utilities/SecurityTool/security_tool_commands.h +++ b/OSX/utilities/SecurityTool/security_tool_commands.h 
@@ -21,6 +21,7 @@ * @APPLE_LICENSE_HEADER_END@ */ +#define SHOW_USAGE_MESSAGE 2 // This is included to make SECURITY_COMMAND macros result in declarations of // commands for use in SecurityTool @@ -40,5 +41,4 @@ #define SECURITY_COMMAND_MAC(name, function, parameters, description) extern int command_not_on_this_platform(int argc, char * const *argv); #endif - #endif diff --git a/OSX/utilities/src/SecCFError.c b/OSX/utilities/src/SecCFError.c index 0aebede6..39caa712 100644 --- a/OSX/utilities/src/SecCFError.c +++ b/OSX/utilities/src/SecCFError.c @@ -175,6 +175,7 @@ bool SecCFCreateErrorWithFormat(CFIndex errorCode, CFStringRef domain, CFErrorRe return result; } +// Also consumes whatever newError points to bool SecCFCreateErrorWithFormatAndArguments(CFIndex errorCode, CFStringRef domain, CF_CONSUMED CFErrorRef previousError, CFErrorRef *newError, CFDictionaryRef formatoptions, CFStringRef format, va_list args) @@ -186,12 +187,19 @@ bool SecCFCreateErrorWithFormatAndArguments(CFIndex errorCode, CFStringRef domai const void* values[2] = { formattedString, previousError }; const CFIndex numEntriesToUse = (previousError != NULL) ? 2 : 1; + // Prepare to release whatever we replaced, as long as they didn't tell us to do so via previousError + // In a sane world, this function wouldn't have a previousError argument, since it should always release what it's replacing, + // but changing all callsites is a huge change + CFErrorRef replacing = ((*newError) == previousError) ? NULL : *newError; + *newError = CFErrorCreateWithUserInfoKeysAndValues(kCFAllocatorDefault, domain, errorCode, keys, values, numEntriesToUse); CFReleaseNull(formattedString); if (previousError) secdebug("error_thee_well", "encapsulated %@ with new error: %@", previousError, *newError); + + CFReleaseNull(replacing); CFReleaseNull(previousError); } else { if (previousError && newError && (previousError != *newError)) { 
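Review bot: The added comment `// Also consumes whatever newError points to` understates an ownership change in `SecCFCreateErrorWithFormatAndArguments`: the function now releases the error already stored in `*newError` unless it is the same object as `previousError`. A caller that holds only a borrowed reference in `*newError` would see it over-released, so the contract should be spelled out, for example `// Releases the error previously stored in *newError (the caller must own it) unless it is previousError, which is consumed separately.` The condition guarding this branch is outside the hunk, so whether `newError` can be NULL at the new `*newError` read cannot be confirmed from here.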
diff --git a/OSX/utilities/src/SecCFWrappers.h b/OSX/utilities/src/SecCFWrappers.h index 9598944e..b54b4c24 100644 --- a/OSX/utilities/src/SecCFWrappers.h +++ b/OSX/utilities/src/SecCFWrappers.h @@ -424,7 +424,7 @@ static inline char *CFStringToCString(CFStringRef inStr) // need to extract into buffer CFIndex length = CFStringGetLength(inStr); // in 16-bit character units - size_t len = CFStringGetMaximumSizeForEncoding(length, kCFStringEncodingUTF8); + size_t len = CFStringGetMaximumSizeForEncoding(length, kCFStringEncodingUTF8) + 1; char *buffer = (char *)malloc(len); // pessimistic if (!CFStringGetCString(inStr, buffer, len, kCFStringEncodingUTF8)) buffer[0] = 0; diff --git a/OSX/utilities/src/SecDb.c b/OSX/utilities/src/SecDb.c index f9e75861..814cb4f1 100644 --- a/OSX/utilities/src/SecDb.c +++ b/OSX/utilities/src/SecDb.c @@ -95,6 +95,7 @@ struct __OpaqueSecDb { bool readWrite; /* open database read-write, default true */ bool allowRepair; /* allow database repair, default true */ bool useWAL; /* use WAL mode, default true */ + void (^corruptionReset)(void); }; // MARK: Error domains and error helper functions @@ -262,6 +263,7 @@ SecDbCreateWithOptions(CFStringRef dbName, mode_t mode, bool readWrite, bool all db->readWrite = readWrite; db->allowRepair = allowRepair; db->useWAL = useWAL; + db->corruptionReset = NULL; done: return db; 
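Review bot: In `CFStringToCString`, `CFStringGetMaximumSizeForEncoding` returns `kCFNotFound` (-1) when the size does not fit in a `CFIndex`, and with the added `+ 1` that becomes a `len` of 0. `malloc(0)` may return a non-NULL zero-byte block, `CFStringGetCString` then fails, and `buffer[0] = 0` writes past the allocation. The `malloc` result is also dereferenced unchecked on the same failure path. Check both, e.g. `CFIndex max = CFStringGetMaximumSizeForEncoding(length, kCFStringEncodingUTF8); if (max == kCFNotFound) return NULL;` and `if (!buffer) return NULL;`. The function starts above this hunk, so how its callers treat a NULL return needs checking before adopting this.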
@@ -406,17 +408,7 @@ static bool SecDbDidCreateFirstConnection(SecDbConnectionRef dbconn, bool didCre void SecDbCorrupt(SecDbConnectionRef dbconn, CFErrorRef error) { - CFStringRef str = CFStringCreateWithFormat(NULL, NULL, CFSTR("SecDBCorrupt: %@"), error); - if (str) { - char buffer[1000] = "?"; - uint32_t errorCode = 0; - CFStringGetCString(str, buffer, sizeof(buffer), kCFStringEncodingUTF8); - os_log_fault(secLogObjForScope("SecEmergency"), "%s", buffer); - if (error) - errorCode = (uint32_t)CFErrorGetCode(error); - __security_simulatecrash(str, __sec_exception_code_CorruptDb(errorCode)); - CFRelease(str); - } + os_log_fault(secLogObjForScope("SecEmergency"), "SecDBCorrupt: %@", error); dbconn->isCorrupted = true; CFRetainAssign(dbconn->corruptionError, error); } @@ -873,9 +865,25 @@ static bool SecDbHandleCorrupt(SecDbConnectionRef dbconn, int rc, CFErrorRef *er ok = dbconn->db->opened(dbconn->db, dbconn, true, &dbconn->db->callOpenedHandlerForNextConnection, error); } + if (dbconn->db->corruptionReset) { + dbconn->db->corruptionReset(); + } + return ok; } +void +SecDbSetCorruptionReset(SecDbRef db, void (^corruptionReset)(void)) +{ + if (db->corruptionReset) { + Block_release(db->corruptionReset); + db->corruptionReset = NULL; + } + if (corruptionReset) { + db->corruptionReset = Block_copy(corruptionReset); + } +} + static bool SecDbLoggingEnabled(CFStringRef type) { CFTypeRef profile = NULL; 
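Review bot: `SecDbSetCorruptionReset` swaps `db->corruptionReset` with no visible synchronization, while `SecDbHandleCorrupt` reads and invokes the same field. If the setter runs while corruption is being handled on another thread, `Block_release` can free the block that is about to be called. Either document the restriction on the setter, e.g. `// Not thread-safe: install before the first connection is acquired.`, or perform the swap on the queue that serializes corruption handling. `SecDbHandleCorrupt` starts outside this hunk and calls the block regardless of `ok`, so a comment saying whether the reset should run after a failed recovery would also help.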
@@ -1027,16 +1035,33 @@ static void SecDbConectionSetReadOnly(SecDbConnectionRef dbconn, bool readOnly) /* Read only connections go to the end of the queue, writeable connections go to the start of the queue. */ SecDbConnectionRef SecDbConnectionAcquire(SecDbRef db, bool readOnly, CFErrorRef *error) { + SecDbConnectionRef dbconn = NULL; + SecDbConnectionAcquireRefMigrationSafe(db, readOnly, &dbconn, error); + return dbconn; +} + +bool SecDbConnectionAcquireRefMigrationSafe(SecDbRef db, bool readOnly, SecDbConnectionRef* dbconnRef, CFErrorRef *error) +{ CFRetain(db); secinfo("dbconn", "acquire %s connection", readOnly ? "ro" : "rw"); dispatch_semaphore_wait(readOnly ? db->read_semaphore : db->write_semaphore, DISPATCH_TIME_FOREVER); __block SecDbConnectionRef dbconn = NULL; __block bool ok = true; __block bool ranOpenedHandler = false; + + bool (^assignDbConn)(SecDbConnectionRef) = ^bool(SecDbConnectionRef connection) { + dbconn = connection; + if (dbconnRef) { + *dbconnRef = connection; + } + + return dbconn != NULL; + }; + dispatch_sync(db->queue, ^{ if (!db->didFirstOpen) { bool didCreate = false; - ok = dbconn = SecDbConnectionCreate(db, false, error); + ok = assignDbConn(SecDbConnectionCreate(db, false, error)); CFErrorRef localError = NULL; if (ok && !SecDbOpenHandle(dbconn, &didCreate, &localError)) { secerror("Unable to create database: %@", localError); @@ -1064,9 +1089,8 @@ SecDbConnectionRef SecDbConnectionAcquire(SecDbRef db, bool readOnly, CFErrorRef CFIndex count = CFArrayGetCount(db->connections); while (count && !dbconn) { CFIndex ix = readOnly ? count - 1 : 0; - dbconn = (SecDbConnectionRef)CFArrayGetValueAtIndex(db->connections, ix); - if (dbconn) - CFRetain(dbconn); + if (assignDbConn((SecDbConnectionRef)CFArrayGetValueAtIndex(db->connections, ix))) + CFRetainSafe(dbconn); else secerror("got NULL dbconn at index: %" PRIdCFIndex " skipping", ix); CFArrayRemoveValueAtIndex(db->connections, ix); 
@@ -1082,12 +1106,12 @@ SecDbConnectionRef SecDbConnectionAcquire(SecDbRef db, bool readOnly, CFErrorRef } else if (ok) { /* Nothing found in cache, create a new connection */ bool created = false; - dbconn = SecDbConnectionCreate(db, readOnly, error); - if (dbconn && !SecDbOpenHandle(dbconn, &created, error)) { + if (assignDbConn(SecDbConnectionCreate(db, readOnly, error)) && !SecDbOpenHandle(dbconn, &created, error)) { CFReleaseNull(dbconn); } } + if (dbconn && !ranOpenedHandler && dbconn->db->opened) { dispatch_sync(db->queue, ^{ if (dbconn->db->callOpenedHandlerForNextConnection) { @@ -1101,13 +1125,17 @@ SecDbConnectionRef SecDbConnectionAcquire(SecDbRef db, bool readOnly, CFErrorRef }); } + if (dbconnRef) { + *dbconnRef = dbconn; + } + if (!dbconn) { // If acquire fails we need to signal the semaphore again. dispatch_semaphore_signal(readOnly ? db->read_semaphore : db->write_semaphore); CFRelease(db); } - return dbconn; + return dbconn ? true : false; } void SecDbConnectionRelease(SecDbConnectionRef dbconn) { diff --git a/OSX/utilities/src/SecDb.h b/OSX/utilities/src/SecDb.h index d00276cf..1e86e10d 100644 --- a/OSX/utilities/src/SecDb.h +++ b/OSX/utilities/src/SecDb.h 
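Review bot: In the "create a new connection" branch, `assignDbConn(...)` has already stored the new connection in `*dbconnRef` by the time `SecDbOpenHandle` fails and `CFReleaseNull(dbconn)` drops it. That leaves the caller's variable pointing at a released object until the `if (dbconnRef) { *dbconnRef = dbconn; }` in the following hunk resets it. Nothing visible reads it in between, but clearing it at the point of release keeps the out-parameter valid throughout: add `if (dbconnRef) { *dbconnRef = NULL; }` next to `CFReleaseNull(dbconn);`. The function begins in an earlier hunk.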
@@ -107,11 +107,13 @@ SecDbRef SecDbCreateWithOptions(CFStringRef dbName, mode_t mode, bool readWrite, SecDbRef SecDbCreate(CFStringRef dbName, bool (^opened)(SecDbRef db, SecDbConnectionRef dbconn, bool didCreate, bool *callMeAgainForNextConnection, CFErrorRef *error)); void SecDbAddNotifyPhaseBlock(SecDbRef db, SecDBNotifyBlock notifyPhase); +void SecDbSetCorruptionReset(SecDbRef db, void (^corruptionReset)(void)); // Read only connections go to the end of the queue, writeable // connections go to the start of the queue. Use SecDbPerformRead() and SecDbPerformWrite() if you // can to avoid leaks. SecDbConnectionRef SecDbConnectionAcquire(SecDbRef db, bool readOnly, CFErrorRef *error); +bool SecDbConnectionAcquireRefMigrationSafe(SecDbRef db, bool readOnly, SecDbConnectionRef* dbconnRef, CFErrorRef *error); void SecDbConnectionRelease(SecDbConnectionRef dbconn); // Perform a database read operation, diff --git a/OSX/utilities/src/debugging.h b/OSX/utilities/src/debugging.h index 8c1f411d..1c1bbcc3 100644 --- a/OSX/utilities/src/debugging.h +++ b/OSX/utilities/src/debugging.h @@ -38,9 +38,7 @@ #ifndef _SECURITY_UTILITIES_DEBUGGING_H_ #define _SECURITY_UTILITIES_DEBUGGING_H_ -#if TARGET_OS_OSX -#include -#endif +#include #ifdef KERNEL #include @@ -60,7 +58,6 @@ #endif // NDEBUG #else // !KERNEL -#include #include #include diff --git a/OTAPKIAssetTool/OTAPKIAssetTool.xcconfig b/OTAPKIAssetTool/OTAPKIAssetTool.xcconfig deleted file mode 100644 index e4ac768f..00000000 --- a/OTAPKIAssetTool/OTAPKIAssetTool.xcconfig +++ /dev/null 
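Review bot: The new prototype `SecDbConnectionAcquireRefMigrationSafe` is declared without a comment, so the header does not say how it differs from `SecDbConnectionAcquire` directly above it. Judging by the SecDb.c hunks, `*dbconnRef` is assigned as soon as a connection exists and is NULL when the function returns `false`. A comment such as `// Like SecDbConnectionAcquire, but stores the connection in *dbconnRef as soon as it exists; returns false with *dbconnRef NULL on failure.` would capture that. It should also state that the caller releases the connection with `SecDbConnectionRelease`, if that is the intended pairing.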
@@ -1,16 +0,0 @@ -// -// OTAPKIAssetTool.xcconfig -// Security -// -// - -// launchd plist -APPLY_RULES_IN_COPY_FILES = YES -PLIST_FILE_OUTPUT_FORMAT = binary -LAUNCHD_PLIST_INSTALL_DIR = $(DSTROOT)$(SYSTEM_LIBRARY_DIR)/LaunchDaemons - -// We do not want to install OTAPKIAssetTool into the simulator, so only -// define this for non-sim platforms. -OTAPKIASSETTOOL_LAUNCHD_PLIST[sdk=embedded*] = OTAPKIAssetTool/com.apple.OTAPKIAssetTool.plist - -GCC_PREPROCESSOR_DEFINITIONS = $(inherited) CORECRYPTO_DONOT_USE_TRANSPARENT_UNION=1 diff --git a/OTAPKIAssetTool/OTAServiceApp.h b/OTAPKIAssetTool/OTAServiceApp.h deleted file mode 100644 index 7ad689ef..00000000 --- a/OTAPKIAssetTool/OTAServiceApp.h +++ /dev/null @@ -1,46 +0,0 @@ -// -// OTAServiceApp.h -// Security -// -// Created by local on 2/11/13. -// -// - -#import -#import - - - -@interface OTAServiceApp : NSObject -{ - NSArray* _file_list; - NSString* _manifest_file_name; - NSString* _asset_version_file_name; - NSNumber* _current_asset_version; - NSNumber* _next_asset_version; - NSString* _current_asset_directory; - NSString* _assets_directory; - NSFileManager* _fileManager; - uid_t _uid; /* user uid */ - gid_t _gid; - CFTimeInterval _asset_query_retry_interval; - bool _verbose; -} - -@property (readonly) NSArray* file_list; -@property (readonly) NSString* manifest_file_name; -@property (readonly) NSString* asset_version_file_name; -@property (readonly) NSNumber* current_asset_version; -@property (readonly) NSNumber* next_asset_version; -@property (readonly) NSString* current_asset_directory; -@property (readonly) NSString* assets_directory; -@property (readonly) NSFileManager* fileManager; -@property (readonly) uid_t uid; -@property (readonly) gid_t gid; - - -- (id)init:(int)argc withArguments:(const char**)argv; - -- (void)checkInWithActivity; - -@end diff --git a/OTAPKIAssetTool/OTAServiceApp.m b/OTAPKIAssetTool/OTAServiceApp.m deleted file mode 100644 index fb94a5a3..00000000 
--- a/OTAPKIAssetTool/OTAServiceApp.m +++ /dev/null 
@@ -1,1403 +0,0 @@ -// -// OTAServiceApp.m -// Security -// -// - - -#import "OTAServiceApp.h" - -#import -#import -#import -#import -#import -#import -#import -#import -#import -#import -#import -#import -#import -#import -#import -#import -#import -#import - -#if !TARGET_IPHONE_SIMULATOR -#import -#endif - -#import -#import -#import -#import -#import -#import -#import -#import - -#define CFReleaseSafe(CF) { CFTypeRef _cf = (CF); if (_cf) { CFRelease(_cf); } } -#define CFReleaseNull(CF) { CFTypeRef _cf = (CF); if (_cf) { (CF) = NULL; CFRelease(_cf); } } - -//#define VERBOSE_LOGGING 1 - -#if VERBOSE_LOGGING - -static void OTAPKI_LOG(const char* sz, ...) -{ - va_list va; - va_start(va, sz); - - FILE* fp = fopen("/tmp/OTAPKITool.log", "a"); - if (NULL != fp) - { - vfprintf(fp, sz, va); - fclose(fp); - } - va_end(va); -} - -#else - -#define OTAPKI_LOG(sz, ...) - -#endif - -//#define NEW_LOCATION 1 - - - -/* ========================================================================== - The following are a set of string constants used by this program. - - kBaseAssetDirectoryPath - This is the full path on the device that - will contain the Assets directory. This - directory was chosen because it is owned - by securityd - - kkManifestFileName - The file name of the manifest file for the - OTA PKI trust asset - - kAllowListFileName - The file name of the asset file that contains - hashes of the allowed leaf certificates whose - trust store root has been removed - - kAssetVersionFileName - The file name of the plist file in the asset - that contains the version number of this - OTA PKI trust asset. It is a plist that is a - dictionary with a single key with a single - key value pair that has the version number - of the asset. This is used to ensure against - anti-replay. - - kBlockKeyFileName - The file name of the asset file that contains - blocked keys. Any certificate with these keys - will be marked as not being trusted. 
- - kGrayListedKeysFileName - The file name of the asset file that contains - gray listed keys. If a chain has any of these - keys, than the chain will still be approved but - an entry will be added to the details dictionary - noting that the key was gray listed - - - kEVRootsFileName - The file name of the asset file that contains - the list of EV OIDS and their corresponding - certificates. This file sets which certs will - be considered to be EV. - - kCTLogsFileName - The file name of the asset file that contains - the list of Certificate Transparency logs and - their public keys. - - kCertsIndexFileName - The file name of the asset file that contains - a hash table of offsets into the cert table - file. This is used to look up anchor certs. - - kCertsTableFileName - The file name of the asset file that contains - all of the anchor certificates. The - kCertsIndexFileName file is used to find the - correct offset in this file to retrieve a - specific anchor certificate. - - kVersionNumberKey - The dictionary key for the kAssetVersionFileName - file to get the version number - - kVersionDirectoryNamePrefix - - The directory name prefix for all of the - asset directorys - - kPKITrustDataAssetType - The asset identifier of the OTA PKI asset - - -========================================================================== */ - -#if NEW_LOCATION -static const NSString* kBaseAssetDirectoryPath = @"/var/OTAPKI"; -#else -static const NSString* kBaseAssetDirectoryPath = @"/var/Keychains"; -#endif - -static const NSString* kManifestFileName = @"manifest.data"; -static const NSString* kAllowListFileName = @"Allowed.plist"; -static const NSString* kAssetVersionFileName = @"AssetVersion.plist"; -static const NSString* kAppleESCertificatesName = @"AppleESCertificates.plist"; -static const NSString* kBlockKeyFileName = @"Blocked.plist"; -static const NSString* kGrayListedKeysFileName = @"GrayListedKeys.plist"; -static const NSString* kEVRootsFileName = @"EVRoots.plist"; -static 
const NSString* kCTLogsFileName = @"TrustedCTLogs.plist"; -static const NSString* kCertsIndexFileName = @"certsIndex.data"; -static const NSString* kCertsTableFileName = @"certsTable.data"; -static const NSString* kVersionNumberKey = @"VersionNumber"; -static const NSString* kAssetDirectoryName = @"Assets"; -static const NSString* kAssetDirectoryUser = @"_securityd"; -static const NSString* kAssetDirectoryGroup = @"wheel"; -#if NEW_LOCATION -static const unsigned long kAssetDirectoryPermission = S_IRWXU | S_IRWXG | S_IRWXO; -#else -static const unsigned long kAssetDirectoryPermission = S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH; -#endif -static const NSString* kVersionDirectoryNamePrefix = @"Version_"; -static const NSString* kPKITrustDataAssetType =@"com.apple.MobileAsset.PKITrustServices.PKITrustData"; - -const char *kOTAPKIAssetToolActivity = "com.apple.OTAPKIAssetTool.asset-check"; -const char *kOTAPKIAssetToolBTAJob = "com.apple.BTA.OTAPKIAssetTool.asset-check"; - -static const UInt8 kApplePKISettingsRootCACert[] = { - 0x30, 0x82, 0x07, 0xca, 0x30, 0x82, 0x05, 0xb2, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x4e, - 0xa1, 0x31, 0xe7, 0xca, 0x50, 0xb8, 0x97, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x0d, 0x05, 0x00, 0x30, 0x81, 0x84, 0x31, 0x38, 0x30, 0x36, 0x06, 0x03, 0x55, - 0x04, 0x03, 0x0c, 0x2f, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x50, 0x4b, 0x49, 0x20, 0x53, 0x65, - 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, - 0x69, 0x74, 0x79, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x1d, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x13, 0x30, 0x11, 0x06, - 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 
0x49, 0x6e, 0x63, 0x2e, - 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x30, 0x1e, 0x17, - 0x0d, 0x31, 0x33, 0x30, 0x36, 0x32, 0x34, 0x32, 0x33, 0x33, 0x33, 0x33, 0x39, 0x5a, 0x17, 0x0d, - 0x34, 0x33, 0x30, 0x36, 0x31, 0x37, 0x32, 0x33, 0x33, 0x33, 0x33, 0x39, 0x5a, 0x30, 0x81, 0x84, - 0x31, 0x38, 0x30, 0x36, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x2f, 0x41, 0x70, 0x70, 0x6c, 0x65, - 0x20, 0x50, 0x4b, 0x49, 0x20, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x20, 0x52, 0x6f, - 0x6f, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, - 0x55, 0x04, 0x0b, 0x0c, 0x1d, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, - 0x74, 0x79, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, 0x70, - 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, - 0x13, 0x02, 0x55, 0x53, 0x30, 0x82, 0x02, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x02, 0x0f, 0x00, 0x30, 0x82, 0x02, 0x0a, - 0x02, 0x82, 0x02, 0x01, 0x00, 0xce, 0x15, 0xf7, 0x6f, 0xd8, 0x42, 0x0c, 0x6f, 0x45, 0xb4, 0x04, - 0x59, 0x24, 0xcb, 0x70, 0x88, 0x84, 0x77, 0xa1, 0x91, 0x54, 0xf4, 0x87, 0x61, 0xb3, 0xd3, 0xfc, - 0xbe, 0xb6, 0x05, 0x3c, 0xb9, 0xb7, 0x7d, 0x7c, 0xbc, 0x0b, 0xe8, 0x87, 0x07, 0xcf, 0x20, 0xbe, - 0xaa, 0xeb, 0x24, 0xc5, 0xe4, 0x5c, 0xcd, 0xcb, 0x89, 0x9f, 0x7a, 0xea, 0xb4, 0x5d, 0x3b, 0x29, - 0x6c, 0xba, 0x4d, 0x15, 0xfb, 0x59, 0xd0, 0x5a, 0xea, 0x41, 0x4e, 0x0d, 0x1d, 0xf7, 0x66, 0x77, - 0xa2, 0x96, 0x56, 0xed, 0xd1, 0x16, 0x7b, 0xea, 0xf5, 0x60, 0xdf, 0x32, 0x9c, 0xa9, 0xfd, 0xbf, - 0xb8, 0x34, 0x6f, 0x57, 0x17, 0xe6, 0x04, 0x37, 0x71, 0x07, 0xc0, 0xe9, 0x0f, 0x3c, 0xed, 0x4f, - 0x31, 0x87, 
0x05, 0xa4, 0xed, 0xab, 0xac, 0xd6, 0x50, 0x05, 0x5b, 0xca, 0xd3, 0xf9, 0xd6, 0xaa, - 0xaa, 0x88, 0x57, 0x66, 0xf6, 0x6d, 0x8d, 0x4b, 0x71, 0x29, 0xd4, 0x3d, 0x1d, 0xbc, 0x82, 0x6e, - 0x81, 0xe9, 0x19, 0xf5, 0xe1, 0x12, 0x9f, 0x47, 0xdb, 0x5c, 0xed, 0x88, 0xba, 0x51, 0xe7, 0x3a, - 0xa0, 0x77, 0x2d, 0xe6, 0xcc, 0xb4, 0x34, 0xdf, 0xad, 0xbd, 0x7b, 0xf8, 0xa7, 0x79, 0x51, 0x2d, - 0xe6, 0xc2, 0xee, 0xd2, 0x96, 0xfa, 0x60, 0x60, 0x32, 0x40, 0x41, 0x37, 0x12, 0xeb, 0x63, 0x99, - 0x3d, 0xf3, 0x21, 0xbe, 0xdf, 0xa1, 0x77, 0xe6, 0x81, 0xa9, 0x99, 0x0c, 0x4b, 0x43, 0x0c, 0x05, - 0x6a, 0x6b, 0x8f, 0x05, 0x02, 0xd9, 0x43, 0xab, 0x72, 0x76, 0xca, 0xa7, 0x75, 0x63, 0x85, 0xe3, - 0xa5, 0x5c, 0xc0, 0xd6, 0xd4, 0x1c, 0xeb, 0xac, 0x2c, 0x9a, 0x15, 0x6b, 0x4e, 0x99, 0x74, 0x7d, - 0xd2, 0x69, 0x9f, 0xa8, 0xf7, 0x65, 0xde, 0xeb, 0x36, 0x85, 0xd5, 0x7e, 0x4a, 0x7a, 0x8a, 0xeb, - 0x7c, 0xcd, 0x43, 0x9e, 0x05, 0xdb, 0x34, 0xc3, 0x69, 0xbd, 0xc2, 0xe7, 0xfb, 0xa0, 0x43, 0xb3, - 0xd7, 0x15, 0x28, 0x8a, 0x91, 0xce, 0xd7, 0xa7, 0xa4, 0xcc, 0xf4, 0x1b, 0x37, 0x33, 0x76, 0xc4, - 0x58, 0xb9, 0x2d, 0x89, 0xe2, 0xb6, 0x2c, 0x56, 0x10, 0x96, 0xcc, 0xa6, 0x07, 0x79, 0x11, 0x7d, - 0x26, 0xd2, 0x85, 0x22, 0x19, 0x20, 0xb7, 0xef, 0xc3, 0xd9, 0x4e, 0x18, 0xf3, 0xaa, 0x05, 0xce, - 0x87, 0x99, 0xde, 0x76, 0x90, 0x08, 0x74, 0xac, 0x61, 0x31, 0xf8, 0x51, 0xa0, 0xc9, 0x70, 0xfc, - 0xb9, 0x22, 0xfe, 0xd2, 0x0d, 0xc8, 0x49, 0x64, 0x00, 0xe4, 0xf1, 0x53, 0xfd, 0xa1, 0xe6, 0xff, - 0x8e, 0xd6, 0xde, 0x9e, 0xcc, 0x3d, 0x37, 0x3a, 0x10, 0x62, 0x59, 0xb2, 0x34, 0x8a, 0x1d, 0xf7, - 0x9e, 0xa0, 0xbb, 0xf4, 0x53, 0xd9, 0xb8, 0x18, 0x88, 0x12, 0x5c, 0x92, 0x0d, 0xc9, 0x94, 0x7f, - 0x24, 0xb9, 0x9f, 0xda, 0x07, 0xb6, 0x79, 0x77, 0x09, 0xa3, 0x29, 0x3a, 0x70, 0x63, 0x3b, 0x22, - 0x42, 0x14, 0xd0, 0xf9, 0x7b, 0x90, 0x52, 0x2b, 0x3f, 0x7f, 0xb7, 0x41, 0x20, 0x0d, 0x7e, 0x70, - 0xd7, 0x88, 0x36, 0xa2, 0xe9, 0x81, 0x77, 0xf4, 0xb0, 0x15, 0x43, 0x9c, 0x5f, 0x4d, 0x3e, 0x4f, - 0x83, 0x79, 0x06, 0x73, 0x7a, 0xe7, 0xcb, 0x79, 
0x1d, 0xec, 0xa3, 0xce, 0x93, 0x5c, 0x68, 0xbf, - 0x5a, 0xe6, 0x4c, 0x23, 0x86, 0x41, 0x7f, 0xb4, 0xfc, 0xd0, 0x2c, 0x1b, 0x64, 0x39, 0x64, 0xb7, - 0xd2, 0x1d, 0xd0, 0x2d, 0x16, 0x77, 0xfe, 0x4d, 0xad, 0xf0, 0x4f, 0x38, 0xb3, 0xf9, 0x5a, 0xee, - 0x0e, 0x1d, 0xb6, 0xf9, 0x3f, 0xba, 0x77, 0x5a, 0x20, 0xd2, 0x74, 0x1a, 0x4b, 0x5a, 0xaf, 0x62, - 0xb5, 0xd3, 0xef, 0x37, 0x49, 0xfe, 0x1e, 0xcd, 0xb5, 0xba, 0xb5, 0xa6, 0x46, 0x7b, 0x38, 0x63, - 0x62, 0x3c, 0x18, 0x7d, 0x57, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x82, 0x02, 0x3c, 0x30, 0x82, - 0x02, 0x38, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x35, 0x07, 0x82, - 0xfe, 0x0e, 0x8f, 0xf5, 0xa0, 0x7c, 0x2e, 0xf9, 0x65, 0x7b, 0xa8, 0x48, 0xe8, 0x8f, 0x61, 0xb6, - 0x1c, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x05, 0x30, 0x03, 0x01, - 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x35, - 0x07, 0x82, 0xfe, 0x0e, 0x8f, 0xf5, 0xa0, 0x7c, 0x2e, 0xf9, 0x65, 0x7b, 0xa8, 0x48, 0xe8, 0x8f, - 0x61, 0xb6, 0x1c, 0x30, 0x82, 0x01, 0xd3, 0x06, 0x03, 0x55, 0x1d, 0x20, 0x04, 0x82, 0x01, 0xca, - 0x30, 0x82, 0x01, 0xc6, 0x30, 0x82, 0x01, 0xc2, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x63, - 0x64, 0x05, 0x01, 0x30, 0x82, 0x01, 0xb3, 0x30, 0x82, 0x01, 0x78, 0x06, 0x08, 0x2b, 0x06, 0x01, - 0x05, 0x05, 0x07, 0x02, 0x02, 0x30, 0x82, 0x01, 0x6a, 0x1e, 0x82, 0x01, 0x66, 0x00, 0x52, 0x00, - 0x65, 0x00, 0x6c, 0x00, 0x69, 0x00, 0x61, 0x00, 0x6e, 0x00, 0x63, 0x00, 0x65, 0x00, 0x20, 0x00, - 0x6f, 0x00, 0x6e, 0x00, 0x20, 0x00, 0x74, 0x00, 0x68, 0x00, 0x69, 0x00, 0x73, 0x00, 0x20, 0x00, - 0x63, 0x00, 0x65, 0x00, 0x72, 0x00, 0x74, 0x00, 0x69, 0x00, 0x66, 0x00, 0x69, 0x00, 0x63, 0x00, - 0x61, 0x00, 0x74, 0x00, 0x65, 0x00, 0x20, 0x00, 0x62, 0x00, 0x79, 0x00, 0x20, 0x00, 0x61, 0x00, - 0x6e, 0x00, 0x79, 0x00, 0x20, 0x00, 0x70, 0x00, 0x61, 0x00, 0x72, 0x00, 0x74, 0x00, 0x79, 0x00, - 0x20, 0x00, 0x61, 0x00, 0x73, 0x00, 0x73, 0x00, 0x75, 0x00, 0x6d, 0x00, 0x65, 0x00, 
0x73, 0x00, - 0x20, 0x00, 0x61, 0x00, 0x63, 0x00, 0x63, 0x00, 0x65, 0x00, 0x70, 0x00, 0x74, 0x00, 0x61, 0x00, - 0x6e, 0x00, 0x63, 0x00, 0x65, 0x00, 0x20, 0x00, 0x6f, 0x00, 0x66, 0x00, 0x20, 0x00, 0x74, 0x00, - 0x68, 0x00, 0x65, 0x00, 0x20, 0x00, 0x74, 0x00, 0x68, 0x00, 0x65, 0x00, 0x6e, 0x00, 0x20, 0x00, - 0x61, 0x00, 0x70, 0x00, 0x70, 0x00, 0x6c, 0x00, 0x69, 0x00, 0x63, 0x00, 0x61, 0x00, 0x62, 0x00, - 0x6c, 0x00, 0x65, 0x00, 0x20, 0x00, 0x73, 0x00, 0x74, 0x00, 0x61, 0x00, 0x6e, 0x00, 0x64, 0x00, - 0x61, 0x00, 0x72, 0x00, 0x64, 0x00, 0x20, 0x00, 0x74, 0x00, 0x65, 0x00, 0x72, 0x00, 0x6d, 0x00, - 0x73, 0x00, 0x20, 0x00, 0x61, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x20, 0x00, 0x63, 0x00, 0x6f, 0x00, - 0x6e, 0x00, 0x64, 0x00, 0x69, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6f, 0x00, 0x6e, 0x00, 0x73, 0x00, - 0x20, 0x00, 0x6f, 0x00, 0x66, 0x00, 0x20, 0x00, 0x75, 0x00, 0x73, 0x00, 0x65, 0x00, 0x2c, 0x00, - 0x20, 0x00, 0x63, 0x00, 0x65, 0x00, 0x72, 0x00, 0x74, 0x00, 0x69, 0x00, 0x66, 0x00, 0x69, 0x00, - 0x63, 0x00, 0x61, 0x00, 0x74, 0x00, 0x65, 0x00, 0x20, 0x00, 0x70, 0x00, 0x6f, 0x00, 0x6c, 0x00, - 0x69, 0x00, 0x63, 0x00, 0x79, 0x00, 0x20, 0x00, 0x61, 0x00, 0x6e, 0x00, 0x64, 0x00, 0x20, 0x00, - 0x63, 0x00, 0x65, 0x00, 0x72, 0x00, 0x74, 0x00, 0x69, 0x00, 0x66, 0x00, 0x69, 0x00, 0x63, 0x00, - 0x61, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6f, 0x00, 0x6e, 0x00, 0x20, 0x00, 0x70, 0x00, 0x72, 0x00, - 0x61, 0x00, 0x63, 0x00, 0x74, 0x00, 0x69, 0x00, 0x63, 0x00, 0x65, 0x00, 0x20, 0x00, 0x73, 0x00, - 0x74, 0x00, 0x61, 0x00, 0x74, 0x00, 0x65, 0x00, 0x6d, 0x00, 0x65, 0x00, 0x6e, 0x00, 0x74, 0x00, - 0x73, 0x00, 0x2e, 0x30, 0x35, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01, 0x16, - 0x29, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x61, 0x70, 0x70, 0x6c, - 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, - 0x65, 0x61, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, - 0x0f, 0x01, 0x01, 0xff, 
0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, - 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0d, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x6f, 0x8a, - 0xb7, 0x35, 0x73, 0x5a, 0xc5, 0x34, 0xf7, 0x8c, 0xf0, 0xd1, 0x4a, 0x17, 0x52, 0x1c, 0x70, 0xf0, - 0xe0, 0x53, 0xb4, 0x16, 0xde, 0x81, 0xda, 0x2a, 0xa4, 0xf9, 0x5b, 0x0e, 0xa6, 0x17, 0x86, 0x52, - 0xc6, 0x70, 0x73, 0xf3, 0x3f, 0x1c, 0x87, 0x94, 0xdd, 0xfe, 0x02, 0x0b, 0x85, 0xc9, 0xb9, 0xcf, - 0x15, 0x91, 0x05, 0x2e, 0x7e, 0xeb, 0xe6, 0xce, 0x0e, 0x4e, 0xd1, 0xf7, 0xe2, 0xd7, 0xf4, 0x60, - 0xd2, 0xfc, 0x1d, 0xbf, 0xad, 0x61, 0x28, 0xf8, 0x53, 0x31, 0xb3, 0x92, 0xef, 0xa4, 0x05, 0x34, - 0x97, 0x57, 0x97, 0x56, 0x3b, 0x12, 0x20, 0x2d, 0x88, 0x76, 0x81, 0x0e, 0x77, 0x85, 0xf1, 0x37, - 0xc6, 0x19, 0x8b, 0x23, 0xc2, 0x42, 0x55, 0x40, 0xc9, 0x91, 0x5c, 0x78, 0xc5, 0xe6, 0x77, 0xfe, - 0x72, 0x5f, 0xb2, 0x2c, 0x00, 0xf2, 0xe6, 0x8c, 0xcc, 0x02, 0x49, 0xd9, 0x78, 0x20, 0xae, 0xbd, - 0x75, 0x61, 0x6a, 0xaa, 0xc5, 0x71, 0x3e, 0x5d, 0x02, 0xdf, 0xd2, 0x91, 0x5c, 0x0a, 0x85, 0xc9, - 0x59, 0x7d, 0x4e, 0x89, 0x21, 0x59, 0x59, 0xe3, 0xc7, 0xdc, 0xff, 0x1e, 0x62, 0x1e, 0xb9, 0x62, - 0x2c, 0x34, 0x49, 0x15, 0xd9, 0xdf, 0x47, 0x99, 0x39, 0xcc, 0x1a, 0x01, 0xc0, 0xda, 0x48, 0x44, - 0xd4, 0x8b, 0xd3, 0x17, 0x7e, 0x39, 0xf9, 0x00, 0xe1, 0x2a, 0x46, 0xaa, 0x14, 0x22, 0xa1, 0x38, - 0x09, 0x0b, 0xb7, 0x0c, 0x88, 0xa5, 0x73, 0xfd, 0xc4, 0x6b, 0xee, 0x07, 0xb4, 0x1b, 0xb3, 0x4a, - 0xab, 0xae, 0xf6, 0xe7, 0x04, 0x61, 0x4b, 0x34, 0x7a, 0xe4, 0xff, 0xf9, 0x30, 0x28, 0x61, 0x92, - 0x52, 0x58, 0x10, 0x15, 0x3a, 0x9f, 0x0a, 0xaf, 0x15, 0x29, 0x6c, 0x67, 0xc4, 0xb4, 0xcf, 0xe6, - 0xf9, 0x46, 0x68, 0xe2, 0x2a, 0x97, 0x29, 0x16, 0xed, 0x1a, 0x9b, 0x9a, 0x45, 0x70, 0x3c, 0xf2, - 0xdf, 0x29, 0x20, 0x9e, 0x33, 0x4b, 0x5b, 0x8d, 0xf6, 0x19, 0xec, 0x4b, 0xae, 0x1a, 0x2f, 0x53, - 0x03, 0x9a, 0xfd, 0x68, 0x39, 0x58, 0xf7, 0x2e, 0x07, 0x9c, 0xf1, 0x3c, 0x1b, 0x47, 0x43, 0x19, - 0x81, 0x0e, 0x0a, 0xbb, 0x84, 0xa0, 0xda, 0x87, 0xbc, 0x8a, 
0x2a, 0xb7, 0x9c, 0xe1, 0xf9, 0xeb, - 0x37, 0xb0, 0x11, 0x20, 0x7e, 0x4c, 0x11, 0x2e, 0x54, 0x30, 0xce, 0xaf, 0x63, 0xed, 0x6a, 0x63, - 0x1f, 0x1e, 0x61, 0x62, 0x04, 0xf3, 0x3a, 0x5f, 0x26, 0x6c, 0x5c, 0xd7, 0xba, 0x4f, 0xf2, 0x61, - 0x26, 0x29, 0x99, 0xea, 0x61, 0x84, 0x0d, 0x68, 0xa2, 0x5d, 0x9b, 0x5c, 0xe7, 0x86, 0x1d, 0xef, - 0xf4, 0x6f, 0x3b, 0x6c, 0x67, 0xf0, 0x70, 0xe9, 0xc5, 0xdc, 0x0a, 0x9d, 0x0f, 0xdc, 0xcc, 0x0e, - 0x7b, 0xf8, 0xc4, 0xee, 0x64, 0xe4, 0xd9, 0x3f, 0x14, 0xae, 0x8f, 0xc8, 0x18, 0x4d, 0xa1, 0xe4, - 0x40, 0x2c, 0xe9, 0x13, 0xc6, 0xc1, 0xe0, 0xb9, 0x13, 0xbe, 0xd9, 0x93, 0x66, 0x56, 0x35, 0x5c, - 0xc1, 0x38, 0x7d, 0xa1, 0xbb, 0x87, 0xa5, 0x90, 0x33, 0x4f, 0xea, 0xb6, 0x37, 0x19, 0x61, 0x81, - 0x40, 0xba, 0xd7, 0x07, 0x69, 0x05, 0x15, 0x96, 0xe9, 0xde, 0x4f, 0x8a, 0x2b, 0x99, 0x5a, 0x17, - 0x3f, 0x9f, 0xcf, 0x86, 0xf5, 0x37, 0x0a, 0xa1, 0x0e, 0x25, 0x65, 0x2d, 0x52, 0xce, 0x87, 0x10, - 0x0f, 0x25, 0xc2, 0x1e, 0x0f, 0x71, 0x93, 0xb5, 0xc0, 0xb3, 0xb4, 0xd1, 0x65, 0xa8, 0xb4, 0xf6, - 0xa5, 0x71, 0xad, 0x45, 0xdb, 0xdf, 0xec, 0xe3, 0x2a, 0x7e, 0x99, 0x96, 0x5a, 0x5d, 0x69, 0xfa, - 0xdb, 0x13, 0x39, 0xb8, 0xf5, 0x58, 0xbb, 0x87, 0x69, 0x8d, 0x2c, 0x6d, 0x39, 0xff, 0x26, 0xce, - 0x2c, 0xa8, 0x5a, 0x7e, 0x4b, 0x3f, 0xed, 0xac, 0x5f, 0xf0, 0xef, 0x48, 0xd3, 0xf8 -}; - - -static const UInt8 kAppleTestPKISettingsRootCACert[] = { - 0x30, 0x82, 0x05, 0xd7, 0x30, 0x82, 0x03, 0xbf, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x26, - 0xfe, 0xf8, 0xda, 0x41, 0xf3, 0x61, 0x90, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x0d, 0x05, 0x00, 0x30, 0x79, 0x31, 0x2d, 0x30, 0x2b, 0x06, 0x03, 0x55, 0x04, - 0x03, 0x0c, 0x24, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x50, 0x4b, 0x49, 0x20, 0x53, 0x65, 0x74, - 0x74, 0x69, 0x6e, 0x67, 0x73, 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x20, 0x2d, 0x20, - 0x54, 0x45, 0x53, 0x54, 0x49, 0x4e, 0x47, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x0b, - 0x0c, 0x1d, 0x41, 0x70, 0x70, 0x6c, 0x65, 
0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, - 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, - 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, - 0x53, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x33, 0x30, 0x34, 0x32, 0x32, 0x32, 0x30, 0x33, 0x31, 0x34, - 0x36, 0x5a, 0x17, 0x0d, 0x34, 0x33, 0x30, 0x34, 0x31, 0x35, 0x32, 0x30, 0x33, 0x31, 0x34, 0x36, - 0x5a, 0x30, 0x79, 0x31, 0x2d, 0x30, 0x2b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x24, 0x41, 0x70, - 0x70, 0x6c, 0x65, 0x20, 0x50, 0x4b, 0x49, 0x20, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, - 0x20, 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x20, 0x2d, 0x20, 0x54, 0x45, 0x53, 0x54, 0x49, - 0x4e, 0x47, 0x31, 0x26, 0x30, 0x24, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x0c, 0x1d, 0x41, 0x70, 0x70, - 0x6c, 0x65, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x0c, 0x0a, 0x41, 0x70, 0x70, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x2e, 0x31, - 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x30, 0x82, 0x02, 0x22, - 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, - 0x82, 0x02, 0x0f, 0x00, 0x30, 0x82, 0x02, 0x0a, 0x02, 0x82, 0x02, 0x01, 0x00, 0x84, 0xbe, 0xc2, - 0x69, 0x9b, 0xec, 0xd5, 0xde, 0x72, 0xf0, 0x4f, 0x78, 0x81, 0x10, 0xa9, 0x56, 0x59, 0x77, 0x9c, - 0x46, 0x95, 0xd7, 0xb7, 0x0b, 0x77, 0x73, 0x02, 0xce, 0xf8, 0xaa, 0x32, 0x89, 0xee, 0xbe, 0xaa, - 0x40, 0x53, 0xf9, 0x2d, 0x96, 0x08, 0xcd, 0x2a, 0xa4, 0x61, 0xd4, 0xfd, 0x7d, 0x67, 0x2a, 0x35, - 0xc1, 0xfc, 0x43, 0xa4, 0x9c, 0xd0, 0xbd, 0xcd, 0x82, 0x27, 0xed, 0xa1, 0x1c, 0x2d, 0x9a, 0x62, - 0xd5, 0x99, 0xbd, 0x74, 0xaa, 0xf3, 0xce, 0x78, 0xc6, 0x47, 0x07, 0x43, 0x04, 
0x5b, 0xbc, 0x27, - 0x5e, 0x26, 0x3e, 0x77, 0x90, 0x69, 0x7a, 0xf6, 0xe0, 0x8e, 0xaa, 0xdf, 0x96, 0x12, 0x2c, 0xb2, - 0x8b, 0xb9, 0x7e, 0x17, 0xfe, 0xde, 0x99, 0x67, 0x9b, 0x50, 0x13, 0x5c, 0x8d, 0x15, 0x26, 0x0a, - 0x9f, 0x08, 0x2f, 0x3f, 0x7c, 0x01, 0x2c, 0x3e, 0xa1, 0xba, 0xb1, 0x25, 0x33, 0xe5, 0xd9, 0x39, - 0x37, 0xde, 0x06, 0x3a, 0x63, 0x48, 0xa0, 0x9d, 0x3b, 0xa5, 0x72, 0x46, 0xfb, 0x6e, 0xa2, 0xd4, - 0x74, 0xe6, 0xf1, 0xc1, 0x69, 0xc8, 0x31, 0xff, 0x58, 0x84, 0x3a, 0xc2, 0x6b, 0x9a, 0x0d, 0x19, - 0x76, 0xe4, 0xd4, 0x4d, 0x85, 0xbc, 0x84, 0xf0, 0x07, 0x75, 0x66, 0x5f, 0xd7, 0xea, 0xab, 0x9e, - 0x46, 0xf2, 0x8a, 0x29, 0xab, 0x73, 0x57, 0xaf, 0x95, 0x4f, 0xc7, 0xf3, 0x3b, 0x55, 0xb4, 0x26, - 0x57, 0x68, 0xe9, 0x5a, 0x34, 0xbb, 0xa9, 0x39, 0xb3, 0x57, 0x5f, 0x25, 0x93, 0xd6, 0x34, 0xb7, - 0xd1, 0xc4, 0xd7, 0x70, 0xed, 0x30, 0xdb, 0x21, 0xc1, 0xcc, 0xdf, 0xed, 0xec, 0x37, 0xc5, 0xdc, - 0x0b, 0xc9, 0x85, 0x46, 0x26, 0xa7, 0x51, 0xc8, 0xdd, 0xe6, 0x47, 0xfc, 0x37, 0xd6, 0x73, 0x6f, - 0x91, 0x3d, 0xef, 0xd8, 0xa4, 0xa5, 0x08, 0x32, 0x8c, 0xae, 0x8f, 0x57, 0xf7, 0x99, 0x48, 0xef, - 0x81, 0x44, 0xac, 0x80, 0x42, 0x57, 0x9f, 0x64, 0x77, 0x40, 0x2a, 0xec, 0x03, 0x21, 0x79, 0x01, - 0x0b, 0x87, 0xc3, 0x9d, 0x22, 0xc9, 0xc0, 0x69, 0xe0, 0x34, 0xff, 0x73, 0xdd, 0x1e, 0x1b, 0x0c, - 0xe0, 0x68, 0xf0, 0x8c, 0x7a, 0x4b, 0xcd, 0x1d, 0x3f, 0x38, 0x2d, 0xe8, 0x9b, 0x91, 0xa6, 0xfe, - 0xa8, 0x8b, 0x45, 0x1c, 0xdf, 0xaf, 0x49, 0x34, 0x48, 0x17, 0x02, 0x28, 0xdb, 0xe0, 0x6e, 0x74, - 0x34, 0xea, 0xac, 0x6b, 0x00, 0x45, 0x89, 0xa9, 0xb5, 0x63, 0xbd, 0x2f, 0xe0, 0x58, 0x2e, 0xd3, - 0xc2, 0x74, 0xa2, 0x37, 0x37, 0x62, 0xf6, 0x76, 0x1b, 0x3f, 0xfb, 0x98, 0x64, 0x13, 0xd6, 0x8c, - 0xa0, 0x0c, 0xbc, 0x54, 0x00, 0xe0, 0xf8, 0x63, 0x17, 0x22, 0x44, 0x36, 0xe0, 0x28, 0xa0, 0x7d, - 0x50, 0x9e, 0x50, 0x94, 0xea, 0xd7, 0x62, 0xab, 0x6d, 0x7a, 0x19, 0xa4, 0xa2, 0x74, 0x79, 0x5d, - 0x15, 0x85, 0x21, 0xfe, 0x9a, 0x35, 0x76, 0x40, 0x78, 0x01, 0xe3, 0x46, 0x2f, 0x6f, 0x2d, 0x0a, - 0x1d, 0xac, 0x2e, 
0x23, 0xec, 0xb8, 0x48, 0x74, 0xbc, 0xee, 0x29, 0x72, 0xb6, 0xe7, 0x52, 0x8c, - 0xd4, 0x1a, 0x00, 0x34, 0x75, 0x1c, 0x4b, 0x83, 0x50, 0xbb, 0x57, 0x21, 0x9b, 0xd8, 0xb4, 0x75, - 0xf3, 0x98, 0x8a, 0x9b, 0x45, 0xa8, 0x61, 0x50, 0x10, 0xb4, 0xec, 0x91, 0x2e, 0xe7, 0xf2, 0xb8, - 0xb9, 0x62, 0x70, 0xc2, 0x93, 0xe7, 0xd9, 0xf1, 0x02, 0x27, 0xd7, 0xec, 0xde, 0x5b, 0x42, 0xa1, - 0x26, 0x37, 0x41, 0x32, 0x65, 0x11, 0x63, 0x38, 0xbb, 0x6f, 0x23, 0x7a, 0xa0, 0xb7, 0x24, 0xeb, - 0xa8, 0x38, 0x8b, 0xa7, 0x73, 0xe2, 0xc8, 0x30, 0x56, 0x73, 0x6f, 0x17, 0x6e, 0x1a, 0xe5, 0x32, - 0xff, 0xd6, 0xa2, 0x08, 0x7b, 0x6a, 0x23, 0x33, 0x9f, 0x10, 0x05, 0x71, 0xdd, 0x02, 0x03, 0x01, - 0x00, 0x01, 0xa3, 0x63, 0x30, 0x61, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, - 0x14, 0xd2, 0xa5, 0x3b, 0xf2, 0x5d, 0xfd, 0x1f, 0x25, 0xda, 0xfb, 0x06, 0xfb, 0x59, 0x99, 0xc4, - 0xac, 0xc4, 0x0b, 0xac, 0x64, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, - 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, - 0x16, 0x80, 0x14, 0xd2, 0xa5, 0x3b, 0xf2, 0x5d, 0xfd, 0x1f, 0x25, 0xda, 0xfb, 0x06, 0xfb, 0x59, - 0x99, 0xc4, 0xac, 0xc4, 0x0b, 0xac, 0x64, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, - 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x0d, 0x05, 0x00, 0x03, 0x82, 0x02, 0x01, 0x00, 0x71, 0x10, 0x3c, 0x89, 0xd5, - 0xc0, 0x00, 0xdc, 0x36, 0x1d, 0x93, 0xaa, 0xab, 0x4a, 0xb6, 0xfa, 0xa8, 0x5b, 0x89, 0x1c, 0xb3, - 0x4a, 0x04, 0x2e, 0xb3, 0x25, 0x0f, 0x12, 0x07, 0x29, 0x70, 0x3d, 0x34, 0xd1, 0xdd, 0x7e, 0x30, - 0xfd, 0xf5, 0xfa, 0x94, 0xf4, 0xcb, 0xdb, 0xac, 0x1b, 0xed, 0xe5, 0x11, 0x4a, 0xc8, 0xab, 0x26, - 0xe2, 0x41, 0xcb, 0xa5, 0x74, 0x4b, 0xe1, 0xd2, 0xf3, 0x83, 0x1c, 0x7a, 0xcb, 0x29, 0xd9, 0xd2, - 0xa6, 0x9d, 0x08, 0x95, 0x73, 0x63, 0xe2, 0x9c, 0xeb, 0xa5, 0x82, 0x8b, 0x6c, 0xf4, 0x64, 0x98, - 0x03, 0x53, 0x91, 0x35, 0x04, 0x89, 0x25, 0xa0, 0x1f, 
0xdc, 0x42, 0xf7, 0x59, 0x44, 0x63, 0x75, - 0xe6, 0x49, 0x10, 0x66, 0x0f, 0x08, 0x07, 0x39, 0xc4, 0x3e, 0x1f, 0xba, 0x30, 0x42, 0xf8, 0x7a, - 0xc8, 0xbe, 0x6f, 0xdb, 0xec, 0x16, 0xb2, 0x76, 0x84, 0x2c, 0x6e, 0x20, 0xd1, 0xbd, 0xd5, 0x90, - 0x22, 0x0a, 0x90, 0x5c, 0x70, 0x47, 0xc9, 0x2d, 0xe3, 0x77, 0x74, 0xfd, 0xbb, 0x85, 0x1a, 0xd8, - 0x5c, 0x38, 0x94, 0x4c, 0x83, 0x28, 0x23, 0xa5, 0x4f, 0x55, 0x5f, 0xe3, 0x42, 0x80, 0x10, 0xd4, - 0xa5, 0x8d, 0xcf, 0x8b, 0x53, 0x69, 0x6d, 0xc5, 0x37, 0xd2, 0xfa, 0xbb, 0xc0, 0x5a, 0xab, 0x6f, - 0x71, 0x37, 0x92, 0xd4, 0x90, 0xef, 0x5d, 0xf1, 0xc3, 0xb8, 0x64, 0x08, 0xd3, 0xba, 0x36, 0x69, - 0x2b, 0x00, 0xed, 0xad, 0x36, 0x21, 0x38, 0xdf, 0x4a, 0xc6, 0x44, 0xc4, 0x6b, 0xd8, 0xb0, 0x7f, - 0x67, 0x05, 0xaa, 0x6f, 0x9e, 0x8a, 0xf1, 0x81, 0x95, 0x99, 0xb9, 0x56, 0xf4, 0x73, 0xa7, 0xb4, - 0x19, 0xb9, 0x4b, 0xb8, 0x1d, 0x10, 0xa5, 0x88, 0x7c, 0x39, 0xa3, 0x85, 0xe7, 0xba, 0x65, 0x86, - 0xca, 0xf7, 0x0e, 0xe0, 0x0d, 0x73, 0x3f, 0xea, 0x98, 0x88, 0x58, 0x73, 0xfa, 0x68, 0x5b, 0xaa, - 0x8c, 0xfd, 0x3e, 0x22, 0x3e, 0x92, 0xc7, 0xe2, 0x77, 0x14, 0x81, 0xe6, 0xd9, 0xdc, 0xc1, 0xe9, - 0xc0, 0x06, 0x57, 0xb4, 0xca, 0xb6, 0x14, 0x15, 0x16, 0x80, 0x7e, 0xc5, 0x11, 0xa4, 0x05, 0x66, - 0xad, 0x1d, 0xa3, 0xb6, 0xab, 0x2a, 0xbe, 0xd0, 0x52, 0x4e, 0x9e, 0x84, 0x61, 0x6b, 0xf4, 0x34, - 0x23, 0x94, 0x24, 0xc6, 0xc8, 0xb0, 0x94, 0x22, 0x4c, 0x3b, 0xac, 0x85, 0xe3, 0xd4, 0xf7, 0x38, - 0xe5, 0x9a, 0x76, 0xb3, 0x1b, 0xf0, 0xbc, 0x78, 0xc6, 0x6f, 0x11, 0xb3, 0x1a, 0x5c, 0x4f, 0x07, - 0x52, 0x06, 0x92, 0x7a, 0x25, 0x86, 0x91, 0x71, 0x8a, 0xf4, 0x03, 0xce, 0x19, 0x0d, 0xfc, 0xde, - 0x8f, 0xc9, 0x4e, 0x84, 0xf1, 0x17, 0x18, 0x6f, 0x37, 0x56, 0xb9, 0x76, 0x7e, 0x8f, 0xca, 0xde, - 0xd4, 0x1b, 0x2d, 0x8d, 0xcf, 0x12, 0x9f, 0xf9, 0xb9, 0x8b, 0x82, 0x8f, 0x4d, 0xb7, 0x63, 0x26, - 0x8d, 0xda, 0x35, 0x94, 0x18, 0xf9, 0x55, 0xca, 0x39, 0x09, 0xe9, 0x62, 0xe1, 0x00, 0xd8, 0x67, - 0xed, 0x5e, 0x84, 0xc2, 0xe5, 0x8e, 0x46, 0x57, 0xa4, 0xa7, 0x17, 0x70, 0xcf, 0x6d, 0xdf, 
0x43, - 0x64, 0x2b, 0x36, 0xe6, 0xf3, 0xc1, 0x4c, 0x7a, 0x7e, 0x9e, 0x47, 0xc4, 0x14, 0x82, 0xbe, 0x94, - 0x73, 0x54, 0xd0, 0x2c, 0xc2, 0x31, 0xc6, 0xd5, 0xc3, 0xd7, 0xa9, 0xef, 0x11, 0x24, 0x2f, 0xd0, - 0x5b, 0xb8, 0x6a, 0x8e, 0x3c, 0xb7, 0x4b, 0x00, 0x9b, 0xc1, 0xca, 0x00, 0x6f, 0xd4, 0x73, 0x93, - 0x2e, 0x39, 0x37, 0x2a, 0x73, 0x44, 0x9b, 0x1b, 0x05, 0x1a, 0x7c, 0x2f, 0xc9, 0x2b, 0x37, 0xf3, - 0xcd, 0x8c, 0x4e, 0xc2, 0x7a, 0x6e, 0xd9, 0xd4, 0xf1, 0x8d, 0x6d, 0x07, 0x4b, 0xb5, 0x09, 0xb9, - 0x48, 0x55, 0xac, 0xc6, 0x7e, 0xbc, 0xc6, 0x76, 0xeb, 0x5f, 0x0f - -}; - -static NSDictionary* VerifyMessage(CFDataRef message, SecPolicyRef policy, CFDataRef cert_data) -{ - NSDictionary* result = nil; - - SecTrustRef trustRef = NULL; - CFDataRef payload = NULL; - CFArrayRef anchors = NULL; - OSStatus status = noErr; - SecCertificateRef aCertRef = NULL; - SecTrustResultType trust_result = kSecTrustResultRecoverableTrustFailure; - - if (NULL == message || NULL == policy || NULL == cert_data) - { - goto out; - } - - status = SecCMSVerifyCopyDataAndAttributes(message, NULL, policy, &trustRef, &payload, NULL); - if (noErr != status || NULL == trustRef || NULL == payload) - { - goto out; - } - - aCertRef = SecCertificateCreateWithData(NULL, cert_data); - if (NULL == aCertRef) - { - goto out; - } - - anchors = CFArrayCreate(kCFAllocatorDefault, (const void **)&aCertRef, 1, &kCFTypeArrayCallBacks); - if (NULL == anchors) - { - goto out; - } - - status = SecTrustSetAnchorCertificates(trustRef, anchors); - if (noErr != status) - { - goto out; - } - - status = SecTrustEvaluate(trustRef, &trust_result); - - if (noErr != status) - { - goto out; - } - - if (trust_result == kSecTrustResultUnspecified) - { - // Life is good and we got back the expected result. 
- - NSData* property_list_data = CFBridgingRelease(payload); - - NSPropertyListFormat format; - NSError* error = nil; - result = [NSPropertyListSerialization propertyListWithData:property_list_data options:0 format:&format error:&error]; - if (nil != error) - { - result = nil; - } - } - -out: - CFReleaseSafe(aCertRef) - CFReleaseSafe(anchors); - return result; -} - -/* ========================================================================== - Private Methods for the OTAServiceApp class - ========================================================================== */ -@interface OTAServiceApp (PrivateMethods) -- (void)processAssets:(NSArray*)assets; -- (BOOL)checkAssetVersions:(NSString *)assetDir; -- (BOOL)validateAsset:(NSString *)assetDir; -- (BOOL)validateDirectory:(NSString *)assetDir withFiles:(NSArray *)file_names; -- (NSDictionary *)decodeManifest:(NSData *)manifest_file_data; -- (BOOL)checkFileHash:(NSString *)file_path hash:(NSData *)hash; -- (BOOL)installAssetFiles:(NSString *)assetDir; -- (NSString*)getCurrentAssetDirectory; - -@end - -@implementation OTAServiceApp - -@synthesize file_list = _file_list; -@synthesize manifest_file_name = _manifest_file_name; -@synthesize asset_version_file_name = _asset_version_file_name; -@synthesize current_asset_version = _current_asset_version; -@synthesize next_asset_version = _next_asset_version; -@synthesize fileManager = _fileManager; -@synthesize current_asset_directory = _current_asset_directory; -@synthesize assets_directory = _assets_directory; - -/* -------------------------------------------------------------------------- - OTAServiceApp init:withArguments: - - Initialize a new instance of the OTAServiceApp class - -------------------------------------------------------------------------- */ -- (id)init:(int)argc withArguments:(const char**)argv -{ - if ((self = [super init])) - { - _fileManager = [NSFileManager defaultManager]; - - _manifest_file_name = (NSString *)kManifestFileName; - 
_asset_version_file_name = (NSString *)kAssetVersionFileName; - _file_list = [NSArray arrayWithObjects:kBlockKeyFileName, kGrayListedKeysFileName, - kEVRootsFileName, kCertsIndexFileName, kCertsTableFileName, - kManifestFileName, kAssetVersionFileName, kAppleESCertificatesName, - kAllowListFileName, kCTLogsFileName, nil]; - - _current_asset_version = nil; - _next_asset_version = nil; - _assets_directory = nil; - _current_asset_directory = [self getCurrentAssetDirectory]; - - /* Default interval is one hour */ - _asset_query_retry_interval = 60.0 * 60; - _verbose = false; - - int ch; - while ((ch = getopt(argc, (char * const *)argv, "d:v")) != -1 ) - { - switch (ch) - { - case 'd': - { - char *endptr = NULL; - errno = 0; - CFTimeInterval interval = strtod(optarg, &endptr); - if ((interval == 0 && endptr == optarg) || errno == ERANGE) { - syslog(LOG_ERR, "invalid argument '%s', ignoring", optarg); - } else { - syslog(LOG_NOTICE, "Setting query retry interval to %f seconds", interval); - _asset_query_retry_interval = (CFTimeInterval)interval; - } - } - break; - case 'v': - syslog(LOG_NOTICE, "Enabling verbose logging"); - _verbose = true; - break; - default: - break; - } - } - - struct stat info; -#if NEW_LOCATION - if (stat([kBaseAssetDirectoryPath UTF8String], &info)) - { - OTAPKI_LOG("OTAServiceApp.init:withArguments: stat of %s failed\n", [kBaseAssetDirectoryPath UTF8String]); - - if (mkdir([kBaseAssetDirectoryPath UTF8String], kAssetDirectoryPermission)) - { - OTAPKI_LOG("OTAServiceApp.init:withArguments: mkdir of %s failed\n", [kBaseAssetDirectoryPath UTF8String]); - } - else - { - if (stat([kBaseAssetDirectoryPath UTF8String], &info)) - { - OTAPKI_LOG("OTAServiceApp.init:withArguments: second stat of %s failed\n", [kBaseAssetDirectoryPath UTF8String]); - } - } - } -#else - stat([kBaseAssetDirectoryPath UTF8String], &info); - - _uid = info.st_uid; - _gid = info.st_gid; -#endif - - } - - return self; -} - -#if !TARGET_IPHONE_SIMULATOR - -- 
(void)registerBackgroundTaskAgentJobWithDelay:(CFTimeInterval)delay -{ - /* - * ELEs are very important, so allow asset queries on any network type and - * construct the job so that it will fire as soon as possible, unless we are - * scheduling a retry after a failure. - */ - xpc_object_t job = xpc_dictionary_create(NULL, NULL, 0); - if (delay != 0) - { - xpc_dictionary_set_double(job, kBackgroundTaskAgentJobWindowStartTime, CFAbsoluteTimeGetCurrent() + delay); - } - xpc_dictionary_set_double(job, kBackgroundTaskAgentJobWindowEndTime, CFAbsoluteTimeGetCurrent() + BACKGROUND_TASK_AGENT_JOB_WINDOW_MAX_TIME_FROM_NOW_SEC); - xpc_dictionary_set_bool(job, kBackgroundTaskAgentNetworkRequired, true); - xpc_dictionary_set_bool(job, kBackgroundTaskAgentCellularAllowed, true); - xpc_dictionary_set_bool(job, kBackgroundTaskAgentAllowedDuringRoaming, true); - xpc_dictionary_set_bool(job, kBackgroundTaskAgentPowerOptLevel, kBackgroundTaskAgentPowerDontCare); - - if (_verbose) - { - char *desc = xpc_copy_description(job); - syslog(LOG_NOTICE, "Adding BTA job %s", desc); - free(desc); - } -#pragma GCC diagnostic push -#pragma GCC diagnostic ignored "-Wdeprecated-declarations" - BackgroundTaskAgentAddJob(kOTAPKIAssetToolBTAJob, job); -#pragma GCC diagnostic pop -} - -#endif - -/* -------------------------------------------------------------------------- - OTAServiceApp checkInWithActivity - - Check in with the XPC activity configured in OTAPKIAssetTool's launchd - plist. This activity will launch OTAPKIAssetTool every three days (with - some leeway decided by the system). At that time, we schedule a - BackgroundTaskAgent job to be notified immediately when the network is - available so we can perform an asset query. 
- -------------------------------------------------------------------------- */ -- (void)checkInWithActivity -{ -#if !TARGET_IPHONE_SIMULATOR -#pragma GCC diagnostic push -#pragma GCC diagnostic ignored "-Wdeprecated-declarations" - BackgroundTaskAgentInit("com.apple.OTAPKIAssetTool", dispatch_get_main_queue(), ^(const char *job_name, xpc_object_t job) - { - /* - * We're doing real work at this point, so open a transaction so - * that the system (hopefully) won't kill us while we're busy - */ - xpc_transaction_begin(); - - if (self->_verbose) - { - syslog(LOG_NOTICE, "BackgroundTaskAgent job %s fired", job_name); - } - - int64_t job_status = xpc_dictionary_get_int64(job, kBackgroundTaskAgentJobStatus); - if (job_status == kBackgroundTaskAgentJobRequestError) - { - syslog(LOG_ERR, "Failed to create BTA job -- malformed job?"); - } - else if (job_status == kBackgroundTaskAgentJobSatisfied) - { - if (self->_verbose) - { - syslog(LOG_NOTICE, "BTA job %s is satisfied -- performing asset query", job_name); - } - bool shouldReschedule = false; - if ([self run:&shouldReschedule] || !shouldReschedule) - { - if (self->_verbose) - { - syslog(LOG_NOTICE, "Unscheduling BTA job"); - } - BackgroundTaskAgentRemoveJob(kOTAPKIAssetToolBTAJob); - } - else - { - syslog(LOG_NOTICE, "Asset query failed due to network error. Re-scheduling BTA job for another attempt in %f seconds.", self->_asset_query_retry_interval); - [self registerBackgroundTaskAgentJobWithDelay:self->_asset_query_retry_interval]; - } - } - else if (job_status == kBackgroundTaskAgentJobUnsatisfied) - { - /* - * We will receive this if the job expires before we get to do our - * work. We still want to check for new assets as soon as possible, - * so reschedule the job. 
- */ - if (xpc_dictionary_get_bool(job, kBackgroundTaskAgentJobExpired)) - { - [self registerBackgroundTaskAgentJobWithDelay:0]; - } - } - - xpc_transaction_end(); - }); -#pragma GCC diagnostic pop -#endif - - xpc_activity_register(kOTAPKIAssetToolActivity, XPC_ACTIVITY_CHECK_IN, ^(xpc_activity_t activity) - { - xpc_activity_state_t state = xpc_activity_get_state(activity); - - if (self->_verbose) - { - xpc_object_t criteria = xpc_activity_copy_criteria(activity); - - if (criteria != NULL) - { - char *desc = xpc_copy_description(criteria); - syslog(LOG_NOTICE, "Criteria for XPC activity %s: %s", kOTAPKIAssetToolActivity, desc); - free(desc); - } - else - { - syslog(LOG_NOTICE, "No critera for XPC activity %s", kOTAPKIAssetToolActivity); - } - } - - if (state == XPC_ACTIVITY_STATE_CHECK_IN) - { - /* - * The activity is already configured in the launchd plist, so there - * is nothing to do here - */ - if (self->_verbose) - { - syslog(LOG_NOTICE, "Activity %s in check in state", kOTAPKIAssetToolActivity); - } - } - else if (state == XPC_ACTIVITY_STATE_RUN) - { -#if !TARGET_IPHONE_SIMULATOR -#pragma GCC diagnostic push -#pragma GCC diagnostic ignored "-Wdeprecated-declarations" - xpc_object_t job = BackgroundTaskAgentCopyJob(kOTAPKIAssetToolBTAJob); -#pragma GCC diagnostic pop - if (job == NULL) - { - syslog(LOG_NOTICE, "Activity %s in run state. Scheduling BTA job for earliest network availability.", kOTAPKIAssetToolActivity); - [self registerBackgroundTaskAgentJobWithDelay:0]; - } - else if (self->_verbose) - { - syslog(LOG_NOTICE, "Already have a BTA job registered. Ignoring activity."); - } -#else - /* - * BackgroundTaskAgent doesn't exist on the iOS simulator, so we - * just directly try to find and download new assets. - */ - xpc_transaction_begin(); - bool shouldReschedule = false; - if (![self run:&shouldReschedule]) { - syslog(LOG_NOTICE, "Asset query failed%s.", shouldReschedule ? 
" due to network issue" : ""); - } - xpc_transaction_end(); -#endif - } - }); -} - -/* -------------------------------------------------------------------------- - OTAServiceApp run - - Run this program and leave. This program will currently run every 3 days, - with some leeway based on network availability. That will provide the - longest time from publisihing a change in the PKI trust setting asset and - having that asset be consumed by a device. - - The program simnply ask the mobile asset daemon if there are any assets - to be processed with the PKITrustDataAssetType. If not this program - will just complete and will be re-run in 3 days. If there is an asset to - process then the asset will be process and then the program will complete. - - Returns false if the operation failed. On return, shouldReschedule is set - to true if the operation failed due to a network error and the caller - should reschedule this operation at a more opportune time. - -------------------------------------------------------------------------- */ -- (bool)run:(bool *)shouldReschedule -{ - @autoreleasepool - { - if (shouldReschedule != NULL) { - *shouldReschedule = false; - } - - syslog(LOG_NOTICE, "OTAPKIAssetTool running"); - if (![[MCProfileConnection sharedConnection] isOTAPKIUpdatesAllowed]) - { - syslog(LOG_NOTICE, "OTAPKIAssetTool: OTAPKI updates are not allowed."); - return false; - } - - ASAssetQuery *assetQuery = [[ASAssetQuery alloc] initWithAssetType:(NSString *)kPKITrustDataAssetType]; - if (assetQuery == nil) - { - syslog(LOG_NOTICE, "OTAPKIAssetTool: Could not create the asset query."); - return false; - } - - // Get the asset synchronously - NSError *error = nil; - NSArray *foundAssets = [assetQuery runQueryAndReturnError:&error]; - if (nil != foundAssets) - { - [self processAssets:foundAssets]; - } - else - { - syslog(LOG_NOTICE, "OTAPKIAssetTool: No assets returned from query: %s", [[error description] UTF8String]); - - NSArray *networkErrorCodes = @[ 
@(ASErrorNetwork), @(ASErrorNetworkNoConnection), @(ASErrorNetworkTimedOut), @(ASErrorNetworkUnexpectedResponse) ]; - if ([[error domain] isEqualToString:ASErrorDomain] && [networkErrorCodes containsObject:@([error code])]) - { - syslog(LOG_NOTICE, "OTAPKIAssetTool: Query failed due to network error."); - if (shouldReschedule != NULL) { - *shouldReschedule = true; - } - } - return false; - } - - return true; - } -} - -/* -------------------------------------------------------------------------- - OTAServiceApp processAssets: - - If when run is called asset(s) are found they will be processed here. - -------------------------------------------------------------------------- */ -- (void)processAssets:(NSArray*)assets -{ - if (nil == assets) - { - return; - } - - NSError* error = nil; - ASAsset* asset = nil; - int asset_version = 0; - - for (asset in assets) - { - NSDictionary* asset_attributes = asset.attributes; - - NSNumber* contentVersion = [asset_attributes objectForKey:@"ContentVersion"]; - OTAPKI_LOG("In processAssets: about to check the ContentVersion\n"); - if (nil != contentVersion) - { - asset_version = [contentVersion intValue]; - int current_asset_version_number = (nil != _current_asset_version) ? [_current_asset_version intValue] : 0; - - if (asset_version <= current_asset_version_number) - { - syslog(LOG_NOTICE, "OTAPKIAssetTool: content version %d is too small. 
Current asset version id %d", - asset_version, current_asset_version_number); - - OTAPKI_LOG("In processAssets: content version is too small: current asset version is %d\nContent version is %d\n", - current_asset_version_number, asset_version); - asset = nil; - continue; - } - } - - if (nil == asset) - { - syslog(LOG_NOTICE, "OTAPKIAssetTool: no suitable asset found"); - return; - } - - - // Check to see if the asset needs to be downloaded - if (asset.state == ASAssetStateNotPresent) - { - __block dispatch_semaphore_t sem = dispatch_semaphore_create(0); - - [asset setProgressHandler:^(NSDictionary *state, NSError *anError) - { - if (error != nil) - { - // An error occured. Signal the semaphore to bail - dispatch_semaphore_signal(sem); - } - else if ([[state objectForKey:@"Operation"] isEqualToString:(NSString *) @"OperationCompleted"]) - { - // The download is complete. Signal the semaphore - dispatch_semaphore_signal(sem); - } - }]; - - NSNumber* yesValue = [NSNumber numberWithBool:YES]; - const id keys[] = {ASDownloadOptionAllow3G, ASDownloadOptionAllow4G, ASDownloadOptionPriority, ASDownloadOptionAllowBatteryPower}; - const id values[] = {yesValue, yesValue, ASDownloadPriorityHigh, yesValue}; - - NSDictionary* options = [NSDictionary dictionaryWithObjects:values forKeys:keys count:(sizeof (keys) / sizeof(keys[0]))]; - - [asset beginDownloadWithOptions:options]; - dispatch_semaphore_wait(sem, DISPATCH_TIME_FOREVER); - } - - // Check to see if the asset is now available for processing - if ([asset state] == ASAssetStateInstalled) - { - // Get the asset data directory - NSString* assetDir = [[[asset localURL] URLByAppendingPathComponent:@"PKITrustData"] path]; - if (nil != assetDir) - { - // validate the asset. 
- OTAPKI_LOG("In processAssets: about to validateAsset\n"); - if ([self validateAsset:assetDir]) - { - OTAPKI_LOG("In processAssets: asset validated installing\n"); - // The asset is valid so install the files - [self installAssetFiles:assetDir]; - - // Signal securityd to idle-exit at it's next opportunity - OTAPKI_LOG("In processAssets: notifying securityd\n"); - int didUpdate = 0; - (void)SecTrustOTAPKIGetUpdatedAsset(&didUpdate); - syslog(LOG_NOTICE, "OTAPKIAssetTool: installed new asset %d", asset_version); - _current_asset_version = contentVersion; - } - else - { - syslog(LOG_NOTICE, "OTAPKIAssetTool: Asset %d did not validate", asset_version); - } - - // regaurdless if the asset is valid. Now that it is - // installed, it needs to be purged to ensure that - // we can retrieve a new updated asset. - [asset purgeAndReturnError:&error]; - } - else - { - syslog(LOG_NOTICE, "OTAPKIAssetTool: Asset directory %s not found", [assetDir UTF8String]); - } - } - } -} - -/* -------------------------------------------------------------------------- - OTAServiceApp checkAssetVersions: - - If when run is called asset(s) are found they will be processed here. 
- -------------------------------------------------------------------------- */ -- (BOOL)checkAssetVersions:(NSString *)assetDir -{ - BOOL result = NO; - - OTAPKI_LOG("Entering checkAssetVersions\n"); - - if (nil == assetDir || nil == self.current_asset_version) - { - OTAPKI_LOG("checkAssetVersions: parameter error\n"); - return result; - } - - // first get the new version number from the downloaded asset - NSString* next_asset_version_path = [assetDir stringByAppendingPathComponent:self.asset_version_file_name]; - if (![self.fileManager fileExistsAtPath:next_asset_version_path]) - { - // The asset is missing the AssertVersion.plist - // This is an invalid asset - OTAPKI_LOG("checkAssetVersions: could not file asseet version file %s\n", [self.asset_version_file_name UTF8String]); - return result; - } - - NSError* error = nil; - NSInputStream* input_stream = [NSInputStream inputStreamWithFileAtPath:next_asset_version_path]; - [input_stream open]; - NSDictionary* asset_dict = [NSPropertyListSerialization propertyListWithStream:input_stream options:0 format:nil error:&error]; - [input_stream close]; - - if (nil != error) - { - OTAPKI_LOG("checkAssetVersions: error reading asset version file: %s\n", [[error localizedDescription] UTF8String]); - return result; - } - - _next_asset_version = [asset_dict objectForKey:kVersionNumberKey]; - if (nil == _next_asset_version) - { - OTAPKI_LOG("asset_dict did not have a entry with a key of kVersionNumberKey\n"); - return result; - } - - // Check the current asset version against the new asset version. The new asset version MUST be larger than the - // current asset version - NSInteger current_asset_version_value = [self.current_asset_version integerValue]; - NSInteger next_asset_version_value = [self.next_asset_version integerValue]; - - if (next_asset_version_value <= current_asset_version_value) - { - OTAPKI_LOG("heckAssetVersions: assert version too small. 
current_asset_version_value = %d next_asset_version_value = %d\n", - current_asset_version_value, next_asset_version_value); - return result; - } - - return YES; -} - - -/* -------------------------------------------------------------------------- - OTAServiceApp validateAsset: - - Decode the manifest and verify the file hashes - -------------------------------------------------------------------------- */ -- (BOOL)validateAsset:(NSString *)assetDir -{ - BOOL result = NO; - - OTAPKI_LOG("Enterning validateAsset\n"); - - if (![self validateDirectory:assetDir withFiles:self.file_list]) - { - OTAPKI_LOG("validateAsset param\n"); - return result; - } - - NSString* manifest_file_path = [assetDir stringByAppendingPathComponent:self.manifest_file_name]; - NSError* error = nil; - NSData* manifest_file_data = [NSData dataWithContentsOfFile:manifest_file_path options:0 error:&error]; - if (nil != error) - { - OTAPKI_LOG("validateAsset: could not read manifest file. error = %s\n", [[error localizedDescription] UTF8String]); - return result; - } - - NSDictionary* manifest_data = [self decodeManifest:manifest_file_data]; - if (nil == manifest_data) - { - OTAPKI_LOG("validateAsset: decodeManifest failed!\n"); - return result; - } - - NSString* full_file_path = nil; - NSData* hash = nil; - for (NSString* file_name in self.file_list) - { - if ([file_name isEqualToString:self.manifest_file_name]) - { - continue; - } - - hash = [manifest_data objectForKey:file_name]; - if (nil == hash) - { - OTAPKI_LOG("validateAsset: could not get hash for file %s\n", [file_name UTF8String]); - return result; - } - - full_file_path = [assetDir stringByAppendingPathComponent:file_name]; - if (![self checkFileHash:full_file_path hash:hash]) - { - OTAPKI_LOG("validateAsset: hash for file %s does not match\n", [file_name UTF8String]); - return result; - } - } - - result = [self checkAssetVersions:assetDir]; - return result; -} - -/* 
-------------------------------------------------------------------------- - OTAServiceApp validateDirectory:withFiles: - - Ensure that a given directory has the files listed in the files_names - parameter - -------------------------------------------------------------------------- */ -- (BOOL)validateDirectory:(NSString *)assetDir withFiles:(NSArray *)file_names -{ - BOOL result = NO; - OTAPKI_LOG("Enterning validateDirectory\n"); - - if (nil == assetDir || nil == file_names) - { - OTAPKI_LOG("validateDirectory param error\n"); - return result; - } - NSError* error = nil; - NSArray* dir_items = [self.fileManager contentsOfDirectoryAtPath:assetDir error:&error]; - if (nil != error) - { - OTAPKI_LOG("validateDirectory: Error calling contentsOfDirectoryAtPath: error = %s\n", [[error localizedDescription] UTF8String]); - return result; - } - - for (NSString* file_name in file_names) - { - if (![dir_items containsObject:file_name]) - { - OTAPKI_LOG("validateDirectory: missing file %s\n", [file_name UTF8String]); - return result; - } - } - - return YES; -} - -/* -------------------------------------------------------------------------- - OTAServiceApp decodeManifest: - - Ensure that the asset manifest blob has it CMS signature verified - -------------------------------------------------------------------------- */ -- (NSDictionary *)decodeManifest:(NSData *)manifest_file_data -{ - NSDictionary* result = nil; - CFDataRef cert_data = NULL; - CFDataRef message = NULL; - SecPolicyRef policy = NULL; - CFBooleanRef mgResult = NULL; - - OTAPKI_LOG("Enterning decodeManifest\n"); - - if (nil == manifest_file_data) - { - OTAPKI_LOG("decodeManifest: parameter error\n"); - goto out; - } - - message = CFBridgingRetain(manifest_file_data); - - policy = SecPolicyCreateOTAPKISigner(); - if (NULL == policy) - { - OTAPKI_LOG("decodeManifest: could not get the SecPolicyCreateOTAPKISigner policyRef\n"); - goto out; - } - - cert_data = CFDataCreate(kCFAllocatorDefault, 
kApplePKISettingsRootCACert, sizeof(kApplePKISettingsRootCACert)); - if (NULL == cert_data) - { - OTAPKI_LOG("decodeManifest: could not kApplePKISettingsRootCACert data\n"); - goto out; - } - - result = VerifyMessage(message, policy, cert_data); - - if (NULL != result) - { - OTAPKI_LOG("decodeManifest: SecPolicyCreateOTAPKISigner success!\n"); - goto out; - } - - OTAPKI_LOG("decodeManifest: SecPolicyCreateOTAPKISigner failed! Checking to see if this is an internal build\n"); - - // The first attempt did not work so check to see if this is running on an internal build. - if (!MGIsQuestionValid(kMGQAppleInternalInstallCapability)) - { - OTAPKI_LOG("decodeManifest: kMGQAppleInternalInstallCapability had an error\n"); - goto out; - } - - mgResult = MGCopyAnswer(kMGQAppleInternalInstallCapability, NULL); - - if (NULL == mgResult || !CFEqual(mgResult, kCFBooleanTrue)) - { - OTAPKI_LOG("decodeManifest: Not an internal build"); - goto out; - } - - OTAPKI_LOG("decodeManifest: This is an internal build\n"); - - CFReleaseNull(policy); - CFReleaseNull(cert_data); - - policy = SecPolicyCreateTestOTAPKISigner(); - if (NULL == policy) - { - OTAPKI_LOG("decodeManifest: could not SecPolicyCreateTestOTAPKISigner policyRef\n"); - goto out; - } - - cert_data = CFDataCreate(kCFAllocatorDefault, kAppleTestPKISettingsRootCACert, sizeof(kAppleTestPKISettingsRootCACert)); - if (NULL == cert_data) - { - OTAPKI_LOG("decodeManifest: could not kAppleTestPKISettingsRootCACert data\n"); - goto out; - } - - result = VerifyMessage(message, policy, cert_data); - -out: - - CFReleaseSafe(mgResult); - CFReleaseSafe(message); - CFReleaseSafe(policy); - CFReleaseSafe(cert_data); - return result; -} - -/* -------------------------------------------------------------------------- - OTAServiceApp checkFileHash:hash: - - Ensure that the given asset file's hash is the same as in the manifest - -------------------------------------------------------------------------- */ -- (BOOL)checkFileHash:(NSString 
*)file_path hash:(NSData *)hash -{ - BOOL result = NO; - if (nil == file_path || nil == hash) - { - return result; - } - - NSError* error = nil; - NSData* file_data = [NSData dataWithContentsOfFile:file_path options:0 error:&error]; - if (nil != error) - { - return result; - } - - NSMutableData *digest = [NSMutableData dataWithLength:CC_SHA256_DIGEST_LENGTH]; - uint8_t *dp = (digest) ? [digest mutableBytes] : NULL; - if (NULL == dp) - { - return result; - } - - memset(dp, 0, CC_SHA256_DIGEST_LENGTH); - CCDigest(kCCDigestSHA256, - (const uint8_t *)[file_data bytes], - (size_t)[file_data length], dp); - - result = [hash isEqualToData:digest]; - - return result; -} - -/* -------------------------------------------------------------------------- - OTAServiceApp installAssetFiles: - - Copy over the files into the /var/Keychains/Assets directory. - -------------------------------------------------------------------------- */ -- (BOOL)installAssetFiles:(NSString *)assetDir -{ - BOOL result = NO; - - OTAPKI_LOG("Entering installAssetFiles\n"); - - if (nil == assetDir) - { - OTAPKI_LOG("installAssetFiles: parameter error\n"); - return result; - } - - if (nil == self.assets_directory) - { - OTAPKI_LOG("installAssetFiles: no assets directory\n"); - return result; - } - - // Create a temp directory to hold the new asset files. 
- NSString* tempDir = [self.assets_directory stringByAppendingPathComponent:@"TempAssetDir"]; - NSError* error = nil; - -#if NEW_LOCATION - id values[] = {[NSNumber numberWithUnsignedLong: kAssetDirectoryPermission]}; - id keys[] = {NSFilePosixPermissions}; - - NSDictionary* attributes = [NSDictionary dictionaryWithObjects:values forKeys:keys count:1]; -#else - struct passwd *user_info = getpwnam([kAssetDirectoryUser UTF8String]); - struct group *group_info = getgrnam([kAssetDirectoryGroup UTF8String]); - NSNumber* uid_num = [NSNumber numberWithUnsignedInt: user_info->pw_uid]; - NSNumber* gid_num = [NSNumber numberWithUnsignedInt: group_info->gr_gid]; - - id values[] = {uid_num, gid_num, [NSNumber numberWithUnsignedLong: kAssetDirectoryPermission]}; - id keys[] = {NSFileOwnerAccountID, NSFileGroupOwnerAccountID, NSFilePosixPermissions}; - - NSDictionary* attributes = [NSDictionary dictionaryWithObjects:values forKeys:keys count:3]; -#endif - - - if (![self.fileManager createDirectoryAtPath:tempDir withIntermediateDirectories:YES - attributes:attributes error:&error]) - { - OTAPKI_LOG("installAssetFiles: could not create directory %s\n", [tempDir UTF8String]); - return result; - } - -#ifndef NEW_LOCATION - // Copy all of the asset files to the newly created directory - for (NSString* file_name in self.file_list) - { - NSString* download_assert_path = [assetDir stringByAppendingPathComponent:file_name]; - NSString* asset_path = [tempDir stringByAppendingPathComponent:file_name]; - if ([self.fileManager copyItemAtPath:download_assert_path toPath:asset_path error:&error]) - { - chown([asset_path UTF8String], self.uid, self.gid); - } - else - { - [self.fileManager removeItemAtPath:tempDir error:nil]; - return result; - } - } -#endif // !NEW_LOCATION - - - // Now that all of the files have been copied to the temp directory make a single call - // to rename (move) the temp directory to be the correct version directory. 
This rename - // allow for reducing a race conditions between this asset code and securityd. - NSInteger new_version_value = [self.next_asset_version integerValue]; - NSString* new_version_dir_name = [NSString stringWithFormat:@"%@%ld", kVersionDirectoryNamePrefix, (long)new_version_value]; - NSString* new_version_dir_path = [self.assets_directory stringByAppendingPathComponent:new_version_dir_name]; - if (![self.fileManager moveItemAtPath:tempDir toPath:new_version_dir_path error:&error]) - { - OTAPKI_LOG("installAssetFiles: could not move path %s\n", [tempDir UTF8String]); - [self.fileManager removeItemAtPath:tempDir error:nil]; - return result; - } - - result = YES; - return result; -} - -/* -------------------------------------------------------------------------- - OTAServiceApp getCurrentAssetDirectory: - - Looks through the /var/Keychains/Assets directory to find latest asset - version directory. If no assets have been downloaded then nil is returned - and the current asset version is set to 0 - -------------------------------------------------------------------------- */ -- (NSString*)getCurrentAssetDirectory -{ - NSString* result = nil; - BOOL isDir = NO; - - OTAPKI_LOG("In getCurrentAssetDirectory\n"); - OTAPKI_LOG("getCurrentAssetDirectory: checking to see if %s exists\n", [kBaseAssetDirectoryPath UTF8String]); - - // Check to see if the base directory is there - if (![self.fileManager fileExistsAtPath:(NSString *)kBaseAssetDirectoryPath isDirectory:&isDir] || !isDir) - { - OTAPKI_LOG("getCurrentAssetDirectory: %s does not exists\n", [kBaseAssetDirectoryPath UTF8String]); - // This might be fatal - return result; - } - - NSError* error = nil; - NSInteger version_number = 0; - NSInteger current_version_number = 0; - int aVerNum = 0; - OSStatus err = noErr; - - _assets_directory = [kBaseAssetDirectoryPath stringByAppendingPathComponent:(NSString *)kAssetDirectoryName]; - - OTAPKI_LOG("getCurrentAssetDirectory: %s does exists\n", [self.assets_directory 
UTF8String]); - - if ([self.fileManager fileExistsAtPath:self.assets_directory isDirectory:&isDir] && isDir) - { - OTAPKI_LOG("getCurrentAssetDirectory: %s does exists\n", [self.assets_directory UTF8String]); - NSDirectoryEnumerator* dirEnum = [self.fileManager enumeratorAtPath:self.assets_directory]; - [dirEnum skipDescendents]; - - for (NSString* file in dirEnum) - { - if ([file hasPrefix:(NSString *)kVersionDirectoryNamePrefix]) - { - NSString* version_str = [file substringFromIndex:[kVersionDirectoryNamePrefix length]]; - NSInteger aVersion_number = [version_str integerValue]; - if (aVersion_number > version_number) - { - version_number = aVersion_number; - } - } - } - } - else - { -#if NEW_LOCATION - id values[] = {[NSNumber numberWithUnsignedLong: kAssetDirectoryPermission]}; - id keys[] = {NSFilePosixPermissions}; - - NSDictionary* attributes = [NSDictionary dictionaryWithObjects:values forKeys:keys count:1]; -#else - - struct passwd *user_info = getpwnam([kAssetDirectoryUser UTF8String]); - struct group *group_info = getgrnam([kAssetDirectoryGroup UTF8String]); - NSNumber* uid_num = [NSNumber numberWithUnsignedInt: user_info->pw_uid]; - NSNumber* gid_num = [NSNumber numberWithUnsignedInt: group_info->gr_gid]; - - id values[] = {uid_num, gid_num, [NSNumber numberWithUnsignedLong: kAssetDirectoryPermission]}; - id keys[] = {NSFileOwnerAccountID, NSFileGroupOwnerAccountID, NSFilePosixPermissions}; - NSDictionary* attributes = [NSDictionary dictionaryWithObjects:values forKeys:keys count:3]; -#endif - OTAPKI_LOG("getCurrentAssetDirectory: %s does NOT exists\n", [self.assets_directory UTF8String]); - OTAPKI_LOG("getCurrentAssetDirectory: creating %s\n", [self.assets_directory UTF8String]); - - if (![self.fileManager createDirectoryAtPath:self.assets_directory withIntermediateDirectories:YES - attributes:attributes error:&error]) - { - OTAPKI_LOG("getCurrentAssetDirectory: failed to create %s\n", [self.assets_directory UTF8String]); - return result; - } - - } - - 
err = SecTrustGetOTAPKIAssetVersionNumber(&aVerNum); - if (errSecSuccess == err && aVerNum > 0) - { - current_version_number = aVerNum; - } - - if (version_number < current_version_number) - { - OTAPKI_LOG("The largest OTA version number is smaller than the current version number. This means the system has a newer asset\n"); - version_number = current_version_number; - } - else - { - OTAPKI_LOG("The largest OTA version number is equal to the current version number. The OTA asset is newer than the system asset\n"); - NSString* version_dir_name = [NSString stringWithFormat:@"%@%ld", kVersionDirectoryNamePrefix, (long)version_number]; - result = [self.assets_directory stringByAppendingPathComponent:version_dir_name]; - } - - OTAPKI_LOG("getCurrentAssetDirectory: setting version number to %d\n", version_number); - _current_asset_version = [NSNumber numberWithInteger:version_number]; - return result; -} - -@end diff --git a/OTAPKIAssetTool/OTAServicemain.m b/OTAPKIAssetTool/OTAServicemain.m deleted file mode 100644 index 02714a7b..00000000 --- a/OTAPKIAssetTool/OTAServicemain.m +++ /dev/null 
@@ -1,50 +0,0 @@
-/*
- * Copyright (c) 2012-2014 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-/* ==========================================================================
- main for the OTAService for iOS securityd
- ========================================================================== */
-
-#import
-#import
-#import
-
-#import "OTAServiceApp.h"
-
-int main(int argc, const char * argv[])
-{
- // OTAServiceApp
- @autoreleasepool
- {
- OTAServiceApp* ota_service_application = [[OTAServiceApp alloc] init:argc withArguments:argv];
- [ota_service_application checkInWithActivity];
-
- /* Spin a runloop so events can be delivered */
- CFRunLoopRun();
- }
-
- return 0;
-}
-
-
-
diff --git a/OTAPKIAssetTool/com.apple.OTAPKIAssetTool.plist b/OTAPKIAssetTool/com.apple.OTAPKIAssetTool.plist
deleted file mode 100644
index cf161728..00000000
--- a/OTAPKIAssetTool/com.apple.OTAPKIAssetTool.plist
+++ /dev/null
@@ -1,37 +0,0 @@ - - - - - EnablePressuredExit - - EnableTransactions - - POSIXSpawnType - Adaptive - Label - com.apple.OTAPKIAssetTool - ProgramArguments - - /usr/libexec/OTAPKIAssetTool - - Umask - 18 - UserName - _securityd - LaunchEvents - - com.apple.xpc.activity - - com.apple.OTAPKIAssetTool.asset-check - - Priority - Utility - Interval - 259200 - GracePeriod - 3600 - - - - - diff --git a/RegressionTests/Security.plist b/RegressionTests/Security.plist index 9542400f..4db898f3 100644 --- a/RegressionTests/Security.plist +++ b/RegressionTests/Security.plist @@ -137,6 +137,15 @@ EligibleResource NOT (cpuArchitecture BEGINSWITH 'arm') + + TestName + KeychainAnalytics + Command + + BATS_XCTEST_CMD + /AppleInternal/XCTests/com.apple.security/KeychainAnalyticsTests.xctest + + diff --git a/RegressionTests/secitemfunctionality/secitemfunctionality.m b/RegressionTests/secitemfunctionality/secitemfunctionality.m index 96384f8b..59650cbb 100644 --- a/RegressionTests/secitemfunctionality/secitemfunctionality.m +++ b/RegressionTests/secitemfunctionality/secitemfunctionality.m @@ -526,6 +526,10 @@ CheckFindIdentityByReference(void) */ CFRelease(pref); + if(identity) { + CFRelease(identity); + identity = NULL; + } printf("[PASS] %s\n", __FUNCTION__); } diff --git a/SOSCCAuthPlugin/SOSCCAuthPlugin.m b/SOSCCAuthPlugin/SOSCCAuthPlugin.m index 0de5cbcd..e6dd747a 100644 --- a/SOSCCAuthPlugin/SOSCCAuthPlugin.m +++ b/SOSCCAuthPlugin/SOSCCAuthPlugin.m @@ -13,11 +13,18 @@ #import #import #import +#import +#import #import #import "utilities/SecCFRelease.h" #import "utilities/debugging.h" +#if !TARGET_OS_SIMULATOR +SOFT_LINK_FRAMEWORK(PrivateFrameworks, AuthKit); +SOFT_LINK_CLASS(AuthKit, AKAccountManager); +#endif + @implementation SOSCCAuthPlugin - (void) didReceiveAuthenticationResponseParameters: (NSDictionary *) parameters 
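Review bot: In the secitemfunctionality.m hunk (`@@ -526,6 +526,10 @@`, CheckFindIdentityByReference), the new `identity` release is written out by hand as a guard, a release and a reset, and it sits only on the path that reaches the `[PASS]` print. If `utilities/SecCFRelease.h` is available to this test target (not visible here), the three lines collapse to `CFReleaseNull(identity);`, which matches how other files in this tree release optional CF references. The function body starts outside the hunk, so whether any earlier exit still leaves `identity` retained cannot be judged from here and is worth a look.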
@@ -40,7 +47,21 @@ do_auth = [account aa_isPrimaryAccount]; } - ACLogNotice(@"do_auth %@", do_auth ? @"YES" : @"NO" ); +#if !TARGET_OS_SIMULATOR + // If this is an HSA2 account let cdpd SetCreds + AKAccountManager *manager = [getAKAccountManagerClass() sharedInstance]; + if(manager != nil) { + AKAppleIDSecurityLevel securityLevel = [manager securityLevelForAccount: account]; + if(securityLevel == AKAppleIDSecurityLevelHSA2) { + secnotice("accounts", "Not performing SOSCCSetUserCredentialsAndDSID in accountsd plugin since we're HSA2" ); + do_auth = NO; + } + } else { + secnotice("accounts", "Couldn't softlink AKAccountManager - proceeding with do_auth = %@", do_auth ? @"YES" : @"NO"); + } +#endif + + secnotice("accounts", "do_auth %@", do_auth ? @"YES" : @"NO" ); if (do_auth) { CFErrorRef authError = NULL; diff --git a/Security.exp-in b/Security.exp-in index e9c748cc..de4daeb6 100644 --- a/Security.exp-in +++ b/Security.exp-in @@ -4,23 +4,9 @@ #include "Security/SecAccessControlExports.exp-in" #include "Security/SecureObjectSync/SOSExports.exp-in" -#if TARGET_OS_OSX #include "CSSMOID.exp-in" -#endif -#if TARGET_OS_IPHONE -_CSSMOID_MD5WithRSA -_CSSMOID_SHA1 -_CSSMOID_SHA1WithRSA -_CSSMOID_SHA256WithRSA -_CSSMOID_SHA384WithRSA -_CSSMOID_ECDSA_WithSHA1 -_CSSMOID_ECDSA_WithSHA256 -_CSSMOID_ECDSA_WithSHA384 -_CSSMOID_PKCS5_HMAC_SHA1 -#endif #if TARGET_OS_IPHONE -_DEROidCompare _NtlmCreateClientRequest _NtlmCreateClientResponse __NtlmCreateClientResponse @@ -29,9 +15,21 @@ _NtlmGeneratorCreate _NtlmGeneratorRelease _NtlmGetNegotiatedVersion _OID_PKIX_OCSP_BASIC +_OID_PKIX_OCSP +_OID_PKIX_OCSP_ARCHIVE_CUTOFF +_OID_PKIX_OCSP_CRL +_OID_PKIX_OCSP_NOCHECK +_OID_PKIX_OCSP_NONCE +_OID_PKIX_OCSP_RESPONSE +_OID_PKIX_OCSP_SERVICE_LOCATOR _OID_GOOGLE_OCSP_SCT #endif +_SSLSetALPNProtocols +_SSLCopyALPNProtocols +__SSLProtocolVersionToWireFormatValue +_SSLSetECDSACurves + #if TARGET_OS_IPHONE _SSLAddDistinguishedName _SSLClose 
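Review bot: In the SOSCCAuthPlugin.m hunk (`@@ -40,7 +47,21 @@`), the `manager == nil` branch fails open: when the security level cannot be determined, the earlier `do_auth` decision stands and an HSA2 account would still go through the credential-setting path that the new check is meant to leave to cdpd. If that is the intended fallback, say so in the branch, e.g. `// AuthKit unavailable: security level unknown, keep the legacy do_auth decision`. The log text also blames the soft link for every nil, although `sharedInstance` returning nil takes the same branch; testing `getAKAccountManagerClass() == nil` separately would keep the message accurate. The enclosing method starts and ends outside the hunk.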
@@ -49,6 +47,9 @@ _SSLGetClientSideAuthenticate _SSLGetConnection _SSLGetDatagramWriteSize _SSLGetEnabledCiphers +_SSLSetError +_SSLSetOCSPResponse +_SSLSetSessionTicketsEnabled _SSLGetEncryptionCertificate _SSLGetMaxDatagramRecordSize _SSLGetMinimumDHGroupSize @@ -84,8 +85,6 @@ _SSLGetNPNData _SSLSetALPNData _SSLSetALPNFunc _SSLGetALPNData -_SSLSetALPNProtocols -_SSLCopyALPNProtocols _SSLCopyRequestedPeerName _SSLCopyRequestedPeerNameLength _SSLSetAllowAnonymousCiphers @@ -93,7 +92,6 @@ _SSLSetCertificate _SSLSetClientSideAuthenticate _SSLSetConnection _SSLSetDatagramHelloCookie -_SSLSetECDSACurves _SSLSetEnabledCiphers _SSLSetEncryptionCertificate _SSLSetIOFuncs @@ -154,10 +152,23 @@ __SSLSetRsaBlinding __SSLSetTrustedRoots #endif // TARGET_OS_IPHONE -#if TARGET_OS_OSX // // libsecurity_ssl // + +_SSLGetNumberOfECDSACurves +_SSLGetECDSACurves +_SSLGetNumberOfClientAuthTypes +_SSLGetNegotiatedClientAuthType +_SSLGetClientAuthTypes + +#if TARGET_OS_IPHONE +__SSLCopyCertificateAuthorities +__SSLCopyTrustedRoots +__SSLSetCertificateAuthorities +#endif + +#if TARGET_OS_OSX _SSLAddDistinguishedName _SSLClose _SSLContextGetTypeID @@ -174,6 +185,9 @@ _SSLGetConnection _SSLGetDiffieHellmanParams _SSLGetEnableCertVerify _SSLGetEnabledCiphers +_SSLSetError +_SSLSetOCSPResponse +_SSLSetSessionTicketsEnabled _SSLGetNegotiatedCipher _SSLGetNegotiatedProtocolVersion _SSLGetNumberEnabledCiphers @@ -185,6 +199,7 @@ _SSLGetPeerDomainName _SSLGetPeerDomainNameLength _SSLGetPeerID _SSLGetPeerSecTrust +_SSLGetPSKIdentity _SSLGetProtocolVersion _SSLGetProtocolVersionEnabled _SSLGetProtocolVersionMax @@ -250,12 +265,6 @@ _SSLCopyDistinguishedNames _SSLSetCertificateAuthorities _SSLCopyCertificateAuthorities _SSLGetNegotiatedCurve -_SSLGetNumberOfECDSACurves -_SSLGetECDSACurves -_SSLSetECDSACurves -_SSLGetNumberOfClientAuthTypes -_SSLGetClientAuthTypes -_SSLGetNegotiatedClientAuthType _SSLGetNumberOfSignatureAlgorithms _SSLGetSignatureAlgorithms _SSLNewDatagramContext 
@@ -301,8 +310,26 @@ _SecAbsoluteTimeFromDateContent _CKKSSetupControlProtocol #if TARGET_OS_IPHONE || (TARGET_OS_OSX && __x86_64__) _OBJC_CLASS_$_CKKSControl +_OBJC_CLASS_$_SecuritydXPCClient +#else +.objc_class_name_CKKSControl +.objc_class_name_SecuritydXPCClient #endif + +#if __OBJC2__ && (TARGET_OS_IPHONE || (TARGET_OS_OSX && __x86_64__)) +_OBJC_CLASS_$_SFTransactionMetric +#endif //__OBJC2__ && IPHONE || OSX + +_OTSetupControlProtocol +_OTDefaultContext +#if TARGET_OS_IPHONE || (TARGET_OS_OSX && __x86_64__) +_OBJC_CLASS_$_OTControl _OBJC_CLASS_$_SecuritydXPCClient +#else +.objc_class_name_OTControl +.objc_class_name_SecuritydXPCClient +#endif + _SecAccessGroupsGetCurrent _SecAccessGroupsSetCurrent _SecSecurityClientGet @@ -313,6 +340,7 @@ _securityd_send_sync_and_do #if TARGET_OS_IOS _SecSecuritySetMusrMode #endif +__SecSetSecuritydTargetUID _SecDERItemCopyOIDDecimalRepresentation _SecDigestCreate @@ -320,12 +348,12 @@ _SecDigestCreate _SecFrameworkCopyResourceContents _SecFrameworkCopyResourceURL #endif +_SecCopyErrorMessageString _SecPKCS12Import _SecRandomCopyBytes #if TARGET_OS_IPHONE _SecSHA1DigestCreate -_SecSHA256DigestCreateFromData #endif _SecTaskCopySigningIdentifier _SecTaskCopyValueForEntitlement @@ -334,9 +362,7 @@ _SecTaskCreateFromSelf _SecTaskCreateWithAuditToken _SecTaskGetCodeSignStatus _SecTaskGetTypeID -#if TARGET_OS_OSX _SecTaskEntitlementsValidated -#endif _kSecRandomDefault @@ -387,6 +413,7 @@ _CMSEncoderSetEncoder _CMSEncoderAddSignedAttributes _CMSEncoderSetSigningTime _CMSEncoderSetAppleCodesigningHashAgility +_CMSEncoderSetAppleCodesigningHashAgilityV2 _CMSEncoderSetCertificateChainMode _CMSEncoderGetCertificateChainMode _CMSEncoderUpdateContent @@ -416,6 +443,7 @@ _CMSDecoderCopySignerTimestampCertificates _CMSEncoderCopySignerTimestamp _CMSEncoderCopySignerTimestampWithPolicy _CMSDecoderCopySignerAppleCodesigningHashAgility +_CMSDecoderCopySignerAppleCodesigningHashAgilityV2 #endif // TARGET_OS_OSX #if TARGET_OS_OSX 
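Review bot: In the Security.exp-in hunk `@@ -301,8 +310,26 @@`, the new side exports `_OBJC_CLASS_$_SecuritydXPCClient` twice under the same condition, once added inside the CKKSControl `#if` block and once as the surviving context line now inside the OTControl block, and `.objc_class_name_SecuritydXPCClient` is likewise added to both `#else` branches. Whether the linker tolerates a repeated entry in the generated export list is not visible from this page, but the duplication makes later edits error-prone. Listing the class once, in a block of its own with the same `#if`/`#else` condition, would keep the CKKS and OT sections independent of it.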
@@ -661,6 +689,7 @@ _SecTransformExecute _SecTransformExecuteAsync _SecNullTransformCreate _SecDigestTransformCreate +_SecDigestTransformGetTypeID _SecCreateMaskGenerationFunctionTransform _SecTransformCreate _SecTransformRegister @@ -683,6 +712,9 @@ _SecGroupTransformHasMember _kSecDigestTypeAttribute _kSecDigestLengthAttribute _kSecOAEPEncodingParametersAttributeName +_kSecOAEPMessageLengthAttributeName +_kSecOAEPMGF1DigestAlgorithmAttributeName +_kSecNullTransformName _kSecTransformInputAttributeName _kSecTransformDebugAttributeName _kSecTransformOutputAttributeName @@ -703,7 +735,9 @@ _kSecPaddingKey _kSecIVKey _kSecEncryptionMode _SecEncryptTransformCreate +_SecEncryptTransformGetTypeID _SecDecryptTransformCreate +_SecDecryptTransformGetTypeID _SecDecodeTransformCreate _SecEncodeTransformCreate _SecSignTransformCreate @@ -726,6 +760,7 @@ _kSecTransformActionProcessData _SecTransformSetAttributeAction _SecGroupTransformFindLastTransform _SecGroupTransformFindMonitor +_SecTransformConnectTransformsInternal _SecTransformDisconnectTransforms _SecTransformDotForDebugging _SecCreateCollectTransform @@ -773,10 +808,12 @@ _MDS_InstallFile _MDS_RemoveSubservice #endif // TARGET_OS_OSX -#if TARGET_OS_OSX // // libsecurity_keychain // + +#if TARGET_OS_OSX +_ConvertArrayToKeyUsage _SecACLCopyAuthorizations _SecACLCopyContents _SecACLCopySimpleContents @@ -799,7 +836,6 @@ _SecAccessCreateWithOwnerAndACL _SecAccessCreateWithTrustedApplications _SecAccessGetOwnerAndACL _SecAccessGetTypeID -_SecCopyErrorMessageString _SecCreateRecoveryPassword _SecDigestGetData _SecFDERecoveryUnwrapCRSKWithPrivKey @@ -825,11 +861,13 @@ _SecIdentityUpdatePreferenceItem _SecInferLabelFromX509Name _SecItemAdd_ios _SecItemCopyMatching_ios + _SecItemCopyParentCertificates_osx +_SecItemParentCachePurge + _SecItemCopyStoredCertificate -#if TARGET_OS_OSX _SecItemCreateFromAttributeDictionary_osx -#endif +_SecItemDeleteAll _SecItemDelete_ios _SecItemExport _SecItemImport 
@@ -843,6 +881,7 @@ _SecKeychainAttemptMigrationWithMasterKey _SecKeychainAttributeInfoForItemID _SecKeychainChangeKeyStorePassphrase _SecKeychainChangePassword +_SecKeychainCleanupHandles _SecKeychainCopyAccess _SecKeychainCopyBlob _SecKeychainCopyDefault @@ -953,13 +992,14 @@ _SecKeychainVerifyKeyStorePassphrase _SecPasswordAction _SecPasswordSetInitialAccess _SecRandomCopyData -_SecSHA256DigestCreateFromData _SecUnwrapRecoveryPasswordWithAnswers _SecWrapRecoveryPasswordWithAnswers __SecItemGetPersistentReference _cssmErrorString _cssmPerror _kSecACLAuthorizationAny +_kSecACLAuthorizationChangeACL +_kSecACLAuthorizationChangeOwner _kSecACLAuthorizationDecrypt _kSecACLAuthorizationDelete _kSecACLAuthorizationDerive @@ -1008,6 +1048,11 @@ _kSecOIDAPPLE_EXTENSION_ADC_APPLE_SIGNING _kSecOIDAPPLE_EXTENSION_ADC_DEV_SIGNING _kSecOIDAPPLE_EXTENSION_APPLE_SIGNING _kSecOIDAPPLE_EXTENSION_CODE_SIGNING +_kSecOIDAPPLE_EXTENSION_AAI_INTERMEDIATE +_kSecOIDAPPLE_EXTENSION_APPLEID_INTERMEDIATE +_kSecOIDAPPLE_EXTENSION_INTERMEDIATE_MARKER +_kSecOIDAPPLE_EXTENSION_WWDR_INTERMEDIATE +_kSecOIDAPPLE_EXTENSION_ITMS_INTERMEDIATE _kSecOIDAuthorityInfoAccess _kSecOIDAuthorityKeyIdentifier _kSecOIDBasicConstraints @@ -1129,6 +1174,9 @@ _kSecUseKeychain // libsecurity_asn1 // _SecAsn1OidCompare + +_SecASN1PrintableString +_SecASN1UTF8String #if TARGET_OS_IPHONE _SecAsn1CoderCreate _SecAsn1CoderRelease 
@@ -1143,6 +1191,101 @@ _kSecAsn1OCSPResponseDataTemplate _kSecAsn1OCSPResponseTemplate _kSecAsn1OCSPSignedRequestTemplate _kSecAsn1OctetStringTemplate + +_kSecAsn1AnyTemplate +_kSecAsn1BMPStringTemplate +_kSecAsn1BitStringTemplate +_kSecAsn1BooleanTemplate +_kSecAsn1EnumeratedTemplate +_kSecAsn1GeneralizedTimeTemplate +_kSecAsn1IA5StringTemplate +_kSecAsn1IntegerTemplate +_kSecAsn1NullTemplate +_kSecAsn1ObjectIDTemplate +_kSecAsn1PointerToAnyTemplate +_kSecAsn1PointerToBMPStringTemplate +_kSecAsn1PointerToBitStringTemplate +_kSecAsn1PointerToBooleanTemplate +_kSecAsn1PointerToEnumeratedTemplate +_kSecAsn1PointerToGeneralizedTimeTemplate +_kSecAsn1PointerToIA5StringTemplate +_kSecAsn1PointerToIntegerTemplate +_kSecAsn1PointerToNullTemplate +_kSecAsn1PointerToObjectIDTemplate +_kSecAsn1PointerToOctetStringTemplate +_kSecAsn1PointerToPrintableStringTemplate +_kSecAsn1PointerToT61StringTemplate +_kSecAsn1PointerToTeletexStringTemplate +_kSecAsn1PointerToUTCTimeTemplate +_kSecAsn1PointerToUTF8StringTemplate +_kSecAsn1PointerToUniversalStringTemplate +_kSecAsn1PointerToVisibleStringTemplate +_kSecAsn1PrintableStringTemplate +_kSecAsn1SequenceOfAnyTemplate +_kSecAsn1SequenceOfBMPStringTemplate +_kSecAsn1SequenceOfBitStringTemplate +_kSecAsn1SequenceOfBooleanTemplate +_kSecAsn1SequenceOfEnumeratedTemplate +_kSecAsn1SequenceOfGeneralizedTimeTemplate +_kSecAsn1SequenceOfIA5StringTemplate +_kSecAsn1SequenceOfIntegerTemplate +_kSecAsn1SequenceOfNullTemplate +_kSecAsn1SequenceOfObjectIDTemplate +_kSecAsn1SequenceOfOctetStringTemplate +_kSecAsn1SequenceOfPrintableStringTemplate +_kSecAsn1SequenceOfT61StringTemplate +_kSecAsn1SequenceOfTeletexStringTemplate +_kSecAsn1SequenceOfUTCTimeTemplate +_kSecAsn1SequenceOfUTF8StringTemplate +_kSecAsn1SequenceOfUniversalStringTemplate +_kSecAsn1SequenceOfVisibleStringTemplate +_kSecAsn1SetOfAnyTemplate +_kSecAsn1SetOfBMPStringTemplate +_kSecAsn1SetOfBitStringTemplate +_kSecAsn1SetOfBooleanTemplate +_kSecAsn1SetOfEnumeratedTemplate 
+_kSecAsn1SetOfGeneralizedTimeTemplate +_kSecAsn1SetOfIA5StringTemplate +_kSecAsn1SetOfIntegerTemplate +_kSecAsn1SetOfNullTemplate +_kSecAsn1SetOfObjectIDTemplate +_kSecAsn1SetOfOctetStringTemplate +_kSecAsn1SetOfPrintableStringTemplate +_kSecAsn1SetOfT61StringTemplate +_kSecAsn1SetOfTeletexStringTemplate +_kSecAsn1SetOfUTCTimeTemplate +_kSecAsn1SetOfUTF8StringTemplate +_kSecAsn1SetOfUniversalStringTemplate +_kSecAsn1SetOfVisibleStringTemplate +_kSecAsn1SkipTemplate +_kSecAsn1T61StringTemplate +_kSecAsn1TeletexStringTemplate +_kSecAsn1UTCTimeTemplate +_kSecAsn1UTF8StringTemplate +_kSecAsn1UniversalStringTemplate +_kSecAsn1UnsignedIntegerTemplate +_kSecAsn1VisibleStringTemplate + +_SecAsn1AllocCopy +_SecAsn1AllocCopyItem +_SecAsn1AllocItem +_SecAsn1Decode +_SecAsn1Malloc + +_kSecAsn1OCSPCertIDTemplate +_kSecAsn1OCSPCertStatusGoodTemplate +_kSecAsn1OCSPCertStatusUnknownTemplate +_kSecAsn1OCSPDRepliesTemplate +_kSecAsn1OCSPDReplyTemplate +_kSecAsn1OCSPDRequestTemplate +_kSecAsn1OCSPDRequestsTemplate +_kSecAsn1OCSPRequestTemplate +_kSecAsn1OCSPResponseBytesTemplate +_kSecAsn1OCSPRevokedInfoTemplate +_kSecAsn1OCSPSignatureTemplate +_kSecAsn1OCSPSingleResponseTemplate +_kSecAsn1OCSPTbsRequestTemplate + #elif TARGET_OS_OSX _PORT_FreeArena _PORT_NewArena @@ -1196,6 +1339,7 @@ _kSecAsn1DistPointFullNameTemplate _kSecAsn1DistPointRDNTemplate _kSecAsn1DistributionPointTemplate _kSecAsn1EncryptedPrivateKeyInfoTemplate +_kSecAsn1ECDSAPrivateKeyInfoTemplate _kSecAsn1EnumeratedTemplate _kSecAsn1GenNameOtherNameTemplate _kSecAsn1GeneralNameTemplate @@ -1204,6 +1348,7 @@ _kSecAsn1IA5StringTemplate _kSecAsn1IntegerTemplate _kSecAsn1IssuingDistributionPointTemplate _kSecAsn1NameTemplate +_kSecAsn1NameConstraintsTemplate _kSecAsn1NullTemplate _kSecAsn1OCSPBasicResponseTemplate _kSecAsn1OCSPCertIDTemplate 
@@ -1246,8 +1391,10 @@ _kSecAsn1PointerToUTCTimeTemplate _kSecAsn1PointerToUTF8StringTemplate _kSecAsn1PointerToUniversalStringTemplate _kSecAsn1PointerToVisibleStringTemplate +_kSecAsn1PolicyConstraintsTemplate _kSecAsn1PolicyInformationTemplate _kSecAsn1PolicyQualifierTemplate +_kSecAsn1PolicyMappingsTemplate _kSecAsn1PrintableStringTemplate _kSecAsn1PrivateKeyInfoTemplate _kSecAsn1QC_StatementTemplate @@ -1405,6 +1552,7 @@ _kSecCodeInfoFlags _kSecCodeInfoFormat _kSecCodeInfoDigestAlgorithm _kSecCodeInfoDigestAlgorithms +_kSecCodeInfoPlatformIdentifier _kSecCodeInfoIdentifier _kSecCodeInfoImplicitDesignatedRequirement _kSecCodeInfoMainExecutable @@ -1428,6 +1576,8 @@ _kSecCodeInfoResourceDirectory _kSecGuestAttributeCanonical _kSecGuestAttributeDynamicCode _kSecGuestAttributeDynamicCodeInfoPlist +_kSecGuestAttributeArchitecture +_kSecGuestAttributeSubarchitecture _kSecGuestAttributeHash _kSecGuestAttributeMachPort _kSecGuestAttributePid @@ -1454,6 +1604,7 @@ _SecAssessmentCopyResult _SecAssessmentUpdate _SecAssessmentCopyUpdate _SecAssessmentControl +_SecAssessmentGetTypeID _kSecAssessmentContextKeyOperation _kSecAssessmentOperationTypeExecute _kSecAssessmentOperationTypeInstall @@ -1479,7 +1630,9 @@ _kSecAssessmentUpdateKeyRow _kSecAssessmentUpdateKeyCount _kSecAssessmentUpdateKeyFound _kSecAssessmentAssessmentAuthority +_kSecAssessmentAssessmentAuthorityFlags _kSecAssessmentAssessmentAuthorityOverride +_kSecAssessmentAssessmentAuthorityOriginalVerdict _kSecAssessmentAssessmentAuthorityRow _kSecAssessmentAssessmentFromCache _kSecAssessmentAssessmentOriginator 
@@ -1498,8 +1651,85 @@ _kSecAssessmentRuleKeyExpires _kSecAssessmentRuleKeyDisabled _kSecAssessmentRuleKeyBookmark _kSecAssessmentContextKeyPrimarySignature +_kDisabledOverride #endif // TARGET_OS_OSX +#if TARGET_OS_IPHONE +_SecCodeCheckValidity +_SecCodeCheckValidityWithErrors +_SecCodeCopyComponent +_SecCodeCopyDesignatedRequirement +_SecCodeCopyHost +_SecCodeCopyInternalRequirement +_SecCodeCopyPath +_SecCodeCopySelf +_SecCodeCopyStaticCode +//_SecCodeCreateWithPID +_SecCodeGetStatus +_SecCodeGetTypeID +_SecCodeMapMemory +_SecCodeSetStatus +_SecCodeValidateFileResource +_SecCopyLastError + +_SecRequirementCopyData +_SecRequirementCopyString +_SecRequirementCreateWithData +_SecRequirementCreateWithString +_SecRequirementCreateWithStringAndErrors +_SecRequirementGetTypeID +_SecStaticCodeCheckValidity +_SecStaticCodeCreateWithPath +_SecStaticCodeGetTypeID +_kSecCFErrorArchitecture +_kSecCFErrorGuestAttributes +_kSecCFErrorInfoPlist +_kSecCFErrorPath +_kSecCFErrorPattern +_kSecCFErrorRequirementSyntax +_kSecCFErrorResourceSeal +_kSecCFErrorResourceSideband +_kSecCodeAttributeArchitecture +_kSecCodeAttributeBundleVersion +_kSecCodeAttributeSubarchitecture +_kSecCodeInfoCMS +_kSecCodeInfoCdHashes +_kSecCodeInfoChangedFiles +_kSecCodeInfoCodeDirectory +_kSecCodeInfoCodeOffset +_kSecCodeInfoDesignatedRequirement +_kSecCodeInfoDigestAlgorithm +_kSecCodeInfoDigestAlgorithms +_kSecCodeInfoDiskRepInfo +_kSecCodeInfoDiskRepNoLibraryValidation +_kSecCodeInfoDiskRepOSPlatform +_kSecCodeInfoDiskRepOSSDKVersion +_kSecCodeInfoDiskRepOSVersionMin +_kSecCodeInfoFlags +_kSecCodeInfoFormat +_kSecCodeInfoImplicitDesignatedRequirement +_kSecCodeInfoMainExecutable +_kSecCodeInfoPList +_kSecCodeInfoPlatformIdentifier +_kSecCodeInfoRequirementData +_kSecCodeInfoRequirements +_kSecCodeInfoResourceDirectory +_kSecCodeInfoSource +_kSecCodeInfoStatus +_kSecCodeInfoTimestamp +_kSecCodeInfoTrust +_kSecGuestAttributeArchitecture +_kSecGuestAttributeAudit +_kSecGuestAttributeCanonical 
+_kSecGuestAttributeDynamicCode +_kSecGuestAttributeDynamicCodeInfoPlist +_kSecGuestAttributeHash +_kSecGuestAttributeMachPort +_kSecGuestAttributePid +_kSecGuestAttributeSubarchitecture + +#endif // TARGET_OS_IPHONE + #if TARGET_OS_OSX //breadcrumb _SecBreadcrumbCreateFromPassword @@ -1507,10 +1737,6 @@ _SecBreadcrumbCopyPassword _SecBreadcrumbCreateNewEncryptedKey #endif // TARGET_OS_OSX -#if TARGET_OS_IPHONE -_oidAnyExtendedKeyUsage -_oidAnyPolicy -#elif TARGET_OS_OSX // // libDER OIDs // @@ -1544,12 +1770,17 @@ _oidSha224 _oidFee _oidMd5Fee _oidSha1Fee +_oidEcPrime192v1 +_oidEcPrime256v1 +_oidAnsip384r1 +_oidAnsip521r1 _oidSubjectKeyIdentifier _oidKeyUsage _oidPrivateKeyUsagePeriod _oidSubjectAltName _oidIssuerAltName _oidBasicConstraints +_oidNameConstraints _oidCrlDistributionPoints _oidCertificatePolicies _oidAnyPolicy @@ -1582,13 +1813,13 @@ _oidExtendedKeyUsageServerAuth _oidExtendedKeyUsageClientAuth _oidExtendedKeyUsageCodeSigning _oidExtendedKeyUsageEmailProtection +_oidExtendedKeyUsageTimeStamping _oidExtendedKeyUsageOCSPSigning _oidExtendedKeyUsageIPSec _oidExtendedKeyUsageMicrosoftSGC _oidExtendedKeyUsageNetscapeSGC _oidGoogleEmbeddedSignedCertificateTimestamp _oidGoogleOCSPSignedCertificateTimestamp -#endif // TARGET_OS_OSX #if TARGET_OS_OSX // @@ -1612,6 +1843,7 @@ _SecureDownloadCopyURLs _SecureDownloadCopyCreationDate _SecureDownloadGetDownloadSize __SecureDownloadCreateTicketXML +__SecureDownloadParseTicketXML _SecureDownloadCopyTicketLocation #endif // TARGET_OS_OSX 
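Review bot: The new `#if TARGET_OS_IPHONE` block carries a commented-out entry, `//_SecCodeCreateWithPID`, with no reason given. A reader cannot tell whether the symbol is deliberately withheld on this platform or was disabled temporarily. Either delete the line or state the reason, e.g. `// _SecCodeCreateWithPID: not exported on iOS, <reason>`.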
@@ -1661,6 +1893,28 @@ _weak_os_log_create _weak_os_log_type_enabled _secLogEnable _secLogDisable + +_ApplyScopeDictionaryForID +_ApplyScopeListForID +_SecLogAPICreate +___security_simulatecrash +___security_simulatecrash_enable +___security_stackshotreport +_api_trace +_secLogEnabled +_CopyCurrentScopePlist + +#endif + +// SecFramework.h +#if TARGET_OS_IPHONE +_SecOSStatusWith +_SecSHA256DigestCreate +_SecSHA256DigestCreateFromData +#endif +#if TARGET_OS_OSX +_SecSHA256DigestCreate +_SecSHA256DigestCreateFromData #endif _secLogObjForScope 
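Review bot: The new `// SecFramework.h` block lists `_SecSHA256DigestCreate` and `_SecSHA256DigestCreateFromData` under both `#if TARGET_OS_IPHONE` and `#if TARGET_OS_OSX`, so the guards only make a difference for `_SecOSStatusWith`. Listing the two digest symbols once, outside the conditionals, and keeping only `_SecOSStatusWith` inside `#if TARGET_OS_IPHONE` would stop the two copies from drifting apart. If the intent is to exclude some third target, a one-line comment naming it would make that explicit.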
@@ -1689,8 +1943,58 @@ _SecRKCreateRecoveryKeyString // Analytics // -.objc_class_name_SFSQLite -.objc_class_name_SFAnalyticsLogger +#if __OBJC2__ + +_OBJC_CLASS_$_SFSQLite +_OBJC_METACLASS_$_SFAnalytics +_OBJC_CLASS_$_SFAnalytics +_OBJC_CLASS_$_SFAnalyticsActivityTracker +_OBJC_CLASS_$_SFAnalyticsMultiSampler +_OBJC_CLASS_$_SFAnalyticsSampler +_OBJC_CLASS_$_SFAnalyticsSQLiteStore +_SFAnalyticsMaxEventsToReport +_SFSQLiteJournalSuffixes +_SFAnalyticsSamplerIntervalOncePerReport +_SFAnalyticsTableSuccessCount +_SFAnalyticsTableHardFailures +_SFAnalyticsTableSoftFailures +_SFAnalyticsTableSamples +_SFAnalyticsTableAllEvents +_SFAnalyticsColumnSuccessCount +_SFAnalyticsColumnHardFailureCount +_SFAnalyticsColumnSoftFailureCount +_SFAnalyticsColumnSampleValue +_SFAnalyticsColumnSampleName +_SFAnalyticsEventTime +_SFAnalyticsEventType +_SFAnalyticsEventClassKey +_SFAnalyticsUserDefaultsSuite +_SFAnalyticsFireSamplersNotification +_SFAnalyticsTableSchema +_SFAnalyticsAttributeErrorCode +_SFAnalyticsAttributeErrorDomain +_SFAnalyticsAttributeErrorUnderlyingChain +_SFAnalyticsTopicKeySync +_SFAnaltyicsTopicTrust + +_OBJC_CLASS_$_SOSAnalytics +_CKDKVSPerformanceCountersSampler +_CKDKVSPerfCounterSynchronize +_CKDKVSPerfCounterSynchronizeWithCompletionHandler +_CKDKVSPerfCounterIncomingMessages +_CKDKVSPerfCounterOutgoingMessages +_CKDKVSPerfCounterTotalWaitTimeSynchronize +_CKDKVSPerfCounterLongestWaitTimeSynchronize +_CKDKVSPerfCounterSynchronizeFailures +#endif // __OBJC2__ // Padding _SecPaddingCompute + +// +// Code coverage support +// + +_VPMergeHook* +___llvm_profile_* +_lprofCurFilename* diff --git a/Security.xcodeproj/project.pbxproj b/Security.xcodeproj/project.pbxproj index d86582c7..9b3a5bc6 100644 --- a/Security.xcodeproj/project.pbxproj +++ b/Security.xcodeproj/project.pbxproj 
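Review bot: `_SFAnaltyicsTopicTrust` is misspelled ("Analtyics") right after `_SFAnalyticsTopicKeySync`, and exporting it makes the misspelling part of the framework's symbol surface. The entry has to match the definition, which is outside this hunk, so a rename to `_SFAnalyticsTopicTrust` would have to be made there as well. Separately, the code-coverage wildcards at the end (`_VPMergeHook*`, `___llvm_profile_*`, `_lprofCurFilename*`) sit outside any `#if`. In a non-coverage build they presumably match nothing, but a coverage-only guard around them would document that release builds are not meant to export profiling-runtime symbols.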
@@ -36,6 +36,7 @@ buildPhases = ( ); dependencies = ( + 0C78CCE51FCC97E7008B4B24 /* PBXTargetDependency */, F621D0831ED6ED5B000EA569 /* PBXTargetDependency */, 6C24EF4A1E415109000DE79F /* PBXTargetDependency */, EB27FF261E40716D00EC9E3A /* PBXTargetDependency */, @@ -68,7 +69,10 @@ DCB515D91ED3CC6B001F1152 /* PBXTargetDependency */, 6C24EF4A1E415109000DE79F /* PBXTargetDependency */, DCB515D71ED3CC52001F1152 /* PBXTargetDependency */, + 6CAA8D3F1F8431C9007B6E03 /* PBXTargetDependency */, + 6CAA8CE91F82FD13007B6E03 /* PBXTargetDependency */, DC5225001E40295C0021640A /* PBXTargetDependency */, + 6C7C38811FD88C4700DFFE68 /* PBXTargetDependency */, ); name = Security_executables_osx; productName = Security_executables; @@ -114,6 +118,7 @@ buildPhases = ( ); dependencies = ( + 0C78CCE71FCC97F1008B4B24 /* PBXTargetDependency */, D41257F11E941E7D00781F23 /* PBXTargetDependency */, EB27FF281E40717400EC9E3A /* PBXTargetDependency */, EBF374841DC058C00065D840 /* PBXTargetDependency */, @@ -131,7 +136,6 @@ 0CC827F2138712B100BD99B7 /* PBXTargetDependency */, 52D82BF616A627100078DFE5 /* PBXTargetDependency */, CD0637811A840C6400C81E74 /* PBXTargetDependency */, - 5DDD0BEE16D6748900D6C0D6 /* PBXTargetDependency */, 4C52D0EE16EFCD720079966E /* PBXTargetDependency */, BE197F631911742900BA91D1 /* PBXTargetDependency */, BE4AC9B418B8020400B84964 /* PBXTargetDependency */, @@ -143,6 +147,9 @@ DCB515D01ED3CC36001F1152 /* PBXTargetDependency */, DC5224F91E4029520021640A /* PBXTargetDependency */, EB0D30FA1EF12BFB00C3C17D /* PBXTargetDependency */, + 6CAA8D3D1F8431BC007B6E03 /* PBXTargetDependency */, + 6CAA8CE51F82FD08007B6E03 /* PBXTargetDependency */, + 6C7C38881FD88C5A00DFFE68 /* PBXTargetDependency */, ); name = Security_executables_ios; productName = phase2; 
@@ -164,10 +171,10 @@ buildPhases = ( ); dependencies = ( - EB58A05E1E74C51F009C10D7 /* PBXTargetDependency */, EB6A6FBB1B90F8EC0045DC68 /* PBXTargetDependency */, 4C541FA10F250C5200E508AE /* PBXTargetDependency */, E7CFF6771C84F66A00E3484E /* PBXTargetDependency */, + EB58A05E1E74C51F009C10D7 /* PBXTargetDependency */, ); name = ios; productName = world; @@ -183,7 +190,6 @@ D41257F51E941E8E00781F23 /* PBXTargetDependency */, EBF374881DC058CC0065D840 /* PBXTargetDependency */, D41AD45C1B978A7A008C7270 /* PBXTargetDependency */, - D41AD4721B978F76008C7270 /* PBXTargetDependency */, D41AD45E1B978A7C008C7270 /* PBXTargetDependency */, D41AD4601B978E18008C7270 /* PBXTargetDependency */, D41AD4621B978E24008C7270 /* PBXTargetDependency */, @@ -209,7 +215,6 @@ EBF374861DC058C50065D840 /* PBXTargetDependency */, D41AD43A1B96721E008C7270 /* PBXTargetDependency */, D41AD4521B9788B2008C7270 /* PBXTargetDependency */, - D41AD45A1B978944008C7270 /* PBXTargetDependency */, D41AD4461B9786A3008C7270 /* PBXTargetDependency */, D41AD43E1B967242008C7270 /* PBXTargetDependency */, D41AD43C1B96723B008C7270 /* PBXTargetDependency */, @@ -385,6 +390,7 @@ EB58A0601E74C8D9009C10D7 /* PBXTargetDependency */, EB10557F1E14DFBE0003C309 /* PBXTargetDependency */, BE9C38D11EB115F4007E2AE1 /* PBXTargetDependency */, + DCDB29761FD8839F00B5D242 /* PBXTargetDependency */, ); name = Security_tests_osx; productName = Security_test_macos; @@ -402,6 +408,7 @@ EB58A0621E74C8E4009C10D7 /* PBXTargetDependency */, EB10557D1E14DFB60003C309 /* PBXTargetDependency */, BE9C38D31EB11605007E2AE1 /* PBXTargetDependency */, + DCDB29781FD883AB00B5D242 /* PBXTargetDependency */, ); name = Security_tests_ios; productName = Security_test_ios; 
@@ -413,7 +420,6 @@ ); dependencies = ( DC71D9E11D95BAC40065FB93 /* PBXTargetDependency */, - DC5AC1341D835C2300CF422C /* PBXTargetDependency */, DC178BF31D77ABE300B50D50 /* PBXTargetDependency */, BE9C38C81EB115A7007E2AE1 /* PBXTargetDependency */, DC58C4431D77C1F8003C25A4 /* PBXTargetDependency */, 
@@ -521,6 +527,16 @@ 0C0C88781CCEC5C400617D1B /* si-82-sectrust-ct-data in Resources */ = {isa = PBXBuildFile; fileRef = 0C0C88771CCEC5BD00617D1B /* si-82-sectrust-ct-data */; }; 0C0C88791CCEC5C500617D1B /* si-82-sectrust-ct-data in Resources */ = {isa = PBXBuildFile; fileRef = 0C0C88771CCEC5BD00617D1B /* si-82-sectrust-ct-data */; }; 0C0CECA41DA45ED700C22FBC /* recovery_key.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C0CEC9E1DA45EA200C22FBC /* recovery_key.m */; }; + 0C0DA5CE1FE1EAB9003BD3BB /* SecurityFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DCE4E7C01D7A463E00AFB96E /* SecurityFoundation.framework */; }; + 0C0DA5CF1FE1F1C5003BD3BB /* OTControlProtocol.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8BBF0D1FCB452300580909 /* OTControlProtocol.m */; }; + 0C0DA5D01FE1F1F3003BD3BB /* CKKSControlProtocol.m in Sources */ = {isa = PBXBuildFile; fileRef = DCF7A8A21F0450EB00CABE89 /* CKKSControlProtocol.m */; }; + 0C16371C1FD116B300210823 /* MockCloudKit.m in Sources */ = {isa = PBXBuildFile; fileRef = DC3502E61E0214C800BC0587 /* MockCloudKit.m */; }; + 0C1637211FD12F1500210823 /* OTCloudStoreTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C16371F1FD12F1500210823 /* OTCloudStoreTests.m */; }; + 0C1637271FD2065400210823 /* spi.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78CB01D8085D800865A7C /* spi.c */; }; + 0C1637291FD2066A00210823 /* SecdWatchdog.m in Sources */ = {isa = PBXBuildFile; fileRef = 476541641F339F6300413F65 /* SecdWatchdog.m */; }; + 0C16372B1FD2067F00210823 /* server_endpoint.m in Sources */ = {isa = PBXBuildFile; fileRef = DC6ACC401E81DF9400125DC5 /* server_endpoint.m */; }; + 0C16372D1FD2069300210823 /* server_entitlement_helpers.c in Sources */ = {isa = PBXBuildFile; fileRef = DC5F35A41EE0F1A900900966 /* server_entitlement_helpers.c */; }; + 0C1637301FD206BC00210823 /* server_security_helpers.c in Sources */ = {isa = PBXBuildFile; fileRef = DC4269061E82FBDF002B7110 /* server_security_helpers.c */; }; 
0C2BCBAF1D06401F00ED7A2F /* ioSock.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CE5A65809C79E0600D27A3F /* ioSock.c */; }; 0C2BCBB01D06401F00ED7A2F /* sslAppUtils.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4CE5A65A09C79E0600D27A3F /* sslAppUtils.cpp */; }; 0C2BCBB41D06401F00ED7A2F /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C32C0AF0A4975F6002891BD /* Security.framework */; }; 
@@ -531,19 +547,104 @@ 0C2BCBC91D0648D100ED7A2F /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C32C0AF0A4975F6002891BD /* Security.framework */; }; 0C2BCBCA1D0648D100ED7A2F /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E43C48C1B00D07000E5ECB2 /* CoreFoundation.framework */; }; 0C2BCBCF1D0648EF00ED7A2F /* dtlsEchoServer.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C2BCBA61D063F7D00ED7A2F /* dtlsEchoServer.c */; }; + 0C36B3212007F2550029F7A2 /* OTPreflightInfo.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C36B3172007EE6C0029F7A2 /* OTPreflightInfo.m */; }; + 0C36B3222007F2570029F7A2 /* OTPreflightInfo.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C36B3172007EE6C0029F7A2 /* OTPreflightInfo.m */; }; 0C3C00731EF3636500AB19FE /* secd-155-otr-negotiation-monitor.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C3C00721EF3636300AB19FE /* secd-155-otr-negotiation-monitor.m */; }; + 0C46A5712034C6BA00F17112 /* OTControl.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8BBF0E1FCB452400580909 /* OTControl.m */; }; + 0C46A57B2035019800F17112 /* OTLockStateNetworkingTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C46A57A2035019800F17112 /* OTLockStateNetworkingTests.m */; }; 0C48990B1E0E0FF300C6CF70 /* SOSTransportCircleCK.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C48990A1E0E0FF300C6CF70 /* SOSTransportCircleCK.h */; }; 0C4899121E0E105D00C6CF70 /* SOSTransportCircleCK.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C4899111E0E105D00C6CF70 /* SOSTransportCircleCK.m */; }; - 0C48991C1E0F384700C6CF70 /* SOSAccountTrustClassic.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C48991B1E0F384700C6CF70 /* SOSAccountTrustClassic.m */; }; 0C4899231E0F386900C6CF70 /* SOSAccountTrustClassic.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C4899221E0F386900C6CF70 /* SOSAccountTrustClassic.h */; }; 0C4899251E0F38FA00C6CF70 /* SOSAccountTrustOctagon.m in Sources */ = {isa = PBXBuildFile; fileRef = 
0C4899241E0F38FA00C6CF70 /* SOSAccountTrustOctagon.m */; }; 0C4899271E0F399B00C6CF70 /* SOSAccountTrustOctagon.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C4899261E0F399B00C6CF70 /* SOSAccountTrustOctagon.h */; }; + 0C52C1FF20003BCA003F0733 /* OTTestsBase.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C52C1FE20003BCA003F0733 /* OTTestsBase.m */; }; + 0C59605A1FB2D8E50095BA29 /* libprequelite.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CE98B5B1FA9360700CF1D54 /* libprequelite.tbd */; }; + 0C59605C1FB2D9280095BA29 /* libprequelite.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CE98B5B1FA9360700CF1D54 /* libprequelite.tbd */; }; + 0C59605D1FB2D95D0095BA29 /* libprequelite.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CE98B5B1FA9360700CF1D54 /* libprequelite.tbd */; }; + 0C59605E1FB2D9990095BA29 /* libprequelite.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CE98B5B1FA9360700CF1D54 /* libprequelite.tbd */; }; + 0C59605F1FB2D9F60095BA29 /* libprequelite.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CE98B5B1FA9360700CF1D54 /* libprequelite.tbd */; }; + 0C5960601FB2DA310095BA29 /* libprequelite.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CE98B5B1FA9360700CF1D54 /* libprequelite.tbd */; }; + 0C5960621FB2E0EC0095BA29 /* libprequelite.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CE98B5B1FA9360700CF1D54 /* libprequelite.tbd */; }; + 0C5960631FB2E1A70095BA29 /* libprequelite.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CE98B5B1FA9360700CF1D54 /* libprequelite.tbd */; }; + 0C5960641FB2E2070095BA29 /* libprequelite.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CE98B5B1FA9360700CF1D54 /* libprequelite.tbd */; settings = {ATTRIBUTES = (Weak, ); }; }; + 0C5960651FB2E2800095BA29 /* libprequelite.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CE98B5B1FA9360700CF1D54 /* libprequelite.tbd */; }; + 0C5960811FB369C50095BA29 /* CKKSHealTLKSharesOperation.m in Sources */ = {isa = 
PBXBuildFile; fileRef = DCBF2F841F913EF000ED0CA4 /* CKKSHealTLKSharesOperation.m */; }; + 0C5CFB382019610000913B9C /* OTRamping.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C5CFB37201960FF00913B9C /* OTRamping.m */; }; + 0C5CFB392019610000913B9C /* OTRamping.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C5CFB37201960FF00913B9C /* OTRamping.m */; }; 0C5D62F11E81E74800AA4D02 /* SOSInternal.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D8D1D8085F200865A7C /* SOSInternal.m */; }; + 0C5F4FD81F952FEA00AF1616 /* secd-700-sftm.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C5F4FD71F952FEA00AF1616 /* secd-700-sftm.m */; }; + 0C770EBC1FCF7C9800B5F0E2 /* OTCloudStore.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C8BBE891FC9DA5200580909 /* OTCloudStore.h */; }; + 0C770EC21FCF7C9800B5F0E2 /* OTCloudStore.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C8BBE891FC9DA5200580909 /* OTCloudStore.h */; }; + 0C770EC41FCF7E2000B5F0E2 /* OTCloudStore.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C770EC31FCF7E2000B5F0E2 /* OTCloudStore.m */; }; + 0C770EC51FCF7E2000B5F0E2 /* OTCloudStore.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C770EC31FCF7E2000B5F0E2 /* OTCloudStore.m */; }; 0C78F1CC16A5E1BF00654E08 /* sectask-10-sectask.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C78F1CA16A5E1BF00654E08 /* sectask-10-sectask.c */; }; 0C78F1CD16A5E1BF00654E08 /* sectask-10-sectask.c in Sources */ = {isa = PBXBuildFile; fileRef = 0C78F1CA16A5E1BF00654E08 /* sectask-10-sectask.c */; }; 0C78F1CE16A5E1BF00654E08 /* sectask_ipc.defs in Sources */ = {isa = PBXBuildFile; fileRef = 0C78F1CB16A5E1BF00654E08 /* sectask_ipc.defs */; settings = {ATTRIBUTES = (Client, Server, ); }; }; 0C78F1CF16A5E1BF00654E08 /* sectask_ipc.defs in Sources */ = {isa = PBXBuildFile; fileRef = 0C78F1CB16A5E1BF00654E08 /* sectask_ipc.defs */; settings = {ATTRIBUTES = (Client, Server, ); }; }; 0C78F1D016A5E3EB00654E08 /* libbsm.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 
107227350D91FE89003CF14F /* libbsm.dylib */; }; + 0C85DFE71FB38BB6000343A7 /* libASN1_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC8834081D8A218F00CE0ACA /* libASN1_not_installed.a */; }; + 0C85DFE81FB38BB6000343A7 /* libsecurityd_ios_NO_AKS.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC222C771E034D1F00B09171 /* libsecurityd_ios_NO_AKS.a */; }; + 0C85DFE91FB38BB6000343A7 /* libSecureObjectSyncFramework.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DCD8A1991E09EE0F00E4FA0A /* libSecureObjectSyncFramework.a */; }; + 0C85DFEA1FB38BB6000343A7 /* libSecureObjectSyncServer.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC52E8C61D80C25800B0A59C /* libSecureObjectSyncServer.a */; }; + 0C85DFEB1FB38BB6000343A7 /* libsecurity.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DCC78EA91D8088E200865A7C /* libsecurity.a */; }; + 0C85DFEC1FB38BB6000343A7 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC0BCC361D8C684F00070CB0 /* libutilities.a */; }; + 0C85DFED1FB38BB6000343A7 /* CFNetwork.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF730310EF9CDE300E17471 /* CFNetwork.framework */; }; + 0C85DFEE1FB38BB6000343A7 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; + 0C85DFF01FB38BB6000343A7 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CBCE5A90BE7F69100FF81F5 /* IOKit.framework */; }; + 0C85DFF11FB38BB6000343A7 /* OCMock.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DC3502E81E02172C00BC0587 /* OCMock.framework */; }; + 0C85DFF31FB38BB6000343A7 /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E71F3E3016EA69A900FAF9B4 /* SystemConfiguration.framework */; }; + 0C85DFF41FB38BB6000343A7 /* libACM.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC610A3A1D78F228002223DE /* libACM.a */; }; + 0C85DFF51FB38BB6000343A7 /* libaks_acl.a in Frameworks */ = {isa = 
PBXBuildFile; fileRef = 4432AF8C1A01472C000958DC /* libaks_acl.a */; }; + 0C85DFF61FB38BB6000343A7 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D46246CE1F9AEAE300D63882 /* libDER.a */; }; + 0C85DFF71FB38BB6000343A7 /* libbsm.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 107227350D91FE89003CF14F /* libbsm.dylib */; }; + 0C85DFF81FB38BB6000343A7 /* libcoreauthd_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4432AF6A1A01458F000958DC /* libcoreauthd_client.a */; }; + 0C85DFF91FB38BB6000343A7 /* libctkclient.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4469FBDD1AA0A45C0021AA26 /* libctkclient.a */; }; + 0C85DFFA1FB38BB6000343A7 /* libsqlite3.0.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = DC27B57D1DDFC24500599261 /* libsqlite3.0.dylib */; }; + 0C85DFFB1FB38BB6000343A7 /* libz.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = BE8ABDD71DC2DD9100EC2D58 /* libz.dylib */; }; + 0C85DFFE1FB38BB6000343A7 /* OCMock.framework in Embed OCMock */ = {isa = PBXBuildFile; fileRef = DC3502E81E02172C00BC0587 /* OCMock.framework */; settings = {ATTRIBUTES = (CodeSignOnCopy, RemoveHeadersOnCopy, ); }; }; + 0C8A03461FDF42BA0042E8BE /* OTEscrowKeyTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8A03451FDF42BA0042E8BE /* OTEscrowKeyTests.m */; }; + 0C8A034D1FDF4CCE0042E8BE /* OTLocalStoreTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8A034C1FDF4CCE0042E8BE /* OTLocalStoreTests.m */; }; + 0C8A034F1FDF60070042E8BE /* OTBottledPeerTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8A034E1FDF60070042E8BE /* OTBottledPeerTests.m */; }; + 0C8BBE9F1FC9DBA400580909 /* OTBottledPeer.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8BBE931FC9DA5700580909 /* OTBottledPeer.m */; }; + 0C8BBEA01FC9DBA400580909 /* OTBottledPeer.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8BBE931FC9DA5700580909 /* OTBottledPeer.m */; }; + 0C8BBEA21FC9DBAA00580909 /* OTContext.m in Sources */ = {isa = PBXBuildFile; fileRef = 
0C8BBE981FC9DA5A00580909 /* OTContext.m */; }; + 0C8BBEA51FC9DBB100580909 /* OTEscrowKeys.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8BBE961FC9DA5900580909 /* OTEscrowKeys.m */; }; + 0C8BBEA61FC9DBB200580909 /* OTEscrowKeys.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8BBE961FC9DA5900580909 /* OTEscrowKeys.m */; }; + 0C8BBEA71FC9DBB500580909 /* OTIdentity.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8BBE8D1FC9DA5400580909 /* OTIdentity.m */; }; + 0C8BBEA81FC9DBB600580909 /* OTIdentity.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8BBE8D1FC9DA5400580909 /* OTIdentity.m */; }; + 0C8BBEA91FC9DBBF00580909 /* OTLocalStore.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8BBE8C1FC9DA5400580909 /* OTLocalStore.m */; }; + 0C8BBEAA1FC9DBC000580909 /* OTLocalStore.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8BBE8C1FC9DA5400580909 /* OTLocalStore.m */; }; + 0C8BBEE61FCA6E0500580909 /* OTContext.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8BBE981FC9DA5A00580909 /* OTContext.m */; }; + 0C8BBEFF1FCB446400580909 /* SecArgParse.c in Sources */ = {isa = PBXBuildFile; fileRef = DC5BCC461E5380EA00649140 /* SecArgParse.c */; }; + 0C8BBF031FCB446400580909 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 52D82BD316A5EADA0078DFE5 /* Security.framework */; }; + 0C8BBF091FCB447600580909 /* otctl.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8BBEF71FCB405700580909 /* otctl.m */; }; + 0C8BBF111FCB4AAA00580909 /* OTControl.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8BBF0E1FCB452400580909 /* OTControl.m */; }; + 0C8BBF121FCB4AAB00580909 /* OTControl.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8BBF0E1FCB452400580909 /* OTControl.m */; }; + 0C8BBF131FCB4AFA00580909 /* OTControlProtocol.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8BBF0D1FCB452300580909 /* OTControlProtocol.m */; }; + 0C8BBF141FCB4AFB00580909 /* OTControlProtocol.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8BBF0D1FCB452300580909 /* 
OTControlProtocol.m */; }; + 0C8BBF151FCB4B1B00580909 /* OTManager.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8BBF0F1FCB481800580909 /* OTManager.m */; }; + 0C8BBF161FCB4B1C00580909 /* OTManager.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8BBF0F1FCB481800580909 /* OTManager.m */; }; + 0C8BBF171FCB4E5000580909 /* OTControlProtocol.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8BBF0D1FCB452300580909 /* OTControlProtocol.m */; }; + 0C8BBF181FCB4E5000580909 /* OTControlProtocol.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8BBF0D1FCB452300580909 /* OTControlProtocol.m */; }; + 0C8BBF1B1FCB4EC500580909 /* OTControlProtocol.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8BBF0D1FCB452300580909 /* OTControlProtocol.m */; }; + 0C8BBF1C1FCB4F0300580909 /* OTControl.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C8BBF0B1FCB452200580909 /* OTControl.h */; }; + 0C8BBF1D1FCB4F0300580909 /* OTControlProtocol.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C8BBF0C1FCB452200580909 /* OTControlProtocol.h */; }; + 0C8BBF1E1FCB4F0400580909 /* OTControl.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C8BBF0B1FCB452200580909 /* OTControl.h */; }; + 0C8BBF1F1FCB4F0400580909 /* OTControlProtocol.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C8BBF0C1FCB452200580909 /* OTControlProtocol.h */; }; + 0C8BBF201FCB4F1800580909 /* OTControl.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C8BBF0B1FCB452200580909 /* OTControl.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 0C8BBF211FCB4F1800580909 /* OTControlProtocol.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C8BBF0C1FCB452200580909 /* OTControlProtocol.h */; }; + 0C8BBF221FCB4F1800580909 /* OTControl.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C8BBF0B1FCB452200580909 /* OTControl.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 0C8BBF231FCB4F1800580909 /* OTControlProtocol.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C8BBF0C1FCB452200580909 /* OTControlProtocol.h */; }; + 
0C8BBF241FCB4FE700580909 /* OTManager.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C8BBF101FCB486B00580909 /* OTManager.h */; }; + 0C8BBF251FCB4FE800580909 /* OTManager.h in Headers */ = {isa = PBXBuildFile; fileRef = 0C8BBF101FCB486B00580909 /* OTManager.h */; }; + 0C8BBF261FCB561C00580909 /* CoreCDP.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DCE4E9411D7F3E6E00AFB96E /* CoreCDP.framework */; }; + 0C8BBF2B1FCB575800580909 /* CoreCDP.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DCE4E9411D7F3E6E00AFB96E /* CoreCDP.framework */; }; + 0C8BBF2D1FCB5A2900580909 /* CoreCDP.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DCE4E9411D7F3E6E00AFB96E /* CoreCDP.framework */; }; + 0C8BBFFD1FCE8F3300580909 /* CoreCDP.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DCE4E9411D7F3E6E00AFB96E /* CoreCDP.framework */; settings = {ATTRIBUTES = (Weak, ); }; }; + 0CA4EBF3202B8D9C002B1D96 /* CloudKitKeychainSyncingTestsBase.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CA4EBF2202B8D1D002B1D96 /* CloudKitKeychainSyncingTestsBase.m */; }; + 0CA4EBF4202B8DBE002B1D96 /* CloudKitKeychainSyncingTestsBase.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CA4EBF2202B8D1D002B1D96 /* CloudKitKeychainSyncingTestsBase.m */; }; + 0CA4EC10202BB5AF002B1D96 /* Accounts.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF4C19C171E0EA600877419 /* Accounts.framework */; settings = {ATTRIBUTES = (Weak, ); }; }; + 0CA4EC11202BB5E9002B1D96 /* Accounts.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF4C19C171E0EA600877419 /* Accounts.framework */; settings = {ATTRIBUTES = (Weak, ); }; }; 0CAC5DBF1EB3DA4C00AD884B /* SOSPeerRateLimiter.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CAC5DBE1EB3DA4C00AD884B /* SOSPeerRateLimiter.m */; }; 0CAD1E1C1E032ADB00537693 /* SOSCloudCircleServer.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78CAA1D8085D800865A7C /* SOSCloudCircleServer.m */; }; 0CAD1E581E1C5C6C00537693 /* 
SOSCloudCircle.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D891D8085F200865A7C /* SOSCloudCircle.m */; }; 
@@ -553,10 +654,30 @@ 0CAD1E5C1E1C5CEB00537693 /* secd_77_ids_messaging.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78C691D8085D800865A7C /* secd_77_ids_messaging.m */; }; 0CAD1E5D1E1C5CF900537693 /* secd-80-views-alwayson.m in Sources */ = {isa = PBXBuildFile; fileRef = 7281E08B1DFD0A380021E1B7 /* secd-80-views-alwayson.m */; }; 0CAD1E5E1E1C5D0600537693 /* secd-95-escrow-persistence.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78C741D8085D800865A7C /* secd-95-escrow-persistence.m */; }; + 0CAEC9D81FD740CF00D1F2CA /* OTContextTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C8BBEAF1FC9DCA400580909 /* OTContextTests.m */; }; + 0CB9754E2023A8DD008D6B48 /* CloudKitKeychainSyncingMockXCTest.m in Sources */ = {isa = PBXBuildFile; fileRef = DC08D1C31E64FA8C006237DA /* CloudKitKeychainSyncingMockXCTest.m */; }; + 0CB9754F2023A8F5008D6B48 /* CloudKitMockXCTest.m in Sources */ = {isa = PBXBuildFile; fileRef = DC222CA71E08A7D900B09171 /* CloudKitMockXCTest.m */; }; + 0CB975512023B199008D6B48 /* OTRampingTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CB975502023B199008D6B48 /* OTRampingTests.m */; }; + 0CBD55B31FE883F200A8CE21 /* SFBehavior.m in Sources */ = {isa = PBXBuildFile; fileRef = EB82A2A51FAFF26900CA64A9 /* SFBehavior.m */; }; + 0CBD55B91FE883F300A8CE21 /* SFBehavior.m in Sources */ = {isa = PBXBuildFile; fileRef = EB82A2A51FAFF26900CA64A9 /* SFBehavior.m */; }; + 0CBDF64D1FFC951200433E0D /* OTBottledPeerTLK.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CBDF64C1FFC951200433E0D /* OTBottledPeerTLK.m */; }; + 0CBFEACA200FCD2D009A60E9 /* SFTransactionMetric.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CF0E2E31F8EE3B000BD18E4 /* SFTransactionMetric.m */; }; + 0CBFEACB200FCD2D009A60E9 /* SFTransactionMetric.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CF0E2E31F8EE3B000BD18E4 /* SFTransactionMetric.m */; }; + 0CBFEACC200FCD33009A60E9 /* SFTransactionMetric.h in Headers */ = {isa = PBXBuildFile; fileRef = 0CF0E2E71F8EE40700BD18E4 
/* SFTransactionMetric.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 0CBFEACD200FCD33009A60E9 /* SFTransactionMetric.h in Headers */ = {isa = PBXBuildFile; fileRef = 0CF0E2E71F8EE40700BD18E4 /* SFTransactionMetric.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 0CC0445B1FFC4150004A5B63 /* CKKSControl.m in Sources */ = {isa = PBXBuildFile; fileRef = DC9C95B31F79CFD1000D19E5 /* CKKSControl.m */; }; 0CC319241DA46FBF005D42EA /* ProtectedCloudStorage.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 43DB542E1BB1F85B0083C3F1 /* ProtectedCloudStorage.framework */; }; + 0CCCC7C920261D310024405E /* OT.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CCCC7C820261D310024405E /* OT.m */; }; + 0CCCC7CA20261D310024405E /* OT.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CCCC7C820261D310024405E /* OT.m */; }; 0CCDE7171EEB08220021A946 /* secd-156-timers.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CCDE7161EEB08220021A946 /* secd-156-timers.m */; }; 0CD8CB051ECA50780076F37F /* SOSPeerOTRTimer.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CD8CB041ECA50780076F37F /* SOSPeerOTRTimer.m */; }; 0CD8CB0B1ECA50920076F37F /* SOSPeerOTRTimer.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CD8CB041ECA50780076F37F /* SOSPeerOTRTimer.m */; }; + 0CD9E8001FE05B6600F66C38 /* OTContextRecord.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CD9E7FF1FE05B6600F66C38 /* OTContextRecord.m */; }; + 0CD9E8011FE05B6600F66C38 /* OTContextRecord.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CD9E7FF1FE05B6600F66C38 /* OTContextRecord.m */; }; + 0CE1BCCE1FCE11680017230E /* OTBottledPeerSigned.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CE1BCC61FCE11480017230E /* OTBottledPeerSigned.m */; }; + 0CE1BCCF1FCE11690017230E /* OTBottledPeerSigned.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CE1BCC61FCE11480017230E /* OTBottledPeerSigned.m */; }; + 0CE407AC1FD4769B00F59B31 /* OTCloudStoreState.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CE407AB1FD4769B00F59B31 
/* OTCloudStoreState.m */; }; + 0CE407AD1FD4769B00F59B31 /* OTCloudStoreState.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CE407AB1FD4769B00F59B31 /* OTCloudStoreState.m */; }; 0CE760481E12F2F300B4381E /* SOSAccountTrustClassic+Expansion.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CE760471E12F2F200B4381E /* SOSAccountTrustClassic+Expansion.m */; }; 0CE7604A1E12F30200B4381E /* SOSAccountTrustClassic+Circle.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CE760491E12F30200B4381E /* SOSAccountTrustClassic+Circle.m */; }; 0CE7604C1E12F56800B4381E /* SOSAccountTrustClassic+Identity.m in Sources */ = {isa = PBXBuildFile; fileRef = 0CE7604B1E12F56800B4381E /* SOSAccountTrustClassic+Identity.m */; }; @@ -576,7 +697,6 @@ 220179EB1E3BF1F100EFB6F3 /* detachedrep.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCD067E11D8CDF7E007602F1 /* detachedrep.cpp */; }; 222F239F1DAC15C5007ACB90 /* SecTaskPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = DCD068031D8CDF7E007602F1 /* SecTaskPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; 222F23A01DAC1603007ACB90 /* SecTaskPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = DCD068031D8CDF7E007602F1 /* SecTaskPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 225394B71E3081F900D3CD9B /* cskernel.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCD067CA1D8CDF7E007602F1 /* cskernel.cpp */; }; 225394B81E30820900D3CD9B /* Code.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCD067A01D8CDF7E007602F1 /* Code.cpp */; }; 225394B91E30821400D3CD9B /* bundlediskrep.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCD067D51D8CDF7E007602F1 /* bundlediskrep.cpp */; }; 225394BA1E30821E00D3CD9B /* cdbuilder.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCD067B01D8CDF7E007602F1 /* cdbuilder.cpp */; }; 
@@ -589,7 +709,6 @@ 225394C11E30827600D3CD9B /* filediskrep.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCD067D31D8CDF7E007602F1 /* filediskrep.cpp */; }; 225394C21E30827E00D3CD9B /* kerneldiskrep.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCD067D71D8CDF7E007602F1 /* kerneldiskrep.cpp */; }; 225394C31E30828800D3CD9B /* StaticCode.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCD067A21D8CDF7E007602F1 /* StaticCode.cpp */; }; - 225394C41E30829300D3CD9B /* reqparser.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCD067C31D8CDF7E007602F1 /* reqparser.cpp */; }; 225394C51E3082A100D3CD9B /* requirement.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCD067BB1D8CDF7E007602F1 /* requirement.cpp */; }; 225394C61E3082AB00D3CD9B /* Requirements.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCD067A41D8CDF7E007602F1 /* Requirements.cpp */; }; 225394C71E3082B600D3CD9B /* reqdumper.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCD067C51D8CDF7E007602F1 /* reqdumper.cpp */; }; 
@@ -604,7 +723,6 @@ 225394D01E30836200D3CD9B /* singlediskrep.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCD067DF1D8CDF7E007602F1 /* singlediskrep.cpp */; }; 225394D11E30836F00D3CD9B /* reqreader.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCD067BF1D8CDF7E007602F1 /* reqreader.cpp */; }; 225394D21E30837900D3CD9B /* cserror.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCD067F11D8CDF7E007602F1 /* cserror.cpp */; }; - 225394D31E3083C600D3CD9B /* SecCodeHost.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1785841D778B8000B50D50 /* SecCodeHost.h */; settings = {ATTRIBUTES = (Private, ); }; }; 225394D41E3083D000D3CD9B /* CodeSigning.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1785811D778B7F00B50D50 /* CodeSigning.h */; settings = {ATTRIBUTES = (Private, ); }; }; 225394D51E3083DA00D3CD9B /* CSCommon.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1785821D778B7F00B50D50 /* CSCommon.h */; settings = {ATTRIBUTES = (Private, ); }; }; 225394D61E3083E300D3CD9B /* SecCode.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1785831D778B7F00B50D50 /* SecCode.h */; settings = {ATTRIBUTES = (Private, ); }; }; 
@@ -619,7 +737,6 @@ 22A23B3C1E3AAC9800C41830 /* SecCode.h in Headers */ = {isa = PBXBuildFile; fileRef = DCD0678D1D8CDF7E007602F1 /* SecCode.h */; settings = {ATTRIBUTES = (Private, ); }; }; 22A23B3D1E3AAC9800C41830 /* SecStaticCode.h in Headers */ = {isa = PBXBuildFile; fileRef = DCD067901D8CDF7E007602F1 /* SecStaticCode.h */; settings = {ATTRIBUTES = (Private, ); }; }; 22A23B3E1E3AAC9800C41830 /* SecRequirement.h in Headers */ = {isa = PBXBuildFile; fileRef = DCD067931D8CDF7E007602F1 /* SecRequirement.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 22A23B3F1E3AAC9800C41830 /* SecCodeHost.h in Headers */ = {isa = PBXBuildFile; fileRef = DCD067981D8CDF7E007602F1 /* SecCodeHost.h */; settings = {ATTRIBUTES = (Private, ); }; }; 22E337DA1E37FD66001D5637 /* libsecurity_codesigning_ios.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 225394B41E3080A600D3CD9B /* libsecurity_codesigning_ios.a */; }; 24CBF8751E9D4E6100F09F0E /* kc-44-secrecoverypassword.c in Sources */ = {isa = PBXBuildFile; fileRef = 24CBF8731E9D4E4500F09F0E /* kc-44-secrecoverypassword.c */; }; 433E519E1B66D5F600482618 /* AppSupport.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 433E519D1B66D5F600482618 /* AppSupport.framework */; }; 
@@ -661,28 +778,58 @@ 44A655A61AA4B4C80059D185 /* libctkclient.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4469FBDD1AA0A45C0021AA26 /* libctkclient.a */; }; 470415DC1E5E1534001F3D95 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = 470415DB1E5E1534001F3D95 /* main.m */; }; 4710A6D91F34F21700745267 /* CrashReporterSupport.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DCE4E9391D7F3DF200AFB96E /* CrashReporterSupport.framework */; }; + 471A03EC1F72E35B000A8904 /* SecDbKeychainItemV7.m in Sources */ = {isa = PBXBuildFile; fileRef = 470ACEF31F58C3A600D1D5BD /* SecDbKeychainItemV7.m */; }; + 471A03F21F72E35C000A8904 /* SecDbKeychainItemV7.m in Sources */ = {isa = PBXBuildFile; fileRef = 470ACEF31F58C3A600D1D5BD /* SecDbKeychainItemV7.m */; }; + 472339671FD7155E00CB6A72 /* libprequelite.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 472339611FD7155C00CB6A72 /* libprequelite.dylib */; }; + 472339691FD7156800CB6A72 /* CoreCDP.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 472339681FD7156700CB6A72 /* CoreCDP.framework */; }; 4723C9C21F152EB50082882F /* SFObjCType.h in Headers */ = {isa = PBXBuildFile; fileRef = 4723C9C01F152EB10082882F /* SFObjCType.h */; }; 4723C9C31F152EB60082882F /* SFObjCType.h in Headers */ = {isa = PBXBuildFile; fileRef = 4723C9C01F152EB10082882F /* SFObjCType.h */; }; - 4723C9C41F152EBB0082882F /* SFObjCType.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BE1F152EB10082882F /* SFObjCType.m */; }; - 4723C9C51F152EBC0082882F /* SFObjCType.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BE1F152EB10082882F /* SFObjCType.m */; }; 4723C9C61F152EC00082882F /* SFSQLite.h in Headers */ = {isa = PBXBuildFile; fileRef = 4723C9BD1F152EB10082882F /* SFSQLite.h */; settings = {ATTRIBUTES = (Private, ); }; }; 4723C9C71F152EC10082882F /* SFSQLite.h in Headers */ = {isa = PBXBuildFile; fileRef = 4723C9BD1F152EB10082882F /* SFSQLite.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 
4723C9C81F152ECA0082882F /* SFSQLite.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BC1F152EB10082882F /* SFSQLite.m */; }; - 4723C9C91F152ECA0082882F /* SFSQLite.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BC1F152EB10082882F /* SFSQLite.m */; }; 4723C9CA1F152ECE0082882F /* SFSQLiteStatement.h in Headers */ = {isa = PBXBuildFile; fileRef = 4723C9C11F152EB10082882F /* SFSQLiteStatement.h */; }; 4723C9CB1F152ECF0082882F /* SFSQLiteStatement.h in Headers */ = {isa = PBXBuildFile; fileRef = 4723C9C11F152EB10082882F /* SFSQLiteStatement.h */; }; 4723C9CC1F152ED30082882F /* SFSQLiteStatement.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BF1F152EB10082882F /* SFSQLiteStatement.m */; }; 4723C9CD1F152ED40082882F /* SFSQLiteStatement.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BF1F152EB10082882F /* SFSQLiteStatement.m */; }; 4723C9D41F1531A30082882F /* CKKSLoggerTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9D11F1531970082882F /* CKKSLoggerTests.m */; }; - 4723C9DC1F1540CE0082882F /* SFAnalyticsLogger.h in Headers */ = {isa = PBXBuildFile; fileRef = 4723C9DA1F1540CE0082882F /* SFAnalyticsLogger.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 4723C9DD1F1540CE0082882F /* SFAnalyticsLogger.h in Headers */ = {isa = PBXBuildFile; fileRef = 4723C9DA1F1540CE0082882F /* SFAnalyticsLogger.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 4723C9E01F1540CE0082882F /* SFAnalyticsLogger.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9DB1F1540CE0082882F /* SFAnalyticsLogger.m */; }; - 4723C9E11F1540CE0082882F /* SFAnalyticsLogger.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9DB1F1540CE0082882F /* SFAnalyticsLogger.m */; }; + 4727FBBA1F9918590003AE36 /* KeychainCryptoTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 4727FBB91F9918590003AE36 /* KeychainCryptoTests.m */; }; + 4727FBC51F991C470003AE36 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBC41F991C460003AE36 /* 
Foundation.framework */; }; + 4727FBC61F991DE90003AE36 /* libsecdRegressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC52EDB11D80D58400B0A59C /* libsecdRegressions.a */; }; + 4727FBC71F991E3A0003AE36 /* libsecurity.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DCC78EA91D8088E200865A7C /* libsecurity.a */; }; + 4727FBC81F991E460003AE36 /* libsecurityd_ios.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC52E7C21D80BC8000B0A59C /* libsecurityd_ios.a */; }; + 4727FBC91F991E5A0003AE36 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC0BCC361D8C684F00070CB0 /* libutilities.a */; }; + 4727FBCB1F991F510003AE36 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBCA1F991F510003AE36 /* Security.framework */; }; + 4727FBCD1F991F660003AE36 /* libsqlite3.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBCC1F991F660003AE36 /* libsqlite3.dylib */; }; + 4727FBCE1F991F820003AE36 /* SecurityFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBCF1F991F820003AE36 /* SecurityFoundation.framework */; }; + 4727FBD11F991F990003AE36 /* libMobileGestalt.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBD01F991F990003AE36 /* libMobileGestalt.dylib */; }; + 4727FBD31F9920290003AE36 /* CloudKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBD21F9920290003AE36 /* CloudKit.framework */; }; + 4727FBD51F9920510003AE36 /* ProtocolBuffer.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBD41F9920510003AE36 /* ProtocolBuffer.framework */; }; + 4727FBD61F9920960003AE36 /* libSecureObjectSyncFramework.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DCD8A1991E09EE0F00E4FA0A /* libSecureObjectSyncFramework.a */; }; + 4727FBD71F99209C0003AE36 /* libSecureObjectSyncServer.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC52E8C61D80C25800B0A59C /* libSecureObjectSyncServer.a */; }; + 4727FBD91F9920BC0003AE36 /* SystemConfiguration.framework in 
Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBD81F9920BB0003AE36 /* SystemConfiguration.framework */; }; + 4727FBDB1F9920CC0003AE36 /* WirelessDiagnostics.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBDA1F9920CB0003AE36 /* WirelessDiagnostics.framework */; }; + 4727FBDD1F9920F20003AE36 /* libaks_acl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBDC1F9920F10003AE36 /* libaks_acl.a */; }; + 4727FBDF1F99211D0003AE36 /* libaks.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBDE1F99211D0003AE36 /* libaks.a */; }; + 4727FBE11F9921300003AE36 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBE01F99212F0003AE36 /* IOKit.framework */; }; + 4727FBE31F9921660003AE36 /* MobileKeyBag.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBE21F9921660003AE36 /* MobileKeyBag.framework */; }; + 4727FBE51F99217B0003AE36 /* SharedWebCredentials.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBE41F99217A0003AE36 /* SharedWebCredentials.framework */; }; + 4727FBE71F99218A0003AE36 /* ApplePushService.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBE61F9921890003AE36 /* ApplePushService.framework */; }; + 4727FBE91F9921D10003AE36 /* libACM.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBE81F9921D00003AE36 /* libACM.a */; }; + 4727FBEA1F9922190003AE36 /* libregressionBase.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC0BCBFD1D8C648C00070CB0 /* libregressionBase.a */; }; + 4727FBEB1F99227F0003AE36 /* spi.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78CB01D8085D800865A7C /* spi.c */; }; + 4727FBEC1F99235B0003AE36 /* SecdWatchdog.m in Sources */ = {isa = PBXBuildFile; fileRef = 476541641F339F6300413F65 /* SecdWatchdog.m */; }; + 4727FBED1F99249A0003AE36 /* server_endpoint.m in Sources */ = {isa = PBXBuildFile; fileRef = DC6ACC401E81DF9400125DC5 /* server_endpoint.m */; }; + 4727FBEE1F9924DA0003AE36 /* server_entitlement_helpers.c in Sources */ = {isa = 
PBXBuildFile; fileRef = DC5F35A41EE0F1A900900966 /* server_entitlement_helpers.c */; }; + 4727FBEF1F9924FB0003AE36 /* server_security_helpers.c in Sources */ = {isa = PBXBuildFile; fileRef = DC4269061E82FBDF002B7110 /* server_security_helpers.c */; }; + 473337791FDAFBCC00E19F30 /* SFKeychainControlManager.h in Headers */ = {isa = PBXBuildFile; fileRef = 473337771FDAFBCC00E19F30 /* SFKeychainControlManager.h */; }; + 4733377A1FDAFBCC00E19F30 /* SFKeychainControlManager.h in Headers */ = {isa = PBXBuildFile; fileRef = 473337771FDAFBCC00E19F30 /* SFKeychainControlManager.h */; }; + 4733377B1FDAFBCC00E19F30 /* SFKeychainControlManager.m in Sources */ = {isa = PBXBuildFile; fileRef = 473337781FDAFBCC00E19F30 /* SFKeychainControlManager.m */; }; + 4733377C1FDAFBCC00E19F30 /* SFKeychainControlManager.m in Sources */ = {isa = PBXBuildFile; fileRef = 473337781FDAFBCC00E19F30 /* SFKeychainControlManager.m */; }; + 473337841FDB29C400E19F30 /* KeychainCheck.m in Sources */ = {isa = PBXBuildFile; fileRef = 473337831FDB29A200E19F30 /* KeychainCheck.m */; }; 474B5FC61E662E48007546F8 /* SecurityFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DCE4E7C01D7A463E00AFB96E /* SecurityFoundation.framework */; }; 474B5FC71E662E67007546F8 /* SecurityFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 474B5FBF1E662E21007546F8 /* SecurityFoundation.framework */; }; 474B5FC81E662E79007546F8 /* SecurityFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DCE4E7C01D7A463E00AFB96E /* SecurityFoundation.framework */; }; - 475F37201EE8F23900248FB5 /* SFAnalyticsLogging.plist in Resources */ = {isa = PBXBuildFile; fileRef = 475F371F1EE8F23900248FB5 /* SFAnalyticsLogging.plist */; }; - 475F37211EE8F23900248FB5 /* SFAnalyticsLogging.plist in Resources */ = {isa = PBXBuildFile; fileRef = 475F371F1EE8F23900248FB5 /* SFAnalyticsLogging.plist */; }; + 475F37201EE8F23900248FB5 /* SFAnalytics.plist in Resources */ = {isa = PBXBuildFile; fileRef = 
475F371F1EE8F23900248FB5 /* SFAnalytics.plist */; }; + 475F37211EE8F23900248FB5 /* SFAnalytics.plist in Resources */ = {isa = PBXBuildFile; fileRef = 475F371F1EE8F23900248FB5 /* SFAnalytics.plist */; }; 476541651F339F6300413F65 /* SecdWatchdog.h in Headers */ = {isa = PBXBuildFile; fileRef = 476541631F339F6300413F65 /* SecdWatchdog.h */; }; 476541701F33B59300413F65 /* SecdWatchdog.m in Sources */ = {isa = PBXBuildFile; fileRef = 476541641F339F6300413F65 /* SecdWatchdog.m */; }; 476541711F33B59500413F65 /* SecdWatchdog.m in Sources */ = {isa = PBXBuildFile; fileRef = 476541641F339F6300413F65 /* SecdWatchdog.m */; }; 
@@ -700,41 +847,89 @@ 47702B291E5F463400B29577 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 52D82BD316A5EADA0078DFE5 /* Security.framework */; }; 47702B371E5F495C00B29577 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = 47702B351E5F495C00B29577 /* main.m */; }; 47702B391E5F4B2200B29577 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 52D82BD316A5EADA0078DFE5 /* Security.framework */; }; - 4771ECCC1F17CD0E00840998 /* SFSQLite.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BC1F152EB10082882F /* SFSQLite.m */; }; 4771ECCD1F17CD0E00840998 /* SFSQLiteStatement.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BF1F152EB10082882F /* SFSQLiteStatement.m */; }; - 4771ECCE1F17CD2100840998 /* SFObjCType.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BE1F152EB10082882F /* SFObjCType.m */; }; - 4771ECD91F17CE5100840998 /* SFAnalyticsLogger.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9DB1F1540CE0082882F /* SFAnalyticsLogger.m */; }; - 479108B71EE879F9008CEFA0 /* CKKSAnalyticsLogger.h in Headers */ = {isa = PBXBuildFile; fileRef = 479108B51EE879F9008CEFA0 /* CKKSAnalyticsLogger.h */; }; - 479108B81EE879F9008CEFA0 /* CKKSAnalyticsLogger.h in Headers */ = {isa = PBXBuildFile; fileRef = 479108B51EE879F9008CEFA0 /* CKKSAnalyticsLogger.h */; }; - 479108B91EE879F9008CEFA0 /* CKKSAnalyticsLogger.m in Sources */ = {isa = PBXBuildFile; fileRef = 479108B61EE879F9008CEFA0 /* CKKSAnalyticsLogger.m */; }; - 479108BA1EE879F9008CEFA0 /* CKKSAnalyticsLogger.m in Sources */ = {isa = PBXBuildFile; fileRef = 479108B61EE879F9008CEFA0 /* CKKSAnalyticsLogger.m */; }; + 477A1F5220320E4A00ACD81D /* Accounts.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 477A1F4C20320E4900ACD81D /* Accounts.framework */; }; + 477A1F5320320E5100ACD81D /* Accounts.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF4C19C171E0EA600877419 /* Accounts.framework */; }; + 477A1FE4203763A500ACD81D /* 
KeychainAPITests.m in Sources */ = {isa = PBXBuildFile; fileRef = 477A1FE1203763A500ACD81D /* KeychainAPITests.m */; }; + 477A1FE5203763A500ACD81D /* KeychainAPITests.m in Sources */ = {isa = PBXBuildFile; fileRef = 477A1FE1203763A500ACD81D /* KeychainAPITests.m */; }; + 477A1FED2037A0E000ACD81D /* KeychainXCTest.m in Sources */ = {isa = PBXBuildFile; fileRef = 477A1FEC2037A0E000ACD81D /* KeychainXCTest.m */; }; + 477A1FEE2037A0E000ACD81D /* KeychainXCTest.m in Sources */ = {isa = PBXBuildFile; fileRef = 477A1FEC2037A0E000ACD81D /* KeychainXCTest.m */; }; + 478D42761FD72A8100CAB645 /* server_xpc.m in Sources */ = {isa = PBXBuildFile; fileRef = DCB2214A1E8B0861001598BC /* server_xpc.m */; }; + 478D42771FD72A8100CAB645 /* server_security_helpers.c in Sources */ = {isa = PBXBuildFile; fileRef = DC4269061E82FBDF002B7110 /* server_security_helpers.c */; }; + 478D42781FD72A8100CAB645 /* server_entitlement_helpers.c in Sources */ = {isa = PBXBuildFile; fileRef = DC5F35A41EE0F1A900900966 /* server_entitlement_helpers.c */; }; + 478D42791FD72A8100CAB645 /* spi.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78CB01D8085D800865A7C /* spi.c */; }; + 478D427A1FD72A8100CAB645 /* SecdWatchdog.m in Sources */ = {isa = PBXBuildFile; fileRef = 476541641F339F6300413F65 /* SecdWatchdog.m */; }; + 478D427B1FD72A8100CAB645 /* KeychainCryptoTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 4727FBB91F9918590003AE36 /* KeychainCryptoTests.m */; }; + 478D427C1FD72A8100CAB645 /* server_endpoint.m in Sources */ = {isa = PBXBuildFile; fileRef = DC6ACC401E81DF9400125DC5 /* server_endpoint.m */; }; + 478D427E1FD72A8100CAB645 /* CoreCDP.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 472339681FD7156700CB6A72 /* CoreCDP.framework */; }; + 478D427F1FD72A8100CAB645 /* libprequelite.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 472339611FD7155C00CB6A72 /* libprequelite.dylib */; }; + 478D42801FD72A8100CAB645 /* OCMock.framework in Frameworks */ = {isa = PBXBuildFile; 
fileRef = 47D1838B1FB3827700CFCD89 /* OCMock.framework */; }; + 478D42811FD72A8100CAB645 /* libregressionBase.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC0BCBFD1D8C648C00070CB0 /* libregressionBase.a */; }; + 478D42821FD72A8100CAB645 /* libACM.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBE81F9921D00003AE36 /* libACM.a */; }; + 478D42831FD72A8100CAB645 /* ApplePushService.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBE61F9921890003AE36 /* ApplePushService.framework */; }; + 478D42841FD72A8100CAB645 /* SharedWebCredentials.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBE41F99217A0003AE36 /* SharedWebCredentials.framework */; }; + 478D42851FD72A8100CAB645 /* MobileKeyBag.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBE21F9921660003AE36 /* MobileKeyBag.framework */; }; + 478D42861FD72A8100CAB645 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBE01F99212F0003AE36 /* IOKit.framework */; }; + 478D42871FD72A8100CAB645 /* libaks.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBDE1F99211D0003AE36 /* libaks.a */; }; + 478D42881FD72A8100CAB645 /* libaks_acl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBDC1F9920F10003AE36 /* libaks_acl.a */; }; + 478D42891FD72A8100CAB645 /* WirelessDiagnostics.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBDA1F9920CB0003AE36 /* WirelessDiagnostics.framework */; }; + 478D428A1FD72A8100CAB645 /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBD81F9920BB0003AE36 /* SystemConfiguration.framework */; }; + 478D428B1FD72A8100CAB645 /* libSecureObjectSyncServer.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC52E8C61D80C25800B0A59C /* libSecureObjectSyncServer.a */; }; + 478D428C1FD72A8100CAB645 /* libSecureObjectSyncFramework.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DCD8A1991E09EE0F00E4FA0A /* libSecureObjectSyncFramework.a */; }; + 
478D428D1FD72A8100CAB645 /* ProtocolBuffer.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBD41F9920510003AE36 /* ProtocolBuffer.framework */; }; + 478D428E1FD72A8100CAB645 /* CloudKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBD21F9920290003AE36 /* CloudKit.framework */; }; + 478D42901FD72A8100CAB645 /* SecurityFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBCF1F991F820003AE36 /* SecurityFoundation.framework */; }; + 478D42911FD72A8100CAB645 /* libsqlite3.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBCC1F991F660003AE36 /* libsqlite3.dylib */; }; + 478D42921FD72A8100CAB645 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBCA1F991F510003AE36 /* Security.framework */; }; + 478D42931FD72A8100CAB645 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC0BCC361D8C684F00070CB0 /* libutilities.a */; }; + 478D42941FD72A8100CAB645 /* libsecurityd_ios.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC52E7C21D80BC8000B0A59C /* libsecurityd_ios.a */; }; + 478D42951FD72A8100CAB645 /* libsecurity.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DCC78EA91D8088E200865A7C /* libsecurity.a */; }; + 478D42961FD72A8100CAB645 /* libsecdRegressions.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC52EDB11D80D58400B0A59C /* libsecdRegressions.a */; }; + 478D42971FD72A8100CAB645 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4727FBC41F991C460003AE36 /* Foundation.framework */; }; + 478D429E1FD72C4800CAB645 /* CrashReporterSupport.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DCE4E9391D7F3DF200AFB96E /* CrashReporterSupport.framework */; }; + 478D429F1FD72C8400CAB645 /* AppleSystemInfo.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DC610A3F1D78F2FF002223DE /* AppleSystemInfo.framework */; }; + 479108B71EE879F9008CEFA0 /* CKKSAnalytics.h in Headers */ = {isa = PBXBuildFile; fileRef = 
479108B51EE879F9008CEFA0 /* CKKSAnalytics.h */; }; + 479108B81EE879F9008CEFA0 /* CKKSAnalytics.h in Headers */ = {isa = PBXBuildFile; fileRef = 479108B51EE879F9008CEFA0 /* CKKSAnalytics.h */; }; + 479108B91EE879F9008CEFA0 /* CKKSAnalytics.m in Sources */ = {isa = PBXBuildFile; fileRef = 479108B61EE879F9008CEFA0 /* CKKSAnalytics.m */; }; + 479108BA1EE879F9008CEFA0 /* CKKSAnalytics.m in Sources */ = {isa = PBXBuildFile; fileRef = 479108B61EE879F9008CEFA0 /* CKKSAnalytics.m */; }; + 47922D211FAA76000008F7E0 /* SecDbKeychainSerializedMetadata.proto in Resources */ = {isa = PBXBuildFile; fileRef = 47922D201FAA75FF0008F7E0 /* SecDbKeychainSerializedMetadata.proto */; }; + 47922D2D1FAA77970008F7E0 /* SecDbKeychainSerializedSecretData.proto in Resources */ = {isa = PBXBuildFile; fileRef = 47922D2C1FAA77970008F7E0 /* SecDbKeychainSerializedSecretData.proto */; }; + 47922D421FAA7C240008F7E0 /* SecDbKeychainSerializedAKSWrappedKey.h in Headers */ = {isa = PBXBuildFile; fileRef = 47922D371FAA7C040008F7E0 /* SecDbKeychainSerializedAKSWrappedKey.h */; }; + 47922D431FAA7C260008F7E0 /* SecDbKeychainSerializedAKSWrappedKey.h in Headers */ = {isa = PBXBuildFile; fileRef = 47922D371FAA7C040008F7E0 /* SecDbKeychainSerializedAKSWrappedKey.h */; }; + 47922D441FAA7C2C0008F7E0 /* SecDbKeychainSerializedAKSWrappedKey.m in Sources */ = {isa = PBXBuildFile; fileRef = 47922D361FAA7C030008F7E0 /* SecDbKeychainSerializedAKSWrappedKey.m */; }; + 47922D451FAA7C2E0008F7E0 /* SecDbKeychainSerializedAKSWrappedKey.m in Sources */ = {isa = PBXBuildFile; fileRef = 47922D361FAA7C030008F7E0 /* SecDbKeychainSerializedAKSWrappedKey.m */; }; + 47922D461FAA7C340008F7E0 /* SecDbKeychainSerializedMetadata.h in Headers */ = {isa = PBXBuildFile; fileRef = 47922D3B1FAA7C100008F7E0 /* SecDbKeychainSerializedMetadata.h */; }; + 47922D471FAA7C350008F7E0 /* SecDbKeychainSerializedMetadata.h in Headers */ = {isa = PBXBuildFile; fileRef = 47922D3B1FAA7C100008F7E0 /* SecDbKeychainSerializedMetadata.h */; }; + 
47922D481FAA7C3C0008F7E0 /* SecDbKeychainSerializedMetadata.m in Sources */ = {isa = PBXBuildFile; fileRef = 47922D3A1FAA7C0F0008F7E0 /* SecDbKeychainSerializedMetadata.m */; }; + 47922D491FAA7C3D0008F7E0 /* SecDbKeychainSerializedMetadata.m in Sources */ = {isa = PBXBuildFile; fileRef = 47922D3A1FAA7C0F0008F7E0 /* SecDbKeychainSerializedMetadata.m */; }; + 47922D4A1FAA7C430008F7E0 /* SecDbKeychainSerializedSecretData.h in Headers */ = {isa = PBXBuildFile; fileRef = 47922D3E1FAA7C1A0008F7E0 /* SecDbKeychainSerializedSecretData.h */; }; + 47922D4B1FAA7C440008F7E0 /* SecDbKeychainSerializedSecretData.h in Headers */ = {isa = PBXBuildFile; fileRef = 47922D3E1FAA7C1A0008F7E0 /* SecDbKeychainSerializedSecretData.h */; }; + 47922D4C1FAA7C4A0008F7E0 /* SecDbKeychainSerializedSecretData.m in Sources */ = {isa = PBXBuildFile; fileRef = 47922D3F1FAA7C1B0008F7E0 /* SecDbKeychainSerializedSecretData.m */; }; + 47922D4D1FAA7C4B0008F7E0 /* SecDbKeychainSerializedSecretData.m in Sources */ = {isa = PBXBuildFile; fileRef = 47922D3F1FAA7C1B0008F7E0 /* SecDbKeychainSerializedSecretData.m */; }; + 47922D4F1FAA7D5C0008F7E0 /* SecDbKeychainSerializedItemV7.proto in Resources */ = {isa = PBXBuildFile; fileRef = 47922D4E1FAA7D5C0008F7E0 /* SecDbKeychainSerializedItemV7.proto */; }; + 47922D541FAA7E060008F7E0 /* SecDbKeychainSerializedItemV7.h in Headers */ = {isa = PBXBuildFile; fileRef = 47922D501FAA7DF60008F7E0 /* SecDbKeychainSerializedItemV7.h */; }; + 47922D551FAA7E070008F7E0 /* SecDbKeychainSerializedItemV7.h in Headers */ = {isa = PBXBuildFile; fileRef = 47922D501FAA7DF60008F7E0 /* SecDbKeychainSerializedItemV7.h */; }; + 47922D561FAA7E0D0008F7E0 /* SecDbKeychainSerializedItemV7.m in Sources */ = {isa = PBXBuildFile; fileRef = 47922D511FAA7DF70008F7E0 /* SecDbKeychainSerializedItemV7.m */; }; + 47922D571FAA7E0E0008F7E0 /* SecDbKeychainSerializedItemV7.m in Sources */ = {isa = PBXBuildFile; fileRef = 47922D511FAA7DF70008F7E0 /* SecDbKeychainSerializedItemV7.m */; }; 
479DA1721EBBA8D10065C98F /* CKKSManifest.m in Sources */ = {isa = PBXBuildFile; fileRef = 47CEED1F1E60DE900044EAB4 /* CKKSManifest.m */; }; 479DA1781EBBA8D30065C98F /* CKKSManifest.m in Sources */ = {isa = PBXBuildFile; fileRef = 47CEED1F1E60DE900044EAB4 /* CKKSManifest.m */; }; + 47A05B161FDB5D9E00D0816E /* SFKeychainControl.h in Headers */ = {isa = PBXBuildFile; fileRef = 47A05B101FDB5A8B00D0816E /* SFKeychainControl.h */; }; + 47A05B171FDB5D9F00D0816E /* SFKeychainControl.h in Headers */ = {isa = PBXBuildFile; fileRef = 47A05B101FDB5A8B00D0816E /* SFKeychainControl.h */; }; + 47A05B181FDB5DBC00D0816E /* SFKeychainControl.h in Headers */ = {isa = PBXBuildFile; fileRef = 47A05B101FDB5A8B00D0816E /* SFKeychainControl.h */; }; 47A0ABA81E6F7B24001B388C /* SecurityFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 474B5FBF1E662E21007546F8 /* SecurityFoundation.framework */; }; - 47B011971F17D7810030B49F /* SFObjCType.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BE1F152EB10082882F /* SFObjCType.m */; }; - 47B011981F17D78D0030B49F /* SFSQLite.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BC1F152EB10082882F /* SFSQLite.m */; }; 47B011991F17D78D0030B49F /* SFSQLiteStatement.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BF1F152EB10082882F /* SFSQLiteStatement.m */; }; - 47B0119A1F17D7E80030B49F /* SFObjCType.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BE1F152EB10082882F /* SFObjCType.m */; }; - 47B0119B1F17D7F10030B49F /* SFSQLite.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BC1F152EB10082882F /* SFSQLite.m */; }; - 47B0119C1F17D7F10030B49F /* SFSQLiteStatement.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BF1F152EB10082882F /* SFSQLiteStatement.m */; }; - 47B011A71F17D8980030B49F /* SFAnalyticsLogger.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9DB1F1540CE0082882F /* SFAnalyticsLogger.m */; }; - 47B011AD1F17D8A00030B49F /* SFAnalyticsLogger.m in Sources */ = {isa = PBXBuildFile; fileRef 
= 4723C9DB1F1540CE0082882F /* SFAnalyticsLogger.m */; }; 47B90C901F350966006500BC /* CrashReporterSupport.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DCE4E9391D7F3DF200AFB96E /* CrashReporterSupport.framework */; }; - 47B90C951F3509C1006500BC /* CrashReporterSupport.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DCE4E9391D7F3DF200AFB96E /* CrashReporterSupport.framework */; }; 47C51B871EEA657D0032D9E5 /* SecurityUnitTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 47C51B861EEA657D0032D9E5 /* SecurityUnitTests.m */; }; 47C51B891EEA657D0032D9E5 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DC1789041D77980500B50D50 /* Security.framework */; }; 47D13F631E8447FB0063B6E2 /* SecurityFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DCE4E7C01D7A463E00AFB96E /* SecurityFoundation.framework */; }; + 47D183911FB3827800CFCD89 /* OCMock.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 47D1838B1FB3827700CFCD89 /* OCMock.framework */; }; + 47DE88DA1FA7B07400DD3254 /* server_xpc.m in Sources */ = {isa = PBXBuildFile; fileRef = DCB2214A1E8B0861001598BC /* server_xpc.m */; }; 47E553741EDF674700749715 /* CKKSManifestTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 476E918D1E7343B200B4E4D3 /* CKKSManifestTests.m */; }; 483E798F1DC87605005C0008 /* secd-67-prefixedKeyIDs.m in Sources */ = {isa = PBXBuildFile; fileRef = 483E79891DC875F2005C0008 /* secd-67-prefixedKeyIDs.m */; }; 48776C811DA5BC0E00CC09B9 /* SOSAccountRecovery.m in Sources */ = {isa = PBXBuildFile; fileRef = 48776C801DA5BC0E00CC09B9 /* SOSAccountRecovery.m */; }; - 48C2F9391E4BCFDA0093D70C /* accountCirclesViewsPrint.m in Sources */ = {isa = PBXBuildFile; fileRef = 48C2F9321E4BCFC30093D70C /* accountCirclesViewsPrint.m */; }; - 48C2F93A1E4BCFDC0093D70C /* accountCirclesViewsPrint.m in Sources */ = {isa = PBXBuildFile; fileRef = 48C2F9321E4BCFC30093D70C /* accountCirclesViewsPrint.m */; }; - 48C2F93B1E4BCFE80093D70C /* 
accountCirclesViewsPrint.m in Sources */ = {isa = PBXBuildFile; fileRef = 48C2F9321E4BCFC30093D70C /* accountCirclesViewsPrint.m */; }; - 48C2F93C1E4BD00F0093D70C /* accountCirclesViewsPrint.h in Headers */ = {isa = PBXBuildFile; fileRef = 48C2F9331E4BCFC30093D70C /* accountCirclesViewsPrint.h */; }; 48CC589F1DA5FF2700EBD9DB /* secd-66-account-recovery.m in Sources */ = {isa = PBXBuildFile; fileRef = 48CC58971DA5FF0B00EBD9DB /* secd-66-account-recovery.m */; }; 48E617211DBEC6BA0098EAAD /* SOSBackupInformation.m in Sources */ = {isa = PBXBuildFile; fileRef = 48E6171A1DBEC40D0098EAAD /* SOSBackupInformation.m */; }; 48E617221DBEC6C60098EAAD /* SOSBackupInformation.h in Headers */ = {isa = PBXBuildFile; fileRef = 48E6171B1DBEC40D0098EAAD /* SOSBackupInformation.h */; }; - 4AF7000015AFB73800B9D400 /* SecOTRIdentityPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 4AF7FFF615AFB73800B9D400 /* SecOTRIdentityPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; 4AF7000115AFB73800B9D400 /* SecOTRMath.h in Headers */ = {isa = PBXBuildFile; fileRef = 4AF7FFF715AFB73800B9D400 /* SecOTRMath.h */; settings = {ATTRIBUTES = (Private, ); }; }; 4AF7000315AFB73800B9D400 /* SecOTRPacketData.h in Headers */ = {isa = PBXBuildFile; fileRef = 4AF7FFF915AFB73800B9D400 /* SecOTRPacketData.h */; settings = {ATTRIBUTES = (Private, ); }; }; 4AF7000415AFB73800B9D400 /* SecOTRPackets.h in Headers */ = {isa = PBXBuildFile; fileRef = 4AF7FFFA15AFB73800B9D400 /* SecOTRPackets.h */; settings = {ATTRIBUTES = (Private, ); }; }; 
@@ -743,7 +938,7 @@ 4AF7FFFD15AFB73800B9D400 /* SecOTR.h in Headers */ = {isa = PBXBuildFile; fileRef = 4AF7FFF315AFB73800B9D400 /* SecOTR.h */; settings = {ATTRIBUTES = (Private, ); }; }; 4AF7FFFE15AFB73800B9D400 /* SecOTRDHKey.h in Headers */ = {isa = PBXBuildFile; fileRef = 4AF7FFF415AFB73800B9D400 /* SecOTRDHKey.h */; settings = {ATTRIBUTES = (Private, ); }; }; 4AF7FFFF15AFB73800B9D400 /* SecOTRErrors.h in Headers */ = {isa = PBXBuildFile; fileRef = 4AF7FFF515AFB73800B9D400 /* SecOTRErrors.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 4C0B906E0ACCBD240077CD03 /* SecFramework.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C0B906C0ACCBD240077CD03 /* SecFramework.h */; }; + 4C0B906E0ACCBD240077CD03 /* SecFramework.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C0B906C0ACCBD240077CD03 /* SecFramework.h */; settings = {ATTRIBUTES = (Private, ); }; }; 4C0CC642174C580200CC799A /* SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E71F3E3016EA69A900FAF9B4 /* SystemConfiguration.framework */; }; 4C12828D0BB4957D00985BB0 /* SecTrustSettingsPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C12828C0BB4957D00985BB0 /* SecTrustSettingsPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; 4C198F220ACDB4BF00AAB142 /* Certificate.strings in Resources */ = {isa = PBXBuildFile; fileRef = 4C198F1D0ACDB4BF00AAB142 /* Certificate.strings */; }; 
@@ -751,7 +946,7 @@ 4C1B442D0BB9CAF900461B82 /* SecTrustStore.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C1B442C0BB9CAF900461B82 /* SecTrustStore.h */; settings = {ATTRIBUTES = (Private, ); }; }; 4C2215220F3A612C00835155 /* libsqlite3.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CB740680A4749C800D641BB /* libsqlite3.dylib */; }; 4C2F81D50BF121D2003C4F77 /* SecRandom.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C2F81D40BF121D2003C4F77 /* SecRandom.h */; settings = {ATTRIBUTES = (Public, ); }; }; - 4C32C1030A4976BF002891BD /* certextensions.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C28BCD60986EBCB0020C665 /* certextensions.h */; }; + 4C32C1030A4976BF002891BD /* certextensions.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C28BCD60986EBCB0020C665 /* certextensions.h */; settings = {ATTRIBUTES = (Private, ); }; }; 4C32C1240A4976BF002891BD /* SecBase.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C696B3709BFA94F000CBC75 /* SecBase.h */; settings = {ATTRIBUTES = (Public, ); }; }; 4C32C1250A4976BF002891BD /* SecCertificate.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C8FD03D099D5C91006867B6 /* SecCertificate.h */; settings = {ATTRIBUTES = (Public, ); }; }; 4C32C1260A4976BF002891BD /* SecTrust.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C8FD03E099D5C91006867B6 /* SecTrust.h */; settings = {ATTRIBUTES = (Public, ); }; }; 
@@ -911,12 +1106,10 @@ 4CE5A66009C79E0600D27A3F /* ioSock.c in Sources */ = {isa = PBXBuildFile; fileRef = 4CE5A65809C79E0600D27A3F /* ioSock.c */; }; 4CE5A66109C79E0600D27A3F /* sslAppUtils.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 4CE5A65A09C79E0600D27A3F /* sslAppUtils.cpp */; }; 4CE7EA791AEAF39C0067F5BD /* SecItemBackup.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CE7EA561AEAE8D60067F5BD /* SecItemBackup.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 4CEF4CA80C5551FE00062475 /* SecCertificateInternal.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CEF4CA70C5551FE00062475 /* SecCertificateInternal.h */; }; + 4CEF4CA80C5551FE00062475 /* SecCertificateInternal.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CEF4CA70C5551FE00062475 /* SecCertificateInternal.h */; settings = {ATTRIBUTES = (Private, ); }; }; 4CF0484C0A5D988F00268236 /* SecItem.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CF0484A0A5D988F00268236 /* SecItem.h */; settings = {ATTRIBUTES = (Public, ); }; }; 4CF048800A5F016300268236 /* SecItemPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CF0487F0A5F016300268236 /* SecItemPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; - 4CF41D0C0BBB4022005F3248 /* SecCertificatePath.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CF41D0A0BBB4022005F3248 /* SecCertificatePath.h */; }; 4CF4C19D171E0EA600877419 /* Accounts.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF4C19C171E0EA600877419 /* Accounts.framework */; }; - 4CFBF6100D5A951100969BBE /* SecPolicyInternal.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CFBF5F10D5A92E100969BBE /* SecPolicyInternal.h */; }; 52222CD0167BDAEC00EDD09C /* SpringBoardServices.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 52222CC0167BDAE100EDD09C /* SpringBoardServices.framework */; }; 522B280E1E64B4BF002B5638 /* secd-230-keybagtable.m in Sources */ = {isa = PBXBuildFile; fileRef = 522B28081E64B48E002B5638 /* secd-230-keybagtable.m */; }; 
524492941AFD6D480043695A /* der_plist.h in Headers */ = {isa = PBXBuildFile; fileRef = 524492931AFD6D480043695A /* der_plist.h */; settings = {ATTRIBUTES = (Private, ); }; }; 
@@ -955,18 +1148,30 @@ 5E8B53A51AA0B8A600345E7B /* libcoreauthd_test_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E8B53A41AA0B8A600345E7B /* libcoreauthd_test_client.a */; }; 5EAFA4D31EF1605A002DC188 /* LocalAuthentication.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 5EAFA4CD1EF16059002DC188 /* LocalAuthentication.framework */; }; 5EBE247D1B00CCAE0007DB0E /* main.c in Sources */ = {isa = PBXBuildFile; fileRef = 5EBE247C1B00CCAE0007DB0E /* main.c */; }; - 6C0B0C491E253832007F95E5 /* AwdMetadata-0x60-Keychain.bin in CopyFiles */ = {isa = PBXBuildFile; fileRef = 6C3446551E2534E800F9522B /* AwdMetadata-0x60-Keychain.bin */; }; 6C0B0C4B1E253848007F95E5 /* AwdMetadata-0x60-Keychain.bin in CopyFiles */ = {isa = PBXBuildFile; fileRef = 6C3446551E2534E800F9522B /* AwdMetadata-0x60-Keychain.bin */; }; + 6C1260FD1F7DA42D001B2EEC /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; + 6C13AE471F8E9F5F00F047E3 /* supd.m in Sources */ = {isa = PBXBuildFile; fileRef = 6C69517E1F758E1000F68F91 /* supd.m */; }; + 6C13AE481F8E9FC800F047E3 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC0BCC361D8C684F00070CB0 /* libutilities.a */; }; 6C1520D41DCCF71400C85C6D /* secd.8 in Install man8 page */ = {isa = PBXBuildFile; fileRef = 6C1520CD1DCCF57A00C85C6D /* secd.8 */; }; 6C1F93111DD5E41A00585608 /* libDiagnosticMessagesClient.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = DC610A3C1D78F25C002223DE /* libDiagnosticMessagesClient.dylib */; }; 6C3446301E24F6BE00F9522B /* CKKSRateLimiterTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 6C34462F1E24F6BE00F9522B /* CKKSRateLimiterTests.m */; }; 6C3446461E25346C00F9522B /* CKKSRateLimiter.h in Headers */ = {isa = PBXBuildFile; fileRef = 6CC185971E24E87D009657D8 /* CKKSRateLimiter.h */; }; 6C3446471E25346C00F9522B /* CKKSRateLimiter.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CC185981E24E87D009657D8 /* 
CKKSRateLimiter.m */; }; + 6C4605A51F882B9B001421B6 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; + 6C4605BC1F882DB6001421B6 /* SFAnalyticsTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 6C1A29FC1F882788002312D8 /* SFAnalyticsTests.m */; }; + 6C4605BD1F882DC3001421B6 /* SupdTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 6C758CB01F8826100075BD78 /* SupdTests.m */; }; 6C588D7F1EAA14AA00D7E322 /* RateLimiterTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 6C588D791EAA149F00D7E322 /* RateLimiterTests.m */; }; 6C588D801EAA20AB00D7E322 /* RateLimiter.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CC7F5B31E9F99EE0014AE63 /* RateLimiter.m */; }; 6C588D811EAA20AC00D7E322 /* RateLimiter.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CC7F5B31E9F99EE0014AE63 /* RateLimiter.m */; }; 6C5B36BA1E2F9B95008AD443 /* WirelessDiagnostics.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 6C0B0C3D1E2537C6007F95E5 /* WirelessDiagnostics.framework */; settings = {ATTRIBUTES = (Weak, ); }; }; 6C5B36C01E2F9BEA008AD443 /* WirelessDiagnostics.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 6C0B0C3D1E2537C6007F95E5 /* WirelessDiagnostics.framework */; settings = {ATTRIBUTES = (Weak, ); }; }; + 6C73F48A2006B839003D5D63 /* SOSAnalytics.m in Sources */ = {isa = PBXBuildFile; fileRef = 6C7BB0032006B4EE004D1B6B /* SOSAnalytics.m */; }; + 6C73F48B2006B83A003D5D63 /* SOSAnalytics.m in Sources */ = {isa = PBXBuildFile; fileRef = 6C7BB0032006B4EE004D1B6B /* SOSAnalytics.m */; }; + 6C73F48C2006B83D003D5D63 /* SOSAnalytics.m in Sources */ = {isa = PBXBuildFile; fileRef = 6C7BB0032006B4EE004D1B6B /* SOSAnalytics.m */; }; + 6C73F48D2006B83E003D5D63 /* SOSAnalytics.m in Sources */ = {isa = PBXBuildFile; fileRef = 6C7BB0032006B4EE004D1B6B /* SOSAnalytics.m */; }; + 6C73F48F2006B910003D5D63 /* SOSAnalytics.h in Headers */ = {isa = PBXBuildFile; fileRef = 6C7BB0042006B4EF004D1B6B 
/* SOSAnalytics.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 6C73F4902006B911003D5D63 /* SOSAnalytics.h in Headers */ = {isa = PBXBuildFile; fileRef = 6C7BB0042006B4EF004D1B6B /* SOSAnalytics.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 6C7FD5DF1F87FA42002C2285 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C32C0AF0A4975F6002891BD /* Security.framework */; }; 6C869A751F50CAF400957298 /* SOSEnsureBackup.m in Sources */ = {isa = PBXBuildFile; fileRef = 6C860C7A1F4F63DB004100A1 /* SOSEnsureBackup.m */; }; 6C869A761F50CAF500957298 /* SOSEnsureBackup.m in Sources */ = {isa = PBXBuildFile; fileRef = 6C860C7A1F4F63DB004100A1 /* SOSEnsureBackup.m */; }; 6C869A791F54C37900957298 /* AWDKeychainSOSKeychainBackupFailed.m in Sources */ = {isa = PBXBuildFile; fileRef = 6C869A771F54C2D700957298 /* AWDKeychainSOSKeychainBackupFailed.m */; }; 
@@ -978,8 +1183,9 @@ 6C8CC3B41E2F913D009025C5 /* AWDKeychainCKKSRateLimiterOverload.m in Sources */ = {isa = PBXBuildFile; fileRef = 6C3446521E2534E800F9522B /* AWDKeychainCKKSRateLimiterOverload.m */; }; 6C8CC3B51E2F913D009025C5 /* AWDKeychainCKKSRateLimiterTopWriters.m in Sources */ = {isa = PBXBuildFile; fileRef = 6C3446541E2534E800F9522B /* AWDKeychainCKKSRateLimiterTopWriters.m */; }; 6C8CC3B61E2F98C2009025C5 /* ProtocolBuffer.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 6C0B0C441E2537CC007F95E5 /* ProtocolBuffer.framework */; settings = {ATTRIBUTES = (Weak, ); }; }; + 6C8CE6C11FA248DA0032ADF0 /* SFAnalyticsActivityTracker+Internal.h in Headers */ = {isa = PBXBuildFile; fileRef = 6C8CE6BB1FA248B50032ADF0 /* SFAnalyticsActivityTracker+Internal.h */; }; + 6C8CE6C21FA248DB0032ADF0 /* SFAnalyticsActivityTracker+Internal.h in Headers */ = {isa = PBXBuildFile; fileRef = 6C8CE6BB1FA248B50032ADF0 /* SFAnalyticsActivityTracker+Internal.h */; }; 6C98083E1E788AEB00E70590 /* spi.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78CB01D8085D800865A7C /* spi.c */; }; - 6C9808491E788AEB00E70590 /* libDER_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC59E9EC1D91C9DC001BDDF5 /* libDER_not_installed.a */; }; 6C98084A1E788AEB00E70590 /* libASN1_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC8834081D8A218F00CE0ACA /* libASN1_not_installed.a */; }; 6C98084C1E788AEB00E70590 /* libsecurityd_ios_NO_AKS.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC222C771E034D1F00B09171 /* libsecurityd_ios_NO_AKS.a */; }; 6C98084D1E788AEB00E70590 /* libSecureObjectSyncFramework.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DCD8A1991E09EE0F00E4FA0A /* libSecureObjectSyncFramework.a */; }; 
@@ -999,7 +1205,6 @@ 6C98085B1E788AEB00E70590 /* libsqlite3.0.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = DC27B57D1DDFC24500599261 /* libsqlite3.0.dylib */; }; 6C98085C1E788AEB00E70590 /* libz.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = BE8ABDD71DC2DD9100EC2D58 /* libz.dylib */; }; 6C98087A1E788AFD00E70590 /* spi.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78CB01D8085D800865A7C /* spi.c */; }; - 6C9808851E788AFD00E70590 /* libDER_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC59E9EC1D91C9DC001BDDF5 /* libDER_not_installed.a */; }; 6C9808861E788AFD00E70590 /* libASN1_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC8834081D8A218F00CE0ACA /* libASN1_not_installed.a */; }; 6C9808881E788AFD00E70590 /* libsecurityd_ios_NO_AKS.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC222C771E034D1F00B09171 /* libsecurityd_ios_NO_AKS.a */; }; 6C9808891E788AFD00E70590 /* libSecureObjectSyncFramework.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DCD8A1991E09EE0F00E4FA0A /* libSecureObjectSyncFramework.a */; }; 
@@ -1020,13 +1225,84 @@ 6C9808981E788AFD00E70590 /* libz.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = BE8ABDD71DC2DD9100EC2D58 /* libz.dylib */; }; 6C9808A51E788CD100E70590 /* CKKSCloudKitTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CCDF7911E3C2D69003F2555 /* CKKSCloudKitTests.m */; }; 6C9808A61E788CD200E70590 /* CKKSCloudKitTests.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CCDF7911E3C2D69003F2555 /* CKKSCloudKitTests.m */; }; + 6C9AA7A11F7C1D9000D08296 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = 6C9AA7A01F7C1D9000D08296 /* main.m */; }; + 6C9AA7A51F7C6F7F00D08296 /* SecArgParse.c in Sources */ = {isa = PBXBuildFile; fileRef = DC5BCC461E5380EA00649140 /* SecArgParse.c */; }; + 6CAA8CDD1F82EDEF007B6E03 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DC1789041D77980500B50D50 /* Security.framework */; }; + 6CAA8CEE1F83E417007B6E03 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C32C0AF0A4975F6002891BD /* Security.framework */; }; + 6CAA8CEF1F83E65D007B6E03 /* SFObjCType.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BE1F152EB10082882F /* SFObjCType.m */; }; + 6CAA8CF01F83E65E007B6E03 /* SFObjCType.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BE1F152EB10082882F /* SFObjCType.m */; }; + 6CAA8CF41F83E799007B6E03 /* SFSQLite.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BC1F152EB10082882F /* SFSQLite.m */; }; + 6CAA8CF61F83E79D007B6E03 /* SFSQLite.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BC1F152EB10082882F /* SFSQLite.m */; }; + 6CAA8CF71F83E79E007B6E03 /* SFSQLite.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BC1F152EB10082882F /* SFSQLite.m */; }; + 6CAA8CF81F83E7A9007B6E03 /* SFAnalyticsSQLiteStore.m in Sources */ = {isa = PBXBuildFile; fileRef = 6C69518D1F75A7DB00F68F91 /* SFAnalyticsSQLiteStore.m */; }; + 6CAA8CF91F83E7AA007B6E03 /* SFAnalyticsSQLiteStore.m in Sources */ = {isa = PBXBuildFile; fileRef = 6C69518D1F75A7DB00F68F91 
/* SFAnalyticsSQLiteStore.m */; }; + 6CAA8CFA1F83E7AC007B6E03 /* SFAnalyticsSQLiteStore.m in Sources */ = {isa = PBXBuildFile; fileRef = 6C69518D1F75A7DB00F68F91 /* SFAnalyticsSQLiteStore.m */; }; + 6CAA8CFC1F83E7EA007B6E03 /* SFObjCType.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BE1F152EB10082882F /* SFObjCType.m */; }; + 6CAA8CFD1F83E7EB007B6E03 /* SFObjCType.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BE1F152EB10082882F /* SFObjCType.m */; }; + 6CAA8CFE1F83E800007B6E03 /* SFSQLite.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BC1F152EB10082882F /* SFSQLite.m */; }; + 6CAA8CFF1F83E800007B6E03 /* SFSQLite.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BC1F152EB10082882F /* SFSQLite.m */; }; + 6CAA8D0D1F83EC57007B6E03 /* SFSQLiteStatement.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BF1F152EB10082882F /* SFSQLiteStatement.m */; }; + 6CAA8D131F83ECD4007B6E03 /* SFAnalytics.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9DB1F1540CE0082882F /* SFAnalytics.m */; }; + 6CAA8D141F83ECD5007B6E03 /* SFAnalytics.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9DB1F1540CE0082882F /* SFAnalytics.m */; }; + 6CAA8D151F83ECD9007B6E03 /* SFAnalytics.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9DB1F1540CE0082882F /* SFAnalytics.m */; }; + 6CAA8D271F843002007B6E03 /* supd.m in Sources */ = {isa = PBXBuildFile; fileRef = 6C69517E1F758E1000F68F91 /* supd.m */; }; + 6CAA8D351F84306C007B6E03 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = 6C6951801F758E1000F68F91 /* main.m */; }; + 6CAA8D371F843196007B6E03 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DC1789041D77980500B50D50 /* Security.framework */; }; + 6CAA8D3A1F8431A7007B6E03 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC0BCC361D8C684F00070CB0 /* libutilities.a */; }; + 6CAA8D3B1F8431AE007B6E03 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = D40B6A881E2B5F9900CD6EE5 /* 
Foundation.framework */; }; 6CAB39C71E521BEA00566A79 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; 6CB5F47B1E402E6700DBF3F0 /* KeychainEntitledTestRunner.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CB5F47A1E402E5700DBF3F0 /* KeychainEntitledTestRunner.m */; }; + 6CB96BAC1F966D6500E11457 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = 6C6951801F758E1000F68F91 /* main.m */; }; + 6CB96BB21F966DA400E11457 /* SFSQLite.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BC1F152EB10082882F /* SFSQLite.m */; }; + 6CB96BB31F966DA400E11457 /* SFSQLiteStatement.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BF1F152EB10082882F /* SFSQLiteStatement.m */; }; + 6CB96BB61F966E4300E11457 /* SFObjCType.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BE1F152EB10082882F /* SFObjCType.m */; }; + 6CBF65391FA147E500A68667 /* SFAnalyticsActivityTracker.h in Headers */ = {isa = PBXBuildFile; fileRef = 6CBF65371FA147E500A68667 /* SFAnalyticsActivityTracker.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 6CBF653A1FA147E500A68667 /* SFAnalyticsActivityTracker.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CBF65381FA147E500A68667 /* SFAnalyticsActivityTracker.m */; }; + 6CBF65401FA1480C00A68667 /* SFAnalyticsActivityTracker.h in Headers */ = {isa = PBXBuildFile; fileRef = 6CBF65371FA147E500A68667 /* SFAnalyticsActivityTracker.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 6CBF65411FA1481100A68667 /* SFAnalyticsActivityTracker.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CBF65381FA147E500A68667 /* SFAnalyticsActivityTracker.m */; }; + 6CBF65421FA2255800A68667 /* SFAnalyticsActivityTracker.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CBF65381FA147E500A68667 /* SFAnalyticsActivityTracker.m */; }; + 6CBF65431FA2257100A68667 /* SFAnalyticsActivityTracker.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CBF65381FA147E500A68667 /* SFAnalyticsActivityTracker.m */; 
}; + 6CBF65441FA2257200A68667 /* SFAnalyticsActivityTracker.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CBF65381FA147E500A68667 /* SFAnalyticsActivityTracker.m */; }; + 6CBF65451FA2257500A68667 /* SFAnalyticsActivityTracker.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CBF65381FA147E500A68667 /* SFAnalyticsActivityTracker.m */; }; 6CC1859E1E24E8EB009657D8 /* CKKSRateLimiter.h in Headers */ = {isa = PBXBuildFile; fileRef = 6CC185971E24E87D009657D8 /* CKKSRateLimiter.h */; }; 6CC1859F1E24E8EB009657D8 /* CKKSRateLimiter.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CC185981E24E87D009657D8 /* CKKSRateLimiter.m */; }; + 6CC952481FB4CB2C0051A823 /* SFAnalytics+Internal.h in Headers */ = {isa = PBXBuildFile; fileRef = 6CC952421FB4C5CA0051A823 /* SFAnalytics+Internal.h */; }; + 6CC952491FB4CB2D0051A823 /* SFAnalytics+Internal.h in Headers */ = {isa = PBXBuildFile; fileRef = 6CC952421FB4C5CA0051A823 /* SFAnalytics+Internal.h */; }; 6CCDF78C1E3C26BC003F2555 /* XCTest.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 6CCDF78B1E3C26BC003F2555 /* XCTest.framework */; }; 6CCDF78D1E3C26C2003F2555 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = D40B6A881E2B5F9900CD6EE5 /* Foundation.framework */; }; + 6CDB5FF51FA78D1A00410924 /* SFAnalyticsMultiSampler.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CDB5FED1FA78CB400410924 /* SFAnalyticsMultiSampler.m */; }; + 6CDB5FF61FA78D1B00410924 /* SFAnalyticsMultiSampler.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CDB5FED1FA78CB400410924 /* SFAnalyticsMultiSampler.m */; }; + 6CDB5FF71FA78D2100410924 /* SFAnalyticsMultiSampler.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CDB5FED1FA78CB400410924 /* SFAnalyticsMultiSampler.m */; }; + 6CDB5FF81FA78D2300410924 /* SFAnalyticsMultiSampler.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CDB5FED1FA78CB400410924 /* SFAnalyticsMultiSampler.m */; }; + 6CDB5FF91FA78D2400410924 /* SFAnalyticsMultiSampler.m in Sources */ = {isa = 
PBXBuildFile; fileRef = 6CDB5FED1FA78CB400410924 /* SFAnalyticsMultiSampler.m */; }; + 6CDB5FFA1FA78D2500410924 /* SFAnalyticsMultiSampler.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CDB5FED1FA78CB400410924 /* SFAnalyticsMultiSampler.m */; }; + 6CDB5FFB1FA78D2C00410924 /* SFAnalyticsMultiSampler.h in Headers */ = {isa = PBXBuildFile; fileRef = 6CDB5FF41FA78CB500410924 /* SFAnalyticsMultiSampler.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 6CDB5FFC1FA78D2D00410924 /* SFAnalyticsMultiSampler.h in Headers */ = {isa = PBXBuildFile; fileRef = 6CDB5FF41FA78CB500410924 /* SFAnalyticsMultiSampler.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 6CDB600F1FA92D2B00410924 /* securityuploadd.8 in Copy Manpage */ = {isa = PBXBuildFile; fileRef = 6C5B10211F9164F5009B091E /* securityuploadd.8 */; }; + 6CDB60111FA9386200410924 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DC1789041D77980500B50D50 /* Security.framework */; }; + 6CDB601A1FA93A1800410924 /* libsqlite3.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = 6CB96BB41F966E0C00E11457 /* libsqlite3.tbd */; }; + 6CDB601B1FA93A2000410924 /* libprequelite.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = 6CFDC4561F907E1D00646DBB /* libprequelite.tbd */; }; + 6CDF8DEF1F96495600140B54 /* SFAnalyticsSampler.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CDF8DE61F95562B00140B54 /* SFAnalyticsSampler.m */; }; + 6CDF8DF01F96495700140B54 /* SFAnalyticsSampler.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CDF8DE61F95562B00140B54 /* SFAnalyticsSampler.m */; }; + 6CDF8DF11F96498300140B54 /* SFAnalyticsSampler.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CDF8DE61F95562B00140B54 /* SFAnalyticsSampler.m */; }; + 6CDF8DF21F9649AB00140B54 /* SFAnalyticsSampler.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CDF8DE61F95562B00140B54 /* SFAnalyticsSampler.m */; }; + 6CDF8DF31F9649C000140B54 /* SFAnalyticsSQLiteStore.m in Sources */ = {isa = PBXBuildFile; fileRef = 
6C69518D1F75A7DB00F68F91 /* SFAnalyticsSQLiteStore.m */; }; + 6CDF8DF41F9649C000140B54 /* SFAnalytics.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9DB1F1540CE0082882F /* SFAnalytics.m */; }; 6CE22D701E49206600974785 /* UIKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 6CE22D6F1E49206600974785 /* UIKit.framework */; }; + 6CE3654B1FA100D00012F6AB /* SFAnalytics.h in Headers */ = {isa = PBXBuildFile; fileRef = 4723C9DA1F1540CE0082882F /* SFAnalytics.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 6CE3654C1FA100D10012F6AB /* SFAnalytics.h in Headers */ = {isa = PBXBuildFile; fileRef = 4723C9DA1F1540CE0082882F /* SFAnalytics.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 6CE3654D1FA100E50012F6AB /* SFAnalytics.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9DB1F1540CE0082882F /* SFAnalytics.m */; }; + 6CE3654E1FA100E50012F6AB /* SFAnalytics.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9DB1F1540CE0082882F /* SFAnalytics.m */; }; + 6CE3654F1FA100F10012F6AB /* SFAnalyticsDefines.h in Headers */ = {isa = PBXBuildFile; fileRef = 6C69518F1F75A8C100F68F91 /* SFAnalyticsDefines.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 6CE365501FA100F20012F6AB /* SFAnalyticsDefines.h in Headers */ = {isa = PBXBuildFile; fileRef = 6C69518F1F75A8C100F68F91 /* SFAnalyticsDefines.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 6CE365511FA100FE0012F6AB /* SFAnalyticsSampler.h in Headers */ = {isa = PBXBuildFile; fileRef = 6CDF8DE51F95562B00140B54 /* SFAnalyticsSampler.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 6CE365521FA100FF0012F6AB /* SFAnalyticsSampler.h in Headers */ = {isa = PBXBuildFile; fileRef = 6CDF8DE51F95562B00140B54 /* SFAnalyticsSampler.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 6CE365531FA101080012F6AB /* SFAnalyticsSampler.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CDF8DE61F95562B00140B54 /* SFAnalyticsSampler.m */; }; + 6CE365541FA101090012F6AB /* SFAnalyticsSampler.m in Sources */ = {isa = 
PBXBuildFile; fileRef = 6CDF8DE61F95562B00140B54 /* SFAnalyticsSampler.m */; }; + 6CE365551FA101730012F6AB /* SFAnalyticsSQLiteStore.h in Headers */ = {isa = PBXBuildFile; fileRef = 6C69518E1F75A7DC00F68F91 /* SFAnalyticsSQLiteStore.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 6CE365561FA101740012F6AB /* SFAnalyticsSQLiteStore.h in Headers */ = {isa = PBXBuildFile; fileRef = 6C69518E1F75A7DC00F68F91 /* SFAnalyticsSQLiteStore.h */; settings = {ATTRIBUTES = (Private, ); }; }; + 6CE365571FA1017D0012F6AB /* SFAnalyticsSQLiteStore.m in Sources */ = {isa = PBXBuildFile; fileRef = 6C69518D1F75A7DB00F68F91 /* SFAnalyticsSQLiteStore.m */; }; + 6CE365581FA1017E0012F6AB /* SFAnalyticsSQLiteStore.m in Sources */ = {isa = PBXBuildFile; fileRef = 6C69518D1F75A7DB00F68F91 /* SFAnalyticsSQLiteStore.m */; }; 6CF4A0B81E45488B00ECD7B5 /* AppDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CF4A0B71E45488B00ECD7B5 /* AppDelegate.m */; }; 6CF4A0BB1E45488B00ECD7B5 /* main.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CF4A0BA1E45488B00ECD7B5 /* main.m */; }; 6CF4A0BE1E45488B00ECD7B5 /* ViewController.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CF4A0BD1E45488B00ECD7B5 /* ViewController.m */; }; 
@@ -1038,6 +1314,7 @@ 6CF4A0ED1E4549F300ECD7B5 /* Main.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 6CF4A0EB1E4549F300ECD7B5 /* Main.storyboard */; }; 6CF4A0EF1E4549F300ECD7B5 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 6CF4A0EE1E4549F300ECD7B5 /* Assets.xcassets */; }; 6CF4A0F21E4549F300ECD7B5 /* LaunchScreen.storyboard in Resources */ = {isa = PBXBuildFile; fileRef = 6CF4A0F01E4549F300ECD7B5 /* LaunchScreen.storyboard */; }; + 6CFDC4551F907D2600646DBB /* SFObjCType.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BE1F152EB10082882F /* SFObjCType.m */; }; 7200D76F177B9999009BB396 /* ManagedConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 72C3EC2D1705F24E0040C87C /* ManagedConfiguration.framework */; }; 724340BA1ED3FEC800F8F566 /* SecSMIME.h in Headers */ = {isa = PBXBuildFile; fileRef = DC17870D1D778FA900B50D50 /* SecSMIME.h */; settings = {ATTRIBUTES = (Private, ); }; }; 7281E0871DFD01800021E1B7 /* SOSAccountGetSet.m in Sources */ = {isa = PBXBuildFile; fileRef = 7281E0861DFD015A0021E1B7 /* SOSAccountGetSet.m */; }; 
@@ -1047,15 +1324,8 @@ 7281E0901DFD0E0A0021E1B7 /* CKDKVSProxy.m in Sources */ = {isa = PBXBuildFile; fileRef = E7A5F4C71C0CFF3200F3BEBB /* CKDKVSProxy.m */; }; 7281E0911DFD0E510021E1B7 /* CKDSimulatedStore.m in Sources */ = {isa = PBXBuildFile; fileRef = E7FE40C41DC804E400F0F5B6 /* CKDSimulatedStore.m */; }; 7281E0971DFD0FD00021E1B7 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; - 728B56A216D59979008FA3AB /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; - 72C3EC2E1705F24E0040C87C /* ManagedConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 72C3EC2D1705F24E0040C87C /* ManagedConfiguration.framework */; }; - 72CD2BBE16D59AE30064EEE1 /* OTAServiceApp.m in Sources */ = {isa = PBXBuildFile; fileRef = 72CD2BBB16D59AE30064EEE1 /* OTAServiceApp.m */; }; - 72CD2BBF16D59AE30064EEE1 /* OTAServicemain.m in Sources */ = {isa = PBXBuildFile; fileRef = 72CD2BBD16D59AE30064EEE1 /* OTAServicemain.m */; }; - 72CD2BCD16D59AF30064EEE1 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C32C0AF0A4975F6002891BD /* Security.framework */; }; - 72CD2BCE16D59B010064EEE1 /* MobileAsset.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 7273402816CAFB3C0096622A /* MobileAsset.framework */; }; 72CDF5131EC679A4002D233B /* sec_action.h in Headers */ = {isa = PBXBuildFile; fileRef = 7221843F1EC6782A004C7BED /* sec_action.h */; }; 72CDF5191EC679A8002D233B /* sec_action.c in Sources */ = {isa = PBXBuildFile; fileRef = 7221843E1EC6782A004C7BED /* sec_action.c */; }; - 72DF9EFE178360230054641E /* libMobileGestalt.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = E7D690911652E06A0079537A /* libMobileGestalt.dylib */; }; 78F92F11195128D70023B54B /* SecECKeyPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 78F92F10195128D70023B54B /* SecECKeyPriv.h */; settings = {ATTRIBUTES = 
(Private, ); }; }; 7901791812D51F7200CA4D44 /* SecCmsBase.h in Headers */ = {isa = PBXBuildFile; fileRef = 7901790E12D51F7200CA4D44 /* SecCmsBase.h */; settings = {ATTRIBUTES = (Private, ); }; }; 7901791912D51F7200CA4D44 /* SecCmsContentInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = 7901790F12D51F7200CA4D44 /* SecCmsContentInfo.h */; settings = {ATTRIBUTES = (Private, ); }; }; 
@@ -1115,6 +1385,13 @@ BE22FBD11EE2084100893431 /* Config.m in Sources */ = {isa = PBXBuildFile; fileRef = BE22FBD01EE2084100893431 /* Config.m */; }; BE22FC041EE3584400893431 /* mark.m in Sources */ = {isa = PBXBuildFile; fileRef = BE22FBFC1EE23D9100893431 /* mark.m */; }; BE25C41618B83491003320E0 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; + BE2AD2B31FDA07EF00739F96 /* OTBottledPeerRecord.h in Headers */ = {isa = PBXBuildFile; fileRef = BE2AD2B11FDA07EF00739F96 /* OTBottledPeerRecord.h */; }; + BE2AD2BA1FDA080800739F96 /* OTBottledPeerRecord.m in Sources */ = {isa = PBXBuildFile; fileRef = BE2AD2B21FDA07EF00739F96 /* OTBottledPeerRecord.m */; }; + BE2AD2BB1FDA080900739F96 /* OTBottledPeerRecord.m in Sources */ = {isa = PBXBuildFile; fileRef = BE2AD2B21FDA07EF00739F96 /* OTBottledPeerRecord.m */; }; + BE3405AC1FD7258900933DAC /* OTBottle.proto in Sources */ = {isa = PBXBuildFile; fileRef = BE3405A11FD71CC800933DAC /* OTBottle.proto */; }; + BE3405AD1FD725A700933DAC /* OTBottleContents.proto in Sources */ = {isa = PBXBuildFile; fileRef = BE3405A51FD720C900933DAC /* OTBottleContents.proto */; }; + BE3405AE1FD725EC00933DAC /* OTBottle.proto in Sources */ = {isa = PBXBuildFile; fileRef = BE3405A11FD71CC800933DAC /* OTBottle.proto */; }; + BE3405AF1FD725F000933DAC /* OTBottleContents.proto in Sources */ = {isa = PBXBuildFile; fileRef = BE3405A51FD720C900933DAC /* OTBottleContents.proto */; }; BE405EE21DC2F10E00E227B1 /* libz.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = BE8ABDD71DC2DD9100EC2D58 /* libz.dylib */; }; BE405EE31DC2F11E00E227B1 /* libz.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = BE8ABDD71DC2DD9100EC2D58 /* libz.dylib */; }; BE442BAE18B7FDB800F24DAE /* libMobileGestalt.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = E7D690911652E06A0079537A /* libMobileGestalt.dylib */; }; 
@@ -1131,9 +1408,29 @@ BE6215BE1DB6E69100961E15 /* si-84-sectrust-allowlist.m in Sources */ = {isa = PBXBuildFile; fileRef = BE6215BD1DB6E69100961E15 /* si-84-sectrust-allowlist.m */; }; BE759DCB1917E38D00801E02 /* CoreGraphics.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE451314471B000DE34E /* CoreGraphics.framework */; }; BE8ABDD81DC2DD9100EC2D58 /* libz.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = BE8ABDD71DC2DD9100EC2D58 /* libz.dylib */; }; + BEA74211202525CD00EC7993 /* si-88-sectrust-valid-data in Resources */ = {isa = PBXBuildFile; fileRef = BEB9EA2E1FFF1AF600676593 /* si-88-sectrust-valid-data */; }; + BEA74217202525DC00EC7993 /* si-88-sectrust-valid-data in Resources */ = {isa = PBXBuildFile; fileRef = BEB9EA2E1FFF1AF600676593 /* si-88-sectrust-valid-data */; }; + BEB0B0D71FFC3D9A007E6A83 /* OTPrivateKey.proto in Sources */ = {isa = PBXBuildFile; fileRef = BEB0B0CE1FFC37E3007E6A83 /* OTPrivateKey.proto */; }; + BEB0B0D81FFC3DD3007E6A83 /* OTPrivateKey.proto in Sources */ = {isa = PBXBuildFile; fileRef = BEB0B0CE1FFC37E3007E6A83 /* OTPrivateKey.proto */; }; + BEB0B0DB1FFC45C2007E6A83 /* OTPrivateKey+SF.h in Headers */ = {isa = PBXBuildFile; fileRef = BEB0B0D91FFC45C2007E6A83 /* OTPrivateKey+SF.h */; }; + BEB0B0DD1FFC45D7007E6A83 /* OTPrivateKey+SF.m in Sources */ = {isa = PBXBuildFile; fileRef = BEB0B0DA1FFC45C2007E6A83 /* OTPrivateKey+SF.m */; }; + BEB0B0DE1FFC45D8007E6A83 /* OTPrivateKey+SF.m in Sources */ = {isa = PBXBuildFile; fileRef = BEB0B0DA1FFC45C2007E6A83 /* OTPrivateKey+SF.m */; }; + BEB9E9EC1FFF195C00676593 /* si-88-sectrust-valid.m in Sources */ = {isa = PBXBuildFile; fileRef = BEB9E9E51FFF193D00676593 /* si-88-sectrust-valid.m */; }; + BEB9EA2F1FFF1AF700676593 /* si-88-sectrust-valid-data in Resources */ = {isa = PBXBuildFile; fileRef = BEB9EA2E1FFF1AF600676593 /* si-88-sectrust-valid-data */; }; + BEB9EA301FFF1B0800676593 /* si-88-sectrust-valid-data in Resources */ = {isa = PBXBuildFile; fileRef = 
BEB9EA2E1FFF1AF600676593 /* si-88-sectrust-valid-data */; }; BED208D81EDF950E00753952 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 52D82BD316A5EADA0078DFE5 /* Security.framework */; }; BED208D91EDF950E00753952 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; BED208E81EDF974500753952 /* manifeststresstest.m in Sources */ = {isa = PBXBuildFile; fileRef = BED208E71EDF971600753952 /* manifeststresstest.m */; }; + BEE4B18C1FFD585800777D39 /* OTAuthenticatedCiphertext.proto in Sources */ = {isa = PBXBuildFile; fileRef = BEE4B1861FFD57D800777D39 /* OTAuthenticatedCiphertext.proto */; }; + BEE4B18D1FFD588000777D39 /* OTAuthenticatedCiphertext.proto in Sources */ = {isa = PBXBuildFile; fileRef = BEE4B1861FFD57D800777D39 /* OTAuthenticatedCiphertext.proto */; }; + BEE4B1921FFD604B00777D39 /* OTAuthenticatedCiphertext+SF.h in Headers */ = {isa = PBXBuildFile; fileRef = BEE4B1901FFD604B00777D39 /* OTAuthenticatedCiphertext+SF.h */; }; + BEE4B1931FFD604B00777D39 /* OTAuthenticatedCiphertext+SF.h in Headers */ = {isa = PBXBuildFile; fileRef = BEE4B1901FFD604B00777D39 /* OTAuthenticatedCiphertext+SF.h */; }; + BEE4B1941FFD604B00777D39 /* OTAuthenticatedCiphertext+SF.m in Sources */ = {isa = PBXBuildFile; fileRef = BEE4B1911FFD604B00777D39 /* OTAuthenticatedCiphertext+SF.m */; }; + BEE4B1951FFD604B00777D39 /* OTAuthenticatedCiphertext+SF.m in Sources */ = {isa = PBXBuildFile; fileRef = BEE4B1911FFD604B00777D39 /* OTAuthenticatedCiphertext+SF.m */; }; + BEE4B1981FFDAFE600777D39 /* SFPublicKey+SPKI.h in Headers */ = {isa = PBXBuildFile; fileRef = BEE4B1961FFDAFE600777D39 /* SFPublicKey+SPKI.h */; }; + BEE4B1991FFDAFE600777D39 /* SFPublicKey+SPKI.h in Headers */ = {isa = PBXBuildFile; fileRef = BEE4B1961FFDAFE600777D39 /* SFPublicKey+SPKI.h */; }; + BEE4B19A1FFDAFE600777D39 /* SFECPublicKey+SPKI.m in Sources */ = {isa = PBXBuildFile; fileRef = BEE4B1971FFDAFE600777D39 /* 
SFECPublicKey+SPKI.m */; }; + BEE4B19B1FFDAFE600777D39 /* SFECPublicKey+SPKI.m in Sources */ = {isa = PBXBuildFile; fileRef = BEE4B1971FFDAFE600777D39 /* SFECPublicKey+SPKI.m */; }; BEE523D91DACAA2500DD0AA3 /* libz.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = DC1789221D7799A600B50D50 /* libz.dylib */; }; BEE523DC1DACAA9200DD0AA3 /* libz.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = DC1789221D7799A600B50D50 /* libz.dylib */; }; BEEB47D91EA189F5004AA5C6 /* SecTrustStatusCodes.c in Sources */ = {isa = PBXBuildFile; fileRef = BEEB47D71EA189F5004AA5C6 /* SecTrustStatusCodes.c */; }; @@ -1204,7 +1501,6 @@ D4096E011ED5F0B5000AC459 /* si-60-cms.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78DD81D8085FC00865A7C /* si-60-cms.c */; }; D4096E021ED5F207000AC459 /* si-64-ossl-cms.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78DE71D8085FC00865A7C /* si-64-ossl-cms.c */; }; D4096E031ED5F21C000AC459 /* si-65-cms-cert-policy.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78DE81D8085FC00865A7C /* si-65-cms-cert-policy.c */; }; - D40B6A821E2B5F5600CD6EE5 /* libDER_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC59E9EC1D91C9DC001BDDF5 /* libDER_not_installed.a */; }; D40B6A831E2B5F5B00CD6EE5 /* libASN1_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC8834081D8A218F00CE0ACA /* libASN1_not_installed.a */; }; D40B6A8D1E2B63D900CD6EE5 /* libtrustd.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D4ADA3191E2B41670031CEA3 /* libtrustd.a */; }; D40B6A8E1E2B643500CD6EE5 /* libtrustd.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D4ADA3191E2B41670031CEA3 /* libtrustd.a */; }; 
@@ -1218,11 +1514,13 @@ D40B6A9B1E2B690E00CD6EE5 /* SecuritydXPC.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E9A1D8085FC00865A7C /* SecuritydXPC.c */; }; D40B6A9D1E2B6A2700CD6EE5 /* login.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DCE4E8271D7A4F0E00AFB96E /* login.framework */; }; D40B6A9E1E2B6A6F00CD6EE5 /* libtrustd.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D4ADA3191E2B41670031CEA3 /* libtrustd.a */; }; + D4119E78202BDF490048587B /* libz.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = D4119E72202BDF2B0048587B /* libz.tbd */; }; + D4119E79202BDF580048587B /* libz.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = D4119E72202BDF2B0048587B /* libz.tbd */; }; + D4119E882032A8FA0048587B /* OCMock.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 47D1838B1FB3827700CFCD89 /* OCMock.framework */; }; D41257D01E9410A300781F23 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = D40B6A881E2B5F9900CD6EE5 /* Foundation.framework */; }; D41257D91E9412B800781F23 /* trustd.c in Sources */ = {isa = PBXBuildFile; fileRef = D4BEECE61E93093A00F76D1A /* trustd.c */; }; D41257DA1E9412DC00781F23 /* libtrustd.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D4ADA3191E2B41670031CEA3 /* libtrustd.a */; }; D41257DB1E9412E700781F23 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC0BCC361D8C684F00070CB0 /* libutilities.a */; }; - D41257DC1E94130C00781F23 /* libDER_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC59E9EC1D91C9DC001BDDF5 /* libDER_not_installed.a */; }; D41257DE1E94132900781F23 /* libsqlite3.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CB740680A4749C800D641BB /* libsqlite3.dylib */; }; D41257DF1E94133600781F23 /* CFNetwork.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF730310EF9CDE300E17471 /* CFNetwork.framework */; }; D41257E01E94136000781F23 /* libz.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = BE8ABDD71DC2DD9100EC2D58 
/* libz.dylib */; }; @@ -1240,7 +1538,7 @@ D43B88721E72298500F86F19 /* MobileAsset.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 7273402816CAFB3C0096622A /* MobileAsset.framework */; settings = {ATTRIBUTES = (Weak, ); }; }; D43DBEFB1E99D1CA00C04AEA /* asynchttp.c in Sources */ = {isa = PBXBuildFile; fileRef = D43DBED51E99D17100C04AEA /* asynchttp.c */; }; D43DBEFC1E99D1CA00C04AEA /* nameconstraints.c in Sources */ = {isa = PBXBuildFile; fileRef = D43DBED71E99D17100C04AEA /* nameconstraints.c */; }; - D43DBEFD1E99D1CA00C04AEA /* OTATrustUtilities.c in Sources */ = {isa = PBXBuildFile; fileRef = D43DBED91E99D17100C04AEA /* OTATrustUtilities.c */; }; + D43DBEFD1E99D1CA00C04AEA /* OTATrustUtilities.m in Sources */ = {isa = PBXBuildFile; fileRef = D43DBED91E99D17100C04AEA /* OTATrustUtilities.m */; }; D43DBEFE1E99D1CA00C04AEA /* personalization.c in Sources */ = {isa = PBXBuildFile; fileRef = D43DBEDB1E99D17100C04AEA /* personalization.c */; }; D43DBEFF1E99D1CA00C04AEA /* policytree.c in Sources */ = {isa = PBXBuildFile; fileRef = D43DBEDD1E99D17100C04AEA /* policytree.c */; }; D43DBF001E99D1CA00C04AEA /* SecCAIssuerCache.c in Sources */ = {isa = PBXBuildFile; fileRef = D43DBEDF1E99D17200C04AEA /* SecCAIssuerCache.c */; }; 
@@ -1254,13 +1552,41 @@ D43DBF081E99D1CA00C04AEA /* SecPolicyServer.c in Sources */ = {isa = PBXBuildFile; fileRef = D43DBEEF1E99D17300C04AEA /* SecPolicyServer.c */; }; D43DBF091E99D1CA00C04AEA /* SecRevocationDb.c in Sources */ = {isa = PBXBuildFile; fileRef = D43DBEF11E99D17300C04AEA /* SecRevocationDb.c */; }; D43DBF0A1E99D1CA00C04AEA /* SecRevocationServer.c in Sources */ = {isa = PBXBuildFile; fileRef = D43DBEF31E99D17300C04AEA /* SecRevocationServer.c */; }; - D43DBF0B1E99D1CA00C04AEA /* SecTrustLoggingServer.c in Sources */ = {isa = PBXBuildFile; fileRef = D43DBEF51E99D17300C04AEA /* SecTrustLoggingServer.c */; }; + D43DBF0B1E99D1CA00C04AEA /* SecTrustLoggingServer.m in Sources */ = {isa = PBXBuildFile; fileRef = D43DBEF51E99D17300C04AEA /* SecTrustLoggingServer.m */; }; D43DBF0C1E99D1CA00C04AEA /* SecTrustServer.c in Sources */ = {isa = PBXBuildFile; fileRef = D43DBEF71E99D17300C04AEA /* SecTrustServer.c */; }; D43DBF0D1E99D1CA00C04AEA /* SecTrustStoreServer.c in Sources */ = {isa = PBXBuildFile; fileRef = D43DBEF91E99D17300C04AEA /* SecTrustStoreServer.c */; }; D447C4101D3094740082FC1D /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C32C0AF0A4975F6002891BD /* Security.framework */; }; D450686A1E948D2200FA7675 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4C32C0AF0A4975F6002891BD /* Security.framework */; }; + D453C3901FEC66AE00DE349B /* trust_update.m in Sources */ = {isa = PBXBuildFile; fileRef = D453C38A1FEC669300DE349B /* trust_update.m */; }; + D4574AA0203E618B006D9B82 /* Accounts.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF4C19C171E0EA600877419 /* Accounts.framework */; settings = {ATTRIBUTES = (Weak, ); }; }; + D4574AA1203E6893006D9B82 /* Accounts.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF4C19C171E0EA600877419 /* Accounts.framework */; settings = {ATTRIBUTES = (Weak, ); }; }; + D4574AA2203E68C8006D9B82 /* AuthKit.framework in Frameworks */ = {isa = 
PBXBuildFile; fileRef = 5A94C6D4203CC2590066E391 /* AuthKit.framework */; settings = {ATTRIBUTES = (Weak, ); }; }; + D4574AA3203E68E0006D9B82 /* AuthKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 5A94C6D4203CC2590066E391 /* AuthKit.framework */; settings = {ATTRIBUTES = (Weak, ); }; }; D45917E41DC13E6700752D25 /* SecCertificateRequest.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E3E1D8085FC00865A7C /* SecCertificateRequest.c */; }; D459A1781E9FFE60009ED74B /* CoreCDP.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DCE4E9411D7F3E6E00AFB96E /* CoreCDP.framework */; }; + D46246971F9AE2E400D63882 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D46246911F9AE2E400D63882 /* libDER.a */; }; + D46246A31F9AE59E00D63882 /* oids.h in Headers */ = {isa = PBXBuildFile; fileRef = D46246A21F9AE49E00D63882 /* oids.h */; settings = {ATTRIBUTES = (Private, ); }; }; + D46246A61F9AE61000D63882 /* oids.c in Sources */ = {isa = PBXBuildFile; fileRef = D462469C1F9AE45900D63882 /* oids.c */; }; + D46246A71F9AE62000D63882 /* oids.c in Sources */ = {isa = PBXBuildFile; fileRef = D462469C1F9AE45900D63882 /* oids.c */; }; + D46246A81F9AE64000D63882 /* oids.h in Headers */ = {isa = PBXBuildFile; fileRef = D46246A21F9AE49E00D63882 /* oids.h */; settings = {ATTRIBUTES = (Public, ); }; }; + D46246AA1F9AE6CA00D63882 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D46246A91F9AE6C900D63882 /* libDER.a */; }; + D46246B51F9AE74000D63882 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D46246AF1F9AE73F00D63882 /* libDER.a */; }; + D46246B61F9AE75100D63882 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D46246AF1F9AE73F00D63882 /* libDER.a */; }; + D46246B71F9AE76500D63882 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D46246AF1F9AE73F00D63882 /* libDER.a */; }; + D46246B81F9AE77900D63882 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D46246AF1F9AE73F00D63882 /* libDER.a */; }; + 
D46246B91F9AE79000D63882 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D46246AF1F9AE73F00D63882 /* libDER.a */; }; + D46246BA1F9AE7A000D63882 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D46246AF1F9AE73F00D63882 /* libDER.a */; }; + D46246BB1F9AE7B300D63882 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D46246AF1F9AE73F00D63882 /* libDER.a */; }; + D46246BC1F9AE82B00D63882 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D46246AF1F9AE73F00D63882 /* libDER.a */; }; + D46246BD1F9AE83600D63882 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D46246AF1F9AE73F00D63882 /* libDER.a */; }; + D46246BE1F9AE86400D63882 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D46246AF1F9AE73F00D63882 /* libDER.a */; }; + D46246C91F9AEA5300D63882 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D46246C31F9AEA5200D63882 /* libDER.a */; }; + D46246D41F9AEAE300D63882 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D46246CE1F9AEAE300D63882 /* libDER.a */; }; + D46246D91F9AED5D00D63882 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D46246CE1F9AEAE300D63882 /* libDER.a */; }; + D479F6E21F980FAB00388D28 /* Trust.strings in Resources */ = {isa = PBXBuildFile; fileRef = D479F6DF1F980F8F00388D28 /* Trust.strings */; }; + D479F6E31F981FD600388D28 /* OID.strings in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C198F1F0ACDB4BF00AAB142 /* OID.strings */; }; + D479F6E41F981FD600388D28 /* Certificate.strings in CopyFiles */ = {isa = PBXBuildFile; fileRef = 4C198F1D0ACDB4BF00AAB142 /* Certificate.strings */; }; + D479F6E51F981FD600388D28 /* Trust.strings in CopyFiles */ = {isa = PBXBuildFile; fileRef = D479F6DF1F980F8F00388D28 /* Trust.strings */; }; D47CA65D1EB036450038E2BB /* libMobileGestalt.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = D47CA65C1EB036450038E2BB /* libMobileGestalt.dylib */; }; D47E69401E92F75D002C8CF6 /* si-61-pkcs12.c in Sources */ = {isa = 
PBXBuildFile; fileRef = DCC78DD91D8085FC00865A7C /* si-61-pkcs12.c */; }; D47F514C1C3B812500A7CEFE /* SecCFAllocator.h in Headers */ = {isa = PBXBuildFile; fileRef = D47F514B1C3B812500A7CEFE /* SecCFAllocator.h */; settings = {ATTRIBUTES = (Private, ); }; }; @@ -1268,7 +1594,7 @@ D487B9881DFA2902000410A1 /* SecInternalReleasePriv.h in Headers */ = {isa = PBXBuildFile; fileRef = DC0BCC771D8C68CF00070CB0 /* SecInternalReleasePriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; D487FBB81DB8357300D4BB0B /* si-29-sectrust-sha1-deprecation.m in Sources */ = {isa = PBXBuildFile; fileRef = D487FBB71DB8357300D4BB0B /* si-29-sectrust-sha1-deprecation.m */; }; D487FBBA1DB835B500D4BB0B /* si-29-sectrust-sha1-deprecation.h in Headers */ = {isa = PBXBuildFile; fileRef = D487FBB91DB835B500D4BB0B /* si-29-sectrust-sha1-deprecation.h */; }; - D48E4E241E42F0620011B4BA /* si-62-csr.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78DDA1D8085FC00865A7C /* si-62-csr.c */; }; + D48E4E241E42F0620011B4BA /* si-62-csr.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78DDA1D8085FC00865A7C /* si-62-csr.m */; }; D4AA64361E95D92600D317ED /* com.apple.trustd.sb in Copy Sandbox */ = {isa = PBXBuildFile; fileRef = D41257EB1E941CF200781F23 /* com.apple.trustd.sb */; }; D4AA643C1E95D93100D317ED /* com.apple.trustd.plist in Copy LaunchDaemon Files */ = {isa = PBXBuildFile; fileRef = D41257EA1E941CF200781F23 /* com.apple.trustd.plist */; }; D4AA643D1E95D93900D317ED /* com.apple.trustd.agent.plist in Copy LaunchAgent */ = {isa = PBXBuildFile; fileRef = D41257E91E941CF200781F23 /* com.apple.trustd.agent.plist */; }; 
@@ -1285,6 +1611,14 @@ D4ADA3311E2B43450031CEA3 /* CFNetwork.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CF730310EF9CDE300E17471 /* CFNetwork.framework */; }; D4B858671D370D9A003B2D95 /* MobileCoreServices.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = D4B858661D370D9A003B2D95 /* MobileCoreServices.framework */; }; D4BEECE81E93094500F76D1A /* trustd.c in Sources */ = {isa = PBXBuildFile; fileRef = D4BEECE61E93093A00F76D1A /* trustd.c */; }; + D4C263CE1F95300F001317EA /* SecErrorMessages.strings in Resources */ = {isa = PBXBuildFile; fileRef = D4C263CC1F952F6C001317EA /* SecErrorMessages.strings */; }; + D4C263CF1F953019001317EA /* SecDebugErrorMessages.strings in Resources */ = {isa = PBXBuildFile; fileRef = D4C263C81F952E64001317EA /* SecDebugErrorMessages.strings */; }; + D4C6C5C81FB2AD5E007EA57E /* si-87-sectrust-name-constraints in Resources */ = {isa = PBXBuildFile; fileRef = D4C6C5C71FB2AD3F007EA57E /* si-87-sectrust-name-constraints */; }; + D4C6C5C91FB2AD6D007EA57E /* si-87-sectrust-name-constraints in Resources */ = {isa = PBXBuildFile; fileRef = D4C6C5C71FB2AD3F007EA57E /* si-87-sectrust-name-constraints */; }; + D4C6C5CA1FB2AD7A007EA57E /* si-87-sectrust-name-constraints in Resources */ = {isa = PBXBuildFile; fileRef = D4C6C5C71FB2AD3F007EA57E /* si-87-sectrust-name-constraints */; }; + D4C6C5CD1FB3B423007EA57E /* libarchive.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = D4C6C5CB1FB3B3CC007EA57E /* libarchive.tbd */; }; + D4C6C5CF1FB3B44D007EA57E /* libarchive.2.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = D4C6C5CE1FB3B44C007EA57E /* libarchive.2.dylib */; }; + D4C6C5D01FB3B45E007EA57E /* libarchive.2.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = D4C6C5CE1FB3B44C007EA57E /* libarchive.2.dylib */; }; D4C7CD661E71E92D00139817 /* MobileAsset.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 7273402816CAFB3C0096622A /* MobileAsset.framework */; settings = {ATTRIBUTES = (Weak, ); }; }; 
D4CFAA7E1E660BB3004746AA /* si-32-sectrust-pinning-required.m in Sources */ = {isa = PBXBuildFile; fileRef = D4CFAA7D1E660BB3004746AA /* si-32-sectrust-pinning-required.m */; }; D4D718351E04A721000AE7A6 /* spbkdf-01-hmac-sha256.c in Sources */ = {isa = PBXBuildFile; fileRef = D4D718341E04A721000AE7A6 /* spbkdf-01-hmac-sha256.c */; }; 
@@ -1292,14 +1626,19 @@ D4D886C01CEB9F7200DC7583 /* ssl-policy-certs in Resources */ = {isa = PBXBuildFile; fileRef = D4D886BE1CEB9F3B00DC7583 /* ssl-policy-certs */; }; D4D886E91CEBDD2A00DC7583 /* nist-certs in Resources */ = {isa = PBXBuildFile; fileRef = D4D886E81CEBDD2A00DC7583 /* nist-certs */; }; D4D886EA1CEBDE0800DC7583 /* nist-certs in Resources */ = {isa = PBXBuildFile; fileRef = D4D886E81CEBDD2A00DC7583 /* nist-certs */; }; - D4D96ED51F478BAF004B5F01 /* libDER_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC59E9EC1D91C9DC001BDDF5 /* libDER_not_installed.a */; }; D4EC94FB1CEA482D0083E753 /* si-20-sectrust-policies-data in Resources */ = {isa = PBXBuildFile; fileRef = D4EC94FA1CEA482D0083E753 /* si-20-sectrust-policies-data */; }; D4EC94FE1CEA48760083E753 /* si-20-sectrust-policies-data in Resources */ = {isa = PBXBuildFile; fileRef = D4EC94FA1CEA482D0083E753 /* si-20-sectrust-policies-data */; }; D4FBBD621DD661A7004408F7 /* CMSEncoder.h in Headers */ = {isa = PBXBuildFile; fileRef = D4FBBD601DD66196004408F7 /* CMSEncoder.h */; settings = {ATTRIBUTES = (Private, ); }; }; D4FBBD631DD661AD004408F7 /* CMSDecoder.h in Headers */ = {isa = PBXBuildFile; fileRef = D4FBBD611DD66196004408F7 /* CMSDecoder.h */; settings = {ATTRIBUTES = (Private, ); }; }; + DA19DAEF1FCFA420008E82EE /* CKKSControl.m in Sources */ = {isa = PBXBuildFile; fileRef = DC9C95B31F79CFD1000D19E5 /* CKKSControl.m */; }; + DA19DAF01FCFA425008E82EE /* CKKSControlProtocol.m in Sources */ = {isa = PBXBuildFile; fileRef = DCF7A8A21F0450EB00CABE89 /* CKKSControlProtocol.m */; }; DA30D6851DF8CA4100EC6B43 /* KeychainSyncAccountUpdater.m in Sources */ = {isa = PBXBuildFile; fileRef = DA30D6841DF8CA4100EC6B43 /* KeychainSyncAccountUpdater.m */; }; - DAD3BD011F9830BB00DF29BA /* CKKSControlProtocol.m in Sources */ = {isa = PBXBuildFile; fileRef = DCF7A8A21F0450EB00CABE89 /* CKKSControlProtocol.m */; }; - DAD3BD021F9830BC00DF29BA /* CKKSControlProtocol.m in Sources */ = {isa = 
PBXBuildFile; fileRef = DCF7A8A21F0450EB00CABE89 /* CKKSControlProtocol.m */; }; + DA6AA1651FE88AFB004565B0 /* CKKSControlServer.m in Sources */ = {isa = PBXBuildFile; fileRef = DA6AA15E1FE88AF9004565B0 /* CKKSControlServer.m */; }; + DA6AA1661FE88AFB004565B0 /* CKKSControlServer.m in Sources */ = {isa = PBXBuildFile; fileRef = DA6AA15E1FE88AF9004565B0 /* CKKSControlServer.m */; }; + DA6AA1671FE88AFB004565B0 /* CKKSControlServer.h in Headers */ = {isa = PBXBuildFile; fileRef = DA6AA1641FE88AFA004565B0 /* CKKSControlServer.h */; }; + DA6AA1681FE88AFB004565B0 /* CKKSControlServer.h in Headers */ = {isa = PBXBuildFile; fileRef = DA6AA1641FE88AFA004565B0 /* CKKSControlServer.h */; }; + DAB27AE11FA29EE300DEBBDE /* SOSControlServer.m in Sources */ = {isa = PBXBuildFile; fileRef = DAB27AE01FA29EB800DEBBDE /* SOSControlServer.m */; }; + DAEE055C1FAD3FC700DF27F3 /* AutoreleaseTest.c in Sources */ = {isa = PBXBuildFile; fileRef = DAEE05551FAD3FC500DF27F3 /* AutoreleaseTest.c */; }; DC0067C11D87879D005AF8DB /* ucspServer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DC6A82811D87734600418608 /* ucspServer.cpp */; }; DC0067C21D8787A4005AF8DB /* ucspNotifyReceiver.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DC6A82831D87734600418608 /* ucspNotifyReceiver.cpp */; }; DC0067D11D8788B7005AF8DB /* ucspClientC.c in Sources */ = {isa = PBXBuildFile; fileRef = DC6A82801D87734600418608 /* ucspClientC.c */; }; 
@@ -1421,8 +1760,6 @@ DC0BC6611D8B755200070CB0 /* ckutilities.c in Sources */ = {isa = PBXBuildFile; fileRef = DC0BC6131D8B755200070CB0 /* ckutilities.c */; }; DC0BC6621D8B755200070CB0 /* ckutilities.h in Headers */ = {isa = PBXBuildFile; fileRef = DC0BC6141D8B755200070CB0 /* ckutilities.h */; }; DC0BC6631D8B755200070CB0 /* Crypt.h in Headers */ = {isa = PBXBuildFile; fileRef = DC0BC6151D8B755200070CB0 /* Crypt.h */; }; - DC0BC6641D8B755200070CB0 /* CryptKitSA.h in Headers */ = {isa = PBXBuildFile; fileRef = DC0BC6161D8B755200070CB0 /* CryptKitSA.h */; }; - DC0BC6651D8B755200070CB0 /* CryptKit.h in Headers */ = {isa = PBXBuildFile; fileRef = DC0BC6171D8B755200070CB0 /* CryptKit.h */; }; DC0BC6661D8B755200070CB0 /* CryptKitAsn1.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DC0BC6181D8B755200070CB0 /* CryptKitAsn1.cpp */; }; DC0BC6671D8B755200070CB0 /* CryptKitAsn1.h in Headers */ = {isa = PBXBuildFile; fileRef = DC0BC6191D8B755200070CB0 /* CryptKitAsn1.h */; }; DC0BC6681D8B755200070CB0 /* CryptKitDER.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DC0BC61A1D8B755200070CB0 /* CryptKitDER.cpp */; }; 
@@ -1873,6 +2210,8 @@ DC0BCDB51D8C6A5B00070CB0 /* not_on_this_platorm.c in Sources */ = {isa = PBXBuildFile; fileRef = DC0BCDB41D8C6A5B00070CB0 /* not_on_this_platorm.c */; }; DC1002AF1D8E18870025549C /* libsecurity_codesigning.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DCD0677F1D8CDF19007602F1 /* libsecurity_codesigning.a */; }; DC1002D81D8E1A670025549C /* SecTask.h in Headers */ = {isa = PBXBuildFile; fileRef = 107226D10D91DB32003CF14F /* SecTask.h */; }; + DC124DCD20059BA900BE8DAC /* OctagonControlServer.m in Sources */ = {isa = PBXBuildFile; fileRef = DC124DC220059B8700BE8DAC /* OctagonControlServer.m */; }; + DC124DCE20059BA900BE8DAC /* OctagonControlServer.m in Sources */ = {isa = PBXBuildFile; fileRef = DC124DC220059B8700BE8DAC /* OctagonControlServer.m */; }; DC14478A1F5764C600236DB4 /* CKKSResultOperation.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1447881F5764C600236DB4 /* CKKSResultOperation.h */; }; DC14478B1F5764C600236DB4 /* CKKSResultOperation.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1447881F5764C600236DB4 /* CKKSResultOperation.h */; }; DC14478C1F5764C600236DB4 /* CKKSResultOperation.m in Sources */ = {isa = PBXBuildFile; fileRef = DC1447891F5764C600236DB4 /* CKKSResultOperation.m */; }; 
@@ -1908,7 +2247,6 @@ DC17853C1D778A3100B50D50 /* mds_schema.h in Headers */ = {isa = PBXBuildFile; fileRef = DC17853A1D778A3100B50D50 /* mds_schema.h */; settings = {ATTRIBUTES = (Public, ); }; }; DC17853D1D778A3100B50D50 /* mds.h in Headers */ = {isa = PBXBuildFile; fileRef = DC17853B1D778A3100B50D50 /* mds.h */; settings = {ATTRIBUTES = (Public, ); }; }; DC1785401D778A4E00B50D50 /* SecureDownload.h in Headers */ = {isa = PBXBuildFile; fileRef = DC17853F1D778A4E00B50D50 /* SecureDownload.h */; settings = {ATTRIBUTES = (Public, ); }; }; - DC1785431D778A7400B50D50 /* oids.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1785421D778A7400B50D50 /* oids.h */; settings = {ATTRIBUTES = (Public, ); }; }; DC17854E1D778ACD00B50D50 /* SecAccess.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1785451D778ACD00B50D50 /* SecAccess.h */; settings = {ATTRIBUTES = (Public, ); }; }; DC17854F1D778ACD00B50D50 /* SecACL.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1785461D778ACD00B50D50 /* SecACL.h */; settings = {ATTRIBUTES = (Public, ); }; }; DC1785501D778ACD00B50D50 /* SecCertificateOIDs.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1785471D778ACD00B50D50 /* SecCertificateOIDs.h */; settings = {ATTRIBUTES = (Public, ); }; }; 
@@ -1941,7 +2279,6 @@ DC1785871D778B8000B50D50 /* CodeSigning.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1785811D778B7F00B50D50 /* CodeSigning.h */; settings = {ATTRIBUTES = (Public, ); }; }; DC1785881D778B8000B50D50 /* CSCommon.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1785821D778B7F00B50D50 /* CSCommon.h */; settings = {ATTRIBUTES = (Public, ); }; }; DC1785891D778B8000B50D50 /* SecCode.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1785831D778B7F00B50D50 /* SecCode.h */; settings = {ATTRIBUTES = (Public, ); }; }; - DC17858A1D778B8000B50D50 /* SecCodeHost.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1785841D778B8000B50D50 /* SecCodeHost.h */; settings = {ATTRIBUTES = (Public, ); }; }; DC17858B1D778B8000B50D50 /* SecRequirement.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1785851D778B8000B50D50 /* SecRequirement.h */; settings = {ATTRIBUTES = (Public, ); }; }; DC17858C1D778B8000B50D50 /* SecStaticCode.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1785861D778B8000B50D50 /* SecStaticCode.h */; settings = {ATTRIBUTES = (Public, ); }; }; DC1785901D778B9D00B50D50 /* CMSDecoder.h in Headers */ = {isa = PBXBuildFile; fileRef = DC17858E1D778B9D00B50D50 /* CMSDecoder.h */; settings = {ATTRIBUTES = (Public, ); }; }; 
@@ -1984,8 +2321,6 @@ DC17871D1D778FAA00B50D50 /* SecCmsSignerInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = DC17870C1D778FA900B50D50 /* SecCmsSignerInfo.h */; settings = {ATTRIBUTES = (Private, ); }; }; DC17871E1D778FAA00B50D50 /* SecSMIME.h in Headers */ = {isa = PBXBuildFile; fileRef = DC17870D1D778FA900B50D50 /* SecSMIME.h */; settings = {ATTRIBUTES = (Private, ); }; }; DC17871F1D778FAA00B50D50 /* tsaSupport.h in Headers */ = {isa = PBXBuildFile; fileRef = DC17870E1D778FA900B50D50 /* tsaSupport.h */; settings = {ATTRIBUTES = (Private, ); }; }; - DC1787201D778FAA00B50D50 /* tsaSupportPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = DC17870F1D778FA900B50D50 /* tsaSupportPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; - DC1787211D778FAA00B50D50 /* tsaTemplates.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1787101D778FA900B50D50 /* tsaTemplates.h */; settings = {ATTRIBUTES = (Private, ); }; }; DC1787231D778FC900B50D50 /* mdspriv.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1787221D778FC900B50D50 /* mdspriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; DC1787261D778FDE00B50D50 /* SecManifest.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1787241D778FDE00B50D50 /* SecManifest.h */; settings = {ATTRIBUTES = (Private, ); }; }; DC1787271D778FDE00B50D50 /* SecureDownloadInternal.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1787251D778FDE00B50D50 /* SecureDownloadInternal.h */; settings = {ATTRIBUTES = (Private, ); }; }; 
@@ -2005,7 +2340,6 @@ DC1787431D77906C00B50D50 /* cssmapplePriv.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1787421D77906C00B50D50 /* cssmapplePriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; DC17874E1D7790A500B50D50 /* CSCommonPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1787441D7790A500B50D50 /* CSCommonPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; DC17874F1D7790A500B50D50 /* SecAssessment.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1787451D7790A500B50D50 /* SecAssessment.h */; settings = {ATTRIBUTES = (Private, ); }; }; - DC1787501D7790A500B50D50 /* SecCodeHostLib.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1787461D7790A500B50D50 /* SecCodeHostLib.h */; settings = {ATTRIBUTES = (Private, ); }; }; DC1787511D7790A500B50D50 /* SecCodePriv.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1787471D7790A500B50D50 /* SecCodePriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; DC1787521D7790A500B50D50 /* SecCodeSigner.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1787481D7790A500B50D50 /* SecCodeSigner.h */; settings = {ATTRIBUTES = (Private, ); }; }; DC1787551D7790A500B50D50 /* SecRequirementPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = DC17874B1D7790A500B50D50 /* SecRequirementPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; 
@@ -2102,7 +2436,7 @@ DC222C3B1E034D1F00B09171 /* SOSChangeTracker.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D4F1D8085F200865A7C /* SOSChangeTracker.c */; }; DC222C3D1E034D1F00B09171 /* SOSEngine.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D561D8085F200865A7C /* SOSEngine.c */; }; DC222C401E034D1F00B09171 /* SecDbItem.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78C8E1D8085D800865A7C /* SecDbItem.c */; }; - DC222C411E034D1F00B09171 /* SecDbKeychainItem.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78C901D8085D800865A7C /* SecDbKeychainItem.c */; }; + DC222C411E034D1F00B09171 /* SecDbKeychainItem.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78C901D8085D800865A7C /* SecDbKeychainItem.m */; }; DC222C421E034D1F00B09171 /* SecDbQuery.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78C921D8085D800865A7C /* SecDbQuery.c */; }; DC222C431E034D1F00B09171 /* SecItemBackupServer.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78C9C1D8085D800865A7C /* SecItemBackupServer.c */; }; DC222C441E034D1F00B09171 /* SecItemDataSource.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78C941D8085D800865A7C /* SecItemDataSource.c */; }; 
@@ -2145,6 +2479,16 @@ DC2353311ECA658B00D7C1BE /* server_security_helpers.c in Sources */ = {isa = PBXBuildFile; fileRef = DC4269061E82FBDF002B7110 /* server_security_helpers.c */; }; DC2353321ECA659000D7C1BE /* server_xpc.m in Sources */ = {isa = PBXBuildFile; fileRef = DCB2214A1E8B0861001598BC /* server_xpc.m */; }; DC2353331ECA659000D7C1BE /* server_xpc.m in Sources */ = {isa = PBXBuildFile; fileRef = DCB2214A1E8B0861001598BC /* server_xpc.m */; }; + DC2670F21F3E6EC500816EED /* debugging.h in Headers */ = {isa = PBXBuildFile; fileRef = DC0BCC531D8C68CF00070CB0 /* debugging.h */; settings = {ATTRIBUTES = (Public, ); }; }; + DC2670F51F3E711400816EED /* SOSAccountCloudParameters.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D1A1D8085F200865A7C /* SOSAccountCloudParameters.m */; }; + DC2670F61F3E714000816EED /* libSecureObjectSyncServer.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC52E8C61D80C25800B0A59C /* libSecureObjectSyncServer.a */; }; + DC2670F71F3E721800816EED /* SOSAccountTrustClassic.m in Sources */ = {isa = PBXBuildFile; fileRef = 0C48991B1E0F384700C6CF70 /* SOSAccountTrustClassic.m */; }; + DC2670F81F3E723B00816EED /* SOSAccountDer.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D1C1D8085F200865A7C /* SOSAccountDer.m */; }; + DC2670FB1F3E72C000816EED /* SOSCircleDer.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D351D8085F200865A7C /* SOSCircleDer.c */; }; + DC2670FC1F3E72C400816EED /* SOSCircleDer.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D341D8085F200865A7C /* SOSCircleDer.h */; }; + DC2671001F3E766E00816EED /* SecOTRSession.h in Headers */ = {isa = PBXBuildFile; fileRef = 4AF7FFFB15AFB73800B9D400 /* SecOTRSession.h */; settings = {ATTRIBUTES = (Private, ); }; }; + DC2671071F3E8A0900816EED /* SecECKey.h in Headers */ = {isa = PBXBuildFile; fileRef = 4CD3BA601106FF4D00BE8B75 /* SecECKey.h */; settings = {ATTRIBUTES = (Private, ); }; }; + DC26710E1F3E932D00816EED /* libASN1_not_installed.a in Frameworks */ = {isa 
= PBXBuildFile; fileRef = DC8834081D8A218F00CE0ACA /* libASN1_not_installed.a */; }; DC2C5F4B1F0D935200FEBDA7 /* CKKSControlProtocol.h in Headers */ = {isa = PBXBuildFile; fileRef = DCF7A89F1F04502300CABE89 /* CKKSControlProtocol.h */; settings = {ATTRIBUTES = (Private, ); }; }; DC2C5F511F0D935300FEBDA7 /* CKKSControlProtocol.h in Headers */ = {isa = PBXBuildFile; fileRef = DCF7A89F1F04502300CABE89 /* CKKSControlProtocol.h */; settings = {ATTRIBUTES = (Private, ); }; }; DC2C5F5D1F0EB97E00FEBDA7 /* CKKSNotifier.h in Headers */ = {isa = PBXBuildFile; fileRef = DC2C5F5A1F0EB97E00FEBDA7 /* CKKSNotifier.h */; }; 
@@ -2153,9 +2497,9 @@ DC2C5F611F0EB97E00FEBDA7 /* CKKSNotifier.m in Sources */ = {isa = PBXBuildFile; fileRef = DC2C5F5B1F0EB97E00FEBDA7 /* CKKSNotifier.m */; }; DC2D438F1F0EEC2A0005D382 /* MockCloudKit.m in Sources */ = {isa = PBXBuildFile; fileRef = DC3502E61E0214C800BC0587 /* MockCloudKit.m */; }; DC2D43951F0EEC300005D382 /* MockCloudKit.m in Sources */ = {isa = PBXBuildFile; fileRef = DC3502E61E0214C800BC0587 /* MockCloudKit.m */; }; + DC337B1F1EA04E2100B3A1F0 /* SecBase64.h in Headers */ = {isa = PBXBuildFile; fileRef = 18351B8F14CB65870097860E /* SecBase64.h */; settings = {ATTRIBUTES = (Private, ); }; }; DC3502B81E0208BE00BC0587 /* CKKSTests.m in Sources */ = {isa = PBXBuildFile; fileRef = DC3502B71E0208BE00BC0587 /* CKKSTests.m */; }; DC3502C51E020D5100BC0587 /* libASN1_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC8834081D8A218F00CE0ACA /* libASN1_not_installed.a */; }; - DC3502C81E020D5B00BC0587 /* libDER_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC59E9EC1D91C9DC001BDDF5 /* libDER_not_installed.a */; }; DC3502CA1E020DC100BC0587 /* libsqlite3.0.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = DC27B57D1DDFC24500599261 /* libsqlite3.0.dylib */; }; DC3502CF1E020E2900BC0587 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC0BCC361D8C684F00070CB0 /* libutilities.a */; }; DC3502D21E02113900BC0587 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CBCE5A90BE7F69100FF81F5 /* IOKit.framework */; }; 
@@ -2186,14 +2530,7 @@ DC3A81D71D99D58A000C7419 /* libcoretls_cfhelpers.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = DC3A81D41D99D567000C7419 /* libcoretls_cfhelpers.dylib */; }; DC3A81EC1D99F568000C7419 /* libcoretls.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CFC029B1D41650700E6283B /* libcoretls.dylib */; }; DC3C72E21D8374D600F6A832 /* SecureTransportPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1786FD1D778F5000B50D50 /* SecureTransportPriv.h */; settings = {ATTRIBUTES = (Private, ); }; }; - DC3C72E31D8376D700F6A832 /* SOSTypes.h in Copy SecurityObjectSync Headers */ = {isa = PBXBuildFile; fileRef = DCC78D8F1D8085F200865A7C /* SOSTypes.h */; }; - DC3C72E41D8376DE00F6A832 /* SOSBackupSliceKeyBag.h in Copy SecurityObjectSync Headers */ = {isa = PBXBuildFile; fileRef = DCC78D2A1D8085F200865A7C /* SOSBackupSliceKeyBag.h */; }; - DC3C72E51D8376E600F6A832 /* SOSCloudCircle.h in Copy SecurityObjectSync Headers */ = {isa = PBXBuildFile; fileRef = DCC78D8A1D8085F200865A7C /* SOSCloudCircle.h */; }; - DC3C72E61D8376EC00F6A832 /* SOSCloudCircleInternal.h in Copy SecurityObjectSync Headers */ = {isa = PBXBuildFile; fileRef = DCC78D8B1D8085F200865A7C /* SOSCloudCircleInternal.h */; }; - DC3C72E71D8376F300F6A832 /* SOSPeerInfo.h in Copy SecurityObjectSync Headers */ = {isa = PBXBuildFile; fileRef = DCC78D641D8085F200865A7C /* SOSPeerInfo.h */; }; - DC3C72E81D8376F900F6A832 /* SOSViews.h in Copy SecurityObjectSync Headers */ = {isa = PBXBuildFile; fileRef = DCC78D4B1D8085F200865A7C /* SOSViews.h */; }; DC3C72E91D83776B00F6A832 /* SOSBackupSliceKeyBag.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = DCC78D2A1D8085F200865A7C /* SOSBackupSliceKeyBag.h */; }; - DC3C72EA1D83777100F6A832 /* SOSPeerInfoV2.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = DCC78D681D8085F200865A7C /* SOSPeerInfoV2.h */; }; DC3C72EB1D83777600F6A832 /* SOSCloudCircle.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; 
fileRef = DCC78D8A1D8085F200865A7C /* SOSCloudCircle.h */; }; DC3C72EC1D83777B00F6A832 /* SOSPeerInfo.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = DCC78D641D8085F200865A7C /* SOSPeerInfo.h */; }; DC3C72ED1D83778100F6A832 /* SOSViews.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = DCC78D4B1D8085F200865A7C /* SOSViews.h */; }; @@ -2212,7 +2549,6 @@ DC3C7AB61D838C2D00F6A832 /* SecAsn1Types.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1785151D77895A00B50D50 /* SecAsn1Types.h */; settings = {ATTRIBUTES = (Private, ); }; }; DC3C7AB71D838C5C00F6A832 /* secasn1t.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1787681D77911D00B50D50 /* secasn1t.h */; settings = {ATTRIBUTES = (Private, ); }; }; DC3C7AB81D838C6F00F6A832 /* oidsalg.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1785111D77895A00B50D50 /* oidsalg.h */; settings = {ATTRIBUTES = (Private, ); }; }; - DC3C7AB91D838C8D00F6A832 /* oids.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1785421D778A7400B50D50 /* oids.h */; settings = {ATTRIBUTES = (Private, ); }; }; DC3C7ABA1D838C9F00F6A832 /* sslTypes.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1786FB1D778F3C00B50D50 /* sslTypes.h */; settings = {ATTRIBUTES = (Private, ); }; }; DC3C7C901D83957F00F6A832 /* NSFileHandle+Formatting.m in Sources */ = {isa = PBXBuildFile; fileRef = E78A9AD91D34959200006B5B /* NSFileHandle+Formatting.m */; }; DC3D748C1FD2217900AC57DA /* CKKSLocalSynchronizeOperation.h in Headers */ = {isa = PBXBuildFile; fileRef = DC3D748A1FD2217900AC57DA /* CKKSLocalSynchronizeOperation.h */; }; 
@@ -2249,7 +2585,7 @@ DC52E7CC1D80BCDF00B0A59C /* SecDbQuery.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78C921D8085D800865A7C /* SecDbQuery.c */; }; DC52E7CD1D80BCE700B0A59C /* SecItemDataSource.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78C941D8085D800865A7C /* SecItemDataSource.c */; }; DC52E7CF1D80BCFD00B0A59C /* SOSEngine.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D561D8085F200865A7C /* SOSEngine.c */; }; - DC52E7D31D80BD1800B0A59C /* SecDbKeychainItem.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78C901D8085D800865A7C /* SecDbKeychainItem.c */; }; + DC52E7D31D80BD1800B0A59C /* SecDbKeychainItem.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78C901D8085D800865A7C /* SecDbKeychainItem.m */; }; DC52E7D41D80BD1D00B0A59C /* iCloudTrace.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78CB31D8085D800865A7C /* iCloudTrace.c */; }; DC52E7D61D80BD2800B0A59C /* SecuritydXPC.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E9A1D8085FC00865A7C /* SecuritydXPC.c */; }; DC52E7D71D80BD2D00B0A59C /* SecItemServer.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78C9A1D8085D800865A7C /* SecItemServer.c */; }; 
@@ -2384,7 +2720,7 @@ DC52ECBD1D80D22600B0A59C /* si-42-identity.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78DD11D8085FC00865A7C /* si-42-identity.c */; }; DC52ECBE1D80D22600B0A59C /* si-43-persistent.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78DD21D8085FC00865A7C /* si-43-persistent.c */; }; DC52ECC31D80D22600B0A59C /* si-50-secrandom.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78DD71D8085FC00865A7C /* si-50-secrandom.c */; }; - DC52ECC71D80D22600B0A59C /* si-63-scep.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78DDE1D8085FC00865A7C /* si-63-scep.c */; }; + DC52ECC71D80D22600B0A59C /* si-63-scep.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78DDE1D8085FC00865A7C /* si-63-scep.m */; }; DC52ECCD1D80D22600B0A59C /* si-69-keydesc.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78DF91D8085FC00865A7C /* si-69-keydesc.c */; }; DC52ECD01D80D22600B0A59C /* si-72-syncableitems.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78DFC1D8085FC00865A7C /* si-72-syncableitems.c */; }; DC52ECD11D80D22600B0A59C /* si-73-secpasswordgenerate.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78DFD1D8085FC00865A7C /* si-73-secpasswordgenerate.c */; }; 
@@ -2393,7 +2729,7 @@ DC52ECD51D80D22600B0A59C /* si-78-query-attrs.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E011D8085FC00865A7C /* si-78-query-attrs.c */; }; DC52ECD61D80D22600B0A59C /* si-80-empty-data.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E021D8085FC00865A7C /* si-80-empty-data.c */; }; DC52ECD91D80D22600B0A59C /* si-82-token-ag.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E051D8085FC00865A7C /* si-82-token-ag.c */; }; - DC52ECDD1D80D22600B0A59C /* si-89-cms-hash-agility.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E0B1D8085FC00865A7C /* si-89-cms-hash-agility.c */; }; + DC52ECDD1D80D22600B0A59C /* si-89-cms-hash-agility.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E0B1D8085FC00865A7C /* si-89-cms-hash-agility.m */; }; DC52ECDE1D80D22600B0A59C /* si-90-emcs.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E0D1D8085FC00865A7C /* si-90-emcs.m */; }; DC52ECDF1D80D22600B0A59C /* si-95-cms-basic.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E0E1D8085FC00865A7C /* si-95-cms-basic.c */; }; DC52ECE11D80D2F000B0A59C /* otr-00-identity.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78DA71D8085FC00865A7C /* otr-00-identity.c */; }; 
@@ -2518,24 +2854,6 @@ DC58C43E1D77BED0003C25A4 /* csparser.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DC58C43B1D77BED0003C25A4 /* csparser.cpp */; }; DC59E9A41D91C6F0001BDDF5 /* libCMS.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC1002D71D8E19F20025549C /* libCMS.a */; }; DC59E9A71D91C7C7001BDDF5 /* libCMS.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC1002D71D8E19F20025549C /* libCMS.a */; }; - DC59E9FE1D91CA0A001BDDF5 /* DER_Keys.c in Sources */ = {isa = PBXBuildFile; fileRef = DC59E9ED1D91CA0A001BDDF5 /* DER_Keys.c */; }; - DC59EA011D91CA0A001BDDF5 /* DER_CertCrl.c in Sources */ = {isa = PBXBuildFile; fileRef = DC59E9F01D91CA0A001BDDF5 /* DER_CertCrl.c */; }; - DC59EA031D91CA0A001BDDF5 /* DER_Decode.c in Sources */ = {isa = PBXBuildFile; fileRef = DC59E9F21D91CA0A001BDDF5 /* DER_Decode.c */; }; - DC59EA051D91CA0A001BDDF5 /* DER_Encode.c in Sources */ = {isa = PBXBuildFile; fileRef = DC59E9F41D91CA0A001BDDF5 /* DER_Encode.c */; }; - DC59EA0A1D91CA0A001BDDF5 /* DER_Digest.c in Sources */ = {isa = PBXBuildFile; fileRef = DC59E9F91D91CA0A001BDDF5 /* DER_Digest.c */; }; - DC59EA0B1D91CA0A001BDDF5 /* oids.c in Sources */ = {isa = PBXBuildFile; fileRef = DC59E9FA1D91CA0A001BDDF5 /* oids.c */; }; - DC59EA771D91CC6D001BDDF5 /* libDER_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC59E9EC1D91C9DC001BDDF5 /* libDER_not_installed.a */; }; - DC59EA7B1D91CC9F001BDDF5 /* libDER_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC59E9EC1D91C9DC001BDDF5 /* libDER_not_installed.a */; }; - DC59EA7E1D91CCB2001BDDF5 /* libDER_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC59E9EC1D91C9DC001BDDF5 /* libDER_not_installed.a */; }; - DC59EA821D91CD24001BDDF5 /* libDER_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC59E9EC1D91C9DC001BDDF5 /* libDER_not_installed.a */; }; - DC59EA851D91CD35001BDDF5 /* libDER_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 
DC59E9EC1D91C9DC001BDDF5 /* libDER_not_installed.a */; }; - DC59EA881D91CD7E001BDDF5 /* libDER_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC59E9EC1D91C9DC001BDDF5 /* libDER_not_installed.a */; }; - DC59EA8B1D91CD93001BDDF5 /* libDER_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC59E9EC1D91C9DC001BDDF5 /* libDER_not_installed.a */; }; - DC59EA8E1D91CDC1001BDDF5 /* libDER_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC59E9EC1D91C9DC001BDDF5 /* libDER_not_installed.a */; }; - DC59EA911D91CDCF001BDDF5 /* libDER_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC59E9EC1D91C9DC001BDDF5 /* libDER_not_installed.a */; }; - DC59EA941D91CDE0001BDDF5 /* libDER_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC59E9EC1D91C9DC001BDDF5 /* libDER_not_installed.a */; }; - DC59EA971D91CDFA001BDDF5 /* libDER_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC59E9EC1D91C9DC001BDDF5 /* libDER_not_installed.a */; }; - DC59EA9A1D91CE94001BDDF5 /* libDER_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC59E9EC1D91C9DC001BDDF5 /* libDER_not_installed.a */; }; DC5ABDCC1D832E4000CF422C /* srCdsaUtils.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DC5ABD781D832D5800CF422C /* srCdsaUtils.cpp */; }; DC5ABDCD1D832E4000CF422C /* createFVMaster.c in Sources */ = {isa = PBXBuildFile; fileRef = DC5ABD7A1D832D5800CF422C /* createFVMaster.c */; }; DC5ABDCE1D832E4000CF422C /* mds_install.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DC5ABD7D1D832D5800CF422C /* mds_install.cpp */; }; 
@@ -2905,11 +3223,16 @@ DC8834911D8A21AB00CE0ACA /* oidsalg.c in Sources */ = {isa = PBXBuildFile; fileRef = DC8834491D8A21AA00CE0ACA /* oidsalg.c */; }; DC8834931D8A21AB00CE0ACA /* oidsattr.c in Sources */ = {isa = PBXBuildFile; fileRef = DC88344B1D8A21AA00CE0ACA /* oidsattr.c */; }; DC8834961D8A21AB00CE0ACA /* oidsocsp.c in Sources */ = {isa = PBXBuildFile; fileRef = DC88344E1D8A21AA00CE0ACA /* oidsocsp.c */; }; + DC8EB58D1F70743100080CF2 /* SOSPeerInfoV2.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = DCC78D681D8085F200865A7C /* SOSPeerInfoV2.h */; }; DC9036B31D9DFED600B6C234 /* ss_types.defs in Headers */ = {isa = PBXBuildFile; fileRef = DC6A82771D87733C00418608 /* ss_types.defs */; settings = {ATTRIBUTES = (Public, ); }; }; DC9082C41EA0277600D0C1C5 /* CKKSZoneChangeFetcher.m in Sources */ = {isa = PBXBuildFile; fileRef = DC9082C31EA0276000D0C1C5 /* CKKSZoneChangeFetcher.m */; }; DC9082C51EA0277700D0C1C5 /* CKKSZoneChangeFetcher.m in Sources */ = {isa = PBXBuildFile; fileRef = DC9082C31EA0276000D0C1C5 /* CKKSZoneChangeFetcher.m */; }; DC9082C61EA027DB00D0C1C5 /* CKKSZoneChangeFetcher.h in Headers */ = {isa = PBXBuildFile; fileRef = DC9082C21EA0276000D0C1C5 /* CKKSZoneChangeFetcher.h */; }; DC9082C71EA027DC00D0C1C5 /* CKKSZoneChangeFetcher.h in Headers */ = {isa = PBXBuildFile; fileRef = DC9082C21EA0276000D0C1C5 /* CKKSZoneChangeFetcher.h */; }; + DC926F071F33F7C20012A315 /* SecCodeHost.h in Headers */ = {isa = PBXBuildFile; fileRef = DCD067981D8CDF7E007602F1 /* SecCodeHost.h */; settings = {ATTRIBUTES = (Private, ); }; }; + DC926F081F33F7D30012A315 /* SecCodeHost.h in Headers */ = {isa = PBXBuildFile; fileRef = DCD067981D8CDF7E007602F1 /* SecCodeHost.h */; settings = {ATTRIBUTES = (Public, ); }; }; + DC926F091F33FA8D0012A315 /* CKKSControlProtocol.m in Sources */ = {isa = PBXBuildFile; fileRef = DCF7A8A21F0450EB00CABE89 /* CKKSControlProtocol.m */; }; + DC926F0A1F33FA8E0012A315 /* CKKSControlProtocol.m in Sources */ = {isa = PBXBuildFile; 
fileRef = DCF7A8A21F0450EB00CABE89 /* CKKSControlProtocol.m */; }; DC94BCCA1F10448600E07CEB /* CloudKitCategories.h in Headers */ = {isa = PBXBuildFile; fileRef = DC94BCC81F10448600E07CEB /* CloudKitCategories.h */; }; DC94BCCB1F10448600E07CEB /* CloudKitCategories.h in Headers */ = {isa = PBXBuildFile; fileRef = DC94BCC81F10448600E07CEB /* CloudKitCategories.h */; }; DC94BCCC1F10448600E07CEB /* CloudKitCategories.m in Sources */ = {isa = PBXBuildFile; fileRef = DC94BCC91F10448600E07CEB /* CloudKitCategories.m */; }; 
@@ -2926,14 +3249,10 @@ DC9C95971F748D0B000D19E5 /* CKKSServerValidationRecoveryTests.m in Sources */ = {isa = PBXBuildFile; fileRef = DC9C95951F748D0B000D19E5 /* CKKSServerValidationRecoveryTests.m */; }; DC9C95B41F79CFD1000D19E5 /* CKKSControl.h in Headers */ = {isa = PBXBuildFile; fileRef = DC9C95B21F79CFD1000D19E5 /* CKKSControl.h */; }; DC9C95B51F79CFD1000D19E5 /* CKKSControl.h in Headers */ = {isa = PBXBuildFile; fileRef = DC9C95B21F79CFD1000D19E5 /* CKKSControl.h */; }; - DC9C95B61F79CFD1000D19E5 /* CKKSControl.m in Sources */ = {isa = PBXBuildFile; fileRef = DC9C95B31F79CFD1000D19E5 /* CKKSControl.m */; }; - DC9C95B71F79CFD1000D19E5 /* CKKSControl.m in Sources */ = {isa = PBXBuildFile; fileRef = DC9C95B31F79CFD1000D19E5 /* CKKSControl.m */; }; DC9C95BD1F79DC5A000D19E5 /* CKKSControl.h in Headers */ = {isa = PBXBuildFile; fileRef = DC9C95B21F79CFD1000D19E5 /* CKKSControl.h */; settings = {ATTRIBUTES = (Private, ); }; }; DC9C95BE1F79DC5F000D19E5 /* CKKSControl.h in Headers */ = {isa = PBXBuildFile; fileRef = DC9C95B21F79CFD1000D19E5 /* CKKSControl.h */; settings = {ATTRIBUTES = (Private, ); }; }; DC9C95BF1F79DC88000D19E5 /* CKKSControl.m in Sources */ = {isa = PBXBuildFile; fileRef = DC9C95B31F79CFD1000D19E5 /* CKKSControl.m */; }; DC9C95C01F79DC89000D19E5 /* CKKSControl.m in Sources */ = {isa = PBXBuildFile; fileRef = DC9C95B31F79CFD1000D19E5 /* CKKSControl.m */; }; - DC9C95C11F79DD4B000D19E5 /* CKKSControlProtocol.m in Sources */ = {isa = PBXBuildFile; fileRef = DCF7A8A21F0450EB00CABE89 /* CKKSControlProtocol.m */; }; - DC9C95C21F79DD4D000D19E5 /* CKKSControlProtocol.m in Sources */ = {isa = PBXBuildFile; fileRef = DCF7A8A21F0450EB00CABE89 /* CKKSControlProtocol.m */; }; DC9FD3231F8587A500C8AAC8 /* CKKSSerializedKey.proto in Sources */ = {isa = PBXBuildFile; fileRef = DC4D49D81F857728007AF2B8 /* CKKSSerializedKey.proto */; }; DC9FD32C1F85990A00C8AAC8 /* CKKSPeer.m in Sources */ = {isa = PBXBuildFile; fileRef = DC9FD3291F8598F300C8AAC8 /* CKKSPeer.m */; }; 
DC9FD32D1F85990B00C8AAC8 /* CKKSPeer.m in Sources */ = {isa = PBXBuildFile; fileRef = DC9FD3291F8598F300C8AAC8 /* CKKSPeer.m */; }; @@ -2966,6 +3285,12 @@ DCB221581E8B08C9001598BC /* server_xpc.m in Sources */ = {isa = PBXBuildFile; fileRef = DCB2214A1E8B0861001598BC /* server_xpc.m */; }; DCB221591E8B08CA001598BC /* server_xpc.m in Sources */ = {isa = PBXBuildFile; fileRef = DCB2214A1E8B0861001598BC /* server_xpc.m */; }; DCB2215A1E8B08CB001598BC /* server_xpc.m in Sources */ = {isa = PBXBuildFile; fileRef = DCB2214A1E8B0861001598BC /* server_xpc.m */; }; + DCB332381F46804600178C30 /* SOSSysdiagnose.h in Headers */ = {isa = PBXBuildFile; fileRef = DCB332371F46804000178C30 /* SOSSysdiagnose.h */; }; + DCB3323B1F4681AE00178C30 /* SecOTR.h in Headers */ = {isa = PBXBuildFile; fileRef = 4AF7FFF315AFB73800B9D400 /* SecOTR.h */; settings = {ATTRIBUTES = (Private, ); }; }; + DCB3323C1F46833E00178C30 /* SecLogging.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78E661D8085FC00865A7C /* SecLogging.h */; settings = {ATTRIBUTES = (Private, ); }; }; + DCB332451F47856B00178C30 /* libSOSCommands.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC52EC341D80CFB200B0A59C /* libSOSCommands.a */; }; + DCB332591F478C3C00178C30 /* SOSUserKeygen.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D2B1D8085F200865A7C /* SOSUserKeygen.m */; }; + DCB3325A1F478C4100178C30 /* SOSUserKeygen.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D2C1D8085F200865A7C /* SOSUserKeygen.h */; }; DCB3407D1D8A24F70054D16E /* Authorization.c in Sources */ = {isa = PBXBuildFile; fileRef = DCB3406F1D8A24F70054D16E /* Authorization.c */; }; DCB340841D8A24F70054D16E /* Authorization.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCB340761D8A24F70054D16E /* Authorization.cpp */; }; DCB340871D8A24F70054D16E /* trampolineClient.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCB340791D8A24F70054D16E /* trampolineClient.cpp */; }; 
@@ -3305,7 +3630,6 @@ DCB344A51D8A35270054D16E /* si-20-sectrust-provisioning.h in Headers */ = {isa = PBXBuildFile; fileRef = DCB344701D8A35270054D16E /* si-20-sectrust-provisioning.h */; }; DCB344A61D8A35270054D16E /* si-33-keychain-backup.c in Sources */ = {isa = PBXBuildFile; fileRef = DCB344711D8A35270054D16E /* si-33-keychain-backup.c */; }; DCB344A71D8A35270054D16E /* si-34-one-true-keychain.c in Sources */ = {isa = PBXBuildFile; fileRef = DCB344721D8A35270054D16E /* si-34-one-true-keychain.c */; }; - DCB502331FDA156B008F8E4F /* AutoreleaseTest.c in Sources */ = {isa = PBXBuildFile; fileRef = DCB5022C1FDA155D008F8E4F /* AutoreleaseTest.c */; }; DCB515DE1ED3CF86001F1152 /* SecurityFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DCE4E7C01D7A463E00AFB96E /* SecurityFoundation.framework */; }; DCB515DF1ED3CF95001F1152 /* SecurityFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DCE4E7C01D7A463E00AFB96E /* SecurityFoundation.framework */; }; DCB515E01ED3D111001F1152 /* client.c in Sources */ = {isa = PBXBuildFile; fileRef = 7908507F0CA87CF00083CC4D /* client.c */; }; 
@@ -3332,7 +3656,6 @@ DCBF2F7D1F90084D00ED0CA4 /* CKKSTLKSharingTests.m in Sources */ = {isa = PBXBuildFile; fileRef = DCBF2F7C1F90084D00ED0CA4 /* CKKSTLKSharingTests.m */; }; DCBF2F851F913EF000ED0CA4 /* CKKSHealTLKSharesOperation.h in Headers */ = {isa = PBXBuildFile; fileRef = DCBF2F831F913EF000ED0CA4 /* CKKSHealTLKSharesOperation.h */; }; DCBF2F861F913EF000ED0CA4 /* CKKSHealTLKSharesOperation.h in Headers */ = {isa = PBXBuildFile; fileRef = DCBF2F831F913EF000ED0CA4 /* CKKSHealTLKSharesOperation.h */; }; - DCBF2F871F913EF000ED0CA4 /* CKKSHealTLKSharesOperation.m in Sources */ = {isa = PBXBuildFile; fileRef = DCBF2F841F913EF000ED0CA4 /* CKKSHealTLKSharesOperation.m */; }; DCBF2F881F913EF000ED0CA4 /* CKKSHealTLKSharesOperation.m in Sources */ = {isa = PBXBuildFile; fileRef = DCBF2F841F913EF000ED0CA4 /* CKKSHealTLKSharesOperation.m */; }; DCC093791D80B02100F984E4 /* SecOnOSX.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78E671D8085FC00865A7C /* SecOnOSX.h */; }; DCC0937A1D80B07200F984E4 /* SecOTRSessionPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = 4AF7FFFC15AFB73800B9D400 /* SecOTRSessionPriv.h */; }; 
@@ -3400,7 +3723,6 @@ DCC78EDD1D808AEC00865A7C /* SecDigest.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E481D8085FC00865A7C /* SecDigest.c */; }; DCC78EDE1D808AF100865A7C /* SecDH.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E461D8085FC00865A7C /* SecDH.c */; }; DCC78EDF1D808AF800865A7C /* SecCertificateRequest.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E3E1D8085FC00865A7C /* SecCertificateRequest.c */; }; - DCC78EE01D808B0000865A7C /* SecCertificatePath.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E3B1D8085FC00865A7C /* SecCertificatePath.c */; }; DCC78EE11D808B0900865A7C /* SecCertificate.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E381D8085FC00865A7C /* SecCertificate.c */; }; DCC78EE21D808B0E00865A7C /* SecCTKKey.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E441D8085FC00865A7C /* SecCTKKey.c */; }; DCC78EE31D808B1300865A7C /* SecCMS.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E421D8085FC00865A7C /* SecCMS.c */; }; 
@@ -3408,7 +3730,6 @@ DCC78EE51D808B2100865A7C /* SecBase64.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E351D8085FC00865A7C /* SecBase64.c */; }; DCC78EE61D808B2A00865A7C /* SecAccessControl.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E301D8085FC00865A7C /* SecAccessControl.c */; }; DCC78EE71D808B2F00865A7C /* secViewDisplay.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D9E1D8085F200865A7C /* secViewDisplay.c */; }; - DCC78EE81D808B3500865A7C /* secToolFileIO.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D931D8085F200865A7C /* secToolFileIO.c */; }; DCCA5E841E539EE7009EE93D /* AppKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DCCA5E831E539EE7009EE93D /* AppKit.framework */; }; DCCBFA1E1DBA95CD001DD54D /* kc-20-item-delete-stress.c in Sources */ = {isa = PBXBuildFile; fileRef = DCCBFA1D1DBA95CD001DD54D /* kc-20-item-delete-stress.c */; }; DCCBFA391DBAE445001DD54D /* SecInternal.h in Headers */ = {isa = PBXBuildFile; fileRef = 4C6416F00BB357D5001C83FD /* SecInternal.h */; settings = {ATTRIBUTES = (Private, ); }; }; 
@@ -3513,7 +3834,6 @@ DCD068641D8CDF7E007602F1 /* detachedrep.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCD067E11D8CDF7E007602F1 /* detachedrep.cpp */; }; DCD068651D8CDF7E007602F1 /* piddiskrep.h in Headers */ = {isa = PBXBuildFile; fileRef = DCD067E21D8CDF7E007602F1 /* piddiskrep.h */; }; DCD068661D8CDF7E007602F1 /* piddiskrep.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCD067E31D8CDF7E007602F1 /* piddiskrep.cpp */; }; - DCD068691D8CDF7E007602F1 /* SecCodeHostLib.h in Headers */ = {isa = PBXBuildFile; fileRef = DCD067E71D8CDF7E007602F1 /* SecCodeHostLib.h */; }; DCD0686E1D8CDF7E007602F1 /* csdatabase.h in Headers */ = {isa = PBXBuildFile; fileRef = DCD067EE1D8CDF7E007602F1 /* csdatabase.h */; }; DCD0686F1D8CDF7E007602F1 /* csdatabase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCD067EF1D8CDF7E007602F1 /* csdatabase.cpp */; }; DCD068701D8CDF7E007602F1 /* cserror.h in Headers */ = {isa = PBXBuildFile; fileRef = DCD067F01D8CDF7E007602F1 /* cserror.h */; }; 
@@ -3631,7 +3951,6 @@ DCD06A781D8CE309007602F1 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC0BCC361D8C684F00070CB0 /* libutilities.a */; }; DCD06A791D8CE30F007602F1 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E43C48C1B00D07000E5ECB2 /* CoreFoundation.framework */; }; DCD06A7A1D8CE318007602F1 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CBCE5A90BE7F69100FF81F5 /* IOKit.framework */; }; - DCD06B3D1D8E0D7D007602F1 /* debugging.h in Headers */ = {isa = PBXBuildFile; fileRef = DCD06AB11D8E0D7D007602F1 /* debugging.h */; settings = {ATTRIBUTES = (Public, ); }; }; DCD06B3E1D8E0D7D007602F1 /* FileLockTransaction.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCD06AB21D8E0D7D007602F1 /* FileLockTransaction.cpp */; }; DCD06B3F1D8E0D7D007602F1 /* FileLockTransaction.h in Headers */ = {isa = PBXBuildFile; fileRef = DCD06AB31D8E0D7D007602F1 /* FileLockTransaction.h */; settings = {ATTRIBUTES = (Public, ); }; }; DCD06B401D8E0D7D007602F1 /* CSPDLTransaction.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCD06AB41D8E0D7D007602F1 /* CSPDLTransaction.cpp */; }; 
@@ -3817,7 +4136,6 @@ DCD66DBA1D82052000DB1393 /* SecPolicyLeafCallbacks.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E7F1D8085FC00865A7C /* SecPolicyLeafCallbacks.c */; }; DCD66DBB1D82052700DB1393 /* SecPolicy.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E7E1D8085FC00865A7C /* SecPolicy.c */; }; DCD66DBC1D82052B00DB1393 /* SecKeyAdaptors.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E621D8085FC00865A7C /* SecKeyAdaptors.c */; }; - DCD66DBD1D82053100DB1393 /* SecCertificatePath.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E3B1D8085FC00865A7C /* SecCertificatePath.c */; }; DCD66DBE1D82053700DB1393 /* SecBase64.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E351D8085FC00865A7C /* SecBase64.c */; }; DCD66DBF1D82053E00DB1393 /* SecDigest.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E481D8085FC00865A7C /* SecDigest.c */; }; DCD66DC01D82054500DB1393 /* SecCertificate.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78E381D8085FC00865A7C /* SecCertificate.c */; }; 
@@ -3836,13 +4154,18 @@ DCD6C4B41EC5302500414FEE /* CKKSNearFutureScheduler.m in Sources */ = {isa = PBXBuildFile; fileRef = DCD6C4B11EC5302500414FEE /* CKKSNearFutureScheduler.m */; }; DCD6C4B51EC5302500414FEE /* CKKSNearFutureScheduler.m in Sources */ = {isa = PBXBuildFile; fileRef = DCD6C4B11EC5302500414FEE /* CKKSNearFutureScheduler.m */; }; DCD6C4B71EC5319600414FEE /* CKKSNearFutureSchedulerTests.m in Sources */ = {isa = PBXBuildFile; fileRef = DCD6C4B61EC5319600414FEE /* CKKSNearFutureSchedulerTests.m */; }; + DCD7EE841F4E46F9007D9804 /* accountCirclesViewsPrint.m in Sources */ = {isa = PBXBuildFile; fileRef = 48C2F9321E4BCFC30093D70C /* accountCirclesViewsPrint.m */; }; + DCD7EE851F4E47D2007D9804 /* reqparser.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCD067C31D8CDF7E007602F1 /* reqparser.cpp */; }; + DCD7EE981F4F4DE9007D9804 /* SecBase64.h in Headers */ = {isa = PBXBuildFile; fileRef = 18351B8F14CB65870097860E /* SecBase64.h */; settings = {ATTRIBUTES = (Private, ); }; }; + DCD7EE991F4F4E03007D9804 /* ocspTemplates.h in Headers */ = {isa = PBXBuildFile; fileRef = DC1787661D77911D00B50D50 /* ocspTemplates.h */; settings = {ATTRIBUTES = (Private, ); }; }; + DCD7EE9A1F4F5156007D9804 /* oidsocsp.h in Headers */ = {isa = PBXBuildFile; fileRef = DC88344F1D8A21AA00CE0ACA /* oidsocsp.h */; settings = {ATTRIBUTES = (Private, ); }; }; + DCD7EEA41F4F58D7007D9804 /* SecLogging.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78E661D8085FC00865A7C /* SecLogging.h */; settings = {ATTRIBUTES = (Private, ); }; }; DCD8A0CF1E09EA1800E4FA0A /* SecKeybagSupport.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78C9E1D8085D800865A7C /* SecKeybagSupport.c */; }; DCD8A1321E09EE0F00E4FA0A /* SOSPeerInfo.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D631D8085F200865A7C /* SOSPeerInfo.m */; }; DCD8A1511E09EE0F00E4FA0A /* SOSViews.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D4A1D8085F200865A7C /* SOSViews.m */; }; DCD8A15A1E09EE0F00E4FA0A /* 
SOSAccountTransaction.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D151D8085F200865A7C /* SOSAccountTransaction.h */; }; DCD8A15C1E09EE0F00E4FA0A /* SOSBackupSliceKeyBag.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D2A1D8085F200865A7C /* SOSBackupSliceKeyBag.h */; }; DCD8A15D1E09EE0F00E4FA0A /* SOSCircle.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D321D8085F200865A7C /* SOSCircle.h */; }; - DCD8A15E1E09EE0F00E4FA0A /* SOSCircleDer.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D341D8085F200865A7C /* SOSCircleDer.h */; }; DCD8A15F1E09EE0F00E4FA0A /* SOSCirclePriv.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D311D8085F200865A7C /* SOSCirclePriv.h */; }; DCD8A1601E09EE0F00E4FA0A /* SOSCircleRings.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D331D8085F200865A7C /* SOSCircleRings.h */; }; DCD8A1611E09EE0F00E4FA0A /* SOSCircleV2.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D301D8085F200865A7C /* SOSCircleV2.h */; }; 
@@ -3867,13 +4190,11 @@ DCD8A1851E09EE0F00E4FA0A /* SOSRingDER.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D411D8085F200865A7C /* SOSRingDER.h */; }; DCD8A1861E09EE0F00E4FA0A /* SOSRingPeerInfoUtils.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D431D8085F200865A7C /* SOSRingPeerInfoUtils.h */; }; DCD8A1871E09EE0F00E4FA0A /* SOSRingTypes.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D451D8085F200865A7C /* SOSRingTypes.h */; }; - DCD8A1881E09EE0F00E4FA0A /* SOSAccountPriv.h in Headers */ = {isa = PBXBuildFile; fileRef = CD9021471DE27A9E00F81DC4 /* SOSAccountPriv.h */; }; DCD8A1891E09EE0F00E4FA0A /* SOSRingUtils.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D471D8085F200865A7C /* SOSRingUtils.h */; }; DCD8A18A1E09EE0F00E4FA0A /* SOSRingV0.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D491D8085F200865A7C /* SOSRingV0.h */; }; DCD8A18B1E09EE0F00E4FA0A /* SOSTransport.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D751D8085F200865A7C /* SOSTransport.h */; }; DCD8A1901E09EE0F00E4FA0A /* SOSAccountTrust.h in Headers */ = {isa = PBXBuildFile; fileRef = CD31F8611DCD4C1400414B46 /* SOSAccountTrust.h */; }; DCD8A1931E09EE0F00E4FA0A /* SOSTypes.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D8F1D8085F200865A7C /* SOSTypes.h */; }; - DCD8A1941E09EE0F00E4FA0A /* SOSUserKeygen.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D2C1D8085F200865A7C /* SOSUserKeygen.h */; }; DCD8A1951E09EE0F00E4FA0A /* SOSViews.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D4B1D8085F200865A7C /* SOSViews.h */; }; DCD8A19A1E09EE9800E4FA0A /* libSecureObjectSyncFramework.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DCD8A1991E09EE0F00E4FA0A /* libSecureObjectSyncFramework.a */; }; DCD8A19D1E09EEC800E4FA0A /* SOSBackupSliceKeyBag.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D291D8085F200865A7C /* SOSBackupSliceKeyBag.m */; }; 
@@ -3881,14 +4202,11 @@ DCD8A19F1E09EF0F00E4FA0A /* SOSInternal.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D8D1D8085F200865A7C /* SOSInternal.m */; }; DCD8A1A01E09EF3500E4FA0A /* SOSCloudKeychainClient.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78CF61D8085F200865A7C /* SOSCloudKeychainClient.c */; }; DCD8A1A11E09EF5C00E4FA0A /* SOSCloudKeychainConstants.c in Sources */ = {isa = PBXBuildFile; fileRef = E7A5F4D71C0D01B000F3BEBB /* SOSCloudKeychainConstants.c */; }; - DCD8A1A31E09EF7800E4FA0A /* SOSSysdiagnose.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D8C1D8085F200865A7C /* SOSSysdiagnose.m */; }; DCD8A1A41E09EF9000E4FA0A /* SOSPeerInfoCollections.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D6A1D8085F200865A7C /* SOSPeerInfoCollections.c */; }; DCD8A1A51E09EFAE00E4FA0A /* SOSPeerInfoV2.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D671D8085F200865A7C /* SOSPeerInfoV2.m */; }; DCD8A1A61E09EFD700E4FA0A /* SOSKVSKeys.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D721D8085F200865A7C /* SOSKVSKeys.m */; }; DCD8A1A71E09F01300E4FA0A /* SOSPeerInfoSecurityProperties.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D6F1D8085F200865A7C /* SOSPeerInfoSecurityProperties.m */; }; - DCD8A1A81E09F03100E4FA0A /* SOSUserKeygen.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D2B1D8085F200865A7C /* SOSUserKeygen.m */; }; DCD8A1A91E09F04700E4FA0A /* SOSECWrapUnwrap.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D881D8085F200865A7C /* SOSECWrapUnwrap.c */; }; - DCD8A1AC1E09F09200E4FA0A /* SOSCircleDer.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D351D8085F200865A7C /* SOSCircleDer.c */; }; DCD8A1AE1E09F0C500E4FA0A /* SOSRingDER.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D401D8085F200865A7C /* SOSRingDER.c */; }; DCD8A1AF1E09F0DC00E4FA0A /* SOSRingUtils.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D461D8085F200865A7C /* SOSRingUtils.c */; }; DCD8A1B01E09F0F400E4FA0A /* SOSRingTypes.m in 
Sources */ = {isa = PBXBuildFile; fileRef = DCC78D441D8085F200865A7C /* SOSRingTypes.m */; }; @@ -3907,7 +4225,6 @@ DCD8A1BD1E09F1D600E4FA0A /* SOSFullPeerInfo.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D611D8085F200865A7C /* SOSFullPeerInfo.m */; }; DCD8A1C21E09F23B00E4FA0A /* SOSRecoveryKeyBag.m in Sources */ = {isa = PBXBuildFile; fileRef = 48776C731DA5BB4200CC09B9 /* SOSRecoveryKeyBag.m */; }; DCD8A1C71E09F2B400E4FA0A /* SOSTransport.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D741D8085F200865A7C /* SOSTransport.m */; }; - DCD8A1DA1E09F54700E4FA0A /* SOSAccountDer.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D1C1D8085F200865A7C /* SOSAccountDer.m */; }; DCD8A1DB1E09F5D100E4FA0A /* SOSAccountTrust.m in Sources */ = {isa = PBXBuildFile; fileRef = CD31F8601DCD4C1400414B46 /* SOSAccountTrust.m */; }; DCD8A1DC1E09F5E500E4FA0A /* SOSAccount.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D131D8085F200865A7C /* SOSAccount.h */; }; DCD8A1DD1E09F73F00E4FA0A /* SOSPeerInfoDER.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D661D8085F200865A7C /* SOSPeerInfoDER.h */; }; 
@@ -3916,7 +4233,6 @@ DCD8A1E01E09F76800E4FA0A /* SOSPeerInfoRingState.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D6E1D8085F200865A7C /* SOSPeerInfoRingState.h */; }; DCD8A1E11E09F76D00E4FA0A /* SOSPeerInfoSecurityProperties.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D701D8085F200865A7C /* SOSPeerInfoSecurityProperties.h */; }; DCD8A1E21E09F78A00E4FA0A /* SOSTransportCircle.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D791D8085F200865A7C /* SOSTransportCircle.h */; }; - DCD8A1E31E09F7E700E4FA0A /* SOSAccountCloudParameters.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D1A1D8085F200865A7C /* SOSAccountCloudParameters.m */; }; DCD8A1E41E09F80B00E4FA0A /* libSecureObjectSyncFramework.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DCD8A1991E09EE0F00E4FA0A /* libSecureObjectSyncFramework.a */; }; DCD8A1E71E09F85400E4FA0A /* libSecureObjectSyncFramework.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DCD8A1991E09EE0F00E4FA0A /* libSecureObjectSyncFramework.a */; }; DCD8A1EA1E09F87B00E4FA0A /* libSecureObjectSyncFramework.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DCD8A1991E09EE0F00E4FA0A /* libSecureObjectSyncFramework.a */; }; 
@@ -3927,12 +4243,22 @@ DCD8A1F91E09F98E00E4FA0A /* libSecureObjectSyncFramework.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DCD8A1991E09EE0F00E4FA0A /* libSecureObjectSyncFramework.a */; }; DCD8A1FC1E09FA0B00E4FA0A /* libSecureObjectSyncFramework.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DCD8A1991E09EE0F00E4FA0A /* libSecureObjectSyncFramework.a */; }; DCD8A1FF1E09FA6100E4FA0A /* secViewDisplay.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D9E1D8085F200865A7C /* secViewDisplay.c */; }; - DCD8A2001E09FA7900E4FA0A /* secToolFileIO.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D931D8085F200865A7C /* secToolFileIO.c */; }; DCD8A2011E09FAD900E4FA0A /* libSecureObjectSyncFramework.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DCD8A1991E09EE0F00E4FA0A /* libSecureObjectSyncFramework.a */; }; DCD8A2041E09FB0D00E4FA0A /* libSecureObjectSyncFramework.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DCD8A1991E09EE0F00E4FA0A /* libSecureObjectSyncFramework.a */; }; DCD8A20A1E09FB5900E4FA0A /* libSecureObjectSyncFramework.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DCD8A1991E09EE0F00E4FA0A /* libSecureObjectSyncFramework.a */; settings = {ATTRIBUTES = (Weak, ); }; }; DCD8A20B1E09FB5A00E4FA0A /* libSecureObjectSyncFramework.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DCD8A1991E09EE0F00E4FA0A /* libSecureObjectSyncFramework.a */; }; DCD8A20C1E09FB6600E4FA0A /* libSecureObjectSyncFramework.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DCD8A1991E09EE0F00E4FA0A /* libSecureObjectSyncFramework.a */; }; + DCDB296C1FD8820400B5D242 /* SFAnalytics.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9DB1F1540CE0082882F /* SFAnalytics.m */; }; + DCDB296E1FD8821400B5D242 /* SFAnalyticsActivityTracker.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CBF65381FA147E500A68667 /* SFAnalyticsActivityTracker.m */; }; + DCDB29701FD8821800B5D242 /* SFAnalyticsMultiSampler.m in Sources */ = {isa = PBXBuildFile; fileRef = 
6CDB5FED1FA78CB400410924 /* SFAnalyticsMultiSampler.m */; }; + DCDB29721FD8821D00B5D242 /* SFAnalyticsSampler.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CDF8DE61F95562B00140B54 /* SFAnalyticsSampler.m */; }; + DCDB29741FD8822200B5D242 /* SFAnalyticsSQLiteStore.m in Sources */ = {isa = PBXBuildFile; fileRef = 6C69518D1F75A7DB00F68F91 /* SFAnalyticsSQLiteStore.m */; }; + DCDB29791FD8844C00B5D242 /* client.c in Sources */ = {isa = PBXBuildFile; fileRef = 7908507F0CA87CF00083CC4D /* client.c */; }; + DCDB297A1FD8845600B5D242 /* client_endpoint.m in Sources */ = {isa = PBXBuildFile; fileRef = DC844AEC1E81F315007AAB71 /* client_endpoint.m */; }; + DCDB297B1FD8847100B5D242 /* SecTask.c in Sources */ = {isa = PBXBuildFile; fileRef = 107226D00D91DB32003CF14F /* SecTask.c */; }; + DCDB297C1FD8848A00B5D242 /* SFSQLite.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BC1F152EB10082882F /* SFSQLite.m */; }; + DCDB297D1FD8849A00B5D242 /* SFSQLiteStatement.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BF1F152EB10082882F /* SFSQLiteStatement.m */; }; + DCDB297E1FD8849D00B5D242 /* SFObjCType.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9BE1F152EB10082882F /* SFObjCType.m */; }; DCDCC7E31D9B54EE006487E8 /* secd-202-recoverykey.m in Sources */ = {isa = PBXBuildFile; fileRef = DCDCC7DD1D9B54DF006487E8 /* secd-202-recoverykey.m */; }; DCDCC7E51D9B5526006487E8 /* SOSAccountSync.m in Sources */ = {isa = PBXBuildFile; fileRef = DCDCC7E41D9B551C006487E8 /* SOSAccountSync.m */; }; DCDCC8331D9B6A00006487E8 /* libcoretls.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 0CFC029B1D41650700E6283B /* libcoretls.dylib */; }; 
@@ -3946,6 +4272,12 @@ DCDCCB3E1DF25DA0006E840E /* ApplePushService.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DC9EBA231DEE36FE00D0F733 /* ApplePushService.framework */; }; DCDCCB8F1DF7B8D4006E840E /* CKKSItem.h in Headers */ = {isa = PBXBuildFile; fileRef = DCDCCB8D1DF7B8D4006E840E /* CKKSItem.h */; }; DCDCCB901DF7B8D4006E840E /* CKKSItem.m in Sources */ = {isa = PBXBuildFile; fileRef = DCDCCB8E1DF7B8D4006E840E /* CKKSItem.m */; }; + DCDD59CC1F69ACF70060641E /* SOSCloudCircleInternal.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = DCC78D8B1D8085F200865A7C /* SOSCloudCircleInternal.h */; }; + DCDD59CD1F69ACF70060641E /* SOSTypes.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = DCC78D8F1D8085F200865A7C /* SOSTypes.h */; }; + DCDD59CE1F69ACF70060641E /* SOSViews.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = DCC78D4B1D8085F200865A7C /* SOSViews.h */; }; + DCDD59CF1F69ACF70060641E /* SOSPeerInfo.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = DCC78D641D8085F200865A7C /* SOSPeerInfo.h */; }; + DCDD59D01F69ACF70060641E /* SOSCloudCircle.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = DCC78D8A1D8085F200865A7C /* SOSCloudCircle.h */; }; + DCDD59D21F69ACF70060641E /* SOSBackupSliceKeyBag.h in Copy SecureObjectSync Headers */ = {isa = PBXBuildFile; fileRef = DCC78D2A1D8085F200865A7C /* SOSBackupSliceKeyBag.h */; }; DCDF0A4F1D81D76F007AF174 /* Security.exp-in in Sources */ = {isa = PBXBuildFile; fileRef = 4CB7405F0A47498100D641BB /* Security.exp-in */; }; DCE278DD1ED789EF0083B485 /* CKKSCurrentItemPointer.h in Headers */ = {isa = PBXBuildFile; fileRef = DCE278DB1ED789EF0083B485 /* CKKSCurrentItemPointer.h */; }; DCE278DE1ED789EF0083B485 /* CKKSCurrentItemPointer.h in Headers */ = {isa = PBXBuildFile; fileRef = DCE278DB1ED789EF0083B485 /* CKKSCurrentItemPointer.h */; }; 
@@ -4120,6 +4452,10 @@ DCE4E94A1D7F3E8E00AFB96E /* com.apple.security.keychain-circle-notification.plist in Resources */ = {isa = PBXBuildFile; fileRef = DCE4E9461D7F3E8700AFB96E /* com.apple.security.keychain-circle-notification.plist */; }; DCE4E94B1D7F3E8E00AFB96E /* InfoPlist.strings in Resources */ = {isa = PBXBuildFile; fileRef = DCE4E9471D7F3E8700AFB96E /* InfoPlist.strings */; }; DCE4E9711D7F3EBB00AFB96E /* com.apple.security.keychain-circle-notification.plist in Install launchd plist */ = {isa = PBXBuildFile; fileRef = DCE4E9461D7F3E8700AFB96E /* com.apple.security.keychain-circle-notification.plist */; }; + DCE5DC0F1EA80256006308A6 /* SOSSysdiagnose.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D8C1D8085F200865A7C /* SOSSysdiagnose.m */; }; + DCE5DC101EA802DA006308A6 /* secToolFileIO.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D921D8085F200865A7C /* secToolFileIO.h */; }; + DCE5DC111EA80348006308A6 /* accountCirclesViewsPrint.h in Headers */ = {isa = PBXBuildFile; fileRef = 48C2F9331E4BCFC30093D70C /* accountCirclesViewsPrint.h */; }; + DCE5DC121EA80369006308A6 /* libSOSCommands.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC52EC341D80CFB200B0A59C /* libSOSCommands.a */; }; DCE7F2091F21726500DDB0F7 /* CKKSAPSReceiverTests.m in Sources */ = {isa = PBXBuildFile; fileRef = DCE7F2081F21726500DDB0F7 /* CKKSAPSReceiverTests.m */; }; DCE809F31D9342BE00F91177 /* com.apple.securityd.plist in CopyFiles */ = {isa = PBXBuildFile; fileRef = DCEE1E851D93424D00DC0EB7 /* com.apple.securityd.plist */; }; DCEA5D551E2826DB0089CF55 /* CKKSSIV.h in Headers */ = {isa = PBXBuildFile; fileRef = DCEA5D531E2826DB0089CF55 /* CKKSSIV.h */; }; 
@@ -4138,7 +4474,6 @@ DCEDE3921D80B10E00C3826E /* SecOTRDHKey.h in Headers */ = {isa = PBXBuildFile; fileRef = 4AF7FFF415AFB73800B9D400 /* SecOTRDHKey.h */; }; DCEDE3931D80B11200C3826E /* SecOTR.h in Headers */ = {isa = PBXBuildFile; fileRef = 4AF7FFF315AFB73800B9D400 /* SecOTR.h */; }; DCEDE3941D80B11800C3826E /* SecPasswordGenerate.h in Headers */ = {isa = PBXBuildFile; fileRef = CDDE9BC31729AB910013B0E8 /* SecPasswordGenerate.h */; }; - DCEDE3951D80B12000C3826E /* secToolFileIO.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78D921D8085F200865A7C /* secToolFileIO.h */; }; DCEDE3961D80B12600C3826E /* SecTrustInternal.h in Headers */ = {isa = PBXBuildFile; fileRef = DCC78E921D8085FC00865A7C /* SecTrustInternal.h */; }; DCEE1E861D93427400DC0EB7 /* com.apple.securityd.plist in Resources */ = {isa = PBXBuildFile; fileRef = DCE4E80D1D7A4E3A00AFB96E /* com.apple.securityd.plist */; }; DCF7839D1D88B60D00E694BB /* aesCommon.h in Headers */ = {isa = PBXBuildFile; fileRef = DCF783151D88B60D00E694BB /* aesCommon.h */; }; 
@@ -4454,7 +4789,7 @@ DCF789481D88D17C00E694BB /* AppleX509TPBuiltin.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DCF789471D88D17C00E694BB /* AppleX509TPBuiltin.cpp */; }; DCF7A8A01F04502400CABE89 /* CKKSControlProtocol.h in Headers */ = {isa = PBXBuildFile; fileRef = DCF7A89F1F04502300CABE89 /* CKKSControlProtocol.h */; }; DCF7A8A11F04502400CABE89 /* CKKSControlProtocol.h in Headers */ = {isa = PBXBuildFile; fileRef = DCF7A89F1F04502300CABE89 /* CKKSControlProtocol.h */; }; - DCF7A8A51F0451AC00CABE89 /* CKKSControlProtocol.m in Sources */ = {isa = PBXBuildFile; fileRef = DCF7A8A21F0450EB00CABE89 /* CKKSControlProtocol.m */; }; + DCFABF8E20081E2F001128B5 /* CKKSDeviceStateUploadTests.m in Sources */ = {isa = PBXBuildFile; fileRef = DCFABF8D20081E2F001128B5 /* CKKSDeviceStateUploadTests.m */; }; DCFAEDCF1D999859005187E4 /* SOSAccountGhost.m in Sources */ = {isa = PBXBuildFile; fileRef = DCFAEDC81D999851005187E4 /* SOSAccountGhost.m */; }; DCFAEDD21D99991F005187E4 /* secd-668-ghosts.m in Sources */ = {isa = PBXBuildFile; fileRef = DCFAEDD11D9998DD005187E4 /* secd-668-ghosts.m */; }; DCFAEDD61D99A47A005187E4 /* secd-36-ks-encrypt.m in Sources */ = {isa = PBXBuildFile; fileRef = DCFAEDD51D99A464005187E4 /* secd-36-ks-encrypt.m */; }; 
@@ -4581,6 +4916,12 @@ EB10559E1E14E39D0003C309 /* CoreFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E43C48C1B00D07000E5ECB2 /* CoreFoundation.framework */; }; EB10559F1E14E3A80003C309 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 52D82BD316A5EADA0078DFE5 /* Security.framework */; }; EB108F261E6CE4D2003B0456 /* KCPairingTest.m in Sources */ = {isa = PBXBuildFile; fileRef = EB413B7E1E663A8300592085 /* KCPairingTest.m */; }; + EB10A3E520356E2000E84270 /* OTConstants.h in Headers */ = {isa = PBXBuildFile; fileRef = EB10A3E320356E2000E84270 /* OTConstants.h */; settings = {ATTRIBUTES = (Private, ); }; }; + EB10A3E620356E2000E84270 /* OTConstants.m in Sources */ = {isa = PBXBuildFile; fileRef = EB10A3E420356E2000E84270 /* OTConstants.m */; }; + EB10A3E720356E6500E84270 /* OTConstants.m in Sources */ = {isa = PBXBuildFile; fileRef = EB10A3E420356E2000E84270 /* OTConstants.m */; }; + EB10A3E820356E6500E84270 /* OTConstants.m in Sources */ = {isa = PBXBuildFile; fileRef = EB10A3E420356E2000E84270 /* OTConstants.m */; }; + EB10A3E920356E7A00E84270 /* OTConstants.m in Sources */ = {isa = PBXBuildFile; fileRef = EB10A3E420356E2000E84270 /* OTConstants.m */; }; + EB10A3FC2035789B00E84270 /* OTConstants.h in Headers */ = {isa = PBXBuildFile; fileRef = EB10A3E320356E2000E84270 /* OTConstants.h */; settings = {ATTRIBUTES = (Private, ); }; }; EB27FF2D1E407FF600EC9E3A /* ckksctl.m in Sources */ = {isa = PBXBuildFile; fileRef = EB27FF0C1E402C8000EC9E3A /* ckksctl.m */; }; EB27FF311E408DC700EC9E3A /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 52D82BD316A5EADA0078DFE5 /* Security.framework */; }; EB2CA4DA1D2C28F100AB770F /* libaks_acl.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4432AF8C1A01472C000958DC /* libaks_acl.a */; }; 
@@ -4599,10 +4940,42 @@ EB433A2E1CC325E900A7EACE /* secitemstresstest.entitlements in Resources */ = {isa = PBXBuildFile; fileRef = EB433A2D1CC325E900A7EACE /* secitemstresstest.entitlements */; }; EB48C1A51E573EE400EC5E57 /* whoami.m in Sources */ = {isa = PBXBuildFile; fileRef = DC52EA911D80CC2A00B0A59C /* whoami.m */; }; EB48C1A61E573EEC00EC5E57 /* sos.m in Sources */ = {isa = PBXBuildFile; fileRef = EB48C19E1E573EDC00EC5E57 /* sos.m */; }; + EB49B2B1202D8780003F34A0 /* secdmockaks.m in Sources */ = {isa = PBXBuildFile; fileRef = EB49B2B0202D8780003F34A0 /* secdmockaks.m */; }; + EB49B2BB202D8894003F34A0 /* libsecurityd_ios.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC52E7C21D80BC8000B0A59C /* libsecurityd_ios.a */; }; + EB49B2BC202DEF14003F34A0 /* libsqlite3.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = 6CB96BB41F966E0C00E11457 /* libsqlite3.tbd */; }; + EB49B2BD202DEF29003F34A0 /* libSecureObjectSyncFramework.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DCD8A1991E09EE0F00E4FA0A /* libSecureObjectSyncFramework.a */; }; + EB49B2BE202DEF29003F34A0 /* libSecureObjectSyncServer.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC52E8C61D80C25800B0A59C /* libSecureObjectSyncServer.a */; }; + EB49B2BF202DEF67003F34A0 /* libsecurity.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DCC78EA91D8088E200865A7C /* libsecurity.a */; }; + EB49B2C0202DEF7D003F34A0 /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC0BCC361D8C684F00070CB0 /* libutilities.a */; }; + EB49B2C1202DEF8D003F34A0 /* libASN1_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC8834081D8A218F00CE0ACA /* libASN1_not_installed.a */; }; + EB49B2C2202DF002003F34A0 /* libDER.a in Frameworks */ = {isa = PBXBuildFile; fileRef = D46246911F9AE2E400D63882 /* libDER.a */; }; + EB49B2C7202DF0E9003F34A0 /* IOKit.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CBCE5A90BE7F69100FF81F5 /* IOKit.framework */; }; + EB49B2CD202DF0F9003F34A0 /* 
SystemConfiguration.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E71F3E3016EA69A900FAF9B4 /* SystemConfiguration.framework */; }; + EB49B2D0202DF14D003F34A0 /* SFAnalytics.m in Sources */ = {isa = PBXBuildFile; fileRef = 4723C9DB1F1540CE0082882F /* SFAnalytics.m */; }; + EB49B2D1202DF15F003F34A0 /* SFAnalyticsActivityTracker.m in Sources */ = {isa = PBXBuildFile; fileRef = 6CBF65381FA147E500A68667 /* SFAnalyticsActivityTracker.m */; }; + EB49B2D2202DF17D003F34A0 /* SecurityFoundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DCE4E7C01D7A463E00AFB96E /* SecurityFoundation.framework */; }; + EB49B2D3202DF1AC003F34A0 /* SecdWatchdog.m in Sources */ = {isa = PBXBuildFile; fileRef = 476541641F339F6300413F65 /* SecdWatchdog.m */; }; + EB49B2D4202DF1C1003F34A0 /* client.c in Sources */ = {isa = PBXBuildFile; fileRef = 7908507F0CA87CF00083CC4D /* client.c */; }; + EB49B2D5202DF1D8003F34A0 /* SecTask.c in Sources */ = {isa = PBXBuildFile; fileRef = 107226D00D91DB32003CF14F /* SecTask.c */; }; + EB49B2D7202DF1F7003F34A0 /* server_endpoint.m in Sources */ = {isa = PBXBuildFile; fileRef = DC6ACC401E81DF9400125DC5 /* server_endpoint.m */; }; + EB49B2D8202DF1F7003F34A0 /* server_xpc.m in Sources */ = {isa = PBXBuildFile; fileRef = DCB2214A1E8B0861001598BC /* server_xpc.m */; }; + EB49B2D9202DF1F7003F34A0 /* server_security_helpers.c in Sources */ = {isa = PBXBuildFile; fileRef = DC4269061E82FBDF002B7110 /* server_security_helpers.c */; }; + EB49B2DB202DF20F003F34A0 /* spi.c in Sources */ = {isa = PBXBuildFile; fileRef = DCC78CB01D8085D800865A7C /* spi.c */; }; + EB49B2DD202DF259003F34A0 /* libbsm.tbd in Frameworks */ = {isa = PBXBuildFile; fileRef = EB49B2DC202DF251003F34A0 /* libbsm.tbd */; }; + EB49B2E0202DF5D7003F34A0 /* server_entitlement_helpers.c in Sources */ = {isa = PBXBuildFile; fileRef = DC5F35A41EE0F1A900900966 /* server_entitlement_helpers.c */; }; + EB49B2E2202DFDA3003F34A0 /* CoreCDP.framework in Frameworks */ = {isa = 
PBXBuildFile; fileRef = DCE4E9411D7F3E6E00AFB96E /* CoreCDP.framework */; }; + EB49B2E5202DFEB3003F34A0 /* mockaks.m in Sources */ = {isa = PBXBuildFile; fileRef = EB49B2E4202DFE7F003F34A0 /* mockaks.m */; }; + EB49B308202FF421003F34A0 /* OCMock.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 47D1838B1FB3827700CFCD89 /* OCMock.framework */; }; + EB49B310202FF4AC003F34A0 /* OCMock.framework in Embedded OCMock */ = {isa = PBXBuildFile; fileRef = DC3502E81E02172C00BC0587 /* OCMock.framework */; settings = {ATTRIBUTES = (RemoveHeadersOnCopy, ); }; }; EB4B6E201DC0682A00AFC494 /* SecADWrapper.c in Sources */ = {isa = PBXBuildFile; fileRef = EBF3749A1DC064200065D840 /* SecADWrapper.c */; }; EB4B6E261DC0683600AFC494 /* SecADWrapper.h in Headers */ = {isa = PBXBuildFile; fileRef = EBF3749B1DC064200065D840 /* SecADWrapper.h */; }; + EB4E0CDB1FF36A9700CDCACC /* CKKSReachabilityTracker.m in Sources */ = {isa = PBXBuildFile; fileRef = EB4E0CD51FF36A1900CDCACC /* CKKSReachabilityTracker.m */; }; + EB4E0CDC1FF36A9700CDCACC /* CKKSReachabilityTracker.m in Sources */ = {isa = PBXBuildFile; fileRef = EB4E0CD51FF36A1900CDCACC /* CKKSReachabilityTracker.m */; }; EB58A0511E74BF07009C10D7 /* Security.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = 52D82BD316A5EADA0078DFE5 /* Security.framework */; }; EB59D6731E95F01600997EAC /* libcompression.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = EB59D66B1E95EF2900997EAC /* libcompression.dylib */; }; + EB5E3BCC2003C67A00F1631B /* SecSignpost.h in Headers */ = {isa = PBXBuildFile; fileRef = EB5E3BC62003C66300F1631B /* SecSignpost.h */; settings = {ATTRIBUTES = (Private, ); }; }; + EB5E3BCD2003C67B00F1631B /* SecSignpost.h in Headers */ = {isa = PBXBuildFile; fileRef = EB5E3BC62003C66300F1631B /* SecSignpost.h */; settings = {ATTRIBUTES = (Private, ); }; }; + EB6667C7204CD69F000B404F /* testPlistDER.m in Sources */ = {isa = PBXBuildFile; fileRef = EB6667BE204CD65E000B404F /* testPlistDER.m */; }; 
EB6928C51D9C9C6E00062A18 /* SecRecoveryKey.h in Headers */ = {isa = PBXBuildFile; fileRef = EB6928BE1D9C9C5900062A18 /* SecRecoveryKey.h */; settings = {ATTRIBUTES = (Private, ); }; }; EB6928C61D9C9C6F00062A18 /* SecRecoveryKey.h in Headers */ = {isa = PBXBuildFile; fileRef = EB6928BE1D9C9C5900062A18 /* SecRecoveryKey.h */; settings = {ATTRIBUTES = (Private, ); }; }; EB6928CA1D9C9E1800062A18 /* rk_01_recoverykey.m in Sources */ = {isa = PBXBuildFile; fileRef = EB6928C91D9C9D9D00062A18 /* rk_01_recoverykey.m */; }; @@ -4615,7 +4988,6 @@ EB75B48A1E75405100E469CC /* libsecurity.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DCC78EA91D8088E200865A7C /* libsecurity.a */; }; EB75B48C1E75407C00E469CC /* libutilities.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC0BCC361D8C684F00070CB0 /* libutilities.a */; }; EB75B48D1E75408900E469CC /* libASN1_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC8834081D8A218F00CE0ACA /* libASN1_not_installed.a */; }; - EB75B48E1E75408C00E469CC /* libDER_not_installed.a in Frameworks */ = {isa = PBXBuildFile; fileRef = DC59E9EC1D91C9DC001BDDF5 /* libDER_not_installed.a */; }; EB75B48F1E75409A00E469CC /* libsqlite3.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 4CB740680A4749C800D641BB /* libsqlite3.dylib */; }; EB75B4901E7540AA00E469CC /* libctkclient_test.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 4469FBDC1AA0A45C0021AA26 /* libctkclient_test.a */; }; EB75B4911E7540BF00E469CC /* libcoreauthd_test_client.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 5E8B53A41AA0B8A600345E7B /* libcoreauthd_test_client.a */; }; 
@@ -4626,8 +4998,6 @@ EB78D3F91E600E93009AFE05 /* SOSCloudCircle.m in Sources */ = {isa = PBXBuildFile; fileRef = DCC78D891D8085F200865A7C /* SOSCloudCircle.m */; }; EB7AE6F81E86DACC00B80B15 /* SecPLWrappers.m in Sources */ = {isa = PBXBuildFile; fileRef = EB7AE6F61E86D55400B80B15 /* SecPLWrappers.m */; }; EB7AE6F91E86DAD200B80B15 /* SecPLWrappers.h in Headers */ = {isa = PBXBuildFile; fileRef = EB7AE6F71E86D55400B80B15 /* SecPLWrappers.h */; }; - EB7F50C51DB8800A003D787D /* CoreCDP.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DCE4E9411D7F3E6E00AFB96E /* CoreCDP.framework */; }; - EB7F50CC1DB88A03003D787D /* CoreCDP.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = DCE4E9411D7F3E6E00AFB96E /* CoreCDP.framework */; }; EB9C02481E8A15B40040D3C6 /* secd-37-pairing-initial-sync.m in Sources */ = {isa = PBXBuildFile; fileRef = EB9C02421E8A112A0040D3C6 /* secd-37-pairing-initial-sync.m */; }; EB9C1D7B1BDFD0E000F89272 /* Foundation.framework in Frameworks */ = {isa = PBXBuildFile; fileRef = E7FCBE431314471B000DE34E /* Foundation.framework */; }; EB9C1D7E1BDFD0E100F89272 /* secbackupntest.m in Sources */ = {isa = PBXBuildFile; fileRef = EB9C1D7D1BDFD0E100F89272 /* secbackupntest.m */; }; 
@@ -4684,7 +5054,7 @@ outputFiles = ( "$(BUILT_PRODUCTS_DIR)/$(PRODUCT_NAME).$(CURRENT_ARCH).exp", ); - script = "#!/bin/sh\n\nfor file in ${HEADER_SEARCH_PATHS[@]} ; do\nHEADER_SEARCH_OPTIONS=\"${HEADER_SEARCH_OPTIONS} -I${file}\"\ndone\n\nxcrun clang -E -Xpreprocessor -P -x c -arch ${CURRENT_ARCH} ${HEADER_SEARCH_OPTIONS} ${OTHER_INPUT_FILE_FLAGS} ${INPUT_FILE_PATH} -o ${BUILT_PRODUCTS_DIR}/${PRODUCT_NAME}.${CURRENT_ARCH}.exp\n"; + script = "#!/bin/sh\n\nfor file in ${HEADER_SEARCH_PATHS[@]} ; do\nHEADER_SEARCH_OPTIONS=\"${HEADER_SEARCH_OPTIONS} -I${file}\"\ndone\n\nfor prep in ${GCC_PREPROCESSOR_DEFINITIONS[@]} ; do\nPREPROCESSOR=\"${PREPROCESSOR} -D${prep}\"\ndone\n\nxcrun clang -E -Xpreprocessor -P -x objective-c -arch ${CURRENT_ARCH} ${HEADER_SEARCH_OPTIONS} ${OTHER_INPUT_FILE_FLAGS} ${PREPROCESSOR} ${INPUT_FILE_PATH} -o ${BUILT_PRODUCTS_DIR}/${PRODUCT_NAME}.${CURRENT_ARCH}.exp\n"; }; DC9FD3201F85818000C8AAC8 /* PBXBuildRule */ = { isa = PBXBuildRule; @@ -4719,7 +5089,7 @@ outputFiles = ( "$(BUILT_PRODUCTS_DIR)/$(PRODUCT_NAME).$(CURRENT_ARCH).exp", ); - script = "#!/bin/sh\n\nfor file in ${HEADER_SEARCH_PATHS[@]} ; do\nHEADER_SEARCH_OPTIONS=\"${HEADER_SEARCH_OPTIONS} -I${file}\"\ndone\n\nxcrun clang -E -Xpreprocessor -P -x c -arch ${CURRENT_ARCH} ${HEADER_SEARCH_OPTIONS} ${OTHER_INPUT_FILE_FLAGS} ${INPUT_FILE_PATH} -o ${BUILT_PRODUCTS_DIR}/${PRODUCT_NAME}.${CURRENT_ARCH}.exp\n"; + script = "#!/bin/sh\n\nfor file in ${HEADER_SEARCH_PATHS[@]} ; do\nHEADER_SEARCH_OPTIONS=\"${HEADER_SEARCH_OPTIONS} -I${file}\"\ndone\n\nfor prep in ${GCC_PREPROCESSOR_DEFINITIONS[@]} ; do\nPREPROCESSOR=\"${PREPROCESSOR} -D${prep}\"\ndone\n\nxcrun clang -E -Xpreprocessor -P -x objective-c -arch ${CURRENT_ARCH} ${HEADER_SEARCH_OPTIONS} ${OTHER_INPUT_FILE_FLAGS} ${PREPROCESSOR} ${INPUT_FILE_PATH} -o ${BUILT_PRODUCTS_DIR}/${PRODUCT_NAME}.${CURRENT_ARCH}.exp\n"; }; /* End PBXBuildRule section */ 
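Review bot: The new `for prep in ${GCC_PREPROCESSOR_DEFINITIONS[@]}` loop in this build-rule script appends to `PREPROCESSOR` without initialising it and relies on unquoted word splitting, so any value already in the script's environment, or a definition containing whitespace, reaches `clang -E` as extra or broken arguments. The output is the `.exp` file, which appears to be the product's export list, so a leaked or mis-split `-D` may change which symbols are emitted without an obvious build error. I would put `PREPROCESSOR=""` before the loop and add a script comment such as `# -D values are word-split here; definitions must not contain whitespace`. `${VAR[@]}` is also not POSIX sh syntax, so the `#!/bin/sh` line only works where sh is bash-compatible. The identical script change in the second hunk on this line (`@@ -4719,7 +5089,7 @@`) needs the same treatment.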
@@ -4759,6 +5129,62 @@ remoteGlobalIDString = 0C0BDB2E175685B000BC1A7E; remoteInfo = secdtests; }; + 0C78CCE41FCC97E7008B4B24 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 0C8BBEFD1FCB446400580909; + remoteInfo = otctl; + }; + 0C78CCE61FCC97F1008B4B24 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 0C8BBEFD1FCB446400580909; + remoteInfo = otctl; + }; + 0C85DFD51FB38BB6000343A7 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = DC222C371E034D1F00B09171; + remoteInfo = libsecurityd_ios_NO_AKS; + }; + 0C85DFD91FB38BB6000343A7 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = DC8834011D8A218F00CE0ACA; + remoteInfo = ASN1_not_installed; + }; + 0C85DFDB1FB38BB6000343A7 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = DC0BCC211D8C684F00070CB0; + remoteInfo = utilities; + }; + 0C85DFDD1FB38BB6000343A7 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = DCD8A1061E09EE0F00E4FA0A; + remoteInfo = SecureObjectSyncFramework; + }; + 0C85DFDF1FB38BB6000343A7 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = DC52E8BE1D80C25800B0A59C; + remoteInfo = SecureObjectSyncServer; + }; + 0C85DFE11FB38BB6000343A7 /* PBXContainerItemProxy */ = { + isa 
= PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = DCC78EA81D8088E200865A7C; + remoteInfo = security; + }; 0C99B73F131C984900584CF4 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; @@ -4801,6 +5227,34 @@ remoteGlobalIDString = 4381690B1B4EDCBD00C54D58; remoteInfo = SOSCCAuthPlugin; }; + 478D426E1FD72A8100CAB645 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = DC52EDA61D80D58400B0A59C; + remoteInfo = secdRegressions; + }; + 478D42701FD72A8100CAB645 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = DC0BCBD91D8C648C00070CB0; + remoteInfo = regressionBase; + }; + 478D42721FD72A8100CAB645 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = DC52E7731D80BC8000B0A59C; + remoteInfo = libsecurityd_ios; + }; + 478D42741FD72A8100CAB645 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = DCC78EA81D8088E200865A7C; + remoteInfo = security; + }; 47C51B8A1EEA657D0032D9E5 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; 
@@ -4808,6 +5262,34 @@ remoteGlobalIDString = DC1789031D77980500B50D50; remoteInfo = Security_osx; }; + 47DE88CD1FA7AD6200DD3254 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = DCC78EA81D8088E200865A7C; + remoteInfo = security; + }; + 47DE88D41FA7AD7000DD3254 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = DC52E7731D80BC8000B0A59C; + remoteInfo = libsecurityd_ios; + }; + 47DE88D61FA7ADAC00DD3254 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = DC0BCBD91D8C648C00070CB0; + remoteInfo = regressionBase; + }; + 47DE88D81FA7ADBB00DD3254 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = DC52EDA61D80D58400B0A59C; + remoteInfo = secdRegressions; + }; 4C52D0ED16EFCD720079966E /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; @@ -4871,13 +5353,6 @@ remoteGlobalIDString = 5346480017331E1100FE9172; remoteInfo = KeychainSyncAccountNotification; }; - 5DDD0BED16D6748900D6C0D6 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = 728B56A016D59979008FA3AB; - remoteInfo = OTAPKIAssetTool; - }; 5E10995319A5E80B00A60E2B /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; 
@@ -4906,12 +5381,19 @@ remoteGlobalIDString = 6CCDF7831E3C25FA003F2555; remoteInfo = KeychainEntitledTestRunner; }; - 6C98082E1E788AEB00E70590 /* PBXContainerItemProxy */ = { + 6C7C38801FD88C4700DFFE68 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 6C46056B1F882B9B001421B6; + remoteInfo = KeychainAnalyticsTests; + }; + 6C7C38871FD88C5A00DFFE68 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; proxyType = 1; - remoteGlobalIDString = DC59E9AC1D91C9DC001BDDF5; - remoteInfo = DER_not_installed; + remoteGlobalIDString = 6C46056B1F882B9B001421B6; + remoteInfo = KeychainAnalyticsTests; }; 6C9808301E788AEB00E70590 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; @@ -4955,13 +5437,6 @@ remoteGlobalIDString = DC222C371E034D1F00B09171; remoteInfo = libsecurityd_ios_NO_AKS; }; - 6C98086A1E788AFD00E70590 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = DC59E9AC1D91C9DC001BDDF5; - remoteInfo = DER_not_installed; - }; 6C98086C1E788AFD00E70590 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; 
@@ -5018,6 +5493,41 @@ remoteGlobalIDString = 6CF4A0DF1E4549F200ECD7B5; remoteInfo = KeychainEntitledTestApp_ios; }; + 6C9A49B11FAB647D00239D58 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = DC0BCC211D8C684F00070CB0; + remoteInfo = utilities; + }; + 6CAA8CE41F82FD08007B6E03 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 6C9AA79D1F7C1D8F00D08296; + remoteInfo = supdctl; + }; + 6CAA8CE81F82FD13007B6E03 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 6C9AA79D1F7C1D8F00D08296; + remoteInfo = supdctl; + }; + 6CAA8D3C1F8431BC007B6E03 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 6CAA8D1F1F842FB3007B6E03; + remoteInfo = supd; + }; + 6CAA8D3E1F8431C9007B6E03 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 6CAA8D1F1F842FB3007B6E03; + remoteInfo = supd; + }; ACBAF6FD1E941E090007BA2F /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; 
@@ -5158,13 +5668,6 @@ remoteGlobalIDString = D4ADA3181E2B41670031CEA3; remoteInfo = libtrustd; }; - D41257E31E941A8400781F23 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = DC59E9AC1D91C9DC001BDDF5; - remoteInfo = DER_not_installed; - }; D41257E51E941ACC00781F23 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; @@ -5291,13 +5794,6 @@ remoteGlobalIDString = 52D82BDD16A621F70078DFE5; remoteInfo = CloudKeychainProxy; }; - D41AD4591B978944008C7270 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = 728B56A016D59979008FA3AB; - remoteInfo = OTAPKIAssetTool; - }; D41AD45B1B978A7A008C7270 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; @@ -5361,13 +5857,6 @@ remoteGlobalIDString = 5EBE24791B00CCAE0007DB0E; remoteInfo = secacltests; }; - D41AD4711B978F76008C7270 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = 728B56A016D59979008FA3AB; - remoteInfo = OTAPKIAssetTool; - }; DA30D6811DF8C93500EC6B43 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; 
@@ -5634,13 +6123,6 @@ remoteGlobalIDString = DC52E8BE1D80C25800B0A59C; remoteInfo = SecureObjectSyncServer; }; - DC0B62951D90B6DB00D43BCB /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = DC1785041D77873100B50D50; - remoteInfo = copyHeadersToSystem; - }; DC0BB4431ED4D74A0035F886 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; 
@@ -5865,19 +6347,40 @@ remoteGlobalIDString = DC222C371E034D1F00B09171; remoteInfo = libsecurityd_ios_NO_AKS; }; - DC3502C31E020D4D00BC0587 /* PBXContainerItemProxy */ = { + DC26710F1F3E933700816EED /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; proxyType = 1; remoteGlobalIDString = DC8834011D8A218F00CE0ACA; remoteInfo = ASN1_not_installed; }; - DC3502C61E020D5600BC0587 /* PBXContainerItemProxy */ = { + DC34CD2C20326C2C00302481 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; proxyType = 1; - remoteGlobalIDString = DC59E9AC1D91C9DC001BDDF5; - remoteInfo = DER_not_installed; + remoteGlobalIDString = DC52E8BE1D80C25800B0A59C; + remoteInfo = SecureObjectSyncServer; + }; + DC34CD3320326C3100302481 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = DCD8A1061E09EE0F00E4FA0A; + remoteInfo = SecureObjectSyncFramework; + }; + DC34CD3520326C3B00302481 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = DC0BCC211D8C684F00070CB0; + remoteInfo = utilities; + }; + DC3502C31E020D4D00BC0587 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = DC8834011D8A218F00CE0ACA; + remoteInfo = ASN1_not_installed; }; DC3502CD1E020E2200BC0587 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; 
@@ -6033,90 +6536,6 @@ remoteGlobalIDString = 79DC33610D4E6EEA0039E4BC; remoteInfo = libCMS; }; - DC59EA751D91CC5E001BDDF5 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = DC59E9AC1D91C9DC001BDDF5; - remoteInfo = DER; - }; - DC59EA781D91CC78001BDDF5 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = DC59E9AC1D91C9DC001BDDF5; - remoteInfo = DER; - }; - DC59EA7C1D91CCAA001BDDF5 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = DC59E9AC1D91C9DC001BDDF5; - remoteInfo = DER; - }; - DC59EA801D91CD16001BDDF5 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = DC59E9AC1D91C9DC001BDDF5; - remoteInfo = DER; - }; - DC59EA831D91CD2C001BDDF5 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = DC59E9AC1D91C9DC001BDDF5; - remoteInfo = DER; - }; - DC59EA861D91CD76001BDDF5 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = DC59E9AC1D91C9DC001BDDF5; - remoteInfo = DER; - }; - DC59EA891D91CD89001BDDF5 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = DC59E9AC1D91C9DC001BDDF5; - remoteInfo = DER; - }; - DC59EA8C1D91CDB9001BDDF5 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object 
*/; - proxyType = 1; - remoteGlobalIDString = DC59E9AC1D91C9DC001BDDF5; - remoteInfo = DER; - }; - DC59EA8F1D91CDC6001BDDF5 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = DC59E9AC1D91C9DC001BDDF5; - remoteInfo = DER; - }; - DC59EA921D91CDD6001BDDF5 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = DC59E9AC1D91C9DC001BDDF5; - remoteInfo = DER; - }; - DC59EA951D91CDEE001BDDF5 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = DC59E9AC1D91C9DC001BDDF5; - remoteInfo = DER; - }; - DC59EA981D91CE8C001BDDF5 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = DC59E9AC1D91C9DC001BDDF5; - remoteInfo = DER; - }; DC5ABE1B1D832F5E00CF422C /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; @@ -6173,13 +6592,6 @@ remoteGlobalIDString = DC5AC04F1D8352D900CF422C; remoteInfo = securityd_macos; }; - DC5AC1331D835C2300CF422C /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = DC1785041D77873100B50D50; - remoteInfo = copyHeadersToSystem; - }; DC61096A1D78E60C002223DE /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; 
@@ -6579,20 +6991,6 @@ remoteGlobalIDString = DC8834011D8A218F00CE0ACA; remoteInfo = ASN1_not_installed; }; - DC71DA081D95BEE00065FB93 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = DC59E9AC1D91C9DC001BDDF5; - remoteInfo = DER_not_installed; - }; - DC71DA0A1D95BEF60065FB93 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = DC59E9AC1D91C9DC001BDDF5; - remoteInfo = DER_not_installed; - }; DC71DA0C1D95DD670065FB93 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; @@ -6621,6 +7019,13 @@ remoteGlobalIDString = DC8834011D8A218F00CE0ACA; remoteInfo = ASN1_not_installed; }; + DCB332461F47857D00178C30 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = DC52EC211D80CFB200B0A59C; + remoteInfo = SOSCommands; + }; DCB340181D8A248C0054D16E /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; 
@@ -6957,6 +7362,20 @@ remoteGlobalIDString = DCD8A1061E09EE0F00E4FA0A; remoteInfo = SecureObjectSyncFramework; }; + DCDB29751FD8839F00B5D242 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 0C85DFD11FB38BB6000343A7; + remoteInfo = OTTests_osx; + }; + DCDB29771FD883AB00B5D242 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = 0C85DFD11FB38BB6000343A7; + remoteInfo = OTTests_osx; + }; DCE4E6A91D7A38E700AFB96E /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; @@ -7027,6 +7446,13 @@ remoteGlobalIDString = DCE4E9101D7F3D5300AFB96E; remoteInfo = "Keychain Circle Notification"; }; + DCE5DC161EA804E5006308A6 /* PBXContainerItemProxy */ = { + isa = PBXContainerItemProxy; + containerPortal = 4C35DB69094F906D002917C4 /* Project object */; + proxyType = 1; + remoteGlobalIDString = DC52EC211D80CFB200B0A59C; + remoteInfo = SOSCommands; + }; DCF785001D88B80600E694BB /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; @@ -7482,13 +7908,6 @@ remoteGlobalIDString = DCD8A1061E09EE0F00E4FA0A; remoteInfo = SecureObjectSyncFramework; }; - EBFBC2B71E76588200A34469 /* PBXContainerItemProxy */ = { - isa = PBXContainerItemProxy; - containerPortal = 4C35DB69094F906D002917C4 /* Project object */; - proxyType = 1; - remoteGlobalIDString = DC59E9AC1D91C9DC001BDDF5; - remoteInfo = DER_not_installed; - }; EBFBC2B91E76588A00A34469 /* PBXContainerItemProxy */ = { isa = PBXContainerItemProxy; containerPortal = 4C35DB69094F906D002917C4 /* Project object */; 
@@ -7550,6 +7969,26 @@ ); runOnlyForDeploymentPostprocessing = 1; }; + 0C85DFFD1FB38BB6000343A7 /* Embed OCMock */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = ""; + dstSubfolderSpec = 10; + files = ( + 0C85DFFE1FB38BB6000343A7 /* OCMock.framework in Embed OCMock */, + ); + name = "Embed OCMock"; + runOnlyForDeploymentPostprocessing = 0; + }; + 0C8BBF041FCB446400580909 /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = /usr/share/man/man1/; + dstSubfolderSpec = 0; + files = ( + ); + runOnlyForDeploymentPostprocessing = 1; + }; 470415CD1E5E14B5001F3D95 /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 2147483647; @@ -7771,16 +8210,6 @@ ); runOnlyForDeploymentPostprocessing = 1; }; - 6C0B0C481E2537E2007F95E5 /* CopyFiles */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 8; - dstPath = /System/Library/AWD/Metadata; - dstSubfolderSpec = 0; - files = ( - 6C0B0C491E253832007F95E5 /* AwdMetadata-0x60-Keychain.bin in CopyFiles */, - ); - runOnlyForDeploymentPostprocessing = 1; - }; 6C0B0C4A1E253840007F95E5 /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 8; @@ -7802,6 +8231,26 @@ name = "Install man8 page"; runOnlyForDeploymentPostprocessing = 1; }; + 6C9AA79C1F7C1D8F00D08296 /* CopyFiles */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = /usr/share/man/man1/; + dstSubfolderSpec = 0; + files = ( + ); + runOnlyForDeploymentPostprocessing = 1; + }; + 6CAA8D1E1F842FB3007B6E03 /* Copy Manpage */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = /usr/share/man/man1/; + dstSubfolderSpec = 0; + files = ( + 6CDB600F1FA92D2B00410924 /* securityuploadd.8 in Copy Manpage */, + ); + name = "Copy Manpage"; + runOnlyForDeploymentPostprocessing = 1; + }; 6CCDF7821E3C25FA003F2555 /* Copy BATS Test Discovery plist */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 8; 
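Review bot: In the added "Copy Manpage" phase (`@@ -7802,6 +8231,26 @@`), the section-8 page `securityuploadd.8` is installed into `dstPath = /usr/share/man/man1/;`, where a lookup by section is unlikely to find it. The existing phase visible just above it in the same hunk is named "Install man8 page", so `dstPath = /usr/share/man/man8/;` looks like the intended destination. The two other new `CopyFiles` phases that target `/usr/share/man/man1/` have an empty `files` list; they look like unused template defaults and could be dropped.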
@@ -7933,28 +8382,15 @@ ); runOnlyForDeploymentPostprocessing = 1; }; - DC17886F1D77934100B50D50 /* Copy SecurityObjectSync Headers */ = { - isa = PBXCopyFilesBuildPhase; - buildActionMask = 8; - dstPath = PrivateHeaders/SecureObjectSync; - dstSubfolderSpec = 1; - files = ( - DC3C72E81D8376F900F6A832 /* SOSViews.h in Copy SecurityObjectSync Headers */, - DC3C72E71D8376F300F6A832 /* SOSPeerInfo.h in Copy SecurityObjectSync Headers */, - DC3C72E61D8376EC00F6A832 /* SOSCloudCircleInternal.h in Copy SecurityObjectSync Headers */, - DC3C72E51D8376E600F6A832 /* SOSCloudCircle.h in Copy SecurityObjectSync Headers */, - DC3C72E41D8376DE00F6A832 /* SOSBackupSliceKeyBag.h in Copy SecurityObjectSync Headers */, - DC3C72E31D8376D700F6A832 /* SOSTypes.h in Copy SecurityObjectSync Headers */, - ); - name = "Copy SecurityObjectSync Headers"; - runOnlyForDeploymentPostprocessing = 1; - }; DC1789E81D77A0E700B50D50 /* CopyFiles */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 2147483647; dstPath = en.lproj; dstSubfolderSpec = 7; files = ( + D479F6E31F981FD600388D28 /* OID.strings in CopyFiles */, + D479F6E41F981FD600388D28 /* Certificate.strings in CopyFiles */, + D479F6E51F981FD600388D28 /* Trust.strings in CopyFiles */, DC1789E91D77A0F300B50D50 /* CloudKeychain.strings in CopyFiles */, ); runOnlyForDeploymentPostprocessing = 0; @@ -8340,7 +8776,7 @@ name = "Install launchd plist"; runOnlyForDeploymentPostprocessing = 1; }; - E73288DD1AED7215008CE839 /* Copy SecureObjectSync Headers */ = { + DCF7F5D11F69AC28001042E9 /* Copy SecureObjectSync Headers */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 2147483647; dstPath = PrivateHeaders/SecureObjectSync; 
@@ -8351,12 +8787,28 @@ DC3C72ED1D83778100F6A832 /* SOSViews.h in Copy SecureObjectSync Headers */, DC3C72EC1D83777B00F6A832 /* SOSPeerInfo.h in Copy SecureObjectSync Headers */, DC3C72EB1D83777600F6A832 /* SOSCloudCircle.h in Copy SecureObjectSync Headers */, - DC3C72EA1D83777100F6A832 /* SOSPeerInfoV2.h in Copy SecureObjectSync Headers */, DC3C72E91D83776B00F6A832 /* SOSBackupSliceKeyBag.h in Copy SecureObjectSync Headers */, ); name = "Copy SecureObjectSync Headers"; runOnlyForDeploymentPostprocessing = 0; }; + E73288DD1AED7215008CE839 /* Copy SecureObjectSync Headers */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = PrivateHeaders/SecureObjectSync; + dstSubfolderSpec = 1; + files = ( + DC8EB58D1F70743100080CF2 /* SOSPeerInfoV2.h in Copy SecureObjectSync Headers */, + DCDD59CC1F69ACF70060641E /* SOSCloudCircleInternal.h in Copy SecureObjectSync Headers */, + DCDD59CD1F69ACF70060641E /* SOSTypes.h in Copy SecureObjectSync Headers */, + DCDD59CE1F69ACF70060641E /* SOSViews.h in Copy SecureObjectSync Headers */, + DCDD59CF1F69ACF70060641E /* SOSPeerInfo.h in Copy SecureObjectSync Headers */, + DCDD59D01F69ACF70060641E /* SOSCloudCircle.h in Copy SecureObjectSync Headers */, + DCDD59D21F69ACF70060641E /* SOSBackupSliceKeyBag.h in Copy SecureObjectSync Headers */, + ); + name = "Copy SecureObjectSync Headers"; + runOnlyForDeploymentPostprocessing = 0; + }; E7CFF7211C86602B00E3484E /* Install BATS Tests */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 8; 
@@ -8412,6 +8864,17 @@ ); runOnlyForDeploymentPostprocessing = 1; }; + EB49B30E202FF484003F34A0 /* Embedded OCMock */ = { + isa = PBXCopyFilesBuildPhase; + buildActionMask = 2147483647; + dstPath = ""; + dstSubfolderSpec = 10; + files = ( + EB49B310202FF4AC003F34A0 /* OCMock.framework in Embedded OCMock */, + ); + name = "Embedded OCMock"; + runOnlyForDeploymentPostprocessing = 0; + }; EB76B7561DCB0C6900C43FBC /* Install man8 page */ = { isa = PBXCopyFilesBuildPhase; buildActionMask = 8; 
@@ -8516,29 +8979,78 @@ 0C0C88771CCEC5BD00617D1B /* si-82-sectrust-ct-data */ = {isa = PBXFileReference; lastKnownFileType = folder; name = "si-82-sectrust-ct-data"; path = "../OSX/shared_regressions/si-82-sectrust-ct-data"; sourceTree = ""; }; 0C0CEC9D1DA45EA200C22FBC /* recovery_key.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = recovery_key.h; sourceTree = ""; }; 0C0CEC9E1DA45EA200C22FBC /* recovery_key.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = recovery_key.m; sourceTree = ""; }; + 0C16371F1FD12F1500210823 /* OTCloudStoreTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = OTCloudStoreTests.m; path = ot/tests/OTCloudStoreTests.m; sourceTree = ""; }; 0C2BCBA51D063F7D00ED7A2F /* dtlsEchoClient.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = dtlsEchoClient.c; sourceTree = ""; }; 0C2BCBA61D063F7D00ED7A2F /* dtlsEchoServer.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = dtlsEchoServer.c; sourceTree = ""; }; 0C2BCBA71D063F7D00ED7A2F /* README */ = {isa = PBXFileReference; lastKnownFileType = text; path = README; sourceTree = ""; }; 0C2BCBB91D06401F00ED7A2F /* dtlsEchoClient */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = dtlsEchoClient; sourceTree = BUILT_PRODUCTS_DIR; }; 0C2BCBCE1D0648D100ED7A2F /* dtlsEchoServer */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = dtlsEchoServer; sourceTree = BUILT_PRODUCTS_DIR; }; + 0C36B3172007EE6C0029F7A2 /* OTPreflightInfo.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = OTPreflightInfo.m; path = ot/OTPreflightInfo.m; sourceTree = ""; }; + 0C36B3202007EE9B0029F7A2 /* OTPreflightInfo.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = OTPreflightInfo.h; path = ot/OTPreflightInfo.h; 
sourceTree = ""; }; 0C3C00721EF3636300AB19FE /* secd-155-otr-negotiation-monitor.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "secd-155-otr-negotiation-monitor.m"; sourceTree = ""; }; + 0C46A57A2035019800F17112 /* OTLockStateNetworkingTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = OTLockStateNetworkingTests.m; path = ot/tests/OTLockStateNetworkingTests.m; sourceTree = ""; }; 0C48990A1E0E0FF300C6CF70 /* SOSTransportCircleCK.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SOSTransportCircleCK.h; sourceTree = ""; }; 0C4899111E0E105D00C6CF70 /* SOSTransportCircleCK.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SOSTransportCircleCK.m; sourceTree = ""; }; 0C48991B1E0F384700C6CF70 /* SOSAccountTrustClassic.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = SOSAccountTrustClassic.m; path = SecureObjectSync/SOSAccountTrustClassic.m; sourceTree = ""; }; 0C4899221E0F386900C6CF70 /* SOSAccountTrustClassic.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SOSAccountTrustClassic.h; path = SecureObjectSync/SOSAccountTrustClassic.h; sourceTree = ""; }; 0C4899241E0F38FA00C6CF70 /* SOSAccountTrustOctagon.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = SOSAccountTrustOctagon.m; path = SecureObjectSync/SOSAccountTrustOctagon.m; sourceTree = ""; }; 0C4899261E0F399B00C6CF70 /* SOSAccountTrustOctagon.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SOSAccountTrustOctagon.h; path = SecureObjectSync/SOSAccountTrustOctagon.h; sourceTree = ""; }; + 0C52C1FE20003BCA003F0733 /* OTTestsBase.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = OTTestsBase.m; path = ot/tests/OTTestsBase.m; sourceTree = ""; }; + 
0C52C20520004248003F0733 /* OTTestsBase.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = OTTestsBase.h; path = ot/tests/OTTestsBase.h; sourceTree = ""; }; + 0C5CFB37201960FF00913B9C /* OTRamping.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = OTRamping.m; path = ot/OTRamping.m; sourceTree = ""; }; + 0C5CFB3F201962FF00913B9C /* OTRamping.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = OTRamping.h; path = ot/OTRamping.h; sourceTree = ""; }; + 0C5F4FD71F952FEA00AF1616 /* secd-700-sftm.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "secd-700-sftm.m"; sourceTree = ""; }; 0C664AB2175926B20092D3D9 /* secdtests-entitlements.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "secdtests-entitlements.plist"; sourceTree = ""; }; + 0C770EC31FCF7E2000B5F0E2 /* OTCloudStore.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = OTCloudStore.m; path = ot/OTCloudStore.m; sourceTree = ""; }; 0C78F1C916A5E13400654E08 /* sectask_regressions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = sectask_regressions.h; sourceTree = ""; }; 0C78F1CA16A5E1BF00654E08 /* sectask-10-sectask.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "sectask-10-sectask.c"; sourceTree = ""; }; 0C78F1CB16A5E1BF00654E08 /* sectask_ipc.defs */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.mig; path = sectask_ipc.defs; sourceTree = ""; }; + 0C85E0031FB38BB6000343A7 /* OTTests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = OTTests.xctest; sourceTree = BUILT_PRODUCTS_DIR; }; + 0C85E0041FB38BB7000343A7 /* OTTests-Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist; name = "OTTests-Info.plist"; path = "/Users/ma/git/security/OTTests-Info.plist"; sourceTree = ""; }; + 
0C8A03451FDF42BA0042E8BE /* OTEscrowKeyTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = OTEscrowKeyTests.m; path = ot/tests/OTEscrowKeyTests.m; sourceTree = ""; }; + 0C8A034C1FDF4CCE0042E8BE /* OTLocalStoreTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = OTLocalStoreTests.m; path = ot/tests/OTLocalStoreTests.m; sourceTree = ""; }; + 0C8A034E1FDF60070042E8BE /* OTBottledPeerTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = OTBottledPeerTests.m; path = ot/tests/OTBottledPeerTests.m; sourceTree = ""; }; + 0C8BBE891FC9DA5200580909 /* OTCloudStore.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = OTCloudStore.h; path = ot/OTCloudStore.h; sourceTree = ""; }; + 0C8BBE8A1FC9DA5300580909 /* OTIdentity.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = OTIdentity.h; path = ot/OTIdentity.h; sourceTree = ""; }; + 0C8BBE8B1FC9DA5300580909 /* OTContext.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = OTContext.h; path = ot/OTContext.h; sourceTree = ""; }; + 0C8BBE8C1FC9DA5400580909 /* OTLocalStore.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = OTLocalStore.m; path = ot/OTLocalStore.m; sourceTree = ""; }; + 0C8BBE8D1FC9DA5400580909 /* OTIdentity.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = OTIdentity.m; path = ot/OTIdentity.m; sourceTree = ""; }; + 0C8BBE8E1FC9DA5500580909 /* OTLocalStore.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = OTLocalStore.h; path = ot/OTLocalStore.h; sourceTree = ""; }; + 0C8BBE921FC9DA5700580909 /* OTEscrowKeys.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = OTEscrowKeys.h; path = ot/OTEscrowKeys.h; sourceTree = ""; }; + 
0C8BBE931FC9DA5700580909 /* OTBottledPeer.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = OTBottledPeer.m; path = ot/OTBottledPeer.m; sourceTree = ""; }; + 0C8BBE951FC9DA5800580909 /* OTBottledPeer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = OTBottledPeer.h; path = ot/OTBottledPeer.h; sourceTree = ""; }; + 0C8BBE961FC9DA5900580909 /* OTEscrowKeys.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = OTEscrowKeys.m; path = ot/OTEscrowKeys.m; sourceTree = ""; }; + 0C8BBE971FC9DA5A00580909 /* OTDefines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = OTDefines.h; path = ot/OTDefines.h; sourceTree = ""; }; + 0C8BBE981FC9DA5A00580909 /* OTContext.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = OTContext.m; path = ot/OTContext.m; sourceTree = ""; }; + 0C8BBEAF1FC9DCA400580909 /* OTContextTests.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = OTContextTests.m; path = ot/tests/OTContextTests.m; sourceTree = ""; }; + 0C8BBEF71FCB405700580909 /* otctl.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = otctl.m; sourceTree = ""; }; + 0C8BBEF81FCB407700580909 /* otctl-Entitlements.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "otctl-Entitlements.plist"; sourceTree = ""; }; + 0C8BBF081FCB446400580909 /* otctl */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = otctl; sourceTree = BUILT_PRODUCTS_DIR; }; + 0C8BBF0B1FCB452200580909 /* OTControl.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = OTControl.h; path = ot/OTControl.h; sourceTree = ""; }; + 0C8BBF0C1FCB452200580909 /* OTControlProtocol.h */ = {isa = PBXFileReference; fileEncoding = 4; 
lastKnownFileType = sourcecode.c.h; name = OTControlProtocol.h; path = ot/OTControlProtocol.h; sourceTree = ""; }; + 0C8BBF0D1FCB452300580909 /* OTControlProtocol.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = OTControlProtocol.m; path = ot/OTControlProtocol.m; sourceTree = ""; }; + 0C8BBF0E1FCB452400580909 /* OTControl.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = OTControl.m; path = ot/OTControl.m; sourceTree = ""; }; + 0C8BBF0F1FCB481800580909 /* OTManager.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = OTManager.m; path = ot/OTManager.m; sourceTree = ""; }; + 0C8BBF101FCB486B00580909 /* OTManager.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = OTManager.h; path = ot/OTManager.h; sourceTree = ""; }; + 0CA4EBF1202B8D1C002B1D96 /* CloudKitKeychainSyncingTestsBase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CloudKitKeychainSyncingTestsBase.h; sourceTree = ""; }; + 0CA4EBF2202B8D1D002B1D96 /* CloudKitKeychainSyncingTestsBase.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = CloudKitKeychainSyncingTestsBase.m; sourceTree = ""; }; 0CAC5DBE1EB3DA4C00AD884B /* SOSPeerRateLimiter.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = SOSPeerRateLimiter.m; sourceTree = ""; }; 0CAC5DC51EB3DB3C00AD884B /* SOSPeerRateLimiter.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SOSPeerRateLimiter.h; sourceTree = ""; }; 0CAD1E221E032D4000537693 /* AggregateDictionary.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = AggregateDictionary.framework; path = "../../Library/Developer/Xcode/iOS DeviceSupport/11.0 (15A168)/Symbols/System/Library/PrivateFrameworks/AggregateDictionary.framework"; sourceTree = ""; }; 0CB321F01464A95F00587CD3 /* CreateCerts.sh */ 
= {isa = PBXFileReference; lastKnownFileType = text.script.sh; path = CreateCerts.sh; sourceTree = ""; }; + 0CB975502023B199008D6B48 /* OTRampingTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = OTRampingTests.m; path = ot/tests/OTRampingTests.m; sourceTree = ""; }; + 0CBDF64C1FFC951200433E0D /* OTBottledPeerTLK.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = OTBottledPeerTLK.m; path = ot/tests/OTBottledPeerTLK.m; sourceTree = ""; }; + 0CCCC7C720261D050024405E /* OT.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = OT.h; path = ot/OT.h; sourceTree = ""; }; + 0CCCC7C820261D310024405E /* OT.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = OT.m; path = ot/OT.m; sourceTree = ""; }; 0CCDE7161EEB08220021A946 /* secd-156-timers.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "secd-156-timers.m"; sourceTree = ""; }; 0CD8CB041ECA50780076F37F /* SOSPeerOTRTimer.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = SOSPeerOTRTimer.m; sourceTree = ""; }; 0CD8CB0C1ECA50D10076F37F /* SOSPeerOTRTimer.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SOSPeerOTRTimer.h; sourceTree = ""; }; + 0CD9E7FF1FE05B6600F66C38 /* OTContextRecord.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = OTContextRecord.m; path = ot/OTContextRecord.m; sourceTree = ""; }; + 0CD9E8071FE05B8700F66C38 /* OTContextRecord.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = OTContextRecord.h; path = ot/OTContextRecord.h; sourceTree = ""; }; + 0CE1BCC61FCE11480017230E /* OTBottledPeerSigned.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = OTBottledPeerSigned.m; path = ot/OTBottledPeerSigned.m; sourceTree = ""; }; + 0CE1BCCD1FCE11610017230E /* OTBottledPeerSigned.h */ = {isa = PBXFileReference; lastKnownFileType = 
sourcecode.c.h; name = OTBottledPeerSigned.h; path = ot/OTBottledPeerSigned.h; sourceTree = ""; }; + 0CE407AB1FD4769B00F59B31 /* OTCloudStoreState.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = OTCloudStoreState.m; path = ot/OTCloudStoreState.m; sourceTree = ""; }; + 0CE407B31FD476E000F59B31 /* OTCloudStoreState.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = OTCloudStoreState.h; path = ot/OTCloudStoreState.h; sourceTree = ""; }; 0CE760471E12F2F200B4381E /* SOSAccountTrustClassic+Expansion.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "SOSAccountTrustClassic+Expansion.m"; path = "SecureObjectSync/SOSAccountTrustClassic+Expansion.m"; sourceTree = ""; }; 0CE760491E12F30200B4381E /* SOSAccountTrustClassic+Circle.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "SOSAccountTrustClassic+Circle.m"; path = "SecureObjectSync/SOSAccountTrustClassic+Circle.m"; sourceTree = ""; }; 0CE7604B1E12F56800B4381E /* SOSAccountTrustClassic+Identity.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "SOSAccountTrustClassic+Identity.m"; path = "SecureObjectSync/SOSAccountTrustClassic+Identity.m"; sourceTree = ""; }; 
@@ -8547,6 +9059,10 @@ 0CE760511E1314F700B4381E /* SOSAccountTrustClassic+Identity.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = "SOSAccountTrustClassic+Identity.h"; path = "SecureObjectSync/SOSAccountTrustClassic+Identity.h"; sourceTree = ""; }; 0CE760531E13155100B4381E /* SOSAccountTrustClassic+Circle.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = "SOSAccountTrustClassic+Circle.h"; path = "SecureObjectSync/SOSAccountTrustClassic+Circle.h"; sourceTree = ""; }; 0CE760551E1316E900B4381E /* SOSAccountTrustClassic+Retirement.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = "SOSAccountTrustClassic+Retirement.h"; path = "SecureObjectSync/SOSAccountTrustClassic+Retirement.h"; sourceTree = ""; }; + 0CE98B5B1FA9360700CF1D54 /* libprequelite.tbd */ = {isa = PBXFileReference; lastKnownFileType = "sourcecode.text-based-dylib-definition"; name = libprequelite.tbd; path = usr/lib/libprequelite.tbd; sourceTree = SDKROOT; }; + 0CE98BAD1FA93AA900CF1D54 /* CKKSTests-Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist; name = "CKKSTests-Info.plist"; path = "/Volumes/Data/ma/git/security/CKKSTests-Info.plist"; sourceTree = ""; }; + 0CF0E2E31F8EE3B000BD18E4 /* SFTransactionMetric.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = SFTransactionMetric.m; sourceTree = ""; }; + 0CF0E2E71F8EE40700BD18E4 /* SFTransactionMetric.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SFTransactionMetric.h; sourceTree = ""; }; 0CFC029B1D41650700E6283B /* libcoretls.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libcoretls.dylib; path = usr/lib/libcoretls.dylib; sourceTree = SDKROOT; }; 107226D00D91DB32003CF14F /* SecTask.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecTask.c; sourceTree = ""; }; 
107226D10D91DB32003CF14F /* SecTask.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecTask.h; path = sectask/SecTask.h; sourceTree = ""; }; @@ -8554,7 +9070,6 @@ 18351B8F14CB65870097860E /* SecBase64.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecBase64.h; sourceTree = ""; }; 225394B41E3080A600D3CD9B /* libsecurity_codesigning_ios.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libsecurity_codesigning_ios.a; sourceTree = BUILT_PRODUCTS_DIR; }; 2281820D17B4686C0067C9C9 /* BackgroundTaskAgent.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = BackgroundTaskAgent.framework; path = System/Library/PrivateFrameworks/BackgroundTaskAgent.framework; sourceTree = SDKROOT; }; - 22C002A31AC9D33100B3469E /* OTAPKIAssetTool.xcconfig */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xcconfig; path = OTAPKIAssetTool.xcconfig; sourceTree = ""; }; 24CBF8731E9D4E4500F09F0E /* kc-44-secrecoverypassword.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "kc-44-secrecoverypassword.c"; path = "regressions/kc-44-secrecoverypassword.c"; sourceTree = ""; }; 433E519D1B66D5F600482618 /* AppSupport.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = AppSupport.framework; path = System/Library/PrivateFrameworks/AppSupport.framework; sourceTree = SDKROOT; }; 4381690C1B4EDCBD00C54D58 /* SOSCCAuthPlugin.bundle */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = SOSCCAuthPlugin.bundle; sourceTree = BUILT_PRODUCTS_DIR; }; 
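Review bot: The `CKKSTests-Info.plist` reference added in the `@@ -8547,6 +9059,10 @@` hunk uses a machine-specific absolute path, `path = "/Volumes/Data/ma/git/security/CKKSTests-Info.plist"`. The target therefore resolves only on the author's machine, and the shipped project file discloses a local volume and directory layout. A source-root-relative reference such as `path = "CKKSTests-Info.plist"; sourceTree = SOURCE_ROOT;` would avoid both, assuming the plist sits at the repository root as the absolute path suggests. The `OTTests-Info.plist` entry in the preceding hunk has the same problem with `/Users/ma/git/security/OTTests-Info.plist`.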
@@ -8571,7 +9086,11 @@ 470415CF1E5E14B5001F3D95 /* seckeychainnetworkextensionstest */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = seckeychainnetworkextensionstest; sourceTree = BUILT_PRODUCTS_DIR; }; 470415DB1E5E1534001F3D95 /* main.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = main.m; path = RegressionTests/seckeychainnetworkextensionstest/main.m; sourceTree = SOURCE_ROOT; }; 470415DD1E5E15B3001F3D95 /* seckeychainnetworkextensionstest.entitlements */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.entitlements; name = seckeychainnetworkextensionstest.entitlements; path = RegressionTests/seckeychainnetworkextensionstest/seckeychainnetworkextensionstest.entitlements; sourceTree = SOURCE_ROOT; }; + 470ACEF21F58C3A600D1D5BD /* SecDbKeychainItemV7.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecDbKeychainItemV7.h; sourceTree = ""; }; + 470ACEF31F58C3A600D1D5BD /* SecDbKeychainItemV7.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = SecDbKeychainItemV7.m; sourceTree = ""; }; 471024D91E79CB6D00844C09 /* CKKSTests.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CKKSTests.h; sourceTree = ""; }; + 472339611FD7155C00CB6A72 /* libprequelite.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libprequelite.dylib; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS12.0.Internal.sdk/usr/lib/libprequelite.dylib; sourceTree = DEVELOPER_DIR; }; + 472339681FD7156700CB6A72 /* CoreCDP.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CoreCDP.framework; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS12.0.Internal.sdk/System/Library/PrivateFrameworks/CoreCDP.framework; sourceTree = DEVELOPER_DIR; }; 4723C9BC1F152EB10082882F /* SFSQLite.m */ = {isa = 
PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = SFSQLite.m; sourceTree = ""; }; 4723C9BD1F152EB10082882F /* SFSQLite.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SFSQLite.h; sourceTree = ""; }; 4723C9BE1F152EB10082882F /* SFObjCType.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = SFObjCType.m; sourceTree = ""; }; 
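Review bot: The new `libprequelite.dylib` and `CoreCDP.framework` references resolve through `sourceTree = DEVELOPER_DIR` into a named SDK directory (`Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS12.0.Internal.sdk/...`) instead of through `SDKROOT`. These link inputs are then taken from that fixed directory regardless of which SDK the build is configured for, which makes the build harder to reproduce and audit. The file already has the SDK-relative form for the same library, `path = usr/lib/libprequelite.tbd; sourceTree = SDKROOT;`, and the dylib and framework entries should follow it, e.g. `path = System/Library/PrivateFrameworks/CoreCDP.framework; sourceTree = SDKROOT;`. The same pattern, pinned to `iPhoneOS11.3.sdk` and `iPhoneOS11.3.Internal.sdk`, recurs in the hunks at `@@ -8579,11 +9098,34 @@` and `@@ -8595,13 +9137,32 @@`, so the references as added mix 12.0 and 11.3 SDK directories.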
@@ -8579,11 +9098,34 @@ 4723C9C01F152EB10082882F /* SFObjCType.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SFObjCType.h; sourceTree = ""; }; 4723C9C11F152EB10082882F /* SFSQLiteStatement.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SFSQLiteStatement.h; sourceTree = ""; }; 4723C9D11F1531970082882F /* CKKSLoggerTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = CKKSLoggerTests.m; sourceTree = ""; }; - 4723C9DA1F1540CE0082882F /* SFAnalyticsLogger.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SFAnalyticsLogger.h; sourceTree = ""; }; - 4723C9DB1F1540CE0082882F /* SFAnalyticsLogger.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = SFAnalyticsLogger.m; sourceTree = ""; }; + 4723C9DA1F1540CE0082882F /* SFAnalytics.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SFAnalytics.h; sourceTree = ""; }; + 4723C9DB1F1540CE0082882F /* SFAnalytics.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = SFAnalytics.m; sourceTree = ""; }; + 4727FBB71F9918580003AE36 /* secdxctests_ios.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = secdxctests_ios.xctest; sourceTree = BUILT_PRODUCTS_DIR; }; + 4727FBB91F9918590003AE36 /* KeychainCryptoTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = KeychainCryptoTests.m; sourceTree = ""; }; + 4727FBBB1F9918590003AE36 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; }; + 4727FBC41F991C460003AE36 /* Foundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Foundation.framework; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.3.sdk/System/Library/Frameworks/Foundation.framework; sourceTree = DEVELOPER_DIR; }; + 4727FBCA1F991F510003AE36 /* 
Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.3.sdk/System/Library/Frameworks/Security.framework; sourceTree = DEVELOPER_DIR; }; + 4727FBCC1F991F660003AE36 /* libsqlite3.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libsqlite3.dylib; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.3.sdk/usr/lib/libsqlite3.dylib; sourceTree = DEVELOPER_DIR; }; + 4727FBCF1F991F820003AE36 /* SecurityFoundation.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; path = SecurityFoundation.framework; sourceTree = BUILT_PRODUCTS_DIR; }; + 4727FBD01F991F990003AE36 /* libMobileGestalt.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libMobileGestalt.dylib; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.3.sdk/usr/lib/libMobileGestalt.dylib; sourceTree = DEVELOPER_DIR; }; + 4727FBD21F9920290003AE36 /* CloudKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CloudKit.framework; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.3.sdk/System/Library/Frameworks/CloudKit.framework; sourceTree = DEVELOPER_DIR; }; + 4727FBD41F9920510003AE36 /* ProtocolBuffer.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = ProtocolBuffer.framework; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.3.Internal.sdk/System/Library/PrivateFrameworks/ProtocolBuffer.framework; sourceTree = DEVELOPER_DIR; }; + 4727FBD81F9920BB0003AE36 /* SystemConfiguration.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = SystemConfiguration.framework; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.3.Internal.sdk/System/Library/Frameworks/SystemConfiguration.framework; sourceTree = DEVELOPER_DIR; }; + 4727FBDA1F9920CB0003AE36 /* 
WirelessDiagnostics.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = WirelessDiagnostics.framework; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.3.Internal.sdk/System/Library/PrivateFrameworks/WirelessDiagnostics.framework; sourceTree = DEVELOPER_DIR; }; + 4727FBDC1F9920F10003AE36 /* libaks_acl.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libaks_acl.a; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.3.Internal.sdk/usr/local/lib/libaks_acl.a; sourceTree = DEVELOPER_DIR; }; + 4727FBDE1F99211D0003AE36 /* libaks.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libaks.a; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.3.Internal.sdk/usr/local/lib/libaks.a; sourceTree = DEVELOPER_DIR; }; + 4727FBE01F99212F0003AE36 /* IOKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = IOKit.framework; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.3.Internal.sdk/System/Library/Frameworks/IOKit.framework; sourceTree = DEVELOPER_DIR; }; + 4727FBE21F9921660003AE36 /* MobileKeyBag.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = MobileKeyBag.framework; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.3.Internal.sdk/System/Library/PrivateFrameworks/MobileKeyBag.framework; sourceTree = DEVELOPER_DIR; }; + 4727FBE41F99217A0003AE36 /* SharedWebCredentials.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = SharedWebCredentials.framework; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.3.Internal.sdk/System/Library/PrivateFrameworks/SharedWebCredentials.framework; sourceTree = DEVELOPER_DIR; }; + 4727FBE61F9921890003AE36 /* ApplePushService.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = ApplePushService.framework; path = 
Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.3.Internal.sdk/System/Library/PrivateFrameworks/ApplePushService.framework; sourceTree = DEVELOPER_DIR; }; + 4727FBE81F9921D00003AE36 /* libACM.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libACM.a; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.3.Internal.sdk/usr/local/lib/libACM.a; sourceTree = DEVELOPER_DIR; }; + 473337771FDAFBCC00E19F30 /* SFKeychainControlManager.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SFKeychainControlManager.h; sourceTree = ""; }; + 473337781FDAFBCC00E19F30 /* SFKeychainControlManager.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = SFKeychainControlManager.m; sourceTree = ""; }; + 473337821FDB29A200E19F30 /* KeychainCheck.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = KeychainCheck.h; sourceTree = ""; }; + 473337831FDB29A200E19F30 /* KeychainCheck.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = KeychainCheck.m; sourceTree = ""; }; 4738AE241E732D7E006BD53D /* SharedWebCredentials.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = SharedWebCredentials.framework; path = System/Library/PrivateFrameworks/SharedWebCredentials.framework; sourceTree = SDKROOT; }; 474B5FBF1E662E21007546F8 /* SecurityFoundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = SecurityFoundation.framework; path = ../../Builds/iphoneos11.0.internal/SecurityFoundation.framework; sourceTree = ""; }; - 475F371F1EE8F23900248FB5 /* SFAnalyticsLogging.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = SFAnalyticsLogging.plist; sourceTree = ""; }; + 475F371F1EE8F23900248FB5 /* SFAnalytics.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = SFAnalytics.plist; sourceTree = ""; }; 476541631F339F6300413F65 /* SecdWatchdog.h */ = {isa = 
PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecdWatchdog.h; sourceTree = ""; }; 476541641F339F6300413F65 /* SecdWatchdog.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = SecdWatchdog.m; sourceTree = ""; }; 476D87391E6750E200190352 /* CKKSManifestLeafRecord.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CKKSManifestLeafRecord.h; sourceTree = ""; }; 
@@ -8595,13 +9137,32 @@ 47702B2E1E5F492C00B29577 /* seckeychainnetworkextensionunauthorizedaccesstest */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = seckeychainnetworkextensionunauthorizedaccesstest; sourceTree = BUILT_PRODUCTS_DIR; }; 47702B351E5F495C00B29577 /* main.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = main.m; path = RegressionTests/seckeychainnetworkextensionunauthorizedaccesstest/main.m; sourceTree = SOURCE_ROOT; }; 47702B381E5F499A00B29577 /* seckeychainnetworkextensionunauthorizedaccesstest.entitlements */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.entitlements; name = seckeychainnetworkextensionunauthorizedaccesstest.entitlements; path = RegressionTests/seckeychainnetworkextensionunauthorizedaccesstest/seckeychainnetworkextensionunauthorizedaccesstest.entitlements; sourceTree = SOURCE_ROOT; }; - 479108B51EE879F9008CEFA0 /* CKKSAnalyticsLogger.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = CKKSAnalyticsLogger.h; path = ckks/CKKSAnalyticsLogger.h; sourceTree = ""; }; - 479108B61EE879F9008CEFA0 /* CKKSAnalyticsLogger.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = CKKSAnalyticsLogger.m; path = ckks/CKKSAnalyticsLogger.m; sourceTree = ""; }; + 477A1F4C20320E4900ACD81D /* Accounts.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Accounts.framework; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.3.Internal.sdk/System/Library/Frameworks/Accounts.framework; sourceTree = DEVELOPER_DIR; }; + 477A1FE1203763A500ACD81D /* KeychainAPITests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = KeychainAPITests.m; sourceTree = ""; }; + 477A1FEB2037A0E000ACD81D /* KeychainXCTest.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = KeychainXCTest.h; sourceTree = ""; }; + 
477A1FEC2037A0E000ACD81D /* KeychainXCTest.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = KeychainXCTest.m; sourceTree = ""; }; + 478D429C1FD72A8100CAB645 /* secdxctests_mac.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = secdxctests_mac.xctest; sourceTree = BUILT_PRODUCTS_DIR; }; + 479108B51EE879F9008CEFA0 /* CKKSAnalytics.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = CKKSAnalytics.h; path = ckks/CKKSAnalytics.h; sourceTree = ""; }; + 479108B61EE879F9008CEFA0 /* CKKSAnalytics.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = CKKSAnalytics.m; path = ckks/CKKSAnalytics.m; sourceTree = ""; }; + 47922D171FAA65120008F7E0 /* SecDbKeychainAKSSerializedWrappedKey.proto */ = {isa = PBXFileReference; lastKnownFileType = text; path = SecDbKeychainAKSSerializedWrappedKey.proto; sourceTree = ""; }; + 47922D201FAA75FF0008F7E0 /* SecDbKeychainSerializedMetadata.proto */ = {isa = PBXFileReference; lastKnownFileType = text; path = SecDbKeychainSerializedMetadata.proto; sourceTree = ""; }; + 47922D2C1FAA77970008F7E0 /* SecDbKeychainSerializedSecretData.proto */ = {isa = PBXFileReference; lastKnownFileType = text; path = SecDbKeychainSerializedSecretData.proto; sourceTree = ""; }; + 47922D361FAA7C030008F7E0 /* SecDbKeychainSerializedAKSWrappedKey.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SecDbKeychainSerializedAKSWrappedKey.m; sourceTree = ""; }; + 47922D371FAA7C040008F7E0 /* SecDbKeychainSerializedAKSWrappedKey.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecDbKeychainSerializedAKSWrappedKey.h; sourceTree = ""; }; + 47922D3A1FAA7C0F0008F7E0 /* SecDbKeychainSerializedMetadata.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SecDbKeychainSerializedMetadata.m; sourceTree = ""; }; + 
47922D3B1FAA7C100008F7E0 /* SecDbKeychainSerializedMetadata.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecDbKeychainSerializedMetadata.h; sourceTree = ""; }; + 47922D3E1FAA7C1A0008F7E0 /* SecDbKeychainSerializedSecretData.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecDbKeychainSerializedSecretData.h; sourceTree = ""; }; + 47922D3F1FAA7C1B0008F7E0 /* SecDbKeychainSerializedSecretData.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SecDbKeychainSerializedSecretData.m; sourceTree = ""; }; + 47922D4E1FAA7D5C0008F7E0 /* SecDbKeychainSerializedItemV7.proto */ = {isa = PBXFileReference; lastKnownFileType = text; path = SecDbKeychainSerializedItemV7.proto; sourceTree = ""; }; + 47922D501FAA7DF60008F7E0 /* SecDbKeychainSerializedItemV7.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecDbKeychainSerializedItemV7.h; sourceTree = ""; }; + 47922D511FAA7DF70008F7E0 /* SecDbKeychainSerializedItemV7.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SecDbKeychainSerializedItemV7.m; sourceTree = ""; }; + 47A05B101FDB5A8B00D0816E /* SFKeychainControl.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SFKeychainControl.h; sourceTree = ""; }; 47C51B841EEA657D0032D9E5 /* SecurityUnitTests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = SecurityUnitTests.xctest; sourceTree = BUILT_PRODUCTS_DIR; }; 47C51B861EEA657D0032D9E5 /* SecurityUnitTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = SecurityUnitTests.m; sourceTree = ""; }; 47C51B881EEA657D0032D9E5 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; }; 47CEED1E1E60DE900044EAB4 /* CKKSManifest.h */ = {isa = PBXFileReference; 
fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CKKSManifest.h; sourceTree = ""; }; 47CEED1F1E60DE900044EAB4 /* CKKSManifest.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = CKKSManifest.m; sourceTree = ""; }; + 47D1838B1FB3827700CFCD89 /* OCMock.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = OCMock.framework; path = Platforms/iPhoneOS.platform/Developer/AppleInternal/Library/Frameworks/OCMock.framework; sourceTree = DEVELOPER_DIR; }; 48284A041D1DB06E00C76CB7 /* README_os_log_prefs.txt */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; name = README_os_log_prefs.txt; path = OSX/sec/os_log/README_os_log_prefs.txt; sourceTree = ""; }; 483E79891DC875F2005C0008 /* secd-67-prefixedKeyIDs.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "secd-67-prefixedKeyIDs.m"; sourceTree = ""; }; 485B64081DC16E8300B771B9 /* SOSKeyedPubKeyIdentifier.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SOSKeyedPubKeyIdentifier.c; sourceTree = ""; }; 
@@ -8735,7 +9296,6 @@ 4CEF4CA70C5551FE00062475 /* SecCertificateInternal.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecCertificateInternal.h; sourceTree = ""; }; 4CF0484A0A5D988F00268236 /* SecItem.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecItem.h; path = keychain/SecItem.h; sourceTree = ""; }; 4CF0487F0A5F016300268236 /* SecItemPriv.h */ = {isa = PBXFileReference; fileEncoding = 30; lastKnownFileType = sourcecode.c.h; name = SecItemPriv.h; path = keychain/SecItemPriv.h; sourceTree = ""; }; - 4CF41D0A0BBB4022005F3248 /* SecCertificatePath.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecCertificatePath.h; sourceTree = ""; }; 4CF4C19C171E0EA600877419 /* Accounts.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Accounts.framework; path = System/Library/Frameworks/Accounts.framework; sourceTree = SDKROOT; }; 4CF730310EF9CDE300E17471 /* CFNetwork.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CFNetwork.framework; path = System/Library/Frameworks/CFNetwork.framework; sourceTree = SDKROOT; }; 4CFBF5F10D5A92E100969BBE /* SecPolicyInternal.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecPolicyInternal.h; sourceTree = ""; }; 
@@ -8756,8 +9316,8 @@ 5346481C173322BD00FE9172 /* KeychainSyncAccountNotification.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = KeychainSyncAccountNotification.h; sourceTree = ""; }; 5346481D173322BD00FE9172 /* KeychainSyncAccountNotification.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = KeychainSyncAccountNotification.m; sourceTree = ""; }; 53C0E1F2177FAC2C00F8A018 /* English */ = {isa = PBXFileReference; lastKnownFileType = text.plist.strings; name = English; path = English.lproj/CloudKeychain.strings; sourceTree = ""; }; - 5DDD0BDD16D6740E00D6C0D6 /* com.apple.OTAPKIAssetTool.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = com.apple.OTAPKIAssetTool.plist; sourceTree = ""; }; - 5DDD0BDE16D6740E00D6C0D6 /* OTAPKIAssetTool-entitlements.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = "OTAPKIAssetTool-entitlements.plist"; sourceTree = ""; }; + 5A94C6D1203CC1C60066E391 /* AOSAccountsLite.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = AOSAccountsLite.framework; path = System/Library/PrivateFrameworks/AOSAccountsLite.framework; sourceTree = SDKROOT; }; + 5A94C6D4203CC2590066E391 /* AuthKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = AuthKit.framework; path = System/Library/PrivateFrameworks/AuthKit.framework; sourceTree = SDKROOT; }; 5E10992519A5E55800A60E2B /* ISACLProtectedItems.bundle */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = ISACLProtectedItems.bundle; sourceTree = BUILT_PRODUCTS_DIR; }; 5E10992919A5E55800A60E2B /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; }; 5E10994E19A5E5CE00A60E2B /* ISProtectedItems.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType 
= text.plist.xml; path = ISProtectedItems.plist; sourceTree = ""; }; 
@@ -8777,7 +9337,10 @@ 5EBE247C1B00CCAE0007DB0E /* main.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = main.c; sourceTree = ""; }; 6C0B0C3D1E2537C6007F95E5 /* WirelessDiagnostics.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = WirelessDiagnostics.framework; path = System/Library/PrivateFrameworks/WirelessDiagnostics.framework; sourceTree = SDKROOT; }; 6C0B0C441E2537CC007F95E5 /* ProtocolBuffer.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = ProtocolBuffer.framework; path = System/Library/PrivateFrameworks/ProtocolBuffer.framework; sourceTree = SDKROOT; }; + 6C1260F21F7D5F25001B2EEC /* securityuploadd-osx.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "securityuploadd-osx.plist"; sourceTree = ""; }; + 6C1260FA1F7D631D001B2EEC /* securityuploadd-ios.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "securityuploadd-ios.plist"; sourceTree = ""; }; 6C1520CD1DCCF57A00C85C6D /* secd.8 */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = secd.8; sourceTree = ""; }; + 6C1A29FC1F882788002312D8 /* SFAnalyticsTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = SFAnalyticsTests.m; sourceTree = ""; }; 6C34462F1E24F6BE00F9522B /* CKKSRateLimiterTests.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = CKKSRateLimiterTests.m; sourceTree = ""; }; 6C34464F1E2534E800F9522B /* AWDKeychainCKKSRateLimiterAggregatedScores.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = AWDKeychainCKKSRateLimiterAggregatedScores.h; path = analytics/awd/AWDKeychainCKKSRateLimiterAggregatedScores.h; sourceTree = ""; }; 6C3446501E2534E800F9522B /* AWDKeychainCKKSRateLimiterAggregatedScores.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = 
AWDKeychainCKKSRateLimiterAggregatedScores.m; path = analytics/awd/AWDKeychainCKKSRateLimiterAggregatedScores.m; sourceTree = ""; }; 
@@ -8787,27 +9350,57 @@ 6C3446541E2534E800F9522B /* AWDKeychainCKKSRateLimiterTopWriters.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = AWDKeychainCKKSRateLimiterTopWriters.m; path = analytics/awd/AWDKeychainCKKSRateLimiterTopWriters.m; sourceTree = ""; }; 6C3446551E2534E800F9522B /* AwdMetadata-0x60-Keychain.bin */ = {isa = PBXFileReference; lastKnownFileType = archive.macbinary; name = "AwdMetadata-0x60-Keychain.bin"; path = "analytics/awd/AwdMetadata-0x60-Keychain.bin"; sourceTree = ""; }; 6C3446561E2534E800F9522B /* AWDMetricIds_Keychain.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = AWDMetricIds_Keychain.h; path = analytics/awd/AWDMetricIds_Keychain.h; sourceTree = ""; }; + 6C4605B81F882B9B001421B6 /* KeychainAnalyticsTests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = KeychainAnalyticsTests.xctest; sourceTree = BUILT_PRODUCTS_DIR; }; 6C5232D41E3C183F00330DB1 /* CloudKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CloudKit.framework; path = Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk/System/Library/Frameworks/CloudKit.framework; sourceTree = DEVELOPER_DIR; }; 6C588D791EAA149F00D7E322 /* RateLimiterTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = RateLimiterTests.m; sourceTree = ""; }; + 6C5B101B1F91613E009B091E /* supdctl-Entitlements.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "supdctl-Entitlements.plist"; sourceTree = ""; }; + 6C5B10211F9164F5009B091E /* securityuploadd.8 */ = {isa = PBXFileReference; lastKnownFileType = text; path = securityuploadd.8; sourceTree = ""; }; + 6C69517C1F758E1000F68F91 /* supdProtocol.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = supdProtocol.h; sourceTree = ""; }; + 6C69517D1F758E1000F68F91 /* supd.h */ = {isa = PBXFileReference; 
lastKnownFileType = sourcecode.c.h; path = supd.h; sourceTree = ""; }; + 6C69517E1F758E1000F68F91 /* supd.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = supd.m; sourceTree = ""; }; + 6C6951801F758E1000F68F91 /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = ""; }; + 6C6951821F758E1000F68F91 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; }; + 6C69518D1F75A7DB00F68F91 /* SFAnalyticsSQLiteStore.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = SFAnalyticsSQLiteStore.m; sourceTree = ""; }; + 6C69518E1F75A7DC00F68F91 /* SFAnalyticsSQLiteStore.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SFAnalyticsSQLiteStore.h; sourceTree = ""; }; + 6C69518F1F75A8C100F68F91 /* SFAnalyticsDefines.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SFAnalyticsDefines.h; sourceTree = ""; }; + 6C758CB01F8826100075BD78 /* SupdTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = SupdTests.m; sourceTree = ""; }; + 6C758CB21F8826100075BD78 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; }; + 6C7BB0032006B4EE004D1B6B /* SOSAnalytics.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = SOSAnalytics.m; path = Analytics/Clients/SOSAnalytics.m; sourceTree = SOURCE_ROOT; }; + 6C7BB0042006B4EF004D1B6B /* SOSAnalytics.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SOSAnalytics.h; path = Analytics/Clients/SOSAnalytics.h; sourceTree = SOURCE_ROOT; }; 6C860C741F4F63AD004100A1 /* SOSEnsureBackup.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SOSEnsureBackup.h; sourceTree = ""; }; 6C860C7A1F4F63DB004100A1 /* SOSEnsureBackup.m */ = {isa = PBXFileReference; 
lastKnownFileType = sourcecode.c.objc; path = SOSEnsureBackup.m; sourceTree = ""; }; 6C869A771F54C2D700957298 /* AWDKeychainSOSKeychainBackupFailed.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = AWDKeychainSOSKeychainBackupFailed.m; path = analytics/awd/AWDKeychainSOSKeychainBackupFailed.m; sourceTree = ""; }; 6C869A781F54C2D700957298 /* AWDKeychainSOSKeychainBackupFailed.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = AWDKeychainSOSKeychainBackupFailed.h; path = analytics/awd/AWDKeychainSOSKeychainBackupFailed.h; sourceTree = ""; }; + 6C8CE6BB1FA248B50032ADF0 /* SFAnalyticsActivityTracker+Internal.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "SFAnalyticsActivityTracker+Internal.h"; sourceTree = ""; }; + 6C8CE6C31FA24A670032ADF0 /* SFAnalyticsSampler+Internal.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "SFAnalyticsSampler+Internal.h"; sourceTree = ""; }; 6C9808611E788AEB00E70590 /* CKKSCloudKitTests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = CKKSCloudKitTests.xctest; sourceTree = BUILT_PRODUCTS_DIR; }; 6C98089D1E788AFD00E70590 /* CKKSCloudKitTests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = CKKSCloudKitTests.xctest; sourceTree = BUILT_PRODUCTS_DIR; }; + 6C9AA79E1F7C1D8F00D08296 /* supdctl */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = supdctl; sourceTree = BUILT_PRODUCTS_DIR; }; + 6C9AA7A01F7C1D9000D08296 /* main.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = main.m; sourceTree = ""; }; 6CA2B9431E9F9F5700C43444 /* RateLimiter.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = RateLimiter.h; sourceTree = ""; }; + 6CAA8D201F842FB3007B6E03 /* securityuploadd */ = {isa = PBXFileReference; 
explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = securityuploadd; sourceTree = BUILT_PRODUCTS_DIR; }; 6CB5F4751E4025AB00DBF3F0 /* CKKSCloudKitTestsInfo.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = CKKSCloudKitTestsInfo.plist; sourceTree = ""; }; 6CB5F4781E402E5700DBF3F0 /* KeychainCKKS.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; name = KeychainCKKS.plist; path = testrunner/KeychainCKKS.plist; sourceTree = ""; }; 6CB5F4791E402E5700DBF3F0 /* KeychainEntitledTestRunner-Entitlements.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = "KeychainEntitledTestRunner-Entitlements.plist"; sourceTree = ""; }; 6CB5F47A1E402E5700DBF3F0 /* KeychainEntitledTestRunner.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = KeychainEntitledTestRunner.m; sourceTree = ""; }; + 6CB96BB41F966E0C00E11457 /* libsqlite3.tbd */ = {isa = PBXFileReference; lastKnownFileType = "sourcecode.text-based-dylib-definition"; name = libsqlite3.tbd; path = usr/lib/libsqlite3.tbd; sourceTree = SDKROOT; }; + 6CBF65371FA147E500A68667 /* SFAnalyticsActivityTracker.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SFAnalyticsActivityTracker.h; sourceTree = ""; }; + 6CBF65381FA147E500A68667 /* SFAnalyticsActivityTracker.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = SFAnalyticsActivityTracker.m; sourceTree = ""; }; 6CC185971E24E87D009657D8 /* CKKSRateLimiter.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CKKSRateLimiter.h; sourceTree = ""; }; 6CC185981E24E87D009657D8 /* CKKSRateLimiter.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = CKKSRateLimiter.m; sourceTree = ""; }; 6CC7F5B31E9F99EE0014AE63 /* RateLimiter.m */ = {isa = PBXFileReference; fileEncoding 
= 4; lastKnownFileType = sourcecode.c.objc; path = RateLimiter.m; sourceTree = ""; }; + 6CC952421FB4C5CA0051A823 /* SFAnalytics+Internal.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "SFAnalytics+Internal.h"; sourceTree = ""; }; 6CCDF7841E3C25FA003F2555 /* KeychainEntitledTestRunner */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = KeychainEntitledTestRunner; sourceTree = BUILT_PRODUCTS_DIR; }; 6CCDF78B1E3C26BC003F2555 /* XCTest.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = XCTest.framework; path = Platforms/MacOSX.platform/Developer/Library/Frameworks/XCTest.framework; sourceTree = DEVELOPER_DIR; }; 6CCDF7911E3C2D69003F2555 /* CKKSCloudKitTests.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = CKKSCloudKitTests.m; sourceTree = ""; }; 6CD8D3B11EB22114009AC7DC /* AWDKeychainSecDbMarkedCorrupt.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = AWDKeychainSecDbMarkedCorrupt.h; path = analytics/awd/AWDKeychainSecDbMarkedCorrupt.h; sourceTree = ""; }; 6CD8D3B21EB22114009AC7DC /* AWDKeychainSecDbMarkedCorrupt.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = AWDKeychainSecDbMarkedCorrupt.m; path = analytics/awd/AWDKeychainSecDbMarkedCorrupt.m; sourceTree = ""; }; + 6CDB5FED1FA78CB400410924 /* SFAnalyticsMultiSampler.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SFAnalyticsMultiSampler.m; sourceTree = ""; }; + 6CDB5FF31FA78CB500410924 /* SFAnalyticsMultiSampler+Internal.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "SFAnalyticsMultiSampler+Internal.h"; sourceTree = ""; }; + 6CDB5FF41FA78CB500410924 /* SFAnalyticsMultiSampler.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = 
sourcecode.c.h; path = SFAnalyticsMultiSampler.h; sourceTree = ""; }; + 6CDB600E1FA92C1700410924 /* securityuploadd-Entitlements.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "securityuploadd-Entitlements.plist"; sourceTree = ""; }; + 6CDF8DE51F95562B00140B54 /* SFAnalyticsSampler.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SFAnalyticsSampler.h; sourceTree = ""; }; + 6CDF8DE61F95562B00140B54 /* SFAnalyticsSampler.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = SFAnalyticsSampler.m; sourceTree = ""; }; 6CE22D6F1E49206600974785 /* UIKit.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = UIKit.framework; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS11.0.Internal.sdk/System/Library/Frameworks/UIKit.framework; sourceTree = DEVELOPER_DIR; }; 6CF4A0B41E45488B00ECD7B5 /* KeychainEntitledTestApp.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = KeychainEntitledTestApp.app; sourceTree = BUILT_PRODUCTS_DIR; }; 6CF4A0B61E45488B00ECD7B5 /* AppDelegate.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AppDelegate.h; sourceTree = ""; }; 
@@ -8828,18 +9421,16 @@ 6CF4A0EE1E4549F300ECD7B5 /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Assets.xcassets; sourceTree = ""; }; 6CF4A0F11E4549F300ECD7B5 /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.storyboard; name = Base; path = Base.lproj/LaunchScreen.storyboard; sourceTree = ""; }; 6CF4A0F31E4549F300ECD7B5 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; }; + 6CFDC4561F907E1D00646DBB /* libprequelite.tbd */ = {isa = PBXFileReference; lastKnownFileType = "sourcecode.text-based-dylib-definition"; name = libprequelite.tbd; path = usr/lib/libprequelite.tbd; sourceTree = SDKROOT; }; 7221843E1EC6782A004C7BED /* sec_action.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = sec_action.c; path = src/sec_action.c; sourceTree = ""; }; 7221843F1EC6782A004C7BED /* sec_action.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = sec_action.h; path = src/sec_action.h; sourceTree = ""; }; 7273402816CAFB3C0096622A /* MobileAsset.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = MobileAsset.framework; path = System/Library/PrivateFrameworks/MobileAsset.framework; sourceTree = SDKROOT; }; 7281E0861DFD015A0021E1B7 /* SOSAccountGetSet.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SOSAccountGetSet.m; sourceTree = ""; }; 7281E08B1DFD0A380021E1B7 /* secd-80-views-alwayson.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "secd-80-views-alwayson.m"; sourceTree = ""; }; 7281E08E1DFD0D810021E1B7 /* secd-210-keyinterest.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "secd-210-keyinterest.m"; sourceTree = ""; }; - 728B56A116D59979008FA3AB /* OTAPKIAssetTool */ = {isa = PBXFileReference; 
explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = OTAPKIAssetTool; sourceTree = BUILT_PRODUCTS_DIR; }; 72B368BD179891FC004C37CE /* AggregateDictionary.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = AggregateDictionary.framework; path = System/Library/PrivateFrameworks/AggregateDictionary.framework; sourceTree = SDKROOT; }; 72C3EC2D1705F24E0040C87C /* ManagedConfiguration.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = ManagedConfiguration.framework; path = System/Library/PrivateFrameworks/ManagedConfiguration.framework; sourceTree = SDKROOT; }; - 72CD2BBB16D59AE30064EEE1 /* OTAServiceApp.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = OTAServiceApp.m; sourceTree = ""; }; - 72CD2BBC16D59AE30064EEE1 /* OTAServiceApp.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = OTAServiceApp.h; sourceTree = ""; }; - 72CD2BBD16D59AE30064EEE1 /* OTAServicemain.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = OTAServicemain.m; sourceTree = ""; }; + 72D1E5F3202FE43C003A38C5 /* secdmock_db_version_10_5.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = secdmock_db_version_10_5.h; sourceTree = ""; }; 78F92F10195128D70023B54B /* SecECKeyPriv.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecECKeyPriv.h; sourceTree = ""; }; 7901790E12D51F7200CA4D44 /* SecCmsBase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecCmsBase.h; sourceTree = ""; }; 7901790F12D51F7200CA4D44 /* SecCmsContentInfo.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecCmsContentInfo.h; sourceTree = ""; }; 
@@ -8899,6 +9490,14 @@ BE22FBD01EE2084100893431 /* Config.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = Config.m; path = manifeststresstest/Config.m; sourceTree = ""; }; BE22FBFC1EE23D9100893431 /* mark.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = mark.m; path = manifeststresstest/mark.m; sourceTree = ""; }; BE22FC031EE23DA600893431 /* mark.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = mark.h; path = manifeststresstest/mark.h; sourceTree = ""; }; + BE2AD2B11FDA07EF00739F96 /* OTBottledPeerRecord.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = OTBottledPeerRecord.h; path = ot/OTBottledPeerRecord.h; sourceTree = ""; }; + BE2AD2B21FDA07EF00739F96 /* OTBottledPeerRecord.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = OTBottledPeerRecord.m; path = ot/OTBottledPeerRecord.m; sourceTree = ""; }; + BE3405A11FD71CC800933DAC /* OTBottle.proto */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = OTBottle.proto; sourceTree = ""; }; + BE3405A31FD71DA400933DAC /* OTBottle.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = OTBottle.m; sourceTree = ""; }; + BE3405A41FD71DA600933DAC /* OTBottle.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = OTBottle.h; sourceTree = ""; }; + BE3405A51FD720C900933DAC /* OTBottleContents.proto */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = OTBottleContents.proto; sourceTree = ""; }; + BE3405A61FD7210200933DAC /* OTBottleContents.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = OTBottleContents.h; sourceTree = ""; }; + BE3405A71FD7210300933DAC /* OTBottleContents.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = OTBottleContents.m; 
sourceTree = ""; }; BE442BC118B7FDB800F24DAE /* swcagent */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = swcagent; sourceTree = BUILT_PRODUCTS_DIR; }; BE4AC9A118B7FFAD00B84964 /* swcagent.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; lineEnding = 0; path = swcagent.m; sourceTree = ""; xcLanguageSpecificationIdentifier = xcode.lang.objc; }; BE4AC9AD18B7FFC800B84964 /* com.apple.security.swcagent.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = com.apple.security.swcagent.plist; sourceTree = ""; }; 
@@ -8906,9 +9505,23 @@ BE6215BD1DB6E69100961E15 /* si-84-sectrust-allowlist.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "si-84-sectrust-allowlist.m"; sourceTree = ""; }; BE8351D41EC0EEDD00ACD5FD /* framework_requiring_modern_objc_runtime.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; name = framework_requiring_modern_objc_runtime.xcconfig; path = xcconfig/framework_requiring_modern_objc_runtime.xcconfig; sourceTree = ""; }; BE8ABDD71DC2DD9100EC2D58 /* libz.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libz.dylib; path = usr/lib/libz.dylib; sourceTree = SDKROOT; }; + BEB0B0CE1FFC37E3007E6A83 /* OTPrivateKey.proto */ = {isa = PBXFileReference; lastKnownFileType = text; path = OTPrivateKey.proto; sourceTree = ""; }; + BEB0B0D41FFC3D32007E6A83 /* OTPrivateKey.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = OTPrivateKey.m; sourceTree = ""; }; + BEB0B0D51FFC3D33007E6A83 /* OTPrivateKey.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = OTPrivateKey.h; sourceTree = ""; }; + BEB0B0D91FFC45C2007E6A83 /* OTPrivateKey+SF.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = "OTPrivateKey+SF.h"; path = "ot/OTPrivateKey+SF.h"; sourceTree = ""; }; + BEB0B0DA1FFC45C2007E6A83 /* OTPrivateKey+SF.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = "OTPrivateKey+SF.m"; path = "ot/OTPrivateKey+SF.m"; sourceTree = ""; }; + BEB9E9E51FFF193D00676593 /* si-88-sectrust-valid.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = "si-88-sectrust-valid.m"; path = "OSX/shared_regressions/si-88-sectrust-valid.m"; sourceTree = SOURCE_ROOT; }; + BEB9EA2E1FFF1AF600676593 /* si-88-sectrust-valid-data */ = {isa = PBXFileReference; lastKnownFileType = folder; path = "si-88-sectrust-valid-data"; sourceTree 
= ""; }; BED208DD1EDF950E00753952 /* manifeststresstest */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = manifeststresstest; sourceTree = BUILT_PRODUCTS_DIR; }; BED208E61EDF971600753952 /* manifeststresstest.entitlements */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.entitlements; name = manifeststresstest.entitlements; path = manifeststresstest/manifeststresstest.entitlements; sourceTree = ""; }; BED208E71EDF971600753952 /* manifeststresstest.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = manifeststresstest.m; path = manifeststresstest/manifeststresstest.m; sourceTree = ""; }; + BEE4B1861FFD57D800777D39 /* OTAuthenticatedCiphertext.proto */ = {isa = PBXFileReference; lastKnownFileType = text; path = OTAuthenticatedCiphertext.proto; sourceTree = ""; }; + BEE4B18E1FFD5F9000777D39 /* OTAuthenticatedCiphertext.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = OTAuthenticatedCiphertext.h; sourceTree = ""; }; + BEE4B18F1FFD5F9100777D39 /* OTAuthenticatedCiphertext.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = OTAuthenticatedCiphertext.m; sourceTree = ""; }; + BEE4B1901FFD604B00777D39 /* OTAuthenticatedCiphertext+SF.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = "OTAuthenticatedCiphertext+SF.h"; path = "ot/OTAuthenticatedCiphertext+SF.h"; sourceTree = ""; }; + BEE4B1911FFD604B00777D39 /* OTAuthenticatedCiphertext+SF.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = "OTAuthenticatedCiphertext+SF.m"; path = "ot/OTAuthenticatedCiphertext+SF.m"; sourceTree = ""; }; + BEE4B1961FFDAFE600777D39 /* SFPublicKey+SPKI.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = "SFPublicKey+SPKI.h"; path = "ot/SFPublicKey+SPKI.h"; sourceTree = ""; }; + BEE4B1971FFDAFE600777D39 /* 
SFECPublicKey+SPKI.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = "SFECPublicKey+SPKI.m"; path = "ot/SFECPublicKey+SPKI.m"; sourceTree = ""; }; BEEB47D71EA189F5004AA5C6 /* SecTrustStatusCodes.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecTrustStatusCodes.c; sourceTree = ""; }; BEEB47D81EA189F5004AA5C6 /* SecTrustStatusCodes.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecTrustStatusCodes.h; sourceTree = ""; }; BEF88C281EAFFC3F00357577 /* TrustedPeers.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = TrustedPeers.framework; sourceTree = BUILT_PRODUCTS_DIR; }; 
@@ -8987,6 +9600,7 @@ D40B6A871E2B5F9900CD6EE5 /* CoreFoundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CoreFoundation.framework; path = Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk/System/Library/Frameworks/CoreFoundation.framework; sourceTree = DEVELOPER_DIR; }; D40B6A881E2B5F9900CD6EE5 /* Foundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Foundation.framework; path = Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk/System/Library/Frameworks/Foundation.framework; sourceTree = DEVELOPER_DIR; }; D41149A01E7C935D00C078C7 /* AppleiPhoneDeviceCACertificates.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = AppleiPhoneDeviceCACertificates.h; sourceTree = ""; }; + D4119E72202BDF2B0048587B /* libz.tbd */ = {isa = PBXFileReference; lastKnownFileType = "sourcecode.text-based-dylib-definition"; name = libz.tbd; path = usr/lib/libz.tbd; sourceTree = SDKROOT; }; D41257CF1E9410A300781F23 /* trustd */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = trustd; sourceTree = BUILT_PRODUCTS_DIR; }; D41257E91E941CF200781F23 /* com.apple.trustd.agent.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; name = com.apple.trustd.agent.plist; path = OSX/trustd/macOS/com.apple.trustd.agent.plist; sourceTree = ""; }; D41257EA1E941CF200781F23 /* com.apple.trustd.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; name = com.apple.trustd.plist; path = OSX/trustd/macOS/com.apple.trustd.plist; sourceTree = ""; }; 
@@ -9001,7 +9615,7 @@ D43DBED61E99D17100C04AEA /* asynchttp.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = asynchttp.h; path = OSX/sec/securityd/asynchttp.h; sourceTree = ""; }; D43DBED71E99D17100C04AEA /* nameconstraints.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = nameconstraints.c; path = OSX/sec/securityd/nameconstraints.c; sourceTree = ""; }; D43DBED81E99D17100C04AEA /* nameconstraints.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = nameconstraints.h; path = OSX/sec/securityd/nameconstraints.h; sourceTree = ""; }; - D43DBED91E99D17100C04AEA /* OTATrustUtilities.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = OTATrustUtilities.c; path = OSX/sec/securityd/OTATrustUtilities.c; sourceTree = ""; }; + D43DBED91E99D17100C04AEA /* OTATrustUtilities.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = OTATrustUtilities.m; path = OSX/sec/securityd/OTATrustUtilities.m; sourceTree = ""; }; D43DBEDA1E99D17100C04AEA /* OTATrustUtilities.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = OTATrustUtilities.h; path = OSX/sec/securityd/OTATrustUtilities.h; sourceTree = ""; }; D43DBEDB1E99D17100C04AEA /* personalization.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = personalization.c; path = OSX/sec/securityd/personalization.c; sourceTree = ""; }; D43DBEDC1E99D17100C04AEA /* personalization.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = personalization.h; path = OSX/sec/securityd/personalization.h; sourceTree = ""; }; 
@@ -9029,14 +9643,26 @@ D43DBEF21E99D17300C04AEA /* SecRevocationDb.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecRevocationDb.h; path = OSX/sec/securityd/SecRevocationDb.h; sourceTree = ""; }; D43DBEF31E99D17300C04AEA /* SecRevocationServer.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = SecRevocationServer.c; path = OSX/sec/securityd/SecRevocationServer.c; sourceTree = ""; }; D43DBEF41E99D17300C04AEA /* SecRevocationServer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecRevocationServer.h; path = OSX/sec/securityd/SecRevocationServer.h; sourceTree = ""; }; - D43DBEF51E99D17300C04AEA /* SecTrustLoggingServer.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = SecTrustLoggingServer.c; path = OSX/sec/securityd/SecTrustLoggingServer.c; sourceTree = ""; }; + D43DBEF51E99D17300C04AEA /* SecTrustLoggingServer.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = SecTrustLoggingServer.m; path = OSX/sec/securityd/SecTrustLoggingServer.m; sourceTree = ""; }; D43DBEF61E99D17300C04AEA /* SecTrustLoggingServer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecTrustLoggingServer.h; path = OSX/sec/securityd/SecTrustLoggingServer.h; sourceTree = ""; }; D43DBEF71E99D17300C04AEA /* SecTrustServer.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = SecTrustServer.c; path = OSX/sec/securityd/SecTrustServer.c; sourceTree = ""; }; D43DBEF81E99D17300C04AEA /* SecTrustServer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecTrustServer.h; path = OSX/sec/securityd/SecTrustServer.h; sourceTree = ""; }; D43DBEF91E99D17300C04AEA /* SecTrustStoreServer.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; 
name = SecTrustStoreServer.c; path = OSX/sec/securityd/SecTrustStoreServer.c; sourceTree = ""; }; D43DBEFA1E99D17300C04AEA /* SecTrustStoreServer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecTrustStoreServer.h; path = OSX/sec/securityd/SecTrustStoreServer.h; sourceTree = ""; }; + D43DDE511F620F09009742A5 /* SecPolicyChecks.list */ = {isa = PBXFileReference; lastKnownFileType = text; path = SecPolicyChecks.list; sourceTree = ""; }; + D43DDE581F638061009742A5 /* SecPolicy.list */ = {isa = PBXFileReference; lastKnownFileType = text; path = SecPolicy.list; sourceTree = ""; }; D45068681E948A9E00FA7675 /* entitlements.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; name = entitlements.plist; path = OSX/trustd/macOS/entitlements.plist; sourceTree = ""; }; D45068691E948ACE00FA7675 /* entitlements.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; name = entitlements.plist; path = OSX/trustd/iOS/entitlements.plist; sourceTree = ""; }; + D453C38A1FEC669300DE349B /* trust_update.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = trust_update.m; sourceTree = ""; }; + D453C47F1FFD857400DE349B /* security_tool_commands.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = security_tool_commands.h; path = OSX/utilities/SecurityTool/security_tool_commands.h; sourceTree = SOURCE_ROOT; }; + D46246911F9AE2E400D63882 /* libDER.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libDER.a; path = usr/local/lib/security_libDER/libDER.a; sourceTree = SDKROOT; }; + D462469C1F9AE45900D63882 /* oids.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = oids.c; sourceTree = ""; }; + D46246A21F9AE49E00D63882 /* oids.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = oids.h; path = trust/oids.h; sourceTree = ""; }; + 
D46246A91F9AE6C900D63882 /* libDER.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libDER.a; path = usr/local/lib/security_libDER/libDER.a; sourceTree = SDKROOT; }; + D46246AF1F9AE73F00D63882 /* libDER.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libDER.a; path = usr/local/lib/security_libDER/libDER.a; sourceTree = SDKROOT; }; + D46246C31F9AEA5200D63882 /* libDER.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libDER.a; path = usr/local/lib/security_libDER/libDER.a; sourceTree = SDKROOT; }; + D46246CE1F9AEAE300D63882 /* libDER.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libDER.a; path = usr/local/lib/security_libDER/libDER.a; sourceTree = SDKROOT; }; + D479F6E01F980F8F00388D28 /* English */ = {isa = PBXFileReference; fileEncoding = 10; lastKnownFileType = text.plist.strings; name = English; path = English.lproj/Trust.strings; sourceTree = ""; }; D47C56AB1DCA831C00E18518 /* lib_ios_x64.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; name = lib_ios_x64.xcconfig; path = xcconfig/lib_ios_x64.xcconfig; sourceTree = ""; }; D47C56AF1DCA841D00E18518 /* lib_ios_x64_shim.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; name = lib_ios_x64_shim.xcconfig; path = xcconfig/lib_ios_x64_shim.xcconfig; sourceTree = ""; }; D47C56FB1DCA8F4900E18518 /* all_arches.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; name = all_arches.xcconfig; path = xcconfig/all_arches.xcconfig; sourceTree = ""; }; 
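Review bot: The five added `libDER.a` entries in this hunk (D46246911F9AE2E400D63882, D46246A91F9AE6C900D63882, D46246AF1F9AE73F00D63882, D46246C31F9AEA5200D63882, D46246CE1F9AEAE300D63882) are byte-for-byte the same reference: `path = usr/local/lib/security_libDER/libDER.a; sourceTree = SDKROOT`. One shared PBXFileReference would leave a single place to change if the archive location moves. A later hunk in this patch removes the in-tree libDER sources (`DER_Decode.c`, `DER_Encode.c`, `oids.c`, …) and the `libDER_not_installed.a` product, so the DER code presumably now comes from a prebuilt archive in the SDK rather than being compiled here. Nothing visible pins which libDER build is expected, so the commit description should state the required SDK or libDER version, so that a stale or mismatched archive is caught at review rather than at link time.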
@@ -9051,6 +9677,12 @@ D4ADA3191E2B41670031CEA3 /* libtrustd.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libtrustd.a; sourceTree = BUILT_PRODUCTS_DIR; }; D4B858661D370D9A003B2D95 /* MobileCoreServices.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = MobileCoreServices.framework; path = Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS10.0.Internal.sdk/System/Library/Frameworks/MobileCoreServices.framework; sourceTree = DEVELOPER_DIR; }; D4BEECE61E93093A00F76D1A /* trustd.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = trustd.c; path = OSX/trustd/trustd.c; sourceTree = ""; }; + D4C263C51F8FF2A9001317EA /* generateErrStrings.pl */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.perl; name = generateErrStrings.pl; path = OSX/lib/generateErrStrings.pl; sourceTree = ""; usesTabs = 1; }; + D4C263C81F952E64001317EA /* SecDebugErrorMessages.strings */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.strings; name = SecDebugErrorMessages.strings; path = derived_src/SecDebugErrorMessages.strings; sourceTree = BUILT_PRODUCTS_DIR; }; + D4C263CD1F952F6C001317EA /* SecErrorMessages.strings */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.strings; name = SecErrorMessages.strings; path = derived_src/English.lproj/SecErrorMessages.strings; sourceTree = BUILT_PRODUCTS_DIR; }; + D4C6C5C71FB2AD3F007EA57E /* si-87-sectrust-name-constraints */ = {isa = PBXFileReference; lastKnownFileType = folder; path = "si-87-sectrust-name-constraints"; sourceTree = ""; }; + D4C6C5CB1FB3B3CC007EA57E /* libarchive.tbd */ = {isa = PBXFileReference; lastKnownFileType = "sourcecode.text-based-dylib-definition"; name = libarchive.tbd; path = usr/lib/libarchive.tbd; sourceTree = SDKROOT; }; + D4C6C5CE1FB3B44C007EA57E /* libarchive.2.dylib */ = {isa = PBXFileReference; lastKnownFileType = 
"compiled.mach-o.dylib"; name = libarchive.2.dylib; path = /usr/lib/libarchive.2.dylib; sourceTree = SDKROOT; }; D4C8A1511E66709800CD6DF1 /* si-32-sectrust-pinning-required.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "si-32-sectrust-pinning-required.h"; sourceTree = ""; }; D4CFAA7D1E660BB3004746AA /* si-32-sectrust-pinning-required.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "si-32-sectrust-pinning-required.m"; sourceTree = ""; }; D4D718341E04A721000AE7A6 /* spbkdf-01-hmac-sha256.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "spbkdf-01-hmac-sha256.c"; sourceTree = ""; }; 
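Review bot: The added `libarchive.2.dylib` reference uses `path = /usr/lib/libarchive.2.dylib` with `sourceTree = SDKROOT`, while the `libarchive.tbd` entry added just before it (and `libz.tbd` in an earlier hunk) use the SDK-relative form `usr/lib/...`. The leading slash looks unintended and, depending on how the path is resolved, may point at the build host's library instead of the SDK's. If the versioned dylib is really needed, `path = usr/lib/libarchive.2.dylib;` keeps it consistent with its neighbours. Otherwise, keeping only the `.tbd` stub avoids tying the target to one dylib version and leaves a single reference for the same library.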
@@ -9064,6 +9696,12 @@ DA30D6781DF8C8FB00EC6B43 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; }; DA30D6831DF8CA4100EC6B43 /* KeychainSyncAccountUpdater.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = KeychainSyncAccountUpdater.h; sourceTree = ""; }; DA30D6841DF8CA4100EC6B43 /* KeychainSyncAccountUpdater.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = KeychainSyncAccountUpdater.m; sourceTree = ""; }; + DA6AA15E1FE88AF9004565B0 /* CKKSControlServer.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = CKKSControlServer.m; sourceTree = ""; }; + DA6AA1641FE88AFA004565B0 /* CKKSControlServer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CKKSControlServer.h; sourceTree = ""; }; + DAB27ADA1FA29EB700DEBBDE /* SOSControlServer.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SOSControlServer.h; sourceTree = ""; }; + DAB27AE01FA29EB800DEBBDE /* SOSControlServer.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = SOSControlServer.m; sourceTree = ""; }; + DAEE05551FAD3FC500DF27F3 /* AutoreleaseTest.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = AutoreleaseTest.c; sourceTree = ""; }; + DAEE055B1FAD3FC600DF27F3 /* AutoreleaseTest.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AutoreleaseTest.h; sourceTree = ""; }; DC0067911D87816C005AF8DB /* macos_legacy_lib.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; name = macos_legacy_lib.xcconfig; path = xcconfig/macos_legacy_lib.xcconfig; sourceTree = ""; }; DC0067C01D87876F005AF8DB /* libsecurityd_server.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libsecurityd_server.a; 
sourceTree = BUILT_PRODUCTS_DIR; }; DC0067D01D878898005AF8DB /* libsecurityd_ucspc.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libsecurityd_ucspc.a; sourceTree = BUILT_PRODUCTS_DIR; }; @@ -9134,8 +9772,6 @@ DC0BC6131D8B755200070CB0 /* ckutilities.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = ckutilities.c; sourceTree = ""; }; DC0BC6141D8B755200070CB0 /* ckutilities.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ckutilities.h; sourceTree = ""; }; DC0BC6151D8B755200070CB0 /* Crypt.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Crypt.h; sourceTree = ""; }; - DC0BC6161D8B755200070CB0 /* CryptKitSA.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CryptKitSA.h; sourceTree = ""; }; - DC0BC6171D8B755200070CB0 /* CryptKit.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CryptKit.h; sourceTree = ""; }; DC0BC6181D8B755200070CB0 /* CryptKitAsn1.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CryptKitAsn1.cpp; sourceTree = ""; }; DC0BC6191D8B755200070CB0 /* CryptKitAsn1.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CryptKitAsn1.h; sourceTree = ""; }; DC0BC61A1D8B755200070CB0 /* CryptKitDER.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = CryptKitDER.cpp; sourceTree = ""; }; 
@@ -9578,6 +10214,8 @@ DC0BCD551D8C697100070CB0 /* su-40-secdb.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "su-40-secdb.c"; sourceTree = ""; }; DC0BCD561D8C697100070CB0 /* su-41-secdb-stress.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "su-41-secdb-stress.c"; sourceTree = ""; }; DC0BCDB41D8C6A5B00070CB0 /* not_on_this_platorm.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = not_on_this_platorm.c; sourceTree = ""; }; + DC124DC120059B8700BE8DAC /* OctagonControlServer.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = OctagonControlServer.h; path = ot/OctagonControlServer.h; sourceTree = ""; }; + DC124DC220059B8700BE8DAC /* OctagonControlServer.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = OctagonControlServer.m; path = ot/OctagonControlServer.m; sourceTree = ""; }; DC1447881F5764C600236DB4 /* CKKSResultOperation.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = CKKSResultOperation.h; sourceTree = ""; }; DC1447891F5764C600236DB4 /* CKKSResultOperation.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = CKKSResultOperation.m; sourceTree = ""; }; DC1447941F5766D200236DB4 /* NSOperationCategories.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = NSOperationCategories.h; sourceTree = ""; }; 
@@ -9587,7 +10225,6 @@ DC15F79B1E68EAD5003B9A40 /* CKKSTests+API.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "CKKSTests+API.m"; sourceTree = ""; }; DC1784421D77869A00B50D50 /* libsecurity_smime.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_smime.xcodeproj; path = OSX/libsecurity_smime/libsecurity_smime.xcodeproj; sourceTree = ""; }; DC1784AE1D7786C700B50D50 /* libsecurity_cms.xcodeproj */ = {isa = PBXFileReference; lastKnownFileType = "wrapper.pb-project"; name = libsecurity_cms.xcodeproj; path = OSX/libsecurity_cms/libsecurity_cms.xcodeproj; sourceTree = ""; }; - DC1785051D77873100B50D50 /* Security.framework */ = {isa = PBXFileReference; explicitFileType = wrapper.framework; includeInIndex = 0; path = Security.framework; sourceTree = BUILT_PRODUCTS_DIR; }; DC1785111D77895A00B50D50 /* oidsalg.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = oidsalg.h; path = OSX/libsecurity_asn1/lib/oidsalg.h; sourceTree = ""; }; DC1785121D77895A00B50D50 /* oidsattr.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = oidsattr.h; path = OSX/libsecurity_asn1/lib/oidsattr.h; sourceTree = ""; }; DC1785131D77895A00B50D50 /* SecAsn1Coder.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecAsn1Coder.h; path = OSX/libsecurity_asn1/lib/SecAsn1Coder.h; sourceTree = ""; }; 
@@ -9610,7 +10247,6 @@ DC17853A1D778A3100B50D50 /* mds_schema.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = mds_schema.h; path = OSX/libsecurity_mds/lib/mds_schema.h; sourceTree = ""; }; DC17853B1D778A3100B50D50 /* mds.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = mds.h; path = OSX/libsecurity_mds/lib/mds.h; sourceTree = ""; }; DC17853F1D778A4E00B50D50 /* SecureDownload.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecureDownload.h; path = OSX/libsecurity_manifest/lib/SecureDownload.h; sourceTree = ""; }; - DC1785421D778A7400B50D50 /* oids.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = oids.h; sourceTree = ""; }; DC1785451D778ACD00B50D50 /* SecAccess.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecAccess.h; path = OSX/libsecurity_keychain/lib/SecAccess.h; sourceTree = ""; }; DC1785461D778ACD00B50D50 /* SecACL.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecACL.h; path = OSX/libsecurity_keychain/lib/SecACL.h; sourceTree = ""; }; DC1785471D778ACD00B50D50 /* SecCertificateOIDs.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCertificateOIDs.h; path = OSX/libsecurity_keychain/lib/SecCertificateOIDs.h; sourceTree = ""; }; 
@@ -9643,7 +10279,6 @@ DC1785811D778B7F00B50D50 /* CodeSigning.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = CodeSigning.h; path = lib/CodeSigning.h; sourceTree = ""; }; DC1785821D778B7F00B50D50 /* CSCommon.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = CSCommon.h; path = lib/CSCommon.h; sourceTree = ""; }; DC1785831D778B7F00B50D50 /* SecCode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCode.h; path = lib/SecCode.h; sourceTree = ""; }; - DC1785841D778B8000B50D50 /* SecCodeHost.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCodeHost.h; path = lib/SecCodeHost.h; sourceTree = ""; }; DC1785851D778B8000B50D50 /* SecRequirement.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecRequirement.h; path = lib/SecRequirement.h; sourceTree = ""; }; DC1785861D778B8000B50D50 /* SecStaticCode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecStaticCode.h; path = lib/SecStaticCode.h; sourceTree = ""; }; DC17858E1D778B9D00B50D50 /* CMSDecoder.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = CMSDecoder.h; path = OSX/libsecurity_cms/lib/CMSDecoder.h; sourceTree = ""; }; 
@@ -9693,7 +10328,6 @@ DC1787421D77906C00B50D50 /* cssmapplePriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = cssmapplePriv.h; path = OSX/libsecurity_cssm/lib/cssmapplePriv.h; sourceTree = ""; }; DC1787441D7790A500B50D50 /* CSCommonPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = CSCommonPriv.h; path = lib/CSCommonPriv.h; sourceTree = ""; }; DC1787451D7790A500B50D50 /* SecAssessment.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecAssessment.h; path = lib/SecAssessment.h; sourceTree = ""; }; - DC1787461D7790A500B50D50 /* SecCodeHostLib.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCodeHostLib.h; path = lib/SecCodeHostLib.h; sourceTree = ""; }; DC1787471D7790A500B50D50 /* SecCodePriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCodePriv.h; path = lib/SecCodePriv.h; sourceTree = ""; }; DC1787481D7790A500B50D50 /* SecCodeSigner.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecCodeSigner.h; path = lib/SecCodeSigner.h; sourceTree = ""; }; DC17874B1D7790A500B50D50 /* SecRequirementPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SecRequirementPriv.h; path = lib/SecRequirementPriv.h; sourceTree = ""; }; 
@@ -9824,7 +10458,6 @@ DC378B371DEFADB500A3DAFA /* CKKSZoneStateEntry.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = CKKSZoneStateEntry.m; sourceTree = ""; }; DC378B3A1DF0CA7200A3DAFA /* CKKSIncomingQueueEntry.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CKKSIncomingQueueEntry.h; sourceTree = ""; }; DC378B3B1DF0CA7200A3DAFA /* CKKSIncomingQueueEntry.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = CKKSIncomingQueueEntry.m; sourceTree = ""; }; - DC3832C01DB6E69800385F63 /* module.modulemap */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = "sourcecode.module-map"; path = module.modulemap; sourceTree = ""; }; DC3A4B581D91E9FB00E46D4A /* com.apple.CodeSigningHelper.xpc */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = com.apple.CodeSigningHelper.xpc; sourceTree = BUILT_PRODUCTS_DIR; }; DC3A4B5F1D91EAC500E46D4A /* CodeSigningHelper-Info.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = "CodeSigningHelper-Info.plist"; sourceTree = ""; }; DC3A4B601D91EAC500E46D4A /* com.apple.CodeSigningHelper.sb */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = com.apple.CodeSigningHelper.sb; sourceTree = ""; }; 
@@ -9872,22 +10505,6 @@ DC58C43B1D77BED0003C25A4 /* csparser.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = csparser.cpp; path = OSX/lib/plugins/csparser.cpp; sourceTree = ""; }; DC58C43C1D77BED0003C25A4 /* csparser.exp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.exports; name = csparser.exp; path = OSX/lib/plugins/csparser.exp; sourceTree = ""; }; DC58C4411D77BFA4003C25A4 /* security_macos.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; name = security_macos.xcconfig; path = OSX/config/security_macos.xcconfig; sourceTree = ""; }; - DC59E9EC1D91C9DC001BDDF5 /* libDER_not_installed.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libDER_not_installed.a; sourceTree = BUILT_PRODUCTS_DIR; }; - DC59E9ED1D91CA0A001BDDF5 /* DER_Keys.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = DER_Keys.c; sourceTree = ""; }; - DC59E9EE1D91CA0A001BDDF5 /* DER_Keys.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DER_Keys.h; sourceTree = ""; }; - DC59E9EF1D91CA0A001BDDF5 /* asn1Types.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = asn1Types.h; sourceTree = ""; }; - DC59E9F01D91CA0A001BDDF5 /* DER_CertCrl.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = DER_CertCrl.c; sourceTree = ""; }; - DC59E9F11D91CA0A001BDDF5 /* DER_CertCrl.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DER_CertCrl.h; sourceTree = ""; }; - DC59E9F21D91CA0A001BDDF5 /* DER_Decode.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = DER_Decode.c; sourceTree = ""; }; - DC59E9F31D91CA0A001BDDF5 /* DER_Decode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = 
DER_Decode.h; sourceTree = ""; }; - DC59E9F41D91CA0A001BDDF5 /* DER_Encode.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = DER_Encode.c; sourceTree = ""; }; - DC59E9F51D91CA0A001BDDF5 /* DER_Encode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DER_Encode.h; sourceTree = ""; }; - DC59E9F61D91CA0A001BDDF5 /* libDER_config.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = libDER_config.h; sourceTree = ""; }; - DC59E9F71D91CA0A001BDDF5 /* libDER.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = libDER.h; sourceTree = ""; }; - DC59E9F81D91CA0A001BDDF5 /* DER_Digest.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DER_Digest.h; sourceTree = ""; }; - DC59E9F91D91CA0A001BDDF5 /* DER_Digest.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = DER_Digest.c; sourceTree = ""; }; - DC59E9FA1D91CA0A001BDDF5 /* oids.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = oids.c; sourceTree = ""; }; - DC59E9FC1D91CA0A001BDDF5 /* oidsPriv.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = oidsPriv.h; sourceTree = ""; }; DC59EA731D91CBD0001BDDF5 /* libcrypto.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libcrypto.dylib; path = usr/lib/libcrypto.dylib; sourceTree = SDKROOT; }; DC5ABD781D832D5800CF422C /* srCdsaUtils.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = srCdsaUtils.cpp; sourceTree = ""; }; DC5ABD791D832D5800CF422C /* srCdsaUtils.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = srCdsaUtils.h; sourceTree = ""; }; 
@@ -10224,6 +10841,8 @@ DCAD9B481F8D95F200C5E2AE /* CloudKitKeychainSyncingFixupTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = CloudKitKeychainSyncingFixupTests.m; sourceTree = ""; }; DCB2214A1E8B0861001598BC /* server_xpc.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = server_xpc.m; sourceTree = ""; }; DCB2215B1E8B098D001598BC /* server_endpoint.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = server_endpoint.h; sourceTree = ""; }; + DCB332361F467CC200178C30 /* macos_tapi_hacks.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = macos_tapi_hacks.h; path = OSX/macos_tapi_hacks.h; sourceTree = ""; }; + DCB332371F46804000178C30 /* SOSSysdiagnose.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SOSSysdiagnose.h; sourceTree = ""; }; DCB3406D1D8A24DF0054D16E /* libsecurity_authorization.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libsecurity_authorization.a; sourceTree = BUILT_PRODUCTS_DIR; }; DCB3406F1D8A24F70054D16E /* Authorization.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = Authorization.c; path = lib/Authorization.c; sourceTree = ""; }; DCB340761D8A24F70054D16E /* Authorization.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = Authorization.cpp; path = lib/Authorization.cpp; sourceTree = ""; }; 
@@ -10574,8 +11193,6 @@ DCB344701D8A35270054D16E /* si-20-sectrust-provisioning.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = "si-20-sectrust-provisioning.h"; path = "regressions/si-20-sectrust-provisioning.h"; sourceTree = ""; }; DCB344711D8A35270054D16E /* si-33-keychain-backup.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "si-33-keychain-backup.c"; path = "regressions/si-33-keychain-backup.c"; sourceTree = ""; }; DCB344721D8A35270054D16E /* si-34-one-true-keychain.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = "si-34-one-true-keychain.c"; path = "regressions/si-34-one-true-keychain.c"; sourceTree = ""; }; - DCB5022C1FDA155D008F8E4F /* AutoreleaseTest.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = AutoreleaseTest.c; sourceTree = ""; }; - DCB502321FDA155E008F8E4F /* AutoreleaseTest.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = AutoreleaseTest.h; sourceTree = ""; }; DCB5D9391E4A9A3400BE22AB /* CKKSSynchronizeOperation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CKKSSynchronizeOperation.h; sourceTree = ""; }; DCB5D93A1E4A9A3400BE22AB /* CKKSSynchronizeOperation.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = CKKSSynchronizeOperation.m; sourceTree = ""; }; DCBDB3B01E57C67500B61300 /* CKKSKeychainView.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CKKSKeychainView.h; sourceTree = ""; }; 
@@ -10658,7 +11275,7 @@ DCC78C811D8085D800865A7C /* entitlements.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = entitlements.plist; sourceTree = ""; }; DCC78C8E1D8085D800865A7C /* SecDbItem.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecDbItem.c; sourceTree = ""; }; DCC78C8F1D8085D800865A7C /* SecDbItem.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecDbItem.h; sourceTree = ""; }; - DCC78C901D8085D800865A7C /* SecDbKeychainItem.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecDbKeychainItem.c; sourceTree = ""; }; + DCC78C901D8085D800865A7C /* SecDbKeychainItem.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SecDbKeychainItem.m; sourceTree = ""; }; DCC78C911D8085D800865A7C /* SecDbKeychainItem.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecDbKeychainItem.h; sourceTree = ""; }; DCC78C921D8085D800865A7C /* SecDbQuery.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecDbQuery.c; sourceTree = ""; }; DCC78C931D8085D800865A7C /* SecDbQuery.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecDbQuery.h; sourceTree = ""; }; 
@@ -10889,10 +11506,10 @@ DCC78DD71D8085FC00865A7C /* si-50-secrandom.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-50-secrandom.c"; sourceTree = ""; }; DCC78DD81D8085FC00865A7C /* si-60-cms.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-60-cms.c"; sourceTree = ""; }; DCC78DD91D8085FC00865A7C /* si-61-pkcs12.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-61-pkcs12.c"; sourceTree = ""; }; - DCC78DDA1D8085FC00865A7C /* si-62-csr.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-62-csr.c"; sourceTree = ""; }; + DCC78DDA1D8085FC00865A7C /* si-62-csr.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "si-62-csr.m"; sourceTree = ""; }; DCC78DDB1D8085FC00865A7C /* getcacert-mdes.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "getcacert-mdes.h"; sourceTree = ""; }; DCC78DDC1D8085FC00865A7C /* getcacert-mdesqa.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "getcacert-mdesqa.h"; sourceTree = ""; }; - DCC78DDE1D8085FC00865A7C /* si-63-scep.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-63-scep.c"; sourceTree = ""; }; + DCC78DDE1D8085FC00865A7C /* si-63-scep.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "si-63-scep.m"; sourceTree = ""; }; DCC78DDF1D8085FC00865A7C /* si-63-scep.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-63-scep.h"; sourceTree = ""; }; DCC78DE01D8085FC00865A7C /* attached_no_data_signed_data.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = attached_no_data_signed_data.h; sourceTree = ""; }; DCC78DE11D8085FC00865A7C /* 
attached_signed_data.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = attached_signed_data.h; sourceTree = ""; }; @@ -10934,7 +11551,7 @@ DCC78E081D8085FC00865A7C /* si-85-sectrust-ssl-policy.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-85-sectrust-ssl-policy.h"; sourceTree = ""; }; DCC78E091D8085FC00865A7C /* si-87-sectrust-name-constraints.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "si-87-sectrust-name-constraints.m"; sourceTree = ""; }; DCC78E0A1D8085FC00865A7C /* si-87-sectrust-name-constraints.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-87-sectrust-name-constraints.h"; sourceTree = ""; }; - DCC78E0B1D8085FC00865A7C /* si-89-cms-hash-agility.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-89-cms-hash-agility.c"; sourceTree = ""; }; + DCC78E0B1D8085FC00865A7C /* si-89-cms-hash-agility.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "si-89-cms-hash-agility.m"; sourceTree = ""; }; DCC78E0C1D8085FC00865A7C /* si-89-cms-hash-agility.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "si-89-cms-hash-agility.h"; sourceTree = ""; }; DCC78E0D1D8085FC00865A7C /* si-90-emcs.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "si-90-emcs.m"; sourceTree = ""; }; DCC78E0E1D8085FC00865A7C /* si-95-cms-basic.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = "si-95-cms-basic.c"; sourceTree = ""; }; 
@@ -10967,7 +11584,6 @@ DCC78E321D8085FC00865A7C /* SecAccessControlExports.exp-in */ = {isa = PBXFileReference; lastKnownFileType = text; path = "SecAccessControlExports.exp-in"; sourceTree = ""; }; DCC78E351D8085FC00865A7C /* SecBase64.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = SecBase64.c; sourceTree = ""; }; DCC78E381D8085FC00865A7C /* SecCertificate.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = SecCertificate.c; sourceTree = ""; }; - DCC78E3B1D8085FC00865A7C /* SecCertificatePath.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = SecCertificatePath.c; sourceTree = ""; }; DCC78E3E1D8085FC00865A7C /* SecCertificateRequest.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = SecCertificateRequest.c; sourceTree = ""; }; DCC78E401D8085FC00865A7C /* SecCFAllocator.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = SecCFAllocator.c; sourceTree = ""; }; DCC78E421D8085FC00865A7C /* SecCMS.c */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.c; path = SecCMS.c; sourceTree = ""; }; 
@@ -11253,7 +11869,6 @@ DCD06A511D8CE281007602F1 /* libcodehost.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libcodehost.a; sourceTree = BUILT_PRODUCTS_DIR; }; DCD06A741D8CE2D5007602F1 /* gkunpack */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = gkunpack; sourceTree = BUILT_PRODUCTS_DIR; }; DCD06AB01D8E0D53007602F1 /* libsecurity_utilities.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libsecurity_utilities.a; sourceTree = BUILT_PRODUCTS_DIR; }; - DCD06AB11D8E0D7D007602F1 /* debugging.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; lineEnding = 0; name = debugging.h; path = ../../utilities/src/debugging.h; sourceTree = ""; }; DCD06AB21D8E0D7D007602F1 /* FileLockTransaction.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = FileLockTransaction.cpp; sourceTree = ""; }; DCD06AB31D8E0D7D007602F1 /* FileLockTransaction.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = FileLockTransaction.h; sourceTree = ""; }; DCD06AB41D8E0D7D007602F1 /* CSPDLTransaction.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; lineEnding = 0; path = CSPDLTransaction.cpp; sourceTree = ""; }; 
@@ -11364,6 +11979,7 @@ DCD6C4B01EC5302400414FEE /* CKKSNearFutureScheduler.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = CKKSNearFutureScheduler.h; sourceTree = ""; }; DCD6C4B11EC5302500414FEE /* CKKSNearFutureScheduler.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = CKKSNearFutureScheduler.m; sourceTree = ""; }; DCD6C4B61EC5319600414FEE /* CKKSNearFutureSchedulerTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = CKKSNearFutureSchedulerTests.m; sourceTree = ""; }; + DCD7EE9B1F4F51D9007D9804 /* ios_tapi_hacks.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ios_tapi_hacks.h; sourceTree = ""; }; DCD8A1991E09EE0F00E4FA0A /* libSecureObjectSyncFramework.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libSecureObjectSyncFramework.a; sourceTree = BUILT_PRODUCTS_DIR; }; DCDCC7DD1D9B54DF006487E8 /* secd-202-recoverykey.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "secd-202-recoverykey.m"; sourceTree = ""; }; DCDCC7E41D9B551C006487E8 /* SOSAccountSync.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SOSAccountSync.m; sourceTree = ""; }; 
@@ -11782,6 +12398,7 @@ DCF789471D88D17C00E694BB /* AppleX509TPBuiltin.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = AppleX509TPBuiltin.cpp; path = OSX/libsecurity_apple_x509_tp/lib/AppleX509TPBuiltin.cpp; sourceTree = ""; }; DCF7A89F1F04502300CABE89 /* CKKSControlProtocol.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = CKKSControlProtocol.h; sourceTree = ""; }; DCF7A8A21F0450EB00CABE89 /* CKKSControlProtocol.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = CKKSControlProtocol.m; sourceTree = ""; }; + DCFABF8D20081E2F001128B5 /* CKKSDeviceStateUploadTests.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = CKKSDeviceStateUploadTests.m; sourceTree = ""; }; DCFAEDC81D999851005187E4 /* SOSAccountGhost.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SOSAccountGhost.m; sourceTree = ""; }; DCFAEDC91D999851005187E4 /* SOSAccountGhost.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SOSAccountGhost.h; sourceTree = ""; }; DCFAEDD11D9998DD005187E4 /* secd-668-ghosts.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "secd-668-ghosts.m"; sourceTree = ""; }; 
@@ -11808,7 +12425,6 @@ E75C0E801C6FC31D00E6953B /* KCSRPContext.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = KCSRPContext.h; sourceTree = ""; }; E75C0E811C6FC31D00E6953B /* KCSRPContext.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = KCSRPContext.m; sourceTree = ""; }; E75C0E841C71325000E6953B /* KeychainCircle.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = KeychainCircle.h; sourceTree = ""; }; - E75E498A1C8F76360001A34F /* libDER.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libDER.a; path = ../../../../../usr/local/lib/libDER.a; sourceTree = ""; }; E75E498C1C8F76680001A34F /* libASN1.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libASN1.a; path = ../../../../../usr/local/lib/libASN1.a; sourceTree = ""; }; E76638AE1DD67B7100B769D3 /* security-sysdiagnose.entitlements.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = "security-sysdiagnose.entitlements.plist"; sourceTree = ""; }; E7676DB519411DF300498DD4 /* SecServerEncryptionSupport.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SecServerEncryptionSupport.h; sourceTree = ""; }; 
@@ -11879,6 +12495,8 @@ EB10557A1E14DF640003C309 /* Security.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Security.framework; path = Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.13.sdk/System/Library/Frameworks/Security.framework; sourceTree = DEVELOPER_DIR; }; EB108F121E6CE48B003B0456 /* KCParing.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; name = KCParing.plist; path = Tests/KCParing.plist; sourceTree = ""; }; EB108F411E6CE4D2003B0456 /* KCPairingTests.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = KCPairingTests.xctest; sourceTree = BUILT_PRODUCTS_DIR; }; + EB10A3E320356E2000E84270 /* OTConstants.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = OTConstants.h; path = ot/OTConstants.h; sourceTree = ""; }; + EB10A3E420356E2000E84270 /* OTConstants.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = OTConstants.m; path = ot/OTConstants.m; sourceTree = ""; }; EB27FF0C1E402C8000EC9E3A /* ckksctl.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = ckksctl.m; sourceTree = ""; }; EB27FF111E402CD300EC9E3A /* ckksctl */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = ckksctl; sourceTree = BUILT_PRODUCTS_DIR; }; EB27FF2F1E408CC900EC9E3A /* ckksctl-Entitlements.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist; path = "ckksctl-Entitlements.plist"; sourceTree = ""; }; 
@@ -11897,7 +12515,19 @@ EB433A281CC3243600A7EACE /* secitemstresstest */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = secitemstresstest; sourceTree = BUILT_PRODUCTS_DIR; }; EB433A2D1CC325E900A7EACE /* secitemstresstest.entitlements */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = secitemstresstest.entitlements; path = secitemstresstest/secitemstresstest.entitlements; sourceTree = ""; }; EB48C19E1E573EDC00EC5E57 /* sos.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = sos.m; sourceTree = ""; }; + EB49B2AE202D877F003F34A0 /* secdmockaks.xctest */ = {isa = PBXFileReference; explicitFileType = wrapper.cfbundle; includeInIndex = 0; path = secdmockaks.xctest; sourceTree = BUILT_PRODUCTS_DIR; }; + EB49B2B0202D8780003F34A0 /* secdmockaks.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = secdmockaks.m; sourceTree = ""; }; + EB49B2B2202D8780003F34A0 /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; }; + EB49B2CE202DF111003F34A0 /* CoreFollowUp.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CoreFollowUp.framework; path = System/Library/PrivateFrameworks/CoreFollowUp.framework; sourceTree = SDKROOT; }; + EB49B2DC202DF251003F34A0 /* libbsm.tbd */ = {isa = PBXFileReference; lastKnownFileType = "sourcecode.text-based-dylib-definition"; name = libbsm.tbd; path = usr/lib/libbsm.tbd; sourceTree = SDKROOT; }; + EB49B2DE202DF286003F34A0 /* CoreFollowUpUI.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CoreFollowUpUI.framework; path = System/Library/PrivateFrameworks/CoreFollowUpUI.framework; sourceTree = SDKROOT; }; + EB49B2E4202DFE7F003F34A0 /* mockaks.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = mockaks.m; sourceTree = ""; }; + 
EB49B303202FB8DE003F34A0 /* mockaks.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = mockaks.h; sourceTree = ""; }; + EB4E0CD41FF36A1900CDCACC /* CKKSReachabilityTracker.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = CKKSReachabilityTracker.h; sourceTree = ""; }; + EB4E0CD51FF36A1900CDCACC /* CKKSReachabilityTracker.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = CKKSReachabilityTracker.m; sourceTree = ""; }; EB59D66B1E95EF2900997EAC /* libcompression.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libcompression.dylib; path = usr/lib/libcompression.dylib; sourceTree = SDKROOT; }; + EB5E3BC62003C66300F1631B /* SecSignpost.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SecSignpost.h; path = base/SecSignpost.h; sourceTree = ""; }; + EB6667BE204CD65E000B404F /* testPlistDER.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = testPlistDER.m; sourceTree = ""; }; EB6928BE1D9C9C5900062A18 /* SecRecoveryKey.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecRecoveryKey.h; sourceTree = ""; }; EB6928BF1D9C9C5900062A18 /* SecRecoveryKey.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SecRecoveryKey.m; sourceTree = ""; }; EB6928C91D9C9D9D00062A18 /* rk_01_recoverykey.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = rk_01_recoverykey.m; path = Regressions/rk_01_recoverykey.m; sourceTree = ""; }; 
@@ -11909,6 +12539,8 @@ EB7AE6F71E86D55400B80B15 /* SecPLWrappers.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SecPLWrappers.h; path = src/SecPLWrappers.h; sourceTree = ""; }; EB8021411D3D90BB008540C4 /* Security.iOS.modulemap */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = "sourcecode.module-map"; name = Security.iOS.modulemap; path = Modules/Security.iOS.modulemap; sourceTree = ""; }; EB8021421D3D90BB008540C4 /* Security.macOS.modulemap */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = "sourcecode.module-map"; name = Security.macOS.modulemap; path = Modules/Security.macOS.modulemap; sourceTree = ""; }; + EB82A2A41FAFF26900CA64A9 /* SFBehavior.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SFBehavior.h; sourceTree = ""; }; + EB82A2A51FAFF26900CA64A9 /* SFBehavior.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = SFBehavior.m; sourceTree = ""; }; EB9C02421E8A112A0040D3C6 /* secd-37-pairing-initial-sync.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "secd-37-pairing-initial-sync.m"; sourceTree = ""; }; EB9C1D7A1BDFD0E000F89272 /* secbackupntest */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = secbackupntest; sourceTree = BUILT_PRODUCTS_DIR; }; EB9C1D7D1BDFD0E100F89272 /* secbackupntest.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = secbackupntest.m; sourceTree = ""; }; 
@@ -11925,6 +12557,7 @@ EBCF73F11CE45F8600BED7CA /* secitemfunctionality.entitlements */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; name = secitemfunctionality.entitlements; path = secitemfunctionality/secitemfunctionality.entitlements; sourceTree = ""; }; EBCF73F21CE45F8600BED7CA /* secitemfunctionality.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = secitemfunctionality.m; path = secitemfunctionality/secitemfunctionality.m; sourceTree = ""; }; EBCF73FC1CE45F9C00BED7CA /* secitemfunctionality */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = secitemfunctionality; sourceTree = BUILT_PRODUCTS_DIR; }; + EBD8AD632004B45500588BBA /* SecurityCustomSignposts.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist; name = SecurityCustomSignposts.plist; path = base/SecurityCustomSignposts.plist; sourceTree = ""; }; EBE54D771BE33227000C4856 /* libmis.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libmis.dylib; path = usr/lib/libmis.dylib; sourceTree = SDKROOT; }; EBEEEE351EA31A8300E15F5C /* SOSControlHelper.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SOSControlHelper.h; sourceTree = ""; }; EBEEEE361EA31A8300E15F5C /* SOSControlHelper.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = SOSControlHelper.m; sourceTree = ""; }; @@ -11959,7 +12592,6 @@ 438168C51B4ED43B00C54D58 /* CoreFoundation.framework in Frameworks */, EB3409B01C1D627400D77661 /* Foundation.framework in Frameworks */, DCD22D8B1D8CCC58001C9B81 /* libASN1_not_installed.a in Frameworks */, - DC59EA911D91CDCF001BDDF5 /* libDER_not_installed.a in Frameworks */, DC59E9A71D91C7C7001BDDF5 /* libCMS.a in Frameworks */, DC00ABD71D821F3F00513D74 /* libsecurity.a in Frameworks */, DC00ABD81D821F4300513D74 /* libsecdRegressions.a in Frameworks */, 
@@ -11972,11 +12604,13 @@ 0C0BDB8D1756A66100BC1A7E /* CFNetwork.framework in Frameworks */, 0C0BDB911756A8A400BC1A7E /* IOKit.framework in Frameworks */, 0C0BDB931756A8C900BC1A7E /* SystemConfiguration.framework in Frameworks */, + D46246B81F9AE77900D63882 /* libDER.a in Frameworks */, 5E8B53A51AA0B8A600345E7B /* libcoreauthd_test_client.a in Frameworks */, 4432B15F1A014D55000958DC /* libaks_acl.a in Frameworks */, 0C0BDB8F1756A6D500BC1A7E /* libMobileGestalt.dylib in Frameworks */, 0C0BDB881756A51000BC1A7E /* libsqlite3.dylib in Frameworks */, BE8ABDD81DC2DD9100EC2D58 /* libz.dylib in Frameworks */, + 0C59605D1FB2D95D0095BA29 /* libprequelite.tbd in Frameworks */, 4469FBFF1AA0A4820021AA26 /* libctkclient_test.a in Frameworks */, ); runOnlyForDeploymentPostprocessing = 0; 
@@ -12001,6 +12635,41 @@ ); runOnlyForDeploymentPostprocessing = 0; }; + 0C85DFE51FB38BB6000343A7 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + 0C85DFE71FB38BB6000343A7 /* libASN1_not_installed.a in Frameworks */, + 0C85DFE81FB38BB6000343A7 /* libsecurityd_ios_NO_AKS.a in Frameworks */, + 0C85DFE91FB38BB6000343A7 /* libSecureObjectSyncFramework.a in Frameworks */, + 0C85DFEA1FB38BB6000343A7 /* libSecureObjectSyncServer.a in Frameworks */, + 0C85DFEB1FB38BB6000343A7 /* libsecurity.a in Frameworks */, + 0C85DFEC1FB38BB6000343A7 /* libutilities.a in Frameworks */, + 0C85DFED1FB38BB6000343A7 /* CFNetwork.framework in Frameworks */, + 0C85DFEE1FB38BB6000343A7 /* Foundation.framework in Frameworks */, + 0C85DFF01FB38BB6000343A7 /* IOKit.framework in Frameworks */, + 0C85DFF11FB38BB6000343A7 /* OCMock.framework in Frameworks */, + 0C0DA5CE1FE1EAB9003BD3BB /* SecurityFoundation.framework in Frameworks */, + 0C85DFF31FB38BB6000343A7 /* SystemConfiguration.framework in Frameworks */, + 0C85DFF41FB38BB6000343A7 /* libACM.a in Frameworks */, + 0C85DFF51FB38BB6000343A7 /* libaks_acl.a in Frameworks */, + 0C85DFF61FB38BB6000343A7 /* libDER.a in Frameworks */, + 0C85DFF71FB38BB6000343A7 /* libbsm.dylib in Frameworks */, + 0C85DFF81FB38BB6000343A7 /* libcoreauthd_client.a in Frameworks */, + 0C85DFF91FB38BB6000343A7 /* libctkclient.a in Frameworks */, + 0C85DFFA1FB38BB6000343A7 /* libsqlite3.0.dylib in Frameworks */, + 0C85DFFB1FB38BB6000343A7 /* libz.dylib in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 0C8BBF021FCB446400580909 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + 0C8BBF031FCB446400580909 /* Security.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; 225394AF1E3080A600D3CD9B /* Frameworks */ = { isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; 
@@ -12027,6 +12696,40 @@ ); runOnlyForDeploymentPostprocessing = 0; }; + 4727FBB41F9918580003AE36 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + 477A1F5220320E4A00ACD81D /* Accounts.framework in Frameworks */, + 472339691FD7156800CB6A72 /* CoreCDP.framework in Frameworks */, + 472339671FD7155E00CB6A72 /* libprequelite.dylib in Frameworks */, + 47D183911FB3827800CFCD89 /* OCMock.framework in Frameworks */, + 4727FBEA1F9922190003AE36 /* libregressionBase.a in Frameworks */, + 4727FBE91F9921D10003AE36 /* libACM.a in Frameworks */, + 4727FBE71F99218A0003AE36 /* ApplePushService.framework in Frameworks */, + 4727FBE51F99217B0003AE36 /* SharedWebCredentials.framework in Frameworks */, + 4727FBE31F9921660003AE36 /* MobileKeyBag.framework in Frameworks */, + 4727FBE11F9921300003AE36 /* IOKit.framework in Frameworks */, + 4727FBDF1F99211D0003AE36 /* libaks.a in Frameworks */, + 4727FBDD1F9920F20003AE36 /* libaks_acl.a in Frameworks */, + 4727FBDB1F9920CC0003AE36 /* WirelessDiagnostics.framework in Frameworks */, + 4727FBD91F9920BC0003AE36 /* SystemConfiguration.framework in Frameworks */, + 4727FBD71F99209C0003AE36 /* libSecureObjectSyncServer.a in Frameworks */, + 4727FBD61F9920960003AE36 /* libSecureObjectSyncFramework.a in Frameworks */, + 4727FBD51F9920510003AE36 /* ProtocolBuffer.framework in Frameworks */, + 4727FBD31F9920290003AE36 /* CloudKit.framework in Frameworks */, + 4727FBD11F991F990003AE36 /* libMobileGestalt.dylib in Frameworks */, + 4727FBCE1F991F820003AE36 /* SecurityFoundation.framework in Frameworks */, + 4727FBCD1F991F660003AE36 /* libsqlite3.dylib in Frameworks */, + 4727FBCB1F991F510003AE36 /* Security.framework in Frameworks */, + 4727FBC91F991E5A0003AE36 /* libutilities.a in Frameworks */, + 4727FBC81F991E460003AE36 /* libsecurityd_ios.a in Frameworks */, + 4727FBC71F991E3A0003AE36 /* libsecurity.a in Frameworks */, + 4727FBC61F991DE90003AE36 /* libsecdRegressions.a in Frameworks */, + 
4727FBC51F991C470003AE36 /* Foundation.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; 47702B1B1E5F409700B29577 /* Frameworks */ = { isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; 
@@ -12043,6 +12746,41 @@ ); runOnlyForDeploymentPostprocessing = 0; }; + 478D427D1FD72A8100CAB645 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + 477A1F5320320E5100ACD81D /* Accounts.framework in Frameworks */, + 478D429F1FD72C8400CAB645 /* AppleSystemInfo.framework in Frameworks */, + 478D429E1FD72C4800CAB645 /* CrashReporterSupport.framework in Frameworks */, + 478D427E1FD72A8100CAB645 /* CoreCDP.framework in Frameworks */, + 478D427F1FD72A8100CAB645 /* libprequelite.dylib in Frameworks */, + 478D42801FD72A8100CAB645 /* OCMock.framework in Frameworks */, + 478D42811FD72A8100CAB645 /* libregressionBase.a in Frameworks */, + 478D42821FD72A8100CAB645 /* libACM.a in Frameworks */, + 478D42831FD72A8100CAB645 /* ApplePushService.framework in Frameworks */, + 478D42841FD72A8100CAB645 /* SharedWebCredentials.framework in Frameworks */, + 478D42851FD72A8100CAB645 /* MobileKeyBag.framework in Frameworks */, + 478D42861FD72A8100CAB645 /* IOKit.framework in Frameworks */, + 478D42871FD72A8100CAB645 /* libaks.a in Frameworks */, + 478D42881FD72A8100CAB645 /* libaks_acl.a in Frameworks */, + 478D42891FD72A8100CAB645 /* WirelessDiagnostics.framework in Frameworks */, + 478D428A1FD72A8100CAB645 /* SystemConfiguration.framework in Frameworks */, + 478D428B1FD72A8100CAB645 /* libSecureObjectSyncServer.a in Frameworks */, + 478D428C1FD72A8100CAB645 /* libSecureObjectSyncFramework.a in Frameworks */, + 478D428D1FD72A8100CAB645 /* ProtocolBuffer.framework in Frameworks */, + 478D428E1FD72A8100CAB645 /* CloudKit.framework in Frameworks */, + 478D42901FD72A8100CAB645 /* SecurityFoundation.framework in Frameworks */, + 478D42911FD72A8100CAB645 /* libsqlite3.dylib in Frameworks */, + 478D42921FD72A8100CAB645 /* Security.framework in Frameworks */, + 478D42931FD72A8100CAB645 /* libutilities.a in Frameworks */, + 478D42941FD72A8100CAB645 /* libsecurityd_ios.a in Frameworks */, + 478D42951FD72A8100CAB645 /* libsecurity.a in Frameworks */, 
+ 478D42961FD72A8100CAB645 /* libsecdRegressions.a in Frameworks */, + 478D42971FD72A8100CAB645 /* Foundation.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; 47C51B811EEA657D0032D9E5 /* Frameworks */ = { isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; @@ -12060,8 +12798,8 @@ DC3A81D51D99D568000C7419 /* libcoretls_cfhelpers.dylib in Frameworks */, 5296CB4E1655B8F5009912AF /* libMobileGestalt.dylib in Frameworks */, DCD8A19A1E09EE9800E4FA0A /* libSecureObjectSyncFramework.a in Frameworks */, - DC59EA771D91CC6D001BDDF5 /* libDER_not_installed.a in Frameworks */, 0C78F1D016A5E3EB00654E08 /* libbsm.dylib in Frameworks */, + D46246971F9AE2E400D63882 /* libDER.a in Frameworks */, DCD22D771D8CC9CD001C9B81 /* libASN1_not_installed.a in Frameworks */, 44A655831AA4B4BB0059D185 /* libctkclient.a in Frameworks */, DC59E9A41D91C6F0001BDDF5 /* libCMS.a in Frameworks */, @@ -12106,7 +12844,7 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( - 47B90C951F3509C1006500BC /* CrashReporterSupport.framework in Frameworks */, + D4C6C5CF1FB3B44D007EA57E /* libarchive.2.dylib in Frameworks */, D40B6A8E1E2B643500CD6EE5 /* libtrustd.a in Frameworks */, DC00ABB31D821E0400513D74 /* libSharedRegressions.a in Frameworks */, EBE9019C1C2285DB007308C6 /* AggregateDictionary.framework in Frameworks */, @@ -12116,8 +12854,8 @@ DCD22D9A1D8CCFC1001C9B81 /* libutilities.a in Frameworks */, DC00ABB51D821E0B00513D74 /* libSecureObjectSyncServer.a in Frameworks */, DCD8A1F91E09F98E00E4FA0A /* libSecureObjectSyncFramework.a in Frameworks */, + D46246B51F9AE74000D63882 /* libDER.a in Frameworks */, DCD22D9B1D8CCFCB001C9B81 /* libASN1_not_installed.a in Frameworks */, - DC59EA851D91CD35001BDDF5 /* libDER_not_installed.a in Frameworks */, DC65E7771D8CB82500152EF0 /* libregressionBase.a in Frameworks */, 438168C01B4ED42C00C54D58 /* CoreFoundation.framework in Frameworks */, DCD22D9C1D8CCFD6001C9B81 /* libutilitiesRegressions.a in Frameworks */, 
@@ -12159,8 +12897,8 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + 0C59605C1FB2D9280095BA29 /* libprequelite.tbd in Frameworks */, 47D13F631E8447FB0063B6E2 /* SecurityFoundation.framework in Frameworks */, - EB7F50C51DB8800A003D787D /* CoreCDP.framework in Frameworks */, EBE9019A1C22852C007308C6 /* AggregateDictionary.framework in Frameworks */, 438168BB1B4ED42300C54D58 /* CoreFoundation.framework in Frameworks */, DC00AB8E1D821D4900513D74 /* libSOSCommands.a in Frameworks */, @@ -12223,9 +12961,11 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + 0C8BBF261FCB561C00580909 /* CoreCDP.framework in Frameworks */, + 0C59605A1FB2D8E50095BA29 /* libprequelite.tbd in Frameworks */, + D46246BA1F9AE7A000D63882 /* libDER.a in Frameworks */, DCCD34001E4001AD00AA4AD1 /* libACM.a in Frameworks */, DCAB14271E40039600C81511 /* libASN1_not_installed.a in Frameworks */, - DC59EA8E1D91CDC1001BDDF5 /* libDER_not_installed.a in Frameworks */, EBF2D73C1C1E2B47006AB6FF /* Foundation.framework in Frameworks */, DCD22D801D8CCB0F001C9B81 /* libutilities.a in Frameworks */, DC00ABCC1D821F0B00513D74 /* libsecurityd_ios.a in Frameworks */, 
@@ -12242,11 +12982,28 @@ ); runOnlyForDeploymentPostprocessing = 0; }; + 6C46059B1F882B9B001421B6 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + D4574AA3203E68E0006D9B82 /* AuthKit.framework in Frameworks */, + D4574AA1203E6893006D9B82 /* Accounts.framework in Frameworks */, + D4119E79202BDF580048587B /* libz.tbd in Frameworks */, + 6CDB601B1FA93A2000410924 /* libprequelite.tbd in Frameworks */, + 6CDB601A1FA93A1800410924 /* libsqlite3.tbd in Frameworks */, + 6CDB60111FA9386200410924 /* Security.framework in Frameworks */, + D4119E882032A8FA0048587B /* OCMock.framework in Frameworks */, + 6C13AE481F8E9FC800F047E3 /* libutilities.a in Frameworks */, + 6C4605A51F882B9B001421B6 /* Foundation.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; 6C9808481E788AEB00E70590 /* Frameworks */ = { isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( - 6C9808491E788AEB00E70590 /* libDER_not_installed.a in Frameworks */, + 6CAA8CDD1F82EDEF007B6E03 /* Security.framework in Frameworks */, + D46246BC1F9AE82B00D63882 /* libDER.a in Frameworks */, 6C98084A1E788AEB00E70590 /* libASN1_not_installed.a in Frameworks */, 6C98084C1E788AEB00E70590 /* libsecurityd_ios_NO_AKS.a in Frameworks */, 6C98084D1E788AEB00E70590 /* libSecureObjectSyncFramework.a in Frameworks */, @@ -12264,6 +13021,7 @@ 6C9808581E788AEB00E70590 /* libbsm.dylib in Frameworks */, 6C9808591E788AEB00E70590 /* libcoreauthd_client.a in Frameworks */, 6C98085A1E788AEB00E70590 /* libctkclient.a in Frameworks */, + 0C5960651FB2E2800095BA29 /* libprequelite.tbd in Frameworks */, 6C98085B1E788AEB00E70590 /* libsqlite3.0.dylib in Frameworks */, 6C98085C1E788AEB00E70590 /* libz.dylib in Frameworks */, ); 
@@ -12273,7 +13031,8 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( - 6C9808851E788AFD00E70590 /* libDER_not_installed.a in Frameworks */, + 6CAA8CEE1F83E417007B6E03 /* Security.framework in Frameworks */, + D46246BD1F9AE83600D63882 /* libDER.a in Frameworks */, 6C9808861E788AFD00E70590 /* libASN1_not_installed.a in Frameworks */, 6C9808881E788AFD00E70590 /* libsecurityd_ios_NO_AKS.a in Frameworks */, 6C9808891E788AFD00E70590 /* libSecureObjectSyncFramework.a in Frameworks */, @@ -12291,11 +13050,34 @@ 6C9808941E788AFD00E70590 /* libbsm.dylib in Frameworks */, 6C9808951E788AFD00E70590 /* libcoreauthd_client.a in Frameworks */, 6C9808961E788AFD00E70590 /* libctkclient.a in Frameworks */, + 0C59605F1FB2D9F60095BA29 /* libprequelite.tbd in Frameworks */, 6C9808971E788AFD00E70590 /* libsqlite3.0.dylib in Frameworks */, 6C9808981E788AFD00E70590 /* libz.dylib in Frameworks */, ); runOnlyForDeploymentPostprocessing = 0; }; + 6C9AA79B1F7C1D8F00D08296 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + 6C7FD5DF1F87FA42002C2285 /* Security.framework in Frameworks */, + 6C1260FD1F7DA42D001B2EEC /* Foundation.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 6CAA8D1D1F842FB3007B6E03 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + D4574AA2203E68C8006D9B82 /* AuthKit.framework in Frameworks */, + D4574AA0203E618B006D9B82 /* Accounts.framework in Frameworks */, + D4119E78202BDF490048587B /* libz.tbd in Frameworks */, + 6CAA8D3B1F8431AE007B6E03 /* Foundation.framework in Frameworks */, + 6CAA8D3A1F8431A7007B6E03 /* libutilities.a in Frameworks */, + 6CAA8D371F843196007B6E03 /* Security.framework in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; 6CCDF7811E3C25FA003F2555 /* Frameworks */ = { isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; 
@@ -12322,18 +13104,6 @@ ); runOnlyForDeploymentPostprocessing = 0; }; - 728B569E16D59979008FA3AB /* Frameworks */ = { - isa = PBXFrameworksBuildPhase; - buildActionMask = 2147483647; - files = ( - 72DF9EFE178360230054641E /* libMobileGestalt.dylib in Frameworks */, - 72C3EC2E1705F24E0040C87C /* ManagedConfiguration.framework in Frameworks */, - 72CD2BCE16D59B010064EEE1 /* MobileAsset.framework in Frameworks */, - 72CD2BCD16D59AF30064EEE1 /* Security.framework in Frameworks */, - 728B56A216D59979008FA3AB /* Foundation.framework in Frameworks */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; 790851B40CA9859F0083CC4D /* Frameworks */ = { isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; @@ -12346,7 +13116,6 @@ DC00AB821D821C9500513D74 /* libSecureObjectSyncServer.a in Frameworks */, DCD8A1E71E09F85400E4FA0A /* libSecureObjectSyncFramework.a in Frameworks */, DC00AB831D821C9A00513D74 /* libSWCAgent.a in Frameworks */, - DC59EA7E1D91CCB2001BDDF5 /* libDER_not_installed.a in Frameworks */, 790851EE0CA9B3410083CC4D /* Security.framework in Frameworks */, E71F3E3116EA69A900FAF9B4 /* SystemConfiguration.framework in Frameworks */, 4CAF66190F3A6FCD0064A534 /* IOKit.framework in Frameworks */, @@ -12454,11 +13223,11 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + D46246AA1F9AE6CA00D63882 /* libDER.a in Frameworks */, D41258011E94230400781F23 /* IOKit.framework in Frameworks */, D41257E01E94136000781F23 /* libz.dylib in Frameworks */, D41257DF1E94133600781F23 /* CFNetwork.framework in Frameworks */, D41257DE1E94132900781F23 /* libsqlite3.dylib in Frameworks */, - D41257DC1E94130C00781F23 /* libDER_not_installed.a in Frameworks */, D41257DB1E9412E700781F23 /* libutilities.a in Frameworks */, D41257DA1E9412DC00781F23 /* libtrustd.a in Frameworks */, D41257E21E94138600781F23 /* CoreFoundation.framework in Frameworks */, 
@@ -12666,7 +13435,6 @@ files = ( CD9F2AFB1DF24BAF00AD3577 /* Foundation.framework in Frameworks */, DCD22D4B1D8CBF54001C9B81 /* libASN1_not_installed.a in Frameworks */, - D4D96ED51F478BAF004B5F01 /* libDER_not_installed.a in Frameworks */, DC00AB6F1D821C3400513D74 /* libSecItemShimOSX.a in Frameworks */, DC00AB701D821C3800513D74 /* libSecOtrOSX.a in Frameworks */, DC00AB6B1D821C1A00513D74 /* libSecTrustOSX.a in Frameworks */, @@ -12711,6 +13479,7 @@ DC3A81D61D99D57F000C7419 /* libcoretls.dylib in Frameworks */, DC3A81D71D99D58A000C7419 /* libcoretls_cfhelpers.dylib in Frameworks */, DC1789291D779A2800B50D50 /* libctkclient.a in Frameworks */, + D46246C91F9AEA5300D63882 /* libDER.a in Frameworks */, DC17891D1D77999700B50D50 /* libpam.dylib in Frameworks */, DC17891F1D77999D00B50D50 /* libsqlite3.dylib in Frameworks */, DC1789211D7799A100B50D50 /* libxar.dylib in Frameworks */, @@ -12731,8 +13500,8 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + D46246BE1F9AE86400D63882 /* libDER.a in Frameworks */, 47A0ABA81E6F7B24001B388C /* SecurityFoundation.framework in Frameworks */, - DC3502C81E020D5B00BC0587 /* libDER_not_installed.a in Frameworks */, DC3502C51E020D5100BC0587 /* libASN1_not_installed.a in Frameworks */, DC222C7A1E034EF700B09171 /* libsecurityd_ios_NO_AKS.a in Frameworks */, DC0984FD1E1DB6DF00140ADC /* libSecureObjectSyncFramework.a in Frameworks */, @@ -12740,6 +13509,7 @@ DC3502D61E02118000BC0587 /* libsecurity.a in Frameworks */, DC3502CF1E020E2900BC0587 /* libutilities.a in Frameworks */, DC222C351E02418100B09171 /* CFNetwork.framework in Frameworks */, + 0C8BBF2B1FCB575800580909 /* CoreCDP.framework in Frameworks */, DC3502DF1E02129F00BC0587 /* Foundation.framework in Frameworks */, DC3502D21E02113900BC0587 /* IOKit.framework in Frameworks */, DC3502E91E02172C00BC0587 /* OCMock.framework in Frameworks */, 
@@ -12749,6 +13519,7 @@ DC222C361E02419B00B09171 /* libbsm.dylib in Frameworks */, DC3502E41E02130600BC0587 /* libcoreauthd_client.a in Frameworks */, DC3502E21E0212D100BC0587 /* libctkclient.a in Frameworks */, + 0C5960601FB2DA310095BA29 /* libprequelite.tbd in Frameworks */, DC3502CA1E020DC100BC0587 /* libsqlite3.0.dylib in Frameworks */, DC222C321E0240D300B09171 /* libz.dylib in Frameworks */, ); @@ -12879,13 +13650,6 @@ ); runOnlyForDeploymentPostprocessing = 0; }; - DC59E9E81D91C9DC001BDDF5 /* Frameworks */ = { - isa = PBXFrameworksBuildPhase; - buildActionMask = 2147483647; - files = ( - ); - runOnlyForDeploymentPostprocessing = 0; - }; DC5ABDC21D832DAB00CF422C /* Frameworks */ = { isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; @@ -12933,6 +13697,9 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + 0CA4EC10202BB5AF002B1D96 /* Accounts.framework in Frameworks */, + 0C8BBF2D1FCB5A2900580909 /* CoreCDP.framework in Frameworks */, + 0C5960631FB2E1A70095BA29 /* libprequelite.tbd in Frameworks */, 47B90C901F350966006500BC /* CrashReporterSupport.framework in Frameworks */, 474B5FC81E662E79007546F8 /* SecurityFoundation.framework in Frameworks */, D43B88721E72298500F86F19 /* MobileAsset.framework in Frameworks */, @@ -12942,8 +13709,8 @@ DC610A3B1D78F234002223DE /* libACM.a in Frameworks */, DC610A391D78F1B7002223DE /* libaks.a in Frameworks */, DC610A2C1D78F129002223DE /* libaks_acl.a in Frameworks */, + D46246B91F9AE79000D63882 /* libDER.a in Frameworks */, DCD22D601D8CC2EF001C9B81 /* libASN1_not_installed.a in Frameworks */, - DC59EA941D91CDE0001BDDF5 /* libDER_not_installed.a in Frameworks */, DCD22D611D8CC2F8001C9B81 /* libbsm.dylib in Frameworks */, DC610A2B1D78F129002223DE /* libcoreauthd_test_client.a in Frameworks */, DC610A2F1D78F129002223DE /* libctkclient_test.a in Frameworks */, 
@@ -12956,6 +13723,7 @@ DC00ABE81D821F7D00513D74 /* libsecurityd_ios.a in Frameworks */, D40B6A901E2B673500CD6EE5 /* libtrustd.a in Frameworks */, DCD22D631D8CC33A001C9B81 /* libSOSRegressions.a in Frameworks */, + DCB332451F47856B00178C30 /* libSOSCommands.a in Frameworks */, DCD22D641D8CC341001C9B81 /* libutilities.a in Frameworks */, DCD22D651D8CC349001C9B81 /* libutilitiesRegressions.a in Frameworks */, DCDCCB3A1DF25D1D006E840E /* ApplePushService.framework in Frameworks */, @@ -13048,7 +13816,6 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( - DC59EA9A1D91CE94001BDDF5 /* libDER_not_installed.a in Frameworks */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -13131,8 +13898,8 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + 0C5960621FB2E0EC0095BA29 /* libprequelite.tbd in Frameworks */, 6C1F93111DD5E41A00585608 /* libDiagnosticMessagesClient.dylib in Frameworks */, - EB7F50CC1DB88A03003D787D /* CoreCDP.framework in Frameworks */, DCE4E6AE1D7A3C6A00AFB96E /* AppleSystemInfo.framework in Frameworks */, DCE4E6AD1D7A3B9700AFB96E /* libaks.a in Frameworks */, DCE4E6AC1D7A3B5000AFB96E /* libACM.a in Frameworks */, @@ -13162,6 +13929,8 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + D4C6C5CD1FB3B423007EA57E /* libarchive.tbd in Frameworks */, + D46246B71F9AE76500D63882 /* libDER.a in Frameworks */, DC3A81EC1D99F568000C7419 /* libcoretls.dylib in Frameworks */, DCE4E7C61D7A468300AFB96E /* libaks.a in Frameworks */, DCE4E75E1D7A43B500AFB96E /* CoreFoundation.framework in Frameworks */, 
@@ -13170,7 +13939,7 @@ DCE4E7541D7A43B500AFB96E /* Foundation.framework in Frameworks */, DCE4E7681D7A43B500AFB96E /* IOKit.framework in Frameworks */, DC65E7751D8CB81000152EF0 /* libregressionBase.a in Frameworks */, - DC59EA8B1D91CD93001BDDF5 /* libDER_not_installed.a in Frameworks */, + DC26710E1F3E932D00816EED /* libASN1_not_installed.a in Frameworks */, DC00ABC71D821EF400513D74 /* libSharedRegressions.a in Frameworks */, DCD22D551D8CC148001C9B81 /* libsecurity_keychain_regressions.a in Frameworks */, DC63CAF81D91A15F00C03317 /* libsecurity_cms_regressions.a in Frameworks */, @@ -13185,10 +13954,10 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + D46246BB1F9AE7B300D63882 /* libDER.a in Frameworks */, DCD22D5F1D8CC294001C9B81 /* libsecurity_ssl_regressions.a in Frameworks */, DCE4E7E41D7A4B8F00AFB96E /* Foundation.framework in Frameworks */, DCE4E7EF1D7A4BCB00AFB96E /* libaks.a in Frameworks */, - DC59EA971D91CDFA001BDDF5 /* libDER_not_installed.a in Frameworks */, DC65E7C21D8CBB5800152EF0 /* libregressionBase.a in Frameworks */, DCE4E7EC1D7A4BB800AFB96E /* Security.framework in Frameworks */, DCE4E7EB1D7A4BB200AFB96E /* SecurityFoundation.framework in Frameworks */, 
@@ -13205,17 +13974,19 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + 0CA4EC11202BB5E9002B1D96 /* Accounts.framework in Frameworks */, + 0C5960641FB2E2070095BA29 /* libprequelite.tbd in Frameworks */, 4710A6D91F34F21700745267 /* CrashReporterSupport.framework in Frameworks */, D41D36711EB14D87007FA978 /* libDiagnosticMessagesClient.tbd in Frameworks */, 474B5FC61E662E48007546F8 /* SecurityFoundation.framework in Frameworks */, 6C5B36C01E2F9BEA008AD443 /* WirelessDiagnostics.framework in Frameworks */, CD9F2AF91DF249B400AD3577 /* Foundation.framework in Frameworks */, DCE4E8281D7A4F1600AFB96E /* login.framework in Frameworks */, + D46246D91F9AED5D00D63882 /* libDER.a in Frameworks */, DCE4E8251D7A4EE400AFB96E /* libACM.a in Frameworks */, DCE4E8241D7A4ECD00AFB96E /* libaks.a in Frameworks */, DCE4E8231D7A4EC900AFB96E /* libaks_acl.a in Frameworks */, DCD22D711D8CC78E001C9B81 /* libASN1_not_installed.a in Frameworks */, - DC59EA7B1D91CC9F001BDDF5 /* libDER_not_installed.a in Frameworks */, DCE4E8201D7A4EAC00AFB96E /* libcoreauthd_client.a in Frameworks */, DCE4E81F1D7A4EA700AFB96E /* libctkclient.a in Frameworks */, DCE4E81C1D7A4E8F00AFB96E /* libsqlite3.0.dylib in Frameworks */, @@ -13231,6 +14002,7 @@ DCD22D721D8CC804001C9B81 /* SystemConfiguration.framework in Frameworks */, DCE4E80F1D7A4E4600AFB96E /* Security.framework in Frameworks */, DC4DB16A1E26E9F900CD6769 /* ProtocolBuffer.framework in Frameworks */, + 0C8BBFFD1FCE8F3300580909 /* CoreCDP.framework in Frameworks */, DCE4E82C1D7A56FF00AFB96E /* AppleSystemInfo.framework in Frameworks */, ); runOnlyForDeploymentPostprocessing = 0; @@ -13239,6 +14011,7 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + D46246D41F9AEAE300D63882 /* libDER.a in Frameworks */, D40B6A9A1E2B68E800CD6EE5 /* libbsm.dylib in Frameworks */, D40B6A991E2B68A400CD6EE5 /* libz.dylib in Frameworks */, D40B6A981E2B687F00CD6EE5 /* libDiagnosticMessagesClient.dylib in Frameworks */, 
@@ -13246,7 +14019,6 @@ D40B6A9E1E2B6A6F00CD6EE5 /* libtrustd.a in Frameworks */, D40B6A931E2B67E500CD6EE5 /* libutilities.a in Frameworks */, D40B6A831E2B5F5B00CD6EE5 /* libASN1_not_installed.a in Frameworks */, - D40B6A821E2B5F5600CD6EE5 /* libDER_not_installed.a in Frameworks */, D40B6A9D1E2B6A2700CD6EE5 /* login.framework in Frameworks */, D4ADA3311E2B43450031CEA3 /* CFNetwork.framework in Frameworks */, D4ADA3301E2B433B0031CEA3 /* Security.framework in Frameworks */, @@ -13351,6 +14123,8 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + D4C6C5D01FB3B45E007EA57E /* libarchive.2.dylib in Frameworks */, + 0C59605E1FB2D9990095BA29 /* libprequelite.tbd in Frameworks */, D40B6A8F1E2B643D00CD6EE5 /* libtrustd.a in Frameworks */, DC00ABC01D821EBE00513D74 /* libSharedRegressions.a in Frameworks */, EBE9019B1C2285D4007308C6 /* AggregateDictionary.framework in Frameworks */, @@ -13361,7 +14135,7 @@ DC00ABC11D821EC300513D74 /* libsecurityd_ios.a in Frameworks */, DC00ABC21D821EC600513D74 /* libSecureObjectSyncServer.a in Frameworks */, DCD8A1F31E09F91700E4FA0A /* libSecureObjectSyncFramework.a in Frameworks */, - DC59EA881D91CD7E001BDDF5 /* libDER_not_installed.a in Frameworks */, + D46246B61F9AE75100D63882 /* libDER.a in Frameworks */, DCD22D931D8CCD17001C9B81 /* libASN1_not_installed.a in Frameworks */, DCD22D941D8CCDFA001C9B81 /* libutilities.a in Frameworks */, DC17890B1D77980500B50D50 /* Security.framework in Frameworks */, @@ -13428,7 +14202,6 @@ DC00ABA51D821DCD00513D74 /* libsecurity.a in Frameworks */, DCD8A1F61E09F96900E4FA0A /* libSecureObjectSyncFramework.a in Frameworks */, DCD22D541D8CC0FC001C9B81 /* libutilities.a in Frameworks */, - DC59EA821D91CD24001BDDF5 /* libDER_not_installed.a in Frameworks */, DCD22D531D8CC0EF001C9B81 /* libASN1_not_installed.a in Frameworks */, E7F482A11C7543E500390FDB /* libsqlite3.dylib in Frameworks */, E7F482A31C7544E600390FDB /* libctkclient_test.a in Frameworks */, 
@@ -13465,7 +14238,6 @@ EB75B4891E75402400E469CC /* IOKit.framework in Frameworks */, EB75B48A1E75405100E469CC /* libsecurity.a in Frameworks */, EB75B48C1E75407C00E469CC /* libutilities.a in Frameworks */, - EB75B48E1E75408C00E469CC /* libDER_not_installed.a in Frameworks */, EB75B48D1E75408900E469CC /* libASN1_not_installed.a in Frameworks */, EB75B48F1E75409A00E469CC /* libsqlite3.dylib in Frameworks */, EB75B4901E7540AA00E469CC /* libctkclient_test.a in Frameworks */, @@ -13510,6 +14282,27 @@ ); runOnlyForDeploymentPostprocessing = 0; }; + EB49B2AB202D877F003F34A0 /* Frameworks */ = { + isa = PBXFrameworksBuildPhase; + buildActionMask = 2147483647; + files = ( + EB49B2C2202DF002003F34A0 /* libDER.a in Frameworks */, + EB49B2BD202DEF29003F34A0 /* libSecureObjectSyncFramework.a in Frameworks */, + EB49B2BE202DEF29003F34A0 /* libSecureObjectSyncServer.a in Frameworks */, + EB49B2BB202D8894003F34A0 /* libsecurityd_ios.a in Frameworks */, + EB49B2BF202DEF67003F34A0 /* libsecurity.a in Frameworks */, + EB49B2C1202DEF8D003F34A0 /* libASN1_not_installed.a in Frameworks */, + EB49B2C0202DEF7D003F34A0 /* libutilities.a in Frameworks */, + EB49B308202FF421003F34A0 /* OCMock.framework in Frameworks */, + EB49B2E2202DFDA3003F34A0 /* CoreCDP.framework in Frameworks */, + EB49B2D2202DF17D003F34A0 /* SecurityFoundation.framework in Frameworks */, + EB49B2CD202DF0F9003F34A0 /* SystemConfiguration.framework in Frameworks */, + EB49B2C7202DF0E9003F34A0 /* IOKit.framework in Frameworks */, + EB49B2DD202DF259003F34A0 /* libbsm.tbd in Frameworks */, + EB49B2BC202DEF14003F34A0 /* libsqlite3.tbd in Frameworks */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; EB9C1D771BDFD0E000F89272 /* Frameworks */ = { isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; 
@@ -13548,6 +14341,8 @@ isa = PBXFrameworksBuildPhase; buildActionMask = 2147483647; files = ( + DC2670F61F3E714000816EED /* libSecureObjectSyncServer.a in Frameworks */, + DCE5DC121EA80369006308A6 /* libSOSCommands.a in Frameworks */, EBF3747E1DC057B40065D840 /* Security.framework in Frameworks */, E76638A81DD679BC00B769D3 /* libutilities.a in Frameworks */, ); 
@@ -13603,6 +14398,102 @@ path = regressions; sourceTree = ""; }; + 0C7CEA391FE9CE3900125C79 /* behavior */ = { + isa = PBXGroup; + children = ( + EB82A2A41FAFF26900CA64A9 /* SFBehavior.h */, + EB82A2A51FAFF26900CA64A9 /* SFBehavior.m */, + ); + path = behavior; + sourceTree = ""; + }; + 0C8BBE831FC9DA1700580909 /* Octagon Trust */ = { + isa = PBXGroup; + children = ( + 0CCCC7C720261D050024405E /* OT.h */, + 0CCCC7C820261D310024405E /* OT.m */, + EB10A3E320356E2000E84270 /* OTConstants.h */, + EB10A3E420356E2000E84270 /* OTConstants.m */, + DC124DC120059B8700BE8DAC /* OctagonControlServer.h */, + DC124DC220059B8700BE8DAC /* OctagonControlServer.m */, + BEE4B1901FFD604B00777D39 /* OTAuthenticatedCiphertext+SF.h */, + BEE4B1911FFD604B00777D39 /* OTAuthenticatedCiphertext+SF.m */, + 0C8BBE951FC9DA5800580909 /* OTBottledPeer.h */, + 0C8BBE931FC9DA5700580909 /* OTBottledPeer.m */, + BE2AD2B11FDA07EF00739F96 /* OTBottledPeerRecord.h */, + BE2AD2B21FDA07EF00739F96 /* OTBottledPeerRecord.m */, + 0CE1BCCD1FCE11610017230E /* OTBottledPeerSigned.h */, + 0CE1BCC61FCE11480017230E /* OTBottledPeerSigned.m */, + 0C8BBE891FC9DA5200580909 /* OTCloudStore.h */, + 0C770EC31FCF7E2000B5F0E2 /* OTCloudStore.m */, + 0CE407B31FD476E000F59B31 /* OTCloudStoreState.h */, + 0CE407AB1FD4769B00F59B31 /* OTCloudStoreState.m */, + 0C8BBE8B1FC9DA5300580909 /* OTContext.h */, + 0C8BBE981FC9DA5A00580909 /* OTContext.m */, + 0CD9E8071FE05B8700F66C38 /* OTContextRecord.h */, + 0CD9E7FF1FE05B6600F66C38 /* OTContextRecord.m */, + 0C8BBF0B1FCB452200580909 /* OTControl.h */, + 0C8BBF0E1FCB452400580909 /* OTControl.m */, + 0C8BBF0C1FCB452200580909 /* OTControlProtocol.h */, + 0C8BBF0D1FCB452300580909 /* OTControlProtocol.m */, + 0C8BBE971FC9DA5A00580909 /* OTDefines.h */, + 0C8BBE921FC9DA5700580909 /* OTEscrowKeys.h */, + 0C8BBE961FC9DA5900580909 /* OTEscrowKeys.m */, + 0C8BBE8A1FC9DA5300580909 /* OTIdentity.h */, + 0C8BBE8D1FC9DA5400580909 /* OTIdentity.m */, + 0C8BBE8E1FC9DA5500580909 /* OTLocalStore.h 
*/, + 0C8BBE8C1FC9DA5400580909 /* OTLocalStore.m */, + 0C8BBF101FCB486B00580909 /* OTManager.h */, + 0C8BBF0F1FCB481800580909 /* OTManager.m */, + 0C36B3202007EE9B0029F7A2 /* OTPreflightInfo.h */, + 0C36B3172007EE6C0029F7A2 /* OTPreflightInfo.m */, + BEB0B0D91FFC45C2007E6A83 /* OTPrivateKey+SF.h */, + BEB0B0DA1FFC45C2007E6A83 /* OTPrivateKey+SF.m */, + 0C5CFB3F201962FF00913B9C /* OTRamping.h */, + 0C5CFB37201960FF00913B9C /* OTRamping.m */, + BE34059B1FD71BA700933DAC /* Protocol Buffers */, + BEE4B1971FFDAFE600777D39 /* SFECPublicKey+SPKI.m */, + BEE4B1961FFDAFE600777D39 /* SFPublicKey+SPKI.h */, + 0C8BBEB11FC9DCAC00580909 /* tests */, + ); + name = "Octagon Trust"; + sourceTree = ""; + }; + 0C8BBEB11FC9DCAC00580909 /* tests */ = { + isa = PBXGroup; + children = ( + 0C8A034E1FDF60070042E8BE /* OTBottledPeerTests.m */, + 0CBDF64C1FFC951200433E0D /* OTBottledPeerTLK.m */, + 0C16371F1FD12F1500210823 /* OTCloudStoreTests.m */, + 0C8BBEAF1FC9DCA400580909 /* OTContextTests.m */, + 0C8A03451FDF42BA0042E8BE /* OTEscrowKeyTests.m */, + 0C8A034C1FDF4CCE0042E8BE /* OTLocalStoreTests.m */, + 0C46A57A2035019800F17112 /* OTLockStateNetworkingTests.m */, + 0CB975502023B199008D6B48 /* OTRampingTests.m */, + 0C52C20520004248003F0733 /* OTTestsBase.h */, + 0C52C1FE20003BCA003F0733 /* OTTestsBase.m */, + ); + name = tests; + sourceTree = ""; + }; + 0C8BBEF61FCB402900580909 /* otctl */ = { + isa = PBXGroup; + children = ( + 0C8BBEF71FCB405700580909 /* otctl.m */, + 0C8BBEF81FCB407700580909 /* otctl-Entitlements.plist */, + ); + path = otctl; + sourceTree = ""; + }; + 0CF0E2DD1F8EE37C00BD18E4 /* Signin Metrics */ = { + isa = PBXGroup; + children = ( + 0CF0E2E31F8EE3B000BD18E4 /* SFTransactionMetric.m */, + 0CF0E2E71F8EE40700BD18E4 /* SFTransactionMetric.h */, + ); + path = "Signin Metrics"; + sourceTree = ""; + }; 107226CF0D91DB32003CF14F /* sectask */ = { isa = PBXGroup; children = ( 
@@ -13636,10 +14527,24 @@ 4723C9B51F152E8E0082882F /* Analytics */ = { isa = PBXGroup; children = ( + 6C7BAFFD2006B4D4004D1B6B /* Clients */, 4723C9BB1F152E9E0082882F /* SQLite */, - 4723C9DA1F1540CE0082882F /* SFAnalyticsLogger.h */, - 4723C9DB1F1540CE0082882F /* SFAnalyticsLogger.m */, - 475F371F1EE8F23900248FB5 /* SFAnalyticsLogging.plist */, + 475F371F1EE8F23900248FB5 /* SFAnalytics.plist */, + 4723C9DA1F1540CE0082882F /* SFAnalytics.h */, + 6CC952421FB4C5CA0051A823 /* SFAnalytics+Internal.h */, + 4723C9DB1F1540CE0082882F /* SFAnalytics.m */, + 6CBF65371FA147E500A68667 /* SFAnalyticsActivityTracker.h */, + 6C8CE6BB1FA248B50032ADF0 /* SFAnalyticsActivityTracker+Internal.h */, + 6CBF65381FA147E500A68667 /* SFAnalyticsActivityTracker.m */, + 6C69518F1F75A8C100F68F91 /* SFAnalyticsDefines.h */, + 6CDB5FF41FA78CB500410924 /* SFAnalyticsMultiSampler.h */, + 6CDB5FED1FA78CB400410924 /* SFAnalyticsMultiSampler.m */, + 6CDB5FF31FA78CB500410924 /* SFAnalyticsMultiSampler+Internal.h */, + 6CDF8DE51F95562B00140B54 /* SFAnalyticsSampler.h */, + 6C8CE6C31FA24A670032ADF0 /* SFAnalyticsSampler+Internal.h */, + 6CDF8DE61F95562B00140B54 /* SFAnalyticsSampler.m */, + 6C69518E1F75A7DC00F68F91 /* SFAnalyticsSQLiteStore.h */, + 6C69518D1F75A7DB00F68F91 /* SFAnalyticsSQLiteStore.m */, ); path = Analytics; sourceTree = ""; @@ -13657,6 +14562,18 @@ path = SQLite; sourceTree = ""; }; + 4727FBB81F9918590003AE36 /* secdxctests */ = { + isa = PBXGroup; + children = ( + 4727FBB91F9918590003AE36 /* KeychainCryptoTests.m */, + 4727FBBB1F9918590003AE36 /* Info.plist */, + 477A1FE1203763A500ACD81D /* KeychainAPITests.m */, + 477A1FEB2037A0E000ACD81D /* KeychainXCTest.h */, + 477A1FEC2037A0E000ACD81D /* KeychainXCTest.m */, + ); + path = secdxctests; + sourceTree = ""; + }; 47702B1F1E5F409700B29577 /* seckeychainnetworkextensionsystemdaemontest */ = { isa = PBXGroup; children = ( 
@@ -13684,6 +14601,25 @@ path = SecurityUnitTests; sourceTree = ""; }; + 47D1837D1FB1183D00CFCD89 /* SecDbKeychainV7-protobufs */ = { + isa = PBXGroup; + children = ( + 47922D4E1FAA7D5C0008F7E0 /* SecDbKeychainSerializedItemV7.proto */, + 47922D501FAA7DF60008F7E0 /* SecDbKeychainSerializedItemV7.h */, + 47922D511FAA7DF70008F7E0 /* SecDbKeychainSerializedItemV7.m */, + 47922D171FAA65120008F7E0 /* SecDbKeychainAKSSerializedWrappedKey.proto */, + 47922D371FAA7C040008F7E0 /* SecDbKeychainSerializedAKSWrappedKey.h */, + 47922D361FAA7C030008F7E0 /* SecDbKeychainSerializedAKSWrappedKey.m */, + 47922D201FAA75FF0008F7E0 /* SecDbKeychainSerializedMetadata.proto */, + 47922D3B1FAA7C100008F7E0 /* SecDbKeychainSerializedMetadata.h */, + 47922D3A1FAA7C0F0008F7E0 /* SecDbKeychainSerializedMetadata.m */, + 47922D2C1FAA77970008F7E0 /* SecDbKeychainSerializedSecretData.proto */, + 47922D3E1FAA7C1A0008F7E0 /* SecDbKeychainSerializedSecretData.h */, + 47922D3F1FAA7C1B0008F7E0 /* SecDbKeychainSerializedSecretData.m */, + ); + path = "SecDbKeychainV7-protobufs"; + sourceTree = ""; + }; 4814D86C1CAA064F002FFC36 /* os_log */ = { isa = PBXGroup; children = ( @@ -13698,9 +14634,12 @@ isa = PBXGroup; children = ( 53C0E1F1177FAC2C00F8A018 /* CloudKeychain.strings */, + D4C263C81F952E64001317EA /* SecDebugErrorMessages.strings */, + D4C263CC1F952F6C001317EA /* SecErrorMessages.strings */, BE4AC9B818B8273600B84964 /* SharedWebCredentials.strings */, 4C198F1F0ACDB4BF00AAB142 /* OID.strings */, 4C198F1D0ACDB4BF00AAB142 /* Certificate.strings */, + D479F6DF1F980F8F00388D28 /* Trust.strings */, ); name = strings; path = ../../../resources; @@ -13715,6 +14654,7 @@ DCE4E8A01D7F352600AFB96E /* authd */, DCE4E85A1D7A583100AFB96E /* trustd */, DC5AC1FF1D83650C00CF422C /* securityd */, + 6C69517B1F758E1000F68F91 /* supd */, DC0BC4E51D8B6AA600070CB0 /* applications */, DC5AC2011D83663C00CF422C /* tests */, EB2CA5311D2C30CD00AB770F /* xcconfig */, 
@@ -13725,6 +14665,8 @@ 4C4CE9120AF81F0E0056B01D /* README */, 4CAB97FD1114CC5300EFB38D /* README.keychain */, 4C4CE9070AF81ED80056B01D /* TODO */, + 0CE98BAD1FA93AA900CF1D54 /* CKKSTests-Info.plist */, + 0C85E0041FB38BB7000343A7 /* OTTests-Info.plist */, ); sourceTree = ""; }; @@ -13741,7 +14683,6 @@ 4C711D7613AFCD0900FE865D /* SecurityDevTests.app */, E7B01BF2166594AB000485F1 /* SyncDevTest2.app */, 52D82BDE16A621F70078DFE5 /* CloudKeychainProxy.bundle */, - 728B56A116D59979008FA3AB /* OTAPKIAssetTool */, 4C52D0B416EFC61E0079966E /* CircleJoinRequested */, 5346480117331E1200FE9172 /* KeychainSyncAccountNotification.bundle */, 0C0BDB2F175685B000BC1A7E /* secdtests */, @@ -13761,7 +14702,6 @@ EBCF73FC1CE45F9C00BED7CA /* secitemfunctionality */, 0C2BCBB91D06401F00ED7A2F /* dtlsEchoClient */, 0C2BCBCE1D0648D100ED7A2F /* dtlsEchoServer */, - DC1785051D77873100B50D50 /* Security.framework */, DC1789041D77980500B50D50 /* Security.framework */, DC58C4231D77BDEA003C25A4 /* csparser.bundle */, DC610A341D78F129002223DE /* secdtests */, @@ -13838,7 +14778,6 @@ DCD06A511D8CE281007602F1 /* libcodehost.a */, DCD06A741D8CE2D5007602F1 /* gkunpack */, DCD06AB01D8E0D53007602F1 /* libsecurity_utilities.a */, - DC59E9EC1D91C9DC001BDDF5 /* libDER_not_installed.a */, DC3A4B581D91E9FB00E46D4A /* com.apple.CodeSigningHelper.xpc */, DC71D9DF1D95BA6C0065FB93 /* libASN1.a */, EBF374721DC055580065D840 /* security-sysdiagnose */, 
@@ -13869,6 +14808,14 @@ BED208DD1EDF950E00753952 /* manifeststresstest */, 47C51B841EEA657D0032D9E5 /* SecurityUnitTests.xctest */, EB2D54AA1F02A45E00E46890 /* secatomicfile */, + 4727FBB71F9918580003AE36 /* secdxctests_ios.xctest */, + 0C85E0031FB38BB6000343A7 /* OTTests.xctest */, + 6C9AA79E1F7C1D8F00D08296 /* supdctl */, + 6CAA8D201F842FB3007B6E03 /* securityuploadd */, + 6C4605B81F882B9B001421B6 /* KeychainAnalyticsTests.xctest */, + 0C8BBF081FCB446400580909 /* otctl */, + 478D429C1FD72A8100CAB645 /* secdxctests_mac.xctest */, + EB49B2AE202D877F003F34A0 /* secdmockaks.xctest */, ); name = Products; sourceTree = ""; @@ -13978,6 +14925,8 @@ 4C4296300BB0A68200491999 /* SecTrustSettings.h */, 4C12828C0BB4957D00985BB0 /* SecTrustSettingsPriv.h */, 4C64E00B0B8FBBF3009B306C /* Security.h */, + EB5E3BC62003C66300F1631B /* SecSignpost.h */, + D46246A21F9AE49E00D63882 /* oids.h */, ); name = Security; sourceTree = SOURCE_ROOT; @@ -14002,6 +14951,7 @@ E78A9AD91D34959200006B5B /* NSFileHandle+Formatting.m */, 4C4CB7100DDA44900026B660 /* entitlements.plist */, E7104A0B169E171900DB0045 /* security_tool_commands.c */, + D453C47F1FFD857400DE349B /* security_tool_commands.h */, E7FEFB80169E26E200E18152 /* sub_commands.h */, ); name = "Security2Tool macOS"; @@ -14087,8 +15037,8 @@ 6C34464E1E2534D200F9522B /* AWD */, EBB407AF1EBA433A00A541A5 /* CKKSPowerCollection.h */, EBB407B01EBA433A00A541A5 /* CKKSPowerCollection.m */, - 479108B51EE879F9008CEFA0 /* CKKSAnalyticsLogger.h */, - 479108B61EE879F9008CEFA0 /* CKKSAnalyticsLogger.m */, + 479108B51EE879F9008CEFA0 /* CKKSAnalytics.h */, + 479108B61EE879F9008CEFA0 /* CKKSAnalytics.m */, ); name = Analytics; sourceTree = ""; 
@@ -14112,6 +15062,51 @@ name = AWD; sourceTree = ""; }; + 6C69517B1F758E1000F68F91 /* supd */ = { + isa = PBXGroup; + children = ( + 6C758CAF1F8826100075BD78 /* Tests */, + 6C69517C1F758E1000F68F91 /* supdProtocol.h */, + 6C69517D1F758E1000F68F91 /* supd.h */, + 6C69517E1F758E1000F68F91 /* supd.m */, + 6C6951801F758E1000F68F91 /* main.m */, + 6C6951821F758E1000F68F91 /* Info.plist */, + 6C1260FA1F7D631D001B2EEC /* securityuploadd-ios.plist */, + 6C1260F21F7D5F25001B2EEC /* securityuploadd-osx.plist */, + 6C5B10211F9164F5009B091E /* securityuploadd.8 */, + 6CDB600E1FA92C1700410924 /* securityuploadd-Entitlements.plist */, + ); + path = supd; + sourceTree = ""; + }; + 6C758CAF1F8826100075BD78 /* Tests */ = { + isa = PBXGroup; + children = ( + 6C1A29FC1F882788002312D8 /* SFAnalyticsTests.m */, + 6C758CB01F8826100075BD78 /* SupdTests.m */, + 6C758CB21F8826100075BD78 /* Info.plist */, + ); + path = Tests; + sourceTree = ""; + }; + 6C7BAFFD2006B4D4004D1B6B /* Clients */ = { + isa = PBXGroup; + children = ( + 6C7BB0042006B4EF004D1B6B /* SOSAnalytics.h */, + 6C7BB0032006B4EE004D1B6B /* SOSAnalytics.m */, + ); + path = Clients; + sourceTree = ""; + }; + 6C9AA79F1F7C1D9000D08296 /* supdctl */ = { + isa = PBXGroup; + children = ( + 6C9AA7A01F7C1D9000D08296 /* main.m */, + 6C5B101B1F91613E009B091E /* supdctl-Entitlements.plist */, + ); + path = supdctl; + sourceTree = ""; + }; 6CB5F4771E402D6D00DBF3F0 /* testrunner */ = { isa = PBXGroup; children = ( 
@@ -14170,27 +15165,6 @@ name = "Supporting Files"; sourceTree = ""; }; - 728B56A316D59979008FA3AB /* OTAPKIAssetTool */ = { - isa = PBXGroup; - children = ( - 72CD2BBB16D59AE30064EEE1 /* OTAServiceApp.m */, - 72CD2BBC16D59AE30064EEE1 /* OTAServiceApp.h */, - 72CD2BBD16D59AE30064EEE1 /* OTAServicemain.m */, - 728B56A416D59979008FA3AB /* Supporting Files */, - ); - path = OTAPKIAssetTool; - sourceTree = ""; - }; - 728B56A416D59979008FA3AB /* Supporting Files */ = { - isa = PBXGroup; - children = ( - 5DDD0BDD16D6740E00D6C0D6 /* com.apple.OTAPKIAssetTool.plist */, - 5DDD0BDE16D6740E00D6C0D6 /* OTAPKIAssetTool-entitlements.plist */, - 22C002A31AC9D33100B3469E /* OTAPKIAssetTool.xcconfig */, - ); - name = "Supporting Files"; - sourceTree = ""; - }; 7908507E0CA87CF00083CC4D /* ipc */ = { isa = PBXGroup; children = ( @@ -14257,6 +15231,35 @@ name = "Supporting Files"; sourceTree = ""; }; + BE34059B1FD71BA700933DAC /* Protocol Buffers */ = { + isa = PBXGroup; + children = ( + BE3405A11FD71CC800933DAC /* OTBottle.proto */, + BE3405A51FD720C900933DAC /* OTBottleContents.proto */, + BEB0B0CE1FFC37E3007E6A83 /* OTPrivateKey.proto */, + BEE4B1861FFD57D800777D39 /* OTAuthenticatedCiphertext.proto */, + BE3405A21FD71CDE00933DAC /* derived source */, + ); + name = "Protocol Buffers"; + path = ot/proto; + sourceTree = ""; + }; + BE3405A21FD71CDE00933DAC /* derived source */ = { + isa = PBXGroup; + children = ( + BE3405A41FD71DA600933DAC /* OTBottle.h */, + BE3405A31FD71DA400933DAC /* OTBottle.m */, + BE3405A61FD7210200933DAC /* OTBottleContents.h */, + BE3405A71FD7210300933DAC /* OTBottleContents.m */, + BEB0B0D51FFC3D33007E6A83 /* OTPrivateKey.h */, + BEB0B0D41FFC3D32007E6A83 /* OTPrivateKey.m */, + BEE4B18E1FFD5F9000777D39 /* OTAuthenticatedCiphertext.h */, + BEE4B18F1FFD5F9100777D39 /* OTAuthenticatedCiphertext.m */, + ); + name = "derived source"; + path = source; + sourceTree = ""; + }; BED208E31EDF95BB00753952 /* manifeststresstest */ = { isa = PBXGroup; children = ( 
@@ -14416,12 +15419,12 @@ F621D0801ED6EA4C000EA569 /* authorizationdump */, DC58C4391D77BEA1003C25A4 /* csparser */, 5E10992719A5E55800A60E2B /* ISACLProtectedItems */, - 728B56A316D59979008FA3AB /* OTAPKIAssetTool */, DC5AC1FE1D8364BA00CF422C /* SecurityTool */, DCC78EA21D80860C00865A7C /* SharedWebCredentialAgent */, BE197F2719116FD100BA91D1 /* SharedWebCredentialViewService */, DC0BC5361D8B6ABE00070CB0 /* XPCKeychainSandboxCheck */, DC0BC56E1D8B6E6400070CB0 /* XPCTimeStampingService */, + 6C9AA79F1F7C1D9000D08296 /* supdctl */, ); name = applications; sourceTree = ""; @@ -14560,8 +15563,6 @@ DC0BC6131D8B755200070CB0 /* ckutilities.c */, DC0BC6141D8B755200070CB0 /* ckutilities.h */, DC0BC6151D8B755200070CB0 /* Crypt.h */, - DC0BC6161D8B755200070CB0 /* CryptKitSA.h */, - DC0BC6171D8B755200070CB0 /* CryptKit.h */, DC0BC6181D8B755200070CB0 /* CryptKitAsn1.cpp */, DC0BC6191D8B755200070CB0 /* CryptKitAsn1.h */, DC0BC61A1D8B755200070CB0 /* CryptKitDER.cpp */, @@ -15333,8 +16334,6 @@ DCC78E451D8085FC00865A7C /* SecCTKKeyPriv.h */, DCC78E381D8085FC00865A7C /* SecCertificate.c */, 4CEF4CA70C5551FE00062475 /* SecCertificateInternal.h */, - DCC78E3B1D8085FC00865A7C /* SecCertificatePath.c */, - 4CF41D0A0BBB4022005F3248 /* SecCertificatePath.h */, DCC78E3E1D8085FC00865A7C /* SecCertificateRequest.c */, DCC78E461D8085FC00865A7C /* SecDH.c */, 7940D4110C3ACF9000FDB5D8 /* SecDH.h */, @@ -15387,6 +16386,8 @@ DCC78E7A1D8085FC00865A7C /* SecPasswordGenerate.c */, CDDE9BC31729AB910013B0E8 /* SecPasswordGenerate.h */, DCC78E7E1D8085FC00865A7C /* SecPolicy.c */, + D43DDE581F638061009742A5 /* SecPolicy.list */, + D43DDE511F620F09009742A5 /* SecPolicyChecks.list */, DCC78E811D8085FC00865A7C /* SecPolicyCerts.h */, 4CFBF5F10D5A92E100969BBE /* SecPolicyInternal.h */, DCC78E7F1D8085FC00865A7C /* SecPolicyLeafCallbacks.c */, 
@@ -15411,6 +16412,7 @@ EB6928BF1D9C9C5900062A18 /* SecRecoveryKey.m */, DCC78E9A1D8085FC00865A7C /* SecuritydXPC.c */, DCC78E9B1D8085FC00865A7C /* SecuritydXPC.h */, + D462469C1F9AE45900D63882 /* oids.c */, DCC78E2A1D8085FC00865A7C /* p12import.c */, 79EF5B720D3D6AFE009F5270 /* p12import.h */, DCC78E2C1D8085FC00865A7C /* p12pbegen.c */, @@ -15419,6 +16421,7 @@ 8E02FA691107BE460043545E /* pbkdf2.h */, DCC78E9C1D8085FC00865A7C /* vmdh.c */, 4C7391770B01745000C4CBFA /* vmdh.h */, + 47A05B101FDB5A8B00D0816E /* SFKeychainControl.h */, ); name = src; sourceTree = ""; @@ -15578,6 +16581,7 @@ DC1789A81D77A06800B50D50 /* Resources */, DC1789A41D779E3B00B50D50 /* dummy.cpp */, DC24B5801DA3286D00330B48 /* Security.order */, + DCB332361F467CC200178C30 /* macos_tapi_hacks.h */, ); name = "Security.framework macOS"; sourceTree = ""; @@ -15586,6 +16590,7 @@ isa = PBXGroup; children = ( DC178A311D77A1F500B50D50 /* FDEPrefs.plist */, + D4C263C51F8FF2A9001317EA /* generateErrStrings.pl */, DC178A321D77A1F500B50D50 /* SecDebugErrorMessages.strings */, DC178A331D77A1F500B50D50 /* SecErrorMessages.strings */, DC178A351D77A1F500B50D50 /* framework.sb */, 
@@ -15643,14 +16648,17 @@ DC3502B61E0208BE00BC0587 /* Tests (Local) */ = { isa = PBXGroup; children = ( - DCB5022C1FDA155D008F8E4F /* AutoreleaseTest.c */, - DCB502321FDA155E008F8E4F /* AutoreleaseTest.h */, + DAEE05551FAD3FC500DF27F3 /* AutoreleaseTest.c */, + DAEE055B1FAD3FC600DF27F3 /* AutoreleaseTest.h */, 471024D91E79CB6D00844C09 /* CKKSTests.h */, DC3502B71E0208BE00BC0587 /* CKKSTests.m */, + 0CA4EBF1202B8D1C002B1D96 /* CloudKitKeychainSyncingTestsBase.h */, + 0CA4EBF2202B8D1D002B1D96 /* CloudKitKeychainSyncingTestsBase.m */, DC6593D21ED8DBCE00C19462 /* CKKSTests+API.h */, DC15F79B1E68EAD5003B9A40 /* CKKSTests+API.m */, DC6593C91ED8DA9200C19462 /* CKKSTests+CurrentPointerAPI.m */, DC9A2C5E1EB3F556008FAC27 /* CKKSTests+Coalesce.m */, + DCFABF8D20081E2F001128B5 /* CKKSDeviceStateUploadTests.m */, DCAD9B481F8D95F200C5E2AE /* CloudKitKeychainSyncingFixupTests.m */, DCBF2F7C1F90084D00ED0CA4 /* CKKSTLKSharingTests.m */, DC08D1CB1E64FCC5006237DA /* CKKSSOSTests.m */, @@ -15731,6 +16739,8 @@ DC52EA981D80CC2A00B0A59C /* SecurityTool.c */, DC52EA991D80CC2A00B0A59C /* SecurityTool.h */, DC52EA9A1D80CC2A00B0A59C /* tool_errors.h */, + 473337821FDB29A200E19F30 /* KeychainCheck.h */, + 473337831FDB29A200E19F30 /* KeychainCheck.m */, ); name = "SecurityTool iOS"; path = OSX/sec/SecurityTool; 
@@ -15763,48 +16773,15 @@ DCD067621D8CDE9B007602F1 /* codesigning */, DCD06AA81D8E0D3D007602F1 /* security_utilities */, E7450BB216D42BD4009C07B8 /* Headers */, - DC59E9AB1D91C9CE001BDDF5 /* DER */, DC8834001D8A217200CE0ACA /* ASN1 */, DC0BCC371D8C689C00070CB0 /* utilities */, DCC0800D1CFF7903005C35C8 /* CSSMOID.exp-in */, 4CB7405F0A47498100D641BB /* Security.exp-in */, + EBD8AD632004B45500588BBA /* SecurityCustomSignposts.plist */, ); name = "Security.framework (Shared)"; sourceTree = ""; }; - DC59E9AB1D91C9CE001BDDF5 /* DER */ = { - isa = PBXGroup; - children = ( - DC59E9FD1D91CA0A001BDDF5 /* libDER */, - ); - name = DER; - sourceTree = ""; - }; - DC59E9FD1D91CA0A001BDDF5 /* libDER */ = { - isa = PBXGroup; - children = ( - DC3832C01DB6E69800385F63 /* module.modulemap */, - DC59E9ED1D91CA0A001BDDF5 /* DER_Keys.c */, - DC59E9EE1D91CA0A001BDDF5 /* DER_Keys.h */, - DC59E9EF1D91CA0A001BDDF5 /* asn1Types.h */, - DC59E9F01D91CA0A001BDDF5 /* DER_CertCrl.c */, - DC59E9F11D91CA0A001BDDF5 /* DER_CertCrl.h */, - DC59E9F21D91CA0A001BDDF5 /* DER_Decode.c */, - DC59E9F31D91CA0A001BDDF5 /* DER_Decode.h */, - DC59E9F41D91CA0A001BDDF5 /* DER_Encode.c */, - DC59E9F51D91CA0A001BDDF5 /* DER_Encode.h */, - DC59E9F61D91CA0A001BDDF5 /* libDER_config.h */, - DC59E9F71D91CA0A001BDDF5 /* libDER.h */, - DC59E9F81D91CA0A001BDDF5 /* DER_Digest.h */, - DC59E9F91D91CA0A001BDDF5 /* DER_Digest.c */, - DC59E9FA1D91CA0A001BDDF5 /* oids.c */, - DC1785421D778A7400B50D50 /* oids.h */, - DC59E9FC1D91CA0A001BDDF5 /* oidsPriv.h */, - ); - name = libDER; - path = OSX/libsecurity_keychain/libDER/libDER; - sourceTree = ""; - }; DC5ABD281D832D4C00CF422C /* SecurityTool macOS */ = { isa = PBXGroup; children = ( @@ -16239,6 +17216,8 @@ EB9C1DAA1BDFD0FE00F89272 /* RegressionTests */, 4CE5A55609C7970A00D27A3F /* sslViewer */, 0C2BCBA41D063F7D00ED7A2F /* dtlsEcho */, + 4727FBB81F9918590003AE36 /* secdxctests */, + EB49B2AF202D8780003F34A0 /* secdmockaks */, ); name = tests; sourceTree = ""; 
@@ -16406,6 +17385,10 @@ DC6D2C941DD3B20400BE372D /* keychain */ = { isa = PBXGroup; children = ( + 0C7CEA391FE9CE3900125C79 /* behavior */, + 0C8BBEF61FCB402900580909 /* otctl */, + 0C8BBE831FC9DA1700580909 /* Octagon Trust */, + 0CF0E2DD1F8EE37C00BD18E4 /* Signin Metrics */, EB27FF051E402C3C00EC9E3A /* ckksctl */, 6C34464D1E2534C200F9522B /* Analytics */, BEF88C451EAFFFED00357577 /* TrustedPeers */, @@ -16515,6 +17498,8 @@ 6CC7F5B31E9F99EE0014AE63 /* RateLimiter.m */, DC9C95B21F79CFD1000D19E5 /* CKKSControl.h */, DC9C95B31F79CFD1000D19E5 /* CKKSControl.m */, + DA6AA1641FE88AFA004565B0 /* CKKSControlServer.h */, + DA6AA15E1FE88AF9004565B0 /* CKKSControlServer.m */, ); name = "CloudKit Syncing"; path = ckks; @@ -16557,6 +17542,8 @@ DCA4D2191E569FFE0056214F /* Helpers */ = { isa = PBXGroup; children = ( + EB4E0CD41FF36A1900CDCACC /* CKKSReachabilityTracker.h */, + EB4E0CD51FF36A1900CDCACC /* CKKSReachabilityTracker.m */, DC207EB61ED4EAB600D46873 /* CKKSLockStateTracker.h */, DC207EB71ED4EAB600D46873 /* CKKSLockStateTracker.m */, DCCD88E61E42622200F5AA71 /* CKKSGroupOperation.h */, @@ -17169,6 +18156,7 @@ 7281E08E1DFD0D810021E1B7 /* secd-210-keyinterest.m */, 522B28081E64B48E002B5638 /* secd-230-keybagtable.m */, DCFAEDD11D9998DD005187E4 /* secd-668-ghosts.m */, + 0C5F4FD71F952FEA00AF1616 /* secd-700-sftm.m */, DCC78C791D8085D800865A7C /* SOSAccountTesting.h */, DCC78C7A1D8085D800865A7C /* SecdTestKeychainUtilities.c */, DCC78C7B1D8085D800865A7C /* SecdTestKeychainUtilities.h */, @@ -17191,7 +18179,7 @@ DCC78C811D8085D800865A7C /* entitlements.plist */, DCC78C8E1D8085D800865A7C /* SecDbItem.c */, DCC78C8F1D8085D800865A7C /* SecDbItem.h */, - DCC78C901D8085D800865A7C /* SecDbKeychainItem.c */, + DCC78C901D8085D800865A7C /* SecDbKeychainItem.m */, DCC78C911D8085D800865A7C /* SecDbKeychainItem.h */, DCC78C921D8085D800865A7C /* SecDbQuery.c */, DCC78C931D8085D800865A7C /* SecDbQuery.h */, 
@@ -17220,6 +18208,11 @@ EBC15B1B1DB4306C00126882 /* com.apple.secd.sb */, 526965CB1E6E283100627F9D /* AsymKeybagBackup.h */, 526965CC1E6E283100627F9D /* AsymKeybagBackup.m */, + 470ACEF21F58C3A600D1D5BD /* SecDbKeychainItemV7.h */, + 470ACEF31F58C3A600D1D5BD /* SecDbKeychainItemV7.m */, + 47D1837D1FB1183D00CFCD89 /* SecDbKeychainV7-protobufs */, + 473337771FDAFBCC00E19F30 /* SFKeychainControlManager.h */, + 473337781FDAFBCC00E19F30 /* SFKeychainControlManager.m */, ); name = "securityd iOS"; path = OSX/sec/securityd; @@ -17444,6 +18437,7 @@ DCC78D891D8085F200865A7C /* SOSCloudCircle.m */, DCC78D8A1D8085F200865A7C /* SOSCloudCircle.h */, DCC78D8B1D8085F200865A7C /* SOSCloudCircleInternal.h */, + DCB332371F46804000178C30 /* SOSSysdiagnose.h */, DCC78D8C1D8085F200865A7C /* SOSSysdiagnose.m */, DCC78D8D1D8085F200865A7C /* SOSInternal.m */, DCC78D8E1D8085F200865A7C /* SOSInternal.h */, @@ -17451,6 +18445,8 @@ DCC78D901D8085F200865A7C /* SOSPlatform.h */, EBEEEE351EA31A8300E15F5C /* SOSControlHelper.h */, EBEEEE361EA31A8300E15F5C /* SOSControlHelper.m */, + DAB27ADA1FA29EB700DEBBDE /* SOSControlServer.h */, + DAB27AE01FA29EB800DEBBDE /* SOSControlServer.m */, ); path = SecureObjectSync; sourceTree = ""; @@ -17621,9 +18617,9 @@ DCC78DD81D8085FC00865A7C /* si-60-cms.c */, DCC78DD91D8085FC00865A7C /* si-61-pkcs12.c */, D48F029B1EA1671B00ACC3C9 /* si-61-pkcs12.h */, - DCC78DDA1D8085FC00865A7C /* si-62-csr.c */, + DCC78DDA1D8085FC00865A7C /* si-62-csr.m */, DCC78DDD1D8085FC00865A7C /* si-63-scep */, - DCC78DDE1D8085FC00865A7C /* si-63-scep.c */, + DCC78DDE1D8085FC00865A7C /* si-63-scep.m */, DCC78DDF1D8085FC00865A7C /* si-63-scep.h */, DCC78DE61D8085FC00865A7C /* si-64-ossl-cms */, DCC78DE71D8085FC00865A7C /* si-64-ossl-cms.c */, 
@@ -17652,7 +18648,8 @@ DCC78E081D8085FC00865A7C /* si-85-sectrust-ssl-policy.h */, DCC78E091D8085FC00865A7C /* si-87-sectrust-name-constraints.m */, DCC78E0A1D8085FC00865A7C /* si-87-sectrust-name-constraints.h */, - DCC78E0B1D8085FC00865A7C /* si-89-cms-hash-agility.c */, + BEB9E9E51FFF193D00676593 /* si-88-sectrust-valid.m */, + DCC78E0B1D8085FC00865A7C /* si-89-cms-hash-agility.m */, DCC78E0C1D8085FC00865A7C /* si-89-cms-hash-agility.h */, DCC78E0D1D8085FC00865A7C /* si-90-emcs.m */, DCC78E0E1D8085FC00865A7C /* si-95-cms-basic.c */, @@ -17705,6 +18702,7 @@ DCC78E231D8085FC00865A7C /* scep.c */, DCC78E241D8085FC00865A7C /* SecurityCommands.h */, DCC78E251D8085FC00865A7C /* show_certificates.c */, + D453C38A1FEC669300DE349B /* trust_update.m */, DCC78E261D8085FC00865A7C /* spc.c */, ); name = Security/Tool; @@ -17723,6 +18721,7 @@ 79BDD3940D60D5F9000D84D3 /* libCMS.xcodeproj */, DCC78E321D8085FC00865A7C /* SecAccessControlExports.exp-in */, DCC78E4E1D8085FC00865A7C /* SecExports.exp-in */, + DCD7EE9B1F4F51D9007D9804 /* ios_tapi_hacks.h */, ); name = "Security.framework iOS"; path = OSX/sec/Security; @@ -17747,7 +18746,6 @@ children = ( DC1787441D7790A500B50D50 /* CSCommonPriv.h */, DC1787451D7790A500B50D50 /* SecAssessment.h */, - DC1787461D7790A500B50D50 /* SecCodeHostLib.h */, DC1787471D7790A500B50D50 /* SecCodePriv.h */, DC1787481D7790A500B50D50 /* SecCodeSigner.h */, DC17874B1D7790A500B50D50 /* SecRequirementPriv.h */, @@ -17755,7 +18753,6 @@ DC1785811D778B7F00B50D50 /* CodeSigning.h */, DC1785821D778B7F00B50D50 /* CSCommon.h */, DC1785831D778B7F00B50D50 /* SecCode.h */, - DC1785841D778B8000B50D50 /* SecCodeHost.h */, DC1785851D778B8000B50D50 /* SecRequirement.h */, DC1785861D778B8000B50D50 /* SecStaticCode.h */, DCD068141D8CDF7E007602F1 /* lib */, 
@@ -18228,7 +19225,6 @@ DCD06B3C1D8E0D7D007602F1 /* lib */ = { isa = PBXGroup; children = ( - DCD06AB11D8E0D7D007602F1 /* debugging.h */, DCD06AB21D8E0D7D007602F1 /* FileLockTransaction.cpp */, DCD06AB31D8E0D7D007602F1 /* FileLockTransaction.h */, DCD06AB41D8E0D7D007602F1 /* CSPDLTransaction.cpp */, @@ -18432,7 +19428,7 @@ D43DBED61E99D17100C04AEA /* asynchttp.h */, D43DBED71E99D17100C04AEA /* nameconstraints.c */, D43DBED81E99D17100C04AEA /* nameconstraints.h */, - D43DBED91E99D17100C04AEA /* OTATrustUtilities.c */, + D43DBED91E99D17100C04AEA /* OTATrustUtilities.m */, D43DBEDA1E99D17100C04AEA /* OTATrustUtilities.h */, D43DBEDB1E99D17100C04AEA /* personalization.c */, D43DBEDC1E99D17100C04AEA /* personalization.h */, @@ -18462,7 +19458,7 @@ D43761651EB2996C00954447 /* SecRevocationNetworking.m */, D43DBEF31E99D17300C04AEA /* SecRevocationServer.c */, D43DBEF41E99D17300C04AEA /* SecRevocationServer.h */, - D43DBEF51E99D17300C04AEA /* SecTrustLoggingServer.c */, + D43DBEF51E99D17300C04AEA /* SecTrustLoggingServer.m */, D43DBEF61E99D17300C04AEA /* SecTrustLoggingServer.h */, D43DBEF71E99D17300C04AEA /* SecTrustServer.c */, D43DBEF81E99D17300C04AEA /* SecTrustServer.h */, @@ -19276,6 +20272,8 @@ D4EC94FA1CEA482D0083E753 /* si-20-sectrust-policies-data */, 0C0C88771CCEC5BD00617D1B /* si-82-sectrust-ct-data */, DCE4E72E1D7A436300AFB96E /* si-82-sectrust-ct-logs.plist */, + D4C6C5C71FB2AD3F007EA57E /* si-87-sectrust-name-constraints */, + BEB9EA2E1FFF1AF600676593 /* si-88-sectrust-valid-data */, 4C50ACFB1410671D00EE92DE /* DigiNotar */, 79679E241462028800CF997F /* DigicertMalaysia */, E710C74B1331946500F85568 /* Supporting Files */, 
@@ -19415,6 +20413,42 @@ E7FCBE401314471B000DE34E /* Frameworks */ = { isa = PBXGroup; children = ( + 5A94C6D4203CC2590066E391 /* AuthKit.framework */, + 5A94C6D1203CC1C60066E391 /* AOSAccountsLite.framework */, + 477A1F4C20320E4900ACD81D /* Accounts.framework */, + EB49B2DE202DF286003F34A0 /* CoreFollowUpUI.framework */, + EB49B2DC202DF251003F34A0 /* libbsm.tbd */, + EB49B2CE202DF111003F34A0 /* CoreFollowUp.framework */, + D4119E72202BDF2B0048587B /* libz.tbd */, + 472339681FD7156700CB6A72 /* CoreCDP.framework */, + 472339611FD7155C00CB6A72 /* libprequelite.dylib */, + 47D1838B1FB3827700CFCD89 /* OCMock.framework */, + 4727FBE81F9921D00003AE36 /* libACM.a */, + 4727FBE61F9921890003AE36 /* ApplePushService.framework */, + 4727FBE41F99217A0003AE36 /* SharedWebCredentials.framework */, + 4727FBE21F9921660003AE36 /* MobileKeyBag.framework */, + 4727FBE01F99212F0003AE36 /* IOKit.framework */, + 4727FBDE1F99211D0003AE36 /* libaks.a */, + 4727FBDC1F9920F10003AE36 /* libaks_acl.a */, + 4727FBDA1F9920CB0003AE36 /* WirelessDiagnostics.framework */, + 4727FBD81F9920BB0003AE36 /* SystemConfiguration.framework */, + 4727FBD41F9920510003AE36 /* ProtocolBuffer.framework */, + 4727FBD21F9920290003AE36 /* CloudKit.framework */, + 4727FBD01F991F990003AE36 /* libMobileGestalt.dylib */, + 4727FBCF1F991F820003AE36 /* SecurityFoundation.framework */, + 4727FBCC1F991F660003AE36 /* libsqlite3.dylib */, + 4727FBCA1F991F510003AE36 /* Security.framework */, + 4727FBC41F991C460003AE36 /* Foundation.framework */, + D4C6C5CE1FB3B44C007EA57E /* libarchive.2.dylib */, + D4C6C5CB1FB3B3CC007EA57E /* libarchive.tbd */, + 6CB96BB41F966E0C00E11457 /* libsqlite3.tbd */, + 6CFDC4561F907E1D00646DBB /* libprequelite.tbd */, + D46246911F9AE2E400D63882 /* libDER.a */, + D46246A91F9AE6C900D63882 /* libDER.a */, + D46246AF1F9AE73F00D63882 /* libDER.a */, + D46246C31F9AEA5200D63882 /* libDER.a */, + D46246CE1F9AEAE300D63882 /* libDER.a */, + 0CE98B5B1FA9360700CF1D54 /* libprequelite.tbd */, 
F682C1CE1F4486F600F1B029 /* libctkloginhelper.a */, 5EAFA4CD1EF16059002DC188 /* LocalAuthentication.framework */, D41D36701EB14D87007FA978 /* libDiagnosticMessagesClient.tbd */, @@ -19484,7 +20518,6 @@ E71F3E3016EA69A900FAF9B4 /* SystemConfiguration.framework */, E7FCBE411314471B000DE34E /* UIKit.framework */, E75E498C1C8F76680001A34F /* libASN1.a */, - E75E498A1C8F76360001A34F /* libDER.a */, DC1789121D7798B300B50D50 /* libDiagnosticMessagesClient.dylib */, DC610A3C1D78F25C002223DE /* libDiagnosticMessagesClient.dylib */, DC1789141D77997F00B50D50 /* libOpenScriptingUtil.dylib */, @@ -19587,6 +20620,20 @@ name = secitemstresstest; sourceTree = ""; }; + EB49B2AF202D8780003F34A0 /* secdmockaks */ = { + isa = PBXGroup; + children = ( + 72D1E5F3202FE43C003A38C5 /* secdmock_db_version_10_5.h */, + EB49B2B0202D8780003F34A0 /* secdmockaks.m */, + EB6667BE204CD65E000B404F /* testPlistDER.m */, + EB49B303202FB8DE003F34A0 /* mockaks.h */, + EB49B2E4202DFE7F003F34A0 /* mockaks.m */, + EB49B2B2202D8780003F34A0 /* Info.plist */, + ); + name = secdmockaks; + path = tests/secdmockaks; + sourceTree = ""; + }; EB80211C1D3D9044008540C4 /* Modules */ = { isa = PBXGroup; children = ( @@ -19685,7 +20732,6 @@ isa = PBXHeadersBuildPhase; buildActionMask = 2147483647; files = ( - 225394D31E3083C600D3CD9B /* SecCodeHost.h in Headers */, 225394D41E3083D000D3CD9B /* CodeSigning.h in Headers */, 225394D51E3083DA00D3CD9B /* CSCommon.h in Headers */, 225394D61E3083E300D3CD9B /* SecCode.h in Headers */, @@ -19694,6 +20740,7 @@ 2296B0E61E32EF08000D1EA7 /* requirement.h in Headers */, 2296B0EC1E32EF10000D1EA7 /* cs.h in Headers */, 225394DB1E30864B00D3CD9B /* CSCommonPriv.h in Headers */, + DC926F071F33F7C20012A315 /* SecCodeHost.h in Headers */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -19706,13 +20753,17 @@ 4C32C1250A4976BF002891BD /* SecCertificate.h in Headers */, 4C32C1260A4976BF002891BD /* SecTrust.h in Headers */, 4CF0484C0A5D988F00268236 /* SecItem.h in Headers */, + 6CE3654F1FA100F10012F6AB /* SFAnalyticsDefines.h in Headers */, 4CF048800A5F016300268236 /* SecItemPriv.h in Headers */, 4C999BA60AB5F0BB0010451D /* NtlmGenerator.h in Headers */, 4C999BA80AB5F0BB0010451D /* ntlmBlobPriv.h in Headers */, + EB5E3BCC2003C67A00F1631B /* SecSignpost.h in Headers */, 4C7608B30AC34A8100980096 /* SecCertificatePriv.h in Headers */, + EB10A3E520356E2000E84270 /* OTConstants.h in Headers */, 4CEF4CA80C5551FE00062475 /* SecCertificateInternal.h in Headers */, BE061FE11899ECEE00C739F6 /* SecSharedCredential.h in Headers */, 443381EE18A3D83A00215606 /* SecAccessControlPriv.h in Headers */, + 6CC952491FB4CB2D0051A823 /* SFAnalytics+Internal.h in Headers */, DC3C73541D837B1900F6A832 /* SOSCloudCircle.h in Headers */, 524492941AFD6D480043695A /* der_plist.h in Headers */, DC3C73531D837AF800F6A832 /* SOSPeerInfo.h in Headers */, @@ -19721,12 +20772,15 @@ 4C7072860AC9EA4F007CC205 /* SecKey.h in Headers */, 476541651F339F6300413F65 /* SecdWatchdog.h in Headers */, 4C7072D40AC9ED5A007CC205 /* SecKeyPriv.h in Headers */, + DCD7EE981F4F4DE9007D9804 /* SecBase64.h in Headers */, 4C7073CA0ACB2BAD007CC205 /* SecRSAKey.h in Headers */, EB6928C51D9C9C6E00062A18 /* SecRecoveryKey.h in Headers */, 4C0B906E0ACCBD240077CD03 /* SecFramework.h in Headers */, 4C7391790B01745000C4CBFA /* vmdh.h in Headers */, + 6CDB5FFB1FA78D2C00410924 /* SFAnalyticsMultiSampler.h in Headers */, 4C64E01C0B8FBC71009B306C /* SecIdentity.h in Headers */, 4C64E01D0B8FBC7E009B306C /* Security.h in Headers */, + 0C8BBF211FCB4F1800580909 /* OTControlProtocol.h in Headers */, E7676DB619411DF300498DD4 /* SecServerEncryptionSupport.h in Headers */, F964772C1E5832540019E4EB /* SecCodePriv.h in Headers */, 4C4296320BB0A68200491999 /* SecTrustSettings.h in Headers */, 
@@ -19740,7 +20794,6 @@ 4C1B442D0BB9CAF900461B82 /* SecTrustStore.h in Headers */, DC3C7AB81D838C6F00F6A832 /* oidsalg.h in Headers */, B61F67561F1FCFCA00E2FDBB /* SecPaddingConfigurationsPriv.h in Headers */, - 4CF41D0C0BBB4022005F3248 /* SecCertificatePath.h in Headers */, 4C2F81D50BF121D2003C4F77 /* SecRandom.h in Headers */, ACBAF6EE1E941AE00007BA2F /* transform_regressions.h in Headers */, 7940D4130C3ACF9000FDB5D8 /* SecDH.h in Headers */, 
@@ -19751,36 +20804,42 @@ 4CE7EA791AEAF39C0067F5BD /* SecItemBackup.h in Headers */, 222F23A01DAC1603007ACB90 /* SecTaskPriv.h in Headers */, DC3C7AB51D838C1300F6A832 /* SecAsn1Templates.h in Headers */, + 6CE365511FA100FE0012F6AB /* SFAnalyticsSampler.h in Headers */, 79EF5B6E0D3D6A31009F5270 /* SecImportExport.h in Headers */, 4723C9CA1F152ECE0082882F /* SFSQLiteStatement.h in Headers */, 4CCE0ADA0D41797400DDBB21 /* SecIdentityPriv.h in Headers */, - 4723C9DC1F1540CE0082882F /* SFAnalyticsLogger.h in Headers */, 4CCE0ADE0D4179E500DDBB21 /* SecBasePriv.h in Headers */, - 4CFBF6100D5A951100969BBE /* SecPolicyInternal.h in Headers */, - DC3C7AB91D838C8D00F6A832 /* oids.h in Headers */, + DCD7EE991F4F4E03007D9804 /* ocspTemplates.h in Headers */, 4C87F3A80D611C26000E7104 /* SecTrustPriv.h in Headers */, 79BDD3C20D60DB84000D84D3 /* SecCMS.h in Headers */, DC2C5F4B1F0D935200FEBDA7 /* CKKSControlProtocol.h in Headers */, 107226D30D91DB32003CF14F /* SecTask.h in Headers */, 4C7CE5700DC7DC6600AE53FC /* SecEntitlements.h in Headers */, + 6CE365551FA101730012F6AB /* SFAnalyticsSQLiteStore.h in Headers */, 791766DE0DD0162C00F3B974 /* SecCertificateRequest.h in Headers */, 4C7416040F1D71A2008E0E4D /* SecSCEP.h in Headers */, DC3C72E21D8374D600F6A832 /* SecureTransportPriv.h in Headers */, 4AF7FFFD15AFB73800B9D400 /* SecOTR.h in Headers */, DC3C7AB21D838B6D00F6A832 /* SecureTransport.h in Headers */, + 6CBF65391FA147E500A68667 /* SFAnalyticsActivityTracker.h in Headers */, 4AF7FFFE15AFB73800B9D400 /* SecOTRDHKey.h in Headers */, 4AF7FFFF15AFB73800B9D400 /* SecOTRErrors.h in Headers */, - 4AF7000015AFB73800B9D400 /* SecOTRIdentityPriv.h in Headers */, + 6C73F48F2006B910003D5D63 /* SOSAnalytics.h in Headers */, + DCD7EE9A1F4F5156007D9804 /* oidsocsp.h in Headers */, + BE2AD2B31FDA07EF00739F96 /* OTBottledPeerRecord.h in Headers */, 4AF7000115AFB73800B9D400 /* SecOTRMath.h in Headers */, 4AF7000315AFB73800B9D400 /* SecOTRPacketData.h in Headers */, DC3C7AB31D838BC300F6A832 /* 
CipherSuite.h in Headers */, 4AF7000415AFB73800B9D400 /* SecOTRPackets.h in Headers */, + 6C8CE6C11FA248DA0032ADF0 /* SFAnalyticsActivityTracker+Internal.h in Headers */, DC3C7ABA1D838C9F00F6A832 /* sslTypes.h in Headers */, + 6CE3654B1FA100D00012F6AB /* SFAnalytics.h in Headers */, 4AF7000515AFB73800B9D400 /* SecOTRSession.h in Headers */, D487B9821DFA28DB000410A1 /* SecInternalReleasePriv.h in Headers */, 4AF7000615AFB73800B9D400 /* SecOTRSessionPriv.h in Headers */, EB69AB301BF4348000913AF1 /* SecEMCSPriv.h in Headers */, D47F514C1C3B812500A7CEFE /* SecCFAllocator.h in Headers */, + BEB0B0DB1FFC45C2007E6A83 /* OTPrivateKey+SF.h in Headers */, 8E02FA6B1107BE460043545E /* pbkdf2.h in Headers */, 8ED6F6CA110904E300D2B368 /* SecPBKDF.h in Headers */, 7901791812D51F7200CA4D44 /* SecCmsBase.h in Headers */, @@ -19792,14 +20851,18 @@ 22A23B3D1E3AAC9800C41830 /* SecStaticCode.h in Headers */, 724340BA1ED3FEC800F8F566 /* SecSMIME.h in Headers */, 22A23B3E1E3AAC9800C41830 /* SecRequirement.h in Headers */, - 22A23B3F1E3AAC9800C41830 /* SecCodeHost.h in Headers */, DC9C95BE1F79DC5F000D19E5 /* CKKSControl.h in Headers */, + 0CBFEACC200FCD33009A60E9 /* SFTransactionMetric.h in Headers */, DC3C7AB61D838C2D00F6A832 /* SecAsn1Types.h in Headers */, DC3C73551D837B2C00F6A832 /* SOSPeerInfoPriv.h in Headers */, + D46246A31F9AE59E00D63882 /* oids.h in Headers */, + DCD7EEA41F4F58D7007D9804 /* SecLogging.h in Headers */, + 47A05B161FDB5D9E00D0816E /* SFKeychainControl.h in Headers */, 7901791912D51F7200CA4D44 /* SecCmsContentInfo.h in Headers */, 7901791A12D51F7200CA4D44 /* SecCmsDecoder.h in Headers */, 7901791B12D51F7200CA4D44 /* SecCmsDigestContext.h in Headers */, 7901791C12D51F7200CA4D44 /* SecCmsEncoder.h in Headers */, + 0C8BBF201FCB4F1800580909 /* OTControl.h in Headers */, 7901791D12D51F7200CA4D44 /* SecCmsEnvelopedData.h in Headers */, 7901791E12D51F7200CA4D44 /* SecCmsMessage.h in Headers */, 7901791F12D51F7200CA4D44 /* SecCmsRecipientInfo.h in Headers */, 
@@ -19909,7 +20972,6 @@ DC0BC6721D8B755200070CB0 /* ellipticMeasure.h in Headers */, DC0BC6711D8B755200070CB0 /* elliptic.h in Headers */, DC0BC66E1D8B755200070CB0 /* ECDSA_Profile.h in Headers */, - DC0BC6651D8B755200070CB0 /* CryptKit.h in Headers */, DC0BC69B1D8B755200070CB0 /* platform.h in Headers */, DC0BC6581D8B755200070CB0 /* ckconfig.h in Headers */, DC0BC6831D8B755200070CB0 /* feeFEED.h in Headers */, @@ -19924,7 +20986,6 @@ DC0BC6741D8B755200070CB0 /* ellipticProj.h in Headers */, DC0BC6521D8B755200070CB0 /* byteRep.h in Headers */, DC0BC6851D8B755200070CB0 /* feeFEEDExp.h in Headers */, - DC0BC6641D8B755200070CB0 /* CryptKitSA.h in Headers */, DC0BC6571D8B755200070CB0 /* CipherFileTypes.h in Headers */, DC0BC6691D8B755200070CB0 /* CryptKitDER.h in Headers */, DC0BC65C1D8B755200070CB0 /* ckMD5.h in Headers */, @@ -20261,19 +21322,22 @@ ); runOnlyForDeploymentPostprocessing = 0; }; - DC1785021D77873100B50D50 /* Headers */ = { + DC1789011D77980500B50D50 /* Headers */ = { isa = PBXHeadersBuildPhase; buildActionMask = 2147483647; files = ( + D46246A81F9AE64000D63882 /* oids.h in Headers */, DC1785251D7789AF00B50D50 /* AuthSession.h in Headers */, DC1785211D7789AF00B50D50 /* Authorization.h in Headers */, DC1785221D7789AF00B50D50 /* AuthorizationDB.h in Headers */, DC1785231D7789AF00B50D50 /* AuthorizationPlugin.h in Headers */, DC17875F1D7790E500B50D50 /* AuthorizationPriv.h in Headers */, DC1785241D7789AF00B50D50 /* AuthorizationTags.h in Headers */, + EB5E3BCD2003C67B00F1631B /* SecSignpost.h in Headers */, DC1787601D7790E500B50D50 /* AuthorizationTagsPriv.h in Headers */, DC1785901D778B9D00B50D50 /* CMSDecoder.h in Headers */, DC1785911D778B9D00B50D50 /* CMSEncoder.h in Headers */, + EB10A3FC2035789B00E84270 /* OTConstants.h in Headers */, DC1787591D7790B600B50D50 /* CMSPrivate.h in Headers */, DC1785881D778B8000B50D50 /* CSCommon.h in Headers */, DC17874E1D7790A500B50D50 /* CSCommonPriv.h in Headers */, 
@@ -20289,7 +21353,9 @@ DC17851A1D77895A00B50D50 /* SecAsn1Types.h in Headers */, DC17874F1D7790A500B50D50 /* SecAssessment.h in Headers */, DC1785931D778BEE00B50D50 /* SecBase.h in Headers */, + DC2671071F3E8A0900816EED /* SecECKey.h in Headers */, DC17877C1D77919500B50D50 /* SecBasePriv.h in Headers */, + 0C8BBF231FCB4F1800580909 /* OTControlProtocol.h in Headers */, DC1787741D77915500B50D50 /* SecBreadcrumb.h in Headers */, DC1787761D77916600B50D50 /* SecCFAllocator.h in Headers */, DC1787111D778FA900B50D50 /* SecCMS.h in Headers */, @@ -20311,13 +21377,13 @@ DC17871C1D778FAA00B50D50 /* SecCmsSignedData.h in Headers */, DC17871D1D778FAA00B50D50 /* SecCmsSignerInfo.h in Headers */, DC1785891D778B8000B50D50 /* SecCode.h in Headers */, - DC17858A1D778B8000B50D50 /* SecCodeHost.h in Headers */, - DC1787501D7790A500B50D50 /* SecCodeHostLib.h in Headers */, DC1787511D7790A500B50D50 /* SecCodePriv.h in Headers */, DC1787521D7790A500B50D50 /* SecCodeSigner.h in Headers */, DC1785301D778A0100B50D50 /* SecCustomTransform.h in Headers */, + 0CBFEACD200FCD33009A60E9 /* SFTransactionMetric.h in Headers */, DC1787771D77916A00B50D50 /* SecDH.h in Headers */, DC1785311D778A0100B50D50 /* SecDecodeTransform.h in Headers */, + 6CE365561FA101740012F6AB /* SFAnalyticsSQLiteStore.h in Headers */, DC1785321D778A0100B50D50 /* SecDigestTransform.h in Headers */, DC1785331D778A0100B50D50 /* SecEncodeTransform.h in Headers */, DC1785341D778A0100B50D50 /* SecEncryptTransform.h in Headers */, 
@@ -20333,9 +21399,11 @@ DC1787781D77917100B50D50 /* SecItemBackup.h in Headers */, DC17877F1D7791A800B50D50 /* SecItemPriv.h in Headers */, DC17859D1D778C8000B50D50 /* SecKey.h in Headers */, + 6CC952481FB4CB2C0051A823 /* SFAnalytics+Internal.h in Headers */, DC1787801D7791AD00B50D50 /* SecKeyPriv.h in Headers */, DC1785521D778ACD00B50D50 /* SecKeychain.h in Headers */, DC1785531D778ACD00B50D50 /* SecKeychainItem.h in Headers */, + 0C8BBF221FCB4F1800580909 /* OTControl.h in Headers */, DC1787391D77903700B50D50 /* SecKeychainItemExtendedAttributes.h in Headers */, DC17873A1D77903700B50D50 /* SecKeychainItemPriv.h in Headers */, DC17873B1D77903700B50D50 /* SecKeychainPriv.h in Headers */, @@ -20354,6 +21422,7 @@ DC17873E1D77903700B50D50 /* SecRandomP.h in Headers */, DC1785351D778A0100B50D50 /* SecReadTransform.h in Headers */, DC17873F1D77903700B50D50 /* SecRecoveryPassword.h in Headers */, + 6CE3654C1FA100D10012F6AB /* SFAnalytics.h in Headers */, DC17858B1D778B8000B50D50 /* SecRequirement.h in Headers */, DC1787551D7790A500B50D50 /* SecRequirementPriv.h in Headers */, DC17871E1D778FAA00B50D50 /* SecSMIME.h in Headers */, @@ -20368,6 +21437,7 @@ DC1786F41D778EF800B50D50 /* SecTranslocate.h in Headers */, DC1785A01D778C9400B50D50 /* SecTrust.h in Headers */, DC1787841D7791C900B50D50 /* SecTrustPriv.h in Headers */, + 6CDB5FFC1FA78D2D00410924 /* SFAnalyticsMultiSampler.h in Headers */, DC1785A11D778C9A00B50D50 /* SecTrustSettings.h in Headers */, DC1787851D7791CE00B50D50 /* SecTrustSettingsPriv.h in Headers */, DC1785561D778ACD00B50D50 /* SecTrustedApplication.h in Headers */, 
@@ -20380,6 +21450,7 @@ DC1787411D77903700B50D50 /* TrustSettingsSchema.h in Headers */, D487B9881DFA2902000410A1 /* SecInternalReleasePriv.h in Headers */, DC1787721D77911D00B50D50 /* X509Templates.h in Headers */, + DC926F081F33F7D30012A315 /* SecCodeHost.h in Headers */, DC17876A1D77911D00B50D50 /* asn1Templates.h in Headers */, DC17876B1D77911D00B50D50 /* certExtensionTemplates.h in Headers */, DC1785971D778C0800B50D50 /* certextensions.h in Headers */, @@ -20387,13 +21458,16 @@ DC17876C1D77911D00B50D50 /* csrTemplates.h in Headers */, DC17856C1D778B4A00B50D50 /* cssm.h in Headers */, DC17856D1D778B4A00B50D50 /* cssmaci.h in Headers */, + 6CBF65401FA1480C00A68667 /* SFAnalyticsActivityTracker.h in Headers */, DC17856E1D778B4A00B50D50 /* cssmapi.h in Headers */, DC1785991D778C5300B50D50 /* cssmapple.h in Headers */, DC1787431D77906C00B50D50 /* cssmapplePriv.h in Headers */, DC17856F1D778B4A00B50D50 /* cssmcli.h in Headers */, DC1785701D778B4A00B50D50 /* cssmconfig.h in Headers */, DC1785711D778B4A00B50D50 /* cssmcspi.h in Headers */, + 6C73F4902006B911003D5D63 /* SOSAnalytics.h in Headers */, DC1785721D778B4A00B50D50 /* cssmdli.h in Headers */, + DC337B1F1EA04E2100B3A1F0 /* SecBase64.h in Headers */, DC1785731D778B4A00B50D50 /* cssmerr.h in Headers */, DC1785741D778B4A00B50D50 /* cssmkrapi.h in Headers */, DC1785751D778B4A00B50D50 /* cssmkrspi.h in Headers */, 
@@ -20403,14 +21477,15 @@ DC17877B1D77918C00B50D50 /* der_plist.h in Headers */, DC1785791D778B4A00B50D50 /* eisl.h in Headers */, DC17857A1D778B4A00B50D50 /* emmspi.h in Headers */, + 6C8CE6C21FA248DB0032ADF0 /* SFAnalyticsActivityTracker+Internal.h in Headers */, DC17857B1D778B4A00B50D50 /* emmtype.h in Headers */, DC17876D1D77911D00B50D50 /* keyTemplates.h in Headers */, DC17853D1D778A3100B50D50 /* mds.h in Headers */, DC17853C1D778A3100B50D50 /* mds_schema.h in Headers */, DC1787231D778FC900B50D50 /* mdspriv.h in Headers */, + DC2671001F3E766E00816EED /* SecOTRSession.h in Headers */, DC17876E1D77911D00B50D50 /* nameTemplates.h in Headers */, DC17876F1D77911D00B50D50 /* ocspTemplates.h in Headers */, - DC1785431D778A7400B50D50 /* oids.h in Headers */, DC1785161D77895A00B50D50 /* oidsalg.h in Headers */, DC1785171D77895A00B50D50 /* oidsattr.h in Headers */, DCCBFA391DBAE445001DD54D /* SecInternal.h in Headers */, 
@@ -20422,23 +21497,18 @@ DC1787711D77911D00B50D50 /* secasn1t.h in Headers */, DC1786FC1D778F3D00B50D50 /* sslTypes.h in Headers */, DC17871F1D778FAA00B50D50 /* tsaSupport.h in Headers */, - DC1787201D778FAA00B50D50 /* tsaSupportPriv.h in Headers */, - DC1787211D778FAA00B50D50 /* tsaTemplates.h in Headers */, DC17857F1D778B4A00B50D50 /* x509defs.h in Headers */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; - DC1789011D77980500B50D50 /* Headers */ = { - isa = PBXHeadersBuildPhase; - buildActionMask = 2147483647; - files = ( + DCB3323B1F4681AE00178C30 /* SecOTR.h in Headers */, 4723C9CB1F152ECF0082882F /* SFSQLiteStatement.h in Headers */, + 6CE365501FA100F20012F6AB /* SFAnalyticsDefines.h in Headers */, + 6CE365521FA100FF0012F6AB /* SFAnalyticsSampler.h in Headers */, 4723C9C31F152EB60082882F /* SFObjCType.h in Headers */, + DCB3323C1F46833E00178C30 /* SecLogging.h in Headers */, DC9C95BD1F79DC5A000D19E5 /* CKKSControl.h in Headers */, DC3C73561D837B9B00F6A832 /* SOSPeerInfoPriv.h in Headers */, EB6928C61D9C9C6F00062A18 /* SecRecoveryKey.h in Headers */, - 4723C9DD1F1540CE0082882F /* SFAnalyticsLogger.h in Headers */, 4723C9C71F152EC10082882F /* SFSQLite.h in Headers */, + 47A05B171FDB5D9F00D0816E /* SFKeychainControl.h in Headers */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -20446,19 +21516,23 @@ isa = PBXHeadersBuildPhase; buildActionMask = 2147483647; files = ( + 47922D431FAA7C260008F7E0 /* SecDbKeychainSerializedAKSWrappedKey.h in Headers */, DCFE1C351F17ECE5007640C8 /* CKKSCondition.h in Headers */, 6C3446461E25346C00F9522B /* CKKSRateLimiter.h in Headers */, DC2C5F5E1F0EB97E00FEBDA7 /* CKKSNotifier.h in Headers */, DC5BB4FF1E0C98320010F836 /* CKKSOutgoingQueueOperation.h in Headers */, DC222C651E034D1F00B09171 /* SOSChangeTracker.h in Headers */, + 47922D551FAA7E070008F7E0 /* SecDbKeychainSerializedItemV7.h in Headers */, + 0C770EC21FCF7C9800B5F0E2 /* OTCloudStore.h in Headers */, DC14478B1F5764C600236DB4 /* CKKSResultOperation.h in Headers */, DCFE1C521F1825F7007640C8 /* CKKSUpdateDeviceStateOperation.h in Headers */, DCBDB3BC1E57CA7A00B61300 /* CKKSViewManager.h in Headers */, DC762A9F1E57A86A00B03A2C /* CKKSRecordHolder.h in Headers */, DC1DA65F1E4554620094CE7F /* CKKSScanLocalItemsOperation.h in Headers */, DC222C661E034D1F00B09171 /* SOSEngine.h in Headers */, + 0C8BBF1E1FCB4F0400580909 /* OTControl.h in Headers */, DCB5D93C1E4A9A3400BE22AB /* CKKSSynchronizeOperation.h in Headers */, - 479108B81EE879F9008CEFA0 /* CKKSAnalyticsLogger.h in Headers */, + 479108B81EE879F9008CEFA0 /* CKKSAnalytics.h in Headers */, DC222C671E034D1F00B09171 /* SecDbKeychainItem.h in Headers */, DC222C681E034D1F00B09171 /* SecDbQuery.h in Headers */, DCEA5D561E2826DB0089CF55 /* CKKSSIV.h in Headers */, 
@@ -20466,13 +21540,16 @@ DC222C6A1E034D1F00B09171 /* CKKSZoneStateEntry.h in Headers */, DC94BCCB1F10448600E07CEB /* CloudKitCategories.h in Headers */, DCFE1C281F17E455007640C8 /* CKKSDeviceStateEntry.h in Headers */, + BEE4B1931FFD604B00777D39 /* OTAuthenticatedCiphertext+SF.h in Headers */, DCFB12C61E95A4C000510F5F /* CKKSCKAccountStateTracker.h in Headers */, DC222C6B1E034D1F00B09171 /* SecItemDataSource.h in Headers */, DC7341F41F8447AB00AB9BDF /* CKKSTLKShare.h in Headers */, DC18F7701E43E116006B8B43 /* CKKSFetchAllRecordZoneChangesOperation.h in Headers */, DC222C6C1E034D1F00B09171 /* CKKSIncomingQueueEntry.h in Headers */, + 47922D471FAA7C350008F7E0 /* SecDbKeychainSerializedMetadata.h in Headers */, DC9082C71EA027DC00D0C1C5 /* CKKSZoneChangeFetcher.h in Headers */, DCA4D2161E5684220056214F /* CKKSReencryptOutgoingItemsOperation.h in Headers */, + BEE4B1991FFDAFE600777D39 /* SFPublicKey+SPKI.h in Headers */, DC222C6D1E034D1F00B09171 /* SecItemDb.h in Headers */, DC222C6E1E034D1F00B09171 /* SecItemSchema.h in Headers */, DCAD9B451F8D939C00C5E2AE /* CKKSFixups.h in Headers */, 
@@ -20486,13 +21563,18 @@ DCCD88E91E42622200F5AA71 /* CKKSGroupOperation.h in Headers */, DC15F7671E67A6F6003B9A40 /* CKKSHealKeyHierarchyOperation.h in Headers */, DCD6C4B31EC5302500414FEE /* CKKSNearFutureScheduler.h in Headers */, + 0C8BBF251FCB4FE800580909 /* OTManager.h in Headers */, DCBF2F861F913EF000ED0CA4 /* CKKSHealTLKSharesOperation.h in Headers */, DCE278E91ED7A5B40083B485 /* CKKSUpdateCurrentItemPointerOperation.h in Headers */, + 0C8BBF1F1FCB4F0400580909 /* OTControlProtocol.h in Headers */, DCD662F61E329B6800188186 /* CKKSNewTLKOperation.h in Headers */, DC1447971F5766D200236DB4 /* NSOperationCategories.h in Headers */, DC4DB1511E24692100CD6769 /* CKKSKey.h in Headers */, DCE278DE1ED789EF0083B485 /* CKKSCurrentItemPointer.h in Headers */, + DA6AA1681FE88AFB004565B0 /* CKKSControlServer.h in Headers */, DC222C731E034D1F00B09171 /* CKKSItem.h in Headers */, + 4733377A1FDAFBCC00E19F30 /* SFKeychainControlManager.h in Headers */, + 47922D4B1FAA7C440008F7E0 /* SecDbKeychainSerializedSecretData.h in Headers */, DC7A17EE1E36ABC200EF14CE /* CKKSProcessReceivedKeysOperation.h in Headers */, ); runOnlyForDeploymentPostprocessing = 0; 
@@ -20501,19 +21583,23 @@ isa = PBXHeadersBuildPhase; buildActionMask = 2147483647; files = ( + 47922D421FAA7C240008F7E0 /* SecDbKeychainSerializedAKSWrappedKey.h in Headers */, DCFE1C341F17ECE5007640C8 /* CKKSCondition.h in Headers */, DC1DA65E1E4554620094CE7F /* CKKSScanLocalItemsOperation.h in Headers */, DC2C5F5D1F0EB97E00FEBDA7 /* CKKSNotifier.h in Headers */, DCCD88E81E42622200F5AA71 /* CKKSGroupOperation.h in Headers */, 6CC1859E1E24E8EB009657D8 /* CKKSRateLimiter.h in Headers */, + 47922D541FAA7E060008F7E0 /* SecDbKeychainSerializedItemV7.h in Headers */, + 0C770EBC1FCF7C9800B5F0E2 /* OTCloudStore.h in Headers */, DC14478A1F5764C600236DB4 /* CKKSResultOperation.h in Headers */, DCFE1C511F1825F7007640C8 /* CKKSUpdateDeviceStateOperation.h in Headers */, DCBDB3BB1E57CA7A00B61300 /* CKKSViewManager.h in Headers */, DC762A9E1E57A86A00B03A2C /* CKKSRecordHolder.h in Headers */, DC5BB4FE1E0C98320010F836 /* CKKSOutgoingQueueOperation.h in Headers */, DCB5D93B1E4A9A3400BE22AB /* CKKSSynchronizeOperation.h in Headers */, + 0C8BBF1C1FCB4F0300580909 /* OTControl.h in Headers */, DC52E7E81D80BE8700B0A59C /* SOSChangeTracker.h in Headers */, - 479108B71EE879F9008CEFA0 /* CKKSAnalyticsLogger.h in Headers */, + 479108B71EE879F9008CEFA0 /* CKKSAnalytics.h in Headers */, DC52E7E51D80BE7400B0A59C /* SOSEngine.h in Headers */, DC52E7E41D80BE6E00B0A59C /* SecDbKeychainItem.h in Headers */, DC7A17ED1E36ABC200EF14CE /* CKKSProcessReceivedKeysOperation.h in Headers */, 
@@ -20521,13 +21607,16 @@ DC378B2D1DEF9DF000A3DAFA /* CKKSMirrorEntry.h in Headers */, DC94BCCA1F10448600E07CEB /* CloudKitCategories.h in Headers */, DCFE1C271F17E455007640C8 /* CKKSDeviceStateEntry.h in Headers */, + BEE4B1921FFD604B00777D39 /* OTAuthenticatedCiphertext+SF.h in Headers */, DCFB12C51E95A4C000510F5F /* CKKSCKAccountStateTracker.h in Headers */, DC378B381DEFADB500A3DAFA /* CKKSZoneStateEntry.h in Headers */, DC7341F31F8447AB00AB9BDF /* CKKSTLKShare.h in Headers */, DC52E7E71D80BE8100B0A59C /* SecItemDataSource.h in Headers */, DC18F76F1E43E116006B8B43 /* CKKSFetchAllRecordZoneChangesOperation.h in Headers */, + 47922D461FAA7C340008F7E0 /* SecDbKeychainSerializedMetadata.h in Headers */, DC9082C61EA027DB00D0C1C5 /* CKKSZoneChangeFetcher.h in Headers */, DCA4D2151E5684220056214F /* CKKSReencryptOutgoingItemsOperation.h in Headers */, + BEE4B1981FFDAFE600777D39 /* SFPublicKey+SPKI.h in Headers */, DC378B3C1DF0CA7200A3DAFA /* CKKSIncomingQueueEntry.h in Headers */, DC52E7E61D80BE7B00B0A59C /* SecItemDb.h in Headers */, DCAD9B441F8D939C00C5E2AE /* CKKSFixups.h in Headers */, 
@@ -20541,13 +21630,18 @@ DC6D2C931DD2836500BE372D /* CKKSOutgoingQueueEntry.h in Headers */, DC15F7661E67A6F6003B9A40 /* CKKSHealKeyHierarchyOperation.h in Headers */, DCD6C4B21EC5302500414FEE /* CKKSNearFutureScheduler.h in Headers */, + 0C8BBF241FCB4FE700580909 /* OTManager.h in Headers */, DCBF2F851F913EF000ED0CA4 /* CKKSHealTLKSharesOperation.h in Headers */, DCE278E81ED7A5B40083B485 /* CKKSUpdateCurrentItemPointerOperation.h in Headers */, + 0C8BBF1D1FCB4F0300580909 /* OTControlProtocol.h in Headers */, DCEA5D851E2F14810089CF55 /* CKKSAPSReceiver.h in Headers */, DC1447961F5766D200236DB4 /* NSOperationCategories.h in Headers */, DC4DB1501E24692100CD6769 /* CKKSKey.h in Headers */, DCE278DD1ED789EF0083B485 /* CKKSCurrentItemPointer.h in Headers */, + DA6AA1671FE88AFB004565B0 /* CKKSControlServer.h in Headers */, DCEA5D551E2826DB0089CF55 /* CKKSSIV.h in Headers */, + 473337791FDAFBCC00E19F30 /* SFKeychainControlManager.h in Headers */, + 47922D4A1FAA7C430008F7E0 /* SecDbKeychainSerializedSecretData.h in Headers */, DCDCCB8F1DF7B8D4006E840E /* CKKSItem.h in Headers */, ); runOnlyForDeploymentPostprocessing = 0; @@ -20556,6 +21650,7 @@ isa = PBXHeadersBuildPhase; buildActionMask = 2147483647; files = ( + DCB3325A1F478C4100178C30 /* SOSUserKeygen.h in Headers */, DC52E9071D80C3B300B0A59C /* SOSARCDefines.h in Headers */, 0C48990B1E0E0FF300C6CF70 /* SOSTransportCircleCK.h in Headers */, DC52E9101D80C3EF00B0A59C /* SOSAccountLog.h in Headers */, @@ -20603,6 +21698,9 @@ isa = PBXHeadersBuildPhase; buildActionMask = 2147483647; files = ( + DCB332381F46804600178C30 /* SOSSysdiagnose.h in Headers */, + DCE5DC101EA802DA006308A6 /* secToolFileIO.h in Headers */, + DCE5DC111EA80348006308A6 /* accountCirclesViewsPrint.h in Headers */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -20663,13 +21761,7 @@ isa = PBXHeadersBuildPhase; buildActionMask = 2147483647; files = ( - ); - runOnlyForDeploymentPostprocessing = 0; - }; - DC59E9AD1D91C9DC001BDDF5 /* Headers */ = { - isa = PBXHeadersBuildPhase; - buildActionMask = 2147483647; - files = ( + 47A05B181FDB5DBC00D0816E /* SFKeychainControl.h in Headers */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -21033,7 +22125,6 @@ buildActionMask = 2147483647; files = ( DCEDE3961D80B12600C3826E /* SecTrustInternal.h in Headers */, - DCEDE3951D80B12000C3826E /* secToolFileIO.h in Headers */, DCEDE3941D80B11800C3826E /* SecPasswordGenerate.h in Headers */, DCEDE3931D80B11200C3826E /* SecOTR.h in Headers */, DCEDE3921D80B10E00C3826E /* SecOTRDHKey.h in Headers */, @@ -21046,7 +22137,6 @@ DCC0937E1D80B0A700F984E4 /* SecOTRPacketData.h in Headers */, DCC0937D1D80B09E00F984E4 /* SecOTRPackets.h in Headers */, DCC0937C1D80B09200F984E4 /* SecSignatureVerificationSupport.h in Headers */, - 48C2F93C1E4BD00F0093D70C /* accountCirclesViewsPrint.h in Headers */, DCC0937B1D80B07B00F984E4 /* SecOTRSession.h in Headers */, DCC0937A1D80B07200F984E4 /* SecOTRSessionPriv.h in Headers */, DCC093791D80B02100F984E4 /* SecOnOSX.h in Headers */, @@ -21123,7 +22213,6 @@ DCD068591D8CDF7E007602F1 /* kerneldiskrep.h in Headers */, DCD0685F1D8CDF7E007602F1 /* diskimagerep.h in Headers */, DCD069001D8CDFFE007602F1 /* CharInputBuffer.hpp in Headers */, - DCD068691D8CDF7E007602F1 /* SecCodeHostLib.h in Headers */, DCD068F61D8CDFFE007602F1 /* ANTLRUtil.hpp in Headers */, DCD069161D8CDFFF007602F1 /* SemanticException.hpp in Headers */, DC1002D81D8E1A670025549C /* SecTask.h in Headers */, 
@@ -21212,7 +22301,6 @@ DCD06B821D8E0D7D007602F1 /* utilities.h in Headers */, DCD06B521D8E0D7D007602F1 /* devrandom.h in Headers */, DCD06B751D8E0D7D007602F1 /* threading.h in Headers */, - DCD06B3D1D8E0D7D007602F1 /* debugging.h in Headers */, DCD06B611D8E0D7D007602F1 /* logging.h in Headers */, DCD06B471D8E0D7D007602F1 /* alloc.h in Headers */, DCD06B731D8E0D7D007602F1 /* superblob.h in Headers */, @@ -21223,6 +22311,7 @@ DCD06B951D8E0D7D007602F1 /* vproc++.h in Headers */, DCD06BAA1D8E0D7D007602F1 /* cfmunge.h in Headers */, DCD06B6A1D8E0D7D007602F1 /* seccfobject.h in Headers */, + DC2670F21F3E6EC500816EED /* debugging.h in Headers */, DCD06B411D8E0D7D007602F1 /* CSPDLTransaction.h in Headers */, DCD06B4D1D8E0D7D007602F1 /* daemon.h in Headers */, DCD06BAC1D8E0D7D007602F1 /* cfutilities.h in Headers */, @@ -21273,11 +22362,11 @@ files = ( DCD8A15A1E09EE0F00E4FA0A /* SOSAccountTransaction.h in Headers */, 0CE760561E1316E900B4381E /* SOSAccountTrustClassic+Retirement.h in Headers */, + DC2670FC1F3E72C400816EED /* SOSCircleDer.h in Headers */, 0CE760541E13155100B4381E /* SOSAccountTrustClassic+Circle.h in Headers */, DCD8A15C1E09EE0F00E4FA0A /* SOSBackupSliceKeyBag.h in Headers */, DCD8A15D1E09EE0F00E4FA0A /* SOSCircle.h in Headers */, 0C4899271E0F399B00C6CF70 /* SOSAccountTrustOctagon.h in Headers */, - DCD8A15E1E09EE0F00E4FA0A /* SOSCircleDer.h in Headers */, DCD8A15F1E09EE0F00E4FA0A /* SOSCirclePriv.h in Headers */, DCD8A1601E09EE0F00E4FA0A /* SOSCircleRings.h in Headers */, DCD8A1611E09EE0F00E4FA0A /* SOSCircleV2.h in Headers */, 
@@ -21308,7 +22397,6 @@ DCD8A1861E09EE0F00E4FA0A /* SOSRingPeerInfoUtils.h in Headers */, 0CE760521E1314F700B4381E /* SOSAccountTrustClassic+Identity.h in Headers */, DCD8A1871E09EE0F00E4FA0A /* SOSRingTypes.h in Headers */, - DCD8A1881E09EE0F00E4FA0A /* SOSAccountPriv.h in Headers */, DCD8A1DF1E09F76000E4FA0A /* SOSPeerInfoCollections.h in Headers */, DCD8A1891E09EE0F00E4FA0A /* SOSRingUtils.h in Headers */, DCD8A18A1E09EE0F00E4FA0A /* SOSRingV0.h in Headers */, @@ -21317,7 +22405,6 @@ DCD8A1901E09EE0F00E4FA0A /* SOSAccountTrust.h in Headers */, DCD8A1DE1E09F74700E4FA0A /* SOSPeerInfoV2.h in Headers */, DCD8A1931E09EE0F00E4FA0A /* SOSTypes.h in Headers */, - DCD8A1941E09EE0F00E4FA0A /* SOSUserKeygen.h in Headers */, DCD8A1951E09EE0F00E4FA0A /* SOSViews.h in Headers */, ); runOnlyForDeploymentPostprocessing = 0; @@ -21719,7 +22806,6 @@ DC00ABD11D821F1A00513D74 /* PBXTargetDependency */, DC00ABD31D821F1D00513D74 /* PBXTargetDependency */, DCD8A1EF1E09F8BC00E4FA0A /* PBXTargetDependency */, - DC59EA901D91CDC6001BDDF5 /* PBXTargetDependency */, DC65E75A1D8CB48900152EF0 /* PBXTargetDependency */, DC59E9A91D91C7CC001BDDF5 /* PBXTargetDependency */, DC65E75C1D8CB49200152EF0 /* PBXTargetDependency */, 
@@ -21766,6 +22852,47 @@ productReference = 0C2BCBCE1D0648D100ED7A2F /* dtlsEchoServer */; productType = "com.apple.product-type.tool"; }; + 0C85DFD11FB38BB6000343A7 /* OTTests */ = { + isa = PBXNativeTarget; + buildConfigurationList = 0C85E0001FB38BB6000343A7 /* Build configuration list for PBXNativeTarget "OTTests" */; + buildPhases = ( + 0C85DFE21FB38BB6000343A7 /* Sources */, + 0C85DFE51FB38BB6000343A7 /* Frameworks */, + 0C85DFFD1FB38BB6000343A7 /* Embed OCMock */, + 0C85DFFF1FB38BB6000343A7 /* ShellScript */, + ); + buildRules = ( + ); + dependencies = ( + 0C85DFD41FB38BB6000343A7 /* PBXTargetDependency */, + 0C85DFD81FB38BB6000343A7 /* PBXTargetDependency */, + 0C85DFDA1FB38BB6000343A7 /* PBXTargetDependency */, + 0C85DFDC1FB38BB6000343A7 /* PBXTargetDependency */, + 0C85DFDE1FB38BB6000343A7 /* PBXTargetDependency */, + 0C85DFE01FB38BB6000343A7 /* PBXTargetDependency */, + ); + name = OTTests; + productName = CKKSTests; + productReference = 0C85E0031FB38BB6000343A7 /* OTTests.xctest */; + productType = "com.apple.product-type.bundle.unit-test"; + }; + 0C8BBEFD1FCB446400580909 /* otctl */ = { + isa = PBXNativeTarget; + buildConfigurationList = 0C8BBF051FCB446400580909 /* Build configuration list for PBXNativeTarget "otctl" */; + buildPhases = ( + 0C8BBEFE1FCB446400580909 /* Sources */, + 0C8BBF021FCB446400580909 /* Frameworks */, + 0C8BBF041FCB446400580909 /* CopyFiles */, + ); + buildRules = ( + ); + dependencies = ( + ); + name = otctl; + productName = ckksctl; + productReference = 0C8BBF081FCB446400580909 /* otctl */; + productType = "com.apple.product-type.tool"; + }; 225394AC1E3080A600D3CD9B /* security_codesigning_ios */ = { isa = PBXNativeTarget; buildConfigurationList = 225394B11E3080A600D3CD9B /* Build configuration list for PBXNativeTarget "security_codesigning_ios" */; 
@@ -21818,6 +22945,27 @@ productReference = 470415CF1E5E14B5001F3D95 /* seckeychainnetworkextensionstest */; productType = "com.apple.product-type.tool"; }; + 4727FBB61F9918580003AE36 /* secdxctests_ios */ = { + isa = PBXNativeTarget; + buildConfigurationList = 4727FBC31F9918590003AE36 /* Build configuration list for PBXNativeTarget "secdxctests_ios" */; + buildPhases = ( + 4727FBB31F9918580003AE36 /* Sources */, + 4727FBB41F9918580003AE36 /* Frameworks */, + 4727FBB51F9918580003AE36 /* Resources */, + ); + buildRules = ( + ); + dependencies = ( + 47DE88D91FA7ADBB00DD3254 /* PBXTargetDependency */, + 47DE88D71FA7ADAC00DD3254 /* PBXTargetDependency */, + 47DE88D51FA7AD7000DD3254 /* PBXTargetDependency */, + 47DE88CE1FA7AD6200DD3254 /* PBXTargetDependency */, + ); + name = secdxctests_ios; + productName = secdxctests; + productReference = 4727FBB71F9918580003AE36 /* secdxctests_ios.xctest */; + productType = "com.apple.product-type.bundle.unit-test"; + }; 47702B1D1E5F409700B29577 /* seckeychainnetworkextensionsystemdaemontest */ = { isa = PBXNativeTarget; buildConfigurationList = 47702B221E5F409700B29577 /* Build configuration list for PBXNativeTarget "seckeychainnetworkextensionsystemdaemontest" */; 
@@ -21852,6 +23000,30 @@ productReference = 47702B2E1E5F492C00B29577 /* seckeychainnetworkextensionunauthorizedaccesstest */; productType = "com.apple.product-type.tool"; }; + 478D426C1FD72A8100CAB645 /* secdxctests_mac */ = { + isa = PBXNativeTarget; + buildConfigurationList = 478D42991FD72A8100CAB645 /* Build configuration list for PBXNativeTarget "secdxctests_mac" */; + buildPhases = ( + 478D42751FD72A8100CAB645 /* Sources */, + 478D427D1FD72A8100CAB645 /* Frameworks */, + 478D42981FD72A8100CAB645 /* Resources */, + ); + buildRules = ( + ); + dependencies = ( + DC34CD3620326C3B00302481 /* PBXTargetDependency */, + DC34CD3420326C3100302481 /* PBXTargetDependency */, + DC34CD2D20326C2C00302481 /* PBXTargetDependency */, + 478D426D1FD72A8100CAB645 /* PBXTargetDependency */, + 478D426F1FD72A8100CAB645 /* PBXTargetDependency */, + 478D42711FD72A8100CAB645 /* PBXTargetDependency */, + 478D42731FD72A8100CAB645 /* PBXTargetDependency */, + ); + name = secdxctests_mac; + productName = secdxctests; + productReference = 478D429C1FD72A8100CAB645 /* secdxctests_mac.xctest */; + productType = "com.apple.product-type.bundle.unit-test"; + }; 47C51B831EEA657D0032D9E5 /* SecurityUnitTests */ = { isa = PBXNativeTarget; buildConfigurationList = 47C51B931EEA657D0032D9E5 /* Build configuration list for PBXNativeTarget "SecurityUnitTests" */; @@ -21876,6 +23048,7 @@ buildPhases = ( 4C32C0AA0A4975F6002891BD /* Headers */, E73288DD1AED7215008CE839 /* Copy SecureObjectSync Headers */, + D4C263C41F8FEAA8001317EA /* Run Script Generate Error Strings */, 4C32C0AB0A4975F6002891BD /* Resources */, 4C32C0AC0A4975F6002891BD /* Sources */, 4C32C0AD0A4975F6002891BD /* Frameworks */, @@ -21886,7 +23059,6 @@ ); dependencies = ( DC59E9A61D91C710001BDDF5 /* PBXTargetDependency */, - DC59EA761D91CC5E001BDDF5 /* PBXTargetDependency */, DCD22D7D1D8CCA18001C9B81 /* PBXTargetDependency */, DCD22D7B1D8CCA07001C9B81 /* PBXTargetDependency */, DCD8A19C1E09EEA200E4FA0A /* PBXTargetDependency */, 
@@ -21934,7 +23106,6 @@ buildRules = ( ); dependencies = ( - DC59EA841D91CD2C001BDDF5 /* PBXTargetDependency */, DC00ABAA1D821DE600513D74 /* PBXTargetDependency */, DC00ABAC1D821DE700513D74 /* PBXTargetDependency */, DCD8A1FB1E09F99700E4FA0A /* PBXTargetDependency */, @@ -22075,7 +23246,6 @@ dependencies = ( D40B6A861E2B5F7600CD6EE5 /* PBXTargetDependency */, DC89998B1E410DBF00E6E604 /* PBXTargetDependency */, - DC59EA8D1D91CDB9001BDDF5 /* PBXTargetDependency */, DC65E7561D8CB47600152EF0 /* PBXTargetDependency */, DC00ABC91D821F0200513D74 /* PBXTargetDependency */, DCD8A1E61E09F81300E4FA0A /* PBXTargetDependency */, @@ -22087,6 +23257,23 @@ productReference = 5EBE247A1B00CCAE0007DB0E /* secacltests */; productType = "com.apple.product-type.tool"; }; + 6C46056B1F882B9B001421B6 /* KeychainAnalyticsTests */ = { + isa = PBXNativeTarget; + buildConfigurationList = 6C4605B51F882B9B001421B6 /* Build configuration list for PBXNativeTarget "KeychainAnalyticsTests" */; + buildPhases = ( + 6C46057A1F882B9B001421B6 /* Sources */, + 6C46059B1F882B9B001421B6 /* Frameworks */, + ); + buildRules = ( + ); + dependencies = ( + 6C9A49B21FAB647D00239D58 /* PBXTargetDependency */, + ); + name = KeychainAnalyticsTests; + productName = CKKSTests; + productReference = 6C4605B81F882B9B001421B6 /* KeychainAnalyticsTests.xctest */; + productType = "com.apple.product-type.bundle.unit-test"; + }; 6C98082C1E788AEB00E70590 /* CKKSCloudKitTests_mac */ = { isa = PBXNativeTarget; buildConfigurationList = 6C98085E1E788AEB00E70590 /* Build configuration list for PBXNativeTarget "CKKSCloudKitTests_mac" */; @@ -22098,7 +23285,6 @@ buildRules = ( ); dependencies = ( - 6C98082D1E788AEB00E70590 /* PBXTargetDependency */, 6C98082F1E788AEB00E70590 /* PBXTargetDependency */, 6C9808311E788AEB00E70590 /* PBXTargetDependency */, 6C9808351E788AEB00E70590 /* PBXTargetDependency */, 
@@ -22124,7 +23310,6 @@ ); dependencies = ( 6C9808A41E788CB100E70590 /* PBXTargetDependency */, - 6C9808691E788AFD00E70590 /* PBXTargetDependency */, 6C98086B1E788AFD00E70590 /* PBXTargetDependency */, 6C98086D1E788AFD00E70590 /* PBXTargetDependency */, 6C9808711E788AFD00E70590 /* PBXTargetDependency */, @@ -22137,6 +23322,41 @@ productReference = 6C98089D1E788AFD00E70590 /* CKKSCloudKitTests.xctest */; productType = "com.apple.product-type.bundle.unit-test"; }; + 6C9AA79D1F7C1D8F00D08296 /* supdctl */ = { + isa = PBXNativeTarget; + buildConfigurationList = 6C9AA7A21F7C1D9000D08296 /* Build configuration list for PBXNativeTarget "supdctl" */; + buildPhases = ( + 6C9AA79A1F7C1D8F00D08296 /* Sources */, + 6C9AA79B1F7C1D8F00D08296 /* Frameworks */, + 6C9AA79C1F7C1D8F00D08296 /* CopyFiles */, + ); + buildRules = ( + ); + dependencies = ( + ); + name = supdctl; + productName = supdctl; + productReference = 6C9AA79E1F7C1D8F00D08296 /* supdctl */; + productType = "com.apple.product-type.tool"; + }; + 6CAA8D1F1F842FB3007B6E03 /* securityuploadd */ = { + isa = PBXNativeTarget; + buildConfigurationList = 6CAA8D241F842FB4007B6E03 /* Build configuration list for PBXNativeTarget "securityuploadd" */; + buildPhases = ( + 6CAA8D1C1F842FB3007B6E03 /* Sources */, + 6CAA8D1D1F842FB3007B6E03 /* Frameworks */, + 6CAA8D1E1F842FB3007B6E03 /* Copy Manpage */, + 6CAA8D361F84317F007B6E03 /* Install launchd plist */, + ); + buildRules = ( + ); + dependencies = ( + ); + name = securityuploadd; + productName = supd; + productReference = 6CAA8D201F842FB3007B6E03 /* securityuploadd */; + productType = "com.apple.product-type.tool"; + }; 6CCDF7831E3C25FA003F2555 /* KeychainEntitledTestRunner */ = { isa = PBXNativeTarget; buildConfigurationList = 6CCDF7881E3C25FB003F2555 /* Build configuration list for PBXNativeTarget "KeychainEntitledTestRunner" */; 
@@ -22189,23 +23409,6 @@ productReference = 6CF4A0E01E4549F200ECD7B5 /* KeychainEntitledTestApp.app */; productType = "com.apple.product-type.application"; }; - 728B56A016D59979008FA3AB /* OTAPKIAssetTool */ = { - isa = PBXNativeTarget; - buildConfigurationList = 728B56AB16D59979008FA3AB /* Build configuration list for PBXNativeTarget "OTAPKIAssetTool" */; - buildPhases = ( - 728B569D16D59979008FA3AB /* Sources */, - 728B569E16D59979008FA3AB /* Frameworks */, - 22C002A21AC9D2D100B3469E /* ShellScript */, - ); - buildRules = ( - ); - dependencies = ( - ); - name = OTAPKIAssetTool; - productName = OTAPKIAssetTool; - productReference = 728B56A116D59979008FA3AB /* OTAPKIAssetTool */; - productType = "com.apple.product-type.tool"; - }; 790851B50CA9859F0083CC4D /* securityd_ios */ = { isa = PBXNativeTarget; buildConfigurationList = 790851C90CA985C10083CC4D /* Build configuration list for PBXNativeTarget "securityd_ios" */; @@ -22218,7 +23421,6 @@ buildRules = ( ); dependencies = ( - DC59EA7D1D91CCAA001BDDF5 /* PBXTargetDependency */, DC65E7291D8CB2F400152EF0 /* PBXTargetDependency */, D40B6A7F1E2B5F3D00CD6EE5 /* PBXTargetDependency */, DC52E84B1D80BF1100B0A59C /* PBXTargetDependency */, @@ -22385,7 +23587,6 @@ dependencies = ( D41257E81E941AD200781F23 /* PBXTargetDependency */, D41257E61E941ACC00781F23 /* PBXTargetDependency */, - D41257E41E941A8400781F23 /* PBXTargetDependency */, ); name = trustd_ios; productName = trustd_ios; 
@@ -22841,31 +24042,14 @@ productReference = DC0BCD481D8C694700070CB0 /* libutilitiesRegressions.a */; productType = "com.apple.product-type.library.static"; }; - DC1785041D77873100B50D50 /* copyHeadersToSystem */ = { - isa = PBXNativeTarget; - buildConfigurationList = DC17850A1D77873200B50D50 /* Build configuration list for PBXNativeTarget "copyHeadersToSystem" */; - buildPhases = ( - DC1785021D77873100B50D50 /* Headers */, - DC1785031D77873100B50D50 /* Resources */, - DC17886F1D77934100B50D50 /* Copy SecurityObjectSync Headers */, - DC1788D81D7793C000B50D50 /* Unifdef RC_HIDE_J79/J80 */, - ); - buildRules = ( - ); - dependencies = ( - ); - name = copyHeadersToSystem; - productName = copyHeadersToSystem; - productReference = DC1785051D77873100B50D50 /* Security.framework */; - productType = "com.apple.product-type.framework"; - }; DC1789031D77980500B50D50 /* Security_osx */ = { isa = PBXNativeTarget; buildConfigurationList = DC17890D1D77980500B50D50 /* Build configuration list for PBXNativeTarget "Security_osx" */; buildPhases = ( + DC1789011D77980500B50D50 /* Headers */, + DCF7F5D11F69AC28001042E9 /* Copy SecureObjectSync Headers */, DC1788FF1D77980500B50D50 /* Sources */, DC1789001D77980500B50D50 /* Frameworks */, - DC1789011D77980500B50D50 /* Headers */, DC1789A71D779E7E00B50D50 /* Run Script Generate Strings */, DC1789021D77980500B50D50 /* Resources */, DC1789E81D77A0E700B50D50 /* CopyFiles */, @@ -22876,10 +24060,8 @@ ); dependencies = ( DCD8A1FE1E09FA1800E4FA0A /* PBXTargetDependency */, - DC0B62961D90B6DB00D43BCB /* PBXTargetDependency */, DCC5BF381D937329008D1E84 /* PBXTargetDependency */, DC1789791D779C6700B50D50 /* PBXTargetDependency */, - DC59EA791D91CC78001BDDF5 /* PBXTargetDependency */, DC0BCDB71D8C6AD100070CB0 /* PBXTargetDependency */, DCB340191D8A248C0054D16E /* PBXTargetDependency */, DCD66DC31D82056C00DB1393 /* PBXTargetDependency */, 
@@ -22928,7 +24110,6 @@ DC222C381E034D1F00B09171 /* Sources */, DC222C631E034D1F00B09171 /* Frameworks */, DC222C641E034D1F00B09171 /* Headers */, - 6C0B0C481E2537E2007F95E5 /* CopyFiles */, ); buildRules = ( DC9FD3221F85877000C8AAC8 /* PBXBuildRule */, @@ -22953,7 +24134,6 @@ buildRules = ( ); dependencies = ( - DC3502C71E020D5600BC0587 /* PBXTargetDependency */, DC3502C41E020D4D00BC0587 /* PBXTargetDependency */, DC3502CE1E020E2200BC0587 /* PBXTargetDependency */, DC0984F71E1DB6D400140ADC /* PBXTargetDependency */, @@ -23228,24 +24408,6 @@ productReference = DC58C4231D77BDEA003C25A4 /* csparser.bundle */; productType = "com.apple.product-type.bundle"; }; - DC59E9AC1D91C9DC001BDDF5 /* DER_not_installed */ = { - isa = PBXNativeTarget; - buildConfigurationList = DC59E9E91D91C9DC001BDDF5 /* Build configuration list for PBXNativeTarget "DER_not_installed" */; - buildPhases = ( - DC71DA011D95BD670065FB93 /* Why is this here? */, - DC59E9AD1D91C9DC001BDDF5 /* Headers */, - DC59E9D01D91C9DC001BDDF5 /* Sources */, - DC59E9E81D91C9DC001BDDF5 /* Frameworks */, - ); - buildRules = ( - ); - dependencies = ( - ); - name = DER_not_installed; - productName = libsecurityd_client_macos; - productReference = DC59E9EC1D91C9DC001BDDF5 /* libDER_not_installed.a */; - productType = "com.apple.product-type.library.static"; - }; DC5ABDC41D832DAB00CF422C /* securitytool_macos */ = { isa = PBXNativeTarget; buildConfigurationList = DC5ABDC91D832DAB00CF422C /* Build configuration list for PBXNativeTarget "securitytool_macos" */; @@ -23301,7 +24463,6 @@ dependencies = ( DC0BB4441ED4D74A0035F886 /* PBXTargetDependency */, DC65E7601D8CB4A300152EF0 /* PBXTargetDependency */, - DC59EA931D91CDD6001BDDF5 /* PBXTargetDependency */, DC65E7621D8CB4AA00152EF0 /* PBXTargetDependency */, DC00ABE21D821F6000513D74 /* PBXTargetDependency */, DC00ABE01D821F5C00513D74 /* PBXTargetDependency */, 
@@ -23309,6 +24470,7 @@ D40B6A921E2B678D00CD6EE5 /* PBXTargetDependency */, DC00ABE41D821F6200513D74 /* PBXTargetDependency */, DCD22D671D8CC387001C9B81 /* PBXTargetDependency */, + DCB332471F47857D00178C30 /* PBXTargetDependency */, DC65E7641D8CB4B100152EF0 /* PBXTargetDependency */, DCD22D691D8CC3A6001C9B81 /* PBXTargetDependency */, ); @@ -23502,7 +24664,6 @@ buildRules = ( ); dependencies = ( - DC59EA991D91CE8C001BDDF5 /* PBXTargetDependency */, ); name = security_keychain; productName = libsecurityd_client_macos; @@ -23730,7 +24891,7 @@ ); dependencies = ( DC65E7541D8CB46100152EF0 /* PBXTargetDependency */, - DC59EA8A1D91CD89001BDDF5 /* PBXTargetDependency */, + DC2671101F3E933700816EED /* PBXTargetDependency */, DC52EE631D80D7D900B0A59C /* PBXTargetDependency */, DCB345B31D8A361F0054D16E /* PBXTargetDependency */, DC63CAFA1D91A16700C03317 /* PBXTargetDependency */, @@ -23754,7 +24915,6 @@ buildRules = ( ); dependencies = ( - DC59EA961D91CDEE001BDDF5 /* PBXTargetDependency */, DC65E7661D8CB4C200152EF0 /* PBXTargetDependency */, DC65E7681D8CB4CB00152EF0 /* PBXTargetDependency */, DCE4E7D81D7A4B3500AFB96E /* PBXTargetDependency */, @@ -23780,7 +24940,6 @@ ); dependencies = ( DCD8A2071E09FB1F00E4FA0A /* PBXTargetDependency */, - DC71DA091D95BEE00065FB93 /* PBXTargetDependency */, DC71DA031D95BDEA0065FB93 /* PBXTargetDependency */, DC00AB721D821C4600513D74 /* PBXTargetDependency */, DC00AB741D821C4800513D74 /* PBXTargetDependency */, @@ -23808,7 +24967,6 @@ ); dependencies = ( D40B6A811E2B5F4700CD6EE5 /* PBXTargetDependency */, - DC71DA0B1D95BEF60065FB93 /* PBXTargetDependency */, DC71DA051D95BDF90065FB93 /* PBXTargetDependency */, DC65E72C1D8CB31200152EF0 /* PBXTargetDependency */, ); @@ -24012,7 +25170,6 @@ buildRules = ( ); dependencies = ( - DC59EA871D91CD76001BDDF5 /* PBXTargetDependency */, DC00ABBB1D821E9B00513D74 /* PBXTargetDependency */, DC00ABBD1D821E9F00513D74 /* PBXTargetDependency */, DCD8A1F51E09F91F00E4FA0A /* PBXTargetDependency */, 
@@ -24086,7 +25243,6 @@ DC00AB9E1D821DBB00513D74 /* PBXTargetDependency */, DCD8A1F81E09F97300E4FA0A /* PBXTargetDependency */, DC65E7401D8CB3CD00152EF0 /* PBXTargetDependency */, - DC59EA811D91CD16001BDDF5 /* PBXTargetDependency */, DC65E7421D8CB3D400152EF0 /* PBXTargetDependency */, ); name = KeychainCircleTests; @@ -24143,7 +25299,6 @@ EBFBC2B41E76586700A34469 /* PBXTargetDependency */, EBFBC2B61E76587800A34469 /* PBXTargetDependency */, EB108F1F1E6CE4D2003B0456 /* PBXTargetDependency */, - EBFBC2B81E76588200A34469 /* PBXTargetDependency */, EBFBC2BA1E76588A00A34469 /* PBXTargetDependency */, ); name = KCPairingTests; @@ -24217,6 +25372,23 @@ productReference = EB433A281CC3243600A7EACE /* secitemstresstest */; productType = "com.apple.product-type.tool"; }; + EB49B2AD202D877F003F34A0 /* secdmockaks */ = { + isa = PBXNativeTarget; + buildConfigurationList = EB49B2BA202D8780003F34A0 /* Build configuration list for PBXNativeTarget "secdmockaks" */; + buildPhases = ( + EB49B2AA202D877F003F34A0 /* Sources */, + EB49B2AB202D877F003F34A0 /* Frameworks */, + EB49B30E202FF484003F34A0 /* Embedded OCMock */, + ); + buildRules = ( + ); + dependencies = ( + ); + name = secdmockaks; + productName = secdmockaks; + productReference = EB49B2AE202D877F003F34A0 /* secdmockaks.xctest */; + productType = "com.apple.product-type.bundle.unit-test"; + }; EB9C1D791BDFD0E000F89272 /* secbackupntest */ = { isa = PBXNativeTarget; buildConfigurationList = EB9C1DA91BDFD0E100F89272 /* Build configuration list for PBXNativeTarget "secbackupntest" */; @@ -24293,6 +25465,7 @@ buildRules = ( ); dependencies = ( + DCE5DC171EA804E5006308A6 /* PBXTargetDependency */, 0C10C93C1DD548BD000602A8 /* PBXTargetDependency */, 0C10C93A1DD548B6000602A8 /* PBXTargetDependency */, ); 
@@ -24350,6 +25523,10 @@ CreatedOnToolsVersion = 9.0; ProvisioningStyle = Automatic; }; + 4727FBB61F9918580003AE36 = { + CreatedOnToolsVersion = 9.1; + ProvisioningStyle = Automatic; + }; 47702B1D1E5F409700B29577 = { CreatedOnToolsVersion = 9.0; ProvisioningStyle = Automatic; @@ -24358,6 +25535,9 @@ CreatedOnToolsVersion = 9.0; ProvisioningStyle = Automatic; }; + 478D426C1FD72A8100CAB645 = { + ProvisioningStyle = Automatic; + }; 47C51B831EEA657D0032D9E5 = { CreatedOnToolsVersion = 9.0; }; @@ -24370,6 +25550,14 @@ 6C9808681E788AFD00E70590 = { TestTargetID = 6CF4A0DF1E4549F200ECD7B5; }; + 6C9AA79D1F7C1D8F00D08296 = { + CreatedOnToolsVersion = 9.0; + ProvisioningStyle = Automatic; + }; + 6CAA8D1F1F842FB3007B6E03 = { + CreatedOnToolsVersion = 9.0; + ProvisioningStyle = Automatic; + }; 6CCDF7831E3C25FA003F2555 = { CreatedOnToolsVersion = 8.3; ProvisioningStyle = Automatic; @@ -24423,10 +25611,6 @@ CreatedOnToolsVersion = 8.0; ProvisioningStyle = Automatic; }; - DC1785041D77873100B50D50 = { - CreatedOnToolsVersion = 8.0; - ProvisioningStyle = Automatic; - }; DC1789031D77980500B50D50 = { CreatedOnToolsVersion = 8.0; ProvisioningStyle = Automatic; @@ -24545,6 +25729,10 @@ CreatedOnToolsVersion = 8.3; ProvisioningStyle = Automatic; }; + EB49B2AD202D877F003F34A0 = { + CreatedOnToolsVersion = 9.3; + ProvisioningStyle = Automatic; + }; EB6A6FA81B90F83A0045DC68 = { CreatedOnToolsVersion = 7.0; }; @@ -24629,7 +25817,6 @@ DC8E04991D7F6D9C006D80EB /* ====== Frameworks ======== */, 4C32C0AE0A4975F6002891BD /* Security_ios */, DC1789031D77980500B50D50 /* Security_osx */, - DC1785041D77873100B50D50 /* copyHeadersToSystem */, E7D847C41C6BE9710025BB44 /* KeychainCircle */, BEF88C271EAFFC3F00357577 /* TrustedPeers */, DC8E04911D7F6CED006D80EB /* ======= Daemons ========= */, 
@@ -24637,6 +25824,7 @@ DCE4E7F51D7A4DA800AFB96E /* secd */, 790851B50CA9859F0083CC4D /* securityd_ios */, DC5AC04F1D8352D900CF422C /* securityd_macos */, + 6CAA8D1F1F842FB3007B6E03 /* securityuploadd */, D41257CE1E9410A300781F23 /* trustd_ios */, DCE4E82D1D7A57AE00AFB96E /* trustd_macos */, 52D82BDD16A621F70078DFE5 /* CloudKeychainProxy */, @@ -24672,7 +25860,6 @@ 225394AC1E3080A600D3CD9B /* security_codesigning_ios */, DC8834011D8A218F00CE0ACA /* ASN1_not_installed */, DC71D99F1D95BA6C0065FB93 /* ASN1 */, - DC59E9AC1D91C9DC001BDDF5 /* DER_not_installed */, DCF782BA1D88B44300E694BB /* ==== macOS Libraries ====== */, DCF7830A1D88B4DE00E694BB /* security_apple_csp */, DCF785021D88B95500E694BB /* security_apple_cspdl */, @@ -24713,8 +25900,10 @@ 4C52D0B316EFC61E0079966E /* CircleJoinRequested */, F93C49021AB8FCE00047E01A /* ckcdiagnose.sh */, EBF374711DC055580065D840 /* security-sysdiagnose */, + 6C9AA79D1F7C1D8F00D08296 /* supdctl */, EB27FF101E402CD300EC9E3A /* ckksctl */, F621D0271ED6DCE7000EA569 /* authorizationdump */, + 0C8BBEFD1FCB446400580909 /* otctl */, DC8E04A11D7F6DFC006D80EB /* ======= Apps ========== */, DCE4E9101D7F3D5300AFB96E /* Keychain Circle Notification */, DCE4E8DC1D7F39DB00AFB96E /* Cloud Keychain Utility */, @@ -24727,6 +25916,7 @@ E710C7411331946400F85568 /* SecurityTests */, DCE4E7311D7A43B500AFB96E /* SecurityTestsOSX */, DC3502B41E0208BE00BC0587 /* CKKSTests */, + 0C85DFD11FB38BB6000343A7 /* OTTests */, DC610AAD1D7910C3002223DE /* gk_reset_check_macos */, DC610A551D78F9D2002223DE /* codesign_tests_macos */, DC610A461D78F48F002223DE /* SecTaskTest_macos */, 
@@ -24758,6 +25948,7 @@ 6CF4A0B31E45488B00ECD7B5 /* KeychainEntitledTestApp_mac */, 6CF4A0DF1E4549F200ECD7B5 /* KeychainEntitledTestApp_ios */, 6CCDF7831E3C25FA003F2555 /* KeychainEntitledTestRunner */, + 6C46056B1F882B9B001421B6 /* KeychainAnalyticsTests */, DC5AC1351D835D9700CF422C /* ===== Source Gen ===== */, DC008B451D90CE53004002A3 /* securityd_macos_mig */, DC6BC26C1D90CFEF00DD57B3 /* securityd_macos_startup */, @@ -24770,7 +25961,6 @@ DCD0675B1D8CDD6D007602F1 /* codesigning_SystemPolicy */, DC8E04AD1D7F6E76006D80EB /* ======= misc ========= */, E7B01BBD166594AB000485F1 /* SyncDevTest2 */, - 728B56A016D59979008FA3AB /* OTAPKIAssetTool */, 5E10992419A5E55800A60E2B /* ISACLProtectedItems */, 5346480017331E1100FE9172 /* KeychainSyncAccountNotification */, DA30D6751DF8C8FB00EC6B43 /* KeychainSyncAccountUpdater */, @@ -24796,6 +25986,9 @@ 05EF68B519491512007958C3 /* Security_frameworks */, F667EC561E96E9B100203D5C /* authdtest */, 47C51B831EEA657D0032D9E5 /* SecurityUnitTests */, + 4727FBB61F9918580003AE36 /* secdxctests_ios */, + 478D426C1FD72A8100CAB645 /* secdxctests_mac */, + EB49B2AD202D877F003F34A0 /* secdmockaks */, ); }; /* End PBXProject section */ @@ -24888,6 +26081,20 @@ ); runOnlyForDeploymentPostprocessing = 0; }; + 4727FBB51F9918580003AE36 /* Resources */ = { + isa = PBXResourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 478D42981FD72A8100CAB645 /* Resources */ = { + isa = PBXResourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + ); + runOnlyForDeploymentPostprocessing = 0; + }; 47C51B821EEA657D0032D9E5 /* Resources */ = { isa = PBXResourcesBuildPhase; buildActionMask = 2147483647; 
@@ -24899,13 +26106,20 @@ isa = PBXResourcesBuildPhase; buildActionMask = 2147483647; files = ( + D4C263CF1F953019001317EA /* SecDebugErrorMessages.strings in Resources */, + D4C263CE1F95300F001317EA /* SecErrorMessages.strings in Resources */, + BEB9EA2F1FFF1AF700676593 /* si-88-sectrust-valid-data in Resources */, + 47922D4F1FAA7D5C0008F7E0 /* SecDbKeychainSerializedItemV7.proto in Resources */, 53C0E1FF177FB48A00F8A018 /* CloudKeychain.strings in Resources */, BE4AC9BA18B8273600B84964 /* SharedWebCredentials.strings in Resources */, DCEE1E861D93427400DC0EB7 /* com.apple.securityd.plist in Resources */, + 47922D211FAA76000008F7E0 /* SecDbKeychainSerializedMetadata.proto in Resources */, EB433A2E1CC325E900A7EACE /* secitemstresstest.entitlements in Resources */, - 475F37201EE8F23900248FB5 /* SFAnalyticsLogging.plist in Resources */, + 47922D2D1FAA77970008F7E0 /* SecDbKeychainSerializedSecretData.proto in Resources */, + 475F37201EE8F23900248FB5 /* SFAnalytics.plist in Resources */, 4C198F220ACDB4BF00AAB142 /* Certificate.strings in Resources */, 4C198F230ACDB4BF00AAB142 /* OID.strings in Resources */, + D479F6E21F980FAB00388D28 /* Trust.strings in Resources */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -24919,6 +26133,8 @@ D4AA64861E97273D00D317ED /* si-18-certificate-parse in Resources */, D4EC94FB1CEA482D0083E753 /* si-20-sectrust-policies-data in Resources */, 0C0C88781CCEC5C400617D1B /* si-82-sectrust-ct-data in Resources */, + D4C6C5CA1FB2AD7A007EA57E /* si-87-sectrust-name-constraints in Resources */, + BEA74217202525DC00EC7993 /* si-88-sectrust-valid-data in Resources */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -25015,13 +26231,6 @@ ); runOnlyForDeploymentPostprocessing = 0; }; - DC1785031D77873100B50D50 /* Resources */ = { - isa = PBXResourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - ); - runOnlyForDeploymentPostprocessing = 0; - }; DC1789021D77980500B50D50 /* Resources */ = { isa = PBXResourcesBuildPhase; buildActionMask = 2147483647; @@ -25046,7 +26255,7 @@ DC178A2F1D77A1E700B50D50 /* sd_cspdl_common.mdsinfo in Resources */, DC178A291D77A1E700B50D50 /* dl_primary.mdsinfo in Resources */, DC178A261D77A1E700B50D50 /* cspdl_csp_primary.mdsinfo in Resources */, - 475F37211EE8F23900248FB5 /* SFAnalyticsLogging.plist in Resources */, + 475F37211EE8F23900248FB5 /* SFAnalytics.plist in Resources */, DC178A221D77A1E700B50D50 /* csp_common.mdsinfo in Resources */, DC178A431D77A1F600B50D50 /* SecDebugErrorMessages.strings in Resources */, DC178A481D77A1F600B50D50 /* TimeStampingPrefs.plist in Resources */, @@ -25080,6 +26289,8 @@ DCE4E76F1D7A43B500AFB96E /* si-20-sectrust-policies-data in Resources */, DCE4E7701D7A43B500AFB96E /* si-82-sectrust-ct-data in Resources */, DCE4E7B41D7A43DC00AFB96E /* si-82-sectrust-ct-logs.plist in Resources */, + D4C6C5C81FB2AD5E007EA57E /* si-87-sectrust-name-constraints in Resources */, + BEB9EA301FFF1B0800676593 /* si-88-sectrust-valid-data in Resources */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -25131,6 +26342,8 @@ D4AA64871E97274900D317ED /* si-18-certificate-parse in Resources */, D4EC94FE1CEA48760083E753 /* si-20-sectrust-policies-data in Resources */, 0C0C88791CCEC5C500617D1B /* si-82-sectrust-ct-data in Resources */, + D4C6C5C91FB2AD6D007EA57E /* si-87-sectrust-name-constraints in Resources */, + BEA74211202525CD00EC7993 /* si-88-sectrust-valid-data in Resources */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -25165,7 +26378,7 @@ /* End PBXResourcesBuildPhase section */ /* Begin PBXShellScriptBuildPhase section */ - 22C002A21AC9D2D100B3469E /* ShellScript */ = { + 0C85DFFF1FB38BB6000343A7 /* ShellScript */ = { isa = PBXShellScriptBuildPhase; buildActionMask = 8; files = ( @@ -25176,8 +26389,7 @@ ); runOnlyForDeploymentPostprocessing = 1; shellPath = /bin/sh; - shellScript = "if [ -n \"${OTAPKIASSETTOOL_LAUNCHD_PLIST}\" ]; then\n mkdir -p \"$LAUNCHD_PLIST_INSTALL_DIR\"\n plutil -convert binary1 -o \"$LAUNCHD_PLIST_INSTALL_DIR/com.apple.OTAPKIAssetTool.plist\" \"$OTAPKIASSETTOOL_LAUNCHD_PLIST\"\nfi"; - showEnvVarsInLog = 0; + shellScript = "#Disable until this places a plist in this directory\n#chown -f root:wheel ${DSTROOT}/AppleInternal/CoreOS/BATS/unit_tests/*.plist"; }; 5EE098DE1CD21661009FCA27 /* Unifdef RC_HIDE_J79/J80 */ = { isa = PBXShellScriptBuildPhase; 
@@ -25194,6 +26406,20 @@ shellScript = "if [ -d $DSTROOT ]; then\n RC_HIDE_J79_VAL=0\n RC_HIDE_J80_VAL=0\n SEC_HDRS_PATH=\"System/Library/Frameworks/Security.framework/Headers\"\n\n if [ ! -z $RC_HIDE_J79 ]; then\n RC_HIDE_J79_VAL=1\n fi\n\n if [ ! -z $RC_HIDE_J80 ]; then\n RC_HIDE_J80_VAL=1\n fi\n\n if [ -a $DSTROOT/$SEC_HDRS_PATH/SecAccessControl.h ]; then\n unifdef -B -DRC_HIDE_J79=$RC_HIDE_J79_VAL -DRC_HIDE_J80=$RC_HIDE_J80_VAL -o $DSTROOT/$SEC_HDRS_PATH/SecAccessControl.h $DSTROOT/$SEC_HDRS_PATH/SecAccessControl.h\n if [$? eq 2]; then\n exit 2\n fi\n fi\n\n if [ -a $DSTROOT/$SEC_HDRS_PATH/SecItem.h ]; then\n unifdef -B -DRC_HIDE_J79=$RC_HIDE_J79_VAL -DRC_HIDE_J80=$RC_HIDE_J80_VAL -o $DSTROOT/$SEC_HDRS_PATH/SecItem.h $DSTROOT/$SEC_HDRS_PATH/SecItem.h\n if [$? eq 2]; then\n exit 2\n fi\n fi\n\n exit 0\nfi"; showEnvVarsInLog = 0; }; + 6CAA8D361F84317F007B6E03 /* Install launchd plist */ = { + isa = PBXShellScriptBuildPhase; + buildActionMask = 8; + files = ( + ); + inputPaths = ( + ); + name = "Install launchd plist"; + outputPaths = ( + ); + runOnlyForDeploymentPostprocessing = 1; + shellPath = /bin/sh; + shellScript = "mkdir -p \"$LAUNCHD_PLIST_LOCATION\"\nplutil -convert binary1 -o \"$LAUNCHD_PLIST_LOCATION/com.apple.securityuploadd.plist\" \"$LAUNCHD_PLIST\""; + }; 6CB5F4761E402D0000DBF3F0 /* ShellScript */ = { isa = PBXShellScriptBuildPhase; buildActionMask = 8; 
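Review bot: The added "Install launchd plist" phase for securityuploadd uses `$LAUNCHD_PLIST_LOCATION` and `$LAUNCHD_PLIST` without checking that either is set, and it does not stop if `mkdir -p` fails. If the location setting is empty, the `plutil -o` target collapses to `/com.apple.securityuploadd.plist`, so a misconfigured build could write the daemon's launchd plist somewhere unintended; where these settings are defined is not visible in this hunk. The OTAPKIAssetTool script removed elsewhere in this commit guarded its variable with `[ -n ... ]` before writing. I would start the script with `set -e` and `: "${LAUNCHD_PLIST_LOCATION:?}" "${LAUNCHD_PLIST:?}"` so the phase fails loudly instead.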
@@ -25241,6 +26467,25 @@ shellPath = /bin/sh; shellScript = "PLIST_FILE_NAME=com.apple.security.cloudkeychainproxy3\nFILE_TO_COPY=${PROJECT_DIR}/KVSKeychainSyncingProxy/${PLIST_FILE_NAME}.ios.plist\n\nif [ ${PLATFORM_NAME} = \"macosx\" ]\nthen\nFILE_TO_COPY=${PROJECT_DIR}/KVSKeychainSyncingProxy/${PLIST_FILE_NAME}.osx.plist\nfi\n\ncp ${FILE_TO_COPY} ${INSTALL_ROOT}/${INSTALL_DAEMON_AGENT_DIR}/${PLIST_FILE_NAME}.plist"; }; + D4C263C41F8FEAA8001317EA /* Run Script Generate Error Strings */ = { + isa = PBXShellScriptBuildPhase; + buildActionMask = 2147483647; + files = ( + ); + inputPaths = ( + "${BUILT_PRODUCTS_DIR}/Security.framework/Headers/SecBase.h", + "${BUILT_PRODUCTS_DIR}/Security.framework/Headers/SecureTransport.h", + "${BUILT_PRODUCTS_DIR}/Security.framework/PrivateHeaders/CSCommon.h", + ); + name = "Run Script Generate Error Strings"; + outputPaths = ( + "${BUILT_PRODUCTS_DIR}/derived_src/SecDebugErrorMessages.strings", + "${BUILT_PRODUCTS_DIR}/derived_src/English.lproj/SecErrorMessages.strings", + ); + runOnlyForDeploymentPostprocessing = 0; + shellPath = /bin/sh; + shellScript = "set -x\n\nDERIVED_SRC=${BUILT_PRODUCTS_DIR}/derived_src\nmkdir -p ${DERIVED_SRC}\n\n# make error message string files\n\nGENDEBUGSTRS[0]=YES; ERRORSTRINGS[0]=${DERIVED_SRC}/SecDebugErrorMessages.strings\nGENDEBUGSTRS[1]=NO ; ERRORSTRINGS[1]=${DERIVED_SRC}/English.lproj/SecErrorMessages.strings\n\nmkdir -p ${DERIVED_SRC}/English.lproj\n\nfor ((ix=0;ix<2;ix++)) ; do\nperl OSX/lib/generateErrStrings.pl \\\n${GENDEBUGSTRS[ix]} \\\n${DERIVED_SRC} \\\n${ERRORSTRINGS[ix]} \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/SecureTransport.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/SecBase.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/PrivateHeaders/CSCommon.h\ndone\n"; + }; DC008B581D90CE70004002A3 /* securityd mig */ = { isa = PBXShellScriptBuildPhase; buildActionMask = 2147483647; 
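Review bot: The added "Run Script Generate Error Strings" script never checks the result of `perl OSX/lib/generateErrStrings.pl`. Because the call sits inside `for ((ix=0;ix<2;ix++))`, only the last iteration's status becomes the phase's status, so a failure while writing SecDebugErrorMessages.strings on the first pass still lets the build continue with a stale or missing file. Adding `set -e` next to the existing `set -x` makes either failure stop the build. The `${BUILT_PRODUCTS_DIR}` and `${DERIVED_SRC}` expansions are unquoted, e.g. `mkdir -p "${DERIVED_SRC}"`, and the array assignments and C-style `for` are bash features that work under `shellPath = /bin/sh` only where sh is bash. The same points apply to the "Run Script Generate Strings" script edited in the hunk at -25314.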
@@ -25275,21 +26520,6 @@ shellPath = /bin/sh; shellScript = "name=checkpw\n\nmkdir -p \"${DSTROOT}/private/etc/pam.d/\"\ncp \"${PROJECT_DIR}/OSX/libsecurity_checkpw/checkpw.pam\" \"${DSTROOT}/private/etc/pam.d/${name}\""; }; - DC1788D81D7793C000B50D50 /* Unifdef RC_HIDE_J79/J80 */ = { - isa = PBXShellScriptBuildPhase; - buildActionMask = 2147483647; - files = ( - ); - inputPaths = ( - ); - name = "Unifdef RC_HIDE_J79/J80"; - outputPaths = ( - ); - runOnlyForDeploymentPostprocessing = 0; - shellPath = /bin/sh; - shellScript = "if [ -d $DSTROOT ]; then\nRC_HIDE_J79_VAL=0\nRC_HIDE_J80_VAL=0\nSEC_HDRS_PATH=\"System/Library/Frameworks/Security.framework/Headers\"\n\nif [ ! -z $RC_HIDE_J79 ]; then\nRC_HIDE_J79_VAL=1\nfi\n\nif [ ! -z $RC_HIDE_J80 ]; then\nRC_HIDE_J80_VAL=1\nfi\n\nif [ -a $DSTROOT/$SEC_HDRS_PATH/SecAccessControl.h ]; then\nunifdef -B -DRC_HIDE_J79=$RC_HIDE_J79_VAL -DRC_HIDE_J80=$RC_HIDE_J80_VAL -o $DSTROOT/$SEC_HDRS_PATH/SecAccessControl.h $DSTROOT/$SEC_HDRS_PATH/SecAccessControl.h\nif [$? eq 2]; then\nexit 2\nfi\nfi\n\nif [ -a $DSTROOT/$SEC_HDRS_PATH/SecItem.h ]; then\nunifdef -B -DRC_HIDE_J79=$RC_HIDE_J79_VAL -DRC_HIDE_J80=$RC_HIDE_J80_VAL -o $DSTROOT/$SEC_HDRS_PATH/SecItem.h $DSTROOT/$SEC_HDRS_PATH/SecItem.h\nif [$? eq 2]; then\nexit 2\nfi\nfi\n\nexit 0\nfi"; - showEnvVarsInLog = 0; - }; DC1789A71D779E7E00B50D50 /* Run Script Generate Strings */ = { isa = PBXShellScriptBuildPhase; buildActionMask = 2147483647; 
@@ -25300,12 +26530,10 @@ "${BUILT_PRODUCTS_DIR}/Security.framework/Headers/AuthSession.h", "${BUILT_PRODUCTS_DIR}/Security.framework/Headers/SecureTransport.h", "${BUILT_PRODUCTS_DIR}/Security.framework/Headers/SecBase.h", - "${BUILT_PRODUCTS_DIR}/Security.framework/Headers/cssmerr.h", "${BUILT_PRODUCTS_DIR}/Security.framework/Headers/cssmapple.h", "${BUILT_PRODUCTS_DIR}/Security.framework/Headers/CSCommon.h", - "${BUILT_PRODUCTS_DIR}/Security.framework/PrivateHeaders/AuthorizationPriv.h", "${PROJECT_DIR}/libsecurity_keychain/lib/MacOSErrorStrings.h", - "${BUILT_PRODUCTS_DIR}/Security.framework/PrivateHeaders/SecureTransportPriv.h", + "${BUILT_PRODUCTS_DIR}/Security.framework/Headers/cssmerr.h", ); name = "Run Script Generate Strings"; outputPaths = ( 
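Review bot: The `inputPaths` entry `"${PROJECT_DIR}/libsecurity_keychain/lib/MacOSErrorStrings.h"` kept here does not match the path the script passes to generateErrStrings.pl, which is `${PROJECT_DIR}/OSX/libsecurity_keychain/lib/MacOSErrorStrings.h` in the following hunk. If the `OSX/` path is the real location, Xcode's dependency check for this phase will not see edits to that header and can skip regenerating the error strings. Since the list is being edited anyway, the entry could become `"${PROJECT_DIR}/OSX/libsecurity_keychain/lib/MacOSErrorStrings.h",`. The phase definition starts before this hunk and continues after it.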
@@ -25314,7 +26542,7 @@ ); runOnlyForDeploymentPostprocessing = 0; shellPath = /bin/sh; - shellScript = "set -x\n\nDERIVED_SRC=${BUILT_PRODUCTS_DIR}/derived_src\nmkdir -p ${DERIVED_SRC}\n\n# make error message string files\n\nGENDEBUGSTRS[0]=YES; ERRORSTRINGS[0]=${DERIVED_SRC}/SecDebugErrorMessages.strings\nGENDEBUGSTRS[1]=NO ; ERRORSTRINGS[1]=${DERIVED_SRC}/en.lproj/SecErrorMessages.strings\n\nmkdir -p ${DERIVED_SRC}/en.lproj\n\nfor ((ix=0;ix<2;ix++)) ; do\nperl OSX/lib/generateErrStrings.pl \\\n${GENDEBUGSTRS[ix]} \\\n${DERIVED_SRC} \\\n${ERRORSTRINGS[ix]} \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/Authorization.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/AuthSession.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/SecureTransport.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/SecBase.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/cssmerr.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/cssmapple.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/CSCommon.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/PrivateHeaders/AuthorizationPriv.h \\\n${PROJECT_DIR}/OSX/libsecurity_keychain/lib/MacOSErrorStrings.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/PrivateHeaders/SecureTransportPriv.h\ndone\n"; + shellScript = "set -x\n\nDERIVED_SRC=${BUILT_PRODUCTS_DIR}/derived_src\nmkdir -p ${DERIVED_SRC}\n\n# make error message string files\n\nGENDEBUGSTRS[0]=YES; ERRORSTRINGS[0]=${DERIVED_SRC}/SecDebugErrorMessages.strings\nGENDEBUGSTRS[1]=NO ; ERRORSTRINGS[1]=${DERIVED_SRC}/en.lproj/SecErrorMessages.strings\n\nmkdir -p ${DERIVED_SRC}/en.lproj\n\nfor ((ix=0;ix<2;ix++)) ; do\nperl OSX/lib/generateErrStrings.pl \\\n${GENDEBUGSTRS[ix]} \\\n${DERIVED_SRC} \\\n${ERRORSTRINGS[ix]} \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/Authorization.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/AuthSession.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/SecureTransport.h 
\\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/SecBase.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/cssmerr.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/cssmapple.h \\\n${BUILT_PRODUCTS_DIR}/Security.framework/Headers/CSCommon.h \\\n${PROJECT_DIR}/OSX/libsecurity_keychain/lib/MacOSErrorStrings.h\ndone\n"; }; DC178B481D77A51600B50D50 /* Make XPC server symlink */ = { isa = PBXShellScriptBuildPhase; @@ -25458,22 +26686,6 @@ shellScript = "# The build system requires that we don't install these headers and .as in multiple phases.\n# This target will not install anything, so feel free to depend on it whenever you use it.\n\n# If you make changes to this target, please make them to ASN1 as well."; showEnvVarsInLog = 0; }; - DC71DA011D95BD670065FB93 /* Why is this here? */ = { - isa = PBXShellScriptBuildPhase; - buildActionMask = 8; - files = ( - ); - inputPaths = ( - "$(SRCROOT)/OSX/libsecurity_keychain/libDER/libDER/libDER.h", - ); - name = "Why is this here?"; - outputPaths = ( - ); - runOnlyForDeploymentPostprocessing = 1; - shellPath = /bin/sh; - shellScript = "# The build system requires that we don't install these headers and .as in multiple phases.\n# This target will not install anything, so feel free to depend on it whenever you use it.\n\n# If you make changes to this target, please make them to DER as well."; - showEnvVarsInLog = 0; - }; DC82FFE61D90D3F60085674B /* security_utilities DTrace */ = { isa = PBXShellScriptBuildPhase; buildActionMask = 2147483647; 
@@ -25679,6 +26891,57 @@ ); runOnlyForDeploymentPostprocessing = 0; }; + 0C85DFE21FB38BB6000343A7 /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 0CB9754F2023A8F5008D6B48 /* CloudKitMockXCTest.m in Sources */, + 0CB9754E2023A8DD008D6B48 /* CloudKitKeychainSyncingMockXCTest.m in Sources */, + 0C0DA5D01FE1F1F3003BD3BB /* CKKSControlProtocol.m in Sources */, + 0CBDF64D1FFC951200433E0D /* OTBottledPeerTLK.m in Sources */, + 0C16371C1FD116B300210823 /* MockCloudKit.m in Sources */, + 0C8A034F1FDF60070042E8BE /* OTBottledPeerTests.m in Sources */, + 0C52C1FF20003BCA003F0733 /* OTTestsBase.m in Sources */, + 0C1637211FD12F1500210823 /* OTCloudStoreTests.m in Sources */, + 0CAEC9D81FD740CF00D1F2CA /* OTContextTests.m in Sources */, + 0C0DA5CF1FE1F1C5003BD3BB /* OTControlProtocol.m in Sources */, + 0C8A03461FDF42BA0042E8BE /* OTEscrowKeyTests.m in Sources */, + 0C8A034D1FDF4CCE0042E8BE /* OTLocalStoreTests.m in Sources */, + DCDB296C1FD8820400B5D242 /* SFAnalytics.m in Sources */, + 6C73F48D2006B83E003D5D63 /* SOSAnalytics.m in Sources */, + 0C46A57B2035019800F17112 /* OTLockStateNetworkingTests.m in Sources */, + DCDB296E1FD8821400B5D242 /* SFAnalyticsActivityTracker.m in Sources */, + DCDB29701FD8821800B5D242 /* SFAnalyticsMultiSampler.m in Sources */, + DCDB29741FD8822200B5D242 /* SFAnalyticsSQLiteStore.m in Sources */, + 0C46A5712034C6BA00F17112 /* OTControl.m in Sources */, + DCDB29721FD8821D00B5D242 /* SFAnalyticsSampler.m in Sources */, + DCDB297E1FD8849D00B5D242 /* SFObjCType.m in Sources */, + 0CC0445B1FFC4150004A5B63 /* CKKSControl.m in Sources */, + DCDB297C1FD8848A00B5D242 /* SFSQLite.m in Sources */, + 0CA4EBF4202B8DBE002B1D96 /* CloudKitKeychainSyncingTestsBase.m in Sources */, + DCDB297D1FD8849A00B5D242 /* SFSQLiteStatement.m in Sources */, + DCDB297B1FD8847100B5D242 /* SecTask.c in Sources */, + 0C1637291FD2066A00210823 /* SecdWatchdog.m in Sources */, + DCDB29791FD8844C00B5D242 /* client.c in Sources */, + 
DCDB297A1FD8845600B5D242 /* client_endpoint.m in Sources */, + 0CB975512023B199008D6B48 /* OTRampingTests.m in Sources */, + 0C16372B1FD2067F00210823 /* server_endpoint.m in Sources */, + 0C16372D1FD2069300210823 /* server_entitlement_helpers.c in Sources */, + 0C1637301FD206BC00210823 /* server_security_helpers.c in Sources */, + 0C1637271FD2065400210823 /* spi.c in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 0C8BBEFE1FCB446400580909 /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 0C8BBF1B1FCB4EC500580909 /* OTControlProtocol.m in Sources */, + 0C8BBF091FCB447600580909 /* otctl.m in Sources */, + 0C8BBEFF1FCB446400580909 /* SecArgParse.c in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; 225394AD1E3080A600D3CD9B /* Sources */ = { isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; @@ -25686,7 +26949,6 @@ 220179EB1E3BF1F100EFB6F3 /* detachedrep.cpp in Sources */, 220179EA1E3BF16000EFB6F3 /* slcrep.cpp in Sources */, 220179E31E3BEB7100EFB6F3 /* dirscanner.cpp in Sources */, - 225394B71E3081F900D3CD9B /* cskernel.cpp in Sources */, 225394B81E30820900D3CD9B /* Code.cpp in Sources */, 225394B91E30821400D3CD9B /* bundlediskrep.cpp in Sources */, 225394BA1E30821E00D3CD9B /* cdbuilder.cpp in Sources */, @@ -25700,9 +26962,9 @@ 225394C11E30827600D3CD9B /* filediskrep.cpp in Sources */, 225394C21E30827E00D3CD9B /* kerneldiskrep.cpp in Sources */, 225394C31E30828800D3CD9B /* StaticCode.cpp in Sources */, - 225394C41E30829300D3CD9B /* reqparser.cpp in Sources */, 225394C51E3082A100D3CD9B /* requirement.cpp in Sources */, 225394C61E3082AB00D3CD9B /* Requirements.cpp in Sources */, + DCD7EE851F4E47D2007D9804 /* reqparser.cpp in Sources */, 225394C71E3082B600D3CD9B /* reqdumper.cpp in Sources */, 225394C81E3082BE00D3CD9B /* reqinterp.cpp in Sources */, 225394C91E3082C900D3CD9B /* reqmaker.cpp in Sources */, 
@@ -25734,6 +26996,22 @@ ); runOnlyForDeploymentPostprocessing = 0; }; + 4727FBB31F9918580003AE36 /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 47DE88DA1FA7B07400DD3254 /* server_xpc.m in Sources */, + 4727FBEF1F9924FB0003AE36 /* server_security_helpers.c in Sources */, + 4727FBEE1F9924DA0003AE36 /* server_entitlement_helpers.c in Sources */, + 477A1FED2037A0E000ACD81D /* KeychainXCTest.m in Sources */, + 4727FBEB1F99227F0003AE36 /* spi.c in Sources */, + 4727FBEC1F99235B0003AE36 /* SecdWatchdog.m in Sources */, + 4727FBBA1F9918590003AE36 /* KeychainCryptoTests.m in Sources */, + 477A1FE4203763A500ACD81D /* KeychainAPITests.m in Sources */, + 4727FBED1F99249A0003AE36 /* server_endpoint.m in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; 47702B1A1E5F409700B29577 /* Sources */ = { isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; @@ -25750,6 +27028,22 @@ ); runOnlyForDeploymentPostprocessing = 0; }; + 478D42751FD72A8100CAB645 /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 478D42761FD72A8100CAB645 /* server_xpc.m in Sources */, + 478D42771FD72A8100CAB645 /* server_security_helpers.c in Sources */, + 478D42781FD72A8100CAB645 /* server_entitlement_helpers.c in Sources */, + 477A1FEE2037A0E000ACD81D /* KeychainXCTest.m in Sources */, + 478D42791FD72A8100CAB645 /* spi.c in Sources */, + 478D427A1FD72A8100CAB645 /* SecdWatchdog.m in Sources */, + 478D427B1FD72A8100CAB645 /* KeychainCryptoTests.m in Sources */, + 477A1FE5203763A500ACD81D /* KeychainAPITests.m in Sources */, + 478D427C1FD72A8100CAB645 /* server_endpoint.m in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; 47C51B801EEA657D0032D9E5 /* Sources */ = { isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; 
@@ -25762,21 +27056,32 @@ isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( + 6CAA8CFF1F83E800007B6E03 /* SFSQLite.m in Sources */, + 6CDB5FF61FA78D1B00410924 /* SFAnalyticsMultiSampler.m in Sources */, + D46246A61F9AE61000D63882 /* oids.c in Sources */, + 0CBFEACB200FCD2D009A60E9 /* SFTransactionMetric.m in Sources */, + 0CBD55B31FE883F200A8CE21 /* SFBehavior.m in Sources */, 220179E91E3BF03200EFB6F3 /* dummy.cpp in Sources */, + DC926F091F33FA8D0012A315 /* CKKSControlProtocol.m in Sources */, 4723C9CC1F152ED30082882F /* SFSQLiteStatement.m in Sources */, - DC9C95C11F79DD4B000D19E5 /* CKKSControlProtocol.m in Sources */, DCA85B931E8D97E400BA7241 /* client.c in Sources */, + 6CBF653A1FA147E500A68667 /* SFAnalyticsActivityTracker.m in Sources */, DC9C95BF1F79DC88000D19E5 /* CKKSControl.m in Sources */, + 0C8BBF131FCB4AFA00580909 /* OTControlProtocol.m in Sources */, + EB10A3E620356E2000E84270 /* OTConstants.m in Sources */, 18F7F67914D77F4400F88A12 /* NtlmGenerator.c in Sources */, 0CD8CB051ECA50780076F37F /* SOSPeerOTRTimer.m in Sources */, DCA85B981E8D980A00BA7241 /* client_endpoint.m in Sources */, + 6CE3654E1FA100E50012F6AB /* SFAnalytics.m in Sources */, 18F7F67A14D77F4400F88A12 /* ntlmBlobPriv.c in Sources */, - 4723C9E01F1540CE0082882F /* SFAnalyticsLogger.m in Sources */, - 4723C9C81F152ECA0082882F /* SFSQLite.m in Sources */, + 6CAA8CFC1F83E7EA007B6E03 /* SFObjCType.m in Sources */, E7B00700170B581D00B27966 /* Security.exp-in in Sources */, - 4723C9C41F152EBB0082882F /* SFObjCType.m in Sources */, + 0C8BBF121FCB4AAB00580909 /* OTControl.m in Sources */, EB48C1A51E573EE400EC5E57 /* whoami.m in Sources */, B61F67571F1FCFCB00E2FDBB /* SecPaddingConfigurations.c in Sources */, + 6CE365531FA101080012F6AB /* SFAnalyticsSampler.m in Sources */, + 6C73F48A2006B839003D5D63 /* SOSAnalytics.m in Sources */, + 6CE365571FA1017D0012F6AB /* SFAnalyticsSQLiteStore.m in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -25885,24 +27190,47 @@ ); runOnlyForDeploymentPostprocessing = 0; }; + 6C46057A1F882B9B001421B6 /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 6CB96BB21F966DA400E11457 /* SFSQLite.m in Sources */, + 6CB96BB31F966DA400E11457 /* SFSQLiteStatement.m in Sources */, + 6CBF65421FA2255800A68667 /* SFAnalyticsActivityTracker.m in Sources */, + 6CDF8DF21F9649AB00140B54 /* SFAnalyticsSampler.m in Sources */, + 6CDF8DF41F9649C000140B54 /* SFAnalytics.m in Sources */, + 6C4605BC1F882DB6001421B6 /* SFAnalyticsTests.m in Sources */, + 6C13AE471F8E9F5F00F047E3 /* supd.m in Sources */, + 6C4605BD1F882DC3001421B6 /* SupdTests.m in Sources */, + 6CDB5FFA1FA78D2500410924 /* SFAnalyticsMultiSampler.m in Sources */, + 6CB96BAC1F966D6500E11457 /* main.m in Sources */, + 6CB96BB61F966E4300E11457 /* SFObjCType.m in Sources */, + 6CDF8DF31F9649C000140B54 /* SFAnalyticsSQLiteStore.m in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; 6C98083D1E788AEB00E70590 /* Sources */ = { isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( + 6CBF65431FA2257100A68667 /* SFAnalyticsActivityTracker.m in Sources */, + 6CAA8CF71F83E79E007B6E03 /* SFSQLite.m in Sources */, 476541A41F33EDED00413F65 /* SecdWatchdog.m in Sources */, - 47B011A71F17D8980030B49F /* SFAnalyticsLogger.m in Sources */, - 47B011981F17D78D0030B49F /* SFSQLite.m in Sources */, 47B011991F17D78D0030B49F /* SFSQLiteStatement.m in Sources */, - 47B011971F17D7810030B49F /* SFObjCType.m in Sources */, DC2D438F1F0EEC2A0005D382 /* MockCloudKit.m in Sources */, + 6CDF8DEF1F96495600140B54 /* SFAnalyticsSampler.m in Sources */, DCB515E21ED3D134001F1152 /* SecTask.c in Sources */, DCB515E11ED3D11A001F1152 /* client.c in Sources */, 6C9808A61E788CD200E70590 /* CKKSCloudKitTests.m in Sources */, 6C98083E1E788AEB00E70590 /* spi.c in Sources */, DC2353301ECA658900D7C1BE /* server_security_helpers.c in Sources */, + 6CAA8CF01F83E65E007B6E03 /* SFObjCType.m in Sources */, + 
6CAA8D131F83ECD4007B6E03 /* SFAnalytics.m in Sources */, DC2353321ECA659000D7C1BE /* server_xpc.m in Sources */, + 6CDB5FF91FA78D2400410924 /* SFAnalyticsMultiSampler.m in Sources */, DC5F35B11EE0F28B00900966 /* server_entitlement_helpers.c in Sources */, DC2353291ECA658300D7C1BE /* server_endpoint.m in Sources */, + 6CAA8CF91F83E7AA007B6E03 /* SFAnalyticsSQLiteStore.m in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -25910,21 +27238,43 @@ isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( + 6CAA8CF61F83E79D007B6E03 /* SFSQLite.m in Sources */, + 6CDB5FF81FA78D2300410924 /* SFAnalyticsMultiSampler.m in Sources */, 476541A51F33EE1E00413F65 /* SecdWatchdog.m in Sources */, - 47B011AD1F17D8A00030B49F /* SFAnalyticsLogger.m in Sources */, - 47B0119B1F17D7F10030B49F /* SFSQLite.m in Sources */, - 47B0119C1F17D7F10030B49F /* SFSQLiteStatement.m in Sources */, - 47B0119A1F17D7E80030B49F /* SFObjCType.m in Sources */, DC2D43951F0EEC300005D382 /* MockCloudKit.m in Sources */, + 6CAA8CF81F83E7A9007B6E03 /* SFAnalyticsSQLiteStore.m in Sources */, 6C9808A51E788CD100E70590 /* CKKSCloudKitTests.m in Sources */, + 6CBF65441FA2257200A68667 /* SFAnalyticsActivityTracker.m in Sources */, DCB515E31ED3D135001F1152 /* SecTask.c in Sources */, + 6CAA8CEF1F83E65D007B6E03 /* SFObjCType.m in Sources */, DCB515E01ED3D111001F1152 /* client.c in Sources */, DCB515E41ED3D15A001F1152 /* client_endpoint.m in Sources */, + 6CAA8D141F83ECD5007B6E03 /* SFAnalytics.m in Sources */, 6C98087A1E788AFD00E70590 /* spi.c in Sources */, + 6CAA8D0D1F83EC57007B6E03 /* SFSQLiteStatement.m in Sources */, DC5F35B21EE0F28C00900966 /* server_entitlement_helpers.c in Sources */, DC2353311ECA658B00D7C1BE /* server_security_helpers.c in Sources */, DC2353331ECA659000D7C1BE /* server_xpc.m in Sources */, DC23532F1ECA658400D7C1BE /* server_endpoint.m in Sources */, + 6CDF8DF01F96495700140B54 /* SFAnalyticsSampler.m in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 6C9AA79A1F7C1D8F00D08296 /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 6C9AA7A51F7C6F7F00D08296 /* SecArgParse.c in Sources */, + 6C9AA7A11F7C1D9000D08296 /* main.m in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; + 6CAA8D1C1F842FB3007B6E03 /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + 6CAA8D351F84306C007B6E03 /* main.m 
in Sources */, + 6CAA8D271F843002007B6E03 /* supd.m in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -25956,15 +27306,6 @@ ); runOnlyForDeploymentPostprocessing = 0; }; - 728B569D16D59979008FA3AB /* Sources */ = { - isa = PBXSourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - 72CD2BBE16D59AE30064EEE1 /* OTAServiceApp.m in Sources */, - 72CD2BBF16D59AE30064EEE1 /* OTAServicemain.m in Sources */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; 790851B30CA9859F0083CC4D /* Sources */ = { isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; @@ -26094,7 +27435,7 @@ files = ( D43DBEFB1E99D1CA00C04AEA /* asynchttp.c in Sources */, D43DBEFC1E99D1CA00C04AEA /* nameconstraints.c in Sources */, - D43DBEFD1E99D1CA00C04AEA /* OTATrustUtilities.c in Sources */, + D43DBEFD1E99D1CA00C04AEA /* OTATrustUtilities.m in Sources */, D43DBEFE1E99D1CA00C04AEA /* personalization.c in Sources */, D43DBEFF1E99D1CA00C04AEA /* policytree.c in Sources */, D43DBF001E99D1CA00C04AEA /* SecCAIssuerCache.c in Sources */, @@ -26109,7 +27450,7 @@ D43DBF081E99D1CA00C04AEA /* SecPolicyServer.c in Sources */, D43DBF091E99D1CA00C04AEA /* SecRevocationDb.c in Sources */, D43DBF0A1E99D1CA00C04AEA /* SecRevocationServer.c in Sources */, - D43DBF0B1E99D1CA00C04AEA /* SecTrustLoggingServer.c in Sources */, + D43DBF0B1E99D1CA00C04AEA /* SecTrustLoggingServer.m in Sources */, D43DBF0C1E99D1CA00C04AEA /* SecTrustServer.c in Sources */, D43DBF0D1E99D1CA00C04AEA /* SecTrustStoreServer.c in Sources */, D40B6A9B1E2B690E00CD6EE5 /* SecuritydXPC.c in Sources */, 
@@ -26529,18 +27870,29 @@ isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( - 4723C9C91F152ECA0082882F /* SFSQLite.m in Sources */, + 0CBD55B91FE883F300A8CE21 /* SFBehavior.m in Sources */, + D46246A71F9AE62000D63882 /* oids.c in Sources */, DCA85B991E8D980B00BA7241 /* client_endpoint.m in Sources */, + DC926F0A1F33FA8E0012A315 /* CKKSControlProtocol.m in Sources */, + 6CE365541FA101090012F6AB /* SFAnalyticsSampler.m in Sources */, + 6CE365581FA1017E0012F6AB /* SFAnalyticsSQLiteStore.m in Sources */, + 6CDB5FF51FA78D1A00410924 /* SFAnalyticsMultiSampler.m in Sources */, DCA85B941E8D97E400BA7241 /* client.c in Sources */, DCDF0A4F1D81D76F007AF174 /* Security.exp-in in Sources */, + 0CBFEACA200FCD2D009A60E9 /* SFTransactionMetric.m in Sources */, DC1789A51D779E3B00B50D50 /* dummy.cpp in Sources */, - 4723C9C51F152EBC0082882F /* SFObjCType.m in Sources */, + 0C8BBF111FCB4AAA00580909 /* OTControl.m in Sources */, 4723C9CD1F152ED40082882F /* SFSQLiteStatement.m in Sources */, + EB10A3E920356E7A00E84270 /* OTConstants.m in Sources */, + 6CAA8CFE1F83E800007B6E03 /* SFSQLite.m in Sources */, DC9C95C01F79DC89000D19E5 /* CKKSControl.m in Sources */, - 4723C9E11F1540CE0082882F /* SFAnalyticsLogger.m in Sources */, + 0C8BBF141FCB4AFB00580909 /* OTControlProtocol.m in Sources */, B61577E81F20151C004A3930 /* SecPaddingConfigurations.c in Sources */, + 6C73F48B2006B83A003D5D63 /* SOSAnalytics.m in Sources */, + 6CE3654D1FA100E50012F6AB /* SFAnalytics.m in Sources */, + 6CAA8CFD1F83E7EB007B6E03 /* SFObjCType.m in Sources */, DC1789A21D779DF400B50D50 /* SecBreadcrumb.c in Sources */, - DC9C95C21F79DD4D000D19E5 /* CKKSControlProtocol.m in Sources */, + 6CBF65411FA1481100A68667 /* SFAnalyticsActivityTracker.m in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -26548,18 +27900,27 @@ isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( + BEE4B18D1FFD588000777D39 /* OTAuthenticatedCiphertext.proto in Sources */, + BEB0B0D81FFC3DD3007E6A83 /* OTPrivateKey.proto in Sources */, + BE3405AE1FD725EC00933DAC /* OTBottle.proto in Sources */, + BE3405AF1FD725F000933DAC /* OTBottleContents.proto in Sources */, DC9FD3231F8587A500C8AAC8 /* CKKSSerializedKey.proto in Sources */, DC222C3A1E034D1F00B09171 /* CKKSItemEncrypter.m in Sources */, DC7A17F01E36ABC200EF14CE /* CKKSProcessReceivedKeysOperation.m in Sources */, DCEA5D581E2826DB0089CF55 /* CKKSSIV.m in Sources */, EBB407B41EBA46B300A541A5 /* CKKSPowerCollection.m in Sources */, DCB5D93E1E4A9A3400BE22AB /* CKKSSynchronizeOperation.m in Sources */, + 0CD9E8011FE05B6600F66C38 /* OTContextRecord.m in Sources */, + BEB0B0DE1FFC45D8007E6A83 /* OTPrivateKey+SF.m in Sources */, DC222C3B1E034D1F00B09171 /* SOSChangeTracker.c in Sources */, DC222C3D1E034D1F00B09171 /* SOSEngine.c in Sources */, 6C8CC3B31E2F913D009025C5 /* AWDKeychainCKKSRateLimiterAggregatedScores.m in Sources */, DC222C401E034D1F00B09171 /* SecDbItem.c in Sources */, DCCD88EB1E42622200F5AA71 /* CKKSGroupOperation.m in Sources */, - DC222C411E034D1F00B09171 /* SecDbKeychainItem.c in Sources */, + DC222C411E034D1F00B09171 /* SecDbKeychainItem.m in Sources */, + 0C8BBEAA1FC9DBC000580909 /* OTLocalStore.m in Sources */, + 4733377C1FDAFBCC00E19F30 /* SFKeychainControlManager.m in Sources */, + 0CE1BCCF1FCE11690017230E /* OTBottledPeerSigned.m in Sources */, DC222C421E034D1F00B09171 /* SecDbQuery.c in Sources */, 6C3446471E25346C00F9522B /* CKKSRateLimiter.m in Sources */, DCA4D2001E552DD50056214F /* CKKSCurrentKeyPointer.m in Sources */, 
@@ -26568,8 +27929,12 @@ DCE278E01ED789EF0083B485 /* CKKSCurrentItemPointer.m in Sources */, DC222C441E034D1F00B09171 /* SecItemDataSource.c in Sources */, DC3D748F1FD2217900AC57DA /* CKKSLocalSynchronizeOperation.m in Sources */, + 0C8BBF161FCB4B1C00580909 /* OTManager.m in Sources */, + 0C8BBEA61FC9DBB200580909 /* OTEscrowKeys.m in Sources */, 526965D31E6E284500627F9D /* AsymKeybagBackup.m in Sources */, + DA6AA1661FE88AFB004565B0 /* CKKSControlServer.m in Sources */, DCFE1C541F1825F7007640C8 /* CKKSUpdateDeviceStateOperation.m in Sources */, + 47922D491FAA7C3D0008F7E0 /* SecDbKeychainSerializedMetadata.m in Sources */, DCD6C4B51EC5302500414FEE /* CKKSNearFutureScheduler.m in Sources */, 6C588D811EAA20AC00D7E322 /* RateLimiter.m in Sources */, DC94BCCD1F10448600E07CEB /* CloudKitCategories.m in Sources */, 
@@ -26582,47 +27947,65 @@ DCEA5D881E2F14810089CF55 /* CKKSAPSReceiver.m in Sources */, DC2C5F611F0EB97E00FEBDA7 /* CKKSNotifier.m in Sources */, DC222C481E034D1F00B09171 /* SecItemServer.c in Sources */, - DC9C95B71F79CFD1000D19E5 /* CKKSControl.m in Sources */, DC18F7721E43E116006B8B43 /* CKKSFetchAllRecordZoneChangesOperation.m in Sources */, DC222C491E034D1F00B09171 /* SecKeybagSupport.c in Sources */, + 471A03F21F72E35C000A8904 /* SecDbKeychainItemV7.m in Sources */, + 0C8BBF181FCB4E5000580909 /* OTControlProtocol.m in Sources */, + EB4E0CDC1FF36A9700CDCACC /* CKKSReachabilityTracker.m in Sources */, DC1DA6691E4555D80094CE7F /* CKKSScanLocalItemsOperation.m in Sources */, 6C8CC3B41E2F913D009025C5 /* AWDKeychainCKKSRateLimiterOverload.m in Sources */, + 0C8BBEA21FC9DBAA00580909 /* OTContext.m in Sources */, DC222C4A1E034D1F00B09171 /* SecLogSettingsServer.m in Sources */, DC14478D1F5764C600236DB4 /* CKKSResultOperation.m in Sources */, 479DA1781EBBA8D30065C98F /* CKKSManifest.m in Sources */, DCD662F81E329B6800188186 /* CKKSNewTLKOperation.m in Sources */, + DC124DCE20059BA900BE8DAC /* OctagonControlServer.m in Sources */, DC222C4D1E034D1F00B09171 /* CKKSOutgoingQueueEntry.m in Sources */, DCBF2F881F913EF000ED0CA4 /* CKKSHealTLKSharesOperation.m in Sources */, + EB10A3E720356E6500E84270 /* OTConstants.m in Sources */, + 0C5CFB392019610000913B9C /* OTRamping.m in Sources */, DC222C4E1E034D1F00B09171 /* CKKS.m in Sources */, DC762AA11E57A86A00B03A2C /* CKKSRecordHolder.m in Sources */, DC222C501E034D1F00B09171 /* SecOTRRemote.m in Sources */, - 479108BA1EE879F9008CEFA0 /* CKKSAnalyticsLogger.m in Sources */, + 47922D451FAA7C2E0008F7E0 /* SecDbKeychainSerializedAKSWrappedKey.m in Sources */, + 479108BA1EE879F9008CEFA0 /* CKKSAnalytics.m in Sources */, + 479108BA1EE879F9008CEFA0 /* CKKSAnalytics.m in Sources */, DC1447991F5766D200236DB4 /* NSOperationCategories.m in Sources */, DC222C511E034D1F00B09171 /* CKKSItem.m in Sources */, DCBDB3BE1E57CA7A00B61300 /* 
CKKSViewManager.m in Sources */, DCFE1C2A1F17E455007640C8 /* CKKSDeviceStateEntry.m in Sources */, + 0C8BBEA81FC9DBB600580909 /* OTIdentity.m in Sources */, DCAD9B471F8D939C00C5E2AE /* CKKSFixups.m in Sources */, DCA4D2181E5684220056214F /* CKKSReencryptOutgoingItemsOperation.m in Sources */, DCE278EB1ED7A5B40083B485 /* CKKSUpdateCurrentItemPointerOperation.m in Sources */, DC222C541E034D1F00B09171 /* CKKSSQLDatabaseObject.m in Sources */, DCEA5D981E3015840089CF55 /* CKKSZone.m in Sources */, + 0CE407AD1FD4769B00F59B31 /* OTCloudStoreState.m in Sources */, DCB837381ED5045100015C07 /* CKKSLockStateTracker.m in Sources */, - DAD3BD021F9830BC00DF29BA /* CKKSControlProtocol.m in Sources */, + 47922D4D1FAA7C4B0008F7E0 /* SecDbKeychainSerializedSecretData.m in Sources */, DC4DB1531E24692100CD6769 /* CKKSKey.m in Sources */, DC9082C51EA0277700D0C1C5 /* CKKSZoneChangeFetcher.m in Sources */, + 0CCCC7CA20261D310024405E /* OT.m in Sources */, + 47922D571FAA7E0E0008F7E0 /* SecDbKeychainSerializedItemV7.m in Sources */, DC222C571E034D1F00B09171 /* SecuritydXPC.c in Sources */, DC7341F61F8447AB00AB9BDF /* CKKSTLKShare.m in Sources */, 6C8CC3B51E2F913D009025C5 /* AWDKeychainCKKSRateLimiterTopWriters.m in Sources */, DCBDB3B81E57C82300B61300 /* CKKSKeychainView.m in Sources */, DC222C5A1E034D1F00B09171 /* iCloudTrace.c in Sources */, DC5BB5011E0C98320010F836 /* CKKSOutgoingQueueOperation.m in Sources */, + 0C8BBEA01FC9DBA400580909 /* OTBottledPeer.m in Sources */, 6C869A7A1F54C37A00957298 /* AWDKeychainSOSKeychainBackupFailed.m in Sources */, 6C869A761F50CAF500957298 /* SOSEnsureBackup.m in Sources */, + BE2AD2BB1FDA080900739F96 /* OTBottledPeerRecord.m in Sources */, + 0C770EC51FCF7E2000B5F0E2 /* OTCloudStore.m in Sources */, 5269658E1E6A154800627F9D /* SecBackupKeybagEntry.m in Sources */, + 0C36B3222007F2570029F7A2 /* OTPreflightInfo.m in Sources */, DC222C5D1E034D1F00B09171 /* CKKSMirrorEntry.m in Sources */, + BEE4B1951FFD604B00777D39 /* OTAuthenticatedCiphertext+SF.m in 
Sources */, DC54DD101EA7D9E800108E92 /* CKKSManifestLeafRecord.m in Sources */, DCFE1C371F17ECE5007640C8 /* CKKSCondition.m in Sources */, DC222C611E034D1F00B09171 /* swcagent_client.c in Sources */, + BEE4B19B1FFDAFE600777D39 /* SFECPublicKey+SPKI.m in Sources */, DC222C621E034D1F00B09171 /* CKKSZoneStateEntry.m in Sources */, ); runOnlyForDeploymentPostprocessing = 0; @@ -26632,10 +28015,7 @@ buildActionMask = 2147483647; files = ( 476541A61F33EE2700413F65 /* SecdWatchdog.m in Sources */, - 4771ECD91F17CE5100840998 /* SFAnalyticsLogger.m in Sources */, - 4771ECCE1F17CD2100840998 /* SFObjCType.m in Sources */, - 4771ECCC1F17CD0E00840998 /* SFSQLite.m in Sources */, - DCB502331FDA156B008F8E4F /* AutoreleaseTest.c in Sources */, + 6CAA8CF41F83E799007B6E03 /* SFSQLite.m in Sources */, 4771ECCD1F17CD0E00840998 /* SFSQLiteStatement.m in Sources */, DCD6C4B71EC5319600414FEE /* CKKSNearFutureSchedulerTests.m in Sources */, DC08D1C41E64FA8C006237DA /* CloudKitKeychainSyncingMockXCTest.m in Sources */, 
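Review bot: In the hunk at -26582, replacing the `CKKSAnalyticsLogger.m` entry adds `479108BA1EE879F9008CEFA0 /* CKKSAnalytics.m in Sources */,` twice in a row, with the same build-file ID in the same Sources phase. This looks like a merge artifact rather than intent. Xcode normally reports a duplicate build file and skips the second one, but the redundant entry makes later merges of this list harder to read and is worth dropping. One of the two `+` lines should be removed so the phase lists the file once. The phase's `files = (` list opens before this hunk.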
@@ -26643,20 +28023,28 @@ 6C588D7F1EAA14AA00D7E322 /* RateLimiterTests.m in Sources */, DC4DB15F1E2590B100CD6769 /* CKKSAESSIVEncryptionTests.m in Sources */, DC3502E71E0214C800BC0587 /* MockCloudKit.m in Sources */, + 6CAA8D151F83ECD9007B6E03 /* SFAnalytics.m in Sources */, DC6593D11ED8DAB900C19462 /* CKKSTests+CurrentPointerAPI.m in Sources */, + 6CBF65451FA2257500A68667 /* SFAnalyticsActivityTracker.m in Sources */, DCA85B9A1E8D981100BA7241 /* client_endpoint.m in Sources */, DCAD9B491F8D95F200C5E2AE /* CloudKitKeychainSyncingFixupTests.m in Sources */, + 0CA4EBF3202B8D9C002B1D96 /* CloudKitKeychainSyncingTestsBase.m in Sources */, DC9A2C5F1EB3F557008FAC27 /* CKKSTests+Coalesce.m in Sources */, DC222C8A1E089BAE00B09171 /* CKKSSQLTests.m in Sources */, DC15F79C1E68EAD5003B9A40 /* CKKSTests+API.m in Sources */, 4723C9D41F1531A30082882F /* CKKSLoggerTests.m in Sources */, + 6C73F48C2006B83D003D5D63 /* SOSAnalytics.m in Sources */, DCBF2F7D1F90084D00ED0CA4 /* CKKSTLKSharingTests.m in Sources */, + DCFABF8E20081E2F001128B5 /* CKKSDeviceStateUploadTests.m in Sources */, DC3502B81E0208BE00BC0587 /* CKKSTests.m in Sources */, 6C3446301E24F6BE00F9522B /* CKKSRateLimiterTests.m in Sources */, DCA85B961E8D980100BA7241 /* client.c in Sources */, + 6CAA8CFA1F83E7AC007B6E03 /* SFAnalyticsSQLiteStore.m in Sources */, DCE7F2091F21726500DDB0F7 /* CKKSAPSReceiverTests.m in Sources */, DC96053F1ECA2D6400AF9BDA /* SecTask.c in Sources */, DC08D1CC1E64FCC5006237DA /* CKKSSOSTests.m in Sources */, + 6CDB5FF71FA78D2100410924 /* SFAnalyticsMultiSampler.m in Sources */, + 6CDF8DF11F96498300140B54 /* SFAnalyticsSampler.m in Sources */, DC222CA81E08A7D900B09171 /* CloudKitMockXCTest.m in Sources */, DC9C75161E4BCE1800F1CA0D /* CKKSOperationTests.m in Sources */, DCB221561E8B08BF001598BC /* server_xpc.m in Sources */, 
@@ -26664,9 +28052,13 @@ DC4268FE1E820371002B7110 /* server_endpoint.m in Sources */, DCFE1C3D1F17EFB5007640C8 /* CKKSConditionTests.m in Sources */, DCCD33C91E3FE95900AA4AD1 /* spi.c in Sources */, + 6CFDC4551F907D2600646DBB /* SFObjCType.m in Sources */, DC9C95971F748D0B000D19E5 /* CKKSServerValidationRecoveryTests.m in Sources */, DC7341FE1F84642C00AB9BDF /* CKKSTLKSharingEncryptionTests.m in Sources */, DC5F35AC1EE0F27900900966 /* server_entitlement_helpers.c in Sources */, + DAEE055C1FAD3FC700DF27F3 /* AutoreleaseTest.c in Sources */, + DA19DAEF1FCFA420008E82EE /* CKKSControl.m in Sources */, + DA19DAF01FCFA425008E82EE /* CKKSControlProtocol.m in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -26682,18 +28074,27 @@ isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( + BEE4B18C1FFD585800777D39 /* OTAuthenticatedCiphertext.proto in Sources */, + BEB0B0D71FFC3D9A007E6A83 /* OTPrivateKey.proto in Sources */, + BE3405AC1FD7258900933DAC /* OTBottle.proto in Sources */, + BE3405AD1FD725A700933DAC /* OTBottleContents.proto in Sources */, DC9FD3361F86A34F00C8AAC8 /* CKKSSerializedKey.proto in Sources */, DC797E1A1DD3F9A400CC9E42 /* CKKSSQLDatabaseObject.m in Sources */, 6CC1859F1E24E8EB009657D8 /* CKKSRateLimiter.m in Sources */, DCFB12C71E95A4C000510F5F /* CKKSCKAccountStateTracker.m in Sources */, EBB407B31EBA46B200A541A5 /* CKKSPowerCollection.m in Sources */, DCCD88EA1E42622200F5AA71 /* CKKSGroupOperation.m in Sources */, + 0CD9E8001FE05B6600F66C38 /* OTContextRecord.m in Sources */, + BEB0B0DD1FFC45D7007E6A83 /* OTPrivateKey+SF.m in Sources */, DC54DD0F1EA7D9E700108E92 /* CKKSManifestLeafRecord.m in Sources */, DCDCCB901DF7B8D4006E840E /* CKKSItem.m in Sources */, DC1ED8C11DD5197E002BDCFA /* CKKSItemEncrypter.m in Sources */, DC6D2C921DD2835A00BE372D /* CKKSOutgoingQueueEntry.m in Sources */, 6C8CC3AD1E2F913C009025C5 /* AWDKeychainCKKSRateLimiterTopWriters.m in Sources */, DC378B3D1DF0CA7200A3DAFA /* CKKSIncomingQueueEntry.m in Sources */, + 0C8BBEA91FC9DBBF00580909 /* OTLocalStore.m in Sources */, + 4733377B1FDAFBCC00E19F30 /* SFKeychainControlManager.m in Sources */, + 0CE1BCCE1FCE11680017230E /* OTBottledPeerSigned.m in Sources */, DC5BB4FA1E0C90DE0010F836 /* CKKSIncomingQueueOperation.m in Sources */, DC5BB5001E0C98320010F836 /* CKKSOutgoingQueueOperation.m in Sources */, DC378B391DEFADB500A3DAFA /* CKKSZoneStateEntry.m in Sources */, 
@@ -26702,8 +28103,12 @@ DC15F7681E67A6F6003B9A40 /* CKKSHealKeyHierarchyOperation.m in Sources */, DCE278DF1ED789EF0083B485 /* CKKSCurrentItemPointer.m in Sources */, DC3D748E1FD2217900AC57DA /* CKKSLocalSynchronizeOperation.m in Sources */, + 0C8BBF151FCB4B1B00580909 /* OTManager.m in Sources */, + 0C8BBEA51FC9DBB100580909 /* OTEscrowKeys.m in Sources */, DCA4D1FF1E552DD50056214F /* CKKSCurrentKeyPointer.m in Sources */, + DA6AA1651FE88AFB004565B0 /* CKKSControlServer.m in Sources */, DCFE1C531F1825F7007640C8 /* CKKSUpdateDeviceStateOperation.m in Sources */, + 47922D481FAA7C3C0008F7E0 /* SecDbKeychainSerializedMetadata.m in Sources */, DCD6C4B41EC5302500414FEE /* CKKSNearFutureScheduler.m in Sources */, DC378B2F1DEF9E0E00A3DAFA /* CKKSMirrorEntry.m in Sources */, DC94BCCC1F10448600E07CEB /* CloudKitCategories.m in Sources */, 
@@ -26716,47 +28121,65 @@ DC18F7711E43E116006B8B43 /* CKKSFetchAllRecordZoneChangesOperation.m in Sources */, DC2C5F601F0EB97E00FEBDA7 /* CKKSNotifier.m in Sources */, DC52E7CF1D80BCFD00B0A59C /* SOSEngine.c in Sources */, - DC9C95B61F79CFD1000D19E5 /* CKKSControl.m in Sources */, DC4DB1521E24692100CD6769 /* CKKSKey.m in Sources */, DCBDB3BD1E57CA7A00B61300 /* CKKSViewManager.m in Sources */, + 471A03EC1F72E35B000A8904 /* SecDbKeychainItemV7.m in Sources */, + 0C8BBF171FCB4E5000580909 /* OTControlProtocol.m in Sources */, + EB4E0CDB1FF36A9700CDCACC /* CKKSReachabilityTracker.m in Sources */, DC52E7C41D80BCAD00B0A59C /* SecDbItem.c in Sources */, - DC52E7D31D80BD1800B0A59C /* SecDbKeychainItem.c in Sources */, + DC52E7D31D80BD1800B0A59C /* SecDbKeychainItem.m in Sources */, DC52E7CC1D80BCDF00B0A59C /* SecDbQuery.c in Sources */, DC14478C1F5764C600236DB4 /* CKKSResultOperation.m in Sources */, 479DA1721EBBA8D10065C98F /* CKKSManifest.m in Sources */, DC52E7CB1D80BCD800B0A59C /* SecItemBackupServer.c in Sources */, DC52E7CD1D80BCE700B0A59C /* SecItemDataSource.c in Sources */, - DCBF2F871F913EF000ED0CA4 /* CKKSHealTLKSharesOperation.m in Sources */, + DC124DCD20059BA900BE8DAC /* OctagonControlServer.m in Sources */, DC52E7DE1D80BD7F00B0A59C /* SecItemDb.c in Sources */, DC52E7E01D80BD8D00B0A59C /* SecItemSchema.c in Sources */, + EB10A3E820356E6500E84270 /* OTConstants.m in Sources */, + 0C5CFB382019610000913B9C /* OTRamping.m in Sources */, DC52E7D71D80BD2D00B0A59C /* SecItemServer.c in Sources */, - 479108B91EE879F9008CEFA0 /* CKKSAnalyticsLogger.m in Sources */, + 47922D441FAA7C2C0008F7E0 /* SecDbKeychainSerializedAKSWrappedKey.m in Sources */, + 479108B91EE879F9008CEFA0 /* CKKSAnalytics.m in Sources */, + 479108B91EE879F9008CEFA0 /* CKKSAnalytics.m in Sources */, + 0C8BBEE61FCA6E0500580909 /* OTContext.m in Sources */, DC1447981F5766D200236DB4 /* NSOperationCategories.m in Sources */, DCD8A0CF1E09EA1800E4FA0A /* SecKeybagSupport.c in Sources */, 
DC52E7E11D80BD9300B0A59C /* SecLogSettingsServer.m in Sources */, DCFE1C291F17E455007640C8 /* CKKSDeviceStateEntry.m in Sources */, DCAD9B461F8D939C00C5E2AE /* CKKSFixups.m in Sources */, + 0C8BBEA71FC9DBB500580909 /* OTIdentity.m in Sources */, 6C8CC3AC1E2F913C009025C5 /* AWDKeychainCKKSRateLimiterOverload.m in Sources */, DC52E7DC1D80BD4F00B0A59C /* SecOTRRemote.m in Sources */, DCE278EA1ED7A5B40083B485 /* CKKSUpdateCurrentItemPointerOperation.m in Sources */, DCD662F71E329B6800188186 /* CKKSNewTLKOperation.m in Sources */, DCB837321ED5045000015C07 /* CKKSLockStateTracker.m in Sources */, - DAD3BD011F9830BB00DF29BA /* CKKSControlProtocol.m in Sources */, + 0CE407AC1FD4769B00F59B31 /* OTCloudStoreState.m in Sources */, + 47922D4C1FAA7C4A0008F7E0 /* SecDbKeychainSerializedSecretData.m in Sources */, DCBDB3B71E57C82300B61300 /* CKKSKeychainView.m in Sources */, DC52E7D61D80BD2800B0A59C /* SecuritydXPC.c in Sources */, + 47922D561FAA7E0D0008F7E0 /* SecDbKeychainSerializedItemV7.m in Sources */, + 0CCCC7C920261D310024405E /* OT.m in Sources */, DC7A17EF1E36ABC200EF14CE /* CKKSProcessReceivedKeysOperation.m in Sources */, DC7341F51F8447AB00AB9BDF /* CKKSTLKShare.m in Sources */, + 0C5960811FB369C50095BA29 /* CKKSHealTLKSharesOperation.m in Sources */, DCA4D2171E5684220056214F /* CKKSReencryptOutgoingItemsOperation.m in Sources */, 5269658D1E6A154700627F9D /* SecBackupKeybagEntry.m in Sources */, DC52E7D41D80BD1D00B0A59C /* iCloudTrace.c in Sources */, DCEA5D871E2F14810089CF55 /* CKKSAPSReceiver.m in Sources */, + 0C8BBE9F1FC9DBA400580909 /* OTBottledPeer.m in Sources */, 6C869A791F54C37900957298 /* AWDKeychainSOSKeychainBackupFailed.m in Sources */, 6C869A751F50CAF400957298 /* SOSEnsureBackup.m in Sources */, + BE2AD2BA1FDA080800739F96 /* OTBottledPeerRecord.m in Sources */, + 0C770EC41FCF7E2000B5F0E2 /* OTCloudStore.m in Sources */, DCEA5D571E2826DB0089CF55 /* CKKSSIV.m in Sources */, + 0C36B3212007F2550029F7A2 /* OTPreflightInfo.m in Sources */, 
6C8CC3AB1E2F913C009025C5 /* AWDKeychainCKKSRateLimiterAggregatedScores.m in Sources */, + BEE4B1941FFD604B00777D39 /* OTAuthenticatedCiphertext+SF.m in Sources */, DC9082C41EA0277600D0C1C5 /* CKKSZoneChangeFetcher.m in Sources */, DCFE1C361F17ECE5007640C8 /* CKKSCondition.m in Sources */, DCEA5D971E3015830089CF55 /* CKKSZone.m in Sources */, + BEE4B19A1FFDAFE600777D39 /* SFECPublicKey+SPKI.m in Sources */, DC52E7C51D80BCB300B0A59C /* swcagent_client.c in Sources */, ); runOnlyForDeploymentPostprocessing = 0; @@ -26768,9 +28191,12 @@ 48E617211DBEC6BA0098EAAD /* SOSBackupInformation.m in Sources */, DC52E8F11D80C34000B0A59C /* SOSAccount.m in Sources */, DC52E8F31D80C34000B0A59C /* SOSAccountBackup.m in Sources */, + DCB332591F478C3C00178C30 /* SOSUserKeygen.m in Sources */, DC52E8F41D80C34000B0A59C /* SOSAccountCircles.m in Sources */, 0CD8CB0B1ECA50920076F37F /* SOSPeerOTRTimer.m in Sources */, + DC2670F51F3E711400816EED /* SOSAccountCloudParameters.m in Sources */, DCDCC7E51D9B5526006487E8 /* SOSAccountSync.m in Sources */, + DC2670F81F3E723B00816EED /* SOSAccountDer.m in Sources */, DC52E8F71D80C34000B0A59C /* SOSAccountCredentials.m in Sources */, DC52E8F91D80C34000B0A59C /* SOSAccountFullPeerInfo.m in Sources */, DC52E8FC1D80C34000B0A59C /* SOSAccountLog.m in Sources */, @@ -26782,6 +28208,7 @@ DC52E8FD1D80C34000B0A59C /* SOSAccountUpdate.m in Sources */, DC52E9001D80C34000B0A59C /* SOSAccountViewSync.m in Sources */, DC52E9011D80C34000B0A59C /* SOSBackupEvent.c in Sources */, + DC2670F71F3E721800816EED /* SOSAccountTrustClassic.m in Sources */, 7281E0871DFD01800021E1B7 /* SOSAccountGetSet.m in Sources */, 0C4899121E0E105D00C6CF70 /* SOSTransportCircleCK.m in Sources */, DC52E8DD1D80C31F00B0A59C /* SOSCoder.c in Sources */, 
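Review bot: The build-file entry `479108B91EE879F9008CEFA0 /* CKKSAnalytics.m in Sources */` is added twice in a row in the hunk at `@@ -26716,47 +28121,65 @@`, where the old list had a single `CKKSAnalyticsLogger.m` entry under the same object ID. One of the two `+` lines should be dropped so the Sources phase lists the file once. Xcode generally skips a repeated build file with a warning rather than failing, but a repeated ID makes the file list harder to audit, and it may point to a bad merge of the project file. The header of the PBXSourcesBuildPhase that owns this list lies outside the hunk, so the affected target cannot be named from here.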
@@ -26801,6 +28228,7 @@ 0CAD1E1C1E032ADB00537693 /* SOSCloudCircleServer.m in Sources */, DC52E8CF1D80C2FD00B0A59C /* SOSTransportMessageIDS.m in Sources */, 0CAC5DBF1EB3DA4C00AD884B /* SOSPeerRateLimiter.m in Sources */, + DAB27AE11FA29EE300DEBBDE /* SOSControlServer.m in Sources */, DC52E8D01D80C2FD00B0A59C /* SOSTransportMessageKVS.m in Sources */, ); runOnlyForDeploymentPostprocessing = 0; @@ -26813,6 +28241,7 @@ DC52EAA11D80CCAC00B0A59C /* SecurityTool.c in Sources */, DC52EAA01D80CCA700B0A59C /* whoami.m in Sources */, DC52EA9F1D80CCA100B0A59C /* digest_calc.c in Sources */, + 473337841FDB29C400E19F30 /* KeychainCheck.m in Sources */, EBEEEE3C1EA31D9600E15F5C /* SOSControlHelper.m in Sources */, DC52EA9E1D80CC9B00B0A59C /* leaks.c in Sources */, EB48C1A61E573EEC00EC5E57 /* sos.m in Sources */, @@ -26826,6 +28255,7 @@ buildActionMask = 2147483647; files = ( DC52EC1E1D80CF6700B0A59C /* verify_cert.c in Sources */, + D453C3901FEC66AE00DE349B /* trust_update.m in Sources */, DC52EC1D1D80CF6200B0A59C /* keychain_util.c in Sources */, DC52EC1C1D80CF5D00B0A59C /* add_internet_password.c in Sources */, DC52EC1B1D80CF5600B0A59C /* codesign.c in Sources */, 
@@ -26843,15 +28273,16 @@ isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( + DCD7EE841F4E46F9007D9804 /* accountCirclesViewsPrint.m in Sources */, 0C0CECA41DA45ED700C22FBC /* recovery_key.m in Sources */, DC52EC3B1D80CFE900B0A59C /* syncbackup.m in Sources */, DC52EC3A1D80CFE400B0A59C /* keychain_log.m in Sources */, - 48C2F93B1E4BCFE80093D70C /* accountCirclesViewsPrint.m in Sources */, DC52EC391D80CFDF00B0A59C /* secViewDisplay.c in Sources */, DC52EC381D80CFDB00B0A59C /* secToolFileIO.c in Sources */, DC52EC371D80CFD400B0A59C /* keychain_sync_test.m in Sources */, DC52EC361D80CFD000B0A59C /* keychain_sync.m in Sources */, DC3C7C901D83957F00F6A832 /* NSFileHandle+Formatting.m in Sources */, + DCE5DC0F1EA80256006308A6 /* SOSSysdiagnose.m in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; @@ -26925,7 +28356,7 @@ DC52ECBD1D80D22600B0A59C /* si-42-identity.c in Sources */, DC52ECBE1D80D22600B0A59C /* si-43-persistent.c in Sources */, DC52ECC31D80D22600B0A59C /* si-50-secrandom.c in Sources */, - DC52ECC71D80D22600B0A59C /* si-63-scep.c in Sources */, + DC52ECC71D80D22600B0A59C /* si-63-scep.m in Sources */, DC52ECCD1D80D22600B0A59C /* si-69-keydesc.c in Sources */, DC52ECD01D80D22600B0A59C /* si-72-syncableitems.c in Sources */, DC52ECD11D80D22600B0A59C /* si-73-secpasswordgenerate.c in Sources */, @@ -26934,7 +28365,7 @@ DC52ECD51D80D22600B0A59C /* si-78-query-attrs.c in Sources */, DC52ECD61D80D22600B0A59C /* si-80-empty-data.c in Sources */, DC52ECD91D80D22600B0A59C /* si-82-token-ag.c in Sources */, - DC52ECDD1D80D22600B0A59C /* si-89-cms-hash-agility.c in Sources */, + DC52ECDD1D80D22600B0A59C /* si-89-cms-hash-agility.m in Sources */, DC52ECDE1D80D22600B0A59C /* si-90-emcs.m in Sources */, DC52ECDF1D80D22600B0A59C /* si-95-cms-basic.c in Sources */, DC52EC981D80D1D100B0A59C /* vmdh-40.c in Sources */, 
@@ -27023,6 +28454,7 @@ 0CAD1E591E1C5CBD00537693 /* secd-52-offering-gencount-reset.m in Sources */, DC52EDDD1D80D5C500B0A59C /* secd-70-engine-corrupt.m in Sources */, DC52EDDE1D80D5C500B0A59C /* secd-70-engine-smash.m in Sources */, + 0C5F4FD81F952FEA00AF1616 /* secd-700-sftm.m in Sources */, 522B280E1E64B4BF002B5638 /* secd-230-keybagtable.m in Sources */, DC52EDDF1D80D5C500B0A59C /* secd-70-otr-remote.m in Sources */, DC52EDE21D80D5C500B0A59C /* secd-74-engine-beer-servers.m in Sources */, @@ -27067,7 +28499,7 @@ DC52EE441D80D71900B0A59C /* si-21-sectrust-asr.c in Sources */, DC52EE451D80D71900B0A59C /* si-22-sectrust-iap.c in Sources */, DC52EE471D80D71900B0A59C /* si-23-sectrust-ocsp.c in Sources */, - D48E4E241E42F0620011B4BA /* si-62-csr.c in Sources */, + D48E4E241E42F0620011B4BA /* si-62-csr.m in Sources */, DC52EE481D80D71900B0A59C /* si-24-sectrust-digicert-malaysia.c in Sources */, DC52EE491D80D71900B0A59C /* si-24-sectrust-diginotar.c in Sources */, DC52EE4A1D80D71900B0A59C /* si-24-sectrust-itms.c in Sources */, @@ -27091,6 +28523,7 @@ DC52EE5A1D80D73800B0A59C /* si-83-seccertificate-sighashalg.c in Sources */, DC52EE5B1D80D73800B0A59C /* si-97-sectrust-path-scoring.m in Sources */, D47E69401E92F75D002C8CF6 /* si-61-pkcs12.c in Sources */, + BEB9E9EC1FFF195C00676593 /* si-88-sectrust-valid.m in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -27125,19 +28558,6 @@ ); runOnlyForDeploymentPostprocessing = 0; }; - DC59E9D01D91C9DC001BDDF5 /* Sources */ = { - isa = PBXSourcesBuildPhase; - buildActionMask = 2147483647; - files = ( - DC59EA031D91CA0A001BDDF5 /* DER_Decode.c in Sources */, - DC59EA051D91CA0A001BDDF5 /* DER_Encode.c in Sources */, - DC59E9FE1D91CA0A001BDDF5 /* DER_Keys.c in Sources */, - DC59EA0A1D91CA0A001BDDF5 /* DER_Digest.c in Sources */, - DC59EA0B1D91CA0A001BDDF5 /* oids.c in Sources */, - DC59EA011D91CA0A001BDDF5 /* DER_CertCrl.c in Sources */, - ); - runOnlyForDeploymentPostprocessing = 0; - }; DC5ABDC11D832DAB00CF422C /* Sources */ = { isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; @@ -27596,7 +29016,6 @@ buildActionMask = 2147483647; files = ( 0CAD1E581E1C5C6C00537693 /* SOSCloudCircle.m in Sources */, - DCC78EE81D808B3500865A7C /* secToolFileIO.c in Sources */, DCC78EE71D808B2F00865A7C /* secViewDisplay.c in Sources */, DCC78EE61D808B2A00865A7C /* SecAccessControl.c in Sources */, DCC78EE51D808B2100865A7C /* SecBase64.c in Sources */, @@ -27605,7 +29024,6 @@ BEEB47D91EA189F5004AA5C6 /* SecTrustStatusCodes.c in Sources */, DCC78EE21D808B0E00865A7C /* SecCTKKey.c in Sources */, DCC78EE11D808B0900865A7C /* SecCertificate.c in Sources */, - DCC78EE01D808B0000865A7C /* SecCertificatePath.c in Sources */, DC4269041E82EDAC002B7110 /* SecItem.m in Sources */, EBEEEE3D1EA31DB000E15F5C /* SOSControlHelper.m in Sources */, DCC78EDF1D808AF800865A7C /* SecCertificateRequest.c in Sources */, @@ -27638,7 +29056,6 @@ DCC78EC51D808A4100865A7C /* SecRSAKey.c in Sources */, DCC78EC41D808A3B00865A7C /* SecSCEP.c in Sources */, DCC78EC31D808A2E00865A7C /* SecServerEncryptionSupport.c in Sources */, - 48C2F93A1E4BCFDC0093D70C /* accountCirclesViewsPrint.m in Sources */, DCC78EC21D808A2800865A7C /* SecSharedCredential.c in Sources */, DCC78EC11D808A2200865A7C /* SecSignatureVerificationSupport.c in Sources */, DCC78EC01D808A1C00865A7C /* SecTrust.c in Sources */, 
@@ -27826,7 +29243,6 @@ DCD66DBF1D82053E00DB1393 /* SecDigest.c in Sources */, BEEB47DA1EA189F5004AA5C6 /* SecTrustStatusCodes.c in Sources */, DCD66DBE1D82053700DB1393 /* SecBase64.c in Sources */, - DCD66DBD1D82053100DB1393 /* SecCertificatePath.c in Sources */, BE1F74D31F609D460068FA64 /* SecFramework.c in Sources */, DCD66DB61D82050900DB1393 /* SecKey.c in Sources */, DCD66DBC1D82052B00DB1393 /* SecKeyAdaptors.c in Sources */, @@ -27862,12 +29278,10 @@ isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; files = ( - DCD8A1DA1E09F54700E4FA0A /* SOSAccountDer.m in Sources */, - DCD8A1E31E09F7E700E4FA0A /* SOSAccountCloudParameters.m in Sources */, DCD8A19D1E09EEC800E4FA0A /* SOSBackupSliceKeyBag.m in Sources */, + DC2670FB1F3E72C000816EED /* SOSCircleDer.c in Sources */, EB75B4961E75A44100E469CC /* SOSPiggyback.m in Sources */, DCD8A1B31E09F12D00E4FA0A /* SOSCircle.c in Sources */, - DCD8A1AC1E09F09200E4FA0A /* SOSCircleDer.c in Sources */, DCD8A1FF1E09FA6100E4FA0A /* secViewDisplay.c in Sources */, DCD8A1B41E09F12D00E4FA0A /* SOSCircleV2.c in Sources */, DCD8A1A01E09EF3500E4FA0A /* SOSCloudKeychainClient.c in Sources */, @@ -27876,7 +29290,6 @@ DCD8A1A91E09F04700E4FA0A /* SOSECWrapUnwrap.c in Sources */, 0C4899251E0F38FA00C6CF70 /* SOSAccountTrustOctagon.m in Sources */, DCD8A1BD1E09F1D600E4FA0A /* SOSFullPeerInfo.m in Sources */, - DCD8A2001E09FA7900E4FA0A /* secToolFileIO.c in Sources */, DCD8A1B51E09F15400E4FA0A /* SOSGenCount.c in Sources */, DCD8A19F1E09EF0F00E4FA0A /* SOSInternal.m in Sources */, EBEEEE3F1EA31E6D00E15F5C /* SOSControlHelper.m in Sources */, 
@@ -27891,7 +29304,6 @@ 0CE7604E1E12F5BA00B4381E /* SOSAccountTrustClassic+Retirement.m in Sources */, DCD8A1A51E09EFAE00E4FA0A /* SOSPeerInfoV2.m in Sources */, 0CE760481E12F2F300B4381E /* SOSAccountTrustClassic+Expansion.m in Sources */, - 48C2F9391E4BCFDA0093D70C /* accountCirclesViewsPrint.m in Sources */, DCD8A1C21E09F23B00E4FA0A /* SOSRecoveryKeyBag.m in Sources */, DCD8A1B81E09F1BB00E4FA0A /* SOSRingBackup.m in Sources */, DCD8A1B91E09F1BB00E4FA0A /* SOSRingBasic.m in Sources */, @@ -27901,11 +29313,8 @@ DCD8A1BA1E09F1BB00E4FA0A /* SOSRingRecovery.m in Sources */, DCD8A1B01E09F0F400E4FA0A /* SOSRingTypes.m in Sources */, DCD8A1AF1E09F0DC00E4FA0A /* SOSRingUtils.c in Sources */, - 0C48991C1E0F384700C6CF70 /* SOSAccountTrustClassic.m in Sources */, DCD8A1B71E09F19100E4FA0A /* SOSRingV0.m in Sources */, - DCD8A1A31E09EF7800E4FA0A /* SOSSysdiagnose.m in Sources */, DCD8A1C71E09F2B400E4FA0A /* SOSTransport.m in Sources */, - DCD8A1A81E09F03100E4FA0A /* SOSUserKeygen.m in Sources */, DCD8A1511E09EE0F00E4FA0A /* SOSViews.m in Sources */, DCD8A19E1E09EEDA00E4FA0A /* SecRecoveryKey.m in Sources */, 0CE7604A1E12F30200B4381E /* SOSAccountTrustClassic+Circle.m in Sources */, @@ -28322,7 +29731,6 @@ files = ( DC5BCC481E53820200649140 /* SecArgParse.c in Sources */, EB27FF2D1E407FF600EC9E3A /* ckksctl.m in Sources */, - DCF7A8A51F0451AC00CABE89 /* CKKSControlProtocol.m in Sources */, ); runOnlyForDeploymentPostprocessing = 0; }; 
@@ -28350,6 +29758,26 @@ ); runOnlyForDeploymentPostprocessing = 0; }; + EB49B2AA202D877F003F34A0 /* Sources */ = { + isa = PBXSourcesBuildPhase; + buildActionMask = 2147483647; + files = ( + EB49B2E5202DFEB3003F34A0 /* mockaks.m in Sources */, + EB49B2DB202DF20F003F34A0 /* spi.c in Sources */, + EB49B2D7202DF1F7003F34A0 /* server_endpoint.m in Sources */, + EB49B2D8202DF1F7003F34A0 /* server_xpc.m in Sources */, + EB49B2D9202DF1F7003F34A0 /* server_security_helpers.c in Sources */, + EB49B2E0202DF5D7003F34A0 /* server_entitlement_helpers.c in Sources */, + EB6667C7204CD69F000B404F /* testPlistDER.m in Sources */, + EB49B2D5202DF1D8003F34A0 /* SecTask.c in Sources */, + EB49B2D4202DF1C1003F34A0 /* client.c in Sources */, + EB49B2D3202DF1AC003F34A0 /* SecdWatchdog.m in Sources */, + EB49B2B1202D8780003F34A0 /* secdmockaks.m in Sources */, + EB49B2D1202DF15F003F34A0 /* SFAnalyticsActivityTracker.m in Sources */, + EB49B2D0202DF14D003F34A0 /* SFAnalytics.m in Sources */, + ); + runOnlyForDeploymentPostprocessing = 0; + }; EB9C1D761BDFD0E000F89272 /* Sources */ = { isa = PBXSourcesBuildPhase; buildActionMask = 2147483647; 
@@ -28435,6 +29863,46 @@ target = 0C0BDB2E175685B000BC1A7E /* secdtests_ios */; targetProxy = 0C664AB31759270C0092D3D9 /* PBXContainerItemProxy */; }; + 0C78CCE51FCC97E7008B4B24 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 0C8BBEFD1FCB446400580909 /* otctl */; + targetProxy = 0C78CCE41FCC97E7008B4B24 /* PBXContainerItemProxy */; + }; + 0C78CCE71FCC97F1008B4B24 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 0C8BBEFD1FCB446400580909 /* otctl */; + targetProxy = 0C78CCE61FCC97F1008B4B24 /* PBXContainerItemProxy */; + }; + 0C85DFD41FB38BB6000343A7 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = DC222C371E034D1F00B09171 /* libsecurityd_ios_NO_AKS */; + targetProxy = 0C85DFD51FB38BB6000343A7 /* PBXContainerItemProxy */; + }; + 0C85DFD81FB38BB6000343A7 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = DC8834011D8A218F00CE0ACA /* ASN1_not_installed */; + targetProxy = 0C85DFD91FB38BB6000343A7 /* PBXContainerItemProxy */; + }; + 0C85DFDA1FB38BB6000343A7 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = DC0BCC211D8C684F00070CB0 /* utilities */; + targetProxy = 0C85DFDB1FB38BB6000343A7 /* PBXContainerItemProxy */; + }; + 0C85DFDC1FB38BB6000343A7 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = DCD8A1061E09EE0F00E4FA0A /* SecureObjectSyncFramework */; + targetProxy = 0C85DFDD1FB38BB6000343A7 /* PBXContainerItemProxy */; + }; + 0C85DFDE1FB38BB6000343A7 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = DC52E8BE1D80C25800B0A59C /* SecureObjectSyncServer */; + targetProxy = 0C85DFDF1FB38BB6000343A7 /* PBXContainerItemProxy */; + }; + 0C85DFE01FB38BB6000343A7 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = DCC78EA81D8088E200865A7C /* security */; + targetProxy = 0C85DFE11FB38BB6000343A7 /* PBXContainerItemProxy */; + }; 0C99B740131C984900584CF4 /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = 
0C6799F912F7C37C00712919 /* dtlsTests */; 
@@ -28465,11 +29933,51 @@ target = 4381690B1B4EDCBD00C54D58 /* SOSCCAuthPlugin */; targetProxy = 438169E61B4EE4B300C54D58 /* PBXContainerItemProxy */; }; + 478D426D1FD72A8100CAB645 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = DC52EDA61D80D58400B0A59C /* secdRegressions */; + targetProxy = 478D426E1FD72A8100CAB645 /* PBXContainerItemProxy */; + }; + 478D426F1FD72A8100CAB645 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = DC0BCBD91D8C648C00070CB0 /* regressionBase */; + targetProxy = 478D42701FD72A8100CAB645 /* PBXContainerItemProxy */; + }; + 478D42711FD72A8100CAB645 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = DC52E7731D80BC8000B0A59C /* libsecurityd_ios */; + targetProxy = 478D42721FD72A8100CAB645 /* PBXContainerItemProxy */; + }; + 478D42731FD72A8100CAB645 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = DCC78EA81D8088E200865A7C /* security */; + targetProxy = 478D42741FD72A8100CAB645 /* PBXContainerItemProxy */; + }; 47C51B8B1EEA657D0032D9E5 /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = DC1789031D77980500B50D50 /* Security_osx */; targetProxy = 47C51B8A1EEA657D0032D9E5 /* PBXContainerItemProxy */; }; + 47DE88CE1FA7AD6200DD3254 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = DCC78EA81D8088E200865A7C /* security */; + targetProxy = 47DE88CD1FA7AD6200DD3254 /* PBXContainerItemProxy */; + }; + 47DE88D51FA7AD7000DD3254 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = DC52E7731D80BC8000B0A59C /* libsecurityd_ios */; + targetProxy = 47DE88D41FA7AD7000DD3254 /* PBXContainerItemProxy */; + }; + 47DE88D71FA7ADAC00DD3254 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = DC0BCBD91D8C648C00070CB0 /* regressionBase */; + targetProxy = 47DE88D61FA7ADAC00DD3254 /* PBXContainerItemProxy */; + }; + 47DE88D91FA7ADBB00DD3254 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 
DC52EDA61D80D58400B0A59C /* secdRegressions */; + targetProxy = 47DE88D81FA7ADBB00DD3254 /* PBXContainerItemProxy */; + }; 4C52D0EE16EFCD720079966E /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = 4C52D0B316EFC61E0079966E /* CircleJoinRequested */; @@ -28515,11 +30023,6 @@ target = 5346480017331E1100FE9172 /* KeychainSyncAccountNotification */; targetProxy = 5346481A17331ED800FE9172 /* PBXContainerItemProxy */; }; - 5DDD0BEE16D6748900D6C0D6 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = 728B56A016D59979008FA3AB /* OTAPKIAssetTool */; - targetProxy = 5DDD0BED16D6748900D6C0D6 /* PBXContainerItemProxy */; - }; 5E10995419A5E80B00A60E2B /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = 5E10992419A5E55800A60E2B /* ISACLProtectedItems */; @@ -28540,10 +30043,15 @@ target = 6CCDF7831E3C25FA003F2555 /* KeychainEntitledTestRunner */; targetProxy = 6C24EF521E415132000DE79F /* PBXContainerItemProxy */; }; - 6C98082D1E788AEB00E70590 /* PBXTargetDependency */ = { + 6C7C38811FD88C4700DFFE68 /* PBXTargetDependency */ = { isa = PBXTargetDependency; - target = DC59E9AC1D91C9DC001BDDF5 /* DER_not_installed */; - targetProxy = 6C98082E1E788AEB00E70590 /* PBXContainerItemProxy */; + target = 6C46056B1F882B9B001421B6 /* KeychainAnalyticsTests */; + targetProxy = 6C7C38801FD88C4700DFFE68 /* PBXContainerItemProxy */; + }; + 6C7C38881FD88C5A00DFFE68 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 6C46056B1F882B9B001421B6 /* KeychainAnalyticsTests */; + targetProxy = 6C7C38871FD88C5A00DFFE68 /* PBXContainerItemProxy */; }; 6C98082F1E788AEB00E70590 /* PBXTargetDependency */ = { isa = PBXTargetDependency; 
@@ -28575,11 +30083,6 @@ target = DC222C371E034D1F00B09171 /* libsecurityd_ios_NO_AKS */; targetProxy = 6C98083C1E788AEB00E70590 /* PBXContainerItemProxy */; }; - 6C9808691E788AFD00E70590 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = DC59E9AC1D91C9DC001BDDF5 /* DER_not_installed */; - targetProxy = 6C98086A1E788AFD00E70590 /* PBXContainerItemProxy */; - }; 6C98086B1E788AFD00E70590 /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = DC8834011D8A218F00CE0ACA /* ASN1_not_installed */; @@ -28620,6 +30123,31 @@ target = 6CF4A0DF1E4549F200ECD7B5 /* KeychainEntitledTestApp_ios */; targetProxy = 6C9808A31E788CB100E70590 /* PBXContainerItemProxy */; }; + 6C9A49B21FAB647D00239D58 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = DC0BCC211D8C684F00070CB0 /* utilities */; + targetProxy = 6C9A49B11FAB647D00239D58 /* PBXContainerItemProxy */; + }; + 6CAA8CE51F82FD08007B6E03 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 6C9AA79D1F7C1D8F00D08296 /* supdctl */; + targetProxy = 6CAA8CE41F82FD08007B6E03 /* PBXContainerItemProxy */; + }; + 6CAA8CE91F82FD13007B6E03 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 6C9AA79D1F7C1D8F00D08296 /* supdctl */; + targetProxy = 6CAA8CE81F82FD13007B6E03 /* PBXContainerItemProxy */; + }; + 6CAA8D3D1F8431BC007B6E03 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 6CAA8D1F1F842FB3007B6E03 /* securityuploadd */; + targetProxy = 6CAA8D3C1F8431BC007B6E03 /* PBXContainerItemProxy */; + }; + 6CAA8D3F1F8431C9007B6E03 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 6CAA8D1F1F842FB3007B6E03 /* securityuploadd */; + targetProxy = 6CAA8D3E1F8431C9007B6E03 /* PBXContainerItemProxy */; + }; ACBAF6FE1E941E090007BA2F /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = ACBAF6991E9417F40007BA2F /* security_transform_regressions */; 
@@ -28715,11 +30243,6 @@ target = D4ADA3181E2B41670031CEA3 /* libtrustd */; targetProxy = D40B6A941E2B67FF00CD6EE5 /* PBXContainerItemProxy */; }; - D41257E41E941A8400781F23 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = DC59E9AC1D91C9DC001BDDF5 /* DER_not_installed */; - targetProxy = D41257E31E941A8400781F23 /* PBXContainerItemProxy */; - }; D41257E61E941ACC00781F23 /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = DC0BCC211D8C684F00070CB0 /* utilities */; @@ -28810,11 +30333,6 @@ target = 52D82BDD16A621F70078DFE5 /* CloudKeychainProxy */; targetProxy = D41AD4511B9788B2008C7270 /* PBXContainerItemProxy */; }; - D41AD45A1B978944008C7270 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = 728B56A016D59979008FA3AB /* OTAPKIAssetTool */; - targetProxy = D41AD4591B978944008C7270 /* PBXContainerItemProxy */; - }; D41AD45C1B978A7A008C7270 /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = 790851B50CA9859F0083CC4D /* securityd_ios */; @@ -28860,11 +30378,6 @@ target = 5EBE24791B00CCAE0007DB0E /* secacltests */; targetProxy = D41AD46D1B978F4C008C7270 /* PBXContainerItemProxy */; }; - D41AD4721B978F76008C7270 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = 728B56A016D59979008FA3AB /* OTAPKIAssetTool */; - targetProxy = D41AD4711B978F76008C7270 /* PBXContainerItemProxy */; - }; DA30D6821DF8C93500EC6B43 /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = DA30D6751DF8C8FB00EC6B43 /* KeychainSyncAccountUpdater */; 
@@ -29055,11 +30568,6 @@ target = DC52E8BE1D80C25800B0A59C /* SecureObjectSyncServer */; targetProxy = DC0984FF1E1DB70A00140ADC /* PBXContainerItemProxy */; }; - DC0B62961D90B6DB00D43BCB /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = DC1785041D77873100B50D50 /* copyHeadersToSystem */; - targetProxy = DC0B62951D90B6DB00D43BCB /* PBXContainerItemProxy */; - }; DC0BB4441ED4D74A0035F886 /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = DCC78EA81D8088E200865A7C /* security */; 
@@ -29185,15 +30693,30 @@ target = DC222C371E034D1F00B09171 /* libsecurityd_ios_NO_AKS */; targetProxy = DC222C781E034EE700B09171 /* PBXContainerItemProxy */; }; - DC3502C41E020D4D00BC0587 /* PBXTargetDependency */ = { + DC2671101F3E933700816EED /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = DC8834011D8A218F00CE0ACA /* ASN1_not_installed */; - targetProxy = DC3502C31E020D4D00BC0587 /* PBXContainerItemProxy */; + targetProxy = DC26710F1F3E933700816EED /* PBXContainerItemProxy */; + }; + DC34CD2D20326C2C00302481 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = DC52E8BE1D80C25800B0A59C /* SecureObjectSyncServer */; + targetProxy = DC34CD2C20326C2C00302481 /* PBXContainerItemProxy */; + }; + DC34CD3420326C3100302481 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = DCD8A1061E09EE0F00E4FA0A /* SecureObjectSyncFramework */; + targetProxy = DC34CD3320326C3100302481 /* PBXContainerItemProxy */; + }; + DC34CD3620326C3B00302481 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = DC0BCC211D8C684F00070CB0 /* utilities */; + targetProxy = DC34CD3520326C3B00302481 /* PBXContainerItemProxy */; }; - DC3502C71E020D5600BC0587 /* PBXTargetDependency */ = { + DC3502C41E020D4D00BC0587 /* PBXTargetDependency */ = { isa = PBXTargetDependency; - target = DC59E9AC1D91C9DC001BDDF5 /* DER_not_installed */; - targetProxy = DC3502C61E020D5600BC0587 /* PBXContainerItemProxy */; + target = DC8834011D8A218F00CE0ACA /* ASN1_not_installed */; + targetProxy = DC3502C31E020D4D00BC0587 /* PBXContainerItemProxy */; }; DC3502CE1E020E2200BC0587 /* PBXTargetDependency */ = { isa = PBXTargetDependency; 
@@ -29305,66 +30828,6 @@ name = libCMS; targetProxy = DC59E9A81D91C7CC001BDDF5 /* PBXContainerItemProxy */; }; - DC59EA761D91CC5E001BDDF5 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = DC59E9AC1D91C9DC001BDDF5 /* DER_not_installed */; - targetProxy = DC59EA751D91CC5E001BDDF5 /* PBXContainerItemProxy */; - }; - DC59EA791D91CC78001BDDF5 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = DC59E9AC1D91C9DC001BDDF5 /* DER_not_installed */; - targetProxy = DC59EA781D91CC78001BDDF5 /* PBXContainerItemProxy */; - }; - DC59EA7D1D91CCAA001BDDF5 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = DC59E9AC1D91C9DC001BDDF5 /* DER_not_installed */; - targetProxy = DC59EA7C1D91CCAA001BDDF5 /* PBXContainerItemProxy */; - }; - DC59EA811D91CD16001BDDF5 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = DC59E9AC1D91C9DC001BDDF5 /* DER_not_installed */; - targetProxy = DC59EA801D91CD16001BDDF5 /* PBXContainerItemProxy */; - }; - DC59EA841D91CD2C001BDDF5 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = DC59E9AC1D91C9DC001BDDF5 /* DER_not_installed */; - targetProxy = DC59EA831D91CD2C001BDDF5 /* PBXContainerItemProxy */; - }; - DC59EA871D91CD76001BDDF5 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = DC59E9AC1D91C9DC001BDDF5 /* DER_not_installed */; - targetProxy = DC59EA861D91CD76001BDDF5 /* PBXContainerItemProxy */; - }; - DC59EA8A1D91CD89001BDDF5 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = DC59E9AC1D91C9DC001BDDF5 /* DER_not_installed */; - targetProxy = DC59EA891D91CD89001BDDF5 /* PBXContainerItemProxy */; - }; - DC59EA8D1D91CDB9001BDDF5 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = DC59E9AC1D91C9DC001BDDF5 /* DER_not_installed */; - targetProxy = DC59EA8C1D91CDB9001BDDF5 /* PBXContainerItemProxy */; - }; - DC59EA901D91CDC6001BDDF5 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = 
DC59E9AC1D91C9DC001BDDF5 /* DER_not_installed */; - targetProxy = DC59EA8F1D91CDC6001BDDF5 /* PBXContainerItemProxy */; - }; - DC59EA931D91CDD6001BDDF5 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = DC59E9AC1D91C9DC001BDDF5 /* DER_not_installed */; - targetProxy = DC59EA921D91CDD6001BDDF5 /* PBXContainerItemProxy */; - }; - DC59EA961D91CDEE001BDDF5 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = DC59E9AC1D91C9DC001BDDF5 /* DER_not_installed */; - targetProxy = DC59EA951D91CDEE001BDDF5 /* PBXContainerItemProxy */; - }; - DC59EA991D91CE8C001BDDF5 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = DC59E9AC1D91C9DC001BDDF5 /* DER_not_installed */; - targetProxy = DC59EA981D91CE8C001BDDF5 /* PBXContainerItemProxy */; - }; DC5ABE1C1D832F5E00CF422C /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = DC5ABDC41D832DAB00CF422C /* securitytool_macos */; @@ -29385,11 +30848,6 @@ target = DC5AC04F1D8352D900CF422C /* securityd_macos */; targetProxy = DC5AC12E1D8356DA00CF422C /* PBXContainerItemProxy */; }; - DC5AC1341D835C2300CF422C /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = DC1785041D77873100B50D50 /* copyHeadersToSystem */; - targetProxy = DC5AC1331D835C2300CF422C /* PBXContainerItemProxy */; - }; DC61096B1D78E60C002223DE /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = 5EBE24791B00CCAE0007DB0E /* secacltests */; 
@@ -29675,16 +31133,6 @@ target = DC8834011D8A218F00CE0ACA /* ASN1_not_installed */; targetProxy = DC71DA061D95BE2F0065FB93 /* PBXContainerItemProxy */; }; - DC71DA091D95BEE00065FB93 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = DC59E9AC1D91C9DC001BDDF5 /* DER_not_installed */; - targetProxy = DC71DA081D95BEE00065FB93 /* PBXContainerItemProxy */; - }; - DC71DA0B1D95BEF60065FB93 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = DC59E9AC1D91C9DC001BDDF5 /* DER_not_installed */; - targetProxy = DC71DA0A1D95BEF60065FB93 /* PBXContainerItemProxy */; - }; DC71DA0D1D95DD670065FB93 /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = DC52E8BE1D80C25800B0A59C /* SecureObjectSyncServer */; @@ -29705,6 +31153,11 @@ target = DC8834011D8A218F00CE0ACA /* ASN1_not_installed */; targetProxy = DC89998A1E410DBF00E6E604 /* PBXContainerItemProxy */; }; + DCB332471F47857D00178C30 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = DC52EC211D80CFB200B0A59C /* SOSCommands */; + targetProxy = DCB332461F47857D00178C30 /* PBXContainerItemProxy */; + }; DCB340191D8A248C0054D16E /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = DC8834011D8A218F00CE0ACA /* ASN1_not_installed */; @@ -29945,6 +31398,16 @@ target = DCD8A1061E09EE0F00E4FA0A /* SecureObjectSyncFramework */; targetProxy = DCD8A2061E09FB1F00E4FA0A /* PBXContainerItemProxy */; }; + DCDB29761FD8839F00B5D242 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 0C85DFD11FB38BB6000343A7 /* OTTests */; + targetProxy = DCDB29751FD8839F00B5D242 /* PBXContainerItemProxy */; + }; + DCDB29781FD883AB00B5D242 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = 0C85DFD11FB38BB6000343A7 /* OTTests */; + targetProxy = DCDB29771FD883AB00B5D242 /* PBXContainerItemProxy */; + }; DCE4E6AA1D7A38E700AFB96E /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = DCE4E68A1D7A37FA00AFB96E /* security2tool_macos */; 
@@ -29995,6 +31458,11 @@ target = DCE4E9101D7F3D5300AFB96E /* Keychain Circle Notification */; targetProxy = DCE4E9721D7F3FC200AFB96E /* PBXContainerItemProxy */; }; + DCE5DC171EA804E5006308A6 /* PBXTargetDependency */ = { + isa = PBXTargetDependency; + target = DC52EC211D80CFB200B0A59C /* SOSCommands */; + targetProxy = DCE5DC161EA804E5006308A6 /* PBXContainerItemProxy */; + }; DCF785011D88B80600E694BB /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = DCF7830A1D88B4DE00E694BB /* security_apple_csp */; @@ -30325,11 +31793,6 @@ target = DCD8A1061E09EE0F00E4FA0A /* SecureObjectSyncFramework */; targetProxy = EBFBC2B51E76587800A34469 /* PBXContainerItemProxy */; }; - EBFBC2B81E76588200A34469 /* PBXTargetDependency */ = { - isa = PBXTargetDependency; - target = DC59E9AC1D91C9DC001BDDF5 /* DER_not_installed */; - targetProxy = EBFBC2B71E76588200A34469 /* PBXContainerItemProxy */; - }; EBFBC2BA1E76588A00A34469 /* PBXTargetDependency */ = { isa = PBXTargetDependency; target = DC8834011D8A218F00CE0ACA /* ASN1_not_installed */; @@ -30448,6 +31911,23 @@ name = InfoPlist.strings; sourceTree = ""; }; + D479F6DF1F980F8F00388D28 /* Trust.strings */ = { + isa = PBXVariantGroup; + children = ( + D479F6E01F980F8F00388D28 /* English */, + ); + name = Trust.strings; + sourceTree = ""; + }; + D4C263CC1F952F6C001317EA /* SecErrorMessages.strings */ = { + isa = PBXVariantGroup; + children = ( + D4C263CD1F952F6C001317EA /* SecErrorMessages.strings */, + ); + name = SecErrorMessages.strings; + path = derived_src/en.lproj/; + sourceTree = BUILT_PRODUCTS_DIR; + }; DC0B622D1D909C4600D43BCB /* MainMenu.xib */ = { isa = PBXVariantGroup; children = ( 
@@ -30603,16 +32083,16 @@ ); GCC_WARN_FOUR_CHARACTER_CONSTANTS = NO; INSTALL_PATH = /usr/local/bin; - LIBRARY_SEARCH_PATHS = ( - "$(inherited)", - "$(SDKROOT)/usr/lib/system", - ); OTHER_LDFLAGS = ( "-ObjC", "$(OTHER_LDFLAGS_PROTOBUF)", "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_MOBILEASSET)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); "OTHER_LDFLAGS[sdk=embedded]" = ( "$(inherited)", @@ -30626,6 +32106,9 @@ "$(OTHER_LDFLAGS_SHAREDWEBCREDENTIALS)", "-framework", CrashReporterSupport, + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); PRODUCT_NAME = secdtests; STRIP_STYLE = debugging; @@ -30647,16 +32130,16 @@ ); GCC_WARN_FOUR_CHARACTER_CONSTANTS = NO; INSTALL_PATH = /usr/local/bin; - LIBRARY_SEARCH_PATHS = ( - "$(inherited)", - "$(SDKROOT)/usr/lib/system", - ); OTHER_LDFLAGS = ( "-ObjC", "$(OTHER_LDFLAGS_PROTOBUF)", "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_MOBILEASSET)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); "OTHER_LDFLAGS[sdk=embedded]" = ( "$(inherited)", @@ -30670,6 +32153,8 @@ "$(OTHER_LDFLAGS_SHAREDWEBCREDENTIALS)", "-framework", CrashReporterSupport, + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); PRODUCT_NAME = secdtests; STRIP_STYLE = debugging; 
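Review bot: The `"OTHER_LDFLAGS[sdk=embedded]"` list in the second secdtests configuration (hunk `@@ -30670,6 +32153,8 @@`) gains `$(OTHER_LDFLAGS_IMCORE)` and `$(OTHER_LDFLAGS_ACCOUNTS)` but not `$(OTHER_LDFLAGS_CORECDP)`, while the same list in the first configuration (`@@ -30626,6 +32106,9 @@`) gets all three. If the omission is not deliberate, add `"$(OTHER_LDFLAGS_CORECDP)",` there so both configurations of the test binary link the same set on embedded SDKs. The list opens with `$(inherited)`, so the flag may still arrive from the unconditional `OTHER_LDFLAGS`, which would make the difference harmless but still worth removing. The enclosing `buildSettings` dictionaries start outside these hunks, so which configuration is Debug and which is Release is not visible here.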
@@ -30750,6 +32235,186 @@ }; name = Release; }; + 0C85E0011FB38BB6000343A7 /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_ANALYZER_NONNULL = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_DOCUMENTATION_COMMENTS = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_UNREACHABLE_CODE = YES; + CODE_SIGN_IDENTITY = ""; + FRAMEWORK_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)/../../AppleInternal/Library/Frameworks", + "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + ); + GCC_PREPROCESSOR_DEFINITIONS = ( + "NO_SERVER=1", + "$(inherited)", + ); + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_FOUR_CHARACTER_CONSTANTS = NO; + INFOPLIST_FILE = "keychain/ot/tests/OTTests-Info.plist"; + INSTALL_PATH = /AppleInternal/XCTests/com.apple.security/; + LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks @loader_path/Frameworks"; + "LD_RUNPATH_SEARCH_PATHS[sdk=iphonesimulator*]" = "$(inherited) @executable_path/../Frameworks @loader_path/../Frameworks"; + "LD_RUNPATH_SEARCH_PATHS[sdk=macosx*]" = "$(inherited) @executable_path/../Frameworks @loader_path/../Frameworks"; + MTL_ENABLE_DEBUG_INFO = YES; + OTHER_LDFLAGS = ( + "$(APPLE_AKS_LIBRARY)", + "$(OTHER_LDFLAGS_APPLEIDAUTHSUPPORT)", + "$(OTHER_LDFLAGS_PROTOBUF)", + "$(OTHER_LDFLAGS_MOBILEGESTALT)", + "$(OTHER_LDFLAGS_DIAGNOSTICSMESSAGESCLIENT)", + "$(OTHER_LDFLAGS_APPLESYSTEMINFO)", + "$(OTHER_LDFLAGS_APS)", + "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", + "$(OTHER_LDFLAGS_SHAREDWEBCREDENTIALS)", + "-ObjC", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", + ); + "OTHER_LDFLAGS[sdk=iphoneos*]" = ( + "$(APPLE_AKS_LIBRARY)", + "$(OTHER_LDFLAGS_APPLEIDAUTHSUPPORT)", + "$(OTHER_LDFLAGS_PROTOBUF)", + "$(OTHER_LDFLAGS_MOBILEGESTALT)", + "$(OTHER_LDFLAGS_DIAGNOSTICSMESSAGESCLIENT)", + "$(OTHER_LDFLAGS_APPLESYSTEMINFO)", + 
"$(OTHER_LDFLAGS_APS)", + "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", + "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", + "$(OTHER_LDFLAGS_SHAREDWEBCREDENTIALS)", + "-ObjC", + "-framework", + CrashReporterSupport, + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", + ); + PRODUCT_BUNDLE_IDENTIFIER = com.apple.security.OTTests; + PRODUCT_NAME = "$(TARGET_NAME)"; + USE_XCTRUNNER = YES; + }; + name = Debug; + }; + 0C85E0021FB38BB6000343A7 /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_ANALYZER_NONNULL = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_DOCUMENTATION_COMMENTS = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_UNREACHABLE_CODE = YES; + CODE_SIGN_IDENTITY = ""; + FRAMEWORK_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)/../../AppleInternal/Library/Frameworks", + "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + ); + GCC_PREPROCESSOR_DEFINITIONS = ( + "NO_SERVER=1", + "$(inherited)", + ); + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_FOUR_CHARACTER_CONSTANTS = NO; + INFOPLIST_FILE = "keychain/ot/tests/OTTests-Info.plist"; + INSTALL_PATH = /AppleInternal/XCTests/com.apple.security/; + LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks @loader_path/Frameworks"; + "LD_RUNPATH_SEARCH_PATHS[sdk=iphonesimulator*]" = "$(inherited) @executable_path/../Frameworks @loader_path/../Frameworks"; + "LD_RUNPATH_SEARCH_PATHS[sdk=macosx*]" = "$(inherited) @executable_path/../Frameworks @loader_path/../Frameworks"; + MTL_ENABLE_DEBUG_INFO = NO; + OTHER_LDFLAGS = ( + "$(APPLE_AKS_LIBRARY)", + "$(OTHER_LDFLAGS_APPLEIDAUTHSUPPORT)", + "$(OTHER_LDFLAGS_PROTOBUF)", + "$(OTHER_LDFLAGS_MOBILEGESTALT)", + "$(OTHER_LDFLAGS_DIAGNOSTICSMESSAGESCLIENT)", + "$(OTHER_LDFLAGS_APPLESYSTEMINFO)", + "$(OTHER_LDFLAGS_APS)", + "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", + "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", 
+ "$(OTHER_LDFLAGS_SHAREDWEBCREDENTIALS)", + "-ObjC", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", + ); + "OTHER_LDFLAGS[sdk=iphoneos*]" = ( + "$(APPLE_AKS_LIBRARY)", + "$(OTHER_LDFLAGS_APPLEIDAUTHSUPPORT)", + "$(OTHER_LDFLAGS_PROTOBUF)", + "$(OTHER_LDFLAGS_MOBILEGESTALT)", + "$(OTHER_LDFLAGS_DIAGNOSTICSMESSAGESCLIENT)", + "$(OTHER_LDFLAGS_APPLESYSTEMINFO)", + "$(OTHER_LDFLAGS_APS)", + "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_PREQUELITE)", + "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", + "$(OTHER_LDFLAGS_SHAREDWEBCREDENTIALS)", + "-ObjC", + "-framework", + CrashReporterSupport, + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", + ); + PRODUCT_BUNDLE_IDENTIFIER = com.apple.security.OTTests; + PRODUCT_NAME = "$(TARGET_NAME)"; + USE_XCTRUNNER = YES; + VALIDATE_PRODUCT = YES; + }; + name = Release; + }; + 0C8BBF061FCB446400580909 /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_ANALYZER_NONNULL = YES; + CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_UNREACHABLE_CODE = YES; + CODE_SIGN_ENTITLEMENTS = "keychain/otctl/otctl-Entitlements.plist"; + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_DYNAMIC_NO_PIC = NO; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + INSTALL_PATH = /usr/local/bin; + MTL_ENABLE_DEBUG_INFO = YES; + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Debug; + }; + 0C8BBF071FCB446400580909 /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_ANALYZER_NONNULL = YES; + CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_UNREACHABLE_CODE = YES; + CODE_SIGN_ENTITLEMENTS 
= "keychain/otctl/otctl-Entitlements.plist"; + COPY_PHASE_STRIP = NO; + ENABLE_NS_ASSERTIONS = NO; + GCC_C_LANGUAGE_STANDARD = gnu99; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + INSTALL_PATH = /usr/local/bin; + MTL_ENABLE_DEBUG_INFO = NO; + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Release; + }; 225394B21E3080A600D3CD9B /* Debug */ = { isa = XCBuildConfiguration; baseConfigurationReference = D47C56AB1DCA831C00E18518 /* lib_ios_x64.xcconfig */; @@ -30780,7 +32445,7 @@ "$(PROJECT_DIR)/OSX/libsecurity_asn1", "$(PROJECT_DIR)/OSX/libsecurity_ssl", "$(PROJECT_DIR)/OSX/regressions", - "$(PROJECT_DIR)/OSX/ibsecurity_keychain/libDER", + "$(SDKROOT)/usr/local/include/security_libDER", "$(DSTROOT)/usr/local/include", "${BUILT_PRODUCTS_DIR}/cstemp/**", ); @@ -30829,7 +32494,7 @@ "$(PROJECT_DIR)/OSX/libsecurity_asn1", "$(PROJECT_DIR)/OSX/libsecurity_ssl", "$(PROJECT_DIR)/OSX/regressions", - "$(PROJECT_DIR)/OSX/ibsecurity_keychain/libDER", + "$(SDKROOT)/usr/local/include/security_libDER", "$(DSTROOT)/usr/local/include", "${BUILT_PRODUCTS_DIR}/cstemp/**", ); 
@@ -30916,6 +32581,85 @@ }; name = Release; }; + 4727FBBC1F9918590003AE36 /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_ANALYZER_NONNULL = YES; + CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++14"; + CLANG_ENABLE_MODULES = NO; + CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; + CLANG_WARN_COMMA = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; + CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_STRICT_PROTOTYPES = NO; + CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; + CLANG_WARN_UNREACHABLE_CODE = YES; + CODE_SIGN_ENTITLEMENTS = "secdtests/secdtests-entitlements.plist"; + CODE_SIGN_IDENTITY = "-"; + CODE_SIGN_STYLE = Automatic; + DEBUG_INFORMATION_FORMAT = dwarf; + FRAMEWORK_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + ); + GCC_DYNAMIC_NO_PIC = NO; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_FOUR_CHARACTER_CONSTANTS = NO; + INFOPLIST_FILE = secdxctests/Info.plist; + IPHONEOS_DEPLOYMENT_TARGET = 11.3; + LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks @loader_path/Frameworks"; + MTL_ENABLE_DEBUG_INFO = YES; + PRODUCT_BUNDLE_IDENTIFIER = com.apple.secdxctests; + PRODUCT_NAME = "$(TARGET_NAME)"; + SDKROOT = iphoneos.internal; + TARGETED_DEVICE_FAMILY = "1,2"; + }; + name = Debug; + }; + 4727FBBD1F9918590003AE36 /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_ANALYZER_NONNULL = YES; + CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++14"; + CLANG_ENABLE_MODULES = NO; + CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; + CLANG_WARN_COMMA = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; + CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; + 
CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_STRICT_PROTOTYPES = NO; + CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; + CLANG_WARN_UNREACHABLE_CODE = YES; + CODE_SIGN_ENTITLEMENTS = "secdtests/secdtests-entitlements.plist"; + CODE_SIGN_IDENTITY = "-"; + CODE_SIGN_STYLE = Automatic; + COPY_PHASE_STRIP = NO; + ENABLE_NS_ASSERTIONS = NO; + FRAMEWORK_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + ); + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_FOUR_CHARACTER_CONSTANTS = NO; + INFOPLIST_FILE = secdxctests/Info.plist; + IPHONEOS_DEPLOYMENT_TARGET = 11.3; + LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks @loader_path/Frameworks"; + MTL_ENABLE_DEBUG_INFO = NO; + PRODUCT_BUNDLE_IDENTIFIER = com.apple.secdxctests; + PRODUCT_NAME = "$(TARGET_NAME)"; + SDKROOT = iphoneos.internal; + TARGETED_DEVICE_FAMILY = "1,2"; + VALIDATE_PRODUCT = YES; + }; + name = Release; + }; 47702B231E5F409700B29577 /* Debug */ = { isa = XCBuildConfiguration; buildSettings = { 
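Review bot: Both new secdxctests configurations sign with `CODE_SIGN_ENTITLEMENTS = "secdtests/secdtests-entitlements.plist"`, so the XCTest bundle carries whatever secdtests is entitled to rather than a set scoped to its own tests. The contents of that plist are not visible here, so the reuse may be intended. If the bundle needs fewer entitlements, a dedicated file (for example `secdxctests/secdxctests-entitlements.plist`, a placeholder name) would keep the grant minimal and stop later additions to the secdtests plist from silently widening it. The same setting is repeated in the `macosx.internal` pair added by `@@ -31004,6 +32748,85 @@`.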
@@ -31004,6 +32748,85 @@ }; name = Release; }; + 478D429A1FD72A8100CAB645 /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_ANALYZER_NONNULL = YES; + CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++14"; + CLANG_ENABLE_MODULES = NO; + CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; + CLANG_WARN_COMMA = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; + CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_STRICT_PROTOTYPES = NO; + CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; + CLANG_WARN_UNREACHABLE_CODE = YES; + CODE_SIGN_ENTITLEMENTS = "secdtests/secdtests-entitlements.plist"; + CODE_SIGN_IDENTITY = "-"; + CODE_SIGN_STYLE = Automatic; + DEBUG_INFORMATION_FORMAT = dwarf; + FRAMEWORK_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + ); + GCC_DYNAMIC_NO_PIC = NO; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_FOUR_CHARACTER_CONSTANTS = NO; + INFOPLIST_FILE = secdxctests/Info.plist; + IPHONEOS_DEPLOYMENT_TARGET = 11.3; + LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks @loader_path/Frameworks"; + MTL_ENABLE_DEBUG_INFO = YES; + PRODUCT_BUNDLE_IDENTIFIER = com.apple.secdxctests; + PRODUCT_NAME = "$(TARGET_NAME)"; + SDKROOT = macosx.internal; + TARGETED_DEVICE_FAMILY = "1,2"; + }; + name = Debug; + }; + 478D429B1FD72A8100CAB645 /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_ANALYZER_NONNULL = YES; + CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++14"; + CLANG_ENABLE_MODULES = NO; + CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; + CLANG_WARN_COMMA = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; + CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; + 
CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_STRICT_PROTOTYPES = NO; + CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; + CLANG_WARN_UNREACHABLE_CODE = YES; + CODE_SIGN_ENTITLEMENTS = "secdtests/secdtests-entitlements.plist"; + CODE_SIGN_IDENTITY = "-"; + CODE_SIGN_STYLE = Automatic; + COPY_PHASE_STRIP = NO; + ENABLE_NS_ASSERTIONS = NO; + FRAMEWORK_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + ); + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_FOUR_CHARACTER_CONSTANTS = NO; + INFOPLIST_FILE = secdxctests/Info.plist; + IPHONEOS_DEPLOYMENT_TARGET = 11.3; + LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/Frameworks @loader_path/Frameworks"; + MTL_ENABLE_DEBUG_INFO = NO; + PRODUCT_BUNDLE_IDENTIFIER = com.apple.secdxctests; + PRODUCT_NAME = "$(TARGET_NAME)"; + SDKROOT = macosx.internal; + TARGETED_DEVICE_FAMILY = "1,2"; + VALIDATE_PRODUCT = YES; + }; + name = Release; + }; 47C51B8C1EEA657D0032D9E5 /* Debug */ = { isa = XCBuildConfiguration; buildSettings = { @@ -31026,11 +32849,9 @@ GCC_WARN_FOUR_CHARACTER_CONSTANTS = NO; INFOPLIST_FILE = SecurityUnitTests/Info.plist; LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks @loader_path/../Frameworks"; - MACOSX_DEPLOYMENT_TARGET = 10.12; MTL_ENABLE_DEBUG_INFO = YES; PRODUCT_BUNDLE_IDENTIFIER = com.apple.SecurityUnitTests; PRODUCT_NAME = "$(TARGET_NAME)"; - SDKROOT = macosx; }; name = Debug; }; @@ -31056,11 +32877,9 @@ GCC_WARN_FOUR_CHARACTER_CONSTANTS = NO; INFOPLIST_FILE = SecurityUnitTests/Info.plist; LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks @loader_path/../Frameworks"; - MACOSX_DEPLOYMENT_TARGET = 10.12; MTL_ENABLE_DEBUG_INFO = NO; PRODUCT_BUNDLE_IDENTIFIER = com.apple.SecurityUnitTests; PRODUCT_NAME = "$(TARGET_NAME)"; - SDKROOT = macosx; }; name = Release; }; 
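Review bot: The `478D429A1FD72A8100CAB645` and `478D429B1FD72A8100CAB645` configurations set `SDKROOT = macosx.internal` but keep `IPHONEOS_DEPLOYMENT_TARGET = 11.3`, `TARGETED_DEVICE_FAMILY = "1,2"` and the runpath `@executable_path/Frameworks @loader_path/Frameworks`, which look copied from the `iphoneos.internal` pair added earlier in this diff. The macOS SecurityUnitTests configuration visible as context on this page uses `@executable_path/../Frameworks @loader_path/../Frameworks`, so frameworks embedded next to this bundle may not resolve at load time. Consider `LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks @loader_path/../Frameworks";` and dropping the two iOS-only keys, unless the target is built differently than this hunk suggests.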
@@ -31091,7 +32910,7 @@ HEADER_SEARCH_PATHS = ( "$(inherited)", "$(PROJECT_DIR)", - "$(PROJECT_DIR)/OSX/libsecurity_keychain/libDER", + "$(SDKROOT)/usr/local/include/security_libDER", "$(PROJECT_DIR)/OSX/libsecurity_asn1", "$(PROJECT_DIR)/libsecurity_smime", "$(PROJECT_DIR)/OSX/sec/ProjectHeaders", @@ -31139,7 +32958,7 @@ HEADER_SEARCH_PATHS = ( "$(inherited)", "$(PROJECT_DIR)", - "$(PROJECT_DIR)/OSX/libsecurity_keychain/libDER", + "$(SDKROOT)/usr/local/include/security_libDER", "$(PROJECT_DIR)/OSX/libsecurity_asn1", "$(PROJECT_DIR)/libsecurity_smime", "$(PROJECT_DIR)/OSX/sec/ProjectHeaders", @@ -31208,10 +33027,6 @@ "$(PROJECT_DIR)/OSX/regressions", ); INFOPLIST_FILE = "SecurityTests/SecurityDevTests-Info.plist"; - LIBRARY_SEARCH_PATHS = ( - "$(inherited)", - "\"$(SDKROOT)/usr/lib/system\"", - ); OTHER_LDFLAGS = ( "$(inherited)", "$(OTHER_LDFLAGS_APS)", @@ -31219,6 +33034,10 @@ "$(OTHER_LDFLAGS_PROTOBUF)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_SECURITYFOUNDATION)", + "$(OTHER_LDFLAGS_PREQUELITE)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); "OTHER_LDFLAGS[sdk=embedded][arch=*]" = ( "$(inherited)", @@ -31235,6 +33054,10 @@ "$(OTHER_LDFLAGS_CLOUDKIT)", "$(OTHER_LDFLAGS_PROTOBUF)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", + "$(OTHER_LDFLAGS_PREQUELITE)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); PRODUCT_BUNDLE_IDENTIFIER = "com.apple.security.${PRODUCT_NAME:identifier}"; PRODUCT_NAME = SecurityDevTests; @@ -31261,10 +33084,6 @@ "$(PROJECT_DIR)/OSX/regressions", ); INFOPLIST_FILE = "SecurityTests/SecurityDevTests-Info.plist"; - LIBRARY_SEARCH_PATHS = ( - "$(inherited)", - "\"$(SDKROOT)/usr/lib/system\"", - ); OTHER_LDFLAGS = ( "$(inherited)", "$(OTHER_LDFLAGS_APS)", 
@@ -31272,6 +33091,10 @@ "$(OTHER_LDFLAGS_PROTOBUF)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_SECURITYFOUNDATION)", + "$(OTHER_LDFLAGS_PREQUELITE)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); "OTHER_LDFLAGS[sdk=embedded]" = ( "$(inherited)", @@ -31288,6 +33111,10 @@ "$(OTHER_LDFLAGS_CLOUDKIT)", "$(OTHER_LDFLAGS_PROTOBUF)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", + "$(OTHER_LDFLAGS_PREQUELITE)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); PRODUCT_BUNDLE_IDENTIFIER = "com.apple.security.${PRODUCT_NAME:identifier}"; PRODUCT_NAME = SecurityDevTests; @@ -31587,7 +33414,10 @@ "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", ); INSTALL_PATH = /usr/local/bin; - LIBRARY_SEARCH_PATHS = "$(SDKROOT)/usr/local/lib"; + LIBRARY_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)/usr/local/lib", + ); OTHER_LDFLAGS = ( "$(APPLE_AKS_LIBRARY)", "$(OTHER_LDFLAGS_PROTOBUF)", @@ -31597,9 +33427,14 @@ "$(OTHER_LDFLAGS_APPLESYSTEMINFO)", "$(OTHER_LDFLAGS_APS)", "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_SHAREDWEBCREDENTIALS)", "$(OTHER_LDFLAGS_AGGREGATEDICTIONARY)", "$(OTHER_LDFLAGS_SECURITYFOUNDATION)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", + "$(OTHER_LDFLAGS_APPLEACCOUNT)", ); "OTHER_LDFLAGS[sdk=embedded]" = ( "$(inherited)", @@ -31624,7 +33459,10 @@ "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", ); INSTALL_PATH = /usr/local/bin; - LIBRARY_SEARCH_PATHS = "$(SDKROOT)/usr/local/lib"; + LIBRARY_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)/usr/local/lib", + ); OTHER_LDFLAGS = ( "$(APPLE_AKS_LIBRARY)", "$(OTHER_LDFLAGS_PROTOBUF)", 
@@ -31634,9 +33472,14 @@ "$(OTHER_LDFLAGS_APPLESYSTEMINFO)", "$(OTHER_LDFLAGS_APS)", "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_SHAREDWEBCREDENTIALS)", "$(OTHER_LDFLAGS_AGGREGATEDICTIONARY)", "$(OTHER_LDFLAGS_SECURITYFOUNDATION)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", + "$(OTHER_LDFLAGS_APPLEACCOUNT)", ); "OTHER_LDFLAGS[sdk=embedded]" = ( "$(inherited)", 
@@ -31650,6 +33493,69 @@ }; name = Release; }; + 6C4605B61F882B9B001421B6 /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_ANALYZER_NONNULL = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_DOCUMENTATION_COMMENTS = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_UNREACHABLE_CODE = YES; + CODE_SIGN_IDENTITY = ""; + FRAMEWORK_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)/../../AppleInternal/Library/Frameworks", + "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + ); + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_FOUR_CHARACTER_CONSTANTS = NO; + INFOPLIST_FILE = "$(SRCROOT)/supd/Tests/Info.plist"; + INSTALL_PATH = /AppleInternal/XCTests/com.apple.security/; + MTL_ENABLE_DEBUG_INFO = YES; + OTHER_LDFLAGS = ( + "-ObjC", + "$(AOSKIT_FRAMEWORK)", + "$(OTHER_LDFLAGS_CRASHREPORTER)", + "$(OTHER_LDFLAGS_APPLEACCOUNT)", + ); + PRODUCT_BUNDLE_IDENTIFIER = com.apple.security.KeychainAnalyticsTests; + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Debug; + }; + 6C4605B71F882B9B001421B6 /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_ANALYZER_NONNULL = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_DOCUMENTATION_COMMENTS = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_UNREACHABLE_CODE = YES; + CODE_SIGN_IDENTITY = ""; + FRAMEWORK_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)/../../AppleInternal/Library/Frameworks", + "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + ); + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_FOUR_CHARACTER_CONSTANTS = NO; + INFOPLIST_FILE = "$(SRCROOT)/supd/Tests/Info.plist"; + INSTALL_PATH = /AppleInternal/XCTests/com.apple.security/; + MTL_ENABLE_DEBUG_INFO = NO; + OTHER_LDFLAGS = ( + "-ObjC", + "$(AOSKIT_FRAMEWORK)", + "$(OTHER_LDFLAGS_CRASHREPORTER)", + "$(OTHER_LDFLAGS_APPLEACCOUNT)", + ); + PRODUCT_BUNDLE_IDENTIFIER = 
com.apple.security.KeychainAnalyticsTests; + PRODUCT_NAME = "$(TARGET_NAME)"; + VALIDATE_PRODUCT = YES; + }; + name = Release; + }; 6C98085F1E788AEB00E70590 /* Debug */ = { isa = XCBuildConfiguration; buildSettings = { @@ -31684,8 +33590,12 @@ "$(OTHER_LDFLAGS_APPLESYSTEMINFO)", "$(OTHER_LDFLAGS_APS)", "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_SHAREDWEBCREDENTIALS)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); "OTHER_LDFLAGS[sdk=iphoneos*]" = ( "$(APPLE_AKS_LIBRARY)", @@ -31696,10 +33606,14 @@ "$(OTHER_LDFLAGS_APPLESYSTEMINFO)", "$(OTHER_LDFLAGS_APS)", "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_SHAREDWEBCREDENTIALS)", "-framework", CrashReporterSupport, + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); PRODUCT_BUNDLE_IDENTIFIER = com.apple.security.CKKSCloudKitTests; PRODUCT_NAME = CKKSCloudKitTests; @@ -31741,8 +33655,12 @@ "$(OTHER_LDFLAGS_APPLESYSTEMINFO)", "$(OTHER_LDFLAGS_APS)", "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_SHAREDWEBCREDENTIALS)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); "OTHER_LDFLAGS[sdk=iphoneos*]" = ( "$(APPLE_AKS_LIBRARY)", @@ -31753,10 +33671,14 @@ "$(OTHER_LDFLAGS_APPLESYSTEMINFO)", "$(OTHER_LDFLAGS_APS)", "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_SHAREDWEBCREDENTIALS)", "-framework", CrashReporterSupport, + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); PRODUCT_BUNDLE_IDENTIFIER = com.apple.security.CKKSCloudKitTests; PRODUCT_NAME = CKKSCloudKitTests; 
@@ -31799,8 +33721,12 @@ "$(OTHER_LDFLAGS_APPLESYSTEMINFO)", "$(OTHER_LDFLAGS_APS)", "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_SHAREDWEBCREDENTIALS)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); "OTHER_LDFLAGS[sdk=iphoneos*]" = ( "$(APPLE_AKS_LIBRARY)", @@ -31811,10 +33737,14 @@ "$(OTHER_LDFLAGS_APPLESYSTEMINFO)", "$(OTHER_LDFLAGS_APS)", "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_SHAREDWEBCREDENTIALS)", "-framework", CrashReporterSupport, + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); PRODUCT_BUNDLE_IDENTIFIER = com.apple.security.CKKSCloudKitTests; PRODUCT_NAME = CKKSCloudKitTests; @@ -31856,8 +33786,12 @@ "$(OTHER_LDFLAGS_APPLESYSTEMINFO)", "$(OTHER_LDFLAGS_APS)", "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_SHAREDWEBCREDENTIALS)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); "OTHER_LDFLAGS[sdk=iphoneos*]" = ( "$(APPLE_AKS_LIBRARY)", @@ -31868,10 +33802,14 @@ "$(OTHER_LDFLAGS_APPLESYSTEMINFO)", "$(OTHER_LDFLAGS_APS)", "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_SHAREDWEBCREDENTIALS)", "-framework", CrashReporterSupport, + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); PRODUCT_BUNDLE_IDENTIFIER = com.apple.security.CKKSCloudKitTests; PRODUCT_NAME = CKKSCloudKitTests; 
@@ -31880,6 +33818,142 @@ }; name = Release; }; + 6C9AA7A31F7C1D9000D08296 /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_ANALYZER_NONNULL = YES; + CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++14"; + CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; + CLANG_WARN_COMMA = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; + CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_STRICT_PROTOTYPES = YES; + CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; + CLANG_WARN_UNREACHABLE_CODE = YES; + CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/supdctl/supdctl-Entitlements.plist"; + CODE_SIGN_STYLE = Automatic; + GCC_DYNAMIC_NO_PIC = NO; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + INSTALL_PATH = /usr/local/bin; + MTL_ENABLE_DEBUG_INFO = YES; + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Debug; + }; + 6C9AA7A41F7C1D9000D08296 /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_ANALYZER_NONNULL = YES; + CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++14"; + CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; + CLANG_WARN_COMMA = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; + CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_STRICT_PROTOTYPES = YES; + CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; + CLANG_WARN_UNREACHABLE_CODE = YES; + CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/supdctl/supdctl-Entitlements.plist"; + CODE_SIGN_STYLE = Automatic; + COPY_PHASE_STRIP = NO; + ENABLE_NS_ASSERTIONS = NO; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + INSTALL_PATH = /usr/local/bin; + MTL_ENABLE_DEBUG_INFO = NO; + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Release; + }; + 6CAA8D251F842FB4007B6E03 
/* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_ANALYZER_NONNULL = YES; + CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++14"; + CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; + CLANG_WARN_COMMA = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; + CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_STRICT_PROTOTYPES = YES; + CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; + CLANG_WARN_UNREACHABLE_CODE = YES; + CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/supd/securityuploadd-Entitlements.plist"; + CODE_SIGN_STYLE = Automatic; + FRAMEWORK_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + ); + GCC_DYNAMIC_NO_PIC = NO; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + INSTALL_PATH = /usr/libexec; + "LAUNCHD_PLIST[sdk=iphoneos*]" = "$(SRCROOT)/supd/securityuploadd-ios.plist"; + "LAUNCHD_PLIST[sdk=iphonesimulator*]" = "$(SRCROOT)/supd/securityuploadd-ios.plist"; + "LAUNCHD_PLIST[sdk=macosx*]" = "$(SRCROOT)/supd/securityuploadd-osx.plist"; + "LAUNCHD_PLIST_LOCATION[sdk=iphoneos*]" = "$(DSTROOT)/System/Library/LaunchDaemons"; + "LAUNCHD_PLIST_LOCATION[sdk=iphonesimulator*]" = "$(DSTROOT)/System/Library/LaunchDaemons"; + "LAUNCHD_PLIST_LOCATION[sdk=macosx*]" = "$(DSTROOT)/System/Library/LaunchAgents"; + MTL_ENABLE_DEBUG_INFO = YES; + OTHER_LDFLAGS = ( + "$(AOSKIT_FRAMEWORK)", + "$(OTHER_LDFLAGS_CRASHREPORTER)", + "$(OTHER_LDFLAGS_APPLEACCOUNT)", + ); + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Debug; + }; + 6CAA8D261F842FB4007B6E03 /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_ANALYZER_NONNULL = YES; + CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++14"; + CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; + CLANG_WARN_COMMA = YES; + 
CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; + CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_STRICT_PROTOTYPES = YES; + CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; + CLANG_WARN_UNREACHABLE_CODE = YES; + CODE_SIGN_ENTITLEMENTS = "$(SRCROOT)/supd/securityuploadd-Entitlements.plist"; + CODE_SIGN_STYLE = Automatic; + COPY_PHASE_STRIP = NO; + ENABLE_NS_ASSERTIONS = NO; + FRAMEWORK_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + ); + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + INSTALL_PATH = /usr/libexec; + "LAUNCHD_PLIST[sdk=iphoneos*]" = "$(SRCROOT)/supd/securityuploadd-ios.plist"; + "LAUNCHD_PLIST[sdk=iphonesimulator*]" = "$(SRCROOT)/supd/securityuploadd-ios.plist"; + "LAUNCHD_PLIST[sdk=macosx*]" = "$(SRCROOT)/supd/securityuploadd-osx.plist"; + "LAUNCHD_PLIST_LOCATION[sdk=iphoneos*]" = "$(DSTROOT)/System/Library/LaunchDaemons"; + "LAUNCHD_PLIST_LOCATION[sdk=iphonesimulator*]" = "$(DSTROOT)/System/Library/LaunchDaemons"; + "LAUNCHD_PLIST_LOCATION[sdk=macosx*]" = "$(DSTROOT)/System/Library/LaunchAgents"; + MTL_ENABLE_DEBUG_INFO = NO; + OTHER_LDFLAGS = ( + "$(AOSKIT_FRAMEWORK)", + "$(OTHER_LDFLAGS_CRASHREPORTER)", + "$(OTHER_LDFLAGS_APPLEACCOUNT)", + ); + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Release; + }; 6CCDF7891E3C25FB003F2555 /* Debug */ = { isa = XCBuildConfiguration; buildSettings = { 
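Review bot: The two new securityuploadd configurations (6CAA8D251F842FB4007B6E03 Debug and 6CAA8D261F842FB4007B6E03 Release) set no `OTHER_CODE_SIGN_FLAGS`, although they install an entitled binary with a launchd plist into /usr/libexec. Other /usr/libexec targets touched by this same patch gain `OTHER_CODE_SIGN_FLAGS = "$(OTHER_CODE_SIGN_FLAGS_LIBRARY_VALIDATION)";`. Neither new configuration names a baseConfigurationReference, so unless project-level settings outside this hunk supply the value, the upload daemon would be signed without the flag those targets use. I would add that same line to both buildSettings blocks, or record in the commit description why this daemon is exempt.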
@@ -31903,10 +33977,8 @@ GCC_WARN_FOUR_CHARACTER_CONSTANTS = NO; INSTALL_PATH = /AppleInternal/CoreOS/tests/Security; LD_RUNPATH_SEARCH_PATHS = "/Developer/Library/Frameworks /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/Library/Frameworks /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/Library/Frameworks/XCTest.framework/Frameworks"; - MACOSX_DEPLOYMENT_TARGET = 10.13; MTL_ENABLE_DEBUG_INFO = YES; PRODUCT_NAME = "$(TARGET_NAME)"; - SDKROOT = macosx.internal; }; name = Debug; }; @@ -31933,10 +34005,8 @@ GCC_WARN_FOUR_CHARACTER_CONSTANTS = NO; INSTALL_PATH = /AppleInternal/CoreOS/tests/Security; LD_RUNPATH_SEARCH_PATHS = "/Developer/Library/Frameworks /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/Library/Frameworks /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/Library/Frameworks/XCTest.framework/Frameworks"; - MACOSX_DEPLOYMENT_TARGET = 10.13; MTL_ENABLE_DEBUG_INFO = NO; PRODUCT_NAME = "$(TARGET_NAME)"; - SDKROOT = macosx.internal; }; name = Release; }; @@ -31961,7 +34031,6 @@ INFOPLIST_FILE = KeychainEntitledTestApp_mac/Info.plist; INSTALL_PATH = /AppleInternal/CoreOS/tests/Security; LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks"; - MACOSX_DEPLOYMENT_TARGET = 10.13; MTL_ENABLE_DEBUG_INFO = YES; OTHER_CODE_SIGN_FLAGS = "--deep"; PRODUCT_BUNDLE_IDENTIFIER = "com.apple.security.KeychainEntitledTestApp-mac"; @@ -31990,7 +34059,6 @@ INFOPLIST_FILE = KeychainEntitledTestApp_mac/Info.plist; INSTALL_PATH = /AppleInternal/CoreOS/tests/Security; LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks"; - MACOSX_DEPLOYMENT_TARGET = 10.13; MTL_ENABLE_DEBUG_INFO = NO; OTHER_CODE_SIGN_FLAGS = "--deep"; PRODUCT_BUNDLE_IDENTIFIER = "com.apple.security.KeychainEntitledTestApp-mac"; 
@@ -32054,76 +34122,6 @@ }; name = Release; }; - 728B56AC16D59979008FA3AB /* Debug */ = { - isa = XCBuildConfiguration; - baseConfigurationReference = 22C002A31AC9D33100B3469E /* OTAPKIAssetTool.xcconfig */; - buildSettings = { - ALWAYS_SEARCH_USER_PATHS = NO; - CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; - CLANG_CXX_LIBRARY = "libc++"; - CLANG_ENABLE_OBJC_ARC = YES; - CLANG_WARN_CONSTANT_CONVERSION = YES; - CLANG_WARN_EMPTY_BODY = YES; - CLANG_WARN_ENUM_CONVERSION = YES; - CLANG_WARN_INT_CONVERSION = YES; - CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; - CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; - CODE_SIGN_ENTITLEMENTS = "$(PROJECT_DIR)/OTAPKIAssetTool/OTAPKIAssetTool-entitlements.plist"; - CODE_SIGN_IDENTITY = "-"; - GCC_C_LANGUAGE_STANDARD = gnu99; - GCC_DYNAMIC_NO_PIC = NO; - GCC_PREPROCESSOR_DEFINITIONS = ( - "DEBUG=1", - "$(inherited)", - ); - GCC_SYMBOLS_PRIVATE_EXTERN = NO; - GCC_WARN_ABOUT_DEPRECATED_FUNCTIONS = NO; - GCC_WARN_UNINITIALIZED_AUTOS = YES; - INSTALL_PATH = /usr/libexec; - ONLY_ACTIVE_ARCH = YES; - OTHER_LDFLAGS = ""; - "OTHER_LDFLAGS[sdk=embedded]" = ( - "-framework", - BackgroundTaskAgent, - ); - PRODUCT_NAME = "$(TARGET_NAME)"; - SDKROOT = iphoneos.internal; - "SKIP_INSTALL[sdk=embeddedsimulator*]" = YES; - }; - name = Debug; - }; - 728B56AD16D59979008FA3AB /* Release */ = { - isa = XCBuildConfiguration; - baseConfigurationReference = 22C002A31AC9D33100B3469E /* OTAPKIAssetTool.xcconfig */; - buildSettings = { - ALWAYS_SEARCH_USER_PATHS = NO; - CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; - CLANG_CXX_LIBRARY = "libc++"; - CLANG_ENABLE_OBJC_ARC = YES; - CLANG_WARN_CONSTANT_CONVERSION = YES; - CLANG_WARN_EMPTY_BODY = YES; - CLANG_WARN_ENUM_CONVERSION = YES; - CLANG_WARN_INT_CONVERSION = YES; - CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; - CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; - CODE_SIGN_ENTITLEMENTS = "$(PROJECT_DIR)/OTAPKIAssetTool/OTAPKIAssetTool-entitlements.plist"; - CODE_SIGN_IDENTITY = "-"; - ENABLE_NS_ASSERTIONS = NO; - GCC_C_LANGUAGE_STANDARD = 
gnu99; - GCC_WARN_ABOUT_DEPRECATED_FUNCTIONS = NO; - INSTALL_PATH = /usr/libexec; - OTHER_LDFLAGS = ""; - "OTHER_LDFLAGS[sdk=embedded]" = ( - "-framework", - BackgroundTaskAgent, - ); - PRODUCT_NAME = "$(TARGET_NAME)"; - SDKROOT = iphoneos.internal; - "SKIP_INSTALL[sdk=embeddedsimulator*]" = YES; - VALIDATE_PRODUCT = YES; - }; - name = Release; - }; 7913B20D0D172B3900601FE9 /* Debug */ = { isa = XCBuildConfiguration; buildSettings = { @@ -32188,6 +34186,10 @@ INFOPLIST_FILE = "Security-Info.plist"; INSTALLHDRS_SCRIPT_PHASE = YES; INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks"; + LIBRARY_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)/usr/local/lib/security_libDER", + ); MODULEMAP_FILE = Modules/Security.iOS.modulemap; OTHER_LDFLAGS = ( "-laks", @@ -32195,9 +34197,11 @@ "$(OTHER_LDFLAGS_APPLEIDAUTHSUPPORT)", ); "OTHER_LDFLAGS[sdk=*simulator*]" = "-Wl,-upward_framework,Foundation"; + OTHER_TAPI_FLAGS = "-I$(PROJECT_DIR)/header_symlinks/iOS/ -extra-private-header $(PROJECT_DIR)/OSX/sec/Security/ios_tapi_hacks.h $(OTHER_TAPI_FLAGS_SECURITY_FRAMEWORK) $(inherited)"; PRODUCT_BUNDLE_IDENTIFIER = "com.apple.${EXECUTABLE_NAME}"; PRODUCT_NAME = Security; STRIP_STYLE = debugging; + SUPPORTS_TEXT_BASED_API = YES; Sim_Name = ""; "Sim_Name[sdk=embeddedsimulator*][arch=*]" = _sim; }; @@ -32216,6 +34220,10 @@ INFOPLIST_FILE = "Security-Info.plist"; INSTALLHDRS_SCRIPT_PHASE = YES; INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks"; + LIBRARY_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)/usr/local/lib/security_libDER", + ); MODULEMAP_FILE = Modules/Security.iOS.modulemap; OTHER_LDFLAGS = ( "-laks", 
@@ -32223,9 +34231,11 @@ "$(OTHER_LDFLAGS_APPLEIDAUTHSUPPORT)", ); "OTHER_LDFLAGS[sdk=*simulator*]" = "-Wl,-upward_framework,Foundation"; + OTHER_TAPI_FLAGS = "-I$(PROJECT_DIR)/header_symlinks/iOS/ -extra-private-header $(PROJECT_DIR)/OSX/sec/Security/ios_tapi_hacks.h $(OTHER_TAPI_FLAGS_SECURITY_FRAMEWORK) $(inherited)"; PRODUCT_BUNDLE_IDENTIFIER = "com.apple.${EXECUTABLE_NAME}"; PRODUCT_NAME = Security; STRIP_STYLE = debugging; + SUPPORTS_TEXT_BASED_API = YES; Sim_Name = ""; "Sim_Name[sdk=embeddedsimulator*][arch=*]" = _sim; }; @@ -32245,9 +34255,13 @@ "$(OTHER_LDFLAGS_SHAREDWEBCREDENTIALS)", "$(OTHER_LDFLAGS_APS)", "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_PROTOBUF)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_SECURITYFOUNDATION)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); "OTHER_LDFLAGS[sdk=embedded][arch=*]" = ( "-lsqlite3", @@ -32264,7 +34278,11 @@ "$(OTHER_LDFLAGS_CLOUDKIT)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_PROTOBUF)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_SECURITYFOUNDATION)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); PRODUCT_NAME = security; STRIP_STYLE = debugging; @@ -32292,9 +34310,13 @@ "$(OTHER_LDFLAGS_APPLEIDAUTHSUPPORT)", "$(OTHER_LDFLAGS_APS)", "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_PROTOBUF)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_SECURITYFOUNDATION)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); "OTHER_LDFLAGS[sdk=embeddedsimulator*][arch=*]" = ( "-lsqlite3", 
@@ -32304,7 +34326,11 @@ "$(OTHER_LDFLAGS_CLOUDKIT)", "$(OTHER_LDFLAGS_PROTOBUF)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_SECURITYFOUNDATION)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); PRODUCT_NAME = security; STRIP_STYLE = debugging; @@ -32359,12 +34385,17 @@ GCC_WARN_ABOUT_DEPRECATED_FUNCTIONS = YES; INSTALL_PATH = /usr/libexec; LIBRARY_SEARCH_PATHS = "$(SDKROOT)/usr/local/lib"; + OTHER_CODE_SIGN_FLAGS = "$(OTHER_CODE_SIGN_FLAGS_LIBRARY_VALIDATION)"; OTHER_LDFLAGS = ( "$(OTHER_LDFLAGS_PROTOBUF)", "$(OTHER_LDFLAGS_APS)", "$(OTHER_LDFLAGS_CLOUDKIT)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_SECURITYFOUNDATION)", + "$(OTHER_LDFLAGS_PREQUELITE)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); "OTHER_LDFLAGS[sdk=embedded][arch=*]" = ( "$(OTHER_LDFLAGS)", @@ -32378,9 +34409,14 @@ "$(OTHER_LDFLAGS_APS)", "$(OTHER_LDFLAGS_CLOUDKIT)", "$(OTHER_LDFLAGS_PROTOBUF)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "-framework", CrashReporterSupport, + "$(OTHER_LDFLAGS_PREQUELITE)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); "OTHER_LDFLAGS[sdk=iphonesimulator*]" = ( "$(inherited)", @@ -32414,12 +34450,17 @@ GCC_WARN_ABOUT_DEPRECATED_FUNCTIONS = YES; INSTALL_PATH = /usr/libexec; LIBRARY_SEARCH_PATHS = "$(SDKROOT)/usr/local/lib"; + OTHER_CODE_SIGN_FLAGS = "$(OTHER_CODE_SIGN_FLAGS_LIBRARY_VALIDATION)"; OTHER_LDFLAGS = ( "$(OTHER_LDFLAGS_PROTOBUF)", "$(OTHER_LDFLAGS_APS)", "$(OTHER_LDFLAGS_CLOUDKIT)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_SECURITYFOUNDATION)", + "$(OTHER_LDFLAGS_PREQUELITE)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); "OTHER_LDFLAGS[sdk=embedded][arch=*]" = ( "$(OTHER_LDFLAGS)", 
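Review bot: `"$(OTHER_LDFLAGS_PREQUELITE)",` is added twice to the same OTHER_LDFLAGS list in the hunk at -32378, once next to `"$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)"` and again right after `CrashReporterSupport`. The hunk at -32434 repeats the same double addition in the parallel list. The duplicate is probably harmless at link time, but it makes the list harder to audit, and it suggests a merge artefact rather than an intended setting. I would drop the second `"$(OTHER_LDFLAGS_PREQUELITE)",` entry in both hunks so each list names the variable once, as the other lists in this patch do. The list's opening line is outside both hunks, so the SDK condition it applies to cannot be confirmed from here.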
@@ -32434,8 +34475,13 @@ "$(OTHER_LDFLAGS_CLOUDKIT)", "$(OTHER_LDFLAGS_PROTOBUF)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", + "$(OTHER_LDFLAGS_PREQUELITE)", "-framework", CrashReporterSupport, + "$(OTHER_LDFLAGS_PREQUELITE)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); "OTHER_LDFLAGS[sdk=iphonesimulator*]" = ( "$(inherited)", @@ -32533,8 +34579,10 @@ "SECURITY_FRAMEWORK_RESOURCES_DIR[sdk=macosx*]" = "$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/A/Resources"; STRIP_INSTALLED_PRODUCT = NO; SUPPORTED_PLATFORMS = "iphonesimulator iphoneos watchos macosx appletvos appletvsimulator watchsimulator"; + SUPPORTS_TEXT_BASED_API = YES; Sim_Name = ""; "Sim_Name[sdk=embeddedsimulator*][arch=*]" = _sim; + TAPI_VERIFY_MODE = ErrorsAndWarnings; TARGETED_DEVICE_FAMILY = "1,2"; }; name = Debug; @@ -32564,7 +34612,7 @@ CLANG_WARN__ARC_BRIDGE_CAST_NONARC = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; CODE_SIGN_IDENTITY = "-"; - COPY_PHASE_STRIP = YES; + COPY_PHASE_STRIP = NO; DEAD_CODE_STRIPPING = YES; DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; ENABLE_STRICT_OBJC_MSGSEND = YES; @@ -32604,8 +34652,10 @@ SECURITY_FRAMEWORK_RESOURCES_DIR = "$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/"; "SECURITY_FRAMEWORK_RESOURCES_DIR[sdk=macosx*]" = "$(SYSTEM_LIBRARY_DIR)/Frameworks/Security.framework/Versions/A/Resources"; SUPPORTED_PLATFORMS = "iphonesimulator iphoneos watchos macosx appletvos appletvsimulator watchsimulator"; + SUPPORTS_TEXT_BASED_API = YES; Sim_Name = ""; "Sim_Name[sdk=embeddedsimulator*][arch=*]" = _sim; + TAPI_VERIFY_MODE = ErrorsAndWarnings; TARGETED_DEVICE_FAMILY = "1,2"; }; name = Release; @@ -33005,7 +35055,10 @@ "$(inherited)", ); INSTALL_PATH = /usr/libexec; - LIBRARY_SEARCH_PATHS = "$(SDKROOT)/usr/local/lib"; + LIBRARY_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)/usr/local/lib", + ); MTL_ENABLE_DEBUG_INFO = YES; OTHER_LDFLAGS = "$(OTHER_LDFLAGS_MOBILEASSET)"; "OTHER_LDFLAGS[sdk=embedded]" = ( 
@@ -33028,7 +35081,10 @@ "$(inherited)", ); INSTALL_PATH = /usr/libexec; - LIBRARY_SEARCH_PATHS = "$(SDKROOT)/usr/local/lib"; + LIBRARY_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)/usr/local/lib", + ); MTL_ENABLE_DEBUG_INFO = NO; OTHER_LDFLAGS = "$(OTHER_LDFLAGS_MOBILEASSET)"; "OTHER_LDFLAGS[sdk=embedded]" = ( @@ -33937,6 +35993,7 @@ MTL_ENABLE_DEBUG_INFO = YES; PRODUCT_NAME = "$(TARGET_NAME)"; SKIP_INSTALL = YES; + STRIP_INSTALLED_PRODUCT = NO; WARNING_CFLAGS = ( "$(inherited)", "-Wno-unused-function", @@ -33970,6 +36027,7 @@ MTL_ENABLE_DEBUG_INFO = NO; PRODUCT_NAME = "$(TARGET_NAME)"; SKIP_INSTALL = YES; + STRIP_INSTALLED_PRODUCT = NO; WARNING_CFLAGS = ( "$(inherited)", "-Wno-unused-function", 
@@ -34037,100 +36095,6 @@ }; name = Release; }; - DC17850B1D77873200B50D50 /* Debug */ = { - isa = XCBuildConfiguration; - buildSettings = { - ALWAYS_SEARCH_USER_PATHS = NO; - CLANG_ANALYZER_NONNULL = YES; - CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; - CLANG_CXX_LIBRARY = "libc++"; - CLANG_ENABLE_OBJC_ARC = YES; - CLANG_WARN_BOOL_CONVERSION = YES; - CLANG_WARN_CONSTANT_CONVERSION = YES; - CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; - CLANG_WARN_DOCUMENTATION_COMMENTS = YES; - CLANG_WARN_EMPTY_BODY = YES; - CLANG_WARN_ENUM_CONVERSION = YES; - CLANG_WARN_INFINITE_RECURSION = YES; - CLANG_WARN_INT_CONVERSION = YES; - CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; - CLANG_WARN_SUSPICIOUS_MOVES = YES; - CLANG_WARN_UNREACHABLE_CODE = YES; - CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; - CODE_SIGN_IDENTITY = ""; - COMBINE_HIDPI_IMAGES = YES; - CURRENT_PROJECT_VERSION = 1; - DEBUG_INFORMATION_FORMAT = dwarf; - DYLIB_COMPATIBILITY_VERSION = 1; - DYLIB_CURRENT_VERSION = 1; - DYLIB_INSTALL_NAME_BASE = "@rpath"; - ENABLE_STRICT_OBJC_MSGSEND = YES; - FRAMEWORK_VERSION = A; - GCC_C_LANGUAGE_STANDARD = gnu99; - GCC_DYNAMIC_NO_PIC = NO; - GCC_NO_COMMON_BLOCKS = YES; - GCC_PREPROCESSOR_DEFINITIONS = ( - "DEBUG=1", - "$(inherited)", - ); - GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; - GCC_WARN_UNDECLARED_SELECTOR = YES; - GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; - INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks"; - LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks @loader_path/Frameworks"; - MTL_ENABLE_DEBUG_INFO = YES; - PRODUCT_NAME = Security; - SDKROOT = macosx.internal; - VERSIONING_SYSTEM = "apple-generic"; - VERSION_INFO_PREFIX = ""; - }; - name = Debug; - }; - DC17850C1D77873200B50D50 /* Release */ = { - isa = XCBuildConfiguration; - buildSettings = { - ALWAYS_SEARCH_USER_PATHS = NO; - CLANG_ANALYZER_NONNULL = YES; - CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; - CLANG_CXX_LIBRARY = "libc++"; - CLANG_ENABLE_OBJC_ARC = YES; - CLANG_WARN_BOOL_CONVERSION = YES; - 
CLANG_WARN_CONSTANT_CONVERSION = YES; - CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; - CLANG_WARN_DOCUMENTATION_COMMENTS = YES; - CLANG_WARN_EMPTY_BODY = YES; - CLANG_WARN_ENUM_CONVERSION = YES; - CLANG_WARN_INFINITE_RECURSION = YES; - CLANG_WARN_INT_CONVERSION = YES; - CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; - CLANG_WARN_SUSPICIOUS_MOVES = YES; - CLANG_WARN_UNREACHABLE_CODE = YES; - CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; - CODE_SIGN_IDENTITY = ""; - COMBINE_HIDPI_IMAGES = YES; - COPY_PHASE_STRIP = NO; - CURRENT_PROJECT_VERSION = 1; - DYLIB_COMPATIBILITY_VERSION = 1; - DYLIB_CURRENT_VERSION = 1; - DYLIB_INSTALL_NAME_BASE = "@rpath"; - ENABLE_NS_ASSERTIONS = NO; - ENABLE_STRICT_OBJC_MSGSEND = YES; - FRAMEWORK_VERSION = A; - GCC_C_LANGUAGE_STANDARD = gnu99; - GCC_NO_COMMON_BLOCKS = YES; - GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; - GCC_WARN_UNDECLARED_SELECTOR = YES; - GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; - INSTALL_PATH = "$(SYSTEM_LIBRARY_DIR)/Frameworks"; - LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks @loader_path/Frameworks"; - MTL_ENABLE_DEBUG_INFO = NO; - PRODUCT_NAME = Security; - SDKROOT = macosx.internal; - VERSIONING_SYSTEM = "apple-generic"; - VERSION_INFO_PREFIX = ""; - }; - name = Release; - }; DC17890E1D77980500B50D50 /* Debug */ = { isa = XCBuildConfiguration; baseConfigurationReference = DC178BB11D77A5F500B50D50 /* security_framework_macos.xcconfig */; @@ -34160,6 +36124,9 @@ "-Wl,-upward_framework,Foundation", "$(OTHER_LDFLAGS_APPLEIDAUTHSUPPORT)", ); + SUPPORTS_TEXT_BASED_API = YES; + TAPI_VERIFY_MODE = ErrorsAndWarnings; + VERSIONING_SYSTEM = "apple-generic"; }; name = Debug; }; @@ -34192,6 +36159,9 @@ "-Wl,-upward_framework,Foundation", "$(OTHER_LDFLAGS_APPLEIDAUTHSUPPORT)", ); + SUPPORTS_TEXT_BASED_API = YES; + TAPI_VERIFY_MODE = ErrorsAndWarnings; + VERSIONING_SYSTEM = "apple-generic"; }; name = Release; }; 
@@ -34291,9 +36261,12 @@ "$(OTHER_LDFLAGS_APPLESYSTEMINFO)", "$(OTHER_LDFLAGS_APS)", "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_SHAREDWEBCREDENTIALS)", "-ObjC", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); "OTHER_LDFLAGS[sdk=iphoneos*]" = ( "$(APPLE_AKS_LIBRARY)", @@ -34304,11 +36277,14 @@ "$(OTHER_LDFLAGS_APPLESYSTEMINFO)", "$(OTHER_LDFLAGS_APS)", "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_SHAREDWEBCREDENTIALS)", "-ObjC", "-framework", CrashReporterSupport, + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); PRODUCT_BUNDLE_IDENTIFIER = com.apple.security.CKKSTests; PRODUCT_NAME = "$(TARGET_NAME)"; @@ -34351,9 +36327,12 @@ "$(OTHER_LDFLAGS_APPLESYSTEMINFO)", "$(OTHER_LDFLAGS_APS)", "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_SHAREDWEBCREDENTIALS)", "-ObjC", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); "OTHER_LDFLAGS[sdk=iphoneos*]" = ( "$(APPLE_AKS_LIBRARY)", @@ -34364,11 +36343,14 @@ "$(OTHER_LDFLAGS_APPLESYSTEMINFO)", "$(OTHER_LDFLAGS_APS)", "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_SHAREDWEBCREDENTIALS)", "-ObjC", "-framework", CrashReporterSupport, + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); PRODUCT_BUNDLE_IDENTIFIER = com.apple.security.CKKSTests; PRODUCT_NAME = "$(TARGET_NAME)"; 
@@ -35096,42 +37078,6 @@ }; name = Release; }; - DC59E9EA1D91C9DC001BDDF5 /* Debug */ = { - isa = XCBuildConfiguration; - baseConfigurationReference = D47C56FB1DCA8F4900E18518 /* all_arches.xcconfig */; - buildSettings = { - CLANG_ANALYZER_NONNULL = YES; - CLANG_WARN_DOCUMENTATION_COMMENTS = YES; - CLANG_WARN_SUSPICIOUS_MOVES = YES; - ENABLE_STRICT_OBJC_MSGSEND = YES; - GENERATE_TEXT_BASED_STUBS = NO; - INLINE_PRIVATE_FRAMEWORKS = NO; - MTL_ENABLE_DEBUG_INFO = YES; - PRODUCT_NAME = "$(TARGET_NAME)"; - PUBLIC_HEADERS_FOLDER_PATH = /usr/local/include/security_libDER/libDER; - SKIP_INSTALL = YES; - SUPPORTS_TEXT_BASED_API = NO; - }; - name = Debug; - }; - DC59E9EB1D91C9DC001BDDF5 /* Release */ = { - isa = XCBuildConfiguration; - baseConfigurationReference = D47C56FB1DCA8F4900E18518 /* all_arches.xcconfig */; - buildSettings = { - CLANG_ANALYZER_NONNULL = YES; - CLANG_WARN_DOCUMENTATION_COMMENTS = YES; - CLANG_WARN_SUSPICIOUS_MOVES = YES; - ENABLE_STRICT_OBJC_MSGSEND = YES; - GENERATE_TEXT_BASED_STUBS = NO; - INLINE_PRIVATE_FRAMEWORKS = NO; - MTL_ENABLE_DEBUG_INFO = NO; - PRODUCT_NAME = "$(TARGET_NAME)"; - PUBLIC_HEADERS_FOLDER_PATH = /usr/local/include/security_libDER/libDER; - SKIP_INSTALL = YES; - SUPPORTS_TEXT_BASED_API = NO; - }; - name = Release; - }; DC5ABDCA1D832DAB00CF422C /* Debug */ = { isa = XCBuildConfiguration; buildSettings = { @@ -35380,14 +37326,11 @@ ); GCC_WARN_FOUR_CHARACTER_CONSTANTS = NO; INSTALL_PATH = /usr/local/bin; - LIBRARY_SEARCH_PATHS = ( - "$(inherited)", - "$(SDKROOT)/usr/lib/system", - ); OTHER_LDFLAGS = ( "$(APPLE_AKS_LIBRARY)", "-ObjC", "$(OTHER_LDFLAGS_APPLEIDAUTHSUPPORT)", + "$(OTHER_LDFLAGS_IMCORE)", ); "OTHER_LDFLAGS[sdk=embedded]" = ( "-lACM", 
@@ -35414,14 +37357,11 @@ ); GCC_WARN_FOUR_CHARACTER_CONSTANTS = NO; INSTALL_PATH = /usr/local/bin; - LIBRARY_SEARCH_PATHS = ( - "$(inherited)", - "$(SDKROOT)/usr/lib/system", - ); OTHER_LDFLAGS = ( "$(APPLE_AKS_LIBRARY)", "-ObjC", "$(OTHER_LDFLAGS_APPLEIDAUTHSUPPORT)", + "$(OTHER_LDFLAGS_IMCORE)", ); "OTHER_LDFLAGS[sdk=embedded]" = ( "-lACM", @@ -36723,6 +38663,7 @@ GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; MTL_ENABLE_DEBUG_INFO = YES; + SUPPORTS_TEXT_BASED_API = NO; }; name = Debug; }; @@ -36746,6 +38687,7 @@ GCC_WARN_UNDECLARED_SELECTOR = YES; GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; MTL_ENABLE_DEBUG_INFO = NO; + SUPPORTS_TEXT_BASED_API = NO; }; name = Release; }; @@ -37277,6 +39219,9 @@ "$(OTHER_LDFLAGS_PROTOBUF)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_SECURITYFOUNDATION)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); PRODUCT_NAME = security2; SUPPORTED_PLATFORMS = macosx; @@ -37293,6 +39238,9 @@ "$(OTHER_LDFLAGS_PROTOBUF)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_SECURITYFOUNDATION)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); PRODUCT_NAME = security2; SUPPORTED_PLATFORMS = macosx; @@ -37310,10 +39258,6 @@ INFOPLIST_FILE = OSX/SecurityTestsOSX/Info.plist; INSTALL_PATH = /AppleInternal/CoreOS/tests/Security/; LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks"; - LIBRARY_SEARCH_PATHS = ( - "$(inherited)", - "\"$(SDKROOT)/usr/lib/system\"", - ); OTHER_LDFLAGS = ""; "OTHER_LDFLAGS[sdk=embedded]" = ( "$(inherited)", @@ -37341,10 +39285,6 @@ INFOPLIST_FILE = OSX/SecurityTestsOSX/Info.plist; INSTALL_PATH = /AppleInternal/CoreOS/tests/Security/; LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks"; - LIBRARY_SEARCH_PATHS = ( - "$(inherited)", - "\"$(SDKROOT)/usr/lib/system\"", - ); OTHER_LDFLAGS = ""; "OTHER_LDFLAGS[sdk=embedded]" = ( "$(inherited)", 
@@ -37463,10 +39403,12 @@ INFOPLIST_FILE = "OSX/sec/securityd/Info-macOS.plist"; INSTALL_PATH = /usr/libexec; MTL_ENABLE_DEBUG_INFO = YES; + OTHER_CODE_SIGN_FLAGS = "$(OTHER_CODE_SIGN_FLAGS_LIBRARY_VALIDATION)"; OTHER_LDFLAGS = ( "$(APPLE_AKS_LIBRARY)", "$(OTHER_LDFLAGS_APPLEIDAUTHSUPPORT)", "-ObjC", + "$(OTHER_LDFLAGS_IMCORE)", ); PRODUCT_NAME = "$(TARGET_NAME)"; USE_HEADERMAP = NO; @@ -37517,10 +39459,12 @@ INFOPLIST_FILE = "OSX/sec/securityd/Info-macOS.plist"; INSTALL_PATH = /usr/libexec; MTL_ENABLE_DEBUG_INFO = NO; + OTHER_CODE_SIGN_FLAGS = "$(OTHER_CODE_SIGN_FLAGS_LIBRARY_VALIDATION)"; OTHER_LDFLAGS = ( "$(APPLE_AKS_LIBRARY)", "$(OTHER_LDFLAGS_APPLEIDAUTHSUPPORT)", "-ObjC", + "$(OTHER_LDFLAGS_IMCORE)", ); PRODUCT_NAME = "$(TARGET_NAME)"; USE_HEADERMAP = NO; @@ -38214,16 +40158,16 @@ INFOPLIST_FILE = "SecurityTests/SecurityTests-Info.plist"; INSTALL_PATH = /AppleInternal/Applications; LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks"; - LIBRARY_SEARCH_PATHS = ( - "$(inherited)", - "\"$(SDKROOT)/usr/lib/system\"", - ); OTHER_LDFLAGS = ( "$(OTHER_LDFLAGS_APS)", "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_PROTOBUF)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_SECURITYFOUNDATION)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); "OTHER_LDFLAGS[sdk=embedded]" = ( "$(inherited)", @@ -38238,10 +40182,14 @@ "$(OTHER_LDFLAGS_APPLEIDAUTHSUPPORT)", "$(OTHER_LDFLAGS_APS)", "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_PROTOBUF)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "-framework", CrashReporterSupport, + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); PRODUCT_BUNDLE_IDENTIFIER = "com.apple.security.${PRODUCT_NAME:identifier}"; PRODUCT_NAME = "$(TARGET_NAME)"; 
@@ -38267,16 +40215,16 @@ INFOPLIST_FILE = "SecurityTests/SecurityTests-Info.plist"; INSTALL_PATH = /AppleInternal/Applications; LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks"; - LIBRARY_SEARCH_PATHS = ( - "$(inherited)", - "\"$(SDKROOT)/usr/lib/system\"", - ); OTHER_LDFLAGS = ( "$(OTHER_LDFLAGS_APS)", "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_PROTOBUF)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "$(OTHER_LDFLAGS_SECURITYFOUNDATION)", + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); "OTHER_LDFLAGS[sdk=embedded]" = ( "$(inherited)", @@ -38291,10 +40239,14 @@ "$(OTHER_LDFLAGS_APPLEIDAUTHSUPPORT)", "$(OTHER_LDFLAGS_APS)", "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", "$(OTHER_LDFLAGS_PROTOBUF)", "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", "-framework", CrashReporterSupport, + "$(OTHER_LDFLAGS_CORECDP)", + "$(OTHER_LDFLAGS_IMCORE)", + "$(OTHER_LDFLAGS_ACCOUNTS)", ); PRODUCT_BUNDLE_IDENTIFIER = "com.apple.security.${PRODUCT_NAME:identifier}"; PRODUCT_NAME = "$(TARGET_NAME)"; @@ -38394,7 +40346,7 @@ HEADER_SEARCH_PATHS = ( "$(inherited)", "$(PROJECT_DIR)", - "$(PROJECT_DIR)/OSX/libsecurity_keychain/libDER", + "$(SDKROOT)/usr/local/include/security_libDER", "$(PROJECT_DIR)/OSX/libsecurity_asn1", "$(PROJECT_DIR)/libsecurity_smime", "$(PROJECT_DIR)/OSX/sec", @@ -38410,10 +40362,6 @@ ); INFOPLIST_FILE = "Keychain/Keychain-Info.plist"; INSTALL_PATH = /AppleInternal/Applications; - LIBRARY_SEARCH_PATHS = ( - "$(inherited)", - "\"$(SDKROOT)/usr/lib/system\"", - ); ONLY_ACTIVE_ARCH = YES; OTHER_LDFLAGS = "$(inherited)"; "OTHER_LDFLAGS[sdk=embedded][arch=*]" = ( @@ -38443,7 +40391,7 @@ HEADER_SEARCH_PATHS = ( "$(inherited)", "$(PROJECT_DIR)", - "$(PROJECT_DIR)/OSX/libsecurity_keychain/libDER", + "$(SDKROOT)/usr/local/include/security_libDER", "$(PROJECT_DIR)/OSX/libsecurity_asn1", "$(PROJECT_DIR)/libsecurity_smime", "$(PROJECT_DIR)/OSX/sec", 
@@ -38459,10 +40407,6 @@ ); INFOPLIST_FILE = "Keychain/Keychain-Info.plist"; INSTALL_PATH = /AppleInternal/Applications; - LIBRARY_SEARCH_PATHS = ( - "$(inherited)", - "\"$(SDKROOT)/usr/lib/system\"", - ); OTHER_CFLAGS = "-DNS_BLOCK_ASSERTIONS=1"; OTHER_LDFLAGS = "$(inherited)"; "OTHER_LDFLAGS[sdk=embedded]" = ( @@ -38533,6 +40477,7 @@ PRODUCT_BUNDLE_IDENTIFIER = com.apple.security.KeychainCircle.KeychainCircle; PRODUCT_NAME = "$(TARGET_NAME)"; SUPPORTS_TEXT_BASED_API = YES; + TAPI_VERIFY_MODE = ErrorsOnly; VERSIONING_SYSTEM = "apple-generic"; VERSION_INFO_PREFIX = ""; }; @@ -38575,6 +40520,7 @@ PRODUCT_BUNDLE_IDENTIFIER = com.apple.security.KeychainCircle.KeychainCircle; PRODUCT_NAME = "$(TARGET_NAME)"; SUPPORTS_TEXT_BASED_API = YES; + TAPI_VERIFY_MODE = ErrorsOnly; VERSIONING_SYSTEM = "apple-generic"; VERSION_INFO_PREFIX = ""; }; @@ -38944,6 +40890,7 @@ MTL_ENABLE_DEBUG_INFO = YES; PRODUCT_NAME = "$(TARGET_NAME)"; SDKROOT = macosx.internal; + SUPPORTS_TEXT_BASED_API = NO; }; name = Debug; }; @@ -38969,6 +40916,7 @@ MTL_ENABLE_DEBUG_INFO = NO; PRODUCT_NAME = "$(TARGET_NAME)"; SDKROOT = macosx.internal; + SUPPORTS_TEXT_BASED_API = NO; }; name = Release; }; 
@@ -39492,6 +41440,104 @@ }; name = Release; }; + EB49B2B3202D8780003F34A0 /* Debug */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_ANALYZER_NONNULL = YES; + CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++14"; + CLANG_ENABLE_OBJC_WEAK = YES; + CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; + CLANG_WARN_COMMA = YES; + CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; + CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_STRICT_PROTOTYPES = YES; + CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; + CLANG_WARN_UNREACHABLE_CODE = YES; + CODE_SIGN_STYLE = Automatic; + COMBINE_HIDPI_IMAGES = YES; + DEBUG_INFORMATION_FORMAT = dwarf; + FRAMEWORK_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + ); + GCC_DYNAMIC_NO_PIC = NO; + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_FOUR_CHARACTER_CONSTANTS = NO; + INFOPLIST_FILE = tests/secdmockaks/Info.plist; + LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks @loader_path/../Frameworks"; + MTL_ENABLE_DEBUG_INFO = YES; + OTHER_LDFLAGS = ( + "$(OTHER_LDFLAGS_APPLEIDAUTHSUPPORT)", + "$(OTHER_LDFLAGS_PROTOBUF)", + "$(OTHER_LDFLAGS_MOBILEGESTALT)", + "$(OTHER_LDFLAGS_DIAGNOSTICSMESSAGESCLIENT)", + "$(OTHER_LDFLAGS_APPLESYSTEMINFO)", + "$(OTHER_LDFLAGS_APS)", + "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", + "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", + "$(OTHER_LDFLAGS_SHAREDWEBCREDENTIALS)", + "$(OTHER_LDFLAGS_ACCOUNTS)", + ); + PRODUCT_BUNDLE_IDENTIFIER = com.apple.Security.secdmockaks; + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Debug; + }; + EB49B2B4202D8780003F34A0 /* Release */ = { + isa = XCBuildConfiguration; + buildSettings = { + ALWAYS_SEARCH_USER_PATHS = NO; + CLANG_ANALYZER_NONNULL = YES; + 
CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; + CLANG_CXX_LANGUAGE_STANDARD = "gnu++14"; + CLANG_ENABLE_OBJC_WEAK = YES; + CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; + CLANG_WARN_COMMA = YES; + CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES; + CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; + CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; + CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; + CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; + CLANG_WARN_STRICT_PROTOTYPES = YES; + CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE; + CLANG_WARN_UNREACHABLE_CODE = YES; + CODE_SIGN_STYLE = Automatic; + COMBINE_HIDPI_IMAGES = YES; + COPY_PHASE_STRIP = NO; + ENABLE_NS_ASSERTIONS = NO; + FRAMEWORK_SEARCH_PATHS = ( + "$(inherited)", + "$(SDKROOT)$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks", + ); + GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; + GCC_WARN_FOUR_CHARACTER_CONSTANTS = NO; + INFOPLIST_FILE = tests/secdmockaks/Info.plist; + LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks @loader_path/../Frameworks"; + MTL_ENABLE_DEBUG_INFO = NO; + OTHER_LDFLAGS = ( + "$(OTHER_LDFLAGS_APPLEIDAUTHSUPPORT)", + "$(OTHER_LDFLAGS_PROTOBUF)", + "$(OTHER_LDFLAGS_MOBILEGESTALT)", + "$(OTHER_LDFLAGS_DIAGNOSTICSMESSAGESCLIENT)", + "$(OTHER_LDFLAGS_APPLESYSTEMINFO)", + "$(OTHER_LDFLAGS_APS)", + "$(OTHER_LDFLAGS_CLOUDKIT)", + "$(OTHER_LDFLAGS_PREQUELITE)", + "$(OTHER_LDFLAGS_WIRELESSDIAGNOSTICS)", + "$(OTHER_LDFLAGS_SHAREDWEBCREDENTIALS)", + "$(OTHER_LDFLAGS_ACCOUNTS)", + ); + PRODUCT_BUNDLE_IDENTIFIER = com.apple.Security.secdmockaks; + PRODUCT_NAME = "$(TARGET_NAME)"; + }; + name = Release; + }; EB6A6FAA1B90F83A0045DC68 /* Release */ = { isa = XCBuildConfiguration; buildSettings = { 
@@ -40300,6 +42346,24 @@ defaultConfigurationIsVisible = 0; defaultConfigurationName = Release; }; + 0C85E0001FB38BB6000343A7 /* Build configuration list for PBXNativeTarget "OTTests" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 0C85E0011FB38BB6000343A7 /* Debug */, + 0C85E0021FB38BB6000343A7 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 0C8BBF051FCB446400580909 /* Build configuration list for PBXNativeTarget "otctl" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 0C8BBF061FCB446400580909 /* Debug */, + 0C8BBF071FCB446400580909 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; 225394B11E3080A600D3CD9B /* Build configuration list for PBXNativeTarget "security_codesigning_ios" */ = { isa = XCConfigurationList; buildConfigurations = ( @@ -40327,6 +42391,15 @@ defaultConfigurationIsVisible = 0; defaultConfigurationName = Release; }; + 4727FBC31F9918590003AE36 /* Build configuration list for PBXNativeTarget "secdxctests_ios" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 4727FBBC1F9918590003AE36 /* Debug */, + 4727FBBD1F9918590003AE36 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; 47702B221E5F409700B29577 /* Build configuration list for PBXNativeTarget "seckeychainnetworkextensionsystemdaemontest" */ = { isa = XCConfigurationList; buildConfigurations = ( 
@@ -40345,6 +42418,15 @@ defaultConfigurationIsVisible = 0; defaultConfigurationName = Release; }; + 478D42991FD72A8100CAB645 /* Build configuration list for PBXNativeTarget "secdxctests_mac" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 478D429A1FD72A8100CAB645 /* Debug */, + 478D429B1FD72A8100CAB645 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; 47C51B931EEA657D0032D9E5 /* Build configuration list for PBXNativeTarget "SecurityUnitTests" */ = { isa = XCConfigurationList; buildConfigurations = ( @@ -40480,6 +42562,15 @@ defaultConfigurationIsVisible = 0; defaultConfigurationName = Release; }; + 6C4605B51F882B9B001421B6 /* Build configuration list for PBXNativeTarget "KeychainAnalyticsTests" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 6C4605B61F882B9B001421B6 /* Debug */, + 6C4605B71F882B9B001421B6 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; 6C98085E1E788AEB00E70590 /* Build configuration list for PBXNativeTarget "CKKSCloudKitTests_mac" */ = { isa = XCConfigurationList; buildConfigurations = ( 
@@ -40498,6 +42589,24 @@ defaultConfigurationIsVisible = 0; defaultConfigurationName = Release; }; + 6C9AA7A21F7C1D9000D08296 /* Build configuration list for PBXNativeTarget "supdctl" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 6C9AA7A31F7C1D9000D08296 /* Debug */, + 6C9AA7A41F7C1D9000D08296 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; + 6CAA8D241F842FB4007B6E03 /* Build configuration list for PBXNativeTarget "securityuploadd" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + 6CAA8D251F842FB4007B6E03 /* Debug */, + 6CAA8D261F842FB4007B6E03 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; 6CCDF7881E3C25FB003F2555 /* Build configuration list for PBXNativeTarget "KeychainEntitledTestRunner" */ = { isa = XCConfigurationList; buildConfigurations = ( @@ -40525,15 +42634,6 @@ defaultConfigurationIsVisible = 0; defaultConfigurationName = Release; }; - 728B56AB16D59979008FA3AB /* Build configuration list for PBXNativeTarget "OTAPKIAssetTool" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - 728B56AC16D59979008FA3AB /* Debug */, - 728B56AD16D59979008FA3AB /* Release */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Release; - }; 790851C90CA985C10083CC4D /* Build configuration list for PBXNativeTarget "securityd_ios" */ = { isa = XCConfigurationList; buildConfigurations = ( 
@@ -40885,15 +42985,6 @@ defaultConfigurationIsVisible = 0; defaultConfigurationName = Release; }; - DC17850A1D77873200B50D50 /* Build configuration list for PBXNativeTarget "copyHeadersToSystem" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - DC17850B1D77873200B50D50 /* Debug */, - DC17850C1D77873200B50D50 /* Release */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Release; - }; DC17890D1D77980500B50D50 /* Build configuration list for PBXNativeTarget "Security_osx" */ = { isa = XCConfigurationList; buildConfigurations = ( @@ -41056,15 +43147,6 @@ defaultConfigurationIsVisible = 0; defaultConfigurationName = Release; }; - DC59E9E91D91C9DC001BDDF5 /* Build configuration list for PBXNativeTarget "DER_not_installed" */ = { - isa = XCConfigurationList; - buildConfigurations = ( - DC59E9EA1D91C9DC001BDDF5 /* Debug */, - DC59E9EB1D91C9DC001BDDF5 /* Release */, - ); - defaultConfigurationIsVisible = 0; - defaultConfigurationName = Release; - }; DC5ABDC91D832DAB00CF422C /* Build configuration list for PBXNativeTarget "securitytool_macos" */ = { isa = XCConfigurationList; buildConfigurations = ( @@ -41776,6 +43858,15 @@ defaultConfigurationIsVisible = 0; defaultConfigurationName = Release; }; + EB49B2BA202D8780003F34A0 /* Build configuration list for PBXNativeTarget "secdmockaks" */ = { + isa = XCConfigurationList; + buildConfigurations = ( + EB49B2B3202D8780003F34A0 /* Debug */, + EB49B2B4202D8780003F34A0 /* Release */, + ); + defaultConfigurationIsVisible = 0; + defaultConfigurationName = Release; + }; EB6A6FA91B90F83A0045DC68 /* Build configuration list for PBXAggregateTarget "phase1_ios" */ = { isa = XCConfigurationList; buildConfigurations = ( diff --git a/Security.xcodeproj/xcshareddata/xcschemes/CKKSTests.xcscheme b/Security.xcodeproj/xcshareddata/xcschemes/CKKSTests.xcscheme index 5bfe9cf0..822094ed 100644 --- a/Security.xcodeproj/xcshareddata/xcschemes/CKKSTests.xcscheme 
+++ b/Security.xcodeproj/xcshareddata/xcschemes/CKKSTests.xcscheme @@ -5,12 +5,27 @@ + + + + + + @@ -56,6 +57,7 @@ buildConfiguration = "Debug" selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB" selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB" + language = "" launchStyle = "0" useCustomWorkingDirectory = "NO" ignoresPersistentStateOnLaunch = "NO" diff --git a/Security.xcodeproj/xcshareddata/xcschemes/ios - Debug.xcscheme b/Security.xcodeproj/xcshareddata/xcschemes/ios - Debug.xcscheme index f6881673..87b2f010 100644 --- a/Security.xcodeproj/xcshareddata/xcschemes/ios - Debug.xcscheme +++ b/Security.xcodeproj/xcshareddata/xcschemes/ios - Debug.xcscheme @@ -40,7 +40,6 @@ buildConfiguration = "Debug" selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB" selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB" - language = "" shouldUseLaunchSchemeArgsEnv = "YES"> + + + + + + + + - - @@ -292,14 +306,6 @@ argument = "si_29_sectrust_sha1_deprecation" isEnabled = "NO"> - - - - @@ -428,10 +434,6 @@ argument = "si_80_empty_data" isEnabled = "NO"> - - @@ -456,6 +458,10 @@ argument = "si_87_sectrust_name_constraints" isEnabled = "NO"> + + @@ -480,42 +486,6 @@ argument = "sc_25_soskeygen" isEnabled = "NO"> - - - - - - - - - - - - - - - - - - diff --git a/Security.xcodeproj/xcshareddata/xcschemes/ios - Release.xcscheme b/Security.xcodeproj/xcshareddata/xcschemes/ios - Release.xcscheme index 470baeb2..502d6def 100644 --- a/Security.xcodeproj/xcshareddata/xcschemes/ios - Release.xcscheme +++ b/Security.xcodeproj/xcshareddata/xcschemes/ios - Release.xcscheme @@ -40,6 +40,7 @@ buildConfiguration = "Release" selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB" selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB" + language = "" shouldUseLaunchSchemeArgsEnv = "YES"> + + 
diff --git a/Security.xcodeproj/xcshareddata/xcschemes/ios - secdtests.xcscheme b/Security.xcodeproj/xcshareddata/xcschemes/ios - secdtests.xcscheme index cea3092e..92c639d2 100644 --- a/Security.xcodeproj/xcshareddata/xcschemes/ios - secdtests.xcscheme +++ b/Security.xcodeproj/xcshareddata/xcschemes/ios - secdtests.xcscheme @@ -26,9 +26,18 @@ buildConfiguration = "Debug" selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB" selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB" - language = "" shouldUseLaunchSchemeArgsEnv = "YES"> + + + + + + @@ -191,7 +203,7 @@ + isEnabled = "NO"> + + @@ -336,30 +352,10 @@ - - - - - - - - + + + + + + + + + + + + + + diff --git a/Security.xcodeproj/xcshareddata/xcschemes/osx - sectests.xcscheme b/Security.xcodeproj/xcshareddata/xcschemes/osx - sectests.xcscheme index fc4ced8e..0dbd5337 100644 --- a/Security.xcodeproj/xcshareddata/xcschemes/osx - sectests.xcscheme +++ b/Security.xcodeproj/xcshareddata/xcschemes/osx - sectests.xcscheme @@ -40,6 +40,7 @@ buildConfiguration = "Debug" selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB" selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB" + language = "" shouldUseLaunchSchemeArgsEnv = "YES"> @@ -59,6 +60,7 @@ buildConfiguration = "Debug" selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB" selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB" + language = "" launchStyle = "0" useCustomWorkingDirectory = "NO" ignoresPersistentStateOnLaunch = "NO" diff --git a/Security/Security.xcodeproj/project.xcworkspace/contents.xcworkspacedata b/Security/Security.xcodeproj/project.xcworkspace/contents.xcworkspacedata new file mode 100644 index 00000000..94b2795e --- /dev/null +++ b/Security/Security.xcodeproj/project.xcworkspace/contents.xcworkspacedata @@ -0,0 +1,4 @@ + + + 
diff --git a/SecurityTests/SecurityTests-Entitlements.plist b/SecurityTests/SecurityTests-Entitlements.plist index eec208ed..dc5def77 100644 --- a/SecurityTests/SecurityTests-Entitlements.plist +++ b/SecurityTests/SecurityTests-Entitlements.plist @@ -28,6 +28,8 @@ com.apple.security.regressions com.apple.private.uninstall.deletion + com.apple.private.security.delete.all + keychain-access-groups com.apple.security.regressions @@ -38,12 +40,6 @@ 123456.test.group2 com.apple.bluetooth - com.apple.private.ubiquity-kvstore-access - - com.apple.securityd - - com.apple.developer.ubiquity-kvstore-identifier - com.apple.security.cloudkeychainproxy3 com.apple.developer.shared-web-credentials localhost 
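Review bot: The first hunk of SecurityTests-Entitlements.plist adds `com.apple.private.security.delete.all` with nothing recording which tests need it. Going by its name alone (the page does not define it), this private entitlement grants a wide delete capability over stored items, which is broad even for a regression bundle. I would put an XML comment directly above the key, for example `<!-- required by <TEST NAME PLACEHOLDER> to reset keychain state; test-only, do not copy into a shipping target -->`. It is also worth confirming that this plist is referenced only by the SecurityTests target, which the project settings earlier on this page appear to install under /AppleInternal/Applications. The element markup of the added lines is lost in this rendering, so the value given to the key could not be checked here.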
diff --git a/SecurityTests/si-87-sectrust-name-constraints/TestCertificates b/SecurityTests/si-87-sectrust-name-constraints/TestCertificates new file mode 100644 index 0000000000000000000000000000000000000000..8a2fbfa508ffc67762d617207cc3ddf7c9b145d4 GIT binary patch literal 7116800 zcmV)3K+C@$iwFQ7l>=G;1MIyA-0O7N|Igtt!(j;sBI7WG0~MN`hMmf}kRZARb^uJFMc2!c3@E}nZNaO|~55MK6t&LA8^7efdPf+&F! z5WX0MU<5%{SPXu^^?J?1(YQXGRmG~e{6@U|*UetmZ2k}BENjc+e?0ylG4P;;=Ya>U z_?0sjuDD>u6<1w(=gkj&`GNDmHCI`E`$L68|Gegc1#7Il0(jsl&>GU0q|*)+N6_p1r-hSZUbdur-bsFM&`3MlukBU>FXQL}oi^GjNl+moHqj zf!G^2hTVqKs*f9s8EWzDt&1UWvkljT2nYg+*{p&f(wsfb{NriH1o!#SD~}Sh9~jRN z+kpoy*z#X{bHU0hEIeqz+OvLN0IYb>f(0vFK1OcY`738Vy?y^@cjjIc|G3f7XKrxH zW?TQXaPE~ao_l=l$FKb5smV6n^SLe0Bp2RlUd*ZtBy_uR|= z{?N^yZ|x#}Z=ZsA=c?x6+0-J}ac{kszOg>t^Qi~d_})W@t|DG`+^vHz+}kbe2>)%N z&iw4xBjng;GpDX`+e0_+XFajq?Y~;E+6i0lwqT0pFjHH-;R_=ULsdr{hkYdvEb27ufFWZ>pgMB3#;^> zSn}!mS<)3rwU3B7e zFJ8OBh5K)O-(}k?=RdajHD_O%e`eK%E9|v#{>y*6F2kqBEq&8R9^7u})1w3L-|y$o zyt3ORcV4hiU18lVjyU^sM{aT7a~m)HAl5&$qwUpOy$_=3f7t)5|Iq9z^mqM-5dwwh z^dE=udHw$|Y==3cIbM_(Gh9U#vm!&O+-p|>Nfg;>!Z6ezjkf;t%K^h0pp2SqE(v(Z63hm0(SqT!;kv)s|yB3lQ z>pC~(+EjVj-)xD|rjZ@fLd~c|cEV|ZM2oML#JH1!+O2|SciL|-bk6EZ(}GG3m%VW$ z<+Ai>_NKW)$6{9YYe+S&8x;%?8FwnPb}S|CR8nnBZfg^X?SOfeGbP%7t#E2GDXTo$ zuIUq3>ynYf(6fR>S5m14kez^2IpL-fYfq$hc~*#DpSxCM|Mi+zmqgx@%A*NWuCdi} zndc_Cs+Mr-tO?w*CQy@n8P1OCx*6GBtY1?(MWU(K{zgwGxmgVok#js}_9#`#6V83D zpgh1*b=CZ<;F^$-#ST;DU7W^ZKSks*Tp)c7kY%OHMAbo+ zr5Lw`#CVI*p<<*XQJXWoSRD7WL_;&eaXVww{gj0fZH5^(&9Iw`O1#Aai5j{i)|y#F@}qo)s3Ra+XlYcgHqmS`(-JCWHH1p&AOm8)o9BmZ6VzBmXok!b=yXt9B#Ee?x|(ffGdPvzNARc#G^e?t+eES$ zsW<3Rs?>_e)N}+JW}3)&QCsnQs$?a?DDOb2@$8?p5x&_Rr$$Jxk<6A24Nw%{o?A!~ zm6;oRhnsM8dQ#3x)NC3xGZVI4%jE-8^deiP%3OgiQ|xSXXo`wQ3WW>-D#C*7NV3vq z1xq(6RnJwiQO)cSEClN*3b6*wp6J@T8!$SfNElfw@Rc0H<}9NSyDAOjN41oj9#(z4 z!qkdjuUhIB90BUkjoCPq11+x#WnWA?rEu&d?OIHCh+If#Gq6~IvtnQXB@ypHS|zIw zkSaKCGZx;KNV#0ab$!UD;htEVcBg(c_HCy@PjxDzL-lbHa*$~$#<3I(jQY)Cn*!O1 
zS0Sqgf>zi>opk-N$LgLKCR8q*DvhF=hO|yy)Y(gW^<8+l;<>OB6zku)99I;Qi#NgpfoE~ zf9;z4uh&q$z0A!3uXo13+ZVv=o$>GX1@L-j{JU-jSmtMD^FR^bynyMyFW}N_>=~*Y zFt06UQ6cGxZQGerVACTIfF>LiK$Mi!L6&1U4swWWMMQdJE!*R(6kVzi>1>KdL9#E@ zZI^Oz(iDPpsb)>7dM=WIai@fXq>~+uL5T+|NyT?KG!?fXucx3oZjWWAV!@46Ef~i< zuY!c5VFgYfw&6lNLE8{O)Wgw`a{{i|t>SsvO^|M>Go3P_TC&UmZDtdEOt!g<$dnL2 z-LK+GM^K7H9M&yiG$1*k?qu}QAU*AcUdkAy(cuvHMyNXwlKyn;Oqz-v+GD6@OMOG* zD|lp^#B??;PE{vmk>N5xN-`J@Vrw%k9;#+>%xYsiUm3=1M)iX_1t>}2L4E1*i1g)~iRGgmj0+vIIl zCRJpB*>F*&V5AK25kL(y3-R3E9ec zNEV7*9;m4k(KoVnt(23BMjys!^=S4x!T<@oY0J@!b?QsGkIDzw(y4UQD2Bm%zY)4AmEKY)+QU@IgsSohFpgD|BN(E~iITTz` zU3AuNAdA-vZZ!jSa+GAlSgu5rstK6#i{)M4kIW)-%V(s#L1xXwt3%7VgZ=-Z%%aPa z*}1;>Xv*w+>I>lY&UkZQ%-!C;o4ecD0%rmt)JJ70g%KdcqMdQUtVQ6kgA=8!X8C+= z*r8>vHSvSVFiee`F$ES#yDqg8uY$CJZi$CPK?~|=f*>3&CY~K3O+090L(Xm#vW6fE zX;a6WJ=y2`Xk=JXJF>xu&o(N2uA~6^xK`pKrDydUa4N_3Fj*1V_B0`#YGI1Dv9LkK zq(qdYJZ_Jiavm!yLn}b|$=IK19oz@nZZw#7WzaG*jW{0QbfzL^xWF6rdPtiOMXuT~ z=weOb9EG=_ZhZ`MdbOF&(UIbp3@r!L+kUgs$j;=I%66g z59QFB&7p3kP;y)SR6NZ085dFzU7QS3aE~aWWEL;el1yOw2o*h zLILq>eN(_{Bf~>*t!u++o^KB|*shK-0&8ZZ6v5XE5Cb6<9*~-NTkXLV?Ug*p*1GI$ zWyr?R?$ThCrH2M&C-r76J(V(DS}_#i{6%!f4l^B}hP@K1_Dp!ptPbt`TP`CX2P%TYOphh~LE#=J$OAMSi%wSC= zH%=LRvpZGIiXO$L2M)s=WF?vZNp}C!fs1+jUoi;$-~rG(^B?TZ{0D{5`S{<5VcWLj3;+50hmBBh9Kui#CQxKMXmfDWW&G#kZ_j_;2!LSpKM#O# z5+z8GL`m|U0nitduYLF2Q&#@c%ZK(Kz3=3B8{x7$PCNAUz*sOi@`#fcJ^Ip~PfjlR zVQ|utKV5(y2CV*vz0SDR`1JV){$}as$#u8vMjg4y&3{=5+VXB>(}P$4*4^L!&0np< zetOEHKR=>8zVb8Q-|hOx7yb85)&t#@1m;xc_9Fe;uN`{v7FRDhjjd+BdbsrxxodI> zd+LTeXQ|bZ&-5O;bDdT1zu@*g9{l2De8<7Xdk#G8@e5#juby}6_5LUOc;*)1FKeA} z<<8%KdUD+!y@yiW-G9FEVMm;E?Pfx-&yM)I+i$ew9$}l$Ua>IT@DE!ZZ<7xoH=Xm< zKVEmsWewt4{dW(Z|GaVOrJMU(gMVFT>8S?@JB24-=6(PE1H7|$e-8lYAnKXZUk#sJ za$Dh`t+xHyr?TgteD4+h<5#bLYwyC_3y0qR;F1+?x@pPTh3d|Se{<6dGiUf;zJBdb zr0zNaIQRV9pU7?h>|LKZ>MQcgD-52y?3jZtc=Qn(H}dD~|I!{+?BPpR-RDQCRkC;A zxWipvyAj&tmELa09=FQ@x9w?cavu1~V86b6%ch%N`qC2P7l$la<&#fu*(K})pSpN8 z4c&Ry^;YN?55IovKkmH6($jB9jb1)1e&lagpLfUp4<7XidduR=FF3pI|Ch(k!FJj4 
zTTkC~*(H1Iw&_`)yYtc)%wK)3-D!3YxTSU1ao>3A`fYCLZ?x1gA3UVKVe4X~SozV7 z#|ZwX74;Xltn}qOzNz&VFVVfncHOG~0j&Qy{r{i=&^z%Th=AYBe+USi*Z&X0-f8z7 z&jqK3{J-v=-B3vj-g1JJ{zrEA3`>cI$tpFGR1ur)80!-4zP@9uEQkM0fVb|JMR0k$ zrDs#-L}8pbYQOSa+`x>mWt)1oXpzZlxXnvw(H7lb8H&9v8h-3 zvx0n)lV|_ijO-RQl~{%W-hFVg>=V6I&k?j{CC*py38+T`R|nc925qG(g>E#-g55&i zGx2c9*S$6>>G()a6_Tk@=m(Q&HQ&pn4Nd};ZYR^z>zwIHX(R+#%M}_?aa1fxYFy-M zRNHAP)loxqq_A4k2#YQRMRU;2!8v{?jT)X2`>>yJxN0>^3`q>2T{RB)UfWPdb{!31 za0F>W!xw^9u`s)H;OuUH=nwj#(&Z#Z z;HrpRC0lkKLwtW=`kKc}Ij*RW>Qb-LNsqejZ1)`J*fE|iRdQkhNKZXVl8+hHI8Z`NDnm!YmwC!>{bU@Gm&tB z%n6Y|R&vmAh-iHf!A5bE85bzCP{aeH;*hxGXPJn@s|K!R^G%O6%#@*;#B>tjmB0rK z2kb`zJjO$^7>raoWtO0xS=Q`IkL^Rln%_aj-8goma+N_#V#;U0j@86vWi}aPG?xMf zb|OwI(gYk)UR%w&J&P<;Ud&FUQnB2cIy|CGyTw)y>kllHF%*SD!2xva3|q;>^J_h7FbPuK8au4@^9?nlhC(SOdP6mp(|oZpp85%xMZzo! z;An4zbsOodrdq|U4(aau3Qnfmv*i=k-ypApMv6q*^TEk?l3V{H8=QPkt_FDB*Sy&B zt;%$!0#TPFg`AMrvNb@g@$GWCj|!bK8o|0=R!vJD>Tm*ijNBXrC7(9pNfq~zq(u7? z-YcXAwoi#f3Ge17jS(>0MD-90wX<=i)=4)D8NJmin?ZlVrqFa^SJj$l)Pn)kENP{z z(We3uscGpzhSNs7+7MNsQpHkIAZKVCcOo}~wMU({Z&;M%!ak|Gs@6+*0UIy{lg@iS z*qltnx=>F`lIW6tw+jNT9z$q_ai8jj(L_| zZNG7jV=dFD%(++45~Q#OljAoJF*8{<#K3HFdf}urt_zG^(DV%9^rRjhuvFTtlelR$ zrr{{kBxopVIE{@}xroC4u$jsRW8D)}3t;F$H6tcophBHosvkAYtXhSse!17=4U09b ziqfb~%yv%G)V#)I%7Ia?PN!6aNh25&7@+3!C3KMMc%V_v#YAq{PZ3q7F$irE!SZmX z-^ur+LA?%k#{<{v8ErOg^!#*9Xm$iJE_4CZum!o`I~Z5jVm5NeDZcE&l_uZnRdk<; zhE+tEOh>pzh9yxhfCf*t>WtfO%*G;~kW+xH3PF)9dsDH`O~ne{&U>(4#}dgIgoss0 zn;I(DGQDBfm!hIJ43WTWMwrl}y45o1sw04)H6uO6b)r~Bd}J^XL|sFZt~3vj<^j?? 
zK$-_g^8jfcAkEu94FW%S0Q8Rhhald}e=u-9{`a96c+kRYz=Kx&=0Et)4#%&1p!*j7 zbLxjnP*4<_{lZWPCduuf#o%Vk_|JyR;XiKxK=6P51kkMd863<&D2`>`833LAqw-~+ zTIoC2T=s}cUUvRP+yCN=mpysp(Z@Wx@`V@OcX;uy8=bJ$Hb4EzmwtW5246U#j$Ln7 zezuQYU-`aYU#5NQu=UQ|;IMlHU=q`(*JUzx$epcE0v)?WF}f{r69$t=6*s zuYMyPehg1_Nw+-u(ys>adLT^wP%fw*PwLxbr`C z)#Xd~JGHU+jLn4`c9yQ|-f-$3>u;)p1NMpRGoxhyXbW)jHvyov=bo**(rVx;hpmLJ zA3gPUL}+p0yVk}#-@m~#LS^eezk2vhPhN0F<=PeR`5O^@b?+-T{M^OoJ?h-N!lT8n zFCteS{<8j+^Rn9xyANc(|B21{(}&wPFFttU zivFQTo%rqV4|Z7PrpFwhy5s<-wl#3n=G(1xb@a%Z*dALPvH1}jz5LYg)>{3-aPOaU zdz`)fPS>CR=$f59mVEi%;ZI(gu2_HNTTc&fTWh25XYV3@bIiSAptWy0ccp7ihMqWN z$sbQS^k+vzw?QZD;_cnGFTYSb`Y(SFGe>Rz=*<_ON$q>$W|yw~;&+S{KeiC&+twDt zEsrS>E4FVsd%cy6t)6QCsCMj@XKnuHyRQ2DcN)=}d%tkZrSE(Fzo!2mFaUZ-{)6Ig z;Xed4um2y0y(9m5?L+Ftf8G3!+fA`wUk?B2vLDIKugsRGa+{hxb|x~bp|cI2CDEPN zH+;%+`Hw`S2CH(&Y(qPdleq%KX|Wp2T|@tQjhhy;!NfJeDU(pSWwolQlwVZ=sUl6d zWru=9mg=)LecGQpU1N29PpXI$ZrMp3fu(%OLL|2WXTjOyG|N)TTtNU$1rh^dzQdcN zy5YKtjtL=cdG@;UhIR%J{h{|p%ZHU-NFVkUy>Ea-axe3%Usli}sq#(T(=2b6}YXyWg zxR#U2G-R_-5nu{#l>j6a!r5^?3Q|3**$~?)N~H#rQHc>)Z1gLrEe@0s6DMV_l4r1d z%onl{Xm;>am=JMNw*j>{;xl&9=_RocfO$y9#<_gO>cCJYfs?>c$3v+)n$0hl zob9D2HP^O^!~T$u(jmZTZH6#}PFYm!Y=`spypiRdY)hh{CO@>8NewS?(}^RGSO-O^ zmh47jw_O!_q?Ez1stj0WT=Bg+(a@pBP=(oSmmw&&R0(o!QLS}JJsT8?99ke|+gGjV zhqHY(uiyrQr!Y*5H54e$&7U$w2h-VvQmNA1@ClXIHn$wDQtTWHT3&3CDl-EBrZTZ9 zLZcy~3UR8yrCV$$dHjTLXhJbR?hX{IGKAoq&bTCE);YZpX81Z^A9k^ND=>OMVmG^b zT}LUSTuz%fWR#p%T<(?WG2f*mKQ&F)prAG#jp&r05LPx^Cgy4wGk%RIOusb0p z4^t6c&s)>5mrDj#q)>FdZ>Q;4z;I!lb!Z?T4 z^J>tJeXd!l5A*au?U&rVQV~TY#Z71X^@>@@xA|#L>lKDDm8 zUSxKx>xP7Awb{lc1;Aj4i7t;<98j1EUIR9$rl`UNZ{{W-GcYIhhA?i5R#ELSB|jU; z4TUaGn`#5}xe`^=0KWwG#E2;>Ge0v1r_Fw9R)5rN5G-GzbttWbC=HFV5Mt_6rk0PB zo;?&=PDgahDN@Y#fGj6TjxTo#Cf_Cz5{)#eTNQaEZlo)HG%?V!&aoppTPaq@wXojk z@)8A;ZaHe_Tb{+lKuRDRgE5krVMQwx>$1l-vnE>LNM z+x*lobZ7qh?eM_gc|0ZPMBJfeH`~n)JQZhXqXj_4E;KZu++aHJ)h^l{6beKz>NF53 zCGdH_*BX+fXnS;)B=eqIb9#Y8YU6Tx*e=D2PkMl-H3V8toJrAYA$BH>WI3hcGG!JH 
zE2vh08?1~~!aP)}bkoyjwVtK}eB2xl26&-Z6-^7s@wwqxDMn6vFpx577A`s6QoX>J zDJsDv&wy|(P;-#W=%kl5Q>Achk^^#>fdX+bNJtcr46QuTNn3-MOty`ntdIEv%ig3|Jp+m?;u;GEJ;h;a{hAfb!<_`BZY^{}%pp+J_2I5C{k7 zqQYbbLecG@Ex^r}@t=*B$AA760AVPUc?$qK@VpPb0nn@>AeqU)+d(OCyJZd7a@-h= zckI=>4Lj(K#>0B6Hy-V1HO8}Mjs4M%cF=uCT=b+W!+z$bmKYE6C0dy)pPqj zbn%nn=wmnCc*29(wzK;FyKndNQ+~4e>{FgCyz;%JUloqs^DOH02e&-xFtX&F6+HQU z;n}b7m#O<*v2@L2rZ<)NEjE36QSJ*5og1xn*C1YN-{Y6;DfVj*u5;UiuU!9yi$8V$ z?fI>!&A0pStG|BKtH$Zt4i{d1>T?^^2D^;g@iA++&rMzN`zO7<4*mFgw_Nb+Js$nR zw_bess*4w1cJTvt^Z1*0=W0&Enir$k_jDo^bY&3^U6859SJ}8(l+f!7l(iT&PD!E*?RLYJpRP`+wFJk zr>@QKy_UP*mC9M4$AlkTj#k^s>4Vevv#)_p+V5$qb=3a7bw2aA-*2+u$`uZJ`jYcL zb9Hub*VPZ4f5IPDTKdd)7LBi~9De<(J@fmAZByQ^{xbBG@ni0R&O!l@p1AFi#@|*y zVYN*z+x>xGEq(Zf3&PC4t?zv9KdnXc_Tk$y|Np@Pz<1_<*qitt0%G%@|M*bs9g|eO zcK+*M1JscgL+K8-JpQMC6aylOq-t1^En|{egCw>#cLvJ-dlYXj2%s*X|FKl#jX414 zAey(l9Dt2C=Kuuek^sJ+9Du-F62SM90}zlCX)Yi=k<>C=ROkAm+?Nz?B1~S-0qFgY zIRNMS;5{5pU>#4W_pDJ%7wT*z4yF+x>eW%NsZ7T`ecA;%u_vXtTHIGW4|7mc9oD06 z+tu<8k}4!%v16lpu|?Se#c=geR*Fy{7lhoDElj8}K}xip;prxw3_T{BF$KS#%I3tX zpD38s0i$xHg3T-um5fQI?gr&i)!`d}igeSyO2<4e_ng^IRn^;h{gTNgdtUB!ygDaI9(sPq)7+A7~1Bf}o*fa_IAkiF#RwvbL6uOZY z_WF!bg9Lx9`J@j{`{N>xG40Nf^6cqYsxnEpmFvnH24H!fb#hvrAVrxVEnOktaaa3XNwHoGV$O5~Y+_r*4muIAd?Q=e>NOm8QV7X9K(W{15+iNHg4CiKnMSJHrnLyx z8kGpeQjVX}dxf4n>RC0k=#EVp#fmviO@&OeS~Vdq20$b0aB$+LB(MOE6);m0Ch5`W z{luK{xsOc!jWrUI1>#NuQf!)n3~;DPyjn+ z5um{!pY1VrI<_GKmIZ?#GDbrvIZB`6d@7gZ$XejRm{H3WjfSW5xk@^&NL{|^qJ?}( zn0W~~U!QjKN+F+0`MPfl6R>Ti!j6{_ikK@WKErm=U`UT^l``EC`^ZQyhZ3)Dugo5 zkGiRnP~;VbVCj+J%6wA_6|8OZWoAP7qFoU~lpLbI&FC~KMD`BevPk>yjp_RCbHVO4&w$lwqUQ9K`fs~&%azScbZ-s8%Y*fm5q7!s7 zom9E&H?XWQWu=K+ai%DcG`eGhsxu8CXVMy0stP%9;tq1A0=G>$gt3 zw*Azx|MmMbAK&e>tB>#B@`!yt@%U+H{c&)xd&^zy8LK@^94;O36KntV`;V|U6jr`z zhube(|I1rlxJ~!^lMXsxeD1&_o>>1UDSU^m_Bro6tGXv|eok`6wLkfiddhLn{prga zE*jE1{^s|${OFSC4=aBwe({*=SH9}xE3#V?;?=)WH~T?+(!pn%`vNEPzuqf)vbNU8 z7ru1Suh#$eD<>51{M+YO*!zdfQ9DB5j}H&WwkVz70Dt(*OLw1zuK%CbqIvu9 zZJGc7&+6ET*OGW_oOpZfm_{{!WA 
z4V+aOm6P|(|K5G{gDNwu-PF1c+?3-9-mihv1ZcNlWegYdR?FZ}qS#BT1A3^U;zZ`k zYS0b}9W<&L^(vxX%47>eq}aZ0a%4wq?5Xx?mRhAhx4V_17!@eFGuLuH1`LVXz?+p$(- zJ5$^73sNtb3Ys(2EmCGE&Wxf0Xj!^bq6E5!DbMFS)0{>*`LTxRtOQJ^bzHDpqnPWGaJAZMp?nV^@N}%} zc`JyqZapn@;{i>V_;e*twfa^r9Z!Z%N-{|s%@+Vi95>$||KrFQ&J=3)fM6(bl!jXq ztCFf&a3p2Dti|>UU3^q=q9O!El>!fqGW zpli_C{@8G;dd1`#^$sgVT8rst>oN-Rbls)#B3Q1YMK#VR5MELYEzXfu93!Hx$3z_v zaQty`Vh^HD!wI}DR&j7y?zaS(O?%*YY@?|Gm^7tSAI{%XrYWg<(kMTs6YPud2)^y0P!LxxtDsfHsLuW1* zOE)-RJXYV<0B>h=6qNE91f+IAyTz$+;~a8M8pMaSfWZYGyQ)2&*s1*O4G zJp__!J3;bUr9$LGEv=>`rC~(bVS6mt;XtUErq3Ea(G~lQ7EtdmfA2gnoCk*Uz;GTI z&I7}FVEBL1AP|HsBw5{&MX)UrrW%@=NSB2k&w+xx=#;gxe$gKk&_;8_oFA zi!M6-rL)%ekK14k(fL(j&y(U)9{BQi&foT-&#Zm@;mp|-jmu!XP|wa`Vk&n_`&hN zmA^gQHMsWfZ5CX`ch|+2JoA&aJ~I*4dE{g5%U|rhywh+0yy$Z8zmDZD+WwMDQwxs& z_?g9@4vD>kIoi>eefd?Pvg+T~zixwdo;&CMt-f*dCpYcf zdd(Ay_naNKN5WjP3X0PwwaAou9(hDcuoa2xD&hv|3xq0{R?eW9Xl1roisY=L^Y+F3rj#oMZ#)P^ZRB#nz*#mn|ewY&5^E`;|dUooFOGcKZ2%vXqY8R28zs=^QHz zoqkx)SMB_GM1@f=O6iV4iA0-B$1zocN+RIY+rxCvs?upNQ$)GM&nBQ=0WF5kl;}y` z)NAF6=SC7-tn`^CB@htjRj@`{4FYx8NqImKtB3WlQiCQ21^Y>Dh^Lh*4f0(BB$@0u z4NG(=H<73}#Q0phl``c5WaLY^T23R%SseyC{BZpK_@B@UEnD%@<%~;$p)wq4zQp4} z25};S!@7+=OEN_iMfg%`;37O*H&Y@O&{EXUQ?XD0P^niibbLsS%ORnSgMhTmk`&qO z+z}c+;_5y(r3uVq3MM~k^=Pd(CS@d_c!Wz5$S?$2Qa-2jaT#T6MPCr5asXypyw6np zQNKESpHgosu4n{AKN*Exr=jMYs+D)}!JwUTsK5nEl+?=1CazLV4Wg*xa~+h|Q;6Cq zDlADmO}5gc+BFT$GTGS4L7G?XDuW!Hw#A-Y6Dk8hFd3B!G;bo-JMD-f-5BdyoF7!B zOwBD~PBG^t9k}U+eYnD9@(oS)$+{=WZ5>y@au5T>DN0ra9_yA*#Xvh;l?qNEhNlrut=(rR?J>Fz!yo3dLqA4(Q375%Yy@wPnQB!8BEwMRdqEQVMEdxj;Bh-VeooXBHSVf@It{2Th)|NY?mpq z*s@Zt+|~1q3^dZyLZFfXrB4Kw7@Crc>u@pA{J|(L>FtzX%2bjVXbNPp8ylgVHHX+# zPTO6jnu%eGsB06^ijqlIz$F!fHl@wyxgWR+!On<*rEJ#CsrTMWgp*;WC2)G|kbR4oaa*U$fv z5<6NR{|jE{e{-1cZTa6^V$k=J7ZfO`n$4aE=1htoOmHVMh#}fE#a@td?U}@;#i>xJ zwOJx&%U)CE`^9EQ9FjiVN|EW|$Wwv5(eoP9)&OxuS4>i69vtxbq8~zh6-tejHW#!? 
zM!i>Q=9A20yW6Sc!O}%hKd+=IOsuSQ71qJ zi5$CKN_BhLddJC$EDEYd0hINrlP3W=4BA{tLO9(ACq=$F%nur5i{rU!VOZ*SEn*-D zK8tW9mMg|1yE#Q#VX>J=Riv6WNu>dBeXTs|lZ8^Lps=~jG->Jes?9^qAwMaP%|gnm zJEZ~Xgl47RBQ>I*BZj3U7P%-2+LKTKSQm%+`Vi_{Xa^mdO5UmI;5_G>=X~>=Z=Unb zbG~`bH*fzi2n3OjB>%(a<9{E9y_NrA{nPIM2=G4)AxStxLioGjf5=CX{}Ch#5g8o) z-_HN})m`@0*w*Dc=^Ay_v1>oB_fBbkcE2Ai6|dRC_YYs^)=O{W*81y?54Cn(@6lI3 z|I!a1gO30CO?Uoe={Z-P@@V?ME;e4lm)>^B4Lct8Nc0)|&o5OkEw6Fik2XH-Z$H>$ z``>4$pF3&u3pagnK&{hy@Q&Yq_NK?S+h(^XzPImnn{4s}dZTAHJMg#-kA3LnZGVwE z?h}dqyETfpr`P-Ai638hpG%+dqmvfrufJ*Am9#%z`Auh!zg)iYjmg@Zp8c)0_WT@v z-{XII{P`7J{I~atq-wJ9P{jo?#ACHko%r^b?tAgaA>vqr_Voe&+yna zzk9q<=>cC|b*;UQTj8qT>?1$li4VQ!?4y6o9l61YdH=^R*v1K)Eh#{Y);rs{?&)7_ z`i1X*_JZ3l+v=nf7VSSc?h5u#&^h}lzdiuTU$f0`7w`8Vcfsz9SA{o#?!J7_TR(Tq z1)r$DH1=NDYeW~%yZiim*E{{o(0cG~2W)!9XT#qS+nu=ik^J#TIiDhrzHjZd5ApBW zb`iPb@Qlj!dtZC_PJg^?eNtuwfqWu@FlK#dM_|G3Z^oPHA{BzY+|I=DDZy&xb^Z);8{s+I6|IMHO|4{7T;eWYK zr{X66*ZAL5N@_?^twD0zeGljVlK)ruA0#CmOlrGxN$K7z|C8Pe{~HntB2^+jUE)g9 zSP=$5k1cdF7QqCR;TzNOIQH^xhX)O!@4+si1mkWH@P&+GH>dd#RARVcwr2LV;e>#y zWmCriQ!YYbHFE1(wdCt%9q(}&dyJTY2BimWk~O**1oarKGnnd3b25hcOrR9QUbSGP zGf657;2fyPF;nX)o$NNhXb zOAS!~ve(fC#vt#R;}R`8553s=}OV4F}_=N zCye5X$n9~q(&F2gKWVB6;}!a)J>_~36dL1#hQ!T=^o!GTe6=U)byUs z83GNKD2!48rd1ARKcvhyDxBDAq>Dk^w&1az)GD$Zji)l^)ccd6fu{;-6H$6DG#T=F z+Jb$r6>BgcaCFo+!X!kbLLt+qgHSQbm3&;V8)P$VQLtC62%0?BoJrgz$9XH5_yv+4 zzy-@8yjmUTQcTdNx)C~?@@cPP8=_SU9a3US&U9=EDX3E~fI&tWyVY)hQ|T@%xA8#5 zQ@MaH^@$9S_NuZI=H(hD4+*eIriBJpw%zv=TTabMY{f?*RPB z^1t`wZvM&tlJ~&>WTzTWQC}?K3NWlSr)-shvbu{(UKMuBGR+PooTZ9(k{P3eVij%q z!*;$TE0wWhr9sc3sf^wqXnna+7y`BdM%nq2@(3Mrq6W{bKR*u_ZIKrB&d*=q+{%`TRZygp!6 zlmZF86Ox5cQyay&L%WlKN@SXGuKOE#qcWA9w^GYS4VdRozkdaaini@n(25m>S=(RA5V_n&kn{+)I z zmG>qtICm+Xn*I78*k7L(%Rsl*ZP6X3%(RPvR?+2VLDFifZ?rR1iD-@ardG+NlQ2_k zSb7B-5@jsu=-i}RnQC%PsUd(msSkxb%vA6Qu{fujEi}MU+{oJuDf_zM^>L_+;RQP+ zQ@S}ZyrN%jq^U_kY*$q}CU`=l?$xdn^BQ@4GzvpXYxtLS|-@fJDf5!T-=V@;?~-2=G4`M@Rz3NrL=e z=6@%w`l-WKKKTA`?{STF-3{R0w>-Jwp{F0in^)ev;<>x;jqZ2L?|1nB*n97Ix9RKu 
zpB12D?@`JKP=)|W*02;t(X?b+vSrJ*Y$!yQY)O`F$y+ib%(9_uNTIB_{W|Ao%7O2n#jJpQUfXfb zpB~!zZ2r?5h8OMo@=;eJh`-fYf4u(QS)VtKxuv|;923k_WkI{jZfBI{8P4d z*lROJ(K6XressVq)|<0-MVqIlSGgFuL2p19o&>lwFQwB+?WTyD-QtsmUH-}*02zwC*(w?JoYK<)eF95AJP^}{fp$m9!`UR`*N*>Crq_L5#+eUtoOnAM;w6zeASr^`NVoVNe3 zem?b{os!D4y?MRofBqPd6(4eCu6% zZ}#Vv%@20E{mS=${*nTz*G_+P|K*?lbkD1{v>NI1hcUqUe8;DgC*JnvRO;dx`>(L_ zwI2pgQ=fLX+Wz|hi9mM0jzyDN^!g(If6x6tu}S~m_oaV_|CMwjmHe9G$KuQXB3V-x zm@+U$qrW--Q@(2cUxWGK@jq#t(QHKF%D6oC7MB013&Z~g&3NDF5f$GkM12NBAfQ_B z(isySj-{~Ntopey)eB-{o{t>32!|cGNG3~e%xJs)60fjE3%ASNG%hB!zS1bv3qH^? zoCx;FMmwlcLy{b-AdV2VQ6BH6vuRZy$-HZF6;8#PV7XLLJ*P_5u~?xO#T!Zq^mM>h zV;+&=<$y{wsh;ZfV*l^)SvQ6HBzc1Q_jdzeE!zMX{%9jXBo zFi}NHgdF6t#L)0iG)0#C1F>S3QK#AAR3)x^JvvCI)wGCat!B(=du-?zL7@gU1S|$r z3%%sG<9|ukmEl&duhnF)iw2ERET5(NiMT)R1eVfe)igI$Vk!YJSL8iH=apI1MyT<8V9SV>zVhGqFLkA0gQg$;Q-zL-hSx zBc^jzK9*2{GEbyDuvoVzR))jJiLTGu1`MXH5y=x?&f|qdxz-!!oOWhJ3(Zu2>_`bQ z&~p}OMoJX|2(n|q)oecB?}lSIUxqsqy9)m{{Ets8@O+I@{}f{Lj*l{v{O^DGpEUa6 z@xO&iH-G1U%0kWmBL^uXTM`pU3P?A~okZVjsdOC8Q)6y4M28JFRqAP?fVS~KZU|Kc zksz8+sL9q)D#K`MR2U7!Zrs-tVh991&PcP3Y^#*_E48BBPVz2A7?q67WTLWBF17lO zQ4QnCIM$0$syOJ3aH}Jgdm$KzN=XAoBvfX3ZOF@N0?#@5s7yLkBH4|Bg$AF&QaKat zXlOA7<+Umy$Bism#+#AAw9-R6*TM-vOn|X+w@Ma3o1$V`l0(%F4+#=MI1_1xr4q#) z(~mj0+VBIFg>qq2RazpgG%Fpjt-&QgGkeWMBw>8r=Fm|O>s@K`M5RT`tR-rxFvR%OBa8ve&5{>J~ZW19L( z{x`8`{+0jzul+!Qe{Bf*b+E8fqB1hib>pN)Q@K_bhr3W79V7uPh0B4#PHexXEGXF; zHt3Lc1_n)81o;>w1cf-AH~NDpH$bI~?sgiZBnL5-N?67wwrv|=DzT)XF+|Ntdc}y; z62399$|+t+E4BJq!7F{ZA2>!WF-r8Bt(1)xhrTRUNL$IkJS}$s(H+TRlN}9vMwlf= zloP3(qeNW{iNGSHV-A{hoX9Pfu{!DLZ8WBeE}jx#VdDLZPPZ$7SaxHakZaZ|RMg?{ zw53?3iXN1G*p#YDqAy1FFs8Gym{}KGPe`JCR0G+JCz_>!J{VxYU>Jw`6Su#C<_b-Z zAmWL_fDJHAj7456-=;DR8npaK2brORzGM1YYp;6Fddr@3`5jYUe@V~OkICHn!fjmsC2H5(-wmEx>e%vi zON*JSS3l*)=`D`Ru4i5``e2uTslvJM zoG^nvZ|NyV%o(?4@4E6l^R4&G2h2XAL`!aL#q%SYaJ?Gtxh`n?@7q_V~3PcI9d`LH(o!BwA~_3{BgAG zIeTlL|M_Qo&))2<*Pp!eiJj)m=J)-+W6`7*y}ro*-!uP1zJmWv_Wxca`gizWJ(7!w zADsU$%5Wx@(F(Ytc?-e+zH0toL-^tGKY1jN>6olZ@Wee>SpHX72>!?E9j-6;BRk?t 
zoQoD^5=iB>v4A%dP|&6t!@Q>_##)$+2250GOK?%gvm*rNM476!jfh5Vv=ON;ui;gn zkYe>-9dOI4WcH#0;YST0Vlc7U>2_Jx9?12o4>=(cK(VlpDGw`P97_dhs5dNWgS?nU z2FWZ$ClnPlgD~6HO_%GBy|I_$k|ozjB^akc8LbQtwb1r3 zNVJ-SC;@VwtGKx!ZPI}}Xeb>`lE4Z_7BiGo8i1p2rdd$=x*z1_n5!tX+2u2xx{T@2 zxDGdmd>m-fO;ANCXP8o;SKL^a-qNf6S<3D3YK5i2#JMBgfR zl5K={6E#4rx!kwoe@qtjEvq;2z81<0s7xs((3WFJqZYEgTuUA2!@h@BiuI8O#tm2q zG_Ax2aUn8PW*j5OfSnO_M^Y*|N~lDXqE^kZWFQHv%4*iPeCBu9v4b+TQKRt1XXzQM$2^m#HdWEVZ7T{h3L1iP+Nd`s@fu)X}Pl-phGmXP*m)Z(Ljqv--iFO3u?wg_Mbwm<#;JgM3M(j9@G znPPIq1l~4W6Eo^sM#P8xZdM3WXix!=rqLP<^q~6p{+~)x=FPA3|G|Ibe+$;eSMtA! zcS&FJ|NU?MK!Jbde2I1@X#^JEz{-Y#_Q7Gng$RbQLZRoznkMYhcnPfzt(I=UUMbxJ zTqSGsem*Ky8&!lD5UH9YBn>2_nubON{xG0zXH+t@SPtqZeU7d=pS9(|>-%CY9$TP@s z4Cq&p5Kj)gY6*wXezu6!Sd9;(ahD#~+p%#L?Z|vt)XY(Rtm1v1Z-gRdi)ER|im_Ci zqySK*YV~@{YrXZ>8_d)@r>uVR z*{`33-?QZm_p)oO)q8hcpZopR-S-Fc_TT^1m)4lxxqJzGotdwXPs2Cb_Nr&p*@?eA z=$!r7XCGauis6Yfqt10(zbwCT3O~(ZfU7?}8Mpu!a=Xh196Vm~!6T;4&u+8T+ZzoI z)}0QvBl6<=VrOpa!(FQP&3<2bW9_*Qta|&c%iX?xvH94|JM}NRYPjc*9y;tN8$WU3 zVYOqoyEk#Bcj7JF7CRPyAwKa-Vs`g|_ue>kiFx~Wy+;l|VQS*#w^u&m+zb4xPr2#f z_hxUn`|WT2bOXH-JM)cmFDbn733L4B?WOO&@6nSkpSsIN5D5J0jwPC#ytU3&-*+sU z)S}lH`F}C&|2gUZTO|5-_+J3liuw<3{@+;97(if_<TvuBA#vPZ-f)D}oATpx%UpZ^!?5D{a@jDm6&fl9}q5RZ%V* z2Zw#381{s8Hz+ncFoL(4(r}nf=h18lVvS&8yL$}7MmY?C$ZmNURvD?(?W*;JQR}Be zBhU6~rbE_XMDO(ZT$OGibj&JBnk^y40-e$|)9PDQJ?o_bam)?!syb#UBb!9@hG-d~ zhPNubQ_u;wQj#FC9i^HL9UEC~I9(|>234m}7}f`MzE~`&fRyO_LLwrKfK8?ADGN6h zy`LK?0~6|Ms%}=HG->VM6T)%L@E3k*3>@9=3T?%E4R_=#@;9!g)RoC&*lYgZ+kB zs=~QusaQlHoJkHQo(-l>gs7BV9_3YCsi(mp-%K+Dx0s<*3}6?aO1TOWjOh>CjZ96h z2W-Q^zU%&qHTd4VeoygYsPPG;50c<`7g)~{8 z*qCMCK&f7hF*&5l0Y7yG?t+pNS!Y7uXfd`!@i`3gO3%l0tLAwVuojMK0w zH(N=XBOEJBcXPU5DX8MaDZJ*@bWW-(J&DED)_`OS0hq%rL+@5|EhIIHt977UipAWX zgEip9n1t9+$|Y0zW>+IY1S3bx(946>c#M;UBuX-glv3jSS_KIpiyWYoi(xYHOK9}-F}D#XYUArt_OjYv4{ zI6cAqF8hBr=*|NE2a*44|4%E0k0)-Tt`o4OyRA}5q~rwVabnm=gJlzg7nWP_NvQB7n(awBo90$t*FwPTPi6kU2RgoI<6v%h()&N;K!_9>8L>TdA_WsN^`ATuhMDs**BFP7?0rCAuImV%x0+ 
z`5_o^*=WSXtwCC2T9DUU(BajuFhG~4eFx1CBF1JKA`Le{*%?>Ug$7ub5>9T|WXi2v zIpMazFc&A_UcjV~T)~@I$8eXS1q{dy3S5tsD0KjL3Q9hQPWJztWPOvYZ<6&*vc5^y zH>rOT0>kmelK&x-^}j`-FY~|qv=5*A{`ntaaY4eZYg)z(@_n5Nrs&8$!vyN_i>WeQvwIzuic+Hyj8dqF((5zW&?r`m?YcFy7 z##1i1``Rad|Js}ncD!&G`?&|=+oYDipM9Y5#7oQ0I_Ui?Ul{)6lD*H^aoQehzQ#;H z=;_1nTYKu>ho^qC`d>cfmppy?achoZAFTe$nFoBbZ*bg8PcQ%JVRu0437c*&-(5d{ znr`oP@d}>567$#t=k9l=Fm0VpH{9xghsvuB?zwL_$=qK4^?NVAHvQ7AfBoSZ)0RAM zgNN3B@tzfC4VRsNYOk|%H(c}0;c*YfR}ki$bbtTc)-s>gH;@14_#a1Ze(pxI8>g+c z#YL;G_RKkFNN4T#{B6tJ_Sx_x?5gQU^BTf*t&mXMu=?#}1y#HG#90M;S&wF6g9gdiR zKDzA|2W{DcSNLrHj!!P<{w}rQ!^rm?izc<`^+o<){Q7?qllgy<=-=UgAw!b>56=Gw z%bW@;S^=3j_%DS2@2lqjHIhF({-;h{u8C(jd*VLu3(Nn^h2ekk9+r&IY?v67`exg- z20#_$11RsL8v!UpmM~1?V=mJIodHX+QN9Ni>TTS0&}v$N86z}9qg!=RDNjIoyau`) z4vYnBnC}Fn)GNb2D`sWQB!@jU7$~f#+XPc%V?lzeK~8|Ws@LuKOieaH*_gQBmQ6(zV&|op z4@6|8Oo3>du2O6&rt^bF=(+-FNPSmj2i!2B4H0{2`Ea$@frptvMQTz~-v_-4GH#c8 zC_t(_%})HaT02(&!wB~Zq!km9uH8Oj-kG2n%CdtdV@JV`(a5#`76CnWP)gSaD-f zv7`%QukWDwTo$Mra=BBk#D@iFsI|cY!GTy<{a*_m|4#qU0iJTRllA4l@xSPY$Nv^8 z-TZ_9E!6zKY6OzH;Y)lOa9~ZMykxC~;7PpW)tds-6}v@Ifb4+kLpYi+CAucXv*;L? 
z@)Kbww7o7R_S~=u8C7UvXVl_;pvhG|K%-(`Rm(LlDu~t0h)>B?A#Rt2(2lqBnw#wU zR!QqKh#uPGY$nJy2CCZW0ZJvW_t1gdwYnI=k+LyHy2*wLxAZQUl#n4ER8_)aihLDQ z6c1|jYC_88v4lsOJ%ytTpy*Z7Fj8(s z`9zLZ@}rPpi7quj?P`Rkoh-OQTpkHs&kkre$Y?QWS^zO0Slp>t@yJw>2UIDrSSDO9{P&c*Qhm zw{`dA-==qBQ|05`zBq#)h zzXAUv7f1d_p%{rS`1(8Mf5$w#_OEx^zPaVJ8?LCB8-IMyTTd_b6x9A?$Is7s_t3Ss z{FA!<64z|K4LkqjX`8+E@$>OL`>#GkA92C+r*3w%{njnV9s0^8yXlwQ_smNd-g||4 z_DyGPMLge8FMD^h!`{x%+iw0{aObOCBBD z?yif3sdv(M?0wh+E1ado-i9Q4hmklanmE;&rW@BwIiXt`szTY;?3n~2aTl>e9>$6Fzv+TP+`_J*e zAI~{##%|5WmbvDPpUpbtz=JmYm3j_x-h=zxbF_L&_vZ7eTYq@>`t$ex6aVws2dVdL zw12qE_0zz0=B_)lnY#RmV;}y>P0ib`Kj5h~55MHiA6@gp(>q>s+-|?QZLcYx>rdEI zW_~_n=cVsh&U~<$HK-scU}0lp84?OIj6UF(I0tb!xztTSKhCBs@G>Ou6@vlp&Q_H z4_p3x+dJUMZ3}lkvwOAv^wPh)_tZy^tzCc9Y3n|E^);vEzVBExsYS0Z^8aGk|8uhc z_af21!~d|B7L4oKg_QLf4 z>?36w1yf;+(^N(5;!H2<)OwKWIj(7rv-nUc_j(O0LyfXE zx8mM`CqV z?{kEw)_S9SiRY1evI8*Lg5GtIFauWNsYcO7nsr^kIz!%yJLPV#r&cRHH=FMAnTgYA z+OrK!jg+Bdq@;1CK!hHkd0K1O7euTXCA|{Ek2SKd*&JC?crr)wBf7@fgcXm)(Lov? zmHJvotWrIpYC{xE4?P*^=h9X_og0$lL1~aQ645Y=@~Ko0E>}X=8i5s}u9P)ZrUqut zqQOBu6~-A85mk~>4P(#+24xKYcKnZaGBVvD6Ge~d^Hz$YiuoKXRa`yW@Deaq*GmOq zRH!Lq$bcDTXj*vAMod1I7;`Bw831)B8sT`qfv5XHnK77wFp3Q_eud59exGzORP~ z`JvhyQxxAz=aLiGE4R&rTkz_FYylm!-|UB&k}K!iISR{TEHp@|c$TTT!-7#`3TdgA zsM`tO?xI;DXEcqD+txcFU5g|4$M`>Ot*F>4Sc zzvd$r|7A7fA1eP_m~``Z{+C&p`G4t5KvfmFR~-rf88;=_9yIEKl#~rF84o5BNXLgc z$QXf2!;otnUP`&OQKsx=>5MkW1%W!|xv^0hG(Ft_EOazN6Eg3W=wfQ5pl&^=a$vT| zmeQC@M_DMJZzEo*5OmRW%NZDO1L=$hT0z8eJ$G!>03q#qa668qjdT}wO0w_CQaN1k z`-oobia9^oC*$#2D&vPxI6|XliL=Fef>JRsvWZRssH;X@!TDS*OVh5g8 z!BVIjUb5NGmWBfF4*E*Z6Y^EbWd%_#)lj`&wJp#Fa($1ELnSo8nlTa_=Ms_D=_@gk zYPV}n*B+_uM&BycV=g8Yuym`PgBnW7iqXxi(C@j91{ATfOUJ4MP4&LZ{-6Ks|68d3 zpUFYFJg#{huQM13!F^;zXevr@Sg#@u*d*$tyCb<&8su`x+7Q-YAkoFZpwVcMFa#GZ z$}Ac++iImUNygE|M7bGRj7V{{s+a<6A~$M^tp+YIhAe9moj?+G01Z?=Z}q@TBdCok z0i@QmwJvA)1l%2r2OLh&EL_3-EGr_8hfZYe;+TWWhTxz@r|r8nplQ_tYa*P*Ah;Hf z5qTfg?R2l@B6KcnB~LU_z3t*oy>Qkzfay-bO+hAzmWy~xRD05^v_ltiIE(&hW3 
z>Y$t&TbaC#NOBoU*ds5KCF)|eJMkWgL!C|#51V#|6NHghH{&B%mw;T_x3alTQ&WhV z4^_MEp-%YzIO*FO5wt3lGAKtWdXn=^a=uB7{Oyi9Q!8zKk8rjAG#RuKOB$21Tyi}cRl}azwn(U-&uYd)@7zc z>1n@yb?4_^-|N;RUp?m%d#f9u)1O&$i&?WDO5bzjN?SdR@Ac3VOAz9%$3L;zxlbs; z#p@oI-S_ODUHS+3;F~Vr>G?T7t(|bUvh?%IKYZniYtN@Q+-s-3?NvYi@vKuGyk^G9 z=YuztWn{_I4gi*VXZmtlX}fxVuO+9`&pvm@rVpHW(W85ucH`VLf4kuYn{4?xeC3&k zef09{{v`_iv-_WXd;8xQ!YX@gw#nnyA9{K6ltY)C{>pU)>vw0~`uRP>6B>h!@0t5Y z?C71=d!5^5qm7STZSCTZg==3sthzCE)cN2ozdL35KQyL1(SQ1N@yR!~5W0sqU)cX5 z__O3=KRe||hp%$!5$pXbxApz>=KneVC*Lq7@#*UAHC8z~d|(!F|C_V&&sDd3b}F{g zaZGYg8I_nwZv zuHHsw9{P0sr>OP8!+7-1>&5Q+J@fjU-OXi>*`m6sa?m=n_qy)GT~>}Zt9|yunmyvy z4bczRx%{QeV>|3IXZ=4i`)|i?_{Q(pk2gN${3ABLa>fJ6OKMxZV{N?|GV4cMJDZ-; z{%ECk_vpJyC>dWR?zq{zO zn=0pg-?3;?i(X&k|L>Xq#lE8dCq9|~7lr-}{#Rn!I92$;`Tr1EQ{jw8k7Z8%=KjCT zSI+-aet7(^F!8*3L~fK(W#RpQ-op6*Ch+IZo zxk}(lm*Y&GoH!>J1j3hvv4iLPu?{bl8ik$$F-XmHMS2uVLq-B9wv$qti)jiM=xoGu zWg%gW;%1?rk*#dcHG4_0*^H1fV>coiZTk`GQd9!A@B~E;I>iVuiyd%w}=ZX51Rx4F~%4HNS4x@nC#;`Rsyag=73YCnK z!oi`OrAKw;dck{Xyvv}ihIlI65< zwNx*JWFZdJ8u|bo4rpHMB59_R7-q+9w>##VLBNi2x{uRoKW8`iLZErc1R-XSXdENd zMpaG~K-~m^LbDFxs$Q$8L`YVA9wZVKt{e^HY)>5Ig?t}PaV@8IS7wXFS5pD^!B-Zn`H~u&A$_;%M{#X7-k3>westeYANf}n# z3T(E7U?SCy)2(FF5+_n_JJ&NKyitw8|4T8Ng~5OU8+04hYS|*$5|}70`WdDyX1ar# zNuk5B07p52LsI}B>nd58!?5v0M9GkGbK(UE& zH8?g$ickfCBsUHiWToXRofsQunX#Ua$tER>u;z5IA}>2JzcsRJ&Hx>S1bQc2dFjE&PT$YIS;)?xzk`3%3onviG%@xsMFr`Sop;XHR~Reel+; zp8EJ|`KUiVz3pA6uDcF8WgezqB`k3k_sAI!1zY@CyL)JUvhQlIt+-Ql{d>>5=dtB& zT-vko`I;}C^W-WUzC2cU`e5pZE4Y`%&uS-sbHg^7+=;JWxXA~` z!A;&gZr8Uj($72z-<`bp?71Ie;5)DUZYA<``m@7-EZzIkyN@jM>`C-ne|qtKvyu5@7Is@raPzPidGw_Yl&@%TxFHSXnmADw&Vdas=@9lvr9qbIA?DbLZ3pA@ZH6%Wv`6AzuK!P2i3G1?a8v1<+d_ zUiP46ur-HoeigE_FI?q-W6!(GirZraC<@VDDtF3j+?&rzZQPBoxOx^dr>kfT$zmKvfZ+z%Ee?eydHoQlyth6z7 zCo|{01NK^a!(AHZ?noZ;;@g)kvr~`T_khoq*x~-uU)W>i&(_)a%+baV?K!u-?yWn$ z8Jqs&(vgp>Gt0ec?ons0NIpG!;TM~#Yitf(41TyQe)P)PD9aU}nz@v?Ue`JA*4u8I z``*Fg-O&pDSKj<wZ)`k${GT4aGR`SCOx@#=BN{8}+w3g7 
zdf2_2J(i2(S1#$7kDdAK%lfegt-3Ebcb^^S{^`sE*WPQD^^ZE^>Y2a%*8Bgj@&7-I zfBp^r6Px&dlktC1=>Iz8MhhBJbu<6(A-CUaMpf_Y{9oK+dB{~bHIlUgs&M5n!^zmh z!LBMZ-ro*(`LE$W;lveSI;ZjI#KCo>jOl2B89^5O1>eK|@jX7w2>!^fz#%)PlV4m_ zS)-dp4Ulv4i2nizNgN$;BTugu`{tX3=&M$Z% zfT4Yvh4H49sPqiow(}*tA?M*y>I;06=GdHCO$hK`A2iQsm6C#(ttMQ{PyC{$qJZ2` zVYwlX6-~u5oEKAAFPylP+8388%L3dSEa*E`EfqbZH1R+a2V6D(|K0;hVx%t>qxt{& zkUB{(_&IB*{`!G+N1(_87vW@7BFZ2w>kd}{8hN3sxMc;wL5}HSvV|Enrzd9wEM=KF zbBtG{`k3k<5~*1IA(xNm1!z?E1cNRxAd%|q#8r5*BZb za-*V9Ee3IhEf1PR)TYgd!v|U|Llo-)I80h0kn%=#rai1P;}%b+YZ)=wqa8Wm(YPS8 zA>w(xX4B0i8ilb?Q%sRk(1cy*t8Cun1;ejkK*A7eYN{KLDY;Q&)Rx$h)Ezsl1O;{m z%eE^dldi{GgQi56(Nt8DT3n$V=QD(mAxB2gssUqH^E;v56G%N`^HD7r3L=(_M!Y0f zOO;rxhNlfj_Ptytna;|&N<2}~a-&QQ>}PbZ38#Vhg7u@)j2})cD2>j3QGERCA(m$} znp;qu{MV8LJNlyJF!6gypx!mZ>`+gs@@Hkadcj*5(q8EMWCuLaWP^f%IY}UK%G@u}FskHI8GtSt;|LA`mHD?q;Nc zhQ+V|&!(VeIh*R%YjiS341su(ZwFPa;`+rb+*jN12r9&N%w|wF%;@8x)d~tDsYY-? zN=M0JK^nVolGHH~X(ec*)BrNIYL*~kl|(7Sb`#xB{wb|T2AwE3d1oRF2yNF%DNM+9NdlH7K2z3!5tHX|xmT=#87`h9l9gWaD!sbh!i_--Yu)~CtNeazqr1UkLH3|Wh zi8F3E3^RE;Pf{QRRT4STHz-|FdjZ|!%%;S*d3KzQGKLic5_&yZDi9@g^gm%1kwyjX zYr-rC|FxDV+Gaqv6gV`3@z3R z?NUVzv<3wRP^_#4LnAD-;}y9Pfmln4YUv(EO1vq0Dqwp8XxVuPbURK)VSS;`r<0>T z;^7>`4h&`x8r`?f5zFB10PqGAQI20Qv(w9Io>Om@a_ypm zSgE2qa7IqCfz=glz&f!a>BDBO=`z)}k*W2Ac2gOR*a{F&YZ(`dXJEY4bGfpGq(Rh| z^R$B4sxxqD3N0u|j z19D8zLYh;XQBSuz=_Z$Tq?%v$ij(|jlK)KdpGp2R$$uvK&wry9RL>Vj{}(pt|5_ya zvj1zE9PGLn_`k?_45ctQPX6EiF9iM<{};9x_`e7w4##6SP9op2|Lcqyv+*})ZI?S{ zCZS?egMz%44s{J^IQ0pE-V=C7)et_ovodF8|T%PkiveBjofq zPhWoA_xB))U*7uE*=sz0%ELz-{KhHMwhUGx-@Im@vn!+5KH61XK8J1m+2b7c_>}UN zZz7wVFj)G4^T20*a^_bN;XOKUdOcOj|)OT$SQ}an~L@9=7R~ub=U&PaeJd z!nTT<)r!J1~_v*Aa??3bPRd+F`-!e0IFu3Im=m(%NhoLm2e)ba1_=Tz^QfBFo3E`8N~8&V%!uuUHN zzGKm(7QMd6|KG3w3x&}y`MSx_^nYpe!uY>N%}{J9rYj)%e4~&^>p&Lj#FN7i(OXQH zOEn52hYiz388pkSWSG&)r9gznX#rwzr(4#Ei7V%mep4^wp_M}7c>-u+4y;2A=vO5e z9}|?**Ydp>NO8piRn*uvLnOy~#sTf9QBS}lXP|_Ga#I~PXspEh-4Lk86qg^1PN4_E zWU5de#@S}o7-Xb&Q*aZ60%lVLT`Xsq0xq&jkB}Xt*iA+?JBNECi#35{R_@7mTeC-@ 
zsl;ooA6=fV@w#5^-rI&6dg?OdH#Rnh)lYO<8E>$~dB8Q_{6>fy>L?_Aym^$odb-$QsRn>7C z267}^PIldaTEl`m-pJR%bT1rrq%ux4`}qblOb&;(ETRya?mKXGY_TqwG1Z(l9?3?+ z_W+Nr%BhBrsbI|-xs9}01&5yB0qd29+NM=4%^>JF?L>VXPn3lyC6ppL+fQWNRIiPP z#TXEB?RJvQRY@AAMn!=HheKiznBT_#m0s`>i?H@jAy#Z~3_e*${vrFn7AD>Ng8?o~ z|Ho85JD_{{UaMIHQiIN*MU2}#Dl|&ukc)S1Y1o(aJW~qWSgNi#bQA!+f6p1VJ7CgNunJa6P`ya z34`v+BrUse4T9r<;ybMd=`m{7WwV~I#3uqmVxZDJ7H!K4AEcS8+0+7#Kr^|C2xs#Y zPg5KV+XIJBmNWs-YB4w;&y@I5t*VMRTx^VLB^KhFDO2q^eIIg0Rw>jf`6$E`mbHf6 z?nIz)YQ7W%XiORckxq1c$d&M>M3I?nGbxTo+Ayn&O?W_yFp5cmo+nzlLB>=XF+^zh zgo2;xX$c9BHwm!@#9|O>xlINY{_g)8$qDT1=D$_{=Km^kO#WN?zhaK0(RJW|8xHqP zX2Sss;4ob@k!~d(nPUZOa1LT}Lf>sm1!bJ)qaiL-GmSv%lxuxK$1+l-;>FlL@2FC& z#>+sRMi>FA%RwrJ<5H|b;7DJp!G(AWXY*FG3Hf8UXz-#ads(~XSj~yu884HJ5gC1$ z5OF|;5i{u|FkC^xnw56bB@tx8>csQ&^FqcQb9Sjb1o`5`7U#gS*OC2ntI+HCL%bo? z#fAjb^=2){g{&Co)n-FT5LU}p8c5bnCyKs8+t$#9StQx%*?na!(o&SOlu@?m*K4TR zHxv$N=2{R(!Ezc&WUBFkkYVa(HQwr%TGp^bbCKO3(H_ZKbx(|8UDM~9*@W5cC`zo; z9hO}KsH%NU5^c1bA6mRQBx+IUXSZn(ks&;JMlrBH&v$#25{kbmKS_+r5S;xLXO6dps!@0kCcWW066 zk1ko^XORq?w8@oo*1M&<=9#}+>lgcMu+n8$@3d6$xz(O~XT{)VZ0Dt)JblkM_Pg46 z>i=W!zQf(7&xY{_$`nvG1Sn;%7_ek*wwG*6mON$2VoI`xWyzLoOP0(iqwHDsN-#z1`?hwzjz$Y=Elj>cf03`EvIaH&zj{eUVZ!Z{m(t|tj})T`HLH7F7ejKC+=P+=Wcp;Ys!}6 z>Jl^laPgVDeewS6Ew5GXzUS68-befmmSFN59%h{Wx8Ll4{Z{v{UA%q0FAliwz57o( z@ya>5O^!e1?bTwmdqhesYi?u9oVeLB72yT-P+ zRnK_rgT3Bgb};M3kCxwU1pRWn#|kr6|Ihi~(tB>P)KT8mwRtBI#iw@kZk5(~;iS=y z+M`ciHSgI^(9yM@Z94tXgC1LM#X}$2>g-eNPp?-wYxlLMzL)Q9VQzo>{3Vv(>Vq|( z|8N~t)E;hz`zTi)Slk8r+q!G5aMxB(ZK1bwz#31~Z`t6Z3vZfo(zfv%PWkx2TxnlO z-jmq)j(H1Ku&3QI?+WU;O=hi-etN4FcRKUdyKg+@4mY~<>Hr>m*C#4PYbVa`|w+9Z*~{4iuv}--W{*M zQd)k$Ll<{0nv5Sm{$BqVbN@&5oBlUB|Mka-f5-nCRwyz*yZLVkcFe8BhF#N|{CWzwf?2k*uUK6SpM0Rctj{g=%KvgdHdB9deamup=_ERRM-DHbIPW+Z2%CQ4NbaZUH~;V@DuNzb?*TXr)*sgz7M3>d9~61tJ1E2Ka% zA(Uxn>Y2D}kAqeQZJRP0_C{KgQL{D8MBxEmE$16#$Lw^qv=g{uIzDm-Kq_A;en0=q znjPAY%VVyo6|0?AkxTI!TXPtcVM?_Uo3G)nNg-9GGAMFIF3Xe#aGj#GJ~u8IrKSbw zEGR@&c~lyeX3q3ZgL7=p8T#@_Zy8yMj0ZSr5uxp1a5fHRVimC=b!zFV+LB42 
z+88HeF}V^qMuAk921-Q+<4tVPLWQFPK3TvBv?0gSOe@l?L1&okw9200+u>l)2^wI&%+oy# z7}KQ&lg`(~j!70Ef-FQ$rr>=q|I2@sVn_d+Vyi;8@vUq8|NEAOzw$ru=jVTmRBry^ ze~Z%pkv7ah%&f&md>im#nt^b-nWF-+NZG1~7JaE~_PiKduw8QGbqf=ZYBwS(tWy;e zF%TJzRHyH0m0Gi!YqtO;?fX2Rkd!>gxL6g7+*+9>nw5-_jRqrIMcsBKf1sb(!Y}>XQH)(9!cGB2Qnl!d;+n(6A+1SnmGdJ&9=brc8FVC9Kv;J#6 zzrCLg&3&qdMTH77;|#m%Sr{vUWSb{-33Vf87NzDVsa7_zQ2Ak!Qo9&iaa_cbJIe4< z6F#|`qhREv1PP=``X;}2TBt6#7&_+M$aO2O1GP1Ofa(nb>qy zR*H?_3M&|OMv8MkK>Q^s*%wYf`%&xT?`6Ad z%2n%oQbVk-_U1#456GKmr|&Nl+*19jtKVc#6hH-v3qby_6)UG zlh3!>^J3!8bK`=M#&LzSqGe^9QHG$(yjCpAutP?X2zFmTv-KA4Q}FeG8&n>$=8-B7 zw9Wp#Q`S#3Z2BWQX_FQscEK5nkPaWoj5^zK9{Aq@vV?{C5uRHFmIr-+W6^gW0FAM| znUOnSC&C}$FhR!Q*Si7Xxdq^O)bM`Fi1%5L2gKWIlvt~PbE+vx+ihI&GqHceN9{o8 zbQg7+jPOA9Ln}+II!iIP)~_ulGl!wn051^S1LVgURV&`sUd2FP!~9)b(?0WvJwVLk ztmeGdFekEFwt9HedChVqX|VcP_)6N;?P9Zu=hqCw3Gn0XTF>+SRF?2odGDvr+T)4& zwG7Dr+`M*ug9#vX*e^!Rf1k!Nu+u!!TK(p9FLqob{OBNWL0?@CJMDKB*Qlc8N^k-5 zsiOWmLI`5zqqyyNtXaQoxW7Ld!N~$#rHteNz_Jr00lJ6v#{^b4!?v056Kc=eM-`=p zhI@yX0f6z`nD%JEb=G~x`I0}!bHfS`*k!7ELzSR*^QqS&wyR?M~KE}JLo z@dgLX2hQ~F-CJPZ=@)j~ZkBaS7=zQe7~V+P+)XqMb@aVk3$7ZkTF4Ig=can)wL*98 zTM|9hV}8h#(*952{6P3(yZdTi(&W=>{*M4Sa%9*u{RGeXc*8KGb(;!|X7+U&m!8Pk zSbJ)FL&@M51bls+$Jo&KzUO{*Y&{pc4+;%%x`}4FXzoit>Aarye#kG~w`+rWSp-%B zW9naRd&MoILVe8a%cpcrJ1*pg0kC zol$!N4^bE#ft%g$pqUenL8R1Ri|y9Uc);fSP&y9tl^!Rau>X5Eh{XadRyPK8jHCk* zfg6eH=U>;R0^V${*2GTJ(Z;dcGP6Hsfpj@~#f)ANQ_T}3og>mb}GIa3@Q%2Qx z?=0&I_Nj3zgk|9D_--@230d93DX+tXoSEHPF?~7I8gub*Q6NfC$3;6*!v(92bUwXA z*h1XOZ&(AXSNJ&NJpbvk@enfvg7~!b(#L;sN?3(f<$5)`HDy>Cw#l|=QXys(-`=DJ z5Wf1t4J_*M@XJ8dGZT?i`gR*~(&Onya^T}|4r&#UQXPC5H8ShUA>xXLKbYg=DS2CS zDJU%&oF2tib?8Ebnu1Zq3yY5cK9bue13T<&rle@Ypd;zIYmb2)qtexr`4-pu|w7$OuH1#)7@B29G6-XGXS{qAH% zY;O9FfKe}$QVoYZ{)MR7j2dEIUGhiaC-l<>q%G=I3=cvr+ALC}{Wz4swZ+nL_J&xF ztWT@PqM)wm#OrIgzm;2$(zGX)F;*5hDJVc~q9zXcV?z+cfS^DV^+jG~>gOj`>;$3h)3-hKyectvHJ6Q^ zyl-E0L?J(BC7L&^^fP@hTN%cQuoOL|f>Ml+s#&ixM6DM$xlA=7MVbB5S4IM^;>?Y_ zXXyEYmV{Qt_VYxvL^E#}JQpZhZkzF5N4zxPf 
ziF_z6DusWx$v1++bzIAq5S68tIl9zb<+QSSVVf{TyA}`-N`!`^(S!1>NJ|b<5@SsA z@)Htt(cGjc{1gekHNlbRoKRysQ^FKNx~Wa8Bqq^* z!2WA?{ua7Yr&=_ZybUdKiH*ZTJ|*p!C?FNs{F*d62HXlFLiuyqGO(;9JphSz9w~(kb|{8yrxG zlU29Jr5dZ(IJaf|EP34tdW1!OEpk4Wo_c1xtw~=vnoaOLD-EdGbUW!k#d~@=9x!AS zJkH7vAj=In{uCk!|82V(@}alwX*m=dDbhSnZ8MLY`qemVTgz`ekQ&FaO*V5~-8D@F z8b=ux5`G*gHAGG;->CVX)o_ZvF*nV1Z68(Zbhfo(`1DdKx<_^$rmq+oS$pxgYy2L* zA^Z~4jWnJMSim|oKR?&&yoxci2zjibo&oHyb`}T6>ZAyGtkVNt^!EjSt*@o}H{4#k zXM#aDPDM|ZJJWL4JyTGRK{apN72#ONg!)@Wd7$HW$F+&pN$~I%e$RblY7PH+)5DeS zl1VQ93Yh!Vb71oqzJOoEU90-`6{zB#&S^7eWU|Mb#A6uv3FEFyus$$qKEGkR<66Vr z{pjoO0MM!r_N~E|Od`*Q(J>DRjRW8Tg|l%#VPIujC|E9)M@T$uz3sY zYB!<5(A^6wv=lxH5U?FO$nBs8-A=w~c(z-q0(hN3(I^4jk3hw%9c{n;axRMy*lBN< z(vOBfF1PlXWq!}s<|U6-K8wuenAV%e=`mnyx5onsi#CYX^!cf2rzcRzbv%jV50hcm z-DbG#|7YbMfpWvgJ^~^cK36WnX~qdSa*9q^AN*#cM=}`=1`OL3US9ZKZvM(2vHF-`**UscI++aRN)s-j*ftRtwTVIVEv#3Sc?`G2Vo8dP2!YAj z1YEs+Sg!>r^_c6J!a!$+G4CIN{Wh)gmY#L`i&VYyUu9bGZEXonC?%Rnxsz1fO|>Sx z4)vl_?`_<7-=d<@@#vZ^-6KOKv@-s(Hq8HSuHS-;sDkz&Wn+n|4vq2g^@vNDulB6} z9otzW4JX0RMNLU3y=1(A@YlplLsV=4K}%eMiYoI9Eyq@+(@)Onk?OAp%gW=bk=P}j z#;UWc`OF0h-F@&?O05zd6e)3{WLT?6e9|21qLB+CYvIE%sV7=$n#?5)L}Pb%8S!TX zr-WOyhj2EGX1)!)cB)d51UIIide~EMP6wCl{5csU$ao0A{r*tvn_>PkQ+dI19lQ%l zgS2@XYZF<`QvzZl>S5bDZKDZ4{{?KY+V>E%RhXUdXo6&8a{9RHVbtCTn4!_1R264< zI=Ao%g!JWQs;a16Dyg=GjEk};s>%&vQAHNY)MO2|6bY7rWCqjpIz(~d3I$fB2w2Sy zd|F?shmrjLx&PBC^ZX308vk;^TQN-by@aN{W)d%eVr&B^+YWzf>-PT-<{tdK1;h-vof-d_ zD1{)36ev^0-|xo8W}uKkn@G+#BN_B#$+<9Qt4x4mEi4t2$y9AEnjtf|#sJ_i;ZbEs1$(DehUD zan9dn45`qW^rztprhkI1QZ9VNaG7cDe*D^uzxz7&78({~^>?Z95t)4JS3+R@lh$HUd8o{WywrtvRL3G4 zlNv2Zv(bay6sx(ufJZRps_*sZzx8YjwzW`Me|`dl6I>90N?B}#m3BAkltN}Ll&WKY z>RG-=;Lr-qJlJ}QUe4QN)CM6%Vm_iea&;PEoy?zdT7Ji}3VU3)spc)?2xs2YmZr6D z_$hhIU(EYGKHuDIp8*Y~L%niQ++;wbCFUkSS^alXB0IbS%e1#d@eVUG`jn{SJ~>r` zf_Bw8_MB~0rTdIk0g##MCvVC(wUSi~i34~-lk`^zsc&^+Ymj)&K4gcFIu=!wvNo{M zRV{~QrW|BS-=zn(ipt%qz8y+L@LW0BG|!Qg#94fST~wP3cB8X6(%!0ltubLxaaWpW 
z0*JCvwVq<57H%=DcZ=)Dr(dd2Koi6qq>3Q_<Wcfbgesf(}cioO!ET?dCmQN;hN0d|6#C^N87D%g+%8y z3!DWe@;TP7&3U}Kwe70zZo9bL4L#Ru`^cHmpAmK++cdPdO!xLOe~jm;;dcVeXtuj; z(LKJ*d+7TOMIR5wakT0^|2Q8;Ve!4b^ULe+@gdO>BO$4|S?)gWGILvv=e$0bq4zZJUtsRYR(OtKsp{Ozn;E+W~(N2c+}qvW{?oKm+&8Mdvy$^~}}Q zg8v;&R)+IjZ{0M>3h6%I(oFLmEy5z}J{fr)uijc-F7>z#qes0SUM<}=Ok9=bq#y#=`JdiqBWr=5POl zil4xvpj54dbKtO&9Z)MgXAlgem^2<{3~Ub-j41SMpL%dJUX2c2GZUB_mxVDr2M*|n z5^1`GxHrtPjX^x{Vp`mYGQcK7*5l?ijU#?c&N^+mWOC|AklC~%_yt>4xH!@dIP>K3 z3sNxv^-I)EhfA;%>(C8A%k+vxT$*)@5DM;_J5T%x&Z^UtQAhm)@zx8|dQF(0BU690~}g6@Dy zYHXu-x@0Oy2RlT6V6XzqPgh}}an3zkE4}!<2`>Fxou4-S8Bjva-bFCcddCQRCQ9;$ zL4jrpGs3rk1<99?E_y+(eFN*l27s5B>}jVK1`&4uts3)ifv-_wUk}QKjD2xxe^7sI z(WH33t@bY-Y6boQGY-mw*@%k{A{{~(u_&GgFUVh&||m)-^~Q4D71@?D4?U=I=yNB+yozge%@ee;U7XksT|`{OtYJ-ZL+j zT~V`iYojTjPE}(!?>FP&2Nu27LcgIdztVq)-p0tLej zwiupJ?6H$t@4j(!Ffs0~4o0(n{Gm?Qv`k!n;i2K1n#gYt&eA?Bx)Pp67hshrsrT{Q z3(38D1kx{Xk_lSNasy}x`y6aO(JQP8)=hG`Hw29^&A$tCYHJ?&XAO3W%+JM}saMlv z#HUzR+PmxhS&io-Rkz(wujaGKLj=NabH$bLJs88YtgQOWkf68A3DVUuksd_WVfE4z zJSgWxApNxwm<^Qy1i#*9kFH_VnVH{?{I8uwtIL(&m1eQVcM zEXxxVvHc>&{)0pGK?3f#qLyHb9E@)<$y~RL9p-s*Kg4*`n^p+kZ#=q-Wmt@vpwH^2 zMjMKRpyjUvHTq6A2cD)?o%GY_Zl39F#=s)?P zNP-`7@wtN^R>OlHSl(-Io54%fm~Y)5EIgo;&v*1ZirU^KufW}zH0ES; zV>UHW#8%UCWf7Lj*^p{6@0J;duYCD#yBbT-t8@)*=_@<08HNZ$x@I9Ovy)j-sG96- zy>d(D*k>QSog6`mSni|*sdjYh*`tN~H;em=Z^&PvDqH+uJY;ESQ!v^K&ZL>gw5ygO z$0)<;wbN}^DrHEy5V|C&tW)KhziVeOaEGg{Ag;w94J%R2(c+Uq94K|;$2kCwXiTkj zxs?#;$t5ZW-j<5iYzoJgznz;<6{B-WgvF04>YeC)C-0@iKgxiEw?aZ_R;eL4-&a>X zt&Au5S==!cL?rop9Z4|uY{+0t)aSDeHiH!w9R`hSd{Zkd+4DQHb71LXXwP|zw568S z$!!kj8j9=xpKJaC^W#Ku4y@$l@^L*9=J>L6u;8xmm7N<1Mxza)Lj5M%6AaD=PkpA1 zT?b%LWl&Q4QyAaCJ^@U3zy&>h9n;*BJz!9>rBMCT;qea!M}GUAo4v|ytv7j8J%=@{ z56hSsckm}KXZNxiv4ae>Q z_)@?9Hx+F2Djm>m^??IY0qmxDTx}aUzSf<$)DZcu?bS|FIW#$R`655wk&z6QP-|Lv z2mr&Dw!6Ha1yexTT|mK7Ki}mn6wMr9g5PMw8xdgOY-IZVA>Hzwj)uu=!(t=A)vK=V zZZ$U>IyUNR?e5>AEiCb&@55Q2tYZMU>ULPucW&!o+^<;mYSVaux8*hEy1I$I-pg(K 
zvN7lTWzb=(zsEN8F2#YR$Hw!C>1t-IY&CduV7bXM*1%_ot2Qecc-IAN9n}*fQTAN*=TGcXz2-9xj31?}lopUN9O?m+mJ!uYlh& zoBRA=3&Q{dNejr}{R2GyP5uwa%W2_i7{f@{V_||ErGV?0(`W5BPs#0uZSC`&Hwlx+ zXy)uUW}f4L&(prQ=Y;(r1?;Bp?49Ni3-D%pWO>_U`%twA>x$3xD4L*`LEzVJ3xSMk zw7jCHPvyDh=IN9ju-7&|OUaVYo!@^zq z?)rgp$jEKRVfYBRApInud)z=fGjm|n8Utxxw=%twhBD9yO9YsYOE8hL0ns`$!P-~_ z$LYmg8{d2kcV*P#KrNd%(ri=%yZC%2(FP*f9dQ_STOr`EvK zJnxSz6daB!BeQ@I}I`1kTVyC5R0C$c5SMV;ZCIn8J#iF65SzK zl}>XQYF3NpUJk60;K*`poV2YDHPSVDjCwH-%)ET06p${8@Xga98sSBrfOK6ISlwv}8!h zax~$vuWaIzY9oP$c6{N^1^O7FU9%qEmkt`7HiB_7?Rqr9aUDsxM#z%S{O*jot`&IQ zdL?cx>C=0>Igv`e!TolcyMw-P^cB$hQZm`bKMQYZ)fFD=N>r?e%vGyovqn{tR{Qr=4G>QuZ?gF9 zG>{VAQ;=|us_2@5UFo#UC}A(59z>cP9!k}Dgink{#+E=PQ*r%*MIa5!hg44or-8W? zEV(x*9X?<~v%`eIo0rGtkTuE5HS`6JdneVZ#GS~IRo!!*LpsUyLo*8@>t<>)u zh(=hcG2EIs^$CkPEA=H8+<%xs>T~;)lT!vWxz#^{n-aD)K{zy^+z(;%rj2X%H9hhT zsRm~h2kM{bO_9tZ_N>})|sEHE{ z&l(+W(r(N)%Lpn!$h3JBkx<@Cr}#pRb&v6QvOGMMEMgiEcTX6{CnBoU(p??B-Zvdk>E3X?MSO>br^!XgY$2r5_RIVbHsL<%A7)oZHaD zW^x{;1Dpl805mf?Z-&cNEeyFXpB5oU{S{UDL9Zp71Ss4!47tzSGP;I}l0Kyx-&M7U z@@6DKfx)F!?c09mlbiNq=Es80HU2fPN=J$T{&#f%=EmVkOA_~KE8_C0ce_1(me^7? z_ce(aZi*(*z{IuJ_TK#KjD7dmgip2Kfg#G)OFma>dV}W2Yx3@~^l9x3^9FT*$NcXV zZbNO4=VO_X+J@I(6MBNC-3*#tfSXf&6cDzKr?>m^Pt9E4=UWu}=j}1sD}(Nf7ITN5 zXBG40&o*cE+s%yeg-xPCqF-4a+q||PA5h?%tz5IGRi!zNQ~#bh>o?qMf$tRFm%^X! 
z&j+?&#DcIwX7`aK^_pF8LkGBb(X{ua=NE~c{De9mhj&AX{@{Iz8A5@>QQ!~!Rvjo?gd9c_C!iL&l14>U?kVzxfiIY z1Q2qp@mkx4lk7a75U*@Hx%eDDe@D6S25#U`X{3Gcco>ws{*Y8qdfxfv z^daNgaDR32ft7LF%V)z+}nX3ReT5pDhCG-ad z(K)WCZ-l;Zl^hwRmq}REqwgI=(f5lV*K_9|2$KVgz+v}HHBi!iQnNL&b z_x<7IT5hvHo4mmP1-LVyHQ)|!c*@zZ)xJQWUP)saXhjbbT!T5W*EIz6u{4u_i@9F-9{Y8hlL$O@_;j9tK$bV9f zgsNjUCFNYHF-i6nD~B}}n2VC6Ds_+;s$n0l&?+DaN8;Fedc`b2bZM)N#`;~RD4;-> zmR0H&7Os|B4?(^q zbaqdPQMawHC`E+wv2K?ps|ptCj9X=;M%&B`yw=nzY5IeH9q z9wY~=t<0U26bXGXH~|qFp~SOo#}$`VjJ8yvGREmtIHwqH(n+ME=R>%#1+|RN>m7?G zb8Bpo#^tRA%}jte%UNiqAd_q=RU&BdW>05ZdLwfUdj+Oj4n@t$-UL54gFhy?4sxr& zOginrzu-@73s7k{k?NYqErr}*ijshC{9W2aD2(k%Um4fUwsw|mE3J9f3_XH85>^nB zw?XeNmgA6Il%lXZrMz-4m<8pnoynZwBuF1+RR70p$!ziI%tnsh6;V90PXYSzt90aS zze}M+qg2)e>c>^vI#yD6Mj16^+;iK%JbrwN<+Kydbu3xOWO{f0p94C0H9ynkq~%ub z=u?8ii^3}71j-g!$;g5tc$wXPkP_E@rD?95av;Yj-p`t*{ZSdU{8#PkVJBCNl>#A4 zytzm>aSI z>8UwRn`VEj*{L0uK{32|>Z9%nm_QnHO~x*&D4!r=>w;$j?f@huV4A`uEMdAm`bbLS zW>t zRxTgs^`{iQ`@ao~}XWpwPcv1rFx#cP}hpr?>tcN)-Kt)9@8(a-0TIjOK;TTa>qY-k zjPUzAtc#&uV%AodSs%sT!SF$~<@4(Cci(PUVjo{fANL!6;2&s3gVpSw<>=g6mmLZo zU*DI;`SPU?V(6Bwk29Q_B={??YSq$J!klo4U%d_ps!BCYX(5VE<)>q+_OXMcn92AKY`W@Tr^H*aM}s%rQ6$ z=&y#@?li59OrpnTxh-E@k+gZZciS9na7!Q$3;Tmv-&KA^(lEDOuBJ*ixT9ZQOl~?{ zZwPUAJzOy5_@Aw$`g(VG>=>0Ig{;04^kg**HPjLc_>7M?_WeROI0mxRHrIUboLQ;eFc0Lx$SRwMtiym z>MU+vLfY@va^(zxv2R`XJiTV#gIt1h?l)2zn#dlpTw5_aj;Yp>~)rboM% zwb9PD?@P}N$(nmEk^-@CciXQyv-g+V=U4E;IXL`NkxxSPAJx>bSNS~)c480)fTQQEw!4Wwm&1Lx30^lTt-p^DqWe@NSGpM zeObKYN9{S0dldd?jbWQ7P^IOkMfB%Z%hl6oc3V2h_T*?M`Hy$HatwQR7H`X#o+@> z@u;T~rb5G0eS`mO5Ea7oQP7+wK9;3V7acK` zkP%t;QzZ9=F2d=FU&`&Y zL3xG|0=<{XoAuf9Kqh=U%)u5zmvU0hYGxC&Kdgzhq^R~o>z-zsqz!XiJ~qM{fu>NJ zSGtTDkG~sYx!aLXiWbdK%`by=ZrqlcRgCT8!usop3gxDUUP)_`oXY7M&Cnd&>haH- z<786qt@6y2>Hd7%7t2SsJm>u>DzrR96|f7+EpSLOJ^TznF?=I={X9tgq~`(O0Dh)} zNBWk_I24-Wx)3Sf;5H@^7x2W9dCM* zk$C69@G3W+`n(ec>mm9ME}T(|D$73vB{xb-nG+GF=LW&_Z|Gu7r#y4>sDrnGq^2nb z3{S5Gf%p0f(i`p+NMY8JES_J;Ym*DbWgpgLv=K7C8k(avTDF)gHO#&Ydfh{@##_^x 
zVoN6)+b+)E+w=4qV_MBhcUlfJ(tKrZ0p)_bz>dnV0oXJ(=nzZiw^HRTWBHp#cQTtb z5iMkKUVT@tAHE36z69!ZxQMYEdE!x1p$DdB4OkipUbLDmNTkp%D$t?b?``_DaK;tE z5i-@7{lUvdv?UX_TKwg)lQqfz5ZZ0}AP6w4EsH~CHwpt)$-a^njh3~ptLez)L-k=s z49KDG?FasP2#viR5JgT(&I@aLJ1x^|!888$2wl%>Rqvu^kE~3pVuF?Sm9LhUG|6Iv zRVhMJjG4PiTe^Z|0e4l}BEnx$v|c6**c7A<^kq`NK>n=!rXmQ`v(>UHo^>Vaq0+!C zj2IM`Q0pv)%o*wXu_~|XI=qzTo-c8xr&jI^HQkh^Cp|&crpASmr(JJ;YPw}>yNil5 zo;?Q2O`PUA_5I)REX+WPO75Qkf>r!qWt7iV(v*d)KX@8>GK)TMZ@EveX8NF?Pi{tHm{!c^)Uj%raP4bl$p#9jkh6518wW;otbv8 zslw^$nic)K84t&bs!_+*W5`_$$L+vq6tG$BX9)g&Yt60NS@k^*W0w2cd}$V_-}*z) z-)*cUnxdxa>YWVSEBc#PRRK z)vC?jhff##{r=j_w&FGDotb6Y*Kb*D+Ue|`1u(pG+Ye%3em{4Eo$k6$;o%W@Yv)IK zD|$g}y%@Nu`di9_HHGGZYGISPb^HFfy_2&QCTv$*oT?u&F9e(clDO=5o=C*sOy?lA zUUz{GTP6-?x~^k>X>?m{R3h_5pY(L+byEK$4UaM$qkJQPRQhTEUn5&lBirH^ zk;_`3!1Hh}Zayy{i-)g6gul0Jhl{6#UFP;FO|9E1N2j)?pqBO{4ui^iQszn*FWSy? ze&O=!?kdCID>O|5ih#J+A*$LOVBEt7pBM&sza>$#&FVaMlz%I6SypAHTf<^BQDeuy z@Z*U~7;wjWxu@#TeY~k#n+yJn^7P#1lT)m<=|J3q9q~tc#Cgs4BfsgSCs)e~kZJMwxIh16XES>G##gx)(Uy3xkAC<$j z+I{S60P`M65~$Us7s%u1Np+-ygkkT!6*OCsyl4YxMRXQ3;RUD$O6B>Rf#FN@Ln~ z0EOiwcGT1|T*Hdls^TP1w9B*G+tIpTkV7!m-zuLF$8n^-6NRgZyHr~wFLKCj?x5OhnJd_Q0t|42T>j#VBbsun6ILl5Zg2Jx& z7iq(I_{Epq>@py}3LxSg1XhM=tD}c0w62D5McA$0>NOj*gzv}AylJGCMFi|N0}MbkMb!H%Q*HDwqjUanR;6 z$>5fvK4a!k!gCrcP)}9~U0mEc{5PuuU5cc8MX|x$?rI8ZyHvQMg`~LT0MySjF{Y)( zsI~zL6SnablNS*OXeqYyKowN>Qhf- z6oSkN*_hgYc)cCjpsvz2U#md^kFALgEiBqiz!cdVN(M7IVT)$Nn@RX)T|+q*Ms>15 z#zM_OCOq5@%d#MgB>Gz@0@E;knpAMP5d_Sm9@%!y;(niq#erRlJ*ScSHThag+AM~N zdtLz<>~cPGs@)L)pLu2KSRe=g_>RKE2sN|mQbN~rpH^I28jS;=Z` zq55`QRo1pu@kX-)f3c@kIE!mNB^=fLr5#q8bkySSyJoYe^N#>VA!mLt0$BFD;hUj< zmffRDu;Z&?i8ifFfi=B}4e64SAvyz?U6@8S91Zn;H@pa=!G=fh_UmRdp|ui+0K2j^ zJJFg<$bf@JdA0tM zdF9Q8dI(u|`4CxC=k)7*=x*BChy=t-Pmbkqm26*FQo4-T<2BI;h+xp{iFC0V;Dkb& zecK~rG%xc?P4zZM$o++y@il|ay$-j=gT7s_wyIB%kkuAz?bk$t>^JXNyVLTzOwGSG z^9`S3eob8+pWdX*nhll}pTuEC|KH?UCYxoY%2fSkdQptkOZi;@VO}oq5&s_|!Jv zkwwe>smg6My2a;Wmrpj^Z=*PMdpO{>lh5Z`-}fw-Z{zwUbqCPh)it@*iL+>{ApqtH 
zcv~pc6yy@d?{R+fTOu;h!`lw1{R{&Kzs)PW;V@U!zP}0kvkw$$YQ5&Q{+nsdYP@w; z+;o}ps_p5%sctR7c||Zi&Yi26N;K<}e<)?iyTaRH`-qG-6eRop6uJcd1!~=}Iqj?& zEyJmzCw>{_Iu=;s+tTv9{;BzK8g6*$zQa&D<9ppJAvx}b%QXph$9`MI^2#6E-la4LK8hW!iSYm3<33Vk?BspHEBzMvg zR(|JzNWa_M?rminwA_(jbVUDXZ(HJPEvyyLsH8iw_F%ECJ_4T=7tchcyd?oX#$K~~ zA!*n2*^(XX?~>SG`1ICakB%ZI_|geVs;eBk*t<_7SM&nwU^<73_WevL>-GK7d zSTSYY?oRgYp9yPT2NWbiQo8<-U{LUmSApboertzKz2vO=MMy({-{Y(5-GAPZ&4!@E zbCxTgnFC2b{~Z*f$Pzoy1`ZGmy9_o~eFcz=gT818i6z$ z*EQh8&xfSpAn4&GH!woymkY6!k`u%II5^|J9~?oEJ?f$tm@@3dPd-eQrxm~GGA3;u zPxmL7TQjbq>L|mvoHmKWTUEA5BIH2{cNI%U`Z0`YLe!P-}rgs6atYad-vU zzHGMqR!L9z{rSSL_`fnjdP35(C8*5k7;!uGcR0O;vO}wcXkLg{4vo{Hy|tRLQa91) zctW%G?*yHBA)G0H-a-@4)K^IXPjO3~au#IK1S>FNfK9Vb7^h?xC^q2`qorl*&j$f( z@N+2l>ULIU@ODduM!J{{#ONWk_NPv`>XO*JCCPHDcl7qyrjm3 zx#Bb|%Ks-*Kbc00-fHLIgOyChU{Z7`@x>}i(dl8-x1D}tmMwU(GTQn-KT zED&l5{0w_^kRdKcLn!Auu>TT0;e}A3_u25U5s?%UWY(-)UTn_CTq@UMXnsajp`WLe z2dTo=38(G5J#EgPf>9`LV4Qqi2%eZks^1e9Hi_>Y_70E%KU0ATJ|13n1d9Jt_UQFl z_SkEJuh7y}zzo5u2}7i7oA+(%;0wL&!=6gb5<9=OglboyMSeb+n(d>?7TP8En65ce zHA4=~gLoFYII2bq!}6 z=ij8;e>5rpsV6JCtx#wEIA@@>w@e2{tz^|$ew$y;(k>GuvNTZgNapi52_ieMivLbn zXja<{QvYteg0bJ0b9L_}4SkN3M_c^fQ^+;dq=KfiHQ9#Ca74i+xqgsEsw^ceTdE3l znXvxiyc&G2L_xr2-&EaHjc+LL1HoS7f$<2MEwob2FHrW+iqXw75oOFN$&miCk`ZOT z$E~Jb>^WdnKPJv{&J*<;8|Nm!0D^X2#YNP-sHuZ+9aGh%5e^CAPy-UVgHP;MP9O)i z&_K=&PQ&fopp;m|sbV>26U{B!WC+5A{ z>sgm3Zmx^oDuD`%p|h~lWVe2s0t!^xRaI{Qoe}RB#L~b$Ox7%@P;e;{)E<}<^tSUt z@`nc9@E~AU?ZdGLw{4_fGsuV0^==2aL(O8)i3;Wdd0hAoS+Yiulm5o|MTXx()`a|W z&vLWYZMGVjfwI28i`{Mp4rR2LkK>};$d5niU?!1`T0)}d|>^hWD?--OA zm|Sl0o_i**xV>*i_Z@{V4v*~W_TG*KBuYP-);L|5m)$m$X<=V*Y{`@W_#doL*IC>> zPvFG)VoS$CEYBue=IU(`-U?c0)M25J|JmjOsB4={H>Ctjz5>?)e)DOMJIothhr2 zxP0W=5j3urEMYpzYTBY0^B_3)^W5Cy2Y~DSRt;J&wE3Rqh`guqX#`Y-KiZ<(6-j)q z&V=<>3Db#3OQMf9Z9GL?NnK!LwZ-POI{TS9!V-IGP3J~KvRJMfu`na(HCj`6 zQOEjNxa;)-dFI1p##&b2_qG07uyY6boaOP{ex~bH!gNQ_pRPNhqroQ>_pPuh3v`#c z&){+Cxtld~bn$EcQTJlDOSoIu_uA5@5T^m9R>xCxBwcu??nHf`edt2I^Zlqs9=oTW 
zqLTmkiSH_90qnWn7y#vQa*se<9}c>GdpwM7vM9TqFpOi)ZSFURwJQ>Gdq3xaW2kYt zuUZXZ0hL5>W#-yF&Zb;{ygJZ6a~!PyHTaAw|684*?=djp;2jxY63Hjr3Hm(bS5Ij# z`?~}8RT(l7n0QHR)|?;HcivvXy6@nb{oDXi@E00%)!TrcRd7oR(Tu&+(p&C8c#se~ zb7r*TLcpBxcypB$gQ<1HViG4=0;hw6Xbtse?p)2zqT`fGuU-49s;i2?unR;0Tk6fRkooR7E>V5lA%Gi= z@nHKaDOXIUgupK|Sk1N$rNY7;4jkn0Dyepc#|zxis@;_o9EO7uIOopfxe!$kEo zaA1=HOW`RA5~Dh})HL^)NUIgN*#ybl^`vphpS+J*yDH3j*#yYh5%IX%T_Js$AWk`%dpx(L* z36w_8!YEtQMycBD1LjJF(Qp4aC4TCLE|s$|Z|9ubcZZfi_%AG_sN?M(a{^OKCbP|9f#L5s&oIAbX{5ZigLV^(WYa^J5|vIEJ* zus7z~KE`HF$97X>n^vn@u&&P`bSUICS(PuvaAV1|7_${${#{31OeM5!`b&;0l<6;L zhNl@!>RALSLSgJ3+Td_^rBZ5w@SH<@Hej;OP609%cp^D0R?n3j|2nE0hGR}woeZRF}^?7)&Kuk~6t=R|ei4E9>Spp%)Q9#o1*S+c=MiEZ zMmFFKQfB(bPz1OuTt|wZ%I9Jteah9+-es9L+iUaE4GXkSf|M{&zLj$O8DwnhJ=l}! zT&Ty#uRa*cPyN={6UC}olRA3)HDAtbkBMAZQj}@MO3ZP;Q$$0OK99EdICGtj; zzaS(mm4|7eQCnphzE+}BK_yIw*CJFt(qK+PGdp3N3zrUc2qFn86+zD^_v11`B5)xE z%dm#voku+Iw%e?`42Z0qE2$&lHSRhIY?IF&_iBF%|B_3BIc8b(9Q7W$|82bP#WM@F zpl6&Q2~t=jD?V(-Z*ea^ccBuSv_I4yOOQ^0=;Bounty7qEFAWUnHHNKD8Q&Y#E<1i z?@Lu;j3he0f)08Qkz($&+XB8?n|tZPk`-01Y?V=!-oo-A>5IstQpP3)*1o37^7HbT^@LZ1A$ z>J-iKn9tOaJAA2M(*Vq+;@M&ZBl^-Sr@HAOq#6<_tZkWEbDAi~9yqjRiL2gStTPUVF-Zv-8>W#mW$0ku+PsD3Y&2V)8|X#56mww|>>c~kn3+;> zOd(N`#yyM{eq~&o@te}eI6Z7!?uEBR%IDrJERzA1l<%GuC*i*xi%QJbQ8F^UFu!oq z!k>YSj(W1`>`Tpqrn+}J9NdBGfy%~vB^V3XwfI{?7~}KEQ->`vF(E%xn9gxaJ^b}0 z(_g}PPm(`0m-(5b(M-q0=R;g9+?eoggkY(j6*dR(QI1U$_XNI`?mF9%Cc_^VLvQ(@ zYNC&AF;<7e1SrY{15h*Qw4_Do)oNxb-dP6n3{A|sgO(D8Oqa;UJt%RON8~@JsdQ7s z_6w+dC;hk%>X9al#OXo$N@4m?h8hVnNiNM9CXofmC=J#9kupw{J)CMq1Z|UW55g?9 zgO!Tb&snitCHBq|vL^>XlrUW4Q5PnU=zkbyNSog+{kVSOw2HuqlFTQME3y804eU{>_?rE=)b@~{+Eq> z$XmekN3%iohwiI_ui9`04^xZvy$9QX@|F$Xw{UFzk?_<5rcqsc-$jQF*fHwXA!awZ z{Xo#T*mze}zYpn@=055WDY*Z784E+pzMq4&kgndaU5^dFs9oKkJo4QbpWbA$O0T~H zyaWU{{cALOa=&k7lHu8FNu*OB=LHm!oDjC&?mfzEsS!3^2*c7otcIUYoNhWkfVNu< z$B1lQZ|zL4aKDDju)2@nDWiI6tR4$Kb`jZdUDkItsaY+tpk0OYtZ8Sg9L_P>xIUkJ zAixf&cv@usyXG+(Tu<`4DNCGcdtigKx*z@XG+i^4(M*Y@eSZ;r&C~Vv5IE&-HJQxT 
zgx8L$^KkYSW>e30RquARNtDfg6LwkOU32AbJqn+!_Ijl;o#M7s)m;6UJrA(UroEYM zofAVGNZ9YISK$P9c;T(SzMAmy2CZGqN)#hX$1nZnuXwn~EU(~r@4%rG)9l_nn&xSG zISj9Cxparravd%@CsP8prN_xs$!#g|?Zv-TO;f*ql>uUwHh132+F{+cYUiUlZ5ob^ zo;}+Jukeb(W*Mq-=S8&376&z3C%SBMGS8Li7eYx|Y+V>#@WM)vLNg-#cz z!*Qj|+XW)P^|0jLob1}xz-&Ai)veR{=sNS+`YYF9HsL$Hgb)bqd82zd|HPB?qy$bQ zzN=$;yxKVKw%b{e)tVOFk4-xB{c*c%{ zD>d|;02NCGN_=BgYJqEL26iIC3AL*KExFFqqq=&Ex#f?V~LI##RWZdNx%hQ`YYNJI}lvTfqCLo1B@-S7H%1Rlzi6_sS)i| zP$5sKDd-qeH80tA%>dR$ff!YEl(#g|r%1+NKsEHC%q$^cCb2RoT*DD#|4uWNn#;B~ z|I^S?^RmpUKWhWw__uCR)X&!oV(ExpWFN+(lAymFI#DoBF@tL6l5Pfkrine0%~=h- z&gB^Uiq#uU0SGodjjr1=6xz}wqD8nqn7T0!`0IiYhVA@LV1<5#n%|p)s_=bU2_gNf zo|AbO)(eFR^n3^psHyXvv1d*Y!W$QhVIa|w8Chi}V}ivYEnyUcn{|B1MrurwrP&3U zark*5oM(c+(*I$UGC%Z|$#L1_$4!$=au2}9odY%QyIpEcz zivyAM-B^{VWEPXV7XXm}_qS>{aW$#d)x%1U0lHDo8hG8XSl2~Tny$|P;S{<7!3?^vffVq=5)lL;1|gxHO7Pt`6~Dha#%iRaYc!d5u4X5ntnC* zt9q$&uzt|RYg*ks2p#0qV>Q&s6Y`wA=qe5B{dKu9J`}RY1h}I4Z80D?qRxE<>U7TW zD0EBto78I*(G$oDN@0oay$SIUT7wjn+EMyi!8>3Lq!NR)qj4a@=!(@Ba4$le;-;hQ zb8Hq;U0XriO%kUCa(Q54QwvTaf-r%1+`0lh9ufXTqXZPq3D7t&0XRdJ;ttt=@nWXxFI_8?cg^0CH%sSyd) zog5ShqGWk_FRd_;rp*(JM(^TZZ}1qQiUr!_`Kkgqg9e|t(ZrMV(D5iODmm@)KYR&^ z*5fS9hz6?_boa8cDFD zWh=dhP&K2MC{i5?f~0HeWf4D?X&TaVT97!cY|vRy zr!iHe&?T5WH>U0#^mV7mUe>6Lk}8diwJK2)ak-S%k*eEFO2Z{kE);w&@mB9=v?S6Q zvZN(3E=R!jb7et-C;wadZQK9OY;C|ao>e8Hm4!GCWl_aj^B3Z0NvVpbC~u%Axlh~k zQ_!>xgO#@HrJ#M$G5-Z6$S3}tZL$bF3iiqbUdn48Uf^W`^`Mc3NHLIr2%mU*C&MGa zxIe?vIp`t4^w;gIY|89SyI~Y21TO-oKOY~pUw894T*(=3ll8?PPO(z4*(ywUS~!}W zBb(_}tq;)QyzLW~=d9QpH?f1pC^o$Bz8KSASAGUhYc~{Q1R>cvjyZtg);rhf{L*qi zCORx!S13Qn<_TWlSsP&E;?UyS>n+s9*_%H(i~VT`ax10lWbJJ{Jj-R!`~{(&wZ-75 zY`xoQxK^d=jp3U12V^KXUI4BHk7KVfo3>U9(ElHD3oh+|bs323sOsN3 zUD=oYVAg59R_a|kZGowHR<)1qi-p3;o1JWLx5pw+QNNagWNKtOMOR)EXG`n1xsRxK zdJtFUj3T3#kPxM0@V09<#YK#&c|C#c$=RK^rR#jow?n;t$81m9e>jBQL^zOD@tvmz zsjOT+{0}>yw`MY1m*i}8?k98$Elf7@x9g5|bQrQ|Gd%BT*fMWsg~_y^ue6^hQ@40B z*iDYyl0OL#+nd4AutB_$AC2ypWB|bfIwhstEK73!BIEA z1KP8`B8G&z1MbT<+Y6yaI=p&o$M&UM^`#xjsxt3n5YM 
zk(LvxwR-v)9SYto{9ZcI4XRZmS5$TD=Mp{b* zDVlmwvJ?@$=?E@y3h({PY*ZNOVdm>^32P+is&Im)FEs>j*(*85LR*oLx+`w+_^j@M zA_y|=87@rmYL!VlMTg4ioh3qM26ro7oLn11F)TyvJhA$zBiSyO)+D}v5?%9vcIc0G z0w^I>yI<2U0u-C@;_(1x`&DP6%A}tiI#yAzo3*&I9E6+KE(}^E@rp`JoT9RrM5a+y zsKJ~ujhgg_jHh;61CW7D)2AqT)MWa*rW=cqW!wGup=Wi1ohy~_IDisUl8&K-bW^6H zpF$!(UBk`+GGD_gksl=lrngy)R}c8DmyqCoCFRnz!FPX#E6;F#OolhbpOH8~|0K1N zO;n^fkCP?z2c1JNC!Nug#EDx~UUlg7H5peV&2KT&q;8A_bdF=zUS!2mNBGN;hOY1xIoDKqW!N1vAW{)0=-si zE}a1iZr=jYdbk-w%7ph$fn2z}S{TNP<>b(I$t2>G;|#QYTFG40O{% zO?*sx>Ug4=UxXkS`<;$rl%=Cc$IbJu-R zJPbUd_)qEeqy$hz`$+h;L2wyUN_RxR6RNsbtWv(#1JjT({$BW?-q3gVQl0c?rEuM< zgMZkp^ehK5Qr#`OAM_%@xh@T8DG0&x^G8}<9zp3rpf*+#OpVE+2Ha}JSc*P7ScP~x zf4i!2nUrMJYNwp@-EPWO4dtnDKH`HuQgu+R@rW2sIca!U|NOomCY5nWUeR*~{`}NV zLWx-6Y>%&aVi>-N!89xlxz(X1@ejY2ze^EqD62?6mCDR0bz&B}ruC735SSv#ORkB= zM5y5~gC!2OefFGq7)VVR-?_OnS4e+=P@%JzStv1}MAgYv<&xG2#U9t4%Ewj{Z;C0_ z>36nn$4Ho%Gh5YIGtJul=qOAjN%=vjJ!W#V8-mh9_o}0;8)5U!K_`FMRM~jCe2K(& z{8`)CNFFqZ#{+_)f$A6mI%2Vl0v1ZB8pEt<>RyorlE;YEZ~HIMr&z!Tm=&|>B%E2V zk~L_0A{x&$r|TXq4Q8%}=1zaANDjf_Q0*n^1y@IY7HyqH+{UU*aE@jy@BUg*` zh<^g9uI(^7A=E0-hZt96 z1gA^R`<257_eZ>52UeUC`QKm+V`m(dNTp#1KFggj2egL%QdDt&~IQD8ee7I1Lfh+~bM4wS9 z#9pB$S8P7WRJBLLC~3Z>=G8fG8D-&Kk1}O3a$>_7%J`>wQ0F$L&DGlKMdal& zN-asV+Q)OU!uhTQ?h2Xyb!Khfg~zk%m^bfbR;I^C3zv?cxJ7mCaW<;MR?RfKp+i34 zmadkPHlic$v`F-@<<%;XjYj^ceHqYr0)AV$9C$Q>0<7UF1 zYvv?zJ>$=|n$2bBVUz}~-Em}LAf6Vv!@PaB*2%QN8Q(Cl&ZDDY4D!f>3M&(3dsVNw z(z)Y3u+OBqe`?(P-d-<}ZQI>sDY2P`?UMX3pDDlu2Jym?^BVyynQ#nTTCLvYPCUw*zwl~av(QgktSX zSB%4_r{&pHj}Dl0)*xCAnv*l!f3^=i^iT7c_VNIlPZ`GXXg6%1kLFjM&*ZOHlb76| zWFR?2c<3xVO|T9Tr@%|8%PSwR2f_leG3oV4Hb zJ*U6ue0^V%lqtU^FTps~CR^_-fcr;*Kxo~1r7^=p-i-UmFtRAnVj2O(x`>;{D*U%p zx!?&_!hAS{N@|wYJ(da~7#P+OW%TM^vU1#XA3~{cqg=n`C=)$Y(WZL;plm$XIQ-Cx z!kUSeI9VY9=SuBrm3#iejPPX3(1G8q1dNJP!r}Si-KwnbUbz`oKL&C#@>A6d*90Dg zHs>`M>QBl~tKu#wwQMw#GgaY7(TrF|ITg90C<>k1avcPUbL|mg34Oh*v@IUuI|d;o zvu#p3n}#FmCk1f#QexH1Ngaa=W;y%LY*&gRN|5S<95R`zl{uT}_)Lst*ODNaI zOoYP4M$}`OC#Fzmv)# 
zeiyNs#E9|AQ_{{BvlUGZ`F;ClbY4l#KUc%C%T9-1~)YB=Zw4xYaendh~An5jqRr?n; z53#Md_K5j+sFM9>a;Y*cRY+}3It)MeQbNfH+zdOcvu)`p3n@d_?;9zFYX`7kg!gam zGeJTS6fX&+YMSIcHD_*Qyil<|6tfMzI)nrCsZV=LELp=|3ntR8LqXzPpc=g27GWv^ zHftgp=2D#x{w3hl-HSDe)@4jIUsI+C2@K&o>FLq0B~SS-D;;0lT#76tZI$tyr%*L9 zqGQWJ>)W*T`pvMiXs`wh9*_qOhv0*n6^i3X2ud%+@3p8?$jO&yU$NL`>WWiTm!qEL zNuS#*XHqZhOXWSx={nCShneA0LkznI9)N#{kvqse42oqOJ#{&sC8R zH-8bAP4_^Z?OwoB_;6FZSzvTFaNMZ<%WTT3ytDS}YT4xZtFn90Iq=^2Wi5NsOI?lK9FckLzRpC7Ge)(?)`budbU+i|@_#n$TbXc6sQQ-66l zKc#L{Yk{kycL{0T*)d8j+12&93A??>bz40>ywrX94aUk{`cnjucum*iihPYziG1PK z5WMQf^WU8q+&xOlnuK-_^7>^Y1@7_e&F{IcoZF zhAV(`Ora!kCfP}=c8x`V73|NpZuj1Z;Ar-v+pRRuv-;uew%x&I@8(}#1YO%@@1GY- zcVXfASkycYu12!uWWS2MBs7oC)Ed?w1w!GM%X-`_E)ed z^B?Fc5SUoTud5HbH`1?S;J42W2PVx2CKe=AT~GTpo1X3i5v4IpPqEAl^f{2YTpVO* z0LBREl-+n3*ut5Eaf2TwO#%Xgz2xhiO+$tF{Fb*L? zVIc+n{a+C|CcY}#j!>n{sAD%3IZ1da+$}x>LK*S}RsiFK$3N7m!9i`7MBj1-dYk|s zZ8!&{FcnyR_Yv-r;HzPx4XLp| zMn+boD7kl2Wp%EH4V={I44|13OUoJTXK)bR;nFBj;y<0uMHlBv(nPV8&>fiJC&TUf zf4slwA^og&9{jKD50f_M#JKz|;cz^5EQpP0w6 zU9jn)_5YDYmXIlXSwPR7Y-t1uE~rf2+^e21x5y|ubPB(qnN}z%C%Y0RuDG8gd)~_| zmV<*vtqhvKUPk5f<$g#o=rfjQZ@!1Ut( zG-sntf&t?dC8EpzY?BLvBu(sYBE-Ak@K+$DD_1Aw57@!kVbMn>oCl!o_!+z3lJkYC zj1gxW{Mgo2HTX#>R#ONM$}gt;!kCN~oP;MJNvnO4SCk?4l%_wDXzMq)*&r18R;W(o zi&@%6yuwdn6V%rt{hOx=zJW4k$}CV=^*BhCFsi=oce4DVD=XR3_-YIr%ba1!!V1m3 zo;(-}77pgmC^HIX+;c=(gc^O$saOBVjo=h-Hs1VpWDfw ze|@W2e}0lqEyo2b`IbHEW5$XM3grtcuiYB^?I)rmjyR8rsf08(jxvPgbbljq9F}e*I^ANm<#sLCG;?? 
zMy2bG2T6w#$0$-l^D?tvBBrV=4-}~26?$U~GKe+Wv+@yj$X!UQiDp6shv^xJt4p%}>)e?`ddw=8`W zR42ZfLu76NKPb(>uPmd;-+U!WWTizVcc0t_!BV`U#2*;|um!#r(QhLkyih1Gq+Tk%A79Cm_^Q99NkhI-c&7TMdm!2eNFqn=yJP!X^6Q(BUPRPv z!hSwBil%X*<2^yM!8-xiuL*l>d0(-xb&OG+#v4<=4knQ*r)mlr-CU(~GTI|8dSx4XRO-|Mg6bW1<%uP9FC{w(>_PN zq7!sH0g))Qtz>S)3dNc^ACz92EjOUmz_-Rsoz0gvC7lkl!A-XIi-p5wjZ)) z(8TMuow&twoZ0C+xa_%S`WnW9s(M-Al6$Y6<+eyO&nAn|;gtRl?VJo3uBqJ~*s0Qm z+V;4rKua;zYGl>7c9}3~y#^R3!d<0kGg|Yw2E1kO10*Wy&jn3tlQnre?Ozz4yI4Hq zBD5S_>>thEJ4xZCxvXgHUT1e&?xnkYTHfQynrW)<^*$rDT)H*19k#z)C!B~}vhBZk zdvmp~ZuZRYw)+3zZW#Lx(s2%3;5pvcA_BJ7jT;doagxq5JO-t(Jf*3_vTItMP+FH0 zmmAIwO@IwE)-o3Y7d4A-)0!eQjz?9^nq6&;Z~p)YCl@ z{j<7LqEXT&yO+{chcmZrYkZUI z&7RCC$F$Ak#^-#Jm*bPQ23^xa-eK|XIG}6ZlDx`Nkq+kE`ud#WBrB4*^H6CvldgJG;=)x9I(j% zJ}VpmRt&jbFE$JFvqEP6=jMNJY%j*3i zy9sNSHSvRD&LR{+?2<$Sbc9pZg|1cmJ^50w$REvHV3^{qjLM~q=c+u-!=-ZD4ipad z@&lvlz2k>8bM?D$jO5F1lxm40R%#c&D}+chc=1FazK$V4?+=8 z22J14f>@o!r(E_&7b~JBA3``A{B5KwRvi)6#uo(zAq3kqGZ|A7C}_oP%biD$`$>%c!bR?aL_=RiHqJ6 z!(7z0mzvYR0Y=|D@m!V_1$Dr+G+QF>;lNxZGAd9v&>rRts?n2WW^mN63-3X9;_%Oz z&#*&f6>rI!m|Sj)YejqoqPks!=J`uXyh)`YAO(Hg?`;2+R-0k4c5k8ocMhB=HzYil zT_eId?LiI$HouS%*lkypK26aKCZ?v6`HNHAp+wD43wAvA@*eL%m|I>NC^~KWrJ(JK zSwVY4e_$r95~PC>j0sJlzpCnRv-ywQrTNakll!_ceHz-B#9SPj7maB&xS}O;?%ZYQ zwOL!CB;ooitm|UU1NTYW=uiB(6|$zfqmjF6l4CdYUe0JJLz+0Gu$W6@-8$XcW zPG_F9au+M{B+-@y_2|iG39e~Yu3#;cEP~)tvOKD$9zrrT`@XYT2Q>**1(4?WE(@f8 zAy5y?q;;DoEV<%_<-8R!ORSUT)>kRP$jH06uX4%fV=PJojEC}WbGBsaaVs2m5RO@W z6}b|?$Y)RHIL0R4L)9xrP?^hqf#2$Fo>ApYp*tgwf8Qac_G%=iv1&p-g}iBI^F_m; zbrH)K;!xk|TMse03sNCSrt+I<8uJ8%@nfVOs6vL}s*;k#Z}O6(k&`PSJ@AGZ;!x(0 zQ26X7C6l)Y<&NQ32PYz}K0+{!)=hF0#B*KZK6Y&ibCg=11qZQ5;>R(g-Her8(qF&xVmz<FB{DCsCVQy@-(b!A&)WOgf4;_UW z{xRGO15s@9PQ%}`ViDZ4JlinG(8zKIDzcs=1pSw3#krndT)xyoLYOH@FS8!xMFa!6 z^_~);PT49(5Cbt5IE!uywaU-laYU+5Msjuim2nfs0M3%;xkpx3ay3dV45`VlbbT*{ z3Y)M;soE}zrDq+>Ur+|$x-aDa=)RA;yjUMQ-+cZDVn9gfy3e*RP)}zUFo5{o9Qn(a z0V?&K;A`^3<{3P><8?EA>&unZOxt#TJ-nlR%47O4%hheYk~aMl={5x^!&&J`!FqGT 
zZYM*>((b%se)P0*D=_$Sl=}6JB5@M2d$(a~QiRNz=Q$!g$@_Eb8Ow!l^Xnu;DU1DD zOL)V6emVQqaP>Tiv+?D&rKz95;#}OWoM>*wM#2KSmu|4h+kCltCwC7uZ*Q&#wgb1oMhfXX52w><&?3<`JoKKT$Szo{(>NZsw7eSmGVOQG zP3RhdWyd^)TK5Zm>CkxGG3si4)>%Z@ZYxg7JhiYElkB=LSSR13E-P{Mg-*?L?cp|$ z!-Tx>@mgUtvWZEyHBRm8?f2@JSBDi>^A(v2Ert`C>dn2=UAN}fvdQ$z#~2y!3a*Di zE75thx9XbZet51~?e3n-R$WHN*`mm{yM%l6Ay>~>eUqkvwCCY5FXu{XYh=vUenjUZ z?8P$T=eZOc8yZFC!;I3NU?0`7a>n*Gqk3cQv+?}wuygyH_BD0UC)tbl2A|vK+ce!4 z_xDozCGEQ9F;jF$E`a04^8J%VnsUQ_Ey98|h4(x^u(Ay>*BAZayn1P^Cc$TPw6rpj zn60_q`o4&PSH#DAy{d+%eV64r%a{tT-G<*iVH|$h@IiV!qz#ba-MdHIV6)cJS9!k+ zcLq*!U{!wX1yMbsQQ~-P5|9CBYE8$Ey1in70MAdp+tLp{or~|kEos?Wj<59<;P8q@ zJ%b`-Yjx9p-~A1;#~%wX*+TI|1cYSkFywOw9e3S*9XH*`BL{JzO=oeDmSsQrIdzHp zwUMKVB;8`LVsRR|Z}j@AmPK3E=n7X1Hw}gZL&V`x9O2GVq!|a*nYL&+I_;^~O<8?B zN$Hq8f71{dCkeVkDLe=NJbh^6#sMRd52T?|>C>2i+I=wZH`3rAI!B$9Yu0f&r8Wf< z9ha6LunmA8vnm=1!|=MBQYEF`Nxl1fqtz%M0_jL6C?rf_lBS=RRZ5a0O}MWN$1NQJ zvN%L;S@Nr8E2hJ>tQ35yr`!O&KN)Ij{5hSbBmESPk~;z!hC>bqE%=amte2Ow@6W$! zNOkVwBS$iQEODCUGnRS+is*Q4#{3}u+C#?Jcsz;`bQ^e_N|jQT&RV4A$8XY^QI24Wq854k%%~&)cLB2@mce~9Y9R5BLGHHzt3n~q4?+71d0_`JNU6Ql zzqX;0c8Wnh(s`he47?FaCwi+^^R#*ag=xR3YF?8PX2nq<>^d0>1mm!a+dq+ms1j9M z^$x;H3)ag9e1#`27#x#9-UEf$f0w1`DR6WVCtHMU^z$c9yH2$n)>atm2_vBuLO|ac z=dTRTem@s2@mY1rJNhXW{nl)d_ana!jMV5K+-F7#@%dE;U8wkh`iPwH2HCv=@ix-qs`8oBVQXJ*T zYg5;s8V`th!$6hhEp|?8k{2NUqR5Gf{cS)owkGPfVrqKXHge>& zGJ@o{W9(QKW3ikm2dTTpIJt{7H<^G*RDdt9l!%l^EYp{+QY$Pf z4bQocJ+W*U0Dt$d7SDoIvu3;Op)^DD-=}X;N!%Yb46p%8QYcjc#?6`reV+7&TjK=T zLB&nPb=f3IW=a~<4D#<-cu(@FYnA#e;ENRv;{9nC zhDW#nEPt^P))jR`6$m%W?~KU{FA_xwHh-PDNGQBNeg8pNlddUY65ou zSq}dDA0d~FPOPI#w+WC`mzcCo#B3*d`-bBM^to9sQlWc^O)vwL*d{yn69QO_OyV-m zeE-EIBU5Mi{eOb_E1MB2;1-Vr=wEyWxbN?p0%nx4fTf-(EuEB9supP?`RG*`P$eCGI}&dwj#~Zh4w|i+cBb z8z0`ve2P%+b}H__dM4q?&>FMn>^@ka> ztYI|Q%T5JAQu?31!Q-p!reiKF+Tn&j=}w5>RnebSL;KA%I9Q!E%dhX#Z#Q|<+G(9V zd6k1-xMkNg&V8jD+9c55GvP2(v1UeTM%OYR3OGAHnb!4s zH2FN;l7Of6a4Kk1>2Uv#=~_X?-7AOkIpb@LEc|;lX`+@5ubuaC=_M5`eoeUiQo-AJ 
z386b#C+(@BZhZ)`2-XDewf467nYIIdWzW*cIjBo5-lf$mv9tba^jN#)P{$hcVzI+3 zv!3x7&v|-$dAf}5a{|WY;%;3gsoiM!blt{?hsE>F$P@Z2VWG@n$@6mdKB?~7P0wXt z^3lq?7dX7-^_NRp3l@xY0pA_AGguZb){rF}Rq?wHn?$0HW;N*Vf|W#7oRP*a{GJ); zUr@i?p$UGu!{ht_6@Z5O;Ve`Zb z+x@VPDlbG^te5&gsX|f+i@Z_~m zb0lq<^BJIlXL|Hhe_E&j_R6RJ)!!Zti<|?OZNH8$zJsR3Kd8RY+)Zo0r0)4_s3$Mp zjGxZUVk^DBUbE+lvw&!x_aAgzNoz2KwaCOxpWu((Z+46DE|%R&xZ@9>hHf z0|;hMouVR~P1OF188+h%lePu;hOs$V(wm0%YL)#*XPPh-OU0$MJf=Cs`VKsutUgqaMQY{9Vdk+^(47>z z%^fM^&gN~>uiD8c9Qs_o@g;*I2t$3*vZ2}i37cwsK}Ucg5iZeGj3=# zA8R#)B#vm|_X?DY=cf3)lmUrtRDZ$d{}2p`zxeH1nQ0q7<$s|)^FUE{Vi^q(cm1q7g1gslU`gWGcS}Bi)GGZRd1s>hnv6(qT zk*g>oF(ayi)nASf+cXLlfV%VJ#v!X47O`+HKA*s?htBu!ArE2MZuk_9uH*>#HA%>& z+6nSJ{p`U?nj0f0qq%wxjSa`!}BznfwYs~qbhzyUUUJtv@ zq=HK89|9GFQoKc423E$?0HKR#EiEQVllnod@Mlh~lcTH|@=`9UV8NY4Y=1K8QrfB# zlb)WF9?}~1*LZ|Kh2S{i?#SeTbaOsLi}`2zF@UuVfwHCk>$w)_W$gB1aSniO+W6Q6 zqJD>T=MnWCUX@hVY59b536}2~71|r4`z&@DL5XeCo)O3SxJ}*+m*npLF;~wNDz&)e4O-d#sU$i34T8KX7q)y&VAfgZIqch#mZD@1S{obXwhV?p^o2DQ1U;! z#E?m?sSa0@#$>>aGpfNrFBA2rWCV#1QflSmeizBoTmGIO>im+mcB903;ORf8BPm-z zz5%_;GhL!CXQq>K?}Ug69UII;K2i12B}77hTu{U-^8D!lz2F3ocD&QViz(A8Tqe~R zCSSaPQ(Po!lVLi#u*Z!bWV*(>xr2!@7I062b4{z2gY*>770^t62%=ZMOnfZ``bVxHG4v(fW_{p&K5ibNav> zlo62j7gToau(FOac*b@m*D>jWfG0EMfHW{Qdh{dVIlZ%V@3oW{{o9-w^{08uOxYHi zda;$Cv2yq?87NU94GY<74rI9k7fnqlcwv#|D6|I@^608~k?Qe#!WqV&L<$z!$^;4* zoGiRQjp|k4wJ~JcGYt^>P5i$(#{6O__QiHc}&!c(lV4x zlUwdAWp=3VCmFZ@`}2tx`U-sivN#3Q9|JupZlQr5y73nj7G95E$)xx{1w!DW00=;$ zukU7z7mFPLRDdx)V`TqG_bO1D_7ZsUG;LWo(e)I))a|&%vlO*%Gsm3OSLG_*{smrU z`;g7M@iAw*3~LiKy@J5^=(22c(^IuEWm39aVdr7=&R1o35XHw~J8V*OYdF2`cJ!fy zH-Y1@H$+FIBe1EVS20r$5F7uq!oJ6#~NLXx~S2tZEJ*)4*FK6s`Dz_9fK8MWH>0V8h zVkt*lv(vGB<$PX@9^G48rQ31Gj&?soz5) zDqDBmt9j<9M|)Y1FJDuB9wa>iKPaDQfP*em&^8@UK9er(-n%h+)_~KQ>yNvxiL&b{ zuU6N2Bfi>YPNS>GQ6i$NxX24Fmlis}3F9%g!z<4-cQMejy0eMhwErLEbs{ zU$xUS#}}rafouAfSGo54=0X}d^yGhiu=Me&7cA znP3r76iie5F5Q|rKFIAhcZ&9PF#4~6#(MR0sG1XPawr)OuM((J3G5|jT?am+40i7T zgpq1tVbW8Jyv$uh~haY^Qh23snY~AQIQG){lh0b35pVR8UfK>LP 
z6xSk$FzU;}R>V4x2i_MqAv0uQ(0EV9(z#sZJ+gY=@~;@7ZPkvP?sT7Ut~%2@Mm`57 zfmIgXLm%ks0_5y3T_xd}5plD)%pyzqN)m;B0WTINe2(O#k6-*3vB>Q(%h1M8uc8xw zwN@bpdr-_fH&!S>ITHpwbh-RPj3XqOSXI%b=U0UfP9nse&)|@Z@?fy?Imn3`ag+&B z2zN2Lr4LQn_)r}{{NDKsqxAyg!qCEhPd$5xXBv)62kUxeEu|6g7vkjq`%X`kxKA*4 z6Hq&)g=fWAGXkcCvS`G60SuCn~IFf zxN65q?13S4h*=BOV7T?E|CQWaQnrZ;PuL~HOktq8yx9O^6qzGk5~chw9-wZDS%s-^ zkOHq(rZ%5Bn{a;Y;NRDh3R1JoDoIF#@2OLgQp9r+^h0wmwPHy&%(hfQ+Lr8xLTE|z z227a~=ICGgLFr{o$Iq61Ngqaq3AA$qs8aP<0t6;G#>jtZim??C<&z1y()~$TNwdEd zu;%j;;)eoe3+zVZI*al~weY2DBh)fm)XOJTa;!{M12y4(4BN`IhD)>t3&L;q-$*3*DFzmTJm$L z*QyBwhLa>suop#e+Kbe^Pe6Dv8L~ zK6V4|_>4X#@4La(t-r1Su=ZcsCHQ}`;m!LC;2Q!`E4EGHjeej(*lpP&M^VW(LW`c{ zrIxXf;;%=PjZJ9a7>%6S8ou-QTBC^k{#Kp;{PnS(Wub%=QLa+56r(H>B1$73mX=25 z3C5Fp%bliI9SaYxw4~D2tdT<>HyfBu&*$dEK>j&x`SSx;tB2CDQM;5AKbW1pBE*|yZ^%1Z z?j$QzT)BMm6(SQ4j)X`~gfd?EPY0EBIM}8M4sJ|1YoK37)#67$Lxw&3&YpniS;ucg z{Xj|6%ER=?SI)g4k0eWt8dg21aqQB}mMfRV{ibeh3=fr@Vx@9s6tnj)3 zs3lQ88dsfff7o!>r^zuweN6&+iO>{05wn;_jhS%K*2Ozx(Si^*@3{Ul?YB=hEc}MZ z^F2wOk@ojn%#fzEFH}ksZS@n1h1a3%T{ZrbG@plPcFC(_`)SEGHoyoexsl3Teav2> zV1rQq|CoBm_Bz|BYcy%v*fty6PVOX)8{24XJ6Vlw+qRw6*tTukYwbMyc=vwZFXIj>yo9tJknvY{Ay{IO@&3I!l71g)$cQu(Xs5x zDZ~L*2n@|~3x@f#ns~Rn3wO2_xLQ_)7AU6O^SI|pu(3g!dAv5iilgM|F#VItRSCV6 zOJsj*R$?iU*zA5*gd&F1{(3|x#@rv)qcWZoGF$f0I-NH%Gm&|u3XNn{srYtExRRmT z_!1U?*GPsI68@~LvSuy8luV>B=FnN@l9aP3H#hid*{yKA*&?s7X=gb9%A6Eo4riZo zWA^_8$o@NGF}ndXm_q0dxOxxhNqQ*)Uw-5O2Q{t%u;Klhd}4+-$2Y(U;a7vVulY+8 zQLMxPwGXxf^SeA6FgET+lUy}UPM!r)>o;x_AC7O0pz_=MEE*GB+&G=DbsOlppMSP? 
zU%d??18&m_tLMgUD*zo=O(Hox*JYb|56!?4Rc?K8k>YF1%q!P*TIS7>{=v#c{v01F zPy2S1)^5}359b3vovV+))M9RabKQ=?pt;9m`IF?R*ri_h%cFSo>8H@6_Js`x-!FuipDyjRx`aj)ZKt+iSuQGy!oa3GfQ3 zd|#jcX7utI=*)V3LvReb^~)4+36EZAT^IKB*>7a#KYC5o2Ti{kxCx(f5B#w7eCSTO z{rG%Bqt9-4s6Noobv^I#i)Kt9mal5H8&@an0am8Iqmx9 zd&Z5AZ7_zrz@K=6>4RsT*V^@JH#oszL7Vo zsQ~XG{^1jD{ktXG*e~Z50dV_@-+cSC`$Wp)zIFc=VVk$4ez(v5aqPI@b%9y`H;EsZ zDE<9$9r%8X(BukqzhS(txlubVSbe$MFMI^kUx8)6bOXXZEnu*0IA9QLC042pj@o-z zUIwF=Pf{3*yPZ4~NJplHK$wJI`TSqw~ zLxxL3E@P}$*l{qOtD-XSGxf%)IqdAEjcCG?;a5OJ& zsV^t9Cg|@5{i|ZS^JSF=#p9SJ%Gp|6Z8R(torjrHnM)~AtAe_OI6P(toH2a|zf`Af zg6az{q0@gXrkHhRmWGA17``qiN%?NrYVgT+*&!X@MgIg`HeI;5VfL4I=`PdKR#`R~ z$V(s!9ejs~Aw58N0!x=bXJluXk(xS~1Q!UHQs-Zo1{m2y!9`phh-i;^NY%~Kl>~{>sX*?50 zsg#sgGO~ajUiwI^KW0L~;kV>5Oi?Dg)=*aZ0tb1?EJ!O{jwGi4j5CltW|uzbkgcm` zU09205KW5smketW9U?}(DO>iDJ2)4ZDl_J07tk5p5D}NkB?@PD_!1rSEdH<&u^k#h z9BvfV{^sZ~?)3L4bkqR_SwzFC^IoP5-S z<$63pt^bXG8P*Lf{ine64`uk%K|F~tbxx)6X+Qb0BD7o3ZVzWN?(pnpP^7sdw7cdW zU0Kk)IQ9-P$17(yn&z&|ETncWva%SVenun7wTPB?8LPUGF}bLADMyVd{Rky3j&Q{^ zjwqGx(YZQt!Z7`|B*7=NWXTh^MLZ{fdfX948+Fb)TQ?A{X`jF+mKP$=k<@TRz!NOZ zC{V40;ZIXxlNRDE5@W^v;)dc@ddUWjNs)V6D%x@Ay3SYl9zcz)23QHtpBhkvb}^BX zQK>c)Y+O4FhPI2<6&fz$B(`@6wD<=3Ga{^uRAZq5w?qq4A)Y~|q8~QMib6A(zlx&@ z$+GWX{V!BmUr9LVzz{yFy`K2th+wLjW))RxyzrI>Q9YEXk})m#~53?2TrGUkF+!Fs=U?o@+|9h{GCEmkgyl8>m~>KVtW_am&W?YCJe z2=?IC*j#Es*6}=Cp`U^4X;e z6K}ob8nY-VC90(crL}F>A4thq)9faEtc)aR)0V=ex%Ti^HA{w+xBZ(`=_U@aNa@8= zQi#*5NVv$Xb~G}oyK))1(FRA~ zq*}$D|EYL#nYaFFh@9T<%RCwbWNGp7iKeX8+N;T)8Yw4pz5ePOP|$k~>9z;$-)COe zrM5oYqA>Gc%WVk&B83S(jtXNpn$NU82CaqO`e&EMv+G6+mu=m_O2%Ik%CBcE>oT=x zx2-y7mF~IXE_GR7Z{0J`cX#?)*L>Pu@J069Sk2qf-T1w5hu8W!x9@X)uw8aekJ4vI zW~#n@U|^UaQ|H}ZEDg`|c>DR-XN5H9=Z)hhKtaciLawLD;1J(CQJe}kz-E0gcLg*; zd4-w+dJ-32KZ?oiYQE7z&}-CuiuYFM=We`Zat`DSe7x<3y{%OMHlItRS959JuC+5W zsCaq!Y>_NE|5Mqdz9Q+hCuyD-8csFPzu%!(@H+;H*L=<4ZQsg)J+|o{e)D{5i-@kL zqfv2^s<$(ON@NW!>wXlj%U})cmMs$wnC&aggY@}WP(S6xV`&xAcJpHPd3O`c&4G$F z(fj3EL8!3by4jQdigqaKaD$s&+zW> 
znXunQ)9nW1(O@abr`zenDLKh^^DTfC2&eR&`K%l1nJzcW?_;3N>tKJKwsRBUW}f^N zs5aQedr-;!u0yD8QTwz2B769_uOx33_K@LvR=sTz+%jiAHz(Hd<}@1bZmq5*uWA@l zK=!V2o;dyPH=B7hLH(%G(hsQFzWH>n-9Gu3OX5ZdzT5bd(ssRo)uQiQJkI6oYx)>M zof7ZfaS{)l+19ssxc|SlU`H^?EiFiLq6Tar@kKRrmwT^0u)`A?7=Qx@e@V;Q5+~CM zy}f>3t4x6tHBY~W@Z!Vv6iBu#-C!)>Ef)v@8kQH`L=2cgF40!#Gvt6|V+dZ<`TT8a zrV}QIRd6{*r~oTb64~m!+D6aU#Ank=R%;w_NS1o<~4&}H#CU0!Y!$v-8orX{LP zg#OhIA)>k=$Vv^})&XsU9wmZ`2GueFoiA$BD#@4#0}*>(keCUbGlY{2w~YITr)s68 z)ixsWKQ5sQs#O+Kf0U;Eet=k-=R{Li8?TM_$%@!_oRdK4*TIii z{D)H+gp799UWcsn$2(%$r%qFzQiY05{1LNIyveD!FUKuw0Nccox8v}n9JEqvO@{WXq#UU zqQTknNaHgNMrG3BDjX*X#71fpz3aiV7K;9a3Hd5LM+1sElFqyis;Vru3)v|luxfCB zmy&|#((Oivqb>2iipiT48Sb#kNz*a^5WDp|z=N+IE88Hf=lgUJR%)B^3Nm*Rw|*p|M4ZBE1L2z*ky)`!O!}QPqP(*cyLAjcMRqK7NM+GD-+T_tBrwuz17cvQ0d#7B*Z z$_ab>VGL(KcajR-T7Mk()jxjyt+Wlh=C20Vf54g3KDl2vP#q89oXb~F3GZ)a1c?cK zuq_Cvl!eJTf(_7tmdvwaJPM&k)EKbpCB>5_ZDl{hi6$rRSM!V27;8x$#~|TNILja$ z)6=GtB#oyR6Vf%>f2-=Uh;iQZME#35SQJEX6|DKGdO}v-az{lK^2;PZ7t#%)EfRXx z0hOoSs#|c1l5>ipZr6}Q`Of5DAI7(Dr6TG~I96y$wf)*+4Zj#vY!F2@W`0G&gqWbG z%c&j}dj&Q|Y8$aNF16PaD~BwJM<9*ICx1ha)K9PXV%IQ%Xn{E^qLOKkD21ha!uYU(O#VXaIMcP~e_{3I`Y+jm@FW173GU?)@#zDTy0n0vO}{q{lc$P# zGx&@F-nXAqbE$piz%lR2uME)zu>R&OxP7}1B{yC(d?dH46}eY{5%7U9M>go-WjY)9 zP^wU36z~r%XyXC!qx;X->Gp9)CpO!2nhk}pZj6Epbbj8blSI5esh7;Azj-D>(MP6|EPBOmBLPdnnu69Ia#yNiCM9nfF|9@aC!{*^LN~XeZSu)$a;< zts9bg&$bq~zS!a#F$QlO4c5(1{*A|RfGw;{imL`?BXI}8-F1Gmt&e!X6y!(>tjAsG zHADLtxo{;B;-<W@Zjm(R0@O(XEdBk?q?{tzYMjcWjlT?0tf#^~z@MR&fm|vyn@; z+I^vs`mEZZyM1ji6xeiIqd@GsEmlhY(eidRUVB@Ovvk5->jR$2)Q-;F|FfiJ9f-u; ziz)jaBvh(T=?Psgfoi8;XL0<% zU`8<5{Ph^{O!ATYNiBH4l|K1DdmNAaU&_lKkH7?P&wz1xnf9#} z>;EvQ^5IDYE4_l@o8U<+_ITdWU~d@~&ClP8gbmauNBk6L@t3p> zDyQ^SA?rEyv$jGlBm?X^gaK0Tg?H9Xnx{;m30af6d{ZjJfk>2+<0mheW#nOhtSk`R zQ%T2HPLDhLKJc+IQ&&hu1{2iJ-Mh=P>5y#o^=fMgZ_YE6BMv;OQYa#+_ZrLEq@gcU zXWpNy1mswWtJN?sCR3RppXP<3(Z<|Mw*~z9>he-$TTEJ<`O8yy%KpBP5N93vjYDSg zqU^qimwdtIORFp`$5q;1{mQ7J~8v6&6zSpXS+uykks-I zVk2S!>nmob@Pkv#@*rot06c(dNSbFP)?Z{T25pm!0aOP~8Z?QmW5z@bsEyNv7|N8= 
z#k^%%)BB7K1l|6BGk(jN69Sjgapde=+7NMcxX|d6rU_1fGxu>PgJfzq{^Gw59n73c zjuCqkGP)b{Y^Td3Dp_4KpEhMKlK*~#IjL9DawkTs_rdkA!m?k*@u9|KA^FdFkATx3ZnzTBK0hfbSu9j##B+a(gUVEy5*7DUyM80&Mchas zqN~?p_a)h(Yfb(etEe^BLUKhfT7ro@gB8bOkV!CVVTa74mXg+zM{#n3rrUgo({+ z0<9ZmTS2B!$z4^kMkP`9#R@7rwhC*qT)jYY?%WOLQpv1K*<;@60wmginoT~!0+gg! zmS5>A6bz=lwrWjEx@)f1^Zy0WfT-8S``SNX96lZJyYe2!rvVB!(0l5KfiDTPw-7DIi`T-RyNRv9KQ*8=@^{2$xJ#SH-pJ6cXi=Ol$1Rd8Z`(^r?60k! znn|g9XGmBO(D3DeLNIVvCFn4jHw74Vx31|qfZn~&=k~_AOK`55S8R_u6o8(G+TH@U zsnuM%HkaG>t@F$p0q2LG+?`{lrq6Gl_xod8@{0*WKJZ-i*{8n#g(Qpvv;7 z|H0_OnIxxj!*@2+S-mKx>-p(<8m#wL7MQXD`bU!8Ia+bTN#=dmAZdfQ)jZN8T&3^w z%H&RrPdsbiBmwl~R@?BH&2(oX7V5eQl8xMce@&MBygO-s_FZhZ;OhB!vG@d6yaVTQ zPrw<1;K%WBKt6api6TiH=y(hy0}za<-J;d&fxA8p;7I+>J|r(Qm%*lF_tvL#KHxut zKQ6#BWk1rvCn`djYMpptC;1MO@PrWOBbEzDyqYv*#x0AHMJzPGj5^U2842l8275=+ zSwx1%mb%vRmQm>_e-eyQ*}G35F7!fJn5EWW*)rj9J!BBy`MR*+PUE0xe0ud2NN$9lOFG#v^#AAfh)gDmm5BIhaM%tzb05VLNC zq%%GvV{shtyPp2kD=)>S97{f;9C|+PZ#Yb)UO8JzXr6Lavz)sb)^Tt{?(f+EvLsk< zx_d6IvD;{q6~dSX3A(sscy;kod8Yo9q5putyu7H-I{P)LWJFRG+r32Y&%KhCtu%{+ zq?4nRGS`f&r54b5Qv+AglBlgry$#jtd!T}vMcyMH0rhqym!s^hI-wPX47N|&v>a8i z9^wPu(M%2Rdz*AL8E{AF=tcx8A(v0 z=?>buZ*lES28>fp))+nZ&=P;=A~Y`Abq=flG2dB3`mbSd$YH?@+MV}!q``b*tnkF9qPo@*2>MSuEnjaFJ zn{uavR}HBr3qi1v@ZC^$VcW6yk zVm`i&M0Ho`**|5()yz+l{o$Ehp~+7vxb-bxa%lKngU(!weet24-i&2|k8f8`X`|F-G1#~P)%632@EA>`~xK1>`QAtx#x@^Fzk(~egk9DU# zUMaaqQ6f=uF2G704WUJ)5%)(w#gEwTzuzQhfA=w!hoQRiyKqO7hX@QvRQISr^bz8` z6|tCbM%_4887dNd;*Dc7@U$xib z@7M%<;-?3wFf6j_S?klFclgslH?u*g8ys02bhHv!mJXqEk9X7P4fN7$gizcRz`&kh z(5}U37-L;3Q=Zx;*0kyLAPF#(YQ3!my95vPgM%^}EiOb+q;a2_sE zbtPqkDK=R^qsBc@x+5IAAD=k#QVF^SNjgM%x2u4jvdvChnHMuE$(}t!aN#dD9Tyyn zHVvI|r;eJ~xzJ-^2SigyF!u+bE9nXmtcChQcO1hN5@?(ac7{-SZ_Qkh;BU%iq z2m{MRT%nLV&vubxYEtSy-B$g!h?dnT+NSjDTtt2Jh-Eg-gJ_>#5E?sXbEB#d-FUG> zgo`6F^gg+hEmnkMsnnNz*+oA3l)e7;6v?8be_>&b-E8u_dM&&?sSJD5;Bg^Q!$t7= zSWCmH@P8wtg=buTW^n$~g39_ou=STZN9@c0Q2L<;=+rFeA>c`n`-DG1RstYTzOY zKU}B=|6cjxwKq5*bOQrfP;%XCwN=B78e>P2`|~x99p9QkuEUwBTzEE%@LIonbz`=3 
zo|-yx+f}LFIr>P~MLpct&Z&X++`Cx@>s%@L0dz@Z0>Xv~B-z8~25k1ZLjf zw2PW<6AdmN3$&Mg?0gQCy!&{}bR}M|9>KI@_|@&+XJ+?YcrpV)cP(F$UW?mA_t_(W z10v^ISEk>4q1aoQ{6^PMOg@LL2!J+J&zAR%gktd?z*;+waDAkAy?}ds|Ix;es;`ph zbmPl#xmxgN*QDDE3t?6(s4)^;|4kNV+?q%^P4`K?nI#J*S-$N(0;Sf=CfVLR_WkRa zZnWRL|KJJ)&$h#ee>H0tKHFW`_JVF1*EdtE}m7Rj8}A!LR4ln|@9d zZfe%kK*F1u%*ZaltmEDKJE-9CL5zNFVvb+;Zpv6A+j+k497ld-_YCGr^DyFo__F)7 zdc1Z~uPwvs`uaq2+i7~~0}rOg=VOUEV))A1!28W~1|yQh=b$#AzIpZ8eI0w_{B(Da z`r_tcH&qna?o-%YRlPm0p^MwpDzwvjT>U(Ea+{f$=$_p;)lRKzq43-3`snUi@2J*A zxTdNx`W?~1sqWma)Zpm?kD#{ktp>)Bn?x1(rqTR=(fGHo_9xWG!c$WKkkg*QEl@tt znQy!8ep|6zk3=>+A!%h=5X=fWppXr=0Nj5}=gL%trD(#Zth@!hZ67ncD8kQ|1q3r# zn8Td7!24IsLhZ>f@5?CVU+rM`w^}JO{6|VyAh2GG_TYlMXJeq6_TZzpSMNxF8|(wY zW||!YI}xQsN~g)VR3&M}$X|i6r8wD4fmazw*%BbJRiweN`(Cei* zB^iEjNhtA4e)G-tH>MD0?>WNCXG3dkw8*&OO(S06mmO82-MPSwk(Nk0=#tGUt?$MIx8mt>|5m2r9GcQsVZT zaA}AWnOh?Ru#qzg{rB^#(oNaL1uaUl3Q8AE{|mjh5|iGg9h@?1qQbQ0kWf+7v__6z zaft5Ws%eofjeUrARC`cDul984AG+W`8RnsbF!R=qh*TD-_39z(lt=;dmetY{=GL zpzrpb_hkQ-Ze#Q}CbXAfFC{nu@gJqXn|mfsiQC7 ze^gN#_7rSKd!q90uXbD-{mMj`S7Z3n#f%7dX$60qb{rXruw-bt?D>)*Zm3O%CNQA4 zPn*6B>NH8z9J`3{`!#8MaD0NbB({@wYptWAAO2TcseXwhdi_x&$` zp&-Si-p)?|xEx=*Fx&r})Q?1D*$mpj@$ApvLgMk*vR?^7sUT|bxX&Xe9M?H>}S){f(u{i!-8VefVwP}7Vjv*0~!=fLH9 zt=|ZLB5x=7WAJX$)|J`#wiN$?azwk7!F#1f*zZBIHh1dUajX3q^j4z7rTwGxVW!pd z{Nv@U@~FmX_bG9nxS>VpH7Rk*`0H7Y9Vh8o?ZqMP+CbRAYBj$;y=ofj@z!$~ia>dE zU-;(`jU~imTZ|Hukm~)&ae5{=uJBj3rtTK47IYWr?Dx3Ox#qqp%nWwC zZFSplo*OP>SF$Oab(Wy$KlRq7$}=VQs|^#uMClvnY565Ka4Kmqw0&b3KfLcD}zc|5r39pua+v_?6{#2DFb-+ivHh56Dzw zYHMy=PdwAt$Z8+R*3oon7@Y?&2>Tf{ejW%_XOrkeoOQ)s+-zoRG$8YzW{b%acDpTk z0T7wM=U2=ZsvEm7(4m@`e;qvx&_l=PcKiK9;{{gC=%>)zJ@ZrB zne@{dQFyZZ+IxO(_p9vN$p1Bm>%qObdw|CKTwv0R#s^9?wLX~OD?YAVSs|6~e%RG3 zarzo?sc;WG;+_K2-B0^g_7$fui`aN0oB=)pUbbBn@s`e2hoRErbqn;MXYv@3ampFk zvDURI@+dHo8`2Am_PsKtGp%BN!P?@xU3ekfp-q|5uDiQ*>@NvO*1y5!HGGQpN!{Y+ zJe^pERPCIZ2#`*MEWkMhdl3#K+C`@C(00V(Zd%IUCt@CzLv35|7HaQ7sxzIh2k1KR z)*Y^`B&j&fLq|T$p=ID{C{iS=F^o#N8d)9foBEslm!=|X)_d-0qLR6~_N^Tq+G{Z* 
z2bt~C5;<2wB(7Td^;DHOtlg*&+Bknf?MKdIUd5zr;Tp}A%b9pBc6yiW4WgoGr7|8C z;VL~2^(R|-pT0ls$b6MD-nf=b$SZcx4!eC_g;AQ;_o$3|?F%|zq~Kn1J+8k(f~vqY zFcw0vO#MuFFWi`FAJ>Z_n%ksj3TYW75$* z5P!vCnM@*a5nC9V_q+#1QZkzoZWs1MSFOcd{)Wgj3SJ@D^_v^|i&VP?zmI7hKy@IseZN(-0fUyX${PL}!hE6m|?#wygBxcrCQwqheOd*eY1*J;Xr z-@Zl2q5Mn_@wSt*meTazo7HRy@-#z@-mI_~(@(BU&MOG{g`ripBr?(e=qO{w|GP)B zIPyPX6s@)`%d$U4743=f>Jhy)6+UR-KS#?^e~w6$FMge*KCXg*v7acfN3Yx87`Xw@ zz^897xn(2sJ{wcobC`yK`hGMeqyxl8hCfSg(NE6MN>>G|rU)oh+|OlZE`}CCc~^H) zQ6-;7N;oQv4EC9}ZQo#N>qx2WMtHj}l$CO<9L17E&O{Y2IwGP2zZe;uPv~CWHc0+Y zO*(~4f#e%$!DW2eKY3<%GJ~~GxSedQIwtJap7B%tj%bc&%EptaKhR??+Fy8d&`XTHl!+XRm4wda!#@5oY0xi51XIQ{A!{!ZXQon^ zNwFrUtF4gaO_oIrEx?Y5S|L&`^5}%$yD^6%-rITxzy`w$g;7m#TrW~&9hmi`&Dit9T@V1(h zl_22(@z~XLbeLXN{+os=`L;Xc{3jZYo3<|5Bx1sE^5i?DLaTU->f=#}91nOd&N;OX zon;E|v*S=NbS}&ua>?vC=XFj(^5BZ3@;)(cjr})eBf3&VIJ!>t!fk9wwakMe=ps@% zVH+6avL7V|PU%Wphym(b*72)es)}aW_Diq-3!rOgL^AL#)DGy&k!^ksFp&5OtXVAUM0c(dA0uFVzlq#Qsi==&SQYS^RMGoa|J+;-$l)EPQ%zZ zt>fu7v*TNK>6X{E-uNN*`jh2nLN|Nj__E+_MtAI5+bvuDv(fe%U*{)JD;M4QEN@66}s&(V;7Wej3wt({*JvH+~{~s0Rt7fp>M&&%x ziT!2~F=#BamN{9=?BVQoq~o3W`Qvdp!?{*~2s$j)vX5{g2q!{tY1L6>VN}& z?rQL+_ae@emg~Gpu+EeB$;4$^b|wH7?2>x_Ld3mQzj~eXgu(-Sn=w$R1J|u4EHkv6 za%zwe>H$oSwz}P4dux+yLCzreDUo^KlYRq(v&}#R=4VN35qGd_`7>bo!q#zNLnGB= zuVyk6MR_bD$iu6;`GGEp4|uBCdfXHU=L7qqLBIMvnl*DA3LXaB0Bix9B&k5W{Ycv?OB z3V|n^eoyaTCU(H}Kxi`2^C#e9(>-l}p`FFS3k{XD?g5(=6?Nb&1zpAjYdwKcr@=&v z>buQ&LbdUzQ@kl(5US`klDf=n!nyx)!-zno*-IlSg*?t8g&F;60;@BQ=89{fpLgxFKf&4~!)5Vt8 zdnr)YG4Q;na}SO_%e2a~0OTJXX0RH(;hZ-<~#j`3XVdU-EU$ zms_JxF!~cXOAp+txcAivub#gy7gwtdR&ZwnC>oep7LAOJmOcYdsb6!S7w?6U8Re0h zipJ^>7#zNeI={V;(0jC8(iN3`SMJ8Zq0-BnQ2m4YxYk^RZOKK8go?CWPrQD|TPZ+` z(f_YR1QPez{%=`)W-^Q%x=q(fLmC z;vaOSlab>JEwnV10qyV3j^r8>3qfZ2*%{QoVLSJ#pD_}BZ~yk4U7JMXuUq1cwZq7v=eJlRn4emF3MeHu(h@h? 
z5v{{!?TAN7J-U;;<*ZBW{78+WAA4zU0YMZu503(Kghg|9lu*sK(ymo5)_YvCt1a{^iE;Rle*EGtZOZM}-!U40Dy)6R zqwQcUHFwi7nBwpIlH2R~xPe_JjNl~Ea zZd=;m56F_Pv=Pn{aKcjNmAo<|)?M+MrmT>7qv7ATZ8~k-ID48L3OEQ?JYVMQiC)u?`%?0t{nywhnfXKR(q~23{d3X>80C; zlbUiMOKdp?KJu-RZXNsWr8Z%ScY;ErBABR~=^0xPSS@5UbP0a8m8(ONYr zR2RYHpC+R)cumHiDkb@xWP|QM;QuMf*0V-g$(;raae8kGsGF^oTMDaWl{Nb*;c9qO z^(&EXk&gV5l$FUXLp2U{oGcpSSII+M{K+KO+6K28mF&|$T?o~YBU&)agOBaSi++Bu zKW|tlqisbUZqmYDxa+brkSMgDr%jNTF-aOOgQjsxs)dz<*xVH`smmsZ^|SjIy06I9 zt0Aonx0MZ$UPTZ|!?Z5vG?Z?$xrt7Zu>^sV#XrD5cg{kRM2x`FB3yt(((0p0br=IZYz z34iXTsBqI)Wv@A;7Yn6z9=O3+XI|g^BhfGbLxAe$gBX!tG9LRX=JnigNqjZMd`wT} za<;rS+1afQhllU@Z8eK0)r33-`EHN7^*gSmM-rQBOAWmIH){^{?st~E%tu!=>s}3e7#van8fs%K|N(chV?ZABBS? zYp3b%R-rjvZfyfU-Xb(?p1p75|6F~Ha-P2&zvaOTZvc;Wi0s)4C!ctIw`!k+pLdeC zIv--!!B)3&5_9X37hrwo$a8G|o#;jqFLR%ptJ+#@?@q|nY5wB`+ZaRz;hojxCBfyn zttLC69jT?Z>&UMVl=_?f{x|U9IaqoE^f@gW4j2Y^sI};V$6gJ{dgN0WOAg@qW5{&uMCAYD40`1Q3baViAj;Jc4B&7Hgm z`NznuWE8ja@X{AspjN&xBu-XcYMW1dYT3x+s#EPTu>wcaUtt&oEtd3mAi|-Hcvz`1 z*@5+!%Y_%=L6F26DOHk!)?1u8%v&CLU3^mCOwV%BoJog};n;qfyRuN;jqN10v#4{C zO#R@1XGAu5lYd{@ND4VzdbvDUu5v7%&sd#;fYB624nY+jOT$$D}62q1v> za2rBuhX4IIUX+h!f31$EH?SvG6Kbwj#1DT#tIj_lILyBO)r;bK$F(y>LQg#gGWNT- z3Z#7EW%=0;SV58cDymVhNNIPza=Yr26gX3Sx~^sD&5qqyALe5^6LgqAsj7JpCnB6= zbKXS7suKk^bh-bP;IXQV(X<5rs)#k|SDj2LKfr^M3$MwXgRKzb;w_tZ&{TBvuUN6E z6elE1FEp~lO`46L-Zv@TFnv)httjKIn*P8XYFZMhXqd4L3CBlE+`zS_N-_)-%u9tE zw_`B%svF?O3dacM`lH%TJjWnXX8mHr&q|fC=`KgMH==2G=2)w7v1W#UsEoG^eWuv= zPcKLvK|QxmAUNQ5he%Skuec8ftn@Hcma6~l8(YCWP zp%C)VVr^2+x@I$@itsuk`w1kD?GbuEBD(|7CAb(P89QNB`b~c-DoLV)k-ynW%?n%?sV~ub#;s$! 
z3n53tmI~OF-2%rz$*G z%7SD#m%JV%c1VY0exNa~Qjs|jw>XwAl`(fGKMhHLn->?j$~IFEdkiEzF7GeEuPC7B*9S1e)4L_5_yT-6$b<*pwp?kECkO$u*xJ-aKGOP6 z2iefp#1F(7w(CHoIxW<`q<>ZvOyWfrN_!{2ljX?jk0Kl)qSu7TieI2-vUc{h}v1nCoD@ITu482558 zpIw1}b~f5j6Lo9k+&We0ZC^RVtyw54N1IBphvd&%YD*+aLPS-?G#a(h{#mDECb&Xn zSxH!6n>5nUHgPUQt7eR*yDZ_SV(|yxaf}?Ee})jVO_65(#cGOb8G5S1n$q6=UjTz4 z#b`jq55g{PAbX>M;m_;0+#v#=TTrM7jes-re79d5u=^FKj{eHe9q@DmcSv-mqG z-(|qk{bM)4oj?zio@)o5M9A@P<*^&Hxk((yf3EdDJXp;&xFMggcieskeN?$Vt8c%L zZ_;N8EN2tmK~QTFRC^A)C5qW?G4Qcz9I-pca!nyjxoTwSf+IET&}s}Gg2boSpVt1| zOWNG6c~c8JKhYTo-^7y~xr5}uJKj%gzE{7zuj1N|DVDok-+KmPpY&`K`_4xZGVS|k z>3durj^_HuKi-Px#}x>(d9M!WLtB9l3xR7Avclk((^P?ilJBFFE2+W$<&#HumB?CU!Jxzu_17v;?w%U$qn#b8XZ=cA-^ znoY85Q_wA(#GdP8lxbe0+_SndW#e*L2Xs0>!PS1PYs2l`%z3?XH-_`1QyJRIa|@8!HLhvLEO$I|xn>mwo+2uh@v*Ny`2dMkt$IQ2upcs+w8-kut8z-4v4 z{nMFqB0wSTj?+QGRPgRs=@%PlD0X|41bpG?F7PmRRGQWFTwv%(AMO3HS9t~6@jmP& zYh`xoududh1Z_0e0+@&xg^n#8%a?UF5K1}Jbq}UG+q^Y^W|@DsHcmf*gpwO|%4W@j z^p~zP2-`YGZF4#V+c*=i1I|AexmT(g*!2Y! zlnE+9U&;{QIS`=Y|6%H^qT&pjEe!+$!8N!9cXti$?(XgmjT7A6-QC?K1b5dCt_{JR z9{zJ?&Y7FK{w}_?>aD81pZ)K1j^$xg;AyFtA-Hr4dRNp%1@CK1(xpX_C!LnAaVN<9 z+-^LNJaW_G%iy8IVEZB7C@j&C*V^3je^ffLOL4t-h>uaO7$gA0m2Rb0c9GU=9 zM}b1<8Ua(Wbs$Jh@?@;}94`xY9FuG&-ze|qj^Ry6| znPgwNaA!v1j5|L{zYY|mLNXu6Z+cXu<}J?vr-8g0g{I!J#bPtRSU|VBv20DOD78)= zsQ3F*1gn9yJjI-Y3{Wl<`bH(kkFykVmN3O$+Tgq51CgobJ=FyQ&^xV7g;6~sVp^#w|lYfQ?LK? 
z5yJQjK8)h0J1^!IvQ@)7p04_kg{2ANgm9e(g*j|hsq!N3(fP1JBtqkcR^Ad7^A5Zz zfWPKDyJ6$k0jq-tKtfo|h2l3J7RAH?&0HNmiiGAw7d{tN64UmRK&x|WVUoz^Ni{qwu5 zpm`h*)Sg=WEzF7|?pASA3UMjaHsH@NGuERF_KJ=5N;BPM&WJ{Ou`K;Yjn;R6Sk}b2 z5su#m3i8*+xv(cmbVX#9X<0)}WH1(eXdYf;|J7oLbXeHjEskTrlVD0i0kCetf2LU7 zgm>^w5zDP<$2UD&$j~5QdS=w387SCF(glAy`%p(f-`N#oAp?`bvB0NIqg72RxftM3 zqzH07&k$rFptYVX-G||e|m8XrYk=C zx$8r2{KKSw22Z;W9*(kjIz_kPZ+DgUc{)rrtBovSP~NkiDkwOGHLkfL{K3`ARwlZK z>Nin+HJi2VQgA2{@{?VAM%1ECZVt~JiKNFb_|+C+&Q+3D8ERvadQ2$8!t>9`Z#?oy zRAlV=+bYCirN$`IPp+uYu&vvL@#78fE%7RtK?$sw_8?pP&F-eNEwRL`B=N5U;mVlV z(I2&wEEtVpgAm$%#CamQP78<#i-?3!#AP`Q@#RGC!h%G$innQmYAVQJ!A2PoFjpE5h3wIfee<@|8ndN5_P?2y_5VJAI2<2lnrAkdY ztn#Qv&GeE9`A49VU^*xDbG87o;yZfH@^70a?a&E&8Es+L5O}53L;%6oQUdZCvR>r$ zHF6L&d@4RgDVq5zY}P`Rx~o0}_MHXcxib4sWR*h{QFz|eFLy7aW9Zlcr$Tt$(ll5s z{go9snv-LjJXJJNc@B}!2tWu^(mb@#hI9#OATkAoBA-H7^c&@%Q_AT-r7ikdUSQ4b z^#7E1Vq_eVNTyGF^(DAjX>b4Ial(5n%Mc1o=8Rdi0C!{kDZ`=yi}pi*go|>gP+n)E zlJhAdXt*d4C_UHXRy4;p?*em*I zkoVinEvLcq*831y6;RdD@9KKn!1vpZN#tb|$`oG+Uyt9EUeU|nSuTL@FVPWp4}wZ%FPqm6|d8h-Yb8f zTyg&v&^VRA(*@h8!7Yc)u(duhj?$Ml@X*3p@r*0yaNuC_ZgT&wB==X|_OV_#R|KYsW1gK6sf`c6w{b9yh0PY?Y+ zrC5WG4o}P9HMd>PLoaSEXLK(c^MyLkRa_HI+g|^-$qs&m`-*@SecL{mVxBzTP+&JJ zKA0$Z`+7cLrO&2F3`?oR%kNKL17z}Bz(CCfFtaqnpVH^!0c|5N+xHT1xur#x31Dlu zC5Y*8Oay}2MyR?nxo8fr5q+L{^Ds$$VaP%-f$o!7!Zo7S2IsD0qZeUk$`21)r!pCq z>wLi3>=O3Xs>@~>&tpkdXDkHIeGB4??HADop3m?g>E_+|0sr(XV}aUlns!8)4>_D` zaN)|UKXRnMp0o@GN~g<7ACFpO!;ZL-U9IIQdwL1VDB_jyLYk76FX4r(7f|hurRY?! 
zCBd+&EAu(wqe>WLve5ICCl+6NnZ?n@CY>zvk@D8)=v}O4CzCYV;^bqa(QyS?NUWX` z1RZzD75>13g47yQvekm$96SF~o-*A&@vlLS?Og=*Hz3@!#;q`V1vi>uH8lyEb_XI{ zZ89c03jQne8Z0*%gD)r8)U6RNe#C&`d!@!^2xX-XF&nFR=MXl&aGDY&F6r;=TwE zfvC#z8#z{zj!?n7KgR{69@&vq`c$bo$1=j$x3q7kC0g8#hZ7fi zHQ3pG(fE zLXHR*iTtSN6}a-$_Tq&;hThp7%a3s6RacJt~!WcZ?CZ0R= zf|I>2l0Aw#RSXnY4<-5>b#A;=G^Mtg0}Bt^t>v8P&LrQ3C@RO0K2pKP#LvK~RD4*( zyV(!PQ673n&ST(X7rVm)dBx%Fu3TmAci%xaS2l|FazvePm+WXK0U0qf-*I}QZ(2=$ zWUI>sO(D8#S@H|8MvFOb(a_}3u4vWhRbvJL=5W7_&HcM2*Q`~rVjV;CYmz*8@ueB# zhGOUdux!^sYt;{(e3hZ4%nGWOMuxw35yJ{>KxSQp#x&>3jViG_(RNP=i7?>Xd<<2{ zcjNdNxm}>C$FI@)OUQA*73Wn$pubC}K5pi^{#~xb3gkOBpe2 z6H_LN+H9+c(x(J^l^ z($CwfF=L-~&%0sXv>icD8~_SN5(5T#p>v0uG*j z8Gc*o{=L51dwO^FO3c2wiCxbt+;&2hZg3ZvzOt#QFT#Dfgk9+vHktnhE9~nsvf0bv z;rdwLuQ(|#=~4S2c~WXg41^4NZB zcdY4=E3gMIV0h*<3Q&Vz4i@osZs%7N`*}V_4o8822?Wx1nWZ~rAh z|MleSyI24F?0UgNE|P|j3Xr4Zm*~*)dxgy1ELpR2(*id5P6)@8ZSPAZ(4=if= z`NIDF#Pv37w$#P-`|oQ)4-bSNXjy?n7KYtPHN(-gBo7aA0iA?0K6T?a~MXYeYNfd z&0J}t5S(cQQ>rrV?)h*w?}A_7{}Lo!JqZ?h(V#UZxzvBZN%l>bj_GnRZ@{Dfnu|Uz z8yk{%Y9}qc2DgX|*OBtg-^m8N2cF(sc%8?o*rG)V`;BVb2c zv`Ji{Plc~!1%F9pF>L21#RfGsm;pPC7rlG0HgOLnLc1{tm;3CXrC1RsPoFmDMPf?L zR~1U08QWDPILDeS(k@ln1c|(ap#0OjQZ5=VQ(8UoEQ!F9cHbkRE?BK%NHl5Ib@`%$ zut@+a{;enYFtZVQ$ODD(HVNKH%jRYMjY+d+p8@R`ccY%0$il)2r~bs9eDq$U4OD8f zf}t&3t=@N#cd;+l10D$3ruyiO=Fs0BN{X;s9n1bZO15*xp)#H2gj?Nj7~DL970zR@wc@o|&(~CyMxC@Q!MT&WbA9bvt6m!#>NLJIA-w3Q_@VaunnR-3%-=INkD(1U|Y0sX)54((Kc)I?3D%$){54 zY$fi&uuaiXHhQi+Q}@uS0h7;(xN{=GvSy1!HLd0vf~=>A7FeeCWz>5;pBpANdQDH@ z0)>vvP?0rGka{?l)}p9Z#Y5=?WiW1yT{vX0C@0>mIF1{)S+!tuV$T}ez6D>O60XQj zRF1a*Ulow{6URJ*>x~|GK7gBR^BpiuPw6y0m2&*&E81&Sxaz>teBuB}jBrjIEurv2 z2dPRpzFG$JsWL*5YKJf>kJ}inhaiWItRE-+p-d~9W}`F_n>UGx*f4%8pIKyq@#|ByPNvzbF(|^Df?(-wx$l@o!9w z7L5VR;O6Ht37>zAFl ztvp?>R}7@^;2~5RR4=Uqv#ADj1CdFQerC8S9YP}#pfwV8KS9NMS51f z)XeT>j66k6kEV>Zd+l!{^d7!-a^v!TpIVd)LJ9n#IBZlqgz5JcsiX&@oe$8B`U{X4 zw7YgOZ^J;3I3j1w8wLxgux=1JCt^GJ20fG|0~Ny~u-rVUKIj(PGpOU|#7=Z$(J0xm zZXHMPeS^r3Mui6poialzbs?cjoj-dlDhZR00@`Wv8PP_1y~nOesyCH2%1uwX1yW{~ 
z5ibX3SeyC(6)+Q2n9_~xX~6G`H{ei2{HtNief;y@dpwD8ju6L4+&?}Gz&60S2zZy^BY5KT>fTU6A+((HaSnLfP`)z3a~qVH9h(oO+V*|b zK0%J3J=gJ3~~7Uh?C-_9@>BzO4AIqi}Yq5cEH9 z1-V}FY^@z0B6aa?JqlTl3F}eJ&V>b{_q1BYXSUye}>V=Hwmuy~7_l z1rFl7-!ue+eQu%z>bft(qnVl?Nfq-OZ`xM-@A!-kTV)^fy~DfQPAm5f0j8o)ALafx zf7{a_12q5;!mPRLnvSVrW{`blA3iwZhofRNVHv?p`>5Df*kFE7ZvZ4!WC~pJo4#Wb4Se zx4T*PJPqpt7fAiuxoDSBJ!DsT>aog>j*7JC_2Q&`bF4*^YaTX6T z3msqU@!Gbs)aBN_$f$dB*X_xFe-G40kf3&*a62u%OTE;n6MSZT-hLy11^gQTY@6GjZ{bdR zJsH-jDc^uiTwW&61Eid@^7~1?BwPHs$ln0VE6^#l zjx;6I81wJ4HkNQac`Y^$fzn>DUx7hr*~r)dJ(SbaoTkab64H)KJVT0ESJZbCIAT8I z+%|>K{gY z#?M<7OJ6J$JEW|P%O);_(xQW$Q!h7-mb@!#tcz{D5yg?N7~#C_UN{GvtNwa=0mXcsLSNUA5}#|g%;)!M00%IsOMvhj9KU_+|bwv|jXxRSav+GxJ5 zvm-ZCP1E^f#w{V&pmD^oiRD`lMH|RZgz|?VQ9(jVb;&AnY8AgK{|?~q4fhb0p@x@E z+ZULA&&IS!7);#z#RK zXb4^B{(sJetZ%mb(H&j)4p6^FCLtozIS7I)<^2019z=ueQ*JP&B1$Joh4P`VLh7I5Hm6=!BnK zn}-0zHhkaGac<@#-B=n^c2@@ObcvHb!fOkky#q0^SnYv)w=XceY^p9<&NgDarmeDl zrm_1vT>Drh9y3=~8G?-nxZF(?WgPOOrN%s8N1a8wD~+K#K?@Gndi!b1; zYrJb{2WRoLjcXL5mty@%DwhfarMp~1+?VUes*$m8+LQ-UhPV9nw>~M9Cd$LxAqiz| zvsvyn5THjm&6%H3oU5wgH6cH4<&AGGXEvAC8f?Fpo}YnS6vnqz=MAxsqby!dOxqaM85X2^-C<}fJ0%~os4&RSPM$X!Nal$BfNMl_Xp5l|1doy80Z zI1Ct){Gj5)ePMeAzQvslfR_mF@_l}7{KG6!B~_&LB`^=*Xu(#EudZ46K0APPy9$nu#+qkha(=1^}i$+v#Ze3)Jzb}EU}{*V_{W?dO( z$yy;@GIww6d_@cz>jfSD_FjiLg)XaNOubpgM>!mMg7+LcSvW;ng{C&&mhh+i1iL=V4N*sw*P zPUEPZu(ni}tOP-_wa%{fmgtYCT1{$dEJQnR+;paI8>TCcZlx&aT-N^&A=5s71@ryQ z6aklh8i)JAhSb;2;BK5voA*zdl@tyoT22Vu-KWgzUhzZH_uE^%m@%R-NpP@`C77?F zWvdhj?el#5DGBSI4!Ay9Zoiqth<-HiWqNuRe!ZqbwSG>uKWh5Nhe8B+M7jc|&Bycg zftT2T;Bk{|@ifSfkAZsqw?BCCz75y)`CczOSMQgbk^K|z7!TLskGv+m-ArC?zGqyV z9gmm8LD{S1@n8^N`<3syu)4_R)r`~lAaZ;Hu-5@RY@lbeEc!uD#Pa;dxP0sOCHK6p z=lNyt!Eq^k*_60ruF|kw(=yYQHJjzuz=zHs9I-Vr>*%yF4O>=pMcg@Cg)Qhlp_|H+ z4RXGgp9Qb;gO><7KjVc*13b46|2!)1RX*y!y&YL@=WT$~7W3a9NaqQ518dPiBMiVn z#yspNlPM!1kdJ zT)?HVd6BWYnCjEM?H>KLMdIiH=Iqwcxl2ul4w%WIa{)>)`TPrdI?&ADv=|A$LQJ+Ko&fos)s_PR z;2vPU^7Cz8IAi}91Ywn?U6Sp?u95*LB@Uh)bz{>`a{w2!y*k7E3edF3x7Q6HE7 
zp$W~L#_PX(4z*$Uj*QM{(#xFU<8T}Lhw0k*i69TOF&T)nJK#M=t$+; z=W04l&>8$`IiCH*|F*70mTWX0U}7(Uw>~G}^j{r#aqt#>J8BVM%kUsZIJy`F3K8J7 z#$#MO!bhSbmnSqx^CwcZmQNKrCkBq2%`6hcu(W4k_46@bwgKf_s`d7P)>Nl0R;^XI zC^2U9Si_`dD_^}8CfGN+B!i3&)W6hci@BU=A!d73{2p!11oq=}Nd$wAE&Q}#l5?&&9D6^UPbJ$d`<(%e3Kd>1p*f_oU87F$c@*@nZ zXs>NN#}WmdNWM(lUauV!SOcp%k7y(Rhx{H7okjJ#tTuEChRXCnnTrk)#O7srUi*_7 z*z_E4CttdqVt58-kr@-gl+;|O)mc!D#%AmGOn~7a+B((ow~Tj9f+#mxiC*zctZ{b| zWR~9F=8VN@&JmoYLFEu7q@Y^7eH}`PPe)eC6PUpuKw zzu3z#Qk6a^J&KcP{aZ*uGvUw4oB`NV%THJNecIA4e0vA ze*M>{;rcel$dYp$6lw;=nM6%pey4_pPns!RXB4k{Uq%Ei$ZT3MS)XE-?#7^|o8=d1q5w8zxX_ z)r8VWYqP8WVn|G1^ZyMuXQKApxM|SDL5MJW=nNY%Qro7D?;R`AHFJPp?bvn85m_86 z&^s^{{GnAW$$3bmn-rK;k%@_J%J8d6>c=9iHb(A|f`95 z(jogAL|XNbZ--iyB%%esT9{ksYeqRP$-uVXy&nyq4IjwBbc)tz&9B6=(Lbr$egHl! zf=J$1r=h^9?;PI!JBO;M%R^xr6r`;!>3HYXa08=abk}H5Ny9FgIq+)mwi`0aE5l<> zi4r~=rwRT(CQCNnktl!U%8sRAlyDkdY<>^FGtS|t(PtI838)tp7(i@<%23E1FDK1g zuyhA5hRy_j;VJymxDE-~*(I1NfE*H4z%-RJ1u+(LtuRgg)s0Ehc9q>wKbO| zi^FT}2Q_@NsTv*YcA~2JrkJ$FKbhn#sbPQbqKKa>RC2{Og~QTcDRGu3EC*v~vsqM$ zv4hpnu)=Xx%{RV~J9n&kR*6H!jQ&uyg*H!~K34rXPwuVfSoQ3|Ee=(ktI*wOxoVL# zV1`QW-kUhOR{o3Ur*Cr6S@G_I% zI|%CargE4EyiVggY*|*{BY*5pn_n!Eze{{nbTaWfuhRMO2f+5D1sv*P=W+7B2Mb70 zZSVnk9kU(#`=JnaQ-JwhJ=gR66)O9TP5a&3J zy7Cz~?}Sx5wr}18wb*-~-xoV&{ofnxHG1gUDYF6Yr`w8J?ieTK+5GKm=DKe;mfPwY zJs1B>({$~26v1ylPW-;;fb)Mkj-UuT;#yVur448h3W24~9&;vcl`{O9f7vB z^8Rklo==wxkDwbm?`1aN6Ts$uOPiQq$nus>vNyb~3lz18cRH-O+4D?z+CF^r4T#b1 z|5%}#27Z_v`o-_an*2t!;d45?YegeS0Xwug7zGv}>FW zs}?eRl10;hU(fG*8){#CWTkU#zv6qW?dS0q0UaQHO0!@m%7}A37Q5Es-Z^wiOJ@ad zX6bUDKny_tlb6->0py(KMI2*C@VrGp$4$XdFQ1+N?v7!<=c{Z-Gs?P0uITkuU*n`Q z9N>wyIw0BW1_tyZ+U|c2tJw?A%m?=$fx(|$A090HF&>cMhL<}HMj-oWhqPzy|Dmq- z@(Kx}R#ax&&kfiWx=45VN!NJu=1i%lb|^i++mI=&*PP)jg!fzhBNY6TO)_v!lVZNlTr$i8*+)mkUe0B!WX+w5EqvkQA9J)g z(T&8dk1WT1)#jY#j@8lLL~6ef?6dFD{`q?cI4g$q^x4qT?z$dB)s%5RuBvKgF=IeFUG+o;yf}IYZaqvK1F#Z zEjHjU|K+ZN#@KsVkyb-@29Ksn(Z)(LR}I&r09udX91e24ZQG}nEN&nvbi82=(%@i}mL3>NH_KokS 
zNI6-5mfye6Wdwl7+$b}qwv=e~Kb&r^>%V9)7B5`9jgJT985r%Mlw(^MSVC50MOw9J zR#MX|KUBC?9hUO-7XFsNLXH-edhlylCK7u#`;0_ZkTCzb7Gr8%B9$u`eh)Dley%=@ zR@9btcBC`%{o>wDcmdA{GEQ~bSd2xSSD0>jtHpu>Y1vVss)~bplbtbI1_mNe1m`T2^!XboQ_@J zVv?_b<&kum_BB6a7<{e)g++B`@cL@&*o^s>g@l`#QXVj&#ck&s>5n}NC!uQe(8dI2(@^^$sO&m0m$YfL4QPtYF-Ez2q% zWXIpa8$ax(N~{t-=xzItX0iW(nGLxo%vCx3dHD>VRy&2M!1a&*ru`|mp$IxQf=$F$ z!V7j(|DsGe#xSOpaiuT-9J5Wdlfg68n+U?ZlV+H_8c&dmMp~8ps{SvP6r zA=+UzTt@Ag#YPTGmUMyJi?NZ3oTCo)1Et!WcCA$V^pftFa}_)UDt9veWQI8z(<-4j zg@;YV?6KBFHVyJEVx?#hwOp>t{!=LQY!#!ztQ7V`W4bvs3tsBtqXIZ)0_D?jOFtGV zGt;c1eR~JpPie{B&r{KuFI%?A&V%@ zJ^E3DG-*&>Wss1sUQ94hmt@ouO4aU**%3^gW8bl@(_YUH*l6}w)Q8ix>a{; zFj*OcOn53Gg_le4<*P+_Ma-4LoXR6H8Y(@;tVr&<&7(|U|3c^CrlHd&QF=u!H-@-U zNXUvrsJ_Ehh>NHYiR#mfOBcX=E?0ibf6j zht{({@iF>_l_7W-jZ0;iZ=1tm8VFF3D3vIo!p#t<7lpfjt;kVU>WYZxjP+5MHi;&< zJlQdfVs}e18ley1m3GF_mm~qIZB;9)QdDUvN=s(9LI^1%@pLL_QMJ@mbz|Y#ZaXrH zoma_*7v^Bh>5D0vAJ}Y#{SALsF|PZ#M%@7U5q&`~N% zF9C+&P+@S(2i-e`7Fb-EJ0uBOdN=>}rCzjtdy^+a%W`sCvFma!-_CziQDGCb)k|zA zm0n}M#D?u}Pe;}bGNyYYU%6IQSMLEFu5q7Te`@gUPT zo0)1)0k^^V1)v266Yw;kL^I{(ZQn@m^aT(u(99+eZW6N#7)ve}dYJNL+|mNR*XE1f^FLiuMOcdafJp`25kie|ez;dH%^pA=0!Kd-U_{K5E^hXT4H8+Neg^+|5}|J?PZO zMmm1mjVz68*_Pzw`-rP%!iu9n>AG4-U(r3-{R8j0-GA;OOXzOk^x^9Gk@cLMspFWt zc?tfw?0!F92^jHl7^Vk&T1NOByKx1|pMI%x#^(9E-mf@wy8ca6^*6uM;)}lek9lwQ4;%^ptv5Uh#(2zl)c~Il!DLE;iG3a+LEPRP zFa2#K2Y@|~H>9w0ECX?*PlMsKbrO|6jr%|kb%z8UA@Bu{@>@=xn-O6AH(ckR)I(9E%i}j#~|6~Q!t=qVsWjbRb zc+d6g*{tK=Yr19=@_*i`UR~30pUHKdDc%%Z(>8hU&D#cSMstC0uZLXsXEdVU0pnM1 ze`7p1P~={igcR-Fx8f=X>x2S!_f!=(le|6MubvHa-Hz`j&ONr;Zug3IqAg5!M}aqB z(me3jfbq9>ZLsd=RbeS$P%W3~J^IU;qr*G4&Y7~5v@#W`Xpmv!2LkkOCJ^|^z6LB} z$%y?O11-Dr0HzvD%d!-F7f^#`iiO5ZOU15*6?^uBnO1^Qe1%!h)N49|Z~EI14Lh#2 zGVyT%X{1rz;K5gWa&*G}Nn|B26(-SXOqH{*@|~MdyrGO^?k)vK748JY$aMM*NL&c$ zd{Ig0g|H;UKde-$b@KkoyS{%+!5YP$9HCoVL>^6S6EWA^OHwY2hm&9gQCMMen<+}8 ziF+erbgGc8Qc-Q&l#eHqHKILy<)ATYlHeU@HXBQ2QGl${2Ux{FnPB}2OT^v{7Rf-| zV6egAjTNHtf zqx(L`op+KYwW(8j;OVj+V+wmXCfb2M*|i+R_f?qiJR?w2cz(4STm&V>5W}n2Y4>}Y 
zGedb%siHyKK}qhJ(sVasIvxpEr8O%3Om#g_%9&oONid^?j=>lzfd{>8L9Fo1sEAD( zskegF9K*LHaM;8-#(SHHi%>1<5K7qXZ%-x+o%bpO7D;6?h-(rK4pFtTkhOu*gQGUq z%jJkhE*}SN2QCLk#l>2saP+=SNut1D^rUr3cvB;Sh#yWo-k8l?9ri^g^UJ79{kDP? z#)yuR{n3>LuhUx6Y1Tdm3*A{-3fxhZLTiFcRLH6-+oD2cq-M6BVKJm2Z4<%j=t-Yo z5xh#XrB>haa`hMlRJ2|~GcTD_L=xyX%gwJGPJ&pkzRQ2odZz`wI(^6yY1|Z5_TBMw z*9|z%xMgXy2b6~8AF?kO{aU{lgzOqsbE@E*kN@Pa1`GoGUg}|FxB|EaU{1kWQ;pO! zbG}PNUs8SfV4d9pv~ZjCN-2%!tSS_(qwYyKO3md;7g^~S6`*;UxPZT$4iy~=;6D4cQvPI5aC`ThY1JPZFq2fJWVgo0SIRxTYwQCTaRZE4!oKwik z<;0?ij4+$Gi_&Ml^5aAhBsagQ*Xa z^^MVS2-(z!4hK_$@4Y5OU!WfnmGvgW&7fDOk|fn3M?D)03`pVdi?xICPVx${bsGLG z^Tr9>ch^ee92M`haHg&m(Us5+*I}-CGo7(`m_67JC?UAZ(WCXo@X%-V$t0)PrC9AG z$kE2_CC;NC6cwJ=HvBk{Uc;mV=?RKk7!^l`@G3x>ai@3#B}`+JUkt*|;$c;btVMmx zA+SZ-704C`YA5|=;Mk$-(Warc>;Yf!FVi=@YxuvSvXe+~YfAoBm>LueTOr&;LeS7w z@O8_my;0a}r{d_-U{WXs%-F4*qjRyYRU#$gN}&b{uS8C$H$qxgh2}+UeC4ytuK8P1 zB+OqLV!)?+P?Hn&@?h7vMvpTSy!(HPKiwB7<&*4BFdDbdM?3Q#!p9?blMeVo92CH2 z3rUU!Ma7)+1pmqRN(Q4vZ-E7Mr%1kG;0OnUjlp~Y)v%nvMg5DpFLcLtFn!Hx=93&r z!RJxU{w z`8{9_=aIoAe4f~QO+Ucu^_dTW>))jFzPsjYWgi2d^VH3Bl&z2F>Ysb$wBAor=F!AG zKH$@nx`57qxkwM&gTnD{c<>PY%o5wqMG1K~L$q8obs!r?Yl0 zzj+7adO?pBgzbADz)moEWdClWVaa6aV<+s*ti!|T;`?fxH^bBP5iGyY^+} zwk^Pc&TYCp&g7`?9e6AB(Lk2-N>q5F9;YiQs9C$!Bo8R1aPWH`-cU5~gSOXq8`!#% z7=QD*^8G3R8a#J=2H^rXt+FTmt5(|h=Q8uDebQ0-jxzOydUsE}u`hbT`2p;XGl^v! 
zdd8u5pcR4YMQr_B+1rhLy$l12^^YE*hq_3n?$_XG6z<#KSU1@3JAf0n z$6OTel#^*)ckoD__p4?6g%JqQ{d5lO^O%%f-M$03HjZ$bDsykg!je1z`%e6-z7dS7;AvQf)JW4BXW4g0RK_E&vC*Mp$!??D2@ zUPs54_V+ibj{1*V3d6Uw=k?md0jIHC7K-a9_b)qhJfodHZyhbmJ%s5S-pW`1W#)E# z4nTVh_}y>zv1#}5dGB(3%2yxLHr>&&E9N4CQ6SJnBFzANCyK-ny^JJ}-MtUw!oD7Ri-$0iflq&+lZxu)7MT4-EkOAIyn z>eeVLZw8Z$5`+#V;!#1-b7$MBCk85f=JhQp=&jv~HOc)SmTUS-lB|dPS^MQ)_N+=e zdZp^9u-1_E=9r62u8rC!)?eh<`BJ`oOTqDU{0-@GWSImw2SU3H&sidSh;fPIj zvGa`4Sc-5?b<-kXM@3XCGm2XXB}tFW5C%}Yn;J3y2~`mpC2Q7c9fnj_R)yyzXZ2=t zLfa@Utb_|wE5MIH^Tv{w{o$~-8RlOsOSGtXf*1;SR|PrKiNTL1}!JD_^x+bngYZ{lu{Hh-6U@i7IZR9;wrxh*uY- zS$E4dKTtuKp+nSj^+9 zv1xm}xxXns*+u8Nfd2+qTPlTEd?La>lbhNga@K6mcs(tb>!$2RNF4NL_67M!jT#<9Quu9eio1@JkziZ^K$UwCZ1VDs+cSe zi9uSz#?5J7`s{o)7W=G~!Kax45&nBv&y{a?c`!7%0dp$gy*sfy&|9J4@ zfbEJD9tJkqsYLlcX)RM*whG!NAX9weUavXn2Zzhd3~{>u$I$A8g^`6Gisehpt_{;robpM4>KM8>~1QxSgiqU(`jXoCv$`t)`5-6;~B2j)o3t=l#` z725uHF)mpg;C=aEF3VL>%}!JMEIGz zh1lsldL4D}m}L-}B6{6c{O}q?4(C7WcOS_c=`Wg%20S)xU$tX>y`{hAsbPK5LIp zkzmZfWo`N`|K`^5-ww&4X51~2#xI12u82Cnmf3^L&8%4iRw18ir{$n2@^z;h0kB-r z{dqWWb9dJ;O_9%^!2;QDgVD0ydC%6frfVbgBC+x+PfmmNy!KtxWd;SfiRs0rOw_Y4 zJ;~kT1Ih|Fz~*1j+WYv3=78#P{hy`_#^(mxbAp*tK5b`;mf@zax}4xzNqHG*p~RH$ zw5(^Ex!|u*Yytmd-yHveZu@5$IbdZcru>XvKIQG9FxNug&tS3K)R0+I+0XVwzyGZA zp2+j&w84XcUTt>v8@m~nRFeSjlV$wG${#p}Vm3jGn@$^Ta z+jIrPjYY=NT^yT-ih9)wxz_|di5&^H=;BFqFQtTqH01Bhg|$)nUsa7p%F$=i+;vd= z{54UCpRTber361!q6b~+$=!0o^|5kMi8NLiMbZVN=uoO<=`=}^4&29FL81``fDPn& zUbN=TOM^B%UZ=*S-0O$iU&Q?wWx^ZA;6H~@yb{4IkgMzjlOqBpLVr_KinU>4BRsrG zM1MeuPuc+8dR2yF4grEzkwn1TM8RJ-NU09lU*t|!jS=kCoEXsIL2haJoyW|JMEht; zlJEzsxBaA>WgyaZja*Xg30!rc^GJ!*Pi;SlCg~jZ@HEp>_Vin~1l_3bUY;H4jp zFb=ud5mFKvjpvlw#{Y>=XcQxJocgduiv+6{Lve+{m>i{!a+1fO)6*c9bC+YHYk*4F zdJb)Qk(@Nz+2CA;LWo?V_$&}UL6B+^(^ewlPJg{hw##AxbP=zo4b@!if;RIMl#+8F zm}TfhP%#n;Rb(QGv1LK8+JlxfjwIGRhgK;<_VTRjjFkvBjg%RjtC@&0UVTuHtg3YI z-8_ufCM31@a=Mx9Vx0>3Za_y)4EaY8_}?2>wasnrmL1C6?E94=5lVpSyCdY{H1NH? 
zo#Z~?n}z%OchXL>pAHS;e5KAhOem~MRH=8@k#TVphEd|`6$J(o72b9sQWqgcuQIb& zYE2AEQxaWwcgDvZ&cR%(-*zi5NMdNsdNAlp8BZ+t@!mU+0b^2*I z_dSY}_bQR0=|X7a%YIH!0}^MK`0gL3xQ^DVhCL7pgf2~=xsN>$605n1_H`4*zxVtx zs&L;d7*PE`Ouch=opHDQ-85>{s7V{!w$<3SZJWDs8r!yQ?bx=H#r2Upe*cf9PW zA073afqXa%y_(t|Eg%b?D{tD>j<1+8rA{aw=g!@8<0ks^k1F^Ds6)l}1zHstpFT7b z{}##(j)0MTPYnny^m^vgzqu)jC|IXjYVei=CpWnor@N+kk>a`((yqd3BoapHZu1|R zmomdtT?pjAVdhxANG|;I7Z`li(<>X|Rg#)5NRD4X&_!a#4m2xURd9+D8Hqz$uWWYg z9C`ewxWD7MvS23tYF1{S{Qs3JaKInIA1`9B1ib&%w-F%sRTiGUh|kzjk3)0Hz@D_4 z9l(gdGXYG%_7`wQ+jmlyhH?SO32-Sm>lMwF9%QvQ>uclwY0sl_>9!$)$;{r;+-0cJO$XiV*z;oNXE8c^pkEN_Th5MDq(SJNP?|XdR zp%6!zOTl0Q8B*ds+ArFZ;M$Jy?*QNP`vSYUOCQ(Phec%B??A{|OcwmDE69H!X92&n z;c?KA)wWbO0#3P524u9MM6h&1L$x%SxcbrNF)UW6xeH z2EPzLZwoLYHNKsg3gmM?z#t#le43)E^t|zk$!ytQ;;G!NYzEyRgD5-AUwStJlYPu* zv~g#gcK<3;`7mnL^cP}$E zx9_r}tth=Mk`EwgU+_H@KMh#h1Mi=4a=0IwoRix<{(nt&1R;9Hd4+uCZr2SVy)eM9sV$%`0z681PpDK|2Fod2pP7l-3;1?fC@CJ zjx`TQ>-{Rmedrvbj6tYmpIXa0(#Y1JBiN*6yaR(&%Ub%~$}X7Iny3(A)2xYH<5&%FR2gvr>8HPw#7n6>GD0km<+#_a$REdH3Paph!T&?5 zeI`8aFBSY3wb z2iy)NX>Mc&`@}2DcLHL{Vn%(t&_uE(pA@TdS?TDUSl#HyJHKPa&m-ub**`M!@Q#ud zW-FzU3&r7mI3c5Bf?kBP@nPTTVvD6MHdEQ5@kv?u$eNWI1(2+63(=O)mwpXf1z%7r z*=h_AC7Kx{SxO`@&R`CmlMb5T){ZPo&#T#H8nO8dI7?<>cyveyIuvM>V|0ZlULBOt zh9DgXUgSX+&8rRY!pr=k!|6~g#~7_#QZrPK?#cWY{*7e!yPhN29Q86@N;J+IB?F9@ z&N!J##cJ=#qr|lfq{VfToT(B%+Yp@-<=dXkIt(PL9m<6r#>GBe$GUNFa+qP1O*18{ z&zkCjg2iYNF_b1I-WLVTSz+f~O)qtZuwccm5-PfD>zD16dvN1xY9x~RbR_r?0MGXF z_?h-ylmUFxum8lcw;1_yevODf|58{ErAKVS#B+QoWUf(IZW%-`q}eJr1X-0NEhg8a}%@m>M&ulsR z=g6iGA(@5JA&V=7gk41Bj0eBourofQ!I7l7RD?#rZK*0QBH{F@j4V_L&zHcMHFF4! z*5gMQ(K!WvZu$LEv6zXFQeZvv;8;7thk`99Db}&1#1N9Sc$Q6@j5Hgfj5f-N3gl|` zylh)dR2<;~{$x8d=U4f4Tp0@$T;F1{wX(|+Xchy#n z;&i)kRvx<^p)m5{U_X51V)A}93CY9=N|c2nN)mM^F*9p?w-?Jvte#eu$vdma)!KRpJ#~HyY|WMtD?w?lwKX45x2? 
zHjxw6$>j!eMM^imI?NAgPrkZC=a%h+O(wZ?$zp|x@w9d-^fE}bTM%$DaubcA#EOBq ztcV&nW0E5eKQPU4giU!Zo0tZx57tas<=(zfCm5>d{%-&6@S^u?q-kMAiHe<`=fq0U zQ1N>dALmh>4$&wR-NG^(%~`|2jFaxhB!wW~rBziX#vQf|?4H+(xn@IbagmXQW_>z* zu2jNb$=R$6Fjquyg9hjSlE$~fQx#=?H?>dY= za$kE7>0)1fn)glt?4~NgN zXnxYJjl`)h;8%B39adE;k;j2jN!T(e9L(&a0jh(O!^kX*gI@M;#mOk*f|^C zAFH&*Vo(-HI4rJspS|81--mc6c?tdBD&O+o4+m>jr&}jv#offNDx|?as~P-lH<%Z| zBfuDreavji)vJf47qd@e$1`17YUfMbbCbT-o8EA>``OSq{mW74g!!v_R>Lmc3d$xnMJ!@kG?F-ddID0 zN%VC=Tfpwa9j5Qt$s%Xim}!sqridEM(R%Xj$y*0>zC;G_RejXw{=5a;I^ zY(*X>9|cYtAXi0#$;4#4>%mFgoZu_%(@)TbI?P};r!&I<^aJoVU;&JjRK5mxTfTiY zqp^efk|rOL9$dl#QRT$49Uidk(shN1z(y3s@tUMnv(u&-N~@q-9*yud+t$papn8m? z=n`>XCgm$k`$CK|(~6R_C=uVK1PV;t+dl%v^F9lo2Pm$4p~C`i+=>ep+yEw2@|^o zF*&eRF||+(>5HW1)@Oh9pVlH(z2#gxMf_cxZzhcvZxX=_HTakL4_qNPF0)n#MF65k zcxCsRwbX_|fI)xwfSJFYmsF6WCV?4A>hJ=)9IBe*A)n>LI$vUP#5pDN13lGJ@AtW? zB&Pz}<3??<3akz^cz@+T+08esC#;pUQx+~8b3=4Xl3vDvv=4KY!+|0{Bz~9UADvQ( zPLTzRN$rOOoXT|U^jsnOt3@C7s5L1}z*$1j$XI8&Ov%^D22^~H(upk>Ud{iP-e$yi z61ON6x!)V7W~&v;cpve7^b5LQ;Ve3x@gmFjITFM%+cdkrJH9#Y63h!Xy{+OF%2Qgbjj5#JU-L)Upc3 zB;9-`_|HAqyTIR>Lby^*ks7G|*~*3CETMA?QGSloex!}@CJa1S^V^3R`ySc6#Hiw8 z)AZNW1`@a*ylhG7oHE3MY+_gz39MDooApbhf`5zI>X88Xs& zM6S6Byqp-Q4i+;_F_V;L>9k0{R1juV#k8%M!;p2((3udWS-UpWZzP-AePyzwvrcIU zQdd&hvELTIgoO!LjB0{o?4E9U zL{1vjoTnolS{Fb0$bzAV*2DY{GWQ}@4ZlXbZHf2{{1Wp3K$rtJ@WDxZ$)G0IcTO}i zRZ$ZOwVXW(V}4~GQZM#m<2gQa+-cf$As!)Tb*mp^l>elQg$1Sa4>m%~6k=$w_osbu zWdy$Y*5%N}b(3-#Xf+aZNz21QSvPa1twBM#ie6e?CgRT(`Oh(M4EGg&yDuG8xRPBf z)r~dXNQO_wOIJW&WP&iIDX?Ui;As=ud2OTpydy~yS`7)g##3_0tk1lGuvXgj>hByt z;aVgM;xAtk$0EJ>`(yA)a53*|LFgusaSEI`w&O82KCk=7Z?$p7j0{ud!*tjCcL&cLL|1 zA)p|bX99R)LVrUn(mR4j;D^&GeP8>}%66jr*}vxao%=WpK)_9d0O#@EiLkI~nJ_Z9 z>E>)**-1J>BfzW2dA*+E#2k5z=L|#I`uYY`9r*$`>gwO5c5h%=` z2Ds09LkYE&>`|wy8`65xb@{X+(wpPEKjm<2(m&sb*PMI2zzu^R1CZSXZYBex*AGkk z?jvRCweFhKn+F)|ImVs8Q`>u8F%w)W=$&`3JrQg?)zMty*aQ0O#yP&P-=8mUS=_1X zs`e1HH@_abwrtSpJFV{mULNAbK?Z{?)4ZmGQ4E|$E$Sfn%El9l6l#K!74@l=mm7o> 
z0Nln|&9u*TgX+;GqkGd?G#^#hos&U<*SfJl$5Ad@_Mm*u+x}DzZXGz9r>c=2u$lSt zqz?859c}rIDDJ%-Re9WD-%KB!b@+8|%*SMcXV0z}d^uY-ZFg*6){)u81^6Gs9`Nn; zJl3_H`MG$S%t3Kadizsv_p!D$o374gkO1fB9k8ZrT8#D25fG6#F4wBjO~b#Wt@S75 znk(OFDrf#x>*dgDZ%nAGvlWzkUMapio>K9kz@!Uh&dd~J*sdB#b^`5$VdS1k`?(Y6^Lw|pb zQL@>!xj5aV2Td>F{9?NOHi-uGdCzs216YeHimK~9QGf2Xt@@_%1x{mSHJk5dnFmHW z&TpS@+y%U}+|SsuKQ6D9R;b%Qc4%*{+?*C(Gitd1%JZB3uYv{4z7hoWf4=ipU%|m> z;An7B>M!GNS5QjgFN}m=@QJCn>NQ{*Uq{fViar0_pNWX5n9;LYe(-=w=)=IS9aJph z=wy5sCLNLyG7x$YD&As~4`G}?uLx2oQ80p{+F zQHMH?|Kw?DZVM|N5@)vhix((m(gZzEGPgZcQ3n`jE*h#ZX^F=$P?{a0s3D=sViz@; zrWgy4l_PlX#UyO*J0Vmr@|9AvQ6_`!C$+q|Y6~T-9xnN&P`D({1SOkmNoiaIC*}8x zFpA?!%OS~*un78pVEt0IrAUE3-3 z&FbIbwp?btaL9IkoG9s0eNkY&C?~3jB!3A%mBm?^c%{Tyi={Jmm4ve#lv*aSvZ53< z`4jX@d0>-PxZZ0sx@^i}AHor3@IzZvqfH)!0 zRN2IXVvk{?;{lq2LCcDz-7k&%k0Nb6Hi`-aVg^IgF1w8MfULcL3+8+T{eW|DT3n?+ z+ZiC|ZTo)xb4QkF2f73xFoSDS8J*O2JsnTKz`zI$KM30FdxT%uxno16sBUwt9ER-?(+_Ran$Og?t(EbX*l>rCe1lHtXjM^qPdj% zZ6zH4&_R8AQCPiEoGOHbPojjSlTE1Nm9dmUuxZ02f;}VQ<>t>f4347%EV@w`K2jrW zllY5$?MeCp?5x)9W+Rv?55|Zay^7;IVkK!N!LlqYWjfM|HtMUWR3#mTeKJppBN(^v z()gqhqol7m^2j(ZL#1@?uzZax1h5+x8Yf=a17AqI6~rP(j*)Vy>_S|%j_R}QqE0D( zl!=>}ZqTRBIk0{Y`vUofWx1wq%hXI+ALeQ?V)*AP>zx`$ghWgB8{k8Jz&!a5cr9S{ z+y*{CA9HEgV|XPn{t@olHE(&k>ev+??ArCt@MKP{eF|wb7dw0qAG028#Gb&66THTm zPa9$-;TQzlsxxLle3``JS(Q{{3cCjpuKe-WSZ!6xi<}Cg^KY-L#?d%Zrc6?q)bcOc zJ0WkAC$Yh1#p+TyHj4&__98XL{wdZy#+t>EuNEb1qQ5zyzKk(dlF7Y_L=Y6u{^p=I zfLhCBbs3Q|{=GRi2OqVNt}+?HRJBwy_iNU$#Iz=!VXCs|J8U6T$!Ux@WY+m8n}ZHp zYqLU``E$OViTJ$YmJnfxsu65J-)UnS4y)8@&*e}ZhhyuvfAD{Jmf-a!aUU_z=&4!# z6;s)4KUY&a_bjz1M+lZiyiV{Zl^7=F*(FEJgKkN56^@i83csLaYO-!_*_BDTg>1{U zc7J6ZbZB;G{9lOz%L@{w|7ViS{y&rCWhgsi%r0;qls}OP%+TM@L2?@4R$w1z2k=X( zZ)W1BKREQ`YUNX8)b<|@ozeMHxZM@4;U{e4JziJCQfFi{i;v?qkDGFUZi2D^EL}fe z_n5BmI;S>vTO-3#?D*|X>-vfBp7`BfxIPo7sHFMp?vz^=3B3-NIi3+drPS!t z7WWQ7?xL%CT$cdX+=&A3T+jOhH3t+v2H$ca046@X?79LqX~(J268LSi-2Levk0Cv} zXkL=;(8tAd>bVfdb6n(eX3qk=-&F`S+;fK_?o&*^zlc?^M++@C1A;G~ch(uUTrV)4 
zCx7a5*$ift2&^0oxK;~TRgK>L#C3J|*rn%*O7`@u8n)}Wso5q`d%t?wF3*}876;aD z!6VCE8Pe;#NV@FBOvwJlao=!jD)}z3ta%Y!luQ^2IpuvzetS>c);~FChEwgctI4s| zjZUuLa8xnQ*g-`>1TDp|O=1l~kG(RcYw7xCXJV}HEE z25@N_hJBqD?0&mh8&%m7o*ky zmr-_(th!Mj=b98hcg=?jzFP*sQ{g8bD`xw-3$Ld|j^DL_yKCYf>`0A`o;CQsrwiix z`GY>6V+|aS0SoZhcQZ=SzXUDegwmaMS+HaJz0-jic3%Z-nnCu8gTQ|P+to3-3h=JO zYsMMCKoT`Ber{N*i~o7?<0|3~Oc?hM=nGO86QB`^`$0la_89P*Q%49|-d)4xf(q@z z))|1S#e^i3KZ>f4+S3@dz~p1LEfiGvCjJAi-_=m7{3O9KBEmv3k)-XHSeYLC=;Ju~ zn$-?1p6VZs(t`UQyvOvgYA0E^Kr+^Kr4xF|W4EygsWpRjQ zydv6kYJ?RAbz40l1^i!%hT-RgS;BN=+R?@knCP8Ig6wcG<&xI098FAl_|*mRnC<4n zFU@5ExMx*xKlV4u)1a-eiV@s&sOH1tslS>faXCtkYfZ!Ion1?7WkYj)p53(ahNbxSkA6HZ}~Jv^ve;$hiJuR~rBPo*OaWf$#7| z>AX{poSSlRfnpSwYMXX`J*o!Z^FGA1AN>Os6?1vvmH8C$cs31#eozTq;*Eu8rjC&6&51j25*kO?kMpMh!Pvfe9R1whVVny2~& z^?RUIN$&eub9N8#^z6m-!H?QpF0W9vZ++5EU;?(uGWV;e!>$@-H?}gIB+U0fv%a(+ zS|P?ID6d2V-_Njfgyv2xnIkj1Q%{gDoN(OnsyXkzOCVDcQlpmgG*~gws#mth=@LBX z7A0^rvD*^|%K=5q^6S&=+$5=J+QNUt)Vs0GAZ>{&V=$9Iq?ysEk7<1sm~%=azHBKs zbXR#8gi9TJl(gGP&Uk^tCDSP?*k{%%$8eqbCHb3#?dv!?6hx1s1x`|RX^FO|zY>Yt z&d7`7@*?&HsBahq#z@CNhF8e&TyE3Rxkq30pp7RTLU{@Kjq;e;U}eEk%} zkkvZ;nlDW!*iV_AbNDp`?_*nrhpp1;Ie>ooLtg$Xe=+EOcY@hk(3cPo5+4&R{7(G7eeSAn_@9}nf z*dctrSRtQ>wO0)S7q&>SH--;@rUklg<3pF0wbr%+_J`gGoV?C9Kp9HzXX|SGeo4Jm zCAjwkXABqK&VDtQPJge?+dwDl_`s&xVN~&wy!n)9V2j6_iv1|09oNm=$zlpJu;E1V zX_Nxd&w2Cj;p(9taD%W=ufFXSHnrUxwcBa>xyjX_qTl?$BL9ay*{ao|zm(n@+F3wMnX+VKp;b-@Krx=i&cXi$N z5YCpzxi&JG8VJHy?|=7`wpC~~s9D~A=WBXyF3EW~UH7&TtHf`=`qts=FpBLS)#Ath z@dyw5u><}72IN)9Fh7b#|Gs?;+EfQ#_1}cd+9&U-3EbrB#%R1`CB$@CW9-Zs`#tm{ z#qc@ge5AY_cUS!}UFzIBqTo1{=f8Us$n*tAzu|Uoj*VFk*Z8s&-Nd`BDcxLw-pAG> zrjd6L@PQ-^rBDB*I<~w6!#@ z2<2%!N6)=2Di)vi*Mgo5CZrnGN>(%5x`dS_+P=yyu<4|;)lnz$l}012>`5#1;g#0_;or1HfghPe~8u z`+@(S2xiU-Ey039O{5etMy`o#Y6%8KBjcz@Tf5pto{6cnMQG) zjw);97$zyFi2G|-p`NY#AJhf@d`-py#F&Uvmxz1)k_FTnsst&m)DiQy8N@wFIeSZC zKc(o5;Du5pSA>Gr6JueO^F{**b8XT<*_-4-|0$EybPLi*)yig8xH-%)NM%0#-T-*c zs=*gRbcOGcD}5HXuJ17*n?vn;vQ6cX(9`rSeG6;cNf||lfB699RFTHU{DQ!$pk^Rs&M$ory 
zzTP!A>|Te??4y|o!=Pf*L2|;zpQK3FVZ@K&4^Fh|G*Y^(aiMioG8dDSWECAY-4I5Q z*i5~Dr15R^sg}RAIjj-i(qws0W0M__ZB!;Bs}z4f)?zpP4tQ7#N6XVD`iYr$i_aT5LqPf_>LUr$0QBG=9&3YD3AM0O_f*sr@f!>q-V(rCH#d3_OFHQNrk_f&%zdHTi)V&4bkmNB}gzX#2kO( zi))OP2k;?Z1q{CCS_eL`O2KWiE`I;>`=?_R>HUb_N(6~&6l4R_3AfScrFJfA zUZ5jKL^>C4iWHKA)!V9_MsDYTqt?8XlIU7BCT(aMgaVbm3Q)=7r&%f`*Jb0Yf^x(RUmIcb4!Io#fk zw>}aw{E?r!oGuohHsS_HJm2=NfL&9suorq;1uw^KCA{r@Yz$RD^$Z)?Iek-}7#`J~ z_5AKRYPMWayD%I3RNddvwvK-t=mEBx9!&K=D(~&*gJYTPR#W??r3qc>p{HJm>I> z1j#gMk44N|iNd}8nz>XDJT+l$g5)Z}ax5e-f*U|;qYjqFR(~4wL4z%Fqb1?WDJ(@3 zXcF)L8Ul52+Y008OBfwUsVpCA2z?9<_FSzR&OZ{f$mgxdh^_(=yQHZ~o#Y1G(;AAKC3KkP2Y))~O^mqQ@7S60{tdKL{j_Uj!wQJS97EU=4 zL|3)f+;P#Y;W@Yj0P3~%`$D*i8~%56 z722H#T!1U0&f&FbK$Wa0zq6RQSg z=`cMaMeK)O-i;s`LgM<98ZNMWhKS~HSeL@|z9f@rt#IFA*q1sfbQOCo15XXa8@b;p zzM_@x2xhv!PYcWj{}}x>BKvdHXH*eyp;iEI9_+_(i15|OfY;xx%s?VKv(q|RnsmLV zcpN`kFZFiSEM+&p2vN{yD*J(rZZyPrdZeSqMW+ z9>FAcWfA?O@H0M?Xs*1u(}(6BqO7zPk9U*aUG~>^udH_cYiGEdPm@-F?>^I;JQe1Z zRi>%j6$v;6Ox6tmwJ3~#5+(Hw4G+Pio~&8bCFH!bki>aE4Cv)F-SEbP6t@kBeF3LM zxg_nUKRptt+K`A;^P9BfFXJKChO0;mWj4u?j1{NYQ2wOF$`B<5-$7DvVLKb>qbXpf ztQRzwVL-7X&0k8;?VmwMTC-x28zCew7ub%FVu+kQN(pWoc^%NFQ)TQkvdCx}APPIc z?!qgnP*4^m)rwg#Sqb{mWz?J0W^f$D?Hw&j6)mN7W?%mb4?aXV^sif`o$OcM1qdwen2^ z_vXBA2RQFlyb%oVx935yAPl|xPizmr`+B88<}?9KBt(Kyq_zFn2lwd3lcjCote&Ns zwaHzLg}{cVwXdbMAo>9tQV z)Ddq|#B*U^#Uc{9wUk*-Z37b}Y!KVtn*B;yl(cwl;G0vK7&g)nyrpa6x zWu+KR%)%oISd(Tvdg0^aQWg+NVR^h_M01nB+o|0P+qLnHpeiL7skhN|4JXi?;GPiU z(5XhS%%q6PhLHLztgx+N%ApH8j7svOD~*=mC?S!0=@Y+x{vt8=$?L@V^!Oc*jUTe> z+y7U<|0H^Tedyi;Pk>;s+3p>vWnJ`;Y`Ysg3l;T`G-_u>{aWCa1tjkK21@xeTQ-mF zPsMy=|9OE_wn)*yT%yySi4w@sdA-xcVeh?Jru}aBBCy%AT~|P{y$WbzQ%nB{?ULuR zIrO&n^;zCId10v92e}QN+Qn3Yw}dF9kZoViEBC6`V0)*n@w`uGFLVLVThr>q_qI^4 z18;hK-m^ciczxGbBPO%%W^2?}4t7Y~RqR)fa;??9%q~$2D%|w{UFdItuO}Yl@IhpZ z^8(_?rDOyEa0m^1#!I!&ht|&v<~!U4-<#f)mNtjC5;@yy;JJSK6MlnhLmjTm+1j+i z?!-+Ea`#o>6FvZxr+)#ODCpR#zp9eHY`KJY&pyqmZ(sm=-`L90-LW(ZUC?!X&GPXJz=o5+xMSTp{1GA_c&XpwWdyWdUc1Ta 
z`c%MLC!c3Z?(a&lUAH%+ZV9uW?m2g12)B@8hF6sM(($=usj7ItW}vuKIq# zh}!ZodeuOKo6P-TA2aC(nyXmO0$eYeyQ}FhWVIB52AtYvhdGb|&a$s{P5p z_?0YUep?sZ51+~OP)cVp7UJUye(QSyygp5XX$y0IpexzPk`}erg3Re6!K+-GmC#yJ zk|JgGS`v(Z($%zo6R~0KJHJ?Ykup}reu0fudcf6$yLR&Xlc2@Sgw3H*{fC>RJ1L%N z5bNnc3A4tSHrD1Ij!v#U?r49EN|<5y_?O+1Fv8QF5dXT}xLzzpeN-P|O6H6yo18bv zmV-ertaY0s1>F8KIR)}y*rdTPv06MJ^8(@`O)1l{VQtRzLvQY8)nQ(&RV`gfAhcVi z95VBY;I-&*_Lp9iL?n)a=r%do-<(t|^znw%avhWtM0jjAzec_|jz5i1Ot!weQo-RZKIiqg++INIyQXr#DD^L4;4K5yBWp$iV4~d!ppjFf;eV zoYO^tGsje;bvWjODSh!v2OE_K^o9eo1o=8GH?%e}t~4AM&kk|f&ME5(nNfIovY2LO zA~v+!H)!LQC5A}nBCU?EoWFyVXGEwp0~q>$_aE(Aps9OnbP@0{sTF8L@H06VH5zmf za>Ey>a4;mXC=8cB&1<-RT`-k4=xo)@;TDSc9@su=CHmvSjc4y+4UzJw5>t7cOH%55 zf6b0-9s|iVmR7AWaV&1qh9H-WL3Y_fJprTJrZ;Xe_|#Els; zT(7F8Fg1c|^Wwv`Nx=Q7($`!s8}4h!8ae7nHcC$7fDxj5*F$iT6M~XW;!DYo4D-;e z!$z?0DPZLD*TS@FdkOs%3GV_p)Xr?>8SGRB5`*~ZilM)G*oTkK4M3O7fOaf_l{q7lI;wNX9^VA}&t8 z){;bFZnJXUul~sz5U@(bQY?QpEZlsXF2~K_B`w)&QVPls-B!^` zl&G{0#8HwaqZ6`(`j`~R&!3bmX)~mEqnH^ju};3PPI?$A=E;cBtBjfuT@jYzuG8D8 zHP{HXh|P-RQzQunYL5LLx;FTV6HnjR6Ae3ay?}!poWVW1=co8PE@Xf@N+s8|tCz8A zO{H9HA%nEQr4*B`w3a;)yUl8>*BAAEO-UB^$4ow-uH1UP3dv2ih66@3@1+oa)gh-z zz_BOXco3dg6I1C)g~WgxC!ZXYU-NhxpUPJop;6dG3*^&w?xB&!apx=r36G0I3j@LX zAlK01Y^ntK2?ZIZN5aK0vf0x-J8AkxXq;F{k!! 
z#FLx}?A0e|-riL{$xIk@v(hx68}ZZFrgeO>Hw_)L!I z)K*TLDGocw?3&sY>E5SS0n!l~eM)lafTM~CbZ^>}^}DjOY@p$DG`F$$>y$Qo>u%n% ze%on2q^i$q))XahS=+Zmzs7s?a+=mptdZRH{6)aqflCEoHRol&^{+&(dHZgyqxtQi zb36vimKW%BOU;v2*S|XUhxh(CX6l8{`H8Hg`mVy<%=dXm`n7GH|NRETe4L=tZNB&1 zP8~;`p!+rAZL;%mRQu7-9pM3e<}(!a1#3q8-{%*Mo>dN6ZPIX!AL^>Dv%Kvaz2kC2 zfB#nZ{)le0{?P=%jJtlQ@^JaNGRJfm#@b<^*KTiulEB(E*?<-}jKaKV4?P{2-f~+u z&Ffz6CG2?=EG zTyLll(u?+Ndbizrwck}SfMGb=NKTv*AS%~ie7T%%H1~S%SM^Q?N=W7YS~)~T<#OuB znrLKp3TsM{e?j+*`xrA_l>d7TA&MKfj)}y_NhQ5+1p^vI+9>rEDySZJ{;1JvL7$LD zcK9;9$R^bY1Y*lJwyFCYE(RyruNk{Ft9+v`+z2*{FyDf&nU`- zwB8%QS8Uc~#8$2>U~$^rqyfsA7Glqs@Uvs#e$dB}|Ix5>RvGv9My}G5W*vQ3mdu^E zAja2AmWBw|wQMLljize!-sO8RYS zd^42rOqN#?3^o^ysEcY}C3Er8KIA$_UNojTJac?m2@O0KW35!60v85@+sC)Rc%;^4 z6MqU`N;7}!5)ROmM=6?B_^Vp|%gtNMPD@ir^7=}0&kJ4tfJ=d;7dlcG#`+gsw5msb z*QYtb`FGtm(H}Y46DM5+T#W;*8cI>lv`W>T6|A#vvf5%3L5bWE$5Ni`h$PDp%njyX zk-<9b)C4^Rh(zck`8Y|h*#)>F##@Sv7yyt%mJB0AyO!%^H4BRU-GsvM6piLf(pP4; z_O3X&B%-*hd<=M;URUnj9yi=oqH_xqIPyEY4b#w|%ka*km8eMFnmS0IQsHksCx+<; zxi*tH>OJp0G`yF@~%R4K_Jc@t8BH*`x4C~Lzk#8VrrQGl-fi5Hs_Cr7EUXxd-FBn?AQ_8z@yfr zp`P2(gWq4_gY%?7N3=}bOVeUu#KuGdCGkl&760eB@od3d8niEU+LvD4$(8^ zN|}O9(l5+VdC>Z(L!vnZB0{MnqO=!o@cz}Y*#=99!`J1|5oM&x2VtYl^^+1%udb@* zk*%|*OYng%?Gw&f1IuL}T8vlLnQtZc)G_rUertaGt1zq$`uuNEZ*q1>^yf-*T#4AlybEPhEt{bb72s7IoABe;iJtf{fY~d`pb1l zI61b`M#qXvmIMz@5DQB~!<#dCYzC^yagu7u*Nak!j=jejQqQTVS<6gS`Ru!JE6QRQ zK6luBeR)fq5(K^*L};$IQ970z)*wSUcBJ(Q3}+r^cTc@zwW$FKKN0reSMJ+N&gf^E zG6Ib*qdJZ-HUhYI!6B#!6MX6KOWP>Inu~|#x8s(kYuc0M72*#-D)zmp*tW*&j2#SW) zWCZh>PGTI!iqoP8_t-BX=lAR4;Qckcw*N=1vdB?o+B9-@Vi7hxeM zcFN>pQDH~3qiOzn5n|xLz)C_87KN1J9iA|*=YLM4_PM`PCJQrAMDBhqRH>74CX6+0 zA!MSX{Efwu;4DNsojl}KCCGaEXYEc#G?#24h(&_T29q*odOWRlA`c2$R?Dc8^$c#! 
z=I%mH1r8qRr$*I7WF=2?dfGzgnQH@qVU-ua|0Yap_0-urT~4 znJhlh*{4QY&nETO;L9=l9Xz?v@#k1NTBu~?Z=OsUcb=HGq6 zcE(Ar`AnAoEq4Ge%=2u(&okil=TreCwtM%W&rv-GxYMoyOZEKti^iBNcmwVNA%qGj zgGB+br$97HS;KFV`QXbJd-3Yd>Fk3fz=qFLrrP5y4!ic=AD(62&(zV@^?>ymGPQOD zE~BKZ=ba*{e|GX(A4zx3T?R+G)oos~4owIxeiv&;>afXNfGBP5p~dTMt(3x)`zxT0 zniVkTqcJN#M{1S>wWh4do8IfGw%=aQ(emXSi2J-NM1Y%q-gFHw&uV77>HE&Xap3NE zQP<&pv;T6247gsk-VM!}iPZ&g-i>+^EJUwf)+r}j_&l#=iody^qjYFjxm~WWZ!3D) zwW&V?P2@a;`HT~04WBaI-r_0VFEhE^8Jzo^D7NlKntH-%I+nzc*W{lzFS5IQ56?65 z5wb_~#5YvHb@p36r_STxldos*OT<+K_JBP}K*x3CAjis+;=}IXmNz_jdJ%xCNJ`PJ`zUqH^*a`$0huj5 z09S68L=UfkM>OjL&VM_${5s!`BSLLnmZaASoL=G@$TK!ycH?fRj_BP>9~MGuwodfw z&ObT;&(E_o_{!}sWo_OU^yi)bkEnBujx=D>_QaWRCbn(cwrv{|JDCY5wr$&XGO=wZ z9oyZTcfZ~J{?s}Bw@>$Zo~pX*y7oVwj~RQW=C4RyuC$&l*IZgZ9yJ7g?3b1_VwZL9 zUn#HJAGe;}y&k$spE^E*lXQ7eCr?H`2ke7MZ>x zacjziOWAhKN9L@k>0u*K{Z`%@nABiKl;x?v;AwwCsbid*L&GsU#7#Xm8<*j<QhbNL4d|^(!xM&`e5Qv z;AYSG&rcT#M$F$-SQ@_EOZn-}z1J=HL_usfUsL`msLHOSY06Lxezc_HHp9M7QEpZZ z;WFEPip%jVo^OePhuq0&8mNyJsc;j66|#SwX};Yk3z#Yy%`qn9yDCYrh=b*ONjg9W zX&_c1!x3wg;O|r`bW@I8#>ZF4nDhUDYUY+kL}7zvbI#D?unqaeg!7Ews7Rd%JxuQM zXj1wQtKFCaslMktTs{i`&vJs`qf$zM8OA*<#jQ6BB_prN82IY0Gul_N+WMNMJ^CF2 zLc5`$!@e#yX2Yq4OUS5$>CZb&Xzidsm75jtBfj>cGH9>QqSoi;+=L*>sTW%e!X$$%R7 zqZ^=iJ|Gta4OES2{?0#J`UM!%0X-JKkL|3z)rROg0F8gcFMyO2n8{Akzb=D+lZn63 zFWIHH1xhE`Q7`RLK`kx()W1Lpv4AOfoF|f`hzQ*lkrrT=!7lsW;tSo_+&0xA#92jF zaAB5I6;-03Xs`r*X>22QEG7}E++M2zNKCT)@e0RvJnFVhAi26|0;V{tR!$Uii}SUS za^c#qqeCXq#)E;V)he=?V!(`E^ijXGBB=zqz?-B>|L~z*J|S-k7G8{jY)2`a1l1sQ!XDZPob3G`WHquD=8|zY8<#2 zzuA0{j($N%(tsSnpC**t^X4)t9O2nTVbY=B7ZZr%`>@Q|?yuegiJ@xY)#~V)sJ=K< zoRJhsfYl@te;rV9xb@`(ptnu&yw@y-xX1ZZlLF`q8dbdf@p2*5##nLhjMYzrl@UW} zPORV)Gi>v#9Pm_UWBLtE7A=AOUDei?;<)t6o3%cSx+pX9F@CdrPq=;XN;ug( zTRw7CIeWrbgw&Xw3wGTeSfW_bu$nTpX;f}sw6JoGt+@tjqFIZaYZM8o#y>djrbPwv zJKp%I{2bcWC7EVU5))DxaODI$RS8=C@)$|^KvNl4^c8HARa&ypq`roPd>f4(j+~cf zY1?n8+%9y8qpMOioI2L!1K(Dus+*I@&X&wpXC%05)~)Vs;=-$&#wg~)KYq-Yl_X)v z5?rcxn1um?h7GnV6`zB%-21ID|F?ih~_{{50qAWuI;_c--Vc_ns 
zz!A{2C8!ca4qOAF+<5eXe&9*ZvW1YG_O5}DwCz~zu6f>5L@ z8rFKhS?YQJ+uR+SBhDNSLO$kq;))A)7cgqqMCN&(9a($7^0_|fySuLmIG=jz_xV@^ zF703UHaJ*X9}kP)_i8Z%$aA|MQ7oH1XON@mQ`Re6049`%E}x?Mk3+|9n^8yiz1z1L z{4D|2>D-y<47JLou3OzPx|bdIjGdp45COo&W|+&z(&!K5r%gWI>p@PWO^>z4D~ywl zjqI1KmVVJaY?yJu%yzN;nGd{^KM)FjUSsEuc%P3)+?{q_g9?;+rQdb4ZdeSop10xS zEmb0?b2}gV!x(+WGInx13gloeMa7Z5-D+nMyU_vI9E8 z&wk z-L|f*=$U86w)$J&msVbHyYJkzNBh@5?WFkK^erui#eUp0Pi|d1xZfb&N$~;3)*R`) z$>z1(tB==PFM&hj0oux-TgQNoqEAlW9bP)u?q~zv(<@pAKAZG+OS@0-=ev@{c}&9A z(YeF-=d4b!w;`582^YbaJ(;K6fZkCsO}yLLn{;FhZctC!H`J?Rpik;m+tVqOWAs#O z8t3XqP*`hD>!JKh{>EuQmfPL!hNCBz-@9zsCGduy^&&a;vg&c4ddHn1BgRocKpWKS zbH8(Q_IB+^21ExH7WeSK^-KlG((m%kR;=W=p}LqNAasAB0?j z%6uOYqo6(s`z;Kjsbi13+4N^6t&Q*~oU09b7A9nq9gq;-mGlvpyl1iM#6pq#q%Aio zt;kv`yGiC(<~bJrPWEZMmCZJ(2t)kxQK;5?+^w^xBp)JJr{-9@SgzoPBvUE>e(`Ur z$3fGmVWHaHt+d}`JuY6_j5&ibvd{_Q+m{LJ8fQyDSdFLR0wyK2IFoBLe*MU1SXp+- zKw`>SzH>i`3x{CQ8zVj5q{^YG*`yK`qGzj`kt)XSP^T#Q&aY_gV|3#;Ux9sy5^^f_vP6M4quFbzbE8A{pI~!D2D1x}MaNWEN}6KX3VeBK*l_ zOmU2#u1|w= zman3rkT_%04zC6~i6Vh0mf#v&VZop@^7UAJlH0;h`!3DkgNSiawf64n|VFXSB5fg7n~zgpvnM#dkLTln@;0+IW{@xJi|xh8vcZKwsrG0$W`e<9f`2A0?B!s#&}yxXOda;N<3xqyC2HdDLxsR8s^Nk z{h;GlM`#q6^t*?i+fray0O-RpKP5BZWoO_a0F4-{5-H1uQWHvq!cbgYk{YvoQ>c1H z7Qg?gOhf#*Od(s0jSft*@UBSn_7!15{48O&A9}pp4HhZGR}#v#SF7YZj!bKHTZB`C z_3M~>()F6T)bC<0;(YwV;a8}HC|Lr<{^kKst7Te==sPcUHkIG!E~te?n89(GL}*iT z#mx%ta#7Gc8VFNP?T7$!Fvov32DTMc^2qAkxxbQ(qlKcJdXON5Nhs#mVsJHC{SyXF z+fFcFekK;1XFf_Rr12AU|i|_I{#-Z@5qZ*dJbJ;!G=1Uf3(s6vH5>eR2;Qd>PQr~&tX7qs=oy7i;RpVx}&XQBT;YW*>0muAT zmM;&3msC!Y)h5@9%C#DkaxqD3BIS?uaU}4fn9{?2p~9Pj zq=;{IxM`$A-?+t0FaGHDclT7{)Z1}6YouzayQ%YMwDee?XZ~M#7sUIHCE1e*43oPC z`Jvu=fn=R}yKgq01<{6?0|!bJqW{Akv;1JZ#lI0mE44-wl|lev&m~ zJ$@OMT?_g&lV0^ah;{)_V;sj4FI92akYJC zwm-!S=-u3(Hk_8ScRezB-u7g}b2n)JICiPwek*!pXuqALy{foqTMV+b`Fg)tuk^VD zp?-!5@>~V)@NXlW5|Z++U{+p_BsTgt^iOkMwJjjc;0b`Tl4o{~-vlokKiXUEJC-t6 z=wlsk3JY6oge}cAbgp4^s~>?lxJ$SoZqUZ(UzoV|;b}0-ERCJKmUH=9(Cr89-Vz5s z(pPA%)v~K~(!Z6@_x3434|pQD@g6n${iJqMzPHc6ae5(yu(rea?eY9bUEchxKjoRg 
z=j}N5)BkqZvMaaiaCN0d-({QR`l4g#l{U-k+8MsYVo2zbWx}LlV0kzkXu2uc%teBk#QaAW|NLmaJlB4MN#Gl>iI;|TuQX) zNd%TGa~ms~>hkW9Jf-M3<=-S_8nSN=tVK@Tha*O58mnfo4{Y6*RB~$c;i!$u%tx~{ zLq)SFaCNbiwD!50H0%Q&qv(9|ZAh##N34$(OO-I`4YN$H-=>x*uqPx-w=2Y<=&1_g zC$O{=p!3%D(KrUGX9q;iUeQ+B;QTz!4nKKiapsYWs;4r^rP|Vm@7w?GudlFhhl;Fqf zPcpA^xWFW4$=x>yw4%$XGemM~X*8>`ns<|+7nn%l_qbSIf1O3! z*Q83`PcV6wI4xx6&H>9`X?RS7bqYtpkU{rnL_}+5ga^7BWLRs*vp71|c)K4qx}}TG zaN_Su-&xuEu~4dScKATm6X$l^?A@s!hQL&~ua~#~tj8=*LG>^1~ET2o`7>%y_I+zo45TcL@3`=wvS&9Pd zgPp{3Wg%seY$A75i^wGRHafo7$0CYx=rZ@?dWRKMozsH-Ef$)cY9V&aq(|Rk)1i}r70JwXA4TST$_AIk zTF3R!F2=R{Cm`m>YJ5j9W}a5&WK;zBk7#o68F7no#RRxzg~i60G=w1GO=9pSJ9GW^ z@wk6^8&U{1*})YR!I~Hqu$4&ON@DALafzJDW(~7n@gI>+sEmO$4bJjbr@f zF4UUTsUNJ<=T@f24L#8sHskA`Bx7g5_%luP{a#oahpf$j#$AF*R@^=<=>R(XCNck_ zL4^-(9J>MMRE4}cZs50d6bb`Hn%Jxs${TKgb>jzO??={}j+p z1Y}g{?hej)*OMt{K}|>k^jg@ZjnBcIydLqc^@cvlumZnYQ2Ttt{+{R>-q+gGH#Ia+il<6 zYMk^ou5ZcW`y+Wx(LI%RRzI-auXE7yxjzsJ8jwB8{2GJP%=yi3PdvHky11ph@?9*a zb?_LZyI(%6+ys0GD_Np2=fv@43mo67IK3Oel^)DJ79>?3V z57X^dsRtbXyRDjhJ}U`{pDQ`dhv~hQj&6%H>x$RxjrD7YN3_{t!uMzD4IcJs*q5H; zo{qncO;>Iu++5DaY#pDfK2taM`cfTvEeclvQy0Z6`Zv1)(;$s)!1~q`H(*cMICetA z3xoTu!T#}+A=7DxP$6m=cnNdQe^W|(>X_~E4+Zl=2P`$<2p<#&|16+lU_<{|_AzKV zRk_)4I1^C!lIzHQ_X@b!ly5zJ*7XlDe@d@vKTw=OA{1op6n+_;a6F}o-JEgayz=?S z|IUeZoHhodxq30ke)H;a^*MMfIn(nJ4|5!2k?XxEUTfF!u6lm`n)UKvnmMrf^ZlBF zuxEK<7QQgjz4I09u8GoRgP-%{#pRja&|^wc*5Tuv9?+ZiIz&JiZJE`)Q7pO5@}7=- z6s_3bj=YnjM=dWiJi+m-xn6u;D>lVZm-WTh)0N0P5Dwh~jT^_Co>qNfvxiHXLZ zB8Q$L2mJ{EVg|&6zV8TvGI_)nM2gB!gw%B4&ja=cUUGMz$316AM#`uw{3{kAFX(h@ zNwld^gWqP$Y?hAAj6#1Y*_f$OrE8qC|D}p*4#h@rJ_DoltSQ8qQvrELD*el97Y0=S}OD-;gdkD!; z=%^E0xwq=vXvIxrsNI;JeUi&yL~YSy{yOSX9reo!^{z_$(Hy!^nB~;)9j+(>%s@{y zUHQv^IiB58$~n5U`Qw7yN-(UfTJ2|`7mr{~6Vv7xdB;y3nl*1V8woqGkl=nQO^5`e zP6wtYRczP$*TZkBJjA*bBm5+kEs|PuF}u?JsvFAr*yR68Q3o4c!glfMOjmxq126BvQDsbZAT)9qC%K@1%Ao ztm>7JZ2Z$g9Z)T5xI=Zi;O!1s5K9C}_TqtNNyZHj*yioa$h_Y(;)66=O2 z4&byP=x|CXxm(8?(EqeXDisf^cp~9>_4l1%XH^3H*MgKN!ispxmau-YWrj4E8o29x 
zKGltYON&WYysE_1zZ(^A{-aU<8?i6J~FrD5|$ihIqfyy?Xd^EKxYd3$DK`3qpsT`^F4Wh$!&n0kLMqd_}4E>x9sSc z5Qxbb3^J#0`bi@Uiy0}jw1@y!+F5M&9T%`arNIEB_RoFdsZ?63D9v`De zobi-n5kP~UUqmm8F+^3eufREU;yY1N40B^zl+Q9(^@(oJ#ssObFqkwc0J=EsuFNEl z=%1Duikx8`H;;Y_CCL>SYQ@gc?d`Y9R^Y;?AgCSanEw{Q!IzuC*2bZGr<28tp{q@ymCJgJrL)?mSE%BpU@b_#cSw*T^aZ@jK;v$Fk zWp>$m&K#Xns;ugwTc_%b1j=Cxa#h^BPk-r|LtATZ!F*!{BbnxpABDWd;lpOO5XKjU z>WvzjF7{oqFhU8`CpOJ*v*A#oHK>UXi*VSdp9mswIR?o8OweSND+gS%y~7YQhNWw- zIU7Sy5Gmy+E}y=2l2AKuFrD{=pW0EIkXfKfEYBXQKy8g7!mIWCHXAXIIbX!#-}w~= z332jXzthV1BlGXKDR{d%&6~1fCM8Em4V6#d#j|rRJWQVIE}lo`X~0yJ$V-qNUW-)q z#PU!b&y?@NBMN?@R=T}YZQfbmmkCDoe=o^u_oxb_tnp434Ko+ zq9(chf_=V6fsA*+K%`2L#ix*=pPeTleCN%bhBqf(gSQiGX|qqDgCg(_$t_hEbVqAe zegBB<^83J%FF^El@u1+zpw+(pLne~X|NQQ{yLDI`v)X@7xXZ=yDNVcc<7o!wvNzm) zXB6gw!*m7B1E?F&k=g^y&JCD!d|f>E>1|(brtJ=K{B^1RJ|keSC1ua&Q*DTJ^R)|o zd`zG6$;U+d(Y|}k|IkR_`8LS<NE0mCd2Ud;fIN ze<0ZPc~R=3*@gdeg3t3p{(c64-*%Z`tLJPF+G|Z&^>#W~O*Ztj+~{290*xQw9_1e9 z+@L$L6LMditnAzmUdHcyxE;`Py*w;fW;tE?Kl}UM--a0mJG8#( zpBr!*X1i@t0#gImW?l&2!a??Mj(6%Gj{g%riwDQh*gU40uiyttfz&ybfBYSx$i(-% zJ9nWjcwAnXA#~PzqX0ywavURVJ)DcLRaTQ0_U->mfNJcNa1KgrE)-A?l}3N*FE zw4IIL?|_!pXltLIJcHa6ol@!@y+ILMjC@M3Q|224FT{Qq>@c&wMh<_`7jP?!nf|`V8$E%<_nr>lLWsZE3)aiu z{eDU7fa$k^ZOzj&_MgYF`==uStK>bvU-q{4WoMP}@Ak6;kdSVeUQR_NJdi};ivTKZ z$Ocl3|2nZLB{8WAQK>RXNY~K<(K1AV%=f%y*(nL;b|n!-JjD8jWVzyhqomW#vw4T} z7!P}eiNSky@cw9Myl7I2mN+Hxv2Y5d|`QRl3% z{+eR*)=8;x_eD?hLYAn1SesT9f1*3I*WDA zL!T!GE|xPrY6TZ3urX<&F*ki{rlZJ7`lr%Ia!IF&Up#7Fwn|BdB4n#qnHc(M(J3c~ zVmn08c&nkO@Wgk#5Kg4is~ zU(2o(VC}4zPisFp$f7Wc2`9f*#gv~?CXt0>6z0jgpI{MX1TjPZmR!ynPZ0*gfWz`xBv+D@ybIyges-V$+c$*$*pkVPTK}w&*!aYdfv3Kl$Qsa)GL<|d{p#p8m z`ck~@v3efXQ=c!1BfyhI_6=H{q%kzbmNJj(sPUJVSV)n+73O`p0=3@;_@G^nA;DUi3UdgH8V++orCfp-kS6vXvrBZ*iu%uC9!kGwYI*~~(cf5obH zt`X~$RWHapgdovZMWAZh)n9r)6!q%d1GGUiGy2(mrDCP>S!{u(u5&6>8dW7WBII#C z{c08DVjc8@aG4`IDOPeL*vnFD{)siQ=@RT722#Ytvb9uY;>& zP2vhKI38(W+)>RdW?Bc&)jvvddNf$?)uVNJ;(e?KTMma`RL>fya$TAc^~c(}ab-)QQ<1>*~hUcb3&o->butKGSz)THOJOoh1O;&@-~xXj&t*uUqkjk@Ue 
z02B#kA@N~dKfE}lZru)X!_e_x2XD;qXK$wQH;yke=)M;Fot6l@#tbk84j&B*%5n zZu#ez-4@--=jrZ)!9)%VckbF&YZug$Pt+9t19Hpoe0Nqs$I8aKM#0USKA)BL&v1G7 z4QUNXw8>~ABwuHEA<~=4ilWFB2n#bO zgrG^qfT5Y3i-;iOlKW+)R+g>dNhyoQx}Z~*-Q0mjxBW&t6;@&oB;$;~rGq!b6Dtw% z%72@SDv_TjlV2#3Po8rvl3!pulTms4VHR;g?4#dx(Jf{+j$(e@of-uX3;QvhOh_mQ z=ld98uzSm08*t^9<>KHtZGGoWS$pEuZHOv@c$iO+uec}BoNUvOW6?_ zPk$PS{DncLl+am9IODYLsE$AFc|+OM@6(M3DI43gH6zB<&WA&0Iq57AfFWYcG!6tmD3>%M4_-Ey^D-6I>b4vY$42@Xxf8G#zg zX~!gJgwux#Wv@GrQb+j-yAip-jL2f*Bt@i?ZpY#u|24Q;bL(U-H-I+6Td2dCp(g89Fn10a%*FvL zA7!8INCn4ar$vNrpbemrq>UMh6UuOjL$2vF2Whf$bIS!TQBe!}PD z*;?cBe=SOQ?H1QbOEn@kguT+TmpjObuvv*S6L@3LUs$Q@f2{Oj^vkKXB#yDDAqmSb zrLbgJsPn!OMRAMXBX|udWh{+ULZp0Kovhn8q1wVp`9i=nezsuc1GIh(da5jsh*qg8 z;6{TwW zf5BXw0Hy)WlUw(PUg6Hu1?5Jox1V&1V0PaWf!dTi@FVwA5Idbza0V2b`v3}Ooe&AI z5QlP3o2@&^Jux>od52TGzU`l!=b3sItBue6GPv*8?cIrf=b0qS=0u1q~Ifp3#~Wja6{*)qc1MR zdbE11B2v8dSiRSWRj=MIBOdg}5DA+2udPHe7lKN%FWN{O%k)zR3AmKpP9!Q#N*9_P zyG%~;gM@UL`5_obWLTpo*Z(iLksr-KNni3$$Cj_X%Kie7lCKN*@#uYLGF@m7@{jUi z?{2`5<{YSuEeb^pCk!+QYy~maUH3TGc-~&pu2pl}1ng{!(q8v0)?TgZ`5z-ZH~HxA z&K6G+wrwuy>H`ncx9WB`Hkxy6y14GZqXS)Yx11_w$X`+qF0-j{R;$q zR|SUpDDaMe8TRAN#2Q1_j(}5)%l4B2M&~w&o1263;c!a< zPtn!=AwsQQ;AKv<5@>IFddbD0)2(jp=Zs^Ug7HQx+ru2Y0{*9kcYm!TBf;y2{Fi@G zZU-*=ZF&QluV;$=zKAt7yK@lx`pRz*>Dm9+bhItURl9LDCr8)ms@L2b=Vb@z9QTM5 zYuk=mP|P&y{s*=>T_!>*l|>s#r8`yuCD9oH7PJ3abu zURR@Mf{?nv+ubk^-lL31q)l}%@9xs84(m1eo@5`pBQ^VCdeVLK{j;!ZE&VOyMpg}f z#onvwbH){(uYlE~NxrYMW5w20(xt)M!TtMoAivw$_Q3(tP(aL8(^@tglDoiKrglDq5Sz-3bgF|GPX=U zuxGj1gr=0;PHYz8)2(~l+rGzL>U&Zld0gFkSpT?1;h1)4t=rRhaYl)|eYfK9`mWN` z^x)(ZP>1()tW5g+zWeY|$`Ig?3lHZJ^X-N=lkRgUH9OwI)Ocj{9F)2V3JX{VS)73A zv%V;3jErJTpUoQ})Z|jO66dYgccXn!2gvXEL-79mB*0B7-Q9S&nW*`Yt_-9NzaMY_ zG$Z0h(CbT1z;6CaJjLnT%n#pHxKS4F=nom z04FUwS7{%0Us0V8lTzPqzYTvdCZ0+eoY#?5DUo(gwDJ}y6-V$7A(N3pab74$!W4d& z_>-u?YS(1yyx8Q!RFa0@ZASh(NA1*kaIDDrGLUn`6h|@vXVN>4XM~dOvNA%tQGH|B zPIqP*mVgn7*XSRH5Vbmmz9919r5bF%u>P%Ic-Ft;$3aH@lfKl4 zuXcj8mW>P;idYr9g;R1Ay5@R$7_!kEG9{mU@u?Y)BSZF4ledcuhb%M_?dU<1(7#~O 
z3kk-3mMVVI28|W%3`$p$N#S6DmrKKVbo|U=92x5SIakjWD(g%zZQ}-RPkB^^B)(wx z1F27MS~fZXkjF(vT#T}k?3{ibCRDP>I4jePmB>wOq)VZOlUQE#E)Ez!d;JV3T;D0y z%9o@aveSP>1qJo`16zeAroOTae~v+Cq)RkYc##+1x|zzzv&!JDE4QT@rY;soeeh!r zAPkOC2jZ0wOm7XihJV3bl1gV`ttq2cjk=3sjt0R}Vf53@5qX=^6*%89J)Du4C&MB( zsfu^gxREnSl;L1|a@QFSi8z)G%b`HYhf-687$AbZ5i>ANFr=KV7``&=6gb&EiAj>XGnLp}~9{DHd zUfOQ(~)qD{522It$W38~J4Bb%`pr$)5uV z#dBVIs^+6W>eS-C7cAXHXpm9p5R@|`CZT*q(2yHQ`#4p}#V#LTnX=lb3rNx~$Bppj z@$_JsBL4!^YN%UE{kwT-EXoDc09xMa$Ai+2NtvF5U_Z!=TM}9EJJdy7yU|;H1L?#H zeo{e}_a`kG1CG&}2GurXpKa}EtlTaI)^Q|FB3tkH!LbISi>S4Oc;c7-i5C&Wjm`%2gXX{V;b*nKLCRQSQ+VJqDj;LfhUGn_ z0T(=<=cvI!@#zx8+J3^63!t*MZN&RDR-Nu^p~hMr@bqA({d6_VpVy-~ z*U&kK{_>2l>zVL8gjCTwhS{fAG_f_eS`c(l8aFZiFnuojtanR!Rwe5HdX-LVu)}+{ zPr1`|={q%;+Us)`<_`vfHVoE2XK``?Fv47PAPwWa_i58=f<2sII+xV&+k1hrD(tYo%wu^`%SxTZPS^~=G-mr;dScBCM~l52T(I6yY*!KBjgMpy0!KZ7+HJ(gS+`TPn$~T zvTS9!&zYLtJb38c56<&4FRz+XW05`{LSqgA`4kp1;_)|1n5f=}^9N569KkfTs9f7Vg8Cg=NNGR!%_F zx!j=Ix5s-y7*$ye8W(-7y~8id)!P>ZO{22HXsUHT!xr)3`wRq4@CzjMvt9B9T#$c- zwxf{RCQF)KYI#}nl~inBTG+txZxrzm>!|yVV-an&n8_G!q75OnZ@fG>mVI3rm(e2i z3E6CPvo^^;b;m_fTah*3tzt}BS_GW$^cWWhb1w2fix|gGH7Y4%D%GknyQ=>7u|2bK|F$Bn9=I_sKMVAI0CAQZ|2@)apuOXK6P zk`yEB=h0o8wyr3jlG2vvQ7i#;Wr&GQ=^^1c;HDArE2Ogd?6`TQs#piJ-f2wuuy#u- z!eQecYa(mU8#Wc>YHGTy-5s$`$xcXQfKcIbyVxl%L|)62Q930%=zYvh5bAl^8G^PW zq)E-`Vn^b4RvagsskU^q&EG$M~H6Yvf{P_$%v<1YoClHR6&wdF?eI_l5B8@v8~eaR43%z_WpB3(v99 z2yxLd{w<9vdssOA>L*GuW~9|jOwq;H;>IuPoBiGtk>WavGg)#oROr1<6pFjW0ygUW z_sJ#{X;r;RBznWV`5&@c^#~-mH7<6~z|WpRE2dNCFR_bU?TEZ<@iw?|aw@A*KpgyQ zo1W3zx4G&=64FvNr=E=2cw<0!1dq#MF)QYZ|$Lf&4rdDjzSja%hXRHJyJ}DDF2)=|59b2hxu=du`ff6o+-IV z3^J|2{^jc9>QwP?9i#lCqN6ZkfSI$JFSVj;wpNv($Ht(BP^e6>2wuiyy#`c+EEF-c zE1UXhqfJ_F_DJzZmhy0tN8Qn4U~Z9)ygn!eGDQTjeR67ZbJ0jrF7Ern?Ra#$xTx@} z&H4g%b#Sb$wEXOp8e9_qy^laX;=5{0df#YfbA+*_fOIVHQVs(RSOZs!XO&af$lr`5n5?ssAgVU&HQ!vDzX~vE_LHJgLBC0P=;;{DNTz zXetYVES};g7D)3A^e^B>@NVK+5K=@sZHO5br1-ug9=4ele@J-YyHRy;$k9|Z*L${KgA*@;He7_jMm3xhOj@5E+&m3@!VR$>TUg>H1Gtt}lfwV*Mq?P$M 
z)qDA6js}oBBX|seN$qX!d0t{v2zcAQS-C^x+^XAWi!ryU!)XRbQon9O@?6m4 zUj-q4JLKJAIbrp?!g~V#aaG4M@)eKOi$MKFIA-~c@DA-r7@zl9LZ@1ar{f&2vm=3r ze-oAR>czwPFhA$^b9QEnB7uS3Hbd&Q({#OH?_IpUf!5R8MABGJ~oI&b96UO@XtsIKPw0?PU3OX=vfwr!_*&er{4 z*pB}P*J#g6*cZJc72-Fi;QCooqJzOy*X`$JYbIwJgS&aMw^MgQ0_fmznNxA|poA%) ze=`1KyQAIH;lv`1+Yk=k%RQ|CGY`t#2;t|Y`c{yNB@I%y^OR#d{CsY7u!eH{)6TU=vQ)~X)~D+P3yPM0D$E*$Tr~eW2Tri zxlt(@)x^C29h3!iD+qO~9%_dbCPbl+;h>A;tXxpP#wH5(leIiW=2dzpNhJnb;nM~h=~j&1L>eNR z0F}fCmG$$K~^H*GFc$I9wZTQVZtJCwn{brX{P>cQ@%ezm$74xmx zw}@0_sC0f`q=m8ax*$HP5}1`YRjQlamXaCcn=SuaAW-Bo^y_$UXGW2!?yw_5|DxEM z?$D@6g??F!?fUmrJ{{+*3_P6$IHSfC0~gI+4LGd1{loBwV%48y6>&N2`o6Gqo`i`; zeG=Q>r%7oNzA(rOu;h`-q>^i{94)g7Xuvrp9hx%}7 z3$t<(A$`T5)JRWDf7WY#x7~8ylF4&7DADOTejP5^J{|R3fZ41ogZpy%Z5TN+J+X+Y zp$Cd(sYxqDM%kuMf(ljo8)DYOJLLHu#2^$)NqEyI&*`6en&;%t|ai8N36ns2dC zw==cqO^*7U6>l>Ott#WD_NRE$e+_T`g3aksZ!4cdhJnrsfd~OIe2NFcR%dv@Z%5d# zMm;*1u>nNM*?Y=22VxkGp>U{Y?F5}r0>k`2zxv&jOwg^M+gIDm9Ay-3!QvkS*2i&L zgv(N^xSIsId=^Z*l$}4!93nlJxQMh0_^aAAPUfv|SE*L5<<6Z>u-vIHOJE`nS4Z8M zgkM7YV<*~$TColmPb6#TfyO^{C5w2bX;vES8r?2OI@EXbAc`zBvrTIca&a8#4>aY` zu5?PUr$J;V9hkWVLA5?_P@Ng4yN&#MIgC;8k3oYx1hRh`yH%@~L;@Vt?@gCampGCE5I)9HjB1FQE0^erKLyRbBrLEoL!0xtJ z7s7rR1gq9)RBN!Px5vWB^o}JL)z1~;M*^77h_%ND!Ay4d)Y!^Yst~8Z#wComAUmAc zEvf1V9t6)os%YG-AAF!ef!p464~O}c{I7>X;1$f38N@?|U!dt-v`F>n8iCpImISykRcxtHjXbVN|8v>ULp;;@ ziC?W+KTM3ksSs4?Oh{qYGNjmy^-+OLrS!eSylcboG~0^OXH05!uqsd0D1&~@`R-(N zjHP*ooLa>#y&;K?Xl|)CYY3Qr`O@ zAh^4P;O_1a+&y^k;O^2$kU(&EcXxMpcWK zHR$5m<;$_a5&7(PL9i*OG(>C@NZJ4I3d(NH?w0fKcb%@Q5txBy>Ss|VMS<^Dl54Pa5+)gm!?tU|;vc)GZ@aG9K_G0-RW-eJdB+--r zv(d1~+Mgvt`W6$zFLBK#X}PHrfAmV*a4~lwik#**zWJWAx(E9xEW(7N!-wD zr&DW{(Y-Rm?YWIHlg9$o zZF9iz00S8|jj+FXDSt%i%J2*<27-6=Q7^lPIudUj%I!O{wszOr{k%t_q-@t#9^x8v z_Bywl-AO%%f{wa77J{ocT87^v4BtBcw4dhUHm_J@V>3Nnhzc9*+dk?RZ+h$-IF~|` z5?#M`x3krNCJ3vq#r^wb>uGMb?@%I7i!nVHPTv7(U$A8I}er#>e z7l?8_dG1$nYk>S#e!$&ivDyO$x300tU-bJP4CIH(T_yY+Op_YJLI)W3oa-6Yc@gYikLA%;#6!x#29 z`~L%g3BgCV@EQtTb|A=~r@a>|;za!;!)!>g-v{A*^+7n}OS_$v>XqeNjs8@IoH6-B 
z963y)pbN9u#Not)EGeKWRaSd$Pkyn19=x?HRj<_bXmG_Gm#vcYkciK`QfcLXY{3C^YO#a!#$W6s_EAT54iRsLhK(#!b+`yl28U``kZC@qR`avepG0Rl zZFFlKwpfCG%QoAizcNWg-#%OrtA8a;ICL5^!=x!&!&fRuGpi8v+OZn0m4vW_qbvyVLofQ7l?AI4c(-cMwEGlnbhkX3zrLC6=B5#1opnLC~<%`ZAOw#&C?MDQS*PVXQLo;HmBMq z<$j$i_+AGss^O<6_G=RQzLd^LyNGG#(=fI-Z2!GiLQ4851!Ih~yKA(ywP*GCNaCjl zr=+;1h84Wt@SezmxV~Knwe40Oek&M!5oyW{V611noJ5^YX-nP@@%$FNM%h#tTv(5i z#Q_`F!;Szn1*12f9qi0viLRyK$k7Q@);@}&4T;w;nN9s!tBEnn)`7w3l!fJA2sOwD zDkV=~?Y%0wsKQ%T$!A5|FT5xOE%)zI?Q?nL8~H2oE{ck(4+#7b+wlQ`*&s?iB5*j80ZZJUh$$H0N%o83|An&V zng|L-7V>wbpXL0{QFO-3T}x7vR+(-)3m8@Wu zl7>`btl3B{YpYH)i!U=36koUTZB;g-Tx-;6(7M)?9{)*`@<+J%*O7n4Qzcu;?TMP( zSVdL@WAlRz>MCzmQrt4u;WMiYSw^)tClb0U34`Zc&@n{oSh zVoa>;WvlWsCa@TFnQ80eqw=*joX&bt8UuOZcXXTr&`oUbIkIYTYfz@D=SqW2QEmIw z?|_rk`Df5u_2Xa2L6J+oA(5XX1Q>V@H^xbsGpr!Np*UzcLS7*v68d+E>FL1nBSW~r zIDdc7W_VB6v0RIJR6|N6ze~_L;;>PM=Xbt2uCk;JTiA0=T+&ynA(L2+)}q0943%k9 z8d?I&FKFf8iH*KZ>QSV`v2JK~SC`6blCvV7K-K=Io5Yo8yT_%F31`zWDf!exqWN}^ zC(Zvj<@{PO+xeejoRY%1SKJccW^ANeX3A%N&YW+a--rgpsH0v?BrXdP%nco+zSQzz z(>ACwM4w4eE%IT$1N`*Z}{3v~#t8 zF68B@8*m6NM-Nv0dH8vk0J-UA44i*>xh#IWY6%{*fDhTh6GM|u zlQ&84ITN!6OjwlrH9_7tpM;S_XOwP$QHbx?juZ+;KhnN)KNsgTFSkwm9AUXHW-jTT zYb6tNn=|nM9?N$rw>kxQ=o|Iy3e60Dg4(;Q1-*WH8-6$;n)I=HxPUjh(bc6JUBKsN z{b2pl?IYXz`FHmXPs7{S%BnS!s#LyLJcc&+ZUr6PbEgxDfyU&^bslSR=V6DMTmJE% z%N-B#?$h2M7v3ZOb#iw&KggsZ@c7g>`gQ1HJPWWF;p>()-|1*!d{ek|=XNGtt{;Z- z@V*N5YGcx0?L!V)*{QB*y1ne#oo>VdJS*MZ^Jjn;psa12?iZ6cJ$Rm81S~qv28GuE ztB3~gh0m%trQVmD<*#Z)UC(36Zy|jH~y=skLIiPNe8x(lBUv?kKIWu(#XMR`8<__K5!EH^vP0s>=zD6frJ-?eV7Xx(l z_wE#yyTGTs(cO?^XKSCMU)~YcWmq+%diJ4{(JSUB7q!qRBg9A;)Xt^cBwz(_hz5|? 
zVcOZf%c_4Kg}lc2z&)#H!}nN2%3*rb9kg!0Wa#_Uvz`}EdVA$<5wvHpb<)1?#4Ox< z3F_TT-+DPLA|-x!TbCn`Z;rfQZhyOp2m6dfHzicFCa=^Dc0R7zSqr&LZIpTpbDfhu z@LpCWPx-`eI($7EXpGW6DKR;di;Uv&SO*H?G7x5>`<%_BH+B1s7hd{Ym6)}fU9O$> zjh64Jp|0$cysmtB$^biOkm_eh_qZ@*0|39P28Nz|05B#zS)g{0z9E;wLcE>pc3N=$ zIX@g-Kt_BiN&T=DgN|@_v9v_66~in@o@`Q2{BC=S0a1`|>{9+3Evm4Yo;i^Tw1OZp zvG4uw&!qj}hg$iH+xL-DF;@PgwkC!&i{E;@dRKcVK}f1XiGN8M;WGrp<84%M-hDAw4+v*RuFXUY`56WpFrj8<+* zq2QN1KDDwW?3OK1PLU7@RgM5*qzaanl2JvEUZn`7tY*{WP&tj1w1@!|!)<3eIlz>@ zspEMVY)<0C`3`^}!33ZSE&hw!vD7iMj4U_;WVsfkc3b>*hc_=Jo2N;~Q@z@AZPEA& z<)YreUqtptM~e_{Te>`bQY2oN#_HCuRy=vvra17YevPrmN#4PZB$uIu`IJmk%z-Z# zT+A=WlxST$@(TI)8n)D53TB5!^J59{gri>%P&E7Ijk{Qz&>P_tKzW=LCYZ!70_1eg z9>m-IFp7Jgj=vleVFg%aB**h6MCh&5RIp`D^&ZYlV6$W{@R0bR*G^DacyqVoME0@k z?VtoTGmrI~l;m5Ct1xteXR(5Uei1B;=Zxd(_*AFwp2M0JN*e!mzi`}2R?3@J^aQ3=^o6$ z?01oAVE{+k$uK*$`d=m=J)gI;e%lb**^Rf|ec`0UbuGX^k z*2%POM={?=umWMMLFy}{7P@AF2iks`O;$C6NV-G}EUj@$HJO&5{!tfDxk;s^_j3+4 zow|;3FS3*rS*D|g;!r50TRJSHn}?@y*M)EV;>!&WMj{Ep+T*Ba^jD-1bCxnLAH5dm z$o^8uDtjne`i-mR8+J)hU;sMbl#)zI)V4TB(O5{l=uk#D7X|Dj6cKCUZwfmjzGTpR zZXCfQGM1yH?LZJc$8O^;p17;mO7l-Az7bq`WBG(9R-Tn5YSD8WBW}NCXbxb_xHOJaO)WmF!YFbU_@oEjsdULM z!4|4OACvhCX`U(CZ&0#_4-nSQ5~6;{yyPkuO7IHd#h4F6U4v-MujSj9ZI7%}_0R7r zDAw;Cprq&6LyXfu5g+0aB= zu%SpNlEwp9lBZp5c9$n}xLCUuWTsDTr9gZmwTX}^=j}2`yp&NR@imx4^HecW-CFNo zkB1df0pD7qf0N;TUasv!9z=LjF;_a%Pch9bvwI2e!-|)bn$WLc`Nbh4c6s79-;3+v zwlno!XKaLx`0!`y#XJXGAi4rX__iLdz`JW)H&}Vf9Df*_Q%uvlFeQ(*X%Q8c0KO13 zNq3SfEkR6{L2;b{ZO2ceWX+0dSR|7`w_r_0BW!qW1u+hbz3R_Y z44Y1kJ~P>NL-rljUwMC<`isA-Jq-5>IfDB+E#K0EQq{98iX-uCY3&$u^Hwf?!9vYh zF60W7a4i)!m`+)E(uKO}5*6xj29b~Zm(hqe=@YNf_1>v5&asKL#9zJ8%F*?3V*bH0 zusL$3+){qRSd!&mG!>B07H9sB&c075LSXOh#f9tgjl}#mTv&k$UcCZSdHU02MlZ?_ z6dYdOx^}(V95{_$T1EERmPPwKFHudOUtussiAZaf{8PL6LmX5$rb~Y27Z(2=TwtL? zt?BOYcf%(e$gH-B%E?oN5sWuGrN6Rq7&1 zAh`eC@O3P(4#`u4%RRW^HC1V=gIiWV&gc4Q{BrYi$4whz)avzR@ zo8IZSTt0~@S>Q4}E4&Hn5+*viV!u)vb8HsuenVa2J73-mVgq`<57I00SOrBg1HD^? 
zA>g7p@nO3b&^x~diH9dhA==aBeNM!Sj@>=@cC9!_N!TmU`sd1f^fk}`a6dThd&4{} z)hH+|kg9hvQ2aP234y~Awcy++xp)qeU%OprU3ISj z%ghstm+ii^PO**L0_FF8g48n+#Q63ISV-Pz) z$X;s15Q1>vA1d@loYC$yMUW1>TfmW0nF;Ye?^H3nL1gaUNy65|-5h0`Mr$YALXNI5 zTy=8Uh)3sGB=Tw{yE$Ip^=|g#2W$vhPp!Z1jwe5Zk?-~0)*LgJEQ>Xob)ez6rr(}M zNim0+#~IzW>E!I~F1tRo_j=X=XW7@s#N$QTE9u$?t!kv};M}c?XMPgj-Iy0+i_4fc zqwGsWEg9hope@*~RU?YWXxwx9-^0^tR&s{PgmdMUO83Tb^htBKw{@IN^SwE6uPc7; zGCApY^<%r*VCNO!(0u@t8H-B~a0Y#+Tg4;s99#1+d;gx~dvaPIC{;z~pWeot;kqk{ zN>pFs{XppM10hTg1E%`?_l|yl*gbg(>2TNuo0q+s- zhVb72OWlw_qVG z7BC=ENS9=1H+?1VoKZSqtY<%g5%=Rj^BJRuf41tsO}CAw-+$TkVh!hqjd4l!a?BX; zY+>YR$DisuBi|h4Y?!@;u~)C4Jp2<2_oI-NMUe9{d9K4g%p^0`>Nzg!63S$aWS)IE zi%~<`tE}dkPGRxDQBc{esG{eq`akRdnrp?ulivZqhEu~329=|DYcaNep&p}e!k!WQ zyTG`w4du21^Poyye3kphcM`Q;;B}`Svzx>2==%>1d-1HEp%;Hs;O|$rW>};jq>#XO zL+r-AM0|C%$-m?&m>Ldi!Rl>V8s&C#(wqao)(#UNCX}k6v?K2Z=-gdx17}xN4G9~q zKdB}-QlGRg8e8|pgejEb)0CtAjx*|Yqj*-OHU6wV|Gj0t7%AR3{hM|$`C^HJQXIapE zB7FhUytQPkDkG`GumOF_%eyZwiox=9TFA;FmKw7wZaXe0vd#UhY}a9$+H_hGYBU7q zP-QV`Ex}p1=a>BZ~>!O5<$AEz`kajyaGa3Hb zG*!$wFUU6s8d=A;e>@afBal90?$VgiG`!3hBW^I`n|WKm5qq{A=lEWYnDT>k(smmP zUyuPu>TwFf-B;k)4(*n+HhKUxf(nVT9~L1kO>RR*ud_t7V)BqmYwK& z?J^(&yMj^9qiW#Q-OS4j>xv_~h1deo(Yj!~GTKTA9_R2byv?1&PoxF68JQwC$3r`) zd3@nmDchp2hwQ4=DRB!eTN++QJd0wBl`M$`3ClfYKhIEZwZo47P34G_IW`f-nGs+A ziVa+`jAdBNw+VcZ)bKM_An?kKlWBqJF ziS!NoS~x*$jzxxy;^9A)okuCcf(0b!jf+vFi&fqCk07_{$dPm*o%d(u4ej@5JpxF* zQ;d3;00+d<^i7ntotYP5-d<*E>?i~Ln-3}RnbGB!y+tOiHtdHI%?7W#`y}zz`MJN`k zA7bXCpYS|UN_X*-=+ZX0J=bO4I5-6PRia9~w5naLw)p}huFi)^Dj`P6hV~ETJ67%^ z&F<44cN1nP?Khmp#YR5eF;b0wE7x(qxm5a&qw8} zXb0*8r~T$TJ`7fWU4ifZVHx{=n z?mm9pg1eqWskb)Y8WtQuNiFWP>CFJLc9gf*GdF#H(44IngScju=SwWEJJ0SSX!+;O zW}%-C&~cgAtJiEiJ5}cp>!@Vu`QkCF9i+rv@weg-9^ss^ZH@EsqJE=yG(U*j(DSCz zdD_r75mCgNem~7tn9ng8yV?7wV0qaOTq`ki-}Pu_QLy?m<>uxEvX~ADF{wX;^o0S2 zA$ryOG=|L|FSPn$8>tqI>^;C0A_Ws8Yz>i0hP*syBaKp$r#(R?NJ7&iQ$%TFNO0B$9l3W#n#$`rL@J4(}F`v{hT^gNM57v!cjnm0?u|}SYdF2 zLx&(zw@8`JyDWCnmA37RIzyA~(-H?Tu(Xy3l#h4DlXPZA6sa0)Svp@IDyB$G-GzQ1 
z>Sl&v_C8UdAsgwDml$h96z1(3N9rc63PZ1<&Vc>hL}an}utzRui)Lv2fkS#CV5{0f zK^;GG2orB&Ja(IJvI0|#tEWG%82yCypl82DCF4kofbwM$){*lA94N4R%z_X>n$a$|FF>;vl5NHTEzq@t&@b9r01zr z#A|Kf3+or1X1+%BTXN79^vbxch-?#l5m7OuFA}RR&qJVgr*T+mD7yG2!Q$J!e%nb! z>LQc>la_{e&5S?G;6l+F9*zrHK!YieBZh-2-*|n(?{Z-g+>5aP? zAKBKa>GN8owe4mOfr$b7;uUxRz>FiF55N6D$c|q6b^i;!!H#6bBc*a41NUxKdeIUp@-e6 z*gX3yVaIp+24DFLy|RYF2jnG3G$P%C(dPD2-&m4-c|RFTveuh3abKj<5Mrz8wQrTM z1Xi*YQ4xr*rKz?V#=S7;{!(LGR#7K9IUVbi&gP|1-D{W1M|5=l z*5Rj&JNxt0M5kgnA?T*&rwjut{sX61Nq(f5iTQI)h8QB#-%pGa1?MV_a2mRUid{o! zsk!PVYf}{ZQ}HK7P@`N6xWt{)nwDA_VpwyU;>4x3g%t*Nu970FgyB0pj=^CI`tC5Z zdhEogA)ICu@Xt1taP>ODwP{vCi59gEIEeop5G7b7^pXF_!at;GltKppCFa*{!b)Z! zgau(x8ZWaI`W^QT^%)NGdIuYW2!uEg4Lf|M&bb4uKv4GWIO=;4}fS}Fn*Mrwfvn$4z+h$VTyD-qh+D>;w8Fr6ru(|VmFlDm5`BYY1dI8kgJ>rL_7rIH7%how4!*qL{^|Xjd zSEh#CDPBD_>$*eCvwSrkEA4-lA8JBw+%&n7<`bIcjKT6~sKkR8`EVb2jbYoy6VAa4fGwSf0zrvcTHfK{Y3p!18H!Fvby zR{MQ__yAy_%5jZ}o=H?7DEoawWu38mKqZ3631P|bpkj&{ou3V#-pOS?^Zm1sAL@ZQ#E{)y~}(ljM-NjyYe{BgzTiiyz$+ zYkF<1-NxE3G%I#qWQP8nZh=%3HfPB*>$!Vfoax%~9?7-=#+R6@4mTUe{%gq6asU$w zw1b)deYmlrm7zu7*Pcl!lo)M8!yp!rJraJ z!loIWh;e?tAINt(IS&5ob=Pcrp(9vYr9?VP?oL(#sK-Qlw_|ur1ota8ipEOJ%65DY z>w8v+cJF}mP4|v{^=B3b(^w2IZRLXcU-%rI0ST!xnW?5!sc|wTsS^~b6!9`eO1~`U z(3Qi#$x4YThhx#oTAY0AbdRYE+x;vHxEhN9V|f57Xb$d$02}WR}^JV1X=Wo+{PMtxlH+hnFxLJqAwg2ZqgiyX+)#s{bWVYVoC*PdW?!< zb%pt&+FxW^#;^UE+R6kN)ZSsSziF!2E;MSQanCWSmvQJC*p$q`S2iCvO^ml=GrYZ5mn^ETtlU`|IjaXm4 zdx@WDm?m2WvFV9_>bv&Tn?303p(nhDFC37pTAoB^g$^D?NINaLP+w4q!x6{`7wB7X zHlfHv*z`|poj=$>t3iB^)`l?Z#u?Eq2dMnjLPW+#`8zPJh=8G0BLBw@aM)*w!Q3uZ z{@V)4ZaZUjTpg)c=iWT4;Ef4wiElDj9Y3%i*3wbJLVyT8qo!5RgdP$=M_dy zn{_NY+qSsx!%^^Bdd+EbaIU;iGlwn5jT~hIgfZEaR;!|&LK;%UXdp(?!ZYL0F=V)pFav6dbI_GXaoD6UGXqhG_(4e z1g5EOm1aqu1o^+njZS}|9g3mnc%~|T^Qy95=9d<(j+Ey3&7mw$ET5j~Bw2I@?Mi?Z z`-$0N$Q<{s6bbV#O<9=hpooVBszZx$kE1HD!We~)G8e}?Y^fQ%c@LyggFzB5h9Q`W^$~tULq&OA-?^5|DqKDTnr9U3M7fjQTC2+NJ zWA2PP!xMP~;<g z40ATkpn6nH)Ro?}ack7=Pc|K!Tn;J zmh1U-+IjQG6bN{B>PHS6ORmL)sF=zZbc05o@OVWl7y@})A))tGs<=0b=*ft+bJmDR 
zDhw>5$aKKxI>Z&K)vsfx!NU+(KbQ-7a zpT!#^z_HEIXM|Y-9NP`=fAO-D{<8V^+mDmar+?iPtc`>9YVlLrFz0?13WZV9&3vgu zkypmAmu`kO$%tE~*CbE2vv95@6iL%L$G~2*_DmRX7c0aM3CasO6erhMw3Wzu7LDXW z5D~|b^I=Pn_AsxYP{tSN>5T}S@TeEdDM4%qYznF@ zMo^t`f20wT=R@tR7iQ7|{``-r>wk{zLlAhp?=#Z{ke&K7K=zLgAf&0wGum3%7ef9G zs}~I+I3{`0RBB zGfV+^dNx+So&R*)6jtCvT-vAwM|d~CKZMv{+#gq80qjEM>==pN2k6(q*Vj89DEBM9 z&VIhfeG)Y`hEEF@k%`gZIjVHKAz*N3eE61~%alI&E>kJvbt>zwpE>iU(J<@g-10Vf zndr@|%R_#%%h2~F12_GwtLygGJ;~4OK&IU7-1my_B&+<<`|g1n((x-&3RR9o@TgYH z-E(Iwu}a%|THFtt#Ml?a0a@$^3gEWi3c=|v=z6~$ERM`!rVD^fuj8u?n&M)?TSgX! zd>bAex(cL>zFPr>N0=sZzdkAwn+3W#GX-zk#4jVNyiW68qn|T#^lx{q(uKw%o433o zoOP-%owh#g!3D2@dV7PJ2CdH1g|gP9H-~=RuVZxMRn6J8-N<)V;JYl7<)5y-$mLl( zB#vnf+wSh?-3)a*Z}A^0@@^fIYWgLBYNiRXgO2lT8X@U(p_SGBVy$&_p!+f8X{Gas z#PeC_Wf{fm>^j1bD+oK?BGX+<`hw$rQrsN~I_}+(tMmenPH#CqFJDPk4QRGr?H^{Y zA2$D-^i-V0mG zyhZ0y7O&9lt!kE;B(+}#Zk?pp8x)rt7t0@#3aUuuZeSD=%}e4r7}_lT zXZ~lZ#}qqG5fO7?T&GPsMMT#;^a83PN2k`*&9gy`TD0AWMn(SLZ>%v%AK;kks%pOB zQoL8b>Ya0dS$a!PG@@eb#pj< zvo~glIi8}~5A)IDgfEnwjKYZg30Fmv!cMYY3}nb8Q4GxBXE~@~9p(3#f|9G^EGY_? 
zw?y*FvHadjvTG(PcJ@5^nSckeWG!Coc2Ba*vd3aT{1IjMvyLVdtT(urhmN`toOFBsx}8Eiee*YqAunM)+}b!aLlPyq@bBrL9A4?` zP3ho8c?<?=I zVYN}BE~K7Zts z{P0GWj9f4qMi`BR_c(;4HBwtk?d(_t^}B0+l&6xmyg}ZE&A+{?$8mpHhHn_W=n`@P zI5r;C(+#t*{?v5@AT@x#W+9omeggw1z_n5Ea>Q8d@@?kw=g%o)_7- zqmk+zAXaoiy@#ce2e~K=s3KK}8Kr-RsZXrrR4&%490`*Lsp^+)Kh4j6Lt58`WEXt(_3@aSn>D( zF{221VS$`=9|2lr*Uro>B*!Q>uO6r0Ij)yq(_&XmPt8Qs`#iMkXj@g>u0sSse`3?_ zTF`9ex0x;yaT3X%Y9VGNVT?+P_kI==#RQGFuK zGF6o-v{G2pJqn4T^Pdto1|d!rHPj2vHOTUt{|s55Dw3VdNhFPf!Z?75h_n939^##v zal0J$th8lVF3@w?{+WMy=c6?T+7JUO6Xrkb*pLa%`;!4ldC3I}7tf8-t5Hj=I%%;5 zbe&k#6(5b~NI?}WW##5wDi_aTk*3sN_%zs|ibC5(F>9syGc^*v7P)8EXzrOoolWs= zS3v(iV@MV7Vd@o%2TM&_)H`y)S^}aT2jQUCIU%;M;ARlMfVf5H#_b-T{$nGp-%_A2oZQ-X3sS zaQ#*}JMUOxw7S}$Z@6Dh0nIgvV?G*oY&Q=i+k5)1w%yJ((%U-qLMM|t9LbFJ!=+OT z8R6My=&T%la~OWbz4XrOx@K{Xm-5oJSrJ-T=YH?-n{C~0)M7d~f1X#<{AK64wRIA4 z{qF1r@T}jNmeqRrvruadd3Zj(fUABwdQ~Na6u(!yUXXDMU$5^O=)6SU+}KyX*)CI& zbX=cVn7jFK`rgw?>BsmzhqW_xzqL@eB`3DjLnzqg%H6XC+~@BVv%H7$4LclnoZ5wx zNl4ljj2;c#HZ`LK+Z}qBpkLQE{GM&yHy^t;NmgE)A2u~?K)}n>_osk*(x7hVEm2gP znoE>oprfzP8~Fs;S;y_V+Ete+aKb5*Or^b3Ul?+meSD3g32 zXwc}gXr?Rd@E(zjU35skUkLJhInBFzza!Muvvw>-HQclow#wA7e*@D_SGtUl<&!cd z>Xm0A+h}VyTql()8Zhy#o@P20*9>pBeJH@+$er^Ix0;4IgHHnm4Fy1b)$ex)XNS(y z$ytjvbE(NyAH6@D^cbg@#`aG@&!nZ0SSjJ&cv;~Z7f2>_rrw}1rcNE zzJp`mmB2kOfNUv#$)6v)tBWw!>iX`aAOsQnc@Dh4(KG6@hE#B_A zahJMy(NZG6a020f@T$DgTDr+K48Suf8DGF=II4Mx(h+r98uz5GvJvfvic{{F z`YpIU)n<C>?_V8HadaH=b)=f%EAQ#9x9_N&@vPGVHR-dEJ`UEeyplz!_Eh1`v z&+>3uRbhW;fTbrxP7h3H8zb8q{i;EY^#fJYd!qnNR9lBpTiuO~@j&W_Dvb0hw~+a} zuq45ct~A1?_ZoG3b=LJjXUYleZ|cnjs*UU?PxnnT{e)IbX$v-h1VX%74uzVOV01d= z=DmbeHyuycxo_B3SgU&mTvEt3J_UI?Cym=w z%}iSj5O0xLSw*YV69d|2cM;7Zrf_o~-=>p2Zp7c1)x4%5WAY(}Vi0k?+PEfST#{1) zqGNc$24z=-V;vS7ggNDGOJ9X9F5BDqRPJe_^B^$JH~kDtM4Pr*yg)zWRkB6;PgXr# zH6_cmI74h$kLT zQL$n*jYKyi;&9KR!N9IOJn<2!F7-t!GYyxk?4StgkfT{(TfZX90aHTb?DU5M%Qr0q zcb`DBiKp=|Z>K-xnKMT@!70T1_rp?@huPX2L9 zYE0G3eBlNMaG87>wW&SP8yJ5;zeQ-2O^e7W(c>H&;b7TqU1B7VFjY_SC$IQuQT+Kf 
z-E8+4Lma|hNoe;(bD0tLbdpl=vFQ+|X5rPp#?AVl?E9ofY&wn_e;+7|T(rbzP4{26 z_wtlhIytGd=ykwB`tN`Mknp}=f573`|AE6%zB7=~;wu1!tO~s3EXM=-8!Chv(k~1R zmYNbU?W2*|f!IOTo$KvwJKP;-DGYv)uD97&fztbBT&B~tT3++?nKZiH#&Ta7x`9!; zE=xd**?QgVMX##P@#oa}aiGWUaPMs>(C3-8@$ABRmjBkE~P((yVC zd}=+?dYPXFxIG~Ebx9$;z}Y@;cmZ;w_#FEA9|geA_QVd?WY*t{FWe5;fqH)ZW*rLi z#h=^Rqu-qJ^WD9ebS@sx4}q}N`%xP^V-BuYRyVpJK#ZUf@Fqpawz_d_U8sCv`DM>c zw;*&qlO?LV85oGz^=7*tSgxe|7!De+=1OQ@<>hsnrY1Ew1aG{D3N*c?JytkO{&`w; zbSLV*>mA=;(l-(g(D7ZQw->0;FdX5SS3uYtNfhe^A^LWL!&3z@r0^PbJ`>3-C+99Z~Oq>r)>q&5`m_{ zTwF`sYQQFVm(kwVX@I}H%5j4imGSL#*1kcj-6h-X3f*8G^eVho_QcTfR!-m5HtM?* zq$HT=XCA=}Y}D{L6x08kf zhp+qYT0(DK%w4VHIDn1Aj=d`3vsBM)w`dN+Y|{>YFklQEI&}znYuGis>BdPx56NzS z%RZjSAU4$dCnGy|EcMupS^?2|{Q$&?Sojun>?j5mG;*haMamoDX(ng$ZjEzHUt-45 zf-n0ipGIM&&2;wCi2n}L+0~{*%#{=#%VeB!CKy9kx@qtyz;(ed_YkpzfM`%l-#qq{ zUVVGWD`lYFeBJ{s)2ULYe@C)8|@n_*C9aq5XlFfVCE z@j%3XrTB^Rx6i~|HZKMH(4AxMtZCrqeuPyL#Afd=RS`?F;su!2iy>rmI`pv|YMNuv zJcXqSGLvYGRXYVl-;%Awc1-)|skAME3I1YP>36CSBzv1Q3V@G|qLJo__P))A&zb82OyQ&o75wILfb{dsW5nfhe*%XE?Im4H|f8 z#;Zz|pw!|867u^<~vRgf>sv(Hi}<$#WPl zcCv~SOP6BMns#i&XWtJNlqD>axX*KG8(-D1p`6=1yBGFujp?kM8L=c= z!{fI9AR)KsrUkv1{V_Yu_fb2Mf>j$^QuR@oUHmi>Y*(Hk<-pRk@@E8ot|n9I$&q$m z`jh}W!M1Rr*UO=e_b$kd>GJhN62-cCoSZ|3y%ZMe_m_>KVq^kzg)|kLpaPx32L3x( zlQj8VJ4~`b72#rxF8pE^fB@)qm|^_jE4+#9j55`ygT7UW0Sl(Ua-zwEXObM{k=*79{n&w-A|^1PUTslPbG?_&h%OY-ek{8y=Mx|7prxkQiOcNSKpV9pNyg$CFSb zupFF$r&}%vP?xcgB<{@(rL50_>-{-2Op#V@z8j*okYZVU?5I9bsc8^2%vxtw< ziUPjXNyzRo;D-_+zL0p~SeDKhNPMQis!+3Yc#RX!$~^3{rW8*$(#o7;@N;^p8)CdI zul1v^=txi@5*k+m*7Q)pL}7?d`~WDvfG`LFzHJ^u6F_Tcu#cF*VST2ztSoGSi#)o@&^7K8RUeh1#EZS8DlZPz zPjHX>{C7a~p~PWswC{w8()1y(6ua->$K6J&$N5L$@E@$7dual}@L;L8ct~tE6eM5e zPaqmb-wmK1;(L|Kj@oK5A5?Ng3Yi2Uy8Au{6xD8*Ff=xHzF$sy2agxIV^{z#CYjIQ zUt4i611dVUJJy$Zem%dUGTD9-a9i-i1$(SE(sg&pN^uV=fp6YE^hk$SOPlv|?+*`6 z+P|~!DwCN!9eE5q_xcqf8pV!1a_#~z=XS-@!nQTgzGcbaD%UYHdm<0_c#rKFDYs4w zut9Yx?le$TyAyPJ_2@`S#k_J!Z(*q0c~VxK)ebrLMp@(Vk`H|JH4}eXvL`5AjM9eb 
zVBcCRA-;|%er7iW++_Cm@AEgj>YN)GchxSJzjo9dKevV&x)C>@B1Q{7Qg!aq0exOp zN0a3A>kOt|1_zhlesNelHrn%8%vV>{SY19;Z*+hHjue?!!QMef;CZmtN}ryKx0C@4m6G>(!=lv1_^0XThBR zs%4VzL9Iu#*9&N{GrJ}u+^4xd!za7pa=(>v$StWwyxe|F-DBx|rX=tNauzc+kLfZ8 zT?yVyRq``;A8jOSb{XjUHSV`U&zO{-oVf)8+O`L*^Kqsx^Ae;r6X4@hz>k&; zj;gyQUE&AzFu(gHdURqx`ajSLy#=`nU65FE35|NVzd;h-QOUNh0QJw^!m&?UZ}#CS zGyCFk^S*BHsPO`%@%UdDHRs}^F9D=KA=6JED>+E^Z{S1*9hEmY?j^g60&Kx$Te1*& zVOM~pARkI7@=ZO+vbH~fL`m`Ue27@H!FSfIfZ{-_MS4Y1Vg)QOx~KS0+!CVbV{MDJ z%64*-9ui9bi>tGYYBONAb+O`B+@ZL;6nA%bFYfLXC{Vn(yL)kWcXxujI|K;1oNwK8 z?pgQGto%(@l6hzEnP)@c3(6!Xe#L#jjb4y;Eb=HYUT65Du_8xD3zbjfpo}Eem!EF@ zUE59|H$=Ec2d6W#k`spX_h8WU+Y*z_eYN0TdfqA%G{b30h)ItWGG#?FovR7=#<@Gd ziEcHW4GAZGa26A~8ip9{g_x`CX~fEmx7vbzsV@5kd5nO{q+6Y<0D`ONQFhZIAwHyG zeYE;}jbWAA-%$j~?hDypi#gWhjqE%1O)iyCXKe_557mEGCZN9JOb$d zRTq$-07nCO{9TXF+1d)A4e zl}*L*S2nHsT-rW%_a;OAQ~D7CdQ5k@pKRUL9eL_!;fNn=&V7Y-nv5=3o9r0%wc3{-`pHYcD+Dniu2s#ziYIz*#^Z*dRO zEmdCe`*B_N$&A~rbbFM}G<)+)g%crY&%eCM@E$8j74UfC;$8l2$K1U>r3&_ z1f5ajDqw^Zxo_iHA|wqfK0ATRUT^l@So4qfplEPoEKSfxEfpj7Lx+q|1)@ZQntWNNv?8s1dmICNyAKPU7At|OH4H?QE$Tn8+p z-;K53mS%P^=X&49;4t}5U0(-3X}c}~2PTdkUQcp*eq1~mCPUS%Og_)4@_7=| zGho0xhpMIYHjUW&J=nBB_H!i8NNsDdj`Ji1SYpB<=!mb z&ARSTwOoPv>$KoAvksVf-{J@iToym`JA{Pp=tFDuI{=hYH4jIf=UPTk{`)c8SzJE% zKm!K@&*O8?9ta5~!M!p)ob|=*^JVVU-fEKDu7MMUCxKl&pCu`+H&>4dU+}_5>igmE zO4aS27e3pZn#%BN-$g7v!ke=It*pBX&>c6k$+V8wZStgXL#81f=tt{ox2yVNOJGLT zpy68wee)X7(>Lp}7iHzTrv?mw8b++RvG?=?U3o2T1{5OBtOENVHRlGxF>t@R zEpWTb)0c3=b12bBehLigFWv~`XZ5-HIDCR_^}OPBPP8T7?$BxX?t>Dto-{a3$I)7Q zyzGzrj17oKHQe}Emf7s;m{}uB30fLfV$cGRzeRSyXuZtazUjekwoABhd-{7N^RLpJIdh?gF)J>h8A?beBg)(AM~HeIW<3ositJ7x+Kh|U*j`**7j71hn;i&0x&h;$y+zwP_; zF*T)8`ZEqr2Ae5EvHG>uX48nu1pSS?6c7VgC!dkm60>=;h5H(Vn_aaftq6A4Lt9lRV8iS9#=M>Rti#@dWfqzeg#IR=*1W zDY-cb!i4xxf{WmP zw1>T?KlV@(IDA|M%Bh2A7<#4g?{NP>%R^M89&lx>uotnghQAc$i2hCay`Swdj*Ft* zqJ1VUU?{7UEL!JaZb~%aS%8%Dw63xy`OCROfZ_b-nnwhjqpo|w$}P`Gt%7eKiwa$v zBt5w=-X{G&70)H*myel zNUI8%5DO6?(8&$)m^AhIm|7KzHoAJT%5j^}Y&R_duX4v;b%Z%-i 
z@~J2N>*LIaB@{Rd%}wS$2r{Zp*<;kYD^$6<>Tn>q;-tooB|4*tUUjpV%4znV0p>x{ z2``mAhWi3jk3$uv*5U^(X*PapeOo|vmV$M<&wP3bk>fa<1cQ-SdO^~vjY>LFM!KE! zPfNiGasYv`$s$U@_d(W*2q?qCepN;XeBMjluq$@O4ReW#{7L)8_eV5)}=QH^!nLZ~Ue?H(NyjWH#krp5oaZr$^_sa5tV zO;3H=#os^eVghp%f6(VVj7tUw8BTNd*@=rj#=s{tpDZ#Sk#A^`g%3SzU?$CKsle8q zUzx<($@=#(L`GZo|7^{c&Rb>-B|2k>w)Glk6bQz&7%qrJn0ZwVS-_jMB=75w_cPvJ zTiD41sjo)_fF{rFkDUGV-0Is5_rCf2=Jm4}@|uk@uUyxm2;cS|fSun6`PKNn;g;V% zL0fT-;d94^$Er6y@!e*oq^!AiPDK{x%M~oahvP)* ziIKqDw0+H{^~l?m!0Rm4j`}sv`37~)Lx$(Zr#9XFco}t0O%zSUd3`J9ig+bZx9H__ zPF>sSt>wJ(19cbCC?LGkcPVD3t+Qilo*T1S;3D5Fj`w5byop%fx5JjHwdwWdxu;q7ImdgFO5W7G7Sk9!?hk-K3_8@KuR_j$-^&HkD;Fv^F>;4!Erw2$P&3yi&u zFW|qUvtm6BW&4R@A?RDG{fdHUgr)V4UZS_XS8?G0wtdg%ngZ@$Y7#d-8>!=R zhY#mDZl1?Ao>p$%V@Pd`DqjhT_YL((Zr4!(vjFJ)2M|P8>u~o#`N*td#5!In}_7y%b#nF45jSgMZDdjoYOLI%C9UL$^yIC=s-)OayuB5$CK>9 znXZaiF3U+qhu8P~z2_?qL*4Xh>-O`ojb_*cjG|(TEJZ4bcs3-9H1el^+#^p=>-JA{ z)MEorVYx7^(x+9=m3=914JFBsN^PDlY(NR0Rp|`gK!i_bLG`4Hruc^C3k{0QtEOiX ziMmTCa?He|34+2+(A*XE>3c8U8ry=^5?_ht94}r4R(`Zt5nm`xW@F_k#g`HrA>yXV zbYIhcnTQHSYKe$ZtBfU*CxLtirw|t^wlkNy^}azH%UNhk!3S^55vkpxg~kctg_gyD zE~X~h>M0hFs6+NaG!$LwaH%^6hh<*cRjCU?NIhaYt}16s{M0waWZ8kNFE|9kHF#5g z?M;#DW33^WrD<^AW*G)yhqp%U4 zq0DO(g|7S~Bt@a7sv>ZU%-=ACKW5{%K(AJrbNQ_pCgxP3uS83HK>@+vFPv&hRBuVI z7)c!Wpu2MzlyA6SpeTg?S}%y1HvF5z9yWwJp3mw)eQ4L&Ae$$Yw|W9k{t!BN*SkA| z1=j?1+@2fayY@e}%hO5i-XUi?DJu6u1G5qLW`#BHKV}u?dS|p`4phhnNK}#>1&p7E zcYYK15%81{l&qon(&KQvpK${#39Yx`K%*-Guv(|QPXs7VNzfR)Ekq3s3Os~5+!2A> z_?tJ0FzUvc_e8)Wd2JN`cNg!{MKt z#c3{o0ik)e#Gow##b5t40XMULdyl;)Nw;%-EcHa|lNEgF?E zSalj%i76nnU8AC-k06X9I))^TmLOBQOYjqdca9TkHQuwOrQoUBZBH@=88!9;ICf1MU$!1byXRsqCXsTDoB5C z(*E}0zF7UOL8=@@W+Uv}e6{`Gd(yn0uRvfT7V+6!8L*h;3Rp10s|O6KvSrWh29v=- zBx1_+kx+uEL2)19qMwqq7)utF3SsE(rz8zJsq^Ft3HQ8sostrtXOc;M=a>R{)Os?3 zo>U}?fK8!qpjTv_ZVz={&s^&Cx#W=?1HX%UERVuxq0{`tfQ#hm){C{D%^g?$KT)#= zN*&;?z4wEvulNq%fqXWu#CONlO-YXWf}4IIz!PnBj&Cb~$C2pKd9PE;@uTU$@4lJb zq0=quVaSuI)sAmk|7YKGbKuSF&m(6k!cR#Y7D-7Dc!pe#)eVZNKHftN>}q~Hde`f@ 
zk6O7}8(tqh&3amlP_oMcUge^6*!9hL3iXP0_lz))=ovL`_bKrQ9(5fPdOZ?3;=HnxcI)zeRAhg+S=eaYUtL%*x0dEM*WEvM^#tD1wuI_| zPx4_?*Hb?}@w6vMj?DY4mNUg99k;8@`o7;%`|TDJEQ5E+!Z%%45VQt9Aq9Dlfp)lrw0 zCyd*hS5>J!op}i)M(L@j(xAPnmWQ{B7XGfu?9$D*ClO2Ho>z7y!iA4V?jv~HE!Xwt z`*ql=f5ZLRlc_a5&mWe}MPO3>?$>j@tAHb;e>=_LaRw$$o`x5WLf1*$|4Wm;I0REz z-UkML{|tOKvcevoJFfo7<)GDM(0+HSf zek8mYL32wT<_ipI`$;$UsuKJYtv}rX%CZ8a)QT>(TORxgWiy0Fnb?CD zxR$emt^7$t3KC#-*w{F*lhAw1WJ2InOAGW$-#Fr#IhI7&KQl?}XQDKeRU~;d>~7*U z(|?i5O+bIMZ0IyGe}JylRV1*|`pL#_7Y2Y2=5B`|n$Ko}(?vGhtY1)(Jr0AuYPV=M z3Z6vSVoYzs{~gnQRwiL4UuOcTseV~91pO5%QmcQ~tiKHRSk9?#{|A(p{)0;uFB_07 zS<}|AZaqpenYPv!SVBtTSXSj8oCu={h3T=S! zcGh^I(ZEKX|1aCo)9y2doP!bS&#>XuKG0}gji5+bmQz+F7A3plh_y+*d$`Ph`0uF) z?ws{{<-LL25wvp>RU=vnfn9zEwy$+$-2FQgqc2Z@n47JOn)Id%{ zLr2>BdqNI&I}~;`B{Gxb9pF1de4WiH2ZFphCyXdntyogzsbZH1wFI8zpGfMJkO-5F zEOGiSOg#AxB%MnuL+%~_X4nxCyigr}MEQ~Ze>mg*U#rGc*i3eZM^9te#loC3O*MiM zvhdI4g_cs=iR$OemR$?W)y@zORS3qHtWj}=*%s_x=&})q9Vq5;(arqz$g-(SXoks#4D#46n|8bWFFQ65D><5(S`$+Om3W zB8B$Sbz0N#Z$v2;4NL1FW9KsdY-1!@6pLYc9JmH{gGx!=6i)XL69-w8cALp3=bl9D zw<($Ii+Iie22qg&bh<**V#;`rj#=SSBCWU(S%{NjSm&(8UXg{<(vC1Jm~5L;c@`dn z>gRn`UE4hSCF;|JE!f9y8u>qcc|vzsJqp1@YMMdXcF@VqSyK-c)tDmG<>;c7pNS;x z$OVNV{zTjwGt=q=icvwsF@!?ql3jl76_|`=8qqet#*FPt^IuC0HINjSI~)e-Y%J{P z$vstx=1zI^%n_jYf|W%>~kv}?VO^U z)|Hty(VEm1b_KM?dvSPFNk(yNT&^r(0B?4bS@*mJMkCC>_C3<(EI2U%)P-Q%zxtE| zslEnvjLITuDh0x^7Lq!-}1vRjbZtPd%EK z9bVT;D$0p8YF2bOV!WnkjFwK-ZRs#4zYrlXgnKUbPJEG>;<)f(7OGn6Yoz(NKYPiJ zM~~UQ`4>SQ!3Bh3bDR;1K=bk$H!iDh#|JFhN{d96y@v4mQ50%Xu97ppppSFKCzco~ zoIuz5I@<7lyJ#Jm0Jq|<{MFJHJf*tL@c7>)(5!bhkRNmm{zQI?BwXJMS$#g?QGc7= za%BpAGJH+y0dBX%3SYH9`hR$CQvV0}i3y zU%txZ3bNi0z+)D&oScK{Pl$Z?UATL0VJ)%&vA#DW7rd~!0<_i}zAUuSgLZluSK5vum>C{dmo|i4-s&gxHvo>) z-h4u>Rv&6cpCjawBH$#nHo&^WsK%+EUT^oA7_`*Xqq%x|{6N}m_J~}o*yC#QlI*SJ zf35ve(jglayJ23vfD>>TKTpOj(Bb^320XO3)e_x=S2b6AZ%kL}lN$M6$Jd4s@Y6YTy}cqo942ph zTY?Fub&p#U!8eI*J?$r-pZU9%9Oxn(mbm_LX0~ax_;4h|_KEiD#L%$b$K+Qv{sh8ZN7FG zD=@)x;yFpK2RghM31DV=2jojlRg?H_m8WL$c{YxqOzh|1PUCO~zS|weU#lDway!0V 
zud3L0JyL(3u1AIR0>>3Srvh2q+*4suG@b#wlM^ELA5bCG+#xew7ZF-VfZf^`#ek7y zRK4T%ZTqg7tn4ctZ~@8td;QO+Oy7xfErjsx3wyVl$77K5AwdnV&;1W>eX-5EVxbn4<*{;Yw(D5~q>UKd?(FJalSXI0?HnHsp2kAwXF z#J6=;nf)|R`>a3=ygzN>(iG%heY-5(>fYgNnT(6;6fk_6*{FTmM3jSn;0n*m@cGDz z0|CLdU~ukXE*KEVa*+EDOD1F53s%r|$#@1Jh;>ptUS8 zwH4>ptm^{3=J#X_#KvE)70$*<_JmF*@r>O|`U}_-mv8r=Mx%L>cdquXO#;Ehe6%ir zIy2!!yM*a3UrirMqD8u2MY3j3258^X-3CwADRdd=V-$B}D|jpx0{sj|=AInKrmM;mt7jPy;qL$Eip zI4gPgbwC5y(>YR>IY8k20Nk#8_;g3Od`vC4Wa{nIuV*z3&Cxl3p{y83dg{O`HPs0y zD36_+IcCd~Z7OIjrTD#t*lv-yf)Lra^Hq=exr3jBJ@C&60$K`Q5NT9FVtU0=FeHfN z>5A{ez1@dUhz;|*8dp6!8iED0d9lof8^x4Orle*jmGx)Vbw;ywhY{&K!YbGzX=h zUCwjmFqdrDl8kelJ7oO7_~YqrlyUV$Vwl4YHA~a?5xQYod1O2}GdW@Mi;wu!v&J5V zJFD8N^J$OBCDUUwK<|r$7GHm6B>(dxb5RK@Z@21I&>sF0iHCY^vq?%2!ax$C(jXwY zhhR~mQ^RfX)xhJ(uo@QCZj&w!lAH4jJ(AI2g$g5qNdd;Xu<9h;!k3KiWT8O}3(QW1 zVLDn-{mPTetqAZU>1d`DrG3eq-=`_^1}Z4b8*+qbbq;Bu4))Wz6)fgKW0S%2xTgaH zBRzm#i+TJ3M!~H27iTDfK(9@f`|Eb$8eRE_Vl=bh$dh!#=A`uKv9Gxat~81dARpT6 zv>-<%Dz!@WX9U3Sr}d0QHD|pCU$4JkO+5&?ihkWgmq}S#aV0_=%5={?!x%ZH@RA44 zqp-ReH?2<7D9M*X?n8@r6D&;z=;Er2^j3@;@L>0P)EJx|5g1caS<7o=r)2JvaX4_Q zI_o=XP@^ROEZTG{YQvh5dp>p3#y@N4fo_c0E6n@j$r>(~Bss8)QM{<+o)$^{d2z$^ zZzumWN#c{>C(A~8j9#Wy)qH-~-7CNJ6;2*~`b;ZYdOT<->&FGsi8XEcQl@#>AhaMFu!TO9#M6o_=HeBx73d4a>_NUyHl>Ox$K@Oa+9k@9<$PI0V1z{86{mPx z!rxFQDF0W>NuXIWcYPYuJc{P7cAD13o7t!uP;%_#f4%(6t$hbM$*#a9 z)S`V!N;ZYslS4+;BsSRxg90Is!Eu6VU!vHhu(AZvKtrwm2irD@0{IWrKaX4$o(8Zf zeHH>mKINnA1hn6OX<#f^7wFMqdNr_IJ|%iktYpBz%F3#eDM=8fjn}zD{FRAyd_mwz z0$+0>n$=DF_j6?eH#XMxh(fU}G?7x@8|JG`EofNCW)SRhO?c3v@g${7wY$SwELE%D zo^xS3+3$6fNyV6jr-nep=sqt(c1JMZ%qolh!uwtqB5+r-+SBBN#3vOBe|?KgWH6DB zKKq4(p~Ji@QG-kChCJ!xXNy^^5Oi>0-7-tG+Siyw6?UkSdEzUHiYCk`WTP#)K)?k( z#<5zHltdXim0wgg-zAzOk(fU*BHOa&B*(6W5nHmzyXFwj8qs@&{R=-=tIMMg>GjDf zVgFx*<3#tI=pZC{3nr}?hS)!HC0~2G(_Z&TtDpW15^jqo4(t8CzacoFT`TVVN@V(_ z`PCnyqt7X7Hj+&Wah^0dhT+&#zQX+bt8#8t$Z|3MBb-E`%CN$a`yPU2Dm((RC9KJg zD&r)PE0Z2ot=J|BgTS~aUj&VL`! zIP`O>`;e#t_gkFzq{zOTfmZaw4bwsI=RLFOSi*myMH9i`Mx2GL}hSj0;b4! 
zObJlOaZmQ!v_W6Nh5a?*h;CHLu}NF4$O=PR;9&=Woiw1<-IJlJ)c`o{Rj8*F>$zny zz55G6;3GR^i}~Xy*0$E@FetUfZ$CWLw{WW1$k1gGn~%SFCw};761gL{CI_)wKIdU{ z_^tM^t8-If!mw?povRwO15MsZM84ei=yv(`2}=Q>e+mne6|R~9zv&4fWoGThU1Q&a z-A7g17b(Dd;^T*lIfU+c2>^9lK;Lm_>gY<3Uke;@CwbSO`RXHNsH59D6O(E_-RW1n zveo)tL&OC_a2}8q()B*%esWM;p{u$(>kn<|enx!qg=O?Svyi&%AnzH=*4h^Oj9FPE zC&>Mn^xupNc&m0S(&W9F-(cor~@(cnldtyqch}7=^U0b=;AuuLl$2T1JzIK-zBoZ^) z7VQg5LJ3U3od+KbZ}VNQ)Y^tqLs$nPoyP0B=SWyVqZiueDCDa^%O3jc58%@1Ri@)? z_Zu4cUvkTu!+sYI;X@`l(+`i3X(H|lj)3i*4F9IuEbwYf)Uxiw+cC=O+v`Goo`0X5 zZFXHt_fG4!LyFMenA~N{Ov>}-F>^YBso7#77pHkv|j7@qByzW21ChWM}oYtdbU$edI?0|2HpY<yfQLQD8R@cX(?zjB|IJ#b0YJe)|rsFwa$^@TmCpqQFk_ddWZ1 zI`*D2l}X~#A>zJ~K{&zW$Br7_))!yVz6&m6ISxyvI=`$cn7)({qR9&Zxa)Ut}&505gubhHaun#eC@7%i4ei;uch3H#AyXtc!5 zs)S|XedZSX)!ai__}CDgobq0O2($-sR29)O=?2zvG@IJhj41sn$TYr9v4p6wo3qzr z%DTW*$?$&PgEKNcbB2_bu1*yOsxa#vv13Hoy+lBdbqmlYR|y}z&SQ=`=2+{hr} zg;^;|lSu}uFG}vmViXAHJ79$k#0N)D+LTWzqB|pTem~k40Na0~ssO_q)x88>Y~o^b zl6~AQ1v09%10A9C6F%aKnbe`jzGbT0{xb6}s=$VuC<`ji$M18&$>GU3+_-@wQp7bX zx)0VrEfY-5922cpRZN@ZtX?zuouvLKk|#uiAsatAZ!y)fW13Z>XBBQrs4;#J$*ES> z=OnKxA(&cY=F+w_hZs^ms+0-1AYD2ub`hTVgK0HS<6;&~Zk_E`^(!B5joaO~Y$U`a zBTL5c&=~@+^lu&~jhwh^zY@F{aY(yupL?&1cCw93t9rPY+@*Y!sZ}Yx4peZfe$ZmI z-Mk`gdPOuIQS<@Aew~d1S&KoojiJ(@Fw$&P1pj4NI{($8mrBI`-v@S}_LKZl1=~lO z&5WIE05!6Ptvz#&4voA7JMV8Mk0LJHA}i9x5{Q!xN%WGG<@c7JO7JW9R3JtL3w&ne z@8b%FT5@P~aW5TYE3d59_EOk@7-e022G&G}d`uPc7FAo=<`s<+e+ZURkTnCsH{0oV z>fzta@)S0|LLhi-%*eg|hKD`M?k!dAIh{2wD0iz&ntmg9a{H~7(Zvdr2MPH|H@=$U z^9j0GN13oztyyF))$Siv+Jsk^MF2uBX~8LxR@Nll(#bM-7D=X_6ur@YnP3e?;8PwK z$YE0SE;MR+l#H@OTyq}eB0_77VJp#qLCn`~W-k0DIkK-QGxamRp5ulg?~hwi+V|+c zGm0#^igW2MRekW1Dfb#)lgNO@$&Gc%6a8LwU8W1H%xGOWYkLb$?2z$Z*x@P+%&HXD zqr2{`RCU%;==5fWKMnq5mO)O~aR0a51WNUy!3UCo9G~7D%Lj#Cwn^AX^gYIouLE)G zTH$dOlyir{J8?jgSC|_i!U8xXN_6N~?ze6D$vWE{A)X9;RB&tpQN?xlIA}O|Fmk`XE$u#p^i2|2gNz_uXTS?`p$QY_~c$8>IF$URhi3nd`c0 zAD(qHx=BQA?2#Ne!|!_v;4WgP4!B&eE*Lk6GE@P3Epk#j>dO05Hl6MFd<=M3pCsed 
zu0H4;VKILgGyR)9TIqCKCo3fDS})|Q@y+Sr4$wY&;tptfotX)C6!;i7c)E+_**Sjm zzn&Jlu8%|A>U?H&o$hteeG0MN=6e`UKHJ~zB>GC-&+$9^HG_$_fpMj;`&{K&(P-=gMQ@woWFX+`Cd4G3wL3ys(5pYWuxu1(S|pv zlv1pf!OgrYs`p~kh`?iK&z;AL(L*=@$1uIqOLN?Z$9gx;uDi^bs9|EG?I;N6gJrFp z=enKGaDXlxov*gR_;8z6#%n$DaABKYaWih)XKi4{|NU(R6yP;d;LH353ZnmT55H96 zqdshoGc@Vo+Y&s9c}LF!W?$5z1O~2=5C)vQYE?g-+qckPv9i?kXn~F*v-?ov_|L}4 zuScdY9NlK?Y$vx5r?GO7jD%iY6x(0>b{PRiTZurxjo!207T>%b!_*54I1u8vr>_AR zXg%1o6Bsb(Ht|A@S?1>qLVevpYAlLEtN~iT2^IXhQF;@??)LkjCJ&|>WS=3Sb^W|m z$^GyPj@K#QC(|7+^DyZCxn>0qS&*>onQ)8i+?L)kc{}M(YO|_P8jU=rjDc8>29s`;k6^qM#>dKePijCKR`NuHDjqS(+ZUoE*~WgwfK4=HrK@FqD%TA;hO_ zf>`)SoUYs(i4S%3Dq=F!VE~&RjT$I6b^F8n5Y?bTJ#@HcUFnoFPKm%^8WHL-l=TqV zHT+`E&GH9bAVT)j*;P+pyvU#>c4ihyM_;^zVt5FVd9r&W2|%f2QdXhH+K0$^);&BmM_|CzFy8cVt&uLm@wK-kxC8t>rpIe zGyh$G2v@6PzW}l0QnEsG@vHOfsPe_{`${Uaq=-mV9$n-`MEl&P+YHAxN%g|;Lqbt= zBK;P9L_7}{a;nP+@s`SiR*uWmily# zkaonmgv8UMN9%lR$FF>>;8Yt)_?0cMmX8Z>V88+Si$o=#T{wjH{4p^jh$c~#KI`Li zU;wVEm+R$Tf?wjn3O#Pg*S1E;|2*(8C?%@UC_;4QiwSuf~F}f&|JP=~{nK^m^hWtA!SREQMR1SLlXn&;o9g~554Skuf`Br9>QTY0bvVkc zP=Z<4m$pZ6$jV*k;=_v1*K0hB&5@WYMm+Cge$_s(!L-!0oa|I$|qg%vY0c<7Pk94wOxt@&3dfmDO|hqY)qdi z-mN8xlT42TB62yyd4oJ=r(K?tT3l?_@>1)?p<}}asWpu3O`9p!7r{L)0DF4!Xh2(6`Dp}3oID(Vf|*kdl?VA5{-rp zv<&ZB^)p<G3-H|bGH{Iu%M-aE8)b1Ew`zgHTIJF{w?E!i7S?WF+@Jfp%Zo9zb!zELmx7qvErl<~vbIme-U>SHsbz z^B&Pic3J^fx6`>oO3lbT--#HStb z64g>GQ0@D&P`UNvb?dQb?S?ut*Y~(n$iDp~EE@;ZdN-Ov+-&&I>}h?()0b$QxKm+u zZ}hnE(g<{AveH=}pBr!!riJ4Fr#;bh1h|jm?=-TY?t1SZ%X6vi*}lB4A7{s}q7;_6?9K=U&w29ATs1~EQ zkAN1!hvgw#LeKF5DZ&QyrX@wNHJIMRLHAl}H5>K%Zs2f>M?A~(VrJ0wK2*xk_rtc< zu=8lfgyQAaot_ZEp!+--s$2`CtMBa9Ab0s*~f|CPUspXe5YIvjNi{1*jO*S+1 z`T*6|Rxv^1mGR|D0R-XHsa*v^2Dd}kc>yJy7ps4w%W*=;CodF^;s!@gUy+>4*81 zVeWG*2Z0>B;3PP=7TotT@)lTt#>xk_FCXmL3$%b|b~0*z71EZbTNn!Q{yq3xs0-W% zo&*mv=Ylm@f-rW{OCch3Eo4B@ra)%bzKy02dEQW?VhTkygwjN{HrhZjNn5{he)Imf<%^cs()SHwET}@=6qVr^ zpEVH&h8>II^_ikd4<$9&$2)aA7Gu04A~u$EOmPWaS?wOPna_7=RR z0P5r-5buzBUs#&yICScQ9xI1^o(^SdZOKG&I;AS1%Tii{E_nz1OSUSb%;BIYN@}CS 
zx1+*;X2L4v3$B^E^fnK(iuURZhdPQfO)xWyc*^lF6gbiN1$aAzc|KS{9*_%?5BMC# z7gXOY($gaEkb+WR69nA>bf$?zHd8fiEOT_`yrA!pYgWpZNM2`9Kr)!XVW4Bw#G{jX z8GR(|u5|-(K7|m%zUp++c)UjPW#`^8MhvxA%)BilR0^cRzUrS1J9-Y}=xm7iYmQrsht>REv~Ite#foE|l@=k=vC+LaLzZGx`D>NoJaQ8GWdXNHOl3v^ z4n1M&t1fqDQ@pL@>L0dCXxXuJlyJRJ<4Ac04`ufbr=8~^$wHkFoBE@cAUHOB3F%@` zyMr31B8zf<+!~t}l88~3<_Utp1s)zc5gCP2D>nAp(h!v`D5?DN|!-lpQo5m6N(xxOSj2_0=BjY03D zgns4@i&omC?Xr<=SBbxm+$Kt!>{qKo+lZkolK=IriT&-k7OFw zZq0>AtbE~0IaMufrDz_kx;}U5rx>>y8IBYdi(^VDW+vO6j8edcnBPW4K!F!b1FR9e z`0kYs{rd}hgQ0*`5Cp9k{@NHfuSZ3sq{kwIwSYn?jcg&yvnFNVOF$lhY^KJ&RE-f^NUJ;w63M-)>{fCaM`$(YTz?yt)4b0L{|&6XE|{c{ zBs;5^)4^+4OG&3TXPyjxh1C3OSD;s@`@U$4J+g1zaAEGny)dSvAfLm=A**>qoAis0 za|#I)?nyS8bs_OwJ|hQqg&_WhRafQDKU8R$E@&D$T(ZS9O;^T=@FA^rNf2_gi_za2Q{~@DYv3CR zSF?k~ee%P(At!FdB=How=#;hU%YEQg@ThRx1h6F{$p*|=^=^DZMXF)OXpu}AW^W{V z)Hrl&G?i9d8t0g&-$UJk@qTSz&fEbQwx|AI83v=Vh!+@1gEO0`IFu_L##`cQ7F`LR|o0)81j_`P)09Zl?a%dU5fBe2nm0yrzbKLppOEf*jwZeCB` z`7%9|J6fJJMIA>H5Z;e3P;)$MAO1CqOZoT*492ROPD_-4iS_;Y`K`?&gM>@nw& zWR(&yND_F%>RxE(zQCOMl(PCw23`;mWa}29CSakcq!z8*sDpl$(P zPRJyeCdYTh%@Nm>-tA8(MmMu0m)w5*a?GUiR!fn|Zyj4~We0jAsaC(Ce`ZvK& z-O&Mf*yqlcLgCHgd+guNiVwUT8rcvMat{}H_I(FtyJ*?JWovbJ9WfsB-+5n4H`HjpWwp7LwK zr}M;6(3%xJIe4m00Hp?>EQvZ3D!c%nL{^TBl#}FQrl|?!siNkhz)EVybJ5p9Vr8!$ zqrgbD>)=A5|10D~kB(Pr1N5swED~=pZC3sc6^SvKZ%-TQqt2YSWJfQstOq4iyT%KU zWDi-M&CF9Y%ujY3dt9_3G4`8#vHM76HbZuzFgX;-XXzW4A&L#J;ffySt=29u zLzbjj_jvK}{(?%*K1a@LmB!CrBuD!VQlhtkXP|agg8o{jI81v`EogzOK^JDhmP4{M zjADSbCW;G_L8C5H8ZTFMvC)>#hSnbF0o_>VK~(@Gv%@0gKCmqtkG2xPwee6P8L=m- zFY)mBRg@%X$Yil0@Gr4|jIfc8EonltgK$>Xm68vTWsJLQ8d-AfW}`TAogv!+t;nXF z5xEba<3NE%J$Cx>hobRSoX+j{-oIQ0@+l@3mnG84I`i^cw_v}pnngcWN0!aiA(LA5 z-%0-plN5@{GJb?2L|Ok!4#~=onp0;`TEIdttE~9q@+z$0dCz}QbiPhOY&C0H4xV7x zG9CHYwy%qy7q@8ueV%>_olG1D$|X5`Z2SilYFJxbLbrq40?~N6d`72M&Fu`So@gVm zG18vFD@>nG2C)7XYl;npIdQA5E~OfxJ7FKx`P;%_)jjnuYQ@KO)tj)pR!QiRO|AgvMiYl4|HpD#A#?QYJkU&y4L8e@ro}w!%?3!oFmTk65TEy zyE}dA3K#{)GOI%y%smAh{4nTc$_*23n*A{HMtl2Tx8zd=d#u7S^j_JQDAA_wbk0-; 
zbd^npK~pJI&WV|lC?<#kP|ZHcm99l4bf?7&3NL~HwFkLA9UA<~85$Y3I<`5& zZz=LQ9_fW&4g>;QV{;{pyq`Oq`zVQZj~N2zx!Ma$o`!}#N&SDjg+&}l}FVCsEXfG z%7u|lKq`^p>u_bx+$Al`rv9Q+#xVJ*IkEe*C_1QO9dgOi$S%a3pE{j%>V{f+41QbO zgg0!19qRU7fTmoUJ7S#%BHQhCxGsu?1UmlfHeD;{{LOx{6Ax@20wdWiRu6JzOZ0#yZ1^YpQ}5NAbg-yrZ_S73;IX6 z?<6>aDFCcAIB6e2JmwF21KepOw_^~251S2uKKssgFTcExSAZV5-ri)7d!>(S#~HP6 zHz)2$d^@K*&3Y@F-HwXxmpv1OcfgbBGr2i)1EACG3lY(VZPEjh{!v=2sk^qS*6zpk zQu|1?1L!EFS)#MMY0lE#E~v-B^riJ!uvIR;!@M@yosawOoYS76_G979AiZ$o_Lrcen6O`wF0JzODxmHPh=dr|WSl-*?SY zhj)8qz6jpyp1$2x*Q={fK_EW-6BDX~{ z!GIYFAc3Fpbe2YPa8~WA3&v@I=V>q}_%dy1qZRys>AmUKyS%kOG_SzHJ<5%>isV!I zF<)G^T{57z`y4WG!t{AI+tiMEVM&Q(EI)4@Jm}B!$wK+mU{(w^G$!k3k0Vcp za`2eUp8pq#UL1OP(|7#w`UUtef8>|hWEMmdVe-d0cCCaaGk^d57l>`2Tq%Swu4c9N zk?ff1YB{d-V5J$W<5s#orF@A_8OXC*KBCX)R78oMT-iRiNN!E0E#B{zKCko_f9CC6 zva!uZ@L!*J_n#uGM>f_`1(-Mi2P+6x6VmRl(lym)(qaNbr>vk0k31+-HC5AL;!y!E zX*ko|=ATSSBvS$c&Uxp@JX82OqKZTjb^83rpE*9`%VmriV z&>7|Eq&Usp-@KGjNHfL;=bEC-tt-&Jh*4H@#^Ud#c2bsnG8UUxmVOEmth|UW(C$8* z6k#am8?DOno8J~DOKH30$e4ENH*XQj1_;mF_=$s^t;{T(`B~U)|BR(8IT;rTW;}af z-bnGzjz+2$Xu4|FMZCE{um|&nre;1_aQ$ujv33KgV^m7Lr}7SW;JPC{WG&xh1H3F* z5DT`rFJ-`l6&wGuK*$F@_qS#Uv70{qI%`@e?no&yT{Lcr z)lr|2lM6LWqL1-5-KeyXE5>e3*R}uQF3y7)psy1oNgPSWt?bx;&(rlY#hb?ZXXIPO zT2z*3Ws2TrB?>BEh_z=wu^4reN-j)`4&uKAv`8@)gzx!*`gRiHDRc-*!OVX`41Z}p z(I1cO7~SE#Z@mfTIXLt2ocR+y6TKbY0Vt$7!Fk|F85VHu4rorDY-w(tk{FKyy%u(j zCba!s(s1Px=u`GP7*1rOXDJAKEfVFJpMXrj+`pxHFa9GD#50aG$2g2yr7A; zN~8ZX6J=6|8Jn3y9)(7nvzNzw-$F2YMdcv`-y+wWCoyr_m^pDQ)zqrjlfQ*KDca=OnjF0nHE?%L%8s47dz3HO{+8^&mcaa(@>>oZ zXfW}nU>7?Yj99sA7V@68tSek3&!2O|?)x$Ilu^G;Z$X1Pzh}pnD=*qjODh6#jxzKz znQBA99%C2+&t&qoBAw=Bk$8S$p-C`b=65Tdr!Mz3cFAO<*V<+5_>^*HRL<;|h|F(r z7_gNETk&u4sBH?FV9>6Y=D9y~+=)*CnBg+{+H%9|!`6q0li{ecLg#N71GTA{bbZb! 
zjiH4xetBH@_wnBS-)yvH#nN=NY2H68TNu8FB*^PAK$%iQlU~d2;dJWi;MDtkBL9Uk zXIyeJ8Ry^#qdY3m6q-Dkld9En&97?o}G6qSRwpHiSsC9}bER2MRvCSGy{_i~oC`)(ZDHqnJwQ}(; z?n@FgKR2KM@A%i$Fz`#5FN=>`Z5(71&z+ufkPc7Kvy&2}X%i{=B;ZMBX(@Q)^hv0dL=5cJO zbKAD|VV(Ka8F`AA%5^?yO5MYiIY zR)gNVR{ksU-)Zmeyhn?bOkHme8;^ji5Br+-_2mG!UZw3*dmE1n#1;O|H5~UVTfr?n zL2$Upqu}rRSoaoQQc?R}v^q;uQ{JVf%`xqN* z^ZZw>!Spg!IKmGew|C2`DbY*G{zRe25?pRoy)1PSZr^pKT((&_`|icB?DEwxvNm(01nq1S7g!thcgVB~7Xrt2mAx1!0Nkl{W=up*#s(2wbdP#GOp1Zpu^=Lwcb!!kueFce7$1(;}Sy zo>i9Af=Ztu%ipy;!5Z5TgXQr19Mi(M>@Vb$e5I&C*n|=0BCBWBnxZ)IK=XT$0>)HL z5NoWm0omUg2w3zg)^luRwgw0;pXOu`G_=#mPXZ*g5W0tXcG!X(4zkK(Y6INT?DU=R z(8vO{VOdTCWb;c%`ttOwKOO+cCbF%@(ahf649D`dL)`Mc{IX`2Yy%l3!*xiquDHOl zG8Kq$BeIqH3-~k`i75SPNfSS9C}kh}m`QrpiBk^qhWR$bawDwldrG@i$P00O4OOpE z9$hA?e=#elc+7L6H&me$lUTS}wSv*J)@l{@}KV>>DAv zRtN2{$MjW!B{z1{kA!)jM#7|NwlniH2Pj z-QWKiWe*__T39@_H)#mb`qWrd<~Xwd{8p?^EJ}~_MNyk*oWDq1K2uE|qq|Bhh2`Y@ z*LUBs-A0<284I6PF%|}K=;FXlhV`(-`U6?FS@S*@ILSd~yr6Dzw3E&Ze8G$OSG1-P zmWPIIhCvKUb`~BrT8D}Hd0AJs_N$>GGe8)3^=|j#R%9FsOH(%vQq8-a;8eP%bmI+j0YihNhXd0ahEmfin zGN=m;6N<`#F{N>{c}=9WR=jA{jH;*(>vs1+j1b&fR%Wr-Yeu@_x*63m!{vI;cV}3 zGOiYGrUm1uA!}txMJbO>t@51^;c)*bM16SrHX2o!9cdVWfx+W+-88* zYu5i=V&gw$cn{%|O7>~OP<+gR88^?{q6OW-1H`yt-|zTj6Wp&KR&|yP-5p$ zMA23OYv9jZBJOxXzbQn#Y8NMuyVe;U@V2MDLHE2H=LI1xsK#SpQ|Bm-=w;cxhl2sg zb=9V(4pim3ZUcAlEWDi(mMSa*Z+S;-AGe(S{GGv(!4ULm_^SXTKi5G*pV^A7X9-=O zM}l1ed%aiLUE6;(tgYL3O9ZVSJ8Q;Rd|tn5tKJ?josWM^gY3a$jYQe55101mZN7M( zW}jE^ziVEcFERGEUuP)%J*&DL-nT$C_(>g>BN%OX%UbR;GK^j4pDb?5SA$uBhxVK} zK+J1~o6vowVApLgMlnzx@UhAddk*v(BjC5dI^Jx&VHsEfvCf{eV0F7)UR`cE_2udF z`X)F%#0f?LdF~-^a#&Y9Y=iYK+jhj5T~FSrZ10{B;!j6_x1YW6Ay#(N3tf_PoTcp_ zJr4;hu&?{a&gq4^&wIiJkGtNpHF!;iQ>|ypCpH88aAj-K^Yi1 z1#H?m^tEfVj@=mAnkLrw1ZCM*xAqAwAOQIR9*6qo{HZ-B_~iMaba7%G@%*kEP*9eg zh}(R;J5GY@>3Xx4`nQkM*0nd+26jNlxsI%~(>*7NvSyvNsSg%#K>s$A){33SH622Y z0BBHUh8LXSS^EAKiZxTcts!uBbCExA<#$mM*!swiOdpLrlY4i|n3e4(`|<}?9XyV3 zRqbS*^r~lDZLNZ5U%zGuY_kiWII^95_ZvXV<9q2^iPHveFs;tgm~Zkw-Gy%0Jgx7~ 
z;J>-upF<&Udd@{|*>ZTn@!VFhrh&WMKU1DFZwx=c*=Jyfd!kqW>18lO$|oGOwsx89 zZ9*MPHPR2nuZoLapOiZ+ef*CSznk6(CKz9590y1E^Cs)>J^MdUd|HeXNKEJmmZ;2i z+usgdAui1c6mMA*5Yw_^6Ohtww`V!N*wC^Kd)3MoERmC9bKp(AMIL4rB&y$g%{$!u z&Kwm($v^Mf!>*>q=ewIiC(NT3!i{dZaQ{P<=13bm38g8Ii|k2|Ctq6*ACI7`kmuf*F4?n+In9RCDs+=? zNdMV@r#I0M@s&8rvZ8F|^Y_j&DZNva+`uY6OF?z>O(EQl{%dIBO6?1G%K5Eh)~Qwf zzdb%ZV-nYcBAnhRZ&xPU<2B`qzvu};yQ$9nrO{k!X5>;LvZNKbG4aYn^oA`Fb_lJo zTBW+b$KZ9D&mO*^c+;+{_zXWdln0s4ua?bX+>-~_$u-P{DYvM6|HXvYZ~`HB$KHkU ziYOxQEmyFq@)Y*v7v(rdaL4abc;(Hz7uS$u9{t0{d+-64efYELv`J&oos0$f6 zmE56p=|IcB%8CR!=x0tLnU`K9JgJ_&`L?R;Tq$uE4VxKeV}1fOUeD4gC#eW-uH&~> zG=+mXJ?r#e%m4oHSP0^3vcz_p%Ak`)qHZ0kPYbb#;PsuHTrs~KAu*IKov5->IKUMh z^~!Q7AqbIV39%|38ZSzItTH0PoE)A#hJ=$5IT6@qa-5ZT@K5~{E7%8~4~>6Qa9fz9 zdI3)MKevH>jRX~U_7R1^rGEK2JfmvX1V45ydGu6ElA&RKHU4DYj}m2(p035gWh_gA zkey4)H$+4w3KJE#O+@D)J=F`JCvOkO7^$uy@`481{Gh8b~S!%cB48vlZ0SIgRW5~dSNH|!yVpr9iSCj2&S0%Ku=jwUeD zuBVW##WdhiMl4#$@5mzE+23}Op2ET%Q6^`cPQa2ojd}NhO)M-)DB7#_fMT4>l%0{-0ye_n!^%*FX~Z65@Zr3xALS zU_}7{xD#^Q&mV)E5IkXEySyVL<9K?her0%yYk7R5^SeFDN{V*p4$bra960vbO+FS- zL|VV-tBgIOw8o&45OA7v9dEfnKC;KqyV=;X`zPSIKDXDi=V$Nh51Pnpe=U_b1nIpJ zemvC@wA>ut&eTWSb(mIKYrK@SoIjt~FNPg=d%7__oo+_k^W0p%)x;AyO`z()xf{p3 zt?>CREit{Y`yMdW%1!VJ_Zz=fyH8loP9IN6z0O_gOea0A8W%rjF?k>LBYeDV8W8#QSL7uC zci+%*H~;Na-tT{SVZDhyfM731?OoTByf5hl+=Lzv!A;-RwNN{-D8J&v^oFPyVE6(eYevqjzn(v@q+b*<5CLfUE`qvijc17;bUQh##&dA z$B)4C@~%_R<=j^TeBBM(3II>PU}C-7O`N%Fc~;8hy)MJg=r>#-!~s5VdG)VzCIq>z zt-u#LyTShbIV@e8I#;uuc3O;nH7ys9<|Go|Ib@FB-u|J1w2Y@8cL+D9<9pmswbtHe z+N{B@m%4%aIlKiq^lywadY+Fnt*dSRW4jZZ3EsDkFH0g!-k=LWmCx~TD`Q(mrl61A zeHIAtlGWVW^|)-C+xgV-{^$M5dotYaP46PN)!rVgs3W(D zbf3QWe+%)<>+Q1v42GT=sg*E&$I&OFyPf=l^X7~!l8K{2igk`F(i~C<+sJ~MQO%aG zC95DOF+7=SG3gKdx^J7_7|BJP4d&lKMAxp>MznDp!I8q5}(AHu5`earVLHwx@ZL z&QruC`!~e%qyrRLj=WV8KKkT({Y*zZ(sc7wvNKMDF0hj{1Y`sr^2%dSCgp;6Vd}w| z`sbsUPru33Rj0LqRKB(4#9--S%KXwy~Q`v9*T0Leha-1 zkouWza2Ycu#7qF{CPCM57K=ElAV4WZRjOUQ_DI4rbCpz@wdv7sQiT|2ZxTngL;sph zjTMEXQ_)HrdoOvo7-hjpZn)^Y{I4w#mr#-m!?v;#lyj%@P*nHoxQ$yLhvr 
zAfq7~@wV6>e!oxlqv1HULh+FG_nyIY!f zfa_^gA=p$9?haBp1#REM?5i{8rX1@3!m3a%6ayv-hnCv)n+luc7i|tm zorvS3fF`nbY~hkspJr{@Otx*DreySFG#=DGMdrb2(;JsUZ7H|V%~ctiHJF&?vuEvL z`^*$^0fe$J)nyp+CA?B&$nb|~ByBhGX6!(`P{~x5gxM0W#0rb_P>L_9c#Tq=b7b&1 z<;$|i3y^;zM-EN+V?iP`KXyh_l*LNYEEJ547TJQ>@RqbMf)Eu-I|3s)g1tH%p~T%^8th#;@(A%U1Ys!#=_lAp9Zbu)8KBN4nFa5^Jt7jBy~9 zPQZifNfWb9-gZW3Sb!{5Ef!+(Lhg&hNzocbe(8tnPkepZTG zS9#z*^hgvgG2g;x{{z6a;6K=2FbcXb%D14Mt4y$-Yv>5eJ(6Q#34`B2;H~;qwdZJR zp;!%9T)Sgq@q?v~ox6{FH8AHslGXY`0@&_5G`GY{=U zr1ZIS;5N5+9#(;d{@QDV4rANG_C@Wa#Q8G7=U`PN%VSRE zR_CH|OCO+R4xTg8An>0eJ_ip-g9Up1-c7XjYjhD(ax7Ei8^9}!QqvsKU&)G8~ zKd)txPJWlR*Rj9-yRR!S$hF-kS9`An^#75j-LOlyGR3MsreXNQb-|1Rue7cfP>Cw#QhY2NamscM&>m>W7! zdDov}YRXBuoG|${*h`}77X&KZDuoK!{VMU5G=rS{I%blSc$QcfOrqg6O_3M6P9!xd{aZn}5amZFnZhT5T|R_P zhFIv>gO##=L%W#EC!LG?Owo}ce!3qp?XLLCG`KA|T%1Rp20=OcQmp|h%UDJkg@TGm ziZ^l6j805@LB_HyK_P;pFRG>H7heKNrZOS*4r$DHZ>W+T#JNE9;LLdkNf#=e*t*Nv z`PD%O6{ZQHC=wl^Z$I9ymJ&#$RDy_zz*)5}ckUl)S$WU?U*=N~>`>(vZz1N!TIf#dGKvyoY9HtH z*$3QZgOAI#C2Ewpq(O-V^M*TwDh>qH{TH+`W~g#greXTfBZ2g#j{IT8jZi$+l$z`4 zKQNkrR!+jqas6FtoIl)9mAaOHo<%gJFsmV5v_vJ+X#Ln#)FO`Ct*}VtRvLqCxuQ{y zv=PnK+3%Otv^--GL8%VgaJ-h+6o*Oi7^AJsDcI9ODT!4~hYAWo4R>N@W_)qwh0T~E zK{$O5!T%-9y1o0YYbP~KwLHU~j=6(2wO^>^u;fQzVb~!FvjfD|mwn-qHOy%7$&-Yz z3-gMb&7WscIOA2%N?8v^s6o-L#g+oFP}cTyzcs8yu*FN0=1cOQ9j z9lY`2p)s&Gc*cvOj$A#QtMSx~Hih;`BT`%VAqJjBsyx;z;lWB6VZ=pb**e>LK#8wH z%@~fHhC21zP#}B`^-+i3VC~SgY{w?E(>ysPDQTPJ3pY0W;>?8DtY_tZ z+)Q;I1WY`kO%sP+S}}qg$#&+ywB`Fv1N$i+)8zcCWX9!n*i0v;?3M1gi2aljw7?1( zo~%FAKWpOoV*@OH(F}6YSsjuO32STSA66NSoNifl&vx{;qe!Rjk?$f zVMrVhz~YP3>KJzrsJY0vEZdVuRy)P>|nUBq}TTI;G`F<4_Gk76H$~>(vs{)b>NBnIC#3< zb%WP0L&r5VK6TCef}6;|r@!6hIkKyj~DNG zHd|@!=S~&8``6Cu88BC_uKS~D8hRdiY5Kk#Ynr!ASJ16JPVee{{oY+JYny^?b6KzW z0}lo~;7kOLjf?J_JsrW<$tsHF3eOqv!8Xo9GMEEQN2uH8d6CpN!+~kX|5y>c(q)s8 z=C)qkHf=gn+pVSUad)042i(7Tjq`HTIINqPUcawh;rCb-UwDA69%{|*K2MyP(LP76 z>{)qP8eb4-^Nf8^;5EVleN+OsK$r))9U%I5wuQ#}Tj3s-g zA)1i~D2x+@meCtKVvGf^paB9oT(&}`hG_-2gD@pql@Ju#SRa-QIpm^%^TjpN(Ngh% 
zym2bE*14Dm>wWC_*aW_f)>T7YY191rny}w7_!&+KcB6KoTRg>JXnd09B^6q~W&z%_ezxx(UN$2vq< znO2vfKfW)UNKMAXy0wnd3@9xU>F8;w^v2B* zSX38i+pYZ~$l$BkNdSo4f`b85l@|B;QO5L>&*@E<{6sHUAm!fXj4Np>Gv>wdGiSB}WuzH;Pux9Jl zAsbZ%ZSJ>UF_oPub{r9Fko#7VVLyh)l<_BxB1qcVD|?l-%0{s$HPmr4D*o6i4Ozj` zhkE2ZqBSG+qW9xRqS6YriZl(Ky>pN@`n>X9g4Y-|ktF4A08CE?Py74+cPVxsec&VW z4}%h-k&P0AQB6i-47s3Mwe#;`=CK_`j+i{Z?MZ^U(|$;;I&0$dW|T!3I_zu}Ry$pKceYae zuwX-iW7y!5kfYdCTZog-lIi>xA%+r*wPsmtDqnPy39N~b_3eCHkT!Gzu1KU?jU}1w z7cynb^`FwsO3mtJSOK|Fuuc@Ai`4p8#Hm%QJT@og=UfSRNxr&sw>TRXjVP(5UA?Hr zu9dh{;=-h-t`vbt-1$M2XHr8UjcTCIOYpP8+g0ZYSW3b&yd2?o?c9Vpyhxc+ZF4|^ zfy2g@+ZZ0PFe}<`%?Y_Nmt@;!F|rtnT^~|{tCqy>o)wv2QssJ<^0%av&%_7)TC6Hi zFF72U&`DZrBPxt|11Dzl@LHkE;Y(vy702xL5fS{R*jUV4iL_%jn5o_!T-1|iuRMQl ze^srC?J^r+6q3fqchnOq+dM&&q+J`!H%DNYVl>=-hDj<1W=^xOzf;=th&1IRpCM@! z{p_XZn4rY%#~80JO;GiwZ~3-xdBYfN4$#5cDS$xKxF(2=YdoXit7;9uG`Fb3N1 ziA#VRCHu?G6qsSw+qC29G@Pl~pdI_=y2icMXVBZT+qLZB5^Q7aI9+ubIG|^sUFQ0v zzy!GXGk~R6KLaRX1fLjsS7rG+@3wcJ9Z&M{o!NThy?N35P%e9K3GQv-yb|^^c60hq z=M^JtXZy*!OtE@TD$TS%tRAMVdaq`1TaRt_jZCgOhYK<`NI$$2#CtO|J3#r^)q}P* z5j`)by7hUkC*$?Gb{xQq+|K^auV@nlj@96CKPo{`r$ii=-HY}3;lU$O9aeXPC5iJ< z7N_314?VEO_-vmW&~emaEx&19=??U|A3KZlzfIUDl(T)?o>*YS-7;fnSb{@d<%Ei_ zbw7Q&3H9$5ubcnq3~;Y;)iupfllQThn=k;LKBFC1-4E;M)%Xm`AiRIZSm!}?pX_*n zzuc$3;{RiSWBhoiyNmz|b_~UEw|)}Es}wHw-SX;hr2yW(24#3KML!fd1jQTNL81#4@v{}D8-`etsfcCI}GpLe}W=}z#bVpG_<1qs82Ga=aBv@~tZP$Xf|GMte&;dZz$` zh0&#Eyz?AG02sxY1QT^+Ju5ZRw5a=38`wO&wJniEzrObP9|u>MVT7 z;w)O^c}%5WBttg6Y|z;j6EYPLeWgP_=Y*yqeSvd`+tPJ@d=&r4XwK#-W!Eib7M$6p zhIpM&%bm)xmv@Wk4U99}V}zE{-SF`0*bq1%E4HPRy5Zpw+H+GI_oeGid(DVVVf*U{ z_kQ9I@o_DyX#U-i=U8PRolAykIQ-r#+ih3R^(((ENdj9fvDxHXxj;qhraa8zFyr`& zPRQbza82#&vzLGY4vXVjaoK&@980p*rvZ@p#ixdGX%S!Z>uvzCx7<+GcibX;8D--H zb*mGj;EA6}Og*te9qQNL(^+)^8I^r5*=Qy-I$!tt4oYZT3JByelf@_Uu!z7d8gi6u znK>HSZ!60j~76_^lIR z0kN-gWV=mgs1xyCaLs=LSX>FPha1ZyC^M+n{-rM}LLvw&%&2CWSt>Rdt4ChC66-j_ zBqT&0*CouTdOZ(11gJ%0qyO{6%{S$a&$pB~tgO|LAUtg~Vc~nYS2r@BLw0X9U2dYO$ zw!P(hyKmIgK_twsdza?KHLqT~$&;Q8MFqWKx@{*zcb 
zG!>}gncXn8`mNezlv|pZrENeySA9o@pCEM1x3m+VjKwz7Z2u;pL=4vqyDcD7jJj_A zWj2$(iOGoL8bc_n9%>E)7Jbel&XJ71u1-nz)w6nm-McxPxRj+OJQ}L~V2H={w?(;j z-sv)5(ZM}!s7G@GifcnGi+(HgSpBaP_Y3t7jAP++3nP;nyobV$TGFn zl9J)?kkX2g^6bV*XsjNL{>62|oLLnu8IE5kaCSTOyCw_>o}s8A_kaUy@_;XHsn~3K425 zNY~!5AQf3!Hz!txzz7>nx7xPlM{&_y1dd0g0a1LEB#Yfd6c@Heq#b31=TK2DdUrY! zaUdVQ3r)=E@+uOWq!5&1aBRAyd~SUg3=PTJqY1Tw+-?p{7i*|{$@Mh)c1Axhcp_7S zA58KBnEf9I;oU$3IEDWKb?vW|L;(@_Gw9tLj0N`*4Muo|d;r4jtGA?|H%mO4E{&^W2&&v(^|LU@c@LNI`{ZYmxo=ZO z$IAB{Q`M5a4kLG4UcP#FGTC(=-j#mbF07}n2zre54JV~tFVrjt>-B`4oY__&D3%~nz3i=;D3j!jC{eQeE4qv z)r>NJEeK1BteUhph_4Q@uHT&7IJvfT&JDHIgmwXrnHPsss|K2@2s4KC3-g{Q@>nIl zp7}Gm!b$L4nF#e7{QwzG%>;Uq9Je%ARn*gfex7o#QkD@{I~T;uQp^3tn}KYxsRqvM zkKrxaM&~thKq;yHs^iZFs z(WML8JY|+<)ozSoIIN(sFQl`MKj!3^V6@aJel0YOVvK6e!*}VzGp_zafj#|0RTM^= zhbmD*&@1{g28NVs0oM`jExwn&85leP3W)N+);;r6g4jE6_x_Wke-zJF@MO2X z;Ey>?4N6Wvq##M8R-MkG@U;I(jQXcJ8zC!n^2ZOL#^OL*Lq)n+%k^hj*!#WXAojut zYv(4vrrFhCa#mQJ6pl(%H9MyAXp|;E9@2TTM-RmQ!+LQ}G)OjiJ;KCO){GCo2;tof zrZ;1DFN*retir68_KV!!RppYnJd}P>gpGE#A|$a$$*lJ_ zK;0-zyh;@bMRt4#X9(YwUCmil-!Y6pq1J8EZDy?RJL#Dns;%|2RjJBfv5CMDM6G+< z{1F}3pWF05eoCek#?8lpModJJS#y+#n6#!LX2yf-=lhHVf=-Uwb_c^B^qHnhVWQI5 zxdZI>1o1{k3vA)vohg~=wIh|ucG<$4*=)3pQg*)wol*W)p=tIy zA;oHCaDtHS!C7onWlm=3_)GpLAPzB;tjUVwR-9F1<&P%rrOMdvb9JT2(_*Wy7DbV| zQ%3Zxx#9abzsgl*GNi*w&|9mK9+dQBn(5UK@3Y04=j8iKO=&W124KtiGASf`fNtE1 zVGZnCcZG`3kU2!(^cUuSa!nSqz+_IUjM)KJ8TtvJ63iw zP3W`C`_*YUi~{AeXryo@lSQ)5PnAT(BL9|Bsg7Bc-1(&qNQj!OXJ#Xp*yyX^J48Xr zJND8baScI&IiUl|?}HEgRUQD)1xz=9l|Tx6zPs0Bf383y@<2sk1Xu{%5ALyn(7Ap? 
zE_L`0N%H0G^EngTtnbTAN$dI2DR=tc?I{6PEjyh*rJ%gEfPYhLHh$Tk)=lGO%N&bE zK>yqZ+;e!j3hL9CMw&?kuKR)(1i73jcG4$(@Bx6)^iTqku?B%JoTGnLK;|i$``(-Q@lDZr)%V zz59}V0tl_|wl?jrYXf%OA5pAt_nz+Pe8FyUH*P$$duDJ%zh9|V-@FU`#&i$nCwY>t!-h%EadaRDTE@Zjg97-tt|i1z74n_SUZK zPQMd)xt*h0!|gxmOv$wZ&esuv9S&RXZX2h$1bG_*&LrTpc6a=jl}~?OXK!8S_>H1v zEs`mhcDvP@%Q+*9!-qiYxh=))(r2vXnuPbf>ofzLxO?{?&f&^xSd zS$$8sQ%-R2P^YHHtGyDm_KGC~Hj=nbJSV&LyY`=W95v z&$4SBxmO|bI(s`jzh#~FN=xFr=muT@1hzg-^qn8|PeGtbz4snig-xEvYZn(i&lL)V zj<=xz8R7 zB;3}had&+G&>KDJWwQG0TemSr;#B^NsBem{B;cA&Cbn(cwr$(Ct%+^hb~5oKnb@{% z+c`JC?)S1+KleFnRqv`@RXqGnr!RPkWq$~tyuJZ>C%uKM>8}Lv3jeK$hX97m)WZE; zA9i-fj`348!O*g~U#H%7G@b({0k5z5k&-oW^53yv5T7^M7_63|cl|*SYR--fI@W;) zHNwE4o7WsVWE2K{3B0*9>Le~XSB64=XDdBY$&qKed^L9M7M8e(S(1E$i_o$H6$#Au zMW-Ku{Zyk8L3h|^3y{w=!K&u`A>XX3F54sVvz~cNqEuCdF%w03G+cg_&W#DSi-)Qa z3n04!QK4|_+%!m)mZ1ABBQ_F`{aFhOc@vo?_{c3vpi<4mw@*;2%$_J22*h_lkYk6ihc0L zjqhVu0OH?2&W1~w?sV=^XsZsjU%KlSWhRTCWM%u~k_rthVuDZ|<0fD;o{CEz3c3I_+?Kg#+vdfLmL=~V(OjLtBB4Mlo z6RoR~;5&P)S~dr&T(nY8CN&zinvzC8nLptu6VDW@p@7%x!7m&r(3|w5sI}S$Vr-)Xt+1oS@eM`Tvqz_C zyc7y0wX=pwSk1=yWE`!lxh?R7dJXZQq9-;PRF$#522~V8IN2ifRmMksJj8g|c_)5o`J8zT0+4BOujFlN{I=5Y zjLega<4NxAWk+AoonZTGwCehfK2pNz3mTPl%JDl)ZR*xggDS*#Lli>VYjIS5`$B9< zR^BvHzeNb1SyhRMm>$^p$cbS=4nw+Zs9Xk7S)m_jR7$F6wWLE6<07gChbbp<0q#4iHa!>_2CAa zq)|;&u~)}0Es0`VgtPQ>N9^g85W->vXvKarD6Kw2pb187C96Xe=}wl85T>erV{V;@ z2+j+Sg;h$0yS2oK-{kox+~zU^O`cMCe=eCM7*&xme&h2B=R(@L9L_Q_rttb zt;arqK(gRjUTxTyYsjx55#w}>@NJ_sB4#Mn0vUf$k#vAQlOyV;D&YuyEKAr<`OYOw z2nk5|M98lK&_ViT0+?p>+n#=8a!6PSsR$saTbx^gAMJ?X8DuvAG}I7Nd~eX>3c&OI zGLqvmKhD$bw}Ty!6i1agvD5v9HXMpD_Wfu(MsdKd0m7u%{lo!=0Nv54Po2o$mt@nxnK`$f}r!TY0Jg@vY_6NwR4X> zm+#r{Ag$3b<_wk6u!oCGsUH@qQVRSx9rgB86C7FTi>nOZ64xZoco!JE^n!c|- zF|Whhdblb&*YV~OBYUdWVa%WT;b`Bdm-{kMBW=|>z{~D&_j-B5z}fDYqj&S{WEmL3 zzx86{m;jzT&@)hbKjduHNi5)Qgu|ESjo0N+yrWBGmbQ zKBMb+)9G}_u(Eo2)wXYuza~piwDZ2swLmj* ze-2#T({*A!tzB($1heeF+r2gOADw)s4S)b(24tTD{t7-4-1f@17O^ieuu*>$J_v}~ zMkTVcgIM*v8a!0L8tnZX>{2Hzswyf~%TDL#8GMh-AOIHL(Zr>S%?fp%&r|A$fO-rr 
zmPnQ2DQb{Qibc$wbmwnUrNSAPhHc zOJlMO=rWl4(XIM-ix{O%PeXLiVD#$1X-Dn!giRTF8)K(^c!~4+UoE{In}s!cJC-JT?EG#WA5O$ zAwr?U2%z0M(k5M^fLI~TQFdbKLZn9!Tbhl$d?KYDT?Z>NiCeFg*5`ylNiHBw4G6?mn-JkteTaiUsv2kvPbaxVISM}axYB-<%#h=o&iLD7@B z$6$1h*)uQ^Mh9BAFv%XLND@>(7KiM{QFoNKsG*NDh7L&bd@j+E;ZjA(yt(eKgwse_ zp(Cq%HQ~QFT~KsBFG6#%7S%to&O$S6BF*$zF%uGE&3#>}RdVDdV=aYAN9+sChWI4W zRLxf-DUb=XSy>D!xzgp=aF#i(zv!~Zl+e_yhlR!;h`aE!b9`oql>Mq>%Stp8tcd<- zI=pv#&LIR!C)byFZ7ACU$9914yD<^R7VHcIM!styEZ_2lZP)F&HdTL8Kwk+S|G!?I z_0R_h3Ck`QmNow1S3D1uYG;mI4}kP>!m;MEp#&H8j&RwIKBG zrUj239THilvU$#+47&tSrMxa?_8TE}HC2_wTW-Vp=<|?~+yb&?V@$giuM#}8Um}gW z3>Il_*-zMyEYceCV3J5X@FJ2DI85@ag3MGy&P54?`50@0kRFjIw8$uMBCLp8Mgkic z#a>-jtQt`bP@JI0DhyXK2&F35^;~S$E!(m z%5v!u_Fatx&BWRJ9~)LHa>l@uA=VDNXtmJ4DpHi;a_Kxqyue}z(G`iIXig2O3}Ty$ zV+t0fzv9Xka{UwO;MavwB|*_7a)fK=@NCGGl%2b!^{gZDFk($|_b?&BNpf*1^=u$P#JQ9!IuBt1LP4Vi25gd z#%KI57UNMf^j`j8u_WpcBx)bz=?@kk{$TOl4;G`cYCVz0O!5TYqyX?*)^ysEmto== zdMBg5N1D@l7XQ9qx}@`cX+M;-M4iZBKb+#R?C?5VtUcH71bvLqbq-fu)Hbh}FFY6N z0|~6YXneVi=6d)UaPM|gq`5x(Fs=HgT9xnIokP8gJ-7P<8d>1Eo)U`NN!q+$LyGyg z+#8nzM{HkDp?5=%LEHf2YYbm*2b>=LSr+sdvelEDUj_3v6Wg~JG!9&sQ?Y5U86N6- zhcR+l@qgPVoIRAM?ZWeVA4dp8WO@TfqknomZ$j0st$PQJKk9v#-8KZ8E*)NW47U)3 zZ=0_>A!@&~ob})D_QA_*AJ46DbXz<=i#hCjE!FCqr|j#Es`;Pq@hrBUowWE&Qkh4ii$@JFKE{BH8f0JgOx=e-`2g^?~@m-d#_1T5Zk}0RXc?1p$BScHZNajS_Ed z>b$RED(cw%U7wqt@85KBtEQn77@bb`Bb$#^ZVXwqH|?9PGkTxX6f58EBP!{etCf>~ zofz$oaPTkXc+jp{WVUX{3`P&eZS3xdoz9A?6#%#Y^cco^{@yxe?>sgi2z(5MW5ls@ z0{qOo=nN7G-0=k-W64_AzseUk>K&Y6-k2YP<|6RSEuCZOCo^Fc8Yx=d2*?T9+ z0&LgG_g**A2G?kK-PR3TO4D^za-H5bV*#VIJttmm)6moxb=+U6Dkt=R`Ik1Nv_7w+ zdv79GOTj8<9snQDtbvr1H}ikX=M?y4xPa;mc`#jCQk1PfL?e_~_^YUrtes#jBHyJekFaIb z0jq8$69~tRtVb_Rk=U~_>Ky~+6{0xPifBMRYX|%g220pDMQJDrqo#{xWSJjJ@z*#- zG9=FKw@5@SMus#8%Ig`cS$1Xx!OT$>s~Y_-S+s567e3;|TPC?CKBovcQ%uwXed{f= z0a~>+aQR<*lO}2}OdE6~wCX1?CF(-FRmS5~)=kxgzz;!innpKn{kDC}wB%@b)G`SW zg1NCpQfpNi=W)SG*A5d|_Z_$>N+LMrDvW>r_)~7$(o9G|L)xLXcW7+KI{wC@?Qjq) zF+^<6i@Ib+FhBmR&Z3h8T%~Q|XrJ4$7 
zW)G;!s-=Qel_1OWXpuA;6O8jJ35JJd#g4K*OdK?U9XV1=4bm0;mY^}=%uIitKHJSK zh??{74dWuKUs`BW-&<*Jfw4eEVv ziBT%ZWYuKc>Km-lok|sZW+Ze@T3HilBbLF_9Jt&oaTMBkd@Iz$D4N+gARX;}(y2me ziY!K8Vqt0GWxr_N?5s!cyx0y4-xY{jXH)DRZN8(206%9o_<-O5-%p4CBA{P)JpEtu zs|I|l$^;uBEioSrQv~M^5G(JG8h0XDIcUYWKqsPfh3Ost%!+|mjD@+7S$3DjL;jS34(SO?AJQHI#T#ZawZRs`%5bWL9vhL?)$z2Z16Un__wj%SJe? zB?7P7twD0&2$Qg`mTzr3RkuO6qD7+rkGRmf6_zy5ju|uEn22;ZoT+47+%ygDL9(93 zGO!}UtyEl=VP3F`f6VqaBiXMr#;8L$Ff6-*m)Z;~X{efvV!$-km}#fpM|8YZMY?x) z36)zZ{EVCife!_eurw~C7ASOx;WHp*^!W#aTYhS49vF8t?t8t0fqUy#PBe`8f7_2q z>pvf?a~?hZ#J^h~(1XLz2mK=Qf}}swru*Z#hNi@R@)s!Wo?)WLZKq;vZSqzG~Z37l$S52&gU%v7+Abq+q*74|l? z^|uaX@`)5@87f^RpD8bLV0+r;-~8!O6J*6O zT@PMJH*7aEax&r~l)?M3QsGF!=q{?>w4y}FaRf8P@U?r>tuXIidX37WDduixZLoqg zglPO#I?cE+7Q2R}GVoc|`WdQej-j_Q&K=Z~?0sLA_pTrG4T$(e$o@fJ#Gg(0>-gC( z|7-h=09=?7mWVXQKlwZV^v9BQ|3gw^LMAiD1%lq|J@j5ArCVj!xebrBZFwE+r|-B_ z-`{#cz}NBYzb~+RTi=nr6jvbltNT2S@#U>MKc2hHZfNM2mbUgB_e8H?_IhYpC&!-r zeO9F;&|WoJz*x>~S)>7Sv=a|-)qb_ z@TBzL;+YS>K;G>y&Q9Ehs9pc)ZO8BmxVDp+EaL#277VzrIt;Dh2;9=UjjnO%_PlTG zx@jTxMloD+oC55aVoq-G+VJQ0cF`meT|s%z_wAyTS zeCED<*%rr($MY}f8jZ>Qu)mr<=X_85d2gp-)wrPqu49#5X2~1>E^@fM?}wk@-5>Xk9k0R&+nV$3J5XOt*cn14ronZa*y!b!M=0Wp=v0ik^Be-Dmw?99l1b`ZkXc za2A>@!qaVMa`$sQRd2SPbpL*NMBDM5B${~eo&HX*b4%krIz#AOqxoqZv8W5!J+4o% zSR2Q$r~B*blX#T>%f45Dx-O@F3y>b_-?Vr9kzUpv-MRHJ-TpOH_`Yk^t99@ZC#j;H z@XiYe*!jGfcmUj1e(%7D0-yjeMo^!3ZvaLq7bL687?+>Mk`sWG0T-bDyZ9ggo38`j zmohF_()gqcP|o}Vze-jRd|7f2qVZuS4xpaI(8d zu~?v>R)W`*Y~yJAa$;7PQ|3a{uspiylODo?45|yloYz@u_%vZuIJ9kMMDS#0M6`>M z!s+nY&VplfozcrE+DiB_!&~lwrXRV;*}K)avkS(0wC5ben+F;E1g=GY`EU1IRh3c^ zWhm`Rl2k;OVo7whLcwPD?Sd~)$+X71Vhihm=~vR4##pl$i5a2?rG(1=iPIzwCMs2+ zJur#hKk(E2q<4&`yWz-)TB}tix3f^Expn~k+9p(IsHBQNZDte0BdIG)z#fJFDq9U4 zDLj9A%UTu1{D8W~_r#I%ee5iAblNfBoQj^HQ;#CLzhx#x7EgUd5On+e}^gThvD zbkb?1naMQSjwQ+cmUK=&qStByB}yp_-PSqnenI!9AbMmMv=o8KRSXjpe!UJENyixX zktJlT@putvPP=K6XpMX6IQhKZE`PuJWJpH*umf?ngBcVPG99KvIFz<7R&L_q(hpj= zmaMEsPP0+A)|#+j5y7f&Wgcgw!HCoaq6}8*I3+)HH!|LPMl99w?A&xyoTtiS%D9%X 
z4yy9hn*OQ(ibqT3jHkHc72k+Wxq5d6$CP14|M%5?b|9*_%f&k9Vd#3U1|uiWumK;Z zBFiv?OgXv4oNB)j8LrTOFgFbm0#qQZM=Mb&9`{}kMdTf?1I>m zx=YSQeE(qtVv`9b-g>2a1hqbDBU*9p5{_WXtslqvhOAW0ERj`Eu`I-R^p3d$7Zb-& z919@H7y>wbT<&A%BNW>OB;gHm(;>3SrifgBquAr5M0!JHk13H8>2 z+73z8)jnzPNbH=UWW1At8jpT&`trCO`{*pDSaQM=M+B<6wG~zo2&E8wsf;og5ruc8 zG}O_#Xds^Fl)MgYOn207>aQ3WiKfxzOyl(GCa@U!cg}403#7WeUxqE&Ca^~h&bMCL#t*hbxjaN#5!|7DGK~5hMkjR3l2#5AjUf)MW8!R?~vB5s`3QMeP~d*%S*O z{f?!SE2Sw)^Qz5?1t1vN$hu=@I=avUG`OM)^RA+jQ&aXi8Z$P*(UYQ{@x7WpwU4S; znaG|a_DiCr7h=57_nNgmp5z3w%Y?#5_}~wdHAbltjNq8U3A=w+{odPnr4P#W`BaP2 z1?SHrg*CTW>cKF~`^YT;yIwsmKHro6{_CE)*wU=~Yc z1y1IC!u!}^;o+}7d00a2&_U8`Y!4OrB>tyk{}Sh(1QDMpd! z`?`K=b-iKY8FPu}aS5D~*9HX10h;b4bo^W=cmg_}=)VgNJ#bT+y^?mNK zIB<)= z80Mw@IKnxa;dw)K&o1wuD9{KTTSTna8!rY~q63r$6D<^YE|6ZU*5Oy`y@?H zTpms*O#sfy9sDKf`ZDNZ2*XlXo zkD~HILkT%iWo^OECZOm3vzMS4K%~5p_pvRK*>bW3_~UgekQR9h&+ooyOKh`(9V`u6 zf;Qn2$+W@!8RQZbL6QH}b#ZOdhY+2|Rpjwg9=1=bAoW8G-9Nwwl76d9T`izl?C z1x~UrR{hvIrAfA(MBXjk{t|~F; zgj?r^VXP$arC~f4G9UPKmM(qzIVvk5?hR-Z+&oz^l;)io^a)1Wcr1>Ff3m~jl%>DD zf9FYp?MwqQ`U@Bym2Ej7lUsa2ntguhKr<(DHawZyo|FRPuoUcDz|;o)zK^eL{%Kk~t((hx}y-&_GXY=~So+S*0KKV~dCsqwGH*OijE6fCbtfzsCI}WY5lJL-lCTXDG=va1&!B4Mm{H3EWs?8WF~}<6Gh> zB@wz6aaa|`l;F->ZOG+^1pNs*_&0llmNgX^qlu+@CTAFfb?-IYEUi^j@f`Gr4=C7H zd|a;V`@|m_cR^(5Oe>Z?j1z6ej2tMgkB)ij!Ad{)=Qq{NE?Ziizg=e(i(WIHOK!P# zoX1V2ptZ?1A!8(qx<15HpFkxI0mhD07hzmA7N$o+F=k}b944K+M4wRdlME8CpFKv* zE9ce)oAh*dGj*}!P|IW0ZG>u)%LY|+QImdn zJ!m#Nt5dCROP<{`=IW)K*@=rbvbEsXSQ$@RiEdk3gTM{IDl+GT?K^$k_c|byQ!1bo zAP1Ml@V*0BML>Nu7MZQTf{4lhNh8$NqQfM^VUP~lY(OIcL&YjRA`iRDgTFAuhi8&J z#S-DA2 z?FnPF)*pSYBl7+sUU7* zxAN%96|x17T*W4iD_c8HD*lFA@;tb5;%~Uj$}+cQ*%a#zZ0M5pFMOehF>m3vf5x?v z#AdM5RykRiR&dqouDL#WRunP#e3Wh% zK%yA(-)H@kc_iu=4Rnl_V&VNK@}xF@eBFuDJ|}#S(hGI*}k1p|htv-n~5(wy<2xB8J0VfERFY&sjIF^8D4!%c?DZTvZ?mtf*3e#LB zE#dk)L|=V35p?@*ae6hbeR=6^)9~Rofby@KXFP@({jWj&-9`*uufxh{g2pjAm>h2I zujgp*jqGW^0pq7Jtx57{d4Dr>>Cb%QDZJvKbaXEE|)B z4}^te-9~EVOD!wP4qQ-lVuGYmH6#c_5MzZ6%`g4gcC3%OMN8qJ#kTTfe;-%m&58fY 
zou`T&_q4QtH4oEffO5lrk}XU42c06>r>>ef7PUw(Plh(YC;=jUh{mDkZU$tLaPNo; z7Yv%+mh@G^6u1Q%l0qS3lk=>rHFmeJSs^1&U2h6QnG|`ndLx*&;^0QoDh+HDCIZSg zR}cG+j_oK$FJh57ws^sqr-Ikvui+4^MQYtf#w?%mgqk`=R%$OTaz%dWp$ncMB{UkT zh`u=T6$ra-s_U|6)I}`^x0<1_m?T`7WO$}ss6B&x=xDeEDla1lHiwJRNk@giXxH%a zvjNj2*iT3;T}mw{mn5cET&S_aLCNct(W;g@*Jace#gK}@^`;q>W-(J`IyP?}{A4kb z{X45B(@>GpM{-O^3fGGM4W*{ys6`}RiIhDTuHMT1=VOp`>k)B8+5?(0+dBEld{xZZ zN^rVlPM4@C_Sd1{8uz-xXsvzFAJ*_AM)w*X%pLCId5$UGWNb;~>r6NcW;Ye)os14cA@K;eO?424lT=-vdANkg zSa3y0>A+29WyucFiLwNEu_m)s`xeTQ;h=45c%^(CEs zL^MNG_3RXb#8YoEJXu~+Ayyav;y1g`_{=T~T*jXTSS5zzNlM`c3y==j6W|AAm!BQy ze{(RL0FJJlG)N|tepG40AzZCY`>N@SC`37E5(X}D7U_|3v0=|&t)=&*5z@d_aec(q z;dncfak2c@3(9FhOvUgKLL!#j-BR6T?nb3lkK}=KVNZ(ch;62~-nsklN^SV^W{FIT zqY9U*|6)<;?%Nx=fI^uJmp?kFvsJzQqQuP#GvJG$`$bF=%|8=^OUUa;B|8@!C@Zu~ zRGZicpP1IFqtLRh%lnxBAuSGKeZYaMKuG1&BEYJl`V~*OJ{mVy5BdFA&VJ3T>9)|O z7MA=Tm&YT`G51k69CiYSEBkr$-V3NC zpu813!HHpHIN>Z-c27bOM~x!8=>8jLwz;T^OxUUXYy6#3)5;pzjFHV9vLtF)G)%k$ zUrQNr!l}v-p(rfpcsa+Miyll5Qf$(w7nMX+L4E>0HdLr|(;mWJ-!>f@b~dW;c~rPP zFT4I(cfcl5R)ttv6owXEl{$)MZV~TnUd+?7uvVHCcF0tw4mOH=sWn?^7F@L+)11O{ zuJMo`Lu=}vT)+1`ZohGXsE9y0jw$%a>He%0sqYL!wp39>tQQ|&*@$wJ&QA{NBHbUU z*~AOzt-E6C(>L^MZKT0h__bCfgvCc_&PN(5*3dIDcmntgN^B!JPJ_s15kgDUKIsTG zQ#wq~fhwxlDDi0yabj^;8NbTu_hNlkJrvF>--T(8{~dsEkT6Q;o<{*!Z@|q*1jEOU zI}WYiGQv%ON^nrWWft+7!%yWw?>hnf6vTJ~Cp={S)uYYA$vi;njZz=AYxAh?bgOv3N zSv8&`HCuq5xJIh3)1eKzVp9Ym|K^+rbBkpa3fn)L*CDmwEBgLd?7f;xUU%KOt*;+! 
zY2GeAmB)oA2It>aT@%f1^3UxgQ@Acu;v+jgYf~Hu8z(n@BT*Qc1U3W*y`0C#Lru{L z+nBuFuiyl^zB88_g^>x?C6^ZIv{}J(@|DXR?shd3aSDr^)Lbp!*HC-2s zj_z$5SpJ&-ROlYo)#1>Y7!0zyI>5&Zr z?_HUKM%P(u@$%+ur%Ux7Sl6}3Cq&CiYlqLpkwJj-07+iPUHL@($A|ZX?(&g<*^B50Er!6~SHEyF1v8CznuamYk=UY__zq&Q8Xs$?;$U`v zr-fjFIsvzzL+tKOKq|)7OND3Z_aJv~2a{K*9=FBN)lQxj#Zc-rxPPPeu?B-)X)Sj5 z57SNXJ&R?<-81vkikJ_050GC0_zB$IyylBWBY(5u;5{?~#%jVMuS`iB(O&-xfO7%m zW&Xb3>A9Vggp^H9U zo-Nivx_>Z>I<5@4ocl);ddzhRW}z?!9ygWvm3P(NSW9Glg#I5mEa2)h{-H@zCMu)A z4lTyfG+eY%s>>IVDBWS z{b8`Qyr|h<#yXQuWJxBwzF(_T#j8LM!!>c%QJZa#@&tnvag5>;Ta5^$;`FP_prvT> zEUDPh&RgUQz$0{x)+KUadtF6SqyCq0W!KI;`$;0?Dr0WW{sL_Z*#Yl6|3y0gF*MH@y8L4T(t}vJR=0)t zYHPHQ6{+06a$zDH2u;j zY#jz#ZC+@H9zCmw>hpvo(cZ`>EB~uQ41E)O-vgE{K|;AhBK5#iH<4=x54d4h2sY?Z ziZ7plJVmr>uw{V?6uER>P!7?HcCzs&#tpri{$xEcI(102EICQ3x4*n)7Ocq=M7r9m zRl7C=%uBJ(MvB4yK8=|O+F4%`PRFe+n@R)ZB*Pv$}kP%f+2F1_#!!oH7XV*q$x`q!Q2wuvnl06XfAxS`dqHHVbKlE#6UaPSF|2X`fp8ltg)~P`I>&6vXsCsQJ{p2WIZ(hW?o*aHrL7ra z;mw(Cfrh zpfoN@HV#$YIwybPbM+hFYZLPhGzE0Nop`SkhGwfG{~G=YH!`?UGVy+u?%jM!?L17` zY=jJ7_F;gxNW#BFy>xSt@FpgwgaY{5k`@iZEjEE#SeG26hRe=xVVUDU0}sGw7*TXA z0~jcK0rbSbHUZY+w|hT)f3Bv3gfOA~ir)pS{T~IA2q}|>nf7^}dv%;~Fbu1wYaSl2 zWeo11Ub43?x7xEAHg7y$`tqkct%9%6wUXAvS1<2+-83jFni2Fb`f*rbfZ(3 zntn4~+>R6VYBt1NdY`6U&?)U#C?E0e5X8)B+pND-bK_ zx}LpV4EztV!}8fQ9B$Wq1SR?5>^Zm74` zogIMGOD0~cJ+?*Ob^gasV@4~y#md^rai)!J3(Cjz1;dwLqL@an|5Ue$Tj_!nTiV@-u<_w)fM*v*)iZqop?eFT_s&8xDDHe?;n;VT@_+rz6n6 zm*v3;{;ka`(|dYnOx>@=GhWRz-B-({J}>;*ItR4_E1eg!Y&!re1`j2>(C**ac|5Mo z!2;^mK0&Dy^cxpvp#k1o3jP8A%tc+Mx?k#Y{7+(8nmMjrfn0}=&dk&Wmi5n0(%Ip= z+8@KSHQM1a+^h*nHZc7CX0mO*eP2G(dkodS!-UT6gZ({(-`aR;JZ>0*O5ww%1AacB zp8p}-^u7|FC|;yyKWBHp+7IF>e7T9CB;b4P1KDP3xOYCb>j`|V$#LXAY`&*`i&&JL zz49M4zXkAL0=T|j1a@RTdA`dBgnPb=A9^drdSj!jkfo|{{7eAJz2`rq@(%~2l8z-^ zgZYi~6fos=*ZapJrpBn4UT_SOKFbY3aZ`S?%1bRGK2+IG_VI(PY|*iEO*9K%T+V}W zxmZ??vTPFns7$e;99l$R2l151_QW{}?sun3MOr5u67-)|Bh^ZACs1*(Ok{4XRGGHV z$OMx2t-QTb@Z?sQ4bAeMDh1@Bf*tD=X4u&w8qRsUl6gc84yF#$*&*#kiK3Qu{^5rHXBiWd-*kD}v 
z@Vk*1B%V%^SgNR4UJMR_dP$99iKtbN1&Xv9uz^GCjJiOoamO@K>v`BfJ$&PBYOBS~ ziurSqyh1!%Mp#&(?9ysD^c5V%%aF3xNwo)h)|;5ZIY0RsQpDA5$zobbOyFZw{wn*q zRcg?z`3=g{d8jrq*+v;c`7Sc4gxInn)?v^r&e1Wqpwz#L+xHTlU`r}IiOWrY(kRW> z=?8Te=ZmoIoPjNz0KU=zR(tU?fMcu9H^4W=%nzL`ym86q=frDB1Ef&q(%q;7D^t3t znXE@oHGAf}C5_g!gcO{@O>5Mi>(s;mZ>x;Nqm~tCww&N&3f|~V1fyyb#`;udsh$=c zE8QK`hSO3p;eoZGj9rY$idb0#ikx*B8IiB9908rEof`g1yLK9-k5Lf_w^617*5^RX zrtshw1dF*5$YM4ml;qZBXBMTMgS-xGaRhTnX~QvPjkPC5QO#J(4#yf>NT?%RSRU>Q zDejyaOH3Ie+PCjlj5-)}faBfGFM&@7_}nJZ&8el67@^ZqLcBSbQ5gC;z#3Bi$yDf z>=YalaQ2F@BX3+9!68*{V`2SMFD{xL1*5cIDWiW3TXmJiwcw{s%9didHHYbrNBBZi z*ZDe3m#i~{D7*Vc)ld>h_dB#ZheXFhl2Rj>6mOB)#+Ox|g2rrAOiXl3KWh}mBoS8b z2z4I!tuYgnNTQHU`JR#EC|)?*^V+z{SOW(rXB8qqRB>menrCR>^0VH_ErVGt5%w|B zsk&wz329|5<{Bj6??w8TN?5lL#G3X7LHH>y1WQ4L4t$e^y=!)iCT%aVXhX|&{3b%Q zv-H!yia4RjRMI|5Gww}Fj@}O{KZM@MRQ^L2|M$~>Gsbg2jPc(8DYfvDm$$n=`zocZ zF{QjB>Lc7|{C5zb?;#LSh$)=F3U;vS@uP0kZqav=IlTcd>1ouiut5W#{=`Km8WT=ygBWtieqNxIFW0|85TO-n)4^CA3?X ziMIWFk@;@z@!9C|KCr(JLe%yAQLb*!_&#&>?CE(Tg%I#saDVw8uwCLk$=t%_!_RIa zrl4u@tPi+*0QkQ}T=cXoTvuzPf#RO6xkjQgi5&`#f^K zD3q(`d8v=Z>LeL#^6`nzb@pMY%eQtL$*?TIw$4VT8K5ofNzjv9bxnKJ*bBYjI&{I$Aa9(Ih)q9=|H} z>sD2nm!_qWN-`6bZFGL^rj9yO^)0U3*PKI{8nP%3U%^q!(lPbvKqBaLBK^_Ryoq&N zWm0Nqfn}2%bIV3F_oE8~Ov6apl|2)EbyaVSe;G`0!(uN{TF_ zjHTuz)A1vl6>_Q{z(c0wRr88iG{_)uvqXrG!~_c)Ofl@fJ(CDtYyGIBhpK!E`_jgY zPl2)C16jFX5`od0rXDHCVZx_is=b=v!`5JNDq!l#)M9psog&nUY=RCsj_c~_j3|bL z^F6d|3%TMQ4(pjkrpGv6_lwz;$b6-mpy$S#lV~G^Rv4g6JWi?#qp*@kKN*x(5}iS^ z|8*(F@uNcQ@XB!j9(%pG016S-M@bslCCKcAW}s84zP^|xS#;!Q&U)BOLX|S3h>#C0 zPQi~yLe)97gH(91e|t>TWE`6Zjm=_DJxFm*Gs`l=ADy6RnbPE0nV-ZLm&lS_MU!Yy ziqZSc@zzco_2F+4;VE4qQayFqu|&}!l&TO|tqRSf#pFeJy?7aOc$xP{lmaKhIk(5z zaLh&&L{MNS&gM!~C$u!-o_P91)d@QxgE|pBYmw(>!FrYvUYQHmoP9JeSG+}IuN4Z6 zcOy$QmHVv=_t@5XwQ$%g$&;sUkJxi)VHFX8nG4BJ;Mg7yBAMsN_-9m8RSRUCAObUe z#T$IytSeVU!B5B9Qn&EmJ&5eQ3!k&Tg6jC%wynDHVW%%xJcG z^@M7I(D3gh^I9=@oM}RZ4Iwfmb+F#q%Z%cAQA*54+!Q-P1dNWpRi=BT2-gWU%|F4~ zbT%;;d|2q-$W+Z>Hi+dUF!dF0pb-*cvd2OavYKy-v`D;+_8+WDI7f&51!}Whn6Q1? 
zK`f-aRvu9?#J3fF8>&S>aW++0rmMa)S734jbnNe)h_Zg*VM=TrCCd8;iKO0DI>%@N zC=Z;P)YwOi8f47}ky+FCHRo_Fovd-D;o#YkSx}*+f0rmhu4Jn#kQCX{D<4N~Q>civ z=x{^^%)M3RT4s@om`UUnTtC%E&6B2x2IX{-Q`(z2Y6R`gevyh70|hR)!ORisC5^b} zqbny{hdv;QoIYQC0x={mdvWBw$WIPZQC{) z+qP}%oO5%r?!7PbuwV9C|JrNMKObhiL-es=6S!m(zRTKvt%0n1#LlVuSOh&YeuNT# z2a$u;550Q45%Q>^vb{e0<8Yp0m(L+!SKmn1-M$~!0I>HV(8(-q%4PV<;qD7-soo?u z-G?G*tw?Y6P2aIXE`|F(VD*?Gxpgng?4@MD%5KXB1sKLJ`vSz3YOoU6(RLos0lW5h zm=VNo?<_pMQI;}hKfTj~npe5)2;JI-bv-8tmZx7|LR>J~pSiv7n+P-();#c!%bacM zo@LdQGWb9Yk9Y!kVXfLZggD@zxMQayzG?HJ>1x=fmX7#HtR2TmO^vPvNccn zjdS{dW%ARos0JcrfM`aXdJI=?!EK-8qrNfDe*Mkpv*QQx+ z3q#`*rl8&Gw4fcVd0ovgk6D}^q44(G1S>%APv=c#)w15}4F5GzPNvf`T!m_l_GfAp zBme6GPoz)h(!~1pH?@~R-3l=`daK*R7VnR`jsQ-()~jwVfrnJqWbGEuop&(?ua6@y!uKia9;R!rov?~z-{)ys zo4!mgv%E`P_k8aQiqM+3If)v)R!^G*=$n!n|9~!d7>c=n+kg${D(ITmL#rWZxth+o zV!MrsEmwcn(ccv=R~&#f!yAxApi;o%8zso#5}UJdqr}%|E15Nk^8LKpOXDo>ImXL4 zt>Nj_g1Ad&Hz+~W?iw^FgjsXD6_C`x&~Ea6^W4}pJUY%Oe?@nQ-z@U@0JHt^5HenB z2Lyt}K;Y@SY48>pC9r1)@clnI`l)LG+&mL?#8HSd3iiq44f!zW_0s`j^6D`-ldB3D zFAWth6~toEI$^pcr#b@kHj=uB{BFu`B=pO$UM3XyjpZ0mQ-3=)s}hG$W^ASkKyTJf$3=TJi~@C z`+qi*C_$*14n`goh97g?iB8w&Sr>Y#$#re7$gS$+?W+0OuU8xs{P+M(7r ze<(A`@GGdu3tH30{wz_DShS~}>Qg+BEoLYJt(ruTz_<)Kfv+~^#;eQZx@Hzg)Tn{a z(?l6ECOwVVS)dvj8XE5BV`H$9y6DmnJy*Kl2GjPXo6=Oc zg4baDk#0Xp>Py<*a9kfMdaM(o##wolDK&Q~b(SL*MuqdR{de|AwLcPEF7t`T<$yFC zdCU5n)uVj?M*V4Gy795CtgpkmKP+I~HPurWqLu69SfO>DD$rDH^1-|_C7d_UQc}eSKVR*vQF*UV4>b`!9FxerV(LgcxUMN0(=`}H3aWDd=U>!rQC0Hw+~P* zsPxT~MTgAkXRl-tk)P4cmgr|m6%v1MXjO`!z6xv4DL09GDkmj4uQ?8>2pzE^@00$O zEeWJJe%7iR)~{m7z%z+I5tqi`rNfs(lb=HPDJZLt(-#jriZ;V68!cg-ISV5mXa2pE z+|9Uz#_Uy?@cJR-P;jTuwgXO~$&(NPb>mO9halDi%uuU}j8m<`acuf>mE*P{VO*-# z`{6N&yeot}P$$#><|kd1_E}0gCweN>aZVrIL}=Eq(|`_`|lU;j^na?m)tJijmRs z;Fz(X7k!Hng{Fd*$o?$I0Y$~Ib~9lM24#P8uy}T@rpvS12=Dl75}rO+ zP&+_rSfT_3*h*ZMbC4uCrOr3dh9wIt&W6Dx)M@|Bvlg9R(mf%={BJ=|MKVSsElbNvYAWsloVPpv&k#$oU$`|Oy%DlUgSjm}h% zG|lc8RbRzjOMJ=!iwMbueObe>l{_xPgR(R_G2@1xOXcaM8_b@b!O9WnhGB7*cuC(C 
zl)j5Vo@q8r{CE{rVW}_W9Fgu56uJZzLNte2YWSyph$|G9&!IpVAC9 zO?vv$#CT|C8V(&nRm&MOW`sO?wi z!MChd!v4ZySe`V}8<`oX-YIZF>W({z5|ZkvNUUMPH~R%2=ckcI;i7I>lB3}|UA_v` zWYf2%YNYR7p7Mq&oUD)Ja>X}n)rh=Txri0=v+FnmH$wa!+3vYc6 z{talqsvY9B;yTa#2$fRX^7}%kc^u_r%XM-V3ZfB+Pi-51WwdJ?8E@(FdY$H&xVl}( zxrmo+4Gbh$2kJ-w}n+3s0NcC+(XoIsBOokS$~wTzC# z^S$0)$KdsSrZK<&m9YgYk%D_oq-Y~gcWzv}j~xiM@V>Ra*Qv`^46BY^jnL9a zJGS`SKNPQ*LpPdE6y6y&AwTE zc%R0|Wq0iem_fO9KTolwT)T|YTwif|yxai^y>0vNGytod#Fzmq)Qmq*ySxU6e(dqC7F&_WwJ|QqF2xuXm5B&f0+(68`!~5+U3-G({ z-gX%nN2_1rTx=Q4oP2!sy^*$dMYa3%)sBnE*90uKJFEsS5>ZNtkh12$IBo+;$xKNB zQ{XuQf9|J{kd-#a5yO6EUk=Ev&!SeFDLwvWqga~p?L3C!W@E82>MtbMj7u~^s8IR- zE{k0~8vYe)lTZ(FVJL^b3T35QgObsJA~As?%(t=UIg22>xM0c2GIu)h+SE<+r!)RK z(&9Kn4l4xQK-4f~6?AM!>25ATzA|QIT;rsRvIOC+`ataqcQ`1{71@Nqa!YplhE3-3 z1xnGJg}qUe zxawzBp${LFSr4NO6yS{+;a`embKx5I(9<;u6z14FxiepK18x$0H|*D7nI;M~($kcVc!X(R#6PuDi?- z{Z86bnrvLLGJQbQH*6WUIe?sM(?njs_r*lm+|3a4dgT!(QLa~7tz@oDI(T?gR%;>m zYg|BaH*uGOPY|~wyfZDeL^vyZ!tRJ8uLjf_eRrR~NY7NFgr3EKeVmygsY+mHF&5d_ ztAskPkU^80^oXK|^-(+&Z=aJ%lnjmmtgBA0qGYpJxByS-bKRM~x>fo?>7Gir3=s1@ z=B;L~r*Osp@Nd-V{kHGKquxEs=Epq5aS_<4TX3(sY!|u{!MFi7Lt+6^tAIzMD^Vns zB7CPmFNQ*$e-ZANfLf`Hu{QH+A%3aAti*59%2jfm?b6pvWUM#x>~fRyCZUF1)q$YJ zNt}@dXxdW;49mx%`eHa;L!w4FIwc71f9CA&)JYX)Xa_STK|gj338q5*vuG(J$k&m8 zJaJ=~?zMYOSk0@r9N1IWcaz?{`9(ZdTCIfG1l4X;KiVBQ0J)1k!Nz z$@BA0Vym$7vb5%|PAr_Y5tKHG9-5MVS=O|nkjT@F!DWHFRwpMCLg$Um!bjh9XfbG1 zbZ1bxE-T0{nD3`z9%F;^tfE`7U{0bIHgC|CEaJsjS3wUB%MFkFx+Ytd0ohT`*$k)w z#}_NEEHC;Q55kcjjVi8|g2of}F+Y^ymwy7#WPe+KgYT7vaKK2J% z%VHnSu(g{7;ZQjQRZDy!fsUYg=X-J25QOC-NqNbl528(?yPaYKZ}SiJ;B-8ZED^1r z0j=imBF$-5t!czd^JPy9b^vzSv3}BKJ*$xT-$_+-5P0S;Ec{sc)v9sl5F(N~jrR~;eC}F(K!blBLxTGq(uIlf`fjgRz|nu6`N3`?PK#!K?E_<8 zcp5nk`{R^y+3c<}-Go)ImD=WAI(f`iiSMpY1@LmE3qu)|SVkqI27Tp~@%D#g!kwSWH|Nm%7PQc2$o zc)gH|?xug8Gu{0%B&PN`@QvjA{=)fV_14}s)>4s|LYLVIG<=2 z1q1kGlD5co<#Gn#*ZRG75iQ}~Rr@{){n}&iDsl@O`0y-+(c*O%T@s?^jB!FhU`4p` ze2X4xEmZ93w^iP-x|+hrVpOLl>lE`V*=x`Xef2)uXnMov*oK44JEuj!hsW<$O402+ 
z>PgeCN2M7M)MhXZU8A#K2*qtw!sloWT5UjjFZJ`ioLkmiF=4iT=H>+2*r2uMzkS-Z z>e#Pi0uKc?&Qiv!Sj}=Um&l@DCiw{~>*ap&8+UN}CHnyrC>a+1Iw5&O@R+qcA7%Q; z*}v_?NPWDXDEmSGZ8NM>`KC7ixPF6_(&jy=Q@_>3xw)!+oi6i{w6Av6_Gsij8|r)V zmkod0%$oxYt_6h(pQHd|GPA)wF)wZ(NCjBHaBg$cni=g3s`txF^@N1tt)B61Gd zD4|NZzc9=|;*{s8HRY;t2*)gLQE@?5=1x7~n@pu19PnGNDDg#W&c$|}bAXBYIg<1n=@ogV!hlRG70 zK!8_~=*M3n;3BE~T~zkS!ayQox5LRtrQg-PLZN7Cc=iq955oBmD`x_$AkDHfAsxwo zXm|D_k8A@fv8^@wb>R{8+~q0IW(Tf&;kxNT36j5pod!#pzRC|3^kjj_+dNaUu(-dC z9fy0`ncv5q4kWI^uZF`*m1;1808dxE7cTX_cmO3bI_MunS{zU#x^x!lY%=T4g%WGZ zg7bwIYmE{a%@(K}^_=d;j3~%l2uNbZq2xqTPqD;A^@%=$^0BvGFCMqIiVsc>P~11K z0@vrB)vO@Nj04~8XQ1cRvlq?F;!-Q*amIJ%i;`hdcv7k;7uxotuluFeW{nt%VeXAk zr_qtlkDk>d(s;UQmRX$uIBmVygT%zbN!>CcLs64H9`b@PPPqDnm(b)$GA?eK!L@;MXwplOwXDkS_X-uIOVrphA&3v){7 z9EtP@3CnmQ$plwu%C$rzxNnJ0qc40pRGyPyS0|gH z&`wS;%0nTeC9I-(|G8{kzfdqIll~n;s_3ISWxm9-ZPKh>#x>ZKuA?K<5W>??gpGpp zz|v3qhddDIy=~l3Bw&z{nn|6oSj}R(t8Ba?TVoPajM%^;lYoZ)X=eMqrdO5h7M8Pg z%_f)F-?@h=JHWkWrDc*VQQJ2WTb_O7^p`QMPDv%y-~~rUH4So#Wl_1O zyu=st{$Rt@naRBqBXEY~SJ3ra4?Exq5M@-6GYgg%Q&!}->0u9jXY1Pi6C;cD6oT(q zD8pY$9xYR4*ra05^kYb;&g{(HZozgZDXz@vF^$*A(WqsrKTlxjfrG_b2|@_XdxBVb ztF&Ngq69qzS}ywrTgA=OTAnIWyX}ZuezD(YvswguAm&{k2E%0#1*fYRzEH)R$-HUq zs~xF%^2s1xKb-Q8AkS`8RfK-Mbc3cUR+1H>atGO3lA-@eta;SZR~@>gF981&l2qx4 zwGk_}17=;?B_bsyGtrZLy9y=IURoW5J4F*QRnLtHeQvs3jx1yeuLCmAA2YS0Be<)T zdk?Wf0F}J8R^ITkh+VlyvZ(`RWhT;|AT&cor8&n)JIZ?LNwTl(CK-inP#dl`P;w|_ zr+w_+=7mX;Y<;f|oUH43wipOz|Lp$3cg|V2ggALv#8)K-b2cpmW>xXNO(z<;uFmn=4{E7un}Kc4QZh}e zK02EGI?sQVT-V#Xe=I-qVt3kJElqE>y-P^}{2>YBd2L*SoKGfav{IyJL&w(bwY+PC zH9$L|Jz3*9j|By=)}Z9jTQ$DU6F&W;f<8j#_?WG4shGiarN|2#cS;c z6qw`Z{5X38s*dt454YuX>*q9W9^M~$`y~;APO}Z(qHL~S%Npkbs~)>?8%{<%;HD8qwdh1t%w?8dijyC8D<$ygeH`R@IV`7pF6IS#IKFe7*2S$D zr5H{a1Rk6tdHw3PFCeVezi6tpUy6Qb@Vb`4%zD}kw9URB<6LNA@U+|f#p}BlcG7EpEtJeAc9vsQRCy?}huCj^GVvD6y$I+4e^1_b`aGU$XXW!t{ z)3(mtp#vboQDbT>LO}`>Wc`THCjBrj{V21!ZN#k@ygSp?<)X`WLc3 zHXyy5sCe#In;IHRR(z;gQsd&y@E`G!AXO=2ie#SC0VyGdno{YpDplTqZ3*bKv5}Jp z7|&cR{3wKToqUWXlA=H;5)P^r4oi 
z97#hHCKbJrK~M7q%cO@};8(Y&CF98op|e1ANW}TjYQ;+>C|3N4LaX?L{y`!qr^AAy z`7Lw$Y5g&Mlgu(um{l1km&G+M?X(rcRfbskPx;T=~PJ>WHO_B$7tMno8~Yz1BFq{xLg6UKU_7(#0Bw|#7WVqOY`1B_q7p;DhQ~Y zuXu7r#j+At@NJ`|sh>0VWk&SnNyLz1a`Vi*P^EP#W3%{B!|CcY>$XwkVrRpZYo84m z3Ol4mi&e`3n`y~I+`^RYDO1}O%#c4me_N?O8Ky;uK zpm|spXdgKv0qb8XKlr&041CAQ)zbuPReq*fgU=a4z=sMmE*%SvbCX|o8Z~at!l{)) zFtpJ6aT~uUF9Oz_COhbcO?DXoA}erOf1Ew$aE%|No30)MIK-g21rolt7pwovn8d++ zX4d(GYbYvvSPzs{z*l4E&!*{TVMDGX;DMIHuZ1XI>{U=#aD&IwnQUSEQ!Tfvoij~> z-maK-#*RM@PpnBGst;@1V7rNRxE3tYo$87p>&hc4e+sA4Px8LXVh~f0PsCodlPo6_ zsT&*K;K9eKKp~V(r&2-`l<_i>Jk$QWn49t`agPm0W>_^Ts|}HDm7pG9@>|GhW7Z^b z0bjC6A`0ek{%oZpmMDU_Elv~bqx^wnw(@VsCbmNr-28_w@*z^Ziac=-HQ5V@$MZF69-JHex=D)5^;y_S- zBa6H5@3q1bIPXyIAN}XbbX$y8gGEMaIA;(b9L#1$LERrN_0zgj*@#(AEGS&J?+t<# zxs74rj%5K0MI`~R{1EE&9G}6ALp|Tt<-_7@L#G~^1Qr5H#V{(yd8)J=#;^qCB*b7Z z;kbq{{;x`Y)1l%JH%*U?=p+a^QSXA>r^oOGLaz|3X+Bi;wLOs`H<@sGhcT=)j@X*m zEQLTDwoFg$lNf53m5b3;8dF$x*`^g+G6iDVNFfGk_2oOCh?BoovfB>moLPIfSmM2z zeXKul6e$+VGThfI)W+D0=EwVt=hD;3A@46S%&;F_H3?+2CI!R-?OD~bT#4&7ala0( z9@#fcah`ks4?O$vBB%cA{tFW8ZFu+76Y-t{S7+XD$n&|`?OHX5#{bGX%e1c#buYGYijdBPBqu96FjI_ z<9hvS^SfizFbo2Jy zomZ=N>_en%{9&7A#&lHBlJ)X99PNIzXqhEmMtJ3Y=@DwvHL(uQ_W>Nv*0C%YR@*pV z_qj;A1lN1l{%l#Fmpg@b+caH#rQEo6GHE|Nnd6lWCn$JszmGr8nYzMCtDuT%5W{@) zgLrz&_1+wGlJnYG;}*N{-ZTj156JQDvrV$Q?)=#}ZToL`-1@%wdA-T^sp`?sir#H@ zvd7yv623+ITjc#{n^@S#S2piBultbsbX<_d>%3m%Q`g-UYc;>%iq-Ka`Bw3{U6mEF zE_K`-s>KM5>HhA1ZAa7t_(4_Imq-9l`Vf~_ZMT@SXww0_J2#tCJukCnNMooad~C~p zS85emuP*_J$@>p5oL$C?!_zH<0#}taRnF5*>q%-pR)fnJd~M37Kd+l%a`KVW^m=xI3oW|f5IXjLl=%XaYq~oi& zZa7}2tb~+vfwr>j_jv=xt(RRZKaKV;ELBKPe6A(z^-&3Gd=_Q%$p+2s);%WEfD?I_ zE;Kjf9@nW4gl50%&&$r4<}E13`enw5cbl*K>H4zF$!ouhGYff} zxp>W82-J6YTY_WbD48DhE}9|6n~ z4rWWYJle|AFZ1tucb~-j{z<&BQaagG4kRD54vm8k01M`i7_|MueAzrr#u*$|@H(0Q z9uzh@?Pr>UPY#uc=rpbCYc@GqQz{a5_GCr-krsIm6V1^nN+xb}hO> z@~|Y>wWg1U#))>jO)T1sMj?ubAy6t(bQPLeL95K-NcO&bq62pj?3G_njOmsSOjUa< zdh5&TxuP^D!(pCPFhy2XhnW<~vJ~p@eh*hJ*TC6tJF`|1Xk|-VnQPgJ=LIbZ=Y@RN 
zfEdpkF}nwJf0|@SiwzjI37K5ba9iW{i{^%I`d*O8;zfMZU_Py#MrR@QVWHo*1i<%O z&nWzB9{$?SWPBN)|I94s58u9I#)VB${u5(&(sm;inM=b`Ws`)fq5Zi*+0WW}mQU<3 zycxY?69tYaIx(lY!5qetjEsI{2G+X=7BeC2&woc;3LTocHok~cPvN&d5TZB! zdm6-PUf4(X=UY_c{*1G$jVx0u{BU>SdC8TXKfL6e_GEpK6}tkob=qS`~>}S||B4@7JhMo(rs6HH?f~s9#ETdx(Xi*r(XR z3@X-%jZ=-i3lFE_Ho5ju(D?ch7XD!h0tXt!F>CucD&cuSFwr8};KUMxq}!{PL*egNmhr-KHts;&fUMkUZV}^H{1ae9u3y5F0{(D4Cnv>OITC z689IStyLMXiN)6!?x>I~Fj$Z|!IC7|v@|$emWj2j*2XJvw=k>U^1Cgr$MP9fdw;r% zH0@92p~yD2t>2;|&B&?}TX>F_?JOqJVfCy<-Ymvit1 zHPrkKg3M|iq-(kD^5VRX6~!!~AZ)yFyky{dIFX=(k@{<8UItvkj%NxNg@3 zc#8do%5c#pP&jBt!*1K615VCu{~v%M{d*BWhj)MjJ5cD<71#&mRsyW$JnAN^bq5+I z`q|&hB}A0d2fp#U1Dr|i_#s4-k_jtt0lD9|*@wv~FI8K2gCMK*@}dbIuENFe8YeZz zKjO9_zH?UPNMt{LeL0`+Zl2#73W?fOxNv~&PVmCQE1D`s( zf=snCZy))=8(i0`>_}RS-Pa@U;JdML`0PoURv_UD{uZzZ`jnSb$9=X4sjGIK;$E#& zP48y=39z@DQ|Y;CO8qf9^#uu*+obIGy1*UF{e(h_&BuXai+aXJvsej=^0ba0qPrV# z0%C2wqqgCwt%h-}$rF5bEdOjrQ0@onPhK7d&d0P?e$2my60~r>b+|N^1V6^QsCFkF zU;^RpuDXCxR)ix~ZZ)3UI^#BVvzfm*F^;{#!NJqj^`^&2j9KuuUT>prCe04;72d77 z9y+`7FD5Q`%X7at^)v8b@oEJ-a(u0U^GXsPlL=cL_x0#U9}A$J&GF}P>=|gn>ZcS^ z-#FgkwSyo~Amf%@OJ;vf&-KCUu$@a#Ev?BqfawWG+j$md_@ZMuAYWkeQbm7B?>=_? 
z>TNB_si)!EB!ki2`sK~VO8d3rLwES~S=Z$~pPZj$atIUKZyYSu3Zmrk0@+Cneo|~} zLE_k_{b#>aCXR#-EIkeNh0?p;t=<#3q1zL5Jmn3Q65Bd9ad;nj?w2%p+oR0MdWqat zh;ua5D%giL120^sbv=B^w*47yUY#^bgOpU^!jV#j6xfNy5ky=R9{dqRjd>mxYgOi{ zKDp1IWE(AyE+1I0^p&|rKHFTT)z+0BcG;WKb)nh>rLM-52M)*7W7?*^c0|NG2QGfV zi89~TEWLnFUN$(%+|=2kpQuQPVTqxC{=t-T z<;I8b;si?pf~Mbo?BA;-3x-wHw}jE>{{(x4z0SYv<{2LKS_d?C7Kl?PAw8OF~z2%Fr0~(i}tfi>I0oMA$eu}ahL|Rk` z*x!G!6H+VVHwFDDmnl6-6GXw6F)N<2k0s=Yw+zI78ivHEIFG&x!J+;!mOD2(XM$s) zGA0Tm`?uAfJcQUwH*SiE8n-t+ZvYoR<9;TO0HKP=2u8%9&Lv24FvOhP%3C z&VLEqJU#yZQnvt*nsz40PZ7OdYEXD^5=Br=@GHKwBggWNzIgP)1y$K>DP4R!PyDcS z#3Y)#%>|W@z!+?Tdc73ie#^Z|Hy;tLHGw_KxIv;S|1zG+=TOr1;k-=G#7gFO6D|Tp zJT7rspmNg(>%*fqeA*!*H^7_a^&7V^zYBwVXio}5(k%`d!dYdah#MXalfR`;Nq@DlTAU42wVsQVXa9=NetI-%3K)(w z5~+c~7oU8liP*Mn&yUbj?5HZOKPWIj%N$+wWC@{NnIMhhfZ9%gPoUdg+;Fal#4+gq z^@|(5L7ZN=)1spyv{~p}Ao4({lpwj$wE&t6V?H$~O{nG(01}hZ0B^tMd{zWb@z&oa zK%Dn~eEPr_gHRn<_G(J!YOq?9VW|XQ3Vy=uj^Q&^Csn)e5Mjfq9~hgKWq2#84?y>UQ8$-F6*(K7#$4M}=CnJG~0d=0Ba5tF}K& z+Dnc>I@W9W_flmH3GQxMejla&0U9?pXZ0gHVNm-kJnXL7|H7_)(uH8kac;x_T(?jzo__bVLgW-y&R9% zCfwJq=$>h<$HVZ?NbaL7vya`dtxPegW9wQbr+;h9v&Xjhy4_C(ejhGZhcbULF*c4a zU!P7dopigO4_QM2=UsjSmlZWhZ70>3)4J!U(0)J&JK#kOu65fJy%_Lm>G+4&QC!zH zrWSu5sB_9V2B!PD*vHjM_iTlqz}J_cZN8%eGe>h=zFDrP7G71|XnCCA z?P_=U<7w8YyX)k2>Pc>kZK2=A&A^rSpy$%BWV?G2m=-$KZE@@b0ghKZ&N_-o_Gr(~ zI;*|T?z+t2t&st^2RrU{S5!YK)^0-+W_v0f9nM;$06dnnkg|02yfpvHw*C|_t^I(m zxn^J6ZRXr|*WbU-O#1X~dwAeqUmAz6-RV{Op}WLu+LLnSr4Gl~{ZVs%^#Q7iS=uh( zAgp-a{)ln{y}TDJb>;yL11_5PobIlrKo%934yP7&TXS3PJq6pHhTWZ8UNP4x+-CDW z&Duc(Zul*}hnX36g0`EslODW1VRY}IXm(w1M<&m{7sUr*Nr{ktH*2Oa%THc(k5NUc zZH5K-vY`DVtm}WF`Xw8FkI(ydKMB`O4ii+@F5=4BeF>|(n-&d@w;R^3v(+z$#|a(( z1!wS?&EwLYqF8WrkGyDs^!kp$rE+hC!4pSdMiLMt7#B8b;CIib#tlz%@lf7#Ze2MH zm%H`@*MoEJlkR(LEssz=3Ri6Q$$#r;gOxB#KxU!EL_xMkn(j;}`Wc4)rO@1vm>Ht% zOBBU}vXbYt^!!#a5%Q|p3q(uI|2Xmy%I6L8lFMmkxWs6fQHo?N##pi8#Z_eDv7nm} zHmE3z&opu7XPTaV-nJ@O{A8oYG7U;&6vuJF$1#E|!7Fx3+^{)L@Z{;`6*T&b86a+s zF6r#DmPC`~AW6FzLE1W^sx!F5BhFxgFyw5DkXL9{DuBj;+9T+NnB(u>jr0>+9E-R# 
zajLPYy07Mql)tosvt;gZ!a?QP7R5~#xlic~q`cF61 z6}}4LAo+|ZbxzgclT_>FuMwOTiZIj`zw=dpQf3R4lu?y1?QtPyC(qP3@5VK{r z!7HJgzEI1wscZCZvMQTeS%D^su!hMRsf zm(5U5BTSY7IOa*>Jo2~GyAbZi+czkeWK!2lke(htWQQS& zGblM;rl&bRz~-=)Wx{y_`5m&&YqL@VR#yaUM)dpS`PiWNR6}xq{2LGb z9skp0J2G+y)V@pQd7_ZtwXbO(jNn;hTv#yEfa7HP^L5Ayc(~aga0j@kIQEN7vISlF zMb3le=!W7)k>=8(VPXT6nAq!4;xQ`EeRBq7b^^V3Z1Z-96k&^i0IGKLNk0|IiqyKumP%jme}BYD<4FLS6WAf)~C(I~azQP^oH99hoNK1UbYgaW?U3 z3R;NuqrEDe>>w`gx*0d0oTmKR0+3@X6V9f5NDt5{76Y}aWKgg(I#77 z^eiEpataQWJQa6rS=1luWm2vZovH^=33yu`bqzcPZj1rSoz~BpJpqVcF^|C*B?P5b zsw{%omH9Z72$bqEj8HnQfXq>CBNn}xHUae`u~${ppW35AG>wKW@2m+JYOq*wJ8%&y zQDa4EDH02-ie)NFU#(1O_FQ%?7p`Itzca?V(<1zfOKV2=N7_x6f1)n2EfK0or;m!S z+ZsyaH*$qr#M0GH@OT7q-wG2@w^9YdVT4h(B<-<8xYp4 zHB)^11o~>4c_;zmd0EY8CIXU^1aO%y-5SRk{{vvHPXc}|dgxi*27`t75_-ti6#asu8bG2_{t z|9;Q{n#qAf_wzPaorew{V>Yq**RA&ZD&70rP1C1tU{Lsb?fO%CPv0P8lr2xu<3xVf zU)FsXyY=^_*K56o?YQNKB|g&ug5m@Y^j{#f|dbSKci3z=`+htk4Zk)Kz_B}680DUaQf*!KeMU9ALX2CEgZ5xg3myw5Ikw)Zfu^0$pI>ILNQ-vkrJ0 zo|rn1s`d{Q2=aT|d&!|rp+^}z3t=+GLzRhuAecir{ljqdTKIeE-iLP`l6MwL3I@$5 zmJJuj#4BsAQ2w{j0QK%b?gW$$eW`p=x^e_wZd@8qHtLzEiDoRk58l0$CYA`1%o4Y} zeV4oGor(p_k5!bk*3Ic979Bo1EJO~GNpE&4NY~gfQgQ!Ep)OMqBWl{lTuZ$c9&>h# z5h{ZfYt6f)R68wc-R~z6DK`0?oXr_<L)6 zfpMD2@njj2DLji`xlN%u(C6?CO?@hihb@SuAX(wym#I%YxHl{}5t|09I4!<09r-dxkxC|Y~tR-5fFbVz_edZnCKfAQkD@}?v#mQj;A7a4Amfk{A9>rgAl z6Dt&TAfy=MEL92fpsW$r!vY72niFZnQ_$#w@g>`)zj5fnmy(l;qIisVc)8< zpXHrk?qx8ZiZ>u7W0T;sunf9Rm5~n3Za3<)H%4)E{vx)kd z+mDUtS4!rq!iIcOtz#(Rx7|WJ!4Mr@PW1(kT{Hm5$>kNGMY9P)1U0i$^)$P);l5jYL`Jb3h}?UB=y36k%)gi3@d)Lrz%YAJ zC4VR(f|aQ}pF_0Xgo;zf437irxQH*xO(ouRqCAsi9a3=Q&O==`@*BVb7Oh^S5i^!Y zs-t{zpT0RQVm{EYfb&4AUft4>pJ|7;O;Y0tZnAao7)J2ZP;G!h$|yqr92ljn`qp<3pzocc~jxFR@`;p4NH8fO_r-Tw#R_fL|2{8YJy|E+T0 zwoPgn)?7#52_uZyBnzMUIUdStH~564>Q&=NdmkIj>k>?cE+K=4 zIr7hc`a{_r3rNwaa*_a3cTG|KVZwrw&tad{%;qs=PQy(*o!fDdo`dU5bD*6V^eY%*F`2A?vHXk;3GR)@aN0WM}hiP__Fyeeh2NZT2b5UR~VOlm(5}3 z9qvp%UV067#iSL!_cG#} zz&ZRjzAX;k(?^KYkM~zeErEU=&v}&fnwJJn*N%=CP%>_3^WjEGi5H%9cKw9oRR&CE 
zpX*cG4Z|$~qQ-Z?_TO!R7mvq$sT|N!0^`>EN~BtrM|RtjqhGtIogVNa3yJ?JDrG!F zdCHv-@R5t7rT{5B7sS_nUeGzYFgHZhO7}^7?DmUIF|x)Fi6PrmBJxaNq~f z^C-x#bfE6D9EfH>Z81zPD`MImIrs>0a`>pRWl2-z&nRgO6Zf(n{vw!T!G^7djPhfj zZgDxZT4P#~x((a-B3NVzeYdblzoD;+e}q@o9tkKlr0MFgE6xZkGX-Mq-E7fkq*(MB7X!H`(R^o z#)1hzzbIM3*^-r~ z9qljYtyAx*?@!lSKYLZJzPq2k?)yP5upvDV&4xsqABLMykOg@XUaifvllvY))5Vh56u z+Vu0F+vfEr!>9O*Y`OJDU6uru!=g$xUC1At70L1nMkTq}t7z+Kz#5fFeH0hpB~M1DsrV$nC7EeIqyp7>%a7oIhAVgeRBSAn8e5YdRRS;f=Aj3985Fo8 zw_#Oz0;y4v3K(JJNc0?L{(c*+qr7E;F7G7vD}~ci3eKbQ%(Mu7u};RCRGm>Nh;1x2 zqD^HAQG_zu#c5Fiw%tS!PGfrUyC7z?w9ZqAV1STO*%fXVF0AFdVf;#ErMF_%qz{SnIKbF|ollu+o%<6M-#R>S2YDy8?n z9-+!aoHg^!~lf+CDYo^o>3p=g@X#iY;RREqC(@N8uDD^M$M^YZVs)`5|K>>hS=ZDN ziGM>;#_nEvWM<737X4OYPm3ng4MT{?wx;+tQqsZ8U80>6ODBUNt2FbELW>c5pd8Th zUh|bFUfUsb+GRocG)4q%SBWwm0+}h%o_|fQd~2#LBwE2TT<>a$CRjqAv@aJejZxA1 zXCibssBTowYuf5-QRuW|c@QR?b{usiOv)#~RxqLVBbBrB_q5(a-+iK^8iv4P?Z$Kj zuT^1yy1e9?9m%p|)h7LY)_b}OW8o~|t6cQMTa)Hj3BRy2cuGB&ALT1&u{xeVleJs) zFx4m^c=V|x79=F2i>NffcO-9Dcje%6%Y;1pBKG!{sDKnk7H^aTMTv`^VI)i1Q-FY1 z09sP2j0Y@4x$%19Yc{J=I6Lylo@o0*#n&Xi5>a%AEh}WM4$cDLU3TCzhjkGV159g6OfP_%Nle#Qg#Js(gASY z=&&||1$@==5Qr11ATgtL;sObMH^Mq(J-SMHq|^j-8#QX?)vQ$AjQT0SYQH79A}D{_ zqq$!FG_bl1Vo_dE#Q{&IpN3(h|4O5Ew*7fUn8ziAh&ch(54^Kyuj6UC)iOx|V_$7LyXAD&>gVwKob1ij`*^-$ z=ZXFi+dBw?%kEk*7ycMlDHX!%emb{em~B6ttF33?b<^8CTN>?o+VZvAvP#m_IofJC zX-LccF!Q>=FxbrTyjkRr_H7roeVm8nW&-yK97LY8^h?Itku(keJK?VN+us$ojlDt5 zYmj_d+soDQd^*z*xJV3}-SjxHF%T|$h`KxKd6^f|tmZNI1ML- zh1tR~{krnIjuhU{yH^l=e#|op8>;MzV+FQLldAcz4ENj_np7r;>%bE4_1$Qd0 zzjR<}_IhU7zo7cQ77<--?4+(#!L;Uj?y-lRe^hh0Z{Kb^#8{wmA)fU*9K&j+99HYo z*806xX3cVTl%-~Ub8R-53O!9sCh|8<62e>g zd+q&y1lIiXGM9$x=Vc+X6&)Sj;qHr}x8n=gwNvHayqalx9@j!@QcM8a1nCx1zebcQ z6f$W)z>^;7=Pyj^_SESn25UmlNo@9oPPvK!5=Wr`D)y)jRT+TVfg4t7L{)pmf)nnj z&ym{9a@5J$4xx4qO~b(<#eR`oF_*`xa~^N4-C$Q7BcVYQ?&AI*I|@(eILZRrWuut1 z%6`0^^T^Qt1Z{x=fdJu{hx@;nsA7#xSEuATsSOHPigYi?3~rpZJRDyW!2GeSWu*U3Iw}kSaA_Z z0tY|qsJZ#D;w^`zJ9+U+lcj6WmF9{tn!VgG5WQ_>-0$j`_(WN4W3~HcEG9oa91cqX 
z^Txj#*o2))R2uqNa{$KhuYK6Bo3c*t%Ck0{!BvRo6KLiSXuEsQ4P^=1y&YH1<|~!N=Wo-CKGBnaIj5m zLzK#P&O(Ou{9^KSa>)%Jo-5#JKD=ZNKx^PEhtbUM zfuX$fJ`K6wR>{PQ%Z6kZ6j*{w8pL~XLk%SMspL~^5==54P-x75)K#nBE}Tx~=Uq_> zd{tBGDXDn3!$mrKpc~=U`74_ShXl7y)ti>_sRS2p-Po>X(@_gh&7&DVJC9NXlEfps zgOJk$g(Ge>h}4J0xEG>$qP|oXDa^605V#Be-eqO_X)zL{jfmW&2F+H+G^2-sh{DkR zK?|MyrK+KXd+a_@IXOC{e9En3PrAP3@OCM7ONyY}Xg-_}XB_#*a@nzO{kmugg87dH zG8l1)jWG5fD0nx>;TcUxK)9Pkfoe*xT2WYLiW$$G<{7wk@lM~|{ zaoovnR4Fxq^%Vf%(J^@t2H(5^cNf7f>lu6jQ7MkQ(sa#u&4{M0vw$H;9%>95wFbf8 zimr$%WTSiy{6z$7Zfu{SVUrhy;y>zPU2Ik%^9%M%Rho-V4_`wPNibi?((R<$<13dO z>A6#GDGxPy%79jdmYV1{1_~UW+>0hNV=nTz@TYR^W((6gp@EVi0i0hVud5%Yx@aQe z@8|5iFLL=f&Mdqa(Vj{Tk`O=$x#`#lfAd#c11VLBWYm8hD%1_?2$rL&3vT3Uqs`@f zHJs6)P8w+XS3by7y?Vbo^wP~05s$t{)wYdKO@}UpJi!$Ai*xkZ<@n5}xMFON(HJ&a zSbC|^NlGoMN7CCgnVOR}3qzlO=7B&e>K`n~uhQU)3exvsRaP--}Lo_z5KMe3$M=iY*u`y%s*qdqaKwJj@36Lyxdh zf;?Y=H_B~00DJn^?x)R3|2B5KZI4ZxUdGg;H|w3&L*=NJo|g;znhyi7nPx<_5QEEG z{k*dG(-haQ7ispr4nT!CB3>SK!#kEc6ut*FyXr!}ci-#dysoC($GdQbRR8^G?EFz&J7mk@a-)a0iU8x(8u--s{i{YwtFpj>MBQ5 zgMasV9OYH$$=11&vxRTacZqjD<7^!3QRq_sASZa|ti~&ozpw$-eH5;@-M#&Y>*XZV zJNKo}m1a}Wf`6|V#eLq7X4rWJXwoh}%jdg;cy<1KWW%!K#&_XkKAd;ib8?Dm-?GfP zE-38x*b+m`5WfItepL~4WZwnf!LoY!d1t$+;BNc2;)+U^ zN5gFJbVIjB5Gl=ictHD&*)TGrSo!ti73>tnuEzmCxPgT6fy> zwbxJ9*v`zo-TkX*#{<~0VSbsmQQUSOPQ9vfog|3o#@T#-8IwSBPuyii#_Z1#>?FsJwe`~?QGQ2x)=Esi-h z40!tRK5Yg3?@wZ;c4d~MBjDlbHF|j8-&w&*i@tj=t1;ze4o|NzVlDL z>X;vuMESz?% z-x^00wT3@}li4>OPW+3D+Fqj8goYm81~HnhlNFl;5NIMGLMtvUuBoOo;r#pBy-E<2 z5ICswbthY+HIK92ukl+u6IF3kc`CdVU)szA4HI4BX$b{jUP$-Sxnc&Ma}}zdxhMcy zrLj?fs?V1rhvZH{J5CQcs}L0D1`H%j`N3JwmVBRRk6g}2d7mVqMm+Gn1auzmEt<$<-+6jZhx_6s%qphsPGI$4)_KyLjUfY-slBQyyTMtLhc+}kHP z^^a|&q>=}`f_?u#hi)m@uz*yeNo?6x7uv~B^Q5GMa(U1?JWs}x^BQb=CHT*vv~tuR zFGxZJdTkFO2#0q5{PSyCWtPa#f45rrz1Czk|M{5E@)f?}2ecVHJUiB!cR12c1J)Wn z0W@BN*_gp;FHR2+u5kMwoafiZz@m?Oj1!XT~ZiCCCFzet*pLfhpr(*7FKs$g#)c9qD+Dyw^~U(!S+#SLR5g?~XA3 z=8`0bS)nPAXo>9kXPhEp9b2vJ77zDlg7PQIhC<8k1oV<@jLCR3tNM=Y#MrKAOQ?ry 
z>z`Y|sP*-?E9_u4nHjmmd`;{QgKkKdNZw)r38xqX!CPmT$q?rQV(T>>*7@fmjcQk? zBo#LM%5q}FKgDXyGkj2;0;$x$=~(@U=ZGr*;)K0-zRqZwErlBQ~KLPR}kyp7!PvSY-?(eTydv2|kD>hsM(ecZ3gOVm@V^D5< z3X`@H)lG0iO(xO4?EIk-()tPyeJ1Jy*W>|mnNBJ(U)55*&0rjxxk~?PLt_o7x$Yu0 zkg`oIBG7%kB^Y;6IhSPm%!GdcXvH}HY$}2Bflngjzz*%%xzA824?#GPL9O-H+8isE zDrLLL2o*shDh;V5JL`vG2~(}XN4Kj`lROo{%bZFkK?PIDC?VA#&tGsY z5e^Sxt4hmlnzZAq*o3)N^fd?PW6Edo7NA4ONJ>~Hh5XeB+zU0xmN!4T-XiSD8gzGl zwnG6R%o=UZ>6A^Gi}dnh!AxMBsEC#~Cmy*ItJ0-lJ2yP`hcBekXxAfi0uDK?H)|DFli+;+B7a(F)2jl1ewN2ZN#!6h<XsKySL2`ZTb|pupSI9x)Fw4=A2tY!*Hc1x(!;s9PeelB3tJCf>T*$3+aHCHmWaF|jn-O*+*Ssw!kImgY zTYb3fuy6rt`uSo&%IEUw8opLxTzVb98g_vaRD0{zNDKu45#9=*lj1N#@Sf>{|A*`0 zA>xYg&OVDB-xaO_&*Rb-WHDQZh3iw@oj<$%!7EDJ*=Cv{v;tV=14Q)Z1J!%@4cOJG zr|)@I``IGNZpq{I&%>|1BxNVboo$79x zXVn(TUi=w`pFmT%)v&Qib<>u__4rDWe|Ox&=XI9bC+nyhzUG=a_esd|GN^PUE{}=C zYaZnNVgY`(GI1DX7>KNXB{pzvuT4k1jOI2^+3{O2_w!sh4n6a82eG}L=+-{$uDu4$ zzWF_^6l{&`xwtl)yG8X~Rju?KmzytAwFuu<-dc4EZyG!zzeeG78E7kdUWARq6kgbG z9R1-?M9tftgy-&gQ;@3^RNgKz<@jXa?e5PZ_x9Xz<^A4LI+?W}ah>ykOzpmP?+?u0 zPmcvI7dE9Q_rCqD;Tunf?^u>kv!z10AAfs>n8Qk0{0^nxJ#A-gSMxNd%;PXE-%eRJ zdU^k4WyCC}#et>}&${Z=5CspKLAN*gU9arhTN|l|_K$@)xxFUiui)!y{Ub16pubZ; z;3%hOrrgA3|M_^j=EXk0J>(JGE9)=x;~nSm@`WWm;P9}Q2^*x@Z~ul32956iE(k^u z=Y0$K*ZLZP?3bYZtK-`IZOtAv3&zJa!EyWR^TgGxe*?z9?tVMsmwclY3vkb)dn(FX zr;WeGNnda0|GacHKkiq9>>Hc8ch}Z+$)S20-Sl&YTLAL78D6~EL}gjCGL7I3LhkkZ zUlAEd*991f^BzXc(SOwrQg{X=T>|Q@%~T*(Dl;fnzuXx!bCbQid>0puAPsf>I_rEQ z=C!$OEn_0fiG3m!V;n)QqJscvWQJW>6Z40U#*xsmN?iy!Es9CukZ@bHT#P^yw^oB{ zRn6f`uv2#itnLg;jN?-`Q*YYDu9ny#n{*39I%%7QJ4nH1$#Dz|s1KRUBuzPqUlwwh zU&G3KCog}qN~eGL4N1itoR4@$)G~I{R;6k5h1P?1mb^v@30)Q`DZA=9Vg>45rQo#m z!H20fjV41b2m1hhLyX_4HnVbnRl?4wi5(EJ3z>z};gN>?cg#u=*4*j4XrYsY(vTem zsx}jwU3|qER;P+`)w+=m7ZaTwt}XDJgbH(B&Q?e(Mk1o|E*ur5aNYO(OfohI>o%7f zPIP*d`RsVBc`GkzNG_EKy@*}u^0UW?@!zB+#Q?soY_nC%7P4J~@}F@Jv7x*$`O@Y~ z(OLlLc*f5PJUiz|yfVGnqKRrt(eju|Ngbd=0aJ9mDT|=r3$H|wVUcZ}( zXUb$J-zb=se9?dO&TEo* zFDG9s(uhj8|4qzSj;sd2EmcI3E~-}~5=gE@I|X-%4CG9AmA&FIZ6(0Eb}7)z&7@F;k4EdxkA z6FHzgGO 
zvddfF^`g|#^J^%~BaUwbwfbR==1SgNX1}YOi6uQCDYK9-iBMoMJ5)G&w&?$ni#_pV z*L2kFz*uXBfN%eE>4|Iw->RQiP9U+8()ge@>ztv(Ay|0yK1SfPO-%)gSzULpDo_<80IBOhHIk-B^+_ zwv>${rSjm*I;2DI27`njuGYJq=1=-`+s8(;Y0gXv+6xM|A$Jp5QQHcsq2Swd3lUx0 z7TJnnj$niOS;#Wrs0o(>tZ6plWRVT_1o9LzWf4L{4`mB`Td7$`hFg^DTx^n?zTv)a zCt>Uq520KY-Q3*IxbWfY9KAo|>=&pLRMz%chFRl$NltlgKdDn7J&2r{y4OJ#M5F6~ z>aMx&pyh#<7*>jThAy?zRSDes5Fse}znyN1@s;K!sauQ_xsp9Y@ts&-tz(nR; zU38WfJl3!r-Bzs!2m!j)t6AuBwuZ+zb&nBqHTI+tOOrBXjmh>4^e~$-%mLDBnmRdV z2H8rrn>9>2otDA!S3dJX#t1qKOiTox;s`%VNt8Wu@h|q*t^;t;D0}+D+?!tZN3(1oZTIbBq%g?hUA&Ef2w z8A1f3A8OSIu9&q(3e32TqS_ZqdgbAhA+!TZ-(}?@&ea0pL((9Ys0b#$4^Ut}y2=-2 zO#QMM7qo|7QSqbS^;Q`qd`VgjBvr56pu>(?`)Xw^y;@-*-UIb4)r@5do}D@%WX*(< zaPG52!JURI zfE#p7Oe!hN&~NCJe`72V>Mu9mESgdO34@^njBvqikaJ=$;sc0T>Bd97up(ja*B=yd zxdx4Ow%M)d0)4x2 zW%seMb-8Xd++DNn{*m-}C%H*r+pBhxIS}V37c5EWIJ@p0?Y?>5JZoY9ep`};9`>N~ z(l05{^2)gYvyk_3Ev496oTKS`H-H@bjPEwMLxFk&Ty-fWv0LgT+k8Yb=_fhBL7hxy z!BSn{pRyPBzuDVJ3A?o*P6v-Bg%Mpxr?GUq zfPQy)6WpW|`E2>Ur}s8weQZiK$5C(hJ@wcuV8!t;$yxWlYwU5rVH^6|J#fb1J8}a% z*MHXf?j@VIYFW>2`DJ$V+$GV#^4s2ULFk}nKQTkx54R$A2*EMm^?#|y2G3REj2AD&e9bs-SirY21YI0tt}V+jRCfYT32J~-wKor= z*_Cmfblvj>;ZIXCwRWCz@efwM$7JO1JZ>AlHeZ-Z6F=gSmXB$DTI+Ru zkL!KV9_$Q*A)bE6&2q|$-S$TYLr+hR$BRN<0U`nMqR_=!ie}IG#zz7OSo3zi6xZXm zyk8T{v$xzmv-xu3?EkWqQp_9F4f1D1tkq^9Pt0- zQq`y;gzIrtO8G0NAB5k{Y+2bzvWN+d#*aWtg+l9g8!epE*#Dfh*`#>gczQ`5sWhcz2?2-_Jc;nBIhc0|n^Qy8Gx6@*DLj_CX zV+8=Wd_jg0pDJw(bNBl#NVncP^{=HH8KRdvfQ-YFzmavrL@3@wB1bOR^)85X-A6oV z6hT@BS>}Az1@kep7<~)%UpAIPG($I6w1sqyNm^!|oXHOwDaVR@SOlroznDu#y!wj|F$-V4wT2g0+vWg#yb5e!6n{?+Hhl0JcgjgW9y% zFRI|1c4JG({MKb9sEQV5S5y9M{CKx2z)wT}^_$YF7Nb;NoN?teo)H>rK{LvfZ~PfP zs41OKL}s%IZ@$Tn_XU^zlnGqQL#uQ zJOcc_v61*R#_|OB$THpW{u2b@&P6+5IEMbdG%vC>rL6qKAbU)7$w5BMsimY{`Z_Is z$sAIAY6iPpr%Vg#&UXvX2GuHzaH3mVo?2G9!O%M=e5-(;5*X8Zt?@N~)#_tg7zrew zRnQ?bR*Srpkf&qlM14;h_Sk30i%}GOi)(`u5nw>av4#F$Q zT2wuS01kO4;#O+J6-(pio&n=1%~eH}Fg?=F(NQ=$SS70yCxVIPe?&2iL}r`kf4K$? 
zxwK2HWr{EIJ=o2Bze&t(g;^`1CMzs@;nK(y7jO=@K)IPB%jF&72=n;RG&g>HOIih^ zW@Lezwf4K;!9DHDXIsNKB;sJ<=r3eQ&~&(*R*>XOs%dJiZq0Yt>Jdp zzAL@CR3z@+f<*<^C|iiy*k3nt=61ogU$tP^d!9Z?zF!|8t~@VYxc6?p%6Qg&pvtUn z3DXL;JvqG!AllL8-llc7zU92el#&2i5RCk%#Wk$-{dZ2!1UyDKZf<3_eCChS-ikz=<*fBIQZ(mw;x{`EV4s}i!w|>T~%{>ye z+JF38sc_fx9O0OdY1c&EpuAgKAUS)ih3O+ReQ3rNJ` z%(>^o`{*z3^>Z73pAz2DJ^{^pjzi&5~=Hz<%s>+PkQKIoxv3VI&pmrsEX}vD1~}GQUFCIY`)F60~dlnMijU za<^Zh+?USN-Vn?)mN)iE;Vd#x$SJsNlH)_Mf`z-BtyM1gz@4ub3qGf7X#r|1}gU zZoRQcoraGM;M@+Q5c#)#_#>{Zyv~3Vg?!(^^yy=O&sI!;GaQ^^FwkX(Q!Dwyf3Zyt z$L4ksBT7vEMo zG!p7PXKxem^0IevJX?-&)@HP^}t)PTPw z*2zP3)g^puHIOBI0Y8qLvsFnHUq2Ipz6J{c>By~Wq~}BhWA1+soqpBxue!@%!%;2K z!Bh6^-O3A5aN|2O-_x(8#3O?GUsn%{}oH7O`rMy_+k}arxMYl<-8Wf}g{u zI8r23%jOm6xv=;M_=?@OEupC}a6LkUMkvMDBl(c@J*8U3(57_ivXuv;Pw6fBQp8~u z^cMa>su6}@F7Izf6dlN5IiOpKRG*X>qfae2rZ34&w$UA|=dM~c81sCQ?v_85H-SLy zSXwMP#`tp(zGZ-*uBE3C>?V=>g|m>KNpc&LEF?jVp`R@X3(chn2Uey~CosLkF3inh zv4w{}K+sIjb&b$aLXe)F;5+``fCHqEkvdA!6Qc?cJMz+qISNSXuJ^gsy6( zDb!Vn6pkz8+cD|JAVWh==&K_M(}tU_Yznly67BjHJ*paR&;B2MRRUPSj_EXzai_FO zH+8b>vknd33L<`H8}YOQA5EVl129^G3S|%Lo69LL0hALwp-k@XAjl0dPaD*RvSP+{ zf--I}Ug7D{!Y!YLQERLF?txx1nPXKCS7Ex*R~$6zh6rJb+^^RYQKY-({%N=%=LY42 z3*WpC4XR5Vv)NEI6c|EL}x5B`QVghWKj?2es9^n z5)1${oL(r$Yu4~xsNheu(W~27utEPL)KDE~UT5{`RIbk4b3%@^xgdsYa4^lr3iTw& zUjGrJ%5O$J3h-i0%SjJuz)9g~KsOFpHEA=^k)tcjknvPr#O-*&C6;5v9LCfw%oJOt zzOKMX*fO4F!J0TRn@d3WV^A$h4CNZA;b;qgG>{VtxD_$6=WfZ_CSDbwWcj2V* z6pB?UoXGcpFKOO)I2KR$Ju3n3q&{v+4KJd}x*!9Sq9i3qusu&r*HxH9o$Zg6K$ zaM$1Yt`|G1D-FEmK2vG$_x6TLBb`0Kmi}898XUYm4Bp;=bhx<_{z5~GN%<}N1@*31 zHC6a&h^4B1MUl8O=62{kRsVLLNmK6>=gI$|i#w0^rk$V{{Q7WI0Oak{Iw`nxJtJ-b zQ=j=ch84#N7=vQ$x=*(&WsaVA>eJ4Bj)^8$C$8Ln`*$w>eJUab-5m%6&nuEL7Fawl zJFbBD_d}akwf;(mTf)|cw<;?B#!n3XUH?W*dwdS;XJ|h@YGfA(?A%6~S1#J+Yuw-6 zFE1~6^{-?NxAvz5nf(C0A1CYPVT4`MwVn^=xLxBjuSjV&M;}g;w!IsG#&l zLOrgmebIZV+Mg=!{hS_b5F^iSM76yDhG9d`Y{5=X;iSTw{avqlq4_fCW6z%0={oQ! 
z*K5Zb)i7`4xW+=ELzdaz-~UZ^k4NEO2hRc);KGj9O>Kx-ACa5@EjWcJC{X{_cA^*{|M)^-b+BOr3s7&%@1mK=1*EQ~T^k z#;iSP>k4lL{0p?;|32@`($A9OKciUZaGsTdSXx_hy5VS+*n zAyTs^$|G~5vNPkaaO;1qaMs!*StBj~S`f>%quKis0eG-uK=NtZ;0|LVurS-oq|Xjs z3iwuTHdcjm#1>3j>2=;fDQS|Klvlz=$+^E~^r#l0>Zw{GJ4ktU_x^PlG)H-M%iE3? zDALMm%@CqCg$~m&yqs=8Bl!S_EI+w->LS2eWelUrfDx&1tcF){lMoQTV_Ej|CvvQ; zC3XPc8Zl7VysFULk2G4wr%pbunk!l@f**jf+98>artZHGb`=n~A zQ&6i?#=`jE$(RMG^2L~Incz&6cB8RS9WyL;N5P~&()}su(F$SZFRPL4yfmgL#~Q4U zh?Ep6!77Gdj97jhc16hWdq`fbP;wQk`KBYrh=i?5Rhdw5WhLoaOBUXF_9#U#T;xMb zno>2vG%IQcWH@g40h!%YvX3fb*fQ(P{vFY^FpE-IsznFkFJ!N2b0$lgDkVQin_H^g z(F?Mj7U+!KN|v!BObIqXfQSc5oBzb_1{pyP{O`% z_6eKQKoIcH6nG-e5-G!WK2!LMi`d?NO$laSc6rQ2&1(KAhjY>bkH$rDoif)-A?*AQ z=LM=>Lby~(9Ep@b-4^)Bye4@>2h%y?#rb$LBRSiDC0=7g_?)T_oB5oMm<*1a#?^-S zg?MDeeM%6>{7$K(K7e1S)LlDS5SOt;om+MM;c2qUO#;ifWvGLc5t$33vKMg)0(tQh z@LUqZ84<=#YSf9F`5CJNzm?<(SQk(%c8dtL)MLX-^qaM1cd;qebSP3uzUf(L)uy%= zY(*3(8wPn8?nNDhpG^L8pD@AthTAwOt^EB=L4FFCdJB(!rzpN~!ig~@hw@(cf?gP1 z%3q5fHpY#@fs;=kKCzB{<8Xnp;!9vk5jfdV^?u2g3F_IW5495NY7|su$#XEwQ;9j!anLCqkIz3Sij{?F+j?crj@5wX zDN|f?D1b()-m@lmvxcpK{*RJB-dh#YMDiE6T&TlVd7RTX6=ebdvk`#=In|(3PFjex z2z#UIOQgerJ-PEM=-vk%d51E>*+=@^!4` z8gSPxv9H@u%o2X!Is^s5sV*^N(l<&r-4-RJCL3)s#)kw{VOG~vsj>=&feu-Lgojy! 
zKF;a(D0lDn2+)DoGzs8>e|jJGj$_`>Kn|PUF7wB|BY#RUGSaU*tdC@$T|t;Xp0;7* zqw+pe!zKP{Md7}5Pm*PtORzjxNRli zfPh<$9j|FE+EiWfx^C4AA6)}`m2=Vvw6=85bok}-AYscZR~Qo z+bxS*3yk;}m#62TbiJ|x+>GMAd}a{#-cPyN)4X7=^0>sqvG3kMTsMHj@UH>4f`Aq8 zjVN$6y_Ru#1`lVFH7}>Ue~EJ*+^OugsC?Hr`2!}iJw{Uf?-kno4A7Zgr?KL;BYxyo zRdt`gZ@m58&)Yscgr`~Guy*p5jgLO%FAj6VHFx0@L)cXfqjMzHCO^p3++E@ zOqi(zoj?km$SA$H)1BCaw=XclGGM=z3wNI?$9KEJBx>2oEOtZh>(22HT>(#E&v2R@ zpZTnAZ{6_UyviE?UA+GJ+8S=23%uujxX0eKyPCHA_S0H7eybRm_M^@|)f>;=_Jh;v zIEpRXywyv^SCtKi75^hfqd}-tkG;=U9tNOsXW+-14W3z}uwdJz;3@kxSKM}w#8t$S zYtKzJ1K)>2nz|x*ZT5)8o#nk$FgHc#u9}ks{>Xn5+e!huwCe&a4ET7;{m6q4Cv*Pr zcO2{O2a{9dHRUVne>V6+JY{1m&sUKY6%qiSb&-HMJ{QheX*2okDFwV-CSzrgp`Y?I z$)C~Vx)5?=-apg=hkOt!q)0eq{VsU)F*ia`Q7z`NM%#9CSkxz?Cfu55$>Ua$jxt7L z6)`f1%qjQ=WyT@Oo%vsQcuy5?!{r*RQwjHt_-0Ccwqx>tO+N7F+MHt4TqgdK-QO3> zL9*U+OZ!d$Q^Puz@<#Yot}L*`nW!sR#;*N5X|3-p&8FHXJ%k!lod!vllFs#fQKpD3 zLGTEFC@U$rsmhV& zlqC0iW~4IKEmR#Z`Tvv;*m1}G#1){#-T(3T&xK=X+Qb@n(w3`HH+3Qdr|~C-lpYG0 zR!SYJ$y2f_3?$R>*AhAr$Q{aiE{Y%whK&E@uIQ{8z?DBmcByct6AGLw;0MiW%6>O( zt&8nP^UQTCbMZtg^W-?;;!RyKFPMgGNywcchpxpqQK{A*^Tc1yEV)4;TN=q+kSbq> zuts2tk3t}##F5cy7R48xjLh)!g|LFpCoSaSCmyq!ZB((6v0NmuTz$2Cvo|L8%m&eX zNNVS}nb&+=5q-eH|mM{@YWxUNTxLS z%q=TcZe3aCivMWI)UA$)(BW%hMR7zfF-v*{qwH~?)WH-Lw~!`F5{29xqlZv3b3N#g ztH{f!)x;ueckZP+BvpGyaH3Nvo|RLDoCIvwO~y&Sn;>arSf?G)v(CC{AveP?>y9-| z85CEsRbln@g6HaA*Q>~rz@B7);xt2#l?K*Xizd2T&WrbKHA;pqHF`tOJg5RHf^jd8k zTxAoownPUHgErSMK&DX99Z9a}%^_>pY_g`(C9u!wO)a-$+t0k095lo( zDm{$Ff9egd7{2y}vnwEUu&j(^p#OzAiHI8RCgeOt(F)y7m%-hbfjIdz7I2r8{YD+N zOZ+}WjImdozz-{drFba$E?SzZ%>K92MnhMGx)!G#WAAn7ni#!&mg@$NUmx1Wj(&9h*F zCThGZyam3~Rg@k5c-&_gzp&>E({dBssgm?c!FuGq%9b?T1U=)_thMxRuB^NqZYL4g z>pH~v4Z7*>cwf~&VD$ESx8CJ?ak3Q8N^xl)9jab|-W}oW93VfgyJfSxoL}^sozJm5 zg{Z(k-`4g%dA7ef3|sAkwWyoxLYD7YsCr6Rk6TCAIW@stg8Y&>T;RwJgYK7nmMTgO z)GgP%+TxWB|1_Jv2jL|856k9TjZz{KyWR)T>=hR{l$(1SFDVc7SAO>BHfD6jzi@8V zWcr>W&+|gj`^tTRg66XGN*SniouwZ~?`!NAzUeU~egDKQ>>Zp}JIT;0z$)Z_V16@6 zybd1PBxA^AkazPvz1#j^0Kw_M5jNfgJ;*)@-4&7$M>+|2w))!7$Y7^BD~`-$_<0 
z3GDd%YFxJ(?dzf|4!Dsi}afBbI1u$b5{q&_Sy(E`j(Qex>v%VL< zuM8)1XN=;uJ%b+FF=C|*K=Xdwexc=nAj_=*jaqwU-kZoI1rMp7)XE8qaY^9yi^b$D zQ3*@u?BCl!v%8AU>&9i>CxSw5|A*C_SD>#Xc#XStQ^&BI_3F*H$1B#qZ=zRADR;Z8 z+I=S$=uziBN$@5+m{$|rs=JI3j8Q4BJe8xL^6+ z1{d{59_1`xl}W>iu2Mt^<(ItJHj$J9iE8EWcKoFKCTzt3mPW{3h_$C#l3nBG^?`$B zI^8DDQlu_4Zqbe=oOIe>j<2iGcf=(q)UL&U=Z2^yLIo!A#EYzH)a4^PjdRg|^Kqw> z((xEB(Z~fsAnO?08ACN{Ic$ypUKXr7PLBwi1a^3oFM_BGyE73`yD-T}Prp!C3q@78+fZgy=~j znQBXT)$WF@gxvV|R}0))!AYio3UkU>2jrxuI(Z7xc1{ysJ;t(Wq5V;R9dU~TAKa+N zWJDvj{eS_ihy>jU#WFZXMXzSg0vDaiBW&0!x7bK8+k~Boi8F%GdX?TXGmSx1f0j5u zfda754*__K04k%y1?UW-!JT~z6S3BzxDR(;mw}X9I;q;IEomyqBnmTS<-~T9Qp|%T zSHX)CX15Gkl=Vw*k_)hY}@@C$w1!z5~6WIZ>*B1d#oT^L6zP`63e@ma7t zNT-HtO^6>*>Zc63JZG+3wVb0Vp|2|U=sd!S26PTd{I+vzEH2VHP5uOr<|w3H(dEc5 zTIN{GA+UBtzh>!R6Z;nX96e@dxdijb_bvv9HLEzaZp-w0NscI%M^53N-xGbz=1=sg3ed zFVMIM$GKJSil~m3g6oLUwKwZ>i?(fDaaCMN z#TDDOZQHhOr()Z-ZQHhOo9}ya@7cHQcE5~Yu+|)Nj?sI69=ONJL)j`{pube`=@*j6 z{F@{O2IdP47L!dzl@8L$j&pgqn+I0veGhXBp7MLuUg zZHvWjj(vSEprAWD@K5s}!Klw2e*6)HfBs@v_#30CuY5m2r30ll^2^_zC@$= z+>ohpIeg|-lPtAbt}|^cSRd-@X^y*_m}#x47}pyTP;lSL`?ITX>s)2Z=U3GY#wXTZzy@QFgojB99<)Lk(my6SyRsUuD1L`!|(V=Q;G6#hN+77b70fXPEzJ zCMYeL#Cc#<3Sp3h7$3Og^(7Fn&7or>-k+r}_ba$d$`>zCNQi1j$|IT9Tib7F_e^~--B9k`IdH$d=)wAA6G z3BAeFjYo1)qhCNARR42M$7n}qO8PTa&d1HPJ}@^(JI|FebuMC4EoTRhI^EaLuEquh zbE3Bg>;Vtpdqf@s9v=g#P~B;PoQF^!*>`o{!)PILq<`|TMLgg@LEf;>7(TqvenjZ6 z@7Z($D^$~UMas47(NRWr$MVApppWA^-fVlXBIc!PD&ys1Ct`j}*Tb=|VuUNt`hH`; z^}WAthx4F3i7^JJ<6^ICYKO^nsHF>wYRlzm#@5X}WXX2Tum~4$%~?WKH#0=!-ZwRG zxf)EHIaKMrJdu)VhhR5|v~cjkv0v8b-?1~ab2qhFlv1VpaUTJ7xwKVU|3D*)a#TdK zRSoan6eY{+byU|eglS6?VdcD>^$I4-<#ikk@OZg)_ecURu#R8q&*i0byH8uZN3^jH zIm@c+hY{AV=wf8K?WX8%-u|0_=lE#$(%%r}Ey?tl^f=M2Wv3;_d|Fi=;kNa0M7~I`be4FK4pT?O<^0lT|q3Sw^ySYM1-*E-)f zysrWC?V483CxrXKHMW2*?wp?Y@d(MDPNyzg>bw5!H)!~Dhw^8Gu`g9RnfiTM(%bcWk{gJ5~&)sP_+N!VD zP3`7$tBk}J?%g8h^IMVLqa6?9jDzUT>rd|Iw|&YO{15CN87r#>?=QDW;6+&nRt;C( zgukTVv3iHkhu-N!?^=(~dq{@u6SvX8OqJsnN`O_!eb1plW8*v-h(J z2QUWjtNn4B(i~vhWm{m`^Zah;d3cQ7tfy-MHPOtwiTt 
z^V*F@M%81ry>~L)L7DdQc=PuCveztRSI@j}1_D#xaNoB9Ip`cGK(vrg&d(X@_0k8B zwg_1&przDckO=XVU}5zA-U(3rh7&mRwRqPP1Zg}4Vp;+%UfELmDXabmfL2?C8J;*{ z*TFT-v~c^A?AddzStHP}iTySd^jdi$Icq>W#MI98Sv?^RxfxArQ)0Yy0_mLaZ$X}c zAJSBMl@lf36!@D;`nTT(O!3Z&u67SL1zS{E)<@DLhdt*t_00MBBv%S7-W@q z1b-KHP^_(ojz)RlkZs~wEDdEg3+vq!58*xZ%oaurK8jb87s8-jNfJ5ErP45R6i2MY z6)u;~_ym^PJfl*-^;^?A{UDdQ7usczvnn1|KqQg*F+d0VJX2YGNRQJ6wmvlSoj>LZ z?$$svPXI1f(fzRCj<7z{tO>&_P6T7q)bXU4lGAyAUAFkYtax1r9zb0PHu1FqUBo?G;BoO?iBN)e+e=z(z ztU0%2L7kgds@!@7{fC!Ld^|?2&iGG*X84XG5P3eS@^nf~>V@zO?L0nsgLViE6_qE5 z>T!mG`Bqtv@j^MvT*DtTtm=cQCYW02`ICBT^h06tPj`Rm_dJc4;Ea{11*|m4&4kG# z+j3X@|MI{&dku;iQ)=s(nP}*Q$t->2#>JtzM&LIX$X*&k5p$*L)L_(VAI9Y0b)n@P#q7dLP zkcW=@GwjGW;@Ac-3@j8*1Cj>$C#Q%a6N-Wk=5C9rD_0G%g0*X*bxjUF6&Gz2W!R{c zH4?j6N{~(-w@)QXl*ylRLK9FJN9HqSd`IK>t%VuTjPC}b{t~fiNW=`2(X}OYP9NSI zr41NzVXTq(hXezWoMjvmD69F0Dgg{PpDgZ zUq|%D(k-_!DYExTX-GPf>f2MVI@g^97OLJb;TUrgDK9LBK~|@TSIdAOjUNTO(vg20v=B55`L?SG9!4VU`(AQ>)(p%UYT=^<1k;(-Ce3MGk-bdklgCb)5LgfluEo zIice1cP1G<0~wsW`=;zhk&H#GY>Wp=Z2SO=SU;oaimnaO#o z1!t}T)_geGMq8$`ML>|r;n^tdZ7l=c9G^p*K=fZ0xjY?z1$#uSH3CsE#6S}BmTNRm zIe{3VNj!ph;VXl!mxAq7L{4zY^`_)lC5tzCUMBpALJzB*^C|sq_DRRN&Y7CLw9Y z=V{tOc?Q?x`mrp{h*%7@m@fpoWr(h~J;q~p0gUvQvl;8NXU)%)tbW~(+o2Nrjhhqr zYON%&p4)xh0pjP^zG^64yQAg}+?QMO4lANc_l>@eVau&fle@wdSsr8Q*C5s!jd9@F z)e1+(U$0q!Y_$ll%acpa#&fo8}-I+vOCrxIWw_( zS})FId0M{~JbOOJW$u(Er+ds3vXZb>I$RreDw{q|wqMUGR!UEBxx`d}*VCSxftSI} zvfg`R2MFt4L&h>5dfU^ijXIo%XBm%s3>B5{Ubnh6K+dn%1{p5&(v#ty8TN4~S(j+XZ?n2GF$x$sfQ z7u}g^MWFFfrzox#U~a2|tWES~I3-is6&(;L zl!;GA%e3D~-tB9_wDqzFtXnFeB^NC`3{BW*7iJC=Ua>X7NwB{UVgy*7(#xg4iSu9_YV(;}u!@D^N)Re9X5u)Ja3 z$ytO^zw>4Thll>VAePkw%6d%$Y2n{oUv)#Dpx zHYR1D?4R%Nj3}m}09H^z1233hj17jKVqx}R>S zGNMsshnqG&30xjO{JDmes0GBzc$0)}DjWpELWu-w+5lc|64u8(UP_F2IK_8VtTk5t zd@+ptBEOfh8bM_?&Z{-?Y_EjPq`L=}f@&id;h@EmTPTlt*T-c!?GbVb*_Q?zP*&oV{ud-!T_|I!k}g z%hyP;lW|5r93YP;WluuP%{NW*t~NDz(-@owA(hHSQbdr{J*0hlqb+xA*M;=NZ5*sTKiIWaQ^7&2tq%$+Zzr^s^ePuQVBpH^%xo 
z+Dz3po*Y56016K3KO2nn6HJgSPcT>~7)RoiE{NrERuZpq_9o5l?Vh+74q2ds{bD2& zBggd9YGT6@_v)pxX+gSHU8L8568F!c7P9g18=@mY&xF(wxC(?vG*RSWCNwHy>~x7> zjhbF-fB<6tp9*nmbkk22esMjFGR|+)`M+C;GE^qf*l|v^?r1RY8l6xB-}q?*?;1%+ zEjp*~WPjgQ;7O@vgwDOA!lmz8_nqq!5Y?pZo6SejT{h;3qpXNBkxnA9JO zu9%&6ffZ#FO+4SYOVXZ}w;h_N6e!HCvOg@Rbc-xC$*ITAND2hO@)R~PG$(~iXtM`X=nKrr>DXg_9DIsrM$z~Dl{zpAOvGV@W{FqQ6_gK zsr6X-OMIe*$2Ez~*`fAwN5OK0J|Xq#lPsi!{(1tXUnFvY@Nq&*n6VcAprNaQjIilc zQoTmoGM)lGyAc$>oHcRXL=ZUGy{9?@QLg}y2PIZ-x2@bzQp@SfysX_EwmNpZ?!iVgX!Wo)p}SVl6ay)J&l z<$}HEF-n?y0pigSf9UfRyqL~nJjFROg{t+79!Lr(^WgWnOCTJf>75FHUu${`SSK@r z5&lpR;J`$WQ@^or>oYavC%H!5tHik?B8Pd!ro#0f{eio`Y;3rLHJBT{Bs zoBSy@)I?X9HA@!nF(eJ6rZmFI-kL=`q+kAn1g10Fj3lt^%p&R>88SaAye9N1HL)s= ziA?NA@LujxH78~^+T8E7+K@BvTa+r#LkD=a4X^(!OmtGGL*{VUV- zy34~xf%ELXEra&{G?Ri(Tj%RLPp-D72T{O%+rzcSW1MmF=TgK!tnx<}Fo)NHmKpaO6t|R>>utj^T^*KH z^EGy?&+|uTgtV@6{crFHg!@j-I*?`4ccNnU0_b*%eli zFB|Rg?p!>l}E-QyUNq#{JCakrFoqjQ7ye3-g)vwdELC0n863V43A_Nm*N zsOnl@CpXQs?``PNwNutVi}B#BA3~s6-<8$8{@l~d?VwOL&vt+7XyTnD)9sjs=InMn z+$Cjo`QE&HJ>TKlI$T_2i0^*}z6{U;cGpzxJ@3V&Ka}3*U z#w*a;VXll?7`2GNWM}QN3xaHZv;q%f|xeZWiF3D6tu3n3w+ zs%&NYw?u-b+II?9B(TUqgZ=urV|J7p5`CQtBu}X(#vou2Q<(_Yxl-O{GVUkf^zeJeV+>Caq5!l$wwh z5KzQC)y-2w@K8cfaLg|>IfW7Q-IeO8pu@YiD&eUzl5c0fQ@xVeVnM_g!NwU;KyLjZ zF>WF|N^|kY?1yk2q>^w$8(dThvojjx`~JLVwg z%%HLa&3BQczaW0IiKlw5AoQoBSE?yaY_v?IQxI;T&R16Cz~dvqF2!FiodKd+{J*vuo*}OE5Gd4K1(v2U@i@*lMUv|;zBDN1 zxcbDPKCE}Er3nvHu5~Y&AAAeDZcUUgkQw1^uqwisq@s;pJi*s-^{zCXL^+N=V+wtx zlZ|5vEm5t45i=n?3Mx#RkJptzz$CmfkVq|V*Z_k1SxK8RCja~NK%eOxNxOx3Kx015 zE+KPMyj&uRhPjL&Y?s<|@z^_`ciLIJmMi*^356Yf^NiTZI+GSGOhcJA3}rz4gpv-1 zJP5KuqM$dQUN<)jM3u&aMr*⋘bfFH1Q1Ka*r)cne(mln5YuAHv^nZL5W8f0Xk_K z+_I=$prFE&IYL2!P?uS#3I*-LL9_V=-9nSECNk2rlN`_$_E+E3*d z;3pLDW9AWf34#2lv`ND*wyDm8iz*Ruo{{5nk>WZ$E*ADN)U4^9-E=pc8a|-U!s3TM zL1H3*%bKPgJrdEc#6G76ca%KxHl(GB;CZQTO z{RRz~GkDBW5=KzS*Zl2J0aiwpcV{MZlLn0-Hpl^w?oDTWkm_KcVlp+nJl9SmGezpv z>0IV~{qrw&Hthvy=#G${(-F_>w0&7GHs9gsurJe@g&5#Mm}-}= 
zw*t>)`T5fTF+BdsHaTzeekb8X1-EN)dz89QmuGKN#*C`%w(<6y=vL28{Uy}y%nHX{ zzxB-bBJcWf>@Gr^@uh}$(|JXg*Q2oh+R)N&h1O>>;Xzl|ben?ort@iGw9S&;v#V!2 zp#`^Y*u~SzelQ`Tre{EJb9&%CLew3#v|^f;^hSFqOIzjY+kN-Wkm2@0<!QYgS8Shlaz zpxkCqr&rw~az^|1Y&%=-Q9qkw%&U&EvzAoP7GgR*r(YipD^hG5SLH`=JMW!Yfv@~N zBM%uRoA^D=&)l|v;_U6`+o>BGT<2vS(i!giV@4GXRiAf3=jY!k-8~mG+d#Y~v+LZo z4@E~Bb?-6hD{dc1TJDo<-AWIN91UP_1&TumF>S=|OAgO-=QuQHr^gQFd~gC|!%Ld>q3riD9+x_t|!Ts35 z&C=m~p}NV)%IzU+qd*huVf<6X&V0~J)!0DL##7=g*%SW4bKk8ks zyR+PJ5=oD)VdT*P_Wb+eEtvs+XzcIY@hTh^Y`aziO{r*Gb!{0^8OlU-H-S7CpS*-` zTMxYWDr)d4a3Jy|FyB|{c0|BPF;oH*}KX!n?l$@v@ z*RL*xjsVj~3gn?#@Up@;@xT|OQYv+fx`6fSGWRcs9cs{U;eFyN()h4iNVqr;`pc71 zC2B@^C!LFbXJjm7Mv+ipvjpP==uO=hLgDa9{ATxzwX$144Kf)y4-ZbFqy6 z*|T7gXdC|3e&p2|neAUCec8-Uci5tGK^sofS4Iua81&4!IkarX(8IA_(G&-r3XppQ zf24C=QsFgR+Oi`b<&h57^<+vYqw<%bl{pEDhllMk$-tHQ@Z?KwDD+@%jFUjEJmkXU zoOwpXr5A8zq;a*A#VeM_Na^#JRqE_n%cCsAZ5|u=`wWcrl%zd$r-2N143_X1M!f1gRM&9Y_)*DSP;>j0$D{Qks8r}Hlmgcw^;*4s%ly7I~nS$yhuGwOE)9d zAw95-e+iy!Vxp0qjv9XaxRgDyRt5p~iEHP~aws^tVLnwx$SO7!Tsk-0IUf;8lB;~o zpk~#EGz>6ruv6l>`31Y6za9;QSQ+*_dCqW^hurt3F%d*MfglLwgvQYsV4 zM4}&yhEIsJciDT-%sEi}PvP>eW3<{A?FNoWA__qdZ zHSNydsM5nF+B``Fj*Y3VQ@h-BD(>SN+>0?#3$83EpTyTXrQ8ia?nc!H;+tqDf zhBV*?eyECn=!-_Y-csHG-(sG8VU~aknD%EY{fO%R?HMlF|7 zt5V%CbFe!IirCG46{m|AGDqba)L9p@;c=RRd)eYx9(qD?P%a|j>1QPdgbT+YXcVCe z#P|>prL}Ths^)}$*hWkJHQ}q|D=z=}=~S46 z9xg8AZQ+f;NU`gVD|tZA)4*1G#W<<+R<~Q(M@s0FGIC(SQ6X95rOQ#C2DXxe__MfJ zpoi7x83?+ORL2>{P4BKvBH|YF|D=s0{F%gn&U(J$-1-e6l@;f5H0{Zwu@gM@=0Km1S zxU+rb`0n?CG7g(jS5r!2G~0cYGQjTbC1b6lI=~goxA8PPBTDzZckM1da*DFBd zkK1!=*AL69s^r%J`H7xZm3>)TD*FZO8!kY9q${qj=~hO)C>3Mtdq7);Z!hn2|BO%T z0O81&OOE8T+iku#%VyNF^jWNCH5WM9r}M>#N%za=z?zt@ZJXU9b}{bOHr32C(!N)plSLnq)$lUs+h#J>bBy!$g;fH5 z60*@#m*|wS;lkGK_ zW_e}5X+F}`G!zfW=tKInuF;O$I0!^e?(}u}iXK8M^ZD+t0Q;A2z%24Zw5Ic8igC0D zll>I+M9*65?cDQG)dP;lF}Yb*8Yk_UFYxeg9INYYHtA-*r~Uk}Vw;P*XBq0_7tX7l z_4eD%m%{2-CUSPjG@BXs-LwcFuY1;otwTcN5xlGomth5^Z})+%ul+dKC_vT4l*?Du ztrxn)`38QPqpaE5I862SXovkD$Nm{q&bGSd*)VRm^9i)+mDe!A-o7a0SCz|VWp`rx 
z{rMI`jIKmh$D{wqWKNy?IUt8u+s&@7Yw(b}{qgy0rK0AliNa}~Q8r_&)%< zruh;v{EU|S{68$(uR!;aOXu0;j_Q~6wnIT)AM@o;!1&7e4=@-QrQR@S%xmiSu6gMjzPBH) zPayGN%X+Un30$1v0N!w(`KFFH7YEbq*4NDfPH3dQa)b!m<55p5QI9UYlmbCYRB#tX zgLV*}q$-#%C9-HBB@BsZe$}d9BWSN(?qf=2csEPtomoUIbUKtLOTqusFIx=uug;ZM z*mxF(s$uwsx498QT|e)sO^+Z&N@ACAiA@w6pgPv)h@(;-H1aqo)vRHjL=>8U8En9F zRxe+()P_$An@7@*xFhZ>a#w{BPX&wyXyXKV8YWRP!6-<%o!JzTl87QRrAQVK_@ zcBeswJdcEebhxpi7Kp@u>~vZwDXTtoG4oKZb;0z4k1LxNFk+qx@eDtA0-R)-13L zaT*rr1RIiIpxOswte26R(2+w9yo_=RwQ;+QtpOd*0om_P{@ve5v~)#GOi;77Cy$*_ ztR;Jzy%Tl>^ilLRymSr(NI8-@^kqnhMvIBG>|IxpREu*NcFjo!&}48)vcNGX)JAgY z6en)&QP(aWKMo)I;VE&!dZb9c)9=^O3Wx6TCofA~uUGInZ=u?7WYl0I&^zVJRzEod zc*pCkKMhPE8H0tGqci^JCybx~K}BiAsL059iWZ>_#WZZvzDK;#cG@4G}Ji%r^>TUYK`L=lKCGRlzhElS{%nVty{ zYhxfDXmqdWaaasYx^59=+eG-q!as)5uw-2qs!;MfRrMDi2sr+9m2{(=WDkWTVm`0N3YA{-_H-M@Gva$a#q7|MB{x&c!_ zfjRA6-`Snd8%GEF1m^ls7+DH#@A=_962?BQ9SjnX>A#KtMsFJH5?9ZZrRVU)y4mG3 ziRLNp?7}LHu^3YI{}dQBu*qASd$;5-NBt2|OHz;q$7E2?oA9AtsAhGvYg%WuCls>$ zHN!COo=?I2@ozjgCoTe;sK~NSU?K)TD0!S89PZu;3Vc;Qq#hJMij+}(40&H%Kh^x# z5Qw#srn+5kG4~+3B_Zq-O3){IB`M`x=>{bccEX~j7bVC~Yu-M#LV5kTvO9!AgP=69 z{zr7?c{1KT6GKt@1EtuhrH&=>G*-h{GewS&KTQS@Pe!?7%hrzj=>FCh&J4dP&aCD} zUrK27cy4ARFY^sZt&Y4%;wZz3aVRY}SFhHUV7~bT16d@U=KUG}Ez!OxKS3A1-?I1iV_a~VL2$&BDumCs)jQt)c>klqkg_uK=0tNst9Vo4V$ys%@ z9?$r`JlETnSp}%NAN4!9`Pp7W#V0uR6P>)(t`8^|UuH+VtE&(nnYyVx)3#W1EH^my z#|tl+uZq5Fo-H4GLmjm+8?=+e;WdEw(w5_^H8$7$nlfF-ZU2Uk_`^*fT?gwbpIx4l zZRdrd+j7k-PF}#mWJ0hP5dPo{!*u`dnuBw(az7!%A1T#cQ79VFo9=?V%F+1uL<+ z^zXM^idMVsfMMT#Wb$k6Y9Q-!AlJ0|UWWZJOs}EoE?aqY$>RBqJ!$Rc zsA*o4@Z4#lrvd^XO-86q0q=v>bY9QooPS%-WL?{UtFKaaC)nRQuDYF^w}6Hd<(sT= z+>ZO`lO=eXYtLnh4sH*6hs%gmoN9ZlVHl-i5c&kPApTM&J{;BQ@GbhVo%j1 z2B^%hb)*?xyJvDE0m9M+65FYIw`?efjmy4;Vi0aPsRPHp#sElMc zqouKzx{#c=V#awVudKVfcOcvfFfWG(NK5YxxLH90MgzqsE)sTQlxoaoS?IMiX@b+a!s`GY*~n1n!+ zT)0bP6_1j*NyY3Q{$D-|L3t%E3|l`*XLmdleN3?<{d{Ghx)=#!PgyPbpIb8{hSLnA zesW^Ak#oA#p{7fhURXEg6HDy2Afun5)F)^3Qhq<_%N*WU<2mg|YR0fDAdHG3KaW0X 
zqeS@2;0e??FP2C^PDf)`%ZiP7N9by)mN^x?gM_9e2nO`+>TfVOn9Q2O*E(kLcYk=DWEwJZzXCu`y=)mx8x#9w?5inKJ6b%Ka`rEKF{T|7_irR&hC(T z05YkVlsH&mz|Fv1+VLZAr1PQZ9JmU>jXU!E-Gli{>K;!DSAq4?ClCNM@Bi<;`!jaJ z5QRTTLYy3kL@6Wj^@osUVBk`5|sp-{CN`uuS!j8Lh zcBAqILhyF&4E-Z=*b(w(e4a&>3{CwQ0wd&2d;H5Pn!*X@c8yt?wO1x7iWfRMXoikv zoRLg*9H@wgFhp?3QNeG#PrmGFfxI(7q@33rF8%zO+nz*Hbl;n+H(?D=&>Yo=6;we* zYc=B9RX*X6;`Y&2jBla1IZIx4x>(uIlKbUaXg-k&I#3vbWMR$(@D-(|_(P{WjSP}k zkrrmDW%N9q%ydQ*j3@>+p`d-C8F<1{I*R)=f6!h7Mrt`H%5r9Co*{TiHVSxlsIgU) z=(zAQ38CEt@manpsmS1?;sXp3o%&X<5xBhkWk^2rS(h-P5CfqM)OD973T9)?@Q3YQ z`ug39Qg6crh z2i<;5#ZA`zay(Zt#N+69vYaue%Y+>GPx+*U1?TU!0DPzdLWsofbG{HrOD=%j$$l^D zpU`eOLoxtdU?5B9YxIa@B7<0eq`_onXrA?3=z+F@j_ z#LI3}V*KJG%Np=@O_=O$9h>U;M(cRGIsdPPd)(S__3J!pYDGugFlTM`=;WOB3s9iT z(>;~_Va*V+=^LR-Q~yQVS+K+AK83bJRoTQAbTK!WY1AMXliugeEuM!C@^(-zb2T|z_r=2p&tRn1njJQtUy%qk zIlId4|Eg#pYBWENt>127F1A@+S3pZ_x}NVmZ|r0Yu2K8oX|D&W9PTQcSU=?LJF0Xx ztk~8)TpcSmV%+jw-1TRgB0{KI)C?B(I=P#@tX|Sa!X8-F907toCDR#i0Ot;y`#tC# zUhU5>satbE;s$O8Fz_Jxbdvr23V;K5m@YVzZT}Je!gY=N@Hi>Bqh*e8zgE?I8Tiuw z@#!&j&My0Py1ZoaWjr_F(|jZ8%XK$rsrD7^b#=Wk+!LH-=-Tm+oOQTk?Rsw^nF9o|&}rMn-W`*y!ArA1t-eopB2Je~k; z-+&cIIlkJ!q*qfQ|Jd0l@M*B8y)O#w4=FgXgH50ASb7uJCmUG1GmfS8Z^^FhjkP+h zy{>{lk<}T6eeM0Qm){wud)sZ7`g4?9Tv7&N7!QcTSOxD zd?23$TdYm@Lp??C+7J;*t#~B4vb2Ryg(9n&^g>{i-uFW%*m&ImB0(EldO%UPfNA0o zjq7);krz7z@)f2o&Z_Xrl%|m4^g!M#{f?NG#0rHMCSW7sI6-7hA=aVaRhu}Mhq&vEqlrM z=*dw0)3EzNuKKwlqRgmTX9Up?BStT0T~_)27v6}p-%KFEd7dT`^H=dQejVhmmUZM> z|D!yiB|FYed0Vq`+o&Z9*0FnjVnvJ+iZdP!YdG&*idf`kE&Ba?A+xmPe$2H7U^$&+J# zPd5+;{DJ|Cj~F3NM1NNB#ug;Te)t%Wg0>%QU3H+~Q$p37!ny@lvC;o3!}r^=ASWvn zu2hU*>jd5B;T;CuDR0)75f_`YQ;=(tVvue-OP4tE=MialZXH^3x86<6br45%6ydaJ zQ&x)_baI%dfE8%?GiKPZNSJ`AR?6f=OOt$lrGu|t4z?TcRzNS#o1QKQnegHEaA(U} zt2M8;3Xzcj?A(fl=H32|NKXVsKTu%hCsfDXvoqfuD%Mfc1QCy@90RNBd)!p{H3!jF z6}U+Edof<6Jo`Q(h*4_Yh$rO+q%uo{RIOeoUj8>s&l5^YQ_m zsBpBDm2NW};YF$*@x4Cr9%*}VgG^W=1n!ECkUg^6pf)9x(}tJ)(TFDQ_dq6Pqal9XW4z^yDGNXkRJkx0f`Im<}7JK zLdRs?hi9A83i|Y99pR&DlUHlC=otAU43%UGGKmNUMS+O_(7~@rIu&ye&GHQ|ZPY}Y 
zgP%>Jq*8v#V{{L$8t3_wXCutIw9>wgZLAKSyT3@QY3ohkyPLbRi;d`V!HhE zfJHQpgg(768YC0T;w~ElDg7MuERE*n$5B|s#96qa_WtLn9Q?EVRjbc_X4q+{_(@(a@Tod;p^Tyaou_19(ilJ|IsC9FJ>YVn&Xz&W`F5(iTBw#Ql3Bb6G3G_qTMpGyzoIgA` z&Vxb@jbKs8jV4rLJy9DPTMxag+9jc==EJuy?X2wB_%uana;-X%jE7m?Xfs`zT z0Wu4-OY?IX$xNG~Nt1k)x;ewWJy}weg+3XxFu19cW$`JE?zgFY9^S>4l`c^qh^D@T zm@{mtbc#!4qRgya@`)7dg*izOqoS==W}{<)3tQf>nY^VkWi~x{pZ(ksVx9Q_&9J1H zkh7l@_acPaKhjRLbrfpr4QT_tNF$~UGq`pB5)ISe5K&E3LuR1}2t-8cu@vQ%_hViJ zjp2MMuEw#(;kAFC_7~-DhaD`|U5mX<|64c!^r)BFzE~GMwP)`&--85gVABGw@Rf9%Gz-xWRG^jH_2xKLIu2lxcvxGcpt$c8m{Eh%pU zcB8+pHCdQHR#dNE`!GFs#E>_rx>q4+$y$(NbX;r=yIfb^wys*XZXY>kZ6;i8H9Qv> zV{9f$s(}-%z*Y5wqO2G-rlxg}Y)t^uA+ zi;knsB~yD{=Py<7B+D9go8h}DW)+?blYeV=hJdD|xW#CTv!kqN?)||c)6Z+a0{EP# z@fKijiC6tNQ@dIFF!<=jvfJ>$KzJ` z!_%^h9Or$M-_yFz_USp!w_w|22|U^{barX7C$W-W?kM?b`{dKV#z6-9RAl>Gko zp_xaoi@VR&1ZS%9HALG#rQ%&XBI~2WnNF`k{f$`0^R03cs^xvV&Q#lV%KgN8Z_|nV z!N2Q7Thr@ibK>?m*|kx3%`J`C$7ktRE5{83^}AgK*7ckC^1I#KOZR_g`2%0LW3ns0 z(mBBA?|aC%Zr;Uw6L7ucTSgUF7924y4fhuCqzhw_1Mn>a68s75Ls=F&G%?4&=z%rS zKkq5mD*qL|zW3unj{lSt-%q{__0Z(N=KEal99~s0le;4U7c@RC-&+v@A(B7va2GS* zW{VW7Gn`%0f%zL@FG^I1)N5{+;ZKSEHwX`3bOf8(GLbNC)=Zba{2;eL-yJid-=zLL zS%D*vMMHcC?*3|W(YPK0lB|FZIX^Rw>igXjUOv{Hc0)KWM(O<4hdz{U9wvv$QtoQW zVdm_RDfM1C?7C5=G@js%vU@v5*MDKXiow_A(|7m!hxut{6$!MMM47XQWl6?BUYVlh z-(S>6(Co>7Mw-dzW#LA!=|41V4z|{VER-*`^4I1E1mr86cI8R?9oyCDHj-)nKm{Ks zKU6FKF{r0W#uJ$?CugGO8@gPa>ap}1d)R5uM|+;C%>0`QF%&pQIi;spB0y+*q8TWDXdliL;QuU!S2Ua}vCB;N&pga+Q+mw1Wo=FX@!oAJ z&CLc=62pU^R>~m?PaIO1(VsD{XgHQC_eXH@V7cy*{6vPM4oY220x8ltnOt|sJ{e%zC0MqZqJO!73nIjOyULJ zeMn5h`E%?gFq6dBpG-Qg6ZiD%a!e30oAi4h8+=A$4e7*^%k;sU<~;Z<5W1z{KpOR8 z+!KKze==%fEC7ulJ}DPH|5xe_LL&tf%{#y+FP2x_#F6WlU%Y1c*Ebq+Uu2~eL60xI z|DNioO)Hs35Len%UP=8V(ne3))+*%)zD+DNZOBz=2qs0oW;=&ZPD&cAhlh@?QAAaC zYG|37E@ViOqu8V~6KotzdEy8N>aC!o8dZz*`^rlx@#oT&7=oK7BAdrvd=yy@<=--s zDgvP^X45j&Yc@^fOrXFydRVFyd@LJHH4C&4ug7oQf#~NiTYg$2P`^SO2Gy8aL0&Ry z8%Cojvma4#1e+u5Ow`OS#GhS)v}aPf6(O!F{p^)`1^YucnVj&Ool_l=t(FQ+0&GM!(d?cC+JF37jg*yYy! 
zNf$u+{XdR(@-zS}`BN@sr(He>L_0tjwq*4s2!+DqQO3E{Zk`*IBhXv^Frpe!7nE;V zjag%Au!K_*a3X!CFT9lB^`>-0k@5bR&rf&ZjMFcWUZZ*EX7`_yiJeGwLRtu>5HK|2 z=+(GgJ%_hP?%77kZS)6 z3{%4fjT*_J?fB>^cd{Kb9Ilf<%+&nH7_)FSU8sFA!ZPw&?U3|pent6}0>|2zO6TBe z=1=t^y*H1t403rxEXroiXp%@6NO4zEKKcx@JA3@l1(DvQN|iBUbjB1GzNT{xKV@%#-q?5Mzzt-N!hZj?nAV^|n+%_n1*hX?Pgl!|>;k}OYuhU7UuxfTjE`VsO`7^(xrfq<^ zM_Mz*XOe@@Y&PCDXeQsJZj>)+k5&uzZ3iO&cW+j6#l2P zc~V%_dc74X`z!{~Z{_|hav5d%aZ4@+na;P3l~gq|yCSjX9j4R=X`&A5k~M)>Y0>WL{2!*ivAxo8YclGNI<{@w9ox3; zjyp~|wr$(y4m!5EW4mMT$(cFt%zUZqxt>2zcdb=bYiXE|p;h>G%r*|_2@Z|R$v5WyS`$&o3`=dKrT zQJ)<>rQwfWPh1)Ls7RA=Jr8tngF6wkKhrbK-d%G5E;iXu1hBV2j+5-L91Q=41F$81UoPP-j$jmtlkLYNzvZv^%_TM+gbEdO0_rHn2lJsy3 zC`4G9s;ESL-CcmQ$y~^HiN9?49?Cvx;gakehENhW3blPZM2gc)1v{ky)-KyYiO>oy zoHeU9ZRZufoQRDQcVf_Kj5F4r!j$BeUYE%;Bcqc+3BK-!Wy2NT2qO-~+<5UX?M_hn z2TiMvqIw3(T*x14hY7NvVV)95mv*dTI@LNl)?kHs#!-``h#yUAYE8n6pS666=f(U9^!?c20cJ%KPM(PIL0Y3< zFq*in3?MkJ2;ESM(ZkM|lG* zA0`#V5f=oSwU%Z@Qd;i%u@xxF{IsqY?{Q%?vIwci(6a49zOhi4WgtsdQS>KOy^7I7 zMATy3SBh4SY8lHGT0wGACNOEY^b>0ms1Eh+c0jH>1k9$7#nH=Bn-f^Vn6*)|Mg@x?CUHrFYA9)pmu(zVQdy!QM4C@^1clGA+m5~PnF2)K7iGdig5)Ox8I4uV*V^dZW4l-tG zyI>M^PV@2rGi30+2JzY;2?@_CZsSV`x7KQc|EDhnp;5h#}MPBU(Y2wxA8 z7Fmu>Scu|nFbRct!j7xH8JE0gLzDj9vb=r&OT~Al1+&V$OMiN@Pf`7yFKd;I)6Z|w z*d6=*eiLULgD3(JgF1h)d?pk`(H&A#YBhv?2TxSQxh3U##4RlI$^W9zrihb7-4(;A zeYm#Bvime9o*XDCb2MEx2A|v6#@7>vkrnH3EWt_e7nFS~xp4hRG@B@xPS8lVfwlV< z9(nc~|C@tBe7S;LGpvu18Jug+n2SRRFjUU)u1|WiTIn=$L*<--;@Y*LP{}FElTVln zER=v#N2z3I-+gmwJR@?rCI0(CqB=cCOS&5zEOvBPj}5?BecmSKd?|%~I=tnVQj5^k z3D}P@CCcGPnUC@)l8#u$AIOFHSYE*+t~8`RBA735mW#=@Lz4~1HqsVQ)d=3|Hl~~hjqnIqILFI#@OS&&{G?T zHgJU@ZXKSwtzb4~QhDlb^bB|=~v-D05Z2h+u^ez@6xBoGmfmFcmMAywa0?}J#D3`a0j0 z#|q&S!S5Z_E}vi1F2|_4DOcc_ICz%g9ul^x4mo!lZqvCvlaUjj?>RLE7=+qS&}$#L zuU3P1p;YKZVB3JB^bLzxqV@_ON5?18EAYxV4-J8vWYcY)_hfO6?fj6BMJt0^RSxP{;yMXlbzNx3l8$vH(M`lhMg~uO;6?;;Y7x%+KzRS z-m*Qkb}b&ZND?kP z76jVce*oeA1R>MO8li#3G`r!>i z8*d)`2L_&r^ago@60c}2My}4`3?Y8iom!c94RZ3P*OjWxUY*gz(jVaZIFqjzSiVX{ 
z)nsH}W&UEhp$rjjthM0Pmpd+{%mn)p$|x%;Oh&wq`r}Yi9{b;(4KjN|X=P+|0fo;gbT#TB z#y!bT>Oz9*S%ga+!?UDYr4lC%ae4@BGZ}=;Qxb7F!bFZjEzP&zH3OE$FfyGfgyDlR z!KKJ#YT+BBM)S9{Vgo_di_{^}m4Ol90t2P4Y8SLBhH%zWP{9;M6JWwqXRBo6H8q2p1PEG+IY2@ z>r#Bn_vU;6*DllbV`o;386_f+1iKQ33zNNDNZ=G!<`gq{HW$ru{fn8QB}BeC+o@5cOdewcCmHC@A$f-b@sCxzXqm=FKsy#!xr;$N zL_@5KG^QA@7AutjE4CwFB#zar!X!?-hXe~bbOEeDqqx%|GtL{AEKy6`t%;^x5hbNm zhki$uXY|1aApv*YQ{DU%$@_`mn$wLF5nqLxc-(*?z8>zI++01SJ=j`fH#@yy zjj?X(*B6EC9}#I9rTmL}OB~~cMv_U^c@Z4*6jq3DaLEE9G;bcNe%-zkC$ezn-PgXK zPFFo0pC>Ys$8$V}dB^B%+NIfLFhh&<)n9=<6qt11cB=2T(_Izx!^h~&6 z>I2HR2GB=irL;oERTyvt%nTzUX{c-Umzdtf*1HlcQqr_YJW`RY0T#^RiNCl4&Yew1 zC-hpGt;BuMgKSo?=b>_$9)zT;hUsBioLRH$cu(8c8H#>}N8FZYeLIt;m&fQMw>Q#; zUv5&8ROJCo!gaI?UKC8iYRLHe zgScWWFXR3J)E<37bVKY937=d`RzFYtzj_t9cY^Q+eDN_;o7S+&66{9FI7Slcsi5ajVqq9r%RwW*~(q4wUYa(QksFXPuu)3|^y%>y7 zOBTd`KU0#3K5L~K`+0Q#Pg*tPMFafOwOp);7$?D8qzL(rESGliM%W>_R5`B-ts`-o zV~_M4%!ua_KImfhOtD381vk2?7>3opA*5Nxb72`xV@Q4(&cLF27Kf?7tdXZio0MFH z4k1`M<{Nogg_n#yzXu@hQj}a&ub*?&?G|{kZ9>K=x5w>JxE_&$0>s;5LAGk8q9)9D)`mT2#Efa z%!iRifqB$^+uohqxv6;+c#yMbyfrvY($qG6Gre!x!D6ff*!Dgy2EqH^uaB1jUnE>- z?H%>J|KV+K#0-SZ$SWDjsJ42JhN~Z6mzDYT2puc#31Zd>nPG zy9G22xgFinsoDZ>rZG0QSA9Q|E&XB~0{I`Rn*85mKDZ3_xw10Sx&WB19j?lUrAM%I z3@&?S6S9uJrc;3T&riqR-aE(KZqSye|Hr9|CeZaWN|KQBppU0)iqA0DV`AU3XRaF- zU^%f(TUS^0{&E`y`sMj@m}1awTH{v7U4MXr7n~LSFDdYkTM-u@=&U6U_IYUOus3nSte z+I|dO(cE+a4cLz4bslLr_Oe=rDy^TNJ}a{CO~Zk*)7<{E@ATg46qcHdr^Q6V&53!gt`!Cb`AD zf838C_^jThPh|;ex!iug_;}^=d%LpP);$~#n=1nL!{c2%T&%G*KPdK`CKg#W9*|W z^=?*x*S~$Il~<4+jq5;D%0)74ZhflIy?#DJ9r@0SEkE9lH$$F)4RCKR&(jO;TaW9G zM1Z##+YYShKZfh?ueVQIzcGBD+XVgYf|)ucGh=7iwkAM^^`L&DUH?_rPZ0lq7~Ys@ zD2a%T=i~4}Fg14ftxN4N@3GnP61rjdQi}CD;yp{8|{)jWg1y!9#BB)DLo6osY zs9$=68Cyz~+e-wJl}*q{;wiH_N~3RIK1O#&ABzA9_nVgq+!?;p!Aj8%i4c@CDsXf< z`~4{fCzKJ9);goRJj&O&Chub|-1mV-O!rc23TiZeXctn>r=-Lz!6zw)sYAvmq||Z_ zcv^!M!Ys=Ln@oVS=C-!7!s%a1MGi_rA8EW4F05I$2^L5Anh87Gj9bM_$>j7`XMGbPrPhM4;ms}VWjqrFO!vw^*_5lgTtnCAw6CLUey$Coz@TdvRvL2x7803OO{4mevR@`A-rK;!0?F 
z#y}7|-in#S54WsiC*J&N;i#L3UpBG16)|LOyec468R;`I>Tx z7r{t}#dz={!OJv#cxecYBTI{R9U2!K1mo~>O{}{Z*^PMl5goz(O*k0+e|7S1s#Lxl z&Qfe6KW^3B)0w@%@bQvlC$V>asuMllX@vzm(cCsFf@`;lmgWqcQ!676l{d3 zuq!vM8>XOGte@b}XE7d{d6jGoBGF~U9FpfMX};pC&cPVvkizT~EE0Dl^r=b!zFQH1 z{#|5tsU_-ipCvgK^-+XfS6LFr7M-YQGgK^hn9Px245%b+5(oO!|I7p$k_<^<1?000 z+N;Y2F{pRGgn@=+cm2f?2rW=n+{y6LvHvXL$N0=23fDp?a(EiR3yql=(ZN%w)~J<| zMmZ6)_teh(5`!%nTP0Ze)==j{DsC1)n?jr5L$+t#rm3zPD|nKLPIPNd4*a#pepMx` zIXNQly(%Y)xJg<={TDiO%IO96Dj5N+C~^&bc^nFoa=;0A(vtLx5b3*`1S1E>L@)!# z#^Xki48U%LbhVM)Kzaqf#jfGvk2yRPd8Yeb?@(yqgys$-?Gj|Ibn9p#>9I&Ka-yEn zemZ6i`>#@DPLU-OFV0*Rf(*q%Vjv`pE4Pj7chlVAmSU0bHMNH4R-`|T@SqH3%D9IK zc_Q$a7@%Robp@EYa4M$~2-4JRq&UU%wFu$!*}hZZgL*+2&(WVw=b-$j4@c>ZXDQIc zFp&Z1sqQQgg2=U3B8WT~xv(-Qp#r1SYe7S_CVfakiLu_Pb|$CIoN4a8EQBrU%ATyZI_(Pvs=x^eE@TcBE}hK`s;n3UOU7& zi!Vvo{}K!-8e~+w^wvt3E{wUNMh6yUwdtS&ccP%fFxKW-pS}#)pu~Y|Avx!pI3x~6 ztJ|T{DS;Eunrx+-uQny*n_T6cQ#oLvRF!o?vECx$6t50X13}^%HKV!4|L4y*vO-*- zb8O}Tp5EV(7>RJ@Umh1FLM=5|?d=mCB#sHV^Rx5c>9mz9Z9(p z`w_mCmGqmM)7OhQuc{JfNu(5O$X4jPEHakJju~|lo;2Ud^KJhZK8O&pL+6-EKon*F z=ZYT4Zm!-8CI>d}Ld$jg?Cvhp*YP9lS@;w1o zpCyL8cGno5UQ9i!@~-M{Q-&)x)HNrvw_dFu+6}LMpNCLw^_($3EjIbz_KS98Dd?U8 z=Rc#6h#yy5`9M43Z8#%%Wj~!C#BJ$i>|fS7kzU^(U%GO;bpez;D_>=oT#E1Kh3ZHj z3o^$bY8Rfjo|u{ULxJD!;QmABf(EwccV~oNLjp+W+sOb!oGnd1Q_Ad4n@^{R=?h4O z&viqlBtosH40F)!-2tIXz>*?M2q0(m?GgO3#t^WVah4szR-~PANXfR+etEB+aU|h( z(ct)DhxIxSUAunJ^~JdxcDu@LdTYQ&!1i9(v_9za@zWOI^$8?iwf&T3yScF4y&Lgyu*OBR-IL7g*U??Z;AJ0Gl*;pTut$`7H;Ja0 z?)3EP0)BOg@aX?lHP*&^f15=l@HlokljjTi#N$8y=?T*Bx^k^aFgQMwWt6CM7#T6> z>eltY3p<<|j{7=BvR{?+YeM22NSEigr3^pKb6Ibi20Be>Vp=Vvc*F)=i!WQPx#&#PMWtpvEXgvX6r`vs(Yv>xs zPLOBWodyB~KM0nsfP5MMT|W~=M!&6UI(!hZa@3D}_I}E1Q01+Hg5x$pb?-}ef*hC` z?~8dP6d@%~g4Px9akZ>!!gNDgEg9^Wp+~mOSB)m+;SYol?!&Byc&bD2$Lt|xNeaUR&jQJq%_X7ZFp7XaSqCJTrq0bsJW`F z`c=zn{RXcz;q$o_Fg?q7Y2k!xwE|u_xHK7$8o^W*8c~-OF*nmwv3vOM2{OQK<;lsO z`nnUPa8aVpG%cgyGQ z+-!(d;#o=cox(Xg{1y+Zt7qKZ0BZ7&A2viX%>ke3)D47-Y!h;mbSkt(?uD*}<6A{*!A(v&gmCo?K7tD 
zE|n{o9t6tmTI(5$`%z{noI?jwWQLg+{@!XAub-$ly9x$Dn9^817Ai<2>n2<-qA8T0 z%D@ur68K}Yn7}5EIQL`MW2}!qnTLcn^{UdBoQr6O;3~y@dv1&!krPooL4as}C@+;+ zma<>cQL4*>L+cn`v`=ijbLT}E@bp}5(p_wKd@b%DEcy}M9C!f6IQ(gl6smqq$SZ_ZRi@ig!c%~y%0h0R zQ%>Q(XfJ~<=C@EmkYoPZAk{Hh(Ex{o92rR0aUN6^bR8@>+0?3zYK0d8YS@;!eEd}c z0M)}dB*QX9V4_wW@q$<*2Z;^@{AjL_xG-7O5__*Cw)=3{xw3#A3j^h40s`iubwnaO zAwP~0Nu@_(kU`H*fN`a+^Br*}M5w!P@PP&y{nH?fjg~f2(tO1 zlQ~Ti$vB{jRmnS68i}ASO4mToW>6(4)xyYLp5DDP!jblVAsZ$y#Hg8^H_N9e*e>R54cR!W+vA|Cwr+ zVJ1S}n<0Hm0>7gW_`KIUdn9e9^XE+u&Ch+Lec$CS|CK`zIy+UcRp={i4A3PW;CXDa zt6Lz=+r0-~!9?NpNWo5vPnhJ*k3%JAS!ve)Oeg$m#Mt~86kUHmxy zt6_@gd5rUnj?TgNM4^hQ)Wc@GRW$~9HMDZ=_p&JK*lP(O!mppg9n53&@;y>7`*5SP z#yeQU@X*_D#JSV#dVa?u)JhewUA77c?|k7GX)q^R|rc8YW002MyGzi1L_GFw)+U6Q5ErlC2$ zC-PjyZ?twKdHY>mTj+m|Zb&%vpheg-0v$ijdp%G6*FlwETbnZ`d_LaG(-wnTPA0e6!3lL`;of0K6llsUr3%drnSGJ(Et$)NcA`=bBS|M=tUqLezp9r9=;!Fs>*YvSdrUnpfLk@Zdf1_FM zL(i{a#QmeknceR4JZK_S}D|lS#wmQ)uu8m5Y#R$|{S^#YL?8LAZbV7Uq;v}+SZ zTz|a%f{_Zj%O9RVRYXanph)0KHrPNH-Jn1V!3TuOO&oPM=4FU{F?LKm*W_TyP zIYE8&2I{h#E(i6R^xVICLyKDsl&FufcLZ6{CcvoL@fc zWn6j`Dkqnt?|)UAQmN<0n0-f+F|JEVv32WET@Do{P=g{fDv8(-_cr4x5Q%`xhcAf` z7@H5DA9$}=_-nMLP&e)#uXUhOs(I!r0=*DMm`z)WpnJw4W2Zi9R+B=!*vzT{CzPr} z7PWvZjEjY9&_ml+bqZCUtg2*&^j4@XE%cB}r#fZCkFCVfqpRpPni@|qqTjR74$!iM|6i01v0&xFjNQWX1d-Xec=b_S#2UAy@Bx1 zyASM2E*qAw@DQBZNh5m-ouz@*LO#hwl6`=JY+MD1xc{=oZW87*F_&K+5i;i0yIR?{ zA%y5kB|1UZp2E3RK`MYti>_=FMRl4+i~>+xVeL!i~5aYP^cP4FSQl`dRHmD8?Acgl9+#kXd(R<4K3K2fx&@RU{}^ zFP{SM1Jqo}Hx_hy_EuR(Q_I=Mq406PYOR9_W@{`d1*FeNv^o^ANZBH|crDOScxC)p zQQ;tzI5NFxq_C(Em2ptmH!6)(b3%=RaEdQDQ98D2?i#R9g14gYu^U)&k~hxG`2V_+ z;e^xXFDsb`1Sfe#g6PlvKa)VdoDYKHj_4twR*jjHOQgjVCCr90YZQHE+?IjsQ z7SN8tu0|$>=s+bX5Wo>^+qOQG^DU=G>e+G7v?t1X?eiXR$SP}~Cb}9x>12#vxkt9{ zZI~x9xQ$rE?7~SE+E9fOYS?ng^f<3Oa3kv=h{XP|4cD?Qp$-4$t?FUh2>I-k_xD}~ zQcSYNq4bifn#GVroa?NUhF^uJL(2|_po2-heydnz#eBB@MZta3_K|nrnl8I_;Qs*# z5`2*Pv*aFd`fB*ava6ukJBcpef1i>@$PuK-!uff9pc|$l5DImue2XRiNA$-v)JAfM#v8&>txqmTVYl{>y!N6yAu zBvqcx647h_uacfrSPeMN&KoSvE$-v>YqYAF_lK8X*}6a5sXV5m0h0_>g1= 
zC9)oLfNqnQtFFA9!FTJw2TyOgw0J&=Js?Ym`B*>??ecP2uf z{Z7sgls65$R0tbK2R?Mg8Tbgq8TKv(b>&Rf2{bWZU$$Uw3hp0>Pt<7YTp#ZWx9xr1 zq{+F@>F8R8=1rq8_^QO>3G;ZH|is=X) zcj@u{^^&OXf)&s1;fSn?AJVQ{=2#jOqM4xM3v`ha%Q4mK%5O3`{+#*E z1oD45^WU5OpDD43pcJ2B$AiDLpA9wjU)g5`5y1|S@4=^k%hxRLlzFC^q*qok2h!U5 zLs1_NWcs^TgXvsee$PbDE+Ye9h$l1xOT~gCnzXrc`Obs^bBIJztqO{5*iC&z!V0Gf zWeF}-?7)Z05tCw(xXT77Rc{8uIh(mum2hJ`S#9Cr)}V2PopQAv{f+y~6`O+~mQ5c> zHk7R+XH$yYDkLC;D^nw(Q>hMdV8e3>YmQL2C<12_)~$*~p{FcbFh-45V$j0J@!dHQ zHpe>3iTP+W5b3T0T$?C1+)fOfh8yc-(5ZGuGG~&zy5u!8RSNpUtFKsg&8gPbXiTkX zeGJJP8BGSEbQ`a%Y2Rt%$u0zE5iB&+cowabc^tl3ef(R?aLu*#tGF4qlImN_>8yd)A|5~Lt2NN8OdF1|#CpDwrk2Q&Q>quSbjt;M zj+&k#9>o1pmk1+hT8(@glm1pEC%0|_bYBCfrzW&sYs7GR5fL=zB8wbmQ$f8Ypyx=~ zgs?;s&t#RRghdQd2zi8Bxw-)F%(b?M|B+b6Gu!PaTE^m>gbS?L{q$8jqq^ZG|$fL+!t+3 zGg4ZHust1H@r>HK4M@Tb0aRwD@r>qHICwoA2D`EL7dpZV@|iDZ`C0x$CUSC7Lb)a* zr&Ij9K#vx#4L6=lM)9Q-=@OLg5N8^m_?iMA0S9S-8ymQR;?kO&-c_tf4~IgWx>_Fv zd@h6^m5)A8&!|fqQ$xuiQ`cqIt4VhNMtDq)U27B zO_H5!_)USMKa~RY+@+6OPqHR7vSfdyNVh?62PYf!$D83Jx{y zAoN%5B4ACYD1S0bkE+{`vbc3bjeljiMQ~!uVe=%FbV@a9#EDMpU_0w-L3YZ&*&ruXzj8T$euog(rV*BW%jv?zlJtZ`#ay1MMJf^H()Z7k()CQ%VW` z8f1#)yJ;N%`Y1^1w_JhjOy@QWWYPhC1_s@Qpl+E*9alQfN-|;_}f4y0) z@oe;H=pFW5m~R(X_!ira&j9^bbVF9+Ru6;!=G+#IFlfEhZe0Jqd3~NWx0%VSw|X(m z@!lP7vYg~UEoNJCy!Hit)9ig%4AG_EBGS5g%9<)0hpuSb_8R|MXSi>tI~eXU02cUM z{Ct2JZ=1`!hi91WPt_qOB-Y2e%&ITm1YNMPT_4$6A>9kE5;< zO84)gpKd`|7yhG?i=gajP@e2N-zSyqe)sFw6j-@cv|t0#Gc@+UEF1I1vhq35+L4|a zd0r)H%b@!bZP17|1IF?JZ-$czX+Oq-P$K~u6zvG)Qbm=u^BLe+BG3|>oDch_{Aq?R^f!Z z6ZHn{JRMd_-H{m8LX#f5gas6Rn6$7$q%2n6v3bkT53z}TIj*_0`1R^_iZQKkQ|y{@ zr3@*uI^}RS6xAo~xZ<$*yD^kMhRA5JsMEqR=R<0oEtpBDgag5=7>ujoEJjenr_JUa z|DFAUvF^+mE4kn%l{Lq5e0jSJMn@UW2>Tq=p@oe%8@1KGRylj z248?=;_zy0zRB+)ERt@9)gvCCFsh z;SSk#XwIMncB_=AE;}?D;^h%c^w71c%wWJHxDjARi)b8GWb<#55{QX3YzqqAYkgE-H2Km~8E+XvZjewCuTFGZv8{*`VgWjTRd}YvTlKd+uPzUh@`R1)TZg zf=oZJ{8PSGu@vo+8vloBM>S_bsg%I?FQ&Bt0Zb|spiA1f7{GkuzFNH0h7(rNX*Q7g zzSgmag%&RKDbN_rl-kA%0miCCsUr}V9l5FIlFCh}iYkOUV_?6Go@m?(xoD6QHxjp{ 
zPAksL(*KffT*K(G87qCORqmGZFc<{8}Z>YAOe5DbEHnhid^*zZjnPFG*OQMyI2ORt}FT8-a+W3u#h4gMzA&=S@B zlYM?v$~$V3o4mVMKSvXFUk_=l(?o<~%A9|px3sIOMPP!vlsNNG$V<&Z9gXpP=ke{6 z>Lz1uJ^-zCHRF zf`5KoVW<78Br*_EYGx6{D!7)FljV#1#Nww*V!(>og0s@9HLrDL$$e}XmL4eeu1i1o zC3u=C)8Otx8Ykwn6*E3X94~>XL;E4RA^k~w=nk3Eb8In=UF^?t;UMY!%^D?fIGa;n z9i@>WG17Al*^oa51vc;Xk})bRj7wLGVPg&!>tJOFzy2@WfXw=s<@{(q9KAq!GZa5B z{6|DSwZB%i%F@_WDCm;^6nFd&px@)3QJ;xI_OzU7i<0tMKmsmiuI;V;h;d8?Nvn30 zuQ1KK(SoCjjoX@$6Bqy9V^;vqBbSZ@zo9vg=MMiqFrs4i`tFD-*0?OXC3KIdHz^8u zEvaK|VSjVB}#0mp}Aj-F1#n_*`&BS*K&XK$7c8|MW7{<RL5(nSs z>IHwjHS6sVKKs^%8o;W6|5~Bw)#m<~H_~iUyz336pw3|RA{Q<}_a)_$)90b4cdye5-^{AKH)gK$l{Jra0s~O3%k)xNE#YOu z^w1K9|LbjbouLy{Q7y%1*@t7;UL9_nfy+tWuX3Nu?DIH-{RH2e9KyA#{;Nks*8LZo zCg+X3@S8C2d!px4#iQRI7roamikELAHoh;i?%f4`=SRA_cOGx+nPF*pl#TEfP}_!% zMPZzuy9#TLC3#-QId?0*CvuN(y1q|mJI!RE%s1ffM6UbZf%m~c7a`yNj^WRTXD+|? zwIVEF%h1{cLH+u3-JRIm<>KqT%f-uwB~z8hbN5%Wx8;^|$@_Y{enS7frDMDINzZxt z@|x1Y=e_>Xyh{ILCv%+T&f)U`5xR4&NwKk7ba{1!4)okSvQ=Ps26SC0JXyla!}pyN z_^J)d{b%qAGWlSFr6_v>z5V%5KlVliT~A#$s6Z9+twIwQ!-V(s?m(g=8CBB~NV8c^};BrCC zgdU>df8kOzieC!s+{PwPZrzs-njMrzq>M?2xGgbW)PN?9QIvT3p_Zf)au6j&xZWT+3@k7CatqrjNa&0dfhH1IZucF3gk1+F z=_r&89oIebTTEhjZ7#WFdO$q+W&u49jkc8t6sv(0Mwe?irq8l%8Bhbf;sz3j{wdKp zsy<1nVL3hvSQ^}N$(b_C)6P5EqT??4r`Uo8IY10M^5a)=6Jk=5K7yU*hfGi;Da!(F z+qCcfEOS*#y(ip} z=?N$jO!or4I(8LyN>#z}=*W?V3@By`qlt`I&FL04a&p+jDUX9cUF)O7pq|kz?s7wuS^k@vpzXi#_ z!deW-atQpT?L9%GHT|uSweXKq#w1^zpi~8R>wy-%)HM-*r{PcsM|dB1o(LgfLO%`W{-EyDxvQDc8}TPU zXVR|?nUFEMu|8CERpF1JkCp#zmqBu_kc*T~fo)QnzALY48;};+!@xp}9FtokOb_50 zv+PopmK|-qk1Pp_-Gz2%j6zDWLud;3s=I8998{BC_y#vsjFzKJS0o8xkxci85*I;; z`uB&IkSMA!jq9IN_8glK$s!i+hEP{X2DpT@3FrE&#+X*&jrn%tRf+ioj;bV-uekd0jBEzJkg>4ACYxA&^O{JdgL>Uy&|Vo9+VlzF9- z-{C0IX!ah3cImFrI%RTQFZ84c&1tzxaK0$hb|I; zd26Y_OcZA0^ieKdcZS3D8rPrrA`HqEfjXHhx2_kzf+bhfCdS+3^uLdft#fCQ0SziG z=fl+tc)``Fp-7-PyTR?9Ee6nh-Sqx;QX6t1KosvO=b04AaAeVxmVgDwx}NN4)uo{& zfsZ!Epl8}zLang=COVI?G3N$ab?GOgQwUxaa-Z0);hVd$;Q+<&#yF9q8ElJboYPp5 
z$tvXCh(5ZF7K@5QJxJqDn&*`xBbS6H!<9J~E?nINrbTwiX`y%|uu}qRlVNh86clpE zs*7=95g8MtEGI2aPsM{4jJOd({|nCmQX}lr-ssOT`4!Ns-rnG6+fG{@{v*YWASzXo zDrg|_YrVv0zFl{$>^>DR=><%s6267D(Y`Xf12aD4n{L&+F52TKyF2|(qYbZL`Yd*) z90fWDKj!4?3_Fi>%Yb~=pYD&2Pd*Q@OYOUhmc*spWe?`LC>42GF;uaBVm3X8-LfX zGgchgW(@Ynrb7X`|Ncc4cWg`oo@?9|1r+w`-d{s)0qZ_j8#4x7b1SoaPrx%SKnK`l zM%Hi>=lfdsV56bG$+>s$62OS^-|GUrp_a$~A(!6o=>gT5txsLsYtJExw)ewG$Rqxq zH-T(8H?(smk5`JmhK*cJ;4{e>@A;;7M@qs--L}J_Dbe#?ucB8>l0q*2=#?vQ{j=aW z$K`m%vd8N#gKgXAAw)H9?PTlQaee6XbgQl*zG>%kV^Z?4Les&qOoI$)Pc0n)h|2!WjgpEBs<+fB)_SJs4I% z^QR?~{Krh}COiKG76W36YiTI2PyrjZIb|(joYxTf9IHU1T5XJqg23axmjO8&MJACf zLED^dpdYb(%&lIj;jT~Kk&p6}RsbbhBl{_Q4-5uxVj|Ue{8R~jVgRp!*N@K7)pBZ; zM#})yZ8chfjE0(fD|YF%?{$`Lh&T0|41XnxrWA@Rfhh02&~c}J#mikG{M$|PEDJM% zmBPPq5~Nm&^-wEI8>AFSw82js2xq6um1PUq=NPkW`iIC04f+MZIdMNI6;TGr?NEg| z)H!t!M)POc;a_3N{tl~TO?9NiB0&WQalF=)YF^S|G#VYAE45j^wQ|it#nIhw8bp$N zVZW@&&9gl1!0jsvd~_6urHt zzM$&#F^@0HXSA5JZ(ePgDqwe$)PjV9l`LHW(~8Au9!^0?FA~9vZmKa$cjU63aX_Mr zh=;xSjzDFC^0+Sn2rYG@`Bm&(VjI%!LeK9@%sBBomt~>-AkK#{nvZ(A8 zH=T+_dNR9Kg;TrLeYQkrlGLmjt0Of*sO$k1O8nyK@7btRs3n>dQOz+H3~A0;#eM${ z3jK?Nye=)Kw4|6*>)odhrkABVK#9zM@WFW)Kc>Kt9ZBT)vi{!c`-_xD zQmZJ-#T;hXs4~y@GneTW!g#eVdF1o%z9dXS2a8ZQPQ>HzZ#nFflDF!cM#S110QKkLv^C4*B_ z?w$LS)Z&x$LwAGy%^s76%TsiEmdHjifiCrUZ0V8JaG@FGla=3?DxAtHa&^7Ik z3|%>8U5O))Ktl8MgGp_Y2r>TV!%lkyuK`(+utV+eY?jl2LNEqVyqefyAYQZw(g9iC zUL5Sd*WL7jq=D!k6(4aKUWE{!>Q1vr%il5L|#;?3*RfyIlnsY70S?U};z@p|7uYf6O#-!8j$rh%OXzOuX+=8i~=*501doB1Hkx$ zZaiaDOfoEn7jg|ZQ0R(A2Vz&wI}vXFo5So3R&ukE>v&_{Bb9oQ>MjQteE1mhcUjRg zuKz{WR|eG;bxQ^afdu#9mf-I0uEE_xaCf)h?hxGF-MP5CySwX!i`+YW^QPXLsrj?& z{64jJ^+hJn>Rx{OsEXPvTc5tLMprFC!F9B+9FLzR@6 z0`;c@lZ@k=Nsw@-fB|xqF6J*s>d;a55-u7Y($sxx56#4rRvhfOgYOqiZOrVZ6GYWw zSSa7+?4Y^+n~nb9r6CF(IbsEQJ;Kc^vK>uNxpt65Z>`xZ=W56*y3>M&FR=`RLoa zP5XE0N}nM&{Wd#LfAhxf=_C$43niFVwKqYN%{P*m(ECRCrBg2&-*oLCw>Wcy|R7u>ug>>|7s5A)cfs|Yi8ToMbiQuOhQX`_9DX-|_u7>DJ~i>OivW3k z>%WaLJ)ZTjs`gu_&pO;)*>stuS?_AUx2nmy;c=}HIF6(By(2oYfwp;on$fxBpV2{k 
zc^Nj=+ubFP&A4w!she2MS`!~yABXKvrHNF5BlLU!>(;VvRHc>HHNFOQpR)o^es2^z zdvI&s-t@KZ@9i5q^{VQeT3b4(J`-@dcDEYD8QS~%UPFPr*6>dGxYH4kHlzyr4*hZ zIg)RR#;fL|dqH{6+r#w%LjPP|jj<^o{xKeEsv8#m1P6r6ebHjs$ixF!c#rw|y{Ut~ zL&A$=K2@n>(y+OjM67=uxojabN zq|1beC~WM|IexQY{o|HmL?i#CI=1tVfnU+)XgM>g`f4#`=DdI_w-JB+ zz)p*Q&?60tjGtwl5_;DJy@&1TpMer*)RGcMH^Q*$S;R?mB*#knb56uKp~-s?*LkCI zVpr`i`OH;qk1B%x+yxu%zv26zNF)_Z$xInpU*`y1HS6N-^;WLe+e&}0qN_8om=w)k z!$&0uX;sM4WTHoyD|GXI5-6#z^ClFyd;axLcmX@A%{*xw#5PfLdi25~sT%(h;(Ak<`_Ql2n_3paUpc_v!jSq+?gwTxdSp{CQ@wKvp)-xI zzAaa9Ck}_$&q-#g9tZO2nDi>u5~Cl`v6(Y0yzB!PoQaMyl}3+z>&5s)T-J2dIjg@b zaJf^h-!HobAB_q_X-17JQ7!SPkYv8}=AQgA z^JL9S6N=Tk$XSbU7G=#ZLgXeF3fAQ)<9fQTJIb6P0)whXzeiQ`a=;~5$+U3wEc|NE zTaAXCkXtLj#|2Z}ohwd%x}?-jw_UoV#1*CaC80G2JzCAh)Cw8i@)_<@SVr16qbjK9 zj?yWPsQflb6lR#-D4j7|ET3NJKf`7**C@SKNDIY%LH&0`B80$%pjb}p<4ed^2uSqp z+qb{<(@wX~?yvV>vWX>=90Zq-W6vL6jypXMUyklAy06dgK|>fNqL$2TCqdZ%q7%?* zkwT^l>BKV29v(}@5`qL_Bs9yylFjVZW-NaHRVSDng- zQky!Z{&b+R=US~+b=$`Tn_n zY5td#%cHxmJ5wo7h>uXDUxtI(UcDr2Ho%4#Au>$(XROGy`q#&@932C@Ori{v!bNqW zWIMm?#BR}TV>mojc!O%zrFKkN!KA8{hr7|tfN0Bj4=yQUl;ihD89&(u3$7|A;y6=_ zM?X7U#~ABK(16kRi0M`pxZExNV|w1FV8$>q_5*W??AMS{QYQmJF3x#*k?0#aR1$O! 
zY3bSgfhkNI3j2!H&!wfPDOkn@%;+ zJT%D%xc46m!-o;9XLq^+z>R8w{lYh=|t;YTS9|H83SKB`kSKqBo+S{ST& z?qNE00cn`vC6}}AOka$Z`{a-6APe4XSQ|mvJ0{9t^WlR)=J=}L)=E2}Hu!-oHuTt$ zt{DRnMgmCVn;t`HW|{v}K<;*(9bRCI3y8?kD?lK{-43$cPe}-TpxlCpe`5M-^yBaD z48#wzyfFsC1p4KDN9_3wEd)6O#iqR~ta$rSj}Si&pc^jgbl)b!0WpRFp2>Hd5D<07 z63QLtsw0R$)!+yd!nuBVKecbLBGCrSH`v0=A1{75n6PNBFSTDe7Dxt`7JLa-L&uHV8`cpcXI$cFBNqa zu&(FcE_crfIo+;&-kU(3?T5t|n^Xbk0i{^Jh3#qpXsT_)#@qP{r3SP#-O@Os6DvvN z>2<)f+|9glzczdY?!~^gZe30UXn{-d_1}k@?5bVPpC4berd-DXz>K{-NgvvFyEYZz z>*zAFSCW8yYrv^ahhFRT&n)6UH9QXNw`ut5+?NksoY4#$WBP0x)VfDriB{PBT^Co7 zD{u{M?#~th$Vm0}&Gq*6-P_*ewQt|#cJ1DaqFWNg{fxJZU}Z&QRUR^w!`Ke&Nw`7v zQLq1P3eOL?kT%N#%%*@68Mm&NF0jnz6$JoZhbi*d-dABC9QT)nmQe7iyfX+r39YI&l;MaIj8n`|&|^X$!bN6i4t87`|2zTZ^N+rt7+X5&60H z1y`r;FqC)N$EC^SiTl-Rd6{VabVE|&$>$vWZr65kY_M@WV<(XR=|r0G@-+h+biU4L z@vbVr+^N@T(a;eCnNOw_N)=q?dY<`{xM<7gunB7xPpSJXZB__+=Gw1$gkW4jL~23z z+X8vdW-kE$Txv(++OKzImk`Hdzs(Y+Et^9Tfj`i-M1slF>lrK}=enP?F<*|wz#Z~I?V zEh!U1eLQ;>-e2YPhqDoLbf;{Fh0M-*U^L?VwL8eS-)DJ`0z^W}MR-xG8nzsXEdNg$ zsw5OzJtOa zEiCQKrUHXJA%Is5XM5luBQ z8J&ndAYHIOREu&%>)(iZ-yh61tX+(gll_#AZqc(v6C zm4Koo%9Rn@qhc-RxaY}lrL6J^*`quLrzbA`Vpio5Y(hM&mErwE1D|zC3A9`~$YYQk zW?)`KA|2io2AU!*eNdZlH_KklRmzIfIle0rPPsh}UHewK{sj@P`kI<3j*T_L{_f)nSi z;a&uB5hU_)>k_gDAsw8m%wx;SfjqZ>Yfv`KzzaY>dcBVjYbb`vw_)@XybDcwXo?iv zM0VMz%dNslUVRn(`G%{cl(C@TPXP+aZLNwhdSqXXmrE%@YpuUIZJ46z*#<)9*+xvi zC6`VXSof7Xuh`6?anQN5=Zbj*7~G}X{P^`E#mv~)Tez3PZ(xBo#b$P@LO`ssc@Z`F z;BBIeR$H5x6om(;rS+p228QUKs_1JlgUk|bTYId~_rt(`hJ-^nXmuLQpZNVJ_Wpfo zX-4GG)GA{?Y@FUd#3La+(I6v~N-WV*L29&+!(5}lk5@fAZE*3E`=+6kHQu!dz6WHf5c4LyhUtfp;S@@q0qNJwOC#3yq|0 zKkg!;^m*9)Wj~Ckl6GIHGUaZ#KJ*k2gOAd(ikZVKOOo#JKP<6Xm#ec@w-~*$zY>)! 
zfOcM;XryEQENZA1-e~kwM{ciiOoV6XF*5qCH6EXn)JOAYhNh;Sw7%0-bNa!Gb)3{M z1>D1ZY10*k<<&y`rwSKc`-xnXU}N&iV;QYlTdSyQ1)i^3nd8)KeYh0-P0w7sQrfG( z$x}k7yw8_Aai=nN|4#u=qo4-$C>B8i?qB_gB|DcPTRb4r9hHx)P5(Zszo;XjH-a|+ z5HX1QMi7+xY8_k#p^!x3H)vq3pSa3&S1QH2PwDr zH+vzWY~9BNDt4VemC$RMoZCT;$A+!zQf_z1w@&dlI5dw2s-_`xN9UW36YP`rqv}?d zz60zAIh$w(&;2?%eh&-pih^FdyER#j&s(X}fWyWX2Kvk_58ncut?q~M3_)|QO}7|k zV%Y0->vO|xn^bG?*m`Qs^Ehy+L~wb_W1NxyW~Vn=Evaf{I4jhzcCjwBx^vMX)cd}* zWy#%olUMNw(5hn`8=6AMA49L*sd#zu{%GRYR}C05ohE2LAnWcJYBBI~E>LNPEUKqs zgEzq~w^kW%3h(-61r-+i14~GsRoeQR7T$X<~jZ0ycf$? zqUK(lZ#axhR~?>>SCgTc?h}d1yOX9zSti}>+IH8Xwlr1U)8E_}ol`yTK!daKvAUjT z-B+T+0^t1w!0Z#iW7@__{)*>3_zr|ny0@EC*ir*r!{&??_%Q4yCN_I(0{itH z1B9=g!0XeU(5{ZY}r|jd?SdSOY9_YD1bW!k%`0lCxxR+hd<_$iC_!@|9~lwBY`*Iufz^ ztyJ!)qb&;_g?cdl!mer8c*@M*7_1w)?GyM%|6tlb)M>yG=pR7JtdIe0K0RAB)T71k zedcW4(%SF zOjKG_N$Q0Wq>kNxmA zzzSBHZEDV;&b1}uTuyYZ?47eJRUv|MlB7E*jp-eAW!F-r1$lSly^IevB~XsyRsueZIi%qT6qBHRAUfw@P7Q(9h<$FgBEKh zDV2#VaD~QX)dBXC1mC9hr=mt}c~K{l)=pInCPQsb9q|_3QBCe*sF^^}Yf^;rKdHA1I*}LuE@&5g;!Fbg)x@wQ^ z3Nc+ELzb+7WzhMDU7{&!8^~NdlSCNkOGxlZzUGU?R_>C6WJ46Itff%JI{KcHK-Sb@ zC|9*H_F%ouSI+aELLsYFfx%yxGry=1r`JgdVAeEg9ouSS`X#;`q&eUx9t)s1Lyr7{ zMuLeC{Cci3ZV+<8V=|5UtZl;t5KZSz6 z7H4l|8O48{{>Owc)DAtf?(j zR4C~h-b9$`w0whFvhS}!gl7eRQf=bjeM4S55i>LBDSy$a+(W`h(@Exu^*AARU=l4 z|JtC@rNdb6ovTo3E~r?6W5oj$VN!>1albjlI0%1<5n0^Zv(jPovK5ybE2#|8ZO zqC$Q{UbDA5cM9c0bS`_kcJ%$8V^6z~pZm^N3MlDTY!jsb7ygGWD@lGw__4OGmj@U0 zjGd4vLeBP=_Ty^49v>%D#y?A&j=|SLEm=xb`W}hC_%Fjq*DEfHFY6ho8dvtSEiaPR zDd}DU9$+53%!ZEutLKfc7k@j{yYFHIapCXOAcwSx2#lAPcQeJI-hmBUWdz}zSF=l9 zhRgWae#igj&|+nDtbSdU1k2WV9JJXHHTEMd>$i3YY`tHwE`xX9CGEU;Z^VtDxb=b6 z1hJNl>1|pQ>kozx$d8bxFP{dEma~9dUIS{}#vT#6 zAY7r2Lj=wbSFXdysWE)WU6?#@^_UVNha_d=HM70;@fs+&@FiokAFyVd%HHC6H9Q6L zYH!*(kr7JJc0SQ+30YqPz1Mt`RqwP)9Uu6~n}qiMd}9tQdW1ONS~nT1|J`ywD`oV# zKEj`hO)*&N18U#u+IU}is=T}y(D`01VCZw_xu5m-cpP7XCMp2#ueQ&**ScQ!F;%ng zE#A9s1}{hXu#Ci4*6;VLN?WN!s}G7AZ_XH2X=*XN9u0k`EuTyDA@>=Q6?eSXejN2O 
zZ?upJJ>Qmc669u`eXEkT^;!T(2H04#biL6rbw5qj!SA&vvF&>hZNJ3S8w4Y^3`7rzAp^xgY%IOw{YUi-Hh*ujWN~vp93)z`2vMjB@zOH63*q|HOYkb^?Ish#6%-Nie&V1(yz%FSLlIT1YV+kb5o#e2cFGv&LL$+OWVLO9aU|J7m zHSS4gVb>yjs_0)BHx*W}k=9ZeKh}1boOm>9BIvi&%YTgvMM#Lij`JqE0)E^U22Lpf zmHGDfM$_+lT}l=-unmLAhel;Jnv3zYzXb?^<@*-AF%~tLazdXbW|4BCGZ4%1*IG4k zSWIj(ec2$i<^l6zi&`qd_}DVAONds~tOX~jYvPLxCTJG$1p#N~ZA#Nkt3U8@ENRGF zCgP)?P3Tm_zctIndc_^aP%5xbV2dumDU)5dxRa%)`=kHlT2?j^z0n~s&Oc(y>?kX0 z6)039_{x%Bn#{}m`Kf$R$h`c+{_x@{{as)RfK?l^%Y$(7?(?-_{=!C07=^=l9k@?K%V&jiApJQUm#8zCuQ(R65=}dE2oo`rzYa7Y) zi+Sm?qYpeG5I)OV;ah_*@wdLb{=~G-a2T=mo`?GK+!WH+O(UbD^BQDrS547_)Ic_Arb@(FL6O(ivtVo3c(c>m#&c|iyIr0 zzfUYC3Cyv!2RsXUa~Y6(Zx?DU$s@+uP2^Emn>x-3*W*!scK$=jlaoNE7Dm~!o8jyGbbhYt;i8~--J}I z+{BiO>xL?(*0u(V2g@^P!WzBUV=;A8&a%a&C|+6p67T{EAv^bugRp~-{323u1nVJn zr>_qX`biIaZ$=~5{kNc^&vCJ|CZ8S%2C663a5?E%E+wjso}h;rW_B>mbH8y%QM1eS zk68WUZ-LK%9)p>TO3Ux9)y)2?8p9yOnn){(t_dApIsTn=KEx1iRaie+ z#XT2IRRsGkdFEi$I%KduoKG3EYHofQBe1&BM92+QdtS{Ue+s>;s;nz*#^&TEHzN8^ z5a++b**>}EV4zu23RN$lh3F`6&q8X0UM32SBsL6a; zHOj4`@Fa2$iQ1D#tg3MtlSSkT%uHHL{;i4%9T=Zjql-@!hJ^T@#(cSZGfr%p#41)ARPW(`BKAPXKPfSUlnW0~CUbpk%T2{P%zIJ*o`(pcC z(Y&Nw{57~}t9IIFj_u+nt9n)BOp^z!M%1|4Y6g-my>A*DaNj)ORIC%!T6@oCjT0*8 zy3uUhHyjoVy}!o3o7Zu+KKHt{9;R-%t?F=^B@TklAlgP-Fa%DdRAL>tt{pFlPXuUsFLj;#-uh=XxaY&5YDV0P#4TvO3Ay!bj20OZ;yQaZ@pR5u?aqdR z%Gl|1rC*ZWN%J^3=YFY1^h@u|3}9gYn&C#lcmZq+tZ`4O5%Afr`%pRpYG3xWUY$xh zd0t{op3XLWZvg8M4xf%UWiU%g2e^EfmQn8wv=`t;?6{4pX}0fkUsJWZ`Qx_I3n;YQ z=6tNv@($L1;sYECzuL@o9*+9>d0iy~TOtvfSHbZ}>MO6|sft=gC4i{dGFTnE&Oer$ zwZl-$$P_#7H5b=8fUC0&10p`~R_Y4vqfdn-LC15u*5$Lt)|MfJ7}L$x?)Gi3AP3rO zo$g7roVopGPO^zMZamf`hYxi1=23FdR&h6cMBnT77}$~8*)U8kXz-kTFK;!gbCk}T zX}~q4eJeZGWOWT1v5I`+KkMtL_Py8$y%My~@yTv8uW*X-e(eDu0vuj`GH%}Ni*mfL z@_OaCA7e=#D+)RW1|~h{7EEtGj(J_JSH^bLtwo&M0ciauv}hb(^bo*z|3f{`b3!ow z59HngBrN=2a@xQEu|Hy^`C*2^@c}5;ey6X`IjN8fkiqHZ zLz*T}cCoTf3}GU)jCJQgN@MlN71tjvq1Ir)1 zY>}8%meHv*Z6gm!S3!B_0B6H$x~u^u-k> zjjVG_I6Uc$FP*HWLE-r`I7Tk@WzvY}w_+lT%&Zb$_Tu^K4>5SxjqkiEy8|AYsgok4 
z_3cWdwkUPl@iE*&wm>;2DV_lma@9}XWaOX8;xOlElB{e#HzcMBApVrgqVgaUYz{E0 z(uJ>pVxhwH&N3G*=)_4=byh17*hg;EDM zm3TtJyDQ=>b*MSZWYDZ$W42Bg>gDOX5M{E8zDmGx3 zV$kRjuc_u1uA?fq5Bw~hV-jfkPsCd??MvD$i8?hif#MPN6(u`lz98iK#USPxFa=o< zCO$X079m-fS?Qa0p!y@( z^uk!!!lxVW3V+P6fWNW9Z%oyu_H9Nux_SJUJ?VCcTmpR#TW9OVl#=AyNpN^D5hB8p zvNka0pXO@Qv9%J*CVmzkz+fCC$qu1nm>|oFSCBZ9>M&_lG6r$1jkZW( zS|6sD;w`_JKX)#<(L6+%j54q*`rI#Y{&#s26cj=g5l9AyPJHA~5!~uSUbn=(d@mE9 z1iycoZ4(#iBQA!Zfb76|r2y|dqi0X1){bZvEQ+-k zC~Mm0!eHEbFRWnpg;&65kp^eDBj&U~yjDATRH}JTh(&&}9MU4IF>n!|K zPC3;9%8kr!zlbfN2jmKGTU9z&H!rScwmyqztAZO{kaIg*`&ns9 zn|QG6^FGp;9XP1t{GkK;VnGX7L}<6;+HvmI#(J&)+#oysw$CfM>0TViE1|6_7_Iqm zOzWkS$?a~jofz{xR=*)Wy>Wz#?{^x#Z?Neulj%N%q7NPdM^`;fTz$u~b3X@J0rehr z{8p4-U$9>xcO}OU$P=eEsU?ctU}8lIFFv&th0rH~lg^>Th2MYLBpnY0H;>d%Je_Hu zMP4SCgU=#S==^3-p1eSul2vWD^qSAjnjHt-&eK&ytFNu|4DMI6=Ii^*zTKcp;_jxC z5b(~yC-90Q-H zs(h!KlqJZ)hnZOR-lBypx;)F%Rj?aEn&x+mX#ExjW3?IVVbj90y&r$&l27I@{fS`d z@y~`$Ity1QD&al8(8j{|o-c?u)5rhjhoL3h7O@dH30fk7&vRVmM5<3#w^1Fq4~s`_ zG}tRe78+V)h9*~^;TRqyEr@dvU+CphA?%atSVk&_wMSoID?{WoTo(0+ztR{9*l7HT zZ_zMVsrH#}HpeU9g{iM5!FLp>v`!F@tKmvMWMa*Ur55t5Q5$2IKiF2oefu)XS;%$4 zw=7oscUiHk@)S7_h*=~q+~&#bGWX1c2TG@UAGV(mQ64Z8u~8DvZoSU_cNhxqi`+E-FPpKJj#$&-KW@(4T3=#yw&*Ui+9__U6U3&L#}i+MNFgg zD)NWPibjNm?f1o9G9x$R4KsuQl`GgAOxF>TDpO|xovJ}&a&xXP0)`(Di^PP&t_Rq@ zK(oneu;Na!4c#m@4kXfhR1qUTmnxb;XX0BHV&yAGqIK8o>(^qZt*{ou>Ooeqsf{^j zOK<#khds)EB0z0J6Yv`#C!XSefy;AFXj#^w3tXQU;=ouGxq6eLkw4*G{dz%b@abMX;7yispB_^N7-Y z_XgCutWrWvbfIXj$Q;#YGW6GmHOy?U40_tor?Z00fIE5yj0A@*1m_@ym%_R6Nt&3X zSgfKs^W)D8pBz0HWf3C_NMvushZk(7X_3b~pi({2(yu)%C_)Fc+BGL47RQACHh`dY z3qoOA_=teD)oHGwB-SWcU%#p(mG*t#vMsbxqfCFqwOK7vqJ(k9n7up~>pqj^hJ%q3 zl(t^HkdoPv(2k^L8T;f|MS)%_mTn`i)>?^FjvY3i+#c2Ar1o0^vkWSJhYLQTp4N>t zU*qb*A~X#sDh!3*#TGp`OSjmDe(|eH^CHo?E%iA@jH4_s+oCWrMq5UX2urXIlmprE zgQSCU5LryjCETCDc!!p1-J=Z_ZUTa?LCzR$(I!=B7=O#nLW)Q*MVGTepA@nc1TIRGeFg4xo5shYgG@z!9Rj6NWQqPLaXdxQ;{RlBW zs?b;4KZ*-JxQwWjgo6~d0fpJ7RXXFvyz)B@$}tR5c8nABI<4%gT*P8)C%Y=%Qc|>K zr{Lu5DK@T3WhY>m63` 
z#$QKd-SoXr`@M3SCaoA_um8Bk=4@S6;0XHdOybnM9#m_4I0kxd!r?{IxUXJ;x&B73A66^ zd)7Lq6qyyn&gykPGGeYj=H5N z`aQad$-${to8vncB8$xXRs|{bHQ;yLw+rR1srv~164dWH5}bnEF<1#WtU3vr#B}d$ z$QrmJ?NmC+80gyVUVU)Q$4`EcRjZut)~;TeVV^RNjoX+C4W66glB|{#Jwd%*q= zZ0;kj=SLuSX6Ttn_M}c!xT$IV-i_;Cg0aizaq-c#-~Wgl9}}j@+3U-XM?GiK?BnS% zF?`jRZ>;~$#S4b%*=)%5|4_M?Tn(6MSg16JB_%Ome8I#M=2$@<%^w=0W5_V--EDLQ z=$<|VroppIm+S;cnV1)dv6FvZ-D_NDNPw|4Z3s(6>TiRS_u{F${i=a!^=z&>bsMJP zvJg*%{XI27vz>3UMOglqjwg2@e)`_OfWsnR-tvHzPZA=^S^wB$Xxt0L&OqcWQ&V~! z7A;}_Cfm%kTSWRv*qQi6Q5vO(;d1oV5M(9ww?K`B1~2)ebxn4Xmv^$+z%%bx;;4YZ(rbk0vP)_TS;JcA z(1tHI!TS+f3BM57Tex<)Co@j)<#NWrmd;L|RaB_ScRLoj0~%H4m13gEUOx zn~grL4B;>Tfi_APW7YnUE|Oa#oay-ysxkN5FqzZanZb2BHX`RwiC3^BKf=Fn?zmU5 zCiHl6mBQ@Dv(uWqV}FbM5?AG6sKY`6n`N5W(})WDi(+2;d%FJIa{0|KJVVy9QSSL% z)_$ys(|D1x??v3j>v3L#L$#Xcs!i#dD$fq4JulMn;aD@Ic@i9>z>wJ=OFHq)@Av<3#b%3;l;VxIO-Rboo1iqdWA0Siqb0w}h*|^1`W~HR7=3-ua9)xa zvYzY$n&c7|2Gx=>An1viY#TVY0_C}nd+H#L3g0hgG9R@jxwhK+GtgM+8+Gx_0>&ya zDOSz8r0_BpX{&y<6b|@g8JCF zTBESTHHK(nUd-*QTEKJINnE~aou4WpZ(rRAYzv1vE@>t|jF3mOO06!;w$WE58Z;J24OB)C`e zy<(KjyQ(q6kT4mDH|7g*`Vj3W4Z%CNp>rric$aBoR4vH~^%))=$*NQT;fuaeOdgX*%5RKVp z7}Kht_Q^6>j!o9lGMO6jhLkMvJw|XFlk5K>g&RId;foJa`1wEJiuM7nE#QXs-49wA zJ|F@9b1&5$=^M)HN9*eM(YgjpLx-Sc27w2`ZZ8hYfOtKZ#|CvxqxV3y3EB)R;$}{{ZdpmA(tiCRvXwhz$ z!R1hti-xm(faY;|zg@2XJH)#e%G7)LFqpNbL7#g+^p!92@^Pcsz~?O}ka2r&h_TX{ zEy0N9V**5kY7cat}wUw#v%t?7z`;Iz*V)GwtyzU6@HhwI}i6$Ao93wpDoyAgDQ8Z z*BzLO(bz1<5q+ylNc6VgZI7iJ@p?B`*Hflh5ggImZr_^cgkyA?-wJ8bPLhgm*M^~@ zz)j2gWmPcad&m2ArCqmAe^G~b@ayGPMpo;etYNn}hV|XWWk~0&D~0DV9{*t;IYZ}O zR#VFQT^WEtdi!l{&p=?y11gMo&AV2@_T6S_{ZMv@=$zR5nN_e19N>LxUeIu9f$~9k zn?9@9ddK>=^+MxTbae@0|dT?RWxK7s_jqj98P4~+PEdp>vf|I}L^cx)b z&oNRUEues& z!nx?u@3_(l#EXne8^4MYZ2JTnB zL{Aw#_WO6f!cm{T;?;pG2S*p(h|EqXl4z2|th`kT-AgK9sRYN1kImBf$EZ|yNk<=Q z1jRHs9x;}3vvwK7;YTHF0h-DbiuRYv#|j=RGu=rdauaU}2eil}b2Zhd&-k7XnnW%L z>~Pc27S+9T^rP{|OJA?fV2pLuwepaisTma2SXn)Cz1bkfuUT6`4CWStwo7#iMWktL zi`8Q5swI z4GFP{7uW06+w|?nEA(?cn(?$9%11AeF#Vsfrw=*u$9xgwCsJljZBoLP+b36TfU2D= 
zV)BP9yj=1zPY)UaW6Y{g)R?KZ->5lbVJw&+2_;~va`j(F%s!N|iio9@{D3|Ks~a~i zK+r0>RN196@!bJ`M1u<&!5z9zsnFkxo|S$)k8Yah(SPC2rk&Iiooyc)>Lgb?gn&a> zclQ^1<`VJrigd^k|3OredV!l_qSf}vCJ|eDsFlz)5DWIJho?da7Q0LUD|1$ z^R7BSWIuJKGb(h+2$zs>F01kuY%rNgtJ{4ZHA%Lr2v3IN5ou$GIY&#Lbdz7bNX^oh zs9r?PmtA98JFdv;F5>O)ELa@>jlGcmFX&*F>KJdcp3vzt-pnWEY^ue9$ddr!B5brj zA)AiU*rzfjy0a0c8!}RE)!9dUEt^Kan*=YpG0OO6*7FC-iyS`I?viuI=bV{`#jxpr zrYX%G(`8PwbLU#b&Pk+WI!~pnvHZ%fw_Q9=Cuht=wElANg}dY8$(jonu~&7#QHC4` z9@kUmt83TyEskbRO0ls9(y!NM4Z|3_m zC=&^8u7skBN0l8G0-5C4y*KBy+y7N=Azx90ZWIe3c|HFH$G3pgfEHQErnmqUr2i9q zwigsR@et(ZLyR_3(gR_F51nn(fd3GL10rL)ZH@qSVbUcFkeqk9dG9f_b*Q8*Vj z%}wPR$fkxXJ)myxp7wnMa%mx1L)fL-v6E3?RW$Af@#Mxp!hgrdW@tOB#!&FlRgd|2 ztL;V&a;`0cXubVG)=N8kD$U?(zNTB+E0w-i z`Cfhw!~4_kr)CSgUR9fl`Um9`YGyUw!_luBPfb%~cXhWFpdGq}~f=~{JDcW-N*Payk9ib-r!lw}lr zSvzQakBQF2@=XS18_D}IvVX2G)bea^*cI{?qk6FtZ{YVT6 zIJ!WI=M~``gExGL$B#`#%Y2-(%zUg`x5 z-m$*Rf>MXKZ|8*vzJ!)X;qWANH7X0}?v*1o2V6ReUy3c3f-)LG_;s zbb+6)gyp1zl}O{Mh5rM=Pj7&=4+c4^t%VxesYWGS%MxP67!A?V)Ul8BW}6cK$FDFv zALaiI{k*(krWR^hPP+=&W20z=L3Z;H&){x(*1MB?HHBDpG_sd;!Q&hAu*k4hk*Bpi zW>}hoHKYn<7vI1qWhAkTuxt6p(HHs_c9fWdzX|CRU2(WdC{Z1KmZ}p7yAK(RGFGx=o|TN#mrkZ8vIT+qP}3G`4Nq zwr$(Covf^re~*3kIs4|ln3r?R@jdhX9zB{ZNkyp8lr#3jW>i02%H&X+G!st{;w#U| z+oz>I9P>HO>D9ycyc)1%FK+xANhuv{&8v{@&D}y_gteB|uuwVo>}Q-CQ~8QYxNKm9 z^#7S1YlLhm{s$?bl5iQpcw_LD8OnKrmS^^Yi4UJ-wndeSl(IkOHvx~lHS<)Ez@jx0 zp`bGJVZ-DX{O(h0`I%<6%=9D6HFWB0IQH-zag2o(N2Mv(!%8!;U`pNmLnk(`9|+Dv zdQ@P_Ymsk`)4vSmC&4wF;qYSB)n}y16ljFCV5g8NS1P3IR-D?WQa~MU_@mUG21!~1 zn-pqqym6oV$HeHTp{~DUE{4hd-=A=+`ssRSiyAUhhLu(&ruU0QTYbe4)ouAdS4vd; zB{26MtFlw6zVFJ!!{Ww~eP!G$wd#ITGBb(h{0$e7we^pNEIbafRPlk3|5W6! 
zUxDF}2wtJI)9gXN%L7pi6UyoPp`J0~~jxhjOgzxO08_s)XYJ3CXNSO&(s`M>kgK>}$ zWD!Juqq*RMhCDkp<6X6j<_=ul7I>Umo!~}678%`Sjzm%*WD}8kA>&=)U8cMBd+KRt8 zhn=G{X=%bRJtH}6UKLM1!{N9ds1Auo?SFVm_ax9iW~-8qAh)X~DY-N9z`)lb?dK@N z<@9g5SK6=LM9c2%KWGX2zWEX3>6;Tnuq!f07D|s6NSTl;#=}&k8Ic<^Q?ZOT%oMny zK@^B<#*lZ4Uwlw?%+-LFQ$yuw0mVxC)r(k5h$N=)zaUKD&}3SbltZUxNxrI6AQe~@?kNSOi^e`_;%VkcGjw?k`pwVXEB)s z#WG2fn-zagUa-G&=$m_^Fh3YkCoGgbXh|^FYq*s|)0UZVu3F?vn*}Fr(xn!5#7zcr zrEAa<$+XiFcsgO3ASw8Qo4j(^Jgbgrv8McX|9gCHBmVFUoh|?g*1rQJiNBIqw^w~4 z_xZg+{X{=VelUak6ZC>Yp1;Ccv2XZ)fumpz&%(bDJay0GJ0NKnCS}%t#A?!N-Tn>@ zZQ8oGd<<{m73w&`vpTJGs4hrq-(7Fk?%ugb?{_`oWrEr6I$L_`OH7~`@5Y+7G%=ZqN;BK8<>9XeX7#!6FcZ9ETR9W0r zvpoqQ@4jJm*~#?eV_gAFBpy|FJ|b1GaV1o5y&|c8T%5-%BU)X)EOg3dKuxq7CYw@U ztZV*my-E+p-_Qh(4OiKCKOdKaOezmuJb(qLRbOj+dekTR)X{PZc%|KT=sKO}^lNp8 z`vvcE({5$-=e%mtmiMLX8i?KFMRwrBS@E#CtA2;frd2ZUv9CB)H_PpCntGe-V8yX? zcFgp`eo24fbNRN}s^$T1n03ulwF^h*V@y$$-iwrL&oUTjVzl9KJ@kTdh4;?u{%WDg zOOhO=QM1Ret#w>!tb)bovBa}%>phWX`ket{ook+}N06b5#I|cL2-n{Bp8sXs0#nDm z(B=B`j)UHLGg%iPxrg*KNs_47y?kQRiNWQSA^YKD?nnWU1vm}F+;snYzO?=JS`GZb zO{WJ&@*sX*o*qZHbRu%;#plbk+O`@$;^Fh0b zWZ2hVnca0?I={S6+b1BuBYd9Al1k&!UYNQfdCz`ecn4u;^Mf=S zfCeU{F7gP3jV+(cI=?{U*n~>s@0)z(fjR<7oC21k|He_RVxwOB+)}3O6wBsocN+#U z7LjeGCk>El3t?7H6}ZLwga|PUik4H=Gcb7On|?$n#KegsSQqEQ3$Uw>yXD&t+VWhu zG0I&yKomFHM;8QHETOduHVPFNz#51D{M`t&`fAjBm2X5+E{2HqD?S;wp z4+*;Tt5vStx|#~n}fjD0V7vtAvtVshN*- zY!WB4-@G+W8O6{j#)6C&Z{b|sAMqpiyK`I$sfK^rw;r(UPq$A|XA*Yp3bs;l*klol zd_5`;A7t6@D{$kBZSmMm;5=AKv89VU-$P4qy?-87ilkJx8`FW0%&p)Zkt;zmm57Uc zT`YyKk&p$?K=R7L@sXFS)6?unDya;t$xRnU$WI2h83m(JsC&Zqh^ynm5GSE_y5xh4 zK(gx|5wf4Fm4sk0*Zx*o)zHRK?qs#aK4lGSe2G|TQ2d!o!jk_B`A%l-jAgz_wq9W& z{3AAb*qk9vZP2EkX)IzjVr5oQe^Gc9(JnwV;}1jDT#a!jHr@rqloJopa@ zb4AfU<1RJHSIe>&6h}%-4%!(W64zHJ8!a zeI|?6{4Wu_{YSLA5#KKVBS;cHS~hR>6L9@X@bY@!J(yBi z-L`4N(DOz@CMLRHC5%*0s$39C3=tQxoAg?cjyjf4E$#T7#_?z5-!sZH`1;72zMPSX z%0ztMAa-L33{nN@a6{@4Lnhi;!NQH1jE6$;-n27+LK=}lcrp{VOk+2$9SyFcVUwOz zG#*9)o)VeiDl3eDKSnk16VY#f^W~l@5!h$7-Xct3mS{(y2*nFhFY(FT_J};pin>zG$ 
zDQ9y0=Z{Cl308WC$C5p%3niM$kRIgvj3&zGHhSI?RB~*D0Q;h8iTFC^!BZtDN7jX) zVfFRcKjqNFI*SNu!*p-L6sq?-$TqKidN`el~f-q7@3lmq421qT4 zl}E?wCpgBv{@(y)f(bIdrapA9-ghU7dCh=iVDY_yEMF}dP`z^S{X5ZL@!aoU_uF4s z3ucV$brjtHRkOsicR`0Q%rOo6MkFYyZg+l3VQbsr1^jnpndv{a&?Z`V{W1zCi)Rm8 zf8`6>gu(4>UFOpSac|vmDyKg$d-6d#;$&zYsr4mlJ*rZ-3{7_Zv`AZ3 zt+1H3epR;Ro*;o6A>UnLzv%Do_yin1=Rs;EW)m2uGzEA^L%)B{@`BCLuog=fdFWIFVn1cJmbN%Y0v|m zsdTjZhV_dgBCK=fpQ@YeI!2D*OG03H4D z=*N4#Q2+#r61)l@7r^PZyw$MLbLVuP&fRCvG+XV-Zh2h5o+F9yuUbadBXyo3ak~z( z$0JOy!Ed=A&$~?HS8tnm-zQsMEds|$wxd*iE=Q7GKW?{lfk!(AK2x=pRX&d@>z{hB zTw{{K7p~7c|CV@%uU$7Yj6rW|=SPYcjaS)#jP@}q+z2Et*W>s=1YN)(&%wi1ezx0{ zWwO$4{3ImDknX4U(a`Jkw>?YC>!*_JHIH{M&nrwHWj|Ag?z*5D8r!41*07BeQSsP1pA82z_EJlwhlL zfhMtL2oC<1Y<{X&NXgu(luDzR7$&v;NAaqNsY$~+2w}FrL4p)sLk34t(uUK9DkMimBKr6P;We_dwE(8$Yl1;9tGEhQvz<4%1^g<*`+c)4t332Tbh@N#z%Ed@15 zP=~E>FETyJGo;e0WtokLDkr^4xcmO6B$>9D`JOpnMsh-rGtl29uq2d3 zdlHk7X@1$0U2l|b-RK;}gyTU--}2`IPQ;!TZ{h-7`E2i9qnn;(zyaHSs%U6yn++z8 zTi4&e@YYe#;5mWKG12OvWY>7FWO`$>GO1Q@)vxmPhHD->6?R;_!Fzebm0AV=xYg_t z3Gv0e2eUOq{Xwd_L6q-yhn(AKqlYrONx+7@MBFFB%rOa{^nyE?uJge8u5!vGJxz7S zlVzpRQ^K8`aLODNvjBGA0xDFi!NCxT!x&!~FG$hyuu=}Fc#B~HO_`{KVwkFMgAk0G z)LB)l2E#syMeXsEBwE}U4HnmJ4xWNk#Yk$l#vZr}k&z=r)UQy)7et}@Yowi_@t0#D%WA`fLb9en41}Gn_=DT zAJF<1=}5heohX(koaa$QD?Jb~gN0NRG;n~2UH1*&*QV65Z^{=D zfP+i02~rEY7P5}fSU6%323AgPdp2|3_`K63^tt?*EF#7N|=r% znj{w%X6tk6UdCLMcZGjgM?P-4R0Au|_!%wfoV4^VL@ceOzc!-6T+kO8snA0jAzvL> zl?Dp|i)g7m08{8ejP)&Qci$qez_!p289q zUk!tGkw%}4{xTnY9zx0_4Q|610-E}tz7_U?AZ;f0GgGMbsA09M0PkKkPmg6}%&=ufxiOX~A6%6#g`}2^6GoDBu z>mLgv1abOb$KJ>7!+JJQBZvqT4`ODF0QiDjboP?@@B2{u?a&4|K)Qn0J?Oe?f^X+! 
znAWWuOFWymM>zcLmc`OjuvI$Gm!S`D`|CXGRW}a|a6rxGx3`Cd*&6#POm>|bCf7HK z$%9YVCVUHofr__&V4YyPIF&*H{y!2FYU zNB7jLvRnHjqi1yR`ApY2;PF<{*8R4HMn&hcbXY~xWa@Rg>Nw-2-mqF5xuebr6f&+$ z&*1%Gn9dR9TQHdvx9WdWc!cNlMt}d*b~Gg!5sbU81u6^-t65M*^t@@d^l{X@ziF1~ zN&&vfsBHBAb9n$FJUR*H(x;K*yQle|FD z?0TuYec;w_fHLr`wY%+wMs+g1{<;YB`evp*r*h{%RC-Dks+fCuhUM^?4M?TCep0Z?hb$35AoKB(^dai&CUp0KLAtK_f zdfu%jA4Ou?+$UxmA5HRq22O48>(*z{S2|CM@I(je0`Af=yFVv+s$S>Xf}68>9N2Ex zyFvRdjk=ZP%h7W6GX|oXeU(CD@CzX z*_$O+H-FfS%0bJceQdryR3Agf37JvRL(F)^a-=P!_aO8w3i=M7SCv>EdA{hPS(y`+ z&Q{-r~J5soC zWl%)soI$|Ihv%^`e%aCTKC2efDZhw{nBIN^aQe2Kv~GUX0iUX#Z|dNkX}DO2G6b;pPW`F%)!Y{F>UNJ)Zvtt{Rq0Ma`TT|%nR$X}=oyKFM% zz+fRmJzB!48+G89Z$uwV`N-Q$aVs^JQkj!;0BH(G5Uf)fU6T8p5vi!EvS*o7W@;nq zg3TW*>omzae|^eV0gIkDH)`d0Q>Y|_MkqJ*v%l6s2Pk}SC374a}5;0gm~Kg{1dGhaXXCjMR~pF6FVM6nI}Y zZDz|hguIwKC3=y%UwR@e0M^vJ;M)n`xsto~^k{(Qh>3Zm0j9M~7hwHg=+>r7j!_Y` zQ!e5xF0#(>J(QpZ@+|D82wj0K+t_Kv<~ZUnq;bcvi~?_ABbGJ0D(nt| z0;*vqv@^gAwv!#R>Co`Unfju^Co{QGD*b9}Jux5+;i?ylS;%{k9wqX$kRT`$Yu=J24YKG@_

fuxgLH)=L=6S0`GY`IPI zmD1YRCts|4ynF)~zv00wn1hk1Oq08P?n8r1usDW3eOwN;ycm39FY)JJVC!D3H22xjhP%xmZD&h zs3t+rlQBV_#AU#)G$+6m&3AbqBaF25)YBXTM>G*hvR?h(_C55qDFZ{Tr8C6I7r>0i z$Ad!2FkN#;yd!RE@`-+e7GIr{nQFfDdi?(Fa;XfK(~$wKS48KBR7!@I8*y=;csW0o zsBvq0bomzNP>wtU|A~p50I3-!EXyAbs*nw#fyfwWray`1`f=pe3wiTq81VMOztYGk zsFZ$2&x>L#RU?v@WR;`%!p$~jY^Go*3Y#Q6jq!mWag*9Cx{U}GLAI7Zqj>D4i?D@D zYEM3B6jrF+bYy8XRluf0%@GMNQX0feH4bQ@i=R=|&D)prM&qK7)3q`wQA>%Hlf?NY zIuKAN$+Oy$X(1bPTTN2X2wadGWe3iR*C)cmOIbHdu|x~&_~<1NZO)1~kg%{E{4I!b zeXpZOccl7$T`1Z04N^st2+TZf%(=XS?SzJ1!%v%eecbd?sVHDlO7bSeOm#(1qIW)} z-ob7%X6Q=oLe}IbAa_0EF-ILK?SICbZK!bjarWR_^@J60`DZB75@7RYr}5qA?NN6i z4;wkq{)XfM@V95$0Emg`&l$DL_)1U(;y!5X=iqeAl#J@Y$J^)xf9e!n2JD`8+cdhK zi4I>*5delN`8RDB3ssu?!JF6KE-nz>D>_e?XtF;K>hBpgP6iK4tnssSGP?M?7!El2 zz5J6wExVB0-G>VIN#4)g$Nwr*W-a*nk9lnQAHAJc$D{clFfq5D2TId*K`VFn+Z+2= zkFs5?ud@V6yr->f%XHayiPsq~D_89f$I&tp7w<9}KQe28VWi}Pirj3`~EQ8M4Syp6s^E}v% z|4UFY>yzh^X0{VB`9tsHs7=z^ZBUWo^B~hzp?G)O&0+bTdA-u^oMCbN>f;{H_46pV za3=j){jew-4JoR35%b$)F@V1gvp}`whGSbPn&%^zg+ph*B{}9^vHIgNw*}MI`MOu| zHY-u~mA*P6AahA`CZOEsLxlmLp3N_ zkNwV5pk3x=e$azDuZPn?RWqJiZMN4#P%F|e?>F&v2Ct_G!;&}ba=u;mr02(Y{4N|G z>&|M>OW<{txAM{HXRIwhuzz3W;MvQp`fyR{^?{c@`v~b}cWb)iW?<@!8QNzJ+nhbg zsDlRt7<<%xfqw7KeYyDPCf(aE1;JXiT?0};-X`bWCK$Keq%xC2c18~*O8{xGUEM5@ z+WW^MpwTpo2R&Q^3{uM_jV>76=No?n3?1Xakz zLm6Md!XG@N2E9MN=0pcnT-r}e@$^WR`7VPr5gs~=_rd6Sh)xx`{|dt@?V&P`c$}a! 
z)aYvYu5gK?i&3T`sVNWOg9}f6u~W8E%HtoIgIUiYbZwSAe6Y>n!>mi78cQWMX&?+a zbY1-v;LnZKL?tJ^noDS)BF)$nY~M*0?Nb66mL2{!$g40UaG-HdeL2Gi=PJ-4FoG*Y)!*H z57#vAQLw#+FAXnRbX(FUW&-oE$zj{lO?!&CQKS+>MnKN~Y-22By9vXThVT3?44v*y z=a0X$eDbjYv6`-2`Ag8a*s(Bm!lkD!1AUZ}wIRnzzhoZk>}EtsON*jkh+<;;%R+Kp zri@CVFeOUA$6>;%%qav>Ne*1N$OSxfDE03%T1Vl0=ek4+l(%A3s;VkqWhXS{DwV4+ zM$KrH@FC7M7`?(GIR6m!kq?V>1SJ@F7ZxX&o_BARgZ%gbkGkP(UqzkYFpob(!SG{+ zoj1lK$^`@iHkYk0J*%DC2F+^)L^d_Xl z+$zY~_)ot33_iw*u`G2?Em?^pIa7QqvSUJDrc^g9z9#AUcg=#(rbf7Y%|A<=$SPz6 zCU54egn0oAy`wO(SSZ0Rkq4AE_6rWp0(=EDiewz^3G@ZnY6(L1z_EA*`c!qjc`dAl zMxEtS<_<`ufgqa&l*qXPL6Z#xO`-Noe3~xRL4oa%m*4UsA$k7m8JhN-zY6sbt_u-( zzAc`WSS9-Ij%2{|WF$v}bU=qNtxv&^0G6*;Hup>8W#mzp1^g8Fs0+A;hVJMl+Sq&W zca$^+A5m}GM?uR{%+N9u)fQ5aTeFylCG$Y&&6&h!opGoQ6~`_nk+f=z!;3?%RBgyh zLL5RPbcK@W+{9aCRxn}Q0rJI{v<7L!D*w45f0-a)OvBbDLnd;@n+x(^5nqO>kW8`J zqsN&QU?w(ih`&M<7ZT?v1+z4!+(PzC$@%!H#1ilu!I^VOU=K&b{t`txN<*%MiHkR` zzApeg&M1w61WQvk)~OZC@;hczIWd*Yjts+DPgN#?dt`$~#TmR5^8jn|LO8nn(V$SD zAMbkjw=ZJt!^R~il@LXmCov**&LeZHBt$-Cl$3Zdg1L?Y)d*nXtHJb-Dnaw)g;!CQ zEyFkIAJL?7*)MjpBo8Y9dA{9(RqYBb;?&;Ge~-^>*dKp#zG!x$|4XyWTD={<^Lc|v za#M-G|3O4~LxB9ZjsXO;-!$(&Mf*sh_87mTfb>B;p1YE&8O}4Gnl|1xFFWJMA8n1# z9C-{IZrj|2)tkWM*6Hmg1?Tj;n}41vfc=tX*Y&V&o7KvWe@z^k4XK@@)c5b8F@Bv>v+ch^^c30C2*6;CGE|!a* z9Bj7%n`MBu>#<}@OHk8sr`tWO(|H!KQ2MP@+NVUW9lvEsBR%W&%>^#`O~LC$6PN!y z-u5zg@w3M6{&KtPF8-<81)y39xUg}QO{?G1twKk7KX;w7i-xGyMr|>Fwrrt5vJ9nh zT8}n*6t&IhrhY$Q|7z5}pVIc}R`z+FgPOi= zr5Ynk*Li3>tc}alYycSI!ps94S;CStWimnE{W4CL6wzDk1&M&LBe=N%K zkW3E6MYtY=WLH7V1Q(#7sVq>7(0|%Fg`x+Jj;BB-OK0I9;bT8EP(M#TpBbhB4Sayl z<#1t9DAOz%k&LwPa{z&NwqIOo0B*XDM8bC&+J$F%0YH@=;)~~ zf)+}w#43qvYzAu)awfihCXHv(wDaWLfwW_*)*QT3y^uL+sQsUe#DW0s6Kb;PQTSh0 zIC}G2O8BiEkyx3%tnj@T$U^%?T46X&Y(3|bC>FAlfBYd0rXyzm7`^*TP#;1XfLZVL zwhTwE<3&lpQxuv2qZCd!-$=Lrj^@xN1skIb31G({bitWN29f@B!^wg z*B6HKLK|&U!U$ed5Om)CDIZ;v5*3!SLE%+I{s@g1RFWc4&nd#61!AJ}MqVUT{1IcH zxP;>%8$Xz~L8%^aI{$UlB;HXjTg$%G${*&s@D|LJPMP2$u%^5H7C3Xpjn<;@ZBPiq 
zW%t;mJWHT*4MTu|UO=x~ug3kc5ey?*OU=Fhge-oAWF7-O8Z=S(O*nIpNjEztRXi}y zPFz2dTEE;%WPAjTm3%FXQAis>lp5F;PyH__nfPaS(Y{}L18WNesTl@Co=HEEfHN9v zF5jGue_?7tAjTM7F3BAAmEE6l7C$FM2DCRT7JJRdP+>-7Tya0>hfL~FQv)_|NbBG0 z6Q&bwy1|k9TA3z?e8O$|_Bc!aGx0xJ4&LWU_WjKBWz_r65(!DUja2gLALd~&MDY$79{|FI89DU(RF15kNjugq_clC;@rw*r1GorZ( z=Yuqs`PML`(jXeDvH~G1NGy#-!W_8TzlfW^$J_-+>6Y)Eq_+A{`6o@dm>8nq zoHwpyy%doPm1Jw#ID1-r(8YKJN0)|G^qNk#>~?5O!XRnvXHzgJ)8M&VW}kW)@yZNF znf<0%3E0(TF{s`7sm`6lp}o|vTx0*_Zzz7pIWwNW)bB=*Cgr5&GBMqm+b2@ZK(=e& zY%mb7W-fu9Z@JP>?TTS9X4S)l!Am!xu>-$QH{Ho99!EK?*pPfb<=u?YmiTdcKRDvc<6v|!jnCs-r;CXX z;A}`0@3pv@{(+$DGvt#-`W5$ME4`caVu;^!AI=j0{gEIu*EEYiRn5L_2?3fOL3>MO zxmCX(uMEzX+pO2(c9){74A@6z^Rb6ph|4fXkWpc`NAgZkdz-Z{vL|j;rlFWE{U7?H;@tsAjmmiLYt;c!W53 zkEm-?oIEc36eb(5x#_w6jPGWMZFG;2?fH;#5@H%HFylVs91;8kLS2r-&EvNf2%JF{TN4fBa(J z->saVuD8F+8N{~7u4@MAraNBJmyAs%QUD9}vp|N9EF;C&>&!k5)zvS|n(#c2%6xWv z-mqG3o3}27 zpZ*aHK(BXe(0eY!Odf8((P&7up%HC*4K}7Pc0Vn$5xo2O>=G^WbIP#m? zu7SM|5#8JJoNg#ycabo(R%dm~KZW!=C44R}L3gH%cM?^1&qgkh7gtNtzbt{he0I0& zHFdr2-AsxqVkAT8^%5AVy5r`diJhps}10v1=kv^Q>SNDbrB$Q}M{x z|DXAI=^x|aXIzU+6Bx}BQ?;h8WTH+rOou;2RFTq6iML!ThHySqy(>C&{ZK0cON{IV ze{z)R3!t@nL)|9L*;ea}CO^JAYvW-Q1I>PE3aR_IOQ>Ha0?kd2f`cLLwMs}UlCky4 zTz-T7aGO}-K2#DAlS9pgWt*4y*UznNRGuVSXJvHbF5>7HHb>C9|04lSseD+!kaH>B z%Vz`(4|U9Rj!0eQHndC+CScTy3@fTuD>vH@)}T>_qde(*n4ZGLn}1#$RY`oyFH0_# zbDRRO6|)^LDbW6_e2g3^G!hGuGO6j12QBLzp8G}#`kF=w4X=KWCXqk3+Av28*iaI# zKmFE>;h!C~96cF6zfq+y@UR{XaXE*XSAC;TCHvr8{&io*hlo6xv;H@G?~PPEfW*4bSTSyI zpm1rTe(4Q`5kpX;ci-)ZkNzGzVltL?lsyP^`e|!46&{M@9zFXBghxGHY60tiTbC4y@fKMNepQoA)}Alsg+>n)f-#pgQ-5W*$qOR{ z2bA!}$5qaX*$kT1erJ728-aBOa9(jPaZ(cQGmdi6F&WEO~J@_@{L6BR6pG2P5UgZ#?StMhYTW+*a6Ii6HM;$6H_c4i85 zl>!fIcg~rze5pnyJEEM_oq2=7Py-0_BQM84hj$*UsY_=AoFgs;au&y}QSqW8Oh@gU zRr_6wmA4`)4Zq_@huwW8A0hn-A~l^jP8dnLHNA94=iZcu?!P+T(rc&uuwxqg2ZJ*k0>@llerzjpULE(p!aV3N3WFZ2n*oeg1~R6 z*>G&X930~^syy$(Mj&(e-$4V+BhR{2ixYu#lVXn(3AapIr&^t+OXGBs6<1MXqd7J| zMC}Aqks5NSM+~%rGsp(|=7N&JABwotBmqcrLb6OTp=d-AR6(@_0sR81v~!pZVA^L3 
z!R)DtyzRQr4OXr@BfRPO!fR-j_Dbb@5M1Aa4`5j>mJ8F80wD5{J-U_CF$6L)BE%EY z%2wfrN_+&X=R<$bYOmfHWIqIlWN^TjQG(fP{OF5P7!y@D#_?5d3v#Fv@vSorgpw!{ zk%%ov>D2q(2h&gQw;(q{4y0U?@FB-0#OlGMMzx#O3@RE->yr^KFMpKaj%WMf#a)&5 zL$!n{-fZd3q|)|(#&tIb;g8n=+#aCjXYkY&h%WRc2Q+!#1ez?q0+5FIGX5h(4)THk z{ry^R2a2!19`#Xz5vNW7)<81iVY3eDnGbml>uvA*g@M~WOM&!TWV8ePoeSBXeYLV3 zcbSIlZ4QGUd<^{Uo9M+$0hZg$Q|src!F!kGxLfTY{AX0#ZQ6aFqe)`t3;sHbP9azc$vKvRYiQcmKjZ~?s1Dfh=(%!Gj2UO|I=xwKpUcd7g zn_50|$Y^`}PvD#?UT0UlP#9F-D$kYDT-`4W>29>YyqH%5+{Z83b6p{aZ`is!^?Nxv z4Spq6ale*SUS)lKD)^kkd_q#*w&NSwVBn(n>kmA9Ki4kiN7E0gYot^2MS zSjV2s7YN@(u78ejnql59USwyt9E|mUC?<;oZrh)COFQXx)HHjn<-a`16ny5O`(s=7 z)noO$$~g~ct>#4w$F4kWCtz%Fw&RIHb5_F+<5j?=4&TEJuY|1b>r5EWNqUw1*5laM zPB^|!OOLPRS$PZOFK$|2c=f@mNZEZ}fAVFKQJ(db<)*LSW47fF67>g490L!(r0@TZg#!p91Qp6EaMC^$Ml_cpCX=9r#9{Po1&AzTfbL^D(fo8 z9rW^FPB;EEmq~A@D6Neu?;4<1QCEDvO|6z$M@hi_=VFsCx${Rk-0`(7BhB}5&hah> zK{UM1CG82EtuR$wN%0`7){*2f38$DgEA~_vVhv+YabpQqIeW7|jEY*=Nd9pVH_BmWO^#r%HWN7V@A7L12 z#OmNX@IG34*3~~%wd-ixxwuJA{Kg7LVb*X6^Yg=olCcb)ia^OVCxWK(0znPl^nh$K^R)Qx%4gv-G8G25;N6nLx|oAivNlr;2L zQ5x8H>XbzO)kH1Oj2n?)G13V`OXJi0eTX?_wV!+NFlfZUP;5(`N_Syy^!U9z@(|pw zK}1UHi?%W}eBb>cCeLHuq$(ZSsIZl$w&}xjeN>{KZFX-+Nwf5&@k6fcI7^c3_Y!D~ zH4AYG2+a|}T8GLT%}HfAuz++oD1ecQ`uPjr5U-PHQMpY3-Lq+{!XQUba8ruBI>%+f z>>cAr^SfQ*v)A_@-c{;K>n24C5Sj_84k64->}Q8igJuq5QNXfU1G*}NMVQ5NHFaD= z%|!*qFE?A*?Jp!HaSz6*`+zw!<%lXX;?B94yTGdw(Y8S5VOBkvK_sa`K3ZSPf7MWMnj);x>6dV`5?;AxH0|8F^+EGEESiQUo)~9-M=&&nQEmShD_- z0jUj_@6vQ)wY3-gSZao{68;r?zVx~f1l&{>pz>_ z<|p|-Y}+^=0XEAe?}f0m5n$X*#V!d66h`h7QXbgqU$nB2b4$lR^f|BZV|3NR#HC$$ z$$LqQ7t4Eu6woA;JCf4%IN#z{g!a`Y*jSsY9_7#pR5cRyGQtL@T1uK3SN8jI<(3{* z65$5^WJF~~(5k|^#mCpuN`R4B30P(+Rv>-}$t)-0o zF?cf7fq4oj;xhVJnlQ*p7azsbgD@Gs3n>h0`m>iXJ6b-H;-VqmB@nSAv(}@ml?#z9 zk-<8fo<=G8GcgtyhBjELm+AoQZh}s6SnRKagL4aiEbUKR44_6_y?px*Lk+y8Jt=$I z^~7&blDtN&RHQ7;IMhOk4cxSIzNV^m;;D~8{aX~?pU3>K+km5w>7OEK-%!HE$W`SX zlXhGJ>IPdnQkLr2YA=WTxl=g`4A!gjCVwR-AhRJ*`w=IFp0TQYZ;N$>^sUy=OLFqe 
z-kxzr_tjGLW{@FlGesV0sV&cjpzD|x=wbx%?uk2w_(s$U@J(#hIdxr3kSZN^{HVK;BCBH=aF{MsJnsY1N_x=T}Q~~ zWpWr0*>&5~8;$pNliPQ-%)}J+n5< zdjn(r3VY7h+U_uwrsw^Nj#qc3TYaOI3=ZlxY8wey;|Qs zGYrP2z+3LHNRGsBf7%%eEdHLJ_3&N0<-F$ci-aaFt^^#ja@r4?Udb)BYjjy+o5^Ht zKP^@+t=nW~Zei&<-jf7?0Y4s$ZQ2}8l~o1_T8q2RT9I@eftHfjZ=CVEATA@v%N;IH z(5_!_cLUo)eCF{Dfb*rn+2!}{u&T)P#P)9M5j6#TE?4AxRQP0KXQJZlrL2|RX=Qs} zyN`KhxyJM_W}TNwe;1g81+L{H`e|LKZlB!t3uh#3$EJ_V;>=hRL-C>ZdywhP$Mly;=D*xoit+LY zz>nAL0oafdHq=nI+~^CyUiSs)*yrB0^L$;@0nMoU|hjpr< zU91!l-hsD>Hx;>))LMqzJ58)sc!;%7gGra+rRW?USVeZzl*h3MV>)gVCU5D}xk@KO zwizhlt5li_RRD*gfJU%O40cMqphF=5d%`Bl<Luh)DvA0S}G558!vg zfjle&xKh~d>>XMyjdCf+NmQzdZNd;l1sN6BX70J0p&A2v83r3Qn@4|!glD9|T*1RP zL}3!#N3hi08gzn-B?1ruL4;VtM)=0x%tfzZ3O^8m5{hq^-X40A;i zl7H&D7(6C)Y`4C5Ka`wm*-Dam1Y4uSHmkJ9aTS+n9uO)Q$m0WW9d!QG{4QW+X;E$J ztLiseY?5I*JwpaNC?$ND6VZjcBcTrAxm2R5@NL9T2waVtZWU(}_&db_sZ36@S6+D;RLa zhpE@E7nMBrf-T}a`@Y$c>$2|&oc21)Ukydfn-zs>VM0p!Dej_*_*xag3%lr-49b~r z#N?+fmL&;DH8@_1fp_foq(~uD6RHSvZVpmw7@L@s%-}(U58}_JM}%ipA)AjbNmaz+ zEsoc5KZWI|8sSX;PK98E-jsJ8sq4~A6w-Zy(~rw4DiGg`&`x#rNEN2wr686Uz|yZs zGj2<~u``8D_H$uMOyDKt@a?gIL`_T7$b%sJfj;Kt*RoVXuy~7t()#mzZbyKsV9oq5 zxuk*xh^Q+T{F7wfvJEf;O@Ym+uR?0i9v;~w5QtLJzYYRybp&zdq5+;PpTxR;&8c9b zNj$y?TY8=yoZu-g@`CJp9Yb=cF_u8il4kpFrvRfN;pZy4cQwGi7Ge1FGD~T2*r6^kOSQ-wa7G5}!&IyzU z>nEBQlJ~g)QhpXkYH^%8-}iTrG{=`vTEvS-XPOOtTj;~*uR9R0l=y40^nU=+KrX+C zm1NXSm4T2e7xW5Q>W++7C6`mpE+=TSVPhDq(P&Q_QLW{&N`6F`MKSS;1-M<)8YWV$ zq7Y(9VFHXptYulVYtXEWQ3Dk6*{Gft$9bZaAI30GvRTl~L0)FSRcC?I<7cs@NQrbw z$O#gjwOat@W(Q>~PdIHWmnVyMDA0Im_TNI;n{<7AiU>V$m`c)awp~f-9k5tUG6Ci$ zbYapoIJo5Or_m~RgA{U0$HM)5Bt|C`JIeJ=J<{`aHjmOtuC!2fUvCDJI2d>Z{9 z{$=EUX$(O~l1#(@Vg7gGpE3tsbO^QsHvfs~88`iG-uLZb$s6~6c=ea>IE&|iMbXC( zymiqBR=uut=q!tCyU)+2IEqwfq&!hkNY&!1jaT z-G}ar{a}ONWDj`sC9ksF%}g#@_m1~QPY-Xu>q_Q|TbKRKioE&_YTLCB|I7Ec@4olI z-52b=`<-_Iw)x}rH@ssb;H>l7{X2hjE@%Cjmd`r<%G;LWu9dI-y8Xz@hyADc-#N=J z^0klSf8ci4-tvdc(^KxO>;CleQrB>m0QB?Kl5%nVmNOfmuA` z=UZ{3m#eoN`1JmmI=bU#JX3t&)_vE!_DF7H>%za?b?Tj)EwaHb^DA3^|BWASu+*mI 
z8{awRV&=TTuJ50=^cDNB1ZGc%o?YzBCr-X|bo#6KlNRvAPEQ{BqaQx7>OI%HZ>~G< zszonAwmM?Bd!K#qSJ%sQG-scueGvb@SpEk? z_+0(ZFUbBK{?{)1h2mF^|3!R4;X*>ig3|r;`aj`g`~Q6v`5(-)JR-7u#4o)5ueLD! zua|<{Y)nteBg=(GkXQyv)qZ~<$db|*+i{D5@D$Fw;#ec2PG{;D(0X;Mm+M0?M|bO0 z!h_0bTpSThF(stylS#P_6gz!xT1Xdi%Cy5aAgSSH+D*;OHB04KwratIPf0Ge&PeCIwJ4(}Swp zMv;Lzk+6{#p=Bl?#4*^h44~JwnrhZ8wz}4^Ubm)3&~8IKfM#yulDU}A=-mB(WuOPf7}l9MLm z4I{E+lq7!K@2ASN7IS%r;89l`!g#d|^vHsgLYvh>z1be*>x|qhi1@@~p%yt&%CJp~ z7S{5}>>wA7brUJz@l^9|ODu*JaU^IuP&M1-HpWr5tLEf-c3@@8X`-HWdWIXu9OOgH zxKsg^c9GuQH}LL1NP zqC6>t1ea9JB z{y(|cX4UVe=JLiL@<05m$Nv^8-28+8ElmHvQiX+Q0|{$B0t6HZO~#&7oNY$cQdEMJ z*kU9KFVQJ)(nh0h3O6z?m!T9jjR*pW@#%3dDmVXA zvV30lleSiyIQdSeM{3l>3}bOf*pWUMkeLN_I=fWA-NS1Z2^2)<3NO$uEfA zpH%HBizKrb~mIkl_&&D_cy(G*g*^!xwY}qU{{W z=qS*Hk)g`_t!5#m%W9&vha_Z@E!9`lO1e`NLAeC?m`*&-#882f`4$xS(iyC0n4oS} zNE;}3M45#xv0OIMx>##=HOtm*JE?b4xIKsH<`CT+qMJi>bBJyZ(aqUsw*?K#zKr}2 zhvxEspND;v|DBQ)cKhP_AA%Aj4yV)Dr|JJk{4@VUp)UddL$Gw_0~z3dnE#!6`u)Zx zH~#L-Z~pm>!*=w(zQ(q@T=nZ;zp>gPzpibi+qPPp!dm5zJxjeE9tl#P}+%iU<{?9&q%2S6+7cF7Kal?{j~cKJo_pr{1&I*~>n+Yx^(vulUUq z=DoXTebcL6nOu1J8BhNHgeAN-hwjS9jXDGoD`);(- zjSnxv-Jl-J{NUoJ*R-#?`OWyam0q8J^cBx-aqGNOk;9hR?!cvXAKcfz&U$a&BU`L` z)svg9_R~Ypc;L#-?miSBIrs1K%2L0Ww~MFWc;e*0&Hr{>{iKKYHw-;Q*HaKyT90Lm9?+FfY|@2(>6WzrbX|cFq7`+y`_%6Sv=>sHI!eS811>{9tXd6($!Bq zvDQ03E1silOg=yO{pr_K*4%?n4uA0yW}6gxYOOonu&PY^ukUjqSUEg@=(10r<=pJ< z@Z>yW+4$uj1UIe?JRV<5l#hMlZ`QY7KIfb*_EsKUJbQNakIP>7^Xsm?Y@c^8J^Qu2 zc0Ff}OD?+N?G?{_3q0VtHC{LNTItdQde^6Zqg`CvC7|!tg)eP|^Y#4%sm|h`COi02=(D zD>cz_1*Jx1UoZK3$3RL*R8*^azM~i2{v_wjZq%}uu*II<&SJw-#*JGBEp|sK5HQQU zo65Mu^vDy#DVU`s&>Z^{oveir-f1bW=t#Xt52R9OY6MC&Dg<^&!~VqOf+8=p0k1j5 zCh1Z)Vwt);4w-Ss=8JgTC|3(9N$Hof?GVv)VKD4v(Me!sAkD?ALAHiV96QS7t3Y0` z(Yz~{DXE$XJ6%*BiA7PT`s5gw;!1JU$$BtW??il7DYgxxPdcX z>9g@aR!Qj=Sg&PTy<*lxD@K!=#$?`6(Xa>?Y-Qm5-Cz6sW2&Mk8CU#*=8ykfQHbJfWWB{ez2Ghc0GHDEK3?XzhGQgfb z8aAdt$%hIER_q&1fv^#Z!&q5~nxz_+LQB3d8Af49sG2@voURqK>d?<{`m|KZ)@DaA zvPJ`FQq7bl1m@5t484{f=ln3BwX)L@P`NU0SHuBT==dl{&-MstV~ntp0j0X#VZG8S 
zalMQROiD;9<79AOHhOJB>cxIPNEbd+{m;KMok{Hk+O(=88=vK*cPqJiHQQ?=TVri)+;%4NuIscVxiM3`#E9LiSM6-1ON zFylel>`7S;YwA@xmB|e8au8}LV4``(cVbu@X0(bN^>{PwdCiz}{DPJ43?`(%fODH- zB?-c6r(6@fJf7DH*mOHNG7Ou*urQ434y54)rH#VX&Q!KRhn;Yv$p~@ify`v#q3#+= zp#Tk9nPNhZ+(Fo59lla-x9Eri%&}pSxTt1pN|$MLsD4giqG^c4m8?2ZW8Rac(8QdW zCIs9F`Qk`*iKz`MVpvFpf~5g`!O(O$L4mVIF-qJ4RikONTg^`t8`LFvOjU_k zD@tiYjEcBQaFGBDlnPE|TmXWgsNtY9ZML8f^?x+aray`Q1t04FiV9_Uvxo{5Fiz_% znCA^)+HnP_>*R*B(3+H;qOBEXA=a$~-59qz2=uXj8ucn2tFOGb&~??WBs4$5JZ82~t>&m=s*`hdH7EO!&-b((~I$Jyq4=LOzTrECQqS zaGcH%Tx%9?P-4s}I5noI#2J7iCd2xTg3#z58`Y2}gMoz=PN7hPH5QuyAV7Ai`+9?)lkh13~u|ZC? z91E&*@Nf2y?#!pJJQ?*~;$G4B$<5n&%?;1o>!&Z>R!;r4 z{FiTRH+g8A7av*t@U^wVE`RMU@&fzb#&z&#&z;czaWwx=OP}u@amg>vJZ`V0|9I&E zKiqM-Ka^ix;rZ`hee$2bbyenPk6GV)<^A2h{`z;9{hqd1vg11sTxbj5z4ZJ)ZhyfN zFKn`8;++26ap#^SZgj^p7d-M)?~pJyY71Gb-((-^|t~$zjyc%CvUllvd4G) zwSMr-G7oM&|G{T;z<6lcta04(sVCnI7n8Jy*53Q7;$wTCu-2i!KeBt-xm__lxY8U3xeGh;7-fv|tHCp{eUQkwDZ2n8^jXS>Z1U{d5@GtH~8(u-J z^Q~m->xS^%L1EZwfA82!PugSqZFgMZi6h^7_tc}eiJx9$wTF(q;JgjbJkZ=<_~T#h zzWbrawp)Lj?N9!F^_y?KwbvT2oOkCh=9@Wq^H)zh{#on9O%A)8|NYKO9`r?fq&fRM z?SuIL1?&ItkMh5{{(qm3{X6_`VwbA$CnTr8#QaZ4C`4qr+5Ls#e;?QX?<>jwFd^X( zp5+rkS!n*(T^RmXgPE?Mmbi|ZKsCEMqJSWj`?$|onT~F@63BrIB@a?ZxKuDJT~;X- z2~n-kwBF`BSXIkMM!%t#234z)1hJd20bmQcI*c%Z)}h-39V$(EoR*YyHDPisc0iF_ zxlKB0iO=CJN9*cYm@I21KC#Mz7AuaH0F5RxWaJK~O`0^)Oihw{X+ny2HHdO3CBRle z${I+dRK%8{g<&v6cfnR0IJ_gVR9h@!EMs3*I-*qbs<@-ky*?wLoQ-R z*f@szo}-)XG1IkuQ?A>{G?yCm*-}430LC815T=6VT!tQFzSzrycv6KhgKewSw2h>2 zeAJnCZB_2FDVlWeC-_ z+h92g3xoWG09C3@B673krTa~*iMSZyv5=9?^z%SAr%K&PPt|KB$?vOOMNv60pgv1p znOwkp#_fM{u|a{w8gunOzsme?VZzNn_}{|x|Klf(AvO+}kW&F@+U%iWJU|9!JEXc^ zFKCv@X0L;BXup`t%>qJ7VMBtOisedP9@x4GPSp@f24brlkvIz!Jl2fh53EzHAN*VB$7|q~le{$TXs| zf#Zf&D1jU`;V>&jD1kU1|LIh9nDB!LAZ2vER3%jYrXINu!S zo8x?QoNtcv&2hf}{~HXW=`SV!o6G-wF7{FW_xMumjbA+fLs0~WV4Q%+Pr?7vUqb$e z;t-DEXl6kJ!~ZD%+y5+Vk>G5QE}e5N_TC9go&M^zqsiY6*z{X}zR@Y)>_pIY{Prh3 ze9)~s!#h2@p7D!sBsryS6pe{j`g>9 
z$*wo={P>_VN~bS@*{kpK!p(QAdCq%x-FWs|gH7L7pRdrVvzZ$k=DDw5cgJ(m>9?-) z?d86I=3OUrp1Nq08#7%0rmYX!?7?SFD;~D;a@nhYzSsG0>*xP%i5>p%%UxgYJhtok zH|+Yz?-x0J=R5B|l-}-&yN-DFj_tp{{&C-46v}NC3@tL)^ zQn&e$d7yL7CBuE+I=d1dCBLxtF2xo1XVM!vKizTt2Y)s1ds_@o_;2$+Yn{z6Uklpq zq!(^{^;`JK`nK4KZya;@GA|r;1ONW(8?AfQckf=~uf+Uyzau-zeXe`PHs877a^*Ph z+`mHjBWwNUtQ8sge}4Ve^nl}bUW$GAhbQiJcYJ&4!7VpD_JSSXUF_O$WxX) z9PHfnyTX!x-fW+D-X4s0yRx&`xu;zDMSG+<`#kM~`2Pj-KkTFRKZ!a0-{)fg4*!E| zu8w>{a{9~5|7KqlELbWou(eNL|5N<9{(njCtH=NN+3T-`yfQm|w!5(W&sZ4#XGWb? zW^6NsBAXjXdASToqMm^0Br|1%AoL3bSID?SIJCTJr(LapS-09ALS~1Sa&fI9<)8-A zjoh$;20AUYOHc`D`bb~Ob;w-Z)>U>?5&4E4<~np)=h{717qg7g6PRWv=1WPb5yk=E zvQT37bKVZh`Fa_Et4XOdXew#m$d0uRftf=&-$uLrzM_u$6SPq$EV9OqY&WN+TzvMB zNmO$cX;@@jTH!1pRWs_DI>%SLwuBimYYfRD+cB6VRWEmm*-n32Q-oYl^K01#=7nfj z^1Mv0A=Fth7!9NxP@+0DXOc`^D~^#Ps7Tp2D6`3Bo{yY!@GNlHp?$DKGY(AjZqq=;5; zhz(mt$8@3v@f0{YgnHx0{&Z zrh2B{(0Y8tY_nNVCY^yS7Sg40E#2nwJ!d@W zWMbFDi}66K&;t@paZnn>*|Dh3W?~_pWci@$)5XB>U0t;(D^^+1WCl*5=+wa6#8FDM zvD7tLaa^?~>NH&sl5Zv!FrTsbPcAm; zCpm9U|MwyPi@tjNZ=u4?|Koq+!u0jHar{1U8w!^w*rAKB>jZWp=D$u|O9-gCyfm<6zx+OQr(WD@; z1-?`wdIFl3_*OeDm4`G94j^t84yv6oO?ad?on&feUj#6AkVAEYX!U2|Ez9<#7B_4} zwg_4^H=2YD5|MR};MyG(DwnE$PjL(d&TDwCXk$&+kAU8ooJw@N?o@DXRLt@ng!8JS zY`#o5;{us&6x9sdWJZKuNtuBtaFyO9@(FS7#GFrdR=Rc6Bw06Z7TH;P4F62uWHF@+cQTNSk0CMvp|g)ES>0pZB&ZBNHLYD zDsWO55Lgc@O&U&58&5N&mPP}h)#5Bc9yKSB zrWWivCgs!O?6%W_hMjz~RBZ=YYLY0R*URulNKbd#C}#D>+OQQMiaw2iY>T1?t@7Bm z;HEPks+Qj#N7byvvF@NZ(hDL}86jOK$_tIeqFWt#6ltmv4j@F6>X~2;{mr4jIrKM& z{^ro%9QvEH|IJ_+&3q~OA3B%+`#kI;{O`3z8b93bOThoq`0R^B;ZMW=GXKK=kS_uM z!)CJ?g;5mxPuKt4_x1hvnmmpDVaM(<8-{+QSEd4ITgm#@`d-t9p2 z^w#>@V0WCg<^_#KuiZFG-?1A0gY8fG`4cC?T8%#Hk#B5u&v^%|z4?t_Q+HL4zvg!D zf(Pz>@4$GaH+tDO-oEX$cg^ebEPUNVH`U%3H+b6LaIMN+;MMG+o9jp4c0l~y^{A`Y zx{SQ#M}NEPm~X80t;GlRWh*6aURryPfC9J}1Q zzh16c_{KKhbLXQst#&hg{Ki{s>#wm1b_#Xzx|gkS;MPl>#02ASVCe1tZT`1GzIY9P z#FM$|dhgtK__OBDYpl2OF3Bd(9kJ&6^RN3sO4i*H#vo*}oImwU>3@n?gbA6#aM 
z$JqFW*EhOzzxU4E|F+w0@x}-5+N}4@wJyzf%Fkyr)b0EKdDT^RTKAa>z?U{Krakm~1*Cnlk5_(U`&tSy|8d7UMW>zuT<< zZb32}mFYJ|0v%R4rgsA8#T&U$Q9{=PGfWw;%xN zGM_s8@$vkxm{HYg3FrGxLl}>19eC8@V5=)(MmAe4@Y76}bW3WR974WAbZX3Orj3YL zQ2G-st&ssRsi67Vc!ZX7bu7ZQsS?I)E1R;06hDrqV3B1CJ*-LaqiU`-9=eHW3SxJv zjkMX&_wyhJq|%^6wIvtK=K3}{m>sN}4Ej?n%NC}o>d?o{isMfuyu=ftlef5N?8pI} z_q4E*uLlhW;4%}6<@_4q1h5_}{b*qDtS!$xO16&hNY>Qbfx|Ebtt7Dn0v4RCIg%%1 zsTar|RIQGH4wF~3k(uvQ6Ikqyl3|b&L~eqpOcb^_LYu7yvrkGMWZLbv47*Wv(t%o3 z0GHeC#@KEG#hg~QslZ_qF*6pK!%ifFMQL32DFD zB$H|-0ITG59CI-4OdZYT0C^ge%0wG7ptO&7^A6Savdlnn6Zyaop!)RjXcS# zQpTH5I?nM^xS^J4&LSNiaAB$(LN?wm4yNK5E0;ZO8i1gcavOc5X=5>1jQs=|WR19O z>RQIDPiLN&FA{kpInQ<QQi&Ip!+;+qX!WYIoJ{8m41f<>G2urI~VBm3qDUO;X+lT2PIrm}sNnI?V3801ALKVX%CF&<(z)5u~oN2S`CA<$E>NlM{BB~f#rQ7FN= z2|h&iLY^xYYeTb|V|uumH1(3=(gah_5NMuncmumLg>*3P7J+HR2rh|dtJuVcq(VE4 zYs1iT{VAVNTH+F5wWV2-u5<@sw?k$+Cel!(Ud9OxF;)_K0OUdl!uar)icI?gPo|gIaoLc3+G_r94wrJg>$g*|D?e%_TR>T{~P~<36lH> z|AXf8f1is%yDxeLwENdj`G5Q`wf9oLn)ea@cf#k2&kzisjp5A4At;J&1g{0H@c}+t z>Erny_CN6-h9K#W;J=+d_tT&K{|veSVQ%!l0=>)A&zw7d-F;3vS$cW{W9O|;c;u3Y zj(y@b_?`=wdhniA54&Qq(qz9MufQD{#dI>04I%J@%aZIJEKI`yO%o+q+(=!^i!Kerm~W#}uD^bj!+OW-M?L$Ot>4@8 z=qrDB();B!=|B7Yq4yk=-{vt7_|87tJbux$>;+q_y6@$u-+IS>KS-`^UV7ig=tjRd z`nlUSeBW?d#80x{c<0S-`c(bk z#ok%A`_e@xqL-X@z_w3bwDaXtWbc!1-@JR3a&KIJ`=NW!J+Sg7Aq3K)4 zb=B(fe0xuN2YR`ER#|e9J3sUK|GWSH@8X|N(f^J37yg5gBsS;&KM(ugHo5Tv zal+_-iW7pVj*W-SPe@KW?3Z$rE3h&yvT7`{3qE6Ci)S0V4o?q0+}Kq=f&W0WGr*dx zl0|2CLLs4M2jXHe=Ph^)`^RJ1X!clWw4jJdsNx4_r7DzNR{*}khuIH+5XVwOR&7MX z1!Se;*d|}$!YuXo-xXNO<~t~FRFE7r`yS<3s=DAn08M#31L3xoZw2k9VN@Hq#aE%Q z^Z~vpvrI+q>GpYZV@nw^UN!D;e* z4zed&z8-fP^+CHaJJ4){D_8&L7;qfTeT4UAa}*^ql$@p({GKsNv!An6h82XIuXV`| z6Xv9e&}>o(kV~b#awo=#ysQk}0#%-58&hQViU!@V#|hnfwc+*{Q*diKC<>U*GYfS-_Qyj81w3SUuee;HEGpq0aHd~q;3q;oD$j~Ky?P$ zAOji0LD?faCRcNCrk^uITZ80L!j)*e4d3M~rVDKiM%c45T8aljXR9izl4U{*#L zR4R1jHr*`N{n6MG=q}_t<2u^w6M936&~`Hh8?&`gZgz8)Yq*HX)`runP)t?0HZZI= zr-YWY6E%Au*<(_$}H+Ad+&QD8Dg zp|;&f;5Jxi{DwP135N*FU_J;H3f?osMQZMM0B 
z?be-!Pr-Gz?PE+9AX#|ij)Po&l6MARvB;VV#ZQ}T(TWFt3U1?mCL6Y3yqHRZrGln5 zrtp}Mr;ayUCr+Z}fL=KWK-R!$eW>PV-Z3ADI@4qLYS;oROi7i9UdowrqfirghG!8L zw}at8buCzx-9|kRpy?ss(o!=I+*eDP?Cg1_ine-*4x>!Odn1(;l}26dQccKe=+%)m z9l{+$);V195U)}L>{7o}^o4pSlgr@!aZapc`vH^AYHq1B8?Zj9sA6qcEzwCuWTCj0 zNyZghnq3?t6%EWrAIJ`hb&B_G=R-FO4Z=$D32v7C`_$G7hCJq(iNUf|2{1zgT7Z61 z;OwR}yXKT%U|4x}hfQI#Tb@D~2B~9e0}ea++N3j^WdGA&1OMW%BhIQfO4tzUb>VTJ z@|b)x5?YbdrAl5<_S^aNaLgH=gH5}-(r#yRz%;HC+0K~tFpaK=c+;QYL%uMMD%BcP zvl`$eRdRi@iZJPFu9tOd4G*ie#$%txMy+Cyq=2y3!U!Kmi<)hZ<>HWHXrz|ykb~63 zw}c9**r7(w-oGH}w18@5mgc|#PfQ}GIGVI;*%45}+aTr_s)jf)$n>P|8||qova;fh zV5B~nc2TtOH{DmZOKlL>4F(M7a*iaa(YnY z2-i2Ils}66ey%DzZ+}diEfhax?lbA($O+Up0M4P zD|~n5*Vc!Z*nF)kHotGNaMOpr{v9noeX~3LMag7q`q6ExTS>p(^`cYu?Z5X(_OvBV zIrwMSRoRyv)|#%0GMa`O0luJ@R7UfZJYs$kng4#2@WAUp`h?`;HZtS>Z3qBI}kH zIc?KBDhDiCbPhh|;>If9JM$Gf8o##H_XT0QE7GTFw>;)w_xf!ofcLNRvo&*1c>itv zSL;UR_fPM!_^s3xd+c(fapC%3d+?%Nul{*y(>0gB;j-IKxNW0k$v4S;RyiK|?jL@2 z8b9x)#yaomum5(h>(|@djeZEO`|HVTZ%WO(ulUt!>rF5G@p~sWHn?e%tFPGUvO7ml zs-@*`I4Bd}cj&MGdhsFS-yO*Ba{Xqh^WXc`mhRgZU2w$SxNz<(51xFcwBD2AJvYu< z^4@nSSvH5%4F@J@uKiL0^_DFN~dD;i@{|m1FNPblRg%fk} z|MReaL;nTkQHbe$694c1d9sYQIkEkJhRr__Hz0ROS|AB$f-{nr8p$e}_q+tpd> z!s)*RmRbn?7t1F@pH>rj*vslRmKwK!W``VNV5dpw4%Kw@qFd%#h$y!Wd}M_kUdy!E zW{0oL903ss)rsR0u4M%^k0566={Q3HNTchwVLYAVs`)AjnxVktBt6U(yjq`!DVVEx zmAFvN!d)rLiuSmdFE?3XJk^NlF{XF4Js;!YU1qulwiQOWWt~Swf%P18?J=c#(E3d{WyiaN( zjKsuPCi*DFYo4A3+r382sgIp#x`UW>e%6=XVdOfWBapN1B%(m zpmb-LL9=bTOF$v77ji?V6g7oHDy)a;BngvBlBIyM)=iN#UQ}$j%pw$B1kFS@Y_^?h z60~aP$#z{Sv5``!cWQ8>HX+*%IYzsl9icdFlv%)~B9j?_Xntf+)uxZs(PqKayCVji zz@pKO+fcoo6@@+_w;YtHnn~EuCbd+Wq|=j}$Y?+%4u>TaO=bFymPRT@f1t_1sLXrS zVm&W=L}%(2$5kf@69_sW=DCQo1+o^_Gm6oykHwx>Cz7;_ z*KEjDvJDpNquFAshoy^L8ykls+0OV=+KvThV2Le&*6TeXEP#R8;iPIU+ijZzmH$lr zhQI~=-zKGhaOU4cP)djvv__MFq^1k>SSS~U zlT^!L&2-LAQ=?8EO}EM|58-5;$mD7ng-r1@jX~Cg(ThYN;%dEPHVe^Y<{e;%tB=r3 z(zi?LNjhCa+ej!4%Hy_5r=)IOq@B26wJ9ETi={G|s;8+IT;?aasuS{s65x1XNp!J* z@ha(TD~UZa7>_HQA~m`$6feKt_#%(-4ZF-U$<@1k`b#Zi~UV 
zWeQT#C!6xjF-n1M7I|1VN26{aw^(+ls&&$xfV?4(a)Y{`l*2G>$yP6E0p85VgmiUa z7ckW@Em^$Y_kS5%0n(?~1dCBZ3Z=Uu@RC$-qOVJQU<%zTsgn6Xyu0L@f@R!kvZ zRX)^z@#Jhef0F*o`B48=NGQ##1RqoXaiRLbsU4u+>#+h~opRODh;GnezGM)AC+CK+ z>6>Cf!KSFs(L+6<5(s28zF)7G+k9T(TlsufMRC9!G;0ZtF~NjWQYqC}?V%BvvBC^< z7H1c0!L-qEt8ODFHi}{gta@!OQVGauIOA?f15E%NYip21Sc6i# zU~{@0)o9WSygbw_#Rc6@g@P(#eGZG7L4c%+m-Bf~A|Gg)jyc z^l2l7i@gjpXy>sU3g>k^$xa4@As~4$o#FdsO$QRSKNwE)rIFn9A;V?z=46D#LqbK$W4<~3Vd zw;%^D_wa95hHu#5#>TbFoOaNaQ(JocfoE4d_?j~>h`$M}n!VF{;f1ZY`qnkk<~zOf z)BCsko4V@VKU^1F{@Tk|oZdBW`9=0U;@nFPx(Z+RtqbB>CXPeva|JLmf-4xvO zzzV?QH=QJ}xae{3DC819|I1TJueILwkJ(RFZaO*4{AL^ZmBxLCfM?7;~iT>$X1if^Yxe^XbD*Zyzw zzr%iYz;763bkt$e52&KM-!Int>!JNyPyGGwUOY?q)23ISsok;J?T_qK&HnU;zb(@| z<9pij>SpqYe(kA0{C4Nja{g7v9Y6of4PM{qx|1J!=&f^hUFp%qO80NQPw^FIL-|M4 z>KF4{t#kXC$SQw){`lT~yLr!sr=GIIZ=e6;FSi!g8?C>Tf56Jpc*Xs%dE}DUm!5yl zYmYjoS+DfL;Ne})TQ7X+s0&~3l^))Iv9(^_;ih{x+f!QMf-8@3UfBH9qkeSGdOuus zr7L$^`n==MJaOykYTx;Z{L*!g(`oH1i zT>Sq$?BC&k)y!ZbedYKc%(Dh8{9OxI!#+L#``G%A!dH*~)e>Hrou);Fd@@*A{`ct< z9hA&;G^apHaM|wq#K_KI6ChL~%Jq^^1W_@k;5FN#NQTv5RmxP!il`M^*tCO1an~KS zGI$#U%R_X~v+6B_wbg3zkPD>fUIVAJT+~u#vj74!GOM9Qeq2#mG{zvXmvbV~9G3?? zsAC{1q@t#&3>}NJ$nHqW>p&LLq^5+HD)^*N74@W@Pqkr@aQsZZ19N(U4ZV^YGoYf% zV_s`#JR+Tv`&EMkTUyQ}cz`J~C0nDpY7kdsYqp!u={n`W_H@kbo5AUQwVawJv6XGH!Q?LA^*X5DQ4txEGd0Rgk*R!2o#ydj&y8KC ziU;*!S44ACiIu9OmH`vBu~TvTh2ew&WVM!R7OSo$k8-Jz9o7|8PiO6XphRMBLT9^8 zvj-!g9Qmv+b&z36=X%y8X&Jg$9$yIX_oJ}&c7c_@v zW!UKChe_2z6ego^y~3c#@KM}Tno_Ur^MIZnW@BtNX=x!ZI3>3e22rve4(U{9GI1Sj;A%0_ zgDVl5ZUs?6D7l?rU^ZeL6H=2p*YT&*lw9YuI;FMySO5cJ1)j$OKORsIh4EH5N7~WNLRQ*RB)IHr%sYyJ*Y#? 
zb{}k~FxFIvqHVNLv6^f5GenZtr#jXE+XW9Hifllov#k<<4H=}`1qpmqEsvtvf@qOo zB=o{uwk$S7%FlU$Idijo%TI-UeH8MI&N!(yiTtpU#fn)U=!MkSw{*iLO8Qjn`XO1a z`5D}@{RZZzHL&8)=~|%!MDlRW=M9r7R2}0@4IodJ8a5v2E`fQZ2N@cQxksqkH_DCK>h`?_{_{@9XDPVPH7zd7gT&5!&q{r~O% zMm5MuUFi%uZOlwV+RQkErX?>(b@E{^lEh-G228_Y!Nl-9jj=jg=aEv^RT|W=K9GrK zTJGeEKF@Wl-M-0}gM=;kRD@b~s!$t+!-&WFgH{j7*g_A1R08kyW)d_hTTV<@Bp=Qe z5i)DK`AClap;sH=RG@D?1(+Zi6wTYfX;da$C zdogSci(PUo4Q14tn7Q(pLg~H;q-tq#CgECY4FW52J5f4h)1L4H76swVXYfDhAN&vb3i#j5QJ^@HMTmd5|NRI)^u_txPln5` zeA%2Gulo>u^ltF(;?d^C0uUIe%G4jvn1|m#fz| zcUbJ#8=v=J=?d!7+Ila%ay?L7@{R)rD_!>T5%{&k_iNwT`rsS;3t#`mY7bw#)0X#M zbOHYGgQ??N?c2BC=$Lz|3r|qx)3I)R_Z7!J*IV_Om9F~nes4Z^;mLfAydCzd0W~{d95jTl4z?M~*kXGIdt;${jb|dFR=y z9Cgj&C;sNtaI0ela$)C!H%>Z!vwev>MtdLd`xmqo8}o0vrGDHcwT9&pvm* z`+GV6lT#0!f9ur;y{bR%+;)2RJ1ZBqx^x$2a^jnt{`A2kPg(rwA0PVs4u@?0&cWYW zV)^RTc6Uy}F;>Brhkv@%@+YG}_L@EJ-Q~2ShflrtkhIDs2c3PKu+)Ahuk!k0yPdZq z)_?oERDEN2T>-as(#Ccg+qP{tPGj5lX>8kRY}<`(yRmJY^X3`v827pN%lZX-@3rS# z6L^4gf$8qch)d*dYJbO<*>{&b?PJJVjyCtV*$rgmGzSg58NtV!rQ`GS?cVdFG1}VD z3IDaPf{dQg7n@Je*&{&Aq8D@@GT6HZ*iwv`7c_Hz`$|2XHF)kjFwSt_pSc1|Q@!TB zJ>K`esnJHoKNv)*j7mHT*()!DQp9A5V)$Z4e(xsxNhrGN*~uClCFuYs#U`ZUu6wc`bXCMxQczb*4YBrP z9SJ)GQd*H&1V>UlYjK_+$|Mq&9x;RV`bYu+78CC7MVG1g`_E?7rbvMm>f+1oVD%qd z&Ypj!)p$9O2y7&(1!xo~hHeGywF%5iri^>1_Aj+DtYijcIcUV2WsGO{f2pwQuz_B! z4YfF8VjNl6@MA?H&eUxYtD0~ZWFaN#;jPk!hqP+A4kwFNmDF*^AMRg?w&GCbWqki! 
zw;rk>)fSyTaEp76OdJJzkHC}B$`yKcLnKa(gY74cGW8#RtEYy%{Mp`RmY@b7OQW{-xv^X0tIE}Bj$1bS^rgN{^gYj6A$1!t@9`*{T__*=aw+s>Rs9q=vZYSyLSMjaK&w#CsEW?VtV&S=PPE-AN7 z`q-rsWu&+@tAviABcMY@3-!_Nn#^(BC)54cGbKUG1-KWo_|L<1@0?)Y5^S1mZT;#k zR)AuCM6guYK{DtHG1hRxs!f|BsZp3y={_%`5K+~G>8aPwqH*Hgn=;_pX|2Y?P>h-7 z&YVDBYKw=Od;hqkqqK*!a zM_u50+c{p-qz2|m8tHK9my8d6bsDw$PYMef>xHsjr`5FHAlmn`9I~& z#xckOX6vr8V`{X&ve48fVr87VMO}&_4@F}fiMx;j{kiC)jgcI4a^R zJju0{UG>IE#M_z2L(T>zX;Xx`&Se9jCDrGZ(#!B$;gSCF6n7z6lxsBFEsdBIPnV3) zj7XU?<}LL-`o>uYdDGEjQ?#g4!3`8~mru+kt4?Ihh1(<))}Ux%rR9MQ7hSYL8EO30 zA9ve~o#Y}|#XV#%Q>jk)K)JRKBpe(P%$vJ^gvc$Kz&b}F0WZGOmw()s-DYi$MhgdKMU{2UxzP2kc%pdZDDeG@NeXMEU*M6PiyC}Wx z1+EW-<=za)CHnyY|27;PTrYWwmlWgNJ%Q8k_HkER`%3PGVMHzOe>V;oeGRjyt~c@4 zZMWDy%u*HmUUM}4H`n$@)3AjenoPLD?H(Q>H|(3XY6-hKdXKq8?aDd)-_r-a(&po+ zpi5Fa&v-sJKR8@^UOTpYFn6w5>p`*218eQ-$4V8I zY{t&LjQ4MV)qmVo&SMQ*$9lLn0uRUPQuoI>-R~x?+x4e7O#BU7XPpGRyr+B~c1lC& zP}f_&eXrQiN(!2ZSVBD5x_C99uf_Uk{T{P$o#XsuK-kskJv^@2{dmmL>T~mm=&tR# zqZ;OL=+HRjm6lVthm}!{1sLY@x*d5oct6Plc|$fkfGo>AAMz@6rERY2Psb-OD$1*429nxl$;ncIrh(*gB@HBs7=~uWj>rcT((rXKdQY zV4!=4W;}(t^R^9LO2`jwsI-RNyK1k`*5j4)%6HxN*FJ4p&-2M4s#5PJZA%fjA3B_O zc8(Ogo&9iBY|wc<;(0T^DP(&;W$~)6)M+!|Q*}^nQ{e;hO_@vNzS)EI*#^wFBMUt5 zt)-E73INT%8m?bR_iG^)O z^qRK^2v_4IDc21nPL*TzFdtoX&pw zDi*%XlJCDY>5i%5=F@>^BxH(wk7o~zIMI664%rN+_Kwds#)C9MN$MJNo`RY#s1bAa zGD~EHza){*J8~3c zr72^A&Q*9yziJ!~R6D_uiJ@75BsMXFq2z?G*Blwea28zX}llRZ+>ytPCQg%#mdjk@gY_+AKVf(|1VGf8*ix`Ca7<{cdB@hz;&-|`ZzTkNp-0<#sJ3I#bMb1Dca zghv!CsKZW%3ml%_;!hsi%t>r*LLqFvu`|jv%#MY}j$7gULB0uAi*uoAlR+AF64H@+ z33j5=E8fTtEir-UKv<3%(2$!T|CcU;o?mnGn6MgF;ztuvA&Z2aLK$8fxHtK;B&we4 zmS@GNV~9R#A0rUzvjFROVoP`aT!HUMoVNL6-I1M;lR6gvH^m?F;qHX0;x_+Zhstzx zB_f40Scow<$+{oyM+rh!pc#Lw{ucA&gx+ajEA`=#12Bz#{H@oTH`aP7bpniL#yZKa za4BoNN~+v$t5nvy{PdSRGqVCLOS~^s)QypDp0K5V{!+S=zyLe+x6(o_jvQi|Dz4@6 zm_*hj_U{10P{zN;ebjQzi|m{$CO#LJdrTp`M=oTyY1BbQz2 zsh+Xv;;^-Nf9xj)VuKFmKhzGX`_L#XcjHQaa{RFBR$K@Ywd98hlZI8M{KU_yXgh2O zY^nPBoW;8y5y8GW)3N}&v47Hq?S^U<|3@wwvdNBya?UEtq))$hyFO62j57F3xz{II 
zp+e6p+iuL8I*zkI%F*9wjx5|AXjrC4kVBdqo;nOkiCf-=pD4?DiN%X*Ok+vQHilGI z6Q}`xWUvFezg`A0j05wc^<+`W(v?$6?3(H6OY34JNg95UWHr(jH|=}rL!NyX_Mdf@ zLQ|exl-{I??%0O3_*Lr?@ogBS}evKTB{S7D>JqX;UWl{MDpFs0=2&s)8g%yiD%iTk32B1o+9Eh`fJBo2ydcGT8U7PUZcQ5e{ddHGsDx2OdJ=(L zouCzLG|&ZriJqV5fKqbBlPR z_-t3-<$IWt>^7OxHxYDRD(bBI)x+mWzpXA!S=fz zU?bdl1zL`?WQh1lV-bGM;!yXTnKsAQJ&RKSe|5u{+)=Sj3@=?os_l}Qiw;ZS7#g^fc z)Db2Y{qqRXr?1EU)e7MKatOG{m8m?cqA>zCk}PsO`F!R(rZCTLnhR`7umPtf@Bl~s>xZz|PZqD|4z~%RqdIj?9*4>i zMqb<7t-SX4$uB+qY@Ei9XX|}~`W~_kWB1_G@l6&#KpFV2vplGUm)YkJkM~O!lO1Ru z8Zh^+;XV>GKv1%_fAz6+9d8!vbvaE}y3@6`@p-h-`9g#5`Y&qP23S5g53jgpzwP1S z>wX*bN|&p3-;P|vyRRhm_VcJ^+d;qUY(`4Z?VpU)=SP771FG(0BRt>Qep|Ojp3d7q zYw4ApoQu#RbYIuSzT9QcdEs0w$ay{wsm*asfYHmV+N^-j-$@IYX2bZoH-Ch@E+k-D z_`2E8Rk;w_M~zLBxMf52&D6CLg48lceNn^Mj$78PPM>7iIEk z;B)-LR~}W$r@jY?6f^vn;ho{<9Tz?9cm>JV!@VHlK0jY(oz!&@#X57fcY83dCY1HLei?ylmThvb! z$Ak3(OPdMDUlqB6LLxc}?R4uq!A3t)Rgmal8Nt4kd<;HBudnU}K4&!l=~nfyfVYqT0}qBwKWdqLHTx{7lD%k8Q~n zik3WCV{Qk=6M+X1r}xU5MJzhmxhk z!IUh0tE$3S#?2Acv2?+QQ0z|TnH1i$gb3D1XV}oMN|uM5ut@Nwt9(ga<;b8vHa$fu zPFk$HO16VE$=^#)-V|3sjg?&@pvWB~v8^UJ#|=tw&wAEA_4d!~E22!2fLxeQQ69?X z)H0*@l%`x!)U2qpcoQMPowbexr&`lx%fm}2`g$RqNn-$+pjV=IgL-*hvB(IOsE+Mx zqI=h~+N>aV_>dAJF^TMYIEGXrY}&d2bLu&U3{q2*erEV2=IxrXDSCt?!Hx2HP6sG! 
zgwl#B@&n`g8f?}Qs#VJ#vNK{9oEGwyNajN;@dU?<68Ic^B`9@Hv(icTt~>6lBhqd0-O=f1DGq9dcr*7zRqZjYma}*P*oIf_ zaxU3ZYOWYEM&$HMX4MRheNsAVC!zGQr`Lk<5_m*pgkhMnq_Nc+kD^G+7E5enyHK=t zSj=MP)M^yn(sd@~wS>ioCLpopAIp`>TPscs>L4O_--TGVlze*PZsH(|+lZOu>vT{h*v1Bc@lf1iC->3gOhNZv*VcygqgxJ~mK+h6`Ut#7t zc(sr(20fsEY}Y8%Fcw0pAfX4M52p7ou$xVsPaj^G0eF7vh4j#u7B0ni+7I#vE-hSZ z*?nCYHE+afEP4RV?^pKFmrYY~{vD0&7dZ}>Tdq2M+Z{ay;HvM8?YoHsB|;zjL$8I} zI@h3nb*8i_3)p{H53R&gwUQUMbIN<*V8D>G3&PvPfGtK8b2j5?JiIFDQOG$#$9JN{opi zaDAD3Uh(I?kFW1%pwcx!z5Wd7_-7+$+dW}+P~U0qyaW}}J?&$ehm6GtoQ8Y<76%IN zy>fd06L!@T+~UB~>#FX!l9Dm6GZ7p2X1IfV)a~o~7O#qZF6gB9F?~64|CPE{T1#~B zPG_;RX<2sR);jf3`l;j#;(tWO>wf*8a(Wq0GwQ9P*ZbBd1pYMS0+n;?C z*PWh?R9AZMMGhCD$*rCi?;%tS+_;^uxJIC->lOF3q?K+_E#D5PZuO&Z%&s6n>$SUP zjxXH9#@12aKc(MZp99zzz)h}e9XKATUL#QDvhQ7Y8kY{U-+LN#p8uMPfxBd83==C* z8`NtG8rTKsgSgHC2GSq!KxkHi^}oIDz_4&d0kRYsHRsWp9-z|O;Fo7}Wd<~vF;Ej^ z{3{p~0tBQ;+zJVhJEgh)i%nDzHv9dD#&DH%Bv3Z7q4us2HbEYtHjMg^6W$bVpH`nB zS%;NengXga0>dcEO108Z^cy_qFR@F-@$b^KnFyVF6m*I%Xf~Bi8)t~bPNvYtVoXmr z9hJMjyASW}uvu&z(0}n{b{#oO7opZf#`n<};q!6y8(L%QqwACK7)MXmKL*=&Fe<=t?bGkD zo9iD`5#Tr03yz|z*E?90Wn`h`Pg_=%F6N)@<4(Xapk4VTjLQ zpi}eWRZ{}tw9W2h7l2lUTHM_SV^g z+Egh5C$!_ND_H1S&ngrHAGVR>cI3RbPRp=ky0bv+K^V>?f@?PYy?x8M5v1KW_o7tV zmIcAmP7dMU)j#N3x;Lp;z|u1-@7sCV4-U;uveBB$k5U?Cp|Qa|F(9q#t>1pC*9jXL zVhfa)sUvXEriUxx5@zqy;>-_C6te2wb{sNV7d_m8onS#-e#0p;>*}L!$s?Pa#JFD= zKouVfaby+VrKb>Sn_(|81#b{@W*w3=B2tnrNIXM$D-1>9qc;_0js12y*T*b3FtZQX zl(Ok5*uDNh9<@&SXAA0$`$T?wd)*;T$?E-@k0AKIO?t>c7C)E*G%ebJu2n=c#gmSny(`2(Df;&3y4BByW44$#IFa3!O6l83M ziX^)-X;ET6D~on?Aqb2C#~`!J$VIv zm8@SA>kn|@I2qy{glu_;5yx6w5Byabm^S+*Z|*%79`e}iNW)I^NOdw{IO^uX^>StZ0F8< zA7%k;P_k~7A7?WOAUQ7#$k-22EOdaOX$!@JDSuMVhEL8VQ$_4dsmW+K6>rHd8I{q% za%v1~D?mwO=_n4c#4H#I`b%CQ!M3Ohv1A)2?r+TjQy#;0PQN?=(*^f5tR@O=$T#6` z2R%N1e{*pdT9OCaYimD>Ai+gW)lw$HUX)}_ zSDh&XGx{*&u1LWk;v;*Uc6U*Aa?GF{1zB~dm;#CiymBWscXQFHlLq{=T+owNT_sk{ zad}xX*Pv65>AdG}xOwSF;-Kn$h-y<6J@zqmL}aUkjp@LD^gsSPfJz7`;&rt}ps6d+ zW5}S;yTPYr!_DD4QNR>NCqg!fU=+y6Km>Ae9sb2rCs@mQ43a{IjA_uh-!R 
zTb{Rl#sbl%VPVit_sis_h$d86$Xn!_rUix4w#>V6_0XzpT{ zNAtMTm(2~u82i)@P!ovYrSz|e57u;#f#5Pdf7{wXZ>OT)VHomd58q3U0UUN!{py#X z>Du68c_q<+vC-M-ng`Go(*7(M`?f^W?+tzZ@v*?U=?!XtT&d|=6wo&RR9zc7evs?s zxj}RZ3kl189I;5%A|fBl`F(K7zOWrPsIRJ+W757r^ke*Z)jc z95eYzw0V|BrQ7lZUV8mH(Ft&LQgvmtmG+0SuH z`Yi}^n!}pyKg$Q^1)5Al?!GD((x2ZpYlLSCQQA6cc}*GWa0LygIQVck?{Hmh@1KRN zJ!*K}F&AryYFA)Q;Pl_uDW$7s|=PD|Xx;J_~mF*W286UfutfXO?>s z@^lByFwuR{%ya{&mj0JdAn~DKc~k9(;)YHb;B&+$Xx%^v!W}}DE$Ew7O9YYuZETnIP#}V; z`?{r*?E?<36srWhShx|?oho$z$HrsVdT#Ka+@nAZk;^jaj^LG|$-1?IUw@d)bf>G(!qAF+)lB6yi@4{fXHw!YxY`?3v9B;m4 zP&7xl1)*MK0%ZxEH8v7kOhzS2n(sfCC(t>h0vmZjK^3?7P^dCaf(gl_J0?sRt(Qf- z#!Uqy#9YzYp`1HzE{=e56)pqZXy}4&q#`%Je3Bq@=r5Khe4f;^h$0xt>`L_raDFT+ zw*y76z#ng?xKo~6R>4+@IcbjFgXu<*Tngn>U}|ir9bOe93dS-0@cO@ON3rDA)r;dW zn;SOfHj)xHlylkw_X>>|Oezy|5`4LqOvrMcs#&z?anYND4JCVsGsSYOG4Co=ApELH zNY`iu&A_>k-2~vkW}P#s#~?$DKQdel#ZEH@nWKI5sFe;x;^<;>YOa3J;>py3A?6Y7Gr#Wc{g0#`6uE{tJd(T4B~zIb!REjM{hHl{RtZ?-*RPlPcIht?wnPwL67DRp>K}&Pj zxs^)IG9o#t4y7o==@H}@Yji4S1#O~^SqD!8Po(zx&(p({+z5pnwZ;Xi>@FOR;jTpF z?tZnUlD7GC$M5MFw;9;hs5D%cM)aew=e&+R%dSyK)M+2qq|%OK^6L4)DNd}iNlg=v z4SMZaj0nlwZJ{3OAy#7-@l@eeI*cjFSTp_pC41~@=DgPIQaEH$*s7MxH6>yAX->Cs zpGxTW2c^{@GQp?bjIiKI(s!bq_(Us3ZvsvstNMl9St+0LC#tzwkXw)bp0~2nC0*4? 
zfoR9E)?fLMaTF2*CfM)un4%5ovRv@qlISs!U!kq&sm`PjlaJ#inSDXodzmRBI?2wW zS|*Ub1%_%e#GSg88})25JSApyOLp?oi`n@XL$esi@3)+Wr&aIH%;yiF%JKBI}Kx>%j5}5kZO*d5OeemN|N*yoe?|KtE)3) zy;)Kk)De_cp7}}PnZLh^V7Q)Vr&=QpYs;N+kweLA*B3UuM{1kExvAq@S$k=>9z3X_ zk$BHaWGJIojYdv*`J1n^b*f`rxT-Qx(k+?Ex>(aocy;7QW+pvT4A43f%w);ys0Tx~ z-$Ack*7SLZdGN?hrZ)1je zL!buGE?_Y23g8F@!Gcd>_@f^<1@v&ed;64&2+I-D{G5Ae9T@5514!NB#t4$OK4UGQ z1MY@ZYE2uUAGRHK{132fbl>>NY616@(6-IHk)K~E&O06$iG$yKI&6_6v>m@0-hFVLn_(s zJfAUkcHLA9IcT;YUSh{-$7r2b2vxZqOy3s!tS|yTGfI^nT3)VjRv02`>i@Ca&zx?t zdcF)o&bbH)==wen@f>CND zkQFG) zeO(JudrQ@;rQLhJ1Y#`w=qI|k0dB?Ne>SjQpS2OdBln{alLop%E+&t{j?G$RzcRp)d)oC)W(#L4FQ_lZ!rO*^^?thZ zBF*0&q<(EN)ILGjxZ9;_UnQjW4;e-Cec(N+Hq9jO{a3^EpG(h2_!fBwm)F0w*jEZd zu3Www{5QwFe2D&zpY8A29eY*)!HWvK)b^XE^DDjm8_ne{)BUI(=$T)R#qV31*WT)s zoWJ%fTuSftJ*TyWbpHXN?ExlZhg`aTjX6v`9<^y6n`U85d|w$%*f@Y{kU;}TWL4;$ zh*t;H8~(*j&wL~I{Gf?a?Wq8!#S^g*kk27-->c;Lx`W=o;PLXxBnT~mlB8Z&>7W5k zW}5Wfz()DQLF)pY)x;@&fF+TGVuYqHGBa8N7ex$AfJ-y3U+a8c#2)V0XUaOTjRz-d z@i)B*Bzh&hil9`xxcQz@!S}VyxRM`jdBSF8$*pJslZCL%;`kLirOAQk$?JY-)N}P5 zkWk>3U{*1Tk^5(!-;yrZn~;*AW@VR1Y0M{)4qVF_32k`lMp|z}Ns^`B!f~5rN;6Ae ze5E8M(I`1aq$z%zAc(p#2KJdZr^^iKmCsX@n@@u!jbRkxUJN=wLB@+q`)7-c=VS}l zVVp-OqZ62}-eFiHPndF+sTeIf6b>Y7h(xe#A<&5gpAySUXp@Z=mA1$mr3awzT&)k zXqJl=r`ovck#^cFVWjMl3gwD&k22Aa)uI+^sFgHU^ygO7?yLReVPPgQX7U9?$?!wE zmVXlVFxq(MNTQ(d#;XLZ*{k5fngm$o*ISO;J(<+;&ED*(^JS`knMipn)M7o9UBruc zuu`Ygg-$pXYguYEWi0%r!76Buieyz6-7Z^+$zPNY8FFPH!}UBd>5o5!SJOy*(AFN) zh~bRZRA;tM93Qk^Dg0K8NNEN*KxDI~NNVBDsfs~Vi9C}Q{v$sI1IMlY4JQpRW&6eD z5+nmK6*SuaVy7$hm=G+EmGFss91W1z&-mxK>OKLokGksy}eEekU_D zTL`+k5#l!Ke3x{95dOPY+Ba&Cg)?*2LdOkr&e4z#{--a8QkcV_>?GNovK)3Lc|x0} z@O`_k9|_}+(JhaV-l;{n$`F3=f=nZOE>4IV-|g?<03)m)@0OK}b*K(b3E6=##h2&y zY&*2?xjKQ7yPjWGw<$u4sZCPwErK&s!f%d2az(-xq7z_ZV)HUPCl7Myp>pb^)LUqH zV7d2jNAW9*nWY>kYPRlnzWLY!@d)IF`(fzdw}{1}b2UL<4ZToG*ka4I!R6X?)l{kL z7J670N8`SN$L5xd5bKb*7~*c`@vG*5vmdfk5eK>U))}-LfigKil8RLrIo~&_#MbI_ws0}Cyy2e7AmjCS%$qEq zg7$IN>Y3kW@hw>GQ>u+zcf=Aug#_v`ru8RlLlyZdg#QrYQ=Q&-LX8ZMU81&z8-}!8MV!ci 
zr9V}7D>^nbTLzk6I{eSL1{nM%4g^qqBIo9S-bw$XyrTG6|M*fi?@C?X3kM7T{kjpq z?7R~teo32&ApW6%8#x~BTms&^>-JLVfdAgII6G;^s)YGF7oCa+di~a0XF6YQ24*OL zA88B*owwynjXRwlD-1x-bF9+5H&K&}>6q57?>g6v>L*)mnn$gC3|gPT*J>I%s>itm zJaRRi)2M04i~#qDm9%c1j{S9l_47QkTHaWX)E2MTr3uZ|j{>PD<;M4kl}{tjMfeRM z1zQ-eaW`A8NY&KEz>2@ysnl}UYYUmnR=;zU!{b9z+VsXzMza#%M-y}n-uk4K zXgmYwZ|_IhEH|ln+EyRy`ke%;T>;nn_1gqe25u>CyWfdk9?cZ_-S-;_A14M2JrwML zO7A=B*tMUXKH(Zc6&yb53-5-YYj< znl(E$4QIR-AHL78a@qA2p(!5v_6G7UIcZf>8XIRTVFC|Yhf{Q1+~!w`VKoU^I_=TF zuByL>BQxoqPjA38?XdaZ%`+(VT%3)>a=T5V$6a~Pwu8IXIeqx;6qI7xrlhRst>o7g zJ|h!uIEL65@R0F&gQk*(*F=Ff=hBED(Kis2ip=YIv zWf9ZW_zMq{%Ht)I%cBmzO%&?|$&Q#SMCko~%5XO>a!HX?z(v5b6J8lp97#Z}9WO-} zBVTAk9Q!#hWA;-W{e&rUqJ`Q-x!VW;|Jqw0bC*Zt?A(Li!EiZzB0P98(_uu3}* zJ=;K_xkR8C9=&OW0!NA|u3ubDvKelo8L^m%lfKJ{bR*i4!p3zX#5A>=VCGThmJA+U zQ%>$?G~H{&LXcUodMFL{PvZWhENW;jJR~k8Um5sOD25;Mv|eC(55}LZH{wkcRUoR4f1x?7w24Z&nUESlLeN zI(1cTC`f9IhiDsAp$eu4mNVOAEQxB)HH(za$QT)oVhOH%^_Y>}XSf3yhZNPz$ERz) zOmLvt+B^`0O8ct=C<(h5L^LD!lU)r~CA$R8NEmE?Qu=a*wj^UEOfm2|GQVsh)W}Af z|7rbH`McDe#sTFIaG9tS9-Mi_b_g0%633K%lsr5vF{yIFFDUZ06qY5C zS?gVobxT3A_$A6bW_dyK^;LTNkM~d3&61h(mC=a3;QZ|mBS|Pbfnr!21 zthc3$2g8~&@UoqaSkhJW_iTp$D!^Z!OEfADM$#`aOBh&?Mp|6r7Q&|s88yN%w5BFa zK7C#ID`nHm&^%vKxn->+=G72cjzhb386i#=lIc|&NB)aNOwA|b8v@3#zA4$lpY5V^ z-xx9Yg%5I0=*u6ckOCE&mE>n&LUUrca@)ugh@C zv{lsC9{zqt^jVwrHi9UE?Itw4D5a&93&(D^s*FTSiT=CX%uW|hR-jAs)TE2jEJHRQ z2@&QB4o#I6ngXiyD{*sfBlx0-H3s$2Ex}!#I=Z+=)|L>r4K%- z456XClt!d~<%0e154B91x`7HEx>9E?_oIK+8wVS%jXd|2Q;6a578X~a|1Es}l0bt{ zzfQ!rDG$ACK%uYOToS0e+w2kBrPmh}BtjlE!1fFN9RVoy)rA&d01gVWh|TMRAy0bc zdf%BM3XKxe^xNoV?>WQ(<(4iS^;=vy<@r0stW3`nc~5$~Eg)*pb!P%hVuW&?(HqVd zY_8z^wKkmI2^6z@j(>gJj;K;)`vLiSz5gBTbMZWnf3EWA%zy*#u-18Zea;*-KZnZW z7`Z_$-TMC8T4y1h`hT0#h!zdjyY8oaJbcsq{UfMSS8c95^R_s-3qT88Qb7M!ez!Z8 z0Sf~j=Mb^L=DKDL@8|MyZ=5qIDFY|qMi@P3@9XC9&L<-%sqzduQfL#qM6pw)`-WedzNAPmzAh5L?ntx1F zt@e5E?l&qLU2ho=POa5lGqe*|Z+vIr9>^O&v5Q>4X@(r<5ATiMhu?00nO65zT;lz% z1g@rSW^!Tp99(ht^A7ax&*pWO9O9OiT2&l2Yu_62f2Yt 
zkbrsDWTA`w>k@LFx7mVJEMu(?DE}4V=3g$=vYmDR<4bG`efS zAeZj~+J+0s>ySx^|5V9k=Jl&ktW%1=`_x2}`ap^DBEW<2O0Q!egO8u3+hgLqMh}X| z`QNVr?4+?7BCU^C`2VZXnpL{#y|DcRk?tAX2$judA&eU|ehQ(prdqKkOc~|c3-%Dmv^#~1ezdv0;24KeUsl~0A-BSc;WDk% zG&M=NfF9zfVu4llP9R>QDf5!m`UG>!*;7me`hY!N=7V@Ob(~-6yyByE_z4t?C_)86 zT(zlD2l|?sD%F6jWO-+U+L^cv?*j3hIbg8mHKTRU^dhEFwJiHlon5h9RPWEZQJOuH z?X1OPL$<3G@vNs_>yTusw3e#}Kp-nFqvag0aZ=nU zun6`kgeFqpjJfbb{84{0td8-T_o`USN5%Lu!bp!|+6vYvE0mQ5n6~7=WjjB+T!E}K zXwCT?unY7#Cp$J_sFi8MF*mpaV!g$`PhoZ|E7sn%qvj)IhxWm$iP?;eo6@%n3m%R; zw;Z*1(5i$6W6)xeqdT@Ry;543YX@&|z;8kn;C_BkGnB<_mR)f1p=#E+4K`F9-KhOI zC*E9aLOTi=a>vU%Dm9!vPSD`uJL}8Tmux_bfXo)#bvFnLEw|=mqQ;KyBYr{{mBD<3p!d?)m8T9zVo`l1M7F%@ z@3T)`ygDzEF^Nn$m#r`X<|{u?^M!gy5|C$1(+VEc2z&;7Dn<1816!s4qla$&QfQf9 zEjvaYvrW-tMvie3kO}6e?eVgmtTyo?Eym(|c!5o#wO`~zE6=5~IS;YpVPuLFAh@{W zTov;ysfD3)U}h;w6hjB<#NL{BZbfPrn!9|P%HDYTVQiy{i>Guzn_O}!sS;ztOCkvd z>Ey%)9g}6ZE`R8#hfp@!I;mo(mi{85mo^m77L{X#nSKT-X1abPjq9-wHK~}QE3&8K zUo~>7qMSyTn;=`FN?Iius&?4zESKJtEI4_R~==?7Lkx69OYoOHw^kvZJerP_Z_fuG^ zXE@WZQCirY#gbB4>F$hXekn?fB%)G!y*#pvcy@kp;wYy_dx@`F*76~cmFscHnZ%@Z zJ;iny#>EXu%toS!cUE>lO<8qcdsb?gQO1W^K$Q9?J(8y$4q~)$^gr9g-{7-$zZt3* z79@LirFd%cNyzF}jdG$BDzpfGD4K_c{E3w<#tMfJ`x%@Ox&Vt8T0#S1qAkf_8~Z1; z@Ec+YVa!}&0Oz90cQ`nVY~1fKk*ZFu!G(wneMy9K-?NOnt9XA^=YUZcE^Us7D|l1{ z{F6eN)Zhb!b-(|1&hEm3MhXT~h5;AdK=FqEQ5UH$ui4BX*I+i5YKkV@V!Gy>U^Sv_I)17%urBe1qVe`$izFFirEWeun|8WiQ5Jq{sKI-i~2B3uQ=iLZ7wtyV! 
zA=*|n{gJMk7imC;fK!+4m)q*Ro8H%`l$l)wIAcq!0Ac(od$?-&norccYGCUp^5^wO zT7c0W`bX=zaqs)!WDR@>41MS64rKRt+{$gs?zc^i%LOKVD<9A45S?DHnXDDi?Vs)H zEc_;$>9*&xjeSi2yY49m0l?iX+U6bvsrjtvXSFb1Jz}4N-vp(c`+hEfeBP3m3rO=rd2K|G-Rfvu#F`Pi%Iw`y z#<0FXTY!Ai_&fx34q;s-?HgABd_H!w2i&`X8`(~uJ!woV7N7HO2Awr7LybbcCT@G% z1caW4TN^5i9Noi&=Q)qIism!F-eRab_W6ixZv{jNfEV#PX}reon?y{$4_md{Js(kf zdgt_6fG>mD`;6B`j?NXIMDJ10Nbes0{pNz^`sf=Kq5E2+lwNXkkDK^eHdSE>@aGfR ztPZm7ajo!m7E!>q^DgTVEO6V_4a*L;~Ohy z!=utNAO*BWs9{wj_`JGdPp$-bu8LV|z-s=8@Ba;0DB5p-@Zty_W?LB4A(0j3@%yg_ z#CNK0XOhGlM|U!$HIOPFubwS`#QM%az+s_ax<^iosLIrT?;h7pifdxjubwo6c?$&sU9ryZEC1JwF)EbF@YH>+cEPAvxZ~uEgd(D zY&5#!dsq4Gsm7AssX1%ojLmWvYgBY8#(GVD_tju!O1IkN>y#uq#Bg)2x}piB1VJj) zBP-@(GCd)Se@|sAG2>VSdV#=6Vu*DIR@#9UhgeA7+NtEDET(zG4a!eQB9qDx4Iw3- z(+nG`L7p;>DYIMi%mwtGr7ZDFWjJo(4M zvp4z7OhsM(wlRE)^1S$izf9`%#pf~8DHl`qqRuJT#>p2a(czu-rVqe2?pcqxDYSTe z_MnaDS!MORzZAwRdFC1VD>P}W#@eiFv0yY5Ch5|8oeE>|Tm_S-tES*4{~pPblCfuW zf71Q}mc6``cGJq0lQ-6JzpkV}^1hWd2#-JXqq-}%^SB_gcD0I9DGd4A+zP^&&zm|z` zaE0F8_DgOdE-8vybQ+_ss4e#?3Bp{;h4#$TUBeEOa(OtJ6t{-E zL_I{zE!;GAaK5+{>eNgTE;p68{Kol#N<+MrI|H2KhceIP;|2w(+LTB%>wejtQZk$> zyj+OM8`HcE7e4hz>CGFcUFDC?%R?hk29s&IqjFki+$FSjGW*7anN(m>^LP>?jOjgD zSm~}+2K$|U=g@ep*m|IRCatYp1VQSEgj`{|y-me(s08lFnyqZPcK%$$83!y|fNm~6 z?syS(+XI*bgedBL6f675oJfv24iZjL4q7Yc~$Wo~w6XA&Y>NDbn z=Z~)inp65sWAQ(ZSaaPLVBFJMr_{Wco27Z0=@pes_ZJfW>Z!{jqmML;FO^s)m!Zmz zmA+eWWtRv|6ZxEO6Z{)dv$`PGYP6DqHP@Qed=NGKiZFGm@V2a`xf#iwtml!=7r+yux^LUxX{I zIknV5STvS+U6&^R$vF_wB8Q7X!FFj*)tVzzw40ld^N(ac+ok24UE)7AUM?{$>R(jc zaxr0=F@=65I-^nn3UIq$N4a&j=@kE|Of8xc1M`Eja*IZ2n@YW+IHO0Xq~U`mThdJ2tOfkhN#S~^!Zt23N#p7r0d_H4#bl>A823a>T%djNWnyO9`BpdU%TUh4up%Q>QP3%&lkn3y`c(S7eM zywN)upQC^Bt9$8i#pkZ>#xYVPZU;qpS8ml0W(#-uUX(rsm;ixN{FYsdpdCR_1_{Is z__o8lm+%rha>OO*cCz94^1b_BtEOZ|2=a?l(f_gy^t#!xi43In=&-+r5q3xv-h5dZ zWui_wNuq|+_bzN&+;jEt1T=W~z0}N1ZM@wQ0v0e4Q`TLcx;*}tH_VUYI(j`2%+}oK zvq6&GALXvFfUSQ2D%zB4{sQ4zt2l1f*uR|PU8mj%BF;_ddy{ugjqe!gRi?+ycmscr zw5+;qG^b5trV6_pN{$4F8=e|G^dmd=yxv?x+7C~g!LC}bYe9~k2HPhu7tHO-pt(k0 
z)u-);O-{?5m*YacDZQu3?YLJ0G4dB_(Aj8kThu-Tns!623Cbb_D6t7 z;4}9$AnDut#0sR@>00kIwgw#5(mB~9p!~4l0Wb%ns=QaW)->>!E&CMtCq?Rp6F`;< zTZ1MareMk8jqJp06L{(?F#Y`6cuc+L1Drot}=R>bw=yY&9A4GSG&j z*Otem0Ea_C%&b1w?dyPI@HdY=3n*(>(=QXv4|!n?FW&Uwm5WUOIz0 z=)MklG(yeDHp73pN7v2@GVe$2qcT*Kx%|s`B-j#7t3V*9pr)`w!^*|!9*A+0&@hwe zRlInR(T=-xVM6{(&Ajl>RqJd~T3JG-F}Nsnye&_VZ8R-tiZ$O1pj9JmH8eLwXO&znG5FEs7`^p+7pJp3kjq+!L(|sPh7=Hz!iQ)w3USW}e<2iy^ zZMYxg2vaP>DY?*8pcEn-V`gEPWzc~aq0)ugP$g@D8HBKbl_hiGj9W|Q!MhQgE`%IL zr3rfoYfD*JVMD>SzO4GWBv#kCRA@AY?%HWKidOOryEsg}k@`boQPC%B@%5lz!FmX6 zmSaQ1ehrxUraZn_$Ea-E)H^%M*UzERJ5iRSW)nJL)836ZnigHrzVSv ztZ4bGTQeslL$1VYeh~R1sDz@ttP!#ga&#(Q4jou~uZ?@{*=II_tdKEs1Gsu6cp)lz zh<-KI!6|xhEL>tEUZ~KerZGq7cmmvXuAGt-P$|o0ek@ZOx0<_+MB~gSMLsH1QAnwd z_u9dz)zRlrynnacl-2JtW2;B!i*VgC;~myT)GhzPI(RoxvSc?Yiutt`u}6;ovY_1R zZ?bNt+&hM@EBg+QhqgHN&ALXD+GK$eIXwB&0#Bi}z-@+D-3`^QzTwmzp{cf@Fp!UFMb42Nl5WREU+)(y0xDbG1Iu98v#ph(Y(N32#BQxn`lp zO4g#_uG|DSuSBKr$D(hjVS9BwXLZQKU13UQ!`=6rM-4Ix^QOWi0{MK);FgPzj8AMt zGod&>(ltk4X|}Q#t2Nr7=Z;?2LcUP>6JizMaUz_jRH|@)d(hzJUtsVK`C( z)1}qiC)Vujwodc(3$dM6uwv-`+z(rvB1!&aA~yEch3Gq=0|LrzMa?QUYT7OEg`OCC6R4-l9E%l@HcVJenCA{P2+!8z`fkrXiMtTKTRT4ZK((5nu~EuS(P9uym`I zCEI0q%NVEsQy@1m(D}2t{{fG^?CeJW#)UA|G|#ceqhJGJd;G` z(S%HaiPr%2kge9e3i<;nh=rTCdmG}T(C#Rv$Ll(jaJTsTdg#u;3ZGIA!Rncd-;WM=LYXt-HDR6V`(Bcj*!4bANEOc>bBJeV!%T<|MvDfkhq0&q5Ce3 zGR2494RtDeZ-L%Hq|#-y99e=G9@;+9X8+z(#?uW8;XaX_q_?t9pFmIS| z^s|0gP8S20s;c0iT16^Z0$GrI z*^;Ymx{vofj6k{izd!B7X+yK|R2uyi(ZkpT*`R7Wck!d!n(*;|c?S4-)%6Obi#$rW zyu7;#P%X)J_z`O~_Rv#K$9K!C{Y@O-;tEkx9ggMeb*lN*BsE+_e3k8!l5S=LN&YhZ5R#buxJ<9*ehyH zGHW1!Ezfr>4$NcEHLLjvm(Wm;R9I?P;c35w6%)uLqA}DTZtFt_H$GMgVbc$yC z@by@oC&Ml<`wsoS4ss%^#Oht3WHET4YJk$>quC*GPE_Y)Li(5W#eIQ~B#a4xJB(_R ztjz)EvgFn+X_^v>dYmS)p!72#_E5RLbeVf)=(CSKAAPod6@|33NVCNF3)Z|gT=as0nKG@nIPVzps`3x`#$tL8mZ;>b*pcRgMP_Qux4>I`=35!FqWXoA(Xz6cVpHFW$W zyE<*<=ejYnZrG!S{U$S-jFZPcF0GcYf`Lp)zJaIaSFk+=NFuT1uA`efKYbvizP$K>BuF#OP7#UTd>YyoTW$Gq|v+j&>m1 zx;-@!bNPu*%&c1tr%{4>p<+#Sh8DVSkeF)etZbyW?;!Xieto@Zdm>O1$%;?i)oMb{ 
zJq(;D$`z&~caET1yvCC5(>@>>aU@$cd*OuX^pm6fv*O=bibRy*#5982Z$D3(n6zfd zRNIgC-B(Pj^Yf7G$CD2AUB}(gw)5D z(w{2NmPW*#<>14X8wNIq&C;ZK6Qx#om8vr*xRDjRu%2)T@{%LL?~F;RBSi#^jrKi|#&=~X zL}y(@qQydhPphs_9%Su;gJ@ar^grbvK;j45SHSl-$47AO5Jv7p4{nP8I0*cPs^|4U z9`W*-hX$!ZXa!DJM{#- zoOX&ibfbWlQ!K?_?LAlF2v&N%skb;bLCKC%zWUJH^4$wt7S@i>Y5)3V|dw$&^NbOW6vI@p<-f~mJf8MocRlFedlj4 zzUTFDl1@Sr*YUom08dAkn&!32lXs_U*<@U6cc|NtZ9s~{*;Qb-_qdkB-|NREVZW=T z3BXjX8>Ivz$lqm$h`Zyoq87{H(X;(B;C3FkDp->D$-eDp@P;R$5NCihvS!ag|M=?$ zGZDdrVd}P7Gd=U>=jxdrCSReJ7I3v%9EBl|*H9P9nEwr&EniQUNineGeiRkZHY5Ad zU^8EjH7#}bnYL^LzNIj|&S2tP_UOAk+dkqEkhJ!BC>cDyT%Ba`K7}5jw%yiSU^+5- zD!uoWnmzJffV^%nxxMZREKdY|7lrnr zTJ7COY$k(j<$a#u7PQ_z!a~}22^&0LyIX797xeuJt`9Rew6*93UBxbLr|-D+1K51E zmEZhL7vOR`ATKdoey1@Tp6hA6)&o=WLB7CKVIdlaXYUX8n0D6f+zSLI3j#Y;1BoJk zM~BE&kW%}tgK~|uA;Cpv#{L?T;!9~C$Mdd`6o^K*-@B!_s;Y#9WC&%dfjWeqArj(F zQ%1fVhFnxGCGCHS@M&!sg#KqOoOB%14f&?66sDu63jQzQympu6SJ1SX=T7{6=nWL7fahv z_dO^O_Yj@>F^;02`S>ZGhPJ3OMXzOjsh4mVcmKPt`-QHZO}dAGJGdp}KnLw1JAeU6 z$5J~Jlu&?d3Ed)AG#{u>RN)bU&ifq&RyI%ja!|~BvL<;~v2ZRgtZI0bHOL~2b>xLt z$*RuFG=2;|V&M>(61B<2sTPV`gV_FX5JO*nM0^OJG=S)mJx7pkE;)8IGnp>=1e3=j z+y)n)=IHZHhz(m7J{Ovg;$!Z;uwsdOqi|Ib3*P}Jy^AA;SC^kSE4?Yr{a#3e*~byuWi zb@g&ee)~nru?H(Z^_ENaOXik+HdZ}?W)Z`5Dcffi!Wn6gZXv4Kl~zEMNo3sSMDIpQ z<-eR%lQ~&0cKfy{>Eo-K{*z4)PQIKh7354Cj5YpSLrLQvs$fUr4u4v6^Gn&iwaQ$! 
zOMt4Q$DvamO?iBi+_$qB4xh9;sUJ8PUSiiyVt*Qo<<-WJcFo9Q(2!WK z*tSfiV$hc;yvfn1OL6**_S<@%>|Zg)ZKFI7XpCb*7%4uaA}h^ zgoGZE`Jw0VE0N_txU0M3KXTc9Fmr*d_5~?I1l#d$m1}VzKHs4 zQ4&UWxdc-v)~}c~4wtlpunrre*(u^lcPP4O110WCBca$6s2ab)S;i;QK$lRWpD3SH zpu$9EYMST#c|#1^el-r0F0=2P)s0hRw6AabK$2f z)-S+X_kuYF&tXm_rm0`KI!SjN&pP>qzPL{Y#tKVUpH&bg(?!(*dVpsq#@c3GJj9PU zgOAOiTnRzeOu7Pd$xkFqO#;_}f-1q(ybw#%_)}_l9gF;PQ`_os&zlBhr(hCb`z$dL zbcHi#brhmro1Y2(bn3~l@lPAdjc|p?oX^Bkb?EM)SMiQ0yxQYDScs7tp(d6+UN~(% zEX25*3$M3Os4RRN&1zk-RUk{IE}P0!IsNa?*15mw4#4UH4#LC$^{@|FcaINSu6!U% zKJa=}!e;d1YXQcd0&f(;## zDBI=qvv@r#r?Q_8k^V=Q>9RGdEG21nY_&;SGAqTx#Uxk;tLaVDG>r(=VCF)~h5Ew0 z(uFWZrf3J)AisHLoE-qw>xw}J(~M-}Bu$i4QL+?6g@e#PRHpI73QxHAa|BDiTaO{o zW&4Lg%eTW@1_rG}#rd2s-j@F(c>izd`v&0t11-|;e>&^Go>nbh=gxtX8vqadLAo8z z$nJk2WJVy87nl#&=kOj<^!{p3JLD#X#P1a(xUAsF3yhcW7-M1H#d(-1KxPq@2**ko`l%R%WheoZx;182zJ#iy@?uId#{B1u51$4{Y znhiK&noy?qNxtdf<8f<4-Z%zh5|eCp-%`%#yPXJlR%dUo9gSwbe-dta%%=p`__o~f zR}wz7x1SZFcDWB>#xc9Pdq=$nSPS^gI-C?Q2O1eY&Qs>vzn={{Jdp zPRl;70JIDgg-nNpum3(6_;z|MjfD%>Ln8ZYW6$4SPE#HE_A0WwNCez3*GL4Wp;CSI z4mut^e4m>eJpuQ_f&urdOauH5ekSY>#jV*?ZEwscSv`jma3oz8g*|H$1P(iGyJ>JY z`2J6u1`g}iJ)XpGdGVag8qPL`S9{b8Zy+`mzTI+9CKx~qaE#lqGskQAPcZv3-)a8( z8(>wS3+N*(U|rc!+}xrvuw1VKUT&Fsqb#z2nePwkLEtk%*S@_de&2CAUNAoRNAT?5r;T9OOU~j z52FulvW8C~)dD?^2$loFk5O0hjWYSRNYWsQ$TDja+fVq_#yj;U3?~DLRe$EgxPIIG zvBpf(%!+6h@v*X~HpGxn=*599zbG!~y|9n%_fcHhJkC>57hLT@3zP|ifA~KA~ zMtl5a$itaVNv#Uzk9o}++Apqr>SWTDs7tCOS<|liEjK5N^~MYsS=4xN5!+d_oAd5O z;SVx7*&&ot^K^U`@juKgR-c+&-3_ZzyiMypm@g$)B{mw`sF+l@g zUX*_#u=>ZONtc+9C#ZZk{S~I?cm_3a zi5wgtc*d{cP9X)wNaMyAoqa~i`8P=Xi?aJzx=}^M)1@;bGJkb@-zk$|KFki*l59_W zdYEEzH8$cHmhqHI8TK&daGI4Nn${PdB{(cw)l2RLdkt%{2<6l=1k>bkPXA*B0^mWw z;$;ZuI9*Dbg-*Vt4*jU)p!)Q~LqnhN2H6^EWhW4bfwH-aMJBIY@M0`Vt*F)LJt)-@_Jl+1HZT6x|aQV9EziC;b_ z1mOK{DN9=NTm|{CE$#m2)v|5_H9{z(T;5BytW*1)qcnIw6;a{UrP4Q1VQt2t7jB2P zxyYVkI+J>1Q;VTG;o&8tV_IA(idnBWcWVOAyI?c$uq(ZwpBqX+pg*CfVR8uWc4-b~ z>QvbWFA_BTWymJZ%2eW*#q9=DL!%-AtG#~h`UJnlQsmJUeq607@-df#6t`?GUYDEL zED<4+0z4H4>8krQYXsR%PFNvF_M 
z>GQaz6e2b7vc@o-OJ!0J%WJ+qhRcZ1B~2(ymyuIdBaJV~HYRiYio~J!5oSnAkk*`s zL1%4xoNO>ljb@#MBi2oBzjoTa4~a9I%d6(ThYi1AM_{8IEJ#=QY*D>Mi1?E$k@~#{ z@*6YZeeqs+D(=m359TC69GZn)rm3cN134Ri3ENG7kTTiU?Ec3mzr*@M?HejKn{ zE#Viw&X<8cc-ITkgHZh;cm2Ag@gy_cBW)qhszFSrURr^VTO}%cjZ=%@Y?(-ziUo^I zg-y5$!-+oHXd)zfTBfaHwxSeHai$nL=(45G*dMWB3CEG?A*1sxRX{5%zI!rE7Iq0% zkx3}hqKIUtwBC3Ps!Vxof>a)33(By@>R8&ivM(CbbmnEjFAa%~-y7IG=9{gh(T9v< zIWm!EG2!bXd{FrCBisXKXLb#($DMRUPUQ2AXk=ej?GCaf4VXz!m7@g3ROT=Q12fVC zMvLu9^+qS}witG%{#%A2XlNl8-4XBMACzMpIlp-b2jFP?qa8y_=dp<9eS5|OGv8}{ zSnEE6<9;+q!%{j4+<#2Ea-2mTbiOA)Uso!W9s;GhE3)3f8be^@4xyHzp!=F_%cT`& zpTi996&|mStr@?osRuFJtrm!nqhX~(+a_kKQAeN1RE#G-LD$O<(B=T@y63gw8zUs` zWvV07?3HL<6RjxCp7PBhA6vv7<8`)c&*Fi-ahkPM2E55YN{gCh9U& zCVnsP%nf2c(12}j*Uk22;{;YLZ^Qd;{Rva^c9v;yy@%#gh-D4#&4l4YFed*dyWVn2 z$g=)k3Z|ApU5fuQbB%$M$bq1T+`r|I;Osq@v-G(zf?T&JwpvG>?z6hZj4KV{XCPNg zg0JJ2`F6QuqteS1=g!-f5AKfp6K~Jzds@`YoTdO^Mx|rM@Zu7P{Il4V+joD!{wZg~ zpl89D{^kh?wpNFv?Tt}iQB?Qr2zD5CAH1d8b9o(C(i@11*<^1Z4=?-qgu}6~Jk{`< z+{l_XcGbHoI*c+4w#{>Ak4VwyzD)8y@Gf7I%f(Ep-EcYT z&ywT`S+7BbMJAulu*MPuM9|9?FVCC>@ih`u2Yc6kM2RgB>%!C&<{63%>A2dg{j!z~ zmO(3jt5a65I7WkComG|>#RNwy3 z%xq1{87D=5uS{OZva{_TVYhJ!4Su=`bd0Jh1Fu2b5H|u7*BLsU$3(E|=a@o|j-i4W zO)fhRcj+soEE!lDw_O_)OXCI$H}Nc2^~eU<#CS~U<})p)m3bFC@>pNLpo~t77B3l; zzRmcn!;%^#4X96u;7XkkwFHk9kNGmL8!eXxgp|WC{uX z*rBvaPfP(o9}LiYNTj!3XwX+1Y@)mkQl!NBk#d)bq?hKw!SSl8meBmOGM zZ=kZ6m<#_@%zU<*RQ~TFiCLUf)C#?}aje+ZwCx)X+?CkA#}cU6^F(zjq54$Jk6Z0V@K15tv%^Kqu^=>Qt_8# z?KvHqS1x2=y5k!!V}x}Dy83Z{vud*|{sd3T6lMNbu;xt*l1t`tSPC+FG=*g9sPrk_ z3KttFk1bmYE@M77xeDSwzIyA}#vdILUOTsG`r0YI9B2v?IdQh=skhq)RLt|Spr0S} zFuP54E=VwDUj4)>OWi~glho;?K>nMfH}QlxB`f!Rzy7jatN{Pxgy9f}Z3zC)r;ufN zGyU;XWZYCS28}9L6rnM*+i2m$`vhzC1L)s%>Q!@bC(=wmdTi^gsIKpZ(uq+w@65Hu7duPV$g)q@T$p zcye=#RZ%((i$~OSoY>xdiUYJ*c;dA2rUbE*2dilef3wyqDuR8mp~slCr;gk+Ki#z$ z0O2@v**8RbQfz1$2qY6fF<2b&!A8<16#&!qjo>e0=%RG|oFBDkbeOY%{r{(cg>leA z3XG&79}=2v{UG(*O+3WUtLsC`Z6HnRWBUpF!f+3n?YR>MBklrpDA?}@jMJXAav^Qu 
zE(2T}B#`BRjh&9^$c-$(GP{*^pTE@mdv9^7;Z^)z!-!coU^@{myV3Lht@gL4(Ct;~ z#elm9pU=ZKGvM81IiDoclR5BxvCAWM8^N+P+v6Z`!VvUtoSJWg(GzU^B=82z=F?L0 zK%=<(tzk5pf|AcYZr^m3vodlaT-X1~-R-j?)&T(@nw}tcH#|HAxEVLyR`Zn`DCIVI zb{;lg`1^yn71w_{K6Rp!bcq_?Hl2Q_YpQ-y-Hn!!%JmruUJ5e zkLL$m{1=z6j(+3-s(YItxo zEG|&0`J*1}` z&$|&J2{6#D>l;5jhI?q?(I0nb_6ApR^Cxeirg=V7@hdp`TO#`v`fqnxPxYfu2zGCU zT^xFDzm?4&*Q)RMn4CRE%_YJCTXI|Pb3ALnQ0GaO{8yL7E>WGpH*6Gr@8Cod9;QFTWKNEimalS)!e@Y=My8nLsicC< zT2l{tWsK4F(&jM;f;HxA)|&OcirE7%R?9@o* zmnUQ{XC6g$s2a7%!qozCHzXHY>CyDA@}$sFEJgE6K3fXHBK2`GYiO)S_0_}1*kS6c z4E?L%DWpYOdQ+coI1$?a2ApdN)rU`M=q+Kr{~~C1h%yf$EzpLa4^W_TG@92e{m~1x zi>x9rF2SfANU;F30}mehb82smCLv-OT}%X%kN=r}|NYPW%Qz1fE-3)si?ql638a>x zsS%M$GyRKD!S!vxKD5S?qEklCl+hSp`6D`LvMFI=<=%{F3~iukQSKCr>+Ioy2@MMj z7Qgl~*Dixr{>|+I>_(CGq5tV?F)u+N8j!d8*AcyqZXR!izz^zd9g5CwLr~WtvzJ5b zRD(_#aYEd`xSZ6Fd(VsHUZeHKq*3TL?5*4)FfcYGJY;Y z$qI77$+md!Iff*V-CN&7gxZO5UPxx*vz36t7RTmboj4$P;kld2R*EC8E;QCQ^-D-d zyrShHUa+W$hNON@;~Ck(%8?>pO{Qq@Kc6$d9?4fyK}oSZHLXy59=AyzHHn1>D|JQp zDVLarMjAZ4c3rbli}*;Ve08Q)-Exm&s$R~nN-8Kki&rZcW%Ky)AG)wHRVc8b z=EE^T2C_Y6nbCS4UzCzIj_sO8G9$rz?OI*!kDV{oMoP!sssUaxRE^U&Bs#=fHfxrE zTp?H23vCDpSt+{*=+NUjP1G6dJbKsB?FUwXBYN%ixYhL3y7|>I%f)}$)zOM?=l_J9 z%Jkev8O*PQLvNJpy8a}G3-M@k%znz=*oF+%tf0YlHk=36Dd{aNpO`873v~U=we-w= zf9wrMlH4>WaGhdwTyrTt2Oj`Ah5Qaeua*N|r@K-(xDD-dr3(I&aCw>yMPhW@eWS_j zWk!8ef$uxA&I~^3UdeXsX_*r=crC*Om)}=H5fsO4)$1Ou>xJhk(GZi@J{P13xb zQDKBxpYfCWG@S>fRo|?GNuoJxu7GrmOo(*zc^R0)AiCv8c{PIA(gGvRO~ZOEvJ%!s z?2!YyL#QIL;y+(LBXX9|2QnD!4$s#uGR;f)2PQR{uv8}_)5>&Mh5V$#O1)R<#xsZZ zRlVksEd7eKmj|2y840CQQZK#ywKoCPMc!+cs#Mg|mQ$lf(r!+ZVQbXC{!2^k*t06I zd~-&b82eHN_p^31BhV0gH1KPuv!(7Y7q3z!rK`^gU)h|!KS?>1%f?AF?@%S%Xp9ZS zhR=F+MbzQx*mx6}fB6!Ci{jToof@B?u2h82Jsl_Ne~edoZ=x%rEP%Q$dkRfw$3v@* zKGn2*rl%lVsGlu;&!o(dVVIHW?O{c)@)9#UD9fczJWDwuZ{|5qQP)B^wfTs~J zl3|YCI`@?-3kw!w>oX5}wytRL#<-3#75-^;z3NC`g$=o~N-fZNg`pU8=?F^8Mk>2V zuTq^alodVPBpn^Y3F(59HyK0_&UY4*WojUKjeW*h{slYtR^l40}G9`(!s$w&u*%@psPbc`iBjkzdNIJ 
zpC)yL>TKk=&d@%#2oezF75_a7WM?60ks_eHOG6Ot8X?e)59o@_X2sQ|5w%r&n z!6^QAmXSqL_Lj00H94)wfKG|PtYTkNPe%6?%9H`yTG3axvLa>TIjq`}-n2YEb6pHG zVN8JF1fg89V@N+0_#8?4yPLbbtllmew9T)cGU;47)G=3kBlZ>Sx zT?~>q%0whx-UwC3it1TuI%X6pdy+2&x;}?&)x$jG8;@xY&8`ysFzeoqd=4}E&3ydU z4`qR6F=Pn|8L^}%%ItEdL{y;~l|vOMt60?9{v$tO@YA2u(;uS0XQ%s0jAgU_j^48- z*J|*iBtkAS-g2$7l4UinbO!mH1Ery%0={*g%i`H@dYDAwo) z%D1(HPh@J#`9C}s#wQgwqPb+G#v2q8o2>c%a23Lc|JWth&+)#>? zOe^;I(jyh%_eT3Kk$m(Su=CnJ&AS5Z*7BX_Xv-CvDSdKHRPDIYFi#crE0TCFmFPBeiL=($oz$ViTO-&%lw}DhVk*?&3F%FrS%pk9 zT{TXio;Y;u%T6$p56<6~3ftaI2y=qv9;YstHJCOW-W@%STo#IJx{lHb&b3H9*qV(x zK!o1%_ko$mOt%l&EnX4M!(13@VJjvZ zMokqrLiMIkdETg3Z)`40)h9K6dyQH*pm7JODeHuco)ou@y#sS41IMP!+v<@SN?0W! zKQ;Q-%ys7Fsan^Sh4Py%&u5cN!pE!Z0RK;|X9gtz@Z1x!lK&y-MKJEi;(;yE50{~J zkqxHT$`K=N@0k_P?SPF;ZavV_NJ~VHUc=M+d#R)6dUyDB!;P#F;IQd{*ykW7%3;l` zt>$l%$HGNV!qJkJ@4rak)8G5<@OPJGj~<`LzmOIPV{S@7>%-Sq`GhU4wte3$ zgu#6hs=oZS9~R`!zOpLd5b>$2OP9dQilDOP?aXy~((VCVz0;QOzFtkg?NZr%!d)UP z3@K8Bg!s>WL^KP{cmcqWpbLo8!@vi}Y#HLubesEZr0INhrd9nO7h}FPNSPgqQ$r1K zfxM2s1GcrMArGN3W#ek*doR&?y6O;i+&;*+ZDwua1T}mZwsTDafArZ3gJB@8TyV4q zpQ9I&igTn@VS%m_K-I+ek_Cz057sfPn1S7%H<5+wuN{s@CCH^TIqXv1TG3hSxtD&PbV$E<+up3YF~v`ebvg4e5BzT$e?Ozk8unOq z;E9M0I((tZhk;XTD`Td{W7(pU+Q1Uv1&angb?%C;W#xo2^^96 z0}Lx{(w)aFrx^M_6@+4iNiRDhhUUa!{Uy%8UbtdXcRN#T)4`8Lk0T=A^2>=R;nS`V z4bV6|hqhS)Ez(SL{t`7NoRx5ioD(17K#+R!#iU%awfv!Y}mzIoV=|Ih1yDk|OG;Otz5}IJjv=co;5!%0oC1YxoJ%p6y0;!8v z&J|}X{xrmqHnHD_gk~8zC1G@$^rqq7AZBv=`*F9zbdX<=Wc^66HYBsn>3s3hX}?f5eoVyd40UxRC&%tdI;?ut{mfJM8MXHZ@IID>>AHvdmkfbW@)0b-1nkkAaoMJ`1<`XGH zy4Xksk)H_AKx6T~Om=S8`5>gvQ~aYp;y-gDA4mBSqBgSTXZ|7dU}^nDOUM|>qGx%5 zBWqDoKreIVmLmd>7RRUND*BgHh2R(b+~@X;f>N6>?ThDe@n&i53m)ewB3Ry1z7heG zZ|Rpm8f=Q?ivqjT`rDr;^Fx{7$f_qfv_7B87|@*45ZA+}L?UVwLVq=H|MR7uMZ96k znvn{+Lkl@mk|jT%iGIE$nQ6(!x%nhnUp!5Qrcs+GD)hev(u4ACnB9m8BDV7+?C0@z zb02~FYIKgfGYUWe$B~kfMPaN>Qvd6jOr3)?@I>aPr>FkId)?`Kg0$EQKSep+_igEQ z$>Og3{rQ{VnO{jSKr5g;YWjJ&C7jST*7LoFxyQeU#dD)4dn4dH3#oPEmy)B~AlI32 
zZOg*C7LjfCdtvhne@}qd?QXE5UTf=y#2G*2E_DM1!Vd3Sn**G{cOJJD&TL$8Um<#! zK9~S%_V@v40h3cYH-dMU9fqB2yqR8~vcSOCRzq~$>+2mC<(rJHQmLJ;Ouna5OOl3H zE@5r=Qn(fU8_y8|*EN!DL5pz9r;q(PzvK$+QFH@5C+q&Wu*#sk?W z1=P45K}mz7u}!F*^_lMdxm@U*n!4vJ9az0%?kBspSN=jvP5T`}T) zT-V!JHHX_cK`QG%IxJ*nz8zIOC%^XuZA78gL@ULPcV5mA1g#W*Y)F9D!zZ0xvEDnK zf=n+3AC@J*oZI(j2+S+V9r_1Ast0o4HVD`SXe$m@431!x`gy-GC%8lX!J{_(%ez7S zD11cz3h~GOn7~UZDo*DoNi0>~W^|HXgb6t0p;W7wXf;cMj%))tRnaX~ANBlO`O0Ef zZMt^|6b2M~Y`&rqCmay(T<(86KMSTkk?&REkN)jqWO48z9I+x4)$6-*kY2{)TYeQy zLN#&XI7R*GHoL#+ke{Pe9;_XOKaCcISF}!LBZy<;sVhcViyK~mg!OEd=IWn#@mIoZ z^32MjOjahG2F7616i&LZIwShqF7}_m`~St%IX>0_bzQzq8rx}%#!hamhK+4Dw$<<^ zX=B^AZQHhO+xJeMd1mIFFZ&NTAI>^w@3ntRk0P!j2~pe4bDl(ZoR%GGnAGuia2#H| zzgDPHJR3a6Btm(%gco(hvnX-DRM)y;m~t(a{C)Abd`75|FOB;b?A3AS={B>syPwyDx1{G@|oY&#N-QOn;mu5}j~cXOAen7bchoBbF|JI>wYrtdMOMY33-&F){B&r|0jC`@F=r2}0sg)VFcXMsUzul! zey5|)&LQU2daWC~uw#z(C6Aq0?j@Sk-d*`*H~+{7`)wOcfHF zAL%@jW1%Xs};xbw25W6z@jQKePx3(QH$mphizd zcJu6vKgpzI|Def~MOwY(EJQ8@WIQF{+`7!)z3$(H@RS z;wB?61ByJ+6zE+$( zinyi^MpdhWgWCv6t?m?ewd5uaC=Nj}LQM*JlMtdlC3N^QU-u8ul}vh)Z7{neZ6%P$ zFAiO%uvjJOVl;c(64yw$hMyrfgX8&{Hfm`~6KBl(p!7g2Yz#^~& zRH%GmJ6YYI!5Zg4u6K&-t^f#$-J@Ki?J}{v_F*TIT;og{CvXpQC*y9V@u5!|=dHr^vC{M7B-bkItq|0$=}FjeB?i=a zI`6pIc~rOdJf+hHJEWu$ui6)gMD=z$&6Re6E;Xh9I{i&MyaE~GaX#u={pE}9UV>aVFObU8X`I8L3<1_F0L*@g!ZT25tv( zZgo7OchwF!Wo>|0T=YCH4~;lIckHfQ^u5fL?~zOH`i6+!#|Cd_-qwFkaJ#o}-+ET+ z%D$|j5SzPp27c1lu9}k`b>GkFNCdqQ`zCd28eY)v#osa1^(|3L<2m1g{S`aeh7V-P|nBXz7B8YR67WX4~I*$11~YI*(-OF7D5E z0;_DA4rBv*UaHC;BDShJS6arRm(HsfW$#b#el6+G%6^;&UTf3Aj!hXY@Mc$)l#OWX zHf{eCIpgfw2HyEr@Y~&X{02+w^BgYD!}mVgZMoeCPHc}j;f%jIG=FEELN9#vH(B!h zBmI=tg{%9p9lEwzx86PQAzhR5Vu+A`}F%fXJ0NVzkc4f(1^VV>aCVh!WYX0_zr?C{D z>!WkF4L$Yw&eU?>>-$6lEI2kI=%B(O()spN8fVB&7BS0eU~q&-RqslVjAe1Ap!jD- zTLSpv2Y7YTTwE-Z>9X0(+P|)9q;*Slmpo3S#@r}%NYSWU{^T;84{OZIK~uZOMWVs0^sa<6UrQ>q9^$NbMvZ6z~n<;%<}q&nYlZ%2t!BKZn!Ov2(mKA zaa28a9^e*zw^7_bgXlNIGDDOnZA{>}N)LN?BeIGDk(F8d%yb=Q4!c1aYf<*f5Ll-Cob~FZ>QaryLBIMn 
zN9Q`)`#KMu@D=l)`>7awZ08G-HUR4bd!`M>FuZ7{>O3u07oB?QVRy}pd-w!&JmBCP z(9na0-c-Oe>;PDo%>?mm55OX?12@7sH|i+;3PkoCMPmz)~o|u zB>jr;finKy^#snp3l}IZtBDJiDpkE5m2x>mC(=-ASo>_kF3}}x%8|4gr7#6M{H1+! zp(EU(A8{e9>t_3MSgc#1KY}>~%~#CYV6kx`Jvz@|N%Bhyi78I@slJ$l-a(DZxyDbq z>gNI;D*-$|6}pFVHf|)PPlDs!fYd}f{*=t2k$ViIfXk=Xw2@HMi4{)JN)@kvp1Q5k4Oy?V_`+D3;ZvQQ4L z^FhslNTokb^RBA`+XX#n7YQspGD+g*So1Y0et0MkB+5{pY(-ztbdt&pt22d_zoG0+ z5Nz7F1(*sbqmln0hY+hQS2GVCR+lEqaoqS8yH=rjme$buKV{`P%XbIt@zw=A0@|mN z2VDx`q;K@gy8^>_`xd?$UG-6CQ>~F z*K5fOJXb#ZKP}tvH+k+dOrF-x-5u^9vIOsE3&$6J>A+^NJ$W8Yu6SNw7jULGl)Mi8 z8s5`yu?S8quCiR&E+ z+VI#s#V7LAem}>*KEtm}<#y{j%6ZVEYrpXJOw+a%JYU2|J=|2y%#gnbyx%?v#L2wd zKkd;)`LJ(cOA-uh|HZGoa$F$onn;w|b=TP+G2Xe>*!aixE!zoXCvJu9qpagGz*ct# zdVSdgy3X2d+sv;wSQXFU9bE!9eU2DBXBpCx&&-&%Ft=W+@H3TlK~Fn!X>4W0fA)N; z7`^*d@w?m~q34(0-1xfrI{OFHZuGm};@J|lMps|d&XSV&o_7a^DPqDq|JpAXW*^omOD#0BslO(T|n8<&1q zDD7iF(e|g*x+JYTf`!Wh?oDrUyA$;YQr zC-n4Y8GxU^r%|tyxSlEq%a6Rj{W3YuSD*PRnPB+njXKJ*AI(xaVxLnE@YK^*a$=DN zeYio0cqm~c5Mb?OrvNb`NgD#>zbWkh%q3m7x_MB{JLJ;Ba-%>BMYy_)7@oE)8F8B4 z%2LU@_fQR-$b`{c9fy2ChnKL0%jBLHHPkTPG0ZP_iAxcw*%XwK+$CYsX+Bb^(>mcO zWs?W6oiJE{pSXt)ir0fS?H6rE@x*qOIOnyh=}4_-^64ZSq0YjWFC3W_+>r7< zkBVLQ541fdp(FC*VYyc8ywy>?f&SmHlW~dpI)gH3(uroJQKSHk@xllT&-jwBWM`Og zWd7M`{-NGFv>XwV=8x6lSXLyu%CdofEOt@CQf#wGB#o&l`?}-rIuK!0DF)~u*d0`c z(h=i=?St&K_6oa|l+tWHE4VIA9zga4n#P6dMEEghBcUn>xC^s8DkU3Z1vNfsxYQhc z5p~oY=)wdTBbm&N)N``plG5gCZwz$@QStP|sp+{>?c$VGg=qY1xFH#-!$~=)KX+3& zD@2w48Xx-4j_kgLMFF#xYvbiu5pbx$F5mqlxAX&(-3j0k{g<&=wdhqVi143AtThwP zQWn2daac8$BmOl+eLV2$J~@O%lpc@N;%Kc}MV515f>6?BxRfm3=~$fMuDh4#}sTSih z?RLMfYCXYR&v3ZkzLkm~$%jy;75VeG{`pLmnODc`f6h6Gh~({jqNjc|vU7{h)_C6* zrQ+TZ7Mrb~&S*b%6BrjZe6F%wGnmybD7IUZ$eDSQ^qlEa%^w!!d}phbfPxO4apAqnSU48Ku__L^V2C{*dJ4TGRjNQDnq|DN8`+$BjbX z!C%^KnYKcc6c0qTb`MZTl)v&F^YO$$*F`RSY<39IAo2db4Aslovav>_(=DV^ij z(9xv#+3OQ64VFwp&VAOvL%ESPH8)n+5Sr2a0F^N&EDVmYQkPEEkTR1_Y^|1>G<2jo z@>k!KDWwYl8@jcP&L}$!#<)2yTOXTN`l)7RqLdqqNbGi;njP(tC6t~8r%b%X!f179 
zk~sy8j97tE5QHl2M-~7fYWH-gKy&f=?KO8h{%43#dO$zqyK;oOAE9(U(=<9ii6rzl zquBUjOa_&k$8qK}(4Duh+bKI%Y75S-f^xJlZLGC&=< z*pL+RI>hEXWy0tyF8PlZOOCbsRr0SQunCw!Y~1U^($Ps*2Y1drETfEvk{ZHm;h7Hf zwXAU{={gm3LvmGVQcYv;u)<@x(X(N3y(*Si!(<^Ufg2takM)`f7(I{%OfkF1f_%ai`43-eaDOWL6$en0D~UU{vWq7cvlyKJH;+=W$vh1ve#iLt`QgFaQm;#mK* zE1F5@0|(ly4mWgn`12jP#~{dWm2f4<_j>VSb@&=&*WUh6ra!zSqfaXLvNy{aURiEk zeV4K}KUEmIBv@Ujol5j)5D%t%OT(pXZ$GI^5^TF9Ld31CFxpQ!K53P{AFocm-xep+Om2kryDmSTahjumPa#hK@niGaJD&=8 zVsOF~z3+7Xj{2nsB%2tJ-`bL_@6hA#id}uMRDQ{5pJJtAX!^kO99GwVHjI(k@Y(Dk z0Uu*i>D=Hj4PG3f@SBVw49~#HGss)uTo5Z#(W1z^`n-T}^negP?_IiJEK_xj!~MJm z;>_owu}v+*s>#=1DRk*KamuzWU^A!EE!{^`s}eha&!jP)flm-abvW~pyaM=S!slj? za})pP932fWCCHw+2Xpu4z!4Hb?)-}B!G7+X&@WwWO=mT^g+Ur{vHjmQ1 z1~N)QIyW4z=pPRYMzm(+_3P!}i8m@eufjf%e7<$~R=m8oZFxzSZ$<(?(?f=3^|-=v zh_T#KfGea)pb*{1@L!cVN&4FvZp(>QgwLn)SGqTeylPyx^&(7qyNQ!nTdxk=`tReq z+IAjAZacPzf2%%j6B^>_9`)zk7uK%BKDnMZ?t^c8;G}9WKH$F%gn8hD^c?Gb!Woz& z!38GK8AH_>{q^62J}im%JSd9iX`u`p%dE*+7<(r3V^E|2l_^Ol{)0G$OC~Nam7joO z!(S#s`)4cuvUy(#HeI{_u$-+aM>%;*O&os2+QG=bVwDRO7L*u?mMwLd@70y2R3c{K z`$4Q`&aI@(#dU^xz2iFAdn|EKJtx(b*99_Ye$%#$iR?w2jKQHti4D8?2d3ppF#+i* zGlBuf4KWi=U)aSq$}n8#G4S^hO(*b5cfT{8tf7CyR_#tqe`R zMYTbe{8dA;g~tq6DN46E=(euWW9R1V!w6q$fZ)u4(~1w3u8Ge_5Q5Nr87{3CXOIi~ z*B^k+bD1CBj`$nNHv8E+NB5M=VbzF=J&@?0r8K&zTZom$R3#o}2ra`OE|RKTatohU z5^~nlpg#f=5o#1`Pk9kIv(PQ?rCnMkU?-K=o(nh?;TcxbW|e_*O_KNqAT!>&G59yc z=4iMUz;}+b27Sb4i(<|r7Yv08@!FtaS$OB|6ufx%!BzhcbM*qVZ6%-H*s{-Iyzs!bl{S znrdH+Ae@(&Oq+i!wF}89D_^RGCsH9=f2(fl&yU*RCB=MYTWHJlF~x+GG27#_iSVrv zY`F0psA87IWnVW4vS`0^Q9Nt}hYlqNCrPR-G%5ctNT|h{dw_BYWlW;b1gXXpTH$K7 z;)Yuf!Jor9Y!}fJlpJb)%xUNfwWo)#6fnZG@U+htB%|JgA6v}oF+;1?A4@O~`XlO9 zAgh?bG$8KwXS|%o@W4SP0x3h)*WzJ7d6W**B`Z_`QbBHd;lA~csz_Bl04*8HfKXLj z>0n%YOx(Z92;9s{(%J=Sv*40pNQ{Yk4})Ox4#z64pOzS5J4)oNRVcq$wdx6(jGoOm zi`vbVBosS@3=a1cuoZ1+?H5$I@xLIGI#U|*W1K>o?yC6rGbP(p7eLdbD?SwaA!?@! 
zQ~YHK?RS}qEQr|{$K8;u@DCQXNru{eT^1)3j~V;UJSN*#JX{a`K_i4q@Hh4)M?hnYy*6eb=oD62C{=};zPqyV}FZZ zaib_AuleD7z1SQhb+RIaQhO?1F5%*M{D@~t&#O8AwAwyIS(>p=-JHm(3_vHzOe>)% zkHowaR)Uf-pWj{~;=e~A#98vDkT@^py)R(AvSI^IEib?$tHS;sJx0l^*KA^y^OeD@ zC>`R4k@SrW>Th{PE#=6*mpRRV@52o{ytARjBcA3C3pJDKtzHi`AD~g$T4Cd4j61HgJ-h z1uR876I_r#1P1&p>H(G|u>4q|8m+p=@_&$RX2MxU=HoH{@qi?V1}jE*I`<T-2JRfw&Y{m61JaN5UGfYhhlrVuFU6O2H6rxueAK&TLKo7Ms zEmwV#p#HUD-YUGBsP#-Qn<4zj7n_!9cxJ(NXdUaGxVEm>iRY5KTA*$LECRM&laTB){IDt^q)p0ra<_UAq`8Yo& zcv>L^*aU$J5jf67n)FDLJv*9uXxskop8-U=W?F!GT|y`mTNaZKYwNrg0^bi`KIh}Q zxARw9?)lCoZwNZg7dK6b>-(JxiOVV4wv!!BPkJs4b_bq4R6IdCjSoV*qdFf4BLt7# zMVw2Vn+MrpRr+vSWKNeBuWUH{Gd@N^BEXu{SOlL&os;~d9$6nZ$A|eR*Y}kX9TBdb zV2nwREC0Hb4^Dw&tFG6<0cqRX!OOSRv}BY_6aL3p$F@dCvM6VIm`{pkBu6j;9#WcLYj7tDH= ze`kuAA0Pj8qmcw?YD62z?3cuQ{l}vAL45GpMNNq7dIB0r6_+#Bg1v8D5NiAFRRtiB znA9a!j3LL-VWZPh@|L=p_pny;QW>Z7e$zJ;K@Fbq$P}0*c}DnTp?2hC!y4A{+fwOR z<*$^GX(?KB1&I0T4>_zL!f22bu-Yh^%bE8Qpt<)=8_;no{*o<1L*2D6Z?PqI*!Ndg z`*0*WUmS&>x7YQ>>ItV-$m<^!flLp`_9;XR`HoTGNVG;&*2&}=cCz_n=~TWgKef{A zW_LJwy2Fw0t7;cSzB_$XoDofutsJ%2{$qkg-ohlVg1o#`^yr&QP68XV9Nek(mSbuh zCAl20B2yA!#B(>%*NH}=+16cT6|4ZGB|_-z4bnLaLi!Mj7zDif8G5B3t6!XKxYHi% zyAk}O=WNP&8i!nnvyJgT;y<=n=XT8DlN_sMA7K8Fm%DF}36{v5vJ6Yu*UVM-cG{4Y zmTMR?#86P=zGYn2Grh^=6hNdaTzRArB*SU5gwPmpnrS=GMrg>w-WOBi)tfXf2B-bb zJNiE7h-0}F){-+bDW{l$dQR%gDfDB(ib~__c#3t!n%}?vcuR&vbKZ;4t?0VZYC%HDA7BaMhQFVDb-8y?WU;RCT_jv3#lGxQ3b)J?}KW`?Sq0!@^wg zx42(=I^w*Liso)6J-Jd!ct89oCnxrUcrFfVB2UQv_Bw0Kp?+JUA2rqtM%Ok)E;sSC z723yh(VR=u4U7JDkkUTG4ABeyCu;1Qr4-RORkcHBd!5mzVB>4eC!k1cfZUCd(mA;H zU^f87`EvTn@gB+9_D9ICWX^JzM zWVaPtXwH;rsDmBo3|EExMjZ3-xT!s$Sx-#P37F3%Q4Q=bnoXxu2gm%?r*St_8A^Jw zL}#f8Z9lQ>)Q%+H zpjj_Pgn5yE+Snp^5{V<+8I!+Die!D7vqn+|yT{+~+gv^Q&J|YvnBHQKmyKMmEDd zL!})_N)ZalQ9SvOWJ^Q-uNfMernusJ{ud;RqNm6udPxKjfos;Nh#b8wm%(=nq&icg za0dvnOb=f1BP)y=)Ma{Ah03(L4HzQVh+XSaA$*aI4e{{v-6g8V-M%G{d&BwgQk*7Q z`LTQa1I`GHsrX6C*aAP%i!1JsG-lvgW?V`glo;MD!l%Ce*qC+^#MzOhn6rV+@Dg!? 
zPDwZYt~>BoGlr_3F@DJk!2SPE!0X1Jy4ZemMRIG&y(|_?*-YhQ$>^1!M^2{Ko{oc^tdFakRN+*X9)2+t~WBJ}39*;Nthd z-IW;l&l$Aa_}k>dlFFPL!Q=jW(NkN~ntp9p-d(p#)MSw($|mRxhLM`6>15XFy5VzB zDzb5<&m(XZ*%zyPWkb+%M}AiL=_1=aWj<&I&DyowGBsCrorynfb>5Svt=HT)MftoY zwRH(RSy3f@-sReJMsXr~E&Hku%R@su*j;UC9^T-A#*0iEL$eRiM#a%JQ@Xa+!(hwM zZBRz-Z!k~$B=%B<(|G>%=%Qf94$JS1iahnk)N$RL?-%fAAr;7;Mp?f&eS5kx97nVT zJa7EH=AOjpyCI4=uH_>r}XHRUPVac6os9 z?w&e47r(B>FkL;5`$M_qqR_i6)0lPsncK<)yT0GbS8n;pzjte^anot+R1jZqU#)!f zAuZ}Z-j0D@Yug6WvqY!7%=SK;Wp1@EZCiA3cN5ZE&m~j*K7OhXT~7US()=z%=}D8# zJH1fa=MBrTR$U(VR`V<=TOY;+%5Hn=Ew>$?c}oeahEqwle9jiPT&J&NSI>)_Tas_` z0ynSvt!JS7Dz}#_zMJo%-!izEa7LVut_6;BSs@e~sA~<;-{8eC^ zW7W$iTeS)&>wUAzwfU&>CKTnujnL`*b!lqLWzI#8-zep#v8+6|+?3#9F~*Zz@cI99 zqCElou2Gi2q;-4XBeYMW=?>3s>;0$R{uaC1WsUob!#L^V2zC-21)3E&26qpcyjcJ$nmEgQ&tIPmQYB^wir%rO?B%0n!q^CwemfFCr^i z`WONOHUMgYy3}0I4(mBa&5lEJ3g491H?}$yTlkxf1LO}@^aa}<7Eu*X7Q_?fT*94! zb7}@*Df6*VRx*!1i-j6Mj(^O6X@~EZmR5v>UWpP;kBI8fu>8Rh)_nbtsk}2ytWJFn}C`Q9q6Mxm1V0hgfxzV1>gpBatJ%63UzadeyElEnUZf2xOreD(AKk>!saI!=Aa+F75lnca?KadJT#-Erj-0f z!b@2$qk*(iN#u17ZBnW@R5^Hv&QT^|i}5TiqWr=b;UqQ|mhXyGo?qU-J4~RKkxH-} z;Gx83jo_M>99-cqE*H~7T>;eMKNzD#Ix98*iubUkeFK7S%l zLyGa9P1uLp3{U8HVp&JJZh2#kkjo*Ik@GqhS`q6vC6*~uLi^o%D=wYcj$~wp!5)DL z9!HNHa0GY+Y%g>Qv-rsz+Xhan|A#r&{1OCi`CQ{4$jr1--BHPbi%wT(kmd3)6o>jJ z4MVAk>&j!|V~x)mb`Y01XT>6eAJWf*AD;?~7&d@j^tg{0=N3bT@{H#HH#!K;;HQjp z{kO$<&~h0UhaOcNo;Cp|k~sYw@-UK!O7S=EZ$`X6N*VF9|03#*zZ`@&tHn@?64Q** z|3I>e8GRa)^-MQJf;klJV=wwX6y26W{nd#?4sa4~f+A7I*XTX=RfdK9H~cJiIIZ}d zJ=TCpJ!P`T=3*PJ5oTS6Wm+{3Mi=G+>A4Nu5_bMcQ`!un03zeRnMlyR}4A7seH~yq!6s%F3fUCMzb*SyVFz!aH z;g)!BDrxsWg#)D9ZIAb%^txpY&id>lp96y~>QAFS&1mGoGJ!wQxFEeDz#?7Ypd<>^ zVBZ{>N4CcWP2{QlFR_4q#EqS&JfGXiopjpc+S>UO z|2fr^fa8G$PFBmo3;WeH@kQ%?D~;QwrFNCq3`zxCCg`i<`rw%xu=5XhCr4NMvHK_}ppU7wc`gXcHzrdKGk82)nx__xT1g?Q2dGEGCFX~{& zA*?LjnpZ~)5(v8Bq^$Bc9+8@OB|Wzu7Tvt9&r5(P@O^)Ez&aqve|0^U1?B zBrfeKv*sba^651dhyG#n(XR9M_TzFb4QP}nf=%G``}qxjYxDZl=I}v{4|J`%$)mXW zK=B+~9tXPYlMgvY)8{qZOR&>9s3yMRxJnzvvhzX^kkP9iVC1x^zq;_0Z{fxVwFH80 
zYjKG8D9yGSW;!@8xO5F~^u63h@+RAwA#8#Js|YC4KOJQbMqMJ0LXRE>;PZBosI`ZT zEe7B&cG={GUYCK_3GJn&e1_*-D{%en@z-Hy`$LoMMb~RDJN{*f-WE5oq%N%J%IzkS z4&*T;NL1qv_H(;k+PIz+yZPJ1Uim)KqwoBQ8=GR=BnEdKzjmQKfu-~QtG*%N2F2E5 zZyj(KQw2C@c3u>7@Tc)czd#FE_EUgq_4&bUiY7T=Stqt2S;kVZdGw;ljIiq_+ykRTD_%Wi|L_U9!A5gd^gmcocP2fJqcW`p?yP>1)$!6N zVxz^Q3=qfi!NrU8a077GvVGJxIj^wch4ol+3zZ7EK}eN$Nm340|6CmB6^8FM^9w{Z z6|U6#D+j-NF&>zNkq@h;r_hVZ#aqt1&aTK+aZ834D2YE9&QXoARn3nYIM89KQMO>J zAFC0DB_{JB*t6qWs=X@GHx>XE3hC4;cneh;7GVE*Eu4siV5~{mK%k$_kD3;=tJKb6 zkwx>)LC2dQWdoGj<&S{w$;5%ErgG&{R^6^~>-NbfSm^Zn7;iKz85f_y-kni<|Efk6 zQgTl$TdN%PaujF*v;%jEE|T{el}>xu6tP~pB~`#*6;Mv;>?TZQrw3s=$$Qw<|S?_6lSCw z%g1q)@Y-O};<2fV!w1U9;Y0K}Vi|2$ul)4y4X!+);m?y7X3I(`Wwx5A5 zv}S8!Zobz#zpnqH^-rZkPGFpWongoPo6MXu@kPdrK-j$C~8GxTLxrL>e)S1K1qPSh_6x4)IBr@epJkFo?r#>1VEa|_ak zyaFO52y-^$QlZ8|$FWyNBlm@JrXAnKxeMlga1VT8W`4I+EQ=Sym!n;=NSjdZ%;<4! z*UYc0sLe*;COh3O3CBU;FViaRl`8rkWg_4;KIHw=~vNolTWxa0!@BivHdKlmyCp z?V?HX`Ujr5NC(|`di%_)Wpxi-Je2Iv5bg{`SWcCvLG@ip?~}wa264A3hU?xEm{{{816PkddfGnIS47=|B;#4xRqnnZjE_h@r4Nc}}Jg5xxWv&#e7SGyGr@9# z6j<)rE8-=Txg0MfCuH_4wYbW*arP*gDi@K$^AEgyy56oN=N-}>-%>r`gF@&1; zmlV)ZwZE^S44N<-QV#};Q7@>ST7+DiZ4T~(jjjZ`35q5Mc9bFMEFp5BV86i*pi0-$ zQvBAgrC5u#!5ZVp8Lp)$)2OAFu9dm!cq#})mm)#c5N`Q5tqqHc4)Nn(<2))4eTG-v zPF9+U|(h zPR0E-z!#SguyqI}bK?>gfEyf(tB`L1Wr~M5raCA-P5j-WO!pEXVZ;GrkBw;7^M4EY z4#J;#U-|_2iM0Uh?B;>o&Rj-8pI>e?>evxuW>hjT99RU@1FmNB1EYNloT5Mc@vix{ zrKt_Le13gAtI}-Sd0-&2$Xt2Zi)vc4AAmu|uTvL%s;jGPPWdn?X?%%X{5mFh$p0{m zaWboy6eN$Qz5fdAd|DIq7Ua3T>1oG8=4EKuPr-{!O*%n8VSrD9Iv-wbt-6-@cAs|U);1kC4VPRu zYo{hMpL*erDjerM+*Ij2@1 z=d*0zA6J2$M$$K`ev_5`U2s#Ow$kBwa=} z9^1X!B0SPE+m;`$m|E`U?uu}_TDJKIpr_i9Hi1nqD4m6Gco|l7FKD(}GI)&+3K3;!8qfxS_M^)~9-^(r>A7|Tag)?1O=91_YSDvof-ybzO z3sAInex1_&djFjw3$4GlzoELce$}$~w0vIQx006N0w2UzJEFyVemh4j*fx;H$=Gl% z7N+~h?ry?6Mw*zP-3-buC$0JRa_enl9RuXtOQZF+qjEb)L8b4I^l`0q)}Z%1=N6}t zwAV*wG;w~p_WrUK#NV}o!~eg#+Qj8x{ZC{8ND71o7H;oY=cI^uuvSn zrqz>``mu+JvwTw)|7*SvXBsPfrrDuR&FWKQi&c)Sl4nkHB3V)@p*|`#JYtx@d@TnJ 
zNvT4chQS;v9W|>!DaR8RtNC-(Aw4@i?ypBHAjB~SFPt#EZakGA0Ha5X$9`Ulvj8~) z8CbHT!NlE)XM$LiCJiwEAEh z`eN*n=5kpY!s`kz_*)d|F2Fd%jy$kF)~lmHHxi1;sD%au*WBhQZB}dx=PZu;n|7_J zd{M{qOQ@eGjM1@CNt>^=L9N6O9WGEdx7=qwAPZR-+puoDLdUd}9k8%cx>R)5cr;{| z)A=cTdhsdtDkw;QHHH?JlXh7qoJxXG3Qf2U{vejfARM5|B3;jG*d*JSEzfr0Tf zsoPJ&Xy1e;h?~6&h{lZ=P&g)o52N!+cr>2D-c$5np!$tMgj-`RpJuImaow)NDa5iQ zXM{vi67JpoV?Ug#Z$0}g-zA9j6|3sx#wWcFgBfeS5Rvj{XDZ`Sl&LJZ|HDlA)>Y!J&eqT<$LKNw< zX@FJIw;d8y5XP^;5ga}!l+oV(D}sYrLQ2dLv*2!TdDu{QXkqRocDkv#aq&soBQwhB zE7ok|&?g6I!y5h%4fT?h?ojbWc)SDgu{?hiCPQFPk3lMqxI$id8HCnUumQdy_f%To zU&O4c8Av@x(qjCzSmvCzgU6qr+svrnJdBG7Lh||-ty;W{nC}qOP%9G|QbP7j{s45D zB41Fk+mu!~#+_%Hq@iq0caRmV2}L8CQT~U~+ES=O5rZ&>;{Z<;v(I zD%HoaVk*i=pqnVl)HIkYBXS*0a(|-!f-}LkRJ^ZImw{V?X942Ps2=uZB3Kl9lIw49 zVB$&doO5`%G&M=LlpM}nGAsYOa$+o#TAp$g+ z9scocEeVNYVd7%m@b!H_5$^>XAp>oJsa|G%1m0m}n`qG*&HkL1sriz*@#td;Xia*=&uCF=Sai<-dSd(^rFt*RXgwa?6qag-2I zam5g(^=fKi_x%|VKBH4RB_Lrign92yksDywvR!26h+&N7M0c!F_aH*Ff=>@spz|6_Gj)7#hk&OMeyl-4ES@$nvkEO4^1 zS(&yD-mQ7Es~)v{>UtG*-=-1#=9ZPT*(-jS)Z zWB5w&1~`A)(X#^|P(DomNfIPhbOY5sjx^OwU3n_Lb-V0AGL0H@=%r{HuJO9{AJU84 z&GVAHk&v(7m8~`|g#(*LPtR}Kh(LQ)O-CK%9iWP^s6){Ew*I7WrT6Wm(UDJ`!;PYVDcLBrh^govp1~@>2jFav9ge@bIL7*l7r9P8<1V+#vBMzb4@t*#D zH~>G(%&Qs%oB=(}fPl-^;I1hO5EfXPeN6a)?g&WDX)=?71nkuWyiUDseai2d&!_xO z+OuU{Cqm!OiB*DWm_osdkV1^f+&Y<<${yOz4Bh8YB}y=8qZeA7$;p-hjE$J92aYc+ zOT@Ptr`#cUZT^Q+tqDfOBhK~Xgb)#gE~gJej{8`TZnNH_1FZ; z2O6N*va(3`#%@hD1pCj2V+#PjXJO1S$T`u~6MQML5B4Y*GjLfh^7xR;V%Kg}w|U6# zWk%Jq>Ex*;Gun?2%#9g4AvYK9wP%bU)gVvWc|arC^O^pcPL!q5JUf+UKzrY>LTCF; zGOoOsyhiG*mt)rt2~C+qd`<+9ibHK>C|x6@r^2l}^};VsVXXjnUo>P6j;&SXS0l{N z(WizxE=U1$7w_EX=)^T2eX|DB8U zZ9;$%2d;o&a4~;@JWUA2CXt`?LMzWT!vZ1hC&U?ssIOD%y4AB18q}>3Wm?n$ycj26 zR`;n;=LJuTT$yn;4ZSiw7hH;|GN}2~SsF3maIE-Zlu$v5T>%|(5;8f*dN)Cw=hX5x zI&i~hw$wqhQ666meS~8Oz@XwTi-AyRK${-Z4=w8e$&t6R!DIV^{F^0T=awe|`me`= zpN=i!y=})^$vabneJD~GajGF2stQ}(C%*PGt?%L8E+#Rp>uoFd9!$5;=4xqfhAH;# zR)JkwTf&B5SZqt$OiCP%A!(qR6Y~R+TjmX$7uUe}{6QE#37=j5aW(&66rXHfAbZ@G zd&$Y$!7dEH!teb4 
znKKasXI7}2NrU0e7&h!MKwBqPRKy!lDJhMon(#tE7nGv{ zW6v8OkpdR2G;q~Lp`sDs#fxIdD1cqaj4YJXJDkVPs2|E$CVOqvM}M_&oeqZfPs4G> z#wBT1Kc~tj-nIXc2QWuwV8shriA3!&mc58X>kH7CFa6UxS0?{V#umGFolVZVfm!zW z#gMgkT)|26xa$mPNMPa>3+4vi2@Z~05?=x5dpCj5&DYW=DvwniV1W@3wYa!nBztiv zh9g&rIff@dC3JLHSp0V$S$!D6Nj6;a2w;ZmQKtbj_&I-LR1Rh$RiDJk)P)QAD}Ofm zubNaH%6fb9-PPQgy$eR&nSaoDP_NVpG)@}COe!lL^ulx4@@4IY(48!$r4J#nKMx3~ z#j4G}Jur_rLDMEuxiY0-7XD^d?1SE7n2E!i@bDLqd&^cWBF)vLhS40h`whAFzlb`k zptu5VSqFjz4G`P{1b25QKydd!aCe8`!QCA~aCeu%-QC^YWngCR{73G2S?MNOnt0XSsloqox!nqd!Jm}t_1z>u>DQ@6{){F85}l|3-KkrRe_j1Tq|@t zLW0GJ#XeacVcaRbkUe35rTuQfh!S6;18I?Wp^drQMtud(f)XMk$KRf`ESMpiE`A*# z28?5agw%G3fCa$wnm>-I>n-BV;dM)Pe8WS->{cTWTH-6m)4Fd_kYjL`$IHz8>7!dEd0hi_aq#D4K0wk5vIKHPu=}HlrfWxnS0fAPPrdp6vNlQ9 z#nX8+bhf;pcI^1(pj0%Zcg^E)=ytX33+lKAFDhXGu6x=BH<#D;qW1xS_44bQ$G0$# zpPfw$Wfjb?cRXVdcSzR#WkK8__#x}{x%+K_5AVwRVcMhhFyZ~mMn0R)oY`-BF!;LH zr_<&9%!bjI@8KxXzb?s6u@kTBWK>}K4OFqRlveG1Wi(Be=mUC{*VR3*-Jjwsaw+J1 zOx@hAm|>+&nl}m+;Tiexo^-2^2F0^K@z6it09QJ@ly^U^c!?L^si*HQLdp_EwOdqubHH_54{OO@L zUWHwrxk%QGCftWlV4etWHhl-Unu=)JO1$(?gpkekMx9cF%kMOkXa2i1yUBXcTO=o| zH6sz$UG`T}V}dpO7~3Q-yG}fk^1|GQ0cr&$93R;%iS?oc6(rv;R;cSbS&Vwhk)M6w zF0mE&vcz5R_lx4o+^h)?<)bgYZRc1A5OETDdwh+Ws+~DsLG6!7U0PIC4{DFNc+M(K zz0BI@-KI_`+dS$?Ouo}^`k+WmgAn#jnL?#;nQTx2;~RFzi6r&XJ#wGuh*F`lN>)?h zGEZ-NB9HXJx0xGmHTVws0=;SH{2e^m0OOK$==%FzCfJ5`(pe2*N+FU8BM8eo8@13n z!ORS{N*N~-vm(M0?b|lIPYfwhRQ&EKQ$Cp<`q$HR8Cv5wg-{_Z$*B6V;0)leIoft% z>~ki{f)&$t^$8xN$tR@B^-mrB-Uv&Q^mgRB1b^3)GJIs|ex?w#VRMhtQx4vpMPe?F zsn=xfn5Lbtc*$2NcV@cxP?O6b^T%SROk0K1!r&N+Mz*WxeMXS>aCFqqm(~^PSJ}th zUE^CgJ@~8W7XK^b>Z=%>q0M1b3jTR0Tv%J#sbibl*8B|k&+hA9XB?YY`$+|U=+U}&NTuj- zHF>U5Rzsc?bq6^zA(f&nQZSm12crRG+@%*LMS!WE&3)LY!70^cq?G~7je;rr0qbKi zCq3O`8OdU(9h|uLYVX9z@qv96i;KDx5!#y@-WQGT-JSL+F1PiC_U1&GOhuKO7-lgP z(|M!8-@JAmP8oUBCW0IpFF6z_Pb%dcig&LDn>46P8hiCaJZG1GWfUfmKSwxoMSM?7 zjZSAsj%Zg^maLSM)-J$JKGgquaEV209L&2pHrn=2|CCzUutboaT8*^w1K%)lvNbQ$ zxMiK>x$kBZRyoYkgrZ=BKE-LRY4pz2pDTAYsUq$<)yv2s>7Q&^C#i~2b{}k4HEOWk 
zkPN|kplNiiT9ICe^B~~W&@PioWC>!9Few7uhUj8^c^MA+oA)OKZ6o*&b1saKb=&!T zQ}eUtfGoyGQ+vUNzZrrO78&#os>y%kRda+(Tq!49P8q9O>h*P0I+f+VvL|V%EG*J+ zFXxYgXbHA9N@P>7xv7nI3ij6gj*K{vBiL?5 zI1)=c!G=am^Fti=7c|n!hqq6DE(kttRqY?i9cf^M+3YFN_&B(p3%?OJ46$Gso}Z1c zqA<4}$2AEozh6b{1DB*LfqORnS_b?^fUG=%D*yg976%t|uFc76&&fD$S8z5TTtS|` zQ9;zxo6hs#AXzJT#3k)@GO1?UN#*xA<_#4}ZNb#m%i<)D-|5!9rP*x*{@N}2C)gb@fYLwQ?Wav7H`$jv)MAb%9|54ZcRomA$aIZi| zU*6R|`Z|_W%=|I2(?Z--^Yxg%(Dgqu6=|@370cJuJUJ0?Y5TgE2k|n+w2nx}StMTN zs;`LhbKBkBeY3&cn8wxb2Rfr`oNb>2q7sn}i00YuGWxV3VRo0v)Apsm#>J#VO)HB( zdDA(u=_-)21aeB#j4B#p7_S!Z&T2&ogdP+ zTUnl`aQ^x(P^N*OPD}uPquhrs%e-}+<4-Pet?!#{Y|kfH9R}(h7VDHP)nMbpBc*E{ ztCz>ixDE3hA5H&@s}uM~;1Q96YuQ7^D07Whn21ZV-<-g9=ai1ac#a>i2l)-)wZ|vm zj1zE4S_fr;<1DXmbS))B{q%dq-EtB@*K}-u3s%Af{M5cY6F+^oICkh-?{e@^e3Q7U zFNj?;$dqH!>HOLHv~}5#){6(y(+XOBsUJiQg z8CK*S4=w*9bWctL>4f;&LPU-+YZ(p(c1GL+!8G3gf<|s4YShiN(Lg^r# zgmKQNMq4c#HGll4YNw`CM%BDyaFBr|@x$Oa*KOa7Io*>jfU7#N2;b6kI*+e1}*0 zZhA_EftoZiW!}9DjR;f zpMQ*_<#dLbekj`*L}5>gv+%=Do{MIkI(Xw=u|#m<_&eAf-$J=i6G!34E5={26z({L z5JL3JxJ^TZ2S!!}5b^0dCp{q{d5P(=%qrz52caux(0KmWD1=X`_iK$CR86SxTGI4X z%>pEW;&+pZ4Hzqv`P{awA*P&?$iLVecN4Owxn}FksR<{FU>UI5-IV3rG7Z+`7))}k zxk=EdzEu^)l;8)@=3vfRvuje}z^%%z7tVd#`*NX)@0?*U!sJLUFTDCNQmmK(|rX~G$B;q|k z_eeaN6Ua<+_CvbtAh|QN&bi6DgQ*8m&uAFyf^(68_j{FAh+~n~Oc?#9WCvfso@{?}PGcrw; zmc&{n?Gh;+e&lrMC1P$!eC~Ni;W82*`W4KC>KIxUo(eaJn=-reNE5r9$a>GL*Mi>I zFUI_ctkWyam0~h}$l?7ETK+LzNw#^#iumt{Mt44h{s~TtfoZzriITSL6+%Ns;BG5`l#U-Pxob2Z0*QcuQZjNb3N-o??LoD zQIZJX4ZZ}g7@3w(3rpkHM~3N4HQE@BvP{7nySW(JYq970t?HMoTiXJD37W^oM4P3e z#RmN^=K}rJC-1L}(Xwss0xYxgnRZ7Y_ir}23#4p98R3P=)^8lxcJs8HRMXY<#Jcx$ zNw9hdSUmWWXdKnb@oNKT1%I=0MRjwC$JFr1q6?jcZEOf?wdt^m`!t2%jS3aJGM1@7 z3Qsm@hz_EdHSI`HO~%NejFo*6v_#L`4_y04m2pQQtn_4_^Izr8|2x3JAA?x;{`2+s z*gsG1_X0!_c*L>=+yh~RI$}|ZCB9gk`D2mYi4em9;J}C$j#$(2tjK;)?$`y<)O81g zW?Fi~di^uNZm%2(@T4c-}CwS6)sE~P&wpl&9JR$e) zo6;Bqk+->q=}n6^U&A(wD$sQe&UM=z(HmqZlFOj2UT4*;V2ztd1eAC$&wkwb+`>oW zFsy!G ziQ-#z*Q1<>uFl1z|MdfQY#XG{@FIg_S?3YF7St3TTt2Pid3*FQH77TGt=sOqy#LHw 
z`m_^VB2T;c3*dI-@bvQC=rOcK%c=oyVVK2X`{@a1j{$?YxX6RJ%6S!M7+M3J+QDd^ z%jdrzv!v;_tmpJ*F(vdE2iV-FvDtR-X)Js{JbOmpqyz3^WvNF^K2~RRzX!CvHzSgC zoUe+s?f<2e>LAVb+qnqN?b;i)K<84Nf>&bU4O}UmKqkTBOBC#AX9tXnwz>Q`XiIu2c2UOx*FVRqWkJBr&!_&LW-rudt$fM1= z;<`SK$<4B5ht&6bfdBnBfGqeCGOh)2;f7q_NB9py7-vUEp{}k9*{Y05U);k=sPX1Z z`VC^nOaHuhFXDd0yyB=a_D{n);oP4PYW6}?MXuk+ZDXY&XYAKRjjo`LP@MhJrzt3g zG+uxu%rwlr$-u6iXYVn*z{#xWUH2VjpB(Kw9}UOV-&1#EN9~GaqktZkhh4#b%_6J~ z6nH^smh*~>7LO=}kRZWw;oXRi5btxCnd~Q==%GN(ULz&!$R?yXoUiOIa3W3<2>CBR z_#@6*7kVN!==LP4WI(ZcRksqY7wXL=G#0YLRoGyi5gU~l?`g%=WSv9{>!ens zEu*fW&HNW;@1|?y^ zeU!7vslIkW3yrnq7dcS=R>CTu_o;!hmRE%+QZ{;_`!BTuwNRvwV_XDUgxH5j`$e63 zdTR;#pSMo!-!v2wYV&2)dg|$fuyj*#n`XQ*9q4|DM2)}8NYZZqkYR{(|Ak)aBV71p zv`(u`%#xf=KB|C}mcq$$aqxZMSayV!6;b~u)2`PKcM{6H9|_((>TBL2bdB`^1d+Z< zHSTaSn3qSoK%QQD^wM;yUr8MFP9Y^Af|wDGLFr3c^gq8b0QaT+yYgb;C%(gf{mh~pBZdko6jhW1Ln8M>(eAsR0M<~HiXMSfaB^FSHFODGsT%p%#Sb%AiSMsI9Ht}8=inp5oXLLgRe}55 znvc2vkgUa6m0#Z~on(%qj@q_-+9s==Oewg?4IIkfx@ z586>lZ2gM$y&0PJ#W7Af%~3}e+#0(e}bNvU(Fswum+v*rQ)a8Ad0J( z%_fEd7FQ8G?>kuaHo!)})B zwmFRab0yxF4IHpw9Jtp@FK2`QW`Iw##{a|pLDgGz=UxNiMdO3)a~D3O(vKK&{y3%W z9h0$)-Jz&^Zg-=49|_Vwwm#lC-b2$Z(ZVn-f_gD#N71syyboQ+Mzh0 z)e7Vpe|`$xU94VloW8;q0Nr)Er1>1efmV&|x5@1MUa!I!loqZj0Jl<)BP84cuZap% zZ5N>(WPC@H(s2gY@m>|ek4;tM9+yvd8s`9yna0Ld7VsvRN6>FI2?O9j1%Ca=-F;-u zOxs!89~f5M@Orz>SogfBHve^6?*cDmJI`%mlV%ev_}s&!R1vrJcAv+>`;Jj#FW_)| zsObsucp6&=gE19Bk*}Fc>K!!c*4gc1xh&W84=Pj-7Mdc=#@83sbEJ0X|K+~&WK%U$?0~l|>?jI1%{eJRk>EQnE|PGtMI*#7zXs2NT<}W-5oQM(y|~A1nyil3aY(=0OYN-iIyvhW@iD zph#lseBbu3(s{ve?C3jFjMM%MLZ#p$bh|J*XI9mlLJ{X)_k}zCtl?Eojep}WjeOSk4 z5a`{ey(kczfcdOJrB+L0f>)+dq(6w`s$wkK!iqExtucINU(u##o%~$(!>$v)$9KJN zUcaB}?SM9b`tQP@P%hrI#`}~^C4w?n#%QO{^~gI&)ki2?$n4|ts+aOMR!t+}qUAH= zXLh0aPO+Nq~DkPtd3V~qHUTd#41wVxcTK4)aSL#B_~Q1 zGy~OGTjAxPHLtStM*`a&ZPg;RqsSvp@{Q2BFpBhLhch;;q#$4k}_ujg)$SXXWVTkZYWa6BJWwta3+{bVa97 z-Fy;6KxPb0c)j|ZI8iU?IR2`ui;VzEKc$qC&GpnqB+K$lN!AU5X^2(Ft9tl6iE|mb 
zTq`E@A(0;MsDV>GT?U?(F?vUwJ9S>?-|`G?dDJI~KL$n2J=3+O8OLLkVb&Ax#7$@7!cGx!)0%riLzeVfxOJcNRTTVy~G z;N}+YW@P&sJqFqMm5kInG47>$a3R^m?={9$VDKmOmMWDU zAF7x~BhD=Jc~OR1N1Cz>1RUJVG`!~386$qN>DL@krcU3JkaLl%{T z%@I?}V$10T$6&e;R(N=cIk78~iBRdiwW88vSH_q2BNnO_*ZG&@9m(SmtavUL^(k=7 zEOMoFr{&$EWQ7svC#~~WDZ+3K5>IrCsVv3m4Vjb0vOQ8{RifpB%ALA?M5p~z4OPr8 zA1LClhfTZGrR!DcAy`(GEU9(Wh~536J}dt5d!wp~qZ~E`TNgX0=IW5AxO7uFEe|Dn zL^0py_w-z|HQxP?C%j6B$RV8=!Fgt&X^hux3pGemeH5IY2?0{<1hwuCylPS7)?Z}a ze=+WsTxn#;`{ukFlvq$`?mPx40S6_^%oAoFO6~M-CkvnlCQDRjm2bpQ;kSae0mA| z!-*AdwRCoY^PzfS^rByU)oSO5IsYLL<>AyibmE2X%nYF|Pn$wTi{p7r) zGv#Jp7j9nxtOOQb#n!!4X~V(knzp42QKqXE|57*da0#uoneb$tg~yh?C&h#KHI+{A z10vX5%h(HB`FrE!Kz{lf2s$yzazEN~S_nIbiycctnm#3~{MFr7tMyK$jw*96t6CYV z#F^6F{l5W$d<+6#9*RI%Ai=D}kZ?#~!z*;74e()kHQd>f%YNJjr};q*PfujG05uUU z;b6=!eV_0rO-1pyzvyDxV9Y-&n(us6@7sFrAvVi?O7lEdm&!S7aVb&_G6EKZkaiJn&R>L z*}gUv)#Y?EHcfhWw5;^3wer3$qP=*;V(3xc7*O()5iSt90G=mA!*GslxDkBNKHf!Vq=Pxv@cH45=jSx^dEOxzJ<5 zUXV51*X;0FZeW(Q7jb#qoc>JOj&+TKJRajsSFcwR+iZB2>mr;ETg-?{{y(N_Sa`3Gen0Sb zY{!uak-QAv-REh)@Dy5X8rxuvGGuDwszaSF|RzpjLUUSX9k8gFBU%~Mo<39Hjq7;%Pn z(zc&=Bh9Xs)TWwzCVrqnX`nsO3XkKfg1GMYP_x1#l^)0SEw9%f zHr1WC>@gl$TGg)e*#O%+HC9lA9XjAFG{^6$EDz$J1A%nC-}}E|yoi7hUn?L14X=h! 
zZ8juYGc^(`S9$cex1?;;$tV<|gG2#U?Jd1zb8j@=^Z!g-@HC(h-MO}AgIW}_Up|48 zGTLAZe@woc93`danOoS0E0m)->@LRx{9|&}Q4DMwdw=+4GWj}cFwvcJeha{EO$UGY zqfIYRs5@rbs;tTXv1Iy_t-J*UC=@!zuTRrY0IUDO0-XD$w6gUkG(dl8|L*IVYt*Hv z9bstcUtF3Xr`M0&Wy)UpTXeWRfUVN>q%~v=tB;5m5ga14ixyWw8e!&7J4hCz9MAqo z&e%TeE_7WO%t`ymf3cYbJDwX~qy2tQM}F-SAzGrZy# z=el9KdG8WbhSyASgj6OBYSAf1_yYP2rZkjD#?uYQmC5w%Eb&^wkaK4FZ>z9&ZkgES z&}0#25e87GP0w7{c~G2718xXyeaz)lii%uEz&MgPZiPBKajhtT{FaoXIt+=yEzDJg zRx9){aD4&fycxxz6Y=9;0y@5V?xPFqd@l7wUr-8m!|0Rb^1=;z#K^u1w=U>x1 zHD|bU)wP>dI}cMmPQDh}FlvwdAK8ecAWZlosviWY>hkI3#+-_JL9-K@46>YP)Zg)r zym7WOfL!b4G@F>F0`p}{mNXx5r{Cw!R2-JwY}tgd9j(%0zfGTqoeK!=BZXpO z43>gzg9l;A4=tp=Y^J()@eQ$GsxK_Wi(_OhDOZ@Zk}vOd{-9YjQZNeYxGLqHeJNWx zT}|B?rUM}Mc-ak*ACAnUu78qYGQrsp7gy{0a-ho3jyjk*Qxs!he2!Kak8!4!^|V%- zMwI*}S)u|D^kvlu+0~C5q$aLjU}~G0Zj{tGlNC!SyZtDiXU;|atExUF5ZRQVa*|=i3D9mSP+N8xN@@*N~{+MVnR(2Vb!66_LbYwCiL3j1D>(J0gpt8D~2l zPBfNlOv>28{$}j>?7&97M0aD_wS(xpr?#SGzxzN~EX>)}7q~*_2U`Of&cV~YpgHza zF&w+^`~K4!Y%Y@VJ;U6jCeL0KKeIoYIlg8}-X>y3`gG-&w3?l*@(eFi@(|VLwN1hz zH<7HnW%zy~+L8B_qczfH^Uu>^lYfWuFGwS}h(+pUMInFB=ADiIn3aC#)78MKQpvJ; z{-tdDRibq<^&Tgl$!q`b8K<{1c@Y24s>B`9lAoqIDmB*KrRFd|mDuYcDh@klIP3kW3>-3;ObQDh2BIdL({>TvgwWh~m0{-L)|y}qDwi(# zk4-`ZRV2fTG)YOHdkKHsHtLKP##G~~(0`;1$W_oY3&tZsC;6eX#iGV#U#jKUo>=yI z4F444Au}MAyk89{_CeK|tVMeSpEo8juvH$`^0$&GwRg8Z#DAXAa=7mSyIAL}MxtXJ z|B)>XBPPVkpeO81FxA5ESSN4P#fv4YXzr9Z>#*KY7=tH16?QP^AF;bR!YU-YCJ;ku zW%Ualyn5Ry-_?LLd1;nYM@)#qy}D|plW(*7hX`ORg(`(Lb!#Xl=1koQ);wFsWi$GE zr&LQ+D;HOO!lIJGx>QR1u)U&8NGGaEO2+6Al5|!5I+3K`WL(9&E7D0N3JnK#n_B*h zt5A-0V8I`lGATo5fnWm#wOK_y*Uon&svf7b+cN6S<@<~vCET^uKja_0@CSBXWji|O zF2%4VZz*|t=~x+m7^$HnXGFt9P{3%Fcl`}F0l__HQR~($P-6WXbVVM)Qw~3KoczSE zuAo#x>@QoyerYY9>KZfJRPZ~O2`52ZIX<(j8e`mDj%VYpaUFBUDxV$}hRmuqC11M& z)1vKG8~-2rkxqX?P^hI#VR=Ee@VP)kH^=`U_j#l!O4ESoSHlro@G_K%G70hiRkYK~ zA`D?jf{6&x30M(PfnXv+$RQ{|tOI|ucvOUa)=&L;PT=LTrKD~CNj|qgEk679!(0J_ zw-+KOyD65~wbz6g9!r)-(B;N!iT~@iT(EB_98YWR}wtio6fqupU?iM$zA^j|* z9k;00sXP@J&}z!__pW%fhmJmv%GX+gH 
z2BYr~hx8<5Fmmbn8Zf1I)1w!)d0U~#{M)NdND**{bMtk&vjWl&#i@1C<$}-EVg-!0 ztjq2}(n>2YrD{t0*H!)=V6C@9#8ejJ&K6+VeX4|J`0eJg8v3{iJtLkAsl2~N=*eGSRJN5g&rd7CIm{n-yDWr;*}Z`p@cc~!-Jkqi zwn*|`D_O6*K&0J`eh-PmzvwQ7TLhj}ZEK~yUnhWBp8#=N8E@|?J9XIzqrnv{Oe|WBYBttRm zdaudA7?bh*F?F-_Z^=K~9FGbT6`NpSf%>XeKf{6|S&rCq*tjts#QsmU&4@A3UE=Kd zZ?2xvKNurTPb>bB7*)SzfMJ&X8KgWp+%Kr?CMrE*RAjBt_gSnIFW5?q z)={FbAoxA}Bw*hNO1XCCbXfe(eixpwE>1$!&&nz%ijPtolFqn{$-b=Y(xgZ*9n@;6 zTL1A`)-Hb^2RJoSMr#5nRzE32a*38Y7<1J5g<`eUB!~RD;c~8I9P%&n(7Gmk(RP5q zJxZlG&RE@8c|US9!wc;qb4z*WQ2f`Y87N=+%HiXe zoEs%$?WZA_jFLF|D(tZQgD!2~=-B5uC*vPVP5$9#KUO&pCH3lxSi-Jo$ClyBQdx4J zjMHvWqLN}k8yD)aP#;Ph&l;i&S;qC20$i z9YakG#R;9t{SjEN03b3qT zf}097K2VP`VHAKL e$L>bI5G8{C|Ma$4kUl8+2EW)3r*EVj}4UGJX*{B207$BNu zVXHSBmQ%VyF>3V>@1qiJR=WxzmlRz3s80}ks(v5c!A7yNxLkWxnCih|gJLk-7dXen z52&uxY7LCZv%!jpHkpiZ49?0scPYlj;Zd66oDLN^5}$ensOlLw$yPL#pdwJbINfIp-$n~lW8tcYd$S98w~O^v@=5E&bLPE3Hvyxi{V zXkm0~ddT;r7sfY$Z!378;?cjsg(_J#F2^xmsWNk{ex%3Z{5wO>fpVV@p>>dB*Oo-O z>9@xwaX3-e#Z)w;#iIHP6DcZ~(?rWJQaP$InkeK8q-j!5J$+@iODSd~5ogMMp~VWz zeYR~`lOJ(9`&;gW@F^ICST?!5L(~z_lYaAUqeT(!y8mSQGpxvLcom%$<0O@)@xxL} zhb6n!ye%EZvLmPPqEH%0Ppy1snqA}5RBjCn+%kO${IlGYQN~T>twyX#9h-?8OsC^w zG30N@e;?TozfnFQMKCfJ@ThC>$-8i=kDdzsID>w$7Hh&IGF$9Ww29A6KTv|7SFq6; zTYW5kP&POlHoU^Q>uiRU^JEG#yafd`Di}uXTVT|EB2v{%r`FcvF8IYH*G#3;Y$|8I zmTJ3NAIik?3F!}7n#vQk=t^=|ezK1F%Ac<1tuJHmzRqv^PgeQQFS1W4SjlYxyM^;?WDtf zk26~SZ->5XCUM?MdCt~X#TBhu<~5dffPw33ndj4rmQ4`*%jSj)gSLmAGc2!A{=1LJkdIgW~Q*WB!{RCK=44idQthLSc(j2^y$A1>p;0IV#b-40b;JCi>pXA_~xYcUg z?Jmg`+$$BBu3#yL+2*vU;2BoDF_bDY!_@)DnrKzo1FyPA)6iFUZYHOBj~Y~kfOGQ_H%2ByG-(sy8Tb;*0WS+R$5H zF4kpPBu6q`bPojv?jhNN@5PWt$mw*=%{v#1?fF&xiA&hT+LM8Q1WB5J$5^ybp66Y` z;FiH%C}Qf4{cEScM0ef1lQc^=C~LV2a)&;aJYHkpT?g3!X$hN0jD6HKIaYc{1n^zm z8N9B((%9!QBk4a6CGpOy}47EF0wb_Rw|wcAZ4T&!I? 
z;R&@o^|MTE?gX2Gon>6G-=0_>Z$k|+v;r|!EtUqCMwdw^4SwH(hI5~Li~Z9>e>&?OkO;c4Y28{*FD?T+>*7MyPmk}a(-Tb%bn@?{ya*p#kotI5zh}myPG3OgT zQ$@ON4Z+SFODp>u*xRq}*Df_a=0`5;T_O5hYZfh9Q?E|k98UM-~e2IJkK9&*ou4T*$M$r6mdFFyK54}=d7Jas;Xdq2#BuBG2Z zz=R+Sob|GZew?rQlM^)%(8KqbWO=r3nP@Dhvf)#muAzf5(V?Ii*lBnPmleVi@7VyP z&(XsqAy=NSk_gOe2JPi@m4UA*>P(X-ronEy1X1C$+KM%CANnkx)RZ?0?@KjDj`CG4 zJ=W-83g5c2XXz=12F}Ng#3q*S2GdCn_YI`%)fw7uX^{)Q5q`k&Jc!k{;XRRd`nf0D zRLo&ax1n&36HLYd<1gM^^p&>IAIhl#LAB9fj^U^ zfYlCCe5K2mh}vxlpQQa7L;`@-IpUU`iHnkE8-E0Ts&mQ{F`EXeP}}Qn+x?%sQ z)eN$B#DR<1lff_2@z?h#_;a0%Mz>!;i%%)YqQFT>8Mag>R$T%k>ZUdVa#dp(#FkjQ|XW@QMGHQRXzO3pRqd%VwOk8{un^i2D09m zs-Q!SF4FZ~2*uJb>eopyP>8Get`$!}xxL7%Ym%khu`lx{wZ*F#la4??Sh>d)h?-)~ z)isNPG(Io*om{rey*YrOiBXL1^LL2|{mODmck$zn0Z$p#f`E$gfzO}J0uhb7!PDvs^J0Sh={cgFb|EYMq8$5u&QY+<2~7^ihvQ8$V53UP~@K9rKd*I7RB6 z_S4POU&U|9=^uFLwdHNdnfv=ORbs^Sx0&ec(Sfr0vAQWv)C=Oe>7~|e`7xM>xTB~I zmN=q&oTEI4L#$#y3XqAl^(p0!k}N9);{Q@>P-lTeW#BhODTh2G9LrcyEc8AKXjMMy zk6C`8DpWho^fQcVNG^N+W++z2mL6*One#Zc9L8zz3@}&bIC;nxaVRuq?TV95^VO&~p=ji83 z$!oO7ru+yzD$bkY${2O-Xb6zB!IMU9BJafcRH-5vo43k-IVcq0n5(ilm6ehCVa~}+ znZ+9yS#n=jZ@R&eF#}Gm@DJ|J1b%fvo2+%=pG={Dd|if)X7o2}gVy-wP5niVQtOLiW3?*#1Y3ej?~maA4J$u=_8rAt|9vX-i|8f&x7>GB`XVJ~J6 z@K^awUw`D+aA=vMD-m1Zx0P!|h+!^Gf~Q&LS&vTWmrx?4tOdEy`AraHkOF{{}b@ z6^UXeWDY_NfIy-KFy5~#+&qMBCgHFBX(Ri-X3GCPQMwWFgvvJR@X_PHY@VL0?KA)3 zYnRDSJ%+eGOkNWuMIHw1PYUNLB}-7FQh~jIcW{Acr@o%`}m<%}3BKyS=pi zvWnx_+`-$Ye{pI1q$q<|#d8%XG^eW%QVB-ZoeBGv)a|eNehSc=0oG2z1yT3;6pc$5?ZR7 zf%btj6nz#|@G{FR==;d34q z+xBE^RuX5=XG?SOs?efilJmY6m5epK2?0|>$wg!J^EG7O$)+lWV!K*L&86-AyEhD$ z1>S2JSaKFigDdRX$3r=Uj$Rm8_{6k5y6#i?jaL;6d7UaWwDf_q7EuQ(HTJ$wIC>lH zqfHL$VRKqSJB%mMoCE;V_a-olHbg@7Anffw&*6R40AR--E^AK#taa?a(<$U=?6cKp z>-#MX;=haIC!iKyi6wkOm)bB1WYBPVvRgZ$z8{5yK;O4oOlO zaX@a*MXGycWs_>*L3S1B@2cc%dYw~nkMYk~-u1LK(3fYQ{;7u+(B zb;r6;u3^8KDoay`fS}9d)G&nRlV=@fc`hI}4MOfQn{wTPt>k(aeJ{;8?l10#{NB;; zBvmvV{n0;%qpeF4MwgLQF$yw4?6Fx2GNVQ}J;!y{v>BPvG!>@?Wvc_p_$WKH=M5w| zl~i_sq$>>iq8Sn#+aJ~UIBj$>*88TEFi#iwWZV_(CXKaq5*gg*1x6`@2+T9r>9vau 
z>4|E1P~dmuU=$O%s%KFKx%%AWEAuwVXIU(2;*Xl8+R3y&!Dp>HsPWW`QHvjP2q{IT zA+$&_A*Azgi?{fr>L1G^s0zXfbY<0KP;+)!GonpQ7*p~If+OOFjEX59J65x2=mw%y z$!h=bXDq8gOOWT_6N#yZ^#37R-4?R!NBlW-{yr~}6uMPWh#ej$QC%s@RzUxUUtNrG z8P<8QUFXm?){^7&H@0Tzj`AtH5dYHbTWHV2+r`(9I0{?CSk5IeX1bfKbZL6%gwGV4 z=hOjWIBJ7}*yYy2N~U*0GvQX=_UV@9LiQ^SE{Z#GLVzv1m~pz&NH-8K+h_dtQ;Pbu z5nhCu7-zAq2%I%~Q}$cMZAUenN+kg^bw=fKsUz|R71#HOmTsytSnL*%CZ3Y%VYYrT z9cNHrameAJ(ImyUqOu1%b|q7JKr)aIoR+ox(bX3GGm?rehKmMt?E^va_XYD99v(S> zmvb>7S-eb>$bX1F>m!slZWdt;dN$*DZKkGHm(zs|y{R`uBlrm;nPmSd$D9gjpI0|F z5KuaFb;TcVrK1T*{DCneZC73y|2=kEtTxy}SqAwxcTO;psdD{%BF$f?B}Q3_L9MyZ zRHYv+S7O+3=jg`UY)9d-`cWx7HmmoVRt&}n%)J*AQHsSAdm5;*>xC*2wW4q$nf9&z z@oI*nYmiiETTqO%@(~|>kaeYO7tHot^(t9AO-rKOvf6i>k4B@c-aT`qDt6ahWFyq< zvA6ms{KrY+NumG3*r+A0Hy|~<)qwry@}C*{+QPUD&Gkg7qSOqWAHlLStbs);#h>r% zFm+U3M5AdE(l5-S+wE5nkXC}(vFA~n4&SHWTN2`>Agk{!YtLYp}M>BI$aa6h=t)XRgZLYYF7dS*pHZSTrN=b*gN%0f zuS$7hABEPH1GF2ecqRi4nP>gz#|Xb<+n^6qNGD*Lo!Q~Ya}*I0U<@Jstnk2@XvsD& z&Xgq=@J{gaQKnDrbV50f>lR#5;X zn}wOIGEmWa=)+ixe+*UKPfa+{mLY7&O5x74PGQ$Br-Fm`ka@Ig%QfDUjG583YLS!d zPdHpsao$7k(W)T$buen$$vW{$7lXASEKu_#iNs8OII0kw^o#dX=>Loth@>d?vj<8M zq&Ml@A0P=`jom$O7iNQ=MQpdAI9iy%0jLHakiBE*AiX z0n~2aob~&h8b(UD_53tqA29jpu%_Q_zL^K#YbW*r-E4>liI}b1OR@CUTE|P|0|!m@ z)rwvjV=Zl7X*E9Y}+$^<}?jDgD>&6 znzw|s^xJ36-&o(wUy_<=w)&wTquZ$loPExnOM6GHj|R!wx58mUPWLN)qDpP5028^KGP zkGU+0AmGUM^)(6qe%CnJ+e^&i)cWp(2dVc}Xj7Wcft%5M*J0DJG$UYQ0!i2Yp{8Sps?)ca}CfF%fgCj{dS6Vgw84q?HB?#B`K`cU5byHd2P9qfy-=jl?SSg(hGJfN|QQ@jq^e-hTQuhlCuSPtF2?k3aJIBTR zdk?xT)6gQ$AhBwwj^*O-ImKnG#c12DGEq2tRLYU1`+q}{`P{JVk47y6nr_2PGW%bH zU##*NR@}bn**RPPKdR0tI?}Ld*Re5iGO=yjwrzW2+qN^YZQHhOV`8UwzJIUve|w+Q zL7()yy5IHGQ*~EecdPn5FP?qqdhF6gs{5GCT*4CFdkBav{6!aTKTxV0gUZQ$JavO= zbI7Q%cRt>;_(J><8b0=EIF&wTM}%`_`8(!@8mO&?v;=WeDU)TXI)s&@b~W3SRN07o zlCaZ6U(2ysJu#Ly!Jg;u2gth6w*c*OD471i6qwaGaX!gb?NDM)PX8)pk*SFO79Dtl z8jwUJOHo>VsQS7%=TJ+AGt}{xp#|^+MWg@pu#;#T)9uw3i}DdQ45pArW*>T0hFC)GBvQ=z$O+JgC+7!7U#FzIcrw#14+`o$4bIN+@VxpL8J1o 
zpyDLQ9TP|uYs@GKkJpcVyEO<8kwnlT3=l5UQ|x#cC*t#qj}iwn*Cy)?W)K4eBsMGd zoVjcymfh**Rh6i#kCHpSCWrqwg-n82BJi45R6k##El42}4r~Mqv{!bh&bn1T6e_f|dP;z!=2bKTrA6o%FWEh$XiS9Fm~#`X zJtG9#ZVDvWWm$q)7>(L?*QiFb{&H+)RnVv_PNnTlvNkLRlUxArA3Tr(uBNO?ioZ6K zc}hlNkVw-$hA2X)0y659Wl&50=Nl4XL0H^w30oSH0DlrVq=8}Dx)W%esyY0j8lyO= z)2w0#lu+g98-%5BCE+^JB5nBUPv7K~&$Pr9( z$(lM1Ji`DJE?94Zn11^;i@G+?|Ij=2Qzo~LFU>yldmcDKez%_F0oJga6jlV9DTmi$ zlbW>kDrx6=30BBOY1>!G z_YzdkLO?lJft27Zkidt|PlyR=+0r%eM8%gK5>do0ij0JNOc_+EiAKkvaG#<@&{B%{ zjG)W!`eKdiA%2nB)c7BL%H*esjA+K6j~{=>=aju*5lSf3oF^MkXf#q)`&LAaVhfUA z*5l@9glIObV^;WAtq~R~qs#l7P%=ERTn8Xe#&>U|+q9$GmFei7z|B!OXF4F4$1ISb zRbGsU7)3+Aje)NL(`f1yF5J9FkH^cE=aesJS`aVSNc+-Ch71nG=UJ(y#jr2ti|y4d zpRK2$=3xGTwp;qa;hbhU_xv{iT7R0-&iRl0CXQdXY2o>04rT zJ~x>vx1TlaEA*RAV|lJ)`bNAd zK9A?lRlVlQM_0FP#O24nacxOrvy$B%0o_~wQ+j-xr+G^1PuDnU zHlddYO7q&fRY7Sz zhcQca@Y3pyjeQ`$lOGp~uWh^9+un8Ekbcfdd0Bb#Zw547M!@R?2K1Bc_u&`+Z7-l> z^p%tSs&}(y_KNwqy1Uh7rnvMbtor$s-cI*8W<3l?=gZWsU#Hyr zX+D46(b~TGs`7&JMW%DKYww73mv8?iPN!{rLK}M(o5Jj@38M5>L+76;1=UQ`(7$8 zTW{u3i?Fo-K_QYnD=Gze2PU;H&l5v>QO)(mjz>Ba^X%d?*JQW@?Ffrn=tctEHUCrD}1QUq5lGr;wb8PKT8 zXvRum45;Iq$*OM=)AW(ReolxqO64HpOD>=JqaYC{l1X1NP`038nRWas5Vk2*y;AyH zl9M!!iADjdoOeu}JEm?#%8YoY{^PxE7RfX+u3b3z4?*&hmJz-cl^NG@zgTw~HDS&; zbQd$xB}|^$!rbfwe+%v`9E0~kKxNUnaAhw0RbY0_TYMO^2rt@zW3nR!bJU(Yxt>I) zEkoANRb?18yE&Z)+$6~x?>Z38y07@$WcCVv5ieVC7Y6|*B}vPE#A?FKZyh-U_EJKilNKobjuKbf7-M8cQB;fz#76=EfR`#s$uRt zC2&H~m^*#&sJNnEF!SLt z6E5=?u8yLdc3zA`6u@;WsoLd2JuBlRg)1BjPREfeGAM0JE?|pS&X9Y3II1{F#G8K_ zqTM1{SH?#r#;rGY@+d*tcwok2!=!M*0`DYhB*79VHu*;Z3lGoUF%5ocMp0U#H!|}a@%o@5M4ei0BjJ(XC8#p#1#H*xGVrZ(n+cMWo-zjIFN zIGu&^@0^O5HXC4Bv;)Rcy+93Yb(rdiY&lB--3xT*dH)85YMnkqGWLTgVBWiZDLdJH zl-!BxZrs5RfI5p(r^i~j%${E%{yi4 zhr1quA|ki8K3~WCTMRslg+|5+3>5dsQ6U&xhOXa1a|-8Ou4`EV8hbh=K#^w*#%5{y z$67kaklGflFe%-}^S650o5PAVHGJJK^es7y3XA?mB=&7b;R>AwMw`TMvUB_Y4YvRR zfnNc%Kgcn;8o(FwoiL!&IjX+}_Qyz)CxTECQ|=oTF!&$p_Ky?{^=r6~M9P1!cO9VD zHLvldc^^7or5T4;Z&>_bdD}6G?Pcn3ys$7)elA|+cl5lytJA~XdHvOTL*Im8RiF3P 
z9^l(NBkTorJ960w;CP?{IQ!doiSoTpPZihbE%_NdJspg*dk`juz9zngG-y-xEAi~hEDzAw};KdcWstzO&8aboZgJWNd-MU0aJ zSgvWz7DfHs7(LFdHvisFH~u{FV|yu2*YJ|t+IOja6b6|(*Ll+YynJrMRaiT&RV_~A ziDrLvt36Td?p4-?u$vFt@W;`!h1^Yf3M{)$ciF?!A~T}SeuR%*Zp+(xEnmkI@hGYt z;zina!qPUhOS-K+iYl1bQmVb_o)8f^9b{M7{NO2 z?VL}<@E)@Ne(t{XZ4b;Z$evZ(cREfkx3vGMKE~gD zI+50cw6kZIZ*MZ;2mJD?9;t~DS#;BR9;)SQf8Z{2+JXoXf6nTD?tJsgq{j)PPvD*9 znes08eJT-`*L}>eP4&1=`C1X_30%3N)6MkSxu3OrQ~6lZ#@8zRx4rqfMc&ful-YLQ zcxm%E7dRu4bSFKce+dA&0YJ;&0JIhEYF~2~C0{ZDMV#9Mmwt5;uz7j^^5@h}2LZm$ z-}?Kjr+!>ClvX6NUA~eT_5kId&(G|Bsk8~zD&D*ZX4w*<8yuGr;=$DWR%DsqefP~$ zJ#!RGI}#DEIcmV8R0}M+*PDo=>)vN|C=_Hn@QhMu1xcZX39yhH8Htbt%2dmnsv@L$ z+YzKrCyt?BMQY8!M1u+bC1bfm7f#Tgq-dvM4Gc~$D03c_2BsxckF`Ym&3YmHCmkfL zZ0WMJ+uI|3QTtEtUnN*hmSs`N9~Z#bA=(ZN$#;0h3rsE%h3*Jtti(+-*z$(hgnHJP z^5dnR8H>aW{|}Gaa1LM+Z(V)g7agHHG8aTx>U&bRMP9h9YFjR|GO`->&4z>D~0AiMLNS7e# z*e={WpEdjiCXQ*B#51b{73l(F&w~PY;hGMB0`FC_8tg}nShPl$|A1?!RfEh~8<`wuB zqsrln<|z@57uC4f{DC4SU6nYM zB2}Yx=nBh!BMkTy3EpEB4~~m0QVww!Dc39>>xIM&1}59FhQ_ZeX(rQgPeb|N56_|7 zme9QG)+uGRrEAe`;SoU-iKRZpSB@?m+vKCr|5NDA0$*=X8`I*HBS~y4bZ;h#$1FbB z(kM@SbC$(-2FG&1rGx&)0VJJVzrhs$h``l&ITkX{fX^L3pMEZ2TKzx8?)2BqFP{!T`bfASlUzmC**0g$Ap2A5eD>7Kr@o&(? zo4JX@Gt4sc^axm^sbJf#G&n9StS859CjJZQIZQ~<7Lo*)k=XJcD}_UExfU-ehzr+2 z;1vI4I|Pu4Lf3j!F4owDLQl)|KQM2K(GNNZ4HL*Wr0=#1_~AY(_^L2ff=2^*LueVU zwR0shbfIMas0o>ELyrl;F=D*+9LZhZ6quybB`THyTM`lb>GKz{JXDC6(U|out0xU( z{-l=X@wd^u1gR!2?N#tt)0oylAnSM{)sEGQDI_UXV?lH~ETKOdwIwx)x+n)th5F%F zMcPPW`tsujpFw_*FCmVK(j4FlAPtrMGW$9EBLzEWviP+CWU~$U|MiZ1K7)e$!ogOu z($qXBc>bD9Pt`81kW-n8!R?3-gDPIFaF(bc?P^2-a{ODm(oypoF)8%GH6!3! 
z85$I4H8P*>1&r&89f<+D(3V_`1qzmqLfB-eF&>DCG9b)Ypk^n8nzs9zGjHB!(OL!)v@n(U#0{|0^YpS(+-{LS9}{qiIBe%;d2xLfvr><&c; z8Gr!~MC9)Iz4E`}_xyU*2MI=&qzNDZ*a5iRzhvj6Yv}zv`U3;1R_`f%p2I@3*lJX8Rrk>~zhT`|V5p z_2kv^w`cm}mS4-~rg;67*L&Me<{{wEp!>OLYTM<_;LH{r&r?6B`HLIh4J)*siTwUrP{--@$LkV&TGsnL z?PRsj(n;<2dEQU+c}%gglse!l9;;n<;(i}bacW?x&3^F0BR ztN(JB^Zs4`w8D9!;(p%vFny`t@jgykJuvlw$n{+)e4FWbENE^LZH{1OuXBfRy|8$B z1>1Zq`j0+Kr|~jVT>sJeW4ji?J(kNi<&FuT#&K%Bvbuc=*NOhkvlgqerf249b=zYm zf!aykCe67f-DwRpcV@@${jIbYx=XAeXu9=#ul&$lW;gu-X zdl>`ZI@7Ug+jSj7e*3iSISF!ne#z(V{*{RG4ePD8&NSZDwawnR(!$>6C1_qW{z`gS z`{W0F3n2DA^BXb&-0GA3Fvmde@-V)VSR+GL0lyODrm;s*p(Fi2odF;7Z+^u;=j5`X zV!1F%t>3|)tcOd#_s=VUwIFS8g8wDBHkpzSjx^9OvQw2{+q)AETu%?vqSnoT4I>}L z7aH)}$$~7& z)xT0-+o@&|j|<<;_Xk8VMBn2E-O1oVw$0Jvr;-cQnT(C9Iw9tpw zic}y+6?-7fPmny7PLP`S>=alE$&PP1&YD?YXM#6&7Nk!X(!z44 zioscy6!-2%o-aVFjoT7|zD%aYr9qTJ6|2|+k`31C#^N+#lO6T1I!eCMQjg|ogY^hF zHvvVbyW|Sq3}8F!*iIbrvKhTC3rI%0h*X(03u7u~`m3c$O9s{#@ubzvf-bG<#Trv< zDiC+ICQ~!9KQ(kdKPznsYL}V>-E5;WZ6j3w=~zaVXhUDxuq{^ubELeXK$pK#$1}sp zB40Nm0#Y`N14WBz+&E$BD@jm?kcM}7E+>YNpB=}2E*Ev&EyNTnD$p}#jV60OIPO|a za6dTo>rUK?@#;|oxu))}4j4j}i`GQSu=0c$40Ki5mcO8(*ofvh*0#@BHn-{lv?Ew$ zfin)@cy7%a{HFwN_~|!ue7RA&PJQ$+pZo28;6GmeOkz>}&pcKJAPw71AuWf)nG2y! 
zm=d(HD);&Tf<0RG-OO-pvfo1Fpjc72d_=Yw1X3ggQ=Y`HM0qrS#+gsB_|ytrzqiQb(fCa0d%ht zXp_wfsb%gI8%mEFPQ3@YT9^{=V1-3{p7<$JzW&jG35EJSaT%oBI%-rDI-POBN&F!R zyoCykscw#dXPs_Dr)&`lI*A8Ec*;A+xVmoFw1bH-9)hQV-kB6I*VtMjKH_pF)&R>W zaJLahQ5b6s9a+yyZ%w@2H#30R=hjau3)Qy;P+W+=4q)g15-6VA1L7{z>Hu+jZI~1^ z;XYe3)e|*owZuw^9&i>4{y%x|b zsY_H++Ewtk|A}kMktEE-7=;~#QYe<$BZoAPXjJ+{1Ua153%Yv+F1dvORB&9iE#J5( zELsMc$4-W8x9CCkf5TTV+Aon`KT7ZZ|5bYX06jY=5x1@y|Gv|Lp)82p`k{}=U-9pL zaN9Is-)SPq&^9|@gMMy+*+RZ|_fFAaX1c3cx|tpB7QjBD^y-%{s|T9L;pC+Ba|^yc z^gexY+Pb>8$)QuJe%B~?6pe%Nv47HS=hHX8?bvNJjbDP=$F_JHPUEf_;`!~A4-}BT zwl2qcThug)TK?>&X$r2`O~yUO=#}rcYbVcVfZsLktS(ls!3gW{D0;7%m=%eA`xJt_ zZ#{T&RNn1Df&HBF$e%|guqs83JyM^YJWp;gHU44YVw{kkA?Z?;hS1W_MQ)WsP`*v!2g$%RNzd?crVz zrH_AWPyG6>6B#Kn>Rw-(@fueP^xe{_4YM1k2!y_;3-;Z0$d~vBxPz;$?zN4R)0Mfs znt%+98Sb2}Kf}%R+-FDjs~)!OHtVe?RUhI<#UISlcHaxG>N=hCN{_2vRj&I+^mr_K z2Ni4e&%>4aLE_T54kL22sHM^R99Nm*B|IF$A7Z;-R})tHw`*E=HE}!oOl_wz#`xzv zZm&ThrzKUc|N3`At>NWZI>KsP-=nKbxA#PoU4^qwYF&kHsx3bA| zFn(|8Yc;lN9}^#y(7yN?14egY-OBh|j!>L1{yPIb@SU6V)$5n=L)oTJVBRDERBi&o zBBiW$?g#w%TLJ$!?~c^Y0lPwH=ziRpTzcK8On_8HElepAt(`AGZ&6NmG zn0dRT@6!a@pER2ZB5t>-z)#?U)sPZ43d5OXJyUCG;Gw>`Q}4%l=HsPHb!(410okcn zGB(U|pxK^@6y^s-I*x}QSH>S}1+&XFfejIVIt>KlnrB>oMY zN2P#6EXJq08byS;B0Pk)QG&V>tdh=7r5B!&1Cp{3!BfLpkWKls6*K8d9i+B{<^*E! z(DU)|NuT5jhe(?$tk`E+`3pUwt1`=l_O?Q=N=2PoL%X5BKuHma|IfKtt;(`zjv!Gv z+~T=PK-2OmC{6G*vQ#)HyJYDGuS%a#s)ne`z!Q;K!WV!IG$g1jRM(m)fHAq_av z6WzW!5DU&@Q~s5tJNwFVQjid?b9c%1tdLFnuc!3Leb#)j);?!OUgxa_%QY+!hcQPb zhmq6`kO817t?PRG(Z-&fKZ-4q7~~b9s&PRc9op7p%;Q8FXpLNQ)P`$_&294%ag&m@ zRLR!E$S@|-ta4%`0|HV~K`QX2B>nXjl~1kJhN>=zstdF!^#mp#)bR>sitoZ1LvgiR}0-gF(&`RZAe;Wg*`-136trPjIFL zhHJMcVmxh&UfEbmG?s`Zj3oKK_tA2D*@~%2Na$K*3J`NOlUAS&r#i*n5JN($@!J81 z`o+?=4*nmS95T*?q=}4FkXBP@H0?K&Qf<|8#$AkM8dV~z2$)HN!UT0>U0z7;CZO0Jd1M%dODavt)Y04ZS$H8` z2>~eEkx7t_hPV}&8Q!!xa~;Gp;X&tMn(D|}?Qs#w!Y59YW>+qjRMf??*-t?>HVnT| zF!52X8gRG-RK-+?uuc06`kw$cr5!&nR?e&bhaa1l27QHkvV-mgXH3!W1etcQMNonq zfu~SB)=DL+vjj|AlXIa>g>({TyjC(tHTEOMAXx5k!VLSwD)ib4+ADM$%ZbY;PG-?huZ? 
z;_Iq88z&MjGG#6Ls&c$#s<|K?Mk<#isI0)U$Yc@h9@^t9HG<#u3;vAYm8c~g?5m{y zzpK(Bi*_J8$&w1nDn|Fc8&_4o;P?$Te1h2ueQN?q3KNv&Q~Q31z`&Z@g&w^6#8@hj z7Uif%=W@1rLGV&AgL$b}u2k+DkyFkU)R@;GiSeFr=1on8x#RI_yxO;EBHb#Mtp`a< z?2R?Gc5AviP@jnMB*+v(dq4K;=0=8(y(BOLV3FkW zKTAg2?XPZO`gQk2m(Hbj^KFmi#4j4paojo{XQ~+b4R0x>xn!$e3-+zP=j_#2Rk--= zr%9iU>@wEfPn%&o0E2e3i=qYAC3A8aUYynzj<8&&<0|$T`XA-Hei$vxwwT`+z*ifm zjM($CGx1UltJmbYTDZ&On*fQ|d*%EB^VS8c?(z9b&!6S^3`_3k@}(YS!R?#1CGB^a zVam^aa)^7Q?{ZE|r`dCVVaeS4dcSrho!j%fyJsNFWz$RC)BD!G#KoT1`kG(z%gxR> zhLXD1?+I7i;ugQl2q1G`7ZmcO&*ibaEzqaF*dU^=RMu(&B~Qj+4o{{ngPT_DaV@+d7d@ z+wHVTMm>|j$Nkhpe?|Fz1?k3rbIf{ot-Okg?&XT+8`n9|tY%x|vcTt8hp=Xmp(%f@ zs`KDrScz>F#S5T&zP})^I2!cgzsKy}VBPd-e;Sv5_mc73&;Uq4TInG1@LO*rXIT5x zZ|ZXQ?N@UC2B+p+6ye3AWpju7v66Lvc^%5-++H<}z0=GON(%7MJ`kn>Kk$J>eX z`4dA;-^H+Z!|S)waQXj?GkbsWlb-^4I4Dh#JPaze7|1I43ugBg+O4wqF@zkD+nBDF_T0iz!+2G+#@ztnaMDcVKH@4 zDb;Qdz<**IjwoH_*f`-1p-PKZS5Rqc4!0|T=C&fGZc!@I?Q@d4b0}axSduFhI2mxo zr)Lg;b~QeWN6q7-Tph9+7*Bt~iDJ308JRmyFgX5)UaV?}3elH<%;p6(D0E1cE8N&@ zwQTeuOJe5;%Id$_oUT}&BE4im03JZQO54bJ(s&(lNq3rQBMq*VehuLHaejl5PlY+Q z;$tr3lwk|1|D|No_*P{we1;lU(D8SMI$Jn;%)#ZCJ0rc&n+#jgVSx5DaCaWr$TlC> zzb&$W7F_gUh}2X;LZ#+Dxa_g_ZVu6nYC%i|GbM~54z4-pvc&6rhJ8{=gQ|0a+c zaMI9-NHwfJo}_wrt{rSvY9ndstUB}sx}e$9|VIJ+&C!ygR7kP2u(Pm*C}gorw&U#8%)T`eQcQL|Ikfj7YtSLLaS zISc-(NNJ(^?XH64EUAR#uy&!qL_&ZZUc?>98!Q!5zgkXxu3?B8WF(_J&H_|1Gc+aG zvTFIEIk*y5_$(nH#Xkw~EdrPq5KxahdO1$N0$%u!eng80RlDy|K+)SzK|8rn?4A}J z;Q*f}F@g=pWJ$a$r>Z5)sTv!qDTLFXw}CdQwX6(Th{!!FOeNNLG5_8wJtqOjh3So~6(x z7?&U5sx5|91eF{n05?hKb#7R-0HG}`qOjMOQEmM&t`fG9&v$ufF z$$%A+V^F7SJH@$1Ro~!?A20*>mi^*awv@ypARX^N7sDI*3{F`>HY%*#tSP8$uM!st zuWf#HWrvQ=@NAeH43#XgAj`H=dl@k7$QVPs=At_}PG7ZN)8p4v#6mgGBMz3FD`wDJ z9G3$wI_O3>aM5K~m2Mxrr@#(2;>wU0)=E-b)+p4pAIuR#CE+GeT6dt}{BfgjZ_Sa$ z#zPVpwbJ`*v|JYeYh|Au`W9LGvs|xAH8jw2UbHBvp1Q9>2N~EP^QuU9Xa-?GiepGj zM7a9iz>I+7FBZ5{cO?W-R-*lMlQ)l{fML!GYbEh?M4?Mp+#Q&8g}9DD#X?=9v@8sP zfE=x>>K)qWPlcQ`K&TiT5&AI6>ilt$=OJ 
zf+$+Q^%(40mud4(+`FOmM&BQ(a7S=H0?bWW*!SwEL`d{dpHp3$*<9bl~9!uNF=fK6MEsTKK1kUDs7e(@aN{6%T$JmGN>O&z+a*L%~0 zKcxj5aAMPWF}`{2g5`A}oCSele?ONUce~?(eTn%!v5N1}=DtaM{`aYK<-<9b9f9v3 z$g`wDsd7n;yM|YxwwbLaYK`~Ba}=G1w*3U>eT??3w^dT9oc`gSCbbOzNs3dSyuP>b zhF};4wSMFC|14s2%Ke1}EybAkf)17g0&OuFPYn2_LNjiax@7__QAeuTK%&0hK!WTE z0tOY_^B9cm3H=KsKeXi$2sS_Dw`bTKw6}2EmN)c29X1l!E$-Xz`q?R-%Xy2qogbU* zhaU6AugNIj*&^%*E&D)wO@5u~9sm`<62NVH`!Lfh?qPoD)Ph~*v?q+Q@X-y&2i{X& z?fJ6sLf3LAdcDyeP`6&Pi6UKlKQIvH2Z$)fhuGcuFtvDyYA;>Qei)gM7sH@;+2UHp z$mOz=zY1yhs`|4)CtWq8?>VE7Z9m;Dfiw#g6M{zkHGbw z=VI?^^r0G?$JN%n$O+?cIx~6QpfxoM;f@ z%jZ{*c-K78>0{2W`MLYQMNII|Olv&(oy@+)$(#Hk$9gDAvWQVWy(b=^< zj3uU9`ft@A47W!7-Q6dE^$Nhb3GfOS>OJrar7EhMUC;jBc+cfPt7KEDpu(@;_I}+p z&jFlzAAZvJqa+{`Ml|GSd@%HWpH9!d`RQm`Mc9-`EX6l0T$7>x${4HyA52H6oN`x6 z+P8`tPu$J{tx!&74EJr^LF z;2?vYA{k>gs?!=DMHx{ok`N!QB^r4HLAy)qaojP%!p&xBG;L*@2m%2zftc5XpdKX~ z8c*7l#$i*+Ri&2YS$bwMZ6hFU(_3(aIV*c<7gWi}8{CS670OwO4ccwwm-n7}K%C+m z@~<=|5TnUTH=@j1X2xcM*eWAqHm4 z0W{I+--H3l;wgf&f)FDuQp;7vOiUiEGB{Nhi^ZX)jf?OM_rwy+5^f-^ z2(5YC?2}=|SX33W4FsWZxevMRU?Y2mKc8%poADEJ204~xXPBjRKzEj!SCqe#p8_1p zqbWJNZ8P{%o)?#q4#%zy8>#-}1dP*;V5KX=AwWCM5qR{Hq2NIO4&GheZ`p`m!egj# z2%Tj%gv2%DhLCi0u}?oHHC#~Vag214Q4Ict>mb+&Cr+$1(-CBrZ_0sIsN4{o09$wL z**eggs0U5H&-QaN+1d01ZoYFh8ez?;8o&7Y?|NsqA%5Pr-A~#7m{7fO0^(i_TdT@Q zIgdfYH3y)vMepKeco?zS8iK2mig|Jl3Mm-_sZz%Cz^U?=>mj>LVN~I(#@hJEKnr#$ zQcUu~qjjC2o~zHtYFCW&hnl05i&&q_^>~xUgKRVCl?-)Y>l7$C4}J-8h2WTbL|)1c zyEX&8))zw!$Kt`E1Q?D$MTw>;Syn*)|M1?T}84_4_9>mr(njZ*+>D;>?D-ew)QT&0pj5gvbao`O|iNGzQ5y(9G*RC8UzOcAVI{(PiI=jI|3qO&;1 zO4DU|IY-mb{m{i&^hmMC@OkP7ZUE(pqR2ETQKC8=yEF4}|5VbVGF9UY`=$4P1E3QG z3~+et2S@@0aH4)C15C{>0q7DY&svXe8QtidZ@pjijrX~D+aJo`Zl55>%ur%^G|@+d zsG#%H{ZGuh-|4d}uQq^>uzP;Y2{XQ7zfQV;li~)Lz>09->;Qbh+q}}}P8u%L%A*yx z^~;-1hlpi4kBfVAe9ih?&V3p0Qd0cW?D)@a>VAK%jTdImebtTjB7|q+voG1&Gv}2ywCnf!tljH(0qxa_?h6vBzgFxx9u`*Y z>%6m%ZPN^BpRSgRVmq^I@jk||f0EOCeCeIW^|{Qvm z=cblp$IJK7UFxcLSI3;%`?EsnZ%!~^op$r_@sZ*7(|pma@xI>w9xX%=b#{Fvsu~KN9?%uX9=k>i4l{ 
z>h|{wqVtxRn)mA>|FkzI_jN2>|b72;+dk^qS_4_sl0P}AH7@57kH$fr*me;@i zRI(Y~0Z}M{l#I5A->1udiu#kyl_JYV^%a5zQG*4Qre-VFv&r-+^JfsZq=#-*VD+s;s+@t3_vEA zhy}%&6fZyF*6U=W|LgUMDgL8xV=CGSH=mKwOPo1Cjo)ry&;CSKxRgtCe&%fU?y#>Ga1C8OqT{>DXt7Bq5fL+_f|?z zQauv{Wl+Y}s1y{tLdQDGfp^qGr1nCTY2|z@a}C;K1%ft3 z?1KvT_pp|jqj~B&(9vtdb@37t5}NI@5sDUmK8!XL7R3$1C2PLGz;q3YAToY-KvCq750))%lcPW+2L!g_(e=!`tEXXm7PFtO!~u-$wT5>0dC%_d7X|ns~B2 z7n_>(@Q!x9RMPZ%WV69%u)vaF?qWD*qTxSE^GvDbleUdE`#!(@9~5F zd|L7y3TY1G2>n#$Gi5`P*+p*_N*M4{|6Hu$lvN9EG?PzJf2Sy=zHp39BIlr%a#*C17bIGpJPD4)I2GHpWKkELrI*(^;LDuZ43+CGMv^d_KRwvgmN-M@ zt+P?5_!idO6(`;%|4fl~iiRS=oM3Y(TO3JrMrq#zRbmm#l*j9dKlVcu3p!NlP?|I| z8E_~K?R$_7>9pIgaLWH%qc`L~5S)815w;8x{qy^3$VOc+4LeqI8mA?8sYA1yX zGM-R`hc3v(7*A4fv{CJVWRUr{UK8h7w5s+las8mO-~>UL)O3MjK*WK8alZ;OE_|kL zYNU+GidhsK)|-bWh*)>JLV(Ncl2E&mjFXs^GR?bOdBG8@LgU)-`V+H|1~`JVoODT))IFzVY6GA}bZkS4B$4u?SE}`U z|E$GN`CP4-%l4lk=@JrhL7z9hM6;DDALars$yKtHvFN;pOHmq?C~)!*C4$Kmmb&B!u1b zdE4|&{Zu-CK&pNhpZn%W<`-97ExNC#uiO)JNyJ1opA4~g4b8kkXR0xg%$8<+;T|!UG*5Ll``_?=J0jkBsz3TpZ_@H@9WYdS z*-OXm*m~>x^rX*xh#VqFk@N*}+H08MR{@ytgTLq%Ab~AtmqDNU%DU`5+3I>-85X8P zDGa*lxQ{)?Tf1$#FZRNT_f`5KQ;WWsJw7S7IPz^lZ`*~mL-PFD(*NArZx8D{WAy}q@A(i{w>jhRs`5E+e{)%Bf1M-eQr87~^jqm@@q9+H)~dw)6n2f_ z#~+|oy}-BZdfmonyY>30nLJ&$*XfI>RyWDA>RNJ)u$|6Pdv>nBmxTL9YxLtUuX}n4}k9w}+ zb({Bes$D-$7^Z#BSk`eaR)6l@+f4iX`9Xc1|Hb(&dEIuD*1YOw`Lpp1S64d>zOCP% zOa^-Kx7|e`%DG+Hx9}=z2e6HQv`K}7z3=T8LcH4F@(sy1>72ESVg|Ro$ zzHRDrn@(=H5zcOE& zxBjX6J?4hitNfBSJ2#s8hq2!AG=)mVmzO^_!O&Ps~TthDHgc#%WBLQ1cl0@Zt{ z;y9`pCmtA7ZIVc>$71{$Q2q#rjD6Z)36H%W0k(D}>2I zUR(&v$n(?UjF)ABO{)%0uZ1J>Na@iM^gM$^c}5PFn>=E0oaPd+c?tNGEsbe;%OZ{I z)55mV4w=luOA9*4y6rNi%o1X_qCG?0i`PPj%^WD?L1P5H#fIfOg1Je@J=0}2O!RDE zl1FW0R&=LqxwuixUoFu^{6$*Pl98XuiIWl?n`0_U@PD@07l^pvn)m|QqlJPRAShJI zT`}2_8~@B?%Qyz!0;w|NlVGk2*|Kaa?+4_P1?Lz%Q_mM=r@%nvyTR&0;kd$fpn(te9NJQE>L3anbLE-D16u@`!Nd4(hpnuITbIn zbO5aUi_^RCe|p~e)z*?zVT$NWNv=c!qvQbB293vJ9ZQ=2T!MaKW|lN?i_IzyPj zU;bFMZ~hem1D*DcOoXbtYJGA{2i_10D{HdKCVZz$bG`_sLvdVXhxH|F08=#SQY`uV 
zTU{#w*8GwQhJv(UE;Q-ByOkc8ap4lPE zip9Q14MbIQA@_vH7H-nf23*v8f0)@z_?X1P#& zx&Tp2Q9*kSxk^DWPwvjP)G9Q{8&G389nb1BLK7UKi0`hhn_{HnoZm`-hfP zyp0#Ev&hn2$funlBE^9dQMldHQw&GSfDZa31^H+vgEz30O`I0~G)Kf3fLJo8)JN>| z$S1f^OKV5!sKFLKBhd-J#`bywj# z{2!{$vAeFo+xoH5Hf)T>=84nTP8!>`-88msTa9yK+eTyCI5|)LcieIBbKk5Fu=gHg z?zPrj^Ea};hp2NO5B2%cK|Kh@wL5}J+=2AXKHl`!uang?L+cbjsP@x`x$MOKQX+fswy9n*5^@-|!o!XpX?W#PtYXBMneDZ+xxtL>Lw z&HlISfswxq^wbuA;zr*5k;w!u{GYVOZQeMp1?fZg8*#IOy92=g$!z;qirmu$1s*?Q zK^UJv+5b(l~wsoI)F+0qTxf3L% zGOfJ(I*dk7>yC`f$dv{$Bn(a8oi`+2|+y8p;wc}%cU*6i@;nr-bmEHZq;vutHVDB?Yj2G1%u%>W2hEqSK)Vf( z`oGS80CXHr6>>dy$|f(j&I9RG9$t&5vr@gJTlBuyy5+m|Ln3%MX1+RnD=Kx*Zccxc_;EwI?r#Uw!UvDn=WOuvQ zkDyJe*we&B-P8@k+N%wbFskiVed{BR*tZI{IUD+sXO9nX#G4>l?j<-a$ovQl`=9U< z3f~ecANjzsnv%!>-t2nlS*JJz29OA?8;QVSm_a(2=modvs*#uio!_3?-!Eh}>*pTypE z3cV7lU^$n|yN;bXgmq zNu08#RFYF5Bb9K%a69C3Wp6XV+)JyNtW#owmIH)R;`uk+elseL66zm zoY@>r5~1v+?)t!UBx=$VAH>d;Kg(`d0!&A~#1Y0Wqcp9~5V0v&d@cePQq0XypMghw zcl{$|{^`$vY31u*Uz!4Yj{ycFJWOGB@gdSum-Q|M+$7qgWBe=a7B_L>0 z6;q;In3K%jKRZ%9D%_z1_mxJyu7_5GtzEZf)a{zGVs=uCAokO4;X<*k_{{YK*Zq)I zn{-9KDQwPz>=zl(mP`}A;MPLqTs$Q;Qql5{ngFPGL7a`t8EXl&I@RDqG<9?}*N9*yi7yQi2mnqT7? 
zWf))+gl4I%&U?OE_6JmvVU$%{wy6Ad*6852Q5Y1bMpul;*~b);nKcs6GJAy15`SeTj?o-Dqr30(PYko?f>uc zzD-CHCZsO|&b$CO{oI}ZcuF14)!MCm5~R)?2UmNcy+VD!`=Wx-g;_mO#N!Aa?H{}O z0c}z{_wN@9ev%&s$+p|!OFRcawW;oZNw26aTaKEbwV+sikI?zw@eH@X@ihH!1Y^jUw?mL`SsE$6WAi<=ctu*%MV#q%A)ZB}Gy zKPbeHi^$=9bq#Vg)Wf{*{N-di}q4BNoH-?%;1nNiERon^y5p%Nl3>%mjlFlavKJ@t@n>_Gh>cVOzsuFJ-(&y&oRM|HAIbDY6t5Q%fy`dAIh40u}dE^ zL^sEH64kDA!Ds#?3~kZ%dmEd8_J8lm{*K4di3^u>+ntw;4<4GJ#mfd{V0%A5I#HJQ z(GPEhC#hpshpEX>JHJb!<+Ip{Hiv2M>21N&+K1dnL7Q1IlrxgOQ_p_3Gx)8Rdsi;t*eOV|W(6J?e>wU?gpc7ull>Pm}+q|pm@*M_7Noa;jz{$FWtx?zq~z4*f`VpITQFij!0#%UELkCjgCIFed|G_+RL|DJTJxNkeG zH>U7_*RbpbPI1>?|3B>op}$7GcCT)OHAy~=Z^S%}cF|pq5B~MX*rf^9LEnl+^*6v9 z)7Ra!HA@LiLSz);3EEluV7jSTFxJ|aeibGEB;quYvT07p2x%0~sQ00ydYe+r ze3h_@%wp_8VQMKr*4!4+v=awmHVyz3jSOjFdG7t0tJm#D%uUeF8 zRgWoc!pZWfh$ilGL2vt;Atu_zAr_aRGw`Hg98*-DxAy!ftOANa*um607IL-6R&AgAIsTkf& zcaQcg2iTZZ8uvB9m8~YhdBRnz~uRXe+VyR zj)x{%!XYo`#8I?CoY1cbU{E4v5&1TjdMs{}NqM}Rta!nE5x<#t=F6g6ECpW|s-q;7 zFQsu2%7SW@STs@3fg`_Y3S|Ed7{B%r7z#Woz}Y6jW$=5=l<30g^Tu>SOCvV|Qt9qQCotjx51I4Y;m?BFU$yjIAhQu9LVYNP ziB(AN%rNh7yd7v?zDWlUDuyU-%awcnQ(sy*2oANI!~+i?Hmn!% z!wRT8uradn5WTYDR>pk3gWp`xXTAhEPeOpR$T`8Wwm3m-vAA?zdcC z;t#4{cn!1VJQqc11~I*&?O*WHn7mopgyJcGhq*$^xJ!=TuU)Fj*^tS;kyEh#?8Z8{ zE!^P>+C#EEViAQrFHs?Vj8By=^oyuSQ5}Sp zV#`hU+{HVgwx=wFIZlQz&Vd1Z!yq%F#b_v(ywhd*+8R*q&`u#1_BBYYGx6d?h~?Wr zQnWRtps5F5{OlAiLcbIxpbWi1%A69Bxk0pocD7giqKXc}@Nx^Cw z-w$XygxjwbF+c3h;EqT-a`Dka?8f`WHBC)IlMBvJC{!R`p=WR_GmsxTJ``;fpq7~7 z{!)(z>ttL$4Au;zl2&fxnFp71B#w-FRUfA`+BIflW-k~(q*)b0bD~t5$)v~8oB8~x zh>CpQw+|>gVwT`+y#*P%&+4y8<@)P z7#!q3N$}jC-O~1eqh$Jax4bP~d4rB_6sL<+h5&6@V1#@ z_lmo+%X@7Sp0WMSndwTb3+Md@#9>vm9%#%2|0*PV#d%JhzWX|8+|Q#p*~>jKy4ITs znA~y~DDs)F1&e;+3h6qI+QC$RK8{CYr_DhNJ` z)oZxBP#`(dbGU7bBz_b31-gSfx7Tp^olczrpmxu{oxR6q_c^Ye+~W*S)rHeW)2nBz zSTV2Tw-TVwldeO(YM)E*YfkO0rX8`!+Rh_Xf4$wdonrg!wwdy!=E#rzQYJg#hW!E| zt<*skTi4sM)xh2O1|h-yzv~0|t5x$(P+@AmGZR1PcP8w~zJq5!$+OVYkmy zkoQ=(+BEAg>TG|#CRa1NqtGQS|D#m-HDMjAgJA4z_ucq6eV?6;Mg3G_&!+3dJNrua 
zLECL$MEC9Bt#ljP6*S}O(V7@eS4qm-L*U^K9q^`daO-o8K-98huh;RAw|TjJu^v%> zPy3=>Wj+ACr03b>d$qj-kN$DFyl&(7{zWvU+apu%*9K^oZQ9SbBl;5Pb18KUJgR!w zAZBw5HObX21|Gup4}SQ(8b|6m92TTrl8I93ylvdjWw&E^jVn{>++6@#{*MG-u}y); zNgMCLzr*}{!MCui+qJ%Xr(h!*8u{XiY)LiS*Fg}|%l58+*gjsJ=;F88!J}pHz{`zb zTV)<+UWo05@3J@Nu%aR~t@?f0mfNpJf-ZdWBeqUuBN=%YHN6T+fMI#XkqF%SRW5qlpl! z7X$bxX*Ffkf~2Y?Sw<+2ekd{XL(WntXd8o84#qRxhBbK>BZYte1j?FcjZ%=#u~S@- z+sfC@Q)isU81i6C*PZbo=o@uODdEU!Q8UuUsrriOlKYsG5oNuVk-c9~j5!UPvl!eY zqL_n=ek9=?=Be0tU5fq+5ZEZ{$^y^s2T&5a3a1O#11!}IS^)_|m{w+I3_nu8yO|D% zk(pwWnQ@a2WzdwE41W8PgY|PP2C}C5s7N&L&ZCCj?4M6F4tm*dN`P?;$7*^cR*5IB zDp$wi@~umB1nVB7yv9pZe1AihCM4!E=Ng07X&I}wi?mCl9zhBlnRRnW7Lx%6@{o#S z1@|!Y^rZN1&z}5xEe)Mz|ePrWH&l$bxF%F zX~dNAq_gCZmFgXmf%mV*MPj7C%3+fD9VQy((1|=wC$Ne~ECm^ryrkh59nzQz+40nz zvP754qwr##962ez_9J0aGgPQ!>cC01^5l+{gGkNHs8-$TmCb&%>AWj{Jk1I?Nq&e# z4C3pIWju6$@>C|LUGCh$GKZyLs>_idg~@+n5PH<`N7V~{IY*_~Sj)~Trz1n*9V(`l~V>1GDH}XcG*hE!{Pz zW*c)6D`DBb1o#AkuJN4wK{%El42MBxJ40;^gea5RA4jr6Y$Dh;j67aBcJ-`dH9~gE zIelzQL&aVT7GfQpb5hQbZ6#HwqnK1OVpn1;(&#}Da@=)k%V3usBH2=16Xjz2gEBfd zB5tKYy1~wJb5Ks&`i)NYA5xIJm4~vBvxvNuHVMhy-(RwtXk`U4S3jF{emlko$#aZz zs&0!+D#?&k-D;GE`HaR?84|<3u*yamef@zCixLLQv@639!V#_T9{c$+k6!c-F~DyY zHa?EvLWhssDWvzSVS;D#w=;EE;b^Hpk0E#&hWkEA946)A+$T9(Cb~(6b+T%Pp^2P! zr`d+6BL;dRcmYN%7^*>#oMZ@&)DKFWnY;MWzo6ucSXEEaVHmzN8F1O1#$l>Q7|AZm zjUr*dmKhnguc&3nVvBlK?`j>%S;Mbj1{Z8(ygqzTImz76n_c4VW(8GA<_S2mpVfd!6%_pHD>*gF= zu*0|?8I7%G^En-Lc5Bgo^VGKQ(gW`UG?8;<^LCgVRQbg9#orWIJY9%ZfcYMyvekp; z%l7an#pKuW_U2^W_)x=h|H!?DOo<|9@Atf)lUh^nauw%nuWxw5Hr09PEfXx^f0n?% zRpEk`0bSL;4*9XpD|eUKLtMqJt_xbJR@iztvIe^U3rA<@d=fLK_bt6%(H<2i-g1F? z>^)nr1@-FVXVzR#U6!hL@gpwDxg~bHPk7?z8u>k$T)#AOKA-H+(Q+HMivu`DL>P{ey1EJaXuh)^ST2pH6k@l#vpI| zM7JK4(1CX|no@cBH=ZkgbykB%jBxbcRw8+8KdxzyV3s%i7EFohUAG^v`0sZ#ONo3B z3e|18#LPO~FR8SzyqAqboafu=vKt4&jX!SJ*A|Nv{xxqua1nm_FS%P3AZUv<#^+3~XZTg^xuZ6{M-MCO92e3xGQ)m}4? 
z{K=@5A0>Q$8pnU4&A~~ZnyZXZm-DkdTO%1?VBINzi{(a(35Vr-4W|KX-D37(0t6#M z6gDPacKGyefyIll&Z!2EPKNA=P;gj5L@fHK(@$Ioc?DGWZ;vJAtSk1JqBVTi9Nx@^ z_}5`r>`i9u-zRz(>nhYhVLPnxzp<2I-LqtR-KLZSFn_6JnubjTC0Qc>fJt#l{w*XX zYZR`dW~B94)YaC2IRb< z7_-`N0WB(=2d=`<@62n_Z@e3lzok|jz93vSYiYKNz0zb^U5Xw@tK~E#)stm|zV8a|2hn+Lk78x?uI(E~daYpelgPl9pNkx43YmU<5 z`u%;QF50?o38p`AQM@r-px0Ts^!S_C531_A1q*GhHpcM3gKa+pvtbe>mS(KNr*Q^u zA<**A6>Yg#d6cw*?M#miHJAvU5mz2fjNJFqac85-`UF(-gzj@Z; z;OmbfHB9_JnQ?;B^+vWB9`Ti+UF@attM|I?9pbxbIq(+}-#G{{SeRHq09B_D>pCPYjTtE-uLR4KC z4NyQ~7w2>1yWX!`81Hoqt@_qqfwK?i%BQBhBVC(p&iaihk#LQHy|PIU1zVh=Q4@Yh zu6_40Lxb>4^qUSrykr+Vw(h6f7O_GrRYnAn{)nM%0Y>GE3~$bCq!M=gKc}#P=6RS3 zAT3q&Ja-zsdldVMiejOXA{ULw^hTs18$r2??abF!t#Cw}BAk25b_{OX z6AY<$2J*~I1a7+XM^-bRg*LxlnL4FYBY5MDQye&T!_Xc6+#lchV-Lts+*i+Nt6=15KWGW4 zifLL;H_@4Va~i$FbmNH(Zq(rVpYq&I`}2!PSIP(A?G23l<8$j9jg#Yd@i}egN}MEp zA-D}b1;_c{3Labk^Jfk-{E{@8H}aWJ;vsztmV^GTa)Ry53YWo_ow5}bEZwLI6RgFg1 zA-Z$UFZ525!fmg64^J8psmsMYh$42=(YK&={Nm6m)sya=p0UMU!}s0kdfM&mq;YHW zO1_0sFBP;^i~eD7CxYX(`9t(?4x`*5Z!=%r+*EY0ehjEg%p)y#&Tg@q z65c)P9bJ`eJN4K_F7Aj4X!u{9#eyecyS-kpK?mkfBRRg;bdlNqM@z(0ZLUC9?(?E$ z@cc*1>ce*Wlgn$>yVP>k-zy>VR&(5j=5bq#8{hj=t(~8yLmvZ< zUj1Ck=S=wYsoPoPU`?jk@9H*p>!7A-(rnB2>ay#tW!l$l3cnVq@mQ@jV&@ zJ|!OmL6P=1sRuU~c3x+e?vs_;3g>=f6~IPye&;vTO!J)XbIYXm{lTY+a^gXBV&!IC z_s<}+(DPy8bt3=$&Lfa+j_1zmMtJR%r$^_ETxQc!Zb!}?8+ftUZsm?j;{Cb|S)cE; zc@I38E}&5K9?2XFpbe%Gno?*H{+8G(ZY3&G}g zZXfzzKBvz5928hL)2kiNcyIdQ$_DinlRh@)U9I5%65-2F5gt>OWv^3R?D5b4sO2R7 zkVw{{z&6-2XTwN{nb*W+ZVEAxKpmQ%57Qx$W=SPvPc%zTXv^nwWdij(r80U$|E zD&r^Dz@VLy*JR-R2*Pcf3|uV~$K=_JD^2AiZrmj@h87)`@HqT2GaZH4We?$hH_^@d^WVlZYdsqdpcqVm0%h#xzkfWz09gMB0A;)(AHm;4>KhB}9SF zsG02Pm2sdRL@NK{k=rZ0HQT_G4hZnV30xz@Q&^lYN8u-UMi2?bD$*A>h=0E3!x}M*`GCQB{hW zCY%Iqs(z-q+Cr*}Qs1VPWq(IU;!&i-gN>+mq{&A$qrd`;g+!s2Vp8#vGf*Z{#!E!* z6%a{F;aw^lHS$q=i*7Kps(F$Ks|2`E3Nw(6)Yz%$_1-y}3Y$2*k3SQGT0U~i{Uz&7 zyRz~8+h z1^{;G23z$iN$%NgSP>9Ixc1qtT=_E1-c0$TLm2X)$M_qJ3eZGTI&@{EN>`zBQ`L0F z1HUC9|CWs9wL@O4H)Mk@6-z#KFS79^TVi80rl#qse$ap%TO5R(QXRJAw@3sUu940c 
zC+Yq9F%!)DBjb}nEaLN{N3+!yH4QfwH&RJ)>=zHjlJP>8BGV(C1um&AaH7beZ{Xff z25(eELg>1HVt|Gvf+KVUMd%zEXI#Q;S<%F*dpABO&iM#P1*;o4JYc3L*ZXcCO86-hclxK#Rc~Tfx7>%a-Kb!V zqxDm13o+t({kxfc=ffU_9Ur>4f%9v!ShsKQ3A%mzK}9INbyX7gZ94Jm<@aejM>^M? z`hWO>+ZG+Ej0xfr8+9wE=|}e4&mot!hqkS+&%Cqpd+0=b_-!>^>!I2}S2ExrUFORf zQR}T!s7mUjxAi6e*}@X=ZTSi88oqIm%3uH5RJ$O2hc(;c4R($evj~-2o6}vhv6`-hP(^cM95`^ONU({!$?*wTXci?1| zs=sVq+%aULXq45J}YA$553F6?Z%#^xUoGiQU`#(>wJp*{< z_0I5waq=;|P#H*m4p#gzlS*OG9&9!lXN8Hg)oj?e(@fw%0WRma1pYxp`J*Rt{CR$j z%y7@MFoXC-+Ue;}|D+Vc6EkU#!?fPr#MU(9QcAJ@*>bm@@3t0b5Y^EIVO6l*-6g24O!tKh4*5%9N$U%6iR z-(KzS!ED%~;M9p`YSKPrsV)lSr1XCfy{x>yE7IfU9Lw{!Buu{^a0yRoR8+>(F#S=j zi&I!i^eez|NW21kQ2&u}(o8=x5EUR^7NS(r)R2k*73FKUL*o;8yM@<-RNe zRnQb5vf2HZ<;xyJcF4}t{R~41vPv$4$S^;)CFM2Ku2TvW-H>k;7iM#c`;BC>isI6h zsjjpr7p+`fRM4cjMMY~O?n0ro6e)_8MvX@hZx?@QPQUC{X~DLNR9}-#K%-g1LnKru zT9m<)q=e!bFiV!g=$s#eC09ZRr%I-PLSIIk$jX01}xHg)Ox ziy0$fswV*vx)kB~;Hc;tt=H;GjHO>6glPVY>l?VfnlbeLLf)un;YKYAbJ#cM@$prV%T1A42qd+y78z8Yc&R~#2nxAeC! z%vgsp9WU@;bi@v8!DcLYvAJyi&FsUj|on*>J9bM9Mb5TQvzvD$8ad-~9Mk5?-{lQh`Eo zRVz7J+EgK?EsQxgdHr(D7g&ptn-c z!sEcXw&<0X!KE@8tI^JezgRK-wSpxpx8_sIO1YP7?6O<}Oum+AZnK}g=@TFb$0JjK z$xF}tx5a(p!IQo>K9?Ow{vKqIdx#l7;%a-qBmTSo;lTmm9b7pBM5vN_Ff+KreMtX$ zcn0{9fny{sXKeF(|!y-%2AZccGvVd z7*(ipI_M=nZ;xttm?y4votX>e1Z2DRPaHukx8|_`TtD}RVprQ>$wHSqz0#~HH%7t} zcwOhq!2O6ue{bj8sO@TwVQPcO+PaI}CAH}f2g3IX=qE1k)pYnS|Gu_JebDRymX?V4e}1<&IvWkei#U%vhN-nI=Z?Z&yMgc zgKei#9~4lln@8w4I(o%Wzea3!K>SkjvV9v#+`j1+U8=7-OS=yYEFb7S`^MdiC=x!aTz%2_*{`n$b1~5v#ERT z;NB3p5FgF)pXkP(*|dBQ_e`y6@58VrNG-RWZTG|JVm>-47jhXzefl;Y7@IV_%WH3A z{DJAs>3No$vUNOb?7seVF+`W^=QT9iLhnumntSuEIoRI&Fsg;Q$wW=je;E2AaF*KZ z9s9AV<^hdAF69Is0fqSask0Xu%$K}P2i4uyJ*Gj@uT{KD?PvL;Q^Bi2fLL$OgNI*P z+0I>OQS5}#W(x19os~yLE>s<;K`N6;)--cOYfm{H7OZ`;VD`GI6 z97uso`JBQ8(3JOH+ePwT%XkgEg~|Mphqu=!h7Lo}uuc=FYkPXwl}WY^gtF`ZOCJE`bpbdsRB?BV2qBpqi`$y3n>Ck*U(NOdwL@m zZfaw$BZhtLW%{ zs2$%EQsSjcZw4t7QUJ<(<$s^yS$yO%0g60AVJp=Q#5LUq_O+@Up^>DkUUR(U9{yx!ipQvHt 
z)cIo{Vxm9o;oEq|N^0r$Z0JZb$aPSRT%0$f9%2IsO-lM?&jyAVM_xie2g`5YL7^|K zA{n}V>Hl|IKpddjICX2>E`q_s{U@44FojBkB~j_Vd1*#m4tj(|T(Kg|1kHJ;-fBR) zAhlw7-WL-(d`WTS2qd4dkI;+owT_eeXHb5r`U&%-L1Lh4sb?O>ppLK{9^oRwfmvQ% zugSzAKLI1=qRpt?{(^-fpfa0inbPsE3gO}VdD`Q8c|&^iTRC4(Y{xkWgyrBW(#|rW1ck z*23i*7*ehm{MW$qVsAo@8DQTj@b2eFrJeWbhkmygdIcjAc2;q7C6Q77tko{(2vZKi zI7jSDu$2mW`EjNiS@o+g`40|t^IEcK{1=X|>dKJw*NvmUtQ3t$(@Oe@0)C7Hl(Kp0 zD|nEO8Wl$*Fh0J2O+t+rHK8h1rfD58m_+y+c^X%7eX-Q4_UBtWe;Ln*2F&TGUGS`J zXys3fZt;=dCYmt#PK8pa_GqDg`Mc{<37t<`@36A4xg6Bvj2&7+Z)DS z$_lW+))rExPt+)08b|+AzQdie2cbBY04o8r#WsdoOT)jM|Ksg|m)M z^zGsk&in{aG?a^j&7T>euxe{hRt&T%nXUb~TNYP^LL0~XIA&09ykz|#Krs@vt{}W; zWA)9`Y?dGx7DzE50vNn$O;s5+^4);fkXP7gwrr~zZ-^>hOw)Lj7Sk8^&d1~Gmj&+T zp(^ZHwuaHR5s0sTsd>)&%vuA_ z4W~<;w}-ydx}o-tPfLXopO;B5v$5*i;@)?lCPu-Vi|qG)J;_|Cs>E%x)uBuDO>Gb7 zJ!>Mti#RzyDg?mT5yn%k-xPd!vfm9anSYq=Rdd!WjK>qdEN-xHE*h`r-lL1 zR>PMoTPH=Ksc^KJKJSl07lO8rXWUN$f_rH=%g+Ymr8#^S#e4EvN9yLFCM}K;@WGP|8L^aj6y&gDp z>5(binh28E6{Z!rab6ksP zc2s0#s4_P8gqDablnuR?3-K*aEBx`@ zgINd;Xh>`GVxr3Ag2;|DXfcwYmm4Z9>^w$e4u!6UR3XC<%-O>%TheiW2!Wo~oIZA{ z*+Kjq&wPBCAHTwoTGpV9I2`sfnoTXuf)no7Pq#?phQeD+emjb>7xA{@0Bi#?$W#^{ zNF2>e2pUDB2$SI?_9#3f>`N{FdD20xQBEr3AOPPN*=UlAf_)J=6k(%P0Z-F1d^S4`@E+8bAJz z)FtsQJro}Dzt9DS4Edg6tHdc%L-ax^`fOp2@{f2T(hR3!RP0X8x+uN*m`|+9B;%-o zMq@Y}63LF&ALt6QU9M^2k+X@;nfMN#C%9=SR5&%Oe|PC@=4*IsV#P@LQF)p=#FhgF+NZjB?jDmGSZwJ^ZY$q!r0tEwR(-#^&M<^~b(S>_9Zb8C+Cx(chMVl;= zc?)~*I@rSG8VDJNB|l2b%1ZI03y5G+7GxAm1b)I{u(OQarT^CCV3Uf@!fV8~7z~O} zfoafHp*z%I(tdEQTL;L{)XU2hSV};XD$*8dFTNDoIoqLriW(9CZaDuj|hICg@n`Kp-9 z!Nw1<7-aK{GZ-Sj%Mv{8zW`>41D6UUQR`O5kS@+$2c z(JJ{m&F&nT5~;vfVPL#3PcM0~N?wi!sE65i+H+~C8kF7MCd`0*#tGxASmOd2MJso4 zHUk@3v3^$PIDdwaU7mOuw5g*Yf2TT?fndQJf8uV8Ht17;lZ3hkKbWL)nix(5A@mD> zDu#?B@k;vl#9o%-*|JDbQ(wG!lF}nIezWm1H_=uCuBJRh<+(y z*=9e?9P$CnKnYQMIa{E_@i$-?Ud?`ZnzIFw_v;ocubevQc5`|e}^w-6u4|!_wQb%k+A*sreb=< zp-&0k=rm0}sM$bmL;N6dol|2|c%E%4J#_4Q5`l#OY9fw3>QuF)q4Pr;6N)loR! 
z>L;j69yV#cZy-+f`)hf3Ooklka*Ygo>n*0gTpRhPH%h%r@R;c#`DeoZwhrt6y}YE# zCJ6T+2IzR6XK>@1@xP1{xdN_got6wozYC1(t9w2k^VY=AT}`ex#cbJ4@}BLcXMWr+ zUSCur9>gAx!lSmd*lX?&lYBy^EE)do8@k{ z!%k1lTLeh)vIGynX_#X9q;Y#a*72!jl;j`-JkrL z&DxRoZ`%Wc?(l7<_28Ok1ns(PE+SH>z!pOdfJrTze)Hz%?|`Qxx(lA2DQ>WahUJWD!1$PGxxjt!_sHo1GIPfTMvHO4}|&{<(|{+mrBg% zJNYrp|BrJ4I<3(UJoJG>IRCi3;SX=T+D%mVrcFm^msp+ZrfGkN*Gz5acT-kMF+A6$09ar94q7+)B}d79{4_Uj_-O!-Q#F*I^!@tIlzH75ds=15BNmDC?_E%F8)>v_!OYr8Y?D#Czvs!@ z6zvDft5D!K@^a(@43};y9z=-4GWzi;F%9+wZx5bVELQho# zWh2xv>-BSPsXMMvtOT;eV*F%_kAJe1P`%5nxwExIrUJc)ui2o}q!7HS*HBN4M)QKp zq2X|THeFfSPz_83rqxo6I4NZM%Oww)v~$GFiE(^(J1qQUfk_$<-9+GVjv!p;d!an? zrm|@d(WUW}VT*Z%MXHcoL?OMyHqbd=CIb(?u*ulRJd!jZI3Lfa*VYDbH1HK)b0#+r9)aNPmw4ULi1pB zBrPeMDqgMCoi}NA$z^b3h#-B_lynP!trM^ST=Ogvnihp*6-zJT+2aPpTDi(Qicdx$ z#@mrajzDrRyfufJx9Jq%8F(&Q71J~iQTH3k$-5Wg#j4?(wHGWl=n6xBsmRT2Mfrb3 zol|sXZLqD=v2ELSI!?#7ZQJbFwv&!++qP}n&UfQQ{y!e&E-83q_TB4rWYS{!g~<{-131e+Q^Yk}F#oQ!7A{dKEw!!>H4- zj1g9K4-ITN8Ugpcnk&n38B<4DCI`sFm&-_+dlm2@yH|B0rmN^$hYZPs)0RMu8<*_h zkKpQv%EZhZ+WgCvURMy0Q_o8y(voN}@0XJQ zV+Y*Un8P?`iL3_YI2twKUFw?7bEXcO!U_drvBSh^kFfouw5`WlQ zSS+e-ApXv#O}P@ni%p>VH5+YWY!O+4x)!e5UGn%Xwu1Ewa-YZ=~aRq*i zp}6gL$8SMe*TwJvsPvu&C~7O7$z-qe-1RV;&7Ann?!4}#9_|~{%j`uX9yMH>kHXao zX-1U`%Yq`?_Awwx4oS~gDhQ1SEMTEuIEBa)ykz~QLN#bE4@Wj!z}!S-BT<{ig3QJ$ z^4u1%lJovsqA)z(SYgVH&kClR=rv8r=ncZo+QHj&bli&l^r$^8Clz=H^k*Q1i5@~{ z^IFTHOu6~j8X>P=n0j3j%~4Rm*=XUE2Oc;R%aSM?_I(sI0u82!v9{Z3v!qE?CS1jq zDB_bvy~WcnA){<~dX9N@4m!nwdfTNAbE-&r9rm6KNhg5JpKyos`{PHl3dJ2_yb>^10X|fLx6SG* z_I!MACw^MJ-9?X<1if9q65onf*r8icAyRYf(D=dQQSe*O+`Wb+02|-~;xjZK>JaAD zZn&lU11cjAg;hEs6A&wKQ`^F?{x~O+Lx1HyF-5cKUQ<6rVpptM*4_E5b7R^LKVq)~ zw@9aU6>LTuQ#%D=xy|vY4T4QoSMj%7Xis%!$2`|Vt%xf>l0l8+jt6|djeQ@8pRVc->Mr5rD~u&Vo~lS?s zm3w`op^|RTpD;f*zYe5Nedooe)v@OUEvJf``%@3E5bj`{OFs9nsIF)Ji!M6f`nTAX z@f&5i2!_hI&pz-}eqYC%R2*AVCxlLiSI}(jri~6Ky;n@VyKxwQv76Sn$8XV*>aTmT z23`K<*2#a*-!HD$d;^*8)UsYCCw{WBq_6mMzFfQBDxP9!vsARd_6NG3 zp8zeNfT{glzXVr2avSLSBIHYvnn(qlRK1& 
zr)xsVRsmZfANX`bEB6Eec9p#Ts&LXJr@a#=9lXWp3ehHeJ@kZreR(P29C_vI1e37K zn(}YZ{E=#&z$Qd1Vtm3vL~b?CWqB;+&#heiZ6ihvZ9x6jl55gxtW{1%+7WhtyLb|I zl5qYB_e;8-qK<?3VXM`h5{6Bh20<>E1Qa?&L?c%^54u;6X0v$Y z5W)hn7?%V?SBJh5ioAa;Q5@Gm4D1wG&su1K9;*4S53Fn$VS}jx$wvL#BnDO?1&>QE zH3F_vVW>f*aBg?Rotm5afpvnLnd5M*RqB!H55vku5^z|GdI{bNUWSri@n5&IFib+1p>AI|Jd5y;34f_W> zs-0A#QjQOii2&_f{ehWt6s4MnU+9%(?q00B9Z7`+8R9PYroc5J$%We$|Ckm}=;Ei% z?hENk+pEv3ZTF`nw?zyREY^+jYa2a>KtQ1IN3=J}P@k%bD&w`QmA+2%~Odk{H6 z&C$*%*d5y^mS43eX{k#mTPVoWtr#2?znBhqj3Z|C4tX$5=|BcP8!!K_TmA zFO^sZRZ5Q-j#ZJwZ^3F?Di0F;`wg%Vlw&p2Kom@ib#j#$*wAnVH#x+Tf{4yRB+u%a9QoI8)vQi!v zVG97|W?a?ZutbE{DCb4SO14Yp3B+EkY)xrl&QDD(p~vh`@xOyqBMoAh3oIN%gky*w zC&N<~aModT4AaBk2Q}!+PZ&E%Xy1x)bZmp&kf9dbz#m_rXS`GyuA{V9#@HjT zM!sN>uw22tov3IMs{gS;N$t9{*EvKV0pW157S@H6A?J5gn>bJ@Uky>Zfi?nwW{Nz) zVCpM@bpmiT7b!YSpF+xKHq+t^nl&48BGp64_=b=Z11KmeNOvR!H};Q;;Z}00{fNbY z+Add(uy0BTwtCQun*UBE^U$|+9{2%C7K_Pei-(ye*#}AcsGlQzG-a6`8FEfasr*rf zMv^))(a3ip*}y)rg2gV^jR01p>%&WDk~5CpCe>Kn_|nA4463p=wR8t9t3}TfsX0c6 z2_!E4dlWDv+#d0C9=zWx50M8H6)6)cGFM!qk^e8XvGTk=U4EI;AR*qQ@Oat0Y|yxF zpRx#kkZ~&_L({rgCBAqZl*aWP>7@DM2pP%Mqtg>JRtaP5)N&at*O< z(Mpk3%Ev3UyKep;~eNv@H`*>C_^uw?5iyR>( zrP=h`Iz762Ywx>@;p;HrvpAG@$jAK~i+{^JkOk)=%kyg9N$z{-Ze!8y$LaTRzyZ(m zc*oMrc_a2(^gM78s0DaS{7U^WcV~DKV1@B=t8kIqJ}%IaWSDB*T>Tu;DwA{3^K^T9 zSR=T8uaKkWAg%Y?y!^M|%GsZGHy_yh+~Vxo{&Zf1@AuGMK%HsVp_HzN)nz`1amBwy zVNKm;btheG9I<-p)}*xUM(?+YA~xy$RJfJ&mEtF^o2veBiNR#Lg*D7k1<07{ z5#d?*eH$&OreU%Ym`8(ML}&W-*MZHJUc$RM#Gs>$v(05wYy%bf_w2C zUc0X%1C(!dj)mIgdK|*X(rIqmAMR*)e@q6V^3!brwwuisx3{5r+>gop9tT zrmUtpUy3U9ctIDRIjdS-%9wBJM4H|6?WYKygTEc?X#uWn;EVX19NwQs?%T*tCLxn3p2nYwdc24#PG{&yMfH}V}zc?b3_CVkP$bMkND~znUn_iS*9UXw^rACeEnvIA6uu)8QFqP`)eH2qLJV6uL2mk|xN^ z8R_!F5J(#P7xu~`{y~%Cx;0k_BTJ;L<}S{p(J4m`f5Ko|NyhUEj^A_{h_x7R`qIW% z!ZHX(Bv6A2Y=0$*ut-2~v_yuMr24t3fJ;-5Mvlo53a z)Z56T4rxSWL`iTSZjmol&PWkC)6tpshdV7fpsMvF!_dX!ah3lG4zNIa&yK#~Te+QI zS%N-Ece4kab=s&@YA!Gnp@9vf6U&iHwkXY(0;35jxD65-sfAMELU0QQflA9=FTEeC 
zPja>%r@-thlaE?fDZ-gdmczj=cqE&H1%r<*mSc6`*VpeX|7m1)j#9{HJS_L_-UZtw zU2(2}FK?^f%rLgf-!P}3ZB+u(U+ydOt&4>_%u%FiUhQLuhv5+~x7!bo{%O-+B;EngC7Lhpv1oA+jXgxls zV4w+jYWs$H`#$UWANLuEHX=aGVDk8?(2|Df*W>%Y%f2RP^bwGMGmWD1jHDX8G%17q zrPxmTmm~0&FnfgQplqg?p;dQ5bwoA)mKK_)o%?N)_opY6LNN0L#Irj2_HZ@ePI|Fr?krR&r$*_bcl5i852}+X{g@-#T zUGUS4q9r)1qZ#7ZO0pZmJUN09R3Mw(-igx+gXV3-{4?o$u1$U41TZla?J_L*A?055 z6mnvH!F*v{K&}JZ3(!%4=pDbUN))%{CA%;q$9j!orZOk{M#c{7TV&Da9SKKYNm(@M zf&!cKB=;?)AW^qTC&zpSsEb7!j;Un|ccrk=)GgNBYUoLaBB!Da)N|n{J1R5SoEjTt z9sC;7k0=yYfstVu2D0S5wT7RA!6V{3dR1SPc2wMAoG6p?uh zj>UWk^n2H8nKaEAn@YyDwf)2^VK)EsyH<@Tpjv#HL=UK>n($v9VR#u9BVt;9gjy1N z`KkyX)Zaq?B@r0AQ3=~`>M)VFZG7&&P3%~M1{6v5IzN)RI*-tvISihjU3U> z#dF)N>p#JkkU}IshBPVZ6+n0ND=`3Na=KuL7f_&|MP3Ffqon5#AOZ{m!hZZ{3X~D# z=4pf|0E2J0e)dO$9}LJ*`vl)LhO76Fq1@l+dF^|wW4VQa-|*Rh#`gW8As8Y?!(dIU zhK0Qf|MUF%2T$yFLZ>h_>Dk`!DAKX*!09*(a$Tpz!+p|576+1BdDV5s8+zcR)_Ph` z5v%z?dKYcQ$5-9>g2S(8(ZZoN0RI`?wK5kvvz^~HCFk2Xsd}Q2SzXP0|0;^+v@FWa zXJ5(Isbu0L@|5jm>-YL%)%me|poM2kpt-@V0F1una^zx3W1XADRMED>E9YH1uP3*4 zyY%q2<<>p;sd5~zhX=SDX~`*hv|T%!B)j(VNWG+)ApX_<(e6gu0`1eA$l%8C>RvRZ z`*Bz&wdJMCcgy9lja7h_>Uoot_bOyCm);=P`GtSMqeV6OH^?pnfK-K6M0T9b`ts`X z?B&+N@eks++zs5!hU37Jt{y{Qm(O^En9hV9AX5%q@BaHMmETtPJ0Hhxt)_PApyi6= zpn5;+N!8$%FBguj-+nWMPvam|k=8b!ReJQv???uZOV15@hv5V@_8ec2GMb8)s~%1F z(&TlIT0j}PNtW*%_w|vG3B23lRZrEn#5GEn_ngHKtcB)AzDCpVSy-#+qVO^PF}ZE~E-j_a)Zsz-uo)tT1$XKxO```}Obv284T?R00qy1nYxwQGz=@V_u`Alhm-?{=Mfo=XUNovpqVG9(oj?V$=1mWW0ZoX z&{Nnj`sNB_`Q$kUjO)VOsHjRVQDa!`@=AHd@&@MS+Pjf9nnC9ULV~9!71?7!u%am5 z@)>E+j4p*@V2CVA$~NZcM_CCLNgMKQvsh4tn$@RJB4?N&QUwjg+x?V!P!9*;*WfNn zR}?aW;IqHS(XO!PpxGcRPYaY09ye5W&Lk~VDm96t>NILkS8z^@?FKD*h)%HTq*?T7Q^fjWu;?!Jxjf?Vx95wHz!pO9ms1l zkrSs9{vHj!)r1qqy@LpCK`%jqQZd04#ky!^epPB zi#-92loaUNoE-Tp_Rt2F`jIx{N-0c`d^2B(4r2s~00API$3|ttLFd9>qa^!^^uA0q z^#(J-mX-XfTeqL2mxWqq3}S%PW~hn%B>5p(=+uV}AZG3h=TZ5ST$21-MIy7B$S?P8 zCqSCR@5B#gACPvD2PT)GL4gSr2OM)GTO4li25oJi!xPD2)gD|d^{IY|O-FF$K1rHr zyH^<&L}*zrByVj1iYZ1?wG;nKiTz&)0d*@0Dee~fdQ(|;FfL5YeBoL+a|XMtpyH-| 
zo`igKy^oS*YN;_r1)|78GKGphHP~Mw6xazJ)bI=t3*bt>i)4o&gLq49U`aIy7@S>Pt ztuwxBG_W$Z3{R!DpyA>UGB?a~IsvGLlqFNv>VsGnxza>fd{ddgONXb3tf{Du*}?_M zj^o-z%8@LcmiORI0hDu;wjax6EeL7hd+GQ>E3ZHQi(es`?W4(O%?lSGGxqJ93~;dD z^WyqJUA6Vs7;I1qHnBIuR0&F>;4cn%B8$;7kq~WAVTfYN`j1IMJ``^x!b1gE4sl&`ZXLY4JnOKe6)8 zd%D6UV=IBG%4BkfZNyA0HjqqZeMvft-iI0k{8?*@|yEvvtgPka6m^nC6&zE9Tl^J;{uj0TDEJ{%@x~ z1Ms7{6Zt;TejL+;`2`?B%pkV_exrWpcQ!cmQ!+}=D+7J{$uVX>nS9jK``pdPd)B&) z>xbcH^89+{xbk6%WOzSmZy)eo$?=>0xs-2QuWPtzmaN*1zmlcbZTXW??#~kYwjj6^ zSkrSYXqosva5Im&dfm&q*gt2kLP-S-9Z{qVUI4-X9#>{fC8DA2R-NwSa(>|K zF93Ii1MIJC1lQ#0?dw9ctxfbB>yEkgY&Sozi z2Y$1D-6S<9gWzZOYz6UI?$*~N<@dYtc;#y1nBYuUCM?&+c zszcA?O2;eq0-no0Q1NWP$}ExPFF)_6dv)iOg4DLhj>3;0@Ey4*)oN99jU;e~?>@ri z;Wdnfp$kCYz~vVFx*d|r4Rk3wE zbmH3iK~^k>?PAW5eUG4HziWcPvwvyBpasuu|Cj^MX`z{>@z^$TW~X78jNnp5^HOfd zMKmMEj)gB1&|~!->Z<_wIpcV%8tfSWL>cxqbPH$I-`?{}A48*zu?d-+U(`$kHUWCC z1k@Jz^dsAgCt%9}D42eLc3bYGn$FbapK}5DVI82KE*5U6LiKl6j_tbz+zSkd1j?=H z;lLC%>2oQ)-17zQp&GM>=~F2b15yt7c*@Nl10NT5Yff zjlS@!@JAQRiQP|BZdt&e2s$^C5-r<6cUTJ?h@pF(smnMtbOalUnYqLTP81ZU zrQW|&X-()>3C>DEN40pobvW$p-iwbsaAZsF+OaSsLfA;!zS<<|6^Q`T1xM5b|6hLw zf=4UOD+NZ&ZBgFpSq($4Y$Gno6TA_OBMX7m`Z|9p4va25#V^z>n3r49(A93()dQhp zVrqbFNze7Ms9ypS%|sIzd zT1F~WYOsdcrZn%CtHY5n4U+VP%=jvNbXG-uJc?w6b}w z%2v?j9Bj*nj&uKrt1I2jEs#~)YBNzRQ7Nr3Rd+{-m8o9bks|5^cKlm&DkXB@L$HW* z=RWwNTPt(!ES5nNsn&i?u#HYvKrb~yV5yIzGRM=nIyELD^Z~=6Y88pL*DNNM?d9Es zYR<&WZygU>MKGo+%m)}bXQLieRN0Qe@70xxJX7}HFD0e2X<|_TW1qna?cS}rnM`7X zVeu!LGR~B|w*|#uJmBs@8doU%p%#oc<`D)D)u!2^viA^`t+P%6{$w(d(WydLMxwT$ zn4?)+xU|dol42FUi^R}|a!nnEbBlIn47USyDI7|C(ni)ho))&5#x znCbi+-r!>!9{KzXdRbYwn10w&skoVXTYF!1*&Z{?>KR*_=zP0H!{GY#y6#$9qF;5o z`{LL-D_PExcuvvE?X=s`QOi0Z*m{4v{mB&L*6XS&S#48do0gm z@HEN5Wx72HQjARdQz*Ns+e{F2j%>f^I!?SpBj^&?xlOKDOzG^Uu{3X9CEs6{wQ1d` zW@~qFvtDdp)9WT3JfZ2Ly z97^u60<0?Mz8O7_KBH$gJ&vWEQnFoEiI%Ez+kNY{{CxELT78xYBwj<^7{2^gJ8s-t z$~qiAE15wHD;X!YDGA5cO(aw3G_>mJ)y14mn~(ZvlQf=by>5WO#>JJMw@C!j zO_ZJ~lXPCW5ctxY6+-OaA!ud{qEnopM=3$w{#(@9!ybC2ff 
z6xNAtEqb$|=S|@0z-5DJ*W+1~5xjZTLZy2WwXGuCk8M`bNnL#@l&nVF5x zE-^s|#!mB)>qXUE>qW2?hu^AJ(uQZj0iVw62Y!69q2Tbz1K>p)fRZ^5_~_o>x$Cj) zUbpa>`lZ6J56Da%E;c6DGebV*cq-4 z%$$ODorXw20F1igfd6l>Dnuj5`rVRuygr+8iT)eO14GZ!5qZ|^6i@e_jC1O?Vj5P1 zf;{KIzZFgc)D$3&v{lJ(DS?`$jBSB!un}0l=qd&{?Qp&vR{O+l>jj#v92-(*FsQh; z;TH|4vv{buLdhTrtuY--vX#u+D#}$!oh6ZH0<8mVg&p|gkN=cgFW(y|(xWFJb0CkP zZ(tI&r6CYGYeLln!7q$?)(}dyBFW-gvRSo*K?%1x(_b3fcZdnovKR|{1X(D<{Hu_l zR2UL-0asXcoR>)cr47|(cj5;uRe`DM;5F5ZTLjFiGaXyxt%X52bXsTmr&`iB3T{)> zwUn&yS4=V90#bzxjbJF>(XYkYG}KvA#ad(bAR`}cwSYa+A{Xp|xD`!l{$!A%+Jv)~ z&}KU~g`&(BNuf~vFJBV7c_ew;w*c7|Vw+RQDc|mkU0n_ZTvloq`8bL%UXB2$0rCi6 z(f}Rr#Q@E4_u}j!OAuNVnq~XE`8&+f7P1w27bYQxrfM!2&~R^kgkhp z5pqonoKM+7L9Qf1bdkk}4P~X#l2*fXaS@P%jaTDHFpb(5szExA2k`Iq)R*tSX$R-RzlM!R$-IXxu5UARweMMyP ztB|rHm+aCo2P^76MEbo;w^_OB=`hYLN>c#1z?K&nt1a8goHd1ww|fptc`_x#b;1&e z#5G)j8Y&c8B3lI5DaggqIR3PS(0}rj3E1qH>fEOApi6(>&bePolJS?-XY5hWEx*s? ztlpX513Y+EuG24nKYGY_7xmHGs|2lNaDSZbv*mC93)Hw z2@cvaG*!v7Uc$SS-oMz$=y$?_(qM2~%v!!HSRADp$-Skf!*W2XHF+^o#uOv0L}`dP z%0uNRXU(PdV}u#fB1;N?u#Beujr*51&t1jS@h>xnFp=CRCf>{fb-@dkFCY4F6fE9( zb_s;ouNnU1S;Qq5C?M^V2<{zbB0D6va)RgRXvd?uHKL`qaGt{b)w+Vic4_d(P`VT? 
z^>^RuDJmE(8IoZP)a^Lo8Z~6)A^DSHbKIDRI;3YXqFV^*wtVI#(5YIxbA>vJ)}235 zYOU(hBhK6G3UpPSVr6_j!O*!Od}Y(T>6V!hqoPDq!x7Oo%-y{EICM#+{r^6|4US9K*+-{XZj&pHTa6K05BHj8z{mwd0LP5>AKRUE-=l;b+>gxxvzy0J zmy*qs&$l3i7)yMwt-46w(`@|O9=($W7FAzcD7!X_0gM*Sy?m8~$&JwMmvuuixRrLF zXuT|7K1I%b#oO9Igx2rDS8&9av;x(Z?f0Y5klc5%V7soZuUePIWeA(PNjyxK*JKFE z^B8V^_q!|qKA7C>hEj*0&#r&ly5H`}vD17Pxc%E_M=%VlC&4P2D_cIV_%uDY$4F(d zIqiFYN#NbDg!SAzo7VTw*VU@Q@K-v)a60*ohD)rpjhwjo{GP3*$Baz#z7I{ko|kK| zYBoDH0^g=$D71gV*OrHDH5k5sa2LLbk*+&l4Vw_LosD}~v88?<(_`)(e4N@c8vh&~ zg3YQ&c+s=F`WQ;K{P22at#7Y{sha)BTt=%aJ}18~ujNuR?x@<&Bi$J8`Wim$KK7d2 ztUvPYU5>^(6gf8US8M`ZWci+2O8RkR^_~wfZamH&F;?0P-TsZtKuhY;KJ*_4stwZo%xjaqs_elq`v-BH#i&d3kZtbUE z8?qh)>PMR(7@oj8_s7Z>BfImTY<^$6mvCG^(5Sc9h@Sv1r_pq|p0;(ZOcU29_AbX~ zv`_mUG@eToL-M9UsF|9E(Z_@9ZFG71pS~=*X5;w^FV%YxN%ga^aiq#^o8$NWaW*pn z{hLp$xKbVA!NVKC>zV(MX8Px%|M)-BR1Ba=sYvrcObvjd#v&>`QE2$^tkF{kDAV)! z-ie(97-F0Cme=$qPUPqTSdK>kk1;UENd^TdQd$P|va>+!IsF#?gDoO$C3rD5E*FGM@TW$A+&VN`UB8-bRs~|DkCHG7mhyMrx()1xEjN= zVOj;~y32d@*yIg_W*KWj4QqBUQo1F3y?FD)R%4o-co$HAui%u{$Tu2^nl{Fx*Ne1^ zXf<;*ST`$$UXafWwQM8Qc|{%*++Bqi1q(8#p`J?RQ@8^1|CScQLHv;}TnG8R-5@

R%;qr142iZI0zv@1YQ zvCTV28QCb6X-aSvYz`?$VxfxOny6TDEXJG%ovDzfktPow2}GX4s?0ZZ8c2jbb;`nc zff6iP6S*w0Qo-^>=3maPruzm5wAu+2)-`#Cki%BWxWt2!R$(8r-sv<3P<;pxlG>76v8(@&kQx(u= zU>rm0ZDt7Zwq7y(Pn%B$KD!yt2*3d1hBS8Fu2sk?pq}@@<2&^G_49v#7jL=0^-cg- z;+ax~-pte>q9Bb?W2@C7vI|HdV8hdv)ojPO!D8lek6JD=v1L>Hwbm}XkK454nGD+&xE%?V-@2@i3w8B6KfRoE}CzU zhDB&Z^f`zE2h|fdS^A2xfn$!OBw5F-1Qg%YTQs3m4BH@KvpS^BzSZyun?n4lOzag0>KM*G89Gob(m3cVvAgBG zofJ|ByOb&>p>0+CMko%ZTBZ;d^3hch!9%N0A0p)7*yMp zsM^>VYzIPx?~22qj3v#no9ZOE1Fayt3AvvcQfHRa%1ws3Ay(D-A@VY;?GTrKR^pMY@t9R5S=AUWTnZ@Vw zum&?#+U2|06q)_K>-0YF#K-AaH$)S@!*VG&W24l46$auIycUUpuu)InT|2{I%ViWO zMfna|R6klr0f2Ym-^yzWUL?qRNaXOVf1V7L^N%|m2t12cHF>B~Yd0L|aNV+g;3D|` zL0truSJhlxt#0um1-F`D2t~D@FYmaQc-MaX3IwIY| zerHk0w!Vj1h$*|SeVy$*`!!$Hcu&A4@Y2ajaPU^WmTx$mZ_MKbAex{p~T`7*auxr|^IBh-0EpN~QCA;l4?|ZZ)}zh3E<2@zQku-sbRoPI=iY znH*VVQp@@p$y9r#;(fUW?wrEY@>1J!-(GkpW9hj;vYj{tOOuWp}q zh-j~Ou~UF3{~u8wp_fB@eNymU@}7JG@Ze_$C~=t6E-U+|l4wZzGVXQ@wO-KcfyrP!4hBT2#zm9q9sGn5P6e6ocgvXAw zJ{e0AY_Bk+mMMUkPbmZrS27-gt&AP!uUeVDWEqHuQ$Djx$Cg5KNNtJ-{V&XFB-C2G zOcAPlol10>429A04|A@yX%_LIat7Qv*eii?aCB6;#3$)xR`roW`4DS6dc$cwMJL z4ckdp*<`dZg37suaS{rYP;1#Abc$G}Kn6blYg`-&{*i11Qfrt|FlHg1USq(P2=_J6H+*TFH%U2D0(S#igbI;DN`p!bFFBN=^HCcD@;Jx3P z?mZ9SW4-H;pb{{(^B?Nszqn6fno0LIAo6v*zXB2C@=>h)%$L4da2bdU6&5{eYS1by zI)qxm@uG)tBUq5~#oJ@#-t{cy>7C&pvVK|BzY1#UhP7iRAc`CgWI!8$^ z8jgjLkCBRD!ch=htU6Deqljpa9=YJ)tSH7D0v!avyOudbiqs0KI>u$q$sHSW^z|CV z8caC~jl&Tw$WTxs8jKf!&p)T>a%Od2|Ft&Gz$R4dL|+phegHr2*RBc|ZA!5|d#AK| zw%1Yi7B_sCjegE>);Anu++bx(2$p*oLj7Xcao z7Ol|}prBi9VI$_07p;5FD&{hA!G7za>p0JR^tKq7Vv9!XXDXz#B&&Zjl%zb((AoOp zL*di4@RVx`8D!FBI2@XiVd-$9)&lDAKW2*nL-XimV)C5b`=;*WXJA*(7&Hf2aTC)(i*uVLr#oxVe0 zZQhtmYrh$OGCPuXjz0Aj`~(L2E}xt|gn_L>0jX`Vfw z_&S5w^+S!ACzYPvDg36mllv9}0DU5aE09L#bISPq$lFPR6mGrOH+r-0ONGa&X#Dk~ zTi%ME-xd)2>!~?wM+GBpnSt95LkDFlb}`LIa1YB;%Q+3xF&H*aC9&0fA9at8+_WC| zF;^rHRZ^qxtANMpm_HC*n(^@A(7uz~MdyyYZ7n7eFm(PpI5H;QB^tKaNdWJVtJKumC{s#^7EXnqu3v%N1TcO*RG> zM|ygf1stxefCZM7gIrGQ1(x*_x|T`BX)qdHyXNGVmyO^~o7g2mn|Gle-5x4}QT)^D 
zq^N)f-KZJ&ql6!X^Wp47N=>2M`nJ1s=zLjC^K|<2#0GqZ&kzZWjpsq#494O_&Br4` z#kJGc4Sf5i`+Jg!?3>&NLG3hK#dZ@%ZQlXLmRR-2I9y;RJJzS^m|2389^i6J>{z>z zu3q+||K)l0a8F~PLv7P1_Il>#(vFB$dq~csPxmYRDtc!pMC3!ob)CauZMvqqUQ>JL z`OO3&*L7F!n%Ap{M30-j@^G6wRLiC6h0nXH&HcDBy7=z$#&5&(Y;SjxhN0`Lo$DJiY_nT#z%j@uKQCwZkz-)KEQPH3?HAG$#rY) zhs<}2-A#v9skYzu+uVqs_GPMH+hakt9oKDv&GovHFPZxL6dUeod-|s6rY#M<*Op9; z_Upb020zcG2nR)M*ZG@9Zu-Zd-FK7wRF)V%w|RkxpWFG&%$J5q>x^LsdTmRN#@qi5 zmJw>dPZr;LU`W6500YsC?B5wvu>?N`u!qx_iT-jud|xNP$M^%lH|jg|OHOe-Ej=}f zx#v4ImjIyj$fRxV!YaJ~YYcn4}m-Y!Ea|H!_7T5);0f zG&MhW2*FS)6ZY>Ej<8dGPA8EujXp0~ozXm9ynE$tVoiN$)ObU_oA>&hv3y)mBgkfm zEaC@-Y+0PYN2s7QIU4>GrcaA@11>-`FbH97s1CkChf%586?3Vs+I+)pn;ZoLMSgLrsjFZf0L4pe)U=+Km_$?siHE+M+?+geJIDA-3K;q+F2efWzGc1Ct-~=g!rEYw zmQoUBze`)rJnczvMq2;5^-|wfJXN80q4!iP2OwsQRxD`q)FU<}!s1IM&+Id4!w;1u;tw%?*KZqI&RqNBin^qES*GMT2W zviRJQn8b85CAU);qy_dEyok-CTnz|y@^UhNbO|+^rrHqjN zveDRMKIE`gSkt}cw|IVx49i$hqMgy10`v_x9)|pww#VP6JkXowe#ThrbVuL$6G!Qw zQ^%&|K}qmn6|Rcd*VR%UyW4}LWLwOSO1_;1;b3!$XS$s zB!oYDFg&%eWl@l(HFzK*(Y@u{D79t*>MsXJkT@pcx&1TPj3CnLokk0qrIUl5VL*5N zw^^k~>?{@FgXv@E^T(0(((}dzU|=(M*<@mfh34!Xk-VxSIJp#(As6K0P!6^Xm(W~a ztvqCrXkWTE`C2Eu!O35BdPJ%&H-G#IMr$i}eUrz<-ukMLUODR*CI`#Bo~3 zzS0lZ%x%nB#Ru6D1-oC(F>PL5&}$?|S%%*SnvD<1icMBM#3hrBjWO#R{_}f`bBB~H zEO?l;eT4-;cyaqo8uv8phbg(8<0qo1->Q=;hLde!PS0F+&I|YN)9gw%M5?hb8q?@0 zPcuvdB)X0#zTo3w)3t@Hg$6o97on*$u2bNe*zNmtkul-gi$GbYmnL>BzGnPxdv1!q z%@oX>AS3PrwFSzcG;Gn())iQY@+3)0?cAm$iLwt^c^9fmzM%74kkgHM2{?TjmWO;w zcgpWyTW6)$)NyOrz>27r4+`)H<^;xK(5hf@^i9B&G_MTHGA3U1)ouE8$Jt>Xz z9*xzlR~#k#7#y$EnPxXs$`MxP)0N@H8O?Rz_mRRc!nNhiXawmcj?a1YO1uiRMa>~B zmLK=4yoa!tEDfr3=~(L|yGZ9G)vYw)1frj;DsdMeq82DIyRX$>ON&sNWDzgwgAIst zabq&3NI}j_bYtDJ16u0kIg~)Vp5(NgDKXQ};D7oo5*0cXDnSLlBPqDXJ7qMF_ z{;A=k2arMN01G5z1E@&C+^ZvkIFCH7PBeP{6o!0?}lts(%( zT>c2wpe!CVR_Webj$8iw&{IED2}RPFy<4|SzY~7I;`79758s>F3YuXBL){z$dbDaM zAdTCO|7DB!k?!(toZEVx*Dy48VMH5zr~I<>mO=fzt4dEyb=7jBt-!^Uc0K*U^e!Ch zi!Rn1#c^iyjr^qY%BlnZc`;^-yE-#C%Ob}3ZFfoU%XO#VPIbNG0`B;+k^ILs&Q+r4c4V+pWqH$j 
zIn&POVG@Vq()UTzk8>}WjGsrz?Ei6fmO*g^%C?3;Ab5}f!QGwU?(XjH?#>{=T?Th| zg1fuBySuy2Tf-1I#ZgALGbyS6nU-HEru0OXnt-#J#8E# ziP=Br+vyVfbL{pOyWwz0Rlh^u7Fg-MoaHY4Fxd~cYShJ9wy^um;xV=HUEIySbTc-L zX}SztH}mJwYfq~DDE_Gam@9GbHjC)&9Dcy(QCcyszfN7cSmIIBB>%+p61~}-lTC5j zvTm!9_8i-?Yu%Wf+i=?FfW)z72oHOEz@1J&kO}*n!h_ zEv-9#)`c`-ZM0r5O1d^>pS$ccW83Mqd4D9k`TSgF@VUdEY6fI4Jc{#v`4M=CWCj8v zr;b4Qx*u{(tSlh<&}X)Hq+MX#+ULvxNaoWS+A>&xCHm#?=>H1GdV62%+At3Qq;i#YE1(p`mnX?Zt~ObXdw> zwfw~jI)dL2dUnY6LWGh_56AVa^2iZ6gKC1}iEts1yFcDYBXT_9%~;BNFp zaq5UiltRu@O9o1o`9DQ@2I3W-#82Z9qsY@Ca!29}27~W5U=xppuQo?gLzUiNyTVpJ zvVS8@$cWnsG4#?85(i52>ne=ikJ2EhrSVIdt+r$=@k4j0Q*{Grrl?Ug@C(y?(}=|( z&@AO~uN)9DBZvP;3OhDQH5Odv{1N?GQUTEbh3q?a2O3Ywz)10~WOOEK;k;Q4iNh=gTqP=Gc@{*5(4(WVi-?mf%n~IXU(UC}w7nIK0@h1WLJ7X@);lkaU;-T^m*15x~G33JeVx4LWDH z6);bW;EE!EU;n0jS>G<)kvJv8t1gT!3Q;s&ZE8_{pw2$6`a>4zf*xhoOP~`({hf-6 zq;^FeLsHdIwTK?MrD8 z+z^Nm3MLNZxXR8cO@t#Iw9z8Tcq*!4My3axVzDeD?^xUTfjf-Fy&>->#=TBgMU&kX zElFru=P2X$(z$=&@lvUNSOW7Nva;u2;&f(3##rt`p~WE8AnRw?7cd*{>cI~pC7v1r zN1ndWG>b*{c;^MPVX{O?AyJCI3I~ZRP%y?Fz?srJFJUq;D8QECD2qdWB@hL}N<${_ zlqJ;kY_h{8Q@RL+!QR6w#gXhP2!%Rxl!3!2L+Ye`wn>`D(7? zp!Dk3Y)RA;6R+qT_-6$$st%I=VSDCu@CZjM;~m5RGD#{pwi-niN=$96lA&3q3m9WF zziv&3pQPf&Q)&;!5Fw6aQS9-hT(FGk8 zC`_cJhNqM}YdTnr=lf7oyEcD|q+D?1kVxnG5wpM~*s?BWQW`-7Y~Rsz#>jbZq+>~; zCLA|CUZ^LfK+C! 
zU~nM6SQE`5ej6KtiNlh5F9E!Ai8Lh=#__zph9^V=uOzG{6%P}WSaBIcVZdTxYG6>P z;84h==nW-Kf@6r2545Bs5lq8RZ^`BO|Fz*O1jyXd|3@3XiJ77H27O`(A(I4mGd#%L zf=U4QU6}6>*Ik&R#K!Pp$j4v3)s4>adtGwZc=^<%VD-B3On$Yb%@^$pe~R~Gqs_J# zL!!N=Khv%2x~<#_Zg1u`hR^-MKn$0W?6Q@=-2s&yLufE z(mLs&j*-rMpKAkcU)mSrww;tVb-)dcD;#yXj%M@4UU8n*+zZtJLBkzxn_+;1*#qJF zF+4WA%E{l^U1NLX+|9-HeZK(`dKTIL=3bev#F8mDYiAe6&O0{9#w(Vl++T~#VzfOs zf@HJWhFPZUy!H;9Tsb*A2c#dOO&Z|V|BQ;-iJtB)<#W~+z-t`^{RIWt z89?g1Pg*&;YKgh>z!ZawEkozEgkb#QVR1ceL>2&B7@{h_y$Q0yyAAv zyzvovjBvGOQ^sG2sp1uNGQcE;%$fvn;IOz)4k6MDyLx3%$xj0XmSN+&*w~7}bX#*v z>0EycpA^4`qyeBrZJDJxF{Y%vHBN1xdjcC8!7fw9eiD>y7J{S2ihh6Ex+7#^xw&lq zdT9~C2pg_)ReeJ{7Ba*y6eW(lM08XHy6TAU1Y9p<ZjuInYu_VW<1`qgnmw*A+~9UEsLgKe9b=}<}5Hb$zZ^?I&<-e^9unbIRvKiK74)g&# zu7iacc)yirMJt7qA$#+P$kAXK77&}U!r53tsah*Blj~ioLjTI=!@8Tsl6t{L)~Bg> zfC0%W3;0#U78J@=-NTisS`*;VrZl6g1 zE~kRBQGLgE4hKr-1}bnNg6cqw5a3cOl6P5NT2Yd;zv$Q!GDnoTlF|+HiKL6xlU8VB z?7PqcLDdt-;HknBkQOH{Nn+U7 z#4<%DML;r{nHNB;x?LeiKl+b2Ce15njmgU4e`UyG_Xo+77g-83r!Y&E)gfX zm1%Yge4ht3v5LuD%+M=sl-siQZ26mO?$8VinO*3FzB7WvCDv|LJqj&V@Q=1BxG&!kze2W$+6YhhE3###%Lw{X&=>zONrfB5r&%n5k{S|N~_Zjm3B`%A|V-1F3KIklg+HYs5FUJ|0{44cn0n3C> zAKrI?i`;Gqf7@a{u3MW_J9qknRH?Tdj##)h+txIkvNsNcmk`rrJN&wQ=LFr}YnuDa zsw+V^7W5F}E)5@>Ma`L)E3Kb55-(tq=N{)h7$9J8afkhal~{*J6+5%`&ihmrM%E{@ z{qPETmHo95In1C=Pm&vs{rI|`vu@|z-rAzh?TwDp3*X0mN4lD~=YpB)ZPLCT=WgKn z?oE^2G0xo*G?LyJ7LppN|(OUp`H|7OscO z;x0@LE?VcS$**lF5+9fA>H)|Cv}O)^tMYs=ARgxnyY6|aY?(x^G#jQ(^1Ry|KwL?E z!1Js-d7P!qTpi-oi0b*8 zPsn8Z@Ov9v9@Oz_csd+ZY^U5gCU*iZm^0OK+wfM-g0Tzd@V%YFXtk_l+wzVC@Za}6 zuW`@+t1myD0VpD6GeJ*016_N7AWITSJ*A9G=yL#8GC$gui1Jnn66me$4)nesGYzt* zWwr|>j-m85^!=#j<@yEW;Loj7f9Q7&tMY5GusM z<@ghBit0jE-lQH%EV_`U+86H9xv0oAlCteAfoRUiszV%P%B+AR-ymP@L__Pc10MQ> z!md#rn(C=A={jmb9H}5uHXV^z%PZMe5w;)!DFaRtjX@=#*K5Fp6l9&SUAF%d{)U7^ zwraXDeIbRauGBF0WN^ThlRO|QU_vPh@#=7oRS7Egy*UMzM(rN0Zj#|Zf&1rK4R^Mw z6f*4s>IT+|JgthH%7(P5uv3_B5q8wjw~FM|5~R0ok%-wWcZ3VX4zmG50E4g5;Y!QyN>2TZ=g6;o`{9O59-R4vx0C=Z4o;Z#aR 
z%P-JKjLVE_5{_9@QU;q?7z#x7HOJ&$>z59DMWMk3P=%%1SNLhWjW~ZH;;GCo6mkA3 zOMMi#7O^1G7&^1uk)m9g^N?Hs?Ib_eoGhU0GUJCR6C1O);Goa}(MBO6Zl%`a60EQ`Kqp{abM1uhl zQubynsDx!y$c}i%x=YTeESxWzpMn~Kz|_woLsctVniABn$#Rn9fkO}&jGo()Hpi6k ztJqAP(m(#+ZPN{(hwkLk^h*fgB3^0StI7lD^X)MXQ1Qve_jQu=VdpyuN+4`6&(SVj zH3j>H(NB^It*{Y2bfVs9gRtATEYFrx^|RpAupv# zI-Vzke7|rAnWtuGxnfNjOx%J*&_(p(f#XOXzf}D4&>%u(2=E$mRBaGz^`~e%6h?Yb zQ6`R>zko>inqY?@4AuJGXjm?k3@`emYPoo@c()={UodQeXv%<-uow|nBfG7Z$?#DQ zm5`ML!B`<>U6M>}hhLSS;jAOaB%ancy%WZP(C}yUeEulSprsw>*#Y6wAf#c%PCHhp z2}1}Mzjlqk$Yi4P4P6T$918A7mj^y6z31$KniIPd03$unpsX9Df^(lf5B2?!6ani` zNMv|CapXcG5Z*xdF?|sFqfmC6i3OXF-w7*dn0wFM@G4eA+UbZ`2yAb z%E-Yx&Q=+T;<-sCB-Lm4ChUClBXvsfKQT7glE&;%vUHIA->S z24Ev`1?5Qev;2rC{@c0=mao~Oqpyv-)1i%4$b6z0dY=|1`n&Y)!5TkMrK-CKOed$A zAD_T;BuoL%xEY~K^`bt!gTY_SaMhK|qqmQmxJAh6!jQ?rkCB+-`<}Os)NC9FSVdA| z)PY0Aa+telEULcs?1H`BEOl`_RB^XGEd2kJYfu=!A;{w63v3Ybll^n*GlcMY{&Oqf zhkLciRN#~5{&m;ORx97edHi1IK7gD~o;M;FO@f#~V22{eI=lj*`h_FA@*Vg!-fX>w z5Hjvcy*7;nbb7)LN??(h|J}UT^W2;W>1gmhszpFbN+VzYuy!BRxH@=Re*k9)M3Uve zY!=aVdRU2=Xn6&`-ZfdbJYiAa+1(?xrg|Ez>|qU`RpwW*za|i;TI`fhBS34r`nk(m zWp2_w@it!XX6`j+_=dN=YvcziCd+M^=JL^cZz+VxoOxdhf3df+(;LNKpO}-gvr-T@ zUSAXJaDAujf~fK7FPj#k4z@NuUv?HmWI->o=SK9S{>dOHnN?svzbj3Y>mOyo)^jV^cxxN8bNQ_ZKrV#nSoAvImi zDCbcY$>)C6&Ma3}xoke3dB&Fa?*5Y=kLMyQ^A(KQpV>8gt_;r~H!EMul7F|8PFWw! 
zbu$C$a$Eb)eML@76U({RJG@cFo9906axN^spgA_0OVbW3JGUi`HMpk^`$}(6+7oSy zSpFX?x$TzZrhz7=BfNe58^!?JTC%43-JSHkgT>ioFtc-Cb9Ue2XZ&N(-5>~5@%hg6 zqQ{7mIttPxxT#*O$Oqlve*&sCcp6jjfSqKZ@|!@Ny1Y|%maK}I;Iix(nMDhcAeS!n z;#9p0zEbe(0~SlzmsS?bh&QjbE_2T7tHzIrA_$P}e||7jUnH=c@;~Sp-#)bWg_gm> z0cKpecr@bC9Sy7X(=$ilSQKGgZa0HUw2gwp@nayixCsrGSv@Qg#mA+JP*$8<>3_l3 zL;i!phs`<;H1Eh+tCg+%+_-mWw66H&jJ^lwehW;AbGk&~IMH^?gb}Vw=J4wYILPBOSTs9P;*)Uw6cIhzOU)K-X z2!B%cvKM46PIbp{bB2P_`PiIe-Q5QUtn~c5bvW;5_4J0jRuYBNC5E`GPlsVeYmYNm39rLE(Y2NoUNH^3H|od~=r65AsJ5 zHeyXwLFXk)F%&4&x!el=;V+mp1!*I;jYSZ_6Cx5V2k3vMaLf#f5+j?q!tIJjobx#; zNCSjNk_mD8lvD@uIWpjya}Wf#|NW{ip4Ml|nI~yEol(qNkcxI%NxXEY9T%wc;h^{b z=vQaMQtvwvo$(uE6SL9WJFU#%JNX$+>zrVZBfgjr9^vV*$Yj$Om2CaAW(`Bu?D2^D zVfS{@y4}otF1s?-g=34&w@lmfl4j{gf0*_{;A*+fVj1XN>n}<19gUI527%eK`qE_C z5T80eNHByZq|%q)OMzJanPBl^;KSC`8u)rJyt6(GH@edJ8@?{n8CrY^)&&#Ss|p*j z$A8uqN|}`hjf7M&uLj=q?!%e8EVL#Gb!o!27{v|~PbZ1Rz&w_~h>PDf<6>Z3IO7`^ zp4QXrODtvUA_EGwP_v%xgEbFLi1dakeBqeJ?>wXDU(~-3WN7phq}soctVK;*`}yR< zwDe%kllTaW`ixtl-EpuaJ6JHEqPONzOL;V>s50js_#w1dOA4}Xh(y5pCDtC4RhDb` z-X^=~h7L$IjPMn_$}?XNDCU`VL%`YeT;$;YNZJ}%h!kyPHB?$@pZ@K@Nbvg#={%9l zx8{4wgT~%jBbdt`AXqQt;1)u~kUQx6o}d1n?nvW1zCmIQKmiEARoN>L7pURVud!}4gML_%G9NW;Qo#ZcfKk%E=mhoGNmi-EME z|7c0ITWx(I#&3_G#!$SP<99WoR1qzXt@Ai4Xj9wvgcK_p7PpI<<6uxWH|!on!OBj%F@@<*W>MunSX9sH zZpebagqHf_7Y#of*QjEQH|rw|B*%bJUP7E*{t7@J>-V+aMQmRpGJBr@Y-h6R-fYvqOi940$}`}Qny2Ma zq71T%Ec!3Kt^-tGus|=+VBxuXvLMZFus^w*=YmP>cdl zTJL`OfWKXw*l~YyfK|d(f5?H|&rPAWCjG_Ovim|89YE#}4pqxnwHFS6Ecq3l7-YgezI2wZ6NSzg87kpDa%Fz{*W(p)}LsW)4& z+*9vPGwWD6950OIy3W@1pa5x~RSi1`X82AAJ@g@07xwq`=v_CTDn!^vGnF~3roCb5{KKQN zFVG_P~)`x3gb|PwsKmyrs@HL`rU9 zD}T|)0kjaqLyPKr@&>BD0|7AoKD#~xeHH;;3rKfgRMT{Q%6Af~ zaEK;0Vx34yCj1vFC6k7@>9Vn@!BRZM(Oi(ui_?c#-ak$y0|g7b9Fmpi>Ztqrp7tpN zz#9%1utmU_HHR|O_%8ch)syth@)y5iVdzHz0mYDUNThB$;*rW?J$Dm%X-nwD=Y!R^ z1eZc|s#L080cQMSoCMk_F9N?&L=vpt4c4t6X)bd#OZHk+LUGR$FS7o*Dun}1(|Y*z z(kfUDMAq(f^ORHGMj`^>BdYq8GY&0=yG%yHBCDyB?^Ky`zA_TK1a90{9RrnVhkvY? 
zk^ad(6^Iw~y{{*CGVc5Pve~`tAO$02->P zYMPg=+17DXL{nVcLt^hcsS}>SD{LC{e8YjpTfjyu3QfU{P;FxE_xiqd^UcrdW`UvL zIc+9Lcs&8KISeV^nL@Uph&BARGcL~R7jLrh>|BoE-$ipwDo@T*Eq|*REVS(fjS{f$ zL81$YKih=1-787sRn?ESWeclMH~b*i8Ykg+g!g2=#XwP3;7@QHxeKCvZ-6UE+c8&+ zTNM`UiCer8{l)Mj^)@FWT1mcBVO-iPn57<;q-xkBZ??$l1&3Bz#O%*yGUxYS;{4ph zjpRY`bmX3tOqw}rgq$a)!KLN-{yD1--w_Gq6L1+Em^V7p2QB&{`DsXh%hbbx2YKv? zjVK15jQf=tOJ%peyjMr4CzTnedZ6FOXdyb^k0c4H=DzU*AXzm%(rl3;jAVjHht7n3 zZMxrbm&k)vvT0S&stY1j{7G*At(j<{TZXZ8P@y-ssyO;JM@87f(VI+%bN27)vX9GJ zUc7=;Fv%89otO`(q&riFbGGlx2FcsS!X{yOITW(SdFtRD$G9xw37?zC+oTjC0t?fK zn4@ruu)brN2k6QgLN~Ay?id6r{p?yj7s(7TmLoS2mF>rrk2KxP6z4#IGog`P74Ztk zc0jERt{3T(*M=P#Zd5THJ?af$JVkXVxa`RBn#FX^wTu`kx`fG2JkY#E`w5y)=zF?0Xrq2Fm(?V6WJZF2-T8l#r8@t@sDiz=xFZm3)U}mrzmd!tX(G z;AM%9>yh2}s}r6JQTC<;IogdYlBtyjBZSmcVxv`Qb?>^FZcID%#{P7(-RFvpBDc=_ z;DMNxMMYE)0M3bCb!9VNvosUXt7GGLrNY8gWM*bw;T()qdDl%2J^lZb4SMa-Ib$hB z^jvVPnSZHvp{9--%`A7>ya1*tEXXYtni8|ZdK^13^#-DFAwNuJh0aa5(TV14Q4O{z z^8l9aWj_I#AanOWvR=_wEkZyN9P9W~$-b0RSt!-93`L=(Z^I5g*76OT&B~{RXTE`w zGOx{=#;7Z{7iZ{PXE$Lk1FeN`9h?wyzyMtPL9dmEjGh_tDR`=w0LZn!IhnIBw z=)G?mfeC!I)U;kxObM%uwRd%oUe%Ye-0LgNx98E-owwHtA6HX6U~RsWC^4Ph{R1;( zH$i8**VklcLC0@bht(dRHz&Dppp$ML^wtBlH=bG}ZqC!xQQ!Q9dhBG)*ZnnK#mjj_ zPnVSsTlJ%WaY`?`&OdkK$kjeiRoUyUzo#z$y@=p$bb5-sl0c!U0 z%RfG=w&)!PW`mB}pZ;z|jYGt&TZ6osB<(P>qSl>uR*+O0bzU><*kU^FH>ISy-ZqTn zdUjclbZTxb-ySjA9JjpeJo=~BUx&fXf+FlbzSwj}pLrg=US_-xqjF1I4jVFW)x2KA zF`K@wHA|~p^j*sqy?B5X$`y-*VG zOD|s+;??baIsJLlup5$B@QWYc*;)*qghCtMr+GPGfgbJaK5tR$Vt~1l{ApFc_}7w` zPutm4nVv(RWV)9ccf$^CHC?KgllSu_fK$HfxulKt^T56d_dPHRp^8SQeRkHVeNylO zSk-pxaO!dVxYhNvHn8|Xp#j76X;{&AhP2^Um43HN8pHF<4d@TV@NS1z44vXnI+TTHh2EwmZ(XuIczrziy_k>3Xb9mgBtp z{ZlTMw1&(S*6n=DV_Sc4nG&zNQ5htE0a@{a;6T%TgyH z`{8~OOJdZ+5G)r&e_cRP%Q^Zs;viX8c3Vu_PmRhkF>%yAUmc>`)x5Pyw1RQ%8yhR^W^ZwsQ6oz>5+^FO0F&V5(9E5tXG735xQe1PTR|yq?hLiw%sq~FTryf15il=o zjU{s+1;JE8^qqEy>R=g6eY~iY;wyERb(5xfha^m=pm()0P7@4)jpDXo_N=j4yJd=6 z(RBLah{x^_+(#A;hT9HYl`94PXX|m>A3w5W_VsInT6V* 
zFiBabvS^$&T8XDhg0$Z|{53XcG?AE|m7c{B2pz%2!|t}qwr!5m>af^l+v5m&d#H?S z44eVU(oz?;YGc6f#psH1WEef?Nd{eO)3^viQKR(db$n23* zS-R!kKt7$|bpO8IHR_G`39zHHclwe(<=bDdQ>^|LM3IE$gfY$Y^~H`#Qr2p4&dU&Q zy7U6nB+4QAsTv{5!3fAhxsH-}Dr6?hVe@{Yb2;CnN50u`QRp&?^WdwwOeee@*rux0 z0kuO(UwnI<7QQ|}wVDmo;J*F+C8H^2HDiAsY*GI0+8Oz7O?0K41yvlcJ}uvLkl;Fg zIrRrsD5DAq5U-$Bl*lSjQa7vdB`u4JBT6$PVw)xc;zF7_aC*;BqwXa2Z8BOs2)Cq9 zJFG0P!(wOtw zhec^5^bh=W^&j~wohD^PaxnJ!@^VT^8`V*#x~i3g8>uvmx#lS+3zE?{7ND-^ev#}Y z5dGJdmv5k`R<9L=&+OC&QS`eNHwzBI_Y|Fb-3C<0SNB<7(u8iLo=6~=RUfO{Xng>K z41WI8hB*kb&L|&3jVE`$K|Bfi4l@GX@Y~6w$WqgcEo(wq!XI@7;r57-Yw2(%GzOJ( zLNNLqZ_^x=0(~4~$%X*%!`XX3+-Y{Kbe4u~@{_}2R>=yJdfS(}Z2>U}j z@Y{CSnEf|3CG5-};TF0k;>!=@cvgf7lLUTBxEz;7j55(qvZ!VAXuwhG^MAP#(%Gjw zGWr=L4d?yNAy9X%C=bj zX#5k8FX=(u8b31rr+`+#iGQ~9ziyqs=;=v#FM_ICZf_tueL;QlD8%BBI z{93SQeAa{pMzlWU#Ak#)rzj^axs%x?R6~3iU*s! zuE=qrDQW$vX2AB0w+*yuh1-Ewr%>5C6iE1d!Q#egd&YwAVV-LzAO)~LT0x?BTAxZ% zPU1b#InT6*xg6YR$6#f@jKK$!<6h|mm24RRHVt7mn%|GEe4o6k={#<-)}~cuHaC6jHvB= ztSqjg=pC+FZfvYBS+veKn|J+z$;(%jdoi1mJSGQ=56PEa-fgo3ol(mUS!JNSI9lV?%vFse7q7Pj=7KXMapNhe+@0WbP1m#Jr0 zcjqQTFPj+E?9MGAY4|pcDV@6irtzP0xW`<>Rv$Q zp@0F<-~!)v`2azMbh*@Z@X{k z8bNgSi3V*da*_S^qmhF66r8k!->CN}1s*aJlg7p#n3f})WY}w{<&TS_Fe{%N2PCM? 
z=SE^@MW}_IUMd1tZHeiXz~b-fCKQ2rJ`I@|;*BRV0~9Q_QPd@(GTLR`KNPhjRN^)B z<$m2%j13a0U{UH1-MPzHfrmy;&;THO<)i zOTt!Yy$Lhg!lV+k#?4JO$-XOo7AXGvEbcMy>&& zmRp!1h7I9}#juISMJKB0Cd;$^a&n{JekP)d!E50#t6bZ9nfeKy+%#7;zCp?f-C!1_ z377a+5}_kF|63beF<*7L$26%8`sA<6 z$2wse>;kCyT_f?8!zl4+$fAcHvNBJm_jz98M2Q)}o=5b=QNtx~hKG6BL)I&UiA149 z*eHtvYc~aWD=y{W*gB$+Ga76`J$;a-YNM`9Z!Hgo=vso4fxuBGT(0Xns`_`bgtHN1 zGF=)~G(OA}u`0GcX+O|cQ|c&KDa5QlPNkGNfiM9=@_=q}q6RawrXen7+r8;X%-iUE zDeZxbWBeAErb;a{apVpvKDj(jTiHkFx07Mq9#$dP^$c2ytY|4LzI`E-MoLTES$xoS z>aB5X!5|0jBw723N7B--NY&$$TERaJZr{li0;3XjiWWMsbW{J*RYQDA%ZKRgU_lOQ zjDb|XKtU?YkP}!HA{tu9J!R4@#sg6y2d_UI6)VhJ>T|c?-KymuDcD6YsAgyl6+|vw zYo|N%In$)nBP_Xp_FXCdTsU$vN4YnDq2kU9Dqa;G4%5?wz#@N??HKa_9c8qbHBp2k zP!V=!TV#tx%l07^3X4)=;*_oL3bQPke~iL+Gh$-Zguvf{rAy6~YHK})6gnRt!3h${ zxQC4TXF9-EKS5Fl_D%?PruU*n<(#Vep`-n#`uA6vZr|+0F6q7KXj2tjF7?kf#TeQrKh~dy}?03pFN=I@7*AKOxe8?_#3-w5SLCxN7q_k zv2N2RnHtY$&+9PnOF4ZjM7zlgpIz6)IyMH!OEWIs!>0Ggo(u+`;gr~A`{5Eki&Kk> zD?FR#8b@)XI#A~(xAGu;i~FkPESh|B^{i%%UhlRvAs!W<9ki%brESnqSxmOuS$DvQ zG)GF9>@ant(jO3u>^=d{q+dx-IA`n+Ky>sjNo$f?%;(0jGm?15_rM0cKhK%(hV z2-vizX`R5n;`ZQjyC>ATaO`e9oU_BN>AeKBOIYB6wpYy{ofcQNOH{fb0A^8E$*`UXX4gDB^bN}{$jU8}=+Xs!*9{c%#XGI{#q=f)Aj5;(Q z)3I}KktNOZbbB@~d*y52moP+P`0`wz6|d2UZOgTmiecs?&9kJN@9jAi+wJXvvdN?!>5#7FDMP7hb;r~7uKcRSJ}9OHp<4<=^R9hCtsu$U zoA2c;E6#MUJW}o!wDjftW6}aWxeRpe0>s&mSvwsb0I}o74kM;DFXdmx-!IF7ZUv_M zOj1tj8DrNcn_dVismVW6Rjxb(WuIQ6dXyXscjz?d+pON3vTUZr#!1t5C=H|z)~JPZ zfeE={rmR9g60Vy%nS64C-yDP3&GDJ4XRKgR?CPg5FW**x55huR17$yfc@`7LjxRa5 zd+wZu@!$(Yut7EKk;rK&ABy|R{nAz7h#qC)F>fU67mv#XV5r@7BcuI2u{4y33L#cRMhLs+bQf0n=&29Q zvNqFME&PaoDhj?w?m`cAM#RX-VTt>a+U4-$35H*qM+$GWnk)9vBsdXE;{Q}GOE%@o z(@MTw@!ve@ah1St)~xA=?>iq3m9NnHw!#Q5U1o4P_JWV`L^(Q46wKnsJ%G7jFN-+g z+r$xfuWiWoY)VYyZ;V(isGbeg;cOMlgz%4SK}IqWqMPpEHow9gMi(LROuxjTK6njJ z=law-T&2dJm8F4ZoTa&a>^ltY4GNXRLwD|KelV)5pMV-F=bkL9iGMpScC@A0ooQa5 zr&!${P2$`HkzJ@s^Ko1ThC48k{ulGLzF_@vaF3gEjwWMKNlYy4@1@t@UIZ=f*@Y57 zh*Dh*6)RDSrbKvYw^{QMG3Ts%rtlL{jm07bPEtodcKceRMazuxUy3 
z*sE}4I&XEk2Ji71U3yKO0@lOX_k1ME7xcVf$y5wKGMOI_juSMjE9{vInFch#VDLAS zce$)3LyjbnZFo?tQVGM?%T@{+*y8>=>2khf1Jxb%frM*FN>zCn%Agnqwws|_7fTih z!&83c2rG)W>1+KGmbWHaAjpD`dR3;LASnbVel=9xu2tpIhnYQVMMX|=M8EV`2(s;t zvji61D-%dGN?Vwki-wzBTXtk(c(6-LKxz@4V&S?RpX6L2>`pJO;xN!5NOCaiU?Q3N z;^2nlZ8E2!NCfk!(~0+a7N)a!tWGQa^V3p@j}`2}ihk#on}_M6!6H^jxuf2xC_bgGifE!{YlUaU*1Q?-K*qdLZ*f+GEhF8`yB!*_Zh)pwbB7n zc`SOuA)2;9Avq(4hwQY^J`9o3^kzoVC=GGKKb~w-T|;Wu=Ep zc!}rCHBzud65!2qCdz!19bKXpO1u_jB@Mn%KM|SzVWIHYO}Ru>nyL)mvl3u6kY}CN zvHNp0#gdRsqC~NJ>6HC5REzDXn|$S zHvPnb?F6H3pbXxu)S?O|kbfTrQFIad0#S(~=tH1sw+`sPI_EGjiRF=isYa7zXBmeU z!2;D#bS+Ia9!nFx6MrS)-Ghe1mSo!PcU`?6)zIeT}p zAM8^Rcu2$4c@iz4V2-+uyZ*(#aQ2> z(sB71Yy13y7tz~AHF;XyZzkB`d0`7{d-T1&Qcs=N?O)Fr0U}I4Z~t=;*Nks{w~b5w zdiYw*|CHT!-z3N1xOS5QoaAt(edu`W9pRzAtUVh{jxQ97!%gbiE^@K+uB2c>0BeXU6w$F%#p9rG2&O`P8tbb@idd#l~CLXZaAa)!foVJ*P$Q(gXXJd}Qs^ zQ=NWu;08u-3t9^yA5cp%c`Rvfx-c>01Dy5EWpC8qYP3{7Ad%CblXe0|vdk|2WwneP zf8ANcWL&(THuo`M@cHhKl5>9~D5))9ZukD?`^pA;U5UtO7`=|Pl;G>GSIP5PCfxXw>?AuC(pEJRY;MvwhqSI+iWAw!gQul2ye}9ZK)Q z13ztJYj+r?di!`}bpHOL2H;)T>UmvsI@;BHiu{AEXW|_X>N-s8{0 z&4FzT?D2v#PM-5`%?CwJ8Z}(!h&EBuSh4ArRx+{CQkikgm~Ez;r2mJhcM6V#jk-pY zOw5UG+fF97ZQGg{JxM0EZQHhO+t$QRpS<6%bF;6ysxP{__OsSrps*!A)D5L;y5ri% zIm;uAF=H{P5R^mjUDxW+q|MD5OLRk^m9!jJdi_PucI&~yz;-yyb_Bma$3=)1$dfl= zMW$5vMK(QDJMe(oyBj~2axd^}L5fmc?-}>eL;9y2N!H#(kklA+W9>W~q_FnU{cUO; z4Z08-4qHat<82{Cu&`1;8tT6ZPfi1qJrs^*iMdmbc*^})P1&aPfwZT6>r<1#+h zs%WkH6&guq>vGC=Mt^%hOTqsZXISu}B+hUpna(;*;IZ42;Z*+izG_@Gy;2q4<8mTBYwt~{E{G_>gy zj#Z>0EWvc|iL!4;se=~3icUhLLs2qijlEoMfJmTd8%*G8qSFpMUonzwf2h$7;~ z*X@TirCSYKy8l6^*b3*LKX4+&MNViZ;MJxAvBJe8l`RXUK;}5~V((^Ft~J)cT2_)m z$N-HOW6r>C5uu+#5pRYgwo0{)iW48ku?Am+`VEg>H;lD(SPUvWJ{il16iPCxl0*!t zMHVhwR~=F2&*~VP7%N6uFfIu#TdyR&saULNxQS}p8Yyz+C-e6RZ%^KAxf!l*bHFD; zN&L6;B)ra9I<)sI*wv%At;Rn*YZhlk+}m{mCal<@X<2pV;K7nF&Ulae`wxZpMIa3a zxvv%QAOWBZvV`We(^84FBoh8ruh-LwA`b*;&hnlG#qF%oQ z*KDWY-jP^I=CPX37LmV>2Sjvf<^)b`HNhzRwy2O@K{7sRK8XqQwNq9{vsfMEW zw~`J{bi&nQ*c5rOjUt}2La;=BpMjvwEWY9WHC?y=(ph9J$-zu3# 
zt_W@;3rCc*wvn191G=Y`Mz9?t@_hT#1el0cc6 z@5?XxtroE0#sipCvjd#x5{_pI+chZsLely9$@l}+6f#Te;3MPnCIzXg`{v<1V~2lY z=OdZEqWC?~MEru!iy0kovYMgOq3e?G)*GXXwcG7`6Wp`jZOq<>E4;As_UlZZSUSkADjqcmz^9Q}W3*vNj^Qai1FBZd=_nyLG`{mV% zp6~9&X#CopOvYx0=UY(B^^T0*={RW~{qjp6OwIMzaZSiFy@2*>`xH@o=X=ZF?>HB4 z9Si-Q-wTu&0-O4!wNl>CsPd)`A7{!NzofZaGJPNKaj!e~x2CugFadsBBmi!QtcpF8 z=rc-Q-PSuKXK&z{_k@1O)ThLEP$^@_d!GbDLtj+zUCDPm%&T}rZqz-%8p-*DPRiE- z@Nj(614aKfEtKrP+43c=Q9R)?qr1KFbb@*1{fYPteAy(_ZMm1;!O^`f3GwToyMMvo zJMZBJmLuf+!320U%olW2IUU#decnn(RJ+(!cuUl{Z~Ikrx!(Id^S@Vl`=xhhWj1&i zb%fYo=6rILTr`z51Au>_hHTLC+7-_VTw=H#PcYp9CKm>Nj!7?FXE()^JuP=?E*i_F z9SS7=A=X>;F*rR>4RYZwZZzi0+Hc4jtTTQ`E$@WUnQc>HCv7`+jy3WO{>!8=uSeA-Y{p)?Y>~n?4I#8`}z#zPI1k^oN(W5Qc`?A2X$#8i2xTVZctC>+R#s zOS?tk+6&D=!bi{UBT#lG8~C0y_>FO$8Khl%zA^6TB#$qR#_vkaxNeV6gWH^JV2R)N zKRtweqpv6&6_fT}4_Go81LStCqn7j38(*RaAETl-jE&4Eko0y%nQMqG%}7@>w9Sd1 zP$9-i5uyBN##GG_p_;WP@|Mw%;^^@|DQzpe^K>Bi= zeTI;5@e-COPpUibUxj>eGhsJeEaoh1ZxdmexHL;?F!ss%bW36}v7^MfD6JMlP9Me% zR8*Ez-rovl=EG*OB~nx-329{-+4;MQ)b)-cDdSR2aPZ?pbrl*BsD(#rW5J*%fx7sV z^|r;BN_fK4x|}?U5G~B}@Ro!X%I z{O!B0!$u@#mri9;o_@tfvc!FHdBGJv|6O^C*DavTrVK#T`75t zM@vsgTV%C73h@_e&m39)t#D{v!~-QYWb|Fs9RDR6DwkySP_YMsv+p}=bz-Fgc77zJ zU6JVOvRX>aUVvZx2%|z^zOFoR*;tC$pP!3O?MFYQE@N+^DT6ASR8v%m%y#-*0jUU% zZnL?}Zg&|yCxqb8z|R(6v88IR$++BvQB~3##_jwrOT7fXMzs}-W}(UC!yV*(_UnhD z7D>=*vM5pjtO|#>y4oe`G1|~x@sb>rW43Bk`Mkr1QrB|vW3kNu2TK49*A5m;lR5ss z&33F4-sB5_@29}krDZm-C=_S`RN$E^63kF_(COTR z#+c0nhr1p;1wuMNwL5u%wu+_7jYX>50UKLU^o0*}83%8vm{&9c?GK`uc0#2lwxmfM zk_|c@d!aoog=O8GZQxdKVo>2muSq~4F9gh3G+!UPa)5qs=&fmUp+oYUdD;IN|3f0b zfSmyvPJlk--^gfli8+X(8I}*W3oto5=

c%^h^+Z7tK#yymjDZg`ei;hsI{yvj8){y^~qN zf`I<_uauVLz^^ZG5vEeJ=G}O3I5={>bJV>aJOa3g?D%@Po|i~)sC4#pXW|2<@?)fV z&yg(a6MoPDpJYajD)^e_Vsg|pHs1~@b2?p8f;hF_j{~ih{oIZPD?sa-8TV;Tq_m%0c+_u3D+H8;M$BgX>!Va#c7n72iw1yYuh?>tW zjh7>Nyqwl!Tpd+?ZoB&d6{O4NJ9Z6n?XtRn&c7IH|8B zW+I;)=s#W_9fG>nb8G}w-;W*Z2=!BX#_1_a96H;(XEIVgtnPLF(tO>IPY;871aYtL zMfWg6fRXCWx|eZ52~ajrvCjp25@)VB?m{yTZ@bt-NFJ}#=nh*J-=%llAeyIrsOsZO zH=Q=uEBvHW!y4E*hd_v0;EC-QPm;gB)sx`dIU z24N^HA`@G#A&e8P1~Z=gmK0=F%{s-^Q+|?B)t-dIw%(4GoEHkVU0C*zfm7R3&ni}X zGRC_W9b-dsM#CyXVZp(jl1H#<%vB2Y z?fQz1rBu<6lSPL$TREPOL|4&cL3bj%T-~oNQ*#xAk!Ci$ki3w|2CgXA$3=%=L#fbc zZYf(K;q1>tD234A5(eA7eMuPC&@bGR?2GJ2OGK@#k1} zU(BQqbe%H`D9sHBwjPpgi$|%i(j~`L+ET95OS%i)TSx#8;I#v3$QTtRS24tn`2ed4 zUdp$5?##>#2V>h{%yUjM4bkKl7<1Lb#fkewF7$@i6niZl;Vc$x<8pC%bL~1jfz?(g z6(+`JLPm{2$hVd)mTQGvPES+cQlRBiCs3X3)}3x{tjr9Yp!XgJ^|TzsA}iD&M@BGE+JvcyqvFz&P1$@j{4%*@ z`1LFDG$ZrK<1?mO{MNh#?X(JLu(DEw#-AE{!NTex1I!8_KXpof6aQ*VD?fuq<*QD4 zw@Xl|_$?MtY`O6}OMiJLkyRxG$3;0xJ{B4ufn8BhsQb$Kj~ZgTms9@&m@>OwB8GQ7 zsnts^rTU0hf>ZgHEsw!vYvuJS-ZII8oq)NHCGT0i#|A80@4obqBMUXOQ_-R_468Jx zz7bJzt19l~6ElEH^?sok3?h^z^LHIJdQ4`eLr75_!#KVG1e&O>S0GuJ3yAW4C|_``QZk!D4R5(S?T z%~Hf;qggM=5pGSNt^wHTldd$Fj-r$=(1VZ=VajP7!b!buThK0InFc8%x{>}jnTa_3 zj|l;trcDS{>Zf}7KUh=Qk)nKENjkoyC$^siG1|;?%L$tHqL3wbuVg=D^XW9C4I}#_ zij;L4eM$wuC#qR<2mNozVyTwa%i^@J(5%S=XQ`<~k_?xR`3vSBlfpS!i;|$wq@{|a zd+?SwF!)Z9tUbGN%gWjv#tZt%M$i8)d>2iJ+9BMP>TvE#@sDYeuZr_f?5>piI^cwGXkf0CECeTw_vkRD|L^c){UM(F5O50MV(S1ts|{Lw z-e9`pmob8TNeDWo6G`!XLVPfOB7LRkf2XzliIt_u8rub4zx8|@Z(ZiiJ03BHm%HzW z-oFDxAJ@$@K05&(6joVZPpnAxO^4SKoA0Cixcn~D#Tk=Y=k84!Ifq3y1l-@H#w!B* z;Y~bH=*cgy5iTy@Ez_C5`;uZnTYwL{S7kAkfk^FFx$(`zBLeXtXJuXvOq2Zg6=uwL z0}IzaSG7=ZNO*N7sRpL62JizPygF@2+GSNUI@fke)%9O|3hho&?_i zB`;>nG|Y5OiQnk@Vmx1LA$1%dN?haQxPLNaSlp~t0sD?uvfW2rmN|6jy>8vTvL3sV z?0cNj*29n(0A%h@YdvMQ-*Ks*4rv+Jt<5ftS|8i`Z5oIhZV<22>}v~A4mWcjSFrtM zfiefIU!A4JS&pO9C))1jjGlK$C4`{xE&Wi)vSK7YTp 
z9?W<-IxhM@tLAt+-yr)ehS*#J8WwRlB0jkIjtWJu_3JNhZ^+&0S7mbgakw?n@?+yCxl1iY3q+o43jd0E{^7F|Kd82JRQ0zlCdDleCP!4D>%bdx>;6V6$THD|{2u8$vw7dLIuhhVc9XM+u;gfoj5bH-mLxWIywYZHVX)78Cv zAF$TO!wfI7Li(YX;uOcFVYJ>UYa!*r2A26TDXka(*&E;-DKPoUFI0aSy#N(L5I1$A zS`{IPj*2-y_fwSpmt`-6tzw@GH@)8JGF~on@w^w?UY@-}xU&3Ea2^+ZYJy?DMdREo ziB*$Y%`;i(F*je8_K(==r{DdOYm00GO6a|#oZbfC{k`e_1;Va>4U^KmBT<)#D&@c1 zesyqC8H{w}AV@W=Feyl(MntS9!%;>}aSL}FFPX=G4AsNApw}6UHZGJZA{k2KV)WBU zt##S=*l#>jmuq-*vX-jfvU_^dr-N;OI}?EJU?o zWef`(Oas}Eyo2V*lb@Y+s+X;h$BQK9TT#gfsy8YT{F5U|LI|l_o+w^EL@@ra)>n9= z(eATA9YJ26Zl$eGV8*O?^iHQnjdNRA#t{;)V#{2R3n?m%wM5#iDzlc)=@J7myPB5v z`PKC)P+-f8zenorhWmnh3Aj)AFCy*U<;!5&Rw`dw#GV%k4W3*WIs@MvK?epZo8MoB zy+5@*8$q4D2A#=K-ajaN@$|9YczaMst3_6@xbK82_BY%g5|7T{rx4vm`y{aV-lN*_ z0ECJuw^pK^^T;3k)JG;QcHiJSW+9hHVG@9_i)o=;*ALzD$O}97mF9 zSuE(4_`CF_M@!&4%;jopjnoa+6O)4?<&D}J8P&ZQsU)*D!l6q-QjA6!VvS1|`4Hej zPJ!cavIU1YLOTkPV5!2wl^WPhaqT2yWW{v@;cBWsdBF$8B?>d0QZTx^zj6Qu|B=7~ z2-)@i#sDToqyF)OU9wUWSHD%{LTkhk*Qv2vt|;Vj*=go+n0;^&bOkvVtYEJK6vTEq zRrLr#DYdA^)ezaS;SU(vwah_ip29eDHTc~0ttu#HbTr&H;pEa|$Sb__q0F?}_H+te z_t+nbjf@*V23aY%wb<6oLBThWb@0-);%S>Y(nt_mtg9#zsM~~M)#BQ57UPMkk5AXB z(!9WOQ!R_u#vcZinC#;`j!>ioD*vr?MrGW#_vkW96TCpGEaGB5H8V!7Q2jdF_uW!dMev#;nRrC z@aIB2+tJqGV z^B|xJX}l*v&wHVyyoOnT|KWsF^QNooCfXspuqS`}ZTupJu<_PmWaf&Q`=nj5`^+<+ z>-jIzbjiTZbumH9O?Acg%c+V2)$Znryo}xNXU3b7oHy!EOvM+N_OEh6d{KO#$vF1` z-0sGI!j$yS{Rh!E3?C^v8t}{WIhuPXBOm9dMqWu!4tm!ofO5w2>z3QHno8%7tIHb> z5k@S`?#D@maEZ+Km+PsRvI_jGP`w-+GK(6z?T(A?5`4DK*EL`Lt%uIrf|;r^U*7er z`Og*_yqCT2yQ`bWvp;^J%QEOTgBybucDF}I(hs)|1N!$qM*o%Wo@ZjvjP{4sz~#?@ zeT&c2=x2^DTP@Sq7&qS`YQCoXs||*yyyEkvT+zRNUZhiFEZ>z2HWg7-M!6f|Lyu=__luFv$=JHhQfHPm7b@b$jq!^tPS zX|q^E$Axk0EmV)A)iWVuIm>%l>Sntep?e6YhtKGY{|1Hd`j^+^#fbiW*9pL5#_-+@ zgV(Md&F7Tkee*W@cCY4ceD!o&2i^deYht6cG2!rKZB1YUM)6mS z4e_iZQkG?G?<^#jHHhz=>E6$nKL4eMACPi+b~G|&Po;k*lH4p%)Vi1~HO9dp?ms!s z!qt-$$%^3iy7W5=5Tn1>kwEHK#18*pe8#4AF=$ zp2BRg1``dN!af#f{e=Hf%I3-*#3as(UOXo}B4lc;%6g|HbE`>yWDLV-Ln0DmrzYCT 
z+Xx+F`xnB&GK?v6*9!}&lr73{=nEjVW!fr9nJn>7)8P>Zva);MKaGk@gjSP+c*G93+97a?xBjqt|dg^M&aB-mm~-~MG5KHrFn$go*6`( zEu#jN8W36b=lN0{?6+PMWIc+X z3Wmh>TZ~Tol2XG-Og6;_(#ZIjk2s2@F2X&E2`~BE7s6YhBTQ5oXSUghrke>#!6FO=S#6=E8D^LX5qfpBU*PKeO z{V8GffkWIP=Ei>HD_9%0mK;7yljJzZ9Gs;xRB16su>lPXu8=jefuo;`BYZcjrxUNo zLTvJn+Y?1O-;XNmTdaotU^-7xMxe!gh9#;Fl+TAqz{VYgnTjKeg`oXd1d{ojJAZ)z zNk0`nV`9d<5!R%9y6aI7-%8&At0yu~D|3ncLrzO|*Kum_M>-=?K%5~4*#K=x( zNh@cbUdiS!8hj%DEqrF97zdZlSLczY)Mdj1a{1zIe!R)V7 zmZpUJNpaE&zldvEW_bB7)vbJQMP81q*Q4Z!+KI^AKT40Ff-!qz@~O+3Ag?M?r2;R^ zsj@&b-ii%bmvNZPh}b|!Y0Ofj!$sKOCnRGqRTGp#RB@%(sw7S z9o=R4r-|DA=TmB|jp(*&!FgfL+L?a3^dAoBJ3Jw=F&qsfis&q;-qzuX>Z#SEREnTf zvfVGX9l86h|2KYrLt;aw&#H%>vo8SynQuE$cE;^Lik(g%vLmdBA|7cj;~wDb+fekO zvkL$RD_}y*hrVNc>QQOolXx3o2Jm$)?ARxX0gMf#x1CsPAEZ*~pXUjuH}?|JHCq2s zwpB!#@lFi0Hp#8Ng$>_R?gtiGm)Q)@)I5iSiOMiCpZuF@R#>vYdtHy*1YWL*Z`0JT}(*ixDOzydp$nwcx_z1ulH;K-C9XL zGd6MWzq_WlK98%LCt**z9F3|XHs9fVr!r&cB@)YB)S1> zViE?N*4iz@jI0OS-wKx3N(LI`{`?I- zbNrXp0=_p7E$W@GuM)?dQOycg-4rYrn+=WK2T?i>t`9K=p)uQ6e+w{P|3LtrAERHl zTvzx!chxHR8&0;KyIOWgk=BZE|E^2bRCkWVWb@t>vom!1?>KyUDs=ImFue9B{964? 
zY>D3Fr6 z3S8YzU?+CDE#T^nU-|%#r;m{+vOE;Tu@|r?c976ZqZ!b(0Ye7zXb0 zOwaDLeF0Pwe5sR7*pu1dKIXqleC&ZeZ|*ZdZB**zJ_zqWG}`7ypEFviZvx0yt^Al3 z5ta)fU9-|4+_TitXv&WTrcOH-MO~fNfi%b&Z`=uNf1C_WR9|jbef;sVW&SI!HH%v zl237v)fER1wa<(xEUY$_?Tn?8?=)7R=01})g$+)uaHUC=AG2@c7LJcslWnJv`z`KI zad@WG9S={`n{~M5Z@JKA94;6ftar*L$Z+u}^HsY&ss1QrCacBHACMJia3KWeHMi$R zdErTc8cgjD7U^ttT=7aM*60-&xzad3NY%^o@>hZ-b6w3WWJNd`I<(q=t%9azwy9kv zEP&6tsZ!TBHZ0V+BMYKlu_MWgO=iZosuPUSf|Vhi(-DSwj7QVUE0Os{28puci%fD z_L1deV}Ehx{gix%sU~DBNALsFNvsgknaeylebP^lKTIkk2ozb)4$36pJ}kl;;*?~g z!L;PCsI7)iQJ@j*6tb)cRElPW#n#F$v&qhF&YJhK-E&sHNpAvveLugAy+3hvx_MHc zdK5kxAGhv%f}}ZtSAg;U2jB!mUR)Kq5c-opjWoEv=caW2loDJFYU3E3Xef`>`V1@wmLW47DHOP>3RXz2TBA3hHm(bwxDKSz- z30Ge7G(Obs>KrKKi4tFDt2O0iW#g)g6Q00Pv_c}Q3*)dp(#@uXX*yGCpIFE4Tw)j* zg5McC?&^e%;2}rLDDscH=cUk{krv?vsrvW>fwuGK00fuI7LC>|z_vIbQT-fKT%4Pm z&eMr@4&{^$13mmlu!Wp(&M0Ui-V)y$C-~wXXaPL#&oK)0>z)gsZCF%y>6gOGB2YDk zq^A&wo}qOW(eeo1ZD}wwQ}MijdzBl^!POxo@>E(RjZzINjl8eSlOW$hqzOyHH!yw{ z{%7G8@9eAz42*m{e~r)$?C%NI0*)JL>vf+AJqoLdjEtxt1Tx$FEFR{3V6>t&jii+9 zsq?fyvy?qnwh;PDcZ8H?a0pck-gr2dE3ye?n_gTMMPQ7+HHvHf|Vg!l7We&Jr$UkCUpnx)f`>&7y=)ZkLe{=u!tOB20 zio~9wyRrxp-T2IoAvcZ~NBSiURA1&~^iV$jwJl5;Fhgkz1b1yB-eE#!~x_n3a zb^7c+7)Aa!1oz*x#xJiKZAuWrOjZ77A03~joEJ~Z_J8gDo>{CZU500t>(5q2G<4GwMi{A}*;%3J8YW<_wQZ)ofZ6yM2KTV8b(92Jemg1KYZx*H z%~O6e>d`u4?Z+W5i~!f5ejV@4rvj0@Eru}6wAaP(C{p=#>#_yq`)1#hAt=Hx%QcPK z9AC#PM#Nsk_X&H}MFYM2%dcmLR)d0;?Xc&qruWUP><*sI!xe??j*p-Wy7*39A2+_Q z-MmeGZ#~f|!0A~IpWpub#17v{;emtB``J#_!`(IJl05(OTU$mvCvl8DfZ^%#vJ1)U zzP+nA1HQTGXau**FN6IG095+V$Q%59Ajy2|IeP=vkbl7d3#bU#oOjyZ1XQD?G^0z7 z|2a{A-F-c`eFD29zCy;eArtv2*-QZa(UyO!4n$h9M|Es1~br#HSHc z-+UB!7H2~{Z$PRfqy$(poSb+#Rx*w2u>If??NV6b<9RthJLf|o9UW90lBg|(+MZ=s zN;uDfI<$-sxg(CqKuvFxu8<{rq&BNVuc8Dp1nhP%#UEvX?16;)M+2Jq0+tLtCf)#!?c|bsL~qA$I_u8?GDGEpp8C+i_^@?`Bshm z|FU2d6z?vxQ|`o59%YBAsWDGCK^32I(B(m;Ki20YD(aT7ig+(t4*v`N(;J*#nZ&Dz z9DDI|n*+Kg>!!u58u!tKT;Yc|q7EZffKs8C91bh^5w`n zjM%V_+Vu%oHDPg7SaIz!RdbXzSB@}}ENR~WVb3P`usm7}-l=eDV2q7%^iZRn0_{7N$`cOsf2FV@`)8gHm>rlaYMk#d$G 
zM>vA=)VY~fQk9Cz!KevX&n5cDrvSZ{m!6LpeZ_nBxA!l=UpuaaiJ=`Upib)lVBpj* zfY#Fa??J`VW8^>3zV2-0@N+ad7z=Cj6qj{adylFHo!l zCdHcQ2yUo)slfOT3e77#@#2PLnS$x0tfJkrEu=MOZgC%c@Xws? zXKD;vvUS-S0cl4JBG@%k%i==F{AQK5vQ4s9sTjg~n8|97Gm1+Q6GB%fnke{q{Ztik zZsh`YcIZ?Z{&PlKmLk@ba^N|JAYj zu%ulHi*6d9IqvjWojBQdx2OY=g&}TCib6$VV0D(rB>&^rR#m%*($B3_(V^ty)jZ|- zhxkCVIf|G=$YL=f4>j}l0)PI<_CRLVe)7edVdCY><&8gUIEXTaKTtdsOQii&k+og< zRsPjh^NTyB1%|s4GrTwc`YqPHC=3VNr!dQAFNM%9!-1AN#AH^yGhyY_H+P08@uVX? zF{*rKy=yTb1a*Y#Q79FR)NCU)Qn8{(EL!2OFI2$HQ6CSIEf~0;8bsk!w`MeJDM&f4 z=G2d9BTJ7Xc4?T1A(CVDsMR$GvUWLIhNew0=-S~cKn=|Vg6gBhmKUd{WQ9v_L(C{) zL~1pF&vn6_oKeRDAAtcU<(&RnoaXR<$Bh6h5!Rdg{SNR5@H6-z=T^Y+8*|veI6m#K z{As}C{Zs*N;B4OizIvH?*$FeC&FO;P<@4{1-^=S4)OX#7$S&Fk z_SgH^ir)(~G%8kT|L!CZ^`Y7;j_Y}!p7UkzsK!B-VTZu(xxr$E#@2h69@EaXm!*Q< z&Bp@s`r&iC+Y?!v&#J4*K$oy+dDG3sEv--F`Rl9O#GAL0>}>b)LH-y;(Q0L++=B0E z-}SqjWqQ+I<9-c}kl%Xh{fXB%WZU<-vu9oR)Efd8t;WwAqUA03=jFSN4kmqKur^bwGpEt0hLh|jmS{ESbuypTn zjf02nWA1zu=ZyCHN+)Nw&tBpQN1NLjX`fE>l6cFc{&Qyx;>MT193iItrt?V@=PUTb zGL*%~kJG9bm{VUQUF#n5ST%_nKZ0dDV1-FAC!X&!H6daB(;6=0JxKR7J{14`dq#sh zUeg$cLemO=82@?Ju|6Y@4jy2e6{&fJ*Hl02<&(Rk#^e5D@<)WgQ$@%17@gnh6yY>K zz}J%A0p@i*Fh^H<{cepje1RvHAuv`E4;dVsHno74{fo9AhO3TxBaI=1%7IotH`_8H6#&5i<;nh25 zy4&yUg?0xBzy|`mKJEeU3b5}`K&@FG7q1T>&pt5yP#%L${^{#v-&CMHCLvJt1LAAI zhnBL9MFos}7-s?pdn`LWJ$-eFto-q8u=)k!i#3}EtZ>{iZEJCm+`qnV@tWZU z>#ilnY#4SU3hxKr0yDLbvue9|^8^kNdLh+4473?Gi{ZmKmnIP{d(T!P>>8EG*P{!c zNOO_4v@Yzrc6JEKY*;z`C)0CJQWjSBKKkZil@Mcqb87rxz|~$r4tI^(IDG@l zqo4|^Zqtjvj1Y&6nZSW>8c;h|IsxvN0`I;7W(AKD&+Hp~UlVWbZa#wn>fN6*p{U3h zw$L~_DqWU@{VwT=1bi`8D7C4}#J4ut*cmS?fr!EGt3tKEgbSYmb5C;Bsg@u@6O=A? 
zg({R=r4`K!KYq{7dr9(Zx#ocryxWF^L=5RqjHBx6)6Qib&vNhtNp;bMMWJwjY)%{U z72Dbhzi{zM|Ix}5a{hrhcF)ZDI}hIAHhf43^{`(kk2128jXS`DX=!F+OM4=|K~Oo< zk{)3`mY8BZFpdVMe$Y`0Z(-0{4i6>@14Hey^elva{V5osW5HHUa5xvHitQ;4R!~hu zgJIdXt4f9(TMfL&Wh#-Hu z*PLqnd34G52POgaFE1-nw!!m~=6(Bz0u0=lv!jKVGSP4Eo%)Bu!f;B06oPLPb*I~GW7W);T2Ko zU$z)~KO|@gs~%8U9xpbuC7YlD*~wO?+PYkYq*o}a9?!q%Rw7MhqY`Cv0uIZsZ;`EBjK@5TX1V_*|EwyHsd4{Z!m?AjuN}> zk+$GW5nr;uUVuAc@c++`)ITb z5$K|;K9L6}T11smgC>5hvCe~U87CQybmeXvAKGzXZseR^>Y$gbYp59u4(IY?CuPeA zF=FGA>ES{Y+F7v;b%%zzre!?Sy46;t`#v+_`!C%KET(aDsakfSiC-ZIcZjCSKJ`<3 z=s!wH8~YRK!VQgdg>an<=M8mBDkHTL7q||aUE#nVcJILDQ8meaukO-tHryoYxOWQq>4Of1@~`TLq*vK=Svp>qA)zHCojKH@~)4 z?VF{8-^%Krk+mvCT&nj9lMbbCw}P5`dEi`~E-zx&7|*prS;#!vHt2$|;0MWWw0Wfu z98pZFD_Jkn28yxchjIuINhwS{;+~am%LJuiv0W69=*baP?v%I5YoAhp;3TZ$k4>9v zFLho-qw6gvc=n&LoG*^urTbMEryVQO$s`FShjqE(WT-Y6!lM`3raiySt48gM%4pV2{2uM#8Z|6A+u&daiA|Kw;{}s7D;Gg!8=tFqSHUr|(75JyA zaQ5U5?i?n9StYJgeOabxQlGA4%1JzKy^^~8Ab2H`whVDPCc!qJH+W*4}~H$igvP9GTBe6LTYy1 zSF=K|cgX9m*92Y;UPtz(Y??Q$OuQ3D^gVBv0`rGbS`w_?ZM;M>ENh_#;=D1Nm?5FH(k~Ff*6%G8>=TVrq0fjDS-FeyYRr z9{-jOvf1348CS2jPIoDhJOq8L8Y+(UUH4Q3K*%MZ;jeK$wzq&K#|4-UM}(?sUoYkoOA4rqA#Y~MlQK_>2SnRed=ntFcM zc)}a_+IG$m$NZwzo838O;PCPaa;2oCf7^~@O-?+>m{~V&x)E@ihu8tw4TIVUxI_Al z$?4bvrX>iofp_yKH70-ge>e`ak1Z*9T=#a|VM znq`~rcEAy3vJsRZ)WONY44k{CaqEC%^sj3%K`Py(T zI(cifxcPem7g4z;R48P?abuA#g3_b5K_Hp@PZih9!M6Hx3CJXvEC#;o1qOXP@}Hru z^U8q^7s_IceE~3ACLb8rI$VZBpBQxPzmE&FBKjI7s_Q;!9{!jY?qeI)4Bea zOo6eg8fDh!M47d02i_Y@{#CIAxYZQ5Lgd?N;#nRoQ`dRqs4jFKSNsi5D+CiINbO_} zF(0vptj^F9Kzv1YT8LK6#y02rrxjD?m}u@M@N|(WmfD=S|3TcIo)XUiSL#5KSy1ibP3Q9GDf^-#SHZ)M`&-zmWWj-fAFhMo8ao zf>+CUn@|0O!ma?T>$d@KHH^BvU(3q?dfoQd3{Zy2ubBP95sgrgp(dDF^AY07lOfae z0RAqyxxaR@Od(=nd41a0R(#?#ZN*uZix+0Uq|RVZ6@PTu4J(!)YNDM0VGW%K&OI=M z4$>4Zdcdhoe3d>iU#vb?0&ET@RshU}FG%VyJ1yM*Vww!#lh`I1a2kY&5ZULADPoEG znPi0hrIy9`DU@U+rkvAjF3c$npn{9KZ)W3<=tFI3c^3f7TK+!t#=3tL<|o8 zO41;}c9E5sz6f_og$K#Az(#q1wf#|Jrl0MvkdL8FUO(W{s0?SW)RD(*l(sD>dr(w| 
zA)#TAQj-cIAu|!7mv=l+l1RW-2f>P~5T}YPgnjL=rIs@FSM@5OiS9FGlp~)w_=N!< z0MkFATTFCJCdR6&i!x3fG1n{S2avNmdP%?8mP+fEjwUgA`UN-(zRYv z&EKR-%9Zc*r7wH)%^Z)St6S78HAi_EaVM$J&L|uCanTqNK-rK9U zT1OdMjQ~p9*Zb7VQrFs^yS0j2?(2+oIVH2N|8#k!gredcl=|90^&=?sH&}=50j^<# zLTP~G16T_JmwR1iqo*C)a0f5@BrniZJa)g&sOL514A0|DH=u3nw4c|k)V%)VW+16Yma;S6`I~K5zKQ)qlUp^gaw4{N1X^ zwB5CnHQCb(HpSmQ5bAw^V6N#MM902*KRB$b*)AxV2Q2sa;b~X(X!>yZ(X;o zwp=~eJN9wgRq<1amJD|r%hf+R_C99EEHUHP|5|cS15P`KMgRwCJm&|8=>d&x$33+h zQuZQsfRfMq1IS#xy9@MYuJ)*=a}-U3^uuqRuG`(8L3Y!~#nlZ{Y=`nD9>Wzq;3@Ie zJt%EDyNz6v-*!`K>5;kTA~M!vATF4}3f3slJ-E8f+$h2$MaSWz|?48bX6Ah;hKK<((KIAzS#5lZR zQ!1qjPPL#gKZS{BNLJ>J!d|6+)R z4VoC&rVc_kYi4RM$U(fvil>m|OQ4NEckdIYK0EZQmuF90en7*FiJEU&JjeJ;C-3!` zN0>M+pF2GE`{_lK8*8E{w2fm6ImoUG#YOp#=S7s57EdmnOsXI0qD)+-Y1GeR#c)(y z&!S=#O!l$BdY^F-%88YGpnm;#>Jj0t9fyG758~`Nd1&X{$e(&}m1ri$7{Se$Qls+b zdtG9Pj-}Hc6r3zJHD8U3E0&X7^4K%rsD@D!=2bA2!f3Ipy`e_rjuQ}!#$s|Yj;o^_ z3PUxUNo1X1Zw2A54}Ldrjr}e*aTYz8l8nUr^8NCwzFtd&%XB(&WTPl%Om38s zwP%>7HJS=~;;PM8!mAej0V&xct%@QBo!mgIIYo5%Xf5*L{a=c+xY|0^S<_TEx*ip; zCOfslB`asmUw1WbSW#ql4l|{qJVzgD zz(q6orq{G@uH~gB3fIeJ!NXmMt3kh0R9Qx7e&&4HB=u_rt0)a${y+3k(Ym~}2?8M+ zX?4-Lv2V!|&^hu>F)0luKM)#-^c1~}Nz~2so5@OOk}1E?shLzME0A$&b3Mc%`45a(I*fK97RF+&-(N6tEBpxU9v|Nq6gYl_?bfMTB zA>R$yKzAUEKG4*p5=;I|WcJUdIoo8~N5-N1^dCmrO@-$`0*irZi%#;8g>n$KY|g#J z$L_?Z-+!dCkp9&FbvW2aogVHze>fN{C&Z&ksB~!4suk@=`?dX4xWsQmG*U8>-b}_( znX%AV(VE=E5I=1Mz4y3%M8AqW@S_TLbvdP4B$f|VJ$r*>wdLNF3m(4I1RE(^p=6cb ziPsc$xf#AVlI_R!Y8GX_<;HZCrPi3{4(;E|5>9B+0*P!wV&`P{bjE*_o+U`f;~CQNv=pxt8IZ7hICJ5VpC1%K=qob~D}sbG4lKo= z|Ni#@Ye5X4zF*!6J)ncLcfjYik+ZM6*3~OSuSXv!k|YG8q&P}|PaW=$1%;#0K$gP6 zfj?_POW6ZrcDhA-)}8PU`Q+*7LtrLwVn#6HAvR1 zweB|$uk3qwn9ii_?QfBn+Cw75REdHJui+MkEt7rf$Y z|Ngs4%z7v5?B@461?b%9^5Jhd_JL9N^R)jA-F3@HD%b(6=Y}63;SB1Vg}(gTH9zrM zC3Wzudt^=h@jygB-7CD=0s<|f6!5R4l+O5E4ei#%f$RGGn}I88<@&ArwOV}?ZE+B7 zyq7hU$2%!~_qBs}uGduzT?3g!4L*lq-oAc4*L>x@F1!0$efs>1{+n;>z9oJm^h!IR z;&(;giTOq;`!1E+ir&w_!1G<1oEZu;Su<=mQKr%7%49iO7vT5&FBd4tR0lrVhn*t7 
z&h9-mr6&R)C>r%#I^XnQ?s{D%@`mTPdz=;?dwRL$d)*Ju=5z9%)(jG_HJ^hm$~*Vf zq%4hiuGd$&HgB$q9lF_eacF^qq3q0ns=jmYyVL4=cIdP0Yu4i^+-wK%#q@dY-N9}A zwP7c)Lk)5DNBai1AeqAG>VK}U9oN7KvrhoA`O|l>`;gE+;Ih(Me6M>2T+5LtAV}$J z_F#1X$b1UeIesyc_kVtO97vi7Rybut=k@s9wl^W}189~e<6u&|MmOMHD#W1*;5Und zMfY%j4cUug42e&WIdQ1oDwe8L39B@6{n0Bl8hVgjtFcKqpD$I+o1_Pd0<0v2vrLk{ z0`}q*YA0h^W*M^e_2OV~G7J8AOdgF%b}Nc1Z%#u0(wr-@Y11{PmuVdS{aF%&YMrx=J`@uY&+DHyikwqHm;%*waIp)M))-lc^fH2If40MMV%}h|=E#{DYXMhb z@)M3K-bVmJJ|ApK_M&P4+zKol*-;m(1z%?6bL)Bv{{?b$-{$;u-q(4Y6~f}&92+PK z-nsxz@IEx>NesH_fgCdP%7_N#YJ{INYQ|Oraf)2AMX6@x!vGPxri@`~GvBu+|7p4` z@sY7_L7IA14>5kcHDl^gjLG8F>zoP=1|G)a=PS+Qd^=Wgw@9JM`lY+6zUHy5P5UOb z6uQ$ML9kmcTxE%gA_+Gg+O-%q4Xa8{MCU8)Nx$VqTXi&*yM7|WUREZD-aajP=S?Ub zy5-tFa*)H|IZYn}8?D{E(Vs{%;HrIARj4Hq>HnOnw}s*<>?D(m|K?SkE_yL5qTUjvr>ws+08Fcu0NmBS0zEzG~S{9E%dZ&H~+u zl0`~=T7@)lY8COTb}5hrg8JvL#ftz-R1%|M@LK;9K<<4T_1ygz8}Dc2+z3Q1@&Dxa z9;*zjM~@c^`{4sY5v1D+nVhUxz2MTVj)N68@WqYJg*ei7nw3Erbx9tMeumAq>BFHXNU3nHDZXDA(J!bBV{FgB90B8PD&G4hP? zTh-P^m`dT6g+m%hZnb?GQuh{Z5%lGN5PB3cFnwgc6FO1@PqI@ym43uW3w59piQI6)eLk?8PG$>OQlmQHpG+1c+jjcYh|#I zTTY<^LLZ~HtVw%Bxx)~hz#QR8@2dNvX79^n#|5bfxGg~INprwu{)SbFPd>Au%eNRL zN=NWZDVLII`D_j;(m+OTIl1BdLx?E{QQpkPJ|EO4!KVFrTCFix;@$oO#|?eZxkk)~ zHGv9A&8ggQKhg1sq|Q>6YgHj5H6^3LwYX*Vj8{$S3l@wdHT-?>{6SJOUrew7jpheO zO8wXG3}uCttm5*qw#j_#kFPph;%w@v)g_x8Lbp^D!nB;5QEFb^LvG@ATWRNGB@y%E z5T|^0!^{}e+fOCRiTJg3qz|H`Y8VSY>vGh}-v$)ecRB9=?*ot)W=VO~d?o(T3wn0{ z&z&~b%auXjSCCXe<lfKu_&U1C2 z0k6SqZzmJm{GKG~0^UrnHe z{x187pRA8t18~Df94s|grso4$dvDV2@$Mzy?d&2+tE%3CU4JrwKd14ow%*9&HM^s6 zSSKE(o<|Wl?z?tSkWb{XBqa>$8?>;z(+b2Ey;4{eTo7PyyzTu*5J3LC{+`eM*>f=( zp|$Iy*yooEvh=leWL&()Ug4aUF5aLjp|N7e=15C(V+ggFxS z1o@Qrzw~TM#a|45084leGml}fpxWK??aFfd_rJ+u}Q;X--=x_Qm&)U|r$8@32 zx39h&0iI8)>_lWc-PYyNicO9JPT9n#e{Hb)KK2}={h%N`cGUt-3T)H8Q~J(Yy?4RO z?63cy4*vt?F9N}ze)I?!#tH7QzXH75z6w6*fL2i06XA7;?e75(gZp2I>1mkjRX#-p23q;BDpOQ^1&M#2rDOo9$bY+rBaa6q4F_pdUn3Ia8&PYm< zSu+!yBR3^%Iw-Aubf{LOX^Rtq&`TcO^h4r>hD7Psb9ALqdsa!;El~>8VIvM*A*~lO 
z6emBSs#@rr`UUq0JH__}zTa~2m^zWlV&)(ZF^Wm$4y z(|MQ)n?wl_Z`bJ2pKnZ`lR3D%O-;VE0i!7tT!~4}<)f7Nnf{uw=I}xcM!6ZczcHjzvSfd5yvm zmhGw$i3d-ePrF{AjuS2wi8dMDCRIT5fzOHc1Ts;h-qPAU>1&}1;;7$7iI=WDRYo1v z0VHP2dhqB2e)7nYYh|KKTDUbk6Qx)3$WJ<(!!M;}=67727svG485AL;k>?^0{Y=L1 z>~DZDnhUta^O0Ti{|4Nmu}8pYajUrW2I_JUj6;sdZ+SuHB0{;Q#g)Dt^?Uy)qz}3! z*_Ft;>`5ec>Uf|sQco;!lvC4IB@mFw3WeRiowVpVVRMXhst>M|*YzSm!$K|F(bO6W z8n59HkW}QKD8|^)AFJ8~*vtjJ7^id zoM~$<(H0Y}c1(Fn%f~+UCsVVVX3!uLA(R2yEWyE+!y*%F5$t&lK27`w36?7Z zKYs|xcrBUZlU5#7mZ`2%TP@Jxm=M#YeAbdzq|D{?Y{*lN;;AncF|5F_`EWB^zOAQF zQQr1(pDMjNc<`W#QJO^a&VI`+S)|C#NQY{^EK}?G_uOi;Y0a)^H^vJwW@6aITEk&5 z6XuQ0sGV9+{Gvg&J75EY`%>^{4b^6ed`>>~_uPoPb0895LX|pZ@wJn1u}I2U#I)Y> z_uaih(XG2P3E3pM?<%pfhPt9YVmQSLhVxdrIO&YyXO>w&#dYXKue7``S-K;=UToIX z+GLKCY{>`e{fWopsCJQ@{UR3p1bUv${=um?$~G-NB83)i32vNloeWA))}LINwc+3` z#uuE-e0lR0-7lJ^g+JIZ(TR^oYHeJ6z_Zrp*=>FQecn*M!G$F_7J~~H-vIuMpKvi> z?B3@N$4^h$3on=zXK3K_kZVlnh4`KEMhH6RHMBtd%*X)jS@d=bdkOEpd{gySFL*2U z%C47tbEmkClApxPD)hr1bhJ+&KggWdD|wjqX30o7B@pwnf8OuV!0qU<({(JEZb87()aqlg2?td?Y zX15`8XJ8Wf-95fc1B5Mh{0`H`zQ!|%5H(%DUDr83;|Z-5y8@*qEdjb+=9Nd$k46Dr z_aI+=mq%JDI!8wT?b>z!Q_J=rZujW%yKi-f@!p`vYa>R+zLDYc9+z?Fkw-llC40k; z$6z5)>C+rNN=;i<4?FWu>Tdh<#0MoMGA|-G`h5 z_n8EYpJ3%KV!Y`O+ileKwnJ%sGQ(8*-G*P2IrDwqTCfe@Kd`v7 zToIYk0MaEZz{kw?nL9`Wy}ef<@cVN6uD&zsfZaz&)EcYyY*a9$=At!ObuC zKT&e5D=_ai`1$`RD+?_w@H0lL2V*yX4j;*?YT^7qz(p_Y zCuFX*U*W_`^qQp*1`bC#oxw((VLgd*JuRCc>$4u4VzbFyuL&ALlsRZF>>E51MN3d& z2%0RK4`K)!U!fQYQelYUowsO5C;SbH>p#^#-zVLl_3kr#c!WUz=YZ#c8Ar$A@eo;g zW;*aBGXgl9Ds4J|S?S2Ub!aW=7|MoP-fX}xG}871FFRe?V@`5}DQZ*O9?gTbk8335 zsUZ5CkAd>CkpN4VQY0qKI$9wD89#!8mF^Z9O2#~kmc3fbpDMY4pT$OcIxz_cLBCu$ zJ4wP5(_MU%FdvIrCKi{BEPsqw8o5HgN)myn5Fx#7Jt2dmcit>36^qJ_63Qb6$C^{l zClg*pgTQmbv`C$0Js8hY@1X)-qmxLPHk6$G@9TEXky(<=QVb2feB4HW{_r-|k15Q> zT8}aoc@=1=@yn3RCrTa7VndrG>)1(Xma9#i*gq=GLRV4|(We!wkre_IUa1~wp$Oz% zX{b%+&J~tfhYpa6x1f-*PPcaWM{R0cDAb)g{~w@q>!B#N!sdt~gr+GAGje<>@jvn1 zJO*kabhI0}9h&$k>a);qCeX-Dz3R-1h`lj_R{w;p*Fq}--Q5Jvs1H=pCgw|_CF1n@ 
zXgKU8-Ste<9C1xG9o@9?i;F5Cy6wO3)1~kWA~ybJ5s|I=M=!WwHJ9T!mzFjwT(O-9 z)3S6VFdMxlHgpMjn>e)liCWTDyMJ-|fKXW~~6s+22YuBaG7H*LPKqp~8XCW?c=Sz#1m zJQAYg&iBijJTc)}h z;nm8AK7%vkkBiqulnx><1APLgSokm(HLV$E9xB~IbzB%WnfWPswAhY7^2*;1IYvr685(I)=q2Z?Vxt!Q3w^ypHA zr8_<~B&{;;M(D255p5&cga9mw`%%;w}+l?#){F|#_M z1-98}YD-?ZAUjO^MC6M#%gyoqRK?gTg=^EA?H7Lfd=-TEsOroU_*gq>${(RuHH8iz z=?H87&{cA1v&a4$-UG2nPBzr-kH$vQ5T1I5boAG{Ru@l7RN29U|B)gI7ilX4!z;Mp zWNw^QmcJaWG60)}UcWKPyd+E~)|c^*ox&uj>Xo$v=M|8stKoSmP##vKY5Wg~Atxvl+|Py+bX!je z{$+UvFbeaJ0Wt^R*v?(utxR1D@~v<7edeuat;i_J4rT>pzpb;kCXS8i!i( zf?EQ%&$(#^h`hIbsXGd9{p)6+8R83y%lp68)RUGyewQlvz0K>}t{^x1_8r6vYi>Kx z$-CH<;NwoWW^I1JoFU+KIeE4^KF^l`KG*knWKsb5qfu4)W#11%h}hd>z5kuS+vm;9 zvFR_<;g%dTz%`TmTlbmN9lVy{Iw^Ny`|JGAV{R_c_zZQw(`CS}&j*MP)Ge0|T6vPP z14z4uPENe-xL`QFcO;2E_gSp78|oduB07$N?zWTJXCuiU>yJNLdmipq^?_E`A+?tE z7WU4=e$+IRn{?b~n*yoh`3iMT*RSBscgNO#hgNVc{%64lH|n*ZX=b|z(Rw&3zrD+9 z*v|TdUO&C#V+7yv8Kr~v^`-erhXcPuG4=ak6bRFD=NS|$C$RSrYwNHHT;IGhJ-}RC zHM-jrj0<>OQft{|-*S+v_c_tamS>A+zTbj4kG(Ps0Hbqx1$-7;2%P;cpUv4qRQy}+ zx`Ciq*SBoIeOoWkzn|s$qNlX;?)ygMyTYqi5l_%B4zBS=$?d$x{Rq$V-rTqk^)G1m zwbbW7FX;ww0j8UedwMogM=$yngN?4fU<;fE_cHZaKet=-pXR3J(f7V6-j@ukjvs;o z4c$*QMwtTsh>a3``*?}?LVfuKa5lS_QpRL9*nIf zFY5yPZQ?n88kPCufcpbJkw8aaf8HmdzW|0^Va7-Na_}#+@(^Y-lRFMa@WuOe@)3A= zk2@ZG_%D6y5hx3Q-*K9WMU$`cxom6Yoh@9Po+n3$^|Aa zL{P+!L;7Wp1Waf>MM>JO zhB;FHWywx`i5z%z#-Y`c73CwvWg7p6lVYOIr)3u!OB1guJa1Eufp&SYs2?w(Rx@;; z8g>=cNFv+-PvvUPfFP+5QHi4WVWv^ZOPhx#Z6!Jp>BBklWhoD%Yg#6~>1SH=KT#`k zZ}?<8wM$!t5|~^4BF@4E!7hhr+=Ys63n8tQ)12dWbbH$|h*~_$a86h$U~r8Z+(_BJ zk3vF`D%*kh=L$dy3%b;w9257kZ|-sN+r+)>K((bE-BLKmoFxv}^$gr)kbD{ykX_g< zfc&aljoo(ZL1`{At(rV>qtl8LCtG*SUskXCvoR}kC&Pwau_!s(&3I{A)43r@%ey+Y zUE6c&^zc+N3ZB9=*SH9a%#p-LGwUWPljAHq(yVZvPPuP!=A}1H;|rcmd+6sLz3L5S zmwd5Pe~NmeK8;OXB4iSH;UTU=~u$wVDSY8NM%A?GYRW8_f!Jb zKkE$oPDlW>6gtlFn(V_GVx<@pDsl~dDr~>r28kJ)bLP{0QKhN= zXVorE0{_Ty7Wf(dLrAA=iLEB{?ndgJ`Ss|wUjl&}d;o}M11mXGVO6i9C+9&XoWRXL zKwFh|^3{Je6uNfl)0yY%Jz8Sr&zuMetu4`S{mLL2-2P@R2-ZX!M6 
zUKUxQP6BU!2!S=g?b07YwcjejL@2)(>T;#9%M=PYsd;hA#Jv1K4MonODQ!$VrRdtlCjqE`Qs z-E9+Z9@Ru1gc2%YX5`2Vvlxo(#ZM(e68)C7<-_(5}dgP zG1tssHC>EJzZ8!s)3t>q;8Q|Q-i1jg<`_~Kjh9HT(n&*F$kLA8OMjVcl&D5HrU{F` zpirgAu;4+1q4fQO=wENE*#3_PI@&q^!Pgj9Ms&F5yfnCoyBI!az>ht{5$1l{xDR*g z88BoFP1R=#f=#A)X9YJI=*@u}A-Rzkcoq@ZJi86G`?Q0t*`wy;(nfsUv3e$?XOHfaf0lUH+*(|> zc|T2j**Yrb+vhY)U+6*r9NRv>V7m_7#^!%$t!3J&@!r;0|8Ugv$$R{~?a`Q7f2l7g zYIgy~eQY5IblaK$z2%5Uc7&=Q?yKwhoo_cmHyb(6fSz?MW{0KTU7%$6kM?d z-u>UU6&&AnnEL%K*Pk_eO?Kk@0M85UJ9jVvd*3gg0jmARq3&FMH2Rh+I=h>3HF5r;oac;zLlB`)V=WQxz zwzh3$aP;u%7r=X4B)h&R*-C>bd$Hdrjj4f1vG?w+__p8f_RqvZ)%|l%3V2-*S>R_IG9>yl{Ke0-ORb20# z_j9?umGGU$&*QfQPN(~ur+(+}zUv)r13q5w_FrHAJO(Wbo;*c#-^NMJbXeaH(O$>V zKZn2)^TO^jY8M7<#Sdny@;kQc+l+2-GEecnD8X(AaCz4I4yA4JqHNtwKJWDGCDwx6 z2C0s-vGqHsJO_J>dc7$@OUzh8dnLP$O>U+jMLBPLA!q_ua1CMm&h4xc=&qr?|E;>w z^)AeJMkt`}YVhTnGl+08xv&D_0q|7olm+!ha))8NcvSB}^mF zB*YFU?@5}H4mJJdu%1}Vzq5wqvj`>_Qs!L1|B-0g{Uc&D_*{IMf&wj26NN;DLwii@ zj&|&QgWJWGv!c2`r{7uMx2ZR7EWYiBfZi85I28x-JBaZp|*k-yG3{ z1dHDmV;xo+ex00&Fb*S%DB-k?i+4%RG9w7AA`u$B`SlfeDH7Gmc5#UAB->0ZK~vP2 z=o)8+RZKpRNpYe(mFeR8##x$Fn6Za8L@pnq$azP*-Xr_sja)9Bctp{7!leRN_qX{E z9e-tCrQxPcqg=ikQQmKtEIXWO2ObVF+0nbO+E%sAi&Swou?Q+FpzAh-Z%P7^R;qrZ z7WvBRs}*IX6PMoRL`8cqGf+_TU=54xUf!tiqBWcLQC46WIy&j|1jRaJmzDaNQz!(+ zaj92^tTfAt;&Oz&&k^4D=F|l`kaLRaHw|bDelsQSp_8f%$Yw`?qChV!?lMynVB8B- zoaZiBhzMl~-`@&kVs(SeMVho5^DJnRrzkj^qmW=wVQkq@>`N)zxAXXIm3b-$HLNO( zZDVVkxV$%z(RgB4zkJn>86I`15=lPLBFx&Tt2lnjL|_~QMb+dTOE+m;q>6XkJ%tM4 zH)i{QR!NYS*dmScONDOY>+SJ8zcZd(?UO18fk_gQ^9-c8OAwFvwHIYrzOoBN!qI3 zX`vND(gv$a7u<-K;NFz8RzzF1HLKw!$W7*~

dBmF4s#Eq&yjWr2TLr4yG@m|~4J zec{H4J>iz{eOa^$DKH{@tdK#gFeN*`B7tmh~LzvEdK9;aXieI%TL0Su&mp z^oOisb_%U@d=bKTC`Q2C43z?%h>MG|YztDi^od7d=xA@wJgqvKIHBnII9HgPk8~CN zk}*LseI@Bx8yj6l6X% z;#moClZjNQ{e9PB5v7q9E8V#F!byx`1mHwO`U%{{aU$OR94~a7`hQ$##j5z1sQt+O zS=gwjVmv!4O`a$@-jpqty-&rtN{}RY+jQ7`I{rW#(^*0|9gU#cN zEgeq*z>Li3%PIS-W`e1WI6Pm1)gf5lDVIk`SJU3H}~U@J}Zy;rp6V%U9%+UXd){5x?v6fEw_I_aP|EM((hj4{>Nak zd~b7nYld8>A3p2Xd4S_hTe#I9plmTCe=yl&m{tg{6oWSf=W!P=>=DYkoY8F`KEu-~ zWuO02-wb?hDfb6(1?9T+CCv9n=ObT}$DTJmQv>scQ~B9=xMQQ32{``>aPJ}qBHK9l zt}N=o(P$q}1T`RJiErng-R5p3`Zv zA2{;!9y_H3e<#TNl=;z~TR7dz_Sy2<@Oid>yDMPPGp)n9yZ0Aos8~F}t^D=0yBCnS zlh59D9DgkIqt6Qbn0I~QZq@K&u6Nz^RPEa`GP&#iJdX{w2F^eATRF5YKY8|Tz5mM- z>b#z|ZIbG35x>%Vbzr{om~3b62fnYy_qrVu8#w0kAANh!zRg?}4<#NKi_lsvw)|2i)-1glhYHx!AI z*EfRiYxs-?`b)TV_&08)YJ;(TJ7C7|=yE^y*HONnuikxLWnBPp0=xz${zRW>gQ5KO z!N1ViLEy;-Fg%!*CZ@t)cI5r>P^e+A;~z(+MESbu`#Nxz`m<;L(*%qsQp_LxBP1e<&z5^sqGdy|UNE4g8<@}@CBXVLpwfotl>16zP}|N>laeW4(~0rG&MwzmC8cmM^?nlW+OpcVM<0q7Ku-U}9Fhg2PZ435hY`pF^l!#*Me(U6pw1 z(sg92&Nul}VZ|bshgT&h(%Kig0%$N1o)m~>`*S{~RZ*d8RUz(6vmfJTIt=95k$Fv~ zD^7zT+E8I2x(IgIKhkM)$7qthWw&b8?8P5bK)xy-f6WQ<^ z8_5hrU)|9H)%^hJSaI$f8QvuHOuAe`wYdV-n{w(#(NV~t)eZw_gdS+`y(&TpsC3ANQe6IUd8L3=$34I#$T z+y*RGCb47AFO6Dbzaz9JDaAJwT5*$QPkq`7Fcb)_y`cJ_ma-~M6h;=Z)>+oB9@=6! 
zl1OD)AUc13%cS5a$!GstV(AnSr^(xiL&-5%p=!=iz9u0J&5<(rM^!AXJbWer=Sa0j zraR`@`#}g$e;R)YaBjq`r=B?hfTF=ey8@tQ>3>K0@0Kb@0CQ3z6De)`qJls&PM_GS z!lbX__R9;kW*jH-@6r|JbOwyyyGnFqSs>#Ihn3UW7)&OeR4e2oTgaf0BrmxzM<uPOsb%kRR#*$16N{gt9l2v<{q4_WWAXH~% zS}j5YFBYU;i6xJc@<#w+#HWBEvP-YU2!xVG`9bZD8G2dc2aK_cyANxt*k*&qMQJ55 zyLuK5@-0@>6Z8*`8xtcbQ~3;e6l&tliJ`Q3-^9^A4gdHea>EYM zKTHg)Zno*;3rS4liCV}^6<6)rua%5kzs-7O*{os3;B=SumZc|XXhWO@b;M;Mv%@YS zX=3!0O_beLLwO)V{=$WBu8ZeQH9*9LUM7%JV%P=dipt9b5JaY-G|P5sP!HM#K2fPK z3XS07Nr+z}(5MH={|!mtq0>du;y%RtE_h9#v2bfvs={jYBdmy$`fRa8WNBO0*u#_g9}N5DU#IhqOZW7b7AEg zMry0~AIL^yd2YifZJQne9Z($S@p42j&DV7wzebt(-8?>C1}z86*)2hIK5nb&If!vQ z|3sddv1fppZH-Q@%#Bxu=Q(QDcqqO7AF*;n#bT@e#C<syE7?_G%l z{^hWPo)#c>lBEdNd#(n~iMKsIcKzFPL7^=xE6+l&?UrqV=eg){I~M&Dj-l7~syVHT zvHfeWtFYTbfXBg0*LKxcYJCHjT|=ie*7T2)K;G5l*>;qlt3o#+=V?ElhOP}-wG!f1lJ=JFH#^@9T0=ygl=GT4TFI zM`wV`zvSwhXV-rG4LK+3LGL_iIV9#k;CYSY*3^A^3}>#@!hd)<-pxm`9j(Qg*}aI6 zVtNs~Ie6cm0gr;fb6~*mEAcz}Yyb2V;8pbk@CU#rZz}A+KoVTf2^PUnlv1z5sMaR} zO}$Hf3;~sP#X-O1!4e2k;VwO6AGUC|u4GC6)kt^vY7s*;R7x0HWS-DvSSxBg zWYa<06zYUI1jKI|OYD@a#~!R4*~xS;5h4z_c2-GY@bZp1)uK?S(vN2ze5un%uo}ZC z)p=TUW)s_G*(wsBtBgxH4cBF#UD4Bmqbha$=>xlY^r94P+VaUkv;^t&Wtw&D!nC}r z2!*!I^a)0`O+-Z58q`Hf!%Nf!VNaM!KV_)oA_k{e6)L@hGN5L{GU;#e^R6o!pjr1^ z4h03<-AQBac+3Lh7e z+>LUgbvmQgrRJ2K2sCZ9s;@fry5^seh^Oy{3qy(kfq#dA==y$18n9n}t#!_h0#5Wz zFSuf5R}Y$W*(R}u!`A5Z)_4k9WtxJi&@n>zy^-lK=oz<~f>oW>XTG^N?_S06qFZ%A z2eH(^XT_-E#=NOcg+CNreg|?aOdn+X8CW6LI%KLLrX^(O{n3r$H=wndp@|hy9{xfr zJvS}FAJSo(aHJ!4CXU;ob!XiFE3S#Qg-W!v>3b)#Qxc9F&_j77wxVq5`$`kO&d^s` zO7bymJ!eYJm=N7A=r{yk38vKUapBri8qL;;rlF#Y6p}E$4Jb7(iYy1de8)o5)z;{gDj8UXHf^D)1wt2W~LR*s#ke~+x{1nhv|KxXbgu>d9L_0 zr)l}QHdLEOeVL#iUMmwTG-doySBB21z8mp+g8y11>(?JV|Lv=t)j$by{_`Komte6ij&d~}9vKSu6P&?^KsLfpelTqpLV2&uxIJfQ*AJYQo}4AL zJ@KR|G^hNF#|5}=5Pg>glHbfELRQc)(&{jAcWmr(L~4RBFl3P|ti==Ge3u5Jk1;%0zn6o)gLOLo_V}?u|Jb=^1XqGG%3$^N z_G!pG48n$zRH|noC@T|@(AA~FBRq^|pPK^I=rVuK(?@toR&0b4O_SDSP`+ARBuX^= zLq{%$Iwp-)ruBk@kl??}w8pMN!w_5ArxEv2tzF`Bg(340W=JZFhj7j^T+b2aUD{{o 
zg)<3dI4?)A|AwOdg*Nq061}_w3ugrnUGN{*0%aE(;s@836B{QoftHOn_r$YrM=eQj zQXLS6>afNo^nz-bOIXxc;(XI1TDB!RKz1Jq<&!_7r=)46$I#s8V8S6b{%DurDL3Gy zPnBtrC)dhvuyO^23>2p#7EzdW;P6thcK#Y5dLZ{v!T$ItS+Sq#Ohu=>U8I3B0T0cD zoHEcMI0f`>fwD+dfqS@rMLN#>C%~R#8FoMAl!rUR{u7My>wCtl?p=Q7Czdec?hDGJ<2x)E?}j*O$cZ3qoZ|iKeSY!o##`Lan`h=7F6Vb5 z;O=fB;2=S#oJpcbm)8rpf3@Lwo*VF*tbm41aa7lGB(WFyduDg1x_g6lgs=U8_-M9F zOYB>ZP30aRVp?aw_-a+IkRbTTY_}QMeZ9ROh=R9D*w53n#C&OF&=S~jR^Bgkbm`lZ zt=N&P^VIMj^u1$+w7EE)IW%Lj-NTWe*8R>d%r zXKa(;@nv})*&O+Mm0g)1ke>gz@ZB=NF?Z|np>4I+*H1?O zurbzf)1`NKrt1dA1^7wUT9NsiR-M}?@vwKKN7!=gqh(PYZV#N&!8Y{2m(l9?yg{k| zpme=FnzRGmAPnm<=^QV(&M`-TKT9#?29G35a{)K|AIsfL>n9`W;D^n2;vM)mYo#vp zPR~LH<9>gHgPMkWy>o~6nNp$GOI8W{>g$4X1L-_(>%G}$L9tDx`nNBh5*mYw-oV!E zS;K2k^Q%(iOwaCx>)|jU&;1}eTtC2qn8&{yDD;bQ;mOV{- z-|w{M;~O9s=knudB|QHmW+&1E@V>Ol%^knnd^g02{muYd-ojL5U_W~rgFk0*9}7}S z2_-(FTFq&GI!kAA9=I>(0J*)X8rr7bR@2X<=W%K3)cDt1s0&LBn4<;KFm^Gysg4LRWXS~(or+0|3= zK5BpgDyD=QVGI+S`i0KvWOWv3P-sdyhPl?bg|^*BmxLuWci4yTN zFOM{BEE*%@IhQ8hglzYvAv-i*5_c--0QRtwEeN*+;4jvcvAozz)#Wt8S zw!y_tn<9~XyVqd7=Z}D^$gZj&`NdYdR#&vq#5^i!g^2&uhBx%!M4x$5LZUX$tvBf( zoQJb^vTdZ<+)*-|s$*H$;ar03cik@=B@h8WK!eLZl2a`1sYhxQ0;nG@m2+}keO9z2 z8SO)+@p9uC^&_<=b1T&vwOmZJ_LFLFa7ItEffyQHbTLix12`JWlte2SOP4L`>%vX~ z=vI$~KRGr8lEWFA3);jX7>7+ICZ9ibPQFRz3#JtUVpiP+%}|K#h&@*g#tG9FUF-Uf zXt`Pp!=yyFS|;C6yaBFZ2F*aZ&;mI!X%2?UFJqgn(AlkBCQ7*BSgB^)1lls5R2N@F zeE)~2bAGEd?$&rslR4F7+qP@6YqD)~vNhRmXWO=IW3p}R_UT*)?=R~wc&=xC*Shcf zvm90Bk9oOEbSny=5+>8@;S%^QsoEf;WjR%9p~zZwc-i==P+ht;X$~Z$?GyS`n6fLH z|3oC#p{A!|yBWiqp(Hmqg2Oe z;skpzk(Pgeqr+&n%o_wzsNqVOe;CRUC&G0r$Hi*|n_H#wla!3VPbhIP!9DnPDPQbK zHti4e6{b^~z^hOGNF27&9Cl(Fr-aL>K8Gk1an-t%$`PZ<>4$68VM;{uA37wlOb`e# z+7gvxBg2p@YG4+y+V`lm6@N9PPF9$c`isdYVn1(Lv(kJn+mj{A&R#R~#UN3B?o1ARVcO6mx^^-BZ0mGdP@Yc!46jvTT% zM2Xl>$8-YDtjeO4%h`t4O=eL#m#t6>AD$**$ z?iJZ6;!gt{h*<;lw1h>5BbmamA7};B8b2Gdt5v+V*{os%ou-wvFmPmV5KbWnLOBdO zt2w1c@SUN6leqxw2i728v)LJhxAZ!Y2~*&Q{XPIR>IakXfdvXMI|6xALtQouejPW9 
zoB@9I5csK{Yy4Z|kK-i9p8z7P7$tOYC9)85&M;2@<#!Z71_J*1^LRQg`LZ(iJJBC{Q*E1cqFCV(%R>>(dBXX*s|Rjue4#b z%GI%0}ucls)KE~ut+BxXk zP_y`a?LvFv_jsB*H=my9oYn5s(Y|%FcY1NS)aKNC&h~gx%j#T~=Ij;Js4aG$!ncMr zul!03-_kbw85WJ~@aOO4loL95dY^v@t5$t708vMIzkj1Lfk3;@xtwg;9sSqGIKPUzN#BO+0|xKY zsj-Ggd)LbdE!z=NhJa=P)0MC6t=r}0R!8}SjlMPGpN+Rui05jLZT%STi|2EKZT{k> zzP(}LOaPBHT3@Hx?epi&#MBkn8!E%=p17bs_%Hp8tnBy8pB3nYL@VukB}?v?zpmFk zBQO||U~2nzpt%9>Ay+yj^_++A zZiMXxu%i#(L0EjB)9wJ8>?Tv+Kch2lyj}&Q;cJereHm{TYpako*-mF$4SypB%{n%F zY1OB;ayon~a8tX?Hl}!{irA6?O$TS6E2Z zT2Tw>WKH%_1$-n*G;@hruOu{cpQt}5Gq%Ci4*ycSWE_S{%PKG?MVPK?zp!5b^kw8! zw&AOA*bI%eK5nWXNVcdk!P|(!%8&yTLkr%s^wJ+N6MhzKSWbkS^>*9;Ol{pFo_xGJ)Z^5^6lb1BWJD!GV(LyIeSJHHA>_IJqaJ!i9UeSCLWjtPqy5n*DL1e*(s|NUN z9yi969{aQ4Hwa5IyAabC&{Wu?AaHYDtypcwBWz!K#$~cHRrkHrwn~RS0X0H(V@%J9 z59e+#m(Fd1IxXVQC|V+-G79yuDnDh&Q(kvv2wuuqBU}E-`Z|o{o@I?V*&~fkX06I! z>37ItA^0^jz2&ntQFlcgQ!Tp$8V}L5V(PXZ7zw2cZnf<+Trv9J)1V^y*cY$WsIj6J za<$ZNb0|HGwq%!Aq2?PSw?YbuPk;V3V;^o9fMSHvt0HS-u7c*7txOX4sW)&2Zo*U- zKVab-DwV*XM;7CNr}S2J8nX24#ViMA?VW~7=0LDvZ^Q&>N4q2 zHDH@1tA)eJW2aq7BQW4X!sU+k6>Gdy>c^#(_gb}!;`LFoMgU{Z^0n~DxTRQt zR4sHS#2^Ia+!m*iOwrTHe|q@@A_`V2%zCInQUK*sBGB6GTEFh9YlKH7m9%?*3iv%tk4M71n^P5J#ydAq1D5PQ5Wy%Tcr$qH~Wm z+KALDwjZ6xD#VmDN5dfKz+*vDIq^IGIz(IlvkeNC2zBUzkcfm;Cs@Wl`qdk;mdRwE z;aM_Y!fDh=-2@qzZ^q3%)2^9v3}#T?k(o*;bvu}iy0xl)oJSn8b#Od|QZA`UsUH=wm9WDDU z@eI=YqM)mhbb(ut`eCFt(7;=d3N{h^cY(9w=IBFcN@CI7kOmEAgGddeA-x$wt{INZ zIwH<7(5(UR!$~Y;{-T@m)ndK|C%PYuOc;taiQ+e>Hph)yB9 z@P4__*U&VYSi!()5gzxt!OaKH2dh=$oynnkmif0W-MTak{^XL1-LfXa0d2!#R zRukA#If)5fCzeRGfYV#=NS8qNp_NO+0rH_d`P{PT$hV?1A`>gFK=gHbo_-M@9hu_s zG`-SQp%$@}cC~{2$Bav(`1*Dl3a9S=vp+v6we8TY1`FpZ4o=b#{&)(RTb5!LLbA#o zb1^XS=dv@`*`byx(r=K~awT$bYtP-6%AIo-;qQBR@axCr986^w~D0-{TvA?AtCn9Qltu!E?W2+GG7k!NC1f%TQjxgMJU_32mT2UW=}4c+8n|^L2aR=n@Fwe0dGAs%3w&y!u z)W>`IwCM1l{6dAxoo`n_U?!yg#ocM#<$#_lxS-$KIP4QQA9){wFpa+U7JdU56X+y+ zowa^Fp!Ut7={%5J9}AxCYlmfa1Z;T^cdg~OKGh6L@Imc7zKdngJI^aa7`^tN56D4; z*{{de`X70lpsT*cPKZe7l(xq<_6GO+itg8SH{6UcdQhkLBP!>I!*z>7^uj)63~+n* 
zUGU(d_HMnmY^n>x+bg^}-q$qQJ*CU~{?d(0<8uR?7DA>w`R#m*_QRn1b#+>%`+5DU zM9+7J;yjzU67Hd^WO^H9N$$$`ajed|({r{rJhQTOShg>}njt07eEsx-p`GKqprjDr zAP-9EiAv?SK8_}I9B4`P#O;1d&|YbKyc4v$-$Ucf+~=N#9O-&$z6%;z>9Cpl?e|8r z*lN_bOItyC)xI30UimbsC6Rp1|2PVC*Y{QV_;=`c0YV0X)cHWrufeZ^qfsCb%Y|P) zNUE6G_AWXT6jUzeu}f&Y52yZC3EUwO`W*bUZ?ez%9QkWf9X!DtJr>g){ze$4hYpOj zblGIuZ9O3a!#xQfg>V8lEOWx7ReLv5AP(oltn<`Aw1h<1kmm`dE5o(oF4Qpk<^8Ym zjzo(v&7j=SN?enQOK2N&-Dd;tZ+RTRL8>`ABV3F_gSJA3n9t;|BSsasiF9mYv`JfE z<2-Rdq-W{Ai7}l4TJNE?X^jfb$z|yvnQmcK^!(55*kSA@4*A+rgk?I#JR_PC3tt*Y zSR+QZB;pxq0S%Q%Jd|{)4O?fmd1F()B8pH^n5H4w3N9352q}a$@1oT+ocIM}Pc5{{ zK3UVngWFohB;wz)*1cFMIud)gI;Aa%LEcnH6~P6We??oq7tTLZC8Oe}-)jXP4ux!w z;=$naCmV>X5jD3)Kt;8m9NeG!)z|9z|56KM!6vsb3ZJbypfp4%i{D-l+n_OU&@>I} zva2benEI|=!MktLViT@K6lF@-i-s6y>-zWmB1*lAv9grKklGgV8+No*v)B||S*Q91 zNp+&-G_-kq*13j{2y`5Ta!D^9K}?&3GoG z{eUYin`w0&H-p2$gdv3najL{rFm1;8YC?2zt6vq%?Txs&q@2^wH$RLc&T2Ciif_RY zFwg}aOnWXmDRq|)L<>$5 zNYv>9ThAZML-nVMi$r9cR3d1WA~Se%*uF6t2epQo(g;x!994=?N+!ZicjG^&8O zE0)R$IGY8=0?83-mW01f;esZp-=KaFqt^W_LxmDX&u5)(sGKD=MG2D`w7Q=5SWYs{)%Et7JgMZ#CKaIA76GfYJlKv&+k=xG1Mvr=-&%gWk=K~i=6R0-;xLVN`k|NFvJJ9&>VxogeR-AHYJM@~C1`nwW%a7@+15MihVJID zZb1aBU#vU3Ya2f~jUJV3b9(g=J14Ueyxs@FFZY;#@+bhFZZataT@O)X2_9^?S3iFK z*dXbA*etlpYMBGdAI<9p6qMuic+TUyCTT zIyGFumR!8dl4@7Uc4g>-l2~^HUc_JerzQ@no1C|S)qL9@%Rw~)pWD2k#;msfrlmx^ zMS}kNtD4k~y=i&|uTyoeAllEn8D9Su{0@WcL~~uYRs9(4>*%RT#MB76_mct+d~e~8 zk`9^I>LI<%md{WLTi-QLP6DUN%cDN)d;5t99;=sF{9V3uyx#i?JByXobIr!&-Tj0Y_UeZY*IFkl{3C8 zU%sAgiR}T!SnFMhQM!gITmn~FEO)n%8NBn~J)u4Y&vAqZ%gVk>I2WA?Fax9m$xTU*92}W zJVT(^u6HE&tagl01;&hEy-EE_R`h6S(~v08_g7Y%@osdFxakC zuwP-bUe^JN-wwWl+3YBuVY9@&=63y=nYe%SpmInpiq& zZtfhlukP=ckTf3g&Su>89}k{-c$pg}1&=^G_aJv25aK%?DE$^>Pu?8}ile*!dr6oD zDjbv&P)#bq$7<_WLFQHm+35rhqIe zSvUw`06aGdJ=6SyC-fNlo3f#7yW*m^Z!V4MbU!3{BouS@<(Q2YY8Hkh2KbSeaDV)(a918EVJB&sUp_Aa<<_hG#T)q0<9wg8%DWXce;I0cwWNbJT4 zZ3>D~tbd4gO_Vf6hSqk_>R}J5hl`q=nNaL=o8RqBQPiX*md@`2xeJmsn$rvDU27{ 
zw8~K(MIKH0;ik=@pIyub+d>Xul&Ke+cScHD!0xPsQxO#=3Y&6{Mowy-GtJ`i-$}6d@Mi2L^Bo!8NA2Rbg%H6^-p|hZ%=5dgHQ6I1Y^Bq^XVUg z_k=HD$Aa*Un;#2)7=@p>govFcmdcipwz&hLK#^RnQ|6#XF#vu=SH5ilLrR%Rd1AjL zRYL2^2ustTWG+rHE*f|D@)(P5BRx|d(l_bxfTX_~6EWhFvsRc;;uy*G)zy?4Hp7j^ ziTL;IrHj(xd>b<=-&HT0F70x};nGwQpoo~5S@uJ*Q_gVU?`?l(ByrX9U7(t=Ga?lP zD>=fp@eRYUBjC+dEWgoE4@6U$vWjX5N%ITM1&db7QQ>?+)Cj&uXDacirjjwCaj&`2 zPL2KQBI-45lrjs6!YalcFqD!%-m61&Ly&<+B_B2_Z4Mx=a+Ic4)-`6qlhC5XiuF?6 zS>jpCl6}@lJ!*P-XxpRCnauR84&@Ndi2iNsfBLs5F#i0u^iC7VX~UD%GwQcF^HIV? zj8KE>Ee~vgJcSmGaTa3HpV|$eIB7N|?_!I$A%D<;s`S(Wn4Nvsy--5y=`&PxDm~_I zm90xK_(3F-JgDPu{G&H2{D(cw776uPnzi|EKzb>gv_+AwEDH@L0@VhMe}qyZc_^9o zffV`35>2+6yG@!YWiJ@q_`Pve+P^-@@USMWjQCnvc~dk*$VjCDXdq2irD zQ`}>Oh(aA?D>68xo`fMVRJpc6mKM5u3UHwmlVQrqa?o zYM2FS`mO#J{BzsXqGQ$~k=oJeEB&!}LEjP;dH>|$nht$tZaSkYT2@nc)S=^Ewzao& zQE=6rRqGP#d$JEy5NR%pp7xQX>G9Rr6Ll&QJKDOzcpHyhr%<_I9e(&Q$_@e}5)+Ki(ECZ)bO$hYuVHe)Q&@U+i$z^_)_V0AIqvKkmR~ zsvVatbUqF%7{LL2z^h_~EU&|_gpBzn7`=Is@BP1j2NT{I2}F)dd(k zyZsw>Z?};R)+_w=n@xhhj^PImY%%L_^__-%9nAK-YJ5m}-1j+GIy|Pk_hvBpLBU;d z`WIw1rs+Yy1Rr8Oz4mQmPY?*U4;mr#*S&f)SFT+XJ_hSBZ3_i|!L0Dro<}<$k9Ab% ztQ|f@*Kwxk56f+R9=EuE`4Yd#;wE)snaJqKi)O&nr6Todo$hl5q_l=Uc|m^j<+U26 z$ZnMDO|QL^1<=hqU<(xGF(2c45p%>Ed+oN^K63FH8Li&#`SfD<&@?r$G(bB2_82hy zKP~sU7BmwD@}s>~{V1`q%({aFaRcAa1xqF2ZcFqdon9xNK(8|$jG$j1#|zFXqDc{w z7jzaN08#_dC)zMo05f|bkAGIMXj8dRZZW%wA}*P1)j+E+1nxmL!=ZB`*6%$Ij1p%S z&0H%O>*7GiI>LLZgv9}o6Jd*XUM5?Aw~)qvT4pS`!b&k#P76R*W+qSNHv5$1ZUTzr zy-`}u?@_z79CIf}a+M60;XmCv1O6U^!>KX-e8Tk^S!fC_O?z=k%)Cf7Y&+^Oj=Bu> zp;RN4?VHE~Tk=GU4;K46y-WO?!xJ1Dff%WUoWX&mUa863L?a2NV|TxJ%UxE_xq;{h zblmyA0003hor{}|+iKK^%&0Z%|_!Dbf4!fDz9gycqIKG8$FbKX#o#AuNB(59>DthLV>1KCa2eBDzs+{^6W|?91xjg~f=E zQY=FoV@xG(dz;fK`B zViX-p2B-S0cSta8eFO-L0@%cW;7K9y{Jro|JIXV$}Rt&7R65rWG~{)ug?WSP$_j&>m~~^VdJ;Ga!|H znEFnpoY?TNTXB$xTcga0xv#Y=A(ky&ncOl(go>aGX^e#`AdoKpBDhB&%q(9zsa(si z)KtRB@#J&$I-yljr5LO*FbNm2L^v&(bwpCO36mqH4EwQofu4{Ya+Y z7X5lb)*wLOKN1`s94)qxJhloiHc3@1e4%eaMZ`g;FFL(WQ#d;`uy&raj>2ZM@NB<` 
zAmOdTeoiO*5Tga#P*x0LFq3fs&Rz0p{%OV}Ptq>Mr>awev#M}&Q55nZQ^uDL9iYkz z{bfRTPz}X%)LSZ#0ml56L$N}d9#&~b62h+y_*V(e8JfFBaB%K)jixaH`4b|oTd*rr!(>+cIZLLHvIrA*k=U6iXI zV4f1Xp4d%VtcBH)C*dB8DWKdxYhG5j_`2x&G!#|8-%F)tIV_T5cCBfArc`-QuB`qG zEeh|~eCat?RSg^x^!KynURd#&8-(3*B@46$IrYa^*KEY@#;D5 zePba(Q%zT^jyv zK>PKs;%a(672u=`jaSq2bP$g@t;z7(!afA(a^4$b1Ri{T0G~TOgpb8<$|j+$@%h?l zT!DQf*B&2<=Y9^2oi}BioNljU!v#kGWboOA8otN8yY3P|qss0Q@Z3DRb>q&jd#`vu zZt!|I)~=-wyCvYf2~*&4x4!l(_PQ+(ebz$c_)+oIZ5k^&uaQT;+=3UqU|_& zlQGAyfXxr2UcK=-?YdK`|I`=j>(ZUE_nDF1aPGWud3WVRsf+BxbS?hc*Yd3Kw#F|w z;o>&~+8KDWKau?eaqLyR#6tDaJbnH1NKS>sltC_>;ocsgbnhI{svsBW6vf!EzwmFp zKf08WFi=7R1tjHimQ@gQ5WzVJ108Ie8!3$x;EVvnj(TdiVe6(1l|%6lRp0fuW#Y*j zn#F9{36`;Iq=)CC%v^J<#kW00Pbt~oLL4@!7p+`a#-#~DaB5YyB?o7tSd9f(jOk^{ za1XQ^OaJ1%f0v`E$V>+pXRjn0H?c93;+)9gDM~*I%g1E@*r$@rnl1|cbW!I>=qpX9 zRl|+wWOb16bXVz1Cs}lmYZl!XP03ya&buhs$(DPLLONBUS~Y9V=8H%ltw}NVt>F50 zO}evrqm%E()F|g&hpLDX(iSi3pUma628iSaD&#Y>rA3vC!pS@rPS;+)Ob)vG2sL(?_0Y9=tI~K8MU$+BCaG9q zWtAEm*T9r0kw8)sL*jECh6-m!2uE-<6nrrKGB;%T{hdcZ$Hw!4N{PmZ>3Y@hcLL(# z83HitIMpBn{ZIpj5++53@)2dYK{Sv4m!KByr`7tT?eIVlOOIcDdbQqI}&rVo!h!cT$WTVMr8LtU&nG)o-zYW2+H z#p{pw3DkVzmW{jd0PVXBKGg|$J{5uH!YP@4Z!;#sA0yv*11_b@YLOh|+Bm;(I^WJ; zRdi3>4yAclQn|zB*z=@Sr&p;pl%zfCHmxn!5F}kUk+`r#jP!rQu^oNGH~oe@9QP0D z9O`1-1i68=%qEb7iNQ2A+o{ySvV;iXhhIjvgvI)}Cv|kiqByWS;%EIgB86{tR>`)@ zdGSWGq|6lk>(xldrJH1#SFVGr72V=_^45QK% zh2}3yShI<&cvoVu5oOVMVv`*!lh5B^={-5{DPYTCsg!ugvLp%D`{R)GqIYp6;-D#2 zehHfPpe4WVFLG(2{b4A3%Z7i!={+qX3DUS0lWh^sc&RKcfANNbrL-%bjR{!Y^`I)R znMeP+wTb7xH@!@qVj31A1)_}(d&XNFVi^UeuJ&X#!GpH}+c;8r z(DzNTujrv^S#IcFv=m?h8YX}lJt6YVgEzepMtl;selxft#b24b?EJJ)MHDeN>8y-& zNm7c2KEHpo2Fne0@;Hz$9w*q22?<_u>aN2hzJQF6ffuUx5Hw z?2=`QY%>~!q8djbK`Xx}u<0`T^8Zsnb>MvtXI`g*tiYb0 zcgjIaWyaL@<{KiND>|8Qro|%HFUXti^n}LTYb} zN-AA;=b?2R_U38%9afFe{`eRcQTo%{cN@+HS+cb%P7~CwiF0nYyf_hV3O?7|+>Ts~ z<@HTvvktB?PQKoY%*=fLbNsvn7Ak~?_&ppYp6I4KGp@cYnd`N>J*%erS#;jp&&Im( z+0#cj&g9%5@FRES;+Ax`F7y$0-mDwn6KL5y^zGTlA^`{Ro?9o>oa{h<4$po4*4ou; zIw7|dbC(iKvcgFjq 
zgFZBm^_|;N^ECI29xsm@&m1vbj{EF@F8h{!h1aEsm5i`0$D0V}RBgA**go6R$ES>@ zfXDA|{eFCnGuXU4pifQpPG;+wUp0GfJ9cGrN9H~EFLlRag#NsjZ3{p_oSetW0d2j` z`Q)0L8M==A`(@H+!lxtSo5P-si*hf!*!Xh*Z%y~^-6itl?$@)X^(A60s48~bi-QM2 z!|e9E@303UVfU+z`(a|sp_uJ17GNW^`$w`Z!g+v;V6TvN{~C=K-A zO||FE{wuD1IjDY1*znh7mrx7HNsl__WYrFe8jShrX9@Zt*aDhCp7SGe6d@B^OaG){ zECnTD4*FFZLgJ$v^)DwNB+)t%^p;+Vw)_~N=7NVpFFxM2c#~tMmpdY9N{t*gq~Ebv zAycpT^{aG{V|ROi`EM$m3?gQnYGNynzco{d;=Qee zREs+@&9u&*9ZFMa5wM4T!7Ep*?fn)qCbNPZPAf!5WQGpmu_}2BU_lZGB8f!Nb73#Q zah^q&ADZptV`EYKhffW;v5qf5?Unm4o!xz{hKsKw_D2$O6QwHXJzI@$R1@7O)Fc*@ zYfnQ}t9RJb1SBnRFax$4_4?SzMjLUbQWz)v)p8YE5EMqFmk=-2v>2ZzETtk6(YF>* zEs{g53W9$mQ{dOC<%x4=$9=1%$ot8k>AwUE8O+16c)qFeobMn? z5mAn2je>P>0*PTfiJ(`CSo2y;G0c*3&s#+myocf`TyJ?SvUqdsFXCpHxCc{YAAf%S z(RV=Xof!@?jcVQ{nX?m&GYvy-?Ybl-U-f!fUg2V(v!j$XZ? z%+-vF3=Sj2g>q>rTjC|78zkgt-eAorqQQjq-tc^J0&7#;h&uUyBK2vEBZoEapyT_q z9&B5Idok)Kzcuc?lF$2)qpH8D>!BD%D3*@%#MzX8j>~Z9|(duksU#W=& zf-qm7G~w_4#TjlSN;0O_wX1Y(>^OBWtB|ZHKcn#eFyXa8F8+co%R1i>5>%bd%MZ)_ z>iXe>s`(Z~9m_5tj?-63_8FpxCnmY&y-70jym_jKH&iqv&9RzdONDxWieq#3s{FcB zX?|-7Lv^`D;5VbVc%2z(5`0o55;<|Scm*@8RjgEMIQvK5raT6Uq!hky7CZK>5kErZ zps&=cK~Id&ei)^nnZjTu?NP`!Ji}rHmh5t>(%e-~tFa@UdYs&TD8(vWtkWLDtyr;f z)BX=@`Id=ONENfqm~BFof*C?pjr!9^=UUu1K=gq;j2wwbJo#E!{L{XOF){eC- zNhnP~ml64Ihir$qq*heL#gE#nC9f>`r%fA1ecR@7(nf(%Bhg5;cs8}?cr$UBcey-G zHJa~>cbo=<*l37` z8dgzis!DzY;B9|HEVwLKdzCnf}Y2~pPbvE-1pB$k~r%gk*m)8&W$2{fj?OF;~46d zbsoUfT_<7K<$Gq?l$RV(c(|;bn?*``_Naz@Os>`%ym(FZW*j>KXmpwaqbeU&O4i>}lx)oZSob^xoh0FF-mnlk2^IYIkb+j{2+p>E&%g!P_TRhwV? 
zA+;&&XJXS;XL-k>@41ei=UJ3?VMxpBzg*0f!J>O4A7#J8B6qc%u3_2@yJs6?>RXrn z%a(m|PM?~#ojhlZw)-nI0&VK1KG>2j{T%YvlCF=3rR#1gs`&@g@He^9BF z&x7rw1!oL|1dXom=CSDRTLb}u)qvD^2HIGI8#K??LPK4%n{UHAmu zPs0#JUYwkIz8~)Y+h%WpfP+aO;F_lUFX&;(tpx}<6wy8Md4IZvSyw=`M<)1s_j%t2 z^lKO71C5Q4NO`}}DGKZTd$S)8e2GOJ)v3|Kc7By^U`wHJ6(VS%EJ~B*tXJkIgzA@U zfYn5%*Qp4>fK^Y=2~KYdUe8-qmTR0W|M&1)gDuG^UpC~Bn5hsxqIsiOIjv0gISb#N zD?pl^&|37%ZFcRRZ)Qw(3depWs>2RzHQkzkHnPS=uwjwuqzT4|_$Goz&(ah%_(TGA z8DstWAT;Jm+BYWicuKK>mS|E?#r7dJmM769z3@~{CavI2RSf4(D*L7yAMqe7u@`EY z=9*`gpJBP25iO8fK5SZ{Irp%7k;&hrKSZ-I0#BWsql`EiKHLQ7f5=^l=bxIlj$RK!;h9*f0T(Q~2 zNtVM9i89!>9UsnJdnr^4-IKYbzo|Jg;-{}c#i^(r+vvDvMZPJ{cN{9jd}z!>h+YPG zk)=iF4Ap_=GV?V6mDj zORt}j?2wj=^kyfMDRBT*&o{XcNN-l(Sr9Wx!}QwIa99TF#LYUSafh0?(kGjE)G&!6 zVQ0>e2)K_~9rMBpcDLVO>NWjGQEIZVB%E2^RzZVpxi+@eAKniAhbh-97!tK|cf z203#8Uan1=xB%m;nYk!tCPI$7rtua6WYNucIJI+PNz?T- zl^=!DI55T5@=LhuM0UH>ato3aR7Jo-LvxX7rMO}P3YMiGT8$O;DRE|q?USTw5-vvPY3SSyx_Yu<$R+w>B zp<6k;2~NJC9jfRafhQO zI`RnbO^$w9Qz7(m&R((!?(IJ1I&(#VDhVBsbH5TaVf%%3l%cmy!w?JtB~XLeU}Ue3 z5Q=q!n4N`;DeM=Lsf@`k`bs6-QFT(VPqbnR8%WzQxD!?)CiZKqVuirmhBddzrsAcf zvxO|{jhl3-T@Gf`sF67Lg;b=eUw+M^+CBh;rdkH@9-w@(S?UkAE zAo{?9q(Bv*!h|njHXsozCBTsnDEB_2cdx*GFg@U=bH0qrGFW%6*Zx_68+Q_amNUG) zfmBK!lOrZFgM>y~B}S-x{ONKu7Dm7O4C?%3H{ZH@%BtA$+G})OI6-Zw-FWtLXnbtK z%mTVt-l}5gnO-54xN*#?ZF+P}&^Wt!x)6g(<+3E=su(?NB(oQLK;P5&j@Dfp1#>)~ zBU(@kSP42WkvaLguP{1TGkLBVyO+e1OA<>qzcV;ffLe?>kJNTKHv(mT&|_%rH|>0! z9dR}*UUe3~?5+Fx{Mlx&ppCq2TNGE%+2Fr>*s<$M#RWKQDVgiO4~EcgI=x&(OIP51 zjJLjJ)Ia)McYBQojcoP|FF#k^IlQ-$=d2n7#GdT=|7>+o@17-d_`Ni;b57uU9_cCA zIM05~w#kCi00tYgiOg?jF%p>tG;yXmSdgO}!aTKw=b zWPbgXIoo+o)u(ry=SJo)&Eb4b5XAfQYMEKxvKK>3@3xe|iRS{60qR!!os}+Z^-Oa+ zB>v)Ax%S))f)|9mbRJA}HrLf!y_w>F(%DacPwlV?lc?@~4Il4xIH(uA_73_Uxe7o290P z5QWKio`|(%A3ehA+PKC`a)8R`Y7QaDY3-+0qf&l-uBF2tHLj=z7pNd9wcY?g_KmfvgP;P&)kXV9$iT>AoYw<;v3D$R? 
z)I-nPve`7~)q@|6joea0U0|1F-1t?na*i>A!xl5%Cz;1RZbw-`Po_C1gS`>Y9a)B0 zMUvx^q{4$a46Xr*P&J0k!!(BnBQ3yhWei&mzL6J^I#56HaBf_YEEV|*J}{)QSwnF@ zCdEJVZUmsXQyDGr-^V5mGny1}QcMtCI4v~lQprDInpfGONk-!rDB9)Ftz2FZlNh{j zhTSbzkB*00KzBsxt>9;?n0O--i`JN2*k}WTc zxu7COQ~psACYK3C)R~Mpm89Sj_K+sS7OsR7xq$DqCqb9}z0Pf$Fl?bDTkU=`_sDI? zu3h&!U`V+=Fjlw$k_|0=Zsnek!`Aw67ffyuYCerx*-a$5=+EeWGL2pC7SE}LE9T{r zN;UG65#2Fnx!lt3t6SGp`V>N3ZwG()MKE_fc5?;-!n2|lO;TyynFDGOY?~%f%7IpKKpr>l z#LENOQ@&v{Y0Cz8w|0ecpy)SP>;4g|xmlW}Tn*+!g2E&Tx>yU5G89e`Ah(ec%_M$sk_1|pT z#p0vWc5;c2=*7y5k=DnkYDj}A4+-l@WEyVBH3gU6({n_K?se8MayA%@`dtznoOx%h>~o%Qqg3EHN^V< zUvVU~RxE%}O$K?WMmb~Sj!VRBr=~#75EdqXt=im#BntI!)E8|&lxtMbYgP&5op*)# zgOJ*B^;05{uFkJHmyk(Igf6@F5X1v2i;-ZNvospS2sm!U3>G#t23!?_R;8w5dFvS| zO7sHO&pc$AYU{1D;>rOA=N{dbfA%#{YGDWgMRBuE+_ zzP%yau(B9xaiCkNmR9urDJ4zDnl0a&rGm-h!1sZw8iwM}`8+%oeDWY{3Ey*}JBUc& zVW?e=BhKoEl_jEfk|s)TVE-HOcZ*wA8*E-0 z$pMZ8xdY*omQbeUty;sBLBhC)cc&LHb-K&`1CO0x`I ze$TUFHeWSkPd@AEI9o8qY=5VW6n~N z=3fQ%1v-6fw@e{gUOAjT1HRhk4DbSMrvH>T02T^@@s12gY9HR9YUX_yQY77<6qg@uL((Oce~1}>K$2cMCCmWD74RgyP*4+e~N*N zgsq=quZ%NOa-L6V>0~+C#_cQ^95bE+Si2mrk9WLIu!Aa14o(R<-#vhw(_kHk1whry zv{xK5r{}=|YV7lgd!zfOt2N*OokeZhHb;$HT<2>DFb;j#m1*-O3;JgJJo9JmHfGgZ z5-^EcTx0oYNd=){0hN-R;}mUS05Hb0EJ47i46V@%hrh-~Hes z%AdClLHik8+Uj?aWTvj^dw3>%*iXw>{~S~Ow(Y-ZmX_p`*14bDhnTu~`}fcQyiYq! 
zK99-=zRf+8^*>j@+IHChGI{yV06xy>B=({@FP_1lEgI=+nl_L-w`wY-ba&cSVpV;NBJ%{IWsO4Qg##7cH8Q>(EF<8tKMhHSiTthAt%Np!F^$3{2=s9rWgq-#^Tc2$X}inM(%ZL>vtS7jMk zY;^%7Q>Rpj2UhF5k%?)xONAUTuAzmpc=7Z~1Vy)XS|Y66Eh;C_zGT?2gQ?@kz9zdY z!{KCaMHNoUC&5Nj`E#dOE!?=_P};B?q>7_zwQE%zQ=#85O#x{$6WM-+e6*c%l+~q# z6j!ks*~TqOcqo^lcuJoQM&`sX0-@%S5pWc(zG42MrSihzn8lNv-A_?2P*)aLwHvT( zhnF8zC5w=hRANk)l)g=n(pt(8qDvd2P~t@WWzF*T_#Rfp@h%!Ef)Lckal4w@XU;Pa z&OTC2Frmg@YW%aPwcKqU8q5^IDPEv%gT+*hLOwC`kyl#B36^vJVV z$Io>|4eyUCP;HUEf>*7*LG_8`{ZP6z5#=`DU@R;Y!q@j`W5bid+G( zd@^tFqhfLlW5Lz+=>3<$04t3!^Np29smK^Zn1_lQJ(kaP$Otav3zwq{q8dhqg>;Wv zXqmNQdDm{eK`Z5dYLEtYaM6cVx5*GdAJDAE)20ZZak&d_asnZtBm^ z|7B1bCn^B3iX?1@BpS~p{1NNT8(xPrmZ!c2*rpY7J zmTaaL>liN;q$O9-)-5$`E{dI@3UZknFl9ViAD1_mR9^aGtrM#J{T^DFy;CUg)1A54 zO?e+CK^KNvp0W|ep*EY+I7N~&bzEGdvirYf!Zi-em=ld5-O$r;_{#7KEWIZ>f_V1( zKrQqEO|uKzP8eQ$x1mKo->Tqd=~j68zv>&qL0)osHX-5XOJo9axJI4dEVM5XG(Rg} zlHt)v2DrXxGFx?O<3$(v@MMx_^1ETU26c=+>D(FeWG;P4K{WOYxuA zLko%mKlf85e>n5^AOAk^l)JevGcIOwjCGLsg;P7NLHnqZP#*rPJI3{|(KCes{#V6=n@Ki#%?*~h?$J{g2891corQmkxQ2k6~h@4tc0~Rk9R3O z2Zb@>`KyY~J$$&Ni)Ejbzb#Sci`VCzHD_=Ts{F2MRjXlGeo^MSz#7fb!jht+>X0n9 zyB&6k_}fR$Sy-w&IMyW2zJbpRYO&{#td}Yo{rve^%n2G@gn7$8BjwixN{}&)=}kOK z{!h$MjGsj^mZ8#T6ye64VxB>||NCEgzea!yW&Ne_hno@&JMWs zhWces5pU$z!{oEVQSS@te}Xf#(2a}vD{Z{Ps{fNS2pxYY#{W-q6mKTPvN94}nzl{r z+x8;g&w5NyKX!Z0)cS5M6F8T2&KAqK)6wjC%8~{p;h}KR_^hpP0p2t#4pZk>st$n&)u67gSz>EmPP7#WXy0x-JWc|2`Sk$F;2QjxBKN1Kii=@3x~HdLiBlIc^K& zjj>!;7hslJJr&5wxGRwl+xq+V*4NG6Nt9(PUEs>58YeO%xfAirZ1n`~Ooz?8%VT!< zS%s;C{}ujSt}m-hj{2tS_EZ?K8?j}_OzN##BGrps`+AX~mG5#Qv%1s*;4XBw**n#_ z>D|(~MoWCz0<>P~(b7ThJV@9!Xw`JsFILFX$Od@J9CX~baGj1&L)z~9ZF1`O=xTdC zp0ns$r3F50ax@uRWvA^JoW`kbcbR+PqIMSiFrn#x&bp#~HZrM!V9yn1{VGBf1Gns4yEd@=G2iQow>w*L9K>Vwh?g&~*XMk5B^Ak?ZwsgE zd5+lLM^EjjhVMGyY`D2_r}P-o;qgbMb2kG~$AS>zf~e zfvEqZdsfJ?e}H?0U4c+DPN>r-{wZWXX?rWVJfGl9;f0AB7LSAPA|O%B(c9Z8V}48N*W2z+1dR&o{v_7pGKC zKo4^_BgM*mrWy013i!H)rARN4vgz`s%MxY1MZpJHW@g4!=<;h6!tP9&y|&@k$=53t z2rM|Yk#dVFnr&HZlQ$DBfX7+Dme&zj`~zn?8GWy{<6yawU>%Lki)8|z 
zWw8+Pvcpc*n4Lxv?hw=a@MqtU3*`I-m2#aBXQ-Nw4=otwsM3^aWrdbmS$UlV=cCD< zqO?HhX(4vss--d-(@d2f;ndI8lYsTJleX8a`haHAdMMUic%n1>-$_(ac6BJvA?T?* zLlpu9QdiF09~oV12&%b}`J2qgnl*?A1I99xY!wFa-k*in)s~6bU8ip;icji!4DNKq zghFIWC?Ec){t-NNNwTePhuLIOfp113Q3`=4jTalS6euu-Vk&Yq6J-|^t!lnU-ik#0 zx_!cd++U01*=At5*Z)Tz={=()ILPqRftL?0l=?!57mZXiD{bz|WPHZ4#MA6C=;tP_ zRgD;}A^!s1Z7Kq0gl_ryfN`FhM8_!hr-ErExFLC}qi!^#MNB!wWdtW$i2x{PEu9D3yGE}6BWdUTu!My{Gs z36Zuj))?2WSwweP`mmbyTlUilJN!IfC=|9O%+S7tr zGz=L_Bp&4!>AFYjm_w0irg25Ra{M*4+VNr9fpts2T@7u9-!3}ZjJUAu?Dy%A zsCQ~mIs^{gxN8?I@;!@COUfAUgY2>KfR1@1_LMXln)ffsXr7S@(X-;(1kE-DW{@aM zb;70hj1r%;>fuh1lF=v<|5Ptw_s)#NKG3fun-!0oY3&k7MRg%bZ<-(doi{_zD!2n< zP4i$Q$qOGb5uR8w0k`lEO^c?j=wk*N_Wcj#?@|(IxMq?I``c*ab=(|ch2>?ICwrPQ zAyYgP#zcICCZ`y`m)i7OaZlxoj`=dO<1M*s#=48B%S{88yHX`-U6k?B9x3w2qy+W~ zL;|X*JAM?GlEXv2s(ExMz!lahv0ZqqIyH(cus8oK4UiKEYb9?9ib@ZdE3(|0U-cZc1FaD5XU~JKSR%34U;)AdBg-Nv3^CjXSDy`I<3=OB9m8HkPidq0oZlH{xf0 zVewx%_BRq_j`k-8!OBek{{(yuzK^nD^f~&txzhYTvZt_d;sX!q?~MZ|2_=?Oe915W zu-w=-N0FN=o4Brz(Wrl;-f=m=0ihe^6u-p&*)&4tY@@biyyUnCGVeUfws~Q__hJEd zd!nR!cS+OPR(iHSNWY3U;`*X!WAwdFTA$*<6H<>g8)z7_2<>7nJr*?u0X?rO8TY#yW=7%a7%T= z&Ezuh@bxx%rQaRTQdy_eLt2srtik;`d2~M&biaI#oJi3>THz7 zYgS4)n}+?mWe(6X8g$>$@!;Km+UIO@+Ykf#_*Ncs^76>@V)J>f2LL*}W`>Ul>cLaq zUHrgEI*1E$!-Np$X7dzH=|4pe`~9ER-K`gL-zRuO+QZn#AvoQS1zDRe>VP`uOem&l z{@6AWzN3G|SF7KYu60x14X>i^QT82zfQA( zsf&RQAK!)+Yk{ye-R|e(2Q69_CD-lWCjs@BEu{p81aG`<*{G>6kCh{ylU*GL0UKA2 zhE|8poCe^)d=CfnIXcEUfRE9wh#xC8WFak}^V;XKW2eWP^TymMWy*oeCt|_RZ%f;| z$MFggb_Wvo0s+25wq8*a-?LsF#{TDyS>dO~Uv5C#8vtF&yu?2>>0eRS>&GIP8|3fz z=VLj%jgQImg??<}Blk9b0*k-|o+e^qUaWu6zj!NPEE($4P!fLX<{_72gndOmFKNi` zFjh7RB8<3bTaoBfd-MWQAxW5QYL#)kApUl=OnM~yg?&Wy%uHYLq9=S9Ez ze|O7{n5`et9cQpW{Dv@pD2zq(9E`^{2|xOz>{fi(2ED6TOcjj%iwX+(#z1LD*FLXE zeR$SajtT)hT|r&AHrNtysgTGfP&NoDBA8Mm^U7sXS(#^+NZ}-wSgn^>bu5H-3&js^ zmyy7Y<%Cg^$h1Vq(a5w!+M0$xUw;F=W4s8&-bg(60NZPvx6i$1JiQO?ayJ!nk5}G$ z9%JE-O3{OenOoRstmt_xF=;J-dx-OjnBVEPqOLX)zLq`^ms2$lEqv^a}-3_tJX>l 
z81t&M>mDpH&0m(~4*$qgO9_(xcJXyf`|hzchWjJQ@t=I*28;`%hJ)C;#~+4f3C#Qh z1)BDP*b=mz7HvJ&za;SrkE`Dbv|Sq|9ZzZTS~8%L%CcClfISM&#D!5nS$Y6e=Kq3_-j%iOw6BFXI z{f(i)4p0MsTy7nk`~&HQW6~uv`pbrc0B)geeg0Gi0uZgT!=sN0BQwaqNT_=AyhxFb z<2T>nN{5#7CM{ZaLVmChjqonQrk&d4#6>G{akgq?iU_aSP&3M0d=c3X@U>Dp5lAD^*{g{2R4xv}m zWper5GRxUaU{o$lg8w6dvtvIQc0^M{eV4S2Btj(W-{*OAwJxT1NtN1I60H!qA~kGs zYFQ|bH20DKSPNw#eN3F1$=eUQ^ai;P^h*b$dc2grRc?aV0Y66&x(bh%{bAm!t}@Zsj>AgjF&TXVpE^^o(q{HjUZIm$geCH zQrc1IC4_wBO>-o6)=(N_^5VZQOKqo^!r3xWUYV^<(Iak42sq4YG?GiYDB(C;)~)2` zzfC)hHpY|X7MkMQ7}&q@XCm2=8VG9%AW}E_YH?L9G-3(OB*;pju6EEeg<*^fR^$b^3Q7rqvlTje$slk zw#*&&d(eQaA#^;l_@%`?&(P%3{RcT}0v)XUBa5mBxfZtio;0@#JOhFS)xHOj{&@Wc zUVC)z^~oBrV8xR$*#Q#^9anMQte`9cgI2WfW88_Yf394B5kP|}vD#)U+79!+%5U@Ht?zIs$-*NEkjAa%Xhyr*2ngK&M2MIdDVTn%Zu)^yV1VQ zll7`=@RgdtZMuEO^PuL`IWs4PyERJ4o4<+1LT#%8t=sG%^B))k=JPwLWbVx$D5kKxqtIDN!yz?X8 zy?8Fj*6(^u)Ic%tZkhv)Wa8s*5O*vG+-}MEI_JiE>=AJu98@~n7@c>`YaZkPvb#2Z zUcEmu=~%p;KKVIi7*|~+WriHC>a2Fw(A-b11LF=Rn zwomIOyo9~`UVzShaOG16C?c1*?deeCFYj)>XVQZh>Ke5J@P6vRJ(kBV+cQqTyPvn# z*6ln|@3ITR{A7NuSM9U~I*(6Jo9YJL#mak8C&tk8{Tbd?sg5Ja?D$3_346XAFSl z*AT!c1k(F{&-4fhIC_UT<3bj4TswAuHPpVZ@Y@hzd-)uh2xJkN_r`mxbL)f_7xAe* ztYzwUckK$+(3%DIUM)xy?*qm!5SUpjk7w5e*izA7XL3(ccP;yYb-lh!oJy-dp6o0K zD4K5e)U#)owlfoQTB${&0d@b zPt6y9MTIs!ku)ah(wp3X8hrpMe|38{y%bC1Mqj2$j7j|)mmOU(AX{F#|1TA+{8*$7 z8+}Z|gIm3FnTz;HQwsbR6{^jPFrU%JKg;!&@V?8jyl*I<2spxN$xWH*HO%o3rE9Z*roCb4HSC8CeRVJsgFRX06ONU5>IXGz z6DsX(QFvOBWw0tjODBm^0ZaDvTjULL^{{T8JZ8qpe^l9LznYRp>xG_cc=7X@W|x%l z;^}|)4qU%V`bPrgY_-jI)UWIC-QKs^=Nc?Og2zJ~BR+#x!k$GP{7#&upele?xq_J7IQ8?e0*5wWalJ~>k zyYIPTjMcMQ0Emeo%|!<$m(*_|eBX6fi;rrblIUgsh;fk)t~Y)a-De=lV#AM-A3;gV zQ?HP3ObO1&SW7HY&8y(ec&e(`HlfmW_~*<~3!gpaYE+2X*Dh{nNy-M(gioXIs9F+5 zO^bcg=vrnXhprPYVTcm-GQS#X3@c-Crx=y>U2%uhtDOC~sM6%h`-~ zm{LEFhNxS6h(wWVhBzhPzSqsk#8 z7p)}$J5|?rTXfB0W>e5VXu<~;>%WzCrb%K5wSB4xW~$6O6)OV`12lMF^Wb2llZ`}F z75`-v>Ce<%*v@Mbgp*fbv^R;bnQ?sFqOGM(dRkzJ-C#7*Ax}FOS1^1M-GM@;vdQyD zZj{8}U5kTnw0)V82+A^0E!tc(5ajLyXirm@5Lj>kPKaQcwe0#80#`2_BE)fEe%7r) 
z4K4Y2s%C>`M`3}{!a`Yyb;caHZh7DMjcCP zAhG!m&>7bVDb%IP6>nb&5l7Wl%cA{fS^bo`RR+gG(Zb-5lu-}+7B)KMa(3%f)80%r zGX1M#+Eh|(J$UI8MGHI={4qBIAHgGANktaTZu=?EnJnPn|H?ZP0iyg&Z}Y-6C&%UP;^$ZrFM*8@x<(HHjE zukjssyuL0eY3QrkbZ_hxMxNapbr_sTJ;qVQjwr$WJgUwoRx2NMZ?{R0Qz{9o;tiMU| z(R-~_Yn4x*7tr7mi0!>^=#YTu2YQa(@pwRua5et5PwY)M1-N-h39!7K>~?n3HF;k0 zUe*LXkKkn*|D~n02G50f>TJ2}<=WTq`wgAaZFR`p{hfF4FLpV4&ph_Ok%ec&0#Vin zyDz>`Z$DS=v+91lOEEeIC0@4g39CWc|x6zj5Ls=Ux$>`)hr_5Pto& zpU&ebX-<<}PaCJa7DOuA|N6;WpBG~3>>Hk}PsMVAVw1vF?2CIlAEGunuN=0WM<_@A z%|dE7w>%uT8v*_tk54nG9uGN~M7}4#ld$U3xV*b9Pz-#w@n@RUd4UIjSHtS&rAXkG z*DCSy_H9t_CWLqd;_nRNd@lqC%`8FQbw_#=Atrbn+K~Ar{~)aAu!8%#qBMXNs1-UM z{DBSIn@ocgQX;NDOET~zxZ053`+xT`I_oVDMpIr|oW;~3Pj%zN`cZKziB_!}=#J;w z9>q}-l5YYp^hx`u2|>s{Y?942pcPr#O0dG4coq8J-7M+Te5V1llYnA;)*ej zSAh^0nP2_(tdgW;gxFc#7AHUCp&Yo#^krtheOq{!tUnAW^Tg!Q_#yp?8>ip62z`NL zu!**Xx{k_J9F&s}&vG3)5x&=^tM}L9EQO>g)IN2DrZXlbvz;DCgz@v3{V;P=QSHgM z=tjQ`CJL^dvpFKxBD8{d+~>=Dvy=#yX`ZFnWH)K4dP|8|LiPBrE6jk%wVwidU{n#u z@B1SONz}3xs#(9wRIGVWM3EC8i@m_71Qt|3+W^Pegf z*_jEm1vc{aXiY_E4%}94-^N_gbooJ}ZkBI<%?q%jL|O>tpn8%=K$>uMCD_01eplt0 z!k%+_drD41XG>dg9SjOF(gI(~iRjztdBjVF#COe&LQ6#Il4?^Lpt2-mcwRgRJ|}A< zCMb9A%0H@7FMW?GUshPdFvjdC% z`wR8D)>zH<=}^pVlYt2A&0gA$8G#6FCn!})4rouKngI^U_;8ca$`QJbkNWJ^MQ6AI zv=;d}{7#t!LrtF==h-fPPoocTEs+tFN+`va{dJ=`t1DhwPmHj%Wk5`VCOC0jgCWH{ z&icj`i?2Gl5-E@uJ1U^Tu1(%3@k}wmUL_Q8uF!~LvfR!!An7lt!`6S7s3hguu{<^% z2OH#t5QzWM1;F_IOLdtFH;43|Ch{M74#zCpf*s0!Q%v!qY%?K;oD^OLGW5AjU^39g zzSoLW%GUKEmj3srU{vF-{iZL`2;y#~dKwGX3}5R#5*`%?VqvPO*x)Lp8~fEC8q6sW z%E=BbEiE!mHEV}Im8E(lT4{ztazXxl5itNph{UrEIBt1j7BL%=qyUxzwfft_J?uO} zS*sVwr(GUUTZ%+bsGB_e`ZA{MFlM7NOzBx<;M@<#N!LUeo|iaWzE}58?Tnk3Sx#As z=WBNSJiESRD|dOKtj8d7lwd7Ro?d+rzCb$bnHr|7($>S+#64vSNs6F?lU)W@LF&O! z=)US9#Z0E#*S*YiH<)@D6_SvlAK#G4JIFS4ja1>R)t4-b&T%^|m#LZyhP^P0xN}?* zg*{E1c2yJ4ODF9$!qG$K8`=6OtX$Z#y0=hx<-Wticy*A)%MA^%mCQ5E2k^OW%5PQ! 
z8(bneycG3<|3)u|iu;Mvn?|BB7iE6AaBPoAMIy0eF2?(u8q`><6pcEkyC$esS1d%P zhMQ4WdlRG{k`L=9LANN1V50-omos^v?wrdF{9l1=L5V9qBc1|o{^P(u1>FYr;J27#;JN#+I|#O?@uG*9uYI!EfzkCTwKQJAcmE+R?QG7b ziYs#a7?saqRQdS#bt}iZON;WB+tadlSL^ujSPNZM$7(i^;eHHZbo18&vB9R{mP~G^ zQTlNjuS%|UwSib^@BOZr1fL%71?E$ydjK|DME69gz%`R|)8+fw33{%!68}XI_%dzV z@zo`+^&f9f?~GAO(id>VZKywAShr=^ac(E(w#mj4N8mdz7NUFCOHsGm>ycR+FK-U0 z2ht1zVq!s}-@{P0KW(ounLzAW= z?@fK7n+HhaIwj8k*K550(}E3ot-qa9v@3d1&TsI^tc1OvXSq9;=Uxr+v=mb>gtv6t zaj^e`HGbl}VV6l?arGBugbQxPpF1B{5F6rbeR+M167YLw;{3eadA2wIi|*hOv!~~E z(A%N@WVh2!NB}u$^Nb@- zyt2Dx2-ZLQlj+}h;L&-{0q_gr>;VpHFs<688*ln0$V7!Yo39F-^+EH}tfr@>fw3 z2I0FtDve6cMlq451;$VCkAdWH)(SQFa4S`)<&57|vQ)F`Vl}d!p6lWztj)uoU}+p? z(G%VLq)oRF_J0owqu_ngj5G;v5*|%=w4bOn(eRx02?{qfh)FZ zSvS-9&vr;OCXyvEA`vAjzQh?Lnn;!b8FS2vgvkTtJE(*Vlvo>o;r`RF;|nFnc) zh@F zH|>}h!uny`Qe#+9b3j;ht>v^}DupLGt{!Bm+VFF1a`@+73w7uW90O_og68HA2`g8u z^6&<{{YMJ*#|B0fQKLoNW7sLKdKW~vj+e4n-WJ{~8?Qei-I4poYUhntkbQOUr8@~H zA+Q1wwx1Tr!sx?jUuHgxmaeaa4MjFN89RCP@8KQoMhj1S0c&+617hl1w7Lr{%@(0q zVQ9*sX#I+``+7AOXMbM&NfBk2n6*9}EFT>6;4jTQe6Q9lIPnUr(bbC_6q^zqyJt18 z6IfB2!;Kv;{t(^8-kD)C>pJGZ%*(0yg%rcB!vJ~dY)#OKB=5bel<3=ez z4jyNAkcOj@g$*fRo!?s1rYgEz9Fq_f`F{FqULnQ14c?9JqUA8CL@Uvrw_w~c_74$nKJ_67$WF}~j zkrdwW#jzcV(}^K1^J6P{iOdrG&Wo)7m3#kReQ=RJq#)RIUdS8Yhy>^u$!@8?cgO!% za_}z}Il)|tk7@!~$cyFYwwaHI1jBH_c>?!ffJ3gcm-!$dS|eYf(|!BiU?G<0{eYmhArax+n7v zPJStOFz9+8Dc$lJ-F--VG5|+I$-i#-Q4=)0&4<-^ub`)Oy*^=0k+1mO;2sDF65(fN z1KSvlQJG#RW=41PExfSnq`$S#Cn`WdxB$2rz1wnc2k(=tiIWRzcVBIU$X;Hnw1s7E z-*i19z~S9?yT)m zzQ4XODSF?8$-DF3md@;`w!J)UX=q)KL1}E43G2I>@Na{6JJbHGaPLpNY&d}4Y3JNt z%O?e%VLYadD<>5g?vR{WmwW~VY?feKOAqI!XJ%nBTK$*WJX}3GOM4$xo-bkTd8|gw zdVtxiBMMd9dZw4#l*Rkfm0}B+SGo@Y=QS7A_Xr+u4n4lhb2}cOoc{AuWE5Y^M$cZ) z^NvdeZcwnqPOs(CQu=NUcCPm&7}i1aI{GX@hp6|6aM)R%@9oR&gGyT0?rY=B^HOBy z&dY@Y#|u&YwjOME*F1M76Zkx>M)yglw{9B;3>I{1@;?G93@jMm-c7XxU zx}cdEvv)c$x^edQDCUpXf3K)~8?*V!QDG_cfR_XC!m9A)7np79nB=iipPQ_JF=IgT16$*VbPvsdoaSI zZ>^lAdnxn_mJS+|TfV~_fC?>dpPbJsUVE9AVIPMSM30PWD0!+QPrh-2qAT`LSib0T 
z``O@nnU0p_8`6}$rMjJ=IFBJ4;*%s(LVB4IX9xVq67LJjN_8@Yc)7yv?_IU;b~t}2 z#>-rK<0sQ5iZldo))?E$o02hpV>PIBpSvRJI}a6V7nYT^dt4x~ym%o|MG|68C7X&T zOO{Kw>tKW^4ImfF_P1s+FOjea&L+H`=5bCJ*)1PD8nq|{|0%FZXG1>j=UGzk(9-?q z-86r)9x+?(k!*#+LQklvEM0({r zqL65wB4_Psd&5YTA7*&X398M`a#RgSfTPbnH5eJ7z^Xqz*38j~eP8VA+Jn=D*Z#R= zshyPZd!IwWV2LTPkcq~^46_V&{Gb@1NUZrJAHe8T?DKQ^{GsS9keRI5+6Y#La(pOM zq-nBkt7k{HxRZU8MW#!!TF&|NTH15qg$^mogOP^N!>V)>5g@YIRCxJ4Fnu-#EJ$${ zl0`mjEB9j~NIJn@ zsf#0A#Y%m>_PHz`I;KWcjUj46+xj#$i@`NbADk2|yur*oVMXlS(}ioi$}l5D3kb0i zRxIUq4}I2vygcLmGSK{=HTi<}A25K#m?Z>Hbb*LCdidhpPwm2Zr7{pXG=APxk92SjSw(Cl;%$ z$YL6qvM(y<&f*+0K%q%XBs6|<3z}(V#PV;ka@9tNb>Ca25>l6Lc^*hM63$zqRHV5g z5uz7yEY|(Hr|Wg+78a`LTSd0cQIOhr*iGDVqB2N7r+?PT@040TvkK|KGuNIX%EFJ{ zMEN?0xy6aMnwKI+D+JwNGVZ7z1S~}tvo6azAG4Bzp0^UVkJDVa?8w!CMBzXLFFy%s>_@swx8&v@sUmZ7a$mfHr(W{D|%N;AWodaz3 zVym2V6h{t?cuA=y3^R^5y&UtVjOGZi{!c))ILv`ye}_*GOfNIKkn0&UpGANBHBik| z&nIwFj@;+OygG${fD^zo>eB}=_Dg{w^nlcNNHpkpwK$vdSnvH^X~z_G>m>qgZK2!# z*UQ1jcbK0;->u&D1Cf0Yq)uAz?!aTXFkh^ZE-}qZ-Fu+!umg;B(mFiE#+u2^)%V(I z+}1iAe}N_b)jzR!$7KJ$alH-MDoz6mX!d7qf@hsJeVk^D3BBA}A6r(zH5Xr32tzkT z?64WI{ojsT9eUQLVclRmi3Jq4k~gnA$I#Q>;hz>qJkDi^Xmuffk2-TT?QL7$oNp5L zZWS0?Cq_2-oYu5zU2-Ao3vX*HU5;P7FzTOQN0^!zE-RnLqOPwy|G^#tIe5=c%$T(8 zz$?A2uhV;%?pNS*Vt(Bo(LMVDb+a%7tutJ3gL}Ri{>S~?9v)}6=X$#i8Xfk=+sxbE z8FtotGk~z}wSUxC9Bgta`?RxmFrlHK33-`1&P_G2dSQ2)PX+CF?J)U|O#{mPLQw4e zb}gpldYt}|?w|X;zIAf?pHJ`;>%QKAh=xu@1loRiU4C`Qd2LPvSB@?>6VvS6524W6 zgN|r6HuL$Ki%>4_lFmNOa`p3lgLRv)*8y?q>+TPc% zDH0>2)?#q&(Xq??0@a`)!`$( zzWgV>iW4YN_4t6vsS#U}1gOlM$Ebn12mVnI!v=dwC*!@lfw#COW-vLcxc%a8hP{YA z&sDhdCt{l0=ei-bm;t!E^77dsBxE(qGN}izP|HFQa=XY&;fm$>!F9u3-jL*trYLl( zxY_J^=-)O;(MuT%8I2chM*YMAMvid2L8wdg9Lk+2Kz@%6Wq$f!p z^z+w~qG1Hh6Z|?^Vh$u9tWv6XJwr{DFR5tg)Cf+!hpmvfW!)vIXcU!;r4xeQL>VI@ z*3czYq+s(@gUFQaE#o?BLb%q1RhsaVpjSM~f|=L$FfK#t*B*X&WdO_0n4Kn=DbzcK zdC+jUqM&5^e|X!WsVq7*E4n7o>#;h!QlOGo>CF6t-;iCQY222_t+QDk{j2!|&D>B| zWXN8hwekrk8e1S6Qim(&m{KPw?#f0T?-TrFow`kaZZeRq?&ueu9yAhIib&x&Uzxn+ 
zqH-B7)g9W*W5f%4Vp4l~+HSQnRI${i5rrR}IOuI&8(!kMa|WGMUap$qDe|i>HX0YC zZqBAkV>NE&YJ@TvP!!p}Nh5Nxa?thIrs}J{-T)UMbBaz+-vag|Pe-kKG zY$#9yEP_+TGkgt$d4-24?G~9-sckKp%4pP$`aZzhuS)zsi)m4!v^6S+|53zA{(=%E z9mCd668*9Oulj|LNMcJGm6EOboZYxq)1JjXZn$5ns)eqGZCCUcn=72g{kQ44h-l(w z;bt|5Op)@*7Nfo&2M8eqRwWOz73m)2fjCQ(Car8$6xA&oee4sD40;S11vqSXdOu{P zgte`s%8mtDUV_~*ClHF-|y7zvE&whuT~$t z*>)fYHb>6qMnh9c?U%?asIpryZ}E*6X9*yG^xb$!Wuvm&U$h`9jaf6xsgYrwXbzPr zUH8YYFKjSs-;(`_9BtFxCo4}E!}}INV?Tw&^EckEf+1~xNGWs%jh}t1+{7ANa$Kr! zJ^otBL-F#7vUT~|WsK2|ce5^g;LZg7UwcW$O*w}4{a;b1dMqw`j==l$#2?|WxVK8)1Q_l)fIBdx;ua7ZX3NhN)Zfa^X+z-U(C!MAL$ zS}Xp%)_N|@k1L%Aju+n4*-x*vPhFtx?rW}nBw)X#0}} zZ1u(8*!>&R;$}ldNtAYYD%g_(f9<+fvk1F)^@FB+3k46Z9J_*=(-u1$P}>${6;;1Z{({N~Be<`+x7 zojZKugXwki1e1f|%1Mwh2tP`pyX$^Z_&AUO@53A1Oy(B0Gh5Flt|1K_r^+jrcgqhW zX|zG)D4uS=Zp+X4L4)M>o+lRz?moNqTmJr4k5#{xWy11yKvnM+r+fF*j9zDR=QSRu zM3X&U(*aESucodsX$7t=ZGMBbjG)5o@S{0}Vd~zSi$n>+S8Y{Ajtx@2=C0un!@kW# zjPraIKI=gPIP9RcOKM-Q+r(+_b$B!k5vLzsc~H`Q(MbZd`T1Jj8mQ*FIVljmFA^K* z0@n&(wgU1Ypq@?70Hv?kD8l_V;J^fOVVeZA$#w$1QT=wY`ZL zzh4Uhqwmk-*9N|OQoX*%WB<_I?*QP_M*J(EyCYz)?WXH!g8NSQl*07JL%o`x_c6=L zb?%&B!y77=CoszdsEGjhm&f1fzZpBBe>cj0&I{hFzdwK5dc(Zl%`%d4K@MTr9ceXW4*|ym?I5l{%fsQHrD0hvq74LqT!- zU-}!CNq=X9Wh>Xt(#BA#E$$TqzQKM2M2IPqhP5%fo&LZS;vS+%bOchx)YR< zG|!|rUw2E-nzg?XT0?~9VVFDPqSN>(pC!n^Tg|f;el~}^Q930^i0HUwZ=_^A54S67 zr{5@;WdEWzZ^+%68b^qu(O}GwNU4w^*a$)X4o@70S-xJ6K!Al)GoO!Ff)<<#?cz-y z=w6MIT(d}Z>cc~g!cL7t!t%$?tvc^;J(cM^f0FL@N4_j87Ig9DLp7VaERav<^T?OP zm*mHt;CS@ItWPph-4{Wk9RVm|W&aPeKuo{X?G_LdV`tByYekZsz?p2q1mh`2tD}sX zYB6}Lk}f4WkoU9!lNI&OAXLk6+~S%_-U0jdOp2M^N!p<68|8AhU(%FHH6X%VmuDiM zs}h21Pqd<-0A|;5vw~7-yJUkbCyJQG$$08jn-T7oz0O#7dYz!03lzN{_IpXu2kBgO zRGUOql25T%44{!PERi{~rcB3dVtAJ6w-iZ%U&0?FwIVro?VMmW;W?)I^{Th zNGUZ7foh*C>$++j4X(v#812og$I7ERjq?@ z$~Mx?X)lbGzMGvkP!DEDWroR#41ic8ot=OzNtu0O1U0ix#c5VkK5ju1OB-qG#K@SI z2j)$ype1ys3|qKgCuN<;PL#=52XHAW>&dXzDFlDf^TH{#ipE<8(n&21A48;gaJZy^s-+ZREK0=>*RRV 
zEmNRJCu1}%CAF?!ciBiwM(upJ)6uFhCy%%cNbj5$Og}Rj4|hH3^K%S`!HjX79DqJ`R``F7}$)iRnATxSDX3J;k|3 zH&3zA)Ca+)UNfW6rgJ=Bmn-=aXOD4$cGa5D%5@V-ngA}S&GF3~-^}sN9N*0G%^cs% zjsIrA2#S9p{b#QJ&*w5e;y+6+{)l<$zu$kz1$hA^f>78e@E`mi{0IL6_zwvq5HXwg z&}W_h^NX$4J@kMlpE&bdTfY9>As0#8%u|-A9C`E)Uj6YRPYORf?&}X^-n`(l)4qkC zbHI3q1Lyyed2CyB<;!nhW667d^``&it-)bi+_Ln;M{aRK_xmTmTfbZsp_8`_p%! zYo}qIIB25}PPl!qBbXgZmi8Zq#2f7Y&>rtB!CjnearmX<`f?}TUENYY=YwUo{KHj0 zTVA{1^lw+r-t5AYHdU*a?|W%`zwf=;W5H7{_@;H4)7*da4VKtT`S}LN=dR!6(bge1 zJhRBkCqA_26P>j`*mA3z#>X6Ua0NAb+uQ41bLRX--@5kAD{kKP?a#=6R{B|c)#f#) zzVy9$clf)Vu+6FOueu^}*_B6cwbmi8Nb6sAUS_ES&%N;6TQe))Jv=9Q=9iCt|D3}& zK5x~XP797&bo2Y4-|l{P(f!w3ao69!vS{Us_rLb1lDG3u7TN!*b-Q~Ej=eel!^5Yw zzH!2;?^&y_n68%|#J+i1%Y)~i_QEdG^zK8h-1M34s;_VOuJYBVU*B%C7Z&gQ_El`h zV{TiOtK48;reCvPeDSNdSubs*Eplj7?k@j+@Z-IQ=1E8I zb=R(^Z25~N&Rp!)U9Z}7pRWerx@E^Z&k^qZS=!JpiJ{%QXoXtwPZ7K~kS z+{dk9uZ?+t-)Y3N4+8tnN6o3;t@S`hH)SW6kFx$J~w-2r8dO6H0F_Id16eWKug(0I2^fjwiA)X zv=;{K!!h^|6~Wn5#zu*V+C{$Zgs_S6R)CCCm6w1HiZS1DQ1=RLBlkMPJ19p z5~OxfFfNnRd?YqfK!vBqVB1#_gw*0ZtEcI1nUpAGWcEreJjECIVs+#hDQ2jHus*C$ zLM|T;+zMB%V3;9UK($h0r&9zijf%E_*6DGIlzUVxN%o+zV9Jn+(?{WKJg)RKD=JB% z*UOc$UJUh$ifT1$K*r3c>_T%`rHx5OM02R382u`TNJ+sMD`>Vbf|EcT)oX)NRwj{j zaZn6dvL4Iyq}Ai1IxtR;TZ}W-WmF3~v%P*@A0&`y79ghVU~;7~3{}mD6u|=XlU}=q z4~umWFZL$3R%#jzv_enHKBAVi}mo&e*E70|uhT0#`4ZJ>Fo(gRIX4L#~hZhQ(>6 z4TYxO&6F&tQtB%?$%hAgWQV1E7RG?76C}DgL0E(~)mTL7P|WnGUb-+Iv1Z?OvuVF6 zAVEGdBc_waprDqIA+iucUY#3t%Qj#Xx~bs^Yj?XKUN5%ENrM;;hjan!MQyj`;Cvo# zo096AEh}B`_2F{K5m2hEHcdMy>y0cxBEwO2l++b-48|p}3#M~azF^F*#t1V8RO!Q* z8upD`v6LrRN34sX9?41~qIPvqbOZ;OkSPx9P3@ehd9lsF`54C=X|3JGTZuVVz1p-j z#3oXbY9`%Tkki1XR?Q|=kCn>^uaZ-s)nrpOQXN&n@?Z0RN)k(doc~aN^&h!KLm%Tm zr3SCl^-o&X4fwdaZVU2#oB~Lf^aMsLrDD>q8E!^*;vqIr?4~VP_H5d6`PodQQG1w+ z`%0r;AB`tmCRG+|>B#2l(iAQ#LzEQ7I5UQYAVU@EVKhRu9tRm1Uscqi%>#1YYcg?} zs&X`H6_T1iVU@9u72T{_YZscj<>@k??N{qmW`KA^BPo%QBdaQ&lAxX~4}rv#oOm>t zj#7i*|o_uup7=8AgFCDq(QwKl)%WLH)e)Y3&70x}u zU2@(MKV)t_MPF;3cj$TdJ?tJDAM=`V=c1?Iw!u@km(B`)bm?guY;ya$ckg}c;akK< 
zz4N;p9((zwRd!y2`@=F{}j@)9KcTZn` zn|GhO8hh*gU!DFRKRGidKvCNX)U#PoZ|GRC@`R;+{Stq@<*ewUXjucz*EiW&# z?rY24{LY%wEzZB-oX+sf3<(_k9qPgZf6TAIWv)JYxqUV~#;ZQ|lkA2YvUluz*!a@b zmwBc6%T-U<^&)*Jue28U)<)+_OYiW|c*PfAfA58FY_#N-_;OF*_~d%mr1CGn{lK}* z2Zt$VzWM4C!+6yjPrB*MqgVOM{r_S7|2O*&^ilu8$+`Idd5nL-f7pE81pSXGPV~j~ zA5?1jkkqnpIVmrM|NPVbKVL@wfo2<8c=iXAv-HCHkF_xVV`PKS$dRcLT8OBTR;GZW z&!q;aQPkQIZnhLmnr+3(FvHbLVUMh8nXaCJKq!n%0-y5rrav`Pm3GsoX)qF@Daim; z742r?nr6&4xg|O-*(8yx4N(l#8G)DK20iFf#a7nqPF=Q>Ddf^sr&W^ky<#)z^I(Jl zb}K9u`Dof>S~aB3jwK(;(&bt&BJ)Ks5BDS%lmy!C7Wk|MOSVuRf?35&Vcp1;MFFe< zWE08g{Ib%K)AAzk+Y zMG;GG*5G}=A`PI6n)=A4SRjsG}TxMVm>r%hqfUuTG zQ*Hq9l@L&pO(B*bR%Hg30`lDg0!B5nF|hmPf*~a2f!QDSg;t;I$&XqQ zQ(k!L4GX}KR@buWk)0LnLThNFk-}p(#wJbOgTYZ-=~aDx#7#q9w%W~P%S5t}6wA56 z*aI6qE=mEY96FUDXN+2yqGi2_n@4!2lKOY@htR^BU*o^&|C3?#K7oCP#Pa`G{%|4x zNqqhI&mwI%f8{@m(*H+PCx~w970kAPiITP0mI@cW2ubUy5W{j4eV89aTF}Z6;v@t1 zYMwuwc(opB^;Ie<(aP|;p9tRzBO`mg>!DT(>4{y!hjhlTt{U{c-B zxPU-WOb^CMso{SET#%LJXo=f9K-jj^7Mw8iekjx||rmtBvQG;q|9}DGrgXFsI zL`Q38y4#ayrwCS|$)U%Wijaxb5=E**XD}4Y4H?_0lGUuQbPH|Ti>CYA5F!RO zrlFfjBh^iXTn50aTm^1(W3SL-8$=x%IyMN`2L-=kffKz}MRXT2#f&_$Wq8P@2X(gF zw>tx&NIV#W;o9b=b7O=Gq%tY z2uge<`Oi%L?@O^y^Pk!uE$~0je@KMHr_+FhKTrKP;_vuR@+-i9NIZ$d=yW1eUoii< zXh*1V{U&p6+uoml!O_Rv0H3)12P<5$rhfm!C-1Q%wzhHlf?LEs#|1s9qxVYUFUB1 zt25`3!s)koKi($nU3PigDDe&GwpudPfT z5Ld;YUH`=A=8liF?%MyDpW44#dHzSE_qP7|0ULh=ce1~E_0eA_4_rFy;^r~Gxaf%$ zdMn=bnP*)=`u@vzdGv`j*zc#- zzI65q8~>Wv&3fp~-`Hbjw}YQOzqR&B$6mF6ck31NZ?C!E+H=-japzsHIp^ZT%;g_= z>za?Q-48vcQklE;s!Q#BXX-EO|6~9EAFlsKBtOM}h?)LBUyA)J{HItF^zvr}yVPa=Rg0j|BwFl<3F8Ao+(As;ZHw@MXvwWTonG(9cal>oPcEW3_7eZrg8J6)qZ^Htb`A zxT*L6Wa7Nu5e%%GZqZd`Tr2T)N=|VNK5uJbLq(VYU4rD;mTO{jkPf@kDAJY-el`eL zQ0XQCI%?h)b*)MZsAw~>NLn4 z)OGtE4wL*27y>w{O@_=Mu+lkQ4~v}|8YrfKaBQll@Z}Uc(wn5wEf9=IOB0dPrJ^eb z1l*LUPMnmQS-??r1Qmuz(ktM3W-^^{&N$@5e~bSt%qxzIf8%2FW}vrc@`|7EALQ%D ze->%G`78ffl>R@06-}4g^d6Va0g5rmNA=q& zSEPA{bR9o}i;OrbT2h{sjjWRfAib@~CaRWEIOT?Lk{W=tA~mu$U2W18cO;p0Mxk3y 
zP3+}y&xGZXI1XAwXmj-;#`J2y)W6q=QOWPg8rq+Fdsep8t`Qb8*npG=Rw(nMxImy* z1{+6F&QCK5G)B;YsSB3hH-|Dng$)71I1rQ*Mg_?URgE(kVNxPR5mJ(Jqm|6)P)lKy zDp(?t`h+Qv1E<%~AlGpE88r(OeL>fY200mh!ha-6Vuqi^f4ool&q9gMXY(IsVV|E4 zoLboD2Tc9B&(CK`e1Mu;UNU$SZEU?jv zt5TvYc1I=%I%K=6IA9l0dcKk;?22K4irCYK4n0we&S27V)U?y8hIYPR%D4HVn+fgi zI8j3ic~0~cJM5CFAdTQaB!?>6Fq?I~B?!Vm)~!yz8sZ})lL8?(0jp`M=4Kt%$`qtT z4eb$}Foan!q=%|(m7@&M33VnygGec9a-1XLQI-nC8I8{j`13fAU+)-uLruFtGaOHo4c=JoUEb-I*J{`)u!uZ~ubx)*GC{zlh9zj<^1=CAB>-6NIK zm4mq}?sPIr{QrZ@#_q?&)hRx5_s+Y(Ki(IX|!7vd-au{P7N%SFV}$hgs`* zk8W`JTE|Jf1!t;Kzwty!d*L9kI1_ z*(!q8eZysMK4m`gz4;PU-L$pX?FX)W`urunApV2S`o{O(+yD{peCi4r zx!{1uw@aS6z_9Q2@7&=K_~7e)y>DmVpWm`Q(q8I;pC13vzPs<6|H%={|Kh`kp4{fH zvl6ebw(`0gW#>J9&5i3HzRRlLPrmhwl{Q}R;HfYVNAZN2Am#D@z;aZ(r?(Bj0~){(bvD|3|m8&z$Ih-uQ$AEy=yM{R_>5x^7y?E%wO}A*Ou=cZER|+7JsulOYjdKedp?*bHLS)uTxz+np?a1 z_1r~Q{*->=`NAgq9sc9R&V6C!pY7Wm+7~pIT6gJ3k3R09b(h}{z55|zZ@Ay_zrE3` zt6V(qsh3dnh#fj}=4bZ0=P&F3WB>mj*8kw>r|ZAX@c%Ex{uTbya_J8AwbTD#a;$`M z%;PfC`TYHV^8c{^PwVT)f9z0Zq)3{EO?hpR^*^0O;Xn0SC99P)5{(3l@kxpKZy=u=}No#;}w2$pII-mgl%X2(YoRk36Tz&O#M z6N9MRatfU>4|Stf7K*dgbh6u;3_BJA5mcUF3nGqcjMvjyPOLLtED-sy=a0wfDlqaW z)nxFLV0T(oJJ-rdM1mi+TzOc{FkO@3Dy4KR;{oMliroQRZlLV~(aBns>O{uVeQ_E! 
zGK`4%E|ZwX&1ti(h9QGwh`7>MP?8zI1*Ioi8NcVGgc<>f^?)2m#z1%brDCo%Za4sy zHnaa8|4C1>WF8#3wmzBu-WB_CoysR6t)5B63L)n>rPxWbkvq{PdNk?OTd9ItY=o7h zt+t9m56IYADmzi~W5q4>ODG)Kl`&Nos#Mnw{ItLYc&bt!$VsXNH>E~xK-ZHX*HsEu z(x{9{y#Uk=HHu}FidnmE=y1~w6Ou=^5rQev6J9R0xg;t}NSlI2L1L&i)lxNp#7Z}3 zBBi=qXMuK(M21Zm5hnR6=oUe~Z3!u9m^2KtDfWqcC8&kfb~7gW0#DhzQ#3syP`yI6 z)e0w6*a6D=uy0dCkM~JPPPaP=LWxwUg;H5thoBZhG!DnJg)G<7lV5Fmo05i`JHdlHKOW03pL>c3?dy4dhN@PBaw#C9hFL22Qd~Q2)paQr z8VRj$r(e#h3FunQM9m~^HI@_AjO4KbTT?TdH8$%a zX_QSDwwOjGU9$bO46B*eh__;ejs|v|Vv4-#0t6@dWWMZon^iraU4pmB>;xWY4QIeq z1_Rlk=wUl_gZ>!tqc}fk!vnijYC82I%3ww!0YHXTNhU)WMf+U{f^@!))XKUPHbKV3 z`e`R*CJ|q9>ro*JT#Al*H7=hO&88>PSOxEofWQ{(uF1nCPxk6rwrKQvRSRomhN&iJ zWsO1J_f)G>P}^3@sntuOOG*Pa9}GKqDdnoZ4U}@e8Rn#4Upr2-=Ft4|2LaH~;*+6Cn7R|t-8CWy}i)LWa3@rNJZ3zUW zzLNZBrvJm2VxQ(er_KAQ{uSUqNsPpZh4bNa@E_`{$bU!}!*L8F6JId@x%$oLkGlf6 zN4@BS*G_qQ&BJ%AZSm+@kDPyu@WIiS&EBdE{qS3?{LWl$!)V2umb+}u()T=Y?1Rf* z^XBH-ejjXm`JVfe-*B)kci(;MZ_WF~FBkma=HKMLC*G5MaF>0R7p`0J(R&tO(Y^ym zUZb`-Yd-Yy!$)9q51qZ=)9ase$ofZr5bpdy`OXEGKR>*B{#C<2-E`ANt8bz0|J>x= zdsn$Z`R+USJ^$);tDpSMwd(U`eS5thE(rmnAD4CkkALNrapjQ}cKTN3jFVrmUwbW& zK6Sw1Kztdw`40~{|J<{GH*dif*PZj>1I@ce&u%0X%fEYQpL>&6|8Twe+ur=^Zy(lr za&+ZI`|k0gz4STt_io#JnN2#gzj5I`_pGzg7sP*tTdaCH+gjq_8|J@y%i33*_3BTb z%{RY)@((w^_4oJP@l5B?b62UnbMCUMUGQ7uZjFEXjRpRb)CQYvs2=~o5qn>%FLB~~ z#vx zi(7L}I%Dl;4*bE*#~Yj3t8d(X**yHkt(;DR)-IxJ2$@XPtP8bK6d>}R=Mk*r%v1a@?F{0UN~s?5AV3|p3m)!PSw+}MT)qh$4AN&9RF#kdRLH{3Y#{YjA_OI}to>vYAUpxKJ!bIHkxr0qZ z(a*2{$^XOtKVL`wgG|pKmgDC1!7nQRu@{B^#N#0$G}Dnm2)={%eF~_iW2e=(6BIA- z1YT6L4pkUNBfgba(MG}x@mgt&WI97Bw3(uprzdXN6qSLhcDYd;XGNf?M4;jGLQR8= z>Zm^5u1!M=K$de`RY`{Ox&$W6+DL3?Cj?dkTfGbv_;D{vIwQ1D956sFjJla@TFlf( zaK6}vhQq2gNu$|jHLBPxPYA#`7CjV6&gq(7+MqRq&P1&$Wf&f!nQ%0{jp!9aAeHtS{~rIL zyNOK4>7C>)lC9mZ=`# zwCPEgD|Ey_#k!eHAR{prc9ouC}EVF>lPwb?Lxz3HLOBWrfx|< zHA{dELgp-`$a2GUwPiO3Lw2NDSg{e~c#UWKq^^y^oMv^&F+VD+A`iQx7#d1WfM6_O zQS_)%hy`tAn@S9cwk^X*ZJ0uZY#L98W7@OmphXF|SAOzN#XI^j*vk{LCbs1r!eQdPZMFcivf6=S1@_39i@ 
zSJFA!G5JxyMHZ^nXsl`$)RO)k{zEU+d<6Nwaj|v|w=$oB*#D2E3m5Vq^y|le7HPZr zEB{%f{y&9|nvn2G2WkKT+GD^fL1e1gNUd=}Gs+raIfHi;XE?!4Guxs=tmaSMIjxK# zl8c7zs>nsTafb@(DO>~eT0GPWdI)e0j z4Q!YhR3=rE@MA8l3ZR(-L`o(^Qyfxu9%K1tzUhUsQYQ$FEEv+roGu)!HKr>>75AcA zJuP?Qi3bg7kh9zz#-Kf*mu^=&MHur+36Sl1yw7)_AjqW?O-6~zRXnOIEZZ>K)nuDw zvtuOe=K{Oc3_Q23CrJSZkdi$XRkqselb`S(Nn*Xv(*K~J@E?gujX#tBaPg=0Kc7_( z4){l$$3VuW-wMYpT2>-dFk(+AB83F*4%BQ<%)=V4I7P2ylqi_DQ#HYe?Y zS;Yn3@SAMA+ZcODZq&)sL=mK@WZkQ~?wHH9%gs!&6VOGmE%o!o2w+T)<60vDWi2qa z*glT>D({NbtUH)UG=d132Hog43yf{iw%rnJEG>Yvmo8=ErmJ>qKsgg+6JsYYBsx0T zY^t77FJ-d%DwA$Dr}Gu;8w3d!tH{{b1}&nmHwSIlkw>H4B*iv5H4vb5n{-EDmvkAj zST=J7LJ#`QY&n<8a1t@ry=)g_k&p@0LATkhwFf<<+VvGdpay0EYg0h0YE#8_3LM0C z3jzyLzk<|UsS_^=l~==}scZ-XQKhh6svhh4eryIZd=@9^HNcr9p~4e}T5qpUIf?PDLL zu3vBS7v5IC^}(ILzvp*%|LO2|ANkG}*OgA#%(>^q=P&G|%XXLamiNwGnk>A!>~`#Z zhrj*71&Phy+;YcN4%y(<30vD>%eRM9ne|sW1zD%JnMiZv6X^X{t?CDwsQAA?BO?l z{qDWsed}L%M(45fmM^~ip+cYc?slvD%a6MskcFEDzrJ|>cP?4#eRo7$^yoo*?gL!5 z@kYy^x6-l~AGGuEg15eZ-v;?@&fj3^dzGK7>k+HI{`!)eU3$eqKfeg;Yw;cJj;bt#Mhj(^;oPa~?f^qh$_z;Tu401HoSBr0;dR=HrK- z4X&PC3S6+%Y1{_krB_gwJpA4*JH9fnc=NND9oByJ?u#zmLp}F{OF!cGU+Y`$`pW&= z1*a`}?Qxp|T)uLN{p|aD-TS~V4|h}8@`-Tt3dtbBa zi6>>9`M+IuE?ArV{?O0<6ktEIJKb zLpe@O55&h(!dv(n_Se_gD4+4djt)n3oDx1BRZUAdWet#2DP%teLOhe|Gqp<8Ur1IO zJ;#((K4epW{#%wwIZ^|aIx3QZr_WJ_Nfj3!2uP=Ytm0nqH9;&7K1r#pxS01qCEaNywTV%bEh`wNfZ`?Pxj_(vCbZdoc9uuQ-~*dP`3^4Sa?^c0X&y`jNUEI;&>jMpU#ZscV1{8)nqLO2AaNw3|6 zyZ{A~J%uu%aiUA-iv^v+a*kpTMqxdUY%{`pl~7DI^XUxYW)TpIb66W2*~JKPCSb|- zHLC~&Rz+%Y#Vkx^)AdHZKPaVPxoWliP7|spI+?NJ5aSv#mNJo`r|N;06&0@w3a-Ei z1X`N_6sN)w=DL14w6grzRP`cK>F8})Zn&Uqmz0+1rpFF5Bvr~q2BSf0$UBj2H^(UN z(m4<4b+TSIU(mhS4y$5A2;>^7HuGIoQq}2_2|KY@>9wj}r;9?W=vjPZbu~pJ$!-kh zprQbj7tS9gmG+|Pgwj%lkCTso4r1A~mSPqrC;vX>K!+cv9H#HXfqpwoDp?7n3l$Hv zS}iw`4p>AlDz#ju7gvLP#qqG1*D+pZr~kUIl=9_KsfuA?t}_sFWdJv76Ld`bjX@Ab z4PTRER*VA%5=kaQS%lfBj;FI7O=^Bk9Edib%uJ(2SCv{L$<*1t3Utwat2aRq`z2VYt_Gbt&vAK{_H+%`Vf%QUWQ44qD))0+8#p`M8vYRHvI9 zDf 
zq7J=8zLM}Gc4%3RNiGwHP?+q(gFpy+$(luvWxPgkLZ9qsBW*NhC}8Y0E3IU9GDHVW z$!_Fo-gJTd>+Fa7v-XGk8}|zL@QOFn`{(0)p(Vwi$$prxWDaprx0+Ab547qyInV>L+@;=e2mB18IMp%t@b4@GMNnuQq0bg#_c%0MCVO2*0 zTA#))N>K(v3X$S^$!УxCu6TIY*Xk+3C?Ti|P**;T=@_r4DQK$=*hR6sDht)AW z6p)ZAg##66oBpsRwQ}Qj*@tng6@_NMN_iez28~oYR$E;!-6$Gt3*p_4iG^jAw52BJ zhGQmh#IyluXgLvb>M%W|Jug?_>&0}xM_HXQ&w3PCC0n##w9I@p9JRPwyH7FnM3vAX!b4|!-m5Vu_9%lfqtEDYvcsYO=$w4jyQ6Z;K63iM=Fg_oLCJf z(@LP2Hgd$M3%8I`PtpTA8WM^SglOzYU9?Pz285w0Zc+h~0i_eETubZc(DHx}8dA;^ zEiJ3nk))lUIAQ~$`F4Q{YY`}WqeK#JrUgz`C9qVkr>hdsSJ9vmwX(VjHtSi@wDr0V z6{-?Rd!;avohs8O>iK#rOy=k=Wu{}7)Th@rwg|zOfvrC`X2(ukm;1bNSyrV`X3DbJN*y&pV$8oFoD7dv9OBW z7p(s|pPXxczxv??xow`Dv*y+9-}erjx7DLdj(5~vJvcZ2lC>|Mzh8g(GdFwi#>ek| z?x5{X4qnQB6F={a1*>27^Eq>$S!RCb^8OFf4;}d9Ynun`yh-y=>Q(8vO_sd$^pjuw zXtNzRIc9G6=0_fU<*CgcUV4X>77Lm??zyyl(OMgZi=S}Jch^|<>{D(bic76`@F{zr zyVZ5yd3DDHw1(e(8DIaC z6K+{{<#$e6?wRe^(B9te$_0nqq`z^*dl%r_W$X97^yEu7E*PwtZlC$&O=~!BKDgA& ziys(2zQgjjz4d+T!X1uV=c+9Zc;m*#V(K?o`u7k0w!h1IXVsa5cTumIy{B{jPjG(6 zb64l~+^DnWR*!R6UA1_^`Q1I&ZxKGff_F%1l}F-v?iP)gKichQ<-=#cwfMSw|LBx` z|F~7UbY-vmT2vB$d*Q0gjl0kK_Fe^infl&K?<;S&_UT)fjy_|f71uDYdE3?JOE5#N?4(i>lxidp zy4FuLP^1Ek#w=RxTY4N!2C$6hMnz-n_LSJy(4HMm^b8;1orsAk2`m;<1�%*}h%S z*lNp2gmoUsi&FdF)BiB+P;Cr?k~W|Al8x!^%idxnt&%w@6JoTmL;p%uorpEAm!zBo)!zjI7h{ec0R3i%U#-}tKCw? z^%``pF&Nohxvqvh(P99vTg=0PCHNB>1{GEn7`Tud#6(ol9A(f{JAxncqEYNwW2BlK zRz{=ZAZUopQ0-YA=daf>S$E9!?t-N^a{gDSCIlnpKygJE6T-? 
z^V?!8$F-+B3qm!699;!6EMK-JS}9wrM@=!uabPFtxR98|lx{a$qLafuR%NX?UClRe zqn9ScT#_>~tr5raLnCJZV_K@UMn+@l-Z%8wUGD_x~B&CLYY>4nNWVd}i+O zE35xmwC(1v3}{j6zX=&asw@3;Gp_N6#VX*`e|60gVb|n>RyKy|Vl$v=tUW9g zO9KuUFxhZx7+7l5O90Fxvb8LT|9JCh+CJLW)at3p0#M*YZ#oS&uBC*RUc4 z&Sv<&>2hI3WZ7KK>yJ6HTI>``db-if05V~#h!Zm-l>DOm|5z!1Asd3o|GEEQ_gUG|=;S6;%6f8|jJ!YK2NSr>e1Djd0Itw(?4B^P`yW0C99t9v=QExHNd(H zCAEICP)E@BZfK)$SM3(U#ZGx#6BQ8_R8W(Lmy_ za8YlQ3!a?q1m}J4s1ILg@6=CS^wO$VAMs4`42+~V7`{WS*ZSb}ORRN9`B{UPFS`5Q zt)YXRUP_`d;K#j7cR;E@pn7jZr$+8#%umz$(z4*==mFNCuEmg<&?ahqBni} z)b7pqyIVbXx^n;EnYoKoUl9LUhdX2Z(~q85@quGbnr%0|D_+}X36kEcBhCgNe(I>V zsjVJde!(|3dUKaG*ZO1So@=F}wtV=|rQi1t+kCR!Ip2Kmp~>!-?XX~S%#pts%(Y*6 zp#JEuPD{eaeaP&6ioH_;=yn2etP}9m%Zi-`&{-~ z@{PT3I%CuOzkBfEXWpXSwC^3K|LBiPp8Zy{^Nr&l+H8xpj(_B7Atzrld?59_}$ZoSlXey_OtV zl&%k(ASR8Iikz0fR?29n(q2mz3rOBm%1XT}C)-JKP%wZ-fF}h9gS9+HkcoKEVJAJQ z5;mz3R)C>g#|lR%n<{!HT8HJX5DKn<m@7Fp`R?r%*AQ(ew66cJ1 zj}saJf}t6iTsWrKpbmO53%dj#8sNCk>3txnx;TS_R7@ zVkwt)BVRJfT%Ywvp5>J=pUC8T2zS zov;dQBWYHASxF@l9o{zD8BHvbFu^8@IeP@Vl8BoWn2N@&G7<`c2B-rqhd{hsb{b@I zoF-aLydu%nQXF&yW74PFnPIYFC>mZzk?D7*M16gi~^)Y?7TAj|^I zsO3pM7xhVVP-KHJsjI3Lr-MKXx)Zlxg9Qtno8RlMtvoLw%}~dILLE;wQYc#@ z>!W@bgW3#M$5Kt)L@=To*3@Co@8mekOtptRTkQ5?H7YBh1O~k{mh@c@u#1Hfo-cMd zC}wd1jK@VnFh=EkPDE8N%=dG{IGV_sSAgM?T<~cawZVy$rpPoEkcC_Xb9JA2KAne$gKok zW~CgtV-0iFiCAC;=WRo_^PeCW;A6)ZGY^VozmIxj2<;=mD@o0~G3Z?(`WsVMv^_#Vz}73I$0 zGDfwg40iHqwQaS}IL1Q><|m#yM0Kni&wi+WhoMo(2oPniwfH~M_@}$}x4zgK5>VRf z=ktG6@eBo+%)2jDoFt6CvQTU%CkXTlFb;5d`7(#2UBcBp7R^{O7xe0B>O**J{ec4WO= zK#X^FuU*McYP~n39pkNOA4T5(J1UySSMc1>?5_PlMfPn)=v-Sb;qjbTbypD&X&O->*Uz%b(as&=o;V6%WkP_S+gfZ5v6@xja}>`LUDGK&Z_J z*d`FiC}^>-Sg`Xw`ryTBZ$45c&tks5@g{sd$!fyX7X>`7>Hj0I1fS;K@ikaNdbWIe zRi|%#33(xMQ#OxXb=*=-B|S`d#gjM{DzVos~X6tvT%{ z9$<90h6gi_44;R- z4R^VzlmC&$YxF>bKE z8^OW5Wrf;w%)6ktL4&HH2Euw9kF|^j%rBj4wraB1yFxI@zd5tT_jxFJ@#<1(Y56k$ zd{ma1r5cEgUJNYcX@u+$i1`#|9C<^O@OxpT<;Lj)zfZiVATtH#Cf}NNFA6H^87NmX zT%g9mIOfiyKVXHH2js_2>TuJvb}}wN`;Sr9$p~1?xvU?J{FxsKZlSu&)s$g#0$)nw 
z;6Qy6?&b+E!5w7~ecS(gwJuqzja5ii_-z5F4WJB4_)-hVsOwzXvaAmp+jqwwlT}aQ zd?+UdnxM0Ayf-6R6(W8{dRWwKjC&EArnOc+Clrx@Wn_h^{nHJhb##eFpe}389QbHf z97ItYhAU8Nh)a~Ew}|;Jyc@z>$v#m4CnEQo7s`E3U=)9e15#R4w|?Wq^<6@-$x9@2 zN|}yk(IHSRRE*7jv^+S4lLk{mwA)BOxx_Tn$s`hzL^ zFNQ3U3#E{W#P)q?tAjNXPL=oHiP%W{j)?nN69P@V2443oBSNEfHKHoU0}o}XCj(J3 ziuh2qJ4$jP3y8D_FoTR=>DOrbsB)?N<#O2l)?JQEt{J+F)#hpn+x^*@MODZ0ZSAH@W_C49hz{4ke2O2R#OikfPWy#e7#3`e0V z9~)VKC6;GkY_zEkALb@x(dbZ{ZV{${L-YJ%5nmz-ZqRDw$@B~1M|E@v>+hJTb)3)$ zNBI$X=tHYmGSp&nPchb6c%uHeHl%cW|8D`0G_2%ir~*z4x71xC=!7^36lU*XoiXRt zag?hGf5TZaEtjPnxy88-)dpS0zjK9;*_s~|VAIFk_#jcFoc1wXg$D+G(hXRB;9ojQp{i~g|!_;1uMR!^!$n6rkuHwTkdZ3>Pyw zdN*o^Zn{mI5fvrh2@GcIg``6Y`$|fXOAGOAK5$WnokL^e)q5Ins5l!~zftya4gbcU zx>lmf`zkcBRQK@I7#%Z)wmF#BO{hBryDZp@q)f6N^rDZ|Y*qwUGUA%AMjjy1n=@AX zt4Kngc(1@+vW}=6$W-7q5+Xg&-@cG}*?#>?W>FUdL!X~8Ylq^2j|d~Ya; zRvz2iy0HIeauOWbLFJj|))(Dy*XCdj}%eaWv`odZxe!aECy zGW&fO73BFDWH3q+9V^Lk%lU%*_8%*Fbli&z%MIoPz;D6lu`7l6y$)gpe{1bHS)ZO+ zd%eY&E`#Ug?CA66qd*fg3uZ%-unD}$*=Rb&uIsHO24LN|1b^pB4o&E5J|%l!19AvM zYzDYjm@nVT@t(>ZtROz?fUZ6yu5P7c1pU14t6O;5Kg_0@+<97;`qn=`PvF_PuG>HC zea%;Mavpav`WIyPP}%hw7gS5GQ?=jL@IO7;8dr47Sg$~n^2yyh$=u1CYp)i_J4r)M zxS39a_zgrVUe|HBEgcV$OL5fSFzFPc_CwSOyYknmc-i2+T^b=5I?yv{jy5>lhq>+F zJ~p0@3EkV(^~rqq54E?oRt;j@756K&zwmE$5{MdmDp6f|x6`V zJQY*dYyR3?c!Gbj$bRo@UOA`FIXVV_Rve;|{v;{YRH*YlsodU`pjy)#_`%xOZCBl` zzaGKaSG7&z_N=-*ejsfcHQX<^A7<{n^5aYMw)FR9n5ldBYu#eXU&sTE5?&+1w5L3; zQd%xrD_ntWqvFe1EsilczLTosSM3kX?{=+sZu`pefR`-JeN!aBoj;U4KXMn~XwT+x zkay-yc(9;F=QJ&<#=|Ma{b>!9Y`b)n_-x00SpQO5a13>3u$;3A81=Kx)LMW1|C3fB zyE#jsi4*>wpYQ4~F?+-h%P}Ask_tA&n?etw=2sw){1XN!E)Dp2K}H@|qb1VB7cp89 zJ>;LuUjPVOcQrz)HBji&{N*(|`DUX!a8gfD5(qtVR4xJ)M&+b_%09G6M;rm6PY3JO zZhu@@y<<*ZcdAwuu6#`ol%5jv9?I zXTH*~0;$Xgy=(Z(E&sF*BrzKA5us9b^}%J<`iNPis9TP<0MuX0heI@uP_|! 
zdR1si#ie^)ZQ5K}Zl-Z?_Tc0@QD`>_ng5z|f>doYetT@Tp$gij~rL7d|X$Q^ia9 zpFWkZ^<{?pAq3hyKPjv5!b49$8KF)K(v|yCQR;Yi>hzTtrp;(51>1ztWE>`F-@jUXh@5t*ux1UJEN-L?{lx^qs+#q>#{|I#1u ze{SFB)MsQwdyz%IFoNQO>X)&tg&3=_!lAI+HLkuI=T=#seE2nBvPe`%1?h&q{5>wV+}SYWfH0SWG&jnn{|q;lzD~@hi&6Rf7pKmM<~_a(kS8BW-aMK zKNa;NSxG2_JZdOKZ>CXp<5I{vX*=k!1CiOn`zPL2b;zR>y_rq<}8Q z;SixdHDPApRNSafEubBlPC!`@#7h3I0}meo)Mj`0-9VvEFpwcJyaP2$Wezkh(% zA1SXopUUsSAO@H8Yx!&H*wYrc!#}eARFckbkIuf1T>J21`RcS7r*1tEfdFNJ}1IES5)Bv)uT_f|X!YYqi4A z!O&!*QBsznD&=HrsZHAD2F;BqY6Uf77of-9Py|=846UZK;jasqusyq$ag*Si?mG3 zX9#jJi=9H4OB3W`mN17tomk;#{w_9KL;6LUfzRsyv66SC5OD2&C8|*vME8Cn(bD8R z$-g4MAp>FFaBc`8LkzwPmn6JNAMv;FH>bPEU+7%ZGIJf5dRltDn{O;XXNO>5G;W(Aft6)pO(hQ(cg_TGt2X`zAgeLLvHe8%x@&0_PR`eaCRPckLQXhlM?h z%~`>~;Nd&qAs4lRda3)di&Rec@j|@0`{;yp+2i_x71M`(p6}e7JB#0Y^FADtzva5% zDeityu0Q9RYv-b)r{|HdMlL&@QeZ&2!QJ=l$mYG$bgP}Ghm!5O&h*;Hr)j(L zne;YiA9G^$VnSJ-uqhe!EVcGk+)^lFolzQj~mbD3ZLF7RL61Po7YuA zhDx;Nr|xANGki&>!xqlEt=APbzFWceMJiy$l<7%xrS7~FI6!aT^Dx(d(eu27e>nNf zahqrBrgvAke;s!~n`}zAdAO%UhL z_QeJurd_diwsPKD9{+iWmc7UO2r3kxgTts{C~n(wLcg7~ zTVVPY{J=1%o@ZA{!2?2&OiY98ld2%T@?3_Tna4`|zMT{~Kd8b0!&PJ$4bhKic0|^*y18N@7Xx!u!q*L@ni{6FIL-zLg1g zR5qghEruX>p7=&dF4)qI)>XyQI*esihKtyK43)rmjqdCwkB(%LGkhJ38=yq=nNG9T zO@p4yLCAxE9mz|rT%JHtEWKafoBa{Ra(Qo&VRqt;l|S;}KL+S=VXFyFwLIO>23Xsf zCDMt@LT;215ve#V)zuwId_e)U@cLl4E$sBiyRcG7WM6)`T0b^ZRqh0yIm zVn-I8CN{A&uH_tHiw3XoUBS0ufX$DRsg76Jb!*A7&|>2oC26r>K(}d4FL|R7poVYP zbqWRvhnh{BS<#59oZA)%r-BRjD+6Yp$35C9%6Y({Y!Q!TNeL`n5Uqw!t?Vj^Wc7_5 z;NiN;mu2DWGJdosr>A)wN)`_>f!Se+u+*x8hl&f@Vo4|@j{QZjVPQsGM#3R&UWAPl zNl?YhIl=g7>@WA&W-{@jno?GT{7Lx_bA8063Yt}OWM8!;Vvo%qUn!#Gp>BCBd10%L8NV z76|`n71>*;i;ooOHr~*ms;XKO{hPL(usFn%6zV_-4R@`c^(rXL#5@s^DvOBMNS5R3 zOqGbn1XZhss~S3qD30nM##+^_@sf;#)u6O>kQmrY;kK2d8l(DmDl8Vg6S+I!z~yTz zyMl8X(l85mEX6QGi28T!T(3+UwQylIv{2|3b8i1QQ(d85li|aEE(DGa%!7>{#agE* zjEcW6)MOjr*wSZl4-wET<0C~(5R#bFa*0~Ivmna@HKNH2(WnaK?*LSI5Pk%pJ`gvE zTrM=H55Sc5Cn|uiW@+6#$qVA^)h>#MXKu42r+b#E**;WmE%#t$ly(&DVINBl)v945 
zUi=1jG#pf}@$U^m@gH=R9?@9xxo*{wX4a`Iib?5j1{YB?4_eG<1d8Q~9aa)*RJUQQ zd%aR{u1var^Igt57mvp|VkA-!X`&XF^mn27ylI*JpOw? z0VVJYb76Scx~o8;rh2@^+f|V4zzhG+Q*WR}UBXJ+J>SM<*cMw0@8_^)2J+I|BDgt$ z>&@Vj_Pb5<=ICBK3^DtBg}T};0gthhlwSlqQuoy@dJ;1|w>5^mKKJwNhhJ@y%Yjx) z>}f&O@RZ&qH~i;K6{4GuD7D%uVz_kbum@px?cU`&&m}wimTP|n(iTXkVMu>hH+N!t zH&b((_l*s%OS`*|X{yIFp-4^>^jA2hzcyj+*>aV7spsiyv)FtHbN${6&}rFsQQ+q} zOuv;?!=nNb?Q@b<;jVwk3re{^EujN^TqL>mm@hs=gx$73f7OfMf6Tq~O-{Xiii*bo zWV<**lJl`r>THOga$L;CH|D1hpmb~~_ zTPv}1I;nim?!FHNly)}FoixJN5b8Rv#ptj6D7*%EHid#bM%tgN?n0r~i>f&~Tb*9R zY1fAF-QV@Dzsj*;#_6u?Ci!l6VUCLkwBG$4_p{KwLv3IGg;i1t+;pF_ z7pQrIV$}Q3tLh(?+}?_qA6a8skN0es46Dod>bs?`Ja@gOc|5PF<P8?W5F;m}P>&<dHqXP9SJC?xc#0whagB z7cUaU^_uh^Rs+e|WE$gt89@AAQ(c)HRLi;HB2bF?%cE^=9hpL_kVKT*1e8R@Pu5y3 zT#{yCw$qxWDW9z(dMb=l%s)t-6>cyljS9y;j^8N_OjIP%x8cx1gD;|*IZrWZB5Of= z7$A<7Sj;dj#~M4dk?J4uK|ObsbU#rL)JZ%Puuox8yf*2At`tnNF+O+)L-l4jKPdO8 zs3tL1lagC$$3MzQ%AT)`Qa+@R?9a+vZ}?{hZ>f-kM<_e;Cr5wka1GVmG{8vD)w?XO z@&NS`XE3t94D7slRBlFo0SbMRygiF3uK~RP6G1_t7uxe@xv8tf#d|YF!cVYA&x43t zLaKS0ut5^Ry#!(e^KryEl2JJ8;s)b_tv_{F9`Wu(U%wr3Iq&RH0Rr{&3WgO6O$YTp z*cif0ehxVljvxgOJZ^y!)euRg(&%87o)*nB>Z%HnI=sOa-h=A82`p;$vX~)RbwAYN zw^%q>w6J3JqMhJ1>sUixJXHZxDwl#}L`-o#A=H+=SrS@J;@;4)&R+YNB^S+4*@WW zK=PEkqni{z7G(%5$jKb|=#fXvQU{@PFMlK?2T1B5ODW|}xQ@bZtG!W9*}aBLF3qwf zsS(jJ_MI@WaYKLGao|Az8T8#X@pQH>L9UN>07Iz>PvrPbdhVnDU(#+xggiU&pV3dMyA)G z)*MQ&4k4)DON9F)iBEw z(CBPP>t!jelSMm_585Av66oh;TZAPZWipwZ*)U;$L@F9px}W;^sg&)>1DEB^OpuGL*n#U*2R2T=P zOEy!nLmF1ypB_*HWJxId8k^Elt$cmb5Ixn=g|oRDHfH&;Wg;(sLw^zt-kA_fYGWH% zpz*@eCF!KZ5i`ez7_@W29#krq!wlu3)~#|>^f%ctR_!O5Xp<+m$EDK?J?ldG-Y+9#9+#dNt0kqL5_c6WiM&Yw zEi%tqA+>3dDvX-tX2xRVTEe7!ZX0qx@qZe`B0pLL8NvboLDZ=MP&eGyIlJu!sQ-EL z#dZ}O-bnu#Se)ta@W1fi5WakYumXo@{;%kOft0VCcJs$9Ic?MNDfP79IpujTd<&n` zQuVrx0I%<1lza7a#K$z(YYe8X=R*#LLRrT$GuuaB`Bh&`Cdke1$^N)|A@yT-lf5G) z^LDBNGpBQmD&n@n{_!{mGezTL7mdx&^7W9=F&P?p>q$P{e%}Uy{F@TppK%;>>TewO8&s<&d0)CVeKog$x3dCC(N)z z>JdtLJtyqps}}t;8zk3A8|drVeDoVygz;PoC4< 
z@4+=KHfs~KKab$DWmS63Rj$3K$m?xb_k4Qe@^>7X!q_**ds_2*<=^%?O$CxqaI5Jp z(XPRu!ff>Xc-zIXCZ) z^9DAeRks~~EZS*5^`m7IFLAlZT`tPL{M)E|E1`AI;a$7#$Y3mqyWaX-3!T0uB6K<3Y z(2{cnVom_PF0SMeVAsD<=9U zUtMNM)6WEritdq@N}p~Jy(*u|(2+t0uS(oVK=zqSKN4heRumW$Lp>TfjDx>w!Oo)S4)sqEWvAL;@u|c zdInlz;l41aJhpn&u~_u*6$c?S3+I@lQwUK^(DmC_rDAVZbe7e9_M~PP$91IWU|r)B zSk)@j;;%8K@E=1ET2bDVztx>JybQ0@8X`)pv!zu>+9CgXGS!G`!KsK0GYkDWf1Iml zVQ4sjyytBpUw$B+#H8?#TAh$fkFcU*1=Aii zSn=M2v^tcN!hdYKCHU3(Opb%o5Yj$lKLVvVeOW+H5y~?o`Qrnx|3jIF0VkX zi8A>d!}WUB(03VzGGhE9nmKDpQnbg1N^}FqjG3-miQt4Xxd1A4bggY-UPnks zOJ*w-qW_qPDdmG6k^Xy&4oQt9Y^ zVz}!@vz7n1H;g;TAn`@(E+=go03dy`{B&OCi&E`|2Eq*g{VCE*a!Y?hxOe_lTk>7l zAW$TiJ`JSPbPqh&^L~HD{|b@>A0QC|O|CM?_2PAo-_7kE@!HO6dOoH+%3$bp-9o?h z?ApCIM{j$f>dwFyzLu~cwV#lbzUw$<#V15PT#+bLZ5?E zK34q;ZQ``8cTo_aiBE@!&Fhz4`Q?sTuGh2AbpEb~j`z5oDHt~PZYO{n@XgOXb7jrs zvm(pmd>-vKo4V5dwQt$haj1WC@p#JXxVDe%yz`@L{tCEy;eFld7n8#Fxx0m_--!Us z`pw>LetOO0yn2ni;#45(cSffDDcM15suQ?_sngwG$F2{Ukj15Im?OOx=SH@F+X0~2!;Nu=9%l5K`v-gJ{=+`Cue!7SH6&yG8UBBiB=vmijUuClT zST1##UoqPERW0kOt?a$N-XCGM=o>Fy%5^6_jUGN}zAIX`q!cu5bG|+9at@V|^ET|* zUS;C4J?a4fHTTyzmA(nzZH8xJ2v}jd9v--parF3KC%3?A^W2Z_==B1Dm0cg1q!UYK ze;^tNvu^w{Jog=u(F=p9CIUH9<2Gb9dc@Rlg>=eLpbSUgoFmG|d+A z<+!c-OW1v0w-UI;^;qeEZc|?5+cCVr3hrg!m*}7-W8{_Bd?<3d-i|8U=oRm4-I}fE zyMknW&?C%t`vc=&Bg`@@e_MQ6uDKfbf?C|5N$t`X)!=fqaiW8su+U zhLU7VMlpX1=mN>VGQWd-&|Z;slC@S;TEuxawNyUmwSImwm${8qo^v!g)rHBb$U!OT z)?BI-2@ua=`)p9{)(v5!@HsY}B1IvsqVAahC3_OlwaUgsg0aS&N5VCw`Y=k}%i(6S z%bB=_wOXx{OvsRQvP{q{apYQ@(IsY`SP8B$;q9C+23`1M-pg*>r$tjCc=t2A0n3x71QW`XF(jHVSL@R*5N`iwgKEc`B z%5Nxjm^dqiH1w#{A-)RHB*+ZOtB5vV*Jsm1t*vWB!|u{VZnBD@xWL@zSG^l*fNY`# zwoVJ^0}|S${uDPU=5Ujc`X1j+>k1WOqnPE@F`%(1Sr!I2NM{>`V+t4vXWWb-69X?u zN16iOUWh?Wm(?mAZ5*ScQ7W>$-ZvB`>5wS8uJw~xG6j~Z8L$lN!b)4t7WXM`kr@s zXUaVuH=n=&Hh=PJJp5;5Gh@^D=_B^g0FQ#$cgQTpyd!7kSESM!;E;itBp;RHX$M^;4EcSWtNQP68JNMxJm zvq55ga{FaE{{gfcK{Sk6(Vjf|jWIb4Wehb`CogK(YvVLebrg}wqkvNARg7!yPO&(_ zo|P)(ha_qmb*Po#BF`l3(BB_0V3TYYIz@|aTu|~d#7=BT=VmHnh1k;rUW-<%80VZ2 
zHNlroL{~5l(7{ySxy>510_QT3;CHGV21u>b+HvHGDTp{b6~84|BmMoXV zdSsa2<8mSqf5htBaa@`D$D6liLIfs_OwC9(#76h3iaGg?Pc}=Zoy*dzBA!Aij8l=- zj;_uSCmUkxTslKs(VHk}O=^mVy&SyME+MY zLB~9HGHS#{=TaodP8&><6H5)h6{57BpUQhQFa8U96Ek#{UhzJK5BYZalQ^>8WIma* zSU@9y&t)%%UVe<=cOH$zl#8y>As(=4Uwgpu6q0J8Atx6iOSs>Flx6eB3;o%fza@DJA)n{8(u&8B zuloF>f_^}z>j?Exj{j6O2~Bzf1m=V#1GWxg9C9HwT9Ff#7_EIzcY9d9XOL3~YJZLrZ2s=*l4K z^7NAc-8l4nA4h??G*p%22OVn(sjvA&{AqlEB7KTlV$;z=YMeyH}BVw;(UqRf>RA?TB}`PgbK{o$V= zdz8p{ed$k#>HkfAJuM5F|6}CpL-`xe0hjRQR3!ohfPU#idJ;IISB( z^|ZQyajo-{q0?K3alenUHrDK0&teMA{rr~4d)6(^i(0y#5|^v>%v*Gq(z@DM-BZ*o zqoj{)UxD`1t54zVfWB&XAR>V8?$1ZH_ER9M=3As|v|rsDiPy5Ly}gd!wFF4gW0=;@ zVKJ(Nu+R2yjhksHkN5o#b;8=UpxuucJ=ZmF022~-UPqsF3{eel?Jc&)Ue-0C+s>Ku zv!?HUmD|hf!4O1_?xCmCDlVJu*}Ne(#cV#6et#!l zlZm^4r0;jyR@43Pa@6H(Hkzhy7o7FylH2{ybtbdMl+Rsb*7n*{J1g=UefMf>YpZ79 zBC_8}rSS7d_NT^c|G~UA08rqLxe=9eG+Cvnc=v_9?`(0Z=7isDI!3+z5T2L=?W&Nc zKqo-_6u|Gps*YJt?Fld2VRg9@Z!tyIC&_?vgENl zxtP=SaS9*0XNHUCFlX@i-Uwe{3pd@A&`Vu$B|_MKq_nMDeX|1FvDtdj`D*Zf=Slz@ zz^i56jytXInsEP_$n~oJ;(E=?vLe89pWSq|CH(_wvC$T*3!2t@pg@9@EyBKcO8HQM0i#ngQ^*q#WN$v*Pm> zG<{e7vII)~3y|mihFt-2{Qz8mK>c5Cg2+#P=12Y>)OYt6WHT>|_l#kH$7tVJBba;> zIgtLI@be3T6MH;?;?c!kxCf_PBdbUGcZAN0FERRdmZFU8c@>nzRqmcBSV>ZuF-N1F zNs@1k6(!D63xAEgRL zWbWM-@YdYaYfXr21AkmDIwNEO4q}jv-1{1uH{WRE*5{) zER<=z5|CKJmCTxASjG-Fgmov_ zn}WxukBvNpUH^+Ec%|$xJxq$i`*BD@sdo+~uz;d)E*R;spJLYh=BX?eJi(xX~%dY^=ph6w(o7Z+3;S4|Ss zFZ%$K>M~{{R&$xsaz?7dk>GD%m(_&{w=Tn@!Eb`+N4fa!BErzrydIHML?w5Ef(mdy z4Su<@Ub=8khEoS+a>$*=53?N5{{t|=8;2xJY`1B&E=~BD0iQv76JNs>VLbu=pW+Mr z0%1y88r|f+JOM?27A(>r$7B&u_*jJy=d4^)&Cs!#J{=CCbZbKk4+RIX;u#Ay;P6N*_2TiG)47%? 
zS`W?euMZWC-=t9?dr9#1WJANqAQh=1o};v6^QiKML&mVuy|}A)NkYQQJVleq83*vA z1|^bcs}j#1>NVNFu{2e;*f3pk%1YP5OqA|KmAjBh7p`hZF*;CfWBwv8bOQhWm`fZQ zZkQ}3T3_X{8Mp)KpHhWBZ~XI?c2q;-cD!OeTw=tHdev4g6!lk?R?A#9>pUwj$?4xj znu;aJ2#bU>4ZR#3Fx_I(pP8sJ0XyWtk`czL>2VPF7XgMp9{Q^7)B&CXb3j!DcsDVb zD1oDOff6=S-b7=KZRUx@jx2GStuSQgs9c`Vc_lA*a)PzNle&{Vij4Gkt8z5R17gGFQ+(R1r=2ccg-rnzJH)QXllQjrAlFrG9D?L`MxF+!nPu52t<4*atDcQo#y1CwvG z0GU~j-f6r@8zJ(##RMbEm7`Q&lm=-~bog&nF<1#)ndd)B#N$B;xai?bK$5P22n6`bO&(JRlkH ztRLFB$mbgH{)U^;=`Q`E*fNq_97~W#z-2JN^LOr>53vqJ@b>HKDvzl>zw=jh}KN$f%;Mqdx zGHANf@X%b9q_*+VXiw{TzPKapeMi69uvK%Mld;p{aWci+;`z3Don80T;o~!T$ghR& zOVh2{~yZl2S+S?z7-aSwkaeXN~ge)U=X z2vox*ExhKfklw#z%{pIS>Sogzquv1oU)$AF{@QY{}&b!lXorNH$ zIGIgudOeQbk@MVs;x;^QKF^V=A^JTN+)hy5>&+#nxmrH%u1?dnaeNFM?c=+1z6P-Z zUKcQCGu|i1`P~QY)iYV4?lQByNs4gpW2w0G1Qv$j6Vwzt9M zJ>a>yb@A|PmkgMf5^qo2eLDSw>-*lad2YYKTI|+!ak-DN-TMC2*TUEFnK?0yCJ%gi z{U5*8a?R(u%;&VaF$fwoIYY-rT!j+ZgN&Z#~CAl;(u(s zzPPl1Q!u^){|yvCa(tX>ZP|m?c(zQ3Dj@=ePBjQ@sl+{Tsq#|n!B!o7v?vJ(>Pab^ zb_14tNxubxnJh`V;8#Te(+!U0n7zcO1`@A--ipSqOnufw(@zExmKr%%(C;}oQ=s+Y62r0HrC-SQ|%RLBs69W7CRm<$LZ=2&&;Rjj4lkd@5Xt!4zD ze$!2CbdxfNMl`bVMqiI>;4o=0$wN$%`W>FR1;r4dzP?3KVM$W>ZpxVqY%R$vz81ey z09&_ArJ@$GG$0i;qLA^}ni;OAOyZfBSAP@8C^tbx93_HKL$x{)~eOL15^si=-FK7 zCOuoO{f0v_8t*KMIFXWuGL#Bz>%ApT`jkOy&sakhF(?P*Dp-+?Quh-AI_P|gD32dy zr8v@!RyD>g3;9Nj75Ly5~~l+@x${UgrHDW2rSOBmFOz^$xPdj?7aGGiwmvv z#tt&^OiAz45%()s=LZ6+{h2T!6`C`ya9ttQaePqO0|b)KlG9`HpbeNy5&pQj}x4OR35l&SlA+ z@Xx|VVuxhZG$ZjMq^mN7$VMx3Ay|%jKi{M9I3bPJ$%3^zY) z^96DduAqnF!R{a;lVRSd&t9 zCP2e17#R*p0I%pnY~yz8%``cQa$-|%N)M!Vb*R(*wjkG&Ir7u%_Ln>oUTd0~NS5kv z!U;2h4CMy}^YKZK%Jimi9=bv3qla)F9zkk0bu_e%?+jsyHX4s2f7d^AD<#r$Vc1A6D8)#h@4Hv7^uzPQ%6V?7$u#a<1a%`hZKNXhB zlpw<=myb$HmPi{`uTQ@^*#@hYxaUXsC++#4u>KC;|Bd-e%4ohNBgw7TH|=rz;^9Bz zTJa$3kCu&ER_Jnc+A*?nN)}4o+9Vt@3L1N+GwkKV;3%&%6`SL=ppM#SCUf79sS zGHHlNJ5gK!z_et4Qn@N8{R0MWbd>={O(cq^As3Se?8@ zt5d^a`z~$&IA?&R1%`-5lp-n0D4i&a?)o?F&7Qf^JmhhrHXD11x!=p|;u;~a4z&Do zoO4H*`HOE5ko%u;p0EJthVWf11Yr&-ngf2^ 
zz;i&P{1VXSGw4Ge81!$Xp;yCQ=sv+uh_d7Uc?`^R6KIb$Idw1K=NY2)x z>CRIV$ewu^SJym$d{6c?1<9VO)9Vc_4P1@Ybl>m8$n}7VCJDFR>#jFnSJcEeTqZ|j zN|C3_d4OZ~>T9>igmxXzgvp#%C9;XgGs}fA%4M4bbhF&Nu0h^Ig5sh>ZG@Y5?~~h^ zA204xG0`6DZ?Dehnc1ASk2#m592u+D>gpih+Lb<~MsTP2_rh^KDxCr(JuRDnAI zNyilA7CnbuKk3ibwp}>nN?^m9m2~%#jYdo2)CQoSNqe}^Bc^LfJFmU1k=yTBl)M_a zpF`g&X?O+1I!kn{bNl;70n-yQsleDD~!%;B_E z&~Z5A;F?`K`FOvxU)ldg&MvWUJqKC?eC}55bz1gtdKA?nr#jBNTADi?Y93URJnz{D zb9$~;a&&p0@5rZocz8y;?ssKZ5Atek{_4GNXq)4+n-2!HaEPoNV5Zc-Pk~P9mU)}! zVYa;@)-7wq?YW$ve0J3?1KztP0j(^N& z+{+&>))sY-O2a+wSLxCi-8XNb2oMMm@t1kMT%*g8JzvY>puAyL`X2MiNhKYgGz2Sm#X-oAuFu8+oN5;QYa_1r1t3!hRm=vwL za%XCMPkqq$OD>tGTNdF^4sO_a@J=n7U;IP`tNT)YaXDEvOsF zG~A2JsG^JI{wi@xOw8(vP{$KYplz6tY^*nPCyW< zw9F}jN0U>e{b6-4zaCKxI@QiHACLa6JYBi18nJXvprxXmAIgEKk+Oki_O_&JsqDl% zeT+?b6LczvF|R6=B~MMG_sae9^22FDQ8_~&I}13X_>1y|8Ojy4V`iC%98BqEAUB#EmOYq2vpzlaCh?_? zy4&VeIYvW~d$xVG2CkgA>Fn_MD)!V61zGu8m)Ut*#>~MMrZx$ia^g4`QrVKkqoDF7 zZ9{l`vcH&#HY}^PYqX*2wfeA~+*CMC?OaWQpd=KU8B#`0nabLHTw@nD_4Ao;)(}lM zH5PyT{5;7YIqmT{CuL)$F|~Wt`Fl#ym`L%MfEHf!jH;4X+D&rpo(&SwfJhQpuFYSS zs#i$1vG!_kAcTX@8w8tPvEp8rTAF$@-yEM0p&vR;JU1?DC?CyH42);$_i*ol--o7R z%pzR8la4N{5AU&Dqar^c%S{&f z&rckxh8l+sc120|5qC5~EY{}LizUli%m;`?2%W_Ibi9?1c&LP{xEZ4q_3_6scJO&Y zO=}7gDb+(W_O8hm|5qILoufNk@sI zOxI6YMU=F^+A$%rRYx4qg_9-s1$wkxF02JGt>X>k5lwr(TThiNP?P?OrY@?`?VLAq zDPtLHwMMTBQ5_!)ARI`f=%c&oH`t;_hYJ1RvFBWQlZj$+_(PdGG!t&UM|{LNk(h9ig#W7VhhEVoHv}4`8Q_VYznO_S29%}zFj?@yzv@^y13L`-z`p9Sf^r_SjFQe|>Z7zPF6qu7Qd2`A}Z+LCUYstFf~ zW=swDI1PnZ+NZiSD%d96Jd=v?DWp^Gjd>`W#`!6doa=tFSZ9cFvAcQZPQ=+m4Be;S zs!&VTYKAt{8bYLT}kWn0)TjA@zF{-fpK9gaN)c5uHgJPhP&; zd?P}Rxlx3@SJx>{I|v@`D<*_&DBW)>4$MEM35uq!p0Pa^G>&R3yIbF-M)ZIutbaL5 zb1_3Cb^wQ=Z#m*;2}?EFZ&a08N`CtT$zh)^m9g3aPRhFJ4b*Le_S#&38Wh#X3BppCApB-*AOiUm`@ey^hAJiy8+EURN9%riR{i z7v2pUHFi3^nt8bNJ(oBQls{+mHHK;{pZ!6BHs-lq+_w|mSAbUUVM3wyO9nfZn;)qK zK6IHv0oAU*{99M%>8iYEIcx};mL#~Ud}rNit5`J6*Id+7QwW&uFLD$t56)0vJ?cgT zdUgXdhb^vJdI1Ob3WT1Y>6Q5IkASUheuou;qphYTvR=)-Sf<>x4q=I9z324<1p_U+ 
z!{i^e&*izY_CEirmh^MqyE;~a>;{Q+{SPwzP~ZEUQ51e(N7ZPWFnC`%#IBz;ED-VD z@-ej%F?G%4;`z#Gz6QVXMfToIj}dJ-9SUTBAWRr;Y_=>`2&G6*?cn>|j{VEWBWOEY z3lm^!EOA@RdP$F@^`O}9nd|yYqRKcDWZGK(Dmm>Q-Ul{}pyzrXR153Xv64bqqt*bFivt3Esn-%gWP^vNiECU8AQ(m&WX+b+w&iNaMlN)zIdzyCyamZK!aZ(qO8L@sXFs>r#UYsi9y zE}Gb-40m_jHjVm5v*uN^k1WSzebD(wBZ;Q(J2*GV19iQ|?0|pYd27FM;ZWF6(t2p6 z+K8cq_Hc!4b2k5J6vE=q%Z?2cOC5w4k2jLKe zE%2HwDYE(HCA^j#=o`XVBaK-}w})|MEn-zTbz~?fsxl_^Ht%TG9Bd{%Y4i`_rn4hH z@j;Yo-6>Pi^k9jC6}Q#B|RDPSHarkJpOJV5WGkjBc3r<#mOAu2SkwQNF| z`+a6kA#%EJ-nbk!KV&`na3&dA8KMfEA-Gg}gDHhW0o@vL7so}PM`KB*vv**`&uK{_ zOF^r;@b| zA?E^z!G7us5qkWVrg%~X)}g=D?7s_MzM8jplwwsh3UA<`Br&Z6W=Wb9zkJ2$TP@@| zDGVMu=xPo0m0BtE6AizvQKc>OL(#oaz#)EbixOeOa=3~ha6DvOr)S=nQv|-V1VRt^ zNZn!&(3*&w-aQuIqrQ>1@kpWbDQYT}Tgz8!Vf>|C^AA*#l39Ua(TrNB>4yyl zo%cL|W DK??c(a?MVx@7y;;$AF&IfbXmKLif#^z=eRL%FoQ9fuX3xHW8xHQc9K) z4#*Czq=fCi7Gcs`OmEaeWocd8sBlo0noYcSF zGW01477+IjlByQup$4djLk5e0RS_sJge0m!d5Kc~@c|kshe}pNq(+=#roEqfCrDm} zQllIV8&M>TqM^{SQ4-xjr>oRcb;+VQrX-fKggjh09Y*|4G9yDgD zRj+f(-Oa9p%J2()q!20)fo$tk))E!DLmJL@M2r<*r(6;h0=|!;BXoe18+(kE`M0J9 zBGT&ZMQtN!rZ)@p>iuOb2~J4Ca>n00C5h&aG$+kgA}EJmC1ZbD_per;8Ou|br+Ss* zA&hM@Zy{k@bTmE^@Hk*b;<94zD7G$H_}xIksw~yGSsh1#1STM=6hy5eHAYgKfeXWj z)izNg(EY2>zooi#*l#m3Pq{a3FOE0gSbzMBoHXYkwBn$Lv`leu7vnQOFkW%LXJ94} z&*Hhu?=j#i7;eIP%75^*cA=rY#6?z7m1t&E#Y<66iX9{amlVe(qLVhJ;?OLk6EXW z`wX5E1ie%434K_!0l|wMb^x%LVYBQaN{gvqGV~oFi~$%h>@Nv?DKR2hk2z@VJ)2uW zsAFTxqN}Zcp_I5>m6)kj#wcDbJktX-7UrQ((c`88!oO<+mgiR86nPyDj2hE9IBmWs zFCE)EzZB}t`8lkqaW&*B*!MbYEu{dbvYCW@4v0K7UDgFp6H})@1d$k9Uei4uS_G~i zcdnX`=Qjvip5Q8T{kI`^TF(^3BYW;wFk%6idao~u@O%b-)A@i6;G2+OifAmK-v*3O zM_b2-c4<}e8ZgLCo#!?=`vR}_Q&PY)`EmK4GtK20r7-U%S@#|h;)J4&G z9@JCN>T2+CoY&hGk)rAyo{8l){pda`C9Gd@NG%RxYY9Wy19@*cGdX;C-(o%Wb-J(n zXEQiNKKI_F4pn{;NDxi$4~$%m!FWXcCxZJ<#>qRty(g~i&y5lb;M<7ubrN5TPSNeV z374;>qoHy4vgdvjA0UVjkk@+#N90%6KfWQ*xLNzR@2+}l`(=wnILGsw{sZD={&7DA zu}?6=l}FBR{f(24xA=i6kN2%{Au^OtB$3Td=r%^s=n)<8+sVkggC>^&@8WyCw?ta%1lN2TAiHfeLQ8$oD=*Xg!;fQ^^WNrO 
zpHH^?sor!csK^02IUoOz;|T|Si>DgW>@-*XpY8UQ84Q>_&}AJlE6MHR{;a6+9pWR* zToEL676anO&X^U z(XecIi3X!jB1@jkwj)~p9+}`JG{{A%;!kr$`WrWVQ-u~ShSi)#1~gHc_%B&LM>ey# zHg4$B>7)xo`>c5AzO-~llbR|cT;7@%`eJP-1hYPrQzvA%)o)N1Yf>n%54b`~K@AsH z+{x#x3!^5|^qb{8TdPrHEtABejjX4NCJeD{(Lp!>QZ$i|Jd zeX5%IYfxiOhqVVnxeK7u*g(I*f7XkoBFo9qFU}?fP5kSZ zxwhc^zs8_d7^-4n-HC%L?QX_6Hc{$7c;#SKEzk%AgWnJ+()E1||Ji9!pD@Sn$`MCU z8jjCp#7o4}tI?Vky02Ags;pcTATON-Ea_Wl6W9pDx7-CWMOiiSGHdV6;>BOmFoK6C zz$^Pw!%IcDnJaJoEaTJ>Ovyx+d2G^P6!nwqpDW9iNnM##I7B;2N)yN52#UPWKOxwt-=`F zR!xX4))GeuqnAZRAFxyv1TCuqlk`IGl`GVohV|prO%j<%#wJmdDpJ0gm6+AmMuFj? zoVDZgs#zcY&uU!;WY&HP#monz(Qz?*{jM>7h4_6qY=lq)r-vM4gv4ZWFBEu zz{808f_P}WP;(5Y*>}hq6OI^iN}jwV#(vDHq8=rwgxSn)!^?u8>0N{;(!FCXrIu!c z(F1Flo<+(WQyB}}W6|NpAY#mkwO6%4qS=1p`od^|6iPg23J)bbr{1$8UsX4$=}wME z4m+C8NGWX<#Q>{m&F|_IZfDv+Sp=^)JJ1Bbj%OXO$u(L87bG2Kdq@>69-Gn-Od?RD zF#?98>_=hL|6Ps5O)2Qm9_Keu#9OiTGG=9kx9+f&QoJxX2D*MuK?!RAAf5aHVeR)J zEBfq2!=Z5bHOrwZXLgGjWEfrj3fnI8()7wI9G%I&Ec-cs<22j(U)Y%c?A4k7 z?$zUP1i?>F@EaodU`hCqJf?l2(cV`D@2>~wq4VU(#pMqx7eXjh6M-wb4;!~z0NvxE zWPi{$hEJB);9)aCV;|o$e&<*iLZJiWf{xMQu+6(4(FQO|VQcDI@Tu8t$b)DL^xWy- z|A^6P>pwY@y9NYCy7OK(XJ2zawA`Z{J-6L`_x4@aR`?j>xkbI~Mv~r*U)9U>f4L&1 z>v{Uz#7ONmtJZj4f2VVB>tk-Id9Dj~YS2COF ze^VR#en{Vl$3K+*9l)h? zBF{mES2~Y&C&w3;e_@|$r3{UW(H7kwcNwXYwLPv|WnMFEy*0X?qq#Bm2M&RMt{q;& zD838a1`>QPO-Wse_RujNz>xQ6Y+e@w(9Z5`5BAVEB=IbW$W$X@-9KvQC63vwQJ=6n9261B* zrL3M1Z}K$);gGEwF$~El^T7#=5Go7XO^JoHrd*MhQ%*R$u8UdAIO!Iv?hC}M7-0!m z4QY5Xo?I0RJkuQ3)rygH)XE$JTcuf2iO9ktLj~{#6P7=h9Nwb6N6j=zmQHqcl@nxn z(C?xvLfgDoF%cMW2RlN3PGz(w*`GIY;u@vfv(R+d)y#mMwqd8(>7_mW?7`kE89QTv zjW%qyM5}@0mEV%VBiy`*K&2a#8z8#l@Jg%k=+Y-}QG_N=5>!gtZO)i)wAqui%17oL zTOLg#D=$*A*5KX5mQ^aSY~{OQFBfIhH*0k50SnuYT6_RwwwLeC03C=cb}K0~c+~}? 
z<5Y4N!C9i_LoDI4qZx;r(ePq9e@qs|$fEX`XfjLAGdc)UFNBd{VN+f5=1NiOWpIX5 z#+sf{L(lk1VNjRIXqHefR;WT8n&`5*Xoi`EVu|&;8WetGPMEK>%8So2gd8tKz+bkN zw$)LtuoKWIE5^?;+QZZ{zeB`+Ml;=QV$H6Qszb|CDK<(AyI?_l4)CoGU5?gAlUFk_ zrL|Z>BNB~Baqt+m%DyocYY{F(TQSU6u@N^@rooz!j|VSYRUy|p18=Drw*K;@jhyO= z?V7u9a96sqcLhabO#iKP{1JwL&EM!&?Da<-FGFPVVA!1KV!yVLRYh7E zioXhV0CVob&|nB~0@@df21wO=JFrj9Jb_*r-)DgIT%ZRc8~NETOxGsEsbbSp})vAz$HfWT+tEB$jbBB`q1_I%!yh>wA$W8u}@YLju_~ zYDEeK36y^6alUCrb>Jt~jPgiTdd_M#ZxSv(tY4Mwg~jAs6UMTi2GGcl#+~x=8YVdk zSsAvQCaF%qF7L5sFX!>%HoKgD%Q;6CHC<0Oq1mz0F^RPIe#;Xng_rt@F3^D1iwGz{ zcPFmnquiLa_#{h8-;D&qyiWqm#Scx>f~7m_*RU8%Sb0|gkLD@sMeNkP z+D7JMZs)>W!wgt~pG+uZjSv)g`{^6A_RXvUjR*U`T9s0`!)U`3DGfYEfs+USs=Up? zR((~|4D$|+8}zIsFOzU0@>Jm9#pI?(W|`IS*~t(1cfe+%8-(aO(3;QE z#7!LiRJ@rwU7Z#;w^U@~YEWY0mMV3C$7jR#7|{Nf9^RsBxkqB3c|n~$rJNIIjp1F4 z3BG_%e{&0Ku5BtzmxPtX$Z_ILW62jMq{w!u-ZIsOzfCQ2N|;?4W5&BO6ZN3as`l1h zk^s|YG)_29Hfy<|{Bs=cay+zPkeuPirEf)6M*AM-VzQ`XS&H3ic6TM zA`5V7r7|P68Rn@1uBxH@7&C#&`DS!#HMrrUHcsk;OdLU&AHCAsIUIRfkQx6w-mbny z?VdoK3N?NZ^~8TU+1q_5#N=O|KEei#ph%RmfUKXvjNzZ6#Iut^_@5mg$D+@-dN~le zz>{{o70R>VCaks@C~&?WX_z+$bbojsMWlDUx*`-;|5Mm6lPkfv>TF^W7N{{Vj_} z((Cv}=Q63+R;E8d!(pp?0^v6HNZ+!@_htE{;#t6Zj1_OYV*^XVz;7gd1o9f_3Vb)H z?zZwsZY2D8X!5z*UL%#?v0s_2UG`7zKEw4`v+OQBx@x|@O!}mU+j+b{66js1srodY zIX7nyPGKIia zKI1$7$sY<_XG~<@%Rhd;>%8M%bU$>XT(8gQIKK~h^jy^~`TMN4Omw-PG}bb8O|n&X zzg0yEzL7tW;?euh4ms2a9NGIGln>-jI}nx;^~m0>_${xxUX`@g3YPbL+j$tiUiYEz z>O+3Jxf=kvt}-pJy)bPL^V!~ZR%ZUtUFEik94FlFrkjh*c3sn7mQMXVtXWbmcp85! z#g5+8nbE2R_dbrd?48_LwwL({NT+{0FXZHPxxaL1zmo<1dkAK#^_Vg)Hvs+{qRU;q zE-hWdBXAjEN{M2e93;8`3}wa&`E8^-e8sdB;{CZMYJZ^(0|L)RzTT&C@o#@kv5@yN zpQ=^>wEHgz9f5Z4L9ORP)DPDm07Ytn4bUZC1ZWrltT!s(;Q^(u%})77HeYxh8_qIa z3ymGW#satQa|QYD{rBMYLh0_Wg$`eNKp3Hfa|Lkxu+6+V1X1+Fg!3x=v@{IOV`Q*Z z&EK@hs55~9V+k#sw$9q~a_l=p_3|{LDO-q_Efl5vd57^baYKlTGN+%jRY^@9RZTE? 
zJWl(Bv2Fz-gc6~`0%p=sIj%CaQ>c1E=Yer5D{V2!gTdNCO>W4F-iC!K*+q7%HQxm1 zb8%n8mcNRwH|{!rJtn7>R`OJ-g_ zomYV6lP^+$J49(*qL7I@m(ay_ke zcUm$6_=zx5y;%6os;Xz|#8=m$zKw_XIQb;(L%==MMltu4y^bSGv=&4uL7zj9cf?e{?-%9<=bbGG)gv#`z)wQ>9*=e zX<*OLg*dKc=>%)PZq$IK?6pJdP0vg;%R?VY+~-2MuPAq42kTYa{_|95444Iq?-v<$ z>F!E{L}Z&6BTzccOSJjr$b|Y;j;u68s?@$+G0UR21P?tH3N;?@S7tyI=ZW@vSo|A~ zNjo^?Z&M$B(|)6syJlAIqj)O;lR}oL8_FEEQl<2Ct)Ump5P4cojuSR*?(9)E4IwKs zC2Pgq0A0I^2WsC%kN%z&ijl*Bl}3DU5%jdF4UUWuGf(2fgP?NkQ+I)UHb%-~)Ef3b zI_pVhU}+{5pJ^<{I~Z~L5Z@lfY2ZDhveGDHsbwP-oqdsGB&iJST~BN)68FU#`CC+R zF~3O?I=VvOr7~CKYknXSshvBPnE$GZRn>G$;_z+JtMKq~RzitSDexwR`*AU8IeVv) z46ix13N~Zevnz`=@R9rGpu`jFr}V+~$Of`nSR2-OAR64wz#({PdH7McW^CGlfLu6Rx)- zwvXcIfOf{MQx=f*aAtr!bS0{0R^%Hc5y&n)NuYbK%wDXcL5xZhVO6WltThY7{GBQz zfM@@M4~LInq(g@tvd$>LkykIO(Mao>MlC(H<12h6q`axmYKmB`Qk0<$hU}6u?-@4i zGD8K&L&v*)W%x(jpZaD^`eO8@wH=0XRZ3ZYzQ(gNN; zMf;egc44FX4f+9ffUgv&{~%-%$*kYZC+APOCJKI*WQX(Fu?*6woPz5pezw__2$z&Z zD#!Hhx1}FC@Is%DYcj7c+g}X}1f2e-?-H1~oiBMro4z-Py*>HQXOK3-9$PMbObY8R zSDXY-1f@oArD9wx<`KBw;}Yg;R8-S`!^q*91=X9 z?`S=0JPWGgDZ%(XL^gxEw#fKkhQ(61>fRn_3?6%^PpL>N3F{rsdfcL}9$(*Qblmv( zbzPI6Q}yXTHwXZ@qI~%3dbdl`6JCCP4>uOM`lYIZ{vUc&U%@R0|6Yj%?*|}7%Bea((x z@{j>)8g`Ve&OgTY+iW3k_s(F2bb7$c_VK3~)qVIh9$kN_@11S=9jD(V!Vd+2$FoFi z&GVibpWn^RtIW2V&nLT4GS85LI`1znYv&W;<1Cq8fQ}vZxW%C@Mfb!;clz-9r z!>*Gy>2RHEKAuT04rzUHiQ*3f6SsKDqyDtR+J)<3Q!*yoX4?d67?In)+VtZQveM z6C!@f%UXiul>nVxAzxGvu17dd$sF<9oJ}IruO`0I)2#I}gbW(%gEET=Gp}h_!%G8> z%sZiWG5Dd5oA#lB6(!l(Zv6OC5d1gU4vt*k9`{WHoGsRwuEW7nl_X+BeY%s;z%@CR zjd@|!;hP-I!<{p^ay}+^m34E2K9M0tF?jlKS`LV|GFODI3Z9TQj(@NkWv-M~n{$uS z#aoBdL`Ax7`r1>!$x?-r!x6pJfx$|@S1tn(v{vYfNK$eiqD2eB^J#&I^x z5&32^am3DlhAzQ6!b-EVqkJc+0Nbz61Cx$z6{){&A*+>73z-KKF2lwU&R{CC5PZKX zLaX;&%twc?jbm5%ZcQ<5+3I8Ohn{FW1M>$P-RIBl)4I0actZg=N@au{uUmMWI}^ zmGI#cVw!Fki#BOulR)d2r)~zUxWPs8!$2h=YL;0vJ{9p+uy!Dd&xJa?kS+uK{$irEctgHmsGnP!u=B=VizxswUP&wKg zTBJRt#SkpP`fTB@%V8jGu9%Gre^V*NpsBzgGM^@Ew=7Py^rajhjH5n zu}>A?B*0po^FH|_Or90u20(}WeBJyn)chhv#qAH9`LO(&dpPD6_)n-T>E`f@kVnSr 
zsm)(4!g+!4r^!)8-)Snd2xbszjWA0Z+(->(7FEj)0^av&1@HZa2l&9q)Tp}l6HM4K zRAiMe8b}9rxzkY|^jm+>Ekn6O_#gSm%jET;kChBWD4DuY?+{{I&QgPu?GPM#HK?#R zR>`$3{cTB*G*9fv9fHBkO=^^nkgT(xev)R?wlT`vlH+TxSO4p+KDQF6Bp{6u6^F#; z59TvqOjQb{)Qc%vw(+y5Bwe{bDlX&U17dlY8UA-&X#Pvvls18tWi;JS(TtIK<^u}Bp^&04rOtL`Ux zXZ|~Y*T~p?x6pHd@UAZO}!g48Oy7aCUx zx?b;2mJznRReXr7TkoeZR(wvL@w_FfJwYN4IhXO$ZB9;8_qDyx!6pvf9wCu{&avAK zeaGgemx{A74g46;s^;xnEFhS;63l|IXCo8=2H@k+O=Q=!bZ{W+`#$F4-#J1>q+93Z zJBb%<@*S}2ci_0+nYT;{V} z$$sKp?mhyO;AG@@!g&+q3Jl&AH}y$!;) zhia-P0lRb|`zGMroASBc`<#8V#Fb#jOW0wm^~HUpXD?Or2xYB9^C#zSr^Utg8fV*X zyx~;=f?dNqt^-3Odp#jw7wwte)yS_}?%!PSuGtLpzv;@%Ve1XTht-{u$5aRJ^FKsP zA5{AV8by12R0~|!P4l8jP7|zQ`eIw3_e&^zp1}mE+t1%$6Qfx@h&n*Ud{uR)6)^hn zR}E%X|2nDo9QdEhLb!lq-k>xPUUbG(}^s{C(<*i0!WauQFY# zbGt;`7hQ*pB6H3gm3r;;E2wkOY>+yTCaz_j$B3CEB8HiM+$4iigjYjF2P_;uoA>HC zvwM{mH(s;&@w?ItM|KOL{D3h=SiNnSGM{hgPamXy1}ZU{Ff5tfpHKXzqYzq~Xd49F z1uQ|&xM>D6T50Kd@zSwP3Hlnmq6}mT^CW2*t89Gi0P7G(rU*o&=nviQDzMX@urgiB z(W5zWj3`e4`uzZYH3>TQ(5b4nNkdBV!C1Odc7%*`TA88vKxs@EmsAO>64+WpgTWNw zu7JAb_IoB(32vgjg&n6@2tl##poROc7Usa6lG|)WArv|7dY1>cbQt;A4EeQDu}weN z1e$pzxtlNnmN*8oi}+eX6@|8&2wY%f(vnE)F*^lpG!hE=ea{+=oH+Nt5iRK9C8uvE zZgc99l#n%}{zmD`e4-`TtQ8JF=nrh~PkVV&EHjugHjm0cgc*M`101 z{n7n1HiA_AbNDR{A$yX!P?AMG0HSGw_H`~#8D1-S3@hKg` zfA)gCD?`1OyBk~+n@_ID(2Jsk=Tf0sHWO>gISygBL;aqWW3k%$@|L-O4(&KD{<3Lo z6kk&M-b+RAzEQyaIE7N#WgBO&Tt8q`a2cj6-i{@NRd(52y!hBr4&iFEXQO~)r zry!L(zH0L=ygq#x>LaQ|Yzi-7ihZ~V*V%M(c2-`9QKf>yl*YkPM``{Yn*(oFcA7nZ z^pvr;a7pPz!DO50K+L0dZ6+(!Eym2+RP$xN)jc^xn>5V|;?fJ6K|}hWlRr9REtkS- zgH#u*vZH7YG3)XHU?oaQ7W%zxF2V0^a}IdF^IYYa(v|($5{((EQnB-wP${$f>#(rI zp&1sKH_J(HhKy?tO9D7+af+1$jPk5^lY=R3*XDj(cNkAlhdblW*+eB&>bMdO)klS* zZWZ+3H(im46sFay2pBSB2MQDm6?MSxgs01k2&emw%VOPr7w75XwA{cVyTfVLJ%P$r zC5cekSJG6JmTpX#h~)>f@XDsd52s4z{4C0 zpRZ=+JD`N5x=vKjf#lGUA_5&_%9#R9 z%{u8;R8jvhb=(F)Ibrj=7*(a#T3zX4R9?kYWq(-lSvk3dBwP9KFlBw^@_VRdA~AM} zL4AcO@y}5rFLKkxXkC4iaWn4Hh12vIc%y>)*+y{blrear@x6wXip=Pw72ASpWtnvK 
zNy&KC?>QNN$duD{iBPNnn|KFU856E}S)Y%P8q-RPf-!aj9&|wPsKp04~I`t|1b0_!Ul;Oh!)k~YYu9^9vZoxxqb&8 zxoEIR^Ii5Vj)VbUUg%nV+dSr70rby7UeA2z*#Nli!BDzu*OBCFfvywAY9gkdx5#tB zpn0t&}=VyY(tJ+dHtd6k%>T@D9OT1vAnv0?rT=;{7m05s)4SywD^XzO zR(Yh5kD%}8B49q2Jl$6M2!8*yeh)-|e=w94Zc{g37yP~&LKd%LRdUV!a|MsO_Gci8 z06BV>n;{yYKE}wbo^iV$4!Q=XiQ@=As@hd9=NH_4&zd&e{RF!o)x)@-`5(A$Vvvpr zfykc;K7@X^5d%UDN}!>)ce@QDkgGvmx0prOwf~RYw?>Ir?ft)xf}ab?J3;~4l%zR4 z?r%rqE0bO(?Xf>V6V1&s4mphH*gvXOrHQ)l2zxh)uJIbzYU_bHGdtp& zKKo%Zy6;yV*YpqP#e!bDFfg#W_?;UVwYl6mjgDG#xd5|t)1^6{*o3WM523qdG89C> z)9!ysW?c|cx&Y|jZV2#C2%q6!$O{5z6G9c}p^$Y;#QZ5sajoLt|6jkcw|e)v@Y(6` z>HvLV(v#jBA}fDjn8JB;TrHI&cwwoSAP(5l>|~s+537|{&+@g!xN75eRRMVd9hOV= zxBRGC*7*reID=WN`qUPLJ#4i7QAU{_*>_52DYyqiY?x+o8as^(YU)x|ax2M_(A0a| z9@9H-n{{$%wHy&~mjan;@+@iH^kipc)_EH+&QMI7QN;e)pnPhEOVOayWb>yvTWsp;^ci;VHSQCs@zGh7nRI!*&;7DaFC8siYZ}cSN$y| z_oMFj`ytn)ir$pOazICl6!YiX(9>Uhx!?GIpDXQCl=!O;U7_sKLdohYzJ(ldFZ~)4 z86haAVHP&tIeR*jlf0lU*-}`eK|r!C*pW~F%dF@4AC6gDZHD|ZC?0p!S1U_oz^M}F z(T4^9HbPTUAsKUck(;v0r_JH}fPIWcIfSG;Rp|0`*iT%Wute*e7TNMN0{9pzI{U1D z8BLo^Vw72u!LnSH^41sFmp^&fA}*}!BPgV%tK0jM_5$T+IUY!~E0LtyH0BVjHyym} zYbnaJ&G}Z0@Ro$jH5C>fpUQYx>{zK2)4Me66)yi`6zD?|%c=d!o5VEv-KJ!k*`Y~d zCHxnyJ{GcfKOVj*XP$sguK+NrNW4N-Woj zL$!0ba8*lmZl*2SeJt8$ zkl?3E%4iR7On~3Si7ZhLkkyUCWvqt43FWdaG_%CLB8_5ioc+y9Me%(Li46$bir4Pc zcqCCM_>W66!o4v#9a9_apDqmDpiw=fDntH4KqpJ$0SqdgQi***{?R)<_dP+5>@S>9 zib13gdNOG=RU_*)?~7fL9{gzMeW?=22j{Znr$lW{5l^n7W+w?!HsbYct)mZV!JY6< z{sIf%R*lS|0xkNC{~d4g!~E7-#2+x}exJ{BgMc>_*VnIZu)lzLSb0(?;rK6(Is6L} zn=?X^py8K(>6qJHFY%6sf9QMeEL=0T92Q5aakiI#x%GWgK;%6ysWTU#TLh!ZR=ag= z=SGVQjut)$-iL<$GY^CAy8<97U~94+Zrvqu!2i7wWo6a7`1sq6j8ARzAuUQa5ZLgF zV(p66!oPhVWk$cvCHn5jYYm}w>nQ6DMV;@d z<#2l4X6D`XupMC<_-I^1b zh>>Z(gTGSpNy|PSi@E;RqCSebgw8)zcn^Utgx&86J|#Yk77qPD)2>7KO3I6!^-rXC zd*DM&nAJ$psGc1^8oZ)r>V?#KKE7b-mup%>Om3mRSrH<1pp zrTbVKcP-lf3ni0wU0Wd*wcb)k?>JZMPY&NVUUsXu;pEe7Y8s#3Mc?maQnWog^_~=V zyf12x>bPoMHVtyDvmIZDW9{nxk^TS$Y{G3E4{#MtAs1DDEEjZ5nmH`%-+rs~^PSlY 
zo?l_|@9CX(8u7mwZ0R%4E%~ASl64LGUv@eC3u&wYK~sZ(eW9+ujoTj8AO#_GOFTv@ zhNk%{ivJ6EWk$x;J&rz}zhqV&Uw~J!+xAqr_xp^ky=SrN1b9(3r6hbxxe{|DirS#C z+!b7wk~O+Mf?09hwK6=63{C$ztdtsk|Hmjk*15Yfj?WM$Eu?tl%rK5R@|L9ZxON_{ z@irdMK27}Dah)#RabY#L&VnNg2eve147@5$?CFw~^^u~VD&%k!f_%V^L;^|#iHjtw8W#IpOpA4)#@VW~z$x0bRaEZxDoep-~)sH!X0CD){i zMD1llmhn&Rk1?Mo9$u84i>t~IFi$nvMzLM;YRgHS_8>>YU@eV;lW|x2bAZNFBVviKnL!4V=6G*ZUm)gz|_gip7UgBy|gnvGHGvs=3 zi+WTQTsOHfPg43PKs1H~)~>+tC!JCx`>RCK;7bT%G;Gso^_-{Y=pmrRxe&O?irv|%!wtDGS+jU9WzjR?%`4HC!5d*VEhAp<^BX+ zFg&oHC}FE09LtXeGDZ?@?#>lSLaj0xQZ(2NTbadIz&KLc2r+Ci4$iS>NyILY5lho6 z1JXJr#d)Hx@0OCh7;gr)!xhDerBH&(`2s33WKL*?jiQYGK%%A!nl+Os zVu(6>xIbbt)@6QisXD(F$2`(ji=mYW;S22p8woaG;c9ZFPANF4$bDsYZ~iJJ`C~q3 zLI*TE7N#@4vLu~m)a6MEhtsy3$7GtXp|K;oabhUHW@zRWhd-G04Th0(Tr(?nWJv{@ zLrUiVYTafm%Vv2^2fZBnf+B&XAL$_WYTH-3cLl-MtS@Vo3W|JA+;>GbR_O& z2Rc%fhqC9ysUq~wWg6d*iON)()mc`>d2Nk(N~=|UI?$~RL$Me(F73EsK((+dQ zkN6}7UxAX(D7vhLkBzKKGR;a?tz0QNpSTmpyMUqCCs;65*x9>OQ8*Fvrxt#!Fm2yh z5nF>RL4)pCpJm2%@Dt{ujBJIb?0{c)>hy7+$e>JrS<-cj#4ltAcWqBB?9#j--oBum zetD=rZVmre*!(4N26aM+J30qG5V=0R?r@=fUFBY4EPLK>JQHD;%wq@TLw!;J!+>0% z{4cUOPzk=68Db>Ab`5aVb{fp5-g!19GhM*siR3_i7WAwAkbf?DPFE2$UnDa~ z>wJ7#f>Am?8sU}behzXx3thm_;CBBo`j@opUR@FCc^s2gnS5Nwa@(FO6cqK&uPi}d z1oIr~=1dEx@KUS0yxrDqp0&cJy-Ws|vRZ5WeWKo0vBs9z9CM9!lRPhSf{14gANJa# z=zB)Po-v7Kh@ao3j?_^6;5_g9QX``nombUxh}l{jw-~zlUdUQ^Q+RDw)pBkJ&jUaE zxLX~kBxX-3{lSf< zfR4deN04#mqfobF$D1Hkv!mzXa4~U%fAfn5aECOuaq^~RQD#qPleIHd=yehFOw_&S zrNrc?=6hq7H(l(g=h%zo|MlWr3GSJwm*3+wzHeR-FcztH6gaR9c~zJ9_VuEmIb74)Blp^M(>WALZHLIAe@qo;X~ zNTkTv2U4@%kV$8pyrmVQmv*?M&vKB8m&I;=X999==Dsw&YCGnIGBalJ?^G{YLfPZm4D&Blv$L$i0;^%Mnizv1(#2ipe{aI; z5W31zM~?4&vyyrw&6;#QQl>9^$Xkg=3|B>X)YYjt94o+TrDHEH70F)`D4aZ|IpQkxgF5V&NO7sIA&=y#tC}c9D2w|1CG^1$qyw4SnWx93A$Wr- z-lqtVI2J4o6t#MzzgJd@w$bd7tVa9QI*A;c_oI{H!BFWvNLR!&ShNQ(qv(MI`N_IZtThku7Y$p5O zXOT2Ve7|W|?GahbKV3HCpD`brgarB}yJU$pN1Sy0Vr75 z)!S#H@(8?-{A;3K%r#&TU`FJI8Z5ZwW2MGL>y^SJr<+O@X=IBD+I~}UG#O>Au&Sb7 zaM<^9?BlNq+qOzps2Awu?LH!YH$c1>r^CYQHmpuq96r-J2jBBN?zWwm1#wyuqxz?Q 
z?h2)3g70!C-aon7R_a$?Cc9V?0g~%zGWBs^a5&J0)C9}WDM&uCCfot|9=@y0k z90xM(>#{OSb!7;q9%G7|p8jTPU;0a~cH{-oO`7>hqyd;t!`{jBuvinP#o0Dx%jPz` ze}I}jv%q3kh4K}-&-iQ+`3j3T#yCV-c{6u!(fa+05O}^}*k%jsDqW`u95HSht`TX) zV=8vq45R|oAGBBl-=~DT9Jow3z4{!q&4^O_n^MJGs@T4YOVe*STPssqA;@Z2l(e1> zi53+#Q0tsgn%;v=Zv_8tm&}aZHPX=fq@)OJBGf$vu#(&AC4`xIF-L~cZ#J0ewb*^a zuk!u`e_jia=E)jAg1dE9Au&~{F=f{ZLmyhlWN5 zdM7;oGtYu2XK5$`^vAw*wiL+_%47rby-WS#o&%4A37DeGZ5%A=q&Zbf2=I&X3Q%Gm2rvsUog`hg+4Dk@ zJMc|@91&x|PdOuGF4HSCB+mIch@fcW$}Rh+PqUz~Vc`etXVBrodg6ekKq}qfLab7lbvrV)U*`Rf%JhM8PCN~45Jp4%1AiKt z_$tiqzi+TNrZ)(G73QDz*;~tj_0zf~`E1X4%ed=m+K}6Hdm=rnK~=CFc4CB_u5Q9I z9)^qb!)2mtRgb2NLjG7Nt10JE!hurxPNkYH!zqvw5spszK|*&LF096>PpPs>!5^Y} zN1kh8+-~%V4B3{Ug0LMJ_xu(BO{v|n8-j^gJ7T!-MJ#+w*rI~RE`cn^QZ@UWdNkj} zWdA|jgj@alsH#PoWvKUm3kVenxBrZ(2>g@n4UjwhQU{ig;q~fd3INmd2qO=YB!O^2 zVgR&{FiK^lKx<4;(#Of#iw}UtkncUj*+rq_=K`(q zEKH?g-fhb}i+J;`Is z?fSKPHCbxsvMPWxHRJE-XnEm-Jy`B%7I@X$eHjY*CEj?QD+B-r`cf6~qmIC!Dp4jjC5oZa|1yT3ePVj&)0G5YWb z+H17ce`arz-(U5xx7dBSg=M0D{+MpvxwsTkBJ#a}1N9QSs(L#f8>o(w``W~5})vStx<~}aJM<_ zx7!1Xus7sA-$#ypy+@nP@fnPX-Gti-;#Rb5n&{E{@B{S{gL^$sdZ!=2K)VsZzR)s@ zT)9!lYi`8OjFfj*u25jYXl`pF&p0}8Uv!amdY=T|UET>)$rmxJf|zp}04)_xwy zbLRZ0b8blo&e6`1!9KXGWt(CKl4GjnLX0xnR(tvlbFD+NH6zIcobwfLnzV2{;pnH( zBHCCGw;!AiO@yrjx`JBhq3bepbE5hD2_n%~tx+rNv6+T8Ql_MqX+e0+Sto~1{XvP3 zC94p&0hbwy6Q=eW;?hOiI6jHu`02Rf7IveHO2+301-#|#YLrPePbBz9;t-f3taE9i z-5KG$Uy9?E6@n_dcBU*3(;B3ClT{iLP^}$gE7ujG7CRI=={Y567fUu=eN;V`3_VP2 zR4Q{6AyATOSJ}Lm=~Pwy+3}w9y%`d9pE^d+O+b5C6fc;43z^7 zWXoenWFe%REc^#RLhYFGl1q|{DPyV|Vdj5q%rxMK{}5_wiMDGZURiU`jGxJR#YJb} zNh6zD#hpC|$rqkNnLwF&hTEp{^P$l#b7ImgJ8zP>wZ;?QBbO+g{EZNqmmuYnU2<(* zLaH2D`^_pdk6GyoCGDh>h*gp8&<^!zWnhW4luEv|-(915odQ#n;p~%)AW^QE8k$8} zNV?G$?B49&S?*I0%`VCOyQsS&!4v`ePsSFtq@NW#t+{;B&sM+eJcQ;lv2(KJyaJ+3 zay-V$2Rdy7;nDBukR`KmH+|A7XI93PD^*LbGOC`{4Dh-f!yf&xUk~aztzj9}B1w~= z=_us-62tern_cY=zci#Lz;@T|mHI%@{KzA8Y?T0E0B3voz}1)RKA#{v&?MlNDHlw? z?0k<3)~Nsq(MyMk^$+MWD>u-#iz}&TISJJ+V(k(thd9}_bjtD$n=PVbnA7;~Yq*i! 
zNN4b8#NkVytve6MHH@2>Lw-XNw6Q?2kIVCkbd=O~Nva-DL|^Q<+9}g>>ZVp{tYSvhi791nuPkj69VN41B)Y^f zl`J*<%4}3IT>YyBPkH)YeZ>(}TmiLfH#t(c3YW@tls+xf!;rsJS-yd?baaF($5#oS z%=;>pa$D{Eg9ZURcA{h|7^wuGfYeiL5#}Y>slP6K;H%vClSLk|!f9asfi1;g_~t>8 zV{%nh!s%aG4QyGI(DP-R+Jz*l-)V%wUsz82U(1qzS@*04z_t+u1nau9VwOlpY9IT~ z1aAxn?{l)0WXXR+(<&Axy)9P7J80J=vWkYojPKXzCW-%3^t%`~<7sRt{6cSBSvKs) zz9ob4&`GcYVJmja+*oEXnwB~g959zJYI6jY8zH% zNsZCoMDC`Aa%6b)#R~&#l#B2^5*-CIY+uv{zA`Vn@w@*%%djgRFw?x!3!Es|(2t)& zSCTEzOv>{lP5ULj1eB%C9baHDAgH5}hS@T7CM=?}D}#H|&EEUgFd{~;s>aY6 zKW1JOO4HYlN1xGO@ZZ985)cnQxdMQsz$DWD#6Dv#J`Xo}Sl79KtD{^j@0jSa2uz)h*!TB8fH&6Mk%)0An@Y3}=FD30UXD_4vD zN6Zw@W}cpbd-1Xn@=qK`fty1Ye@O?=A)5B+flBk)gR|lXDJkSx++arYCdH+3q!+n_GIJN8S2r7AkC0JpU z+!e4Oiv?V8+^6{6x-d-$wIR=ajN3mmb?n>xOUeekG|J)F-42-cS07tI@;Rn|cjP-S zIwHab4xm+H!bUl4y{)<*?5O{`_$|?R((8RR;@IOh^3mmb`totb5;-=cC~)9wFwXyn*QQNN$QIlM_!!{F7br+|-%AtR%P>v0}WM3%^q|gAq*S$Zyl$>|y9T-MH*{+1g#+({SY`W!Ss??)O(G zwy!s%ag%Y>z<ZU(T!3Ssd_U+T=#Sa&uZ!$JeIr%oHx`*KGD|cH8|im#vcP4!^|(ha%u= zV|SO!_p;a-wf6})iNa$&XnE7El`PwgZ&Xlo=_cQfGY>RLiJ&Da7a-R)>(cZhnrn&EY=2i)R@Qywz zY18FLSs@roqk+#N(#L5;TD0=sa%RQnZW+3YME6s>Af^4Z7)=Qds<5wf53><{EF%eU zklH1c6eL}0IFmuL^G<&tcUF+Bvb=L0)fv+#H6(*__8ovrJzO&oDKc5Jv=m5nY4c~X4 zQ>iV+!Bp8xyH6RSVHd1;zkl#uIY`oTp*!nA=)xl6C~sb3_CZv>L7_DV*=1j^sQosy z3Wpz$^Q{cQ6-z&HZaAl`bf^7p){msMoUNY(w_ibp2SMEM&FBHSWZ^0VxbQQH{$=^~ zTT*Ze+De!z410zd z|z4%9=j)mKh6}6!BUy zYoo|a1b3Lm5%%_)))moV#8Gt!u)=lznH4l8sHz?vDpnk%P1Al=c2=D&J^BU%CkY`EDL*ZrFTQ=eN0>6rY>GP4?_90y zZlE>@JTKF)V_?Y`sda^WtQ?0A=s>QmZ2D(vv;WlL9l~^WOvUqNKaTyE9H_LXVWx6e zI6()VwTEcoI3>FZdlPklV7yYj5B&Hchhc%%xM}72;SObs64(!|Nl7ljhQ3e_TegCX zr~S9fCW!r3UMUbgV*;9l(kcA=oOkVTv1bu^rE)Kpi%Lxr1SZCBzCfPqj`B85ax1x9 z`CFEqrO;;A>DcotyBQ0*ZARXtk--RB?6BZ0OxX_;bhQ&=*Lm14iK zv0>^f`+kXeLS!sjs0MeSxsxjVi~ed9G5_fPqe!1^~#R#Msn21~98585Hh zS%V`)rasXwU8ZAX#pRO%(#&7cmKabji!Q2U7WjZbZ!U7R26c;H?bDK8VI9m@;=CA) zGQ580DXo}GQV6dKlk_|BJE@}FcqDx3gsE4R>w;gzmF>1#`VO(Y5oCgH1K-D#xXBbVeh_(Lc!&b=PkpR=W4Bis z;_q8J_)N_3!X+5W-O}}TjYc(CWb#2%4kl^UWxCP-uDZ@ti~&Q%&dNEoZfOYfQhTxi 
z_%@Mr7)7w7U%nEEu^s$SC=?F%)h5&KNwFWp;IJ{CpiUmgm)B^{uS=Irm%)|ykkf6& zRY)DTOPdX1L`_>JVd4S$9Hzb5=kcX>clIB*Yb7HYq7u@#Akkxb;c)zZdt|W6)1&zhW%Qg&NfySw9!P|QfWUTi!x?{NE9+mntUZ$ zVl(2s6!&SIZQ^`El!p$>U%N#RP#2y|Czm>cvo4)iOR(vcJvs~?Vx4cB=VC298+G4f zH<9n6Ouy=L(>4FXg#v`w`02!MXL IpSgAYx)1n31CmV!3QK!1t$6555eAR?kDAu z`Q`lr@a<3DH^Ks$OF#{nBo9yl&i`?Ws0?Q7M#0Z#&Uk6M04RDNegSHwUTk8Y>=PJx zjEm0XKCea}UUma?{S!m@4DPPpXh#i&z@dIhZ)fRDI5ieIZL)fBJRgw^hJ5+AQ9P^3 zL|xZiE<_EhhW>8A<9|iBmt4BDwLW_im3;vJk6WHskp!;?R;_FTe(sAYTbI2E+gaec z_2~6O^ugt@p1!N}6!LD{N%g^K>MoD%O2o4kr zT@O-?tE3=|L+_&Fv4GDR4c~`D?SbRz`(X=lR_i<>Q&01@V~T*qpw?&pWI4vHdoI9s z)c$GnD)s0JyZfoHW3yYA=K9xR=LP5vlEeG-iK-t9@b8n2X3%jLec$^SB;@$|%DbA= z8``Gnd++fCTz*FFc^Qr-?wDT#>Y@6|J_@}}t@~UcUwa?s@YLG1Yo&0%*h(2`t$X*g z)b4a;w!WbZr^dA1`1oA6{HgP>YPRz0<0ChJ_Eu2@8JDMaC!tdcltB72EhB_`ptI;wG`lV0VuG}_#7;$wJYva287`CfTvG>B2q4qb&&YIm6YQR$)PlQhk}yCK~>= zGbrCg5Ftj1JzYZ_L}n_^D?Qc3gJa!KpNNW}zo7ozd>}mEz%uz;B<*;IAT+HV`mFoZ z58^tgg4lI0I?-;~9I0dxta29Nla%Gsh;}g{=F;wgSGu@QHyDqjGpi=dLhB;-54R4pcef~m9qgHnvAiaieNSX|}<-C8!Qy*MMp`{WGq-w6f^^P)6*_ohBerkxgiD)Ra5S(T)& z*tdiv=3{uJ`bxuRp_HX5goe;ciSs!HP2;-hwnrBh1sZP6lncY!tl1}}TAau@<}4y3 zq0r$xo~IKr{HK`Q>ul-xrppMwt(GboQMsyRt(ZCVs9}J*Q1V)QBo}1avWgU@Y^3Ik z6oGlHw{(M98N`%Q*KI$FsR86;62mf_`%VoeW4^>EaiTcK(ev~1cMyTkv!coCLnPgCjyD>Wu0OMXVi0V=^VE>ka)THr?Y&*3&CE9)76 z96?Y?nj_Gk@r&w5PWo9L9v3YP;b-tPaKn{VgC(R!xfwR|YECRPqzN7a_wmfHNF$7V zYz}{(*$rv14<(LmigY2iOLW+VRa+R*Vo9A@EPqe3-EbTkL!$FQdK~w#2pa-cQ7(q2 zR6Z$lAy%3H`wE>OsbdpnSxSVm1*T{Cg{;gFet~MHO-lzb+&Nmb zxFA}=SM=F52U0S*EJ0O6OoOgVj2Z2`00n*}v_M3KSJQmytbu|S16RY9cyffJHQZRPU`! 
z*Dof6)qKZmO@9{M;=Ix+-Q^@;pnhP0)%fhj9 zcYUAdVpa$|q4wIkc_`EEc;h|FVXKk73c9Uue)v8MI!<$YcC@Si3?knGEYI%(yl3vl z%^A6|d9N$JuK(PgzSgO|=JHqWpluwKU4^>OI91WQ8t4H|lMQp^@JRvHp3C>!8(U^e zP&a_-Y_YvhC7Z|9UYF@(_EEcOa=v2QciVJzMuxzLtzRclu(ro2yZh%Zih2);=M9gO znqJEK;|Puepe_(GiqF5LMu6V}w&jOsZ%|43E{xv3SwqHVuD@6FUbkKsaPs1b+c?Tg z`hLBVc6X@fA{)5nVW?yNK*TT)m7Tkz~ST>>3V;-Qv4f(w5sE{t)nH>vTxv1^>TXbD0siG z|2o&1(Rq{=9dpF%Q{#PjZEo61d$-cV=Lq~uIbho7nFt4RJ>?V1V54)pfSL9%YQq+K z9<>y&Ty@U}G`_DRKIt~Hy&YjOg08t{d2g;qYo{!)Q)z{~?!Q}rTRklO-9`&1zrU>_ zavJ%+1;J%Ul{b3`o|VukS^b&yw(Rs!bK!Z9!{P$%$qKb)zUTMOG-yrr{L1wRPIhF3 z#cWf2?S50{{KMqyiG0;>-@+v!~6D>S-JJNEXKIy^!+Sg z+oSD0!0PCO=5kpo&H5fA#WzcOEt9M|fw5QFZQfi~+`~r?r^9AulG}Xy z>sricOvC?qL?t^HWZfuIRw>8YN-}9xA1f@icJQO>xyxEyR z7G3tF9w3*Q%qN@BaEzmorVm9PCCC&GOHzl(swxFKIDEU8lqY|s#>V+w6WAZ^y=b>o zB7;hCQXzp)ajGd5o`F!&;Y+tPYBxB=_1eB44(Sp>ayn`Jg?F7O>`6r6oX;6M8isxE zUf53@ODG*oO$II3t_f+g&qBsg5l{AQ+pcrQOgzerzLB4WgNv^YFp)3)`{r4h+;^O$K zV&}XgQEN`f2CpSD-W>C0gASB*|I`WB@us4d3x)O>Ue#Qc;p@IS>2gUc6nt8!dPOlW zC+%CG4+kii3Ij+?S8Pp+C0dnGgAw(73YW)(rAL{-Qhk(1f>1J+D#P5KGAxa!ZR6&^ z39kt=yl#}+oi(X%dM&^C6C0UXDE4WJb&0-tePfU~!gUUAz}5>?99mCOeoh!f*s*h; zM4N2+jmZERe2BG%q69DRoh01`qb|q2=n6`-L;WrH3JwNuflG7uHxpy2>)(Z11YXP^ zbBlExKzl-;|7?1)Xwy$^e`QFZ+4221@6THtg9MbrbvA42oGg+oJ=ud33oCRr84B&c zO%ongW|&BN(p3F0=^XV@WwDC-GIXf^i?l*rhsh)J5kLM&&t^8@ojbiEI+WX9J-F@A z{Y`^EzDz?dI4R&t7AD#%r3OKhfSPXa*CA=(a99xg=EU$3uDxpU4)bt`3%Q;&w#<8Sw8vd;I3}8HCj=1p+g{i zLAUFqz4?#h18Jkqd5bplYEeCVDugpF>cL__ZEBx>IzuT1t{f6=@Q5l$epw@$dD8S; z=vF9+`BBBZnlx^0M^7Qlw5SkQ{FkCi5-io=;Dk31@ch`>)jJw!(3AKj7L)Cfk?*ss z`-?({0Vi|XCjNU8GCw^|BQahso?_(}v5L6z_H^+YgH>gks6e7bxuu7a?W-b5ceEB6 z@>)@Mr7=s5GA3D;BxF|a^p;82WXomNxzF&i3SG1y9`gw{0xv`vMMti>WZB2j(6u{!EtGMs3>g!Sith#kj0gcolWllC7i~X#)Ijzwmd~|!k+vtac#H!ss-uF(l~}@!6!a=55NrT3)o3Jj;s{gcSO_eB+Ra=$}|@m-dDg zWI+hzLz!qfJz0CiX^t)Zy zKi|f1769StAHB0CzH0#g)_MP0e-J3h1Xp5@TU?ZQ5D>>y0RDFCnq4aW_4TtyewgWD z7kA;$;CA~f{a<&idv!zIu?>M;%i=%8>kSf6AYfU;$lxFcN^LgF<8@2&DnhCxYO{jV z35+UUmb+ zMklkyb03a*Ts+2$adr=~T5a<#op&iuzy+UXC#!rrhPN_Z? 
zV5wZ~_t8y7FR#sk;iATORz&x0%XG49?o&EckV&bKeSP#>HpXoC-LcQj+YD3xq@y-t zTSj`Uy)P&W(Qt>!W8E1JCJ_qBp$2Q$d8YJGDD&Md%V;mFlZkA~&)bKvdzR6bzuAVy z)aZF&dP?(+$o)8EaFW<#N09yT!^g3is}M{Gc4!sKa)Wcca*9UCy~8f7?zY@dc5~;m zUeSsXxR?e$3wjPBoH*?6od3r8(1|(*z4kY!3jDk>xT+2BpKeVe7;BBLTqC{#Kdj*7 z_<$?5?EJQ1=>Q+4m0+s_+vrNQu|uj-~~=>icl4C3;<4MO{Hj zz%lB4%gzJ-ug1-~0Nkd(=FZx_Q-Pq4XvZI<$a{_S!4aS99SO&Tz8Reb#JhkE@C+dM zvzKWVH^Y3gE%73#c1wQ3JvS!IO&%b%u>&ILP?<2@hE__AI^$|UXL-FQHXHW5ImRKh0N$W)t4k1sEp|(1_}2Q_ zW|ix&edW!-NDYNoU)jb*?Muwtq~yx=E}~*cV}fU-6Ic)DObbt_X{3t`*h zqB5ng8RL=SgI5xwrmr(534fdLLsp@P7O-mcabea?IH=f=P?x0ZKgQpwBpwO^I1sIM zEL>y_%uIPUQ=>DISl^Q5-n`g{&{?(qElC&BZk63|`IQ^lS=cuv)=&hTk2O|AXN=>@ zRATk91RigAS>r|%?pAY-I>#7~vs$(SRXIgy;Pu8(DH)(${C>+K^-tlJW!ml1j6-kT z1TLGTA#;#EsB~~-!yi6`SeYG)|F*JZNM|2RxhB_B;Kdwa7}gLevsY)|3#PuJ>GFVzp^ztQF?6Qc2b1*S6GtsYT%ovp@xpOP5<+Q_WncC;{EBOFq^P!X-3fAhMO=-nC?WnzjDGu(Fn{&w-DJVt zY6oVkZF~9-S%I!~&lmAJ_D=zFOC%4=M1Zn}bYIh7t^{!in+q$}{^YosJOMNx|BcxP zj!Z|Wh&qYTHbR~Z$khdW+#;FI^OJGBc+>7 znrY%+3S2Ly^`)%x&whkyATTb?@yV<^3z(TD)s6kBGig;GjI-STyloi3hhDUBeoj;AhrUm^7+W@GR*}`z_<$Q@28D>0kP*7_c!N$vj6Jv z)*Y5ob;+=9CJn+}0~?q^JmFDo1q?As3mMlA7}K-G4TIt+`^6{dXyF=npef+0+cL4G zHS>UVJ7wYrU51YxUnW<6Fl}lgc+LKhvon}QI`~?tq2`HIA*ab>&lfM?%+mnF0jwyB z^0LRju#I0!BKx+)CcHc7f)M!p3k`O%j!4sBLt_m-Lrxm2R2?smXsJT8p8Zs`*!O#I z!{gAyxUoDxYBC>^8HBDbr|#5PgszzLlp@odO^WVMZ4*i z>thduPJ3Ta|H0f6BbC5M1}MKQKIOuV(>bg?);ALm=C0*oR5wakmbMGEy;oE1c%P;K zFYL{8TLz2uvfuu_M3~}yT;FbZuEf+fK!AyL7$3 zyeIDQT0h}7UhK82$nEUUoB*Msq4ub5zOG#4`oH`!GQa+H9iaI#WB1Tui&NWr9}$(S z8^GW(FmS**Rn@Q&(s_w**sb<-v1`{;KZ}w~fa2Ze)=&tznj*_G$LY%U*+cblPia4V zKk~@>SQu`#>+P55&J}9)u=sbf9Er2tb8gRM9;IYzKOi>m$zY2C~dvJ1wmD z?poeVJ`24M4H9kn_VT%-@6vy=UBqhmpKYtJqaAzT{si!FxBha+qL~37Z&lX%9$Ida z*-iluO5H$u?jZbcW5gWKt0(#mSBkR$x1Gq-kJ+=6+_Ej%8y26Cn_bnL&aK1R6N90i zhJUh^*Du%a#K&A2jVpl>oesN?m}K=gth4su_g4Scl@HV%r~MM9^}A)h9go=i!9kbt z!C8(iIe?&LX|+SAMRO3qZ(c9`%D-hbXqVSz)slGY=-tSO*Y|yUbBAq~@2VN2rhYW+ z>Z6aNy3oiIM7n(=w|8%}?s$XfUmwPIaol+GKH^kKzsU0{c@fI?)bV!Bk%QmsZ^YKS 
zOJf8av5#7Pq4j#WqI*A8@?iiCzK;4H7)-5!ZYy_oPM7KaL<9UmC5R}1u!<3S+4OpgSd$*l9_(w+Z-odj|-C05hPV z_srMabdY22_>0neSmYo12eiyYqo1GF-v+yf-a^f&0RlJzoDHTn5(JMcG9^Z^$3(a} zlz&L+;e%N&#oY`384w323Ka69Lv*Tg20_cRVQw#k+SDvwKSX|5bcU;KGfNk@sgzGD zMp|_2CfMs*ef>E%mXxeQRXmnwSP5Y-QS*zTM>?hdvPe3}pz(N|K`N<sC7=G=Z++P(Rad=fvpo1+f;sv)+#h14IeD=842ge;i*LJ5#?4wrQ!o&8=}wxc zLz|={NMVlIgIyro*7_+_srZ~?Ord{rBVkmhC`(6VYkrqQ0LCxMA0}>58(dD9Sf(9w zq%$SHC{w%2XM8Vh`$h%_{G!k)p267=kYt?}5&C~JAiKRAI!TkHFuPh6zhRRVCPZMD`KMhFFJrjpc#+PoMk zb?l6}`bgE-fD-?TngyT0ftBLGMo{mcoQ2yL%KI;>mrX9|EaAqFBE9iS^O{zT2}$!h zIFw<_Kj8F4NGNRAgoj3(F|kX=7?bRf&NN9(*exKDbjS0`=D6iO(A}BFUJkWg-d*cs zJEO91&(cs1W=|AH4ZsA3VWzYZwA+CL zh>lR4A4;M_NQD+}7U<2zr#dwL(@L9M)4TzBHp&f=ST>tHuNc|GthHpeGrc5CrFT>I z(}2*-ZX*l-ekRbdW)V^lCc!&?<|HCh-=k7xo?s>E!rNqzAad+P(R zN8k9Xf1thwg5|ZAZ%yA&aR3kX4t>2YMDtucn=! zd+KE4c*_oG-(Eyo52ayQRX0B*4a(KwoLE(Eer_9gtTxuG8|@YPOAKzw*6PZ?NiM-p zrXgYX%|XLQLdMBbq{hD{{@$|;(p@f*Z>LB1El(h5hA$0%32`utVawMG|K9LZLP2Ew zN08y1Rh%cG39j<728n@GwW!X(IJ}zjs6k+JTi~>gHv{ACPm4I(O2b8Dj5ett5<-+o zcY+64*XZgHd>BkUmi74q%|iZx(D?OpDivPRO!#5DT_VjU0XO0!xcFtI1-ZL7s#3nFf;KQlT{I}ah zkCk2uNp%GXc)ZZ*QLXwPc|2N{{qVQ1H03?1PTYMPFTEkI;@KLteFqk}*tEJ^IBv9) zHXC{2_~GlcL&!rzsI(EUU?khLf-WA*heF<)_ zf@)~0oz}ANkNs|oS@0nBV`)x`q@hYlNwx4U_ zf?#Hb*7XU6kzQA%)BeFWGPv$`tP@shH`<}a3RKUv-39umWhCJBcU6m@*M{YT!v zme2F%AfTu9@7=0DU@&smiAnu)W4gf-&;rGj?aEkb^qBNa14M0_bnNXA7CH_z*VDUl z6#|SS+@Qf-TIUFzR6xycKc7a`H0aS;Q^Cf@C}QAb$z?ru2XXRW5m?r|&m~5!ydU)3 zb3!`G_dakiclGpuAP$|PS_Pc%!wlPRPX`Ux?~A4f-c~-2P?%<~VxNsZ3Lg8Scf7AJ zH{-&LdiE@ps#MxQshbyc1`C@XmxxU1k3k=)wnp!#ZXYl{y{%RPtdma z^FUK#hVG=u5HwemU`@$m%Dj*9ZSj-X%fDI8XBSr6T8ySKh6%mtK;Dg+bp7S1ZS7=1 zXR-jXTe{&d<^1ePvwIp@g>{Fz$gi<#d{1o6{3h%5182G=Ozk`Jo`suI5qStC!*3NB zb*FeR?0nLFrY_&KUxV+UC==l$jmr*^{M8wpD+sk%*yt%SXar#r#G1H-n`q$zkXONG zpuu>X%CJcqM_gry$@Wkcjp>QCP<#mdk;9?*KW#*u7%(}+Ew{KXSHGBREP2@-QH%Ux z=4fRlXy7Onyr&I~&d@r@LnT(#^s}fZ{84OSAuE3fv_zcT#rJ7skq9_@yJDoM>N~A{ za*6%umkI>u@lryt`SSWz;k7tWCAavu3AI9fqYAf7R?H}rMf+(nJR7dHbwi;F1B08s 
z^e;rm7(7A`RwHyrMlY|U5WGCH{vrGvZA_P5&83E z{-*9nhL_T9yfq1LT#fan&Byg3{wOp~@fKcqC={YSV|TdqX}F-iQ@#EJ&Z>Sw!;XYr z7aqVW_5Lt1n>_ksU(RgCQ6eM-qnz4*s}Xj}Bwum`TbQWRI(r$Bany2IJyWx)J!1f? zwoi*MGiKuj=B>j*DWICi+jQV7W!8T?@&3j7ikxSsBNbJ$sU<5v=jx^!htXl4?#7Z# z<}%eL3g?`lDODaIPWpwR-GLG{^Uj67a&Y+ErVJm}QnLDblX2CCb;L zoSoA|F7+Gi+W(0YIDbbfoAjJWn1kMAaM4}-9lSxVkpfiZG5CSbK8$^zShYMaYB$iX z8-amEBGbh4X99J|^9w6vK)AEfW26r2d+jT+#DOjGkYjFdPhTK$4rfbtRwDQzI>)v^DuK?^6i3j9iN$N8gUISM_;ch6 zUzwK755`O{@ak3Z$789Z&%jqg%BZrun8bGR=t+$|ytnlF-2WEvCvNTQ`=|6}69Rvv z|3Q6Ia#?2Bd53&Kl@Vi)nV%ay0|))jMpnsBLW&;=|Fe;GO5EFa*?!{ax_@^cPS<7L z>$bs?TGeb~*_eofUMui%mCM~Zcc z+iQ5*(E)h5@|*+Ah!N^B7ojJtzxZBS%RLVAJc0tij&B;dF11hie;mcOOL`htx4G@f z);b(ly>5TRw7p*B>VC}jQ$FmQqGowa=Z^+lC0E;m|GBtu99Iiux`U){EM|o6v!ZW$ zAKs*P($BhIGCPkM?gwBzx;&;CrDC~y)t(L8AJ9H=U=HpB{z`<-*OI9-f~Hq~ueDb` z7dH2rPax;A&-L`YsLo0|zg^zONYol`;QF+W;O)rmz;Lgau9E`C>1RH|QDQG2y@bPuGYC&_54nST{A##qavuK4rSgakKRX!+y47=ji-R$aY?G zDZWy)cV+~~sQu3Tq}F4wYv5?N%WpZX*MBlQY6dE}b*JkU+I=^Akl}j$rNKPMmo14% zsHyQ_TS$@r?lV@o-TLj*g{}dg@q!B6P(IGoq$DU^dV8O{r2<_H)7)-;`5oWfgFjxt zJa4GLz588@eXu1P2m?%0AzuhCz5qjAT)k^^;b|W<72oCpKJ)S>Ple>R;8v$E+4~L7 zK|;XdyWDSwQqjMLe3%_YhFvisf|DktWLI!sl$+y2(!B>N8!5K;Nel`01WI!hmD3s5 zY(2}3*DtIcnDj1@FyxE58Eui{zn~W?$}kB3Vp17jfSF}VFohtZK5!qHO_OAbDe%q` z-hyTQ*$hi}gx_*8CmLbhiOUrqMf3yDpY2rdDPF~B(vS#E z`gFR*;p#kZ1*PP0o_t%Oqd@mbk{SCpQwLQxXMwcmtQJV#vK2 z$@eshxzUDlvZ`3*sm-^5$_etC!#)vL2twn)nrf zc$2%3fWnOmq8!i!r*AcVL<3ysK93&(q`n%C`+dK(La`gcZPJ61A`LK6^0kdddfC)p z;p6#n(3^CtWyl-9xTBl0%46ZQ@rrd=*M;B=NPighs+~@9*l_OM4lv3SEn@}XZ&?_6m;=?Y9vAmjMsUAQnqftLM-`3;c#$SF$A5WM7^^=e)VS^jLLWDC{vSqMTazsSG3#;d9d0*GtJsq`_7S54IsN!RCm-Os~^(5`2z;S z!~)SEz2hbxk=y@3{^#qRN8@4B5f!WLQL;ySpmy1YmF{*eFyP;J%pRX;g>TT z*pFXYBjP_F={KWw%u57Ssh%*%fKsX15)o-61qGg9HJV~ID$`=5c}#o1B_szPL;%AZ zlrVz^)14YLL&wT*wv!FJb4dCZ9=#26i}x*-`7Zlz5(i(()As6t+p@Y#qK&~H5%8D` z9O%qd0ad@&gUSd1zMq{0c-Pb4cQA_xHYR8?z%gvJFNh3qqB8@2)=`Zg za_g$hhlpp6Pqa3$=~=UARAfx6^|`5ktrnUD(a=|@q9=Gz!SL-T-0?dnXGoVSBPc6{ z4g{qyaEcJ9>vg|B_~*__V^RxrH^{MOq$99aOyT8

Nk`%*13L3KVHj;!< zG-YOX^^Q`vuNRdc1J!=jO+7Eq`Npk2Z>ur#odAX}?G_6_?x5azNU(Skf1jLp!uQ;-L{Qdi z!mPhvq<3%Fed;-28rXUGyJ!7+vr=~bF)i@Q$0}6oZ#CeZwr-@)lJ04L%=G=SSucp) z3OGZx9*w#F@9pHH50Gs|@P5XQls3O+)13WNE!cL`W$ofx{OyMJ9#6lSIY!&p?q0UE z799zR@2YOIH|e&sm$5WvTK9z9+NwIo@!1Et)@F02J3;s8G45p#mpZqIH};2`lEX=) zjRN_kj&48J`k!Rz)Hfa9Tt~eZ{i~|#m^9P7@vWPS&HPF|Zp*3ZR-NCT*XHw?Jw210 z(?E|CSLV=VGJ0#JRhMexE6;;lEZL9AbziQtsuTNAYnWoBOwXuxeUsQHHg2Ec10+wk z@Q;+0<0>gWyp0z{=l=Ps<*Co>Pv{&Q?a%6`iGzW8JpvOCwOYF)8C!yujnsXBRJXJE zJl|(fuh81YldlKNOIG*B&qG+xc)69CTl!kx1AVoP?)5$7CD+Z}SCM5W-)H^eR8FZ4 z%kG~`o_m7tO&9F#k98j@9)`iDzJGk$MiW|V94~ORw)4W|wq2*!O>IUt7d30dWiGI~ zoC~#H;A^uzYk)s%E^qLUweD0mPQ-|wD$l(w1D78Ak?A_mT0MITtsX-;0p0H5YCz{b zDtf)9SEMmrz_f4Z_W7%;7I#4P-uY4GH17`pr|$mNa&1@7dqn+aAK-_L?m-7ReY;`k zm3B*|Zy{)-t6%lP*8b?y6%@C2-x8>X>Iy8ZNs`;xS(*dGTDU8Xscmx|H`d*y7pSt7 zUB6B{c=#O3+@QUFq4oLr3+d)TZeQ3l35s0;f$Bg-fa1?}D^P2#(L49&e8ri^-OptZ zbo{~#6jKjl;643M2hgT3Uo%MVCG!XX#nMCEUhrDh^zXwr>ia3^cgr&)*M!P}pq$@> zD5kt7D>xNaBjX03*+ zREWNjr>7?}fvYxVD2^=Q6yO-~lQD5vAA++kA~C(z>7ZpL0a%*55M+7fM66uo>Bne+ z@nD+9)ubYt&Aj@7Cfynl?ddxB0qw;5#a5v|#y2fe#HornX6wTV(d|2#EF>Z1>Gq6m zPXGGJ+pHz*|MaP;X{G)Z@r)L_Psu!A`cIH3Uc%=5@UC0m6K>sbwAN%mz_cRML~(e( zBB{_X01(vk=M%Y4-9U@2w0!BWH3{D$zrAq)o0(YPY0+t%dFMfsenu!Y?CV&`A)@sO6kZ$=7mM?TZpAk{o zhO4*}B{TecUUK@7!}qG?A*Ph3b;;hJOfN_>3v+Cetf$J2s4&?DTmSGO<&9+Q0%`J4KMz@T@tV?lmJm5i-LId-wb(W>PsC5b!qgth-~W;qcS1X zN7gD7cHpN?CXZP3R4Hy%5gHz-(-ufX>cT&a=R>mOEcPJJqh+wrVHfxrv*|P5DVPgT zW>n5nrs0%*dF-hJ;>wXL&@>&YGNQo^7Dr~Ab$?f%%=;mg{G$CWI`USI9ra=Z8 zq-5#Vacurxh6^K|iyy<<3a>!$a~1DjYS(NYm-(s$ON%F?R!f-yG$DUs15>Yl>*!#S zNx5S7(lD_=qeZ~Uk6(K@#SxgN-b)ZrswA;ts$nk=gsVe4T*AgRuVi4O4*#!$ZMzD?N3ATtQ(Ebey?+Y2w9}B4QQt{ zcLMa%_J1#4zDf7fLJMDmNE?+fNunguCNRt~&C=kK3Jm^xxA1sDVni33^|R2Mg|fT> zVM#?AopF=X{Cty0=1kjd+EkP$1&Y)wQ*7W zfCJrFv2~ZqluD)@jfmMFi{X+|I_kSTFss0_u|=N^GuK`xb8M5Sy$7G zgAqu@9;(_|aqvcBwx&`HHK)_V!hAyF!h*BZrHe{@TLFFK2Zq#d4=il{(FjI;5;n7X z?iOd!xo3Z_@}|QX`yerB$)aV`u5*K{T~3ud}RmTG=HU(v3)+N 
zM9IBQJG0XafQ~*w`H2vQiGBzILP02?eZb1{U*9m6h<*-)_;mVJ-$yF#jw1{yo37R3 zqpa(#1~KhT?ycsnw~NZB^X_XXWVS7Qo9Ap}ext3=TDp6l&W&8(x@nV2eBYfGOP{yc z;o7cxQ@r*~k56lQ0{dm-vo6{j6?&1pxGtzbhXVp{{8*x)*o4@ z;WrIC)Y3tAJb`xBhtJ){x2_(r-;g~4UjJf&p#X=yE`Z+WXW?{~ad##DF*ASLzUO!v zd)3oD1|eOF_vgMfa@Tv*(Kd%c9>bT5;)PBx0i=;@HUMPA8!+}-gc zY#JEb8`6Qdwx39rn_1lss{{fsZJx?| z^)npjo81hz`oGHbwC9MCc&^SDHb^gveZMa=(`Vn0?>#;GcFko~hb=){=0?L(?Uj}cl{V7e|;`O#$@Ru6$H8;Jsm6_T)IA@jPve@Cq z)VydSWm`R{+CB#rs(w^k_IUTNzv;O?-cB!w9Yrm<^#C^%u=Jcy)1fb$=DB=V?Jsy! z0M?hIM+}Z+zL_AxYLH&ft8L>0peN(z>Up|O`5Jz^?L9aBjx16<$4^q};_e9)5BR!! zAHEJq=1>h$AtP4qWNdSRk734Ax>er-OKNr!l-Wr>eCg5>Zm# z1I{`%S+RIcGuJatfgub!`eY5h$`6K2?Tn~!GbD>JKd z=~!dUNg!4FyR>Xclh7zG)aR*GSkZ+?Y^V!Y`@yaHm9M~5K%^LmLD61 zYmV2F`k@oLQm$v7vcY2E(2ZcGN=tIGv`Yhh=MO)st%9e(`&TvS7VD0XYV+}nwPs4! zuQ5WHziuiKB8~h}${~8h5i9VI5Lc%Jda0RB+#pu5&So0kX zQDr0=rU3B>5q+wkcY?$!qE+(bl_8^~zGUvl&t0P6Sp4{!AQcFj^=90esY-Lx2(+|C z`DT5&OBD}AlKz%j1PTd8^!9l&W9f9|(_|i#CM|g&clCAPfYgI#k-_U<2Am<*SxHp% zz^Lp)Wvh|-AJ#!aRq0K%17(lN0R_kAwZm%tU|BNDE8xjLJXr?ibLP{&2~01JdE*4% zKf0+e-0qQO#qQQCpHu6g?{NWbjE3^Yj2zk+PGllvDy)l#4@^=jOvJ%#A@ctnpmT(B zSUaD$n8^%~iAp>heE9Mee`-xz+}t>^**vp@{CnI#8~N8Kw?9k;UO_O%{bO&3en-Fg zk-~F0vC~mhia(V7(_EAUq6~ow&0Rnt(><yOt{j5v#TRi;!ZAsR=%%J`H3F zp$iE)7~ZYe^p)Yi0{CzNO!LgIP{yt%F@oV+&ieg(>0GHt=0jFYbSKO>bqPn7PUK+f zB-s+HnxmuRvVYjSZDe;0ct$!k3pY_URq@KTJxvlG)VcbdqX&%0gya^raxmVa5-7f< z;zx6pq>z=ukS^ga_N7hX24tQ{8KKQMkS-*VjF|O>*~mIzu2_k2LK%iBa82w7YksAI zv=Ge}ZIsRUpl2YYIYhWVDC^n0np4xoGFDnAiWUkcg>VI!Fw$55RuM!L`0@n>vay5F zP#8ur3<{CWft)_r>DP0w0Ob>)&d;AZhl@Ok%qArYX+KcAQ0owdF0k7LEiL#p7@;i9 zwnt|Tf1C&f3L+k#iiG@ZW&XHakzg17UWkiGrJXE20?uOPCIF6W{F|G0#GXBoKi$CU zNf?RrmJf1@hDY#cnj3@+7ECYOO?{>sE&bou;FzSZ-uQ*dm@Ga3(&$hee+FU)(pvYI z17!%9{M^hkO-+GFflrSAP#QQFR=cjrT}#3lmt}{pJ_1XNJxIk$AGAq%R`MJlm1>@h zE$c*N$rL*}&&7gi44j#0A2f-m`OP?_*)D7qYnH^+otGllsXV4k zT&KJg){8Kr=LS}Q0###FR!iyfy zzx3ZXU$gC8<4sSkf!CZbAIC>|?#IywIfOA0!Y{`2yZtZbY1H?+)*oavM}lBT5#hc1 z;fu77^m$@)X6>;HPfyozI@F_WGuk(HusOB5AC!4C8u``dB($8}o#y+|)C{U7&s}e$ 
z*<5wV*BKZtZr%o%H{Z9aJ=Au*oh!}Y`?^pw)nj>59}r?)wFUbKeC`ken%UnRzjtY` z-klVKqOxBP(=qFgJr*HywrboJy;f7i9uKEJ1|wUYQ(sqKU27O!FZ4DW4%@}7ULu3( zJB*I3k=)ulW}+j%`g}dKF7KYT`nzK!tebb_Bx5fZ-9hYXbV%L46Z8S=a$Pqoi$_bC z+;y!7F7O}Vy#J~%%N;G~tEBX>-Y@fu)i_u_M`PJEcXzMLK^=Q-0DPyJ2Qk3?M>qRm zbtillm2chlhV7MpEP)`h_FndU7I$otD$iqlcRD#c=iw6lsBehpaJ=i%y^NiPfKV$mCp!+p<=c%*xN<-JXn>khcFh_4{^LF>+3io4BZ{OiI z{akN`_qCJvdv({Afz8P$27%j0>aq_Jjm!2eIi9w=4Z3|TU~)ZM{jp8Vro;0?;!#l0 zOKSU~^sDEZnG<`}rb*uG5gyvhZZrSV*)y9kXgo?+b9Bu1v(0Dl_Zzh-UhAPXdr^OQ z$NZPK2)Jf`+4%Y03^YdFQkB(pplW(UjWcX>eJ(>^)BKoAxP9Akr5DF(o8C-lry79e z?VUT;D~9iV^lO)?E4ib5VDs_tt7i;&`Kgs<7wbHn5B=^D53O3$_0P-oE%~a={^&Ct ziyW|a*gpx}*0LgGb?dxueF4qBf>^6SY@MIJqAy@E)dY8s6^57YV zdj%4z9G&Pi(a;ESq*+IWdc6atYO4YcyVU)X`Wn?NuLXUots)_ftVJ-m!K7X|%HW9t zZN)Ry7ezuGiDp&E3SqK=&hS}q3Hw85hsxiX_wY>1(-@;JBs0IoV8>A8Pfn!ke@WHP zt7?hF8(M`eNDbB`g7-_Sr>3PL)Pr#tg!YRT2G?aNFXQU|RG>(fuBSjoNz73lNiLO# zvbAUysQ$h4XNI)QfSNd7IQ861NcudbuMD3ew6{Ze&}7)KzR6~Hb9X`^Gg2!biu8a% z;g^$S_#b#244Le4Bmt5`O+KYC21`5&ol=zLHbv{Q;`mY!+) zKhwvf>Y@owq-5j-dPyA&0^gfUjAJS&6D0X<;;<13FeCE5N<*X-r|OKP$^{#!zA=_W zS*X;MaSDj;!%=O?C2O_l5|IVhl{Z6z%fu=EoKAr(9ool1@g-FhR)E!iwe^m7iUy)0D;Z590e z76wD1gwZiyp>MK^B?9AE7dU_7R;XC0!tn7cd=dJAavuT42PJCQ21#tl(8!3W-68aw z8G?);rX_r$z9`Z&G2<}|Y;M1j3etpV`~sfr;Az<|rD(Qn>!v)~j(y5ia0`!fe%?0- zrPA#g14buLk7l%yY(Zc#*(cT*=%wk^mca^ZVO4#XebpD!sPn}Zr0_M-%H?ZOp?`Rd zQnLBg{mc(W>1Um$5hhA-DWD_ABGJCChUHyg&KdK}`73c+bd@Fq#9T}NWVtG$HOX84 zg$&uSQberMjVZurP2cj5C_2%cF=+X$cPZt7%f?QAa}0W!kBR^t3(h>+OsIj&MMNtqsx>Yu10(+ z2@6TJ!-5gB$szA0H4&8vi3W$mws?iIpZ2hq{$V^Owhdl-I!CO<6@ZMXo9#p%tQ6PE>H z!j3aF9(tRB0{Jm>$`9MF_|}_E^*#qjWlaMUP6VWY6%m< zRH7&mO9qd-Y9Oo@!u9wq+AeF4JP)oy9BRbn#-bC4D~}!T>$}g2=Gym_FI~=X@`;W6 zY?H;Ov!CAkkwuaSxl;4C>%h&038w5~CVr=2he5{`p2vnx(8Mc<(PrRfGxZC^Gf*a< z;2>2mm=UYLkw3BI6tA<^t|~1x85kRcguFjxh=Bnr98)ARij*WJ;pi95D2qk2u#AwW z7mzduo9i9HpSa*)zTyhNXVk}*X#gZ^scYQAuC6--D6#XbfF+F*C+sY|UWfb>0M46}tjGx2VSowDLX)x4`u}ZOhqRZ&P*@YrXBpY~`MN zk=V26JM2fFrn^j&;bXM!f=+@Z$_#`*Y6`{%LXA9XstcHrr4y%8FQiA> 
zkA{-kE=z{bVXfR}9pJ-lAN{_cffwvPsDSIdM*%J1EWd7sYk-&J;d`kb@5LwS*EmMdGbBOIbEkCK zu^ZLCXm z_h^G&^#CTkdFP}lJ)Y>mcpQMXg^v8nAlRdp%Qkxt35fEt;dvI|`C3%{sQZj*dxz-z zT1rdT@$xG41hDs-Yv$gz6L|^!i_F%Sg?#e;8GpOsq#nQIEE4rqMy>&oVkcg@%E zg7%2+{mj{>`(O65=Y(b~;q@B+vNo#r%L;_6i6=nsev%hi)BR<=yb#g)1wEGt*Alec zXvxQy?YOc2%;#vsc0LGV0|7KaJw9K5<{QY1b#MDRSJ37dqv5}%)+V0j(ufQhsi-6` zAJEIfCm`B32lSlyQX5#+Pjvz;+ygvfCB zr+Sf}n^LNFK#4h}GdMU6B;Xn=C*|r_A%_~bkBC7!Mw&DU=$Ih{cOJ&DN3BI3)^$V( z_sCLscHujR%>L_|v_w=EGh0>=!ys(kn^66tQ8E)rTCWA$3)FZ0M)}hvlMbFd56!^4 zGW!&XvPjdlgoc1ROV8Ot^}DFFm9SekZcxdsGx-_Y@K;!tqOuLww;xqovz!$=!E-1& z)VQ4FY@RPRDSs!^`^~3X8fX2CZZJ8 z!BJu^i=Ipqecu$qBJs`^U*8T!S+xFJg_a+i#pZPqN<;P7UgRiHSu29kOO2(Uc%9wL@<#b#I=T6<^qCC!j0>72mzM-5T z)|czne$0u!eRjo#-{qLBGwDkv?u6x}D5+s`&d#F5>nnqm_KJ?5dz7|J}O%M%0Rh zU0HP!$`)2cYH1yuo8q#+N;bqY5r!qS=r;P=qbx9n$^#FhBr)(CWnBKe*l~YKR^|k= zQ_uD!0A|oH%8n+J1%@SwR~_}%m}}iNh4Z2z^wWDQ5VIx{)-B^Q=w2&q;=w1=v2yM!p;jB znr+H?$*loB#=ZdHl|j+X4Z`MglE@rkgzWYk;xcjkn0Z{bs(#AEsIVDK8-ksA&w*Zw zkqmlM$jX&#(j=sVroGxx>&2oaQa=}esNK~`^9V?3kjT>TvG`>`Rd|#i@3N_rD;R51 ziD|;Y#d(BeB!tP&ZgQMVmzvjWBshQ}RPK#XYL?Scq&!!oLt%ffPR4J;)f)RF8GXQz zYJ-3#GU!dbJa&V@qIJUDhmuq@fXnYzn(*udBz0YvjvHcX0WYG_wpvt9Aw2Scggo?E zBx54LGTMj@Wus*{Fn6h_)K^Q0uR5+b?qGsrwc`^&6g4AX@Ne5mI3I9eI##YqEmKuE zwKR4+#kE3-_ZqQ#$cFG!#IgQ{)Y**L*G&hsAtaYIGD$ENzerG5sY z50Jk@=Ujm9k`c^mMQTGHHTNfCKTPRpF5h=La<6lhfQozqbJ+f+HwfWIhpp2Zgqlyk z`7}P}KaL2;dWuo+6A!jsUdHGF5XH07P=Pa(AZNj8m+3I_?w;lFpNgqE?i(HIUiY;~ zdbh-`)W5yVddwgDSaUkMnx77i1wGja^zIu}oq$3AY|^|RplOMvav zotnY`nbfw=LyK!R=yg?maFu4IDxll*aMpISy|zdFrUOv&)ZTTccTTN#u(k2ACd2M_ zMZT|9xzW9io9JDu{WhUC=lGFr<= zwAFRS+$r0nmc!{SRz;a(Vx8QM0b0Znt8KdY%+B@nZBuW*^!&N`&>L)ZA{N`6YQdZA zd7P#)<$GIp|48UR1vTRVg5(ZxS@*{kmeNugW9E-HKt!g@N_I)vC_Z@901sZnOuUl&guk$s`o`_XH z?gUS{j|KkBVOZ?|t}~|++^jhK3rY2H9dt#0Iq9~|LD1&5jVB}oR@L3*CKOI3%rDb< zE*Q(n%`zY5JRKWOSN-T|x`B$V!mITjPfVS5KP?|#ige*T_H+gMdLNvRALb|))$sM| znMNA21MIf0i5_1JF>~K`1GTE&@p`t6)wX)ZR>iB^mnx76AZuAPk*BSEsh0RoJVP&? 
z=hmqoK@JZMa`UNIPHR(dI#0b|>{mDAjk@igtH`SS3A#NpA_#B3AA2WSM=5qXQo~@wabeP8# zU%HxZ%W}8WiaQ0;e!a>yGz^9(x51A%F=qqKs^D0(D5-#z)5xsE@{9jz;2kO(?0#u5 zaOS2hr;%Pc*Xv0!Y``BCByEkdo0-UE95$l9>p|r=777oklMSpzmf3WsW}Qf+nkl+Q z-3~+0q0``j{&>h#rD)bo)bCvP&qz-9ElV-+fvklbSAt03#Y*JCN;U`Nv?m>krBX`Z zErcI}V(L{YUrnqJe@^0=NhO2cSWzG)p9elnK$vl3Mn}HcF7UpHvJX6oQx8=7-SU}3 zZlr_z5Qur;8WUVjt%&fW@(si4Lw9gU5U?(l11VKbrHiodyG@);os=F#*Z2v)yP_DU z+^8VjS1D%>9hC##XoGQJW%)gALefJ}mmkkh#7~_!J!-NQxQ*ma4$kZ61r#+{2w0#I zu}4X&4V0nI^Zp@y$Xl9OwQ>z832Go{5m=66sy<`$P97`$eHU1_w7zlC)TgAZ53wuh@s78X=kQkQgR5l80|t(R!gnE zw_*OJGcd>e2F0`6PQz0EK-rU~IKn8kUDWwKH4^7zTGh)&I$Ld?>BaEM@Oba@~G+jx^lQ7Oedm$xWT;Ib=AUzaIUwe+=HkxdRn6$4ND$`{%~ zK2K4q`uWO&GZ+|4HJo7BkUGK+SxUoE3hnZfTR*6Rtu%r& zg=+LsYjnnrniXsx|1@F_z!u>RsICjs9A(sZ==QaT&g57kH~X#Mi`Fm%zGKnL3UC}i z)5yo(Amv`l*r$apzZ8K}w_Qkv0X^6YHYj5l&|vBRE6<&PiB!C3R5L6UCt0kKR6GOn zftW>>loFyQ;maml(!h;E<`Vfcxnka2$-%^@DefHOgK8h!sx)?Kf=6sbh;AGE)@NDu zJTEW_muaJTgqRS~&!cjGxTQD^rrf0Pon)v>m9yL=)VVcj$v&H2RWsWKYF28p-XJ5r zN;jNaxcj#xN$A5mM&5$bj3|2FX-iFg%m_n%cIdjZcU1$*cnZ8jsKU8J4Y}+|0ZxHK z1hqsASGM#_*^j>p7%01KmZf8yCMzkGc*rXIK8TOy5&b`fdH;ULG#&cW6NSV~$5aqn zJ<3v!y$Dx^h>=SX@%`I^dn3OE&dHv!3s;tV5x_9LIJ##D$*AjztXT9NST5ndWv>=+!EnmDlFN85j9975m>S~U+LZ#=})tJ zIWdZ}b+gbg#KM|N;u^w z;($XVBWbYwOiIOs@*j>uxwO3=)YwQG1%h(#+WA-aLnw%qGi5+9BFg2@nDYQgC zu-JYyK^pvxGsFJ!7G~l`yGkb4m?Ds|%;MNT{FgSDP-B1mxC4%ku*XrNyvOWN>Y_{`@7Zlu|sf)bYFoyP9Wl@ zfNKd$Ju$&AX){dGP1iI_)Nn=q#Es3_bjis?=6_+BeCYl7WtkBKojVD7ksKnw^L1%6 z!FjNZ0}1tEGv4_Vft){)!9J8eN$8z3tX+ zOrvx0`3#HGGx3-dsRulY({e$Qefu{Z+x5CI%kE|C4Z5A2OjTX?%6<<&>iwKjvqrJD zd+0Syr_bT9>3l1W)Z^$nD0ama>*^dfm-=|OvI5;M0=RZ4UPiH8S3&t0^;p}NS1*q( zj#E^*a5nDGP{=-4W~-b&(d_ISk0rBuDIA_tH&_FKA~pJKoMY-vt%TWjAmZxrDZtyv zl+Wl%HG0dzzxJNQn$Lt=Urd)Y!rYI}%s4|;p#FHbnx1av`}u2Xi`GL|g`L)$uJyE7 z?0avntnNF#T)bSCgVfW=Bk@i4Ch~%(4S`54fl|-Yj8NjdtqNv2kI&~9nfn+~_-MIN zw}}zik2S@)->{)0X1c6xQK<4ljm%-*CfCp^+qoM}EuX5wwr(C?NeJL_&K=u+yA2$= zn)l^&+MGvxnRCyySy{JARLeP{l3X`J2;YIA(MCa?%&P` 
z==j)Hoac2~+cGxYxU{{Lu7{)Z-Jsg|yd)fjo{xv&U9&&m!KkZXnvblWZV5mCdm#X7 zd;!?uz6F8)HGXUZ6K<~dL1y|{ABT&+{rl!FhgY8yFUkP`(@$hL@mx*NMP?c((0d_n zBlkt&{rdzc-2{sSRJwbJ7%7SKtHq2JS{@P#>8X_`+>`(KT*#Q#Y|3K zf)?uzgVWql$j0ORy<3YW(jT@`9I;q~6Mxz8PoLQzv*lA(J%^2$iH1uSF&vRrX*eNZ z)xH3r5-u=3do|9yDI1y9i>Z20x5NC)0G#OrMna%*5t0pkQXpU-ohCWRtA&Ar%6cm) z(t2F4&UUBKM3hN_T4Wz3*WAq$eS}YZl7bH(7ELF6f`a&fzm`afet`>7stbN+O`JyM zkwDwJ=E6hCg$vsOrv=|=VOA`6|O$}iKra%Hc?q6f?e+kL_FpEC5e8d^7%ma$85s#lByESVN zHIu9*>0~kr1D4^$Boltz-;UrM7KCeIB{SA?;uyq*5ozGJ8%blF6FG&Iz|;|NC!xHMXOGGI7W;3SdsT^e%~GEA^Lb*J2~hi&dC;w7Jbe=xH0H;9_BvgCJtUPyp=wHYg5NuJ62F{TL`L}4(aW_f zm|LGz4xxX=U)5M7ls>n2>107*XE`lcVvWFnLeXGMXf5RvD`R zX7geV$S~6g1Ai6&?x=OrHsA8Xa}rQ;vecnKS#|q>A}jQuk7eRLh&HUaA%J_z(8q;= zus6$w7*O;*)<1v6nJ8cA2W<$$vtPLiSGHenToYNb*NpAbkC?}Y6C#7vG+VT8JCYzW z9*Ua-B*La>jmz|dod3Y;&6kQB<@$^1Ht_|$QRC#^=YI5iu7KJ=ad(*@6nR`BzSyrU zPBG9ZKSfj=wye+S=iT0&4VS|uoSMJyGqKxwylIXbpAgT@U)9~vOqUqm+rt2dXD+Rx zF*&@NEz}&p4VZ10+1EGXLA923@9^biz1uFC=@>mvpHa?fS=r~&3$gB&b3(Pry&LK= zZ+O$#Mc`BQc9ahOOF!&Ud?umK^j2wB!=hpL-cxPP{d{&kpr>mw+LdR1dl&ra$+HT0 z?H~N_{r5CrugH|I>m`fzDZTO1guaT=^-OKbvIarZs z*0j;xPGPUQ??9-w-KIRENoCdDCaUq&Z_NQfm&vu=1pxa|I$M<~?^5|lw)LGbsjsE{ zYL$}r+j;3_R_lX6CM0*2&*jc2Z0Uvl4@cpKbeCs1=qtzRiZ`&6QctnB-+E1jh>2yyoypaa~lJpKAz_r z}q)XSfJ}DvDR8Wul8rq95 zJ0Paa{rnw9&%H?C$G#S}($HUj_A(g3i0jE2d@!N?PYOwy$}wxhIwojjQUQ(CELpQ& zfA++nWt_r}?i(i*k;kMxo`Z?%c`NkJ-^V|=c#6`~=B_(r1Nw1bupRNTnH-d1;6g?A z)WaA}WoY^RsD>tfZBR${V|I7`-wj`MWt4{OS_}mD#_~4$O>)N8CiGQ=#aK&aZw?&j zbe2@qkURtQf*x8{zs&{bZ8%z{!(p*lF=ndHwPz{27G?kr=1$l$9ItmEzY>)pAKl^h zl$FMw!taZq9z_u~>%mwSD!x|pxBdvHe=27BkLzJ~!RKW{g8n>>SC?#CmEwxC*F?6- zxQ6`RDvPE>LKju99eKKT8cg!^Q(GYS2#nhGYUCVqnAdM-gpJpSq9f-7uU>R!B&K$# z`ExiUIin~O*x=RiJ0Sd0M&dUOxc=&(nXj;?7f{aMJ7`S9V`V5ne1Bbu2Kr2x`%g(k zLZdMhK7v!j-vX!DIaDA?=p-!5-LG9EcK;W}ZqsI^=Ac|*)~XQY25n|^#Ifd@0Pc>} zDA*hs&&8Irdh|}M=}P>mWgVVbzpOO2yp6nk!EChNC-^@Ir|KO#`WeX*^<+$B@ygT_ z1ASx?lz}S>oVGY9rimXOnUc{K=tLEnvSa@O?a37~A4NRCICw%%WD4*@jw 
zCR=6ZjRM25A4klAF?w1cjk=4kXI~@H!?qEf8E27vHi8AeE_mqX)C6v}Je`rleGpBl zw9MInSHYhW8YJ;)_!XKhfy}Q`qB1t9aN^peIh*FZlO{;%fp7NA2)q0Gc$bQ8iE6ab zO*AaSX63?}tE&qfq~#fGbbisQ;kY;#^VxlQr>{G7>uRF@I-&uoxqg`pb{I$a>j5u&K?&E zR-Z&KfNWLytSu*Q;TbHyH2L#KOq6AX=E?=jzlC-i%t46@SQv%)kT#NCZzI=pZ#4-_r_ z2IDlun)90{B<8n-hl}R)8fe|Akjzk@w^<>A4;bofs48m2^d{$^HaW3XJzB)8C1};0 zUUwYJfepwG?qTvyMXk9k`;8|vNEjm)FH_suq2rMU%uq6POIPqFPvTnqFeAo$D*l5& zUQfPO0*(U2M0;@{gNddYOv=t%XpIc^5F>UZ3u=Z(7(jxPp*xbK+?Iv@-jNG0##`~j zJc4T?`8WUBewpZ?zc5*CW4#8!{(&_1orC`I(R>gS^PseauxPYBBNHO^`bnx_1Enx5 z7Dt(KBgHpW@X_nLfuN}eh^aV|w&jZ;hOC?y`2%t|)d+8O@nR~k(DW3OyFim(Gt8*} zfn(q8uWXVR%~xc`pP)CYA@Yx-u3QY4=jpfUiB4AR!Elya&Q}o12;c?zh4nf&{Vdd! zz$9w`XawTi?Qq=oIwoteD{eT3>j8E;&e0by}CU0BuDF+^L|OoklsI zht^0N-v|9SV8s@wvDy~+%#GEO`)Pk?V)6Sh);EGr-3s*k?=4^EWmPtp>7Cy2JzrlU z`?(Xl)3V9WD$o4}c!1CGkQ5BzquLvv>y}R}*YcJ7Bvt6Xth?QEznrbl)AAGD@Vf-3 z6SeWpo?|R>jN3yN^m!-dws3diCg}Dr_W&GLZTByc&354=-Xzr%pa4Wv2_3UYw zOOboks(mbEZH+HX#RR@r=$*UXI|EQIXs6RQcsuStM}MdG(RY05xc31(mtm%KTD*KM z%Y0|=LNz+vT??fxtB2l~-Tkh-CYgY#-esdHwCbwI4VDCKLPrkPEa_Xvwk%MS=PbA9)3Fxj= zx3gSndXMSk`KzrX$W}g9V5uX?YbraGEB?i$_iaV%lalZA-S6Z#xiymJGdWjI&z<2` z&8t4@VrPOayIe8V4xhrCT2R+a7uFH)&c*Y@SfUh?*i$Ezw&#uYj3u4sIP9Xci1QQq z)`$K_+BR=mj=O2gLqku8sr7^H9jNdD1jqsjeW@J(hZMibr8^YKrBS|fe#%uhC{oXn z4By9@IeH?zntw07o4g}*IduM0+F&X)2mS;~hlAe*uxi3<%ZhMDw@77`D*N-;NY6v* z+%_tbkjJpt$<+9%-c6#a+qjl1f5K zfybMS`m^yTc-Z^R^qUOZ7G}dd?$b?a2sSf2yt>cP^chl)-WegEqd>;91RMOE364r1 z>VpwJ4Kv8ZBoF3b{br1Yh01YIG~`ikZcKFo#U;t0h}M@+g*!J6gO8^tX9~uQrEu>zA%)qblN}RjL+#Xb4)3o@*mxrE;n#3CvT!czWeD4PtjR zZfE^ISNw;Cd3$a zQ+`~FpAx!Pmo>5CKvGlL@iikeMQZjsasWl??n~o*K$x;3%Q^0iSr4L*B%XRAJpW&g zyzBcYNa0)|l|p$T9@_52K2bW$gy@f5R8puDy;A{|-k$?y|Gj7~MhVkF7?~s_z0w;+ zswsrN_c}(VGyUL}a8w5IH%_F>x6*P&3@?Sy%~glck}V^>E};m) zqEaGt#IyT76Bx@mjRky@7{wTmH+B6-r6M6NaB9X#a7#ltXr{t2WYTYA_B%4eXb`E? 
zgsdbvuSP-I@z%+tG-Ju%o-;zS9stvrmE+XiW}W|mTE&z!L)D&j!XhdZC*IeAu|I3& zF=OTz)K^M6LlD);*^>*srYmM%X_6={KzIa-Lt}oY0l|KGnqMaF%0K(1v8s^phy<*0 zYq*g%lvsTFTvSAF8q`zp**4>0a9GBSGADzSY0I{xO)C~75)NN;ubD&C~n+9!c zl4LUO7fw8*z$}82Za~PMuHcUxD)ceA-moKeg;jlZFkqRyw4QS%GKpm7b1c>n;4&FS z)(Mx^m;%OXaWYBX$@*e(-j3=aDmZvhM#(BJ@{sY~Z?3{MYW|)$JE8p`;F0^GJGZy# z>!Hl_3)zvE2T+f}>h+;(p=QiMosRm;^&wHrtvF9Z$y&G&YbiV5c&zTC#1pp*6&!$# zbjz}IwO~mFW6$XC%EJqo@F(F3duK8*(GtRQsMc@4$hY7LIwn&&M|yRr&VgXc=D#j+ z6*!P3phA8QW9w$X42qB>gD6QGvS@D$8%UEuV}xD)kr6D^HJ`XHD-UUp#tv4ykM6{n z$p~$1J|{EKVfwJ$qr7 zuJQLocnfM$6<+_WJDtald5U?D=l{X{XJs!;IGx6)(C4JD$r1>d^=J=j|C#PPf%XqT z2_r|UKqKJ=1rh+Q`u;J4y(Wb0!#cr$^__k5ee{%DX|n5+ip{hGN6>+=E z+TAG4v-YE&_Ph>%Gr9UHdIhTYCipm$2G!qfZQj08V`5uszdxgou*dlBxxxeAj^CG4 zGvWBwr$&1W9LK-nxsi%+qP||v2C2# zIA`E4=>b1w)Dv+8(N$3IG-R_6zpm4S?MuJQfP_H+4k{J?K$hT zxN+b1-hJtEJ_U5R%z6tVs!||Kng?#h~dW~z==+8#Y@M*l3`RKJSr$?(4AfRM}49pHT10U!bs z4THgrU}BVpnCOfBP|ojA~EwmrOmO!G`Q_7PAh=>_EIU z!QzCpwR9tfdzFbOiL#`_iOlMQt1Kb?mqSW&pMT_OxQ(e0*^4ZVaW>HdK3xfE^4pgp zruwpcq8(bEuPzNzd1N%$_vP+>{T?K$G-blevdN9g9)+ExtoUTupInN@=pwWb#W^j~ zbrgSOytUyU&C&wrin8P!&hOus%V}ks_aWm`DgzY3G;QLrSts7hj`23NGim;EPKlB~ z2*ZAw6G!q-YP`K03r{rRm$!6rt|{t}N@`VLt5ieKQ}*djDnUU;N^af5kuBrmg~_t< zVjS0!sA$dkB$K$8FXOO>rT*e7{kv&Hv8aNO_}g9h3z}g_#i}63sb@i{_z5J9p4$Wj z#nGx?jN4=6}ERK^aYPoM#P| z%)h#CddSaTeuja!TU)t)Xb!n`1Z%CvB%Hu`G+k%w?>A*$DfL}#YkfgZgb zA=r$d4?k6zBpxqxb71}_(p+6p8`)q&#^vl>nmKDfJy)Sw4CUn_;S>Yg8e)!$A&1yV zSrtfG6Ek-!9%4_sZfAT3NAGRfqGFfom;XbvPo@I-rm|l`2mjwSdm7OR6gxXPZTKOY zGpe(A^>N^6uEhuiEiEg@C{8S&r0$W}^0)U)NTu{eNz^>=N{E9GZR0Q#sCP+CFQ4Y{G?O&jt^zN0hBpq+bz$Bs3 zcQ&AX{{tcW3|66404qAU#yv=IDj<_r0zx1erOjGs~C`cOTB2`mvVg&T8a7!z%TU05dNqhzF(OAOSI6AEf`#GIKF;46Pw zs<_OSjpQexa38@sK{P$1AmUbLQfiVw-5z&Gz zv)u{B4^tlT-Gc6n{5Nq)(RHLy3Hk4leEk0q7ttHjNf7wwCZzTs@f+1KIkZLoAO@XbmyTz-wNp1 zPCqv4emQhSrn3aKf4afb9!`#$nEdG$z3(4GW?qlPuvl)pYVca3ORK&CK*KkWn|LLL zLQh)Ao!zU1C2_Ddx6_n(@K!>hlROW{J$yE?2#)J$+jmC@)ou3S`%YaBS&PeEYB=@{ zrydk0Ad2v9U7yz-ceZ1v=IM`=%Er6yYg;S_O|$Qtr`IFfU6vZBH+N6ZYZ=IJL+4C- 
zX9vgAI>+fk0$dk_YXOv6tLQsVS?+C%{;zRBLjRA5Z9|U>$uS14fS+ZdDngD;LQD<6 z-yI&ZN@97gOQFMU$8Grdy~ao;o&fDPMB`MS&u6adv&aMpnVm0=fGwv-G(3X({95Cz zW5*6_&hC#nEUz278HbL09WJJ(?H?~;0UMA7+liOH*S|ZqI_)POd|HV71Yg{q;`;GC z{cBuHJB~$<{6R1uQ$|%SeHTuKPt!aIda7($Lbu4{`lwh$(mdiptH zuez^}kl$}!{jHv^C<538{XVv>7(sorT2+1ru8fKD>?=hXZ#HGoF<&MpI?6=0Is3#J2qtW?4vho zALbg4t8W(^k+YwqLDuhA`{03RFwrzP?2|V8qSOQ!0Z7ZP_5rcoTf4$c)&^UKS zA~9foTdZSEB!OS_=Oj6`@c&^_XIL!b{t9z^JMaU~c2l)|rL@5TB~YP| zYx-GKmd4$dr!J!qomQ^I%~ExA)_F2M-9DOHO6wjoH04auUEG4A$7!U_wj&U@I6n?` zwI5jyam=C+0S`!}*{L=dopa_>i}T6O8C%4`QhhdTK2Wr#N^#eio}E;_%Kbw6WKn7< zzFN6|Xz+_}&!Udr1==l@KxJH5SuH*hk4utLer!p5K9UvYVYN;ddm&~F4hYGUITIiV z-nDBY*Tdo9BOrijBJH;@@4Ju*GJ{@(DNS1Is$Cc}tsWPhB*rmrUa&%>bGZw-Wq(!( z?5uDmpD0;lZn8J4-o{4{0t6{TKt+LY60a?q)Kv5 z8(57e5yIsovT=CMzJaq6q%)rsa1x|1zu-XcwBSBH?%CE}&V{;o5D_=TGS8_C6>r+g zX?%piF=o5@o8$;Zhx%+)Mc49hCIQUQVm&jGudxrtG_A`mmtlJYfG&mPuNUufhT1pY zQ@{~XYGA2S?$B}8xb&memDe{y*Qkfdr zpbUb)R?o6Sv7-OQuS%Bx@y|sTKJsV#DnVY?ca}@cYjOCAgN&-d!pK4~4jt@7vh%2vy|yhWGbB_^D-%b2zaUl^j|8fi;UlfMV8ui^ zj?4*=X5}#dQZ>Lz`-c#1TVBo;7?3p!MdwDwsc~Bqz5gU?zq$&KwNCJ{XZ)9B^j7zSp5v`!)nb2 zv$s34i?LtC0(3ku`0%u2kW}NNiletp+=O#-f3mWhW@wB z`~X>jL!=l-qz-;i`QL5D!n*?Xt^N^PUK^@9`7);URK#a@XoeveDh<`CBVn8UZq9r! 
z+y|E8%%KE=;;d4NPWY5VHI$4%i>L=%ffRg-`cvtOMR?(Jjo<12C`svXB?)2bRN5eZ zZT^VaS*t~eN8F30gPi({wgjbgQk5Ngk0LV`P0&oHdH0n$KOOjYS^UMiSG&MD=Fmqv z@)yYzunnV+$@_iqky?8Mks|k0Jx}9l%_~b`pT;UPqY zLj0g}X1(O6$v&RCM2%EUCcUXcwJp)kJr~h|*rb^OjZKr?OyYkE7#24=?iuxy_W97$ zllaI2*0Df3cQl8;&iOrg?J>~DWU{nLg}sHE*GD3%vvzl{#z z$>uAs{wV~&c4|L%>kwW0M|2X5jS#tEz)O4?q z95Aq<<1}%nB@{}skTW@MaI>^k(%Ho4w(Gm!_d|CV(~szGWU`|rr|TYg+?j-3lWXWp z_jVooeT^sA2;lpM{C#5(V0kqhu)Y~`d7rhle($xo>8S5@{!L2CvzCBqHp2D0(WT<6rxiBR|>h(vYJ`X!xA9zf5h&lhJxI z<%BcR?E*wt^~4=9@UnUyuTC`iQ*D6xc=G-T)TublQ>glYW zcs)KUl(w$_P_6vZnlXA^g>4pmSJFZX=zJGj?=k5DEM%=unWevNG+hdQuJiM3Tu{Bc zMEc#64SjX6&5z*IwvxwK27a$am|3sGpW{77!l=#(VMzint_$stVwfJc_d_`uoxUKzh zY{IfnUky&g8UeTvpvfNUGcNcFq%fuO8;iwXO=x!u(&8|zWd^3z$&H{O`ZRslktw%f zXGQyv#x>=v`9U^U8YWwrR0=OvZ=Hq}sGEsl1IN%Iy9&84XwHF3Q2wtpv4Vz0m4xkY zf`H49_&=z}XYBgeznj^!wjyjkPZqjAAnQr^WJ>4y+h6_;lZGiu>M~4e6Jst>mX|4x zcc*h^>R0HLnkp<`hZ(4;#XIVSwZb)`2TI>5)E`l>x@`Q6_ts!43rnGnrN+Kj`;1;k z;2|FkNf6&!Ja}D6qJ-E}4Ml1w%2TC>3&ac-t@%6oqniYawUttHQMQ17q*WWUPh_AB z5tRnkd}tb*1|7<6#nzSvdcRaY)n>5B4dI$b>ctO4)+#`gM`Aw>*D8Dqqb~Zm@MA$P zU9k2nWc%V3ASNJD;ix2YQWEMV1fIX{L;w z$eZ#DQ%UGd#i|8~B+IfxsD6urL(exqAUhS!uSp*=Y%pChtQQ?-IcSz-m@7qdlRI?BF@BF$C*rjZ zTWD96C8D7G)fw5$V^~(ejbjn+Hp&Kb%3SnEbFmy!?w4^9!c!`5)&(M~PA*I{qIPzo z%*LNjsPMB{hFE9&@Et_Z#81lDrgM~i%M1?EJ@it&N@@4Rv|gR|xQ4qn%)oD)Fi$4r z6|9{NDH>^iK-ZQ0nBD4?ft7y#l}F-1b3$&-jN^@o6^-$rqSWP~_L>d}XsA z^1g6&cCrb$Vy>%9h?mU&Bq)W14Gc69*gmnz%7;}PAJP=S3X>NSp&u_>;y5?A2&Ute z^nmH4ObIQOYOzLmTK$?RJk@!`85pl)zs}P!;U@l@4lc`Zy=Ed(S8uxE^b1YKANzi6 z@?&6U+GB1ha~YzGbs~|eeYuJJH})M#%Doj{^-0#&5?@A*=2m_J4hghsO#h0oz8DW< zX$AvQJkdV8gAH*QM-Rx3wd}3LXmMh@l=Uommo>aR=c3H!F?d#76aP)x#0T7zvO;C8 z_zaA6X<;Y z=PJqFZFY~4X`ddf5&uf0ug5W@rAENRz=$Jgsbgkp+ovps$eWow0KA zuy@b6i+vZl^EUpK!8&rqexCd^4IZ`=y$jxaY*y{~h#0KdyuoTYU-E6`0ZcoGV>Tx* zb6>5tC8)lCm_2dRbeg_Rr1-xM3RN~7x(IEPuXgPANfGa@#@B7{rfl9WxEu?3+~6ur zD+wwQY_0v>ZgM@pst&k*@(sFrs_r;kzN)Ub*^BmX>2Th3_cS;|ImQ~TFL5ZYa_$wZ zu^`HEzfoHzY65Bk?ESAonwI(R{#kWP3Hdw$&pM=Pe9nxzA0~tEqY(6@DyOqryS<;i 
zl8`*J-!55Wx0^=fEjDBvqO+#bgB|ED2Xpt6KX+5e*!vMHYSsz4O zYwY=g&??#+DAX}|@wO@P^`JyUbgXiPzA;w+t|hTUmtw1>2W$05No_1F?iom*dVy

*fvV;YGt($M`+t1=O%Cc*)2wrCK{8 zHJj*oKu4M-VCz^4PDCQ>l!%&a-q6=gb~zpXqhZIiieEmQ%!dKOWU|QPZ%O#y4)B0s zlj(n%FR^?Kwa!J0#JhjBa;w4T^%~1_<=iG-gnIB3JzW1pwRClWHrq2rWP#3xCNJjL zlcis`^-PaI%^kp>yM$Au7-M1$SC=uS`l!}|kFu6;%)+-C)8RA9*TKC*%U5j)a#VZo zd;rv%|BkCqEra!vB4gEH7V}WG&EDNmsZoSWP1cJ{tGakH+V6!1;KE6DOb>d4xo{RUR@!SqKs(a?&86TEJ6< zOWi-nwMm@E;YEvT#f|Y{O%9fntXgT(SDMh>S6wCNo)Mmd%7~FiyfPu1iT|d|InA7e zuAE(49#gl*?Dz?OQm%TT&cGJI(WE68F;vGhiy^n831C$fsVy7OM|@i)Nw%rekZYl$ zF#ZQeWz2nY9AiS0MwSjS=zf9!2z?BotNru`r{CnnzEi!Qz08;z{3k#8bGa>1W_&c} zRcfN;@5QQv0wVY$jor=nD%XWl&T~}d@hqW^ePs!9pCcVV1k z9uoX-BnWq06%KKX=y$f;CeVplft(v?2UO;ltuA-SABN z2w;btHDD*#A`ZB@Be*#N(N;xpY&-|pxou}9qAu&%HykKfiVGB_yz>MfiRszNxpVDl zIZ)9w5TVl5vG0;}XW3sew-6#6MUrKrq3`6ws8KMuN-aO|LpkoP=c*zsy!sRC3n1)Y zBz<#Dzr#G|Ar=_K9cSKRrGcvy9bVZZlje-(6zrSFW7TZ+5vr10 z=QhPW>DPZomdNC|N`p@_TIbkqAuJ25%hWl!=_Fbr`QzBcMnXdaN>Eh%_3h@T#!J-* z)e%>6Q*FDHPQ4YEVGqUG&e5spA^FmzOIeMBrk)bNsX~eh1mfA!td2F$i^!@KIc_+h ztBujCFTCz^jto0C2%f!da?Tg8znpfcD-IM%;vW5MW1U3(k~MZu_1&=XH>+cPdK%DO zj3y<=&3Dz7Cy9piLii+MO25yPKMLu_5go2bc9qh*!kYa2YaH=6XDe-Gh1zX3dDd!P zwk0+*f&Zrfd$_Pk#y)53b=pG@Q-S{mpt0!&_z5cs5t;86R^*dEV|zw^VFHEFLx4g^ z<_p5(p>8CW!7mlf*QM**?YmV1t`mgqAOSvn#-8p;$aBNmiA6ob_t#Y?wh>^{6b+T{ z5SNDu;p)Njlu_4VYz1<4z{~XqqrW#0DMT+7bjsv+hZlbGICjm3%Vuv|*NE1a<}%WIF>(n5c-hZ+g3Z|H<4Dg8BrX01RC>PO^H_T^{ormrPwQ z0QZ`KZjQH=q%BU*&X+kU#`*7?4>uu7o2N_L2v6=@n-AYiD4uHhi~y(ri|NP-{hzx7 zJ#zK}-JDM@o-b6I$kj}l^^>epEz|ri+YG$}5ok&YJ}r|rvETVG+q$>}?Yu^6mULiN z53U(vFLG{>+B|!8xwhY*nXul^(w`K=wKAF>rm_kg+nQS?K}%CX7j!3B2SVF`>sg(1 zVExQ(Nf%7FFUaPR;dF$uCdc=XvO;ae#fq`xuX;nej$J( zrt@vp74SXk+^0nfnNkUKstN!-dhq4k9i<6%?EIIe+yiw4$hZMB6@5-wwKL|XcdcsB zOuhhf-b(THDL=>a1?W!Z0ib?aaV+FQJj}}b;a+UCIrKo}>ij-Zgj*n4PXC0ad$3c) z0-MWGO^eo7%j9_xIMzFbIOlw}3K6N46BTbsN@I@NW!f+9uBoB-3(kH_OtaS(Nptbg z@argD744P<0jCc7qz5KGi)LCfYL@xbrl*~1`N;A=ca|lC()HZQd72h%fv+6g&QCa!y^EWR^Mbo?mK^U~As{^X1eJ z**=iNJydKi^h;}@#E?(f54USYx{E(2mKQulkAd_^pOF?z^KMNRbw6P=)HpThO1x=~ z5Pl_6w2%qx>Nt0AcUYM%}-Y^Pve5ySeI34eiGZy%5Rbw&56@|R7-YU(U 
z&6F>Sb*c(WYek&O(pq-K+=bs1+*PY?gJ$XP)7=_2oh4Jp&+rMUTC2CFCZbh$Uifzp zB)g51rOavZTu(8fu^ahk_x`ea^!;{(bCyszj)J-S&zv2_9g4NQ?eS0gf412H4PV0j zT#d@&uZ(PpW7buF%XmFnn5a~_{8 zCMO<}#9uTCEbK9)@Yfpr=7^sYd2q1Ag8Cv=l%7_pZObIb@lZlY!Y~rk(?fxpHS5G- zdDN`mkr%MX#+zn6EC!*on*X9D#bt0~#MJPJr%yG$2^tZ`P)$|ajb?Gq2Q|^E5a5Yy z?wb%gRS37MvG3}a#3?IxoZ5_;Ml-|LDm~mw1~bmK@fWI@<@am$OV(t@vq=`{Ro4&P zL_ofQs5PKN+ZXZwF>lzi8JUAx0Jk|zl;8}UN9?i6ClwZ<(&zp6)?SRi>N&8D9x`>c zj&ulW@k=UrsvY~`2HXmbL(M62AoL zKn5<4^my-G0uLE=uLoldl{~NvUzR9^jBehi28%(doZyw!E3o?q8L0kxCnVX&eI_cq zx@>*p?x6)8n#XGwSj92Z8UUHVx4$|V7AsX_(nR;&NF?5;-@OGhCnxjz6;^5UX6Me6 zkj=NRpAPIc-NlEw?E6;-GwfAxli9xP>(sQHV(4uSwpaoZRTwhA zexUe*O~Xe#^`4|Vnmo9?$Mo=WyfXj`8zVXVJ8vVE0p1o-NxzT1GBWwBvQi9RZaQ=P z&)dR1pI2XJr#l>7Us^l^^q+?wPkuWYfiLTY(*664c9=#10RdSg45>X<9*y^e4e@r} zFTj3_5l5Yjw|f~Wz4ZPhNf>&RKolWI;?Z_j+k zg3W6LD@?Ipkhue}-Z4A|25?6yn4IcfrZRLY(qr*^=FgYEf(ZFKU0laEEvq17S8p55 zGy@*ej;DF;GZLJ9mC3l$`C~J&g=oPSe`*HKyWXr%Uq5C5E8sP4KZj9PKgrXjMdh>NdLOpO^CP8HW zrXM*q`CwvINy(yU<}6pHW-xbD0yxIe9A@6Td;$AFpk0-jIdGx1Gpjx`a$uKG#+{nZ z469taqaxbQf^~gvqFEVZB27^_Z++=LUb}1^(nyB8Tuc1S8KzVTa2Y{Dk;Yo!_@{b8 z3>S~b(kU^iPO}9=hCZ)&%B@5-HJ4fI;aPVZZmr0~cQEN?dxGJQRp%t{MXPRP|GO=bHL_0n#)-( z=1(rB$(1{YaItPoEVcuqtMEv`2)hq^3EM&GA78weJ4yp zTTW4OQX6HDTGCa0)+U)PPYork%|1|T)Q60&R++aT`qq{L9W~3XY%DsynKDwCp6b@S z)e=3Ta!c*}&!$y@CT9&=mtWrGw_0J>cB)5i^1kP2qI^l*$T(>dHk%s!3}w7htj{ai zYFI=xb$!Xc38KahEg1y^G7&Y0YK`XkquU>Y6Rv28c;^A<@Bb7MC*dg7v28cK4#eeg{IcS~CF5bC)|K5E+BwM~)v?k=5Mps9j7@ zo#C_^Hcqi@8S8*Tzc#QJL*3d}{VN4Oi%3jK18NVZM1Wy|G+tE&b%buCmW^H27t<4<^4H^T4+ z&Jkzik9O;1g=vtKeafg}GWZv9JVmGlh|wDQFx5AIFgvaTPi!n}q|S3M|3$Xz#rb^6 z!;&b`Q8>+yShJr+uGi6`3uzDa5fECfXcrS=r;~6NKL?t20AKmD7;qu>^Gny6HyM>_ z7Af5;Mg+2Yu6{S>kX(LdS@4l+samEiVl= z_2u_~AIJMLFvz}i_fw+G#;u-u=d@OoD_Er+MknUmYKCF6?&B93E8N8XBi|Q!-SN=+ zO7!9ul|{EiMTi$eCZqx!zh3tP-uSXUaZHL;S#;kleZ~0l!YS7#&B#BzBy$%}1n7O= zSSj-`pt1~oROb^?F$+!A;Sv7o8RJ3%M$fC&EbqiJN}-wMVsHMPDgPgr@qhb`!Jc^0 zab^D{1`GN9M+|m7>pZW1nR!G0V+sY2h8+!n0n2oIaT|Kq^?aaX#w*9Hq8!rgAg*5+C1qL!a+ 
zjh=15>+e-pr*_K*Ev2JeyI3kN5uz23?QNm@Jy{{0!`CFkR`+9r=`}FQb2(4SMMA*y z$vw;2yOF)ivH6u87r_60-Rz3D+H)L3X{kHBb!GY-Zsgj^{1`ldT(j-3=+I^vjIn_}EkLo&ZzTo8Q@7my$N!%~rMR zQoE_!Y)bzeX#L_zh^C;mLYg>+0x19%?59}>!=bfo7;WY z*=QZKw$9Zf4Y1zybO2PiB6D+OzMaKB^0{a2`>q2U33`CQBG(pyv*+bl064qGz->jA z>e5W8`LO=&Q2^|zXP>(8Xb3v%hrHXyG4y&r(hKwjb}wX&1diCV66Sywc*iUPY6mdK zySII~8ZM)>E?s-qCbUrTwiOZ5q_%yo`dv9)9sxAXgMw2+VE=ajHW)kr3h@&KaamJ>064%;cJ<6u{#gk*m9EPNEan0(ZS!4S z?oq*iq+xBa)TfN6#DmGkp|0IXT$YTr4A>Z21)0h;R<6k11!u5hOVZp`UsS3R9jRa`2U}xg)Qf^_lN|oe z>$nJLkh!qx4M=I!{Z=7QqlwTMo^Go9if@Ia7=)i}0u&^d3>9Mc7aVOlPe}aEEZas$ z9+?l5-0PA)%JI-2;atcZfwX{Tc z@A!_WJh6q=q<+KpHh7VkUCF85qz=YKec-@4S0Bk%J;7{8RyD= z0#;uFM(B~+DR{M{S+jw?Kc_8I+p&~-e@Y))K%yoRUe(JIL6ra&qeaM(7OGc(e|XbH ztOa|M@;ziEqeP%{um_xLH147fWk{BbP_=cYLODhk`D0qd)#x#H#Zj^7n!8GScw2w0 z#6$g)CC$QO*g~=rUMfy3y+xxe(879ToC=7B7d2#dE;I>=RM5h>1(tI|?iUS+_P%!$=7g$VN% z!oDad^lw>oWTM_L_;I^+jxGro&Bb?qP{K5M6<$PK|6gmZdp z`nlo!wjYr9m9DgO0Y;c7dgQSAAVx&)SJTR@z2@u*^?KyDVuMjLGf^@LS_P=z6!rf3 zvm9X-!H2F{-zJ9;Ghw8c?a%P%oos{2BD&*a$U31ZQ2scvQznpT*|V9o{{!;WR>7r( z4pi9s>!Vy)Y7+Gs%t1!i>ip5;AO3XL%gnV@J?}@sy)UNX?Tz~$xORH+sXuvvz$sxi@ z&m-@v6c8Q+%Pudzx(mVobSc#}Ev_UbIs~9e1mOgvgN=z^W*W5=+igyaKEl6g({D3l zKD_!FgOObkD-$@9aM-(v-fdzau{hCC;v~?j;qcbUr=dB~ zU`Z>)ShXR)WnkvPUz{_6F(#o%*kLP_?AMg$WJe}Ksw7Q1WQd$NY^xhbUo1BYb!ir* zTGj54;ty-=Ys_I0!Nb=U4kyVNOFz~!h$ti>pz+A()tu&~X2I3XmQ89jH8@64#KnuX zg{0)c{Uc(&R`E6SBA8wjqCj%U7}4JxFTnImgLyk&mh5`k-zXcNPjj9^T$Sr2=L^xS%0YsfTJ{KE#-FKJ`1wSSk!7yUR#*`Foz&(xE`mJ9o80}D-< zZoKy%qamiS|NT$VYUvvV-vNcd72qG_FD&37t6Q)i4bqy^s$JekGS5C4cohQFM{<7g zzyjuZkvl|#8c5&{jfa9L7^~WK62$|IQl0zPgWu;Li4a91V{c|Wd+rCQMi=fOU}ZgSz0W)G zT67)O@VxDLKV?3oq!>N#cK7J+?>Nk~S?_;3fOqnc=&rkbdtC1jN(Ad%W>-yWkOElx zu!3i1ayEHw&&7~4?lhIUO}2=(pJVzASIgH%+~%~ld`SKKPJ(l$z1tpoe@zs6tbmw2 zxt5c&yH8?1KmB1wn7DzxA4@O(w);G90OPKQzS+nMPQaenzg6_L10!LprSRMa)W-h4 z2@^Xd!&ma5w1$72O7|KoyEHlN>ad8haC zq8@+ez&Mv+Y8$Adf?kOCy=CA?(Fq)8uYWShC)Qy}a1w`f^nNxd;Gtue?K+Fc=XV@d z1nPX*Tnt$b@cLrdFo8QV)#I>*xn@+g&-wl`e`JSTpXm*KQyG&Z1a3-Nw!8GQedzbR 
zdYP89I#e{+Pmk*97{MsH@TBuQy_g`pR9%j#@%K)1sv3A40t!AogZ19QfC-@-67c%S z2W=2K~AS=xl2YMstvS&~8JDq<7n!vZE`)z+v|8Lu{QM|%OB2-~Jq;l?FsGRj1oC8iW>!EOj zf_Uciufj$=MdYE^Yi4K?1n+$bZ>#9vM@w|`Sm}yC59a_vurK^s;FY(j_Ybjg8Qa;X z`S0KsWO}k6d6E`iD_9)6Rw~mq7+oOd8ZuuCG12XUOU;meC}5?36!KHM#kl;tHw!MH zt{_OrOmd5>ot+WK_-B8|P|j1{*k%r6j51}pK(1*uWw}^-?;`$Bsx5be#yT%WG>Y+T zSvHc8%$q0WYIdJ|=y6K7dcM-yr42Lo3pS>l^1yAm{pwCU+LDK`+b0}|qgFc^3OWQR zqFG-Ut?u3)3JcS!uADHyQV4Cj{CP}cwhwhq%+7W#mJLr|%A;i&ijK#qXDrl~w@a*5 z_a`szEgw{JNhsx3Z~BXu=Z$u#>*FH&1(d6|w9aqp+NQb~kzrji1vj5?5_7iyUA^Xz z?-OcLZeeRHQdtYl!DaKtvk;x7JoL>N%^G%|OQHD0ksGK?tMUHx=Ef;OJ4~}|GJj|c zVBjJROT@?{AD;UCdCZHx0(Ie$Wt)a%fVr}fww6de6#i(enpu7U4UUXd1!Zz}07i0H z86r)ZH%jqZ`pi|hL6F)V*3$HcZ!4xp<8a)i)X$owJY7k)Udeo`k+EQ~IXD088CHjei`sD|)g4o5Qj07dN!_X1l7*A(-2Rjd$>Pd4 z5-%^w@U726G8p0g@$J1&E;m8)Uj8m;AfRTFyH(0N`G?IQjz~8*fv_T96qS*?P)_!n}4%d*ooPc!yxK5-q8A1ob@8ENw*DI>uJh@Jn+Ellfx4vS)AH35N&N+c_961^7yQQoMqM#PkPQ+`r7Z*CTBa=r z#8gev41J&mq-qeaCSklRIwE`P!=##2gw!loD`Sbtjryuh2G_1Uf>9YvUnpXIGVl?+ zgGmmRKnE=n7DceOr23Kit-ewIyM82|v^|{*9%M#A$u0&?;vIb{C#0ULY*w;kQ86`)kjgq*w$Tqp=eELR#-Wo03bIoW2&>| zpjxK&bY&qesm%2^j?k|iL9#=_=3@fyAj*`sjtAHjf?($Dp`8?&nt%X81TQ;YOmyiQ zm$*7=9Q=4(e;;NgEf%#g-Je1tnrL-S&5}E{N?&ISRcn&OAn1P|m@8AOvw5t-+;Jm* zb4;s2JV#rRJ}h;MWfXTQgL))`vcz@&$v>Uo7mD*mf9JOX)#Akx(kRhCmLzgNsH~N? z;4QlQXmbgZ+RIYt1c<#6Um&l_gg7jd_hHF|LlnKVBiGumgyN1L$|uY zhf2?E@VjrTy}h^oS81!CEWtE_^{cMq*E8=K9x)ol41U{sb2^E`V-S!7a!rNpv?`D)1T<|euoTXSFO^`;AH$;GLmVK5{MSERK*#)(x0 zL6c~>#IQkdY zUgQ-&gJoy(E#BIQc??CISS6dWsmPogC^ApT{(sAT4@tL|PdD=tcxV1WXj{&&33QyC zvJILLRR)XgQA3%)eFK5d0n*n-XMlgdazU`LDu{i?h@k3oz@N?a4Kpi1)5}^|MrEg_ zzuSAm-SI~2Za|CZVA9OA(VnsENbIs9$J$G_T%^Y`kzqcWIY`Y`Nf7~2xHY>iHq#GeeC!X+j+|M0hAxR9S){P z21@;0Cwx`DCrs1&=ld2+PDYI&n{aZY)#}cRu36d+Cg*L^KE*iCrLFgFuB`4u>r?Lv zWQ0NAj>&8YBfag9#j8?K$?KBb9%)B%%NAhF^{k+Qi9Zz5sr#c}XDbF7pF(SHW? 
zN>W1azZT`@0-`FZ*3h|Fb>G@JD)XLkIPbaNIGBF1Nn_Cb{$}N64WjCg)_KL4oN=UBTozXYnHU#y#NH0bzF{$&%p%L0FvxfDL%Y2L&SY1G+mg%nhL4Sbft1Ya zzhf-vUlZ1Aygx1=7mn7Nx-741Cp?%4?w8+!{jt^qruI7_Yqm~yB$hT$KVYl-v{u=i z=dytQzlAox8=0>U9qT_GB@;1tY_;3XhQD8C&l#LD)V$s)as6%KJ(v?>aGA0=?gBl1 zfLq?d1503H;#&-GU&%S3JLOsF3=r04DFT{(0E8@PA}vI7R@QOc<1K-618<$)dOonv z0m={H?n$Pzz!T^S@T|6v$ZJnsI&0zhYv`>!+drBnB=WIr{6~#&A{G){3q;+75XtHC z+5%DxgzH|s+eP~Rjx2Kln$c9vxd{t{$)`f$7V7i`2s-q3h$NfUtmOEX49m2|JBp4G zPY1Tx##3G{VdehmNR~~SM(T-KQZalpPU{fwIw&NGT5M>sDxJW{X>#}_W_PF< zW65CAL4taJvkTEQW&FFiqm@JDIe6*xpQk_dL&I<()XnG^%@=(b%tBv6CCQ-eC;1rK z)JC;BP*db7|Eeq%_>CZWE8(F}jW#O_0i$s!t91fknKLhmrDMF>Rq1?RN{vrQ#N=6{ z8RpHhl~#fzYl9Lbez3--l?m!Q7(>_TVQXM#<<-x^U9)sv1J3}1hRBmG43sKqKXD4T zuovz!4_337?PEphv!dI5pvBan;2(!UtyS#&3nQ*FKIDs3L*)qM_^yL{^+4>`)=Wmy z0mp2N{rb6v`5}~u|3%a_e^mmu+sQTAwrx)}*|u#>b|>4eiIY9qwr#skp3HOm*81+f zzwE!@U2DJ3^K9gcHX;>csE`|{IBr0z+6;769J%DqOI`+9f{SG*nNg`n^0xJv16|un zFw`1xqmLR_Y||Uu{t{s?vEhcRTps@bNM}%5)@7oJ;6b+!pI~Z4*HFqYPGw?%O z(Se(2mZpt<&8kF@c&bZhJBqd#5#hfQ1C25$;SmII8=`W_v2 zgfnw>ezaX1SME|51ZB*jK zdm!rCXHX(>$(@ z+q1xJmHEBC_^Stc_jOem1rtv;gfnTYfbcfh7}Lhow{G2f*cV3^YKkzJ5CZBex@%() z+FFAs*l-yXg9-N0{vx!*d=B_-M+ag&2ke$u%_80GAi}&-H3SAQ|5Bn!SD9Lk?Z4<1 zmF~PI*IT%EZHP}FZSR#z;u$4(H{)+S#(J?6boIVOnqQu{togQR>dn{O8v+5NRdDmz|ENp$QFrpd#C|56Z<=x=7nbjauDH9+aovK$#Jgoek0 zVL)uC{)50EN?>!mLEx%s(#BWvNrhAv74GEC?IpuQ zlH0t8hAx|HiXpf?BGVO1)hTCl^Q5&WzEj6ekI1J~bM_}@tKeaQJuAz_WEbZwpqf9M z>%H@7I?f+M!k55MR8vKwt{ZK1F+w+kg_c9W0h_XtHaQf@LCX9FBz0&3s+gGdbxX}z z;}xER!HX|@wp(vckDaq4{;t^(R0*&BLdcDB{Oo)dS~ z2_FXtxF;@3hI~?aOcDxs%~Q2>k;dGdTy4I`kNA5o&!m5jIaUi5vw~i_sEBXyFS*{z z7G^T0a@k+)TBc@rjoAH$b64#530mjg$3Op-oY?tyyk9KH{%BjQ20$zPsBu+yN-orF zw`sE4))3k|zHHvt?QrmTy~EyypX~5_+b{7^>d(d~fIT;&^z0bZL1z6}{ zZ@=9Le6^EEw@?Z-3q39NUC;0fd~X(X-3qQ+vAUw}>GAD2vJhZ#+zy4A_VR47bQiK) z+Del_QZP7tXt+|y6F9hqNXtL2d6=HuBdd%(Verl$uAZLMZEhbi$Jea&dwC?J)L8f1 zc|l&p-e7>MagFr^O6S?L80shsak?D-qt2kVbN&EZ^?##nF+|bRg^uI#^ULhIF)};h z_pZ%;ZgyHadhzsky|_Flvi`v^V{V|+)(PB$c*Rlm`t{Tm?`5_Y>!4$I%Wb#=-yqno 
z)Uz9DJL1#bwdm&lWVteJU^3i?zu7S#7QOO>ovw9)ol@4#dH#T0qg6PXyQ25_Og|&V z05}PrfWYs}@O#1bouZ(|E~0+Q>RfjR>X)19fz!JhwH z6@l02umwLeffKWjt{cYf_(_(Ny?!I5xKz$Y%1g%Z2A-{)*`6-zN>OCBgj%DyQc_c+ zN1A+=m`Xt6Ds0BG%P4SEmKoU(1+}p_CZ|cJnjex*U8k1(3zva&ownmbp=*$g=N=Q@ zl*jQWH;|Ad-9AQET@iy6VXz&tqMvFo>OH?AO(k*bRMt0}tN_~Pk+(CU2A9b~ZCnQo z|Kz|V<0|Rf`t+R?c#V&9j}o;+y9|Obu7wJwI-Qes~sLk^U(+>gt5$@(nSC+jj(uBz227)}FpahU_(iX}06#^R)@-S(Ngl!S`k ziH!0X*&GW^-WjxFWgJ!zzQ(8Wki#^$N*QN?iM_0?%#W{s^P>qI=EO5in*P#1$Hrv; ztFIY)`1%t(cCf4|26mw)i2G!k32M^?ph5f=tbwwrkCK$`DMcJq=;@1sBe#SS#+|I}vib~eGnMW=}y9oJN+hx8|c8N>T*|fl1v&vm?sp_v8RN$pk zm!rau-%{rM1CdGC(s7SktrsS3tuirgixbO%`J1erNjVkgwCrk}ioaip{|ZOj6d=iN zxL3%k>A_!~p!loF;>wTHue=r0U1P24q#~o>NSV9vcBqJvG4z(O6_o9M@m)e<6#kLU zdLO4EuB#YPk~U%acT`(h^}mB=^7!fM5W}iJ$r-F|qBQ@Rl~?uoDm2@pEKP`KDyEBO zg-NUlr;PE!O&*b_Ild)T;-NDVBb02b472zI^s&+?l>SBK9h9UgS7Id>OJrC<)0<-F z^R~8u>kWzHFrG7Rf<+}ksO(i?Ka4dg4TqtJ!~cXh<%;L71N+H_CFH zC$~!)(Eh`3^{&{=MUR=L z7_JtcmddbtmXe+3Xu!e&xB-=pI;po}XXel>m*qEQ88m@M~P>yym?!q+*VkD^oQ z6`AAX{rWAU_Iaj$!m@c7;0Yoni3lP|p@?wY6}stpMs7xVMh@I12_wZo0E~RPEK`o> z>Xs9W<{h2<@Y<&8nv$LF%JU!s5lrX&UAbZ>-Z&fbF*x=2oTq(+=O%F52EOTGl@oV$ zjFZ(m3Z64Bw-FP&0SkpXfc0+NY{&2S8HJkLpEr*Rp6&z`+$dcLX-u^YCf(#||bHtkseaD4A8i;;dfWpX=ol(;{l zE&Hr&vGd;V$38$fv{@bvF+Cr64=({;tN$;KOc(gju%8j<>h{_Y zx&k~;O>CVy0>Yh$y!)F44*lgkK?#>DJ08VftotZf*mTYO){l4`iTrbvP#4fXg!|Ol z^p6+D*VDvD{>886rSJ7*7rVQyyyXz4c7gs!>p}2u0SWj0!B`hTgyXy*!XG|4;>$uA zTj0^xI>0LW=C}6{$-FJcg#n=LjQ>O86H*UWYtqYkb<4E3m+8M){q*;bv*7VZ{v&i^ z!;jO=Ee~Fl7+uA%UHAAN|22MO!SWri#>+g9 zT&9EZb`-1ff2sE~cz@vz;Gh4j_)eWkvvISsX^w63HN`?{APCHt)MW2$0(3yrfbT+r zpqKsEt=!kbLK{6@B@in1AYj+mDxP#Li^j8gIbIYcL79Dr)vbINsWL$T*r8Au%Ojm` zDWO*v_|xRKH79ka()cJMscJlXmWk$KrvRIg(8`o%;Iz~brxv;|Q-w^(SH)zTn5<%c zK0lWi-U?llMNN6I$-FG2H)Hrp#q4-CiDkR~CN ztKoXJ)3jJX7oN*$)uA)*ez%DaLI*Uy=O8gI-wQW`YR*!@0}g&++T1nCnODv_Bv# z^n=dLNILAeN>v<%=(vB9<7@YReZD#D8A0 zdy4Pdr7`=_Yr8m?wmRT5W|a~tf|oT|&Svp5HqxAPfeIIOFa)K|y>7IW!x0#l5e#&N 
zP%4Q#UM%Z}vbZS*sbO}1xP6lQo(ZjGlyrB2{(?#(H&@mb(Hi(?X~3kR^eOx(7hAn59CrYw^5yh7mepkbQ8YA3s!73RM&cr{a<`p;M#C6%YTCV%?HDq=kFA(3Rhd zPFjNHm0oJFNybl+6+k&e*}1&TFT$hMjY2?(=?SSk$RqrJ6go2?8zhyGoVdp@nN!4|FE!tO(g-Fpg1QVBB^?$ zp^hm<;&a?x9ByRF@=JxK`EgDw*B^R6dO2^}YSLsIOrk2QWwmk!Q9edH5xji1i#p&&~E%Z4DgOARZD>)F$jw?q31|yEolUb!# z&ya#o<%J+N(^5>VEthNh_rfTj&d!nL!|4;Ex5r~kksI`hGzA`4_-oDcochPbr$c*y z#=8;uTmE5acuteI^RV*XZ%HO^(O*|%(acl~OMd@8(|z9yrw>lD9|8^nYMaUYdyI;2 zqc=du6*6Afpo>|2JdM{*V}7&L~pze z18hCIPh~mFt5zPiE!6o7xhYptu5qmdzX^~D7hl|}0e8xGd2PUDNyS#bgCnXLM(69Q z6lMD2S#-xAM%!Lbxm~)($X`*&CxJfM)?M$X zA4>~JJm*y(&AQFL4_upUmX42W`yNcgIc_HxV||6#0SAEYGu29G=FYp_8klYWf4mzP z&hyIgwXO$O!5*4Cs!V`(QkUrquMs`K+*$4W|INC)XRmq0be|9)<--Kb#9Ca1?weQS zKh5LlvGxHK1u;Esph1x8yCo2OBSJlGphPen>Veo?_?;R|hEv1(pG+mRTS#0I)K6wC zBYGqB&)#tUG6z?4ApwOa7yVrI4A)7^7-Q>f*%UogyulQ6%2bh`b^f*71fxI9ARuI| zOa)`-;7Z8Ch6MMpql1&w>miJ*9vz9*^P$=iis&$CMfYyAf-ZQ3SthSk0aW3gnlE- zI`^IUbj*-G%%Cv98dlSsgf3zYSzK&261fU#lBJ`1{t=&gE<=?%TL~?peFl{JH5(y+ zE>jQ7vno}3A9dbrJ@Fm=Qf0Ew(~n~;OeeThgr1U1mEF*Na+NalwkYi>(s&34VeRFXXeZTY|1-ufBqNUR$V z7m1a)0wn4)q*7?eI4zv0Hb-`$HL3zB%Qn0cK#rWEpL}VGsThrpocxrYWrHZ&!1N8# zL1Wk@T<~!zwDYiYQ?1m{HDjug*wH8}e|*qf_bCX=8kAxp9_Nr!`f>7AzUuG$+3<5@ zO6Z;1;2S70s9%fx^&v?F9IBCGwpGmZm!Q_rX*sp$8A|xRRZW5H_#@Z6Z{e@w%u!YLJqnaWm z*};1Z=`p0Gx;Q4d-y5XhX3K0J$5t}xFuQhB81Wbrpso0A4 zFGlXWPMK7cM#@J_P;Y1tf*Gleo-1_>P`cUUtUzd0d)Bc2yNFA&tSH+)83hl|Ow6Ij zT?3atwX;eXsLDABcc3j+%t=vCREX(hA*ISXv%t^|JTu#H4>@$U+O}yGYuVcEFDexK zuJ|aMfq!V%fOqJeu}HM?j#5^JU>&F2EVI;oPpl&S)H4n6Hhfjglway;0?9G{t$mJf z$p6?40ECObt69`kMx@yseLzqB-4e7*f9uSXRe$4^IEjMmhA+?b=XrqmmgFbMiUkGT zY)(y=U`&_wmyniq)Y7V!q(57&hUt#%wN;weI?aPZP$ z4Fu{Zj*Yj8`rpgLRXmnX)Y!FETQa&L2|2%%#9c93-IMmf>cff}Ju;qTFe&>gQytR9 zDmk1-sB{Eq6KoOJrU|ZgF(Q*TVSaI$(8$wLS&4!S3lVIl)4D-^1wz8V0mZAn>`YKC>OEGA94N9oM2K&g?!~`1JP1io6SYXvnLEGJqo1HdKI{hBjP(d;h)C zVOEE{;mGKR*X;6w`D^A0Kd-y{%HYls@VVue+u{B(S-vlh9qKWa<#iQ0H83Ck`3n5~ z)cMdGPqdBid!A0+IkM>{{!0(|dH>E1{mN9VohJ1g^~pJ^WZOorQsuzFYX{&4s; 
zyDs1&?d?rS;PkGo=m~7Z?0yKT{i3B-U&He@q&Q9&8_7Kutg3q5#y$6Q9{ZRE+SX`#AHUnyY@N*B#h(qi2<;pcRL<;p zR5y&#-<=q`KfX!s+-qG5z8_dF^ZKEF1l<9;`;jE4wOt=!p2bIYEA@O{i**@WJ{VUt z6wZ43Rv!87R!lWO6Yns2LPk&&K2ukkOg?>S*VjJBIhz;hSUY}i#Rh(NCnFiiwJmo@ zm7N{OY3Ix@s}LS~OPiK2>z-|S(+UP{16||$Pg6dhz~3A-|Dp+Z_^W(9JKLSkZdzj% zy3gO~-x0C5ZU#!1N%J`u;7SH!#jihhPH?5Bmt8M*+NP_k z&TU%mnR+|c{yi+*_;IsY>;8V%Ih3n+{meNGV^_c2-k)b-1hYGl*S5uK3HmSFJ_rqJ zeue#kdh)&o+)@@iOMl-7p|bf3(kx?zMJ$1r;jgl(jTfO*;ye%s38#Z%3KnAd1^5$S z;cLA8SCSD#p6wv7$6<{1oq#3r&YR7cMyih1+q_flGKMurU6oN%x>2`;vN=X$IU9wv z^eL3D1ln&zd^kj?iG@r#ODkXoS8MdvLNTv(pqa@=&)ZC)@u#tpLL%nSoOHy@18O$g z*5A}|E?wd9+L1EGTZ5ihs&7=>U@&&(qk9Ux^ed)C*DOQ*o&+RiYF5SPM+H!<5s4Lt zG(Qx}tCR95cjI)PTspCzssvGPiVSe-QG{=eb!wBb=85rf;vQcw%{cRp!wP-d4Q0`( zk}5hNcdXp^%#x7pS}$JfL;AnhK=*HV;{{pw4{GN!?wUf94A+oB+Zb1&%xJ$8I4KW0 zka8p{k)U6g&JwqrbOT%xvrDbHACIU+R)A!u=;p8tDe2!RP8&Mio@IMGw)2>T^ge|_ zo?4{@dlH-WOnM5QMnkZI_H+>(OzfZj!Ei9;blw(AW$AX-zDwZ>i6_n=yMdVSGA``= z-EYfmTd-7>mysv2)y@S*s-Y@{8MI`caa4i+S>gClA^5fkStT}AdX~3h*emTv&dkLv zBYtjwteN=cc$*OWSQY6|<#vU~kM`*dzxpp>*lj}0C+q(R8}-XpY-gOq6IS9iXSz4c zC*qkg#<9n&fzOp=4vaX}VY2zR*d6<_<~f2*jn=DplPwiGujx=vdD>(Mzwd55$KQ)b z<-mUNt&2AIxj*7p>4gu%b110yYkQ)de{c+XiElT$12`Z2Bo?d7grHgzq?X`InHDQq zqQ^=aYNz5afLEll=?d1QS&!|sNk^C9Wh2rpZ;c;o6?Jw>8%gkd;>Z}6c2gH%kO zV4SwiSc?I2SS+GGvm_DdX;X}5sbqkQ;D!ZLsb8S4SW1sB(%; zv(AOH-=tx}-#ULxr>QbsMd|kwt^l`~tPgGKAo$1lR&aiyk(Uv&Mb)9A-1D`otf-LZ zzRv@Gh+FyQfH1!Jw=h+uy9oq)+f)8^2KWE92Hy8Ahok2BZV7MPcuC{iLxkDy3yX4= zwZJUB89QNKwee9n2a_<|o`ATn06O-p>S8e)0=x(aGrfq##_xEhO3Wq~#w@5xhzmEJ z%W`AJZRdw1>ltb|tSj^!>Q4D)@=XZX_9-+^-ln=Rup*3q9#Zr{`?@{QOE&>g4PGU- zs(fbLwsD86XK>n7zw2-$t-F)W7Yq!C3d?e;;@>ckT?w$S4^o}Tcqc1m1TBA+WYAKf z&~P$v?DLqxRJ#Y3LlO-?z8d8u)VFUkVstcV5%$}V9b|ih507$E@SF}Q%ASD(NBOa*4ogxtaBlD*y1LUVDDP%|i zq?qr@9RTU~`3!S+cYIOxr^HK`kbO&I$2O{u;ve#-wr4xn@Zi7i54GE)2q`)4lk24u4;_>k#~vbqCDshHJcQE^S>UY@c7jm5(-*7FX`e zvQM2JOGmoyGkU;v{Jh=muA^Of#jdk6Sz_(WKyHI#MQ`)a)VOj3w_QW7kFhLE0cY%n 
zM~G+t9$oWC>T6%u*@o)LT>c(dJ0WhsW|ZWPg5cd=@!fKUlVnDwkJ4Q9#$_Hds4Zb^WSwci2atn>@IsTi_nY3n7<+wfFE`$9B)Q`rJ+0pas65@0e|9bTW6iq}6Y`hmqekhR0!VA<>rI6_>yI zQi;0(J7F`MjgR8B-K(uvRc)5O{uwX+w&$7rdN(f>hs9RF*QC8XE_Gj7u$+)n>Gq=shK^sOztDhajUk7Iy#^R&7pY35<^*s zR|LM3xd{iJw<5{k3b$R0!vKBDp`L3{&k-o}FKD9?1Yo|+dyYSV{@NK=f->7HQ;lOe zORwyYpl%mw&io6+?IQdxS)`0xs59P+!mcKyeGTp=c#JD_ znoupxKQJ)RD}zW)zzxpNWJ9XY&(=o3Q{=K)WYUxjCg%Nul;KJ$hUwf5zVyvx&{I6x z0hj8aph&Z#jcG{Kt8y8)s681kO$zf;Z;l2*-!Fqm%Gbq;?NW@ELz!DO@*mMp*TeVO zoOVvd5aGH3oKV5JN;>tpQl&AKoO_nN;lN*>J*)sxvNjGTef=RO+t)@Gbl& zhARGhdL=sDL{zmg6)HsRe=>eC)J49Pl{V6%6j2<+@$7t7ClKI8kriBa)Vi+7u&*5d zF5jt_nx`IHNi29azs-f^V^M!-p|yIq%*T%!o{mFaU?wYs%Rxr4&>%Yd@-f0#2?xHd5pCVf#;_h* zk3y~DnZk*OnCKOt%>AK>Cj@^g12_4_0mLs*t^NnaX9Vv)KP6$Wj%@@KCC z5v`xI82eOfN%-HT%^o6osMh$jWZ*u^c4}{+H%nZG?D_`4!>O|)S&3H7GcS-((WW0< ztSg}9F5PJKSy+aqhGVmTquvaS-3?#iHx zBtF9kCQ+|kY*lW#Unqk-A0kpvb5NkzTSb}9flRPW?xiN5QjZFwsxoiaE~+y8);Frq z=2l(^Rz*({tyjynTcOi4_8YDyiPLX3fTTF1VmM5>AKJ^zDk#F>GQ$MldMF4N$<`o> zm}4LeYLrol_V@5=AfWZrk#YU4ACPni*Z@@@9v$RXjmT+SOEoVMgf)>A57Q}0$TttI z4h;{EKECCMG@BL@k`A>DQ8vTi^lds{CYuD1jU#jX zdFPfK)sSyjXp()O3;C9{(~m(HC;?F;Mj_l)B>i!#WG61hMgEF8tOTSq2G(M0U}j0~ z{{sl>>t5Tf^g81T%DblQ1`1&lru$lx-Vg`%v!Vp;I?jU-4RJog$&A58P%uDoA1A$~ zTt04X+(O-#iGznv4gO7Q3m#h!tHe*4PrdJ^k416(rOsp9^ajw9)7D?+qj(0t=j@TG zJAbbmdLcv897cm${g$_J+q~_vF284L-RW+>2_H>8=VXm@V3!5!HA9Q@)8?I!&+A=( zn_%mKD9mL`OTUP&|6i=z70E1*o$iQ_VYCs4YlDwT^&SBrcIB1RExFS}$_m|^eB8@m zIM?s%WrLdW@s9YbO#_=>^N&5J22LYcznSlPv8KX>JpT?lm~}Njv&XbfL5+YO+jWVA z^a>3-KB8b8ecx1uf4pyIhC6tDGRZn)>(1E!UgelkXZA9EI1R$&{&3Z>D8E$Dx$NBP z=n!ySX0l~s2j!D5m;LFxk>7b6`o8I)sMq+8yORj2`hmTEKWEC#ELh*4vr(NXtJkn5 zGeY=rLF~-`&V_voj2wBay2VOYewk>|hjR4yK7X6Bcb!M-EgdmvU0FDxqralva@*)W zJb7buc@Uit_?*t(T6+rWqw1?|&K2)&p}1CX;I+I>&prB5)@8=GGIs&?$a~(O&GX;F z(H_E0HMj48@Z4IT)Vdd)=hggx=A~=EZGTq}|8C8K15^A=w^8U&t=4{9{QQ!S&ph6Q zVf`fMiJ!N-U$u|Jj*^y77o$Vw(+IW169{;(sMuyX!TI>QrTu2f9a$0h|rel4DWt9lRgqJv5*fbeLAY<{zo3= z{y7sr2SB-uHa;}$JcPOiX&9h@tWCUOx$eBFSk8KdCBKt!vu9}(`G``CEAsK$6nTZI 
z#)Zgm?TjPwg~BDfwYOuiYZwYcmQ#*|EEcf&a#sK2X0TXG?c zmcYzBm8(ww*NQu*w5UceMphUJe#~zz6ikyN=P(;Dm-dzVqF#>e(!C@@opPvTlL?{C z@ObV=SRQJUYVq55g8p{?uUs##8Hb%k2o1NjirlG|CmBPQcCStASx;r!hB!{F}A1;)s4E&x$;2nm0 z#$ufcAu|dNb#~{ zCGqd#d6TL9Il{s5O-|xS_y`Cp((vL@6cArqj=RaaS_AiKPn4O4T(itl?c&)V#Ja(--Wv4~fQ?9CTXya8MP9SP zkn3X{1Ink`>Y-%_Z918-1;e8!{LP5a%KD1WnI8h;eQTmD0# zcq~Sx2;J(#nNN0wAyBNwHd8tJ9cgE@qD+?<{pv)2FYYw2%*nDdgCm+g1!hra&;5p@ z>qMFB4qjh?(mLdO^0Bk7lb}-aC2r67uoRB_4S1djngorB8BLGJ6Y4R3dk^q{m1H`a zP~g8Jur#WH8JnzeHuh!CEFF{?sl zgIWg_Be8#&Kwr3*QHGg69WZt{BDFG^DqCJ}7RE+oY3qrdJE$RjuP-e1?XgHiQ!6iG zfkdDH&kD6Psk-9Nxkfp{xTo~)d%Nbf*ghId7JTI=5kxA}UlZ|^^qQ5i1f zM$0+Uh%HH(m21s@ueNek?2-l}c!z*n`?p7jh47{Fk+AQj|B>S#+)Tje!^`ij4ipX` zAEAySB7kcusa|Ag)&}#ck#3OEeW)j5A2cr)j%}+mG)8SzLuGHgw3(JldzXDAGbZ?6 zjS@$-q#*~YwPqN&qNCMdBDAsUkhFLlTw)CjnYm4zmX zw!JE5^`e+>C9ekxjA+r~WdeudRWTEyn*^cqv=N(fW`FZD6*0+NigetTQ+-V6)dsL; zCo#9$t?s>9O-f7yf63SOb6;Ey=8H`^M2L8wfSAW#Rpw)K9i z)A=sYSdn^~o#Ke&i^#0)nO+;Nj2y@q79qz1!P&qi5G%f*#qob|e}Di>75O!z-u&;3 zO4RnR?;ZJ4=yXws1P&okir^FaQ}jI=lpxglrS1gFE=3<@ibd-e>Uac{r1ahljSA%MSX3b}2#!zL6I(iQ|*zCKhh3w+d3?!4e+KBdz& zzHlZFzp4S5G!{K-Q_hKmXyqzNXYxgayy-vrf&AGaP30*DjK~=AI4lRpumN%7o zp4-D7-L*@KxYf6lk9kwIOwQ1%G1pasK8N%T3aJ&1WkdMAHFxMT;V&?Ri2Mj z8<#ux+noo+9V=c`Ez1R!Q#&)Qk4d zKRkNe_DPGcmIudXCHNTt`)tVib+?l$`{+s9HURFsvryr9^dJze|99AW;MlI=-QW=teEEGHv<9C z(FRal`g)n4?I3k*=(p1OO*ma2r*pF$PT#HYUld9=Bx_y2R$ke%^E$(z5m%-BwchRFyY#@;bUHdkv5(zG9VB8}$BrI0OD`dq+7ey7FLn@(< z4E#6`CFb5Wy^JS+|m{k6H%`uUEBRHiqZ$fQFA1Solqh1Fg`QD+UF(vWZ{2ecf8(XR7M3eU*7T+xfxx;yB{G zJ(&17Tu(V}lW@cDqd}rVRp%fLX(rjHdVwN3$ryRpoXJu4z*ej}_w3a03P|4A5+#I+ zHMw|~3%o#_AL);!-9%mo1SdXCzH%ae7M#ms!bffRMF?y+VcOLO#^T|<*$}+8*~8q) zFY(oRkF{f3{HUZnwgO9&5mL)6pMT9R(-);h$r3j7-#G_j2Wp`9zq8Oiw7E;G3hTHf z7Zy>`g0Id<5G?KCYjkJ?%Z8D>bvaayr`?;`%1LQA{DdE1$#_N3Yaoe^tC0}UzZ@T^ zTMD_j_1FS2nt7^Z)PTNJv)zxZyCOg#c<;^k0RWcSXMA>LluB35H78%d3QPx|!|fl& z^q_ePIwZYcNw`P4sSexJ1)q@h(Sp}X;&2LdIn5F7RipTjC6&hoU@3IpnrFvllVtW~ zn&OaezYcLjRCY-0R#7hC{WI?Pg?9RtnmA(EoZPGtlij^VQrgB67U^YR4`Sr0Vo|tC 
z<1KGzxrXTYCLPiU{XZ7$^UI~@Wr}c#g{hbL<_YS&IxJkjSNA0p;VIDok(8`U>&B(< zpmAg<)Vt1O+tap_`C-*3U_OYpnCic;OtNrdJB%RKV&ln_m^O_Q=~8=1%Yk|QU1Ga^ zU+hEqhg-^{F)5*E;(a8nKsY#{!ju6?ORuKdEPz9csZ9Gc$nx8zLyIbDR%a6;1hup& zD+je8SV#-h0{D*=>eI1YMmcvpL1#AN!JD;URDqTifu=q^WeAmE;SvsQK^QSmxpb{% zs&RYB1+m*u28B~%Z@oR>SeAuFCLN74C_b1YL-Je+oQ`@-gMB9gZkxQMTVWAi1!GXe z*oxYQvA9$^Yw!(RMHJ64AkPXM=SN-gheWfz`5pM_nnlxwEk+T+Jge%K^WeWWJyBVk zv(fLY)+)2~Qi0VSakYG*bnxVUy|8b|-!+qB6f&5W(E`P>@5;gZme9sHl7LOlh1s)o zrVJTs4RZD*eTeCk<&S?Czu#<@%|lRiuG$xOgakd}@afZ(j!;C$QP!*t@;b~;X)dU1 zAv0z>CR&u2Ba^h#9O4-dDze~cv^z|wKIA=F__uB%Ukjl~C9p&UW4s`~hreTk3b4RIfku$SDB!Oq0dpQep%FsQ zd1J}kj-v+VbC~W1Z-8lJ{%sq8fvJ0R<`I3S=S1slf2;l8c0))pXTc|Z2Xw!pXv(~5 z?wF%9MA)g#W7|4BY-`|AesR&5)j3}1*oBb|I?r+U8Np@h{?~`Em8WZe?@{;5d;e2+3 z*ynQX=-Lao3>w(>3+GqRj~;*)!Sp*N6dA#;GAJXLt!G$EVpvO~bfHbN*G`IN;2!%E zW*~Y>**FU)$}DXK$C*+fDuUb?W_WXmCf*Y)R0+I>WpZ6{AZZgyI2Vc@-(z5@| zdi2Nkf@MqM8&bzdA|}>)d&8{o2fMo&vCs8U{Bc?MMTf-wm_45R?zke6tF%jt{T|`9 zzuCT_(CU3y_2p5{c}^(vvB9Q`_DPu~lP=-9RVmCcK9kdMb>3#zwN?-k80t|a<@-kl1=6*gX9;GfoyR^v7N{{gE%eYhR#DqH+drY@KDCV55p`PyD; zV%c}Xxuz3SF|YX@Gy5C`KWj@Be7vGt(sb=-H0fNPgia6p&0VnD-QuQ-jwt|He!w+$ zBtOR%&a2JGe9h~g>#UVlaqOB8t;3qnzM;*7t{ji`o1x;|a-sv~`jc8!n9kSNf5?_M zJ<}k?15nQjfCT)r6Eyi%#aJB!82ajMq}JUL04Yb&6=B#$^k>~@J`x|nzkwQid_D(4 zoj0?ks(1yEr(PcNj^Ce=ZHF%%cz5KzC$*f~CGeyY_J1jr6~OVMKlNvwnaM_)=+t5w zD*@$Q=4-ZqPw0_4-^c1@#IXlV!ee6tkNAT6;_IakyCMI@(*A(F}#fFC0(o|Q&6F?m{OrwB`tQKv$S zj6jd8|8rfw1c4K-;*^9V8CUc}&@^l8&sRIGRWm+9pmI}mxKgkbjt$+ei$HNrGmWUJ zfC*cTX0-|}@1hRv%)wo#9Q4&~ssnbcUuUN5{IAk%3$S?!-dIRorG|C399AJ%>Y^}n za4AN<#Dp?V$ciBJ8ggEoLXANiTCkI7%8+rc!p>p&UnI0puPgV&sn)49!z;lYcKK3& zRIW4@IQ!Hl&SnYJsx(sF1wzn0|C%3elwhl?Ku-5wdjFYC^ZwFm5(N0Oa}pp9gsz6O2HZjwv>+3r-cC>+IN> zZI}u{ztOOA9z5p6NYsiLn4(iujTDFu?Xlo-c=&jG6ACEu7&ClEJ>^n(uj=bipz-iz1f`xGGMST7iYhiH4&I30#DpglyX4D<##l?hj@ zTZGu01CpdSM$rRoR_^{I&X-FXLpCBdLP5RSY}L^WcnP~A(WYb`qsOUeEV|AW7#XNe z@S`tTeR$EFT?lE2qJRsf<3fE*4nz7gq;x_dGnn2$#>V2ic>`WdxSaFrv}O<|_UK() 
z>eMP`n+Qi4X*F$mmhzbG;@_lGpHMnV-Yiu0?^^iWF7|8!SR)X;0lwjRi!e&If4*_z zGf9~&MXOlHxP3Q*%TmDWC@SKuJxc^zz2u6vZX$;6T$5bnQpKfYu{0qQM^mO(7J-n^ zkC*c}1fvFMfXGo7HeO`k!>@dgg)%d0-pczen(ZC(!9=G$ppb*=X$#o^ioQRLtS?CL35|NFM1hG9p7N zz{pL~O@tT_m8wDiTT_sxP9-7F(ytjrt~1DyPtIw)!lBaK!{AvwVkKY7Pb6HCIm_Bv z0gLhgvI@Jcb+VkoaMHnG{!7-I5zeAT7iYt5$+Aokn~kGu++y^ACfhDBbTR$snQZiNOc&({Yo zx)I|;Xq8B&r2L6JL{sk~GrM5o8Q^C3W&eL*{~QT0O49lE0RvNK6$rXQ`Zo3 z3y10juz-i61d(+|ft29C+K_p~f6_?#ex+)J+w}}0y)nD?bWP9M3IPU~yM?w(+n*&* zuAQFg0G(EC#O8okzIq_t%$4u5a{ToAPpv5JiZh}FujkYjfA`+tmevtzSv$|2DSV1l zY)MI`&MO63?l|Z0{ii2EHl1UN&%WR^zq2-5wv}tZ`%9+t+d3hV=gFVaz5#B(dzr%L zIc1?w;g^#ZB9rX9i@T93@BZQRA!K6zC-IKW#=A31a2Wl%8@H98vWyLnj7!&BD;p05 z_h;$$c8(3zH-j?U20QqI?MHK4yVZBh+NT^hBj;P)CyI`|mXC$_Rn7ep@yPxiAE75X zJsX7^HK}j%IbOSu(QNVl*D2;6?M7SEwjQ0Gn(j|qib79`wyh@~h8~_HIC_Vz)y!E9 z{m#?h0k6+ZoQ~bLIgX=%<<5sH)fI!Y*!W}DaotA^9YB-$+>-{)bB}M~vO-V22B|iW zz=*wLb^TIRapzLrz17L-3Ab)YU&h4Ak6Rk|3DL2_6+XI_Q^N3?*I?d>G$w7EOOu_! zM;+I~C58^bnuKHS>dr}wc8~T-mvxJLnhxL!mtUZ-^Zue)NXrUKg%6lJm$av7;Qg}a zquAx@x=&l%`C)MRKSX_FcO~GmbZpz!gcIAgZQGjIo+K07<^&UKV(w&O+qSc_Z_c{s zzVDa*1JAQocU5;)<%$;@(^T=3_MPvbK6ULqRMdJOe+K@(Ja*~?3BIB_8~Wb^QEb&( zgk{zlgMb7TNJjbU{?FfBdpJkyCb#_WG9%Vl4${{yo<{O(>RjH|mq|Mwcj8;PiDP^A zwPHyL`annfYo^v)f$LH*=ho-m-fhCE>z#g(f&GM0LCQKHV2Ux%$F%e(A4oVJ1Uh;n zbtwNl-sb#-1|{KBT0Zw#xEDh&2Ys!FlduqfVacCpKNqlEfbI<+NM#Z#qVSi$^X5B) zYypWN3*NwNjpo7Zjhz~3HO}B_wuu9%?6QC8%C<_3qNZpG|8fH^& z!;@;ueiaG_$6=zV{p{SX3+5|yDb{&CrHQa!YYtF#T2{6aL5G8?KI8 z!QY?iNR^f5-erDl|7bJ~CW5z+Sb{#k_jri7VRTOJY(11#r=g=SUHen7Ki zWDmw5_v?82vRmg|%4jfkSS}M>TJT~bDq#N|qZ|M6792^1*Z8)&@#~;W#Q85gqIYV@ zX0&}kj{!VV$!b$Xw%I7&f-}!csl$*`6fw9W1i%VoShgfjwLRZ(IED{B8Sq;jl#+#O zHW-A|_$LhdBm?a|Xyt8B0M!2#F2in|nA7(@^YH*ekM;-LsHixTfuTRm$N2VSk4baZ z;2_iL&`cjlaxAL;6KfXdGS#cF9Jp*|V+d6ONLGM@5%^&MtlPCDz$|<1XlbDwhgC|9 zZ~j7Uh*0I!Sjna4-p4BHP5!cz1}Ie6M6(taFdV=6<2bxhm*Li6Ba58tL9tOT76Dtc zQXtAJ#8+`bTcbQX=gxPp9*#vt{BmpN0qwT$->?4^p9Uc7<|T9Cy#FQ5UCQgo~UeN?&p-M$GkUnxlwJOH4Tq 
zv6iWlYGk~p>akHSi^z=AoR`nvR3izHJsJvC8}{VP+*)N~q-~Q?8^=0v6FvMzCjG_+ zkqPAE7t40B<*Rxp;w~3lf@-8IZbWf%mrRCxM8DKd%eRXTU{m7YfjvT!gMV)^Yg*?D zG2l_ZW`~qwH{tki0V$)xeF`5JfEI&XLSGDks2t6o&vi&H1=ogML9xp#GU@ITG4qDA0h_Q<+<{|L2TRroip;l9rZ-^_G#9?aa%IBmb}4#NF3=ZO~0 z`Lg+RUqkNWzgk_wybjvCNLNi4Hjl`Vn*@RT_5RqoKX-IXc%xfRM$#g#0p|;7%vV*kQ@P zFbW(9>z}Lv?i}HIPu-u_xvvY3)_XCbO#6D|y-|;TIaU)Yx2__S3hqn*`9C1oa#Qd41<ZdeD zD1ftp-R)Z3DZZ*Jx9{@P`*7XpFeK+ zaWr9nV7zR-`GezB&`*S{j_>^K_&UHFP^T=|AnyEj<^rU>?m7H7ARkp9>D+lXUm)^? z?G51DFH;X{1wltKd#;iUUDbU4c*Jb=kLy3v7FqzQw>Dki;Q7sP0gYk)Jg;4Jq4qqL z0GVwIp7s=-d;U7~jk3L!$k(OmWBws|+f2G+co%3pTFwUr#elvHuI~HZQ6FC43h+T7 zuMtrCq|%Y2%si+7@C`*sz<}tO}pyGJ~Gw!Y_-2w0?{7 zbf@nj6kMm(tTM5x3DCu3#{*ur|Em8~kW!xF*(t)*ajAMM6ln8H{!n2-nT%e(5E~4U zj39=U9bp?iiBYQg)es3rjPg*cQaG0(V9Sz0BU z!;I%a>^A=4vSB}37Q&|(+0U5#wC_4%n-U|Y2e_5-5kM$atqP&Vd<;24K^qdA_|D9g z>Quc#I}Qck>7-YVS>}M%FT$H^#F3`-I{OewKliGPOA1P^ajT*LOzY=<9H&9ke0W%z z@(nwPNDoW7EnKBaaWXU@b&JwYF{^uLXNT^Os|9m4ahBKPx+I10YCjvaoVfjH)YFKl zmyVwk$!y+DrNU-+@&2cPVQ#p9-J(}vplK%_ksOLD!?&B9un|kfuzoaoiNn%n@>4EW zCAJNoj5SujgpoAm<;Mwb<`f*!FDPA%U-gq2>@Hp5M=H^6kmXGJA$wHo0Dt;#F#$>( zQ}Cr;V8xLMyKH*H127~M3HCM}Sn7idAuN&*6o&!;rhB&wLQYijGh2;RT`ne#lH}CG z8?Pu>li!kMDVGYmP`qpNk^5(8j_MLt3%03xhRKQxV`i`votSHKrMm3WFwq->c#*@Q zt}1d?U^RP5t>y^y%M*&e)rFald&>=^Rz{aIJnyKxi!IRexw`Zp9=iWhc34_Sy+RD= zbGM}d)=yyo<;>wG10-^-q$zVOGIwSag27Yw4pnipFnd1uP0ex)Vz_<=s&PSQ0~YwGQ}at!4hIKW}?H$_KP%@WOgV|_VCo|l$?z`%!Tv9VFrO} zr=30#35}tvF--Lie?8@9_56F`JTOcC$yOAWB8@Owm_W>QFt6Fz)j3p0VA?QTad%-( z*}7_CTkQIC60Y{Ft>Aehj5B6lg0B?f+EZ?_!)3{$rAScH$agTNdnPAe(acdIP9e#w zA=)je*+e;K6U(0`DWJr{0AZG@kHNF2U{@RYe=hb#>bm&Wb+f=XJ6y8Je+AeO$RTZg zoG&>l{>pFj)DQjKt6Og}Fe)~U4DnoG6fYXikXm|>dS|qPG)DWQuiI?Qn(H-=eBeRG z!zI>mv|@Y16A2@>^N?rZx>q3}q|dbTmrU-?k!7hXB7K&HL$lMAZeIbu_C7bMxI=bu z@{z+%!O}h+!xYYmeT>p_4iPH-Z+jq5Jgh}vxHpEyKt5LNW3c#rq{52XZ?x=s4Z34T z!*tEGlWc#|WB|h8LuO_DQ)9B0{15U-$lcO)l(D2`g++1q(`xtHb3jDXXQ@d8X)K+1!xT1Im1MG z{ZUfkow)RIcxP?oyX^McE8~4fTVLRDq=W&iFKBQ2Qn>SB-!q?guL;vBrQcr9of00#gSxkN*DTLoX}y*E4l`=HoA#jfg*|W0 
zwE+PKM9+1~!FlqdPe!l%q@+sDk8vAwPfC5Z4g6^@Oc}O9?Z|pv_vMS*{!jh-%HYcS z_tP7#IonNBX9YL%T%?FzdUtKWw0s`_C!7o<+@90=Lm?mQL{=ex+ec5-A4eNZD1nx7 zxBA;EK-7mW!Lpvc>)(IYoZIV!lB=439bXwgKjpE!nA%;RqcUH&XZ>2eAhTJ8^y;1| zc;A)p7v#^qh8^yIBov|u=f-|Tb}BuRYGd?&8_mfN9POIQ)qP-^`R%%S{rSD(HB9oj z_hZiC%K-1VcL(TttFIk!cFAreuy?{v+V_5HxYV<^H<{k-Hj~!`Y`M)fcK)NkTcR0s zXN)>|477N9Q_gGo<-c5>19Wf(9l2T&wmuJTCT2!Vb?)tfq-MU}jyOTkT>NQIP>B(~ zizKZT!|i@e-B=KmJ%nv7)c(N^dwpXNcrKLl8mw#jnwR)?!Y%LoHgaJtw6?c%L@)pG z;}NLU>7H`(sy`F>!|C%2(vbF%llZ?OEV>)_-Xy)HxibUrwSw|M1tXv!cOdGA52(K= z>jmWaGpOv7_Pp8bxJw&Uf_0pB3YR&Bkn&px6b3$rdkH!!>-BpS7Nhb})Og}?@Fh8F z{;ZIhkp`m1(P7gsEB}iK9wvl1Mgoib_6vg-Vl>TF_UDKy?V$2rV5jrDPdV+qm{q8! zg5^I&RKkvsWojO*(GtC%g}hxd2X|j7&N@mbR)x%vjgJ_!Q3Ot6&u&#DX z#e8x<;1)vUFC)v;Vx}bU|AwC&=N-9#p-B+u-3J8Sn-1N}}9zA$IvPD8H9Al1o|FO{7JqR7fzHy6Jc-ltS5 zK326!eK-7C%Ab{4UY2&1rCm#r%U@QDqfn6MUCz2P>SV}n1^-7T9jYvO|C=kkhaD42 z2{lAD;bZzb_QF%81+Qo%DyyxTO^a>dIXElrL7x#2RdF_QscatFTqT+?E07%An%^gh z%w1KKCb^1!KjT|&9D`-CA;o(u@eLma!=;6s#Jexy%_B{J{O%Y8BJ@X3Ra>$rk`2vcFFOYjhpl~2=Ly|P;Q#^7 zb_Uk(RJpT~X!}Xsh#1TSd^2>-R$Uop3^7E{_u(rv2wzKf(U5pKFBPfkG&FolS?)MD z4&f_oWVzJG&Y5-r!zY=5pJ`1NMZXCmnVuC#Rk~^yVO**=>a1wYXNizU{F^N*O_HAF zyS3N=o%4lEO`5lV9NKalCOx@{;EFl#n(a(aa8e8NWWmW!c2LFUiTk{8v&csctA*b2L6KK?8g=`r9@ZAXEQR;bg))mj?- z`zFn;klSBs`oXh!jM6SO-9CQ-Rx^Al8s6qhSR`Vpzs%MRtCu3W+yYNllEH2PpR?r} zR0B$)ng%riw|~u?1(mbFm;5#W4UQOZEy2DN^O43A5&8(mmF2{^!KydC8tGi?GfB3r z_v)tQtdx$+Ql&b!yOA`=G;6wS`fkQFn&A@tlxg_o2_azpqNiV0$hxP+=W8M+){_(G zTjr&soXXQw!r(G;>}yVT4AW2*0!=9ulg^s8gISh*Vxrbrf|1Qs7<5>iY5m@Y&E%pyK;~pJ2(6oKOsG4tZ|ijp^lh%rbPqh7xyIQW}Gd=A1^UPT=m)x!NwC>vso;xWghG zWHlG)`X|*HZ@T3}c` zKOq4;|NdKm)+li0h0t?BR!gAXv|At0__A6YGuUUCI90eP8bkmzCx&wHscCK`w?Yw$_$1(|MEI$g?Q9J+3Am(UkWC!pj~6e=uw_D&Ro=Q zg-Pv_^B%}rzlmvU61QQmXXWCE{gj!_o#ZZ|6=vV(pAo;?cj_~)n11u0$Fh}OK9dEV z-0}l?J^vK00 z*spFy3JY>I(zm?Y;`a3Q6QC~QPS>v*K6RQiKbIYkYbF>SY?T#kAy{AY|3Lgm%2NXU zHo2NxQ|A}#ye21f__%Sa5&YO`Wgu!!Y3nlby*h@h=5>78o0NEHYoX>I-PS?R0M& z_>MiTTnt*FX5h>eYPIjh?@i8}3x5o+TNnJXT=uuPUoT)Pcx8TglO1(zdBsee 
z<~aDqyH!*NeIRQ>tD%Bo;D48 zH$=q-Z;KS8#e>&sh*E!o_Z8b{YVqw5PyB{{b#DaWps1%i;T@UZ9{gtt5-+!PXua5( z&W?6u06CGb|9m}zLTG)g+dRO-vQCGhoY&Qpk-f#OXZGYsl3B^Kl<%LSI$lMj6dpaR zeTRx-OWXt;AY)HM9Z^IE|1itWc#`{|TldU2-tZajj+?7aAwhc+=!JVek8@9zao+tY6ADfN!#+&A`Z5*>356+)7V&y zC>sNAS7zAX*!4Z#0W)_>-p$H(8AJONjmEtimsJWyrW7`;5lmIU1)9iQ^o@s-R((`cYU=ZJzgK+Z|>AMO}S~m7y>Uc2%L1 zG~h7ks51CQ#cgJ9Wn71o6He4sTxfM^H*0U10=Yd>BM1USz5PX#qcR zN68a)aNwXhMeXj^gX0>L6uo95BwlW?FfMP^%PmEpWODW=>4A1JeU-jLE5sz8qOdKT zWH+^z95toRWMDT1CSR1uSAz4_<|1L8j%v9kmvZdYpnUnVap_^;IT9xptE^nG3cN}n z4+lo0gT!UkNgYLm5J0F)#fq$2WW+5^7mibGCqmF}c2rWS?{q@2a^$Ax4!0C;0YjFZ zt$_L1n)e8qSKB7)7yRdSY5A_e=RDf{h*ZoWF#0$t>r*)Bk(B)7>UG9n(CPC^_`VsW z&uoY$zpq!e9Sk--j;k~6O!c59r_q#BYCI((P_*LDEnDHK)tFto(i9cr3sHb|F2#X> zuOK=f-&-W6k_MxZlCPv7fvkgLJBGh^m-o1pm3m|J7;jqEqw@Vo9`h%{P5S>ft9 zXstD(68iRCtU@e*Z!OtZNwfqi7Dt9K^zI{bwQW{=Dxtg5DgG%@3}Eyqv0aU}NGxKT z0$8+bBz9UK6gI)xDATWUT1bw+4h$q>Y67xA!C&lhx8HuvJF2`js6*?d*%sxa8E8RX zjmXK!KZWy$Xq{rNn^{p#NN3`xTQqKNj@5d{vTo0(I{Si^NTo=nW{7IO|KF%(5rJYh zu}yFV0BVtPK8!>?9FfsNo5(rzZ*2xyjb@oftZo&;TyFR~fruCXpi#ItF^_Qa0^1zj z-%zpRTaO;PmuUS2wr{<;3Ot6C`f|UR(nvT`-6|m7)U2~R{%8cBStC_jU_o__bFT&d z%G2N%ArEQsmb^-GS~>?o)y9}Y659!m5{jTZ z>HcR@i%nHeq9>^+i;^TizW|O>Q1szL&GzppIvs6y^2Hi(wi4b3IT>>|SuVXld^JyM z9eq*06v1=DhI1}8<15XpVm7z20RKJf|CQGnVl;(*#8S{-_Vb|ak(X}JMekaCM^GP# z3{I&SO4Rg5`-b$T-~(0<>;qQxo7tO66x{*gQvvQW)g!mi$FHu7tBqY@OWy^3{w^y9 zMvzU*8MAgf%qIPG;3@b_*89CR&Sm}U5I<^%GwIEl({GmBr_nzBx5o;Ut}EIgo@;LD zx?tk_yEJc5_aF7QUV9%M(lTmyBj~!9SUYv!9WJLXiDr<908eJ$i_Zd-hi--11Y<~p zCW-W8@|Jgd+Whxp)uTpkhoXjp#dg6>960Jg#*lGCq7z2I-lvhSdu^jT>)On4t<6{ULGQe6l{=O}t*S$&&U{ zR#;j&Y8(Ct6cW!$w81U3|ZQ!H%XF7zi*JZTsrs@k;@8HZU4eMZ-tK%>sx z^oe=YkwN4q-NRzRAwuUK+meR(48N)EeHfI%HTLc?4TQ zWA+-^`jLrZN?48FRJ0e>X|c#2p&eSrF}27To4LeE-3esA_)|+Xc=o7bxGx2i6vkv* zqy>U1F~O6XcwT)(B;D}oXZTGvLZMDr>f#bcKSxcA+HiRN6MlukDJN2h;=$iPXcDaF z-vo%Wux*jzU0tbgAv2tmAl{X#-B$www$k+3CSKzHol^xCa>gNt{z><*S}|OoOk$6f<8fH zvNhL==ey~cS9_(l6KgMZlT#D5>Nt_~A*(tJROT6_ScRb&4Q3OXd{LU)k4&efw{}vg 
zR9*t>W=I6bpIt;u5kD5`=?(hIt#y8^K*oE3s~qCN15Kq;={&`_qR%SV)N5GnXK^Ik zCN%MI(k7yh=T)a=(q_>^6m5nH6cOSJgC8593aPMTNwC!VGpA#e$R5TIqOTTv6F?Tn z5i8N4C^Y>;XlB+gh?@nH`1)H}zrRo}a5SgjjTC)g!cFD53<)gdNhaY1X{?2u@49O1 z!Lm9&?(nJmNuxxxiPB@lBk}xT6=mgW#j-RffxUgeuRN4jiVnPE1(tQvc3C=2iYQi7 zr(B*X2VH|{%40;ZI`s;tIU74Tru9f}(4ofYa1s7z+1PhuZ5?PE_Ly#lwbMBXiOBku z@3a;%lx0p3#6zOOgUv`;*>Eu&8@V2Q05X(VVvN zc%8UCL+#q}cFZI9aP9R{xcTSR zB|KE@QX2)8)W^(H859QN`B^vB0w}%{QwZ8Bl7U}miEp2|n=L2kfvqabv!#CHsO)=H zCc6c&oP$b&j)Wyyr~@oPSz9uo3*n%1Sf~$o@xs?r*n?F;I6SSn6u0P+Z_Dwrz3Db{ znJL)()ZvN`Ne1OYO~az<7o|VSw8#I}Gjkm%u}Ny_S>fCdgg`Xt2usg};AhD-8#RUV zB}=_YabBOaYn?471Mz-St&Fr^YDd)WK4wBuKQs;$4m7xos5^*wt5@n0^f%$g&AXE< zaB^9O4Ycot8xl?;l{L*ttEFY5W2M}IX%Mldjmd~Mr%##2rz%5gGV@bp$rVK=yafgn zhCl6CPWG&*Y12wW z3F3HB5BxlFrwOe}in0o`QgvYgTzP*+xM&xxaz*U0qrN2cr-mgEQ2S{RqQ9w%zch$0 zjY9LNHZXBk4gXg@w+YY`$iKQT+5dIl+@5oMZO}Uq7MdJMf)(zK{!w^L_!YGq>;)A; zl`ORXJ5=D{r#q|XqL=cO#`@_C_-*Pt`Qwi3sN)U8%~?Pq(l$PYeu2+~So6~7p(6{4 zM!;USFmAf_);GuWKu6^tVZu>yMBO0r4$|w}lYr;J{*ZGb^|{h7Ll<;g zLZW;Aq`>}o0Y2IHencD9)3bII)v8?U@IDvSmDe%07f1YZQht5a)7Ay#kIMXbBXqWQ z@)Z1WXL3CWs@>@exGP##-r^EqA!m)+5e8hZ3H|xpk&mlwO7gsfKmU9NPjm=8x#p_% z^6IJaSh{L!oe8pjy-7lqZ@xBsTzF694`c-*KPtz8ggnuL- z&<#Vxh)KB4u);0C#VjUL{lLb8f5$UhKrA9YUZcI@mNx#~{W<+(q33=j{lbVgjODGy z(^u)Wo;YRxGi_nRv*D6yJksZ@nffjwWAkI&zf=}NMw`2f*adzr8H!VF*Bx)Aq-{%8 zPA;FL??ijVjl4d4FK~w?Og*jB)IlDz)z7sg&cg2x&7Xci1HUM7W&i7A*gUUMnw+-x zu20`-J$(oFgGRrpRd&n#enyW8OTMN~ua8e!a8CKzcR)X*$G;1Z-<}!(+WRm`p$uwTBeLnSB>BAQji=|nYC-WD zjH~hl*)N?8)l^>oMpIjzT>d=&0C9YRa)7YFP~i5>|B}qZL41@vg}t?)nb31#w^}hZ z1#<-ZX=$MHhvX+^;PZzxa+%q;4|(;wJ^y8p%>BM_<5ky)3blkv7Ku$qFr>d-#P7)du~MrrbJ@&)#oDy+qPC0amc6%{l# znI=ri`&z3zop>t6Cs$wpv2+&e;wY z=F0xf-#$$}j3u}?hrb+zQ%uz%NzxyqlQ-9eo>7$Hed6CViB_PZ0YrER$wmefytS)K z|0N^#m6NZ}_@0Dkg};(W%PBwBDx=U36Cer~rPP^2{J@q{Y$W?7DY(<=)b|e7IsMs} z5BiRQx&(}Iw4M@4sm69w!~eV3q_6N4&?3q&Q39)Yec!bAfXS?FMh!==|62bqg*KYc zB4lAqQ>}+jSnIxpIrX~yHgf-c{Ko(>C2` 
z;SFqX(btfazPc%9ny6dEps@)6BXHEvy7aE)!CKNrpGzO#vHI3alANK`E6a3xt7v(pW_de=R@}bVbdbRgtCN9umI&5FfC%f=} zF4mLrwV_t+A=HaS}#5)eR3K^ZpT$4GkoW&ka zFz4r#`HQgk02C?6^bs680{_MfM2|7zL9=z4BhCgG{pN5n{0_}#NN(JG`g8Ez1>t9* zobgZ3nrjbzN}@-uq|}{>f&BwsdksA6kqxxEXlW< z4}N6kHEp0K6GCbgrZ)66vSbtaEvcUc&Pltu8%iC~GWLV1Ql-KzgfCDxTo znHZPyeIcdQyaqnE&b&JNdJH0mvuV?`CJUx(cwj2fg?);BP~gAio|KI&Qw&!IBx?Od zG{=7t%^jvC)b0N{6L&F!MoS3928rTIfcja9#K@6e%g=+J1V1Y=YaUmxf8Twk&#H|w z$85N4UIf&ilxOs~yvl5k`R;31apP4yidENKdR!)w^m_I2GURtpJhKS2_ia)vOKI1( zKhGqY_mdjGRt#@%JOOhOI*8V8Rs;5GxD1P3H(Z@rdij~V1JA**{x27>fP-Rt=kw3%_Rl@S92UlM z>R##X=GhMGUxYnPD=^YlI9rgu4zE!lmoITf8_sXdcVf^?RIC z|3D5)V_NTYKtW|3@HCTW&9_mrmH+eVg3p@yA!k^5IHLqt|F-|WYc)!F({((oKo}tT z+;M-E`x3Y9;Blz8{R>1S+<9Ls&fWDg4J+&q`YCZ7eb`2Ub8f2acoX7t6SaV0ePyfz zDp9Ng3TO2U%SqRh8TZTyKIE}XZQYK!T4&^uwRSEtJhkRr>D4!%Du+Q#wsv>LZ(Cv}0{xp7m#*3D&|m!KKYvh_Ua zNB4{$u5toB;fGg%D~k9svz(!xuw&8j=gnO-&u(S`>pO|xTD&!58|c}n>ovsl;F_gl zzsteBXUW$3x^)iuW5a8=>K*0fM+|CE`((ZJl^18RV$w_^G)=SeoI$F` zqd^y90~?L)QI>oLL4$7;R)Cv4J0Rh&3_j`_v}hd{fT|L& zoRv(ZTj(@B)6R%py>@Fh7>CqMs9)!mDj~ZSkD6X~1Yv)RsyH%BEuivVuq@#$NvFK9 z)-ZCST=kT}44jbP1OB2cBoGFXyu>k4`a8!&n9c}1cHCmKVFKZom7t}75+{rUSx8{< zxON^_zT>@?mrd~LSPq>zdZE0N>z;_Yz8wRgck7>9xMGMUD}qM8E%|WqWeJjMJx0;_ zPPGxaV1NVcH$}oshg1=X!qtbLzdJxViDv+*Y1mmg2q&#k$pL)sw@Q&Cb}u!rd&ky1 zm#(n4hio_r*I%v#1~5zG!Ce2+u@XWsHqA7-hPB1$tnJC=>=IyFWQZ9?6SPiI;Dwcr zV!x@{oQ2CBzc{R2eZ!Pk95tN2T8ItSL{I~a*la`<+o?F6mviDP7%#6Gr4lzMtZB8l z`fj)l)1A}VO1AMDe6uiAP%Kid9>J**k(FxFV$G86tw~r#R z!c!IUhZ&2t75>~s&jGx}e)y{QPQV zv2qkiLyU@(Nj@qL%aDDnXG4lLDtKBN{Mt+wbbqVA;Fs+}?0{am?jl;RQFVo%N#<|m z+G>v61vml)Nl`Zax?hfrHVKw+vWeOC>}TrHiPm7#t<|Yt8WO!GN1AYrsF@0abbwV| zVa+LBxgsr}5!Qu@DmnD^;Wt3aWD*IjNhw$s1!QJJ75vCwfWc!`)`u6C{=VPnU-W#{JKj`DkY3S<7?2-Y`*|VHW>tZ z@AKhgC4w{#KuxA>U3)R!65!DZl^=nX|l$^RmpMa{!^D8F?i0pkT1RUkU3q3 zK~=@kLSIL`j&n}KW?iMzeDSqtjk+^TCh}XGMq$-NrVFyhOjy&uj1Z@IORDY2Z;;do zCR-Et7#1ULEVUDu`ePaVDHd$|%h~kS2;@esEe6%_2@qM05oQp(>R|a#aCxLh0JFef zST^I|G0cl8o5MLHv1xd#Ydpo#lU)ll8Vn@AW~ml(nd;S6b6f^;gg?Yd6#{o 
z><&Jm$^@dh746K5?&6GNOKf#n$@%!_S&jc!UQtQV6imN>?9@Zh%a`s7czpWo?RU0) zEsPgENQaby_lo@i`(+0siUS7f-#G=LgyKO5eF51IOFx#@dA2ylPHEqq{d_+2S$U_6 z%h#<%`RRa~`x2AxjReGP|2YxCyDCz);|=$bYc2j6zM$EP=`7FTejwKE=p}C7TkxiG zk7pE#+az;NPp5Bzu-~B|iQc^gP~3MB+4^ux@OgjS>RqsB_Q@NkAYzwRPr3a(sQvp# zvD8)9g-MS6r~iH(tV8R}^RoXLphdX-b?GPoxBM6Z?)9(v=i+dL?- z=RVjkuNFec1s|iFOun2ADwe|!4$gLtOEISu-*GKeL^``vajsledSJ`XsQlvF{zNKy zQ$_F;;(%sW#y2>GrsZYCJqV$mP`K^q{OxzYcR%TQ0pdv3GNFIh%8*s%W{c=V=!4IFNB20gAxb6l;x@^fFf zObcD-dcRTz`>(6P3O81s?m06X@ET=^L+Cyuve#_xCLYW{K-pYr-2j`cBWnEuij$`>?A` zzlt*ZnRU*4;^%*k#&^nZv!;EQmRcS6Z48396HFD3|MEQVxc0VibNfOX`#U36mFvDc zkC)*JepKNC+_!u%Ht(l03c5M{j+)n7q-v&*orUs*`Tnq4B+g=FB<6qIipy_2F1!XI zX|FhRQMJq<)HwCL3-%`#tRACY`{wlh0607G`hu*z*8M8Nyw~=U`z}C<4f9$jUNK${p3qsI=5WSmWfm{OY9 zDx*WZ(lJhV`UEVmOd<-V*ODa7XeSVDgZeHv$yI(+X(_fqw_Qb*SFTwZaFA9U4R?b)D2 z*`}l0NrM@WT?+VqXhF=N!`j#b*k;us-?&;hUPy$u908ZB;{;3#QhuvN9rw3)mr!k5Av7vjygD?I@aDs&#PQZ-^UO}@qbVRatOf-0p+h6HwId2MyBQxzDG z{-h){tP6DIh^iVlZl9Iq@;GzMtY8IZP<0!!jnnP*n0RLKFE}OAMh=siRkXCHU__h_L zIpZq`2gwP3?5mVyQ7vexm$PdGh)Bw75!b9)Mmpkqk&Ocdu;T$NouB#_wC|VrpZA_e z!ieThpCdsyRT(kQxlH5m}y+q^y?2W|iBO7hFAL^Q2xs6x&WM%VyBigczwd zXhS*AOwn|MueiQ5jk+pl^QwxV3GuJjNR70qK;zgi->7s|g+FQ(>(98aG(;OU#Lr&a ztuDahplKJ>tcd-m&6Y}uGiR&)cozIixd913hBc`%9)lPQLo#5fTwR>PW|fzd>%k3{ z{nBCnM$UjXZuzm1YzZ;1vAWvjA6amzJp9jKEOvsI?RwA?>c??h6)0WpfLsNRagg}b zi$+#C-Vd5lYvja5M#k!2h7H4vx&^!VQdB~=d`Bm>h~~W?{heg8h$!cmt0&6oe-s+6T zTDwC#+Y&@tfDH@|;BPU$4hLkMmB}m;<6DqCS>`}r@`rW#=S&7g!GSO-hfwA__Kq+e zG&)r@NFNw<^PA%9*y>Rw8p5wJy}tX_Q;@n8V83L0f)X`VXL!4^vFR7r z=YF&JAb;(^s$+kAxNUHFu`jgpP`J5SgUYvmz|A#k+_U$7xrDkLva*S=bVd^fg^b_4o4mV8)@@`4U8{W7{vP;&&dg{L)e z3R;}sHq@E7Y;GW{?oArJfYZ}*Z3d?WO+sGVm{;IOz6_Ul6Ow+y{^#X6eLcLs{qx%a zr4vL3ADgvhD4Q9+>a8qq>POjt#>))-PmB8v&)%LbOY7PI5omsQfe#V+n#VLgW#Lqh(YXJLOG;Al;L??g9ZLSD~#eatqg=PDDf zPypa7BBAxPz<>GB^gcUp=?7>x=gm4Vy;|TY{+PMTrq6ou6Y|;__pn!j7VdF|`(yhD9YeN^;he4(pgS#=uQ-9kiX`ib)NK%8N z?8jAHW`1hU!ehrbxYu_deX`^9px*W7w8!m^>j7Y=^TwaM&xb?8+7#ZwuFEcAzmvj! 
zt)K*9f2@3lZUX0igcCh{)f)PJ< zVV5r}_q_3@i8k+`*9=^C6 zeQ?mNpJ-Ktm3%p@au_L@I3aHb@W<%RRBDPdI{h?hfd@Xpkcsr@3sfrNe0d#o>sHV2T-dw5B7?iK-zUfmyKK_3%mQX zC>?1scxHJHbv4mJfhsWqXa2qE%X+O#H)ne3Ck8)TgqlLj2rH^GUm1eVx0I1W$RiDb zVT&4!bVT{sInHWiC=y5{2_GMJmL!Lo#f(Kes;_-4m?Mv!)NfTvm7C_pp_OLQcA_*0 za^9=8%I#A)H}-9X$7GtnA(Gr^_D+LS5j=bsS`02~j-CTlqN(qg$O}<`?n!KRp6u|t z@C@n|EQv0crLumkWn4T6y2en=?;3@+3PjNa#rTb~zEm znA-752-3~`6o&R4gNo12E*1QHnFg1&l;u{6Aj)|~SC=1$^@BomN7pek&euV+<_42b z3ivd(6DKY?iPPafMm@wt$^;|dPsmw|ZuW_4yNs0zw5FH)!DwPNJa^ElH(Id`v<*SBy+#jHMwDywu`Bwmfo0|x*mp5& zY++Th+SkW6sK&a}4*PJq)u4GnX82IW*__ zoNa;Nq?>X3xwPAA4UsyCc}NLp1*v8yUoBNFz0z(*Ed$Mzd+AKr9;SMbQY4%p=al?< zf9!j@)BdcE2Cpo;o8j_kZf>4l^ae-HDBy2kmA(RD%LHuMkLk9#Zz4l_o6|& z-r>i!T0!Vd8oZA;+u49-;j&J*NPuTC4Cy8eEW)c!s|1Qw*ABI*ZHBxSs<+t|3o@n{ z3_V9wXg?K}3I)X$9INdlq)ZLz0Ze{e8!4h<Gz9ew<79$IYWyEmErQnn9hfjZS)kYnA z>`!mZxpE`pxYu?Q&M9oQ zpDlCA1!r!!9(BpHTYhKjw=as--@UTdpViuu=dEz}uMUC5>l>$`_rAUB3FrKHy{*oB ze9;{)esure{&}?%ue|vC&&Drbx70G%>^R!;!0uh!mhP&a^>}`pXHI@{*2bHryFXYm zSaY4N>AluJsf&HE%hum{yoO%cdvuZak6LT@TaLVN_ZQDQ<`OUW%B-v1b^BX`D=vEC zX&2wP?Cj&0IQ^{MFS`ER7k0h#8`AQ7AAZv!3ajCT0AbRtB@ux4+ z{rr2I-hB4#@+FtLVq(dyZhZIgUvlGXZ{KIDr#9PkgI}(6!sER1>lgd4wZC)38>^6K z@3Pr3ty3@9V%bfee)54EFFoah<+t4R_2mwH_|BivH{F5$?8bKoXTb*|vkrJ>&Gpy5 z_+(&%U1vT zh2=lZg~|Vst*URxf=ZbMq1s3eBtR&kow8aiD!E!1bzEjt;kwyC=E;tX$PU%$m*P%V zV_Jp2HAwh^T4||PcLZSyM0U)`Z2+UV1+i{5g|MSm!EU#)DlWm@Kn9x)PQ}D3)a_eI zdW^?muUZ8smAu_`c&-$=Tw3F4j0X~(VPr=*tf1*K36GPxaZ%4}TD^~teWl78p3m^P zY=;nf;KU0#KDI-P1g3MyRV*p`p>Y10C3L#>XaO%p_o*6fa@X+hh zqkO~fqz$}Oh>5b1N3u*y?3b-{Q4~EdR~hQ6pM!wF6AMz;QcDUr0ih9G%OupA(oJhJ zJs1=)(Q&E@Pm}`)N|qY}t|T*QC&S4)Ge|PXpw9sm)pB{S(ZRJ*xoV?QrquHg5sAia z%P1rY6*)idVhpE5ITX!-85d;-nBdwDj}5&EgLpuqU-y|-+chmO%rJORx3z9iqN_=p z?evOdVIpPauGEB6EwydbDT(OO97BkCzB6*1gcSg&-V(W{S(wDt>20N=g9RN^(#_8k zHv|{N{0II&s91&^H|?3Y;n$h}ER4DN8~<6D{y&9eQzpkyJLxMxHi?!=P!Nm5{!kn= zdrlz4cwy9p+EQMla7vBT#-PH~CI+5nqh5tc^^3`t!?tpCu8Joy+r*rAz4r6eY(oeyNw$;I>w_{8kFGhumOXi&Z-W>^eBAB4Q_R#PS$& 
zi&YaUW#}G34w+hCY?{4Puih&ZrRf)#wz@)_PmM$}J2q0D7!`8`00c$8-OCrz<~TRi z?Onz#dUCgsLL3uqc4gG5lX@kSD)D@`ozcpv8m5qgn9@p)&YNA&1@!4nB$p?kM2J9H zw2}|giZWmWs-&e9O|L4$IM?H8qXe4SLad{mCWA?lO78Z+soH9FRC@CTCW<9 zI(Wo#RBB*KO<)MOEWeg&`F?WT<`G*fX5Fk=0U@&4FlP|W45FDqG&6{12GPtQni={0 z0>KpdmE=D&`9EKZe3JjD$38sgE5Ls!2*hEELjIlnAM&605B3${Khv|BE@>Qu$uF4y zT>0`(_Wto=8-Rx;cU|J5laEwae zHT)wloE=>M?v1L~(!1YGZuRI<%Se~q zbLDybF8iJSes&jr-Dht|Ji6>@TRwKp3MJ^F3ts8XI_j0j=U=(aM#ERHT7A(?j6Z#o zef-zI{KXH8+)KBGC_Wa!&AN=N)?_IaX{M(jZ_l^yv#m>|Y>7HErLix{5e_HddYmDfyT*b$`>v4iA=I zc|NBWuK&X`8xDf=j2gdM;?DK%IP(rW0pP$!Z~gQQak;H_!gio;AO-R(PNCV&~PPu>0({r^AC{{cUl|AP}V`v1$2|AhZ2sK$$5yZj$m?3kd? zp+PY&{mX{jf8{^Yr}qE(I`SWE>d?bNr;7>kLg)XO3&VdrZs_xP&aE|?{VEqX+kh=p z9p6f@A+F;Nl19r=Y*@CEAv`o^7rA!CWR))15Hzp>v9O{y7z? z+6c{v8rh0o=G&xQtuuq>h@jH)1kQxbwlfZ!SjdMNp6P~dyPY1|?OFqsb1B$O0Ofq6 zRjJc#gA}l^Q>)dqxZBUzvJm%?!t_>Q0JUROU>cKB(6Ct0&v=ZK&E(M%nSqVSQGss4 zEhN=$0jDRWT9s3Rz6@qNcAeHIW|l#EUK<{jYEw76k|4trO*QN^H?FY|HY#Ns$$|_d z^D%`tVyV~3WDu`I;8X$6O+s>zG#a|@1O`9pKxn=<tc~uFp zWDonC`9Fz-sZaPYqN?RAM!*Ik^u;`mW`Zy%b}~*s(6W6=8sJ@w&ot^Cg7wL0looNA z0Y{Y@;80N`(f6=^dU|K&XG&0ni)}m1IS5-E;B29tgj9|m>BJynXaiMyb-$V^R;6yc zEUV=t4772ygOAfnl#BCSwitv4l^mtz(1dciv^~rR?7$nS)taA9RJ(9G!J&EyYNpvJ zD-`nz?E;y!I8_WrMjQE%Hwe2$iI+*H4+qUQ2v->s%MajwyNU67!Qv)uQ`Lu&&`6V@ z(XpKIum}*N-eg3=!(6HnwG9{=>&~!=jniDc8);fWa#=1)qc%}vb2e8-O+QB|q2FtB zbO9^bGzCD4Vp~~iAQ#4EmXc&v&&gyw{yh0VAI9{D_CKgt$*gAenV{sy{0IE{@t=h< zH-F_n(!%urk#hZBB^R>1kOGVX$Z1Yl?1zDeN?8~Zivr>sIT-TTG$9kkfsil7Xiwrf zv6n4Wn(20{6q>E7>GI98R|EWx2Kho+#felH4wyku(owq4Fd>T<5ZwfG(gJum{F^?6L7V}uwy&+xpptzR0_p}ldwY~n}KUeR|k7) zUb0(ROP*fCENcwnsRj|ing^gkQE*Zc?dl>}g7;YsZ@#$6W3Z^fHkuA0vSL~`2i|SX0 zwxD8kEo2d!$$ETS9G5HEED$6bu+V_)LH@7#KPiDFKa2kaALsw@8r|tlEh@mFxmIJr zI@iTf!xO=#o9RzYYg}-7r^QW8tfvIc26J`_RXP=z)MOlp{f_U6^=eJ$jHtvUET{r{ogz2z z?L<~fm%F4Tj;VS#ohliYiP!_2%$nk`h6!nIQX~jKj>3jFRX-^#Ta&a(cUX5@XjIK< zNr@R_1G(BE%R(WS&%r9Jqe!w{v_V(tj+zavnBvAbp!A$>IS3uQ1lJ~ENo$rIxh>M| zK4ry76@mDKkD;cW=?23I)<;#b*WoBp0SjPT&zU0=;GmK23bh^@R>Vx#?&mAnR>zp0 
zppg&a!pbfTNxJdJSL01#b_ggd2_!7#WW`$7Q4bqv>F zB>Q>#w9UYy8F(}Uk7nS}3_O~FNB{2#1XI*klK;%a|GpIYB>xE(efiM;J^vvvh=53f zf{}lN|4?5={)3~_4@W?l`hxk->>cmOo_*XRTg{oRa!LbB=jr4S%D1 z%FYoRtlFzR`^H*&bl{eQb52(`S~Ner53|;MPe1D|AzR1p{l!xAM(;27z$Sa0aL-wX zAM?y}``mWmm7{O%L+|w6jW=sweb82i4u6(0o>@Dy_Qj1qw-^8RhWoF7WAVpl@3!MU zN36EzF{?ei`)R_Gjji95@7lICK4IBk?|;zyTczJ0J^9mz3ODZJU$gXebI&>dnR{O6 zmVW-K@7<<9^UTq!mRBhr5np!YuhBes+U~@?$4bX+Qo3o;YkrA+aG&_%+4tqC(ct1)?_U1QX0y({_|NOC8}a-NFCM$Y zJGDPOzu8WQY(RP2*0k5bKkxbCerMda){mW|<_u1L_1#ym+4F|epV(S?_Xk(3k=xz> zW#+2+{2eRL+2(*}PrLH@{#i$?@coP5UtzVv(`&8EZ2!>dhqfL%^vu22+jgwcRzR-+@Uk?X2#W@eqI>eaoGNwT)%P!x%=p4&fI6G>%r|{PDm%* z^xE5&-qvRQ@X5DMzvQf+uKK6^>6@(n;*o_XSKjmNy>H!sIQPMMHy^)RX4ah6TbmuS z@rJ*-@t3#0^1;fxoN~_FFF$G?aP8_#pZZGwgssXeao2D9yT9oF|8f2g_9^w>X8Qkp zDe|B2pE^En!Jpyues%c|BE%(F=#<7noQD2={`0B*f68A!{?mjO`05hd#DtEpu>7aH zF#IRtY?EYU1gclkBc@o2fKp09^NpaO4|K;GDB=L7^0`)8<^2Lt?@!XzDy%ClHum8P z+6RYXWP+iJ^dQfL8WB@80fs6<`Ut9dpg_PaN6*VuuEO>+W-(Kvb+T>JMlXv@@@N^Z zA%zA?23#pUF2uZQfD}@n065JIbBRQnC<2P^>gr$foKRWH2HcM4{z+ zY`(4OElbq&W~6a2k3O5N=A$qCX`$vh&0u38>eF)~>x4`i#H zs4*4LuQ!Tygh{hTm@QZ9RhAewD2ohXPZuEDuUnQ7M3lE`|d2YESKjBBo_W183r=@@2d4RCAvvu1GA%{|W2= zpkk|*5+rBhiXZbI=lvITSw1__$zbRLWW6`}Gxaf@jj=`}X-{3x7#6y)Dkr)?#R&z$LAktI;83QOO-iL< zqA>UooJ zrG7eLWt8de%1o$cNsjG_1=R_ZMC7=cq2&Tn=KNN|nl3#F$g8zb2-w=lh9^c>;RnW0 zwTqrqz}looHw?QADP-9i*Cs&$&9-yCKQO9g#|q#^#%O9qpq0R^5TC$XvZz3#gfS9fVA41;XE^(XNL34aGn{? 
zGsAgih#_?Z7}@f|R8nEDC+bK;kZ zPhf;3F%TkP5+=z_pmo8uKf))gek%V#{+|Az5R89<{_OOnpFIvC2nM4dzRADjIs0?Y zjw?R4^}HocSoF6~y?pKKXMX$AW6wYNrWG$c=c@b9zU7v4t-~K)a~&=k7S4R&h088F zY@OXVKJBz0x@)|$&Yp+<_EF@zC2#!0$)}w6t2x$IyVV!_)uqeNK4^>k#h-68UT+2A z{uK}U^|unQ-#`1C!ur52Hym*HlJ6Y4s#jfU+w(7Z{j%A$r4Gdq{oYM>K56&U8b4ZV&p%%I>+gJDsseA{cjGp6l2>lJ za&83Ed!BQ;?anuco4lObW5u~ol$Y8?_=xAM2rmCmJm*tr&FqU--l_F8 zy$H14sk>e=YjAJtgvKS$T)69^t1X?n@i*uBwODy@IdDK&vA9&m!8?}4GAYSBy&CmJ8GRF=7^vChZvzMhR z@0W5+gw^aaq!*E=Dk|`(Y;&CJAB{RbX9Wx@DCf!TXVVXFa75H zz0Ta}H|MI!=YRFy(VO4(hh0`;HKOOtWLkIrTv41>tV8Pf$Z948aw_py?>Db#s3jBENx;piBYZX4M z=}LckASag=r=MLLHEnt##0&%c+W|=)Q>}K*1QicWgr)ty+MBl-PR4#9)lqA>~xh9WV2_)UDcA`otlhZMV?g247iJIBKKy@i- zbg?8-;yraFYQ?Bg4J-x6xmcdW6@*g?yr7d6IxW<*e65|!advuW*8phL>N7EsObiJn z8%z?J44HGKbkrpgHxYyxc#IcPL|{)GEv*wN0-98Eq7V<7IZ_&`ObVdNh~013D7riv znB{)AnJD$5c4>NA1&_o8hv!qxX0l>sqAZyx1!GLtP_R4H`}Ky#FB6ShLmkRDvV7R;sAD6;x^fS7MSL<;1*;!+*;2hQk-_Oz_zwyaeO!;I z(Tqf(0XjHAjHq~!gn}HymO9OepHGLr-bcHAyFT_Znw09(Q_sH6DqvtYs&Lq)ib1VK z7HTjKw2?8!kBMyAkco-!d90YJ(J53E2#-u=ZMNL0%1|y7SWq@n3tFR^Nq~hK?-m8K zm&mytz)rOK1tBMmMIuuR%0t$JjLgu5P+` z)KDGKU;wPEP;p|xRL#jqY>63V!1Aa>!6mk+;9e(5`OS_mDm5{g3UV2=W({0-BG9@N z(S$~!E`a9~k;$u#mf9F`#lj@ZEqs0kT%$@1|^Dot{^OcP?E|jSO zKDIRrf!M>M2~i!F?vJtq6ljmzNwXjDJf#mv%LtK3DJNK)Dj6*6w!4V}QJ*LTJ~S&7 z+)wwbLsU#hZn`xd48&x~&I9F)R~foNzMq(G5~a#TL{cB65Xz;fB0Er;s-xG3IxHv? 
zs}>@GI)USn(`)K_QplMJ3kE!g4|+q!G>EcXSBkpaCn>T@3_~S3UD0C07oV3+eW^n zQr%%9q*TYYOQo7wZ<-peb$uZ0yLH6%+8@UjwKyeyR%}r+KUBX)iWSB}owkHjf&n-k zvl@E2^N(vBvuhP)fq4ZRoG`4yRM?Zp;{|J;Pta!uD``iTiVfUTYH+cM z3bjdrCY?l+hg&tT6~pF4MUeh58uA_j#6_sl4f%Sy+K+o<4=WH%s;F3#o?T%^IH>4w zks8BV7)BB&5DJ%$$33fAkZ?C&C{c+j5D=J?#PW>MA6vyB;$Wj7m{P)ZG(k^P^F2k) zYT?i)$r|1k+k;TWg*uf0#T1I^m8cK`IU-;C-Y~9u z>6BX$Gu6-2vu%bE%`l=FMl{2SW*E^7Bl>y^gn<8b0Q4{U&)?_&AmE4mhnUI#`BDVj zbJj1wJr_IUulxtPa~<@mPw=0UzFdNWViW;`ID$|Jz6rD*xXwrXXSL7ZKmP!LV1)Qz z1EA^YQwT`F5Cx!&SC^q_r|Xsu&7JbzqI1sO=($a|J8U9r!RbG`HNOwjejWk2mpNtT=$;< z&q*NT-&uU0Jx+Y>yzym<(%kK=6{P*&d^bM+ie-x@u6fL9r|+*nu+3)G3tqnThNo^> z??(ER#2+4C#XI+bW$$ahdHvpN9dy;(%!8D)Xm9rA=$!lCIpd;}F4=p__fPlcrocB4_VhCRbnbkM~f8%-k!te)-g$uYG@`3(~hO@`nq1KY!$=(^h|P z{4Huf4!|~Ry}rV)PTJ~EudLI2PhpEf6QQXVrgWzmkrw$d)isOCw^(M8%H0 z;DPLhkm`Qy+^L_*e}oiTVW)4LIY-7>xPNt_~d~}+EkO7@xD_f2ldbwNIrw5ukxw88AbCAoWa-Zn;l>Q4{ zAn65vXUzPEq``{^VS*MXUW>;uqse#C-ovICzhEc&RDF@I_qMX4oFwK&wo|bEnwWf(c9X6z+rkodB zh!7e0C}CBLBTAq{i%FHav4#g8*dRQz;{iB3sA6h5S1RDiOj0DqMMw(KfmtkOn}H~| zLO4vtd3B5hVvnMT76-9Gm~YF23P+1$qy`XXK^x~fR(jF_6C|UHn$t2W7TWdUhGr;2 zY$a(#*9iw5ASHR+%dxG30kyPRXx5#8;AKp(1GnB#R@-7?&5bcl+dQKpmKPfpT26PoFIx0)^%iB`4VfE+Vn zroustVJ4ZMbPL|7K?4}&y7{P3WQr#33{;Kj5jl>oc9W@;U9l%ElNe`{rbMS(S+U4C#$wPspt z%A-sRXX-%|reK`l^EDtyBv6IuL!)uN(QkBlla-5~ga4!!sMlfQAJl8$CHt~A6G!|o zX4nys&&>T{zmjppg*7#QHLY6mJ=X2WTB+S&Gb}3TMX6DIL*!^kt?|Qnjd5U9@Z*ViJhuau&Ad^b%NP`H{D1K ztaNM>Eu=`xCBz!VOt)P3aEQw1QFp*3Gm%`QlOw7Hpf$8exUFW*O3MOoG;zJ8wfP|^ z!D$-|iObJU=C;{s#2H$PTVk<8DMNk%$ko9UN!0A#s=hn;CM0G5309D6Tmu+%d91$*ca%u-qd@XcuI zGmpW9I;scpC}>22r=+F0)VCDTPtgJs(K!(-h!%8s+;K_)X zu1$1=ji@m;p2WG1q_?_eoh?a8uvhO*uw*HAJ-P3r{Q-j3cw~VO&rcyE#sEIxP!pqKR-qH@d@e3-Lk)1tO#2 zH?=mJQz*=d=!qdpZCg>C$imocl%x}}+DdeDlT>CHq{F%{OI=1*TVmFU#uF_X15Rn| z2b~tnNdh%BuX)!QBxoYp068P?CEP?8H?0}&GsAsmxX%ptnc+S&+~@yySr9${O4Wb+ zi2q>tO#kmMMLt>o?evX~@&EVr-$)2TrfUMn!GBr*ZMuU0ss7t1Gl0JQ`fntPOg|aI zF!&3u|F*{qJ3PG8^S^w_x#m8q_4C*7_YWdoJ1qY3dUN(#Ghgf9wfU%Vz*bL&^YY>@ 
zs{NY_-@W>cZFV~GwLi04@ASq|@4vCmPnQ2lxX;l`o``aL-uhDa?VrzE2QMD3y?iTu z{Svb`%&d9NxfgzS`Mvnxx#(|Bed#sp!WF@7AAjDw>!tZyo`1p<$;waKXM7*~ZSonv z>o?YYgzG%{-tng{pFH!yUp)8BGkc%2*-AU^yzdIQa4_}w2`gNEYIDG2oO zf7HEVawhfIA4EYM|6MkIeXC`T zUFp2}zt}^3|DZR2xAe<5UweDPm@_$O_3s@&_wL&sU4P4i?tNz2CmY{72wH62ThV(q z=J8|r^9*r?ZC9FCS?R1N2i7WwbXJ`F=GAAvaqMkpldG)#?8XPaf92XgeBs>_PY*7+ z^|m99UH|TV?eG5n{EIJtVZHFpGroPtJ-b)L6>hDEbJ+8jNxpFOoEM*6J~#z>d!xhO zI$`$8@87&O_Uwv#t@=#;wC8W!V8vbcg^#+Ved>0Fr_TCyZqcPLzxmGeM!)&#tYIT-=)XSUBgpEyU(6Qqwr{2Txy&Z&h1sXeCgL1@zym|F(dAd}{xn+SjlC+X8=Fm zmIORr}gnWWdl_@E4u zg58U25y@3tDCGro4e+YfL?IPVsDfIUP6Hj$A(OdHN>DL#J-|}nQ8(WAP#8e(lANs zqjp|xBRy$U;vxzeS_Oliz@k(Dh@{dpxarnY+Fmp67s5_27mcN`Q#HtnIq?u1<3@!M z14DifDq}g3rwyyYX=Y2wr$?v;fwy^k&VYn`~p;_7nLuGN_K37M>Y)ilgErj+HVZ;?t>$ zt4><-hA7u3z=<}%GRmM2(XO6h%YZd3=O?z6cS{IwD5y-(!qQR$8^CKBzXMY}ugE7GOb!ywMlK5E&+{xfzJLLR(m$wJ zvxKXOnH-?6bN#o4F*ko>Knv6Vhu5u&nCbV1gEG*E6o#*jN(NffWR9aUR3cZAQhYkZ zqpYVZgIq>!$xI@S5V^@Wqizj#4O44JeIaAOa0X~qN@2xQ`=l0Rv2xFf61I;)39OVX z69U3jq9Sjz1JqJm4w&ij1U10hF*h&^x#BRO%1vM-jXkCk`GH4dO+V5!CJ(Z11?yXr zv`PC3swvY=l@*AJ*oShOOv<%E%$1k~lxy>Hrwzy+Oi+c;pJ>%OrrTA4uQfQj!u4U2 z>{-kNcf~|D9~H-bsexAqbY_I;)ud9B(#_CrMzVuN~mahjOmgjE(FSmts@p< zVNh&zTT!VgTK!l-(4IGzRTmwpYR~8?EHvFxUaHru02Crp&2qz0r}l`*O8&5p(}5A2 z*)*3OkJvaA6|^sv^rn)AtZqwa^=K@#<;t+G7#)&yfVSYl#e%5^kQ7!c^?D0cFqeS+ zKAl6d0>f9dPPtkrmM~BzGSxwVCgiSd5AxZBUS^fB4n&XE8Avz?J z0!s<)s1O#UY?+{K6`wdQLe>e1m^5TICI=0xUPwaenY5l6yfcG$X7J7o-kHHWGxDzl zLO|#%$$w_*zkMn4N&a)&ymb%w3h*Bip)~JhANKA8+->rF6gYbbD651~_67mg zw4^eMZP~J{Wy?dBnYLtEwk6A!ELj$->>c*r8&dWN31yG42`wu?S!IYJjwf#=_&=aA#pKSTsrgv<6)`qwG&Rz$`=HsjMQ{e@7 zGz%Lt%U*Z!yj#U%=G}XWc-UyI1(&^hR%r9feRgp~Fn8nBjAJ%@>aZoQYeAPSyZN)9 zUoGf|Y`ubNy(XVG$ep&uo5%fa>opHW)_n0kpcH&wy5v!=w>Rs&-k!hHH6I@Thxf#X z*A6Pr{PuzN;L>MTy`10gE`0F4`cL`F$6B9kvrQtzmkDQIGNZBUN5CV?UUlZ;o7`~E z`^&ZW0gpH*@#uMLo$&f|Z}kp4=fYK2*mAiykGp)W%NO+T+-llYC)}U+-+ghNE6+W4 zwN;)*h^v==@cOmLYc^Z*p6fo!cOU!B`>!9WzIfNV`+R!Rs`o8-={~QXvvx50sPO9j z%eD^u!z~70dt%jxuQ~AE&9Yj=##4t4_-L`$tPcb`jYz&FW<2L*{fdc 
zZ-2p(a~JUZ`1Nf+*O@&M56p~xa_t(Y-G1vw*BAD?A@$I_yPtYsZnHSrWz7?>yXFrk zogZ6n+A@dEeQvp|e(&A~JaOK`H|=)8dd`~Z{KxOLGyR{O|6pQAgM_I3x4TM&tCEC?trwha@PSERDlUS?-v8;!e zGL|JM*-)TLl`-0AI1O6Woz{R(wrb$8ZS=-Qo60Bid83zr2n+(U%@A=5EdiHHyf;o+ zSy9r=94l)zKh+DA1{?3?2b0B3o$+Ox5XyE|QR~PEWQ)yYkM>LeFH3~pC`4pAM;3ie zm)k-rUnxRE${44NPO4CvEH~K(-S84aUmT{<6bpw~qOYQZp$B&~AfWwD%7aIlzD&4s zhUmA-rdMj@>v*d=9IJeZ&4zk6%PDHd9m!@=;v3|E#T*Q-SL=GR3gq&Tp&K{}v8qOE zWhSSBU@45#PS&hg8Q+5u1&1=Z0h2A(Y6_;aQa7GZY?&!e#x8}A0G&6`@8&R zQdC-qY+5iJfoXU1tqwM#TLpu)5};2HlZITc#m5Q5@6;kZYUKPh+6BiRJg@&g?YCV9=Em#dE22p&s)Y?Hm@wRiT#3Mv9c6M>td}(tNQ@m7%q$`Yp3dg{90@h@@;DDLpa}PT zyiM?4n{b^9VWsngQq9*bhl?^GJ;a)UYz+JC*cSM<-YzF3z6dJHRJT%kjdMlJS;W&3Lz`u*o^I)3Rt-`E3g(e?NWu<*EghE8~ou!^w7RY(SXQQVLD6 z;P9!c6XY$%Y4w5fm?r~J4}0AX3Ta-~DPY6UsZ}|G8J8(s9u0IDclfmAl#3Z|+|(61 zG&{+X$H@sqg9V_}h?{UBEA%u9Hh72~fM8ga6QHYbgWRAPsXU%ijKFH)Y5=2Mo?x>B zo`e~y>uSSRvp#th6u;PvFxQS`kgLNA*fQABAf2YYY9^D3O|HWweQy&?vU zo(O4nrazf#Bi_zgdUi79_GC{RA*HiV<|L+Hhulmn>ZymAKkMBPeMnV({VKDkF{0CVS{fCHC zI39;_?0fc~3vOJ0ht00OqC}ta+=hERu>4IMH1^IcpBJCaA3JZE(hf(@{qQJDBDa3y z#@|0snQOn%?5{Dsxy!tnwcCDq$vThxu6-S=f41FLH=Ov?r@ePhJ?X;Yg0-T=1@&ng z!OPtvEw$v1Tg;gC!uE3>S^c2{^!u9c7EYb<-je$+X{_xew|NQY(uZGkVtJpHP5tge zUbVYx{5tI{#-BdR{`H(FxAAL-r+yvGXRrTw`?t4m&)?va&7azQ2;RT^+N(S=^JiDD zec&q3Z2js{kDUGnSd)$;UdqQlSZwx;kJlbUv+um>k=6hF@-Aqy^^4eIhbOkV8`y2< z9Z&o1?K>Cme*U+Ax#;|5cL~!kt-U9DiFU#t&N*yT{G5{) z+_F~wnCGV-w(?1}^DbytW{UfiZ$0Pp?M^)P{G<0gb!Bw7c~64-o<#liqa9z{>xwg9 z`#5p!v=7fbWSJL=<9$#1;E`9adFaFUPdMhN)QoFio3ZzqA6C|QA>CMUv%AlG?e1Tn zyw2ldSi7OQ_nw=z=db;&zt_h%U=^qH^6KKFdsI>5;@)+i9Og1#e6jtJ((2w)R~Da4 zZcNW-K7J8{*ZS+F%WQ*uAspP?e4|s=-RPw7wYl%^)O!9;>zupmId%KxtFw#NWG;g|0;w>f#~>u)&s(b-F1zWQpZPc~n#a67Q^oxLZY-r-NH zA8_5-yIp(B^Wx~i^?)lJ`0x4uN3Q=NzQ%v1`hWf)@$dK##+xYfl}0s-y8qxpr;ACY z1UC5?`S$+P`8xm6e|rAYg`_XRN-^=wkX8!4cwdvz5|}mnacbO5)fsG_w6SDak9dt=ypm2P?xER z{h|WrC!gt>>24)wa~Uz6;ox+IlUW&0<|0>RxNbkf{IJOK39d%A{9zPt)oUCMpe?vn 
zjy1tphiCjzQ>ir|os$~l$t|+G?QTt~va#&I6*Sn5BUNK0WvQ6h)-o~HK*+H-00wdsG@?b0nw(C}XpW+dap2fV)fk)VKnxrtzy?MxFFQ6&(?L~M-8_{I8NMNo(P{c&L}5m!-Eq2?9F1$ZCaJkrqs6uA!yL;FQ}`e)ja-|<1x&5* zQPk`KaE_8=bpeY;Jd9{gfgQ3oC)p&_PCvPzRIrP2kW4Qg3!*wJh!Q}t1+ z$o9&^Q9qU(33V*i^{gmjnqV@oa+w^U)EzAuhZNte^;<@(lBJ=5)LKD~DAJSzM@^d= ziYk>DYm@+|@dn*5X;^HM9ZJ=9ZWz!&0vu8yUB-r;92kTnJn1XlPHB*5Ij;g5l+cP& z3SA+~lf@RxcYSsc#0D0I581RKP&`Egb!0Ri%Sn_fmH$!yLrjMAH~EkK5C6$V3Eh#s zuc`l0S-w^^%||8K5J1KL5B&3ujw@> z=)`(0R>^3XB%$%iBTG1@WuYJIRug=O?Zp8`${I#ShH{-yinsI*8;n>!l1z;R^_pk6 zD54CE4j!TvlJ5{k*i`G-K!?CloXd}xst*_jRdiEQFD2*d;y6}KjHaAt%6X=oXUch| zoM*~;rsDq&7=_S9(toDTfA~S-EB>?cI={W_h#%d5Up3uxA7nJzxfaO*6}-Vp2urn#wg#DZs(b4 zT8en4z3idt!|mRp9-bQy=lg=uQ;%oTr%CwWVntI?$Hy=o!x~GJ&pD%g+>fV$&49-j z6yTZM+fAD#R{LY{A~%hyY2?yz)eXJ(ugMnN zj!WMJz_I^fr)&GuuA0*#_vcepdGqFvOChtFBDW(x4@XP8hu(`KKDQqHqzBtgm%Z^V zAJ<9CCg()S2_Aav^|$bFJ3dPWySsCq`4lXC0boL1((A_GwU5JzHZ$P!%Nz<}2e4${ zr}2n^9WtsLOk{sA@W;@sQbZj7t_J3(^PGcE3bSBB-nTFuwz9M^LV>Q0E42@ky&8Go&HhyLZDMqm{cKyE z2Z{~ultAk^6i7N6683&6kbJE8!di&W~R}N?PlQtU+rtLT5420S)9nzORx7+RmYtd06cY_;c z(ONEn{<>QRE5CzvA~#&N$LFHfFQ#DdNcDKzX-{%cfVZCoC?6Lx#sv_MD{ikFJe*Tk zHK$C7DxYIhmO%HZjeFPAsoSXwkNqpTkjGISms1Q+{IIj(N|+CmuE>tQON|1TcNZt% z-H5~76|jmLFXN?8@;2j>)%3ytGZTbW@M-r9ddw<$ogyUvL;{TzwM!{Im%PY(kWNFX z&|)Zr(lh+}kiY-)Y4o}OUKF3KUHN+8ep)QSP!FP=-`Qu1vRexfhjzw5aIE+TCJ2W? 
zKi{U$$9_yKCSs>*|MP;yPe>syL2vqjbK-bOlc^*Vsn}YykhNEqq@*!?X)t7s5Dd7)jfqa~p-(^HT$d5vObUNW_V|);5e^xOb;Yx1aDQ7% zV4g2$&U0LrBv-Bpkn#107g^C)q)ITR6+=cf4hY>fo}s9DQDd@Wr}k$`LjuIiUG4jh zoQ^+7eXBNO$bmJq(*yh7yE}ZXom(M7_GL`F}w0sp`G1nBMk2x7r7#GmX%5E}Hjh-NF|I#i& z5lsf5QxPE;QST%k^maSmxq<)rNqW$)tRgo()DDHKR;qX^hHJJQFu&c$PV4^@!>W%g z3LczM5<k&MNK6~o82ZGmO;lJ2KEl%nJ}|_iWdFq{ z$ih@yY8)JWMsDdK%A8W|-%msn)_qb))vlvYyO&=mSM^1YSfCw&t>&)gFXZk0ALKPB zeixSrGt%mdG%iQF)`u^VfRL=Y$yCY9ckWS^7_U$n6Gi*-9@~|WDmo9FG4e^8?P1Bv zyk@0*7bIuQ5-tVykN-4gHfRm?Ko`@ zGNIy-TggVB^0=8;M6e{DxZBbt;s;J5U?(z2g@^{CUIW2Nw=f+&_(Dyk_9owV=fbfR zCAB0qohX~tq8PEl1w4Ck7oatEu-Ye-1nc4IXf}{Szy*ETX$u- z5sYA>`gYSc@Gl%|+JGD$oh`)RcSX=*S|KhCWjor@9g^+%5{!%D$*2$p(wPUe48}mJ zKsIIPF&J91wAHWRmP`*+L3dE%*6Y zl0v?CBSBPJZrOh<4Ke;Y4Us51^1n9Bx%94d2n*ZF_JlT+zqlw|efLtYs-nzAU$HyB`}6Y$&#rxS_-p z3wKW%n|2Cf7v)o)XZe4|4G0lCu=)#Mt4lt*2uV6m1^O-8(wktPQG^Ee7%?cW?REr~ zbB_hkrFI#Ak@P?5fSg`0GLk(96F4e7UXW~_?VaHsLLxa@?AC@j#_ce)F0Oww?8y_} ztsBuWT+usijc>hR>CCLlW^}%KOXJIHbDGr*aqziT96a$E1s7eu@@{akKi}^o*gh_P zzVDJvW-oHMy1CtKZFS|iu1^Ku?O>H@(R%NBR(0`N(*nEaQdpaheqw#z^gnSJd5G(N z3{nqWwXr#$&~@?o)J%@lxpJQNQ55Q}aY_2z<-{d%+0Bht!gMwFnNn=jxt=s=c%yXHb0i!yLfjJHbC26ZVM4f zTU+@qXQlHqY)=bYQ(+xH1b%ot?*P;}HftI?fzc*0eXcBxms?GH7d+#uHd$8-Kz5wZ z7mKshHGa+A@Hqi9TOIca9R|Hi)`Nh&MS-W~le#OO`_(;;RF~bwJ70hR<8E5U;|gZ@ zN6Dxi(_P8XH8-Bxm()9lv$XzR_ObXpFmmdm&H;l(0LW^nczYWUzO#Fu?lhe=d>85B zdzop|-2jCoWb(Yd>k$?Rs5cYy{dC`cT%%t;$f;BNoG2Nx_5KW+-H_M5J!e8|cz?Z1 z^r(8D{E7pteDWDD_1(c_h7r_vDtdeLsO7SGM@R3M1z2rud7foGVV--RCLGxwT{aqh z$x!figkDg-P&@>6yBG|JW?Whm9UnL9+*jo-o2Z`J*NWv=_~;c$b^QEBj~!npM(q!O zn`L?=I){ofxV}xj_fdkb$4s?dcPu^2J+A_RQ=o7qP!niRz|D&q1p59T%N0meuE^2^ zHQh^`qbo4I-d@oiYrRE3HynZ9(LZ1kq^L>aTSKrDuoi*v2zvrI%*8X33>fGv#>{Ic z(7p?7LS>c2JqPH28pm0&W#F#{)_|^f|>rWi5|?r3HZ4WVxA`C=mscS}O>QK%D#-26w8I zQ3z}GS*5r)YvG^0!(q<)zP2Qe_pxd=tV6}|xJ5V(KZ}*dyS+$)du&{>{pv3)e>pPx z8GS=oIN+wk)uo#^(Un$b%geweZ_}{k9raY`yZ+g-1V|FAJ$z8U2mqtTfp%IkZCMwF z%7H@XE_}iNpnw~zh?PwwZkZi1G;PY%*GysEMF=xwQ}8d_j-4AVDBveaae$OfU~c7* 
zYSp1t9%~f!T{8EiJea7@bUJ6!8dH482gghoZbFYZZU*d~h{?p)K)Hh?YB?}0 zH`>dX&)H%Et2+;tt9w4sU&uMQ;?asQR1q_InAaIai7y2m8YCRST{^a)X;iCiTy`TT zQpwVnT584wG$tb!6wO71=cs2auhtM!nD7BK;LOMUiM#p52o2DQQh+ThD*2}*<=1HY zRc}Tw1qEkaq{P{M+-I9%o*GN9R-p(nLfufl8flnKD46_nHG{V@p^i=YN&H1ad-vs@ zvsjjY&X=Mp2cKCm49bYgPa-Bj6keN_{?NJK;Ga*8STPyo$myRZ;o2HWw6UJwFn&gC zx!djq+DxNQ+!-TjC3}l_l>%sSq%T)bz_+fCqqh^#pc@w+YprIOD~avDwi(TGAoUIaZ*ao&&~&ZyGJgXzCzVVR4$6IKu_+&rMF&i1HXm{SRAcEs zkQ`v_*RFA#iRLL5iu5P^#I+CVwCMLEP|3cwO@hV1#E|vWA9~gFKjvx{8q|<`0)(Q^ z8m&SsA@UmG$s22lQl-QxvkS5+&ucuWV)Q}NDP(KLwTM@2M{F(Khm@ijCk!9JrwDZ| zQn-i5ptBg&=~qG4aXDgpuY@Y7vEcjVTT;&%2TM&HjT22R{^*>WNXAzqzn`XzNey{K zQ`TS&6#d@;ioH2dTO&CUP(A{Jh;CHBO8=@>9)_L>v42v<=j*3GV}AOBI6yg=U|)j0 zWilxo`b+0q7k=H-;~DSur4IvP%IbcES>>4RLytrH>${fuX}if4E+OM3!={hlSAYm$ zw5c3C+{Vzg9CR4eRFy5@z1>J*`}7i&_HWdMj=t{cAHyWTuHiL2Dg8tAv@#=ka%5QhJG2($C9qiur|W%Fd|!+yebbM*uQD0zSL z!7lLkWlS{b-0|^}&?Ap)Ni|E$FfDw_?Z~yx^_c$VgpgzT7q9VHTk4eBE}ij)NENq( zo#Eap4NKG3UgnGrj70 zzfZ8E9B>~q`wIsEB|x`+R_Um-WxnRp3Xs->XGz%kqDFD$b@qEzQt2{g-@TIWsWFx3 z;?F}6-IowOMFgZKo^GdA|3Iibd~maK>XDxAjIFHx@jfGpYvI zJQV0!NcXQaCm_nIzT;;ZfSL5DRruUa-HANXzV7`uhS#y;K6c)IZdhZMwefxq(KO}b za7nQCag+BjrES>Bb}_MpX6K$viKSvGzIk^T|mi+81cvxZvpc+$P@~? 
zQ2%TRlUKw6O}4MvgS`34ldnWYZyFxN(Z@|pWU%2XfeCY?UQ}8PA`&wR)za^8uHoz| zEYxyg#HAC(3eI9b`5~pf1hj(01hG)I)$l}-gM=upR^;PQS`0XlW_WDX!s%+2rcO)FspcI8d3ifo05-5X=l&Ee`2vQZ1 zR-nFDbA9hIO|f&y1=EnGKI!h3DAr#Z<6AAScaqbkX!HLUFWGMid!!EdsIMi2onb3T}y&U*g>ld`9`4yZirmw@bve8j5&K zF5jLD2rL@0IR@3rwCl?LO-|cb@Kr=IqvbO(|J!HD)HT{LCSCwo#<4Df174zHr8J;M zVrm8XB)$tZWjYxd(5TY_qH;nvzyK)AUcmuWJbCtg&k7Y~5WVFTTtLCUQhbC_dk3ba zbB(*cvIQojJ#Q01nYO*J%Q9kNqA}>vQhzDbsmXF|4n5p^h1)6@V88@X!sXL#MjC53e*<#pbNK%W z!s$l>^quRLT3?Rr=}{Lj=DGAs>K(A?Alw3e$NotSDNcE=^(_Cc_W=|5g|I@`Bf~*( zkguI*z{8*_(%(m?6tHNCxr28O^+x3eg|sOiH^pZ$^v4i|4;PH+#V zH{s?X!z6_(e8*{;;hUvF7dIo&lK3;vS(i)l{bNNPkUtA}xq0Nme`sPgHTC%jVB>OS z%4d1{n^ZbvpT_qv3IEg{!r*31_8LC)8DM)C?nKZI9Lh?<+}c%-Cah62d1`a@FgzUZ zD@;;rv!JuMNhiuhIZj zmO6YKye3(TqCDk~h;27HWyf6}XJF2{mpGkX4`2bN3gD#ttJ;Hmgqtf)#K=c$vTt7iR0$uZYP{`^6o z+O>h#A7`5mMmx!I1nn;$WtCgw?Kk;17;l^CT~nSrcJcx~JA1B|puv?rKC_G)B9~j) zVij+U1nG8+m)Kzl zY@!9(OVv3XJ2hv~_(<*CSEVeqTK z<7OF0lA+l4T%;9qkN)6K159htnH=A<6KZIf7Q`eu{K^{Du>&)S1pTt$EGTg znG>6E=vY3y4LOV86v0*#3B4kBqGQ&H^{Xf5DP^R0E#d7?osgmvEt4f$!O_%!t|O6( za!wv?NEW8z`es5UJ1BxWewa}F``d|7NRPt|EQ=b0#ImLO!Rbe>5c-&4hs}J7frmac zS*zywlSEz$zQTqJ8UEngg~Z$+WAwEBM78J(E+kIC;4P(kj1sHn@bHN)*f7#hMG1sj z5sGjRQ;o2D4{jl2Xm}?2Hn=*;hw-mc%~iVoBV3$?YMw501DU@E zR{Bulni7BM$w<5Ue7+C@)KPTR1R@(a?GvkbLhAn{Z0v%Su4jCO`x1s_{3LCVHfStep`vLd zvEP80b$fuUkNToZOG51&GvySYAh}f)o~S^D=6y6?;hq1W&%vGzN826-!c_Xp4sRr?IQA%o(m z#vO#IRex?{g5Q5{Ts;_WUIPV#LcZ3eyGDTRz-Rf&_+!qJdsvNSk1SAT(O;1Am45N7S+ix`Tp|p#0*MEVHiem<^sE~H86so~SG&t{CO z(25Z&29rQ-inM-azCk0mV)?>bVzM6hmTsd9%an?L;8u^a)KkrQu~Ru1@UXkc15G>u z){Mp`#rYBN=}5W1XcTRe>Q*UbO{o`pIWvUE6MJ0%CaLB~L&cZfToSPU4k*P4VwpH~ zOckcw?!w`?dEAlLE4f>HP(?ay9{yfkh?Xa6I^Sigh#yY>V5IY+vsnq(O<>IlB3(q! 
zkl>sldXENI$e;}HhNHQ2zh$KRjQ%aeGyi|bF(}PfF+}4(*nPhuB>fVKo9G;LAHR4l zx*xGKGv)49;b-u(-6sSC_@_TfoZYtpBFLA_kE8kBAhU~xiAW&N=iLcU#`}BYTc`cj z0HL>%*WTpb8PBDUXeaQrQfu6z<03sxNQ*LB=Z7)#yJxW~;c9ifKZTh><79rKx8hv(^Zcyv&byZc96bk~uqc%=GmczlkIr<%?t|<#F%PRGMnp7H1Zh3!+_n{c`T6IYM|p% z_pw@F!S1=vespF)9{Km{jlV#6<(5^b2*cZj_uQ1?Eybf0Oy(mv%Ug%qdBV=B)rR+N z-EAVmXRR72Y9`eVR6Ffu_jwph_#A9?<4^c{z0jeSzo|jidfzi=S`nA}GOD$t`+L(U zl*Jav?Dg5QICjJj9DF(z&_d|3g7LX;>LGtqy!he4GDQvjR^I%B#m-@WnWyfPpXscqrw)2L9L%VUt z`wFjiuKnavHJbM3Zgpe&Wo*6Wl1k~R*!d&Z+pais+4`jm{z=DrZy8XP@pPnW_u>2* zM{%L`Iv~rjkp=Vzo`e^v`NTduIeZ+sa@D<#)}+~+W4F7EU zW2t3M!{KeENX#exUSM<4G`m5fY_}geAL3s#srqVEvmTTE?FH3n|JpORc~N!y^bY#@ zCXe@F`7sp_djBsL6^*q>b_Kxf2(JW13{XbGW-LmCz$5Gk=(&E%$G@DsL^GzAkK~PH z8P(KHKM1V$KFd3DLL=a5BExr(6Fvp-cQ1<~V2)dkgdK!9QsD9gh8-wApzbIB5n9v~ z8ka$nE8-d5r!k3A4BKI(VdtT>t2G*yf!Ltd$wgu>RIlwLC1Wl>Q=GuX``OR?V}ZLh z2u^lQC__s2Qamumm=^O9E`KGkAcBM1TyVn%R!mC5m|2Z6A1+kZWkx9v<WI%@p`c_aW@E6xyFBKtIeRF~wNAbk zWm(04Lod*B`hO$Kuv5(q_%S%V75ZK)MtXts){o=#A=G^3YLoggR*29q8bdO-&4YK^ zHG-(NH01IGu(%>M)=SRiaMUB0lsk3v_7U;EnZ18H(?G@%8g*Ge1H?+h^=lN_kpDdz zJ4i^E^Vi}9AX``F#yNKtl^EjAhiy=jR0Jd%BWMKf&=OGzsW3;S6s$J?RZYW}4^YT5 zTII@}SnQpht_eflX`uXV6?7^wh!z^Z1@j;^7&t=8UJiz;Lgwk9P8<0u(?h4Y+>e9~$9l2S_!bj*s{| z)@000qZ+(=xT@F&XlDm(7_Snr;iN`t#K&Bdz%M*ho;r&N7Hdfa8#>9B7zmlKo2J#| z#J5!z2MXjTGhY~zO3 zh>`u;{2laROLmdOV_bie0+P6qe3jOukstV468i|wHGD78M(tQpvkw|fNZ(z02<2`g z5eMf;6`w|hN>*j(Rh2ND8hKSNTq+bUOn8fn11C`DulvLrELWHU;rb*W>A+udg|pG& zPMI*VpdAX6BI7Dk^3h9Y>Eo$wq9a_%U9m^*L|~F;c-2sI$YV#x>^Z)@semiYt@vfH zK}Fnt?g;4oHR$RA{(JdC-&i?jgcE^~kwi4Hu>fz?zjPQmUPuW;zNH$SnHXMwm|vX> znHN*+ZwKOl=Vz-I;+(#gQtB9*f{7m`m(iyG;U?=R(!mOWc-5P@HEUQ*$*-k+jEwn2f%5la_* zU|GlZ+p7MnfFh(7H3_v<&mo+8jmlFWuYQ<$7{ZhS>#Qx47MkChBG-d=ciO8~p1CiT zAA7%kT_RGc20C`(Vl+7b^{dg7Qh}@?jEv_z2FkhYH^DYklPz}`JL7uDT}bELNxop~ zp%Y&NX0!osx-Vi&Wdokh;yF6kIl3h2%%qDU2`ptKQ`KR&u2uaWI=1ZJng1Q2Xt2ER zEtIb)V6qpWkMCc)v-{(zWa;P42aNc(WPhxkGDw6z?DI#FendZo|Jzqic`s`NR8!Qe z9Gw)I7O^U_Sk&}>GW`5S6YuNB<*Z~N)ZFZynH#&^j0(y^A!ILVru-InDkki*US^7t 
z&gQO`f46#Xj(Os{-LX_0Ee394@6_MS@TE;UPRY#y1uIweS8vPquTp_C_b1^w!BxkT z5A2$at+G23f6VUR3knI@Cbycx6WY&%1jfDItCp^S8!OSFXLO+HC@W=)lKQ1Sz&ihj zuZf-|0ZIq^7PZY?Indzx=Hrdt{a*YtQk}rl{=9S}X-l+aw&3dXZosV9F5Ui)g~nFX z7By@0`S>C0vu2CiQirMGjp@m;NQWPkbPpkp=T+qM(ld`6xL78Ce)ov4McBSP{^eF) z;lGVL)nb+IMJ`rYH(z{#F<|odTjgpRp||6)QCG4q=VM$21J?si1m9!JPcwu^m@NFR zc^(F@&u-*77h3$fU3gD?o>kLJIh67^&bFGR503{j@1^VqIDZI+fk|`OH*+zQlP5cw z&Od@a6=vdhhmW=~dPJMt<@_8R#p~ekFhs$095%1(aolwiY0K-j(xB7iq|7d|4pyIq zDzmDWCN47u;40W0X4aoE7XhA|a^m|t&n@rc%dwQR$QUA1M|WgB_h+oZ84ZHmsp zs!Hz4ySmc%6Pms}HEoa2s9^nW(ZPwa_lJoJf)l)^54+X6t)#`|hW**M+paW-xu^H@ z9<{si?M;l@*NCM-EPl!hR|>2(&q>2&$D^!H{m*+CdhWY`DLv7t^Nr8{!C@5c1<=J% z*q6ji)DY=2hf?&_e)2)dHAb$?K}FT4b*#~cKr zEym=jaH7Rh&jmXmfCb65`CG;{D0f(KP~(&su*8W*6-Fq!BF2g=4a$~hPOy^%sF>Ml!T4*yM?J0`U#HYdQsr@VgXWI>p*PWvD z!aRW|YcT`B!PBLhQ1Q8v>eyTt_%nNO%$GxrZD2}~7>s*Or~fN7hFzi2lM zIY021_l~sgv`P4lr|9C5t_W4oJxFBu{T0I+Y2vL|n@i58NO*hT*Mo=makPGH@W?>A zOVnvN6V8<8!s}i7lMPs&vw8uv> zD3X?UJb=rF6oor1xxP-HvxOzJm3)VcH4s`LNL)X92?frR>TShgWA|7_1GvD$WKO^ zYWnpAg^P^Il`UQ@#~v-TX?eHqs3m_yLeG5M9Z{wz0!P;BrZ2$RuoQEmB3Ibr128JB z>+RJ?LKkx2meBGvDXe|B6hQW>ypeV!Rtn{tdIu_^tq*?-$ z1VRs#*-bkI76YH7IaBH}SAoYPYi$d-nzH09^U2e@HtXQ`Re68Ac%oII0k*^wsuh)} zOV?t$PbLiEOJocyB^chE(6g}FGMRkl3G)cVu;SY8%h-qZ4J`8oUWI9R`kE$=@OZE_q`og{-%6p%KZ>Ej+DBE?cqOz^3$fRK#G*Ctx>b+8QkYY@7e% zTJ4>djxQF(k@#7aXe)}U$Rdk4{>TEUP)ZcWI{wp-yEpkS#V;_pLH#ZxgXSZ$4b+)& zD^cbMI=MB^rvV0^la0KmHN$~N!L~%M%i)wY zZ#lcxcW5jJ@V9He1i+%z*kn}NMg&e4fy+`_*@{yHhpoH*QeD>SUXJ&o9#(l)rpF2S zYaEHI%41ZpYj5HmVVilAy4tEh+s#XUtL#lAfWXI~A!{USQs8M@?=ef@x-~0$D~Rqm zxv$CV0&%|(fD!?$=6E@+VG*F_15F1d{oo;Nx@{1jS~=g%*!*Ce+H8Myc|th&_zEUd zU3swceVqQOthxgBSOPt5H>JCLZqyIK%o0jbDt!*zY4BfGI~e#{g#JYTf%Fo~az9&E zZrnS~8d%ihz|>LJd#y8BN(ZjJ`|DC&p&@a2o-UXi*7FbT6fHFA>Q-+;P-K3*Tr?d| z5vI2PXfwW;=R3LX9ja>C`=@7O%lR>m1Hp8D8;is(bynuQHcto-S#gOdr$6Q|>aHHlLg(txz&umOPF+fICQL)O`oh znH?9aL*snUA-$R#dwt$|T5tDN_&(iNC9-{ydi;U-zuUGx-|nJ1o@0$B*HqoS*Mcpz zbbHpyIvgkdMw{{<_XG>nP3SyTy3G0sK>l;6G3H}!KXcvUv1PBl#IJyP;{1&1c^u+> 
zJ}M(@dtJi1DDbwweMRswv3?u+smpcmcE;bix1!QatWl`Pm)s@7yBi zz=;Qj)0oGu2(~z7~@yl;6S5O0Lyd?BbPy4ri-aK zs5&71O=-2D0S^0`=#)JDdm#*^wHo|)=@G}3YH7Mcvy~1nW0DHnL}{n&++ZKL-Pt)r zuIX^*?lXNWbkj83I$c$m;{bXgnWj>9CmW%fS4sh?{2lg98j;Y}!-Njg{7CXb$yPqK z9jG=waO(+KKO+%^ctynqs}fw~=r8NCx`ncyC6?%5){Syr%bi&oCqVm@v7vM(0-pnB z=bjP<91+t3mv5(^{bCs|F79nld#W#jS~2!EkAIML!?sspD1ORPO5$H$RB8Nchi>D@ zalns(Z-F%nQ-i?b`DA0bb;jxw(cclbnOY$~Rt)&Xc33woRa#{SphVdbW?vi%#gK8? zbpZ=&BRL35{<;X}@qX5jd9m7M-Q2_jYS0i1)pYY|ziaqHKRWl=*wWCY2fF_)P?ptw zX0OC(6mCb1YbQf59vc;YFdQJtVpd{Q%I+e2}k^>@54Nv%R?Ox3t5N0 zkRvW@xaej%*`1Gtr&>_5%8o&1`8zK!n|wGQh?92WD>U+;X|Zexk2HfSj3ADm^)N2R zp7cmEn6`|~fBE-YILXW3X=VHg=Ku}KeToNT3jbwMzMrIggoiA`Tb8mqR>@>J-1#bP zWQL5A$Pk@JN0IeN!(K6E5&0fd2nDp8qw(>08sz+AUT{%5>vvYUA0iu>0hrSArKGc?53oxU_se- zW`E>MB#H@>!hoy8a zxVe0th;)nHqTdHj7gS^+$kcHY47w%U#b_R_Rq@D%G}mxuIt<9QtcK>4_jxkPrFtBT zGNyK@EeGWgm4)KQ`Y-+osf)7NvIr`MZ+mU$tjH|Oq3;#@8UJcnJPdmvp^qpPl^gu! zBoQ37ZoO^4eK6iS+#P?aX&4~pjGK*`o~{{VsfgVNl`Fj}|P1R&MsYZbk#C ziN}E9;S}L1Nv#Id6BHJq+?fHGd(ysP!(8QnGm8y?bP4}haHJwbF|^7|bQx74^+exf>3QWmLkd@y z_!Chfio!Z8+jq=!0|zL|Kvtg+pIOf^fAx2bp3T1QWWGp*bxYt4#>j%I1kI`%=wA=+ zU>G0 zTO<&TO+&a(+70>$#V;8sSQbal+)W+LGyX?c9_xE+Np)tIgt||Pg_mN>^0*#l<3|ozpLS>)YQO6B5a{Tw?_9q>I z4NADmyZtDNX@K2h8P^4u9bugiFc>NK;1k|?QNH3$Uhqf@2*pj4-}yQ6Zu)S3lGbVO zv3vhPzj?P?7lpr7fBmW_;Isc@JG>|Nozhj`rVN2_Tb*K4`>5pU@$-RW-|DFeb-zbC z%FDd^b8XAVZ1HO!=zSIWXq?-+t&X1equ<7-E>HT(XMAF;r)s_ZglvlcCVXt^edKIO zuWL-6!_za1MjlibtL@OkiCNj|Xtx{HG4#e}*Dlq*JCjlM`{WS+Xi4u&6)>$5=zJPh zdMmxS;xs6k(EDC738v2X-fbixFUQ{eSZ<>3k=^vQ$!#a__7?-_-fLAC)o!;zLEq(8 zeRKH$_;d!n@l@8WwoNrew+m|BKj72HFqpUB`Ffvmbp4TOUJxqEYywT1>GHHKt+x(L z3G85$7SccM7uLybTDv~N)KJ3>nmFm~luUVjfXF^UT>}CjHBeK^GiYELMAs9E$&r7v z4`S&-+Bw7q{rW(8E0D3jv*wE#{mp8(=sVDfT5c?2ug)X>k}%~N$srG4gedW6%N0<Tr>960Ih1f)_4%+x|vzO0@+tnibK z7UX{Pb>K7)W5Q8}8$of3s#-kY4>GYX*OTB(UtpqfrsN7-ujZ)z6DaFc9`>*-BU%2C zfte=$4X7>dC?vpIyAiu_U81}8_={A3S2BlXqOmB2b{6+Q8A_};KL@NZXFWSUzvu7P z3|f2K9hhEVDrEYORQ3eDt-iltoFo&zQwga$6G?yn-mIH1dvLX`TAc-@c~C2}iep}- 
z-i17MHcYln=rr8m@qM5zr9Fw7B5~_J7H364n{kcEf|f$u%xRFu2$QVP%&F9H?T8Y? zRNybwCSPrgLCztne37+bWam|p&`#;p(^UTI=vrY55 zd5ZY1T1=Y*C%l<fJ%?L$h;dBC^F~Efj1WQOlD1H2A|2qI^TA-$s_i_^20T zofkn6&q zv-2Vqa_29ijaEo%jfaj3%CHa5D2$oj2y2+bi5;t-7Hl#e6fo;=2#1|y2B-KoH*;Qz zQEFsWd+8n_<_CVAEAMeuAipl`(ml(!Zy<_OM4DL5RS*2}rw(jYV*}51#Sj9Ubhe{C zlTz-haL;cXvfiX#0ODH2Rp1=dbZ;b}M^9TSQ56E_(_2 z2#`iI-N2lyq&AvG%Y_XwjJVOnVPvZ%ckv7H6w{+tQHc&8UpX&Y_*>YdN; zpx97;$L@!tT9Q%bha?6~Vuj}noe?m9oRAJjf)w*@0&z5+ki$eZ*$rP=Jfvnpyj_fk zEo!=b;pjz*3jvor;HMG5ydJevHw1@Y61hC0*fJ*rux9vMN}|LgHhuozkHQ)2f3{>Y ztk@l2f8>c=h^kV#uK(}+ZxOo&y$A_De@9!;(eD4z%fT9e*Gil76)X2~8_4IY0Ma|F z1Lpm51QD!T6H=FrAOl_`!6`ZV1IVl}KzWP^D}M)lgp*~}Kb6Gy+rnra6ghqWXY{8d(OevSlF0!S?VQWU>0V*-F z)C-9u*u#x9Axlw`rP-*^Nd|qGIsJ^wk*OBR=3`L*REaZbidd|BO8-gPt=k8jOvsMd zk`g!T(1O9v8v_*Q@MIldViQf?=IuSy*vg^-YzXM5CJ{l?raX8(F?YzL|spF`B)ICk_;bY8dQML@PrN<)J6AS-lC+#+i@KbJ9b5Q_D-^|sq zvy&89R(TznWT$Pi=2_`w6r2%~b=yY@(Z~hZo>F*jey$YljAec>{n32O2j~hE zcU+u9=q2Cv;sQ6V*&6yD%#^LVc*NDSwjPda2W{^12EoQz%Ita#rgVMAbmm*TA}*0R zx-RCIe{JzR{}Wx3uZ+vhBR;vziyn=mY3F^~y*s>kILf-BFfHZTz~$#UQn>8TlY<3v zom>v%t3O?NUH8$odOX$NJ|5Y&zJFA0e)d?Er9YzSy_PK39oigb0-`(Pblsj_`{p)z z?L>C&`5s?h_5@nY;zTmNt?Fl&#!%9eH6aO`7HZRaMyH&xs;;k1#|T|Mzj*8|%0lxPPZ(ZIP4+6vY zJS250tRGKkr@+y9v}541k|APBqqaY3u2SP4RR~9iem5I`RQFX@v=?t;d77bjF*VKgxg3ote1P;=Aq;X-Bbv5XV7aW!iE+zs>i zHPr;GXc;GoP%<7mc1{VV;7Tz(B|oq zD_UHd^vCsh=0v-ZwQcnj^)X^$^ zv&O*%B2iS@qck7Y9TbW}xxf-;9~~6Sq9ST}*{I2*PGuVDyjqYOHMj|&)-q$UR)Y0( zoR`?J*puNVW`CynKjLD<9=87>#Abvho19@lAL)Ohub%#AiME@+GoU5u|0ea@2;Cal zg4hIFp#o;iUK2%qX_C^)mNYK+WR~paS!L>PRk<-ln-(MSID-(7S?%B>vXaVsn&k*X zZxjJWP%LPZ96#a)&?rTtRUyc8M8QmQy3!dKftq*7lv+Th=h-!+5ryQFeO+mfM{c2z z?t&<=cwn1BjVzrO3n7zmP0%dyoM3w-O6ZWKc#{zX(v?)*F~Kpc%P?6@m?abLJCMes zy*$9u702M}TCa55Upxs5WlBlSfBl2KXa)?f@o9S4IG*bxtW|kP^4N@qzlPSFv zi4wr@=a|I-2fc_7e|&I1A#!@-V2 zwirHwnhuc{=+FvdtR5>_(Ez3<~((W2TKuUoe=Ha+d2B%wP9no>xO^ZM&SJj%Ry>X>5+g7&2h0Q^6yA-~CN1aGY8o}EG^WG`$Qc~gAX|Ww8BiD_ zf@r-Mh6u#7ER2}WsAhD6paciGXjHOQf(u%W>GoOaft`V46|Md_atZ^Oz-=J!6Zvr5 
zH%DkHvdIFULIXZbnoxB{EHuM|W_ZvH51QdYGd$?O!$27Pe=Y#}xA+e$WHcjleuJ9uuU*8!&;DUXC9~>@j zb>6quIqZ=iZnN_I=NCP+*5{_+RVg-0#lx%!5$JGIVR^H(Ld zzhLig;J44&;J$;bQ#ZV5?~S?L*37*4-0U5$J@(q)59S`T^5k#v|3BRS4gEO(!DjS7 zUx@uX{HGk-P3kK*{|B5tg1p&<7mH#(J^%Ta{onFmJ^oXHB(smmY#)-!*(K#apFTgG zrl+~c4UC4A84aCLBZ@-`5b_WM^$LAE!SXnzL54M=J-J@cJIzkY5xQN!oy}*8L@C)s zIz0-{5ZShl#wCPHHJNd41awA0f=?TbfyCewSEvM4G~KO8nQ6inK*NR&_FN*13%zn6Kv`#7?@ZZ!`;F zt0%N3qC2ttP;SvMD98zPdW$D&s#fhZ0G4m!Y*3+cdWqS7g&8DG5VH z_C!c$6nv~T3x>_>8C?;m++c*YVqqFIC&P$EykSmnS);0 ztL_*_O<6_NY>Exw238b!q*1RV8~rGoB&vg<)=Gqm?vsPO2xn9vq{msoR0;%7@*L)7 zBF*BUz=b;_Bj2qEmBc`ba~>C00KtQ$TJ58iq zPErmiDQfmgI*afR=5F=Bx|14sbO}ZJwb~#KSMA|fz|V-?g9gb(d+nd z(&}UkiJzpa5-cY5UM&-rA}Z+j&@m~b{pltwmT}IWM0QD3RkqaO`kk?-s4U>9TG6iy z<+vSpjRu!4XC`jBmu^R?ZoZZk+I<}g+k;5Y7vwP($U~RX3Nl$3qHQ9R<5LhYp5Z(* zoM(pf%y6C=&NIV#{<{r?LFh}#e`fyv`wOv;^Pk=PJHY=u|G^*mess>8C;x22r&oSt z!6oDkcO0?)p|70s`c1w)e}g}-dusTd{l9;}t{)`tH?a$kTz<9v>xJ?Y2V9c5^|)MMdlYN!L zHr;92>*$T1edpv7aNs_>?)8V2<6ptV{PXYno$Ti-`Q~Wdb8c83c>K&|?%HGM&!5cN zZjVEC2cC zDJx8_?4G$*?foBZ5qB41gXW!&J)S({rBfbR@2(4<-|UWWKRs`=18%r_g9C4AUlTu+ zsU7s%rhg7!-TQY>tZ@voIlbIwXFb|HVn_EbddFAaP!hLp8eRR}OINzFxC(vJ&5fsb z`puz7E|_zW@~Z>y+H>KKes%cWyVq@P_v_5;<$kl@qI33K_lg63@s4xPTIa~0f4JPP zkIbU@i!vua{Qj@ylg?Y~T9@B=W&OVQ_j%}mJ)at_bN)9@!JfHywA#rVD@&a?T1 zf3XVt)UUR>@uhR`*kSwf`WMeVXoE!y-&t;#8|CiYuRVQ;aWLR*p14 z$M;I^+*^~RHrTAP>^?_c7+m)KU0(a$9yeb$?2aD%Tm1hL&i|Rwe|{nM@9>}2SfT2l zP@Meo@*hb0%cBVA%N+FS`H%Up_>c0{<3IICE*InJX8=m^66=4mOTvG$0vv0}ZNk!l{37&oQ1kk;CA%#mTbR+f|f$mFDYyWKC^V^rX| z5e2~k2oNPB5c(wr!O}=Uv{l5f3woxb6ta+8R)rADv`|Ar%yOpdjS6ux4Ymmk zuh>lu5J0qD8|pc`Yf`DS?+P;ye4G+AMlLK!I((TQc7LnbOVIyuEQz*-g_cT!$6 z;TK)O2a3eN{EYK|JVqH?3O>QW_NX@*XH_{;Eh;09jL2+;gM1%C97F97ims*f5S}b| zO}UtF$lX>qlc9k!ZxU=aSAe1Kuw2X3V)b+ z3>rPrDR(=p0;7#K&?^YF9+S7~vZ-n=6%q`SAt1V69i~EqaY?E!q{_uKS4V3p8Xg1! 
zSni2rg(zfH94!iIAj&G;>5UgN1_w|(&r}-tG*XNUmXzv{HLllHl2$fT*ZYAdw;H45 zq=wm^;tl0|gYhBCYyoz%M&JmQAUGc{*Z4}oQp}c*e9rTKiVYKWnxBB!|Cf~u7xSOg zSC9WJ(RTB9{$nl)|G@&*N+6Xn$^jj>s+;u~E11PmFHGRg2p@BjRG-ijN$reN(O8d5 zc3gm1GIZ=@e*`8HRcbO!M0!AG7Ujo^XXv|YYsjICUY zfO=W5rWIISh#Zy(B!km2u9DWhb`sDUjY>Wm#%(z&OcY$pk~pfsNP_7)dBaM?C7H1q z2XAAwb^s5!h#6?yG;}JM2@b0r$poaR0HKYRJI+-`&FQWwrAq?o`$VqSlkKpYMbojI z_e80m;+#noWE?dCVyQAVO%s(kktBeE3N@O{paZh0FKYgeNx6&pPm=hb=l{^LNjMF) zLJLC6;Sy}!O7M&fieY=;y5q>HB|%BdkOAdAq{7U?ECe%RzC zvE?@zEetf*rOQaGpT}gl67byuPYakjMgeV->2#TKA9ne`K)fK+sH51xv@EO#rcfl0 z#znehRI!fLW2CHHZpT^C0`XSU!%+}X17H+4*k(^12gz=}6Zvvnt&qOXR3jCO9UL`6 zaXjwTu<}SZ6sRbGniJ-0bRnDcd9^q834jBO#o?Iug)%oHq@kb`)S;2$2h$HRTdnp? zFh6WHnkk#N4YFxj#UO5oawwpP1@$#C%mG2V?C@?t_25*Z`6b{# zIEmrJ)N#;H!GGW{BmW`MsbL5~e$M=7_l?d)um9PKD<1axTDv8)$VIPz>vi#u^bt$X zTW`@H!WA#O`l;9U89e5^A0fNaC!DbNtb6`|d~MBN-msGV^+Q%x*4%dg-#qsAmhZLa z)&9($DsKOSV>dqicknjB68q4&Sdv}+|l25a^G>CA|M9;+;yL`m-}IJg zINPtZQu^{oUcgU7&!^wm@8_#-w!6G^FFR+>8ucU3U%j{IE=wIZZ>Muk`h9)>gI-u_ z{~ND5;H(EPTmII)R$sW=#`nCm?B!P;@bp7Bef#(qZ&?4Kr_cWFs>^CSc6Zq5PrDtl z>1DhB_!K|)x$>W%-}9TT<}E;oHE&*YYkHxi-?00M`|pvu=H$19BahgCJN#$FDc?=} z;@)q(cgyI0U2Z?@$ZdDOhkR@G!Ms_gZNKJj&A0DG_6%1+B(H%dXv-`u9%SDxA$TKSoS793k& z|J)7MIia*r-Q}gkAJ!%>zn}ZrvbA?FWJ`1RJ&kf-|MtV=-{Sw5u>Tu26aT*m`*--y zKx)Ocubln|%9~A8UR;oiIrP)>pZLFp|G@I%2TKKcv$CZ8M_Lm8116F+JuUNWw%)|D zLmviWlPPdjtErJq+wX>in^Dt=v{vicIA_;5ttoamO6ogik?Zk}n`-w>w4Um;xm>?c z^w9vo&>%IeW(t(o8Fix~lFW3}q0dRAHF9dXR7-I*q^?C>(hhToiPWe94v{cBih9%2 z;*>0)TW@--kaXj!B?^QQ#4QvpS36u~x@(g%6XMmVSjaTSy@;$k^>M|_He<%G(prto zwmFjqjJU^3e6~H-eU#Ny5OI@)Lpn)VD7eFcttYy^QI_LgI^b#9H1SeD?^4h>RjE!e z8qDfIA~C>ojb5>aYaK(e_g^)K@C@EY8?vIeWYi%EGe0n4ZVm) zVG1XTECG3{2(VtcPZsK<$+$Q|CS0wqmc=aJQG_6Zjp-4Z@G#LINxdweMK#nN3576U zFAjp(8$oiOssLg?nJMOZ%acn~s!-*S$YoOvrykXc+Ms2cl-9>_kkTwt6A(!4fdgG| z`c|hGRuQ&s;Q%GeMviC8vfLPx1FL5$V22+$Rm-)4V4~nyXm=W=3g52i>L|9GL7~{h zE1eGNl^V^lD*;qK(Q8JLI<_M)>v&R9NXLbdT^yxaVWHOc4BgG~nMRwZ2bFZP4RWRo zCEPHdRx&`3gI5zP8YLoRtib_9jvglwhMlshQF 
zS&gPAnouw*Fi5x3PXuF+@gpKQ>O#!K0Els<4cbYoBIFCndZSn=6*Nk14+kvF6{_X{?^YsBl)|plEfO6^ z!ugRmp`cb0uQFkBSOt)z57u}S?$N0)s{h+R@So4A{~NDa<-n6ic|Yi7b+>3FyS217 zD64v_NHCrp_CYYJSso|oK|*OGj^9f#VXmwCxC|&&vWSHcoJw+=nSc09(QZS ze8KMHG*eJbveM78I>V8%o*cQhmDk#+O++D7fiNIdRB6eP9jBKXRh4v0uniy0S=C`M z1B+&0(F`n_fkiX0Xa*MjR~QI`$d{7;pfmNqFTy^~e}4PRC;b0B|H0v@N03wJ_%!|B zkbmMo=$C;1;0O%CI0hlu=gfbO-(yzi(4B`TKD3T=|53|c@a=Eia$I`NQ_)2iy_$bz zwTDl-{?M(CsU6&UuX(~fIrzO7f!S|eyvc>nPRi$@U%&hL{uaGWkXf%EdO>>O&kuQY zi{HF-v$x*k#|~CM@WlJ;+dnyGbj|7S0oOd0nVs3_k@y3#kgY8o+DlzGdH4D=_gHJ| z`Rf(ld*qnOzVEGY=N0GP3!#^-w$w&@y?EMvZ(n)&1>`DQ{^p_$??BhQVWX$@uY3Dn zyP9$Q)2m+l;V$)kYr#`NwLkyztvGMxg?HR?^h=fA>o1>q!1L#+r|<>%oz$Z9K3D!T zf1A0te{+ncwz#|ep>W;&AHVw?@xA=9%O)1=y7wbXKmDTn)M4}YUpDAHaV-Pv^z8Nz ztP*W9`}_-bf9UmDN3AuwzWMa7_k_^xv)X@Hj=X0-ci|SwPxiX>*v-RlZSljUAAjWL z+je^NLiP_=JhL+R`Z>pqcH8zxujZdPX{(!lc=<-}?C`*PyRO6k=C)Ukh}SH@V1BE#Q6Ph`0&P4_cZQEs(=MHoakaqP3f_`RZ$fq z+e6a`U^{8A)ygFjt+D`iMJ_C9l-uy_LMDMpj#>!WUR)x_RVx5lavX7P%@rv{b85q? z9}l|)fWkPUMRp|uH;0Jt!YQ}r$!su`omAe_d-+@kL1?e%M*d@{a<2|Do#}#*@z?;R0P5vJT(-xFES7i6py-*Ul46i@F+y`DTx2VK zO2O03R8o`;pz0WA!Hgusjg7z-x9l_Z? zo#xX>CLcf$P{@HfT`iW0I^0cENP%=S9+!{?-4@j&<4!vv5z{M6(8p0=$}Sw`gq-W9 zrB#c^?!5moZgz5|ML<50l#|uXNk6( z|DXTlmt_7=R`S}3F`B0!5$Los$+1ppB&oHDoC^|qLuV26gMd0)vJrXhHPF3$;toNIJJLobDN zeq?q4B8Vl&b;Nq5VbOHXEIX0FD^#(KTBNOU-BH=;D9V6Jg^D-G@hv@2sO$(Em;wu? z>S7%T!Gh+qaxB(#TZ|N6@jR*Gf~{yWNmfwDW*S|)|S$U!rCmoGxAO&Td@ANTV=CU&FW^A7Z(@?WT_Ulf!Sj=0)p);zd zd#;!Q+BLg|jIg9H<<;I`kV>Q=u%Pfhmk|VvNDlaNt1H??QwlSbQ)fj}lQVSQ z2QusdsqPHtnc+M$oM(pf%y6C=&huYwAPk~kO8ztR_upTLeVqS1dB<+Q{u1yX62#D{ zzYyT3;6La;@gM9OS&}x8FNEfonX!=q~&9hfiAh%2yY_EcOWkq|U!R4&@$MsY zPrKlA zvU9YW|HK6^jIj4`eobFnd#yLt{K@Zb-gJ228mF)Hz}A%~e!3m;;qPvE@9b?7oo~#t z)oTu#<#XWcD}4Qt^#{+Nxy7E(U3u1pn|d2V~-z@j?`-hA#e0kYxzVY1U-+STVUtV$W!P0EylDFUd*>b;Me)-*2ym{eiE5G>U zf%mR=>I#2&Y5eNum+Xn1Z8+aMe8*pYaP1#1nRoO)2b{g>Q+sYxeBy8M|3AxrKot5o z|CyQp_J!EL!+$`ek}ZGb`oF<>GaF4)%{U*|mw^BL%lSWFMgD_I`x|?ikGu;BA@g)5QRM{RHd=iZk9u? 
zZ21E+rTd-2L{E!(j%r0gpaQ+9Ssr5fww6wnnwTf&oIKBuBfU%@g=!hYW04-EyfQk5 zdbM=hmI)e!X}fQnu5v+P^z&xYlT~pn}S zuvu_9S#3Avs#(vJBSffqi3wjT`RUZawFW>vNQ{$tEo8t9%o)>!Jj^uBk(!R-F3CZD zE~V;rw-b%oxTX#xhvZ6f25Jo}S~5u6Niz#1+UgK;DF<_LA8Sb%$&@OB)b?}(O-X`d z!)ZH4GZ9|Ibu~pBaA2V=q}s}G8G#-c%?i-<15-~51)(&;IMD3dgGhiv+!yp3A@q>U zfMoTyn2DNG-pAk4!#8V1HL?G!T2Owp}rJk;>&L{)N{pN0Rh_~M>l z*4s0l}=XoMe2N*(jKEa@oODnR>aG-=EIG}_FOUYw>GC@tj% z5tzxeYzXJlWDA^7Ic~yN-HASGFhSLhV6uc3V#9S+7f8BHY7~iTSs55e!L6jzao&T4)oa+Ctx9=m$v;#kG5Iv|K<`9U)-D1*3*1B$Oi_&D2dtEy5mMmF7sssp@0 zM}`Tv46|<6v3x58>nQ;&^+UbVm4q-DWYR;(;aFR<0HT!PTf8T=7&ussDWu_A&mm%5v})!hfFs5C{fBI1ZzqhW}t+ zM*f2l5J5~A^LfwzId6OLiZ@=`_k-oOU%LC0eCh8|eEmayd%{7j?>%uGS@5~3Dz7*Q< z&4aDWk2?6C=6%a_7uA#y}9xu zn>=@#_~9*ch&7fv-rDf)-LHRa;jd0uBQx)!)(`HxbH8WjJT5-});9MH7R)mDP1%hH z=ih-G`F(S>D_grl8$J4pxc#Ho&3zBKW2J+3_|Ym?ZF<^Xz_BNu*lI1i>9Q;IFTvhe z@$8kiIq@c?vFf~=j(YD;+U*T6{p9oCB075`Ys_tIywxApeZO?dyr-nkmH+Jb*!ofq z-u6%MPwsNxSo*1*U$|%gOLjSBZSA^KuG#ms=21H%4_iyED%})i|uS{GBJgJHPka6LPb<-YLuf;t}+D7TLag>v!GR@6KK2u%G?uy}K5^ z!F*3ko*I1byzqd^4-VXWZVveVX~b|T@8uhR^werk&VpXw?6K#c_1%;1+kP$q-MaOY zHDfE0-uX7`z2m4Sp4sS;H{U&k*)n?M?fLsXy6(NJpSJeb4zFzR_16E#-hIctPL_=W zN0Akf4Fa+^lw)R-hMhENnl?$Bt~6mt+Ki5*Nz*oI!bU+vRQ6J2$_Cj>5Dt5T4B1Qe zQb14vfnSfx>#N8sM|cr_?{oig&iOp&oSr=Go$JnZf6sMa2Q7WXhHo#q*T#>Af4JgB zdF30=vRq)pSJ0J~YwUD9XFdGa`2QcS|3T;c=RY<69seOg#A|)w&VQRFe$*@x-7UFV*RUEOZbxRFynj^$%+Xb2}b^OWv zhYjo&o&|>^ziUn-6PE`R3mcY>2Ph_rMyjP~Xe#GXO*@OpJ+{gXp`ttV#zS-3PICef z<590naiRjM;GmK?Jth-X3W`!z&|I^hSJ|{nO@=Y;4m$&+F-%PrA`-;}<-B~*6?GSY z42Qxds_PWfnP#=2P>o&&LaXg*R96CWFtk!w3rqK$Q7xBGNnBqy>rxBzYp_v{r+teA z(qdsq^H|%*^KQ|b<-#4l-7yNLK@BaE=8Le|skR)qU1^7XOdC!lI%9HGuslNaT)vg{ zfN5=ZvCZ1JUv5HZWir;%UYp_kbc%;vrjavrm}>d6)ZSrLi8J^zTvcmmMH}>e7wVKa z7Qp-gLe!BQZGf4!l9Uy$L&@ML*>7ao1tB(c|1QK5UL{|hJOAwi|3SWZ{rt}_J)Q^p;ogw`v|&p zhT^j{Cg$>{LzY9M4FlSgnB6N=N~u<=`D&}d)$&qz776MFrULjZDWKv`}bD+0hVC3#|<4V(2(4rD`QAJ@ybdoc7slInuKOzV9{(Fvqv#R7dGz zVu@zc*+RPukE&o)$km2rphKue9_olJ1>1b5A5X;CF)Roym2rWRMO=)BRMwqPD#W@& 
zW|;S!Ud2aX7*>0zGyrD{9mS8tdNi`D><9HfRWV0>l>d+)_|NPi0s094sdo4pWqsUZ z-GGle*KI+)PbZ%fkX}Y;6pd_|C{3JdX2|!34wQq-d|sV2s{{{JHK^N;+fyrp8;02s zjSy5wFodZP8ITT$@diiWRFEeEUzXC+s91{q5FB%*Tz7(T-4HNpiir_0WHd!ZFHnwy zaVey#c<`{2%9=#FnJagb(TLMBq?c!5i?qPO&0YDNgyIO?x#)0k$VhT_7t*_cY(H+;|BRA;*a7?wO;ZG zBs)dQ8gF3rZYj{S5r&uJ+yF`J2|m?EAP#m*^|p~2fut##DG{ji2JK4~utX_wgDIHy zY^C&guo_D(Bh91JsRj>QC8inVyqY%-@+E4n+-J^<=DcXmi{`v&&WrwU4H$)q&!hhk z(A@stXE8qPKbtOSpTewl!xxWvX{UEyfAo<>qIs!buDZl^la)4p{MNItU+RV5ed+p#Sa#PV!3QVR zJ+YHtSbpg{rp_O>yk^6@R=?)x&hW{1j*NR>>mNS<#6ML|nrtXtXYBH=??3+QZ8kqi zJ7VqMt+j@_I?&ns`EPFf#)g$M4psNP_nOU=rT08(GMTsB;>WJ^Ei8ETO!P-9Ty({H zzq#eIo2xgTddR7lZno1tOF#DTE_)N~az2L-J`I#$DI?&k0)Zbca z+uMHeOnsjtzWFosLGAb3zPR?0dnm8S@7;3OlS}OI17s2P&dHuzuX)aW`>k;=6b9xE zTQ(m);P-2tc?fo}`h#H6Q@{1=De&&k(My;6RQ<<4@4fK)OV3&2J6&m|cco{4pATQm zbe8(98P>LX@kipJ+k}_JUj4wI2is^ba>p#c?`G^>PZ-;sASCglJKuZI#n9K~dPeU) z^_4&T@awA|w)ecR=QqK@dk^+5dhC+gqVHXBoj?4tpBv!N$vf`znp;|BmtF2SbLAbQ z_HPcl0Q%{deszE6m;RpBv+u;eyX{R6tpGp}wFZt=YG(Duhr>=O6Bb-Hlx z!O(Z%%%NOxB7N|8cKGp6o;~l9=TC3`){xJ>{swgAWQC<~R=@w_<&pPq+&5vInIc%e%Wl40IEhd6R#k~vKrRM-M$&>O}g3R z#~MFKQOy=ob6dp%@5{Ih=^)>&W!jmJJJslx>48EI1Jcc;)<8n9!H>3-J(+$*ghkmx*>-)K!W+gC-a{y8%HC7%&7%Y!HVGR>wF!M0K_kNQZx+XF%vwZ~-x3Ph3_M))AH z`$eM_$Ju79F@zCWD3-$n8QR=%EI3gng9jkWPDqpm2lb(kqJS%-A(hTb3R5yB9Oe$& zQ^)ye!I3@ROb3OHy`)FxC&5KYmfga(gh z7?S}jdLIrG3~Q(jN05j%U$eoY#MBU1vI{1GsW2S5=EN8Si3NEBCah!&EoYWvy92RC zjYI5{>>q*)dcI8luK!OZ2c-<|BT6j)kL@3RQT=COmYcu%&qDS8VZ9ntuA37c0rGjF z-U#b#JyS*$LMsF!SJ806Ls7DpWWi!gBvZRt!VCC#G-!D-;n3|=AFnV4z1kRN8vsPK zA%8*|Hk}1&QFaq&sw%a9q9k3Z7sX169F8&BY?1}a;3sU3aqIO&DVHkcG!$cnHqe=R zvLo7-Kk+hkn+@tRRm~+iCoWT3qIHN~AEUeJf+1T@L3P-nSn3X=4(b*{yk0KlbHK32 zDO_(d^@_s@XAhZnUc&}r+Umg~T#oZ4In$IAL1x0V3+LODR$m@Sz6fXBZfD{N83bsL z!#s+XvT0(R&y|gdZGlKXJFblVT$RmtvPe0P^B~`96?&!GIG^ozCz>K#qdXlt&S3T} zRQ+y`MI9dX|I2?Uk@=|pKYy7I3;bvHFx34>|6vkJ`nbos{keV5pss30s^j~WcDXdR zX3q-Llph!97B;4Ou8i2F;VkAjjF>KPWFVl@AZP`#RF@^)2I5@5S032oG-{EM&>v5W 
zLx{%Qtf$pA&?pFbj~6HzF4S~s*c+Mckp*FfVbK*whsJ$e0VEKOBAZdNIgAu*E)Tnz zdLYA*sY+b6iT72Xu0#D2KQPK7jSBt7pp#aRUbY@3L&vuRpwz0k?XDlj2^WW`P;Nt} zB@S{$zG-;es1r>bECts36s;)vNC1g;TgpNmxsr1$nTZWT0GA!5!+|=n)d)-%#72b) z`h--gaxRet^>SzW&NJscbK}ngM&Zoo(tqH&{lCv*eAs^~Kf3Lj&w>9C2!;|k z3_%~me=?s({~bZ>;zFug^RAF6+&c zHu=+6`J0kod>1(J+_Tx2Ute`?{v=_OHsF#mmVFq?r`Hj;y-$5r;Sh8wSUvQ^bfv${Zhw? z!-q@no&MH!Pwn^6=!Ng?vg(an-M9ZP=jG=4SN-yV2O1}=xdmA}^!dv--^qL^Dqp|I zgx+(s(@i%lvh!{mB&WQxe`)~EKN{U;sT)q;F)6R(?YqnphwroblF#3@>fwh3H{bK6 zT|ZU-8S|&F_nm#{jUP`f@x$gW54?HdTH7uCt+h82zPs}D=$BSqbno)MU?#uoV_WZV z%nuf;Jb6@^{rc0t{o3_+p7FB>`JIkOcH6L~MXSzxbN+^pY<}Tl^KLw4lT#YMJ7ipk z7Ts+Nn19Rizj^L*XIyv7^{@VElT(%#Z+!d5>z?+*^{>%(jv{8|%AL}Mt33*QV~g#2 zzjA-n*!4Ro_ov7|;Kgr0Fn;)`v$wC@abxg{qu<`?uw@RM-2U4KF7n^o0s6-M@4veF zQ8)dGLd{)nTk(5DLHxxLN2`0k@yFHfv@Ce9=YGM37iE?>dq?K7Up#o;s>dojpYy|O zQp;Z$e{Yrhzxf=sL3rOaI(72&rG3x6{>#FfuUWr~pSt<4@&7-3{u_aR$bX2r{y(3| z_;>tAhT44eh3o&5mS(wXsitCLZz0ZqEB({{KVL-uL1&k_;4q>E2DGsLV=s*V)FaA< z!ctl^0@1Il84~EG!3O0wL$#gsn;oVvx7tA~q>5@X#&SO0>@|w0;}7z#Pg*dj6opx? zt<uB0{%yj*YV=9~BB? 
zV}N-ImpADNoH79~U5$$to@A$Hg~9u?KPGWzmr4?{XuCnyq=v)hge`JoP8ehbgjb27 zhX{H_Z-5Rr3TU7UQC8E}xhTYCqoCK5#;B5JM8)lCtQig?+ZYUtfh6E*pEDDy>nkE; z^q~fUX9r+8sR5W$2|i)}A3N}hjh@mV3#=0igt#qz``U6aA?@CA*ny!@i>Npwxk+Mizl>!_J5%TEE+WAOD-GF_ zJnkTco@XksJO%qv8iIkKUx1KtiEhPkrXeCu5D`tTqr?fEre+p)a;6bb61Oni)goMWtn}CxN7;_>6ucdXpB>4gaTRzHB?uKJrswtdRM0T2_kpexYhERE5XwVVzj(k zyP?z|-7+}^lj}|~B#dk&Cxj(!s%mnY?*PqGI{Snm^2eJ zcsmqau8FatjS+#kKp>kTlj)_e7y zV)O>nzFg`QgqGC7JafQUf~_ODJRtPyHlcBL(mRkvK@&Fb;{ z=eK?6f(Q2dP4U3JH#q3z{fR%W_Q;OQ|Bz~}`t%vg70!4cyYaiT$Nyt*zUNzypFTy- z)#L+Sy>+>*FS&5LSC=^GlKC&vU*BO1uk!VF2>sCc@+Ir-{hRf7*x@U$ytN-(OTV!~ zb>7P9>Y6WYu=TsymC@x7SKfX7osF+L@vf`xy#2<}>ea#(J8b#Y&8~IUUJW|;t}FIi z>+92Hp1Wd&rJuX~x{bfS@+vDnvBs|P>-PH$y2rWlBTL+M9B@gp;npX=<9+ks&CYvV zt}R(TFaO;GpZxydmrGDcL-c%b^J`VV>aEr;$R zUTBveIp@r4t=Hx)ekyn1&o=qVW5+Ff&+Us3HoEDIeGYqVn`O3r7`f)GJAc_+?%}P& z+_i7re(943SVWy;aHLVUg(s6_;$&h?Y}=aHPA0Z9v2EM7ZQHhuiH(laN#A^5)xG!6 ze*0fnb-jJ|IeV@1thH^LYjfYK@{J&nRj<88WlrBK{djqVa+^Do`| zUb9-4^NjgBz?Iu>beLlcqVs9P{v!Jj$=2F!1>JYTrs_jeq*h~7+vcKF&I9zh zQ9WjQGsAOLY;DtS-htWd>7J{q%jr}5$^fB8_qiM`r(?Sc*Yh>ozQew$_#k;&y8t`% z6G%pqCvfT0?WNf4ubt&|Y>f7MJpr9vk~j#wzaq8xe3@a;DR}Qs&n|RGiz{5GJWbyY zdjJ=Id0Qqw*II9Ujjk%Ei+k=9hsWMyeH@wqV&i%TAm6r6ifErT-{W&%{>1+zUF@KF z9Aj34kO;#0>;-Kircn4#58h|LX3UGP1F!P2QbjpYDOgPL2~PuW^1cQ@acRJUQ^m{V2AFAY1RdU7m@@JR|N|z%>X*EK=O|W*QwPV2iWhPDPk_aOw(^R=3r?qqC zsRT_?s5+(uLT3#|=XRReB0YB%dw{OoOno{&rL3iW{4v#9Sv?6;?oIqUin4Q+2U#|H zm}&O{>XH9!+vfX{U$|`pS$>>Oyq(t$;FBG>@kOO znHk=&-eD*H@Y&X-52Sk6x9DZd%VX@C%y5AY_{SYRqR(&c>H!UhdA3XKBcu~F2R(`V zf8~N}8KFgR{F1_9shYk(Nt?m-JGn>Q;8ke|H1>^`Da#pu-9;NIQasT+Y5;*NjH%_( za9qrDiDHOGQuO+&xALa~+O8=(=%lSya@9`hXU`GF;f5twLRq-v0ju<8rW`JjDdB|Y zjeu1jC{~`G+c|sa^jY&D2>%K^ag)r&s`&~;POd`yWs`!30)*d#~gA)}5wl(%#D{A-4Yq&K73 zT8w(uR-D?+Q!Uw+3CKj|6lB?h0PTG_+kL8V`eoq^ToQdr#mq}t+uLQNC8ZcgirM;c z#1Z!6bE5$Yr?Q&huCU5S)EBL2B0mS{t{ExYhr<&gE@ViFt@t zFv^DJ6p_*s5Nps^kU2=BI=*TU+B^WO1dRVtGahf{hZ*n{55`zkDm{|I%+9Go8!nt# zz`_Nq$XOSi<9_72 
zcAiBYxtV%TD8AUC_;blVOR1+!uAp#eQA;n{%&b=G&`<7@^nRE6wzynPbua+g`i-4; zMcQ7oup|SSPu3%l{#O*-xs@utol}802@R2Vd*nakWLlCkzVr+hDU!iP{=a#&v2F0DJc+ibp%N zR)9gzf+5tjeF14Xlc1PKJt1Txzc8l%uY7>` z^wC~-k8^#`1YW+ZS>`pLUwwFvKl1a}#>pgw_nv?j(d2gHnh_ zBCH9kAGL7RADH~F8v@S+hrIx#ki5gt7qivbw|leIXv3f3|AtIKC{8}EixZi8UWY5A zG1t2_-A0eMwl+a&wmnYgpB%kKmnvI)#XoPIc5h(Jt~@X7do900cyqlx9}C4R&o7## zH+8zNJmtM`-Hs?yw?AsS&qKuNw*@Y`lTYXxKTCLuW;T2SkLX8Jyv)t6Mry4<3;)#m zaf@5@oXf#y_yKCQ1Wg#dll4mkJ31{--HjaGXR(>SXI-^;Prtn*|Bmp+RCx)wWI2uS zJZpCV6=$Qe4UTyr07K}Ig+Cox(_uLQQpI?hMI0GDm&tJZSyT`u#pN1L9j zD>5X_kKuWiXX{QRKqi9A@ebdc=j8S}=e;!$nA-c{cMpfEOWU}p#_;yRH+sb0Myh^s zY@&u^=-#=QT6n`GZhJl{zID;P(m^GZ8t&sYxpF3;>k5ny?E>D02;FI32II|i zd-q1>ixT+west&NxZc)|MKW}sY`J3c^tfrh6+NtXhhBGGM(<|5TpB@TtCb7bT~{wJ z5VUf+>d>*d8?-7r3_qpb2!PVwFG712Jg-o9LB25{P$v*z`v4MzCg%GZSV!K~I;^|( z`?Ct3^`0~^Z71Qq7Xm|HwT~N63dNKL=*`D|GQ7B_^frrhfCNAPd_aT3&D8wZ(s3eZ z?ibhL6dE!AB`VEm-LhTU>KTZeC$7Lpby+*n~h+0eMGwRh?U*Z?f)&7*aexN~0f2tksg8NQENvWf<5)_|ukuj^HfQxZNMLT1J_0#)TiLZYSCKb>5tj`ir3 z(H!GgH0n;4lyJOt(!0Orw8@pA557J34A9)k^rtfkwJ_bwN0kl`P_on~Y{YQds5?DX zG|I%Bds{zqJa1znb! 
zj@VH14>cI!pXQ{WnM;;-6#ez~wo>*8=rUIG%X<_0L*_zearh+V{D)$sQf10Z6pq7+ zvhYdYo^XC=sBz`fr*2PuBR>_Ha8nSp0Kk+pGNz#djK22uQR@Xm%#|ymiPny1hP@^o zgZzp35crG>@l?FkX~GLN&&77%?3?tPog3i(2s5q*8duZ=5b=`5>-K-e1&`B+&_TBv z_CiDlvctE{UkWEuZDh`nt3*?SOaOPY?bOn%l&1a1hXU8M#)Z9?v{RqD5K+t};bw&@ z+~R9KyaA1>OO`@&(8*gJwHNc3yQxx|QV^5cjfwf>T|!dZaz(;|3Ameea8XBoqR3qt z86qyV`V&&88;xBYSd2yxzZ?{5A@`5QvojP_%H%}|Kb*bWyi03k9$R%s5 z$k?(|G&ME|8MRijd4qpHv>|C!$0uEA(Zb^-Oc!yRlqfrrR578YRfM&9qn7ovq9|!H zOra*aBsQF(ak&(i7`FY`p&`XKH1@+=V&QdLa$b=2DUyp~4o0{r7Af$E`XQo#kcbmb z9n4?CUb%&~q@H8f-hyjrXBijJmSDOTUi4O+pLN(ryTT~GO{F(nP<6)si!e{rKPh0y zek&lH$f-o7-0S-nc=PlbV0+RVIYk@N;H$3)!3-L9Pomp1~UOBidN!vN>tg2=l~| zNpBXN$^xA*o|%7>s*LKXb|`@}l*(=lwl_wB83&3Y4zxKcn#mBEemxU0Whp5-M0h4O zq?Ww3xyt@7T_s2%yr-dsBS#i~-zIw%l6zc2ldJ(>zdT>-*~IU?H^Q#Ahi zSs!x}P)^UzPGdqSzmKwnp_K((WrW*QEPO^bNI?g6nWVKIMUBB*)8|L@39P($oldp> zv%*&x^h$}x1cLp{{Ge2lV2@;FRP`sx8(yZUUY~l;4R~21KoobY5#yw?(jKK?-@%i@ zU$c=^h2N{fnC&+&TyGTD6v(wcjhA?9ub=WX$+DdM$bwr`z)2z_lKTpIJ{D~_jCOcZ zA%c@!{l>{GE}=SOpOLXQVpz3m`H@3v_lIqhU?n13r6R$>(R>0bUnX3t|JAZ|RScRh zxv@`WL)DKTngun$EUWECeo1o(;7!1+8j}e>CRjT5hTa``x=l{42wfc`sf8n3zc1qC zaG)Npie@hJF6V)w|0NXGl)9HxEeBQfh2YVOuNOXu*d&v8w`Ex1XfKL2`$Yr$ph6XU z@S$3CYQR{hhRt&%;&mj(PqB06DX9efwdXMsHYBDWw=*)v_eI4xE`6{O(8-$0gj_jC z`5d=c{;vRhEoj$V-+5O+Q;(oetC7$P-xv>IXXNL}g|9v|nHd~W&N%SmEq8tD_5Cdu z34G2>4+K8Q8I-U7BS7HjE%%_t-TY(HcI)~&n`8Sb8y(RDs>|th0#W|p2EFMhrEuQU(UsauNKY$-@4=&>zLm2bQ58OV7T>9kj? 
znQL=)SigR*a^Cu5+kMG<|2DD-v`97{&6D)Ks(3x=x?M!|T_3l3IMwQ`dO8NrH3`bTMX|dr% zuefQk+LAc4PaQk*uF6*0{4M36g_ULtzc6T7zlFF!A|S5hq;iQE!ORx%Dz&3hXCJNr zD}~eO9#`p_PFTtH0R33HOr^k33`-Is*^2Ie9P+4GA582{JpitVRRS9fv0BtJu9@yo zzbe(3V&Eqcn9_lhqxie_?|WYyE_t-q_l*jbM5^4M(=I<>qBilx+kZeb=hvjoP@Q7Y zFylv<42p4OD{#ffa9fjRUps%3R#e6=PC=bOh}IY5=b1P%J7Wr5Z{*^0$UL)Jocdv~ zX%JzEic(f)?XIxsr1@H83J^m+O+LTtI@Doz>6tX-{Laq&cQTBlOl-Dgj-cuEUU#PRKQy!_P-e*6#fbM!r$Oq zq%2lXNx)T9$M36_ZkLp;6{_q!b*U7JadXZ0U7(VP2ufYMq5P>~#e<@J5iP?&q0G91 zCodPW&q5b!oh2n*l~HvlcknGhh;()cBcf^-V&#!jbd0E`6sYphVbvP^R*=~w7Id1C zq>r_Ir!eHfedRP)HA@^oXDL`8NJye&LQP~5Huy)QLT-77lk%~gD6|qXPhkAeQ>aja z1RKoCqVDJor@WbWbTTQ=!1+=TVwMBN9##&L@uopUvX}`IaqR~a#-S3f`2fi_O%k*F zeeb!iNcRrVS;;pt%R^OacOiG?AiVmKh^TQIuQeisxswj50Zbth&E-o5y?7LAW+2?cgtZf zM+M=ZYWAJ=Oc19N?XFHH2aJH}Vx@%cv(na2<4>OauqLyLo%@5$p|3(ONj9l?7O+T+ zH6kXnn3E*jxJ?WvN7`1T1A*{cL@=;`7z=4X0*ZsCPA_ZZK!VOMX#d5TCJz7oWV#@kZ-{AmXkD+wzH!um$(DiF!7@!4ZQ-m< zRoU}f|Bcq3F!a%fPPnofR&7Dy_jtpwm!;-1ZH_Tn^*l9#=x(9pJR3A0Z7jJ>H@YPv z*-Y~5RQqh!`~McuJXj$#u>B#o{S)a+&8!0fz1q!u-??scStItb!17;4ZwX!irvi-x zrkIK3{8xZopN7HKT5t2S#opct-Ci8MH|>wpqc)NiPQ#=3X0^uW^H|$PAkgP^3Bcg7 zH?XYNb;d(>F^?OUnkx|PZ9H9!BpU;qLAB-e+16h_e<)49IR&hA{~Pnh=YP>yFRv2P z_WoxP+0)AMw3qO_(+to=>RYb1<#ZgL#$PijOug=v*}AMir3Y@Tm(q^|C4KiC4AxsH z(l(uY>W}55Y12IfMsl`wbd6gFigyY0?_CjnHZ{Pw0ZEvHuUGCTIrE+wT+jEVD{lK= z*ssmIAY$Kc0kf->1@W4?6HCl3Sh~l5kHcEeZ6{0e%f8><-L7{Sb~Utj z1%StUq4A#!CP=`$=M(AC>bHTM3vKUr3+9$LO|>1+;N-aD)4J(2rX1+0p2Ma~bA)sM zhj%a?iODj>(#ewRz;i6$RjFro&uO6A^~YN$V7B++?s*)JzKkw$^Xl$(0hOcX?b5rm z3KY0|v*iK8O-=22nhD|Yb-kEo=e!?!W_UZW+_MO^vafi%Fw0}vIS*USDsvOB?HUif zVc&WBBXG#!#OM**$-|)2bZ~>|Z53Xo&-?mfv3h9Z9@+C1Np5a<2hd%=w>LUkj$MDv zr+IGMyGCG{p-N>E&t+xX(e^nSZE>dyb&^ZFyx*8DqM6+Rr6OIo>?_{BUA)fH0v?!N zlmv9)d+zE1EU^yN^lS# z_|R-qSTRB2bR+(``&DX;0Kl^glJYV911*D2LOimiDT?1ot6C^#&1w!t!g~1Q5t-gF zBSKKN(hR;!D%q-eEyFO?S-=R+5TQj(BOR8B9q)}(w*a+W4_C#pT3ZIpp+}+2yuU81 z4SSPd)1Uon%%oso_`BqTN@)C@E@4?-Vm}Ht?`8TkfSO{2jW0d{Yrku~3zhD*AV;MR!gn&93%IKx?O$#q? 
za}`Qgd7#*`kq0BnBdRp(%~*4QZs*E;F-tM?sAcg}9VglthdM?=NA5XNc74oZr_D0& z+s-1|`mlnH%V@I*k&#_i-iCVlKdodb_g2W&iesYPg+vA5$*R7 z&@Uyw)?n3TA{5HYI}f@RN-gdduR#X}>mD991b5&dN#8r5S^j?wYXe!Jkw8H;{1J0< zzHiW-8O6N*?8YG><6`VTIl&_itZWnomeVhCMpX3GcT%x1qvODJ3T=}7BvWV- zXt@E0AsJ7L$sE4;xs{)=P}A|#W{Xr2cpN|dlnFVfP~(a$MQ1E|&SXTDl2kV7+ME0upxEc&>^{=_axK;})6aDF%TGpZ`phs-}}QffL~-E@PqipK+=dh$uC}*OEV4Ca&q9n<~M%W7AbO z(sGbz{ra_{`Jwc8Eo&HhMjTf=H%e0x^XB#^XQV^}KP)Y&^zUJ+ej3qkejLOk-Q;^} za~idMCOVwKC#yKY`sWTh)K&@_dOG&;UIq+)On|qimm%p%<8n6Z_QR|8QS&vg1 zv;SYVUiAAY?|Xf|ZS@`rID$a$|5eOK8Mb-=xz7X;Ba**D77j;GL4kz6Hv(7>T(<-e z!^{wZC=hQJ@3XZ4z>cS5Y2%A<{xW^ zFKg^>XB}*c%2UtF%F3UsTJqQ(z>LML_46iFY}dtiqV8klS^R~q57$uLw-?>}e;m6+ z5q@1ZLx8p`zTlYKFOl#+%)RdlR z65qR_V=b$3o8A_t?C;YtS7?fT0UKC$6;e zYFLz`lE&+}4j#bAf(6$Hd9sv8ataNV+7iYOXRyVbMZmFe#5A%y*rI#eNTu-IXdeym({WOt$ z?yrieGnL56k!{L0Yrfg%Bx(d2ZRoMF(HvFVr`Da`=XD4<8-NSU%lpp`fsKlfEwvS& z`8KytwJj2P?WY8j76mcPtJZNv!T%W50IMLgnomF@HYf(v*Rb+ifcWkM_$E)wY}G(0 zkWJ=2KKlHH>HZKmJY~oM-71%_ikr4`X;;u$fpYPC6+V?)4?Gm7g%T;FJ-Zgb(7ZHT zSvw;!bp{%&czK*9JSJF3Yn0U;6Yw9cGZ-59+GgO7r07iM&Xh1Ki@5PBmjJJ@j82}3 z{8pu~3S>k;k!iPTNisS?k7jKsqe8O=-h(5oPNalI!qaxVP2&n-I+}QLZkTw@Tj;WqGhz%I2+TVmMCy)TzkZalUK1_br&S z6m(N99CJzyzws@hpDWlfbQ%G2wxx~j|-S!%uP-=(GRF=$R zx@zJ#_>fPkO}-0BC?XFIzc9wKni@1Eo?q{oVCQsXwU@#dfC;r}Pexla*z0qq!EqYZ zoS-Q+$y+eP9*W8o4VTJ%qvUZplvA%1G=d`fZbvE)p&Li(!QKhP0W(xEi-1TpPRcuS zpioWX=~I|WLPtz(P_`^s2v!hdBw;)+6qzLdex*{5cALL!pjnmg?q0uH!$Rn&xoQJaB88dO`(}`9dnPm@b@<6w6H4oZXGN!U4c6-Brcpe z4-maHR*0L7wP%+gY*Z^{DvhT)3-gPa%9O>}8m%pz)izm6DBtp#H36+aP#rTNMc}=L z7<`eBhk@$sdz^aKo+;2lRs1%~YEcxaSeD&r>iVV&|6-XEPmVSJ^36W}tkhBi4{bU| z7U4dN_MlN3a!9BmRExSm!l;}Mv4T)a_1$s`&6$Yhm!A{ctl5I)gkt0!Z4F|0-e3gx zp(qt>3-wo~Af@2!B$kDs<9V*j*A5tvD_;si%7x>uV3#rzhNfcIZql}m@(*CfYWe#> zIjH)+uoj}fIoyNLie&%O~ zj0~mG4T9$6)=w9BmaN}0+rJ-k%z4Sd6;O(C79Er)Ku;7-sY_DCjT8ICK7ch(skD`- zSl-u7AH^+MeLs97(zZ1SsrV_VhpR7)nzK@Z=bjf%70eK4!_St3vGy(E0uMprM0>hX zhgNxhE+1#m-eu_uV8EtkoKRP44jbUaS+`I=g^%zr14^qbjt*%Mo(%cd7IlH2`2VZm 
z|NZpg`z3`73Z#CrJcD|_?z|X)+&$4JK7YL+<;am>rHsVI?hBlr%=<#4h%q^_0|ZP! z?Q0qq$yzyryPImbUwn%C(Jaqzog22b9;BWBtQlLteeSNWgF3S;&ftTw(!5(_!A^y~Z=i4xKOJ!%>G1>n*u>!^E+YHAuJXUo)dpig3 zR%;%^?AC2!tDKyiayrjDP`oB!r`%ipV(A5(S6(;5Q>{7|W%YO(yU%UJXLhHC-~_s^ zwg_~e2J_x%e4OT(Z_A&pCUSj7VmwP@+fUL%r$Z_}IN{rbiAJF)Ra2ad&LN6x%h zi=rU9KPIy&PxgEQQso5@df$S?gIk|G-CrGz{;Z!!-&i*-9%t_Q9?UaPn9+i?j;a`9 z@da#wk%@u16wP?|YBmpFSDd+cLD6ZEpxogv=Qo9sGhiRH=941D(u(-eSp9N*?W?CA zf-pgXMVfpmSlBt;m|y4Be*-T_%heMu<}CKuUw_I!wcq;?3QH|yvnk2_^(b4rHb6!< z{CzqU7o+}@A>SHSlbyk^e^{Aj`b8B8&m8!k4;LpDEp6tA5Ep9Hd+xFhL@6NvZ^zt#7t&2w7 zCI(eNhYuS|`ACa+GZ2ah4aVuV7ykoWp{u7hjREVg_|3){h#)9`rD!@;SzKY!68R|8 z0ajpo8tlwSmEbJ+)M#0v7}CJi$~tEhFwy!Uv;z*SAtV=!ojSiXufK+ioR7wVSC2=? zzl7B1e>7pC`a3XZ6;h{REcVnQO$en&$v=oP$V(3qHc^}h(gORqGZ?-+;6MT^YSMG4%4%o?%Sg;+9sEd2Q8(0 z3O(s^|2xPA!G1g4!|4+%Hj$sVqv67USWPl3PHy{8xt7|GL4x z9{Wt0tQWzn=$*=G}KsxP}0FFUH^v_nUbeRz4j@Z zClwK!#H7z`RcW~4bj~_qD@E7JR1;p#0U0(sq_hgIcN0-d$?wTyua4m6V4O{~%AvK% zA4rSNaDRDv#v@|X3SeZJ3+@sPLzaMk*>== z&p7`Ui(8N3wzNd28qk)J{pFO3eR80`g4Jil6Twj}bIz2@5Bq*)$(^_&&97@*su+?r z1ngr7^a^HQVoImMx-U~j(I>zEO?(l<9c{%KdFVcmL;`ha0 z2FuA}llRhs+oM@;X!DteXiZqPOCwnc%;&4luqRy(!QYcfRd~?z{>Yg)D9xP$gnTAs zkzs6Cs=5|Yyay>DvPHL~*m)>lhwpz^QC=36z^509mAeEkO2uz~o3rQ;xE3YGPjTZ9 z7PCz5TZ3P%LuMO*EQ*m|RJE^w5u09)4xxEdmKmH>TBR`N>=%aY>rj$Q1(a*Yyi{HE zei(hu3N8CKu76n(BXEQ{W%x?+3Q8qE{-m%&{TwqvZWF>WS9JVh(~bGzsAQ<}$r*^U zZs&`B$%-T0gfYT##s4_j+mS6>0xA~oCEBxa3;XkgoK)Z^$lW694%q$vE=(<44!GA- z_4COIMpR3#+Ib0%dA4ygqV_HaN`VJQtz{%nB5e}lrpeMbu`HrxiqUmr46VLxqMdwwDhy=~k0;ZV1rhWfgd{6uoA>NhVGqRYxMThfe?|Y*wUBJUXY(&hJG?(-2^GWSCYChc^4OG1Qb4zQfoM!do zRp3ds8kg%`st@bO^s!pdl7HnVGuurG$86iH{HEo;;SJu~pz6%->p)}w1I}*mQ=jw6 zmeVXuC}%8fi@@_!cXu+Z!0z$w=zZu7_{WaU=X@(tr!8R8m5f~vSa4(IwBX-smeO(g zz>~stc_Iyl@ z%yM7iDZgl|_62U#_BKALh7y+ICxK)>N?Wey-#25Muif3_az9UfY{rUfeMEbCp~TOUG5QQE{f)4)98LmdohC9SNlJk3G9~TavGLGi1b~SciG# z9O}C9!@bJi_#5eI7mLiYx%?vX<=9;|qK@ zeGg;LKqM?%YO}sYX8}SY4cBtT!OsNF`9N_pw{|urNCWLKwqg?S2m<0H$YyR$MAZ!P 
zP3Lz>-7;!UCVZ)ntuR?6F%PtXc6&TgY5hjke?KW)PKy%Yv>RA{O#HB+QmtPcbI6*T zVlkoYZweC!aLp1%MaXF|Vx_eRh#4c;B#%{@shB-^m;C>saRBVllC$VWVBMpL77ppj>zn%=7`1)yNa0VjN0;t> z#60r_1@h^D*>jfKPUC?*<+HnX8ER@f)F7BsmqOfS)>&**lfSe}tlw;L#PYLj&9K@S zTBmZ%?<&rmLK02EAAVXe*Ri#5l>L1ZF;^Q&*H$-=ekWSBUHvtQvPMf7T5x*?46O*O zHVC0~tz=?`T>wkXE>H-({N0rq(iM~}6i#}SptcmFM-N= z`4{U0ibLEeAp09~n3V4tQj&}+8cxE@szOyB=~^8OMqCZ$Qyh>pD?b=6Y8!QpG`vv;yi*qj-`u3mBuB7IIlzM*D9=~BIu+M19SEx?N)(myS_eR zswGu>I{6f8%6-#DtA#4f+~Z$N-Fs8MK%~z?rWBl@#*;9DH+kSPAU9ak=5y5dF!&6V zSX&VSM#3xI_IsQ35knJtxQc5!aU%||Mfo+P62_=qG1r|IyJ7A5U1xhlh|QvP&yoN) zN#7Agh)OZg3m*$v&cDp_QL_h5^LxfUr?ojou|w72hOszDkjLOn^N}uB&^tTV3SK7a zyCUu^&JW2{d(^oNW6|rA&9aQj5iz|-Z%a$E;f}u!^X5W(Lg*2;YU#;^lF5A zyyBR$mfGmx`hoq7HXu<&*u0CwoZO*I8!`lMmld7GN;P-?;S}GHzT5ecTmOdP4meeVOxB5260SvWhF!g8==M9?|#$uV$RsBE{+?B#JHGa1Ihdh8ik=-Xc3GaQL@69%TbP;Q-i`B*FyL*tce!pH^z`2;N9MTqyf+_AS30Jmx0lSd9PYcw=Bv;ZfAP%#_6 z%hN6!9M00OL4zr}Ced^Rz2?!SHavR|0Df~|6gS(N^UfhKw3X|8n(nyk_1|gE@U!Mc z^RlbY-8r7f{V8}$W+M>g;-+OQ#(LA;F?Z$9;&$tfzM6Ytq*i5*^bN-@=gC~P50}r8 z_z7Oe2b)0p$xhp`D^ka2cE6nd!OPXMY^=s{LrC{sB}bRTX#MdQwDpMa=JR3~FLr0m z)CZ7-UgK@j(=OZ6G)hehrrXtz(;O+!{XQCd*^JvW!Y%*l2EcrNT@U$70BYu=*9OYR z5^Qn5tqPi8?;Q#E&m%uLB3(H@V^`+X4UK#5KK?U0gdF@kdz14v6C=-`!0|V^u!)0V zFUK471^tZtihH^O0YsxgL%vBd$)|elz+4eI6>XOykp(jsTu=+hO9qr%TLRis5|TA@ z8Hm69kKTI}e3y$hO@4K!kK*s$xPg$V{QK_!GV#}9x%4;rEnT}kbf`IejnY(ZgOMl5{=bAcg}&7|rPg+FV(sCrpj1c3Vh+Z7i%HTd~`RUnz=;q@Pq! 
zMOnz;@}NEEn3z2o=AmfS=Fh#-vZYHmRv4`}Iqf)P=(#B?dJxyzYGBtU;AdoNx>UL| zU%TRIT{OMk_^omqY-#{|kc%Vsn5-j9CYPF}E3hE(yhWSEqR3uY%K2V)`AE~pB0&z@ zPAbmyb9)G7Ce6u>sMg(j$evTcD4~-lX0&NtOKyPawB((xB-cU*++y5Bo5Y4*2203 z7lWDtyShGP#FZKZdk={WK?*>_QLAoEcCzLQh}4Y+!@u1=kisFs%(@zLI9u3L+9-~u)nSoTcyz^-|1rZ=k+{?1Rxfd33NE6Y4smF(dMG zE$^O8!wX~4#*)W+L3T0K*a_0XB$ly&ruAl{KlC!cv*;noxOWMi76Sa?zsoCOck~OB ztEZ+NPf0BYT((RnWwy()R-}kR;tmZOEZ9C4r>x2@kd?0XdDiGV88+vGk>!tQGT$sQ zH*>R&KOn?lmr@@jWv#-x&nmMuS)I^8Q^ihHkEqb?VP{$*a_$zlGbc3)=9P$i?69gT zq&2}#BB#O97_&g#8xdum%etlZcNRs3N|jPeq`NSa-PLSH($OhevGRhZEPnFYO`YN#D}d86yk+5~E~{Fz{7Gu)l)jSFDEPzq)Bb18o)u zIZbPp#2!%i{fflSOm`hF&gXD5yIe4c8x?z-bxv>XN!@el(@dt~GXUxA%4*nL*nf$2`-w zJV|Ai%oyo$9mj9_wr`}k_B5{;&2~56FmKj0J?X|?Itf1ZJMOf()wfQR-oQch)=nqNJ$fuR^(E3G##+Y^DC)v7x}0?Hu&v@0UEPDB5A>6YtwwAo`BREe4Sp?f8FWLLk=>p4;E z=V7{V3>NQQUo5iE?DEDzAc6P!-83Tqep=?jLHllx-K4NQIeU6zukWR5X^~&kYlFRnD^rM>TGbSFTX&wB8f9v%c#Yv#t82 zN89PnGaeec$9Jfd_EU^@$NmkDPr6Uv{#SwY*f)987SQYo^Cv2(-1A=Kqix_p&l2Qc zBoaW@9fI+=(rY#L;R5Xx?(4+R$FCd|j2cHUNggKt>Xs+U()R2N%KP z+x<$E9g`9XW?ZFri%V$w2v@LlGm$S7RV`YRCsOCfTS@w}Sp04`Pmpg(&sK)9UBCoQ z@lAm8j<*zMyoo~EB<8$-iZUAd!(pa`2%652M6oi4awZlF9QP0~Mrnl~%!GR2EW5QtqIK`3eGcO1UCwiGrxrKr0|`$!_BZWNTnLWA5yVd%aRkGc4%^ z_<3E`19VDm+Z8YK*)k2rC3eL8!-z4za_XEm2^P;xU3Lu_e4|YchBbgQW zcj|pSj5(<~Sa?Pa<&WR3aHlQ|nJo9B4AbGszYMTN1d_oq@ru$o zT$IoltO|bk-(AMEArc>%A?+pjC!T=z)w1#4Won8*1FD+VABR}7q14gMD5 zEBZ1lX%aYbbg^TcEgSW^s$D~@ztX6q2NQ}}+mu?6Frj5DC<7E{4O*hy13mbWjGPkl z9(^W^GrQA8>s40cn693$?v@NlbD9FT7)PAU^Mt#mmx8laZ2N?0<4AXnE6L^cTMWMX zh*7)2u*x^`&2cD~X&6ay^mU2Bx(uzbNQGsTO3?rYAO!}cN9Tupazy9$WNA! 
z^DibC9f$98?thNEHzsl8tVPC)-?=^F?5!IESG9#)F7?S>E?~1N3t&nojJh*MGE9Xh zRx+hRGGNjIyrx7B z_tWs-YPC_XR1U_P^kXMvp*AOst9{tOZ?YL|qE@7lVMOC<=WQA(FnseULn8*i?wom> zf}i9eEJ?UZmmU;|Rog{NvBKsA#M#;j;Lz~aLpm^!W&=}+%-c+cZD`DW@Em{4OK?aY zW*kMZja8F2>T6HQP|J<8+@;%VD}?RRTjMtBJG`C?vu=p`HN^UUJ~^uSRm;p z6=9QAtT4t&zS`93hi%U3ZplU>?xa6Q9x>RLD-LITsRXH!e*#2IZt@@jMD;oWz@;1; zeuhZ!w=S&@Ga=0str2ri5;<#|P;;hJV@Ss`qX%c!lu9s77B6%dHY+`?G zFk6IeF3+Z9o~|Omo-z_aqeAF#C(8MQM&$Rjn3Fa4>F8Ka!D5YLZvD0(u6knOMtL!#1HEubErPUhKyaP-vMZ)>OI5~d&380#V{f)=Q2DUFvocA ze}l20*H$S3Cqq;M0lh|&D)TskwRJnLJHMFi7Br4iowNQ|R&RIx6v*xiAF@~PyQhu4 z7JR34zUY(xNzMDnQT^DI2%osX_*V*$VD}GT;IxbGk?8_@4t5ssLQ)v6oC8Llir0#ENH+W zIT7Z$YSwdZmv`OQVt#q5 zvUNWeg1Ax>N^QzAx@WpH-D!7NxV_!g+~Os7*1Z2={+wIf@jB)X=zMv%bg@*s_F2=K zJ6xx|hfO8a7UOT3b;?hVW%1p&-Ck)B0YR^yzlv0SuF4!3oLe(~p{Ps$T{_OBwfor0 z0Go{3Zx#~`cg75tTRslFm$R!0yhwaLvTgaEo{)-`FPlHoqrp9^eaFceHay1IU9B4X zZO+QZr}*@P02xn>TQ*;ua#O4EsH=f-+bZHvFt^Ng5K+hyR>(N*s_u+r7n&<6ByUhV!6awKC* z_!D2P<#Q;Iq07`Esrl?Me0Dmay7MKK!lunr!0N3}fnj0G=U{d-dt>LK8sF(vSI*~t zlQ2%$p2ej4(beN7z%*+8Q2r*hHJ$GL#+d_t+Kr}-m^;U5fX(*8bJ^e=0kP9P^@~30 z0wJi}P7vbWleqEiLjTfLR-Ao;a8KqX9d?d}~uwLKmUR_;3> zRegTR%p&j8V(*{=(|3^9m&$xgm>psMjLP1nrwj5YFA5&{7lesf23#M00>yTF0F|=b zfh>d`G;#PA`k%#(jKFx@MU?FO^L#u_x%^o_aDxqTfv$d+&QPK_C+j?D=Da4hAqh22 z>@t1sn5|?M8{|4Qa1VAfi4|GV``}#1^&1W4 zhQaWzRxLX4f9ghwCjS}GxMQ6qQgg2oQt)Bn2tf!O&**AVnYZeE)8sT6(LZTQ>w%?r#jwjHvX^?-1hr>{BCI#7?mL8O2nW zcLGz=t^bV4h%s4(Xv7TI*NrYyCBh(-gRosged3orI5qlinZKi@;uJ|*0jwL_AJ=kd z(}+rTA*4@x-g4p@;CV23CRnMfLVhws%fVy}T28dA_FEus5+M-bDnuC+*GV_$@g(lX zT<3e}?x7i#a0`2ssEB4tXf=~77q#<+4Bg2nlA|4n=LqA`8mX=&NHo7j* zysIDW&(nMcT>zYrRmyt^vL#!j!7i#IEogiS1M@}h?*DY=D*)U)NNj|a25Ym%%K-Yu z-!STdYFKuXUc#g;$i)cZW{>qk79YoC?W}|sHU2LO3w6va+8iWAy5-I9>aAa79BQ`T zgrxmEk}c1R67FAX#SU7A$dGSsaEAMED2?gpjBwZjFT=!*n!_YTRB#Z8*M-)Ppvka^ z5D;nY6)U3zJM$Y5nym6NiTQ%s8o*cxB!A(Tiu_*fg218TtzrR7yyK~Yb9ae7p-};+ z6erWBEThY^R*SeD>BHL2cX+|FsFNqQeQ)Kqki+)eVE?IEZ<+_Sm+ww3=Hl0{Y>@ls zn^{l>BeqUHE@&TM{;!sQ)VBlaGsLxIY4{zfKIb_ag6>5bwg5QyejI-xwsZi?*w+hv 
z9u|*0Y)^9en;2H6{0Fq;Yw9DT7Sgb$D$PN=J1Mn6VXiJyowcuEob_xKtSHCCHy@pA z)&+y&1*u{-NL zJP4yqPPFBxnp@Nl*bQmcCOcIrLJs`wBNhbOQfQoe+$B8tq*i5nvcC+zA#ly))j12K zaWW}dq4g=3o!bQptuq_9CZe?Gf^kKZMhn%_qYb*i%%zZ^3xdN81j|fi?N!X=6w%8= z;z}TaC8hA9ILBkirL9Q2r(;xM`Cgh=j~h zmHAN|z#e>R%*SW`W1-@6Vr}|=<>F=gOK0AbIt83uylx*e@t*;nLon%qgYR-UnX9fw zJMdv3T%hnr{8zrkcaX$aQzj-8^jQKrN`J*CPr17UkrTS@?it>AXRW$Unj(1}*syrM zo>F}4Wm(3<)=AOZ15!*5tFF#(wYh&b+3GldNR4mg=P#~5^FVN!JzDQh4gv@qM!D61 zyE-=Y8*flvpMUnakIvo%J*%I_IxG1ISIzhD+21yqhI`VT7mEECFl-%6@1s|C zB7|=zA_q`cP5pVQR`wJ;oc61x-nL7sycCm9tLold+MkoCZ0&aHrz)Gb@A;cdYoHJ@ ze1^AxFV73}^vKt4FG+`4@!d~H2uO53eQPuuE$@=u8vu3v&iJmz$)mz|f#;;cWxn65 zn4Tu*g{?1Y?-wudt&8*L6^`3!%b9;JT%UV;akeXCJ!yTOma{nbauXck9z!gzFFsCM z)V^lkRXv{9K+J5nmxc1|y~zdaZQxs7>Up?awb#;o_u50HjEnZc=-Uwm{{2o<^we@U zX#6qC-A+Nt1EJG2nEZ45Tes1IA^>r^C2_>f8 zwvBRp?eeIJ%dgROzd>=Wk_J`9Z<;tcTu!I>(T~WHe1(@mxKTe?8NJn^Rkyy`OyBtS zEVt(2@U*P!&FOtjw}!FFL!X0$W$NSgxhhxbePW4ZC2{o-=(#Jxp?TaG!qdYe#%H?i zNL+V;vN_qrl%>8Kg?a6LCVn5=e8%^9W*kI@7o1b35cndYL8lZ=e3^ z_X+M*hS_gpd-tj@n{}k3d`(Tjct^sIBT~%FySF!r>2n>Q#=HMp^P1fIc9q;_zsR8& z;=j-&g90Zm3=L~lf$$Pd8LOZ5-{97%ABOa7)+s*Q*X#K>A6i# z>h}ItI1M4o`{Uu@xJWbjp9@Yy zBASibL0PXR%Y6+2b zV_G`x(Q?03dEyCbSlTyPbC?E0op3+Zag!|gbQy#s@p~bZo^ZqBIh0VfGgNu1FjsUc zNrziECgh%&e=zamD-wOj{wA`dzFv{crd$$T7mUfnT8v0ruOT^o(NykZE?uru3mvGt z*D?_5A0aACFhuuDkG0WW45~=*_t;C$e(L^`8KZ;gmIO7J>cPsQLt#u@$mtl`Ed}c) zbh`mh@Q1R`fdhp1ihya}-!1UFT72$Rmo@4LY_}5%ZCA3fJ=TLdRVh};80Lziwo8JP z!F%$)d5S{C{`mro%`jX=;>jZaf-M@w-&!MV5x>QGF1xrUxxi267ktO*MqWb)e4%TZ z04AniCqmI60X@F|m(c0^QQY!H=p0~1e~Hx30JrudL^KML2=x)fx}PXHR`h}*As*0_ z*R)L8lhlcIQDlPYC!$}Fu;%@>`DF!G$rm(=D?&PW*PbUXw@x+5Z{d_l6LhbT;)=16 z?^3dt!H+eSOfVPQf0aPlFXs!($5p2!zUW|#kCn(JA;@emYXqnOEhTV1qke=; zd7l6zg<=WM0W9%H*`LRt3Mi-#N5K}kzPtbxj8}Qo4fsj;x=Epn`u;8^MSnlmS1&F0 z*|beV^|E!fbA(b3Mk$2Q6KVn`mezz)S_i)T;Xk^#3zY$>rAWm%swdG49{4$If~+_f zl>G~kZ{Kjpz`>8+3Z1BVCMQ3zm|3|RrfyXvuJgPq1)!1+3g{>k3+EnlBjjXy%uU`( zB{@rP53QP&8qd>oWo2?r;HF+rrPnydjMwQ$b!Hjo_wC&enq$(Guf;osRtdzh!Oa$f 
z_i9Anoq22<@r2K1zVaANsxT#u(~alTqRw@xiO z7YHqtR_9*LN~aZ-GL_gbUlH|-v~T^P>uPe3??~#ZK%6)ZkmDodg96n1H2}v8 zihrL*Cj0*1u@%vyjl+oGcI%V>>;AIR!FjVwDpHs0I`wh(%UI*~L9*_{CTiC9^N#7r zs5h={=Ta8Wb@%W5#;srBbWbI|6t0v`cXHkL!1ZRmwqtrIe2+a(Jsuzh66lS`vy*Z2 zz7wzxRatK?`}6CYN7Hwnw*5Y7dIsR>xbIo# z=xY1$2c$f|7!GIp?99)ia#(k-y){p5GIM|4;nOqu3|Dr1NV@VjgnV8G653wBZ$OlP z95m;jyM#~ihq|G!pC@Eb^WA(Jx`5K^FOjZ44NZs1UD|eQ27P?axT_gDOUA1Tvp?Tu z*ikGkLHdI#U61Ku?fXxem|{{@U4w6Vv9C&XUlX&&;fS@5+l3&Ko<`?kA$Zf2+F<_K z7u|FZqvoR@s_K0pHvQ_1pc(MozVPAMlT66{5V3sCR+4?}J6GOxEeCo{Tz=BCpHzc~ z)Ukmv0^RD`qRrWMyTjjv&(Te1-CT}0zYo!K(0e{iXK#XddA?$)d>t3xp!kuh8_%DY zUw2->A5@;>=a+dK8R{QU$9bl=JOo~^c1e*y|H;olaNh{f#FOv4_Rv>8H+Bj1^Vhgb z%7dY5beEE`Fyp)J%l{=!tIhhFu-8y)E^L-w)O_uEufFc2wHDZvPaYMp9e*wMG=L3N zMvD&WHtV9CSX8I{!gHLVV~0lg@-QZmZPZp9!*WxH#^8g zG_27!A2sO$mc_hCIcJAzCB|1kTVqG|E>c_l$cdUU)4=n0CQP$m6DKrEvLWZWRWa~e z$PoHr!H&M>Gw?nHIq%!q=9@XFiVojcfm#~!R5B=3?UYR89C5j79T{eOr1+vhn9h_6-RZ|~Du~-IE zm_;p8dvh+oiP+~kO=1B4Ey!o3wi9U$h%_@_9EdAC;*nRVYWvF^PZl7~XS#_O;dK1Q z=;NGs7}n-OD%kT8gS})~~z0+Xt*dm+NPTSS9Vir z5Cbrw0}=OY=ipjoCghK}n;7KufCPTinGRj^n)h-Sg(Bwlw@uogCI4*v7&z)!Hb z#HMwO2fDvJjc?X8i?MppdaDWy=hDt)#~~0Sjb`zd{YYq*EIFZ%crLJQ!tctRVDo$O2s=rfV3{CW0K6Z_Yc zTWpvXE14*Z=V0wsg8V9QQ!g@<+V_^iz!Cl^sYb$sQOe1rR-w315lf zwILgp4b%iY>A0_jL94L6)#tiTKS8gz$72-GNx}Bt$8vr{l5?b|BA){j<(6LDK!P9+ z&>v_?pTE8?uN#CukiY)1!jR7Vhvh`{t_QYHz?oJzJw8|Iyx!n;bna&otXws0QDYLO z>O2-UciZ5leVj!gRXty2whu74WV*h=NLhK5diI)>S7CfQjO!f1n9_T!`K&?>PrQeG zk58XUJmzm*4Q{us@Pq>JZRxH_;8b%Q)e!gF+Z9Fbi>a`uM`+h_6wWPY_ zEV6*0v7K4H4oL@IbyNa4Yw8d?cKy4z^k22zpL=7&&xcgSwwuB6w(1`@)@_@7J0E9# z+nzGg^*lVTwQc}5*hH@MjmxXsn-6lXI;g}Q)YOPv--VCf ztG%tKQB{%Tcuk|dZ5o$FvQc~*201jMI)BjfAx+6OHoM>B0^Z-0tT6dcyhPIgAdc}5 zbf+Vs^H0>1iW{{V4IIt8_|GFAt&5ih1O~m&Ckr)vXKBZLZ#B-_n$0Em9kcVav)0YA zJ73MqNxCGR#@gKuKvm9V{b`-6b&!qAj&Qm4UWF%61F(HlM(A>F9XYe!jMwctS1s4( z61#c*{_kUN_k5x=rDF-Vs%t>9$Kf2%J7~}Ps$UxT<4&<=iI+?v-zB_0kB)p$fN!MxHlq2Y-Ahen! 
zeA=pO-t4}#IIngXUN4NV4)|ha>ppx8>+(KVsadWGpGPsMs%hB9?iPSHn9{pJvggJ3 z1RdS2r?%UM)m4-2MvwLMhPL^ZXP*;$&666o&n$>VTYMc@a?!l!aq-*0U{@5MVI;ug zJBZ;H1Y!VvSc3e4tG+SPCQZQguU+w?sB2pe(PYg_H%Hriz--ZY_5olb*&&~XrP0kK zFl1~rfH!3+KySoGvf+LANcQ~)NWz2w%!H9Ue9B6flqV{WYf!Lutiu+)nU zLsBF2=VekljR<}`Gih-enK?(X%u5lojR-43t%O#7X5AhenB09Mm=4Qs7atCFS|W@= zV)B7kA+xGyaQR6gRprv~EYToykV4fqLkvqbMYXx=aFO%`#0?H12T?(!v0eA~@}R6( zgiqO7(qbW;`?DvvfqKPye#+aMCDo&yvtZ7m6o&wpk5Y9o~UV>v%oU=vvav@=y%V1pBh#YYm>8#9>T?}FS` z5ED?AdT>7rVuxZe5RZTB=0(g@L{bd8==jfnyK;GlK$GsHL~4!M6YaNpQd&XkB z0sLL|Duz)pwe0?UoS2Edk!v74l5&sw56v0!6i+Lif4 zr{#LQ;QQY(xZJBbg2&RB)&+J0p}7vTRcSx@!|t&ejLX5h%@*$K=B{%% zMKt-eAY|J z&$jz$4@3(OQ2S`_lS{4dlDL!VavS~J{d`Y(NoXV%{H7&W{~SSn$Vx8 zt(J}k>(I1FTz7?K`e(AxGAiL;P1yK-rcb?ml9zmiQ;tXEGkIAgSYg6H<&d$GJP{ep ziSsIEc%$q@UbhpoxZ(NN(E&rEcm-T_JXy!V3KM(X(B)LgF(p{aKgxV<7Svpl!88g& z5~Wn=kpeWSlFTGLx{fCPb`c9J&ZG&GaMH%oQZ4`7%xc%=T-P`eDeX^iOEQ^6)X%iG z>|$6jb0v`zo7_`a*#c>s+kKoZkO|LrTk9)A|zSIl}|KqUVn zi3B31gY6Pfun;H#6c0o>03mZC>SLu5GiTcar*&jOty-Z^$Mah{JrA$@JRj~df!(zJzVmkX zdGmY8n$Pe>+FXqo259lf_oB=0@aO&W%TDN*b7+YgiOyPRhl#k}x4eTpZ*)tshQPj>ARQIp1bS=6m!JF|W?tDm!)UUgu0 z6|K`;HUDe?83I7N>G>yH$(`E-?nk6Y3e$Y92jjNYEL<;fGFiL^g@Eb@jJC(i<&5{I zO@=PV#iPrYE@Qwt5a4;hK+4@7?%3_Q=Zd7`Q0*NUUp?PiE~|TH8Quw8&rJ5dd4W>I z#FsQ6iG`QtkJS0Tk%xPA`}S7o`1}&wgE)!A1>!z|8397 zFF@eaL!jxem-H*ZgNkVPOpP7{mH4<6a6h2#u;SYclKU=Bs0FG7E{=n0QC98aN%rYa zAR1y`0Wgh>uK*{yO#`dIQKsDJ*zfC5Z`_i8;{2CyeDXM0eF9d&tBiJrTa*Z%)>7jI ze>ed@@67VkVGj5+0(D6A=%gSZna1%kpf4EFq4r_5?1g?yWW0cCUAK3ml$O7r_{)ok z`~BtbAr}_!@mqvL7HFa!w`j5&uai!+8jsU9(yBB1w*`}#+l*{+(un{cGs8pH@U8z_ z?k{AakeNHgYbl#9v@65!(GJ%dpo!O`bO*1F#wU$;*C$PPQoVe`_SCEQUU6)!KjraR z><}cw_2iv&2GX$*{r+kTXvs9#yfbpqYNR4E>BKOc08OP;aP~qoHQsQ_l~;$TLrlf^WJ~culce zQzjB|pHj3yU&y5puHYxgZNN}XX(CoH+n`zd7FaG@nr@qit?UOLgCZKHh0Q|FiS3e8 zRk|2HNmb~dNZt8>w=Bq%iu=1376PZGiL6Fz?Q zx!lIRPv!A;;H11%Rwg7EmFtWXy@7k@K)as>;oC!J5@~?OXn4OuvL%Yb`W1Fyh9CQP z5`w0bv?|#`g|g!O&KSZ(GrANbD71-u1tJHs?@o3`zw(`Nz)OE4lrR#+zviXC@_udu 
zH$SqeagoAPS6K$TH$nbg?$5p$mhG?YV05ye=78-f4-x$5#Gg6vvoHz;hEay~nSaU< zOMm`qX_A0(2Cyx4l1Re+&~^>$n^0QqiHm|%g&82Xo4re81r|^lx@*Y6W|6SA6+t9{E{zL5#p5%K%j;R%;P<4Xk!#Gy<^eSVzDV^g|R41 z|5Ru$4)`f4o9jcmtRF8PI_Hju_oEbc?RUfiQBb30ur20|-HHw5HyVe01wR)n*vaG> z=4=ZL$)Fat5f!6wvHAdgtU`|nNz@X>^4DEX$VElCiRB-Zh~iqPek7WwiSyb~QvrGh zAB4#S-g`pkcfJ{*czh&pqD)-FPy@8L-`qMxUy+rDtpubnVD!a%{0n1m8jH=$>>1as z(1R=a_8F3I+E8bnDG`ah0*M#M0TZd$5_pUx#a{GDyI`vW!tstu-%s|;Os$ertlZ~Z z%j?q4(L{yIiJ+`W(ciqv5Pw{5andHo;cyhp)tX1emHtHtlm^N1ErL-BXGfn5>z^_vms;{A%kdZA`=FLHg@T}$Z+2nkRK>l66UFr} zG(C^SWVyWq=Uu$4^&BX!>R5EQ;I(fQj!P7rChZrI(uOgT0Y38=dP%;nTer!!j~i0U zo3G>BT{VZB%CEN+Hk=kOu#Arxq?|$G?KfyY^)CBz%y2eq4>M z*DUrCAKa%JjjOh&?9)vr!TMc_o;S_&+%(W>(I(y7=??eC^V;@(s&IM3Sm)tm7x$v^ z2!(^7X75?N?y)_&mL=NTe$jPm+kN)s{Ur$fxFY;y0)glH_6UU#FLlH90^PRyLHn{R zTZX=}f{PEBPzn;E`;3zWHyrnKT9-e;gE& zPjB8V-C~R>6_OuUde1x_pWNWQgJAe~296Nk2|72BFe;kI+)W`b7q?m{v9p^#JK2UF+MR;@cs~nf=C6Im*gb32`7j zD~ir+REU(Utww}Pyg7fz;v9o5ZB_##Ma*)r?nAqWfoe(aY~|L-np0F^Qo)sP$BCdB zNGt@wYAUQT#(svD+}LTLD?1)`)BuGpWSxJiO+p%^KE7=6C^+ddCU9aJO!Bk$(PlXe z$2=k(QOSR@nOlak0BS%vN9nSFluZ!@E1Jf9o?3Rnq)s`>AXK zl_HPqOe)pJ$#X3Qe*SYvP%2l3*S|1F3@r{#7?iB2gcf1X4p0L0gV%`O{~ zmf!G2j<`>nFvma?j>xewUKOvy9@B7@U{3Sa(DgG{vT72iwHC0&rmId-9rmt$yIJ)U zNzhD2T+B#;6Yl1!Y!DS%#gQvw4}H9A?U0v3aBn4R;L1dJmq?@IsLu~Ob!gMD0rPTI zo`GzPiEV`!tG`*GTq^7dv5&f{a|vYejzLA`>5msQJxS}+XjR|3Vemfz0d zOI@5yA`5AiM)aTZYvoaas@)RxnPH&;6_M#B^3lP-sB(7NS?74O4LTw#$2_+RSom-h zSvleU!dU5g6f~N?8fFJ>y_=70i%yJ#@X?FcJ-tsT;L+=}f%Siv=Yyx9Ar2hn>0R7f z4#>2!Uqz{snZai)+p_2r8x2VMB@7EBm~n7+R4ODq;8X(bf+jy)Y5B5=c}y@bg)}^jO)6 z$Nha%@;w3zK#%s~|8FO?Lrkk}hB;TeeW8Fe?Al#DS+NKv zAPQ}WXy#W^ysqs_@0B{4Kzbgldk}2g zME7#a&;1=mFU=wGjLbiM(W^bTXuY3x`f%bGJZzT|6AXA1)=$d?kwghL=`Pjfa~B2F z9R60{s(Q#C#qLa( z3>Q=eZqcnm7I^VyW*>WXu>G+DW!dEm&hi@aCh-|Eh9)Kehf!YB5B9t$B_e%49Hh5I zYDCObQO}8IjRX^F9afrSUc}QkH=*33Il1xe?Vyu{Y<6U2}bROGQ#R7MoGCZ!$#Oy~^Nvqnf`v>M?U z5*RJ4#$s~Z1;senC%1%Lo;~RJbAuik`TPJHbnCt|Vf`FgNT=%Lxi@gSME%G(xD#Ua z+{6O;3w3Z+aZFJC+{0 
z_<+v@c1^HjrJ~6eoAF4*Uu)+Dxn;XqFJmTg?WA$xb~FH02ZxwE zD_qY+`U12HLaZFiZ#OZw8yISEGTXM=e8Wir!125Cjn`zc=M`jK(^kN*Y2B7zUE3Qi~1FdG*5B*EY z*EH~PDLrte=84st;77~%Q{RdV7#qh;-^zy5sOE}ozI(rDMb}Q4ObpssOF+}Q#q_2Q zAD8Ej5WHFE=E^#`vZbQt%J!%&S-11Nef`5I(0vHflV};}ejngH9czl; zz7)6aech00Yfkt!GuH@l*nI@5-u@uO%bEn~iGEN3_a8m1Z*Y$RDHoEydlXq!T2FV2MA{tcB7po~UzB^i2RJ`V@XM zMWjc=jSkS7(EM>hD|{!T#6Yf^RbYnUx+?oYDox2x!TN244y{0LV>Rd}}qXw}rFHNh%)FwOOgqY3S>!UiE&_)B;~ zZ0{=N;}Mu`u-u}O2oGoGe5Xw9(MNde1pK8l0@Oc)7+k@D-*ZGo4(?y&x_&;(FIg~d z_Ocq({aFYXlO*m95!awX{$i0~1t?^vNd_-7p*TVwtSqY5l|rIM{i+iKxP~fo&8Rus#Np~>tdaLO9)#11w8vO@*k#-NRbg?6ET zSR}Fpdy_)iwT^rOb${3x5k}0DxhvVp?5fIx?JBsPOw-1W&FJ=v?Db9NM=TX-{%Uzu zCQLn+n_1u-{E}gTYDiG8Gh|c$ViB{I-2-Yt=sHNYISk(Ogt9!2bdRtWSj2w zXL`NYSc+zgD#vRNq)pyqx#SJsr>^zQH(&b*f%2(=FTg1rctF=XiID`xu0>y^C&3C&!V! zViAJGz;(KH3J3R@p6<(eSRmtje}(a0$e(dP1U{?7k?9meH}qUBTRg2kjNdz4Rd+h< zsM?;E>FQ`VJC@m)JaRc)5q`<<{g&v;VXKG~h4>=$c^tRtqGgKiRM{%G(PnI(XkT}z z@B4aXsHF#*wRFvNf5l(I6}!AwzTT^JX}Su}+PrOns^a-`Kd!g#6`mNULQqxR&GK^Q zNRjyJU4JMZ#6uvx87U3 zCez3DoVV7_Vnb+KKG%R}82BBBlVvv#qh8UxmN&}j^%f3~ z3F^n59nZI%r=^++YF*B&UqLiagfH6`7q$$6Oa@E<2bY@ozkd*F=w;jczR3QV$#ieptTo?>S znIXCCP)ns&8nBsNN;>zw{NE?lWpafH*ZC@ZY!K{D!{B5>Z;a7DG74uF$@xQA6yt|? 
z0a508&MQ;}9MkqjW@We)uc(pbAz{-s%cflO)rR&Ou%Xk8%|)TMWr$eB7m@p2*iggWdB1cO_*RfWm&`b534!6pMWREE>f*XpKThtujb zO>PJoT7pFASPFXfpKHro_Rs|j)2WrN<2ffK15-M8lh#na|(canu?@LYp z>1ly9Ixdf{f$_9aAjZswtg}SB@~5;0~tH2oN*erCcZPo6bv2}OY&sR zSj~z!YQi@K+QEBhDAT5j)R>rt*UdpFZVE}##PMaAuPGN(D&qw1LJMEi(l=O};N!^!vHJwaF7k!Wq`E?-gqZ;)BO9pb!z_Wd_C zJ<(;=b$Nu2{0^rIk-fIOsEN{`Q2_;5&gKME3vTY<)%J&2k^`{#73qxwl&X=Kn+yS3 z^*sp{hNHWWcdj1I<%;Pw$;O|u`l1A7OC)YgB=JzbPhvUBV0{oGlGdwGRXlQ+2Jnr@ zXN{TRkg_V}&CB5iI#63-?qc*Cljy69`>9TkCG=RR{)mM#;D#|@@MQ4$Kp@Kf9*6|pzM5f2f*gPlgtvuE0T{#E+(EMf1* z5e!XYK-rpO9(bD>_(dikwJ_#$e?6cv3&w;V^E z#cT4bK;keWEk9>d2v4m|b+yQGzJ{!T4nZDyd+0+IM{Fzw%2i*!=aV=~z4DhB!lDHQ zL4oBjDz43ctd;`xkpC+WzRW~F1iPbv!V_NrF{;~Y;C-g_9-&#hq~S` zYWjb!GlbEUtD!|Y_0AFGaPIX60}O(+ke(XJ3e>%-1$== zBW+{w-Jd*Rb^w?7qSqfcll9K4P}y01?k<+ZS{{OYx1?7-yAiv6>Z(9HuoM87C#0W; z?a`Z{g*3upB#iC1ls6^spjP12$t4Hqr6RKFbzI>Z;1GIO@9{(hs-dgWZQ0ohIp%M9 zuwB-Eo!vZq`*$fdw7!`A6&wsOwYc|<%ArxqmVmmNuX!xbm-Tw?gnHUK8x@Y?asfI2 zd3rEjy6pbAMPzy%>j)RSsk-;UiCkWpd=up3KPzQv=G$M`a4rpDU$09i`hLzvwl{XGr-PencbS~>JTtq0)?r@x089Qnvgz&=fILRt1-T?7=J7iFt~th-pV6}oxCnKg;&$)yG|(|~I(y@ivS^)|Hk)=GOv&!LSc8J0?*Q_j z)eAJcJrxnCx8FCF06zNi?U-P6y$>?g?5sx|rF%RrmXFSKbQuKM?IKhR_=DQLYO=72 zWv*^ECH4xQ!8ip*iS$%Fd>XE6G=Vh(wR;W%CK_~FZa2{ypxrsKuGu&lOnm{+Zc_HT zn$n|tPy1`_LiVHScH4U{oxZ`t!7L7c{XcEKPmA3rB#d;AhFU zUJqzyk|6W3*J+(DW&2|3oP7_crL%5v_wMGM56t&#*R2APlCtuFj_Ja`=wZxbwy-&K znJ2$50Ak`G6K*c`%JQ5pP{xPdS4~Q{`)5MLfoN1j&cdFQtvygeix5Qf!|e+Ux}mSX zySLYP4Q4cxyX#XSlgvj9#o;wZj2wc>o4io0gZ;kvfoobwNTC{@y@MY~8kyKGOzE6# z6i_ak=eJOU^_D6rxzr1Z)o&-Ks&#}guRK(5%6T2X4;G5ep(Z-r> zLB?5r^o=+n!)y5P^38%?c32+q%(*>V_AHJ5tr5|od|Sl4v59593QV3q%H-#@ht!Se&JwEAsnJRHig*J~Je$Hp zno)OeE(DSUQJHc03JLxaCLLDFDY3TMN>uz?hnIp0ORH(FWGeS`aT7=Z`gOQC7xMBG zaHtvyNJQRIkL+#6xNtFn;|c50t^kju~fYR?968hs9bWt0P&c>|Vbz(k+$$z5hd%IA7OB z)h`@=ZIa^_PPp&~D#^EhXc6qHjC5~56(hB!*!=S2czXw!gLY!4S*265AJj(BoZEjz zww-Z@(?gLJnGIEY6vByO+m$WmLZV%*?xP~?N2hMr4N!!d3&Tp>s$QTFo6jAh<0T*3pN*bFrwF0{tU)H&FiIM2|uN7 
zp;d!3e@-myWGTl7iv6q(bKydS1}6m5OoA3}J3V+6_YvAfE`W;X#a)4g3Tu+&+5p3j z(qUzJd=RI*>IlxLo3*T9u!N|C(b@W1vDKvl4uINX(v5}wniqbk4aLKy)G*3E@iy4r zFatlqN#N7f&z}yA6r$7$li)d&T0TOLtjg)zdVR4v_A!dX-Q?!hr|7`6dn*g{#kII<(DO-3(N+898>T zI-5)#6gP698M7}hb=jgKR1%39mzIG!YX-%08gkTvo^m9|3UZb}lOGwNg;d!?$2Syf zobpDf4~5BHK^Z&lodg+?%#%0U3NyUWqyzdHSZB^Ds!`m!0i{3(Npo2a!cd#LB!^Vf z5L%wHHEBVXrZjIj$%v%hrWwHjsntB?3Joix*u}as-7!}SDmyo6TIMr!Op*BFWlzRL zHG9n?M-GuE)_?imR6~))#F1QPN;AsPln^yLmW>@H~blJC?xLx#!JPq3(n#XBsG;Ht-;s!S&*;b$xj!KL`G}iKy;vNjzMGzsvL!% zlXHEqLtokSVb~P^=4d8oCL{s3qRv~z1ynE6lPjvzPh~jtyux&tNFBkK&2O)cm)Q4L zx(LEBlEv@b2eJ8#WLa+he3_$ZQ zA6F*K_crIcrjz8MZ@Jf(8S$^VVDHV>gS)c))pHR^N*X8{%e3NqRFfun40p)_?0fck zzK~k(0$CfL&%5e5-N`NI6I3}L--lfC*ZkRw)~NhkAUxpR-B;tPpISTIk*I#X1bSwE z|Kxw2*ZQ69el*7fdMmt7=Cju2{?Rp{we9{^VC>@C$*|$Iw+hg65&|u<)a_^-WF{mF zniQEMZya@pHw}Ep>2!U`=vA+&Y#QSj-f|p5iQz}mwl}y5{VV^mANMTKIR^0swmJnK zUq|Zq{62zsKYk~99tw`Jd!9)%w{w+w=PUWJ+^5^UEx%83{~cs9e#?RY@VSU8+2#%5 z0eJ6lHnrHbIy~;9cwL;7j7`JCbft%=J7=#M?anK7x*gH1%T0q$^P_wlcFNyn_+FB@&dEz`->0xmcizPEZFBeWK4cbL37j@oU6aPh zT>^YN489`gnVw7^yZZ&#wr<0}%A&GY4dzLgWGBix*^R8NpT?;s9qdtXn zHyq)4O-Ik^wA_;+{dwMaTMwnf*!$R=Y3pv}+1Gg(6ZlZ|9Nqb9coVD! 
z@M7pWPwVJ(ddR$a?9g`y{kIl(gZ=^u{)2bE77hCD0IY)P&ilBkKpE^=WsAK=Y9S^X zVt@|N$NDQ^`>U++pd8=#u1-JJT7n;yf@>tSk7XB2&6#klUVFqkt%RO zM%!nP!!zUvC*3pSkmh@IXcHNc_sHc@{MooOGB+B)dpGOi5>A%=4Uv2#6LFw0<5cDp z`o|!(08NR^g4++odEu3Zzny0dEGv_P35JQ+xbwBd^HH?8g`2z?s{Xq(=VE`cv825b zTHI#FekVa@L}I0)4~a`qI+0|?x(zT@XdP!$Xa&Jd5^Wh%3>%y$hImrCW?roT>H^iu z)%k^qqL6UqhHFexcqOH#Vh-Xo&5B~%uM5wU`I562g=&;jr28W&QJ2MK7KQ~{LS$PT znjy^|l%gaxhT`7*&?k1nY6vZqXo-@45pU!l&vngW^~m$-%+NS$|1*nfDj}@)WN*|NG*fk=!`BU3I!taQjJY zxRN09$RuM9)uo3E1k0kB~>r2~nLz{L!Ki6p2{G$3Z?_j+nvLNRYHmJ$u5!_t8Cw1VoP1*rAWoHDZNVB_2g|yg)YA6ogpR%jChWMpp0= z{#cv*!0WunR08MF^i!O`^s&(?zgXH?Qm%NN{m3}UItkfxADt4#`B>(@Zglh1GHwtwftp@jsH|(u29D`hB;ylU(JeVF38M+ zg#FlUb{%Z^vCqMlh^flg>7I9k=P};(n~b$ArcvhVQP=JF6d#-8zQ@^4-kbh4|A{na zRwC4)a7+aee#Q+F0F^M*&3^5{Ul&D68;HQRFN&B2-b+sU0MOBnTYXeoAlsfD?=Y&n zI9H4qY7i{c?NWYS6*9SemnUX4S#kxODtw6!$8w_upBJ5b$l&^) zODobSP#&E9WU$M*fevNWF=~{Ssgj%3^89$&tiKE}GU3npnw6GEv_qURmLrJr%c4AO zYDy8|ziBLyQ(v9h=ps7|PDiaXFs}v9QqX+m#G*^|z#S&(MQ;M9-1L6gYa4sX z4;}uaAAGO!eu8)Ue*<*&c=l<7bF4d z>#gwz^->2J!peF%_@5#?<{(Tlw#x83_OmGHOZIe@HBR@#*-u0Gx4oa3qX63LeD25y z>rJiOVdUEHpuM`X3cboXJktSel0&66;#e0+rXxNKJS3(no&#UJh}12n7E zoS8>Kv*L5-JJlV)^z4p-?AeFvr1@pnDUbg5+4q?4`w0}1(e8DnnC%*A{?6&9_Zs^< z6wdC07YJYHla_`X=~ISn`cAbjO2L%vBhEL8tH$^AYeNMAH^ZknGM}znwTUf-N|*7!=00v$QZtrTx7B^2^Ru#}N8ox2N#1Qgi=*aPpZ414CRhiwweHX)_t$RzI%|#3 zIH%v3#0I!4h?B+l+=j#W_4Z@sh!AHr96WiJmQ=gl=d=x|cOER5XOUF3qm!gV+crOlW-z|u@7#plh^*_^zH2}TGMvEH ztlu+JNO<^V(vOIWpRB|}>ZRN`63xY^g1^yn5Jt}d<;;G@=B!o}JW0$oN_muv4lA8W zbM8Px_v@!%5jot>ViwJcdaHdw01dNj{u zb7XWsT2?QZNErnLHCOr1Q&_nASZ-z3NEr_9p3LheuX24{PgCeh^#>0_a(QJ|xtIZN z4%tX4nmsnoS%ShpxrvVx>>PLR{1ocN`LgTOo6=Ot`e+TvBS~x!6j*oOu#E5lnvdGm zSBF%8g~Jp$e#k8o<+8(_1}j=LF67b6#jhx_smJA(52$xwMv~U3u|uCqQ^?*Wn02i+ zsTFL)^pVeh+tr6tlJHa9jh{XS;8DL74yRS_GL+ciKt-1QayG)sYRVZC zfq3E6UH}3mI6)U%F4!iLz5J4KMja+}S2N0?E+egxTrq`LPV)RbA@qv8IC0#Mjl!~d zw@rSBbHp}gz+=%X&UvyFKg}f>Vvm)8Hg)+lLF%i)G4^jJq@1$xQ0+k|HA=W8!NEXU z2si!Ug_G(<5?KW0sv&XsEwfcHb}x={_|<#W)5MvL$?v&Bu`pHaCGzUkLHf0_xbOVL 
z_a13t@2t9LlC`O2D2x8ZW??=Y{!5nA1{8h&$+29HnK~ zay??#zobiRpW+ePA=L%k6u#P28N8tOVHSuwA=!(WIbA>Xw$IjO^em~uLTw;zUM)Vo zk?Qv!Dp203WsP^ym@O(0-ii#d`{{!R5zb4O>?~b8@`T9LNm6-qa_kgzNaExJN@AVK z@?Jnn%A^O-h)4ysfU8n7$$e|Chy}rkN#RAk+7rs)xlf_u#!{azi@$AD4O3b zKNCP1phWcaw~x<(8Sq~cL^laNIr6ih>)Kp}h8)?dqlwNdaV%&Z6@)89N9m5SB4r`{ zQUr>s*}IUJLD^!O70e-74JFu(sYuEMw4y*f!FZ2uNDS_b$2VA=u{nCyQrAAhg=w(1 z5#x?i%84cOtwgwWEVl?X@Cb4?hyW9`;5wkaMpUkFmYuTku#KD%D_dFNU*WN9cw%H` zZ1o2jsr8`uQXI&1s@*mg2n=N!4Ymd7)uVl6zM*-u_<;;br30&9&`<=MZjcIc6w}}d z!ns1;=;D7Zms{Xl(*p)-W1k$d))p#}*qRh=&ExnZ7vYO+LnzbAW(f|$-G9b~v_hkN zYv#13F`6=kuo)w#FJVWtU77f0V#RLX_+364S2dwdaOr{;s-`$8D=z-`LZTNB-(r&1 zTUt@h{{{&76=J^q3Nf4fUx@h$1EKltD_#|3j0v{CVx9*24b$P8%O**Uh$fRCl_#eKJIJHyo#~+eB47rMc3) zlmI%LPNkzi=ePB{&RAkzhwMmv%%eTRMG6hv_ZCmXeiPm&*x)d%*b4w$L46Nsnm&2@ zC)MwJ)4Ppjv(-&!1GzM{tWhdtKKgE`#*nyx<+ z8Rx*)bpmG>#`LMGwGzPNk!6q1{YDX&u)*7o_3olKQ&ta()4x%Y zEB!8;%aoAzyXCt9rmaU0uT!uZfY;2rW6yKYn}Suv@fVwf-N%FPHQjL{1jW;# zYN+dFs>8NRb~pRxR!-mZIoLQu0rW72^hAlw8;uWagEwbvd1ml=*;Ue@7cqEyLox@2 zZesY}6dNDKX6W+HGV1K^Csn?yr*(X?#%#MXqU3z+2_SsNdfecwcX_{(pnU%GNl`id z6ql&{*wW|Qblr;x5%|{CxV1KZ5uejwU|8_9&y@Xew{iDj{CvrhI zs%9H(@cODvAmF>#jga&9-~0RC)7S9q+g<*m@F79xR&+wZ1)@scMCQDwqom?}S_K|& zPl8^>-%uz!&L(~{_1^7GgDe@NK?@t=3<^U5@v(|bw=(22-(MSZVHIhTgV$njjsE4x zTM}4lAQf>mmR|kZL55c<)$xgaI8?1VGpTCackWOobxQb7$_`5)0$24dM3D#&XH;?A z&7yfD)2MKkh}J~&{z7W_F)obwl~?~Ud=Im1vhrIAai17+?T5>3Hl(6_)*nUh)LFFO zxlSdv9sFZY10LN&i9$So2KSgp7K2FjGM-9;Ifl?PEF*uL;8+|Rr{D0W$_?w!E40wy zxsH72l}nLj#`!XH@Qv)0t#N}`#g9CI`q=pH_NAgw)hoZTFu%>EQ;_t9RhvH-i|!l> zH6OM8RWAP5%AlLNr;f~Y9vyvH;Iztt-k5B+_kB2mpZX;z7e-Y_?ei;Q6FfOiA|wfHy(v+UX~lRXmKQ8r5ks9?W5xv~MXXilD6xBRj4kLM_k^1PlTf_C zp^K}WS)X{n$-1jx#R0$AvEFu`dX@gCoM)!lDXB#Gqm=|%n!Hl9irHT*iEk@*T4JN( z6p45arUek+3!pD09NNEQX?K^xxfGMjAZ`s23J~q|&D@zrjKi}M9}%z+ed|^NKOZn` zCWI&7-?i;oz?)l~$R&&nh8-|$Q{C9Fa;l!MJMpJkd&K23Wn-gxh%2{2#{C6e(w`{y zGU+6w_(-p7QZWj9>O~Bq@tFfLFn)@JSItp6RdK(%==@5`gl;E%$@fQYs;15Eq`Oxv9hOOBREfo7H>q-o%k^sD^q#}=Z> 
z|CN~#l?o*vM2kbwTD9Q2%gsA_7jvNBXId3ER0HsCvA8megH@%;1^5to5T1o*s2j&r zv%(X;QTy!&FYI*rRK@wJwQ(^--a6nL!ZN0uj4l+4TXDkiMmhNx;~CA+n#S=f6Fi+` z6)j955BsU(W7b18tS>`ZE<{BtFjAmL;U|!?f!yPVFc(6t9DE1!^9^X6VcbQF^@d8v z5@)lJsZnc{tyCOFyeM>TL}SYeYw5*0@Rrbr*@t#KFD#Rus z`?WTk-dIpk?$V@*lPr&W-h1NEkG<1Dh@VFQ-ULfu+b{d~7ibT#wD>5#TVT`@?^-?2hYOD(7fj|; zZWmPIC`M!@ihi>C`+d8Y5|97i`RQ6}hLtoGJ*9vo{WL#1ldhLuts+dju zccu&%-N@hst9P3$;u)43KTV70snMo$rLs_H zlxa0N3fh0j5SDq`ab3j%G*ep`>HqSz=>KonnF+!E^kD$PWC?)YS--;b<|zAzdSCXg zup%M_3%uCum)d;rr8fTw?KM|t3;Y5+Iey+%2tHg?DUjS3WHD)72g>-G6LvicUkvq( z+WPdykYGOp_C}~eH?u!qqhzYube@Nrh&zDJdzyCm^xhlwII-_pE_t2LXb7A^8f(9E zp0{<-w{EICrrQng*$9TO4{aV1>^~y_TdZyK@B5rgz}k30h4h{)FRji-aiZtB$>HpF zd{ny=!LJ6`2VsQ@^E`<}+m@V}X#=wRiRqS2H#*A!lb}Q1w8f$p7T0lz>9&iZhUzn0 zoe+INH!X`@y@B}i%TXH$+ffo!T6d#&RD7( z>e%QyGL3og*nNKSR#@FDJI`J%>AEi)2mArL&ysDKUK92#hOKYaK5uFq=^LEg98*mb zw_e(81v6#TaB=duB=9URr>tKToD;XZPGhaZ$Sr%EeKpQ}a>CfDudug*US-s)wwtyH zj*;ywHr%rv&dt_8beHA3-Y+^@+<|E+uG>4s2t7?hCOt7P`_IffvDyBW|pZ8MRT&71V*8!{r^wl6I>|tN-pN^1H z$U`CRg~n=K{-5RiEim7@mTnU{;hN==@kIZx(ATZzY#DVX#oe8C$t7o7NIt7k&iZ z64SEjXEdUcA_rD4chn5NcjlwjL!#Lx*r_A)TzqINAd<4aYDWr(1X8T^xP=Z=8R0AZ zbPDsSc|}{OeCXfj#QX7eB~*qV30t59P=QiOpX7Lm)@59B(j_)SD3dBk46E?LqCx** ziqNOZvR}5G^AfBV+U2tTO_Yra2C+{zKtCMzo%94{!hc)E9G-JH`^1*rMW8A;O^(Qz zC5IJ6@^l5E?NYCc%Y5kvDJsS*8Al67*`+v{C`*|}&XyMcQ?8giK~{#6Ee%pssJ&4{ z$>Um0h*uhihE|MsuEOaw|8BZ%%-0v{>JS!ixCN|gTGs!al9?%c=lu@McHdsEDiT$~ z&(A;mSFiQt*E<#F9#1m{S&pz;or>N;p9+~f2fvmcQqh)~CKuw=d~qP0UNl*TfJXxc z*|3w#@Gk%XRZKMJ-#AUG4UQ<1jwKGow@`!^u{s#Q|++tt}+aNTx{ax zX)4Dkz{Ve;mEonlnoeET788+VQLE*nc{fxQIxU&D!)7_lW0P3Pgwlp)n#mSN8oZhP zMHrl3oJt{*trpMGfbPHTd1I7ve5mLi5_q>^WXzY22oq@(TTAVwgA2V5AlCaRMxDD%I4PvALDbIktV0BJ#pE4_WOxL-Ct z|6_4q07{z6BYeNgFofCJBj_#gL6Dy!pa>A@7mB;j%pc9)7#IGF1$w`~&1}Fo^!~X_ zw|x$1{+I`7o451P9_6-7O*??z6#0?zi-w)uc* z+eu6{)rL_=WshQCjl5B&IXS*V-a2eO-FMv_iSrFJ`7n-vp92#R8JYa64jt}PU5;;d 
zG5XJlXK%(atIrb^OFFI*Ew@BHzSlq2tCAUXTMu`S1p_}{bNNoO39~ts_~5X&+&yj|URF6=7ov`RoR+>K4!KRzEqp84-%D$0C4ZmV-HJJvEhr#*KAxoS>zy~29>MeHg&|8=fogRWe3o}#+e zl2Ux!$L*$9A9|_mcv_uDp{c%CYyzL$AHGz9_mvx_K_ zk5gVQXhzrj8dt^AocLqC`XjuUS}x!r(ZuVbx&p~Nt&nUu6MJ07s$f4O+@$sJ z_FU;d=({&yWCON+Z~M>}N&$7RH;-b?px2!4&y=QlJhPmH7}6Mz+f|6w6lC1j7Qq(j z_W3rBCLqGH-h0KQwb|o(eT=}((A4ZD6}|h8RL{XxkLf6Zwx_PAp;gil5&+;{vxR4_ zps#Zsk3rn(4NTDBd8HS7UH2RzKDNGHTYA=QKCK(9dS8n1xo>+$5wO{c@7>;eU+UWe z?DYChfDHQI>>NKqZIQmiz8<(zNIecfUv!>xG39(?BefVn8^}u)ltT;pswudm*Ecm= z?$w`(^)dtw>)?V|j3S4|rCDwAwO;?)Wj@OWfEnZ$6j~dP_fxem7Hv= zArX7Xa{3%OxtzLF;Z54TFYMX21$7O5c*XR(S;nc?3DwKRFdPI{bWehp9)ID%1}%BPrAJd8P=Er zE1vwHjHY6$_V1-JFX{?nZu&;))ZcT7_-I@F(8{sy9hA;hXTnP;U$qD7pavap03cDU?_d9%=COj?jHQyd}&@^B&Ys4g10koA448#S;`9 zqjIbcC*N_P|2H2}-d+@lgYs8zyIf9{%f{B12>VOPi7J%7KBD&u|)394hB) z)E+NO$p1H1xOu@xEG_zj1_{kswj_g|j*CFCP49ud!Jz89zVo+tX#wz+-YV>aJ>Ysa6kVP8<(^<1eIEo^AIikr2mbh&D)&_)XA2akn-} zx?JlAgFU0ss%BT^KX!I%Pr`!WTpMN^4kEldTkIJ)s-{$@a5ls&d%Q_mFlh+eY4vX; zaN-7UF*7H3b@S$vA1c`B!EoS>0JsW3T+O>BLsn4hCENRmroj&d~S zD*oBWG8h%Sb%hR$Bz-^5nu!+s9EHJ(R;*=zmr6g&_Bl!TC10&B+IDLi8$)ohc!1R) z(A2XWz=qN)Schl0NLQ8Vl6R;K9>#B6KoOa#4URddd9L7cW#S(SI|rUsfFDY* zq~UmIRicYTvP4t?%Vh?|ArzpkCx?EU8k{bLi#LDaP&Mkl!Q%VDV=K36FyG-zwt3m!W<3+9p!+Q zd_!YyNGxnY*N%8I#1RHimvt*NBrnt0l8weAly$mQ&EL+#%JjI2-)Z-!9SL*}o^1`uYWpB1Yp9ysG!`0I;<~_#k_qyE_ z-wqIFP;NBmw4^$AqxI?soxsbQ@H)foiD^X8{&BU<2O4cRKM&0Ii|6*C>~%lHK47yE z=MSmVLI+^QKu}1~r{m&pR?pul-WhEWIPdlg--#EJ_T4_v3{*wDb{>=w-`(zQj_sVu{r4Zh|kES$arVvuJK zuaK7#6=Vcay%!-`6jc&OtP;|i3TT$I-q43O3^qOsqiVe3g8a?Q{VZ3lkh7r5;u4t~ zASS`pU21oJulV{fa3!q@n-I*fCoq3(PfORZZhBy$VzGa@kdW*NxxGa`xxga47^L=f5W@+B>8E2v;vG2u`9LpqtBVR@qa>FsNkg`p#+>rCX0tr zd=uE>Bu8ONtc}M+%i`6&8~RBJV5IY@AWJf8<0jPuT$WI*lqUxqQJbD^%3E@m(iuDY z$@$Z4+l^={DfJN(d8zgs2$lQe#k>%JLUNpXQOWjp_@4B zkIXd3ntGZmmZ&k8_|Lw3q}XY0z_iQU`FG!+xkD?nvcHYetAxg?!nqBKVymV5)Z)Nqhu?fk^yzc_?K zxzS(yN`Hy1EzHbVrB6lwwj`Wdil$m-5gEcm@YpSDKxF-j6y< zd9qz~{&>x_OqZsq+;w7h@yc08-ry1ivJ$R3p`nwheoa@QMp35pKW*}mzZzGBqw3Z% 
z;CTWUU-|!0=TJVI_xbFy-z&^l1Qf5$=w3~4KSOWc4KMqQ`_Mci;JB2%_WI-orJ2ES zqRibEen*j3BMm%okmTxsqO^LpFFzBtQ9wb^3b5lGDqH#0c9dK5>>(h)3>%P+Oej&? zF+km@qbbfp=hxTrTM8;ews!?14RiQJrH#~;cA#)u;_a1v8AGaQLbm+TZ!E^kM74xa z3a+F1Sz?U4f~x zNLrAJJFu}*hGd$%^?1f^N=_k-eal_(R~MSgqQ=to^da@W9s|#ej3Hz1y^u3cLa|5X zyJbPPgESD;i4ryz877a#c1HRk#u6J()a=Q)SgZMox*zKLe4~0nije{MGX(>GMu74Su_d`T=b^_H>)a6uU?w0 zYo#DnYzk??bruWB-^PtMDbfMk0TV2Z3?=3M>4v-{H z4dd!4%#n3j26U*Kr1JRDk>xT@QWieEkeEGhe15btR?HiX5kSU>d$8Dz6o^&1eWl}5 zr!2;5)?DMRGCrsWfE_QIayXm{5uH5_NnLvI%US=2s@3^CY6e zf`nLG#Uh#ioR>s&29JZH@mzC^+DyK-rH5W!Z~ty1ca^#l>*76RYYtN)AM4EJYH;yl zeGoq2}fkGI97H5_I4d&{BOr_aGAs5{ZQjG+GF_vjpjV zqCk7&-TP9bQ^KX{D)wHnO@erA2B^+uS8W)?zHhNdf9Ln9?6ztrpi&sCyMT9_E#!O*k53)tZ+jW{J(D)W3dmo;n3}qU zoA8pF&!dCzrL*Op2P7cS9fh#_lcXC@W||+EK_qY3yz=hpDd^gNE|cYq_gIziocCMe zp8?JU8MH6Y`wiFiJc+(bQwY=cX*TCX=Uo#KX*=Cp0$YReY^&$f+BEk!Mu3l) zdH8~thoj~4YJPJYaIbm!=q|I-vKe-M-9F&`9xS7G`aY_B;eL78?LGNtTjw+WRrcOj zotyi9<;T|KK1QVssC6PfL$LAWS^eLwzWvP+^zW_u^Ue3}$BwU$=4#&GEIL=$zAAi7 z=C+%>&T)AniS7RjL*%pEW%qdcN(0sNYUeBOdtJ!T)2t%WV9Waq`9NtjOu+dXVQT=4 zI=tAda!lq2Rk6jqO-4-vulVnFZ8#HS*pQvCbyB>Yj$xKoa)C3qJ#?3q0n?Rr*N+RG zOMeNXuiQ#~LFLnjEv}1w_zEj{k(CK)0)VAKgkxxQ0c zzkZ~>?>KaHSt&rKM;}R3`+__gT=h}5d@^yM$3qoP%0{If}Z;yh~9tg-^ zk}5#ZQficGK`FHd;U`oRApdW-WamBJSoglDG_wV($53{X2CW|?G~@KLpD05`Ufr0{ zj+T3g1awkP#^3GYyMOq;<_su~v~saCQ7TEKs@C@i=WVOoMWgJvP0 zjD%<|#*wC;IcS5nT1#@#G#%FS5t_{#Cc~mSU8!TSeo7?HgEZpW>)6z7fkvj4OsH?~ zLMCnjr_gW$n>*l-E`sCEXfXX-5b%x43L?}9-n*7ic1Uw0kE~2bRMwbPu1Uy{`c-7k zdQJt-IMfSVlV!qR-Jj?|=FoO{c9t_?P_&HrB!O^5JSaJWiwg4EPq$h{j`E86_79d_z%;b2QXx>g5M8c(rN+ z1K6C-A^uq7MSFilMQ9Wzr8#nqX}q8b3{_&-g?Yc=7~aFh&|fXTIn47?XQLaOyMR02 zy&C<`|7xp2mO=kJOQ)+Yzas}}tr8vB=bpjZ%%oH~=Bthg3`3c*gT<@BQwJGG%yfv*=~DV= z@zlKn%~+u|tug0SRu>(lNW)qYnu3L_Sdon}t)WV#$r(`+Bn4{M6T%jZ!@;&?_Qhxc za@5$(fxm=*w}~sFQAsL@c;fSkiXjP6F>5TV$U@kBiFLl8G@#>#Q;dqRlJm0ahA^h3MoO0sIGmPqMC^a%;d={pf7R+WgU1)3>lQr7W;}HE&m8@>sv(a# zzb&2n7KCQY&L;Px0FtK&K+L1wP*|?+$_y6VO^A-idl11wfIz`u9`sMDhkCCqIH~&Z 
z(8^#Qt3C^jig+moo^gBZm*|?z&z4K$W+d?Lxqu{eGMstLt7C8rQYvoCV%qA&7J*R= zN(Oi{Wo)?v=NjH9BSFUZAyK=EpH>^@jj$ue__&c6ld<3Bab01n7PBnoKgj0`tE`KZ z;k`?BuSW*7-5Iqkrb3Rq{%>^0Lx{7ye5vw|z#c%#ts&@jA8OOI+YQubm>viVACjlA z1GwpVL3yLNAtC%Lg+HVi{}u^64&NXBhp%(h0`%Ym?IvG;UOm1tC4SZprZv5WR0-N` ze~GhiWwY7W#Ez0)<67gDyw}}HSKKJJIn4)g_mmo7bUvQXO-r7CxiePn!<^MGvg&jL z=!v?TbUeJGym@YV1#~vOkEZio9l#T{>{>FmSKlf*T7v`tsyL#Vvi{sD&DG?RTzW33r!|P4J|Qh@Uzzi5I4w+H<;8Sh0dD)33pHvs zEG&_APQ!8J-$o4{i8K)9efD{O!K}ACrkxdZbpCn2>&cDwHEHXJc0XPo>8{B1+`UA3 zec$k0KzUjUHYdJsXc}Gyy!M-#XSwaEZ~?8moPBDSzmI3XMI2nTxT>M-)T}scg`ec; zPj+^keyQ>}uHD|3@~aIeEd~O&XP;b2xNTx=u6!-8 z3H*|tsqCIyd>-~-qTQ~GQo27IqC#{mHDCceAp6`0@nFHy*Mp?nxXl6mw!7(TgORPa z`OWFBmd~PN`nwepS8vnp1`VBqxxXo&qmCnHW!FqD*-69C;7mO3D!Gp-1MLYN`2KBmdPDjk;Us0WCK&MmwW}?`FRl} z!ffkC_f4XNhh<9!qOtsz&zkb|Dt_{CpPFU;)HpMDz#T}8sE*AKfV#SN~qPv2LtG3_|%|kv>HXozc4vs)u6QNfpyw9+5(!bg&P+69bQ;v%sspHC- za0+YV!SW0G@c~&dxYmp*f*#@On7-|kFXQ|39??i{`(<6nGU{!F)SWh zR;gb7s@;~UuumpIx2Z`RX(wiT!iC~C6b4b45-t{~Vz8(At0J_sPMHnm7A@aPv+SBu zS^Ox19hV?#TAff|P*no3eQr^uR|k)TRiPqChc zZ__wm2g7Kos!deM>u{%1TO&u&)Q{tjOG)+NCY(Y_r9-4sZwIfI%n)fqr#jKN)?5s) zdVK_`-b-szM7^_far*mM9I9;P!q|uSB#MKb!_!E*TT%fgm@$z-#{O}-9fWdGq-9_I zxeoK0;Pv=np7;L?^W`9Q)319bXtV_IbUij(C_>_LlXwMTb?k@<+XewbIZu2wB7$sr ze-T!$*<0#sF>z@8C$hT5#JM&00zO#eL0bR-H@PqVs1YH^gfr+|pnK!W3YZIX7P)R) z*kK$sh3;J-H+%a35%pD3Z3bGiZJ|(Hi@UqK1u5?CP~6=$IK?UM?(PmLP+W_su>%nQ!*qGZVRKdbi+O!Rl`xT`GtezZ<)S+wRR`yC0(`!_~{_qB9B+J~oH0s)}}^eSG$6 z2`<@PxUX@1NaZFh&ksq?WDU|*>kDjA^3PfZ&^&GeqSFSyqJFJ8-F2fBbw9ks^{YrmB{G3u8Z&?GRUCNLJkl^wXh?!Z#2|{w`{H{U+S_Ooq*Vww>*Am zE-M7pH0bJ;^!d0RdBCniA-GC|0i&5l@?{rq#_WYx)mrA6&xVYV`TM<{UD8;~cne%? 
z7b|;oz$ck}@&1EKBkDejS?RP&90@PsS1XUTljCypd})&cvL!WJ$A6znWN0aos3}(~ z;e=G<0?}!yDYQdyM;Lc2ip*)^+|pPUhQ1|aXV`|1TKt9M7ab$a&WLq&<2(7dGF{1X zZFbe<{M>|O;!8{xl@nIJ%)vaxJC$`i{$F^T!efafHI#vn9zH;X;;u;{+D`Kh>yCFH z?U$C&gI19NLelRjH_Y$BesFK$0ajnaj0m2`Um+ozK4ui}PlJRSJ@3!`i`{k&8z9~Qojq+&lRyprQ%4VKSc8D7 zo}t3mZZC#L758dRYY#3IgZmjmLv6EbhAs#lwR?>|$mzaj)`sZsX2-8E6D z$mjsJ^TP+Y&kkYvZ8P60;?!Q>W42K~RtpYI&fg@oo;6-Ow_gf$E}~W1d#^Eb`T5>Q z+0%av?bm!`@P|$oG6huTH$N&%BmhFrrx?rxc0H4Ly49Y~iBkZ#(cMeU)FoDfor6on z1yANz%mK^VY-`5$e$pu+_8!QjS0;nkkq5JZF{Md$_6EOqwJPz{<#z*r$y3;S;yvaa z1?JjY#z!>g{eAm-mr;j21ViA%)n!ii(RSSB>-hKa%1wP&vD5X9mZ9~wWqC*%1f&HC zl-}!qXV-+>y5K^>Aam>k89#yJnX{n3@8s?KQdK7rYK#makT!_w8!YxZ0fVO9k8vi~ zcSR$kHw!KLLp?R~w~JU?ec@GW|=x%0g+4aMqz_l#Cs_?;REhrIi=(k`|^= zq}cR*{pRp5G*2{aw%`-zwn~WB4>Tn{1prae#|F~!rzxq_nz!^FgUd%fQUvpCu{|9A zf$3j*1(_fQ4HY}WQBCMjI-a5-N=%Z2G8h30c(*ZCc7&GQl7{0{DJqha-HlInu4=*7 z?FAB7!}1wdp^Bo7wS0~&T#lQ>$je#RPn%Dq zc$5;*R-|Xlh4A7|wS$~}DE$KVIp)9m&N~CLA$$00oA#_=_=O3Vl$zO(PN|9}S?5A~ zv=ItRr!J+$E;4@f7o!wwB$_n|P928XY-z4gDCHq|=`pEPa>d$TU8Tbzp{IKCH8Jco z<);{b6Z5631xaoNzo-_PTQ=-U*!)r_fWy0j4#1-AIHBHE(JfzL(Zp2i$j zL)Pal4a%PT6VIOC$2mOr>#LW;TsdZfT0nebsgp5}>iQoE{kSR$b=CoP5sC0=;lo>s zh%jyOS;G8NSx=}5w**X#XR4?@Kc3%sNlAEefufTftbMnFD@Wl8wJkb%^TeiA-Xmp6 z>&nP>oK&>TXf6aI#k$J>F5sXlj8Nc}Sx42NuxL=AhWea_os7s8<|7-02b_BcOP7hD zvF{+b5ElqB9>w5f7Q{FCKTB_752LqmMPI1}D7>*R37QsPdJ!A_5JO~GxNGJ+X*QAx z`1c}~W#<27WLtOJr+@E+s&KVz?xZdKWFgfuM`Yv;{rBrA@pqOPYALR$aRqeb7ZM71 zt!amP2Kth@^8OY^{5V@Sh36JkJZu*Qg=3l?vSWL+GS``iz3nDhEn7OkFRv!@V@s9! 
zssievMC%MPi7xxSoeY)aB{r@keU?l-iDo)Ftz7~nj%D{@9}R07nOUdGwCgn%;<=f7 z?@&7#Cp)}2D7zCff-iAFRDwu4c(kmdD(w6}tkDlt0=_&DC|W(0D}-B>g`!P0xy^@+ z(M}I1y^`)>73!D^6jhi^bhmx}DXP9@J z^$IG?)M?oe4uz4AO%mm*3QH%_n6bj7gZ{8^6|DRga8mjKlO>>s3|Fr&gAt>qM+}e4 zJ~~6GKX?t75~dPq>ipS(%UpJ&EdwtxnXOMvbROju=R{5n-|?GnqILO2+Y*%%u`OkE zjHu88X@e35Y_-APt$g~e;F{cPU4tX;s64eZ_Tao2HH;3v&!Sxl`!F#nM;sC>&{a-_ zB$8SRA~gz7#RI?Xxi5cIm>qb#r0J| z=(ZDwM~CiZHrdUVJ1~Cr;})R<@b);{(9rMH`}m}Lp_6#Y6eRnxl6`_X6$1cmLpRr+ zCPORNy5@FE*KF-P*2uuH%z|B5hB+MvN2`+{($r_SuC7&W$W<=m!}^gf$j|Cs!SCXR z_}uS25!AMiqG8gWtoyhDE@~ihf4$fgii4e`XtAog3rB>2qd@I#T|0!8;DQDk|C={J z&efg){RL#4%ptQ{P*btn*ZcLi`iAG>Z+0wxm)2LVjeW3Yh=W?K_G9FLhn|^(WiAHj zpz&}zP6)IkTS?H`*SfLvzJEA#D}22)JLj<0F&~ji1nGAJp8ET+E#rZ9*za?*73f)_ zKBB)pKde__hn1n8>4q2c&$JJFcGPE$GwZ8N&nqt$nj67PVhc|PMyF?ljC7{?*UCYE zvVnK9^lScyP*L42ch5d|2E3PDi3jJtYUcCjOHetw*S_z2hC*sOWi2 z&Xe+aeCD2QVr{^$r;N@`PSBIIy5HVb?_ldkcHh?YBhi-{qDKeX^XER~Wsv(JHGL3} z=8a*{-k|mV-RY&!g9(zF3aX#%J*`CqZ+(o6v9ln-Qy)7E<=xF|;&ubr?b<8|iAu8o z!W;ZBgL|k@JA{IGA26yp1$0%D!;3#+i%**SkhFh8uZjPT7YX(ig;*yeIL1W>lBkT9 zp%?pA*^9a^9|mh!1ZlD;TP4FK4s)8w$Ma3p!Atsixd---JJOA=qg8F`i`k}sBKSLN z-nf%kh)20)z|&b&T}E#tbw)1_beAXm9Od2qwv?u0DQ}Hmjx#peKkR6P7J33djY1{I zks&_8%Yb67p)2X-A`=qbSJy=^X+WG#mu=n7L*`hhM-`*YYwO~tTs@Z{w4uO4a*)J= z)V`|{xYu-+cQ#FQ*}7g7@LQg-5_O?X`<5cs*sMJD#7t+O4&AA|<+${oMcjr>$$D-* zM~r)*fzTtgFUjpy31o>PCKH+@!@B9LR96u=J6%3M`lBP+CgZt-HU3U-VR%UjWh-0n z>i8oV?4LzzlR~8%`Si3qN7X%o->PC8^}aYDz`2*|N$_=-k2`xKt&M6hmqMDVmYg$cGjfVXrtEsWF*K zM{xzDC}-WNnvOC@k&dEke|COD&aCF9tVO3bCYmI?;_6c1pkSr z7swjb6&8z(A{@u#v>H6!6=A1F&M=4e%XlNU@BIiUxy96NqI0vUft~&cbNBnNtTiQl zlcWoeks;MLiTwKM>_$v5kd;h&O@r&QRrkCHftggnu{QslSInWVL0xR&7mY(ZDh>b zSw--~sAGKKX&&n*^Ej=Q>#jT7o7P4@DAldc97Z;Ly&7Sk6`ReXVmWgzVyVKmDTHh-D;Y0 z_MS&|r1RV#>RjakRmzn$M4*cqB@gAJdzTE~PwyQC5(r6J=eUIfm+oLz5F0KaJ+*b% z6DMDiPZ1ec&xIGb#}+%99u@5~u}rfvGMaa~32il_4wcBn+_C-h{1Jwph10KLyjMz9 ziG-)5LpJVRZ5gzSY>PB{$6_)@l!xuI{4XFJo~>eD+MdOVeWGLxyZyJ0WpU>(&7cOs z${@EVbEs1+y&ThiYuT}ObP?b4KB$C1!ZH~e8 
z!>eNn$0N`onpc(^lex}HL?v;=e!Al!Qjg$D-Fs1`r^C9P&l`*vQu%BaS82-7fHhQ? zWPt=jJobex2v@ga3kuda9I2T5;8V|1ts04&r4rdbM_UGb25mRI4Pqp`lg_aUQ4JNF zsOMeC{!g7bBUm@LUeQ+yR0)@7A(x*VuoC})JAn5G-}=#lVRKd?uL6VNU<=Pt zWNQEGcd;FoucQ*L9XK_aOEx_9ahCJg+DI%kQ)>v?J%3cbseaRS z5XkRwg!tEHQQF?#R&uX5Jl%c%V9u$_&+boyUypKbK~|4B-s=22b>Xo-I~CMin~;Z@ z)z(;nW5@?L2#O5(Q}JWGr#OqUPz=z?TbBHqtKem@8DKG z_|X&ktl=_1nBwOMS*etT7=;ebaQmGP_+Hll^u2WbH`Tf1$!o)Ux&7P6lsz_@4i*#* zu3umM@B0j{6ZmUgucRvl7vIp_r(#<{h!?ZVIJvDNKH9DKPtH%xmj;bP?GEN5fAk!_ zmby-E*bLD_?mx&@{KE4n#YM4ge-S&I^|I#U1U#+d6&coAlBol{%P-XR7KrVT+-ch$ z)zkb>|2?s_wrP9BLyR7LpM=4j4|F{mdDyW4NhQU3_D|$I+;6wr2zX2zOc4S%v@LAE z?kRxZQT*TEb94!S-0m*GaN@9a>=4fTgZiBel*dVd0egGj;~M@q_xIRTi^qJf4J#Y( z`};;4fu@zK@$rm>Kzum*jgEtD7IDFrhm1_zRzaDopXQ~_AL*Y{hlIZK%tQjRe()l| z#?7zP7jE+k{jWEYj4wBW;hQ}o-q*7mxLt0Nr*HB=?~~t*w^RQNHw|wVE-_J7&eOXc zgk)A)oJXuTH?21pH`ea&-QuYIdrm)7XSZx`rW_jhm$kWA--EHA$DBgKaGw2?{Z?yGw>JC zJ;BvVnh+Q--!n5+J_qG2ep(OnF&@;=b|X8rhbE4S5>Z0JObmZI*7TVltR-Zzvz$wr z@OjMp&KGs2@Z|mlzn67dC+BA-O6ESzF+~Q6GJM-Zo#Lqo%eN%P_6)Wq&DyLkN{_a@ znqIohP)Fxn5$RNrr#`{7*IG|83C8#%Iet)jORSKASxRVj5*mm<(f6RDrp|^u9@=bG zJr}P(_haczsqvJTCYMWC1mPEx?Ys&L=Px>Pj86l~?g1r3zkWA;W81WHC$!G9(jucU zOUkBd9M&or4Uw0PvC?Dq5yQZB{aH4HqKrVgh9gDI^zqA!4W$=huxz)}!b<2OCnIM4 z;U^=WMT)o(M73v*M0p2F*3@{BUpOQ45v03i`vMY``-I2v%oO^_Tjz!OlIWs{7&E~% z_8A;lfwqh`$hau@Jj;mMt}2N|N~87NR2wl9TuLbT%UNYAf*`zTVT#f?1PVCv#2;gm z1#0kA{Q`*|@!qv_$Q3I;ZaFeb#|lMI9!}1)_C9yhsPx_NkYcQJ`i4$%N5Sc|0Ae7f zSZB|Q@8uB1ZjHg00ba=SAK=#icU0+=y#x9kA2>3NQ-6G>Qu5w=Pm~I^PH+^WZ7AWB6K{Df;!_`ZZL)*m@HmGRVMqa|5o6M$u#N%!p8XL*5Lg*v@n1{An4G*ZBw zaH$Qflwpw=9XAmo?#85I{7V@(+G`%nSl6z0AX6b)q^$C%Z(h|Y$ZYvgG5AW=R>iA! 
z^R@%l6$}d{1g7d4XVdsToV>UxY!$rYZf5ca@}Y&5HS0HKByg{8?eSmBv#c#d{P;#Q z;Dml{dB+cx3`7vRCWt8E8E0eaRp1T?U)-^(SkJnyyX}qJmd8{e0^BNSq#>K{fP%Ew zws!#HOCaQzw)tBGm^#zfSGzUNb~Ev~d6&T2!^WLm^Km={ZEGSZ)t-JIohZczXU-PE zl-_wv$Lf=1;_s|LwJ>XPdA#arK?{|b+fbEmKD%TIxzW1Oiqw=biJul!YO4G5%AmAH zTWuDjg|p~@z~x&i6ja*qZ9Ke(uloi+m!UCbDN89CwpKui&RqUlu@fq7JY1 ztYK}>Kc_{IG9#dIq+&vsi01_bptb#gbeY<4{TWQzeGYlpc#qS29Ug&eWbd=pxTqRe zv|cDY&4g|pzn!|~AprzE({Hpd3qB}IPSNYPY<_HQDg2HmJkm04d(Kj9svZj&HR6AuMJL@XelF7x6Tg_i|hZo)SIw&4R! z0${JzqfTM5`^wgkhpNq4g94Snb{d8i@c#W;@{CZZ>rUfw(1OtARk!sLtajO&ergcz z-|XHt*LZo+c~P0^7K_t)>QemnW)rsw>@Up8OX*=XXnpCs+h4Q?*?PDh&+IE%jD5dc zG4B>ryysqd0N-;py!+0Qf;?lp%{LDn{KF!1cB~bg3?Rq-C0ez}P5AY)IP-n3 z+ynl5QtSHXVqvNb7HIb4)ub?~*cyu=v3#~{nWeJuV-?)PVSjgMM6+oe#I82=jBd8i zBI3Rt(d-Sq-=j>GQn$3|Bnv(jUO_w4IRa-=b@d&!Xam-r=i%Y0NK%*b3}xo=3i&vb zPFdI}eJLA?4LY^d7##R8w`lZ>IeNmyl~XC(0zWyCED2Av>EQ&^ty4M)?)taR9R_9x!Uzi7xkJCfvou~Q3aie(W-3}wl* zVS(1$m+koJh>0_x*YZ&)D#5&C2kVT#Rmb{m%q~+k1n)#P(U=|i>5GxKLCoi_7W4ai z7&bC8PQz#Ee+|Otmj9M3^WqQ4ne|EG*Ph2g8{<{!}`v*T`< zFP}v(DP>VY3`A>X5eP*^-wn_W3`C#8kpvpL)_8|3rrIBCYJE9xV=Vl0E@ypUiV{r$ z^E1}!&9wVy)ieviu7zxWi~-5cc)SH#(|nFKDMta)MU#{(3ApAJfeat@e>64;_i4Ay% ziuLOYpeY$IXvnm3+HB`)jG55qLbT10Yylk9L+kRDGB1Lj``t4RSE0y`+Le7=Xr$rt@Z)PTij8R=Sikn;`3eWKk zN+OrGU_GJI#tyYXmGkf9pJ!6R!0)xioNvf!Qf72c#X0bK3vHF#NGk{?#hj?@$-n=o z{RpU2tI#{2^}YpxsSQUt08_v`MX-hc=F`qc*w|P0GvQkx!{?dYq~~YXG$^10z#QSs z#9juPy-gdr*T_Nbs)`6M+?R1~w&y$=-CUrg-FRBL!ZH|k?fuvEX}dK4?%+CFjB29B z=+vQG#UdBOB0_YFz(a$T2O`osnwgGqqVdl*q(i%U6gUNp;S68u^%&OXV{!wuCiHAn|iO^Pj;jk&W-;h*{$F@^(M1=z4xItUr-MPYg&*|7#M{+!C%OgTfybDI zeHVX&HN*jjhp>Drr9pp>1Rr)stqWew`}0NI05(3dIBWbtZDWNFiMKb0-xs>3h?&51 zU-@kXo}Z0Fi|JbJ+D6||dLG{O_E&--jx)>j#Mj|A3LxL8Q%&#y(VwjK30SV~ z+nq{eU$0AcklziXZuQ$LK9kUsgw1PkET8dj@k>6;tf2`)9p=s3vC6ofKW*6ztl3j)_k(oiMuw_n#`7QQ}$tbF#;`yZDXgvHri2dmtAZEH4t zudjmqnjMcd6Ud!eUOSQf+&x!)y_ZD%*H3OK4GJK)(tUuZO*r;tvA@?;aCleX#ERL2 z+ft}(&Q<2vp&foVdmQia^*zv{r8OSde6S%&aI;{%;vIUvu# zrN7U$tMxk%7Cg%YIxdS3jgGo+>a%&mx4A#vax-maYlr%IbiZr=3qIG7c 
z@Ph-OH2FODFFy_Po_4jr2OktJ);?CA8ZMjOj2Chn+$^D|`j)umYa5BHTqXDu7LcR?ur&d&(=0{%mLobKzn0>IUqZDW9ebA40C zVULGl3!oF6cNZjim}g`vU6znIygv7 za(Mpqw{TRZv)b==*QIXqLU+@@*Nd0|eAG}1Iaayc*46BBIfTkVweUi1pZfUlXzta0 z|`u5tK!)B`}dp1sXrh0!8w8K#G zBzn;2U(TKX*(H8cs&O(kz>-O~%z}FEI7Oo6`aP*#F8reajjTM~9wyKxkzjAyt~RFW zIeI6ve%kthhS1FCli@`yWf@nV+86QJavdTBE1|?lSa*duM2b{bQM@SqTsh<_gJSKh zD~80Ra3&kat1`rLVd~>KHvJ;53lXlrF{gWJvAZI2v6UOEpVDiB%!o`2dV76u<`HL7*^n^Lv(yfMMK`9HPN{RHNQAb%psl4egSvk{} z2tst}2aFiLD0+-eL8h;!g!TujpL8nfgF?0i`BR$pVr}@PiJ8Aev{6~p zc4K3YDMX@m$l#c(?qemXuqMQ@3x`jB+#7j#w_34=xYhv_im1W%Rh7~(Oqw!i6LOdB zg^pi&l4*x-5vDNQU_$?$k*J;>v3-&eprbOu`D<;2;6Qe4+NjN%&AbZ;eI|A9dzb%p zFIRv%IR|;318zBdWRpz0-fBX$<6i)jLdqVA0tfV1c{a$u$*PfmGkg~Tmf^v<2B9g< z%faByU{m0^F1yc_FQD?|7}$0MYr1s*BaI4bQ%&w3|z@U@R`KN~LVannaXeZLv=@v1@np^Yi zxHl(dC3!fFH7WeZ7@-=Z0)mVZUaDVqsf_9Z^)ms|Z~;2d|JZg?Du3Ef|A=<|9ICUv zQ1%0xf>{EJlz=kHbNuGnK4}smm;!OWiN?sClacTc^V?4&^%|3eA(hF}cXpck?5Qyb zmEQ@#jbHtx@16Zz3U~>CWTPNIy@oghVC$|yQ^~~IBj4g zwE&dhvz1F#%aljHQHD1NkBAKo%9i~GWZswn40)VIVSPx9Q@ zZqf9{&X~v(j-iq13Vc_^e)K})*)Q3`2!lJ&%y-J4zNAY#tKssI%{Hi8Fl3BK!B`cu^}Tn>l5Z98_XDC&vx$8uz6(5vI; zqqIOOJ$k%x>#V&UOVKXh+7+Iqc&u62zE26!VMvY&)TojV3jo*VJ8O_!qgW*S^Okv? 
zB}~+R;0U52OGZ<#^fDy}zN{_&pxqq4?Gi)qD>yvJ38y3hCj|KUBNb{A_$%}ekjC~M zs(@s#QV7DX4N1M4LN+-0*i4=_(brzw{ZxOr56<0iA2FE$flg2ep9NhncIE+g&nr;1 z1Zg}#@X*wXS$fIq9UikCOQx5l#lwK^Wc%9$s^QJah`jN|GXNY9+`r&fSiQSnZ52G9 z?u+2wOE+;4Jh%cc^6X8LPYPbQqcC|MNbJNZo=s(WP1Y{(tnwI7Mp5Uw*c}v*PnNGa z4+bBGRi8bd624`1zPl6)YIuS>I2Ra+TAmd>vKkwo0!8f`wrBd)-JNQ6T!yx87$@5g z!=P$&ZnZjk7EhLJxU0MrxWNxImv0vaZ<0d-PDlGTwLbS39+!)t+UcH~!0X1l`MrMt z0U{x@>{2YC<12Y=8}jQwgXC*p`k#Lw>9gy;FdwjQ@Mf0(y`*6|#P-Ur`>wyo?dkfp z#>W9Hwe8w^Kcs2C?mhgO`)yHUi14AZ`?1HNah(V&&K>A7_;?AK7pG z?l10~nD8!p`A&r!wA&9Y3R2p4zd0M)BVOa|aK51?lbuSa@Z&s43@<0w8*Ln<3MRDKmvDgfG+!G6yJ^_7E0^%E@( zUsg~g`6mrt`|vNH_HQk^y3WHB|1a(4K}aC@tQZhb>_hF7qMUmC9`_`$#D>$UkKI)- zR(2cvF&C%>8G1T+j$_~SD>%;J)Ha^`dY^j`^rVPV!|^>T$}$-LJHLJS7d91WRWKC~ zEu3YpTD3-Ga%Qm{xfEJWj;TP%anpn?dWB00MJojh`YoRHuvrqZ$1 ztMrCq6}iGXA(@ZhNQ%9I)0ZcNQoy^PD-yDL3jp+Y?@heiEtt92yjnOdXpr8Di}= z*AxK56Rnq=UyshGVOm)B$B#30`^L&pkv5Vgz9815B)$ZT3RZ_S)bnNBm<6_HM&^)s$yg zQ9qY8>=%7obuY+Pv_?0QCTFC&g2^rr2mNAiwjbOcoyUuicP^4D*8S=d65u<4J>Wc3 z9cL{pe_mv5-=NJHb#L2Y@GZ2ZEW(^gRgQ+Y<=ldbC)QljTjKCfADn;}c6Cy0{ltHHT1C^r+gxnDEv z-%kJtDv;9Y$X7A3N^7idsKr<_R*M}Kc}@d4@?P*qSauo#I0QEJ9sd9AzIH$ow5B2(2Ve%KH1|B`616@8Q^Zi!;PdZ z_SdF#l-yK{oj+L`l!>Pc#+tq{v8vvbosqAMtNkMv+$dY zamPC6wT$$(%(FM4%)_~RNb)Cd7K#Y0Umo%rMxMbn-o-f@UnCvPvd}9N3)E~r{^>Cs zMsDu$3`Cy5+h(U$^1ELm%~L!9gTLmZNz8pj=>JVrI1w=*yZDRtoC^$R@;PZYs z>+ASulRD&8a&k7c=o?*s2we$T0%BOUN+Y$nRy(?iG)d_n({`zQzQP|&16%}Zqjkjw zD0@|`NGRU(!+}tZd9oKYba!;PJ$xq;HH&i*DM&HGIM6TaB{iC>MRT;JrG7M)J7@^= zUuku-hRGEy5?IqMTjo+W!cm)NFcRV;AK~@M*U9mIs)+K&cu*k>d9gNK|-=!jfq$!-?ybdb!jSm z>H$CKm#I~tW4;R%9+{SxZP+2PCt&XXNCMsAnOT$!~+ijd!S9=^s~DBH$=t0JTT79QAaNqA2&b}99 z5?30i9nESI`}||7wCkB62SC6X%(?C_)#Y=vy_FWVZ9Bo43=lb^)ceD3!rB50;0xo+ z4mY+STBp%wDX`(Zd=ocEQ;*c#V`8nbPpI#stMcK-d=+zwr-Zbde-$crZYrK`w{gMc z!sjN|C1rU#AQKyO8$(!KI|qz^Y;8L$&$Vf-om0teKPA%qGLLaaX}DnNn%s(F zn!D;$zj#SR;JOnv)hX%M^|-7{)P53fbGFcaLn*;)wz@+{jFPpv-Z~+EfRHVpn%4Yq zI&}da(~e;eE=+m3X8Z6f*H-v#&%Ea1*uIdwUL?W_!Ta-f@2KnMy3Z2ZYhM?&a;=`v 
z0fHj3`8_81PrEgvxYIUu?+UZy_(Hq^ivnlug%1P{UMhaqEA{-dL%DZR@;%-EaJjFs zH=35Er<{==LXV|q{yM^CS0D=$szcSb2<;7)oY$D&cyFKrHRvQ(P zkMV>vo^-oDjKHpqg&1I4_)`jQPR6zTg+=Aud^u$&L=*cj3|dlT(mHVD1Nnf&HUvj9m2R2dd#pGQyr$J1fFDh>3pW=f?$i)bq=9E zmO0cQ6*4L1V524S5chf*8Zflp1bRtrC7v`&xf9}yQR6y-0FR^<>MpV=tE$*r&;T;p zvISKVrD7i1GL23$kNr1c$w}Dn&5P0~cfD=pnclw%!YYPUy{ZkG{E9}@rJ_H*-tpM} zMhYTZ%4f1vKrWqFO7TYeWCbTJ<$Sj`eOjJ_cO)@kHwG6M%)wNl$XCq7w2RIk7K%QR zyv%3F#Fnt2k)Lmr5S9YH$J6V_3mM@h#9@OS2(l4x)3(EOQ5H(R7)ptsvFvwH|BdI6 zgjBnJSe>!@D{t^;!5pDMxzW#`ji0uuUdvJgjGX(nc?TPY{=JO~5}9y2HFIBc0GCqQ z%_+xGkFyf9l`Q)n;u&%sEWf5FeJ3fFe{r8jpUA^N9Q?6%M<-`xTIz~8DFMe3iy#O( zJ~9fjaWh%4Y|3}7`AqdZlJ{xmV){#@KU;)?@n^*8w?C?PBH^;?q){>$i91Rn*2A9& zP{9RBao-T>%>BZ@;-@WNy-ry24f}|b6!w{iox&t4=Zi;+;7Fp5ltNcaYR>eA&|yk6 z!L^8Y6*iMN%}gbi3+bFC@-ow6Krcam9#Lq8e+xOma?HFFuhBX(zdwU`e15In1NLK> z$wgQ^Ac1<{8%bs-fUhVZl6znzx_wa--rirkJdO;KYMnKO2XE28ulh{3FLpe*GSM?Q zY5IM;cgNFcAJLcyaM*#P6ISEZr-JD->|PNI0k#UQa&4F>5eId9qs}a6yf;hdEk_0e z-(ZNoIq_{T;AYX!jedkIl{i?ZkBF2HrQ7@sxd&dAXzOeK1xqU?_R#PbeTxLaItd6Esj4&dEY)qn)D~5O4dmp)ZDpF!MSR9$_WRy<(!;E zaph^GbXpWz-#w?@f=T{DWXXj}F-&stLY=#Acum-_{f|`eN)g^|h{GYU@wnF)A{`Hb zyg59e&Yk76sw^$soqtWkd(`Pp61kZV6HZjK_Q+Nyj^s*Gou~y91cfiPEvfC>C6ZwT?=FVJf_ldT2=g_ zk08VT$1?}$n@UXtQ4y0XG#oHL+LT$$Z$J}TQ_=V1{{f)mhnj8vUo{*4ziJj8f3oLt z^8!EuQ?VLxL3up7$~-$|LFE+ z6>}Vi>9Gad$r{$94yf>LsO{VaS)&$fru@{j@ygc>*WG60n0rjn_7c44fgF!ZV%(dT z?tC{%A0S#0+wIXg6K)x01OZE3;gFz5dnrxxB3o{*~2e zZ&aAc1TvnGC-!$3p?f@~S8R8Suw6Rqa=UzSSsOjw}~vPHWTdb z%?eNHJRE*?SZjB_JQ)M!0Pg0hAKG`af*p9xKPE&V5e;8x(bTp3KXEZgxjnb>)&3$5 zz)7*yGw;EuR3XQa-`g`gb%3%|RrzkAxAlbNRg;DvmpzS}w!H>hRQ z{&9dgk$4<$3hM{G%p1wlN&m#<`?EO88l`3~WR?%)f7nd@jt;@@dvjoahcq_L5l#S;K~Hgt2?u|V zl2<7$t7b^(pxh~vBXD-V7rznN!B={#hMj-AMCL6eFV9jeVIsN2(n zofV~8U$D{=rxkFIuw)uy=J27|Qsqj2AO!XMB2_G6)Xb)=;fw@q(U@^IU{vC3lO?#` z(alf@ibd2jTt17FU|`iT9|D?I(XYdlCzBJcMP*omt*OJ!BqJ0g;SRG zd2IttO|mp^Sv93fPt%4YLK&2dR#5|&Xz|Q$z!Z{2RD}t%k#Zoyej-GAgGqcVHHKmW z-ODkdd4g~I|CVCYTooHj){*L*=ZZ4^VwR^=s9JN=eEUuaH(Ri3C2T%jJ%-GC(QyB# 
zGFH0Rqw+Tzb*OW*GJCWXl{L#WJ$Ai8yycc-kVT?^E?GMpKEB&@6Kzyh!1qmB&6+YFQ!_t0h~l&izo*;cUy8#V<0BfD@co!K;ww zrxiCdVH_&b<;)1~7Rn)%q&S1hv3a1!5TupJ!`84GOfst3hBtJ2=T1N8FtspezE*`i zuXXxU){=c1VSA2+VP|h4Kn$)lwM&=}M2Bwkp7ng9<)K9a5yyGNFg6#PdG#C-? zYz$?imPrFT%}snT`dMhMeG&BHh|~ETsm{hB$F00g66n5yhsWCNDzf6VKUEC|##3aF zF~cd9t>g|{gfY`)Op$!Nun3G|;W+M%g14xsOq>JB;(Bv3?bJp*4iJ7^|n|Sxh^4 z$3~<0#ya86qd&bci`JD&)1^38>n5SRgNK*DYsU1BL)_n6LD#vpR1n?vMZ8bEi;D7? zTEYcCd4keKm-8@0=>@a(Zwotg-Q4&q2g0KIBv{agh@@hiiw`UlFfy8zt@+45W$UPJ z3kZc}#H(^U$)VqA{C2L~zoC$g>!nG&i4oCq`X%w5bdTXT&6V63+9+>9Vw%DU6p41Z zD>|DYO2pizsjuTt1@^eKUo}MZg~xkQH9;r zY97}`f9&9vF&B>|6i6t4nP|O&rgRp;or>#u z7^8L~7|5siZ12fc0OW7J9F(W+>P7MKOL4> zEp_v?O?`4xe$%#^IO}$`I(5ILJ*gB0cz!;C(jkw^ofTXKs?61+<#8ronp4z!+W{OO z%e|o9z1BiRecsqT+gI zId|3Y;+lOvC)LgQ1A1A2X|=!iJdT$a@;pGb-mnL}UI|(5o^JS`Ka?6~WMcuey!tQo zZvQymYLY;%Roy#IRu{YWMxq3si=38PTRS1W;Y7E&osQv#j2(XF;UP~VyUm;3w?8k= zcT;u1g@mzLj~^qa9*@L0=C%^t2mSr-d#1LxH8*Cytzz+(S1qB#Xw6-)%snwT`yRpEw+U7yr$L|(E zpZVUxM`9I^k;hSx-&3bzjgS#Dcy=Ui%Kso*7LwMO%Ig_w_MGFjAx8iHw9L&8i+%C* z6!BQIf?FM`o7=hUvTcQr-J?H2hObZ)+xd*{x}I*!R-Ja}2Ji#t(5Z6EJZj$j ztLaW;;h{hO`WOFtNRvkJ42@U$x`f)a5l7T`0R$`H7^2GMRwSu$Qy4xCd^BR(ajix$ z)z6+%?3bzwFZFrlv=inz_>!4dq1OHdILA-34-g5~@fm2^Co#rM?BCD`j#bMS3B!eH z)Jjd%)V0V5s!&>Wp-L8#X#*_e{iRC`EHK|xrtZoo3x?q zkF~hZn@XkdX3yL*g1cM!7GFXZgPn8mWJ+bBj2tm1$iz1$ZK58cXVZiZ2H=>J)@I-q znRTvZckDchvSuAwVuXod=~}&gHf&F9!sgg0>MCD4fZ)j4XZz&9cCp{y|K=5V8tO_Gy~?!iT}pDLDi+CZDCH{2C&MnK>iFsJrncG{NQlQrmDwIP!oSjIzFhf`V}Pliu!*3Oe-SH|ZH;G(UXLuNf2Bhs2^ zS0y7ke$`WQiQyfQ%4H^DPJjT-iJha2N)?}JFwj7sfe!*a;ayUew=AD2p(H7mLSqCe z@}ygwbP1te4tYo}pAuiL6t#fJ1WVCW{}mz99_1~eX`lOW3Fwy9Z(tOlO6657uqLa? 
zLheY>l#8frh_t*?oXaPqhAG5OU=(s&v)Ehls5ykq`P-TFYUwFciN!bpG;Zg-y@=Jn4F`E{oF-F{kNNJWKq)D;q*+k-ljW21dhF(li zU3N0<<+dpyX;~l?TXlB~QN8HIO-Lce)x~o7hPPHep233l!QRI^u-VQw1ynr8u{qT-#qfrP_uYh^L_G^rgLLh@>b)vgsC_xnX1~smVlh z2E&fV8xQ;f5#^S2bT8eysIV~szdq_x-QOf|jJ51otU%_Yvk(JQMU z$_s4BY_z&b)`PB$s*qv7RTD_Mrkr2MG{hmiC>tvpMWh2swTgVtUSd;B!c|1&BBY>4 zyfb02Wg;s&>M*r}^N2#b`#dlW3R!N)UXqwow=?iJ|2sY?S^?cBa0dVapW~0&)dha< zFY$^Q&wsoAU*;P>7;y)YPyi<<{*0$LGv6zNKY)DFr~=Zo62?~=eqi(N)q|U6jjwb; z)~LScQ|88Ya(9}J;g$Y&^RoEce!On?qT6bSoLg>hzSmu4`Ay$TD60RXenIDu=!Tg! zW;fsC4Dk&cyFW)JYn+bZB6$DP=+|2+fvxklGmXE0addC4~Yu+oLn+CEI-M(4VO}sVExU6Qa_+4kr-JV@r3LT+Y9^i0v z9=-NOUGHYs?)pI?&g^S_Y1FQ^wc7Dm@o0Cg>+Vc*o`zZVw;go#si+)@LyvE8Xzem)h1dk=MMg)f{SPw)MMW-0r)s^IA*E zh@1Al?w)ad#-HHsJ%CZ1t8Wa|YQ4`tDIVXKq-5@Q+Cm(8SugF4 zmp#*KKBM?=13a|hYgXo~y}tC5=EVOSFtqwHCAR$6@5@}th}n?}eII2JQ2wJ6Xhi^I z1ZKZa^8k}0CtQ*9_>JF~<{mm>UzRzY zNw_k9ewCzH{7TYnr(p`k&6sI%B4M6qNiI++vW~#SMo~3>gC<)J+%eI)aD8uqd4>iL zt)`}G{&mq^NI-NJHfwS*4p5CFXM}?#o2rR?!kne>q#Hz^c3D0NPzVbLoLdCMXy@%7 z`PPccI=OLTzf>hkA~LdrDnBt>j9KPOc%Cd;@-y$b%3d0^+`K^wlKW?m4rJzAgbL`ub zC!JwhxPO}DZl%IngjBKQd5l*Gr9<6l_ySr$s5TB{VC(;x;V%mY2V7WINPwnre%3ai zWSDf>6}u>eyoxA%|JNXhFRV(eV1H+0UdM;mKx@Q>BPo!GST8(&+^pmG6$_wBjTQPi z1nW6E1u5Ey?7n;r0q0oFa(T|LRT}ECfYv43rWLzkTVIG)p%qQ5#2q8|VFivEU@UAZ z$~U?Mm5>UD!d(T=quQ@IPg%UECZ?jT=B!q#91ufneyeB2yRyzqJYcuHq{W_an)WBc znq!KdnTS=MPAif&Mo8cBlfaW(%=E!o$>uBkieN?n80`Bn^MBK4;93bE_MKw&7DX`# zLi|V~MMq?wTGxjjF-D!KIeTP!zeZfAMZV9j zsec&=k@@q^&C6(%PBrE@FDPZSplX&PMMT*BJmlQ2Us35u{#P-4W49^{EiWS~r1ZE&I2iyCl4p7l)Kld{rB=qaPff)}PDqK5@sedg z`SmjZjZ)Ka+^%k|k*s+GW&5$@Y_dd^Fw)9zijb=Ri2NrvD4HdvJrPy3?19jva8-sR zi!20XYgX_^1|r;|$8*2VHyre#pHAU3pIa;XjCRdjv>eGamQnvY+y|*E<{}*=rb6Yg zWi!}d7hhGW1=I*_4Ey3eF0lJ>mN$qeN+vMbMHssi{h(VhO+`m9kA@kl0~Mf>j1>_SnRYvk){eD?^jA zQYPfrMlISD%z|Kr)6}?Kx59jMEeKg^7WDc7?j~L-b*E2Ndf2bb%fjin7|kCA8aZKE zev6G`Dt##A?{qs<9QP2^w~ITok&7HMfh@lD%OlRvB8)D#uUOmhCPAt{yPHLw@c81`dxnm zOmfEE@E*@mRo}g3YF6buxK5REx 
zE1Tale7{j&r>Mudt?&MMRkvZ$UH-z&%>CVv^AOTKxf8BE>R!B|1)jyfXbaK|JN5TPk3a)=Xd%E7G=)E+(A@~kwwP$Q@J1d`MO|~8obbh&XpV_sn zK$_&XJ5&s%SvW6dY=+d^Rh*Cch_g- zpTAc=bUNSHi@=6eCy!h^gI6hT713t$C4qKFL0teUC%ncSY2^<$1BxWZQE^iu7;=?2|>#^xmf`0walujdNQp1v{oZ6nRq zp|e^3s=x6XyWMtzz~}QBgWk{6<2l;9|8@&uUCODv7+p8k`?(-r!2M&yU*qlaK2U)B zo{6|FziCPDmH~3pqWOC3G2wvpePbFK|3cvO|EvM}{|SUC8E@n_ zSLjB3mg6oujL-b$UCi-u1OjZn+Rv;QpT1*3IvQrohMn|;N1W{iUk}3=4U13JWeQ|O z@>+h{#-yc;S5QLPm+x;0VIFm*XkKn=24pxXENu&kM>?YUDdEtEucad6ro+r!nJ#?I zTh?Nqjn}P2><|Xs!3QwIrb&<@mN_e?sI_K!HmN^2uF-fKQL z`C{18IOx@J`bXFdq_y-5(XFthsWU-tsMIKAZN=h!xcyS z(CLULV)YXXgTgargeI6*1;!M@q7(;y(gQCzDOm-N&4z}Gdz+9c%S5Z{+PYI_uAzi! zR9VdvMUFbLO4u-$&6oaQF*FM*#Dpn2%fdS$Uu7*T=p}4R#OlQ)_J+~O2`Mm9nFE%r z#HzVPXrpad-Y0mDty_~|KqV5=C2#p$K?}}XM(+F^Rc!R9#IOFTJ|g~If3c6<5DnEr zOrUebr-04wZT5HEjCuQG*&m%0s7<8mfGx>B|Lj_BHy3c4~;-J1lj;Z@6%#u8Rf=0p`O8Q>SG+PpX) z&#v{9WdMgsrPiSb4ky?d`Tm4*abn1YiY3F`0*Q;Lf*QvYw%}Bn8?d0$I}=D>B;qP+ zZzPi=#Yz-gM~TL2Yh+9oP39^B9nHq|?;#Uj;9dmVLYzuunmgqi!VHW1^b0ec+X)e` zLsaJcsk)d*lnH$}?v2-sB|#4l)`TC6jcO^zsaFm^U=r|GLWanRU9uak3WHF!gI-LO zM69c4s7k>PH#%5M7KcoEFag6GUvx0mq?&&zYFWe(ny_I(_HfQj@3ZAgew?ASceWZ> z>~k)F6?WWv=KDG1|5wPo4@k;?mp>ah{OE#3e&=ehGu4T-C?{-?ZqY`HUD3dAd-kcL z`5;}jK3A9{GggA-UA4zyZR|$*mLsEvD$-Ta(J6(sYVb!ax)xcBzED^ZlDI+LNwh5h zyEKPv`C=LK>95G_(Qi6RBFSxP>M>e3@(+?X6Oh|+hiK_cbcK9!gSXhsye6bjO& zNNl=Hj=w>n-$Y4>Us@stD6!P&XWt1xHSJ2NolKzlb^PY?*{x->BAy(VXo0i|X)}DO zG&IN5VYsg85>;81nR!CaPPd8T3U{tez3NSwL%JjhbD}MwNzUj6{%ou^Gzy4otthb) z-?9}exT?b0clO-rbk08c00QM8uI7=BVcn^kb*Z|jvxy;AGS1;Gw=od{wG-=aCQ;7+ zj?Cv-EtEfdp_Bf50;|AGz{kt?x9^3(Xl-{|8`3Lcm@uUbSs{Z05Goi$4EP5I;v1Po zQxAMdZf1YI>!bM4o32TaJWBUHh%~j2z;Be(c#fCe-G|K98|V8rbVs+=jcYh}bV%SI>g%9qy8*m8h$ch;M`W>^#vr7q!7{ zJ5H0ve*G)n?fi{9b)W95A2T;?ugPAY3y3;BH-i4$pMTJ1dpys=(|P?Mu8{COM(f;h zuYF!Gd+^|-`M(z1{T?BFTJE6&JYU~WrhSe zO4Y@-h~${JtzNP;*LNBI3N9hm*sKD4pht}=i_YA&YeLhOLs#Mr8f_@tfh5cGIwQD( z#N6|}#R&P9q+?FR_jRN+mK74QrK8FX#h9EZWGqUQyOw3&X60lPWhh&+3$=?;fFgtf zE*v%gh&Jfd&ypo14i&a!Co-Zx_hK5cluV<}dPD0@DYzr+Qyn|P!@ngJX9_^I{x!hd 
zV*ZJ-m{)eG1aB`@$%V@-%1P(ZtHhObvpy{o-1-5tG=9-Y_coMJ_e~U}C&ud}-as3O zqWaE!BMP@$`j&JRn748$eubo=H24EssNkF?lFvzQdRl2dF(*jt3%j*FCn=_xW14%Sq`(YGfbZju#)$4b9y z=*b6s4Bc=}>Af)^Ll?~k`@9345+=~Pj7&Rs&$Ec_%APlZ(`&MxEWGNUAz7i=>H>rs zH4Gzoi)**07k0s2O}wSzyY&5@-pQ4YS?j7lHQ+=o6~xS9=0NcY0IMPqkyB{sZy0;pn%z2rPY6i zU|FCdjnN^6orKJlTFp@~PMVZ+?4SMlC4b@H(Z3R~2&5Wv8*{3B$NCQmQBeeG!FUve(5$z_zKC6_@?r-ll=7b_s$E0W-?G)4y|`r(n%t@ro6{8u3X^1A$azv&<>fvlYP=D-WGf^ zoUqeO%_E~mA7POMLo4V|vl%}VSyw0ntusqnR+_8+oeE>mh}OJL^3W%wiJxMpK@uPK zu1IaumgJILgZQ8_gB22yovAVqa@lQ@3W~j;F!?mDk{-gZ2PBE6I&J=L@mTX8g5mr6 z1vISvc9D1Z^UGTiZ#Av`hR}1QrFF0d_tnH$;77+0e(H|M@;;C>B1vQxCE)xanhNTUX;!*r`buz-uP7_k2L0KP-U z{5v%|6BwKN*i~oZKNH}{F|q`D0tF38BZ(ZB=lt&oJeY0?eib@EizD4neixnt zb9h$#UQPg}Gd#|*;-AU>u1n-c!FHdEY02@A+BJvg;a9E~AG!IwrT)vv{_6vML>}S- z0QF7X4p*$3%Xf=61;Zn{IB)aGaJdcPb&KGyG=`hEEoYo--x)}p+GQ^HJexcJH2_C^ zjXvMe+J4l_?D~E2=FZx2Z?1aRYs5Ab&-RGz*Tn?&sBOy=l{u%jj>}SH^|jmI0iVw? zPYiySY_p91Mj_Z{AyvJv5=jWSv0AT+e zj|6z#rB1MM2J%_b?M0*e8Jy2w;~}ln@E%vq(7WD+Q@h&ly-DG|dAba62ilRi4bvUZ zel4G$0F7#MPf708y#xS9`9s3&7CAi^*3uUjLBpkb9-q=r`SxEQkEYkFabpDUthiSi zo!<4?D_*9t6K;f=9p_i=b3Ey76hmB*D8!HaU$Wd2{>QzQ=!3{&VV_*JlE|%v|ms3joA4wSN2d&ez`Fk6=LXF8}93 z>CVO_qPz`oAPWPx^_)*W*8J122l%>a|8-PcYG>2qHrCjz?*(YXA=tf-;yLDfh^}=L zco;xU?-kuKe!(fW-)X$a+SDoB?pQjL)&XWW_m)%p;`e#UvK+yMo8zQR9BfKx-jdb1CnFP3xD;8`gL3}c`sXFR2B)7@XL z;n^F3Wci2u$JJT?p+*aLiXu9rqHPToAToyOCn72zASlJ!X*Y}+E!MC}wAc|nViCzQgtk@t*sx}{JSkMdu&lvD|B)r85AqpE2~8HiIt(Oy=>+T-1E$i!SqWXR1PmD4O_0{AqNYWK()A^sZxIx zL)|oL5T-5(iyu}3pa&C<4iU(T;q}g{EpTJH(yq}rC7d&|NlhT^or-DKAr4)F2ecx1 zE{UD22UcuQuOo?7!(?Hr|8UN@H8$v<1&B?IVbcAfb7kyMJGDNj2x|;&fIVzfNxidW z{^2D_xkw<@HW9f9=ih~e@JG-ODIieGhE!EXx}_R36YHNxQhfk=9yR3?@g-;^)3iSm za9>pRMud+7DHWbghR~!w_guti)#!;>M*TjL&}^G~sYW!1XDVtNf%P{rsc|&Pq67(v z!CIuJ()@%Aai)l^iBW^ixb;1`88&xtr5Ck;TUc$(pPwQUYkd7Ko}UL zM3RKmV3!8Y3z>sO>T5v30-c&Yr!dlGA(ud4A>S|ISmxbt@FwvR(xyY63rn(6UkDtr z0mr#yGEU;>FGUq?Kh^Q4KW;?m*e+<-1I0CJCQsBsj%_>6UPk;dK~D8LQ9qL^-xGFE8crnFVLEu5zEY+=9bN*R`YEm+4vOvyU5=)_gao2%2s 
z0wF`7`LP{hz4jyS!KPJ++Su+sw9h3^gEJhH68Osq$`hYE7+4F&3Md1%pGfL|Nh6$g29bZ_Dy86_H>hn3?sbov!tqp`06YsA0S%H|y=Kr{4mz=22b9OOn(0cS%Xf`xcuGw=CQ{stlrE@k zYE=-!LXp^ya~?|pACP%TXf1OUU5o7?Mt6*xa^9Y*=wjP0415wSf|~;#xpQe z;H5_V$RZV!FDWr6%j7IGEC;;*-#F<1R@}93#XbEW#hu-5U5JeSPX#DDAA-cchgZZl z&hHhZumf%w;iL3(esd%Yt9DOY;|#$n-vN5z<15){f6tI}>-3>E&JEuCfaA@d*WnxD z`YZQU01lor&%?)`YFpPk_xv53%wYT#jGl${y+oPgl3o4wudP-@1_5`(O&+UR@che) zOS0T&9BDqEGvv-b@293ta{`5@A+?u59=)b5qOG82yB@RHLH6y3j0gOkXGqWM9=x=j zgJZy^M?2p6C#*LxOMPDzk>7h7E`H4^oI`J};_~4JKAwM{=p&e9T6l%aFZeC)r5`lA z-tPV@$r|W1ek!;>SbehF@sC-&roo;R8>)WO%g+zg$8~lZql00qO~!Ra(0mnvTi5>RsKkiVV3(nc%CmffA~gtAoHXrS=TLDfH^z68zr6pFz3??Z(#jOFOS!8 z@Zw@BulKzdj(dfp2I?B0^T~_ahi|In=lqSH zQ=a!n_$b3w?(IPL3tlDfbMnnv|Cx@9|IL4N_DUds0cc+Kb)x>CYBE7hl84G>%;;92 z3@{^+6*&>CTrhvrzeN5S2*`Rvq+TDEP-$Kq6@AYCS5yPsC;g$a2aEl*c%`z)-ZU`w zGC-=BOkvVZ=l-hK&EOiVNEaSlw;a7b2L2w%0xv^vzmj0JMzM^YO52K^h*~-kC;*y) zsm9lk=e$;!fvQ9|!366?WUvX36RuJ@-DxL=%k{ksYd1m)O8+sY2JNf=zTEQHN40q$P(@2?|Z+Q3byz z#CHD2NPy35u89q+92%9bMaX80W6F{oYmkb!ri=0t{b9Z4k_=v++1t2{SUn1|zQr*h zjS>(Ikl!Gn^zBCoTh0q9sn+Ay92QNHY+gJlQ4*t$gQl|J(Nzo*%8ybl-gXI1!41>w z3_gLh42V5~F(VUNvkFzroOHhOnPy5ZVcq|8x7I2y(}X7ciTs1QCQ&AsBz*W@b=@j9 z)r>AB>9;OOE$&ejI{oTh9IR-LVX28mVp%04vKJCg0$$nlCLRqBGYfs`iuO3UshPM+ zoA%T=zkx}}*;&$X5SR|^d#8&b$k85t<=&MGPx6>*C8Ol;(~c{*jaX2AF{?rN=m#;4 zibkaZ4C>$FOq0_)m`Y;MVU^TLnXFr3GRcML3SO5>^Ai@Bgp1He=0@?v3T2k$myxF% zfPy(RF4ziEX$Pzp>);Ig2;E**axVxPPkj?RWF1VS;3wuIsEwF}L!fD zs1pm1s+C(uhSHV`Lb_*|xJky}tvejnFs&vid~E{?cJWo6CUF6spyVf;Q-l#INbMC7 zB7&uIkK<}x?BheG#JLPjF8WTOf9Y4J@-pR?Uh(s2pSDzNHuUynBLaTY$oA#l8u%u( z0K{g_erBNrJy91L7v;=Z8}r(M50@=Tnq(yosa-0Dg$qqRTbd=!7lkOtXe*}t#0g~# z^5i_Ij8G)I=+Q*<)*8fp%*6Z&vh^a?kZY68{L~0U`sc#o7Y2Ofe(ou7bI82n2jUO43*&_d$vMA4_nPDOVqa`BvY&Z75m7a7g3@3P6j+ zyofiD0#o-CNdgP^2Q++Y5&wY9n-7E{BhKMdLzN0!t9raN{|bqiVKH9vpp5=>T=*jC z`gus?(vYGkb9(5!37460W*7+Wp)zMkJS<+-?iu+7TlMvz*ZQf&8M%!j;BXD&yplH! 
zxiT--=txQE><$cKC>lukEy4yGC}ot;p%o14{>QdG`}uk6 z?`^^Aoj-Svy{i}A@w<=Q5U*e8tkiBY;o>>>yQ<@J`J4t`PHbKO<*auDFWUraoX3gI znTNWybKSS$pvqr($3gW7W*&AmX)JMt*^bh6UYO=UnT$UfCF&y>s+@sO@eK~K5ZLt`O#efyc^%BP)4#7{LBG`Cyp#oSy@z}EJ`0APde7%wXd>D<9M8m0 z@qZ4>y(+b=E~>l6ce?I`a_9mltCw>b`VY!i?QwI|Isl#0=qhzqjtq5AkMDcv7e3T>#^y&U*RlY(7^kxpYKE7G`^Kz!oAK_OeZX-S3Sk_xGTqaEiV=hf5Hx3 zp>`Tp_;_~u4dC{1n&U9fU-AKuo%K^(M<3SyotyOD1dGvW+mP#)=^XK!_wzK@xAlA` z)%pCrpRwOasNEcMhL!8D#Uq?4H?bS}nYB`{jUe6l7d!{f9rU*R=**8tQ1#rKt18I@!i9R_u2AiAabAIm$J@U z3~tip<)dTbMZaZq(^t6$HtNriDVCPG)R9bL_=eED9IFZwVg@M`C|Bv93kmO^5g-Rr zqB*2dnQ|fUi^c5B(-cs?q=_ZPpqt0B_>@5z*&tvEbf&oF$E=Cy_z-PT7NH`=JMwNi zQx{dmHtE7pTMcxp%&2MO*?s~bg}j$TrRS`{;FG^48H0R;uUpGuZb>Oki1^Z4_~XeZ zG*v5*)P7D|vMD`8aKe)>&kxA7nXoKYnP$OMr8Q81SS~R#D~E)k5vK=3)_O%nr8-d! zvWshIQMKKFb_K{U&=uz${o+@?hS_EEGSn&%9*8b6Cm8I2Va#r#Xvtuhm1;-7()gq%zAk8}*wFVys5w{E)@sBO!>?enE2lsu>&rAm-h8r62o z;L??XpRNOn!T{n=f2GV&wtn;(Y@j|7du6$hm6_k2F)*^<@2goNJ=_0vw&)RvEX{{G zy2%|O`w}Fx5|qUjrONx`4Qym}*l~6IlruX*>gNb`sg52KtZXX7io@vbr(UU0C^K1% z^ixUn-|t6OrqYVBO?q&{@CdVR8j6pr9CijxqfrkYN<3&ZE;)gdg}-KD4D*(kLHSHJ z-Ufzg{?>k)l8S7H?ypK>&BtRqvV0teAlsZ`R0JC~-Hl9^9TI7lpcZFSc4SBL7{yW< zfDm_KBb;vAbRdz6Pa>k21gFzgeRa~GEJ-r3y$s_P?^NnaJL2Ll-9IoQ*QA24AXY?d zfakGM2PcH$Fs!ePg*;;dE9Ngk5a;UBN@5OFxt})E7}k^p-Djpf%9P40-*A(k97#6N zh+|%S=tekAUNPyyu*R(R)d5Z;eG_4C3CJHBfn%uLfXXixK8vqq|F2Cihk<_dkat>I z>Siti86|wZ6jdP<{h9~;EP7o>vyvGl^CN6jzX=>Er;gX z0Hk)5>9c-0Zq?>QQo1@eYEm?GOjuBO>Sevs)2tavDRZr`;ikf($3f=AlEgLkg9(wg zWN_-=;OMxUevmJ4D!RFkFwP@UW;GW7Z=3>wpv9bx8s7zC!0>t#p9TLmFW^=;IykTp zDXFLoO7!0O74hzy_(%`=6)Y^0q|*T(@sad-5)h8D)%e8w6-L+Ry{TCb$I$1u2!5jf zP^0!R+y_+anxF*?hp*Wvg_tN1NgUclwO z@uanGd?%*o-Vcn|!Vb_ra=psyzL&j8(EPT{qw|(c;^+70k|NIIYi9kOf5V5sn=kQf z+IXe|uluIP8UOYaYPP>_SjY2InP%!oI}Y$v=_L{Eh%Bw!r?Rg{->i6gMhm#p9_L{- zm|qVZG1(Rfblwo?LftHv@&PUv%lDthaUr+1cU?i^P+pRFhr|u2l#Ba2}Zla};%~I^X&A^zN=^h0B zlv@{mSNb$ptzFqYO8q7wV2AI#PNt{x@26wvw%6UgPqE=Ygb7VN=J)w%xb;HW7UJBfnzap}J zmxo2&*}uxO1uyCzutcHKjeL>FTDTZ8IL^xz=I{FRw*qHZ=l#)FdGV9D5llIfKW%%;z#Vgw^{V&o2_bthC 
z>>A16d9j8{?bNYOLaftMSe8>it@Kjq!T98eo*FoA(U8x`H{5c`*|q@w>q3+4VVJv~%lY&>y`N7(aJ~e#;%90)=WoEE1GMkJ_-*-c_sCr9~GA zu&WJE|3|cI1khm?t{k>OCl}8wlTIn>Nd`le4SKn#nN7rH?1h7kg5Fmm?het#-;&)H)9S;4f7!wsWrvW1m8)ttc+(lR!{!b_?tg(ut>DVp2EN=Z+_rbP^u zL|{(#yX>^cvVVFH2@^`rl8Da|3Kcbtw%@2_-?SX*3|TylbNVevfD;+VJ@ZST4oD7T zRCT9$;a~8*DA;ejtNcpN^l|!}^;iFH?o>aiL?*oE^ia0un6Sad9TC&Jh3n;((2z`+ z?_%9KF`-tBVT-zptOILVq|#5pW~=(c!HuUGvLv)9&1ny76)CuT>GHfXms&!k4V%1LDJY*e|6#m6HSl-28lu8KhvhAv}u9<|} ztzijUx%$d4!Su^qZ^d-#@RR|C#1)CHz@ok&sn2&h= z@A!H_z#JYQUht2|1oYP%eQPc?2Wt4o$tM(r1SyOlC5$fukO)H@_zeY%Bt_-~kiE|a zO&_iD^lR?;9?mPfdEQi(k+jQM707)YbjP3c1!kf}e76zI z@_EpAk1X!`9O7?V%wQapvICB%)A1Z`mfiDizOHlKcQOZP@_N=`hrtPY&A)E{mLqU| zy@DfdzC+35xBMe1U+&sk-rYHQzM?3{eR)Oc?&%t8i~qYHhGW;g8#e0uYSv)DGh>a{ zFo8p$+nwUT?*Wvvzi#?SlAiIiYS+#C02~n1^>5bucOMK-FEn;XN^iM$`V8pYNrR-87tsvoH1O94|_G{;)5$ z*z~oNHm~O)=Bb*id0CwS{5#)*v}gO?3wN(vY#Mg?XmDS)NRp)mWcpvZonM2R)%rYB zc@O}nI4e*LxJ~=g);8XcfUkOjuJg5GV8QDI+0@16Wy7`hiGn=e@~1;P6#amo3jd+J zIaPUm=atxu+x?B4|KXc-9M4I`?p7~Qww z0eGeS4wTRr0M3`)@bPTBcrp7*N1qGCirx`4R9WRAJy;oOs4>TAL3QaS+Q=k$1*=wJ z@|Gkme*8$bsXa1MSs*VOsX~}dmDN56?S!LPSl8x7v;(i?ifOSF>(`zA(_0sx zfkguqo;)KY{k18?WLT~o^R==@JSsusG99}@fr^KdLndpDb=n5utpr{so{*@%#3@z@ zamcdNHto@hBDbRCz>(bikvg&?$smoW-BXr7ThVQ)9w2_@thZCm%W(8a#=zcM_^P7}X|}L2!2nm0>IFs8E9~ ztoALi4Z(e;^-)01eqhBGene^)wO4T&t+8O__?Q;+-~)o9SvdImkE0T(k{ZK*(Evo6 z_6a+2qDEpqqmfA7c|`6rzXBB%Dy;Qo!=#IZR^Daj(RkX|!r6sr)2H+Z2^dLvGp@uQp4?eDbV_|67`u@`ERk{9>?X%DHa+N*=mk zrJW^~S_?XOr6VtKBh8u}%3;LtAFUZ$vcXE#<8LBOLFyj*qEbVX_RT!Y>}jUzq{TJx z0k4V!U*T1X1GBn7rol%_v^VH97)uE=Vq#gWbv=7*zA7}nqeX?f1fnLb)0XKbTtQ8! 
zfbUXdC9nF?2(+SO<1-O^h2?$)V7`1MP%YKV273B+cJzw{@CKMA*8Pu{`@LbN$j-W* zuwV|FxMLl7npByQCONt*SSi<3cRQbiBI_tFpb~TGEIF80t{{a?%%kIszno3v;gCJ;PfS&7{ z%zJKCEd+9A$INv5#Q9@Iqg~G!rxHF6;vk6N@IEUgky)-^Qe1c*4M$Bl5l5`^EOlE+ zJl-gEjD~pb_K#rIu+y@UC@z_|MF9pGJeY1jGNKW;99hU(_(9jwLr$9Bq`UNIAh>W) zF&TU(e+&G8p^xnpe6$2lqKw0!mcbL=5BYr$iPWpO-I||kl2c<~kX{yRVA7^Y(q<)9 zGZu8hca20yD;uu1%vB;(SCchBv&G=hujGQS%{P1YShN7ONlE#JG~EJmC(UqcUFr$7 zrzwxQoG=w5CE8@s%zAO-3N}jw_(taEy~Mf}nUU+2k}4&T4`^zVGuW+I&Ji;qG_tt{ zcm&*yn9LZix~}OWQ|VfhVv##B>l_E-wV{n4`9)&OE%lHf8+iAy|4P7qk+HHzGYS`} zAV_tQK6d1QA~GeihgFKu2ox%RHYk)Fw*41VU)dE`v;~O;50K!l!QH));O@cQ-5o-( z1ShydaCi6M?lewtcW>zK;mw-$-h8P)aQ8ZOPo3IT-{>ngU7a^q|(Ra3_*_6ts!A_XzewKB;8pRX>i#4LH=4EJnqL5n|qE&!c%L zFTZIAf^IVi&ob(B{|6a2D)7>-cJ=pp84yh4vF9S_VC2>`^ava&#!eE!P7nczgsMV! z0V`(z00@YtHlK$Q*!;mWUu39d9P2d#mzYF1l6x-j-7k%7ADnAhJ=uDX!#v41{Z1g_ z&bg1njThR7HP@+pk3N$=o)-_!fsW7pEY7uUF-FLo-j`9^TpLbTn2)~TbaDzH?b#<%XYtJD{ZIFw9?I@A;g)~6B&8%GG z$m#d0dWYpiz^dQV=yQIOu?|3S&^ZOLB0*FFc)LqvX?h#yCBACVFau(8O_V)}jbumQ z)*S#vi7U5S{<_9HCjp?jdzd|k<>Zjd+t^$Z*sSuq){WrEO=HmT%w}jI?s@Ff)`G7k zamu-qcc1a2h?Hb&oSlEQd&2$bk_sxOk?G{-o-4$RqF1XvMeH#9tr(;tXv*rpTG89_ z0B+jK@jTQ%t7@`6Z3P(LWMSrBS7pohUf%|7zZj7~4tAN+{H6_Wo00wA+jDYfAk!smS{PSCA2K7-_S?#9D-<3P~Ew%rx&OxrbN z>Yh|#`&(U2Z%>NPrBLs193QemL#HoWMSQ)$!pHTNqS@f-lg6i>vwr>jzvRnzmtAgG(Lm_G z3Ob*wjl!CM&nvr-9MH*LaMxlh#)|vX)b?}#4}J2Lhtoi>&ft*?-rk__0X9cNXzc0j zQ&$S~a=q8+0v|H&QP=|tRH?3C+erh9K-eN4wylRy9#TC(%fCc;G4^vDBFKMxs6k5>rkDQV zVB!Bv&m%rdJNh^xuC<(@S;;}>F%hm=jdvRmTB;va8C%zcd29GF<9d}Ny_yepsCu3~ zHI9X)3Ty9X^a`6l?10FIz2CQDb#TOG^63lD_36@D8EW}w12b1Y&3O9OGPOXMq8K8+ z{A{ytstRRlv0gO)||*Jj07u1jJLMVX)^m`Y9u$x6=Ue z?tZFQEtX3}%d12s;Blukv0-Fl4_$g`{n5sBZS8MB-?({Gr7xmsB($t{Wj5u3VV0z~ zAT~h!te%?QB*&v(2`R^0;A7^s!TWK9VIJlu{ zt^zGgoQOo#`RB)O)*m%lxB*}C&X?$;=nJ@4m}GiXS@pAR_WLc;6~?9-6zsa2b{E96 zj#g=sFOK}hfPL;xf5X;U7a8wA0_0yLDr1@wvt_&$>NG!t_N)lU%uh}Nn}2p9mXv7t z8SD?plTPCKeAgn3lwMm!h-VVVAK4GnX8^hYV5ZFCB-R+}5$iu-bKRc2CHzd%Y!<4B zYqKR-80oOmf#Ki$VbYAV9>-TiouNofJ%rPCnoo%-PrJr6QXU~d_MNO?35Vb*VuvC< 
zsKv$eyk0J~xfFQ1R`;=)J)R^}KB0eY0cP>YKjeo7tlBwxxZ6h(1rKF3ZgJ_dsA|E6 zVwbT3;qO1xFh6`YbEomE8^9@GYlN%=US`rXppJfTHr+;}v$h`?rCE@p6HCaHukhg3 zS_#FqE1SJ&wB@D0lr}1s7XPguUp*~y^jCIAF3)iQjuk~{=W>Nycp0aW) z%!z$ZO+&X_u?d16otB5(#zQ-&My!7bg{16=^Dd$3XrdbJC)I!XIaJv2<%KOn$|`VT zdd{T{8E)KFYtrOjs=roec;1AJj^71gNm>R}8IJwC#b5>2I7ku=9wTjp zq_G#cwa^N)76dK_Y&>Nb=e7mU^j5{bJr-%-dLMidN`qk%x$l!X;mY+pweG|XYSeuz zT+qqt9noeodRci}MLJjA^jXe+Rc?b;cpJ65z6RF*)H|yRf>frpGvV7i58!W$Z9iAu ze9;$n9slBdJJP$Zch?1PyyN`7EgT4JH=o`~>+)D#Zza9`+_-)f+;XH3SPj42ew!S> z3VVICFb_9A$R%F(HHGZs*k*wbao64Bw_Xb2y?p}K&w8&a!IefU+d?)uhQUpr{m7F0 zdR~T!3>{C3o~xe=_N;qzxtw)x$JRUFKm+T}!Mm$ykG>#c>#g$X_J8*>J-%8_aXv3f z0J*A1IG(LD8_=Nn_r_HI!y3Lc2v_3Ujvk%U*nty-+HTjl0@{??{Q~LqUX5xGj5y^k7>ZW8;w6-=%v;|aco}+Y2X)T$_>F8@I~Z4Vwa$Dg6}8(! z%6&RZQt>~NC5bwmemd^Vb^0FsGMq$5x*lw^dg0ac7>Wz$FWPWdIZ^PhhZq6^#&@OK z3iF{jtwWQyDfj2MSLQ&MAzQTA7x>%4Ps7dRe*b=-9SL)%2{rc4$Kr3j4ouaw-ycQX z-R^ipEi(T4U)?kYdoPUZa05GFJ``i}ojI&*9m1J3<^{FlU-;4YjF{ z@z$hXvl>X%Tu(d1J-xT^d^vwMn5C=_a$gS6u4>$dM1$L&Zdg*l*!Ex(qm$&k549rx zOXh64trjXUub9`bD9JDH*HnV#U`gv;s1C=w8!BT9z5)Dx%E?v`M)Q*X^1_F_LGH@I z!98)1P&`fSB+XBmJRNWs7dc@MKjU9(x}|P z-cpCykrWr7^!;eqh|Ne#hFahXE_Rbt#~eGcRI`O0@+SlQYo^6MnFUI#&K^17ICc^< z!YXVYZMGjPszE8UV35{yu_}vc@eVVU)DJ@|I*yQKX5au!g392uMS42>04(P?zvf^9|3pYEq32Wj!`bry#jpVKlN^m30RV=&%U}6 zoyGj)(m3Mxbl;ZU`LT;6#>wozbY--{m$8QZmiE+8M}PPv{ljMAd@+`m6E1*u{s3V; z9~Bj^g-$k+9tXRnNS=(nT5P=`VCoSU`^LGdI4kV~;Ki&{0`@*|=w z8MZHDxeP8%Nr|;K`%TX|$Qf_Kv-sTyU~CQ5O`eznyjiP(p!=uQqj#Tka`oWX+$M-h z+Jo9thDjPU$!_ejNAVjZtv>TK!Z&_bUrJqMh(oX(U2eQ4AWqd3v=uk2H6-@n$QR<4 zW;Kp@RV2O}>1MwAID|vFyrZ3WbKg&M7{e>~Wf+Y7H*>*-WN~ekpON1;jYzOf2W~VI zXE(M&-E`Nkg{m%)=0GUci)A%gFfg0RQhg8x_f@Gvq`#Wqg`L-2hK4(q+;4Tts`5Lo z4)xS&x@txU<#6Wx2qk$lB1E=wKmw&Il_Ez8!9kQLHS&wL21!*&8pw%1GkLOXyB5Y` z=h2S;bs*`QCe2>k}h!e%MJ3Z&W+!X zOgtBAgt#AymxEuA9stpr&?%e5| z(8BkUx&{bR=DYlsf^PGu4v4g3^F17aG>W+0VrqBZVnf{5{?j`roiF>jME3K@X!XC? 
zeBI!^q-MZoFr*xe8DVlw_iSBT8*n#AgNVIAow;@z%zEr~mICZ~DZDhDxNMJUwe|Erk_mx0J_NXHcuh631$mTrLvC+R{h=n^ z-;Y}KD4YL=u2z$u0|b0;>+uh|U+~=lJ=d4pxq|*Lz{?k#gIiDg=#1AZqbI*zzO2hu zIqS2ShqvylH^%xk?AoB$^t@m$@GCCg9B_l$|K-g$-neaXDvilKS2xx8sTouG0%`6F znEA9W!fMP3mOW}6^lwbm+4i$@*(3BG2RvK)Ll9MZd?%<|Njs9e4%Qn{pK`lePf1PA3c(*)yUmyohLMM_|cJ3@alOebi;A$ev1~9?c3Eic@CYxUTC*IhS2lY=HlI@z}c%z zkH}f|mzqwf|9Wrm7QQGHN(6;&-_Ae{pdUj4JAn7B?4=ke!(1#rUeOI2)cX&y_ncea za|~Ol(1uyYvAlsJr_%YqaDj@!Uubmu=!qvm*&7UbJAhFSv^vJpl3CkZA~|e7ki^2* zmUEUj!pHc$;^FWn{0vWRZgTD!iA&3&XahLAR<88gF+UTX$zlt4_ z|3E=PxrP3JLZYlt&rjtH{G<03c8-;5_wSl>#V>j6kH2>>eL5JbdmT&YOA3tYuKh=( zi#L{-7VtA^+ocYm5cCFJ+SgxW$BWx^<@A0#SGrtJKoll6ASvO`-zfZP~ zwb)BxJikCTB?SF--0JY$vV1u`>(enfW#yD$aeYF`xU%?6CZ89?gm(r=zMTz$J&K6khK%!H9MwRrf;Lj;3X-{xZ<8~(Z!R&9q>x;r-?if z(~ih-rTdaD&0sg@nd9hR?jV>#LXF+3_3u{c&S~$aJX-^jXb#%>r+uVeev^4w|4E> zdobf8X(V%q@z8~DgmX^KvaM$DHDO$RZ_v)3#?qtJmBqp?9C_k0#1)g3u5Pi%?kYRp z{4qZ9i}IA4QTdC&y_O74y|^%?Qa2642OWlqKN6+UBCM)l+NAST(+^lHR^-G&N@~(> zLE@AKSW1W`pZs}dPkpujvg(y5JA>5S%cK>XKc}fi6KSDdc$JXttifF8%hILCEmCLV z(*66Kl9>5v;1AZYQU=j0Nhw1CMXTpm*?6Y<@PzE;W7(ZDW2s$-9y{2Sj(mpPjUBX2 zqaRdvk{`wemn3pj>Wx;}7987iMkkJGydr6I<-(b_uNy3l@S|iIW={pgA{%n48)+B5 zBbV6TWJqL#;O>47{%r;nZUDk{qGN7{C)e_NrwG@EZmicZTfa?Hvz`_on!k$UeVNqz zmFkdK>@ZBc55uB_-d3-k?vd;jq3K(gHcCliltYn#*5cSk<(jQ0rb&yp7>8&^Dw${D zX0AzpZ)ebP0p}2kuwMMVQWkgA_4el)iCL3yNm&r5Obk`?OkA~MN_o~8bYLqmQbZ*+ zcF%eY85u6>oIw)Rg3T9U-l|Dyo`zITV|l$qX}yY8DH8)Lq1(baq1&>M3Ym%+A(@4u zq0~Va4z4%rN~MP^s>hgY$E52jkaPsR?M~vI%PUZu4LlN^;i^JxTS)rV!~P-3qE9Z= zpl~0~LQo8p!e8w>hLF{i<)BY{={^XHf6NF{1QTEBo!X>bWF4iSv9zf&3g5GG~IG#HCiM zDDQfAqZ-Cf`n{NnSR*yJ!97IQF@$%qirb26J)whJhI>u6W_+=qUz4#yg|9*ymrXZR zF;+VepA^d%haTZ&m3z9`oM6UWk*r+kLa}GVaUz29z=J-25!G<^#;sZe1q+~+!Ybv@ zfmUE+VXh|!&-l=w;4@aHOp`pPjr@^u~dC{lzzdq%;f@e^4^6n<(0f3iGL!H2#QE=MU?Ywzzu-%ojvDfK8 z*P_?AkgO`7dC=iZB2Zfw{H)~RTJ3Dya^MTlht}!~IV+NhKF*Q9y=-0Jt(x7v2Kxq% zc6Iz|n=E-CU3efD4enLKWA=nJN88hNyLI@F{u*lL1w7PaL+yV7$=B|ia^n5W!dZY% z?4Y*P)*0g4XdAH$&GynFYR-J#-`3w0qDV%#y-}T@8KMys3V5n 
zzliz^4bDq9xVLAwQp*MjCH}c8koBIP`7e?4{5*#_(4bo zF-y4T+vVV1$WDCK#I(Tk=rJ&@Dc-;OcuzzIfeRoP2R;$}A9*5AeiJ%8 zfs^H^7|ok@y)=|ajYz~viRIl2LGAq*rv;~e0S2DYT*@W|KZA%>)33k8XZ~{H4V1Q= z>PZ==c1!5mXd`sgn8D{O)p@GRkzi;|+*FC=xHiFruoqDTaMDKoEc==+gCbup$`P5b ze|yL}P&V0}pl;%s@59MHJuV-6UR;;R9azb-{7XV(4o91ncU3RsO4i9Nw0mnqDT44I zBSB&X>(>vQiLb*3B`UjO@l~{4I0>m#ZUr;57G=PB#E9lmwN;d|jL%C;wuzs>rL(N^Cv}lM^k-@_n%NQ%IgpO$}sb+UdA%sk7%ENMrTTC<=w5#=pS@jOOq3Xf5 z_kTl)HH+cWn2V<>TKbrTuFQu`a=gcVI(wo@`sfE|iOpQI`^H{U`iYZi!BT$yV`C9d zpSmLszw-3>f^JL;;%~w7xB;&jq`~YRWkR5OX+^T%JL$%M{z{;1DxEn_;gArDzTA*Z zfRhr%wT$Q%m>gpzi9(tw!0#BgSa06=g@L!`J3d= zkI~}d*#MunG6)jnbP3A5=ym4}uU7_fcH8w4rh4E;rSD+Gop`Y=Ji}kYr<-1L=k_LsyavQIOxWZr?DvIxJORN2R&VW>*(s}=lA1`!4>N4#>?QI?nm zYu=st5g;MTia|+UG$Tp zOqc*UihsDV>O50?b|hhZWx1nBI7*iTm~&!IIihV-a|z>FuSLArsb?jq8fh?|9Eon7 z;{Ku>mq+E|UlG~0N9YKPCo|=?uBP9$f+8cDH$9YLT95@RsKH1oy{V2}=u;^-@6`&N zzuk1IGOe@sabjLP?#SghP_0UIT(s`2`*gq*$Wp&cMx_n2%7`;(^R1%uM&<$VB_kSY z2*!L=1J7(2W?;C@z6W8k?+I($w2F3J#j3BN$|oG$?QCcZCB6LtPR}^Diwm@rv@J;F zLl5_VUs)1wV&MzhiXDN}(@22XmnO63SRYjw&A04Rw77&2==ONUB);-0{pGC&Y4aj^ zQpjhdh)u?c(|`F`G`#pQnkbTR-!1muUBW6R*Wmnk__!GBTzL+EkPg*Okxs1tQW~2A+m(Oby-=Fxl-O$) zQQ>d;r4nT$D{)n5ik^e-D59vK)2tDVB|ZPqiY}oyg{Saekz|-3pf(b_gAmrG6lOkl z9P-l-#owyp1+qC2n=O7eMTQ74-xj+9t#?EX2}4qTBXx+Q;ktUW<~La#f73h*r!QG? 
z*gq?I!Y>qUv*Q**xvn zd(rQl-VjRV&INBtEf{X|5Bgl?q+M=b)GQ$>?Eo;}YMo;qd*{+haANROD@8L|fRee&D8ZU_6@5 z+2`0*D2QUK5t553`PaZ;GA-c*mjH{ZP?hopCTrQfUTpwx0?p8|D-sJIydEPkseJ4zdm&?*FuIl z`KkjvO~(vh&kUO`{^(l*e?};{^qz0LCE?FYey8>lC~Z+UBoY zXopr$ZmCrLbo9ULUf(3XL=>*y+gtAq{AZ;CwjCQFGuY=ips9ge0Jk>$k}MB~&UA9n zgTPP01gY((r}4&(|5}{0pEf>3-i%zf4opq^$(===~&S)~SczO+6=hd`L9 z1@Dvh@(gXSf(`~-5jrpjJiL`^E|oNB5HK-E2Dm|A(!kq2QII>+E55G5O!M{%mMUn# zZI~Bp-coEi(^oUffO1|Srpvq!MTlr?bPm~4QeG} zdjusWAaa4)Fq4O`?8$e>ZjEX<0*yk2DK}5{Kbv90NlidZxq2S&Rv+rD9jPyNp9qzR zVk+$PufmJJ;_7*#q%GC!WK1}Ah^>$v>e8M~SuU5+zStBvB|9qDjJ0bwo~(zZ=V_MM zR*oNF=S{3FYO+Pvhu_SJk$7=veHi_5Sw6^)abKZ^`z`A09m&EkB1OWBR>Npw`BhWw zNBQ3*o+VOWnFUOAM}!a~YGEhc?`9W809XyhdqC`f*jpPllN(lZ@}4f>DEd zdL-{rAGmVp*+ldi(rgvU1!|RlsI=^oE7ZPB!-_1*mxQ{_Iw{@yPNEcDHf5E+Zd3^p zlrqzg`qfThTF%{Vx~`MPf9YCTOoq*K7XM<#9``*{9FZy}4N1P1Gqax_z|E-jkwMC~ zdb`Z5p;oS87Z`q4LyCl5nc>a9qpv}Yim|CG4Sz7G)UO-IQZJ(lNY8tfVVq@)PWf8ZG?4h32#v9X zef7Qz)+2w3pSEJkn-5MfDi~ks3+5v^PMSo76Rl!*V=A&)>lWRWk!sFKk^2M0*|4kM zZlc*F6Cl~7wr+P#q%gy_mOC54Md z<4Dh`W>c&&fy)V7L}RcxGv|9^^tF7oe#vYI!u^kp{LvMxY#m+EQ+F+DO8V3o;fC)F zb-S(~TXZLy5K2|$(9JaC2%S&+^t{SaZ#PHhLPC`EICwL;$EW%4g_;eTqcM>nqbwb3 zvgGr2{TB#7#Bt>b%dtAzS2uD~K-Dz&>PFfxC?GS(@#wUIzHv?L z^^m$}wB#uJ?`a2?%oC2Wn7l`md@9)0Wbza7{0S#*jeyapXQ&WGtBAbJERKefb7OZm z5OUaWLl*P@;5c~rhZ@|AItY_981m#>75_TZNrwpp?}8>v3N?2&6?rpcK%3z+hTm zFnu=Fk(15+0JP8g6cG6a(*@dXWmB2?ff;Gv3Y>0-CO0a#0Rucb9Z&T!r$r$J#BALr zBJWp8)SfJGF5iw1g}25 zlwQ3q<+br_wLNUvjFtVzbehp;BCw+-Gz3rxS)wko&&tJYO}`CiS^o~L8VQl%hxqn}Q`1*8EoMrRjO zX`;~G3#Sgq%@Mv3D0H_o3-Ykal|PnL>ZIz^@V2}f+yiJsCKl~J(#;arPrBZ3%4wx1 zYn?lI-S!*)_nqf*1J!`?Rp$62@{!c2!m#CB1w;QR?S_y|0rUybRj4H#{q|10_wJrY zbgXh@+j(uit61H}>lD3Eylca5YfNL?v))`6B=@rg9q>ODOkwclX0MOm$&^t?%gd1t zD@fX9lVyN~4YX!|^2q1tvVmvqQLLYvFAhx|*Zj0@X6W0c6S-{%EoTUWTyLw{0S=(23utAfuR^{aDWQ{brS$k~=Z z{=@4z>N&@i6EO>RUe_H4L2J7AG!MvZqqz z_CnKjMqX=Q)7+s=OBcjd*K2UDmF_{Gz$}p9{s+Kw?=`uZC?uHd3~)m}Py2GK;{?H^ z)iG?+v>Zm&7X!3I`Jv;%M8+b}lWF;-cJk$%&c(lfK`N%EZ>3e0$kcdmm-)n 
z+nr;wI>L!Q^3?sDqZ}-c?Ub+NJNp%e5SzId!LZa;_pS1;A1B@&p^e0MIX-%ECt5a5 zF)`^riE>@fTRbh#aiyu5*VScuV1#+SUY-=`)|fp@?g0xWn&t424XvPw29bbnL7GoY zF`UF00S^+-d#|1q1%U&@Lcxlf83z$ZRv5`8N8y?#Hdf%jSYfnO#Lr;^?u7om6sjmJ zFJg>8IEwkFHGk83G^*d8xp2%~K)6-LNehHs-DRigf$dJ8$h14ixZ-XDBb{6vKbWI^ zOZs4;cftLqYj-vr)pN@MmrEKl;VN8sF;zLaBLSHkAv6Qd^3W} zTn+KsHyM)r0Qf3c)HdaK0}rBsnC~S(9R0r;fL9+joBZ(=j|Qvb<)7W`85; z3&!|G3sN$D-xsF?NXQZW7-_3^k3?-PINS)fO2v5OtuE{L%qgc`Mgf?l@g5;-(hQ@+)_Co?w%{uOXYqoz< ze<)5#pWf6teWg@R_JciG;^^dw6Zn4Y!a;PGL=ht+xGA<1_w}zMRjv7-jR+l1bh}G-NGJcFU2dCyxUs*fbXbyP zyP0WBktj>e6_$jm>sEiDhwzCR9EAk?}8tzlmZ#%v?@@LqiWE+o^p%bPPsa<%DlR|mOQd9B%& z@1To2hIwUnM7W_W$q9EK=&YKo?Syy;=hh|myQAJGLOm>k-mczCpA(@r%Be4lkb!BD z%m2%}dBkJBzoqb2kpHYyFnYOEDy2q?7051zJEbr`+}7~za+~$l!){T@RUj$2A%zol zOnZ-nRe3Db3mtM))i?Hu7j>1>Mchg+|g*$*>KYd6L1K2tU@^sW7 zdI+ejQLa`DM0txGHi;^-#epC|LLo`e1YCCBeYX%t|n;AmOiCL)&_dOOfZn zrxjqUFa7U}(pr&=ed4TRSfO)|^TUggpnBA8fxYSO&dW3J>c9u$_8YXNfxh`xppaXz zVcbmn4eplzUA<2hu2bcPK~8pknspG@ytCoa6jblNPl#176F*@Nq1LKK@Vf1T(D}ng zp|@}yrufRiM`y(NBo$G=!dJ-KzB`lgBhilWp~5;@_ZFP%oj}$DDbSn<;LXFGJ3D_blkgPj7i=}=KcjO!k`XK+lCIo$s_0|#bI+6+=u6fIH zj2EIa0{v_C((`T22)-wdC--Yoe|z*(Y4G3j9YWH1GdtQ0vw@l`3p%vZJsO>?%WO2Q z2N8?R6tOYa4~U+4@6Rj-^NO@Jo+kEA09uB>Y=67i9})e$RgfdR%YaDmS6cAWr)@T-ty{jJ zWx!r?^p^0e{u8;&4ObeVC%~V_`y#Y(>9YN3rTMJV01A0d?e;eEMlyTfRW6Og%Qk0g zbn3i$t95pns_8UtUKe>^b^ApeNnG`acK^boT*MmC0-dIfHUjm_Uv)FF`3=~2=C$aB zIh9mFsC@P^uQt4in-#0;+k(huH(oh!W22q*AwvT-x*pMu6_w1;(YS+Yk&)axRg1U( zP%b3&6Zu`<3utD>8jJ)ncXNv-gk~8$Dx3p~Gr}3pBYm^mu^?QpdAk6gUk8Vx@c3!g z8-GFZU8>;ivO{_mC4xL|-$W)t3arFHTV8g52BIkmYO;t~{vUL!Zte!B_WOBrLGli)!);Ss!XJ&7FTAVB+>?Lm1OTE zjNvC^Of`=bFrv#ABr$nQhdFvKnZn?F(VuT5Bdy$1OrxJ(yX0oSbNR#+&*W&1et>Gi zLAgt?Q$SWI9%8ygL(np^-^N7~Sb>6`$;JEoh;y-}vIyZ~m>)HmFQU2RKHg3$tbT&GNn`nGhSd|7hN|vsSY*LVrdh*G?DJ2#)#jJ1v z!=5zyj?QZ=ZLt9c&6SNkyzuH^A4X;1Qm=l4$3%ogUzJ^ z4~o{R;ih6=b{?&0QU;bNBVa!xBG;j9pgP%+EzC4GqINx;QlosT`4JVF!S%V*0JFAm zBnzJWANFRRz)N`L3##?TSYC|J99!DdgDno6OCi!yPYvR9&6(8xyn!yqSMc*J=XPM6xg0bk2VG8>!n4wPa 
z*l5&3JzYf;`uNjst{_@|}i|Hg)?>zp%XIxC*n(fED|*0WdYKMzAnAyobTXV+yOIPp>= zkCcuW@2;+v7#&1jV-bc>gB-}AuUJyQz}ilmvcO)xoF>vjVwJoSiZ15#Fc@Uzz$=bi ztrln4(DlPC%XWZUz6^+}SO~!8N?AESb?Jbp#FWPb!lGAr9 z16la(`?UQMf1L;|0L4qSY&1 zRJeSzIho>>s9%YD41`;bG4s-Yv3o{L+D|MpSiQYs4pW-RAQW-Aumnf6I~deyiEswyDR)1f@Kk7r!nPM#}{} zDah!PK1IUE3o3Wqq((NNEhk)V>_!w;s8lt+YM*en1s&YjFVk)7^?ZHmhIIa_js@ zbnc3C$8_LkNZ06$cbik5^F;td@3t9IO$V4qAN+5A$kC(zL+dLrRkV8&1odHvJ{SwGnzX)Ae4!G{quf*3^AYu2l zKF_?~+xEBCnh`|p2pnphN@2V{jLvC2nrWydYg_fx$*wt5= zMml@80EB}&YK=SZAbeLn7YYDe$nA0EfpN9xE-o6V)3I~^l<&L|taRa20zC**3K1yLhE@^qCecWp>NCy}iH$bd3+7O}h8G zPuRZF0|f05gvf1Dd>Z^f_IJyUygg6n-ZQWIZ_ppFy_9$FR^LUC%9{*oG7%)@3>q<^ zjGshmbtyv@YzAcjPrLvwYIC7&vj(?OsVi$6)~2jgP#d%z0JBU>k{35M0rNCyD2yDI zIj=aX!Jhqh-wq@Emy`$|6HOExkug@j>%|{)lqypH5=!p;xPS~Gu0&IL)@r>Xb#gfP z=6|OKfV9O4DXzpb_jUyS%aot1%vjN))_=`onZhvU&g1;;yut=wasfFuyetGE37?Q* zIKtH!Kb7cs3#&QVNvterqL$0W?Rg`Ys+fkyS+p!BE{G#>rtTJ{L(slpO5jZ^RhH{X@^Z{Pow31V#dHUk9a-Fo z?fV}yhbd(ZnL5Hyfh({oeYBXoxx1@8%f%5VD8AADj`rln*~y3)+QJz`d=cjuFf)S_ zyQO$Nd86YSLjL+Ns=iD$8k5Lr(`}Pbys|sd65FPhx+H{dNhcQTWgJZ@ z7DITrUk)pleoec_75kuwDq5Q%V~R8l?csb@ z4R?x|fX!Y^k#7*QzWbm#_XDpWcGQ;1#jHYN{}=-YgF;Sao}Fbrz|n%svg3f(YWyGtoJEai1HmQ^Z*IC+*Zrw z5=-HKAH=Q*Gn6&U^HH_VkSyrV#zIl`p1C1~?@cxUt#@e|FZOH8;mmsp6Zw7R5df`u z^UWB_z%u!k*PdlyHB|TKo~EyA|6f3}k;f^R=3_u}e{+^=*3<(^|F7FXjm6QvYV1Me z>LwH1s8<0N{j&+pSY-L`>{$fCF`9j1lkk{xBE?Fs1@6Wlr0p6@C)7z2Fx0G?@P*pl zI~fV*_&04sKVA%WkNo7dhNZ>uF`2?L*kU;w&9H`7qkbY#O1Z@l-ao4qd9!$#oHivm z$8>_20o8>yo6HupmWh?(x|}fV8h`3*KJjoDYoJ8@7)b`%2m$*X+Qa>QQ{-)>UQ%e(ibpQ?K#jYkg2qm&E}xN)97wo&m^KPwHKO-N&soX9fu z-48=#eFN=4F zCQ(U+kda&ATTX>c1{`&2V11_CZ55GSog*<<#KPR~?+n;H8pyxMh6Q;rVcSYfsIZjLetW7dRV^sYKBUPO#f^R2dvJR&&SDUDkxnRe?P}MT+hXOOB7ctSE znVl}8OLAoAA)H+DZEbl1hgcW5PUi(GJbNA zDeCHvbXZbCsUxQ{4jWhMo^Ov!%FW`M{vOpFwAl@!A?<^-*g!@bEiT|(J}W!E^>~VQ zEhDW-O1j{lYdD%s(X>2jj>V4clCxAIwzaxZ*2o`U=FI;BNS>A8%Qagu^xxf4aNY>0 z4SHYi*w3~R?1CJEl_~9VpY)6gQGrMX-n>VA5&SUcm!ishc+1N&YA<-)x2>$LUsSs4 
zZoc9@t7UcqBeqPj#YqK){p8!|`sx%O+UHFEiN$mBE-PSRnEO5^TS#1xbXItLrU$o zqkUEm7*rX}R$%liyXm;L%&<oL-eKPKcrh6P&&rix7rlnVf>!hFGc9)kSk;HUHZ^qSg6RpmlnLD0&tcj6& z%bbk@?oAoZp4qKB6~hsm$3ZJMqnT1}XmLG2c{i>M@Jg@uf55 z->>E;-39&yA-{}+&IytpyBC7J;xs1_7xA-jVsa-6YX?-!@im{&_fPzHE;t%$>;lGo zafN2oLf-1jjnq)M-a&nUq9CWq(-ecx#~c+1<;nGUX)^k5CleMLvD6V|tZ zma`~=XJD8KS!8+Bg)4Q3+Mhfr2CvEJ(EaAyPOk%77%G!4!(8{Yhdli}!%620G-fE; z=zfai-9%Y#nXpUY54+7@mRg~(gU!V7+`dd-ibdqw(j1Gaq3t>FkXRX58dSYVImeu7 z{`@~oy<>1?4b&_gYl4Z5nF%Jgor!JRw(VqM+qO>3nOG;r#J25ozC7=DZ@u?V|K3%* z_U>A}dUZ=J8X2+;dLB;u7H?812IeZa+Q3L!U1E+O{;P<=@V0ywmz0O*v^GmM zmKc@enrSZY#)_xW7M7Js!}Eq_zLfF8VKUWO-!;Iy!@&vO4zux&OEd{VO-5e5?Fq{k@+Vdp3ao}{JF*W(Gz37PqF@5!jWls1K6Lq`e^%B(@Er4euGzGau!I&xl+$7YD-w3_#Lz4Mj(u01 zT#<`CSz83f928Y-2Zin-vDei7w)8Szd7p_4JZCZ)U{DHzV@Xb@rC|7RAJqdR8_sM$ zPH(p=r`emyl2aQT#cYX2=_EjF*`qjx2+Lm(ScrBY)LBuD-B=m3%0*yQGLh{@vWplM zQDS(xIf)6YB~PU$EJdLq7jEXyVe_GnWqK4{VU@j~ zg{M45ZWJ7Z=H%XUHq8=4qLFj59qG&w?k##|foX@>r;56+)YNvK#J=K`L;AWRYp&?> zHg5Ikj}zksa;C9D@X-kAB~Vsq5ulPuT!1wObk$mYbWSW&#z7T7Tw*HJ%C%rBIFdB{ z-|uU*Z>>=+^N+qC(;6!QIObh1U7zFaJE@X{#5}_o;SXHLj<_$C1Q{1V%FNjszVF%v zP-&4&i~qFJ+}8176!;q1em>E+>W8Z+;3Yip5Z_`(6E>&`g*N48hOyGYATzyb4W7abdS&M1;?fPWbDXZ>m@v%SNeu8Gi&vB!y%y!Z!ZV{dCP59gy0 z4p@A1gMIig&4yaju`_LRW6Fm{hmh>2&74M9RT33y_`X28Y{APF&f_rCl*8hDL-JpR z9crf^*=tyq!lzD_nJ6qa_T#654JW49#A9Cok(<97wS+*-kCDYw#2VLM9T8Ile~B8L zq>5j_*yCyX9h3J+hqGB#*kTTh56-BXtF|1|vDlaSw-#4JXdUX!a7H4$^?hs|8hiXV z*@6p7wkFGjl^RuMRsN#S_!6(h~o#t z?89TCMU(PKBDsyUqWEzzh5Xd+1be|>JZlyX36(JqR7lVMR73~)n$d+cK?s+na~+ct zj%$mo6f(3%8*rkYR%0nqos2bF^`KrG+Z@ zU9jQKtEKp!N=kQ!l_z}hm&>92zeG!DJ_`<(^U!H#;cC$_Z5)eLC1U$77Z2mi#`l8o z6CC|t-ty}+>=t~D-p7%6VwE_kT==vQ-8m^NV*2N)=MWcib93Eylf2Xa3*eehv(!!L zef~=y7^J&2@^K^)O^D|EDIu4j6Np$Lzrlchy(fcbJ|*O!Z=ph8iC!i@j%q$LuI~H& z0z?Cj+Nn5S|E6djy)I7cTul8S=^73)@C0{!X*tF+%uSCN$!(b^vZbgiL1?)*AGfdRb%8fws?#gm)9Wv3>J~eyAW{wmH9GsJah9RvjKYeQM6ff_I^;a zwRHpf@i}h|l!la}f7+qg8m5u{-EnC zdv9*=UUHmVUGI6$fC0Zd{PoO;dvyHA=gRh_tA4}xiORvt^)9td@Pe<1#O~p8{*A<> 
zcsdU>@fo1%>+8Fqe?Q_TDBvCtOZTwq16!(11^egh|3+EUm3MbVhzAnh+x^($3wvZPS54#NC2g3M5UVMW84n|O#*ZEdv)!G=joI&LZL%jLqMtz zZtrdJ<7c_@5SY;j-1eV-Z1zC~GEvy|zo}jV*K#m$PwMuX?~rmFzU+hU7>~fd*dOp} zRbd@6={FeFpH``iFDl>xld{88Z2s}+#-X$_SVI=~2;OR)Nqd`8OGJ>e!C>#jwzT9^s(rE4p+* zIK^I65sEjq(rK9%b}~V(R&5T!uqg4FVx)RG`4+rv$O<#vaMcrzx=~IyXcHx7x z@h5z_LbQowlTEBMYM*jqiZPuwC{|HY>{&EVbxg=?KRwjKvz?ZVXvTg~OmaRj(+7I4 zVJHoSDT=IZ#fJp*6%f(a6~JZ-`vfMXwjFjaF6KaM2ZoDxRgg--n3YSJkSWF-&Z$^# z8kCnl`v4O5xNs6lRuhWTupC7P=F)p;$SDl6F|o_2H@MfCWS5 zIygQYDwX_4q@lKH%->{rF&wzM+^H0Cu1Oj0Uwda}OL$JMU1&_lC7A?4aP06sS+;~h zI`IV7RVu`yw5jEIavpb5?9N@!rVPv%SV#rI@{``f4(b?G14=@EyT}%W_40>#astyu zieoHmW1&HBL|3!ztmcTHXu);lKr+R zj4|{G0D&`*!$l4^D;T8_%*adfJ`(`CxYg*qkDUeBC!Sq` zjO}DyVe7fZN?yJl1Dkm)2YYcUQzVh`M@fS#VW{}OT~*?&7j9=Aa*9}CDbr&?5VC)% z!Qt^`1ogl6am(Hpf&&)<*1)xJZ=KcbS~yCt_!EnmKFw~qL6G@{cY9% zl9ky|MA-L>Ria7x$y-atHkEKp`i~{M;OU=Lw`9h+iIz$!tT7d|Qky4?WzAH~;2FO# z?;lySnVfLsezy|D&{1j)aa7MaE+7;Z;X77+M#om96Sy3vEJ=xgrW^am zrIwRn&kqr8I?CDX>l5s(_icfIVD5LsMT7Qa5HOB|$iym|Zs|5qJmkHdJ2fi&Fy0%W z%Xo%V8G~#iMB;5wQ1&h{q&vcFuw(MgbRt5gMh5v=SKEuC1g+I5m z5jle3H@^R2d}C__0A~L)Jy~0K^TscRpL_^X${1@qUTH%vVrfJz9L6UuI|`YtGT=4Ok^z ztF~*~y=Vj5r(@gm+sCFZcOGRApgd}N3`jijgSNG;T71x+AK&`;L9?vW?GNh4nP<2L zPZzQA?3^9<8HA|%H$~|iHpb@&_G1?wA*clHgjP@L+tG3UM-+az)-9N=#NC2KJ#>0~ zQZ~2GF+3t~^%@3(zqdC1ub(Ma%Y%)L1~~mJ$A0v^VKn8nZK6;ATAs#PcbmVv`gnFW zNj9ioCm8mCkr3=TC{;*JS?$^qyo2A;EO9=D6r9Mx&GR}o(7wz&@&*4j==R(`VT>Hi zEADw(yz&F<%qUfdP8QmbI=+2c#=0CjKdRFW-lIJK3Y_f-2KapwP2cpgyIwc3$$d0$SUJ$xY&oVL zzv%O^0_eoAd)~F7diV56T~uB4(UN*?`uq4^WS~0j$xwB>3-oPua9g(Iw7+cD*Mj5N z1%mjl4`x%J{H{_-+ZC>UGn&~pPE$}_rB^!q8|9zlGiun4ve!pOg^|BvieV|EDD|?G@}i5Y}TxME{?n!dmQNxFCu!{ z@0#cRZUQ>3NGGl}ntLK&7qg(Sox{c#YSiTTa;1fcgP@q0YotHB>s*nD7NZ0lcrX48 zjAd1>y8Ru={62{d=bQO+dCX`F@7`NaApZwBOnzYCG9!my6}!D!wHWuXvz3&1L;ESt zx^^x}DD!#(*GwibID_D~CS!6r606CKn{)@%z?3M-s9N>k^1J-*eC0 zRL%Os?;q1&8!7%eU$#!OcpXQ6^nGsJNp%K;s3|BNE&*1mXcp#=v&UT4+ha%gztapg zwb{lf-p_quo`;(yhDb{t70RtKr&=l>zei846ZS&Q-+!&n4~EhZ312c%1gvosCnoRM 
zjddGXhcf?-;}AqL7c~V-5S3cO2=&{ zsm&r{cl9S35G5UWs*^4RTnP3EPS>{p#*kDVx2P0J#YEB4MO>C(N4W6%oV z;^cDcqz?^s#`VgK$TIMBDyXe4i?Pg ztc4_z{Zn2Xo;_-jrY(VRl9_oz%2Yx7D#`t9&DM^@y(7Xl(&|iRAwqU) z;Pub)3AgVxS*2_J;$cgj=D5ZLs+yKjz1L3tvIF!Qp>+oR$#gGR6+^0hZbZAWhL4<~+l%Gqu zOW+IA_andw*qnC7SYl#mTb0U0U~&qfchj*WY2cUE55m>&c-2F3@?tz+pv*ZrF=jPQ ztD5vVS?3FE?tPe)^YHP?AG2zGyNt|?M2Np-iUNZ`;E_$gz#jRf*gg0aqfu3EG8OYs zN;!bgpO`W$^Xxb_qm^cOd21Bl>*zZAby(q zdZ+;IezYCG{5RbrzU2qL<@w}Rk3NsSr}C{Uez`C>+k2??_{SJ5OUMu?-SB|7G*k9k?S%G8rtGCVR^8-#n=fX6iWA<4E0 z)tpWml!LruHA$M_fdz6a`89!&uP;TrYe0FK`ja3nJZ{gj>9>9e;=d49=H}^a_-E4e z3P~yJhBjV;tnR5R-?>#MBtwL2obb4Gi!eVFm|OJc(XfjqTZGvELjDBg54;=vds5`!!$+_{?2SLT z!#w$@?+O2!^n3E(0=D1Dq<;eaq?Xz-^(#SyKQSfY2H0x9Q1l&@KWfS?ygOmxYYr> z{g~}NJ^HLW(A&Dih3}*7?Rj&aaM~eRW*#ACd zgk1yM1emw3IRRCAy>F>b1$ErxdoOc;IrRBdn#6g%FGZILGxh-|&T7cjdK(Gd?ih}n z4Ddmg`fp9pX}S+oj%VA~?ZxfMt@ybcdG7WMq`nJJz--j#zZz>#TAUw-;8=CucQiq- zy{KIK9n!>(7h3+OL%j*CD^Fukkc_SSJEO4}ZN#W`usn@4D@vm@6ifrPahu~5rTb-@zeT8&uX}qeXqc0c{i>7*821N+_9;%i{6IU z&l4j2b1;Vn_@(l{h->lK-miX}uYGEiQAZ-yD;ZTaIiOKcvH$iby-R?{e%dnkRKVx3 zT+r2l+oSgcSKNCt<`dsxAQ5E~lKCJMfOWR$_p0GNAt0PHC0J1ovG+1W9moGuqNpw+OX_}xDho@3-WukvYPqIli25vb{(A6R zr5t`lq300ha(zw!#fBMj@XOUhr zRse0}r}2@qa!f`C@+uoZGiR=uWjz|!JmCjA*^yeToF?zzw0+Ui-m4t6>bk=xQk(h+glc$z{#4G_E#)%oTKGqmto3H}rKDOYr zs>LQ3!M=GP7EWo|;73w7rz!AQ7sxT^IFe>Ju(BK*+pg@a6!B1_98@4LrdNEfRYI>_ zC1sYvBEj}0ZvJkvfT9brh^)B%d~8LxR)d-nA{|- z*=mHyl)&0bR$3ZXI?-wK&MW z^>fibVfK1zE6iThM}Eq2RbBC+U1y(!3z}l6K+|xV)4%hDko}#yPZ5s9_J!(nrNxs> z(?QjrfW#Y0V4&-Y7oyCVKEb0X{oL9yj99VnQ^J??`w!EFIGV67aG!?5He z#6$SFTNMK5_uKQIt-eOe1XCC|y(#%@uc8c?grd~MVqY;m=~>R%a@4UyKh)DCcGQIk zVG?l6W-(ZmYaTFGW^2?@omENDL&O6z8YDY5h`jVVL=UvRWwl6j0oDmC{(T zf&N*-NtVh~ick^ImIdLd!qSrXds5;U%?KC~?)Gz%6Rx#~xZY|OkDFofU&?^Z1JdMX zo`$BUT&$*l5tZWMl1I<>qhnc=9q>+80{EgAX?Uf_IBJAz@y-GKcvfG$Q{_g5g=heH zA`s?QJi(^~MBj6RH|(V8qb-yRzmfC*MF{l;d^ZeK0I)uasy1}_pLHHu0B z&Q}8q-c+P+a-L_0Hs_ZDe;hjL?^6NbcZr>TbBhjuf3}ZnHKDtv(L?(3$Gja{UGH+; zbk2JHl{jDTJARwLS#HQ7u(Q%f{Aei_~e&Y~BcX 
z=lrp${(-cwExYsl%Lv(7cjIkRy=%_K&h|RtmHMIH{s(F@uKnxva)9?6$>c`Mxs7pE z?<@Nd=IhzV^98(t=Sf}aklKpHrFQ#ASKDUOSQXlOcGvZDDMu4WM{U<)C8xUOVgF;( zntiXECj;pB>onSBhlB4uAlp2Es@H#*J`4bQ{}ao3p20Ph6`vC@Z6B{2@OL`kg5LIg zZfo!1OdWine{|{fay9p53OCK~D6eaIomf+5{j`$SqxUc*EC?Kq+eO{497 z9+UU7>k+*^f%hEn_iEW6Dofw@Wtr4d%=#5#U%2JOlFxQ@o_BgjWyqV2M;vx5dV{7-%$kp4ejfDQ=EA^K+eH72@jlHEc zzw%nbH_|5Vt~>m$`rEnEH3r|K{s~a?5u^K-Z)I#9-_36HvVN5d(vKj;v*piSE?5g3 zbaVgqVR8B1reOBY3reQ+;dtt}%NKoY`aP-KFv)>45Fl{;p3m~}a+kkC=(41@kbt11 z<>mBI4&VaK6Q^*6$Y8oDFTBaMOhDL0D81&=sm%^nvdu~8DvjNs;t#vE1HE#^=WX^H zxm0-t^fJsEWLrff+Dq4dF;{k&t3b=<+agyY&@N5NL!elPB+`139YwSl^Ulj0SvAtH zylXlRmSAu>Gfbcr<)z>>N@0fC(ZYpSrC;^qmzSc+ERfMiRQV~yws zUS(@omK^Fp!B4D-jPxjRKS@sSMQ`js9XTl^vhyNkLLn+Gm4W`s2~zzH6Y~GCqgVXh zR_VA7?CT|HX;_-eS02goEy@U_%oY(*WGi$}O(evA>R6TeATOOLOUt$bTqnq4 zV+w?&TFx30fd&~CrZCg&L1 zGW~>3hv~_131>IL(n0uVX~DZ_E?m{@&7>w_=MABFKrJU_Wp-M!23Y3TcNA__CqnL2 z1U93%d>`9EcoP14VO}Cq!qMYj;?rK$l67gSd9?$9^m$?q2Zg&@NTT}sTcx;+#|lZ9 zgz#G}8+B2;%u<5zAhH&XB}S}sr?TwO3UZ`|oIeZHs4#q0DZ)H+_zE0qyf=a6;MB+o zcsMxP+aCqo2qp{#@CWd;@jq*T$KnJ7Kmg5&|88>|r@&4$zj_StsB5VU%pPdcpQOsN za>Fs_(=_La+UR-`(&j_WB4J8?|8YmUv0LKJl9*CwF!lB+GR$y9`2 z%@$@_^pUJ^6-71h`Ne^iyT~U>FsHw{PnDS+!ujXznn&b1PM`Q_7bOE}HtM=^N-|7> zZwjr$2~vH@ojdXv;0jleq(43!QI}_v z;aSIPYk6v_D)Ou}M0+MHP**Npn}J`}uTA`0juDRnZc`?FDUx>kf@2E0ScGMkfPl5C zk;6JIWJ(BX%om?6(W*cUI95~~j2D()AxcX)(maA(sw=W;ga}A!wOWGw#cW-<^8T|r zweKZ9X1eSy;u&qxZ#v+adJ*~f`2#dS;5Am$qOBeq2gKlEvl&8*oyN*Pg$BIn<%)=- zv>@VE@5CtF_6Op`6xCkKb+JlTx6D+(r0`tMg(op$%$F=$RI5_4(>V(Ze1U;GSmnyB z6X7_deqd3Z>=0KP!xbTSopGLsuP${`-o6-pgy}h#bp~*LQ(ig}hCN5QrD5sA)JM3+J4hqJAavVvjiy>E^;g3nMhxDQ_P0 zf}KE`&B9?cTx7i%obcxdOjE6T&o_(gy-hZha#bW%Vl2XykRlP~4(S5ZG6V?BJxcz> zEHMRkYa9b>jwTmh))CJC2R?7q@LmEoK^F$EXpfK|TiYG4`3h!2pT+9b&2PAeeMf?8 zW%at=eG!{Sf+K!azDZMt2*O`IDPv8pajxNJyaNuB83P)?@4w#KCeNqeo{!e@9}g^W zi1k8u@x*O!7=@3PMw%@E)AA0TH?xGjnxk?C0>`m;j0O%TSAHSyr|!VLCxN;5UDgeQ zT-{k73wv)YUbc2U9|?nNE^n2~#0Li&2CgBt_~)B^lEJMFBS5SJuY}UH2#3K#!a$!J zuz#W7K({hSsq^qpHkyFPL|0tN=bxW6;WV!o(Cn%g)QRF@%dnx> 
zL<1UDUj4!Kw9bF@ zF{pi3i+jcUnzf<6>QMjaNBa~rK+64eN$S=H7=4HbosO>=G?jaOI83vRkL@t(^_A=WSlD+Mvr%7J#JT(L1$8aVMSVnrka!41&cK+*zBly+0KVq) zh&SL=pP(CfWIAoaLhtoZ-A2#3CRzU|Hk#6-`YqROeg&SiZGoZB@ACPEoA%N#!S{i% zx@@cWEw#L_b?E7ko3Yz{#_0TMn(ArIzU{~Iz_O&Tthasi7z^#@%d?Wf;M8Yo??8Hf z*RG^v3-q*}%f_Ao_gU9#&p=pTWJ-DXR^;?n0q@n^c(GT^@I@fdI&8L_0r%ddU8G;x@l!uzyB%b~xsi~V#st;gK)(q=Gc>c@qwb@Z<5UWpn*nDc0Jqnep~1=HDN1wRWJoRBG5TrP1t5* zkbSid9+HUPDs!JTPj~su0R5PFBJKrqC`uQ<6&MUiSiv^6w&jkV#8_=)DK+P0ld-S&q7Tq=ZXlSENK$( z5gxL+S?iW{+e(V_bc2U?4PL~J@oOy)xQ-b)wTmXo>i)#mp{F&1XdjjnUf4dpfj^^7WkI|u^v;pp4G}T0AUtI@6a6B7x~tU2P|+k0lEkofoVBD zilGG^{2KMoWz$4$jaD5y)#k3s_wWg{Z1oXQWkg+*jB`-2u9~B>Nk$e8C(%fLqp!3` zqevm&?hdN9qrkT@6l1>kuKAh5k;EFm4Z*9NmU<}WfkC` zm>zGiG9$DqJTJ|zRo*N}MylCsw#NB^7*K(A|L z*h}sBi2fsQXy51fZoOLc2KfUCXl&1ss2qK$kXRHlW-F3f*>Au}3Qk%#KVcbSSj~Aq zs*Mzj@MBz!%IFznDv){mDAUA-5`fo$)g;%g8vGVyac?FAS2}YbZibit$YTOuJlvtw zm0mZY<)VC{X$c&Sg(x%>6Ny@i#i(cd+AkwiCbc-;IhE3%HeMtg8WTCUaAG5d_Ee39 z4{I5yYBpM%ZW@jfsKi>w`pay64n9=taOhivT%`BbpRDdmb04#z;@gjvUjw*4H|@Be zwZzn!-xmm!P5+K*bV3LliefbCieCh2mCj?7Md>hRh3IDDl`rZSrT}Noh3wny2I@`M zjMO0gXfo1J1l7;92chKZ>=LRp@nA&5iDI<)CZaB9q%wb5ayW#ZDyDYw_b{r9Wd3zz z;vI|hZ4Kne{$N8?3#AqkXQBV=DoxW*!d#OPy5uMzeu36y*%wd({^f}Rz+BHd`*>XT z6RqcZQG7EJO!kS6?po-!5FFhNT?y0>E;5k9wMv9n?X>!mOPP+PgvVB$RN?VMyWiT2 zXPj*uXZ%@tHM6A2ty=lan!oHXRb|zDYQ%g-XaNhP>|N$0**vPq@Gei5guIJXTjH~c zl6`|LT1{IhTRC!hs<0ZW?1aM^+wxr0hH#dM5d4`^V2pH_^^8^N=kxsXr5N+r{hfcc zXcnW@0G7IF1>k$JW&x9BZ+gE%!W$oCKa?M)KV4uHTP^*bs{*_wl|Nnd*KhH zjO&0*sD) z-iz_E2^l5zw)Pt-mmRJ1sH67sNLtWIPn|K&NWwb2kzv&AqIG6Y>u|sqz*lC50L=_D zu!xu3CcV5F$5Ai%n1p#P$tq#Tt(jd%y(b{&$#Sj6DnSdA%tnc}jg4Cqt1So(bzODX zZs-?FZY#X3z}Gn-i;r)nrP zl+xAk z49p)_q(Xfwo^hKmwnnXF{_xkxJ+$H*8_QYRzBfwEhjK5a%DzQLQS?zYTrr(CP zv&<&v(P}Js5=o!*v)oW-dV@33trRE-l>2Qg|;l?vE)5e4uMZyv5aFknUsuz;6 z;w`=B=s1&YdzYBr+@WPg?sE`6oT^vM=n_X?ksVNn2r50c~xDLSU|2Tg~qbT=CAoS}VOdRF>BK^7$1c83iQd);oAo zuXjE?JuN+Q-IaV0Fp}O&+?{ygW326`oz2zT`JRw$F#(iLD$bt3e@_pTTyot~zYI`i@gtIug45u0L(RdeW=6tLT?7ZlKKeK@3k*+|pK?|zzv 
zeCvu>|AA(+S5M;D*Cc+u#;&06Xw(dZV_cc+Pp7k{ZrOxiYpL=fTs^h*BH!U5Q z()nm!e%kV{#!Ls#VsOHaMtks^Pfnh(759`u34z#8xlPapI7{z4%05GN9S zC~8CphLf)Hyw{JdZjP%Y*1p$TH;#9+ixQbmG&iEAFPMv=J z-p;;o=h(PO^v1AR(f$n~^rxLs3ml6XbT!{;(=UyC9h9%B#>pB*fk&@S(#KUD!W@%w zZ{1khJ;++l&B|qluX1)U$i<$k_Q!H1IYaL$voQFBR+=F6lTxIJJ9l1iX;Y` z{HFNV%F?gEqymsO@vNb}cFT8C;yN}^&D)vHTuy8K(D07^qA)X&)kq@+?o<;GY2Mo9p4`N8H2-V}7QBpxY*sgt<;19}W%eIe?{rkOM$E|!^ zee@qIJtH=6URu*+4xb{ySDxKfKZMz6)u|xfH1VUL?&OS2W#EpoNJr`}r9E^#wu~{9 zaTB?!BMyBKjHdLUuR6;C&(OpLdUf%fDjW(SknHEzYz_o<)?_Hr?qx7At>Y%*Apmo; z8cglY_VD>tO4s_n48%V`3Y_caqn$oc+Nk?~cZ=2KL?m|R8P!UG`RS!qd~L-)<^JP$ z33bMGHFvRkl%MHbdPs%poMoRdZcf(Jj9jeJ_c@xBkU!Qf1lJ|$5FNwk{J-Ty9^NY| zRb>BAeE*f{S&Cfl1K?I9OmS7CQ5EL4toE$JSh3Dkl18SD7}Y;4veEEJucWZr-q4dSlL2;_49fW)ZT{#5L(N;8+mvx5((Z@u9Rh* z*I$qH&K*aOQo%lxyxRf(MC>a+e=X_?TbFy>IBMMhq#2oB(4kGa?;8iWWa<^I=Cx(^ zLZ+r?$DgW8fxZm}Jd~U6byOJU;b#K|P8~Bm3?}ko`2+GqZvwa>6w&vl(*;9-jU zY1Jp-^$*W>JV0Y=dj1J~6BokJ=Lrj5G&y|&+e$fRFLPAn>uYxggK3^_U#K=3$9|(7 z9`e7g56A!m>OL;mGafF1daj%PI<-x!HraJLmUIa9T^<|r0qOi#;}=7uzIW{pq>ROk z{48ndoj1RB7EPyfmI21^-!^hHe)^mSn0`);?iR(Tb;U2<6NwM-*>e*Hu8nkGlUfw zv7KMFOTy@)ah=u`b`P*H^#znlgcJOE|GXb^>2F^A{E&YKT`xBlHg*gkb zajfGkICxAo!8*f69TF9*K?RzR?;7|zx}Tm!6|g zo(-~G7tu{pTU``t8P~7o3cllKT|6)vxF=lCbko6%F51`bOtk=5EOg_ynOuzndu?aUeL8Ryms1~o>QX+=N!4kPEGO1?IV{FVgu1}^om*KIM`(er_ z`iYPPdFf0l{8AeDd(Q;CV^$>HTVdPC=bw|8CH$0eYK8fgyWIU3au&per>XGGk~DaW zwHZ|yW>lzta-)Xw6fGy?>BHzUlg7hlNv+xo%#R?Mv(JiC+Wc)HvM3W#WN1CjBw|%c zMoI%vB9h?p7jC%Ue)#$Qa1_3crIjQg0Zqd<@bv&q14|E6eKv^kVIg$990O(7G4OHyMkM48oWIQ+61 z+emh{cIFDUlJ9#Olg=1o@b-dMDWev;=1({6n@Ae1h4xviuS!Bti27sqSQNt;&HN3Y zMZAywsEHS4GJapJg6ilync>)HV`i41nWcO%eu*ZVck13=3p<5Ew@9;E9-1&DNnbA@ zzZ!EsD*ZgWgGHcqanCA9Do`gXkVAIc>v!eTp&HiBIjwNa0(SOLZktky6_vY2+4|FD zwGODs(3d;>@+LB)?dYwYvqd8}LoYqdu!!^eUjR9v;{Bb^mjVm_Uo+Ym>k<&`1s<`p+$+Va2a|HydB7y{!B|d&BPLbDx0B#=L=C0~vamJzY95 ztP}sc`TcVnRlxp?DnLd1EPD&IvZ@iQ4WCawuJifUdov~conFq`*8Sh@cyk$vJEX4q z)7RkZn&zsgY8?+d;sspp>f2uDhSrF@hL?L6Hr|0>K+m~L&o*zmNOUh@wMzmj+++S1 
zM;>Ec$Zmpq0=#c1Z1~%@r^`tlYCe=*QnRUi@1`dNypH(n9v0m*J)#_s z;gY;YXA?dCh%xqFdq14wK0`lg`qc{NHLN|^Ywc7lZ{-PI?S@I@_)FbI^jUr!cT6#i zoB8zoy8vI0TwR*^7J*y_iPQZ*WG1>jJuM#I7}m@`eCnq37WKjF?Z_AfHqVLJW+1LnNB?U(44(MZQ_9^7wnDZS_ER|dC(W}NRm4;%Tq zzL)hYg4>_9*0W0T%w+DWx`W#*0I*Xi+^R%woYm2L>D_=y< zcOx-=xvrhw=gyvd)Vwnuko%gS7l^^3<{9%f5<7-HGI|F(n%536P3W-IvyZ0n-1L^a z_~bL|{WRt0@b66KEys7onN!ancqQ+1KIJu`2k2+fUQ? ztK+&FdN(Y`oE9`KrH_CgTO+n}qkq_xy!7=N(AkCWAKABZZj)FiZ*pqZ$u>WW}Aj-tc zz0bny`FZO)|9$s4p4Ke9M;Cyg9V@%P4UJaO@_J(5wH0{`5iL_I&4O1!M~U|vJ-zCg zZTFASKhBUrD{W(jMKL|WVC_YH(?vf{3v4yRqQ6F3@isFF%pbnwu3ELEuD;WC%C5oH zvXI1WD%9q497Mq1O77CvE&k!ET3<+n_S&Hb3zb7@&COY?9uIB|jdw1R*y*foDOqfj zNPc;@=84*-*lW|!?@Jd;q2HVIBAA!7GKq7M^~cJ89uYFA}e8ipjH2ku!;R! z^yHsRW8!K=%3HEaTIzVlxGdOlyi&d~JG39)g;iSmSbZ>WkUjkXAQ9b-z~hPL=W7KUg>qfZDV) z?%r&)){<$*G}w)qfh|bO(Q?87a+0jFebpW$FP4F~4rf)!*V2Xa%o{IF>+-SJg30Y3 zV=vuzO%TA6)M@aua6(PFkWT}A*YTJ?r1f9K=BDv;{G2F{nV@nG4U8=R)SY7(i(0Ow z#!uwWASfW!o!!55b~f9=1WIu?z8X%kFRA7););)YNHr>0N@t2V@Jw~=Gv@W)Z36P~ z7vB%ZQ{;cOd|xnA-MsTp=ml|0-ul2F!zxSL{+4~o+6W>i36c1_qsl-S z#948ui7?Vn9~PwSLhA)d#bqd_>ZKa>!VK)UQierY*|M~~clCM;p1>Ha4oTN`ZRtl^ z=mzGg5iNUDPv0eiAyZMa&ZV!!ii1oLiGH|$xNJtGO3SVa~O*3{>CZU|Nozru4>CG`0JKLEo(JipE3Ma*vd6sNOJWbiGi zU#^Ssq&OjsdbW<#kh!sVhh%;%0Eq2U4#TM)a zYX`kX5_mpc8qe9!oc+w%&z$|t+0UH){NEigf+L?v|Cu}g;Zqs!_n+Rir>yuH@E_7XR9W8mn_0Ru&&(kkRze+bK^sNIPTta^6gsX_= zgV-b2U&|bO_dUCAaPc|HpSD@@$-7>D`^~~&?|Hv>o?GgbW1RVaI_8GKqsyQ5+ScDd zt{fb(>3Q31y4@D{?OHkNSATMUxbx3n*d{6Oaf7h#4d3m)bl&y5eyKt3aj-&EmU?%S zJ+|I>i8Ic9t-f}=*4@p*2?s25@Zs*m_sL&abM-yW3eVhZCvq3z5{Hn=izpyV{@}{fKS>>rG9=pG{3U}C92OqT)bGFJ>E`0LX zM>kr3{p6l?`s_oSmR~YYdU%V&4fFI3A6&0-?d_+ow!}A&UGcJ8@zox`JabFwtd-BY z=KQrkQU4i#Px$hdr+w?$OP@b*`3GNo;Gyq7bIw6a9(m1u5B~9cHwz1PxbLmQ_B~_% zVGH8ZP9L7K=Ghtb+oOk$|M6=l?6}NU*fAyW+EvbablI0~-A9^l-*?OJ{&fBhM|WHB zcduLP=iHs=Jhf0toiIyBQpMBV9=ppqfBxpaU%M1cvaf!BnXNYX%JY?HcfY8;fV|{J 
z{Eatvd5Sp4npeH*`peeKUV2pJh(}-Bdckyq(rxnJV4OVi7@$dLg%^Z)x&t3fwBu|Tw%u>)S>@0@=O#ip|5B!%)XNyz0yx9HU8L(B)2Z2_jn2$2eRxz6mYCW(9b*D*)l(`JS@C~6YGlrB2q<*@^%45+H)GFB| zV6bK6O@b+WP2(VG^6sW9}p=XzD_B037FtFjKlwuVlX`~bTAy3s<&+3byj5(=F z4VTh(DmQhijUF(rqj5WFiyX)Iat>OtJFWuOM3yWPyj&NUT;689jI9>ZaG{E43@>n@ zX5!#zJJu1+8Uqy}L8}pkbcg+Vr{)ZXVaS^Vqp728-9nUlcC1#5Ivg|Yl9>-n5km-# z98rjie4~=fKso?PQtjjU51sOpohbR~==q1}ZdRja@NQDA#^if7n(!a~DtDvqY?WULN2o06h-5^5e>>?lex-_Dvt zD4-ySsZ^VEl;%cIpba2^!Z^$?_6IFCZH-d(WWp(NhwXu!&FE~MkdoLFM#XA~)l|BM z>6)ISL8@A&by;z&K_>vrTFM*2BQ6W7wuH-#frnKh+#;*(Y%O4eu`PxM!--XB(lpF` zmom(O+93TB>kn|ILJom$x#LctOeW8Ogca)bPQ_&uDvrP%U(Af}aeaqT3JirH@trBQ6TDliWXq*h*Y#vmer8 z^Z(dh;v)Y^K7anRSj)}d{b#xu{v)@mJXmW~JFE`0)h=a`;}%qI#|+eL6@m&rbcO{w z8j+ONhjq2M_ULPirUoArod`45J7_t zlr9eWvWg2iPIqkv#z~55;@tp@;<8e9vxHfmz2txhYI3F}jH*R}1E-=^$X5K0*(f^= zFjky$Hy(%C1~L>GQRrflPf(FcD3m6EwN|}J4|+fz!m?`MjN#bs^c;|>LP6SL=vm~Q zma9V26sH=AkZ3JQ5ptvkP^OU|r8@Zlk0Q|OhErg+4kh`rTPM?5*>+NxBy{stVGK9o zmdS{iH#Q3Th=ygvQ~E||i8YaTI_9L&rlrz=s&s)CLdA_ht(L6Ld;Sy2Irqc*zg6G! 
zpRz~GAK8Cq6X~D*=fC^G0sq_(ZgKj-^&4Xcw?_-)$>-za> zv&{A3k`41Ph)gxyjt7J&t;o;2GvTIye1BRuF1xZC`8Y()gH1I-`DX1pv=7{7 zuXw7|(If&Fy`*91^4K7U>Qv;Y209I5M72c-=yjBYX|)BmtdX+Pr{cMOaC2BRhedN( zG>1iVSoFVZzzClCO#08<`46AUc)$PbS3BkF|9SsGVGK%RI6;1t`k%}{`493L@E`g&r?-!%hq0eci-VR{}k*@0*5~R($b-P^DR%FXx!la@~uNB z`>j+usqyl<$e#uW-E;rm_rLV}t)ov!p#RpzuHB%C*l8v9s^-Rz zWxn{6D_4K($K<`6-?mqL+Unaccy_^Z8y)bqJs*CF-+%P84f*>oI&IT)4%+1>TdDXG zC!W5Vcl(daFIlTwI~~8>iu><*@cbJVtn%$|Y;(XLuKDh&w>S1JUiHQym;ChkRd(D< z!LB&HwQ$$p?0NPRYkn`a=0oSOHtXGav_b!{ot&X>8F0~kaX;D>>uA1+6a z-0{6_)l9fSZGckk2>$D z2X7Ykc-2{9g)MG-{(#Oc*aOczeqIWOGq0WnRc=#$3LSDid<%5bi-&xnhdunnmG8dU zKk@gEE!bz+EsQUyLhH_xgbNQ0c6s5xE04H7xifdg_V8urO^>wCU;Pg(vz4*p z8B^Ia;E(J-$_JkRqkR7Sr!rAIDp9;fMlCOP{ZDZ*{D z{om+Hr6^?`kV{HM7;MG{-*4(tv6I(Bs@$C9?E%$p7HW(c&|y;=H>zq$69zKa#PUfq z!T_Ek1XZx>bW5cLMat@_k~0`%p(mMTy_2{|f5ehy+_rOYr8O>qs4tOqO4sD3TOPRC_3BiG02er)twd2rn5TVPKJ6(W%{ z;Q;7Ky4b53My4c8`y84bK^d`}{{PKW|CRr6f9d}Q{zHg$RK=0z{O3LYnSTEKXR(%> z|MnkcanAn{dy+YUSzkjYKq(HFJ5r^tn4OLhjtn{hk!gpV-$@aEFQ>|Q z%(R$Fzn5u8H5F$jqhVD77`$Jt!W5)eyM+RdOa8P{3Pw|qvkiuh3rW9?Rxz$m4LCAw zW8lQ%QZ+AM*7O9YHH|WXwCxmgnQ^+y1)y7$Xh&!pHaw;?J$o<`ykt3nOV@7bae+g`QE@H9XUZ3M1Xl443lCylBQ7BPZK)i^h3 zStRXeSf$?eB6O5A+Z`WOJPRMFZ964#Gni)v^UPqL8O$?-d1f%r{}O?d1h!c6pPBwY zUyFR2|6FqJoA)gS{0AqJFgn!<;tTK}Y;oj26ih9A2VZ&rw=PB?d&dv9FfXUX3_^yZqUKXlMJEO>&Sb?!-< zuW|d^4d+qJcy=3S7#J}<0?5{3=mEexqY9elvG?dgr?j)Q;VcTKcM2_uc3fZ&k6CJ!Z7Uu@^o4 zAo}n_f4a55Wn<@a4xh6cI_s9Nl>dDH@%^`%y#3_Lm+iRMDyI=q8vUi^H&|AhDTc7cAhTMLQjo&@zTOS;^)PvhDyXn2}OYXO{6F0hI<<-LF zwz>ZB&DW6-Bzy4M-`jdSV!!LRdYJ#otF7>~y(gR8Cog#O6xw+6F4uZ99lr7W_qI9j z*{dGD;~(~a@$3Iaz%%y$>yUqk|MV=R_n8Tb#hd?#Dz^~dBp33KFV25HbNm&jXozJnTLUx_t6r_#5nrVq% zC)E_O6kP0fIK3#iQOqXzlGP*!jk?CC(PYK1x|%5fofIp6IsU`eVN@EmwMH(F4LeG8 z(j8<-LDn5ssMpm=zh9W{j3km6*C$yd2{QILQIwKI3M|B$o$mq?A9P_04im{_+#{2j z?hup-L7cvOs#@zLRJos{W4lpQaHQb74YUANaFUQS3NeBP<%$e|VX9DLS!YQ*Kx zI#_0jg6|DsuW9jt5Jqfu05-vqYdGmdxfljqA>A$#(=b-I%}Htm3{yETqNA#5S&8zv zGeW$aEh)7!SjzB{h%0D?&s0Oq6M3?pvi+f2tB1UfN2)kI-?{#(ZjNB 
zFk6(kaMb@&{O7a!zqt}ykv<2p|1ZlMepC6+qPUxX@}EVS|HGF$hHRlyt=Rz#r@|X% z!AI3j*D*w|kNTyW-vmX+X$1XR&S>Ovew>3LvXhw%Bn~I)f?oBqS*GnY#qJP5MAP-P zpyEx^WM|aW2}G7hN~zgW`=DRx*2i2JhBbK7L2;(ZCWfgdk{PzVQnNs!1)OgK6DJi7 zaXd#4+>{kga%BHG5Mo&0(lvdq-EKEH?R&+XsCdiozJ+Rmih^!Qx zuI6E(C!w)Z7ejK4_UhfTHpnnY;FPN^ti?~pNxhn&yX{_@7n@Cza&m<+Pfq<*0uUj; z=@aeVP)Stl*>=u}(*2}GlX`(4j-_n7InHOefmK0mM$k&q0L1%VE;}radL|1K0|?Lu zrRs3%mnvcUf4cvhL;DN)PlEja@Bfz036fD@y9So6HzV6|Pz@8uEhR^WT|JA}$w3K@ z6Lk+UkjWOgGLhDiYBy~e1jY_itdg0a1wT_svQrCOtq&&(ULPo> z%2b6-(dAMKC*>TV7MlaPldi}@zdKIj^0*WQqn3+_MWhlo^3cS!xw6@ci;R2dt?K9jGi#Q~GbIVduj?rvf_H%NnZr|ls#{oiI-&kXCC zVLdafXNL9sFBUjS;EN^ynYsV_Ymra$pGW2Ux&J)>!ILPCCl`Kx0se#k7yg4T2K)!d zF?jk&BFIB;hHxBq#kv$hw$|10gWRqvbiSLmI?A3JZ^v-a5a-jDC5(D`TCKa3x}@P2aF11^20 zyUsfAWlo;`_IabewbG+|ol;tQ`|eG9w60P1>qnd1bN@D_J5O8o;nYo=Y$`sk_m9|U z+l$0A=O1?Yw;!&ZuxjeMt;&boy3ge&u3Y=o@keZikKf+^!mpJ7{B)^%-=1~Y@88&| zX*_@1^PB(rq+dK%akbOv6(p<*!J=z>2TE_-+RkF*X;b*?>0C()RDK> zczoj>pY2*#KD|8g$~{klTU3tQttI}j{bhG=xaq4se!(G|Z++q$hu+2Byz09@xPI;~hoAn`Pe2^o{?ttm zdM+Doa?|kCrCER78)kp&hab*9EBWfsQ8mJ18YEHBIJVb@! 
z&>OX2EH#eN5)`%?EGyMg1FAdhNqLcq7+xNsB^h&jO1D!+lKqz1FJ(cXV1$|WH2SKl z9k|s+GQK^ud}cV7h?-C?#&ABC+FUZxDd7bbp}SQ-m+;Fp<}n=|q}*r-_${m=W%5?J zlhzXSKtNQ78xOJU5F$%iq3F>mODN%0rin?YAq@;X&cmQtO!{4>J>rWtfbumWVRU;9 zl7QS;Rw1y@rP6Fi&2*BUI;xsXA*rY6M!m#Y6+1Da(sa-4=XApgE7^(|0Hbuv$oXB> z$E)>JhGE2v5olUH63V$opM=16iqQEK6D54Y>RO#n1{U%OP@oaoYjg{33P1)W_Dk0P z;Pil3hkR)w779VDr6!|+5>i}AspBT2DQ&NBM7fSQ?&Z}ct>md@$lC1`nBropg)u-q zKq^6JG}NmmPBDRK}9`FuGaOyXS6kwP0z=fOdNPAEVp zKS{F9p3f;&uNB!GUFR^R+(NTiF-uLa1l3NY^5vM)U0iEc<3uJ?YF8>$Bjb+y-~ev} zNm(&cSRHE$Tp^rlM$5|z(9rb~C0EOP2$)68C~Nzu)vwm@Rt$>6Av_N4m>dqhR$r|F z4org{Srghp9MPOYwAImo&e~sf|F?174B?siKcDa)=$prX7RlZGlm9Hr{2#7dUIKF^r)Xc-B#KYFn>H zgQy79>mKRY)X<~r2nJ>;ZMr2YF-5XZ&`p~st%PR!@wha}iMGH7q%>W5oUUe}RzHQt z%_;`43BDT^D*2|K%9}&Y8VoFp)k+huCe`xMeEmw~KrROqhhhL|JO!+nzM36zx)SlJ26224ZB(C8DI}QB;HQ z6TKurj-fn)qzBz3AvgJiYEC+FwFM4E3WKvE332U46CEJkM!MB+;i3uk0*DI6@NgJp znFi7Z@`{93+p=lF^W&6E8;Hq2+k&~T)5%u~sRe+`{tNUuNxG={_ zR$6wZ?`HYBQgQ4;lIvQ-oZ`Y(j#9_nwmT{1fJ)?BRb)IAi)}>rAPq8W*rcoQjqY?U zXgu4g^%QbKXlXwpQhru5(`kez#vz2`LzCfqz@S;rl8vy^)$4p4EEy8w$$TLq#&p#h zbIBx~sz76i8?iDE!XvYbmLb+uV$IR|7>O1%pvPr~CEVdDs~&7;v`YQFhNHe zqkiOi4HKd3RZ>;kIhoGTZ~5v z4EPU$peRJ*2#$Wm{O8t3Uq4oc#&d)}@yD9@wdEUmj|z0@prqDC$G54RpOFQ|E9XlQrFMkfxdjlAGKC~ zeETK5^KPE3*8Ig=$87ibyuZv@|AH=d_M`gA7cW;o@7J##`GH0qc-K#Vx%Li^EdR<0 zvo8I0?zrYgk36y3DF@wrF7WJuYn`y~DL0?C?JGCkZJqg+zu&$`zs$>z`eEne!*8ob z%in+NwO2p3eSFGkcVxTa3P+xP@QO#`SN6H)soPTHkLP{A&aHjvaL2h2ve_|g`-nMD zue;*@fB5r>TW`zETZz4S&Y#b@B0l+!4VPbKtHgJr(jCl!%O14eLF*vWSIU3B=bU@z z0*IPBCw}{ipYOZeFNb^X)~nn(=R4b;_VS81T>I)4tB6O`j^7)hFTQ7=57#+yxsvvZ z7H)Qi`oiRiC6_E7cHHs5zVXsqW^H%Q=rJaB+4&N-*F)(Q*Sho2U7!7MU;gl4BxS`u zV85eDt9|M+ul>BZzqE__aSz?2ThJY2XiaIRc+)7S2M-u;LDU;O&N&CLJ#dgR~XKh%Wf(x20uXfftLk}8iE z4rLJ8H2TH)&u7m6seJSJ&ota-IapNXSY$hk%74s7;XkyP?Q~GNL+4|LZNNwsD5?En za$wnLlw)u`;|9f2rRfw$)T9^|{c?x5ea1;P#8^w1vOBb3CDYHe%RHWzgS_4*fFjxU zNz=wVDaN4l5m><}wxs#lkWk8FClsc?)F^lpzZ>gaJS@uj0bghiO8KfGggK?s1Tax$ zJu-|Mb`Dc@M4(J8Puq6iEt07e!;YAC90vU^G;Va^7OoVyh?%Y|RYoVRmI);(05?of 
z@0&`2Kqr*bqQ?~6C8wb_T+j9zy*eqkBilQJ*er47N2Veao6e6d=&8#B!Y|*dl3WLCf^iBipLD{GA(ff zz#XeFH3HF&`6lz9MR7O(*iak&U?PSzRX^_mrR=F=1$k-f@9HZ%*J`C0kP0?~>v1%qI1Djf5N~eJl zh4x!uqGKf*sg{joQrQs&m2%Z|xvk|)eFT>kMGR6>OEh&kCT%4u@x3}fD*E6==twdk z;FZ=i(u&Nw7_fn(VZO*W2OZXi*%<04bb$^AgM2%eHyAlkhft%Pft#5Wm?h0jNlCQ; zK^!!|L{dn&>BMNHh6N9CH7RR#I`wSQ%UhbjX9Bn<)`?cSik5P=Q_Tx?GfI;>He^W~ zfGs68CWoRVwlk(4xk*rw8-p}dtq^bpOAf$%YtZtF=)`dvQhoxdD%+lvEh%W2qT_NR z0EvOxbLF&xL;utL-~P4!XOa59)m0D7M1F1{vV=FFUB1yC)w+HGwRH%Hth(1hryjJ0 zhjleX9T*zJN)QH#TGAvl`AMdePgRF?Lz)5vkLP^4vju{$$1u7B%s3Ex0ZM5w{ zub9wAO21GLZCW6ExRn%yfJu(Uq&65Cj^g$ikc0E!q@E?ylWGmAb&^>U(E1Hbj~j+k zFWFELG>c%iG)VXs!}mBlcBYQ4?t!7Gni)v^UPqL8O$?- zdH$COoFvG_lK;%~|M^oOO{bL7i*|}r(-J3Fpzqi2s;U#Em{oikK>;YbU!`;SVEBkw?OP_L4 zeXaBFl+W7y_4)DtvznLB5(ZU=G%AL`IY`gX9jO%&Zhr#8Fqvp3#%Q> zek5$Q|I3d*zSPr=H*ej}+wlkTksGhq+#%v_VQ&4_ZywgfRU7k{-{Go*vT~Zg^yQo0 ztZ!-E2HthvDmU!3-?iM4Yn^|~k?qyrw ze8rp__W5@2;3u}Uk10R@#1Z2SZn<{--)wV(pZd4>&jqV3vE*m*p9`PeWshCLT{l>c zKrH;WBbU4P;cGU}9`%O*&XL~f`(5$F`j)+oPRX95|0rH#h0}Mu%6hbW`aM@;sox#2 z{W@nn{=@SxIQpV@AG<7d;$!b@dvkxuzkc}e8t68=+-+~T>}|hDKGvCa_Dg?Wrm)dt zyUsab`(3Nq3v;`6-&}qBRW|?i>c>8H{ZbpRyhZc%4>p;0Gd z%#909f*w6(ySL9+``ulCU-z%rV%Y~S*kWD#7lvFrFLLRx#PDf^bxJUjsd)3&T z&T8)T_J%*C*$p;$ZIhoZC|#>$kNEfjbHqd0l7EB$)H8YpmA-NOCn>TV zD*o+;?9LaT|08|o{GV?k|3Rj)b~JtO$!Yw(sQkxXl=(kuMb6>Alfv*GnbHi|1Yo9) zBCTW(lF?qZIn|Dy#b+yattNo2M!Q$T$8^&cv23N>8)+IZCrSm>wS2c&Ok|0PWdnX| z(hnM}PkLcB+h8HSSoFz!Iqa$(O_0mtG)_z#M7tXlCI~FryegQ!GiI4)vyjU8d=Du0 z@}WxO`LrG~cFCm(T#_A?D?kn0D-4Se;)q1DRZC+ynePiP zkjdBbS*g_+NhBvFE13>HvD)r1!9X5bF{aUV6d>JXo^A)E#Vb|-XQVN%3=w%kSnwEV zQ;CV$GLz-5&@YZk^|+T#m*`TUgqhI65Y~-oLm5&y+jmE*2{|>IR=OeS!;;LK9NGf> zSnhr~{=;=d!>&nfzGxTmQXLl4Ny^m~uUs&bO;GDmX}oImLfA6Ix8EDwVqX~LkaG~kxb*F#)w5Cytrw*5-VOK4I9E{ByG*C_U! 
zz{vKSAkgtSQJ2eoOA<5fVqv=HN~f46*cB^c=njJruM(qLn=j;xm8v_y2N}PV>5~Nn zq-z;Q9CiSDfMdMT%%O;5p>>fTwJK#qPjDFFU>=I5RGmeN5hHjNK2s-+W+9s%XnHx0 zk}*^#>kbeVTq>disG2RNkY=}Ip&H#VgfEjfgcjC(4E%pFu_>P`XJ_XBe8PX=Zyx_y zBzNZ(G^MCS%PPW=$h6$Yjy4ZjW^#Osf{2s7FBCd;fx6j#gYpp$K6VWQ##|8q*@S+_rku< zkEsfs9a#y_AM$#Kj`H~`+2kt?z!}I$nHr7C6H{XXwbo4d3~vWSj?9cw{ur_AoDrC& zIsJE>-WMT1*+8v939c(7*>^@Dzy~!4E!*7+6*Wd_yD~NgS+|+>`i-H+w=zsF?Qvt? zbPL6RZ`RFWz$Mw9-EOBdt(1^ps(?`^3`+5BwO;-Q{}C4Y?$7K0_Nl8A_yp0Ua>YEO z_G3@`M4m@*JZ%$f$fD`#{=m*fN<_7b0|kU9Q^V@PKu4*Uq8KJUf+z@8 zhAEW_tW$Fowb@ITp<)RE2L%a9B{^3nGh7_FSi$6Eux)whB*zR3K(k&#g_>Ie(MD45 z7qrM{(S?Jk3LRxajnqJ!L|nTtYLfDBTxix>PzuL_IF-p~60tB&j)6duh5FDq)vDh%!uMHJCp$FutwrI5S5=x7B z24yC$Cxk73K!ZeAn`zrNgJ@y`85B@e6Z6p z|9SpHA}Ed~aRN(z0sce%7yg4U2KN{&R%;)Cbc14L>^c-Fe?ScZEw1 zHVQv@GqK5aA8Zs~dG0|AT5GRN=6^qT^CKURkVDpd>`&W15M3j!c>0qM)mGT<%+2qo zhuhYY>0_ebp69j?Dz9mPN4{~}@fSXGr@HFAbq`we;Q5>UGJ0**;{N{W=UczHc%!8* zU+$%yX05m4ymJoSWzG`M+%^7ay<^||!TGc2AN|zx-`(-}z4qSmR5gD5S1YXb`jX{s z&fE-M;e};Ryz!31-@)$P0ZHs?Rjyj_@Lw|@?Xh5`Q*Zi3vh}khaQGf4jqknft}R9@ zJhkAQl@8tgxEC(T-}L@pZg~*?XxkfaTXU?L&=kFZ;xE^AG#gsfhUfJw9CPsf{+>eV^)r zOO2m1x4c5VeQ5FF%T|7M-RIkbU5`F1VwXPZr33YY_p`N+HvMV-h;1m8+v~N<56j$q z^TXD6w*Su0R_s3dXl3KUN`IPv`%izlYF)nitXGBLkohYwxc1QdZhY^#O}BaPl$W1f z4Y=;f_lkQ$|_BuOXeR}t<7hk>p zp>zIW|Nq1FKhS5?|IE~Xel7Cv@E-{#)75X>{2z20$WA17;XT%N@{9AI&z%2L`{wZ< zI~G|T5+-_5RE0(5Kb=M4KV3J5R4hX`2XcXlCJ7EG^;l-$CE5(_n^4{(2OSj03hh*n zH-(Go%3cU8LO{k5r{z;FEbq53AjDQqRdo zI^+zr*oM7473A%pC$uw|B-8}mYlD;VP%D?6;1)FMu0II85s1hZb4%lw+DpN$8W)0Vy z)3~@%NF*wWh#Y14?l|_w0Roo@q7~LUWDRe(hE1C`SRgr~MqiHqq$Q)w%3NzW_WS_^ zrHVq?l|)wtixtQ$k;7C0wuWWCP4ov)FV|5jJs$Ta86?e`M5`?V!(yh_n!YE<;94n@ z?W8l4Ru)9)dOB9)5i)YHwkN>t0?adtQZyzVxyW%=kMa7+T(_rHfF71ls5Kd@P|XQ9 zF^geSle*Phi_L~q*1`g+7gy*6<`r@QL)Y;XA41JcCS}Goj!;S*lybcQj}jd!Wngl*6z1b<6%g9YxGJ&}E6J8y zT3M_nDBl}@srf&D%jt*he=)H_vYDLWKmUjSAm2Rxvq zoAxRkh;*QqQp=K(X(wSS*@e1jBd&M5s+?7H3zG|wHpwDsIomQ@l_;lGAkKsfb{Q)I z7~}R^qTKTERJ$(!i41pv3l3 
zpd`0+E|(2bNc9G9o!hjyMh}h|8(Md|9GA=1kk1-r*dP*>99u>%;T*FwX=bAV&JP|V8On>THCj~d( zZRDmd)>8sA#vB8IKGRMEe?PAf1G)p>w){az_o2`;iWRzGnz{$~O;irlQ7^?g#h~CL z<`7ijNc62}(09~)7f|s;q{T|Vk3hX}U}J^p`42(P=I!1j8`bmu@u(P34v(->p{@$B z=uA?y$PILmg^F#&1p37^o#5HrxYSkiW`@aoX4OFx{S?MqR!BvyN?i-NfkgD1Q?En0 zof6MNpapf%p->y}6`+!`)cSN=-yW6Xu$k^UE=x}G^&(U;^#Vm$6i82U%|Is_S+!aR zN4b>4S3(MI@ftFzX)#d4`9{@lauuOpY?dprk^q~aQ_&AzOCNYYHHv4aZ&M#m8 z+09op=eT1KP7MUb6I) z`(9z(Irq`?E}#xJm;U4VKR788-v9Bcx4plhxQU=2aoFl7|LV!x_S@vQ2b{`#-+$!s z7d}cPHoNb82mR^H2mUg+7JuoKLw-EDW6gt(UGj=GKRRO8r4Oeno9}Syfk!WOQA|EQ zw|(7?*tI*KeY6dn{nUCFZhF~!x4m$Kv&MD@9C-2k*YNEhJNTycSDJHi|Ej~z-g%$D ztN_2Y@piXdE?VEJJ-P3(%YG~K!M^ns$F=2ueB^6ytaHPfn_jTyX!FBf+4J?aU;f3V zzx(jp+q|`4xt;d^$q7$Cx5`f6g?@f7UEko~dh*Y|efZ=f{tk53hko#1fX=Fa2Rh3` z%YJ_Uw*9aRm#nS+_L{SiweI-YiZ48|d$dgb;H}Ml9yoL3KR>wp8oOqnzu=Bt-+O7! zI%-fpe8<;Y;oZO8ckLGr-ecEa|NKwe9PsPguSNs-+YcPK{t^r7+szrzGH;5*{WZAjgoN&!w+`3@h&A(5rF#qk|7R|M<>FwA#_RMRSSbM88 zkMqT47rYzXIl2Gv_ttoQ@7wctU3bGXe?Iy26E4{5tktvlNzqjs?eOlLr+2kx?{LN| zL1*2IJ(gSW=4q4lyX)N5qRRgHE6>|t^ZkO;KfHb3ChnKM{{LqG|7Y>fe_#KDJsoNHdWB@1Qq^+cmE7Im5|acCie4|HeL?h3O6(5hwb>hCGJAbUq36 zN}t1j(CHDNRaQ+Wr-AHPoY2!3ng+Gq-ol@u|NL1xk}|!qU4x?3gwFr{sC1R?R#ZSx zgmL=sK!{`MKC5d{e<4{h+-^%yxN(~P+jBXV?g~ayuoWZ&O&_BSOP3bD5WvtqAq8RG zMz$8ztF~RzFh?jsWB%{>rog5Y*~n&~zrARQQEQqAn{F3smZpEG%1JDCHVBQ= zjgB7KzTWi1ip_S1xg4)_GhozS@japEdwkVuV6MyiQ2rL`5KUlr?(KnPgK@fklP zdAwx?L)8bAghd;{Nl9UySCNy;NV7d9h95c9r1va9Ye#im%o9%jW-Eu8-6u$C*-6TPZkv^rbA!hDNLgP;=zwN|`T_Qv?^9*YID>YfKpVU?!*d_xzzF$Dhl7 z*u^rZxTvn?6ZV5Hika>Bebw?t)v;!>fKW{9aXhG(0@N!&RWRv`3LBQk9WV!0qq@}= zi>@`OqZ~QOlumyC}j<;?Bzxk!e@ug zR3XJS`+AL2si+TSOsv*!X0e=JY6fw(!vQQw_M33s&vz=7Y=Y|53TDU45F=fYa=K`D z;7S4#+QX^ii;)tk6KRE18G6uP=vO*8nYB8v!Ikcf1zgAOWaRTuh* zh0+pF)1{89XIU?3j*1{BIc1!zGMzLQ)#?NU#Y9Nz_qbigt7S}pO3nVmpmY4SN{Hf8@Ux0ti# zmcW2E%hEjXFFoD(bWxy@R0^q}x(1JpY&kThO7;2nImH5oQ>z4`5w*Qat^vEam_@mx(JueRuUHMHL&8OSft9HSQP4MW<&$%I1y{2Pl{+WlNW=AI~)zX zoY}#vlsh$vy{_CaC;gGsjIxBwONztf@x}m5=ZUGC)(jJv_=aYxrq(x|Nb$867#niX 
zPW1w#8NtP|Hr?4zHD)4c5jbjh3c=LD8>w+fMikg=m~j)(V?wFYeyW{EgjzgC!>(BE zx@Fp(RCS|Zw5ya-&9&pgfanszz{nV>P%LQ%Mzcg{q?$uOV&p`1B4I<^$O>ZHRoy~* zhWX4epBd&e!+d6#&kXaKk$;ti+4IG#{^#%fhe*!k|Gp0Sbp4OJ;nF)S2K7HAP9`Y? z!?FLq{)dGAOZ^YA7}Wnz5INneqbN#z#q~dDof>RMY?43t(e=nWeYSkgI{4~)Ty^T> zcb$CFD%xRd%w2Z&cl8ZB)eDY1;>_jt{X=I{`Chc2AAfw{M&I38TKc!|{b=*MpSlwz zmAlV6Yl{t@IPLrA|7wE`pLyuAwI7x@UiHKkUqD~o_qelPp3K|i*;}8y|M7QMP94AG zXumBUd})Ih_qd^bX6){=&T)62iX|WGq}DlNscVk8cBz}Ob=Uj0e)sJ6{=Dp-N4{@G zmmV{J)o<_d+tJ=jZ1KB`N=F=Z%5J-#7oCfpIRDD6-aDgs-K?!|zS;PQ-usQ@ammqv zyW(f8bn>6xdhPAYO3go9U3_n|InZ_w9^dKi`KTqYwuQ7c_0susS9opyN%w605BvWg z?*E2;y8Z`8XYBviA^%SOkDkjb@0N1T+Cl4{3-Lx0ivKPVu4X8*TuV*L*)I`%|T zIaqYci&p<5vGk(M|H-B;9#Nfa8tREjs-zYG4WB4kt2pwy4C`5_RTvYE`WPWwbj2MG zTg3q6skk~xWqXZDCTI>Nu*;X-qN8FM-*in4z$Sswa_zY5fu57?PK=>c)k__R)hp&m zPK9owA6C<3UK#QU*0jt?VAoq6v%zC&7l#^Iz*L>%em{sVv zF4C5$Q`3`6{#Aj*EGq=B*`t0Hq&QQ(it^Lk9W%6poNR7X#gyeHOl&>5FZ|N&z&tX_ z!$b{VK7c-o;airq(F%u-o}fqwO|ZG*T&tgwxqoje#5woylX?123zzAHS=;&$&zpbq zCY?If@?)Jxci)+RHU-O8?>;-;*b^nC(km&ih{CfDe-R{^f_}Lv!j14gMAAc%l$wC{FOIr;(dJU324_ zgQ0bOt;hvL_>2BO2MxoDbfD=h_)AHnmI_x;ncUkIEZZtjc;Qn`Oz2AHT?;Bx7U}r& zX@#J1p1LQz5C8Q8?Y?e*Q#Gnk&U3gR4*>enw;5WX2C6T^0p48kt;a!CZlO1SCFwiZ zt&E*zO)R3ZgKm#rZ@5dP8b@N>5+299EB`;(mMFANt@u8Y!+wRL&ACJ0VnI&n5I#sM zqsC#4Foi^AbIfF|orOCGXY9m99r~XXl+fmM$L(>!7W9$M`A-jP z3op(o5pks^{|+s?q{P6l4CIn6G2(Ib@H8Q?xRqq@dbDv-fJ!e(T4}a_0t|nhX^t(Le8-mJ^=1ff#GtRC;kZK2p51Zu(zap^}cz}OvZsD6+ z(ylK-2K5^%ZM@|w()i$1@9d%9OeyoH0kUNkxb2^|S__JG=t-jA)LfNh?{QK)gLF1D zn%po4ECVAgtRmgisE9hYjtQ+WJ!Cn?Y*~+08666L4s?eu1VY z6WGFkek!@+l`l<_F@$qNSWd?M)O@TSmz~L%L{G!BQl84qtUegC4N%lvEI%$TX_sy1 z>qAx{N&~Unul$ev8t}7DnEkgVgPx(};%^K`0j76=|30k31Asj&0kS~~zkX8?qf+EC z_5yYW<3O?B5lMeZlJ$H!{ritGoeiLxr4Hc9^^+A0C`tB;)#}g;kvrt`k$Bjy(as&X z|J=!E*5|6Nd(7VfjG)Z=aC$w{Mf50*m7e-sYN_6($=dGext;U$@~v*%=~%8f#&0=x zTW&jTRF)G*+V%lP?vuu%ZudoFtD((de>JmS=g z2VZW9_O`j)7HF9}7}K|L-m+2u0Is;d=LkPV%P>mQ)MPhabQT?Naf>DQxk}iy952cn zbo4xKd@XL57PSbxr6nHqJAC3t=e&Om^9jdchQW0K0&Sj>T2ZER-qYZY3Zj 
zpu-!@<9Nx_>tU%Gm+)q7`lX2hGxRfCSDeeK2tf)7^aNAF%~R8I`+X06K%h41rOr3fPk>lrj7JI zuX`p~dJ&TXuRiAEYj6oBZqh93L;pJ6wYR&|AG5fIy*oSWKA@U%Fta`0>gQWBFK&j{ z*03gWnuZIejrE;--cKB#vmTdL_knORll)J|*FEoVMpaPqSMK{=Q5ENeHZ9xC?|gE7 zOT>(TzssZYd|dA_D{AXqK{Z~Z-SXLg50DB8DFOj2AP^HsNPrInLuvZovWp0Ei2P~g zHD!M{m;(Akk}*W4mg?i6?+iqO`<}B3s=A%r7r+;>zXrzt?oatX{sT+(}NMEmGs9?LQ$d4$crbRr)J^VZr z2FCgtT855mQ3KIR9V-pvqnLEV7SBmHEV-8OC)V}-t`-FYhJC_X^EgU3D)K9~ z9l`$nc#Mv&zpay^iG6ja!bVF`NEq#j^7d%Q@MQgwCyl5I2>gaW!(JWin()NNAo`6+TWJjzBH>U9Dc^++3YBAWuT70Vq=db0aF?0#&uyTB zmMg+VE(_xke3b$diKIzb&ALv7%5fAAGF9E zG>V$R*UwRk_;(`yB>%`(@y-M#z9srW>r9`PV3Tn%IE1b_OJa|Uyav*~Yt32zAkVRf zL=YDwJrA!kd^l*)4yUYg2~>=uogZp{KKn%QTx{CE+O;;FePR(<4W}w(CFLvG>WBu;6cG z)AZ!=NN^|%me!^HS(My5+7NuGZ(px$oR=u8*z@*nf%t)m*J$`e*NjXJN9QK>H{;sr zRV+AcJ}7#T0V(9Lm!eIJbeemY=zEZPZ2rPu6+dL66cVF|$`fOaCf*LK=eJijw%ngZ z7r||1q$6Be$p;O@*P_4T62yhd@QS;L1mU2{R7qWOInOfi&@8HnRfa7{86xMnQm775 zsp670n5oku4`9=>wGqc)_3P>%zfxk_i6YI>h>1(U;VhHAhOTQVUSUCL3>w$>FY=F| z8^YvdkGsF{g&q`?bIQ~d7pKqDW&+L%w>WIG!7IVLJ7JNi80D{)m?PYy41wdy7=@XJ zN;5DfrRWi<(y9m*+0tnXsf8Q0i1JWsSLnmhVZ-lZk)_Dh&8*diCqB16=YWbce`T6d{T zhXpv0Xxd2!zJqjCs#nur8d=zmcRV$zlb+#|F(<{jq@Uq9gtYewVfFZi~G(ffUfV%6fJ` z%5l%W#hc7@kC}d*aNky1Adhcj3AtYqp((mUrF=j`=PHxM+0TtRtm|X@l$oFYPjUWm z11J90De{KI?G1dE{dfF%jN@G~)p8~9^LrjOi)cUcE%^rwkP#^C^$ra1=0HXz>qUQM zf1kFH-}KtTp~Y*O+Yt5Ch`H#vWnAcgk2zXeyLf9-(|j#2$$FLpvhHnjRqj6P3Uqwv zy$+?}()|KuK~-!p*^My1^yPJU=kgxvM0I!V)u^}LEke4cHy!cF+q@J&KD8eDUtC_$ zi!VpJ|7qD&mZxi2q#p4moO)UOQLy2`NREZ?XuS6rVdrx(W~SbLEi2RW7NqLqbIW(U zkhA(=0*Z5qAJ0HyVCTPQoEE6Pb9lH`@22-KdMXk4P(1cyX?q+UqW>Yl?+R?H>vhm*>_H<20RrgQwe8>*Nw)jY}*E1ZVXN*i@I6c5c@5 z*6IYo53?GQF3xk9^#wa0>m&U0XAXY8>yPwhWluT}^XZiBZ-nmdLkY(@jz^VHBk9+G zo8f&uJ`ek8D7#FL0kI12%1tKHw%H><>u%uUwZP+V*3TQnW8Qer$BT`a{cBKcy65dW zEx%Sk=*a>=TtSx zo`ZVa@?~SGb~BRffiC(;@a3!%$|R9c9S7wM8|RCi4Y6NeFQ;Uru0gH||{RtCTsYeY;ndLG*rUrhp7M14c!C2-f{2$XZP6d+htTk(hgBGLw z*H%zOCRVzJfa`5lXwJgcWdv^{^sdebK zi7aQH3D}fkppU0+#0tLRH+W_~I)_-r) 
zd-R-N`sMZo>85+Sm1CJ@5(eAVMl(7a<;h8^vA*&CX@N9HtaDN5MXZfGuS%0nh2PGT zB;;ARbT}7go@icQMXbe4rcDTGI72(I);lStHqGcnKP+=_mK#s+8P6(~af-N69)&JL zhF%vNr`Q9-IY)|K`sz1{)-^REERn#el{%V8>0QnkE?hRY;GtHwVdj{f zdDk$R=!a>{FTSut%#-*hCuSab<|bGX*Ol8G?&_$^w;>>2h}Z_kYVTAf;QEoOZP~&F zPK`ZBK@7u0un02l3zI%SM?YH%1_VPn5eoczZ{;S*;X~!eRjQY)b`sT2qM=BJp)dLA z3zAhWxOFi&YjwlN1h)@7NA)~|s6*5GdhT)-z5+)r)uKOGUfe;N z8$N>iUY3$3-&ZaWBmOM>`2pYOAQAs`a8^ptXIy|8;B2wrT-$0yBnfsZ zHDD9)Pg|k}U6P&9!XZ<{v_c~&bEk;|ejXutVcgI?HjtKm4*R>QZVWY;+P(9*JpNvJGYRhyThIPw(s0QodKjzrrxIAHhsWdf|_t?Huu`wx89glMr z&z&ana^$e$(#QM$!%>k9BUYuAfh!{#K|!8w)+`H8IS>hvecx!!2~7xwQc#nf3eZ_Q zC}S!^oGaFB2>AjYp`xDs(p$;!2sI3VrflSl5}nsz``_}=!$K4&m@EP6E1m{*hrM)y z=rr!%em*4a#3cxT@2mRWI;loUo~%> zB2_x>F~;a#M&3_*S>nG|Leb*!arQh;<}_b#*&!WG?m^rQy*Hf`2-sC+p^fv;wqAsL zW770Hom0kmU6fd5ZW-n9&0Kaiox`qT#dLfG5b8H>dTt)7yW6E4M`sbV0^hMuKNLZ6BFt&+K=Kl;{v?ToBKzMtw*~lcJC3+298rddgq2K z9o0vD9txy=+V`vu&c&x=)%*wf)GKu!+JES}|9iw$9Sg~3t^ozC-e09>dek~sYtSD$LmG`p69th_t-W=B(Mbb(k+_?<47#@}pvWeMj%%c^NpPE0 zG>;j~-oo3v^yC}Y-RaY~54_IbzH@6~| z$Bqn$4+?`ahX+;w1*EG%=yOSBpCuekZBD(6*8;a7bdX=fsT5s%nxvxU#k;_s;fp-C zGEuOoK|EW;p_kE4p^#uW`rzOW-k`IMO1Zd)O6D4XBwDITqr&PNo4ik6{LERuKE!=$$Za9QL|@KqOmQow92jGAa}9n@g2uIWB3LLM5}o zNZ8@6;4r<=I2o!5h7FRhRyu<>J4iA?31w0aI*(3S>c{g33opCWFGAHMx`L88OIX6B zHR>MH8CP<<8Ipf}Mje?_fl&JAW4?ML?2yKLSVXHLMo>AW)cis?Efo2z*$?Dl#K}Gz+3Gm z%_Dc=Wxn?&vCT;Xha@Tg$ZW#y$PHNe68g`P^JYVV(iqXcW=DiJAZTL-=tj+PyP5__ z1(l%l;4ETX=ohYlOpZghRY97Whew1!G{$HUy1{TntrrCfqz@Z9^e4D_)IZ<-^UotP z7;%iMq^rV<+K@hIt>htd{ogA(%1z}#$cqNmYV)|t=NM`XOJL3MreR8G*3bqlI872o zEY^AEUDvAXLaf;Jx`csz1)Ptt`D%Vr`*}5iujp%)D*3RJLG(l;W47J2v6>AL2?{NG z=o+yyKd|XEapF~0Cxs5-i$!uXu$$tD1K8pl=PgMmxvNz0iUS}Z{Dzw}#!$qh3VHg8 z(1_L+9_&iO(+o3d_B#c4tdwRKLFj&U-}qT~<1%AFu=% zC@H@GQrfBQPfA?nVn(Fy9pLodLO_8BB2$y#c{D4$wN<>NOt5aX_Vi7#;Sd)hly-qw zLx~G+b`}LGLg9S2x-hM6u0!o2MnvnsIl*$HqDY7_e|OnoXH%A4E9c}=`3u-d^^7WK zTTAyeCYDu^HU%4hktkT4!6S+ORKH?pUPLN%!Riv)#FYWM9t)NxMApy?l;LsFP5Bgx z+8MiZ{2F!9aOY*r*gWJxBNl`PIV|D~3b+RvF3Y{VG{bMI;Re*qg1N}XnMW$nk>n)f 
z>RE-=tQM;h;-^Eg=LqLIO;JaiWrP(n0Ys1rWgH8O4b@StTt!m7;V|hN8kKI1wX${0 za1C)4OaZRx_=Bq7Y29YQaZ@O?=Avo-rV)VsZ4i~6~`#W9{OKn zK(4Feh+gMU?lm^-$6FB|8M?QUwgUo!gxya2iUafV?1-=9w#U{x(*TPYeZs%4_K%q+ z{2xHzxV{%~sO>DqZG!h<*YaQH!|S+8+Bt{!+apZ3+7}PzN>M<%vldmW?N3*q>~v1! zT=0*M7N9G%=YCezmb6)x3y066`{|KlM-1ZjbMAmE*X859sq%(=&oeMQAgi|mF#c5i zx-Tug>1k`)VPEui6>o>|{Ni(7FMeyDL)%rb^xEij!n3*3#@6(v19x6@0Vb1M;@zL#Z&RzA3z*~hTx-{!$2}1O0KhPp zNx_biP19nF`t#XWmey|abQFQyHttrP0XZ*e^`!T4q>F3&{l2J^dRzWe$Tk6&8IMEB zd`q|C=CQu}b@?OG7^T}PV0r)Xy%vj6>$CTMTkBDNWKG@uiv*A+v1Mk2**UbUTMnaVouC#Zt;+fB!-$hk?!iBd+YZOm=a6P-#7`D??+b36%#&5}#KtD2S0;b0mO{uPiD9 zTfY>WH|X3GYY9WnyJKlCu<96LV`qNvxSG7qu%#ea2DWR$JyG{snaSjd4)M@xEV?U( z7c85eK3{KX(@v4c6qm0Z2Cgs3aSr)?a0Wir@+~}nJUg2%F?e80;d;p(-w)jCclfIw zhSlOlx+>k6&hk{0tfY03d%IrYog@1up;K}ES+pkWJQbx7Jm*L4dD6YPxC(?|sj{%r z5DqM7S-`5@~Fhg6|U)m4e94U zx|roDitC}cvC}k?%2inP-99=0J&}8_0lLS54Zp@G0dMjK4sW0vF(&q-z~M6z1^Yka z0sg#3Sjx6bO%3iG^EJ}mBNj_!9e4>{;ELvm8a_%6X(RA|HBd#gc4pOz(fo8UM?&Iq z;1pVN=6SdA?bF~bmskT?(TB>SbuGgcE0kmMd%ZxRCn?j4aaY=NYh#Gj7iZ-8EuS; z3L2=Ad74w%(TX3ul`jF@=Bdn-=Z5O%#PutrJHh>9FTNaPe8S+b;9I!AwJHoxN0V{# zWMqSpsaZ~K%T8}YS4Q3umy0@slWkkp7z(4XMVEF|*d9#_7l@dAi;1G~p*jy|ph;tH z+C#NxYuBr!rLcwWjbNQO{7fh|2#o*Hot=_0&VG|*&lRBqk7o8&td$v`Fvu1uA4mot z4eQ*kg)?7>ki$iEB#ugy7+3p|8%x*tmpx!knbsJS)^9+rnIFzqt&5}D*B^USk;=99 zb_Vl7uu-!6EcAD35UNb3w5&7zSXj3DX@+pJ*u6|JGDeVPbdM5kv&C6jarS=-2>;7C zZvXa%1nob64A>U&ngVcWoEMOC=tF#AH(^Pj_K<;J*0C*VJkYaIcH?801`mP@@M4_^i3UX8LRT z_p#wTMy>T$@$Qv1aE&J=po6^nZM6bMr?HQV@`Bq87?2_L#mtx{1#B_)Y(O#!eEfC@ zm|yx@0or{t+i3Q10x5r9XSrg8Z+kA4yXm^VP+x-mMPnACi##w^>rd7 zP}bQ02>GzB+Pl!KvCrtbHGZ8+a5G7M)A|hAqWkL=*U9AJ6fmhqb?s@hOEt6cP`eFy zTLB-|N4UkMxcYU-^!9{ZR3dY|m1MbDV!8s5%lsbDq4RX|aiuuS|3|ll;`QlTpZm7i zX6ePdb+UsM<87x%{g+{k^2H-Z``hZ!l%UboQ-kZ8$>zI&jL*jchS{~-Bd=}5{L)6D z*Y}1EHEGX9++}|A=H{bt&f_NyyO)#(TW?TxQGZE}wrLCo;_5)xUM?i;M<8KO?VV~) zCD(q}{P@)7`RqMG^Y}9PS6bu?#`1Jp(`T|>PxDlE4nYzgoqDS7=D|k;$JXvan}Dw8 ztloi(It6C+U4U$I&+|_IGk@z}xw8Xhf|16f%!dPiPqmfZx>p&Awv<38vx}u*V+Q 
zT86|(-QBU8sDR2hsgd21(U0lZUY_k+Re(TA=2IKRMh2G2i3A6ZV7szZ@sYv%IzAO4}> z7i-}ajiqD0@o8JIVp}RONi%P#3|Awndu-;ZGe3T>4L@2itqDIMqyN+9i}?phtX-Kk zxJaw3Zr}%L)0&^QuKWm(F1(dnhPTqtTyRWe@SyJn*kN@hY!YTc8myX~)ujeGbV4a- zGK`Up<E?O59q71;rJ8~`QZdxnHgi)Hrf9B;vX=VwiTgF)xj6aL7#~-`!eHd$^ zn3d8tWk^Zbx9kURuxVAeM^~&q`lk}|2qENZ=`S8nws5BH$VNTqOT(RDI?7mBh*GwU zgEy_pjVL(`1iO@kiw{GKT`rmrRBncDlj}?9sDgt~Z0q|uynx66HlPF9obF1_QyYaU zV^n8$%-ayLlBX~TZBpTvGG@zM343PtnTZpoF#BdfY+fdoMjl~I;QMXvUvM-7Vu|Yz zpZ;+j2aRB{%wmTclu|}gqSPO>aV85CqfTbqbE$T;wuImm%zX_DNMvZa!i82&L;SzS zq_X%blHSH%laJfZI3?x(8bKeMfSIpfG`c0nd!(=C6)4aK7x8@h+t2n?&>&rF=`5kP%ja=*^Z;Y z4Vio4!Rf^UG~8jKHNT>0xcjQPOw@$DIxL!z>?*@)*>8tLlwj2OOU{v%2N*$iS8)x< z3UdaXYeVw9C^0lO+#^)IP_;S|Y^%Xa5@rR_3dzGT9tZkzwot`+#H8Yda=_E~(b8+y zmBJ5MhArDMYFIfSt z!D z5&FRl3G0MdRF6|*IJ4HyH1uy61*i+9SG$T3G-0a5IAPpM_hh<9++|XtB8{ypiQokx zf}uYb^Y8>t$k)it=PnlJEw&8qDVUqr5_riB7&b4&sbhnFh)qf@dr0XL7)Yfl57YZv z4zgSy;XoC{M#6_w!P`r~&E|;=4Q8*(I(uC9!b%PJEa9od*9NC(;pd&Ws}aS~E8l~4 zXGzhdL$=gImUBtW*rO-?IP3+l^3bTcIo0bXc!jE3rUw*t+x)+N@Ru{Zz3Ph$p-u8> z*8W8bM$LI9G;Ab%zkElE^riZqK=fqt0rPGK^6Ml2+PXr2O*71Ay8Rl(cCvE-a-r`T z;b0g$CM~tAM)aBA=NHWg2lTw&G%pl!d+txT1$ZX^g5rk-*3LHXUp_pZLH0`@sx_O> zGVWiSq-`&4tRw5FDcugY)L3{MojV?T!{cet~Z1lesO~AMX01`^M(X{oJ0Wrfc5D*3E?+GSwgC3C{?FKwd2Y z$NUd_?%KNDjxuz;b{D_xYStOIW^bwwvVC5LTH3Ovv7*int>^)-nOI0#yKQa)+^rCF zpWlS9AhK0oHv>GgT!8Y~4xjkZe@|<$fKYlw`aVgtn|D)w3r}wo2^`%vTM3-UW9!jK zKK&X;F1vcSdEy>(8%Esv6`%|I6{9Pkb)6Y5lfT1=JF9lp4g=B|0*(vy6@-2?Jp65E zD2&a7?pz&1cGG%q1NR__iAv10Ect^R1GQh5-Sqr_PpdP`$o1DgUNExHKhMH1ZQXB9 zw;z(Z9M;8Y-zV2iERig*JKayfL%pu+jdjTv))!_ zYNgK0UF;3#hg<#QdMke$`U1{gvDiZ8W7u-^!@Yr-?CRS$SXR6aTWWx#7`>~bg5?G1 z$3T~R$ctG{yZW=dPtL>p7Oud~E^|A#b31_PJ(7Ui6-9?_?Z<48r%&R#*?UBbCvBbj zNAIQ`zf#sNzB`2H#k84i8%eHLE9>3dZjAMMa?2%t*Cv#kAMK|}$GLJv_uZ8zU>qd< z=d4Q7n3 z5tjmMdoS{8%C{V0@{S8+>nCy^#IabG*d^pq;>yCNnFMLL>U%;ABrL^J3TYx#@qyR5 z@$6JF3jEt6#5)VqBLp1wIakTJY~SI%M_AZ7XK|dAJ?q5=PmF?mdReJyP(_!_(+6AO z!ve%M!t-0J%K7!ue|fp(vqci@m+=xA*lS)yp6xrhRGKGX4iAb9m$Rd*t2qeYSyPh+ 
z)eF7<`c-P)s>6ve^Jk%+1WPBII#zJt_Rv2YE@RTi{dWKtL11tte2j{|@tXm4_>7d1 z#@yM)ifIt<5*n>gvwAHBa{x4g`AbItRLOmhHfv4!UIRZuE7LZ4&!ruAjYx0c(n8&dt$`K*P zVbJIsw8juU=;0da@@6?I{nXx9U`Slt&eE14|e)gxE!tYO6#Xmz%i2iWw#0#8RG4vG7SYzd?lwp6>+i^)b z&d%M^fP+)9DYddcbLFaoL}l2H>ep@1!zx-(2tQ4D(&(M}7e11QJ8ovw!Rn`LC8i6+P?8WSto3SY6_SB8zmwqUNW3TK4p>*b%3scO+6e z>ykee>TfeeOf5>@SI`3cLQg+P%4E`=z4UqqE+Z&RmLoslW0 z!NiM0>rPl55Y0#`uRtS;Tx8nC~adQYxWFkdc=r_ z?=D7*XSh|+In+w^>Wz6}RAdz2b0*g5H1LZp+NUVle0TG|DT76_3r7&+xs>#={GlGj-WF&WdP-QI8&iQ2w* z>owYG97U42{j-SgL&Ul}7fPKq*pU1b(i^?vg;cJr(mru*_k2~(;(h519v%iQNu0yOJ zVKBziK%ft)Z>FuG)B+^bTQ^xpLaJTD!zPxOkA)-`a00xoUded`-R7H-EU~T;}yyqE0!I(?42X zr{mq;ey!Z+&~i(_eg3$q8wV(~*{-J@WUZ4_O!i!^7$x%=Rd?Qv8D4&k?_U zgVGN$I|pyr7^B5+vfu5D5!n3KbzLP}y0&&*i z@6W(v&RXfy4S9$0^U7_)oTIj_$4JFc}l+Xb{! zch7zn=Vs$jgS4t=6M}91gT7Xl5$a*muX}>CphbOw!#&6xLS!`1zIz5Dteege7^fB~53kXdUNzYQ}r zbwJEtjVkUmIhEYZn1!vvRdazOig`)XRx4*HQ?VYoC%cFQbsG3Vu{m>y!6qCgd#lpg z-i8Bpe0i25%6QWnsjQ?DLVk`_90BqYHF4VYkb{5OprRzIe>wLRJF6tca^oYjCc9=A zdY`7qIdkELxK|t8Yh9%21;h|d0soFhx;%woj$KMS8G>ap(JG|WiA$1@RKu!kuhYx| zhh}bOY4F=?=#ftSca&yAlq8*yN8jYMiwXz!u(9-j-#%t6W0<_Ei2p@$jJf}nCe{F(WgmVTJwoR%!_wYqg zE7tNMH+AGsTX(8hLpc$09$$H_nwI>}-+hOah_J&H(*z#Oo3bq1KM2vC znQN%!|HjOavViTc{Z^BS#Pjhj=9g+coG2s;G2+jrvaq?D_9!pcUk1%p#vW$){rLvocW1JAiKGqj@fj!pr6q#~ z8UsKBo(c8xbaF-`{RX?P@AdE5ZUBg6>o5Omemhohr%GWe4r4m1bws+CabqhI&k9)- zMTS_b;RlpeFP*H28N?c7P#2^^2o}n_jfJv}z$A#3FIdEUqfw_-Dl=~4Aj%jlCBz}8 zFdo*?bny0|A&fH0Ag1vsI;Od6MQlv!%%N@gjFnY!q)Qg&#Zv+afFn#p&(H56CTPWiQOpqghLhLI=6Tw&FA; zir|!CuSFpdt`K44Ic#UES3L$13SV$5uQ;*zvNBHNgwh29UlaL|$!@-%GCVVlkh1?N z!_UA0Kq&bfAoldW$ByJnYz2zt*G|@-3BLu@qQn12z9at#(Lnu#$-x0F!1x0uflePW zBT+f=n67dir(}R9QQRoKkB2P%&Pc^^mnpBKVqCk`nyKW+kK<$j&E^Z=e#SeH7?Dh8G^yFl0cx>{?X z#eezB)m%uehHd8&K(X=tUKcHr*k zL=?lybLW!$)vjGm*C5z%bQ)k)XirPN>b6%D(C#%|ao^MNaI zzS_to^xkM*Pd>_Sd2rfb4=Hw4C0um`N_AAd%`ZLywLZ;OFKB+W_q0CW#nikQJGqCf zPuu6{+th4BWfc0PMkIgjoe6+^8vES~p6_bNFRx~+mPDUZdH};l>Q@WvxEr0d&)7ZW z$6M_o>8(@*w9n!U;XLeHt7en_;YV1oe)Ee-sa< 
z4TxQ5%Vu`j-kw*8Fk3ClTS+md?c&Ic1a)0cqfaH*PIT=jQTysmU+1|U0w00=`E7m5 z>liUHC-i!)pXu1A?9h`jJuq1$+pc&w_btz#kB>FBw?6M5MHTy14E&ZUds?gvABU02 zHlP~_7=8Oa%?*Q?Y8FB?Q$F7F7pzH2KU)WB^MaxjpX)xW7S5gb+@3c^AC~vwDJ0u; zVqoFTmKxS3@W0lY-jRa6fWYZSkQeD!m~l+djlxG(2M8^K843#>ftqG0r3a+^kq;DL zc;CDyM8U*BK-aajEZy6Ci)r}v47dxla#6{eh7vo$%FBh`@u}}EouR5E&#yGaiXu}B z4}B_4tiu<>OZp*~QSJPTYLiCXBH*$_HNr?Zv;g;2rezu3FBq&|3sVJ|-k(Y8AmlgI zOIY%0@=uX!M|QExd&dgCV$?8#xg3>3WII#G;F@3F!^e5ZRB;9HtRug4s^&(2A*jLS zH?Lj|x}dPIh!&@ZU+RrpFYSiUhU-vqjAomfo=P$F?uG5Cg3Dtw75U))hHQpEUG!hJ zZeea#OCk|SBZOj?spV#GUZN4PM2M8$be27kovwSMi4z^#=g;l_X z2Xo3(g9#tj4d!XmV&@k_Os|dEBHBRhl7tpw1w8CQE&BP)9cL1rGnG5h>U6gKb_J$)WqpIX;?*%0g*vnKSS<7a%s)n@iM1D! zlja@pHfm!c2QTqv4`Z4PYOhmF7J{V3$Rug7>)6VqRB5KP!g*5g;;pMTjo?&F0{aDW z%kdq0O{a*TECvf3YT*R6e^HO2woXg9+MqC9deX$C;EAD5VKqa7$&4CAaFA6s{9GJ0 zB%TtD;RiO$_#ETm(lFQQVQ}D3 zw6joQYvkoBw3WltnmQ;*^^ujeR_P?OdFb+IA9QJjS)=1>%t^eUQDaF_(12~V_OG|< z8;o`L{wWfXj&FBG{Gb6QykATJ@PNwUHi`bo+SNuPdlljOL&zu>>)Twv zhdC%PAP#n$ulgJq%gBnIjU8u@IPVLo31B%MJ}oN|~nW_9R0Kx@aO~ z(ePj$E2ThXV_!wJ(lCkqi37@H)$#t~xvIze)CDnIw6u~2G&ywE&GPbKsmP)9gI7No zieiFdSey|JDF_!-O4J*w7#`56K=#NXFbFjB#Z!{!l68tW6|iS5QD~kI{4E=_h9eUU zO(G8_YZGFs2H#Y+YUa2YHY%#D&--Yo|KJ)yBR3fYKPWsXH%eVkCf)*;NBW}}2Yxg2 z_X%;)dg0Wqk19?J>R*1!#4|sRq?Zj9EYdZos^Yh#DPR0=f!m@(D%^dLt-n;@x(w*! z=k(bBIcZMrarGTo@^$8SII~719g3lm)|Dp>oRjAftkBO?$#%7wAD)kvgV}TQ{K=C8 zve>z1eZ(ZvpWNJ*3<*CwAQ;@$xf51ckmO4Nz}wme*sO4-!fpcGu6(nfCh3s9pbB_7RpV6dEB z&0>4i0VlG!&-{PO3BXYByAZ?wvjR29`i%W`(v#r7iw=RpB;^AOA_hf(dZm3qg~$;7 zL@ZD~o1Xy0_Q}rMq(esi{b1GYcl&{Xt{00C{n~qO$dBtu&D2b%h4ST&{atEtL3-E6QF1`mp>D(A+A#37;PnS^ zqa%L9Tg?gBfK`+&@QigXNsCnG;@V+$I@XD?Ve`a$pS{|`eEjk8f2cag;L5^nU3b*! z*mlRZZQHi(jyvwyw(X8>+qRu_vZ9rBvv=J(=iWb~X4U*RYu5LEL(h9J*!%D{n`Y>| zD{paQeATdP-$}>>O7g+Vxx14L&vw~zp|l-Li!*fdLCOV|m0``Lb=wpDBYEB@QIveI zeJwkQM6zq(Z(F6;{Je>KWbAx*yLr^^x2xAqF}cBDDN^8Gm9eEiP{RLuSS1Kw`? 
zAocq;u$w@D@0H`a(eT{#GWzkWN?f%2cACTXSd`He(6f~k(EeCH`K*1?J&%?nzI=Jp z&D1;23i!NuDY;tjbf~h$t9!Vsmh~`rnaV{XPZgNNVDLNM+m3sIa-Cz9w14Z*L*jme zdTPG3sO}o+VLeT5M51i*b)I~MyS`(*_Iw@KC%VQqY&}Ig-D;Q%cno^{35m7z*g9BJj8iofYu8 zfVlnUs(GZ*eS5*q;QiuTSpNa|w5#I=otK>RN4#Bpsr5}+|r!E;?}f=g!Ev!zzuGkn|q4 z|2H2sZXEdVb$?N$jsE%=JcW6>G^d)geWP}Rb59X0TAC8ISu2`UhxnwBgn!ZXu*G3> zmUWSxN+gCvL$7V*`PK-m<9)Z*nd_|^@BdcDZB>)7L~GHM-+-w@5x zB&$Vf?J8+lb-12%O7tqK$%ZB9Gs}NnJv~qvGBBU(=_xc;FEP8gbQ+ecqi+$dKnpcz ze3^)C5m)2Ql1Z~20&{u(FL)p5s0{I11}qjDtXfXO=CVOdVj^_SveNS#i=I)qqg zq$kg)VxYdr=-P}%n<4p^eAPw5pq0~4rqUL1IkA(wsf{TGiotXD+!a!#~B@svxRqHyBoI09>C&a`Kl z0dJWrHw1Rf&pZ-c?XeZK*z8sN67jUZ0-DkKvisbH=1XtQbOSG@xppLBB$5ftxUE~5 zkuX5`s;~JHMK{vmL4x+xGxR7uk0lm-c=(BwkUIDvT)pckJ3Njjw+#wf$Tb?KuD;EP zdW4g;XUHE@ESjrgjvYSFC<(OzMWF4>is%LT7xC4H&uS z2^L$WQD91UGVbC*hjV6~PYxVM`Tc7y(hw}+CBkJ%_`m%prK#C-V<0Gum0oiN@Q=s8 zGv~XfqW$a}J9B}hzu-z(MQxD&A-YP;Yj_NrV9l6Sxhj8Dq;Ap2=U6^B9q4_ZJ^J5z za}`LDG-VmqEd#GfNJ%jqOx2i`K&40R zN4gzh)$(_n+$)7>LgJ&z2w|M6@`{e~BpQ{#5QY&F!WAkggW?g5Mq_C0dAy$@NmGag zV-*qJWc}kz)F~G|Fp!NQOETkNL@uP|6-V{S+-I7_c4}kg6qZ@z((@{Reqd5c%#o40 z@1^<~TuTS7B)_0ofI%^j4tysX5!DY0OEFtho8st?wUUy?KtUS!X;)D6EGfu*5S97| z2}?MfM3*Tq=cigu4Tckd8rM-_v4kKxHJU`G%c0|ud;R<)r9sA68mwu%csGR%0*QrR zR{~atol&(SRE_1u@n{lZ^X(a0$zDmsh-ae;sQsa$x_0ek6t&to0SW8su-W} zaWVsK3kKdorH#4OA8T*qbBAtq)sn#I7c-#+f9-6N5dq ztO|LVNjyQ)#X|*$tZ#`7*Ww$(X(UiZQmLRMZ+D@|GtIX+#ri+tv6q(k2;}+s>Ij5> z?*iq|{rgWfx{q6S7W#CmZSVH8iNDe0I2Ky)RM0Y@$QQh<9$mT+GKhq#i=7Q_>jiW- z&SQA><f1*NTa34Z{EpM@3qTNwftX*6?>?Asl|)<8RHEYn1@-gZ@k9GBU7 z@C<_cFBv(ahW5j^x5+0v=tSD~w!V4K7y!EWXZ6v#eqaA%y$#thCP5ZK0u%YN7yL5A zz72B{ZZv0wnMrxeys7DDrPTD=Uvo<_>#aGrq zxk+h(oP4)W5NV&+wv0q9u2BfxUjy5=Rka^;$hD;bb$ld_^1cmuPZxAQ-CYh6xIHn) zpZRIGSGBK_AZFTQbXeAGJOZ8sTW^yCdWJL80+?(ERd3dCcbe|Z?;9!W0^U>54iGpx z@BSn=-hR1RR0*{6W}GtcJ-)RH*!OshVUAw)j{o{~!CPg22ejX$!rQze08VY7Zel? 
z+>)Qpthc~c4U2N$((a{+{O%@nxUC1ey58vDYy4!@z4oKq-?g#w3ch?)CbQ~*GjX8a z5fCWg^%V5Q_yBc)gkIb}KqM<5+V-3&ALqCHmjKGvq>$>x3(ltiQ>?KgkDV~RglTf| zW(@i5urkz+4x!c_nX_caJ0iP_ABj9wE@x^3xDf$4C;Ta01D{=S+(vPUGXY+u;~@8>2}z8(y%J)|kzb8k?)=)aV9UjH9Ahx*j_~NlEj>Smy!&52y@G9Ynlcy@CsJX?O5$>L@@xfzF`^ZrNN@g$p)jeda;c0Sft6#A^%M6lEs)mv@%9p3`zD0h zq-v&I{b#jiCy}OWPmTVO5}8cJLP3I7E3DH!F`P%}eSu1Am$;?{e>7~3S;vi0t%FL8 zIcX59uKT3lGrpx!{t-Y|uENejo1=1$l&dWIDQk94*Eh`@U>5m2s!EwG0|XAA2FM$5 z>y)f{WhH^Smixp4Hf_@1crc`R*T3`F95q|?rj&OM6Jx=PA)Vi~N3UFS+%=-ekujOj zT4>g*lEGrgHl$fUU%Bw65&VPurq+mBuv{hYa?QLgtSyFBuBMvd{ke?Yzpg+?{nVzy zQb?;J`rC%vJF)bsEi=8i+fAeHDE!-epRX9+`+350YjAn&>EiZ%F@#qMG9JZ-0IlNB z+8Bz&VGFF8(s0r5)Jw@a2}@*Dxa6!tGzX}DQ3~}qmCKe?(kwFC7>`GUdJTzIXGt*3 zGw_w7ErQe+UPy@#m^=(eI2$l8W_4EIs3BZwVCI=CRh{!oFEN@;vxbYoOz6wGWe}u$ zLopzPDa48eq@R%KubjcR!-Tq0t|l3vLu62hvX<)wQ|ZC-)FN}C{L|J21FnH1A8B_o zVrNT5-rl!&b?+g$AJfl+4DmkUk3JQz6aMwDFio|XN5KsH>X#X0$jQiK$Yi7c;2QO3 zcnHPR8=d+QI-Y*xnai0g*`Q|xs*KB_?*MWhl){X9bbr(+5B$c%|EAGpW0d4Su(~il zXP416rz&43quxPkt~C1uffAEtRm~nMq3KSmile?$`BRN`ef!wgp zJt4Y)wpfpmm0IE-g#)wUL=_%^d`d80x;(V(^ve^EB{M-J-J6{(GSgGUFPh59;+;%;s4ULGhH$ zE~Sa%k=jL&`7*eQ!H2MF{}N#8(CyV*Nop4UT?nTfxX_GOghtpNIgfE_TV1%tOUv4| zsx>1%Dq*dD8z%suy)sX<4=_z|>5PWiiZha=>bUV9&*l8RF{Z+nlm<&nI#%OH?g*ja zc;Gf!A`C=;DxYr~V3mCbuc8r@y9xL|>A8X3+kp44p% zwv_Z6!AO&Amsxtv7cG+v_ap95msdzPy3e>4yaA)LJ3C&3+tHGkey<04jBn5F$IWZn z;Q?L>ufw58{;ww!r;If|0~m^i?&*FPu(LgnA8CU_6=gn}NQb5Z-7W6V7(*v;pz|Dc zPW{%lSp>)4nCh;%x*Oi(XYDwASGFEBzr$R`tMo&7<>n)Ob*0?UziJ=ScW^Ng&mfN3I6h8))ooT#lfU_(5A&Ip@>Kox^XPB>}tFzovPMgwqj) zV+VK;!YxY#co_jWEbaPSzH{dI^=;D{dQD7i-gb&;SFjuh8DR3f;ePC?Gq z-pdb70q*;Q!P*}CN#3Q+JZ;k&+pkaCHNb7_268zwQ_`{oxaM@H^6WJnd-OYWm%36q zEt_mDrsYn8K8Mge_3P@7{AP8s`2HTzDvs-(W>twto~{;T zZ`K+GH;r32Yq@HASJ@TOHFe$6*jpbFwQegFElLCKNAmI*cZ1|(N04s*Rx^SK|7$Ap zLx3N2D){#^=PmCK8v5C&CWy3BUM!t6eefWc{AmtqB{KbDe2$<~G;(W2pSFHV zmYkG*N=5|<%#U$jt8I~o8r1x7YN+NdNtknk)(L9~73r9rM_g8+*QOdwCB>B|+r~jn 
ziol}|?YO--A}c|+mYP)+MOOreXrfkf4y5A<>6^8#&uXNooEQ2D9iy}a1nQ_skANnR-23i1q|zkFzBmyIB|a$odz4IMV2AtMHTF8i2w6oxlcscK&IEF`%7N7t zCVwY{<`Gq`N2PJdNfYus1S_?$-8cEREx9BMSX_zx5}#WBJCe!gq;@x|B^4kQFFxjk z!qWMneYI|NtL=8d=CSnjEU!tObaY^YgVk;WC@aOXJR5V>yf#=ZN|+>Tv7u7Jt&&*t zAzvD2%4d4q>0&zq-u0rBXl#Y-sFhTj2cdbn{ExJ5|JU?~1B}+wgBEy-a zK1`UN#28JJLsotEkDtRuf)*?szlb8)rWrqnc%O9iltcy3kB$tX=t%NVf>c`sPt?J) z;&FG$lcm8%uz3|GiU<1KTikSb3<>8ghcA22WYceQJcA19aAp2iKeZZ+rKQk}dBRr@ z0`(?Jc}47+(JMC_eYda64uzM*==3U2Wisp_DMK)YsB#ZVqW)N%IceNS)+(w;n$xOB z*BDPb0L;izuA#hY2c-AQ@tX#vkAw;ArJ6~+^lUVKSL%_d(_sCB#VkZfg3MliqEPfp zdm~!O(gc})q#@&#OCx6Gf*wt4K^b|I(}M6;J#W1+xZMR~83{|^4_d}X8WPEBW8q-g zHe&<7xEKn$_K~k^l^sUB1a&Ln-564&5>1;!!o?YH{-H|_NxTv-{Z_*>#Vh(DeN0vM z+e<59s5$$FG^QXz!k=^9V;Em>{;^inshNfdj<}|;2u#pq&5g!h;@gfRj7o=r2rouq zMG{zcl@e6;f{QxVRrE$OHRrm{Br9`iKShHO+fNyK=XIG_+%mb2pWu2_u{Ou~Hk^^M73 z&FF?!l5(+Eu*-9r6=do)$Y_Cn=z&&vR57axo7{NHeV+AQOL@0+%D;z- z+oC|dF7_e?8%G8OHpN$sei;V-M~RHd1+}*P&D%r%)(`I9pSrIu={7Ly@ced_=GvrP z%*hc{Ma=r|toCAy5^VoBfZ(vAOZT7_0_x9!y+kH{+W`if2M<`EkDtLLRIp{pd{6Wz zpyIuNhrBwhZ@|0HU~*>Eekpih5AgKmxK1y2H|*CT5 zOKyHx6u0L7a$2*icfZBn&8^ z!n?t*!R0|8BA=JJ!8CthGyQc9TCc(VUscVm_dz`W0!G)P)T;F~kjKeH1f_oqxzn~r zZzoLK#nDohgWSheMwVf>PnP(u*3n0}LB~zlEDu6J9VJ!=@I&+^(C_7Qwhq#Hqw3T` zf;MsHaus@A6Tk!Lv-dct%Tqr>0-nP_d!}Cbd0c}v33dX#W3{kAPt+yrm;6+W??#uf zBrTX;7AFgqdiA>r9~SN7BLTj^KgXv#0;l&|3A}Wk*Qd=XST}kv2`*KBedCl@?|UbV zjC@fYr>(1Ej6L{-Bt+-@PUWDvx>aBIaiIUh=5`#nW5e+0m;N?=28$Txfr1s^K}d~X za1vn^wyn=FNYDN!qF*#1xkx*l9KiE6@YL`*04>1xQ#Dt{F4S3hnq>Gj7gXf`ZstLg z=AJRmR8Mn=I|?H&4HGW3r`}JZ?)XACEiC3jqh6iizCdI)#Jso&K7*SaK_)mBvnkz^ zQ7&q=1y=QHV-n(AU1T{Sgme0CXZ*83qE!}dx_Cf{zC4}Q@=nDXA1l!~Le(eert>po zBHiA4jP$F{>G>U^W-OfKNAeHyL7SEQAW8edv=K=C5IoEYwxJH=izf>yL?J>mHnswl zTy+9vnp=XAV_)KS?ypgle=H zE1mq$j!-fhnoEtz&0(MR)8n!~%J;!IHY$e^MLOCu73B%!V(p%j@wugz-`J<7q3m{7 zp_hc9phy0wkDAg`R*;UXS{I$($KrsISJNg_79Bv=9h1~-L7qpFDZFT~raobcCDv1m zUw0Vf)7SU2A9k$YylzvJ^*N|B2)V!#I}hY6nKvslDvuKfw$h3tE*a?(b{^zMCQz&p z9O32g1wXST2T_ihOvE(@%MX{;YT1IMs*`YqUCD~V0Coy<7O|2ci 
zuahZQR4hn26({RTaV)F+;Dwhfi8|B?|6UzY6|VmsV|WXjT&X$f(qe1KGZUnmu4%&E z0+Rg`%9@>)`K7@rU)5FtP)6OC41ZYqzxCeRKrQe}SFS63vp|>Y8$ljgYstbxOU%Ld z@EKY<$2meMGnDgOFW0JE2R7P?iNzJv`!@)YOZI55qC4&|P{?aT)twv&XxO?z*IJX> zY?oN^T>qutWCTE8s|EZnMojdO`q&=CHn|%yh(5ymB0Rsf|JAOB7{l3`_bWnZPOZ1+qJkYNYLgbv(&d zFoIiYBU!;^(Tqis@blo860~L6D{I2$2QU3<=sbq!gfle?F)6`nqk;&uW~tUeiy(Sb zmT||gZ}>Gp$Cj#bvKdgSP#*A{_x)}bBJjkM5Sa-nDmp@ER7SyljZ@a9-D0t2$L@%G zsz6t#ffZw5&}Hb?v_jO(I75OeN{5o`;~xwFmH!0{k^%lvl7mKtE)646+p`d7Mec-- zfa>*XH$`0^S|merw%kv323OK%B@HTd%;TLU5Wi8N|7fEOLdz-z_l$Hjw37y&>(H9L zIIv=^uOxddQ^|u$8(c-+?Jr%bQBHXxQE70`Fzz;Ue!5)g9yxA1T}DXeurcpC%r9gl zHAd2l@g6;4a|8m6D+@+lrS7paEf zh6}q7^}gw3OZ*nljp66PmsUHc0e*j!t+V<+{Id-o%)0{2EaP4K4(?$2)qOrLLU{6c z#L4dZ+?@;<9`JhjET&O>Y*EhY`V9^X3UhX+Pz<&ja@|}*cq-i7^{YtMHI4HRP^ai> zSOSb#ql6}RzpTF!n+Kpd%YWPEynlx4yo{`r6`i#x&e3)o58qvs@%u*hoRQDwdDb;P zVzt&bJ{C&O9%Z`LeoSMgF+Pn;Izq+ec5X`6<#?I_mfu^rT)WeDw)cnEFYA1Eed3}m zPHP#)PW`-|DqC-!M%Xdcuy?f&rYZeBM(j8B|DCIHA^={mf^<20_F9`1ySw)VKOlV` zDQ7+M+D1BtH?nWKEu47`9;SBkreg_Rotv6HvMz7a#OKy#_uj7ULt# zSeLX{26B4uNxgKHtGB*yCj_y)FQFy>Hw9i>1&04FI|Ly$d?J9Dsbkra1Uue{wEj&M zpQ$r5m+m><3hsQt!7^HLVC1)Rd5*R|zBrr$AK~oI;)D|dYO4da{P9j;R&F*3)HZ#j zR!dnjX(JVwh}L8rL$tz;*~BAm%r?djs|5Y8WQH7>3Nof8$YDv_xoBg@9Pv%`@q`@O zD1Wn3xaJR|ad)N_w&eKvS^A0zmszzD@i^`wsh$@l!iSPzkRvW+gJC5%iE=|IyQ>%9L2j!)4l<-*R{$tRW0?J}>ia~iTJ`{#^!r1DuSr2nv3$s`aID)1B-7BH1xC^x6lDtt>fu`MU% zRPR=rEY5IgAohX~qkxVl=yyVd{PNT^Mj(qF5Xm(E;MnH4Kj8|EUvEQ@RqtC;y}msY z%wf<*x+bRGZ?_=fw|nl;SfH^rE;D4NbY{mVaZ3}G7o?{ptb=n3qqkOA9yddVN8b=C zApHKav`g0kheStL7;VLetv;r)#&9nG1MJm;c61>SNBIdxofAT!+#Qvgl;H&0tu+UF zVcbZ_T43{=a^Q${5Pm5fOy}HeGV9;<#PDle2Y?P$l{03I=*w?BISP*!wuncbP|Hd9 zK90?XEE(EFip%Lr9(T+`lIvEkyif?53ol{h@c2R-aFsdQ>&CjFD<+f4>D=S-5A1{A z6=-tw9MLxFniySB>YGXe`kHwD?)Ylo%>(OMN4RE|d^w;?DvemG+GvKL6f{Mw2IPpT z;-4uJ@OX&&qvmbg6pZkJ4 zzAuV_$RS*!uhnPZ!(D%x$Z*cCAQYLIzeNY-!X=Q>|&y{2+Fs!xrZ8dOwyTtU5&_T~Zf=Z=5U@q9m|S z9y0aq8YRL2PvVb4l+D4nG0_ENYW8%EFl>065(}*@PYcvRj#_{{4e5S5SFy!4W 
zH5^6pWD|p8)Ut3Ex#t63sHk7Jq;gXQd5XDQT8yw`vB|Nl!%~#*J;fdfDRqx-L1W4? z3ng&;Y}>yJW$>;w!Fdd8C6PzlxQTZ)@zf}T2fKuqHphj>(`fMRD=L#clXElsU3|?Z zpQQr3Jqx+N;*5Vk5vExs4j zsv1wxc2OYLPbn@NX@Wo3+pyDDLQA8xkPhZ3X6Adrnp;;8#NCGJngEndh zAv5PBUv(M|Y)z=R_|4dm3EH>ppnvmR^DWM>{!e%m^y#;P)hGVixCYH4HTK*HTD{8d zebEuQ!jK_DihkVFe<4heftDAAG5b!DWIdLk_DhMU6rY#F?H-;#j2D8|Tq&{msTjO>dXWx_4Z6=Pbd5$I(u!W7l!EpySi~VAW-p^I7ic4a<8r zcbvuzDxu-UX_+KZ?W#5(u>MffU#IOQU!Oz3Z+R%1RS+~T3n+`z2R$vWaNhbK&U6!g zyk1W_G;TOh+5yfwZ;1lN6MTAXcAbxOC3~O3)7o=Vc^{a7rvufepC3jJ_xw~iFN^v$ zx{QA$_FUnBZvW0qCIwXZcDD51jtSOWZngpIMaPUg52=$#pWBhg|GvMwGP<4$cy)YS zV5DWg8-HB6Z13v(NI1t~6;-!!dndRicf zwd??TrdaawJlAG97d?ts{VZOO>)IYy9w@s>XVyX2Kmlq#=VeC1o_k>Tvx@I!D!|~y zByP4=+=BU*+L1xNx}4ziD7LkxslPoObmM$3X18m;(>B}|p3`u$E@vKUZ%9ZxQ;?DuqohQ999GGB>E#XyjyLdnMRuM6PETO5<%li)8X zn`N3es#PgS?}+jPAs?e7ilMfXMJgm(jR7{UNad~Uz}PmCW_~Nqhht}q{cxZ#&oDx` zUu5Q4Ix&XNa0m~D95GQ~bMEpCl!fpg?KR~mWnH?}M0>hhk1F?W5vOt)z=mi@X!6KPxfTW+oJpYch z?jnLKjnRVWk**>ni3r9Pqdc(ci#LHA!@?=0t>1KlxCXxD;AS&u(OaZ@Tu{xr%*PL3 zG1ii46h4XFt)~be577G7L1pmf@Hu#9E|^8)DwbQ^k;zQBs9%D}dhM`fn^^wkZiTzA zr!$?Q-4Kj9icqPM0$V<=;nV&z6^hCX(v?e&MyYv1^9nvp_8c;iu+^=UP?ekO(lXdM zo}o;fiF2~uB;s^1;DIDf^gJX`8#!JsG2NyZgK}F;nr?k>{;fPGETLneWulRe zNh+Hpky$yGoLZ{vZ7P2bLk*@?k7@J9^yi-I2NO})ut{B%rmJ+bSiRNCRk2N|R4cT% zxteQ`2m;b3TG5^+P3#FId9Q;p8mrOd#T@v?F>^xl&pJlAbg%(SwKC41I&8Hx78Mw= zZWW<(;1$hV1u#gF2^cY9qC=56~LNaxHFiDJ>a--v;W})X&H14%EbA%`xM~14Ss>- z+-?KsL@U1@c^Fi?CH1&2H{}LLzBDHH=H3p0-U+LPole0IMsKQ?+h;UFwkb@X;IL;$ zIlZBjPPGZtN|B1F5^vM-lo{4xtUAn~q80{=uTWC){zIA#(}*CG9%-Kr$9`y&cwv5t z;I?3N$O3*J!DOmsEAn` zt?XgnJG!ICfQgNCu~mL`d|q$xu3_WPkK@P-h}TGBJeT&}d%7{B4dI=5r6qigFy?6} zC}AQ*ydPMmDX8q}|5%5l#6=rrQl=^+O>+gLzTGc9Ht0$Ir9)$7Z>dOCub5~s>z0S3 z4?{>S)^@>QSXVv%DJ2gG$ol`dU|;kU)p4k~0H+_BJD_)xl~rKb+lTyfz)rxAbSVmD zGV%D`fiKY7k>DEmo}j8DSx^CX?prSKv{ICTi=z4QDsCqyC7?7}$GL`l=C5KKOaNFS zqW;6M_CKBL`H7n0QwNVl*XIMg+dG{Ag!c_si@%Is|E^W@yzY-Z)^_RJl71TST!!er zzuWr_Br*PQ{CKF=Z}qG!DXW|9=01Hs^lx7f#@cNGlAapY?{{<7xV;h88JtvKICAp+ 
zBLx3pu!S#p{SSJj`(DEQS#};{RDk~!00%k{GcVx0R%q~6`;nd--=`3a|)A2=l8~bI{oqQq6pFdv#Vq#Q(5o018qk8 zz25G4wXFK#UjtUP8$|bM5t8rQfNNAXcMtJXOXI2aC7u714gjD08nj~yRCna_1`Sw3 z1E04Q^V*Mmp7P)>cz0SZQ~`N~p#32TffS;R@t=xTInvvJ$tp|3_FH|+YL@p@*|g7f zg;BoVjoP%j$909c>5G4@olj%kE3LY#=+7K^?~7QUUfqYQ8m(L=U)6-H*nodu_cTVp zr*Ai!e`~!jwd<5)aRv}#&r{LMV}<_+Dg%M=>biS5c5vCS(=yGr*5|(G1=o9hIzP@I zf}nn7`+7-kPaKjOpY7!(b=tDlcMzxd^J;`sbNy(bEKdD-gZKW}J#8wd^I=2pW;UyU zve)~=w9`Fq?aybo&%K|l-pglFUh*@~b>U;WK8MfAeRHKE!*}(ra$i!nZL}yP+fYx$ z4v*$g&8@egrq$1JkvKJf=ezN!_PX2kalq_^N1WeX`e>ZfGajG&%kCivd<|s30SbtJ z`dS6cT*`lls|DeysF}Boxis{-?Ct~%1#p8T-|t`JxSvSJ;*n38m>p*7Kx2=ppd!pL zjPN1(m{}D}b$7k|^ykN+A4Ts9o3M}BkZ8-8jIrwv#15N-90g@c^WxzW166UOVvNVI zxgt>=Yx0!LK{Wk+Oj#(=J^Dr2W<)J_SJ;y)(#$^^J*aP+gKd=rg9Z$yfQ4~Jan-wyC|C=2a4wR@cuXt$F91kk$_~zY^NF`=vbq_-o z&-;t@WRc9#1_G5%?HgOQ8m#^Tr2Vdv`$7bNSA@Guw8}NcQuXQ&@9y##ZtC_VdFPw&1B-T5`cq0=~D9;P6oGU0SBEPd#BE2)q(*{>(H$Gq! zBFbVk3Zx#I$;-E+VL%K_FoCu|D7QU@=}w|ELt|Yn+`mA#P^A(>#yU!gF@y#Tp6WHq z3I+1>Ef}eCirCRVHm3P*+kER_&EP`JIn8J=Re!Mv&fMSs$|km|-+3S{RS5UutE%uQ zL{`L=V!}B^yK0+uJ#o@1iaK{gf?Nnr)M91baLTR=wCFusv)Un&w68>)q?)n_1~2eT zqL(<{E*+2{Q^BXW_|;>`kgjfUr*HI|o#k=DT(0ZqZz)AZ=|jDyJPfU_T_Ut=X-pia zT4hd%ZUh#QP_aiR@;r#iWiEH}Li0NQ#pevyqEUvNxw%VwJOTWnn07{FAxdn*U(UWG!uTJHQ0ha8)Bfa)BbbwH`9f5`?dNDy`B6E8 zggd92LyOmM)y#_gUTY6Pxj3k`?7`DhCC!K^3{2(=uJu*Dn>Y=jx-t( zqaP+?N~~FDoJCil@ViRVxVT4D1-d(U+~n_5sz2*Lt_oM*3f_8wSfJP3w_fGage!HG z&@Or&^ARGYZ3dR7O%2`U(ooq5ohD@n@gz-hG+Zs0$?~H&FlyH@qzTyg@9dZ>5EJy~ zQal+IR{p&<^R>AIN0T`N#r+ztIVx*Gl?c)vjoo_Uwl)>Yb&(_)6`jAfzFnBB0KDC{ zYMPs4#UVqLTd05i;%A*mDhfn3TTl^n6lu`bnCeNJh(i4n#3MSQA^B6%oiLvo?08}& zUF1Qm);?xkd0{o)1rbp-!}$*+*}-w2O{+PD3KOYKLHPO|Rlbo$_OYvY=l4I2=xd=g z*)EYzY7VF?F`$Nr8#Hcgq#+|lE471nTJ zB4EEveWe)@T810f=e$Gs{>Lfezn&5Q1WmqDRo(w5Rh@s8+=KfKLRNwuR!aQf_zb51 z^C?OZfgZL$1o#?Z$(FbDyZ;N^h?+F`d-*b^&CBS&Jiv;ioGJhuoXENbwsb#UX-3I* z$G2~H0wRk5$SYjgx}a;HEYGW7KvosNFFNOuvhxkmr)9zon?d+S0?+l9R(`<#44$3S z)4^>`$E-nkL%&26c3cxu#%UcbquVSYQEe-k*Isx)8z7n+j+FL%lF~u@Vs3O-|L6l+ 
zvGYah;&+~(_gdAZJz(X4^SW^b;^1Xfa(a7{*MEOo@ZT<{z#6a#VI)sKVEjrKb+p@K zp5-mJET`+XLf6q?DUZi-nbGrYQMZi9^(Aj+b3Y#_nBxl4)eP`|O_j`ch+!bTZ8zE+ zr<~)x{QP$$*z+`T>QmEOsNoGHysMRsd6#@A@&cFyd#?D~Uz*Rje-`H9OuZTaEv;|v zh6%fYnP>{vUl8y8W~}R*SAmbSLrtVOX9k=eUr^r8Qo$4usWh_8;blvPi12Y`lCgCq z*L5%wue-YUi$`v+g*2`H9nf^7fN&kglb-sKCa)t z+!rxrt2w)j4*e{<+h01vZ<-FhvkaV>_HMWiGnN_kj4zut+QYDNJ1kBLKF)6M1Hi689AAGHv^FRfw1ncL^)mm8 zL{lkWUaspsN&V9GhtcC7+gkmXTrT{)!12a;SpN5D9?q zL(n5o{3|`}hTf>F!Nzl$f{=$&q%7ukuMww+i?0PBM<+=TNR`71Z4n(sRl`;d=70mM z%@O0P_zf#IX~*oI#yQTVOhaqe%~_75TH_6iV{XJ-(rj;e;NCbbAQQq)d+1JHokH*S zP2C+eIr&c3UBs2R0-vhJzk-+0yrb=K5kd!TjVGnlyiCi^(}r%?0#XBOG=3lUZOwM+ zx6wrvFHVW(vg-$Oj?4k`$Z3)&ganPv<{6ifKy(yM8SA^cJN#*}*dj7oPz4eY za?UAn&-0O}(*6w$p_J#f1CoLrjqr(dv4V-ebl2^>aUr27LDTv8h|;rd7Zzr>2Zhr) zjW*H}@&p9DmiZVYgV0reoT_SXDGy#Vs?LrF58v#8V5%V#G#hO&Qg^dJkvELiZe%i4xJZ2NPm)8D#Rc89xU#~T`6s^2K zRWTf|&Kv=yqpV$^y?FMb#l%1kzhy}rcW!K;GK(bw^O%L;8vle>1UV`WqZadUZooK2 z1J7Y&EzARs&!n4N?7*V{XXU)r3}>bXyMN|$1F~4@Yl~2v1-(uL>=EUGrdI!B6u~O^ z7y$d@Ff5+*IaBmo?547vkn*3jZnko&+IYr{Lk9~gP4Eot;F1IeUU^<&fQya>o~?05 zMl?)J)lUknat# zH=OSsXfXrjxo6nFwJr0luysXxl@vJO3pobx_^?RVjmIT_2n3!$DH0k%2%Umpc95mW~_yy=$@k#LUt0B8B`A=p9(W`yy;1?hJ*bp7@ zuNsdU{E&Q6;o_{H@9BAX%o6RyIBvbX%A59OSvxWqn34HP(_6WX z(BIaDtmpFA=>pXeCoj6vD6Xd3#+F$cDcx|e$E~Y3=}IY$@y$?r`3pM8m6`HgSTw7^ zsbV=s%sH3)s!$U$L)?l~$UCDA2+6CnS7;)IYZGTea5vnn1uK-SH>JjHbkN%?qvTvL z^7V(yT&^;w)Vm=!m`8lMnNW?^i~5=S(vMsRBz;CyE92HlQsy9>y4owvdB8M~`#e1Ug0Ea1~Ajq}FfzL7o8pZlJtc^Gl>M8n5R z^*s?uqpiU&v2nVnv&(zt)F5Y<w-q%xV%(v`4xIC8S(V}YJj?RPm4gG$FF7Z?$Bkc+?27GsY0bB_3=C$9+FrMW3 zI4AaF|FksI`y<&m$7gmNOSJzweP`d(};GVm-KI6pf+Y;;-@!TAQg z;b9?ZnLnGo$F=hBojgt&=6XBdyy#Eq5-LrxuL57*Hj}kCx9jhNqk0?8EZ5mJzgUB1 zO)-9TxLlIe^SzJrib!SgYNj(=IYb+7MYMVR$JZ&IUPm*_wQG}n|Ash+x09QX-b1$$ zfmBWXgN6p)nQuFYYrI(ePMtOd~eR2IKYl^O5lswB+ymxtRUO+2LnpyHqyl({cH=0#smQKZZrSB6W#^5z&H9 ztWMn$rXaPf%_!Ws+?II3M7sKOF?2|+QOP(ei9`~;qH9;UzHud^ye(%nLxF&Enq*x* zR7l7Yygpl#xp?umLZd&Y1FX@VdhXZoq_>6OlBx@jj4np7;v+jPk)l{ZNsK+06j?a? 
z4<}-ae9lmf&fQ8SWdG^vFsHnte@zIx%HT zLpcn!rxpP_~2X=%}My-OD*c6Wb39w z8x|uNv$xJy#qZQf7aU-%VO$UfO2V?-5hQh7DE}AU(uo z+}|4v<<YI4_EzNpq+|z3+8$&y)LA5h;QOtu5VjTaUawZOLJKT_MIa`$)MQ`?M z8nUo)lM%KyDab^H7KnAe+l@i#agmpr<_d>f!EZ49c7_=h}Bu2VlG~@qro0$!E5l3bz z;4SiY)HA!RmJRToa@?!T0g=8#XUjLFz>P))9yU94nkmxYiYmg;=nbbqTnEdySTrL< zwcwN)HDqd9dDJ9@z8+Qjj%UeT%GIH*d=(0oR1=`mHkyh=V|UNH1WwP1GEbNO3t+fY zW<-qi(!(MPTizp4M*BWKUG~}(!s}&+D?}us%Trq2v!&`PgRU`A{78KGg(q*S1V5W{(nEUz$L>dcojQ`e;YxpwTgFaI} zj$l;XDI)Kg+ogbNi-@)2_JV)FEY5ycv&Q+)MAVV3$D`SnGtdS}A=boNXwEq!lV=g8 z8VPlwE+*qVtcB!QB9G3JjlH1?_oq$iU_hm*#CFNXiIL|V5SRF}P3PzJXqlvjq&|Ca zmvI-pGJ(~y%H#M`sh(xcMpF)MnRrLSiKNd2vjmEuyEql=KQTy`mh^b>s666iGEbeV zmFmK{4{S5%m3Dki#0^Q}F79;SSSw?ftLGlmiGw*-6p zT(K%}f!}w&ja|BKz~;~aF~AS^pDxCw_>&)98?UqsHUOtJ<`mk;qZzK}*z?wTa!s0o zUe7J_>relV?M~-JGb8;&`Q{IzS_T7N11i@An+wD4d)k7Iu?pFpmVK8C{Yi?LS@!yY z9shrS$C6)$IeYiI!e;-Pm!qRb2e{mf&fv%NRa|~Fc9#Pk{QuyBk{oOG3_yy4TP};r zD}RYOxj7nJxJ-{@Yp*+O3oZh>wH%WTFC9q#{e!JHFz|m%qVjZ%(=okg$712ks<92L z?C0}-j7@mT(^72N8lIx%=-DoL0#D;Uh`1)`T>nkGc{x2A2eg5HEHhQM> z-~QWy(Y;F5HeRgtU{BwRgE!P@GXz{wdhlF)4vHVybI6{0c7NLg+CTPJEBmdUPEuYHw6#~ifU*LrTrY=#h8T%}Fm67c`jhw+GwCPs#U$4HxRN$hu$}q+jrpnO9_TRIa1`vDzk0Fh zd(HjyU?!j_Fxy=)3+fP;>$8l8Ab=(z2+2bj~Vz58br)d z8bogQy_6jaXs*2w70%k_zp6hqs{Yv64}+c&)%0(AJSq3^FV&oj0A-{LehjKBYTH+v z9{XFysUMO$9y@HB?FE}Y#X59cyMsG-rgZ^}?j5=TJ?}_@{rZ62u(#FqfRBBm_;st8 z6A!MNgxLYkoi_(C_{#~H*cEgy-3k~33|VjG(3Nq`m#+a37sU%`oeO0Z1$)4LyRU); z;^09ndk5td%R#305|Al<6u1R{S_^&BiM#QLCauyXF!vOOAP0|HoX;NCJ?xzG0Q3uE zi6YrlwX=a`@Yb(2l#~MV3^&(vgbI(%UAJ=SL8cXMDI2+;3Kl_4q^rg>iAzn6!XN90 zSFM|@N5u~jR9|C5`UQqB6UzEkRsF^?78Dqg0JKKv{tuZNQ8zki-4n*R8FHO|I6H6M!g)CC5r4D)! 
zs>fJ#YSy2{YgOsCIYbXVuC-wM&CXk|+w6LbqSCT13h{%ZX{$&S-X*)~-H)aqx-6_{ zKjO}btHp&NXDKe$G**(20`@9=yXc=x0d4ohC$$or{h z;{R#=!0Y!j;jNcN>lP-d_IX)B3u}>1_wj4tw)toY ze^Uv1XdCRHfr2t1)b@&)ya!NW3}Hwn>h#O3eFo~)@>sP(IKN|pM;exgCU>bd6?g~ot7)2R?}Efe^}4s$ZLOp|!> zy;2)*$iCvj*Lfv5<|HABvHaWf>7uViwC;UGu zP%ovwg^oy|@*@z02DyYao zm*~@A&o@#0-1U7CtjaCLJ`r5<1+nsu?3%nw+9ToF1J;@x2KLXp=qH}OGye_gaITFw z`MMf3X2n0ImVGo;p(lUT-0P-NL_IM6H7~a?a2sQGJ^3`|D7~;nR$^RjUr(UWdPIe< zs=`Ft*C>&c*W40`f0?!kZL#$gk->GxcEy*>Av6Dt%e&j(lXhI{GsH z8V&SCmcjX@0o87|K1ST((O+7TYF~_^jf?kic@~AP#+Mopf;KL3N@T}7E~S*)P{NaR z2(;GJCe9@!2)#%hijZs~&kQP8Dj~|aN3977vf%d72o=tS7URngGmUJ7|Ax-7oXwC? zMkD0odM;Wu&gK0!ElK`Ty=!yh`Mdad!T-3&Y9{7CaSGN7`4;`I_ByNgQIJsDy94;~vX`?>c_WAc7sM62 zPX+q<9`VlhimI@S0J%pDB6=)9uNAc2Fbvp$v)#PCeH^V`{n55#o&fN#gy!793b;sq zwcjA}4ZS~45#+PFaqPJ}#MJF;8DWJN^au_Z(kyrfHd@|ztQZ;;@I4T7-8RnKPx0Wa^z^^JzbmTWs(l;2141O#aafWQ4`^V~O)Z1dlb{L{A&cmS=E zL^6!HzP|5ncM<*#cP*oY2zSXY^{MN$oJ0&W@g<{ za^Ss-cl3ZMAAq}aYR30yp2M{Iyj536-c*6pGfI!JnfIvvVQOqZ@r&GZ?;;jOM9r4Z zxgjyueI^ z`s2+r>ZNVovE>Ya$-7F?a*#l4j^I@EP4OS}D%d*U@qH}pus!BG_3fn=T_u=Hc3&{O zmY2)k{V&eZfJ_}T-0oCMU|N(>M(MUJ7%}0HSn?U{yd^Y z?!|0r);Gx|)siF5Ax=CBzWzLP8ymNkF4C=n~AU-9PB#w_;WE11GL0Tp^9VAiNSprq`g@Yqp+Ra^P5M+2pn&U~yu$we5t zv+!{9tcIJX614nLT6JHx>|VS9wp$&1v_px$>X<>L$t4oG6Fdb}y5S-%YXv!}(@AQH z2BY{U6M-uwTn+|>l5h2U=VpjYe^|J160%iXO`aM8znP1=TBUkS=CxSfn~-v-l5LUi z<9#vyrzL?j;YoU20RuL1 z2`4LH?^!_N?58Sf-szqbOwI6l>>|VMcVC4ZB2{$bTZmkh<4 zzY(#f!27!IY_^|8kVCklHW5XeYmqu-EHHinV+I|{Pk$oryw4dfk2NMkpY^BHzB!{J zb2$ci{kOUgK}$r&hCXgoXP(yEN01S)*1knZSORzFXg8@i)TfgFkY zI>Q6Tu^#j)-$#Ms3<=CC%emE3KZ`TtB?+0EqDK4!EkcV+)j-)HzP&U?cTVnHPRpV4 z)kNKN;RKqyQ39mIaY|DZ(zCn(XVFK<4yTbro6&$ZXNQu?cCN0q<1-7e%F^F_6}-_y zjd_|A0?UdVA^sZ?mhxLnoSD_jvb9-@fb+ z>q42GQe-Ud`%n;fL9we`;TN2`#4=g5t?aNeWpV}-^D_MfXl7@n!Qgs(@UQD2HZVXlBZ9G{tped8ar>#{|13j&k}Bv zhq1#RDBG{~MuXxRAamri(@}L!i&a08e1pgHWo+vRhIfvD^IB}Wo`WwpVe&qxj!)0| zud_ss@}0dm>xaMZ``oX?#&TQ0v?-i*Hyq_L1_vt44vM29e%iLe!FXg4{!25Io=Y8=7OU8D+RlW6?WrEL=pw()%$22dzzQ@@k 
zsZbQh-xvIZt+%NM$h$DszDhb@YTwz)lY-VBze{?_+I`U7MxNniDV>r=W`W>y715Oy zzumjQ@Y8?+s{KG-c$B8a_?9KVxB8rGuX?xN z&DaHfu#JCEo3T%B`W}DB80d1{Fs=;F8txo>=&r9FZKE547iQbNj9~RU-InvfE`)bvHlG(U-c}lN>YUOP(~q-6z$a8(SF;h>GT-IRtw}D+uEbU_0T1(_vCT4`YeX{ za`&gl`lGrq?~GJ$`H9nFTzc?LE)cf`GC_>Gfk!*4X&F?Ym7FBrALl}qlXu3a|5q=G!ZknoZAG` zf8zdAC&>;sPB%c%ru4JLi2x7ZStnwiITA(3DR+$=st^vObZ=y_TLou8cnncK7T&U* zY;0J|K51U@XF*0lliEu?ZLBwaeHjN|Jdt?_rFFd3$>3j(1FFcK&(_J11YyI3@F``J zmI;CA7$OYoFMM}PENtB?ozrGw*dl&qY9#N!WV_K6Xv9NQB{D;K#(^#0VGt;a+s-lI z?D$pBdAzC;UFYfsP^w{lFccS@dC`xH+&Z^$*4Z;qOQMCEoHgd=1BmP{lwev&kgJ>7 zOV6~@bgE~K4BS1?It^Me!i-1hjF+Qs9(HqU5Q1aehn4%0G)bu@+Ku~&i%f~zV099v zSrQUlvQIL$=9#ESS0wKW#P6dEUr|9R`%88{4j%>o3*Wwv{`};$oA!=B(TZdj;6p;` zValHqPh}7%>V$MT5}A;LoCI8^8Os`fEX@oE(rMm>5X&Q3QhU>>VvA8!+^mvQr9;iT zRHYc-0^B{wvs;B(v%mdXYI83AX8m0a|1TMKCgz6agWCo{MS59P*8+1i^(d69JL?`< zx-6~voFe3hb$6}Y7l!&Hpa6NBq}8}~LuHnp`f~S7n_H4u^JZ{ zl2!Am5h1agyBavr}8hY8gfB^+uy{0H4&Yl=m>hA}IXt}coq=8dpK{}MyeN{<2S9uBXqb3mmlYH>V$g4#lbq1xYOZa!QL zO_oK8GujLr?<=iBw_g1)?9`{QONlzkAwr|MBWuD6;ZLzOp|YgIC~9VC2CFgh_C$0o#TttgL4} zaC#L|lQ82>e(4{TcMJfv=l*Qf_)3^<;n_yL~} zI0T;aMf+bDoX-3UwvUhc31Ia-uil5Fx{)vMZnE~*v8Vf~n+H)nKfGTK7ZnBEhyP8^ z=DYm+lGA&@T>!87MmhTeQA?fYJAMF<(GT=JtG&>frNhs=zwg%UbiJZQeO~;*36KBR zQ17uXj^W6&|2azQym|Pb zyCs3^m|=A0(({aagTLou74L25<05C3Qv9ZG#yd|i2cTowHL>6eu;=lw@?K#rCn~!7 zIB$*HRJjvIDxk7=yL`mH^f*iEj;Y;oqz5hMwm+KBPJkFbFINxn7w@(WITI-Tc|yqce93Ex}6Ay&-(>{ zMi9~%1J{!#Qik^50>FZBy`bN7e!pSF=EWY-jq|0?`#XBn)@-L)e|vl@2&w0xtQ(Ad z4Ho|ZgX=(kk?%xMFO=Y*FJ27b6H{w2&8__QBM}Gy*JlrVV<8hmt#IgX18vwc?$Ruz z2pLloI~Cj;KE-td>wARyNJI{`O?1l8hofBZ@z&ShelgJBeRFfgb9;0B=G%?Z(|eO0 zi^T>{?*TKhK7Uk(%iH4vg^B&RecY;W{qpKmm5l$Mzo>3Ei9>L*hri-!_%&x>Us(Ml+Y zB%`*Z_>whYx(n*P17Hy(%p>NS^p$bSxW7r8zyH#ltgw-$YXH07JZ5SdcU46PS(1m|mH$)%Y#B!rwb z*&(?pVd3%RB;@K#r1o|j>|bVeofTx*V}NK8F(KL=h#1I{xAMMPk4@`IX?5*p{rc1;L4zl&Up5Wb#p(a1Ioz^d(SK&=XCyc*yYOL8(@pJXgQsq zLegWxz(vI7H1Sn>R4ejr3d7Q6e=8Ae^BqA=4`8W0U1tiyxbR43`F<7EjT- zEEHX{*MUTzbS8c}GjY~GGj{9VsPfi#h>0TKZfiBe{1za9QR7JTjarwY6-xW{m*Hx5 
z->Q+=>`Lx0f$HKH!~B6ox^R!!uc~r1Jki3Y>xjfO6rxSAcOvpv6!!8fWkNso2kgs| z)n2LT^0Hh+ew@S5a4ewfGEyg6rZY+ZQ*}!UKX8Dq=EAJ?ucU5 z88OLHV8f=jP>1IrdagX|qII_gM|IrE7A1$QgDmO1G<$%xH4+hR89P>~OblIYx9W&W z8M}wak2a%7YsCC`chzUJrWaq`;gQCnUdh5N$--@@TAoDtRIbth#p<(YeKqgQc<457MGYI-Sau1@fqk5*~KpQQLdy62EYUJfw0nf!Bomyr-Pm zLWN6qEWiGcw>rllH==&#x=0&Nh5uT{%Qms2say7da}z4ym6{x;WUNj?RSz zoyt5S6@&wHGN?||J!1~>fcC}Qar)r80aMHw*MZyBi!DO(zX1l=d_x4)L(la;6g-`Pja)CletgKAmg}+u z{^{I6M^K1ee@y@T+xtmqf~JxZ0jW`NFaiQ)dk_a4r{5T0MLQP!4h=C#bteryXLm1+ zNT!S-JP1G*8p~}OynZA2=Y0|CuA$9ne644`W&2|jh~qbT;L+>2m-lAib57HL?pJ@i zmVZL0XS{`(e!-|`$m+1=GfiLL`H^`K-Utj6ZQuHbU0?Gs(WSfT^Q6wuzB##?=UV9g zFQc#VG0&5~ zYQnYCEIDeO;3mj-XZvmX#rGM$#ex$XNc!A8)H29hrn;3WTw& zsycp_)nDTtY4C_Mjv{?2e@Yph{j^m(*ejaCYd&c`YWn8`s7k+Wh%4lo^n(p>!rd zN%h5 z<3tX1sa46=$Vu}q#8lBl60F$qpXQ$D9!8x_P(P0^afsWvDr}8nC8-=c7&M1YB5qHgRfT0rXA2v5qnG6hTsVn6BoRTXCI76hs{Mw zQsk4R2=5k+lL|-sbdA=yjF@G9+P3jA88@c3`M5(9Q|2l&wxUm$$&ucf%MrGHIPuN$B3-+-Nu_y$<0Uk{Gp}C7t<^ix6u>#qd2!_@ZRS`D!n8+L~LQB|HRACnSk1@SIF7Gv0<} zylq{JL){9;A-+5&{0Vh^7+$YvSR?ATzqEO-5~!FGHboC9EP9Zis{c zJxEz93>N1uUJFr4Yh=7$V;C}iwgSy%F)9~1W4qMF#l}3=d7h;3!hrAg6IpPmqfXm5 zNQvui-|G6Yl{)9(%0D=bn~DXx{j>+a2Kf2*7c)tkdo z?ab^;M{!mU8?+y;qpO}^3{8Xyq03NzF?oirUby{MOe*4WO!|!4KMp7Y>;kPh3=y^g z-5*4Gc$YMbBgdeIf{DsOazY!>v7qe2^vtz+3Y{ED(Ozp{bc~IZb_b0UN7u-Z-IubJ*_KTS1Z ztG}YRT5J&0P&X$rR|HVfh`Y4U8ihfYgqj49NYuuw<|?qkAgr&|U3{Bh5v}|y?zWyX z8sbq$@oKklK8{kIu^Eth_u-?;YPPy48p9dxz)Fr3%fp)wp@IV|JwIj_0ehv;9(pIb zb&7mtSHLnDl^aRzq?h*)ExLX4k40k=HNtt2JkNMI@jzo5;+!7)a^IcfT#mHoSi5Sn zRpL9Rm`oTX1Cm82MvP5)Q5P~L#~FlaNS#KRNbvOJG@=-#P&o#ow?{=;s%N+MctTao zg$4J)74=YVafvyW2Uh7b#8riC0@l%UiFEdiYmi)m3$BKC>TQaIC4fPs2%Pa95{w=N zA|mWm^DMFGHbD`e)ZDWpQ*-J4uEmNBaotQ4hjoFIoy4NUz;uoxS%rpf5{E-AjhAu4 z3RJEWk27u#E-^2MEv)U!JEE>>6-dt? 
zm&L7x?;K>lQvEV_nrNpp_?8A~Q*z`4b6fW(+YFjE?UFi{mz++MfXX?ZmURCzdiP>_ zr9|WFm<47%rAeX((pKD0Q3(V?R~a9WmOP?83h^)<5w5PkSta@Y8(_`9MeFy9#vhzt3#!5QjV({Bfa3I@ zC}4~wKrvIOmKp@gTLy5)Li1K|8Bi<$3)~@247Ld2k{AN-y*j=*(T1`;orjUO=LNCzja1iSb!&g>WCo!09NY)$0$Ar0OkUKu z4eidIBwc!ywocwxXcG1MKACH-?+WUG>F-B1;H{g48N4nc9X$0#P{Xf z&cD(h>bPFJYX!^O{r){Y9X`SIVF2!b)3<9~^*ahGG&tHW*D)nb9frcE&-XnISx_4G zZ{B+vxGZ9}6Z)=VALXF<`yEX__U)a-yK7wOZfrlu+t7rqW!v(1oD5|s@;HG@b?3Vd zI(jL=VYKltGX)OX&zqG~H|hTSx5Xa)*;*I0Z}xX1nk#IMyuhaCQZw|I#91PMJ@~M^ z&w0l&`uzB0g0{R4ug>LrqfX!8eW~Wlee&&$^mxbS! z0w-N2JVN!eKQL9J?|6 zinwsY;!HJNr4lq{b&O1v31PPIS}QEgJ6y}Z|IVC)Zc2RZ>saGtJy09q9jt!`ReE71 zTB0RdnkO*At}Aex%xU;!t}&sIYUxYpHY}_*`gCy^m9%6yDihN^Afx@_jSls&6%RQS z7L*AQ31=HmAJr|EF_INGRa!vrM$t@8$~}@r*1IlK4UtRBZ=*5@{ent05RA=HTsWF) z?`f6bzVo$VuY&2!#7YUP8}dt&s2_pCS-#56S$o$ze98dnqky2DJ%~+0-Y~ds18JAf@OT?u_&d-hiZK2$eithxJi^LNr^9} zepFb|+_akF;q0(crOOcpMH8yi}*CBtZ>~ z{pAgvM}*NW2QBM9zRs$YO@!vZe9oS&gO|7U;I%|vg`0y$Vy$CE;zLL>W~97Z-XI1M zHNSxFpB#%Ji6l{RKxBiP_^)?kBuhzwNqL}{| zNi;B5$Gy_o?ztsx;&w|z3mZ0x{*-NP6fq>|cifeq#Ul}G)QBXq->jh05W4a zMZ%0i31TA-5%f9}hin^$NnBAcrFw>~XP2$3!Ncpg= zvle+zzrc{Hb+>_POeHx~rHy}OP%BAZUQn|h+A37WLl|b0GUX}=*GBGxKpVXIf;+bC zFEOcW(9dT})_Ye>TPl>&ahQ7$453*(i~o3nC}9X^(I=Bev|i@L+0PMeiQ$cW=T zY4W!@#jt2Ik_B62a(=q-h7_elc%L#Vn*EBns(L+)hAqRow5D#7xOkp- zoN!_DBni6W6os{{@!|l$ei8z-Ynnu<1^d5PIE{I`d>2<}@`=)4{NY!rg%)On=xi=x%3A5VmB@-l$Y(j0t2d~r?n=R>o zy(J~{oG@9TgdG202mp~qgik-)1phm3pu742nbzE77xaKX)k(q#;i5|sw?wClr-EEi zLrl>{Yk)NXiqnpsDQBbW;j(2<$BF*ENAG(NVcUz!FTSTu$6omUTXDO}UA0*N)gIB> z&9!ddT`4f#`;M`?gj4V?-d1AP0Z-RbudQXPjHu(Gf5ztlFZg*R`1UsCZpYugek)$9 z+4&H~w!km*X4xa4*A`jQu={AaUT0vYo<2j{Jthy}tP~JZP~Wzlb?9Qt-*v77cE41q z{y|{}82B>A*gUO?<3?LU{QlDPqL>eL>1x_iHoN_J!g*;*w0=2p_mXkhw%#}2X-IT^ zPu}aZrVMzQ5%tV}*z$d1umk=+Y2WeD7wJ1fs%D{NY<^0ktaTN8+A};@fGyt&c=>L~ z7taIsz0ex`e1E;ldwael{Z{+((!2dGdYzP#uw|ZSXiMn`Ve!f511tghIQmR;M2~?1 z7X&_YZR>`bj^JsV@-1h{*M=4Kovu^6t8&5hqmhE??i;6<&K*8rTrp7r&jjc?4%Pnt zxVT@}0vPiH;Js=-a_(MV>v}S1dEK*UJn8W7IRlWubfn$}08yf%BxpODZgg1)gQAC! 
z3}4RMd?PI#0dv@#Gx|h=0Tm6@zpk9l;ras(?=n~ftq7ZL`5tfK9k*TTKQive3k>cj z5G4b$Ch9z=W*lq%M!U$r_&+F?7T3RCO#AAsdp}kl5N%$@9Hp%WSiNlZHC=f)ZaqB< zj7OF8-;3T{0M;u%+m6$d@p(^^lo9an=5Lo>ujhi^M-P%5f>NlfJ&*CcBDP_+p8SAr zcpgVThm@3pcTo_<<@k-=lHT3}{-faAr-0}U*!=;fycA@54*+L<779u~ctOR@gcRT` zT`*;OcMO(!=7;aO+<(dh+m^EcuG_2Wyz_>dPT6xoA_0fIuv(iT4Ln#lRiR$gcBN8S zwH)Fq6P4263!$tO}Vv(Gg9#xj|X`!xL^7%04xk_(v9==*JGpLKJ zRw2E)?G&NTgNR?ghxvVTp=xV0>0rK_J>HTT_POf#eZ0Q#|%&8GHthmz; zN;rTqh?#}MBJx#1z0baxfVdT&Nl~;6QC=<7D^zPg@KAOZZC${slwgBu=@YMl(wMZ4>7zqExF)O%K?$`+w~QxakCx_?IVn+?Xd4`~uyhaI z!j_p>_$8Is0*bRtC)8)1VDgVt)(_k&2+NHRYkR#hYMLYFv*3#PI5z>BLE>vAca-Uk z<*xA6tuKie31meZ(zJEazD5xhX1RP7M>LBRSr0ne^F&f^-CsFhRk9=xeSFpiTdmr< zi;0ywG;CmEm*BW?bSb9Q*YT3g!+k2vFng@$<9KSN{o7`}c`S(`1==a*2=1qtXa5uL zME2hhhYDoCgD1yef%wM&F!%XW>C|V5{`OL5Kp3V>Kn{fZo&X97EPw(BIj53X_y#J2 zjlnMpUVC5G?gaUr+P~^-5%;}#)?ax8kzV~@sb@b)|Oj+LK2>ye*-o*VYI zTg9$p`i?dZr)3-of=n89laJNqTRmj&~ZtafiCsK>Oin@=VJ-(fbdiRqwMLYKso>oTpx(&~d zW~`dFefils=UwzQT%>-`!Aw1o#@K2t;3~k@!F|DFofjqNX;Si$clQtG>dxbls6hXL z3aa$*%3$@5&j=}MgYU)|F=GKoKw3W8{ffZh?aG8Nk@Jx!1*hQCy8>#@cf!^U;eY!5 zuPYKyH3Ir42ES7HO$XB~34E@9Z1nlPgqJhkFVe5PnxBt&8?KoaoNSF5@|=a;d%PGw z+$z@t3PtlH^LzKVLHX4M_nRDw{Y|%#v4fkwrzrT~-M`fVcl$(BHg`ElMT;E9L;xzl zqAost>yG<|e)C6xfd@+0y=2Z#*VW)WYJksHh-aPOt<6Y*_2{33tvk7=xnl;;-k*%F zb8#V*r~sn_Bn5zJ^$V>Y{8sZ-?f>@ZYrsOk-!A&6U%+FFpH7am0qXMhOyZ}-3&E(V z39F>mIgwQ@DDYW8AXqNzv+<13j0&4i7*bL}?+i+4AOndilkZhCs$Rsv;gNUdrca2WP`TC0TrM4`XzoJFR?bf zXTVxj=g%MHo6GGBGYA!3 zlxLrUMBZjni;}WvW;L1E3*j&qOO_7BrJShoCTq0{^&-a*%ilpf@`eo}^}RBK z9JshL!{s1m`Oj-RQ00m*y!FE6Ygvw6R`4Z9vIP`IP+HWtw4@&1NPa?99b*)>QWNtf zhUZFUDPW*x$5G(Q;bWuk6&Lh zT8ohO`F27AqtE^o|JE!cl(chQ938-qjMIBiKK{NKbNpQtNYtfOZBca9iRX0lnn3V> zC$XZZ^t)u(PgeCWlx8SWtx%=)?v!y{w-gTplk?%ioZ^~ws)T9(UV6SOqmhqVbh9$p z(1}WxCSIIr#6!sPM+paUS%2d(-$VEmOw=o#8*A5Z*?x7Ar@LfV(omGN%RIdd%B=5VZe59VSxu0|9~q+m#mFEWbG zWW0p2Nm}pGDZDyKzYjGwPK5jtmrVd=vQ~)AY29Q&{jWG4y51BDeTFF&<(|!O-LA$f zbyHQeSeE=tGee?_YdSPSU*a#)UNW;ZA9O}Fl}}&V6B$uitxQ{(GvfMuSU4LBK1Oc! 
zKG(*CNL-CPx=z`AIx%hqijI6Ka$DE;=Q{9s>eOq@eZinFh}5d3SL<`lMsQ7JGweT? zve>-@9f^0^v4};7^6FQC#5{jleHNU12z>6VudlS*E5U21ohOm6(|Zsf^{~ zE`LY~VZQ3UpqN%}FZOe>L{F+a`a1_yJteFNHDx?ALmqZhBNKrLDIQj}u#&X(p4SrF zdv1(*P~G=1pM3j2(1JfYtx11zmxu(Z%p&5|spm$E!PSoj>yMz-GC`WEgzJXVd~W!t zzl21>J{SIC8Wf{3)M_#xx$@hGW2O@Yof90U`pE?aCpNqSy% zkTckU7%SU+(Km;u=2pnipwKAMyBhstv`m--O-`yfDt-i7qJ?_bEtgL|LOSl<9=fKbT8RB+ZV8gxhVs;RqG zS^t8x6LVcrHH3H_6?`(PGG0Jd27ZuRt$FwieOk2HybEBc=3DUG`oo{tp!alqjGpa~ z>ek=od09Z_20~r6^*uIj9q(OQJY-3&R)#c+ixT5cH#r_ zsjnM*4VK}1OYzx1fjxf$?&=zTa&`Shn^Xs2>j0O z?n8a~+YV?Mmwj6#22I|_K(3)f8{UGvvO1Cdp@=GXA3`>?!eH*jT7E1i7)vA@OEn|> zN^ZB(NY*wAmNgS0cS7I~(uJiALL1@JEX6(vniBaK^o7UhiBH1K9r20^`w83aGP}v^ zQnPEZ>+i#~0MFrJ!z1`GyM3fD3!B)h`{kj-)z)n%efhAXeOvNz!{xB*FtA~f2T~|w zo7OpWw*QmIcz#t+z`ZGlbiI3X{bJ;?LW=RRf7fO1@vj1A*8pJt_r%+A89vw^;!wfy z__vdSY*EIAbCn#j{Wgey0(gBp>PpC2(DJp)w1WnI zu4a1aaq@L}B3s?`ViC>B}Ci&RBjfV9bAzJ>t~!Iy2$S24CG!G_bww{+p@M zt$$3McAru_rkT)nj_pnAP1arUG=pYjf7kJR&W_D#(LIdeOf^ne2j}Sd+BjEni+D~} zFnXHBIzH$a&Nr)XcH9rf)P(OaQLQpjieQue&LI5? zxMTUM2ejr0jc`$q4rRxR6Ln9$tMy-UYR?ZLIQ~BIDD{A<>-@k*bYbFY%U0u za!CS1R^i{Wfp(l?nNJ&xx@e`KV)3ZjZxGr@@^XEuT#VV+PhyeGA!_5oJf#76lX*u_ zmpIPZN-M>mQ!iZR1Rt#^zmS^k1dSgaKA$WRX^@bT;wfK^tCdGMl{wN>Qq5Cn8)PLE zQBrbW%1{gfR62?ehpGftK7@QDDm&GwO|bO5w_+_difrNw49>MC{x;sYhb6>G8BVL& zxcq28Qf`sORec|C(k7;Ch@5*p{F3?V`+Ytk0c-O-AiwgU4l%XLSm__-GSmD_?chP! 
zv3Wr#<-Wh+JV6wL(aZu)yZQ|K6!wWAjjiE_<;nWY#llEqAL-UKhmzSdHI{PKpUN!D zvVoS(H2qculEfS0rWmm#3-klh*wqxp$a~m!V~e5Uc-a_*=IV%W!NWie3w6U;(P69N zjihwU;1nHhQMkgmOI2(xhFj8Q4#UQ!k4_D9GKm~>A)fQsT-C29lriu5y)@^@UOX5{wlL@8X5 z+0Hy&Y3OWQ$Qmu3!U$UEy>t}?Z}gWk8klliJAsnDh;+fCH0mGRq=mnese`rY@sQ7v zroYt7giO+)0MQQ+{_=fFxl8%9^4C1m%LTPgpQaS&_V`-`8dCpT0&n|241bZz`q{Pb4Is zaVq@I7U3*kdnG>&uTt5+Ppp$1baQM(H)EyrIfPwnPGs)9_^%f~`%x6N!dYEo?86n_ z#>CwzglTzkhCutP5K0L0Iacyvh*1i*B3wn)j$nPrTxjF+g7;zM1oXibayzi+J0^|= zV7!^lV*=urJ5c0$ecEajxWs>zW;DcT62-eu{eq5*WVdH(LCM-P8^$mvfmaAv$KxX5MR7Vh1Ba!DlqAWv z3@TFZwlo()#Z*9bH?TdT9l$<3RIFJzUW+}xd|tF9Iugw6MeEWqgAxyIe91=Yy!G(C zR{ij~9%oRoRdX&r?S}tEGX0T#iC5KgMLBDqq29*j+PNG%vMcs zaXYhZfUXUKjU3B!RW}G1YSP^872N;u_x89 z?~z^CZ%$C@*KK}uE>bk<*|3_nZf$A(C&I}w`DtWgL(1`xS4;2jesGHBvRaq(%cG@~ zfcqWz5o|UTn!|k<0ou4czZo5ys+!zvI?=QwS=M@VHh<7Xzj*z}Ga=%swZCIL?b;%G zE+yOUn)P$ew|Rrf{T_FS?|Lo$vHF?#JZe^tWWxy(L!A6#Y2!YFCH2Ft&T%ZW-z2MT zEu53|b?N%>LU{=s=xM>bOxEE(I8xr!XJTu%u-?w%=;Gsf0f)ZnG|zi>k>+!eK9+v0 zB)5JT;<$P9GB@+qyr|pO7Xa&Xwfhjip-V&Nw1e(a$8m6(*#H@R%xS5)&v^84pD&;X zUl-ByK55B{x10v$PK zV6`wV*Y(|+Tpy40wNtn@q}J(Lb1ug^mbwA3nJVwS=& zSZW%c6ry~Lo7!9Z5$9Z!Lo23G8OKy#j&!*mu;=L^Dab=eN$2oJAhBByQ*X|$hTGR? 
zG#6=9#GO00R8*eG7KdZuoj0BIr+MMQ5;8>)h2eqq%VQ~wUr3*de%e4X*rYeQPqBIG zrhT1~rYt-U1NRw6<72+2unSSrN-0Y7l?AU2O>I|(UCFH>_n`)G{s+0L@&X?V8?3x5 zFFUJv`+%hX;24;IC_+%{Y#)#VwXMxN7* zI1xKg-!fi2#>Vd6xV)lHH-c+t{xDp*KCu_tUz#R;BRwx^5Fhx@dyqg%zNXqgC_1i4 z@UqBLrbvg=%Ua=u`Ujf=nFJ-U0)0v19~nKICZcHJbajzXICASWem2xP0VU%`8qyLA zrg?dJo-{z^gq{ONcjln+4t$aRPA#Pe{ynrvi7|!I2_cBZU^-AS4&smJ0*5#i40UQ` zn*xQ(U8f3$eNB#Cq+FvrdNK1E0$H*xm>EGf!o(wYF3t!G2IL>%yXhy9>UbPWvdzC@ zmxS%NjLoq6zYoaDTUGr+2-vBBE7NqDfg#F;d@nf^j`5dLjr=3t6sP1Sad-2B@zbw) z!L<%Xas^ttf&vHaIeUiH?`n-+gGBrMNb+`r(W}~%@%kavX0r;?P2LSS{cpJpQYaxT z{HA~WQU7w>galhnDk1t;Y5b~YF#R-_>tBrz1hNJPyEN;{5hAK2o;+hP&VoITZu8^^ z`2oZ!yv}sysJqmsc{qzUyq`A3X}rbe{8?&xDH3Qb>fe4H`o6w`0g*{i&<+7yet4a- zEh@-wUnb}DC6N50A)IK|nVR2e^Q}$BRM8} zzK4L3AtG;q&|JL_&|bule9ZKa_@7I@vSWIfT)`PRhApog*A=j6y^L;Wf!5omoVu4I zjgC*Qw@4UCu6YX=0Uvzz<+h?Cm1=1f8Uf$e1J$m^spZ)B| z9r#C zc=izdGWmsgVpAcGc(d(w%J?5usk0(+G^3_#(xQp89G78(=@*}!ZWp)v6i#tR*UkFI zjcrTX_BEfGi3ia3w{B0q_TyVyTUVG?kSBfU>pB>8>HoOd+~;E1fl|||AGm1kJw*kv zJ63JT=>|8+kh!_!sBpHqEr1&O#+E`?0QIlP8(wb9(OH80DjgRAs8U2kJjT~c792~?@cV6_d42fuYUQitcx2Y}5i zD5O2>{mcz7xbb;~)YkXz02ZC>DV@hR+P&p%D^4Zyu%-*6eZL7md70~R@ND0=+Z{aT zUB^qNKHUXuQLbs9QSI(BaoX}A=AU|xt7O*_@Zn=VJvP}rUeMcx`f@>uWxX7rlhWXv zpZ{3`!%llAysqr~2JSb9$19DWMG!tInx8E5MsIhbm_N+v8M=L~0n*=(I zB*1!+q!U;b?(Ujt3d4gk9w(P7#Dg-@aY;4Y#op*?fG4wx8uZ?p7HWSAKPI8W2AUPC ze``>{jd+zEP({%ggTWBtNvCi!Ot7H!Ay>r!Se7$Ph~vK`^^`Xzs4%h{yaKzopPjlj zsGdCYTs7{#TS`XF+uXR%`^-6!D#g+({osPiO2yG8 z6-mA1nXAb0@=aJrO#SMa@y@Sv6GnrL0L{nc8TjqyX^B!n8{>(|)jYq1&2ZerkhI3t zDZDMCs3VG$d+>3IB0nJf{ytTtyi|HJ*D|$=OlFF zQ>U}{blVA09&U+y>;kLhF{3=`5Au7!$$*l}>fXht{C@GS1Vox&f?df{(Ql z6=xQ0X}CRiRZ0~LKniM z183BYD0>AKp5#VEPDn_C(Ts;Zbe~b&ynf&oo7SCtC&|tl+(T3t>NHCI5qp)ZEaz0} zfo+4t6k4LGP;Dh+Q5n7c7KfRMXC39&^UYy4{PmxMdtkHDRUFCt>GtLGhoro*?T^b+ z6uG(wHw+O8Yaulz^f+@=EEv@3v-tRMYx&mbu#!accS7Qv%T^YA(+W?wmERH~-%PI_ zAtHh1YZ=!$v0&4i``erWBAa&|b)*uMhQ3VHn{B*K1)F?|dBhTXEOl`8Z*F;=meo?; z;s}a1$7N~iVwvi<5;c^5zuRlR6x!b709?rn0~UOU*2N!rY5$hGyWq$a|@^VoZ?I|UYzwO8d>_E`#Ar2V6d 
z^WN3wT0A2`5|Sbv%JCrt6nuq6{#xMf)heiTXj73p zDi|3J;?j*tnpEg4>~&$QmCFn67=%wqSn1N!D2$&UXj$i~R47O`2_IF7V#JP)2&kAB z0NFLRa*Id84JovS0ywzy8!aN5W*AL0qEyCJ!W2mxH9c^T)SVgx7@aV8459HN+|Owc zrI#gNH^#h&;!FCtGw%HQ(kVGK3+ZkjlOM8$e+mC_BJ-V9gbyoL_28dLsDC7ZMV?>K z|L*zBq36ORKYnk?qh-ybi{SYK_@bJOkNtc+FFt%P$fT3eh(p}sj_`Gydi`_xQmgK; zs-Or1aGVW3SxlcnYhnGbj^$^A2TA3)) zzyqgcf4tZU4@wwoWrdr?V1!jsY1b@-yEpuEsQ}JR%7|OfF^OvJ<-sdZR!S#)hXEU9 z?Q%;lq&W;E;zUWRB^jVwwcML4fBU`N8q<;ON?2UKaT{Zt9it*Ldnff){wDGEar4(MmiYqi=)5sLxmo>E>-_&32rgrH@5I86WwAZ(`<~;y}NdoJW z4A%RMrNz_7d-$R~s|(!1*>O^N7p|4_(w~tG6=~|2MVk_K>O|(OK>0G4y!IO6{z_6) z-8xQD@wQ#bNv1scBHkSy@bB@9Pvsz*jn?z^ShB}`LQ>c3LiA=@%lcC;!ge#-``J1+TJeD_9NB%I-N5u*Tl%?RcXF$&s=aD3xAj;9-PId|9G^+(Z44{g1+A@~AEW$*$K!O>B=^>J zvFDBceoEVF+{{CRiT7n|#;xm`qx5re6@GSO+!Y${P6xdz_&NH%MDOo%Iu}ijZgeQ` zIaK-N0D!lsjoKQh<&o9khYP*CQrZ-_1?~RyYoT!ImuaUktAss0{p%WV|V(1w70LNp*$BV|Us}0YRKG$ybLbVgd zx)mx{UDlsqS#V>{SA1#{+qZW*o3jDE1)M_Te6MrTUToiKE$3SaH3Aw}vjRd`1ps}SO6Kq%Iel9}OCLd`8S(|sV_6-$sdPOFDs6?WKr!m7{c;~6SOiKv zBQbZ~d=~LE>miA5yoQ31nrE>p>lR0rnq6$?KH`|vA-FW+xIICNIR6S&8es{uk1Bx; zPj}>S+(uOy{t0yENdZP-Z91iw7*|sSea5)vy#^Z`V{ub>RYI9x1BT}ciHwe&{cfWB z4sXe_E1G6oW7~mLA)g{JwalYWHM0`3%+>vuu1eQ1DhzINjajk@N`;COZC*(vVhKK0 zmI+oXH8=1Z3Dfcz_y>Jqhc~Ze3)9Bdr2_e^N|fOaeutI3L6=BIW-Iz6K^k74 zHCz>#!hY3KnvgUc%AL5Zue5vv|2iidprKmIx5h?LoiG_hRc7{vqbKKwoB_iBS9g_a zB&knm8W7P-A3HQ#(2d*AQyqgi%47m0mhtlukf_=JS}fc65ZQ%Q_Kf7ORimH%V=}tU zVl-&>_Bk5xLyYbZTFz<}N5Ib&&7(<86VihFyjvM00#uw3lO{PFb+4604=0&nbs!;| z@wSBN6RHdPIFJj^X{dVG=A;$9ZY7=E>m*-UELf?9UJRtTd3nZY*>zHqK<8%Pm(b*< z-Np6R{>jRKI{XqXnx`S>kL|xm=OF&seO1EM!?{_viaO#d=$z70vsuGBEj(}2TL?Xd@t5&zjN!`PH zy}z--qO5?G{W8lWq7Gxs80>SqFfMLtSzmOrbJs)}sbEmwgIyUuV*v~2h3QNx<(>)^ zaAvENQDf_a;zY*6cJ536?EH&bt!j-Sz2j2OdC(+wg3H|xe3l+dz@*WzHw@YR>t3jt zsT+&1PhB|Y%s0WCO3kIxzKU?J{dgh4+9Z12BO@YtmR#mYm5K^~iDup+{WmOdqYEd1*-DT*#@ z9|^;oDAR#U3f=#9MPZu6jlU9Tzef;Hp%8%lrvER1$*d62l=K*&z0e&1YYr6hU&S|N zUE}aQ75bCdG(sR2!OPDl^m~;%GB1U}kMPvpM_|C>x#Ns^yN>W-&bC=pATwQb(PAGXZTa|90ge^s-^jeC9d$lH_ecNR6Re 
zZKw0CrGRtsd0;ixm<)UmbX9IH*jsGzxP}<+4joq3zF3#=*7n;%B_SV#oRl@(n`|+Ql zD)&)(fvtu*7!tp-@$~KT^7(?Fp1`yh{d_~m^&-M{LptcSt()sG+t&MV!H_0&o#w*3 zsq3X|RhR!TPL?b{6}o&NN>NFz zm}PL7@rL&H;3195H`|ENbSH)sWo&_IbYyJ7_^pUkS@-!BE_Ae6J3`ZTpo{(;74BR; zIS=q<884nh*`cXC^`lNYaVR-69V-w}Gq%pLCH-$hez>8IGtSyywLl2QGAdHTYVX#f zUF+)#@I!!8%Wki?&RGd5_Xn4L9QJ(c`WOy>$||*nW!2`H1zyB1wM0vy59SX`9I$Yr zHOb*TNeVg_D2RoBI4s0NTqO1LX>$|5WF$v1eH51_C>~iUER72hl-?RuA9adHGN4x+ zUYIK$sI96$^k+V7g=dWqC?t(3k5pwVtIt2u5FB;l>Rh{#r!aO$L^OpHJHfCfJw0rw zvY}<*d_S`sgDqy%^nw#;WTbT;AYY^v7xplUkn7TVaySk>h@s1;;no-BN%msW1%!X!c6Fb4B zDy1^Qc?%a#w?VLY2nE_QxR(71^72Y{&D>w%K~~M*X)Ny%hSPs7*4l$^zB2Jjz^QK9 z5oIZ=kont9#?GyY+Yei`>-T@moT3yS#F-fn3bfZcj@I%(&7~gsP*|%|v{gcnrKuRA zLo5_DJej&8>T1A1*D&HRWzXDre(#_IphRS_3Du9@Punnq!MVi@LH@cKc-ApXy{kaA z-RII4I&Y6&-lyL#eB!1f7ro=uE)^(3y&OnHnn%p>YG0I10&9>LbR+|7a@!@&Q#l=& z;Kb_$m?ZkzXohNE`d)rPG5Ua4LRt=JY!wCLP0rK%)*_O9?G5CMR|1ja_}=d?&&i{K zX%@|^u84895LDOLWviL^hmZvUBp9E!KnKcBoZ%{~_^qx))DNZ;;UL5#H6Dy9-tuNZ zXG{N)JoWx7FZ6a;k~*+NWRMI-Em&g!s@7AYTJrH^(ZoO3`8^}X&>T6;Vo|%51c}!3 ze4^$io5jo=>hvIWLg648K~S;RM3u935UOF_?o%z|IWoENuCS(Tq#KVx2Aj>spYL9Ejtonx@aUPQ#IG9$Ff@eL9G1)jj5A z+Qw{6>rdzSy?f7h;E3vrT zKTGkdSdz9!ek`j(#rmuWmtLQxdT5!Mga-CA`9RNjTnOy~tWeJsJ8zugmFTF*5yAtd zyEx|8IjIJ6C91Dp2=i{JBWW=cg}nD z&UxbyI6C8Jb-{42lX)$7vYNLdC+So+kilIk)fCN}?uT{P*^AqDZMAp-p2sxflvU$N z6~^2zUKT}%HM(~54x!nNrxTmq4|hrh-Y%OK=iU$guAUKudR-(=Q{QN@d3V5;t{Dx- zQe-PXIdiBc(PN(tIoc&cyG-&)JLWbvk2|%TH1EFKmyKxc07+icf0$7`t=~^*SuMI8#)W^lcZhay(Je-mK_6~rd_o& z+rikan>~H?KR0eyH!ojD^ZKZIRQjxutGx^l$<80nRI~Og=id6mX3pQEDrF>Nb+neu z?sIZjUZ#_JdB{3yuOSEL^cST$XlwP`tR*DZdX9Q)w<(`Hq_my4R@`a0?%v&U4a*Fd z)%2Z?E)TKWh{!ohV3o_joQ{=B>z82xZId+bhOTt#y=Oo9x@JU!r$WKO@j|S>t++&1=&z_tAG~{?Yrz z_2>SD=5qqgq=&&|R>q~(O%M0UuSMG?KDTMN*Ml-Gh}*I&-A_I$2CwT{l>&U171zs6 zKJYqtAwAPw*s=*yZL7>fmel|)$2X^`?y}M_DJvrD<}kNQBR)KT#He2r+ikCE*{oUf z7~5X8f}Vx1TDuj#f|M3sw&YR(yq2B2k~Q5cTmted_UEH2YGE@E?)ssufkGJlV`Oa(E{Jgv+_ zg_LDU#;ox*8b2TCJ&@i1H{A`DZ~cXwAX|yoIB=gcxbrkwtMW77rCGr=!7Nzw4^~K~ 
zEajNX=zfwwunJ|mnM2ZFLM5*ebYXWEw0vnH92HK}xO)qg5$4gjS?8j(21j_Y{BM5D z!o>%8TOJ$?@^)!N*N9D;-xsaP=uM26`Vd@E1|;04Y)z4NWhY1q;})hQno+)Scot!p ziQoB6pO43FvFdM*$OiZ*i&(3sz6+OG?}F&e$UO!{)a!#&sX;Ck<+>G)vXjSU?n5wp z9I{KLxmcMi2D`<4s765E{^*h#zm6ERD`MQRh`firpi*61(&Q#vSL z{;PEo+VlsE6^|wfbVQkL2InnS5jDYG#8r{d`A=zOclA{(@}Q!Iee$g82y5Y6dRzr_ zq3^QMeA(Y%R?FzV98U!!t*V6z%#YF%&K}Rje`LLGL&>JUt(~%NwwfMwMWOE<{WxrN zj&y;76fKPR(ZNO$j+^xo)1{C3WCSTFl6Iqzn`n%P1m zc9lFE{Brp&iy%*oJ<5frPn`n3R(9e8U4eb7IJO&gj@s-XLU3cXcuzl%C6OCPlCit4 z@v*~iYpYVg1fG?NAR`wWX|NciJ1$`iM zwm*S}$u2lqMG+OrkQ=>-(B?X7PJ_OFL>3b3US&%4sb{+@wf~YS8%ctT>Yeh{t2*^Z zV__cCR0tSNSUEj_mGmfAnpQbsUpiy%(+|1rn_8+y6qZn0d2(}w-&53-eGir%e}FH} zjrc^RRxZ8S428Wmbueb)TTiWvSuue^UqDx0jBvfcRA$&il-q3v|%^YkzZjZ$eCmAnGD_-ibdXnFQ=E}FCh){&s^S;I*yb(66_y4a#s zWdXCCPXdYg!Cg9sN+Bp1xJ^oQTV0!%#lV)0O3$!VlHPqUz>xGEWx6AgNP$XqVeZ$_ ze_WgRQ(`SiIr7S*771H02nkpNH~yajwuc}hj6`n&{k}Y8ud!3ITsaqjwfq$Ts@t>< zM(UH}dCp`#SsO76%)wv#^|ZU+Kz`g`Rz8B*O{#e_7T;m%ZBIFL{ixTei*9LW$CH6y z{ZCj}>7K5b*uNi`V-9a|9J|zs*6=ox_U{idcpDvkLM#tY$i&M0gMGuqv9}bIgb5TS zIGsn+i3nJtl@8$(gOwpg4^^dU#145OTfKQc>mpN)0nX>tv<#vV^SDL-ohBkrmZTTOvG0TAd+g(;3m9_lM zp9?o>rnEt$AY#I#e4O0TFc;84MpH-f1O4A(O&u>QmER5l7Qmw8;PChzA&krIPu703 z-5(n&8IT7tf={O1f@b}aWT|OH`YTSE`GQIoe?=3%rq$*AFQh#H-gmv@@4H@;8>rWR zN9&s%6WZ0AF@zU|M4|X@&#d{5KG=5sMq(7$Bq6Hal@@NB8dLcM0;@aBY6x$DT zXOKN?gTkjTO33a`4H@$$t;ap@JAb$6jjbl}EhS!xEF_+vK5X8Go7&99EZc!MLVeXw z{w&bhT0j4;a(aa4)M;B^_y{lsde78&20|J)T397=zm9)VsUyqBfQH`24igB_d*Tn}) zE?eWndaCxN2wyJu`{k4$?$CmXa3!uYQbNLXBa|MCPc=r@;%lHFgZ%nPdk-F~J$85TY_yAdQwyrB9 zfR5*22^GUtL=ak^pBe>z=ajZF6YIr%Nn~m!qYR3(=yPZ9-Awd?|u>h<+vi| zb2Po~W$)@{m+LW1ua5z^ZG`>dw8~|Bf}X_b8pw&-@PKD2?c#P2ggqdo3pKgusYq}C z;`04&lzmBt7oL9Hfo@E|WAb>?3hPV9o%0P`O%3qC}12OfQa8JsYj5$ z_o|&r_oT6wu4#Eu5?!3HqJ+L6Nt&M#CNCgjRk?|B3SSKNPO zUKH`1l9)%}J-TNL^g%&4f<~qSwvZMh{>>Ah4BtME7u~E?`LI)fKq0AaLtXaBDZ9@U z%X9exVI#H4VqUzMBKB%uTo1LX4GKPAO5hBN)xzut+btZ6T|R`0JUQa1Y%~;0 z%A`_R9!{LSFGAd6^y{Vtb6n}l=Q#Qtt6(1gv6tbhxK?@|t1xO~#`Og*9{p7Kd7$n0yXy9Pz-h)ROnV$p#nHO-G=n9VwKEPZasA+3 
z>EA?g=RrK?R8}p@H>pn8->}7HrKEJI=NDnh3!Hz{r;5`CyKpj{{=$90mN399PeGoS zZxOR*o@WxP#9Yzc8`Jc!!2OJA=!V-yPbnqX9#^(61;^$DKhtA9Wbom{gEqM~#EySi zsRMo#J|ML@v7S8w$CccoG0rbDH+#(T!zCvS)m@cUIH<`v#O@5qWPV1-H-J2_KKhw7 zFEgUA_A6$Az}(zdQNvNuuHVQWOLHeUBsepI1x?3=?TNYb0amT29z$p=?#(_z9kr)U9b3wI!$+qQe1FT*Qp(6u` z2TEYm6?4e6FU0q@_X9K)gp_p+;2-#-Ovm9gJ}{h-18O zXGE01D=;iwBQ!dzq-YZ>MV@YQFWQ%aB%RBgYS1#{wfOTmY+YfR(of%jf_&6#Y<69k zdG<`fekmS>im>!pwkV$CNhmL-wN>}x?v;66;z;~=6fy<;V}O6JC5$^uI6A2tqu+{wj1fsR*kj>5);V%&=Xi0^%>5I_sHJ0L z618e*G=@C>JoQ#_7TOib4c6=|L%Ey}NVsWkf^IP&!s zvD<^PL*JC36o3KWtu!z|PcjhwZSelezrp9O4tnNy{06jr7hK6g6`wy1NMISKn%m}L zdRZD7y7hNojcC5NI>XRCGLiwn2w?O1J)**oFr*Oi+@je!BL8uGe`5+40$Qx$v+$&me=d9o@K} z;>5f2>D;kA)b7|xDw-AotnPxcIDD?N7LgrOz|#z5Z+VY9k^5>Ft4nL->dY7BD|H=9dc^GeAxmZ}8uGzO^%?o-$LF7pM~Y8G1!@8y+kX>3AGq&q z(Dih<&AqOjk!@b*(HD936RkOP@z#yPtr@`uzBAh?>rZ1xZMS;QX6LSpsh!UnVDN<1 z*;C)`5Ly_$Z%gmDgTLMLa_Xo3woUj}Z+%LiyC(i}8}dq)0BZ5uL5BiRCjnZaE+&#Bq9uC)PG9iNrY>D=%6M_0Tbj|bu z73$RU&ZS=g3m-y@G}_}W(O%VAL-!Ki*LtGz*|p^?Sj*?>#=U6{YyI}q=$=&JlR+Zg zw8BWE6^dm#Brq7uf1Danu;C(4ViGiXd%O#^&B|zbYm+(_Yz~9GD3;3;s((dsk6Np% z)ZyY}!c5MSB7C3@l6(x6SZU-*{2sWiO1E$};g(rd)DcIR%BY;g3eM&~qv<7(M8SF} zT;7FeTdT2_5wYt<_lsp4Qow8yxDp-rMi1AVuMviuITBUnG z(W(90BFxj~3>l0cw6gqm1X@h9s^R)c9|X#Qv=Mz#5pcz0O>C#`;+#apKz9_?MlW1= zyVXfN`XmopE59&3V##E-Cz6MLMx+{%tINI$I;O^F!u@&3WEFmM(_}N*1$~=tYpV!o z=mDESHq}{6rgZ;64Ai^>BdRe@_-x;_&`4vA0ZRBq#ZliT8W!|%(dOnC^{BZKvqCjf z*>Sk2UwEEs_JeJ&(n?_Q#}AraC90@F!*Io7J?gC zqLf$Y8m^WGqy^*#=8MlcM`6gYjWm>#WNVIZ{MSFN`^UTpM_ekT38hG9WF`%@8yOy{ zy2CL9Ta-zn&4!a~>JJK&NB9viv5bf4s5`w<(rc0a)ia@>=9Mf$HewjJpq;ZN)R>}K zvnhPIb|EQX9Nh&HWuv(!66CHo%0}^yypiK_VW>H$R@d|qa>N%aJ{JzGdSE(9B!9^T z3-A#dhm3zm{`M`ng+M9z2e#d7@C>CP=G;>a5YJ`k`H8jf$KzqO4ldD(pe!13Wb-o& z$ewpvZ;uZnOI&>Rk#8D5A+s65o80R~MK*VY(qhXPn^0|L0BF220x|7?hY0A?m;usq zJ)7jmfAjaE=_tIkqPXlx z2S^aujGoG@0)89wF#Wbh?7vbS%>1KuLy1{DGhh)(J$}557}kdL-QGl=Bnh?48i}@< zGRc4<@uPw|a1^AfHO-Zuk_YOL+6_0Nw%KoQvniXx0`f?3_~!+WB36$MZnqvhlpkA^ 
z6z)odjLufoS8F2dG}ULq^VpPg*p;Di?Af^u`x~JSuzWg?^$!B%s{@&$Z=JJ*$ct9K z7ZM}%wVasg9h`RPAHLKKGK_U>Hm`rwhX;p7J*BG{Bu;Z7r1q7Mo> zW*M9%WpWs6;qy2R_;a$Zvj{iS{s*4BH}I;meQ_V5<8x4m!wStKRQvuT=hNgRG!FwQ z7?G$q)wc`!+5i1q3Hmke5>#ZHOU3{pT1oE;lCv9WtJ-3fll5{Gj6=$byZr>>Dhf>+P1_0xzlIcwb}cd>&A5AY`y3Cv(<_>ibeyA#Tg{OUVnbm zCy1KncN`hSC>Fb>)ullbIC~hxsm9se%ezw?N-U+Wz{>CR`G<*Scg>D+O$k+p_78Qn#WMPJNv61FFMy(@0i=I3p+h1AbP8P zWK~yd*q^^dQIkLR^3!DL-`6D!g0 z&amyQCLh;@4@+&*_3>OcQ`j~9Xo6SZ_YA>53}k}41QAT0Siu@7dBSQY+neOXBxht*?@H^ggrKkNtpVTq%k~ulfJEA zS85}@{lJ@{4#J)>a~yr)kdlwyy`rP7U9Yg}QqdyY;ad}k#&hF5qGi3R_oI2v?bqR6 z`%lY-B>V;F*&DIy@&!SD{iI`LcQZJv<_>KGJirPVp?pXc`BJws3h2^-Jb!Ch&e3s0 z_;Qe}dA|dYlmgN6EBNS-wT)@}T-ryU-Oz)#>y%>Ju9p^l+9u+Ms$6=Lf(hwY`geWU z(U)J77akrv64np9;+t;M(7)KtBhz>}3I4MhUhiI{f9^hnUOv5{zg-^sD$as8yON%4 zC!lv2;!J;ILx)wYqvR|;}&pVR?-tZbLi}T#<=sGgVpvO zys3%0M7?r8!L?a|7G?nVF)l_yn(l%NIL9z1tsbVya1)JI6dV|@l1hnLb!IfLjF!y? zq)ZAff43=p4Jjlq8XR3_!w5WoDaAHij)*cMU8B&CBv=vta}e=E+Q^aHC5mkh>w9t2 z{~_udyDJU1Wjo!mZQHgxwryj@ww;b`+cr8KCmq|iI`&#O`;L9i`BFdN9pfGIsaZ9v z?gGOr8|yt>b_+;wq;kb6d6oYC;}+K`s56y|*hjY^4<{>Llnn(pL0qbY>pZ7$WeDmJ zA!e6(UHwa*B~V7Q+M#>C%wm-Bhacf=5|eD)$b-cSMRQPoC5; zGvh(BdnyWEZ_A(7QJIbM5tstFVaU)(??U~EYTt76{YF(f^p1&&^F~ZQ^*Zm^W~~ORAJcM&+Z-14?x&3S*hvoOeUWW2}rjcNHpRafJn`P6V=N(ylY(vbMUm zCnI9GM`tLLQg(!KBFLkX0>O2M65|GTMiX+lvvQ?ekM_)6YqSfH*^UlL4Qho-)lD)? 
zlSUSrtp`RalThG)E#E0x?L|3eZpH=5V&OkX;pI$JCn<>qgT|$8P&7vJzVKj{ohOkq;rP^~*V0!UmOo%VMw`vFir|5T*e;_uu7}Uc1<-Q7O zpWh1%2fme~UzF+?kmYTwe!RaDy+n8bEfdqS1F&a{9s-g_#hS{&kBQ^I%iimyNQ^K6~M=hhE)t; zNkLyJ4gb}0p!f&GW<;`eQMs(BHRDcy8 zzcIILblAH$p^boHC#=$$O-j-(`i>&Umc*%aC#FMzc{XuE|wATw$0mI*- z5)J=FWbija`sv7FiPD*pXMnL2b`Z$NeRKR)2H31fl1a49xr*$SnZkb@0h3wCg;lkG z^2&~kZdz+(uDn65qB<(k2&`&2J(BO-`=P-(Q&d?;QjnrOj-{-HM37VR$2VN=VRx0p zIboIgCq*U}0S#`&=cRDv!{WF3?>ZPAEJ~&qFzLu_KN^NCbKGMz%sPe!a%wVS_0ps~ zw9>M@-{}NI#&}Ex&ozC6YsxDD@Q-}jWZy2K)02W!VGVf6xCsZN56Tfji#evv~<^ zKa7gF@!W3pcZs@c5Ae-LI8H^>xxVwm0-|%fMp+uh-Ky0f2o>n#Rn+4ghl8>tK{GJ)d_fbKL+>%SSiiB>hV5dbZ|)yhw0Ap+slUUcsR#8 z=gUvlwQ0Um$xXG$c|31?-kR%kI73KNUY5bXrFI$X;}emzYh}1UpYxxa+Di9wdUi3~ zGB1DJ&Ib8Dn!jn*BE(zwx~-p6ZSp%T$Gx2KyvlWlq3rM_2&nEXfv%L2w*6e}Ay9f~X4#(QU2=3F|q zgS*?UUn`G31Dj)q`aaj%keS`83p=l^VH-xln@qHNp;d1{q+<8O5<<{qU#S&4mXSV>(k}6*CweCoh(ZT(c zwZH3PPBRbB;dvIXI=@qi`}=RhPhoCQk|Dq62#pW^Fc;x@4oK;3SAetQ>gvJ;iEWbr zD<4kiGx;P1R&7219NPKVs*$Rt* zrx7PY`OkvyJ*k;uzsBpYg$&n0R}rT|(wX)HDtbU)Q)lJRlWMG1RgPMn{3`jkUVB^1 z#hmar*x8DA+eJ}2`Ql%HB%X zHZ;2SPl4ZMt#cFDiIX`!`^SyQ1=P(-nynGYaBNUds2vYEe%36_Rpr8OF=Ok^iFb)Q z!MNHwlL~K0wIykywHN@*C8Xlcjz-wElkZK<&l5>g<8;k(Zasrn-dbC7H9U)v4%|w% zq2CEw&@Y75MCY8_s6&nnrj1Qx_KUMtmLrrnclKO-Pnq!#!yZ$v!~c<&DrQ;BBPWYD zpS^ja`>+_5BGm4W1)Y0v)9cDS@v16zvP43QOD&ySr_%1$VoD?wZk94+5n_{?2f||5 z$SX6VQs77dC{ApqK|%MgMGjUB8TGmYB~vk~W@^YIoXeOdNc4Z=FcJ0|$0yb_nl4*L zaM2f4x(vzAJ6Gi5AcJ99_2`nfxNp!2}&Wz*FmL)EYUw#3-Z1yMA zN=HIl9s|x(Ah*);iW_Rz$=(XW4p&1hx*1A2K4({I-sV@+FD&o{oaGQHWXKfKHd5+2 zLRfc2s*9gO*@Lw15*Od(d6sQQaX5*GvKvfkxMVuLC0@%;K;W^gN%`BdA0+QHMf6;t zfBE8PppgN&PTm%Y?>~Q#<7-E&&?|lzL6>#UHcZ>p;7uT=SRGOsA=Hl<3mMUA!=9fb z=YYBRwayx!TSz-OcLx2i;t^O$06g9`V`~s$ zZK@^Q(Aa7bg$Hr9=xRBDo7IZszymav*t*Y!hXyL@y}@!PN7QOuS(>dm{7}(jD-{8m z-rDg~h+~=JNCy-NMHixAQYM1boB#|Mx*-wR5-F!YC$T02?YTOMSIF11GEgOYqCa{! 
zD0HVdbr6#Z(;LR?rs4-6m4aUqqMEVEx^@mf@m1YO%uYU}JfQQFQCWy5Lj(mn(*OXt`3e43zDJX=qX0BqZ z?ZcVBBvzWUxbwp(fqJ>YIF4o00M#8o_v~Lvl48t&Z&r<_v|~L#V0B;VkqT+#penQs^kaI$iQrf^&`*&Np#&Lau^H(OxHg zBotYS4p%{CoY18%P1^^Rnnl8YNwJUY3U=CO&g@0wap+4aoUx$>Dd60eIW;hCdwiwt zrn_x)3-t_6TftGWDa)(Aj{gl%iq>DzldkDI&ek8PnOd)McRp0+o1z>Y1` z2mzqgTTb(dd>&^2t*!fC<@>yjqq5TQQ6eFaO26w33>v+E#e*|Bs@*p{mkXs#o?3<; z3sc8-tsd6Xd00eK57(<_^RGXw(h)rT&rcM$-S?!4HcRTAXBqEjy61dOs2qqYG%Me? z4ZJ4tp1g#0lp&7oZs%I_r6uk7Ei*Gmu}%gRO$hzBBT-=K} z+BYtO6}!h|G?D9b{8s=g6wkVM;_&)Mc~C^TdUc39o3`7d-F=?;x&|J%4qss=J|CTf z9c)Yi7sn^1x3p}}y^aGKH=C|6=Qh{3BX>5okIV0PSG@h71LC?s883zq!`}5;sF>!9 znhv~P>4TX+A(9&b_S=zmU0OFIUb<8cp%(c)!))}dM4nv_FDOiQ{P)W>etSl~XH1*= z@#{uwmRJF1|5gUMcmRUR)OAh6h}{~T9(j51Dt82@ksF+zCZBH(%Y82uZ@twmm+FZZ z!E{gS@40Ic2EQ&FR&H*zj*B{Nf-g3`*I{LW+BT_37qGoM@{ZshuXZhfE(XqFdR@lKZ9uOp?LvkDyEm_(cPbHwrWo03ETA`1Mx4 z^0^So$MRN%*x8BhAJ=>)I+^?!{n&d|giFImO_XJ%Pi^{j{$;~?i5HO}RbyJ%Ty@~i zMO*~`>%K#tz__qq)jI7+t^|U-V3*bsy4XN48qrgB&f5 ztt|_!z*ciYx;n|B!Mpp4S6`2CJ;XLDx|lvGTqKyby}_AF-QLt9HQcstPi;JDQ8S7@ zpLsw9%j(Dvjz)ps(&T5a!sO&4jS3n>VX{TBRaJ*cxJVYkn-%eR9Oludgrb^E;%`sS zALp)VS@wocka`F80$DvxRD5P6*WY%pvcTIV8J}Br< z)&2=T9Cz6J^FR&Qnl|Kx^Gcf7RD9CAl?KV!soh)3?cgr0B!^Vqwz85%S@FvZ8ni3( zO&XTq6v=-NT{wiH@jfXpdDIJuG+3$mnj9-KDguo(tdJ@w7e~g0n@KrKxsN&~d2~pP z|M;a@iWF}WA&3-=Ie%Aa8RfyT6nCW;2Qt^6ASvEtM(GtUCW}lMZtWs=`&(}uQkiT^; zT8Zn;2d|edXMh3F*-{-xKFijdR-;xqiLK9R-$zbBC7og%e7*fIVIX25evo#_(J>M5 zfIb>jVU1O3hRuBQO~jyz%-F@`VM7PU{&;c_7v-L3$l1HIBQKcFh*H{pD}0R>QMyYv zPF|2i8{EvKl2*G6?;HDBR#swsCniaSh6X34YxGaK#)OG^Yd9Jw9Y$^1pC8!P!Hj=+ z8DwP4MEK3|&NMjU;R9zY(ZVbuamkttRPU6HQOCSSXxqE2D1S{jN62I(15$AKPRa3O z04;;R(U{1C-6^oi(Fh7GO92pIA}+ff6tFyLCnf>h_MUc4+;ea4UE1o88r2Rk@LT7* z?AuksKYl5xD9_7>;QaZ<9#oWN@MoTZ@gd8Yqg0IAccqEqMHaiD&uL!)K`U^6CFk>H5Q^MchCN9z+O3s3z zp7;jIcmgR-Q#A*Um065hWX*EZ+Lc!Oi-ty`$d>|)M!nbEWXZN@H|n)VQkJnauA?l2 zIzFhdT6Hj7DYObEu4T=BWZ@tErQ-{?)qqw1Z|`D_QWG@BrMO=({c)x$WYnr;1AogA zAj80D@@d^YvrNahx3EI5m9BXp#OMDo7i|Qs*DT6YL6RU&W5#}vkk@VQ6!FuOamTP&?l~F`O 
zOKtvbma*;1Hd$8As9brmavi$fy~3y6*;Zstm-Sx&L4XxI-uavf{d)lJw4;E&By`zHvpydXi4wdd3pmxk`dy*%uT$5D z=idR)^zy&KAKIz@#lFpaAe4If>{xo?p-N($gk0o5NSt6%`L#g8bO&ti(ja<;`X4`i zv@tE+@ITdH1qnF3n*POoGTOGa%h(h+Sr7I3!Ts2znD-ZSlmeIYNW{k3 zzgsbSwq#-3bq98zRL`_}GcDvFUCSI0cC@|uI^v_rcMEvQyEp7Y);WVmJp-NRe%Z30 zI*f^B_|y%;JvQ8^94oN`o(W%XaU^;9_}vt|+S7Ua^**l@>zVA`dRhk^91J2}w%C&G zdSB;9{(Su1<|22ntrM#Dxs3=I+X>b0Idm!=J=XL7lx2JFP8Hnr9oJfZ34!_Lv zL^W5nb+1xni%xfu^0$sQe-Zj!DDvUA48k(mX$iikW^g@9Sx9P8n2VcCEkvvsLRS2IpUFU0{g1@nPb1DbrFavx;{D(WY>cStaXE&zM~)jKc=GPS5I? z)pfCPBrU-(>FC5-3Du@BO4Et>69Lku+q|9oZq2uF(8*j;o?VHe3WH6*l1EN6D6Yha za2daP>b&6QNP8J;RxZ7Qvd{uef-R~lO%~NQ{^ofQJzF}ynq3GvRA!LuR!nEUIWWm8 zN%e^HsC>6lsNk1gI|ZIxyF*~lw8!YDeI|(tuLb1!V@B7K)MdQ6p%n+7OdAl zkj#oWG`w7(GXIE9ruFC>|45b*Azi3Y!V-H=XYsd1SRmzRhMeM36t@jbo{GyT$*7z@ zyk05%Z!_tX>at8!@524~NDC&1L_1^=a*x1;5J*#b${>nTx0(fH{`Rf=JF>-n7kD^a zH0ESTfKH)WUJG{P`G5qeI+sZcq`3Uh&*laPxHWe|Ty`gO;m0l836wDAdR=e%a4@K&jIg$0+RlBprSDagZ?R`1IiN{ zSW`_N@ddw*5oSaf2VJn25yuKv(Zfe*LsQMm@w#q?u5L+$D4#^n7#4RSL*|F1$b^!e< zT@kPmnecnrzHKSTMy z0K|fd`E&X_A5iuV@};}I0T$bPz1{6}f_6bSlNl0@r*tn!Z%n|DfM;NcD02$=yeH~s z*?T`h7vif{$GacZO;u+#l+eVl8OH7py?})$N+iT3w8I6%e1zV}+TMXZSOf+Sak%xn zhKnYm-maA%y7cbT?biI>r#f9j-S@7AVg3B{yo`JMt7{v7{2MZ2)PiwdDxvGYa<;}-$O#K|D z)!J>7JBeBMiRC-JQ-s|=0|^9}?+O!HLyO2^yh!dC}z0OK`%dqLa!@l`Drh{x@5{g+V7 zhqVino^7!gQ(xx@5n|>>M{8HUyTN;o>ZK2`E5U%vhueK(v(`fJ?ZC3-bd7IW%l&Dq z+`#F*oQpP_-|^*<3!n3%hfPS|?w!wmZF$|p@vqqw9MRTGu6%=y2x6gqH?Y}sd&6l% zQA7Xb_mw5c{eJBdw;J)fV_gr@7kD-$==YgNH5!$6An8 zee;>K`LS4W+j*J^?%=66dp^6Dzxi+&AJ#`rRBYMKA1ziYScoQjD4b5*~bsD(LDm#fb2WtnRn>N;77?3uJ{HgQ|~V1ZC? 
z`>A($Eo52$m^}|Wi+iRScW9| z&0cf1lP?(XrExJvHAz~|s9p$F&hB+oTlOpYY8EsK#R1k>k-8FASr8iv;Htwo$q5)) zxV!ceF1JoN&U}Meld4(S>`OYaH`$32Yhm^}1e~R|?6hl$%oS-7obzQ2@F(BLjK|3KyKBpg#e)F$U%|#}PJ)XnsKZA?I(Fw25AwaMfbm*R=nAs_e;l7wnZi!KR$WF6 zFiAnEqxuGf(HgSt3y&IXqf~m?FyWOyyhPP`%xA9sHH8C#cg!iOCQPcmQ6N20?7 z+r)91j@ydD^SBv-itEYIRa*+1VowWGkqh&II>2H!yzI7F5Ywi7hK-LLM2J!*6Elwx z5rV>wy`rjx1xtB5%UTlnyr7B|xs+Y?^8!sgdZbuT^|`C&+g;6y7joAx~PDREEq_gnGK^dK$5jAP+H5@a20hYS}?xRRV-xl5Lu< zz{W3Gde&=qXn_x2peShStE4@}1kS%rDC;SosOjqn-}ye^LsBQ@RR|ydZBUI;;)QgV z%(Ob%QNo&@^IwddmztKb%7CM-rgG?5QjbC@E>8x_C;LdpXFK{om> zmq{BY`HuuiUb&na2xT;dlq@~O@H3g+C1W4t!-+wbkZgNqHEi@YJa`DW;mVJ1k49k3 zp;A;yO*qStYb}2`jK}0t&&=vWA*?7hWOF5i($6T7|B&Kh(TGT)^4O24H+reFQuk4Z^Yqavz4DCpZB4hRW!<4Ca(*y2hDhsFuz>qw?mRbKE@3B;GmovKOHxN!pI@-2RaOC0wAy3|v^ z!A~bS`eV~*$r{n)SrRWQu5xf&%?U(tILVW9Hf=hla5L&t(PbO0%TtwwG|;lnl&DGaq@kE{0dLhtvI8$=u+y6JCI1|6h0*M8FPf zyea)Z@pXInS8P8NFr*9yTa=jm72^ZyUGNP_V%HN^zG&=Ac10>hvhNF+nXI4bXXL1U z{R6{RU$xV-j5!v)vXPFs@a|s2kw{sCYYHs=gGL9moLlF8Rw}x@?HB>) zL388m;~7x?J;c)fVb=T?R~&gg->s5Wz{SU41&Ok*?Y$urw@e3v)@{zGM#tr>&kFC* zEAufX{u9l|-VEcHtA~uR<8i^)_~>tM^Nu%W_h&TEXh73osVsaRA)(8&wDZi4U30TP z)vxy4)@=p4kB1)BG@X0A$Nc*?904y$ZSI>pQQ*JB?+ziF%X$|bccYqWY41nNz4`Qw zKUzjx`S`t}TPDyfRm=4@FMC=h5GD!T#^c_7op(yPcAS693vEA#xb3HB+vv4E{EP_T zXH$Ie$i3%N_q(rEwb%8kU38JP^F4uuOBPy2a>9d3_YiQqJ7}-tcf2`Z3NYFu=-%cr zJ%)@xuXh<a>cqc2Q5Vtb3S1)>jBZ1ZimaTgYk=lh_m`^hKl3l4V!a! 
zYW2X>$tqKO8jP;ef|fc^qKMoLfKY(JmPu+zu0hkKF!Q<={uqD_> zn^t95z=c&-u@Ps73iHIm2d93{Erty(h}Pg8vv9Cj=>on>KeUk0Ds0}BP|^TXf8dmdPOeQ9&>LoXH&A7!b7bP7?m&OF90&GdK_=qe5NYUQ}A}1x9=GKnbOpp zI3F90P#vg_x8+}oY8H*qz-v-$%wpHRVBN0cwABFzA6`&r?Mfo0mN|CqC}u<2Qiyqy zwWQ{5tED}ZE~_mtG*KBu1&uOkLz-YHsz}lwrfzzaU%DiJUo% zhvI2jf{@_+F9)~CB}*xT01H;DEzq9uPFa6ZLXN57P7$i|G_k)U@+ELxvnW-q*3EbJ zDNQEGfhkftOLOfLXhc5BROdXVx|3WXChk!~lB#UG=7LpQY``gP}fq%ZFFDx@QeWiGylhPZpoml`Y~ z^C_d|!50>kGe?H6paIK>{!YrOk$^joxD?pTTs3ksh3IfzrOBm7_$(b<``sUj@DWOh zD_Rsn0SVS*k({(Sh3+7#>P#u6a9uEWWn=i<>bHhXN6O>_99ix{_qcbxih3aPMqxEP zQ?vNoMax65qIMW>A**P0X6cAY5NmTAEQPt8%py*C-el_^e@S~l(;1r8kBM*5obKg7 z1=599mB5v_jhkO@v}c=0}Oi z&|HC)<}a!BF*Sfm<;p%TfZ)#!C?+qmt&dp6Ocs!%B=Ul~r!QKAZ=E zB@?mkVZ98-A~8CIR!#-mV%>R86)NR#TBKCe5A}8cpn8FhLKT@CES$mJ=qJx#W=H~m zBZ`nNwtWVLdPS|3CTHUK%xgy@XvFLSV{FMPeCZX{oHbM&#;OUFT}KKA&Xz(V^I2O4 z0<@_P#z<>~d_r<|1c?Qs{{fH(c+8*5ubEr0@E-8xIOzuAKLtAP{bzB^E-%cTBjX1F zlK%V!Lf-iS%Ixw$mmNUl{IxPXq`;D$B;yT<$1m678W1097=Q>*LH*Xf~;`w$x zEQ|1_|HbvbhJ{Uf&j=A2c26Ale+VReyj1)Eef&aW#KP0v>PKl?P$pvf45j$E%ZOb* zsn53FEHw0pc`J7F*ao&QWi@OJ=N`R9OzR&f@IcY`Z1gM$oy-e7+g*1rZ4Nb!_N4k# zwjZa?8Bp=>G5Q^4^nbqLG%Fr+UTyVG%t?NjKjs^3@ZCpUrEk6FBI$0$1~k9rkTIqk z@Lo{2zY96xkn({ z2~g>HFRagReSQCmn_s>|>W8~ldtUQmvY;>tBLLl9^T=Y~g?EEqOV~aYtDru^=yOuv zB|a^i7wSJMI(I3q>JJEZ_;!zu^1Sxu=P51uZ<~iSxaeIHU#c}N>|Ivp6hH5}+L<=M zc%AnMN6N4admN7&#qkjlXs4=FZa4{E~c&xLi!$xcNl>8A`jc|2N(+5Z&#g` zJ4xElHOqG^)BbPK>JGWt@f!Lr`RPqqhPAoPkY!sQAm^1_-|?Dk8K#!@&coUbhn)ke za>D1Q!&M6Vw}-S`roNNJqc$ziqZ$r{EYNPQB+2owMbQs1_SW!KoNLZ zqv_vyF{o{&V7}zBE!dIWdG4s8Pptot1LL_Q9Cw5q^NVnU$L)t4@8fS=G%ni^hue`m7QX!YNK*QT>k#eanq; zn{HKjEaO3h7q-%0Cth6@NyH6;K`jbd%UZ&L;&C%WSxlMYhFSMu!4=Nl2HLPS1HB3I z(Wt`1Gyl|5zHs;!0Wy^N7QwhTe6Gl|8aDL{C$dP^99YD(GN1>45)0%@1udYbut9!c zLM?}6apv5~ThA#lO+U3S59DZ~l}igQi)!pbFf}8yR-}C#jWY;S3v7^G(XZTWyOdV0 z8W&&@tuz5k%(kzPsLGR13{;^Z>r*`?LE&1YDNB_%w{@65V{0OWR-USBKlGJ`Gp)nS{;PtwP*49OJP)8$gP@DRgW_l!N3ZFB34Bbyj9rjl~6hzZ0U0ldBs-5Z%#h2v9t zhrwPidNI|95HQuvr{#=0L;R2`@b70JMkr>2CLd{YURy0|8SgMJiYB^$O-wSo;|Lq? 
z91rJ4`Os>&iGiDNW)MY>1&6|>#OyK>KU;5Y;SQP&DpAB}H?#pFy?aF?fOv*=#MG2> z&g=$=8vZ{E{+hdAB-ppu3@!%Xl!kN|5oGk-fvvIesE1Y~s|ADG2!3H4b7HBCZ~^6s zfU2^`oh&1ZXK)x!*CX@VtKJ-Wu`!%pjMpSqt{4q(+aeHTbd%K6sG?LivsbD|KXP z%tZ@Qo}!`V@?8h75Y4U&A$a_w<8M-+8GLl=Px1m3)1x=FBD?}pG!6ZxlK91F6qinE znq=8(gLEs(=%$d=9IanJ>(-bCgK<{^rB~=s(3QtfX0d>#@>_ob?udYJAmtqR*VfO7 zyf-n355=iHU@MoN(3nd~Dx;V?D-~X>Z9mVSpn~i(qeSU6`bdlelxVeizrJCr7r9YQ z$UIFdNKxK7m<2R%@X_T}ajRJw1c;g?j7vZf6mpb^UCtlX*SPITZ++(Ezd^|gkOXbq zSkujbfPHNUGWDPhZIRS0KpcuJKfA_h^kTJIH*NvEZ}Wj{vWZsZdodw&xs1h+!&4DW zk%Pc1Q4Bd;DnCPjrF9kiKPan`K>6+>YqT*_Q+%m?_>2S@x5X?S2_HKmcc`tr6|u&` zW6i2)e3he|^=GYW(b&zj5>u@ZhFe(s64I&>5CW>-D1|eiz*R;oXhu#ZgQ2~)W@UU1 zFf-la6fsq5WIiSvnQ+)N)m43}gG9(1!-C0=AzU8uO`dP2DtY9fDw8`(!a&}`gst;r{6<9dT2QcbXecns}R(bK)2(dZmGI^$ClpS zqPc8#&BsP9BEk*mDC>c*JInH@ZuR-t_ql*<%?^_=N#}FhwB4SG%lG18976W02;{Up zpMC?HOgMa7dBci(>i8jaerAZ#)=~fX(3t*dwl)wkna2w{{B#Hu)V|F) z+7WnagXpj9_tI*aH+wWBdSK^02vLkFRcyQWxOzK4sL$%%G(ej2jRv{ytPpj(r7%v3;>RQk0G;8lKrVRS#`E33;K=*iWPuwil`JSb*<#m5(mQG%px4nMa z|K*gmZ&=IouyHuIwB^d1@+$^5gZ#29yDy*aVkiuFp9(CSF~rsMN7!~P06`5Qm`JbNE?5bSs!m2XQRxGu>*-NggFTzBiYy$=82ji>%*c=9uv zal;aPIaC-1zIRVgZFb9f>?~REG;0@)Omho6|-k_-m7~*%}T~?0HaH3>o=bp8qXE>b$@{YyI|)UZ5Y!}M3|`6{2v@WaW&_gv<=ziCtEWb^U) z14QtS^mg-Q(0dQ?=lc)S&9}!r4Oq?j0KO@b^Qux<)r6Wv4fb_`e9u1er;%m?nr3%6 z$z}H!Z5qZtcg}z93%zRO$v+lIG-v-^xy-ToCeUceF4grN4G2EGgs)RWIT)&sM}tcG z;H!8>W#e5w_S7X`t)sMuEs|^;VI)2`mATA}5c*Hp-jigV9VJ&~(%*Eb^^O}F%WIW( zHQF?dPn}EV2zOBB5A9tk*m8zhwkg|Kytfwh?YCS&{EuMFt;+d&ovKbbdAG82Oq!7_ z0&!OB=JXO-^o5u|1B<2K%PBL}5Xqq{*nZmNX8ilM5jBF=pdP9}F@?yXMqjXHKT63K z1xQr|kg=)O6)Yu&bb^ym`V@ihLEs-yN)L#L3;qT}u;(dqNFS=ysaJ^+=`GAiHHH%r z-H^d-f@VF0Q;xgFs+wvX@_?h?p>gsr#4a|8mgn&+n7TM#xzC3et=a-F<8ZN1$WH(| z>iztMo|N;}f{IMIR_)=N!qMm}RT5eRUQD5R`aH%GO?$qo-W*s@*|gTSYF#u8yFmE3 zPHfZ7z^g15L92_jFffaM6t&7ku^B3(F$PFWq%SsdtV$nCb3{@C^ybJ6lcz~`E{7i5 z{L~Z=agUWBlrw6S7CEQdVwX&^XcKF9NtI*M&4;eM1;4`Pu4NT2%Rutx*}M!?tIEO= zKalvlaS*3h`A1`UPoxOOrFBT`W&$?{f2`{QsXIZ9#SiAj^@11t;oYQ;I7L3CWwk~E 
z>msXAs#iwJx)kgbzHCA#*UlruY_KvNS>nK4Nt_!u8VdZorKHA>Kxrw~{igHwH<7u8 z@tEzHf5<1;%^Nky&Cs_&%FR{BoLE$PpmuR-h!3RH_QI z>QZPKPP1fLp7*M?@<$ul%*t>vAkttbhZk~O#w_5&&tKIIksN3Iy|a#($xby8C9BdG zuE-P>Wjw4BpmlcMVk8);0yKs7RmVW8k4D~B3?us`N{s2`!56{I*U0xM7fsDko>^lU zu}6)R08CjP1K#?V#6~_9fyrOWH!O>^uOFyT8q6w!;q*Qr|J!&!0^FP8)8K-H#VVb( z{@4^%ax?+8`4apTr2@cG}Se*b!n;vGAAKp!-g zmliv3laT#-o$fkG4G0&8pou9YM8R)Rr^&~hwdJ~sUaOBDi<#vJP6j2D<419hEv-sd z&p)Dy)9f!w^zJFC$3lKEPILYuPN_aGHsNKtb0G_zo;w;EV($twL%7P2P?Lwmka70* zXH%uN$Qle5=eF8KUT_I2JG0F4|1X>b{QONF6TtLI#nB6Twj1hyp9v|6^83b&z!^XO7ghRko-My?0{i+q)>GZ(~K~Ej%nrJ86>3NAMWhLM$ z<8`#o6*4rxd-w1AjBXY!k1pu(ZUeI>cWW;(IZf+0Y8z*ZOF`(oC!!F8vrE8o(_8V9 z!RLcf<6P8kk8cxjy;t7UHP@K<^= z;A`&6S%9!!h}wy`pQ(x^pA9WLJtupw{|!P2Xp00J8*Y(>xm0b|@j83h5yxgk$GY~v2 zzxwnw4#FYPyX{4K59nPOKP(-jzn!u9OupN?ujMblU&Lfvl-9lPUiT95zSl-zMOSpP zH_E*Y*l_wE4SWve>#r9BA0+QW2UzIxUhaG0nzS?=_=&%>3tP$oQ)s%M{osz z`Yv?S$$y=oZU{CT?}faHe%S%i2>?_?n?LORO55)vpon^OuTzf&1#Sj~^dagxzI(mp z3+Vt0;oL=@41A}M6h6=#uUS2^PVzF>OIuf2+H>zGI0I%tJ5C@jv$u~K4~#E~SME-9 z@@?-mUJq3?(cajkGUsCgNER^uK@>Ip@$Vxdo7RL!Em~i$4675QYoq)zioaxMnH1`U zbZOLqnHZ=$*?R8npyW;}IP9SoEg~CAkBza-v`i<@pUW~)EY{C-L`GtW@~+x$z&`nz zcZ!i*K|&(zEOInZQZqkg@BnIfCi+*OY<}><#EPJMY|I39mT18R5t_VoSz?{VjsRV9 zCO4njB9E6wuPiKF)&%~OP&k3cCj=g1O*V~M7F;YmnD|3b^5~r(7DyELPy7Wav~uC5 zFmrM5mCI?ja53%I@3XbS9Eoh2Qn~I~%e@=oq;G@gsvaq6CD`yqqJ_H#_o z=eSi*rSXLi@7-XNO&X}>{@RL&Qm9>fW}?!H2+DIMvCdsQdYWP)8gEoK#{6xiE8wDr zm^KS;D??Rshb3wRmVZNmkV#<6MInf;-KXYCjpTQ5^rN72^)6CMY^B6{^dc3?%l?U} z8v=i0c6ShZLmKNX_+ym}2gj1$j9AC59;@JJow=->ErA7!S<~*VvuNDCRgl+Sl}+N; zKpCP6;1UbcPoZVP(aT;XpFP4lOE$`4ps)&jL*vzYL+;OjRU|jhCKtq#^a*20i~&O( zCJuwtl<)kw8MJ%WLN&86fWx2m#oHJfGdGIghSRi(7Ar;ySMg>2_dYQ#JfH7k{mHsN z-OgEyNS9=*XYeT5V3A88$06$y@tGEYZ9XG!3x;Z;sf-RIUs_@b#wzF}j^{LKUFcCgw1X1B&I%ugGUq8aevapARrL5zmx z%{xcDI+TgEKpU8>i;8mdA(v>)`|haiRd776zoPPl#BWvIWCKHPuKQ` z9D6G?pTN)+L?4F+i&QOck1(|YOr&cft=xMqyoC5eB!i2)K9Sqstn;L$2K98Ok|k_% zbwW8goBcE9AhbvYaG3m3G7Ba1C3o zYE;sS1Ah2K(wmgB!Z~*EMeKcUCHdXJS{l-NQ2yr*bl44u4s_OgBBUM;@HGQv@(paC 
z2u)FJAtAmH)2oCzlR~OPGgYQQ%=wZ$MtaxI+ogI(@uUptj4C0c%+bEpzzdt$@T;c4 zPy9x&$to~Hxa?UrhOiPNN2h0>I$LZwb7EJ~Vx%t>Pe(Sww?l2b;;3K*V{Z&>UTeEd z@u8sRJ4<xD&hV!i(7H)jsdlAVrpmB9wf~ zbt~Vp?lhbiaGEd|9}t@uDo7@I)XO4PW#pQ_Q{#a%DfSj0eG6hAe8-TPc@^F)wdE!< z?_P`6`B6Ma9QAWF3R>*21l>AmL=BUiC!r*I+M@&~g(NeQ1|{ldIf~hg`kNh>^=K@- zRn|RzTQ~ylPraJBD2vL(U_ZL2V@3>qi8`BmE%tcv|AYLgKqYEW=xq0%{S?`%qkBTTF(0Phqvv++&!}3%`_3(g zUiz(OJ^rgRs5X5-CxT$W@ksmi-Dy>bDcAPLq!5HZwkGH6R9bi6Q>Rco=Dxz);c#!g zVZhupUs!+tWf+%(YJm5QwyT5pwyEaLY0u|dce?(+>&)&;k40-s;1Lql_1k6b|0C+G zg5v6;Z4JR8KnNBbLejVdcMb0D?(XhMaCdiicXy|8cXzi&x-Wm#Ip@C2hyA#B)gHCR zm}`9RkzHO#htJjZ`vGDX-j|6tLp>yH8}>7n3{~w5;O?BH4YRpOHQw#0&dot$sccQ1 z)w7rhy5j|gtumYY)s~$j^%sZ3lLK~+R|+@pht;(#J?BHF zHR6}1h1L_?^7|+BB6fzSgNv)zp>&dR$d{`wDq6Q~hU_gdPx;O(I8XTk3l9W>?mhX{^KU z&2FOE`>yYG-`c*{7Ux0bUq8t9eb83dhSrka4YFHs@1~dww_8Q$V!;E*YI!Lp7=C`i z&931=qnzIFVh@4X<(yZ}+Wx@3-wGZjK~0ag!ixmv@_HV~*7-VGpR{@(CqvLZ(os9? zJx^uC4xak@Glxb%(&WwtF(0t-btqZ18p6WAIsi|46UH5|V5irK;;b zArma;x>o-@u0t?lX=Ud;gEQ$y-$J2o1U%_K2QQIyDm!GF70eM|W!x3ijb7T>bglCi z4l#Y`Ib`Q0d;Rs@%ohTb1AvJjz4sYQpos@aYH36kbp*oH`)mIbWQH#X0yLZRBVEvY z(^TGRJ!&ifW70}MvQOY#(eb?D#g7!N1l3(L{5K+ z)+29RK?5|0amuGCxZWQH%hZ6U8%1_PfIW$Ak~uf~j=#kcnyDxKan!Nt=&qrB8S9%V zw=?!XfTKu?$*`m?;m)b`@=t(1L(I!YLFC`oUz9&8ZQ&3B2d4!qRnl6Sviu7&F$=>) z4a@O8eLun%!)&!ooa*V(jY>;HWmxA3SG@aBUkw>)3Te^&KhyrLS7iEz9xnUQ7lQw# z?Ar$YTv-E5GRj54Dr=ZQc-nw5W16uG5*c2ZXhTra<+Lws4INBEViCWL3b3cXae17} zkf52{P$xa-Wh4vDJ}b#)`9}0_fdmD{FA1^^oBP#I!{7M?3K%IQ=(CNe9De53xH6;VtLa=DrJu=RT&;zHBPVT?ex8Vv=TCkXi%Llwfk#f-+%+1I|?%_B1yfGetNb{ zd>I%W76HnFe8#SNsD2yv1p1Bf6@JL=&MbNfL?iBfTT@j6u7)}mMQYA*%RuHpSq&3(Y zTl&SaQvOB^RLA^Xx|+XdSCBJbgJ=eOxZZU`AAWaTK>4Q56@7YHw=w*|W7di3k4oxe zpK0ak{EYUDJkK0c36Hv(7m_Mmzb=d!t6bRG?}X+P_zE%mD)br->2K5GbCCg>@q4S^ z0^#AbNDdDVO4dZ&ZQ=;p$%_rM?c0P@xzwZd(?6<#tl#hJimA!brxApZ>v?C{{qxWQp z+B9hMQ46x2NCfopeL1X5Rgul)`-`Tk&Ly_#xLCG@-PII@XzlP!c17EE5R)D}Zuho~ z`^Y2cxpzLhN3%3w6r~BNvlBs2r@4TTpSb8dU(c}XdC#@;w~aVQA5^uQOpeOnR=aPc 
zxk>50jl0M1)4Y80NQ_74ewF&Dq7-O!nZzzE&R&1suYB~qO}iel_$j&X;kmi=dsg4YyehhR(*vOM(nq6$Bc7pGVJeoanOk>xD^K z?pvO#nz__O8m$XdB9F88Vtg}e`z7qASzD6ew0L32*&t?A``Ijc2Ta#RM|+Uxv+X(_ zMJzWVTY3h#VO+ao9DDepYwJ==25diG?N@fy1aXtSUbQ@`av70qxIP1? zqJP-bG+H|KRG#pByzXbizRed5YFNMR16>w73?5iF`69;_?dS;X2w&fL`QdB4vi$b7 z7enL}CEK=9WnZcJ#dG@6I4DrvEFGif$>;vFw*3cd+hK>s3+;HMIe7x@$aH_pU6G z@AbN4-P3ypT3;f{r&HCBtb4O4C^=q69bOhp>%B4Gcl!;=HVW}uaBe5aO5E6qsnEse zs=z12#nt%1kOhz-NH;PO(IzEovRl*qBr_Q821l8V$d{5ymc!!qw60kMkVOuV%ERih?|5z>Xbi({No?g#OK(0Mf_S6C27KLAi|7IS?1Yly zLb7Zn{B-`^!qFoP8(`x{GD#4JAz1%{J49=ISQ)1BjnlR%M;%=?@#N@;t4ga%bYIg?|uu7KvNHH^7Js_co>ys8pqvGKQ@0z5>&QtOjRf= zV47589#vj%WMcE1op*6k1}cwmz7Ed&Txwvw<7)yI|1Fm@N9kxihDd>FciF2+?(wc* z^`H6FW$RUCs-r~Hz7|uie!>`O7^Oo-Yy1Ov@c=^(ZJ}SW;edQ(OqI_Vd9y-fS7tG* zq~9C|Zy0+(sg=owAK(on1ZbQqPWDD)+v(ztHhzl-8n(GFNG@rk)3heN`hfm+dW}nr zRJ6?{>oCmt*7zc{037S4R5k&tg%a^r*DL}y?{dEJqF;{~N$||!$?(JX`~^$Yp*y#4 zv)fxq&^|@X3c=eA@gjj} zQ_M)1;y=^G2+kSvjhx-2Whp5hH08J3=l)E5o2*eE$oY!?xwCFARXWUF6{ncPm()61)m;JJX8_&5| z10Q}_JtFi`IkS}JC z6fb6f{+I+{mLMaEVxKHv8?r=V4yPn?=%V~CNwF|P!jc)J(t-{e2%!rq<+VK`aQPM0 z5vl~ImFcP65JR{$tAtEdr@oSwI6k2M?+|`iW24+n3uC}}xHAHIJ}qzBOu+F?H%;a> zT#LiUKCN)Fn;zqqt}|D@esQbW_HJ~?ux<3~531TQAv6!o+}9tY#`Q=N;InnMBiLsTn>#&aAz*ul3La}W6d+`Ux09N z@RY5_$0_pAS&gB~5B)eYEu$PipA7-i<0A7%-d|1{d!VdjPxX_xwXAi2hxp@TVK0?> z3TV@eRDL12&(pQysQdSIEJnC?uErp^YEFe~sfxRv4S~YO{%e|WEW?gagjsoO5Kn_6 zIZVu1*S@kIiyhay|*^gha{HW<2sZ*io^BD#1r^# zoPWLk0PFy@O~w;EbsaQ1b@|+3AY?n=oyTCZxyLd`ckP{3^Lk!;+CAw7Zh3g8_x@tw z>kQ(&^E}G@xZ3(DY>U)w7DvycpKte>KkI2axqCv+Z#_ayrwrB_9K7d*3pS}=EpM-O zT&I8P9j|cx`QCV3Mi>2onRH9$etSyq%#Z47zQBq0MRRX}+>I)#b%6Gn!%H>=$4TOJ zoF|TmLF)Ym=Hcr_S&9NqcBM{@|IcVv@E~jje7g&l4kb9!F!m zmKPK&@-@5fEoyGX2tE}L{O!mnkIhr7C(moZ_4_cd>emO{nvF|kT>Iqp28WCCH#NW4 zw$u&n z^YJ5=KRJW^1uj9nzkk%aKpMpBvkAcA48?w7XMQYz6uPYZGAb0`k(X?|9Pe$gT_8~R zJvy%BbGZ2dl*+q4(wU#Pqr{_M`AIz2pX)-;AyPx-CaN5xIKG(?Wrfz^V2h~e!y(fR zqcR_afCJ*yYi{x>Z0&|DIPQniEi>viOE2LSX*hCXmNtRG5D%ZB@Jvq$!n=Cu#A-Pj 
zN9cqQ(;!nUII`Fvy8IwQ7F6mv915OT^fhtAVq)f+ShOAm=HYaa9P=o3`^!Lomy%^G zBn9C1KOQ3!Z59hz$HY_=C+5c7=8hkeog=|S{M3Ck?-`xMMZ=vf)860TtdC50p%bNbL@ z3JrcfldVL4pY%wIWokSe_s~L7fNJ=gf9%PhB_hQZ3MT;<(=d`su$X_pZZbfocx7=n z?WoSg{3{>>S`Lm@ja`WW3LBpcl(cU;Dp=0)WREAc(~mDg!8iz0SY^6D=Ajz}8)PKJ zC~p8ez|w`;%$o5xoz6@i(aGFvmQJ}Az%3=HJBE4UEXD``N$cQ>17{Hlk5#3Ptn)S~SlJWR&P@wWP{3u< zLy*z@r^+6E7(4%BQQbJ{&BYW6QJW}tOlXY(!3iOj&xWcODusytC#8#0AFISADj?~q zp8G%6RoAhnetabmxuTfWga1r>$9G`dXLg8K?D$f40XZNP1J^uF7knarMkC1TL zpN#urtq$oY_hy9yG!lbM5pX7a>A&RvRZ%8zag9d z@3BtE$kzURL8O%t-_6BZv=4gmk#3^kh1BH2mbNLi^3v2|j5-Q>5yFy%R}4e@@cxkW7V--oaB zqzmfG0sk}*lq{y#G>PIs2AmduPgGC;C6*9)bX!%Xn{bpH0Zo z4Stds_%KUn`cGW4KS4$XJwA{3js)M39B02FfU%y@kpp1=O%m~gf4u@FP;!>kT4+{$ zTTU0}UKwt#Y`pIlX=FF#IBrKXK}U9!=XWB>D<7$zC-X}mF9UJo>LzZMscyrATKC() zxE+Z%%*{5h)mFp7sgB8-aFzBqttF$6UQ26GGItjpomX7bn&#H)N>*^iCitfRr0}(B z+uI>hDr(*MdZ;=J1X}Ihpuf9rExvkAq(|qE=Xq21UPR$v)+gGbHmJ$y`sHcmYmnah zSDh+-#i7%(((P?(c*CQavZdo4eN*bhbqhaTHKiq z@^a-o-f@vj)$MqxOf2tMA3o)`n(pp6IQyeRKa5?RTttEOw^Tuw^Mm^f<5C&2=tkckUYB zWq6YIo@K@K0&eUDJPo7Jzw8Ao_s7u^cqjd22HYCuXh;+tssFu zo>zY_dBZqwb5R&J9%s*RE*+1{Z}~KGyO_BIG}V{uQ%8a;#5M161?cJqdLH^U*3n`+}aA03%Mv zkTp$T3-Nv)r72}z%+bu_!EoY`$iQP6{p6uUuwQ_mplV14gG!1W+!$kCCzvJ?|Baqf zIAZQKQkR~Xsi;pdZ8m*?O%tU~N3_9;n6%lmhqP8IbSM=-E;t=$ipNf7pt# z3rgYpOH#8Jgi#iT?IWq!5r3JE6Bo`LyMJn+Tdgt{mF69%;l(VMmFmxlU9CY=NkrO0 z$E5o<(uXJ(o0NJN!=$;#NCQaxVT!PVPYk1Lx9!IQiCrks`GksR$4-D8hO|*b@x9BE z4XY8y$aqk4R6Dtr6YWQTXu=uB_nDNEK}(rfGm%cz91-Md7tDp@Q{}C1b0_O^;WsQ9 zGL|xuK($?-De@-q-@-E2l2z~zI=`q^bVOY*FcNG&1?WDBOh})2+G^wO=I}@bNm@Uf zOcV!`w`1doIW5U(;xZAjR(_rj9cfx~lK73U+0-B9BM<^811iT#@&tl>_igZ_pE{SN^=ra$Qkw+9<)ljzhO40bHXm{96ba8HHJacJ z3kPOeGP8v;nrV~ZJb!22`4hxX%Jb>Krki@Gvq`Ydg%poGlW@jLlezV~J7EZUtibN^ z@H(V;kXZyK^$K#A1(D|W0@wfUpY(eL#+^fo+|zg!nL4|Mq13%pu`D{c@%ou7hm$l| zk8k2NO|_>UQWR#GiE4*pDK}IBp3vukZ-|wjkFsorQoS%ejS!F9J*#vpFkGT34W+v| znUDBf?9++u%gdfoQ5iz*stkXb9HOC=vaSY~E4RgqBcmTRU(pQ5xm z)58M+=r0_WhxXd%oX@aX<}NY=F4g=PmP`X!#n40F8#A_8jsTlq%_MtrFlr0{dv|3k 
z&H9w%M*`)_77>yQ8vLelwR3a9%vGfURU{^NfVkO4`XeEC{6TpFdZGOtMVH`D}KFN^Zwp>1BzeYPN&%*Qi3Jr9oCJ%+dKd4i|6 z%Q`;|tHH4vmzz>O9-qbw67b<>bSguL9Y3Tq((isKTDA3}-HI4;ySLT)Y&E{nqy=K1 zb9irJKPjB@d8ng6TfOUu+~jM;R95BP;uk9 zFX{(-1Ci8np1`gYGOv$XUZ*sCyern(dh`!xn`4K*cIVd@!Qk@x_v@*tCb18O#p|F{ z_f1bw@VWPy-Bz334giHsoT1AI_u}yt?d77ntEN9Wx~<-RvZGUh zn7-#G%L4Q;+;E!WHr&FzqLYepHMp&P0m_2uyW2{jeNW67blVPI82+?(`1WGp64u2v z9eZw8b$~}upJLx>w!rxEE!UHDz7L%5H_Z%Mj{}`fOD#v_UPlvwuU)Q#L<~L`QA<(U zn)s8l8aD0b3tFo8vYbZ_H-*Jp$9b8&T`rFp?Bc^&u2YBU_j2B>ye}a~t{~Y8J|NNE zkahM+HLgzkhAc|8k25-$8$@zAknr#_;L-PWAlTpj$6METf=KLPsiip&T&&B z$=1K&X@Q?Tn0J9*+IjU@C znw(Gzw_jhQYkoZNTekjGZU|)>Yv+ve&-^9->uDpP48 zW?BFUSi)%e2nZ2{bAHdP+qeO1lyS9u6{>L?^B=RroZrx-Yl!@55G>Kc7G)v@6SS(^k|g}im^0yt z-LU{ZTvQ_rw$_qd%TY>;Prr2tHJLSp!`}r-V#Ms(Gr3c9J5*!cXF?>+Gn2H5 ztI+|{l{gMgSIx^K`zF5D4y~5L^C4}8_)U!BX1)GYpRD5pkFq$G7+FG3Plf5}PDCZb zd+;K>Bw4r8jl*R&sZVbx?II^!m1DK+Ic^3E#2!@WVDZb0{(Q5*V2oqiPo>bD2pPg} z*)1uG-zzbwI3|}=c^+V9+EBHYfp3@t&La~siN!zQPa_RKSS#7$+(qJLqOL|#DLcRI z8n5S6wy1x?<4x?fTix!PW8<9lK25CFqcKcmFt!aMA6%$XZIQPS))<8UT1 z_x`7@Dwnc&wwr#NciAidmwVqN_xSzBphuBDW*axjnHP6zN?p3qNTuJW`8hX|f;ULw za*V-Oiu9X&{8dN=vCTzlyTRMaw&A#B&vDU?r8P)m0XkWX5&fTKCu!QmDeN!(FO`e5 zhsx=ZS~>~iUpr&2e}>Knc`Gc!tJEl578rSqEeZoI7NP1i><~zgRFuu+BZt58PLz~| zVi)6JKh36$l>ug{K|amDFu76=70gpCRKIZI&$1*>NJA|Q_eNae;}xX+sF$B4pVLqv zUpH3VPuGybDU%*kUe_#hVS7hbcIn})ZlmtmpdfK}~7@%-E>jRtf;l<<#SbcdG*iGTi0tArg2QHNxI=&Q!Z z5}uGzA9QDvpJn9rW^d6y zfv6v}P$>!##w}e+cx1I4vK9C|Y=+!_ip>`;TZ}q5lFhU_vj!dk_A=FvbPE*q|BR!` zGh`#mfBDDO5=889rG<(K%97JK;lkIl-oH>A3led4gz;tj?A_We|5K8$ca2wLu$Rt*4ek=8ueu^=C8)HcX@ zpxvoRj6%J=-KouTA|ufro}%u`LN8#dE;AadXAy5?J&&ZLg^K@4beT? 
z@UV)Xw%`<6-%vJ2j2IXzR|x63JM+u_-Ld5-yS{yT z1il0RCG+4wKX6jN6n;j(l>`6vMt(!+Kgxm*Fp>uwJ!bE*tysMVch~Xy?XiyDmAA)Fv?9)^}mk}ECU{PGi*q|rBzTiyyuG-Bz}%Y&> zx!e5^iC;tChIdz0<9_+-E}HgzO46&dex3e|XfB1&0|V6h?(6m@d5vUtp5ba&-BE)} zoNa#{zrk$l8jqbnt7s27n3dB_A+m>QJ6hpi4$Ho{-#`4jN`>xwFpBD?cSL672<+px zTGG4hge9!CySs>dYQLQ(+VcG2t@V1@eRe72Gt;-8Y1a}=%XK1VwI8L^ z-Tc{i@L@;xWpr5Q^+Qu}Ra*`>*@L*=GvW9lJ1R7G-V=E+s%tim@g2i`!|ACqQ6X}u z-*DdV8r`mRR}CNc;;&kue6H{7qd4_-Kq1fQ+yY)E8fT&A&Y};$z+h(FO3-Q3*+t_S z`&C+3{R*gCD{plWSV(g8;ZM<;cIhDkE+`*v1q|Jy3lfCM;R zT|xdD-GLzSAs@Q>hWzg=yY+o5r?vDzndU5IDCH#hDf|BKo7np~C_2^B1X^hfIxng7 z=L3m}#9MI+)zCM#y$8?kg)dkZ@B=q2HcFO?Ca6t)@<#tyWHrA7X9H?)IzMGY$}5*MgnD-FdgfFh4w`CFf~RY(96e8zg7 zQf4o#(q!VSnJV}#UP>fBiNjA zKba(Y8Xl#nD0T$R4yqHDinGxy0ZQ0nXpbbkBQG>8=tf;XGgX9=iI){hFkYF0!C}2Z z3tgUF#OPPDuux5GptKAz=7o2ulDW!l6n69AZ~VrxD6Kp#^5VT<%@`XP)+8H%$O4<@ z`PRGG=w#;9M;FNlwin!AY}_d~c=be5L_HFNLE$y$A1TJ@GVSJBLJ^Jfb3wkvZuC#DDcepdw5;FNTR{M>i z<2R@VMe3a}gWgI&W0DqOicab!W1{pga&?S~1wy~?BkBb7FZIU$7>HZnZhWAEgB6T{ z9XU!7W=(`Rw_IB3VU*P+Cb<`l504y{Dui{hsmK)!p=q zMO+7=7jb{Z9&mN?d>^WjOI7V#Ld6~@cO?w)6fz&Y`5`A0OZwS_{Wph^IFvN{8IYDL znJQr~_uDL5-_+eC&(_5MAHxtt#K4&k`6c~d`K@|=@tN}5^s`3{5`-O8IQ~%Imk;&z z{ZQZF86N08(l>`C$lHA|x-0ut#YyM$!d_0N?R%_qgkMZ6dG{3ExZP*o(RJ6G&SX8e zH3l4>&V^&Q?&m(?Io4*Mlj*Y@+%gpIi8KW3;j8J6%Ny>FOj)iqEw8(acLIX@u2T8QaDcBepKc} zfSy`z^DOV)>2P7PMA!Iw*L?ngw9_XgGPd=3KS=gH>f_GdL%wu zGjf^~eh)p0CXchZ6xQv$%(~;R8+bz?nN^H-j+s?`B>!5%@HoojQqvHz z_Z~2R;m1K%xj1~>JwZ8GB}hjRGLt;uXP!sFL56k^Cf^=A*ADvy71>3{Tv|d6@Le`_ z$k#7zzV!C@fP?DD)E|SgKoc=*rgx!A=snczxcbNS^3_q7*hNN!W0jgubGB=F62-e7 zb7-dSo|@xl|Bw#h=3%s$i?<%lmv@|$T7y?lb52TCtB_nMCN-kq%R0$)GGrWdik$GA zO|4cutLU3c#rHcMRAx@5r@~EKO`RuN0uJ(R>v6Z0T`r9c#1b9pP>##69#BgT5q1-r zCXw>U?YH&`w1Y7&G&D<;uN9C2=L`c))6K_?i&70y?>TmXztRLqhoMy^ozNK>`guhT@Fr2 z<%&tWvY1SK7Z(oUdj%FcRnZR3f&!1V3b*B4F##8AMM)L0*&TTXRU93{x~$>iE;rsmvndjerI3WY1xPnI&|XHYsD(STgDSMC!7%+WG9%pB4hqx_^q z>3?a8m9|#O4h~jH*&z>YtWiQ*_i%C9&f&EMWfy|U(;%e5kNuPjwX_8Z7kB}UMMpX* 
z$_QjhGRmasro0e^TZL1<=Rqnq&@dKvMgTr*ch|GVWA;xxTW~a_L~0fyb{s;4em?cn z2F)K3s-E_$UWT=Tgk4WVf!8e#ARQ1Zs{)|ynvT)4-W(Xz&ra@2jE_aJG|C-)TPADg zLH^9MW&XQFH}7n+K&la0JGYSiyUYF>+AdN+){io?54^U-P~h8V;~@G3XQP3`4MqL| z8z`reJOxJ^7Q6;-V%7Rp(EQ#`&Jnl!*J0FkSYZ;2qXE%=!Bca>{?<<$ji%(yQcf*N z2m%!t_{I*@ZFC(h0LjD*x&l}Ae?rSeYrgZ-qA})oUuoFOW7h|Rz!iB*+|q9IXrJIC zq3PuF&Oh!7n%V+u0YY3O8de0B>8j+kcTGQp6=D9i@&EnVI6id7}}Yl z9D63I8AY|U@>H0zrW35FtY;>$;d!q_Eh%g#F~5eiBc>5G{-pA8pXXKfmEfWdGgYH} zpGC~~r#>*{@GlXOj473@UphvcPQrFMrNWH$B_@nWtojSRFx1NeBYMOc?Gx#7VS*9iQccfL}AL4{>9*mh^l*^n7HG*Al7fYrN zTB1(f%2e2+pDgsnMJuh@9yr3oPIjG~R|xJpu-MMn+UPx9p158F3`KW@G;8 zi(78bqiC*wE)Ni>wM-13tzoYy4&Z*|q8mv{^J$D!e{X@Yvd+x=j8q`hFe8EyeZC#E z8DgV^B?SBTO8Aiz9T;y zVQ^_`ze=pWWZkfQC+c>?^Bp&3r~t)0%o=b*Oyljanmz7CUq-y|7+-QH?K<49hEvHi zO;l^`+Ai70W!U|$C$9dm({|*c(Kq+IeWb$oaFcfDZ^wC)s&bE7Pou(a__|MfR?#$! zOIPiq8)t15E$s<9j}vNn+>5IR#qHXHYcyA`$J~F#AZOF>3%AH(&l7()o3kPpAzY59 z2LpX#O?>VPxL283t#`Wdb{oys7o^V(tJH3tzR!hTtZJJl_%BILBpjX!^%qqwEK_`s zABWpN*?P5!%|=Ie(QlWRX31TRwQj9^24)YsNnE3x+JmdsVH?*LMWsmZt{@ zlNz_v)yonZ$LlEtJql-t6hMRB!d;eR%)a#Z~Fd&sVEVPru{B$Eq-YYUN->t!3j3NchQz?nH%~Elbquk+#;Wmc(>+|H&8`H4u%pWeO>W;MIAKF{s=f%ew4 zbQ>=Mg0W<`z*BI?xoYTH0o8uif#qylhdqu*A-qYA-7n?i;4H|;IRnN|;2qcj@%w&r z^^E?h>2wdM4Iy#A#L-%p5;AcH5uR=0nEE zEzAF{Kv`NgSVt!cG`C2yoERx^LGk8Nl&Z$w=S!OG0s(p9X+(N2|DmdDmPYFww$CwO z1y=}S@p4!GlKrq)EwT|!Z?FhMlvxGHaLutuz%YpvA&!W$A&+c&U3Chwjlg3=$CB-B z<==v+o*^84!Pg+ZrPivaw#}!EtPTrD{?2T@%h%FiYTEq+$5tJrUvvvNtc9@OjB7`< z3NVCKbA$Fq254mK1Sx1n-bx~(6iO${0qQ8~d_>cpt2T?=>T+Y(Gs>cDDCJy z;35BsYqcoWmtOS_3zs!}Xw4s~bvl1bsWw`8HH!!e2&h zm=gYq1n469(9G`@dk^7)?8<3^@tHbEnod}9ZQ9jCfIk7_qNbWAwGE17eJy%I?wZw4 zVQHUo02>b62hOS#ybC`TWb3aIZw-PahcinxGb|H?6M07(a*DWj?R%@yd*TZ3RYC;Ny4SG(hj!@_iCO+#zX;X{cE7QP=cXu^-t7Ajhn9wL1*(JD5Mzs`a|*aimpr*Y)(eMa||nL=TiT0 z&t|0v^o*D``MyOY^}9_Mrfi`m3#nCd`JB9hqE%_xv8~^7x>1XCk+$WgA&#o)`!wvZ zMKJ-KlA2tg#mIg~!)g%?s(_4(b!J8<1$0HEw4G$I{-kx;BBBd79^PO-7Z;9IJ_f>* zk=jqGA4!(Oh@939gJCh3*Zy=aU#i5}$MS6hi3+?ersK7^0CFCh|IWPi4#f@Da|QUc 
z;v`x_9*kin$QM{J5@vlB5Bznz*a_b+-{GVT9At4r~x25kCnQwPZ zw%IK{a!n#PLow73(u{LuoTS16$RtsK6LH0ULFT2#3q?+B$_05LsG@?el@iRu)7l+$CtL;ON{Iq+Gu3Ay5h&*KiC2h*%PG zYqxQiqNhbx#YXfrv8Oh~t*k_%!mw$Ul#pI{>;CR7(+S{Gw#lgaPDi>{EjLzIfm0Um zTs-ouJ4{=G&+CX1u*)XNCnnNQm72tB=rn(7Z?!@0&?{* zjcY-CA!G`l{+NFrES1~gA4s0@V?-|0Py4}V2U+nd&+K($&^n7iFZuiA{{CE<#p_y( zTCL@rh~CwNQ4f}z+PFbF5!2H3>oX!CcDXB?X0YA76nfjgkkfKoBC1}uX>Ful+mPYk zng1Y5uvu;3Rr?^+OkuQcdAqMX`f)%mO*-9NJ8w>gvsjZmE*Vb_&yu+&xN2^W2T^!y zreks6_DlII9r{+gyP=hzI=vqVn2-0_Za9cd@A7eVJq!wW$_w?dTnm=kuN(4lQ+>~R z$JsrM2APvOj8kusaj%}|d~{dc?wZm4c9sz6-u)d%zpiQ58G#O1(YdawZgiS?9>KYG zI{0=TXN7h|jpswFZq@G35kF=i6xQJsC=KI)Otxc4(}c-gHVdkl)@ff>%XrRaJV zb{)LW#qXaTX1vro_vP(IfeU`VpEEtCF;4E-xc{wJ)a@bh`&|utUA5k>z;?g!t7OUdAlauHm}O$o{JYZC>{rbn+3Mdhr*g^FB> z{elv`#a3qzJ$sWajkTxjT@kCS%9ZZn(xQ>o#XfG<`<`KBr5os>Xo&{TU z((sh1KU(sO0NrGpHYYGK{y9dwriH^rMJSOjj?*t^iMN%R#QH<&@)cjLlM4pN(X^Ue zWrHy~v>vvZZbWA2gE#eM6p?3E&20GW4+i77Tua^lfoEU`CHjSA_-QWyDBgAu-P^Uo zO53bgmXL}@{0plj`MQML9@q$7mMIh=6pLZrb^My&`TP1VA=YBwqh;45 zeKqavnU@aZEW2XdEM^Mp*kqgyqm(oXabYrJb;dDIUT6cR%0OvL=7ZBc&1IpqcUgmL zno|?gB|@l}94dQ1mr<>KrV$nl*X^Z|1^s(Y5BSm{HJygL9+T%#DmOT$jFV_6Mk>rp z!TB8mi`2>i#2P}n4P(63vjW9Ra;OCA)d|Wh(34-G&|Qv4Y{n989mEY3)<2&SjfnP_ zsYnQO#r^5@T%{&ZKqe}B4q_^KB!>rwL7;>{9bOXXkXJVD!B30PPJJBu~y8X_H$-)7SpJWE5rmbiTYe3V6_Mh zX@o==ZT=ro=h$9n*lq2gLE|)bW7}Mfoiw&>+qP|6jh!?$+SqAqJ6UVJ+56b<^L!aU z;lA!U<~hd@xDeYl9ajTF)DAmUq%FV}Lj04rbjSbYH1g$}?%WZavGk?FXb7qFtuUr4 z+@8f9YqYMMgt%Hy7-C0JzbZ3pldrdd&e(&w&8qjFITRmZ)l91I4#)Qy4@l zRB~|)t>7(ev{~d%H$4~A1S_?$z3oc(<3XB8CaNY;Af0sY#0 zP8JnJv(CRZLtOgY(oHoJw&{74GT#@ajS`cMlQEOvrMu?$&pKOz=-z0)@W?#ViBuD| zTM0fe6mQ2H^E(sPmK++Yn*i+vhv58*rf-x}zD0^8A)EDERtSWYl9MB*1|wWWb5Wm) zj&Z=L^s>>3BQICf5Wzbvd>NqvVdma2{!O)G{mRg>URb>~+e10#yo3YE$tl7KI91W3 zU1X56mWzH+4P^ufcNN#Ue^CAjm`n}qST71MT%!LB zSOBHqc%2t~{+%R&r@Og?dcmbx!5C}vJ^krWSpbLo`#*LlA0`4f#vThkzTCCyN(_0!GZlAz(jz_XBxGJ=NGC(Grcq05G1XwP7i*BdR z2?ffX{lV}VSpR`D=_2hLDoTMR*=kQ&ruaaXO84GcIo74^4*Xm32A-;7&#;uYHr(UK 
zXwIwg&x&Svx)JrI9Meu#JJhYC;e+ISk!6A(r2JEMBNB@fZDCRaL@78eLB&a&f8w%y zGaetUyca)1w?oFfxZKOhspU|+;+oWH;Jvxw3K{d$5!4dm=qi<5YSJD8k-E%m{zhx- zh0K02`ZngBl`vMZ3VSzK>U*ww}Xm$HV&s@3V;+ zjh8iMfaXKsy+b-q|7FngD4_qiu%V%b;R)AI!y5gp_B`GTJhF0I(%$17lmoiy&g*ko zJc#0!)w%Q?#csIL?Kq9wA$Hl|yIsg|j5(XLEzNjAEPyPAXDH-#`bmVe!q|3 zQ>}cnNA>gLcDy~l0jEG;=d`fHcIWR6$NNP2o%H;zeU0wA?iCUT;DXv_{2Lq&QbN}* zi(|#XuUoB>1^{f|!{oaLx6BYU=-2H%-1cL0T02*I$V&e+pJAuV2i;xGOVK^I68E+l zy5%!QgU;n}4N3QDVnl!{50=+U_3cr_)o&r)A>yD8B$^!S>lm0PQu+H;E z?q@J(vE*#u^(;_*b-DX#qApq`B8+9 zp#Ngo2B7))n}&VNg@6A`c?6NmwN(zt_43>!z~=2PD`%mf57=-E-njrAjD14PkKhmE z(f&OE?_cI`2AyvOUXRSpU*>W$Vnz$L1B9Hw1r5bu!{&PkX(s3xZ8Lx1ST+fm_J}>`vBmqeidbV^kcyVD!FX>K*Cmu#~O6U<*dEw1)P(M5D<7hNc5IA--oY$e*VZ#EnpYSx1iSzgGSqvm4l zEZmI|525%~V%V_3BDEoDzr&Sa@dm~5FJZPY4?^YUz8y+$RAYrGuTHz^aMXzv9yAu;aCk{%7Ga%ZAFPHo6k5wVGOB8hntL;mMN6WnBx=4RlUd3$XiaI zu8S~l?Q#^<8EtojO4jp)LZq~^7oOn=)LEbkTWZVsGST6of3~^5u7fLNP!FPVX_cGNWTh1R(8fgiIih}3X*zxpabNe|G?t>a#;h8k zp#1W2@x>H*MoifldxCc6Z{%&6wocoRLTu@9)+*~LON=~sHg)(_*?)coPW!+{XsWn>BC5m>4*1XIa z$L2tUj7tS;DNblyy9wVgb=m#E0Z(NZI-MT}LTT&&~!bTG(nc{RpZARFz za_nd~DXb0W&e;8u(hWLXJ(Mak;gT!pk5hv-6_q=5d?U=NWOFq(8<3B#f6q7QmfqlGlWzroD=% zg0--R1kk+!a5pf(7M>db+{I^&h2k_%#YeVcEQup1TN^(J6YkYbw=u_{HO=1R5S|y< zPk6zGtkSo9l1a3teoWS$sjTN346?UbrA0ca<*aPNQ)%Hyy`r%FE?NH4TAWLyeFC5n+HMS~ni^C6;xsz%3oWH|4Ni^h6--iR-%8_8A&)1M)^0FGKcF@qY!Z0zHa$CVL8S znF|OY-QNe1H~4qHes0?l%AAtPlp;ScL85+mz=+ItW_00&f_5{XwSb&y`bdiVa2 z12A;$tcS=)Q5`3Yd6B8tX$nxU@_IFT*^AwGlKi<5wwHZ}`tb&oF2T9-H;#}evD3ZV zmAA?FNNWDr+qi_xfAw$o>VEjx*5K^nCUy%6Gg$Nd!_Ty}gj;vhjN|-qT4%GeWpOX= zE~v9(5=PHQ4{#d|p2};PYomA0VCcP}&9Hx1bUp^EYaX6ZCKE|q-yQDs{Tlg$D&m9c za8GhBsO7u2_l&aj+Tjk`q72((GCRI_bD?udz{~$37-*iWcB0YWc3yMbV_h4toUf?w z>SlGm$Xz1|a2$5ckY(1ryuSpyPqtn?ZI(~_22>Qt!|W!j{|@!w=QV>(0xN__0j35M_e5=GrHeU*L3O5@9Q~S zz3T^faU`w1kDE~J^XTlb?Em#bg1zcq71&Ynv5gM!`uKg^$_Q4yF6hB}_3_+^Zrg^$ z@dvctHDu_XhfufqK?;~AG!w7B!ub$6iGquWQYzy8oKIaYIfDxt9H(Y+u3MHTB5Lo) zUo&jA$RcovT!-#=R-cPy+qOB~hLkOu6zw%OA9gd;yKV3cQ!-H2ZNo;cR#_+%Jl8eP 
zSzjET9?R-ANPKRdpZO7qFfLs&`z{9Gau6BYUN~1000K@+O9lQXEq?lb=N+;;LVIg5 zNf8_8ADkd?4iN6$6U_ZBI|ghp{G#zuk$R~$pz*mU#?XVz;Dp4+04+QRqyRpj+qch& zm={8=T$z6isH0+7Q2~mNR4ohf`t9EN7Cj)braq zSukk)&`nDH8%Pw~`o!Aq#hKMNB~T{B)-|gUjfnDOvY>X|l^R1`p@kzJTUO_ILZo@) zZjOG;l>b7HF@x>lca*qv)SNlki!S2&MM#5KPKhR^Wq-RXR2v9G`BxVgshj}gODh3`Z4jCjlUOoG-o*4gsOuPVQ&P^pWcG%=Qiz=> zD+o`zdw*Lc<2ebS0#AH&f(c$cNY(K(ZT;#&$K+t)K5r1a!NN?yYl48mJD3GhS!G-o zjvFFD!kag#i~`qA*_x1(-9O@cEvx{Y`MkO~zD0}NjPx1fM&7!7iE5f{efqwpZpy}L zs3-*8w+JOIG=kE@_B*_qMd!}Z`Kz&7lc-0+ok=d<9-+(TeTg!ZB@@y4`Nl!c-ss~T z+BsM@nAPC{24Y2>1zq~2WCkH3n-Cey$I2GsNpm?LL(_I+<66vcG1LpxJ28~uT>Zw; zRCrjLy%KG%BAG|$8JPtB!`#U<2JO7U&dA@#X2C_fK0`)4<5Ua>+(?9&>weqw4%TUnW{xxpzrE^Rghu zU$Lfq8|h-*>s3ENn6zw5vqU9G;cD7fxlQY17e}XEYyU1*G#}OWaBU0cly?^W*r?$>n+_w$2YON*Kn7jJ8w>f zIwO2NOQc*9nIfeLAv6hdol_4MNK`0O&bpw2R=h@+ub>qaNF9k?KE#I`muJh4 z&l&tzbt(LSqrm#>j5YG;ai&GQ*U^6jBnlf#`j9an0B>mzyhg+$c`g`GTwcGH-34&O z?Ka0ii3){*=fS&xgHIISGLuZ|TM7K0%Ts|#gxBqm2{DVm$DfdMhk$WdYG&8VB@O3{ zm8?r{P}TFszWR0^ciXD@enweYyP)$u5!1^PzfIj!1aOr4KOUq}sqT7U2BU_jzT zL0d7-`Ef_GUn=hg%4;}{-oAZW zIzebipns>$hB;s;Nz*%~WKIWmZ7=xvaD-T&0*A!kiFnrSqj%QemFu>*!a-o=W1Cgu z=gUDf^3#Vd(4rGA!iVr@?_T9&n43R%+Q*0T%3~JP`o8YB(nzm+Z}@84-nQ3yNYDT% z0KHvv>Av$5F!bnKlu@GK_uP(8`D}Nzzdo82%w0Yn#Vuf*wiEZSB0sO1CFv>Fy^qV_ zJacQC59J&(<{K*lZoKUO#N~gQ)kMqHc1_kFDvles3p%!UM_e{-1pL7O`S|^3!PWl9 zp7&?a0<%6~EgHpp3bYlKUYXxMLXyyT+@l8w%;>Z|hkgc}+qFHlo?E~3*ucUOy+V|Y%tiW(v*Lm{ zkLZP1s=mq~7yLr*LgU%eV&We7C}!f?OHw1@$AF%>=VWh_39;=vKIyBVVUeU_^s>c) z&Y8l7EYHqw!&9A~ns+?e`=);+gBvu(R-stu%agsRltI*3TZZY9Vs587UZYjNc4Cq$ z=E9H*S?PUpm!7O%T2E}_Sc6rB#d^wdTX~J#DAOrKnPNqu?yFM06ro3BRUAjmN>uC@ zKmNOl?ze=ee132(ZHHr!Yh0yf2wl=w(izpo26@>YcmmC+Z=9&~Qw-na29ih*Hlrk3 z?%u}nA>1*}J82napLA4EnenxU)v^2u%h-(auR2je@T<(>Ca7x9lT9?Uk*Z&Q+L>E? 
z&8_B~hnk<{Z~a{B`Wi$r(u_P6-EtV5uyp)84dE%6)zFqlixusu9qhH&cJ@gvXlUa{*>@It<8JZnnU~iK+e84gCe+o_*_M z=F?vWlZX-Xo~km&umvKnL_=cAK==GqmW2#?(2Ak`6_R8wBE*4PTER=L@>qaAA-e6#t<=NndP64_DC$zT4=Me4sCYoW_UKy=OkYg7H=Ia^RG*V z{z)!4@SnCs_^2BWJw)_E6kTsAiMKYfTGOji$#omMQs-atxSv1IMG(0j+4yk3+II=o zO(|d$2{!+%o}B4mJeU7YumrzMu&!rneSGezJoorgs7w29IIBS4DT3nU#pu)Wq}pZh~Z7&0%HyU8apAllWn`Dc8~* zXUWU5HCsGbR$4iEbnz(NnW;9$ zDjM_^O`J+!W7%|*BNPZo8?Ri~*^q0|*}u+0=obA=voTVQ9~v#ifcF^O>iJr@Jjgd2Vz0(!vrV<+dl7u=QFV0lWj7NJ zRS0xv(QudnuyxQ|wG6|s&uY==VJ2DiP#1#Sw zIll66vKZml7kG=_x#~MN4%_JW`fK*i;PnSb5f*09WrFqG z(ct&H;pg^AQdj|>Ti)Q1$YUY3hPUfu7|w?AqJU+b{u6$fuI9FgdzH$H`J)1tfw z&(IL@-qU92#z~9N;}ar@P%GHw8F;D@;nN%Eu77-Si$S30bc@k1G1;xRsOy_nrsxYE z%_!(>vM;zFs85UF@^McS<@RiM<^s%HgD|16wF8hx=Q&lufb~ek>N(^;C$z9k8aq>ld0R}Ffh@sw%Nx&S8Vy?kJve>VK>5QJU9f?MKcSX!-LyXB?w$y&`+xUy#HL z?3KFcdyVsOGjk;0{(H`M-m_ZinWyOMTMO~A19~p-zF$!mygw>tjAR5jwptjkXgPK| zaG@;tzfKcb*m zU|taT`fd(<0XP{0!VMnnfpJ(t6=EKI*Z*9>{SFF33VbvIzd>3+#W&fk6B#R$?Qo>Z zQmu{y{CnbYF7f4enobpP6qur!{I|7LoTSBs4F%=2fIv{`nc?>HuYSLTgv06YP3J$S zDdj-Sl4h22?bVRRTCp$vfr*Lc;Z~vv5%;De7j8t23}OQJ#|4LfBSJE;qw&IDb2UFYm6&f-$9ESah==vx$g|F*$(nOP17F3})N9Va**xh(=a$E~Ph`HjKK4A|xi&_B>S;SeP-Kg)qr!&2mY)+bSvMD<$ANvcSg$=_J zu*h!$^h%2}y#U7-g9SLXn@x#1hd!mNU+u`Q6YfK_Nq*bVBt5dat`nh#b*(gYD3r^jVP#Hy+3Pr5kbv>`Mh98EGn}%C*g%kN(`WeZOu6X4p z+%nDa3*90pl0NAmRKlp&KJ`sPwem5iHbqp&(Pq3`298A~*8E;PO{7zLv#=tSMP%Kz z8f$q{uM*H!lypwXq0La<&70rcgh8fuW{ltAWy$h+X6&1MN+%Ai zG|Hrz6{zUBmbfU(i6vD&mFX-kS!IhAq?JH=YbmuY5DzNPeSN{VA(Xu}m@?K$18fp- z?)Y8pXz4Md0%*Sp8V6{$X7qGD3Bk75=#<11Nt#I)#xqsr##H+ky1p!-=KJFP;IwIE z4zEQ0_cW>~gxt)lw44ryu*{MJScsIWV~YmZBuHGWiw*QO=mgU~e5vuVdlBe0n#5|Dssg_%I!8-HrY6_LsCJ<>!Y4O|&md^cddYMJn?cdw zluzK&r@s;&>m=iTg%Q8T_h!6tf}=@*>Mem&(nZOv;v8;yFbrIV5xU02`o(*N3o0%6 zE!rv*COu-ONHK3j?F&~hf2Elgt@YhR{@yuO>yBd!-fC@-upBM1&|-|qD(%e4{%^#p zZSv}$FZabFyj&s~&ICSkvtGY>0GZOiwV zWaS#W)a@&l3MmvWI`YLEjq53%8jF8$#abhT&Koh~iQk4!o&#}d(k-PZPK+9MuGkqh zcK!SWh}6X~CtMm$J$5_r4qUK!DNas*GRx@J4I#w!)f1$O@9z&@5PIg@@xSoA*<^-| 
zC4uG!85};m1X(RIl#THlkCRYtJjzvep_A|qd6EcNa8VutMqiRk7jKmbfHMO7I(nWw2u% ze_sBPHxRcDvE>ZwK+nQYV`I?F(&TLqKP0dcJjM|S5IC&klL!q&WQVTIdgNJX|D^>* zyh4>#xr4!uv4BKFy$uq3DzN(8JE zcs!@p=tu?r>BwFAVRX#R>L>*x4hmU$RAk|C4J4UlzGVuw+j>;oJ_=sE8klcOwtbt; z9nyk2N{y`b2tiwvF(}K9$|;!Asr-~h8V~#&HQ)DHm(73lD9cU#;F>{cL64n3Toafy z(p^Be^h~}cD69V6on^g!QXxx|%A|fMh6K~ZhKHwuMzQC-k#%3li<+Ez<%;5PcIHLP|ZWNA~irkkEXCH>pt+9*e$M^Q_J=j;|>iZM#1mBLci64(k$PStx zUEJ5V>d*P+KuV35Kq8_AzPDr;W}1NGoQU3c$)_Sg#egNPiyQvyF54Y5dK~~fQ_J|R zqJA@E?y^1=_~A%tN5`s{B&xx>|7CWx!Sn{sf&aM?!$a`qcI%4AxA|5)!T#e2YHsI` z=kvd3bw9WL6cm8z+U2&sSJX_qc6^!rn*ZfWJ>S{pHfsCJ(hPko;o&;bCYguj-QPnS zy*C}N0h>hG{AUn8xZn33jP|1Y0VW&mR|fB6si^@cFTo+Q*@075sQHKa1#KW|$YI3` z@bbsm646Z_kGdvwra^mpjNT9 z`jF0gU$84Z&{XWPS>hu3)!2dUVNK3x+J`KzwOOPV-%Nj?q6&p22q9QsO2yY=-nffW zPUE0!|imub8+TS}9n^G!{bB9Khs9I8 zXWoJ&&rK=#r{(PjUh6M-ha}1#WEblO>P1Pd&%>2@=k?EKG#XCarHLZav>+&bf)1#4 zw^6dKiKx_uk>Yr*`f{pMT6kG5ehMiEjwc_xMs-H3wU)v+OGOfDhEYvCVn@Onxbp6w zbbt$-Q{#Zh#uO`=WK9wy*sv%zIUo171y*2v!mDHYsGjC|MUyK1WgC3OEL5D*c2RNH z_X)>A%nt>I^uf}8)iUjWyk?Goi+RJf_Z`Fc-w z3FJ{%$2Cz?`B$8{da+)Ng`g>^P_n}|hkPA;Y`qExqT2U?oSn|Nf%KM>X&k^ z`Em4wFw5E~B6^JQp-j^M=^W#1G>Uz(b=!?#&_@ zxK8j|OK&RXr|Bp$@3NdL=C>A3q(@Pcm3r=^fuS$S6~Y^lsmG6lCH`71Sbxe1p>Ksw zZue8!XCHhC3;=zuHSX8IlImp8KVq=Deh>h^#BVC(F_`U!KGoJ@w^O+bjbK1GG0W98 zHUu60Zj?(PLLGy_EC13(`>ReL?ia@lT&wR8K9^lQ?#2jJd>3a~d52i~1m7k^Nr;HH zv0ybE>XOl)3yp4Lwf$VS^;n}naAFH*>UeOhdVc9q3&QBOQF5|yQ?J^ArRTZ!3K*Gm zDyk#1R_L4UShXwYb$c9m#fg6}p!_JK3JG%poe%a8tzCue{up|3}nRw zDZil#w1b|-V-w!z%p&~HcLTb?^JpR|Xwk|C6}KcWBp(rP&+n+nMqh$OXu?ton!%g* z<6(+BmmjBn7Hz&4%kqDpfqmWA%g2~1=NI3uJfs z#GS(bS{CV6a-ILqGGBowN&9*AdX8*r z{C%c!P{SJhFM;F{K1_Yf!u=oHSC5+svJE={hdH0uDOPt8ZY zCTXD{s3V_1)PkfDnCC!{!O%8Q9RW@hyl?4fkqS5^NY^vE`PbPF@EQo}HnO4G>2Y48 zcJMy`Fsq2jP0=553;6Bt^D0l0{lSp2l`qE#pKvXBNPP6Xo&J99JZQZ$N%VBU4|v_y zYG;1hW=9q1#A!TS-_g8IgME7mVRi^7?%(j@FX$7tYiQ*QIDt=aXg-ShS7YNkUlQPa zmo!4&zJ4clcHsy1{FB~oU}fJi=tq6&z7@05DRWx=kTkBdLZ0*Sl((TMct(cgXP71I 
zyIquZzXDo*o-=v+UqAj5EIR!d@GkN{)R_r86KB6QaHq#opLMz?qM5Sp4q!hH1>)s<;CP=jy3{>{POu^RRq_MswEaoq#2anMN(kacZW@Fh;RwBF}5(O zal_JVI(2CmY{{Hi@*V5e3Lx!`zjC#XM3cz9eW_~iUI2wY->DFw`IuH+imG|Br1_R* zGe_G+GO1-F1F{{ZPm&|Qw*5`4E|n@%x<)B;?aaVSWnT!6UiQ()MuQdMq6$^0stv(t zx9bX=)9t}xaUDhvrWYgY=|+A&A~kO(iIM)FIsV%f~1+`c-N0Mz)4GaFFNVI z(PsgwN$+n?Wr-|V8>9t%#TWqz&))UL=QkB{63)0QnqhcG9R>XT^riAZW5{B_J_w+T zP*PpJ!d-4n8G>FY%HJ6|J&{B>Dkr2|mX4-KFEM@8CCnm)$vSdQ)UKg=)x~V9WPDEuX9U3lSE%duqkM8ex99S zDjMlFO#S7ZpI|r1EcIheON-G8`hIR?vKlnelQA$lz%e;0C5fEKw2=S3ROc-D`+O`% zVj<^J7N#AWm^jVXOg3C}tW;W$p=bfxWqxe+)(>oIQ*Zm;by!6AO-5@#2lQE$$0OR|EHN{;$GzY=sc+M#y2$gApnJs(xc(Lpd%(iX&WDBnTR&E9`h>d( zm1SFC*I%s%eQ>a5Wgi+S8>FFP&+XR51EbxcWD7b|4CJ84Fp8ct-16N*FOc2&E#6ty@>dD#Fqh`cr0dYL_f{9$Y-Oj1?xzd=PAW~}#w{jB zaxrDPgaA4P{H7(XD-*arSA8j3R5bmMe!=?COjDu_5mrNx_mrMf_e5%~@f2 zUOr!AQRBEbm9)#HORdf)o;4BN6>WN&dq}`@7KXHVjo4X8i+cG)V=3vIDVInahzbwW zdY~#)F4Z-W2=vvcpfHeZ(v~Gzk+{NbIFVQ;Sj@Jb;4D^dPnEBD{r&IZEVV$qG&;7B zhD^s5-HINjSm--~in80=9d3-ZShIlxQjfX7t#b(iA5s@|5avSEx8_{IF#(rp_W#Iz z0jnXBcwZ`r{quGGJgIu0i;1~dd;9i+8mD}6VL}+{hX57^4FsGp2Z4XXi_P{K^L%`Q z-S*rK-YIS-jlUv$hOi=nd?A`1Vat^DW}}sXrr`H+p@yp1HjKDGL0!^7A$V#>D#&4d|XllgK&{w-NUqWS##e zu=PJFxl&JHvmkoH^h(O~J1x~i$z}q-p}Ond46aX2#M{IZzt1LJ@^44p)d2h-+Oe6= zH8wvYuSh&@>0{)t(Qc1;fXkMhqJ@oJK?r z@SEUupT*A4*}lhdy>;rPyZw}Hz00j74-jNx_xV2y2cJbxJJ&U7#3z970kCd%{n4hv zfwg0QO%26Sqknk&>a1pk$LBI_NBi{5qCo4#<*{JliD!5FGyx^xeg;JF5C4cYq8FR_ zV>4w=&+BR7c;~S-Vp->7Imte6=;nUn<~15{T^Z zvQ@e9 z9bbFy*DlED2!b}T2!s$;M>Gbx-Tio52ZeMDdJl_o`pEje7(@>-gBgD1>-0R0P5=Z= zUgOkxU(g;`+Y?e|_0Ff`NH*X9pr*41^j^SJTsMQc(5TK*>xJaFA9yW$UlYGM;w*%rdMWG9k@z!z1B%($t9`m}aG<5vOUy zHLX+eL3fqpMx|%)Lh?_$KMT+5GbUt8_~IWgjbR|OTW#~3DIGN@Bq>!CppRMNn0WHegmuZA#w_p&f3)sYelQ%@D8J= zw4<0~$K2~z>uEXE*i3$fRJPI}+_^^uLsb>R#Az2!Ou{b_eHQi7S1FX3EjE6`cit?t zxcSCfMYkna!A(1;j~42k(5P%aySM32wN-8v&Z^lsF71YyT^X7j`gyEN5kl5Iju3; z9E+2aq>!}oUo77YqOKtuZ*l3cAs=PQi9o=BJqn8~W+-7eP$RKD%nP=H5>+AQ+zTef zxcdwhi#M$YO9KO@QGwJm>@opIJ)ot4(d6#=0Of$k0>$wWxvorERzDZh6j$C_ng`Ed 
z?4@)lO!m7%F%@MJ0(8Cfr^!Cuxats|iDgn0q{PsM4NA_rc)1DsA&y~eyV!l$@jZl2%o{h`@@Qy;&6Rw}i0Lo7Hz*vYiQ zjbhB zJWQPc4yJv6I7UhcS%5oFv*0(JX5zDxnmkS#O+nXJ&wy#AdspnUHd$*7Eq1ABH z8{T8wC!;pp+ixK?26p|==GR@viCzGK`c4&sfU|7GV{8(@K{)-&%fOt!Q9hXHu(P+H zXaKHj-L3oj*FWPtSp%OJrGKAiD<3P*S=0rz`X80GbuIwFSocjD!B{(S@RkF%fq8&y zO6R?r1H*R%Z{w9#oQ=2m%eL$4kGUkq_cLH5E ztOu&M0lmAt2tx1gE)VXfS7`w7Ews&y&)tzuAFstRcgKdu>aERtgR;7C*st&#JQ^UgtaiAv9ddLV~CJ24Z?MakovwHPEao$6f1~dklQ?dcG{M zKk38O`-{9$mc$EWH--ThFy?u2vY)~KHtuI%yW@F*mC@6yy;w!ucs?@4)M}&TOd@b) z?>3WTaJKW2Q=$;?SWA$lXOP{z!+v=sJm=769pF1$u(E2{oVL@qd!a6`<9GF(?un2b zC*P*!R)hdU{_h{(YSa{z7m^qFz*WVKR9JTV!=(+Q~b~1YG>~0khuJ--#HqP_Y8MDn4GV;7d zJO-l)J!Opbk+{X{{JPqEY!C2Vs2fY!-hv~!`>b^$*#?LBwt!KEr;otQWFTa)6?>$G zjX@_6kdn1VqMF&o4ptocgxAVRjsbZM`QXx|;1#LV=_ps$Iu7I?Sy=6IE zZxA`Q?vF$$?iD3ya>lZh(+*AgRvnWVtfAm-HXX?OD>lB)s(poFr0-zis}7~D_eHfMcB`ZeNo~Xg6U9s0!Yyuw*DIE>fvsN- z%7Z`LkycJ5z87FXe#y#udzMY!t){Ith;nM&f0wSpQK#@>!9D|}$~HSNoevg*EZ9 z{&!T+XDEqy*Ve~SKzYnAfUSnxtYqqZ4`Li%oIlHuRv`bOi?$*h8;Ro3Se$c8+&#dS z3$KIp#<(&eyUvze#E|S@(bG_JG7x29`itY9tGsKheTA;tl6SpSREG>1P09g!FA0*B z@sXTist~@8Zt1W;vd4yX5$T#`h_$F|IP71uCJw8pB`bi;arqzDFBaaFQHJtD(&4qE z1n~Ph#dTGwYR^o>0r6u}ui$O(2Upn0*7=ka8U~pbfX?}F362{hqnrn_s zTI!Oh(W&(w{uZDzUdmcrulAx_I8l}CG**OKPlrF!*_SY^7Rtr8NEU$|95b7ljf^hR z9A+VNRQOGGYiYR`Qb_X4vyn=1m?oR!k8L@UDZk-p-C}A{tzQSYf~KNK@s4Cq6rANH zmFXJ`cC52KBx&6elDFdCO?mqGg|4g^E+DWe@LyGE}A$?`C=nma;HK$$+f_?uv=D+*s3}#)kzls;N zpmxKBFco`MGm#~AH_Kg)I2`j=}QS@kv$VHxANgiD|oRD$>u66-9p^Bjbt|}&6wjt z!(h1yKas&GJK&U{Rltz7Ty!+VHJ>KadjzsAJ;0`!v!#x*{h3hEtzkIepp{P}v({$a z;wt1=KlPUUm$sgGiS?2chCL~gOp;25f`h2yo*QlKPmyqjrY3A5+dUKfhXMEh3wYqu zq<&X^o3jO9GgAni0dlrG?ufx&VBzlwWLEg3iJ!qFtAKY@6u++@aKgJ;{}f2k-ahAO zn7fac@a=QS`nOr+41?B++dMb@_oqhX^%hUbIO!+3_SOb60X_9<~ zHS=vv1y@YIw{f!xaoRzg-CY|A?(XjHE)Btg2X}W1-Z+F1+}&LpcZVL{v(B8EFZ&lfYu!)Pu6@-` zOUIqwGEdkDwH-_AT{2ZO1p>VPKZZS$7QNGbJ*UUrQl9F&Ejp_)J#cs9B-p{a9JVJ6 zaCt<%DfHZc(K5Z!<=@5t>U?|zoPt^SfbVS=f_EDpXu$|TCAflogdOI@>5k!;8T`Gq8{?X!P$eR`*3DahhbZ$kjErb+&aPf 
z<-{{V7AVp0e7T@b$||G8%g4!i?(QMScW~cJP|jUxgU{=XAx((Wsh9gi`V-0Jk^EA zW;BLpEw0Z&O21*Ce{Tg!wO{{QORY^A2#QDOGXL?tWU3hk$bV42FiE0!SO2ikb=JfH z?2&nf{VP29b~OWKqRak%khj!g4dds9>8X3bjlkuQcy0(hYwga1%V6J&QDcqz+K7%&#eRw$rF zrbQc9&$RMQ;vzb@=cgI@?dF=%84H$oS`E386jkIY@dtj>Wx@4E*wh^yb$_LzGNu3G z(wK;|`eodG5Q};eLwXa9fg+)HHLNb8bcWtEKGd6^3C|-=k!}{5Zb&8L8*Ju2YW+HN zrb<+0k%dBqL|45G2P%WoS?92IktIxIq-RM*mJq#SaF@LR1-HRKhOgov;u7|p&4}=4 z>kMLfe&M1+`Dr3F`97BEtKvadZ(4Ec9V8}clW-FULiZBt4HvELYFM`EBQ{8--HU$H|UPkm256{&43 z!MDU8Z$MtE6WIFhXL_*qJE4z(e2u&K_lwQ~sv5!~s?;%{WQnsBwq*GYU}OQ&NnZW9 z)>1N2d4}v|8j2JOSCW06Vrx%wRjjyWa4*P7WLz~jPMTaT{D~|6T}h;5vL7?px4|~K zW1W$TZ3LQN7HJ&uksI!FU8+`sd{^=v6^LE7U!#QuY0snwK+fLW-A{AJhO%P5K^YkAuLUuZgfrSy~>KXhAQT)iCYCl7WdQW71q~Gx9Y)Z-x%pyl{+C z4Qabjfkz<67Gby1qfB@DbBv-?F!;HUm#!Y{A4wk(tQ$O#U3D0xCXVm%PuQx6Yh-lW zGxL{Zoe}GmB@#~78MDk{Z~`~S)HjrSc9Q3K`BDE{nfF=96cC$za_|`i@FwNZqNKKh zROiO3_b_hqTM%!a9sSS_TT+RwBF|NYH=+t!OZmftwzn`x9| zhe*Hd%(`xg!O3H;p_DAEI@)(}ChT%~Ev4o!6&$CaKb0#Jcess7q)&?MDO;5(8Mskn zJNQ$!s`J8wB`@X_X7?gZ%wB8yLd8hX<9;A68B)r#Smg$~xtaCIa$07ck!C-&9308n z;GHkH=;=`eu-PS?M88C5WJ^|02EHd@thfM|swec>WIW*;4K_|Fi?uj@$ft(qJC@iU zo4CNE`tZ}uA$T)#RB*$T4OB|O?8cnUn-q^*;MJ_znXj7a4Lq;^ppX@^`2)|I8Qf=! 
zFxM zJ8|myz>*VSE1%xk>w+o|B!+?NN3o-$nKF)w8vg zZUDpsy0+tv`9`bzp))J4{dipHL9Qoo<0}eD-FPDp(2U(`pF{{3P&dZ{#z;F|8fIFZ z)5J9l7-&#(@);5B7+HH&yXa+qjO%IL*IMjy)!EfsX4>@L`n8y=d-s6z7eSLPHOp&= zJp$k|6$1NqwQbPtIqXqOeCa>DZZ*;1r>-ci>KAZGcGQ}3u5AY1*Iakx;_Wf^UTTi0 zo5PS>cUkmu;@x`H_-6%b-7Y5S23F|!+u1C3X#-C74oO}=$Gly4rQL6A5uWBpYd$Eh zKE{+O!SB|v@L>WN?*1q#wqE?0P*mE;6|nMlPhWnB@>@L3emKneO$pLrIwc@*Xgj@c zrZM8RnBaB-cE12Y{J=Xo(DOpHl@M3!VeVqBkfrS+lIfV`?6e+c7xD0J#sSNX*cQ5a0`WYJCS7$v{N0xr=`>TsJ9S;miY@B(6y0 zcJr$@KN6pMOkrQYe=&Csf|JH`4Nt{srg_VavhrV1;}{t$+2Q`c8;`OZ&qYzoAT_qa zX*wk=Lo-rvgw%7}#(id$SMuvDWSDIA;xauoGI)kaLdaAxTtDE_(rx`7Jj!5Qx zRCNv&kvNA9BgK@u%3;~3Qm&4Q?N$Y>kwi0Hb}TFbKE6$JzJ{25{S3sfSwS)HKf|*) z8c$-@n97usF_Npfv&oe|sXs|RH9jd#K=A>Cmiw>?dQW0kwV{n!!Y*_I%Lw&*Eh@uwaCF#d2Nt2cBP7$w(gC4+eRabydV$hkrYr^HRVO51OeenJb+g0M$j@pa*y!&D|B>U|7)B2>q1E%{z(hdT zk4W?%6lbqH6IXTFQLdopl2P(@UXl!mxAC*lWOMIh*JHvw(!m2%b7J*QmK4bbYhgx3 zk$LGN6q(Ew_%#WC=~FkPOIO>VKPaU`WS9=uslx433|A)jw01Y&%CJM_XK(tMGI%$t z|GwBnEf*hI3NIZW&1dAB4334TdoPK3Y*md z5UK)z@6EkS)tOL&54UlmtwBcMOkHI@svCbVwuz>~?@IZ{t^|#i<@xop=eP%r{UR_C z;x2rf7ck8DjHj&H69C~eDoTOP+LY?;^1@BjKfN9IMN+`GHiP@UTB-AJ< zevQkNo$dEBB0NM{@KW7Xwk7fovCZaYj!>!7OUm;>{{)H0XZ78-qNKXR9a4~E+5}(B zy-{v9!mBl#dg;vuB{0ev>ynDEj9cQ=&M1_mhBPT6E^*K)#qw@6@3-p>(?0(CA={={ zFHEk!Qo((jy=*}rW*#NU^<^hU+Opk+Uc!OT}IgwGLVVP`!8l#;TF-cb~-_q3s^E0;WjwHhnVn~KwD}`&!zvvox zPE^F=^TN!HorHT<&#}rmOFV`!Eb(%xNBis6cReiRA5zzk7{q>+_dw!q0!11%fV%U60=r`QKpuZ6T?y38 ze`x4oA0G45wgZmj48AV7y0-Q#^RV`6{LE0#rbFMdb`<4hc!2?OT_;|Sb?WMsI0b9y{9-$=u^4Dsa%j|knF0o(RNq|3 z9t^iIb%Wgw4I0MdCO02%?+HFzIem1UKc$Qsb{#Kw5K}l^kG-8UOc~DeIjwm;GStim zy7nU9wD=rET}O8io(Nvf2HYEYgrtquVUgZiod= z+tQHzj*$IEYmK}YYZlhVdb?;e0pLq5lwEFKn`WGgC8!n077FIT12m<8@0&5}reS(o z;=pThlQ)`f&sBT^Ccgz!KSRyeXOlj;(aF3(U7z$n(aT1qpY%-QHUr~%wh1k`yLj%NLK%ayZtaeK3>WnMZy-n92VZ#Z+> zKNs9=lwbnZI2)?X+ZLxp;&u0D&2_HX)JSp{mh+N6=yq*6X=1A2F=BD`X z2Lup1@pIru%jzAZ;+v5WB*BWhlfCp(n9^@v;x6x){ArR`^@b`v-i_0y#m^m<)TF#9 z?h$h)+C_$jL#=hwQ8hPf{uy2$FZoLL)H92&aGdw?r=k}X24Vrf@W|>&Q=c5&r{AXd 
zy0b-pNZI>+cU&<`Fn<4_CtFa^tHH+_097JdOXcmc2Qd^c zFHojP`3S9+vSW|Xfh%(n{LID_r>;mzFdKeNiRb4o*(F@6_us0wa}HOupK-I(L6J)G zb)A+)w2=n!1=>dXcI8&AsMW_HYU3g;JJy=PrPEaX*wZmtH=$m3-9*|~Re|eML@W2S zvJ5}Vc%s8YMPG(?sSi1vt(Tef|5c=FW_=Imr9H0H8@FzQzV*|hmvDASk&XD;Hje94 zl*=vNNe|n6Q?_PKchT1rc1@9b$3ME_xG__R3y9621UawddRDwU4(*NLd>92)MQc9? z9+gzObipOpsF_7u%%vJ&Q35-@uBQ1@WPbCR zF*Ws`=}-18;bI}=n%T;}zocj~)DuGqHIzk%=L0g7f=w3P-Wb=s4C6qPT_GqDn8Y6MU#q9qP7z!_*gzyBf+rxxU}iLa8* zrYQ7h1%FmVMmZ`j{NYeYl&s^+`!n2_26bAoMTJ5{dCHeK1NHqp z$2X1YFWoQsklbM3VlI!%c0O9~uNAqDDZ+AZJT4}0En!sy5T<_HnPifQ1>np7Eq9|o ziYzKi#JX|fT}@%6_a%p=gKWS1;6KZ!-r9Z5WQwg=s52yLhJ9`lxwdWmJpZb0!&+gk zW|2b4POnJ{U%}6w5KKt-gUWJf0Ib@fE#_y_>4;T1(v(nvn3-B_snWINKu!u(L?{e* zCW+i|r5JKm_BlHSp46CaKiLFv7d<1V4X2c~1b`?F)rU8aSMfb^rk*Y(V;HL$n!-0w z=Aw8eZu?%^V-Fo3k6y%%vR-{PZdh`Wy2KNH#Edr`|(LK^xa>w7RlKk|UE&x^Jx(=`Da_O=UUKKo`h!KycV}T#e zsKjWe-RvKlR^FO$H|-f6p$qmtI)LYd@g&S&6NA#df$mJyJjR!vt9P%tKx0}ho7QY+ zMWitnLE|H#(r8a?|jgzG^aN^zVv}?5%q}Oy+@zN<|1&$`}yc%2Fo)6?* zKjW(EUe1`weaWu<4Y^I_Iccj7 zxUB52r|=$(X70I{Bipx6X%cT9x&{pH)3OBLYig@*;((_FM*$=8%>FND^CX>*CMQcZ zE$_2k=vE`kMUKL(kaO^Zhvtew=DW)3{khyE)CM4}asS)IO|Kc(TE3!RP)W=4+UNGtk2YB9 zvD#Ssns#~-;QT^WOW5Riw{BMI&T(6O;cHDRKV}YLe4`XZl%m(b6G)DRX z4<&J(dTs7+G)B!@ulq$GAv3?HyQ)Cn5aiR=z{909(DU$a{CWMn2b6=x!GzNV=q*$0 z=5;#_DU}yd__}O!sHZL;IE!)C(PY>2uItc4%^imreSZ~rpZz1p3`tpqG}fU(sg_$`{uN^Vk52Nziq)C{ZiPui!p~;()f9i| zUi|1C0HKcU3%=5$N$pH&``s5~@2|{+FFI}0JSAu}Wh3)TCIj9bV=HD|%b0hZvYF`I z77k`XiaOJT9}R7Z*WNG;V!P}?v*Li^1T!^6UBV@MS^snmc+>?tR|@ycQ3<%n=W#|; zR1E)LRKLW6k}8nRx!?w8#0Ox>ZRYG1_|&fp2-$nlRU2gbWTI0(3(Yjimy*{tz(iM{ zUAxQ_FqpE;VG!eB5QCrj+O^(c7bT_(?62F*RIn#cHO_L< zS#XwP{`!QK=2%0;t&-ymL+U=#o?pvT+z>oCCKEL9h^a7W zQYY}jWg+U z#Iylr>#^DJ;w(>k0*(MlAISm6nX?0u_eR<`V1wYeOy6k`tzs~xUXZBM_k7N8^e!EG zSXJ5?Xg0dP;mct;mW^B@HA8YJB64u|3O=)tjO z_Ng}GGHK!!a54L&a=4@f#z}r`<>wpOoov_^=n+bj)y^VS>^?u4Xbgto_B{v0l%v(>gb>QutM=Bte-D#L{HCus_gDMN5+~ ziHjMr<4$GgOI%bJm-!bZZURYQ*a}K_kmwV%snXlvpqc&_j0O!(GlEMM)<$Edcvp$0 
z%VS|mz~vk_%i<+b(aXA8s1X$KbJrfVI3-x&2^De7o>#dmJ3-m@UalVc&{rrA5KLFs z_A8keU_Q#5)%Mb(HUzDVWF2w?nE!Zp=Y9AICopH%EA@UkkNsVfSsb=FHY++nEb~sb zg`d$b5M=Ihu1==5Kq;rPOtCMy&EEVb(9JWh>(0fZZklAK+D!5A&B*IfU}%m(}lBu8mj%6TXr^= zcC@<`obJ@5uE-P~0FT?;c2z7L1U=GhEJRfw#tyrTS6cC?pej+NI{51!wKnmdvO_k~ zb}&{}myD7zyL=y!u>@&kzOM1Yg(x7{SbWAiri>FWzB!$pgL`!t&fL-Jt*0~zU0Bh6@aI-f%k9}4kX6-EO<@brM9kE!Esu-(cYnUSIR zV#%i?TFKwEvHx9+2-&EW=53=dXTs7e_kB$F1m%%q)8OHe0|#Q}H9kr#WPNfW*sxJ! zN7Qh&yyZi8cwBXEaQxG&8)E-(OY_ir{&8BgB74%zB6vLyC8vBGg4BKv^}zjGceVQ@ z#QZ&zdPpLiMXYH3Yz)_G08{@Cj>CpCAw+)pT-XLOw(AP^q+S{z)w zY$)mhdTX1ZR-1M;2wXo-BB}^o zUIS2s{SHJ!cDi_+ZXOp})>;?GPYzMEv8Fba@9~8pw_v4L%l+Hipa(AjDd5(ek;82j z1`A*8+?7%1#|o18&w7udo;={XW8HJzw5##Dr_~}1ft&YDYLQTfyo%*_t6*Ni&eObI zvD{|q^#r)LoRaJ{wv-Ou5+k%Z))w0>;+h$GAW^``c>!EN7a+*;|| zJ=dzgU)w{0_y@atFYoQKbuaPUgM@Ki0K(HAIFveS^!nGwsT+~VGwwAOklp%Bjidhj zlI{7hKL+o#;bHm)`tX@qK9t9Qn>FeG9$U9Y`3r_az^}2g`X7gJ7PSffwh$Fz5Jc&` z>JU&;yj5a_tTAA9up500I4^uuqA{Qx?04m2Rv1;5efUCp0b^pN?SjxeO)8pY-^D85 zB077@5YS4aY~sK#Yd$!B;u$uKJN-TR2l@PY)R?vIZ*K);RyykM*54zPN5w{LNk$NF zsuT7F9I^3Y-#np)VbvH?!kbXHM^SN`;H@X?aX|$?L%+$2z|qC>uFXj%%pR`0D3w2S z_(T!%Ws4arf<#*e`{tIy*zvlFIaCwQ4ns8Y;;o6POK}ZgTMKNsmN6r7D2uS-$qRCC zrgu;|%8VVVcXxdi4$R3J$eb6g;6PN!^~GbmHZt+73Hl4vC73A-#~NDX@+Q!r!LO~1CqZG<9xHM%m|4SB z_Ab919(I_gD{nM0MkGzBi0w=&De4TQ8LkviV>2t-HICfzD-i$n6+)HgSnJZ&i_(Qx z<7<}74>n8=j2#+4#``incQI5?A@$Aw!rqho|JPsM2aFWnLR7qqVz*tgaB)RgDB2Z; z4p;`oeAK$lu zk@RLtN#Lkyvghg5WLgi+v{siL&Xu_1q`k1owe2s?=P*Om43YmG#~UlFtQL?TC0dOs zSuPNJRER3lT)Z9A2BRqNEQSA5h{{})W9US>xbaJ7ZNq1^#uD3aE)L2IYl2&v%R~0d zZwUj529;^kb}6O57aZ8m$cvDp|A5xZ5GPYjxuIyJ4QEFgS1Vfs_$gu<(h*w47QgS< zXVlo`S-tVZ!{IzDMLm<8^k`VnK{HO-rnGX-570GiQxO$UTmDn`U5aKaOqW`&o{I=k zC5r7hV>cYfA}`lrRvaMWSUfbNr}}ax+k?Ul1-oeR)xyl=yTY_IEu187bW!`Cm{6tmE9xf%6=n{%lIFoL^beUCXhq?(zr$1HvoIGgsd@n7-S=<&~#0@Xipu^chjpH2QcmL zM%$MEY*X?x6EiMq9!5b0iGcv*UIFd%38&;=zW6+unwyw_T&Zm10*9T@|8HDvLJcTC ze-N&RPM9RjuSenVl$DW(64Ut_Qx~U67 
zrAg8Bq`#bF0|Kw+1O(EU-)DNQew3~2tUj_-5eL2pzK;(QCwX?G5DNDg=ht3wL`HuANbO^zd(Dct8*|vT3dhjq}SDY`zBEHe5^W(d`RqjLECOTNTAf; zB6w~IsqQ!GINg83F?@Kw!QtE#zFU{-l1n3Y^xkHQ=q~ytQ0rzTA+Hfa^9T05^??Ls zrP6J7?D~?{{|yyZ#X<2?8&CO`&CkCayFawV09_D&`~Rtu*t%|l zpB!6dTOR$$Nj-i9N;^qMEYmE`>XmMzw~fuAGLrl6o6~6mxK+ajEBpn2e4B8wX=KHo#-x43o??sQ!*0>NQvrbwnk!I1DdZculAcC` zgV)Mb@M1e0GO?VtaGZG3#+%dWo(uOx2$mi=LvaLP5NAn*1_(i>5?O<-_}gGo{UCDx z{aBGy;$p^>DW7CWqqvouAm^X--AO!2?7237&s>&go5_1IQo}^Y zPmNI#yf#ui7IjH;YjrzgUWb5A##q*lfIRy5~-BjL8AZCCg=)6(#&fjh3p|#6uUks!x4GCe6;g zAeVS?hLcY5(N=En7rA;3{#U6&Nm=*_0?D0}y_l1XeX^*}L>!L!w)D1J@{QGdTwYNM zOp#?J`WHhbj^tH6;`DaqaT9jZ|89}Tf(&6T%JDD25U(KVH5?06T z7481`971ulw?a)y3%rKlX-Bd%4JJQRcJw78XYCyn1_~_N$o}GjNSPf@+C{|_U60iZ zTQO<|+gzd30tIbZj9(bYX5l4af4*A4k#HqnTmOXvu`UE_n#ebJbQwnHPd2`<0-h!h z)gZBEv}WjX%?(f}s7%4Lt` zX)d6mzJ<$Aqj~q66MMH^beON}98Sl$a#d9!f;!1C53apA|4)JBX2dT?8+6(6PpN~@ z;XDdIoe8>UKKE9nj!G9RyM<}0)baDPmd}_A+us*?4kXV#^V&Ajin_vYkgH<-RaU{G z*>$JvGt9dY2@@~LkixGnPNrZK*D=6I$17#FzSK0z@=?1+Q z_{Y_w{JbHvlqZDoiwail!gV@loVNljX%z2j={BvwUj;_nSw4!-1=q&Bw&KQ(e`nN3 z>F^THAMh>n_EBqdoSuvEHJ?GbQ;m0Qo?;%;hkD5s`;Zg{SU3c`lDC|KhLMG2wbxrn~(H9Kw}5&gcw6| zfOQ#0@82L}Z-pp%KUC1ktV6{>??$4BohkDvl_;<@ujeUUIQDK!=v)CGMV^6m^6&p{ zGB@?lW+*~^7$oA)-mWV#{B*z+3Tyqg3ANtJMkd^MvgSGbu~p_0~QM zz&6k9yse_`DRPq08`9Dt_^+ntj^xTBmH%yh{bfhA%-!&3|9q;xeM?#Q!z0G1jh~p( zTjs_th)c7}y3eUri*$3uU1|L?wHY}nla-k6jT+(>+z@C~pNqfy$TFPsjncZaQ za{0{tPH<$8=0KD*x1E*w2%NX0i=j2(zg#o>yc$Y z6!b?+C9GDA-Kak~Dt=6U=a~Hj$Q!8!=mq9yQ2deaPL#BwuGsyXoZ(ZzsD5;d6NvIM z_%MSZaTLFf&$(SHf9@ouQNv2q^<~JyC;Oe?n}rYcR@DHdHZ8-QV;NOi<1XjTVxEO} zDaE47G84rY&KnQ%%b51duurMrQNmC!`+97h(vwP<^I>|<)b{}%pInBt|>;)Vlb7K(~bD8?^v~WYxqm;%z zmVcErO*@iKVl`N;)V~QjT!o(bVN@ERYoO8>A>vTKfgA9oFymk5WeZkWY$Yr7Dt$-|23=FUIYZ4EZ~fcK$%V>@=dC9%WjZ;NOHLsY%?Y%%*1AuBBJQ&tR+Q5&(JpTEc3gIQD3;lc-K|RfH~+F}184D_rn*)Wsa)oTxUC*5^SF4JAu&UWWT6 z+jjDNg>-2SX|ZZemAs~7UUj>uFXOlLh}(3btkb~_GhFQR-?eDD^)&mdM*Pc`&KkQ+ zD70o_14MH^MZjqm&%}6QA8~*P=# 
zl&&?q%$uiA^+oy&_>j$_R$XIX$cJYY_Fgg%`ffNv4Hz!Bg4`3^ol`dmePXG_XGOdtLTL)yVoHL*Mws zqY<1#W&`qSGgIgjh$5JUDw@3QC=pTT>qfth9($7|BHftm`9Z}mL<=r6@Uwrz4cuV7 zM{r%RF7ao|3BIO>-!U(U7&7F!C?ld7tLQf!eZa6>p5sC-f)!kItdFC7!Qu;0)x1A7~MzZcel%WlmwCs{HcPwnUe&Q5Ir~`^iRD z9-F%oT=^Xy=8-&(+_Fq(vU&YDzpnsZ?c#`xBEyxaDngZ2ld;~WQng!F3lrUm+db3c zOLs_b(bYDO_mQ@zRix zzFawiR!DC!kV$Dw3)eJ$8Mbgsma!Yq?)4FJ;D6K_nBM*U%Q}`>pGXz!D>3OY@=ofo z_mrAYjm3$`@bz=h6WVcxfQw~$7BlEhTtot0B&5ZvWPn*OD zo|C|!JHSV~H{>DbU)o1)N`R-z#Y-)uSB5c|RBf|I5<-IbPPPD1{_c7l0iFArdICiD zKg{6r=fPkmUzVBS?wKS?83O>BPzfHu<=dOb% zkQUmav!1SpA71UTy508IX5*F*p6wJ{3#e-D-pj1MuEY>Q#(>_$ei&U3aI0tS`Ie#apq_d&(2*6u?1V5Kn-lI7#}*2aUyyaJrO zyN6t+KX~Dta~_^?I0DadI}dpwwdTiq`U+7C-oEWBVx&w4XQ?;9&86wrr< zAmo_Se4BBaHJSpyipJ!;X|b@5=Wl806Fth1g3&YoOp*eGX3EaEB3=`&UAw!QXF2y6 zvFP!^$^#A^=rNr*`7kW=y@xD61UDiF&2&5uR<{h1SG}P*Uu^Er-Y9MCADGvsF4gBu0waFU zn(;-yx62olM{ulD?Iu|8Rvv40>ju!51^ErSqtDvk?1|%hd3v57PEtZ;QAhDUGi3no zeO!<;Cf!a7mJUz9Y?N6k_g@Z!Jk?_ zctH`o{kP0Ax$z!0`!X~09Co2UV1GMJgYwbIK~oE0fNp8;7p!cDOL^pL8zZ~PORe92 zK2^=iodDK7Z{9#qY9T0W0q?6`=pP^ir3O2cDx-SQr@k79XeqW=>(~s!1OTDO@(l&? 
z!xeeuc^cG$6w#P#X8LA4RiyR&dIOejG==d&Y6O*q&@be=q5gglmPkI4X~eC%@{bgl z2Iwbpk*i|rG8Rv(x2KJNtk|$iSmChcDAHzML@^vx=G(s`_Dxw2C-Ht-S-)47+v_k> zmrHyqJc!_BpGGANA3ZHLRGETKhV^qFxkPwUtw|>f=SAE9%FAjtB({(C>#R3KvC0ZQ zwsk9JwST49uphipm$-}WJW?;M_Ze2barGOAcx$cZx6l9DqWZAgxU zTvBXF!`S}%LLdfUr29o<+ca>fue$dpk5AA~##2mzh;_`@MtvZF*SJg^LqG_=W6OpO zU!FoT=gmnpK^{Z)TUNJ6@u(!YXZxyP@x5rZSFijZvUn0)L!{-nJy^9Cp^Q3Q*q9Lh zTZ;Vxh+4Tmiic>mH^haJmX9m%h7@NECFg5aSuVb=AwH(sGCG5nRG_|SrCJeAR6r@z zb+G-imHrK(J{W>Qd5!JLd#k!lzTO)E(2U{qqt!y)qI zlY9-|=Mz_qaWEKHZiTB*^SY6!zDA)YKFL%kDYBC{bttrgN-#wpj!XIv9?TsFpM07R ziFI0R_-JBa5*{=WpBfph?1||_%Q^(sPSHNlSLrJHIq&h~yJ}RP9S0yr@R>tIj` zIU9YU@=s)pD6{dI?Ye(TCvq{``BJFCF|x0FjAqC3d2U(CL^M{(7U)imCKablDu#>K zZJhSP}>_xO$MyoYr&;5J}zzD9)abLH=@Lx~a?W7I=QOe-crSEaX zD0m9?`6LV9%1$k%I2jrH?S`yHEL1d_MxCp0P=|Z{BGboBUxJ|Ah7LV#k_I;a*BGiR z5@K5@^sgTmN=@u&Q~X0*z3tg#5y zwYo_)2S_SDHm1f3{ZlLtdfPu^ZGzj5UB`s^B<+&zk$L_VD+Jr3-8AQt^>{sft-7!u zq-C=6rCDq-x{lJ8dB=w(9if2x`?QVlrlq*Fe4COV%(@x+-GbW=%Z_J$lpO@0R>xyN%L zQt#IF`B&pj|B}7JikENt{EeAGGJ&L5R~T)Wnk6jfPw}y8doDaaD8!Q=RXh6}!f_@t zi_H1I0}>6@%en^(2F$(yH)Z^Xf!z8|yD7DA?{5*>ti;BIO4Qxq5K_nvUFoc4Qlcj7qez-uuZ<@Dt? zUcp!=aa}y`^Qkn99_trpqa+#Ctv*Wvz`n^;fRDjtPMT+X7oyN>;~)?JHM>W2)@0Y? 
z$ZCr~bK)xhOL0U09S4cdS!Rh`1X0~FLmoH$Wi<+<>7nRPdyh%(dw&T76Va(pqBAK9 zh8|(_!gDQQK)>lrj_6wbnayoX(S(6T8x`@AJ=gL1o8rrDFYLSBP4pR7Amn);HphL8 zKALehM)3OO=I8r74wM*i`p^bBEKcX18LvcH!xI=O|lj>#;$j z{O2seUYtR~!uPnPA(B*7m4bPq_;_m$;9)Cf&Gwf!#Tmf|ng-@;a5Yv4p^R3Jxw5K1 z)hF_(Q`&|(ieh9iucrNt0CFIjaGj1JyX9LGxEc#69({WRET9 zY?vX-oaSiJq+@O%AoDW%yHM;$NC&UmY6{{y1)2au42=aEA2+ty^kv1M`-0%kRe^VTSUJETycL~aBwZRVH1Q`- zlDyo+AK9>p@*ol21gu!ZILh!2x+O2)f`g_SYrl& zn~L~PXTKLsTG$JJwceR)G>A@m#9Wpo`XnF6=f`uVGw~hkbOo& zS1R?>^3>oQu~m5{9#-^nl;5^M>;ftlt*p;;#w>QZFTpOPe^Thwvi2Au%@g^1eM4rg zr(C04vBa~;9|gpjZ>+rf0mb`9Icfnq^pOz(m&M|j@Sr#f`)BpfKfXJHs`;$P#oK@f zBAy8&k@_y9^^}90%Q46Nl*gi?)t^gf?UNG=iD#H0Q83MC)bCri5=D{<67XabGV+tf ziHl9-o{8~ZJ1CjBs3N$`Oo&(gJd~{!tcAX2h>P~gsKyM3@i}y+g zk#;M5AisWD@Stz+p9-2c zA5%p9Hkb8tlY%e)KQE@=_`H}?+inYbe)rgEB7m6r%C6|yW@CW&df9XY z+pXlp$LKBpK9=MKufapvA9K5|ed8sE+nfHKbC)ddow~^yS%=l_8-l9$vtp`(%kEd; zMaqWpntd^cN9n6w$HHko zi(w#A3rU+%f0BUTPF^OKAg;AH+or+Zp7wl{Gd zu(jT+Sig0dqdn7$9B8=Lf^49DKLwkv2MQY`1U(eGXe@_%-92cteP)5W4MEa9VN7q+ zt{+EV7jPJ8L_0thbo>g+shc#GQ5M{d4II-YC`W)S9OQltObh=EI^SJ|I{pNT+L9vaxW8e_ZoLfSr>u+lk`uVPZ zk@$j^_hgD3L;4yC?~KGtEcz4;*16Tfb+ebU`fjMEnO?nPEApE(HltnH{cB}I2Wbxl zd7RK-ti9<*33ePIB^lqz`7j0p224YBDg_C{VRJbbGDv>Ps6)00EJk35H?4BZOxO_c zTqu;moIbKkpK7Xu{n=%Vm4c$*JVuUmS8$q;&@~GAtwKs?Bxhy3$VLFytA~5N9);$+BYo0}# z8n(N3Y>=s@0?(kj|?R#+?6BfUi zCANZJ#IU!&g61IY)RV6?`7fp*(8x+^pdR2@!$(LMx(z1`eTh-Z=)3DRwJGldxdWy* zRH18|d)1)Asc8{PkQp1Vgj)u>iyl&yEYKb8P%TG0ZNd5Hc%%|KPzYf{C4>Bs^soF$ zUBX!T@rtYsg#qOjdk^;~klm*GW5Ieu!^BORcz+;ynbYEvH?bcSGf>c3$ z02%sxUr~@SL#|YM4`2!Z`0O4E3=ZGZhqV_{vpj@$S#yN){uy_(E#n52=)d+57{RLp9;av z0qx;hZNs(hWyDfcSSFX)w9TIVZ)_IQ*;LkXaWvjMLF%Bw7#y4+C1faGnS?$_{QSpv zbLN={JKhSej@VI(v424uwDop$ursLWI!%=tjg}Pyl_NC-jRFB==3ITLB1XJ`a#Kg~j1f2Rp42ZCF!dr7p5Xiw7{ZHIQCW8R~Q70c-a!j9pW z=RxPM%6Tu!pvK3R8q{qgJW~N7@-x$F#hx^w4 z=0IHK)8@2oyVuF-RIm4>*6DVARO8dnTBirbsp*L3sK2nE`i_g0T+y293Jm$pP6i2@B7Pp9)@P0{Y%sD??Vf;IS-sw 
z{Of$XN8?qj4()>p-PGN#m)c|c0~nH%+;CBb~>w2d4XU(^)=Ya>V&L$#Ev-77!hcB*%>Quz_G{%ORM}L2z#XxW8fXdb=y^x3NXkeJ1a{f9cfZ^P+#01r2yvLVU8+XE~}A z{k**wz5A1$eMWS%15b4UsP{Gm6^_N}n)^N+^k=;s7++m=TRQBnytDHK$vwQ>lhSb?*#2g3LSiXy zb*hFv$z37?YSuG!8$@%8&AU4E&ipT8PPTm3R-$+u2QQoHI|q60=VkSDbzFw;6}hky z4t%!+Y&Ko!Sl1&~3;%NoyL=#jI=qKwOo6t<->E)TNm}_H^6#>P&^1|B4oOR?Nes6D zyMV7WIZ-x+ns5$_p1UFJ1!@n6Y5?2$6?FRxKXpH$J1 zs^}Oe;jMX-irxhn3rWmVtyfjgI;Ny3YM2Xdl-ICy1rkQ?l#)?nZ_Vc46!^5ch0;xK_JS>$*ZI#Sh(Umehh-kr1TLEk$Eb|Z}PQ!2JpZ%o? zx$95xXhUP+g(UPht;7_?^t|Cisp!cG6zEn!h}wabe@--&;khhL4Cu}0j65bv-x{Fx zan5cB^}rS;Z4<6r`67Gy;bCX7$t{QJm(ESxMfTxgX4Qq`I8gt%dz?0jH*zA~_@9kB zD{$x>luj?g{^-oU)R;4GQWW}NR6JxYY)L(5-RsflGksRTs-ThF}nEBdvUU9VNBMWbYtDiWz!Kgbbp+~ zThbJ3*E3dvC!>vGmW1f8*%ya@kTjg{N9elYqO}~I49~$JA2;M2q6!fGg6kbJC=9C) z5Y$F&VG>iNDJrC?Dqd`j?MW%i^=|)5YR0S&A12P8ZAUD1xr@2<2}~8vIT?D-4;fDx zADc2*PM^Ip1Ul9@q$(Q0bY!9LdxGnbUhraS@6Q8t>P2Z)q}eg|mPqB&Ur}I{@#3r0 z$16=3a^dW|Uew#{a|%pAWhfjx0;;pr%-uC$m$p526J2ovF_J}zkbQX73~O7bjHu#x z;&4<#0I)nnCIxy3p@0}g`BXxWGFww^16Kr6DXI-hpC%pE@N$Vn0dqv6H9_i4nvyWB zVEd^M8&x$6Im$onJYAcMLafrhYR07iZm`9v8qUd5UHWjS6qmoEo>n3PNFs>`qlP1! 
z)V6?|{A$Ocn~E!?RW}?d>o-o@Z}_YzD-&vXAh?V5nb3^$iuZ<$H_v*#MS%2FZPCwd z%X90BUyW#!8QWCr%yaU6(2tTk3x;pi_OCRnHHsd>7uaQh2G_P!uy3xY6awv!{qa9f zJx18V(tw3Vu@3weHBxrIoKi|zVQ@utJl}};#9hyLj61JxI&5`Cqc|UN^1G25%$!^D zS)0M%!l(nB;q#Q*#2fD8P{+$ek2XaiyR?R7_rJNIoCc?A?Gn%K2L#I8;`Ib#axD47 z5F=+UBr)1%9lfLnZj*kbfNeW(Tu@ThxOs4m!_W%HcU30hW-;d|cC06tOkx9q>goHxuh zE$5v*7YlyQkBvI4J8yMNe+Fh@*yd-MkzRG)mg51q_wK2=eExNvfK`wp2rL_T1#AC) zUSS=!ZJrFd($8e3yB_-d0#eotW1h-Ovb?&qa|yO0Uu-_VS$MP|dT;t27#uFN8;%OJ zE!lh9dC&YCfjoRiYc|;59|SxuW;(2L*;EsL?sE{GKqD)*kFNoJZj%RhaRC3^=A;X+ zZzDK;?iU$8o#!S5KivBXrok3n$+< z)3K%mi~K6Ramlu4d3*IS(k@8T@D(^&%-`~{Ni`m-_HM=n+Bl70EecDXnwQqmn`nWGiK=O8JKZ-6ogjl)+3D>E#S{z6k zwxeu%L%C$Qk2}V3HMf(tK27uR(u~O6cxDn(x7dv!??9)5_Pk5hJEcoaUeSo(cbWp;Dwe+A>$GxA8Swp>_CBAv16c8W3aSQDPz2$W4DD!bK5scEQv{a^zm(rRgm)>Py_ z8EVt*im6kp!6F>3T|{%fd(vX#l@8+X2{UrHW&fssY@lkFkk8n{LbT>+#-HJ82^DRY z!AS)@_}Qp2QmTeWMT>8Ya-G4^0$2BpAxhM&Ck{hRVp6~I_b_|LTM!>IK|srhb7~qO zjn)FQF&B#!{%QpYn`3l>aiAz_a#F=#|HM;RV@${d{^jip9?R%a_Wk+1q=Nk}-n^HB zJmx5$rZr5w$=qQIUg4};A zu(TU%%29|pn2Iz$pqxU8euLCf+jh$V7+N1}*FVtpPYy% zl)MmC4A`}CCs8+H-dH6C%=xxUa%=6h{rwVw3k~{^Jp3|p`E!N^qseEw^ z?mCWtJ+S2*@En~MG8-Zs*Jty50#9_}7Hg_!W(c9eh59VeKKS4zh{}84)GiFT46*3(={=RFzJ;;w z)H;^UvoUzg5L;%Q{)^;E9+#l{QN$Wxc#1;0ig4;rx~SXOQCgam%#{{7S;SiE#0g|4ulJ#!*P1(vYaiiZ<&(TROUs)M6Qf#=!!Xhs(I_go8dD_2ZzZLxFz49r}~< zv!AKtMXSc<9aOOF4yJK%a?!{1{zV{snHG`f0xbddgTJ6*cagD-2X4a){>MCyLLPzxllyknBsqEXhg7L%@1UG*K*dN??omXiZ^8NBCpZ$YP{Bl{V zcz(+0P{PGq%FnA}uYwf{cZPA<9PBJGP%BTG44_#1H}CtE1xX7eH06!p{Oy66dJQ(_ ztTLtA`)0qeCsq}+vk^YIf6an}lS) z6^$E1C4)6z>xX+TA=B3wiBLtGPtGc#li+BSKvPQ|pScfXeXnY^%5<;w)nQ88(|oGU z%0c*r5o-P{W-QFCz9ssE2PyyJd71nOEv)y)XfpN^t|yND)UD5{uFEDQNYufkdb&n2 zxe1B5?G$pJ6DMATFkyaB%Kd>;U9A}*z3_b;hhjg?m#U0gshXVws$LX4I!CT;k-p3? 
z`M?`D5|49V*@&p76-mEXR-aSz0EIG|O^T!`-!&E2Bi@(VfqTPrLf2CRk5&3R{hSeP zxuzKrAsPzLf*$-|Rf%?+9TA}tvUCf#Ry(^4@a#G)D1f?nao!9a9^sCv8ZtZ*IWssyG!jZxbmWAOeix}kij~1{CWrSge z;&6DP>N*A#qr$Og<|VYqIaIOGYwfs(Euoz%!Df?XM7C&UqJ~f!uqg-KDn^WYWlDd< zkf%DFmf@1@x`s`&f5^@M?|5f|f#|;`DgeoWKv!4fUqZ8Hwqx7p*Q$*dNAz zd#k#=^Sy^2G(Yw=K@VfqgMybK7wxy=!=3KEMAL6Rp*B~1`x>9ggQ3+Mum3*t+BPqE z3z0sLN6svWy3QjWLWw@Cyt56>v)bh81)3(zY^GBe6m(^{xj6Q44xgTUp1;j~UQkj^ z;(faaHP8M$%+Ag{$pGvn9s0&FwjM%7Tspnt;9b@1&Ei2*Ws}5c(D=D;yJx@KT70J7 zWpCKIhkeGHSGC^HfoHuuXOVfl+NP}2wikfTA_u!?WblOi1vaxqkh0NU`7hC&AgqTZ&m$=XxYbYuo!|!bbDT@y)cKd*AB95z$1; zUY2;w2ou-StYWm5OZr7sx9eeheN*dh;XnSPGI7F=>$E=+OiT}B^`T6DeHbIZV!GW< zOg*z@x?D^x!bUY#*_K?g^&2<1NnR=M9o;8S>B0)Plt5o9^U>Yb%*ku^72PKq2*;J- z=j+W&jIC@!X?IOuQ@0<8=w<5>^uqG0DAEL}XAG%UhxPi-dMjO;u^oMeAHkw>qi3M1e zVlBj4)_mL>o2SBPqd+ZO9^}^ibHszZQtI$um!eZ6Ipux*pooL%qDrc6!hIxu>CaT> z5NTLu(e=sb43%m*YUUD!qQzJZf+<%U^#Fo;<8!2hFui6qO}N43LlJ2kjYbsNpoBDK zMhFb3?Re`ayetss&>9&_l({Z-7PA=L(pfmQK0bDSjev-WHU82Y3pgcD=?!)@dqk3o zj+7)vwVo3iJ{@>Tkp`{yltivrB4MCbNMdJ^ZVz~+QBCXp@+5*0p@sxl@iNMK`EVV1 z!TT6YRlj;hnUOz1u1ZP|ZbSd07>`Iozt_yPS)mw;I~Yw#5v~%2yfU23!)c8s6Q`Cv zzQ2Z-5tm#N3zSf@5lITBF>UTLMtZNl4IlbzfnIeADx4-Vc&sHAT!8x0>JRG_4n3l% z@lOQ{kDd@8d_Eux&zC|RqECZr$5NIS$;>%D>G_f%9_X8M-yV_ zPC1B5|HhwZc*2%=7E7;Fb*3{xZkEHw+;Q52xNNdzm8K#eg2yclgHRSWXP!IhPoVhq zzoXF9mo!$HvB3CJg1o~>9{9sb5%ItpdqlowaF#~=tm#n!&Ws^0hz@mzo}GZeMiR9Eup^k5cmhZQwS3*ZNoG1*%YY)N z<&^hfz2&=Ye?X|Xi0HWqx_OQtikN>6#)+Ei<;Ljx$&uhMcKCQuubK z47?qd__7B@t5KL;*CB=IUp!`*RTIJ!K=~t0 zLbr`mP(`lHGka>LBMw%^`tBd7$29^u*ad`{q+gq7C^Mi=p<)~pw?!k@{cD=W`c-tE zsC|8-%mlp4^XbJO@iQyQIjAx3eeg5LY@qw_2}Fep4!0dIfYKF1RToJ9?ZY@?l1LiFv;Ox%n zFShBfm%nJl*z9brT`1HAq4RX{fvWDat9*wHEzSltK3z9=iMBp^l0xm8AJju{yf>Qm zi(kjAMj@%hw<{; zH-C`M^txvoQ;=RnFaP<1Bs0HO?RE2^fC_}+?>)WKM*bG?T-uKv8+#nQcVQk`AFfmIp$wVnwZJ{RcQ=}| z2D@s(!&U7Ffah@Q(KL6S-@*9ZqPH=(ZMBFg-~Alq#s`u2PQ^c_Y`|St4=R?6#leALo8nzg>JVoJ}T&AJZY4Uh`gj{Ay(CeCS-cXM1um^g63O z%Ib2T+xpiQ!IQLn^*Y%pNKm&b;4*!2ak~@D~{rkvImG&>3jxpA41OrTTIV#)m-x+eI2{HKwtiV;N+La{Ig_Y 
zZg!!~m2~js>&`vxdsY-h6O+8bn9~StBr&7`OO-=|GAx>>2xN9@FbGnr{6@y0D?4Zu z;j{;31|hPK#fNx=-K00n_UxZ++9wt-QR!$MP<;QxMCh-3ei_AyQ#MAbd(nL1b4W=O zogF-?kqR;x2_7q&S`aU~ZocR*bhY@Gj(#abfAi%AgQ&GZjsBDqYYp4>iIV&h{^q>W z6R}BEZ}6?+J&~-+L>s-<@-+3*`3y02JX#8q#t-UR^AuWCGOWl`27Ao@hc5i(C)ctkGCIeAEGxv^sb5=%lgM z-(~N92rw>^LunL-$Kp~*g3DOjNH-ybA$C*^Kw1i4rGtI*B331V7uSvXD>8q`Q^1RJ zIJmmtNk8yXH8CO|q_84hnmh*!I7K2)r4Q6q?)E#bJ$d?h0YWpamDZu@; zqGqP=fIOifEdP`_krRhU>$uWDtsmVcVx~8F_?~Qu$igHF=GMi8G{VPgzHQKd?Il1d zV*T-D>ADMtXI_I6O{gq6_lrNia#qss&+itwMd@E0*uHzv50qN$Vu^F9pzl>bRP$8P z&o9X_9u7GI z{));B(MQijr^%!EHclYpZy|%t4STJW;wz1N#FC>X*lX`7;|1d7UV69WQRxer!4t;Y zBk26%txAIt4f>}dp5)9!IPTMi+IW#1l9UEF?P2p`@1_?#X7=-2c~}GccaC;&m^M=l zk{S#(XK{nL2{25GUOz|%m&h?MaK4QO`RpcjE#U~Iu-k?AoN9P0g+ThUEfHa%zCd~v z1&kb-rg;z4GO#}BQkKP};acNlfWryEw7mT*Rp|1k{X}Qd{=QTm~Uf0eNc0*jdej z$C_=6eHG>>D*_|+S%DI^S~^1XzNic>?s&eTs3DgrI)6+fmGv z8Fn%u@IWSxGkVBhabP$nDqPsNzE3|CR}ukfh2OsqY~x-%2uMP73L^5>wE0+UIL7>%iZY+oj-wBrrAE+je~z; z7$4xTgZLl2KL@j~q3y1+n9ov>xj1z`70dmmsv{V6R?UxYj*dE<&ffE*TVB&X3_9G; zbm^Ej2Gy%FTpncG*Imb^$BXMED_++P4FSefJ^W5ptjvmA_g$S1KF0jdx0dMy$lm87 zr?>T2YtGF}&!HM}K)=UJG7p39HyWnGWs1$;w;!U5{3f$~A4?a$Gw%<5z968_O-fZw4`cU!LdN^Ig~c*(z*q^DSHnef$biao^TP zmGT<2xg-_eq1P|3mT%Ucrt=!yUG`7PFWOczg9e;=e_l_gk0Li9m8~0otD!*hv~}@* zl%_jcG}!y9PU_Fv^1C3=@Xn3mPuNQC@JlLJ)ZY#BjxRp=`$7GfP{>P!o03G8uEncOYnRJ<<20bZ-A?A!c4WnSbN zqo8Cf8kRDWwzz*SsWeR5;Z^%Wgxl92R+URIEpa{Hv+ZpT_m8ufE#Wmhuk;&eA3TV% zb-!ok@z-p19Z0I;UDZxOO>cnKVlJiMt>b?_U7kgIe#CEZz70BBy?C$@W!_+S^s+uZ zD*Bxq4p*%lis<^i`Q+1KOZpx9bC3CPgc4x-ASlk0 zs6|7v1`JX|r~LADKfk2qGs#22zXNl%1BXAj-Ic@!x3_xupm}hc3gXtNN#=3 zD^)E@dma0#z3*1^NTJr=U=}>Tn*1yseP9{L++Fke%uI=D|+ ziC)JNl?t1J8|C*rV`G>0sl_MzZl$|I7Vw@EBmRnE&V}i8XBV{XcH8av zgTo0y3&7ENt=s-Auh-Em@10vUNWzVLBjYB!`(+wS0hzJnlP$Y{a_hsQ>k&lLJe0=7 z^Dh@7_Q6CSO9-nz!xc-UPOVDDOn1d6pSs}>ROq~tEt_;{;9!v${6Bn%JOZRqHy3MV zV2D1UkawXRGW}8;M>$NZf$BM36rt*&7~9p_!AXw)0ec5s&5+|RTB!u#MwT4 zr*ef=C`uX2o{m6hZ~=R*f=~(<*fGKqCDWfO^;CuWKF8&G3yhHk`$7t?x5nwt@D~PM 
z7g#*4>?ocbE<(-i;D4$~Ark{4l;%p2S6eYj9Fs(9(G%Zb<@*0MU`OsDg==)+;zH(L zq%;(Spa&@ESiX=5#?z#3pUNZ5>SpnV@pgXSIvNTS9-?JWKnU}|AxW8beJ@&6W3@wp zb`j@FP2~9&$0XgzA~AyW;-Cwf%ze9ir;`2zECKcqn=LViAC|4tCh6sJGo`9XrICn< z6Bb7hI6EP~tH+!~VUQ@)n$M0wU#f6S?W-q3ckH$gCmI ze_%>GY2;mroNJBUqqOfngiDaJ!$qQ)vb1oS|NDW}IGo4RS)Vft8_1PpKLTv4O=d&* zHneV;LkZRv+AfgM2u08?!g)*m7n}1t+IP`|V`|-y1C3B?j&QPquPiSHDg$d}%-G|tu3XC+K*KV9)~y-Tl|L|=~$dGe8eOCc{V}!q<_j{RJ^bsSJ|?+a(GvN z^z)rS@M900(r*>|)?0Ap;ed^hdplz#%;OT^+V6RU=GXKZFs=8yH#eQ=@!jc4cj$4T z5&7S}?gQe|%Vzeam-}>z!23$2CQ*~z!|~phfoJW6?oyTWBERAlrY88k z*zfnuVf(xD5_JCi9`UCP!08?I>>DG{_v$@G!PmC(&O_?vSKzACpT@f@z5J-dPy1ZD zM|O?w%MbDFe%*0_w;6cBmr>jZ0>D8URmIb3T4n?z|JB~GhNoxPQS{1@%|kXr_2zym zP(UayR@d#Vk_dmZ^(f7v()Z|!iO0EcJXn+K?Ew7B2YbE#RKVfV`7|7vWqJcJo4~7g z)!jX7pVX+?hL_FXdh_Vr9M2{2@fB&vb#V=ZcL!bS2`-fhx7UR?EEc;fXdjOg-s55{BadRH!e zTPmlQ{5-7`w@gFLjbQTn3?|SF%6h(+e|>;Aw4K`c>XL4$w|4c(b_6;_Fy4Lw>DFC0 zeh@{U5BfDr`j+Yo3OtWBmmJ;K`_+EjHZBEvfN()r9baIdFB#f=wR=|(b=E#~s(A{q z(1Kf98%P@s?`H)X^}GBO+>!wGCZ1>}F-VkMPE~`n?)C)ndCdpI^<75{Br5jHU~(SG zfS2*$Y4E3hiPjX-%sWdb?#RigUXzm7U4n6TEM#T*)|5ZyO}eEiWr|Ffh1&uPQT?;o z`58x>Y{WZ&DQvCQe0>+VdQ4_sZ7f#JQtFb@W=5ql3l0cseuWuV{$jJ4k8{m+`WaI4M$#wv<(_Pz7h7Obnn+?I*qN=Iu(L;UH zKfE)X1bC*{haAwCN_NbR=ejWxZewWL{^Tx*i#8Rw8VD1HpH5;aR&F}=vqDLQs75Z< zA9f%4rZhf^E>9}9F#3|@oK~p<$qxCzLPt&IY+I#KpsYgqj}eqTLEqHC!ug+uV znPJZAglQR&c5(9Cbo;s_9r+Ckivznuf4DLMdp{zDmOHa;P!}MP5I;%z}%>1`{fIRp_Ej_)TiQllnV-lZTKG1;qX(~W(ruP*}$POSNYM^ ziAmLQc3~HtLpieSzE{ds|Jg_NG0M7Yrv${XeSNA!G@NKu9YWS9mne-OE{(9jgc9Oly{-b0 zhc1LB(Y|L3&*MPDBK*%Dj>MT08VsxVD_zh9(fiSvHYn<%RzX(CrSP|`1|}TIV6@XO zW+UPe>R$TrR~$;esz8B;d}!D@bc$*B@Wd*Bgmxxi5K0akeXO?%6Sk z+Y=bePDCW{f0q%9WJULusY5t&)67$lgasFd*z8Je5-$EEU$kZ2$p0%5aejvqk8hb^ z<(}1eVBRb1Z{mUP%m@yzR{}l)v%3eD@5aY(S#)5Ex9gmU8j16Jq`j2hV8n={q?i-M z3o63A#`3@8Sa*dOy%19hBy4^N>I!?*2CbOgObUEHy&(t1lZyy5i}=8Taxuj~B-bZv zs`CK9$})&fT%@s&@ISMYTOT0UB(A>|)1la5eBN!L9GQ{5zC! 
zVFR#-EWp1ca1C?OY_b}0Cu`^={cpz|GH1k9gEg<*K6 z$%I%>_`W=B)qS;tDjuyJ39ffUQSVyW^GqtI-<=6wzCXtV#+IV?IR+JB2ytXaedp3# zOig4?u9eeAEJ3X>GZGl94Maj!qa}zjYkBrBGAyNokXVCFNrB%{FIrp(^xYRJhwn8vx@RkR;uMeiWQ^K zQ9z_O^NRSFcSxa9`I%Z`BjKATBfg2#Pq7}k0JYG#hhUakDl~3N=Q$YlmS^&V?3=w6!O1i6$F$a@{ITnnT2) ze%K$=tN`JZnY3exm86^vnJ`O?h~*|;2LG6o7;+_U6tCJ-LX5dq9}@**&5vWoMqKS= zPe>-fJ3hKFuls4*5k~4ky9b+s&a9I#OhPLzS_rqQl8v*#sxlmZW~?wt3OgNnF4iR! zGZui6k-|WtyCkU{mSAU*_>Nu1R&3cuB%orO1P;#Li_Q2}>8rXZ?Qzl1NKq$HH6*gj0(u zVsX=dgwP0uWhhWgxYF>bux+GILV?=6!{SdMth1iWMA8YuJ^gR4W6C`5cE(C6=aiD_7ty8*G zPm*!e!@xU?#lR=Zaq$Li9(gdXMwJ^)hWVIOBWfcQ4y9oQMXk&l+=<900<;{DHUw{g zHTrrY;f_xwb^%Ni@-;WZ4?H`bvT|I6B9R$~BwNfuih+uwT%Sl(Abr`7;Ao98G9RZI zn`o(}`JU)x3gy^ya68c-UY9Mjq4U!?VldRB$!nApxIz1>r9Q^kN|BVdmR7c$wvQ8PSu&=<(v2_}IZm>h<2!&bZwrFKQCBTB2qmKXI9}wnz1;H^;!L-te6sRQyQE@b3K{+}!?L%gC zY*TD|eE)BNnsM13-mXCUpD#oo(4Y#C(agl%)|M3b)5jEWyDK8&h6}U;_50BJ_oBu7 zQGr9Eq7gb3EPCG$e9_X$+=m{w&pxVh->;kK3;H>8!UPBbxPyj}v(wzc5XhaJ??69X z{hVUF_Lv?en)r@4xmVl{c&E}IdXXXqENZxZDH_HwI`yQrch-J5>7G0NaD46OHFV$h zo2rkv$yC`*?bF$)kWG?_GBRf@6J}eO%se zM!dV97;ZiH-tKuPYoClhRc+jjz)xykX&nw=WiPt~TRpw3th#X7SEl1scRC$7KJF6X zzjbmwL^$_d3hL}|b+-+*t#4WnG8i_i;=Q{cV5I2Z40ZcYy>7RGAb7?>kgmxPSb~{gpvoe-jtqowvKy?Q);64R>$I z0@+h{5TVxvfAhwm#?pG(+Zg|_{j&b&AV1^p_tHYelIpg32`(SU)r_Z@4DVGa8-p8^ z&O@T^JJQ?y#ocM!=5t?{`B|Pn;^X6mfI01*$c?Pln+2dEU}sPtl(?MR4d#0$UhQ)f zQtrq4G_TppL1gIX^!tW`QtF4%`;ma$?xu?trDb;VN~(EXvO_HB z1HfNhDldN^-y$&|Rn-jPq8F2rp~t%bXqn5W`>r4mz)dr8?_;*yM~=GqPdBEbVlg`b zj@+H(5CAFwD*3Wz!G1oSm>jZNpWKDu@R;kHqJI{%z=uKw|FHLHIn?N+zXJpE`-+MJ z;R54qBTuKkN&wR_2^2%ZcON@l`p7Yw2_En!3=^e8RVlZ4;a5HIi2j5FN-hI8(=cr= zp&hMU3TXmk!^EAmq6?=e?^ef{@j`81sO4~RbOs~+u%fl!n+wLT7c}d&v!zRxBj&L) ztC;e5B3{-*GW1Jm5*69m%j_^1aiqzw9@9KqsDjd10t)-+Lxr3W=iK1)r>nc*W$cDH z0N2U4vJL7q&5?-;4giKjI1!&F^)9;McZ>M(O-SQ+HB^oj)4y`$3U$#+V-1B*$({D zf|C%XG#Y;5XW=yW<7Ur>FYwAKHlRz!eezrB0wfk<@@BY@XRiPl-d<0(k_??PvRT>R zW*MQ%Z)q8!7A2`cKlkItG{Sev{0Ek;hSp6k*|TG)liSa@k>uwPhj4}%)UI5&bqcGP 
zr->}3Av;V6WGL!3_;yr?AX*7omDBm^HOa@5qFk+EnVB5dZVsCzellIo^|0q(vE}DqKiAUDoxggi+jwZ3x8O0@X4k&vv2>yE^P{TzL6)_T& z@UK8^_BSdcClq^7pT7rSJ83s>K$*$>UiA-zlnt}fB}{* zT3gqQ_Y#!-J91uddiN3{BbRQ|1ZF-jO8WP9^N$XqHgA0Mk|2wXa~C(p%@YXm&YeX8 z%2-IPf?eF-6W4ST;ERyO_k{{6wk{Ulh4OW{ODcXA0S5j1aRNvT=gU;ZLREoNKWv7PBO$>+HjdECuL9 z)=LHzoG6wkj~5Ix!6k-drWn-kS)P-NfC|<#II)90UJUs`BIqFGsuk$Mg=^`*xOR!k55}4cm{IlrVPju1r z3Y~eTF-Mn)5is-vaf)D5j?~IsD34BE%+S#K9joOxsP-B;CsIu0zV0A3WJvHU%mDQ_ zX*q(<@Q8>cxeo9m;fiCQR2fBGJTdb93rQoTD2RU1C5%29fYcO`8k!i0!u_KxrXdg} zVlZF%ETV>lRwgv232Z$*gSt;MH^LXP5_PBsmlssbO1V)tE}I~sCx?e<@c)z8P7^19 zSf@9hue#p=TPv~FUpA5#$66DA6`px_k#6RJzyGH>JV-xn$*Ks9_b)=V+1SEZ+5{+U zc6pFp3af>&8g>14$WPAxApdIph%q|=9dhgz+;G}oD;ziownXemt>R>Azh)c3pUx1c z5i08oi-qDT|3=!|u$_g95g@j!7Ea+NTZmDFNv2yccr8WjlrtU!;uB>(cm5!Pi%&B9 zuMyvR1wS?>(_A8@DcMb;w#St)P-nzt3h-Ywk)znabL{^qO}X6ZSX~5EXtvJm%t-{ISFx{O%A)gnd$vtp!n**^?rS4HEiY={ z_P#=W?3R`zeLGfmN^P32{<7{kdYK?+L|y9`ry9#)Wfo zj;)e4J$J*RDtOdhFXz3JR^E3qv|0B~?!~D(YNt8cGakOXJ1HMq_h&8WU1KreH<{CP zUVCV71`?T^`92{-P_HFZ(Y+id!OpBb#`KnF+%;_ZJy)6#S?OBA-o_`HwCmaZtKG-Z zia8q1u4fJqTl?1@`%snm&Y#pSv8cIRFL{H5e>Zs;FW~yruZlXiCqs`!8{p?`wLOQd zUjE%8a<&hgPd?{{^>SVuD$n3nw~(|5InuQH+N*4J4j&x*xN|n`i*7!ks8!_8%z@EhoxT7IPm=M8GIpu+Hyq5E+;dhBA+)ntWhP`YGi+BH0iVn_x=~9p zWs<4ysY!#@;npsRMM0&qz;h(1v0);tbi_g?H6w8<- zxPu1b&z{Jf*DK?X3%dNsb_VFhE>nUjPlWc>~PV5F$xNPFrS>XArt%hbpR%d6i+EXFQWxQ@2z z6pvPMQp#%B?=BhnowbZ(ZI0!wcc~~E)23J4sTKSo^*~9r;P29|AgPdR0sAGyVclBL z!hZo#xg!K3d$oL-m<-4^}H|Jt{ zjMO{*#QVUw^||eL{GBVs?@9?qnIKFHlZ5OAANk;*67Y*N+LVKoi2b)R`dNr|aj<{l zxziq;WS!x*YM(iZ-W|UyQM5ac`EfMQ@6%v4W)UfNMmUOU49I356~=rX3x4FGa;D~b zB{X)815*3a;ns6^a?nMQj@2rMbg1#4%0IAPD{_LIa?Y`}t%c_L=c-Y#C@VOHOQo3v zmKWEa`KXgaVVNpPxVWc3lpt8_;#@ov6& zVHl5#N(>aHhZ1u5^dy}r)Jf1DYP4a&SwET_)Be&63?X1BOH@LV6l38bCruWuER_Fb zju*=5j(?2F&m7T?QH% zY}}^zn_l>?RS>LFwrrQt1!{m`FH^SDM$I}=9{m_M5R#ozK&FrxDRfEes|d?u#DUO& zB4oEP9_tE_UMMf26BkfhbH?geIe>*xyHc^s6UX 
zY(Ja7K-6y8B{EEkhQ{d}+(1zTKI``w+w$aZOY_crkT0iHmdNys>H389EA%?6?yc&*LH||{ia|w_$i=XbJK{0Lmp{ltIc3N<&ryDJh+3aGya{~g;cl+J6+s^um$UJ-( z?`t9PE%qw0*K-0bcH|jrQ&#|em&?;zf4%d3^6T`#5U%a~esuMme#GJ8eYDqu-sg>< zwd-@jy})%04ZfR<=k|dubq$jmUiB=iphIJ zYlq@4crIM^FUQARa-``_&n%Yhb>qX=>SeAj?@Orl`bXu*HuJm2m#JV$pOQ$Wif`RE zrR$~djnBnb{w?*+o^RK!$)1X84d7pWZa}Y3K$`>b=1WicB?Nm6?7X!5b!VY9YjNx0 z6@T~RPGYU(X4}QPnSf5u@y66R4Ru5I3?cw@NL{oi>j%q0ol4zp!sX2U6RZB{$5u>dDT3U( zi1@EbME@1NvMLaVC$C5qbM@{xad{=cNmJWArLf@!Wm7CM@)iL5J$uJ z=d~bK$X$5i@Z7MP-K5z}?I5xRD}>FM<163BI4@t}^5TrT=J_+6&|%!oNC{TS%)ke4 z`8aaq(_^~b{1Gn?$dUp1a=j>=4LvMrvmgfQziisHeFT*{%*s+>W`ykJNhP`HDRjnv z1Rk1y&oK+lUY}8rt6Naw28Z4&ai;HWP$UHZkpNXx4@&y-5W%P@G=Tkk49Srhj%70- zZ=G{i_`^2Aj5v|n1%{hhSyHnjbt(-u${IB+W>2kLX~EFC#Bz=r=S3i_xoqh1vl*25 zrcFv^&mVC-6IquwCP=E&FPT_o@W8_*?(bowAx}I-KiBZHWVO5|A@ZPKT^bHqljs!_ zDO?Ge5+#@%5jXV_bh}b2QWLdJjHM1CJAd!QyKTBVAISmka-l60c8hoJ0fvGdIrUKS0vD-o(6YNH?#4UO;NVPof@8r9RJ6 zXTo0zW1VPiUzZp^s8no<7Gg4$w%-P>2AxuqXk9t*>ZE{if|UgN^1a!Sl^HES5sgf4 zt9e0OcR&IV@Paeh53cfNGh=IC%o0j5wm1ES66+(2Vx^@;bx9gepFQ?H3~U|V~#WwrwsoTg%_Zt zfLxH4h#XiI$KoimV#p^Fd)RkrX{Av2V|UqD>WpM-#rF!hsPK9lx#EiqJmzH&&F?J& zqFC_*|7{TLMMebj)UuG9{;^P=U=ru%%wXzlI-FpVYi%GEXDXu$i?eEnTik}?^q;l~ zm!eD;Y6nl=r!S30ph}+~kgwJ$-*D*>)Js?`bzJ6$+VjG_Wd4aFYF`frzOFX?I|G># z&k1K>>S?T~=rC|Xu7WRHVE$o(Mk@d+x%^DT0V7f$KaBIszCtm9A!=ciRLwAG1Y@y5 zEy{JYWni#7DfLox_;HLexJ~S!-61SxL~R#Vu`BW9+^^qAoCXQ3Y+0P%W7Gt^NFB*g zwR%Bt_8e7&O-z2eKAYla!nv6Yi)5;HK;#7KKS9oT+hfoVWFV$#I22Bg(X zVT<^Q2Q{X&VA&z*h5%uylxQY`b*LGBvy`ZeB63z1(+_8p?p92?43NVAQ{H>G2~Yyj z#enJVfDdf*+^5{m6&~9U-(DaAd6XQ2xKH|*FP$6zBR&o>KWOmDU%i*+_gUjd#?oJv zR`))i4Q!@gC%G6qO~8~@p3g~QmNuWa=$!7ey$xCUJyBC`(P{_7qx@8r9Pi?m%l7aO z^~1nj>jck3(aOuu!0x^&+H&Spc6$4DcwKGUmmPk~lvvo2${FtWxSQ^}E62?0&z7ez zM%$~;Q(TG7&&x{6myQdqjz!wm*~`ue(MtR+PS;3SRvy={1J&4GU3$%%Y$w;3d*WK2 zgL$j{K9Z?M6GB%~i%h)tohn7m@}X&b-ZtPY&&uptPOsbcN8QDTEOpc1btBFCLE1fB zWX|W>c5F}mdd;r-K^y0a{0s1UmZ7t^CatpOE3(aAFnR_2>PIyypWs{O9U{?Ysn@3c#ysw@+$qV^)1iSKscvjkncydOv2MByC}{I8HV~n+99FY)1txZ?e#~#JgS&Ry-@M 
zueUpwhk3oSw)I~(Y-6ga-v=Nnak`>EuSYU*y8Ay=0Y!EHMt6DB*-uy;8mmpb=dvEy znk)_8M&4g|Z@(vE+h_b&$8%qkbKc(g=h|1gzeTkS8|Dz*oQwtqs#+ozKsu@CNm zLEn#0Q4mzo{t^mS4&Vpybl~$9epX*CGY#^!4l-SC^%PXVm=88>jwTqh7kovJyDDZX z%OB&3KvUACfuB{LX%RVwtdvYc$srg)PwKaK=5|q<&$zN1S zXSngF2sI4&J|CAKn_hy|N*m=i=@CObyQYk|y(={PJ);jubBGCq*<)~@J~$g{wcJ(V z1lo({CQ-!=;&TN1XtZR_`iQPDb?~0aB1$)DV6#~|(n_v$AX{F~mDfPUh5X09tJL&k zvDs*(v|?xO>0s>w(uM%iegV`20>(pO{%kj!f+VtY;hsFy#Cih1pK(zeDL)O`ZK@@1 zx9Lk;>t!%1-H;P4aP-5k(3qta8R3-ws&sbAL?tp1XMoM;qq5~jIPq7L+Bn308ne=5IjQ2YNEISzo-OuQ&6>!g z6AaacO+vgwAR1$h>yb=1WMep+`Ei0%D;}Fp2D3B|%`dg7I)jL@KoU$daSTG!d6`Pq zpnK8+0zt#WC25q4y2VqHv~vWoK_!KB$Zfdw(s*$jwlXs7^|43lsk62pr!m$8=v6p6 zWvyujJ2<8vxc8M@x&U^|zTj&F)sZ7w$aG86(R}?ZkxxXaqJFKsQ={}+{80(LN=INlE}ch>qD9Q_1iJP-HBig~$?_zn zA8fy<+3o8MQL4vI_w5s$lLaIeAE-6uGO8Ql6)$lHXh~-@6u`+)i+uzk>P$a>j9?fANn< zxN1`6p=bCSQ0gmKVi>K*i6>#B@t^%X8qk=r$(L-`leKDec zt!ah@_8_6|X{1NJI-=Z*?RlcrG>FH+P*5S?M#QcQ+%^QTRoWN!?j?K=RW95Y0lMN-m8mx2~Z_^;ES9Frsw$6hOKx zw1F?Hnvqs|IB7^%Tc;l5@-eKrlb>25oy$d<~&?Dl+RLIIx4JEgjw`w;P!nqLaDpAp^SEU`4 z4lvH{O3BpE!8}g?f8}k~3L%2Q8?{$PXky;AbMR z?|anEqYEiGb&`VUH3708?hhaoexn(VcfB06UQ(k4RXpiGMsK$xACF{JZ?>bhe8+XI zx@}C?Lu=JhH@#8|;k~Td(f}}}?kC`z?#nZ0!#iM_EiSvjBWtLqrVVM!%ih*r3FG@Q zkOAyjfJNjR?dCtv(9d^3m+K(K34Nzpa5l}yTSAbM zTaWX2=L${e)zb_}FSZ*e&GSbg9&dsDez4>DKUb0qfPv zDWF{y-s_^LQ#Ye|h_sX2l@ng4YqJ(^qIUt1?=*&dEpP$2|M>XwC>#M<{W^>wbLlo{ z){7Qh6(7V`tqN`3WmbDTr;6pV2+p+mx)(o`TA8l&B@IguaD*|5~i`b9pXX5*P8vL z(h(Q~vT5I*%?wDAg@%}sdx}Kmj7H=X;Eb8@$R;`%&3_ViYDDu%mr`~A<|KkR@LvWC zI3p_=$1v_^??hBZp)zvs5*o7o8`) zoQpF$qE_6Qmqn9#p#GA2hAEa< zoKa2CgDG=0RH{0bN-t{+z+Mt1L9%EOvw=jG-$Dvh=-HC}m&J*(0V1&>PNFJ(=dbND zCEiXI0j+0`wHeE?5e65D3rYD(ESY$D$Y$|g{5(eXQ)zshhV9D50yM|u0au*x331XQ zNLhu08@X>n*w$(uw^&_2$*!-3L_bLkN_X7%c$zpy5r|;0FQZIqa*WtJ4PfN`&yq%# zgAc?U36n-ovx)q5&Y!q|VkmS>)SZ6j`svVK5~dzkn~29~BjSco+9Xb)8KqbZE>9_b zOh?Sr@t3UJ6x7H7^jl0-ny;%ED^pnt4w#G=+jGnsIw(*9!G#o56R$p`ZjZYp;>qpD zC{H=kBqbCcC|dg!b}VMOK_0}4-L(w9tj9oc6!s(f<>m$!Z*(&0(lT<+xCFoq&PZ 
zo-iz`!WPK2zu3>;$lYp2&?fcRsN7_bMFtQ;U62_}fh{8X7zL9Q8%4(_tXZz>v;LD^^ACNS~$J4F(%O2Wa! zQ$?dSY2pxe{o;vyTV--8P>#|~Z>&H>)S5S802pA}_xLIL`!rJjUC;lu@bC;RG51~G zYbSADO+U{5Wx=lE6bx*zV^YI%b|scajfrd?Ll75KlHKC`A>%K+bjl1+ZUsR*geH-6 z{0gJjEBv9Ck-ng4a*pRpGyo4f&6m?m4fk{ z7Gz5xlN7a9P&Re|P3$Zh=&r066e8?_u+%j*r)WJ+%UHt#`edbj=DO9P^aD$WQsKK?<{NNaNsp(4~qaiQj^ZzZtepmr|C;!LX^tWEyBJUAj z7Qi(rXEfRmV1KE1FoE9XWEC)kCJZ1LM+Xu}C-m(DZ`^ezb6=1YrFNVRK5E~Mhc~yj zalOvYdLK+Ry?LkX@bL{##n18{X4&k0pYjQ&V&VD9QR`>ja(Yt4Yrh|WQSk;8sefFx zV)y_IT5VVfdJ?;yT}Qvj9UmrhuN!Az=x+O3VsE-$Uaqz7dy4betC?lmjVGs7HF+0p zujW1M+Yh^s$Y#F5uA1D!RlE|;+wG1mmAg0G^lkSLu~yE@ov!#rQ$Cle@RN4AQq>BZcdwqN zuhB(V7d4r9-7TA=EyFKzyASxUP91HvO}lS;eZN+)6(e^)FRMihZ)N(A$)HASAHE1S zT&~5jdApZ%cq?l&p?Xz-@gI0(Rc%+oy|Y$t=iaMbcSAJ6ndmMB##gDMmxNR(x?HBY ziqWRI-ERZLE^FuV?Hr~b#Q54DS=hVYN3j>Q%`=rF{=V-!vo2l0HOUFh%bKp+z)+=w zIecFQjl*tPQuFqq54V<;Bui#qU1f8nyKdM=k zXM^Bl2|uOdX=IoeaM}=zw)1)|d98VNN0q}?5f3o|)00alTIp6!lY#!COVM?tXlx6qR=bpY3v9 z-@XymFpl>Qt9m@JwB+q>Z9aqT<#;SBj@3Bq6r}~;DmRwm3!DWm&js(_fYt(;0l>_! 
z(AUd%TgH!GZ^kR#+gvzg47~g5N+5{xN&u=h-?98m>NEb6;|uVOAta_kAvK*}abMC{SBhe(W4j~$P*eoasnTZ2Zu!uFqo?hHMV{tCs zCuHD{SYL&XOF}}r6$!r#Wzbq4S6-UbU_B?U3Yo{?nZHaSvBJ2DEdm;rK4*{eK*Qcj7xmgcX)?jG ztR`5qgsNgiX`ISrExFHRIln`snDCF4E5hL)j}PHih8e-}+;v1}a3HY5StG}Z9&7-UGX+}{`0(^+hO3H=d-W+6gtTww~M z31BrIaZH=Tg=0Vs7FT_GgiQ7zPOX*j!#wfOo%a>{TR4taltQ_Th=yTwcsPQKO~pDA ztYRovl;<&xs0Zm1UXXnb=kPnf(?IBVqBVNdsNWCc1oDu+2*T1ffgOnb{4~<_jLers zLK;RAvU!%dirllez@4xlNgstPbPbfmQ-#mC5kGkiX=iA}U*GY_Dk%ybD!1Si?6yyd zDta;;BICCiQdz-R+`Q-s3xeJHZhr-NZ3O5{w1>M1)gdR#BSc zkEw;2#KGVc$<+xnWmb=d%LdfS8!}Zwg^_5<8 zcofEvsM{ovOgh91Hj=2T*vDIsC-~2C2F*zd)aC~#$O*u73!0_!frI7?`sEv)9&&=E z`r3ec=@X>(O{>o`&Surea%(Q^SXx%AUbNmbwpvNSHc%%QPUOSeJ;h`tEASuAqZvT1 zK%ObPtsYJ>RS=VsbfCz3YLg$pN?wWNYhwsDiKUSFsHAdfp6>DeqQTh7L#DUuJ*T3G z!ZmZ&uaI>FS2_6zOH;rpNCC0#qLb&)mx&ow+Wd~{gQ>WLN`!|0&5;x=sy0-TiA8xf)!615X``lbLnk+x8#FC- zsDf*uY05=$DQ6|7;(4K66{`lgH}=gNRR)<7o_n%I1{KQVOlU}>x+uB{x1tKB!Sr0s zzn*Al(*p(SYD_SZCi?T#)bG5;kTM9m`~bm$TPwiLWL@k7zDw`N%iGHXKBy=LMs7OJ zn&}?z5brJiB~_mnSWx;J+c`U4guQV@@3}Xz#nlljf1Ve9qeDt$!!AjBOsn%C+l{d~q_> z?%R}-fa@4%>Rylez%#?t_vvZzdc2$G8=Zr%&T=aJ&RI6)Ck9D; z3Z5za?zLrFZFJiDe&XqOk4|lu1#wmGhN}=s*NIN)+OD_eua}Hm%?ht}Hs9s1S)XhF zr|0dLw@e+*!_}{cSis1BDQ}ABTWjmh` zOpi@I*17*MySaJNS*HYU*punpOMf&Sw3~`qyuspWdS@!Tb~SrI_U`JYBDfB;a69ub zxF%1obbAe_HewU3b~%oLweq;EP2PAJRwAcbX|Nu)0A#M;usm+h4k_Waoox~U&o8x; zv2eYfjitVyd*2bnfY0Y(>|C7BoVQv-bTA$6SvLFoAr-0|zyri68NS^>d}j6|*m)3c z?eAb$W+dVM}i8ITn`6Nz{ky`(kN0E+5m0NxCp z`=E~GIcDr6vBuv)S0(DXOkmwyNue;^q}=wk4~_p@>GKb|9OG5nYT zkZx<>S4uI>M+TWI{`&Nq7Yq7$SFSiz*2V{1`-kn}1tq9sQ}e|I+2E2;{VEp{=+5O$ zp+*a!j0?yyhXo5ppk{2!h8Lj6bIbm58AR;qqYQa$Z7RtITIX83TpdLB3P4S=7?_649ZfSBSWsjx4WRO*qBCNDmBN{|ot3o|8%sW5r}nVxE8MqNTB9VEt)tTEJ}>`%3FL5(!( zQ&T05^vkrQi`~v5oJdr#8@-O?$MdF3W}z_aPt7C!WDGx(9$ZnC%&I%ka(#|0+^7rx zisr~G`)!5$WH+U;M4c9MOU6oRh$Jhd2;_O2$B@AoxMKpw^0nk4$k*S?D-0Ys80rlO zqKeKONMz~^6VLJd-WF{{xO7FPAdu`M{VFL412~Kg1q#@eCt#(I!mqKn{s8P(R~nV7 z<%i()$34+c)Ay$XUYO?X&*=XkpShq#Ez?9~b9#t%T5PJJ5}3|qoW=ZcvzpQ7!_FwP 
zr9yCvuLR}n6s5}3Qbbi1@69D*&~3R_s1gNxbN_zsWpfD(Casmc?<~oOQj~AVvsPB#@(JPkMRyS_Ql4QCldfe*OxOQIQ({Kg z#D%bUllP|@vj&UjRLB}P?hsnI8cGb8tAwsgP%H$Ai{$Joes*l>OG36R+7uzb_s=|o z#o~8WYLHNe&ffSNDlwr`6td`_7~P!{)1t8$k+%rDpPCXtx@#3HLg8<1PU&OOYsr8*fj-17B1Ub+`NZKP%8NudL4UCT|e+T3J zeABU2LlbqcBx5+x8AjJvo`LB`QaRwR$`KH-(lg#Tswoq&8@_9j(a1=55Wqc70E^Av>gKuFHwYqP0Ep^&2&L2M(02AXEBE_9GmW_ri0H!QL}JgmVTYgX4OHwF(H`4(LNh z&7p!xYZBvDfo&l(BZ6afgNjoXnj%SsRrSzlp+X}OtXD^J!af|vLL)POW11=2!<0de z`V?cNJ3#PvKh!UyrYLzD8uQ@fjgNb=3NsRW`0A06n|A?$0nQ@3PgKUm?yqx_$x5BJs}QoQqpi;geDqD?$>M3j+1Eyoy-Z14&&R;$3fF9pm+Z=!b^GRGbnnv- z-p+lFE#0e%#S?;)T&FSUNuGwQV@(mUg37q2btx9`cE_O4hv zT@~N^mB_Z&_!dm2S8uSAruXB^I(hSY>Jx>yf1E1&Y5D`-?dZGjvheH$@5Vp2-Z{tY z02V@7TyNa%LUVh*uK#Xy_IjRuxSgL$4tX8Vu7a~h-B{3Yx*we5CgILzi3a*|dtB@9 z{|c>#&$SIdA6(77D}+@Py=v_5zj?-^nNbI(aW6qYOVTl-kzIp8}lV6Vr!Eegj4u=n=|*Jml^Ldk9OqOYJ452~b%1y|gdJ6CqX3%%UOHDDYE{{YRu_qOsMQ8S>o}rda!O zQHUJ_W~t<2hxHjrdi_HapOY6)*nke9{Huh=1e&s3!?MiqKYxC7o0B)d9X{=bksYRx9qC zO%~HIpz*|cV8M-wVbSNu^|plXF~Cc*8FUcpuJjuz5I0{r_hk+~~Y!?iQypl7H9n&vU)^}hI`wa?f8G!3` zuGzx(=Li{HFqo?~VaZUc$MVtv~ zRl#;ro(mR|0n73uU-|2phN#pMjOjUCeFp-b)XELaoCk)FbZ4+^9wSt-(MlvgG=i;| z#)rz+Ox%)+B#@O$=HxAgf|)yoP{%ZI2R*@pgP5K3#NS5B3QQFRkTIXhpp@t@{5Y@* zU_r8&AV+=;iq|UF#7Z~l`QoKg zs1(My)boW1?kQ+o3D!_#bcX)Sm9gserd>5NY4CU;nBi>D&&$)-Wah8--iu2c zl&3CplnCd1QIM*lyT1xaWXP-eU*l7k_13lQnC4a+P!5VU?9v$aEibdw7wN{_ja8;8 zPg4y!Ks`abfOm=e-2eKi!FNCH?7ORe}6JAVx*^^0Sy3- zcknMe%@6CU~8sdBT!&;b?C zlZ4k$qvv1WOSDw&ZLa5RDj$~=>-2wj@GGEho

j}4ofk|#fh8>vo-gQcV)t|Yxi5Bc)f24e_4CpyGa0*cQcrw zJ`b<$l2#(#K+e%_pJ~{e-@6@_^}OaUJTC?axi0_IEqUwTS`x8a+udhiC;3`wUuKXY zwjZbbL$4g?8JoAso=|;Zty6X{gKo5qKR=^+dA;X57dwH)pQgpGH(WOXiM3nS*Oaz0 zm9%iW8WvPfJK8neuldTgn)EQ&y_>qjt;5Ncv52YO7jelk9*1s`?e)O(n_l3kv*THE ziEH*TPs;=r?$yAFt4_&AnpNFmgyXLJ;pz!ftJi*jD~kp0?%%D}7ud;Nrzcq*orrJ1 ziuvp9Nat7H^C_*0`^&wdkIT~ze7F5}y*&f4_tX2@+q$sWRmXYK(^Yf_-B#U@o2(+P zmt45@2CyfYZ18-(L3^BCZxh>=%AIm-+b!>Yp5v|hvtrVk^<;g1lJ>dr!MAOdIW@a( z@$Xln?dD7LYnw91YR=1Cv)N0iWQ|NU{mUn7%GyZ#+jh39=Ae%O`IWE4=SK6jCTnen z%(6aSyYW}yaZki)g4RDq|!B!ou4rTl}|v|=PT4yu-vTjtZ6t$4t-Bc@tD zHxUt>)mMqkHHRWoz!1$-qae_y;vJ4^HF|M|s9m?bLw<=#(pObKgnqyq+$4oiB+f@- zkR&juUzW^PBF$eelKs0QFr2eUgBWFr*~4JJJRPcPQyt%YHA1Ia{NCNK+}M$^18&1sA2JCyv)VMm{>b*4bM%Mx{C5S$fMFIlEsYrJZP zT747p?2Ku5AkcyCO7w50>3v~>*b5&|RXP}1YA&U=J7_zBX5P6Balba6-LF+_3<_M^ z@4=I*aBRYFBrh5J>`Zm;wUG#|1j{orTR1qo-WJAuYJx=koffZ?$zRdH`J?R+fP&dcVHM1Gv;zRwb_Y3 z*OD@lT(vk|iP!(YO(&Lb#h(4R(5^&+kixMg`Zrpb{>CD^dGJ@iBhe3;Ht4UH# zK5xo@4blNe)TbhH(PW=C!`B+)an+0_tMU=Bn`I-$6W4l(0&`7fO=)a;ZgjB&Ncfq4 z^rR^C%2Fh_Lj4S|UPA|8D#R#h6K)f0-8IMP2!ZLh^L9)l+yz>ego0Je5k@sa#fvx) zZtT`-RHW%pqN>8Wmyr}Lxe}Ku%#suW?Z2gQFo>7ybDM_706K{ z_-wgsnu{jJ47-5VU#-0dyg;n4R#KiuRZ}yX?M$cXx`^?gx{2rM)Js@%$~lJ+!Yf%0 zhWY=CsdEa>tm~q6I(9mC(n&hDZM$Pz9ou+g+qP{x9ox2T<30K6)T#g6tc!iWYpgNX zn9sOEjamquYmkj1(7-DyYh&7~Y_5m`XY&hIriK$+nnELI7>yk2TIP=+T@sJgyvcC&lrrmQos7YDrzT*6zYGp-x8v97ne3Ej=Gm zsd}@wSfq-_Z&8eA%7m7JP{Rke`5(*=R#bu$IVvzL)`r;?wJ31wT#d#g^a|p>eodd> zNTFzPW)6(RYYwcu{t?LPr_bRk?IeCIT6CiV2BybCVw&Cu$r)f$IBztS`Q|ex_7s7# z7Yd%*%Ah%9+RJLr1~}!k*2)a(q$v>iiA`Y;t}@@XthNlQSnwK{V^jbCY&bng6xj0Z zQs2H^s_8qw7v+=v*S+Hz;`8?)7%Mm*290E7x)*Q)_#O|d`2r^*gLAP#3xJDnwkfE_ zo;P?;X0}Q()G7oG6@+6diS%ZMnNKp4Z<8$nZ#PZTM{t{d#T}x8_0E zSfF3hD-o8ttT+ z_AhS9`gmJ5+OKiu3sSZ$J~!vct@kQjdl6E2yn%I10oC1ilLMPYeXhE6nFC!9H?Cwu zFd1ex>6li8MTwq1jgx!gl~R|0)3U9eM4%O?Ss88g&l>Ni<{s#%EW&M{alK2I?6-|I zc^f?5ract?ui}T9yzcr7DqPkl)g?m6ByYHy;_j|D$r3bGzB765?w5c9fX`;<^^_La z%j&5mXvfDvYeoy;;X7sBW$XjNW%`*km1q$Vbfn8lZJh_%O?P%7Ri{bG4quf71K-giv(Z@%&8#( 
z5*bhSMyyRBv=`IU0P8S=frX!S8|+g1(0JgCn)IQ*dV*ToYri{xA}Yx)>AS-@@5&G- zEaru#ux=ZM_q9q7>+86Vom%ykJIy#vpDa~q;DJH;ZozpqO@PCXQwtF-mfI0%R21rv zRymKzte-dzWyR{;z4$)DUPQ-$%vT^xYn4oE*dYj8IH$ADZt;+upabT2;s?qtr6Nhf^7{ zjZ22nv9Hw5o|;gqA+@}4auC>ol;x?iVKX{$9s0l4 zQWRG_`u9B{cQ7dur^T8xu|Xy4_g^X^UXEVW@)HbDE(z@AvZLV%;2Drzh)5H!3{kc(x(kvsjnZH17 z!HO%~K_uz4pb8^}3Y(?16E=6JuWm}U>+5GY>rCwzM;~?D812T47*yC#6Q3k7VPM?E z!6s3vY1Q|c<_N)N*he%E3Wk&w4k^p)yurxJv{NO+Dao4GDRC;$k?;grO;iHu&vCl2 zr^+(6Ht^7+37k}@IzV;o0@|PU)zE%7DO?@_ZwcMMMfIS+c4B@%IRaXse5-nybvQoU z;b(>_I?8Zz#v^|8$y#(wNxTCybRWj$E?DwdVCd1kjAA5O{=j~M95%SfB8xQW_TQJz z6~c#dJ9_?p_pRATzAf8vH27!O3H31!2&=KExvKb!(h`Rsq+vCI)c~U!iyv7wikIld zBhYie^*3999U0MuKCe^oz;dBI{2X1+LU~$pA#^W_NEU;&`%Ksc(G?e^(s+K!CT7-k{pgI z3WCUIHstGZvx0S$0~$#VGav|Wkp*&G4py=r?gR7>1=@zjSih770%<*S*CGr!EN+Ai zA}P=m!*5cphMKszeCCKyzF+kEx&?S;8UHEpMi=Y-S zL6!0Rh9jXbnaYHi7j>H`p-Q-DwP`GtLJbr%Asx$eviRTB*OYOZ=IC{r0h~M)zzr1K z0UYpyOHO{nHQ@uE)juHJVg{!^ae-}+9G4;gSyyBZseA@OpX4w83I1dL5Wp#v0PSDh ze+&$DF!eZ{V?G)OPLL z4JTR8+4pmfJ%bjmEj6o$&z@Vi>)sPR%FkSuEe%26(W{TsruTQIEKEe)088D*Lz@Zv z#d*0*N9p?)xaYNJ^34pk4V#!E!0UZV%NT)hbynM+tmXWND1hTJk5!)MZ0~;5`^3)3 zD{csBspsLT|8==oRSQDvb&=4_=V_(b_M&HYZn`I@-TfXaMiOwI`q>QZ>nyS5Fc!ag z+TLn8F!-{crhDw~BftKrO1bycYn_`)p|jteNxS>=8{k*L_lbSL=+xYOjPgosNVB1Xw=*=YeG1m3|8U<+654HfC}K4y@2e~!gGyNPrK z_Kf&^yXPd?O4gLPmL1pNUb`KRw^V&pz02!< z1WoD%)TFzb*OUrb!Y!!=l>t_&5Vww8h1INTn{1u! zC|w;lL$h=ikX4E!WrMgl4-v#XAE{I=&+Of63;8?2TCV=ET);6)GPw<}HYU*rC-loD_iC_cof5KME1}e* z3GrV4Wc*sjMHo~qD|YHY^}j^>`HN@E_W5aGH~NL9_DJXJa#E6x`YmiMe>hSWUXE6h ziRH=?S&5eO^f9RIRp!7{w8OO~Vp8R!Y82HAblJkPxrZXy7EqZ!koz!#0hJWUy7PK^*V9aLNe8BBQf zLS++{(*b*VeJ*(xvcf@Cf2n4=GFaqLf<3srK_$X_J_3tKJe!0OERn{>5_Vw43i8?1 zMr$ABafVKNyrhNZ?0Cfw?Q;$op1=O(re=3h2E`PJorwCkyj{PI-65l?3y#pP&mkC? 
zBI)DV12O;lAO!R{*7@N!^T`_C^HbZt`~V7e`+V0zHD~nP=6qKlCtTl{DjjL2&Vean zAPuo@TX@)%{d!MwSv%bc9gezHEld8jec8Xf zQn5DT;U6R-4xQqC8=g3g>R4iO-VF3UubE*7cRvDBxuD8dD5y8*@pOWg1LOhTPF}crmA;hD8o-^Y}#-q~+i< z3N6_6#@^a*rNEd*{p&B5&z6`fxg8RbgsPuJ*ZCwIU~(!Af->cQ*~$gcyN+*)in-`w z>dQ5g!qe=_hTYN%HB(mcU|oJp5~hoISfH=c3_@g9FO2`R?PsBgti#);O{Q=vY?E5N z2!+%=$FZV?q;rUz)lTP$lID z8lZ@Y5pL3Qs_{802lO?K9Q zAd!ifX0gd`n4N)kpJu3%Umpl6^1AgeDxQ%W=chA)u?J0vh<%DtTq?nY>fQu#x`qgI z#9ve7Nt*n$CVCs_ub!>1BHcdqXj| zIr}}zUjBQ(17;Z{85v-0{VNdwKw+=DOZg*yV8bU;cmc;F<441M3ZEBfF;;j!vPA+w z${mqL*RJeq+2|W#`bOcloGz`~@UH;svSpXlF~{pyyG;%=GdoX*(`z0Wy_U4olAC^>LH{m&5ncESziRb31NE`1;zR)`aB#KwzAu1AO=*s>yo4dq;I> z7)08%>N#}xe9lVNv)Vq~>ONhewauV&-04JYdE|LvC(pj=u>HC!E6N#Y*1WIW!1!oc zYTL`w>U4Gm><#YsbUnfGJF0d#g-j-MxeTh&xuwHW>`#eGy>B_aYIM}Bf9*mbe@MS~ za)yBOua&QdWb>?a9`1U|^VVz)VQd~07U;fSU8xb&U0ayZHLP#O0ORYIHm@~YiY5h~ zhQ7XoKOX}m4+v??dhVW8UGnTMYjo#w;uD5?#fQNtc;+(;~v`L@viTW}oLNST&uy9h4znvqpf&1E-k_qKEgu1*~P~^VgDV zXY=mjS(kW@U3T44g)71vp!2M?Ld_kRCpp{YDE*n_=)=iVGpGlx8~1*z*%2Qjm#w{L zwi8v;d7EM6;%+(ZTF!0jbc}IFDgU|KtH&-g zn6UCrHp3UX?UR<2<86GilDuABw@?nq>X^dEyzV@F4dHw0M@~MWa~*x6_j=DlJp$}L z0{wu%?Lqz=X&{21*(Wf?07zpfhryG{mk2cb#}m|kn!V!#3*7CAM|O-`h8d-mglk}c%GQOG*gW$N{A&5WmWL`{*87-EqJG4o(%i!f<3HNa0ju#ZENqPyr%+nTenuraZyjQ5Ez5Y-e z^iJ3p)RXO^)ELz#OPSIM@-U;F4;V#?BHri=ma@eUlUu8fws zKev&7&zC`5JG$%!OsJLk$xFebIiZ_Jx*Xs|FL;6oy&dW{A8=WlD%PKOCu0?5^Aoj0 zACFM1uz1#P;RacZT9r5&@AQvStXFUqVT?WUv`POkNH5c@t}YoDg;NdDpBj;k;@OTi zP{R|A)tyuXtAdbYp+t2S*}Q!BpeEv$^iEf9&yE4HAJP}qjCzRw=hv(l6KK&PRw}}I zqD}?*1XD6$Fp-M^T|g106&0Lhh~rg634NJ&o#G5a8|Cf)5LiBm-KUO&gN%6M)27;hzl~Ypp+G>n#c-k~NRfm; zYSfApy=YM+2U({_5B=)VrX{AB6)XQpCag>nl9UbV26rS+Iry}n22)g&h(yQ-{6#F+ zpc$?goB1*P0m1&t0EnZq$H+aDCRG>t8;Xh^KsA88EC{tJ;+MuqXEq_1gZ(HbN?h^n zHt~Ns4^C#R+PB1^N|CBit_U!z<#nLbAh*AMfm=rJ!bFhEgyH`37zl*buj2{jl2Si) zb;3fu3qKap{=QfVCCeaKpc4py_CuJ^Z_Di(H4VCOwU?qd-2P_q3`<(Xo=XXi!fLSM zIgMPb-YatS$lJIW46v%Y@cj96LGiH;!hBPKdT=nITPo?niuIaWf=ouglaDeY$%?eh zf?|Ghz7iE&PLFCWsyS|v+J_o+!<-SS#AAzLpd9C#Gnpe=ny9FPfC}x*!E~h89`4Lh 
zr7`=q?%!>zh33U~A-0jQLxl-gdx3wI7^MqX$B%f8ymQrm^ncz-==AyR@2@wgjY_B% zDxcOvM#WnKy{X>6e=L~MpiK)tL;jQg*43|CUrZ96lVEd#n-18G#A1#iC-PV2I7JE6 zbNc}Zfz^*j<5$j`NA2#y$TC~p>kMN$G9=4`>MAyhs|wW9LM_tUBV2_#N4JA0ql^0$Im zVnULkE^Pg2DKmZ_Zvn}}oF5^DOqxo&p>^(&lcI!dSLj$VsDO+cvr4Lf*hUf;-Rx9( z?QiC|!$febg%gSMpr3H7*qF+}G9@z(>qb?jtzOj<K~zXRt>E9?rgL$u)d zBANE(9q)Q4E|$o=6DH6j5!bEOU}F+&DmX1x+WKQFqVK#%rPW61f}7Mmh2|p@Az4vu zro5)^>_eaw1u0MVvoGLalzw#e|xu*s*BFIh1D4 z+fF5NW||=uLi7IqJcafz6=Y3F4!6&;7(+*X!rCM%6_}4h<_>K5^jD~fBa*mNOeRbS zVp=~o2Au?xP%lD>#JEjorC>k9P(NF?JjKCsUVmF45-9qKJ~!F_E9EeJfSB82Cs(5? zw_H2{UMZ6Ems&_kD7N}0vN&2Q-q;H&jwBOABfm|vg%q27vsYrNQ&i-bbWtS94BCDl zxGIi7C=VT)UpoVhW3u9bxK2Z_`J{429v3WsYLQ&Sf_XC6q+*H28H;q*7t*T##j9G~ zS4e6V@Ky2R`-&r<^(b|;tp^k)fsfwfh@AU|B!&b6^S=9kVHbciSaJg#QVci8H9$_R zTD|OjUAx1wdkh`-QqAkDh5=LhYWIgF_Knt~(>yLfhiA>YP1RTtcQL!WhYbCToqxPeGm_*(tYa*uu z{eEDM*OiBEqy0(gcp7k)DvCJ4{=EID#SL)G$hZUW+>|ZUTzQ+^e*zqKD=@FzZ@2El zZM&QID=Z0}4>06gA1C#A6TLj`^4y115=iAVKQ|8ZN!a}5+ODF>ZC8(~E~77}^}J+i z-j9q6aw_W`E?40eqSQ9@$0w#8w%hfcMs9JlUo)aG^1sZ+74GKAmvDLC@8r+dw?8d! zYf{?J?M8guWcc01Qs+jb~A2wgodMnlmB%hy`x+zC(* zmeXy|ahn961DU*ZI;IUdy6yd*QMiDf`D}5?FNEh*&u}C_1^e?J{uSCZaLcA8yZ#va z8}{OLQQcL;bG9C_EpnMG&bHz-tCOv+r$5E1v+6IGcg+i8UT{q5xGwE=R6eYgjkSAT zHz+l|MA1&@Wxq`ro)+=_-+@BLc~4x!$MN@UUkMmsa=TVCSgp7DM)(~#3p?-# zD?H6<0wTdm@Rv;SNu_*KKNJ!S z+H5EUm{!Ig&n*Zd1eNa|P;z9IS56VIJ5R?BU5ZQv{nsiNWd2Pbcg9j^S}R<<^oHJ6 zrWq}A`Hi)x51T(SDPhUB#^yNP$W%chppnja{#hFiwfQkgx=)6UVZ?T7xBE{4J$F9Z zyFmVtwFbY@(q5)@v^1+~VR8jwy>KUqRo8`VQPp*hKssT?-%h4zGi*796KY%y)_1ml zETB&Hk{CxR&w*xT>Kv4s{i9a-FOH#@z-@Cnt6|M@gu2qcrEunhcWYvk6xxW1J_uXa zZt6w4mk)!DBHnl*7Hv-QFRtbx^fpjRR+596#<18V$R&1%fb`jlqx+^{KL<@=YLEiC zY@p$H7R~ThNY!SK(^h6KsCAz2Efb?dN+ug{^g2G6aO4;B_`nl;)4>$AXy^cDV0N+Xekek=cn$JquT_6bF8RhN@#S`6Sy=?gx)IQ*2}Pzurk;x#c0bqKK0F8+KeeC~fce zqD7$i?Y_$jKWZWh8)0LFMsbNh4r-!K+|*6BDyoM)c!g();VfQZitE(RRa<pzZ2jzSc1C=O9A<09DSCXZsGv?NMG+SARwWnnCrCDmDx;kuGg88#}G3z%SIi~TG` zr@+s=Rtn8Bb}EWu! 
zgx{9E^jG=ByoF81T%?M7u5v=1)yv9%Ey-ME(YRv~LO_7K*+rPeUq7H`8yEkP<57S$!`Po#BPKim#?}x6(|YpqQn4LAEQ1u z;T=BP9?xokzqZaRO}6-&+_&kR{A*9R+g>Ld3Akpo4qA)bM&IN;_N$Nk2KvtCo&$sf z>1!HzU|b6S?ps6iPj>wpZ>w;h9C_;v!23%V`|5q$?ixMLaQ-wcFqU&;e+mxxa2yid zbrQE9(A=@i$gTK6DX!D@QvXcoab@38&GY+M|4xg|V%*Y(OHq3+Qu31YV6>>cLhs|)+%NasDfj>BzLM~8LWyv6!7 z@QQ8N`V$RsY4N-%L+H-`6dAV5jqmc1{mfx)99Liq=!hMr?_TgzBS%!f$F=0ewthcn zy&}+dpRYa?_TR+hJWA0j+aAygp>6LQSl0Eq@}#eR_nw14;dObTvV!% zXv+S1^KaL=Mr%BG3UQgNAD;{R)3CrK25(Gy?e`q^jqs4)Xm9nzzl*A$`5jrvAEe98cWi{0~AZ3@+DCB}A z-ow(U(>I%uF$yuyE0SM4-1_&L`6;jdc`Hip&#k-QNcO{AH|Z_;njjSMnxwvdAr zlK4}o)%Qjuv-G#=#Ika^_nZ^w$*m#l8am4z=qF*&&u2vZeHxg}R^`8qL+#&}bnZl!;lQo!u6brA z)o!ZcKs=wNURvzvQXMB&Dya1*6=&(M;6U^DM%$!lCM9jEVCJ35Uwt+yb5z+p=i+&X zHOPc(SQinraGkQbTB`}eB$#+d@yu1yAoJ`QKReKN`zU5`)!PWjB0*~>ZT6nnFWjbF z$iEvO+?djif5kHn`Sr}c8W_H1`DMEQq~|alRRoTsXC20mY|+{9cjPYBexaxz+WPK< zDuac5N18;!8*2xK8Dm4XBz$}HQ@TFbg{=6@M6#dkVfR&|Uv4pbr(8=iv@upLg^Zwi zqrZh4nK9^ELSCaN%V56pNq{2X$cw%+xGWV(e@s6M@e2+7Z#?EfApg@9n1w^V6;_WE zyl6U_;3+YDtg#}Qpa3&vg0U1?nhb=WG1;h0e3~R#TB4vjax$^3$WP=SNyJ?+64#i4ts$JVl7k5wuU z`-WhK@^X91r9U&e!IBTB@QHV6f=Eu(DU~bLa>L@dE{~u;zSXS*OkoA=vfKcqg3vO8g^n%dtK~#h*sJrYGvyA7 zMJ95rj)AIzzsCaI3ioI-sO`#0ldYtm>oh_!xX`0-72I}$P4Ov43&o4E8yFq=IDoWN z^D`l@F;9NLkIP`(aS`|r%O1j4;bWul9E5&FKypp8SsF4i#wzg-3NXgH;#W=S^MJ*4 ztpW=Xjqx?(If%Ah76wOn-f;sG>(p~}QCnz4DaZRl+9m@|npB@S(8gS5G>?IiQ2)N) zja;Q0v`nNG%86N(nkw4)f#Ypf1sO)#^??+*bCPTOQfoutkV{@7;BJgbnhvwL?i75M z{sx1{<+^1Ir`UM9n06YI4G7Iltl!zag?~Sz{_s}yw=D^v<56*={OH_F#V*LEp5#GL z8tPOebapQbUn?p`Ud0>nZ}SM+=N!2nQVn0h$HS<2M1e2Q%qC1@V?gcW2$*Rsq-d(M z7z$geoRgTrDlw02AycR#7Ni@rEdPCvRx(3dyeMQErESS{@?N_H%AlRK>2yzT1ss8H9R&2gVW(0_uU2fUif8R{1S}1o#k4 zrpPbj(N8l%{rz`cKF_v}mKAE(gQ7E6$Mtt~CAXbL2#4D-T(tnC&pTUwz*%%63)!~H ziSzsv3_yK(|FQ=&Bo3@ohcpJ^=GXmN9ygiK{+<> zt>O@mNqU{T;Ze)=>+!EQ3mNabpe<)|LKa_OYUSJKkScdIV4ZI2j-TWGZRf^hSEp?8 z8mH3>7{=#t=F>B*wz^N<(b+vUb^WWT;Mv=J7YQlpBmfGRCK%{-nfsiB>wUZ9DK5@- 
zAx8-`wZ0Tn>bwe?xa-9?qtU*cA&>T4LDXGS;`|6YoXepF%prtCKdmLZ+c=wNyZPo(p2R5&+4P-IIlO>yWfY-_152GGY$y(9-*6FM=y6= zM;~fB2;Rn)xDVu|bzAMHA$q!aIChE7GrKn5t5@s>UG56tQrwLkMnw5bs<|JuS^~$d zpJBV+y`glblUq8j$eB-DN%4Vz93a05P!K2!%y9<-MGRp+%tn&nOwJmP`QtUGr7XCU zv5pI#fTN%$@7u5P*WaJzm{P#W_5nT$K?XCR{5?JoINkN1eEIf1Fd69 zXw5*;nT)ia8C2~=1;=*(s0&9H#<%MTXW^9cAU1H~rYF7)@F>d1`-=}D|C!E5PtEc~ zO{E~ncOu3WE#OVTY!dr*eI(9!S!%3Wok&St_gk0Z_E58JTRi<%xpLtT`46KUrYf6$+>ZD)oX%!7qh6lf|)zpNZDz^TQ;FK3QTS^py)1fBwv^TOL<_ z+X1ofz_+ZNzf4nV9wS<y$ANa;R09wDW3GAUbjTlZPJM(4;??Al?fSToKeh zU)<$Ex_9<#f&LjK;4Y!KaM~iMp1&M3@L$s#Nx{Gb$LfqJnG^zZ0pha7eiroK=ZJ&h zd&0V~Gm_9KG;}ycn=3uD5l;R)Uq4&r z4ALl+=BJuNx-mkwX&7wXT;7GZevGSR|BKn1xz#q`8wQq58OnsZ=*8ZKrGVv-_ z&W|=2*@G&>@TD86g_hlD(?ytm>=<%;)x*%XIAg7_T((sUmCUftC=}~Jm-2*2{NpcG zxF6sKiR!D2c`I;jR>anOVk0CML^aBUoIpnJv@d5+#15 zNHy}|(ngA@D^`FP8e&ca|G6<)}X)N>LTPES*ru*cm{z^zNU9e zeANvCo8_QkVg@mYPLWYYR(h_wQ{i4Aq6&lmjcJm$flQm*CRT*0nIf({xHN@&eE)$~ zH)6l3efiOy7(&7K)>xDu%USZ^71S4M;^}S3tNc0tXGq$3{{aW&iM?9sA4dgHg@DU2WCl@Sx}hY(hW)3&;mtH3>nd}iP)H{1YTV``PYm~ zT4kldyqbx9s=U~bN`P`hp|J#Re>ck4hebm+rCkzU0}U=rl9 z^fbaG2-%ekiNPrm+K?;dNjpG1=7Rn+ooxKon8ZAi+yzvsHtQ6<9Y*b6fDMUDy)vbN zrmS@RM10>;!=H3!4k$wnI*UD%Iv#oc`v>O#9fZIZUj;l3s?TpVnwFe0#|xQ|dOysJ_cja7lVrZA%fjIX8otbQ*TYrfXZ< z8+&^V{yNcmkJ;y1^1qtKeVm?k+4;Nry2fogit??{vblJS9lZc|??{{1oZDUd*>yKl zH_E3eF`qXl@41-lUKfL46#!mErS95S=4ZWIpWUAylB--4Z?`IKS_{K7)0eDUwA!zq z-cJ_O1Y9>(H(O9_-nY>eDN&EidhK)Shh8_qhVS_wVjZ8gH5blX^eye|u469pKKpU! 
z-QDMGS~}=mZbt*dSCL-3Rp0B`x*sJSbig-=Q%}#U9_;$7`wc&G>KOXxVS2pRE_xc{ zY)+4PlP3*$Ao9XE{p9O=p{Lh#;v*Z+d2E&{;KTb!J|gfjnfE<(HM-^toBGPh_~Aqj zsmpt(&GMpUa4ARcGgh|Slksknq*=Rmo^>I+qIA@@dhK#|%08p}PNvEW$hWQg+AX}D zRdstHR^#(nyQ9Bn&%4eo~e7H+J3za7N`B#tRXm+xZSDp2DI!cv~+E7U$kxv0lbg6 zOK3X|*S6JLVL$(kz2e*I)?T~YssJ7*m|SfDdbNJtQ}1fPqq*%)w`H|2ukB#7>rJkc z^HEA%T~~qAn@@UAyK(DY(czb@8ZVP3;pNU9+}EgbsB3q%b-m*sHCfXXAHwUGhadHyA zxCoIFU_@`O{3{f>Iw(#hRgZ@HE>cyU4{`3)-cJ%L35ehsiqG4+DAg6E^K~ab$V*kE zSY#ad zLb_7f(@KtK08&GfMY3sds&SX+@8LUfa zWS@RR;L6I>c|`Bc;*j0k3Gx*V z<{TTlb;qGWS5!wVr;7R$l}kATW}WY7=yHI@kF%K0Be^EuRfnN#OL6n-f_kU_*>0 z!NzAj1KyuIlC@WN(3z`-+E;?=;vr}8s9iuOQQBD0 zOVU)?DLnsZA|$rKR70gO|D=eGGS`W@)sSueH>Zx(uiLS(XlX+A4>t{-_j?5^7)J~F z1eS;n1%tFUj)O%8Wd4?n!uflluvsUBaI*dfHnR+tNv?#&VrDvfke5MnuK#?*pat7s zE-Fz5ZAc?gwqgVjF|#U>{tTo1bU1D{rNg-k5az;>v+0W;Vsd2h&_%q9d3%x_a{jLr zkUH^C?UUNxY(*3TtQ!7`msl0>aGcg`E*oqMcm2Ii5gOe36#>l)sO%?ZDojQt=vS0gfl)H-ry8uSmD2??~{wzr$mH z`lEg;@306n-^bGxl$Ujf&h>?j>yf<8=G9S9N9D((&E0rS%>%3PCkbrDji;X13fwqN zr^p7)CE?A8>G5^LGOl1Qk1qe;0A9BBN93>Zm`cDwLCjYBR07i1%^{}RHowNa<|)}{ zT}TaZ6&Eh1b3dqwkTdKh{59a(`mvz`(evUGpJ4qY9W&dC=Vb|F(gd-M<+a#x$b)}{ zSLeRGMhCD}{m{bRy;mJ#sYT~;8OM#dLueC}mU7K`7X;Y0@*)IpH$2{sOdD1 zlK6F8?c5iQrp^i4j=JUXy+))`@V$Qn&%122oJJz_bgvI>(YLyLxsJ&LLL{@Xy3sge zYr|DnMa|z2Vc>rUFQ<^FLm~?=rzW*n^kNj=za$@&mhBnW<{k+W zIk%!6`nF>J)RaLGs@5UY;8i1gV~SvC!ciVTmpB+MV@sY>MUua!#k}9V~rJe## z!h~$*ykgO-==Zwj_cnLF{z527 z)8sd#?Z~Ez5)AATd8-25REp}wE36zr&?H@uiO`ae@xCQJ#{4#?cm-03dFX?059;ea z?>+QC`Q383&-n(|Rete1Smv5@dV$FL8pb)nRL>o}^Bgoy3V}G7s!qRhs@pjs2-@31 zvVV448nJv%`wt_&Mwr~z;x-B zI?R{s=k#7C6uDf6uhxJF7`q7zB{tfMS*>6ONS1>_^^Fr6F45ed1$*2UQyIn))2_DR zxZe3;nPBR6dq(+P0mG3>wp)lgU6jW**MhlBmySA{M5d%XQjx#KQ+u)hv;>L%mI~&I zp=RE$z5GmbvshS?_FYRpki-qHNYZZ59i4vgq6_HoNNKp+PaMS<63k)DRVWZ~H8fl~ zV*<^TY>@rSb!qA3J_q%-D%V}HV(_cDK}@HD)UIVJFIu0|(f!rek}FZr1qVM5x0shA zeJYlCRFzqGDBySJ8N$7<0yX4|{)U|eD(3x1o)XQRIXeMH#sW0qf~jb2I3gCk{fLzs zbu+orG9`fa%lr%4xZ@M4R`sgp0Kr8iyEjtIv!56vF2xUdv#5y9{0(nyiN% 
zg+)g~?)=XKW^O+B<3TfBt+k_rl9~rXJzF*J0Jv-pKn7}!*G+Olw9iH3ddjv<)WN^u z7XFXDRjPOE+f7vZ&iz_?TG#B)bNVQ`j{8A&4BjN2<11OH;p5m%f>w{mMu(&xwcX4p z)%D{^I1g@o_I6cdq?l!|%G&)Ot56HyZe5t-d*qDgKKvHZ{@nSIvCi)K(zU4?zoq>Z zzU{p$zRX`cs-_CKXj8fBY_dOQ>iCEU#&^2stUb2#XSI)!iC3z)?@y|vOw(##$^PB0 zkYD{&tI@f4J{e;7z0cNU8L#5gzIsx-dRa9+&)o8;EZt^pBlIx4(Bt~p7k=Dd9_xDf z7<>OSY#J1>uE)nlp(Yrm^--=zOMclFoUuLU1MDSvQuo;ro%!l>1s%EXR#z$`xAYVUvj?dSs55d;n z-$X=BxA%KF0rZzOo=2}+jvB2?s9-`o-x2=n*hzfY^;5S`Y~Z;|XrldhM$TzmAc5Jo z#0>v#0}tlK+h=Qv^9Ru9OCNRykXZ}-5H*tgFrURL7z)LcYeIXE9nxTtOm0k|_I~&h zNCs>GM?NoJXEx8(4>dKbXUMuEeZI7P96m~ClH(Xrt1?4$ z2vy97vAO2MVf>%q-1W(ShMBKHiWhlnnVP~q(5zLR!kgv)Yo!p$0hiK?1ed0=@c_Umt1j3$rNh5d zJ}xDSa9@`?v4+e-ZT1F+Lm2n7X6+}9Pi(D})7l|&Aglx#UjHF+&5B>e3GrDR`vs0k zg<|(gc!=DhBB20hJ>P4XY*WjM$ zOkg8lsh_H&1o4blF#Y1+ED}yCgy=Rc3`R|VAEe>LyrA2^t6-Vf728uO#InIkd3>m0 zatMq0~9pep96A-_06AqIwSe3j5J+eRHsg z&BQK(1k=i=oUxjB6g{aIKZXb+;SlmOzjEDjkxoKyBn`)LZG@SrKPiHf)$s>3;%~L` zCra4oc|)!9r8*7VgfciKkD`^7H#+MA@M7>WGDf~6cb?*N40Y^^424lYSg1+eT1C7R z-Eup2ZYrLHPN7CZgfYF+r02qRUW!R#DbP>{<_pBEk4^oUzc?CK2u1LU^ZTd-gCiUCb~3KM-Y-w?>s*y!AS zI`Nqb1evi+RndM&v*BWJh!U?W6tBO_N4UT%96f{R>Nd(G`w6MUQ zVyYBWQ|(P67)@4L_@5cK#LF1czc+51&1CHygab1~5h!RUQy(UkXLuj~=kWf}2NQGf zE`K2O_61%ihJCLXG&`N{rN!St+2G`iXu$$fpGZBdZ%C2_5*TER-eaG~S?3HpMQ-DS zzMz;X`ff;%qnDra{VP^07l3f5_p_l`xW7Z^Y&GshjWVWdKF@FGQZrC9ZS6C*%}=%) zIn3w`yq2A(?S-BC-p;Xy0RmZ_Pa9L&vF`Z~Hw^+_GG!PTS#>vIp@bVk{5O%AHa<7R z?OW%gh?%?`HokUk2K|*hwpH>BSko*4Phs7JTKiYIemTCe4IcL>1uXEf7Iu$D4}I+rjm>jv?X9&w zr^S^u9jjVfdXLlSzR!^yZWlSXA9BspBIeX9H9Z!Yox^k|w&44iL%P-&t=xKi$3Y17 zmq6$JT*NN-VJJ1=y=LUDz{u8HBzTAWWwhMUEl;l3>k>oMVzzHn&hwYt1W%6R>0_tU zgbv`Qo^6i-*Y4#tJEL~<>0{u#KJsyRsiyaFRJsRApmWEUgCB50>{ja(^i_Jj)$wW_ zO;_0bDhY^uQ+&>Knz`dCvKR0;P3O7v+$HbS?S7P-LTBeWdc0SATcF{I<&bisky^Q= zM$Y@P8x45gT<&@)ew6b$*fyUA-iu*g_HuQ%_;9w*I>BA3$<1j8b|+)%b?y`(yqCJv=+55) zpI-r|JV4w3qBDMeZ?lGcg|YnBpMcdOBki!Eq`C1b1RrPMYwIU~Kk^$){%o-LoqUY? 
zG+YC;Wcbb`^IRP_J7^m_^m29kktmor%kqJ z;~mbrk*zsS1VZD6vS;3If#e(!C^v|dM#dZ#^S?$*sHJ;Dw)nXOyVWT*2OTLVC5Ir4 zb>!>DxV*=|hgv&Pp!4_>l58jKRh#N( zTo4%%cxlSU%S58{``Gh^lulVMujGA6e`cLEL#Gl@62%W{8$96N|gtErK*Mjyrr=&e79>o zg@=YHgdB8oOfdBvHaz7B#VVpga^<`eCh`1&^Vp^3NVW`89axfQXhN+*uo!f9DT63R zNe&_57=DSfWv>=kYfp7tZuXtzHY_aD>VE_uWi^W3H=4W>g_#~$6uAbO$;RE*RfB9- zG?Qo$dDPUy*WzHx=#9dcYSLZL>IcpXxIh&;bH;)%XW6*CFbM=x1yv+h1C# z>OV>oFZ^<5O}-Ph#SoJAiWT@#37lb>V1$rqF@M|mic*qFAPAz)ZB3RDKd*r2_dDdp z^#n8D%_@C>x|y8+K*#?zM~hQ_Eo)*wcY_j9EW{|0S^8kz1nCv<)WJZ!re{90U~MFp zGm%XTi%^m8r*jfK4a-%k24zo649Td_nx6|YKEY7nEx(90XLY3a!C1-tPVKg#7}ZW; z#Mj`0Qr?0&AY1B+FeR$vcK)!_OEBN^WHKOHgteBJ z&KS9*6)LtZZ0oC?WDBH?kDV4Sln#UXy_RS8gYz%ACL#{G^m?OJ8T$m~Pe>%@sd`{@ABxvz|8P6+NsD~0$7DqDA^je z45jY;e;`GtQ`#dGwq`yk~2HxE}}@rN!IWsfWak(mL;Dq z!VF9_9JZ_*loSsT@|w>XDe$1p_`k=SJ~m^-af;M;RnIlh2lZPKb^p)0bCTZ&I7Y$+ zJ+aIAs`wqg^R)&ru=wU|X{Dw=ok4>~$)0lub3J#%O>^3ATT2mtzRb9_TDU2f+}j># z-X4>P^*T=|Z@Z~`I!1zV&{cVDT5mQUyZLfzwmg1xB5l1r)TjD{&%VL+z8C&Jt$AdN zZNJB*^Me06S(~uub~k-!wZFbUL(snNxyi5wdOF;7`JV1-^Lh>Ce63B;JMlagkL0|; zecrL?yC?Hou^jF$v43-Ws2>P?UZOJgoSOhlCC=yR#$~>D>j92y?LQAC07$v+_W*V4 zXR_8_{3-|6+J}ow0H&Wlxnx|}4fNQ_c zM0Vo>%Ou@$#%xju3c1wwE%KQ^ji|;IjeycWi+y|XXWQxH z$oKp^S2_e()ikBQy!zgqsm^~mu6q7&ip8vWV449ro6b&qzv?WLqWg73yvJe93CZ?# zpkuwvmbY;~7czF+WitGDdAog9!~B(Q+v6y_lD>Tycq<82wHy1qer#Qv)9?ke(%b$x ze7%?e$FXVpeDCXdESZ_b@wr~>*6lii@H&a}Zok8I5bqPpk=26G&+iN%e|yEhDLGo2 z>G?SS#LxvyaaBh-ToY7gIldFbddwNz@3-P}X`B~KuzLU*-|}{Lq`Tm*^2c_H-4o=5DzPE^VIlhli+X0ZhV-?!`e->)guN?18 zLq*MHDkt>z-R@3Pj($F3zNcQguS%)|tbqs|UPAhH_s;~IN8SG|iAo)~-#I!L5QzU~ zXZR8rH(|~ukPr%}b`3&GF=bt&6PI_}=LdWVSpyQjKZT6#A zfH_5PE+~H}v;?_1JX>WXFSh9~L*yBfs73L1Sx+?bj8YAjtgd(tFADfBt46MX$s%8* zZbVzj1RJo3({Z663r@0Ig1S%F<75JDiCXH^%E3yeQA^1%Ih)EluM~~^?Ky0wHZ5K} z8g*6}4jY4zV=FJM+}D&&vR6;9)u26Aw^hcLgw5ubnk@NCM0R4ijKi#ou>zAU+Umgw zrloF?POe#nh%F^8$={%ebRnwzp7|oy(pdO`dK%uU6vd7jY%b-m$h3%cv_aWoeqKL~ zQfOi~q|w@U9JgB*Kch*5i`cIQ#^f^@J6^g}=R)CR7m85XhGZf-lXQ^d=d+qs$v-wH zlVqx#+W8~xWo!9Pq70~XFyN&gb*e0I}=9RI&>PiLf=#H>h;Do&3v 
zv_x$U+aW8#v(~D?yo?FtZ(P#8tEXAtl}uN&eMr*GFO3R|#P(eMnk4LQ(Tt|h;X2OW zWRNwFSb7ozYA_80TBWO$uZB54CPD4wzfIcD4(TIo#L8ICU4}wJrJQ3gx?CrS=|(>m zu(*=e`Gj*s6Y(}eyp-mRjGM_oZ>vIxm@d~raPQn}u3I)dO%p^iPn%e=#IxD0TXg9v zEE|6f+_kYd8)!L9O37MIcxdEKBy>`12c;(kC4(n&l_+A1?UzR+F~dfh-bu)PznAEh zaxydbg?2_#trObcN81TIB=<%T4IEL@cHz<~bIV_36{aNDae+XleBFfm9i`ccly61A zm%uj-@xMmv;jgFN{w6Bs-+pCJ4zi20n@vpCr=BsCu7U*lHsx@U8S{9p=ZPB18VY!b zP^QSqQo*2e3vDoKl?kr%1%4(NnBT~mD8mbjuR&yCOXa&eYS5|1P@qia;2WDpn(G8_ zFy~g1@1bVt-D&dUVa+qD~;aCS;=3fV&Yhw`vW1F%d1&ja_Ob zs!D34j~M#PkG*p=HPvEX&=Z4V=8U$A^7(4B#>N>uXq(|6gg9Bvn8j5rb;~$7Go$Rk>D+X14k#RkKL;L?HAqj+eopm8YQ&1R149zb zR0k;4#&r-QF3zSl%husyCq!A}``((QbDF+qg(;!_KExGKGLl9hMvyQ$CP7>w=jcho zRMabZ<);eyRg+?gf36Hk&MMLDxk&M?sk+qy@3iXJ&sYYE@beMi!(LWn+Oe~7F*j`j z5}PpoPDRDhoJK^=Q>|yryO@-?PN?ZxHbqKC{=?w|qq6eVjG$>pHINe#5zT5+d~)=k z37H}%?>Aas77w9fIi<~dFR(+HSA&_#$Qz{;@s=`0D?nJHaptN5+e$c!_Ohdk8)0*u zj3HI~|MkYGj1fPj3xSh>ulK}oz-?}I%1-sQ_uE&X;OJ(xpqbOR+Bgh&BygkjPXIa! zWz7bIJnnn4if`|@H`~1DKs@h#_ZU*0Z&2_Rch8$5$;Wg{dA8jw4)=Pw&RMH}9Tbrg zx-{?i-fv)%iv#a2Bjw-wZ`To!zD(aYa@M|PBYmC!LLgBx*o@@vNn(gP zm89xFe|X+Hh>SE5yl)lm2-xJ-+O$4T!;-Y1T)<7o|tK~owITd|#wb7|{=iq4w%A&3>bt<8l^VfXshJ$X0m%8jnx z%OxIrmtD^fn|EzQo#ssM^H1MzpWu4`wZYhES}i>vL{cOO37z4zHCF6;%IZdqiHkLAaM1wJj_7hs%Mc=SE* zqhyyijCX#AR;B1W?}L~-r*4@(7ydWy3rso(xsulZM zKQuw`V}^&ONC*;ane7;q?Tt0i=L5SGeitIj{ofP! z3S;~$<(m1<6SEw%FB9GY6E9CMP;Y)2&jmzr`;-7RS-E>6s}axiJ@Yt z7J>L-{$Rr_Vg2eXh4IFPv`|QWu7X~YI03=9VMOt}YYd&ZVA)j}yo5v)RflvXYQ5P~ zP+G(nCFZLjVrZ;3Y+ksI}8dXupamMfBQ$$aLw9pL0;5b%1 zd~=!~@s%{rmJv_Qi#Hh%T2x|&;tl+ApEH1qQ+cRw>C@hRj%M!j|A4=_U!-($Kte@E zJcTccGbTrizP(li?YN4==QFpt3g}?rI^;~MzoXVR` z&f$ql#*m{u`M2Y3lkK*wq0t*;US~#f{iPmZh2nB#0$9zvd5i%PLpHZQJ^E>x(Fg4? 
z?pELF>Zw1*M!DGLM_X)hSu{*p)&BC&<)jS9EC;mlvq6`lQdr}sg*O^9N^Z`^Cw0|g zH?e2R!sA05H45zU=;dqwy{WNO6-iZ*<=8V(m^6BvmoQ7W3dDnvt>RBG&fmFu80$)W z-jrg%FQ#UMcYt`do?=?~%=@CyHw*iwTmOLpQB=nX7Hr^Y?Yd_GxuyQSEANXPnpG5} zQ)xjFY|S~BF=xK(`A$;=srQ`Jdnn)yC(_`95Q z)NB=nhN{Z9Rq7}5dyIxWM4LtLa)fZqFx+XB!PA1J;HpfJip2|(B$$5YLV*WekP_4X z3>WehwFl>gjIV0qN+H!-GO)A9UU~#O3}ux>McEyHR-+X-Gftxq@529kz}QZASJ1c% zGAzG%TL_Buv{PhbCgspC1Fz!`2V+$u|C+5?esw3oE?5x7Wv8j*f&qnWhh6*^Sbiad zL1v|hCTUDMGge~utc@4Jb}qs}jbKix#7Zv0uAEF0ZIu=2rOFOZvIQb_F`MNttjQ*; z(sGoeP~aa%>{ED_a*S`W?SJ(Dj(sO!Jy4uJ`3r33KZ|T&nf7HP+KW7*zhr=)BVjQR zsr?%a4&Os&dZuYT_;NBcg+zLNOq&_hR2moH{IQ!hR1D(k?P0d?q_dvS+h!XJ9oQk z%9ZwmJ#D?pwh>yl!Sv@%U@>m*<6UcxmqqSls5#&JbZtXxDm#OE6$AtR1;O*W(aTK3 zZOIkW<>RPR4A*&(iyZe`oqg5gzkr3OvdylYnqwUYwNuR2&t1p8tu5F0uCcAOlAR6@ z=g*Y0H-V08?Tzj>Bd??$fr9H?_jO#P?8fnov!{*fkI+te z?tep>gnBOiK+Jhs&gAB2E$3mmtVTcm^Q-9EwLKLeCP$xnzr2q7`1Q5LX3t5^dLYtH z`)#_H_dVa!4Nn>vyN^x#g4A)X>#f~P&*R7bJFVBnGLOEmW#;>3bF7Wmoowp~g|9gz z;(-VT-{UsIsBS7haL5s$iOywS=X(!h^BhRHVX-28rE?f-|K(4f>&?4rbrw-5cuaxBmY%aVHXS&_d+?VYIG8_HPP`gJqf{lUlh5-vt;fhva8oVjWb8QT! 
zPd3|=@js3GsSIVqLwYW`Vpr@DJSuEKnz#&i+f@D}Q`LW_rwvV#p#oQRxRI|r6)%w= zH-354R5AOxRtIwOOO{JDe=Xb+X%0DUTpMyAh)#kAJXq7FnRUVCHNfa39aLN1Q;APH zW;lL2g^N~Z2^9Ikk)MlA%7+g}%_JUIdI@Jusc9|^Nqjp_3DUHhe>!OojmZ`RLnT!1 z0Z{H=kYO}9=J+5wft zYfB494NdGetG_Oe{ZM1k{|78?!@3i>5graTJNtUV+R1Ol0|bMz5+=%!mOzaZbLWji zw(eoX5#ib-+4rM#%~PTU`@Xpf|LUjRTcZT&2`F z@KHp^y5&o6b#A9u4MC3Y)_7tfiop!lr+jm&)52z}h12gyiS2?5IUbl4b}uD>XBw?1 zod&}~iSnpJ#@KiXULGzK%QA_4rYMG=w)ZpN|EHyOfTt&Cb#qBM0hA&Y2W@nTM(cHC z7-UN}q?y}zBENv;iU_~+n}6{E4=HczkKL$hRWEAZ`g*L|)(#Q2=yM`IIR$?~Z9F}L zKMaOix|f zSK=icwW*em`?}qL9gnnJXIKL0WeLya?V+XD)zvvVj%97!aHH@qiiR?(uVtedd?9tu3o_f!3)My4%x`Ya%^KIK`VKY`m{m-=^vSwua3fV}iC zft?6{FIrc&wvmETz%+ne{3pXs{Wj*yO!y8pzrSKu2EPyqBZSec*ev(ISpGqZ%1@`S z``nG*e#)o>{XPL6pNUcdghk2-5o9St+)wH8#`gw!#!0K%dHddMcjJXztebWkxYn-M zAt(VoBlZsY_mE!iw_B*t?B|7X?#kl&vz!i^P3I1cvp`% zsFB*1neVzIovPltk2BnltBXL6cP_wbm+>;+Yh8ENu+s)%@2YL3w>{KNpz$>b;r3Zm zEWd9m{gmGBHlgj8qGiK?sSi!>~p!asBZbq>JqpEk6$C~j_J-ZX& zZ|n2VYSv_mB?pcJTmNO$dL-Mb_hGD|lK*{<0dUv&oA6~#O}zVajwF`gJB z-sNMXa9}yM1|qBJ5;ivX=ATa|$VgS=!I)__kW2)D%b~p05x3^#MoS?Dx zr4s4uV{Z;g$NeBeojxb?{h$51+o#1og*J}|lI`PZ>GP*=qDQNJ#}}bFe#>DY(q{dw zRA%1@?lED{Scf+2&JJ-FX>Q%g#R0njKeG7VXRR*An(?)?eB1S9_Q#YS&(k70d-riV z)HQEj^HRCAZ^NS#4^||d&o24MC&p=36X{Lhwt^eUO=luJ;Kpbf=xP zXLo-`o27G6oJXfu?N~lEfleX2>*3tK>kD`U1OoSR0aJikhBH7PHV|07+B?>;a2-T%@TE(k0<|>UkT7yh-vT)95#b)03&1o&y9{|LiV&|#03=!Yc zc(kYG5Kw|0dDwqhpX})G7o1ufc0!7kr(p>2&~%HsHK7t=9>%@HLz`->n?Fh&%uvvX zwHl8N%Zz@9H)ZzCoV3#FtMz3j?>VmXa+ahlpXUXfNs; zqFjO+zdw!@X3=BKRv>#5h=>JDC~}pEHh$j`poXGEaIPv^iS#7ote-?|rmUnT8_XCU zWLe_VAc%CBEMR~%Z>s`n7H49t;fh&GDiu5|K#Dh^){TNKlPbVZ2O3vv3|Y%{p`jQh zut~!_3H}f*oDP8$tLAC#xU~7n%joQiu{wT{LdzT z85#H{G#=sHTNybC44gl(N?3^dLgRlpnI=}1D5|g#{Ou{a7%6`^FbJ^)Xl>IrDSP0m zO_Y;-BCN(T_KISCrJ@p##<K^(1}P!I_5t5fYg?zJSt1=GYh`4vbMa z@1#ns++7rwtlv2w8B#a1vB+kx3h1{ZD$ss$Af47CiPD{+kxBlyL2>6IVHTL6qAYGIz7kM zQ>CA-gU+u~{oS~$)P-8biOBUV7^mFSNV!Fpj6ed?#AMO)AZ(#HO63LmjOTE)eu8LF z#I{0L8REw+Ua1h4mXPrJFJ-pfy5G?r1BKFx?HYZzXtp$$8rRq&c=z}n;WW)KgDjL- 
zZDU&EL4E_2Q}VM}sUMqD!WJ5)y+c!ufX-~$d|jEb1#FgVLR5ob#H~_G?(|=$r@cP@ zm)=zCQHNr1PKyKD-k&dVJ)m1y8U|%QuzlHxx8scN8RF+=J=bQIEIEym^=`c5!LE3Xf{x{ zmpbJWV_UM_owVAGL??t|->RSf6cX}WvlFG|$o$M%OQo-ZGa8z&Y==c!u%>?{-V6$X z8+kcW>Qstr>FlRNs2?sLjo%*$oCmJ7Se$UV^d&1HT~xZO4GXsoETds5e4yG2ngmD(0g=Go0Sq?oKUG2nDu~5>%)jPz@yR1Iz;Z z;QYU!hD#H31WQ<6&(8r*+;$tEt)Km|Is8%5Mf6bMLHW6QyJ-CL&VGc5uSz^-=f~AVoOW*4&YJUbK`wv$d?Bkr?aOHL zOG2#0ek3G%hhU1*=4yTE$`@|M*HsI=fHSOJfY9fxq(YyZ*GsX_{k-{oRScI0TzjQF9jW!U z2VPeLo?M^1?l-gCd~-s43yq=pdn3CKnr8_GI9*FUT9e$mjS4^c--aD}HB{D*%PLby z*t_;01La4id%q%5-2{O9#S4G!DLB5wxXlqvTWzU(`TiL^+!|Nf;{g{$rhK-#Y25g| zXC`9poBw9abaQX;E{tn?)jDlkzx<}Tc3+6*xqLiJ3@t*PNC7l@njM%lf01gdhQx~@wTa~|4qSv|BOt%5gtT-K#7}w09y_9#evEV zY>$z_6~VedmMOMJOJNSe!_iswMIe#ihx~hQ_zvG^Eb6heDXo4+41~6x;HSI{L)cd- zckgS48Y$Tz6+BiKI!J!4mTiFowCE!3BWnu>OugZhWC^SuR}FI-QA@rKhG7Tz!a|cL zY-!~rC0#(UNjHm)lqJzm3T?CIA|+MC=aEOn;L0GBRM;2L47j@&Kbw4P|0`4_R3wy% zC~nL62xbKACcF|!6j-8W8XF5^hyjYSCX-gO4vgY7637yYV3=apuquUgf|5Df2NlIy zgmQLndK!&hZPkhrk#xZtzDbL8VUz{~RX7V=+Q|L9i>CT<@FcwH@_a*uvpb0Z3Q^vX z6+^=yXi^DjNyZ855AYirwaRg4)!%N?WC-k~_A7gg#_+fSDCnkAlx&xNYU{2u=DNQL zM%uwGZV)xH{qk&^4F%z#ZaEf!bq4X}%s#>=6w+&60)>GHmO#) zDb$a3yAo=os)Qu?X(jnq!q-1uG%8+9S4*c%GDnAhN)e)BtNV=-7jjI1m5IX+LJv|X zCWxe22}_sxDmk(g3cD%z`-Fq;o!b1EBi76=iBjyZvlg!0hst5epD^psS}oGA81cnu zL1EIJEU$*&w4qQXl))xbIUh#wlY&c^lTD052^)FMqhHnxgp1(Y9H@MZs&F&pPRux9 zHf=P9mz_J{Escz&?l%Z)QjAN>RnrzT&1>mUqZmNb2sE9>;i@}uF87WO)hwJOkxEm! z=gRma9ieuuo+njbjCfw9R+~zkR}kq-(&y8zfwxGkATkar>b7NH0Ng$5Ty=QvZPN&5 zvo-(z2DX2h-)$`bX%*UDdBC*dzU;XGj0c}KW6Xd3l4gticXr2#b*wz~qB_vi6FJLB zN;F*A`GRQo!1a}p@skC=im!DRIakALKypl#Iq5rUuPJ%<%`FKr>Sa{MXFH~ zKMdP7oE8oJ3CJU*$(BJ3EmvyDw-WKTaYhZ$UreND#J<^TAS*`svq<>YwqXWYDf{^w z=P?nZ)ZAO>F0iGJGcV&EUMi9qyXsfd9RD+BlZhnl^N{z+Ke^afEQ3B~Z8JdnKm|}O%2y;_W#BveMdSws|HJ&Wa36pYoQxP6G{5#6 zclhq*9Q}S$lKP_`T1H{V4~Pf2cGac>Y}$tE@W3*7Kh&|wb)K(S-_TSg^gJ-w)61i! 
zYCuw|hRkBulF6@EdR=x&e|cWtzkd(dk!#g*)$5L`ffE9|2K4V z{>$2@%JbS^uH0|(nV*(VPV)Mm5&#Z^c&FNzTkQV9$j!Q`SB($S_ph<=$S(IIam+0r zmE|_;bH3WI;W=&K`q!5%(soNv-RAAYJZ9w!r~7ByUsW$c$G&PzLYpd%^R3>Rr&R6a zi^Ej@j!~XizRr0F0RQ<(C#3z>pFaMHZh+Zo%Mk&mY)c zW($=*pQwLU?$^#U_u1IL?(GGtyWbW+<#n1zjHPF~8-SkzV4c-Y!>ThopGVR(me(J9 z;dJzx*N>0eJI@`DS6+Kc`+L?5T&MVs6XR95dS2F394o;5_ffh?+qSFA&fJdO^^&{Q zC3!;EgD!y_y&gcWn_F6U8-k6ur`fUlurcBKt?E@cLW=a&`-N+|sN+PafDb!=IcLxA z*)h9q|VlGOd2gjFh9)*iWIR!zJ8CA@+%e~tO^~3X z)XgMA_UbEb%@L88%*a|2k7-;O zSeBrPjh(21NOFe2s%;fDzUCZK=>$s@+wWkVbTx-^nm9yR0>M-wfnl1-#y*AavOy4+ z#gx4eXp)WQEmI-vZ7zu10UDA>Ud>T~|8!+@E%%g`5I-=;xwVf8>nM{^OEJmRcDjI}C1;@EY zKvCRvRT^DHT?yT5^9WMRQ&9eH3nL=QUyL)v+OD2}tt}{ok!w`#cf$uz#sr8CG|Ybe zDE-pcv9a}BIQzbS-l?xM0YRC)_qh^h*(zd6L=pDRWLJA%r#k4M5#T z7;cSJu;k6Jgg%Nb%t~k#rZY^iO`r;wE!<=UAD?YbT6gr9!5Pu8$Z*D9QjmR`5Uy0P zmel>l#@IZoI;x0r(N_moh=8Z8+NMfV1otM2a4ETXh>Qk?Y74o0Hy}|`8LYBhrbNq7 zZY(YrE6!JkynK+MWecU(@I!4%aFo?Xhz>TY!pxyoB1I4qYe0oUu1UC*=_3n>W`g*^ z{1x~OLYE*x%mv&NrleHWAh%P)gc=i!S$PZ< zXAYD>-7ApCuY7km(Ku@oZ&~s~Cc=A+;qC4-LCErc*}e`IRIkFA|)MDDDE+NU?=T=*2Fw zXrWWu;KD0an(im|qgW8@5s||xHE>KY>I1Q)+3Al6^OjhlMkuGyN#1Xy`@Miwk@<4r z`GQv+`eKYRqm=o4cmwG8jAN}Ltg;|pSfetXrmiR+8KKX7gM^61$`Go0Vr-KQCNr(B zsk&V3Cze59v(*{+_g8(3`wdmPqz|a{a-a|H)9){*7&?Oc>tg{dx%dSJv`^S~Ao9(? 
zD4^^Wl{|{5%svmON#1%&&(PgF@VwG;wQU}IC&%OC7<2RQCr?UC*GUM)G~ZnlU2eG3 zaSbQZuN4hIa_jR3bEjrV=TX{Y*YVgyEg!!xlOo)8+i}NITDADtGtyhx+lp=#=!4Au z<9$lI_W}LaHeY0|`?*L3xBEl*Fsi6yrt*b&Z|}&(ZN>FjC?CI${>J`A}%xoh=zr{!5FQ(WiM#TF*ZY#KT;{WUJc0>YyTO1D+?Fg>t|?{MxhvQwKVE6^ zFqn|d5=i!~U!eadrXcJrrzgwznfx5@Mo`$AY0KC3WS?6lP=7=pN)S}jp?TEo5*ox} ze(PrU?P&XrS=|iY>Uk)8#MHV;RaHp;da<{W)AL~LMgy?@@G<@4ScZi=LD74L=E z39s4G5DmOXH+P7{cbE-_QWOYX*|uBSAyCoy@Z(vg$!&Yla<{z_PrYzW?s?OX**4p9 zdDgnWlip&H^Ey2dZ~M=*)%yzc(_aNb4Vl07`p`VNyvU~(y&lv0~A zrdIJgTt}`DD?jyArpzokjn$ZNaa@fRp+gd-!00`m;*ftf{nT*mjvweS>~h9 zM3a8{FR)|r?3vpm;h#?d0!QPO25JHLCakm(^>qrQMB+>zM(LyWr$HDv^`W{kv_WG= zP>hw9*4daZoDzG2E1VD7aXR^>UmNTg|w$25jOzB{5MGXbYeJ7|UZCiYHggz=<^{33ZF(!qo~}BD4T&wFU;(p|Kc=!xeQ6o zx!=edS3pYI`a{E7$s~N^{kdBa1oN->ypXnd+j?@VcwP>PFr(jL6aLB95aqn6s3&QO zKk^Mo^m>zn9pU|1;pvX!`YGwe#pbITe91S;SOxV0NUM~ftqwsb--VaY1R;7etIBMw zpnoOBk%X8k#t7SkLfX_$Gn2z%5GOJVC!HjN=^Ic}Lm`ffDr0vvWu->gh$1>yZ4pHx z`;i}zr_f}wiePA#8J6fk(I14nD(#+0c`;H!#VcVo!mF9F)E7nmq8h1=k*754y}0qk z^&9stB}AwcTh1ppYDX_v!oz9mg#nID+t*{K1BZv#N$?KLJ^Os70eja3K+U{A_io>+ z5ojPxmZ8OxlOzCML4@LfJB@@#QkSs&v9I>n6QPs6N+Ag|R$Dbc=k$;UmaC#Y+g}x5 zwQcs|PjbPW?6Pe!Vp4=p#r`d_0C6WBqu3|8R{5^(vJE*bBLAp|L`*8^!+nK` z!^u44T&GgkPYY8#j%U#yu5{3ON8$ zu85s>f$N7!qCEFbW3bCuIVLZcSnC3!K*1ar=j@OpMhl4>4j}SqIxb*=jx)lTk_?Kh zwtngl8+M-mMIj*B2l5Re-jLFdLIoV9G62kaHy1k7ogmAb^BLs?A_Vi_Quk^_;w)D z`l~GY%=Q}J_23}3Xi^kO&+00|WjGd&_n6T~lPu-^-tJ+om6dn17sXZX_C>U{*P-<9 zUhQErggL#o{{3ERZHR{7?!JmSf6FUs>Sl7f*1(ApDf>;h{=txw&*&!HlbqkauvlF)G~4y8 zbON$D`og*& zk?q+LTJ>1wsEgTa0upRh)E{yBbom6o$wg>eJKW+N<;)gXcbvF3XtXvRxCffYpqy;C zehl}npGDECGYA6T8&ks6HoJYA?=UFU4aW4`Na`mD-Vt+Tdb%I}j7(*d#dg8@G`Owa zNeZ^C?7?WauCLU(4r_&QqF?VXeBNzqW7<2MM^4mq>Uugqtb0#$JKYBvbi8p}W>0A# zw_Msi-j-Zb*1lY%dw&m0NvvlsyGxn+qoD>%lerP72A62F03nSlIgEeCH^-HDOIp146x{`!mf|`!KOXvEVkX5O z5D!Lla{o;V-Y#6D%&yn^eXDid6X>)a=DwqjG4wV<8C2k5+1);8c3PsTt=*X=kZmNX$sB5qQ3ID7fut5jg%!-j*t;d`hPkWFg_>z zC{l;OHGZQmDRjHy6MlZcA%7&Ts=~O>BV^|rDtht}|4kO~MVE|@GY&gU;=O~#E;jlreaJ{h6gC@IpNC_=! 
zK~qq}x&gKayGY_SYI2dEQ|W}o)%Vmrv)S-(<&QXC1zfaYLLUD~@nn__)RExz`l*~> zQEytw2;4~lBEm4GGjingyrZGIoDX4!>s91Dq}b+YM1`LEg$Lin>B7AkbQ>iEq#yWO zP&u9YRFZX2bC{&mn=YAlaqk)LQSIm=(4gH%ZtO8GwPb79X8g;`U%?tD|XP9#1Na|*~#~v zWE6bO2s_7NCm8hoUeD&mK=0CGcDXD4(?0hrn4@z9fI+qSkqsJz>jSVD{%T5g%yD)U zA}$L&Q;_j!-^kWC``N^oBLrV6_r2VZ{koH#X5o%SJu1Y{fF|0gviOivzu=hEf<6q+ zU+p16nnX#oyem)9o=nirJIH~k(k=S}mL;Jg6&_*1ntTopvV9d-sa!b$quNZe?k5^9 zc-jsQFS#D!^Sh|>L3KR?)0&K{s%+^Gr&>BpTm-GJ8cn>T@UF5)>mpIy%eIC4WZn8J zLm~TLa$Z`nj85We2^TjOaTOYOx}85&0yAZQ)8jFIxruFro22k44z~VxxE4Qo^E!i5I|R zqZA9GD0z|nsk$Q)D(;|BD4evV<%(|NQ~p$WDHAj`{FuB!lxYlN_#;7(Dn20GJgMP0 z8wtMC;z|If%TthGTRS%%<>8^b%*-aWCjwq5;nAY*?5(@N5aUpT! z5ksOCPB_rMO=v^fpJEfa@B3srR5PxQr(e}qB8=Y3ewSK4T%J+X{E&qG{EW0OVrx~? za4c!D(1`8|{kMd&C7Hq+l^j(T(rdwi@}=6~)#W;ni+&xRy`CVf8N{|9oBkU+9V#Jhq& z;S0V;92l5_2p_%>x8)0Q!6~Gj1i;^*fjc$Ymt{zy7off5%%^nsSKH9iR=%g^Qgu5u zFMBF)TP}SLz+c=a^L^e>uc1K)-_S$#8RA;;G zgca#I1zULS<|%PT%c>lWq0PG2qM3D@`(eQyDT~12c5jBj+e7cMe21lX`+imSg#YFP zcl>lcYO6Gr|Fd+4(fzRC@Hu7YeQit33%G8Oo8vx&A4}*kZ;$l*fs>KrTK|1O`D6`! 
z@ko8kYT326A8~l9I2r=C}#$_)z_6A+Wgz;rmkDwPScL9{BO#&1c7qdndnvLwE_sceo2t{|FUU-RG@T3VOS$u` zrhpM9nU&G#Kr3O0uW6y}P*K~!2b^D&aLS8VI&$ZOku z>4)JmGp;c8s@1B-GY}E50&iv?l33yVLvUeH+R?Xjb#o1TR1gbx9CP7bTAgGVS!O+w z4!uWTKNdmp1`M;-8#%`AnM z6g8FI>cXwoS3Y*DDHQq?#BScs2!(#~NJibttHTfm*)VOjbI za_u*~lK>2|%@2dmM4dPwprNkfwS4aTw7b7a;mU8(vHG_sG8Sd01jlfvG&G2kAsq|0 z*)YS7zfMuVS^F2GizVY$i_(7TS0nu}LyPhc>-Qee<~ycM%SMY>(9)87v*N9$g!zg6 zSgGewAhW%=pso@K7Vzid#ETt;xS=D%;f)OzUVaqaTbQy5MbLKCZMz^*LTp2Ic#JCi z5>h_;r|iVTyJtO#r!c>UR9a-E9b z6<#ed#d1hA@Vlt;%puY;R0#!)IQn|1@0MgZ-`Lxit}O@@Qpb1HL7bugW=;g9??79i z>P*GDjs%pF{Bb2p!)DRFM=*{gnoqLf4la>!FuBDLhB%J?90NL+cVtm)HonIaC@QFx zs|q?AQCVpnFhluat+{?I7{<9X;Y8JiSupWQQc8?7 z!5zqJKC{y2{z=YCIRR(M#6}8(wske6q!_A6vBWRs z7kXC^p^ds=M`BD8Cl$dE2pQjEi%EzENKciCM95YPJ5$0ztGlzbh%*(-EWDWBAe8vt&T@@Jv+@!zle2G|g z1#xRaxT^tzAYupb90MGQ+pi05T}V7A4h!6H;p_w9L2xBCjJ}2kv?cD>E^-yr>Hin5 z_ib-2GdAPp3TDf9>JP1+x9`7!`{~Z>YSCIQv|hl_5aQbIVdHS;@yAf?j&b`~Mkk=F z-5mzN91<)^U%+{We$3}Rf85FcdgC;K_Zm1|MI-1jn;og!k_KG`9N6$%Pwx)wI((W# zdDm-v0BarZWUSvY5Y*Qlozi~<^5+7RysxXcD|6L8ZniqjuX`p(7<208o~(P`c4ty| zK(D5)T;~nqxd0))Iwp6gtDcLUN8#J1NCTA`GesY#>{|iOUe9ZW=VbRvuv!D)U36yj zv%b$QQrIUmCSX16sn^cY=AuOA8nX6t)?*RCy)n`klJJK!2RmU;?DRjq%?&e zUgs_4Gktw#TLpAy`SO|YIMSN)-gsQgv7iso)J*L?i)wD!cGiR|oIhP?b@#bB2)cgx zy|yLT_7BF|^HYVh)~^ad;Pp~QhraPX2*#Adk}xdOdE3A${i3$}@~ypf>jll*-^{$( zeCuWWnwB^F{Z5Thzx^5ec6%u(cE|7EQ04bj25>!(8^%gT%gE0+* zj+fCX_bGv=Wm8EW+AHVz85+r%_p=K@{=3Aho$i-4`ey;RrFTxtZuiOL-Mzly(Ci!6 z6_EKSVDAFN(FmGpH8uzWdFU3aPy@bp+63b*OQTd+XGe(F^N*9xhvJ$WCcT|^(06R5wqn)KR?EdqYlLHnE5h3CYgS1g^ZOJGFC&k@y)>s3;X>W3V$ zY5KEk%^L?KaEZW9VWDnGw<48$1rm;V64AUAqUzoaqvMt9A{zKD{sn z{9I!m?YP3(NxY>fdH)TVMRul2kSSQRf%#5>okQzl!jddn7Z#|4UAC{@;i$?e#Gl3a z!zU6|!d78oDH=MB9*Rc3j954sdqweKh-5c&wQeje>GxAn%B&l{{87bz-MnH3Y|!CN z2d>POGBksXm;Z8@A3J@%X$HCvZgO3e7Nk(UQ~ z1uC=%WB?)s^-g&pg48`N1piVJ4TdV7#kb}CUMH6KnO8*|T1CEmCP#1iWqS&n#%0P- zpS0x!ZC|eAb{mo@ZsmRpb0-gtpZ&x<$lVGnA_z!$7Su#}BKipTJ{qWvzRBN`Rr$o= zw7Qe)AS`TL9fh&n@+BDXMhmgBvWflMc&>wKULAMY7{a 
zTg6$Jjn|L|T|^4E-6qRM{zGoQ<%1&LhTF=1KR#`1d{4ax@$^b~H{JmucGOJkk!A^A zsh>rxYGO-0Csw5ZqqSMxmMF-UF}>zVD#=F8!dX@9ucNHnxDcxWr%*h*($tC-k?L$v zzHsRw==jr~;GpmiZz1S43na9||Jf+CcYOU}F8lD96NaH}cR?lWeMPnizcBs-cn?A%@)_q6Q0x^j2 zVB8Msw4etm+=_CA!(!ZFvYHI|G@(ub%ceK2)TiqD5GuKzsW8{Tf2lm*G^Sne3d0CI zqU|d|8-P7QkUVh5!(2#0M2pa!#<2(5iPXMB+c}P!jnb01WHUa}e`_@PktuFe;zzzW z6eshKlKa5xZ+xL=!P;R}s(#fO%yzn zzszLVy?K<*g%+(ilrl- zSn_Auk_dzU16yq4CuwjUjvzG=;Y@PqgCF~)eug437X00mw%o_L2ONLUf*GZb%Ut0m zf#x_$U>wyEa&fCoECfn*M7VcLg{UR^@F)&9F~m=gH6rUgMh$xZzPjo--fU1up6Tp@ zn%NY(eL3$6T#br17_y4tFv-haxy(&UY_P;GpQRA)|7VJclKQ@wV$sP(P!GZvX}4w* zO7H&hd{2l<@;z9H82;_Y2Mh@2Gl&uLBUFs(M^27FppWmT^S)8!RsE;cThLUdU&s2C zcfWVl^ExqY=mgyxhvxy*vo6c?poZTG{QzCB_4VCpS7=N!Blk)2mn6ynaPhYlabtI| z`PsvJ;LEIY`P|){+xc`QTl==qt^*YCaceft{m1Wqy-q05uyK^@S2q%&VbePp6i%4i z8|4Og$#mp?oyBQoxE*mfz|-f?^s&B2pILnqGmCBID9`Si4qw6Je;KeG-J79FZWLTM zzTV*60Vb^^GH&95v;v`H?HhBSd0+Pq2Tm5JH-PViR}OnwnSM;C^H;qx-U2=Qo-c;& zo{F_@ALT3fbt7*lL8B8JbniLMke!Q+xv{ZyB7e@iT0U+ukL|XyUM=bnFLK*2NM#9c z#(<^TynH>nKpcYVs_h;pu$LK2q+E})A;Ked{)ZG!4o@oV9AJM0487l_(L-T2r8)34 zO~=f>VT2^op#AKwIF~`X8qjw!^G}cQ38`{Zia@=)VAu^r0o<@$KM6Svi_Gy4|CWBU-8YOv+m zNW0T^Uaj_li94Ye%E;+q4RT)jMd(bBVI#18*1j_0JV-k2Nh-iAXnxZE9Oqu|9J~7V z0D=Crow_|+!=EInuaa_WCpEQ=#AkK1lmfbWkF05(#Ie?A!VzRMsYwJlU7SUZZtS>; z9fiPYyuBn14n-ag zKLIl50Dk{-pv7o51@Vpmex<7w=#Gh(oE?2}?tl)E;?);cnW`IpdIBW*#bnY10BStlqYsar<+5GH}MPgxL92%)0OL?&4UywchF$2 z*10Se*|LZAsj0AQ|DGe7 zUTatold*94LZ2}=S#f*;5<08Ewy8Qw z6XB5Y6I!lx@&!}oYFYfSk?|tF0+DWIun37kF_#L)@EEReBDq8_YGRe$TM5?WQw?l} z!ZADDR1qn-vHGOQj)k8cdw+}qO>HVOAa>=*T%GENJ+vwKeHKsNOHDv``#t~b zlwyGE?A4)!7fT{hms_NnN8qw`{sFnT(l$@}1YPR79a#?Xz@!`dpk3~iQw5P{UK>kZ z=jQ}G8QBuj!`*k{u@(laUP)>uzLc%{QChqh#))-?6yCDKHZ-I_hP|E zW!Rth+@OG7?+^2U{;8cWHPj_2u{I&@%&M}NMYr{#|onieI})VJ7F#UuBF zLtGtBTE67c@k{hvpWvtijHtvy#l~~MDcVwje~-;5c7UTu2AydpT`3=ntck@~Os3l4 z#JG$e>0MK%4!gs6-cpD9;u|{|q%;Lwj(miAeGaj22jOz`ALD(?YP$mDEfUDJEa8>DR=n^+Bx;yHx+k2A}w*J_o`YU$RD)1JyM z*c{$!@$_7}aYK5ayAK|`cPuSr4zhR_K5d#v8o6QKVbNUDRDufA`;dve!HX%%B_+$u 
zK=?8YVSeZa@;Y`NV>Z(<2m2)bzvDF*A35S+M;w&i4tmcFXMCHPVa((FKzu=p319*v z8B9F`{Q+PCL#2wDnL~}B+U1^+x?OmM#nwV z)ZDfsI^nHzK8K}JL_ntQ#q<8SY?|a14X`32_emzEbH)4N`zJ=iit`2D8`=3tXo5)(p|r#s>f&_yw4IbhLa=KnA z`$c4dKC6Dh2Cx3+NL+j#CUsNI1DzSuUnYysN_UotYxgsTjSthQ0}T3|Os>oGL`-(S zo~cNniiRf5HYiaL|D~@v<>^^#-RRx!?#?I@2(@XHyl7vj_zy1Vwi!SXRJq(_AmIJ} zkmvb6FZ1ZHVc+e0)mvO6Z{Rt9z3hF3_}pdNd;S8V0|7ceAq;OYf#znQR(rCZ2oP1X zDpb0nbHQ~T==;K%nKXqk@$z5BYeA43DEGP$L=-3|v2a3|dICY^rQnXqc{mf0>^GwgC4YydVdylW?3*CfMg$hvn`cW@+NoWV zP!?;-(d&@=OFzt;;^(Wm7m&L!Ot;Qwb1hjwq8QK=sn*V3;gZ5v!DQ?+`!bN2qE8>! zp&C;{6EmBD>BePBmsBgtC_vM69Qa$Qg|3mAJI!$kK6JveUG7Jl^!F2U&%^vK=91p1 zLrs;joVZC_P3>1kj)+K7pwy%e$;jj6x0;$bw&u!I3+*8Eu;V}! zHRV!BBI*oNoC$I(WGQoqBII=av-kVwvrJoxnn>OD(zqy}APw6bkyai%(+V69hFq8c z?zye(V{!u4qJO~RS8FLKe>`tlx*r-t{3~CDo!y}P9GpT^moZf>?eE|Pml<4qgjH}! zdd@269Z@3kfpEvrBP+%(u2Uo4n2)Hsyd)Egt^po}oPAm5tKlrHR)>_-!rBcH4X?>| z3aam-O>>;Iq^vW5y)?1=R|*()k6lpv{TaM&PYN?qI)Gy>dboeVOsB|Bd7I;m=+kRj#6U1g^!sK86mV!}6x;lyh5Zh!D4hhE;2gX-1M_y|+}7i3kP4{PkGt4E zJN>Btx)DS-dUQWKj_3shte3@zS zoSbDKg5DU1Ufp^f8uDpVo0XPqK$QtKxh%{FPVITdA(q@$O``goG?nm_5OOga-QycK z)$tO|Ng)X;BD-B#v&b0ntT1AE^17vyNXoZTBN!*mX^9H{{&{r4yGI3P_A@wYdRo@B ziRY>K>*oy%bgPa5z7z$X>R-0Uw{8s#EqVxL;z1Z$f%R;NZYpDt3%DD^A>zbS(65jq z3MVSB3VOIqBpmgZUct#^tZOhKRzKk>^k$X(Wawp>(l4|6G#o{n@)dP9V;Xe-qas+VJTVsu6eo9yZm zXufX|DCNlW8IMiLlOiEmX3Fv^-zx$l(}rSLrwZrU;uGUn@vx~esbZOg%Te-X!FjXo zzRs*R%O=Y9HFBJlmu!_J0ebaKr;wMpfp*l9$XN{kvCX&0*wn$dF6- zDXahNTZN33k-8<2MQ6bONKLmRMf8G_gu{g`oK%%8&*C!N(k3w;|Ayv+AN!SzfZdb+ z-|?DDh#XPcoA?PaRR!`zyA=nmIitPJ+3x_p{~T1N{yx;lxF>i9xF!7H-4%pP5h*ce z&I0f40O9p0n=eh?w_d+iqHEME_IyUjy0<_2dg20u41g@4x1~;gXC3cQ+!>23+-ZKt z`*%c^*ndq1-DmSUoNGXctB`1gQajz(`e+87T_esCPdd-(n zpkSA~$AV`j9q8FP{86J;xBbMFSD=0IHJ0M!a-rKXC=qlsUR6B3qdZU0`Jz7zI$P%? 
z1RgTx=omdNxLp`EzwN9<6RZOFGIOYHyvNpIu3bd!@^P>A@1~p;{j7-{r-wW30DaZ9 zxl9_|%$`%iFx9=2#hjpje0y88bBP@Prjy-sA5&Sc+@CiYn+rZx1!C2!cRpV1Pi&iG z0pEOgYfrvy03U}`o?eU{9(xEIPjc@6t#PtFzg$3EfB(w=x{+LI#_R*Qwe7q*TK5j5 z_JCXe0}WT=+P^F0dko4%+I3E%yc^t(-Q6u!o2GJ|TRlZZo6$D_$s<9h4f0TCK>8Hm zU)N69NE@G1v@6MFX9E33dfVPxv=s~jFE90*Wo?9Qy=%;O(7)JHe$axo@+A6*t!rKT zg_B@z=NchgA3tGLj;Y^mO^^Lkb?@?@jbBjH9Ra#>HMt&Z&GtFY?`w?P-50R2K$Cm8 z>kaP}&e)f;LX935xWXEbepqKa!yT^IoMJ$V4fFes>%m+pefLh#!J`{bwLyT{F3H4H(pR1gH~hr#R8jx@u*Dv5RNR1V-e zSp0B^B6b=avvcqKd~seawe`rLXXjB0hY$qA4X z^!rK>o$uWOmA(S+31JQ`p)fA#xPbU{WuPX^LBOO9V$>*!7^IXkZEH5quS^qRI5eX` zBHj|UFcp$y#5A1Mp$lCBov>gr-1Ec6q~mdFbup}o=zD#7^*!c-lZe+Jv(*Qx>vgv5 zf!+P1N|)PV7yAR+yoq$^KBCuJYO;Zm_{3C-&XTp7c|YjY2oo1lfBmyOU?yUf=QSp3 zKeSkc{Xt#8_QTaUK~=A4=a5ykScn#nm!-?iYqxL7O*&odHGd5!r2;we;5#HyQxrq& z!>^;N3PGd$527E)tkvp;JrcOufs<|eCQBwIc!;ZR+tMlMHSw_!9D0(@$-!XAuzXsq zfeMpR%+oPcy_dmGy_iwW9O&h`W~W{uH1x#}S#t_R3h}1GEgAN17eHa!nKeXzkv~uD z7XYm4pRF6gT81hL{dBuYztmlrVu{^CFPGL_Ix&!x@duZ55n@rfW=76jN>qX?BG&17 z{Igq`8KtP#Y6`u|G_f#j632Fz>Xxzl60P*<_TPf95+G1!l;xx78Vx(iS7*Nk1XAH2 zfgy-U%grjknxv#*(HTpR3x&X2q1HjkKaJ`dL?o<*@05!3heEB<495+$sE%XdYn$)> z_@=hu=f=g*!k!@USW?pvoimZDNk=3;Vtz#wZ|1v2X){=|uB9Rd!5bbaH9gK%Sj438 z&8#dmnav`BVaq1Sl9jQgPCsO9-Yp?88zW2hm|V{sYRPoXs~h)c$B(Q$iV!>D1=RE; zghO^!QbYDFN*r|&7268Nl7^3!+guwr{Rn(_5cLqpkF^w@#_gAO5Ydj{m#BGS3iOye z4}JwYs9?6-%ho4@Frm;WYVi0jDxHSS3TF-`}Sk@`P5pF3W~nt#0NAR}x$K zp@VMYmTIqPo*5DXGErv3WFQ|&hf9SS`S04)1=_D*`r{xOZT#;Zy$i0Jx&=t&URx4> zHB`7bd$DAk&-5`nFJ*D)>y8-_LsZ@e%s634qLmJUI|Vk4%)lpJ;J~ zI9^$~THyEZ=m3B9r6O5yg*W#VJB3Y7Fq&-+$TAER*=3{g-@%gAopjR~YBR+UX&VyO zqXk=wQ#l?ECx*kQtai#00~(Q93%RwD6?JZ@HutL~TE#&a3*qkl-br<0`0*rgjsks21FQkb&Bj;k%xjZam+^Wz z8Cq=sM`B`NP$&{I2?P4a4kvveF@H!vlwJBwq+xef32=@I29mr}jhrV0S|4?_gY+4t zkZCrO+s3H%OlaEaXrJuhFhO%VwE`>?y-Z|&h&KotT9$it&%duaze_~EEZ`bG-%S=D z4y(*jlrbY%+e=LSbe2_*948)MqpJ0nSIMUNaHLt6#s7}aRH)$nLHBvUZu(=dJxR~0 zAf;}Sz}0_XHc1Ahd@*$$6#9Y*k_Nng-V;`?QU83!c@*?+jBeMsdTdFNvlq!`xyXlW 
zi)QH9yB-X(<|ukoz7}-&oXGsN>(be4A%7AupFmg}x@oMbV(?vZYz3a0IizkFtPf1- zPYSdxBUT^CGH$ts+>H*svg+&KzBwK&b8q5(t`=vmkJDb(i?!B|%KU{malY8ZnAB$k z_35qT-oCJ0)3-=7=&gN7oUCP5@*mb&uU)O^y?(%8^c-wW)Qj)z?3X@s=ITF>87sIO z04VkM}9gQ3X1B|^XZemE6b_+nO#EsEy#jb}kHd*^rO zjjNvAoAr5(j{uVy`0kguXbsOikN(rVE1BX_^|sF^4C};=Y?t8rS?s+*Rl5p&-?x1G zEAKUh5r)To@RylsYiPz9?dz#Y#qF(?i7ZejjGzo*`Bcx%*NThb{bZfHnQmZylA5!5 zkf+vd8s(~}V*)B}>2%-7v}5S?`updF_s*%dTA0uIz2oGv})1KRG@NWo>*3?{~TX$_VPF`Pgs4DEMBs7NFR8wfDq7({76Qx(pvE!Cf;Yh@b={WR1k~t!ol+Gg!U42Kqm#_ zR2FR#=`h|SW-;-sSc0C-&N?p8if^7!^)YjVu&Y}78G{%R^GA?M---%A{MVe0dormpBt*^NCUe- zODOwNh#A74RdD#8`w`R?P{<#Nc2sdUyH!{%Ilufa`uW3V6A#4^MfF#y;yF~{q^eEl z93A?wbkNF{6475$nfe8PA?*e_#}bN%4K)ddd3->XIWilb_gWtRBF$34{37L7lg%#{ zR14PyDOGDHvXLt#`AYJDKYYG_Bf^w^EJ>hNTgnwT+=d)sS(rt$ zAIMxEFH)V#{2L4LFru*Uq0LfUoDKFDIqBpgX|tZy5~=$0@XryAw!2h%D9+uN3a-eBdt%H}Ge3$ZySFW>3qNvU(Y*gp3fjIh`$!BqKI+F)eX0* z^MC*NXV^k79|(qrV#BY+`J%2%<7yO>_KBAVxxhbxRaC%WZ6YC0N$WKx;cPOvaA~np zC@kBz;5t66TF5tU*rrNS;)|G|BX6OE4#b{bwyFLP1( z`}TtD!iuI+JxBmC+KqBW316xnB9qud*M23<&(ZO72#bv6;fIIFWz3t10o0f>t0Bh1 z2eKhlox=X3aQX4!H}^mesoG8J1OEI9(GF-1`H>qc(y9iBetGv>u`!m@zu(MN%FLyj zgJZ(*Q4`oEq)Q3}b~{VVM;%gv4VgF@#G_j_qvV2MB^;GYhTQ%>)1vIq6-td+Xd_h2 zUMX8HTE3v-BW=LbJ!%$ld2zTyfmeAt_Ir3n51|t--{E>02utX&N zPR$OhB-^ykB6ip)6pr&fnpiFRyoeyUT;FlA%sXGn**wd9*wgI)j{ODyS+QP2x!7)f8OBY{;p2E8GvMA|jP(;^Y*-T2sc{CK_B#u- zy(_;?rD|m0Up1+Nrb1v^*`D~X8+KPt-?l3%`8|}ae8Aqm?&Cg#<(W)^??LPtaPdza zfKEe4zkjY5xgMV^k%WN13ZeF0GxsmbGr97;Aenv3B#Ogk^}|>G9PdWskQMxvg+I<9 zm-BW`hQ>#o=t0lUDs~Ml{>D4(PTd|?qiA3mDWkUA$zn%u+7kcSWHv3})1;l=joV*p ztF!v)G-H(1T=z(@8>LB9yyt8YW~J*hhjyFu*rrj@$m!rq!Fg?4&~0o3`Oj-dQFDKU zQ?GmMuJ^9y+^2-^BH-d9@~(>M8bC|m^0RHQCo;b>=H!$2Y3+9qFm0vwjfz>{q7bvi z?>OAy`5^UmK;cAo&M%slk`EO27p!=8O8n@_D;DhR>D4Md`cn#U2~gPhi1G@C4tG&1l!|n zuXAguHEvTmhUdp{7}{4y#(&s49&_GIPkL?#X=@39!$G~h9@W6@E|=<51KyK6Z$IBx z@2AAc_P&NMW7gRm(sfCwV9&)qP%uH~2tm=)bq<}dJ)4Jn_3H><#=4;=Vq({6Rh`@2 z{m84#AE(h~KjEv$eA=C=>kYi(Xghz26gX@(uznLT4MN(xTD`!SV)VVQxZXfwY<#_* z*2moJZmfOo__9zDfO5YAuX;c3$kB2;T 
z84gu2E0?eE>U6&YzW#k%OCHP>6ahOSpUDuBA=px+;>WdtLr-XzAWu%>m8A+5l~R}t z1&`u!z$d-~-jHwpHtjnhCq?O)r@>4UT<&(!rV0fO0cn2OaN;l-l&%c(`g5J9#1xk#)!g( zg@!8)GUbvm5BcI-_+?wkJTeXalWCJ+`(NF?$7U3 z>RC?+oS}i`Srxr0IoTtpVOAfcQVXd+nv-}e^tL|}G@;_wE!)%}RC<=_LzYmr6p+3; z=q)@niRl|jqT&lAwZXT*#)?qIn*Yrn7*0?mBsFfWa*L)1VIz7SR@k zCexLpOUJDM9Y@^1$hRl#eyH+xeie0KL ze>{@t(@~Ylx9X%LTqMz5bE=w5Rf~!2vEQ;jRZoF%XNE}rEuA{-H;qG{4D8{D4J5P= zpO_&p`(>mQHZ_R^hNCx?U_%?;rN>qSC$<`eae=j#j0A3?5cB0YbM&y<;MuV(P)ej? zaHR}rD7f_=3M_rlF0kR}&3$<5wUeJqIqodsx>ml&*HzJ-m7O|y3SyATi1zH-=2XUE z7a{!y|KU?!~kEnchoJX<%ap(ppmu~VFh1;1hRe)T!a$n~P1xGzeD zU}<6ly77c7fIb;fJyWokDyo%prXMEqzs;k81&>MC41R;B;U>>z0vos1;OD9c(KPc?J;k7=>~(4QeExO^GUlE7W` zgoSa(e!~RU@G|s^AfsZPnbZ-|c;-UK9VlsCISH~6$~SC`U$Zs-LX&Mf`4Nz|h+{IP z+v72)C>n$au%dbgL6)?n;kPwU>VxsHyG%<(@Pt7*JrkUUR;*#cVWX^pd{2WXVzYNJmY1|P?k z?)#nepSNg)$*tTjUFSKkf}36a!V?Bg*R+BkH~G$&gqI$xRmLN){!4Bz3wf%FDZ8m-hu%ipB0r>NJcu>z6Z-I{GQj-kLaC`)5N@lsnoXJ zS2AnaNS<%OQ?VYTt~(5=cs|FT1F~-b-y_vrJ^!~{Zh-gQ#}0j~YxSoMrQci3(K7%% zH1KrWw2A3-|HySp1; z-k$mCSA9EbXMS$J>9a(#B2e#qyX}3wnbN&`?7ltuI_&IxORv9W0nDXotkE&$yd1yJ z3v%-ShO5;c#Lzr>mm<~Z+yOlmH0#uUNZ2aI6bqIHqg8Zlfg`{U$4NFV!`n zy{F!RG%%o-(dQ?gyZQS7%q&8?&b|1rrttauEBC}_;9J1IoYEPAr~gCLHAPnvcFQ=K z*tTu!B$JugwrywPnPg(yn%K5&+qUgmsk|TfKhmZ`eNZXk$CWf3stEoZ0l?Li0nww)x52TTpp1x_f`E zew>ET1FU(;rrl@p7Ni9PB|n3DyH5ZdpW9t&FZ7Q969HxA?Pj3E#*f_k9ar*@iT!jI zEl?oDNB1Sj-1qv--xfVx7&Dv@U^NWQn>aUF@@BXEpa=pJQFVVWE01-^#sE{GnedsO5lt9(Q@XWhs>KVnp0_nM9J`1OkonN|0naQ}d`{<{eI% zdYZ-5#uX$~S1buUI~`ajW@L8xj|O9@sV!MDY|>&?SxWN|kl|KT+LD~*h+k)W7)0Di zW+cohxFkpNws#~F@i~G-X+=Lt<>7zi^|8Cn;hNzU7VbDUDOWeB7~;?=OpBV%$YH@2 zz(qQX3)3I9TNx=k!v;+DS_&~Y|MMEHHt%x^o0PUksZ%oc;$ue=$3B(K2yD#5OUVWH zTtb)?;KBYBmc!itKBf|4UJsx%?^^Q181=LX5k1UNu3*`D9P?4W097^iE1dfuIf!g8 zzU4r-Z+!Is#x4Nq^eUZ((@-leLhEYIxRKPBIuje6Y?NpaVU>wn%mfcjYU@-WKGv*D zOa4i)ESCe|#M}?6Gh@v}FYQbG+<>qYUpPm%E^LFp{@Y}Ij#azQ#!20bmw3TY8;z@5 zt$JzM$c9F09HlODeE`5*qz_W@f!RIHD=LN845q=A)jfAz&%u%8(s~6&4`&F;arJ_C}O&SxbJ}YpXh;SCTc+ykeQD(v2g<*3G1f 
zgsCpMGW{b!RApLD;4e*AR2m_T9D-4lSBZ@s4McwS{6tZ>d9d_*1bj|^y|l((8UCLr za@ZA81eC|CipJSD6WxOZq$_Tmr0eq1)|{74TuLnCoPmg&O48K~9X#J_+%<#Yv&;dT zhpWm>JAt{`1Mk_@uyw&rU}F*--<{tCM(C3{56UnnqOB0(@}$T(oulpka%+-Mi#E-1 z$fjct#;F8e7>iX?gffc#1bfhPAYBhvqvLwdTZ0;|_$hzy(<$jXq)#77KpP(`ST_^I zRTGKQ|7|cfttf=sMZb&38q8B>%oLNOTUz6k{TRQRFkdEmyxt5}f1s=wCfKYNiMx)_@U@i_{%+YkzYeiy@Ey1!|y!h$a4; z{2K~;J@8p>0O#}gk!oPu_Zm_JgRI3ZQBudiQ8YxzzfJP zwY;QHsKBxiJK)=OEKA7Pww_-wG+i^b276v_tinzSo7^up4^MgfRs)aLs~hh($BxRA z?D+xpefcO^ZqHA{EM6>~^@-b-om@D2*J_3Bj|4Q`qQXw|T47k}1RGBqUCl8Dv(cMg zS(n0IADB)oFB|#M-t>Xx@0;zjG4jHDi))78g% z-hZ=%>DaZuO~!Q5GJT9uPhbsc6<^g2-qz!Q3Yxz5w|~_~Po?YmC1b{Ka4NtrtIr${l zg13rRNz2&szK-FJdrAHqH)Dk;f)^9Fwx)}G022LEqge|tH%S8A`hWGzLI43Q_HH|!Y1=+^=SBal1O@BcBlxjwyG#HI}j3rbmenngV8_|z2kL8#0m=^8~etuW| z-qh{GD+4b`3|N^X&{SxIhaqME_LCXw zJ+N*cxi31g=S-PfD>A`Sn*q(R6_DE-Crrp&36XcK)wDz4*PVqK^gFxYUZ2$${%Cmv z6k=A`k}@BWl({nAz|Sf+eySh2LZN-FlXPwF*tiViVb#ubWSJnPNjkaX+$!$6doi5R z9&FNORC)?yui1!;COP_1!yoRRtSY$y->Qq4l;u%sF$<(gg_)aYjaxa<$HPP^Doyqr zHEkgt7eWs`=~me+Gw+l*RB$oXTFa4)GjG~G6CnEeVcMW8Qr-B41g)F3X(LRT$eB!C z)JPy)m&xEaAw>D0@uA8w1Bc*op1P-ifK~;Y-$1^>?_xZFY%QG+;rHnPU3=gz0AUUk zRo>3HPJ^0H2G*)PTnW?poheB&gzH!C{Ns1J)uJ%Jy0hUlDIFiwa$aZm9;4xn`HFq^1?#03frAA`>v^Q?`_-VtC$y< zOhsW%3k8{WMR!vOhS@y{>OvmtSVk6t!Y&P(4Y$xrwH~HD{X(tlN;!K*Nu**X1+TNID&* z!#er6go!$&8I#NWifK_L{M8W^Q)_77PAbW=QxZr4zL2@+;6HS*AgsgtCFv3?wYk>u zUxJATFhBF)qqrXGKtvD?z;g@PKG0ZkczBFR`wovG59B>qYzO?M^c*%Xp# zYaUD97sala2i})8)smDH@_KrKP9j?nCJq?{EXj|->s%wmr^en5#qaN2AyKre-3^-Q zAx4J5&mpX9V)sSHo1o97Xg%bK)842q$plk8K*XLjoc(_Qo&28R{K$I9`R|rE0A$;? 
zAskcvMs!2s<3)|i`X}J44DVe31EG>8!qlqrKQ4YAH_L2vz8ASv4;frLI4uTk2{a3; z>9lzQye7O*vb(p2rU|)m*KHhHZb+88%9Wn=r!GBrJg>Z7Ii6l_ zYyG|6jxd^E=PSf~j`m{aJ;amRTP%2Vpasvt`|}G(e-RM zDe{xFi?0au9D9KZnKBn{=GR?3C_2E@`{zW5cBj(MERz(_eum6qQ>RM`3309dessUa z`ccJuQ#+`rJd4SEGyDc&2N1TQ^*WAx@+$701ux^&T z@vwF@>kW8V8KY@(?`pcr61K?V!QTD|U7Ud}Je)}oZYl7Z#d2V79VfcHeBO9n$&dM* zq*4eFsB+n$83&z2XHDxkPjNhO%lLFW#yPMwP1@W(vY5m$zl!YNNMIAq>TH%?z6>Nx zHx5sOtoFAB#nHRd8V7^l-yRuI1U*WJYPMH)1_c~CZ0aed8THye+foX+_0Edqp7e}b zZ`pB1zFkL;13I2hn->FTkx(|SPD7GAJ#%oHyDyUaPz((03mFP?zF5EW^XsaQC3Tw= z?C#6e`zx)70k8r%;FruCx_#$ZUn%4?eo;d=Da7cp1lkeA7-Dw9Pd zdj)}gIt%7nU>u~AW%I8ug@?IcRa zxu_gQG3WZHA1@S^z>^V&46C#xUMsZ&YX@8^?ow5W3EKs26x`@I%thbh2k*8*O!+4i zTPY<$!F7H~TD3|lZ|TP12iUj5uDyo?@uVw9=QbLT+8mHQ#-YMU(getG35ljWRS;p#EHD@?BgEzvot}h@1wRY_nH@eDmjcqJaIAZK9}_ zkK*FIs}?4LZnMF@OXM;Zbx}&H>03iA7)BHt6WE2~U3WGJ^GD${QvL*trF|pxfp1k7vafpd}ijI@N3FI(8!-ADKLPsT`60@rg3EYOc6YOFL;~WbU zY&966+2Su(PHqFe@}>z4(T&(eM}GY14_sqoFEaJt3zv?7a8^cL5||V&PTf&d#}Zmp zzBT4Zh-k14NlX`x#|`;=#z7fj_QCi^N?rAo-zn5ohbt%Lw-gRx5@YqWG3%)tR>$A~ zlEHb%C!rpznsWdOzS%HCi+*h^f$Nzua|Euqr{n|Y$oOj~JgYsba+L!%MR5+t;s|NK z;Rg51TuG=l9VS9q(!W$RbTneEHa#nxKzY8Ykfm<05)6^NY$wssPa3A>7;2lQNNSRZUqam>xxyDAf zRzwi+?9=6_`Un(l6N$|UORys!DoWgw3Y2S+7Hya7Dn%hBpsKK(p{3we^=r7 zE`1j*;H6OGJfL=6+pSOJBv(D#clA6*QBt7fUFFg=AnHkMhHl#sW{_kYQG3 zdD>)CB3hkP)}S+knxESV$BA>4ub_U5#K!&ArBb9CFHqEalkK|peW1;Hh}|qRb$S{MfL3a5$(4HnP13F z>(oN-UwV4>^wY5hDA4B$ASefO|470O{3267o**HBS@*nRl+~1%MI3UO@{vm+7zzp+ zI-(aN(7f*2a5>VW5cC90L<;Z? 
z>p6Qw*I5q5OO_l~Syi$Xk$V1&`IOF24ByNo+_W4~#=mMeN4iU~4XrClN(*lNlw3RH zFp-~};pzm71Lw4U#;W4&@$Cs7kxic?MJ9~1t?rG?HEL8z6j7s^%krU-m#(zt$czoQ zKE#ctMGU@N`yoAGBB&g%HVYOHVZ4ibgr#WSM;blQ`l>xCuMQJ+%Sx|c8t0fE<$hA= zI%ct;Z;^WLn$TdVArp`_Mb9sy3>jyf?x)6#A_f=cog_Uhagm&T#c3(X#(Gzvg-_Fv z$=NT+F~RYFaNo^A${FQD^9h@w1$w96ivZT2CVO0fF5jm)LtXJH6%S-yQ0}IIkb&Fa zpg(b{^g-yTfBfA*tKM11$zJrlcEy#~z<#nAUEoY%dCtp^{nEb52q9$dwwfEVr}bkJ zKI1*NXa-52e4fI7iJZwb}#R z>xRP|#1++^?nk?u0@Fu+;o;>u5gnaCm-mnC4rDx8ebD)?Mpw&YFrfWpsgn5xykiyo z(`-reBw-kb|8Nn@gRTEdS-h`!@4TRD-oUGF*d=k_1f6D7uX|j*7boGo(z(3&UT)5@ zd>;JM0jxg7E~5CpH*{vd%NRFfT>Cg}F7g<%_=o$ztlmc1UDqTFotJr&ba>38Gy^YH z#_ewcwY;6Zj&tYT1?;Vy0GnD z7D(xAzs>6IFnaxL2I97Y767)5TiYmGJ1nJoppM-w6t7{TUBZ?N^k<^S0kUqN^O-^e z)T(PTor)KFwvK}=z7Xd3ub9q_nl&LA7XN#s;Y!b^jQw@@u*%1nJpq94?dwvk)?wPd z!PnsC+ko8mmR&vrahFxCfzQpy9}-Q&W12-d|7W#fki{!VUdrnk%% zMq0v(Q;nw=oN5dHmW)GmmQ!P>REcc-Eirzm!8T@xun>SJ3s)nI*Z~Kf0G&ur^a5@D=WGT|lWdC4yTp#n23T z%R4xf)gu$?Cpwn_OFbZh=UG-NGZS1~ngpDP(s<3N3Sw zZd{CWqH(h=e(0F0dexgOyQ>({+$FXtYF>1iB=0iLJrn3`|}! 
zjIRFqH%{e+-<;FOU!~U(oA1wEFw-w8HCA{ZXG2<9wJ0HZ$?__LM8znA1tLs2R-{@x z4da42{1Ve9c(we~G{^<0?`P|u$V??gm~M9%#PfU%Q7Ds5F_#4AwI z3sK8{W>JSUd(&kt3ihBC5HI(_KvyJUcx~DWVU$*Ssg%Qnr_$4_lgGjTH6mc-?o6lf z{4P}BmK4u!YGav-P61}miGEvG!Dd@*yDau?`my4Jax?ePb@U3RN(Bv;k8Y|6o-&kU z^qcbedMKVYs#u0eB|T&;al3k*w!2+5F&4ijba{U~MAU*bl^!&QmdOlee>gn;t37S} zJR5bQogF)P`v)y;!W-PpcvkIJk8W$6samFOpI)Hkz!Yd7=m6O?hV0C79tzq8Y#h8F z1HLkvUPHbNId=d)NGh~>!{wgXJ52mGH<8NIqZqMFoa|cB?oMAL$G-9oYQji5Nd~^+|ejO<={U(RVvl^H&X9tYhO_k*_oS%8%1y;XUbo z?aVrtVlR>NizdEY&Bz>Lsh^(x4x(1UVoaGRpe{IG4b9}1qm`v$m0Mt~JB7+(966R= zisc!^9>gS#F!iCoC~ZUpTp*hnvRi6s6D#HC5)PrHNiOMR)Bd(!G0|It6|%Mc#s;Tj zC!~&uJb^m%ttk<85pP0emj_YsPs%0~ImGA;S&c4|YP>}m)@t!YtWK>$th#);gb{pfz zAF3MBHnJXhB&d01!BL}V0cDjo{lfD`_>9TmPf885n~@1J%rrs>aew|bcHD)ApA-n( zH1o~qlMvg3i6Tbjo)Ke;lctynGtO-^fC$BA?94eL6XM@3h`;EPCy1RN**8uu7(2m#-qBvV>zC6xj$bNnCF`EHw%%{w zyAtLGxP|gYlBxee#{J5+2(hf5r_;&%9km$@l`>?lNa4CI18H6uUw;ez-tbdg5uS8pZ_ksq(9Hp7!^rxU2`}1FPJ|n!nPcB8$kN$acRrzE-+lP(GM$ zNL;;eOjv{a7ryB0Plr^OLp`1B+Zh2F7A4=OC>;%Z&c_}- z^J9gr+wTD7ofx!JdkIrw*O__f=;wR2Pn6upj!UVr|TBCfgaU)S?p z7X`2<@O0huUlbl+l^}0#S-z(vYl0qfQfj1{rMM^0&I~v)6+^K3%rgohJ{+p6}lYJI{tRj+WboSwnwwC zy{AR6aBW?IUZYX2G8z~EX-sK7tO7NSlC>Saa3?2BeTOJBNI&($ePu`IdR8)OxT zaaT~CCH8^+j1X`CCcYP$z55=`lMDL^)gKdeVTqU_>3KqhNx$!Y&Rcqf&i2zh1DpW$ zqXtm%yNn6KQB0{`(lgdfYa2QvjPR;34Wc9+X7ju$u6BC4#8Fox-&SlCt32!=m$ih8 z7QjZ_gx`pU1Z9$i;M||5fDm}vn4GaM+RD&as{cbo3&Jg&FV7O&C0wm1E8Zm1&10cF zpkyP`1vNRw2h447YWY4VF%`F^=$cQw!sFfCLeZTj?$YVkx+rS3gnIcy15TVe6XvG$@r4Z^Gw@>k#JG-( zxIa3xC*Uu^zK+*>q`2Unr)5d_EB%!EOXqMF&$DPJh*9nwancK#`KN`t2$S;0B^zY? 
zh!`;ooP$L}6@(mgjhJR&?bfdIf9NGo8?J2f%$DkR|8|Pf5 z3ca$Jg@z>E_~}MXRb*Y`oGJ3bC-X?6#@RXS=c4Uo>!xZ7aGh&cmZ+oj-D0hdZ@Gtx zU;^fm(qGXkjLo1fV}jL(L=VmIElDl`UK@IrSuFXk!b+eleL&jrx7i3%>Ce>Ksi19QyPFjyF z#U@?E-tl*6didgz#N;z;a*ghNr3-$RkXxFC&>Vs;KO8^@0Fc1zHh!h?j8exx(h;pc zq@)v}oI&0^vo`w<{|L+_#BdA_k7&|i*4V4P3eo?EJQT0-u!F8{b^a-Z zaxd|VCI(z;l$_2ycW@%WleUMNsLbY;{=lPH4+o-MxG)KF#OkC9D@d)?z%8^+2RQ>n zDfzu-8oco;beikz(KsSi^Xh@fmu4FguUCyu4C9-2pQHloOkI{kv@W#;?MQCwPoW`q z%|fHm0kD%1r$1~AwrwHQJu_pLX!=*G)Y{+&5%bSbNq&v1C8g@&*lRPtSfd#Rlf}`H zcov`K`f<}mzJ3fghJ{6S`ZA0)+yP6y!`3q9{&WgVeCHuTL^RqAi(8+{1-qovJanwM ztCgk<5VUC++1H%}-+6%f+h+m)`Kf9iu?DgHRi+gf7$4~`WWB6ZykR^wU7So^Du_843Va!3`u_9VG|1eEIrm7u{LzjKK!rRCsj)G3|8C#!TzK z9`tj(6B8Wf2>2fR7P|Sz2m|liul-KKX0kk{5MDj^WsXVs-wXQnTdr%@HU?|@=%#hu z$MW8ymJJ@(l-u2_H<7$g&nEp|C?C(1x4*163x)X~TQbx+!%;pi<57q|^Z8bv0?K0m zC;8=9J|AV<-5xt31RJe`VmP)c`czH>XT!Jcgzvih{U{8_-3{++{yGQXH-u}UIDP)e zx^IKRcl%=gZa|gw4&TG%V&~3Fg-r<^EWXbtfW>a{R|=+l_T$T|_q3?K*Ip6FcIelJ z)FV!HpvrLfW9@7Id-cn`Qv~>PMdvItiqNa&%cnU=(aZY> z1;6*Zob8qKW`WPkB&wyA*FKVt1Pn*a-yg6^*3 zmkVnW0k=Sr?|jad*R}V~tH&|NdUcRs%L4<-l+dR}HTQ*?JP%5X%OsDk-^&gI?9>tr zVD)DDJX_Gg=jihI)6o6t6w4?76wKQP0z1k$;cfx>HkFt?#Y%+LlC5AQ{p5uJ#V1*#|YVfYxO{a~z6% zu|T!xdO4t}!LRTf3CXK!M9|sT?$#OV*l_d7hv>RzkT_KpiCj>~)6&NjlNFoU> z6D19IaNpL)=@7NsRw)IcHm>B5!n2wedpx#8m6^~8Idf2~FvbqbmVejY&)l1{OffA} z3WVdef{2o#^W8B?U612noa(n?+lC7Dnn?3ulS2MRYmBIO;+Vv!1baUE9gszbK$q#h zQ&Y8UCV=`7KX+%NHE6z^>J}kbvKw64wC?`va5zXI=E>?Y4j}Ox2u)X_Za4GDEMgbycm7)v- zsS5@18l~ST{?_$2#|!r)>Y)XrqwCfZ{u<4i6=Zx6SWwkvt>5UMD^`*zpKL)tHhS^DC5|Bt&>UDtyk5RDQ8Dv z+>XjP!PGhv9(Zrb2zOV$14c1wKttRrT{*5R?XBjs5b(qgn||2J2sle@?zro z(Z%RDeTRysR?&gWC&icb@QH2_RcHBq+zp{NzSLQH1QM|ryKVIc&CK@(Vv*BtVu8lK zm<+!Ro_F-cvKtoIBe988QfV(w1>j@M$XWB!+%p!e7r zDU=zLzm=w!K9?+L66G0+Tf1>&MGqIcP?WEZ94Wi;E=qj+owO)&j*h`|Zt1u{Aq^Rf z37?q*$DgJYjy+*LiF%(a9b=Jd5$tLHe*oOJWfe!;76*~#rG0ig{QD}dep_$ng=zW6c}!_E%2%$B<3t|`#(WxsTHE_*j-$_`29+cl9*2qT zj^59`#4iKqo$#3KRjbPclFhS0-(`K%^YU%E&6Y94xOop??`0u}LD$YP4Gr?<(Jj)n 
z0Iq{@>!j}a!KV8L*6~!UOR)-b*ToG}aL8952>g^g`ZySi>AS2&lHS#t`Qhz;yw(`g zl>xA-O?XDtX!$a~5WIygCh8t!(>ZX!JYZ_BzNq7EEz`?!o1h3(8)7Jz(R+5v)ZI^{ z*;-{%$?66i zlbE5WxBB>cTgP566_&J6ynKOZ4@q@(TPWN|(JT}i-KD317ME$0=QWINV|OOd#%c9G z8s@(sTV>%0B|qlx$=3yeILksNt__f%fr&M>q#8^}Q%m zYd?0d&rJ?@`Vr7!Lz0%LahyC9nnj7agv!KKYwST_9wBC+W71?-p-?pG-MRLcs)-|^ zh?~-vzqQuty5o1sD}a#>k6^JfhQZm_(nmwdIY|l%NGnrK{bukPcJ=(9hEwKLC)l@24z9<8@r#56x?ij)uijH_v}hbu2*45`qXB834Pu^FIx8Gsa^%U`8z zNuA!sJ(#Y{lB}JjYptpvPAsB>|M~bqqi2Z~0?s*A5RvcxyWO^|+N@OYC%j#=gr#Hj zpNg6JNOUdH6?5=>Yw@!6>s~<{){b5me>};ZyEa&LBF&e9Q(q#E5+;v3zAN z@bt+a6w`|HG&W6$&BBVMRpF_&VH0kDI;g@sf22_P2;rpvO_4pv4WW2d;zm4!GGM_R zZW~`Uq^zyl&+F3rQok+HYfBpEo^Zh@P7keHofi{H)xSKrtFtD5ne$;|bs#ngW>+8d z^;l9p5KsUruKD_-~ zN{z4jyB3(M#avG$J~|$mZ0FL21mB7IdsnTbiZ3&cR_^RI`6|M%l=F=r*pH6zVR17J zoQK2z$GQ*LHUnv;p8m%tjP=pK;P+Qha~16lswMk@t4~V&B4$jVyZlAaA!2Va8{cB7 zY&CN5N#S3qJ!quzI8_A#$9T)L(i(DC(dOI*c#+s|Sw>x}l3}AqW~ zGK&gM?&+t%NQCQo;EpIP3B)Z}ntCzS%oAZYN<)>@M2gg=R1(<2^*&PbK2Z`D=1u;LB5kt!uub1P$w6{(JC3i&D0H!j&;&h3NDsAgkWgp{JiWm`O& zi1&wTi2N-v6@lP;FoVvwrKBJ*jX3+TK$rt4WehhF)Ptf@I$V5_oFo79@d=!_nAcK} zqpk9#yn)8=Q*~%F(L53)*CK;%M@D&g<5brfcjgT865Ej;tRMxN7P4ISD8qok3SFCM zI04Zytu7(j7~@Vew_Ek1buf&;J&e|l_bMgEbh&NE!(FJDqA*6 zCr?|t_gB2Pf|cqNh@_JSEe@=Sj3-Dg*=S^#NiVvR7lIaAdce>UgL}JREdnA~N zU&7}1aB6Kc;QjIk3%j7qI+Ttwr!6KDJ(ovhbdArPXZq&cxf3B<7`kQ*H!$C9Ft62^ zHZ}O@Cv_>nnqQEbNcoqpWxjC^EA2r7y<~B~JV~`p*9bAcu_mQwu!NGqpcr!<@pK|~ z>i+>mfiy&Wr*jJ6$N>Sx*DSs!sa!m??sRqlywJ0p(z^yj{v!_gpjh4@(v^qyFLzFf zja5*IqON>0TA0>c0RkOR6LLE9#_3B z0|+@nd94fU4ZdMJ^{Q33KjjK21T;pSF?1?$I(*E=>ln24btFt>|B|Qz?n@}{6ijlD zO`L7KbDrob<2Xf!VYZ?ldW zWsqVtFnEv+1dZ#PJv!a9sFt-q9wg!~irQKJf-c$+J$J6L351(Ys&u-Xd(gUReOp%d zi?^eJyQ|^;PkHwMFZ=S|&259Lg`CaK$w2Q-w+k7aSpdI#L_$uxLvy(X-)%tmmE(DQ z%9Z1IXV&xiu))n-(!HNMCgA$!kf-zgb}@I~-dC{g;a>*8ht&6&J?XQF&&t4y$8gK( zL0+Ltv*k9o|KFj;MfSWQN-6XE4shCz-p#*$@cQ^;uLz+j(ckyxtxeoO0^3pVao@B*#7Q>u_XM+C)&Urisc&UKm zk?iG|zgGSp;?KK7YWT`p zzizE=mH#;KTHkwrR)=wa0>zufxaf4j{%Ec4xN946BYq1Y@^L<{-i;AijWf7 
zRS@L~Us`XD&Q}=J3E(DR4NyjA5?(t4RMEo)u?c93+mDHVCn#VyjI987{l^X^aq8^B zj$a_do6+ZM6)r7-<5CBa{Y+Klf*0eeGCJ=~>hBZTG5 zq9J>l!LmpsoaOTjC+2#bH_G`V~aoy+Y26UX6t8imdtg$y&n>B&*dz(yz5lm~_z1%JOLOSRi?ziAn~vZfur7 zXdSsm^4EGHS8Tx%C^R>w8~>CVWgcP1L z4Na+*ED}^{Vl=f?&oL3qhomq=2@M+i_*IgrU*+rUN(;rQE8OA>-K|cF-wGB9Eo$S{ zF@F2;kYI2}V>USUqEYUg;}7JkfmY5$UZxi&xg z{r^K6r&7ww(AIrpL6S5BWTbO8i1y09A|fSa^{^;jqG=UL2c{3~Ub+5~cjX}0uyN&0 zkRSf_Z=KG2v&F&{ixVOkZ_VM(G=ZRzjy~)sH%k9Tjn2|akDE!KLSZX&Z?u3`GJW&+ z#?Z)nuEOxO8nMS*^9qQSnoTBpHr^+y%Cf(NbUfP9IO7a(fAOgDkLWd5k!YBi)h3B& z8Dj1=GaQ!hKT0gMi4(y&Q=$=2(a~0w$p@pP#nYkR!}4Ybh7a*qD`m{0?!|rc#P<@y zQQOoJh{(9QxB6s=m5|YTe($+QQO2K!b3QblJ`ZB{) zjgRoKSf!1ma9)#3k-Ad!PmeaGk_jTy5{LSqhjQZ}^pK8tWTrph)(K7Q%zb7Y?!JDO$mW`3zCt9Y4SWGDTIsZB6;J~Zi9JD_+;yr zGUw={-^*F{Rkv84(ntOHuGbPIMQfLE2~5bA>D|4)QRQ$q(&iF+BS!jQG^=D+bIZv$ zzBS6ulK#?A>P%%xN~cI?+4J4_M};%1)sQXK>P6MJ^Oq}}v)i`V>bI1}I~HZSNVqA^ z8FKQT|eMH#YDd*Q4Ykera>9ESf3AQW!g{1S&k5GlvI|Mrjf z3ed+X&{OC0_!CybGL_QFS@bp2{~WOJCD*=v$+d)HWU0Yc@b70pmr0*Cw-#eh08JA7#7K)@rHS`BjcM%h%7I4k3LIbQj{CzC8Hu@avdP!@-XX zZ!IRPrhn2UXZ2j|u<>dG*U3Mwe=w`2-S&x{D|Y-Ntk4 zpkWN1%3=qssu~~$%SPyiV;@&fRN%Zpj{nrVx2~|3UHxkJ+H3Ytm1n<(!#tg8dp&gk z@DBkuVv|%y!=_V;kXNMde#mZ`M`!xh@cR1^3A5k)b0Uu4nZeB!ay{s7h-<)cnPj>P z$msZaxxPQH{>%M1W;g#l3w9bp;=)LYnGuVF80&RrSy;a{N#z^~r+11SPYfxJdU3cZ9 zNmM;<*k=$r%a_r7TnvXj;h)>JdoHXU9sUI1Zns|s0fby{pMt0GVnlg9&Y~>*-EUZM zHc$LZ#nrASf_<>Z&0MiGkbcOURkH+J1q%+LzlNujx6;UulMyX`=Ld2hWMJ}X zzsaA31Ld|L0ThcRlss02?`o710|S<%{JO_bW$@NVk5DoE+ zr%!+V%0f>a6OU}P;itK}mO`d_p}j-wFOx7cA$Es9$_U;Yj^8 z3|f#Rh2dbf&x6jU)`;0tD4zj`PG;@GpZ+kIIjE9VQpVyuDHvW0GYR7AgR^wJz1RuX zd2^-fsN66&k%1xkvDr{=LDJA+1@^E>aVGI{|3V_^tpeTcBor_p7wuN}QpXG1MAgSI zZ3YVR#G;622JcBVPk#H&k3>s!T&A)gXI!B_b1|8y{Wo5T;Xzkzbn6aDLa$t+hb4vr;-X{gYp^* z>qO~8f_6@+8CV(rSv~Ve>rpX~VxD~+L=HOjI|Cr39=m*oWcfIK6=4%%5jS`)Xlc{O z^s#hm9U1lE3Ddu3L1hF9)&L<+dOe6fTL|XGc;8{m8LoI{HptN`&phlEk$!p+zbFkF zxxxkW{2xVq38YJ5Nig)os(?+ocgE4dq>;*J3A^I4V|J%nf#^)1siXEpl%62{#%uf_ zk$IhcS*}#L&^_)H@cXfAFR}};?h+W8KXqlm64Al+q6Yk`GFBC#UVIV*(l9HQpy|YvQp|vI; 
z7bMhFDjyNBwb!RNTRxNY@V}`PUtj4@`d_2(+t=uOG6~#apW{2{x9`Zz+xZ3}BKlUq z08Q2%44VDgN9UIu3lK3pvF-ur*32DXU84W)R!xjN(c|+!hhDQgMe3W@G!rOg;x~SW)iLI~P-3%v`{mr*`E*Ia&-YgF{ zT34JpYF&Gv&UT_Yo(DId0F3#_>-j_wTGw$bXQ-Ovd?k#5gS%4y!#gLOMb#~xM zc65ri^$vU`;-<^+UGa!t^HoI8n`;U1A{W>=qnM62bF(Y=Ub_h6&D(JO+2eKn2d8$U zry1LA6tBVh#dEEPM%njv$vuTC>#5fZhv6LKxZ2|}XC~L17D#T|;Es4r;Qp~3y&=DG zDPH2d>A!J1oqBh7SbEvDrTqfc(76WaPiZ?C^xRoUlY zw=A!4oFl^Un@7TzFE{*LzSnDeckR?RZ%dxze$%UaM3iT{emO-UFbA@^FSJ>IJVje$ zr{djRd>zBmaNFCzJXBA!&Z7kRrhYP7b-CZi#`KsZ-i}T5FktjNgnS${BhF|#uXOsH zREO#H@V?$LXaJs>5j&oyE4MYh3d4$w!=mr_?3`Q=fXO?0&t5MH3uaZxk9?DyG zfE&ExS59~I^lu6rtD0}vzSrJz9*}&tkEHH^=eI7lZs7JrsyC?fIgOoO=dpXkY--Kp zc3AsJFH*;ARQbFm7a#>X$-}7eI-UBGn>#f4>hqZ#vbWW)gZQyPpatN4`WycOl=(2| zi}OGO<+rv6{)e|^#1%=0PTL!Y+x_pkcY(EyRZY{E24}hdP2QX6BP^K&c3MdCH+c*9 zT4VT8z+WwkqJ6_0l^`L6^B9FfDGS(e4&#s(nR4S{OPvL8gM5l;Cy}-t7SAxtJ~d|r zo9{*N-)t2eoFx>(76Xq@0yV8dv69CUj|g#!oTluWgOwli`aZJCZcG-WjX2YZ zCgT?l!MO%MjEXCdOj`7%TJl4ekzb4YHjLuX&g4qf=-+*RT#+knd2!N9`5+Gc5we%~ z<%&n`CYy&57{8l@VoGz!>a6M5yUtseZf?pzBPv`yJLp(o%(U!s$xXCIf~o11PH7~Z zY;XuZ>Iz2Bd|@CnbES44E|ot8r;{=6L_=w{Cer;QdFwBSVLj%x*+@7xM!_XnPW7VZ zz~vgOWQ;Xf8pBX67ASE_PQ8#acGOi`lVdLoM)zX=TjUe-Kot8wv8g({*uRc-&llo<>I-t_9mk#fm|{C%+!3@g~* z8pgvx*{utanR2C38UE|W^~n2f+>XdLD6r$jMSggA{j7}pBd2m}d0Wk*%P@7+WbMlo zcFsv03?ncR7e?hq`nh_8-ws`MgJOAy=^hx3Pt2Ip^am(mm*9z{SeWgS?b$N@$WO^b z2J>po4@lsYg;?QZP$>MVRQ1#RvrvqgcHFhme#;cXH!7d4N~rvH?3z`_MmC2J-S^@C zUExMnqgicY6}WN$Ytvs1_^~L-7*9jI1jCyUil?fEBHNKl;VD7jG=DherI#&W8DUIdc!53=%4L@LGL=r;=-u|Y?&NvG4QGdXVCYNhkV z3J<{%D+pN$(#|^7Ko4*Og(=$K6qg2Of|#Tv2#Z=AisT1+Ekp9KQu5+neiP-TCpF2# z32t3f?qqqrjgYK0X{4@%vKW?udyiaCmY)Raahk`GAEjR{ipi$QzbU?kmn>pdCs7zGB06sTQr?9i ziC3q-B$PO4K#ssh`&IU|s*`#5>Q)|g;>7%K!B{@BGAs3J#Ul#yC-tQf)6t@gDm{us zYz=y^PCx}t6T>yAmdNBJHlQsf`S?= zUg!y{FNMa-zn*kH5X0<1+pYvWE-b&*sCi z!}9jd7o5A4_PniJsC;!Zzh0b<2HGkSwPm@??9XEmw|!RlvR+@Y?h!Q2D}P;M;&&lG zZ(0HL4v`M4Fj7Bm_eyh`LRy2|C$5>Y&GlPvPQ14}N*ab^r+vJ8GW~e1Z}sWAC!cz_ 
z4I6g0_}}lWg8crSWG-sb>ohM_WyW~Eee4hqiE<>H?nhnnui@{lwoAce~T=HmU!20qpof&V@2v!&xGgS>X_ z-xg_E?iANc7#3#(mb`{V8vg2TE7DB#$(kB`;t_c&p3TuHxJyV=h3x;)9eICR@j6V(s|hu`(TFd)2BQ<8b1-_3Y?= z<5*)nGK{Cq)$;sxCZfEOearNgI{gXyfxHFVfvR zT9V(XudtSleH(23B@R5c`=jX{v@-$%b$s00e?o=K%^U!N%)YeD#Fsm?e)~UQEc-!v zSp|rypNeU(1#kQpEl#)GpTA@=y#I`A)%ByJqnebBmOqukb$?*IAoB5kn>2w($fmOx z87JZN{SB@Zx%DH~5abaRsnX5uHm)!zldwlFZi+P~HwSi*#dE|5P81*uS*02g_~WnA zEtf1Oc~slM4j|Pq5w9(9Tn=G3|8xg=hU^|L2U>!(g9&0cTdRGuMRsH?)j@q)*!c8U z_t;+zM)?*wm~>lTW`a z2^QMgalpeZ5+1o(!om#cZ$#*|qj(s@_jIT3CWgztZe{|TT5`?3a+r1Zl-)E9WwgK| zjeHsIhEqne)My zrdkg2SRj@5IRZm{3Kkuf9`df)wpud+Moe`_xg?fNnbnlU)?l>kXSTaDQJW zq@z`v(C&bh@W#oWjj6C_Y%7Q#aqxD7cuSH0l{e)s+1~-X1 zRRr5hmgz~pau%Gmux#Gt%-ZN1m>Z-#zjWdP_uNWTReguG;06M4<$(w4pUS>5F=vu z2cvx5-3G3gyD*1PG}perxx8jbrU@-nFj!`ilUQ!TI8m8o8rjF4K!?N_MlBS-ocEezE^IUgPZV1U zaE`cqpkkOW<7U|~>=CmwJLd|86t zk`0M_X@VJsW->phD&bp&pHYHFUF_Je&~45j(#dF9+JdD0N z(?1XYl93S>_i+$qm0`H}!$>{&+qsa$GiFz*CQ7x1ZJeb2{u67s zJ~7m|J&#&beP63dxgx@Yj2n>hU-M0^5yOs*Au}d(5r%!5_mjk12-KUz7}02|6ogeH zQPxnWYgU5jL4In|s~Kg~^q0qi&z>Rs`v$@?o4akj^6O*BtO5GQGVUMXrjuu#eiDIC z)n{JNI^f4?{o~Q+yUv_~KQN((V5sUA_#kzz2j^AMOyDWcko!D309*8h z18a}sk3;J=Itt$zrdV!y)H^Rr2{~10*lq7c`5y%q&GWnoOk14u@W?tveke9qeJU8 zAT)0HiU^JlBE-UV`8AkX=7WIRPIw;<**h+HSdf4d~`|r7e)^QT}@1JLN zS5ix;EO=T?xcQtaY4oCFmOYu>iu15*MtI6aF{P%4)N5un#Wz@PMw zuXg8M=3@r^yt9oBlp6~oLW;_xz%Kj;AOHyqgHS+0zHoa0=$|8w*aa|el_MaXx7DDI znvcYn%l&5WhtQ9J3H!G<2!7x$n)M~q+x~Fo#n;8+{&QB#8Ppe>yqr}U$ID$g9(mQf z<+Xolo$I>B+Mo`~c`@_=bC`^f&gohDtNrmY)B7Wnw=?zafqr@GOw@e@j-AuJt*6to zFOwQKt*bD%E4a;@^2*i;$onrpwv9mN{T9mH&qu~6bs_gssnYgwz2TVN`74HCvdNv- zqgH=Ytfr|SyM^@0r}U-9VY32};BN5#OOHOg_hAcFo;q-|pQ__Ih2YMAv+4wdck^8O z_nKSne3}(R|GG_|qT#F0G`gJ9g;UPwx~NFa_j$11(_sOO#oxAEd0q0|g`c#oey0Zr zd74yS^R^%wRlD_$o!B8>y_=lnux_`t*3BDjq7;Yx0cjT5*fxF0eXd-Uu^N?livqyX9X+qNBjGarX_?)v51JlfEDvs;M|+FjeY0a6A@tbS1XyZH5+xZ`~KM4IocA3wk6 zJS^8wHG~Xo9{euV_d6ioI42chwwh>2={{R0U+F%7CB?{} z*4r&1o_svQztie`Jh^;~-L#uKUe1k@^L`I??dP8Ex`H^oeLk-BerV#~>GY0OKI8n9 
zp6k00N`|!8t-s7%q0!s|{$#*=O7oA96tyJ4tD5SwRmk} zuv6FSQn7Lq#wlnoN2sPSX0T2Mv#B06-4VU)3sA&Q5b>t;Jx5#00tL4g!4<1SO+FP6fHmQPvm9PIJgFr=0bWv zVzW$LRs5lsdgvW*A=Me>Y=xRBf|GD%X7s5++LABie5a750#jzuj{tc0`5%}QcjQxM zvZHLwR$wE%i4#i|eCqbgG^!DyMiI9v_HGieSLEK6_s`R-`rRt zP@z)cOwLAF%O9wTgQKCT25|pGDp2P9ZI5)Aw%ja3DF>Pg)XcRVCjzsrl#RRxOspn_ zk&(#TA!-Vsc?%b+ODd}MLRN6(hVV^Z*z8PX>u7QEmn`ahq2!I!P}3Cwlj6<6(awH> zG!StsIip_Mv`=-vgF8$s;wZ{~@TCx%s4SBU(xBa_Rg~S^Sgs~N%CPR|7w|fYE%qWf z;UiGEOb1Il)X*QkhdT+K{W6?zahNDoaxK&h=$DyhULy(!+2lBtzu{W4ZSZ7_$H4Z$ z8o(9+hr($c2&3dG{ArlZJQl8VWu#vUl=lh%k1hsa8!0DhwekJ}-CKSjK5RvTG|Rpe zaFC4*uRDV|5ei*49nlG3)rzn`mm*|zrdRr4j^L*9cYE2CZ4E!aOf%7JQRJ0^e5i^J z3$`bX4B+Qc7tS6v%ZL8>&kYbZna$y85u}nOItHrk{{4lVH5wMo_+2;y|#Rp7=XGV~z2`&n8G^jqq2H-3pLqOQCM zHevnfOm2zS>X%-3X-7{H?5$-n{yk->*KuR{nHw?L(nAO&PX>PR@tGv2GtnSTu>Ziu zJ%2mWP3@0>ZVHVuuEvP;!SA8x5Df~)G^>sAJ{Ji79u&8xn};_dzes%A4mho9kkEtW zO7&-M1J%KlMZ~{{Y37!rY0>x63@TC1?N`~kLv%o_vNq4rS zJ@-3?x~VJu1PfZI1LxXEl}I(RH24$P)4gwgA7*4%fv8k83SQ*AXP ziIv81Ub^&<7-dmTQU}pK(ZQ72j4wIy3ZWKhGwS1CV|0m!b}XqzRW#vMIabn+oc&7Q z!DtsqCzi#yGW5CLLmMotVrVlI3YYj291wx`mu&@`D<49qA@Nh_UmUZa8ro{<&7{&P zw(y9W=%%aKIe%%sa|u>%f#Z6%-Ex}Wd2kFlCa8UCG=b2%zEGK+HmSGm_mLXr}SECv}Uf6@G+K5KwK z&NHRx5FjE6%m8%!qgQMo1Z@mZI1oBU0O^VL4W!dDymdiNJtF_o_?Md5Jr#bL<8w}V z5b>PXYH;)KyFDLXl-9RwW4ucP^!c%^wEA^ z=*!;mv~C%uBV3Z=d86q&Y&^qXS>>@sTdRCUZqN7dN@Sk*4#pnQB(uas0l~ z?Fn;R*c2Ddw`Tj+HDpVtVOF~)f6u+$F!cUv4s5(gSgCEj*2P#+(?!v}OK71NfSpr> z+Tk^il#WEKcDcu+xi2)WePi8BcN}4^%)arM+W`%dr)=Hae?@EEMDo&M$`>x{*9~2s zb;5gf=m9Pj!}#0!cGdOVPBXc|yBgfrjE0ALwDh%KZ-_tNGM;C+SnPN`RwCtVL8+QT zx51`-p5{AH=zV}$W`x)~9G-cek5f3d+K}s9dA#?lk#oba5hEz;9-lWvxb?z;oL5(K z)4N{hJ`6Ku_Acsc&yhK9-h5oQRYeSaSbEo+@aL_UD=c-r9y+J3*w4O%Yx3*N_->c& zYih&`O+CYPSMjYkEKiGfV!-F#wRZD$%R&m32TM|8q*Wv{zso$pO8q=< zEpeV_xjc=OZYp`WgztsH`Exh7A2;&4uU@9h0_&_wz2s}Ukl8mS+pPcr>ucF9%gw2* z`aZ8o{P+#GN_`*cy8~f_=h;+rSlQ2|uc=t}_~(B|M4(o8T)r~EK!7i!o=+T5dIjhy zdyxG$H&8`+u9geb@bWg(FT@k##IDhb|M>>Iw?FUsMEZn69$&jX;1%Ur(p3SyzD2I| 
z0H+D6GdPm1^0GN*ZIlSN|FnpI%W>C!Ei)ofA|@t#^_veZvLb;F|10_MtKi^n zzYJG#i;Vlg22;K@Ty3T)z>s(YDaj}SQ?%+rkuS=>uv6u{MY2hm?gwmCS#_&KUnt~w zuzoO?ONSX3O#Z64r;S2E0Hozww8oEswKVk;_ywN9#SP;jmje_v?BuPOFs#cmqypOs z1t^|UN{KF=rV4ab8Pv^;A0{N^VN|k9zZPUD2EDD|n6eMjLjKmjcrZA4N%9{Zezx|z zBem~hrDLWU7#5b2NJr7D5)m4B%Kb>|y zpoD1BttWVMEl-;_;|~q>E!+YSQdGZAdl+ig>ypeU#|ol_#%_Pkn+J>J`xozH$}c8U z6tFZ-MZ`~0i~bIB2;8N}{>|E!=f@rkmXbfnI%}4VS&&)Gv-|y4h!Kier~$>z$|%;- zj5!%Rx%T-WLdo9R&eVX~={^8cf($XLhx1)H?VmXW9GA=t4gq6V zjth@;zlo9}orVyUAiZJdc2hw@(K^MGbiTN;!GpZ)qlu&g@vpFh*`Qh6*(D)amM$`(_Orl6NhwirD!mj1-?d%hp8h4J2|zJy_f1Pw+n?e&vffG^fmz zK~#eikKYqcdatQ@3_oWQ>EB;0E&|p0qRK`}st`79gyUy#JWOhIauz{hB zQu;K|C~qWPIvK*{P~EqQ9(*9#mdh7ep#9^?e~4D8Q-WMnZ^U`=?T%2eCI5vY{T_J5 zuM@D`T>->-aR+I>*nDV%42Sh=Ku_j#w`O;;ZNf+U9vgmFzGYM7P)1pQ|H*ASTaH~dtJZoYAn91YTDN!=Yc00Ccm`fo zvaThM^MoZAM#Za8)X8FV;NZ^&B}iSkS8v!m$J zk?FCE+cm-1{I^f~FE=sO8QZ9B&!cvAuCs;IojQ2RoqIkMrl03mEyv&;F4aqjZNOll zwRfsq_hWSr4gdE2vNC`7)q==^=I#J9AA)+@ek0KAm@YrtVW}Oi_vEQq&HDz)Z0#Mf z`*5@iq5Ywm-=|Z2x8iWd+p%^g-dauS+}WL{bU2RvZ^!(58a1uQXT)=ir~9?>LhRIC z?bi8R^tSXQp5CJ0r5TOBhhbt^&6n4RGjjWP`ukuTf)DJM(NJnTA-_&vueAZ{>uirP z@Q%ruWcO~PVQ^=?sTye)L~Xz)?KHfe99@?|$Ar00Gc@oQHzAvO*P48-$C!5*kW|&{ zpyk;uhF5*nW+yk5oyQu+eoJ>94nN!Mk3wro`&oVNrTbjwy}FfecQSZRGS(C&kHaV| z&St}Iru__mflj9LnE6JJ$Mb0i@HM|{Chc{Vw85@l^>U~M-Ntb)ME=8L;|E~PZ24?i zfFI1;HFCM*fhtqqccJ~&SKaGyQnN+R=T-^MuE+F^sZy}V?;&d`H^a?{UN6+W+e^=| zdS07br}F`#N9TFC$*=wiSgGH=M&7e}l^xU~OY}@2_Gz<(aeV3i&GDq96xV4JYeZ{C zZ{FK%VX-(jJvEyRaCBAafujpaAdSC<*VVp(d~Sb1urMTX=u&@TMYd+3;7#65@k9KG0Xb&mdq|83KxN=upqVdD8o}OBNJ~Y5 z>#!)TZ2aJ{Kw=?dL#(_rjk0}U+QW&6SmL*G!Hy03+n;u$MGdFUos4#u&=fTlxwX z{&G^{kHXiWTKy3H%UGJ<0gqX3ij7TFl;(n1nL#;-aahpLA|^ssh=V*U+>}CU;=+9j z8$%shFsSJ$OK%{oh#kxzpR{2cZj+oB6>kZdl~d*3ufcSZ;lw9>%LVn%2k*@dm{<@$ zEKns_->E6;EJw3O+DJnZP3;O!2KlHmPY^zafKIQ@Y+1pB6p3q&`5E|Kxs63A#vik! 
zL9TXC!jdYtB2!9BT0OjA>wb(PG3YX5oo*C%RZ+}NRyf3{eLrk#kAd`=Wu3~A5K2XI zX8}f6$yt;9XNXqW48=un)gEf@OWO3L4sqsP<(@6DTco8anNingr`fh!dN< zcmj@HvF}3zPm9ly^eNc(stTkO-Ll5gA^P1uAT^N-z|_Q4Mr9#!W|WEI1F6mGrCzt9G~<8+p8(wQSoaBK)_-3BGK)9^K(}oFaxHWD>XGm0%${bA zaGWW@loVRxNB%yFEml3b(5-|iHIbN{NO35UQBts59Z(tO#GT_cj4LTn>ltM#YDWAM z92u(v?~S#gWKL&;G#P|h+pPN|Rfak8&j+2UDr0iw)u&~?nnfFdTXH{~B@Bs7ac&qU zxi^g13M|f}e6>iDekFXQtxWXb6dzWe47WIE0XA<#MY&6=vTx6?&mhbQ1*f6&U|eU@ ztpvG%o3&-pS;+B|sXfZ$q9oBP)MNq>8rQ+>*&uIy zcsCrrnz$KoQ6++bCyGOc2f$y@4F6Kd`#3Q#WuRa{e9UjlaVlpWcH8nQu~?O*GD5t* zyiFr}4GXd&nO_4PZNbyKqa4*jN~wRpOOGEQB^MhIZo$)JM2Bj)J)QZI?`(+Q^?UDVfsLl297Hw@Msb^BWVP!=~Q~eGE^~| zVjW125U&&!QTZopVjV`P_bpwG;qPuM*gl7y{|_1gK?4o}*Pk_Hp-KAVWmyW@XCP)% zUghQgDYx?A`6Pce-Vhm^K+n2gz-o@(@w)$oqH#zF#?TP}Jdhx82yiph3qV2o83di~ ze`|lm-@~=M`L;Hn?d`*2ue^6zxUKOfABO0*E~U9!fZ_D1-ZenLL))|oo~rBnO#}FG zh!)qdP+y`3HsJgUd4tygd^JIPP-J*m>MBZ=kA+ z(sz1>B(Icq;A}n*%6!ALcbE|OUcm4C5>(~1Z*{9*`Bs4j!?b|Sy7IuPdeG+OGS6$Y zw^>@x+HU^__*;Uu9GB~pnS0N1%TfcquG^7p&&LoHPS$C()by(NdE^>Dz?0j{WlwzO z0aRp%zVTir??!UBPU_9a;J!cDCf}3&wfBY+!?*-3RO<1$?2Gq!7@cn*=()Sv5Aatt zO$m#4I~_f#_jH|xvuAtWh~f}GllVWQpG7o)%7I@8opv4^6!mF8`PS zy-l-TdHR;CwzPf){v`4 zy8#{r4XUS)p!DlbA4ejn^_V^jct@8?&&h#j$?5l36}q?k?`&KSE9o7)4%cj@S&DjI zrW}^;sTP}^JF18k=8wl0pu|kGgq7}x**9@Lo|i{#oE%LJe$Rgq?mSNS4cb|$n|!Z{ z9Il((P+;o(PcqS#x*j9OJ(*4OcgH!tJNfEeDmmFL^qxT(&AV%FRv0zM+s*H?Pfc)Y zzI#PDDI2CuKcuf6Ppw*ZS};<)pIb@!ad;etIO%r)JMYd{?KHqXK`1o49b!iMT+Uh_ zTiKBvYG=eypvw`D}1yZ=H~4Up|Ps3-A-3|L4`8vojt4HA5Dbko6H2^`x)e18Kn z1AF%PHS%>LU!1@XxFaw4Lqu;0hLwU1)rcTENZGSeen3R&#vl42%SQ%hOEw#6Y?sDq zIpS6-Azuh@iM6*l@GIGP5tE3z@HSX8dNo-|SY%h2E_}IgWBoOiNkOhigx2mFwaO@x z=D^=RQBBlA2tPI^g@$kcp?{t{S;Fqp)~->n6_bpqCN_^r@%vPae!Oy-Fjl-hTX~}z zKN~Y#czBN+k3x8|8Lk5Ne(f09L^^=#j^OhqySC+3$;e734qGDE(TKUe6zP&Dls;mQ6FX{;h= zGL%28NC?qtW|k$=CnRv!zwOpK`Tz=vvVG1w&IO!52AF{F8=s(dc6ejfr`4p&}@ zMzVoWOSx?>W!vR*_m@?`-9|-60?+EWdz^Gj=;zHkk z&)FYiervoxr8=i>#fYZz{3f|B)vYhO;gG*~lTo00rkgC8DOIzm#4R*@4R)#kzdE=| 
z=C!Z1i6|QV6D`38SbE;G)Ih5A>i(DuJb%If)BzhP{(rxdPH13a^1J5`$&z#`1cA10 z41)J^{P195PC-?RIJ)Ep7~elGK|aB=j6wurqzR*8ri|6-(v&OK@9EGF@k%ZBVgig} zh~liW(#1rOBdHMbI+Tqg}5syv=YXbPZ;w` z|Hj)PD0k|>&%0=o_oC27x9c&8c)8FMiWaX4W}0;7Ajc;aJ7x>v+mJLcjy}Yhb;5&V zMX8Er$Rj?A1uAs1VRMQyNVXWQB@7MxNm6WwNJJmes*IJ=B85SwQgWyKkNM5rKwFrq{WcBw_#WjnsaqIr&@ z!xh(1lUvnZ-l;nEBHI#)bZ8fJMau1zP@frhVure45{WnSFh8aAy-}&;#K8`+WS=hO zbhIe+305ap*mi-A-P(^mCV~l7z8IGxPg``XB1I&l>|c-wUp~toCn3_K%V=@7U4@Y8 zq!sF%BlX0KSzGB+yi6@-XnmfN6)7(OSHv_j042z#B}GsiQ?(QuA8J)o3U?W9i*00h zp~6l>G=tj93hx%{Kgk05giZs6KUcp3u~1)BYGL29q{~K=&}22|{;Zrz4G07KNyL!!2LQ7}a{v@V1ab$Ycl1v{48XB;!@U#Oi|EyJ zCoRs`-!svzrpdZ~R83B|_E>`2@^tq^i;`~S<;{<+yXbYCP}*#j_3^=j!*P-2iMZW% z@!+iQY4nCYJa7H6>g{-WPft(KGWo$BdlbvJl_KBvIXtNxTdMAq>$&UWkce~5f7G5b zpaYmpR)?M78qek5Ho3Qr<-Tql$C%N7Ha8#h&hF@TxcaztqW|o?`v{t$VbtDnyn>YX z^IPtkxaf-JJCmyfqHjB-^V9l1SI#@Sck=*RM_glVZPn=g-som>yV~MD$Hvd5xaoQx zir;lyHC}_d26OTKmJOe8?{nJX$hvMlrMvtpng#>7?YfV{t`X?hEY=y{JFa=V?+(vV zbNsy7eKwSjS+8?jfZhvVP4AV*em_pm4Eajuj<(m^rQDO{%Q!#L#^+rreCUtf>}zl1 zSm_c~{P&4IkV#wV#7K%9?&jS+Gk!grXU-}X@RB#R z%o*@^sm*zseh26cx_Bvh-*lZ3HMutb^j=Z4Yh`l{<@>a?3xT-uIM`x7Q{Up+p4q(W z%DcG;!{N6C?yW$zELZX+tsaRsJq)Yj?3eQROk*%#^BX=*db79eCL(^8?1SuI0gP23 zwk6Odcewo?f0qDeD}U=ff8tPPC=4pztttH5I&c8A0pvgXnkF(70;v2$ka_A)kAC}r$a zvv;Y3Rhdb&v#nBhQWU0P5`{m77_j!y2uWQ)WK?!wjjNE2}PFuR~J7c#CGf ztxTiR9o9*xu|AZ*e+{M7P&XjtJE2stOBZVfO>APa)o&aG4GO(eB%zWy3>iv8(~+zV z(nP)fvM==*eC7a8V)Q1gpc^hsUxEOYY~;=~pzK>puFnKAbJ2vYBQAQpkJW7P@AzNB zyn4vG;6q(;g-nuVv;rynBu>@8E$ejQ2R%)`&mN7UC%UnyaUG&!5ePPAa9}0jsc5a{ zNhp3`!a5OmQQ)9#D7RZs#HqE3Sg@tK!M78Dqo%@SWL1(4Kk5+K4;kAg)_w0xnoLUi zHcj2{Ntxv^sj$eMC+ssu0*E+ta3<~5;kniT;YYxhQ$!_O~3 zb#-Xl$-2w!c}M&hxX%^Mumg?&UPMnpiPce3SxY3LL*E#v?#hj9F|9`|iJ%X6O-3E% z@=ee_{RZp~ev+=)p<9yaE&lErK7v%}!YDwlWKgPs%QXB|r`>Pzy-;RTlv9yDQZF=S z-*5T&q_@$O!S?99Y}C8>?O?9~xW$3)er$Mqw9Y&< zQ#jaJ@%^ow-yH{>OhMxGlSV1-jH-rcudq~Uxe})$Op+lnn3wC0a5(A~Yn)(YZ?s0& zu%ZGHaw4}wcZGl`?(mmHpqBL~JNnUjJieMvu3|_+;hNeu)Nr_5!M0g~kkV8dYx9a# 
zIl7G+Heck4YX$G0yzV_Nzmsy#w!t&(`~_Dy`{;a7D}}4rwmtnw4SX@TJ4E5R3 zt*jW9xNCtr>Jml7BO1ZzfEQ)_slsR^LkDFjVkuKnR7G_dm8oVl_8nEhmibf8hY5Ts zTfm8OF&d?Mj9Ay@UXb0U&IuMlWZiByIcr)8q63@ttgzP}_0f-QyWa~r&O$jm$q<1e zNZQL!!f8!KcHAGYX%R_E7(PKNJCvyLX4~Y$-^O;e`Y1efhEP;0+S*O)8)^H_<0ZZFVK*x@ww)lJK?CP>KLOz(nmh)G8fJ&f z-+Xqhvf;n1tcZ4Mlu7oz@JdZB3_IA9{_oB2*A5uy4Iw0HQ~!`#4n*9M{9;AW8E+`Xkc&UG@{L5Db1mpi31WSO^+tBtISG zJiok~Kc+q@jXv6HU1F2B{o~!kbsceewNLlq5`r<2&CBKkIwf}7G2J;8-zC6x-!0yZ zGRB6Y)vyQY<38`RFts>K-p(x&t=M@V4%aV_kze&h_#AH?L2Ad?@f0%|x1{E}+ikM4 zvNzm11FO=n(`so0K~)V#ukrer6TB~)XM3h{tFKpEa=P-ZaILRz?{b@t8(lG~_WYKD zZlFZ*pGt|A6o9Q>Zv={sjR`o;sU$s)!NS+#}S8J z|&vA4Bw!wQdG zoBB-F^90n5?jG}CuJ6xW=PjQP!-Kz@#MYgf>qiUjdi)VuUO~FcJ*Ha_`dWU)e?dE&3=VyMtm!hsK^dsHJj@T<6Q1~hLjrrpY=V$5rl*ayW@%{f2ub|8~ z`x_M?h;A?QMP7r6tGZU>gsvMHM5_b1%Z63SYpewT!$2*cfCqvckPES2l^`5Ovyi5i z3aFeW0_1X9q&Ju@RIy}!-sYhQ&Lor*f#FhsI;a&C16$6tgdY88I4Mwf{NUVxO67#& z1f!}x_Bh;QvckU(_l|Z|fV+z|`L{sSZkcMF-l|?Lq=*pu=0@8T%7IJD)uUrIL#)BAK#bD+eIt)~^+5U#Cl;0!k zHG-jttEV7^bZ|>vbh^#F+Or+@1t|OfghIm_Ez^^6U*!=?GqOQq#p{PE+X|+l4E@xg ziJjXWWqy%?S6ck8dOe(Z$e|54!O}~O`9%9!nq=c$rRAvXBpFYA$}_VBg=u%_?Ao1p zskz^}V=GLij(=zQR}C{poGv8va%^3$*;ow^Gt6yEI##z}o4WK+u73}L3!^eVq@RP0 zY9Rk4U$Xt`0PgiWQ9bg~Neu7Y)FR9G;_QmOZ$1rE6^~XW+q<(_YoTNWHwQl@7Z@N` z2GnB99~CenD)l0mBhWWvM%Iob{!k#-1PrMW*nk^EOJ>UQ4CTLqXEz@@vTOeCbb}}5 zsI);Uv_gdWtnAW?lDoxMNkGk0c%pPiQc-EWJd#3-72T!7BT*5T zig$s=cK9*Oqsf*rl)n}BgP?nD`F^;^A@!fn9&7sBT42z}&4+pX{~=!=K$J-J-!DtIlq$ej?nt|3(V~A} zBMo5MYGI+nefvp5nSLCp*@3;ULY)~_RwbGuEvjx$7(;qWkq*whSC$R=vp~1e7hOUmp)iB%x{B*a zAF^&4y0Z)ug9KA*tmI$A2uEK9a5R1ao~~0iCu3KgqYyQDradbSCRas>yXcaM@rmZQ+IH4>;8qNb}NO8>D}`9Q}GvTpf|fNMyuD1h(ZhFTb%Q z7^6X`S@CQYw+av}F>FYs>TuHo`fJqhld-A@^{L!Shg448%# zz=9S)Vf3@x>aU1z?x1v@WMXc3U?qqI0)6T%I%LK-nSk|;r%W@w&!htHn6{?0A(660 z|Dh53oW;PK_72O)d zXk6>Rw1q%(SE#3a;&sY3#zLJGecb+&O4y76w>>7qnF*^|dy>@3Snx5_fi?a69UCp& zA1iT)qGa1pMM||^Ng0Xo8kD?3t!4I+FOOb^FH0M0kwm32+jfcJzCpn$oLe;iTK7aP z_H0{r-`SJnCc0BBS~;Oi9(igg-*?KQ89 
z;T`;^yAOTaFJzkyspWY~MNDmL|5U_y?P`rT=DOg2O(baIGBfVzBgc9>zmur*SK6aQ12LAGPlrNzB`?N zbkO-Y4Y4=3GrZiqu6p9Yh!Y(8wvsma19B*)V*H*0Z#Eq#5^{MQr@_^?-a?(xHn+sJ z-up15+!wg*9M0^jO@EE}^6*_wireWK$F`l*ac^}W)@`Y4UjwOIC&yZ{8T|lD{L}1L zyq_f#?3=Ni;)?noYaFK|e6K1z2B+e7{O4W2Iveo0VlzE^?WA>^E0C{Bw_Jy3?oQA% zHxLuF?O$)mpmZCcfeof#{l=^|U+h#{R%^zK?pr8C`aXi*KJq2LS&Q?6wyrNQh&kou z#QZb2#!>ZjH)ty{weCW&eOOJQLoz=q|2{+4s>304VC}#F4wcpq0o6aNFb|y2V`tCn5vxddwU{Q zU$YJ;| z`XE68lM2wx^M80*2Fa3D0-aCxsO!Z*p|-j@M)sG-&#x$D&@0g!q85d@aJP=|3sYAa zP+1!lB*~VD^oz@efu`IlDt}%8mS6>jmu8W6psI0|4c={dz3kvOn^uuhThZKj8$=zy z&FgrcfJ<9UFTwzs<&X%IjcJ%M*!375iKKvz7MqN=1vO>=5>wFz>}?W_n1c#NnP3{M zD>Z+GdES?ZWBJUmV#Qtnnx(2afG*nQm!|f80Rp)u1pA)UkWVeuPk4PdD+4z6m=&AQ zq9vsbieva7^lvj#|HA2Ta(}`wd@}%7!oka)9F#RzDGyhuhelw8zLqYCbWdcI%^Upx z0J1<$zZy4apg2|w@s1ks1Gm?q8=x%fR#%V!JS`xjVr)cZS&X1543^nsGU<<#&Zs95 zMS29|S!#%5trR_~rC6^#Y|?#?XKgx@Xt%3rfU~>bvi=*5=SxzGPk~jticEgIE(MK3 zCa!=bj|gl=hD0x9tF~YhSRckxSS^jDW5%e2Dnw-JA^=(=$V~J{20^MC=YnLrAauEy z(kl}kv73yt8L4koCKsTs(Y{P0P|O?zG+H%PrwS3;7$C*2TkL|iMGhk;l^itMqBH`F zz9*nLcqEb*9J$Er)lI z$rsh3(yK=bCAor)7BV6~uDUU-HA=V0N~^qT%HNZ)U!n0&DHe`bwXbTi_TROS_=EMIMVW5?;XjMg|A*tbd=%JWwIKuf4C>=? 
z6^mP)7;5TZu~iSKe5I+v`3g#6Y>9^3vMI-6h~Mbu%l*6&?_hF;EDsZDxR?@w$!!}( zFkgww4SLjXCE8-zPq&S63^HW2m<#oxP3pCHrfL@gEal6%OSTexAq_VvCV|*4FtW`i ztBUe)kWQ(H8Enybqdr%7Aoh5nJg-pO+kk%=x`9IRH2>dF!VqTi`_1V0dcub znO-NSQQF`ACnzxJSJi)O{M~Ta+W=`T+ zCE3q%ygm+avmoL9cpxCrSRPdpkyHy^M#-4nI!C2Ul#JAfAc20ign?8lQFncIFia72 zR*Z3uQ=N?NB3$+=hF3^U?n#@0ZP0TPjiN*QxXoik(@qK;&H`1h;S231Rncg)&pEwP zS`xeEz?MkWEsJeM_uIL$1t|ytCak`kN7LOdNP$9o#OisGPyjGnZ4Vj33F{uu#QROt zDEfk$$C%{Qp`j@-ngXLKFq#6RDKPp!5fDlei>3ce?f-oz@g@I>t)JQAk?-Aq5D*99 z1c@dP>}&WB@h|?9`2PK8;Ryy9AxIed7UzEsbn2^AvD5?8Zg{A>|2^^!%U$#MUQ2Iu z$&XT(ZTs0TKU$@ytoQOJTYa)*$-Qmo@Xnj^>g~(To_<*Ud?WMu$#Y-NpD}l}yB|Mv zm*vjh>cRWUM+gUaE39&I^3Y~Q|J}afpT(`$c=)p3x~Ja$Yv5*!vp(s+xbL1vtiI0U z7wp*I!MXpBSH8N{LBH(JZe4Sk@&xwVYnhWCxnKzvpYz6w3uYg^+=BVp4VTz?`}g|> z@}RQyC({pqn_uJV`)-VGIsVp*FPndAZ_T%k-(b}(&#c*IY^Fsjs#PW(yp7HFlJ03^AbIH}a9J}Xb+@Gku-#q)1wP$?t&>!#h ze%g3q5&XyB@!6Y??oWGYwHwKe-kG!P8t=@x{x@6p-h24?OQDN@I-u!se zowr>f`Nn!1ethFW+?flGD1W@fk~{w9^h4Bx>$MxkPdvA?wBC$5?r_gII- zA^5Ubr`n7{_F{ddV|F8IJV^6&P zin3A}m+ezoEUQOjfd~n>MUo;-B{--LSe<;)!(l8*mwer!ELyAt0@31FXNY;pYN-#k z5hB7zEFBm8W?agRf~H%HJh{^!C4{sIR7Yck!TK@PMVV|_>hxj=0Y_PsNYsl#KR=ZF zjTAJrw3eDpf{NaD+@4=(kH+SpW?E1s07{zH`+DbX(WfWn{phW9!DL-bz zLN%w5qe>lZQ;m2Vj@eqd9}Hw4k4XVhfMVrbCQ^Y+j)n7QJUy`4Wv!=TCGH<$Bv6N6@o2V8o24ITN}dwH^6PXR4nHZz8^=zbi7qzeY95{ zyZJ!^5tzE7vXSSqJ_h;RWcA)m46Pbob8{&>HyYSOAZm>{8U#mmj?4H+itab7pzh`& zw&f=q;h;G(q3kH-$^*Hl5VTp8>a78YC!2k;*-Dm^1ArT*@+~Zg`?_6j)J8C0mBK#g z^N5x#w4G*3Mj1zHv=?@l=W3Azb<*8O~-MU^?4myR3p{W-8njG(`dO)i+S|f^d3#(Uc(FEI}oUbGrO{*KW%T5@m^ne~`jbfokx-P>z zO1la$CChZARDCR!D7>DmbEM^|0jl*u2_Dwy5?arAo>Z)l*df;nz&r?A(&UDiX=9u! zH}wvn4tfSk@>af_^*d-gS&Wx7M$N}<(x%(=xMnD#obgqe;fqG8j@eBa?xzHSG}u;? 
zX0;r^sEm!uW@sd`U@K_0;QXM{5YknuN7dtQr;0KOZYVQ8?3IGyh$VSFNme6IWpp{O z70E6j##PcqoeoCQfA=4wkO{uZf4INO^i!#O9PGx&i} z#vAD*XjF|c!1DzsU+5)r1+nX5t*(J0?Obl8lUZU=&loCPY0Eu%@*y(AbK_VmQgUpp z=gMfZ#%TqE2!L1{Ds>{wZVpFo4;uJ=Rc7mb#>KoGO&5}7giX^{dEi5cPE#o!7kEyH zdu`Jzqa?i*{IV@{{t`>u} zuAQQM(q=|Z*9NLn&NJmaQ_eHxJX6jye{tTS&+oJ(edq?e?zOrGzIpJ2KQH}$rB&8>^|@#L4__~C z{ORwWf9WT0J@z_y+54Bex8d!=k<0Ejd)7LcB|ks-ch_%u+|D0e3Egwoep_?vZ)D$o z!g6D+vdsgxO#jh-f7zrv{r&h6?=8LE3e(p;?Z(fZT5HDP^XNxcn=aOS`^}p3$x~M8 z7a!iqJXPO2c3J;OWrx?EJY)6Jj0|<&Lm%Jv`WCl8vCkiOIVOz%`Q6`qI6pX3+xM8$ z-r6+x#ZrfDQES|^2>!D>xb~HwFZtAJCtttBjC;4+_VJ}ZxcQLdUoci#V^esIpPW#A zVB2TUIceiffpgD>Yw3A^e6mO2cdT>ri@&*ar~P&fZ}{cwDQm&e(bDtx+H_56ueCwvqKKrXRSE!sKz&mdGsB^;Q{Zo!k%=`G1%db85c#+!U=&LVS@>kV8<~w_S z`tXXM{kgktzP8tg>rS_>oObS04=;891$V6dF!#>ZhdYf6<{aPpz})dF_LSB4xOJ!B zF!#J_ZepCU^}ZWj`ncAsfa{L0P(R-Ax}EOX{(!Z#3$M8JvIm=QPkUsr_5qvj`Qv?` ze(w-sqs!&XpSkePgCE^nJoVD+_OQq z|L@s<&@c7>fxs#M|4!nY_zw@}5&4JK|ECZvWDJ2SM3a99U)z6#f7}13_rvoaI{fSU zbu5hw<=Ue9PjgZHr`D?K&AO%Id9ZJll70nX1T5=xOC5^I#=1Tz>OC@rAfaTp(rLoA z3qyfRsO-2{^}0A&DFxloN|319v@(VqDuDpE5gqEIoob3KWcope&9uXUWGjvZ^b%ab#S;`Oh)AGSGL+Zu>5U|m?F-Eo zZVh0|5E}f5_g$TLP*rRu@d_N(ac-y;x`i$ev>d*mVgkWLm0k`>H+dnQPLDCUE(X-d z$cw!&n;LY+NLFDJx?d$QKF{{Cff~UVlM>Vua>bBUztVu!yoK}hZcK*XqXqbzq>qV+54KYgd1Sqs9 zwwx3|f*U}bH?YV3WE!5V@<%?Tx9Ui)qBl9iquUsjXabU=c3X~+DD*ro*-cOxIoaq} z1fRr%P}JcDG+AuJX)+M{^&&CQ61hooUYtR53QlnK-- zOQAbNOtqMW)D)WPNil(^)i}@KcA?==iGdIH44xx+ckBaZ&Z+mTA?(R%+-BLhk;H^t zY*36^pjb$O6{ZJ3b-qd#C57~bfWxDwv{}C3c|Bsk%huJ)2kP0ArL#NM#qY72Z zmarlp%gU5$46JmL?Tu*_HybQbtX8RPw^5knyE4-04eNp34udGjVNMA21gVNvFj=*v zm@$mwFsubreDu3 z%!SD)4&#Q`#5HD+Bw(-)dTv`+{5({^q<$X{nvHf1p}kheq5_eN7cCZG%2}h7iP1!g zwpvWP(&Bv{^B6h9g>qrY%S}eZu()S-(wVqQ*(9GuxLnlf>TVe>wKFtO7!vt`pjqiU z(Nmy+r86|A@kP1{x??jz8aQK8Xf01?j-TqFRjelQ4jhz=9l9VCduc?`Af#;#PhOCx}cN#$gYb4Qv?cs)WM#s#P#^%#*J+oh^FSypSUww^JQqneRXhD|8hA)ILP zp^zV9nxqXTlf?XGb3TQkj zbi7`o*)$~=&^lEu-|M&FW}d2zLRt^qxSFf+ki+s`JrJUF0?BpBe9g(llw=Qs&3?O= 
zBhzG#P5PXX1R$Ozv`%g`PDO)Zxt8|z#u!w5J~_ySdCVDd76}KcWacNIyv!6{EQ3WV z)hs23QrU5)=x2(4rs!viex~SWihlkJ0zyf0vGgBoYX9%Mh%fukp2vR3EC&8VfM|k9 zASnDb{D)i|{U?#YAaL>qzQy^UC)ax1fAz%bDtmr%>FkSs^Y)z0mzUT0UHZ?zz30&L zryu*h?a;7RfAP}8?Ym30Rr_n-lHBgnXbmB@@dYcMee;ga9^4kQ zpKu?%>gu!6_kaHUmCvtv&<$%oa^$@Gwu?FI&CCDkwVA(OZ~GsGxBh7kVSS2BqxYG9 z)egC>;XAIFcImsbHk`Y=vBl4OKf3hy%e9Z(eAdiQm%iJlFWg6&d-w;NfAYkyH2b-a z-o2@E)~`RujvzJ!m)i8gpT0bMhaYXWdv@LPKWcBe#I*E>Pfh=E+oB_<<{*`Rzuh9Cz#7bC$gQ#LSiQjLpr}K0N-x&#q1_{oG3h^|{|= zHT&b&FMH*^gJ*31(#85U*Iu^4dF}tl-k-obPFMf`II@fqh7pE+8FpkT(CkS?kfdqT zv`yMHX_^!S(lkqxrfJ%yZGs50@5n9!g6trhfGE2ng2?KC$fC%O2%?N2vi~~r;p0bv zzYhFA2;a{=b9?V&?tQe)JAJ>;JLf!eUdQ{xPua!muCd8(+}@?noVUW0cf1fU*ki>l zR>5g?`&Yuf_&uF0`g^ZfpS(C=-Zl?H zc3AhR2loBdzUw@()3+|(=1hB^<@jeGo_zbbt)HI%(+|7;-|_$dVf{Dwf7bsH@9>|w z{%;?PeHi|uv{f7Y)Ybn?XOCE5IGA_6O!LsrnZ&~;c znCexg>eyv`tk{!U)f`Zj+D0ir@|jLP7!Xtj8?N9CbT^oZyL* zz{Bo@Q7uPNJzq7ggx4*wU*Y}K&<0A=sFS3p6(@~ZUNFF;OdX-wfU{M_NsU3VGzbZ$ z-%GlEpCz~f7c`4Vy_yxsnC_Th3<1+lm2G7h5}DNcRks_?=9w2*!(nbb&bf7DG|W(y zQLWpdNW0BRoKox9vr}5gRNHmM8uk!i8d=k@qLfWP<7I-%IMNG+N=FGbf-!1&ZB$S@ z`E*#Yx~XhG-R%^RA=AjPB-fyN-2|i@fb1LNMwY|9Rxt##y)cRVYSgC%WLU8B9am0k z8GVwfw#N-kNZ4XnmCz^>8<44H*$x_@K(^aN3>YhA>xrvOW6mlRyUp(8qwt@~(wdLB z@((UnLNSb;%Nf4Qf3Qy<|5>K(=I{Jxnfm`s%2g%Dq;akYKz%{t;7kwlrWrWIa?O-J zY_cIKXQ~3;HF<#=j>kqps0%8{iW6sQG!!9QL?*gskl-``x&^tXAx=fCRRhVJreh*Q zG&8~MoM&LVBT5q+h1@(&xN#(P7_AinnA3ohuv)YtX{h#)PEX?H z@+8ov!5}8>T3jm@c~WUrha9bwI~B+W!X?D5m=xKf;y)KXg|rac`C z>d~O27aI_Guqa6F}A$H%gHx5p|YU-wh)&`gIyd5~!U67IwuiRur`|E~Wb`9knP z{HOOW|IrxQ{K))gHo@M*f2?KIg9F|V7P&A{ck37*DlN5%Nfg&gdKtmvG{4E%sVs_( z)BSe4+GnP!0EjpO#qv1jp%&-`M%t4JR<4(-acHVzp+uGHG?NqKo@%vs4)~yzOvRf+}Xah}{sE!ipD(GSjs0J4q zm7D&nj9PD9*v6Iao9Yi{@a_ z94wlHMW0H8u>WoP^RM|2j$!}Ie^7X?{^w&caK9BU0QXz|n0NWlj+^?2?q7co|2g$z z#V0UAX3*I`7=tl<8)##2(L4BL?f2zB*#DqEFbcg-_n*B!_M^vVZw!+lhHdk&i+nD8 z@LON|%9R=F3cK->>mTFqyXS>hx4r+TH)k`OE&k)BS7ouaE;{v=gLW%lu>RAx9`oEf zH|%xAYtD1~hd13>*!sM<^WwAI;r8;ou66X$>+So>L|)~J&KLK1bmw~(UvdA9FF~C6 
z-Okm=Z*|w}_0@KI%YHJu$qmhg6nx1yhiCu!Yv1nf&V`3;WWL#_UMz2X*Nz)myMFe> zOHR9Zteu!%p61s6^2ML4Ch9JQvrZmUC+@lS8rSrJH_v!>mFG8pzI^lY?I3>P zuC0>#t)=quD-G>CHaK|uqnE5LZtk-i-7g%qc#oIwTWyu2yD7XP*_o&Q#QlkMl-O+54)YO?lCpWXAYSAM3#dp^7PFI%nt+3s4e zr7q}S_`B^Uf4uhC=DgKN>#8@N+<4(()(CBU{m$2SI%aakIak-WBscl}iQD{y-RC## z@3yF3^^02;|LIO?{ZlUVZoA>?Lw9t|^Y0YzS@N~j;tjP+4h@ewnV-(v_kv%afBe~x z@cR9|uU0o-d>Fg-AvOFie&tm!d}RNhp7EpGN(Y|u;)T7VGucI#F28kZkL`c`ryp6D znCou&zp(z7`v3o3`t$G9|G@vme_#Th(|`L|>|e#G@!$9l`#)n;rzvo4<^#lux}Vq> z72^{lt}u37kvU`*m+3rhzZ;j;-k<-}C%}7S(hqJ%(PRET_IHO4eAuzSJ9OZ~j{V)C z153v)FdjG?H^jSjcs6#6r@?o}-jHS?Xj3hYnvGh2_Cj4QC(PcvIW{`fbZI|w;NQO? zeRf{DK{`rMqpFfnv%&{{iMIeMl^zagD@)+1ZYmy8Dw~XT4=u)0(stA7k_`=}TI^_2 zDGz#@IVmJut;3~9Q`(P)u$%w}12*&R5T-$^ltR1MSc58_;<;g6w`fk)B~v5G&}3LO zU9489s!-@m4YrLAT(hn|{RfaE9W$Rl3wC2{fU6Mj0qU>{m#<5k<*J z>WQ+^Fg<%LBH+Zx8skhT^Z=_gKuDp=1zkHDMAKSNPqzZIT^#FXJ=YrR8G9llatg$G zlaI&k5YP7Uy1?lzf5^ZXIQta-mXPF^!o&}1NdCdMi%&rvDB`|9ZgfS{VJn#GBeXB^ zLkKg|rB-N~8Ix&(6^e+nqlPMs=ps`lRL&Eae4jM&p5$ZzlSOq8lLK=WVfVt0ROC$> z*2?3Y-lE%O)T}s!p76t}H5t}3e3mvHN~uhgz{~gY8AY>zLa#E)<_AR0iIXIW>8d1~ zV6i-4`b68L`*hhJOO}<7LstyA$QlmPd0uo(F5N3JF@|S=z${Mkwlc}J4Rl(qqBSFM z`Kpo2GDy7|XX{+b$iKqkfCo5(^_5^4=mWyn0L;%) z-QIMfl8&UY=?UwD2`ZE5R4!J)9^7wveOPG{LVi?B#+ZqYhaAGog|N@?nT)B%Kozg* zsV1(ubRm3PqEG?DPjnH}FsPT~3qlV}h~lu`2k=qW zDQacfQfYLQ&z2&wHdLovgP3x9+oPjVp*SW+b=R{>iI~;fsy2+q>QuC?Tpq3(89)vN zd+f*#-AW_HykBmH2A-z#y<%5Q&%Cf1bjN*VVuDf5hWeaU^E;!aY@#jQ@%d;hkAX(u z+mkRmdN<{#y0q~@DL+a4oBK8C95)e5l*7}hEKq1*POG7~|2W67PE)Nd-Cn`gQfvcf zMnP>j`DaeVXk2-=796Lg(!-{NMNL)wK#)(-cHYY>PNP_HVF78^x)DKOEDIEL(FR-Q zC@oY3yIj!%x@5K5V5v}$6__kAH69e(a#Qa12VT|e+U2Q^<#98Ga-djsM<(FPiQ%LW zL(+7{7!)g=3YR7-gCapND3!F^aC){Q^bmH!i=bTV=j39MpL+19AL{uWkH4F>t>Xt_Am7{;dDzKj@i<{JH-g z{&U*LOHfb(%48sd$Y40K4YUck(L4NSoe$tY{{Vns4E#?6pxGCMpace^2>h=B(DAQb z`fRw;{p<02pQm5A&9>?u!{_F``fTMG`jop@R*ya8r>kr|pIWf%^~--@EAQ5CUU=Jv zJI+7*?dM;8^c&kOeEjyq@BFKC!fW0+hnt&!>F`t5UU#LaxBoNJ)>>t`1?m%LT$(=n zXWMPO@X6g59k=WC8~%C4$>^2bfma5DeLfp5ZhY;#Z(eM+zyHWJsV^R|+Md^+zghKg 
z;VY+ZHUFudDhvO_Z~4m&Qa7*r?3oAb^1zm7Hn-d7&T}q*W}*(hw^{avKkW5PdacE` z+<4=8Sz+tib}PPg>LUl;wdX_M+V%cB)_j%x&gYWd_n-gj>7RRR;rzE>fAfx)?z(r6 zBi5Fy|q62 z;uSys-uCzYUcLa{{|6V}e(HHA+;zrTum0+eEl+A5Sv~G6H$S|d_ULiv?e)S2kMIBU zum9#3=iap7!sDn%c00Z~Z>NVh*m%c%Hrua|WmkVRbH~f)p^vPx=gzzDGpsy6K6Kv) zPTj${{=iGkd(hQhIbiMGG3?Dpoy%_DMZf2W8wq`j`VIC#-sYlS1=#zEh_IoNB-?t5=@&Cfpa`v05% z|6c|`|C0aU@2UR*=k(t`9{ZR4XK8|R@DB+}(6@!Y`+g0Gm)8Fzh&LOivbs{9x(mT2#J|8Uo9s2j*<))QrWlhWPI(&_rt-w%SzJ>614bFqJpVK@; zNlRY{ps9e*f>^iBHix=u+foB_c?q19-YMTHGufKhV)NkNUR0vxWtSD4yP!z0fS66{Y`q4mghH-jk5d z{TE#zsil9<+NHmdhAzctWg@6b@)$SABiI+KeV|*cs;y$LOL$Q)>$ARC$HfS)m0>mw zQ=_aQ2eEE;TY(nCLvJcHdkr5>kSEK^M4-+RV@yhShDo`Sj$mojDGk_Bn8z_i z?m7yEi~gW#<{4yE8FbPP1tv^?I4CzOqqy0E`yo(6q6h;MqZFz_Ro5C&AoWZru47c5 z;h5o6kx@#U;<*@$VYgJVuu`!^!%#7HOwSUz8epp-&4USzw2VSJFHTZa)fkj~sp=Kl zMw9HAMp&$iMW{mHh*fHPb-y`^^>GC1M!kgAhX4_ZbNI+)HTluT9Mx%vEWL2Hhd zDP}1P`sWlwcJfY&VfMT!P!GohVT9Zu!m311ZKWMC52ctWRaW~!Z_IPPRTri56wXkI z88A6E@jZFM$O)6wU|Q`1fxs&6sK((Vhw{tlBRThfx;NxP}1_yP$76l4KR<-IYry* za|PDda`k@Gs#+fFcn$B|Ns>^0LEro~#T#5aXTfU^UIW3hy6 zFhgug)+_E99%5x}wqOAy-*IzES8@9x8M}O(?G9QWf&Y}2<_xFVe{ioI6x93=aIgR8 za)z$>!L>ikCo*TatXs{0^PgpLvtdUhO&gv0psE4nQ9@5C70p$oj?xXrc$2FR`O#!B z<_3MbVr0uhkR8#*Nqu0MgJO4tkHbch&T#N}HuVG;P{}aI8bxt7z>*7xw9$?v zAYnc!I`LHLC{Ct8~Yu!lk7!?0cl6o(puz%>WyGaLKWTLKou}Yz7FN*N3rt#U zJ!;LK^uf-Zb~H8P0Tw&Ez^+hKU{^W4J#m##n9W(gilsW^p(m1rT&#^~*n*;Lib~TY zZ5g$Z>oqG5TQ{0U0~iyfRI5dZHq#dZH&PN7t9!*M(+ZvD08i6h2So~~nA0LNBy*kV zq&ZtS)R1#~-h?e^C7=euqedT&8o{JIY`89JH?x-5sdV`)Z?Yz2j|>%6dv&!{==XWY zEp~{|@|m(`HIxB8E&@{~3L1=Rp+c%BI>Ta4G(rP6)l_#NAR}M2n_X-Q4+R7Y6*@F> zg}4xM)lt73weph~o&qA(j@4nkk(Ob$HEG%rR}R$(1~J^%2;UZYy_D<8bazqref&LGxJ|7K^S zz4+9v*4%J|b8lMr)GHpnZ0pqyd-#keUgh_^Y^Mj$Xk2|!`Gp1Y?e?mdXP&+v{M^Y> z%d(PYcF!#l0E~36L`RO`$UAF#pE3DUi<%(y&BOZJIw)4+ieCCmB{qzE4{G%0i z4F7Q7=2x9LpFV5F>)0*tJ?z@MtCwwRt@G3-`>eOYMpr#azV(aJrZ=%C{_4?}hrc>f ze0qi7wO(AR+eBwXMy6zh-(FN`vUHyKCP4<2zSw z-}lSWZg+s;=65|FuCu|j&=vkc&v)P6ck72AF_`O5`No!JdSP>w^mp%=_qENBSu6R& 
z>rY>K=%FiYv#oRONf+(=_)mU)-sknxcl+h4wz|uns~?!#YAa&N?XMldaxWd>37cQT zecK=Y!n=RxeP7_WUG7i!Z~Dg3J3PP~vij@gqt>W={rSa5ZDF@=%zyQ4sJ`mOD~Mlv zX75;A@PpOX{lXdR?b6)U*^Yf+LHyNMluJ&3aMc^*qmJGPSfIYX!EvjcF|T*fB}cB+ zdHm|FpT>5);Y-_H!fo-`@t+^wUiw3I$)R7>mOEuPOuZ3VZ_gjf2Wk{Qt*dA4dPJU9WeL52*k7 zhv0HZh2fV){|#Dt4wgm#O+gsH zRjeEN5tl+HYS{s@v`I%bsBOyQ!Z2pJRyQbXl>wI>^?JEhYd9%zBO{f=#Uag4)FD*N z!hVbI7y8_AY`}#8=;fw`q@PTzBCm1TILoR=FtRIk7oWsYr$J2GJrh>tVKU}&U@q$O zh!V!FE|ei zi9)r9%5AO{lzep92lTwv?GJ=u#~h2KiK|)t06jF;i9?Z4maW zwK^S6)t=6@J)Rfv3R{!Fo>c_0L)ev)qC(QGLOwqp+wM3W3sOl}s!EZzN;aj81UFMg zS(S6ils&PPx)>G4R#r`95fy2*LOrVLsBxiN@7Iam z6!oie%O-lnY>gyAuL2GWQl12m^0+RS+f1QQm^M1RC6!A#T+lvB4Nz&Ri=DFn;9^@j z1uD(e0R5N#8$bE<>Ax-0cJp@zv`qbfl!BegNHm&e0o%;v$%5l?gPxrsP>&0`vfovP zeUfccbap^Fk)Cpxtl{Sru+a<=qlIM3u{EUkk%nIPG|Uz58z zy3-0c1&O(wB1x{B==^MZ*ISiJDUB%gN|C~8ZR86Ki^s!^2b61cQcx1DqUysGZ*fG2 zO}lA@&$jV|#M7BdzQawS{5Z>sctqIfY~)@6uBF*h4H}NxB_LDOrJ*|!;~WT;F$L9o z_30?DFmMWlDZ7+sDkY^o(VDdq6twcnFgM}Hkpn|`o68rfJsxO-tpaSsM5^3#EB(Zm zG`8CakmZepB%u4UWbp%W(xs$Q-9YU@+AB6YbPwP}H8akQV2>w4loE89 zo9(S4k2z7k;W$0U;VMXPU}*?h!*PVRks7X~Ogx8s+1cDPJ3tk~gJ@c7dAU@8i9!V0 zb2@Kx9B7UM&2gYP4m8Js{+}`k1EEhO|C#Im^Rd`_`Ok%`oVwvBfd7ygj3h`D``7({ zW;6Jo_z(06;6Dfi5jY7FaOT7FpYJa|__4j`uf5W`aro&M=;b>e z`0Z`Ce{cECmi(px{OUWS-M;ipZR3;I=x($ED*%VBw9&8Mte$$eJulL<$r_;am z^a>~6zuJS;g{REF=Ew&#>)jXhE^mE*^{YFpO+J76Gp8MN)cpJLv$tOI%=y=+zQ4u7 zV>c?^@WUhb*>cg7o70DynL zcfq4w{h50X+VdxiIQ$zgzO>bA5AJo%_Sf%q%1*a^M(pgp(fZ&0^}I7~9lvbdxBkzY z&mDHmg@^v}l)gs4TXUF+JS^4_2!omHk z-hAwf<`VadM{IfIq3ZDA8}6o$ICRMy2hSf~__}*G{N^#M+`i(@-}v2!UH|X+|Nk)m zLGkzUpE>{kvDk;>Mmp z|DUD&=iiT0XJM*gkqt=hQK64Qq*m1jKrCv)Fi`y`!|wfMXSs2#WtwXsPAM?}@Dr4$6MHU{P_tV7{RCTG_3 zWH6kuHQj3txT#)BdSfu0 z1#D%Q9uG4{f##7BgmZAET*@FdC=L^B43x_Sg9%Ywq1@cqXhiy$8X-9f^)n5zITp;U z3pV<=S*m*?=Qm;otFRGfBSQ~Cq)w=!fMlZ+O+m)_-UPL|YN4)x{YEXPKq^eu5e6$% zMg~1?^ox=R4hTZ4)?;QmlJv5pcNNL31Lnjoel-45z-sMbT1YBmreoz=p^x`n%;2jY zX^zW{CLvkfX2ZuIhsZj4RDlUEo-I+M*KMgI%&!Aho2gC1oLxfOEIrMcZLvBF>&d*J 
zgk4l0_PHv}(4m);T4GdbQfQ3zdqOVdU~r^pj2Z(|EQbqr$tz<k%r)fNXyk*b+6g1 zyI7J$Wo}SNJ0fp%Y%X7{Fk04jiiNH|9t1T!9+!{;K&zNj927HgTgS9<&1&aOwOjni25sH(pl5U}PrPcTAI$V;ZBG$%py3;h8fZa)t^MXJ+>L~2eNEh>|{xpMr zBn>!ssRmr>A6%@LGy-%kJ@{$nKg+V+{GIx1dx=a(+)edfJy6H=z33p`KZVi3Qg9&^JNCZg9R0c};mfXtJ z(Hb-$vJ%uq4K=CDj7qRdO@Y9w((IF#!)5B#F&vMkv%|q0%uSbpv`4{|<=6U=WT`C{ zEe>KKgVkvqFAXdb=g72$=b>7`!3SfbZH&ePEl9aw*_o12ixX^sD@8*vAW#L&dJ|im zN@Jc$kzw4|bYu*Lq&}H6GF7qE7UC(ynNF<=dmT8aSH;Xg!ZjI)3NQzESe&4HT+)tw zj8W}Is6nb!mz26zpADAtJsq>ypy>!$sg+{2Y(gZpfi-Cdb^!2VX#iWpkfOYI`Oj?o z@ji(Euf`GXG(i_ZAU-AnPgN4K8d%)#9`XWx_t@jZ2}RIXX~qpnjt}qTm71 zj=3b7j?{EX^E!PRGs=e6oNCsHx01TTdZP@OwBn+nm0Y?Mbc=KylQ{s(lwe-vsFuxT z1`1-NOqUc=UL7i!tyF(piUMR@0|~UF*)$`vj9Vy}el|xrU8)exE*}5|Yt{?AI&!Dz zFdgOwMJ$&m$9Rxu#}%CVd(bg&%ROPa%cF|@h}?PET`Pg%w(Hz2Z| zE*EK}K1rfx!Im^HE2c9&94RystOoTAEZr;_ec5GXC2tD_rk5HeV`qc|U9pAADm@a& zX|>3T{-np*N@uD_hTNN?&6J2MfAG2d-^XF^VmIFQnUyz7->&wAS8qOm+vwa2*Bq?2@xEVv{+5lF zr(S#F@|VS@F01UaNWT!c_vO_(`L*Y5^E`0h53l*gU-ZjOD`L;@TsjJ=yOff7M;v5B}xC4SuxiQEz4| zc0lzA1rJtz;ZM|C^Y_>)yWGi_9rxM;^mb3&aqKnF9Y=7fUmkwTqnkW;Bz#tP>tl|- zoasSFEur zcxm9C-CrBrEk~9 zs$ASE=W>9Gpk|oUou~(Ug|ZRlqe$*e8nZVoTLX1CO!u^0q{E$VZ;C`R(=$n7RM%T6 z!o!k?d9;mG%nH5!dSgO=vAveUjNm}eGnl^wC8qd|NR%a>~m^R}~N6Dy= zMU#3-LR-}m(5v+_UZ7L>IMb`brGPgqdG-lKqDl#6nyY0biWqg+as*c(PR+B5%kmiC zWoH*Lt*PBp0XtLqi1j~oS!=?i(CM>iN4HELvK2>fXR2o3Xv;!TO>r3p?}l`TN+Cp0 zFPGR9(x5Oukf5BGDFKCiYTCkzm1@wEW1^bN7F)$hh4pimEAj;fLlLT9GD;0p(QD&2 zSD_m+I>Lh_?t+7~pcsINPI108$wM(QP7}P%`%or3Var*n#t2|~LJxCB4YgpW-Rvew zD{HlyYQvGIm5iOs1v(Gp(5|Gm(OSFLVvFO`rqvvgqDUJ6!zzkIJ)_o^$wpaBcgH%d;>}P;0^iU`vzty_Oz{ki?}tFw=^<0js2`c?RqlO z$roRdKfsxy3ofRLN}uO1W3XUH*b5)ohcHcqtOaxCqu~rv#oORU=9w9_&^|5Ac}-at zQ^maJ$qs9#mnmo)7h0@{xqNRrwyCvN6!j|FAAa%2^K`*u_QIB@<53C$cY?$Ak$d59 zayL8QC5$cZ$nSFFsJ=hxryBo#>-|o*Rnhso7cQgki^-tvyl^BzsYBePMq(3o?A(dE zXA7Q|R0ovDPX_fhkAdsHyzO|)e!}v7$%W+>fuXNs!OjVBSdx(}7gh7F8%lcg({iW- z)GE#8uVQ}*Vw`Ek4VW2{%VqmR<#$cLX6mxU5?H!?U8AIdP4;TzZYXsku3AV7+>VJV z?j=2teFw1se9m 
ze@XQ2%h?g2<39#pvcp>-Nmy4Z7B!WtD1l!lmjyAnFP>=LM%K|Gs zf-Sa|xjX1neC*8&r69u^+ZpJCmSO!aIT;>ta zKA(C{7H>NwukE8MECa){>UY!$>^qoVn7u={rp<3|z zN7_F%H(n#n7kNFRm}ETm9_)!c25n1i{Ias4woVAhfICht4Q^ulANcGwJ+@mFwt;U!Oy}a&nSQoX7iZNfJxz;hxj4Bx_m4ZZ zrf7AK@5S$rW<45$cN6evLvd|Rt-Yhe-Q6CoB0aV%sXE%1we5pq$@J=N=i~Nj`uz99 zPlB_xaUkSB*;5-fpe^EaoXbw&K`zZwk)O{JY%8JO#y0g6B%M%40?WO}us3yO>%1*! zZ{77GSC2bs?It-D83@``S-e0$_Zi)_z7p)l+VI_cuSQQhL}Ida*{pxUMuQC6`$6!# z^4zZiK6Q-}A2l(`Rl9e%4y~=Brtqs|x?uAr=VQcsfs=_}fjP47o*REK?|5j+3)m z3FFSo;UQh}8F;Q`ZK;e7zn2Kc)qmqs)a9lGzEYG07;#ZP-1(;lh|GLOW>!i+R*xkX zuF+GofOTJ|p<5b_;G<1QRFpmbdzP;4QH&{<*8ohYGq!IHH6c}2bm8Nk)Al<_K6 zddy^JiD!?o^p=yrX8}c?mm-7zS(UPVKI^m)yf}U6{*6f~HHa_s;P+Li`2ALuu(0c= z+c&hl5+*HG^q_g=>O^%p59RY~S;{hXe)glM7#C4?osE-BN~3jJN`$1(RRq(;*;?*)nLN~JOYfcUgs(^Bol?zQQcwto6Bsd zvVE5Mo%-F1|Dx}jMyB$+-4VQ!HKEz~Kte)AmaA^*dD&zhZJH_$on_N9=9n>p!-mz? zxpBOf87Y5_nyWP0wp(iEv{w6O#qn>Q;6zn*V*G=qRs5yxne$OvOyTyTe|3qf=rjX? ziNlUR;#&7w77(#w4pdF26G06~p(nW6FE33YFf~yK$)s{9_y;XaPw9H)?Pl99>E?5om_J?} zKP$F@2nSp9iDOt~%#~GG#JD$MP*cc6T$m>c1uq#oNRktQ5aSwVV4N|EM!3Iz`R|O{ zNJjO5tiBsc88*EotCVmehT+2KH>jUl9i_q`VZmay7e9X7Nls6WT&8dxw0Qn+G>H77^NIokGtSg`w{_Rj)aS?`068b(S&P9hLgn;J|(^XFrqX zcaT8Kp}CN}Dqx`7_+oV#{DjXC1}A2Kn=G#GIZxmsTn9jsTe?sGxm8Hy#IJTHXZK4c z^YGjGex?9kV4=^Vhzl0^G%tp%HRix4+_ZVT=6#fBag-^>H&@5lyK%=Ho=LW0&qMAh z!lM`9sM!qWtJFS#n>!Wq#(ggEZr&*-q5n4fu}n5GaNtB%Jl`sZ2ty(uq`6Swpa5L) zzs%vkKcXeqJs%5eb)NR3WF(Gir7wDJW?ne{?YVE>^|{XJKX1~}XTSdf^+-W1Vz^}Zz1EY1F4YLP~dzbli@)sXZP`}nmqSSr2-e1@AYjbUF{E=4ahlf zF3-06L*?SQ0QeB|CN?bQXS83;Wnz$2m<4)4%uykd5DO3G$$^g`HrT(!-oZV6Fx7;1KS>ywL zooLa0h#={%H+Trs1MZ%s0-9%y&AYs=yPwSL6Ol9oDFBOI%3agsHT)*+Ovh(LZk8uF z8!FhjEjxIrK5MI&&MUXDtyyoW_PU59LSC)o2~ZOX^{s&+j?z#wZy z$6)b~`PI4_AIhcIeT6>2?W%jN)}=R9-xTmaldb6AkFARHL+*#s3<1nGUg^jMo&T2ZuA?^%z#Xi<+r*DEM;9Mx`2bf>V`r& z^1dd==J~9nTroD=*TtWO1BjGttgQ$>V&voIMkyEsO)3g|hBpgX`w~~^Ge}Ioh7iU9C z!Q7?86ju0UX5^2ZMkfv9UpVE~388)hKU~>RDYG9_fz+7w(pqF1F`cnlIGuQ^O4lsR 
z+uSbPhO0_w^@+>4q*D70J4vINM0zC6h5XC7UYft$`E#O^Y&H@(~iJntE6!?=yn6AYrP%_ei)C`xI&qgR)y~F4f(`j~$X(2KJHJSd9<8zj5SzElq zu~Weq)-QNoJsugXzjZpI9fdv|>PY<3!<@5bQ8pnlA_$eGp6$aGs+?r?4e11lH+7fp zCF4ct!m7T+~?49IJ^%Fcsa^Fz|W#6B#X6 zkVJ~g2#-F6E0)9B!UXUfHO^5#36Hxe8ObV&XR4{9YNQVTkTCw+uypY-@S1u5Qr%{(0u3JZJ5o6K-ADvZ3^qlfy8*=989y7Ybq) zwfdW8>2wv2ZN%;adkJf^n@F`|VN#y7|FViH@@+{lM(ab#9AQ4}WR8<%L!ib!d%T;o zfba*>;;VoZO2^7})rjZ?Laorlw5EXY6*`5m+l7d?{jDN%&a~21%OBsaVkyDy0 zmozT8b*KjNKJe=X8L%_7{W2Ywx&B?QK`KOA*2W$F!ea7{1KEjKaREbtMP5F(%0GWL zLwh~zf%`3V+RJ(6Ws1Y(5Ti0Go&&(?1;ZRrmNC>SoRVWJ83~r6YM+&~sq)de1<}6u zBs{SyCRN9gZW%ZqGLs}pFrXO9Tm~0c>P!etv6f1(k_QZmo5%)vQ)6iTO@Sma*jbXjp} zcm=uvT-Hw579l4z9EJPXrL=jm^8JNXLY<~>dA3T~dJ#p>39AnAp|tq@JU(n;_J`LK zgx%@=T+YvCli)C6+;HFTFX-(5X~6*4}r-w&DLXe;9-W@oCqNUF-)#tIpSbasWbFxy`hl&?+WUXI*1$ri<{?KPdeIP=R3I5bQ zxK+~=3mjc6F}9$0oOd4tLgKpK{N1uTu)`G66=7fy1cK2JNy8URmEcUq8cektD6~`d zr)@L`8%$*y)!{GFH7XJMVo%r!KDvWlHn46DQS%9LI4M4-%oR_*|$CyFW~}! z=Q;0_B;%W|N6v9N)=P&9`iwm*`ko>Ep_y)+K@vwaVHbt#bu;VEkd|}0-MPD1-MgEi zhCzvSeY-bsT%@xfRklYr@O_oqR(P<`vzPXK=&=o;MsXD=!ar^oBb0PmAJ@76=0^Tg#?*UfDf{ZskE zN0d#iNaAdxw{GkBr@!%QRqa@+z_u{P&byqm+&}L#sXI*O8taN{#v1?~8l7u(VB?+J z)eoG@u8Yan4fO3wpvU@G;B&(gWcUUG(18R^%|qTxhf;4y@|8^YrYz;b6AvV5aX3^y zNaJj7?}MNtwl@gEmLNolw70l)q(-m{GWr1wX`lg<$M5mtjSk=vOP=N#F8X`zN2|7O z{T5|K}8mAo%(F4MT(H3=~r%qG`FRQ*+M7vU1TqnGVS_{FSgbh-`9MoQ4g|%e>TM6UUw*U z(|k}SuRJGG%ESeT7O7H5tuTjf$C($gC=IIf@MW(M!{A2TIE7}jgZtEMn~+DKekrK- zR6qte$jgf>gOqqwY_Pq**x->DPH=|8u2`x5C}-%6DWJ)KrIH_#M-W@l!>)evUXWcs z{%qu~`tU|1bu|aF;SWx9lS*_ljAYfszwRDNUXQ+Lt2%jE4gm!}n*7=kAc}qCy&s5O z3_+JD{AwTLoNNU1>$9}bAH(9&W-_(%?GdP*5k{rI-1Pt&xIm+D%kOY+EfOa$Xx~&E z$mK^)LRG%Qz!O?SX)+wq@VKoZ_FqJQ`$B&g$)hNvY3KjKPE&lEHM=)haAxHdPZSf@ zZ1b6xf>uc?qPc$qv)>Heg6H-b~VWj{WXeNMj}MrL~ji z`stxD1*~C&BWz=W8nWci{BSfRFRha_yd0SFz#;sR!1!j`&m(P;!TrUIDrbMONNUBB zY4#3^^+FY*d3iXMPF|tTzOo45Du=K`q(E^ajfGQ{kP+Z6AR)7$Cl8WDRCD{X*6}H~ zwRX*X;ccEx2as;*C>9tQSe96-WrFuRP^x|*9gOw$Z%b&CtL!v$UG|R`(aeSdojx*e 
z@$U)?ze`d`k#iENS@70B530(Mb_Qg@|BO7hOktzN8jxih98C%|=k_)z#|RYn!^Ikd zu0N9=K@=-xaNR!;jv+u>J;>QH|NFBWd4El@@OM9~HYZ&d3xTUJcUhWF&1rebdIjadutH~m5zjpVgHi_1}}UGcW$Ps$WN5- zN}@6T6{j&LjZjMO!qdAi#Tk~n!E2$CG9-MH~_kyn>FyYuVGv@-m@Dwy_J()ewT3exlNXb2!dLmn2AD!=Yzo| z2q}=mcR%5Qq{}bPbu!~E*Wr?9z!09q>t^o5_>=?mwaC^b;d8h%eJDO$ceu0FX7KEH z*0AY@25;V0MsNB!VWRS$`Rv5IK6W%x^gL~{EcH+zx_3Rldps4}2^@rmowzP8pND$l zeAVc3+Oez^T+3}UCvje7A(?NUJJM^|S#Ml7J)Aq+Ftz5}@N(WGHR@Sd0xhJZ>bu>J zDokxUj1kytUN5ROKJl83a|HDJJ-|VpUsHAJ7SerMsLG!v+H0NQlvNL%G9RmC(EOhK zUt2C~v1-X_?bnRB}Cbs`#*6RPc zf9xe;^xRPA%dW|GUgl7O5c{U@v|Hywtn5xMcDDXB^eLPIt8AN=7%K(329*GtyYH=N zoxsV+THU7egVb85B(^K`RzdK-71Ngg0!hyd?t454_1n*noY&P8c#ZxlK)~U`^kk>c zQ&;w)m)YP@WNTGxU(6EA2E%F?SZU?-w(*ktz|Hl5VYA)8qk`9ZROibS(Q0agygouEg?C^tjCfEpxd%w6N@ug68 z5e+~2<I<_QRnay zO(XAx)mpf8;r12l)v}3sKaH3u-f^BuAsU+p?zRf?7CwJVL+k@4!qw;31v&qSeKn-OHdmZtklAi?6zjQ0g9b{WT_%X2!HDIpX^g(WxsE z*VqDKI&FPDANEj$i7uRDb+*l${9ujyNlk+38`PXBH&;ZGvq!e71Sb1zhXw7*gPcUl zb$(gozxyO?%cz!9kj)6R^SAKUAksu@7dVUh#LvIX6yL1C{c3cQf)&62;8#d0sth42 z&^N=_8L;8&l*<8|Y2l-*?|e#GS-bqcS7zvRMB`WqMkGNSoVQp=J^Ztx9v8-&dtiqy zZXjwjobGoj-u3^rqH4H)!O@9r5*W;QpLv1?V7$M_{(J`QFFmc-LK~b6Q$#(oqe$xQ znqGD=V^(|S@`e8-tZ4ICYHq3^L5neD?{kU6f}u(|Y{>#1lx88NbPO)L>sI6_B40>z z^mkUO@PwtqWO3~8zTFwQf_zG?R4y^WD7P1A)*Nt@A{BgkQ0%f?Gc?hori>Yqh=9tV z!k?@3WIwy&{~;b&QcXSBwyq2nne|#m%K{afB3Y8ZWJhZy6%$SuMgGJKs?VFchxe`j z`&44yl=DIdPW(`4EM4cmLhk87N7QD!vpj=bmc8^0l!C3-!$3hCahgE%c%bpsMO+@RJr@t2%*qH7hT>+ zrpkTzX_`s9pb&_d9*xR1SO`9WU;H_Ew$si z*;<>Hwe<;U6#T;wRN3QLI}37DyVt4>RjFZ1LbSIr0%|Ws%}_NiwPsV|P{IxcyLLVM zcfK{nj9cURgt#`Ei$veW(xR4FR}!QZy0(oC*l?PELs_| zOMPzN|NT;imbww30#Nv`r{(_bV4&~%hW{wmK+$Pi!3mlxGKj&in~eN+k>uQuy~qgb zVjGOyr4wLdy{ARz(qyv)b2~v}GhXYmgi||Wd1;GKBUK6QlUFXuOQAg z&eqTWzXietA1$)aH4B_hf9R<-_E`l!Zak%G`#`^k`O|PqZNuEdzK6Y2y`oEfK@i=+ zy*~gQnVdcL%X{`TgG!Kd!u&Tl-}<37n3@j{6X)E3$*Z><#*=Q-^nB-@x~5}|jP2(K z=JxUvVR|&S*g0Hp+0}YJU9Nj-VHcgsw;`{)wOKHi%?nz0TyNJ0dns>sYK;%)tc%bO z!}?m+m#nQ-S}R$;ZZYT9=2?P%@*9_{n%X+o+n(;{*R3Qr0Po4yC*40FN&-aS`h)L% 
zv8}l-1hjB??lqpsRM$0I-H7eo+TA-9CwLIEmO)_S4zapJmbvVnaE;q^6KFbhzciQE zG`*6e>esJsT$@-AV*+%IYxcwf+osyDt{m^@wpMIPHHULp(!4tviG7YgEE}EPBGxYw z0{8W!x8XVQs=;|(UZ;BYBOiom-xlyp$jIPYTrPEu z^Zud&;C9q66TtCSpZ&O*@iyWn@$DL(v+a$KEBAwgqQGC+Q`g{W*y(y2Q?)!eQLLRpRWDsQ4oQ>P4eKtD}Z|s>pH-B5xq&)eBzXj&t+=N7HjETb(6lEFa$f*?CSnswTJ9eqru!KfPSHc#0&j zM@YY(ApO|ZwfJpj>!DmL^w}iBi|XK6GaogMdd@kjzF9rY`pv~Vj}&^Srrr~cbh>1U zN0|XDyjk^I$yi}1YOI<3~PK_<_ZEKP019H%jr%2MMgT0e_5CsX*!(_C&tgcgS!bG{%@XI2FU;#1yz;}%aQ zl6`4R2k05NhvkpqdpN=0kTBPu?x5Epmp)}<&u2kn7)itU=!W~p%D(cBKV8e?D=sRmv>;|Bgb z94x$elom(q?BJ*65k<))*anU-?7uRchf_YyR#8L-{zeV&xLmSUGf#5}b{xQ0;-Td% z4T$s)6_=-&@6czcuSa#lXEq@4ZCJ8Qjd}_AM)B1}jMZ>{-1H`&eDPxE@8=U<4Fcxa zZ7<j7>6OP5I}Uvkl+|lgX`)<9cV0znI~%hI zHK-VB@~6gnk|D5qc_`V{)O13*7G>BNg)GY-;-Oogp=W+bz{h$Z+A*6-&yO1fmKyG?UifWEZMQfh_&?;aKZ5@Cs2!X2r}H{W^Ab;mpRTB%3{N{%H*3#yyM>kMeykbXYe0E8$;gIug`S zzmB-%fKM0}W}!Hkb<(lHKIHgZr;L~}62vm1*cuio*KjgZ%Tv*y@&76BTSUxglsz8< z@7?QFt?5Vil?R%IT>aO?8*G^LGm$y{{WCc6Hj9zNrb-<3c!62gvN~2iJ(Z?xo&-Jac;^J_DSBRT?{sr%tkITW z+(kDscJ0TR+r0C)9)ZpOR1y}f&| zdVsT0OhjLETvs~B>|WJD!3Q~=@BrTRmq@Mej_=;~{Jy7e^!#mac5m2BIjuvn64lam z*?yB3!{b(e9ydQ7b?dy2^?y!fZeU6Rk)7I8a_@Y2+ z-4SEwoc`-o`dYU4qT7V$Rn>h|b*tcj=w$mmi0B{}6 zpy2sbXnXHW^3xu8kx$*@KCeWbbvuw;@La-TKmD^7`kZ!Q&v z{yb1RcLh@VdU2N<(#{j7khp%LTaU8<( zh*6P8s2Buu(om?fNY-k0kG03d5{EUH97o{=4(woHxxM%pX3QBZ=D``9C_&$3+UYZ2lM(qiepk2v+rGL@kl2Vn^g@#at*hp@GR3%|9!G@7_|!= z0`e`=MLX%aLewiS1rIJj@ZSHKr2Q|}; z$}aDIWWWF>$y-^tI4^*DZX#>H^;9o+yfsZKy^cFQ1zN68`d2;Kb#b@oTUJ4nfL0WF z1-BzCfY=I(C2$y|MHQtGY8+zE(cn>$^OIMrQ&iZ27DHS_e@teOcs_g5y)1&c3uBW^ zr1nb#54VO5v}$i0Lu(3CX^0eHh$?v5*n_Ppu|N&w(8_U!LUHDyT?{sB4mzvj3E$ zA61Ja@yZLJ+l=Z1LPIxLd{x5^i5%S#Qh3(aBMjd|I4u z_Bu#*QrJEKm6u>QO3z{ZO|)ZB9UiGqy@vAJT8!v)b3{ID&<~m>wgeIPwNK=8lnv*_9%|jHoL?QV!Fv3!V#od1(?^Rsh7uO!3GLp@<1BrXYaayG3kQ${$`V@%#4qhXznH;G!^ z886?fqc}$W<~1*zM1ay1kBL*LkMD-DLLb1w{^4kyvVQ=5OYaiHHx2}>zq3l5kh#+K zzG}pMokMRlx4CH@s0wS+z7)yE>8$QVj|8{v2*E*XxtJN;s@1^S?jVlt2$8wV%?~hkkkE7eW)e0UbfrlaXSwyd;Q#Wy*Cb`)l 
zbPew7NfH4q56Is{9DbdgR$Yf#u}oiwmFt)__gC_!XJY4=+}gX#T;k4)oF#W1GvU+p zwcgG)*Bq^{eEiM8honMuU88;;^C_>(n*}$(T@yWU=9k{`LEl3F!x56)Yh=4KuY}&~ z4wL+{!Bd!e&smG=p{z>};176gu8T6RmWN=f$KdLqCXQIJvu+i(XZ38iwgE!$K=MR# z{-3T3+UowV+1EVD2<2M46+%F#x;l5?Ab_zuz902AW&Xj)5OUJ96?mh~M=w#A}3w$2cTHw{A%a`X%b!n)P zQs!yrq57M}TW>Pzo+%BVK!iaiJCR}rDAY@~5VA`nQX57( zM*K0mq)e>hLM_lpC_j&ZR~+4v#DF?zLSP}!O`Jr=j)`5~rkwgcive$8{@$>kig~n+ zYV)bGz}~RSs9dYC+Q+F1kzwNWP%<(Y3GR29r`5VV9D{knn3ZscIzzBXpR6mAz-Fq? zFy0V{fGU|qhCTjn9)j6U!>M^k3mF~V9(n*BcVNF=3l-hoPeJHgM1~+5c|W5Asqs@@ zt6};|1WoEy-=HD!e)*2yUyz)1NApHf0zTA1&eq??O!qzo#gS8KgrwyeQ0xB0<4xfI zp>~I1tC5fh#Yw$ukf0pJKcIFN(;(0!!GIbRAYPMNN{7l~6k->cRwUKB_fTIutIyvL z_Jwd==l--&mAvO;1ASb2N&de}Z#hIER0~8tY z$O}z%6qo4KsH1?huQOY!Y;cVF#YJ@Kw~a~hG0DJ7s4eOLu?is{NQPAeFv>UL6>={c4ebZ& zEy(8;C$Ws6v#f?75$j)84xTEOt5VqooFFxul*Zd9XMgs$RP-H4&rcGv1RzI#;+BGa zFzPY;saCKuAy-=Td3+?Xrp7_NkJ5A43AZLa$al$3O`OhOl(Gx^nioCgdo|9}Sd3Q9 zKW)J(jZVg@JltQYgZVW#hMB*8SCAChW~8Gviws&+0tr90r=YK*@MCX4Rv~gnnxMP) zu$KX#Xed>89mHf$VF}{X@ZU|>x8zQ=CR)KL;K$Pn#ggT4BH~Qk`U%cF0u+>wgX*frlS2xbvymOi{;>k<{%rZh}V@g&X9QmdQU@;Do>a?mH>uYf+Ka6q->b+U2JY#B!+y)v^WHs%e z{CQj$jPVX#DfViL^WFX*3~dXq{|a@B#xR0)&J9Mgcz%YK{MMkCiwHMuMng~xb?>xQ z`qz#E>uUUC2J_>qn;%M5gl{8(9+-9-ro>W(G8m3bXInebjDm1A7Gliiht*hr;sGv zLeV49dNLN&+-n5EgYDmg4Cb7VRNfoUmi(SS6br1FUm|TE?URodMSzcIzVhH>uG(|z z9JlAMeVezMD?~$FHLY)9>m|={IJtF7tgS}75vzB*h!PtPXXONBpuLT&r_~EPTh5k6 z=ft|3FmRP^&l=F97I}@@j2b8a@rRW-U*^A^-ZHV{dFZ6K3Ci{!tFhO2bH8g@;1b*k zy=XxO`rfJF=sB#rY23EDB$$7&I|x>_bv2x_~UTQ+u6V*&5SMW~F^Zv2bgcaL$4 zE{FE6Pg%Zx?$2K(CiToRDX07fld5o9J0O=A`rbxo9EB1JGn^aEUJp-N1VH;6^B1;W z4*l$hU)D$Q1%DbQLpuL}?z4;G-QN%B&VU}n9m5bo!JUN4r9XjQW*Z`Uo30&JFFb3hdV(f}hmU+4_fVkvTN|kAC#KQH-9AV)zcrpkIkdT9C7S-*k4KiHbsxPu zjVLB?R5Go)0C+({xnJdMh-GT|#MW;83Us%@-jmlLf z(BpWWZ|-#7JLnq#;`)Hw-c{4CYLcGn$9oCDBzS=DsiIkaWn26rEL|;y`*_&C2>i9? 
z5mYVzWr8H<>*QL~>o^nV!eyCF!$-c@ctuX#EW;D{26t`KZiAygEcQ6NZ4gOD2UeRJ zL*hq|+|dSR4!7}w1ovKKOs($YE(y-*$)#H@Q61qu#lv~O#Cp@>p+eTqIcWT>@H9Z% zhaEgp9+v%QnILRif!}9sH|`J4<$H21r02tAtO}25XSQCA39km z5O3#5L3U23Zm=h~--kSLwWmje^_cxh)I%I!0ka)0*9w^MFBvcl9GWBl%YJwTNW(*9 z5$GaAJ6zf9n=*tv>zL^nd6Rd-#muo}L!Qg-kv7WJq4W+V(&L1~jV*F#7V3Kx)$#R) zcTDY)@*&`6LJ{|8xY0G%zMpe(#wqz@$o2@5GXjFBJK1I}i?!A*y6TRpOd^GS!#*k| zvkmkA8m71Go3bkARX=h5K{H7y1^kLv^mnIBa>v;O5@G56DNJVWdx}RT=D(yvyx}KhQu3WKhE=gYT0nB*e$u%%68&7+MpJ_ zu}nF7xX^e-Hiu#rMwny&EOBza-~77vOBTl8;zljfU6Cmr_PO#|l*P4~5%$mY8T4OO%;)|j)aJOE?r)QN^mB`dMLQz zj%xENNBt+(%=;aslr8VPZIdHDR4Iy#!+y}Fn2174mL<8SI1zizXbnWSPX80koUW8W z2CW__jS5ePJVg>A|1dO%S@AQ9gh>!AU^!7l$KL4Rc&nd^J6jl+id&M33!5ei80mco zjxHBa6UX$S)UKgMRd?K$=fE%icc1sGvMgJw%Iy_HilfNL=2j73i0n!dH()lJWYu9i)jH=R5w#klcJm&SS8tv5vYQz5$={NCXZ zzvQhEZhJw*nMZ~u6H`rqB_F0zt=m=;EBxM2Z8cK8aLf`CW|vJb#5_2<5o36c3P2SsR2& zLq)<*5xxFq9zjJ?A;f^@Q)VW*=znWGew-H?f@8|EkU~?*{3C&~jvwSSMdKw*W#oX5 zbnCN3`0&ri_Ejd0(|}&RH}0EwlWNz>*Dnf+Fe?i42>6X>R$KRcgcX^|Fu^bf4axT3 zn@p`7dy*HWOL~vEp_-uElKvSFI_*Ccou)A(PO$ovPA4_SC!)jUh_E-ZDtp9t)- zT1EZBcOlCxfJToBPqT(u0M$a^+Loyx6!SMmEVB6Qq2(_d^sEzsj-l*qY?@q5o22uC zlcVB~5=_j=g$ryY`p=Z3cFYv)7y!gZ2Vjw(UfRSlP@ivnMLE#?i?^W^`gXJq?=K79 zh<(7q{rg%%j#uc>2`PNhi;MkhV#Gjr2>|fB6d4A0IOJ302rK4dr6lQmX3Y^AvQRQc zv{y5Zs0FV1g3tUu!NYmcH1>uc3Uybs6y@J0JM2c|D!S&MSazn>R7NiSS(wxKt8h*$ z_!9ZDP*1LeLwM+Oa}4C~pjdXjmkuI*VGlO2HQ^C>5PAI|VZo z&pw_oVuftCPphJKYFCXwOJ3a1QXa2Jlj4YWK5HWK{rThr>LS{;HxxpuL;@chhGXlm z+F{ngWrNz}lh0GZOk7N$8D}l0P{NDcnDR<%0iwgYT|i#41vriGD{R-cRa zmi|BGrH2)}CI^Ul2E0yx&HY&5cYw{oB23w!+**iK0gNyixA0d;HyAz?Tnr9-hMR{_ zutfGH!i2=@cZ1Dy*@$OE&PRk#tBBOs?~2X24@!872^5|WP8BYid!4WB6niu}LWHhO zH9XhX-d7v-f$vcEd$|{!?!CDh0xtvS+D{v9SEqN30LZ3s+ZuZJ{nOEEP!|)9pTq0| zt;b;0p@622d%7!$g+RxX-rKvu*p^x9uQ9IN)lj-xNH)5gQvTc{jgHIHPWvq1+2kliNFyk))$VQL zYIJSD)3vz$^y)EobJJQL9IsX_anY%;R>@z*uV1<)^qC{BAa_bGo07TjM5yf`{0h@88Mkp~ud>p1dEzQgZINO_Cp1t?xSJ{|{5& z*j{J2b(=J5Y}>ZY#-h!GxaYtegv}F; zU7J<(J05+$AKsBO6PD#3?Nly=Eq{>o9G^d~Pdo^KOLEs&JlR5Ad{+aF&b!{iFT-c? 
zLLI}37hI0DEt6%-Fa9I1d%cHz<$T#Q{s^X*=D`YA%+($D8gegs!%y#Yd_UHX@;rLG zpu2&R_t)JQojqOLKE$PtSssV*|3;1v^jet(ovvp zSy|2V2oa2AX-dZLLp=QTZoIRoaDUBkAkR3fP4HWj3iJY_#j5_DER&!Fsob!Ad|B1#R2 zX8eq)cNbHJMeE9bsy<+f&;FylCfRLFF3`?!m~oidgQaBuW`_DT=e0 zeV&83#VaW=h*3&GcOFV5?5dWy?0(L|f^=DkvO*F!uBZ#w0D`fiXcBpy$8erJYz~+w zG9opYPzpGXvp)qqr{!lvQk>6F-FWJRfQqT%kzRg03vkeVr_{?jnmx) z$u$?osz5tz>4jm7T&JXA$b86ASK29l9`Q|3-5aRiYM8|m;UxK$_}``$s7ZQpS{T7f z+&L&-_13WvRd!nRh-^?ruU2!Dlsu6lf@-!T)%gi!O8%{E zHyVxbN2#axDk~?Skj6KPgSo$l&4k9sB2A(~!qK^FV_OIWnp5@jIrTDS_O$L1Y(#^t z>kXk{>4v`(p4jn9@dZkb7M`Yi0dyEd6(pGGGE~p!e(k`Wrd74F5-?$5MiURFsn2hj zuGRbjZWZ9O{~ATdAW~-NP;ldgU>z2~Z1G(klwH92+g+0VAkaghAiXf6GZE3mw!@67 zVN|hxknq(Wru|KivA-ORYX=wlwEIqY8+4pseRBT>Drpx|d4eb5W>RR3%!|N8*ZGl2 zfv0UAA%i!I*PdTvi77!TTFC2%P{F5vRXCJjzrJl3GAAk7L+51TRe*d^FjJ-70$7)y zv4izStqJt!g@Unj#?XOcC-y}7mU0nCVjL<7F_oQ5K!!9eS-4(vW*{>S<5enwj-cDD zT1kF1^1=!wMquPR1rK6(yI5%gp_Cx_&uHibVvFkZ!GkekxxF*PvT0Sf5$A!@gZViV$`P$)=)q zniZ&IQ|vHn^<5IloWM2bteK+PK&(rI0}Zop}CaDl<(eQ9_2=jpnqF>rrhwBjV!?R1P=&fGQNR96SQ$U=5#T7-KO{+8dQB3cyAFTVn0?IKYEkV9 z**7Vk?QKjdfnKVmdEc!sEYm;TFGKQu_VyuD{Ei036)%5XejIsd_2g^Qfrhp<1uzck z{7~FxUr%?as};Wpgyl93)1T+Z{;pr|nA&;ii-yT3T^GyiUNp~R4W-`Ks`w+a)%W+d zna=Eemzi!l#Mut_zS#WcO(i1Nd%E(i9DeWNg}Zd3Cs$Q8A_5^-g`>EZxYalx^BxbI zYtU;7^^A}oAzqdTtEfI`VzI+uCd=oipXzIm8XCz-`f)RtVM5~xCH!hQd}Fju|OvH zf0VmoKK{D7R7NtZWX>5TsP*ad47R^*xbTXLzaG{0=4{eDNX@Pa*NLu$sZ41_s@ic? zA{|=b=Yr%YQ4t{=`jx`2ZjDgE#sel@R(dGpqgdXg*rp{pvru@_xIBxq!$EVj@x>X? 
zX1#J4Jj15%vTdQUQmWi1!x=RgS@!L^2za!!ks`~|rfF34NsdnwLYeeO;Wz!WWif?d zzbu5aj0=9MVquNUKlqZ2sW2V1IFW0tq{fv2w^LGMbZCCz{oWWy87J8W&&J51NigXF zFZm-OgBb<>liwg`@7w_{i|PXtdBRiLaI`sWn)d5zeuub!0WPJYaRLP)OPn#VRI|Ja zOusJjOB|Q^ip+^J*at$qYbkij<-~*F;LrOUTZb>SclQ5E4WFl zgeR#p4KJ$uP@qn?n?6xt4SZd7Cj_ATu~eHa$ud$?$g+m3Pc8h}$84YY`o ztKm=m{P^KlO76QdrxBBh>|$wnC>b=_1`Y*1ZKw?1Hd>+_pbo|6O0YovLVspehjqE z?4(0971rZ<$Q0d)V2#VB{IptsG_mE($v4ubqsXDG8kDb$S+lB}4ppON2Me@r=^4GW zhnm~9WAEJHngT^>pnr~DyPT>|xUJjuaab36<5A>{6%NZ_UZjUY$`p^dvZ15Z^o|6z zY`NO7u^Flm<(M_F| z70yovBesHKun-Zf+F2g#cxfl87H6x_X>r5qcK{1O8VJe-PH4phlcD@Fn`Dckj9IxG zk|MaUYggAw?r-4VCXbT}DiA6@L9U?u*;>q3*^dC6JT9)`W5 z1Y1i<32LmYx;$2H*sdd%S<}k-(>c^{`%Ps-c{9$2YwAU?f$E~^R#cRp?-FBA)kh_( zmLcE(jCU1!wkf2MCY2u5**#Sm3?N(DT!|?9Vip^vr74@8Y-2d%|OV&&V%`H^gvq zWYTEiSPsTd<{y^3hn?qF{zHlT9dhAHj)tm3*;lWV0;)j&uK8S_UbXMUU-a!2?U~N* zw(}57zMsW*X_4eKG%PbpWh(><>h{pN$A*c z?-ISo=mIEv2b`WUuvu680QP5(bl|&Z_e_+H&Vu&ZpH|-oW^ML@pZdFA4lm@M0wC5H zb=@v^4eYzw>NYDht|=Wtm^L)F8e6`#PGBxccGZyAwH+&3q9NM_Y+XZ_Gisl89L)A^ z@I0I$*GA3s01LNrFn1Jt{FkR~KmAwbxVkQRh1%B%P`kZ(dIx!|?LGehvldgFgJ_fkF+;4w-`|OV0 ztNJ$bnxuf(^a5^w2z~{crDa^_Hwb_L^aO1*!!___PoZf+y{d)_j}zun?4eARRN z1@bEzzz-q0i9Ga+R1_jA1Zq^9N`vW5CuuO~wNk1DM^_(_>9kVfqj_I{Wx8?Mev`V2 zT@!wTfaQE3k|lX~nbj9^aQL=0+5bTU@>pR%=4H1$%4s;PY3X@=? z?Lqajy?f@Y3)r76a=xhT+D(IDE>6$w+CXn`K1LMoGRckJ;jrN*xE68|b?HJz*Q;*i zX|r0-bGaeXLU^(7J^lD1>OuQJ(7^oZJILVAm+lFUO*X#p#RSv?lF*Y+(aPqC?tmYo zA8cQu)bsmjwsbR`f*_%ERtnZiz;ozreuKERbZuJc=yvZSwY!*;W>L%saP)gvcmB z3skKtI=?|hkYZ zzT{UJ;o<~VhF`5qy0KJ{Hm#eYX47_KR!Vya6GWVyTYtc>$g|3ts+OS0R&^O3|Eh8aL!#)FS)L^fR*$+0XQ%ewbQ3D zc+@2^oVF-jGnN-SIwKO6c!EO=o1|z+D0wT!FzH&DPAZHi9AdjMlto59+wO^LO>Tjv ztjo@9!@t3tAy`r?znY(EpL4j~mWTIoBqm-iC`wOXjFk~Rg)J?m3M31BOIg7S2r!o? 
zh*G#HjaFgTTu;t;7Tl^Unq6{Za8U^}j4^)<+=nR#Hn;)=;uftVlQDkUjbkY@j8rCO zr)2+9Jc37xtQ4?Fy>&+9zHm>*9~crvS>)`ou=Fj0MYfh($rTe0sp60-gdz$w??}E* z3lS3gfv!P-@Z3ovqgtEc5FUYCEHfnf&20|}o>tP1=cpjHWrehNcCU&ZS!PKM;aA-^7cnI*FvK2L?O#Gd0T$|t{JA+t8X zHCJ`ApO{k0D_=C4m_kSqn@xmDgjdfga5`XX=(7UUo5E8=6{E-mR|>*IOgI6*8P$#P z12u>jROIzcWKIT6`N=L|tJj?A2H+3}3CzhUwnx>B%Zm}{7z`36HEVWj`|Zp*jy8b; zuo$7PTMBA1Nf+_;5(OyB1*n#4>umYvmv|bgsMRS{zWINv%!clV4aw@#<-*D^F)1Z+ z!Et zx*HXkUVXdK=4)DXp5l%rbk0TD&eDnf-iVcIS6n`R(G@?`l<IVui&`vEQ!iwIvEM~-JKGiQTU+Fh{UZx}gjf+F z5Yh^pmYt6J&BZq^pS4ktTS=MaMWtn3X1+!)04J;Ym72id2j9TuZBb2Sj7{JJ>$0B& z-1h!Xw=Pa&eylvG{d=t6xTBa%xqOfs1qq86Yxah;KF?AI9EOV?u3xGaev^6i#k zLp2l6EXllv7cYz~guNFP087YMT9~kN#@S>8Tr-mQ`{f)nXG>!OpS^r z=NJ7UOl{Enr0|xnDsZNKh`Q&LF|%L~S}(+YZ^Oa&Ot*)$ zY@z0*Wp<_Yo6fHE=OK2>cU`{+t#DA;BlPW5PaVkh;N3gmVZoyoN8sgbnL5woRq2?9 zok-C?O8l+Q=}*3}AiW^gDi49SMf#8 zUk4ED2pimhN5xo1|DJmkdmKKn|GtzH_*_tOOJt@lTn^RsJfuE!f27Byce`!oPp!Kh z?>u{C3%c}^$*XUgA$x4k_USHS?7IKu{3z|)ek(sODQ6mN6@Cdy_7M78yb=^`^fXEC;oaiWEOX&^m9^^J z58wwScVQbiee`@bcK2N$denGNxN|3^-q|=lf$MgP8N3{?=7??G#77@1D>--^6!n-6 z@Vj2F)~z2TpM!k4s9XE~FSh!Bz$lt7z6JD_KU00Go!rN6XaPYl`>*i=tfrAnl!vfQ zD4*;vY@mh!yHE1PQ>!y_+IdaYvYJpJv9-xNwc6lf=OV_kKlOaM3m<&U{$pSzau`v* zg^MCFs%&V^u9r^drfJov@T08o+5JYFxp#e)gFHMMd@@M9FY+DeDo$wkT>Ai875^ z1sAYNYuI}@QZPkYj8wWc(yB}nh|(nimsyeA_CR;h`mZ`;iIE9?;wSdpIiQ_OCeCae zv$8>JzXuPdWmI|_`(ELffSXTDm_rdfHI6=2NTk4>1o|m-CQ<%uy7>fDj!BDN-Lph| z8HdoRu6Uwq=a1|{$h5}?(pYj7n=r}FC<)&++=LHElNOGaM29_242x(mIqPJ{W8nvq z&B~}wX01}i1ZE_fo!c5anZsNe6FU^h-^eoFXFjiu#FI=Dbie+5*9nDJyEF_z2gfjV ztrk)A<`R@2jYTpbhNsZ}BSoXpnq9nRiNKaLN~#AlIt<4T~<0U>;_N zgSCT9Ee?V$ z_uKsVV#f@N3hpKrJ;#}A->7f4o49Wf2q7gvrlCQPoGFUT$y1V|rRGm&eUL4Okwu;A z>4dTGIO7Kba{x)$Ik{t2jeWK~NV%jCv%GPrxY%c4rP#k0q;zIj2%5+HulpkM>+<+a z`u&%xM!Cj>BI0>M9eMxgR76?t+NIK`472gaBZIccRLJ?~IzQ@-quh}y zE6B|W5X=+B!AtGD1>?=0yO-q6*pv&QFmF^X5)x(P04v6LObEE>$WE0T%k;oco+znr z%+z;Y)?d;EXMY{ClgXSypxYhjIUYk+{km!z`s-95`W%f zcJNFiwVVrXo(Xz5PU# zSst>f{(i`W$Im2hZcDy?3*CKrNLvt#iU`0I6 
zk9L8l%&B!h2dQXwLbo=(+*rvnaVC%a#j*4|%eXDIOar|0XsW!jm5xl-GHDpwR)1Ov z>sTMll_=f$@1D3`&Sm}arN@g8F8ii{KEtsu|G#4tguwz${Z-lpq4ZzmeE}-JeLjKY zdvp}azGEne8jS`d2}^)vOla-SaEzS2~o@Eoo3$(t{d(^(}^WwgpZ2G^A zThGxRJG70EJ~4CxaF@3zZ#g=hnr--a9T{oAicyYxG!z-@&ccLScx`*Edz0~_(L%tR75wgXznf?LYrTC(+Y0Kf_5*!~ ztd-~BieuS2gltN_P%>Hr#|i*FF<(3wL?ow-E+35U7ynS(}PX> zo+VMO>yMSAI-{q4g$t_V{HCoi?kUfUB_HmO=7y`%sk$}+_lC@)iSKX6_*XWcpULb@ zonCdqNVTAL0NGbe_^yT0W8>cRXwhh9)3xaz(`Ze-dUBV2=BVQHXmot7^8+KhMSjP@ zVYt4@!uG7ebUMb5^$y!w9n_Qvq>fInRx zCv^R1$SA;Z`8cD=(jZ&#xM-(oYN-4o!0V;|(tpPBq4i~{mD;cI0*;xmc@>^rlmFzA z_a#5jhtxCx9ck^TQbDLu@pXDn94p7?BbVK#VdL2twElK^CbYQn?_l@p()lr{oaZw0 z{EK<}o8<9&lq8kscN@ly!v2WU?X>1YT+_O-*6m+&$7+eN;(NR>coOthkGR5Xb9jGc z<-3+2f-t3EA$EWC=@4>n(HBs9|4%WRz;k5_^LqUwXv@8vI$nXv>9Ov=du`qmh{R|C zWa$k$_CVYH6Oc93x&ewBiuAAlES6-mXShMuUXi_7eI$O7`+8mDd{EOa645D?0AxK2 zKcozBKq{3Ik_>AGQOv8J%ISy94C-(&#gY|@0X50?$=vaP>1 zX^w1CNvi<4F`DiZIID`>zWLZ2V2PT^f&hZ0h+gYEw&bkv(z?5Clh#_ZijA!1 zMMXN_bc%*EtVaehsp148RvQI`HRg`&WN{m<{jAbF;TfF88*)UKit+)ZuG+E{V>G2u z%5|C38gJy^oHcj^X;{6i7+50W03wu=7`^78{LUk3ZFs_HOyXE+s38f;F{Qs_vlcLk zr>;JL{#kL2#;m%H>g9@5dDZFS-#^cw!kEG6woJFj3sjg&Ytr(pa7Cxb5p0G^%#*Nq zucZCjz$~IIT7S@v!;Z&ze>;j{_XTh|0V{q&z+D_4niXcunc*W{d{dljk-&&BWQx=Y znqOhSriB_S87Z|AK+vYsurJEua;Nq#&al@B#K5fbcb8uw$l#Fd5vW|(X__ZSv}M5b zfG&xTlVbQscFHlZ01ALvR+ecY4H7MCp zfzP@jGYIbJ_Y`%ZjDjtVgThsc_elb?bSXfL!0ww{1M`>5dw}M2j6xY*DA*g(;DhTe z-~`G?NV4S%fT5R%Ul+d&8#`t;_!!;oJ_avsyj$KNtO?E`T*@-D+*7pvmi(7#1HN)sIl z^Y_mN>ml_ZijE3{RcoJRoG)yra}M2`qf(^fy#%DVSa(jFSq%bmZr?AQ&lvcA@aoM8eHGC-UaAr8M)`-U;fXkXVA;OkeVkQ@|X=aWwwk0;?EPq-bf8 zz9^MZz@n_-#!$0hmR3Q@C%dtLxB19zGZR9EpaF-?wT4fWZV<$$Va*HZC z^Ud)Oz)T60r!)YO(a{*T5bh1SOyvhlA_FC@tdUKw@%uGFS58G}ZsGlY;xR659 zmk>1YIUS%X3e-q*9D zud~k#lk#fp8qb$UL4y8=58NwiJA9VY<-#UM)4a!#Pk9wr0aw|~`5wboGg!icCUrnz z9J}{&2hV@&^g({uI>_(Sk*UMSt#Q>IwhruiKRSu^ zt;<^1euYc5`Cn#b+RpkKNl$MdV1F8Z6MCv#0rzm|7;|>9*g>VJb##)Fi|-Z#oz{N= z@U6-HQVXF;?55V*S(cwiyZNZ4QagVekX+*N4?8x$XWdp}`PR+6J#jArQTK=jbNlya z$Aw-mC=u>ZmUD`Yuy3Ho}${Pwc?wZH~W`)Nk^5{ 
zKBrBc6U^uy&{en(qx0>ymaxY@pQsa{yiU+^CeDM+hoC2nXXE^LNXYbQ6_<7?3XQGs z{mOFowfkSkHos-vgE$W*P`Jw!`CtfleH~%P+O@ya2L9~KN!$EEe!$zfL4eq{4^oGN z+w+lX6@j1rLvSL6`*f`ix(m;L3AHsjIKf*I+K)W)& z=pbuu)|K~$Tu^JERT&(AC%Dqb=lK&Tv9B4V^fr1dJSE}Y0|>7gyfZ8OC~s!@WKX)N zmTMRmu!0;i@!)|*;F9I~A#tPfpaHMMm(x;(}rPsh_6UTWLfrulzJjP$1tDK7`E$@-M>s6 z^uJ~K3s$5Wj&9ywBARq2aL%0RHjjQqBUrMC-Rqn@0JM(b?isemcpY(rOT<4ovgXCm znBqfrOpJ+qa*sK1$|0|W;qf_=It85(zQ+LHh^VOXS${8XA ziL+_02|v|rCfnpLiT3vDpBZNZnhu<1A1+|E%pMf86LaG90Ob{I2T?M@nI<=+X(xXH z{^@6}>b$Ydr)DMYKV2>qsZ_D7O2$(3w7hS=OXa8zRkcwHGo7&vpui@q`l(3EP}-+d zaFEczJnoHE>JY#;_>U0(Bq#(oPIn<|t20fOEfr>?!&|?$f$A72Z}RO}MTN62*Bi48 z&mfkkGH6!5SjUWor)jJl9b!3$;5&H^hSvMNYNKt4kg66NGr+0l*L8|b)|yg@kLfJ& zw|*EnW};yx#aN43xo)@vgm4-IL&pxIHx0wbfHhB8wB=f@8=205pSPAA6p*)9pX0E? zJ}V7lqs@xZs_R0ioim1wv}Rce{I&u!=|==h{UDOo>>e4&iW1v9jb~~)fcLllnVEJ4 zHfF`F6Eu7L8S?S`Zdq8C9qR{)GgXIO$h7_R@vS356F>Oaufz|;aFD2h>I2ad9WcwM zB?jo5aI~YR7V_jy!lip~qL8Hk>>`~@SVA~bHRxdN{t{vw&!ve{cHK4nC_72F@?HZ5 zla%yvt}SpYvJV1XIe^$o>a%IxdVCn{T(ha|KrbpBc)@~1i*@Hj=^!dTwlcMnj5nY1 zQe|8`KdNTwIv--FCVxI7a+5X@{Ie{x@#u2KoPNh8*mBUWA~$cL`GZZR^tp-QY1&@m zg~nSAonQe$Qc!uVfhh?M3r5?NsgO*AX%E8_8XkO{eZhn}jA7?)Pzz`al$>;OQ}tf{ z)B$2J&SM4=d*97AZTHU1I|TNZSBmCAubbt`4_gnaZq}e>0`XK5E7Isi8=|=F_!P}t zzO-63C^0+)v?P7yLS;rd6vPMFqClT8u+k}cbQ8JX6|I-`>Z2pDyIjF$KT?axpm;5` z>!=aC9c{>#6pP>6aii=i(!rGfg-Oz)L!r=nj#T8wRkZ#<(7W|qs551xEjJlw*>~TQ zM>9=6@Ghj1PpU|)e#lTAMffJ-LQ|Igdl>2GkZM|m7NS3ym2po7gw!x!q&1!W-q$kR z$bie{tU!oF+LNGwp`RG`BOUy2h0*e6+M+Tok;I#*CEBe)`;RC42&W~|a}N~anLF1O zwj?z>e6f$mb`}~Ro@JmO#jKKoD}nxE2f(Ye=8qUf11kq~`K)`kd!F@i=6}cO^XwPw zf<#}Dxq3dI48DGR$44*k)?bKAf|5g~65JnAw=ewM_xgp(;Lph4e$tZt5aGF-{y4r+ zy6$=%%%t&MBx`EZf2ivca=rHv{d^WC{L!l(pdx4&nQk$o&A^#|p=;^*blyP>a%&Sr zx7|s9+l)dcdi+$SH{^G@s$=r}+i}0sd-Lw~mhU${W9vWh+Q)zP=O~ST9%dFm;Q3E# z_K~ZCu(zo7*nyjAb?tNAym(PlfBz8k=AhN*ru07EE1aG>zX56e^+wpSevs+e`j2Cs zzB{UIvi)VL;bHBXS%=?B*04i^-|?8%%8xYfi^1rWX)R7{YNd_)n)B=JfJrx|x6AkJ zJf66o*Db`|R4%W|wt*dX|J$ih{Lbs@o<-LUxJ-HrUGjgG!yvBRLl^p4})>HJOS 
z$tn+C9HBHn&*gGM-hVSM;r`wO;Mvy=&}1KXA+|FChrM6Ot9BF`0Bg7gEF?HdS@~RF z9^ICWPv>mibX(8Pavu@&+mQ`aKrSrc z`LR`uZvfN#yh{Id3gtz?nY-6}dcWri>H1SL->E!c!b$7;;dy)Z%5@wZIhTuG-oO1A z?e9UrY1www_1fuF4aL%ay#|7Hn(82|n%qrWx#H zwgE?Ax0cL#n2lvE6NzG894iKp=BZIH;4J@DNW3tt29VApGqH1_;5`ofZ z$&D~aEZj74C9TPHmI{>|nzBL$_UctXgV@9ER9X_wcwD7xcvw*D&YN|h&&oV&4Iu<- zGinC42`}4P6zK?;tdQbN>ra|F0z}SABlF2e>QOiNQk4RI6I!Tp!*ENAmm=;w)g< zb}YU%x&;X=f1Y9U2B3H97p`KxFFUtRW!!mOC%Df4@jCLHM3^r)wjh*=j+#o8hxe^?^wroy>$i?c^;iUoJ08q52= zM8?*E6)X#iBH!f|R<6Lxl;RkJ)*hE!h1#?9kE`0L4Qgfh&60TnY?)aDj$?XC;bdT{ z1q%?YlB3_}M^SEDqs`a}T#Se34wee@Dh_fF%?t-ZVLW;+o*1qjKsQ#>d22-0VGLEF zrf|41JjN58hLsd?AQ>t)zfmaxeF#E_^( z8>%enmV^>ilKC5{VS+eFyUkfE)npIACrwgM+~}iiM5tv_Esgs|aB+4V^-{FG5-u!o zOg6kB3u+z~gxF!wMCh;1oq)Xx;UkRIv$*=DRZ^A>_}9Qw_qL;|nad zsW-^9v$%CwlHyZu=3EzXfj?-uVUVlMx;#O5rN%UfA{r_PaQK|(sR&s&g1*LX1j)l= z1oP^{Uk7X1!K}Haa86w}a>2=*6N_W2RRt5PO);FA_7~&uQ$}tRq@8#G?kK#YDezckBc{5jo`ZB}s#HpF-_ANh>=fwx z?N$+}4grx!L-g9|rQU~%L^Z+Rb+363@>G<}7$;Ngx{7qyC3-1T2!+xoeWGBn%t-4H z2&BcR-5qnFees8UzVF^QigPzR?SWT!!>gtoTt^559xm?b8J1D=^w=M#HMxY75{2yI%rb3 z{jI@m;5}@9mDh1O{^aN@SJn-*YBJ)h5@;Tv>8ItC@QD5+A6-`* zB!OHV14Vs339&oTT0Q$ikNfwrN_D<(+=r=#yKgnSHCyioq4?dC+Z~e&0m2^%P4Io4 zzI9z|!^c8>=dzp0_)IS4@AErv#65@O?{Iy)*C+H^ZA4vOrQw=yU(R4=M1zh^sxO*+ zjQs7xuY+8x(RAQ>xi3UU&~d_?(X|( zayaxTD>q})(af=d(|p*hk?+*>rlG%s`{oL?k3$!>%WUQz8~x{NY`Rd#YpEai>$y&w z;#AAk_WJ<#m_5ww)$`R%Ks#urkFoR1JT5kYI=&qT!t4@r{jeJM@%Nt$ceL*#Y+8Yq z^LzgGJg`wN{PKBpaNgEH;x%v7`ySnfZFE2T@MrCMWtynlb@=U35Jo_gVtLYV_u9=g z+N(&g`zGm8|M}z?uMSk&{!{t+ZI8o!CH3xCS5HFvab5dC7yFeqrGU%IL_o&9!Zm32 z4)o;vspsqsntj6jVx5&EDv|tMkNXrb{V3JlU!Z;vzXCsww zBQ?v!14G+Q8@+|s0hFVnJ^W0_bYNNbhz4~E(Kb7lNn+sTI_UPRo?*>wLiVQ#`N-P! 
z>>OKpb?R>szt^#d!vsu~@KUs^!L7JMQF-|ytbb6*=Ph|dlHZG?V|V-=(>hUcOsY9l z?a9k$n2bH5&~fL}u_>Z}b7(P(B>-zdTmI5}?H13xaXV`~f8(E-P1az)5w$&?fjZSf!2B?hS!6X$~%mR#?ZKsptl!d^mu?YcIKG)PdUOvG!-vpmU^ z`pHz#5V~0CP~);un~J^LAT4t8GW(%=#`q;dVml8hAY#pviB9lX$H2YqWYG+!xqO83 zZbxg2F>Ms(5jvs}UEGx8mV}7utOHm$8z- z2*##SbO1v8_iapV1Ay z|7xadU(>%+5BXgQzsT?bOF!8;tvID98UnO0wK!55S@6xYGc^7CcXc8i>fuX*+O0-FGP7W;U3NGbF z)k5QlJf87(r)Zim$p`6gSfa)@#eqg%RE8Nx`5 z?LLU6%#fHW+6%kPYL8s|2Wb z!IRZmWKI9S;}sOpk0bv{@?qHt8uCChy2)ou_w*;edwU|rkW@i1>K8E@3K$ExCw_+6 z6Q)U`aQgj+^l$dtEa9*Vk??yIFg;b+H`(XP6^JcIeCKmE1LVThzaRap)cN?q&ei=< zL`cMQI^(5ReyOU(SF@Ky&L)_^s*khKGlU>y3fvIwis(Lpf%uq z`Ism-`Qu>P!$7V5G*3r3V6VBan7GbE>^=QZNYLptlla|W8&&XSFWOT0uTZDB+xfD2 zfX>H$O`7mi=t}5I$V}G_w`2EvmCDcF&cE;2#5|yC-a3KKLAYcHLpB)CsI=W(pY_tH zj+q9fY5$9MMr2w6-~@A;=da7?l}x|0&o!dH-TTjDO@Tu9iObO(r}W#6plhbPh0Yu6 z9nAO~*9-Gi%17@8%8S-huP1}nr6xU-^r_wV0{-I*kNX^YO`%uwPppw$;PK>#^=$IB z&v7fIk(*(U^(=m5PaO@h_fgHY{i5}ZAn>atxSOQq9)7L-bFs_tS3j`Mlz(dH;AxUk ziJ>j?5vzBdxy|!mu~n6i&}+Sjfb$h;dC98pN6%vZYuOXX@&)AcNc=4K4wL!CIsf?L zoMj}o2_DR&(S_|mDjX1r*8U9hns>Hu@pu2(e6v1oU*a+3;Dx%*wA~ls&xKdSUgA&3 zFl%61#Jnq3sA?h9ZAta$HW8=mHf2xN%xa7|+7(Y$cu>{RHtLHyI#d%V6pAY?R5f-? 
zMhu1de_1(|IA7vagzB0-(lvr@{$$>V`B%UuA`5Bbv9>mY1iSG4z9IN;O!cb7aHEt^ zb%ZgV!(*eS&Y(S*sP7_S1{%*Jy?G&mN13cyK&3<7N`j=#g@)H$5|m&zxSnxwTxu-A z@)9~>8@Gf#MLD9B$VgLJ<&I1Un{JQO03CkqhOxK0g*2~WR^UDBex==#nwkLF5LvnE z0c;XRsXWy-QH)+JQU6e!*?Og;Z2=+H2>2L3?Fa%(7QGxUZMk`(r*b++S%_?ofi-mn zRWj~_xAg`od%@~C1aD;RmnE*SMTI3R1$qwhUxjbW7DJe`sQ_LH944D%80G+j+yO%7 zC5P^^vSljl>Q5~#$L|)6xqSxNU?F}W?iJJ z3~IhQrVMIyK`In(=!X_`!KC2lU)5_6gdbTvebrkXBIwNj% zeq3SLs@I_Dn$JcDqsgqA)f}S{Vu35qnbYXdQ)-W(qkE^GJl#n4KG?s9>(*QF6n(9} zWpK``d4}xotZ%b}^8e9$C%!o6eLXR*}Gu- zPKL=+Y@!saXR1Y-in5xOw5DY6l{#=rW-j*9vS)#15BRt`c)A3H3Bx-iL9KJW^qerK z>g+RF(lXbhrLY3QJz*mfu#MRXhx*LBEfrQpigX%*7NHrBbW!&0Dn-gT++@1p^rb~P z3>2>&a3v=I#bi9LXViZ$W{HO*%Er!9H2iqlmmJw(aEE!EBl1H>P*h4P#+0;ymnKzc zqSECOq$pEw>T{JvJ$eLqdW~N`{Gxeqyu=vB^I7QS>sGOlpPO-i;3V*=^c(K|*C^4gNB@Vauk4B|YLg9~;K2z5OK^9$ z;O_1o++7+8?(XjH?jg9lHg1hOG}gn+yz9=oU+M>(v)9?Do~ow`zI(SWY6(mGI>A)i zP>#X?lg6chN?ElS1-Id|p^PvYH69Joh_*EQ$~!t^(Qid0Q2Dj-x}J?}Sh1>MGkdj} zk+0Ne^bo{1{|L51UCb~3Ek2BAQ9mX%&K*f)_1u@Sej|*6V^(C3oO_}d>Or^LCD|5h zp8tU($c{fV*S*LcF=2*2-jPZh zGe!70LsoBzXT5Wma(peCQ*$vJoze zs{he(-f|qDEIFQL)pR>d_aEHjfz1!jA~!v4FMUz<_WGM^1%Kzd_I2lW97U(9;8r_K zSn?kFweEv7M0jiJj=%S~jt6n_O;J8K)~vV;9hbUJwEGO6BJuLYr|Gh5xeueQ_j_akIEd`*ULJC21-)jAc`v{x>zUJTDz(`yr$o0~FZ&OU z*OwLywv2$cuLQc!odfndM;BJtm(_*EGA#EBesciyOwXIM;45OoNAEf_H<^H8+s?HU zT5+7T_JuUhzK~X5Cg;p{`&?&`C9i!Os0-}p`hdFU+1ve=t~QZbuG6w%If#vFa54nN zd9?WAzt=Rd@se#o*s)sDYI9pjY3Fotx_NiV{?g;~FO%xs?>t9GrWfEfUL8V9->~xS zae7<7ZU1#}z}o(8l;)(Md-#Z>)_Zr>rP=vfWIVTdTnpgsTB@Z%->iMKQYo*0JNSmy zc2@q~&u__>c2dCWZUYVNGq!nVcW-QeI3p}5Y^S%gk01<+ zNoH7kvat4GwG*^`JCiCsdl(B4%xwm1TdO@ZAQ00@2tJHe-Maf)z1ePM;=fu3lM`F` z-9H4#eCP1Csi-w@I()N$U6}vhaWmx8G$3;ma-03%YeYs%!%`O#tq_ZoAmI`LMN6_l zgDpT$5o9`c9)P}@Tw>*5UoeAoF1Y!@dPg$!%3$`aevqDg>BxeHZ7Eh*9Mz3sVGiFN zX#y2%F{q{e!SANbFG@FKQC~|qO;%$2tk-&S1?NCxCL~rqisM3f%$f)VAEZQtNvHm2 zgW>lBcrA_YB)m$OQ0m`Is49SjBl#y+iluSIH}VQDW&EZ+y8&{?yyWG3rs4aJ7PAAU zL2+rxZbFxVl=|XlktgV!YGl{F!;^U%Gu%Ns$2@p 
zSfdQ)l{KWuf4oE=G2yhUg0sgylSSDn?*oVa$Yg-H*h$v{=ZJ!DVDZQX$|Ixim?WEq3 z*f6FgYEpKpNeh=@j=(yJmnJ7k!4?%Gc2;gSjm%mb-Q@{g(fg*NjhYj{!xvZzg=k}@ zEJ}>)utv9wLclgIt|#PdUYs@H5Ij|OzeW<}iCYAtQ7x__X4=5duDxeIyxUv^bH`7| zTJBt|G<D9Z@K8n*d8sW_gd0YM(bg!9GY)&~zi_^N1qn zWrW`*kqpQAvy)7glDAwY7V`y8c>n?EuNg$U2#!Mil(QDbtSbqxe<> zI&$_Lyp%$X*a5OEd|!xO^0!L5kz;YA`BkA&gy}oy3SX6B8IaDguJSX?5=xcnPh)zO zd>c1h!c)R!F#Xc)yr)!y3&pp1u{JWwI=6;NxXljfw7 zcz7B9WeSWp3YLN&0$7d>c__7?9YZtVutSA&q-oZn31Ww#JSvvDX&CU^NIgC0B4r#fT9iCbQ z1CQ!IVI4b`3Jut|a=^dQI)T~I{x*2kZD2 zZ>J&0f?UEr{eV2seedPZJbv8HZ)?u8tb&iZ)%E1^ng^F3lvkxkML-zmGa^*}=Md7F zlBg7 zoY~HA2w_ulrew_zI%)HZTHFPHE#olr+9^F-QYibh6C**W1&7S z{qM9J9~B3kjDRbeP~w|?a4uIQ#3=M2qI7!XtV`QT>1u8Za$W&*L_9pD?Ubvcp|cx6 zur$HfG*JLTDCcDKxr?$9#Jq`LFXpEsG-6XbUct(`MpJ&L9qH2o&%B*)8(zb@zB#S`P)DDu z3R8QWhdW!__U9f`JS`pVYS;7>_^;D%su12@w~{P^;Q-o}*Ts3{k2-wqW5>~qCb<)t z<6CNeU_IM->+BcK-u;p{YF($2k8HTu)Da$?I@jGNl0eLU@2juRlfHBJ>@bM@)OizAm|NR-J)c0!k zoB-FJEd}U%Q0WyNE8l&D3u$}#)0k>-vbsL?@)Ro}H24Em-=+2a{>32a32$qhic#N> z|F*xP^`iNmhmr7pdrd+hO@oy-yTi?Psdzcddv_WvvYU5_>+%B<$!3G_+=d*?5YnPD-R~Go99CgUxsg;!jqg&-5*ItTAHk*{76w2{)U++xi(H0Jg~eSTf~Dc0L`wtdI-(>^2Q@R^ za?Kfq*}SQS5YSYxxXU=TTrQ)Q$~w=7&Il$kwxsVNeyAQfhk{Oc*>3=anvsbDL5qpq zEroh`IQrlce!Lw1f^gkL+Ln<|K$=-%@}RDQ_F}B0`0EUt>IH ztD>Kl>^2oo3zQXL_*lt-n9ag~E)>)gRo$XrWOcWHRY&fB*ltWbiU<4cMtP{(MS74{ zAxot9OjwvSDUKFt=`2uJFbzhq6T3XT&Q!+Q*@sZ5HptC^;8jGf4%P#WhEA1&`goIN#h z^hM{$)*4&=B%@R!WUd$28t!lc#oelML}3RLOE>G7EkCX7F@Vj-2eOD~W4*2l6uc28 zGIw_UbM==ZT{&~ULn*CExAyyuP~Go$RhA~=Ns6QdYJkJj)8jse3@yIf?9P5Kkr>ks zg2dN!!~y6KR`iH3+NQ5xu?3+8;nrYKW1liRhhSy{>Hg{`1 z3#R$2$Q!wmkb52Qu{D9(iq&<}4HFu&Qc6m?D@?^)x|hP+;Cbai9xcQ2Se4p?1WH+? 
zyoD|4rw2_q{$(x(=5NLstiL3d$ygO4k~_pa)aq3eA`CzMP0^5N{#&Oek7*L;Oq%)K zTAs0gJ1oUGPap~F2WZ=;2$LpPp3j=9G-IALAu>8pX9L{|0%GkHTd zCx$wYeacfRj3uSuz)0M}Zv1afZOv_6h$3W8tK>&C0RwK#DxPU#Q}$n8TP6BDQ|3r* zZ0#Q_N`Lz&mG@zTWUCjM&%D$La3~NtVXZLR6TT)X`H~SR&H0B0m^`nV@7KXF^G}@c z|9PaW3j0@%BOt^>iZ)PRIO0{p;!=u<1vBGVJ{<2bC^MjnyNoOZV2i!4cJpH6frx4(aq*JS-Z550!#T9 zvNY_U1HmOTRkupn$-MkT4EQdT6U_$=+)1BoFkWKvOaGt^&|!px+%g++EQ4S0O*WI{ z;s++hmb;)JyL^xXetU?^qz*4H&POR^Us#mji!?eiYa`0f!F_@>_VvVUfIeFq&}vMv zQp>+dYzw($h#1~?drS09ye4HON&4`IQGpw>JC?J2Wg)K2e8wtzxpW}5axpdEoeb1> z=n{pgkW(NWZu$=&%vsG65M8F}ul31Eto_Q@Q)F?F z1Ej31qDiVZk53yXd*oD&`73lfD&@0oBu~uC0;X;*k|e}r6#Da0Gi`TC?7#YnP~gd) z!*H#XN}u#qm0*2D)!+cpGE|%bt>HvT;T9}!k+a-`*7CGL+KH-~tnlSk_|Z4%t1cri zI3!4eSwg=r`hLs#7(jjhT{WO+N5)Yo?VV=ofu(Jb zfQRWkOum93tPz|>|5R?1OB%5xit?4Eb~q@nl6#G<%5j2_YBFH%{~*)u!esw}U(ZL1N(-AhWEb;GB$Sk{yvHGR{y)SBD31gN|kOlW0SHwG1{1o`md)pp*NY7jPV*Xw0rG%KC9EJRqqP1EOh zd+rq5ce$@Q4QZVcy*-J{xUz1ci zGrv2YW~L^$dR;BK4lP3i!MCmNYw^RkFMKW!5$<_N7Y64F23iHJqw@3p=6rRdxO zZ=h=24WG$PNm8Pl7Lb?V%8PXv?wuQr3#pV%54NvL05prl`JRWqO_}Nwpq`A0 zL=U4q*;ePPTcyEs_U#G+vEL~OA@@B7Jm&|}kzcj#=2rkdpG!a)+Jc_tJzUO>B&8R0@h+<0S}J`d~R^RDMyoF&f8fQGD%hU%}@x2fS~Fa=#OnG*yLp z{$MFAl%^RpQFTriU&*@ueQBl>%RKnDu6S2eX(>$~r%4_Dui*>wEH$t?$#FGizC;-| z=&Q)gApDxJVw2pQ$*OWu8M}>op?11CwgZitNal4?L1aVNL1&+7l`{1}Ej5Gew$&Or z7x~wUL3vYe{g9LP$#Pvrf0qvSJegxW7G_1_lb;v+R{D+`HO>CUJ<4TLg{uhP#xr8( zr{%^l1I$A@&hELbl#_T|W#`PNMPd^c+Hy1Q#)Ci$?&EPuAP$jF!=Dq`w)sZMbvy8) zfi;VbH*Q-Qw)eEIqNe!_Jrj>xs;W#b zB-x{Sna~`N)0HId#jA}{mw)^VrfAzz6zkW{SQjRfs%tpctmoY2@nD%o!jb4*i3HLz zlWSi*)X!lhA$N^EWHFTAIhXIWg_9C4B3L2@6r^a`UI%%J$jLSv`TI6**h8mSy0Li9 zldVxrQg)Zk5r~7dS-b zBo&H9wG?lKv7o9Yi5Dh9&S=GhIIo3wtJnI~-0UkgdNj255v!qKHg!;(Jv4Tim|_B> zTxp2L_b+?0`N-BO>hfbYl}iLC!GUtjmKn8a6@fc8zI5rBOp$KS1Di!h{nUBpvF-19 zq$3`t3gI46;nMj(%psXC5ZSTzz?BTvJhW55?#E*4w6QHGgeh;Z9a5e4H9JefA`%03 zpAS}M`#n#&x`0ZhdQx4O;CjfdmK?4l!U7&X*BZ_f&uIvbmu{lv)7bq^)C`ujW`Ub{ zUmiD8Jt9vwy}fGWR$>CxK}!j`_MO z)hFQRYlIFuEaUu$Wt!%SErw`Jx+ZNU&1wXZ{J#!(N1Z7fL(h)%%j51mM*Klb<9M2h 
z6wGmB;`brc0Uik#aoPnfp~iyAtq7h5F_gk<*Cd+DDkEuQh$3ky9mO4Amq}E=6=yaA zYW1Ots27_e^hYaGtSoy7TQU-@c%rB~x$!(NKGUY_c9*}PXoZZl!DM!uE_@90*QP11 z>ZEvtA`?y=tbXE!KW(i-juJa(C@&x;iK=B`#rf%K6!mt7S3j|XsVw#`oXr%68>vuDe zf10V8?~6#S-9~<21fh0lqmqh#n_r0modQ40-lPw)1?Xrd&4SXlOS!#I{CTh3d73n7RRd2znl1RrlOw%xix6nBzT>hSpNf% zTZwN$^9CPIxEJu{w3*KW0F}3r3nF+ah$ou>8&g`Yuqy}xTodmjZ42UwZ;O7DQ&}i| z%niD5C(<{=yLk2eYOvFv_y`5Ab68(rzK-qn1-QH_y)b(lxDR=bcL`or_uJb0@2{Tf zdhcxlSoU=Q9Ybr3UA!B&yW>gcse+D>o4>kU>%0)Py-(}=GI(74wY^Xi+Rm4YCED`6uy5(UXzDE2^VZ3*=<&SL z#zK6aDcG(isKuhLV3)({Oi}oc@Es(FxtUa11_Ioq6 z2Y8NmdYyiF65!UJJ+T1Vyf~o0nhgRoB*r*YQi}C6foF+;_US;brXt(B1%UG(G3kZ#!M?UEjO9y!4cF znj%8F5I8NRJX#jF$vMseyn1T9U2l@d=v-E5wAkvuKd2$t_0GGiAlSL?IJVNg^f`^l z)MoQ`aJ4-FF;TVNy$p*rIH~`-yGUH2+Ox%WT~_NXwK+A)TnN5CU>E$Q*&OgWNdcc` z3Dh<{K0a3KGx6kdKR+mRz6*vy47%P0pLE}jj#vbuAujPr3(s@+5UJ^#8AT_n`eUEn zmn~zV*Ve~gDFXpW`5^g{=ue4g=`rJ%X-WlsR_qp2Hg5XsJwGX1Pj#W&KG>-iWwz7& zYE;x;Fd~G@Uuf#ZwF=LgbQOQmz^>sGOf|tgI81(KF)KRDY>O-E1cna-DPMwSlpNS8LE*7#AsBjfOT^J8M0`4%k0t`NGsNsesqK zag0NWcXD!2U?U%okseD+^_y4Sjii#|^Vq+$OC;kA`r>{4^|(lBts8W--~gK}HIZQ~ znDRL{yd<^bFvWj-N5MujRF;;QGRbvcG5;v>Z|x`tsW&4jw~y6jkiYnf9DW)wj;^9o z_D#)n@cdSeUv0UJeJ0gwN50VKFpe^Nq9&_G*X~zwUsSq%>O4b6btQGSokg=7+x2ld?w`i367=-pH!gwogFy0pUl@yy=bn3QVSDMsp{vNgbTw|sx5voG6+ znZLEtILfpKWWD&5&D1Dts8A|`p53C8_N&P28TiLn*VBtKCna1uzEp_u&N}{cHi9c- zqlhWw{vBh_$y5+V?y#}zQ71Fjge>J)Dt4V=DJsq6ZxsWrQ$K13|8wMi-3%8d2vM=W zT)kIr<=b-MLDhxa*lr$uXcScxZDX^he-z?jSa<$vqO`ABUwygy&t>N>$^HO7yqExW zjJXrd2;=BrMG)~UC+FlE;~W# zPTctZb7X}=6;;j+y^-Ql8DVjL;KI=ASF#vhn64sThmJXR@%}u)i^_$t)FBxCTVRhG zqE9RIU|-stICY_#rDHrYyyi^Zn|>I1gyQ$q%6aV`KJPyzw7<=OM#@wPvu{xBeKh4U zSsuyy1u$k2bHAFzn_fZ^mo(`MUTljjV|mCn2A`43_v@U5Jmz~2P`*%G@qAR?3)e3t z*beL^(tL!2^UCrWlX)U1BIPgmqu-M9Beqcu7FxMiU|HcOZrfTaA2M(K@eG{&V?tEo z;G}p!A%x}c+r+oN5eQj&7limg){XBWmWhr_)2Pl?hL3nTQLOjqBHcdNCs;q|$Xm}o zB2Dm$r8_cztL7a9NK^19RJO^fu8|9$;U%g@2=f-s)unr&Z;dvICyZ-pXL0i9PcFn0 z3ixMYs3etqB$6Mxl1z{vwrwBja#bn}V(f~V59HXA0}aICH?IjPD`TC6_Jj-%0GiG*@$m54zZpJ&rzrKxo#bg 
zL)^DqmsL1AIGIBOuH(FIEw7IpFagJb`zG2Y<=)%fM+UyL*Ps?XWXR~7UGn<+HZ$kmIl}wX z9vmle-T680h5MjAquycQ6qNV%4f{vN+2Q4i434zHI!KS2@Alq8-utcXog$TQZQXiD zPS7c*$)|=K0CuUbKPdQz_WMrenuw>mwL>-JS|y5q;3(_42$0jP}0R+7q_sXn-6RUd84fPmn~b^S6G5%o&p#Op zneUo~w}0s2(eW*yS?5%Z7OGdGlaP5V>3|r@iArhJG)hVga+a+e$OmPVFphEi;mnxn zn*62nM6$b<)w46z@oSbyzi?CIuo!lymNqy9FP#eg4X_+$;AB2ld$ z%0NypENm?qLWzeu9@=g>M!S$mplC1)zH8X&` zA$@v#@sn-rzSh6Lt_@i0zbVpLRN)?zis*|6jNwx$UF>n-8V1A_s@kO(L<1ak9`GB} zC+6&uM=TbcR8IF%Lc>lI{d8o}90(=Ad4&xs+Swiji?YjLzF0T1e8e9aXwbGcx=&H> zFzhra>V3f{Wd)(lb^N>hL8yFaLB{OqpU=yupKa)i4&Y0bxH<4Sv*M}_zA42>ADHXFkF<+_EX6xe8sb#VS{7&7LYF9^hRHJ6nF8LF^6BVJ^?gc}5(w2k( z{pV0;KuBg8f8Z>tyYG8GH9v5c_lE>^zGln<4|}j%XVk%9gK1#1Y~R3}6x zWNESZ@SjuPNW07CrI{Ld&%NceWrYJ0rBCD;Th_SfXFdZjgjKnjtCeRTv%}HF7yiIr z-DtAIO*CP;u;HsK1BGzA)#GfLmh#q)TU7q3DngHp?(3E-pI8v0hLgHOcN9l-9U}k( zNF_cqQxs8k2XQ)CIc}@}Gg^nxy$^iYqAMU+#xGFpRzAq}kV_t!*SY8ET^mlw6|sfm zD}ue@4+QH00T}enu>CmXqkOP1)HoHr%Ua%m4}GCYxJFcG7Xi&7-E+Z;=~)PMxnjbi zB+l0+ebvDFxQt-UKQgSM;W&#F+!4)^1T2#3-&Y&r*?-3(7U?%8NN@i;nKhKgUh$G`B;uM z*F55ALkInpOg$D8zG2RA2gkqXOsn}cWFr`5A^Uc1@)&0rEvhU*u8E~4;E9g}k3-*CGm}+v1Kt+_EJj2JuC}vX_L3^q zjKbez2_{)bcKoNXPB(&rtg3-5hCtNw)iEcJwfur(sfa{O$mo00$oq#yU25Ukr$FPuNGJCZ04I z74&~kk*{@TA7o@xU+0T&QMoS1$b0=3buu@!IuEB>7cX@!FY9K_anF$OENqWP4v_49 zjsDfPJZNmaoW|d$?&HRSCf1FHuk~wzUAqAzxqi({3JhzfIg>F@W6F;e`vR#SpL8{} z&E}nuom^qSmI&b1K!~YGF@I1jy>z1h&(j_ za$Zj{Zt=1=Cw4!+A#Bn>5r`V_Zl|K9UaoH=0DSIG2lbjRfJcC3V8qt#)EiMBF|0z{ zQHe_I)@8=%dgynE$$oa`i-bVi&d&L;!P<;t?|PEv_OmN0-&K`Ckb)LqAVFNZt|P-!ku3FJ`i*0I~`bDySI9nTvDd4oiid_fM=HOi(|ULMkeP7 z^t>{(n_mO(GR1ZS@4+5!zkjzNDK(?K)A2D2!FtAH65(b01zL$=t((Ri|fnk0AH zjcHY$gxKsw1QRJD*lYAYol8L)Gx^q33%#pcdfI768z9LQ9L}9bU@I{Bpaz{VEYyl8 zClTzUV3$dEE<8_NZGw2I73no{tVfzu2mei>5_Kwlb0K1lJo=E=gEfh?lq|6u)o^Kz zx&*$`$LL?1muO3!oqS6qOvNmxR5^~=c}|V<9>!seX~F!1&qpYTBo$_YEBm?mkWg>U zi4!)~x_lJ5i}4T_yoi4KoJiqMwI{#C`oB)luEj<;Q^_-41Iv~C8b^p`5u7(MaAh7p 
zAgiyTDB*Ne_f>X@3-vU_QsRcgh9%iY^)*=65wjCoZky0wN^|?I9g?st(s}sDZ;jq!D<%YtkWRbPSBZZjS?Ka$J*|B&5=YeU$KRC!c+HIY0d@_cgZ?s%AI0T;jXZDTxYJIuvIhWfwW)2M= z<`~pS2R7WExs_FrGH!WmXtN#O>WRfQv5`__^T<;vI)QZig@kwit398@YbQkLV~C>DO4 z!>6v^_&2I;ES$}Krlr`e!(U!wAyHGt?=IN$!F`?q{9+FE+jz5I3w>9y0G(Le5wGkf z%i=!$lM50!wBs^VnvJVr#-uZ7XxMMl&KtJe*wr=^F&jglW}>e}bFX(q6Z<)-gl$l8 zZ1Z{A?Q6>%@h@~m;l8e@gVHW3ixNx*g%mRFl5WoRaT@E1bTx)Jeic-UN3EdS zr3i5?M?p{Lh5F{LEz*?;x~kk1Y_ac{hA%E}8ClYzGJOHpIVK&a zY`vv9PFF^`OAs9tPZ{awu!^hSs-kqm$8+Ugg&H@YG2Pi2LcGa<+5f;>ES@E@cyHW0 ztNTaJ4vWBvAmHt-W9Q@M{hSuaj8#&n@G*RSW_%Cwg?hE%h?n}Dj~@1V_wIZ>9cxf` za}1kCQ$tGJkf5-9o_in1N9+_w4D_wNgVtjkueKE8W}I z7Q8NV>DE7`ljAcQzD~wjdmSBp@e?=eZoq_yyw^SJ{%`sE`+X+Rl_>M|E-aY{z|ei& z+$$hw;O)EDg6i}#$5?YWOwVA&=+T-z`nrE*U+Xe21-MW3xSpuK&^dSC;(jJMGo%48 zZc_HX-CFy3NHtAm1J+)~qHA;yUI3k!6;pe>3@i4@z8Ysa?|}5a5&H}v=62bILk`6PO=>jdrnEr;b#k&e%)K^=w(~036k6hy$!z&YH_i8d&TYr2jzmdj-m&y@=dT zooNF+pKgjT$4`2Xwc`z|6EMg}fEg|Ny{%DJRe4w9{d_ul|TfOSae z`^QjFURU{PRe~rH2lC!Jw)>3RV2*e{l?@a=2yvTnU3*I0X{b#wA+xN4u8n zZWF)!Q~4AB>@Y8j95iT7v+ET^$#apippepg6eAPnixX{wGfK@nu2d7!N;I4HsU^-#9#49bN*eJ_f zsp*wC$w5C@hp|l8v@5I;;Qck4ps8qoJZ9-PGUZ;CKZ|ExCfjf_4a-%XqlR^HCA}cy z{gcr<9&8m2hva@IwZaTdu;HER0;1`FU1XE1=5F!xO}6@4c~G0oq< z)@bPddIWdGkYrlH-%(aTWV3p zEMF?uGyi>I$R-6pc;B!{-e>8=ALaK(<@%38>Q>c2MgD+hlM+yI1&Lx#ce+i(U6KhG zKT>&4Ew3F}d+s3MCi0if(=;g#8bt?>JKa-0q^Q^Dy-{<0@`LhOIzB_N_Tz)iJZpb9 zLCx1NL8BD}=l?^d1-){yC48(+p%pm=d{4ReAifD`TgyLf=j9Yw&kjFjpbSDhM2R>*64pgr3xn?9`=8P)DREQnLvzrgu>Tnwq$?{X_!1e3IHU-spuZDRo{ZMhm1@0T@R<0i+KT7$ zC2y)?Rh{u`rO{PB1dj~YFAIVtaF-h)Vj<87scUps?E|=SZ}e`WP^w-Fuat-%|4d~c zvs++JBkF_wBf+CRMCV>9zkFgQkyyY#)5T@?uPcnCIX>?93frJ)vRBDG4nZ>)f_Zkw z1-OijUfutKiC6`55aTS*-YBg?Rg{J?)(WO3+HIVh<*zlNz0-WmuXHCF$$V^g8?gfZ z8*z#=MV^`Mn{&g6`xi4NYv+o^V%W^T$l`>!;ICh>6%8hTXILb65iYm-@>0$>38!}H z6Oh)ehy?^5;)<_kp(X1C*VIJKYSSlc22-iq&Z?JLYDvmzhL_g~*fDj@bF!R&$tg5f z;04Jh1R^TtkIL)j5GH#N%Iqt1s*hy_f}#rTc{dOfvG6%%7uID790n zPA^I4&?U*ShGskBbDm=T4?r3}blrN!q7UEH5g>Q?DGcJDNpyWNXYdI^N`+WzP8_DN 
zEx6MAg!T@1MT}7}7dZw{e42lmE|#)}z}-FNz-ZrU1l6v&ykjog`hsn7&wNN-&K^!L zuk}C^KNiX)WN~9yHsU7K-)*wOhUuvdnuK9@EnR)qRUo zNe6g%Txtgeda9l5ci)^Hu6IA|j|r|5>pa)D;%s!BT^LBTI9-nwJ`gW;9x%?{E~s1z zbeySJfA0WAS8lzuo)4AUI-hYq@Pnh&Qaw&5&N=rlf&0-1oL&!I^tHN=*Nx<$;zYF7 zew~i`zs66~9hZ7$#nS?2izQx9vz5ayU5+Mi6`e8M#k=2KhbE8geJ+)Pi20p2@D~r| zY9o%`Z=gHm_*_wCiC`{!FKVneob7!l<(9$gLl(p>SYDecoRghL>wvNv<6ho1_eZ_h z%~QgFZ1UhuxOGDJ1N&uk{U>VAetPbcBcv`E$W5a=aqR@}VVPcA5TO17wHK6gJ6x>4 z_WJn{>SbihR`7KIvo(j4xUEgo&oXt1L#LJ4;6DF+OZVA->@bthVOFEY?@kitrshfe z;JneUysBs70SQe-$rf-ueCLP@B(#XriCMi7f8EhpTJZrdzAJAY$qTU3Xtqsbk$jVwtT@>;(U>xC=3Y2n()3LenZC zVBMk8t6XZ0bL{KbQM2B@_aEG3%F6$=-c!N_+aa&(?}7&6ko31Ly|$)fPf4E0Q^DrJ z>)diaWS}~Y0alZb7gZS#I)cOJe)81u35+)52)hLx#VN-UFrt-&=<=1L|NlRQXl(wQT%{r^F<;W~`ewZe8BTo7?*3O2kFk3f#st}ZQ)9)S~ zIaiWajcF#9*u=f0RcIu35*+fj+>v?pq>7~VJ1PUlvCLK{=v|kb+$3KpW9|-vxxB6hoZhG z`&P%{mKN&|oDMc9NSTjQK{xZ5F2l91$LN54wgR>E?oW2=zQuwpMI75)stvF!`J!9a z;VICN|HW?;Q6iYkNfgiAeTr5nm_8J2mpr!aih@&Qlg34o%Vim{o3g~!5iP}(UbJk@ zW|sv}`BSSPtt0Nho4ab;BC=%3Vxr-(XBMt30DJ_C_n^o>)*K)*4m(anFs&b4NJjotX+%fIS41uN& zK&hJW2Wx(YrYDQ`P!1V!7g_tJC{}?PBhJ^gQhE zy}#&!mav{p!rlPOjytJK033@>a43XM9zvX79{oy1BZu+T!9uAieG+4S_77g^j*D*m z=)c%6sI}B?7OEV`B?hxT8TT}nl1e&I_IM9%GvzMc;^El~P|}Xw8T!F2^~jH>QG$Q9N_^8?r1O=np|C4!)9cXEjg}-M)3fv_ zD08%@K*7JHvJBbgBtEj9*_})NB~=F0x+02ptYQ)}6i^k2K(Er(ko}M{j$~#ql^&%6 z9?+t5Aj69^<)GpxmnP8c6$ewRXNDB3!=_`Dpqk708cPrCe9E&1*T<=U6Yox)a%#5} zAs#Uc9#eK*RlnEPWr{}*i#{Mj;9!aQcm<1+nMFXSKOKuCNJ1OLvCc}|F7T^pZxWc? 
zk9)6_kNJ?KMCAL`x6nx}C|b7si2`%s@`q0B)QZH$v#KJ?Fr8!!`iLYq(3z=cn@?~j$KS1;;`QI zn6QB)xtoBP`4;V+tlX`JE&fs;i^7E;)3s6%(;eno)C2@~?vrA1cLRiW(^h-CMw5{B zZBFZ$on{-4?5hZRPRLj$qe1(6i~B5Z_FBh%=6>NaksG-48bd>Wc13gJ_xU95S?A_E z0?e8IBhk&qoR7ywh|&2-buK(3txen2pn-s&?Vjy-Vu9u|$kh1?kdiF4rhCX?6$wy3 zOMzzNab&F0b&}YB^nP?rY4P z0$u}qq4yWLRJZzE&jB;fJK8cX8+%rBvC0JYu1|Kof?vHit@xbXTp--jb`|8buzd-O zKq9UUzn8&rm6xN~)mKo^*6SE4QZpt6+Pmp<=N>WJrO(OHNzP-Js@Gh{{x+v^@}PisG1Vs@*?MM&c&pY5qV;4S~a-9^9CIJdzSLMrHKXziHz6s?l;!TzTz zXmxubu1Go3ZXIc>pL3Y@hbMB;&Dsc{@wk7UH%mm^HBB)(I7=skau2^@|? z^6TD1ee8O@73eB=GeE!a=}Y-v<1%F6vA6%jIu9wowtOv(+BJKTIT9>8UN9d0`h&Wh zKIDIH+-k;LNE%41C;IKpd00;uqJ%pP$Y3~=ODv+dj2_A97Dq>KZOeg~1uDgV3zpV> zNH7lmw=2a`N2@O}32&Z4{$EsmQ*@kB*mayXZqlH!jmAl1+qUgAwr$(C&Bo@$wr$M( z`Mmy{v*u#fnw$5XeV+Yn5TQeqPOa?eM@}$$Q4DEPsuN3wkVB$1BNsELm8rf(EsU7D zhp3J=aj0Il?zrF{GU{1Tr{N%SCy|P|Q4P5a+WJMN=G5i-VMVPam(GC0io{GqRbubg-UAg>-)W$o@P81Teto)H^dx3B!1I3#! zggi_l1<;e+ZzJ?g6k0QW7}1^bcr<03G@}R+Q%B2@lMH$8)U*|P7H!JUk!c=Nc@lE$ zgBC!3VJ}#SrGhJ1{Cz9#-IO*H&`>3YWzevdW-tDyg#vtBMl?_QFx4x{#lnDte$WQmM-6lMKCH@7SP7&IQZ4F%sci? 
z7Zd~}9CbTlVz3jG2-l2if5_ZlYA4pj6!-8WY1=?ZItSpS7wh`lP7Dke;mq?VDTO$o z)$iD^EE;G@(hSV8fEQ|Ri~P0K#4dfaClfP~>6Jv0sWTYC-)lOJKPfV&L>2*?v)a?= zvTe*EBZmHgLH;SYZJG8$*z%s3$3z`<;=--$z+NmOu2iJ2G}WZ2WMdp8V!jAHNLAIQ z`}-R=iZJ11EkE_{tWgG*GOkxa1Th(=GNWG6FT1k}%ko8kDYD<Ev15PtKw~mQ6za#*?vzP`$SXouiUzuEIfGbkN><&?}X?0=hYeej-tNW+?CbaSAD` z#D+9HR!N>Ro=_4tHIoH-i8?h{B`bXt{0EqTczJm}K$A)h?t9IWlILeQ$;gnkr*(uW z+s-+*ep3CLIWB*f4T(_+US`&{09>-PP~bHdxu{GZQeuXw{susSt{$!Smn%`1>NF0y zvdw+pN{N&;i{Ys`OG|~9k?>K#0d>Q6nqZ^ij(hO%iqs0;5D(>XMUft4)7lI?TGXwz`ePy6OU0+CJE2# zND7*!jpNj2wo7>nlMxUswF;B?{v2w9cPD8LhHxj}t)-mVlvzkzh(%bHh0}@_2!AI4 zi~sQ2@@2V?tZuHr7J2)wNgx%md70qFcPz7rAb%Kz#4feSRS| zcNKijv^kYANx+5hc$XS85ZagR}7aqaXF1jQ?l|je^QtU#vQslcJ$sJzV z7);F3q;8nvwwhUE!YJ}=LPZSR=QP+1$FRM=urqAfu+r?MMfqEqLJf@*#y+9k{8Ymk zAW1ZZDLWy+qWa2-^zWsUg*?5aK;^LMpEkZ-cUo)6O~K~$vldQb;&0k1#D$h&!tCS9 z&Mr{IvVtcy*(Th*iRl9coU|GLd%P*eu)v^w37LtGra`>1w+bLe*;n18FWK_XbbI7)1S!E2CjH#pnEY>I2EY^zuGWt8_Mo$tl+ z%_2GhiO<{VY8l_%WvbZr6L8?4? zF_-B*&F)u}d>aH0Q=W5u{-y%%@9liO`&*Iq-X1G2AwB2+9ZvJ^g_eSnb$w5h9QJ=@ z^3ZO0JMEOY*Tt11xh-RtH}VA)0$y;iU8K1Z#_^?=v2mbv@pO3${*%rnzFr&qtI zyZ%^C57_Z31x(Mq+;{^Racw$G$kUk>kUhi<3QLOJm(hg!vLj>9N1zlFob?T-b#W~HZ%*R{op)@%?oMM>D|}aP0mMI18SdF?+{WI8<%>Ev67Dj!CtTemWDGkglvlHj6${RTi5TC51~_AjnRTkzAX*Qg43#hnz>G9nXgEWKi2hkD9PIcV zr&!D2!aY3$m6fh;jSVam=)2O1+%`65>G1JwRFL1`v|EBeU(pP;f_Y53q-e5e(wI0R zQ95DFSTZ4Ek9?$99ztOAFySHQ#v1Y!b9OBNISYvDY0yE}r%zjc1P$OtjAqz>A z4xcg12QcWo6RAeBC18!mPNWT_O{Mr>RFEUl_)>j1wZuROmg~IDRCA;e3?7qe^-8TA zk1kT^g}wT6mtP5SEXq zi|dafB~*m(2lLu?Xw9^0+t9!inE2`l3nxq~1ad)sLW&uA}XRX9}&f?JqCb zZ`o-n8jNOUq$kZM4-ShW&gJPNm=lWsEjWc@VOc{o;+|h1X;&S}q%ZgtvR=7R106j~ zmEx@9zQT~|L|1)KPN?$3Q^r1n-OpD2S3Q;T(7P~B@E>}vtT+d@7?$`TEhpPW7Wbwj z52IdHn-)Sbku2O@6`4PL|KbhSn!u));~0sMEqZ@{7ZFEaFH}tz;|m8VV+OBKeaaEF zf-DVE&99oFy2-Oh1)pj@e?ol1 zQ(}3{gNgh_f*|P7qWt)oiX(Fne3y`?kDwo|i9`RfAh*S|*Nm$Pv$?q_l2un6ajqgG zm1^qJ*? 
zaJk}={q->P0PFf@T#aid4}*&|rR@bJ{x8(YqPn-K%6Jq#O%wA-PBXeQq)_S~u;4vE z2`@jBEj0EMU93MxE0DUUWj2K-f*3&q!xIrEKV>m3k6JYwhU~T@F0b2~|mwN zlwp*Tg|Tmr6ek&@r!>aD8$t!pJ|z3#+h-E%sf7t5&2K*w#1>a0-{%g$14$n5E-0P| z{=8y7@e@K=6f73?yP;+}f14lvM=G>i236`H zarP*P#Fi$&XwmeOV27hcI_cI!=yJFL4#{eg6lVZMw7iY*7_amC*AiGT%JTlo(S-pe zre^wL-l{a2=81FW4;0C@y5-uKJ!zTcP$dTFPI^MG_orqXvOhLs-fQL8L$^z9P@++uv%60WPDCRKJ8Wev78UsdVWN8A=Y>e@~J8 zadiym(K?W<#j9HR6h|wsEQPRPZSN+@F7{@w?VPcBMS3Rxs7YTdkN-zN9knoYvhUm! znp_Lla@C>`wwyl0?wu2oa8p%!cB65!s!U*N*_VZX<4!EEIZU3xiHP4=(iSK*R zw*SH`+aSyBQMV(O_<#zl=cE9%L*^mt9=mybaBaOu5_8$S4R%-4c3$Rw=!5L>eEao@ zr?zQ5(b?N^{J_s8x&*p(ujS#ZeTguez@c*kE~3}G?K1LxES*iju3LMh`NXhw_0bUPMA^~M~-{%lX;fkZyzbH-|r)zH5lrnf-20*rIz3#ClZ1XuT zS&aN-&u>}J>w3to^)9@fCc@0}l6$ms{Tw}=_Pw7qsbURb$ZZ>83wK_1KaG^r^ybvi zbnbNAZ?~xqTvCwbe(B=-xcmUvcHV6y5_p~hvU^>Z@Itpc&jIUO9lxEkfd@Xmf8M4i z*xG?>I;kt}Q=V7WSDlyHA6@q$ecisc+#C$OQ@ay6O>=q&WZ9`mTJGVW*QeUdAal3v z+t_3hVA_`V=~V6Naa?iVGN{GyY$vz-zA+i2hnNl21nKfz`?U4WbY4cV?K7Ck$9Gb< z!Mio$4cv|diy%^D(6sGZBJS-xps_Q0e{9Jpt?i z73^No>LEq@&?AAB!>!qyy``cB8+fOg1Y&JwK!#-HW}#xnrPh?~GID!O z_7ujD<-wqg4pF67hGl(?ExO`qJjuc0SX22z3RoN=K_J%hloIYHwW*bErJ1x=H;lAY zy4xZa%L1LuFF2(nTYfgC8pF-Fe>#Li`gr-ODnpc+Cu|a`amt8M9XjdE zRy{0q0?QZGfDF?%zYn2q08wyZoqlk z_`}?a(;1|{Xf{5shEdIS)IaP^D*-^x!Q4QI8lfd?Bs^Y&B2<)Zbjz%z?%}MZyoE*l zm2!zDD?K(j#~6v}j`H7yo=K);OJviAVoAxF*nPQ>r;oC1CYSSv`~Itp?5w3N0{ zrp=$SVX7VTIL%N!7LN9Yu@lJ^8BColGeSSg$bXC{LiXy`q5i}wz+)+L^oXS*;YEYv zJ`^d(<{TeVNjQPi=ny%7!opGh2}K{}Siwe^#zvmX+E&i*&zXJokZa>WGTQWh%d>@8Wpn4B1==F#kKmNIjL$`mdRMV*o z3qO^{xID;bGlb^-;iDudU$wLH17q-H#H3qn5>?SJSYQ@XM3?pXBp|DOnk%(*!WA+w zm>C@u!Z~~78L&vIm|A4ipckgvs*+*bRg=Gw2mLOS^{gh9yJ=PoU=ig{n~=V9UMx4I zgsy<8R{moho#FP2{@x<6>co;k>zAX8zn{p^0amH(L@<3MRDnRUQ>`)hQxMGh)Kgff z6_)ukKP-!I1m(PcBHrk4b`*GFirRsy!b61)@@MDD?bJQgShcT6nsi1#NdY-V>Q`lt z4GJA)^0$tZ5GfnJ*g?0>RfM#H#2QwJusZGKNvRU_i6*^ZWeF)IT^+EF;uMhzrD}xp zTn$jG?zGkcpT!5L6{H1DKbauKI*=yBh03AwutzkU)CeYY(qo{tAg}UIBHGUU66tW* zs3LiRsk)wl8L?UTb+{==iuhn0!w8`<(Pwtl6^19VmKD50@zy9~dR}8|U{X3?`)qf} 
zhZwdFI%aAkNy0=_1b!D?LnY585@YY0}Cwr>yXQ;WiQ6$XlI^8iaO^q?>rA_d~0n!UaM+a1{7V>~Cf<9!F*Wa{!TPzXgWR6odHx zV@*8#g{@hx6JNaJ5irm{5?iUCBTaxe;A?Ik^1Yea^8JlMghC9D3U&Jhu~AdHW6RSI zHS5m33!Yj$b+2D@<5#Vi+WG>YPbX&W>#)Y*L<`XXdM|DrBrqT5Q_X+MQoUC@4Z+u3$dViFp0~Nq-lJz*>&r_th zGN2p`7~Y$b($MKZ zu~N14UL(&~AbSW6@9T&2LHl}k*jVUfY!3d_C4H;K+8BXj+TEziOsw6??M2A_n~~hq zHZZF;>;B}QcT6UOoxBe4hubE4swM(xchLXkDuWN$Z^5???9}3|m}j@~KD~Y_(+0Wt zItAWkCSm{&TQ+?jGPyc?yFlEtdNwC(3^~m)uJdywhnJ7T_aLYH5Q-mCIX6c$ ztvY7sp({`3vB$U<>PVr_xjyC!*HgDVD06b zDA&hZCg|+aXBRoO{W0P4ijvKh5+Qa~!`q+RyEht8%BFpIx!W>lBDNVx-@F}seq9gP z1z;9!i;1~i(;E>yJq>X>gh#@9Uf-FX2L1gC(KicTC+KJAbh9~VihR+lt96m=ha6z{wnKa16+|vz&Hco$3{J>zFsF8-xpm2#T29w=}_8@wduvmEt z=@liU7d48(kp9`GVE1El1dtRc-8zy~M~WIlo}kqe{Du-V`mH<;rA`wpKO96k5>-o? zz;&h0_^%+uO7`~Wb_NXX;&Q`A9`@q905+?oUsxi&@vcTnDKr$4{=(su0Flz8I#rf> zn7CU5r>#PGVagwpBEYjEBGF}${XE0tH?>9ooW-A^F>9A7O~LEBIIs#)i#rXOGZ=l8 zG^t|kCFtpChM{dt!c+zuwCeu(CAihab1g7f)uw!@P9ChK%j|^q`tMT~dF_q{i-MkI zkb6pW5oW(!eAM@dFejVG1Pw-MGx%k-Y}yvV;o`n~Gl8i3gc@|uT<-l>lZYdKs1S^i zM#-+B5TPZS(tk&UIUB^MMTg)2zDz%q6&IrU$`smC0)vwDrqY-~hm2!0NU>`kv2-qK zG>;Bj6p08y?&w(t*GgnPZ;zf79?2uF(3I9J4t-@<0^#Spq68I=vSKkX_+eVICe=!e zSEDE>A4HSD88;Fw38vX!M$g{CM0J0#n7J2d%ipR^2BY|h`p=*vEHgQau4uvmnXEX8 zefQC$QJj@LaixWkZ6eCZf9G@c3stf$wX=A(QR8V+&;8PxyEs&CI0yU-RIvpP6PU2o zF!9nAJL0C&m?Q&bMJke-iPoKAP3uuh7pjHnog}^ghC!+$7M_iZ%T5&MELkW|webC_ z+yOa(T73$okdEGZz2iU499lAcUuO0uK~$KVlfrfj14$4Mal?dMN7V9-W&Wg$k&iH& zc297Q7APqVFbacpmS%qzwO)!!kZ7P0B#cq<3t6c}=cjy-&DlMrQv>S?a*V91g!A_~ zGVwB~zbdLVu;z!F~Fjy#y5?H6}6V zHQeT-K9zsjO|ubT$tZI(o7c~gYVGcDugFih2uw#Iy1LALm#>hQp2r@RAG?c&SUFa7 z&qS@r#<(;yS4#}Oqns_aW@BoO7k!4=vFK>Rl;`9Y>n`agbpup2vApoBIpB2O2l? 
z+;7tb3jrl!dRW9DL?^7Ac5b zRIv2II0RrD7ocSk@FS4WUvfxPC+*0%c_C#iOX+MUYo1ck>z`^oZvdElk|>ifv8+hD z$Z<(Z%}VzV)etR`g*&u-f>X%+l*<84E|u0n(MmHJY@Nakm~vqSn8vsx)4)E9{c2m; zGfOWyM~*ct1w1YOzC8ZIftcL6=89CC8ASO1W1+u3F&qW_KJd--1!{rDj2j7V2<&S> zUw>?U-KiZ28=hlIThFf-m#GEH72{yvRj|QJ;Z zHlCl7@jL?2n7F#uwTZ|+h+PG^R*&9lv%E%~ffASO7h(zLJ(^2Ccb}oLz9;z;?3cT0 z1a~=i)=;)LdP!zOB77OW4-Gp^?+np3*gY={6F#=yFDW=`9y|ZIo;(l639KEjR)G^- zxg^;Q05&Td=L=}v({$$E+rFF;?e2M(ne4_}HRN`~F{_v^;74-I_H)_BEf@DE`TO*4 z>h>%VP*WQXbbn=MeC2+$6x|kC)tf~@*ZF`tvF$VAD!WPi_xw_?*QK?26u5An({yI= z!7%Od+&<;2+T&HO_MYl>IZ05^xlO6#Jk8Xb20Yt%fZwM31g>~%#XgptF6WHH>fELm zAE*s2Bl#LHMDNhVa@}ph6I|GOJstY;Trxh*t6l%Y_kQ(pT1BMawpuW|PQGpv&W`Qs z9Ga=!a8Lbv`nk;1->agT>j>ik~wwPuv7ra89l{yeQdH9`Xa~F389={1i>`Hg^4~rsau9n z|2bEXD+Idz8%(8#E0O{yJ4UMJeqEudShF1mrmA1~&y!HO#E~9gDZ44sP=NTRqe>|j zys^!vR^aHZDx@yu7rAq>-z0uGD8c}B@RuY7s@^A5b;M?uNaS}#&j>q$2%K{? zeSoj80wY7Y4AMNT_biH;9wp$1-zDIO?Hs4&9%-Xg$m&Y^H2sjt?x3CcW z!t$*6#fmPeQ0QB*%m$gm(RJw#cmBL%vHLC_>P2n-Q0$)234vHO+><3t%B=9H*$OP3 zXn?DtIJ_XpdYVd@rL*M)$x3kvnYx?_98TQn4t4JoP>DsQmC&I_Jw-av5WD3~kjxt* z{Om4Arr!Y+Tqk8&>$_%+(j-5wXsf0=?pjhtXi!5qoWXDT^A5rZk5X>y{0Px ziP#Yw6Z^8*JXrr6a2j#=-Q)*+72>cSH)t1%XCR$$2_Em|4C`au~ZNka}_TIG-U+n@%zT^o+zxx&&G zBB0r$I;A{}mr6G7yPA^LA-y5;on&hTR6zMYG~JGRk;1eUBlvJ5ODFSOrilRdxlVL5 zbNZ7qDX+wJtB9DN(p~O9t9Zq*$`IU^&F$ehxyd`*;ig}D%C5$2H~ zt?h3VF0c$Tfm2~}fzmM#Qp{P6mqn}rfm2B?9R*yCZwb0OHi-2a2`POBzpP6<^Jhc= zwAs|GbHwta_UKYj6V4JN^S>0$LOVM=g;>C|k7-zQ8+EB#16!XBWV z&-v_ZWW{UqE9?~P#?TsjH^9Ibu{jg^XRQEySI{3rb!$P<%8jyJYkVg;P6kUL6KkxM zE-loKnd&F~&OW;eFN{qGyLJ)D%iVVD)Wc=$|730FxK~u|u(T5Snvx}A1+}P8z4>K$ z!)ufgVlCn?Lyvcq4!k}pk6-v|de>oaUbLtO$1>!Br;?dBF=rKD3om3ov2I0c{8g%D zyntT5XpimO8B$V5ndM|9icET0Plg#^q&zx8%ik0Me!SS!lh(3%78J3_jotDOt4Zg# zSVLYcyD=Aa+^GexgRq)_wCW@)QRix{sTbf8%s(okK`Y9;PEl@1*hTTz9-d}>0ii|n zXUO)hs3=Qvqz8rCX;pS87i#{ zid~w-ZgT=>lXlr+fXZ@B5sFCRT+%j)u#I+U1Anues$1KR^nv7}x#L;Z_2ldH{~f)% znob@-_bO2T(U~uA@?-y7ZfB43g%{G9Z^KK$D(7zq(DNhTx0kPP5HV>G2b%Ipe9p|N 
zfsOEHeH>J+_jH|wJX`xX3~h~b?3^_|d*79~KQA6_zvx>WHn+~~I#k-92PCt5cnk~> z_D!#jT3EqUd6;=F0VI{oqki4M zbgX{RwV5HOR64!I+ijlO42ijJ-@LnDYk$*gI3Dg}WUvdgZQ7lwlX5vB_^11=rvoGh z|HgFpj|bCfLyCd-))n)z+iA?s<}(pdw|VvbfYsuI!*gsCBdgQoy3;Pp`&hRUbUMvd z+dcd4{1&}`%cY0t;`2)Hyc+DwJ2?9B3bR|J73*=jthd^E_p&+p+%>|WcQ_yHf&?Y%Z>9RYjh6d%Sxnu}$k)EENuAS)e#SyzkNw-W^_hjcw~dVHZRk1@@qKxO zUj8ueEnW67S*TWPe{bk_u)A<6YaLidj*dy=t!v!r?mqUms+pi|-4L09nPAY~+a%lm zd_tWx*(=$$s_s2{qOh(@aGX@K^Uq}XSRnVL^CWU#YDo@_^|Fkd_;;58OR(?)V94dz zy~sPyo;^@iPprYe&HiVc{fQ~r`YFJ>Sjny6ndo*BC$rRhpOCD|YaU&S5itk2#PQ-euktpoc=^a(Eygn3-NZcS z`*Wg|zKvkFek}&O)di?e-FBRBo=V92CQo%ZKs`<ZqCD9V)QtX-4C6%IA zPFW3~4J)KU0=^m850duebU{5j=gSCD&ynR}qXLhFE}Am!fNNQD{!UVZ+$vz{NpyU@ zCYmT-?0CE}+|S_rksDLCEJycX32fBip_&|Oix`T&Q`y$#R?*M!utW(n$rHcx;7ds! z`x60*yGo17D7I*@Ol;zU2M*^vr`NXZBm+t{{P!cU_|h`1z{-6KwCEMTFe|X5CLXb9 z^;n$PHIE(DU|DbT*gL!c@p#ZTfQu_OKxjs*_1KUhJuWyF}H+>*R)z{5p-rB(3xw9U5n`M677EVr+=$_}%z) z!9qMKG6e_;In;eqh2sLBoEl{J|`V=36xx-s;@?Q;Y%9R{Q zRlkS6T`?OK$9%u=`EMkyoj!arj`(B%SPual$&xdF*}2*>a@B=(3^qKdhBca)w7%>Y z)Zd0ANywu6s&e#;QXQC!9;?K1YWIL9{jWxgr8jXi{^T@41;l@jfWf=uK?aL7t}!wt zV~oN_Khw^Zzt6X)(s~v{zq=8gh}NiKCnchQSs#oi9O3zG2@)z z3je6V1z$;J9*hF4m=21H);|1LKZy?a1*#l%2qjfC-3w<~=L*KCsI)ETSEq}h3IqK^ z4W{DGL`=i4eoq=}-$+I0%udKL9ksDfH-BL0!1q|Rd{D-xBX#jw7Sh*=U;grir+Ua zSFOWwSSoeWiYL#bA1k)ptqOdtrs!$;;oJO}dY%YLuW^>Gq6S(|oYNX;-1C-F%k}(3 zo3vf7>N(SM>H3NQBIv;9+V3K$x~Ys-^=9FGPC&E^z5E1VwzTigbw^^RTj6$YWNfdw zFK6So#c=K}ug|N|whz#;<9a~*>^Xl@xOVexJa5$g;xlsTDNFhffAnLV{qulgEgnQP zlG~H2#W{hRs>k5hZ}1%9sdst%J9zc_T)Ioyer~9aoc6oczP!pJdxM6T4{@w&?d(^h zk#*b-dpP%d22_E7Zmo}#w2AEHcM5JEU&kvdHLufuwb}Mlhhp0lTY2~``!Ni?Y3@6_ z6Kt!X2c0D^x6B20;3LgG&N=dRCzRuUM_+g6mWP9zYK%|V+d{n_^7FNxO+UnOTo$109~4Fzb)YYxZ81j?qS^Cs zj!IO&Df|+zU4WKAd#`dtyQZnU6KZHV6<+}*UJu-?YNgnx`17}?)I7A!!DY&J5bC2# zXsoRAI{(a(Gc3Ee1Vl@6rf3pdAjSmLK>>_bP^4Fi2$D-wzkl zFssStrv7c;EcyicBmK6XHnuX zVTtxwrNt-@&H(a#LU6{;xG@M+P49`yD&*-AC79jAb(zfx5noX}WpRi_c~<%)3XpsG zhCYIzIdRrss#yu?&%|ioA0jaC+KX6;G!V)W&J1!T&>bZWlZdoNzfU2t6E+2$z0~ET 
zhU4$pXV+nwStSLFEKK)}E;0dRpsb8? zt0et?G`|*&E@d{Uepi~xBUo*xnqtZ?pu8}Lir6YDG&^J~kT!9%TyaM$9$RARQ&L#1 zwg>-R#ad`cE+2j-9HpcV=9)O`AeAL9E7`VUyg_vo6G|#J6tZz``D?5IewBk=*wHlY zJ`L_S-N8W)*{vngRcj_%H_|{NRudDO5E)Cq2_d=3-l}CPA(T9VA@WgY3;mGsNDHoq zrVV7vR_PsCxAACT4o7u#NV-q|I7jY*+wW#`pxn*Oy{~*wrSkDxZ}&Cd3g-Xn#$`e5 zA)=%mbS>%DNcvXRriRHfjWx>i5+YWlmzwU>52IQAPG@UPW;9Lxv1^YIMGm?x0};_w zD;YON?MF*exDY4cMn4P-FK70oJYB{_OZkZCGIIBfW0&hmN7=Ezya4K!YP5FNhqD5V z7ik0eVQT-fvQ+&EYbJFq4Y@FqFg+#5%U!rciOf?yHnr(PB0_9omDRzS^+_xoZNFC( zA&6iXA(D#4HYWZdj8Ja>gVmwK6Yd;8#F|Lyx*ugMxiOnERRM=yg^P8Nh9w(}__JOK zE`O>3QW@rNn_@Hg0Lj1a^MoVG8+CM!Ho8_X13%TQ5f;7V8mXJ97E@4qWTOVH-Q{zK z~7n>k`gt{-jh1)*7S2sPSR(+Y*%S8<{$-`5qD#jN6^}dvx@{$*P9RO;lsc(oBuh`$G`DpT zW1ptUM&Fq6m`z1Oyjh1ZIcGSqf*&qF^7mmxNsuzFQP z%;FFfEHYP=*c(Tt2yOk@u=8$P=Zn#-((;t#C_V|_Y0jSX{mlP6e0!k{zJ0Vm#^?-d`MHv|EGi~(tv$prnrJHAf@2p?ZS%-vZ-3$y?2?fVhv;mOk?yt`G$ zrxMMTNVbdazIfZqDA9~T=c#>a+CABt&)wfe4zP{PZ9TxS{Wg(0(-WKUr*lmW%(va-O~aTr6Hu;wu|#{T>||7rGd1JtW>0-1E$>G2ZzI2AV6G#=H4 z&%vkYAM|p!fqQe<&#)IV*UoQg@JeiZ*gtmA>3Nt1yT5ziGaO#q_Ch7`oo0mE@*^`y zTP}B4(Q`O;4z%Lsek2meyruF?;MT7vzMixHV%JsOnoj|~T^Auo53-<-2H^zSDh+p6E5KWBAa$a>PL8<04DHy=~ku1==cJAW$tmyEx5v6woy zyrgxLS)1eWs8=m57aa5<6=;!v=Djw!`IzNa`--OzJPQ)|QMW7OUJ04x6VfrFv# z{J_}Tw%30LeNUkC?yAN+oZYmrQ-fB3QzOOpweZL6r2o4zWd~WyaDS#cBDI|BwR;q6 z_gI{H-FDGJM-|`^vGtN{73I1WWcRlAmyh$zw(en2Xy#(!Wex+Um&nKHe4GjPT1RJn zLJ`^8WmbsFb&8}y?9%(LwMVLGyu;AOdV8Mx2T%JH}G6W^oX%{CJ{0{F1j?==kkJve%pH{ zdwJu!@?G!FAs6(#2QvGLDw+D?+*QwwUgU&jtQ_vXRAo5{j4jLm+H&p{jzOeg>+i0& z1W~EuC=8q^sRtO#zT=Tfpn*HLYP|U?VfheiHd3NIR1@On4ff&oriB7JuanS}n5f^K z98$#}+Nq9Vrky$DLPIHsN{-$QXPo>22A^Br4}W()V)%%2k0(y(Ix{_GNtu2#+IqY z!TjD_EeBy86lL>!Bw%&7h^;|e1Y4R20Y=4DzunywAu4ILlWi7(ZJU7Q9bEh|po?k9 zqFZFKR3EEo?20x#Lz;{;8Zn|kujRF6?tBPcl+>$+4op)lTqk~KHl9$1+M`0ac%_9D zyNKy*u-!uwn@FT|lo24P!>DACAAMZvl{km>do1)%B20iR)^{IhCgQnglwP>yhc*3#BMCx0u{Iqt5?)yoC>lm6 zfy6-i`1uG^f$D@FZDk#p`3x3A51+v6*hZz0z2g2jRSv=L2802Y&E^+OO5NFhGD}N{ zY*HA4zf+v0s@Hd6#!uQ0AFgk%J{JeHA 
z2~jkgKP}#%()YFI)$vD0jmKGGL`(EX!s2MC%8**baSWsB{ZbFGmautwFI-5PP6NX& z34!`m0^(|RG78GAuMvw4!bE3@%0`kNnw{E+2tQBoSS1L>x3mx_^fSgBee>zP&g%)L+`HwXtCnmG|4CJoOMV>)oPHYl^+ z`ap#ItBjXyJEhRe1)@MlQPxp|PXG7lL>XRmW93h*Hg(>FKSSWSkcp-p+S!UcT;q=g zaCR;Tg_`AU8Tr%(WgRWK*zo0RMVQMcnw>JHi<)dI_uTRMA~>vCD1^_md+Ib;uZq>u z7Mr3ZDUp}Nkc}dRObQtFHmzcwcv!0Mf`ByX`RbW#LcI7lyb?Yy9htx{cOoSNiA1oT8j#loY5Mcm)= zKglc1EXzZJ4hXB}=_Lv_5R-JnlIgH=Z_@3*@HpA zATGoFipKkEQ^SfKrR=SJo#xF!GbWxos$A*j3;{5tt|kvRGl4-NF~H7!^6W^(#)^l} z)2TPURWkV#6qljG++MW55OdW+1$YRN0LN#mFZ;(fU$aOb(^yzmEE4UZF|Fb*auf>X zC%w=m%DRp?v3Ezs^kX7=0 zKV2CHULoyGGNqQ}A0x|^h6#El_=hNqxH_^>$ROJ92s~FD5_bGf8HJj2eqsWw1g6e1 z(3*4F-827RFqjs@HzD9MESNVfNZ|O(w-x<0uJrpjJXz*;gZg|i^AMtpz7RKVrVwO2 zyZVVhyecOT`a5FF#pnEh(b?;O1{|)3z4zTXN#*jQ>iU$U*|7HoZrJhm(m4;(K)G5z ztck?D-CS*Jd`1__tv=NasDk>t(2#m>bho^^6v*rSz90Py zw>(Qgpl+|WmC{EYh2FT48SjHE=-cbwa*jtkxpm#;-*eqtk21b`y@+2!*Z4WkEqs>m z1ka}`z`Dz|W!lDmKxoaPFYEh?&$3-h?M-E=uFn44B)GqY|GmpPX#SF63Uovm(=Ett zvQI|;<+*Y#NKd8zG3ID{JgCt@LxTzvVVTwYBxWH zKlTPi+0l0n8t|Ik56=$SGx9^Wld zXt(>;ysLfK+mS2K^1czx&Ld+^;Hw>XF{(7r8aS6&QHi4!1_vnoFP{huN|#GvDU>;AW50G}laO(n!nt z^@dh6I{tLdqu*@T-57hX_kqVff!1S|5bVt7Yw)<5kMCW7ES>ReuASrJbIba9$!leo zRL80cLClrT-Lh2eec=3k=|;;sb1$>(v7OKTrBV@M>^iWO3%`B+q(o^Bk-^L89Z21G zt=6qSh264%FNf>BCv)882~4m3w5*MN|LDa8@fm%kZ;E`*Xn%l|mqu<0OqF-L8L~jM z5n^|*o=_vy(gKVqA59!LO;zC8f<+w1_>ce}Va^@P=Oitk{|6o!8 z3|3>(%b!VdqZw9aMR#HVS^MP+3nC5``FsbY69-e{X?bYeqf_7amWuqTuRXeK``5D0 z&wmO#d$CW#|1&14NnYOmpS^rVybL323SnoZpyVHLF&)ZVis_=Ea0w4Mm$xAWi?zv7 zygWlAYTenj#ExIVip4nvl7~%8nNG0KddI6Zl!vRzBn_p%cNIIv>mXFi2Z$$v2GaKK zjrv5ed8Qn~6uXU-E?DSj!oJMb;Qg~Tw1x75_f$jDhks1^$As(TC1U^OvwfHPXbPS~ z`X01f_8-D-X$AH5hjpyrDO3+-27vyQDq0q$Mn8&}=vtULX*M>)JO)OpA$K-a;t-6< z^j5a03=TxSrb~B?o-O;0fGG6qR?&*I#i%*U4K74YP*S{1vd5=Iu%x*nUKAtXTJ>gJ z{K7*%>}KwI>SG7I$3{LhTh^r%XxRbs zMzon_Ir>a-^O{5RzYjaV9X>&Fo**a}mx|;L`i_c_EC~X01+7iWWV_q<|9xd+bH44p z{%66{&DWy$%-7@fD=9t0Q2|VRXd@1=2Q`>Lg;qSIE~AOBMlhIcN)7NQ7yOb|DXKJ~ zbt%xlH5@t!#JYq`x)J}5Hu(N~jVCV0*ueeZ$clIYuOq!9m1M-Wzbt?_Ysw4;$vCNy 
zG1^FJ-PD-eN)i?M7H!SIJPB+Z<7ybql~_b5xi9k%r!A?hVl=Y_G*uBqfY}{YOac!$ zX(wFTFDjd^<$2isC`b|yzJ7nE5Ua3$De#WL zQTNl0w8h3b)Tx|dprgXHpb^be4U$zyHRD0Pz=4L~xljOz@cJED>M$Vof=~Hw*Jjht z_mEq98Q1A1kCM?61>RoP_^%*N?D`Y}B%^-f39;bHVLIbFB`a9>T%$wbIvKzq4KFg8 zck}1(96S|{G#m^|2?uS06$nbpHr9Hr{Pa9!vWW3d7pC>|M@A$BY;spNj{pZk4cYWyx z%lWVE_-eWS^6RP9zj5Rh^z{g+FbYoJY^|J_}uu5sf2>zF&Nb=qpr?NR#uvA z4%vIzpYQ(H!DhGgIwvl@(+#`LyI`3GhOq2e>hp`?KiwZa0qpsWot|6$l)Zk1F8tw{ zSLsjwl*^vnFI)SV=@WKA7T&nk@4vjxGfO{m?K-9IDgw6I_t$!31fBY&mH(z4_s$`A zT;yd&?s&h_iv!?zE= zP`c^sXP1w8aOeGZN^ahKllWol$-k|8?it>n_^0QylXqYL#Wvpp51n`2!dJK3{e@!aYVbpR2>L`cH* z7Fi=RQM)?|jdUt4vjriO&s979w$|nbR(@=y5fw`mrNqPKvZVG)VyF(xiUh!^M5jbe z%5>!HIcANQD1t}3!F z;8YbqhKF&Z{G49X->g2VythH!=Hi~V8H+<1HDFm_B9qN_xl{K;i;z3CUa%EL%n8oOQQBRqR0u0hS2Su#t!mLw=rtQ@ zSx*LB0m?FyOn%q^CK)ftG*W{$;ic+S9`9C%ST9gwx+PY}g={bo`W3G!Hf#)S%2};j z;r(n>RZ@H^+YtNe6v#E|a@+(ZQdDPtffUAO3xWlPPT+xx1U)~8jk0VoEMOD5z_Ct- z7^O#P)r2)Wkm(!<0yI>#(Tvy4vaC|*kcQLml`I5ljI(1t!I+%csfl7xkhhT#N=rL;cRy}a^cRf45eMK>%pTI3PU+5uX~Xn z$E{Wu^RTEK;VLM42vF*KWrrHFH0XW6e?&Rm{8#)3{(%21S{omq|L}~|jvSa-)aD0d z{?_K_gKZA{GyAFVR;^JW`Y}Cdl^W?RAEioBnA4!D;5LfXqK;|Z0on9AbVc*pc@Bs{ zu#y8qaY&SE?6^Gbw=APmgeAAZQHq`vjFCn)O~;DhFwb8Y+%shO@^F zri_L?uV&+X)v3l}t=$vtxTd)wlWN7isi~mJw9mIdISdms7GXE96j8sME5Z#ig-n33 z4(5V7St1fqD^%662)}yyS;nmlV-7mTH{zujho>$7}AH2#dOR{U0uI%R?cy*Wcy1!Xhy8p~# zX7}P!YaII2PRky0@dkf*_zFIm6v3f+WhYKw%_>Xd1syPukBagw6}ZV zUJluWcu2x;yLVxK-$!3mj3Bf6am2}oN#{Jg-fvH#wm^?P@h7*xvLf@6eBXK36AO%` zetJP`!8!BSUg}pT{$c~*jb*P{^XdE6*?jNsow4LknqB-#Xu97;2m80({l-;iFLOY5 z%l-8o?z||w#kWo=-+jtGKMjt*edUw3{PU@U8@_zdPrtn4V5>t`_&PoO<(V($F1>5% zwRYSWynf?bH#+O&Kfbfq)o-76)A_sKvl#rRx7%B9t$F>vPrl^Of8ooOzb^dgk{e9V zS>n=%+RJKRdVZHzUcd1$`-&$ny=lW2I=gRn!g>ckx$AO|xvO4%LGj$5Jbw9-x2&;j zxZO&d^e;H+7k}LB^+&eMo%q0$KbU|1G3zh4q`uSJ_pds><>$_?)_CaboU^sR^tLh>JU(Ff9H-a(XPvHSm&7N`GDcZ`Rk*Fgj#+jTn$g8(VD*h~-OJZopQ za-oEGQkmW?%uzxE=Bmh;EFz2_O>325VZ>w$!$OMmQMO58Di|?#x~&02ya4qqLx4HI zqvqmbI|U<}EqPfMDZ?2s%?I)%E^$&i8EBTIvdC1ZI96d$(Z$9%JE{T=qQ)V1hi+jU 
zRS^`$P~dumI4NOd3z%kt-I`CfBFc~Q3L`WEt3gkiTw0APxK$4ZF$oBwOMtm@itiI- z)5O5eywYDYvXNkLtOO>)9p4$IGz;m4yKo*+8?DGYPU2bDGq! zbjlv4EU#JXl_aoMb@PTDX`aZoH3yy;eC#&_XJRQxp*(0>1nmy+1Ym9BQ|iC*ajp-Q zi#;$gKr8HFm2onVAao2$HP9A~amiF6JvAEA!)YCAgrSWY-t zjooT}EEk%y|DPUYz$V_R$|OH3KxstFw1dI4AU8uBX-zZT4ENOzEW1GsWh3O14@@oiF19|_`@K2-^8x>ve)0IvVjVYs=Rb?n|3@6R z$Z-y1O&0LZMCd`b%z%6%H-u73FtwT~s_~$b4C;j4(nhk}g0oT8f(LSv0qfeJ*m1jU zmrv2;>}wflR|itrD0I_)jW}R!bBhs zK%8kOy4nJI5K=QEJ;#lCtq~-BE+MJBo=zr{j5f&>1DP20;C8j+N1Wm)T9Z|1M9R5( zpUR9ng{}yc5D2Tw*;pF>2mcA=tn;t*-^w5GAEU#{ADjQo7SccSpa0N<1O8bMZgKSB zO8LA9Sl+lhGD`to%VrzZ5;=|Ank?H1%~h*P)3SR?jz;o@36V;NDKnfjz?e~Nqgiq# zM450^paLt7sf1?1M+ayZt@Kuts(y$rm zsis{h19DNN2m_&&5OqAAY0D)pV@ZU; zY8e)30M2+?*1D=Pg!+|yuGfnFQazk4H8rpI6WJy-wNPu4*&I@wYPD7#vh1l_o`PyS zMWz}J5Ct5#3oCY1p>Z@dBB}ybZcZs7kDA#;RC*ecE{H|g(^!k1f;FR=Q{6I#Y6aBp zKt0jrDge@+$Xu80L&G3N_R@(yrw2C&i{@a_94wlHMRTy||1U#ul=xiopSk`IpNV~# z|NQcXY5m{Ne=rQj5t@MMk5m6c{1g94eGd2!Mv*9jk`(qS`v2^I>sPjTILaRKm37Zq z_xZ0c`Pkbx(7=;m|I-tEo}cbdQBDc|O|y6Stc^|WM-2g|#zr(U;lm`I15ciqOz{bkihoV6GJ z{-QH4U47#n_kU1Qy=91tU)jt$@4&ZSI(AoJ;a|4f>W1a+4o|*)j|Jf5fM|mwR@o@U z?7GhB&p+_(w|XyJ@ygxDzcha0^{rmo?aD27+i?Gv(yeEf-1vesU)^H8c}v`M;F1Rf zW8}~s4qN7u$By{+(#jU4`}R4D{{Eh?KXveV%lz=?7p!tj>F53d&wp*R{T|x$odw4o zhQD%~xXC)d|MPx-KKHTfs<+9V6R$8%-EuMbPrkC&tL5A;w3k~4K61plch!IY%FF8} zTPDkT%C!Uj3{1TH^~PnJ|6=RLiO+p2d)tl=U$EVw-&^%iZQ&Kc@_)SXfU|DI9$4?a zJ-3LTx?%m7j@kqsU4Px~UwQW%D=u-xcHANbDB-(F&) zN6tB9!R>clTU_@$z5M)}c4xjPck|6#p800_l^=fp{@3n3=KIfF0=#kDcIRBwx%Acz z68e|IzU%#zNZtBL_y7C;|KH4iun+6Mk;t6?|19j2@SpxT(=h%;?E3lTKd{`9VR;t2 zDTao8eE#!M{eKMci^qR7cu^izHL8o^*2U#N)y1j*391;bCqkz|)FyZa%=UpwwU41G z&q8ZztJ~v>Bcs`G2aXyPnkB5Bt%^?3&*V1?WC^cRuc1&Ym|ASJX=N~AO1R@` zrJ$ARY0l#`rkv+n<$}nOMWrk##Rwlosjge*VJ7yeG&^o*$tm8@BOB&N(Qv2(ur%>< zh4EOL_HDF>@kZP4T0tI%2V|7xGUd^zV0$Q4w}+xc76!vX=p*nHPZ!4y%cgM(urqq5 z&8IW2Ks3rA*tLbp81!R|FQJ%aLE%K1!nHQoVT2HYi+X)XwaT4d05+RxBG7j z5^fo=L_0+r6E!ZXRxM^q79xiM+pXBeeo~O8h=B#}xHk=qUY1Hp6{Vk>s#a=RiTHLE zV$BLrinqIR|oPm3)T5<;q;F=mT++R(FwfXqzNqUq4n 
zYC9VMJtD1Sni5|t3A$T?o2n!Wd}OpI<3gE+rKu)jHG8rsr>8hR!OKHMEsPjeAWWiR zW=sPp!J*4f$t0ajTJxY?gHE_3+d1pUmI%-@t!xv0VwPrRVt12mB}g;_;uwI&S{X ze-@|zkLXllJN7#jvJ4d448zBX(e%4r%Nordrbc)$!sTw3S4F7E8LHnU)Vfl_NvtS2 zn$gEbuEK}9s*k;v=K`ipa_9tRLASyN2-MRgPOXquUW0ka;nZM^&4v~?Y^0y&s1ZK) zr(`MV?1l9b*3rh zM&)k0Hkk}Xh3mOCkgAG43L>3OyVYd%oC-qe64KMaP7m_hc(0qDbkaW2v^OSY z3sYixn3d2>*s~z44+w-0W7$63#Q%f;ROL+dU-2LQ1O8Ls8RBE}pKS8s`kxQ<;DCP? zg!?GY(^9z3&*2U~m?7;0Evt=RR`xYv+CUgcEic9zopy*u~2zsXg~wBDW5_(XHdsxfed8 zzp~=4$K{^8`9Xizas8zIFFOC4H>BjUt8e-0h3o(EN7uWRljr~GvQ2;W!{?st-?7Da zc0aMT$AdqV*IUj%`tc=ByL-bko_KWqKdscbav5!#eK%jTSeI^DYOUpNKXl%ifBDVJ zE8eoyISbZY^2*@dYc9F=En=0sgM$O{>z9rmVULlPe`bq^Up#B~TbWC?Ka1v`KFYfN zNAqsK<-DCwItu;z-mjEaB#*l6d8zDj2V5e}D<1S*@%-DKeHxRGyma^T9(r}Juk4Xo z?TsU&{O{L*zjN4W8=@<`al%Qj9(n3w@Sm*?VfV;9{Z;y^%(15*`{=>zy;jL>efni5{Q1DOcinNf zbnPv3mD_4JFZ0^`fuV`3JiBLR%M&-by!zXpiA(JA^7fBx7~Zn{?f9i{gdT^Cnr^L$J`Mw{&wE?SJE~+Y(ICc@gA42jy?_Fbl7bhukq9A z0r8F3J-Fw7SFLf&S({qlTyWJ|OK<)Cr-T(Q{O!`G{bJcI(6h&PUUeS!HS?`MExB;* zQ!o7T6Q6YdzwiG)hx%{mod5qU?33^xOr-qAzerAge)$g~cXG+>6)Q=4G3tLlvj30r z#p6G-_s`GfqQk(7ky~8;(_9?>({$=^wI`<`E*X>{r$PXkiO<-LS&Wxw*)XV$DxDPC zuLxux$wK@{D7S{wLPI6mzE7*&EIi~(qncohz(g3RdIu%|nh1lT6`Acg?#L-=h)Pfu zo^-NiJ=Z59x@XE(3vaRbsDU+gTFYR5tguNp-|S*}ib$t`)P(aQVm2;|vE86lr;DjB zrwK`pG1EmKQnPO84n|HrC5KgH)UTLnycCP^r3v5aPDuGSa^lm{>plmAbXPP>d zEht^NM#Y{xNZc+P%219TiC8Nqc8oy-v;q}jMF}2_btKCG#OQ;Cmsx|ahtz2nzfz(j_*a7TE^B*ar%8Hau zw;XC(%hohCf|*{)h|(l$S{>2IAh6beh698uj7dSyjvHvV))6VEIl2gww| z`vhn74bAS!4p9c%g;K6joD^c%G9xoAQMFJU3;B#JQk>AwB7BEU@!|v<0E7CZ(!+eD zT1w@b5QUQ!h1L5a=df~OH_W_~)ZC&&PB3-a^uz|nY1$}L2h;W>WmoY|8OX&RPn(M8 z$RQiL6=#ysJME}bnpC2uiV$Eb&E`^nwWWtscA?S$pdyt86y*{ zMvrwU>trl%7-#UI^WUximJmuMJC`^7fd3?4JpQv-$IajQ&*Jp|nK|@PzmY0bVH_w| zrbM-hmjxLTVU4cJN=INu;B3^vK(p#2RU9@eD3@hx4NoDJ7LKygShReEsf0F;jeuTO z9MmF4L^fI>0aQ3L#5xrWf)+ZU=X5u^-O|lubl8))Y(9tq6*y23dssOcC zlZ0oEkQ#{2XqxLgk_XP-n$*WilUgz06j7t?VP#T)Locqk)ixG{i_|?^ZORN?Y7B^x zHUaro)%0>uqb9@!rVAM{nM9b55xtgw`9j2+oaL79DfM7$C4}ms6 
zNDXu~1;I@NX0!NscHDSQr8H?Mo^6mS(;WAbOp`Zpik#%4N|seSDy}Or8B9_*nFSh= zk6{E+^GDSGwEkO%2^R4mi28r)zqMt%WJt~^=wgW{t58E?vcBkKs5(R;$^^*|y5lA- zPA#>L_=(sBLJyt|h!?n^;SyuEICXfuuF?VTkOhh$Frikh*7L|9sFq8`%Cu4eL#O2Q z>9JMDQ=X0jR+%^3oX6HfR1?F2Oteu~qijv>RU@5^nXDSJR@}A3wiV{eb%vFy{%oO- z1}Q{fsPPoY_hBtFmJ_onF;to^Om)uF!7@2iI6{jD5Dr3P81LnHCYnx%M#{Df826&| z?9RcFipW49=Gwuu0y;xfa8jU#4_#Bj@d~}j$Jh0g(Y3q@-(cj49k5^=8Lf7VH}Xn$ zOeJMVbAU!QOM1DoR4RvLUoW@FG8b27$F9`TMKndh-6+=kbNX*{tY?n(%(0$1)-%U? z{udj9qtxe;|IB^<`!lf*@gHQBmw)z?e?R{r5Ilv>{*dIy;6Kzq@gMASz<&r7PQf%m z5b!7GKX29Yy=^Z4$@bf?e!(|_ouA(J?fV|y;xmEz-~J)GAVjDMvG z?6>Pd?^PdC_Ad=kCYeeuvE z4twCr%~R6hSATuiowm@nI-t3+a`l}@9DM4xZn_oU^{zEvm`B|-?}xA6u*bs3+Izix z-K|H8C$e9^;dgs};}^%7@068OSKsDQZ{@GOxY@b)@ABx2cf$uQwd%=(L((_jb=dPq zAAj#l=(h6@+3jcNI5~RT(+^(I`pYgWBUX9a-bTj-FFa80Ee8K#$isiV^OIZNw{l~v z!kgB0*iMDzk377)-Juun`tOFsIZ35j%9D)7n=f~W#^RCyCm!5w3$!q)q zIO3c0&$;guZkrbmT7K;f54_{4t<96KUwx;DoOXMAu6FdB8yzt3$SVt(eK+6W#IyGM z#wKUK_Ja$~``PNH=N=(;`sx#`ynOrg+#6fxul&-Q=8Jc|_Pd?edwBbs=PgX$TjnpW zaN4HRORu`NEZ5rx9(-hcb?=G*U4-~ZI7q3=`8gMX7f z{IL!7r=K_zeC4V=yq7bpoOZ?PN9}mZR_$ZXc)9l4Uv^k_tUSye`Q~Gfc}MT_qixPPnf(Z6{7r#e-PMF~kcR+8r8@*ih$_>W-d#Zc68y-BK~3BeErh+(4| zG9^ci8Aw1>q^U$5x>pZ!M$AcMQbduw9?>PUYAJ{TLnAQPRobOtl+lqAYWhAf0A;A0 zrMtRH6*O1`k*OHA^?Ev?HXi7tX&IqNP z6d-J?NYUL=FF*>kIh8yCPIu}aLybZXfuZ&^_68jW^v10cXgA`p*loJin6%RX7kT`r z<3H(anxzYVN#r1y(7H?zA;lI~&v$F}x@$~b9;S?9uiS-FkgbYD+V4}tyxGg-+I}!0 zvH-z?L@0N{z@zG2E8)X>d(g__X*7{ZuG(;%dYkfHHy>xxqXC#2aC$)Z;*P2>>sxlo?NR49-%voZlM-8NSqV>=TuA;=yN^~>C zOJ$(kk>%#>iOmuR`N>FY3R;ARisyXCDEfG&na&`ZsE%o*S=7RD zlBH;X2(##@&^L#HO!f#T-{xllI-mP*)_c#=0Et4x;XuR zay2{djT1eWkbqQ3FmzfdDn+6&);y{=wfKsjnIzS+>xx0TIB5QxSnHF`XJ0W7Y5H23c0}1+q6Dw#%bZs#L;Tc*;{mI;oH9x~S2m zq^(C_nAj-O7y{M67);t!x8jV`WMQHV=^oz(n?|lRqRUb=yB{6fvqza|s_Su(K{&A| zj*F=&24z6IJ&}Nhkg`pf^|Q*b+^@GC*wg!|!1G43pRjn?D~mcri4&#Yia3@s!8+I; z3$Z;K7^2J8n>3(hBq8Qgvva)kKdt}v5B%r9NB_-|TV=rG;F6k)>yTqwlOiM&Ef39m zt=@!dWgtt5sU$b^r#X|xn`E=9H|v8;BVX;5&3cwl!4w48P8l8yN_t$(DV2b=cmzf( 
ztT=V;q2>B~Q4cz4OJNPN%aClP(AV33w@;w~r#Fgu8XE!QR>Jrx)i2~gvCHPo;b6${ z?NpE&XZopB#znEXs)&vpPLZ4^M7566D28f&*mm%&B};w42}rqs+jWtJyS$EyxDNR_ zTdW6hw++^DON|CjRHN%U-;Y|s7!#d}=PKGLgO3GD=?sC1sIwqf6KF=x*lBS*#^f#~ zb%lXLmY~ddsN1qiJMd6~jZV;-?Q&MMs0`&y6tHaB-3l=93Ih-$x|o>)QLYVg+8ivJ zgGF<&Xbu+5!J;`>^#7G1I7)vm`A=#t|Mywghxrfo{7DCV4)_n5B4*14BjJz1f9TI6 z|DjVU45z8or{F&)YzudT7H2T-OHV%a<=0lIZ~EdXKQ@7Z_@dB0`n&WW zo0r^EJL6WxdS$C+Pucp>Q*Ig`zGvx6Pu>Wgd+5COc`L64<-c%a0}^nd?Sva;vxBJA`Q0xy3iUf5+J8gz%m+_iqPy~Li@|?ZdH09K1;02xJZMww zuoD*Cem{9_;|Hg`X6&&0QuJwi*Z;h``E>Fu|JT#Lyv@)4blobK=R4mzefYphr#x}f zFDdtqle+6Br)==UJAYN!aKR>*eB-W7t~m^N@3QY)J8#`B4}b95GhfPFzU_^Btg65M zgZFkCJsgm`Ef;0e+l;3oeA+4}{Y+mnwbV~8zjBL5wp;0v*B*W1op1fZ-{kZ^9lPk%Y-pYa{b|)p|9Jhn_wKju33pWb&DY+=vTq#yE2VQfs_=Uq zKvm+l?_K`VElX~<$+-5%eJ-DW=qKI(@B9DHq5j)k|DVsqJ_-Mkj4B^|@%WEo$dR1L zsA^PGAD{nxWdENpBL6|o0EjS-g1ReJeu-iq7&sLsnaFX?8Z4n)>K z&4%q%ppNZsCebIoVFoG|wK5%{ZEo0}Etqy@$d`PSZ4J_616T7|&TM32q*;(LxD52P zjIJAspXriDx;?w4{UF;x;EkCEa@s|72Lz$Wo1O(S;EYIesQqk48@3ToU)Kv+Q2 z(jl$EiSA}FwKFMaG`7SvhPq6)aiKSOBIosJP|0C1#YZD31Ir-?^0YcB<;yj+RPVRkiBv{#qdfw7Fm3?8 zkg(Gd*es-CsX+Nu#grorm$MD7z$1*+E2AEh^%R*&GG$%Q>MaS9;PjXj$T&?-1rsna zFQM$&dT4m5w(z4eqTU7{yA*2)5drh*Jt9IFZgI1Uv$MPefE5Jy2%uS|zj*C-vNi#`HQ7bZ)ln5X+`z?bi)C9%z ztYR&hkfn58kJu<}MtE_|%L9GVZBZi%tu%DGJLK!^u*+0xQ7bBTr2GVMgOVo7^{7^^ zdyz$TT*$US&@GXD$BK&vtK$uLY7BovR6&!#s1CXAbksVV*h6 z^S{Ip9Q&WfKmR5FAxQE={0AoH@_(O&!3&nU9A2>G$sh2a?eJP^x8Hq;{~Y(3;*->D z8PH^kL`e)uZHash{_6YqWbKdUKiGf5KPfEr5%O=leb&RrQwRam7=;pB{+E>J+$+ym z^}y36PrdhzwZ8J+4-RQQanO+~-o5(pq{Ei}-l#QsYPIM8x^#HLPxd%+|3lW@>Cvmz z)0Y2{HGXq*cI=piOFi%A1?{Vz{r>sckED~nx#=&je&Du!F1vk`b0F(io344H{ww^X zOV{1ztH+(VUZH>5bnWBL_;&2SvQcNf=jDrEe)Q(-OLwkv(`LQn_WARd&(@p`zBKsj zW8Bqiyn;3_+o}{TEL?lsHHZJ{p7sB@^MzY(eE*h}26V^Ed$^};TK)Mqj&$CU!bjy? 
z8HAQN^}7#r!!Kb=JaXiHyAHO$*4gpF)vLQ7|32l}7~bfgD96(2ur&6S z$-Ec z^YG{Wx4yf>?k|}?{^eoSgO=O+_wAh?m9wjy@Nl@# zVcOF3-`?QYBjE9*|IWTgU*5T5-ecW)kM4QOZI8Z2t|z^z9#DKFkFWOhrq@>P`p$dv zwi=Je`);tqZCC%gyvf7KKD8hI?!uL^BQBcP*k=FR>0qnvk-v58||Npc2=fC7X z2=QV4H)O8<^E0vkDyWSYB`1gKe-3JqBAFh>oqxf9_|IiftNe|7RA)il?BAWzB0-*p z%z7ULa>akaf8f~&unKRa(OIAxDG4*XP!5ri!J_YBfB#;3s%8d}Q-h~m!ievWs%kLZ zvH{4t9Hrj}LOGuC`Kmef7m<}luiKXOT$E=1_A`NJx^e@R9X*wSXMayKJX2hBA%JBD zG6&;bD_aZe6~`%>ctQtAkn6>>rH1vvELu2EN9^Ec+qE!8)n(7o3jhe0$Q#3pXVT#V{;$6-|7FGkfNAH zKj$3jZ^eXy2OH)H2*9X0URdtI~#UTbgyF=9nViAuJ2=645YR2}% zey$7V#6Tn+RhdqqnybpAoJC`tq`4H(sN^|E^Q3T6CcsH!R4_psSIxM9dw4rTSv8lO zmMWt@m3>UKy68cfwXT^NwVsIN!GQUn>I zIaUX9*=W{{Rx4^i#Y)fB6P}9s1ZPmd%*e%7h3xi6Jks2WB zih+yXPch847zOk^nawlkm=;|-rx7+L*N3wpu;U_3FX-z5+rxY9vC-f$&n=I}q27oa zey<}LHa#LNgaA}Vwi^;cLRd&-n6l4#9oACyz9C^2l@ECxlu{`tOVqNgRH#aINvPX{ z5NxMfU|M8aHh>OUVHCRA4l!+*Zj0!(#;!FnxxO_@k5Eh${w(w?K`35M z7luW}ABb4&XX}8Z`+1%4DT$%+T(&lD#^l&_;bN!ko1_CmE!d0(dL6atNv?0?M=&qqnhQm(UVeB7L6l0%L+X0&}ysGOr!MLc!%mf==UE)x;Vb~R+ zmmAq}-EP98LNPsPOe3b^Hj-)2%Cx<9KUMN4Spcl{hYhHkwshE{OJhMV3jM@u@>NV_ zynIR`YpgKj>3jtTJfdsQ zf}^!$cINUDMgsm7)A=|^r&^PL;KrP6@Ae55pofg)2rKl(czz`GKrM&7;LPeGG;&7x!5{WnyOQB?Yj3ZdV_kFYP z^cpE~O4K0?_DiOvR2ozzoa(a+7>QuWR9lOct*XI_3{ zh$*b5Ap&#kGr%lpE zqN-rxI z{-^pM{BuzML*h7sVksC!KY9JnCF^Kctoz6jH|=-bxx1P-T%<)$up88`UhR+rN(Qqt9PufnUUaxlv}5y?(s@8+v_1W22`RJo?O&R~;ojcTNBF7P!jsPh9fWRfTW8 z`OB4``Pw1B-?)6ieF!&iixnW_irwt#m*+nv|NNN8?>h3&n@l%(@Dv@t^PmH-`d)a> z+Yh{U>dxGk_PO($54^DTRmH<^dB(C4^!|CmEqfhH-$Na@Dh|E7=C{uXzL9?WlIeY? 
zYA>$)ox8Kw?|@k=Y`xODC-u(0bmNUz_&M}=>3(9LyY@Y97x}zf#3Pp9_MLs#S{QF| zz;6$E;A&wAEev&82Nr_O)prq}w%hBu$E(aPJO{bTCu$KP_>=J826@1ZNMJNDC% zA!5%M7Bu-j9lq|Y9anp8-MzNwBU?Ul&)qJ+;kduDZ@KX%QVHoIc)`-E-ZyJgGgBW|0+$UmR_R;<2$=+>=`nj0OodNd~A zSZR+7)-nnkNsqmryLVmT(StN+&x3!JTN}h~+4+E%pS$Xg;@Ra>^_4fjXw4_cqkC`c zu*P4X2;STK1oyz-AGF!7hhFsCGncF0x#Go-oU?6X&E|RM-Mt-t_tSfRi`{&9NaNI- ze@Op`2b&M9z5H+Y*mkL!|rg&QVZU?9m;>_$o*g4?JL_qv(w?@kGcQf_y7Oi`X2OVgl`y};0 zMvyA2|BC;7ZtH($v8flUd^1uK2mP4!KQJJFr2bp^i&y`%Xbv<)HD+^Q$ctD1qwvh) z)c^E^iNxm}i7RF-hR6jrKo4NN-eqTZc6L{?a!`*%y}}u~;NX)qJ=yessTR75<^=yl* zR*ir)lNd7l%{1znt+oR|)NBGKvv4$Dw-^x55seZ#bTY$!QyGJZEXByEkNPF4C#&O1 zGX{H-kn}aTQ;WQ|7$h9PiHck>d#1&(E!{9HR>ulCw%uTBY14*0t4j`|mX;*F-cVE{ zo_1`{5VCeu$>|C5tT&6duLf}GYOk-o#VI%OsX6QhR1pfgmgT0IS> z;lZ>ttrn_<91=I+oM4v*fio^BX&^3A9M`B1l42RjmczDbA*eG#nwbPniWQZbw&{!( z73zKl4GJcW4J!l8YZryWP~uDyZU9~}a-=CI<&6TYiT`m805ZSR!5kirXLsKyYUR{e`!qR5xU;?@5w)^YQ92DDiEZ!}y?<={TX2*B(-Narf;Yy~W*)NWKa*^;5S zwpFkhBWd@jxM5YLU^GbQ-IG}D(X`Yl$~_jeYYeM$hRw#s zYF@WmbS-G5d*nn7_(FB&YSOJiSxcZ0^``@#$cP!pD)HD6K+;2{MBe&(r4jk$%HZ6x{ zjSqmN(eVl`2C0-Rw>Ig>ogV8CiZYd_{2q_#xjH6<**-5J)pk8SG{${5j)|t-q^sl* z4j2n4_cgECFcH1kLyHZuL`*v_p3Rk@JUh;a>4w-Tad-$-Mm=9Pq!CUFYH2DZ6-H_| zA)?Iy85?U1!ICrpGwFD&<%`2~x|Y)sf0)TlD`=%J6s3gsYpMw$t#o@-NbICk_H%qZ z>_NKJ2ihZ8puie!=Ix-8>sH3SLJ#B2s7RIxx=_XQIW^BrJE;)?*_Cw1;rxysz*^yMj2W|y5m-L#71*CXAbAg;hZ^~Glz5LaL$~4YC~`g z`F!yo>2zcxaoizh-{r?7P!%+;`3&9$ewm@SoMcbg+{je3`go z=d~U`{=z4Z+j67t9i941_LUvBxa<1Ywz>A@>}pG;kMHe=-gWjCt5SDwbj(}t9C~zh z%>#E_aqY)qFI|7x+uwZRjoohi&G-JW>>qD}yqBIeE;!E6=^~s+$~e(!%{-Jm9*G zzpY;K;z3qB0Z}Z&q#%X7kkN>s3+GFW!f3wRE zUfoW+Y*Z=Lau}{K(+F8?L zzi|3*sA_1q!fTPrSK*J(e?C(Gt@g#^KTbTG157bwe6jogDE!Bdj%UGfGgHN4o3Opk zAYHbat_lzdJTOVcM(aH=1?E_F!n3V0kCjDCWpuPf_oO-; zlsr$cBB1U~#mLimzd2Q+>|}jYbmeikWIF6P>5gryV|8rXwryJ-+qP}nwma$A_BnIz zotgX1TJy3W&hvkr`c>85RT}$~v6^y~YJu_n3J*;cG?+*51xaU;#fxP`I&SHy)>N`Q z;N-s9Fld?e6xap2$~?cW1#>8bwt^P%O^q8Q%#@hvne_{F4K<2r$cm1W zVx=wKAp=yiaSI{StgL2ia0bTS1jDU~c8C^3n6`>sM{1v!HpWG0BQPWgcB-v5>aR2E 
z^Y>9Sz@SHqBi37CL+w4s~)dSB5a`4hq#iY_XVtXKlxj$d^FgPicL0N9Ps^n1Rg3l zyKxec@*@&SnN9bnA95@76;=@i z6{;738Ig|Js;I?G@hbvg7qB;L7sBXR6;7-7kAkTe8gKce@sLK)yG&<9nMY9yQ)^Wt zn-(&s>>@%Vm9zU_)A6}nPs>f_wqnrL(7y`nso5*isKSslD)g(1k{Fg)KXeMxsgpRv zR>lcdP42Se1E$e1c=-yC8+Sw4Az-0LDU{2I%%lHRCT0BP#1ieCF0NBCTQX`RM4izp zI~s%AqMA_RD-WdEBoa3*k>G|HSd#cbRVpOiRAq)tc=BO9X>KEaR-uxB<4}aEMIq6> zc0!qL)vTmI-?K+1cCL+1RioN1M?P*XAaN&|FQ7c?4p0QfBxu|ZeVX6Lz1xe%5FnhW zsR;DLU9El`b~A|6>xa?BAs?r%sys&7X{T!&`MMg-+zP@60&H`k0nh&ErNbUn2zU#^ z^i}1<8=91%?NKbx%Mwy(;`SVHVak~liap`MX8o|CB#K3o*JR&()XriO9aV5$o)Vy& zhAO7St!hQ0iAgPj@{d}7(H5yfH)b=9IFehKtP7mI@Uq3N-l@S_sG+8cL&j#aJ7N;g zSEvr!FeKp193|bamzYPbi|@BuaIRR^fy+LxwV@9f|LTYVgH9Sl0c5+y4|0} zRKO&Xq?8G+c0*lFA!$T~mT40E^pU?g7ucN=y|kXKEo$Q$wCb5Z8D3!&3E@R`(WK;V zkSG|Lu?(#t@6sT*VXaE((jgNX6p6Sl71}`6Ff9j;M?XO>FZv*`d)OpvfitKmCod|7 zWzniMAsH&>8ky}!5O;iM@jv4fm=)lNpo#NE2|tqu^!;%s2<+I_4)J{l2+zboaL z|5y9;CkK!?6&zS#U~`R$l(0Vbk_U044M@g6`aQeuI@RmD>xZ1fwl3{^zN&oFVU)BP zcM)Fuu`_ojKvTUQout~j=kUi`{p}z##-u@^O~r>6@E9SEgk1oRu)R0_m26h{`xLz zkIN1s!;V|{mVHH?_W-@^+3it>avT7ZG<4~{KMS9>u}cKFAC>0k4%?*n&jh7&*Hy>@ z+x^zSF=;ordnV+~H7I zh>aPoMZd~)#07N3(6{4g!Q)XQwG2cSkGzu}D~_wV?$KjrF?8wf-&8?}m zaS>)pQx^2)j?u!|z40a^8t6@Q!A~#H6g|H;Y*-IIqF6q4lA4VllR-nOw1WCa!x=m* z+Z0rx7{T#<#FDdNGFB0+u``(biLkh8+{%n3*f}pzY{vnIrIAN9UPl<0HCs{;FHHxr zsA7IH42sijFr-TLSNCG=t%S+97}me^5{&AZrQ7ytE}pFA2-)CR6e6Jl=R>0kR28xM zVBs@`@F}4cHrP!za0jrw>`qDq<)*M@>V&T>K?(`&n+{EK#t7<-RLckL#2DNgI&O=t zrK*jPqfmX!C{b@>6?=vaBw71^5r`g4Ya=ExQY9&&!()PmWp1s``$g+H8?N9M7-75V zM}`vNR;#6oe#ul5*S)orf~(Rke^Y^2cug#60Bz12b89%4F7y}8@CiSg6e~U1w$uzO zO$q!cMyPO_y1Z9N;*fzwa#%hF(@Wg0=daZYip|ndbMq~tS(HBDr@I4u<<-A2QnRO% zmooX+z9It!`Mg2i{L~Epmw7!WVCnEGS8Z;72zH*4miyA3xf<^WwIRp68ivv5MDen1 zv;{+vRdjORG_#M+@mR1Tp*7LA%{Y9of~_G#bOab9E4Cj4Vpx;Win?zw8jguTR|RrP z`T$DhAGMyXSopvpWh{9v02Y}u=^`RIYt~CjJk;rTD~ClBnyl7fRojZlP6pcaA_`hz zXJwqlHze7SUxSVwlSFTh)zgp3C+EbQHpbW6%QUE@EX{XO@bDA$o3!Gv!d_ImDgAE7 z7Ez@v)8-2{lE2bz_MGWD<;cnt$UC%x#C+Vfpc5PBEn9U(ClhU1t+{OUq>L5kJ1lE5 
zZahTmXXhk_uCXMm5--q2n@CotEXv}r75G$)(Qikcl&o0XmREs}K*~g?`S3US2SUID zAOM%f1i`0%FYdnJEggfqWIn+A$&i2Epj+j}nnIvxL#$yjloWOF;;2`%KnrIy;@hCg zDRFH`^!9h!h<>(l*kr>`AE{aTAh2pe8e`Mj*cgxxm?V@&vXYN1 zqqE)K)(dteP6;_5>X|^S)6o>dv~ng-#ySQs1pH#TfAbqlmR7E!$z00U%U42wO4nE!k2{u>>39vbLIWLfVLbn!^c1vN<$S`DtLHw?& zLWAveE+t}3)GE|9a6V$Qi*NN)ai1rjzVwPN3Cd?W(>>SoB;!9L4k+Ev8OD$TU;%#J z$dmD%^2bs4)zLu#l0nR`2y)TRv|ZbWiN~hb^w- zZTfdzMe&r2`|A?Np59YsaNpfZ8I)h}Il8-To3RfbaHr2?mNwg5|8IRpuyYml7GZHW zIb>J&7p>#W*V@))4aBagnwG>Vm)9X-srB_3cn=sydLscSUc;Ubk;d z_pjhfXV1*}?Itc_Tk0BVn)l1~bVG&L6?%!OJ(p7tZreLwV}al9%-7u2>nh_Q1hNMx z@MdLpbbs(h_whMS&i?D}HK)f}%H6hapm1_(ap1%0B~ttC;z(}$=1AZDWy9?TSC9Lu z|H6N%#Gmw1!OL*XInKwok0-Ck=0u&tq>bLjaXnH$Ox+Ws`>5cw`-Op%s_hD6Y+;;h ziFWTjtZk?gnfD_!Nv_4e=O8zn*A=J_Qdd@3PO`g*UN@@7xhZ#9Xmot_Ih>!v^uPZ8 zoxAq`w^Ku@{_5#JWb3vQ*=5ZJtk|o484iBI+gj)Cc&;4k_>k9nnRD+G&~Y4p;XC*Q zdINyTUoamAUmQk!K!1`u$4{8n<*?U`E@1FfHKa6MO!5hP2;q+ZA`q02mjJCp_f^BR zV6+EJz!>wF3bmmWnkLvAyrNNCIPWheywe?4kg53tbrn?{XHD9kX6Wr>8Rl@QB277@ zh{C+mJKrkV!M5t#Go^(eRKV=_XAVrVZn{3&UZQh|)tg8x-P1PTV~|RI^aFVHIp|wvGfA zZI-h5r5tK-sBahhPb6?9HHvB1KfyJ`Au#Bv1F+MLO7~-L6V)dkkNF4%E$SG!L;vPy z6JmZ>G1Htt?3AMzl4?q3E?N&hV5Lhf7O^YSqBDNs}RS-g&Pz!2b?Fg|X86A_&RmWRM!?%w2 z!|zW^{U;-}8~dQu(i?#QCRnX&CpOd4vehQoKeE1j*fBD z{azTfM284TX;V2Z5V20ZTI8+lVe*fZ(`K{t_?*5ovDIWG8?Gn_8(fG;&8a@3C`#<9 zv7MRfMFOqXEg8>veI#LZQcbaK(|B=^s`f23agxJDqjscpWSxC31`OH~E+zAXrzAC* zV;WY28eWve)VNZP_FudQ5cFvjP=6P$X)uiALE)wuVQXVdY(y9ZpT8F5YEAg5ltPPO zQD3xn{@g!T=+PlzNEG>F!y@x)xnHj@=+FSNj<0fMi)eo3E0&u^r&V#6%~rXamNPSW^7#ICaouG`*2KD;W4tA&5fwqrb}5=-Is+1 z%=AZ-mq)1v<-SHpzaHG`yXHJZR)*u^CA6N}vT3JsgL6s;F-N6F#ZsfGU{$fJhB*y6 ze!Ta7{SJrj)+)D0b}7mE+3q$Z-p?Yzss%TxFuRpo)Wv1z&}i)pL?;%O+~_2|g9ZHV z_;2~Cl~^f?Tb5o0^q5rk!^pj@HJ_mm&1aFR#o6e}Z$5%a`uj8D?X+qOtzrDla~5+GWGQ|7@@j zhO*4{J3cf2&)@@;fvBxE&6jyEaES5;DDwsKbtF_DxD4XD1)6YKxC~66sGl$&_Mq&h zcR*68Lj>6g0nz#4#~fczUbUn3K>y9hz{8Pv-@~)M8~;m47lAMN`wsV<-oTC979u0y z@`MVCpzn_5b&ApN?+7LB0^!=u(ZW+(*N3Xrx>vKIuYa6+38}iy$;D@tK7hvK#ha1Q 
zy(+NBNGQRda%&_O3mg6^R&nCjkX*I}M4^ML@ON%ah&J-1of3ftB5O8$(N>0@dMW8`re1SkTh;@72CS&FT3*A>MH$iZ2tbn`F$4z!?0lY_Ffl0405u) zKRYMpH;?D6>Ah8-YS2AyWtv_$@Bie2*=xP-6ZST)eEY1y^(*tg)9%v;#PZ})?D|^B zf4#Q+`p1zKLkQ#NwP4@2htpFB*v<)^wXgel(;a(M+ll?tJ6El*b@ao>v;%lC@Bl;5 zd_#&{+scoYQ^(ldr^~y_$m>0_^rotAh%0XYfO-PldjOW{01-1l884P2W4C$OS7y)~ z$d+;q%kOb_?jKm)eelIeps3&bzANAoaQba7K<+3IVx~vO#BQj!9Z*CU3uNW}ll$y~ zdh_NeI`+Y8FtMOgy_iU9Hb_wUU2kA4ewA|w@;JiJe{QQn>4+d$4nA2xRlBFw0G_LG z3wQcT5IpM^tbwDsJ{4ypr5xLm&vwkSE#9gLn}fD>P)^LQLV})Bx_VRaFGY-6*tc3r zg&KCZaEUt9Z?J`GRVvVVrsBKJCfZ!RJQog~|AIp1kb@;7#Cs@y<@4}8`d!!{F?Nw| z1SlCt^(Vqr1)!mJ2ojiy`za{OFz>aD(kTxbWbXe?!Bd6y*~!BV0!Q;y*kXnow*g<< zQtaJqz9Pct>R+elN-B_D#gSac3)$V?KWm;33{AEU6H=pfU~Su}od{ug-=3#_hAU7| z@5xs*AJv({H~D570D1x4gg*ierJHK?GrxPnA7QiMwN?(-BOLLh_*q|%6rYPMVYduW zeF@f@IQmEjnoz_X$VgADB0!I8>_Z+!U%7?JMkb>SMfKcQQCo*wFsN0@lcEx zr_H)vW9l{cR}uG-nOphO5i^{~iXEk8^B8u}gfmjO*`X6AtvHT09$Ip4dHx1mSqrWX z;V&4!Il9}XWdsP)h^7MJqHoC2QObOVuFYvvP(iVOY`B@6JFs%NC6ngKgw7u`k2P|i zx>4!nNV5vgkr)iatf`JH4HqFfnc*_!GAn+vq`*CzX)maxVKYd6aXfzskCneO0)$%z z8Tj>qS0K(-5FRUC1Ekw^ddLHiGRgt-4kD&0lR+`PB>B=o+Q?YxIkH?LMETGeXyDA>)homvSqUBPb5nbZlH8%^3jzn}c%F16`S;59J#_vU%cm9c6Kx_L;2HkkxgtO4x^(>p* z8a+DJS&S8|U_J+9KBwMG^u&#SjTs*3oY?tXTto6;b&%KocN~&M^u3f$)+L zz`{XOWQhKr52UmE-R|#iCE1jtl|7XePqQ`*U;;&gv1Sz&P;id3I@x?P{ykW1F%lu# z-vmXv%o9}E)zh1JlNQl2M~f(KX9}-JPL!VBu-(kHIvor4CM@<>>J8}^cIzOg4K{W; zoXPo)Ssu1EPWD{cuU$qW`VEUGpGN(AHX8IhHN#~}PWfc!XC_RO;0mrgPEKZK(FnmX zlKFq;8Ii%M6$yXYFC~ez6``|}Nnq6=x|Iq3pcOR2v7_f;Yu;mrH;yByOdJ>t$rn1c zL7#W}6_BI=MZ);lKd9imGd)VW2eF#?P{5siZ%-i;K`-gjx?e##ut1Y6W{gA(9r;FWw z2{^3nFF_Wy9Mx|+HAIK*5PRsVDITmA#CZGdV0p>i-|y{#04h6|b*ry8u1|${Zi0D$TWj45Zm@o?q!QtbBFIXPj{40Pyr%P5@*8uv`TaN!s0IsujB&X=!_n#Vb#*FDP!!m5 zv+i&b`Mn0x&mP|~Rj`8e@4?rj^6^2U<)Ip6zVpgN!X5x&S*Pg2;>1k>hA*u$uQ z&pYi{)_z6?I_XV(R(M?Q{k^Aq&Fgaxqv5qLeCD_^2S@D2^_Dn$pX2k4wF{&Fdq*D~ z=jUk4^IqX&6Xl-PQFYa+t-HoqHLP=F!^Th*pxXbG8(H6RbIP0lIVnc{BeVHy)}Dcd z*V5%*ZW>-GUl3l;%gwG$jS=Bf$5P;vo3~X5R2zd=oBvH_)`{NEM|o2l?}<1}_c0J~ 
zGQ}&5_pqrNUQ>AWvG4fu`AHU&=XaF7mfL-j`uk;6pQiG%rR+0+?_a^vZ2RYKUa!j> zD(;qeo!bdlQ%(cncH=}+7o%5Y^F`i8*(G16!%5TL)*Hdqy(tGT%lphu$5PtY#bn#I z)84O5h(D&D8I65tQ9!K{<^KYukXd{?_^VzGitPL@V`0j&!7g>Qs zR2!BVJbGEJf^`IFUYrc*0@lU`q6?#yaW%AF95mL#-+!qMGLHnQqm29hAT{`?*U8qv zE<-d?<(!~$kNs`M94P9@!80$a!Im2K46)?7(TAi_mRqI*CoMIJuv0@?LEyB!C}EoS zoXdcw6K}F?;a(jX&ZlYIV17u_>Ep17Ho_4ms?z$t9B|hOMjFFPx@7RPM&W8*<$N-C z7pH4QF`L?1wqtQY$^ufBl8x3LYI~YKfk2n}4^C$PNV;qzn5a~t;FLz$&Osu(6n6(Z zGYhOJn?k**RTD45nF|cgoi1HCkDdeik z1V*#QYpfo^*-6Cy2U}lhiN9onr!^w$kWpaOo>w!Bltd_+kVAT=)pU&R194{75*dh2=}|=WoP?TRa8%7Q zsb$e&I6AwXBrk0>F(&E8`EZ=$XA?U2uR4@iBm z6`eMPOA`Y@s|xC6dR8aPeUV>kQeSp$rEL#aZg~f^WJ{-Rk0KN;KBL4LQS&*T{Sgql z<_h+*)HMphrtL7XTZ+)I+meo%*5es>beCRs&Q?636VXgX0ak;5BXTvBnU;`7xaSjO zobh5R9f15dKosYpx1rCmk8t33>K%g0B!6e1x#Ri39oDz#_jZ+kpHeV$v>W-G@W-p0 z-|Y5Tf~#nC_1adDsNHn;phFGmRq*)J#AR|Rvot3X2ASYZf@;-HIZEN?*0O}HP6uR- z)}v~&l`kq2R|7K}=@ZDS)X+#%j-dKdXf@>^u4opk1?2Dp$~h89_^FLssIlaJ5ck74 zC?Xd{r$v#n|E2zU;x$XhUI-Z|GJTPH2^X50VP}TtgoX31=Gnq7;zO-!-woQY3DW?A zKOtA~-vvO0aM@N;uc5Qf~BW@NKwKjgIW3O{fce99%->zG-p&@-|eCZ&o&? 
zl6Sdlh$%;U#xB){ItFf%;}s9dnQw>DM5MHMly!rFQ;bC$5{LSGjAk8IgoUX}u}hWY z9M4?$!}Nc~m_IDmSfg|a(BR?3KTpJG-v9jdY!1X}Ae*eGh5y?)Zei=@?#D3~_7x9yeg< z+KqOOH?*&t518G%J=Uu*3Hk;z*9gh*KWA|N(XVvLZ60^ZUhBH-6GG4Zei!*DpV9BK zKWZV|_1;Np8Y)w(@P_Z3&VAm0NSivFIVvdg1Mv6y?gfvIq^&IFWjma3BisDT&GIz+ zg0OH29bKTj@?S!=Kf2<1dE33;Mm_U}cYC`NOM?vef2lgD?U-oc$zDzdyw7`5>P%ju z>fSb{aUHDIU9pjppintU#ZHIG$a*6Y8oi?0J#vk|H$h*zKrrdX+74 zc!D5harWX5dv^(@$(onh7Yv?p+8*$<<$A#Jxe%fNQQs?Z)1`|twoJe8qMd)I1xZ2U zmAvx#7I8DDricSMuJbrRSpWU%VsegSQ(fydIOgSJNB^ZK&W5n_bMlh$#rNL5ORN8) zP50}7=G6YC&fga}$fnPGQ)4_wD%al7y5ph!^ef1=(v&NCN z_XlP3E^KVKcLqMk`gyVO?CXv;=1sI3z{l`5hGloe@^g1A*TxaJRBqoZ+69%r5D9~0OU8CWv zoh8LNyCm7ViSi>!TH1}#T*Qkgy+bTzN|nMS`nw+O8vZ{Td9<~xL~76Ub-CX6dtPdj^=NGO4SnV?OOX(F7 z0%qIAtD|C1ay*P{UimDF#cmmQr8%VwzN;b``r2zAW)GYt^{|W%3 z<|LK4K|U=m2T!RF9F5AcofWf9&sKdk88jmfA(X8*oO!fW7ielS(qr>E{6e=BNZZiF ztXieARTC&v!beF?&C6Wf-eR%9wF$<=6|!5V_gdoQ*q2d&MaZ^$rwRY?NuWP2)2XZZ zVMIzJ(t({h4687A#_~wy(--HG=k#E-4|^MR-vw z1rp?c-j81qku{0VSX+>Il}SOZ)k#aXma!EDmI>|L23 z1h*{N+pOn$S`USKeK=4aUE#~&E0tT;?$9W@uud)k63&Du)!(X?uE0yxnxfYUZw>jr zozy)}E6?#h{omp98TaiFt3l-*na>~aA_<}s=5u}3O*3UT{5M^Qu``H>_n=OxJ4OJ6 z@VwGK|MyrEP^=W(8_2o^s+RFLZ6N(2KyO?Bdp^_3JwLwe@22JTiBU%2aAvj!bXlrt z{rwiYT>zunpwhbCV#o1v<$1!`_eIRJ)ANA1y>M?lqW=Zyee?3iZNusQR=du1)z5e( z%kFKWPEL>EVdbX#>uc&d0$RngtLYk=vHLM-^@!kM`r3Ne`J|@H$lmVmI9Bwb0o}Ne zL${=7B@0vcb^I7L0g1um%lji*!fJ*s?-Rh-=cId-dhxtr|H8O}>?*(Szs70!VB70s z-2JdL_q%6{C%pD$lMkkS{48xv{3@?5+Z)t^73=-=@^YZ9*Q*JfxBql`(kJj7801*> zJ-MBTEDP-*EYsfpm^A%78;T)_LfZE2qK!M#W#xW!pU>M}ROUV0I^-H zpxy>y-M5k`>0i%6H{c|6`#ulAnv za_9BhJlv{#AHIAf^nI|qu6$bEMd$rGFY{OTJPJrzEzfC_zJNcPlIL;D+Pe7;aENW* zW&k!EvB!B(67+5dz9^k!#a(rLZhZ=?S0r)zexxQL@jUbot z`r1xL-F>aE%0BvWCJAPo^<)Y9+~%tG+-^WMVH`f!FWUTGJMOWTHLX8^_e0kDlLW6V zh;?lD=3kx{?zNg-FQZU+9rnI6Fs+&w{lfn5J=%nyN8;H)|2d$v{#V-@fIm+L#AeT! 
zeapT;<}FLs);I|>ExGB876S0i0GQVyehf0&{I|-7n5PPyc@98q*4putlB7tkh1@D9 z5)6?i8y$S&dznSBB~o{`DUUC*{J&x=m-PHCmQ2o#nmAd(s#Faq z%E4#^mLCe?cOtma2=Z9LC8G#4uGpb9GL(pYsmdb6TjQ?2#Ml&16ylFGe9U$eLxDWS zUNwRQb$7P;Lqhb_(9ZZ<6_4ARgm|&j8S+P+@u~-6(1ETIHdA)yVM>4KOh>?Sw$5AM zWn!4hDxu^oi6UZV+c#%#g(QFEi{&mVHLE)P;z2?v7-~lDN2oMuQ$h=M^Jks%WE`pTk7_x@XQrLYG)qghhWf(N zM>E9w(R8(nT=0_G-r}dd#-C`k3c)`VixhM5;WnbnU_^Vg&x>(3(}@k+=BG%Z?N3Yw z@i?{^cpOK<3f>R}?T*1h$3?|>w5Psj3r)mmE!wz&(5`dI#ctixREBxTEG~$PouLbH zK3K7kl+CQDo#*Q3h$IZtdAgxHeGSnP-BwJZ93RY+Q&H-9R#WByiVjU|gAMr-CH}Nn zgQf6zw z|Nm@Afo?-2c(*eeZKJ=B_J5e$h!jT$%cY=1*cd$rX*QY1DmP@^kx`m(7b^#p*tugR z1_o9fxh*W{;Mz*Kc#;gFC=7?SbaG<3dO|XqO1WX;v9YcxQKFccDLTeu8z&{A8qP3~ zO)Cs76$`4baFI$IZKy?HgK4ypXjmJMln<{nOyP{ERYWY;AgGn2m*JBvDsU|<(yb2v zRe%t66nMPg8fm=j97@&2kKj@*XRRX3!{-n!+h#5sr6Z6vCphJTyTo>pH7hbRV>3%-+ zg-rojEOFCM^PCQJ1T&{%Xor$O8h0hpwZ}M+(BAhx2h4i6uV%ths{l8$WD@Ia+9=kv zY5&<8zMARlC}m9=U2tI=_&4guJb@(3k|ItDC;MXh)Z>SlmIPV_YI(JQkZio1RDpr% zAj8^JJ(G!AxRK>vP6lW4LH>ShIz>V%4LPISz3}+_G9E7z zH2LuIlP6u~SmA#LFa-p#9V+j0KEUw*-ihj~{=9830UaG-l^%z|zbn22!=3&@0UHGmU>EX0>Bt3$%i+NS*jO0hKk)+LY$_cRVOw~m>{V4LmwQo45K zFx9ZN=V5kbE-x|W_Y#iBx$CrJI>%#h;xRCV%_mKWa7y(nc7KGL3Jwyl-R%i`b zBHan8`#kfcwZkY_cD_l!`}nWy?@#$%(>VT)kLw)w+OE-WdF$sP69DZNHBCd=lPdeq z+SgF+-Opf(uQ9u{;*=f6qi0Ra&vWNJE&G|YIXwVA?NqkcOXbCGIw9IU$fMQo_}olW zdwn{MxArgLZM{m^vuv4!;rE-K48OnxzK`njHGU}L-fIJ*e4e#oDi;l!Cy3Q~8{-=O zy3L2hRX-Em{`13R>!aLl)9W}E&ieGofy%P^`0fMn%W81E{*c!fNnz}JT0L>s%+YZz zdC=p%4}3@J(>;k}YIA6@UFGp=6WxA^-M!`T{(JKITBdE%_EzC?Ys+E()NzBmrF(4S z+xNC8x43nY-M2>FM?>f4rf{FO8q0M)Y|~1sL-z}| zCwNQx9Fed7I9^Q>ms`I)J|g5J-M%TU;`#7#Eh(GjCwJb^^k#TD?DKP7IwaUSsvZzS zu5~@Js#5Xue$B(=YpT9xP^qa}+q9|b(bFESkC#|AKPMTLM6_OUVvxxvA};rRw`Jgl!AIiIF6>n-{fRx!gV-g zb>>fuS<$c~>Zgvh5>vbzQ)^`Y=F2|AJ%P;)8)1+s(b}p<3qiSwn`i_f<`>a?m1^Cv zcQEKj(0yiC5J8$b z$M9JrZ3*dIrhM2E#w{OI+Xo$5AucsPZ?k7ddzp|nG&1NkIOChrWJOiZy5OTwGHtGC zGl%DMwFa(Ym+RdK`H7)Z8ce!x7V-Ucr@3E;3vFbe0ngZHKacxsl=Qtk1U1lah#_@Y zhCLzFOUW*|)GaIHks1N!7y7735u2QZ{`pe`Nr)M4ju3hBRxp^gpe^U*V*-K#CdFyu 
z8?yBTR2r5{$uH%L!y%>7arG)!yzJK*@V!YCO_NFV$4K1@BrezQQoYlqCRO%CVb#x( z3`|x}ISWk8TEZYZh{wg7eX=BCOa>I=U@6O!zfSK6E7`V5X8YPxf6DAeMtRfMsiZLK zLIf{$q#!w(9TH~-J?k!nSKFBIlMI4u>DWnD`$DwGuso1DBfl|FH92ga5!XyLHf6UR zYJNy5YL2rBVQGB*q$OGpRk-V74sFcI`pC?k`EE#SSW(r{is>+LB9%pnN`T@x^Iv>O zpqLIC1acl$%QE&pQF07Zk_8FHSZh$L1c%|0q&H$O+DwFCu+gPX8;P92F*kZ0vjDvjD$wvyAZGzumwiz(c%ewqx+aUpyL4T{2Yy(gKo)RJ&OMz zAwXD`1`LKS$SBdS^lE_uwuZ5_Emg#H2ot37E8x49z?UL?sSFaDQ>X`8*&i<$q@6`X z)4;T2ZUI!tPMLL~MPkA(DqB`rl{dH)a;ZLyF&(hK@2ixDGqw9F8E`jA=b2WT^$PO^ zF~-dlg?{{sxBF0Cqb6e}S&>jKrV3>Yo*xEBC7yL1CSH|iL2MJjV5`rU>9OhxA#=0M z217X_PLZNKkJ<8ElnMI5Up??U*lOvQN`)CSuYD%|DjY6brRse~HzB;*m;p6|2;Hnb zQ~)uQk{-Bd-L?7KM76HPI79+Rd)N>08Wb@yHe6M7mndVcu$GBth#z`IlJGc`DvvS< z-+~l>{voiJ_<4W0=KqoQ!T(1YSTlbVNDw4nSycl`Z{?dH+s#srk$giIB9y6a!`Dh$j->^=E^ugquxf z#VXxA#&ir(w|qt5`5g3{(W-&BYHoHR*cC>m$6gg;PlLvO`H%Bto*Io*r>Bj4)_Jc| zH11sq6v|(sKc94#u>`q!2mUzf-IURDd<%0Uj<2HNM!l@mMD@Y0pkg5XPE|zZlq)+B zQs`(1Hi30>dpmAkEi*zu0b1csLVNt#Uzq+~IVp86(LWDVm%%~4Q+fSNxYwBE| zr!BSIsl0tYd$p9~ZNKjiE&`E&8k~k{(+O3_dR(CEja)1KQa6P7D{_m4!qEk;mk)@`j;&J@FBPXrUbzKjE5b8T;@Cy)kzLz62 zjC|eCiWxbWc=t;^r+@sLcK%LP8+_j1we9kqoqBuA_cm>;GG4y2yey>H`5L{a@BY`^(;#@eQ5ryiKR+PyC9uQ6JA{hL;I{dKb=LY>|%?LAKRjfCH= zETso^dwm9bMSB}xm>f2p6V&0^x0~7vt^>k)C*51>3T^L;PZN2`^!Y^ueic10YZY09 zzZqViZJ*`%t5r}@z(D=$k%p^U3AduE$Jb=Y~6*WnZ@=Un;Dh$B5*zaBMO(C)zCmEAOSuw$OAIC0BWhtDyn{jt zOH|(!i7E})Sajoq6{>bq8@r*7n||Bdh3jXwgv(46MA=|atrci3!BU&yt-%3QMu+ap z|Ex%1ms@ZWDVtolE}BRFV9rFfbC-dS>sF2{&33_t%EZA>t9AnYWU?Dqgi$%6Z5!c1ER|u_wIsUuv26YY&841>~wDQ%& zNXO6>bLC8M>I)PL(xMis$<@&qg(LFrl2YeJgJ-n5YDsf}%~?o$0K;deZE=f!X_n)N zY(_$I+|WSCUaUnai~Z|?`#mAg!%VH#Wa`XnNauzYs7Y3mfWjES3s(+GWqPmS92HXp zcUPdM(I&{8rNN<=*}HL9RLlq)S#&@aEn2_4yY?Vk$T6zrvl`YbLynJ$rEqn8WMQ(gGSf$(F`WNd7Jxg3!o6>Hq?cch z=s@(Oz-L>~eIy*Jk+<;dU}q=#rdQ3%#D&Dux`4}s$dQdiQmYrO*$=i=Vl;5|^xhC? 
zDo&MIpuCHLB8;ru$auVInS#aIZ&|Pscp~{!BmKmAYlU4R9mj@Kg2;_DW5LTVEZZXn_ctN<0$U+Ul<(w^em#GkoPX?x zgnGknKg>OR&H+|vw^;T(j-Or-Z7!J83dCkeqB0t44;>2WCmk^D;cvkVc*y4*KG=MQ zryL`e$=%3qdkD79Hc>>|FWrc!scgiJ#GqL(TO)Gylf zYpmE3t{tt=`Ylq9x>we$)`jVY>O^;#k4ZsACd)D8Mo@#y6_o6YQmjbiaN4fpQrxZW zTx2D{8R|x}W3nLxQ)b${URnPY{WH1-R4tm&VIuC3j0FDS2)}fYh-d`HAvuM_ACi>9 z_$h8AlKROFgzde}tCsWbLF4##%(i!;f5>|K)**Mc{U{n*5o|i^JZaWpe&^7pHyIu& zL$!#`UDCReAeVNhw}bxLKW%`3jo{j#sT|mV(c1W(ZxP0TfPBf}r}QfJ;7>@^>U3rV z*DV~?zdwcKFIJRYtOPn7NO#z1cNMA~2Ood+lM2ltp(I{v%6J;Nfw%U%Y71M7#FnUp z5eX#Apwp3DF1XE}j;rNhuN%o%j&kv_DL~;W;0lLW-f32b7yLM>bl9-%MAAcT790$T z6bU_I20tVFh-}SUiSMT1nEG8lB&}JoMd#*8WNp|{s*r|Ps3*H#tT9?y2_-Grvr0ol zbChU+jNU0$b|BN7%gTf(S?(3%#z!aTV{bzeK%!X`B)_f}oRo7(rDE;c!q*(WP|SKL zz=HJujHTnOE?_vY?>Nu@f?tIBjT{(Qknz=bQzYok;DO(K0&ec}mp|*!yZasdjvUB! z=6&=NQu+WgYDhAXECI0$-zaA8&7`F6neemk7CDHR^PL>9apv9kc^3Nfdp21FBCzH@ z`*_DgU|HX`toQD{khZ6O!w`f_8;$b3tlLg`JD6QAp~7=IY5X<=W&S;AeuH($UeCX> zxsG$&^fZQO-(CXj-zZ1T41qb7vfF9Sxorv1fJ$7 zNoPOlfv_%X`Sf;?Jz4L0S6IE%sq~Gzxu+GHv=_0h%cZXQ`l}u25P;}&)$@hTdx=dmlTNyf{)uaAw zL;z*uxz87Q@!pJYVdx*dbWC#Ymp-u~ZC1d2b>wJroHum<*#Jfm*w-$p~==E>NAN!4! zfAUW$t1{@%>rPwCGkuwS?(|Mqqjg+I3_AI6!|AbYYOkeVCy_H;kloD6eTI#tE3VgP z_d|J7pv8SIhI#j1BOOhbmQoo=t)c zfidBmC(yM2;AqcA*Ms$Vb&pj=iyj7q{>AEk=$e^t@7ozES(`Cm!tL!YpK5^K z(eMY(cDo6=jOcSKQ`Kb!bHA0LMN~8FvjbzgXZf{jg@9ERDm=f{Rf1u~!5`+>Nw(pt zD$Xioh_YbBIoi))Sz^CjFC)0#HJ462mA_H>n$46}(_~LvTl*^sWhyVM_fNPBSRFQ! 
z_LXxXIIH)_E|8ES@`8Y^n0q?Iy_IovdQcl3)c zeyD(M82#0V!&z3kVvFE{BM|Sweo?j)YoeLWU}>aFuPq`)Z83?$_aK$Z3`ghGo6Dy6DyNnTnpt9H6a2c8p$|{XrQ!lC}RaKIZ+d;hW)72&yv2F?TZAE zJk&#kimBL8u0vGxlP=bJHpKp1pbKXaLb7p{F=rL1MdcPX`p3&|iS&nJLXV%titNo2 zO)b*I0-oQTeJqt3J4~k{Rf-_7fO!TnID}rsIn_c^(NSd#JvgUiaZEs^_QgTok1}Z` zTtG#*jMQ+r4iCywr*-8^XewGSf;9g8ct6v?3|1=L!42L|i<&%%4`P8cxmLVmwiH4k zy-Eg*Z`m#{zNGqs*1r_%pL00z%7E9E9M`k^`(vvm;wM&>4n^)$I$$cRn{e2NMaa#^g~VKH_0NR7Z`wHSZ0r6L3}A)N&`v6hiSwj7|JV$FnS!u^FA@XgK; z5hh@sQJaqyt(4B!C@*Fs7dN~$?8C0H=f*ZhV1tNb6e1&u3Ff^MA=Re4@AJYVL=Z^>xVwO}or(1$cuOHtJ7l8nEk z%SCEVVV28|#cU?|ROel`X2VQwIz3?@QtJLf9N;GV<;v4Aze35iPxV%?+&sVi1OJ?o z#ZBJfR^IEcJvQypEK3U@`-;$0?7iW!4@C5YcH~m_((AkJ0b94%3xk`$&ATN%)@{#t z!AP>MdZ$syI3BI7I_=~V`56rdb=fp(7QEDLrci-)S5}TI1v+3>4u%NkJ?~JWeWZ3m*|V=DeuVK&bWV2IVrsMnl(_D1Rks z+j>K&^l3BR^MtoUm|9YR{klw0dQx#H5}V&c9-mO_amnJPY6PQ6u)}%5ExnzZ%$GyT zv~Wt&E!!lYf4WAv8K?8_6*kJg(IF~7DOL-Vf_b30W&@Z3k;LnN@GxlO$Tz|izKKz> zmXmv;J4n#<*~~Sq28wMXgh`RoSrYIMo{>(Js6d@KS9ZtyR$IHm9n@OMe6OC~34)n! zl|vs-`^WdPWr#6IA^K?DOZ)UxT$klApTK#+K}9eoH1I3HkX;?mU9E?1Sdc{8+NNmaRR+=)qkMv%!ep*u=A@NR zON0)?N>~k}rng2sJuNEvT}NTU1quSMEhSEV$Az)+EiGVn#>9xDDBi#F;JMS9Lrkm_ z9(uoE4I`37;RmDFv9mX05mu}ILA#zwsB6nYTqg4p5pPRqDZ15cVrxrdmN0Lq_`tby z!7lA*A_X@L>xq5IFI(};M`bNY_2N3mQc>-CyxPi$&3joC>Vo)6vXP|;=FcIQYJJpR zDS{0CcZt-sfUb*D96UKB-C8ngWI|NW9HzNdVdW~+z<;NPG559@3^n`z0HUmKX*&Y+zY}^>fRDT^^(Vm|S4U^b6Unc>pguHhqk5dkxn%XFW8~ z3EMw5X`Id!mh9Z}o)(=_0hi7wUT-Gp;c8**tA>v4{2n%i9dhfY8!uCyrU!M|E9PNq zTPyZ$(j3h(>R2Yx#+%FAFZt|<43-4ooR)K{bOEpIj@vMXbqu}RZgJ?0n^#y$eAgvN zFWtI}OX-Uzq_;_7^=zPpZ{3i3=Er?F^ki#-p3z!j6{mBTZj@d$;AwL%y7`|^`@^PN zY_9&4Wame`=+tpm^|{x?1*CoExD(H$$8H46lFlQCmww}BRrEV3>&#a3=@I%#&o}aI zE3G3;-7^0_Uay998{j=CIn({{v7qtn>k;_8Ca`hcrh(2)hepR>s}A7dR2+CUhtauz z%i}*2dh$l7vv1dO;RN8ayfAHjvQsBMn6$IYaJiRP+dRF%z0~P-H@||WNxb|RqR+2e zm@)%4A5sLA>D3L}(iC}dC|28D|Q!_;ICW;n^#Ir9_YE1Xd6)!&_}Ig7k#?>aLm35e{fj8J|88(dSShXLHY;^A+=WXVdL`%NuGqhI#l3*2`avoG zq>*MmM%6-q5Mz1#LpWp|1nWh_G`0xh?{z5Sgn!yACb_JWG6pM7-}|M}@Hj=gTO7B? 
zDA3QyOoNm(Cf<}buA&_)AR@elz)>%NN;x=u;pZTDiUSK6@%WSNJ>j?|sI=LUh5Ao7 zbf#kyada_*mDo>6MfzU_RzDz-e;`6rk7TVLNc2X81{#pLI>Du0sHCM-H{zDYb=UWV z>ENFJ7Qc6gITJl46F)_Yd`gg+93TEhgrMb1Yz_TA_VQ%TKb*%31Fzx5ur+e0RusNA zsJRqptc}fOc?pVIn=pnsWVlEj>&635KqG${d$Cs~o>E2lGKNgdo_`E`R{%HOfD0bG zFjoE7!t@_3B+JYjQZF+vygx^N1T(7m?dkM}eAGQ0(3Y~~2$1K8+9Ln_O$Kw- zy5SX>h)-LJau?Zt5W_Z<{_G3T!&Y*Il1K|H!&wyB9AW-yYh;uX6tLsQB_4o!i1KD~ zFHfBG!;+S%&hA+hB!9m*22L$LIV6N)Wq8;MLere%B4;2WF_<5nuq~Roc;U+C5GM*y zkJsTlM-#@FmmUrh{Mk;F&~9SG`XPmGO$H^#V`#;T=82)|;@7T18<SHhX+Ww`$c$9FpKlOO4dI!@CV`f#nNUqnIL7c(0ktHI3SK z%Se$dss?o|h4KJv=AT?Mubf1l*2HonvBgS7Q$Z}Plm2BoW8rUp`AEBp6=n(napk32 zMNGuE0SGs>IZq+9D^%an^U@QRhX??n=|tdR%dEGV!+NU3?LWS;@%HaVX7uwD2w zKsWb;ou>zjTe>m%EqQ9y=CY9pl{nM4>AeCwHdNF(1F&h76RzcG$;}F%uc0Vg9QH*v z6xGc!@N#})xof)ybX1WuM8a*~vaP%dbe-F|Pmoe*mn}Yn zZXi$1P7S{(b*j)5S$npyD~9|?K|~}xo*s};luq2?`WR((i&i{L?D&;Zo5kGRY-OmwlG0L)@*_dVZv`30p`B|jz%1Gcn&=V z^pAtKo@P7u0mrAf;MYHde&86ifIUvBpPvQj+rXP_2Ffo!U{Ij23W}fvUQuTUSjWfb zwvKH|^D&qPgBI_4N%SmK$9H`bIm`DtFqE!gU~S`wL+i!uh#xYpLHY_bu_<*uUl*PD z86bk*yTM@Ndl|U5vU5R0$g{tx^w?$#2=O^B;Bh+Q15S#;FWB)Orl$WkXqm13JlK97 zzuSBtV_;Z6kECOG?})5)Sn6o&NXr5a0KBhnAPMbKJWPe9=74nv*op3`ADI_b?!c2N z(Cs__-PKx`DrYax3*Q0T$y2#Lu-BB3uw%z`t@h)f{3aGR8oA3!NdIPhPjM%|0||=( zfF|v+mLBBop+i0tuxOg^N2dFLeG_RMhSM zxjifXIJ;neNkQnoSI2W7$)SJC0O&F=FAU-sc46o9tQ22bZfU+{c+&cv-<4;#>2WbK z)OwV`#C!BV9K8&jW;g=>V0i(2ax?}AwJt1b33T%kz2DH=0?Ra4J!5wX(ANZC3>^bf zD&T7haQ{^#A1(kpUp!q}bwrD{EM3L_=v915f9oaR@{zP`@@(J-b9p$*6Y@4ZqlLfFbl~@f`5Gy#Fs0{LPd8qtR$72z~& zs(nx&lfxf&OXc86U~>zx>-tOa4{1sr!t{}^uS{=K?J^vnRT&DoX4!rtPmV zR&g27N2RPm=uV1xoA4H0b{yBQ1~N&IrQh?V^cE@O19TKck!diL8kHZ&B&rc8sTaTI z@gw&BF5n$p@NQU@fy5>&)0QRPn#4woU~>SJvj@g13G2YKBa&t#Qty$4qU$7OY+fV9yX!h>UZanj7ehIZ5+TGHFIh=4GV%L@E9vNIVBK8gj0=Muj@k2TZkz3u&1I zgnoNUvDjp2^QjX3tea0#+=ZBa{|eK62W=rc@@96Yse|6aB-yv19;)K$6GyyxgrOdO zIIRfQ7NDzgNamcJlt)wGy7E!}{`QSGTW%>6#;~0^WoKC=k=~I&8i^)2Y%>f$w)SUBI<+5+^nC;Iypom*P2_j2P&YrVB7Ql)mhWjN=s$+2_IaD^oC}ze*(-f@FI^Jy 
zX4SNu%ao9Q*K@!oU>~L$X8kXKH9v`WANmBqas=>ZxEKTV@%cEu0ImR>Uw5!lMTYI{ zLC8_>KRzfWf0Bj8!Mt94m|qow9@F3C^kD#Aku>|}m%NjWdFt|;CJb&}t5K_pZs+di zx8rScpfRUp{n~3pT)vzAD?%O1SZj7~rYx7MxHEpp@yRFP$3EAy<05f&8~izXd-E^1 z^`VXtBq!IC%K9s&w}7Dt%(dN`Kz<&hz<4=nIuE)UB;UjR+Q^Q!NxoCQYyTyJ=l#?6 zc93>A&5HaYaF-)gjB=~)oBc<4+f^Mu@SDTo9Om(q?Q2*=4_sF>si(nAIm7DpfKS%? zcHM`QdWYk|&Jp04LMuhBUBby6UVvTuL>1=2ueqQ`RUafoev5*(ZuP6Ne zO!PFu0rcvy1epQCVx+5*LUAN&kmg(RXW`>@7<-=9f1#io`3N=+gD}a z4))zI2-f#_qxuZ=ZMS^V=RdwaP}8`$4fRV#^ytF3TQ`i?-?YhG)v;)sh>=F}IH-y& z4|R*Y_}FO5`dz=cWwM3Z_dJY%(=RuWfm7#J+wtwVZcW@CNVg>_X^n7yaS8w7fs=gn_rE?Cqoo zKHm2G2D%0fX|t>GI&{!A_au@%U%K4>d(ObEI<0)(bfQ$3+pE@d8FDdCM)uy-6L5FW zgukWCsO#}i$9Ep{_3GSmY~;0TIWzmcx^-16+auex^9<$%fkQu_iOnX#FUSpcdjQ8J z%K-hl=8v6MWZFSE+J8tCCs3e?kD)heaICL4$e4(P=gIp&U>6BJE99uD4zCnXkB zQvG_S9)fCb0~k+RPXW5hOSw)w-b2AdHePQWn#QAKJ^l zt9l=`KslGZ9;TnJMkNqB1&d3Vlj#xB5uy>Bl?LfvMRaW5qDHUGUkfuxgLJxFHkUf7 zJTFpPnAX{Agp9FvN2oe2ZF2$QlCnT5sm`br@96cUhE(E2j#RFpf98vH(u*3+o{E?- z8G6CWdcjB{4;ALu1hQ<&kgA`nI7@%H`wP~cwB7%N_~dC1-99+5CsESDQnldg*f^NN zR7n>mDcHF#J44bmeqF5XGzQ7@XO}F7{?f*yE~L&1_2@PHn|Yf;J!%;JLy=v+0X`U| zN@I1oQq_aLg5!i@)rwl-i_4ur6A^pSk}jc$cUi1Osj0CBRIp52dP)7B;1E@^S7Bp{ z3lWX~Y+gnd{fI|B8=mUNFNn&YFeZq6#+F#}IOqcc2AvEv7!gfBw(1+|hp_`9qK@%$ zm(~a zPn~`|1AG?@_Vz(+CaeID&pF>AgKrLdfCVN|#NvoT--o`WI0-i~G*g(xl+p^#@#D{v z*P3r5mgmhSM1%zs7cGX`PBqAOX*RMIFcqzDpF-asHyrz+*KR0=9aj#Z0Akt9%I zvDv&VNG0JdeR>m&!q!yuQ2CeJ4atK27v}~}sRA8;BJ(lOYJPr94=8iD=U1Y^OM{fL zYr?CL(>dv|KYhLP74N%d@K`f(>LfLWScr>^?J-s8h^jXcm1u_^y$zz4(Lzuyedt>e zRe?Y>4y7>xHM^KZVKzhgq4Oh}j>@j$XZ^M>3r_^j3-Rc;X5F0B?%$6)i9DhOM7# z`G%0c9~PrkKA&IgxTI)*oo-J}5U(ksrfO9ROt?%o#}1z;kUH{h1|TP@g~W~%e!lYGAiY%@YCV!b22Lw{g`dwjougbjYM zcR>FN26};8OoCr9E>H=T|J3VTqmf#;` zSH1n5!lhM@;DM&D-{3VQkNbbcNS!aM>hJhZuPe9k@YQ@SS0vgtcX>1!;QK4Wnxr-; z-NOOvLv3)`UVQTUrlx!P^>>f1KsTGkYJQ3~|1NAm0zuQ$5<#o`!Ce)X$AV~;x5?6i zYrFMgYx-uxx`Q=Al(W3f6ZKByZAHAVD*yELaJl^2RUxF=#&Y$8RPu!9?*?I>CZFqj zMD@xMURRSl=bPQ8WPSS2v8+1|6RN!a`rTFC{bAuraq2=lS;uq38dI|RcXBqk(2e;# 
z_CtRhy0(kkrfcb;uF5mjXIrh@dq}OPWdf0K%XBK-wQalY85xvrO}LrVY7x5z;FVDi zEtTGvcWrws76;qRP3UvGs$X9&eqCz^A03D7MgJyjJC{kT2?yk&-8y=?m(DUwuA#Z}u(uLJlZiUY{tlQgrl*4!$eLfad z`Q5>Ng$q0c&)1Wmym~WQoIA(QgsJ}&XFR3(`-ZK$-K=HHOf93!dpNGTtKOZX<-lQ+ zOB@;FWdYJ@e+={eu2A0R`XsYBgWsKW)9mfssn|sRJNqI3B$C2ee1BLu;>Yz+MV||?dImLb9WOKWv5cGc1gA6mdW`4xr z>B_LbznA>Ff)3sE*kPYpC)f7)KQr$lP~mv&VGG8H0t6(ySbLWL=>T^bJqi2~i*7uF zTBJ_{eiXO_KFhzWg7QJn@5N|gSwBa)Bc*9MszIca;b0gaQpHh>JqX@W*`dW{sDK>w zHN|RJO6zv5yfaqH1<^SBqoTddv`3tMMNEOyuAOp8j@rh*pZno48>#Y zsS8$4)j4Aa8TS=hbvw$L1wV^Subv6io8tt{p1EZKQ+9fCozFdA<}OCHunT%xj$ z3_?iMm`VLYg0`nJP+IGwjJ}OzK?;WrsnwF!O^x3;HzIA@5xDe|Br%FYlOkq}FRP9s zjyXlznjb;t&ChV*G$$73S5b-(rO_rG88-n}Y+YK3D^3oL0Z2rMl^1>x5h=Ft?-|)Q zxh3Tdvp|R+{#3JKJfl%<9e>TzC{`i7-0fr%YFC($`g(6jSr5HB%_NIJ4T*U(sLRS*&1%4LNkj-A&7LOe3r^ zWn4CH$Z}XDd1-s{^Yr~y7NVKIC^fe zG|_~K7Y{h=V$&|o>TM5v_4BfIdIf~tv4#<2Bws|nKZscw%q7YZOtG(i$bB)RE3Vj1b^IGT z_RZ)!25(cez=1+pKP?AyrTOV3VZ(qHh@BlPp)Yrka4(SvQkTN%uJIlHB#aSp?(;t>aqtdoAo;Js)%)4xoU;QT4R! zqkKMgDx0n}_A6u;dCv~|U3myvE{)RJ%$`<4)p)9%mJ{Dj*FH|#C)oLSXRZG)1V|Z~5zU-8@q2d3JiEcdfscCnvlt@_V^yd-;SvU0F?X-302-yo?3n z21YMx-sa=}Ep9x_&~kqoY;{b&J%s3hR+|Irb>j1$FRLmqqFOo>XKSqSdL3aDPjUIY zl(QoyV19b;Lk7JGtG%up#g{*WNOj-E5t7%pW98+%keW{(p&vbOlJYU$&n)zTkJ{D; zu92H7XGO`rt%i~*42I^5-nW0!qjhw(V>@r+R6(5Ls&?Ejliz?hMa|D^$gKQ2c8W)x zbA$kn@C;4cpsP;zm%ZJ51{;3sBc9i%%zr;@Gv3Sef7!f-_hdh5x%dxIn$tg`IpsTy zUaoEUp5_Iw&sj#Q`F0^V_n&}<`d(FK9_K~Va}!zTh)` z-sk%`p8Bcx7s#j0&Sk<)9h=42^Vp&Ft~Y=2^ZnK9(r}|IpzBl>!}!zqxmz;u9=Q#` zc+LK{kV*J)VrZJK-j|syn7yv2zf*)upk*8`zR4fOvztFTS)J*yDA*;xvE05QoHZ!t z^I!Jm1Ve-W-T}>a!Jm7NNHA+1LWuW7`W&zuMCu_&>p`b;i}sBB7JZ+11b)Z*fX?3h zw6>R)piMb}qM1LX>VljMs-$7hx=C{tNK|XT%M+i~lGFIcxi4>yMqe6^e@Lr0P;Ts;dk22ES!w8g{sY%Y=prH2b8O_G$hR%`6(&6ofu^~JzR>2!q!hph_D&ODuoBE z|B!lV(CVlnVlS0;4a9Fcm17>dp_0EW;9A}_A+m~*rA%H-k5s`naZ;PD@`T`*nx`Sr zqg-%c=L-sPrz5?QvtrgQp)sJUZSCPqEFl^BS@p$Ki}a!dNzs;W&N|vDIH+U+A@VX$ zhlJs2Mvxo{zct%mb#&-F>9Fr-py*d_E2IGaG}&)8{z#@yz4A6y1~7?5I&7+690G>5lvZVgmlIgQ7KhzTQ*Ew$VL$SoKa8RD!_wo9%Pixh9LwJTD7Kz 
z8zQk$?j$7*yLf#p1OeourD-$c>OED7h}4dhOQ$nBtauAL5HbCoCK%k8MB=Pmb;gJ| zR&hBb&3eTFWZV(W800k)OUI{JOgNGOhC(asku5Dkb$IuK-@0iG+y@dOlMtm#t@c?e zVhPurtLSoJMt1)Gth47I*$wkQT1*o}gX!yxjxi{NLX45~`-=E$bbmEpkHqj&NJuay;kAXqDn3U005|=>UU*curwh=sZqLCOn z!La&o$(`X~lf#hZ5kTnjAQ3Ip&3NN>^fK_!wDko5BAu9f0pt-_Fs2x$@aC)Q&7 zH|klX2QAcK}Hq==JEgOGXhUCkl1hZucBbC_czF!C3-^5PUDMYxeF~`2lVqtsk zBbC#VvB&bRxgfNDX;YhdoHb;@a`_%*d^#*~u5L3D?C2^O}fpEZX% zHJfjyZa+Nf$|tEcY>)+O62@OFJJKjDzG3$;s|3KKD9dOwoC)L zU*){lk8O{aWs>Fp!yVWy&;buD_=?P42Y&LYXLy@>fPORwAAL}U8Ka4GW8KQ$0g!v|9r9kW+;(~*t$m_GX_M@%4Z-5q>jVgtNp zDoi4Th@&C zrs&^JzRB0PW$C@`twfFiTAuuIeStOlTOW_O)d!bsyM3s;>xh`#&RsOoYt94m`qm;(Q@c|aHr_M-g!-axlluE#?t00S_}=FRMhSI1 zpYD#fJY|944L5JPmKDt|zGt+{y3K>#*Cy}A#aHQ0_X$Y&2PNqZw^Io1Nv@q+#EH$T zNpI&#itP7?Dn6W0{aEgI)7|T05U(vic+;z#fB#&8%lm34zX_QGbO(RL`=a}PWO6mo zwB%vi)Wz@S7o(x0@0^JHK_2_&f3)Sjv$1Nmw(hvN%JZ-V*r|DR8UybA@ z4ut0p7lasEvaimtrVX0cr-7IZyoSZA=nU00Se{FT$?Y#YuhQ8A9gfqVK?*l37%S&e zT`wmNIptrqGQ^(?R-jrT7DmF0Qset_5E zuXMLM>=%XlGNT;2+4Qt`5`*KP@Yi)sXHbvcCX~#lF7+gAo<>``G%faYuRwFZ8SHMC zZf-cTA5L;HFPk?Ra3R`0lff_CG!1E5JdYaT%@#M0jV^cTuGU_1@qHZydoua9(xKUs zX!aW`7+QvV!<^(ts$1?|u6R3MyoOkc`8$SxQeHeG4uOwuz|b1t-=7mN!{@|1m6I9J zL%8t*DCwWQasCLAo{Rp^p4S5u{qi}J;P7^Ap^oek&7>c_6B_H?0=XSgDL;j#Fo(ht zlMt$$*nVbjyh2n`rgB&1Oe2;YFIFREmB7iB(UQx?za7*wxyqF!=@)gfg-}CcUb8mw z3#&OXP{Tia3vnAzcss8Du)d*EuTge*wn`-N9H`V19U;aSC=^e)R^;wn2iS!SFn;!C zNx4!+!fjhyAU~C&Sz;ySB7U!BM}sJvu_M9GEG#@s88*(q36)iX>!#PAMDIu9C5}_| z6o@H0`T{}mFJ$RzUIxn$wk9jf*;)oe^jJ-u_|$gByu#1|CD=-!1l9-Pr`qUJf?fih z!^$sJh_7@rFqK*BmGEMym3}dawr)IC`w>nim0y%q%GUZPq&8&acpD-qyA_$~j0$c2 zC)KUtkRJWvBFH`^=V;oIk$a6go8Ll=N;G9Sg6hoVQOqf)oQ1I|X(e*s8|KC(6nku1 zx%p39xsVw3>k>7bc(M!h#Xs$kkv9wDqajRTG>WrOjoZ&IsvSKq*t157CoZnEkF< z79k*I;=%^l75^#fF}!@q2Ai{bQh4*1foa+xr93W96Dt9}MeFAvV-5X-NJ*$Ov|!5E z0+iWL!Ct?@8DHfLqUKb~h&kFH)UOiK4cJ5G5mwx(qep+zVsqbvR?pEKo!P7YTFD&* zOF>aE>R=(4rE-=&6po8b_WUk`Px$xF_}I=V5xb@S!4Z8q^^pDjWorp&O)LU|l1m?2 z8{BNII$%a~-jeA^f;PK}<@ii}{`@@?TBBJVh0?4wvxW|NMpsx_DdtpG>?48PV*Ebt 
zO+m}wUc~=q7R%7OH>b#Dx8EQk(*%L-YrS%ndGc`u!ecsYeo5?!!K_K!oVy8{dxgHi z+*c*1c283xah#;3lz)oWDjgyf5zy`tkzc+w-WvXBi9<#VQY=ql$B#r2Dv10n)6AnO zONc`>);V1vFkQ^SB9J%`Dw{u7amFzrMw>nx^dn4kDcDG$(Il5FTOe7$W+Q4JsYC4` zrC^-KH(L``kbds-wVW5fk2R6DC*jHKPCzsnBkg3)Ntnkn0(NPGz0s4UdUycECBwC7qYS;wRnqvEX!> zByRJbZ=3w4UExdaPldStTa_=%MvEPQwzFjb2+{rsaQ{%Ot^xG8XU5_LhIeJj@V+jq z?w>vBe;l=icVusV+$dcItZlxslr$caR9>jH*(HYqKMtXiJ5H#~UM zvCE?rpzAO;dxFbM$yfVuK#2>~Hh9aX-N-(F+JPH;cMdBor?ll+vD!nN>f!LV2sMpv zJ*W+I%WMd%r*iDx&d8RHN@sO-C9uLB2hn&~>$;8gb!GADxc?Sb(3pK^^FL z1q!~M z8fSIgMpt*Rp5;{9wft&2^Ckq|_rPYeZF+-to}Si@nuD*?FWan>kpXa<6k1?EX+snbyBMyeF&y4|^h_YBI&~a)S;*cb{`@!he2X1}w8ZdMUb#R;cG&tz=VM5XLulQQm}#1^gW-+x`S{nO%4zzAHT zx((qn7WOr$!=BovXa+HqM0FAMXI6;*ACgQPag0?nYN{10f9he2`;9)RZ9#$bgIx{Rh{!O>(Z~Y3QcT%^ zLW>>nwOcd59O?^eO$kZQmk1e+R4uJBl|4f)ffgHUm6E(jvgq^= zVhZY)X_FKTt2Z45r~_6`{KM|L}YOY5iZYN*w;)p{GeNg!cXGu^v&8fGg3ZB9oHEcb>zSbe2?U zOmiZXYNJ*Niw*5_l}RK1)+)e7?I1X`H0w?oAE(&g7@xs@k<66KQIL|Oz~)a}%Q5co z;T&)ms#Q3rR2MIhXtYH2@XKH|^AN)Y{)P86IY`VTCJQfF40hHwB=HZWm3@~Eegp~3 zBk|gjvfMaq&i)f;f&TGW%@>ngkuokTs}7x}Y9>uuu~Bcu0njJC!uQy8GRA}Nj32W- zQvahN-#LP!4W!7_hfN2XAq0v_+)VW?)6>jHRVYsdS91^ootdnJsV1666RL`1Iu|Hw zH!jHl5u|8}w<4N<-U6XGppFMEU<~aM<@+G`M5m*Fpwu3L)n9QFPA=X=}ld6FbAiOlzYE!IJ0F zn;M<~?V7z?V6VX%k9wnSN8>Ef+2&?L`H52=(OY-vPZ?IF1H+PCeMpjyaaU#iFj)eo zMNt$uDZ#-)e65kD#h|ZViLK2z2|M`t1F{Wz{1KfwuigvQ}^|5JOlkz`%yqx3$N*1;Y^|ih~GV65r?wIcxmC@*yXbpT`iI{HeAAHv#Xm!NPA{k|s;T-G)q8OP*9E z;Rx`GZtIDa^JJ)taSwV$+ibB8R5n(E1SAv_)WS@M-B_|@4PS^t#v)NoslKk+$X}OI zWLayq=t(%iqNw9IQ25Q_hn++@IhT&~STRW_l|#YYg@_`=YJJ;oP05!(s(4SqGH7w2 zL{2wr*;W(+RYK$L{@tHrFmN38%* zXN_$i@Y?Rv8%-1>c+8p)(bW!KZ&-PiZaQlss2Njxic|N#I%w1Plf$lbzZ zRG(hfu7I^;`Abu(daHH=#>2)(dW>L79@pw*Ik6|7uEo0ObqM~4q^6K_bL>ie|0mB?(4JGM`P=>w^qKMqIXNFe*W*hZm%u&RP;nM^y2ZD zZOGgGp|QX5jc^F>e)gd_dy%iC<_Xem^L3kl$P%9DB8bP8_oB0SQAXc)U{Bt}Jo6t9 zqb44hYifn_=4~Pu9SFOWrj7sFwzf5K+TF1?IXerjJ(;-KYBADusDGcU_j;x_wmwM^ z{wb_~5a`|r9j?RM`JQ*4>7|<6aJCyRnO|N>jwmz@l|GQ2E2G|z2@xWto`LO3O*-ZU%Sm=JGenvt#!xwsEM$n zex-$B!(*JZYu%B*wd| 
zzkJE9z1R+ONz$0qw*3HRT(8G)8REI19cLwt*dx{r)v~~>mqd=c4)P9Xe>v!E5-8X$_*=90E-LM(!NT_ z!x?9Wb4U~jnqEbhtk8c!ogKj~s4$->ix@LYdBJ9l)uUyF9joD*NybzQ59ZLyGx9Ic ztzd*{xeR^(RmsX&Lv&iK8#FMYW~vbWAjP7o2=zlGKg^0d0jm|oKp9kSgWQLzS?a7hDeYZvp!#?0 zj*OzU5IW}l@M>7gaYabFZ`4;3O-j{>bCX}TI2|G@&0vl7A(UxNvJ~CCp=p1ysx>u7 zl3o;|NnI8lM!$at(~zge1q37uwR9wS%}*Z9DAMA&+y?^tOu%?erHFh0Z-g{a*b_@o zX^AiyX#p0ila9pSy<+R;SqPE3z8$kIl8Ld1zg4Jtzhg!mKNYS)5-(;$Ipv_&!GL^+ zJP`ey>pc@lEBQWvyE}|iga_x2duL$(l3!OO}X(72*c8yLE!YC z8h6F-0Tmxv0~1r^R0~eC$9`Zz7_)z)QdIq|8vNs3f(jKn_s4;RD&>U6eI)6cMujX2 z^%;97v^{dA7LK{I@I>=$YV{AA6hbiG5s~6#zLD>P8cm?}fCUi!*rx*|*{*q$zZG?d z7oh6rV=r2uST;@>I)2xHkI7j^Qn--FNjFA|L z4-cvPiR1T$s&qVwJxM7O`}wA%>Y&4?KBw+<>$)z@TS+{!N#Fj*WQ5tkK3=sZXNu00 zildp30!xZ~0$2Pb{*5H(?+T4sm|~3tU1d>a)WHSFk&bk*q!IxKCJGyQ#spjL5@+mIu^ReKraEnR9>lw#2sg&0N5b(}N*Mqt3|GNE) zgX?Y79y)g0^Sx=iNznHPV4cz5li*>>KP}sZ81&#WoYV06A#iHQncCH~5 zuGjG<{=|AM*sv7c{2ttKBsaD7=VeX7-pB139m$lPdn+`amSLldDr{$(8t2rDCtgZE{{W7+48YY4cl4J@U) z=veM{?&tTNYDXsay8n%B-$HS}650V!6|~zrudQkfIApq?=7D=z6}1R(1zkL;-%ou> z>goYgE!EQMNjdVA!9A+P>lJP(*6LBai-P`PYGF@Dm-l1k?f!Lfi_(3TtHrL()V3+z z4d3{uUCSmi|3!+y2S1O^>LI6p0(DhW{>#zzrogm#oJBnUE#93*0ROq?;~(pzE5L>O z9+ZXs`;=MQ%6M13X~W}DZ-{S-f)<-;=Vw;#v&X+q!%Lqf?fra! 
zL6ksCjQ=h}DM5!uK=5$h%5zmi=kj)Q}MPyBxEnxp*rTln?N zvQ5Ct(#9k)pGAjB+}iG<&XuppWcYU1xkZnEGJ$^MIW-OMmgw1dM)jS zIDt?^{Z2;%6nrOu^h&inGl9JglKYsr56JvlLq8oBsb!fonxFq@YApLSVT=NKQf%UO z6#LITWl0fEv45LIib^qB8Xgk%+Tj@C4kv#H!eGK-q|Y*>+v&{9bIC6}w#qRVGG^hR zKw2RvC9Rx0KH=b`>V!nA2=L@cLx(DkMUki@nsvoeeekO=7KH(&z1c~nW)P|B9MpMJ zP$sy;M&0t+Z7aX2PX8+qU>5sl9RuCvjjeGrlI&MDX-v2UFM%Sg&W6dvJ~7+6XLQ?Y z{WGcp?^OcRN`?hxh+tGvogntzNpTzxHpO_Cvywc=np5xKI}UkD;CBy+E~AyI}kflze`_(caVhZ$*}|k|=Wt_>e)8wWVC61O>nT*INAShv=csm=WeSf>;j zMliLfMGdcY3FV>o7asrewU5E5RBG6HO=ogYBHIDf#opPgCXSpLfqkiqgM+Bt%pXhX zWiUo6Q)6N}pw=@*1l*`gT1h2}LR&Jdw;@Q@0WORslD#^>Im8+0R>s$Ow`>z@uJ zCgX1Y{{jSWiC@;gt|YT>ex!jSqMbh#jDEChZZQx40B?1N&e6}BiKF`HRZVKkSDs`O zUzL-;b5%{_r&ymZXfjkJ?TAc3?)MkGgxZ%Hx7n$)DE(yxgEbB#=At%vFN+|(j3x|g z=7fp%!&*e?kfrEI8!swmL8Mfq@GmhkGa52lmk@(YBXWXkCEZRKS$!3y@&F)DBl9TL_HO$fTxUb-fyDlLA)s|9< zm1>jU(XNd@&*&yaAMlb;D(C^? z0-}SoR(7-5QNdhe>6V)0hi6#*^@M}l)!#Nev*p9T$D%?eEuX;Aw1l-eL0UeXNpdSe z2Un#Cd)sDJd6@ZTU(a-rXG$62+2f)2sMIRGN@dS>Y*vvL7w!()K&He%>@wz?>J+ZE zF4&(}s1<1YK^0&!jjH>IPFj1H|K@P5uns}!kW8wGTMG(9Rc87vix7$yO-_pYOUF*1 z^BP0g*lL1Wu&2Ks2o8D zxn%RZEk7GM*mzha89YNa<2C;qg*6<@5xmIEewdw8@M7y44HIJSmaoi%j>1?xj1VEL@k z4aCO?+Y>jF|0$r4R1u}StP=n?cf;qiTBE|d!rRR8^#{}oGFY(?TDG7+7>M+%w~eUX z4!E)Ep_GguM>!aOpH2bjoCOtH6Wc$ul2!+t6A{}!r*-&u99>VzC){6Y?WKiZxmLNI zWS*A=Y#7d~Se!;CU2UI*=8O===K^PzEDT(F-DdBv?OuFtpvQX}?atHabeWJ8+T34l zUO8fyo-DfCIl$(8Ud82Z2AH^BeG=z_sp8?@xtXm))1|&vT3N z+Gj&+KamBy4enyt@^a@#DUl-L+X_4KE*p@&jk6}9kGnlyQP)4bUnl9G z4lK9VD)=^(w17p33cO+zOX@Rb0U$n`E=Xhpcj4#XR6X~{bjv-Smxuv32U2{wb@&S><}V@72Ztx$yxEKYwEHWxDx( z+j|?#Ku-nDqs^_7tEJ;i zKFhe{t+XZGe0II_-E9mHIQMAgb!lV(UK|eKGd+0&ejLedZSU?RA?3O)SEq$T&3v6} z?8ydZbt!0OrPSI~B~COWzfJP3;cxTJPV@h`>KRkP@A5c{t|ayyIzL%Q?(*7az}|8> z2V2;-FF$T+Hyyq#7ky&rxtVR#s8ur9z2FLqyvxgnsH_!K_;?CJf9CgZ8!TStuOfE3 zMP_O{SizRFU8X?py#8~{xc;1=asc!XcvbL6oH20x2q5?hxO*e^{1?z&^JMn%lUa!E zohLeJ+YqGX2^FVVBbU@Ce*3@eEzGtF)*CW;Dt6mvX%F>h64g$9Y;w44t#rL(lQo3q zGJGA2LdxqbJ3gbjr`a3+D}VgHcokKGere5fxY4Nbd0Ry-eDPqJ^o|@D0ro$fLNo@F 
zKJ0bPcK#!7`Kex*sP8olkP^b!5F!p-Y$bZ68TRNC7Ln2>nKTj{&NKFSva7@`* ze+dR*GG#y1fg4wpP>4mk12EQ8v80W1$c7O~i#=kb{vwR>=g7kGX3XZuQ(XrFopNy+ z!9;4wH@>lY1LIhd;c5REWu%|QBmv=woE!PAto_?$Tq}$1r*EO#bhD(@9Z6+_^b57! zslI8L6o2)%BKi5{fi&XjV%iw72Z_$P;~Cm1l?UjBwn&YI1_G->vvT}jjHC2N%hKFb}+QX;q+#wr8p859ZO9b6CqIu z*;kRmns^|fFZ9DLnPYWZL`pDQm(1@s{V8V0|B+G#rx=H*(t1xnY#@l<8)_=W`bJu_ zKTy-9==jqlfRXYf5B6HSnV~45IY+q9_RWZhXVzMku+H!ikf-SV;b%1_Vm+%PrVCNC zD)bXP!@57k=q>ORNo3Wk&PPO()h!4i6% zsqW*}ZiK-Oo#54DBzKLPfqf_4gVHDEEGu@jw*X>>7qztn=|nJ$wWnlgIec)wPZxYG z`QGJ;^MFcEcuvP!w-hSGdu@3rRAAS6!Ee=B_IAm2?35`08V9r#BD8qfGebqnUFMpm zN@=e}X_m&Wm_wpbv?={aLR>3Oi)RHf##lRd+%XgxQ*>SI;v5-ZtRpY9JVL=0*P=yv zvM)>Q66(_Jn#MPRcL+P$OPWxurX5sINhznRD1zJS6mJNrO9jZqFT%KG&E+`@IC4NRGIBy>y9Zpxe zZs4lJwR8XErlWa1AXBH$q%LEn0i}mrdh-M`c=wWEH>(AcqS(yf9*8CXFO2U3WAF5m z7JkSYY^wPXmE6Myq7mm6WeC5-CI}d}4Qo@E{U;1&lQrw0?$Q_r8KN2^(fr3BoQJ!L zJT@G);Ci)IRq$8Eg+v7YiSL^2xg+fLR^ykfp6)1rn@6#CvuDbW`zaM?>0UJNqx8Y? zD|x_7d-*BYJ2*-(u;-hVWmZ)=I4A2EEY`up)r<6tm15t`+P|-RfvJG8o7DG{JJ71b z!`cAdTh<#{+eCydM~IS;Qrzoto2=(O*b4)9g;P|4(@UsmlPj0iVY` zkHiSWfI~oe#yxR&A{0^GgWC?6%;cBv;x2SNk#p!f7GNGw>tqb!iRm%Xg+y~X_6)n*DYo4?z{*2>mH z{W^i^Md#3|3o)GG!z1)}Kn1+tO#&@t*Cr zjvl{u&ZRF+Laet9d4>Jiy*%B!YVl!x&lm9bpR|j=>uah7;B_X_!lr}N&$xK|M90=? 
zW6sAuoCADDCK7ZXH(Tn&$&DZuw~czN4j-D!)WhvzD?=$Ar&o8+hEvw%%ZKOd;`M7s!GMo$-9qj-RM#U&+Q9GAW_knU z@$zs?)aT#*86hcEa!oPiS?c!rWkXDFy^pBl>$dnAa{|9C=1*F| zo+S6IIYo6gDF_3Pk5BHX|Zznf>b_@%4uH!;xkdemD@ zN4Mh}mP1znhVy3-e)RQ+(WlHdz_DXbF1*YoH@EV_cP{lB+ha>FQ&xWC1tF5*>SoJ^ zuJ$#JaH#_n2I--n-t#ur^Xaw7P!n+Z;PJfD=k5K&U{*}q_I?=*Q0i0_Ax2bx@DRtfCnztwj6&E zet}6TA8Yct;sy3UY%j8)q!9U60#IOy#xG0PjKES@8}h-^Q*^u!6(?TMt=i(4Ri!eNXGVN_yl_O}JfmJ^+-7LK@rrtQT3dwFSGXt-uiY)wL>6l@ zWNG|9eU3VoAZmgXA3tP)dQ$a!yLqNG=H)FM4yNEy)(^Q+ir~p0kgqa@N{vRS>OgaE zDl4$h85ZhA9~KMilf`>t&^P0!cm*I=U;2E1{NR<|5)vN!PmFbOtwyN=yPU1e7|0)) zn{mKz>^&XS#4KKf?VraA57I3wxj}#4RU|Vj+%2O&0407NsS^c5^&g>R-hwDVh*c z>hCesnBK+oLrZ%MRHtf)4wm6SM>W&?>U!eYQ7}uk%$$=*p%Fs_Og7hc^=fYuh`<&4 zs@Q((<}!S>pF3+voCK<+uvA)jJAN%1mu;=9xgpG{_>xIi-%(b~x9J~mDbIccF_LX%zbrW}E_3;(T+s99TLIZ=@iad;M|qoWzF4BmdoOi<}vF6uf$8M7jv z9|)Udb)e!LTlPvgfrC$$N%>l^1{ZN^VM_HbHIGPVOREAO{j0tXlst!P!GEcE*!Xa} zw+~3tpj45chsUM@xs(S+34S5WNMG1A3UdWtV-hL6t<9h;sMIk{ytCw>a#J#BhULON zE7Zte8O2O-Z*oa!wyp7N^eus?BaUO3XkHvtf+i3c2Gb~hW9or%q*TCo0_%{d+Q5+z z#1@MRIKAgpa>6&mXUd?Y97_5Ou|@j^gLI2zpcVmBBoVA zX41UpdS)W__{tczAk!UraDlMoAU|(2M7Q|YC=|uX-q4NE?7|1*ey($geU+?Zk- z%Ngo8PDYv8cpbAwn;Oo9!dgw0QKK>N42C%EUYk?O1?D^`lc&VzPX>(Q%+T7UaZ*A9 zPr1oa#CNrCasn#B$~jewY>Ir_v0Wudj=t3yHfc~=fl(n53Kq#1o-7yP+M4g^Sf31? 
zPZ$6w3+n(ueX5J{o#QoRV5}~m?n3zy`g`QJ1O99))ts%pjHSk}xJQ-|ZqTRbd>z->}d-B2A)+mvcFb zWDnElTvYr5#vx%|yZeED5s=(wFh4kZdQAD70_K#n4@IxNS= zr~Bf0q)LWQtss6MwPNXC{lZC$8`+sTIth`iP^&>XY-r6$svhSmScPOhXRLYqgH$?X zX|39|OF#YQ%Q2qu6umfqXa;2E8-a_y8kviosP#8=t?{U^K8vL41?J^> z$yyX=NzFKI3EJj29?UUwnTYV>aRw1~`kDj_)Xb|iF|i#Tw;-r?$Z^J5nA9DWzM>Is z+-m7VA0hSDm7}P>e0V0Z3 zeK){v-L(3sO*V;o)GrkLy(p;-ofE8Kbw8osE9>|2g1&C(g z14Ksp!3-Wq9#iu9{zi=OLAeCV$4L}XriSr*eanL|2YIG>6t;!O9AO`K`aHv)?)$$3 z&js79`n;Ek>XH;+XHl2QuZc;RRHxP)w}SbqnSJW_M~8|Ulbh{k0-P@#T$Zl$+Fqe+ zvt1<;dY)*Awl#bYW*@n%H$VQxof~i{ZRjkwUq*R<}f*wiu9Pi{V%sUZDbGD}K% z4nr}IH^^&wV7Qbsa=)59UW+H}Ji1vj3r37zF>xL>p|flv?s41VF+5#cpM z*SNU1_5%*kr}!*BS7o-n+iyx$T6}!KoQeoGZk2unoW;`lfdU7n1Fq_Rwp4Ap|7m__ z%2Xg`u^6?XYuN6-Zdz>V_PO-yeqM+RSI*LR-|gC7e~jO%T+R_Z_kH`5rlEW1Aw%T8 z?wE^_w%uysWNMkSZ(jS-^2wp;G`&B}rTaF!8Q5|4nnO3^)gWEzMV#X_VLy#O{K5Nr z&No?>Tv&mT?OH7qf01(+ODq@qs=xI7=>b@aS% zxy#(`dO;uMmj*mNHB8)==EhY4@9?(;KB`<&{h75z&_0BNr4>GhAkBYpA<@j%u&?E@6BMkz+~&yx#Wj zk-Q&kJ^o!!1BXQ&0N|G)g20FHw64xyxISNu@8r5ev7g&j=Cz&gvjd}#^%jv!*m>0f z{cS0FT9-{BBX(EoB3RmcB{%jYB6GiA{?PP+`T{(hFG z=_kJtFUG22z)>>NEJKTV@I$@evCy-#CIzObvL+W63%7*2es}Med_8*jw;vKtj?=7r z`LhUsd;a1$SYkzihRTCLKL%x4ZEEPBvltecidbKOIp}I28@?8@1X;^fC)uTnDcOCv zTa0SQAtSeXGJg6y`QV&kg5sC?KkC0@PP_+gp0M|JLx7-J2Z}xumb5-S~Y4|7n*Waz6n4R zi$f1iHXyk}Se3JT7q@PM443mw(JoB4^NqMd#0o}>v81FcBF$KB;-pJ~fn8}b?H$Mx=7=~U}&fLB<;j~XM3n5nZ0~;;|Bg;6wy3`RpmO=&Qi=@LuFCJ{= zl`fJRseBHTXVnT~U;dduV$i?7hErGt1&#tN!aBoBrDm@-OwWv?)lBi$ zNXCg28$hGrz@Ha8rin>6Hno>d}F#Q3uXpVZQ zNrHomHf8XZ{WewyQI}XrF-94VH^{F1_)VyU+QPG6K~^GzB!l7TZqQK?2SeIVLiXIN zWEG;#9fz~8IT_`R%%v!lNVoP7S2@W#Xe$3!zKyUTLcos5?v$&n1ZQH z^fntahJg^@1PB{k=omdONo;&!n0otAvJ`Wu;Su-W*Dnaci(ZrrF2AgFP%#s)|Kg5Q=RrCsFawOXB;@ry+GcVGH?# zHOgTz?kY*~ZevnRn{{Nh(`1?Ldfe}XtPJpt!!z0~YM%oVS2V3~r7Q|Va?PRJe6e2z z#c6Xjmn55wGsxCP73pe93T!s><<&I}hBZT`&`TueX98JPm6Qu=Kgrr)x!X$+j1o)l zV-?N<=J;cM^?~uvQb2`Vc@IF#XLuZ7AV~07li2XjCC@Ck>$`kU)tTCSWh;7@y2ODs zH&46nTIMW}s(DqOv8 z%x*n#{5X<0Vssgrief2ddeC|_EX{6gR_mNG{4brUVYQNwyMY2e0!o>QeA6U#e0J64 
zN@3xqtlyNLV0$0zCmzZva5?4UL=<>!3q>ODTF^L@&`7BAKI)_ONx8gds$N*jY`Bj6 zCtoA_@;7>3);q-};YSHKL_!*AEiM(c0{a2YKjjd`afEKJ7Wop)e70)!wv}oKU#B|> z6byWsR_#5{NJ8gzW1s&h*DGZdy^(P`a5a?lEyy*3aj$kVrG}Q_CwJ-26eKue7`?Wq z#+sk`nr~SA^ZVaY!eC2-A>&5|v?%#JrnAa>$^#OA-h_S8XDHtz3b|p8zUJo2pk2TL zS8qUxMj$$MP{K;ubKbyHnL}$T6k|GQLMH3;wXC#yo6q|z85Nr9irckrCqr$z^|kG| z};SluQPEHZFvc>^Fr-=Yf!>Bd{&pNMFuRZNY9`^z7PyRA`^)`$RgMVDMHsZRY^cj1emVBUF zfTH}y)0f-thldjt(09n)9v>e)P#sOgvAa1lSxp^8K8Dqc|85pL(zZSMH3>j}roEml z7reegRhK_s>1wa9JqGTnfc?6lqo1EFHqP(ufc4$vi^>noO3;yQ}5gjI`8fnKG~(ZYRhQc@+1j}_X1`Y*2-TvO(^((m_B(t zWH}J@Idonxy;r%D0p|~r_`-91uG;*e`}toVAR6$y{XfAfFN`_lKlW>=u2Z+3X$^qy zX3(9^lIIagWsWV7*x8OZ#GKsjd23L_w)MkUy;p#(hhwTurv;+n+9A^|bbH_Hm41O? zAWW<0r!}&gem5=mOS+l50jPg>UZLm4&$;P%d&9X}OU7zJ#o_9Hi*5L_VcZA+_*^}R zBI()Uh3@%`-+$&w_IiA+^zeCu!S=Qv*5LHrhmQlr?}L_ozq05iFF;QmO-%a$xxZV8 zfZEUFuOKIpiP+ax7Oe53gXs5Zi!0ER-2<^$(frMWV7_l{bJ^$p5c-B|8*m5CT zZm>T~U8D=(Bec zbdD^EQ9QKQJNo6irznow})J z!_(7yz`$i7zB^9gOk4PP9wAlv2dh@ZV z2u35nf1)WHWov!PbsDlU-%^$!|Hl2$&4=4J3Y0Bq=A68pl^}}`l$@x?OI@HPr{Ffx zL)V)~-WX++Hi_o<`1678APY|!mfB8C z8G>E-+0q8%0If*vh1gJ)>Nr@AIjcd{= zRrg5@nGae_z$6qui%lkbtZ3_vPuA~R_^pjJ_AMyy1YWgXrk7w6{(@VQ^E`P(GF{zj z7O|Sly^}n{Ww2A4Z!>#x5g0i_jW9p>Ca-NoDBP+E_q!FYB_$5Dy=qM4r{Q|ON(WhT&Jx?FDDP_0&42tE30&z3TeW%QdkOOgTQsq6o}Mo4a5&}61>d| z)#>!>2F;v`P_gzs^snWMz2!9t=d}#s=Py2HTK+WqtC`|SrjvF_Vr^T1*z*+?tXu)qWxPEalu|@ScQu;snIZJ(F%=-ERa7gDk?MV$9hV-!rS^(COB#K9u=87oL{|&UDWXcY zThfIza||_|Q5^X#FBwiy%@8g{GuP z*6ag}e*~3;&M0Ee0O~W*R$fKP8re2!E+cOt!Xzqcwun06afkNY6Xk=!jK6uf@Bd%1 z0xc?2L;be^A6@tKBz}==8T{p9}zkQpWy~H;5X+Vs;&((>~Z-G;6g~MDm z!S?gn<7??Itbn?4SU_vD$C%ltzQaf6nrjC~t;KboM?{Ct&8O1v=$<-0k%^rjdh_Iq z(OFHG`X`I?^!@oHHgRj2=lasz7T3!%KJsPPX>{~H0DyE%2*$9|?WelWhpg+X)%kQ; zI-$4w=Fvj5`50dMq~o)B&)LD_Y53eyE0Fs#e%lcLu|5iTyWCm^)Zu#V3D?^B>|_A8 zy$=VFx?MX&iMqY}X3u*-7e0VDea9!$_5OjfhOMaj)@AFCACc7t#asODhma%kRJA^r z6+LZdA^o^@7CE;wq&~WS1LMm#KW%@n4s&1U0t6nV3-Vb^-kfyv6Hw6_IEo{-f}1 zAnkdC|KSDhBY)j|YYD^r*_I6~u)#-YgwpsAv)7yUbBWH%+RAkl^o-V?N 
zVdS#955EGDcy2L~A#KC;yWPlDpf?Qj?e%6LxNm!g=kQf6~V(p%Er^T;ZcHD)h;5$K!`hC(yiNLLzlM(M@nRH{p}l_ zGZ-{qjcHU;lc3eLPm$#H5AT7tMm=4%G2)6MOnaJXhZ!l#vv@olfjD(lkQrB%ubP0R zzmI+J#UD9#eKS}6UJMMEb+Qf*&gk!U1pJ~^*?6&tIf10`$*H=Qdbm+o4S0oUEGurY zzTrwMf1MFWh!&qk)36fXgjuUJ+#DPdTYfTqR=*ZO5tOI;RZEhX0S<>04aA5WU4!SR zDDsBVH$?b4)A4lT6*CmuB7s#zMd$R!d1k$nGC6TZj{yQq5#!RT6f4GQM5nTn6?yms zjAk8TRHC$H&#I!im_I1n#z_<`SqD! zG2fwHv-cmfO9)$x%r!|;TxDSH4#V_Mift_uYySOEuUWT}Qo6J3b4Dqdr#rq+`E$+A zZWv;QZf!RbQZMS9AMb-0M!w6RC~nw4Gp7ZWxEH8WF;HD2!`Ydtc>Ht3B1%5n5+6_)}Wg(Px~BQRH5CVx=`J*7@s~Q0~

Z2ZK@@79PsN?GhY<_q)<34PBvbEis5Mj>w1 zfjkw4&WN%huZ6LDt$GD*smMb)ck5uy-BVWM<^GY(kPG zOJU{~{G@Cm?Of(aDa~-}L}j?<)l`lmzS>`HU(PoI(C7i+Hcy!;=~EY!;r^BJm^Uqe z4D&J#5%>w3f*8YdsyN#V&K{Bvt_yis$cHh#bIY)g$P^9q1j7dHP6Y(Lx1m7@3bp7iS2@R=&BWJs+-Spmj zbaS@49}hQsUxp)JcO7pt@m{X5ePVqcEl##*J>67tY97t-+{fV(0Q9l9E{cOQKcl(q z0!|O_TUH(C=`^;k7RSvw4%HOATzn_z@1nZG%e}U{F3S;-eLgmA{BJjM8ko3loAg1q zp4DVb-j0me4BG)ufo!RohqXUz=3D7I7VQ)|eaAD?dTytL%gLUn2>g%NxjLV&uHy)H zJpB4@K~5i_Od#}I3~>AAOMun>TY!!HEJgE@#{GkVKj}+_|76FN#z!lH&;!Ci$!uQ$ z`EE&Cru;1ngg-237kel`J0I~bRSB6^U0EU~6&z)*b>1Vo+CTc~ciCz!YB%wtE<<5S zBKP?cFzV9OuZE@|MmUTR_k3AYSUs!@Ph{PF5sJ0iD6||I?XnN&7ImpIg7n}?J3oQx zT%2{Jd7@6OiV8}NJH=g9k2+tD3`H-l7o8xGLz6^kNWXS4(|CS3Y)Fi2Q@Qt-{EJ(U zHci^e6t`GH-wa#w8+l%lvepkOIjAIACVJBaOC0H67#SR+M%0Rue<7GTlv zFfWd2L#Pt|!22{0Q+pNe1|xD;w62g}4-MB5M_DR$(|tiLAe-MFqR~YqRm!VszTlVmU(6*ZB0zx%?7>79%G28 zdI@E?ynE2Gb6}E=&H8dkF8rXLL<%YZKj) zL>3HIT821~BK&gz{7?Y=Uw@krZ1b~#?#a&v>iNl@4=Q~O(5#GOgNdo#kMGW67^Ri5 zEEY+!`V)qWoZ6`3rI=9W@fB;Eb=Y&1;2C64_)WAi;D{Ag<`e4kVm)Y_+L*o69{9nu zM9hrPYD$Z=m@Wx`{HD|NL3*c&I+5HaR&<$3S#JtlN`$%_ef1}XW92+Y6SX!CAzG=^{_DTyf|Vw_|q z2vBj_MpPpqOO;M?47+o6w5^<}@OyhOVF?w)556epSWpnmB&~^Xrwp)V(K)h{vGC~Y z!MG*Z;_SgIJQ+Ez@7?*hk_i+hfs>6U8%Jw+NcZH^i8l!?4IIX@tr)!sH!&mTY@Io; z>7WSXe;|4w@*N8(~qpJZ?Da1Izp8RfIu`cDeh5Whs5&AJ6tQ3#I@e zT^A>`wUHoBb2LnK*54r0ZyM)6wS{g(V@&%S%ZtaM28SXl$-J}s?fU0hyTR2dWAkTA zd(l`n56=-Wf-pN2o;p%keknryB_3@SE?yJ!E;IAAv{fZ*y>biH7UJg7Bfu3wWd}E~ zp^_1YKk#<{b|^-J4yfC^Vr{#=31kIjM$MJh*^bz~cSf-oZ8q_}&JaEVMo zHKUB49(tNBUp8P~oB92CYF z`w>olYgGhZxYIKg;J@YXHPye|yaC0{e>>vf-!^?o*M+Pn*luxHJu}dp4Wjlrc1a`j z{(xAh1pCBj+Smtl13F($f949FC#bb#_xSJQ*Aje2zhB|^(AU@#y@~AKpl{gmsT-*RgGoE$Vlw)MGikA2keJNmu3t?l0ujm()=2Aa-YCd&4+ ze1dh6=Rcp5i{n3zd3@DjsIEI0taf|##g-#$AZs);@w&PC2kZ_kk1i9u&k2|6H%*#3xD#(2JzcJfBJlv> zO!FR*w2w8Opc~w`y?|N(x=)R;znEd z{OK3xx4H3vy&(0t(pwsSKmON^kJ1|}U_f{BhlLU&2O1Tes^-U=!`R+Uo~uWZiv%v= z^c{*ON|fj{X1kaB zvbq9UBgD`l9kmrGlH7HxJy5kQ-DB&vuF~MiR-RB9(!s~tL)J|!1kR@PMDDx%DvPTH&o7pZV6R7 
z(lf)fK-&gUad%G3-_k@kZJs6Mm0*MV}9}nk>*q2QGLH$=2YT|m)l63*M#$9V8f-#$p$N&5v_F1&*E5wg5+uY z$oYn%beO(>b>R%8+IHlN-!lG2d1+O&LE5WUjLCAGY3LPEp?1Maz zc4l$k#4Xt@I!Keq(4!GjM!ut=I(YY|UXv*TmK+6KZ1EiuxUC05RFAwc4Fi2(gGNIP z1V0-z*C)SnI{Nn>K&Yg(5ozeGSv26@P=l9aRHkKMEcQ!Kj+?1SXOQ#-&ffLrBg73$L_er3 zwihYr$uJNv+wovOqKk^u27j-0E~JD<$P({LyhMqUAJn8@%+xI&SDb_uKrLj{BN6Ge zrp73>&YhK|81-C%!I$u@G%*fh zz|~u;W5Y6d3PsFtmRv@kF|qosb>x^TS5oCtnv%s)4x26r-9!`SBl5f{AED-(n*iqC zrY=g{a5*iL`|BuoZ=&8z&CEc#1J=6)lO!ctmwD-Na8xv6lD|`oS6OK(ihVoHH?=Bi zSHiIPPH;0Dr)c@e525&bDc8M|SR>2WdLWY26G^w;{kfS+_;@ueO9@YX3d&j+xzJx& zHC%-fcyHbuWhJJZXF|0MBLTK5i?GLux?J2PwgGSR3zJ}G0v+1dX<1M>)1Y8qK%H9k zv+#r+om$Ury09oK08Y~Lpi zeEN^C-u~^g-}ugs)b{I@Zq?Ht=!NTFDz5YN1COc4rq^E1UGVtYFKlrUJB=rS_nyui zy2mbW9q*po(zkp5xm0qu6<$C38^`Q=(sv&BFT4Nrm!EPrd342VH+$vKM=!qhbmKYk z7f%)j8?3wjuTLqibkQ@rAN_-aUvW1)V%tA%@?N3*)fdlSdF}esPb|3Z^fk7>api5O zlNNk^zh_quU*GJa$>oPl)_UyDXYP9*B#r%*#6b)4=MD=;JUTfQckbQq)D2$P;M&*E znmfMs=BvzZ-eY=ifAEzzmR%D5)8GF4^Viz!tw*1`IPdp7iD}Tnf z?*lHcJ#@^~%PhDFKV_dQF5BkVU){0ZwhyKD{#NF;16Dk7C9A2!7d|yBe&l!0KGgfE zw8L5tpLhAL&s}xgZslVP;`!*yeFOWkuU-r7nAv5SZ|+DIPkqoBe)!dUzBYGW_ibst zr1{5vw?eHI|9s4Wr)-h<+8$3H@jZFZ#=+k@{iOqbH)qSMR#boTYVD!@{`}ybo6kL- zTldO?w(fq;_5YFoUkdBL&G`Q>#Qp{T1JO-is(k7A&qQR(P+?Mr#fkp;^*@DA>;I!= zzkK{hjHlzU=-eaGUTpo3zBv3RB$1k!&NOLa5EqM*Qw2&REZ;S{qSOP`GM-O1jlP34 z^KMEZFb$oQ`pGV)zy;1~mRNT($%)Re&o*=>C=Ani*p7h|HlW~AGZxCW!>7p}-^&M1 zFUwFRf9$mvwV5{DL`mt%T^`Bm!(Ju!WFn)coKnT4wJHMWO1hL8Ax@PyMp=%>48`mB z%c_$}Fe4*Xs22mdoZEz-3C_0$tdeKx(e<`SQCv$xlYi?SNodV@DPCDBA6+OZoc2b zq-sYlKur~CjK~57(t%!VVEGo;sK#QeE)$Su*1BCEuQwr8?zP&yok;>Ywm51f+6|4# zL%fs&iG;@QebF8gkm>GCZQ7afStCGv+WG=fSk> zQEs!6=#)Dwm~zLIm+SL#BUOgGbrDH*sCH4d`E&>-n^K#ujxpU1P{shzOj}85zJ+B6 zM7G{;O4(W_oilqux#h4mxK(Hk{!2>5zkXd|ewAO}(s1Wzmb>d=coH{IH&L zyZEpzO`ZM_)_uN0M59I9@wn%89j#(OvDaV-7j#Uqq}IE%GwHHn))kRTFapp(A`Q%? z3JGv5d38RQ@sYNX=nE2NOx*({vNApt_>!l9ai~l;udK{-S~%nrh~1adDIk?m#*@N? 
zmFVujyZ+nX@t=QB{Wn7ig{C(sx6-&%kExN8D~$my?0f2{fj7$i>0sz0gtbSoUzhvC zuwEahi!g`M2Byd6aC-2SayHcss;1MHnIT)$h#?0caEckTTpg>8jDF3c;$)T?=M94P z*tW?xQQ0lhbtlsgi$TdXf*hZ6bb^n2P~2`&s*(VhJfAmpQ)Qa1ELLhm1+g|ADvL`t z8Pw$E9;Xtr$YFSz67ekGb|Y~(hUhst^)@B7m$ znW&3}&`YN#a5tqFK(VV&P`*r6?B+PCC+cm3<7FT@1B+&0(F`n_fkiX0Xa*Mj|7{S4 z<4Yy~!DsS+Uxa;<|7?HiCb^}6|BxU|ffS5<9{mr#H1Z#c!pZ3)5L$xzZ!a6Ejc?m| zI6mf_bAeeE?1-aAFJ$&T^t|(f@5HZvzk3KQuXEw^o9yA+QZ z;+l)@43R^l`%a(p7=O>pFVDWLvhaj$ZhU@+HHYVZb(cS{{LQzo-`?7J`Gw#1&ThX8 zZ*|_|7w!?>a`_{Lt8RYmjW zPwnX0Iorti=0^?wGTQ7`{N}Uw*k?)j&z>&TU%a(^ z;(Pn8C;jD(ht@rGi^pEnFZ$_KPdu{a%RAlv#JkjX8*J8oZE~Q0$bOGp_SBjW9I@d2 z1GfF(y5mkDUbh}wY4~jB$JRC1T+5xk@~h3~&wJtBXV$G=aKLL3 zJN)(Ie|gv=A6)-l@cv6*eelG6OPhai(){~3!WQhe?TsfN{ragpESJ4v^Cu7Z-QBl8 zyxywcJtS3MKKty?ub*78>szB`{=Ci&hfCXEvdZ_4eWAbNYd5ptCe3xs6E-^R8#f+3 z`qSoj-@DSLjaN^cJ@1j79=DHvbnjQUyVv@4=ZS+KU2&gd&OGa2?JjBV3R_=lY`OUj zJ0Jh6!-v${vo`|onfE!@|406R>8t-X)Bop-v44gC@KL^De(C!EObRv~iW43y*w*Lo z|5Nz1{y$$z{)0}#>_zeGG?ra#{ZDyu_)mnQz8RK-Brau2!(`3@+>t?$6(x#D!%w35 z2~i(e*(g>DT=8a+mIC{>A8%a>JTPQ)Q zFqkXTj3w#g0>>8`4L9S9o=wku&kx%q-IAZdPx8je%elhq=~L0KAxm?2KVlF$;aOHOM#P%Ah$)1PzRga!tdtEWKzJ6)8LJI+=nEf^kDj*Cc=%Bd*&i zszN0f!5xc}>z-UL)*7OOTihfn`=l>UG?~yaBs3zc6OS<-k@N)aYjG}*ia?oS zs!J0g49byRZxtOjXoxLo(i>&y#Gn{V5*8c;0*06pR+)4L9f8w>N+iHU8E_^_kRV;C z)rWdxRm=3jp{L~juW{?YQ2!0e21&a-lP>%+^Pk1pZvMu97N`GDeq3YKw5B(kA>h;| ziGp7mPB@p%n+R6I(M)DKmHSdpYj-(AtOSHQiAILO!DBkr2zyvk?-jaEjY6t;2L!U! zsH`X&#njRrSVcQrj|m-)Df@*68H~18EhrS^)sX zprfT)VPPya$61W>yG4SenQUR~J5GY?FG5D`ELHECd_s!35-jBdILzB^4=d-pX&A_; zF*8!Q3>T!>&>89jkBHi%giNQ~S*BdeRWV-8LIlO}M2OUV*nqN4If)7ehZONaVh9W& z#c8Q{8`085(6!1Tl0o^t&;eZ}qt^m4TL@h&QcFT>X!?FnvlWVv6XQXu-r{Qsp#U@! 
z3YuyQEMr^$?)qm3p&b={xu$05Dp{>3d8#$)_xPG2b*mB^Ca^?>msAjD^pT$I$z-i7nmw*r zhJnsdtB)AQ7Q2mlM2q8QJyxZ3l=jfdz~~^2Lc?y?$`M86)2YO;$g^NaHZw&&3pxqg z&3AxeI?(WHifWXsbT%F6!&1*G_Vd~p$}=V>Az&(B9{7VO)3(I2U`7CUrXdOp>_YBTlUW-!kT=9$4fGni)v z^ZYM02*Zh`lK;%~fA~V|ll-T!$!hl;Pck~%?01>%HLo0ysJ;{t##_` zw;w%X%at<+qlI(t*g{+5u$P}&`0KYGxVC(b^aE$phpv@B_|YDFELVMU**pI7UU!d! zPQT}h`U#s}5x%+iRabV`I^12wc>T5f!Dl@2=wUB1mu4T{YT45ch_5*R(49|D%4=`- z+#7$|`zIG|xW~nB@9`nH>Yk5%=iKF2KYP|iw=BEL6IY!YZng96*|YB4LYej2kw5*) zNk2dF^^<Ww_km6`PI)DUvu=K7vYz0bz|m%lkQ!R+59E@htb}T*3bR%*XJz>|G_qX z`Ii{{!f)<>;>Y$mAGQ|0{=>_5UZMNYDVwjd>b_T8R#JX-z``r;JMx_K8z*o5!<$#Q zsO9HhJAUBZWOdKkytzvkNNziR=%lB<{j2%MDSyo0d&^@No^rzG;wr}8;=WO7GtOr|t_{&5|ryX8u^99z2(fAf{occy-~vG{U# zt@<->{Ol<0@RSr^_0lPqUv|tzS6oxxWd4O1rr-Sa@7%(^_h@^=)!(JZH_bor;&b~e zop=J&(|$kC{MJ!lJNAsH%R8*RPl^W|Nn6PHx&CM|C#asUx@uH{70!5 z>e(+{|DS2>*@Z=B8lT!_`1A9hPwoGc`||N0WipM!(E^h}M2%lu{$ni;|Cz)+v#$>X zc_ia`>gF30#nzCD z)CeFzsVy8N6wQjM4QGzsR3Z=1{MM<#W3%Z86 z-D>0v8e^hB5R$71FaX8Wu;0#jCZy?XU#CHtLThm^DJRXk1J?|KXS9OlgI1`NU9gFE z8LvmTZ8_I;eQ1z?fQr;73!KqLB#&%Q5HrEqLC%5)u} zJiU;f%hRcGBRf5H3y5Re*OX)@kR%d9n&rl*j;GohFXyRA&T8_!6T$JYkjqvEiADjl z#C}rYsg5rqBw_Yg1n5kCXe`E z{3rhM@t?)oZvMu97OVfyxWLm5df35qfZ>p`Tp!ihuGHxangf&5RNAL&VyYCQNw|_p zxKIr#Hd2b68HElO^-I-EqK}YO%%~aA0BDCf$gNZxL?*#kSYNT2W~!d-)$OL&bF+Q1 zUeei8(pI6YX(#iLtd{$6yVk1B&}#aREzGy=KvB6v_cU zhyy#Q$Pihrr2N2kI(&6(%T#vKGhI6~R3e}+#8|e3`N>hD9blc2(c%+fhY&3zoRp(N zDjtoI7CQ7e-yaj|ASpR{0%uA?&K2lUx-|hHb8JDCe7}-Q*%z>oe`ndm(I26;L$$v^8^Pdbu zOaAn_0%_mk3yT{4$jR39=V$t2T2SjwglL`xbAij3hdp-$P4_Xt9JwlNzFN)f~29m1P*4Krl{plfFnWUddQ&62G) zg9%UgWI%xhUS*pemd=cZBABBY8LwJmoFz2{&KrqNAyY0HV8@4mVYTISyGRF$STaEm z^BqI176dMUqNax05jaT&3ARdRvLQaiKoe~z@CieW1*KO@he96#q9huHZZgHBCe<#8 zmCW+648j6dD&^6*2~WpgB&1078ail0z<($dLQs;RK9Bx~{0IJnECu`r z192RJC=5dWb^f#ekr&-ED4Zc|vC}@M9DC{eU)^EBzH5C0TOm6Cje9Grz4-(r*U>lU zUv_J_=c{vT$8NCusrN9idylPu_3InH`{>}OQ5IbJo}KTQx67f=y;q#gjt;%(_-$sZ zmww|0Wo~%j6%X7f-F5c*+um^4PR@mU<1at(;Jkw$nScAs=Uw{sYd>h-{G$c)UU>8? 
zCm(VB*5wU$tX=xbT324R%X7D%bdi7JKP$4|wE&{hobTTyDFAw?8=X#=CdS8@&39<}$&9^nuvIy*9q<(5LrZxayx@ zeD?5lsyF`RoR#N1^P2;Y-TzNVo?3Y4tj#X?Lv!8M_Ah=#d6K^Ugk-t6m_ zyYp#CyZMoy%zEpMuYG0r4Zru`jhC!($tF83m-=Z_Ub%Td=R^0nU!1wlc28ZpL1zB9 z3cIa;?1?9*mV1)k@tXTjI_t!5#D94cIP=U0(`W2<&q45>0`|KzUjOC^v)-Av?O%R= zrn$?($34xykh^%+W5@pC#a$QV&PuJ?dc%G4p-qlD_pOU&zl&1+_-9r3xb4p|cX;vY z2bVw7X7;E=`juxCetPGY&n~=TlXLfdZ-X^YJMD9>|Bw9te_H=D)Boo`W&aBQsf8YW@RD)ptXi8&k_C);>F3@mN}iGjcKZ^W<8atY zDpEiueXRlrc%Fv9B4;bj28mQCYlx>JwQT3w8p?Q_*vjyD2xKQaNGhKq3baoXy_2p%}r7nvEfuGFKQ>DQ9UjC9+Zzd^{_=1i;3YdTW3f@P&) zs%2+dC9qZ;M}-bq;(>Cn=obnjvp5zRmCX&ku3w3&g=#5i!(a}}n4ZS9B&tKCnqIn- zf#5KNtJ!R#n#`k@tyJOxgAe zWf(=Xd}+`FsYFpN!95okCtC@#Y>(J9&5kB?u{K=}d0bo){SUK9^AS}4&c&LcAXjFR zj$dZ}vpCz$fAb${ar*xVLNCKAo?F+-fEI9(-h`O;h)gh+$cI{3Ax8N=E#@lSQLVxw zwNxrfbm}dZnV%u*{*K|T$ax}Jrl^J>fShkRJA-l;3!WN#!Qmvb7EU3agWU= zM!Mcnr3}_kq>!L^cUYkFFg&3dB;WH0EeR-<1U~B4kPP_W`X5=$fS<*G@c-8TOm7N4 zh5w}6iy8xcR;{;BEA<9^R;{;ATW|@39?8|HScpQSSBYa5Nq0t&Arj3=$y3;DRf38@ zsY>vWmq>=adZvSUe${hX0m5uNCqqN9OfW4o-;PQ)Z&yp@kS^vBGADPJ4o19pPpl?`m+G@rQKNO+3hvV-x z=zpO>7)~vf{AZ^A&lh5!6f-bPv7f`O`f@~zItWj(su{x*X}q9+WM%+E?IWB-X?pkcg4nc|EzPyqpw<5 zz59a$9#0kz>5vcI{PrCu>{kiCzWE1tZ~E>V!gAEQSG^mH=N|N((~iECUHNPK&YSnp zFHZZ}F>@Z@%-QCyi(j~UlDO`?HMZH~#hs4ZVVV0+e-}%>zr8wl8|Xrn-(^#1?`5q0 zH+o1oXVW^e%8~CJC~w#LIZ|5iZKpCn`Q5WG+i{&$^cOd_Tg$Av;R#o+y~kFMp9LJx zo;5eM-tp+Y(RyDw`Oz0PKIeic(PZ{o>s8;m>W1g6xfd+Qd~g31HkeaA{eC_7 z>I>H#wb%1+p8CzZ&UtDse$yIr9zJl5`1RdiAZ9NK|JmT?)i>IE_AdM1chzvuTa<@> z(SGIaKL`)ym_IsV?ZkE~~8@A`fB`X6D{4Y&C1`~5W@-uu3F4%zqv;hoZ~ z`)7Z6<(yY8J8yyi@`2Ws`y9B+_IG{tt?LgRuCm76&o6(P{C(?$;J6idnS4H-unc{G?YKW^6ZegWBAlQo2JjHtyk4vdG3{G|JYySyBmIRWy#8& z&0cpUa`>#bjC&7xq4&;@ce(qFKg@Esc9-8+KW(z7SK8{{?e8S!{AteGdmXyX!uir9 zy63oW{&ww^Hj4iIjoUXk@W+KKFZtDpNdDB7HbsA!7am{fh7;6zug%+cvP&YJIr7wN zzusMMowwI71+QNCIoJP3{{KI${~I|0#U=_|Kx=;`;PZr-whG7nlEZ7l;2i91&7zshjpRW$bZe0N7)*#KZNv zY$PT^Gbk6Q@5okMr`mxCFhhuZr$tijlAZAp#r0i83~;d`1*%z#jG)oRfsv7~qx?9G 
z8(gm5WV^{0H)=5|*3Z@xf@=mg8jTbc7l};MDqCo*(nSz0@=-EBV1`8x2PSSZHVL%V*2Eu?!sWQkj$0LaNtie_)v$5WZfeM9W+uBVspX?4PX%DmFl?d z*VEHz7HhXWq`2rS+os$T`{Ovw6Rsnb2g!U=_GDWd)GLm`Mv%g*5!g?4hyh?plUi$F zM3p3Ik6Khm6j`vZ(`*_N8r7Pj3rUr4hrJ=)rFw2a#>B8=o21Z6@jF6##*sFphW$!R;BY-^v{k*&*)@kLfYbTQ3L4icWs}HAEa)tN z#U&BWxedrp8d9lC>SGKW5*<)7y|Cu6I62Q6z_wH@>a;i-i*hqYI=x;mRijd+Vw-Ljx|AD5ecM5rV*+kAwXA8m zK#(5}`r~TCh`c7q)A`5}ns}LBk{n`kQ4Voj{5u!hlyI>7mx zmqS>y!WadX>j_bW0j*3`qUwukcM)74B~mh;o*+)%tu<7KOgnH1_1d)pnl{AxFex)8 zmkWBb%4eXi-j=h?29Rf>ny2-2sNL`Sd47oZQ_ZGXNf0e_7{T4VXLWlcj&HXIJ(xk{ zF-Ntd`b3@3gJdqzOc($jjaml12+t>4C4s4ORiz24;=r?&HX&0u(iSU?poUvUiIaq( zB1+8yRIcGsttDHTvJRLHuhZ?C57%xF`CR2BB}jS_3eg^835 z2O?P+_D01jk;&24bRh$ML1_1U$*Q!6AM1Z8kr{p#|M5TOKZ`KWr}7_W^4YcCJ`M8# zEHpwBUP33jyxcJcy>^-d#jx9|k@Zv~=LP}8(VQkmx{9?rDiM*x?f~f%1*=k(dA_0n z_2~^uSuLrfj#0y7n-5)WTrVVr0yiL&dJWA9vSg2AuEcRzP2!+rHmT+7wakPsOdJD& z0Kp#Tiz!s~8|{&gW!#KE8W~#3DddK7goi4@`nZ$N=)I;~>REZOHo}^|H7Onc}WX>w{Y^%~q5S3A{ z&`kqS7HJL@Z(@wp>VTCf$oD|ISE@TjgXTx&q2|cx5_)3>V?Xs|>aq{h(R&xT9~^Vu8Q(bm zsCl<-U6^v71j@5Xdgy>yEKvSnRUZTH)S#l*E@LqGYE41 z=hl4AUuE~(@BQ^I`ya3u0sQG4gF9%wx#1NjUrCW9+BH(E9^ZKCeEBKm*k@MsfAh;D zp83uJfO+iA$6bEKaz9m9yRmc5p@&~}(gF05w>$BFv@8);B z^~9IoT6y2ZbFchm?Q>6D&tJ`Y@HH8o9^-Ek#C;9#OwdB{{R0i{`u$nAMg|W zXZp$+|NlkUKMQ>0MFnXF|FbyJ5Q@B^X@8dfhgm8E-|0Vi5d#q!1s1g~HVyV_VygRb zuvh#H{)0@904*`vqM~V;urQ&gAH+ii!(a3_^lyL5L{iodTNN-$Pw3o7M^)Bn$It*# z6~oL&K!|7P9#b}>-XgM6bDg%R@?nPl>vJ4KJ7NtHTPmCdr@x~tLl+l)5RjsMF%4o) zovjS3rBx$6vZs)j2C?oxn>&OsyY3jY0#?_|K}L+e2V|X_0IfP){3MTJ)dp~ zf6ZXE(=b6}=$B&(&D829XAg;f$e3)a>O*_@D%X?6ko80W4yPAQp;LY|olqJrf0TUuYhas6X*9DaIr)!ih;;Z- z8e+P{K%i2=v%INt)smPNix!$1kHl)R$9j6bAOuM%J8bu%hD!Tb47D0z3#&?fa-xg4tp`Ph*Kz4+TO$K#31T5u|R>V29(1Aj?ImSlgA`%ZZxESMV7sMNxny!>-wLvgG z+rkYVs=>Mgbd5YYW}E`fIN6j}5TJxdb<@>?ph`lS>0(^k;6<_8QRHTVtA+|HW;z9Yn{00yC`JsMcd9RKGG&TFHteErIqYwaC4W6MyGkN6kn}&*T+9$|2f1_?hg7 zSt|32i@Vi)%zlu?akD+iaU#@EhDj_3WP78)%V*o9IZ!Z2ZH%R&R`bhHVwjiXY^~jf zs6wUIgL7;tnbDGAXE5%xT}DKRG*~634t_9bt7bdlST#D})3L-^J*`iq$DmP+YHcD* 
z6Ajz-NU_$fm(>(xjN59R8fROTCTAvnQUdg1lEZAH&-Mk#R>%FmfDdazu?LlD%C5>~ zPUK2h-yoVQDXW#Nm6jYorDZsyI!re^10EondN1lC2vN^@jNeH+JzMsD97>6hVSCb` z)a)fwVX};iWuaYZ#%ZFcP1v#3WyqLqCnP{o)77C{bNYTJ3uo=1nOZa~?-j1|VFV)%*>O+bvN zJS`$76*~__IMRVm)hT%1h9s+j7G76)J)ySZ+E2+gCI(;dH z6&XTrIM56Sn&Ch*9O!?$Ey|uRjrt#aM*s7L*eCTrS8ln5@SoTJ;L|App&)^Nj{0u| z_z(IYbScpP;3$aVC=9~Tzpno|Mt$O;51+`|=dShm-rd>X-)z_7nwK8?i_?#Dj@)#O zW#`w9*{ie9UhnjO^(1xSyC=TGE^}-2`=1-<9-cb>nM2-O?f3^4?7nBPJ+$@U$FIKl z&Gc=1#L=$J@Zqg{TSw2Ic*(8trhjnny>i!wx4!Mp1>3x`#X)yGG(PWrw);eef9=kR zKKMhX_vbCO-d>HX-pE~c=vlwJ`}||mTkUxEX7{{$&F|-Szq0bZljok;==?vO^V{%< z7c4!zYTh0sI`8Z)zB)v80ipL%-FDq=DoG%qpuyk6LeU( zL}cjr)8y|EPs`Wu_|gs+{QA_vVf2G@FL+@0oy_^)-EFhS^M^E-TX5%3J4Zgb;HBlZ z_MW-)si%Ip&F!m|R@-2sg~gj6cz(S#cV74|w%xq7z-=Emb?$<-IP2_tSE5dF4u0w! zv+$>%Ui|e37F_3C{ew5Zd&xn{<<;LhTdsfgc^E!xrSD&T>YHcnvR!_B#f5X1dvBHR zZqU5$unR8Ezqatvn||@ZDfi5uRo;E0)YY4k@9&=IAA7-Xwm_(25V+-_!{!gi`$&}z)86mZ+i0R!JJ3L^*`tO|H%LUr}aPZC;R`* z)c^cK>|fFUjPx+XzjXQ^Sk$I>v|45&Y2rU^$o)6=@u~IS)Gwd@ryLiw@^ma{q`)k0 z{kI9dIQpLlbBW#<2@rTB@-?K5*eh^*GnSY zwrx6Dfoe4k&gwi8;g}QgcvSbG2A~P(AU%l5a3;+ls??IhvD3?!1-8qHjs{b74K{hX z2q}8j?r6RtDk5efI?~pMjN~SYf(0(hzxBf+FtRvE>V&XTbMYeNNFAE9GK~p=3#qy# zHHcDjLJo30sG02w-H?{399MQmbr(U(d8z~TfIgXv<9O6>LY`)lBQi;GL6NTK)jTpN z+I3dut!A=AP9n`SJ31`25elpIv=&ygl0qgS0y%fs$J!FqkBS&+m8`7TixNW-Zd5Um zU|G{7TBcEH6H3j%E#K`GGeTx;<>6#wTq6ix10*&NX9z}0RdZt_Bbg&csCab8YIV70 zNXLyb$2YSonsY`>l5Es0h9ji3r8Fk_kz9`ZHV{N$UM-DUjgXZ)6-g$B8Yjd{)N~@T z$i3=?(0WG!qpT*j4{>Fe7r~aEL6ROr|z-=fEkcw=mwvex~ z6S_#EmSI4U+p$y|OORy5GDwW*9y=V23lpR+1l_pREgA}+E7!TPkmOPTpNveSSEac` zuL~(**k~fAGG<*hlWTPbUSHv0Gc;N-J!xW5BZZAQ7)iud8x0czHu5OIr>e4u6xG;e zqGV&#@XUHX@S}FFqmfxb$VMtFsUvPYRvBU-OtO66=>%Sc1a&kJqg)F>*|Fd^FiUUg z6{+qHO0?dcWV20hP!T=Sq^gx*5M>hG42Fchikcpo64Qm`z#b+i!mv01ta?8M`eR8& zo2?EB=Ax3FX`7x}BoMyS=u(ltNKfc;l_Wly&_fwiQW3>;q4|H60IC0Wp)Wi8(~4*a=+#?sBZ;J2HMrG8 zLYgnpazGk|wh!n0yn+h}Xj0Om3PN?_%D@uv-YD{V2o6?)L{n;{0es9-!IGJQhw#&Ab*drU}m+f8ja2CP=ms=*S=xjadX zh-Q{9QHhCC?y^=(VK6gWzza^bEsv}iD`rqXMgF%TE&R5s)MqF(-(D(leUE 
zFvn0;u;2^~n*{S3j5vwR7%>s3QV_F_G(_mSP1TAD8X06Ej<^h81M(oI+hm^})gY=3 zb=ske<9fl7#H3s7Ht51=`c@n$-4W%YRgKg^5F=^cttBM4GIR=M8PMwW={r_1sN}*0 zJ4f|qYP`*u&y4xZn9q#)%$Uzi{8J=Tcyh7ypPBPNUrT)6e;z$^z1i7`sCd53zvFtKIqO}@}{M{Ex^ae^Om{y4<{WK0au=I z%KdvEcgDr*y{yk#-gPHnX}~V@5_n4&?5K#)4fYcyWer$ z5!<>eAj@s`#L~yDv;(HycUyAKl}A2y@LwDGAFh2X2=8{(ZnIuoF1J_b>a|~O-?-Wt z`%N~ScU%9X!WkRfy4o7Ip0dLGKfCLfn{LTwN>A^4$i`QE-#d)o<~aB1BaT1wqvK9m z5kL6E@!@+Pa^iTs?#&nM{@}Y?pN`6#t@o#&9&RFt*Xb2 zKiWNYPnZKKoBS+oCe;#qes zf3N%sxy(;LII^>cv-7=2efZo;`FEfD=)|4>@aL7TTD_+xs*`wsr} zhaXL-!cXdB}+6sTY*?-Mh!2AF2`Tra4|AT)1{11-K!u@>_42HpDz4#bpD>=g8R=G)_?mp`VU&Rb%2oKnT@3dfcY<6V-fu)&y`z>t52Gt;-nNwMknxe{ogUQrmV$Pvp*ghDak{L9D-wD zwpt-dJWjXU5-0d%zEA^(Sg)Gq>J8b5u%Q*WN{Z4Zc$-kAu8#?v!Ff1{wZNV)*?6oX zMFew2w&YLt5GSp+N;<#!jH- zu&9W5E~!=8nUa)78vrK|P%kYPno&`4rA(%i$v__DV<^_^Odr^|WMMiCYP!_|Lo%uq zC%lGnY&%;SmfL(Y3HE@tLB$=)ZZ$@os$p0{-c17#b}J#MwIEP{Op7eq{qzK(u#oJ4W3`=`H0>TCSNQtKH9}tx z;E-yi{Mbr*brZ`Bb=>Zhs}us2qY6R;{jja7T93ojOqHuS9Nldc!+I=@1_DbOU}a<= z#k8$Dc_fI!30sQzl-w_Lkv`vP2CM}FtqxYu*h;zv775gE52#4hTSSrYMaE1jE?yEm zQ~vl$N|a{Kgh0B7r^_I`q&F=$>p*DHpHT zM=7e;notCYaA`z}8ZGLG=QH1P*>N?N;9P^jDX^U8_yJmi9bU5u3hkPyvB`E5mHc$B_ERJ%N4Zf3ZGxcV z#s)}dU0t+_P?BqMRWFpL^L)$BqOPe7q$Jy>MpznR5@@a87FnR&$d$5U*2-%#6DHKk zsLtwEy_;wNS6gQs8^#t{@wEr9>P|KdNNF97%T`wx!c1Udb} z7oq>p{yQ=sUicdCT=B^jh1)hiQD6U>y{}q*@9(@x?|iO&-C@7pO?~K%3{lweijS|LDV?vWJx)eBgup6USVB`#p!W_d0N`tClfe zx#Dlfes|xCe)X#diw``r#%lLB*WSLCTmR|ITI;^QC%MA%7u@D=x#bmSp1UJx<%-w8 zQeWq-Coed;f5~1KTygi{*%Q%^9)5e7*~)ropei$8dq%};G__tJ{5is@?}+-{!@Z(S7sS(#XRRpY@s-WbnI zuKUNz-OTN$uQcn-n^$;fmm`1nqnB2Bp%%Wi_0n^XByYL+(CuEn!3^&@s&e9<*K7U5 zKl&52%k`K1mpJx_bFRET2`OmKp%I0@gKHtN!3D_hjc55PzBQ>>TpR3RXV=ye%M5r{efgF>n z^kiu?3fiI!QR*lPL{+iDRw!U5hv}&fHj#0r#VF|XkC1mHLT+FP%ZXK=6d({tYZ2ZP zouaF$!@iG!#W+7~3`R(Usn$dTQ@9{EGUL)9#u*0`bIjQ3vxRXv?l>LWwr$(CZD+-H*3G_WpR>Qb|6tA&sM zFUG8QjHL>rub`Eq%?X;Ak{ibtD^5wNBbeLEm()j|km^#DfaS80h;6S49cpFoVl5)b zB_g0&c?;i5($(K3BOyU5->_J|tJgr|zFNgAL|rP@M;fz=TGFgHCMSX(L#5cRe$L0( 
z)nJCk6&W5x6BbeR%}pNlh)2!RD*pi~8<=-#wS_OKGh(ynFh*OtX+cEfKauPSQKSa( zr!IBSlRHkh>8HBI-vD+>BP&Wc%5KFdq#cPCRiA$MO0+)<8+BqBDqRKE8kojLT&9sA zB6iDd$RZ+A#1ZwjjYLUeNzn)Ia#ct#sl@vW=-kV4abnFVh;bqrry1pNBUvp+YC|@t{bArtOOWMS&*o)t<)?@yR?iT z*42^6>mpqr7aONitNG<)sKtY69=f=x+$>>2ZHCL|}btA7& zxrWgev2;!5+9$RDZ3p}ypGIc(FY~`mh3bIkjHC4WxBRNJD$C?pKSj+-QL#YG=clz+ zSy?#rkLSU9jSfU!M%@mS*ACsI6ykibR(lb7cn0oZws7(5Z@QPFmY)LQkt6BOcVImy z{tO(1LiJZcBWLNrP${_c8NWD|@UNQ=_+X5-e=EBV^Ufx$<- zi=sr?Rxjy{a{KMM$O>Ds;DCE9T{LpDaM?M3%RdEZ{%>`Wg@F%CXU zid>X@ORq`}Tc+u#_&kvOTt{W$!{GF-tXM>(AWmj))aXor<+GLd4_jY|}2~-CPehvB74)yv%p^YezNg55RKj+Z8`uwp2oWT+@Zr9IjeP!cM zuiuAXZbekT?x9S*T_Vm!5$a6x`yRP(T-{9AFx3ri_3%DWejJ1dv`r~uP715F+b&JX z@teHD`=Sx#PkY*CEhKv%0NS(#oL;JXm8I$07N{%eMK8>E?)Xk?nnKDZeD4}Cj|sYm za*pYF%s-c+_SDXGUKgI&#d~*lo+aA7M{i56INzKfow^0Sc}+8(FM#)q4gDWL=QW;` zb|EMR>8hq;fs-J%_Zk&?mz2M6ib$M?UFhAu1H%IDhu$+h8tE+`VF{{;uO><6H3HW` zIaOWT5gVUauQduh%D||`5yBl!r|MPXX?y?=;&Ke%LGF_`VzPkO z@yO`#`K9VtALW@Wf~WmP*Y_7L#Pnt0^s%{Of34H`oD6Jwlg6!yTfMnUdG0#A>G?9+ z+R5(R(DrRNE!dV%GPUCbhORwa+sR#L?tXsrZg$#HcWl=N_PVb4eav&q9b^#s&xxFu zC*FJ9_g`we%=JAR9i9~%%n{czqI=|gebzz<_>M3B^NxG%h8}?zkf6;`eaYl`zG9#K zzKPzmwYSoNcYlk&hQG6h@K-jq1&FhmbNo-`y8cZ~JM_E;tI~Ni1cGw=B2A<4J}Zu$oQ)52cRx2>-d>&6{xzeH*cD4->KatB4LP-*pm1 zClHto#2k3DXZZp)4XWSf7||C8@3gI;*h(@5$ z6Q_UdOw=El5~RhN4Vi|dxLAxF{a3E?HGku%HD)f1KIePsj*~ai(YKtF3hcX7;h}R) zC;?^zN&mF1^`U9vJL9SpRji$kj>dOMWs+nGmuay(bCv0edUM#z0sht~-~9Yj zQGRn+I!{U0fwBbCR(?%kYt~=1s>J5{u38Hoc_ahVpyN-=Q631R?7o1w057m0V-UOp z18BBQv(k@fG{AzD(Wa}gGR|x$LK+ALMMm-)#p))V)0(}OgQSfDkj0Vj8W!{iq0i3m zAO5&tg*9z8b|{b&W}6c0H38VTu<9moM4Dk*?5cH!ezACqk60;D2LD85t;^&2*H1&s(hE+Dap1UgfA5@5!z2jVmq2{d z{0OrKtwf|@k0uf;x=@%lMHM7gARo$~=u%a$M#Al}1gXFQ+DO*B@-Z$_Cw9W7O>pggIDCvhp!@BAcL_ExxJ@d$$OJld?>G9WWGu0CSwZB(bk zOwdT3gcS`2U)?ZF#-47~ef+vj#X-L&Tou4B79@lc{y-ONnQC0lVRwX_ordJSB@I}D z>!A9&7k%8>#l!JCj0Ace3*7vtUfZhuH3TSwar`0Aq%fzoChkPzS3;pgwego>M?@t- zZU{Ad{JDawnQG1wyQ$TVp-)YSw~>q(%e9n_4IA7F-L;2dOK-=(c-M-&TD<|@p=};$5%%PMha@9jHWg@tLBnz134yZ7mk`#?I 
z%O375&`$8dNwAwz&jdNC|JiW|(}HLcN=$JwX0R(Zf+}(-Ipl${c8C#INsGV-d?h^Y ze6=ymrr@8I{W~L20Ea-WN$L_bn!j81B1uRaM71|cf*q^h8)9O)P+cPve+==)5RRvo zCb>&Bh)KW)xw0~bxCyDUQN-s`q}c&zg6qXCF@aJd3zWR^sxlQTTMyI*%MIImtTE=G zmaL>+9D&h~_zehZgZ&iNVybK`>19 z-EycP4GBMLm(c&v@Ixny=5KYTJ?VI^-LsM;!FhleRwD^~6lEl$dgkmjMy?StNP^I} zmvPa&`$uO&dz#u5i2?i0($bk7uy%3T>+DL5hmWS_=rDWC#~zl8&w@%MhRf_quaBj z{Hh3lEsLfHiiEYy-Bvt*IYc*j9efGs+~)FoMs?YHoiFzMefNDyP`a$?H)J4F+de%i z67ve^Ih?sC*m79&j`=v-OW{Psd8dQjaUXr=K;!VSq@`2bdEELsfA;bCG*-8{k#M(0o$%*|=BN@>ya@zut1#$7awa+`ifppWXt5BHnTIP}Qb<*G;>Ae$iax`SQ2& zwtUHPu(yy7@%hx=NA&R7TQdFKTT^Ff1=9v?#neIMVzY99aPRX27Y~gKcbiNhE?Ro8+i@EMuHtqw<`gg7G`s}`=eI0nx zx`!z6@#-0(N2j~_@n>4&g^fUe7zjI zvAf^)au9d{VldyYKmH_byCL38^FJ;pRiAG*J}B9X+UImGd|CH6J+L2ZKdY;+VsN>i zBwbu*{h8+zFX^{_lh$h)BhQcDqt`$2VtPNj(58QTP43VE4kx@%f4%exR;FM%ri9H4VSPt8=vy>;)e zN}vknuu(BRoV2P0DP*ajQ9{rev0oL>h9S!h&ij7XbMfBqXyIVEmZ zZ(n&=ob6bd8bVC{ftb$)7kmre4>G)V!Q7Nio!#Vq6Ue;H`gx@VQFrd+QNU>Q80gmJ zJ&GRXmWqsfKsPoy}xo-IN33e5Ure_FEUXS6JmI5 zyt9)k3k8RqlFY)^>9O;gv?a+&bYMuDViOZ;DpqsLrBdLc=|$&W*(&8K{Q>2l7^DvV zu@Ke?LQBS!@&8N#!qk#!|B&+v$UtHX0HxC$mv%pJNzFAPN8UvI4QM8yh z@^7^I!xwBy=B_AtX>(-4h(z1gY{dK${u-|SgfVVFK{%zznks46Tr6j9Vp^*-m!-Au z;HOwp`~z2S1-=~4)ecgk;@V%#?9GULSd`eS`a=y;xI?@JSC@q?d<|L!%36po1Y9n` z5t0OJzCa2w4AKXtE=1UV(Y}nV6jQ9JGDn!%1lEsKz~E6OYB{)WqBl@m9`g;S2w*Xx ztg3b=761_!pAZ zqltK_WLGw&pO{>1Y~e~gl0^BjSf3lEnjX;qB5>^KnSaFD1^1`=L57%b6K%%s-KCov#jKF)xhKZ3! 
z!zI;SB`?+4O8-JP=j2<0(JGeTwQXgN6xoJebOnFe$}UHzGKE4uqoI7fB*`pP7>9+S zZi+%p0M}ujjW5d(R>V1M7y6ZUeJ@iM9FQ$p^v)D}fkOvD{EBmyJZV=#8CW-Lko)_w zBOw&OiSu$0Lv zc*rsG#*hgCdkCYpohKfK$}pIVhrBv8KF)HvNej=<%t=n-fGj!ci!aLap3el}hdH3f z5(0uHO{6+F*}H#0oK%2NwU7I!0lP}bu(S4rbt0+y8r7EUvTFN8+3=t`j3Hh+zPf@` z;33AsQl+I@2`!*hp7Qf|^jhJM-(EU&jbVLMzp+*-C-i0+S~bf;-TsKx*P*Sm{Pf5f z(rg!anBd)(b>${j3NoP~{iikpJ{eA`$W#=oN~d6gLvw~rY=L8EC9=1MWOtY^1v*uF zm5V{zx|~v{#A)Mj*qcpZMHWW|W>>9hFwQH^p*2i&eV0U5@MhOB^s~*1L@pLEx<{KJ zVY$FNu~P9bt{DQ+wy>*K6TV L*d3QWlOXPHfyLKSk1rk5?Sc-+_H&Zh;#;J$;G7 z>2F>XYZk^&Q~)cpFwcW$;&pvk@@$9U*7dAt zzJtncRsH^SRnzIY!erArtkef6!P{BCO7*r|vzi_&+3x6X=h1)a?dr(P7rgiBI#CqzZS|*e`4P)C?~t7=p3thtXWTQdZg@s zOX)K^uiKG%iq6yNnJ~!R*J+wLg44ACaCakyi2V)Usj>a2;9XomAmi)O2eZ<7Ol-wo zilB8T-7}NlI_aTYI-_G}MS@?V+2`-{fE%6fkm7C#$A^2)FW)!LN3_q39)pfao~U-0 zceYzQ-;IK|8J(ZrIKF=_-yrpTW^G?n2v;u>QD@pb&sy?$>^Y4}_?Bgic<_7r|GaNW zPqY*2HeZ2gk6&l6Vmm)^D|kI!W~qzlZM_Z~KljAwJ`EUi2s}?MpsZx~40X}eKux}|9 zfHUh5Blz_j`~XY2HX!un3eO+ec#anU=IW^7U2L` zl~}dWOGrum|C~irh-&kX9;`rQBqsf+O|n`ON@SL1uv?E3k>t^wjuhpJK;14(^CfF+ z%v)Pis$S8dAPbrGrGkUy%*cz*p1q6V(=4ntKyg)PooQiaiow-mB-iC|*tV{;_+~75 zjLJ(|E_$(R{W7LdMGNws13WBwb!|^Ua+IN>97l9XtXCv7NTsqdv{3!$(!E2?8671` z-rDFnuQ1^yLAisZ#ORwVe5zw%KK>!x{WXubKJAJ>o>e*&Uqll6CA&B7)ojaF#Lr2` zwlJK_FY{;#RSD`?JWPoKDBQLShDtlZr#t2TbY`Mr^+YKvX1?^Ap>_Y{^>^_{i6=de zD@bm%F^&f`lBGc|{!7+k1sY~{j~17qE%z}>5JidAgv6A|nU89=PH=k+JiX@OP7vg|pd0od+tgDk%dFOiA>$)r6^OJg z={SirCB-w8oa*H*NybPs`*B3s*)xx|v@=yn-UV8^1^R$Bo=$Q$8qPxV1r8g;A)s1u zWt5c@Pbr!7Y=lf`^2XqD_oCa>4Z@J2%8&3)nGF9~v1^J7KB5Q-jiZ;LVm_60B_Nl| z4}$oV3aWA|#UgB68z!oG_S1uKb`h4-IP>Yz4Z6veM8B6|IURQK7IC>pm`RqUTzhcz zD#)h2k7kd*{m9i4M`=zRA<9K1Um!M%$uNtQhDWB@?bH*#2kyPu*KXs;tujb{0~jx{ zzgmDq-*6Mn(z9d2uLgxr-+8Yb|DUo6av(m6HC$ShxCY*>H0I0)a7!Q)t~Ep!P1%Ct z&{Hsi&D-aQht5B(I9x`bIzV*g+=$3kF&KX^Gfe;nbag8RTgMg(X0eC~`cQpFqzwpU zs2>reL?5Bicxc9-PpwG%5Iu}JL-`zumVby6$ky;jiB}zyg+>}xQ9-GOkqlduYxl-3 z4@x2_jD%!}LIQ#cRq-F!lWaH}S2ATw}HyAD`m!s)spF2 zMvEY3ONm7q#EQjuCPFcx6L+NJwHmRjwwEX5NDovcI14h|x`)lTQANE~ 
zs0u#=rSa3~e+*y3*>g9TQO+2nqkO0(`anMX=QOAlpDu0>`z zVs%cVKMdBB3JfLtcVi1tM@}Ud89=9Fe^Q*2uwS;6yn3o)+ABXxlV*+9Se!Ms@YBX~ z%}@{*wG0H}`KTNg9k-TI8E8A~ZkB2O-|Gee|Kls*GXjY8y|^MF!R_74gY>O_yTFiYp9kU-eA?di9`G*%RX~rnuYIw1 z<2wRMyfFVKV$bcH43_85(+k-Y4eMoTH+9!f=NhLhPuJBiEsEPQ9P6Hr$)D$$9uG_n z3)i1MH3QXKfG6jt4)YIpu01p34*8Y63tD@vCE_f^aB1&r{{?1kd=FnbyxaPy>?#J} z`)s@(ryWMmR$1?r;&E?(_?htb&P&YaqFeg-z>NLg<<}|Gu!nZm=dQTYaW7W|&}D2J z!5P>&js3apbbznpRdUenxxlcqin{u~v?av3Z2x)q&8Fg;qs&Ul>5*MGX_;IA#L#YE z3N(b6+x>O%EaTYTe)xC~9+BT9`~>X9JiXpVuSjHEdQ>)?Uu0Z;u6f@t3;8^AT>5;r zfA`I!0oU%D#^WNrpgc<@}NyL#)acU!ia213H0P7fEdx-9_j_>L9K5K37oxa=1{N^?zPUsc=za~C6;x=)X`F*#q ze%qz#>zQ8NzHG?<8ky>PkBo?EAJHbQnV-S`*wd4ioJcA(w=3B8dYjKmM!MQ@OXzTF zxZ*c9E%ls@!?nL3Ah+Xxnc`FXi>SGGlre1Hn9?2K?zNM&<~h&c+qqRmo9#s!p?lL> z2V5F$o6&hm_PqAU$X0B7P! zq71S1eYLLHd>!7Y4zlNTzEr!69zoE5Y=0077Qjk0^1^E4YHaItG6ozuqL5x+ChAKR(Q{{nr!^Z3)G)Wv?nm{NqBik1MIjtc< zXr;yi7g>T@2pYMO3mVt`tJUYiWkQ1e40=B{*`L=?fjTcjS+PWLjw%DAvf3mtYz~U< zk6DpEEt&ZJ3T5Y@qk{e}iiGZ;Q#~dE6_0v}g{YqkgpY?BRB0+5OEQ9Okvc{{9R{S1 zc)c|$(v#w7%|LtIym`xxDhiN=rF!DtwmNG98M480*d#CajU^ zWs5{ruaSGPCj)+u?Y|gu4@B`5UzxXiA&hC5M3W2GTX8hiX{oF`Zlp6BfS6hF?nK;x zn3h?l+fWu6<@5cdX^L;O_!?;6AFZ^=l8Ou?)1M~GqT$FCDe%gwI}#~DhNplLxPhVH z8ed{8=c+DQOebM?bas*W4L9pDE{h$&+PPd6q_Ik0!c3z@8qtcR;wYv*wb2YSj!k6< z*Z6%`YavtvZJ>xoI~KWah5egCf5G~Z|5ApTJgBmtYXo!8hYy#%FPn%R*)DcI%0J3L zL{U*Ho3qkV&TiEo4R1z}r~;%=+lpxmhxlm3(TdDCvjy7V`Pw#nP0b4Qx;dz+k|s0NP_g+*ND(*tiv_TUDX}ve8v@c~rA+l&tr#oq%0$mplbY+tDr-%)f zf#@&^dcAmo8FQ#8+d`-)X9iZGBTW)ytZQ0H`j}2doDu{jzG6XMwA`JHz_538;H-k< zzEQJ5>=`|a?ie*T2mF&4NoFdevit)b5r9RwRQX~lB4^3>pw*G$gBd6&aG!Hliq~d& zs{a`h?r70nG)4H#%rXClSIDDj&%GokC6~7{E?ctMjRZJItm>QX*@z@lm8mrI7XlFs zCemB1YV;RM;^(~U#0z!W`hg!S35!ik+{f=_nE0D*X?hY7%Q$H3Qd|` z0!ZlP@IVMEk3uD6G*)vZ&~o~Xxz!GTU8tC~ZQ%uW5#qetxbO7cx=wVq-PY_>PI|kG z&c53|Jm^j}ER-x?y*|XV5d{LEl5UwPxGp60@oIse2G)M=uQ|UGndCl9Y-w>OvLIBG?WMtx|Do!(jS zX(;Nm*XxJ0z}uSRz(CYab*iS%0_0)NO46a(x$gew-tgv(s})|OKJBJ^R~CDR_ZIn4 ziZ5`TcIURt#kJeLDutnSqxIu)f_@v&Pfnn3e75xbdYRnP`9RThf5y<|S}oXhKOs-$ 
zTRT^mQd5(ivU+waAERO3gpRNd;IuoMK+uTksnp|j4SFZoIv(TO=FIE*dS|e6TmmV} zy4E^gWozcUnsZO_`Ix?sl1^#!-S~Tsdb$N!Qv;m%+Uxp1H?lpNKtUptV&Du1n*NZl z7z$6R?*^bJP0^iMH)9?9Z+q=Gd|F@=^9lI+okE^uc|3DN&#vzK-gqCr(@@As#iT?} z3kqQ=8K2HSUJ~;X4pcf$m0Tv@7+ z33t8YYS_qd2!Gfj%FX$!^eH20(>lYxf=1jYB5Rnn?6drejy{uHA0BBZX4A=_Z!XK5 ziP0jZzbp>0QUhyW8|0jpcNE63?UPN$ULh`wK(4AxSqbVM=h2C)M$SDHWKvON}OM#wx%bNYT=Zfa~CmYxyJCFf$-4h(Uhx#s^b0#^S*7 zEXN-Ii(#TN`5DDNZ&6g3FY_XZAIDS~s;QUjN{*XQC^B66G)%$j zEbSd;9kUk4aghkdR1IhJ+eAv1O3{{8^jF&C@h*;zJ(Y-}{SB!FD-w=kPxY*zoOp0~ zRaB%(cuKHEUEhP1Sm0nTv;tXbJPv2-uz0X$-33SurlOlj^T8`aefn6dv&-TL{0bE{ z9E(5c8hiR>>50;>qGV%Bzg?Oo)-38&5m?%m!M9ZkF-3){l`(!uWUekH7z-@?zoiq2 zxnhD7tg!V#*x`cCxi)o(pjDuPH-%bL8O^FP6?&=z^#*N;0ZJlJ#T%Byi64Rt3*pKG z^M6d{MN77=k2FD*Uc)o|q<{B-OhnmnfV|mG2BM0#C#@7J87qF2u=bot+k7a8Kl0H_ zud=*{0&{>~XZ-s{=K`=CTOR|y7{x&OZF4|(awR1)a_GL=gcMhpqaf7-e6t??7+IBQ z;YixgI3v~?rSgO#DOaQrHi5H1h|a>^U+IWd$ojnvwm*muq-Gq2ivX;~IF+2(<7XP| zJL=M|?CDf8btb!b>d&}PTuPbY>C)=sDovR=zw@+gVSoGOCy4kvg_MO6p~>O~{zhm4 zSS{bQ8DU>Uw&K`Z6!SoB3`un}S1)B`Uj3W?k%;z701wpECNq5eOiO&4OF~^Nl6w)k zv6McxmWp=Z-*N;B7%R1;x4?O%A%6ngkRZy;+mhDm=@S`|K9Nz^1VR-kUs=AHStikl znSU8~SY+~1ln%om6$v4yC>+Hy$ErTg5V$TYReH<_FK(W=fApdVtjSo#i#II5uyMLK z)9=N1=0n`*be-f4(dJ0B9R8zY{|~GZE<&oWMX3QMU9BvV9a2)KGxachQ&~%d!UTR{ zVf?H-ZY`*Id<7YOUN_JrwJV6nKnMtwVqlWTTv5cBX z*h{4T(`>37^ZnoYUaw$Fj!{}^jKL zwNAtjxT`1Jn*xsWDfXMO6Rn0kvMf00I0{&PjJm)`B?ICO*=z`Cf>9iPxJP4j%TTlyK%5@1RnJ9>_PUO`K8+wbx-`h zc!=+Y>7uONjS=&@`L?#37pMJnsVAV85s59K+9B_maeGX-D9F&``XiM9=xPhGU08#jgA7sR=M=a~0XyGA$;4@wmD+ zkc80fmGo#g@^f^$hVK3X7ql+yEy7m(+!Zkmf5%*}Z3h3S0x`-Q_SLxhl>YOhl2Tdz zbKl{5tSd2UHYH~3p(opY^2K1~I7~jEc{+x9&HI3OPS8AGyy_`W2u#7Z_pm8BC-8j> zx;&U}lHS?}zH~jyDKKzb5xOUJ+>2iUy$pLAeAvvbZ=-fL@9)v+yPVk0oKMDMcsO$2 zyG8`QJ4HS1t-i?Gfo_vED?A=E^54vRe&}Rg*NHYKDf6kf-Lox%@g}uLzYqeAqfy7> zw})f<9uh)=EVpF^ZQn4t62~(axBV8p`YGl2&Zdx;jtGA4=YfW&wbLZGZQua=jOt12 z$<{&|udap>;<-2`c#IB&`1RLbE+%`I&HKFGjPJweXLM@Ic=_3$Ud44(*Wbmca}DVo z?}b(0!q?vD+t?VXl|&2P9=~Vc&OMOB>x=S{3n(e{e*;lxQUWWl@oeY&=K>CCWpXJA 
z3*_X+au}<=FANvJh4-gdd9!x4s+fsp1P50i!_N_&)bA(h*wVaYjovGx7ENRsARgg1 zG&E2{S&0{Dzk}Swv0+{MW!wzdKftw$0QIIzV(glDg#ho`esNwsqbR#J%?sxwb_1bY zBXO;i0zSQIbv}MB-G@Iqa3>1gNeOBluB#Woq0$nyqTE)qwb6OBp`9n&%kbb!q zXNJG#@*p1ti`A|hGxBHR&zPCfBK8O823+;mp?ZMnNeK4JRCk6-hM=_-jHY zb}!MzbYSHRGY-Z*La$9gS#oiZI2FUXo=Y_iuVtORA9`Ap_BH*?cM+t8pEK!6CG0cy zQ`9y&bvnSC*f%3Bh09D&kJDCaI45>bmnlKULzF}wOKsPw|5*kN#dHZp;y!ln0A>gm zNg?Pt_d$spZ9SQ5ror`Z1grem4O)O5sR3d_v(ZX(xOP=c1oYBCj!h;)NEIiSjAR*> zG~A+%oM;+>J4y~*FhCK-j{5~1Hx)t;?=*Xt#(SDjiO-b85xr*WFg>+*wduQwDM$#) zikjZ=_m6_--F$TdlhJ5?d}CF!MSIypt&*hQw>lZU+{^-&oQATd@DAKe&UbRZ6oyEG z*xGDHiy??sI5ON*=fFU(MRge(dqpsDV^BSMOdG8f3G8w4aGyG&i-b{2x440l1oggWf+F1J6nFB%Vig6|I)Dp_HW@aBPd21T+ zqESets!$abA~&>^jztH`k2RX9`~=CRIusZ^_@lxEIdohhz6fl07D$)LywipHU~>HK zxnXNf&_Q%Jnb3nsbImYh1@!$;`DZVmx0t8-x6$+9PQV`p3?-yIW~q8J5ST0HO6)!bGVv#hI2!4q zU{$7HlSo+d)J1c-3FxA^!%D(xH)o{}0w=zaj_hyD-_3l-0;(Cs7;C<%&_f`=YR=7` z<=}hHW!zSaU<_}iK}zz3GEqO9RXkp#J8}@*q+F?O%hPB)IUExr=R!p_bmamE9wBD5 zU*-})M?v(Il$2joFh%S_5^zWX$pWczRfREz3nEz;)|`-Kf4(p*(^`MM6m<>q%$-2REYo=f=fMd>3JU!--SJr>AzZ@CE|Bx>I zhN84}=pxZ5H0)U(WxuW4h4*7+vf1rMW@Y8mE*@$P!tHXXqGlSXvn4gGN>v|*8ZJfk z0WWa^7_gT4fgWm)S?E}jiKG5@evxwJm2zz&#+33Q7(#vZKYP`5AVXS;2JBaorN3~3 zxk{2QRnUBMZCoq$ILg#u^9n&<|D(FoEC;;*9rryv->R!a_xYa!&hP8pdqS_XlpP&2 zrkfn#z_zy^kDM;-KrsuHP)(kWM;Mq|i%3ePk#usEnI;CgL!8Y-z3D`rS8V=ZIx*&3% z`88nQl1A|7&#kal^pC9XMv~*1emri`tT9Vf%h; zPH7K3A4|r){Q80q$+|NGwC-gUm=d0D`L1^NXx+3pHg4ueY$s`$)tJ`kxSg!wc6y~a zOqu%bNAp?ZQhd}4@Hf!2HESEadsfqR664iX^Iu^$*Cl)MyX>zeZ1BKVOMaXYJzSvPUiD$r`c$DxeRaO#qHw+~0eP1e_bhTfJMdUd39y~wOd(=Npvk-c@ zPIG^AkxVVlYGrRo3EYi$Sgr?h^dGuMp4Pq2$GUP1aqZnDI}gp~=rOY#qgy}R<>|R` z-wz}Ut{Uufnk77%tEzyDkl*EGTPKSNgX`oKHl2^Au%C7-EK;<1^+g*zR$~b{Yj0Cs z$(#o_Ydkw&$qT%OdoBAmz#@nx{QQpS&6~9VV^Pmi*P!~oa!>r5mx18sH+J0X+xv?M zZGFcLWb4as17RDmdS4SwzcssA?m-&vbydx>Dd_Gw06RmLlW<*;eVpCCe7L)X$<*TE z-Xn?tazV@RjegGBQ$^%{UqIy7HcFXx%LM8V0eu^QxjURdNKkWtuTSi)_eaPe8}{q% ztGph=^qFt4B^R)RAGntZrw>XR=m?E0h ztOOajjYZo8keoAZV-DNL08c7^t)73ZLMws+KZoWoPL$}N79rz9hzM3Kh~yVS;fqGh 
zgHf;)RpcU9x&lAHQJ4oL8H3qFpxc64O3C>jinUy;z;8sw4Pj&y zMTX)i6^b-j6|=uR@fgD{h_V(OIkRiG&a$SGfq#TT)1eYL`TcnAi|j$ zoBHE%_@~nN7>j?*1ww||P_W2Wp`u`|1X~QQz$pGsA;)j-OHYat@gINa3mh+B<6mR1 zjKh)X8D^|#T)qNDuU@^ODo=oTO|_2f#p)B)qrNjvtv#@+50F<;esYNm@~CRov3{Z* z()t}Cu_0(WMg#MsGL(8}bQ`IY)< zZkL?V^FFhg2~@^X;Kzg3s!0L~E)e;7Hb=KW!ZcJdSYAdu1cQBx3NghYmDR2{E;U@5 z_{ShHj0?HUFHVJIJSm+hh<6hl3X!yGw5fcm@=RJan`}dHq%q6Jwq339l57cAC{@Pn zH8Qg~M65%oLFWfKM5C_r2M!LXPg8J(CE2%Udh}4M=TwO2PvIdHhvcs`G<6`_G-Xn$ z!;=691wTF)8XFqf9@EHuM0ObHr?R^)v?ym%E~G|ui<0371_vu2P^u@2-?%Armf=_AH)g&(VM_ zOx3pD3MzZ5fZq$X+>6VXlZy(G2$|n0*Gm!cqPlMlER)iC-}ndtuKONBi%xd{855yc z4}Nl_Z^DGd^dtb#NAs?BZg1+7l7AhO3hE)-`QOwkf zUEpGjw&N-fG8(ANk`0R!eF#}#38M7Q6Rm5R+Y^jN@rgfJUqBCr4v8%1GdU#K0fzJG zp&wN6G0g6igp67pMWLw5h3VX+v7*cY@O%XtRPb138elHDDVVSj>nBKs#idHJi!5p> zHy8EmgG*-Ri_Rgun&o?{DM(JP{njFjNG;N~{2)Bg+39&X*l%h7Z@lgZd^dY~yw3DI z5b`Fy1p|Mxy!#4_{&?1SvHBAeB=^4V+uXY?PI%P4CqVg?``znVh9(wEto1Clr0I3wU%W3H zst~eVZml+^_%9kq*e3-Z`*jBs!kVtuKK!Dht9S0sx?<3peQrP=mY3wc0(6Z}CiFEv zx|Q|10B7b0=hd1Ip;hwk#z9A}UOCxKU#j?j7KYe;yq6Bs2)$~r{ySFC-QzP*`Fs+hk++Xn&m?ay<cFE_4uVOb zN5uptcBa?M-F&qAuZJS{%X0k-rxBmkdBpbT9;dBu1grC7TS|8KaMMhW=LG>Re#0wu zR|W#mCc?DE_wGSpt9H|I>kaw&$~n~iTDb$y*D|~d;KrlhecoihX5Q_%%l4y|#ryX1 zgyEaiNO<(VlHEATMSEaQ`JHJ-cDY8M**bU)A>_910MpZY{&}~5`KdG_7|Z$rhK;qF>ed7&kE-!rQ*zkJ;1Gw>z-!@QiVdl*9WsLOP4`s@-XVT-x>w zv*WHo@2`28dp6KF0tj?_J<)$h{F?f*pN#|pi4OG18xOePE&cm_Wi5!|Fi`{S&w;~} zDbSY>nDOSTmerbKFzu`*#PX{78~T(E>n$&c++CoHCe9dX6lD%RLb5wlut)H|(>Zy* zKo(b(-H%qoe+3VLDBbPl^>XgP2omLJ4f_8SlJh)d+E@WoaY2mNW@SBH$%a(& zZZ;$eZRgy)|7?j+3(Zh`0QV!h^amBIedT_-F2WPAo(~f^0V@Px8c5i%O$Fm%^)b+H+ zMY>eDQzn!$p&}#UZ|)8A%S}Equ@+*?@!gllY_{n+McN4_!x1+!9XJ_8yP;=395FGu zFe~LL$k1q7T)NZ`tB%7AcaqIZQ^RZJfYn!}o_JH-rs}}^a*&fpvS8OnoLI&}|5Zy@ zNC&=bI4@&fdNHoh1dHZ1npde1i`A|=MJYv?a4c#^#x8m|R9W#o>s}w){p0i8Lz8QnAJ-eOXD=0(L1$>RKU5Q?QIBwbIcm~>zfenwcA`5a3#5g&~13zVr(cCBjb_kwq3hACHJ)8apA~%O&^FNnY&^fm(9RbMS zpSM_2?C1IaP@D1vO8@|>I2tg=UFJkx;L)WIpUs$xpwO%jVA 
z@s5$Un$Q!!9IbxVm^7LViGJ#-+{2VkOeC7M1~}A(O0sJWVz=nkdcZ}t#l;d@h!!H| zia@gt$_VJomJJE1-D+_u37RTksAx`|5=>h5`4OzfSC!k6BH#qpkQ3WzjQL-}F_``X zN5$Uat~osr(?9UA;aEX>EltN*2-hoAQmF&q5Mf^$bF@j#7hzL%)3Lv}am?4eGPA*; z64Oh+DEzRiQ+lK#Q5^hf$2Pd9Se#hzgqM(Onp|&C=LadY=~O4zFA2?;0QW&f`nU;o z%EX^l7A$su&ItSN5cHbNIDrmqwokPzg$Tpvcp2L{9WHuvI;D{Oh_dTe94D<84g;9a zM>3DN#-BdqpkzsyOKCW@KeYD>$RSjkrqNiWfofze0O2V@b_g~XXu^1?d#Q_}>I@76 zW(SzcR0r04>R0UMHMk|MNJm!!yD=JB*#M~!!(m>H+4bqhzZL+E9#q3Ty{mhGwO%s5 zW-f^(Bw4|7QM2FDq4aDoLJD~iFvNL+=D*4D6AO@~Ru1s;HLx|Jw@}o6IKB*0-=`8j zSvGM&SyicF8iEQHrOuZM5IEDuU2x;^E!%QfVH5<;5}LPF$6XHBU6`l;RJaGzGTqR@ zR{||NM8{QKcd7qd#!7i17(i1+iElHi+Cg7>!sa!9sVOVGVw7qyKG5n9)+Qr1^e)6P z6rd@c!8jn|SQ!&<71i9yerOq9P^29V8JCcLW#-69>8xZ`${tlmI}8yI{-VSQf7Ke{ zSLU{r`_NFJ_-JR&IPdz~>cUFA``U**}ug@A6OL zUf)XKzrNSpFUa6Hv`A7cP+#C%PDD?uYtgB++k$DW?HexXkjwu^)Hnaf6>v{CZfrMd zY#SRJjcwaWV>L-*+qP{djcwaD_uc3H>X-8e+|S*eJ7?z1Ap6Pd+_YvK*k1prba`TU zUViTM834JZ?AM_JC^>?XZ(265Cm>R|Z};z?S76ug=OX|Dmp7QEr;nIw@bX@*?puam z_D|f;3Cp0g_qU5r^()VNg|sL@+n9#gyV&w3c7WQ!G~Z>=wm{3fw4dHdw3=I0g&LPz zorL?JYu~2!sd0A#@ArOe0&AV$Pjb8*%RYvW$1VJB4a*!}mvgN2yDgM2Ug7Zco-?Z* zdhX(HvG^Q%cjM$Sq{#-!zO@&Ge!attelI6rv^5RK2dMShdShR zgsS_Bj-dp)@5CqtdrAAgne+)a>qF={U>Td+sc7EMW6y8Fp3gLB zwMD;!xcP?Uyt~EuRI6s44?*YVkLC{Sba%su$T5$qt+SBN&UnrQlARQ#-`yQ!$T-1k z#-Vz*3#&Qo^XGPDm)-TVhr}At=)M>K`fK%_b{Wg}o5zqmUE7>-hvzvUkq=e-^~)zE zQo&Ew+wh)tx!CP)-<+e>cRtv+$?Nkal+%E)`{GEB<30KwSn&e17XZS1Q62;RS#N=% zINJqZFotndeZJ$+hacKN)?}O~0P>L?>2}>03{;`t5^%D}&-)Ru8pmch0@Vd3jc$5% z<_Cws&iM$Cjyz&fNhX3Otrnis#X0#&H-7N;Xa?_IQWm3&9OS~zu#SRTjOIBvaYN0( zZ4t8w7C&=tw>dLHMJYZi{SPs-aubTGPWRtEea<;)k(ys@)*pg4d>-8@&1>4mYq>$G znmi7Su1ul`nC+!90wN3%qLoss6LJBDG4URqX4tAcL)SNY79MVi?Ivuw{z z#DRMom&S4$C9^$Fx@28mS0qDC98>x9$ly&q8lr|U90)v0E z-XxoA%+K`MT-*C{O5R2x!8W^MO~U4Xr7<(@nWgjmD-Z`E+B=Gw&Y{wxuS~@u;zgH~ z&@|TS!-tj0-*#gO8)KVgV&)Z_mpR#r3DC+&tj-G@s2~(+@=V@FOH~bMbVm~#ST=CP z$|z9V^JUq^avI~v;zHO;pqJspAyLghkem>f%~^hAfP&-StSUIJfe;meLRy4dF@4g= z!uSXX<{lJa_z?MP%7R4j)xaw7m9tKfsSHer`p3>uV)b_J& 
z{pD0%@(xiUWW-H%xfsH?M?Mcl!$1-=L3P+DvQ;ec$N{S*$8ON{mP1gBHlqghYH9W)s=(U_-Nb%Zq(J)2Klw>jHfPF&mwp~hh z;hzGRW88H~AUhnsSbhZjNxbc;`YL&M{ZvTHyY#3ArU@8qmjWG+p7@A&axmf9;S2U! z^~mDCCr8R;g=hYe&{LuL{pq&Z=6_XzmU3L}@f{^GHO*57j!24f(i^|#UD(B}L2oT*~2 zk_b}V?q!=YG&GA7*}9oXQgX4uC5Fg^Jn7 zpgRaCcwYc4{HFpJa?9=i=<|7eVT$E(z;=|Dscg_}T{DqTVr$xM-pq)G?YH1NH*vJ; z6S<#EOW!;M*EMc-*>c`2@p<5W4!z9yRr?<4^vrQ>^E$h~RvCKL=6L$7_A>f&4UN(E zVWCEU#eM|eSATaMrU&?7+(0{C6rX@VmJIYB)D(evVsmw@5AZ z7{EL%6*p}j5w*S()UWQ;12)^<<|Doii?fz}{6MEMEm1SN?%mWEnKPgB^_vQI{1$p2 z=I~W74Gq;=Zl^&pI{qI+WqvExWsJ$j&jI>v=&u&na{97G$t!QS4NKPUOWalFoplFB zp}`rpKJc#P4rYzx5nh(GSANM&YlqY1;>ewefZK@_qOJGV{cRqng6C$PtBD~_pzGTT zKWFm;KmPjl#~Qp$PwfG_%To*OWV`9R#FE~@Dq?hfP7BgzQCITYLpuyn&+2K$^0StC zo9*fJl;>ymLyh<$#PVBN?VGAmr|WWC;oFvL$EDWCT`J5|R5HL|#D|dAj=*!*+&8P; z--_%(Nu5U0f<<`^K5zDgxTD&pU_fn@7*|n$=j`eJPcaBy#j1o_QD<&Hr}kS z0q_5EIJUu7-7*lLL)EnQ!`P?W?_b8c&l$Uhr;xMnD{Pm5{|(1iz~nc|ub|06Ad!(b z5peV#BL9UxBjLUdc#uYyoTFU7zf^mD1prn8*JI}VcECyVJc?0|DGx!L{_E@*`FTY% zSvlwIC6kR{(#m-D&v2dNtWQ+D$Y}C&kQZV}13=x20P}tI_EOuSQL=^R!jvn&4l)(>;3DVp?!>Ua`K4q_6r5eI6iJo4d1OQIA_e6mR0GU>(Ygf6L_I0TvA5hKHBd8Fp9`jWDgy-u0ZZmz zsj_htyI31=QP9D$~sReNZF?b?FvA>ML9^4L z(@ExcInfw;=z6MPJK4;NiaSuB6@6=)nXtr3W~#7Rlf+AmL;3Sm%fa|XIt5!t`b8vM z`3qxgGR?M^r~x=J>2&W7Ow0JP*IfO_F8){k*3}@5BobIfhMW2-wPe|sQ#FNNcsQIS&zF@Ha!BGKl5{!>XRDG;(GiN`dQ8F+*ZMUJ zSFV8Rl)Fo(uH6iwAO_@1G;YZeQWC@6f_N2`J9NlWCOcSa^Ny-Wosu!nXqW+Mb@X4s zeJA4e=>$dw?cB0?A?44x)ygEFhFulWq=>jhMoai$wMRv$BdmjjC%xo_L;Z66_7_%0Oo(?FvP(%r4tc~m^<61$nK+&9lks;2o9x*uAstA_Ww0%QzBCO!Hc(^xQC?jjp1D=GR%Pb-S4gEk-YoX_RHA& z63{LqbAJH3+g#*GS~eG@wZphklA5(?6TeUPx^WY$Fi7;H zj^(2cht|CrEhoesP|>WAE2q)Ffi@}nMl4yQJ^w48cCP5h<-ahq`f?`vJejzoXWvgAOe_;1N+x`E*t{=YlQ_r?vF_DP!?{MOo1@{}Gm!4N-Hli2gz@3=~Bb48SQ@}LD zZI_>&K&d1jY=PZ_ZMwVB4u$GDO&7JxSeb3DtA8yiTIcmS0(Y05-{5*k{G`Z4-q-E$N3%O#?`&tT9lpAhV0uRy2e@h$txc@UN%>+ z_1w2AjZx-2V2Yx>AMaOtFBZgJ(W^RQ(%HL>Heq`H_%)F~y|tO+QBM1QWRpK@f0SB3 z>+ZjPQ8aMU@jpgn=(?Meg;!(C>#`f1*4&J)VP8J1 
zQD=p^ZwE^K5VN_H{+j2_X;-RmG0onxcrJ)(KW~GIfoYw#_ZVEW+T4GZ#Yl(%GjqwuBqD*Ncv>nqT$Rx9D0OX35;}qKSZax}!0{ z%QYSy&qUf!OP$Ws;5SmWAHK&xldza6pW{q-rO>U;O}%x%(pIOt`^OW$%_@-_b7d&P%uZq9%79qs^o1@eDez)!`bQn_lO4eL8@n!)ZGszBwUOrRSp(iLZnA zR=7Ffj^G%me(TrG3p9Ttn)+|FWxf*!+}eVE!umk!lle|L#sUw1ct3ZbBQOo<01yDi z4aaK--6ufvbP+k916JE^iL?!&IA)8r)2kk7<#WJ!>Q=(yF{s-Wv8YkFp@}Hb|k_;yVW5Ir|l+MIy#!s^Hn^I&QMLAcd zqj>w2+Mz&GQ@2V!3^cTIC^kRHBpeNOQb~O%i3vSN_n%|>kd7(QS^Du5Cd#rO&Yg%| z9;O#to{~wTQ`0f~TSLK}ZqwX&6h<>YMpKdVSD9n^*|(~{)Pqrhi3CHzo+@(^Y-Iz? ztdpViLr)`}P%vTbf1Q&Q+s??Ne9frVHm7puj2nV!&Qt%>c;%m?q&qZnHr3G<|fPl(~He)qm*EJHUu zr~y>xn(o_i2}I5T29>I9N0@u|e*TZB9>a_MMH)z)Pzzrhpzuv(glhqdEkM{|c5G${ zFCp@K>2)ETV?r#M-A+K=tfDkOnd%g=nWfR#kRRw^BbuCGZI-T4_^TTo>{RA>>KKk+Dr|meujle3 z$Is^Hv+WY8*u>v)dGWdL)w1P^OLnla5f+4kuIoC#u2M!RiY<)*WfT|D8V}4Nv_n3*kZF`kgs*}&nK!CwSa z0fxtT1$sOqt4RTUDW0enggALg# zFsNDfU3v*qPf&FU$(0Y9K(T0dlZhBKjHa_Lu!`{i-vA;bd?$^4o%1t$0)nhUa=_IL zZHv*@UcbK>2)kU;zA0}+2Ov1*1Hma=K5?LeU&7nhm-8NFPhIZ4!tb-X9Cjl4kE;UR zly2u77#{bopy6FxiJBIU_VdZ-hb@(-m;22UqWgcWIYf=~{FLrXdA@#gu8am7`W|<# zwoOIIzNU`}ybTIlCZ{ogo>@gVZo8lc-^Z&r8Ak6VrDsBv+b1g-Lh!3LprOplxzB+u z_mD}V5NMLa*ZMgD5`|9We{ zLex|3Hp~KH=|NByQFo%g;Oa+-x}I#b{d$Vd+3Grjr*B+eg1sP&z}Z1w@YU8=Sr4Jh z)38Fp^Z?ZBANoHw_E2e`_X(8CoSimRDb*WKWg<(ho)y|iyf?RRTZ}br1Jp4Dt&3tr zdpS#2>ldneJQf|MRmN9c7IAMLGWwnecagqt!eVu2&A*z~;rOj>I&-}Y_|{pf5T8$O4^-`f1xxG3E6d@d%h5jZ5UbZew+HE8%W zT`{}zHho40zPw8F3S{e^02=!omW(&R$L)KTa;7_8)RC_`*P0~SM(i?Sv3uIO`xH2} zFUv}jJ3k9L+_aus?<|R~+)D3{MW!~6_gkhtD{m1TH^BTfPd0Sj{)@i?h@Sj1PJypM zk=OfxCo&R901q(jKo@FEVNC<1V|RA|Wxqh`c6yG9ghvYk)zRS1nLT9}@9mn@&gpc?_pq_POB&5Txs&+i+J7$&J0W6EhEym70*%>AKNKlRWY{X!+ zn;pQgFToj7twKRlC6+Cam(eZsdvhe52aYx~OBK2Xm425i(mE;twK4xu>L`(cGb*(i zk|ICjFSeHA7s!D8$yGj;0W>LR#!pd9x{Rzh4CV+Gj!;b1sz#QxXQAbsCtetxk6xL2 zC~mV|+2dn#k)Y=)Efeo90KN;j=LT{al9AWbBC^s+FdbmCQ@^nUU zFbX!2lwJDS+Ou3M0&e(EL4f$L+k#|5A(G<6nRw2rTBhO(sDvwwGswv2aaT&{Iw6U8 z8c$kLmb{@BCgqGs@Cj85aKQ*GOgdFKUlQhvWCQh5cNv_%-zpkJqGn|yPxl%>sW~NV 
zeOJsi(utOMgn8}a%Kj=9aKMnMW>qbLmtQ2VAwD~*Pn=uKNDxrtC9Ba7YrU zE8-K|h{bS!NB%RViJ`D=#4RlkbL@J8q!P@+`j-@BD8oEYy;$02+6BiQ7&j7zrpWY; zmdETWu-#Zo0jC;9r9RH$mQ)!vUrRyDog4oo+3?3ln087eSh9N4eKg zs4CH@=3>}MLSxxoO;#)q?yguJ6_=qq>57{I^HmsuLH{o1pj8M3tNua49~Er4l#e~kcJX;BNn4!Z0JHmz5wH$ARL&ofy) zlx;!PI;u@=xw~pTpom9F$VJd%nXut8OSgyy`zu_xr2dm~$ni9MoApGV0`SzUlr1r= z)cnH~JlZne>1QyLiHeoXe9R9VaZS4}%Yw(=GqBZ4z3SU=V_~+zKUm8bc!YX1Ycx5b ztFQwUY>0iAA?o?xUFUuruAC}q%+#xup*4wOo`Wf>qEs@;-$84~G+3fBo{AKWbUc=( z@7_B?6|^f#2I8`3_vPc#rT_1EQ$+esIs?K|rT?(gK@dC5yn7qi0kP9xf5;3mpu(=5 zzL0qUZ^+O=WMKv~e3?M!3GN=Rp3dXPP(af{TnnM&qLu1NvGM@Hm^%OaVBRs~=g43s zM3=4l#U?y`?Zya<{VQ|lnU}Rfw!p=cg8Q&tI}~rAu3H>F6V0o&!|Wn@O1H1bZnfHe z|C8%@H#8K!t%t8)MHDozm!C&Lr~cUrslI@1#5pZYICk~dhv#+8^BZ`IfSbnN51;Kg zmqA;7Jxy*{S~@KLf-&_-{Q@V>B6Zy?U`!5u!^3UH8qvkaFV7lXz{XkGG*O##$pjS9 z=f#suGjOLhigSC?%d4dc*t!+(`q-W#?{j-aJGJrrBB!TqUU$#*Q4>n!c@KdMV7B(& z*MFkk_FGe93_H$gU+IfE8R4r3+ApmFFP8gZp+PM##Y1Im?5d-7FfyW9jBk9zgy2!+Go`G)CL~ z^I@Z4*{js$F$Jc}S?Mm`$1b*c|KvPoYwrxO-ToTLx#2j0d9CZXYG&U5ob|XyvrGqm z0mk@Q`hHOf-{NzAU)00ZIJV`vTiNlPL05F;qu{Jmja z=GU;Fx8AM9wHs%e#F$Lz{jw+B1GvLpc09gvJUPkrQTzD+TVcTVqhC;O+Wmidzf0zy zCwE&8O7Clc{_*RC$F5it9djqV?+RZz*+9~dmk)_FjEB?bX{y_YXAnyr1NpzrW;`_Z zF*R?bA(Ktya#P4A;ie7~z%?<2Aycf&%<8d__DwGS5c3SSkub~Icd85}!_5aP79$|C z4*WDdqBx~G`L-APi#W7cyo@i?uGgCy+zYexRE9ywn(P?YyO@M|KsFg1#6%AYggt)T z;OgMVgXk8)w*o%eyuhU4);on95G3&!Uwn)Y#?7Br}0`puH% z;5G)SNzwD9!ErDecVaCgl`J^I&kT#Tjn@sw5gYB)hF?OCQiJQnxC1hTga9NzyFiBV zOE%I~ip6-BTzc1=Z~~Gj6AFWu++{>O`pJWJ0{TT!txF>{ut&*>0kE)HH)P9Qrp)D8 zPuh!TI?`bRK{7V$tq)3D#KG($G9K3ov}gD~n=~$M|3WH7p%R=hRI0sn(?W(6Lqh)U z`a@?JVp9(ag;1${)WeGw=Du5{;5U7SddYjopcel1g6$}l#X1Cbg_EUyYB)}bm$mfOEIxYp*^zA`Y{zD8b*yZK za2RC8$i||wT3Ev*?FkU+qV7LjOG|$-E@EaYA2nXVi`@9N12abYac#`-Z>)j1z?Tp6 z>f{XIKH#;D2UrrLR>BO1TPsBjIOV#fJjYJ~QoTZQ_92~muHKB#GlV>in;?5zKn)Wu_ams!OLe)RWvZc=kj2QkwK z9^AqqGenxzlib;&3R3>I1c%kp|V4n)nel4^YI9L zbq&M6ZD=4FFbuS-XTocS*;)VkbCfw}i>nw#n5nSXDZ%Dt2vKb?auxdj%3k<0Y9%Jf 
zircW7Jtd)lYDF!C6G@7KF>e6*P-F%PW7!%`LEbLM=Ct2kX=>mnX=YtS5?JJrdQQq- zG0-$4t62!|+XaxPA-BMz*P&MWMxwaW&lbs*`2g~BKE;6a>Um()8L6D$aW6xWk53J;qXI{ zNR??&yB5CZP+k@l$6fhS{mcZFb&8i>(W1qwZeM7=uqx(|Rh3BjMeiIv`UzFHy<`B> z3{IS#i;8lZV>a&b|BY9DcH+q1BMD#{H}E|acl#j+pAsgE8$?QBi-=K%3|@F&ke{|c zVA7C3U?5=skSU@Gb@u=>>mHTtJ?wwDakLC-0&h?DC3G7iy?#*(pa|S0DY&%(d%hcz#} zAdC+Mz2o2_@2983BRVG;VYj>G^<=_y`_6)XX4AoLgcyF6``gvU)H{L0j#owYN3P@P zTS`^yJn4>@L}q7F^EqzQ9rwDQW*61-k!!}1Z}(Tmr56D39FKhlqd%J|chxx7`4Z!F zQ7$8o#OK_XgG{JvvF_E(^)N%Q?EMrRV>fN{F!aiKm7Uf!-K4PTFl5DexzdHs_u%B~ zFyH+7z{u!b;Arp!k}bL43zPKqKg*&Rwyqf!^nC|@?FRf?cwFT_ zE*-?|qr2V0qgGk#r2ysJ$&>YFD&iwrn2%S*)3< zX;c7QNk1ITox|A8Z0*c#Y31mm)4k1jHRQa!7O(p`X7wxL{{VWoJ_ivI)x#;!S9rT= z+_nc_i%yw)=IFd;ejO))njQNXiCi}86*k;=mUgPP9l!iAfxxaWh@u_)CE&yh5SgVr z2KeU?di?Wb3J7)&I%7F!cS+Y0-rn^4I(-EI#DRTZ$xf_rWNoW$k2!lAFAB{IjB7{) zAUBCIxD`0K7GZg7WLY8`nG!#ZZe4HXG% z6vS@UDH$1cl^FAXk#vOS0FN4N-_56 z2{V|m2(~y0u3Md^9&a0aJe-LBvx#N!H86_>6%8>>c$#8V$uQL|T_}K7&^T`)F}zwa zn1=5AYd|Tf|3)T8gU25X(Saf9qSo*&c zK5sASNeo+6*a0EmKxxu>;fwJ+b73Y7Lo60PrNOIwpi^(I^|@SdAymsq(f3k$nt4t2 zzB`9N%R|~9Ro{FoYCx>D*0U@bjO8&WK zu$98(-`2UQCc$Mo=m8pksRBs^0sCxK0Mmjy)!mhxb6?q~wfy<--V zxP*03GFsL>BG=~Lo;2d$^KRAaL7%F1=ukf8qoDeV#Ev*XAbj-S?`3N7=Jk)F2`)4c z{We8|`Q}LBF36%op6dnvE4xK`YlrcoYZeY}wknG}KjbaE+kdz}>N(Cd9>iI!*+}F3 z($dK3ZE8K8;UF6Goz6_?Sfh`@&XC2Cj0z7r<|U`KFRVA~kz9yvj424z?Kg}{S2>Yt z;A7Gm#O3^q)UBd2np9E|B+@2@J;#84b!nKpUTyPclw1b--7olI8lgLT`UV46fb@dH zE}%5Ud*i2^Hch*)D}b}}mqNFA)P_yKu{PYVNki$vn>ZY|P_~PfixnL7Y^Hx6)jJ4I zs#28|-jSk0CvWMYMhg!i$gnkKu0c)+eLrG_jkZdZlsZI9<{6^fTqg-w5SB$qt1Jw) z=7-}gxq^v>r!x>}i~v_S&3u!!EO`qFl+?sS7}`#D8q-Isjj=~Aj1whTzmH$^A=k?GER-#oCPij+y`#n`G@~fvv(K!6lGkm|Lk8dFQ%{C_5YO z#lI=C7-{YHiOT;&wH+e!cCIskf}d$LCLGg%tRQHvFbn4a-neuoqcB7A-7NO>c6(NQ;VN?m^3=#n&}I z7WDF~`5^l@WaX(Nx`x%t^oQQL+8LH4`>1IQfbNNw0R5<*TxA`4*zPBZsqmIR<&a%; ztQD7?tBZ>Y9$OY2w@SkyY#}e<3CVAz*hdYb6_jAsON}wHArfLCVe>-OUtt{eqTiZB8C0<;ObCb(Rm_nM=PPM{}Tg2JX^3q=Zl=CWPMVgP80xUJ%Lr|o9^ z-$=XF2MMn)AmMce6o!q=+8fQ 
zZ$>%28)@9y#Djb9IzAKi?Ow+dD7#y~`I@h{-iewT@OviIZ-`XTy`0ZSyJLCZe}-}h z80LlhwZHelV1F64J$J7Z-ad>jXSam(ti#k?xm}O|iM*b{uDD#ukus-k1Tv0zM8 z#|6KE8m-B-CzDOJbjW3rP20+5V6%RKF0*+OXS7dHv`$bwuVL8*Pr44SVaLtTcXHAu z7y>rkd+f)aw^m4d+^^%NKf9c##Y*%H&T=Xrm|n`BBlH1xgZ5K8y1c(jOx?A2*1Q4qO3ZEr&G#uNu~?=C977 z>;sTR0Ex$ZTqF{7liqW0Vy>3&{R+YPqjUZBAY^^}_pHovcI{v{t;G(05oyf3<($Ap z*?n`6yGJ_UeWZ$?(9891;&nu~YtSv@^W@McMR(GEvti!RJdtSIZ{J#;!M1KjB!|&7 zqU73hzwD-CT;P(f`?XJkKh@jb_hY1UccEfg(N5l@5$8!nZz0&8oyrV~h zjfe{PQfKg~8iyUt_j`aOrnlrMW$m`E;aUIoZQqvy@cDAVIsLhlGSx9Sg#B-XzkaP` zgea|*)azldsB6vMCjGYs>TBI-Tg~RjJ93#Z*xlSn%*#ty==@v+CH=Wh>%*IuUB~NJ zFA-r4J-UUv%(Z*9xt+ecfN{wou(RJSXD2gq*RQjD`3*soY@)Jjtl2 zbXcCgS~nbM!Vu=lZ(q+zY4a+3^hND2q4!6P%Q&3p{)7|ZBxd+#tOY69GURpHxs^^IMB8XRl7t0Hy(<-JKS z8JTR;0qPF|{hU9MIY9rd*Lc8ipde`x>(|yIP%z&X+Gv72BK=hX-w6~|(cKJG*nK|+ z6czqUbqHWC@#8#R^os;7{B>P)t7!5t@vm2l^2fe?IatUV@v%h2g)~SNovG_Kq6!yN zkniLRH8;v`H$t$jOBWYd2@nvo*Js<9oY_+MS31E7vawhWd{S5)g(guPXcOu)x|Mk+ zj}4gw(6aC4*{A%7D1?hbqB=^|D4a8;o4ad2jhjRjJfM+g!;vudN?pn@Nc`>zv2HMu zIf+<)DV?u_A03V{97-@a$r>oyFTkHp;Y_?I?O37!q2>B(JlJ>T6dtpS{IU4-bmcPA zx>JAHyRv|il_Mz>W!jlb+5+QuWq42}@@}?P`P-@$+>N5FX}_nTijh^w&I4O>8EPJd z>6p*=arK)pp0Fx3PMk!TQxfvWM(@pWC=Homle&KFH$k?t$Kz?gf3>zF((3hZmDMu^ z(T7jO&KC9UdX5!~OjQliAf_r!3qFt-m=su_NI#FaaMs+_%=ax`bBh+y^H-g=2`yOM z;rE)P6G)$^<3O~_$X#zX!Eg^1T8_&;QL$JhqWf?N=EIVPxC=pl?dl>tPoD*blHKCW zMB`-QfqZVMC(p8Y|9qSH3Nuq0mQFkIeW@U3UK@&K_Ii&vbDy7(bb5A6hzXb!iySg$ zr-{kSnNBoIXt0Vyru0IXrmS{9B_+AaMq8;w$V-zG6%lFH+Z3yiOya6Da4dv)sb-p5 z(GjfFa%fMvS(5r4wnEP|myTB}MZ{Kz|3)xRl*#rAQzA%CqB#wtSfG9i#JM{+ui#-R z6}gxTM?e}+D10i|$^S+C5*QptRkNCSnNIma_XBk^WZQB2-RF3m0+lTyj~cAKa#$;NhWN@>vIo7<301FZF;bdQo9Q*7=_Ha!v!r)&draip^cDv>%a zv5kl=O33+sqr|yhhI3b4naf4$goj~b^xJn(?8yua5_=`efKC9`TN#Iudaw>t^j;X^ z%2zA_3})#Jb+YlG(0kcbEq}W64Ng`pnz$Oh<`t7X7b<2t=62|Ky`sfp@WVHo4wa}R z|G23)4kX0>aMaNPsTwWmMV7Qe`k_S{%Rv#PJ$xtrXgm)LT%mR?!h5um#ZV1~2#&69 z@ZW8LIXi!J$WZi`fQ^H)H*$}FkCZRcbqwy5uL7;ir^%6aux*#>_2tF)1G*kvchdDS 
zWmB4zehgLBfOuF$>h5w-ER6>QzC4?7W7LqDU7}s26Q1I|0R(-8MmeV8!b-428|ult zFXi-{=4MEQf3-G511KTC{OC4-uF$y^rD772?A(Ass0=YL;_ImIf-F*+D`9;3+SoHs0SN)v5ZEENQRaYA1l}+ zBb+UdX#$1=gt%4R-)R)sA`}H@l3F!sRK}{rt=SkBn_9K$O87N@P%7J0SfR_wPc$k^ z#fX;U=@87(<6AV7na|KzR(bjqsuvu&@Ps^A7|hEm+KV#Vqf6IOmj<1t^pq}HtC^hB z*`&BE2a=-=@c4^OExb?o&m!PV{`UZ$ffETy__r41yF4q7RAH=bU` znCZ8{wZ8o{zMa~ARd-u`o=1#%Gui%PMZUP1*~RZ{+6qk5eSQrCmLyyTT>(y}X!SpC zMkBC2c20+?6QA|>-Of7ILu43Rn|~j|G!XKiw*v%PC+h40T`*#mpB2H+fQQP06g?O9 zI^OfcDC}Ayei^u!=WV{YHnXS{#_reTVC1)`*PQ{0?2?;V0)>mmx1@o`91URJ5JQ3Q z!$<#X1=8CoEFj3Pdq0iew?3-tE3Rytwl|p(=r}UK(ROq4jIHl9uuNpa$ah%Q-%(N> zyXqT;?)x-|g?!O1=$Mi-C!u%aBv*NPi$U1+S#p>&%&2!SW*w*N-g93dBA|bOs;+bR zRivk7WO=x@emvqA4H)sXtx(_EvR@?ae<~*G@qK(v5r(oJUEKC{DhjU2$Resjr~U|C zRexH;ezD0Ih=h9D!tj@u5>uDNt0YE+jZRzoC-ZQ^6-7@GoI?U2i zurzJv2dcTB%ZVtFnH9Rh#M)#?vOXHPKj=Yyy zuFJysonF)T*jB?Cj5Lp`YV8hD(>cEnn<_$i86AfS=x+MErX%IwK2EXieffF9s0ycA zEsIq9VOqs5(dP7>g=Ud)J~r!DQ)^pBFqL6pw- zC~BF(@7Gc7hHVQ$=Yf#|L+&NWyf!Q*|M&IL*X^MA7-+hQ&d~XJ`rq)|0PNLQ2L8v# zY;XKQ`vpPcQ2gF?4urro!lJR5Vhgp-1+|3euLC7szg}ZdG1$;(2gz;HN2V%(Y)3);cf+2tO(@eljGDi!WvXy73Im^~+?LCdwObX3rk0ZU4D-xuZzpq17<)7=~ zhl%M@7kx%1;+D_bAUg&4n!KUQA?2H7OmI=tqzQAeDC5w=rm;o9DxuA%rx{>~*dVov zBaWx3p{CR;C0=#B{=xWGi1oLyWTm?bKApY)J*(Bfe>k^atxtaSz7g8_6*hUO zRwbV}krzsFYW{77oK|2bF+oFq_ny05bphJK5E2opax;-i9v8B6uYA*y-B{rbCFJqm zcSyNB3N>!Yrx@M~mbn^2bVPdE{4-_|y$nG%@j|JbhRLVWRD+#zf=7~{+X5Er_;00t zRs$9S%^vinbb%_XB4>1%FWhy=w~Qp_;nY9EKP5GxkSxPa`RsYjv~b!KneHUpv~V5s z#(3gqZxVjfQ8{G%GkC0oLt+`CK;iH*z?xVckJi=ZC`Ey40!)tu4mQ`%f_!l%iOIN|?L{7c3@rwe~Z$h?v`8 zC#AaRE)k+Ui<9cpwo(apb(J6AgIx4?Tr#9(LxPaN5k72aXMYqN4w@h|rSh!QX>%zg zerLgD;upUb1Vy~_Qa7YLtQ*f&Xq#vayi*s%P*T{fLqtk7<>D;LiXDI_h;yr6nc6hP zSzubViHbafz#$o4IyK{ZX2*f0e~j5GUpR+hRbW!=J28{9{KMG7LLMEu9y1>1avKN|BL=-fo|op@?0g)4g_VPPVxh68M)-bw6j z0gw&)M^40Wbe=?kMcP7x}NjDE>$uqPxJd9IIe4^h)7>OAe| zuUtV4Gx^_`kjpm1oiW9MYP8C(5iz^)+-nVtw3OT@(s%p`q=fJYrG^T1I4EL8iB$!Z zD#B=XzDGwPqCbiY5J-4(TqCkp_i=iBzsPqBw+`SiM}xu-~>F(1w|RX|t?*JbAj!y5y0zXPMg&mhKXyVEqk=d91ZB+$ 
z4Og#1N26cjC0)&@YSaAfD{-$$^1%6XFXsvH7T4-+riSS%ufpf+cyq9np4u^qUN8H- zlCDmluf7KKD&F5utH?PHk0M*X)qI*AuD2BLgQB}%p^Qf5l#F$=)u2|4=Nfv<8X{kc z%;rI46++G@{h>p;QQgS;k$^#8rbaKx=;mzY*o)Thi|Q!laGwtp0g>d34|Q} zVrl{(rTYRJ@6EMy!YsTZs2VR7o9s$gs zr)9{GLtZhdk5e+&nSS?k85iwS6zkdz)0^`vhl955j2z7{j5(@j`fiiw5g$h-YzqVeZM}(CfZtwT3HWwNejWo!E&2~LP~#%-^c>vs4sP3|4f)+85Z0Lx z_7FB`VAj>n3v)88r&TrDkvtzl)^4ryM_yHL7!{6KmXkZ!Q3^A13R zsV?5;Pm{;q$P}J`#HIRUT_;bk&_4tTDP)oOtRzW^U+T~&6IZBiiph#W&J;$(cqd7& zVBO9oDAGurEA31bfp-FN;Gve6O*MC~z%$$S%?x_>Hq}{Lt3am0m0L7@tyh7}i-8MC znjr@QCH!N-09Ib`PyNhrobv(6nVr6&N#j( z@EXn+AXy8Ze464kSsa8cTCY4V!G#hGOTs~;grhFulaLe?h|GP%mZrCJvVT*{?a#{KIpg->>VGv$U&*R*}P{oS45n0(_QmF@E}qW{w8hbWM8c=Hfj_Bp7X0<)xW* za~ySux8*K6(fqt6WxCKTGtxSSB;y4q=pkc^aKk@K$ycKviE|Svu$o_&)tk$Otu}== znpUGZ^wl9u>0?Q#eDE&Z#5JlaWm2?F>_3qWao>%-rA0eM&}Eh0Q^NKirZ6i)lg-OJ zM07%Fz8_7Ft%9N(ZDcRknJMayJy*%H@|e3V-X4ihK`xUj=!=r-Bf$s%e?*<*LndI? z?ZZ@)ZQC{3HQBap+n(&2tjV@*+qP}jeV?B9J?A`M)*ocG+!%I1U+0W!RaHPO#c%E-<~sK9vT^c z)Fw0P4D|YE=o(v)9FsvLU(q_QRYp8xfedQyKLwjQ<91BzZxDB8lGTq#3yuB5oQ+s% z{dYvh`WXBB+{07=i@Duo7x0(KHq7K;0C9>W%~FIMEkEy(sxaSH z51G%oGK}WMUAI=fK_Ir(x`5T|n-`Sf2v?e}5XhBsdT(crhk`tP!OUVaUJx`td$*XD zva2?h>`N+BD+Md8SidQ423N&@-P)*Z56UUXB#W>5R4HGpGk3F~!zlD8h~3C?jNa`O zF1FDy$UboZ3lj!@Xy*97QZJgK3uoS4#^4wAGYe{wIRyeH8d!9^>EU zqD2!+WJr`K0o#F}MlT!)(xLu3{wuou*)6KAef=8@9ZR6r+a8BuEjEvocIrk+XEASS zGRLPEH{358H`R!8G6YRW8`c;toBJ;%T>A@@K(RrAod@#`)C#@s$0|(w=Ue+#^qIE_ zy_Fl(o9ElS7Q(~MalM`!b0~03^ySaX*^QRgwnL8@D2f|PpLc+>Eyr5%B&&j9vU|>5U+Z%D!0mm`>gCOw+n(-iOuVDY?cVR$kuN5Td6Ei7ci*+kARq)V$jZQeF?Q>&X7vm;C-kt_H!C5 zuhDfqZW3qwm`Fz5|ImC{6VL_rKPQc$pAI3~`i{M~*m_)CbP0D9klJ@150u#Xz2sP@ zRAl$er%UUnX*oO}jBJx%%kthY7f;{;A~StF8c>(F-$J%kM{_89fS%V~VRmarGr1Po zEKN)5I_|zE=_|{exAoaO0w&-mBl13Os{SAN?)>&^fw!;ONd-42L01|5)Eg^tnn$sO z2r0V)n^0qIJziEZe2o4zA8!p~$z4Ti+5fKq%b#0M`)8H`-_(YC_63xZ&R}5#cHj|c8$TIpXo$qlhjDUh)3U2Wc#Hr|`wT4X@ z3#mjdkh&#n6wb+05 zTtF-r$6!LF5Je}*XU>1hghAjUBQE&S(rt1M1-(4_*rxagQH{Uz8>DmDvR+SxX+#$xpQ 
z#<_D8oaG-#q0`zSh)j{VQrT!|B>yP;M(jC`Nr%RLMD?&{?T`jJp<$W~1zW#P+%*b8 zHpy_4o%Db)5qoDW3*;V}3WG7+NHbk=zIZq+y0n!0s+E(;z*#9*b58QS!4e#$B5q?0 zjFy!(yS5pAulPSZ%27=88r38kG@58pt3(kxVZr=)7C9 z0Wr(c^5wiUUWa+~tjZjBddV}kuL)4pqK*vNI@G`%)9jbhjJ?TmQ#z;;T4}SlN&qUtEfp0Sp zy8-^ZNOpSD!N!+pP)Is#9F~1j6Ev`_=ZmOKLA0>n-mTchvqSk+b_{J|l?!eRU3u99 zZE&0nUp}_Vqaf(xL(uTBuJS}M>W1$qnQ@hRv!TM>NRkq?DA6tROzhAkBwg!Mnsp8< z&%bQk351BaNt;CTzj~Q*ly;h&J%su%t8HAw7qpuw)Ms6Sp7Z_86vm#e0JR83Jdo%n zOYgJ7{1TL9~roB`Q{>37Wupt<@#SW6OeBhv>jl zJ1rLKv!BCAlX(`VsQe)KC7AF~3YLITE|M3mhI0>xF=a6KUjdeb8UhbKALPHFUZHRHe|`B~)#Os$o(mS?~~xp9cG3`-ItI2 zpFZd*#=O~oHODTi&8!NSC$|)|Y<_gh@>uKM9mZH=_-k;X@>41E$$o7~j@UZIKMg`D z)Nc1TV6M9Q{T2TupCUi1^R}JNQ+QoUs=b-m?a-8(gR{+Jy;L&o2LPB~mns3kGe1`7 zyOuJcSQj5|Jl`-!wm$YSHlqYI4#u0v0+Lz0s$9>1MfDt7@)KeKm;K!Bp$9Z#&t3 zrS`0KDzCErEFmDfS(C*M?DzKrke|u=w;h@K176i$(T>=5FE=(tS55>p51x)*YHDu# z?n=-?H?I6Y#(T704ph}m?LCd=rsO(5t6u!vCbtinP6kmteLSyV{aTNb_RhS!-G-2( zY`^#`ZTs+h1(rZ*Zs=BduBOfj8VEg?g4Q3`zeZcgS?^F~@ikEUz_TsPKlN73SqTD!>6BO6Qd`MwbjVG0`f}2pMXwsg-k*BcJq| zvYlOl)km0Fn1Z@dRzi3fCN5tR1R9qvE<$18GZQrcGER~osPq_|5~vip{hxTEEmrF{6_}_fxt2}BWTLTu%*THw&4D zYj7MZD?&I+=8G6Aqts+8=81b{U=awkJVw)0c^?8j|318O@9nPtnkX{4#ZK%UQ0~)S#+$U8i3) zsDTQRB(q!ZJhonX{sDnq5=#M^jvas7jFh~n=$V3;Xd$uS>Be2S zk5vS!pyT5|b6RamXr9}TtjLXHp2mDu<;~=JQlSCvd&#V$NV#WU4@2z#bc1^4{L*d? zmv=k2t-2ctZS?vphZaQ(Rb`CZZ9pu^*&OEQK{)7Qeq`!x6j1TOc_+?at()~)QbymArNL-&LbXqo9tF{ZSkg6f8 zXgNS#c!82k%ZxKe*o!=YN!_hT06yhbY_(7}PBm_JBtrqGz&4YA)5AMHb09w>oi;THQfZMF_3{t(zI2~}HaJkgx^m`TJl6^jLX zNAsmwIZ2pX2dL18#_p5ns+tYf4Gz>M20yU zn9`vtdnvxSiosF*tIpoWvF+c^c!|F7rbeA-p+ri0qR3M? 
z9+vP}u;ExuelQp7*nKcqlULxCBaFF>LG?S186?K^o}Tl-$a0yE1wVnxgFJF>9JxAPj0eeOaihvr5l0XbB>1sujY*eaTG_ zjgBY^^HAkpOBfOLig5S5-APQMhQTKGcKTlSe+4LQJbnG<{*5ur{hyXi{lfp8(hsoi z{*Bj^Cy@*aSSa(?118D&VP5zvVI>YHEm*&pj8I_`FT%4XNP=|l80F}3%2K8UH_IGB#o^DOc{N~|Dw z-xvSTcN=mp+E{rvSitpr+VvWNpl$T)-n0FV#CX`J)r-D-`4Cpyd0(S-2ei5FK}zd) zY_q`X`<*vL0Uj&iQ`WAA@db+1H?Pag^*-kYa;w^zzSdH1vg@>u$UK(TQgb}7hkBY~ z&jF`Ru$UW(@>wn?LoWb8z{C6lsc_G2oEC60?poKc>d4P=+yQt%xbZob%h)ntpX$Zo zb;5U^A5-Uw>|_ z3Y|05w(<9DZr%NUp#3@gI02`YhbM@1+izU@V3YobIvfJS8^A>pk15og0!CQUS!DghSSE&&B+Y!<^0FZwsDED zfA?E)U-_Y;IiBN_!OdY^6u#58c7%A_0fFZD)_rW0p2yy>^0PjeN4N4+_uD&zy}g&y zOTeYArSr=`coODLNB59viCvcWtAbsGdG6(P%KB9_IEF%;JHOV=r~0I~p3mib2u7=? z(?=+##-mO(kZ~W_(*}V0$^Zzkob>q89_W_==d7cvd~e=?L=eLPFzncvM%Wn>?}Ttj zJ=Wq9-k*B@#xh8vXtccG>%P`C2`U8T~1% zG?5m4gK;-1+Lnotgsg)cd%|`tGqwpNJT%;g{qGiD}4fpqEIJVzykh+F^i< zAGb1V4;DhIz(v{SGt>Q5C^c-q5*lf^WDP@(5h5Q|4-LYov-loOY@Rj4FItZjAoGJ_ zs`Ov*;lBq1h#n8O_B-Nuyjgrc_i+`y=VdZQ5*lEq|#n!3Trz zDrk839`%dp7Q2$~Si=|jkVNbWs~>MhEMh^3ja-Bihy)}5#VL|rvnsNa^pQl!vl4{T zp_fqi5yYghELS~EoT{E)trYj9ss8IYfrn_-m>?|Kj5;Tgi`{XAc3K)UYYyva_eTz7 zn-T}SHX${H*pAzQwusb_{{<*(0xSdlY68md-w4@AQaTl2gTL1UpxyyX|1-|Fhh&vM z=^1OD5sT-ggA4S*y=fWo;0kU7<9M7XYVGxAtCAqm847E2Od#>@7jF_WtNcZq1nS}u@^LyDR84BlTW8*# zLC!if$7(+Fnpm(5a6$X#hF~}iOguZH68M&}$A+|jQhx<@g=J3Kim?=Ort{=(DooXhYA*DPg7_{!9AA{U36R*R_1NYSGA$H!OJsYTOR z5if6;gqcLSP1_m<(6TCXGD_)W9*CiZx$f)0PiT^)iJJWVJs%RC0xevaY9uWvc=(%p z&c5v`D+&Lx9RDX~U}LyPT|zYX5|9@-g~T$}0}?OT(8ij6ZY0?y z#0B%!&6cMGojZV87B*RLZ2;7$vFtpF@&} zQW^Pq(kEGNwU9?qYJ55ox^>l`r1asa+WD%8RgYbR-y$taq{1XbLvA|FZ0F)r85x$l zq$AZELku#{A%gSa|L#kZFVnJiVBgKk=JPazV35tzGP<=TI)qACL+K%&=olz$d$N8W zdMUxvda52|M`%^FXd7kcANi5=vzDsf;)f!PrZeYaLuEMr`@izu!$d>}?@Rfg#IEly zP5&vk%bje%zXyoqkQlI_z#KCj0{ji!70{;#d4K*2OOvzsDN1C)|9Mh;m_>a~ z0kGX$nzw3<@mYC1d%?Yjdx}OXK(4MgBn3P=uJJWr;O75=n?5=JbuYIF(zB=*Z>+7_?P?CF6?b@imb2~G`=<}{7 zzVm!bFjCbp`hYv>1f%KE`+qFeD8ofd=4moN(_}F)3YEm zYT{O!VSD$wJAQFV(vTCFjId9%0xw>83Z6C6?CG2gn0%|+YG9p?{xj5o%$oBf5(w1|Q{5vAeM>C5Ky|kLb0yXTUDS9oOWELL9 
zTI|uepuNU@l6QJvZjD(o3^8;SJ~LtC;1SA3(Xs}4?WKwqs#H=;?<|Ri^sG&r zD%TZC{6Mg`d}k$e7spDjQ4Kx%ZEuPbiu&9^PX5i)YQ+8r!tBDEuWfiQ=#}wedhkb7 zp|4bU??91HR%opl$)YuJT06mfed`xNpBrYnT)g4{0|m1cSZ#0PktczTYO>8ggiM#M z1+X!}D>_~kZVAkhH4JSmBSodt2yh1xEn#r=!P(lneOA#}5Dw^ML1(mE7i*Kzf$H2r zh+l?mQO#huKg!p^lH)DelJ{Kt(1eum=S*1Ze%4$3mYt{ohub2ShDXj{%gd7+7HNh$ zPdB;U*#ed@S#TVt`wlREon%@EbTAl!#z#@<`3hhw*i!ohfvu3(wP_pRDJYF6efg=s0*4%^Wq5)}|oj21{W zrO_JO#5J|UQ(6|?8ZFMSztt_7S#h<%Ns+7lxwnypL;s_;<;c8*qZOjlgjm>{byog_ zEJ5yFp_yf(7W)9EY zH9y6M#C1-gN~)(S&K1M%aioyQY`n|{2bl*sO@y9O*xjapjt3pX#Oh6vnG2-wS!2Q- zx?PC-oA%-l=vF(${Qx#LydC#)jEip9UR*n*jkCIP{}p=$K|EIlQzvN$fAbj{V@~(0 zrv?)ax@f}3pfQu0jK6^^jLa%48?z%>c~0g>^U&Zrr}%JX$%}jK)`D%d5-1ZDV$FvU zRha^9Egy6#SsX^mlW&O0Fx4jbi&%$&ws=8y@;gFr;e0>Zcrio5`0qXz!_M``&r8|lp`W#wxt|RlKX?=8bu)n@QgZ5LBmF++k4l+=wZc>GRuRs zQe)D8JGMkyhSEnC&{Gy%HHj~Y1cnm>7#A-ihAG2CQghdFv`g`ka5DkI{DE#zR%!D( zfv27zM`s3OLVx_?gc9JY+`XYIV2l*Z6pXQcN&dBp)W|pkvKaHREdM_NhC%%)+Pf+I zpOA^2;n#9t)_cVour&{Gb4!@@n;5TO=~m|z@l*Ga5KPX{!iu{L=nC}QD|UX~xODMv zL*MzjLWt{Zy};Jqc^TQ!JPG&CsT-_bfhl42tLp>pvFLiYE4=!6=br`>Cw%V9f3fqJ zNW`>_s#>IDTwcbf|cq>8b(ujCvA|1g^h^>29i2Yi}Em%;*8@wr?vt?~ax$ zJln5(Zy$`VeQRaI`gW{pZRGAKQLVM(oLajkmYqLj`;ODLTLB7tAyy5;6A!k?c=I;)=KJsJ6Ysj6F=73cAs*? 
z=yQ09ztbK<#d3q!v@ZKBdz?^H<9X6`Ki{(5dYlc5?|a@nQ4KsSThaF$G;lmENyH^@;(n!P|5hefwK4|8@Py6GrfGx2LVU*TbUq8ICXKbujmJv+nz} z%y)d%qSv_0^l{@ei7=zP!~ayhZs;H2_r~rpLAY(NcRP6rrSGBd3w)x~&b@4!FZ^<< z&2^igsL3{svCsYAW%=|IP_kI*J78i1>$||VE@uT#cDnLLq6H>cG8k8#vw~F?cqPq!BC1aQ!Cu`ek@FAU92IDS;CN^{sG$9aUtB zx>Tycxcw~c)~LOh(?Wi4QmeRsHI`sW2Nkix2XQ6vJ=}ixDLU;MhySOS;sk@E9@N-f zwpDI)r4W2#B5{A}Y#}MG!g3zjbd4vX9oYA(LigO{@mMq+Go{5JHZ;ZvH!4#Ohf{%J*U- zUK>bb-!l_zx~Kl}D6Pj(=Gr%G5e^yH&u*}3fES0XmC`pGkUY^)J|tyX!&107*(!gW zA!K+OPc{YTkPs~Pg%E~2g~pv7wFEOSo=^S>8QbcXBT56^S zm%+OMHI;e;y&mf?<;J>FvH~sK6Toh~|XPkafw2VN0`Vd#YzpXN8nkx00AO(iSV4Lk8KFZI@x}OO&M~IOklj z&kXUxkugK!CM{v@QH|#TLtP5RkQq^+WxbM193b7aJyV&c4gbAT5%bQU59yYcxn1U= z$w-Me-{@Es%6@7%AaQ^_wMQXkB15CI^px@Cqy}=JGFsa|KQ z7wZuPZX?^m&((+Tn2s_x(6{o&HsgG^IrAVHV_OkG*!Vm|f$c7_4-NswzJ@*>; z;0}1$SpbeK(i18KiD(w$3U>z4)JgV#LB}9G^%DDp8k*D)Q|Hk(6%&t0tBe}$z8Kj` zn4m~BputTEF@Y$NPgxHY{lJX=L7#m`i8n^c%6z3HR5AOq0Kq0q9)A6UF-8d=f!=)I zraoU&uqZq3!?^P2?yoJOP{;*4#dI4{ToDmPWEj(haNQPA6b0H-nV*#?NiG$M{V347 zD%PSsTW94ll}U44M08_*=$7b|ysYt2L9B+mOCSL=^f!!9w!hPOsXXB`@rg}nG@1LZoTsHRx=lj zHYpR|p=3m$Vg4((N}zfp?Aqgg?4ret(4hpdFI54=(ElvB^3LV^I1^viX4{*t$XRz& z*zj_FPI$;!eTse@U+HNWb$sC`_X%Cm7x2HUN^Sl6d{LLv>7r~D_PI;3W(2G~h4CfR zW&sw1wC!rmFE(Z022uoEKESOi@MZUB7(K?5I6yCM8rN{4ZaO3qarmfGt!Y`^n(S5k z4{EqxE8P*fAzF>U)bj@YtN~-5%_kb46TrBxk67=_c1*}=o8OmR#Iwvw;9AQ;knwbk zYl)pE+Cd=AreioMbehekf>O}lDLN?6+Xbd6y8k9?Uy3j5wfd>Nd*s(sH#UUqQ1A7I zy>lPL`QLo*2jk*g9(njrE*?Izoq@)=TRr!7ae&J|q;h;Gm%9U(;9cN|*&WZyHD7k) zF$Yk^liNNGS3V%RCH`)<%U?4$y4uFL9_PtD{sx)0Zv1DIQg+LAFFY+ikCUW$u9GSH zD$^E(4jk=ciLWy`92U~HK2HpoeFK)ci;+hQgsslOuG1Uu*ha~+h&%7G9=l(bJ1u$E z>OO!*&;5&*DnmSa8Bebm*peIGi{UN8*8M+|N+&yAm+}H`9wuRD;?=HUE1gL?Zw0|_ z-L9TjUOX*Rn3>i1*YVb!E$TyB>givh_dNC;3vM;Gt2^7Ww!H*bS#C2*D|9V;f$ocX z+%y20`^~tOEm*hN9Xr%4r?t8XdoNW$)t2$av~G^Qe%EIX!UYzN9zE>SF7n=zqGUK+j1Kgt3M0I#1T?;CG~IYr2MM)cLd z+o%Hpn6Q_2p+!8j3A<&BCazv^$GpmxOFs&FDKmu|l9*mPv}n7wiNnr%3&eKl8ERMF zRpK(VEF&=4cqfXIOp@V31qdv)B{G?#uwQ+`L4|ikzqW9f=c_N%g*zbD`+og_wUDNC 
zcFPwVhJ!T@QIg8gVw?S%l@7_C3}yA&lg84lAqeXjSauU*-c7ToEt*%AS1p>(Cx zvoYHY_3^8MOrz?^&{mx=kL)ZY4b2}oSk3Zfqyrd9OoLQc3oxZ0^kKs=G)y9&Mo9s4 zZlKT9l9)7Ae{mhK*JL+1S1zGJmMVTqp9fyfc*nohM04{6csv*xzx7#>&9AEZ94#eJozsQK?QL7Nzb zFXYK~{+O=4rkF=GnE1&Nmc#^$Ud8AM4k`7Z@S3c)HH}f7XeC}dcCC4#E)VZW5Xq`o zAx6ehEOwrc8aalx$cuvD$l48EKAueg1e9LLxm|Bzh^*!U#>(12e5IaTnWnjt*gmYC z4Dzs)(Or>&_8cu)G|F`f_fcdXjh@UHL@X|GLd5$NG1Q}unaO7LdN$PijQ6IfJ+I8{ zR;)a+)D31V0=YakCNCY0*N;RBLIFKCjL6_!wk}}Uv_a46ga?kQ#3Y{-C@=#&zSx@U zSF!=ztP^}@0{?wuJT)uNjtK#%^r1kLieJm+4dLsvpuC0i1~aV8q*0+hdB!P+Sbc>- zS+m!#oVYL^Tx-AT)vO8^m5d!oQaYgJC1JJVBLYLLKos;CV+Fku-6w2h$O{{D`)F+$ zcJC$Y6(}0yH1H4&3B*Vm`=qRrUa&Q$jf>dNJQ!$=Ky>nt#G1j{e=Pk&iQGaIF((;@ zSN0Mp4(W@hdOVOoIw)_0%#qT@z(yW@lI2D1PyL42-s&QQ#bV7e30fk4(d zo)s%|oMt*zucx^|LiE@}F`O7m7Gn*XQ%A;91g4Q0Cu1zEQg~|JO9h)`VD2>Vd8#Q0 zgBqyafo$D8kKdN-bfni2m1N5qY-ZC;of;KT(-*=D{uaZe-8f)VZQJ%^{eax7kG%5q zd5{sh!elYGwYG{z^+@W#EmQqISVy@*3xW;`Ns-p&=AgHv{13gdXrte#Vj z{by0hs#V28Vx-&Px-G^sGAc4`LRyhlR>m2aTW%74MJ~*4VY2;#$6#^i?}$J_qN6IQ z>eZ$w<1!V|5hdlhD-9kzxyOo#0b7|qF~czsD`Powmg;5p-`OVCIvwzmV!TXD3r!xm z6WUG9ny0l`!gp<PW3;vC%P^z$Gf+Z-&F5~gp`gD@8WSM8k9%TN%eBN065*zZ@00aZ3{3$L3d^oNy z01wM~Jzu*}-x*IKyHt`2uOzSXpZcF+pMbBhAPPT5umhw(UvD6n`vJYYzNJ2}z94nO z6*#fJ#)Fb4;||bl!JJ^zJ1+k1uy^6wBTnn+%QlXP-P_6GRSt7%jihG`A+`H`^I!tb zt=s>Ejc^r^-JteEy$gSv%&XebY_BO>-FGjGn%1V(*Gu_6|Cum)_`0IUxj#_bRx0N; z3a~!Xsla!cRK=g!bHD|q%P-vFR6~B3OMl$0%{jyOnwFHK?_V`wr}NPn%;F`t;>dLO?`O}%mJubAQcoV~V| z*_h<{$Kfr0IUsLt-+WLqUWZB8bf5*WYEu0yQ(oS@J^WDPbKH1R^DF&2Qrh_Jlgo7& z`ov}TW9xbnR<}9%>@f(-a9~bZq(RD+G`aMv#C*iNsoR2LAzG@tB#Bt3cU3VRf- zSW6|H*|PuATf0wW`Hrs$@zq09TXSEROSQ-Sg6TXAK~$#xY{y^byJ-yWQ*ORx&+Y(7 zR(zfZZeZNK0lhzgeqT_r#z`ms-6hYqpHS>1q;~~8z+h-}f;~-~15&TKFY(vm_x~`* z1P7%s(luuDjYRcyfYc1Jz(UW+v84(tN6tyNJp?6iDUyn}d5OX>Rjx6G0yuN7FVM0+ zlNpZs(O;*>easq`zw5I{#3UPeQjDQXCM9^yFqGaH;#uG1xK92i3t?KjQFZ9q-yLw8 zB+JN7;M`rdGXE}zA6JEO#JV@AXR5qlSZDqCGAz-?a|O*a)Q%-k=`6=Qkibo95Ao0+ zKh)_#c+PwN7p=iIA$o~$(ylZ%GHNnjEovJljrg%ol@3|hDYiDm#1*|FoDvb3thQ25 zh7mLhc1k;v`F@ 
zhzMaTf%ectqTAY-7+K(07S6TGs0>X9jG}2#F^qI&?0fkJ6MKtgOMGZ@SeArWriQP0 zEJT}wBV)BR#L)4M{`?_MZOgQjFR>K|-t=D>5dT5-_FL6}IeK1jRB% zpw|l?Ll4?Wj#w5b2p{>Br)7y*RkvjtiIm9xFdc3ob%_;??nu1fPQdvn0wrVGVFnwE z21&?KAo!DrJrLo*uy0BTxZ?lHpX-2`0;~cg1IaYCTqv(Ez7Na)E?~YQzH$IHCFpW~ z4xM@Rs8M_#w;s1RRT7$yauph|OZn6G&A2E8B}>hGV|*>PoK{vic;ng!@tLqj-rF)S76U=%_}Rmdun zaWLiSdouL}CJPZZTBcH>mgHxoIB?$uo8O}BRp#W2(syvk?8DS-8Tk#Cb-AV{`j3k-G`J;x_>|6o=vMG4wK4qYU+nqGufmjm16FF!`xjqCjK5 zuUe^Mhv;>n)0R5r%2lEf{*(VQL+MZsWtwbH=D*VHzhV&G?-vgUmbnJ{VqRGTgsWN} zDwMn3fq6u51ysxkdAB6r2VBCBghA0Gd9Nr({yZVA@Y#EIO;SEXEb`k|pFG#zvXVMJ z_U7+_@IJ@j9G{1G)`U4;_hB8guMOt@*W@?_P3jwu5n;5r)gNPXCEFbf#~g%9p4VoN z%Q37sIOI83Nd|094sNCy)Ak=~~9_`_IYG zZKvI9SF&oWU>>F$SYclPx%W`?Y{qTQr{%KjNN)e+&upj`$cveG)#I-8r6&QR0fQq< zfY&@R&~az^Ayyk$%|^h#@%hCv6Hl1qvyEJ3o|@jYiKDK^cMwGh;I@80&i`07=Fn+5 zaP0BeFCwk1f~pU(vF-MKfPB^3?$np@kJdLlpC2J~7$;p+YXLmnt+vU_K-dlFWiYXI zpKLEaN$(51Qg`?;O@+MbJ{&)NbUH(?w1+W$*(^KpsXocdP=>3!;Ap4TBU?e>!}ZO{?0R9 zyROIHu7fZHEFS=>(=Ddz&R*q$KuxZ82*=OuX!tvhYk2}MDfg)<4&jxaRxZ`HTHod6 ziyk-oeImeO7~{t2p13-n?+rlyzDA_I=PkF}CL$zLN*(`ppOLv{q`WJsWNuQm;_7Q! 
zb-)!t4`|>MXUgz#e~BpYeh_l{u|d~$Ax?-_HuL46;(1%kc)fF&*uWt0{3@I|BE7&b z-0~r9MreA}l(N2W`qr3QiO8^hyldRDaXGI~sM>|I{#YjJ0{{{Ldrlq%Mpw?iW42kb zfjv>r^q)}DrFD(9@rNP;8o)X+)Cz&Lno(n7npli2|L!_~{E7I906I=iD`eUz24#D^ zjt(#ZW5gc?os8ppcgcyH&^k3V5J6?FP!N+AiLY+IUn3u5;FgR#NP#t^mov~=hPxQq zr%zf6bz<$9D6O?SZb@RcHeQdZ6OBhnn3F zCz_3rIvJzFCt5Ki&!Zsih`3FZBsfrN#b_cG9K==<`q)Rf1gesa3|gTvnkq7{h_{yuiNEmBv*1(4Vt|w2+D9Ts1OF*~2A&CaSR8f5;=}n}d z!(gl7x8wg<2Ns^*aAJs{wce|Bn|Yd7_zKrbzW2|cpJ9i7v_Pv+B67BaandFQ`T;> z6aQ5RuAa~sf0#N}K8$~34+8pcGeR8r{!6G>x;u%QE0LTHTu?W4iwWjWP4$R& zv?C9XKvrxBMhitz(?S)gviAcFV>czZDBJ|mQkNykw{{A+bItW@u3x0@nz;Y0sPL0f zpArfFqBm>ANBOdn9>xrU)R=nw36M4m3vp#CK+s{wS(8J=H_*tJUM8In?&L;V_hhkw zG;JktSgJkd8e`6pO44eFg{LA*6`%AOJuy-($hw51DbuSAHG5~EN*sEOS8_J}Cx8KY zCCGJLCNlv(LA+h-i7yvuR-O=WAQZOSClf4-=|xwHVC2+XRCLA->z$|~I4Pt91~~^} zPa;R0bm8v`DCwol3wcBQF2HoJ3b*ipq*D`G;OJE|RoPZRNcJ1@nHOb@GKwc*l@YEFj>X3DKe?p(0)!fqm`c~>j?n&CJVCLNoVoSQcAy-xY;qDExuxCC ziRho+wwoTbM*pVfIcQ#l+lw}$Q(zlZ9*{{;!Ghj3?jFAj$7Np>m`N4%jmh`kiuF8TDp(<(xsoc@f6w2t-uR z4rsRae7wV?$HVko$zK^i3jVLW@BF9w`o{xUG=U#HmijNb_o+_825EziaQ)wi zePA#!3aB6e0u217ZY%u#9d3UkP%<-cHSxml_c(6$s@NJX@Fy^LB9PE}D>ziNl_onffSX?t6$I@uPu z3=D3rQ`jhsX4%Fp^KsQwy&ue?s@%j zk^GL()P28wlTdx@5@4F+`zm)omQH(RXy?p0n@Ee5mL8 z$NJV>6Fb8d=BMkdhj;Wflbi=#>Ks0RkB5GAeYF{%a^C&UO$43p+BI8+N-&6}M{^A&(hAU~=nC8POY6 z6X7CeRqPM zH;85ck-l-3>-eT!|63SCjwTCetl7%*#I;I8P)VwNqY-V%Xx`M?^5+?|tKA7=noa?f zIcpxq@NY%O!6@`%LEfB1loDKM8cT`=Cw7`4)w9vuL>ZbV4QYfVqgj@8X4+pUs>aG9 zV%2rVO)FvvLS-;Tg5M`s9OD!2XiAb3}}->^0hQV zzQauA< zCsCUU*%^?9W8l>~m}J7m$<*zrkbT2M-72T%5Y1;#xv$FB?z0jkv00)u7KU+*PMNzM z6muXGG>sRmcvQ=0c8t>tK>OXKS=8{&oKg&tazvEtm&HkP^$6{JPhyTEmoi|3U(n(?fi_{E)Cpca1kh2{yy-5IGA= z`opGE!BSl!nJ~@99V`<*yWl+Yz|M5sL6VhBPWELB9%>(+)7g^v?QhVcSTD=z`wPPj zo|AQQX+q9YqJ5u03>BYTHzF7>c`Wu)ZzRyDJ02fP0KCG`mRe-jraE56d>GD^s=_0J zG5OA(;M&a^uX?1OT+VnS z+T$e^t*MrXFk-Zffd(@!8gU8vFAAu5yTQ_GX0?4`tR15AykrA;@&x@XP@a2p4-?3t z=Pn0w@;(|kAojm=w{g*lMANh>4{cr+z@}w_FHaHIc(h7+0Yx{zSEdCUh^$5eqHRog&M|(x`w! 
z@^elDmbo4c1y&*<2qjLA$QLh?R4yj|2L@V&sj!Ho2`Z-wlw>Kg1dbMzmwh?lXJ4VL zv@`CE*BDbQ+d^5`4nl7%nm;vsC~4pwv_;YHgsq>&WxkGu%9oz(CFJ8&D-0ZQ;WLCG z>{0-FKkq?SdK_O-_Z2P6zZ$9rqk@bJD;r9!xAdIjO zB(v=IBDcQsS>k)J$^ZH7!`w(g0a+3?QVA6LLi~m#DF^=??yCUU_OtyBY-bI8j_C&8 zB|mkCx7@t(d0lz!_;7FC@8qoX9AP3|xsPX!QD)2Y#1bZ!3A#Eo;(EO&IgfE4d~i2! z-n0g~Zqp~OhVZ?IAYHYcsXwA`>$)9(o=KCRf4<)=_-gXt3%%70PIH#ko#`of0B^Zl znmWufy+`f1o(YnAj@N}t{Jj9RYvhdjE*q&i+l^Q48;&`IDKs{p6aD^-TioyC!Yl4) zg)_|#zS+V#ou8yXaCjIeeY{81Q@U&q|D<+pbUIC=Wk_t`_m=f|ABKE9tjL3QmggST zbKd(IDlYCHW(d@@-ankz&oQqTH{#2CoGKkho;>eHF&%5R-6zc|V$8Gb^{vk_LHk#x z<@fQa0M46#R}0W?F*=u-=5BhZpfw=N#p1o!_0A&9%Xhk-_hI~uDISK`jYGoUdojs! zC7?w;r>i1szP9~E#vJ|h7nApfqp4$LwVg)F>GkVNm+L4Hi7;=~R_Eu(M2nZ>lQyMl zsC3QEpsX||$ea9aRi9tN?roZ|Ff|rgt+|?Q#m7AoZkbE40~nlY+K+fH%4X3qDa7=S^y zn|+zWUr-OytGQ?$(vsf-uKT9?RO6ojnl89I%=C%X^@d-!8VEXsV#d#x@^a%vKKSJAAol7*o+?dJgQ=kwxoJoAImfQ@tBBx%Few&; z&h@bsncnp?XW3{8bQ+BKYZ<$eTOm<}ne-cee##R?ibvZ&oIp;7J-LyuxTh}1=Ak8 zOvGZ=>ioA@D@!%P-+V(Goq|URV%}3km$B)=lDzQtB7EU2(U(*hZ)VNLEgO@4Syqn1 z)l#Zx>Jqf6j}6sQ=M}NW$-@p3N#XF0v|TVmz7$m%Qsq@i3T33cKL|M>n$;`6rz`58 zJ__KgO^D_PwOb7d6p31ywKzf<3?J= zeMLq+WWf<>mWf{^TdSckKE5g&QTG!L0snW2DofZ(w#Iq>HCp!c^&)1KWSq z+&>qmaHQB7E!Y!IqOr_QqSnYlHR;Df``Znn=-UH^Gfs_45KL?~$6lfhR^=4r!qhQ0 zc?Pt))urB>{IVrvcw_*V<>zfaNKu@E}@w+VgYEtAh2g)8u<)*!NN?!!_{w*RP6r6(-w|I1r$ZJ@2L7<&OvJsDkT z)77uC8LnRS$q8d$kcPLN>nEXWB)VsJR<6?HsVlZWU0;dTRvUv-BgH{bxDOPIMc4+ zn5*%Yr^CfP>UiOuXlM*f^(LCbC`YChaU>e}ALya<3q72^k5V6-Nfx&cVh%2pf%U7Gaty7{~JwogPVN7;23BOp##oNAh7|M&V+>n(c4v9OxTPc!>ch0na<)`Un13k*3w54?fGvk@NB$QN z3CecG`rRc?Ug*?6=emTB&on+(J8@%NvFB{uCZmG7!j`Pf4%owjtL1LxUNN_z%j0|9@T!0~)?R?NQG#)*-EN}i_ z#Y|io_%T$SGiRIZ0Vm+%CCDb8gKnZHlPPYB!M@? z6qOq%dP8`Z^9dd7`wbX4$P7;+krdS31;TsE*5Y+2;&dW7s{P^X{LAw``3x}@X}ZfQ zaV4AYta%Quprx7nI(YgYqgfqUcbrrDZB~rx)0{Db2Z_*x;vD*T@T=5M~YqKuWACK4T^eYzCBE)S5!W&V*@QN zKO!3lb%Cw7uj<{++c~KedabzbJ8chMb~es4UaCM(T#3s$U#X2Y1wUYwc6O%c)_!O? z_q4`@*VFOL*3%j;>tHDGCc_$S<fwz_`HBXL@;pXVKhPF!? 
z+G7wYgMOpT4|l?t`F`oXlUv${g#SRJ#}!weBIe6#UfYkWxaYwjW-X7{V@5)}c+b}4 zu6tR#XLCKD{CLok;J>K!V@$GR0-6k5cz@F0iI5@olVq3a#RKyA#+vcNCl5e#DtE zvQ39S_vsGg!}VsOb-I7r*p6#Gc;ZLvAYi>e0s|JiroXIhMsB;>b%<*?TvoI^rwmW~ z>}56a`#dE>tmRbStmj29t-O4NT6IQih0{#6RX*LO-^R>T$YD=e%}mY zx@{VQiV*pl5FRI$XMB?R_b)OKISsR9^}1dUWsh=LDM91m(){&C*E>Zl>)r3$pQpnC zJ_FH&DlG)MKQle|nh5!5J6qnhLIJPa=9D_WysU1iL608t414#W=NAy~v0tQoHt4l` zz2!Ei*z%}?zxj=SIn6vW%|Hv8@HX;_fA7mq7@kI$12P!_pBNAl6`}-ow*m_oV?eXD z1?&nes&GD3_VJ!j5`j_i^u=6lHlpU(l@l}&N-ntTgW%O;orVovlv!$e9PgG2WIC_!+ z8eOb42N>0<{MFLvZwm@_8YMM1$$HZZCuVX?ilYXhwOY3t{8?#%>JR=WWbT9uA5TB7w;@C%N{2{WOtwkfELUy&5 z`KPm*piGuLdg_5f*T}L46GTH2hXGMAU3~6hm{gTIuC{&iIy%pF+1od=Pm#%tw`A|U zggPXrWJL;Wg?t`rUBHF{`^l#D_uu3qSC;<@`ve+)gojDEvUrvXf1aBu=`@M(uvK!X zw`4Sj4f^@fn@CJNS_(dEL4VkZp+J3AiZmG*3z}lES~)BY-uw7y9|FB%RTKI8@fqJp zlp~t8M;FF5P5aesQ{}o1?o{LP+RxcREeT>H`g(qL0d>XhyU$Z&x)N_2_l45Lh)i+!z_QRTtCWA`SmK^1N^?cC6fTeBr8)O?RXCf{iV# zW!dladS7i%nhB?CvX;Fol890LmAJXo!xrIcBJINE>ASR1b7kMUtDDJ+ub-sB09KD5 z7gQ%fl=)aONwxlKSf6e_oOgJ385s)b4V)=7$rkA&Zf?f)Mn2%dS!*yUd91|oN z&b5aW>2>Z(CB^<15K@q^Vu4WK)S5?v8^ z3lt$dInq)Yxx!(Yn|_#3WeK_<8G9z%#%E(LsaC767Qc^HTa@1rM0aG;yiHRBG~I+C zxJg1w96(E~X0^t%H~dm#;T)A5N8nrR;N|3qLdxBBCwugAs2zXMB-xVT80xe_nBNYg zJzkqDM3>e2{{RF+7^XUdKIMNo00P|Ry07?4E^ag~z64i41LCO!1tJ}Rp>LQVf4{H! zE98)nZx62v4&n@11Iod^>@X6}@EP9+=4TypJ`1{0+T}PcIHdCNG3a`oe|8+yY#!`h zcE9AS;$J^5hF0(gfGpS4^+5&&kpREzOKCe8+ji%cr5Ff5Uzl>ht(NP!!=d)f_2gQn zJLfKagP&RAaZHy{$>c}>mbJGl0JnngX7&^F0(7_l4FCa6A$AewaZDI}U)MKgEO>m* zJCNkGf$53auZPwc&rEkaf4FV$=GL5203U1p)BHVO=CtrbJ+vn)wR9^vd?@|JYe5NN7UW@7j^Pcw)Sd{q)>I zaMO5NgUi->Z;aGi!(87(U-5gi`TbbzwEbtell19@iN{*{I8(J6fV62;@}Wj+^NZ4B z=;2)3<|=clWmBHpH^U?SP`~5kzKz3%t)dQ4R8!+NCGGXIxaU(;&2t~YaptMR&W`i5 zcS(;+?Dr2&7f*YQw>M$AJfygobz7vU9LH_24*Wao=i9*SyT28FPYQ0!R^pj0b1AXp zmGmuXte2awPId-*FWAqe626TOinnh`?*#l;OGw3qVd{Qzcx@AWgm#^ilJD7V_Xs1! 
zFZ9M7cyG%-8(_DI+ouA`9J+(YpzB+Z*Aw9j?uR)G=-6$(I~ueKQ5Q^qFmd`HqM3wX zmlPIVhD*m8^jiGI1xkVX+?D@n^fps0Z$|n6N3`%j;mkz=>48~4N4#PlIt@mTg=dSj#B9^=Vl^ORUgFG z2c@2?93rw?xZ1D&Y1(n%*rs%Dsv*ObOkw^P*8j6IB6xWn*?K1k=R0;PUJDJ6f%!id zm_vFP`bhr0Mxbmxr>|TIe70h2>}Mgpd|~~ za}d*%nf~bDi&?mZv?(XQ+SBEtcWGhIW${tqLuclhDTUxd_pwcXuvS z?!OCFwXl3xDIwl6qV%N%MA+FUD`?IYgBb;eJ|~a}5Mzzd z`xJj2;Ir%=jS+S4p}ZHqs-U}PB_#fIqIs}SRX(aza8wR<@X2G7U7Ci+n=d#P^dC%V zg^PY`8gyDxin2Ry%*;>9s;7=V3%TNutSNwlG$f-aCr)lUkJv`~u)$kmM^CJx_+k3) zKg9g)Yk9(};d`Ru9w(4GHZ7e=rtsFlZCLjOj z{S*?%>Ai8q~aoDM@(&Gz(kE&^WQQb%3jzj6Tz+L|T z3|;FL9#@^A-)i7Qn0Tz3BnhUBXhW)UO^)LMRlMCB0;-%-d2H(b?ozYmx4uO+FmlCN zx9=p@99Dc$kiU_URIOAholjd=q7@4Q%%g4sNRd$D^S)y*p6&FiLi6UxMzE|&X*maN z2o)hzh!IqJxPBu_Nsowqz0$zq7?w)=%8r^wgjX1m_U(j8`DaFbK*bL>cZoL@mbn&k zTRSfnGNsr<)GYN^t(hfgKE?XfwWP#~C!;bBb_Cx^h5d3lIqp$Wv&3PX`avTtMp9u; zdK^mc5_Ty3FoPR>^cM}bZx_NZE1@J-aZN;e_~E?e$8lY832F}x_{j7@qIquEK!V~X zsjdpvlqrux=3Q}*Z_UO`>Eo*BjSpYdtlsrawfFq9>c9pA8}9;8VL?p}==J)p4@}>Q zAg8b6RjE*Z5Oz)3`VT}^6b_YspUn`KlU@&jT0?<1sd4Np4rvKk(<%d8Y1RoURJcer z!lU8PkB}l;GHH|Ixg@E29h?#RuDIj7+(eEr0^`NSVtoQFy7MQ0->CdimK+XTjm+~H zC`0Bsp^*YX6eC9mHngZDLk4w%y}&xcHxKIgl21Gck8r#!shBhqOsY4Cp)zw+PSS@8 z_-$uRlf9mI9YP2nX|@Wi0t`dGSyhgj)2fszN|qsiWD0sUGgM(&aFedVLh3%@KYCJm zY@E5#HYwou-IMW3_?L?;{?x2nRDT>c zq6ch9O^>9_lpZzLs?A5;n^H<;jsi2Bvn7wy{~v&c5P*a=!29b@=#g5#$DH3R>7Zk7 z%h^iPnNTx&)^}Ran!`P*`YQ81JBag?`w;DW5e7We_dY84Y$!XZKX-0?n$NgjuN*ay z;2x8ZudLtG+cbbzW{)aF!QOklM>LyTzAGH?kr{YoQ@db{GsN&b6e163oSAY{P3-{Z zd5E3q;oBd6C(!X32hLGT&!8cBJWf{x`o#R}7@w#qf@9ForyD#Y;=eXQmP2cuN&U{#OnKF8K9a)-x9GvPO zs$to9-hxqnI#;x~ZSJ{vPe+{VrFK74+!SVUXx)<>uf_VA;c)Z(_Q8HcN?*WAbFy{+ z;Fv(!qf7>1Zu5DTrN5ps+I7mUyDA?^9`gXFHy)Tg4ju-Z9w&TRZq&GJ_1;?Fn|XZJ zDEUASold^>$0P4N+{SO4$-uY00k;bdw`FQVeV^rICF_}t>WtWryI|_n+!oo4bRCBp zdcSwK15JFbNBy{CTp9DS=LEm@qt_Xb_c~NMD}euF7Qp>%<231eePuru&V9)L`(ZxS z&+~95dp#lhms=`siB87|x?KTljBlw^q3@8LZ5PGoeOsz;9jA|n>CLkL!ZRzQ073Vm zf7!Eb-78_RYIa+`@2<>gChjG`HV1e)axUxR!F1UBMvi;kHKC2UoaV$mn87ja=_c3E 
zaiM#x^Dx=f)Z!OAqxsn6#@J2g#rm+};^6t(FXknn%@;1$Qi`BffS8pWnTgwVHXo|v z$;e1L4%d$dntKu7!_c232f1x_4g&9+moP!Sg9BwQ) zW`uojxZ_lKMfOEOpwK|eLP5O-Nxdst6E%&t>6b8AmM($&5d2_d)V&ZgKe+}vEei)L z1${tM056&NpH=dGpiIOyIayn9h+GnTf*FS@L0(GQ*vOb11;g+;*Rl9O(#GWio%Mz- z3AxATH)I6X$%Qq6v!Lo-PlI?#iAA?9Ha+f4u!wM{BgPf(_=ljN{+crY>r(@0*V2pkc6SV?4BYP=L`b}Ei2iWwT1 zdoIWiJh?Cqy0c-UItteoW5x4F?TAy2x3!u1U2!Mxfn4egu5;@|wb;d3m2XSPRq&BY z^9)U$z(L&?FQI(MwANaLv0z_ao%nm>ZzLlSt%;HY7{v%^R7SAHym{4|wts&#o3q1EEnjO)!;GM9F(1u|ep{Y(hI67ualpmS3y+2GvVhyi6DhnHOiOO~ zW4?DJnsRDFA4Ii}H*dORBRK`9urx^o71!^K@@M(qCf4b)7Z3WqC>GqUA=lMBEU}_# zNHgHN-9zGW$TnHL0ddUeCqiGTVX;*)LhWg8ek$?cF0`*4+MW>EVuIRgACwSdut?rF z?cq_`crE`Gqdz>%vpgwc2?bnuYcL7Ve;tjfPWSsq%g>mU`YEBD<=GwGxmL4%b_ zs4C=~xcwCYgp%37*4 zz7TEMVK~;Pm*(uWmrez<1e%&!vPl$*vuc|qZl;7 zq&kPZI73BPVy1ApI_w4iFol?vj!M2o zn29Z0{A)=Okd#Sl=bO*UE`tdwUt0m4IxBoUuP6LYRz(<*U z>xV35fJl12mG9W?lJ7|1dy!$22F~(?G5M~c1~SINr%45Ly4*TBmNX(|b`A3P1U_pH zWTj6lKrJeBfBzGL=%?Lo%M{)07}VBox(4{@Vy#?*8av1%$~Z)ckv>f??8;STwHd)`C0A$U^ThQH>k7 z0OSWdBwI(3GJ^3Sgl)!V?((k_Ia3Xtt3u!fOVukIsMWDIJUbMxiYDD*w7>5_@)j;v z7P7mK!jqPWXuXb3Jne}v5Z+JyU`a9&jKfboH(AVFi9_J#r5YfT>X&GmXBZP8W|v#+ zLZ;x7!%LpDl@3lsAsckz_|d5~RNbs=q!8wy$37aJRWBSM0e&>f2KMU$sv6^)-RiPr zzItWQ-RkHuu0j+>BOmE+YjpC1Ng~Nls{%{R! 
z*cSRY&iMw@7j}*NmtvbQBA+QHj_mFl%mM_>@7a}^lS8ze-gCAyiEbw6XI``VCSK#z zFSg6=Mb|VnUQ_M-asSi(owCRK2+2T`|q;`b%lEbJf?CcCda%*E56mnftsKBAY*|>v42KYXN`_ zbUlAm_we*cZgYK}P+O;5x7`5n)jjSa>5pVPe3Woc5$Sbk^H1Y#8R<1_d%59x?`1fp z_}M-$===F}Eqz)Se-eB2_ys=zi{_XoYCNosK$<7(B_hYyJ=fH3`1X6Z*CpAV$w2#O z%4VOtT6sX^W%FY81mK}>&R|Y&zrQ7C-7pvdx=r_&r|}-^v>G9v3D4_nnLKsH7M1Kf z_)@cWf-;}9s^1D_d9XuLM#k1lNetsO&jVQYIFpjC<&exvFwm0a2-`j9)U}k;W#ieVE{X5-j!O&LO)sb~~KK9@h8)_fZ_ z>b@!IdgA=hx=!z?@iZ!6?*`3p^xtOayHD9MxErqZ08TQAbiMN&t`4U0YxHj|FOsga zKQ58ybfnHNuuS-Q%+L?UEcHG91-XK3b5XcWI7qsM;JCg}Y z_jRWL`r+??y`muzV4=qODcdFZQn9=hogxStG$`5^^wav&O8eP}H47*f4yqaEvg8vx z_AuXKMU2tS1n=?aSraH1AN;>-guKJ?g?#QCr`PpAiOWKK)RuL~Mj;Nh|cxIkZ7=lFlKC7ZHCG5Vk z7nQ4K`76?N^Gkyw@p14X7b95_%rzoJ$Zrw9990jW(ZyhbSprg^&Ha1uQ$e&~_->>s zvQ&fGb$Fq~$nTDgJUqC40Mf<$%(P3HR-Vw}-vLGh=z{y=SgLJ5v9$2Njc zI#8cI4=7QyCng?VFZPel)jd}MYn_FQA(VKD0zT%*>nG!@+ApPWHB1#;D+b#DcbU*| zieIus%!7m!r8pEZb7b08l0RneBm`+yXy}_)V!fh$p~UAgCMf!O;$^kXl6IB%aRgVm z$OmYWY#Md0%F|iQSi?JcXMdt$vCUCwDo8hRk%)fhTRfF<$;BBc9L01F!YNQwQg7?V%&doK};yyc@|Og{((3W3EU~_S-UGAcVOUW z_Rq3nsb9{jcyhhq*OD&&r~#!3V5lAi4C-E5qo$tt$_PGEu(e<$+!V@mi%>jT;~Qe% zW8#&})5iRhvxQD9Yk1AZB<*&TP-k&u8MXZL-}g_0=1V^)0p36dl8ij|2u%Y)Q1@jV zflvLV0Q$VBz+x1goKQcJK5U4rTFr4orp|8sq`;g&cXen!DIAt|oqYjKV`DgGDvU#t zQXN+TW#R|&PNd)f3hsdKFUVA@$~i*i1vXB5CEucK0raipIbvHJE7ss8cg;x*0d|1R zPGW0H?ROmo?qUog2T3`>g^T;V@NIXUVa^s!xQbyAkm z$*a|5C8w5yC%;pv*F*l^u%!K@6LP!3n^#)>I=FfYy5k3cQ1wi^RkGK_KWcb|OM<+2 z*9gt(HpO*Ti;j9e%?c0cj9nN`VxrJYo9qvpYPR4TQB~~SCSSr5LRvvnK%TMWYgReZ z9dj!-Q(AE<)U_e=HsCBsQYaP?dylqk?)`lST~@W7w5Nz2E->mk8K!{4K(c#5t~7W5 zXXK~1_P%|@*^^EFPNKKYy~)sxfE%5mQ2~Mss&7T8;H8dS%X@JRc?2)%mcb~OFtH|b z7M~4q)X8Z@^Az7gnuwhF?>H975qPT~S(m#4)ExZ~yoYTFkeGQF?kXxxjVFVx|H3Fd z>ydHc`^q)6PnHuMw2EcCR9v-9Hw($FED*&6RMn%TFe3Nl2j~{D%Mux38YV}SH}*1u z6{L_d;9_27_8Wv>;ig~75_0^e#U~|D5AQ9hw{n2NB1R&LAiNrXKZI2kA%Z7SUDJUB zgZ!h&1MPCIiZd^R(!8=N@=)MR2e!QLrLYV_1aTq%r;BPM1k$C*NOb;a6nZT%t~LV+m0@3K#v+*?kCIYs_foEl 
z>DxUDnT+jd>PW+S)Z+4!r>cu^c$>^`Y?^c#}GL(hNjUQaYJ%GP!~Mgef)a@TyS|^fFr^7O03$F?-83&5 z8e2(}Wv$ZjV?kh@^@??$@4o-kC<+P2}o*^OX_py#5+ z^<^Uc@nN$mHQj3x>AKxz!R>jn^Pcka?lPHB$Ne5(d{?~ysmtq%VMV`tH?o4>Wv0(f zWt;o;`gwC>&G=IJD*Vh3VEV-V4m@eQ?-`=I?;AK0MdEQfe!l8BOXs|c4jtq7%V$4M z@UotVxWPxKFhO%}R6F z9T8K$yAJF6xB6xL0aSK&xzc*=ILcQoYujZ}6m9md)cGqi9WGj>f@^J~(2 z9lW-DTbX*jbX&36j`M{bt9BpqWz2e#dcS#Iudr>d7qV%s!XkJAtGg!X0R*jqA~28n zLK!3AMUj|7Gr_YTo^nYmHq zyI&JsfbG`SZR;J^c7AK|E1k<%KvXf%Q%1#HDiW^V<1kA@LA0FC;R!E`Ev>g%Llvm| zz`kgpS-WeAx!Lc(0xVtkz0+ws^^;78fYcz4ruXn8y{#w=6K2 zKdcxX0mg`2ry^3ebZ#IkYrG&{w?+ARq#SC(lggG225a8CL2mV>t2i@+mG;-Y9-HQC zuEmx)XfwQ04JoEseN|i^SdG+E3Gagn0yR7W3{YRAK*+3* zfbNuA)w7;pOD$Hu>&8AKUC^KUUO|(R@6_<5{CNpfTfo8=5@vuj?F_l_qI8{@RGKIe3&hs!SrHb_qmKRg5 z*q688N}3W8KT!x#u$A(XH!YYQy1T}PsDd(H6+`S*InR}X(Nb%iYq_HdOhjFX;Bm+V@??+P6qT7Kfa6k)vdTQKknxsUcvwe=)}CTb z*1(bT&s{*+k02Fs5|%!LGE`xd*QnmbZ=15wK`I%K^IWT@f}HG=n1PP$7k`70xnvNH zGO`tH)-D9j3?7}~6%j<#gd|B%o#pC6{+1sYc3ZWk*R!1_fd5@WM3p2YTv8?~aw_3QD%fQMxie1JDo6+(>GyrU{gpjI!I@u9lQ7b$*4{%C zs%b*9GAA+FRjHWKNCv zo~_azq1693r0(H@hmA>!z(7f6vw3kt8x|UkYDtXIWnsp(eKPW~xWm%K{tttJD#3!` zb;zzkOVZG3ilGP-bx~xO%MkL^#40HkELC^TT(2n@<1?8RRh{B*#{u>ysIUUGrPSOg zXx{zC^-Ajy^z*m#Y$k{Yp7W9v5+(+TDvDzi5~C}Y0XSApFXuC4oyHT{tzii?NKWGx zKF+>20y9J;WbPwlv|ahDK*QWguWgS2EHlB+7C)CfMy>+OcohO!Q!`OSNujs^tj_tu`A$ z!7j^B#%lifz9nI=iqhXslt!$?Te(QV@;aN)TP-CiI=v%|j}xhzt4Uk55O_L4J>De~ zew^&S3h|mP#q!A#LWEvf=qZ;|f}_isernI#MCuWqyMlv^w|Q}FBVdI#Bvv#LXrRQ+Hh^s+wXzP?4lcOXW)X^Xq}1WUq2sA8pa@zVl7r)>@G|6g4PZ zvP;Niv`wdBqi-`MivqfI*ixZsTKH42K%;<&{VycJVGA$aE~oPOpJ8vaN%Q}OVSc2vzdJ+oerD4kZ~FZP;QeYwMHB`ENRpnZ_w+!dCkWL0 z#S?#J((z-7#KC1FWPh9iSzCB3UP7Z|Uv?2&z^v_@EL(b3Hc2@^PlQ*#pewJI)|Zn% z-H^8JS5V@Bn*qY0&q&)%G8&$qDfFfh4$q6{57wT}i*_{E9A2-_D{Ut`{nL*wir8Rn zJO}dujedW5zAu zokdMY!vIjpvYhrv(W2r-ITBAVMzcw zsC#nR=jm=_5g|r}al9a-+j-miI5UU$X2v?lcVv#XD(d5EF(c*GMfTA5zRwe&$m_Cq$AoWiX-tT?nqI8HreRYUg+_2o;a zSN|MWw9Y(|@vhN*%R zEhJTE;U?7Y0mB!7U@Pq0ly}P%1@}%R4(9RUDd+!Yk=l#H^Flm3gux 
zr%0sW3}8u?N^lIWQ=GF>`vn0nqMxy<*TxiQ;b~!BQ2(3mp+CQd%#&IS3tggC2lJzl zL zONJZpJhXs_a`b3~aIz|PtbvnO0Zo52XpotC5|OEpbLoipJ`C5RZOc{uQao}ks+ z+?Cv(ov=et)#uQcKZ9=4@g51JSqkKr%*Jm4Pp%gJ8{~#-)66*@cu~ub5T6pSgbvQ| z1N_9pHetuOwQpHM_Xy2@;@X=CvT*{1{vTT?GQID+St8 zJXMbUo>t%VjXlj85pJJ`{IZWa3UY>&o04P?E7rUcN-ceCMQC!n3JwSFDk=S}GyW{z zuBp`NaYQ;YY@`;-%=3t8#kvXUU}Y{13RZWXL@?h07{RazUCB@T`IwyuVL6<`&yucN5nCNC+NSJANhjKffN(Sji_+tm ziu)d{7ciBFZmM9>OU#`aMZ?EDyWT0e_D%BFm&d!&62q-Q!7#0i^1O5?!5^XGQ?EYu zJ9)rU<+}5_O5T!i7>wql!z!0(Jh2YpytcmuS4UR~M))p~HD1LgS(X&jw-aYDyi7Z@wU!vO8%x$oE8?v(b^=RJwCz`oT!&tW^CQQw~AeLv@?zn8uQ1~MKq ztX)y=;>>{LeD6;mvpuY?UODt~HrhS*55?(j2T4coPB;79d>`fw6W}AM?ZodOKjx4ux0?f{TaRg+-|P;VJ_$NY_9$>!MxIa!}`6Gwi{jRijkHVn5Ay(aT|t^Q=a2=-bu;f za<%Q>(bBNgJ_2<9ir|bo`qMoVIFVWB^Ei4mQ@atXPWo1l0DKtWi1{+;JDnd3%2)fI zt&a!sKl#gm$~`VI87pxUJDvd7tr@sA41z$l zAn#%j64xj6SF-pymi~~RMDy>k9*1K;j73x&S{d{V3P-qI{^{da`KOFy{$TlTYTXH$ z#I;~P5Gh?0NClS00&_0+teHm){tvc5{%?JW4M8*&k|vWRQ>|Tv7GlVD>)(Nmy5kr_ z-8#$4T{08+iv=d_nO9-3U%dy)-W(j@2abvdxe0XfjvgARUPHd4y@8v*{n_>;d28t! 
z#MYFk)hxG*#Dl_r&5J3X7C$&D)44715aoWlmMJm3LpH!!`ll@iiM1Et9GdXwjG2qf z3`K^Y7A@bCDwC5y)H&i;Qdo9{b5?8ohSbnuB@aVHNYKi(qRzh{KP|_@%@11FW7wLM zBb6u^dbgmQy`}KaE!CU~`veMF_f}q981=GsR;EC{`wOt$~ro2#}{PTImwWhH>)cG|c5rl1)XRrsr0k1_hPD zpp*?Nl-+Py1u#&=X6h`{sk2&;7;}*>Ci}=oi{|1vw?kAPSJ2Uo2v18uMyr6I9oKi2 zOUvKHr<6Vzwxrc7aHf=XN*9>6X5K?Td_(sUCjiHQ`X8pwu{+anS+{XI9ox3;j&0i= z+qOHlZQHhO+qUtZ?0wca>wKwS@QiUkRae!V6M?h1P31u&i1i_6{^*bK#MnV0xcNmS zP9w7NmD}a0uxiY9WKaTcEVP4T*;;Z)47*$d4Ej3IL@=Z~aa3h)``E=40%Ior=SNaa z63sSkPC~PxUTxgxcO3Z2ToT1fDEnB8cmDlgi**Xz(g$uXt54_VTu@9$KU|Ci3Exdn ziZ6OXw3fUvHz>(2xi`d8OZW}kWI+Z0GmMoOS!Bx>y~qbi9!;RHBeqF4bw2Slkp*!ic385 z64>JGNFFBo&?LdNxCRHz-?DXzA$wqpS^_N-@!4|^VCfWQUVS7S_CZAfm?HHKHkiLW zS$^DEXs0PM3e%KL{Fc;2FcCs(A`rjT{wWeyY!c!kTA=)^hCjqInib0oF+n_v7lel{ zk}l5}FqDU$wzY2W6nHb6rj)wG^QzjaNj9u0Tzp)F9^ppm0(8+0-SGFeI2tAgcQSt{8)d}TskluD2Xrv`vjBb zgdL$UUcNPs0i(4(L8i&iq-&=nL~xk$h^&&fff9F|!cZjYBg!iVR0x)oLnj+1)Z^!b zS3l9&jIVU~kR(Ml+%OAdQT5-6S=rq4uyr{bokLU56}LX{P{`jwVk@?YpQ*l1)(s?P z0!B=geX*`fXw)|ag17VyNE+T^zFV2lYoxe*z1f<1O_4MJPYmv2DiSl&8MFFm7<{s_ zysK_9jZXJk(QuFe8CGUgS`BKFvY-q@I>-P+12jcqF++JiyO7yix|ndn5Zof}y?Kgb zCh}qO{}rzWNNN7l{Zl?LmLCAQbL7nH4BLh7U7tO`9neQelcd?pznXH3|G4uBsRQ!~ zsdwvz03t^x_|?)tm(kVXcsEh7G1KZ5;i=|>qq*06>8iHr@8#=r9+p)tZOrZ@wPW4o zH7et&EN8~kz4oJ|*6+;v*04KrQ2W^$Ykjh|&FSs=>N@{KXYW#NeTURq9vz_fHEUd| z@wwk>q4z-Y*u557@%cI?cI|BUy^UY-YWhW4u@x<|9t_$?rycdmmKe}Gc zBR(1|klVWTSJ9(6()In@q%mG`Q^WAmU6kB@xY`sgAn)5}r@uy4l^M_mNf$jDcMV-@iJC!jSA^Ctmy8KHc z{hVoP>+UeNL?5ii3G_zyw1wOKLSU-%y;-kz-Bixy>(p1tdM`2d7u2rMAzFYn0IQmMp=jy9(Y=;{! 
z`~`6FI;_&&vP686?H+jh0P3T-^A=vwLc^|>(KQ(ym~c2JWNKqSmZ{XdYIpNxqj^Gk zSI2!m(t~&XHl9sAxy|7`1<`vk{aw&BFsR#gz_xL`6sr5*c1M$FX% zy6+m?H{SI8IS0-sZR*>3us7p9_5nzE1>is9ALg9*?9GmR2mXA2D@@%100b*ibAP=> zfa%>6zWd*30jQJYNV2KK z#y{Crz!>BuQc=Qr@re&ACG@HJ7#d)ra0Z;w+={r#A3r$?If({sR8l74tqFvz=30=# z<k&ISHA(Qmo2o$p); zN!cy*Qqt+l--_kUY#vdwy;uOeWM^~;Loq;!MxvrMfJrd%m*_8H*wD40 zRL1rr35K#17-ao&iZ!fSQOUqS=^i=tSZtYC!ZLSGIf_NkzwMf=5~M-tRwpXs0h@y4t4gUwg5X z7N}YMnj%K270$qYP#FW07z=^9EA^IX{(g@U>b?q}p>M0c;XfB`=0oLCCg(lg2|qFM z&n)_N#)$A!j7UI-;w@mK280IpjwgTs933`PgwbMcoFkQkjMdL@AkJEazTJIkvHlOz zt3O5tCA^XS;Bze*rx~d_Kk8#8xpRmBEB47qTXG`40cUZaixJgmOF?N$31`W8t361) zmgFYA(12jod?;&;0W7ns57sV441axeudJw|z;Tty@9_{X?U#!(?HUE6zC!*&Nb!15 zRSlBKUu~lK0Wm7rtoP%&iy)$C#_d>>!fQ^yug-KGIE3ZH*z5Ah7``OXiHaKkjw)!) zA{!0%YO z>G+2-baEB0H}1f7SeezI1VjY#?>6=Bf^*N}h!$uWLl%#9zLM3OcHa?ythFD}iGfS# zDEsH0Jh*XUjppbsXX4^0d} zSOR!@Bp2{<2DA~pjqEpNtjvTxZyp`KWP2cuL#4sO)dx%+BR%Yq_H@lDjOacb(}upl zb3D9ib$^^*9yHsncp?1p9$C8adWa0{YEXM^cw6D2Z-0t=h+yw#@P7g9_9DA@pRD1^ zX}xQn6ywrw+tMq79d~yw7TfZ)z0JGkeO%g|DRpEv8ootKnNX(Kc@BvcO_b=>$zA*7 zu5exbQ_0b~30u>eGQt0N>Za~$y5W{9anZ9F5_GxkK#i}!ZLl_e_R!jH-`rWt(arLp z_($h`Q1-!p(X`X$aXFAub%&zC`7=D;#=!0HP~h5^e(}q(a-NR5$U&U!xGOKY?!24T zJE``J)U$4@Qhhsf)m<}tlIi8l*y`T83|-;zzE0q_?Yz?D^EE27o1UJzY@_&o@LuaY zC+~MdHi;67>Ac+y^lb{aUw%J8)qQ`PIk|Rws9eW)dFXb0vON{zOZVK?AJgl6Iic12 zqR3@S@$vn<;q}sA^EBb(3aWdNW%p_GJz%&Rqn_sa9NMDOHtk@?qTYJCtp2WnJ9P@Q zW^32(5Q;0x(p$HwQd09Y3yazR;&T0@RB*G55yI2E=f4)_u;1vc$Z$6>Zs3)iQ-q-l3fuH6)7#ndo z(`mYpy`@jCj))n<_gp_FXMa|r^YNJwGOc>NwRbySdZBuN_i~V}xU%wC=D7g8nwa*0 z9(TPD*GpA4yj@IZtbB9y03a{DN9v?_JHAso0eoQqfCfN-@bSkZ_@l72#Qf=l4{b{C zc3R(UYgs6B>s9-Wii3R20dagSfEo5VUxcu+K_sD}`~D9(1H#YHG9gx!A2f4qvT_m| z>py>By`qbEyYxd+Vv=Ky7AUz8;DPbMpl7Krg+j#v8sKIx-&o~JZQ`)#PM~L+RZGXAe*KWi6-ygL#HCSW zYLgvEeR$(}Rwf>@IHC=V3*Fr!E#boVE+_sW(zS9V)bL-z$Q6nAJVA3`xtxtW%~|&$ zWB%2k#Bw41RuERrA6I9a1dJ^kReh+?!Q{xLD%6HeSgG>+Rt+g;&-GVvD8s^8$Fo+& zWf-7*pai%H<^#&JR!U>`Ed1E<0!bv*uq_q`U`vC=dP}nfeHcR6P+XuTQ&uS?>1Li> 
z5#EM}KbWne$W5YbKp97580&p7$)KZjYW4F1M>&~Mik#rEnMMc?Ubs9NE~bjV!?zI-$O%v$DXJHbqQ;E&eHbD{`nhQFtm*t^$ zkqASx6kIs?(j_GXf71OCR(bKH=i0R0g_oD67r zM&x_W8DpREMYCvovjxPV7XxAlP!h~*vF74|2AwmX4kQRUe^DncT(%gtraQZnR-Fir7(mSKQ{HY6j*NU~w2)E}6KItV2MIEXT0shlFzsOdEvfvZe%Ox1wLibt znlljb4p14cEbGkmJ-k(Fp{dURIk7?hp{%h%P)(KW} z@ZkI(O*q0i8(3vxCWBz6*)nkH9P5Y1>ghq4q}i|CUj_Va!fQ6TC#ioz?cd)REQkv1IRcb|-f|RgSLh&~H*v^R|nJzxn9aaX%mPt-fhi<_X`K0%^MA zGT7<)vVCQ>H|9FsSQp{4(bMMrH8j57!8d$mlI@M+b(}o2>9|+D0W-s(=dZ_W_rkaB z@gQ__ZOP|87~Zq}%(1NVeumuQcG~^0(oOym;hfxRI|E<;+S#S2oucl(@s|8Fd>W`` zyRqj-%X3mYpjNA^{csOoQ2Nr)^p6s4IQ|0Z8hW4} zG`^#~VB+2G-JwRs-}rK2S0)w~(l`6Fr7G=mz7^SP}h z*8KdjRRi#Hca~+-^cgdj9jDK;KiT3~|MzZqd$?Co>Ad}R{cxk>aBMSz2Z8hCX;WZa zx>3FJa9gFEt{1H}liK6pm?c!vhYxsMe9;q^f7xPIpJ?^hxt>yT^`h)L zzu0T$?tb5=rS}1pY3%*y`Q3Zqdo}$s{fUTqej?(S?2C^9+iU=Zra@yaWb~o@YsyQ` z%oU)(=i#&D-CmMsN(FH(?6bSSZN3DRIiU$JLl8jFyBr6n*pf` zebQ?t29mydPGtENUJ`xG!$IpvF1hB!xBOB4zBQVHIxV+dc}U*SdMgdDux=)JD85GA!wa zf+xl})x&TCgWc3gQP~QGrqezWakBGhvJW#d+LC->rnEsW?T(x}U=~Erh+{tKJPuJD z@(q^{BGM3-QfzQ1vuFy^+CMWjm?HBr@%embu$R2Nk!kr-cV5%cr#^|eXh3->=DV;p zG~rBy7EB`?@p`qwjs7ifc>QFJZoBe?>y;SVI+ynni3VqaB|0O)Aq>M1bbiO)q7q>4 zstb%ktVlmbOP7Sv*m;T>3XXr#>4c>0e}R>?2E2@o;J7LB;*>*J23W`_{g(R{jMQu+ zvBzZ7s6{}j^_X}VS0X)->w_8_Wc;xLK+DNTq=!Xwv4AgP4+ytdbo!|KfG~(*cq>sX zVJmj&pd=r;tTAOP&K#H_jfaylUHcS+rOGhH3BdoIt-{E}{q`#_r_~6S zFi*W|iql@RZ_NB95wXwr`Lmk!zJj22NiJ`8{5iwE=8I<1_7)1DQ3m87lS-Ul@O6 zDyC}3b=v)-M`_ZIW`42d6w|WzOhV*j^e-twb!tI*N^PBLUM-fc#+XWZN6Nuw7nu?j z0?VtwTD9bkA`8>Oi7??bjt7|u@<1Yllxm4h!9o-qf4G5`#+nICO}>^a2l%2n`Dd9fJB2i8ae35m5L#w%+ruhLP)T|(uFxx zB^R()17@OBaQUSZE*(1J(CE=YF-N^(dfx+h&FD#a!gHaiX_S|7@6iNWrvG|C1e-w% zjH+^O6hTz_dO@ylCZLYg394@gi!IOnWFn z3NrUw1H{9vc;sIbhqZ;aP5gmontX#$UGxBL1t--C`4JOS+>xSu#GIYHYH>u!mf-o- z8L6CFz6I3m9RF@PsiQh3%EVOel@m2FdV^$K>;y_IKeiCn%2X0`X$V{r8r{-BrLh7G z3}tr$V%+aog%Ia#sRH6YY`gJP@dj&Kka`91a*s0#V!0bh@hl%y<0!;xV)oC*IgAFI zy#7b+g400CTy?qt&dt(O+FHnEdu8i?L&|N6idu_5c;G>OvsUT8!gDwNL8BPtEd9j2 zb|~8NASg&dprt`k%^b<*kl@5BSc-y!m+<;Q594IoFmQTB_QFTVP)VrIR-)@ 
zQm1*>uFRx9zh0S#_DnKOhu!~EP5@WH$Ov`n@9q>9{8W?-<=atJODG?t>8zEuX|Kns1LiPbU}G zPZ`zk%aA46fN$VgS<7rsexGmiaod&iBDPM~4{BMADISvqV;i1QaeOtTBP~r&`n!*k z32eY+JMs2E0MoY%F5lnj=e47_kz?GBZHW|wi)lWaj+VSY-xxgKVF$U(g|9hYeBQ1b zd^|2QyQSyN3s39zv(BS#z!&zlm!sCV)x)qizSn+e%pas|FK5GN$PYZfZO@51zR$V* z*O-q3^6j0h_Or#nf6%{vVkOa?jzhJQuCB!YQS%ci2sYoW>BC8mJR`!()fNbE~hbMFMZD{0H;!_j2M<7xP~ zW~V)Ml?YZh^VRH|?S}Wnw{eg0=U?V={ABv;nK+}n;Y^MUU+3xCoVulj=WQ=m&-HE1 zwfkW@ntbbPQKT#DWd^Y4Z>r|g_RUPur}v(Mo6MIBKy&?oQ)^Dvc3#?Kvpp=ktcm`z zpN?J8GF`}U>2_K!bIeKe)o|T`l>3-V#ut&Q@l}4VaxSCpKKuemd;;J<;6=Tb|FaqR z^WthWhi{`>$zzd0L#lZ;coTk^Mx#$3Xo{&zWNgU^!1vq2|j zXeN0con;knaFPm2)rz-3#c*Nlt3RpD=~Sq_1)8zas-DEr)sNoLSB)cfH4Fk)ef`+1 z=+gCe?Pm%}UcmAmJd*t%E@tQv7OC~=zu9Cdvgvw7g=pKN=Wm>`g&6qv@p2X*px`gr z@}&EnVX>*0!GRHsBFBCFT9pFEWkOkpj#;B`S6M>ZFUbm&re8rMooqm#PHQaqQP^GrU6G-R z9VD2ooJC*s;0;2)BDy2uluwap#_)tq9Nt1MDe0pfOQZ`qnESYyRIN$rZDa^boDGNM4@z}7+lgv zVk+yDt+=J&V^IDKMViTA1of~I)k^gd31NI^=pyVC(kupG*vk4U@pUqGUnD6&tnTyh zuxlo;G$0qoagQB|$iX-aS#-&(NRqhrTs_tv3>MBF!sO6V9xSVo#SOLNC%8M#fi6gv zB~V+ZwOb)ZuUl3|To}Nh#S6^iiP|**H2!lQif4(${gnROKnt6~pfj!%a5wrYt%Bmo z98i^oQpTGxu{u&{-=f$8D_cF-Q(G^?yXG*e3whrsj6 zw;Z`I$oC(vgCH$C;5H}t3_#poy-8Ux$^rtq%^_nq1hemP);j)dE%4Hchs?mD2!0p6 zcxu;{IdjX41zVq$9+w;?NSJU*RVc%3-$DsuOjdelMvglsOK5!0+JJs*%|QKhJM5H% zCwbk*Pk@V_6G`*pDo{51%re@zzmg9k%E&3C*R&TGE`_* zX!w}FE|%h)oiGh*X!HoMZ6u7DL-bh8G*LH%)J+$R^cpo)YGvwFD1{&bB}SKl7*0#fRx5sA zKaO9RHKDv}Xv&Lp^tEhhuSX2jB8w0dsFuD{3=LUj{lfCtV(~-_Lo+!w4e|MJ`QE{2 z0FL`5=C}UE=uFCFW=~$ zEB_Q9hdE8LtvSv8EJ#}~gEI2AtY9>K84w9rtI+ z&@0Z;W>HbYOMsW8*gf?KOeJH!4uQkHm@ZQs>#*7 z_MX>b-%&f=AFChi*)3yD7ddwGSm@i$ZJe#UQTX(%rcDXDHVpLMPNVBHWPr)+ud6Zl zCj3cVqCa*KSLIUHU!xN1LQ9|nJv$xyfhWHkYtf_Tb+>XdkHR%s zvbOoowmX7fp?aO!>=-;Sz1$+o*vQ&HpI&+?q1QzLtQnM4ogBxs9`0}WbX>!A;M}HY zXpNjS;e{NZ9Kq^g)3Tlzn?)JR@_J9#^=w>ie`;WF-UsnftM3c!+uB+=^fBA!bna7K z@Oci)92MF4HFx&EEt`LF&!#-1Gf{JTS~c9%EBKbErEs5&Zadag@|@UcPv59@Kcai$ z@QrMceJrY65Kj77Mu=s48vZTwh9I?Bd)R@d_c!q^yizIDLdpw*hfq1Y8n2E|ORG=$9>HU-0>k=>Z%h^S@`)FA~4`p07dI 
z?awuFcu9K+esu-^=oW|q+G*!hXr+>k*5V@w{79v)ldXSlxYUbY7`+zQNVg;5Eh1d3e}9dF}aQO)o`q z!dqwS{@e%eeUa7yr)O9eaq`wRC}&$+@96u!?9u4ca~q+2SFH4fPBAv@>wLwIm(jDm zU}^g~%Rcj!c>p+g1^j^MgiP;!yUU+NK1;5m3f4{k_gQDwv1}eLHyEZ;%l7gCye&TX z{?_9Iq|q61BCA9(>+e2j*#n|gP|0y=H`#R7C2b8O4 zHd(|7OlA7Y!Z|6{uYnq%g%zp@Iaokads%m`pYdSzWYEd5w?fU`%R_|Y?o6nG5`dru zPaga$EE-*Im^i&}ti-6$ojvpX<{=Wv+@{z;YFz%eBPVh)8B&42r_Wv-R=C2d2}+H5 z%_I-YlsMbbfO<^mDO*H&wl%1TO!D^ybh&leQ}+VGeS#=;T+1)e(Phxm5Jqn*Aeq8S zxsWVEU^MY=-4r8v730mDBEotOs=UltsK0qKr>$#=b9p%zQVLz*qxrD3=>TzwY1zXF zR>Ralt)@}gJyz|MLklqzCnl|%(`LwI7 zrCArBS@l(J@R`V$N z$?`Kl%WTEz@>mzYW$N%#DNFsxpoc)#B*hoH{cit+-IpUJw}vc~KO&0<5>TS*M}XtI zXt$8wa%SIODlnQ0w|7%~7todh&@6w%m>G=5ro0FLngCj!A-)gzhZiS&&_Be~0bjK9 zPyD2*MimY_B1nW_WnLDcfK(Jr2&*AYs%H0cf_$%}q+%seZ*>ngYM~2a3PW;i3PB@bYhd#%1<#mECf{9uh%8H=SGixF=8dl5mqCUUt4b)PpXBtdd z%3{!>r|Vydmc4^vP({)wQSTJY*(lOo_H&qF^LiEUJUd-3zn>$LdZ9HZXZ$h4*iH^RRYq>bnmb)EUyjX(kKSoC~M& zm#RWgRnTk2>Mp>AWElm~@TMNL$XV0#(e&KF6t(hOq*RTJ|2kXGpc$aix<*Mf2?s{O z?G**V%HUM7HQ{pi&x5WC;A-N20%b+SubKOt>z%KXNyclUkD10m?|$FT;3`N+FD$eo zY1LAbsZkr@b~x4&ZMmqaBf2NbI+ z!cAoHUOP?DwouZ8h$;{l1<6KP6A^9eNx6k2qp{VjD&V96x+Qa#gN8F$lp5_v<+RIW zxMT*=jvVHPK?1RKM|SvB^QbKqVOGF5P2qOq$dHKz^?w-l!#MO(%%W+UwW2zyAgbXU zrhu$nMLOlDgk3-i5Xz%ZZuf&MxX&WVP#YrcS*c$63A?o?e)J4RjJPdsZuq|{k3vsB|;iNgQ)fW@qmahsWtn5<@E!HN%NhKcVv~gL8wC&`zD9h^0E6$p(yo}-G=Dj~*w&7JSa!X1Y>}gH zcfB(`A;)xjkM&owzIYsGS+<|Fqi?lctFC!o+D5Z`+lEcZZ9csr-twG6o?n?xrG3qP zXF2LAvUgbwbtU(hgM#hf=-B7T!1>-D-KIV)`#9sjHV-o&Jc4f*bXdE6*v4?3^}=Uw z8ZXnre;$Xf;JmFPJ-BYWT$qtw(qBtH=k;`lPwZr{dwjrrzaDy@F!yNf)p^$N)kWc|0X`9?`EFx90I;uRjHxoX|z!+i$|njeUrWe02kQp+74gnmbdzc0E79 z2CDG8?Pf?N+@1u!>idVNwHw~a=r0{- zC9eW~9Y4E%re#v!yTe(>U#F{Wpf>@BbaT$PomVwJms>olYsYd|IzCwKBU|yDOujch zH#^Vmuk-hV^()&;e~e>1^>jwuN?d0MGu$Gb+&@~D<2-SEb@qA}YF-bVZAb7}E|y4F z+`NM4!Xd5P-(9qL*>Cbr=dN1*oFK^q5BIxruAr## zJePjMqa5F;Z{MDqwiMuXxQ%7#&f|TbxmU3Y*tWU)eC=|(R;Ov6ObYRxyaG7BeTUxo z#^mmD4y8W5KYCv_i`$cD{41pyKwY=bw-R<)NOY-;&%1JF z@Keru|Epa3h;~K7EdtgF4Koz8UpRL#5EH_{5vp2z-P!*5LtJY_6Oib{i8 
zMDlV6_F&_87?Q+dzDPIXw5VCE+_~<)APHehxOd$pS280}=~(G3%O*<^TD&B0Jh`GV z#3O3b4mrrypUWajo;i}w;!syu{r<&~16isXC(HJ1C^3#K9JKs;9vU^sa_M(LePr3i zY`37~!3dd#%$2+ILZ}OOj@wKpAbC+?=PnD4Fs3pbti7=?+P1diRE(r_;3ehwCM(Ps z%`?JL=}>?1yx@o6l zxm;!_g9>FU<9E@K7PL$}UrXt1c#dIV>D7@2z4mi9ZF6L(1!>CqVv)D1yl^5u(#50M z86;d~TrsX^Na!j-0^Qt^7n*nyc8F8dDx;G}{;T&P3L?%H>7*!2A&C+vD&-tMDRLZo z(5n6UkB=)c%Ow;O@W%Bq(=W{q=mD5PJATKo5S~dV+eqI)=|`Z>1%x0cW;|!-2Ub8& z%QH3!{#Cb`b>EtZ)mMg1NTqN1E#%Ux`%BD)r+82{#w7$7)NWKULZ#G+5No_EJNpp? zrujjaHXaLBN~C_bHl<8@mshoj6%X+)(y&xCA73riKNq79tXDXBs!1u1>erI03lq_T z0z^31JwH}TJ<3E%h(`mIsO}sCxw+FU2C~dNHtK7qVc+`T3ov71Q1KS6DPxBg=5v4q zyn_L?ZCbI|zEIwDinM@(xRB@wGBJ0l6Ii4};$CV}kv1orbFN@?~bU4nIj1pGP z^B&rEAQvk|sU(C!kh!drINaTpeC{QeR#=&C*&=4)ImprwMJ~{gk2dikTgB&=@4ICA zv&Og5YX<;BMpVNHAR)s`3NSS|?>kb5fxOMt)1OTbXa0H@mpI`*aL}ka&r%H$!&(Y5 zPANY(Lh?w0im3oCM_2Le`{l?_GGOkl-3KHj6S*4@fl`z>Cq7SXP17vHN%7L6Gug)csdB3yGu`Ka#TmCZzrLXbMY# zxTaZ;3|XZ>-a3|q$ElP2p-^c6O}Zp1*$8E=hyD3v}cxEj)#y-)_dp-x)!zq`kZ zSfpg?q#L%>V4In}aY5$o2$pZ0)!_pfw!yjRR3}w`wdB9*gB;afODoR)|2x#5rmQ5u zNbdf;g2y5pUBQ1oK^zBeJ()AN`;ptIb;*7^E_cI}8t z*?-HxP0{gg+_`}R98p(H@=Wl#&q{nV=K48xsy!ww z8`yY%lqv0tUo%@B%uW|^gMkCYzAq^cJv<+s__jU4_luqtncn(Y^7K6yD=*uhTRbtK zaC@Zs+q^*CGem zrkn3=c42RW+j=?c={jcF{q9`GB7u4*2giO06o0F(jA8R45MQjU^(Clw-`SPE;Y?4= z*ZU-Cg{}Q=ugc)Cz3C=1^B#-FTb{!wp&(`ZdEOCO@;ya-ul<4D0>}Q5^h70@lCODU z=_Ka=9)n=TpYrcKss|vou4=j^c=}aA*QmjVG$b&X2S6u=NOSEPSIYUabY$%+U zpOQeQ1;b@PT4FpjMpdI~clgrVbq^@?N-VzVyI9Ak(xan#lqQr%q)A8%VL( z^tVn8$w8irT5Tk5%~`aOFti%xAXEK{-FN~XkJ+Q;9 zM2ZwO5BJbM4`z&28+9ugVU5fJfy)N_YCRV3H5jT4y@3|h&ai3f%)TX)iHC#x)cL_M z!2x1R!6%*~c|Mh7$#a2R2HbsM_&_2xm97{Ek+K{XFqm?=h7CW$Xh!g_SR%I>xkpAgB^@--f`orW2s*bh95=}Lp zciF@kymO{bG6zdCo4h6W+2_;#_9-23r$me|vzHBlkpZ`E^$W;@Dy+q+7|xW&Xx_Mp z)~-}8@@kMlsR$EHn&Zc|93ot+JL-)7t3ua{A#VXs#dT6>;Wnr2e`X1!Ni+%TU{aKe zpiIwsJS*FNtf5j>>bjX&9oC*5TLr^B*0iBfCx3xeU?D$=geKkcM_;fgwiyZ%TqOBj zxFKL1im|Z{q98x%uY-r-g)U7I#2FRr%A0I?t{SQ)9T%2b<7s9ob+2$z1{@4(P(B{> zG==FdC1({FVBu+pVYG&T`TM~YAkgFUbFB2gu4#j5fWidY^3{@NrY86~F5YyTB=^J< 
zB*aRE>YETMWXC)RINZe0s+Mctvsqw@byIo8yjZBn@`M&8`n8%hEgt_MU_7LI2>-r2 zDU&)*Z8B78fyUObNu!}2vS=zkMdl>j)($frJ4NS4g{2sY820h%C*T)_0%`aY2Mk}x zNCiW>gc8;&moLhp5wgdmjQ*+6#MG{dLXL4Oo^W`wR1s*yT*jB6^lQ^~hI=(Dszr$H=F#0t zaKlmC*Qf+Gd(Gek$fyj4>cdG9Lr}TB8Wx*b>T1MQcTxsn_@9SOs#W1KAe5g`G3Rm8 z%qm{NYT{x=UK~MxmL!7_1K*seN0P9LROMI>8>1U|?Bz!vflTKmn%{sCA%zP#vvoOs zWBvmlqLr2nD^4(dP)CVr8jY+9($_5HLFw%NdlW%h$nGZtUivSY@o$47?MDAO<5K1` zT&*!31;hDbg(Rnr{DYH6?C=L?jbsW<82+9QPg*%!y!%3*3Vv;UmIIT`9HycAuZc`9 z*~UeMrv3vvcOa;?%1voSm!eU)2Jv#VA${XfPiGN&ZuL#`Ws_3V5Rd1j8T)q|Q@roe*5{V5PR0XKI%ktRF^C3-F^I`Dx*xuJS)n&nTKE@F@lUoDo0)4Y&wK1o6CVlriW{%%yx*CAr zdbgR#yY+T zsde2y@?1o2cNs<9tPW|__*{ei%REv$;d%BkmOE4vw%e?9o>_xSuWYb?-SpJj92|T& zxT^65h<`M?@58hE%Dx{YUFh0<<}{rAw8fnTHCzZ9eV+C?xZez&?a#+IQ4wmM_a~k; zOdQ_J(J%Ns@YUD#6yuK17M|ZwJSHhibem;f=Y(pwp07+FmrQTBknEEg&f3=BpBk{F zcL|H&pOozJH<#T9csp%}u~R-Sec&5JKc>0;x)fZOGg4m%I5*EKsbwC+43Ad6gtjxA zo4Jl;k7K`v844&dUo&krp6AL27e40`=;fOpuSNEiA4O(fW(&N>`D4x>&kpEsuM_sN z6}64`54G**``WfWpO4FD6qm6N^2bz}Swojj1|R#Uk8Ij2vFo;e+>K0RTl>-X3tXph znKHGQ1DDrl$*Pa(w(osr_^&0|EA-?s<1ZeQtkxIe9=?;|2c;SC5`6DHoEx=Zp%sN? 
zbrT=!FWwH}TZZ!$o21po_M05bmZ{}=WVBLKfybL-;vGbs8UU@79MBl!bTVJmje9Hj7a*f;6 ztl9YyH5Il~mp-7xOs0K4h&&dtmsSV+O)Uayml7Q{hciSuz?CVHSPLq)k_D%-UkM-@ zJbIemjleI@J2*JZh1D25NwF%K9!Z82KISmyjclNfb4wQLb_b7T218XrBvTgKj{0L+hV$q2Y?1+spn(uGN%da1_Q zpb{F+IDg0~LY5kD4MfWchCJ!|Kj|RR9cnk2+s$KH7_w0T5QsPK-c~aZbK#EUUPl# z77^Ia^PFu1Q0lYHWJrT(<69`@(M`a!OLJfWhau6#0T5<(%BnI=W@?xn1lj)M{!^a6 z8P6h&3zlPK$O%f7)#qpekyY;F;5;rN10Y5BL1U6zsGL!Tgi>q zF+VYNjsDZkw$}V_jyd1v-!{G0TBWI-E7MK}gJ!${q6;L8piTuj zdvCrSpb5nWa)dL9q~tkac69Vw)vl-~tfYLU$O&r(298WiRi#8Ikhl6tm34DkY*He2 zi)XtYOD$pk1-7+^SPsa2|B0b2rXH&WGMVvQ&*0SQ=-XE2BGG-;p}r=cs@H}xq^rwU#+;Q7Z}e;wS|px%;Q zNwKEQW?G_u!qDE);$>Yhlu+_$oIan^JV8?kl>qSv@JBIXQN&zQ|*% z*fp1-ZNeBE^8S`u$G9|^C&;u6jt0v`pkZrNj2mC|imWiN=Tj_ai9;6>;&n6w!6F`{&mwm217R126|$j8AWY4|C=Rap20KKaSSd$Twu%>x z&@$J>!E8ujo&qAP@v&iM#9ZYJq|O}Pqk&*tKl|U}tFKk- z+0AkMLtT91)06xV{+@BE!1vfy(DVL=4@RH}BSVII-8lge-1Zy-NYDd6@qY`+r}h?a zc_5zmbnU|GnPJ+hiQ*GTS$%FK*n0oXIa(goe*8=1_}+bMQn8MX+d0NFvVC{UO^>Ao zjZNRPjnH~Jb}7oIZt2X{S|AhUh^bB3}x;Y~EeZRlQ{y$8eQ(zTD z$;6qP-}j{+=c#+DtLmKZtiNJe zdn2|D+hqLYUAG=(x$!(bHqY7rQK6^+-0O{dPHVqi@#Fbcn_bp-^*TH`)^VV5vsQU6 zY~mC=$aWnOH-Ri)+VRb=Sx2}^ou5fou zkBi|r-3j#}^>ti+NZEQ{6p}H8eg1giZGUh9Y>Ffh9D%*0x=hb5V{bPQ12!Ob#{C}7 z@2Imlm~uZiA=r96K=;bzIR5BfwcZ@#z3#bx6mdnUsQK!Ae7ONkkNthSj}pS_99L4} zT;7~=ckIi&>hhcrTwb*3l$SZ}RN7vKM(S)@*9FLI7rYUCOFBQZnPR=|j&#&EUbfv< zlW2J))tw%%OW8gB-E`Rj162=w z5UrYL>z{G$U#~XHoKJ%#@SJzWO1)TDuRQMwJwW?uz{>0_{Eo+CM>A%%!=RDvL5o-4 z(@NCIZe1i@@5kv0HV|(VIDGSgXL$V4_I(lx_{byHiUQv=^Je$Cn*wIku9*wkP&TYD z^4WdOpv&{Nd}%#hqyd|D=_8qInQ@eD=AkoyMzhdKz`8iIU>da7hnrboe!B&o)ca9k{SVp7DE4@uTd`S|uJ4OYr3Oed6lMraBhBvctRLFDzY z^j*7Dg#UW)s6`PJtT?6@jM9p?G_BLKa;gXeRF?IrEK2D{GqW(E8kVZZr&8z0e^|~^ zP-}j{=gA*ziieKq%aknSGQq@nXB;vhVUinfmjmwm&HYQv2YzoUFx8oSc(=q`vP+YN z+$Dn$W5ZOv#&b1pN%P5|JYh0fvlg^!mMK~z#zGLqn>^q^vvtTfcWU>NvvB>Im)LL! 
z$H;)w52H=;hsp1Jq*F}o5-p8V!n!7lB*nlGOc5q?1!ueCeND$e!9@2pKg9W(N05nJDA zEvC{xr^Im$drL7}8CfvC5xKM_Gjf^HR-BsLxWqV8ze`*0sh_jj|5ufC_Ae?xB|~P> zSZ>4*_f}TKCg;$)rC~u$eTJMBmKh)(FOWHH;t;jffKK zhK@8l0`4Rm8IGY!g@w%hjrr2@IP z^fY^%mMxU})X6`V8bB9cv6%=lj0D+3g0;`prD-ow@v&=3n`M6kJ`6}E40$rIp}oUp zpwbhdMsspE&zi?NZ^!}&N+L*gCT=?jcPvtp&a^jU93dlWA;XIYXlv=Sx6?9ND$Es0 zsdkHt+B!e0EvjPi4lMFv2yIg&VzHmAxPT{l2xorBA9=dqsg)JwJJ_Dt8qgI9e3h_0 z_Oog~OV>Ho1Nqg9WG*C6xj63TPxZ{iQH^(vE_m!Fq8+6odX6>m)R%RrKedMqp? zDAtBYmnOAn+L(qLMpC}IAd3DFy12m1qjfu|E~0YQ8hTAm+QSlzbU;`FFOiO^8L{EM zl(jTj$7f!Id-R4J>ndEEdZxzjM?3%7${62xBwDgmt%=+_mN};Ag(NuT+BJ7|++3bT z`n?00qgY5Xh?HE)5{|E243kul`ngShSR}k@LL4fA#hxHGZ$33PZk;!G1rmLyDiPWp z+doMRJ@qmh4gWu7rHKIY(2wWGDfH{i$@7p{rAnOI5NZc^9$M^4h z7cYS%g8VC#CJ>mNyye+qcHjRV!~_3%2RFzCcw0hoQsn@IS5ehf2bcQwElG0O!qs^L zP3%BMw|t*Ns{)S9E*3p$SUqrGt73eYeJ}a<&u~;Zd_R5I#>nb=AoQBdbHG3MxM69j z_CLjJ+wZ~pO{%)5@Sc=xr?jqOx`otEd)=?zy6PI{^>$Vd#bzS?)(xL*ay{LqW6w^2 z_m8I)F8A=Qxturdd$%^Gd>(%txpEazj(z=d7Os#(?Ajr+!>4}QX<7xjf$u<&ZESJA z-A>*Pcwc{{h<0(M^yKQOv(E6gzal@>tpm%EeWz=?<~L5fn_BOAzfax}-P4!8J5XW0 zkC&BrHeMszh8ORqbs?(T=4*DnhTq6>p`XWpo|=zB-#2eZv7-8T0sbh>=xCj+M|RoQ>W)xWV>rBqpNigs?CVnj`@a^t&{lZ`X-OAn)NHl9n7qdk2KY}=zN zoL})g0~@&-$KgU@OKi1WjwLoN(svRcl@HrqM$YSD>n>z=>xOZh2dA4-Qa$!~(>>c1 zJC1O-UoX@*TTKAI+nSU(d3e9$$T(cyi%hE8jWu8WmDjSm`!}Vs#a8Zz=?gjsHHC^d zmNg~d3D(nm;}A-uj^;V_`W^E@x>PljM{tU`}aSmZsuIl+wa7|^6UuNw77akin#Ag zS8vPDwz?u9KBib)=?vZiyNSW)$wQr3*~FaTk{dsLo)Q(2uwhCA1n~!^mSI#PWn3e^ zjFdbib1^0*hDa}h>E|~4Ldq^{Kg7T)B@+!{X;E%GZ9a8cYEnY%4_=Iv4SgyN>!RNa zVob2&(|CKRxv*u17P%p9Wv(K+ z`m1JG6RC~(DQt*fA=<@obYUD$SLNY`It7K2K=y2K!&=^AP4`|>J0h%eBk51$M1h3R z$=H_qB&_3xWpauz&3@W5;oiJdWM?otm8z-3f97krlx>r}1|-BkDB+OS#I64PP=%rj zp9#7oKX`HpXS(#q9ogrn6t@3oS*xM=QErd~Yqh%AAi%o7R7~zXCo3JXCCC9^p1lso z<&rYa4s+qgymMwL1AR<}$T_=CLR!bko0CFZmum-YK#SLEr4mK}9f?!cL{tF1$lWgS@|kEw%{^LIMfvrnrn@ZuYTGM22yZ1NB-+31IfN^jq8Eiog++t|ry##&gM5r1OWlST zY>)t&uo~$0pe5isNy+>C@PH&}&;tvdbl#vN|e7WoBNzq1<^tt9Bcux$Y0WTTEee0!) 
z5nU3M`*>k3m^aXjvvQAos<3V&Hw$$;H>|)^E0alG*P)d0*t41L9GSw2u)Fic-tmsS27o< zj97uCe~krOU5H08NDxg)2T69F-~IA-SZ{^VR1RvOJ4l$?tQO}{rqM2YMKRm%EF zD2$7`*&vN+qLMpPOPa?ukPsTj45!i2cC*v$Al+*OmO6wTky?JDO+{-?ljqg-!zxrC zLO7r_@(de#SPI^@BU;)dJpPzfME+^_9kSO_SWnU@GV{Mou>YikeTcCT2jqWyuZT^j z{azH;$v(w!=pM$^uJ|JQRKSSop=9^JMP#$zA~HEt|M$jEv$tRMU_CfOh=<=oGT#A! zoZt)@^-=RPpXdJayzAE(6}L{0_tapjS=;-t*W)mt|NZMM%&J8$Q0snBP0OjZ1lRMr zNDaVwmNv23x5-22jGNM`b20QR>J+zbyaKVZ>Qj-Idtm14bdY4m`xWdqe3SdKSHiZ_ z41kY{+k9NkX6Dh$%~@@|U%8@1!0R|Ao0#qe)<%9|KP?Ar7;bBrJr$L(@!q^G@uhPC z_vR7HwDq@clyv(5D3?z#Z@Xx&SIq&m&zFAtKX0ad z_m3|8n%{lP-e#sV4yv*O>~5Y9rLuNTH+|m=U*s;{(`+Bc$JQ=etX%TAUpCVC5;Pr_ zlk9w7YK$Vj8EBqQ%j-M9;|8x3SKo88EFrdQ-%Yz-zuQ5lXU%8Fj}(*m`D~f5%m!93 z=WRF$8?WL1v_E?65AAzVSIB-?ICb3JS0DSbc8FoU9s&28EN+vX23a(^^sg@aKYiU- zOVDb#z1`kLzmcA8zRs_DA)|HA+Baz@c%3V`c>Q);^?6P+NQ%dqQJOVTQBAg+l)U=1*)xnNM^#f)bU@ffoJ%?>34Dx6# zO0lUHQ?m*s z5_G{pX1*!Eb3G=Y07|T`eEe^XdQ}y&w{Mr0=eJ7>not5Rx=JRMIWkb0$-faoQ-4@c z*aSgdls}nMAqYKoP1m-QTYpxbWQ}#PhWwSkG|Qc1Sk>{Ml30l)&$huJ3)Inab{M81 z(MB=CSGC>}B_lytu5f4_y>@ggBFKPKI0HFBLZbt`*weBk9_8YxSX0J69Sk2)Kn!$D ztjBuyd{P}#L-77u7 z88wO#rDNADY`z%#QMu+jEV>p6mV1M>kzhw`evKK0*)xb+%262u7n*yj^v5<#gvdi) z^U5=MC!$9NJ2Y6sF}TH`Arb{;6$d$Zrv)F`yH3WbLUIYFOIT6QcD(=vOBdu31kGP1 zFz)>V-02ga)pK~M<@PaIO^LSh2+f{>B_rj~k&a9)62~#zX#hz@>>NdXOsKzW zdi_O4XRVMm6HN4WF=~Lzuga$&esKjITClYaUAt_Vq!0z6fyT3Zjf64bUN!+S6Z#~u z#+=T)3259M%I410qJ3#A{Qf6!(Rqr3Dl+UO0V6OxwGP%LVqqBzDrXF9v<>rCn}`n1 z-IYIm>reyj_^G4A1etb@ORlc_=k`@|jZ>xrPcRb0rO%kt&q%#X_K5IgV+KVP@Q`9M zAia2N@4fJAN<(u`(OD6{WyVS8CRubF*EFjSHNY!?#{;vQyT=D z8c^fk*)iVNf_C}`UUKAMHihy%%HITTsya*in(!{LSS4xs@h4=(UPgr)>SK{Da&xba z%52&wIPU%0nI7!s8jW`r-BYbR6H6f0sQNVIJzCR*#^C^{OygN@o! 
z=t^c82UTu~Nf!P}O)-#S(Wl&)8l}cBYo~;L4;<+S9`Q*!_V2mnUGq7g+tEM z%6r7C&7M{-@%+9T1f-CKs!9MSU!==A$q`ukc`ewBYWJ+bjoPSEIVwk6RprG~GX4z< zm`#$f^QG){V)%MWP1Q3uKkSz)E?**6HwR!tz(2vLx2k)rnnE_QA=xj;idz(i8ZJCr zFSLOw`b9@|;LD~$$e*s>+wVVdXu2gSQ_O+>;XR@V`F&F5xtjYMMMS8e^^D#=?+=mz z_(|bk8&+f6A(CI=D#Zd;@#KJh>8_ExRrX2{5)nyA+MPP|ir(|5N^16=UsFLF~6UPw_Gh2_>m-#MEyblj2la>yN zcUtRrK1)cam(5L`6JBSjLlS)jw+Y^+f`vGof4FpcAME^~Y4esP2N+}oC-^S0aW z=lox9Qwf@I?!pE_u!d0$g{tE)KtWojNPGsy&uzLGZksZF4V)I&sLn z-kuQyzN78uAM3R{wlpo1xUc6_SP4zCo)<4IYg0p5bRWkiX}B1z@JVdFZ&O=ejXt;g zOb~s~$70)&O)Fe)<9S|Hm-a)tY*z2Q_M;h2Uy~~NF@D)TY)`ZOervw(T(TQC1zWb; zu4&A7p?;65ZZ#b%n`OM-pZC)rQGDGmy%4cPvEI+|KWWG5@?+7VM-1Tbb0GaQ-}Ng zO{?n@Ic?*;0nf*7M$fJp@L&7nI(A@K`WW!F@>|=DH+t>XKDILLw^+*YsThB@?tK6H zX?CBt&)05ROg0`Y*319NW@7L`7PKr{W2zu8>CRN9!hncgB6^m(Qjo~g!bA9`s3W^q zgfFCI#J20CKy><>II9eC8%pu4pPuTZNLwZY0W5QN6DbkI(V`DLBSbNwI;GkGpB0=~ zD@R@%&8#Unw^{1!M^e}y+EK9zXVQ)NGhgj-dn4Y^$5yP?0MnKwvZ>y}d;=y7**qJN zw62;z$SrfS#Y@n=Y~xx>0vV$tF05k9m&8SASmMGGpb%NBzsK!PGqNc_ zlT0yY%Cg#q3h_$1WuZtdaSC%LJYC znTb1h#vhDLU?af`JFh-YFNGqvUZ_1gfJ%R zZdILSkcH9`ex2GZTA0UHm7iJK}Hk=6GWH$Zw@=bp=(f_CDtWo}H2RwBDLP6*L$5;{p zoxw8{t%yM(B;uCtH0F7S`QkB3cQxdeFMohJ0*d9Yj47CZwk)_Q)dD38u*_NbKgve4 zs8l~EFIw`elMAcHYDYM0u%qG8+4GRNGK^i>YgLwnc@Y>ZSdZWckwP}gLDlu+ z1Cy->lZ@5&h%jU6y;o(y+0P(9yX(rDWHQD71Z!?e7$*xbLddg?E$U_5k6?_K zr}QERm6tz=JY1lo6E}ERgHD4;j+a`vm?f$GkJ7RnG?py z`wR9kcll>~<|-n2j`Jc2D`iGupqCC_DG@yz|LLT2@a~a(#kqZSMUex>;&@M{g_KZr z9IQFfM&>lquXzJlkM$IYkjiXC>u_A8j^xypzp|Y}G5>mbl(lPu-7SBYMLDyll6xix zlC;HE(yRaaaBceOQAqYXh7egOkHgR7&5c?tPDrRCkyq`<=Q_3u6XS04C_j<7Jf=;5X&ua=}#rA1h zHR9xk)B6hAt!XaEb5{0Z>n(?imecZi#d2p0P&g&mx9ag8%w;CEv*Ek^^}hXbZ3Un0 zZsNHB@!Sm*gTHq9ki4O7DR%zssPV|sbN&02#@n$i$z|g_+ezhXj?+~9Fuhl{_?=$+xf_8K)iE-%9OZP(?X@J@M7w&wt32rT#{o1wTW$+xt#u3nNf5bKA)7!CJ zw++N#s?Xzi9X#)tV19qU2ChV@_2%kbO?w@KOXbyX=WZ11ZeDF{^mdKH#y!DvSa0`t z*ljbYsnf3YTBVik^Z;tI>fZ9(_DJIT+AFBH>?4}yKGf=PaeLq6p7k7q9%_4bgVT2W zUP^T)+_aNBKf?$0^c>bUkysIRoMv3(u0~IudyI~l-o@_{*?Lv@Zf2iTlau1AOEk7M 
zo3`7FomMr1DhY0u`y98a$|@Fd*?Q+T8{IBF`*<&(NOnB)ea^MYw(hH{e7Cv%c5ZT; zGCl^F_;?>PtvHX$>U6Fv)YO;&=e#}dB=6mRuXL=LpZ_)fQUSiV&98h+Cw)E~S5Yr= zWOig--}&koR8yMO%sCOJ)WV-^Pv1T&3%}2gFtPtMXiqwvTmPY_K@i5560DP=3oU0$ zCDo#Br1=J$(1d`bQcpCROtczHF-pM`Kcaf#^OFaFK=!x^o+4<12I#EMr=ohEOb;B* zd`tOnOmE~;vp8m^nPv{w?!+;3oE~%Brk^1hL&puPAeJ9D$qDb1$=5!mTghDZu`5Q46R`hU%l~tV200*} zE9S=hedt}FT!T;nxgl|+zv!PrX=T@pxysJZU_y_{2us6i zxOs!(kFMw`ibj=k9xMAwNxbC4kyW-a8^|cCNVunRVGeq6p7e*~`dK|7zq@u-rbwsH z)Fq4vKD=1Io-C(SivbEzvD~x#OaAQFKfj|+z!jWxN)cNabiA2yi%|FXDflBhxh=iKf#~(}8 zN}`fVp9w{KN_$wdc>i)r{n<0*vB}meb>zy0rOP$ORDX$vN)n|L?LUT#e#TO}pc7I7 zhzf+u>_D-s z_UI-rW_r$!OVP^{p9{>y=7?si%!}6PtmsQ%EID>^4gh*#dr(Lpg%fB#{)ZjM=Mifg4onBn)*b@4bWi;O4`}p>C*~}AR)=8-Y)XaZ zd%*kHIN^(8-ug%b{*F=vlEoqS&KVmPNPxDeCNMWE;$1;$GOXMhkw$?F2O~8zqf<3+ zBK;H!;AuNU6fFD6_TKW1lzoyGH5I8+5eMz?<@^1Ia3u(vMUONImyEwOt{_RaK$Q9Y z2WoPa4!QJ*H_0%%Yb{#8?UFpWahIHHnCnk@$hz8VQxKMxf1&*7VuidHU2xMI*_E^pS# z9vuX9C;C8Q?8K$5KRN49FwPMC?dKY|ACy*{oi0S#v9KElj0 z<^&$F+`8jFhra740Hc={dfA$}`9;7mJy=%%3*>e`AIIUXYEsw0cqSe=_`l?0~5l6l6SOU=ql>DO+m4E!T^fbxG- zVJ2oIAYD-@G3@Md=9(%Yk@5 zxEM?Ju}dLFS!L+YFrqLUm}X<{drTwBdKaAqM`yw{O0H6=L>h$_%1Kar81>ndbqbK! 
zcFC4>`21eJOB2PIYJE>ro5=!Z?*1}QCv^)()(e|{j}uA9U1OJt z(?gS6om0i*drd5-VUy9!`t{bvXx3KyOb}N7-uvg;gPyDGb6?wfM_!^FA74E{y=(SG zA82LQ{WzYc+Y3m0t__;eZh2l<0CL;)nAvT4FQBBZ&8!wNuHEIr#%^EFPxBg?-pFf-4k#6&oG|yb8 zx&0*XmtL{yW~v%hZ-y4nLMyAd9?indcdUCwn;)mqYfABxLUr36z-#+; zY%?eK?{g-PSC(@3YeO=KG&Jm5T%`ttuXu zV@f&O=b)1jty)~2j*BjF-zBky3E>+&(#dR(GY@z@iN4kwrHvzC^ZN72l)6Kc21Tsz zen1r6=3_h>@MV&~>#}7msHf`WYP9#l~UTVxK~+xBIN7s;2#jiS5a4b?5Wy zTx-kzP!Ir|83p<^0sjuAJp-lRfo$_%C_u@D(e{CMdd!Hv%=fL0A z_uqev+LL~+*D#dQsB3=7BJ04P%TN`iCLyHk{~B~c!9r6Mow7&y{qnIqM=GS8A(vML z!vyzPf1kBut8>IQIlcu;w<4=h^3j@A8Kf$W6R+kLlktbJ^4F#!ct;3q$@(h~axN8z zhhnAI#yuCfW(f|U;zg(X;#VSVj1e^3u~ZGnr$=sp6Uqx#2~*U^C+IcwV;)X;6dg1# z7@G@DD&uFTWqt>}o)KfPM~}?2Z!mGkp2`jz3xZ0ZB;x#q$Y`xSa*(YKbnGNLv5XK% z({IW!h6apF=-?hxiEk4Vp#(@;I6_{E+87A3WvzlUbt< zI!U8Lo8=*>bcq3BqmDyIU`|{prF+i5BKqu?BDsuCp>n=7=NPLVvU2{m4Z94Qou^F2 z=3h*PMB9UcdGf#Bqx?+BbC3_a_WLdt6|f}tJ=QDOv6vy4FegHSC0IuM_EpmO!x4<< zN027?oj;LfVbm)$!M$*JYNdQismlqZa{srt}T|rK#xA4xN-?UYEo2qc1ECq3gRTt<0Ml2 zi*D{RS&4*s4SOuUP5rA$AIBm4EsVhR{IKEfk#ipi`1YM#J>-dG+J0U0eK*~*{OD2n z#c9z;1aepyZ08>8ZAAx2W1n?QF>H=#G8gLcN}M{gKbEGjW3uV7Wn`zCwW-j^U`=aT z(wPdISD-EK<+Gf*PnoEs;ltIuOKcMXp(-|AOP3dzTUGT2m(1?fvHYS)##)`&iVlRh zSi|JQ<@|UJ+)attFA5}pje=UKhUixNEu^)=4A)GNbrN$ZsAy_r6mo_d6@og;-|pa7 zEsch_V4BFqTdc`rAQDuW%T^TnZiyEUMW%A(7&w}E4qMoU#RCRy`Y`vw7L4B}<)o_D%Tjyd zcxYJ^$v-a@wyFtZ{aNSrUgUD+vh+^)X3@TycDL2tfd(0ZRLuoo9RmHo9yBuY=sG!W zX8=mq#^vPX8`%fBx;n)0%T!GS?i7eG8t7dJ7RI080T1iv$^AElItaKSquxz zWAVxJDgy+%&`=_MMC;~`T(>EYipA|7+Y6T`!N`>`R3blXheR*yFBkaDOCCgo%tQ!4 z-+!5oc$QAWt$Oa*D>PHSp$t4tZ*I zdF}^SKox=2yM-o;F>DlS)`U@gSPK-V-!;z12KjHp;#qrs-ej5U0rETy*EK*t z!h*@Oi%YMALvHa5B_8phLLAZs5#IEk^LDad4!zQ9dj|>56}FPNj!KTbfeT5oe0EnV zteZzK{m^AN?N0|AqLo0MkL-OfeN zNm@Bw``KB3PXCtrygWoNN~iX(;_}NM>4Mav1v>4I9yYdnr#sa?Y!>orypA+a64sbf z337Emr_kUy&U)ljrR-X^kLR_zzV@$(Up^vNOjvy$>zHnI&XzynM^){v>bK5LdhV)D zuE*ERF5P;X_h|c!Qazvd)56rYSlxTMPEfBU;=CNYwwhLOaGMz)zB-lm=_C==X?kz3 zdH6cP*32C~$WD77Jzc-DoKEasZwG^1Tstw}pH#HAy}ljAQ|s#7FEM&VLk~kvR5Vm} 
z0C6)rn;=*vwa^Pb?u*UAFYb@saUoh^Wbd29i;Yp+$MI`9?5CtQ_%+v*J%O3Ym)qH@ z%zWwtiR*YV+;jInd_IIHh zwOsAH#u8cJ1j{>jqh7B2lU>r(w4ZaH*s{lc;>rprB^id>O`u-)6po)ft&jB<*W1H$ z$H!z|)x?(b$bC{98%LExy5G5lm#*tn$NT414_m9vCP4L0?pa$W!wH~y!m9<`svcB? z->SbsuBz3$joUu+bx69R)3h3C5VHfu`-+`iWhBL^ZC$$9#DvvypT}v@7z2UcA3(Nu z_*azIoziEZH_?^e9bPjAOQs(3DQ*83(LWRK^Pl@E*S8sE7~8=CV@g~* zs;G0mb;1{TtFj<#J9dJw5bi>A?JclO39<$2vIUtCx;C6;VI0zUUsTPe4t;Z`3I6$I5a#7OpR#b(UmYu3NjBrSqmp8j8yo2 z;laJ^GRZJslf3K11B+=%xX$caJES zX;Wfi7n?n2ze_}U5wk>FkPwu%yb_fd!ZqMFs|HB~R3#T@tk?pPS?Q4rKtH7@^T(2m zenh;GcdHSGCGM%Kp`?{ch>{H6v80=Lz8GFqz*i98|A71;Qn~RUaK#9vb{?S!E=42z zjqhwAkbrgkYY+k2X$>J`8VIlfWgl|LO5r!ok4oeG9)tWmH2z%p@)5KQ&^om}QGclSq)P>!d?mxdX(U@bmR zwQlc*u+ZIcdiz8`t=yjl*b^(&&w}C<52#;7Ia02iLy9mf{kSKdlV~BJU`FauMZ%nj z`LQU3(1Ye`Bu6Qrt$;2*DGU)7d`9w2Lj#(c3RJ#3*C%e*3!Xn}C&8cqpX4rc|Vq6Nc(EJr{7(}Shm~;3-_hI(e z?5b`8Sn9jS=g2ii*9?^25(i%L0aM`NUQUATqY~k3i3bU1X%M3;Rl~sQN5l+%Kz}$& zo{0r-I2&QlA;F}aMGrKlneIYX+{xl#ilqi>J?YjYv@UqyZ`Coju0=F2k|~Oay&ZBeQ{pqi!eV}R-to$WZ>%})x)xpS!be8ABr_RE8 zVni0yng6#u0#$+_)3pgdA@X#A@1*N#A7<|=@n&$J&+qV&(mbdG2%(DKsN+MvSNQH< zFYu9r#Gy(`ZclyJeD9b2JgjCNI6L#tdX{x^*IvG9U2Ll#bThq9cXXzouyyRuJs$^h zH(H*bDY$*7t$ZJQP%b4@W_-N*?|j=PJ!&`YM>#A#SiI{`wQZIcc%Yju!xd~Z+~~Yv zp4Z1ZwAxS0Ju~Qjj?Y|d<87$mXXi0q+YhV5J#B7Qylw**yCH5k_;@Xgb@)fUXb^jo z;}Kk{!0rtTvYLsfYZ-GVc+U5&CpgWMSJ>_L*Y%TF*^}5Wq1(fj{%x^b0DI?~?hefr z;4Weg73(`n*gR=LZDq&Ly78{`WK!KJX$Xqy>nWzA45xQ8n4`vHM}TU_slUq4bGPCZ z3xR5;!>7xL_w_LNDS43VW}45g#Yio~VIIS6`i(i=ZD`tTGr@B=(qpj5RPW>Aa{pzf zvS&dvt{ehyc6IM>&i2QbhF`~PO4y3V^P5h~jqgcUS>NNF$n0>Ht&73K;Xb01pEs@j zqD%z_U9ZP}S>GzE6gKyJ&u7cRdKZZ&-i;o2koGa|(W2FM?-AMPFE`&ll&@yLzbINf z54&e(xGoD=??4qey{(r;tr4r?9goWQ7m_(-DV+4~8n3~AH=L#|iLjjJqZ`#jv75_> zg%ZFj!s9uXj^ojjpZg~)V!{gNbI%3iMPKKuyH`3a*XL^d1Gk6^e$!)V zF5|OTUG*S?oguaC&< zdhU;FMaql87r9AC7HbPD&l2CU_3?*Gtk!YR30fo2kM|3h^$GFr_|z zEp>jX)dn;hXu>3vz68VD8+iYZ?u)oO**4?%l5Xd=UvZ0>8L5M|V|;;)gx zdQ7z{&K1#crKe!6m*rAm^OI89|H(vW)kB}4Z|yyZn5bhv9zZI#VYcsJ{1WmOe1JPl 
z%c8_3ZW0z|81`)>k29p+`pM{+$Y5@o9Y8cerAnq*H_Pnw6iU!#L2D$hVLh8b)9}X% z!*`KtX$mg6Ei1fI&GS!U!#%&EB!zx<=J}~TNf--d`F48b!$i~pU&hRRAIX1w`jM4HTkA`qbA&CxTgA4h=%7-^2`+ zi-{%~ccm$acF3QHK$$4RNJ?9vOoxyLD%Ta5V3VKft|x4zRwb=V|W4$oO_7|xO@$MH(-DNrM}~`_e^nk z)9!QraLfj0OCQrfgH9NTB~vmOS_(OwL*^STYo^kNLO+58{QrCB?+x^q5T^9sMWi#n z1wY_tOf%g({5-omiIoOzOLi!4^V}Sf%Wyt zwm#R-t?Z<`eG90TKc}x|xBIg1kdM-tHYP`s?sT;R`!b^AwpF^Kdb%6OQW$^>RDkWb z#!>KX2RbD?n>WFzc1fNG^O?>l-WB${Tpd6DFWQ&6x4dm$U4c3tZufI9w>qz9cvsEW zFgw5bcm0`5$4*Ky#(W8ed1vK&D5iyaGl!`)-Lv&+|W<#ZV(&C}6)Ja5V;ub|dW_3FZ}cgtRdUKenvlh$S7@Np7frMtGb#q_24bd$yzA!=~!^58TsC)<77uNCVZ zk;h|pa?S{G>Heh0)_&HRVhhWgf3nSyR$YC68ja)ZI=^H3ZbjQ=x&$kgh5eVW=`;Hz zb?fW+D);sFQs-J{FLK;#UU$_8udnv{t!L^;f2#=au7C1XM1|+`Y*DBC62zs;bKFVP zuQbzPbMh*7qkGlcs%BdewI|f(eKj-kEW3fj=Xv~my{*=B2alGmv~`XG_;P{oxZD4k z*Zqk68h@bma3f%*l-_c8ZIwRnzy|(g1K$TEg88y$}gmZToAbzcxUJ`ApG-8RVSq1evW zhg<^l;(${6Uu_mZpy+zvF5lwff;Yr#C7-ZP(?2UgBiY_q$zER}Or*dc>1X zcP<2DaEmxXUGlpWxx>p6$!sq?I?z81E3s~Z5+@Ftt$@TRF<6y>Q8qw$a?pc8@?h87 zg)$FGZL|$wYp4Wy9@O<=%!urXfiX?iN;QHd@MmG^#Yn3sPNzSj6j?;h&z$--Y&b!V zke`P6t4FgSRgAIGB*x(%Bc$qG2yaS6$z%CNIf$*Q7q<%1lXla5ka!t&s%TOK8-^%k zeJWNglukpI$UTLmkX6A7Z8>gHAWG=uaId137bv~;@j&Y=9c{Ub0!7?!30u@gdv=O) zSA5SNiKTxhR}N7ZkkZ*_%p2;~<-zlE2A*{@8(+Uqg+*#gt$KKMu|=n|mB)-7YO z6*KxYIw8MLYKT&n~OkPOCX2LdO291ciCiG_v?x;}T(O!{rwqOn7tW&7+#5iH|Qbd=# z@Vdialb}xjKhevp@|{cM;gz*@g{e5i*~xmtf#}uk7L!8uJ<3&bVBfLnD8G0T0NUDe zfgEfYD4E2WQe_uGi0sROkXs7(-W{tcLJ)&q=HM{W+6@TEtGHhSVR}=Zdl;5kIg~B=T&j|KZ*wPy@Tjn{2 zOB>BdYP^(Tcb$pAB2lBOj+x>W?HtYuCULS2zQ^SCkqIWHa(}nlzyYC!>wa%)qjbLd z^PqJd!{xL6W|I<6V%B3bgWQ_Hns`1gGA2sPP(Yy4lw+f_n(A!8KTL3+@oy-L-KI?(XjH?%Kg=+}&Nf zhuPVkcfXu}@H}-_)v4=xEx9t#3=@ca1j|vFUSIAyG;wujCy2zDOonyZ)Ps^~|}~c=(^o&us%VD(qu- zcCsHl&?3#DtVW!2u=5aSa0@4!#+D%2Jpc$<3`rZ0Wk!-qHjaz?jl~MP*KAzM85GgT z-w5)@EpBYbK|K}KCZPUA$;!A=(5hJS&79F!sG;dAC1q7!tUW=M6wI(RWd=jiYt*mc zojHM~ctWb$JYvEx2Ry83cPHbcB$CB?e{M0b+oKuwGVh1^X<@|0{6Sjpf7(E(MwZpX6 zm?98r4aAeDu!x~$Cc!Pq28k@=VLEQs#)l05qd5r2=F~*9((NO~&Qzk_B>h`r1(DST 
zHs1d~0oZ?Zw|d{+Lo@%UyL~TV-K}B+zk>q}V4)Kb17<#Y+q?K9L0EaAuhH9)+kz>i zw=F5AU(aH@}Um>vq4n2nPF?Q7=AiX9E-! z^nQ9EjsJYlYHN6W71h$W=olMu67;+QXYt-D@W0(`{H*D@|EEjOaNm-(*jnN;=O0t; zBt&L?-}Sxjgmp|Xj@hEdSbV{{77^nbtzm&Uo zD>_~B-0lZ8_`W_(HnnV;-)bW0H-ocR8M@v=?qgCqu1kYBj1a7*Id+_?p(1;^mO}^6K{JZ|Isn|J5LT#?PkyDYvivg2X9Zruzth_)*>0*P><;Yv=jJ z@!`itw@mssCQmG{*Wdw?=$LDL?>y;?DREqqhOyn%dA+s$W@2EwC-YnG@Hv3bWoh-% z<9?RVZ(B`sMe4G>KBl^*#PQh#u<dJe!X+|3c#YUR0qbknt)=;X=t zcsg|hf~wv1vAArgn|!rgiHPJs|JzgIaw$yKGf(4?jOVU z6NA!!n&+xL?2ESI@*|`W5UD`v{l1m zmmD}L6B$BpYlIn63&}QWb_MrG8Gn76Z{2g%DV>sV$REf0Gwy1!7T}Ou;(z5Q72q;b zHmA`+UGRtRLD*=yCP3F-(!f%kbpGBjpc2u&jkA$+hUD}ts_&-`(7R=NIc zg#FQ2k}UG0Y8`RRs_)q|in>#RT=D4qTDkRKUC!TD7U@Njumf|HMKkg+Nh%h23%b0_ zN>$sXtI~XGs4b`XO;&>obn3sdaF%c@(U>ay31L;LiU+FxY8bCIlPQUR8g)1a8y*1I zPEj}PP(BaUuK`n(P<@t_KD#rj(+Aumo+Qut_9G&DHXVE55!Kt&Yt#{%TR#}k(tiC! zl~VRNWcqP!R?HMJOK>PK<)peqpz;E%j(QZ0GoC4E-@gAfBhsWKic-vHS)Mgn8vmFI zBh@yv>_=JVQE@!J1$!AfArVI*p-Edb{d6uu1pns~i6=!6G7Artv8HWmJ=DTr#GiT3)mF_4TsF=5;gXY(8Dq zFi|>&Ukjgbs!HGcO6d=H=nLspVY?#jT-zmgtxIqtB8@K2?gao}gH0Pt(cE6xBJXMMdDn@3ThvODjtmNG6Ib2^loy z?kgo&ZngOR%%P!5_$(3hm%mP2U?AXzm3Q#jd{U$y2Hn20!0L~aWTU`JunX&|^&uf_ z()IoiIVaj&c|@^__#dBjQB8J@hZgzi*|62bjN0SoE#;Xq$`KcewT`I9`j=0X^=d-N zd_D2ReiELd{M+8*WZ>vB#z2IQ8zu0bwu~^ra@rOE}Bl^~4*{Nln#W#s}g+stA0^}Kx0FfIlhK3qwePNMt=!C=SOd8Os<+6z3 zRpd>PUMSP@tTfF_Pcye{UUk%TTO*-iY~85jQ%t|1?nYx6RVO$h`Fj)PSa6iEW2MD1m(oy^~2Q6Jii!(fvyi8m0bd}%9$`T8VYoLtk^*h_tE8*_0d z6NFL{Q4pep5;TSvRi=kr!fP5?G83e28m?BZ^S75_mce~206kH&GyANu%Tkz3IbSZW z%{pr$`nXtDNeRv2^<8QX)1t2`-6%iPfN<9voABdaB2v~ARvVfZBYq^LDNM3mZfc?S zj2%bLXy!ix(MP3QC?$xd)FYm)alNf!=R$J$v z*pU-ILThR}!S83BC+MFSxJb`|`mf=eki9aS@W-6g_hi>a#-*xoB5tb|KD1w;DUvg5 zHE-9Z5rAWp$ISEyqyDPFv>Td{{xhS)5z?dbnyHm_?MdC`neT!d$?~35kM!l(6u(na z4`T&~UB}fB>dT`y?TsF`Q`*6Uu8BPRedz7wX%yguNvN&j$wgvQ-jp_j4G|Ba-Y6 zNG98cz;0clR_uZk}Ib zEw0=ac0`@0Xj1$CY*{@j=OEF&eWQ*HahZvZv8`RHU-QTEBACPze5_XA%J86*b5>I;eil}#D5TsyW<`BVqne1{qb%j~~%^%VXu+9c>LC60cDIr_4F?Q+EYp^McXz@V$jGS{T7bmAW 
zF3t(#^H8j$v{(Uc?W#K(U)-(8Q~U(7--e&AaxgQwB#Aq`j4O&);1N<(U-x;oK4+EY0xb29E;wo>Wm)8D^=*cZ`u0=%9ZW#$}4B=`IP6pDE zQjrqUB9c~64d_B5Yyxe6L{k=?DjBTV9B~kT5EWg%nIPvWeY6+W7<{{0(09*@ZB@J& zFtY2|oXVWiz5ye{KL$*A(;Snd>^u4Y4Cm+I7YdhT$gyj&ax+C+(n>Nb5B!*sOhn-w zw}=1JSB`maGv&If6a6Ldn@)=q8~aOIyISEJG!>hOpz=9LBb_UO4p%K)zBvC-;%9~& zqlW$zLn~lhb~duumL~0spuYDT1E(CdNr-MO_cM?lsqE@DDX8p{@KdHI zk{A)^-M^RGuSl}7qu&|b@)fikqH;qhIHU)Meudo?qfuoxs&X+Szqmu^zSn6R2f)t= z#Vrb*dx>%)tzxaP;{~``8H(eJRO$3++&NL8!S7mA6@_!~8jW4R!sj;E5 zFquc?4H=z z4BFF??mrgjGup#k7@S$8uU&sv7Q`-BN%_pgwHMH(w}h)<5u_y5uAJSm(FmoKhshMr z!R6^O8Q}FLeYJOR>|rc@WTgTdxZ6Vs3B!fa)4EmfYveZXQK zXR)G=L{*)Tzjxq8<~M&UM-tU@A^m6y||)9!D~Z zpFD*z)PZU4>=>J5jmy^CidO)qgH~j1m#8A+-R$3wRjD>HN>K(M6Rs2(J6X&uZrFFy z8UVej*W9a)Y#e~qsJ042#!TE4>stRd#Dctt57+tE{nnTAR_%OFqzYr#@K`q5Wk;iBlW*7CE3}F(x2nK7HSM!GJ5(kiSS7+Cq9E!rUZ3^^5f2a zjs^ae^XW{(6&!0xn4&^*E5UVqh{^_H`!nfFm3$w87-NdY&!U)&98JRJ@yE6LDq=t7 zMZ028?qMkt;)t^2Gze${K8Lg>L*G{O+y@zdH)K>8-%ri*%bemRI%u~qOH=+X@ANyV zEYGrFB!$kUS*d9*$S#$OC-&zE z&;v0$nSLI57d*nOg&;tz^l10l2K<5E<>qn|R+K}WQtdvuY3B#9-;{A$?7TkksvQib*0ieTeqEW*oEmJZ5L|IQ z?s$an9LGO=znRoUFJ8qxd&ToPs!`M1ZQlX8-Cv})Oxqn_-ghwDbWgZFpT4o#>Oa)V zuj5s@jm9Lq=yjW?2yArT*OQXCL;IdgS7d4MJVjwe9KN3vt{%VkG$gmbkuw)xxPz0@ z1bu8FxPwO1KOGj0)muBxp9|a+zze1|nGQn~kMs$AfIFd^7UtYrefQnN>xj#oo_mSm z$f%)lh(TyxRn z<1A&`fUEzsZ35sfaq4rr0B-u$_#Oy&RX&|%ySc{PkRVoT@82Om>K_mKaHb15RpDQr zKb%AbOLP!+whh>Q5JulGHg-cfJNEORbBcqA)ys1L=T-?E=;~#%++aa@2`i9yRwxH8_5#EMu$u=HP3Syk6t^o)cr*{FGrp? 
zKy-cI-VX>~wElHR4VBuOR~v=vTb}^>=TVs!IQs7TSvt2V{ZTOF`Kf1b0n%6Uv5@?* zqJbaBR+`N?!utFP0b!I{@^)pK0e*RHd(+h)WlJ)A< z4&529&*A}f#MdxHq2gr*9pE?9>5vn$M7ANtP{vagW*ck_E?Ghrl?pl$yPXUUj=sP5 zD(d*yx8|!xFw~$bm@E}s32muwnunI`qeJBybkzOAh$B-sh1%)}p1O!())I;xVoqOY zbXW`>zONI-t%G4jg`o1ELzeKHdh>Sr0_jxq<0`qnco=ULF8E5SbEuCurN#aGEe#v= zZyE~j*wK=XQ}xd{^D-2C3hP)M(nEhVV{$p?iMYHmW&D_Bn_=@CPUurVUd1o5VoK#P z{x8A;h`7@BW3@K=(?L**HC(uM5OjKz_w@3;9%7 zu1W=?bAU*V?RHz-3Ecq8si(&3(HB3ff$q|QsahNqnz;dy308RCm1C4JsXEZ~2)hcw zXX#=Mi6(wC+BOtCHB51jWzioWoKq<3RQ9Z&bFm*06M;y7_+d}ACf^0CA)=~vd0TQd zq`n!C5QcH*TQ?Z3#5cPkhl+(l&wu8ra7wh9cKhb_34!9`94sDrvqp^!*)9l7Vb{{) zwDWT!zlm{@oI`0{U(@^4PBqIEL$~8UNEzHo)HL>m_0|ly3AQzYXZ`PuYfxaq02aB>f!fQbph?Quw2KcY}Ar&9` zH^XouO#X^>g6?zER&6{{@|jXu(WovbU=)IzVxop^?K4p#=Dg{Z#|g6{_ltE z*O`Vd9|@1>75gtd)5ntWUrc{>ETWdB&qCekX^#~;#*+`=u+s5$s>;XOE4w(fBVo6j zw3#t$tkUVmC7j6E%YJp_UiGwc!ja8i}SLhL5{o!1zgUOvPz4#v8fw+AM~(3$xdY!6Z8=nW>n~v(Fq;?82|I zeW5fx?^KJQ{jNwYDQ|;7iS}E3-_&RM(vo~eSffHH>Nu8oV!^vOno62qgj4xgatwtx zEgnlDeF$fPw6G(#RKe~x%{A8oA^rafBo-bEvGdmp&>5U#SLg!*psiB!Z*5)*a)%hP z{KEL&h5?3Q4hM^FVTjFObmM`YL>xg@eI*w?;e2O)9h<#1d?&CbhSmjLO&}_O?^f>y zdZ9(pA2iRp!0~w!Kcm|PG9A9J|8mqoX>c4#HKF_F`!F-Jo6@tidYEzxXJ}+L{OWbls>#9omX;DO@bEH)j1FWZ z5|20=2Jl<8PDEGu9FB%Qg2Ag@q3Dof-SG{HH_u(0w^dRNsZBssfJ?8F8-vRP0T+2_ zP1kc0eqEg4VfWPaN<;&2^Q@~4ouF;|Iy4FWiH0A*buywZ__Ax{+j!IKw9!ony5%y{ z15b|KTtAW?W^eIUoOSn6UV1xLHOfCeoBZrNDVC`&6Sx+7?&8bHF}>j1OUP2!#e?tw zhLvOhNsv;$sq5FnX13?o8c(z1LoR>4j>6_mBW>Hq)43Kcr;W)tf!Cygz>Y3$!L`F_ z##Spbr>UFm(Oa*!fi%HXpVMyiO^0WM3Tvms(=p|rwe?)SosZ|}Lp@rq&wZ2#`;X9O zUF6oT|70e*8$cgOQ>TG@>bDy%^zy~3SEom&Qv-T^#SI@|OSZOeQi&@oa1%+}O5!4# zZzBzE(hCxP2Ujx9PYObOeTJK`eVEM~7c;v|&0QtF^TWQ>UGP00Hgyq{d6oeqyfqwN zbU(ZFbng$SSC0~3Z@A{JtnD-zk@|j06U6o)44m+7=_=5Dx3s%tJm7EcyA4f8s5k`M zzAc_GLm{Z^zic6$bzX!%>%2Wt@!8nP&!QWm2k|F=n*g(QK@JHmAQ6z| zd!qQ~#b@-%7CFgSzBm@e+Th2Wnn?(i_s6(Y_*;J2z*{9vTU#l(;p!8Evgv#A%s5N) zAi0A;Gy5WRBId&0Uxsw-Z7r0~arwwo;^f+m7R7PtdsHL=afs;?>0flo?3*u4Pkavm 
zb#9vmG0IE*N5@3Jrh+y^k;#O*W+-KvDM9rnGE4zb@gK+6)|&O!AWTXjG7Qg46plN2 zn!Lvi5oF4{^dP9bmR=tzCTgzGD<2dmru|Ge0pJ_QlnL(nyVsJ|xvx5FD3!+dA7mc<4~zhP#>2c8keq)WaDfIvixQ9DTNw` zgst)yS?mAal^1-!3dyrpdUrs)IW9g|-BHXr@Bb3GZ{w35SzKU1Ws`W#R3iO5Up6Rr4!LI3p0~5T6PmgfmapvIavkv z#5tD?&3q|<+ZNwMgXv0CI8oXcGf`=ZBtb=9PtN5LMSKL8cTzL?1&M1Rm_6$Q;zWcE-?T|M7L0R237JVDHb}q)XLYFU zugT}EP^t3%lVo;i5^Omb+xsHkVQ`>g9$Fby5~8$)zRCGfIJt>|x%`O(Z*?gJ6*m>5 z;wH|}1iup85w+6f&+N0Yl+^4fl{Oj_3y((@jKU?)|7bqL82zG9OrJ_}dUs5u3jvW? zdv)=1xI$@9T+_t&F)SL}+mlH_LnnW4r1|ITY5iNdGCn(kYF4IRPM^e?n)gC2>i7>H z=22pp6ebNkDE(a9fI19cv3WSkmBTz-BZE$M_#5bf?UT*oDN8)Y(Dc{KCh6m^nG~g+ zv15m=;6~V^s_WKhEL5etAWu_6#dlY^z~$#Qt{_3+Cjxj#{osmGy_k*1`|Zji{T5bTi%C!Lq)D4h(`Svt$R8to6gA= zSG6%1c|w4%umV#MJRb?Gp`ajcluw4P(wkeG%tK~0DGAL&mZm0{z?jy#cw#xER>652 zl@!_<^iVRSG+*tYLi-I-8py^_csC9^5A}B~Xg}6Dt)#e(>N^@zJt$B*%8^34O+Nh6 zfU4-#7H$b<%<3Ae*pSZA=%h|IUDB&gpn3p`tE7srcq?14@*9jo15g5{_|8pqR_TxBeUK;*ed0GGt-{|+b2^c)CW|)d2 zcv|IcWK8OPVfb=CVm$PF1`7$3ehDSSby76=1qLimd}!mQ>~NJ~Ep|pRIkH_zt&AN$ zd9KaN{Q~b~OyYc6_TcPw6Z$^xF@N9nGgYdj?b>38cX;`!N)sN<{TZBs1w*n`S{$p& zisx?sR5fuIO0@A5^ZHC=t1R*Ig=66#Wei!0=5@r|CadJRy%?}#Tz1| zd8&q;22CMLu8AUVYurleRfRS3%CI;5V*8H}-V!5*gCTlQ7lhB~yk3w;o57U#!%i;T zO-RQhDdsQ>9wpw(=@a^k{u=^>05v|};`-&OL+&<_bvEj~m zH{ad!ewDcN==0cyz36EXIihF$hQ7gnkjLnoaXnHJPkQcU_9{^(QA?k16r(R1kHfRa zbk2qD8xKAoli74U`DwM*be8#6-ti7@rx=`aTixPmvIjYoRN1Worie+&y-4ejboq#U zZYLFR79ZE<-<}EYNqy>9z>$3uIdNu7QsGxNANfsd`r0+w(4Fp&yx>`{H*m==s;iFS zwUH}$Ze@J4lTD8z`seXAjBkn_7-Ymr4g1z)mZI_F(R<&opgPlQN7G9G?ctJH!zD@o z(&c7+M89?A;gX*gjj1bG*GNz#30xoT`F52^Ex%Stnq$qNr@u3o4~J|lQeV!xz_ ztNX_5HM=_^&^A1NI2{8a>U?!vQJ$8wI&X-68oZtGl+kV2`jWF=4^}#@>RCh%UE5*Y z&-o`5-THh!krVv$>HZ5cGvI-5b#9>lX*``@&OViIUL$pf{CfmS*>%h> z;_5h$>LIVU9%aSwebD{>F0E^g>3DCl&dfgk^dsQJ2@hvFwl9d_WfNdUtU&ob(t2B(-dzbExPmu>4OdpS0t=dA5MwQ=FCEoDL= z8jzmdH`1rgJ;?%nHbBB|;~_>COsnO&XzGdaib*xi{$F*}VR{4#9sk;~Lvv>fbp;^a?|zG> z&{#coUJ$W7Q20ezTwYJaVJSOUEYy}<{SlJ_{|N@ug`62~qJ4~N2MWKLw>*}~WT<@s zo6f~nWwEuAY?(w0v)6yQmNxUs6I$zX(6of%w@_xZGSVs%JD1Xoo{wbInJudPO6R6& 
zMpB*0w&hY)tQ4K?9YL*?>LALR-;XS%lJQ9z`cFuu>bw-%KN2RFS?TBCbH;+gWEV@i z9KHJ>7S#G?84F!vx`DSEF=AP> zSXgE~O5J@qn5R)PV$cz}ASPGm?ujXY+!52-wK!|a`R9k7pu9STNt7`6{o^5xNJ1vsQ(lw zO{tnxX1jQd_urW6%A$J_$74^X6*#gnq6jz^cU8GK9^&`$g>KFr&j|k)aS@bZ9M<|#Q;v!;&B4jJ6O5x_EN62U zxt8Cy)cX&U^C&{p(X=&Da$U*fA+BnwO2L!d)Ep%Ob(u_`X)X|UmSMB{N|!&0FO=i( zfvlUq%@(YwI3Lr%Sav7Qk)zw5R{3rvS}H%jF-5liHa4I#rEvO2C|ll^tWEV%nYyb~Cl=Vmf3KvIxsE z+tg^XYh;LGE5E`=s}iKY2azOLC7wJh6~e)_IlXnzQ~frfyd^Gp4z#Y4s%E}FJDbEg zP3jkyb!PkuZaHPYdc5SI&mD56UuV9TjIw8_{+CG4e?0GEHJKznrI>?Wu9=SQ7_Sxb zvcR5kTOsZjzrcX_ky8GXp}s(+i2LHOE>7QNNUB-BB|Y$u3hWT377o2Cq7}Y!GB66+ z6{%Rs=ELTo+;IF2nVaf>KrX6Sw~RqVRJpDg3D3CDIogp}$wGC!RkJ!#G*ZQ$P8r2P zf0$2&u02`;}11R@CJ(uk$ng|M&u7gfk8 zsyINV*rf5aKl`|Gazn1aYcHgmFo?3q`T7Nfb2c^h(@dD0SLU!gi>e}rX-aK33pcip zwf;?xg|)zPSzm%h#Ty+Rz4g>&MRn8Ot>(c~&5RCS^fvIlVK=)r$B8lhUjZM&isUap zez1`*A>Bz&^^i5MInVRUkMQa5;aISLxAg}AwU-5u$-kC~eHP9?ZvYR=)>#xwli0S^ z?HN`;lBfRgu>4~wt!2MuK`6R6f|p4T<)`%Hdt6I|1N0hFk5yiPcTm}X1_Yy!N`Bmcz% zs~>xDdLYX><&Y!7l+AJ5WbJ=l`B5azyL=Ko6fN>U{~*L^zs|fi>s#yJ=faJ6U2gK9 zC5pB9zE-|wp4qe|^^d4$=ye%@PZn?q^rkaCA@M-Qo7oBl!LBDCZGinum6t{hmeX!S zb&l80FnB`7?J4HcB*O`<>pC;0%17_z8T{zH!6)?MTtJz&{zwppep$Ebdor|2^oDHI zI-#JZZ6dQB!`0JicAph0xOU%wko$a{!&+qHco^?A?P(kQaxj0sp`2y5sSOx8i3B(S z`QG{|+&mE1PlwlS*N%sFP8CSG%!WjNa_`o?s;}MY%JOgJ3$(1Av;sL-56Trb;pCi? 
z6qrHoz$-rv@b12qmet=zv2SjxxPpv4|*BiqL1ooDnYv!y5Jmpx)+0hYGMleLbH zrbRE;JbHA`KdoRXZT7>=hYk33<+Z=vLH6$yD^w{&4RbdD!x*ow?0CW4)}<*?f;iwu+z1qi(_>uJkn&>u z9@%~H1{ryQ5FbJ?KJNEHFFBj?-dK<{zeIYUp^u6Tct@C`rpvtKP2kUw=;?-hhbX@x zD7L$3%-p55?)%)S?)cFAK>C;eC_atin`N zS{2#A`2mz4ap&T3lp&lKWj{Vg|4YPA4y{esuw2aGxyl8xwgylN%HGCzj4p6iz9!7HyRbi0}WvMe#x% z2<2MYuFi<9cph~{dC;j#QAI+NTDyGAHW31!^xQX1p{Z{gEwajg$eF^FyN>@PiPJb4 zj)n5kRQ%G^R*r*KD^@nGTDfeo!rT@1^bE>CS#WKI7b+Oqczce~0J5o(kPf`0UoU!L4O)YJyA<3M?#cHfo~JNwWo6JY(TBflX>Zc z*+wE+rM%ck8x|~X9cHN0F%^bjTlp$kMM<+t6eb?9UjXtRyMEdglsv6-(*YNuOMzxU zMpbVUUlo6FvZEX?N6x(?@2t=h zv|pls^K4EuYJOptQ0p>Jqm(q#($Tt1-Cz6j#|v!k_eur|_!^DlNb}n!UQzY>h7Ev# zFZ~G_Uk_L2fF2V1@-_`H22Wt}5!`^Tt-&9LHyFs(n^|^q2H-`36&*|w8r90!^11Ne zC-H8Jc1fla-hv-X=R$D!62TGK*}PQTrt_9s?BlXo)`#LmV9IEBUXjk0l=rxiqBk6}^rHG#w~rBd*pCK~DIwLsDd3Enae<&-rQ z3&l|IQ5+)I3QQi_YVxL--KT~qmy^sIG;k8vA+umrr zY(a)fqL!vDT%nOIDUgTH)QsLUHJe|G@3!N{Q8iqD>7^_eTacIiozJStW2ve=1yB8?nJ$Mr1I;?yQe)O@V zPn(8{l~DU1byX%cO)RH+Rh}h9MHAlR!+q9O#V3vV3Xifv2N;azF5l+M0x7zH&yq#N zC1s0+|6rduYlMSWPiPC5j4cpua3Kc{krlqj>Q+E1&q_u6?Gzw%|Wyad` zw1TSf2VEh#IFZ$gf9GhtX&(P1k(h{7jbbWLmtR=K=xl$>YUve#Yz_QLFaulvRhY`D z(GJV6PH{>IiQsUw8f)q`7e~{pqKUuBrzn(^7v!my|BEdirJ)l4W|Nd>xN4d5SGM|_ z5!{k(b4ivXeky243!@6o)xmlsd9ThRU;P}Xw!Cy+*#;;1?^&)M*=gxKN%M&7B1!Wd zncsTAU@Bw##;0F0sV>=?hiU(jD2OQ8_Xq&a6ti!p<)5I zOSl-X!$z~#&907j-AKrOVh+S4+GjYLSvHx+M%(B1j`_0tp^XCAb=-h{pi{MGt~2n{ zZM^C5ynXt`uWlXWgx3BZi@pikJI-8K=IwYOz4-ZE%LRCttbKN)tj_P2p^KyAKI51I zI6HB2YjvIL`WQ!hJfsgPpn0;3L2O?kPgiAb=$*IV^19>o3gW)(>)8djb*BY#E?vX7 zm-nv6+~_MwUxdd&T~ZUs3n?;l{RmuzoyX+}u*UN!MqTG@y63`W+nrZ0YO(|~!wnh6NnGiht)(;OU!A{w}@8!Ev>gCms8@6Tw&WMjKCM1BZ zMFjoVQ~P^}#(}_TCClSSH12u5&}%jyr}kmO0dka=x@=A3gXU{JsV3lO(StFB*F2+V zz3XaGJFA($Wm~F64&5rENtx-V9l9XI{gx3Bs*v1m3321nKHV+>+s}PO(VmC^zC5}E zimY78!Hsj!fIvM^x8oj`pzl^bHKemo{v4ajVx#+fb8+Rdpr3@9XyTtXL+u+<4iU#= z$U69@e=KE@l-}Z=FGk}zFECq1_c|d*r!C$`XPf%4Zq-!-& z!R75dHKm58(D}Zl3-AV7Jo0;;-=qkkS3}b5AyGYVQ<0JNvj_;J?;M8^!9~dBGT@4N 
z36OCQv7_z|hio~@PlC5@0RIAt^QDzWk_M%^n;|riW{AT6$DA-~Y?CnIHfQrk#O;aT zN#{I({%?6xdv!utnN;gQnbs%w7^c+cGnO-drX<#x5It4P(m9;oABe)`{R^@4xqB)o zR%8KTJ6psBGA~$zVaRM|2cEFK={l3W9_>Yu2|D8b4h@xFsGyeDV#cM6Ex#+&yi9B@ zS}BGlp;EGlLYShm2!V)^;oJ|rF3Sa%R3thz@4BH+%?Y927m05QgAqom^%mp1+mBy-x`%&a@Z{dD#LB-BTQH9du6=Ka0_XQ7ZoiU_PW$;*VygSG?J&l z{6pjZUzhPD-?aa!oNr;vWBU0IbLu?>7^)( zL<78(5NRqP$hShG5S48&%aD6sj_)%R|DDQ-SWO%J_b2h;Qi5;!IhZU-DvF_fHrN2vL=jnZ|{AV~($W%-r85nLV zURkOn{24B@B{DFtLUf>Yn&4*wV~GmNpEQ)DNru03&a_iczv9D9^(5nSa$d!6ZuuaJ zAHx}qdD1KJna?gd2ykH1@vHz*JSc+1(5PN-4^j!F!#E-;ibrbDjC{|RoGru<6{bu8 zVq#0}4>@Zm#=+B2GBKBo#T%5u>Zqb3Ub9rJiqy)({CW0P3>h6gJ$QwaMKs((!Gle(@%*IzqBkKs@}PV`{G)x@&etM ziFqX*cxR)5MWzO;%^6pC?mS{Tt|c9b@pHJ{#x}7U1xoWO_>;K2gPSEU(d@C)R;g}u zQ=a%}*d781!%WCG0Ey|Z&v}G6fHxqA6=&4Chs2-IB=To2ewc&k{q18->-~OxKrPK%hD_s~ zH1JHKNLG_C_JW&^xCR6Q=8>?m6y?)L=d5=}YMdT%;?1``ligiZ1mN_s}m*u9?h~Jf}Vp zI*!E5uq{qry@ZV2b=m)KV!8nt4nCX%YZ&d`?g_UohvERk=e($`PuNfb9N%AuFpfR< zh08ZC@l4DE!hTAnv5``%$vUcuXMKJs#4H&_1H~gJW?+KK2fpqqty)aZ0vX=_KN*HF zVqj8sr-0d3A+Oru%+EkI!5bXCTdys_?@{@9@>qLISEM_yM<3R$cs!A~QLe|FR~Ccw zikdWfrh6`{gmeAQn~-@5ZDvh!HBIM_($F5&3Vw*h3FOkc`oP6*azwHxd$}jBb#JQm ztg^5j2F?DgilJs+!ujFm(>!yQ<25LXVExqRVWzPqRwKw^wyJO`LxM`Oail&TNtkKh zN9bkue*81zZCjPt=fi6*yg?xda%nQ!>Nx`&*sdEn)}WHMDOGmbU)^<|E-f&8QZT3uc zXYF6QE|D+KQJjD^3^g|yhbfv{^9#*_UgX(tM;G)GDU3aW9&0|Y(kUcwv5+&bN7&#{ z{l*sGi_xWQ@3$M1LQ&*XTW7cz;nxsCrVLVu<|Q@wUWU>0VLz1QX?BtRtku4mMGQhk@)^>`c~o4a-t~Ob35In_^SCr0#bLT%XdXs z<@NhqU0uiZZYRTJ1Q*x_X`W3m+xQsAyXw6z24)Kym>uQ`f-MTzT(y2Yo%x%%O>H)* znhaG)1FPE)X*u=BnH88?UK)_!P0lyOR>8-V`7TMVpa3`P=q%CB2nbbL!)x;@`g0Z< zx)z_V!(I9)Fooxq_WW4eZR38CkbpkxCIxr8%6d4{<;*cnAf<#^suc85|#aA;=5T!i|X1#=Pu%S#1YCQ1k@`$dfQP$5a_XHc(gceJW@!E9l+ zSfK@5kUI&9mpylMD4dJdScjJ9SE=dTqJxgOq-1FlsB6^BLQa;6@Wd=Kc}Cp|%QlrS!vagttG~Dzpcx`DlmyEyk88uqhzsbVDdZ9F z9P?%`l7^Ls;WS~SHDE8@!zu3=FgUId&kL-(X)S7zWCek38O)Hl#PHi^T&la31fsP^ zqw=3@>Bx1zW#zt>SzIOH(2bU|Z`IKa6JAf|Uj5a|`3xPFYl179e zPwX`GInfkR`uo@*BH7SEtY`6T<9aPIyRwpgZz#Fm1e{2da7&1g0PAhMUt_OBp%x?Q 
z1V_FK55fVmtW0L^XIr;UTN>U0&%Bcln{-K}zrYFodwq0-Mb?g=Y_p%3N?19SX5>r# zdItOITTt~LLl=kBnQapfsnG-)6~=PuKVo-EYI7b}-4A~Y(u~)a*uv4B$uDiChsS!q zD_xYd&`IQ3M6gSf@%uDCB})*KJBl%Uy0;dDS?YJtC22t}1jTVTz;Ms7C~#zT4vOhe zOtdn>UHslM_C4vj&e7);-v?Zimc}EMG^9l9KcU|Y+~#ed{tK@9D z(Tsl&vn&5m4ZW32ZqZ;8`w_u?(jL91q&MeM87J<@R-s#$99D4i8>{gSR-tL1>H$(QTOb;OBZcv@Om^d!vGxh} z@2}HP?86U#H`p0DR}6~SOpC;)3oNTI6?9cEP{nP>EjZ8AWD1p4F^>^F!*&d@ITJkt z>0RhW$+GgpF(w|;$g9Rd7FCDXtGb+Ge^sdzBIM^XlnQc5?r(!pNb^}UB&=L5S+Ab! z=M~=)kyuPHEIOnGX%BizA;o*aR}~){$$o&TxCuMWz<(nqs}LSlTav4_S-gg%T@vZx zNkqdW3CcbWwZHFd#gE4x%Mv+eqtco5MyP1Ueyi0CE(%*JZYM6HcMRaR?&0?b8S>aW zI)))}glv_0H(--Jb1#foPQ|Ut+$tlK?vKBR&~Xl`h1H78mWC3{8k8Tn2WUr;vB?|a zVX8)2;U6;*!|Fs0d3n^+3I~#jaqVLMd)S}%3tER&a>-jRYWr?&;F4bM^;MrSE8vD|hfb^u^@Kk3UCneC$EFcU!7akDYfLoCSX%}So)gXn6@ZB`el#`~Voa-nhap74=Z zHLaXOTqo^U<2FyRyLzE=|HaffMOPYa+q#kps)9;Vv8{@oidJmf zuGqG1J6W-9+qP}nS~t7hd-l06<6-`%JumsI{TB>GW!aApmT|ASTbHb-AzZocc}Zl{ zX2$o?shz)W;WTd3P5ne$xh1%+kiR1btA%g=$h*p_$>`bg*n*bOX`lVy#qa6X^He#= zo9agDogCev#q=ro5b!*{f+FYQoNKbXfA%)jbpbMXzkVMQL%Fz19{tS(>}h|M@zlQc z<}j5zMhL)YC?Fhx2}IQGQ~Y(8(>SfTQev7Y8Ra+cHg^%TSe*l7&^eG=5!PF@tX#9j zz<~#N7?Q-IekjszI6vj}9sPw_Re0=XMAW94c2b8SVG5~sK$z|?ZX3r?Xz|@z)NZ(O zt@)>^q(5DBLYUIS?FCT`oVp3xRDQfLQdJ@fS3Xlfu;eV$kWxc{bG^e-X)s%E!zv5JXH$9>wF?Z%`p4D2>pgxAUSYl)= zz6pAo1p7@O^C#lk!je4AGepchCE!#imS43{w!hq3gVPu05 z1N#GI1<~L=LVtuYJa{8cDTLz3zQy+!nbII72S(rnl~~agdMtmX|5_qeo+vSwfMllC z;;}!X>WmaD4WVyx9C$fK_Co8vaa zCTK0DiNtswem;F2!4j{`+H4{%i^ecV0x3rlc_Y1Q3zcDQazu~s<%J>`idl&LA(TH% z3p0s|zRX)bznm#NlCg(kS!`fqCX2{1=*iyYDinW)_heIw&|v!4)2Z&kD-V*`nE^Jep7ZqAaUR}H zjm38qXm^-?L>CE&i6%1nmJ*wmZcuPY;f8b&E{y(@^Xm6+Fe`#b&L#ZU_tGK)0jL78 zCV~EiqGC#tH-k^Zbh`Vv4L8%l{Kd+i0x%(1?I7uziZCc2kj@HZv5=ohn3KdLy|I1 z5c)9vH%hDp6OpArZF~u{3H_B4sR}rwMnwSS50)Tk36`zzW&{yvx_uI{EW#KZ)kUW$ zB=jqiRG6`Xg$DX&YmKNy7u_AA^lyn_vi8{Ajq2tjJejoL^Gasu{2R~$&zK<@bz7Dh zu9<)4h;CV#=k4~F2h5KP?4~?Dh*Jr2JOp9>A*rD3`=wq_&Fi~r)yRjzCvYJWX}8k2 z>!m7&yywQki=ApG0_)FDEnX25hyqf zb5iF3@Im)Zo?iW!jq;iP4sB?7lv1K~^&F&&Z}aY9@jg0Su; 
zEicrZ_&7~8Z}Kx7I?<{zi0WTDXF0~TGeUh=21}57MCzTM7WCqg* zwHeSy_h72K48#Z34T5ahKkkDZgi@v-$K7PB;%L--G6`{qQVn+}qo<}grpoWe|6AUt zU;_k8t_nc1bx+<~!X7K$jeygIi%#gzK3QPV^fbf=%X{!E-KT&j!h0~EY*+w80%2DR zNYe(;ua)RUGTPZT1%`d@zJc9f>7;Qb{{Fo9(>Y{xr;WRHo)&$5)ypa~{-V@rqP1-b zUPt@xLgs1ndeB{_**1`KOZ9O4yO-Tt$3S4bP}DX);A(G5`r|?Y(6T*o_vBq{yj6YJ zz&0#```GC5LUu0ySy}$%+p#Exz+)qH63Et+ji6cC*xs7aazc34slW?V10^(Vpwex* zU~k{EUA14qeJlh%wZ4FJbT~PD!bfxa;JRLUjqto(DVhR5SFC&5rnC&&u8Zb9owwiK ztvXoblRs#cD_sJ0y17nP+SuBkdi=`mkr(eKc1E=W`JH14wgwuXA~2XwUh6 zxeL^8S*^KgsKR#uxt8g;%(iG;y(+qP#FL9?av4{ct1!wmzmE@HcG^pL^}Hqj4dyvf zafzckv}$`syK8t-U(#vXM|)#i+Iqa;YGe1hMgwZO?ID#}*?#H@xwZCZ3^aL9vQKrBlqe+EcJBjBfoVqbBi>r|x1;Fde8CzB=jt$#Gcrak2)T?{Z{gyoAo*|`e zp~Lnl+2*LB&D-rl&Y2qY|HNgzk0vz`NO?E?Irk*WeR9hdl&8D}|51t)_qfkB#?6aTgy)$1_*jd{LC_IqNV+sqvpniXPg`mUiP6~DK#UrO-$>Eio#WSjcwE+0;Mazl)$9$sI==4wQ}*VO>yP7%K59+zt}+y733!oNRdTyrL^#12^ z1DrwuR8mPnySicze-WUPl~Fk9r&|g^QIEy^1)IAU${y~3FK@;P>Ov=@aaZ^TQ~hX2aA}5iRwiT2pTzZmkb{{Sv*><)7;Xpr z+F^+$zzO$d-ptf(no=VUgT9{h2ZmoNr0%&%v+sgvL+o3Ze=_h08Dj>1f3F%K3>c zeAptZy=wvSegPQPIOK?dX3C{2v(@84d(^WR`*OcSNF_^Qt#SZ%ZE&QgW(cFLRyFcA z6vKNndOyjeyd&<*P+bgd33wQ5p?Lapc2I%}mH58rW9D=d{DG_Rj0?{Ib^U5F=O7-=9DAj^mmjO>_geL`5$%e_Udq7Y!j+`@;)h$<)P zuFh=5)R{E3jhyZ%pQVo})KYG0L_0IA49=_=t^ygYs#m zH@PAWM0HI#^8qzs<+;#Iz|68y@O}wHBpFFP!EE=Gr zFYWkkik7bR%=789ZyQc{`-|{>5B|?rF-8dASh&ZDkE7`^Gl2JA?e`J3$=EM1>%k#b zox6kROjxvb#1Gw^BUZJelRnnxjY@QF_sPbw%a0MxOQIn>Pmr>GwD+DaM=&IUW=;R< z)q2C+?}f{nE{?mD=qN3oHq~ZS=Zke*x^=Eq%fMbTgiYMQovY}L^PRIGnI*Pm5$)5X z;LG>V#4!LU$z!IaXsL9`@JjWzybVBbcfAg%Q}ISgp8TBCD5|Olr57bdd7fc;kgBMC zCPi0bW_4c2?jLkL#H=-Hdl&t4*4mECQ~q=~g1n5jZu>|D_<48A@)#znAOP*33EdB^ zyZ$u@(XKv*ZkVCdx=HLAJF`}4-GE&rZF$uXc6R+e>W{bD*xS#vqI0I**kkK@JKwjx zt8@Q2%UXVYaK6+r1+7JC?v%XT;6IP+fQsGEjE8WqN6FkhW7Kz5k}Iq3rJGIb7C?;~ zy;RJ2&4wj+zuF#(>ngMAZvQROwGY__kFQumKcd{G)gAhkdAF{{z0(xYva1(7eC^*h zDg)^*KW|E{Y2Hp)%-6H3JRjd#g12rjW$4<7Tb_o^Pww-qxj%%Ro6uPWbZVT|pR<~- zzvp&!-n!U)MpuFcR!g29wH$ylfX@4;rp~n0y*#0jxt4}hNW9lE#)sr3_s?u-nKJE` 
zb8;D)tai_)77*dEka5S|naJ?OP!|`ro1UfFQ<-;Whu0W78oO3PUhzAm8YDvQgVq74DdCag zv84}r=_KS_;YA70zjWKUg+jZi=EqLuP-c<}&EFgd-tG`w`SaokoPMI>zUs9W7#m9; z+i(l*Ln>7r;Rshgg8yO*mkdQx&jdHl*Y#M>6GR9hQad-0SGBFS=o=2u4m>qOO+H&J zSJtTDwGpT=7jnsk)@@-cf6PY-(irKFC=X?>9sc9f6c&1cko%ZWx}C~DAO+WVf@)D- zAfuS9yBs9J5c~7Vj@xg(aPQ9!be`r~)^r*t?HS>;1eNS2e1iHA9hTb9e|;QVn3!Mv z*2gHkCm2Vi(EdOZ2;CBa^r|(AA+1;e_AtbfyHx@ft2b#3!WUCs-5G!5`@t;^nJK(K zZNyzjWf+NMTVRMO>O2gY6UzWm2mIr}p?Um*fe^iC;U7-pQ#HibnlEc>gf+I;cuM~u z_sa=Nzd$K1sbC~Q+IZ0Nix;l2!RgKeCxlSzn=HXh@pqe`o|bcI$M2KeVklaHIPpu; z!8C3yz#|o7#J%&k&^x>dq%a;`G@K7GoD6O)gg+CFOea|ZhmL4XR78*%xz0B~X$_|Q zOQ#_@>%?kRM!?!YEN4z}A`UNj;#F82(bGIVhT7qq)jLB5Ec9)SuMV_`#bzvLL0x;C zzBrPfkethyh9rv^Kuf{2A@-j!u$_)ci_~8}#*|{mk0OwV%l#$$ea*0piBOYY5($+B z6|!_wu^)8!YCS$4Qhi^gste-K7S4% zDuB5dTvM`rjlJZ)W(YJ!s+UKSa&$pzzzHN`&Ym!9f|Ps) zZk2ge;f%*}!l{CT+3arPV3uIWxdQ!|dp|;!Ltbqq&&)vXK{}Z+ISbu~kReEfV>SLF z40I`Fwm3ORseh88HS~1GzcAoW9?RwQe?8b@B&_p~K?!yIWet$eve2-qxi~7N=;n2t zxiTKfkd_cc?J-j_%Q6*C0%TVwaDLmHaVLt5oLrU_@&o#2X<6 zm!~86hlMdz>Q6d?<|zG|Eg`W`14H0GL8rA)M8v*k=Rly6L9ujQ_Fj>~hw?cy#kZuk zpZJ)<6Q&+_uht+P(92Z`h-@k%wcS5Q$siy{dM#ITO2+j8#h5dZF#et+(MK#NaLt4d6C9HFHxC&CmpMZ)0y!QG7}+- zZwLCQp^~<7h!4N;e0i!UJ&R!cGHuJq)BnxDhR^xLtbjwA_1D9ok*Os~MH*DVG#2{# zeftodd=r|uwv8*A;rsb#c(2-2S&(pxLh8kBBVJLzS4Cuy`Ko~r$@tda7Sd`aC}KgD z4WT&gFD0yEYe8U#W~5?74eY`$<>(VC(GT1%ikXURaT$A5X;XvvdT!gX0WgCCz3&wV z4`8wwoC_9-)MO9x!zeEn7QA|RRs+aT5vI$hEI2Zu;GU&&cMDCH|G!>rRC5fC{Ueld zO9I6A9~3$A3q{89?hWVkI{GsE`e01y!GQR{`s{m02jz5qSuyDb3}X7}9TtJ6~G)-tW&|PwUl3u~c5{ZhPCOcKGy*S_em!IGflwo)@|r`g7@9?ha2{ zSssb*r$xs2Eg!%7dKk~j??>u6MZ7Mmg1K9-Et7Hg@LFGY*VY{$C&RhCThuvs`k#Pq z4;KQ!WmjMew;RpLFg{HW`pDU#mjhAVGnqTJAYPOG`|QiWtP_Caee{c8#d1HJ`qlY@ z2RawAHq)*d2x}^U83A6sJk<3ft6bEoOh`~#Ll0@ST;u=hL~FjiJet1^?3)qp)<61l zrR~O_bF&l}QnsaL{$k*CjZp1z3iDRy9<4fJ33Q$6oWgG!B5WJS^?rTSxiZaox(^pA z9rbMhTwS-e9*|Ov|7GC$w`VT%v34+!d|39m7W#n=)IQ!WXrxEuIDbE)%@}{7Zh9(& z#`PQ+>e^xLy4eu&DmntS-$)sEwlACnx7&-(3&%h4+*h`^C)!6p@A0JLJ6xL%3P0UM 
zYc(pnoYfY2wNGce42vaizQNvCe1t#YD=pux^c*_ByUaKu=v+=0L3bOCQDakAo$+ zzZhHAKx5#`|6R~NRei2~iNu^=BJogWZb|v0{~Zuq2Y48tYF|u7ptI%uX$b;8B20QS zJLO*M%TM15Y9k*lc(1$O08JQ6m?%3q^x&!WV0|IyPfZ}!O1{zf24ya}`=-sIAe&3{ zep_hhpNRM6TY|3C6*OcWc2eaNBR6Wytio~$#KGh>QPvbJ<%oqfh9u_3fl2ISIFM{0 z?WbkOJ2+9qQYLS4%F>m$QI0gqPDQBjKR)SIoQhtvEkZ?F z@l%GDK$3&|P(%{3gJ&xg3pluMo@F|wW;^6s8jDikMS3jY;&+f>Ev0-&IFI4i5>u~1 zk`)U<{|?MWN(m6)J~p4HpN1tBrCD>urpq5N1EhoRI~0sd!3N~>FEURcVOm%$J7(OS zm#9drIL7Am~y`6S{M%1F9b$Ia9B6C3F&h&FY9HVEWgxDgXQw8j%;g3gHe6hrQM^H ztvyDl`pweM7npNEMtLM(CO9x+hk_8?pTI8I9cf`wv;~h@!1#{`d`Kl~4O>YxYAwpt zCKwmK%#K%THA&P0@c1#^a5-|G(0&A9{pf(;$960JN#nq;`-4lyWqlpOC0TEi)aGi% zd@@7Le(`3urs?y-+xrN_1`#LhE-H52ZxfD7vtXc4&`6X1B}DYQ@#ilcz z#Q4)J#m+~m5ZEbU|I5)IHOo~kek85b3BIMzEOYST5&fY_PM2#^gtAg2C~r%WACntV z3r|C|Mng)QrsupI?`W)fWm=HM#RnUOdK|xuR0A$MGziB^Noi`mY(fSJIm@`?@?*^_ zrov<*02s64C2U>|CEj!$5LZDq`cX;0t13P?6bk?=rZ$(( zI3FlvlFG0|ee8oamRQ4o45Lc79j}Pz%3&)TU3HfGixQesVnT3%f%L$aZ&mhV4un)rKnP%lfzj29BKDb{GV+xW+jGSqc z0ZI*c1oLi-FBeIvDj?U^JUr`U$k?m9lx0AG8~#f^hg!>Vx^e9;D%`Vd|HDP zK}>*;Emi#QqprDYbjhSNawQbV?FK0j$y6`gn$xgE3%&7X(`L82GJ+4ne;93=dy0h- zACXvoERQm!S0HPzWn1^-s%7HEv{pfy(14H~QCmZ337ZP!mSe`lv3<5xa)%(JLP znB!QXh&3vKbf9{y21IdMOq!(ciBI>}N3dYV$%PSvkMg-NBiKoaI=Kc2Ex;VZEr%T$ z$BEg!o;pDwBJu{?h10kvNH1)FFYy=iAlJ7dDT=HkioJ$n^-0hc$$!e` zVC099Vf{+^9!C~#QVvmqv?pY1ryDvOaW~FB^}l8OS?0TVA86zKPUlqytFLn#AZum> zx?027?hMz4zHA##1-?x!o}7(uoxekZ{vK!?#H0B6r^4}gI)~|P7f#D`<9iR1mwC5< zxoNfE4xKG1Yp>ec z50+6S5u4YSE8N!}$}aDlkqalk*g9!d)5`{Q?M@-nx0a#zT2WfSQS=jz{geUSR?Epv zQ|D(HP32{|$2*?4$75EJN{f4>W%P=D1?miRBl{D28M#K=)d}j8wWl9IMVv5%gs5r1lfSjrFF-KW_65QtjsQuC<$si-@hyYn3OPV2hISpz~|? 
z&&73-+&-s|1G*)S?a%=gErX@t3(l;S`%`y->r)Y1$0Sm^51?H)l&0#WN}1g(pW#~K~?4q9ns-b;ke8I_$-P9lQaQLE1f_O zKnm=wrhdJ~?{p!zO_gPoJw7K*^f9+XSy{0BQ z&dca5M?YMvpmhYYI!bHbbgb1rYL==r{*_Epg}1ca&El6o##_DpGWAc_S%2(Hv@%J% zpwfPQSV1^%ywKTv!tc22g!Xo>x;bLG5(75exedm0;yWc>@45gcT-_eE);!Ni0j-a@ ziBFs_9bH-<*VfjgbS})ThlSiSnkOOn;^gm|+6y}8GX~b4J4u<|E>{!S*0+z~TOjXf z5UArne=S0YXAKCO9U0V>c%wtw74Hgf3I%HUJ44Tcb7J_e^Z;17GQ1r#UL(A6(AAD5 z;vqX^*)Op-Jh}^z`Gom$^;GdutQEJ~q}68s7(Dr26O-+F_lfW_1Uew{ee88YjVMl` z@NiNJ;%`m^xA{jq?g_a~{AGV(7Y0=XB<7G9 zzQg-L@H0A(cixh5L9b%gYK-I5h7kh|u$L~M^hd%m2nzI>%~+!7h-c=YRZS|>B^Rsf zV^3n3cAV>dRN4$CqvL1dMp-dM8^32Vjmw52fgD|Q;&G*F>#0> z2k;{OmL7lOSfG^#WfBV~y7a0SC^sbqdlb#nBtL)S9YjTr!YnRW#U-a8!r&oDgox{d zX(_ck?arrZ%VM9HTh_#HOnxvZ!ODldqg@^q{wQu%rhH{_cTzb zBosO`BtlWE9X`Np&AOHD>r;w|j^BmRL-BA_WqSF143KCO}s(nj}Jj9(VuDkQ>9-=$Q4d(-}Lx(m2x=c ze-E-d<h)A~~s;zVffX941_aeB13 zjFo*pzu}Rk^yir}1gcjfDnrMBI>Jw9f!Que z*zPX#&&i^hpMUb>`I%GL>oamG*`f2>v~ohQYXr}DG_THlm-u>0OAo2o&v@f;^pnmK zGswF?f{Lc&D`lUCbd3xj?epqci3okJ5@PK-dW`RGMd#m9VymU-;}s@yiG>lRb)B-z z(;C@MwwbpMU`ogOAQnyuOi2vTxPKn!T0l?4IrUQLn>1bd{YsQ%O#5;{$89BCrj9$` zsXRA{!y;uOB z@S*YfQJtrt$j4~MfUCrWvyHW_S903a1$h>bo)a!Fin$yq(u@r(=AeFKo_h2_A#D0L zG)v`{9wtw`OiJgjIZ@UXlVP6D&Zw?9@%}TN}P68&&E%FIjB;?4fEZK1{zKlpDIKwhF4JRojIXIX! 
zm7-)XKPaCEM8y(>tBqJ)QBG{hpeRQKjTA8nX);teOSlwssVmeTl?VnRp7rf4)QXh_ zUu&1q{iVBn5a-_MN-QzZ|6J!wm}SC&A$-%U$-kdwiH8FY zumGTc?`O;RxkCxF1(gckAJ1nmC{CY;q}ULL6F|L$vE^fPaKOD(rb8q0sRS#DfOqMo zK=Opw2~uIrIU@WMFzRN`(bkN4C*u4j*UV;ePtj@Btu>mbP7gq2>OkRKOyf{ANk&9B zVN4abl`Rf8?FwX!`q6Z)KB^$@Ndc&IX4E#LPr0uAL3$Rd-7)=CVCO_qI3F{~??{K* z%&Rh6NAoq$N+I84II&BQwUQ}IWTmDHJ5X#_MQwTq(4OSVy{buFlYyZrS&A+HiA zX|-E6US3Z9(Y9ohbd`{)mTbEiGr)>dC0$yc#X@OFX>@FkHk zxE4x`Y2lFgtSIGZyj#er>M#4hDs#KNE?ffaOaWg`_Wx6uJ^_)gZAV)JufTiBkEtfc zPF0Y7USog7mhUT&8QdQehd&0?`Uwry75)HF#S$n&_bu#n{g@)Gv)Vc#C(o)sFuJ(I z=NQ{M9;V4^dkaLKzC2j75}XJevOdgu-TBE@-ZVC{R9U*IRad=vK_xCI_YqcqO{2(l?w0fF!T&Ab9VK&^$L8@$w6RQ>#Yd1 z*5@MvtG27hv%kuw$0Y1RcGoJ)R5>HpTU9rzp>><%;@Uw3xysgOp8up|yQ|X0eczSq zOUm3O=&n!30-z$c1zJ_ufQ-!<`_=r>9!+68wLp6<3G?JXY$>;iiN`Jc|6Rz>f;PSd$ql6XpQhOwek8B9(-WN*yzzoeUFMK3#??mp*S~f+tQux1Vj1x~WCC=o?PE!9ZHP ziPbBA2D?dGiDrq*`?B8O_lXEqZj&3pcF)bNN;S}Y*Sgmjrb?Cft&zlcZ?A_inxl}% zrFIY?90WT2wBANP^Pa{8y(kZ|m4GlKha`93oIYh}_v`L{8JYfOx*K6RxxRa`N9#fdzvju6{b078^g+TnY-anCg4>KGmEr}F zg;;QBdU$l?o@0XUl0_J4u@uSMi_^66LbH^kxmsf+p|K;fKC#<+#BxkK%zlH8KgR@H z!ln~7$Mj(xVnSh+(;WBe<)nQrSWyw-x$_eV)T+ZGVGvwNztIkKMBt$xHZV(Y8Y)WA zbC-(+b8JW)#@RB%nHA1chqbFZAmI=juPiK-`6pHe9g2qb_M!-XSWD>=gZ*f#pMeouIGe=-jcWq-)@6GUwuLCM z>oYB!%Qf-7$2CjzkutTY(5iQ<*TAmGMYc^pb$u(_op)Z1pmq_3wmXhN;n>a>0dtX5 z$Tl9Et@J05KW!W}_-7+VY%UvO48##qL2NW>P)ZzYO4dK04?clP_DjTMFcY{1%^(4C zmXrnT_yD~bQx(&u@PG_os_Y^TCq@Y$(x!i`c{ll^Wo3Q;oPY zS5tUQ@HzIyR1)S!REznv_O3d?SOcNxfAD1DOkhkOJpgnpdAAl`fiD_XpL)D^bD)Z1 zOjhL?2eV#qyQ%?>djfwr*iv%iJEbAuu$a80EO!~!!S*FPl5XrIwB{s%glQ-}85AIP zO%Yk;^baOj+OkEn7Vf{^Zmd=~yD}FfFOcM^a;@y^-QW&K%X4{1l6;3c9K3A(oYor7U?g7 zv!qTQ(HG^%@-j{zqiy|ReV>{F?TFEadn_zANkpWFu5|9WJxbKiyoPboW zS>1l`K>P0$S6X-`0V_g4hn59-#VO3%`GNVjU&pJS1jzZH=KcTrLJdI5;}| zk9I&v3OKZHuBDT?e-O=?lq(8?Dq}QBt*In)>uSjK+6gr{62IGWc_9X-5(5l{n%}H> zo&`CwkZ^DUNA|^Pg&@NgB39II4$;ORj?n796=*|7^H}?scCu{0E!pbbnWvM0*>_^wz#V ztZ?f1j6-!EHFP~mv#`PmZ>{})^3S=#^7fG_ zTFDt;dvkUrfP9LnQrW0hzUlrM^)&I@+9ix}a^!J!o_|T(?NI25+I9b~A-XBU-Ob^3 
z!@RO?be&YEP0W4o^({*EP|;!1u?={dC4>7hd+=7#xHAx)<@NRAcG1x%7WK z-j9b~XzbE|0pcfUo~{D4yq;{a7Z7LxH~OaumOQJ+djPB2QP&&8H5T*@%Lj5f{et;e zw#&Vbi_3NE$b%<<=^`>4O$bQSO})PV1!1!bRG7{KI$b-rch9OmRB*-{o2!fRH2t6n z2%n<7aR2jqzP0IXc)*srwecK7e@BT;^{BhnmmR=4=&pN9n;I2iF?zYtlTmG953$BIBRBMKnvx_76g|)wHS$ z+%MnW&zsVV=oB*R9>P`VX14A^1Yd>_HW$~WT#V-8>9ky}98Y!|0ejlGR~@hJy>TMm z6K|lpXOQ(HkokS!&f91g^mQK$1@Uss{P6_6i^#4bCMS}4tb={|i+GrV*q+{w04*UZ z`7vKRNm-7&Gk^}DC-bl=rwWbAiuiYhUKF2H9W;AOt?zoqEdhP>^5`P}!@ki;1*@Ie^%5Fpe_IL4Q=dQFIj zO_uA+9a{e_I9?#U|BWIfg+d5R(J+)T#g0hKns?6!S6F?biUI{H<&vVZ@nIRwk-DIM zE#>b#A5-`(tKN!d9D_?|;;EPgchL|FV>BHvmz?lF6cob#mYvkzfv|)uXzv%JH@l zlSHB%^W5mqH1dA~C*hWjBB6RJDihiwQ!resqsGU-#KKi`gOJSNj#=yimgcYw4*zg0 zQ=-fnP8>I&CfJMx7Ajk|3YIb--!LX4APXT}D8$Lw*p#m2AjR~W@s2i0NOqYO97Mnv z8Ri@~Dz;ithk&Z@#Hssk0D;Rte@Or53dr;JKjQldNLe0YtX%Sx|2rh&zzNzad=L%# zXdFM;j8)yRMkL3+tnANA)i5jg9*Zj3{xdNt83yh?yeC-U&GSNrW{%&!a5xADlHGqx z>=@2&NhJxS;2spTQXKC$Nkk$KU!*DqWDVLgRm?Nj+2sg=Llwg-1#v3A^#s`5{lY@e z)TAYX(H%86)|e2iRl2uS35l<)bifp$c4AmZjP*^G4b|Qxe{*ctKJm+eKmJE%6|-~y zv$6%HRFGJ~Bmu^-$9&AOrSdS$OCw{sqFHCAMRf7+>SdeJ@+5qSo8+n!bTvo3ZBw@M zM!B!^ze2hG^p2C?3nfV!!oG}!_ThPB&xRyqawPGL!U)sqVeO`f}nBAjKVq-BQo)7YWH86UOG$t0uG3NPTo|dX+m8EUY?4dMzape*0}~n)1LhQ6A`$;v>Di`eaP> z^cKwtibq(n4gzQJG|~z64uq$4%l1H@NU-2CJRdtHaw#)yNQ=f+n`O-Df3wIq)N2>p zEDYDJzp#}E3e)%$* zK#SCOWLy#~X8g4{OEWuk{F6)#z6F4EfVc}Cw+B8Q!a(j+p#GyN6D$vtKJCBd708~= zobf9CIyL^XwKe+e2eN=}zt3~*{Qep5D{uOPPww3OS>_b@0S(#pbp$R)!PHTY^85w1 zeLHNfpiAl4=rdQ;PVA0uay_SgsI9BXb7tS!U0UJJssy~rPJ6pV27Wqi2Zm=McCYRWz^Pq$X951F&iT-nVaYcT9Z`U3faB={!{i6tTIS z)ZXa;%uc?aC^<>IpP;KuX~6-`rWG1Htge(cv!gtxRo@y9*cR}(%`QGj&dIiy@Hg20 zdZr##sh{@>csFYA-N3Q|-RJ1=-F7bA+t#jbk@r*7&e}x?%zq$zx` z{qnjm_}t7m^RBjQ?r~!Mq=8u4PCCJ=-G0Y-X~XB;rtHA$7w{=5EVFusrKdIc>ShqQ znAY)n+sm?Z0dRGKWqLa7g3YZSEf@ z(tX}^gyRrte-d>KxABs4w>3-AX|ikI9e+GA{OY_P^#t3$cgNejhnA>F(HUBAuTNsv ze$2~+e#%H{eVY*Kc78fmb`T5MriE;#%dw`)%@7rk@i& z!G4vJHa#8T%kH4)d8*ysyAVhkqJs6+pU>Z)5t8uH7zuy^3^{Pb%;Vn;a$!nEu}CrE 
zP|x;^$cC^lv(2(!z%#E51xpoc$nTlEFf^<rJan#M9GX|Gvnz7)=3sQ2xc1Lo zGsjyr>p8LW&g=f zJLr;<08ycBElT(c%9DjS#j!yfYk@E8GCKP;o1HnxLkffCR=Q+<*uF$gc;6=~1zQoK zVdDZ3Wq#awMbJnPeTGj#P@{olA01jW=04Gjq;Sj`x;Hvi>!u-=fb z=KSI}+hhT5X-r{D01t&|s(IoYb) zk#`D?a{a<}wwUuHw5L*|bogX6e`cVUhf{CgVNR4qaLG)&2m+(dBi zzqP*nbLVklp34gj)lmg+FM}zlQsYcgJcRLB%i@Kw18KrAEQGNCrZ+JP?!+*A2;Kc+ zhwn?~ z$h|_-GNkqu4(_6hl45kese1eQKM8VC`fJ3r>6~~2M)=&k_hpFGOBVwE#5=oVsGGD@ z;LOWN9;q3s%~fX$Tv*9e+|&yhkMY9zRTM^%zZHtt;q^$z72wQV7L}{V>3f7PVFGp( z#WEk`keh@eY!ho!c9)&ntB1|?;3*<>V=zk!h@S8t0E{BYI!d7UmvwKK;BQB3-nDbi zvKNoTmJIjBJ%V4s^{u>jVMpx3Fx43y}_tP6|g7roh)OK5=1mk-@n4h|dY<5HQF8vcD2PLu_f zpD=k4;bo=INIGOd&}+yrRzf77C)S-ZoQ9+}fubK_6|Jf>{o$}^i`W@L<|s>#Qv+2m z9Kzf5TWgHeb1Vh|oAMr>HX^~P!t!ieHz3Vd<>H8_G#*P=oG;cW#W=|If6J#cJOw5dFiru1`hv{%d5Wgy^A1k&byX#flitqg>c?!O#Pv&3KCniC=<9+Tt ze-(G_ES7nDRD@~!1H__Xf~_Z?4m?HF@MYNvLhYOT`tsHkp@il%)R!C8(| zCE;PFpSuzD2J5)?=>a z=X!Lc|Mc{F85;P@`ynZBa#_&RFx-IYDKmwe&YRHftw#i>;h++myAt=IXCpd%xYV8Q zN#bOB>&E!f{RA&rv!(~(THtZ>rm>9;aM`ZG>N?<2+%-N|bpAM;dLM>o+OmuxxSN`)N(v(t86`qxbFDaYCoIVm{jvg%JY8)$a*y>a9nj9S+?wZFCDcAD9V(MGX{j zM75DZ-5`KNyyQuzm`YeEcES}}V+pfn^tRNAgHRJzJeTnyMhSe)v#^P*}XG){8A+|n69c5kVF>D#6zc87rHSG`SmMs zVB983e(F79XctMn3^@K6^jTz~Mng(pW=e_iqXa^cQjD;31(p8fI~H)9(oC5ILkpYT z;AY=36oOFaP+{DP#tb0N4|a741Zi^f8FFVO%}FO`_=rvnESB$~Evs}!Q1fM{nbdPH zzp)hO|CX*fVs;E0iI>YY?q&V4Vu);3O&~nKqMbgB0ZFwnLEhT49FJVD^5akY@g9SA zDVXe>o>acNh>g70FjS**V;x?5UE2Z^;}bCwxeALI@2yqz1A{U}42bR&YrQ|JBc{UHMX-(F0fg%2uG za}_HXx7CBIpHG@%m|!n}@ZyG)Ax}&%z=pWW_mk@>J&ecgO`dZ}FT>)uAHm!Tm zD~T5#5Uu0$F&d5Z!eI7;NdazZdKM3NYe}h;3t~E94I9!^=KL*&IuQ!QKY?!|_)CBz zpQ9Csg~4?S9>^2G#446FB%Q~vjLXF@Sh9~*LO5@JM=)zmFuQ#82C-t@W>-0a_)}40 z=>}{OF_-nP)^VwPJWFuA;lSZ7m>8=2_lz_}VJ(M%`g4ac!o3t<(f$7v_9Ka|WliK}&P&3hR_jo3n>-_9+g zSuks0xrUQ0xp*BC(>L9M$TGuXlg|K(rbG?K!};m5 z3D%W9ksP;0YmCAUR|;)9+rbP-(;Dz_*c8*mjQz~m&y4-d*w2jp%-GNWz5%6SAH~ec&%d92H+*;7rc%5Z7`snco zAC4A#lYQsd70%x7FH*gC+TS*x`zZvTN#DBTU(dSZ&Tx$b|9IW9tFG|c{j$iKSz=#O0aj6ZFspLhFn{@eFow;=wr(SCcN=ZfY!j&gNot-XJL<@$qj_ge9p 
zeS62hcHugI`2AnbcPH*gw`sKT3&y9_)D5@%?l;Rna^dzP zc*A#&+Z5U4MSe~RxK6%fjpw?LFZ=tu9x9yt%B^p%u+}XbF0%35-|H9TANuPC`{TcO zC}CVwhA%#&e8uA4sS6+Rw07hM%&R}XTwbWU?YeKyJ^8MU&OLhtZlN9DqV{0!d+drQ zj+(vty8aFKws&DNi=BA?ZBe-PlAm1n82aIzd*0YN7`oHEe)Baix@W6DKDhJUr;N7! z!@ajK4^-n1);;FDZ7S@K5Av2gZD|--XpNhXd!l?kvD#Vr4R=`M68J~!Bo2RVbna@- zskdJ_OI+e>-v6J)|9`Llz~Gnke*Y z44WVe`EdzU^JvFNd%l}(`GWzS6`(SfCVFKW(^?i%>+~!oF|O5s3T2c)m}^NannT+j zIp~Q*sU+qHRy3gNWvf>*K60vv$$XHki|wFW5l6P49lO{7&DufE9@OgeL}uXTga%-xP?eJz ztXau4LMcO+RTruddAV3>1QePnN#jgheG}sy%@63gcm= zRqI>0Hk~OP=wO3-1`0`LP#N%A!P>lvvmM8(whsCxD>zUY3W}$X~ml+j^r^zir z4CRJYNI2EJ+sqfs^vGKf|0&Je^N(8p6k@rk2tqUUKi_BnnV;q6Km3QEpYwm%jD-mn z&09hNs0*Z=vdym5jWDuYZ3pFKYFJ9gk%O_+Ky%Y>GMgEMQ8y(!YS^{ZARY#?Ku!1- zR_h}WF#QPl*w$Mas)&TK;8qjOu2gTe3b}q(?^Ha`i?d*-ri{u27ZkER-w!3RCfof^ zoN7sVAac-rwoz0tCI=-6Q5~?^%24U2ijXb#@?y)dMm42GmqnX0QHCrGBpC&>20miD z?euiD04iz;%mob=K?BR<2HeD@YI)7Bbu)g4b%H3_qpXlc{WhKF1{jldMz!gW$FNGW z6OWRv4xo519E#mUGwErv5DQ(a-_J)`t2Q7kM9621z?Vxw;OCU2on|>NLNdK-+)fk8 z)EIXt8i1;FYtrjYr^ z8uvnCdF?Ng27r9ikDE20{hh<2=Tf?m$(b7|TpfyI?Q16Q@hk{hgMYIIqig|O~ z=G@)Q-k|ZVEs*eg_L_rSh8Zl#7sMhStDq|1xep#tGb_E8!WV_!? z4Te5xnN^)ifpOMLH=Sgt_UT4kXeI>Mbo^F#tR#BMV5mD`sq7T-1{GRie>zuyG=-y? 
zqz#T_VpPF$2CKH3jwcRr-05X1q1n+Yn%l(#$?hPCrHM3MDlrYSWZ`aG> zW#e<-c>QjU->)*;zU5ax6K=kE({P{3uNS|25C5X$A3NvTbaa-)P^P-nj z{11PBlzX9n&BrG`qik9qY;n$3i$5T(VbFIaH@NPq%P&3Tr6X@zt^3QyaT|u`8uvQq zlD|3mwMDLb6E3tG6Dy zYVY!&9^GY^51GfFJ?H$9u=`&3?DQ)1{Du2ndntRxlI3&W-gxCdA8PzIdBEly-1Zyx zy-%~ZtUY?+w~t*}|MBayAGq|mt)&wle(|OC7N(b+T(+4h-hJ5hiSzqwZM#GEt`D}_ zGw7{=4p+?gBvdhOEUhmV)qdiGIIUHe?n+}c?BrbEC_URm?>o7zi0vE0_{ z-XBBqbRY9)|zl%I2aH;fw= z6+2B|s8V#wAo?9IFuYL*DidCXYC=*kL_9#sr$)WDiRJim$7Cb0)8T7_GEeqXW)5qY z(Fts8qe6_p2G**l97fAo(`gtqGVV0v!YvxGiAhpv2^Qt4xrr(xrc`#l>547m28nto zm*Lv|vK^5rw>r+mCZFquev+i!Q4NClLQ4fGImW#%6Y`-s7RQV}b`h-9S7MihD_N{m z9+6r_U zjxzaXr-BU`EeJ<-8}uihm#Q*~LsrqMQdLd6SPX~dDlqEnL@_l0s|FK|QHrZf+;+JU zmdZ+#7Alhpck9LZ$_mtFvJ( z1-F`7BbANQQ5?2vOcYGQakf}*4{TR7xG|O#txA{b5)ojvMgeT=nB5aP9y_iSD}9K7 zI}74J`FSBW{O1s>v0_%8IsfN#|B1eT{xe_8%|HBSe$M}4YvMHC=~24p0u_j=t!8+$=@B1Nrcf;Z~59F95%NIfN(4Zy zkd}>x-xY!^YIa3ulI>P>ebl3yayz6ll@g_id5@&ay%8}PAOh0vcG*h11lBWQ)XW1B zIuf)<8aDM|E(hoGe&6E@olc7I#@eJVF_4@vssf1cy&;X~Fp(ljOo&6AO;);m%1i*z znDa5Jo#T)ymeJEikqY$?0&}`Y1YLI&(;X|}6^)t!LNEd+3D?54dxMU2pppIb0ll z>P2XUU%&dt=l^hyaLt45IR~x#i`}1`^Uf!yZ~D~2wad+4TqIw$h7Vp>IB2VFp8F6y z_4GepQTydzR@kOKyT4=Q!#nog%)f4>y#^=cCWRyR-8{JKr|Ye?)AgsGzUk@h!3TG} zz5e-=J+Ds&FMM$9n=h_;-fkel9xcM3kB!O0jFx`R{cnD-#B(nnv(Ag>J^q(X(A%gJZ()|$pV{%j z6{;J@N0VnAf5KZwZSZh+h1&j`t#NL4r}igXt-APHw=&XSnu6n}2rLIt$`I z%pr-LestbVr`WGw^K0eNYd*Q`m;tJw)8B)&Rci*P*qd(oV z{leQA@85rz@X>|HF?I2=%4=txy4xBL;d7bd!8`NS1JP%_ zb(i|sDS`cZru)&K&vBVwXL;k$btnHzL0A z@o1+DXYaCqb=T$hJ@BPH@I!;mZhiFBhYvk?>9v2b+KE31Uwrk4tM=CX>3P3xZ~g2d z2mkn(Q+`Xl^TElxoPT}&(Fb3)x9;57erfYIb++?0@Bh!@|97ze+l>EzE90B^kDU=( z#qVAHPb?@##5+=o&l>U9_n$92|3@i&|NKXq%=v$OYSVo*>8HVDH5n9J=%f?7yqNBLf*}=aRh=4-3wqu55W2`U2oP2@ z4ei8EmR?w4s zNXp9TdK##jCCz8_ayqULdY6yMBKjN#I=-B9dWE^Ws>v+8G1Rl z8!_Fg(P|(r*l1{Nz!hv<8(QOBxzdq)VyB|Ds|d*wk7E&U(%&I8e}~&HXw#xhTb6%Ggz{k zMF>HbEK8PEY{|AHNWevwEL*l@TavBNTY$jO%h2mU=$%kQ2@q<4&_WNrmw^OA2s}@? 
zxw-ce-etml1l~RC`%d|Mj`eNJYp=c6`uV>$m~^|yPzCc9C$#$MoL1!|6)Y>oVo{8G z7S(1$tW@*bcs}0-rjsUwSuS>iqRusi0z;6ATGvwzBx*C&Ub>MqZL8uJ+;R$WAbnVo zWuxt)1*Y!~2O=2&h@Nh+1{V|wWg62MxnJw4eZ4Ct1IP^gsnq17~cXsBYYT?(99 z2301#i9+b2SZi^>bYEA^g&n<~NRdW?&Q5St&3Ipl|NNu=Z>>VRRG!iQe4F{t;w(3R z=Rb>c{!dv(Po1f{x_@wdW*yHU^J}dK6JQ!CR>8h*{6|v|4VQbZb5xdl>n=Un&We|AY%#{tf>5d5`8kk;%h#{VsM?`*rnyb4Y&?|4F9*@BQEEv0i0cUBQ+yw<V3GC432kP}Fl)P!^*U+#~yRBV{#LEz_7 zx(xRxwK|@jh-B8RnUk=|B+MLI1j11P(=l#1BBpl)Z!3HuW*kng_mN&6t-2GpJ_<^~|828PxN?&>#%Pzlr<@pXvYewb(1%jkjyE0i(wm1Z|K1tR-5xt& z#m%w9FMH>e*Jt5>Uhk#uoXb|K-LS?nyFc*E8`nIKp7iIFj(cX$i=um8+x4=!gB$;F zGT8aS@oT@d^Aj(fwAU)*4TDRYz%LIt{^+BQIqOfazqs#n$sJy^w>@Xe6Eat?a?->71)1j z=Pih_oz{Npf>M#j$HV%H3{W^y=PgeCOBtmX}|% zL;Di*duLuXUSWy3yFBq#_)q7J`LjPg`k^c5E_2WJ-@D+@L#sbH_?V;SFG%mQ@(Vxt zu739JPU6<3^%FKb>~!}=ZbA3?=DhQ_-n4Ytx%XJ#A8)ZHf7hO?Er?`twWIIMAF}f& z5C3uR4c`AayX>l+Rc^ZWxW}GQ%=#+DH9wATf2&-&?SQA^6^~nGtLr{}y{)>Mq>pgUyc+{>UCV35kXIrJnrpj?bK>EpzCh z(Qemb;stjVg%AF6`(v|rzUSSIPr5RT|YU@MNZP@QQbDln8HJ{!7mP z&*J|#u>af4`9EKa{WJV$=wiMYf7|#EC_0NiUtI(xwUPSr{O2E@|MP9+KZxjX@bq^? 
zRE5RmKaIuVKeCkdW!bgHD%R{lJwpX3Vo(p*GLlDaRPPSa5+4PHP-_b=T{`)HrYqtwOZXO$QN?E7^@>SuoEdxNv7YoRmg6@tC$Kpqu3;); zHWjf|t@$lynxT(kG%QzmvQ0G-$uSNCUQy~KrrEg}rsZLyRSddRQE8jxAnMargB8Gp zo=s#5gK=7Nnb{R48!fi()LgsK_oA|k=mJtH z{!jOR^ZHoYn5iNDjsHx(ef(#!mYcuxpT#-q8HJX ze$h~{YB+4$rACmh!KGk2B;AULT#Jd2L4s(99jfIM+E|j4*%-ju!)m=S^q72Y5u8cV zHOMZvYZwHZH4RIMgBAf&1X&t)CsI>2n`T^ys~DEBbVJG2GfhA$L1qb$NgnnyOi&4G ztv2F7-8Nn)tb%|I8it%DMc(MK$wDO2&=5;IPTkKn;*nLF)J0$tD-*FpSRs>0fS_yy zS%-$kyh)9GbLt#XM{u1g<)lS2pQ_otF6Cs#UB`DO)7uCtgETOaCa$baDn?9IG}OkD z^|~tNAu~bK5S2DsZd@ab7H4u9yA{ttoyx;iEIXlUU|Q_P z#UTY0N3@sX+pT;%${QLyXp&WRDEVp+8c&yj4r=-V9Ws%LL)8l6=p!r=5blK((6 z^}nyfKF@z1{dk8R{`LF^g)syo(r60#68tCqP2@iakxGLE1bqel&rN?^bE6NAyZG@> z`6IIY+2<{@{w9f?uSlWE3yxy0 zxMzj8_dH_1=Bzt@F!zKlk2~nKv&GC7yFSsp`OUL#zu==Ev>rO?u^YyBKl9}3MPr$( zj(`RW=9#PBgl<{^@49BZ%VzApXKlV*>clsd)eh%AtT<=Tb3T4pJoU)vY zaM^gd?cdt+{nuw7buqBc$9uCkTs}uhZ;c*y>7M;J_I-Yzt$%Q&d-kQx*XQADEb~t0 zlG4pT!Z-fl?oSh!pU}SbtmC)XdF8LdfBFZ{|A1LIf6X1gd& z&!4&1v6J4~*Uq24^@Rsk-(Gf&ejXnQNJoS2{a!(vH7m@49+c{)Ic9z4s9vKVpYayW_OwpGqCQ$v&I8r&AB^ zw*NMumOAgfaHIL(du;hrui5+BV;;STIkCCaZ+d8It&6UoyVVvy*-QV!OLuvHKIh8& z?)59b9;{%NZaMSWo8$dvU%I|^!xm?Kzqas|IZGb3RSo#fyWxY(x;NhO{@uA9rU~N> zTg-at9+F5rD?X9> z`Jw(L=l^H%|C`tUZHE7UJ@(J=ACO^1{aeR>Ai*J_>F+7g;gB!Qf24nS{*U$`vr5XTc2!R>1P9hUWBL*}4#jIk zmv2J31Y#Q|D0VzrPWuBSYs7+<&i4x-r3}ov4S-cK(e#sO0_!x%RGsDu^;9iRIbs=c z*iPB4sQ9prI!ae;(k3R>Y>$z}x`2tf+=NOgWuO^Vj6B*KhSN89n)|hjLKlylb{%g= zcBf}a^}t7{hQQcZQzjYS&Wx>GIu$b%)JpJ3P6Qx0&kIOV4m_oc5M+MHTP4M23%=D0 z)I_E~(vw;q8K(<&sqAZbqUKJfnPW+4$zjMLVi|yam-uS@heTt>S=Cym>VU%iWww+XpvZkd9c{ZBntJDAsfEG4t`0XZArb5*gkuKr1 zC?ZiH#zIFZ%0h)3bjg;dOe|RO(p8=rOgcioR2I1?kn)v+3JhQmNwi!1DBo-#wFcR( z(1b<>4b2x-NTgC~vcghaZm5~b*ww3`lZ=ucg?f}&3_^q!06s7%tXk-StTh-_GDWx7 z8;zvKu$3uSB~|R#I-Q{z;-=E6Q*kA#lCCPkg%p9d%FU3^DgXuNYxJOEIF8#WN6m>p zi9J(}{-^uDjYpwVo$3GfH~tfU`}ogdEjRzpf274Z|3`@9X4NT{$W#ItOEsa2rZCvy zGilvR;De;zvL-aFgb^ExE-&giDhozQg75H-O8FUFVI7Dla_oex`UcQ$3`2+yKv%YE zcv4A{WLq){{i-L>V8)JWf*|tQd=-l&l2=2U@ftOj=0<(aEihd^lLv%KmKs?DsWQ?T 
z)9-bwD(Sl-mmIa)MmsU^xnX|dqqNZ#i-Dw%ln;leW=l6s3C*&sNFW=L`|YbEnar41e^x!j0M|bJ_W_X z*VX^+zvzD!r~eyku&zw{HGTTfP)t-u4m1E-^=i^+jhiJchdb=V^uYu($Xk`hh%JGU z>vCmNz$6#5>Q)SeIYtfi-pJ?6^-RWSV?R-X+>1sFd%WSt0n^8@&y;eF6m%DtN zCrnPKC{1-rN@>!T&0eAhWr$*1Evh9C?I;Wopmap^dV@kA7hzV;`3RCpSJIAdj5lf7zi&C0eu<$5Ak345AqG*KNv*75RT(trT^PS zD=Ny$%U^x)qdS!OYfoER2$BQ$ndi5izenP}+&QQ2_Q<;HpK#S?3x4^V(|@w|v&;S9 z`9tn}r1IRn)5V909d}uHi-ymauMXHBpLqQBr~Kw-c-G{zW zd;8L5qd#mrK=|{N>IJ*5@Wy&CZTJvy@Ez~Jbio!y{RnoaQ+|5D!e@@JzxU9q{r&Fi zJaXsio6@K4`pC~7Pg0i(_ie0RaP&@pJayll?tWsmYp&n*)>D4o-ThvseK-6uxAT2> zWX8*HaQ}kBa`TU}Z(a5m&#(34%ig*k-{zxr7#{AjhzhD%&$e&@x;lJ|of+!tTGi_Wd`<}frarcfFKfZqI@(s4U{pQOv&C}mI>&WEO z+yABaKzIF94th-Aw9aX8$LPyr}XXPKYAoOWGvEFN^lli|I=9<{*zJC2-Qnt4BTPB5;x?4 z2AUi8sz#^CXN|F37TYD7pz76Zu?F)sn>8mPtK=}l!67-r3Y&&2xF|G4rw-;POr1#dJTEJh$LYZ9t7F0FmvP3VDrJ(N zULbC;d1#WOiLsR^5292I=24Q+6N$7Cw8kK-QXZV_)jX$P9OW}<*KYNr>ZlLmu7|s( z0YGVTSmhc8GBb%%A(Bqn$)0E-1yHHOvQh=3p4>5}K1a8pj8y7C>5kS)st|>a60FOU zBLJ~`gh;d+4#hTWff2@0P3y>gywD;^hOEX)PekJ!L@UKU2&;xqRFuG@Cei@s%lVR0 z1roN={A&D%BQZ6fNNGwdZ#r0;YD!i?VVkUI7o2g$(Ry;r?LsCu4B~o%XZb3qC1_m|vQ)jrnUttZV6R*Ez*33#ssr4i zqZThRwI1Lk`$eMQ_laCKH`L*LiR`isCyjJdJv)v~QBe#S%oUq;tTD{F-JX%v0%TmV z+kLS$bsGVI;;Cn{logO@MugqIOXO3Tg4C|M)im68*`Sf?s}SrVOeBrNTB$?U3*D-w zL2arPxvUQ;y$peAZfN$M4(jT5U1-+pYD9)ir&t-$DV1W#NhtIucGz-dLI#<*2Ae6r z$CMgEGEW1GT4Xg*w?@0gx~%bdT#?PVpnsKeA-<^R*XTd@e?x~!J~LA;{5JES#aV9t z&VLr?{GUPxOjHu%e!htTvDhMbuT?C=J*1m)>f%`AbwzGag{qf#z-lGZpe&mmOC7X? z)>2AFfEx}jlvvbDkNIE>6p}GsR!Y@eD#oFDqtfi9l`+JIovvraePP&dg`+})9QhL% zPsN(xnW`Qn^g)nICL^eX1Dqe4pg0a-UoMA3)T)T-39kvsqU)4;jBfR5vE5Se04u|Z z4l9n>NiicqBMjmCWC9E^ATg0myA#m_JH7XHz3RKZr$+4o+sH&#-6aBPx>;q!1XQDf zvNVAb-C=)da}I(jirFM2pvmZHgtD=jf(ki^Xh7Ye(@%z@PFaoYiORHOAC|OJ&vxrpq0%t7Py=LBx;`9u!L3(WSTas!=b=*Gd5Wk8am|}(~P;x0sR~{ilDA(SBiwm)F_`R+j+4`wRyxZ zr*b0+X(Bx}>u0ng%_Td9Ceo-2B~>+PE*lZk#a>bJeTQqMEJ(zIWKg9Lfz(9QX)@{J zxGGm+v!r8_wqt~njt@#Ol(? 
zole070&NX#3~u-tKAH26`493R@J|X!p~UC#&riPg;o~?8rV$v0w*GG^&)L5N*W5Bc z=cHSbE9ZBtTzCjp4lz;bd z|3^Rm{efFOom}G3Yj57=rc>URkNnlKOK!a3*@v#S+Rc}0Kls@WmmILfyPqELQhRyi zt@Po`zPS7!Pno;AuAH(mc<7FAU-!|1^_Sb>@NG7|^_Q0}c-dZQS@I?5lTAN5^aFMG zo>=k1J(ew5A1z1`^wKQ?787{o3V3myymM=o*nYPykM7k@>}y4?$+GUy7%J)U%HXM zy|Tx-=AEtWHw2$p{ipF!@7DH%59qG+g8r7kizw7J0=@FDzyKV(YW^PtALM)pggt^Qi;v^6T}vPtNUd z=~>&(#+P{If){Y%m4mtq5d4A*AA0P_7Tj6&`5%@_%Isg*(j)#&&E{H0{aWv`CdUfnAA}e*bYYQbV%94Nm8%vX2 zp$-dHDaC-(pJRq5l|>fmfPgILAAUH*2Q4Lk1t!X0M0R^Qqo({$QY?y+;fZbqGZ<%_v(y3La7n&x* zMdd%<1CGmZpA#cw|LudwX>!ruDU1K>hmw1+-yV(gAHAaRwio*P)rae#f)2yq!e?m$!SqF#zng|;e7m=W43DK$!#OZ^rL*jO^}!uf(E zBr{1Q--%;MEgRBsLS#9Y7m1RKdjk*gOI~Z#mvdSt<$7^di1p@}sKKQQFpTrHMjaPB zLY{E4ygQ5_HuQ3ws;7x$WOJb)PoGeCGf{%AdJVmr$5jiG4cay;M4TN1d6g2pOjc#- zs5%%oOWZ`AbctajsU*}OkjJ?e%?;_I#n~Q%m5eGsD3P@hI5MZ1bf({-f#f3pDUzA~ zc42lL5F zay&rw3D-)A4HV3RWo1~!GJ1+hgk{Fb=Wsq>PLh@B2&8bF_q$;$CdTt?kgZxWgomSXw!q;<$Vc@O4MS`(E9({jTco1UHjZJV zb}>#Sv(={Cw6PF_Mm7QF#CW8eaEGYXdj{gu)Cd7ei7<*SFz?uInCXI(zTa`A7E)|B z2IEu~O^ci}=!0FpT*z^DGLhA&js#bHoim9Fl}5`zHUkbqOzPP&-Gmb{DRrY{r8tV1 ziB(rR$+qiv66H458FDFW0`XGTN8v1=uM|jMC*^hwz>ywfuIz5#i zMd39t|5JD!=bCC_M*H(wUC}9{U&wywZ)B};ahICEu^(`8!fag1)0CIZB(jJNn7Z$< zv{vH{F=C5U-mWU>c-V|>X6)8=PvWSI2DLcDq*JY283kq4OAgXy%^1*qJRUg!&9&-+ zF`_#iMJ0LDx9T;sK#hmK-E=9G7f6C4B^xY8L5B0AbhTCqx-}+W>#9lK6cRb0*%SLn zO3fKnM(G85hlU229wh5ErHvtCZOlkns4{`&A=@f7hq!^smebWmyqM%!wwd98u-EVC zgG2!jOBpK6C!#jg)QM&=F;W7j#G+dl8%Otovzt%fh1ZpWQ`^wJcZMEzH28kIdGK8dYVrU z#T*s6u?+4avw#09lgGPpZ92rES)1giMq~AwQn9O4>~8 zwizZg!-Qs-&U z2>4CZ|6pkdhCmoa|9Sn-zQKCLZSQ`sesFo==}RBKIe*AwKQ*(Tocz-h$S0OKVR!Fm zsG^;B3v|#)FWs{A9ak-X>e=#3g+1@6e6qnZJHNg3FYom1l@7Y%u@!!?%EpImb9ZC8 zjWim3=11$jwe1yp8h-gtH^1?Owfl=_exEsTbm^NP&V2>!uZt}G-Bo}6)&W~>djA#k z_@$12VU_(J-|8nT+;Bg6?+Is|w)-`6*89UT#~%&+=-|T+d2_9OZh5f z=)8?Kd~D8LZy!mmyx#K*uiO2DEkF6~>3@FcrmL!#K-;bL%+n8Sb>nqQz5D1p;~n$B zQoH_Qr=?f^;W`hUswZFD_x0HypK{XUciwQ+Gnr@KOMLk0LFe(C4-bT|nDe;v);xIC z%q_#s_WRBEwtMRE>W1^K=l9uSx7~O9@Qiof+~A?5ti$GRcisnA?bm(rpf?)Z@Alkf 
z@EU*GX?zdgf9{A!U9u@Iebpl;7jHjryF&+=l{dTKyBF_&#wA<1AvkycB{!eNtXO|> z&NAcISN-#2{sq=l^1iIs2Q?);MT|Fii2FYf;ae_sECVl(mo z>#%=9|C3})b3%MUf%2QH|4E5-78K|rDmZ2EOX`0>K=_CK-@c9dA4rI&_h3>&_C>07FjE~?l?uIddm@qnlrq=!a!YiuTBFu|!n4(wOUfig5Li}l(1xS+?(#2-Y{+(wrsE@urU zDP#bPC1lV_fNryt5PNaEoXt+U6+FyZKtHIqOi3puHAy9dA}myFW1Itt#!wiOy>!vd z7S!jK4~+;!D%YfvBPBnna$SgPCk zzTFwQGL?(de0RExBq$p!OmM6ogcGk@v;mN>`2`_Uh;6b{s$@z%q1XYT zFxPI_0o-hoo;`v6dP!_g&`BT_eH)aL^<0qEYRTTPondl7GpC7oRw)TV4orhJBa%98 z-TF%X-?EEBZ0P={5K9N;B=!X@Hvf0k7XPaM0l$6vpT$~k{?33Fr~g~tnOSOA?7B;-** zELF2zjH*qh^AT?MhUGLGpcyG4IHR%VAUKJpA)!A=c)hwIr)svHX;$TaI828PT&c4H z0G0Y6L3fI7k4G##R%@6dkIGWNCv~IFIHOXMS?n-$t}scsv4U2MZ7uH>v0U1blB%9I zfUH86V@=fb39C2KF`L3frKjO_NnxAxfM*iL3S)?kj#;CSF*e|3!>%L+ZB#HDy=-eV z1|l*jqlqw1^+}kByrDSEx>z$x=dd;$)qO)RwH0C9ns`p1X(;WI(h^)eNJ6eivwolrEH1qbg|pWRmb(fhs2vWmL|J(pVFyU>Fiv zsh%4N$*F5*GVp+cRT<2YLyB!1NgF6Q?j!)GYdoW~QHYk>o%+-(CSBL-PPa5kD#nXO zD%t9%I~tL)0#=z}Lo;k>h7HZIp&2$b!-oEs8H6FwHG<(I>^LJYLlsUkLdwlTA%jO-p?Yym^zua@t-KTzd$S%q& zFP$}enN3ssT>q+eOzQZB*`MA2hqq^4@g8*Eh1zeP-{X&`DI0%xr@!pJqZ+-A>9~hfH_r`|Z6V`b1QRdW>w%J8l>gOXzZp2&dv!>B>si zo-(@gpz_TNcYJaI-8`pXo%Qin?|J);X5F{vtieXvCogztz5PCV=9)|5{crm5jW2f( zcz@1b$E?G;3tu_)*fWp6>+J5TD;@Fb!WW#I^-XVi@##C)Jmr$y)o(vjyMLw5!rPwS zF1}-}=r3pQ(m3$sqxLBuu-$8~T%BWgB;dAgJ007$Z6_Vuwr$&;j&0kv?R0FjW812_ z+4t;oKipAY>IYPfHP-XYHDA6``@7q5#%$+(YKLWjZwYH15HLR0y_HjE`?*~cvqEi= z-FbuZPXfnlmv_>>ed2hQ-o@+5^L8B4z_UK!@1T`ReBOkyI*?CX-4Nv89WJ2B4YaXST&C-ST>0l(CV6L-enyNMQPNpKvJMsB zdvUuRPGI~i`ypGMT;eD)c@Bc^C#eK;OehNpCImEOb}ZsGDtTB9Yx>H9w{i5Lg#Y&+ zeOpTH5r>>%l{j5D_Hj#EA^ivP>Wj#rLd&Zyb#^PGHl zqY`-Z1ZhcvgQRu3>IU^+7g&(FQetT;a~BSZGS>3kvthXrrl(c~7b9A^Sm&$Un+6`4 z--;Fa7SN4Gnr5?&c!R==mZc!&LxaOa5mxG44cwcBLGD#K)!014gQRrO7AigV%C!+z zzmmmk&?G|ADA6a64vq20ltXT-?((8fAE3Bnan%E_BMGcBwxxdM(5oA66hYaQ z3kOmuz5PjxI!&F9R2~BZ<>9S39>tUM5+pR&_LlP?&YOj0+Nm;ch~&J-Zr-tE$8E81 z4J3na8*ddCp2pUh9{62h@l~*L#K*eQjy%`$1s!x}VquwoX?R-i+$8L&CwDBtQw=}T zx~jptooXN`Ne~1^S^WMKZ$UjZWl_{B1Imzudt?I&iu~>^^Rp?r^0zrh-NG^*3t4n_ 
zfySnzhzvQnb|sXWekNQ^<_0HAMEbuCC0s+2wR%d&Dx>vWE!&RDD;!7aEWyzTDb9?l zLg9>Wn>G7^ll@w4@!Sks&2v)gXnjO24F!n1t-?Z#;US_#isIc@!T!V-#=Y8kSl;Rn zF)4qPp=W_ga9~{(p})=l!?_oM^oU0Mx@bcPWIu!XCpw&VVJE~>neD-_9QD#+tYI6 z&@A*%B`T)eYy^*4MX2}M*q~I2y6Lr|_oOyacHqr1u!1X@kFafV2 zplO`Bj^(f3R!Z@Y3!Q~-4U!;}pUJO_jS>ICh5^kl4<}#z9bw;DWi|m%KOMB7dEVZ@ znwV3bea=F$!-!~CN;7|pHNQwoNtZF=%PJwm?x_e#W5SCtL7gJ0qD}O#H&oO*PiYje zc2oKoZ6x*?ZZsDfGz2YQ0VR!E>l~c$Tl!bXJSq4XCrm67r+DZ?8^D2tdTtE!E^lD> zRUwyR(_k#%G##z)vVlL(>bG=ojm9g^|j;Cz>{Q2o5y8N}1nsb>uh|hA+-uM=J}m#Fy_fmPF@~+dn8- zW1gTQ0{u%E^*S9RcvvKqtIz?*!}xGir&?L|CyK=>#mpQ|x|p9)*kG=m>m(|5nb{&V z&1FM|t+_TznVYsKhB);jk)aX#l!;z6lL`KFNkkQb6?P-W?`-0wS=pMGWP8!qrJgtw zvN#mlbT3h$1IzH7@qxOkby3wzGa7WgdqrC2gHaK(nY1C}!N=v^ed)8Yh1wZS*(AzJ zNn%KFBlP zb$*dhzx~5*^+uQblG&L1LWA>iRCvq~#^MW5L}gMxfht8lO@B`sKqN z(Z263tfnnJV1~txNiq_$yYp{d!24zm0`IIAjGt+XfqnCE*HN0jr^^nh#7^s0!jMj_ z$V&Se-QIaz{tG|gEhMPlzf7judro8_@9jeUcfey(80RH{b{&8zU{x+I=O14hABXPM zyak4HTTauenvJLn0Tj^L%wIiVm339Xd>h|kOP!O_me;`q;9mJM>QTN!bEGoHtRisBs^NgJeIs?hyF>EFdAB{WjIA!@uQY z|8NrEGpZej=Y4_eW6-ib>uz8^@>EwmUa}+be76uri0@3YJN*3kM3^x^z%R+a5$gl;4^Pd zptTpfGKA=F(Lt~AHZK$LH^6JcFV4Q_c!u&i#P(@p^Wlcq^H$d==DAis9aXMk_smw9^vX0s(ljIWOGoN2)RMN>qKvWQ$Pov4Cu zF=xP@z}#a?k#O}8ik`kMV2B<8nBnOZ>A*Eys7;X-8Ut0HVqK!!#$H};sMxHXAIM7( zX2zNls~DLNMQ)onv-p{BQA{KCvqdzA){T#DI(pj{t5vE0saQSmM4Y|H6ut2bjDXzK zVVHALGmm9dP9*TK*^omkXvQeIu2|M5IySyj;yca{I@0d1Bc+(uZwFKE+NZ&I3qZSRMf#udosc2F$WLAk9r+S%^ zJ3x?w(x{WkRgqb&IWaJ^B|A4INl!&kvnv7H3!QQVTLk|noD{odssc8#{Jm!zwijx* z>RoAU2|KNAT`rwGpTx^TQnIv3ku5b_i}I+|p!#;5%TqCAyk^wfcQ;P|{`?rzXp;k> zjfLc#Js@HtNoAEM#lf;}w6(|r4dAK9 zIEQ$#s9Jx9+nCQ(j@O2>jlxFlwpAf;OE=qYQe}O%KqV#y$WOcWP|Y_yfv|LoS38ej z))may3cfj>Kc*U9=1-8q&ghTQVo8`f0QuWKO(h{iAO|Duuf$GF1s@1~3Xgk4vL@PN zq)@nFxI)>aSohltRLeY6ubt$m$v0=h?2ll&d6^x(0qmbYn`vI<8>ARwWbQv!SjUY9 zaeT&?94}2sMr_n1=t=X-1W((wqGKQ;m|T%Lu^`Z_pMI*K*JCA%^(aCPih(y+B83Fw zg>!7MhYF2Gj@JzbU@W799tnhKis8ToVFMmG0ib^W!=ZhjP|Xo58i6j`dz-Jwm1lg3`^#G2rs03a-HNbA_rXJA&O?O!LIHzU--ZkZXWM 
z5DCL@Hjsu~WQ41zxb@RMSM=UK+nk3-!u6uNV4{VMVgHvtjGMywMQ}o)^fXA3*L(Vp zM-DQo9D?G&Z1b2f9H}BF4YtmTOfrP1_{HCBm<|^m5vn)l#^t9m(o&sCD}2_%(X6HL zY>6eh;tKH2Zvg_pFr?GH@1YC$Pdy$ni}^s9d01wINmiCBE8FJ>@}U*%|AR$9TxMCi zVs*$wi}TREL@o3@bKDwF;aMTd|DCrh1DE1k(?#Y&wpu zg*hoNReHrxnAL|5Fnl*6Hfiu|Hf!{9Y5v$`qsoi#hdJ?MZ*|vAzZG{}>GCJ(cwneq zF@wwQC=*@dx_lZX3-xgWhU9e4NN6u8&8#@0HR|PmpVZB<;PxMj#p)~_h0~tkMl5dyV@XW(Npj5bu*Aef3?rw&Gu}LnMO_2cFi)k?Y*RExS9$;Y=Y2aB zw;~U>6{!$$*fRTqtr#m#9`-ZqkiYrbEZj$ik-&EZ4PgZJ`HiTto(TBTKYIb1P7nh0 zj|^r57KlKQEn(#TL#Taz6Kc=jBl!$1f#Q}8&i@h`YabXgES=tLM&H zVBI-J&Ykb_9m~%)BjrWE%z4C0|9<$$z~K4Tq6eR`O0PMiv$Iv(k?3=*qR#fMY^!F| zc=HChZ%5=fY)s0ge$-uwX zI^WtXjEg_P<^1(1cvH4o!4XJF#x%Il3_&`L(kB@cR6`ZuNC>rW?r=Pb}R&+V3+)f0k%=^Oj@ z)07$mS|1O<+toLp)~b1TJDuR7{R|;tlBVxBt#EWf;P(!7xxAjn?{SjywwL9yyW8OW z^(PO{{UZ{Q{~08e$NoXC&jjx`1J~O6P3DMmxSdF)0UuG*JquB z@-6-ggZ62IR&Do5^u|@ak6VHlZeDZsp3ez6_YRL;+*V$T&BYbor$@3!sZyFYuXu`)~fd0?fbt zKI?-60=54$dSm+c(;Wzb391MwmLTZ(v`gq86ylR zNv|uZ7F|AOCdch?h%XpXS&=^5NS-F~x>sM~RDc2ZW~*aQLBo(lb?ZqbTjwB~@9d^3 zvNZ5J_zmMI2_23;jkSNc1#im1J7%D`;;Gw6C7cJJbse)?w~PXDv!b9pCA5AuEBMQ` zv%e(~{ukf47gtJ^`v@B}nn@gGCQEksqH8>joP#nKbt;8kYkWAZy8Ef?JRas)`T9Rq z2}GLgf(@ryi)F2vZYo}|V%wF+P*9E3Kh04^LP2GR#Oe+~Rul&3I2EabYBZidA1;(} zf5O-QwBq0>piT0WbOvBSs_In_R_MnX$&6bo6PCG@80jBox{nx*KF>)Sx02Mw!uc2zhQS@m8cR-s6_brqIy znx>+bj(f`~tT-1yjqnw3WY*w_Zv5ck6Qm( zxUh2$ZdFd+*-yOs(Ng&*aZ1(6L34pd>$eRD3r{8Nn^J|Eo2WU~v72RL8t-_Zet+cj zVZ9>CK9e+U>b10<9o^G(r|9<^JhDNSa-h}v6eM%vvsQ!ttg7ry98<0&QqXYK$g*W* zsH^?b(oAO6MB~$d@V3*v-&0gVl*|>}rl5}S@@eF@b2N}5Ra}L0Wb@NQAUQ&g$kTtM zS?1&KbeA5cSt!HK+on4Vg6OoG$)uWTEt4!M3KKz-C&vq(7PJWxCC_~XBK-_T2oyX;;wkXsPn(?1 zg7r;HN=obZvEZAHKFPpd-`v=+v8l;h4X7~fG8IY4tt*=v)$C9F9nmc|A7FynzIIBe zXDc)6bHx4CR>uO=O20b3`J~iJf6ptxe;83}O0@sMVuz{-&W>%PEea)3FG;1k7ithK zKBlSO5z1aKK9VmfXEJ0SRc?{I3?Q?|#Unf9Mg~DsrgntUTG9^w-Ny2dDdxhtOao`k zSbg~}{|4PgXtX9a%2IWPqcZ##$bh&ES^~~hY(Dbu`H{!woWBPN{O-zdTPCPtH04%J z1&Ca0%}{-7wn#baILj^&=srSyPz72ADzz9%srF94w=L%^TaSk$v>L#WR3A;t;n?9* 
zOc+##d8=#Y@V7i5tv2C>qtqu%)}zXTWUVr#RQy1pkSE1`JH`}vdu&Pby)(x~^Vy^~ zn0bXa5rmFt(INJ_i@B=Jc~POsd^ZwoSPsaMw2wj7v!Sr9bZM8I30HxxZ@!P%pJCMg zQvoy-NdQ>@YnLP7Tj?On$Mx@l16KP-l&f^CjTlZ$fol=}M2M^x7N}nv3lnh`G}7eM zgIfzM1b)-p)KZwM&KbKjG!%I)#f!Ifk-%V-Dh|VN6Hw%wEltur0%C5*R=$#aGQB5C zbOskSM%uP^i)bEhbopL&4!-4QK|+OXC$&(}AJP@6PTf_l8vHGLDV+nm*N8J{v&d#V?m#>_^e|%l9V-12n(`QOBZ<4@+IO zLyqgEGi_Ljibv8PU77>BgQZbe;$Wis5{Ng)6!1d zv1Vs0S^#pu->>ma-ni8FJ;b_P;3!KL-s_Opu7T4|PK!!S&$Pz`CBfev#_qe}w%K;i zv%?_xV}q8Vug&btt?trhqZ{|fI|+H=lhtFtGLD|wfT{OqmA_j&zbMyUx=Y+hpC)B$ z;Z_oM*ROp>W83V+>6!-3uLewnJ)G-3-@W^G`nmpHwA>H?q7dx`+PfxR-z7A(@5qiI zyakR&HaIRWJ%PM+y>~mH$9%i5*%v@kAkg7hV2tu<7s_)67=ZkJ*Og}^3^!1R2h<`O zO}cdk-=Oghyhq(n_R}|{Kdc)wKV}MTIm3Ro(;pFDHp0KG^xKTN{fC# zlPmKeEC;4=bXuvJf5JeH`hlL4*$tI6xbG||A&v)+3O21r!+`s_{LJFxAb9j`PX);Y zA0F&t;->l5`sr1&&oNP~OPegwgbI(lfrZ-{Iz}3r7N{nK!ju#y?hcDqt*g37a{Xj! zz_G|8uTZIb`oySxEY(%JHg)A!V{H6shicFPbVoMq39TsMr;cMP3+%6&vI(e z-|&~ZMX*v4C+W;*178!Gl`W8;ST!t0y;%xwRc=n@S`nET=(cRIf3ie}^XJOV_xaSu zK$-$$F&hA3Vah}Ogzk#qNr(LSu4DR94#dmeE0ZvCMuuU+gSV!2IFP4Y)_X|1l@XFt zYLYFg<3F2B?i2IUA_|LSDQp|`@IZqJiq&p=0V#b^sM1DC%2>v6)!~d`kxs8Snv` z6gQ^>?g)*H-hs(R%-e(%&DY95!YXtV7uQUGuk|GF%*ZMhO3j&w&QP8c(a5zMW^&o5 zIPr#Jg{Ll{ip^iMTcoLsFLV8r%;ak{6Q?PqCPwLiZ>E-uu#|N9N3?96jQ2M?Gsw4& zJike%eU&+ciAoY`-|C=tN?wNxiI~oO?WmDfGZ>9lzDTBJ^Df`Y^zV!y0fIQ1T0}{* zRNARMy19%h%%!vmL&C77wiqZP)i5l}Jyb1Q&m&tc!d|iwDfNoOuy)Tuu|zF{j@~$W zg!XLtT}<@v6=`e>DsA?TgP;=Xe7OjSvMwyvROUYvj>%VtIEt-o6ROqF{P-(T(Gcnz zepPU|U;6(xq7!0uWYO6cDAeZth*YeFd%R)g@817@hMl;~SS$nc2_Fdgvk>@`fM|&d zD?r~=0=!$R?6T@)R0iZ^jB2p0TXC)=bR_k zzt?qpwJW4Q$?~gOE#%ZkV8lVV3NyvBD8d>D&`> zPNR#+n2a869DQ0@>MM~-^cZNKz^E*#6^CfTT)Z7!(k&1kri^mAr&zFf`+pgpCJuTW!~C8%&(6I@a06b3r2^gt6n3~jDFKs^HC%kcJ$^+xL(8xK zM12;|7mIE#+rsb->d*ZueEfNk9r&(-DQ9>eEIp1cas>d1tZ@R~QkIJ=T~)x(sh76) zJx+_=&;B==>zCD--R<*dJ%RT7{Wlvv$7^O)^F_>BKZ_LB`4MdfzhU=5ZyP^gx`qGe zU)JrF1dm+5gf6!3yTwtIww`M|j}oVmDo(mUE5NviE2YDhx>+pWCvWA)z-Sk}4`6k- z=QY|dSMMxx;F?k5!~W-uWB{-RciCd4=OydKoxqt9z7@~bH%**5Ry0V0zIy;ySr`| 
zrN{64&`R3pR|s(J^uuus0p|7{6Mme;4KEl=ED`!Wi9c*Q=+J_l#3l`xI^LMD6--ok{3# z2d1w3Wi9i>kV{amo!mI%J8sq@5++FYb^2aq)oI?$q+xVHU^4~)6oy9>I?apPaxV(Y zz7A=g>Ktlbu0Z2@|7;&Q88&=hcE6?M^>p2wMqhB~*^K0<0A2_*KgLCphe8!l!|a<$ zQ+pjYd)&A4Ke$(c5&+<28Bm0B@R15F|D_4#?C z@&R=1_5S=TZ7vdGenWUHXK(Zt*U0oFK+c6@6;AsCo6ST% zyaZq43a%tKuQF8+cD9^Z?LxJbo5FSxyJXAq(Q-8>(Jk`Qw2WIYmr5j7?w#QeMH7`gl=h{0Vq4j_PqoP1njI9u-;S9x27hC%Ma%E9JcU}C_ zc583Ckp)MZ)|w^T&nJ5=sFG~5XC#mO6u;hzWST|wLUGT9f=Dm)@cYz}#}O&1IMd<< z`}UdK@5iGiuMa z2sAX!Tzp8x7Fgxe!~hsw3wbw(WCdGt1BFusE4}O=2oxFrCJrhtI+f{7V`y-)BH;%< ztb~u`C3nB9flX2ca$4V&>O1)PfsIC9r%DWwwG1hNGhW3~4*P~2slSBgro5n!R19e= zBFmC+R&zqbGmA$5vb|L07 zA*xXG=nT))BS$mleu&Jr?aAs+vLnUVD%t%yHC|TIkFTf34qTqfPg^?AH>i>eOg$LZ zR-BQC+xasWkGJM1;2>ziU?tB}xTQ3>VrxCxz&czJt86S&y9-B_(lYP#$h!K2DmW@X_>v!{g{ z$m%C-4~TPgy>&5kTstnYm%CAv-VG%yNoVOjq$5f- zp_E~&Va#JrrP&MD1wUG}7gS{_8mD3<9?S|y+D3d0(eUc_WV|DUgA&%ARjIER7E>Y6 zbjF!f4#z7k;q$MDk$>UUX%1zlv})!|NSbknm|VHHC@#?wr8^MEWa}i#v7!zaDP`6C zSj$KGwrVAqqB+DY2D8!~%0|1Bb(Jz_uh<}lVk90(wdCVUbA}v9F<~J#mgiiIh}78r z2wtc!iDx3wdegY*%dqkQ0fJNj1HL$QU^CN?C7o!)*2$4CPjH_0EtPRcSlIqe>q5*L z`USHV$`=WkS#ZKT#}{H}uKuk@M{_2MKkQHz%RtDM?~}%y@?G28JYHJr;8Ai^#>bp^ zHQE`u)y#;M-Y}I#eBA?+ArEGGCTEibNd~omRne&z43DmY<7ye-_%Xc4hOf-Dc|~N^ zmJ^6S8=izV)Rxlu?=HkN`>gT^s&3g?P=CT2U*zn_nx4u)u|j(4UROOBi9Zl4@OQg@ z%nMH?J(gp_r0FCwSL<3ghHDG7L}?VVVTuoxeKKF9jN~^xUtwxn>Nbi{qFSK{K~J}M zMeDyCNX_KDpIulOJDjmy%XkqTx@XoO0!c3V6lHGB?BHr!3B0k-m2#iUP zsIy5i3V+Sczh(``RVko9ccx|oHyqkVINy{YxqM=p5Pe8k>s}TmQW>`ndO9a2heuDc zUF43RCxM=v)m@8&Q5AK^ao9j{9!Gqr&CMD|?)`8B&XiCEPg`t80|3Wb}t9cKak zfTN`mPVs-_4!KR2;AvNDyr(&c?z&&OyYdFFlX)jMULK3<|8^XzeHYtyHjf?8>c$c^ zriuc*u2VfOJC|4&T72-jCVKj^I8Uq9`JVc#7;t+#o)rM?gVwuVr(2_ULF2t2b!ofT zZ>Ap)-v#Fxds7tyVBp4n=YsphM&Tmqs&4Ci<>*@fDwh(GtBX$ejE{5o_hwKShOD=^-qaQqqv(1(KL=dcCqg`(I zS1fDNB%ns@hETidcn_cQ5?UJ2%RK+>m{EBzS(Yh+zktc~vqeJ71;vCq@+X-wmyzfQ zn=QjgEZ-FUfEkCyS|wy77+ZRMB0jp%XjDN&By7C``$h1$tQ<>aTB9K=Y;?n5`bE@w z1uBYN6uzpM95yYrwj84Owh|{a8|&F0Bc@hs_btqgRFqa*juZGv@TH&@8loup0m-`< 
zkSi?ia%8lB-Sa|CUV2j6dglKc!KZ)HY7?GCNLOnlzxSVzl8Z}AWkD6z|1f3AS&|(7 z6>$!l9l3f%y+VAf2rX2Og;hq}}q9 zGB2+%$a#KlnMurj++Eq~Jvi|OCx~Vj11IC&)(Bz3q`Givf$PTT%PGNC3hJQ%gd$oh zzbb~klUpzWA-iIL6tVIGuHdCPk|;>dXNjg6oFR#Y5}xx!9e12aM9nAD6rGtjOxQI7 z0s_9P+*P#RLJT90#i}rSw1d7xGu|zJE&(c_Hin_jtM#s4y=9UQl?tE(van zX8YDrAZvzRgW)aKL?o4vscf@uKOYWtB#0uCJt=a-s`Oi1fNWTa zN|=1BJaATiML<0eGNu5HfwP?B>%N8ny9D+VG6-i6ih0LDozgqCb+j|`-LNQy!ze$e zg3A|vk9P=pwz9VhBivbbkX@^=8LY?$+bS{UUnI(rk9x^38IKfvJ!`_u}(xoDZM!iWN?{D^d zv?@g{K0L)(D%C-$08L!EXzRcB3*_N;R1_pDBS<)?zkW%Bm~7%6hz$}do|Wzmqoas( z6_Dra^G>Z^C2oR5b*CK-MV79!Rhw3zWHF+|I&c(Q3o%Ch_$l0!RU65i>xqEB?wu-w zP6Ne;u3}bIne|JJu&9`NX5S^TkwQ<5Lo!Hg&z;Nz+aK-X$LZ*_@hqmybN^}NHX2$( z!vGQ%8ZS@YjXQj>*ukJ+lGubH7JA8&KL~DCB5$IP^w#)KLo)=7>48FS&Hs&x-vhoQ zHqyT2PYZeA$#+D2o0s!jEmj$D_5C)Z9xRz$5)z0X0zkwc`wcNrkx3{X?Q8ZSFO0+A zyu%}vYUllc^CkfFGoppkWAzEK#%~AN;Nt*2@qKKu&LY*v((K^X?|I|0LFRgwzz?d7 zf%~}}*ZtRd+a~kJ%9R4J8M+uI-~O)@z^J7VyHj>AQFz^HO_jozw@peo}gc(05&VgxJT` z#jBwW&wF8ann3QZZ={V{`;9;EP1b&{!_MY)(loU*e|_z>{pvb&*WmN+{K@CP9r-Zi zb8O&xG+u&O`*HVtLD;i{SnGe%vrXWyt9hblr}T;#aKaD(^YA#c<&~4Q3w-bq&^Dj7 z+0_MTUkcq)n}4#jjo;7iu;=Gy1k6QzOK>huGa>-0&FVLM_UGLn3|h|BCADigyCx-| zZJieM-pgKPIlV{Mn-;LRTY&8cb-lAEXMfi&HbR2~$eX`9H+}P#JKB?k$^!Yqc75y5 z7d1itSDOb}4xKOLO+JGqp99l<_@5i850*TOv^!#*kk@}V@z#Ha9W zp28Jy5jb&2$O;b~5gXM=0B!F5y{`5$eNu`jRA!W)8)uBMYc1jY@U9(ro)e!GdqOME zqRClu60)!wRc~m}`rYpApz3h+bl03g?%Q+~cL=Rei7{!cRhfqPgFef-YgrpA1}igk z!9n(A*QE zdbOL)g3?H#2sZhEZLc;D`#m&eFcTK1OVha5P+ho0p86N-V0Fb`P&|n=+@#i7_F_01 z-Y3=4OnI1PsRipzYF#vGcE@FZ**3^*KJib!<5M7|DNP!Se9b7}$SzgK~} zmy_A~5HrO=X-s0z#At@l?AWyPsdTfBC+K);G zkBLYs*$0|QB>JLx#k0r?PSNdI_s(@^PHEHw>Oy(yfW%Ye)U$8N-OAM|c>+ZLc`*cH zLa_`<&`v)YPp)R;v^Z0Nvl2heN_~E;b_o$_D10J2h1I(2>EoCn?{d0(<{(nKmty*; z+AxM!8K!yW6Uy0XH7E3DC7WWWy-PYn3RAT*n-3||&=3MveoQN%Hj#sLXV--rN5OjwXj!W21Hg5DvM zU;s*SXh0X;oLuN4UX8>u#jN?eNGWnvfTtc8hieSmq^i7!$=gHCMMj~)s~{glQ5sjU z@e`bKd0TgKYfSw3URS?NzGj8b`eI7edDN=wd(`zN4`b$%(QB=Q36{y$bBAM0C{AP) zD;F31;L=xafAO7TW*6tql~0hwl#|Qj^k~!6CxI+sBd6qpfrAt4-OjDqJwc7qyy7p# 
zmPe#gFa37foiwZROpg+`WnTy-NC~_0o<$W-9&@L8@>e`&=~1eMh^ePgnm|LJGfhlv z7Yvo7tl{`4-g|h`sI4MZj)rG6H>QCO7N%EC>PV2hOryj(5gqJp`3xp|KQ9$3h~tbK zsD+))<@FmGuWEbZk9yr`D>?J-+_`fL0;Dd%p*DBGa7>ucItw&ID9%j#AebiO;X;q^ zDX%gtOKE?8%(5Vp&66k+bd@z}7K%)%c4B&Ag5bB0{ki>Dsa+|T1}a;a*D=#9-f_mz zFPHR_fQkVyalejNL;x~S=;S`YAlNSv`1>Za=9^y&Bu*Sv3>M{A_(FX8-d4ZJ{|PV& zPw9Je`0s!7&3(Y54@R}zjq`lUkFFlep7$u3TK$(`xA_!KzL(V9t2+y;jK4U%elIID zjq4O)bOg4(0I@9o501^(Ay~fDh=DiuYv2Q>XT>(bT$<)Xvss>W@1ig8_k>P>&;FjlmL3-n7x%N|`P~Roxi5uq z_Wpg9h5l@K|e9mc<1I#;Ny;lzpjNMORjQGTuCAW2?H z(?u=DPs0QjJVpqL#b+|^!>ln(SX#nVCOJ2K{UZM`w)pM3fI3qcR?0B;Se{J?sx35G zA&V6zl-5>(HOt1!vYS0(@Jv=o?1k$5%0K!CTqeu0HXpMPgN0tM{gR0uvc(+<#H`1l zb>K1>EG(QIIg(^ZicMU{TXqCTe9|<>f~__eyXdk$jx|&_TtarK6_vC3Q<(!%65NK1 z$|_SY6)Hk?>C9HJiOLmA$-W|_Sq7A_MpA1;_GH9ZJ&T{$^E0&-f z_rtPYx1r2=OfXRu{oQ+CLUw`JZP9*nk;vYKnoBq;Hvwl;pJvfc;lU44L%9V*tx-~! z<9F}x)J~OxKy&b>YPra%av^R1y8IGxa?$hO;tHuH$Re_Kx##SVlD+$mz9qBAw23-M z-qiWA(A*3ZMm?(LN{Vw&o5 zJ8+IlT374vbw`0Esr!xKLk-c2tSsM}>~)+(Y3BJkTJzFv^D>c1&uPUXIGSN>MA+{P z7Noi%>uM<)gxn@yx8h$)J5AsK$ypyVtTUkZ6_KG8iQLtmA?{V}SOB(Z`x6t0jQPE@ zHe^_1S2!mJLI0iy?JJqk+ri%u77NS%Bi1T6O*b&XhQ@}MkfK@zE^W#8+&s{}IjN;6 zE9W@M-jrX15oo``bdZa}Q!rA0rfYIaCANV}B)&#z)JV7p?}t{7L@~c;TRb4dYW>vx zyhJ*xq+q56A_zOA-_QMs&yR6osU#rt&4%WRqDFAc(KT@9C9vO2iKCXYd?rC!H&L&pT`D6F&yj`jK3sq zQjzQMESEIlDYyorlFpIQfuCFfQ$00O;b|!!Dcn#H(XMFz*&U|f%X{!LAf3%*ogK17 zQ%S;ftS#;HL$=u#b28+o<}2eDXWXnW1<>j{IX9Aqxn%xbi{ zXT7+EcH@z+I`vfSE5~?lTr!mZTc}k6G>%UAiBA8Ub5gg+%E3{49zbCWrZ(Mbu1OF{ zo=?bE-dS^=H{3|$={0A2Lt`fS0gY2-nt$7Z0E>>fRoC3^EE4PTlj1yo42-*ZlL32T z7(G-))4{uzJKHo8yW!9&#J6k?azgXhCK2yQXLS0|b-dKRdp!O#dmG1!QQW|?JaSP2 zg+309v>=hm2!&gM$GG?oJ?=P3$3Ay4YnbbC{0!bgh6s;~$_ix@wGMhvat6=W?bXV7DQ29pSV|Y&?yKm@dRc{Xu z*o8>(feER*!nphCBWW!7Z|qDwZ*mdK6TYnGIoyqbzm{}EYUyIt66li*|9*NS=;eg0riqsT*tAgP)X*L-@=VUf9a;sJc{%AT!Crp^}jwnf?W{I1mv*s+3 z?Jktq+M~EpHjO)Mpa-VywTl;5p=lgg!9j(?@Lb{?1T#FdJkp)tmJ{T{{!5PXv^-_O 
zFg=wdw97EXfIe~c#b{=(+Vp}0ewzUfWtk4f?@FZXQXtmX&kblI2iX;XZNqZ72-IjHT_ZDy*XAuNRUqbg+#^Lj0Hxn(oEb!N_5P+yir7I+=|`|g&9LlPzXHb!ndKM z*tPeUFqi}}dUoa;1UFnYi7vtrG|fN+#Z$}AX}3)@Mfw*VH3)`@ufm#W2ss9U2_#Z~ zrSpJBShl{w6@hlm1YEVkj^cyApOC=wyS$K%|BZ^ZLU47_o1=g3epgZ8B8-1d~cCy&-8x_~AV(@sN~0IAXN3 z%(6W=rc7=u6d~DT+S*evx4j3J%xzjdvb z*ypYhD;$a3z=^fm!7(%W+ut*n?-Qem8ujLCQK>G=izKp^ zUiE*N`o{LU0=3OJX>2rV8arw1#~QbNnK?7>e0kO%Sl4y0 zbrUijTEey03Kjn|(8Xi)&@*iW1@4IgfFwbpu?N)8Xn&^03h@L17j|VIyqu+tsoSs4WPcYjVH(;gZj~LvXJULWsx=_02Si;q#4h zVj%*)WGN#^a?I7`yvqB19_@5sxyAP}o%qW8qWaQdHQ#efbbI4K?E!Rp$$VXZ^?ZfX zx5>2n6u#`>b&EEA@v$<0hV<6OtABs&OXRfO&BfGxhxR^d*wQ=#Tnja-8qfqe-EWiX zy`PT?C39*Y&4pgC96cT(;XzmA_-5SF+`dK$adihsKHL!Q?WXX%=hW_(xBLVwCVM|i zeGH`#Fn2zNC2@gg#TAtSTlO95TF!?^4g%mfE5d`YNL<%ySP8GkJGO2vYodS!tQa9T zlegcYDI5k*XqtXUt>9 z8xzk&oA0e#=kjI+3BaSf@j4{5^X63=*mKuM-_vpN#W?}Xf&1i2-Eavn_>RF~?Y&Ml z+aF%d8s|K(JAo%COS;E-15_!UP2+Gq$=#l3Sv}x+2OWwP&k%L~f$K3478hg07o)SHzKwk6SpAognZ47`#0slv4mYPI!m^ zw2Z!sTmTTAN{|FI1z&`OGOx&JOXFdML^JzF?tJ$1)+Bb z6!K1+zJ@5PIw#Z!E1#14sZLpxCwY*eeT*b5;kT6`);gf&IoNyT>Ip+`RT_1U4*B&{ z|IUoIP(_~(nftIx<H96Frdy@U=>8!n#3y#0Sh7rKRiIxh5!h zAPuKe^mL9TELP1{sj~}^g4uyVaP9ot;zM4pF;>3Gv=8JHh!GuDW&WP{<>>U-*Cn(^Agh}}q$a{bjCf8t+(!AU6@6V)J8 zo1gB81s0IJeK6)rbdpUjWiuN5->ya^TE;&EN&G~=RqfHKwPwi4*Kh>#0&$FKbx97W z`eMtGo62fpW=IZ}c0-PH^M3&?@i4!~H{Hg1q|f7SCCK5XExA=x_cmBgd`YTIsIcW8 zAV-iIpSLN3K;5miuzpE2+@TXSg*kv)M`Y_fvUz2A%5o}2cCm-~<7)SXc5G95ii<6` z%ITxO_PE%(9c!?PWl@zskLFK;0kIWBYXF_~aJVI2VrH_Sj37u7BE$5+%|qDbuBU|X z$E@UO$f`4u(f#D_>$ZTQ^E>51PYY)cdYfOV>Zh7UEdzYP3Z6P=n)xOjVR>0T==9-N zp-iWVu3|M|(EW`$Q|7~M0SWs&wdpW{YPQ%94@xq4$Q{3zDC}Q=Q}Nl$XQ^9xm8nqg1Kvam=+o8Dz zt4yV)6%nF5JqxgQT`Klw@?7=<3sPhwA9iF!IIWG@ocnZZ^bty$V#Hzf!@>yjA{+6t z!Mo_?X|N?a)A5i>GgQ{ic1^#lV@>P074Pvo5ne=HguAyj!F^rvL3sw?zfU&c^Se-K z-dDM&gb$S?G(3-rm(-75q(cj9y^3NxB;@_C-|#v+MSfHo(g96LB8^okEA-m*pZ4ik zXZYZ7>+B&J7L%kuMdsG*mIDv!l4u`Z35rQNB`b@#F!eJDHB+^s{@8zoD<_1sup#rT 
z>+I%mo{J`H%WIR3I1$9i$n;fT&PC+A+3QXPl}4O7V3Nk9Xc09|EF#U@br_nWnOad}feuQ5@iL*Tz*Ym5lHatb`?pzZmfEtuvv%z%+_bv2Ant6%LnKook{v zrQ6QrdivAR=rHfnHvW6GQJI>Y`Ke#DJOPSeO+x?*g0FL^V}@_9k7TAt zE(Vta!oaU)arxdpR+0m4yZ#e*LYIhKlgADt1Flj0)Q2Jq06*g3d!yb{`rSekRi|11 zq)Tyj-He2#$36L;si^pBrJ|&PccNoUds*GDgp1Ok2MFopP4<-BQ<)^FCUqvoWt7JB_|WLF#&+IGw#BjplV2h}(Z>_FnLOESBd$kYQ$*8g z4d78+v+16{k3y~=q}}*$W*^hN+Yv9oW$?EK*5)dv_`I7(|`@6HOnSoTH)1 z$Qh$o^|Th=QT;ehdgbNf3c3RjW_PZK^k@O|#*+I!8zDhiB_HZd?uzfD_llm=a*X?z z-GJ-cjxbdc&{I}V_Z{B3ziZtsR*MjP_tQ;~3*fln#Q#dffai0PQM0ng$@qDki>dYQ zrO2`J<9TfJX{*%xl=h;?hker~5^3cP{BRQNo2f;r-@4ia_>(ujw8rDQc%^v>SPL3R zNGaROzv_927HaQu8=AMxai5S!%XAxu%x~S3=Nk>x_gOMo$vf}f_SrMT6?$n)BK1BE z^K|qz$_aJJ;7{8;D1BVo2JYlYjFUFVyS(3pGBr(69j8pCFT8Us%P=Am=sa?sr1J$d z4C3~b69=pe^^xe}0$#f`HNaEJJL@I(cvZeDPrBlY*)Qh}hTedl>&$NsS23hMPT|}9 z&6mE8SDwQc(f6y{q_1(9IwZ{^uc$P@$J46T|H`C(G86QM4TQ zOJ`=mhnY0$ACrt8Lbl}Yo)~H7h+3Rr?f2tx zT`>6=|96Y|dDzjmX>Bkx^!sO+s@O02y;$wUUn6VyqJqxbX zR2#BNZ4`%Sy0;tu*Pj$;+l{plV%8($hV3xO%jmu`tmy|+B zTd8Q_=fZ*n7hIRcqF%-HKu9zYMOepcjl2n2h4R;;=GeDMts0#bwKVE$|IhDEanbth zmu~m^mJsJt}{ihyv>PSN=8`{O@~r?u8lPe4NiE; zn2|$umy#i*G&2Q81xFGhpFzw!F8)qR zXYd=DygW2~u_&EidD(4msT!h=k3l)Pcc-ldId|mZZY#t+lR-tXjLoQUzr?V8(T1PK zBpVGdhz>wYyU4gjGwNSj1L$_}d-;x|DpdgkEvKy|D z+>cfYh4rTJ-p|W2d!d7?y>0DVc;(e1RsSAg4!0}zc(;*%K-34zGm`s+#-w3R(ariv zR#oVM8(7vSw+UwYPkNk*1J5`x*EQQALW{=)tHy-shjtDX+7uMBDmTbnOy=FGM5K-H zC*d})qo2hTcWx6a7JNypT$D0K#|!D9;0!W2B^8{1*vG=Cj|YizRe26e^zh95^{|<7 zRL-KyMtZgg`1209*!0{uH+$g@NJfA(BY8^J&s~K^mzs~8rI4R@tGkezuPm0%;QT@q zav@;$500Qd^q+(o&5rRXf4%rqHq`Gu;O>4(j1bPdb1xoAx8O2q$@KaA?6GvZp6Auu z=3DzrTAjqSE|vB-D7^c=i3R8zk2*oArX&hP9Qo@-p866gvdGxN0ou=WTBK3czu(Z5 zQb_nIiIXZk%`_W0S%S*=FPuC1pIlVz9Fe%Zdk2*wSGB4)5j8SDE);v`(Ea zrd!Mn7;xCZ>QIf`BJw?k4md|uK@*VW%aZsQ_JTLQABv!;tQxGK71K_fA0~>^|Czp^4}}M3l?J0H1E)o_Q5yGVA!Ho~$7f z&wx2l$q#oH;jZPCIKQDejyO zdd=;8a+snxu=odtj<-aSm;4_D6k$7N^|Z@JwsVmNCiee(ZhIhi@f($1r!PP`HI$%L zKr|nyYycMu+(#SVZ;}1_k9kMv^EDU3R*3%=VYHG0%wc10y-r=%o##juB5AaEY<%83 
zoEPfY5891qzFH^k@||?<(K%|rkILHS*-d3!S^)(Bf{`L7R5M6G3%8O>v5wmfZ#d(I zYnz$thY@Hg-0zutF6*5u>o<>^&GJ*=n=GU&A42f_DB4wS-VJp99?sO{Sf6bPm5q-(v|KV@BXiptJm3TnN{A>8y~PF z?p@!L<7Wmc5ox>&upTe?I>>rA&(-v?sewH$;B+}3ZD3P(F`luR?c-&*KWuuw14O$J^I+9HUwYY_xL$% z#-O$m2-)Q9PfvEb{X^r@RrR%roB)y9JxwS_a^o@5X1vw7PgbAMyBf4PHTYM+3vI0L zzwIM6vU!$O2|21io$ckX!A)ad^Pdz`N-p!ePZ7g!bx$2OQB8w9VmdqoA8Lc9*E^b5 z@_N=g0YC!xQokG9=}LF;_l%D6jUeV+u21*AXtI0(-=wxnj(HoofskqNnoq|zMbZ{# zOt$2O|53yC%cvu#-&v!(LpkyNvE{NsVf_c~r_HaIzJ{rOYx146EhqCC_8Q!C1O_*P zd%+h%4R3(% zE!2de6zq2^eKkSUqCvo7D%m2|UYHIYI|;E`Y_Q|hvcQE>!=FrDP4)ZB0)g4LjCpOQ zAk8X4VGS*Kk@{4wOUxIE(fhW4H|XUl;T1m(MeDn{|4xo6_?cDgq^4X@4_|8J} z>ffU>WHwV_h9jAl{%1RJoH*9_u0WZ=%Gvj@}r&TuZ${F)@Lf@aw$Y(_Jo>8L{viX*DXQ$l4qJh6FQFSrduzr z>*So34NwK+Xh%;oXjPcTKc7+uC0>vV$w?cEB?Y2&Kr9|Fk#)o6 z9t9>FXUbvMKL*Qhys4u+Rd!p7*85O~G7X*d1Nt30$X@Z&I1udeR%J|;oYWq|mF{_V zbug&&1vT}}sjn16A;CSeb(=CnW7G|{k>GuyrJfb&#+lb?C=@QheGY6HnCj_uwUvTy za0OZ|?N@$Xet~`MvEl$Plr~0zwMaKpq!bsqCRx{CO>7OOWmTM*yRm`45Y9uvG0vD3?8b1Z0+$SO)Ag(YPqe2Xi6-^Sys{0i3*pzE5H z5_RlzRcw&SP%57J&x(R+R7HQ5#Y+Cf#robFoTQ@Eoe+%VUI8yLAht6cRak|4`#t*{ z_vU*abQ}U#yh_DCWc(7%p*T78c^`Y3WfOE|@-dp=#cpaeibZiN?jlqg)(dl+;D^H9 zJ9n`|$O0OIr9rg&J(eug5PzxbGKKX%oT{~pBCVEUo1F=5T6cFlZa13J6SCpn^xP)M zvSr&#hF;(&@1b7n68*jaaALLf%La4jyrS98W=%ikFfcxpz&(!wid5Oa??`XfBZDwT zE_Ev&t!~=%zaUSQEgJBWdqaKR;@t> z(M7RJ4$X1v6NhEiqA1~JK2ZoyzC;__yf4{#A$2feu1!o;H_nmKo&P}7y6FDTthZ1q z7o8$-#3z9E8;;J{qKtLb49%ixQ&mwLg@WvdF>ZQ)7xxvFFzTSN`QWkykGYAQwy<^H zF9?g;)>YhyO+Tc;GxBOf%}5lhA2@n*q-Y&#b#bBkZF*Mn_G---)tM(Sc-SXQ!pIv2 z#IaP9x!Vm7c@}cY3P8P~3YJb$)JT$$eTH#a!EJ9O*>TX)~hwv`A43}heg9-aKW-X&DsS6<+G z&3jwU>Tv<~HDqtQB3HM~)^zY)f_G&A9)M00mpNe1Wmlt!-=p!H;M2K^@us6b(8Ka7 zqJ_aHPFu&e$2PhBBDct+$2LRKBj9H027YVYm9yg#=*!;)gr^ti(Ao8*4mjUOX%>76 zZ)jOB_a2mYd}I^aF22BhCGNXPvzj++vb}e2Iig?osg|pnygY&4t_6mUpt-9Ky_-SAWfH(;=GHin z*ryk%M)ma32I!9i=D~L8>;W%TI5rMC^KnXilrV!&bbG!TY&|@wq6)ddUs`fyKBZV* zd%eF45giFqZ-ILQr+d8DK$h7aNbUdNB$+LjJOk2NNLUT+x8o+(!BI`%+RG?e`t_=t 
z4oQ-Y!+aD@=V)HH$k6Dn(-6;h^BS0D|J~t~ZLsX_`!>Mw-f#%e{n@{kQ2}_Ld79ju zqrYRGtIJn;Z0PpXr3jxl`O@W4Y z3;ICBs}Im<3;3{#ICG#pg?d}}I_^c2;q|9?Le)EtBft@GGJKBuaj9`PU01d2^;kTA zRh03bw$SHzcl!gar=t%JWf*)icdHmPBe)UTkr&c=U$q_`h<0b#^I@a*`Wpx~yaxkX z!PAxtfQ(77p`srF_=^q6SHRTXLI1f>xD{=#)#?m23QUXEU5G<8JqVX@aj2HG~#J0br$V0;RT8CN_mU;^(=j2QTD#E-t z6o>3s+S1?L3zW(a-bkhs3iR6bMoNC#f5+w3RwLbm6;W7cqD`f3ol5V{E%qsho4Z&V z3yWjcZL;RFPCmGuxJaiN)<<#pLxsQz$(uQvI3OdtBurhTB`;M*-t?O(INFXrGg&d_ z{DHeX-JJ^M>5Vhg)|(AU1HVA|rx^z)WCuS{dELyITro>r`7?!%qGw_K#*UBkKZ_7( zK}xi|{H=!zbldYx<8R@cwrK?#{BhPj2)TzB&-71VWsC%9+3xj9<>+(g_?Y7c=|nln z0DKwM)kZ{Kx`|9jk-ieO6H(t0sL?UasbGuv;88 z2RZ`>pD?r8bK?OaRAL!+9g%9LOq)$edOi-++=d&3lV3)`jfCp#o{SKDy1Aez9xUnN zuuGn_u|kh(Z~^zGl=Tdaf|FY*tw5m1db_=`C>Qh8gudkFU>u@I2N&ajvTlTqh{qXD z2#+f^c^QZ$_rS&gUsRkira2KLhS|X(C`nbxWn#w+H*@sKD;GJ$oFKEY;}&|CMQWbZ z%z;a8q`^65H=eW}RtVyj9{#tg;PCFxcEz6qliTkjIuPL94l-=GFH=o)KSv^2Mf2(l zxba5i{Lz2WOef7kEOc<5!JFn8nQE0!s;hKoo5Hb2%60fq+TOaYMfSx)QeEDbZdkQD z&(-@d+EL{xw&P4y6v-xU(e-9!>I7revl$cFa%W-29{x%bjGVLQ;<&7^BCJ&|wrvQe zi=xLVwHBx37<;U=l4(l!U>qS}tjw}8eNnRGGUDfx0@NpzD4%fc`0*t~xZpq-n-l%< z)n^lzpjE1NexP12xhWHHh;)I)aUC|I&|=bO_4&J;rWT}wWFldWA+9DNe2X0m(;s_{ zG(U@-_F{jQ$Tf0VDi`O&t2kbyTrpB4_eb6`H{Mk9L~lz;3=*0?x^xoRwppdwP+S1d9LSzm)MIL$DTOSA%`-r?)hy=lM#;qYrJT?6ZOeisu-+#$Oy zj$GzdqV%*f9aOHbALr#`7rqH%)kbMT(2Gb`@QiYCDCXoh_+#=yeUb$`D*Bg!;+(xn z1Xy|zg8}c5IsRO$GuqO;m&@>yFV%>g^WL?_CX^#Zo&9pJB$~)Ffgv~wb_n6R@Uzyq zPs0LH$>r7*hr7RcK!uIuOVt=I1vDwxq3rh$Mq+e=bB%s~QWsty>vMf&vS~^rhG8uCG=cHFd73#J-u1du<`0(GJXYr<2p3_D&+Z?yp z6!m;g(Q@n@UHxwZ+%}<`x!W4*ncv&(dc2f?C9*^xQ%$7XcR}Y*w)VFt=RhK#CB*6L zI9=uI)_w>$ZCiHsCA@Kxb6v{;r9{_ioQ0bvw`h<$b8e#DF`~(3q9dcT`k! 
zYW*hjmt~H>rqD~2X@PpVt)JyIy@ue)-Q}mmeR&sp*D|P1;sZ{4(d>2}7-Dv>1~@e_ z8h|zxAiUTNeRod|9km{(6+hl3E~~{4RF5Rk2uoOPiJHe+3_4yqx9ThOoCfU2v+VqE zz-_GD#`mXjk42~kWnJSeHIrTTpo*enhw+b-jn5d~!|BeK;|sdV4`;_|Gl1bLZbEYh zXrv+wumr5cA{_6zImyi0>J$~Sxq?O`g+6Tw*+(mP?DQTmcihRy?iy*yvG026vJ6F& z18M=ET4K^u{NLBkJ^B4l-3h6SlQ-&|j}T*&06dD8%iC!lz*mLWiJLU)puVfmCFwDn z8UrT;w?Roy`4qBc-lJx`0N@>QyQZPjDlFkuORDRr z$8pa~p9W#2q!4(RQZv(kw#Jo|&%U}RON~JD z8s~H9LVnBD+ub;xUPB{}eOk}Qns0Q68J0f#O^5_0Z>~nWpsq_UZl^liNYIoy9`VzM} z;zZadMF$L;zF_~rx}aYI47@lU<+Hl5k(Mr5J@hlgVMKa04=0t&U`Bkf+P6_8_3ZdHyC)7Uo>@tw6wj z?Ho35_3uwE6bmEAeBe42^24jD+9a*KFa-Q?t@gp1UMQxx#*cXCmSD?$zdBhDs_^CS z>*lU17Yg-pDFx@wnoqLrJZ#i4Y1Yb)v>Ig#wTNyzFlF3@vvqk*g-UM4@lj3k3@kED zzZa%#6KQ>nYcg%A6cpv!26$shl95Ss3d6r;O|ArVnF2e0&%m8ub|;q~vPmVKDN4wP zVN|>rBp{u!U`adiIH(|ps39SLJAn209yf5-XfMmi2#u@TWpPITf_6WezWe8;1Dh|& zC2E@d30%!F;8+P}_~&%b1(wDw1Q9}yYLlC`K_j4JO4W)|z^VoZbVXBBaw?iKu@w)J z*cV@v7B0L>^H9Vq&^~=pufcdh9zG9HN7Y{-)cnPuX>}aj`ja++KP#sV1aHt}XmJ`V zbvQ;e6jCVaPLq#k{jXF%#jTd+)9<04tze~^X2EZS`OCSD%0g<>jG|}hJP>;6s%7l( z*FX9whppidBP6U?xMc>!0pslqcFA}idNYSee_uWE0IKU0u+suo0iP*2aB=pz38`N5JD zkZMwyy+N>$8JH3%EE9Qcw|4*KIOu`qrf|N0k$^F(!+`ME>diMGJSl+O11^3%fiftqV$c&jFHR_n{~D_bHB*e1Kok+F4%F;0kC&$S58TKaLMh z103~gfmqC=vifZo`r{656RW`wXA3#`d;r&p)wIx|VGHJ~_ANrmHRdk1>%Fd)HNf(s z<{{^#_*=z3X}=}(vD&d-{nUQV7E9Mn*>$tR%Ou+-4ld7O^_XW44HqSt$2f_jTIWwE zdArd2Wz`IvqkWxU!2DuL&&vxQss3GiCBV;ZzXepg{m!?<|Go!|248uShE_}02!^gY zHQ_l@U-4d54rn}6b~C?@9Cue_KV861PwReg@2%)-sNu$4YwxD4cY>B^-?V)%&9~es zc|vhV=ICUvz|dY?HGqD}BAm}9C+CwfMS%c>_YuSY>|Jg78`VTRPv#6ykWLK*UOL95 zL@W#PeQqaCZX5@&cy?Xe*IzW#>$NvJ>F-xOPdi*2$_h3w*~+q8NGxJq1AxAS4#24p z-!xhG-1C1KptJX%Xu{J+r1BcHk`v9Xx-QDt^MxpGJ?>+ZV4UPMNF4{tCT!9jVcJIfxfsvaPA2uUvwiU#jc!C2P zkb>v4lJCSo{nKf~8xYtQWQcIyGkFDm(b*e+M$4Aw_`2N+63Vrjjm<17i7)cI{Scb7 zd;;(Gc!LTkRK#HpWlZVR8$WT^T=)sRfJHrj?(IE3Fyf{7jWYKv9IKx}xrjlRouzVC zmP%MW6lu2pYJhWJje@6nt*%z2ZDYBX?28pswwBD;c=Rk2Cmo_2 zVphF}*6?E9*5u+tUc?JKsz!$0PcnHS>%J}wKASH?!jtl`CU{Q2lhy7A^D|jzvMH4G 
zCrO$bBaEm~oNeBmg#=hs{Ue$M{@M3#{bFi6f|<}5i$8BOjrLgWVRIQ59?()&bhvbkVXHd@UNFB27$a=gER^)RZ&DiPQk z6Omnma~atA-vg9vm)N`YaMCX;6F5{irN11nNLVh=NSuVRq~q`&iSVXFynG2I&(d)a z@y?%@^d2vIcJRiQaWE}!gezYj8IR|_yeAJYJ76EDami*(vBBM%XbN>ArdiaoM5YZZ z_Z$(&^BnTRJYN_*c>kL5gKfYE>W67bnEd^yl^sWZV{D(xZK|uJRCTH=O>SRHN%(T8 zPFpw2tZWw|BwAPIUQ&>C%OJ9iN9`u_cIZ@GB5`*u zQm^)PMxP{!?oqSxt)31LAyl1`g9qb(esw?JsQ>)xf?s1AzkL8A+{sbBr)%E`ev--& za~+p<$&DN7)6BcU%kcO9ZN{OgzrqwQ;&kp8h6LhdFdU-;Vn=Cp=A{V-bf*89{W?Xf zj9;SUH5YVW~as0wMvnF{3o;cP4ADa{E43q(@$PLe3WrN`tKIDt5Pi#^`pFr%Bl#b(uj?N=BF6UP0g@C2EH;EJD$l z%UeAaw-vIK%|nNlDrALCAlo>Z4MTH`$Ump16}|`$k&=Ho@z5um&%5*C3oN55kNNtu zdcJfAQKfP)ix=Z3&-UnTmBm4Gdf=dxd5c8U;J?!P2%fS$yAVtyF9m}BK;k_+sCdSo zVegsS6;$cpKz!#t+Ku3FaN#IG8!XR6NEK^@>6jj?JZIJxXHlrOP#fMXoZ{6}95c+H z6Q}Z5!dw8`hGk3c$Tc|N_u=1*mAq34I4HGJ%xQk-L6QZlG;JFO*|NLXuV`x~BtyOa%KQq&NYCn|F;ODvW_>o;k4V&Tp4XCj+^^ODqJV43{i_J%O#)x@9bYg z^|RXLJ&;;?d|aQ00q#hBDBT8v`v6iz6vhXUi+}-8A0Rfk7r=sEpoE$6ay$MuU1uxQ zo!@g=W(u&zXJCbY`RhLlcb^-Tvb?r9gobydpRIrPrg-oUjL|t>DfyGNFqhNfw^vjY zJ?{9>$Z-sN+QH16uL}QR2IdMaA|?qq8yzQQ)_=4d8id2xj?$ zPYj!y9pC+yO=DK*Q(a%^rv3bsp89L{ga{XBLNQmyfsQnn9!qCyW3o(?B&~_)dR}`j zfZ46@vtC9Vs7)orNuX6yYnI`k_T_NFG4b>ej#TnV0Y5CR5yF$P`pT> zha3E7sN=1s>9mXQ8j#qA1bmqGSmN|8a|?buLPI_9Xn%txgZ1Jb%QVvq9{CEXJI=#{W7Qz=JMi4fH5RH0-1jDt)Q~MZ&9=&DQ!?FxtV|R_-mp1+RJ+i$MnlT_ zytK%DnNeaTjWJSu7GlchWDLDf4;!O(y3<0-_;+rJ;eg;jj77W(rPf2I zGEQyTCW!c|(>`Ctqt~Jpk%-Qr#m7zpIKX*}nZ0rI8gW?^^KSa6xym#r(o3x9?v--S z$~w~Yl>bnP*tsgzZk1=w9>&qPsy#7ibYae#NB?T)REu0PWZGjbehExXdu@!XD7;H$ zn}I4C4H4&Eo*1ZSGR5hc&t0kC%&;=mbq)D zTx_6f00zd88}p`&coEZA6_%W-w;~r^4SGg+r`pyUFDTW7j7A6dQq-);y{g~g9UO6u zZs~!S3SE4e7T!N7-SryIf{B9ePc2Z+G@V=_CiL)C{snK}`&7n64oe~ipWYIeO+ZDAUI@svb*8J1O zKcy2Di`iP7hqzm1BL-UJn@~0}b^{f6965pbKBZ7$Gv=}kC4Fsz{bVM2%jd(j0(%9; z>n`JZ3FfQ{#M&}Q2S~RQ-nAJDfa zyJNq2Nzy0=Ml_Bo!lX!R6XrGw-!l|wc=xNjL)*Ao z7|Wq47gcK0hKnAQk^Z%{_=Rd^ldscUQLa-?tPW9v!Dei+@<;4;TN`|N{eHZy3YK@K zr)*T(>vQBbV)=x z_KTJwHWjv5_L!di&Qr6Qe^tw&)N%4LMq^4$ZD0nqaM 
z;I3gW;3jw$z=8;Gj8GKDd@Y1m-FBHQ{c*~O)@fNM`P2b?E9o)bu9@`y19%+bT3)#> zJH7N}?oySn70mWMn6w0VIeVvtl3H6F>m62EM?dMZHykL(=rVuYMu=`@aCHXEljCU< zmm0Q#-=Gf<^)-9;Mp7#4;x-bFK^n>qUFT_h%icGS^u(xz99AXbaGCe{g|$|phcn1vkrJg z4PJpxP*MxCmMPvvmV5N-Rf+8dV8R;6e=Gb(bX5L^WVzvq@;cAe(IMEKeS74_>R-h6 z)OOs@h}L~iz03^wmp0RkHf`@`nZxI~aU4xq$OX8IBo-9hE3HW3E&)Gm-E)1=fg0|E zOZc~iF8>bT@w`udEOl5^0MWSjr?-9X%M6RRg?y%EQM-|SO>Xb6wX-@wr5EEkAIzkB zw-txY+fKKa)oBdweKQ^2^Ed!rOVA$kVL+#|F>r(wG^LpGHlUnh?|cUhpPbz4UH@72 zrN4L{ObUD5ZNbo)W+M9W!WmD8A-LA6>{x7)B~|wW^__c!+pRy-JX@_^8_d?`;E}cg<3IMj zuRl1)9DQy%`8vBrp8c-_mr*-_qRD!DSC4_>S^ovnKc7JQUn*GAD8dXxcq|lab@;8# zq<8Q4132yzMq?f(?@3Xxt59jw?ZnF2aTfqzkyOC)ql!>#Hf6jaC))JYa1gTnJ{`Ty zRC>SnoIKA^`TT?@@s-!7h3n`|we7wxTN-$CskS9^DB&cP_K=VObdx~902YCtl8yq?Q zq~tI+MXFx7ONMC)QK&jhBS%3zQ(Z0R#k$DSmzxmAL+rLqe4{9aU~hB{xfGReN(YHY zn)f-GiOcBa$m&*TafwSTdsQCs>V#Ped+Nn(sx0$%uu=jXuGM`qTlW1sty-DwNr=M7 zXPBtH#dC~g$g=o{2B}%?*28$plnUP84PmHV>Q0@#7ADVlV5v@A(ji$B7(9_a+$gZ_ zv}hn$D}FlvqcIJE{qon{J5N4CoM)Xhx-iaUxO+-t_*8)`E8fCEzT+oZQ~lo-YfS}| z41q)l6>YJ7f9C5B8BeLh6E&45H^J}y?3jO*muXC6MN(VwZI)T`MCW9cEM>bC&A+@pvk}wTm1_D+G=&Ow8kirGUu;bcE#=7cQP=6cu z9iRWb9u^Z~_IV_WJ#cB$d+xRSZEB1VlaY! z^Em0{a6Z_v*j8gZ_F1_q}|~ z)&ZvRNh}@Q11C7oypTAu=LWrm8_n5Ry-J1r8mAZP`j*% zn$=ZDd|6EzH&?>BcUGS~u){ioxIi~~iAag2(i_1&*PtspJ(S3&l(N8#&pwY)w=>WHIsYO zKUqIq(C8Fxo0b2OCA3P8rd4NgK)V0liNd!<%NGe@`u%(Omfzwig9$tA5JH@`>xWrM z!xY;&|Nk6t*QeRI?o(&|@n4-arn%3#gAoQKiUGcd>iY!LFu)C|8`%vh(RX8*U}@z4 zZFR!c#nHqQFlreWe=8Z;^g3^TYU&VOI}e@N$lSK<4H7-8EeP-&`0#an4jMP$b4zI0 zvJ!HAjox0r@$i^$!Q~U)JWJ^bn_0WL658-uY+2Uh;Q?kBk#3wuc%N_h9KqFWy}vte z(S1C2HB`TO0bO(aJ{_=3_P9e!g0_rz4QvM2hJf`|MWQF8*_Y@15WjxjHb-!||HSJ> z$oSRM1g;ElQUtf%EBI70CW`a3JW5|vT$Y}+c6D!>^ilu4vLE{Vs(S@fcjIo&@A(C% zh8GRs=tsFj>erVra>)ujbFUF}NI^m+E>+~c)}_C6zaq~d7BpOY4gV|+nO3EJUsWIZ ztN^O$em_x+UO5AmY<1q}CMdqmi?7NSw2*EcR{8ftfcblFH_*@ya{_FuaL`bD?qTe! 
zZccPZ&iJkyV4JUvBfXceJ=Yu+c|BS_`(FZ{cHe#jA6ll2QPW6#u5(*~Cd2bfE^l4@ zz%#?_x3&A0YR_J#bH6uan~{`h9pK}nAn(!E(6qts2zCCx08rm8C9Ceb((`4jgtT#^ zX1diT$sKN7al|*vJ@Y3~!vy_4bu&L0kp}IeYhiLk&*!PB#g7_=!Q&$2bnD~T&uaiq za)K;4Nx?w(b*jP^LARzYy^i*MAt#{c_I6#c_Jwsei@7o#;Cyd?%F3y3L1ls-tHCrRwrJ2kONC}Ew@`IEflBy zT@F*Wz1-M*m(81Vb6x{K{_8oe1^4DCgHirtbdvluIw>CttG^8|0^SPo(I|9uzE5?2 zs;n;)AfatBa9`m8m`P5f74|V_>i6?B_l`ZPO`Q(iav+NN8U$SXtW`8)mzr4r(+q)S z;x86)fy%jVeY{suM9Y4qSa{J94NIm%kuW)5gFq$8DJdXN4LowxH)IB+Vs$$sCyjPJ zCyAS|0oUTF#}a5nHGEtuBpwa6d$TkGSsnbcJA?=;WlSF)f|I;d99+GQKSz<5tU(Bj zUZwlB5-vR5)yAr+DAdS=Cs3(QeyfZ9?3%%SGB_IW7E$r%KYMV@=t4#ozIv^nr&c8< z?)XV5bckwse3)4{7}zQtN;sgi-!NHty75;e6FNl6ri{O{8^YWrBZ@Zh3(+Rte3iFp zGgvGr>0HI~E|NATQC@7HGt#liXGlV!LWDyJQ{Xb^)iGuN9!kf;Xjx%633%of_-4Is zKlHzt`ljf*!nWHqY3v4#ZQIF?8{4*R8;u(~X>8k#ZQFKstbOwR=NtbyH*;OAyEVod z@B7SWLOGuqR*VTD5>a43^`DslWvob2F<0%%oNW8Bkz~>m51IJ-6xn=yA<+c5K;g|M zS(HoJQV64lg0tYtJdII6Q76kBFN}6Q{Gjl_K_Mppr153>GTE71gBlatqMf4cUkSwF zA{z$W02E9lcw!M$R~ZDds+3Vo4dfyU_5!@!MuD4Bva9(?Fe{?!g?I`MMDzV03ioFx z6UM4q%&L6!YD0$9!{5=$lgqJ5>C*EJl(6eCDX4_MLbJaw+*V-o|7Hm-*Rx;ihL-sX z;7WDADy25vymQf!4%7^zJqZ1w6XRqYic29Jri$2mVOdw)T(mWUSR$%(Hye0B%kghY z<}HuyJZVU*RCdsq%~Brj{{G7j@aX^k>!Sl*`|d%=e96Ci^#7Yw(SdZ^Fb0L$2j6&V zaH#FbqzvUosI4S9nG*}&jGKNp&E#y<{0NDaP$<${aA}xFy>sc3K1#w{YB~kCO8J(v zGjXJlimGrnXM!t>Y&+YM?86^O0h3Z{^zCxSAj(ZR)p>q{Y3jbrVkV_Pv6$hhU*L}e zX@Q1|G+YrjHu7}o4iP^=ew#Q>mB$T}c9aNwh_Dni;=>|c)~(s7A^ z%?Xjpr2;rnhV>JuYT98{4QD4~4<5xk47%iU5t;1L`lY`sV!J9(Lp1E!L8w^9twg-w zP(((Lt#G|56??TtOyx7z$n+ZX$;B&QnQ7*s-3j;{=Q3UEY!xwfQ+b)J+;UVLKk6zx z1$)Ns6hmYiQNHxWWXzned>|pfLvDJ7(;o8<;1!wQRIz&f^Ps&(GVxImoY&5ei*;g@6A# z4nCFP9a^sF~H+po-$lYVlSU<~z^W(KR_T7XQR47gP?i zw6cDq3+vtQX1yh1Vm0Ckb(=C$)qctYpFWQ<`%`8f!<-v4s1ZQ1|4m@2-8R`mou!%$ z7OoybqsXmbJ(;;_R1*OcA;>4Wxr1~#UIg#}X2$WD$f{eU5PNvEQHFdIefvDLXC=`T&P?UE$^V59b*K>I z1L0FZ!$(g~%Gc@@w#K&Vvcx^E2r1y`}^lk%=&Aw`YkT~7C%?ZDYty(%csC;NA>d{s&tlC=TnZ)akd;hY-1RzjPk9uHVGrnXs?U;Q9Ir5UsezlG-51>~uU3;N5;X 
zV6^wLpM5(5-1PZzF4^n8jv>Za6rk1IX#@57pHA?fK5wrvIrVkT9fs{z+;H`0K!cLU zI>kD!Cok$3t#7pHVhrmIV>K@;#ytYQw}1=hox$t4C&X>Qk-0YB%~}=)3B#&cZpC$$ z^AtqM=U(zw_BQy`x;^=#0M&=@)$y0ux4CVv?ettN8igbf>ur>uG93ARQ_#uO8U8CYWoV=1$3tC*51^7_SQnwVHlOu zdV6~!#MxEa-`gClFH(nB>IQkdRC-S+YaE9+KXQ?<$19w?dKu9 z`)88{m%;ZYXa6VW=2;_Rj@tCuM%TPOr#|YY@hScjQH_uBvN7j6a5p#W@&28>rQ>0Y zpV9v*d?7Fxxmx$F{Yi1Z5JJvUC!P0ca4H7iUEd}k2k<;ESGVnaXfUq^R&-%@eCSwQ zdwpkn~K{*eEgS&y;r{yQ{gq8yoet496F3H)2!d-{j} z*ft-?@*gYk+QZBbX&P@V=ryj6=waJq_Ao1?f@;9!$kRVd8p0Q+=J6v>FEFgBkRnc7 zv4kB}c90s4z`VdBzKEo4xk_3uA0tdwl5eSD z?eA>w9jr?Fk!gGy3jI16RPi5$lttIE7%r9fZ?LEIsw{kijK+q|IhZ@lGe}m6y<`z% zIlWC7A~uu;qoE`!9OJT7fYa|`B5oQ5H5Fw?Wc>7Eot$(M24(tc#)Ilg0f4#lV))4{ zIzIZ85+X?!W@ctl@>w2wFQzh;Oo^Go8F7K)5T-irr~;sbW9-5uCVDtZuoa zQJ)F1%g?aPC2E%c3Fr-xK2*WL8{2fMp?ZU{M{vG0Yrwj*(+`L?WWGRV>qanv3Y*|u z`!3Zy(tb`u8c5${wWfZXyGLpL8UN`{-K_WzN1UZ2_Sydf`u*tTKb{}ZIpFS#SlMmJ zQy*{5nKcTil)!P-hbi2kLYyB;n!j6sq36L`#pbM6j9`=@TjH$UShy=2HTHby^pp+b$E55+-$6h~{GPWvFx>;Fz{OJUQSGr&QEQ6<%* z9}`olNN^I0sc;x2-b^isI+`lHw8+fnqKrpQX-VGq%8+GxX6ZoD<$fZ^Oaeil3RGnz z_(ekY*d<>s5+u_j#U$%V@lse)mj}(ZJxywaj&|vn{X<;Y8etU!QLb$4ufY#TA^FVM zbum1e5)xGusK_c0qBYs1_)Im03+Q>pemwL^rJW34?bEbGxsc|K96q;sNVUnL-&)%y z`{_?2r{GYps(&-Gi(7>@=!HPqAX^&Dndu79(&vJI`D*kl#s~D3Ge$e~d&QoEejx|m z&1i8RMI{Q-fG5rt%RsdvGR(KhU;V=HKV4wwpy|I~e>dnBlWH^SR#Vo{NY3*ka3`CG z80ju53BPsVvTa**fd=xc1N)bSDi4 zr9 zNw}KfIm8M80AZR=b;gscgfQuDWbrco`gxsL@DnI%k{84F46oyVS z8TQpD9NEuPX2Mn{e4XEsC{^W!BWK$!qR1C~du(hmvu@277T+m33{zoOP+wr-O^O#tjsIs@W)Qd;pOH#0GC_7>p%akF&50-z zNrCsfed4R_9Mu@dvZap5mX>jzRZ@i2fDJ~qE2bVOBRuKz`^xBpAUKv&NdU+sP< zP<`Ein z2I$sh)#=%K2(b#tX?V+S_3jV%W__4D$c9+n^1gPz8ZLuicymZaYBG83{gondRY&1{ zrYx=J-uP??>=Hk(lR120={)T2$n`t8DADt|Up~ig-MZ%3Ed3yS`tH6-|CadBmi@Te z(lB4paalivTD4P+2)f@}dS9gd++7fn@4PH?)$={*p6BEPmYX8K8os5lhqyeXN67;y zJ{o|3*(<`~u5sgXU6*JxyIcAD6g1Idku4h@tV_S?iCf0c+Mv{vqD%v74`fN7(0}gTp7J4iNKO3VuBY6(NjzT?cyoBY{0H!`H(QU(4Nw^(HU0NHI@NUT=_l`6WQ;sR9-FzrB|T=$14W zOP}3~UeLLG%DWrBm+WXBv~EzdN51~18g#*w822HRJ%{W_3d|B!j%(#2WyX%AEAH&v 
zNuCK{`WtD0ltvIvs+4IbiH)dyOJMA7M3MTfHlFa8O?y(!Jv$!^HA!Uv%&JA)Y8da# z@3a=wl~HVZo!$z5B;a28Y#DQ~aQZ26x(pNe-J!4wJq2qlX7qzqH>)Ml zBvz*WQD`oel@>08CFB@XEV&l% zl|jw>U2FC>>+2#NHeap@)#rqVVF3|^Rc@S)KnsyCBbOV*Ul?4g*Yt~K;vILI$O;SXV3C}atSVHtK zxI`hS;U*iBaw}MJT%poG@^T&Sej5@LMFJ3uVIrIa10JKphG3&kiahze7?~>hW>zL` z5hfK|y6B)$I+(iMuLZGM+T^j>`|l{j+2FD#*$r90J-U% zBiw{m4(bB8Hi;;)PASDQN+RypEtp~PZ1bMXgbKo3m1q^u5IC(W$=Y}9Z>rS8u%orA z9Ke_68sm6{p$^GyoahHFZ%aZg<0|2zY38A3xL9eYX0(WK zRTE(5>}=u7tdN+C)-H;p$NPd44_!)VO%yDNHMd1p-Xocw?HlMLuxvSvmKdc28kmyI zcp-{@%XVru3d9P$B&#N0k^-3$J~@qjpW#204%?Va-=|)i^MWAc42Psh^`THSMH=%M zktfDn=#um0GAqnwoc}`5UiApKjq0#Np!Nd2!^E zpA|4Um>uZIvgQdSrDs)e-}`l{1dEuvls5O<4Ld~9ho@u+tJixN zP@OlYNhM3EEY?!Zv$_oyU^XhB z2drQdWW9y8YwzM6{o-ivVn`-|#GsQm4-*<>>2DSA`3O^ZsffmqK3^a78@{Db*Fh`M zIv5L9u>i9y^C8dw!m+=*^d4w=9Q5Au8H_e?{7%UYe7UYE5^_%IhRbMJ(9C_AjvWw> zyJ$N+em_pCNtQQA3US2Bc?>%BZ;`VDx4oy%t$e%wIPOUS1uA|I5*P+}`(LKYQxIcO zN+fK&_Ne9nsC&)vHIM&fB8T%~46Df9FjMIkNM@zFgP-@z>F|ZR*TnFr5p$ zZ=;Nk6L3xBukkGF2I@t$Sy#>JqxpXT%1iAL~^u@_D&_~`?Qt1m-*X>=t;dRf| zebuHc+PQvGIWJ2(Lw!5}Eb5*JXRSNpYX=ycJ3Ka{?7Rq2HmTZ{DJBvs*p(`}=Jg4? 
zUh8q)zsd23t`)zmM=^GoW8Y?!EDNf=FILue45pOm`n;y^c2M$hY@O=f?O3P01FPTO zPws35+B_C@-8>#2zq#9gw(TdWF8M&VUOcdCBV)!2aO7_6PE1w#cU;c^I^SlW)cLwI zg!Er7U!MFrOX?p-OOl@O^lOLN&8PIum(Ll?=vodhcpp6uh01PkU$tRry-%V7Tn%fF zUC;TwU2fHbO%V_fPi=>jsrGJldMj%g{Atrr=rVRw z+R^N>|L<{lp^6cKQ}^H&^z;n!Pxb%Q21(|Rel@?R5t*HVeCRKGw8!NzeYiFm-;Y%IFDVM;Rc zgrW#yQ<^vY_k`QhzaXbzwK1rSjCh_-Rg+cQODY0Ne;d9kqm0!zj;F+o=n~O3`PI#=KS9$MEkqKNpMMaTBp3UaVxk(nW|d5LbpG>Am^XbEHEN%|SE`g}R7U46<xuNb-yEIwZ`I_>F(TD75hYkSN71aam|c=b-Fr`$ZrQd6396e^zF^P~r|-^(OZ zhY3=vi)ncvHJ&F2$f#)Zw=O7-;XpqqZ;+LT1#?wXyc($5V=7C);mBfST z3h;vA%>&0h^y6w<`7B5K4fRUNeAA+#yTZnUTnnq#QDQBy9W>a;Sd|3l40hT@-9$5n z_DKwa%W%LQVbdlwZIw{0uuj-R!Ptp|sMic?5~Apk?M>wU-@Rs|6PcyJSiJ5K$YswS~?48@4W;=b9<`qx{@MfU?=A_EKsIM*Vfs zEEeJd@}oqeB+FtgPetp~1$cXHz33uUvcs= z*g8`msi$FoV$e6wgSBC5tE@63z=PUVyFU5TrTN6*5)BT7HX%B}creFhCAqXq1_(Y`MU& zCO7Z9W)u&N{$35#RE~h93ZXINYMxYcCBk^XR6(efS_g2ahOgOac=+Ad4l3R&hl87CM6gYiNvx)L`ElQ)ssUR&0P%)SOK30;0A zSu&YYeM*LQGGKnX@Jf~iM2|nXX5;si047e&szMdUJmY3OL1}e(O(H9j?E5&uDG>0}FRTHIDT_roGRNra-1kt61XdCBlD zZUdY=h!%V)aEZ)d=J?&bc|}HKrew7xw@e8Z-{V{MR4R|b0?SR;R3ImtUCRaISgInZhb&2>+imIXQ~r3_DMYl3f>%8`HHjk_ zC!jdAr!cI2u_h9AV4RLalcQ9iTtl}XVZz7oeKzHvPxSpV6&mQ4os;#AV2%BljRAiD zzJEON0Q3hqHp9wIt++FkEebX`ehdn&{8RS9m}yr_#+xhp1NNcSK{}?X9dO2{L=Wf6 zWAE8-gGxxAU^~@^BSb3H6ijmmQ<&_z;0 zC0p1AbQ`PhXKw#s7bcq0&(89PVb{4|)f~;cR`=`AlaRyo1%{q3hbA8HP5e|} z4er|!_v`k<*~PeRSIowXBKw-RK+s+A`eetkSmn(!_jpc+rq4#d^Vf}JzZ?*{lDFGQ zKE<{F!X78Hd2^2e+NDaV8z()ETjD>9{?Kck-0o;wXM8lM;rIHqG)APTlNU zJlTJqM$WEVyX_!+93fxk?B3q8n>3DX-w(r`-mKKpen7s)`^;-u2s;n-w_HHxw%-&< zr++L;>56OL-E{SPf4g+pK;<~&dtK6#2RQwMV_)dJnFD$|AG9ktv>+_1fUbmhg! 
z@>HYm^zM%X>e+oKME?r)1R^%oB!KqURiHsj*`P298~9|N!HAXF?u!?DCZf-E;C6S+ z3!oM~mAHx&O^tl48^29Ymg?lPs|LQO~Rn8&{cP>zo11pOp1UF34xOz<#yie3=%E-7QNaF~8 zqzhK23zG(U)k?vmRi;>>NL7QcR-eTPRok+?mDwP0g0&?Ekf1L*@pA;>yR!UHu0w*- zGE^9)q)M^2UJc|`GUQuL;#m`A1RBjpen^Uv!?I&EgDGIAr)ZOCWBj&qBl#TPJemZIpGD>wsB6XL;H9MPD|7vB|3@y%mk@bn}7ZCpIiR%${qMpv##H(|byXiK|D*`B8Vhs=+ytUPP4Ek~Mp2GxfH~hxmAmRu2BFHe zOb=0^3VpJ*JEQ~+O`=p(3l;a@iye89DFtMm>aSgj(C9f1&C?OcHWBWi%d$wgr}{oB z=;a2%;7bHN1qJC?0Gk2>!CI$Cv1GOG!dt%@+Qo~L|AtAa$}Hq%R)$QtaE%Vt(K`Qc z=L#pd6E(U9=$Q9n23#SNS7MDLhi1A{=5*^|@r6ZeVS&P8XVV@Qsl>oNB5EVSkeyO_ zaYO)kyY2oJdLLWUMmCAK7|#Gg&u-Rt0F} z@cSyMkP7*+YT@-_ETWb~siLZB-y?a>Ox`B-0^kMK>(Zcd3trMH=KB664~Y-{&1?pf z=9ka8|5j153)z;xKiD|8aB4^xOfG=X=)%3I5JLeV!(q;AI-|*avSui<6f67r_?ot0 zeXkOW3;ySO6O-ndcbCT;Ix1%7L8YPzk|E*)j-v_2t0li^nCEaFtqkRI^2>KsS+g)b zmC^Z~!tZ|_DDeNbH7fgsUIWNjF6jn>eh7XUXA-_> z`R6ZMo=oa%`rqNYTl_G;l5E4!d!g>0c+dUVi(BsYt!!Sdf9f_M^!fZi?$U2Nxxr1H zAgGOO26vtfUGtDGc)jv{BH(`tD~emSdL-!4ysd_R#9z?s*^R|V8~%9iAMj)RHvV@* zO1;MA{728Jf9-|S&+BHV+xqS6$MtaFH2>>aX6Dv_Uc*{)OZLAWHTdi9oBZRW_ruDf zt=9LO=Y&1v<<+OFrZ1sd7j7rKe@A%dD$XryS66P1yM_luY!<7$=H)-%6ph!cN2jGZ{B{(T?crLu^%S%2=mvQ4?p$)33Opry~VoRbNjH0-LbU3kE6_jbxGjOE7; zyNAUV-#ovB*YKE@E}touj_b!9&k^@r?%TjPzZEL{9>-p;^!9tJ{UmiczTIkb%t8Oh z&c~I_N{CQ?&hJ;e2Zdi9k-Nh+*`H&`LF<$a9hoZyQQK?viR&hB@a~-r@?+uZIsA9a z4M_YR=lg(a0QYe+dDgNV$LIT}w|dTVxN(v+j??9O@%PyboK=hFAr z6~(2?We)BK0muQ;v}S0Hk^eIsU!HvmR8)6eMfvd_JL%5-W_u~msMCnx{b|>i?)sJ< zQ_T|&I6wgnXb(AGcR#IVH_P_itl?ju)9U!_Qjg=gjiv+aO_#J^?&cYN49>Har$1M@ z-U{If(*dZD0*+n$+6&%K7kux}U%k=~aL&2`i#N#K|E1+0{CE77LC`r7UqZMynoo${ zi(4=)UrIhfx(up|SqPBk|#PL$^B}e2{ z0_Ozruh6PQ;cq3vA?SS8%tKC_+%A2>Obt>bO3s?pHc&$`QGpPPF1CQ=fqGJ#ftPQk zGg_318I2t>!sVR7NIU;pb)dq9g>ceD%HmAAl=4L-M!+hc$TM6!5?O|xHuZ82`G)P# z79Rt$YW?D`S{Z(u5)o<2s2LJJ9!5Yd^NA-F<(!*p!OAb7=r#t^u!=VMxPr$iXEP`> zP!3U-^>WJ=SJk5uy9XwaxXzMTpH%t9%LTkhEc>M5P>Yb!x4hL-W^9ttMY9A^=wR&~O+^luN4!;&6WmyiE z$j+)huh-R5SAavC%@dZWO`bpq2vnFlPCKn&3as*}FkzcXm?YJabH*u>qb>9#ueYiy 
z=Cu+{hFSwk3stW(dojrmv7?cBe#wCu);VbHe8IxLTg~xkp!KW##1DPA`;Eoq+nV%a zp_cg(oJkoEX;g1?lvk$r7_uTk4nmWdh8ngBg-f86E&ViqUG^!@&Ude`El=unKVVL@ zD21WkPXlX##Cbejse?pL?l~*f{U;ii^yb>K{s6SjC zF^*|xI&fP6Ncg;d41j0vDPIgTVrGG{sQA!U(J_SAzlc{oFmohXDsuM-;-_`Fu|gGw(-ghm;Yt(GCp zDT4;woQO9Tj^nzrbaUxUs9=?L48p`eMX@5+ZYV0qm2uNvqYcL-65S-Cf-@EEE^zAA zL}n`ur)ex~{Munrgm6`7{5~uZ(H)oP4_g7=hpQ zdYa#?Hn3U>gc<}yFZlG&DRn8rQ+kDUYfXzTpQ2pJPhDwj!e$Ejvdu!=ddcyXszhB9 z2g`{SE*8(+^kl}V`UC%39#^e6@apzO%bMX-leQq8+QCngw|AXRPB)(w!JNGvkl`=V zL{`TH>P$}uc?`zE2{D!x|Be-qINY<@46=$=N~-&w(llR7%KQu?hTeniI%dMUN5@26 z!9~j+sL~q|>LtKm$yES6JHde~3=!&qOVfmUW(}K#&5Hlp#ulfBHM&v;KRy2Eu!I5L1X$0*Z`}D~S7H zapNTw@5vDOhTGLON_)C`-c={O_aIU&d({omIVwWwfB(Dv`l;JJ^7%ZbePv(0%B}aa zhjYvB`lG~GEt|KSW#zo>$=;fgB*f#bvh0uf9&>eCg=^VY1AcC|}13 z&U?-9eicG#*RI~`HV<)h9fsGj5Z{8|-t49OSQfMCt?usMa8}RzxmWET&7ZSc?y)mO z$mew@U%RK)R?svtW!>cz@HwMh($lntc7*HSIhfP2DAD#9RMJDM`(Cf)DRLL9cXwgs zvvh=9W0UKyZQtTMpy~Pe?eo!Ez&LC zS^45t33MK^hp}fm-Z34a1}cSJD#@{fS%XGq&ffFp4g`NZCY^6+UE<9 z1~;d6J$9L|?TC3sYKZV!La8S!(f?e)4e{_@J@ykwrR!U+a5d4Ym}7RP1XHX?mKRA0?!=Y!~H`L(|j%^ z-2MfO+@F9L(6+-T@~!>5ImM?x{pFW9nBGDb2!URfd7cwO8r4-H7lVhS)Dn!m3^vj)Gtrmw-GDrV=ATq(`;< zT+2zL*fqYvq$eraAaD7!CDYJ7znLa6r?*&==s4c49#4T<%Sl^mlf9H?l_JZo5Y~=b z?j(LkT@l3?g{?Bqm`iqL^6dU}--!4mdPe9c7%sWV>^r4&Tq#z(c(-MEFc@Jb-k@FlHGtL47zI;gaz%QEahb9&%8hLc9OD;yGX_a z7*1rfUmpje(ooNhY|MmN{kZ@jUWe z0bgG9F3Qjwzd6}F?-di&B|m zs7;uFe&MNI{;^n` z3r;G}59Nw5#q(L zG>NZpp>-jwKOY``U}VJQoQGFbw`FNDUwqY2T2BWH=)sc>#7q zf-543M5ZKN0Kyzv=I6cQa)G98<;Y_6_(7FcyZyLkhEm4`%BW#uFdpR4}Q&)Wwey023N)AG9@f8eSXBYgAQAzYRiLK8s?n>n7T zw|I>z^&Y`G!H%I0_1}n&0P%`qms2@iF(zdJN2DLyjl|R#^+I@E3l@y zjmPLzaU}RxsVwzK64+uc8f7GL+hK{_a6PKD;_w~&z`HUwph7vgdc*d^=k2l9;-f}IWXeRteiz9Y&N{`q z&-ecTRH5}_IDT-}AI8EAbbW4-`;;r2xSjhS)ma{sC<+z0;@5cl=j*)#OhE!!1Vv9f z2(Qu3!P}Divs8qz)Aewbuv+^WrPCDgI@T7+_aTT=-}nA#SUsj+wq>&uyR&Qjy=$i+ zT9$EhZ{-524}uWSO6bGg-)UTulhF6T_JFkI{c+lS^XBSvnAN_O@ZF@LYD#N=wuzC% 
zjeDEpYI80+PV;v5$=`Jb!#l@^*XKCUy>hnIV|5V;_R&pmD>@Lw_q3Z6CAYJ#c$Sx#f9qpg!H@m@MsmuE(wksC(K77U0?OR`RkoO>{*j-QxB* z_U1#({P>HqgalzO2z0>!#oZrj)UTEx7k#d5OsHfy`9dGTxbxA}Zv1Z?@*#Ef^A_5=nc1Guy1E zWB;=6$F`6ezV;cAAVaQ>!~5=?{?o64*1)I)L4Mh`cA<=M;Kly7 z2beq5GVR|EKjkM<*oq~;TnT>;*z0>n7GG`5`UAnMYNJNYPX#6gHk56GM_Eu8X=(#? zrjeF@=cS2He_v?Wt&sKU<*kC^eb_Csrm|!~^Ic7qI07yI6#tvSNKRpE`Jb{;f{R!l zlWYa}bcTu44K|6^_(9lGyl7JDKWhDg5z*8!`2v}!RIspIgVuOy?RmFy0( zHYyfp36`WCRro`Ldw~V5DSx$(Vj>5_do#CbC!@I*5@4w@dW%*au#OJH#4x(Yt>mlZ62*!hjdZWTgJq*PE7Dpt)0^{ymfm7+{_w5Oc=`U zILZt_h*;-XbHOo zu9P7Zs*jK?&p_sFW|6Ya#v#x1;%@e7&LDfOJQ^cWk%LlI!hYi8k)y>NW=f0}V!{7M zwrE%IHT|e4rCNz)E~Xn$EjSerLmejkf%}!kP+G0Q&Ii#V)R@aur&v?JquMzn=j*z}^Xg}gllQxp+*a;f{lriTn)u7|} zw(@(?sch>Y^q$l0Q#Gvd|EQnOfE=DOA2(YuHYOXj?4 zqHzj34di*z=Se7ixC;xVl5o8g)BkzsNm;YoCY>3N8iuNm#;P=O$&wbcnl=y%as!Z; z(0J%j7)~q%#7p?O@4}R@o!F}EoQ*WpGg^C#C?~b*0e@*BWr)ixTjU>Y{%#az5Eoj0 ze7{Hi?B7arbjN0oB#F8dgKwJh*OKJEZ==f zJkmt{_{r=al@TVNm<5ak9{b?QW`o&>O(frEu8u#sA zcAWZl^r|_~llNQb`Si-c45fPe$K&|6-}8g-Rz|<8@6g6>{4i4cev$O{%WUy+f%V}f z0N}J{HkvJ`<+nIcK=@%>_0#lL%H?`qZ}TxRS5D9C69p_(`o4y;C&VmgVg$% zHlDI}okhF7;y;x+>lj?X;J?fFmSoKF{Ng%p4-B8|G?b-PXGGr#dfNlzN}R zA9oa&=YC$>lJeJ%M~TaPtwBgS9!tSM#!(}z`G^A8%xhF3c+ia$h&v_XvlnmCyPI{N6|w>;SNBdrsez4 z_GB>*@;ue`Z+m-o2fFdvZwV0Qx*f7~kx%=Xv=J`azkPc>Vw6w+cn*!buHA#5(5k@m zQM-9XtkLZT#=OhEvFG@=br|0!4UfJ;8Tf|7zwSWePUt$bgNl7Q>}y!;pMq1m^>|*= zkDFIs^7^YA3$6A2j}}aye4g4^bE)jW;HIlR_bbBMobKMwZ+x}wDg9c2dKD9BWA=Co zUH4DD=PjE)pW93E@~vL?#8&>Jw;;=ReS~TM%&$#tQ{z`6no=En+=6{JNWzhyj*bf= zX0lIz&A-rJ8+5#W0$6b&j*_y$iC+kP%>B>VYElG~MCaJVvOeQ5B^sE-ds-i(W)%c^ z=}4SA>+5cyy=jvdfi#+6@1~7zb0FQ8apqwNqZMNkCM1qhbz0E9TF459G1yyLZ6+Zk zo*Z`No~5%*7deT36s=LOb}d{t^>Bxf|5K*-%s7nQifGbn`vBhJ+a$H1)tY^Wa2fST zQnH;2hBZ+K3@<~PqNHJ_Qa@0{wfz~Lzl%9!d=+7K5;KBl6T98E=>&l|pe!(C%K^wA z&si42O4r_Zj|d*mKz0aT?!>0q%e58}w>7JdKqfoMa6did&3S>r?0Y!w zDorTTycjzSGepIhaUy}SEac(uI?anzG=XULgCnYdLIDO*_UWtdWh`8!W`nm5EV>i2 zY~+I)o*EKtNg7rq)(*qdKWCh%nWzd>$DBM!i;jCGeK#^22W3>*VDK*wUyUmT`}i>e 
z(ph+QUy;sKrp9q2ika9b1y$P1DS11uS02c67WNb&71w+S z?FS-+A$H=k&_vKvE49Cw#`^N92hkMjFvxC4CX-O87g!_0)N`xDOwi@nU^zgsLAwNv zU}@40z=0)FDzpw!kCoawryGH(>c-s-`OTE4Od76IQCu`uYBSNU)N@QwVEL&ORp889 zWfoSpkrS~rh{RyGh(pqCGNL#w2=@_FJf2geq!0Py92+gm8e(%ngnCKY-_i@rHgI*# zN@%Ev4hB%Xg70D2Hn2^VoIN-OPxq?S^Sf|Ys@M+6te&z*>P)j*>6YjeqoQ#nTne>u z@8I~b%GQG!7fX22&7euY4^8>MQG#A_xj|Jl((MV@&%dFTItmOWuN1|qtXz%fiHS-P zF(k(n8_;^G@+fwYp>!xMEf=8%F~X=gKEzsb<}dxy<7{WfamWn!_w&+cc3L^+Xo?~Z zwUY(3OWoTiJH@|cEAbFRCoQYk{F?rkfkDl*zphl#uf??*B&&Q4=P43bS$_HhMl23^ zyOLapgLCRrFb*auhp4nd~ znx0lwp-V`hR53u_*hk!4qkE<1KAxC=q%XozIDar8p+mIc94<7-metj)SYrkObJAe; zzu?QO{bRUp@T-IA4DiJW13w$y-KM$m zWc!ETzxrup<=Vl^Y#eur{yB10Z=2MH%yy53l}n$3Q#&0& zZvWxY4=Qi`?a7ZGc+9zS*6wr9-uszc;u!u-?fWO*`ru~2dQAQ3Hh@_A9Ce?^*SK<} zIX~TOS#FKX&;9V`tqzBPanl`3a{JBu@v+CudiJ@(@1OkD zvFDz(^F`ZMA1e8WFxx+Q<|6?eKWnUT!H0)#xZ>|`d3@bh&i-{yVaDY-Z*2QKI$LL% zdZW7KfvL;SUU3*+{K`82@%HNPtvc^Zj{i^N|KfN4+f4lbdfHdBL%gEe0l%*xAlM8-#Y(^X-H%>Sn5n)54F6o{-Z67{{(&vfzABTLC3nCw+lT0 z4%MJiu35=ZpGUbYn5ZbdQIjNcNtNh{PFODa3CF-HYAw+hYphu-4J>@b^F6B6iPJS5 zAaIIOdnH|^a#meSRcQ>)u{mj+W_qRWPzsY^pVr(|(d}`bt_ysVvO;0PWhg<5m~5f~ zXqaYI#$KXOliREqvx9+{XS`wFQClI>H7jE=t_H3>fvF);RymVQH|avAJnj~X0cyf| zpgiKyVaY8cAyTPSv#~)|imo(WXiak6PMS~E#^Lmd(CnyGlVokcQNt!QVjM;sfdi&m z!hkfRcLsW#rc~0x;z}>)X$+r|n(2mM%8|*+a<$Le<9-`$H^oVy>-wbEo37UNhWi-l#bl+;4`1JLMtBKfmr4a0dkw>@@*Y&Ds z6-T>}Q0nD?A*dyL9UYHGU2E8jc(sBTz3F|=CA@?>>B17s~nR#B|LZwc;Vd zfcUW3aurVoY-j>SVw25rQZOj>Y7{@#;n<=kND|LWHcM%Bq((J!Zqbyifm16*b%&me z4aVjRa%?d`VB2CQkJl7w!6}Y07Z`#lG!se&EKMjOpRdS`IA;YdhA;Etkjss9d1NHi zvCHeN4w4)LKBZuFh8@{hGtuGFY+fGtLoWOuKL3p=Wf3wnQ~&2P|M|jgz{S>o7H+!v zhyN^0{U1qdH(Je7t!G9+YMib&#`Q2LC4^dwGv%5y_F8hLZJ8X#4dG;OK$mJ@jVy%F zi0tzt-AELNK0L7^)(Xc8K#;?#*$;_yC|F&cZG%G*Y3WshOb~JcohZD(k~xz~MsY#+ z5O>VRU0V0msvCBNY=!OuaGp+wX19|ayLw))3QngWRt=gFsEh!yBf6R>5MrX(wCW*R ztw-(1ue!sDT^YehTM_j#kW|N=3Nud7WYuBme0iXZ`bJps1thQAT6YknYvzO=lS&hd zgt8J%1dDdY23$z0_9&%70AFA!G#pz}3>)I6@i37|}vHF(m_;%Z+U zB|H5>I)Q0pBU9nWgN((OfOy=i_jt_6S;KGa{I`G3|5=#x-^_Bp0Wb<4+C(sok(1C@ 
zC4qrMp~nyHu*uPhZnCLyZfsyp40O$rPJw<$;Kv2r8)mY&kEZi3z%)vg2Gwc9aF(#@ za-XeLF{?$^QJ5>aRh-KpaM?y1Bd(Swg@9(fY6G1HY*MTTT5DivK-&){F`H^dRBz~o z5E2y262%i>c{&exu%^>-Cj(U=3Q;C)n=E)0EGlYzFU1+9wuKM{pbMvkz?7@mvQ6cc z5dl*s*UeQkP?f}MQkQ|GX2(L3R)VWmH75+jq)saAXk@be+(3uhKsV>2u+c0w`dmc& zy^J6v19Qxm%M-rAE4dG+BBZAjxD>hNkJs zWRgsh=`?31ZDukxlSx6ODJm*RM+A}HSy1T$g0OVyO^~h#N?$-w@HZGbw){nY6@Hy^Bs05aSn{O>Xt!?0zN{~&YuzfZzG%zyUVA31Cp;6GU+i=t>6g%*SVVE@E_ zvdaMff#EbnWN&u6$|VwRy z$L_Z0A$z}4IeS63yfY-FTFhq-<)7ccJn_KJd)FPdIo3G+_`42HWqvmKKh@K>O^u=gB_;ZiJEHp5K1rtoiI-yIp_VmzFz!uWzYk_TJ2D z>p#B9>YM&%{vOS(?tJit6BnX?zU7R|!0&E;`7_JEdFbIA>~=HxjPguDK67dK&xwCs z<+caTd&+sS`FQKbeP2CgUT@!Hewk@KbXxDt(sJ7FgUh}rJbUFHE55Ol`P{{uN?$+3 z*ysGlqnCYY;U(jr+!-8a1}-+6SSOXt-W9su#p_{cLWS;4o$oz8r8-8Y~7^#RM@^sDpa9WPw5^~<+@@`HKxN7U)cyZq`n;Y#QP ze&LoE9&CT(>gQLy`;`;Fp6#rE=QY>8@sl(5uP)~Pf8YQAd-)HHr$5Yp=JcPRi2W=4 zr-k(^?T?9Fmtp>+GGs|hLy%h z)~j0#jn#Bqa4?`c(wJ17SRvPy(wS-9aLWwVmECcB;5t~YI);k`YPB7q zR?xjcqLpD{=u=g|F&pi=;HUd)2osu_PAVu4o5c#$WlY~g+hcK%%jYC)noipdQ>us@ zX^--Fu2OePT9y-mS}J8CxK6kEf~gfn9vRYJ&0_+6fOPx}r#d6B7b1h9-<%AYoY1Lz zO>BsX787^!)heX}<=8|@xgg?;BfkRLIXh5Grkum*TuX`t&L~#QqL)sMhw=mjc$$vzpoy@glN}b2PODb1sbQi^s+R)quvVQp5vwpB1)$L=`qOq1nvRQBeUL4y zh+uOiq!}PKF1v>7G<&LD3;`Z>F|q~41qQb7*tI425w?hrh|@EZa`KmGA%QQ z)lDfLm4>ZUpR0{%t6ubrRG#vztm%@ys0q+ap{HA!a#U41dcBqjb%>OBuV3kOsixF+ z1AJidT-Pd8{D94uYhf;q`&O#dQ-Y*m6uUsJBV*Pi9YBgNj7wIP7$p1GMTst!vexX>XcxZA9cCAXUzwkDXT zxDZW*vjuMJoL@wuneP}*EU9me+9`X0IUE4B@u`i$)!8gteAqw)ghwJwq2lR4>NJ{A zWF-_eQoH5Y5DKz|Ng~{xcJWcgv?HrEyFjU6W7TZcu8(YF$aO}9LNz&%pNKY8g79vw zO1f-~9Cbt)!^{A!k6KKj)ErrKthL-^WC3o0;3BwQ95^7KcydKmn$6G`1j`H4MX5RR zji?l$Ifk~CEbJK$p-B#r&rF3BZ2iv?(pqKoZ-Ea7FP(p7V{^r$V=GJrI3_%7RsCrBJkJ8;&nElqvSIeasRZ|3mL z9KM;uH*@&rf1kk^hA)%+Co`A-`y}kc{O5=I8CU%K`45a{GP4h0d~x^>zAW+|49#Q_ z2+J--|DWUku;Xf1{`mUFv7UUScEOeey0^IRPIuhJoObkH{gqK;#e2^cSG(h~lTyz< zn{0B@Ch(E>Z@tnlw@$0CeE;cd-gz`Q{H`xu_6Bj*wXf~g|7LyD_rzOX`f2Tw=Pxl3c}<4YIur9bgSV%|AFJ!ir7f54QJ z&e#^t9R0=$uN`i$^YgVYamI)4zV@p-pSobDqc1%6+Ivqscewfv2arp{f2#Lxd*9l7 
z`me7$dE&Uk4zUhe%a~qx_sToIdfWo7{TU6{i^9bc<&nKmO8n zes$-;C)e&Nz4zJowmOQw@!sOIZ}%(9KlcWiKKj_tzq-`ZO{`zEd0=!oNp z3(sHsw0YmZ?4V6Q&)&7}{PTBt%-vQ4&f8-pwzR@QJ6v+3ded`X`^v`b!Snko{dv!` zo?G#N%f9frRSvpu$KTC6;+EsH57aJQ%>Dnq|Nl4Zf6zJo&%ew575?MpA*lSR)Bi+r z!p?%eR-_b5;o|e3kL>^Befszh3oDEU%|4z@Wr_JuYf1D!qE?lP^fce9lbBxi2eX)k zwMurUh-bOPlO~QH6Q=3Z2*l_#+bJ<8b!0u7-GC;Of*WeK8ORl{+Jpv1gP@1iu*w3o z5MX1R6=0lgDK>{|98C-yBg?l`s#b0rN)aw*taQjDrA#)%ai-GhbQ%&^1gW5@4iG>o z+rtbLb!=)l?pI^e5fTpbOxy0$QzKHUxex^FJ*$~Zl1ZaFD#S=;5b2JiRJw!~rDI@7 zak0mV3SHs*q9u1kl2&D}A8{FDP%9v1x;$#qEfnkJta@%hro2X+_PBPloAvo|LP$W9 z6gqB>=VjGtOr=sJqV~-72~6IFCvJWKs|2VwqBMdsB9us#49Rscr`j%8?40MdXcVB- zO0;zRhfK?Hl&0)~SSYqYBSI=&tY!B=yyZ2=28`LV+!9K>*a`_)$u}LG8FTayva?du zMbr*JCq*MD7os-LSLHHqj%;r-qWe^$!IEsl0hgi(544+Nam#nY*%ACU;%F+ z<#YuQdgipy&T2)x$Ce>a%KFT(;i#FOJ|V$exiINFBO8wG<|IW{g4CcHwqs@%pbiEi z2KU7hAT}Ld&8L-=3c4eQY$ww+Bh-gMmv*I*AxgnipyZ8YfC(&&GLMJ_h{M;Gf(a%6TczxVHj091_-6&(#S)BSgt^RXOtSUKHe%0yfTuvT?A}&P0X4osuIS$QgB$CR1sZ(nq;iu`#_{i4?crfKzBGvI$rut=Us-6JyIY zR?18}BQNMfW01fcm!*{i$mR1XQPUCuCJS9XQ0RoMq#J#!m*mENF{GMW)wMFJ+c#td zdBKS=PfNDpwTP$IAfSX0T0(atC`g!(QV zCLB)(Zm-No3QkVaV+|?*aGF7w<|LO%d9{$|L_$o}f{+C`6YpuQdf*$&$BNKz}anL1@A#nJ@DQf?B&>Np-W^SyDV z>XjsaD38$uHlk?^u^3WKQY{=;Z6%h0py!23(Z#I-qjq!}_0zfP#BF$8i_6zwc`D>- zuH8uS4PS5tLoFj+l@yx2Oe>!oSSU0EWDeCj=`zpNqt?WPk+v&Dn8pSJLTYBxS-g#p zNfIuqqi!@wD3y^iZK~NK7c%^BX_wo8r4yQe5?UWuKcF32{J}hc=Lqk*8aBU+iazRNCl?lQ+-Yy4_3n*1np$`A;uQ zSnUgUophjV@AvqoPn~eA4t(W|l^?yD+2^Pe_usnbavQyK?sJbncYp6EJFNV<+zz|# zcilVRT;XkG?S~65`fFUV&b;+5O6~mCCWVuaUiyhL67NuYbZ7@0ok;y8OK> ze|7y6_k84q+@3#sum>#MY`HzpIhUeeU#@cDu}^RKrTt#@PhB{F|F@s7oq5#-+OsFU zaLenP43~duG57!b{{P?1f6^b;|6ur>|NkWHU*SKKVLR=A`uLAplu@OqA#x(3i_L%3 zkLv$Zq&|K8N1P2&glEHz6-HZ9{^KkO|LN;prii)~cUpw|q84@lDw0XEP)jtV*=raq zYP!|z#4(cyWW@YvLis44$y!z=*71B%r$hl7H++k$hEp&fbcSO9#vv$6Kz$H`r+Qp& z3kBUQuwACh^Jtcj`LNiblBnaNeOf3_YFUEL6w2Lkrktyx1xo?}1)MZYPBzP+r)7hh zt8fzn#}PUs$RX^FV_1`<)QBxeZbnWyW!9`>35BOjr6M!AR5t?Do+7#?qmWiU;rXc~ 
z;X^3mpcH4bHN-7IpqC*>C6scrjoAW*W}#Zlwn-5p#z{Vsn?BH(Me|Zc>ZHdB!RIxv z)UHViJME>4N?xzd{#?JA7EOjN4CERu(0#cK!?HJfARcN4LR2R})6Eo?vi_Ta*&t|9 z@*8)n=|( zN{gO=kfhm(1)*55Y`!!VovG6C=C+&)WL$OJRFMovZ29{G>ve#oSV|Kb=IzAw4zZTrXvAV3f-ja;eeb6ox-Tl zDx#oQOeRDGSB=TA3KgfOt8=VbPB$|-1;fmCrH1nS&Id1-o|ENpS|3@6=t7B~- zt9lD)=1n2=`(3Qopfj-~kCY@^&GykeArl}6niy58AmO;(!5EJ*JTEOmZ8qTH*)=E8 zAVdJdbA_&5X;d1_pq@1AjF<+&bQkSu!)~kMCM6#mW4bPpwQ56jIvrcEuoT))VG@#Z zJG~H?7OGJqA;X$DJ1`>$^n3XzL&4K*s#C1?Su|^zY&Y~$xr8zY7?sX8X__v^sKUEB zSP!NE)@<_WdO=qPf)a!Vs#9rIHl4PdGUYhQ>bM(J(*3L|yCU0Vxe}SpXigp~v@%9J zZ;ac3iPs0Ek*?&z0#S1c(;n9nNhmD$ru`AxN}@rn-Ey;~RGuv9V-v#ULXn5XB5ayn zGu0mDfnve44Nx!H!GG}|S!O@3{|||Lz<*?h3>KUJFv-W4b^FNnJ#x_+xzaf7H3GK^ za_y+CJP zPiP1xF={81xYmP>$poa8VNfm`c5U1>J)ql5B}FIO1HBqr%E@MR%J8sJ)p>~2hQve_ z$2mOidL!Kgjodin4UBBRJ;+PWG?M++qzTmW1WI_ZLfb7N^oDA;T=t3Vl!{wIJKgV> zdPs+Kla9wIwAN9B9;GI*PWJM)A!YOo(*sc4gbTDdrALkIv@;U8W|-2tc%kPzjeJxb zH6;hbI)YaY=P=J4=9$AhbC_oi^UPtM|4f51EW1qdA8aoF_et1?`Oh<%E0kq`|6o~c zQE8|wx)}T?yDah_0)w)%f8eF4|Mu*9-+%Zock%`DnT?)!`g7U+pS?8BfA<>ZYu|hE zp&zAoe)x(F>@#k?<;Ei}ef!9DUQXMi?`^rqYp2KS{&KIK4gr6A+`_lt`_el7i|TJY zw$2^P9kb3=Pn^EfZX1Ee=YIOuW6keBdRp)d__Z6JP)}dS+vdIF`s@15XWyQ=uo!u9vL z^?@UPZ~R3(E4#uQ-(B^t`%AlDy3@qPfBSAMoOkte_uMnS`+|2~eq)yv#wVJ;jE;aF zfBCE%=8rGgsIgw^rURIFls9(T^2F!YtKP{c_^H=#2)^4{Vuw{*FWzUJH2uAbjP*btvA6hsJ*;_e#v1^-E!!1 ztKWR-=D$8-xaTANFP*g7+K-<3*n_owU;69LSFYAOsJ7XG_F=i@_kHu4(&?vdI@sf9 z_kQWYohr*!7A)634|)CB-Q25A*>3*Vu-c#^@q1L{<>>)$P=et`_k#!eY;$~ z`aN6B+wYI7J-g2OU;EyEgL%hoI8W|hH`-xxI{G}m!og=-r=RfceMiip73hY2FWvT+ z*0m2E0Is^iv%B8cJN1QkAKdJn{9^~NdC^XfpOv>Com~5)KX0+|fs48S-}nFjX8r?X zAJ+fO)&KlN>|fzO=?W!4AN9u6Wt#uQO0ks4MHx|wPQ3X1=cD@nd@A`*S}oSXSsWgz z#nO`UpYD>>f6FDQv7auGU{x8jRXiI4LmjX4q{ziyuNR@nY{>O)sOsI6BzvrzwmYt% zFa}*u_z6O&hR&e9$V9B9XOugEj5UEMQ=1MNYF>+=bTM-4X*AVU`$W(z;i*&=hZ4bX z#G*Lmr@fI`b)8BzGVpFk?glVfrve)AYo+cec80YsX;!kOe!ddW9N*Spq}_F9KS}860k^SVKEP6G}Cbk0cVHmkm=UMY?_-6Xw~RX;FKouaJ`@8 zCw8k5_-4tr2aR}O`f?{PCVZ!3XhsDXrJ&h80+qC@PsK{9rVY_hic(my&>yFYqe-)* 
zCm|hLo-(R7GbzRxupz`}1_;^n;(#5rKTBup+&1G zi!?0IM$+8aRxmxs7Wra*Fl98r=I{JxiTeMj*&buze2;{H(qI4$D5*29SPF^R z;|ZFomrN=#MG>{EiR2G0BWzOrvJN)<3|+9(Q!S=(wMJrG_ z>td-YG$=}zV;e224_E4eJi>7hgh)gb@kTa3ph{Fx>=9U$=UEhp+3~P3&X+kvh;fB2 z&_=G%$(QMRPjFz&P?(yU$<{%_^D1?!M`w|;LQvgqx0rIqeS~ZQ#%#BCkQnRAOtqt! zOgfR!Atw#E8WC#`@k$g#QgC*4>>Ovf4 zTIs-OGu~(_5-7@9y~)571D*`jra&bLH|;WhZ%VOaV;o2f;g5lFy4>pXLlu&U5BN_` zW?LV}f1nTe&!V-l`22?G&R zZKh_ssN@F_QG&)uLybllR=2DSH3Y_^4j95|E#E4Z2b?}s-60rTdX0%;%5F(vt;SRu za4Z^A5XX8{pJ%ceN>?YC=}vNEum}*Y(w5R;Ia|hEwwk6djt-pSHwijNyP^>Q54>LPs*um$~{Neke+>C#}-(83{+lUS_gFkyUbns_R|A7DO ziu1plobn<5bMhyOPtq9zfwP$`fn*SPdw4Tw)A#Yo7e1Q*{P*&2=?ntFAHqNTed5E< zWU~;8K`^@g|44a``rbW%IBB`f)(D?jbKS3ef2*tC{#~?BcEg={dB6FiwVwL(ufNQ$ zeAXt9ZTyuLE*f2W@v4{pLVNPS3tq_XaK^b;ZDnlz?cXw`Lz)+pcXxJ4R#<7d2af(B z{-t*|TYJyHKDF_c*KP1dh1ngYPCEAdZLfU}JO1^R7XIkT)rNyF!clfh}0RYY|MwR{Q$dhuXo@4 z-j8yJY(pOK^dEKboD07eU%uds+jbU?I_8+|;}!R3XYKe)9dVud^fmlkv7kK2Ore?3Taz zx8K_S<@xfNVn$QGxzfQa{$}UOJ}XA+!dvdR|CV6R186U%ckl6?_Ri?-y zv*0yU5^{DSIh4zTMPJMO{cCKba)Z#RLlK>jx%Wp^E0SKh2*|n|vhM>Sks*gntr86v zk(Fl8b7fr&S@Lh+6ByEyn~3b_X%3qGA8`z6EV>Xtkpr2AP|xJ+exvF*Mg{H21{6x~ zspiNpub(zpo;a10=Ie|WErzxENZhUbhKGO%c9EP0$VMSjczm>iuL|5WtoG# zU{TGPW~JP1RAv{N1-Y8>-(Le!q{I*Dz1aVgq$0>g-=`hvZwaeGP)3`o(5w?wO<`0T z?V)J^6-zAF2}V5|=>>HS9rQRgJFJFfTk|KBOtOXgG|FeFPB}g4_DA$2aPf%EjXDab zwEXfEpklaSi9?7=i*`b1@^&3GNXFxQC#PU!JWhBwpCq7=tu*UBLX-JqJm{o~I^Kr# zj20OH+pfD-8dj8Yr)%bXKW(NBFU8@#KGG0mPZ{NGe+;(cq1Z@CY@rP){f5dBd?hyw zN=z&PZ6+UTNyZ-zGHptbYk?JYJf!T_JEAp2Eptj5lH!c>E|@MlseZlnQ ze!x*hAVZ~TAJlXS2W(rjgVjnk}dzS$IGB__siorHUl8C^`AhX$LxdKkYF4y(y5lLL{snm3%({}qMn%5fgaDr)th)8?Xcxo27M5qGO31623ZsfJd ziCinWCY0xdq^37Yfn2kyavf(f6IVe^HK_MZ*QnZbU#}xPTNn?SNI?L-4?%1d@&i=U z+kK-14m7E+k4BPHb=X2Y&Xd_z0Uq&vG3CWrg*9?sz0V;y=r|eDLRx@=XWD|rSL(8YUmYod{$+3W77ItSFkyxo0 z27ZC(1}V_NJ)~}f>6pt?895&1^E$_*8r4j1T8gS8+?cRtN~Oo6T9k5uwms52Hsg&j zk&2C0r{1TA|5vp?J|b0cKRws`=lz^vLPj6Uewbx4kGP~q%?IoUSrRwfFKJUPRj?sp z+5?bLPs(XLoZ`wUv*FYEa*ZQ&spNa*d;p_#mzj)65g8aJ`@~ 
zOMq8!I{i{;dS(qTObW`d;7A>Y$+~2|>W`8fQ?auVt<;-FT9~?ZSF13MQI5_-riK`) zY6%!%(;!#R_w<@(jyxxXg?xjpGGigm7oc_-lAKOlg&RzWcd@ikfwF0|ui)LNg6BqU zp3VboM-Dk_&=d3?$-vrJMf1MfvWG^i5a}LdOnsV|6zxJ*tsB$Cto876nzN_Qv{B@; z_)r0+ky?%#Ua5t5vf;E(NyIdZxy6#Cw!)b!7@3Yz?MP;m_UNI}8?w~wN_jTIi(rq+ zP$?gn_IiR>tT5yUZWe+(Jg=tJbeWFE9UwPm?GOKETz#9!2naP51T=|S$i#SHK$#^%j+u*UON8GRo2_*yhpHo?ruG?aEH;pht{s# z?toQq`@y}3K6%C)R|Oj#al-cG9aryt#&(aib5HgTeB`V*cUkL4+m_#b`Qn%IJ3h>% zZvWa>F5JRjKYioE z@1B#pW3{t`qb|OE&wJjya&%nzF8?>lZ?|~GI{EGkwm5#1Ti>o3@+vn%zdrx-ryRfM zIj8Tx_QvGe*Wb6|dp~*S<#+7tB_}+zG-OE8cg?0Zd1zI5r*O^S`iE1O-TC8NnB9lJ z{`SHH*Gg})(NB8|kKS?3NAFzIv6KtqUw{6Z`#0L{s^3@l{pn$Mw(Do#d-v6Mv~Fq~ zd*u!99SDAXiw7JlU$<|1X{X2E-1`#n2M;~{(7yBD{n^WhtmFS&I@I3t`1So`mG;TU z-EBrb9=MSFL0CF9E77Qow^N1Xlg z=U#mK8_#{iyii!-NCUm<{&|mWboNut1y`K9a&&g{GwZE&&1QSwu<;3hefX!hJ$c71 zZ$0^JvY7k-egFS&*8kui?*B9A|34Y~7xX_2Sp*CG#{{~|uKp*HnG&ipa-uRCvY7fG z1duR3(|jb|g@OL1ju4tpOS}YBr~0v*D=qc*>6uyGRWqt6KN#wJcB+n(Am`PK#8B z_hJi7Cs;-uK|Q^YQyabj`6L9xtk^~xDKN?i&9sM^rG#(UkvMxX@@b$j9H+6_D$eP# z&JM`fE;!k+%cRM1q`8Qab`iOThysxqVPjaMFgOQwgm$+o4yO4K8x#PGOR+VV8ugs2 zjc6r{4OKWyn%*QorKZEAF-kKy*&|$}V%JJsbBg8Nkc2oVm-A{_2kZfS%`=xy|07lk zR5NX9>4IL)3wj+6o4-!nXvz7Mj-tbIZ#Nwh14D;hE zE=sQ9B*nzhCjk$Yi(Yn64k~7t4Ua~m~mhM@AoyaC>2`V$OUb(G4`Dvr({ZlLZhJ63{}WhNPv}{ z%DCpBYTH(Z^^88K&k&D!=PCaiF$feQ$NQ+!-#Q%f-2M@sJ};GcP;xOH!^4YK1_{g9EKb zbfa46%BdH^kB%x?SaN|gxj5zEk8~>wR9#5DoEAE?08W3o26zv8Z;<_ z8yQSlPvIh@PrAs^)qq+ii`GFZui~u_^gkn+cRsHFPx%A=Pq9PEi>?1z1dBe76#Nm_k6d*uB*k}GEcq+cqGiF~d`!l~AH3d%@pIy;;*kj;7;hNHb&S4&w1LaUT{rrqdZU}Jz4 zJD3T9Nd|M8fRdervke#t#RMu4`EEmm6<9KoV%^YtN>XpffoxXg+4H(!xjw*71;*LISB%wmU%V43R5=lBDxcG;wG5Lrsyj{z#h0CTCR9 zYNL;gw2J2daEEO=!={n6T4LU5W34%{&>Sq9gGF<&Xbu+5!J_|N24gt9O!A*O{m&<2 zALc)qBc6Kq-_L(CP&P|s5Gb=4_1|##pZHID8Q?#ebQ&el*}BL7b^de0>U;n3xx0`0 zx|v%4ci?qb?D+c=3zzNr#Mi$G9)7_qt9*OE)i-+La_XQ5KU3f?`^(D^)hYvUK{Pw({Xq1vxOQTxgivEIoGWGq=} z{xji^4{G-3&41#W&T-R|OBb&6qV~{d9^YPl_u_Biz#-$WTzSQH+%ep#5%u-s%%Sj$ zKY&^1o?AA3{)@ZED=O!#S!n3Dt^e*>TYd9_ZFf8}b^n4pg#OhF|N7@OkAIX|<-%7N 
z3^rc%idW5}o}ahw6EEEJox&d;zw6y~g|FuxK3LoJs)LqWWm{#l@BRQ4&VKWqAFjUg zm#=(mmw89-_{WFN++`hi@Kx=)cZ&0uhW~u_Cs(|<-r;Agv&Bkqa>$XHU76n&ZfjN6 zIezE2cKh5`3sCX!mw&IXvm>_MK3D7{-tg`r&MM~|{L^hZ(^q!i{NDU7J3O@iS?B+F zqmA1a_`=;6FYH`eWTYF!g<=cjGyxpPaJ^jFa@+F^n>VVp{opaRY=P%~|f8YQAoB2=XBl`c$>3=>E`&al+UV{|=Q&;~jQH$MJ?ufIvO+;~t@{ffnjc@%(6kP4C75bp|g zSuqVpb|yp42}7ub1U;i}*JC`*6SmbPq%f1m6RlIpbi^T9F(yVuP62t5!zTGs)K-)v zQxH2{ugru_7596iEa$=lxYR^4l&7c=OPTrdxH+--frwS2dI`e0S^*GbNOIwbU?IB3 zgA_dp;+i^bC&QLuXS2h27KOKa6NrWlgwAd{X0-6HJC|#SR1-Ar1IGu)h zcNiKr6Nn)yjk2j+L8nowLC11j%+R@VA+A_jmkp{&pMZn`*l+1juUbyGCuI!imI^Xo z!KRU)Yf(X)BFI9jhl@+Yf4IMCfKvb9VsoQ>bNDe5%m1wO;HQ@VEXi^6cmA^^_1{D! z<1Mg$;6`*0cH!j4q zHV!*>1qGuN;9_mHOf&=y*Xq4aX%RZ%+#i`$+ zqE?Re640mte6MUwEia4b1zltnNwSz|+@8W75&F%3vp#NO0@pG^zYFE;@i?c~L5`?J zhDXA(3pF*MTubY%L0NE;X{*iHvgY*$JO-wwjbh3)<#y6>dxmEYf^vr|i5;9!pfNoh zmq{Kg5TgMPu+{#U?=oIk`LFtKHJPh@9RFcH;6DY1#1@9oQKp(|< zbTue9>~>9taNa2p%|R#O=s2-a1Y-bJHU%-tl#pppqZ|E9t}G1LzEJZ)9BgR=hG~f7 z5PldE>eK0MqDf#qSA*+crc;r z;RIG%3Z=}B&34o^>Qh9ub7i^^$VH$6E6||PV$r5Dm>}&EhE(M`*Y63_wiNps+YusJ zt$9mW_d5OY*fCNm){t5yND5rrTXU zOjNUkj>POp@AVDa%4PX%&Blk52%~|H8S{L{<+_5IZBMI03|0DgK=y5=p2ye$T;*sA zE>SVbhV{5St{ZJjpV-5AGKYEQFwY$3nZrDDm}d_2{D&Bf;pt_O|KQME{_m5p5A&ba zw+qVx|G^0uL9%Hiy%_u_{ZIS{SqAtI3c*Nr=9ZVH|Ihc)&cmV@-!>Bet1_IeAv{o3DkkA3jC)*9Cw^n*Wk=UpjH*ZJ0Yqn|yeeev0?y)9qn zfA_L=E_$T&&bphtz#YBCH#SUt|Bhy7JLBc$Uw-N9-#C7cpG(hO zDD$gj@9b^BK7RRXyPo;$$A1{?_^We&`od;kIppF8I)8clCtu#_sNhE%Uit9ZTO>^4 zU;FAM2SwkRtg>l~e|(Mb_082c)@saqd?oRU2M*i$gw3z-7#p6w&OMjl=1p%en1A$1 zz}A`NUpZ=gcz?n5_um{`N4>Y@H+SCffeo(v;d(*-(4EfO7+mF)eV^LpigiC*zx=gR zR(^{->Dp%=QD1%HH^$QNpD=g(nOB|v+*@ZoS3YY~&^`{@r86jJLJb_JuZED zxr@Je`t2Lmxd-O$a|iR43r=XgafNQJ_UMJoo2Q(*U;XyWw&;ELwbD<2uCcy*!)kMbp9M& zeEnX^{O2#z#Vq=U#s;eZe+Y6HsQ=^`IMoi@rE~YBBf! 
z`~H8~>;HqHbN>I6uz!XBlpE7V{HfzVkkVlhInf}Mkr%iB&!XaK|6BMEG8=9(3u0$M zt+=H8M_dyAlk%{b*P2s5@$;FuO`AZ&PQ02{a(t00H?V->`?;K6;l(PW3h8=+%nnZ3 zBH}@%o|_F>D)^~!ahiy2Bs2&_R&zj-)LO6vCEQTy!yYclq(Wc=KgnU!Y_U$|w4$5E z(Ac1TP1T(m*lnpPLJW`;#}+5Ob^w%J-fekg4r`4-HZd}(5!BD*rk!v^TNOCnuCsV6 zuEV_!KQ7B=9vp>}n$mDfkzY-hX-@=_%3wk^a}y6Xp?)=uRoP)Wmg?@rfiyfy`K<3x zTY5C@GI1WPm?^`+N^K?YJ8UTt%B%+9CYJJYqXeI11A;|kSgjOeRIB@p6u=Rf9(v_y z(xyzEV|!(RvaMsQla6h7Y}>Zcv2Aqhq+{E*ZKGp$Y;~-awQlyg_dNT4sXs91d}@wS zRqyytV}qCMfk{-NiF-KNQqSfLEk&}WN`BjHydueth2OZsSC4u|Mm z3At><=Rt|96~ea>hDnSp8(U|v>i1~nE5fobq~Jrc+q{e#ZrMORZF5V*4#SHhsYUV5 z{1WXZeZ%}~r65Mf_ixIgJ5Kb8l+`Xa++ngwl;q5|c0l!~P;>=Kt*>JL4f}U41$BQ% zUE8>isTS2at%!rr?-=!&345}x8Bg7!opA@oRVX7H(cI@a#?n@H-C0bVW}Y?fqHQ{k zo7Q+Th<_I9jCDx`N_hn~E?3W`XJ4Y+x;SgdKHI>}B>&JP%l`K0re5eZJZf69$(aHe z-GGL1DiJi^aj-w~Q@H^6ps4@uf6pbI1uA!6#^6FTtOiZe48g!Rdp$RM{9$;q>zGk7Y+wFGg+sqeXb5#M$BY=y5kEo=FT>KMsmU^U zis`oZ!YETEOW8(Cfya4qQcW~SMQ$znO`3XfkjBOK7>eXW+2i@eK*l}JM;UP%izrwj z9@pcc72zvCL$tdr`lLi4Lz>qP!L%~id|c678pEwzvFcZ>$C9``cWX80s&ehbNJs%+ z?LPuNy7UW1yQD08NW7#J7^FXhNS+x<`Uq|UYQ;X26Lk{DK&ctD?tJSqL?oAP8a!LsA6By-bleSw*mJ~4(efC*R*-BY-FEaz8xpP>F&6ZeRuVUxJ#`=JW42^KYgB&M1KAy8*ka zOd-40myaC@CD&V>+sU_=zz!gX7GvYI2W-w(e*f+j;}^HN$9v9js%XDZMrO~#+%uzp zII-Q{McJI0=NL$TgV5#i3Gvhv_tyuovLmE>$Yd*y8sIjox%MhV>fmphkifKQar~*& zW6AH^A9KnCZVwoSB+B!2eQ6c=!mfCBUwMDV#29dVboLv3_}yKvC0@V0k4}c@{Sb00 zO;=PBdgeN6#dA6P2=qIOy>#4aG1@p^S9{!zp9lQu^X%>4(w#oqHH79i$sYVX<@a84 zw0+Kj)C|G`=aTx@@9^)4&}ckR^N`75exn@-7$qk5__JScCrX5w_c?ugxA#O%L{8hE zado$UtzK$5K4)rzKVe214AQl4odoA~8jSXzgA84_?Y+b!DUAz66TGnVz5R&pc zM3w3f?{$l6FVET}q1$eM>6!%o+CSraW%{qaM$d!F z??78xAp0*QHrut)-B&&~9gk5PXuf?l(D)0#C&7srgXuteA9%oYPkh&XDm3-@?k;Xt z8l|0x^%aX9c9+k=TyA>9$W6h^dQITgF zYKuuav$8ZULYBlp%htzpc4=%4)b^C)(27CX44c`t(83XjRPl*=IjSQp%}LjXnJFAS zkjYWrtz$OHIx-A;m>NU(!F+A)ME>d}%XIxET-HLx5;+=g;e$Yzrjhr1IcHIEYlEu1 z^eOLFj7qRzsi=VZ%bqV!Y8t>-%ujS4X#$s=;Ofri1O$p!6EY&IQH?6FI4#_Lub zkYk4xba7U|^~Ud&+()6*i;4#AyRd{<>Xjm$i@~6%Pw9KS*CfF2GO|O(jotAky6QbO 
zh-Ild@Q%)!=~ok>Df3mZXR&KU=Jc`tShVQQYO9Qfk7b1y9KC=R$fO=q!IDqVs9{2y z;*?Rs3$v?~IG5R#aqcr<7-d*H;PF<~OoIFqJ5rIu0ajz%E?I(A;`=18J@YuOkWAQ- z9Hl$2HY$51rBJ=38Yled+_8njM%ns1y1H1Aw4_@_-ZIGRYEMRwoI0Qxhop&0@m52d z+CH)pyXw)3m0`JCS0T40wn*dw;V;biSwnQ>x21GHXpCRt_;=_OHl8NTl~mulY2#p) zvOk6NL2(=(pJx74|KXoR_4@*wm4|0{KdBAjK$BrfAtGlbTJ&Ih#x)k&tfiHy!3MR> z*DBt>!=YeSjd|N#%XV(vsL7>7S7eK`ZRAK3;N^*Lt^JB4PoSU%I?kO)SMM52P<#w* zj>gsN706U$F0!1u`DvW=n+*=&sxiWP>w-NI??@E5HQLNnFvIG=X7Mso@AU=oCduMF zliYqxeyphGz~9Fq*$sU-YnN^>l9+~C&^ys9Hc_NB*c6w9L6Fq0O$>Q0p!23W zi>$f|^x(9p7WXkU3@55PS_c@TjG6po%^8z#p&1j%SZ?SrD=?`hd;w2xqu9&SQoSpOcR33oE^9f``ApsnBd- ztg0Wo7Sx?vaqrwGD@NEW;VE%!t)km1dH-nxC41bbkwc>VSADM$%Vq~o-nxjsIni7@ z7B6zx8S#p1*~ItjdXG-|AGHcGa&sjLJDTmJp=h0iz>GafBUf2C?#|W9QQ=S%sfN_2 zqD+PvUr8|Xv_YhOWtswHk4>{!I#+nAOrJ;^8wPrPl?gSNul3+ci;BfMDM0@R=GQ2V zvZXNGjLyXLoz0^*UYh`BPogyCH2isif-mv*;5u_Q*rLG-Cg%T@GmsJT82r`NvCwNd z@IR~_eCsb9Hlo(1MQdO`XwNBWh~_(0U-TED^Naa!gjZpvRBnLJ@ zM?mrO5Z>d#bnml>=OtM#O<&`A_HkVM+ceP*q>#2xh?=L(ZQuf1rfvHBvD9s)YrT(I zBE8Z2zd0kLK5t+-H3O@m`zo|$*}q*FTLZuqZZcoJ;C)?4{pHu9vPN=ta>BJn_mQKm zLBQec7DW2C0MFib^(or8?x}si2bs=M(}Pz37uWY7-3E8P^&|D*rN1_;bvH3Cw{`&?%p8Qo+sejPK{ z6lb*yy$wko&()|^_iHNcR=5@FvS{)i96yEHb9uQ9r)zbYy)-A(U3(vMp1n`^^d&Y- zS1~=e<+4 z_!#2K<$HCOe#>KiO4!`rW9+^xfIrK9#+l0INfJBZ!cn9}GaC$5c z-n%+tM)wb?2QJ|RqX2xZ=)z(Wr}DOb6N{J?pzLk;#R|TGyrFNrg28@$!oTC&>n=Qx zyXyo3z|__>QO99O;HGh-gh!=A&of3t!10P@P5Jekr6J#$<67VA(Pj*h-$oVjy)9u! 
zTi{xc-tMODUyHRG=RqaMNKIb5URcN7f2hRUZ-7rOqO6H+*X@VqHEC+2Z6oXa{!O~O zxYO(A)!a-yG0^&f#-g`x z*P7}6zEQ63{iFW%e=-)so^~ysL2r_q{Rct@(X}wUodDtv?MkH)?WnM5s6cbjw|*xO z@!MCAeb=t>Qf?%ZXEHDRl+yi5pXk^p!DdsKQpEOSm|6vsut`kSMq|}+vcjF5sj%2H z->A&m0WT5@O*3bQe%450Sk79?3#VkL|2cg@ah3kvJJR@96s8Q1X)sv4HGz7xM-e~G zn0pl5hldYEGb7@S8F%0EEY^5jlED*qS*F~PZnOcxzN!#1`!xF!Ohl^u$WkLo&a4FUb58&r*N-7Y%DUFjD`?-SAb$WFnR6hl6-O0jgFiW`Cw4#0J zjw{W0@o{tok4@nwMI=?oY)S>E-096naYn%xS*IG0|2XMF@y_nqo`B5M#p~}WITmFqLD!%TZ4-W{3by&<%61W~Jf_Pk3G=A}qxrR?R}3&LO|i%@CwFtyZn7 z!i34JA)U)nX>q9^kW;K<)dfu_d-UoR?A-NVb`bVk@cg?tZjKIdI5bun?sx_k(UCjW zWJAGa(ML@UW?Tfw3Li}IT~rWE!z-g5BxUo$hAXtI3Zul)gvq%$$rs994h4TDkE$D% zV~90^`VBzW#1Da3RX{yO&BdaEy#P_7Hxck#+qiSw!N?s+hJp+;-#TdQv16dIwk$kawAdA+F&iQw=0IVl9yM!y&b6)Cz<^xWCLZ$o}x$9d%Apc3lkWX3m> zU4lFaAcsudmepordF#V3Y1HI6N0kb5b9iqwRfd5fjZkb>F4ce<3#nO15yXc}$~P*tYFxj5_w3c>f%oCiXrM1@1i&7ZANp50~HiQTd{DPqJwB zMx&iXo*{>b;7P~(~vcw`2AxDq3PJa$iJ z#XP!ihF(e!@e;PVKZ-O^`rM{>1sb|!uipP5-1V;62RYsVgn3BmZe4-zx45u1?Euwb zZ@!GnPXLz^z?2DZYeM&));;Dkuwy+xJ*QOQc@NxCsD}GJX1?cfEHgc~8B*9rXwx(z zm1)c7IXl5{=R@YB0rvP#a=P{(tKXttncHSmiud8Sm|IK0MVOV8^?32T_horKL95j9 zs(bzBQC6;?q2F6ECrw$L1k-b0Jm{+JLoRH%=ZF{k@5jKFZ*7jF!?F=w`-F&ZUE8R^ z!}=*``SYQ5)IY(?jnKNL`16g)AXDI2zbj|m3GWk9VBe8`oH$|M&DP5=76WgtZsd$+wO-_Bl%|mAgt$g&w2jy z$5T{4kAHpXO%GC+_wn#9czq+**Wc69wc&&ru;;Y7-P-a8XaSE}>wi+> zm-AlNeQ!wTo$nWT33XqwY@6;gIaC^MU*6ULwarDv__^oh4q6#$da|S+A16y9dbo=9G>usmS@vM>0^XQbtn*Ne*Y3qi8 zZ{X-DXz3Mn`$UW*H+KXAWdEn7Vnib+GG#6Y_n{jfq|T$`SoV&^ ziNb@1`^}9vafVN0beg#XwtI!a)oXo5O4zbl2G4M*v&N~vGl0@e+couF^R6XILA8q=(!T2P@qV`*;zD@bfZd|Fu zBzh86h3u+2`WQ*#jELt!*=Ngs{Mar@LIvJUIpE)W#{&gGGUJ$8YK^O4raty^&vpj0 z#bIXj30fN7BW5tkP1Bl9MUI?oAzfo@`s5?$C3~9AQv(zvvLuWis$3I6>jWO(vvL+# z`S+CNLtI-lE)#OoqD0NupJzH&+4K;O#anxzOyLA7pPUd2J^&>QI^^x^vL{2F#Vsxz zMPJBkg^sd@j(Kl*aw=PPaucm#Rud|KE2k&8W}6%EZ*i@`89c&q%B!EA~r< zxw7D4l3e>}Y$X_TDP~u_Xd0}8D>!3XTdL(P2kqnTMHJV-GAPZbaQIH#8uoKwRP(e~ ze1d4uEa;T8%{MF*sCP}&bdfKX3W*Yaej`41QK^#;77sjt_y*XlMZa>Vlji8 
z)Y=U1Z%U$}0+z4ogzQeAj&u}M!pG0C=~O+JNU92?8_Q^~@giCN)06KmV1>f^$vgFcuwjTWneXCS*dF4NG(Bn8*916f0Kfw0AErjWa%VYHC<*n&~OoEGqIW& zQ1E08$`ht~V^5#gw&xl?6O=F17dLI9e|R$u%()xyP@gik_;#(p&>yLt6OsZ>>+sC? zWGa77QU73*B;}6&a`!B*$v!{%Y}L4}3@~lWbKqS3@sm8WQB}RV5!q)YRH{jM{>KOl z66(hWI=$w*0YxgqlW>>HB&L%E>u)M(0f%P&Ny!VcgWqO<@UfrzB(Yr~qAeJ(;j9hk zSE;U>0GS{-e^N|8olmZ7HqgFy7mmEpni7C|Y6}qn3m6IPqrh4^_fSpLOC<_wxrg}i z+inzH4Hru}N0TJHH|bZ5P9a(Bqe!lj`i}6!x(WL7YsLiv%S_8%8};fnT?LAZjM49| z)rFPgV0|cE%<{=-?vS&iUkq3!N!1ivnMnL|K0C2EIJ#;wsGBUSQf{2{rQGQ<$4#c; zi#Qo_o@iJ!&>4U4TCl=6O-p7usA5wH!oL}*ikapRxxn$UR#!~P@T{~!#!7pjLr>Kp ziZbfN3?jgx4HhsKc@5jkALUt0Nwd0brNpC%EIs+jRvN>s$XHgAX$`$m(0#q0*znFc zicQdyg#;u^jJR!@*G0nxB|6up&10$=yNv`366o-C%QR#>9ZQZwZDMW_i~>4pbRuSE zGa@VMn?p$ZGiY=FE%G0?c(E9-?O(L)=fGFV|8(8lom>9L-CH53XccZnO4>*IS5%-9 zFd2aLI^ROCHhDe*8`dugOo#*;3Uszmx)=o3KA$HD_#^dPUYDcvVB8M`y%>7v0?s5* z89%l(+SBTbn1)i)QD7Gx30^|#8kP=^6M$ZSZys9l3#!|-?~|$%w$FPfYv<{;y#|VA zm)f$sF(z|*nhIx%+I8qJKFr)KSqGrNs4hhM_uPjr~$TAK3bk0VC2SIpzy}1V+2*mXBC&o zeCPf{XxDiH`IrOp`ic0U9OV4AtT)rm$24_gLD0DPVM};>-L#AMJ-C@~&S4;(TERXN5YPTb>*1{d(>{ zFZG>QE_RIyo38KzH}+RuwfZgC`y39rltlloD@ssZ28!>zEpA8=dPA^wc%G8aRnB+4 z?*9$z*M0<0D)F^EUa0x9MqKxd4|0vK9k|~_Yu#-o(fd0+hKZ?C~LM>OTCuiw`zFHnlpAXB7EsJ*2lE3D{X$}E)b~VQSCZbot3FDWy;Q* zfF2-jP<1#siA<{*;!iu%!-E(Nz>RI3Af2&e{f2a@!e56$SdTMas%<;jV1sDx%`Gqa zgg%fC>(jPG_pmWI08dhr(@s$?h^KD7o%{XbyIfF@5bc6}{{%~__!^@bH4J5%L~RC+ z=Z8W8%!hWNS|fmh$xK2prmLxlJg=}5!N5h9Q7M|r0ZCFPLmsg=MeQ7E3A2`_b@4qk znHNR5Lh@?uF(3Gdf%@7Ilt86C&sZe=!!AUhOpnfeot47bFYeqcif(ZRb5^xbPt9u{ z57~H>X<8v1eCT|3$^)}PCx%`G70(JOXldvCIQ0x7PI!YzL!Bc=G@QE#O0{gy#yY`N zzdS*-XrV#x*9k|1%i_gKVd0o?h{=Gfe~tNO%d|X9UK;*A-1Y?Ky7(mRRBqFxl}IM3 ze94h3JNH!9-&~ z4~p@t;QN9~X|P3S(`d^~XLX`gY1GQ27!IgLxg%jmWQJ_9EdJdya|U>1GHi`|r{sU( zOHxBLZr=q%*nc6cRjlFpVK=+NsLV05I+&U~f^t5Ao^L`|!2(8-V?v?Yb|s!Po)&-Z zgaEL>o40vUWUj!M{ICrWb@j8~SUEy)A(-OtdUPa=iL8+*LZ#<|i-|~a39Hpq@p`0q zkxV#mB!*+&MA_1zv|3EOWBqQ$7q{3DxB>g7o=i0=`4JBo%#EZo2cnq*D7z@!C@U!5 
zOr=&1wOJ?)L#nCP26E?u>7S#8(edJ~U`N&Q@gC|)oTK`#@A{U%ZH!dx`EIe^!+gFN zrPKv{L#}Q~cVp0H5#-9@x5g@EcvNrVRA8$5sq9xN1e`9k9?LZ8TUHQ+@w6Qp((995 z74A@ca!^R?jY)=ZHX8^uFl}@dN#{=@bdbxk2HBpK}1H@@EC2F3GykPgnNA9ydN9P5#z5KWN$5LYe zG%(r5oIbGr`dLG^8{8=E;ioP~eXO)(FSAFjo5(*ZLJFcpi>icDZ;a;TPDT-Lc$@lB~@|bcb+Cn>`@>Roe)pc>oiV~?)@p%mml0_6evIqlJ zJuHe5?p4C8zA2LG!%!y5vZ`t7Q=G8c?Ic=~Pl<*(@sBM@q3@$eg-YbN6%(0GmZ}hB ziuUe$!-I3A*S^9kdA zDXRU@Fh-E&y>Y5JP086ak0H0j8FJ|^-D~?p+nTiFb4EEPNt!kJmI+>r%bfN93dr}% zOg_;2N-lm1>`Q#+0hw_51kHdxJ|jZ^QHUJiWC0L>Vt{1O-Yx`)^czB6o=}+B*Vug< z@Hf@ny$^mG`bfYL^>L?~NBwkG+ac54ujj z%;nbKPqaL71dM&1$jqe04WC5w^*@Cm&V4S?A8Q3REl<0`%t?6?_6K<%I>_-m?}*{| zdM|WG)OCJ-OV4fi1CU$wY3W2@z8&%Y==C&n{Clq?_@ZkwFQJKQw0n;;>|=t}+tL2F z?(Wus+jwrLI^X@3o~gB1%TlOmtj03HmH6e%yT700>1J-);bS}dqu>9AE#`+Wa2u10 zkT_8*pzlETviI>1Y1p5<^c?*z|K!`=tr|k_y;A(#{?oHFN+mCa^_Te3iv0zHqi^@9 z{hP$PE54T{-6(H>Y8#_oMf&*}!2`3v^kt za?_yLb(}R!dlPwInhrXuU1Kt`Y1T-~>>itc1`Y~Lf3|fD^{@r>{qfa8Q?ke1_1k`H z7wEl|3gmr@=DEMI?U=6j2fgfa=b@~=PuoTqGilrk#&2#{7#>)qugijELT6r=3NWSn24>HtnutDS6xrGTZ2bJ(Z)^~^@()ZMK-KXg~=-wK}EhD5)v&*rHt&o zZ(gGUDaS3^S_|o&)2BK<~((@{#+%}fpF`T!uSidssQY>nzRE{Yb3=ci2;EnJ+F$GJEfIrFf1BI({vd0 zSXGts(HK;GMZv*~?lyB(+ol1_kTP{?s7>nSGeoB$GGv#Dk7kDTDQ~5GGXjn_qGRhp zB4-uFv`cFgB6G?t6;+C88Ukc#ru3M(91GsL4P)+Xdu`N!c1CDgGL%FdaxNG|8S|?T zFj=lR%tF?3RApP9ML=yoPHD&)5yG_!G_F+{1 zSdfaUjLV@DEA9AC5jOsxS7{v{r+rw0 zb-|!)$e$8|XJ4NQvyUfDr6YAaaW;`1CE=*9LaYf=ft)@O6gNZZH!WTLo;~9`vp!!bA2qR_q4AMqLRwOLzQwe_^GdfAe znczi82c>lWP^Ron%(6$>qD^r+f>R$dLAgiFRS{B|bIRKqv2HSmz)Z5I!Z+|!Z8~Pw zxKIF9r5q-?fW`h(uhTOfl5G_vN~hE4At;wR2B%CX{Y$D(=nzCW%r(4CQyYI4zTj&PTp>2G1^_Z9!&*4LnsJ$Rv5xa7Xj#hj8_-mwVDS)Rc3a{)t8!sP@ z=MGLdOL3-3GzHWn-%3OMMAJZE8z?~--VQVkpnjbR#A2Suen-Uz^|ozk(O$!_`=E0* z;qF|llCV3l1VQn^I}f}$p9za_PM^VOFqt1HyYE2_7WB*&MIRvkW~~WrO@t`n?L^nT z^W#pYqnpGEXHmgH$`+a{vGso`<6gG25rhVCBuHp=@G z%3Zw~9-Xe`4|wi%aJ=KNNOPu{?X_sgt>P|ClG6{y6J7hx1v1K_tZApHtg2rU1LTmr zyLG%zBHdw_Sv+zfd;tm)KO>xMT3x8BM=h+dtM49NrOPo?26HGr&ln$lF6$bCL~n>T8| 
zdZ*rbI6C0+*UtmkO%mq|_Ir-@7GtFO1f~<`w~bpoBPzaE%W?UJ=*6`ng6Ktaix=1h}o+ zQ_soncwc0$*{ z`Ai>WEw0>s{+E1#gc+@zya4`7OIIT*l+LxCgC5kEzduKNHR<|2@Za45 zmT&n0tKAFC-Vm)189M)~dhFh(ypB4$*cf?#q#G;((93(Od7&^<5-Tg&|Az!y__mZOH$+%+L8>a`$V0;33=kOYO>+gLFUS zu&Dccfgw?tC|LAFWMle|sh{PqVILqr>@V}V-1Pw(NUn+11;dEI(_8m1}ngC0f6aAX^H1 zu@a8E$^YXiFkT+2KNX7ov#++o{A>72w2bI04qOt&oc&Xt?6irrIuI#@x#30Me?RR@6+A<2q$tWX7&*iGdx?H~WyDL3&( z-XXpX@g2)Suv#qrO^B zWrMI!J`LM7WPKd4Z={9&k2GMAM`T}KQEpGsMWAoe;3=k-zNH757~-rAsAS=H8slC*BSKPCHckA}l8HKSiN~K1DOz;ws?hl< z1uyQ@N*Cj$7{&U@iiHZ!9XlY?xS4joz`;x2H<-#;^3V#PZX_8&SpuP%O2pSCvjHD6 zK_t5ZAf1Z+6QR%Y4(1Qg5uHylr{ZBJJG{CIa`Q>3BsjyuwTZEH0X-lRn;?Aq-EOBI5+M+ z+Z6xGXTNkV+b%bcXRQrYUdV|L57FnmNuw%&JMzsUy*De~4WakRCYNSPf<2bUd4jGz ze!dC-2bX&)TCxgBVwTN-M_c9n>7rkTpGl%d4`D5esB6s_MV@~Qg6kOAG&&IiS^|@u z&)=~>P`i!miSczCDA6(sgf=cur?1MB!eoUR@!X8bR*{PJxKiroqa2F(X)O$h=O{`W zxY%vHAxe~+C@i2N*oJsTOOt8L*^}ei)JKD?g;|3e>8ioi&QQ>MQ)G(3I5b%uO(2ZI;I2pZIK+v$V&Ox48uqf|QDEk>cw;9cyQrEF7|pF$p{=4B z(4PD&%P58Fv$``|mUK73Tjh_OC`q>COd=#%z;KDEjkHtC47eX9V)-e=_RRL*vIHy~ z=JFBAhG`bAp%F`BT-Rikk z>e}uLs4iv7nCbFcp&r5}T0d?qJ|(J~1+D;@*1JFNYkzQ6jD9$1`?+yls+2ECazY1J$jlVwZvb%Ff8 z#=EPY^MO54XPZlx?T6>IOf?`c#C;)#Es1azL<@mZIxa*iaWGSGS6gev@oIOm=IZ#p zEn1ZN3LT%{2R~=w{Qf-8hGt{1x1=ij=DICI;)}u7mPGZa+JG;4j>ry&-r1mAQmF1X zqiDpr1g$DJMl?OW|Ry=F*`szND;Dv7I)br{4hDbQOWI!YF zs|%V9`7fkMcPzdj|8LyYnTMuLW1mr((&6XHWg79|0NxV>Ok(A3-QG>D92!1TS&Wt) zGyGv6Dyf6nbvqvc^4n)vyh)A0GBR<|6`U+}aEE6E$X>A~N-k(+6^RcYpxA>mGW!ly zr3LAaTpF%sZG^l6%=AeTQwP$P1| zL)xu7^6an~HxXgHTGRWj9th{>byo7HDI0FvBf`m2J)B!~@l(zl1TDfrtl-7DYu{x_ zRCtlTRi=!n6y}7w^wqKZHwq%N!NU95yv#1I8nqVluKCDi^2T%%02aZp=`r5v^S{b;!*EWBdD$TZPM_f;qkZ zCK!2_YW32w;%}~S(O$+2uo#$z(V^77L4Qrq?02tQIY5L=;E7OaMp@rNU|H@-{^u!3 z2NmV@G}y@~Tw)14Wj?4cf~u3njD69?I`&Zw1CnHuft*)UaS2(jg%E+oDf^ccM4svZ z4CnQe{HXl%*Y_Cg%!zs^fYCS;A17ig#25P;VF4ktBtM;zQfdPOo}C_=Abd(Yj|p48 zZ&B{+FOC;?W0G`N{M;^Jy>vKd`{-U{1pKW54Lo!WRXKMwoP*JhW8)kjgWbw~vtzSX zn#}4~IKu$hReGhmd8E8=>ms2CeWz%@&3E{!-C0OdjD%0-l^Ks|XoH35G}Cx~%(yd@ 
zoZN7$*+w1$n}3z2Ig~@fL^@_#WL_y(AOFls;K_v7I$^BY8Z$E4#r5R(uSIr|y=$Yf zvsOe95RSvu)XfYCv^%Pt&(_(f84@y6_A{npF=w^^{I`IDU=Bf-=R%-b&>qy?*Pf`E z1?bkXM8ucT1G;7HMe%bcu#GHhJg{Z>6mS~qn4*LhD=vdnxM1x_!Wp&}w)&Q$r1@bA zdaFMdf(sX&IDNHDcYJ?jfg4k1mmxhW1J&LGBzJ5<{$mlu=#F07MdQ$^f4gA~ALIR( zlu*3_JRV_f-`e91J}t55y6t6N!q`v+Z+6JBbN%@H>i+Z{l+W9xcVD%vov5R1Ui}T} z2l+W(+V5VU#RpEmymHLL-N;~QzO4)0`s6=FoGnH$ae8z;Uav%KqpunC{;mEn>HrWw z_lfbmtex&~Z9R(G9hR>X`?bio+(73-Ivm#Y4r0#**vz@_&rSbc=VcO##y;@g6#~Mh zwNGRpjJi4qnZ|Ie>H<4B=5$}`bpDztYd`q79nb7&#m?!EZMp44pz2)D$MBCv&8B(; zcvd&h&fTT=_n&+m)CsLyee^48=5$Z|8H@Xq#o@YZd48-EpzK%Sw&B%{Ow46D?_(wK zjA|t19j|*|gi$YWOLr%`s{fgZ?ASr6e+4w|_|SnB9a&UzL)F=zsNV10TFZBzRD5VT z_CT%U*>hZXRwAE~+yVka-cgc^QQkl-4lM+(f-=~j{s~Nk-eV{MMtG2mra^CPD zTto4F623imyL#JyrH#I=UK>fEvf+4x_2UBrdt+FfX?*T?|MLS#1_0VU&IbvCU_m{g z0X85gt_9>E%BQ3Jn+i~$o&2K0SS$G_{TS4+I|W}mvDtWbkuiXPc#+Sz{(JB{&TX@d z{+k>CHaicztPv9>S5cLmrK}uQw}F?K;T7-srQZ3Fj9A_!c3s>v;VWyRSus3ya{pK@X&vRLTNFuc@%P#juM(#z`oHpBA#J{S@li4cyK=3MVw zcXz?AyN1f35J}=q>8)&_%xqHrVSyT!ku5cgZs@5Em1Anjs79KGq+`+Tz(y?ia@3T8 z^k4*ENvZVi+!_G_^=%mXQn5_;3CZ23;M`1;4z%X`dzN)$-v94*AcJJ$WAJVH6@VI1 zZIH(D8^BGvZryOz<^5V;7!2mS$9qR1>})ho)Y*fDy;hU8 zPW^_M2{XYmyV?)su3H=RYPe&d5<>@w62|gK0mKCD3 zA~=Mo1zDAn-<-ZCUGXLo#b8deSvQ$hH%XEZF03RA_P-85 z3Kh6jp_39_+6&K2U6Y8Y4mqy2xsA>q*3OAr*l0iK^zoP{W z3^Ra4Fbk|a%DN7Hj_r1Gbr|~{BiL>Y1t*p9`zI<*8|SU(=b=qJkucwI+ry1hX0>$P zGMy#@dJ)Z*mbTczr@w?{p$>Owjk9VEO(L@?J!KA~SE@r8z6SNVh$Nm*TjuOP70PI` zvdRsajGtiM{5IrIgO37qr7N;kX_fdoG3lm~=;uLjhq|NSe`)zD1h3K9alA(6<1HX^_?fG81u;pYSkZMY}gG-`mo$0!yuhIF-&_p(`HMzo5;hn znXi^?;&R1+8F*(*v->khTYa1Q6`p#o2P*Cq@>jR+A~dz={kPOQm_Za+`T6xlJq?8s z+6Xoi+nEeqY1jVjVY5qt9tQts6WeyblwYst74oC)BGVM%%F_v12BFihxp?sqqLu~CIj!1+|s~TOLy~OwwL^zj~cLm%}A(ul7NwysmSbWo& zb;akip$4XZx|NC1gW|2Ts?mzzK~PO1Jk~95rgN1E-B0JpgC+V)6VvdN7Hnu7!oJGQ zkezT=Eqcy&p}6h15{Ak!{=BcE3k*^8HB-wN48>U zp8RxT6B@Jd+UV?~P~i(AEA|?{!nb2o+LXRiF75x(=bVHs%AZT{OTIGwiA9I3LzRAx z6m=)g*2{j@sGAZ5qZ-{T#=BPdOBWmU!>}1f7WB>H5ZEFYD3hUZo?nA+VOL4ZEKN_i zG-mX;X+n;w$ZB&?O<5iI&moY^1V1V 
zc9`_eG7NL>nxYS5M=)lWU*Qtc<)Qp)wnPF5-d_(7crK#)IcA zKMkqio3oY~VSX~p!xlj-Pm334NXnLIByG2?)2bn7+(<5Y;&AZb9>cT_%oi%dQyq(H z5Tif|ve0VFnk7VJz<|TsGH^0R;Br=>v0G!z#GcN0&HcB?f9UHq_y8GaK$&Bc|JMx= z1X=E0I_ll){RXjJBS4HZ>izfK?@_O?;$bT89(cbI`*ACsf> z&-sCSbv*OC5?9p_Y_ntAd6RT(+qP{R9ox3ej&0kv{Z791 zV`gsZ;#@y#)v3K}SIyAywVv4m>p!_lvRxOeu413J+`~&cnRP@`);8beAM-L0vYc-^ zmGdy-d(ypk&grea-WPjT%!>A1`5YhnlqY}De{MF6^LV7au3tWBU)PedK|f3Sh3azj zOn1M&eZ?|v8IAWDR%Au=V5buFy>fbf-(__cHGl2XnT_!sv|3N={7HFM8+3KWg9TZKdaBy>A{1jcr~|8ULV!5NZWQTAs5g-h)E2Yv}|Jd$iRT7N(!*({8yQ%}1d zZ#5cE`b6W2DltwWm#cq`MTjV(@MMuntA8yIqmS|;v-S1)h-npIX>GT6}zFeBGt%76Ei#BQIsPi#m=wG&kGM z@DsbXpLUWmP_s9T)QwIW$N6xPeK+^!*F?GPW1IN6o}nKioU<)2DcGkaF5kbHjV_L! zzq~ZOt|~qu2;NwL$>o)o%uJabE)?K@yHJP1r3-2-BdOC*lzkHr= zFJ(I)r`SBJU%rmm2~MhJ*1vY)n$>Tg9PFDYWviO5I(08nIjxG0j6Gwr%_Np}oiF@r zJf6R9@7(8A<>^RN*I&9OuhP6%i|@sW~fC9;uSXx z+m?wOu?1qJRF4@l3b(g$$@ieuo90fS(inc&CgkVfO3l=16p*5~JY`06JgCTVIeY8j zaa8>K5=$Y&w|g@L!;Y^`aH^CE63x~s)Z9D_iO3u)w`~!DCVEXPFdjVmcF|JvV+a3y zcvPHQ?E|eW>t^+g*1BB8OWNh?rQR)E_v|HC`J<|74L@6glxWdOq{UeqDhWavHOZ~; zu4ICCsED2{^{2*3#S@-MtJJEZ6&VyN>9%%ogxhAyQ#ASK^c!R}`n`!1+>0=T{}e)5 ze0qq_hOn-)SE&%CjUuUad>3&y2D{#UT5*93yn=F+qkoX`!)(^m>}yopW*-h_A%P^FwwZtO^v~Z>IR~uUx#NQxCJ7J>^A!Q-uNkHSE?;}tCz`}LT zR50pr>tWLi)yHnW^xHwDQLso4J%3~ph(#9hnt`2{Xd=Xrh7vCT9Y}9YBvFLofAUBL zKkAhyO*^MJ2bNzZ}LvRXid5Gs4W|w+ize zEW=_9KVkP>G#5P@Q{F$(np%jGyy5@QUT_q#X_4p0hSykwZY_N&s2+0Lh?!^&QXs{+ zMHO>a{l5JQFb}T)cD&inY=2*H0dRCPfDM=-$wR?@H3zRF?!`1B{a(=5BAKv(i&8a4 zZT@0OgPF59R2oXwh#>}S5=V$MC;as5Xp#Z@Pa`1{a1^t@<{c!fo1zkV==}Q=Rg~2G zDUAo;1|Sw7kie&R#VArwJ*07EY3%qjW)cvW@;~6OAr`$v5G3?RX=8;|>MWC*{}x?t zFrc8@tHfff#od)V`8y8rHo}e8rG|i{i}pcfOFZBFE6)-`;4zM-0MAzC3e zZ;}a_w%J_p|Aj9{NGZ9S=Q&@pd*AM)TV-I{YxV7`>lFYqi1>HJJSse`Kd=|L2Uu{u z{{EE565cZ3Jw$emnxyo0>Kv z$C43v*xu|co*uE@yn}8lU*j$t)V)auA!(9)TBd=nrwBH4_?w4qicfLu-e0pNIc~nr zAFGS(tC#&~vhDii^)AK#S#dSmA9H8ZnLc-leR%6yJ(AvU zB0JI4-SHh3Uo|f82QaM7erQ&U;k<2a9{M8$(&7ez;9pQ3C3&eCX#Dt z%92uNV6GE%5w(-M?a@(Ny`O45-5EUYQqx-kUXPOI8d9otxH&uLJ9b~#(YH8F(5saB 
z&Ji4ASJJplUO!{F?boNfjr=|w&S~5}F=DYxuKcYn@S1PdsNY4s%Cl^BUkdN`8qbTT zk&dRdUbAto+Vm^leeX`usViHa17j~-M{U@<8H^`;e11=)x9pYUSpBy4hWdqni*a=v zy0M}xo7(-PE8C+_kL-D9YH8)vAKU19Rf^io^A!AWZ#v2Il-qKA!Ko$M;W2c$ud7QB znnLDl$@jdQ=9oD?KaKZv)BMVQR3S^V`vKJa0De6JiNZ!-fYwpAdjPgy9ghSWz#K2a zx}rk72Lis^4aEz!BfygLq z3nD1JVzZ8ImFt(cbuuMjq;m%TA!0r8`nwL4^5+lMyt+yaTCt^dr_CC}Fpa|x21q9( zRB_T^5=?^XWINbzBe7J*tCq0XNpWiqk`hF=F48;znEeZe)$ss@$-H}+u~P_!6F85o zMisDo{`~FpM1w3o`MWszS<+Q6Jd|?noU(yAXH%AlaI~_Whp|IK5x;Pq>H*F+bftI; zix3JTGibg0a0P;>3;ewYn7^RQH?X%7Eb4Wb|il7#?GqV3-N836)&t;-9Q{mSX%$sOwx7rF<%;!Yn zw8ExKeN=$3Ux|ox(L{UegRN0v#xuya#xqwnU|18u&Pe#M<`q^As*QLW^vnVNE{nr2jUy(#2I58^K zEGr7eklRABtXmK5#zRe7Wt0UER%)I-P^%hhMGvw#AZl*nNgjo?&gW!ywX}fkMX64g z>381GHK$k>Pd$~tsHPL9D6a>(OjEKK^O*|DU;|w9R7L8m1-Zb{+692{5%2^w zkJ=a4!{v8cjb_DT-`@RDS!HIe(jJcrZd65t)Q@qk#a$|)p{jBsyF;tWNWUwfM1^6+eNGOUru5C1{0=`;5%i0mYZNLp%mReco7q4Z0OPWUpu zEhSvdvkJdFR-y{}cdi(636&OhDU81~{^*r{;)&eYiv%TO>034!QqZuRtn-)2?&IR& z)+BuzY5|}MdVHnu62V@Wwsz+IEg`Em@nQ||<|JAQM`sYq)xCi>C2;TB!iPKMY6^(0 zgK!4{SqFN#TUV5eP68@wsS?7~y)9%_rgI+u4-5l&^#TODQ@#SFvVq<>`xRe~p=O&v z-WvksKVlKRj8@Pekgt4i2*QfLgY;RRCO?ncg*A2R`*Q*Se5~!2Z5yFCAnR9MkNJkv zj*2)jG4Baq-)&SEzGr3E%T9(WTHk{-aQE+HCY^ajz{|}XJwm6+R=;j$%k`}#nor@> z2P=d&7x2^Zif0}WpXR%ed=@f1`#e$ew+!o5cdFxLW0=xnjrJghKCARrl%S!?>k=+{ ze%a$If|D<}-ZRi}$-^f-m>& ze>l%IZ_CW=*q=U&k|ww}uhN5Hei=&=HI$n#gDR#p9M?})G+qb(%Auy!^@r-R+x3!H z^^2`{&ck0vsdisQ9dvFU=?(*Ut{ZRs1)i3BP);zP7yZ6%CNYpTjjtEf^t5ztj*xHd zU8Bag1jdWJHSKP{jJ}pg;$O`Uqq8&7x<0N<*sW%K#V{{Aw=ILKFz|hW;-gh5C0jkW zH3Z^4YsT|{Owf{JpE}PIJl{o(jLyC5_Rpnht-IYS*{p_5{WpIEZ5G!>6j|N#xvFGO z>lTz)*1jR|XhqW))$ZM=v<~U6HQ-H(=hREB-9g8AgXwo1%TU<1*SY2M+wsK8ZJdr} z!Tq(nQ}8f>*QcUaV8IKkPS;Hyw``An|6+{n2=~G*!ox;eim%fI&uPLjFwFXjm-V^( z)3w78?;O?eYZ}37Q6&?js^KJ1v$-cjJiB%NJ!ip{lg@d1LOHMr036jA=k1b@<9MC_ z%z3@lKF(q4c72;Y_U>H9MyPJQk4a*FJyhki1$@SHF7p6WNHc-Hk-+W#FF?WFx`T?1w4l-Gfre<<4c@F5Cdy&mozXh$??z;<0 zKSfD}d@yLjo-bYQqRJYgwqnC7<-`GjE2?V3Ueut(dfd%a>|1T!WtaF!y@-_a#qf;ws#rn|DLBeiw4&JOmxjbtyzDop8YzZR 
zm)j?XO#&H&5NPJE%;!uVr6jdsFtP0FoJ5${&k22xuKzn^)vCXo(WrLf%A@SOnY{Jj zVI7gjAL9nVq_6>*x}*oiWDj_jWu}Ji z9Ve<+qUB<)UXE>}lu6$p8&T=TaSfsHKouXo=)EjVO~(NiG_Gcuh*vdIRD&c`BuXiy zUm51cGc)7X(-o~?Xe@q>F{(_POqKgpzXg*L^<_?4lqzVYq)2OH#wgWK_FL&?I?oMg zJFB6fhFFcsUex8NE`@~EGcJ=s5)g|u*8bgtS`phKIZYH8^l*V0oc+Dbyue8g-Db~?x5=;LgN3W5w%k9b+3q6hI z!kpgLEzq}8EIoL_3nqlEJ&6*}i@}z!J;h52(GYTr@R;E zBvSGa>&J?5BHEf<5JSfJ&4GCq5bA8EL5LGD3}(_IP`oEr07sP6neLMuw;il8>5>84xCq9W290BFMeYDT zP)NN4C|*}MNtXYqJ#t%dxZs;Y0#}#R%wPubaYFIAU#=;r8<6- zc7dW$r&r|${qNN9O%H1W@kA>kkcT-7_{%d1)jds-Zr zVx$OjbBd@>d5&^tEUyt~Ga0y0Yr58Zo;we_Rvc?@Z&VM zWo)|(*vk;Dz#)<_fc$Obp#S>gi|}E(=N|%{nC%9)z2Ph4U`U58 zyQNE$;|WGhaW=9`rzPOp+2YvsdfjT#)t18c>BVg6I$+@rz*p=(o`1Kn@1lYD-H>$q zi*>6b@|IR2k5Ys3HRO7 zG+@iF){FmsSNTV0{qx@X8PLRco}xMuO7PiRvOfuk=;<+b-%RmMyu9o=$G@KfjyAXw zxU$_R)~miwl5<;H6&d=DLN4R_4C)MjUR^BHsl6;5hq4-^Y&)JxzOA!gwjKr|Y`WIx z6MSjSDFE8P{40vLb6)P(ZF_vzRYIpO4qJfZ+6~Vic5IG)5cAZk6K*bW&ePN`JP#Px z=+lh=j@<#}vgIWmr#&#+i)POH{f`ut?9k4p=fzj+^c0-^X3n70xr zA~OWEHT3$9hA@cFe))F@j3QNmBYVndHG;W`f0uo5{+fT^eMMlOLMN4?JF@32r>O#p zN$vuy;^Mhbp6k|t~NW?I5_WF}(6i`vUAIMjJfl_5iO^PU)q7@-E3hcExK zA8*+$k9sy}3qew9{2+{r=#YRz^mM70qesKa=N)7I6F5%786y>tj7Mdb))@N6Kw0}q zfdO%sj&0sV7jxh zuS(=yVVlbImk4T8l|{YISw)E)~pKg?zVZxt28-KFkSC*)X{V)uys_Ea8 zBq|}{FY*w?y;Va+OmOZLze>~0jx6D1zzw;Mn*6+m4J5=et37y|6<{jrf4csr-jsDT zX$$FtFDVhNo_H%`REi;LT&q{6%>X6;TD!W}8Hcp^v?8WeqD>5igQvvSV_*us<(pe} z+o(C-$jp)6qbPh4V7M6WQ1};f2G;-+$=R;}r3u+fbDFZhsX}+y)|q9!uf!ga=Pl z5%tA5j}BY{0bn`eh^#f=_6hN)v397WeW9R-HVCcW2oT-I3_}n*>cM=@TVsuY%uAs- z)iLFlZpwKzDT*7~a!o~)K&6#I&}mUPDgigJxPnfR9!pE;ai=lAseesmdx!6ln?>nZ zb{uNuCik?%@k|1wy71=Y#i*-4qsB;$e;Qo6v6dt&TXQTRgL7kmp_W5Ku9`4oOO)A% z1dW-cRw3|Y9tbr0;e}C-cPE>6Z|%7qBHf!42C21x)KFJ zTlj;#CyGZ$d(aG{h2m@X!aDB_Nr*)KYR6NG=21UmH4K?@MG;uPlPea|l%|3UGbFMn+qkdbQE;S0vZ&h>q`wl8;8`5UNv2h*_*(fjC`Am(vd1Br zh+8Q|)+#p576BIaXn-P5ihrEA%YdYS&Uh;ZC)8%bja96^WTdQoF!mP=3%e4>FXdMr zzU5*=NM;}dBdrT^{MA{O`~@2Z67Ec=Z1Ll?|Akisd7O)7@{z;o3laKG#ST-w-e{j-(vI>Agne|JFuv>C#%MJxcfaNKtE 
ztN|cxybX2BF}m%cnnou1VCjAyEe@9)yf$2AdLQzh|LT}Pk6m+?*jrFO-gw&&wYV9( zR!JW8ZRU9XASqky4SrwX(_uJYO{>XwrQ1>9mQM2?_wSJ6mees%NFXrVe4WYEW>?ML zxRyV?3%#Zo)X_QrNYGgq)w-%xK8f7+FwcUMSyP#i_09m6_Dr&IXVv>0=NIth#La4* zRolfp?L;}pa(^6?6WqSJ0|EoKrT5X-8fwI?8%{eE>zVf<5eVL1{NxYg>1`7Dt|mL& zHXjju|2S^p()+4%->%5?VMA`(8$VsVP`YkddcE~3VswRCyZn4w(zIQOu^q3n-iX#+ ze@WU%_Qa3cXnLJ`dOWV-PeFHN4Sc*yLzsyxA-AMpsy*re$?;?PtRNTB>U+; z;e0#^u)G>Zxc0nE)CIhbGe31-RF-h7Zhd;)z2ZIV{`VsG9pR4kar@?fhQdl2XuSkl zU(;%IFtt`ND+7F}+6KV5p6|43gjrv*r=1BkHtH}Vx+dU33K?)%GPfTUs#)>18VAWC z3!EbDthB1o*u{WGbZNg%2>TgL$By|heU~g(KqMSWIIPquD6-$CWo5cqIUQS|0C5!F z0u*ui-L1_wrOn=d;LJwyG8sk$_2qX$rCQfQ@0l~nZyPy7p%}|Yf14xPtmc74QfBZ{ z=@36NhHlOn>Qv!nY~@KOs@fn+3X~c)Dyjr22E39L8XUVgY?CGvR&uV+xKgHqTQT`U zVgoP_qOss`s??za6S?e_3d%c%sYh)#S^+!s%E7nQ0}A@61_M*Ewp^Oo1H|1|DpM7h zQpsii!h@zic=T-Xs2V3x6pg^sLKBg(Ma|fJqU-P*Jc0Wg_J`waa6AxQ~cu^ zZGU7h{6GM}(SyQCDyP*ntbo({C0vtw(j-J~6e%)UX);(FSFV{{$@=;;7@60{ zED4qTNW&@_)J?}}*CRW&1cisLpnt|M6L%v#gX$UeF=`LmB9 zK`vY(4ljAwJ6GYp7DhF^Bp{%de9bDMWlshyQ3N_9*|L-dx;g|^s!3D%Qi@L`YQW0x zdB{sCvfsIA`iGOi^PG4L(Rdj#_BqECW=85=niKDkg`Px-WT$^L3gZ6I0H%7S8YOKR zvmM+%aqD_a(XgNSSjhTh3lcf@Dr?=8f7l%EN?huxTA*N5;HDKA2&6u;sv-)CO{GUb zjR(^@mPv)1`~pau>ILgau9A5gyt38qZ7VsWO)bq=|5pl-0*Gp0pMOoAU>XiE0;;DU z9`$^R>ZE@G1evl6?pTROG=Ib&NhXRmjTj}tNB)7F7||)BJXOY%_)YAO6<17cnx-Rg zgY$V{HjthijxyG&?DEgvNSM)T%XM3By7Vb{<1LtdQLFa#jaGdNC zswp6LnIJ3$PW)!lNoz!ge#JrC*^^LPs^fv5lNS1;{qaBfwsmuD(LIA!g}|4hFCd5W zSp-pK!MYD1nA?w_9Lm=brs2as2senc8)B=K0ylk)!X1HGK)vrImhh6f7L=KuHw2WM z)R|IRpDW3F-3Fu5EmGfEgV81!8{UCQY|u}H(6~+mvj_?fy%LTqcD1~d z$VaWIpiuWF`9wRuxJOb=JnASz&?^IBV$s_ zQ;OO1FB7C;XNqJAWFNrY8u{Cu2n90Ew(Jb~mt0eukN$9BqLut-_dlskWIU{K<` z`O%2jk7clD3PGg*7d}PdQ*&>=mF<59#?<@NU;WlC@A(+rolqopa4{mA9~O4myGvmv|Y4wuWCuaJjSTvHZL`YgUhqv@zOequh-ibCpnM(t(f{X zI!?n^a@d)d4$S z#PV)7lb>smC(frh+49A7&xW_fb#|ko%l8O9H{;JP8k`l~>RflH#$&)b*-b;87n!Gm zNmWj(^@T`C?VH1pX&L?K=&N>%r78OGwoQ7%Wz^HIu432E{kiawL9hLzae$|>-a^=1 zv1fPfY}rG`d5t|a;9T6A^kR#$Mfk3LCC^pM*%H_qy3KtU)`d@K(V!}&WxrgZNRaw? 
zD52=+s_V6+cx=t)b(q~D<8yr)P0)1;eR=lU!*i9~@fxWLIPTBE=a}}|eG1%i+i3&X zI?fZhb^~#quGpV-y_?j|p~u6VOitLIW40={d||fDV=o zkl9^lm)_@r7<4!UBLpqXPym+Wxn1|zX_?&6mVEDp(Csc9;OAn_mFJb&thg_y{o*+N z%E_@T!I(|g)_f7 zxOQSy+CUWwSZlJ=KEkEMATM(96!GPM#;hpC2^JwzVcnY)d9!}zCMe-7%is!XWQzKu zEdB{XK_(Vm%__2fe>IMX)nneOIBXW4CbqA;f){ICRtFH;^6 z;I#egPHHCDCRj-e_c$`uQW=$16U&-(9$(FMBVIZBE6WJwTvG&uzdkr3O2Z8c#Gt$lgS*tiEU#FL_Yi19OkyJNW`bO< zEa^3(9~ekF%kzQ=iF0ip3}Q+sB+RO{5Jt0=;lf2|i3}o?CeBJwjt0zOB~YOOquugV zN}Sv%KRB6+Gt%;P1o7&n(0IIfk}Hujc2k8qF+v-c!V;8cZ4hqxR#+S^^&@87F{)t9 zYt?YW|M;=2lVTciiBI3KP+6|f48Fiwseh0+a2y+Me3T&Kgg%<+GXal*_XI>QyRXv< zwCuo}oT5`8N&Ki7#l2uQlpkN#4`>e#p~}YIgfb;ka08dhSmh4zLd@n2$_4bccARPR zzedZVk04rCpUI%TB6JjHY4@|5wz57E9Z}qh&kdki=yIB*UuJy34LJom*(a5S3#Y@M@VX13%kkx$r8?7IrMC%wzwm#NaGYhQ#rP<$0o{=o>}B2vO1(z5A3A zN3%|iAzBaF3;w7odJLESYoV@$KhWWlC}xjX(i9J8g;;{uI4f+FZ;dwe$fYO^|H%dj zW98cQyH2dnyk_&4vZlGgGcENrW3C!>la)-XURzkG+)+^&<>PvYqcLEITr6HuykiWP zZwMC5I5p|a4jQ)mL8Iwj$02nhG#+ajVXgSv6UOR5P76)2as2LeL_n`Nrp#kmsLQB} zyH3w3>S17_Ss&fsUxhW~wrR)@^PnPqI#zr6WG3jOT%cO1enY5OzWEsha9`|?>@;CR~4hEIDxj9=P1n`9?y-};4qyOlFD zw!dpZ-fGzROmmpsXmYp@M7wmgTjFl-;45&KS}l`)y55E!^WL+S`M6zwXtXsiqV;sy zyFMWALOo4~UU#ks{IX5&FavnLvetRpuJ7Lj`|{mh1V3LUzb1H2=-h96?yzHgI$fnV z0D7LnP_j4Aav!gG-FqI#QcP{Em6@-%d+vtefCrLF_s?Z50ZV89^2$mYiM zc#JBqS*W?})P^ao>9Kc=IN%M`LGCoN>U)sf)5t5>zPy8y+>B!+kST2 zV%;?-}Wt5 zydls@U$_*O28dNQHhw9pV*|^6(yc|9j_LSX#*MGAJ+A#@hQfM|eh@%Rt!Ke69MI5oyUA-s~w+WjdsgaW#Cf zA#F^|DJcAzui5e^k8XjcNwbz@>;6wxC$j8Bp261KK?v)ji8xLwd{cj$zi0Wkuv-ER zn=2d)4^OQpLzc*YSTIM3tc<8Tsf-N7+ynkBOn*=QB)js1N_mQhybp(t?0l=mjqweLpV&i^iLX{3P!v-}EX_1YHwTt7^E zKg66Z_K`4=yJS@D1Z!1FLiBA*V=tYc*vzGF5*Sr2>;B+Rt77Ga6b{SdSVbGr%m0uV zl)ynRdRrNd5)PfdQ4!Bb%`~aBE>|L6Ogia?E;a|lRo-uuU`6cShsY*@>^^_=fPxKs zBV@bLko!X()fo(D!5gFJ;D3=~A<}~Cn6Vn4mc62I7&@r&_o2)~alj!2yj(jO<3S2$ z=AJO6T=*ws9n!?yL@n)!LRHc*)W&syz9wb)7-40CO_!;%2BURYWSdPsi2q=W1;Ra) zUWrtxloC&Rc|Rp_`QirZ?=jkCR}^n!DN_9!1>6&_vP}v2FqiqMX6{xJM0gQpz2Fk_ zT$;AWe70QgrOyr^OOesd^>^v6D{wT!-X!faG#V4@B`2c))6%-tfs#TGx`RBB#4-wl 
zxI23nqz5y0!NxanSsgCXSfL0~n>ON?m*&0$UhCEHgdlNZJz73)V14vo$})4M^I;wn z3QwUJ2qxalWG0T^C2yHJ2P5c*Mghd->|M3w&TtEClS-1+nDWlVSH&aQ^Oft;5{z6} z|AO`4z^o!<$R9NlU8(8{If+X*2%(wG^46-}TW9H2it4uqoN>yJaSNlB9UMyHoec1Y z?k>WTBl$Ip`7=b$wa4?Ap&4lvPBn-pOqn0U7uyTNGZ#U^;d$_pk6MZNrv{8_hPdo< zez10i+_K3%Vaq|rCTS>#Rj;AySgEG!SIA%Oydo39wHF$*6q$%t1jVctaMk{E?&xFC zJg5AwX}J^6JaeJc&`OT3=H0{5U~;!tB~#lH|< zy&nkT^Pv(8ti}hSlpb)wwqf%bMCLf?qW~ z2K1SLp)~21x7X{=u8NBNsrys+1{JX9wue^t8T?_)u?tDt4oeN>t%D8sC5S8Kk-;WMuI22c9M(^@?dUMx}*sZ>6 zhcor*Du=e`pKo5LwUY3ujvw0Rc%K{D)AT*3v!=7xli2{@9%WrVljj_Ir<`oC?e{S_ zOC66HiJa<2b*JH*2e=g9_ryJ6IgEq~c_Tl=M>DH~)MyJ!U@jZE>o&e(`*k1JmZE#AHd^c;BvdiV1`ZmXV&}TcyB0yCzELBMz_m$ zNsQLRN8ohv64&9CEM3Qm)WZOZ$;S8xXWM+#ADOJ?BdU8J5O7=1<4JAL2J612hfq$} zt5;^-?78>2JF0zpUkzPerq;`-Q`zgzU66(57QCBR@$t!(m(F{5Z?BHFlA4LiPO~?~ za2#IQO~;9SM>a~C#aXn*XPdIIdAi9o+%A6pi961*hOs?i1iW* z-f`8a^EoeV<9_s#6w`4PRZ)|PrlXS8vQs;$^VC64fF;vLt?jAr@)196tFs^6@T6%t zreyn;K&|y1U!F9TzNB>ssvr5^)~Gt5p6(@(`4qT4^+NWgh;N)f^{sP>DaS~dG7t_7 zTq*B-yT4^_+Q+xd{V7@e?cVs6oWchz>1O#VKnPZ2P*`&@)9g++|H(gc)ZQ2{UuQL{ z@3HE?eo_)v&1rV5C0BQc@*b?;Ia5t#))y|sQE1^IHDA#g`=XE`z<^OII9Q#4vlONi z9`j;_P$SSv8nH-dxNf~E!psRnKNnzPdIxb-p+Ocw1zxLD{if8tP}v9)sXT*?iIc7Y zF*Od7bM0zOhe-y-tW1hiuCRDPTw-cj-AigGT?K2rRwn7DkkLv8yI2G2uND&li+Lxe zygb*|8or_eGu4uCE2y1(S&mE~&P%&%&|TDQ0Nu=N0v&xTDO6$BD6-Gi8#DIjpCepP z2KtDI9@n3AEPsy^Chgkm7-IGkesR2n2&Fm8aO`FLMQ)d3z38l;8Vr)4e=nSw$BzJ~ zMitkiNp4s%#(Sq~ZR5@L*g`TB5`bQPswtLLjpXCB6$Z5AE+pPYG7~8>Od*{f8aPgV zY)&67*w9vHT+M!=Y6iKcfsvu!-x28JcA5!DfH*@mOO}xLw&Y`_-}I8moy>HiUSiNc zvi+?}66>uYVjze$WE@d|cqdMTbu00fhXRWihWZ{-2Nb+0XhMlI<3_~#X_whJ{EVu26PQdjl4t=e*MMv3~UkRu0w6S%1si>o4Z7|4-$Ta`EMz z{k%T*S82{N^ah;1{MpQJP(z%3^$$;hBVM0ksbVaY5+eH(rjVUcFkToHR=L{*hkNZ5 zJ|H9qDq+`z0O_2-5a~i}uBs#l`48KojAKZZ*)CD$u_9VT#Oh9-M)?*zwzNYbTol5) zMKvwefuH)&Xvll~LfpF+C0|Bw>^I-TU~#G<*%g%ZgXk!Y0qjk4PPr-eBo_x#1b0^I z&N#eQ1s4CX^$;|tT|~3MfxB>&J7fMo%)gVQJpR3{m03|_N5wp_BT~@x(n5#vRwgt{ zGp&s%`^0{IA$HZ9Ww}@ZA(jy3a{lLpjq`^%pcL@J7PyiX(MFSYh4PGG#%d9xMPN+w 
zX7!v|y9&L8d*X2Pr4xWVUkio$_iw6w{H9uIFVFES01XM~WiB{lWCr+PD$oM`;rgOP zm~r1Ambk0E_+G@HHBf5Z>NgGlp?ei!vj~hXggdS&V_UjBgpI9P1TkI`3SRPG=0*xO zg+RHo`&+5@LW@-?wdpssMN;S73P*uD-5j_2q}~cNp zXZfW$#J{55L@QI&3wU99 zXjS>rVGf#qS*Pzg*!b=&y~0%{xfqWAm12-17m1|zd&!xfA@&P^6@|j)7i*fv$&`;D zG7ts3n75_j7+`9Sqa@=0X5Kve{V6p!{eQu?_nUCv@ZS(X1pdc4h5NY^!tMRdxdJQ^ zGe5=UBzFJ{Jue7%yf-<6;5%ZNeRcmK-kTED?Pc%t%N$wL7QkJ)CA*g0;PA=(=$`fX zrAHWv%C)aulKXpP$<+_QcBwqhw43L00w0A7uywRHuFk7Wg6>ybthVI&;F}q zy3@X9|7z{2Qg}~z9)J6hr!8^Y=XoE#^AiK3=P@Ii&dsMLGS*|Ndnac5x??!abe0*= z3er~Zym5Apw7fErBhz-7XL5aN&8FrXC@te-W_exr$X3^!vczR`$YVdtIqcPo=e!5! z^)#<;t5qxbbk!8|u}M$YdU@dKv7Ym|zH<<%y&ErS+jTx_$k%bbJhy(Je(TH*c+?A6 zc}UQlt*X|xfxJ=uju?CG`ej42S=r6@xCOq5W;%_o_Tt%MHUBviC7n6P6tluBexypE?I3qOs z2zS4)L;AA!@LC6cH%&gu-pvlrx8$e9zMIxmSo8XPUT)((N;!Es?smv-e+=iya9{57 z>SXtftusC^iEd}JKE68I@Z6VNS2^!B655|VoWmQ@gT!!kvGi+vi;9SU?yD(>>^={N zna3om$N!s9gp#UC0kNeo+8$@|1wHw!a!8B zIz|)MRXR+LX3wqeUh>YhJw0Fc5~Y{jO~<(CyPamr5 zJ3LPP3#K5CnZ`NjK`V^s$(S^0C+%60VKw_bM{I4lLc`5*_>g(vk{-2!V}33g%> zP4{k2g%Qd4Pr5J=>OAr!|8uAPd!4Eo7KBDK*;?Hp&T2Ft#lsXj?-?1?Uk>aK9HPVt zp5U)6IYDv1AN~g&D9Mv1(A!LDpNcNm?j~0o$6MU^(OwT@#~&ZvHQ^)LrUIYC>OX+` zqxHXxgQVCHApSToWTipwQ^_0ghBW7gSyMTAYh{(vQh=VfnlUQ;?M=F-y zAqG;#s8~2rrDUQ_%52bqRA%Ltla9XH@%Sb|)RcBZfN`n_&((|?gpdeHi;C@=MZoEy zA2YJpscHEppSC%X0@u$CKL4WD@VJP%fMS@(Y#3ETW~Mx^iu63Ae;I}8^ZqMkcVr}y z`f1Wk__jOM%M-~Kdn-R!M2|40e9a8zb~Djo)L{{fLA!_>&*Z8Ho%OYlqx|wQS8Xfi z(=#yU1Q97WMJ&wZ`psKlqR)k)cFttrD^ifk&s6I{1mwSJwgQhw# zBil+?4J1iVj}xxdR-`s%rq05GP`vzBmwsjmt=5MZYDsN{E}Cej8@JbtGBQ_C{`+IX zhcBol$lIeYm)J67195kAZORPc^ z=FX!ahS1KK6;L*9nZv~8$03~fdhWHlyAs0WNK`+Qv78PI{SnZMV}F)RY~SZleTR8k zr&KI=`>g(BG|S?gZ+bzh)uUUfpfzUj-$a}-8J|3(@;0{?UH zGty&EtWl^HXt*pZQ_3}V?hFCYo%42Tf z)J+u6%B0gaL#%_VOwn#J=_ZEV+0^80!=JE{Bn6jy7n<0KTu^l|fh&o}#*JpRU5qjc zgPd)Cy-;!4>3ig)M$3k6Y>^N*jz;Lx%xg90?d ze87>Q5%45HCZ!&09biVWdITzM&U@JL2SkVp!J4B=*W&nn%YpW7S$O)8Kblf@M#gRK$#&T2O9S7LIi2;4 z&5B|aA_(i8X7Qe(zJ0Y;Y}R&I4YUv8gCd|}=B+A4YNlCoH4;X7V^VF%ZzG#+)L@Mi 
z{Xf_qhxkYK5PeT*;Re2{#Lj)nrOnZOW8D4%CN}($^YUd^zaLO$UjSC%3@08HJ^*KV z%sO{F4>i_mo{@`uSnz;x-E#3aSZX*un>SlHZQ^@#@{Fgrvf&b%-RT=v=->PJHg4pv zOd0FJ0o%Z{@=A8l`>Tjkbmn8HRpJ4`mc4djR>IZtikrY%Er`-Y^I}QhyhZi`^xX7t zB&%PQ-8uC`KBsF8Svwc4f1N0M2lHK_{xNdfB*D&r-OgKCM(Nq4L!Zr=F{s zv5l2i#d^+rjp78JDjt3KYnLBa%}+qDO^n)&dxH&4Z19?OeIp~#e!yU^^YFuRgh!9_ zt;-s#bML0O)%WC*BWQjplhEU)Seo{U;T8n7f>&>PP(QS_ZZyZ{_jb1=(B*TmaHLZ| z;XLenl>>OX6JR~`x!#-Vx?|Tl-;|YaGpyd(BCPctrY~0IShcCGlw;`P@|xf;c+Bj0 znYKdNaJrzO-T3H727c^{xI3*3{4={&?0m}6k=c4lkIilKn4^4Y)N=uQTv+#Rz7O7Q zcY3ZYAcNLTGgcqC$)_>m0LWoZ}cx+J|^558%~6L zRK2a*IRt8u>~t<6UjK=l*-vpj?~}@BX!;fPa;UBN8iyRXukB_5bGo08fDF!;*(gc& zI>w1%?yq;+f5?`OWE6CJcR_G7F9|E)(i^b#XKw}nk-%&f7{Iotf0G-ZS2u@MrP$m4 z0X3fCKW#tG*BAx5eGwQJxB%bT-V>^vax161mi(}0CR;dxV zHV95QpLr=1th1ka;HF$jCF@kg(Waw$Mf4SAFpwhm@BgJPa2?Z;XCL3l+glSe3FhNU zMEIiDp!GF@SQTFJ^|wO0#?)_AE8(Dn*F801S(U9}a=B~HhNW~Q*&t|^WE+LKOyg)` z1Z4liuQnD7%L<_<49aYzRw~nDJ-@2OBBUZsE00TqxH&ITKz0>>QzG-|-eYH;xR~|fvt~r>WaxB?4C=acUm96`80JFFRnOVgxE6+k*tY%@@?N%=H4wNHKZLwV z*se13#GEe`gU)MWlKlI{Nz05g5%Sz9epkqtPPza?X2PL`TLKuJ9>-k&;G|U9E z);!L1oNsU!<5VSqe!|a9oJp%rp%h;few>u!XcW7hd(T?zn&2oakdgl}D^QUo-B8;< zg8NFJ*X*%zGw3voUL=ULcAu9PIE?+*SW`@4SO*d;{@$9Otny58(u(I~c>UP7+QR8pIVANcG5g>}nUdRH!*WL=jp^Fs@ z>%`%etkMCy^ckR_crwR+eYG{ZY2pqB8LcB(xgndLirKF|&gmh;ZC0fz@(t(hDiZTu zGtnqOqPUSrshE7R#Cl$A(xd7q$}1ko|G_aVO2UTOS=grDX9#BqHC$BSvl_)zN7?)u z15+NP;2J11E%GBzV5%};LKQ(oNhY=eU$vxBckrn@e02pqW>_#__ADeu`VE-^hHA|U zRtPUq%RcLtGXpN89Yp2u?=ej*LpL8LfdZ(GUB+=6hoGoD+R=Ylt`?9eEuyCU^QAt7 z%oJ*H4cms=Z3u2SxJsQOILCc8+>(Q0%3|5mEZh8l;Rvwge+@nY-EF_3$bHYP1j7zA zz5(=yzC3Azv>bYerawM2Jc*GtJ@xOMKb%k1$0?bl3aI3EW+xdv5G{NiHsxPTngO47 z^mKp$I)uQCKqufJELM@lIZc?zC=#sZDd%-KlG^<|nE0wGJv(Cicy|f)lUUlfZ8sZB zU0>CkuKw_eyOQ1;q&Sd#&^-ayHxpyFo)f%Vs!=e=#d{bSi0 zz}^avai;$3eLD!nX=-AI(59TA{-4nMt;-C5^ZHE16KFz zazB;4+0-6x*u{Gew|nwgYM1eeH-~drDL3%)p8)taL;Tzambn(JBGS9CYMeR}+>Qcz z2rk{|t@4>m(6;xSd~EF{$$FrDJGxU_dpt`0aD~hBmY{;Zh6%HCHeu6xEkD2Mqj@U2 
zJ$AgPuFZWqr`?{~av4N5JspMma1nmqqvYs)h@U6FEQ#H4h-{O1{ZP&><={P;O5yjz)Fi;K zi{rjGLSfsF)A;X^F`vbsC^}E+dng!$Ypyxnjr><-Aw3_TdpCIdb_Q@J@EyUI0SuQF z4b~rfzFMwXc(Iowd_UqSh5MsClYFMH0*-zctI;)GhA6%Sy>i=;Sex-S>NS!LzuR<| z_yvFsSj7F+G^0h#mJ8#vW?4|kM3rg#dyomP`Ln$T9^XQ}A)YS@XyKd$?L6)=SgxB1e03xRTqa6FoZH^oXua75|nCDhm zsy3T{3cx?SY@1jZ%8&C0tb)HJbqhCFu_;Lj8PnTCO}`V2$PUW!%rqaEu`(NKQ~1!q zaf>0>xJcvuntqvr(1;mqfU~fWW;B~xUqrz#*Dd2gpEenB$Vbl%j2)=Do?ouJ~qoyGz&;{0b<3E0vPs(5070OUE zvz#C94F@Y|`KB{=sPatTo+=zduxEJAOR+A*no}f+VF_&dfPm{s#;h6Hy<9K)?mw94 zN_pT}QqxeVzOEolRER@YDf82*J>zA~&oS3yJ5kV*1Ln*e_UtW#!YTj?tmhxrUQQhhSRrN*3v=LVoV0 zW|l^U#+_OSQE)O~CxDauiZCg+r!_T>O5(VY4~x~)=#soCfx)oDB|B4n{bY=#$& z{pU9*T)n04l*+-@eJ7q~gJ#E*I@3TIA}vita_}eY?^(H_(?`uInaKjSv0dF6X`UQ1 zvGG~DggqzP#{@&;uLXHmMIwn!L5g9gUrtnb|LU|#j>a#TYZ=X6J(DEEb(%%B;VN@(?o*UMHh{)p7m;{Z1W|1UZl;1<90U0 zd?lw3#O)aob?X&KoyO5M z%e0GS`DN8}bqctHq_rATv_yvKI?n6;J1J}5wTg63qT7Vs$)-~5GF3A)i_`xLYc~hO zpv^mbgAWw3$wROY`QF`&0LoQ5_s!W1xbHh2v?L^H{b!{~!N<&G@6z&#vdo;*&!rmA9 z^5(RADClr&kKf@E_enrgLe1A=qEi3kB6`$z%>BvJ^oTr$FVAIq4p`kg{WDS@H1VW+ z6nvE{V6J>~0yPD^jf{Ake%X&}bki|xPIBE(gsbTU7A!?R!fqJ7GCRUOqgWHXU(e6c zwBk349u15zW)R%EoMaqF$fkV&tIB zM0X&F2CD5fgT5BLdan;WI5lREk@J)Hsc?J3G@tU^!~I8nw|L53S;s@rcxcUt6tl6j zckMl~@sW9E$LTLn-uBd}E`TjZxEZXkX_a-Ks9$q`Y}wl5u@*f;&%yih;z@Yn?RK~` zojhrKl=E>&;w+rN{W4W(2XpDMTeF=-M+xk8=|jo=xKY9)y!(*f&T@`nr)qZZIC$Av zgu4QsE=~Y?-r&#h{g&ce1zZNhuGE%24hIRdIyS?5xgFjwaW=0uoHrKEE@+G>#k{!) zH)e90BpiKM9iFeRrJYf19_(3LG~PC4XZU%OkyClh8+PeadG8J%W4k;~)|W@LFM8f7 zBCC?CnjRlZs~-1tpM1v7zzfgdZ|7i^Oz>TD6o4E|X?T|OR(%GBnxaz^3i)*1{Ni~@ zcoD!RdS7_8zis`D-^}HLb1AC(CSmvhGYOtMhB*Q66`JzrItcLuDf9L94S$I@2(gs> zi^D+PWF?hEEe(n9avHiKhgC0JqkS8lHE(-j=NVY~SFME{Ms>!j-wxqsyajf3vyLQ? 
z;Y?dLziK^W%yi9)dn`hX zco7KUUyd!cW0bLG>&D0UO=iI*8aqPK4EmehbjFWON-7Bty+-opr4MzZxHGDVRV$Tf z2vwKNUDRbg{&|Q{HQLG=|~)(M2U`AvceUCt1lM8 z%z(oU)IgJA{1Hf_jh$Rrr^c#G@g%SbHdk^Mwqge#HG*>YfvMm|!Pd;)pR<9BfW$nC zr4}j*WqL>*zF!L3*t6Yj!k(5jx|ZCI9U{(Ln3k#B4VY10N{YvDT;)8tKOfM?|KjtW zuMBE&;-+eSnIjul2u~I>ZryWbQIet`#xUJ5%QtF;ma7~{_n%9?=vt%AfTvIc#+x;F z_s7+6P}e}ZeOYv+ea9^x_8TCSoGr^XLvKYywbf2ul!{|g2uh23iL!}_uqa#-S3pL# zZVsqXGoe;QG7ydnKkZ0_)DlzD=vK7{j*9#L9VL?9QQH!1%uL694>4TKnih=+)DO%8LR+z#qrj5C2S%iC3f zzMGBMVmCji9R(P)P69gS+0#sP;;(!@m*jW7&ch%w`u_@9X?9;r>fT z{?;-3!|W$z8=z{^NNS57r)}M9Om}jwrajYN^4Z)hZ1>@y*Mx$ZS^Pt$zd#<$J)JCi#* zl94Rsnqbx9f^e$aLYDhhk4^8nFPir948P}y_SvYE{~Z+SEytntFniG|{v_Ysdg@w9 z*t#Igfp^W=pD(-k;`i@<$dGoyh&>}$gzI7wY}+Z1jiA>uz583bok*i zMp>ipS-Qz;%TC~Zo8ddr0I9lCN?f&|BGHxk}fy68P7moh_8o z`<~HRt2^R-Yz7MDh{ZND7%#P z1GpTv5{97I*FcM&y?oF<`x2+&BW{|WPnm=pkUTd9%9rIE?sl8{h7viQBg99&F9nW+ zO5P~?|^OKbkNO14^rDi;K|$FP`3hPn?!l=t&GUprkB%7?}1qmA2$mP6qD zY3FDAAo21t4}H&1-@hg2GXZbC`ww7C5cu!`+*iN$3|5T-3<0iPHdA_CAGV3O;uX>l zeu!HC)&KmKmhY|hh2Xph3Ze!xv4&+01@Oyld$y#_>= zZBfG^bONJFRA_TnnWK|cs$B64P#oDu11b7b(OLI(=W>#IR;U%4ePog{$rG4Jc|je_ zJLF%dqG1aU+f1m11ZGezbw+%;g2%tLj);L|xbi{0|B4$X+gr7i$6HFpt zni5*Vc9n3e-Tx- zD&}_1z-6l@#KkEYOSyH89b8s2z=g@Om2;O0OM%7RVQkm-p5mxFHCpQBMPjMa zoBA1TLCRbl_R#Nh#MYLosmw2baws+}Md&#70>~`H!H!%Ak|fkdCR7lOIrJi*v@YBFe`6zt@=LINzF@Hkpo%(1b`kbk6GoLdRO$0i_ z#lYI)@kSQAhm;pZ41vMcW8=h)8ssyNNuJ36~ zvdRh!(opl0Lc7PKankh06a>lA9h~QjN~Bw)Ubb?!J4Aad19GuAZ$e+iwJM3pY-bQC zB9h0@sNwxzU(}jOf9Oo#n@AqNRg=)R_h4AZ7(VW>Mip~Qv?no$V)PE0S+NgW4JfLa z9+wB)B(m;Mbz>tIEeehnvb3f#|2cb6;;kok>~}5k)wwtnqY;%Yxj^EUA^&b!TDU9` z-=)`LT3P<(T7m?!nale{}4{K^8`xD#f!_#|xw5awU3|Tr5ze za3(k^V}_*6EHzL$85h(CPTdQtO40Qb(V5Js@Kj_}Taz0^UhkNTyQRO``b3KV$h>2g z&$pndIOkTyAamVXli4t7K8+aFd3tO!trOb~WAyWR%JjZ%r%@se6BvV>Tp=wpJ;GD~PjPu2Za-&1^8m64(--vN?&Jja$dp@|>46)oR$fg#%QiHf!b| zbNM%4mc~Y1c*sP@#D1%nss65ISY=f+B#B$lbZ6|gQ8CTyr+2$sV31z{7a>wy6-#Mo z5g!xua}U!TONR@x3<+lix)mabMkDq|`&z99+F%BS1NL$C4`Zdow#=*7YdXv+qq+Zs 
zR%by@7y#+Jc?CxVE&c_0nIv4RAmoHpC`Jy_J4O0mT8wt`MuHg2>G1Z^i zKzZl0i$+gG?)R?c8vrX-X6p*esrTLGksY`DT3@a@MdnGLmO32-;S142BUXoVil*%) z2JN)(lEz_Qm@;A4M{4&>*JaZpta;A+^|8lug{)nlfSbK%vHLy#?b_qUn;qvrwK}I0 z%qREP6e~HCFG;f9i1g5k1UXpLNz&HNPnX zPAFGuctTSY%En`QJ1){NI5w4NeViPQaoRGicG=J#7Lv{E83}OBbuEYTcg7=wCi20tE55Rww)Wa~A`wp=VUv57Z z-pxOhKOSFVxq7MQT>R+U(%DV}Ut{ZtKG4kYiX%n*;<7c44SuWm|LO~oOEDyw`V*-~ zVPqv$5ieU1kc7y_j9dCFMYo@3)bZI^)P8ml`MXuM)PsBQ#fg3s@}6J&!fbVpYz6;t z%!~0D8J0jxKI%hI=G!+;^CM}#5~PDf)?dMRp_3HKeDbCzblHPFI&fZ7g8rmY3=RuI zjDibUxTL|q|B99>;W`r8MZoI+zGaYnK(t{~4de8k9b@mPNU)F`b%9twD7k=Lp@eVR zl&34sLI6pizs2bpQR26eBN&A@(~xTFp8Z;wy5APzF#G^3xBI*jmTG_x}_V_a8k}>)j=FZ9JuU%L18rG zk&w@AqXUk)ttTk5&ijUj#=+GjE4PEe_Gs4v!1n$Zv9$~uAeP+i=2csQ5-qtLYfVs-Hof&ES0d8e;$LJ94VXmqr*VE(mI4Y(_UpEm|v=x6OIUD ztg+2ZH|LajVfwG5(L~h9f*5;UW4Qy_q4k2rL{gRUQ4}sA+){HRD046|_NO zJyZ*vt?0>m-rr-NVrZ0o71NB7#&NRHAGDSC+9#m8uy4@qKRTmw+4*X>#Ng)$mL2n8 z5<|bQ;m+AM_>9XtIaKT|;(`a>0ZuNyCY6nBJN$Qq*T5qIM3>H&POuBsUqEolhzisX zM?}#t_X$qDv}pMvG1Bln75R_;?j-G>D_}JmLJXIKL!`tG^C%KYLTXb$D*BGtfN&=) z)R6y7ILtse4xVA0ph!{ZP;>tu6D^{Rx=ODKbOZYQ;$7vE{dpJq)7Eph7ENl*2f3P& zH5kE2&+pV3jyTMSTbu+$LWSAK?=*CA1H^6Zu@h z)3<`vvBk^-xVhhq_~1)_L!92g#t&rZ=nK)N@Hpcmd#7Zf>~t-&BmBl9+2fqI_N`pS z`xp1E$fbAqku8$`4A!EIx_4wGPjJOD{ti##DXS+n1-hYF(xAXCfnaXTK)8`^!MAqN za+KPD>86B9S8OWjzWLJzIReW4WQItKx(Jw*Y|tK9)^hMa1sgSrPRi}Czpqlclk>37 z%GEaPk4!s%6@_)XOjn8xHmRfEW5$+8Y|;GmXI9bTDlco7tkQPzod+Gv10`W+bV$}BAfUB-lzZPQhfwi z@pnLY5qm}9?gT%nM$NpTw9E5?V4qP!0*FGUd~V4(x3h+{O8t@9ZYNP}Z>8FOlo#rmoS0C8N6=0po|AZUV45zD6sa){I`4 z-665aT&{rYagkGwo41HW(byjImsYes&Y>&V{8)Zs9B z&anT!t65&V(i@km#&yiPG8?>%i1qQY;mlx+7zuEira5Y^1--*e=rC=7;zpL&P9IMf zdi`8$O$jy!-rD@c4^uOV!tf4Wr+4L9I`tix9S$h}cE9~*1RFMOV-C2=Yqv_lMf*2uvt|sht+pk~)K>s>h=^Fd`pHcJ$?$~c%aBcB&&x{IRMqa^2iPRUB0?^^?Pcb|GrtKbHxTcJuU9p?ndyH zcRp#Gy<>4~lX+dVtiRoNtgjzP`_<2*?G9s=$P1WH;kWAF{@91P-&6H_I)<2GXjzxM zhkz6C)K=VZI%sY6JV;`Z*ZJsaMd3F~Tu3ciKFhDweQJ7sMqc6fpKf>60PGD+VW#^y zS=KEL^se7OU&TBZF|eZfW0+ni6)N^vHJ1Y=O7P2`}IOHKuBeoZp+j 
z#PaavU38v3)~asv?7fZ9(S$H=cipmw>AMWSK3cxzO>Di{^9ZEsU-I7uN*)~0x?O<} zOQll?u=(o#m7Ebglh=af_rNQkr)LPj7QpNb;79%`3nO&=p&k5KeMiWZuBk`CKx6H7 zfACKEvb`&iRyD_Bt>*i2gm@}25BVa$aKdDlY;)&`cDCk&J37Ch(!zzKCWJ8Mnr6i` zi`X1Irn%%sda+#JKbuA6$4oH5MN7RN_!}lFTCihlR&z*|NRTa^0I|}bf+Z=!tXM+* zUjy&)HF4Qj%?O%rXer_QLIX#z3cHKe13fWBITmJFC6iVI@UxBduvwlTj={ySI7y*` zGrwi*HRvPK(qzprwKO1Zu?y734?Dcpl#HO4{+0zV**NUDspM_ra{Mee$yj#6?L(er zf``_{?q?2xTc}IG*H}u}Ca6Ti3!6~ZaB{Mv3MiN#GZCF)r1a;WZ{$-Svxu(C`xmOY ze21x;{@DSwh-=!OZrCY2eauG8+V{01OK?6-36f<~vd|+;%}j1r!-l>HeBCWMW=;m+ zJR!wZGK&l*Enr9gDI-uJM8Sj30xFxGxt~y;I!{VAq?UCV8Oj&{8VMj4g$a4@#Nf9s zNcJc(jTuEwO;w>aSMQJKJJ z6%i(HPa-)QZVk*X#Xi}|jA-;fYAsCPB1nZvCobky1VcuJBhUFp9!qd{>2AI!7l!RkmMcn?=&fE@Cl+MV98ncEj)0pgMSV;+eA~ zkbK=441tiJ94JHs@I)A%mOib&Bhd7e4!(xpJZI@UdJkg@5w2dh(^jP@D_?C> zqxUuRDM@!k#f}q2l1-4juitd-G1Y3%e} zuG>rdt8x2&aez-i(CLedTHc6h`^40sK5JH;nAdkwquRj}KV75|H8nb|wo=jcBB&*= zikX$$;IqK)&@U#X8AupAiamei#<=y-N+lLQpK+sBCG#Oz7`Udf-aMhrC?DdESv;$T z+q7DSEcnBajPoqZgqlyT8yF*u>bEOW`pToof=yAv&lRff>8Nl#8&nmu-R7Z}#*5@U zMb@&3WTO=`*}upp{bdSd)e<8Pxgtt9HmlY$Rhgn?sfEj6Nv+sc6bd>wZLq|>$J~C0?kNSw$&7pexh9Ae>F#PSI^o{vX7ES&6cQdq1gSZSWB-&ZjUt z8;h|~zZd+S6SAK(X7@Vvn(#jJSO6Mg@2eaU;vD!W;B1@kcDnfxfdiE9YUdfw_Q}XX z248OER`t#wtW>+KC?&Wqty7X8YNzShfRbg4K0 zLm|EG!>ZTe>4jal%7P^YV@|QtNo;JJVorJZ&;itPhMu7*1(8l_c^cO zsNpL7$2;$3X!w~NlyLuAe?>MiwRx#%G?4qxySA{cbk=>_=k)j%P0w<2^AW;3la0G~ zn*xr}&CvOQ?Qy23evoHDdVA~N0QriZOS^cBmUF2r*y}>gyUG{T^K=oizpS0FZOwKn zj`yKhu8Eq`ePVI4m`m5WD9`aWB>Tkvq_Yc`YV*`NQU0(Vdw!?$IKGzx&%$H>Sg4%i zL#E3kLdS=Irv@nUdey$6p84>Yo0lWp8rkkV%-J45Y~3#F_8!Oi`RO2ck}}U8i3PN^ zp0d@R-*7%Vrhw)WIuBz!_CVeGi0QIbQgWWFQ{4@ohsRe{OYQqN_e+sUpS0lSvCrPn zenf1Xn9I--tsluoBbob~=o3EERZ(iLpJnw>B3fqZWfQRGfwt%W6T}&JfVwqMZml(l z_M@;+E$%gtqZHu$4i~S9n}~)Vk9Iln77LPp17m+`Wi9{Sq3B*_Q>MlJg2QJg<5VpuocL2e~?t=W#?)WRfC zmj``(p*tXvvt~gO&J={Pfs5N@S`_?eF*(2FL$PqP@4{xSp$CsDG8{oEr8}KkV99Og zvMbc529Hu3rCN{KB5I%zy1y95_zPW03ZwC*FF18VMZ2PPt;ym@nPIbZq09ifupZ7i 
zVATc-2PV8(r)q$LSu~(vbg?)`(X~?)i!Pjk`8E=n@u%htbu^OpBhpwpf^FN{7V(yB=hnKZ_`(;ztHk$ef|gIA$4He+Lq|=DbLhEX zxf3#d;%iEFMkngD(xUbyHO%*!{neB07>p|(s*Z>`&Gvr$A$M#(Tq?69*S#_s4TU7} z!&gKgUso#SUzj33^gvn$!t2k>3zlR*MLMou)EiXQLtwd!;a3eD&>0&|PZ|tgT%V{E z53o^~{YX!@Ld|&83P2u)pn2#IfZBg4P-9wa>pLd9WYx;Z3^JQ06L=&l)wNSKWK3ob zt>7W&A%j@|J&yl6F37sCWxZQkg8H|Zm=HczZ>>d>Xql@peUHIAyeL zv2I*e7fVL_RcZpSakFY8A2Zy$qm_olEjctK&X>b+sT`a|svgT`{HkwHtQnX?SzlX` zI)6!mihjQ^%s>lK4ya^0@EG@D3WprzX@{LIQ5YPZt0am^MrUp#PFd1;!c1*kuOd*kih|`Rt&;|4K%5jwfR2@R2f@EO*)@Fo^5y(N3 z+%Oo}hU>1{)G?Fd(R6zE&S|VQMI#JbLM2K&>0hb?f9zsKcia%Z2(%b@HYhb#)671L8spia#3@)Ou)52Rj_{Pm>x* zTrLZLZ`fFL3LPeFR-x(&XH^xK^=jT}2?gl-ZZ*KFrOXH^1W{qn#$r?(o8qu*1diZ> z4a-sUuSSi1>-QW=rD4#Ad zaZ8NzMKImk#6a-~@dcrCRqQj<4D4_{AsZS(=9I#WEzZQsv{^?KOF`aXI; z*1V;1bHBaoUUvN9ax6Sz^uhAQ@7QUkKg6L-VQji`mjgUerfz@-Z*sHzp5DZJS}#cD zKSznkzZYhsoN}85{WUkGu!GCh3Sq$WT>S*g%*E4$zODCYdBj^i*(Gh)Ey&0$QO7-= zBgQ-A+{bAo`KsG%hKCkJuuaQ(Ij7sQO11j%_)vpNfHlp3+45#J0XB@hm$nA)-~zax zJ_reVpYvZcV{`q6Y>!quvuC}Md_ZC8K`{lXr0i?1gXixbX6cnzJa17SV?1D=-dh}C zsHt1B=oPQ;C2?(yFKXxf+Out`?>&@pHCHX1v|dABIO3i_qyU%w%9NhhS-j}ULW|e) zt+KqA(R-xLdiQbjIHA6#)N8j& z6~)gvb}awzE#QQ(WvIj&eEkGR;IT|!`C+vNSBRfOSiR}}Z^Iur!{>8GK66G4M4Hyc zw4n1Xu;^}Nb05Y;(LB@hdtPT$IeoY_O1*0E{r7Oe50cPNU%z6s*X^2O(dP3$BPArv z;eUyrs_nWu*v+)JgUad(dH?UidoFN&bO&%SV*dbO{Ab~{*7>cx-SHvtr{F|cly(Tg z+US1{wBX$J))|1=a&1-SWR=0Wz{MIr18?HrtN_nzko+dt)R5!Pxvv*b8zxisR zbaFKKKKY`~*_UN|pA{ zNM*}0>&7*x!d>GKb!5Jz6L3hR)orASJ)Xz0^{1%UhKDL2Nn7FiYag`7X!mA;ix!0# zqrc;?i1Tg}3Ce#@QAY__V7IiasAQ1?!#61CEe>UeaiKB{K^vX&1a zS1UnLiLIAFRkV----otQ_r1jGLP)U;CCIQ{-HHshCRyH`uY>znCpD%hb_4%0l%+m8 zD%@fu=qvR|3h+Sub9l*Mmtb;3){vB#^!u#}(-?4H!i&w9ze# zWTncN1BMC;h;?ZVC}|hlOfx&{Q7?-)L=BU+NgdJp43}^pewD`+-KcP>(1dRFALEpT zGn6;C`Ys#=6HGMTp(36E)Aj?Qye-#&0zWE!__0cbI))WinGgntbGG6S1e}5s=R$>}Gs?j){CByYTy`IQfWu<2d< zLl?si<_btfq~dT5Eo4D1;;Az}G2j80<=iU9R8E1zPTeo59}LLn_NKWv#UU9wP< zbK{E0TzL(cgs4k2Vj8q2{mF!}Wo0Ic!ui?8$6%$YDB_EPU50QIkQmKrip@g$sZ+)C 
z60+$N;-Sg-+6ID`x=6>}Qi7OO(#efztTZ5EzZGV%j)fzMyrfNyqLD{6cafN)eZ_a5 zGlHnT7xafaLDE70-ko)Xot-brCn<}sId4PhRnq4gn3KZDmiY3gh(vl;y4vU0uTw#I zuF0ZE5e2x{l2of3QcYq0N^tz|Uk|G90E>N=4^pRlkD3=0EI@M=Ftz3CX8%iq!7>8H zQdO0(BWy!6rUs2j(@|&+X6ty}^poK1SRXM_h8%yS+0P(3T^pbz8P9LF-&sX{a;2&l zw^rM!zanhheN@U`FbIEzm9z2^h3RSzKt&b!6RY6+|2a=Ws0u5w8FV2tRXBIuQ)wpL z6IL^3!QdXC{8}sMg8MaORgC24{juEyq3D4yjD$KyU#ON)HI`!N(lXot9SJgaswC<_ zgmkk)Ld!_HRxvW|d9cwhGdV7MrXvce^sI3U!QQNzV@0`qALf7q3XQFx^?2@>{5H?Q;re&E! zS@9X=Sd9r+%`Oo+eY`Ab=CF5@201vBEJ2_x28BH%UlSsvJA*mDChF&cbzJ^Zt5>t@gKM{dskTA>yp7|zcjk{_ z;?=$;uI@+a-u(P0@%?g)=6*9>9!wpl3HJWp8}5o9U;S=e%p$uPkD4OYH}(fdVgNR| zN82Bbz6(89Hg|^K-Vc-vpf%lxXHz=dT0YJw{<OK$hr3Af4G13A)Z=|*Qjb*)Kf)fIsyJ0ByK0uhTqh|qrPS3aWrB`$NI(t;l ze-HM9fX8b7hp=VhPChMecc8L5_wKE2#fmL}$bZ>=&3WaCQSV=QubQ$pA(+;FlMf(n z|Jo=p+4Dwin(ACLM$qf@`2UDH$L>noXj!LYvt!%pn5$#kcE?u7wr$(C-LY-k<~n)z zK4a`JYdn8o-E+*Unspt{?yai0w3?Ldn}n10osUG&{XN$>dy4Xay0)rc-ydX?+H5`u z*KuWc9+`uiYBvbtbJa5#J@j@$W2|)jvZvJ1p7s-)a(yK+e`=Rf)!vO+Sy%gm)Q!M< zPj2zqZ}PVJ8FB36*}ySngLl-`@pfYx!Qg!up0bdl|ImVH4bSNLb=nlod0Jy@74~)7 zc4C_nrMpgbo$a(-jc9Ud->-7w#Mi> z$joVE|7)9vw6yW@MTmD_BIGmV`)`EM;Fv?NKzDlj@C&#A1ctmK1^U!|nHB@rTMYF= zfDcfTC3ju(K0-yU@KWVy=&g6WH#v-#!1<4_TS8Nul|QqfVsf?_*=k=(IVo?1wxMMR zTE8ZBxx`aD&B3^`AML>M8l1{>^4_Uygkt|Jys-E_(V;9 z5u<{8&zGiW!9p8%+6Wc*5zXSmi0aXa+t4*uImF1tus}|-S7EHnB-y9dlNFPd)KmWj z#o3Hho*h7ekdyo!K(A#WpkUd4joCrpQ6UmV7A+o~h|$+;?d*sWKg|wlJxjH;R*N-T zx78P-Q9k{mPo?Q=a|#o0b#D>{kua}=A{?h<#ae7{4!65mxr||Mi9;7v;Vm2M+?8YK zfX~Lk^eT%v#R`r+lPOVAqVg{?Y)UtYN!)in?W?ZI*>6dZdo z(k!-WA%m181CwL{|GcV?RrE5$iloG0Q=m_l{X!J>K8sTbM}_tno-U4Rq3e_i%T{`;j1%Z6{nIlGE^`$StAK2|pD7=vvINZfz|kR> zcb(bn?>QR@?A-=@vB-@~0$!#&AAqAp$|Z}lT(Jy4;FVF$MBw5@SNnd0r*Z!ph8y&k zX{iwTCy|)w$vGP&J4Z|7H)f!mgX@Eqn7>-D}`3 zLY}cukO#%iFZY31?-ACC3Z|fROI98u!P*@XfOm5Ny>qTI?kw6RFIbPL5V)8~=uFZT zCKVPQd&%9Hl9Fn6cCg#N$&8zoE0U&KSS#`?=cywfiK@F8GfKKAg}{5*$H8#yh2{(F z`|GGOs_htnNAJ|nEw~n^8kOmFNy3 zhae>uqRN7H4klVq>{bT-u{?YB>Q0K6)F4cn5oX9&6kMoT$wK8V1;fzaZWb;(?ofkKW+#(c9U$+t>5?J!nx2#r^YtTQPhWWOIE- 
zc8_0?AO(Md_mTN|1-#|#yK=qWB6$Z~c}|?|{`y=;{G4^@!9?1y`c_6KUD`^J`Jejn z)q3haNilibX9RuNVsdO>MfAK5gH$>RKhJ(xhGeC9y*8Sa0SLSLyGtk#y)XKXbJB7) zFY2ml1x)VMT68`{>aT6QhVS05>|f`6CbOn;>NlF@fYv!OH9XcCBa^0pjmwjC%g&x_ zbjHokgSnBa`iqe3t;Q3!W#fSH0zQY3uDb>ixpiY=`p+#ADc$BR1|GuageE#x#|epZ zz1C~JM(e4yJmm9p#)rFK1@p;XJ!_wKY;|@0Nw%|St`ZN)z1wbORa3NHt?%}knckQAIRMPIc`->26wew8n=Tdf8*Nw~z zk~-sbvu;w6l&{fs*M9V#&~$av^Xdpe!7tZMbv`McogyvSm&L+T~pZ0*a0x3+-LV~E^aV97Rxb9K<21V<8*BUM-uMaswm~&g7l{HuGro)2Q zQJE?eB<#+`aqXV?k72nQ;s#S)r-!cTFT3faYR~H@BY&t2v5EG-Wth|79e~!rwKCHW zuCWi}X(4YuAo+23)AUmizRk8*-QzN^QI(e}#C%B=Ysx!N2?!)S0t}{{^i19WZHKxM zfqoWcM9=7>qt^_;KC-4r^wwWA4kWD4AIDPfKu^L~ByP&uB*X7Mi{#@ZAl7}qPinO) zRa(I<*?O5wx@S8m@*`-n_2DZ!A#J@xkt649<$`2>4Ut4@;RcN?rZ(2q->40zBSmxh zidgZ5-$9AoQ|z}`Hx!%pj68c0eBxxQ4A_EpNmPRFF=eq<1a!|*nvkSv0%naxm7B7K zS^h*Y+4EyjGYa$RAVIneDo1HB7Zmrx2C?u3{A*_~UhBaF_5mdBFs-DH$eJP{<(FDU z^jS1W4&5v9X!1~FQ6M#y#R^zT#Cami=jdhrBKyVy(4h>V9{LsPDhfQH0xt5uDq$?8 zSy>6v^m{b0+2PzX2vv5_hUg$Wu~VYMiC znQ>#&qG8`kWii7%iJacBr4D{5PBk{2K{xzH@{@qFMNClHTkv@6 ztu>H;H1IDpC?en3)cc&pcZnf_zqb_Rp?B6q5Gg`;ug6 z9u0zYP`X*{cwJV^_E;rD`h5sGH&fVU2Dwj^VW7c{x@6@q-cq;1XAINGkZ78ZLtWhQ zYo9d3Ez4JcC-7yO7oP*T1Gt|9iXq<;A@US#ae^ZYmyQ&)VsIG;Ulb^fSl(osqUR~D zF%8IKn;$uV>V(F3Z(M?7QyVmng$BmAfjosp?txg$kM2()oA|5Cs?+;n!}DqPidn@H z+zW0Lx)*O6Nz0}c@{l)Y3*?4gtw1JYub~$qANo%D%C#pE@KbbLP_0i;I<|?9j>Xn< z)zhOsBdEv<=UX;)f-ct-qeR>kR7+W`&VgK);312fis7Ng3$z&^Qi#_jECwiaRHyQx znv>se8d5Xw==7-8&p{%MU~nwGi~Ow27l)&LV~YQw--zk>`eVRh^G~}N;yCjj+@xsy zQ8*tQbzg2WbqspbVWdAlzIs5sJnTEh-d!J-q@W6D>02Bf2HLH#wAZlDn_=;%%6Dna z^h=Bd%bxaq&Z*!VFYvX40Pn_4pw(?Qfc8}x#g4dtY6o`xJX#3c&uN84i0ASNx0X;} zntc~L;P(P|_+Io~_vt$cjJZ)fn@3k+oU#*w_>g_EAX0~ZzS@*>M`o=2qeKP4>1)1v zjZsr6UG&`Fx}8w=hzF&l`c;VgOyZPX-4*>1G$JS{1L%}da3$2L(kvz-oqHTQ1GT@5 zN(FD`%*+oj%{q4H_=D%`Oq;F^I^mOY(4`F3j{HcrE3WmqFaQK z8)QW!rSw=QrTE26`LqJclQT!+P=@&^Y3=C^AY4O1fgBQ8XxTsG7yoDq%vJqXXfljF zH~hq+;Yp-7MeStG;sOxt!f*Q0DAvcDpqgOfgGi!|8qX7m223_r;6`p``-!mBnn7Yr z_U2=&vw}r@$zca79k|8=Cmw)bsuytI=I6}%IN*)&7=XoD;tQG05Z<;6IB<;v?#!!= 
zAjb~&@B_J?Ut-<}k5Y6lmm6GG$$W0Dt|wBGc@69Iy4ps*l~KD-jn79!okO-qvX|+a z9%t|2*I6#M!&xPl@>yG;u#nnjVApQh@o~+iTc0PURz&5-hlE=Spt62q>e#lB*wn@o z0`=`#`(Z)uW7uW^diaj({Ea0dGmE`@7VkAW>|xo zo}h=3+-W2Pf!oOjUrh(C`qv%3ZudKf+-2k8ENxEh1;$g^ahLtv^wsBjc1U*x(9?GR z#+qiPPHw|~z?Oa0JSae~Ud{92)iOopI?4OvMRhZZ|7Cwaf{%aexFDcexmCy3HQCMn za-3kZ2lC21w};HM%Hd|ZrsL)+%caAmggy{+8mxKi2?}Ym>yQA@`H^u$co%rDvBvmD zd9XCDr%K_oV!Fhc*S3}(Vg2xw*0HhuX67ely z!*#=)FHy8?aw#x*^#tk|zxxWNqVkx)bIiJB)9aQE%D+Xg?wIFXRZfC_j?<f~^*g1B|=^hHrz zcBcIG5r^N@N)Dfen`cFu61MOj&JL-i=sc+rBL0;afquoU6v4!-+D%-T^CHfv{l645UciH&J0{%Rz0?MJ<&JMZbkAk|Wj<#6TnJWmxdN-Sybw)%*I`zSX_ueBdze|rP3$Q zw=_}=xLAQbB+KKTAmbdS4l*jH*_H3uO#vynutcLgK_oGriD|hE&O$G#(64b z(MDVdS+4n;2fVuR^LJf*mZaiLh&Jis9H7@Ch zApYW#G~)`!fFkgdWcR(nbndNu?c3l*c23Y4I{y+X>f|y`d13f`Nl6dRNXcXX-Ji%p z^FLYaYt#G6I#@8m6Wl_1Oc#>URoOYx>Prw4oryKg4fu+XfPH{7vks8vYv6kl8%GZx zrvr`m7?*&a#ZXY5y2w}KoN|22b8l2)*N-3Lk{jpZmi_1@LZ?gJd0c5M zxeonBGo-J>sU@*qx{BRz(nST|uc<4(AYmfxTRt%MSQ2LFy6j@DmaZ9Ac6>=QZUct~>27WN%MQfwf23{q}uv9(WD&?j3v?Zs{L7gfFpN zMY?CZws3&vHh|1Yx#rpf0n^>WRoZ*p=ZEHR6um~MEm)vbz~bwm zl5ebMKkA3Z(0`ikzZBA7pmB1{8w3n%lG5k1L@jY-E}hE0DkLu zR#M|9wtaW--4?$!MpwJ|l(ChCM996Dt%MBIqouE z-C?%7wb-YV<8iX7#geqF%lWd9QKM-IP}HX4J$%OWV6^fY$F+DZ{Q{i|F$Ji27TydF z@5129X3`>>*_Lm#h;b*ak+rZje>F*EcfL_rb~a2zjC6m~jrEIOc8M!0-QSoqpfNW( zRv9h!pNlxI)j#W$kcg(-ogUZLkH5_OM$wy+wmhIZjxOOWmhrkR93~&~IZTtoeOh+U zo<^m*T!*{6l4^2uyh=N6wXcA3pFmf6p!NTX&;h_3?5H&39-j}f@GSL%wK}Yl-fyW( zZw+|-{?CU=Vv=Ou6j`F2x#nXeE#(Wqx+WDsBh@b=d-bdd4qdBifisUoUzs?{6!7KS z>mlCF{{XLRzT5OMvp-0erl8S^lqcbp$(HB2DP)9xk7Hvw!|=m6143-37gxYJ{jP&a z2T{tH__7%byUH|A;3Dcf!X^82Zn9aSx*2*^4R&%yq$-`YT9xOw3l+IQ;TApOkR&ov zC6jc5IPSL{ZILPM{@4wdqMR%jE?PA=TJT47=9Dh87I`@m?JpYmPt*cogyx+!)}_m# zFm~nLS40G2ybOC{>eAL$HFJH*495c0{1nPxni8fR-}QPAentYn=Mpvhf1flc=kp^* zUexNA_qm{shsn!?zNxfKahuevOIo@`PbakswumBxM+&r{8Ugyfd>0kozbEiQ)KVaB zp=Nc$7zKR3P6$b&Nn>eTh1&On(jl@wK`PBFO1@I|TPQyxd~8U9j#?Cy#8*=j=MQ&l ztp9{2<@K_3>YTI_q3r;6e z4CSEU!bcvMFxbP?;fzrF-O=iK!I!xB#JUeMzTyywIxRwyN%({+O3C`U0*l|=CsgTR 
z>8jCLf&Ha$iz3Se3kiRjaO9(PdgE8cV+JLwg~|jObY#F2rgDd&IJq7Ttr+0Q<`IV_ z|87dKnN<#^duE$}LBsvZ&!p|+%CYmvlBVk*8&S#EEk(&=8pY)dJHn;P0EPLDUYiMK zZq7=NB$_;CsVEVA#J^f*-8=c{EljC*<+;s8{!a78qkvB6im_8`L1ppbw4Jlu9upok^fmZ!uyi%*?AqN0E{md@SCW1@*n? zSKyO^7siuK?p?}_n=YZ6MHmmNlxK!Qo6qILh{EGUx$Yp&oSd{ML##G)@=Lf03)*`XMAKszS`G;r9cfJ(T-P#4palAT z0%?iwoSDysRHriv#97Rj#HkUE0TkKAw1{WT@ri@nR-@+o@|0$BBf_eZ)Jv{Ar*y_4 z-K@ffe&-QDn@^66tLa^U#GTKw&wWUx)*qHt=0qXq>O#>j#4Y&N8KTKwo4M$en2!;H z6M0;6bgf`;RP5tzi88Uuy>TC8@Oi&fh{Dy!uLS(%Ys~ShCwym|q<@?}>9E#Y3Xsa8 z6eb+53Kr`BX0cuHz>0jNjH(8A4(lAW^jBRvEHy_CR9CqNrBN?pO4R3B7fu7u#Aj=G zR2-LW8ikhvRnE74hYpL7?%73moRqCBl*ahgYb;4x2VO`%jzWbXsZXp#IpV21n^2qI zVG)KBft>IRl8yb|WTtN0mV`GJYSOc0d2nbmi$wnmAz7#gmGgDxs?oEjGP!Y-HI`kh z$v9`?%v0T8#kVhGrBGO9tThLQ3a>^mS*{|y*tfl?#H)L2YIQC0YaRYP&47=k(lq#S zqBi?mTmHH{vjwIDcd(w^z5@DLUVChZdb2Qj!8Y9d0{Hg<8P(3KcO|HLI{-1CiWhKE zDr8a=P=7n{H4sg(kJ*wJ;~~aF08r@@K{SuC>}&N(tH&eWAKJ71q7LDU{D8{<$Z_rY zeLdu=ei~AP-vE^J@w$4)wX)xV`O2|P^;!sc=dB%>4@}eI5eKwgCXGgHlDlLkt(xzm zWrHY+ZTjqsc<4QTSpc}77b)dPvK3t3A1_A1Dk>Xp!a5XM2pkU>kJdj|k*@y&bGvM} zUw(ZJWn{1IElLr7tS*X0H}~vkhsb&}H0-T)eDf`C^E(WCTK5Y?u3pbQ+=$yUJ>XS! 
zZf-IrdwAUs(NmmKIzOAb*gX{G?#Ag_2cP`L7(2#m7<4iYrJ<5u_A4haLGp_XZl>Rl)wLTmZO{Xwr4L)`N>ehlotnNo* z{*?UTd1!kdn;HV>n3Sc`+qk?$hcK$Oo9*H<^1psiJ`i>*MPuY`@jlhE5OT!4n9Xb5 zND;If+$OXX@`Pl)Cyb!sZq#o&S6npS9d&#>sl2=GeD9Vnz%ntDr)~8O?`xHmzs1{B zI+k}Fgl?}(mY7l;^s{d6Nm}gN>g6^*Q)OX1!x7Uy2hqopMFGi!;=m;@LXTS)Q``Mk zu`idkV#WrZp4T@P#>8u`uh@YlZ|{=z?e-U4k)De*xR#X%iu15{xY13=m8=xTmo1dC zDn0%odIIa7uMr)e?kPiD{?@Zcu`2K9^3|4Q@BE&VA^`u%4VE^D<}7H&$D4Cm(kOL zgO7+lIzjp2m=haGqBo`xrO=k=vMCxvd51k$0iqpeSU;obC7!46W&@V}eDJTXKyC#Hd)L=kd_PeQ8Nj~!mQnE+CE>iqhzllTaCgSI> ztj;nH)&)rpsx0Qd%Dj*_R#ALd`+PpTgt$hZR)7kHoo8&_?qX*O61@6*S6S@@UV(1^S_= z=j5F@5r-8{DT4*KCYybiK%a!3=^#_NTxsJrGZH6X4(H802UA6Lc<^9+(2HnDOQW&i z_m_k%z8aBSrZaVUT;&7T>kn@dQ24#-P422G!))P=#cj~%)TU#5k$0~XpRL!_bds0I zgOQ^s;WP{__tSx&Kab6#_%XBZWxfks| z7|uro0O58_>GQ+p&ERNSKEtrp>IFB)1_~@@kgM`nB^m;&xyXVzOlYPa4DC?G)bm)J zH#wzqACYTelXXb<4Qu8HgFH)T=!X3%NS^21+t&@E6mZKig9A&R73fjc<~Vak5LSM! z@!`tFx!{zl|5{O^2rgNSkaoipj$JP4u;ZGQRZIV-W|RxC=4xW=Rgh77mZyZV(fB2z z8cv1ssAhx9*HN0kI%zh~5J&3A^~VXan95s)IfSEUELup+Uk;sK1e(3=lxgN+vWLTz?s}MoRJDZbc;reLmCY!liI#d; z3s~JfqRi9(;1qnYYbY$_Mn1 z;~WrVP!gayNMJmc@Geo9FDDl!$O+9?;Ng|-QRt8?Prdh#&j}62GN~w_=eFH8uBmej zr$<_aBNAWt&{xKQ>8Ei`P$xpvG3NWcAsnxlkI~cqOF3;#=L?uAI2HC~`_+})C9ma@ zidbAkclREeT<2FG;~^nK{k~-gSqea1z0Jw-sBjx5qq24Ey@R0TQeecUR-Nm0GP$?YNA~F$P6sbrj|*XK{^t$_pliR@u}Uf=VLz8p+57pS z{2P`gQdP99XV%2y0q4`XfIadT;A7vgK2N#XI6Hfe8^Qm!SB;d}Hu>nW^>~D~e$9EF zYpZzJ@S-_(zfAZ(Ec;I9XjDt&`0arHGfA#ud%uvPjtjG=hjkt##Ue7BCZ{q zHD92KJ+Zue{?3c6q^;XLu1s}cRnT{BpIuP51#NE_J&R4RIFR)GCFbJZSti75TSgz_ zr~Spa8I{w0ptT|e$ZdHyi=YB(18)GmHGqyae7FzKSCxM()2&`#Ev}tsOOJdmH8ERl ziNL==G&wJ?yxCEY%Ri>JQ;1iZH~rT97Anh}Jl?i&^#yn?8xG@}_FtlF<%Z7(&$jPo zBSi%WEzvnVmX?pxKK$?f4q;9+nY845jGh_gj@FFPq^1Wxes6uHpryMCz3Ss%Kymd zdUrWod%^+zz(}1q-2=AMnls>l7p0L}m}P*XHWay*u*iDaz;CBGd;W;!#F_&DNx%{( zTafhrtbF+CY0#j2U?*3P5b(A`Sy|k}KnskNz1T5lOGT%s105Y%$}shSi_@ug&)UX4*r0?{ZYI1fg6YdB6Wf)zka|X8cN@>&j_u-WY z1bmR(xa%FB7R^~2>&vJJy69p#s&T7MZILukfu6*dvjm&#xHn%$2qHR~d?~EBW$x{P 
zU4$9IWyH}P{$w$HzEqZxHA*XD4Co2DN|*52?^*H%&>=eI@-bcSr!4ft5u~sDz94s( zbyi9!mrjz%C16WGgqJS(RmOp`{jk`~Nnw(2lL8B!2$BWQLjw=RITgV#9@)x|AM&^2 zSUO--fQS|X#Og)T+5a(!eabC;$LS0djU*sChR}UhEOT| ziCxn7;bF6-FSqIEPxIl3VmQg7LpgxwmxNWip>lf0fIokZg#LgW3(P!yF{oz@vV)1& zoJmronWTd}<>Vk1o|wN?F`6!E9B7>;qr$~mW=Q&?LY!j<=YTVBHDmxEHJFo<=0G_V zSn)iji9I}0yAfxG6d9dv_>l7UA%(l4R*ioh* zY?8xOy@_0OcrlKiBbMZAC^}fZGMrj0b+T%)npO5SOTRO0SZ$)qSViR~q6IL0RcVSF z(^sX;`7C2idMo3fO5>z84D?jQsFA=viFvUh=xbxrs)})19>|RMpfLy7IiBo@l6U@e zY=}dVcO9&dE>bumXZn3A|AS`jAH&;E$U+2*m*+=WMCMSC6MjUY9PsRuh~S1XlhI@* z)rnOa^%Hv`p&&W5ReZk>ds+u{s6mxeSh6$$a*BVHTs?jh1%KXPge4r$J1gIhEk;bge(L1A7NS2Wy$`za!Zm*g6 zLsQ_GkyfFc7{2zOb53ILd@Bnbg+=I={F`^_0zBitlyyn=d@oL%+mSJL{A89S_z`F% zE1S5+ojpEF;d%w+Mf43&#oTCWN=Qo<8K7B{9hmYq*-K$Xh)}l30HGv@r^|U0g5UfU%(J@q_?pk_sJRH~ z#$+eEj)gbg9Sb5cBG$Eg@A@2Y|8#R+ zVDokYWBULMv2YgV^aUb;1qSjCH*LxIfD)D~*cYXx*u}FfSQ-TTI{p_)A}fkbnoL(2 zM|&PyvJ#gd!y)x7(S~9;A(^APm^sHeX&AHt$@vT{<2N(T3G_Evg-e5R%cdb?Wk6D_ zzFpT0J5v=Qc$wc$9_o2Zq(Bo(!6SQs)1TNW__;IzZWi(5o|Plx=^m{&+d;|?sGMEE zcT`;g7^QJz_5r8?LgpdM_A<%t02P7O?fyLxZ?>GEc|?dxGt0|99WUqr?c>WWJy}t> zY46sh;-1f!SE0RipN1z(+UvJyk9{010>`0XITZrxZ*AmmCud2+?UC^MMb`XUW*1k_ zjnC&My9XTdxclzcuc4s%}2!Xp2QYSZp-tQ&Em~# z8G)bUX{6&*qgUxRidI99a&_NcyIf~`ZR=f0;JlO6)1%a;|LR4cZoj#W|I|W1z4}mx z>GL$cx=9+Kf)vA{{#n#Dy*|%n7W0^>cAa3ubum=3y=od%Fi3loKuMW(J4P;caH40$ z(dqm|SoF;wxjd8UaN8RhX)ztL^O_vt$OGD~;Vfh@YB%aVhBe9hobT-GshjUdVQ^mj zlUmYr>}$C;SA^1Su+RGI{BRHz1N<{?D;WH=+AVbC<}2}ab1 zFH*zh6oJrQ_nQblI^xP7YTG_qEmy1<($D$cOCO;aVyl?h^r83Q!LR*TWO6d>Ji$ZB zxW#umcXFmx?RA}eMQvX4l)|@Q>cVYNuvIf{spI)zZGHFqTfF%R7Gsj6l= z0kCeII}o6{Bj9fT=BJ*X3R5_0u!BXY%k)wgth3D{|Aw%*!aeIr@?f3|=`1hEt5T*b zJP)#Bt;PB$hp2QYC{Mj`scVAeFbShYJf9uXrb-Dp#Jd#{=#RiTq>v}fmf$acS}$oe zYpALC%fNXL*?7_UefReR_Ka1*Cs8<7=p*;(!i-~HbXp{-8a4>KR((9WWq!GV*Dq}U zDqUqEttP>GWff8TW@56%a-x9Idh4X0?S<4DH53#TB31KoiluR&f%$BL1-T2@%VXGr z!jveG6k)=~Z*4Fkv-IWJszs5uWs{!N5=AW8OX7L2OuiJCVL0N}xs$0lQ);h2#WQ5| zsF>~B{c7noXla8~X-sn|)J}+Hr{V(y$LLf@h;x!AWZN0xQ6{2!e)H$U%=LC{FtNzO 
z)epD{M;3RFjtnUEQ?mX3FE01mZsx5LcIczVaEtcIaq(UPWdAR?jy3aNaGe58dpIFv zwGJk-PLb`B-KtY}9EF{fji`jM{hLvx=saMNpPhxv;+3g3<0-*lZpN2BSbVNduzjtJ z!-}NbhK0nY)Rcf1+QD?xD$a@*7q$j6FajH2JdW+~uP_c}{a>9`1dSyYsfcEm20KMK zu|Y4-K@3{uwt88eAk@XRfGjQ|?X{13ia{MX9JLv^-)2u^E-T^pQ!$;{34 zM&$a5QiI+iG?<~fLFgffg8};j>W*4doY@B?G(RgZ#rRT5y`v(hSavKuriXEVMwFnO1^ z<}8qYk(({lSP76z+mGA-6Pf$;p~*SzDPt#{YWiBoQ-4sYgih5`e=w;Or-w)P9X0j% zD!o*x;D>Df5FWGO0;M;Ty$F@2W&Rx|FjxK)$~)~+tqx_W$T1;~1o=iUowWw@?5h5EC`>9V+7TGGv08IhAQodpY(uu^H^-&H2| zK|dwQqE-q7plhH6c_1{ueR@nguiq#`6spB_(Wbt-QWX0@7dRf3Y^esMGkn*gz^nv!=F0@QGrR8 z_{VJ~q8-ew&dS&BW7oC*Pg3sB|JMb8E%51Y@!yWUz<J# zWd2bw@b@=v6#0gy*GC^K4;il*`R@Ea2dw5}F$|Ma?JlC)ZKtg*>Y3-|Vcp^2FSgrX z{d^{%;y7FMs%u)q_Ll8y%I(c5=JEOuua6@>pSoKy0JCcM-HV>B>&k0SmtuQrE4Suj zWmA#S^7dIdMDzB|-Fo!cKuK5I7ykr8i}oW?o{e;u!@!l=1~4Fm!>6KoYk+d2ZV}ys zTGJp1{rZEiZk`Kj#A;lwJXN6YtP1cABCe+vHPEVvX|9-P&AI7+c}G^Uy9J|lU{BBEfbOEJS|@=`ItL{8H<=Bpb{>D;Pwc2%wOV{kg#`+DzQcKfMY zt(y1va{^-2w%;doGy8kp6;oR^nuOpkgGli;zr22Zjqt=+ z11wuN`=bUWQ@Y)EO*j;wIz9G^w18JNV{vdpItvVVR1}ubVO`!tPb1?KVkAmkzgU%~^psx^;?hIkIvuS5t z^A0WH&m^I(PyMX(Y@XY(caHWQmEDV;td-YEp$LW>*k3@6hGbrwxM%O`t=3bLVO3l9 ztfu8{)0%#zXZqKHyQr4#-+Q!K&+}tvrrS#zj}u0iH4G2%?N@gZ+aVf`Z9u>y5NPo2 zYkm7yE7G6S|8qO0tQ9nIGLDL}ZT+Q`njjS!k!O~2To0Va`?@#z^f5eoAMvT5*OD`s zKlVjma61Ax5|+pgEQFUsf1hF}TRW^w%1dB@%$gniBnv7rc*Zp)9HH;!s8$Bea7ms(h?*lorX=Em7ISv z_W2Kx+_Qf92L^eoTjLh4%vH=+8`Mc+{!nzBA@mCyM~9$3D{xjEZz)V)!+fkHgT@b5 z$~csURuWCT#AHJbqRJ;VK_891>#Dtg^o>$^uxDl-ZDiSfjl@d)+hLV5k|auQ?dD)C zs3BYZtU;_-N)>i)J_9csms%#EI5J`S9}rp6yRuf3V!xq19oA|&hPo5gJ&V&~!g^bt z!Ghf)4gq0Jk!|V^6h5+OWnESXd=W?h$euB*5`G@|l**dpG|fLzQ0)hbHO@=uqOvW# zKN>lVEK?f=|L%i$_o1YFI0fo;u&A9p*obmd`%3O}KBSuy|3L%C+l>T6Q+ppJ> z;@MvqP3CdSL^0j!cdbEC+GbxzU!k_4*f~yfbxdQ^;7Y*NLB{V424rdlm=uf8|w?2)v zpeZ=7g;r?x!OvD3T2yn7WDR(k_KD>IeScPXk25f(IzHSZsuHL+5#)ViBUBL`d~=B* z{bb7-avFI|f1!pAQHdVgJL>uCBoFG9Ah&rd))3!)m}V?817_ngP8L-j8FBi91G#;` zhn}VHFJPi!1%3R))G~-y+^4BRa)!^#bp8V{E-ydRmqO4)2t@GjG)jetXYRW^Gp$nv 
z3xhLP=%YqifCF|Sq1>Ib^DiM*E%udC3fW)--qPgn4Xu;_LAgtjfF4?Xb}@ZFSY=>n z>o+#Ejn}U#_@9QwMQvnd4pX^*(8IBg9vxPrg-Jgm(~4>V3n1K?L4QIb0_rs`2GYXS zQOuhW4$tyP^wIKk?$6k$68b=SV(FPeQcOuoO?H&a-_maC9&CFpnbOISUMlq$eklh75a=U z+;rJ~e)c>M8+@uP3!O>~7t$zcJx3uI*VK$zLYzh)3NK9ApBICwt68?pj3_OIEsR2M zA4O6@u}FaeSWs<}zji`QC85>@)?^9N6^pep0T5XWM2!lTY80;w(C6~S+vn!t8`s=* z2T_*I^HZm~#-N+^6mB!VSm7sy+Bie3LkMx+vLYeU6wv~S6QVl*RBofw@!|iVb;iuw zX^%ba6KvBBav@;-7R)m&mzmjj=z`TrJWD(o4shreR#$M=Oha}~nVfNsium;gLiQ)Y zPuc1XpEd|#Ah-SZ*@LFQ_Zs9Sbz5$};L2BFKHFEgORw@CXK!w(9-TkS0v%N zjJL`%sxWpx!7|PJe?LH1aB0DRJ{vyJcS2v^OzCM;v>AS>Zph1qK``J=&h^*B9WDUs zONaBh{JV19B6jWkd-Uh!Go#YY=<&JY zI|F_N=Y2EdZ)D@~8U)u}&;GP=)S=^Yf*$f|7fj1bt`tBlgQ9D zF3{q$zg8h@#oKkeDu&nb+`X-H#M9CZda1a+e*%zu;v`+rN&=K_2v zUKav@^(d21yq_!Ma8fm&O(u+9CB8Op(>gtC^qYpt9xt;z$!j~udTE(%r?4FO&s(z3 zdUSe<9_Pssz#{;U;5v{4xO!&$)j-{N%a0o@i)_Q!$XjxX6kuog7;I46bQ$OfMve!r z#o={b;8a>aR_*HZEa!8VYMSi@Ts&UFh^9hk_?-KpMo0yO@b)(O$QIIL%l<(0NoyZp zj?~(2y;D=eYXE7ME1qsWeq6qqlu?_cr^kCf2I#PSZXPuaJ$oDpocpC@uabI8a(awk z6Sh4$%58He7ujaLp1o2MHi8Z)yKeb}sJUubcy31o^<3DUU#Rh9OKQJoTwZZ`2FUm< zZaKQFi|#34ZmD~ITx!+0+1>`BYWZNqrV^d3dTSh4+QDbKSz2mTf@9MeW zyNj6))l}Tu z&bf7CKk7=j8iDk-TkKaB8pz`%A)ePGj-`&zb_?74Q58=H(CZ6G4+NTiLIvL-y(6*b z009v%WMA`3oI$VsuhUjn$Nj|{t(oZ&JAhAM&kGXC^I=-1)?b~hj?ynuhH&6Zp0={s zqH*XM0r?U=)^9PloW8e!KWd`5h%0j>#fE;c49L-^vLc;1m@j?CvBr^&7cTyu#nrJz z8Z4DjgJrVkWK6+lZmp%o2pt!~&S(*&oTobl*g8nq49x*=t(tL`O=i967&J0eYr)Qw z{|c&=1y+11L8NyVQI^I@>8m)NxRtpo6CH(QMZZ^HdC<+~dUU`eGaz1pDnN;90XFYf z^sWWTZ0Rg$DhZmSY{X&d=}IyrC&#V1&(-Nud|B|2Fj>>L0`ve?yZ&1!Yr5Zv(+VCk zSM^`SRAly#{Z_m)>6CKUR~n(&f~UVYp+-Vyx6DJyp|A=T^AcfFn%G^wG%tw_0WK{w z{kw`>MBv*$z>T>-oxTQs;?|$Ccfqp^e4AYkaek<6^WivWZWS`B3+!b-%k?!EMIi}W zX4~@mTj)3j)^s9FNOQp*2%--m|4K#o%Vvnt?6DRcR*e0$QQ?8W%QTj9VhP9VFie?z zgRgn3nYN+qN2et)0EkzRv%gH}fMr zXm+sa;A%N|8S8+iGV9Km;JR7m_8-Xy#+23ZFyKY@z$~;QqwOP3mg&# z2uE8@>3vxeqUE&A^tY`y#tIK!ri6zW3=Sz;)DXn}!X#-WU@p*XZoLYe2vvqJ5!wSB zZ+;;yJ|)w!7-yzPwj3T#@vpfLhgb@^&G#E8EE;U8oS%QQ=j<(^{r7m)#9mtU!UpTO 
zs{|GEGK<`UWM?_a)BD2rm8Mx!Er%zMdNn07;|^fYsf`l{N<0W4N+tNF+a1=$9GX!N ziZ$6Q#lM&Hb>qk|XQHy+vvl#M;i_t)l&hG9uUTO9w-#?H^b7QZzgF|wlbOobs%TQT zZr8H>5sbbWxd)29sA! zrnI5*sGRrMnj|Ks`@8XKxOIm>{OjydI8_O+mgkzJs+_ie7g)#v)})DA>@30Dx8=REuhf~pu%rft*#-$cL&$b<` z8qg<014?3d)3pIc0gLy!Al3Z{3BB(V%nCz94@yeU?dLJ_4Q<;98AIh~LzteoNl4i8 z*5k%(dJC`9+)Xo9chq*<*i|gibBR~NT8p3in%h^JV0XSFThi^~i!SZC0=Hv#N<#~r zXP;RJ(_46dex32y*jC#(qdeqrF|Aor-BRGjm6Tm;Yl=kbf4u!C`1 zvnZ;$d4Tl%XIOLi%Pw@2bfNI*>?U* z>ZxS%`n0;J>9uiX0u5^cdR*T1hiyJsXmme5rG00j|AIVA>I{z5P2C&rFi6!+j)oul z5;ERGHmrR>^$3Swp}=YH9o=iJkEECV8gmYY2_1nO1lWs%6b44$x^=0^jFnCPm)lrm z-}CY3n9pfunkxq&89*KMX@a70l^j_~Ve3n`WsPx}c<{7#Y$m1sz6^oV18R3Vv4Lqp ziA(8g-r4o9y5@`7h6;<}WYvA&2qSEAH%)rhRpK)Rov3ym-rR%iUO@nD5QLBL=ZyE~ zi5Ys%pkF9iHjVG?M~SjczY~wJ`JUf2@CBIQn+W=+#|w(XDAF8|RDq6r-_L)G?WCL< zTgsn98B?f&JZ>c1$eHc^xfFz`q%tbe)c3n`n>wuDx^(ZUKSLv3lzeHD{p>_JkCiYf zGho#w^0k%TW5_$3AW0tW=WksB0@7OydA4EWnuGY-@Ox3~*h$p{67ddzl`&=qvoc=R zHwlz>dJI_}EF)G5%KRm81vz{#Zp@OV@o8 z?pW~@CajbVMnrK*#D=aJVA&4`f*nMKg;NLarl}2_^%$-e5V(%PlF-V2*B3%-75xGe zlO0*5EBZ7|z7(dBtDF8;yT3PY$a1Fr;5C!1oTXt6$!4b6BfbyPn)as^A|KzVJ)5_UP)^= za9+uJB5zhG7YI_EJ-Z+=;5GH0hA5(#Ct((jpu-F2LiMDVwfrO)im1*~8SIWi6lfQ8 zC1w4Y-z=uu!M29lps`|gvJNq4hY$h_%gQ(DTx?^5BNVDh5FvVggkdSF;6QS~WXNLX z;*>~Yd^P=@1J_&7-beiL1v&)xeV zIjZF=MLs8>{9WWFAhLe*W591-4{fDDRD(;d}LtfEVqbQY7 zv$!#V*j3oM{U3xvt<>gO_DjP|Ml850h9md^PeM2UY7wf;l=@>v46)HhGFHhY*8R?i zzcCX_l0qXTbTSSsKXdZx9GKD1kJvHHczhJ&oUT;yaL}V;P~51B20bvDo?gKf=o&G2 zsE^u%B!;Dt#>yqCW{Ho6{r-`*`vg^;tM`DkYmm5zdf|40q29aq5oI;;%Am2uLkv<-s zrUJdG8%vf`7ZyW851iMt52W$wBN15ajz^OWwJqki&=YHQCvFj$7%EKv(s0~^0VW`w zPy*PXH3pfrNsWh*qHK0?*qJ83k(Ly#26o({+SKFkh}^YriAMyB2ir<-kN}{#jpfQ8 zC6}ZN{+uV2sw-mZ%|-ExKK|C(Z*yGw$7nq7Ule6fAMF}}4~>fH;KcKE9YqP_&yy*Q zQ!~9(kGYy9L+(jmbxOOS5(WNa*=ntsBBZUCE!4vJ;eeT?*uI=S-dybFhp|lNH=&A} zW0DG{-XHE1_Koc$lml^nJS4SL$stZMh~R;| z6af+|-xa&33*s{kLu~P|jtMDPV#V&=S^qPLB0nELP~NrQP`Lbn&l-bapC>UNcHKa( zFOW;Y&%j)R52F{9r=1U&SNs?{W|=~mP3nM zZqII!)poo6M#Hq{QI`zi)=jbYi~Hx(2#U9@yPnUjF0htmgyY(6BzE~EhTpO+s9r7e 
zxmWi@ODq%g(5&aWiAkQd(_>ogezPLm`d;BR#Bpu$QQg#69;V}TuE3$Te*QSn)cp{K z_f(1B4UIG3vD_@fu5J}c(lG{|bRxHQ{5c_ZapU1*G*+~nAh+gvqf^tlyH6LF5c3J- z0bcj`yu~0z9O>;Gw{qBd9Couop6w$oEM)tXGI`X+Pnk7 zz4T)N+FqYDvAnHsXL33A582N(-@kECZ|Jn&*0jUq)Gu=Q9@)B{VPc#FR(dX29W>Oe zi}4*CVSc}x_bUKdlL0yx1J6_^(RO&@S}#^g6iYU@H{69BFx-^TeIjb$B+dMz8qw(65 z@(TDkcSF(j8Zuc)%@E+pX?#m5O<7=*@nE?KCbF?NnpVFEhRK+ClHJ+!M~Ey@6J`9% z-*szOz5VcnxubD2ioM+BHj?D)wIxHtFntY#Y@OQJZ7A}>TJ_5T`AvX8dv8P^13;FY zuWH^1xqSc=g2y=aw4Y*;X7;;3fWc^E-fCM?yQU2-?jhJ+?o_f)%9&gNve6mplTjuoo? zClU&Ek3tc81k>I2`7EeczGgU0nOu`(=mJ5a@85u6%ZAf?ytW$)QobDK#V;5ST%w6S zT&O`h4!HrSgaHkRNI}?LN8tw9{ig0BO=r{0W?q|kgo1H(TtI;*67bnIDB2Ogeo(lJzo;ZMb78xat;qEviyO+}&+U zs1vfUeiY6jbk11jCO!g!x;67vlELBHS1x3{w+PMD`NH->6jIyK)e@`+ z;R~4At9xNram^|r53|xm27Y{74lqcFB%Vx&6M(v!|KikN)}`IBcl@D%l=!j)NlZpf zfpg<_Ra) zQ(TP`qGai1fCHd;oUSYU%e!(QJ9ejZ7fx8)mi@!niLko zMs|^MgUEab z>!6+0#95zuqaVCL6KOJ>aIdTl3+7Dv1nu0w8=c-|FR2cTb?jwyxsXW{k6^_wc#)%M z4YvP!{?WD%15EI~{V{%{id!~e#Il==AoW5z7u1j&8L>MWJsxiFdYU3SO zec|ZeS$S&K1mu401*Ca_=(P1ATT|&cA5ADBrAg#(IF#?Nxj}2iIaa0%X=5lB(W2)| z4lO*gN23)}WcL#CkOnYSj1Gl^zP6!UkB*E8MvK{wT>i>^^r}S6PELeRx!>bnBB~(; zx~%G;xeCjXX%Ldl5iB7^=2urdF)5@u6$Sqg!nP=2jJD@5W*D#IANb0HSduhO^q5sbf!EM#~mdWz|l5g)qodzh=)(_%inv)3u_rg7H^f$|H8^ z3ML@q(&gYyIxX{~ezner!y$eh!=*lTY2C9!F49@_!BQg{|74DhO0M4xT^FjAd!bTG zc@Xc=V;>nS9y}JRQcJ&o1Un&e^T<{drm@y0OUCR)!8YzIO3{`o4Kg|y<~v`km(p<* zhj;@xY@7(fB)=ORCrAB4#Eew$(71+|_Bn)VBq+g!g9ne~;I0}Z{1+X{N;;?d^PXMT zI#jer6C;hE{duB+TuO~4BL6q@rT|5kX$yM`H4|5%m$7sOJYLY zU34W&H7N!!3lgPNj?4XnzWklyukRAA0r3Ul;hG_K?(2Qe3@QI5V1@|O?;daiz>(C4jn-#;VETXo@xGymqBBNMR(ue7CdyF~-29$Cb?O8L`j5moW}bf%nYoB39!2#MZ$NBL56ZLh-!obIR$_ukRa~ZLD);c-HB-+aKnb8K82XP;nwRFCC z9v+!lx@9_R9O?m=w_+pBy4ts8N2*&Eov^c?62k6c?HUFX^fYNTW99rjE*hSdV>)k2 zzaHa(hf=RbPiyq)w=J73b7Xq9A5T*WF?P8$0TkV@BS~X={Qm|+GY0KGS>Ke%g(TJ%Qr7-GL4N80&dyRIsm?(nKC}*7Lu9$(Q^s7x4&{5q>3Qd-4BfC8Q+b z|KaB4RFk(2+jfiiAY;v%y>V8ix;lA*FQp%iCgbE;gmeH=$swK*pq?{HEv@w9TQ`f% 
zINHutl%x@H$`Uaty*th!F6WROgsPin6)9ALJpE!rI2*l;#~AvLU}OkwXR}g9Oy$ZowKYgXLGUP>qeQzum-Z;Sw#Y zbScd7Ed2D}6IAKXRSRi#Mq~FK6O`uumW63k*NQ~lFUe-tQXoz|6qWJ9zW%~NiUc#0 zAn>*nix+VgHczBcC6k|me(RUTi5Z}}lg^S^>ZDQR;<(u_qFo#1o-SM|$$H8pynM=HDu#mNN5otILDYDm&@(G`! zO3O!rwFs&@zFR>4bC}K9T zgP94rwX_#;KqENWU{v@Om9Eft-)!*Po+%6>S%8ojRZKnEcxHs9nPic(oif@z<7AUg z@m#&XCz6n;XhkUv>2f+UTlbb@IVD%%#akiZ8CtuACrjEKtFKCfpI)EI%Y2#H6xfQ6}lveM?}*W zxCe;*LZ_j_piO#8H;I7J4jKt{mK%krUyXD!!ToXUW0HckQ0_HX{U^{Z{U~`XeN$I< z>dZM$TfUWk_yBJ&a!k|P`^?8zI!LJ|;HYG+-5aQi%itEI*%i;02CjJZ{G(30mPMYJ z#4Kxmv!!WSI!CsBD=yxK%KwTP*?5!{flNT8kEgiu$z_nHR5b3~G<0^9Di*Z{f!J72 zdCg*xhU`yGAI299AHydRMwEC02hEP=$Z*9rnOIXWNmM=ZlsLUXO1ZLmHnr0H(YGtp zE?7eIrb6ClK50x>kK9HT+L23Of=RY&+mzW!i4=ljVUyLAT-@d7=>jd=kI7UCI1aC} z3H?RZYgesbt2onTvw3a(*3{SJSdetsQ^AA8>AVyIq^UhF>ozK3e8 zf=cdJfB?|AuQ2;kD;&QpwJntEATV4MUPKByR8nN@pE12fy?jCFXmE{J9FNT#v?5&` zT3S8+uVQ!Br?dJz6@i{oEK(!`vnp@xKV!syCy_4NQ$;)341Ol1Ge-5wB_T>o^CDQ| zE$Mn#N;LfmviQK@n$txBs$B{W*yeuf1GKzGD+Ztn(bGr>epBGck_k}7v=K7 zxbl5#c35AL0qv4hWi&VKYNiA@M|`BU6kP`QEMYi=z{w1VKl0@- z2v%yZ#grcg$ihKs|E(YH?rYz@^?1k$Nm)T-L|XXLV4&4)Q_H63=ZAqCuif^)$NOhZ z!@6}l+ZUC#2%;|9Iw1VU@Co6|w$+BM(=E-8p6!AX`?g)g=Z&xTqn4{OOA7wup%J!^ z%fRja^9{n~^CY^L8%tOxRrkx48ljfGteMP(KINK4G{Me>`HUTH$KBn`&YjU|1x$_a zfyi5RPveqK$?@Z^;D>kT3QVT@M2q`0VhLbgqy$2 z`5YI}-kuPay&vAfTE9d^`Sa73|N1CnuEWmTBbEqsJuTF8o%a0s0BlLuV_F_rpnKA& z^iY2p6e>ybeLD7d+Im;j)4V+@e0kTJ(RjB?_`Du|(!7D;$*SGCOUXS$hj~ zy$F8{(sG%X21k>-nGP>{95SaCJEQpzb$0xbp7QT6i zUq23LtQqYpcpS?Ws>aM3*q+z+vZlH+dd|`##kKoWR9~W3DG=Tak~tN|*mx&TQ*)L^ zZ%K3n%OS8CfPHZdSuLj`wrxtKG{oz8dmfEIV-}H zS#VB1I(6o|B}o>lI+Cl}MTktge*10l==AmSTo_2piLCimV;OUX5}{e9X%#PAorKp* zIkb+fFz4;s54}6+_Muv>Nc?FpA5%}cP$W+9xBXOq^}zE3%t0z*|2qq`Iu=`@VhsfZ zV>wypprt~N#S&G?7SWy}ed#&*`Zq0+d>l_?`Qm#@Ba!A|$f3e%5e2tDsRghK=;iZ- zLUq?-WwTWJ9@NH{+=weqJ{98TCdiL0J`~@v*r~=gv|9w_M2(u59;em^ZyOz0P=}UT zcV;+*BB|z7+D+oOg(Jg+wX>v^_{+H*7?{p!cSnQ&e4l8A;-X$w&FxlGaDbNPAx`~0 z`ofl2mE)O%>No2^QVv2PZ!xP% zaeI^C9R^#;(Q&GmgVgk>o~HQ}MkB~7j>=D{dh835J#$cG`l{)&o={@7X0(}Bxz18Q 
z?#0DIzg0%0s>)TBss3IuX`-7IEtBd0Y_?q3Ce7m3H$uf$)L%Ea58q&h@xch_{6j}E z7ez;=N#i)Yph)3TmcJ#YFjf6e&;lo9N;;;R!ozNnMtBYU4_H=qLe;x$z@-}mdhoXv z<0zL%6tAH?mGoEX*d-D**^40f6gP6Apj}$=Gj)L^n?DDwQDArB=9FXBU}PlW(^GdeW0dE7r?`6iQrqt$ z$AMpJyZYb4KwZ)e?X&8K^~m2E%ina!H%Y)VWj%KhFG;pxE{n0MB3jg$eno-q!9i1h|RG!guM!nI^}(@9Fgv*wBt(Se!}mcV}+G#R-%oe6N?>2DHH zv-?yCQe!3L7P63|DOS(fgmTo zb2_I>7P3;-d*(Jys9RoJTd=#11~}?ws(cH;3*4-2?0|2fypQJ3sS`c> zIZg9gFg8wS+%I;7fTMpeX;Ry#J)Kfd=V~)tPxCB8+m3cV_m?$a!7C%93opApy={vG zB{@EI{-M>~7VJy+>BCDip!bp63h%3zoCjV|hAkCHneSThvXREGaltX;VH*k980Oup zWXJW+`!I_+fUR&AvoYBb=Ty^kvvUIIuyK7$UrSNdyd${EqyV~GdY)I^jhkiG-G7GB zm)@}H&S{yd*^f;gzuy3tACuRb5<>23U>~?8A_wINZgXq{j_l7WR2YcE<~wp?RF*MOonWDcKyFLpIvx6C{1$0aSBgPpYidkm*ZQHpE(D_Ow$ z^+Zce$8N9?A>YTV#z(>(eHeYiD$PLB`wE}sPV+#v8$pMhM@97W+kh>$-}56!&9>iB z#q^qkHt2|0>=KQyeTvDfs%~p$PSe)H<09wF-Q2?Q`pJ_)*f}IwwX;d)t7mkxYS=k< z$Kd^*c3;;s1L`>ff$Tp~UeSO-Gbf;#U;F`}aKQodCeRT1^Zf;&R+|l@ZAbWszXkTW z$Hy2%bo8aaP0H2F@rq4|GhHEH8}4!bi(FpFN{Fup3=gI`Zy+5w7&-#P(STIJ~JUw|O^DyM3fklHOy;p~)typ2db! z-Vyu8f6G)B6o;~U75vSj;gzV9^<8uG>wXIfbt{;+qAtmJIhVjeG=6dFh5H=X0?HFJ zzpa$k!>%Kwldp`aTWg&xLf+yPh+hmqu%Z8=81vU<%D>dJzA z;ExyvQbtnh+=R!mmY)I zP&4tNBwupzBXUrT6K6lU@an8!;&Ov*nWagH=q&!iUzQ@o6?lBH!eiZ3SP9BmJeAAF zc&kSjUuw-#yw)l>fpq-{6HPSAMGIUZAJt`UwldZRCE|y750z2pbbiGHd3G>MN;TW0 zjQ}0i)wU{&uBo)4>>LIMjlh|uKc2d@C;zBz$*Uyg_b7yw3QTG3mL-bmz6y+yaICt# zk?@iE$Z53_+H{&XlO85Z+Cg*;|0V&{A4-3Y?ytpP!jbPm&sikECBOOqYp2pk1Ognh zdoygD5?9&4Nb`Tv(

vCE7M6XXXFk1^1B=cC=_4@UVdf{!t5G>?nJT*}e!JQ8(r4q9AfydW+K zRU+*q^N&n4IB#J|R{W)_OcCqkO096&x>7B;QrGt!lYLJ*HTpSKLnyBHkXIYxWU&c>lgz!k9EK2KALo%B<}VQYWsDo997|OrypIiB_nLT!hRv z@l}}o{%di@j8G~9QSR>~RUe}~KmYrnOf!30c5k26Zbl!OD8E&2dM5Ncw~_|B*&T%2 zy5+Qw76RRJ)i8c;GtLYS!i)LlM=mfd6K@(c?$`PCFkoBU{2}=d?GX^^NR*j617_2{ zMI2-)l&Dk5KR`p$j9sKdKVZ56zc3>!)zGNB$43q^x0|b5qv4u7nDCcw8fO50k^iS? zylS}#XJN4NTZ6Pb0m+u7o>dcK)6kcvLiz`V}ru*t`mUuzALPbefS~YY@5&F-U zV14sWLS=%f7zp_C@oiYqAOrFplK5^Oym;K&KC?%B!{CtgWwJ7h0$cfzD9uWoW^|JAZfo5Te)TvJeh>N19S&}AZO~r)o^j{^naEb}*o098zMaNOs=|la0CAIy{ z!++q;!)}wju@S=#U~$~=-cPgqXApsE{3XKQwBKevJ^?ur-m88;v>3MDX5MEu!TjOi zOBnaR*4xLgbME`sIX58Ri2=Ms|NP5i#iisGauCy5*NV~j9g**;0;e#k0WaTZI->cV;7Z2l1C!Ia|#CCjYv z?MrQJ%JTxv?rOH%4nwR6y$|YA=-bar*Vf;xR=f^4+}?&LeRa8A!_0_Y=hO(>O`(A4 z5UQxi!ZCou%#4>Kxwe-mKHKe&Krv7!XYJwB#$!pZXUWIu>2r%l2*Qr?n%kgkr|oTHrfbFfIn>A&NKow(V={9AdR6ucDmp)v0GP5fU0u}D2To-3p_jUu#RagAon4* zi5{OH#-QU&on_CWyQU3xPV7!YiqFv|zuM%xUbP(H8#SKJ$2C(dwH*K3;O8;hLs^B- z<2Z-h>hUE~_I9$nX^K#`?(@D^kE^BALV=s#;o`!Xm>b~fj&Ft2ZRcW}@0ml7z^0Aj zw{6RI1fWc>Yolv`ZRzv+Wr0KO76rH+u|f1A+&CGH`ZU|Xd0(}A{uU#4^=a8SF4y9F zIK1Th9vxJ@<_Fs8DYJdLW7e`I1Gug!x!FGK>S48(5Okh^w-COZBLAN^=A41|o$%KW zkj5azEm1UHbcSB*8bH(}D0CTCp1h|WC@B*enj4<+$oI)+lUBP%-$i;_xXYg0{s zZL;p#=pz;rZ0NE_-vi^oYs2DM>TtpvEKWy-!lciGXgPWkQD)XzuxpfZ;l-UGELk$H zEK)K;3F)P^Yay^Hz6ZM?rE6M=f@Tr0Xd#WM91QU{5J^qMqo+rr2-GE@%$AcPKt~iM zCCJU(tQ420xUKLt1@jl>F2>87V}Gl*br}`@(f4=uV? 
znWTcvzHG20O*hNtV8A-esu@hJAW&h$B*=8MvCmo4jkp^yO>NQU{}#8Y3>~Ckk>50> zpmAOb!P$pY_*>K6>D29?s=zl^dYgtd+^f4#Dx zWFDRBdZR$>J?+MrScJTjS&;%ZB_zJGy_h_A2>+xX~pMf9n5{4|Mm=9PoRc3o(MS0=nBsP0SI!E_$j zab82r5mXI0P1s!%9Eo_gJoDtjHWMmr^}k?`-+c0s?v~X1-LWlq1^1mGcZh>1zf6P) zfn3efjFDakZDWhik_r%+5p-f0`p6d%^eV;m+RYM8@JYq8YXUX>V(oOei@7NVQY7_p zQK;c~;jh+JLegOC%c&oOj+1kfChS1 z0S$(UC>mc9IgXPuvuw}f|BM4agw){EnWC?_$BAE#$d|a9isAcBez}!l(~F6}568vs z0Ul1~{IK>h{}@3&jD4Ogv&D7L>(usTS>4!^J`Ii^pWzYJpTo&oR4w&%Jy-#vMmk)s zc`wCMbU%bFSBO4pKi(%)m-KdQILwxC)c=u+)-;HDk~sm=x;&EHHoUG{^S8UN;L-cq zgt9UFN&Ip$bY6z%QFbf9Ic)yj6N*p=epHJQ z+)rTJ>V9g;5xBp_OxSu~ENSsJ9ny$dw?x%>Kk|CEsnm<<$nRW6&EM1TyRIbBFtkV? zUAR@&0=ZAq<*rW%{;VW#pQ7ji`*awtT-WgAt~>AhRUn=}`}voE)lnH{ZP70FNwXD|0K(qc}}#{=Bnc)wm{WXkGGc!R4&wdei3TIOQ| z(qPN<#mG*VRSzFlLiJbm!F$a6@@19NO1`X@^;DyezuT>G55l%J9BNIjTzb$@YDIGePOT;t<1s z*kvF04DcJmcyK*;fOOK|i%8h{;JZEa*nqJD{!b>z5BbI~;~Dg29f$z2HU#7P?tQ>0 zI1(tArH5zIkPz+o@qa~zvFH5$DlTPhKuts_Vq!1(ZHn9y6(2m`t7_S?2irnShSAF7 zLmQFQAPb2|$>b3<2}^Y+A`f8Ol;9A#!YOZPh}M__(a8AttLMrCQ8LIBT^`C2_F&g0Eck{%8eBkuvz- zTAgCv<|$+zaAsGt_Oy$=G}k zyc9fc$ZsBedn9de|3U&d5}&gl@rb7IV||*7x>lC`_{^$`3dE!3p_3BVzFE8N`+oKM zN+WI($_M_HG_m@EfAFtOZ(#WSHnZ4}aM>$FoEQ?OAq_EZ9#cJ6r4V>1H)-6$`)NU> z-&Bodlt^ie)NWUTPSt6xj6|0#KcB3*f_fpj`YVI-t0d?1Ly7a@y){@|Z;DHT| zpY<^D3Kc*2Chg73GUp}5+xR}nKmEE(ff?$<)Q=2Kb)b&G7{3F+Ka^O|61<=_P(tgr_FA*`~M)PTQrTjw@rakUukD3N$u^fWz;oa^Omk z*7Am7h@MxqSiL3bwc*lC{Fd}{W;T9@f=uzp&n3%txu>sSV2|5)|c?BWwiU#-y>ZFy-+3;Rq#hlN2a+-1oabBBCS>3SW?;nm>z zaua%0p?af^H)Y81Uis?fT1Vm^T<$`0?k>z%d1p}1ys$y7Z-86#O~eH zNSU(rM($gGQ8AT^8$9e6uLQy1TWm^n;(SnY+L!ROjMOzPOtIT*y=_Dj`!NxRG{x%M$U7WEDQ)HL@e;C0(ydNcsKy^q59+jfgh zh{94hO=2r*Htm+fW^}NuKO}%pB!?$@K88p;BF(z&Zg&NKomX)Se_6Zk44=2=UzXC} zYrKIAVwa6)Z(ep3KDC1^BgSgn7t2@4y#3itue+&S{p}eyT{Bz^fg_#1%540nWnJ`L zZkVLo%HQN*WSwGk&H7N%BMHVkh-SE-zKQ{{wdXqy29usL-Y0gty6(=j2)3oFC>j)= zDI7lzYdlA(kEL$9) z2zs@b-vDpFVj9-*Xqxo^-!z`O#gNDQ6U=gk{kCp4J4f#ar&cOk-^t_{cK9z(&g-9v8fG?&Rsd$x zfj3o#l?Z^wZ45IVrx(M7hQiL~LGa~+11_^1him?5qhUO!Xai;kYWvkcGq$xmIdWX5 
ztTrJ={G*jUd;2`V^W`O}rNOd`ZhoNs>t6FZc*;==mww9z`ZK-j_&X2iX=E#BtNUMh zN!IIlQ_z;*)Tbf$+h#O2fm@klaOVqGk1^rqI|@-Tisp6E1^d5c(7$~I6h5!W1+yxL zr_Wd&`-9`>N}qE&>`;V_!UPLRN%mk46OKe6~(`r8)0}MX9$nH(4)G9 zYR*P)Yxggm%Gug^m@;AWFV3m;w7tO6Y--u^BEt&B^zJ$3-D3pMJ$|^M;)gb4IyMgZ z2(!nZv}fK6@r9oI$y~wOt(aZ$#tQbt;fE1c>)(d>vG7{!#^JL@Xw}AlJR6o7YRhML zIf>BsvVRR{r9w8~?jY*S`&Wsw>(LAObkvMBLcFN_nKz1rqn4=Qs;?|1cBb}>Ba)Kt z0#M82R>@~cb~+ZxS1%e8PeWs1&1l%q6TZ<6=lKtgo+Mx`EY%f5mF&eAHfFNMv}VTP z40$kASB#2Rj1^WD`Lr$>Knu6qlC$+J6&b-m(kqG^?7|31D zgTZ_yghWsbzr{GuElTkCW-Z046+nC^X09sQ0i1m`95eMC*{dA&=U4J?Q;6c6?U5p`VwkQ`A>xWV2t!UQj z(KqIY#8tajLL7E>VgFlNl54qHl3=?y-*%2ZBvA^5;)?q_`JlBCW84sRjjIz=uq(6y zAKOprF~sTLOTL7NXSb;TB-zt~v&c6jEsdE8ntk+YaLmQnEOwYG_{$KHjI|r7RU}s2 z6&~b!3=_*jVKsHj#2x~gD{ckYuMod=uuRTL8U{ZN8_DCqB%nnm!WbEHNB%58lODet zJq!`;j@{!;IT2?tVKu-iB@4xEMNpy>3Llf;Co(csiX1Vl-n6%O4^*};Nt8+)u~BL& zAl5TTOTCsR>zo-A%3*;0y~PryE{j7Bt)4?8%a{FKK6F<#HGMfqkvLMmDoQVMLvp|X z&jb}Nkbkpau^l&tTsLn4jC-sU<)}D*CD)M@_P_z(e5defqthKk`6zeo@&&}*lfIrQ zx$RGVz1t+Z_QDm)+^ITddBT{A&2afJ;NMyakJBagw>&f=whK@I=p8ZtiWf_Gj9atr zoeIugmU1;)JRL>dlveFDP<7t=HfNDIUWO*fo<}Ue40dkc#A)|{uUUq%;KW)z;UUhX zo|xZMy?T_uz6F*+MME_VQAOlmcU2;3w0JHp#wELt);s^1x-0sSievglB3p+2yEZE=dfc~mh{#X?3h)JoJ9-%yP6OC{9dhnz&Gp7DfFQZ*9e?^TuJFQNo#&)gl1G9~uGV3aiEH+jOzJq}a?`}Lh>p6`?ooac; zpV5`yxl1Wl5fW0(y{H^c5@_cmiRTmIP|i-)Y%m^{mhmY+i~@?!OXFzRbSRHh-wg~Z zqY}|{p}$#}OLuimseRPd+}YFh93dX08St`1nT6g?GG^lrvlxL4@AFS~20n-aGyjJw z%Kw$is-TDMe*Yjs&zgp&4#;2qI)w`C`i+5zyJ21dqyl*_olK~D0MJP-MY1j|V~o4; z=LV5io^Pwm%MI|QZ^jmGo7=NV?-RGvak)c^Peu3bNoA$W{HkQyZ?B2tQU>{B$`cQ0 z{Dd~+0h3IqK?TLYw0*ywwL?gJEVR*spqzem<+k>kx<%i0X73#GUsRoCP+ZZrt%C)E zyGw9)*T#aoJ0ZBcySuvwx8Uv&+_iCchv3?MIrrRpRqxNLuKv5bdhEI87~^w({h$P_ zJzbTyPPC*~KfZQYS2vA`o}fK3dla%i#WPGCo9#%~+kpO_J-C^NsyK{!7&+Az)Xt$uckvb+{$YWx2#^V(7ywEWJ z4wT#as{5u(kj>P(LH5{Ll5Nmo>~KG4ukYJ$zXh5(1WT=)giS0g=XUNOEgN>sJ(gXy zA7m2n*w=a)+g=^o^KoB!u)WL;JWcVQ-&7S2kf={KV|&HCeSAd_a^J+Lvb`3#KQXqq 
zY5Ce{dbZQ8*kL=jz_dvMaG%JnNr>bB`PMCvwBlPaHq`59IT5;{8Q*+3%Iwu@@@{RsfIQCWTG4j)b6b}mCGPb&=wWZo&=tIT z96U|m8Yc3emFZ;gcq}ce4$*fWU_bSp)_K3xM{|qztrdE!vyeTWN(bE{@@C6+Yt$Xp zJe?b-U-vpn9haK>bsnG25WYU&5eRsWfp-1!bDDSbbs64n=b!X^fe)I5ZqxEbvO29? z#J=W%^4tl_UFOqairsd9xZmGi!HZyj@GBVg;J-Z31F(m|kAzRGtbgg6%U0qDmLjO~ zVVg`C^!L?%h{OOiqxS6N$uN>i-9SBK4vL?iR0Jvde>vp+YB#rfW|HD2k08YhQ?Kwy zHV#kQEXo22&sO4-NI&qck(UkEPF%i0zvwg9`&X$PXJM!TyO|V%K6HvJhvQ3W@*hlC zmEL_1#?Q%eYvrwsO!Py+RB-;qnuf~$5jDHqbpqp!?966x{3U$aB z_$o!GnvP2gGJdNfrv9UJN~zX0rZ%0whYr5WOR+{2>jyg7Y0RpV!CCc8(~AX23d~xG zZK5{oFJ&0aDCk*{-+m7yfahf!VU#|XFVw@0{S`tGqRbzatokiaquziP!P@iZ?4+tf z5w{y|m%3DJgjud+c-SSPv&AnJAhhQSrivDSiuJ%ohT_{V!7?DZ%U~0$v^o(q>H^s# z(i^xsgd&nP&RhD?qAieq@jIE1YqRnq>b!bDF)KQ6}<8SB!ZZB#Pi*u~HN{Wrz&$ULSWxA5h&642Nj|6i>hdIB=w?^TC#5- z4rhR+#UK6X?1+V5UN#aB`1Kc9mXZN=Mv>*N!Ygv=mtzznCebo}e93yOS1p8VSFvlw zYc&vz=_W8Ku5Cs^6$9i;E(o?{`0v|S;Qf|ZIWMZ=XKfJ5?Z5;$v-a|c1ku9ptk?9n z)wr$OnoKtYq9`5BGe&x4$NeC){IK>2^sZUy1>)Vp3=eCEO{$81e;Q)@nfrqfj~}A)iJA_70z(NUHPi7@2}4jB3xwy!f2JK4Ryb?=Dj+p)N_~f0rO- zjCJad?%PqHzVvMU9V#zsT$Lt6#fOp`GGS1cR&v0ZOruSwYuBowxxK9C+=U4p)|LKC zz^y*x<|UMD1QD8Sxg4WX0~PyQi7BShb><-DeYVUxYjIJ%V6+&+bt$0YE4$_XL-|z` zBW;~*9yv}pbU<)!8fQkpm_h?E8Y%vQ9f^wuou~|A&o)Q493wJv7*oMDSZ07?v1y64 zt46{rS7&MvF~BO)sC&-3WU_zx8hoetuzgepMhWNmf@x(QtD{&<{WvRz57T&5DfXmBb;h%pfV^WwkhbyV``{x5G9jf?q$7gOh>0jOkhBoT zUBW~`3J6zx`gh7KKp6tP0|t04Hdd45g2pw}zR3q25s7MCZc@SBlB9Eifzd|g>R_`n zNhPNQD;WA+`m>aDE|-H&8jcQ`?nRAkNV~|YV#eIz%N4zG#!ThD&EJeXF0!j+<1)L{ zjH7$w5vg`V%hpQy3R-lI{s)sfJv<|0cPZ@l8opCf_}@l9O0+|Vog%YBpi%z0jYka` z^@zmIGT0em(I{iCSw_^Udghx_iC{6O@O6a*6K?17DfU^21HM&~k|YxAO<$SfB$F);M~=bIWm?c-HIzEF1IdQSO+1VzzvkF~*}k@L&d_3U-v49ktoM%fevy@XKi*c^|K=Y`w`sF!obJ_l_x9H90BhTl z>LJD_VFWfYy1J;#f8+7ZG84t%eZRpR^l;X1)ma;D*Lr)Yx$XF|9#Y?y&s?UN&RHt9!2Y?EyVQ*V7$WNwA?N9nR<_a!$SwzYj|~<(sBDE=gT0m6d+*k~-;WAi z4T-wiR{lNp)LkUogZF>~ASba0cO1|`i1ib|@$nSL{!N+0|9$1SRmZ*BR)dIw>HQGi zc^JpQOTuzGGu7FVv^*v_0-(|_NIq3d;%thQRcAJhZ-tPTBqHr&q$pF=0V66mYQIYT>B79u@G;h@U{CM>h_7Ek@W*znAX 
zza)qkmwAXPRh`T6wL~dR!#hOov)QIGKX6KEm<~jo!)Ktnx(g3jKqLnwPlhCy~ef+Hv^VPH{RrFuXG(m`&rEk&TxVVOb=_ZASnN#(j3C*xo zKloYWG1R|u8f^MGvz0IaT=YYY3ciBXE(^p@%VduD8Bcy0Llx&qnNEL1(_JJ5dhwZ> zyaohwZlsq^LDKYuii$j%2VGziBVX);Y)^`bH3Y|4YrE4rmAM=Sv3QvQXRFrxI!V6HhRj8Uu}?S<8*GbZz&c!H-ghIgo_R+ zlMsoC)r67s1yd}+q`;_z^6Y_BpYRE>MYj<0mmZ1mPe@~Z9EB02%4lqaJTuLoEP(rc z$BVQ%<(;>)FS8A7+Genhj^Z7Hj-sNF$1Oxk#3Rj)tqdwsHq>6~vy8V$p~Plh`@|#r zP!xppgtQKLNESib>`>ZxoSH5Xzk=BC_jpcY&_9fRcCN~iR?sfc%JL-g$2BaLvoIt- zvWy+wHB%8Dzf!Q^$)~9O${3W#iEThrrqwNlbZcNhfUhiDDc3Dk(T4!61OE^KbWx;UySk^p=nbz?qa-PfFo*bP>@ck5iYIVg?gp*H1vajvKXBYL2RK8Oie>h+QaFV zIE%!?e4F+)w1M80SPL$6z^bK0=z%bnzz@scYKa3rw#D=Vdcjhi`awf?YJn9NX|`p_ z`&m-)s`yY7Q1JJEyB3ki0u~uLnSgBS?2|gugEXV9&T?2t#3Ds{EIY7AAeKJ;5 zZSV305w=Nbs6VmG7_?buU%pi=ggj8#o3ZcD7E;^h$OJf+#2-h+@O%w+Y2f_(P=`ik z?ZVNWE9V+=&Q6;_WO zjQI6MR3^60fM30KR0Lk`;i65IYT=tA(EO}>%HcO2GRHum8P6;tY*xKzSOVN@_W^+Y zqqi69O#tl4*gAW=EeI}v^Wj61%6g@H0h~M~e)e{T?Q=-@K!Kc3fczhOyX!Tr7(nw@ z3n=qTsEthRgs54hX+zJlHPBRdnkP8xuC@$EaAw=>fzlo{mP8_O>*P3fc(l>z^S*o) zkMc6maI`Q{6C=HB=P^%guc5hlywnZ;v$5)NG(4!yT+8~#-P`7WduIIfaX4#B42t%X zd|QQ@5t7X3^s$VEg}dE4&|chB%s%*AODQA-o;;bIQh1)YO=oHZU!mCeFI_kcB@=5u zi}?f_158?kOdr-Yg-(4BZWe|WiTvZ=AtD6c?iXOMJdVR}xWa`LxcXq-SgyQog3CzK zaNtqe`0D>oQ*Sg`4CR09@W*d@Uh^{xY;F_@b6-DO{QFt;0ob5#yK?fn25&vNf2h;- z&zNsN|DAp!Th8}*yT$?Ep@Ba)9GhnD*A6KhFTO`3d@bKc-VcKx=T@VK;|Vr>TYG7A ze9}{~HyG>ZPbKYMR;cCQkNy4jD!BR9YwkzQu3;az?Y8*5cZb8bHVpliYTj(#b)Ls{ zX9}1vALsv^*Hq2bgMh?0r61f(o$sNPID%ZhOEOcGk3nWQ zFO$g$=JfP|3lQ2fkczFfw;FvpQc$NHT(><>RcFA4i$vvW1?n z&%vr-FwtE;^y3Q%!2W)$TVFfiUx%*{255WFujtDrc12VFMGQWBA9*7K8Gqb7&vX@v z%Tai9l8sEcgW`Ee-oy8`n{6qgO7a#YbkOo)A;J!51W8~-JZH@~OaD-7X_h!4)v;dH zDan!@N>J+>MbynX6*;P+Kxq;wZL$JXLiW@cA+@c@I6DS$^Q6KAuTtbXW``n(_sV7s zxQAa8a^_{l^>CSVfIxZ+?aHE9)o8($MrS_4!i^YbN{3_VC8g6rKZ=P;ROqBRZlUl* zL_P@0<&Lg)ipq}i5}H7F{5I}-5@6n~vhei{T@d&u3qM6Tic+>3B4~fLcB=a?GhwwPo}P+iMtB4XCD&jt}CsUpJnG}u{DF|gS?^@7};(8}L+~XpGWaV;e%9+M1uWCQYA@xpUO%*MNg(rsJ=STObzj23`=?(vS 
z!`GiJ<$lXd+`}zYju9(B^>Bn_*w4{C^ln*9ik(|5c&@O6fIydM%*QHS#zP23%(YJS zYG74am%_$aTPK zawj#`1aLe9FoAai#q8Gwnr*O9!*k-Uhj4- zrPlOfW8^LOE?}<{_ zv_oSXbzwE3t*FZS)c%ft^-0FIbV!*nQ@#2EpFLK%UR95Nk}3W5Pc!|AOU_gd7BVS} z!oNn0Y?FgBS#HKH{_fOR6}mz2kYSgB|g@^O5<2jQn(_^ z7jp_ix*JThM|N5ic_l4Otinf^OpWoPrv3XaWeXG@(W)c;Zgk75y6mC%pt1wsZ%wQS zznfoa49n0Xwd5L_+fEkbb>!u;IEnFOFjvq*i8DIi=InLQvEBvJr! zBSYgZDcQ#qRwRmJFvozXVy+VX55rPu*?4t4br%}*=~XHwOESiA&=_{faO~3ZNKp(?QBJ^Tt9vf%=JFM%E+lslncLTxen$XGGqnG50|`13Ui%M?VoX57VfW0H($MU@mPf)lmWo(Qd$>NU?wdwH&l#Sz#Jk= z7K8+Q-w9Y+ObYtV;5I+=^*itye>AxsI&Sh!%m)S({DA-_?S*|0r*c3n zqs1NR6$0}{BZRx>wJoC2ljyTG%;Y+cSo8OKoZFsvAzs@4DFos2THdWe*xPmd?UA+d zzf24+X~n8pA+p)thE_Z~-7A#5YO-~VrRNTD4mXI|svqU!PYsv6g6Ug*vg-4#N^W%X z+u4Ben*8=gH*>iwH054fe=I`4SU12n!r|6=S?*#!w+zT}C2$5xmVNwkYkL6A zy3*T!ym{x>=6e1MdlG7TiMsZ#HExC|K+5H^qP zN#=ia8v8d~T;&T~s#^DYz~7e*X>3{Ke~Q^D<#l&zt6%F})Tb_s={o{{c)x|dMkzA* z9O@qKkp^e8gS)4+n|*y=Ah+HRo3F1O_Tg(m(=uH^w-OotedaZZoE33gIMf~0W z-fOXWZvVBDcuxrA@x64NPy5=mGj91Mt=SKlR_1TGy_rpr^oDjn6D@k%gO`;%h29tC zaS~cX{Chx>J5}zR{&V3^=I*_BSDMUvuX*cBcucK(?8iACI!!Fkb2WeeMfdveAC?^( zw(0S_4^(r#Jl}>-d%AW5NUuF7YWUv#P6I*}w|$~ZFj_AwLhb1UpQmKG01e&xmxE=7 zHeUI95%&IT&(E=To3{L~qq#?a>IY)obGvZJ;W8d>vu^m#TSM14bF*VR>^ccX&y$fzZW(^=#P&W=it z1FS1!T@r1wzVFe9i6V8XM7D^Qo&VJ@(H1_}i67#y2;pw$8dCe|wt9dY6s)iO@xGR_ZE`~QQ!Co^SvT9@9oBi3%g$`tmr$$7=lZVDAX%a#g!#`#3 zn>}^hjsZtRnBy?i@yNmECh59i2nbpn)Y}AK!925AT7Nf~tg>}yAq}-69)63{wQ>&S zv*|1(J_`J7iaARTnk7<#KEqZo{PwUQxY1fdERm(fCZcxlRA0L|BDGHFB#x(c=G5_{ zIaZ`a=u}d808`majo@(2NK3LKYO8Gg&qi4iW^;f?h=unJ3Un8-H!*vP|YuV{2a$$1l?QoXw3$)1tntLGMZ}XXi%X zKOO-wY}VDd=sDLcCHr6;|0KazaAeBF{bt#+6KjBZ!wS2SWE@Vob40LMxZ)w_Q)2}> zUIY=B&Q79^v%6|Ex7{mM!U%~08|oxf^$LY$6l#JI(W`YRzpS=IBYO)|Nh>v-uM^J| z(IF9{G?J^&l}q%?JG!kS7UiVOxWG~KH`GZ}3O-(>kh0>HkjZr+^VdqQ2e`R-o&BSh z0S0O%8>3EH)X(Fd25efDBsO+uEgsxK38?2I9ydpv7gl_s=z@+~gj9k`;t}e`7mxc> zHRRT#H&I!=RR?=M2%XCp6ta>bzDJ>rYFRfhjA-x8o?-s=Zt`ay-Xwdlry0u(nC(-1 z!Nj-u(1oZ!#x1oPfbwfj9PAXYgQGHmyEu*2?TPn{{&s3D8|K@BNBBzhG6*v 
zBxwNcEBmzqxA%0l0QYBo$@f&{rLG;iQbB&-r@tsfw^v^0e<<^v=e+mX?b>%3&U&!& z*Nm!QnDuj$uRHCR$ky$9sh<oZ*5PgB_1QeV`^UdRkU!lbw7SOWB7Fck=QYi zbq%Pa*8@EYN@?gjTxxHBtz)zaBIOf}C70>&Xa=|;BR_c&phJZ=p%ySkT+ z0jce-Zgpn4?$Zp1PtLVkrc;~uiv#I4j&~awTlSgf3Oa{Z4|dvQ57Vqqn)yEzx^7oP z({$guw$h>lnAe1F)H+7pA!nKjfwipQ4^3g0G z5nI~t2N_|L?9JHL>z=czxY9%g$Wc{9?B#Nk!vS>55n~ziu$c_$EfP*exPJq1xyMOa z%^F;Qsm_QR(*#iR4;A9&bU+`)xHDVGQ#_(TYp84Dx+t`G{n3jmN++6OU%P zg~`N{ujTcDR7>9kV%7 z3bDjH(D%JM`2yLR3A3^)`Tua&=Qz%d2I`2Z$$mHZQBA1E>eQ|bGi^2;g0vh^XuQf5 zYMFxY1BR4y%mtG@Q*Jg1$WYvf811Hu&X``9Xf)wNQbJ$`P&$vo(uRur(S9lr5nIb( z(whM;wlw)^YB7FrVt4RxuP0EUeArddAOU-+YXx*k{UfyaE4KD88xmHzT570G{3vcR zM-bGh5&=A872|s4SZOAyxmzC-5elT5YqPXST%_Gf%BC64c_}CM;Gq-Vzp$_fS_fHa z3(tV%g+r&t&-xmJS{M`)SLVY4)TfX=)hBDP&~{PF{(AuqO;?*0Ys79q$Dkn!;*~X$IS_I z`)(P3_J!MYi{SC_;%Ss0@6J?!o{C9UH_=m3#4@jk~vH$;^ZE_v%z*MQptFV zw3=!~w<(>5B*t>&G{H4%M7NK3|+ABzy;0)`K_f>3LK6v674F2w92G z;O5)+Pu3SAp2e6ERjlcXilJ0|tdpoPxgnmqO)w_g2iX@Vn*FR$7HhmFzN3jBnHI>U z&N?+NXP3n}+`%=RnF?Ulni3hju+wxmFOs=s5Fl$d=^|-g(fF31HTK% z?A1^XlJO`E7zTn-wiPJ`>4BzDoAH$u_~UMOCkdFgdCtwv)bpTSwE=ipwdl0= ziZpg#am!rJ13Ap8`Zbfh-zpz>wP`qgaL)LBl-%jPgTlFa#5>M_(_fdFvGnR!+f#vC zvi@2tzm{a$i53=#;%z{YBo`e+hD+N=hwd9wZn+P8I+=o8J~holP6$0cql}s}bP3cw z%eof1x$fZ5SCGwP2S%Uu(sz>X;^?vZZ==N&JY2k3yc+b@W2mO5^0|MT^Msy zY2G%~#&nxiOCFX8JGU@-&@qP@sTL=12p}@mW+^U|}735XapiwQ~F`)6Ff_mfT3Sy$Bo&A8(Z!rt@UE^1J z_hEfH*olJnBs)8tQPiht0$(xLWdroa?BA2gcmI>|ZV)P6Z^iI&1eB_~T{o9_t#&oN z`K!hi#_NK*yPKQGr~dG|WZID2`*xq7ImAZLd_cWGEPbo#`TQfR>e_8osBH7*zjLqM z3(8l2k&jk95V(3}c^6P3ia!mWeFdisoU&$}&7Ag{K3Co4Ghcx3#0~%_YO@L^f+)u> zW_~a6tbliFO=B%(TK5AJC25mgE~pgU)IvihoXh&mOL$UDq)P456g2jb2s0H6{-h38 z>DywCk5hd`nHFPi5%se+IdTT&a^Al3C8j0ShD1i`t=SRkeZ7Y1VMxhz1TC(Dtf5&{ zuiP~5+@y8`j26=J)k9gTT#4lG`SeD@omieWj7P$MrXCmR#xZ}>oMKzG+x%3}^Nneh z6z@nAi`tSpqbc86E%~E!_06%?8ZT=aQh$R!;ee(3=-4%Y7WhGCLQT~oAe_|mWw%Gk z&O&rdMb@dFMW6Ja#R}BnZ_Pw0HWIa0Oks1Z?0-&4a^nwd>a8+v`I-sXhRT~g28EqY zr71s8i!lzT2pQPg<;HB5$IS%#MdPH$egu^3oZ1ijx0z*<@zG#f%4rO5AaX(u(8Owg 
zt60l&=+~k|W06{dMWTfs8CAOks+87#)h8c7LKyn;(=)~@{nZLRjHUvLRV-bt0D3|y zjbF+-w9VqMBNCo#l0c7Ac?qjIwBAX_()2T%LvM~L4AZz7Gjv2J^OwUz)Vy50=NMH$ zZgG@hm*z!*t_p|xs+@f^1>;9OX^Ze2!^+=LW776-kV{Hr6Qr6}0a~QzbXxO^)oG`S zVOHNyW71Tj#RbPHvN9!RWL>gJldmYJe(P5~tgHMrQu(Y|63K0qIgA?bZ~j!9z|6cz z^#`9sbe)~@Z?592QF8qzRYi2yN=B0ijBN$tQj*KB=q$e=WhWMmAfqsfyr2|sEwz64 zDueScx^m*n|0yypjbZ`k<-qwf&ok-6sJ*T4=Ai!_dtc7L?3lvZ%Q~SdaN=p)yGSw_ zJ5a4^q-)J0R12}GrN6~Kx*%H^%a2O$+S{@#LgllqiWUOG{00`pYTBT>>e=yM2n( zZPW8Li*0l z*JmguUeUBfxh}`KR6w8Yfks}EEk$bQq#Y_){^tzWcbKyM@SNgxRQ zPFdh0B}7fdxDFhGPqA#q2a3!S@iPJsO$81W@vSDV)1wr6>^Q9g_yY-6lfK1Iu$+vg z)`U}e%b`k|Xp8+Y4Cz!~i?9{JMwcU?#mWZNY5dhyCtXG;6zR-`4C9@XxQieM8V}>I z6Au1h(7>1dlNxXnIKp``AA$()Gh8}i6x#fXCq)@+s*SEkqAc=ly!%yuZ zInc98En5e>bocWA;hWj(PQc&9q$vLV?>d;I=RfPyCTJmSipi<2H>-%vAcjFEQY|mGa>*WvRZJKcXhDZA%PDNdl%ixS3s-db( zUgyO{%-zbpI@>SDjl{j+cEOsAE?1!4Q{LjrV^eku&lKnd!#Uqm>*c`wO~7GJQZo0a zoqCu5>bjk`|L&d8DZ@eULw~z_ZzF08n3^6Dd|$NX-L69M_35IS=wm6$?L78}p~ve` zb9}E{&z)xDQkU0&RM>UHBR(>A#`?BL0Z*M3I>x-4J??=x zFKW}6-rwsNo?sr|IHx00+q0`(hL3hSV4r0#Ja1_=AFhg9{NI~62lEqVd>nTD#F zlUo)gwpH$sPdST}OhTuoyFL0OJ=a^d*zIpP1itrcXK(h++krsUTEBm{Wz78E>xMnf z$8i9FReo*=3~{5Iw_PSM?e+Xo5hu@sho`pN-EC&zsB67?+i%IJ7JeqjWn{V`&bDdO zyHUZwUm9TxJh#7{!^|v*d`a}PAUhhMXEWQhk>cKgcPoGTL#_5*+O}RM!0jzNzW1`VQ}AhzbjHWY(EVzUIefVq zow@#mUfUHo7VqZgKK2p!TpJ$my)#nQuzxO_J2b7-ADk{^u36-^XSJT|a*I8a=X;kH zZPGHX?;qm&++P-iLwI+R^>pcBxe7SFfk|i0d;YJ%dE^B!h;u{oYZ&ZL@aX!iSVWSJ zZ#bW`=RN7~D=Hm*w3;pna|GaqKJ@$nb{mgKWyc_}!Uv>dJF zp)GmomBQ@=&&A^<*2zKH6uv~xFK7}~8b2}Lv*H(gIo2igk}DVKe>R8Fi3BykLXez1 zWC55RP~;@p%h^5UC{k3o`NI}c#o4qI!<>o|uL^szOL7t_3W}BMyi)!cC8^3%CTVmc?g zR1MpenM^>@2r2oqFL$Pt`2{|9R2X4wm1n+9iVVY`SyYn|EM@v(M@u1EEa4*I?r_Fw z@DdF%R6=sYDNnH){YfBBKjSI5&Yfh(F8O$`uOReG zVQ85CZ&O96r541d@7fKFV@V9M4GgS|D65~J8%)Q-8pfqyXB)m1&DKrir4vakG)T&< z*sc=jaG8D(wb|MuyfX*t!awC*3wS0`9}mve1G@9Kuidwv==*=55xc$wuCtK#7*Z}4 z;-uyjjBy%s#zTIaO4LtJ&W8SGuAADmqP!-Pfn-yrlggWL7IfLNERy|U78e_nCOsUJ zO<=(gHr(E2NeQufC*eq5;a%4!DM3A$kTf4hjXu^I&fBDXGAy?g5fQ>k<-$45Vr;;% zp!64m1&# 
zrv1|Dv+&J4`Y=)z0p4cW38MJ22NrcGk(NLzKs@*WCw%3EM9hYfd&&I$nEnzV`w6Go z^iMl^C(#df!Letxf%#( zCkS`rG)kVf%<9DohbZ&25NTD%G2`mM!j9*c`Xr@8y58@IuB_ zQ>8=l&^My#Dv#hOQDIJDA6LlCB^yr{wqw@XK+S19;od zAviB;SvW?nQcqKAFV)T-|6nAzOVv2CaxtjAskC|2i{7oiTx93LDOJ;_V}mNY)MkE& zVp(d(CjEN(O@p65R$#${8mc`->uF7^6Fa*|TJPo$K03OHv>kR7(p;l18F6f~PYI82 zeKNTk2ZxvlAz2yRP(CZ5 zd_HLs^EhiWPFxJ;tMM8Zq6HOJyaj?K)u9>^6bbgnY4H%l#;!%fLQ;n)Y)V(yw}I}C ziw7-4MU(y-7Pex)BK$CA7#h{wah{~^;?+dU`v;W@#o`6jWQZbbIkEQx9G$#IaMw@vf=?(oE z1!8w$H3%cW6h!@CdY{h$VdOv;YLvg}f3)#*n@wQvI7~m0r!X_KAyIuw;+pvidN-f` zc+5dqa+fgg)m-@%pABBw&C|0CHTN@8I=*aM;;Mbm&^t=yp7!*x_OI1F7I42XILxj2 z)VzMT^lLB5+lgqBwVme44S6>|i|{IFrz-lk!ExPc=iy)!ecv;;?bkaldsEoAO-;p% zr+KM&peMn*S7`R&yjK-*wO!9X-ZDeyG?)F#-L;U#Rn60t_x*-;uMX93x3n7GhcKWf zU@zy%e)G(I{N-++9OSZY4BO?gka)M{efW{grRUzR`Q^Ki=e1_s>!*gEB?>CE`y_`y zIxOp&&Iq>JHIAJRxmG4iUqv}Y!W zaohhCCEVRW@V(-q#b2q$&pRH#w6UAY&t>=kYMj3BF}nPBB;!r=&egh&5ian#$;PR1 zTs=?!4Bc1;f_i||a zUzGLgJI?!9ZxxN?19>F;(%YREwyz$NKZ1ix8%@sFUu9>o!7ht4cA0mrZ{W{55XuX1 z*ylEd`Iiqi_@4~o%1emejR@C!$mPkQEQjTLs06*s7Xn(E}sKsi77u*iM@|8#8Q{&{r;1bM)Ep5ymuVn|o2?5~{j>WPF3A zl&|IYY*iyV?$)WCFQ;O~m{Gv}EwmF}QpfuZ+CS@$PVr_DucL}{qfE*0yq5@OVkFD> zE81F0tX_|VtV=D1b_m^LC1V8@6k|(>j}W-Phsnn6Ybn;zh1nRIJT4OlwM#C!5r%Z4 zueo04QC8Yfq;KniCvB8HOK8M7tH)N{IL2=^XI+}PYYit12^od_@6{&CiC-`_V+QN= zCAi1tXQK{fgw=9smeV@4W9d*XL{U)rvCiE85%oh@m_Pzwd){oNya*?SVlSd$&B;Sy9E&}Z zHG=JwtmF|^U4;M+ss$s5~M5YZT{_~d_% z%*x5>44N_gfPFiAnL%gd_J7K!S}9lL>bi zSW6`-7AX@Jr^pSPp=yrHMmvhn5Rt@Rfi456On_?q62ZAtkqDP7=}N$kk+j7*tJbkp z`Bc0+TN(^W`pv+6z7`rk+m!7RZHQ}~YHqvYdec7 z=AWRMXD^6xs!`DIS>i<-m}ASDY$E}re_})r8*ErOgIQ29U-#=NZ_cEaKZ|1Qkyi~b z0MdKlZLmDH<}{41^@2793RUa3tR3D#cQWY3#ldZ zjh1BOADSKddbYYT2F%W6ya(i>nkp96mc?O7{ofH|WaE-5D~Ms0XiD~N)+`@FP-}5+ zha6AXp_+`_%^(R-pcqq~@Xv%vXrKV2?55ZhT3Pl z9B1};+q4!^$1GzUMR_T2fiC>F$Z#Z#g6|Snhx|TTNrhZFPuX-oU@@_w%1^(cf;X z{k74*7u*LY6Tl*ri=F@1Kf?c>1oQn3*|DxU)w}RM+IUnQM2?ZP9cEIS$D(^WKHFi=1b{ zhU;!}w_U{f9^3b>ZSo7vZ(EOuTP`2ij`n}HaaFr4@N$z7P7E?3#!cAzUE;Kg5p3W6;i 
zv;FOOlr?u^U(s5JX+9i5k278B+7-d<4kM@yzlZa4tgB}JJ*(?&&&`}zWB_QrQ8jqK zWVt_8S2i*{4m6vs?r&LSTeE#5cifPy;klDlg#5g_-^=@`$xVf_a=&Drb~>5oTjYMu z`ptKrd?1>H$KNIWqxLS}RyJPXXZLe4=j#G-r$CE#kJtW=@KUyKyWrZ+Ej4iuIEArg z>mrAH$paimlHb;U+R6C(Xdh(iF1?3s2>hHzt=e5_L}1dbUy!vIqz-T|JK{-HLnGF^~Aa;UdV5c+Iai7eT)o#`3z>F z?1R%Qzy$XN;K@&YHTl%nNa!N%*Kr^?rp)tH>o<=5q~&bcBgv`pG#JhDtm+uB;C|gC z*sVs6O?8p<8sAL;8lV+P$Fdd=%H)~jNT-3Il~UJ9E>vk$8>ePt9ZI{YSMJl&JSl-A z!%Ay*DH!-?r!?ezXjQmRLB|)VKAZF{5p^1pRumsaD&w}S{SWysje;2-vswXp3vrxr zFTI*@H!EZ8ue>z+PSG|yt*=n*06U47?--AA-ydOTZ<|68#P3=cXPnd%_CsXji{%TdPMDcZyw zbl@D^9)C&F?;(R|+(@zzmDs>Ahh{%n`r^0W#1Lp!%3T;-mX0XPA2%AMRHKTvQ@s_&2Q^Z$uA)g}E@no{vnvc&L} z8I~+Dh_69J@TFUochSAHN?0K;Ga>BH4v~n5g@=M2!UqPa)?irp|BkFr zB3Ajtbc9=nV%7pnrRkC@C z)1<41=Tp7!vOjf6luWBvNkUD3%r53xxvWBpH|8eAhe!uAQGJP>llbVuipN)kDaR!2Y^uVn~Wees0q7fgx&Eah;{s$+Yzb)COjrS@4;{OQkbsB{MeS=gmObk_$ zg|HQhXl@6qT8A>WaVJsc#o(>Ouf4zG@=M})sY4vUtY6mPtQ)=1$tIwZ74I_L@Estv z=nxLEgO4(jMzJG0hNZvC9y*YUr6nOp{0~##6kS==ZW-ICSQS;AifvSE+qQXEzV%HgP{l^B>dDuc3fzROR;d+5+ko`TLOjYd&6bk}8E+Ep&Y(-0Xr`+*y!F`jQQ z2?0&mT%W)>7RT#Ut3uAZwk>purq%{={n(oGXD4)oCN`cvgL?CM);Zirg@uDN3Lqc>BOP; zBUHd|+e*b17-997!nfX!AP^As5wM@{v_vprXpzsp@oV+s>4k@f!!R5bZm9;%v1E>v zw{jq{Nr!PDMjpc|4Yx(3B8G@`LF&P(P8ZJEu$7R`NmMvTDos}04YM*{m(h-LOgGAw z&Ka`>a;y5-wIzL0nrkViw$%%!JV-uAzJej_XE>MA{eJ4Wm2%wFYwY$_^RPNuOlo1SY~zxQ|Xu3E{s&s4L|%t;{4M`mV_Yv}ay1nXm6{DQ+Uu z4I#-Y`*VC5rqea^svljnxZ+}vg*b^qZtuIZvumi|Fjou2?24@@6ES^ac*@-9x=aV? 
zVL1He71&mt(ja}}%czjLl~fcV0^~a8BEOT_4@!4jHZ#x{q$V0op_e?=bBv50ot=hzq<_AOutl8Uy4r1%gP?AWFWavHGHbxbHJ$o{>`5 zfEm|(A9pA|J3O0?+g)KOdglbZJ68s7$N1O!k57l>0$LsW2yc;DIUlW>KHYXZA1(D~ zYhe!UcT-HZ=aYh#gXghY*IOoj&uL*quWvb7TL3ZhkS6c7-*Py#1YPfYJUI4%MVpme zUQi;dNiex%GZbwCro2MQ#j| z?A#J#0G!djZUD}vblxLL?8Z8JxsKM8Fjt5@pBe#D%cV2jI9~5U-`|6w&0IyHXG1*mndSK zz~@4hKF+eNcun5r!{mKk=XF!wwpT{fG;iU{`Gx|&Pp@8!wu7K(`*}P0O0FAlD$d?- z&~59Qz89EEunD};d+vVhmRru7*k)Njm=-_3RNXSKpqBT1`b?_Z_M1Cc^a+2wt^=8G zgiwd*)HbRgzGk}3Rk!buJ7lGF+)=OBb_&*K=<{8L+>$IK+jCdF)wEmK@bca>3EbKY zPH5QYzJ1jnKKHdglbu|z+34N@p?L|V4Z2qvGp_YNHU>Sm(fDtud+nHf9_KY|on4Gy zb5J^-Mm#5Wrs52`@1QU|tx>wn9#MDvUhAt+H-C%(Y<0Ody{>d0ySTe+INFa*-`?_e z96tqG1vfXJs_j1AK>%D(uk6Q;z(d~RZtupoIYngdxIr3YTTzpX#>^O#}n~DsmghN0Ri{%QVH0 zh}1d9QR(I~YPR8T*}>s~=E6l%mA|JzrbUA1<}|;B$H4k4rXw2IqjESPZSw2nfXxV7 zGtB{|=0`bd;?EfhY4%^lDKJO%t2mBDdI|T<&Oyz3B#oiuZEEs9LM7uq2eC{4rWlYOU?I8zbqi$N(b_Ro#+;c5||KbN`BJl|nve z|5aeYZ8&1cY8^LH15x!uKX>xLrZJ;(*_Sn9%~5%v$vLdz;VW2DUDCTb-4QN-5ucJp zSc4ebb-ivpIzgH$Ycidw@eym4%=gcjmN1b*tagP_F_kFp^exQ3sTvcF#8*?F1RfXV z+wQN)W5lzEL5-*_wmFj+HUHq={z)Q9;anbdCmC_nAcc{~2PFkSkJ%Q_Jlkf3PX>8NOe! 
zQJo?qBqlml>f_+IB*Y#JPYpfDubar|nk8C%6*Sg*ROsvCJ&K|+8P!xtzp3=m+5BIU0YZ5Bg zhLVS$YE4;>MyfTjKJvz>gtduhv(L1cBVq9%v6i%3s^ExBZe->uR8g-rKz5c2txn%k zeMGkI!X!OjLvk!ZKjD|;uf7m}=K&69N6zu%10F%*)b#{f?G78PjuP!~C!x^NzR3A7 zU)LM)N5Fg8TOQ>pXgO0=uSkjEAHw_fOIGeCNn1!6PZFZkBUyr}nYU1C zV=s}`E+&b9p*KrlBo51f(Us<^wehEevO5Z1lNG9onO}MiVaB2o_yBO+6&dXRr&|+$ z@%^xOk)m#H?`ha_%tJ8%#=BFQA{4vTHZ#?OO`)?d=QRO>(;G?R+T~^ z#MFlpx;pxw;vRx$_MM?$A0}praA2WoWxTiO#WNzurcT8wVDR-Wwt{kHO0iA z$?{d^sn?PWC57ewsBRK&!$?tlEB2%t{x^kf{*QIvm^S0PgVYkkElCspvG;-ttyHuW81UQdM0*`~4k`)Y-`-F{emt7GQ9KdT( z{hvhzwC?vmU_Y6FkVSCe{=tB!mjNac71jX8sH%+^h4DXkVdH=JxX$ybRX8cHTYd7sooG**z|cnn$pxaEoZVovvH}NextD4>)yv-dMQ0O4dZ_B z6}YS`!5*s&zu0XZjA9xPh591IlV`#kUr{5v}KtQq^@oEm81C{jjPRE|?TyLa z?=ZAV)59-m2GnA(;U{Uo+#kp1c+|C%^CWi>dijmPXAx#p0A{QAxuL86N%ZYE`ObQ( z_f6q>o%dTXCT}~e|HDDSdD_#)hszF#WC#Rc00CP+Axm!JUS^^}fS>!l6K11P051Oc zPaDRld^Z_5fib`dlNlr3JO@Pu425j;uutR-8{iLA<^2j!?iC7zr%(r0GfNvJd%y4t z*ykVoYtlOkg!1ve^RprO@%skU{$%ihKo_kjWv3Z7nzYD}FPsRy+*?z@=%=w(gZEad zqA__WaM#5v^8(@9_f<+RM0r5mAGQj5f6{>O{A7^ETi(-zs&p+iC+Xxr42J-JIiYz} z5^Hq70e6M5rPZREEknWny;ND*#I`(?G%<9sD{I^W(QJ@HKi0P)}pFQqK{!gx#+}KY{@(k4r0L zq??*uUpw3bM)UDo_pid8D@TUh!2n?p=i$%5sIl0eMSmLm6gK6P!{dr=w!hF$5`M2IsoJJS=s z>rbQKzfv&j+r-m-Q8^`kE?3-@_mySQ4y6D3GpNAymp;jrDPs9NKs(E_B7$F5h#}0* zn45O8ZOnUq45OzXF>-*eV*sNllRZ*%i(HM>-n7#Qe(Kq+O)W_j?Aub`f#jpPd_C>j zG+4D1S`xmwul5aft&#_yN#TuS%N9yZ;bzpxm^%;4(vg^wE6+D^L$G!{iVIg5@ovhF ztzu*Jm*Z7hSw@sPqkWPAI>P1dqv#LcHU=)TeuXBIH<@;|wqltngG-Ap3L|%jL|jHO zsGuUe`~z!Y#zmXM(-I`t)T_l+Wz0JEyM<>x@TjK|KD9};&W|>p-;UC^+V+2)f{Zlj zSTzenD+AW9Fzps(`-+O=;Tjdw@sDx{%T`63s@c~)X9-;gBsQ+%!sXp{ub(7LbUCCg z6YCt4%T5DuZ;MQM^F-+}8@icErOgX02P&jvJ)GHDj@o|q2X{-$C27_MQd40vZpg`| zmAk5$*I2pQM&wXLaIjAf@i@~{;ifAsFqTBiJca+;44o}WY?xjq?=PRg;K^;u*6-1% zjm221zeHvc(f~*Qh1^NJeqUw6G@R1ZRd6JUL|)JJ4OIureAKWow;Yu}hh#ayT$^w# z#|UwnG94iemcG;h1xmfB2!!-!VNEmJS0sH(jKmi2$gZ8vlp;$FR3`1=og&s=bv*7J zoGelu<lle1i@0w8S+)%WKtm?17ng%J&{`HYc4BRkoM*Cq0%iXXdVi zva(~NDnoMP&&-uQ`#M-9%Kgi@OuwhREr<6qLR 
z9j&%C7H-m;4CAU5Z=qBw$ZTbM5yL`Ug+<>?%Jhym&1Dh}qV=jUm64JuVjCVJ=%|y_ zG#AKAS!csz(c+gRhz_D;(+K;Ci=9q|&b9n}k|WTnuRKNzGe`3MV_-VI=f#+ICH3Fe zzzoDJkX1H2mGiq4&mf&n#!vqbMEAxGcODxIyycx{=dFR>zmG_s0ovANu34UU3_wAK z%)y3M5E7s7U+*VhF_uBQR#+5{%ptx{Z+R+Df(d*CTqxY1`P^`4x^EL})P9KDyw4<^ z_6ysek;qSS)lDPX_pzH-XNMdT{wxC5Pi+sbSLG(xKF%e#1=O4X;N<)+a@3Jorev4L z6>44Qd(&ELP0yq#;BCyi;ip$L!Lxlw9Ix$`+|HQ&ZPvZPmSsxP^V>bDx_(dV70+R- z!N>m72)CEbAb+f+`Q^{!T(=efhx-1lx?P3Z2frA})>Vrv>feZFC$$VuJ6sLt3i^cG zPmXsrFW4Qu^Va}S)EeaCB<&9^J(P4+SY-|Y*!JL*qnYv5JaxwL8$ zp!lvDefM9j!^K?_HW85IUH-{_$V0dN)sM*+G%NY(_%3m|$lAM26j+zfJ7d=~zJw}R z*K=D}1;Uf*C0SY#ydEObw#iM?p2-0KT`amCfirv8d4Tydrp??ACr}ZSZi6>yt4#O3 z$*=W|*7KGlYs-7TD(tdtVCITjMt>jdGi&AY<8m2Xp@n$sIesfv|LWqo?&I?9d0P{7 zx{Qdzg`2OD{SI??m6ydiMWg>TJD)YF56Y#}f4jOpmcKeP@Hn~~Si*T*Tw&^P*eQ#h z`t%0o$Z@p2C8#|+RXd%vwf5YWFw6XbIaAVvBN z2N_mmynw``XB0t$3Oh#gf2j%OKM!j_8E}{|$*Q~SHP1L<$aTgteG3j$B`OmFL#0X* zW>fxwU3C(EFG8-}NxYPYHk*)Rz;`6?L1VL9n`uJqL$gi}Etn;UEjL|=*)Z*=gVSHd zlZaJ3d=rIZKt?p=MO5psZiicsUWy=4YlHrBVKFpAlTLI#<%h={D63xtSTYa{%i@Ho z&b27<HV3ASP-M}wtsxb$Vg1DWCrT%((_TFL*PB?!1)N;$F0byBTIG2hf@3_uS@Fu73j9K=zsd4)2~#RQ&YLm1lxl!46$9YspCrl`HYHr(P? 
zi!rv)&DK;hk{U8pu@=%ub26C2|B z3Lx81YYf0|WORc`*Os;*8cU%{8tcp4wQ6Uly?M0y&KI3UKBkcj79NIliY>%zquq0Q z>}Ede94~fxf5A}tEf2&B9K8o%bU*cF{mk!O1`Qc>e@(vH_Mi4bGV`DqcHs&1-_EgT zkghm{RwCs|J(x=DDtkJ@bYc+clf3Qu!OI&dxT8vAQuye5u-&BeoSj(JixRo8iS(L~ zh0?zX`kkbNL-Cv};d3OWOXwcpnC`cVHRYW=Go?*KDa6_jTQ=wIkfIZ_Sw`Ia=hIm5 zcNbr=1p3D5ajT5jG1)5Ze`rWc#WAIhd`~z+2vN?Rjx7|L3`?@#qAzACt#jIv(t#g5 z6%&zu#Fc8dVp<`?h#a7TK#9bpp@M!ssl|YC=82b~nWAfmmTa^tK_0DW;hR>WQNcz) zKyi$$R(m{E*;}f~HRVwB4BrbJDTPN;m*Ce8m#o~b56%4hT+&e;v99R03*1T73Wb62rmP4H3;tmKtdn`&8>^tN-TV#*HB* zhlqDeS~V)TF(WZH(BvmZ>3Zv;uG^*7*7FAwH)$zUYTL0DhB^Nj*9D_g5tbY)=Mr1% z_Qs!b7cV+K`}T|15Bp>l99cdMSIhk=XmQvN0mzv!rI2MJ+NoeD)0!(x$GVh@tBeJCaV={E`!o_ z=LlQ(b^PxEdIAWrRv3oB;on>T}~72CRB(#N*OyDzTaa))@H>dG|4Rg0%{( zr(HQs_QQzFuKY&LuslXqwg<0ildOhZyz`9z2d_JV`B+GPG#?g6!0WH=<07D?r=Ry} z=UVW@_%C<@7K$GNDDZO(u={m6pTA%g^N%ZV_e*6qZO@5RzYVzHg?q_Sbg0 zljr&=ce{^H5$hDw(bWl6J72+rabHWqf(~?q?&5qLfYWq{E8A`*MZ{sP`tO%?-!7I?Ck&pVh+xh_C3Cx$wB(+X_tSDc zj&)!+@A?{hwe2aq6@X6tsS|vc7vA>>t<4U)?=7O7Yv<2bDjpYJxA4=PJ^o`Yt11Kb z$2tCcj7+va@%fxrHao-5`p=gFT3kI%-X%5z^8uiN~7`;~0J5kBYyrcLKu|MS@Et0BxP zCVrdNPJiFku~l}`hKsGTxVSFo(I$Bk#-8UF+gFXMPwOz?@B2tW?T=`7_r_|H7Y8Oj zvCijC)Q`hglF3Y$(KnUONCa4Hb9J)Svss>orBxeIa!|Y?8r4|8}`C z>+$?#+J=~gzQ=LtPnm9SKS`4gqC;0Uz~&Eh$^CNI#hPSq%d*Pz_1RV1=EhLt=%;1X zh7;(bs6@w|{-SYOkD&G@YGPY(H(aF^sCBxO=6F=7VKLlES?9j>ybZVn!d6P!qagwO zH;LmWkFIxe{7;M1CSZ4tNZgu~^T-0!PmG0>+1T(?WydTe9=fzl7wGdd+{! 
z0@JQAqy)Je7mvSYxsb=V5c+}Vd)j#<9^WL6Z5h~{;*xlK!$0=>coQKqY+T5nYA_p% z#mnK%SgAn~^M4(GG;zz)SYw_@)kyq_i^hd8&xc8l#52HOELUykjdfe16Ae9eD~CEY z#bqp+8*Vc-HQ~%cA+X#zmk;d=r)A3*lfNIWFkgt!iLZKI9QoC7LvKoh9TetEVY3q4 zppK_K-*n2+=#8;dbh2^%3#EVXnaU0xN2Went> zpwoiyI?NjROGVw>xOoRx7i}HC1p&*T3!d%Y4ZjqoOpYnJi)#hVbv)jKWj*XHXesNN z+w>wGf&OBP0RM(jh2FmU7ePJN*a>DFPe?g}h=ca~An|e~#~uCOgY)iW_9@Lr{hc|L zxnJ_0ziOn@SlacWS}?u5={+_X$C`+cXzsy&O5E2d(Is3SQ>UIEpL?OkS(a2hHl!z{ z=%c&KB$*a}x2&2wDS|IbyqAHG3v$y+&yVp z5-%AEzBxir2x}4gt6IF-zI0Jai^7cZ7kD6b0NX8|!j#2?6uUt>(o{e0C6aUAC;->o zDV*r>lWgdyLVz##Hm|M`L_g+y?*Y;({B%fHS;3S?dmze(lt4I@Uw2$2I2J25s6ZqEQ?#Vc3pWg(PPSfWYh*8!&OB$TZL%>`EHk-#*;YDGRv)D|@gWL--SV`r#|8Z10t!o`52nGTR9ml4r!`)llkVTOTm zY&vC5`7eyc3?{`o5S0qg`J!1{7^AY@m{Y77X?>c*nik@RujVP9uzo2yW20MVLJ=ua zGbH3tl~KEv2x+fTpf*jaO^wh`d`p-=A5ev=ge)7Z)>MY@M1)HB`9V#DO?-aOOjy9l z{E+D6rh@W)XZ9?+6;?M|WGNunhBEHWAY z#IH^5nP8#l@4Q_>X&Wb}*|HjB2!RSNODDVdj1qBTcs<=ZRhk_0MdPZu#&#wAad?xE zqkFw(MAZd({*Ci2!p-IqD(LTotUuG$a~@J4xY8{-kT|knHsIltqB^0eZ_k-yfAkyC#S-W6dnHskfj zl{VcV@Da-VWxk+mE@macPl$|x7k-OHAY5Nys!3T~`(R2tSZ}ydj!;OPekzaPAydpd z$<1Fgo6%#U47)%fAMc${g23*O-dLe%axRRGT_jNvfCK5eSz?i9V(DQ#p-EsA2mWVsPV;+ zD$+iFDb5~{!(vv>2RgdCJ`)J^GTP2<9j-h`vgoSSx%XCJyV|$V5##!s=}w!kyxHEL zK011D(lI$ZA1-5<{QeDGwq!Oxwv5=-eNe3%E+Y`+Jw$1>UcO*;Jy9XXeR0FC*?FDY zDC-3A%hm6kZ@T_~+nR^zhy``(Sl@qh)FBItMJvF=7mEi-9fteL*2#s=i#vgK!#QH6 zsdGZ!0@gT?{(3$mp>*$`3z_Hbx7GJQ-!31Q2dDV!*%`Hlh`iN6<0SN5##=Hs44Z;L zr+XRs^_SYTC#DM^39nk5-#*k;$!OmelU8xB%Z1$YH2(pf_xsnEk6!|w1Ad+A&LxF5 zofAw8hI<5|+Vq4i6M3H9+PbC5n_`0XvTCmdl`#Ih8)y&@h&$hXu@i9$cFTP-D-y>iG%zsm)39euN-r{`os7F6(cfIIsU@zs%u|yFBny zA62xj>v6TSZnM7YWj}AH)wRas+$&>oZ2HOpcsH}97VXmN>(9J_7p1I+x`KG~GIT;?+VN3}79Fip_yv)h9sNOk{C zRNkG-_pn^nGs5KkDpNx%#};cl0v7Lc^WsBEavs#_P7Q zYQ|(b!?Wu0_N0b-+x@kHv!{{B<-j`3_Vw~jM^u3(BYf0YyeEZb{baID+f4K>^?85TJ)Wco~A=3*CmLiirq*Q)%njVl1;5pXBb*(eTMKyFN|aJ&mJMbg|K_MC-P$kv73+)l4JrniMS9+8f+PJDbH`dZs8O9n z%&n8b-Ac&1D)@j(m%P+3sL!t;-iCc_8ctrPyj;M zmx|JCPDRo@GY0t7&Q;uhS+40aa!_U+#d3;qlqrcjNDSlo$mOBWE~MaPd)8ii<_lgO 
zJE<_LmZ3t73k<qK7BZToTQJ4RKYHScfT80ReihZ0#Ml8cdP?ojOF>|yHBEKq(YQ?W|rnz&oKlYUjVNml!9cQE`6wXDy0@iTwr0^)eCvnjc zxyx7Vv0gK?2$P)0rDh1v|HnA>-xjL zRu~RpVCai$556)`U;o3t3W9JyV*3AMq5>XPyw9}xy>jE!y6MAip05)8k=gOuSL&r0 zsjF*y-*2t$8L?iecEv7OxA4$^IaJnIH_*9lJW^=YJ?;_R(R;X1$kTaSIoDNkxfYD_ z`?uVUq47xHC39tmx($p$X3SZ|F3nL*l>Blfe-oHsALz-^~kl~2_)UMqv&au9|!l% z@36SBEeCb`JV}1geOcOT2`I|qif@0oTfgfg#|`BB$Rc(BV8Tdy;rH5sYU{c@oK-Va z>zna*6w3UVV;7rvynOw+oKvSk%=1R`+z+Wf_F>3rvL zWiQZh-Tu})4M6c>c-|InHAt}}ZZSLjt&tMtUT)BJJO(RxO8BLLo`t-w>T+EMbb+eG zJ*EX))Ia>Kdv`hpwzuJf=ziM1u00Dl&uU%2g)w^EQ2`r@sGqeTNdEd|<-TZIzjoGk zVu4_;7(cq@+*LGuHFz|1|4ClIZF2d#7IE*iS!8Q@UgqSepl}hqKbcJEKhNJHs(6&B zx8EM`5ZN_YDmg4GmH4Uip6(L#eC$ynUbN;RDC9hEc4(a8@NfBE!F<(KPETcP+2_97 z>UsP2hopIEaErVg?xSXRuM70j)cCIWSO~gp0D+7pUV;K|o{{&L3#nd5H!=AODB5Nd z+IIIikOG=E|K#ZyhxK1-9CCbLQfzV@7kNB@R*zvMzP|g_2Zx~llAVF3zGP=dz`R9S zAn3nnR|UCogxXf#KjK4DS+vN?w;iKON6_=CleDA(e)BGpSB1Hro7EF z3g&rbV}-X)vf3jpRT275BMIa(XfAzCtUZcCqGV4rE<;N)8ZK#E$S67#;(^w-hVCOG*t>#U9TvMQC;vAy+;nEG$RiEXAaVej){Ain{T2 z?p&imV53$E7^xQdk3P{6=2QNS&`2}kTv^mXAhMbbey*uit!lj(sLy*Ij%0@-FR4JC zE6=4H(wB1$I0qOC$=B(y9a&I8wh@E7UCw;`a`eTI=B` zaNH03F8^amnVVf!?d=y;>pS`#O%cMUY1kgfe6Tt18GkNH$)^+EmbhYRor;YqsT|6Z zpp^aNp~_5v;7pm?K$(Yd6AEoAsMucQpK;qZj#f)?M04_`FB2%EweCdYlWJ(W1N(3K zx(4v)`wZ|);`W&L)hh*PDf!apm}B?KceHYS)h zP(;Lox#N zqsxMin&=3vfj9EABWYKgpbuW2EV_s8<|Q7i`bP#qy}mo&S=ngv7}62Zc&YrieQSCF zEsP9^h%>2ySTdTpqmkTnLUL;H<+qI?@t(3!(>B3od%M^;OdfkEE~%?t4t=F?qyf|jd>ewEMJZdZA2 zX(||wCJ*AF=rSPLwy%k7ng1b*PK=I++4ZH{%4gs-$9D5FEk={tr!=3mXl#?pxb!4b zrYV?wNW@qytLVD$<{sMz_SB;PHd8SnCCq2v#6u2UGEGOPV%5LPX_I|guk(L(vk083fr@zjxLF4SY!<&4+x+uiA+}@O`^8wn-GQ?8OY|Sq;5z)JyIF# zpg%P_;Pg|%-wPq*wO?0XkAlNr@qwpx23NETOi7M-U1AxgK7l$gZJx6n_bt1-9J=vtfA+im8%z@{cN?C^eu~B6Ve0aP1-@sc zuI+}5e$zey)^Pg0Hs>&QUqYm>>9l#aomFN5Zii+7r#l^U3_e%BR1c@I3SWVs&(p{y zm$CY%3rS4fZY7l4lzCe2Gu=^>LbX(^RPwlxobtsSN*ebn!`e`^IpXvn*qW{w`0`DL(p+M0nx!cw-q!HR@3oy zMDKV5+MW7YI7s)neB^TO3_9CfDCxVH>v8S%9k#vAX!?sxF#M9w^S^JcecV`-^u+}kgAdQT(NoHWn5Z}LO#=fzxD%O+^=qLCLpuKJeo 
z{e2x*wcro`&J-}&wp-rI4pIU#X@i)y#crp9EXS_+eQlO5lBXOvkoauyIHNa3OdfwNbznD)??$m2m?PR=bl@ zbz!!q_@@DN}TvUpi zm>c1=>wD2axjC+Cr}pt+qL4R?P6(p$fH1`Jx5{8{_t^krd^oFAR{^V(_i{t>!MnvB#LvQ*>f-Kym_5;C}y3;1y<@!#mrw8$C$(G0fg&LuC#v%+CU zf@hX2$&JvqdYdIqRmowFAS-i@e$-#hhmL(a^JEPWa$O~HyHwJ&Y%%V3kC?`qO-!o( z^#ko&)Nk8~CHDms+2p%*)uh-5=9Q=-gu@ZGA1q1Ia&}0{=mR(|iJO68r>?yu8j*I3 zqeh0+Rq_avX5Y;re2)X7 znVxwS49VAsV3lppoB?YIbVku)QidFJ_ls-fQyHM}BqWIP>OoWV-EP+0{)@#Eq2F&} zd<(Hnfwxji5fVsi^CJLWwHxbc$!IMJYKR~jt!@w+Mt@-`Hf`cyA;TQm+9KVb!RRq7 z2T8uYfX9}5OOrdAJqmvo-sY6}2i;(`iAuGwy#KRUf!?X)V{!6X>q|J93ONkQZ)Re} zVNc;=xj{x;FP?4sRwz#7rY;c`nvGyAS>>`^Sr&9I1fG1g_zhJAlyS%iY1EDefA$|# zKY!pP$=LlIZ4phwn@y*717~0=9@;#ZPDq@J9F8;WH7CecXy#=R5MdYZcXFIW#;j2O zhTZMl^CP&{A~c6XP|;+~6goV`t!YYY3+6TL(?O1r|Lq&7z}etE&QRr`^=;;030m zO^-hAawRm?Gsu|4oFdgh3U$XsfEn+g`sbVpmK>_=h@D`^tl5afjS+|ut6rXtb~b^a z&@9fN7O~<2Sr{xMpfRdKig?5yAxxOKt5*+wpi-ed_vfFgG`^JXO#ix6d;E3fuh?su zw;!phoiu`W6ckKWu2?I0vg+VPT37GF45>8=_GY~$s!Qf0H2YEt#_i$k1^7SZqk;P5 zqI5};sRP*|NexJNv8S|3?t4M*TFj5~l{$ov5b#1?;ZrAG;!^)|#IDCp?1RK-eXQN5~tcUIHB6&dv04+fd7`g^Nka${y zuETJ59`X<$@-jhQASn?kTxfV)@=th>FlZWp@gGh;ZuS>tMtdiI6b!p=-VzXMnu+eb z<`V2(#Tm8rf5;fEb6>6+)$JJkJSO3NE;hil5tjiyP1IcbvNTLFmQ4~}_-&)OtO#oJ zo7M~(=pF74@A#fu$G0CvKXP__w$TyH=rs<KOKrP0dIrv2A573`CQLg=_z_0zhK_-Az$E5wE3$Fz|oXrNL&bw@roRnqXyMmHsi)7xU z=f_ll^O(xFjV2|Z>r7F9bk0Bv0WGU%&TGE+e@Qc&#%nm$h!#v_R%iZQsoii_(Kiht!uq$bS}AOIVtd?55u^!f@^_@P zwYM)FOVYb6ZNi3Q=IY%6kK@|C;<^Pl|1EP*e7*xm;djpm{<$=uPH&wzk)v+A?=!`& zI}KtIkL5VCHv+W@1pN>4mSw8F|4G)p(n+Vm2jP0)0M+5u32p+N%pSKrQI`&}GG|OLUp$mdU*YdnZ_j21WgKDGE1fxCv zqtp%t0+&ZS`kqHm5mn1){sJcLA5fR8T6YAC=9S96 zEu;dx8i|Yv_(A^-Y4_$##O6ZP?q$1{libpHNH$`mJKS$+`ywKD9i)cKdx!pL?I{q$ z$!yG$*ufMQMHwv4>AXa;PNW=)BV;^A&K7CjR$QL-CK zBj7|l&66afqJJD>kZ~L>#Ds3toPw9$xOSJpAG(+B*ege5FI3XD6ZeCO2eoFkgdk;7 zVZUirl8%I?ke;*`*OZC)6=$RfJ(aVi7DC9mgfz}Oi+8ftt|hBkW2u7KiQispfmluN z#nVy3_Q{Bn=naSmBWyW-G5bm@2xnrUcc-3eTh7)jQcw?4S!-36tVd`UWQ8Sg7~;#4 zQYMBf4N(7Kbj-KKV_I*rTy}QMZAKOln3iw{kKNOhw0nrm=9lVyPq%WfFE_AO4=gY* 
zyYpl@MM{FwKQ$fc{~Lw?jguyckSgcSwRNl3t7pm@$f8y7s#~i+ma$bEh#jrjg$>E2 z+Q42p;pN$acHIE2ZTnK8ORkRIiNKnV9)TyJj`Gl`NmilxgR(W8gPdTiSPlP$cnX4T zYx0)7UbO~0l)sazLw{}GxEY*_8Ba9XDpfj}c~r@?av&XwI{7S8xGG0k1dXy@Sv(Ny zT%jW_t~G;^4ULUD5X6@nHHB=tq50%aT1MeJRFdXWVFQh3B$QX)vH^sZuuLE z@LB(aUUV51@6))qr7L9-PhqAgqW%M=?Z7z&m5w4Qfokfwu;1)lgzr?oh%D))9+`xd zRj!yFtmH|JNMRxuU%~#PcOzcKt#@_WW}LJpc~2>4#j}I()#U1xYaD1amVY=Sc2u|IF&L>`)r2df#X_!{oJ}hX3#um{Y}=*~^1pk~|8?&( zROGNlhz+ZWm4on|F0L}QJE7TJ`5bhjx!yPf#Mga#dYLA`E*-MU-~onP!vpnQ9-%bw|ibJdzK;{-R@+DvMNlqaSR#C%v|j^cUQ z!iDK+{#VmlqDTnHqM|_i4*PZ=N6xtf~TUP59bIA#%Gcni?$ZNb+*}#x>*G z6s8qPZhD;piTtV|S7TlCdp-Dno0+l2k-mksaF2iK4v;va6a%n}c+70GrIQL~GrGD1 z-`v%3pGSxD32<)B8TI>Kne~(HL|T2N<+PO|rkd)F)^E-z3e^JAFZ$I_Q2avN^f=;@ z!+#3}WJd-#DPdHikWq>oj6`{+KYCKs;1)q>iFm^iAM8zKE5Z&@Sz=4zR}7|9u8irB z$Iu*M%69S5de!J_r+cs&c-V?vVBO39ocUh>&3#3GIe+o5>HqLAFXM*&6~wNf6dZWM zSYr4G=4X;F+6SzREOAx<*+J*~jIPl$JF1__OzX6de**V)f7Z57Z~ML9<$QOQTCc9_ zz1HwsAA@hDZ`TV)@7nR5bJqt)B`8MnTop66xNK1h7~WACs# z2apGfKfZ9DVb|zdEP51Guw`PjZF^6Wv<02v*T}k^+fDn~JvMI}Sho&xl6*dqK8@+2 z=6wCi)Lz90p5ZM)m1{?8=YF?Ul;8hh>YTsp3fpeoB#mt~XzZl1t;RMQJ8A6f*tTuk zwrw`Hjh%h+e&-wKJ-^&z{Q+yN`8;#3dtUZ0aOc)Z`cD*HZc}g>nGI)Db6l+NAxmwJ zjIBls61F-%1us&_w(kvFj2XaT<#TJN@!@M3z;22B*3D~LN@e|KyjfMp@l(hSaJGMf z9edq*!=hs1V)=1q=d@Ko!1h?5Xy4m?XXt!p?L4(>+w;PsOt<4EbZw4(vGQ5og(vE% zaRlHzf;q}Sbk2C)`GyVn0EV$Ne@^w|gN~*Un>*k07l^v;kk*0w2%gI>O(q=Nrzoy< zix=b^{F@L=fQsjt*QwVAr0veyv$Qgcf{q!M4V|6K{X2kwObM{kJ=K)soxvJ5@kV*`(0YWw!_5kv zO&I@Dn+~Z;41M&1fqpAFr(DMyKglYkCq3_+oUl+EsGdcfm2g>|22Yo-eVT&SJ?$yp zK9B6s9q;hnm(@*8yg);|mUr!}AyX619i(ZlW-@&aCrxPA{I>J0Tejlt{B+FxJLRHFelS{(6Yg}HbWV!DG*)JLue69H3 zmS5=Iv9O>*NTDn!fQsiH&e!WVen7TVTn}b76)M~i5Z1w875R!shV~`{! 
zq$14VYhfnoh`e*tM#XRkn(_Im#`r>6oE&ty3<5}&Dh`R3@r82=o%z<%aglwW&DRro@)4om3K|1jkwpbj=BWhWu8 zu$<*IPe4nKDJlJhJWIYvh_HWzgWG_~A$^o8*R5j6Gu6zPqQV_aj5zD+s1{+qFHRyu zK7px(&h01Oia9rLFL)_xP19Fm8TR9}@f@*-ESGM>@vJaa!RmKOY;a$>T8mVd%k&qk zWJ-N94?i~g8mG?X8`zo(=4C=%Zuar#5^%@5o?`~E_X5}fRav*8Y0wS^H-(QiQp2`P z456CSmPU*`_)SG?yVFW)|E8TBlZ(cK;#|8&Z?Aenh&!@kXJRN$KviiGV_I1et;iw= z8m{24v~w}y2NzXJFaHzjOh6G*BB~qESRJj?t&%r~n{uw41$PTJU$2x?87HVmp&IQK zq+`YYz1EDZdRlzG#nyHK{sWQs_h*F)d6}-7JH=+H9iU(Yr$e{)2st4OoGj1_8_sN`FB4W}lL( z?7)bnt0W~9N@^2)+Z@gvMx&zK$a*mfz6yEDm;$qMet-(n0JASSye7e^xTqX0`CoE4 z*$yHZ&6&i<|8GR~AixCFLCyovl-~gYgD=G(ufOVNsi02KAErnVrf9T(0=ojMJFm#? z-(HY|DPX96|AW2x64kI2pT9{w@4mA7I%m1AGuL*m1WXXyuiNBmA1AQ{&1?6RQ${X) zD)FhhDIXu<-Cgs=6WtEibtzt6rX8;4z!T+|x268UwyT+JpZjW?7B2Rl-33O00jze! z{TE%p(;TV#X4~W&rR~U<>l(avy6HG=%+Eq(4wnHVkGW8B;gZVbIXAN1b(jl5e@^-o zp5+tbUAx22q3>{%f6FtBOy{v>>Y4p+d$o#*40bKBaoO4SJo0ck)05S7-D9c(gt=GO6eZIqa9>!SKf$V>&{*<<+qrUA~QlhqD(lJq;f^8z-b~@Cg z7Zt<5ed^#Cr9H!6&hA)!zy01{kg~Lr*720w12Aei&q;lqIKpH6c>705^JOUC3V55X zulE+&LPLg76z`hjobRZA_LZaSDs4O zZ~U%9^w-{iAkva9htF|!hPFQHo<_#*+QgGY3!|V8b$;M7;&1~k&*z2iNkWBB{Yn$` zj`O${(ber&1*gc%_JwYa^|PV zciogZ%F`PVgC|YGc%$z$!?MSlY0zy(4rd-EhYOqlf zAhR?H1xq;$Ggmvci8|x!}ZV=x=~{#G$5#7bHEr3i`n2yRY%j?ypDwJ z%}>OTLNl4C%2x=prVTSK>0_Ie$&z}_O+3|N%bI3~?9{uNr%xaqH4fNa=O>~%L_jC^ zYZVjQY4{vr@~oX5Am*t;LJLrfo&(JY9%_gORovw`v)7Ob2P= zg`Y+w2>cIHn+qlQqv?boWFaThSK$fi*+GC)*@ip^8W&sMxUi&ZxOt`esL-puf;lw` z?)p->3bq&Vwmda;SloF)Yp;7dEZ6;bBNSO0@?9~qsskH>v^f~U28Cr&0(Gm*Vu#`v z>I$}{v=4@96mfj%C*R#cJ2e>-{v2;vIIb4ypNxdGgletF$_sl%exivsYF#zaOop)P zA@We;qKz2{YkX3-aRtblOn7rnJz9)0Es*{;h+eApaXJz7kqR{PNzUkboB7BDDVsB4 zdXDB3s6r{p$XFM4_~f?a|5Rm+sZ^{;C}F1NR7HYHuZ;7T8Fn-;ftGUCW=36!6e~|F z%xzZ*`zc1e6~9s3OExFml11BkYH1%^)_4ESUN?zo{*ckD+F3woEFnTr;c(D=fbTv$Ue zU=^?jB;b&HBopADZj-@{E8=k^;v`{)J4mLk9(c=S*Vh&jS()u-=VR8t{{8+U1I1|M zwo@~dfhP>#WKe zwSrBdK|+&kgFl^SOAu?ix|R^)S(G9BnR+AzS@e0Vfy(JeY3SjBamP^7eEgBBZ$49y zn6d`z{~HfI9)dWLj0&Ft{`ViyL$zhV9wI}p0l?jPrZL}V&NI=EK}y%};Qb&O5XZ;$ 
z2W8urxFV6l#EJGDJadAMR~_f1ulQRH95<@4ZGTxU@!9gyw_Un(T((@#aO8668FhXr zzi<7$K{~g-pKDaz@u6I|%7B<&x1LC;0ld4eST~e@-nEsDOs6&IQ36%oezBM2u-)(@ z*z){ceqFirJXvB^Y`Vx{kYXTk1EaQa>H~9x5@H0eRwt4+p@1dp_=Yy4yRp zGchU9F8nIl-Q0H;r)!=rYz(0_?=QPY2J$)|PG27fmsXpub2*Q_IDPpH+d{idlh$M0 zNBCuTjdDHu%%+2+<4K#WreAlI=0oyt*bI&{+E*1kRd*NUvkN(!OjZ>^+koqxV}Z$v zmE~lhbq|})38X1elL>LO*d=6{j)7_6s@DP zj?3dXaQdqMtcq6o#zKPcP1|w8ruyU3F^13UvR~Tn?leul$4Rl~ZBUo!^8V~X*>U-@ z$9RR$EDSfS!mjPf#&FE0+35kZ3td0we)z&Ud;Nm_wyf>^%5_L{xP(KWd)xY4yF;Df zbs>NO_@Z&8n6P&Ha7gIwex%(->BG(Yr=%)F{tf~RUyw}*wwrBUxs!92L%9?cvZt+ueHSMn?Rq%U{$S-DE81f%yAybndTbTxrSL`!O!0BdZ* zT+aXu<#}n$ZuWY}&2BSTOR8#6_|!NeMN=GsqO>J_t7iGiYDX_%9APqol$y?Jni5+0R_hYTf4pJQ<>Y5k*gNGWBPUcXLqQ${csYz3cWg{Wm5 zM-F3rOKFaksov(;fY|gO>H;gCWbV^f7tYvHJ{&nhmj^#iN^c%2?eWD~?`=A(dgMR6 z@_p`c(^jVV3OSr8cwg=MMX!=wCxr4Gaymx8S)kNLVP>TI_%fbfK8=U=GZW)n-%rok zC~h~pi()*Nh%DoJ7r0P=@QmS1YfNc%D|hfRrdrzNEPy?z1>C|!)ycBs#tP);^JS0d zPfY25l&}gMgNz$o1eX3z4AsIpL9t&KYgA=hF;Qy}gcbjMb{>j9b3>B5@d=;NX!EmL zq^l?|DUvBy#xplw_HV2EiB^R64+FD1UUi>9t*jM>Uk-aSnxy4-UcuifCpALW;DF*$ zwU@|ES+1l{;+%%Ni&<$=8v{BQx86Gv78_*CytqTk9!DfA(YAb3CXva{M=%MS&W$)@JkktF z;8P&l#0$hT0`Cf*EOAeN0J#3M8P15*qxVx=63^+&bmi_267?ocyCd5?JodJiqLzT6}(a5bmQ{}K_ zqVI5iG!AZ7d-^G6U3i~L9vMHvdRr}iB6&AllrMPcqK765>1bUz31s)L3xt8@EJv#) z6pMa~>h!P;8&$f;N{2%9q+C_V2xiD+_o`*tI}*V}#28%iu-bFUC`GL(5`mHf^{ zWc0j!6wvjGJ4PFp8W_2nENs^D*Rv>DxjhGbjyf->_k0|vzv-85e069gzBHI+o9a6) z_Dj$^97SFCeC}$!gPzVF8QlR%MjTV!^|X?}?1Pi@Ya*SxS2hmUD;{r~e~~Mqr**1w zUZ3d_$(qpm9~YRE*ZxTIyicRr(mRfyV)Nu@QLf*g2{_JOdxOt=ytaZ;>>MGSir-5j zTx4{zw%@;+(N4BHUgH+j$xMCPZ@61J9lVe7-fkM{n>F0m9$nmz@tV8|eXgb)LEfJY zvuQ-u_lrT==qp!$Cx?ih<4;?y&Hcjco3pu`E~lgYbK8$?d%Kmy2s7))+r9J6&pud=tj2(ro3a(cq~CAv ze2w&gv6=gZ7!TtV_EYy0m{p5dYHd?e#Ua#7q0mWpIT`Ar(eX}&rQuNPSiblAd17r{*eRTA7dc8&WLz<7R)MT6%hM;o)H#Gz+f za{S8u=3k@%n2cPtWgTBv(jpJk7{Xw77B|}0^4X*tGyQRKPn}}X&R2{W4J9KpB2%Y* zZEOtoPe%aaRVRb)IHb;U`>8@pVm#fukXFdLGCr=rX|n&K7262!C)jZNtz!EEg5_sw zZJkmNg0Xcd(C1U+*T5Coswr84UxP}?5`#LtIoI5z%a%mBqWHFQK4G{p 
z4>r;aCU@f)5&i2HCy*f(I*_PpCX`oU##U;qnnX7u;l!g_7J>j{D!Emen&h*1DrHfx zjVzNgy-QGtiS6ZEKA~H&U7hQaZ#lSxchY2u6O@{&b0YX>EM#AnVFS9ZcDu9)c7e&9 zA@6%#X7$e?4aOA+&TK1azi3EZ{sLD+8M>0Q!*3b#_Dh#; zrPJd(M5c=0vHXD{QUOb-a%#|0NRwcA z7AXfjKOrD0B~{DW#bxwLHM}B&OHa%e zlGhj<4YW+r^<23=@c>XXT`>5Q8}@*d>fG6})Tc?Uhh5&-rXHM&@|A zQ0`+H7w>r^8=?MC$fZ!oQ%w!>HIzdQjNO%>L$I^cX*Pd!3EyIz%EV3ocYvb63`To0 z0G|?|--bJtAiv^|V`$ue{1JNaR}G`M`tLJpFG?|0&Kn#b$La!9IlZvFX_=eI#Qx;D zvboNEO+9-FOP_ThVo(s^-*<4I`1byq|FxB3pAoj`(=?TD1A5RUV=gmS4xaHl1^HuZW);n!h1Doc?zmJH=B!SK6o6m#>qPCmI4gui7 z{0E)ebU6#Z&u;jT`l(R}HnxSW{h-`JwufU+)K!oB+l%X4WJ>jm6SbM=dD^qS6{CmG zlhJPJLd;Hj&)w}QzGaNt2vOeEjp!2pYm>JRBE1i=9M)!-`(Fw)&;nwwn1HC28i)eG zak>1ekyf=Ep&Vn;+mQ3Qs;X*P|4eS`IwsU4?Uo~@RdTguY=XQ1Gd~x14f2g-Z(ujnN|h^+hGc6l70f)~yZM7W(7smo=ZEKmzDf63* z?In|)yDgsab_@#}mWMNH{Ld#HcJB_Sx=|HZ9?@xWTIt+PKBMTDvR3#T*o2RIz+gw8 z5w_^eM+E*3V#zE-0s%!_mT_-034KOZmde2>& zs;TQYHK^D(x*S3FbO^O~ojhlQzQC3sz0X%U;7%_!=v8PKl!zL0Y$NvsIzKuf7GfWO zy0!Tnpo_(|kNdStLMp107!<({D_<`dRghWJ&^zApBG209A2=CGZ5)3X9S&$FvQ?4s zyzfqaIbTsSpuUWffkZeBo%D8Ab&j)^Ch1LTQ#_+Z8D}<5DO>5k;?&Md&eciVr;UF3{Ew_Z;oQa!8|UQB-@}QVp9zseW!mb>z6m-pZq%j z@R^4xrD7>2dEMA&YH~*;W`V!vu`eb^A0-|8qi@4wKQ$BRpF6T7*pHD+HSfZsz!5URX7z=TRBk)EAIm< z_@yjEb}yQ3gol$U&yJT0=})qcA~%IUtPs68(wrze#!z*_MW}R_(BVfg8(?XqfboDL zNzAR7b1=%j@QeN@?1EC=yvr>b)EN{5DJFkaB2Ruwi{ZW(3mN%<;F`T9@3Qu#%CEjw zL9s~fs7g7?ehPg_K{gc3V62_LkU`_7ae9DArXf_?K{$*kQu@;T#bLE1({?DlfxS+A zXsLp+2#VN5Y&l!1xPzW`uMfxJjC|4fv=*+{=XdmnlL}zi7)AuxzFW)C`A|8`xv|OQ z)A#5;R_4=S$WjAVsqf(_U5(r@ctSof&(Lcs#>)_O1ZQX%L=Ib=zL?r!tz_oH*k#X5 zQx=cqz;Y}Tx@kEr1!#$MgJqkjOeTi(agE>j-FOCD_T(w0r6#|sz*T~7aBF!VEK^S@ z0&PX|;(jF?jffN!jD@04u<)%+Ist!$7LZm(A07;Al%j^F{)r`a_-bbTQAz~g=QB;z z{3j#V8XsAtef>An4>jcdCIhu_2+ebs|UYu7SgJvG~#V9gAKz0&^dMni6GY zY@^S#!U|w7tH$LeBEfhZQlUY6Zk_NXLhaToMg;iP#+k_qYWMCXgwogqdYElbv7*C& zxUdgZBUDw0kA~Q&q@&M9zeyVrgqk~T{I7`r6Ce#+al9{iT7?L!aNZ%pz*TIDuNn6ET7xs^GNH%#0rOu`)J5LP@n z&%-%lcWzTEFB92KEe~NNPUp8Vuyh3XEL@6FlATaWW!SPPVYQ-wF{h%_T;~zf^(Iap 
zON@Jkx&$`7K)6!p3~a&p#~=`qseyq?OAq;Eare5L@svZdblFkoJ;2xQ{PZa*+19dr zNby&CRbJItycK9`n8lLX0axYVN9ol24AZXY{W-MIu z!RLAd%Zo#B+<6I{m}2JEteCT@P{u$N9TQygoB3BQLVF3lu}IZAQ*f&2klF%T!_w0~ zE#Ex1>ZBe|T-pQg3>des6tYxoE(YoPBAIF?Ts#$ADxbtn2-KRC>b1YQNnoXt_@BT~ zSo}41IzKruW%0PQt~gm#_To83?r_3i8gsHznK|Z$4aaGLqvo4F*4#$?hC^+7YS0z; z%w_EW!DTJ>+dNqNgpwL2tO4BeNmER|c)+JpKF`O3cXE)5!I%QMpm`q;{^YNBz0|3p z$?P%EVCP7jH_`mHKnq!v2XS)7(5am+#GQcIYRs_cpZvBw22S$>J?lA^hF*4-3&z9ErTu^XQMVi$LE01v63;}1es6tM*)}@*GGX> za0QS^@7VWH5#n&b^IMMe!e$X=c?6&9BZ1YH=Mh?8(Z-hLX6*)jkD5HR>()cd@>Ykj z+J=I+X#%PI+v73|AyrSuE>$t~Fq@<<4s0YyCwc^|)7+t*6xYK@Z)6zFSQS@M?uCZOoE0oo=N_XRM zSeJHe`>>vOnV{GC8h+;1HkjFz&3lDh(b>+#v0v`IjzHNQjf(^;`1OLp`Hj@!hJE?oMf%&HN5nimL1rjVke8LQzB?DZ>I z;Mec>#fB^B8=l^@bwp}D#?EW>;I=-FCMlPu2;CpbIJQ?``Hx1IBOL{J4{tGJ_&!tD zb)Pq;?$T!DVqRlt82RmcQzS0CcQGkrH*D4TKR=r6Sa!G`0-urFMKt$C-&&RUQ{6WY z1q2Ltv<13AnfUyz?wKBU@y9tlmu3S5Tcn|k$(g_li!Q6(H)`x2AChI?>T!Ygb2~!d zL*p^W)^V997AA*U_vV0r*A+dB8R88l7Vu!uJA0LIYj1E3x~kdwD3El;Q@qvn??xIn zzsn%Mz}i1QM}2SgcY62DajUL1t-Zr#mO;KA`)0l)#(Pl33n=Fbl>A`|YWbhjiE9}s zPKKZoAkEP6Z3UEg^b3h4#wrtZD|pqjJ|b`dT7J1*0&(7FhbYcrQGl{{-f}`SbKY`v zXtrz-sKdsGjsM2};>s<04zE=kB~fS^K2ecDw4q_Sm`_SpfKV-`a*a3?uUEdU|6939 zGx4hAsKX2)&&0E>5v?p}l39VN%|2YWjwu~kFsD660~t4Sxl003iNi0ZG*aA_ zOd9l5y^4Ktxe?B;RC+)&hh{BZ&8T$5<0f(`P3v zD*WPb$HyrrUACMDtn-G}QD&)}PHQVv$GcOP@Pz1tQ5`l2$=0}S;33%5R3ox$Cd9a= z9=Ih5P{VC7{BLuUV(;S;r@s|mt?kr&mJoA$Y5u5VGae*Oq7hSg4 zC+H;kn!K>}0Ba2|85et&f&W6~HTQ4{tPyJes8)Q1vt94vmqp>RA%)uLQzMu%T!=AS z*2-_CB}A&Qv@fjdzu%(NWLEB_g5-s%P`Niuq+El!b`!5^NV13XS-FDk8Y&M~Qy!t1 zyFab!WEp$kUh{W`({by=Fmvsr>P@P-$H5X&rH5`shb{UYD0YvS9cIgErK-YBCMe?n zuqddb6eMdmod${~eiC^;gVFP-vVYT#HC0hj_zp%r4?&hjmJn!3F_vf?FJl@nLy_X3 zOfg2bz|4|{Hhwr?C?!FyRHQCct`bL~`g#&7iHTv6@AMh)c~Z0YY%hfBGt+U!cfRSk ztZOCp)Y0(F^6m}qfGrg#wQlg<083;F(OdP{!6G_knjc-5o7Rm}a%sH$!t}Va>WW}) z4U`S9I>haNfrfvv+hq6{%m!)3pB~jfHIhBx$z;1C^!Aq4`SSuOr1tzTHYO3tOBd4NRv!^Ohd!bV2{^wsh{ZAy(k=!9eNW@ex z{y#XOa54;I5r^IC^e|=V>Eum%cQiw*R*jET*D9spBp)% 
zgYG*vjT0*9QB37F4U@(&ZRQvTg`@R)(Xj14_It&AG--u`7`39Z(?aeZWPUFFE?wO^ zc5Ib~)bhKI4Y<1@3LGpc-k~Un9(+irDZzn(_wB?o;%UL~e-oK0sDI#hsG&ET1@cuR zd+Hg*($@-2X~j)sM2jl{$3RwmXadAw}>5~E9p z${5!Qpg1{_APAD#OV(&;^ZO>%-#N+cbJ<0T#ah?rNZM^ZH0KR*=jSDKW=Sebvjkb# zZ%t)6apd6XiJJnZHK>HhLj(^TJY}9e?DZ5rgnQ<321M#IXnD5E7c-rsLa&xXc!Q9Q zp{hK|=yDg*zab1V>*sAc)Gb=l>Z(-Wq}nC9WuHxQoA+g+5UhrW>RC$tV8N8m9*#7# z9wuls^ZygoE=H{K#WDz~sX!@c;YmMAE@mD^Fykx2$Nt^nn*dbWq@(`JfZXycxIE^c z(nb=VN!9!aLOv9+C{|oJiZG1Fw*)uQ^aUn{vLOfk0A_NMA8asfI?NlY04C>StKKQ) z8Q#aq{~Z7W;_u;JbU^5|9nd?~9ud$CL{RhcI?@Y}1Rto^4D=!b0u&CeKSDlc-jQ#o zZP_E0ae3eSfMzwDhi5g6$3*R3CY}LB+;*Aw9{j+i+YvoW|ClY;Wi@HDpgo}aj>FXQ z#J1O^oycKD%}&Rd%LzE}(o^2ce)qutI7WZBP5Mg9X)TU%r^oPp@kRQTkFg!c?edJM zBxftv>r)%MI408PrXokzQ^{ivvO>q{_%tD6rM=z*colNU!1+en zIlN+rK+|&-Z$OnOA4j2p0)}yP@gN_g^w4YFL=Gq z_ZX||^s_bk_L9YWHa_~bJbT_oZ+m5-=^uRwb(|i>_2If5xa|4QKHfjf+Bl#D+&=Sk z^|?x1J~8z-KEn7`bRSHgJn&Rg$&dVj z939W&1%!RkOL{8LoUL3#PG?d5E9$(C!1=zEt>>eQZAv0dbgnaTuY?^i^~37c-P|UA z7T!;enXXsk&dGuh&{+{*3vbrc)!!2z~)%#dF zrQ6!zeDQd>)3ix@<#Q3Y3%{gzFLrX_)E$eW*X;jPu+ z2yU~L_l5O^<@q^PuZT^Le3xad%&-ET6kdE-8jnt@HDzQ}5iDhC%RAW7J>sE)6{9fW zFDm|HogSi>vpXrsgFX=~qwJ?I`p+2;-tjWaf!beil%$mx?@^gW>hHhfOIu~Rhr07& z!FWbx^N|!7TY{r61e>Hf7OL=MN61CPcNJPw8y(k#Aa7Qr@skBQW3o~ve637lYNSCdPRp#7Ojd1Hz@1?|#- zk)mrn%KDB$l|V3t?0WN~X+i$4126YwyMH*jCMCGaq#azHBZpmYg?a?8Q2WUH0(1}4goaA*85maB&`o1r zz!p~^H1OaHJ1zU49D%$Xl>Ab=d^?$z_AN=VIz6@zK~^!{lr8F_wq6Lck9nz)7R%-c zXFQ(`H!f7qPl%^#chdJGQ>T0wQ8!0bBiDE-yf}~I2kE0qai*XPL+psERdW2HrH>4y z4g+3rek67SWVcQ1j|=7tCL^SG8F)A|K0)72lI2K6u@y~RbZRF-<0CbR)Rmg&jA#O9 zn?Bq~n1)TM5S0?C8Bu#~3%J7Aeb}Zj(Qowe7Ij<7xtvz=O=@WP8WrP*;f9$wx3$t# zki{5OQT1%o<$TO^;fWdtq4R@%K|XUB_`Sq-fpk0-2BemQ%_8*b1WW#sd$jI-ILcE$ zXNJ5a?U!oRs^ifVbKgk2rPUlPjFum!3?R%8jS8&ZY76?VmjMN$E-y15CC}BM&H>)* zQvvI@8Bbs*_WidmU*eycL}DI;crvG3bPXCq!um*<$LRwSnI-}wtNur zqkq+UORA_cko)+1)l<>lIoin1;)Jcj`F9W;@*3 zYd0BI<0j@Jt;>9ynLLo{)VR8#TV;78Qyzj+f`txapdHt-R~SR=%2b_{TSWPr}_ z=*_1D1DBZ>0v{dKS8!F0atSLZ%1Ob@xsfB2?Zf>z%{BYKj>1+O8K7F~)@`|U-A{SO 
z)+4N8uBYsdzyVtxG9BRU!NLNzxPZ3z(2_$010N)RnBGwz#LDXR`p8{{P5sDF$){*~ zcDI^$)c!u1YeyHz-uk{gPnsd{xRx=) z+orZ*AG1)jHF)iHzh?5>-r_ue)#78Ha_<9p^|!Nb+PLqU%31S?B1Psz1?Eg(TNjfx zJnnd$AF*WpOX?cznw14?X?-*(e|mo^^Y&cQJ)bzxew?{kJOt%L_P8xB^|)_)K3QQ0 z3cT*sY+~Ti`zUgO-qo*t#-yT#063qfHhW%XJ!V9l`CMCvnC82X)7|<^(+_2|+4`4* zYf+vTkHIa=3AR_EPxQ3c-a92Z8fSypgEQNPX1i0{pO+aWU2lhHh}b?B5mSU$fVYtz z9u-~N$DFRV1=3@w=kC8xkQH>Rh7X~g>#i<3pGQF*b}lb(*xPmI*DX4aabtNE+Y=Eb zbl&4~JG-r0F}!El$~Bs=75_X!et0fA9MRel-OaWiC#*7nzaXxDQ3Rb$CAM|4HPqpptvNhd!d_>-}Qz{s3n?DmZ zQr4nD6E7ggPmuh({1FilI%5VzB<6(zIyDUuyG>XI9TOCzD*j$lqAsGm-U0MK-{t)K z(qihYacfxA1t^mGhxj*ni{Bp-L$Tqorug3rdeJ+hL%v;_);bK<5nC!2{R(4q4|Pps z)o+2N37&5Y!ibvlp{FycuY_Q3GU#3&qfXR9-g5fkMm7s^PHh~EvS*A76@hMkHGbZ9 zm&=&^FVMDj!J$D4+IsrmWOdAvLcrK!zYw`u5@oVgJDBexzR4_Y)Y|&yj8zpZp4=YU zf*B6B)ag3R2(yNA-rcAme(M$!)r01mYJF|Fy0)`(dLo#mO0T6)-P*KTi6+uex`|4Z z$7i8t4pwlms@25bvh74fs;1zCaNQiS@Jh`f1pX6z5iT^}4-NbQ;?)YgliaJk2F(F7 z&WOeXSdQrf3CIRf5weU0)={BybX6y=`V?hP1c{+v+HvOJChZqP?sL3O;-tFt1V`Km zM1RuCSQ<*(HorklVDt&AAhLz9W{4opjadiOyi^}P-rAfKiNSEHv|!`Zs(V zFr~30Csr3JJW4E=gXY3dzq8@Mm8Lo&XKNX~zqq@=S1)kakM0aKBK#d=a=+5p=1it{zER)#wb*_fExu+GDH>ZnlF#EgPNmMk6ogr4N!#{FiTsf%GG%f=Cw= zFsnb;`P6Q$*tnkp!ooIy%;HffiB=B=MjC#NqvRAY++!-M2v)PP>`>)CMY9pX@qJ5N z5lbF6j0LnwAm_MuK#|5x7DfifC&f@RB|GJG4#<54@OiquH?j;!wr+o|00n+^;`!T| zY)tBa3)u@Up@0>ciEdJ>4-%g=1tY36$*R|fDdE9#k&t3T#X_jg{ibq?7(*HReWDO* z*pm~0Fbv*1n4Bmn8E*+FM|#WLA0k}7>*TgOH_iKF&M<5auAK>3a_Z1m`cM}PWft5R)7)-RkYM(< z#JVzt@xwP!r-69CAumByi*PLnrCfvNt1A?q#I!{jr%AKMMs`xzm3Mm4f7}}Gn6IGk zPrY^x6C}DI1}ejgX{ZEw)&jcpS*vBi8qGnyvh^kvmV$NWeZ_)h@hmz}T)(!@^82|3 zJ*Ec%p52`wvn0h5FRMX7&x^d8F%WPhaOnyx!I_`-d`Fgs?;8x+c}4v`?ft5MF>=I< zX>JTJv~fA$Eq8&PBy0C401`bbzJ3mx>~6YM4&~XDOw2axkH&Zk0$UGR}@y9ht(n z_1$nuMp!rPQIlFGqniSeTY=P$na^+!V}cvQV1Qaq?G8@cQ6vl+ePPtgb#{Z=~P{G7*x`mhx7kXm-NMEF*b29=FRK;VRI z1ZwY*w(`=C#&H~Vq=#UQix?Ju0tYTeZS1@YW2S(q+F>|jy;AHcFAio?VEXk)^pD{~ z7(d^+?;%oE+#zfshW)nzYn{N!jhX)ruMb(`?{9W?-yZxvptJt>_IuoZf_iB5Prw*z z7?tcDDd!{SGr;EuFocAKO6a4^cMJM4C+Es@(Cqre`R^Xk_aE~ 
z7o}T>5-O1RpHZ|F>O%2$5LcRmia`uxiAlj{84BjrqSbGQf*Qb$guafg!{A1L4 zYs0<{lUr}Sy(y_emrH!a+h3H3I-Ewz)LXL9O@OvHiM1sD40tWpBa#(+U%m8Tk zLqTNGLYg_eptyc>iXsx;mYad?p0Cz@z%9{5miU3=`CZ#}6Zs>N{qGOTtTodeGDp>{ zM`;gna|myr{CXAvB&h@`BP}8vDYgxxiaaC9hGsoSG977bYqs@GW z@sh71%@#i_xx0ce&f<_tu5;s!csn$@%O~lAwMbfp_N{9($)3r@t>O^!vi`dDP4tOK zd*j9Ir&Ktmq06xT=J-EKj3S+9w1mlL5LIa^oM9j<<$^;Sg5~`>dsImZ4soZ(_w9<4vqv-?Oo)!%m--Z~X~fSbfPFTIVZyj#ycYdT`;=5owD^*L)!0-Rm{0)fyb4Z??7BN+ zsza0@zGU>dnMwWZ;0@F_6EqmP5;ENy#3I4spQeWXT*m{80NRf-=-3+$YL`{GRpYNW zj&colP)YCPwjA zMWG8ftEud8#0UvSY5to&%=b|Lhp2Okjx^A=b;li}JGO1xww-irn-$wOI<_lDhaIb9 z+cxWF-?PU#FKg7O$9niz{d3JZKPSwBU)4H{llvV|qYv$dxP!%MZf%yVWC{$$NZ>EHS70DFAfg>)b^oIx#UBv9Jy=$sL+e+QAi3ZT__K#K|D85CisRBohhDHA zPs811JH}B;kSZ<$8au2pCRUcTlCz&DhR25e5V~^D9IYh?LZ)?bmLJ2;m9Il(QknG6 zNf0Y13*1h<0|tvL<^?(>N=*kJWjNFl0ff*#z%=k`}4oE_|Mz8)+@(jBTjzc+SDJF zcHFSF^)7!0FpX!khuVJEI~N6)D?iiF8V=p8k5@(+!S3T_QH8A}?(Oh=gB^N>j?ZP2 zZc6*|^mt#Zq9)|Cjn`uaUcS38+VR^h?%H{4*87QDTWgn3F^s17-lXCX6uh3N*VAfx zXFSL`Guz{zyVt|p0^_CAiqSpt)$=9K`1SGb*S58MhqdVPobBecyB;2{%In#hwJ`J< z6+P2`{d%41p89ICUW@148l0@LzwjT{;d+Sk_MGQ8d_9Gyto1q#>VDE66S(HPtjGQO zH#w!tu~S!&JfPTlhwYGi{WQ}38NK6imDl||IZ|s^`nLJFJv=}=wmhoY$C%T3ZV=t;YQuOn{6Y-^A49i3R;1y zSp6QqO?*WGN7&9`fAgD2m^kFx=ffx&Kr%lg?|#V5!k^Plhu88Jgy-A+kezh*2!Pkk z$CjVtI6Ba?`F8TZ3%4FbbhRV+?E49#`jVKDwZusF^L@EK_Ra+7J#d(%T*kpN7v`QW z1m}DnK~{j<_wa#DuS=IRdoi{2w$JQFvQLwJD_V}T^2zwhuWtTUG#U?|Jj!NT=MlSl zQnhgFf;=+k&K%)g+l9$8okW~*El70Ov@&imdgmCHy_w4pLaL8IBrfg{c5vJ8Eu#!7 za6jZr&18<2fz!G<+O{v;e8qRW**<0J%u% zDqsDV=qwc;dnm@5W6a8JmN1^jNk|3>>%k8x%M{Du-(Pa&A~@&9oWl%?iFijMck}B4 z=A1_v7i1Tf>O`<)nfmcYe!QWm`juE+i0XOsb6;*Ot^r`p?D=w40`%4#{O)=XaI0lU zZ=oa->3av&Y2txBtMI9F_MkTlza6GjNuCR|2(7RYSLG=Q#cDahkuDq~E)^1MdlDx<&zUd{+;`dni4dG!f{{ZtHCpCtPFPr}tPYKk)KOp#m{5kqX!^pD#+!dTd zdjL^GDsMCv2{}MaDl=@!H~HpEuQT+=^2YW3^DSAzsl+h6Y-~#+l&LJYLZlNOD`w>& zSxiyhYWdYv+=5U*cz;tlzCVCA_V3jc$X-=cy_JQXSs+NK`J;xILYGf5A%U`d5*d;4|jf9=K8@OJ6@u*I#bX`8)Fam(J{B*Hs4kIS1ea-SsX6Lws&} 
z;Zc7-ZX^$lB+6(+FKy||DNZh(dUjVTPEn5DZc?snLcu-ct@%zAj$dOiU+wN=kA_k4 zDuqkA0jEMt#Yk|xu=tH`Tz`3rnlv3=K9UtaPv(1U*D`$^!g_R|RpAD1g1g3Ww|Nt| zj0hHHj9zd0P)@C0-*;}Rx3K=Sl5?dq>`}TIRHt3dM5i(pM+7DavM}4hNLXtfGnI!> z61AUHzj1CAntuJ0%jxG4fzQQC$>i&ete$*oegJJTUH@RB#zgL`8P_u{J? zs6k?~+{IRc5YC9-3PHCKPW!#&OfEQkwliSEP}Ed&2#}=#H=5JG#As zkS5N|^(OER1LAr`jwGQHH(CzA&L1BWd?dY|xl`2LxfH#+(sNrc8InzF2lZ@SzP;(@ zt&g)I^L%?2&0e+}c$nHeozTn|T=m~c%Wm~Hn*Fq3f+1F{@gb43>scMhU9w-Na~W7o zmi?GEAm9s^<#jld)WyTMb6>(_5O~WZO~ysqLwff0aeVr5ameqJ2iljZT7NvBLw5D& zS_R+QN$P0^c5mBLzYhI|nO?uhZ1d=ggpcnn7`63Jc=`7yciPbZ2K(&8JGSPbm2>r1 z$6l@lBiG|#Yus7}U7q`!@lA0}+NaYqy5~WDE}SiBAeZpfHzm*O(5%;6D!0qbL6-4u z`TkN@qt~(Hl0MwNm;Phj<_P~V_hGknIODe3@YMH0cifIJ@9jG5tO)n2dzB^nezbQQ zu-J`V+VgZE>ab!58h7V8e#G2bJ+$_JtNYx!RpsD4IxX_oBd~*WYdq`r+=2ysA*6ac z-nr|}?>-KY+=0AD8Oa7dL0liL-Gt7v_~95Eg4K>wB_44--uDZgbzb-{{jGTdqOa=^ z(F&^`?F)6Qd)IEgAKcH?>>PN4+H0VZC4f`ca8UP)jX;ZrdGyF8+TzMzhxMVWUP~>W zo7oY8Ck~(OY0WL-^4#|i8v}8I)$U17PS;!fb2ui5U*js7J>e08!L zuY%nfFNf!^z42b3>D4zzPOWi_+Ag)#<2-iCDyiu2pTm2h<>>-$cZ;1{9tw@8_6zLk zAPARxgZQoXA}@KXHGj~3rH_$sW?HiNpg&?mqGJ%yCS^TAe`1>$RUMUr&?gnxAhT$vWsl;u z;vAP2z*GhGqmn(UO(Pg@oJHl|>xL4_?a#AmnG^#s?e)3lJhBktCBOa9b5B{ZA~;3qp{jz`kd5MZyR{d`?_pfh<#NR7 zi^Usu3UV}MgfcQuikIl62k6w`7Kr09)NxaM!p2@jDYw4wYhdm6izBWm~=acC{=V~j9 zEMR%0Xuw&kK#i>+oOu+sV~!J@mQ2`6wNi#qPtdIusx+EytBPd8y1-WHafoyNh<7X( z9qvxE(s5h6lKUpYae_A2uf@yE#@?^qiX3O$mS$zveYg&vSM>+WepstWMmM2!B36xB zPL@PXDLn5g%&x!~`NTFZd3U`Jhv%S>R;|J|{u6Tv@Ppe?$>GcO3px{A-A_Ielx5ra z>f%f*1}SnM|E1D#c=FLFqK)L=EM7igs>3{Fz*9(E?;&JIA5MDf+KLRjC`^SK%GAZ1 z6N#*QfR=_2(a~E8M**UPwPUE}A7eM+JXj=Dy_t8<7I(@w*m4B<%1APsE|odP-dGLK z-ie3cdPp+o)gVRnSjye-Y-23IrJM}KG7F!P|8vdQiBRaa-DaONCPnS1VZNB}VR5#> z(n)+^f~OVs{|U5E?^#T}Trk-1vq4{%+_K^oE@P|~&ss&ge0Mgq}O9gaX@ z)>JE=3WPG(c72ai{7sTO?0`aC1D9>6Zln9UY7oZU4euvJBFN^0b7PV^K-(q4oJb5W z=9dv}D2rn$gL}3TWTV%Z6g&5ob1C_BhuX3&*Fe&m2Tx+DyGj1AJ^>v>tb4KA5FDp9 zQ-rMvq;$Lg;9a|WooqTDQV?xB586aV+JU!mLoEi$!o%4gy1jXPD#vl5OzBB;Y=jM@ zR8~h=Yb#f9vjQe&H5+S1n35!J=;%^$?vyVkVN_%*xS5K$2sHB-?G5Ud4=k~m`Nt|c 
zBdbXzPL6v)Lh3H`My)*6n)$L5xVZ$*AzK+f3w^BiNOr2%Kg2t&DkkWNn{~cOcPdRO zb?*tFBOT%OST#|~bq;Qvo#<*7vt>!Ev-H^Sa;2{6%invRkqf zY;E;kw;DHaOLacU;ym~5U)0nGUQhWwu1@e6ksrU7wR+tG&sC4=acLardjM-A@qh=P zC;Xt^t|5%zl3whMw!8F8-uq=ke81Pri?>@;-@CZh%eI@qH99|7rDf3Nj(?p&+Y6$} zOKrK|TyXoyBHxY2+Iqd2V)x;p>|^`kKY2!9RR2rfkq^tE=yaVn-hIA?JvBim^ElV^c7Bk0p~pKTD=gW5L(VHNv;2 zmuaA;0dN{Np3$Jo-u^;z)Bn8sicbd|dBq|7&fl}mZD#XPC*|>;@32ZrAahB!A8B<&s~2_$M3RHuTwVqxmTlsu=8{gVAP@u3pz$?m8L#77*Xl z(d4zG_}D%uc)9vP_$6O=K6xLsK)82<3zohpS@#E>(R1VX z(VCuW{Gc?m_%4v{Qm%)D=c*0qNtQ0haj&bX_kp{OZ&9xP12!h>G8e9 z;~`A^+I6BR((AcDqZgy$!!FMGg->oG;B{%fz|qh9(eQ3P{|+=#_qpZ^YK^D(5|1

_3~c`h4M{SuUMBP<1%(YEOwVPx8dh30B+*D9J|mP?j7mUk#3R8GT%1V`J|9X;tsytT}h*ZcrD8Q(g!u;?5>rb;I^! zkAj;4$h>KaSEU$3od8vBjN|6is8&XtP$`t6QlIR<2>Q=*rG<^dJbJ?1ddNSaoCc&> z{zpBglLqCpXtDA$o};XQCp5tq(8hkS0Z0E;Chu3z{I;@O^|&?BYd#%-Hne%sfJG`R zo_eV!{>98P>E4MdR?#g1n?YtGP{{H?vK+%rlbwBIk;0rejj1m%N3qhH#ia{AgS0NUE8ilU+@yWCdHAVTlSV zD`1r);`&7b<-5_}ANs$~)NX~`G8n_-Qq6Mn@}|7wF8}IHsjcBBrZW%Q>KfNEWO%if z{CqB?hqdBO>C7xmS+#H?sa})fAC4x@qo?BCwemWL94+o)c%~D?(XP%W zp4EAumDjhdyB5jid$tbSh_?cHG_k%d8gOqVeA%2>OV|i!da9Q0&nku*)urq;x?or;YO7<7 z)m&`saH0@>0U06^qCUbG~v84zi-2JKu zyJNm4qznFq^`OA|8~IWY*EgwaDLl=oZ<78FuyJKeeyHi{z>CfW1r=E=YFB5ET?^Z zYE1KT?G;GMvGEqG?my4x6PgYH_QzjVX!^S>QI9YPR097zEUn+9o)BBCX!@0nTzCzc z(bjcXxbwdasV)Ja3>3KN@jiAo$1mGnD(mQ%KbuntL1T|&tqlITw)vh%46TNiwv7qp z^vh2^kEpFVAM>qC0uK=rC%Wg&7ajojIftnen7Z72LA=i)4~4gGBEXd4%?W9o*WxB9 zp@nl@QR_n$x#!{HEX{jx-TA`parxEkCZh%DZ+em2oA|creVq5AZcy^7i65`$biw## zifVGKd7a!GOZR_VxY+uf>j^gyv5#Hvd^hUcs@Jm`n5F3SZS~quPv3ePtK0BgyW9e8 z&X3o1Uz0ezbgnDL8oV8-OhZ>)zNMCV@E)F+$fnl-XY!r_WB=xk39HEJy~eKUiyLgxvBhsA$=qg&iUsAn!Ix!DWW%>uLj#wA4Umg%?#dy}!C_szgW+4J?mxobxBcW#&rjqJc|BZJ z&9$9_feu^(z*hX0!QY z<1{vT4AWrQdw>0?Z|{xweRsm8XVu>a$m#O-Jh;ei(a2+}}BK9)r_M92UX3ANzt*WG^3Iy@s@ApGi6pa6H&|)?Jb=1tauwcV9 zpqrRO$f}Uhf@6uhtJAu@{=gYaO)6c!K$zu7F4<77JpjUqZj_@wSf}kab};|u{$a|? 
z5%-$55(PtUfpA~UMJT5pPEcZHVqFd;fqU28mVsu#x+H4JUG7EB&f!%Zxpv^4*syG% z6=Gsy>qd=&5av@Qd7Z>_j_hUJPc2Ur>5{rDONB zDRZH<6u~d{?J}frrL@~DY(er6A1Bjy=Lt+*Y>NaWVRITL6Q+D`xn-(mTLOe@J>@?$ z65WY#&g?P+I*6pFH$Qj1e*A43l4hT&Dc@l$q0oQ24V)Im2QF6>26wFZhSQEnH{@qe zOp0mr&h*1vXjqv}O~7u>|K|9%L|va~Bu0G0VDVT5i zKMA1ECbACzP3XF5&U9D@Clo?mj2B0`Mech-BF%?(Sc6&6)3dK4N4tH%3c|h--bySq z#?-@zKIf9{uzVJ$klr+!SwW)fod)IwPbnuNUA)4;AzN~cH>+lxMO*&(OU$=f&$10= zRdfQ@7v*409wV;+XM@-xy#fyQ=#2j(T0pjelj66~zFw_em|TJxi-<6EkL^U}&iZGR8zP|2!5`A1bmoFzkCiakWP6Mx+QXj z`7@I_2ZM|@Tb7cFH&$$_|J&$NBC5JG760phmh0M`psX6G20T&RfQ&|(nG8GK4kg%A z30ktHFE#|2LEUfNs`m?v;gU#BnOZ&2+2S%Ov1xE!$dT7^Fjeedy!6I*c`6dw8uwfp zFQ`EKg9$jUlXhW&X(XJ@0-N?q%>fH~p;0#+ELBd~18fW$<=^i7BzgOGyqVr&=+izx zeYBLpWKWjhxGH)RtqI-|<@gA^payzKENlYo)ZaNM2V-=bCkH&qnd(v&C3?j>UcW~v ziE{7}Aw022h7^Q>(dz9y)^}JuLIXUU-*VFO|MXKBBO?Bgp0Cg_qU8A=A7*SpcRJ)b znB7uML$T4ETt~~A^8{mBlUNK~Z3xXd1{>`|Q}X1PRF|vflfIQ0D2SCIWTSxy4Ivx2 zNI9MSKdW#_d~Jgvk!A}%9%0`VA6PWVc4s2#NdtI^{L`_^-##V$UE?&bD3I1p!Gi1 z9^SKk;r{7*LHWeg(=(^L2W)y$!|$Y<4}qXd-dB z)lK@l4^Hs{?ot*o7wew+-6t>s&AX?J`5#pMSc$zyJiUU~X-k@p{?7Mlw8u}{m)Gf? 
zwp|IHI~|w1pE8s^V)oUb?U&?i8*4-F=OKq265IF83nUxCx49$aHls{)$T#)n|2haaiE<`6!AayBbFJ83pma$ zap;_;BVYD{7L%Kjn+SZZ*1|FApKZ*)n!7>BUruBG)85H^(EES#J&F$Y(k1@8Q=mSy zaU+-L&Weezn?5N1-QWWtkoXxKWet(MEJ0H_mh>9mOZHhbH>&hqD=590%>?=YZYGqi zRRjpllde8G<5GhvMUL*yqSW9`jJZD=qdT=|l8I-uz78MLyngPfqWo7v4vAK0^BYrs zCFgu3daSXDeeoEngGzH@F%cIq*Q%2`DxPdB^UVT^mQ{^?Y%JvL8IcEX--`E2tFJyx zrH8%nY{=XmV@yxUJsX^mtJ&#HK$0%poCd>Y&2A}bq zNyNC&tWc{C&hMubpD9*jf*T zgoiSrO#5qzVq}5JVv*J?k1#xuXDbAnKo)Ow)vs=o_`V>MJx8z_WB#S#^%+EK?wSqd zm5ky539s{E@4~`(qn50_EdKFyeI0_kncKPKRA+; z9z>L3wxy7n5`--D12Ymc%qLiY*_zNUv=>U{&XWl76Nu-3=)z6ujW7yxl{jA**ec-M z1vJ%Y`)qCHI#S{E%xOuTk6*Qe=9FCVh{fqHUE&DYwzVtNL&H*|LZP9$<8_8A`RwFY z6UQG*1elOqq{#NOyI0h3?-5zU5ywale6c`ApnbuXUg-u@-Qbg#SBIGS`p!b5<4 z@)OWN_DY(7Dt1u~m|Jc9!?>|B+?+z%K$F1UALSZhSueh&V_9q4KykVx+}NBe&aR5Z zc>2{VSq7Wwjip~%aF*R@WJnoZdiG1*jlyZt#jqVkH1OFR{7BF;ZX#){!VScT=0V@9 z4jNFa+C-aBnJHWsAZef~tugVo96Wx?N+&Ys#qHe`tBtZ(?rCHrI)_@ZGlWGgRZiIU zpaz=jP{Ko5mr{@}a0IlGQkZ!qWCyLRe7{)3kU%a~=a^{x*>nfMoJUGk2Y3=h{ z$YRG^F-vV#R2pkpJs*ro4}+v8T9~w13HgOuLzWaGSi7m5n6+Yy@+@#y6*0{&HOO0n znJo|1skA6WB)c@$8u2(~tVUpUtjg_1ACxF&|CR26@mT^K){Z&F2ZA;M$D^QuO+QIq z1^rm?GR)abx$?q^8APq_88g{NQ(5Ok)6|)Dvz0X4l}37H@DK#IV|)?V5P=jFonw9` zZ11b?5QXDHK1EM5MldvJ1F9{LX+oE!+wP?^J>Aujw|Dcafg+I>K2XQffze9pADQqo zg|t`5sBYK>hvQK)ex3E3M{yLB=7ADrzOlQuveXm*LY z5l;rrxNpsjT)#>)P$!h>Y#yVX)39730*bS!rGAWr7{>iJs!@@*h!*Gh>scWYKR=YH zRc$Rn;1JOFcPTq@mB9iQx@9t{_Rh9<_A5D+&%j{=t5us2A(KqR5=4b3*HWQoUOnHg zMs-4h|4L0X)S?F&UznG1?9^Ux7zNeI_tM>< zD$9T*Sx&_cyZkM2lLCUdI-P&kihQK-TSsJ;;!Fvo!rh8+0u}<#9@|lYDm0s!(Ekk( zEsPk^Kjb+;!B^$>m9g(Ez+Oi1!VmNrEKDXBfE7w)H~=XB@|NzyYztz6Cqas!47Qeo zyb`(rTPLzb4*I?$Rr5)oH69h1IgZQd>5Vv`=K;a)eRVq!CFU8StB+aPs=VMzAu*9; zj_(Svb-i`d{i&{JGv5%@GD0GI(XyXuvsIecdRc8!>vLVAY1m`e$(pZY@HWa5-UVv( zUNu*2OK+6y>V>wb`3R3^D9Y1!Eo&iIbvUG8tm|cHs&aa`c;PM9e%gFiHRJ}>V$Zmx z-+81bB0GRqpjxl$UAXzWS9;zjWr1FoE6cy(TN!$uhb1)yZq+Gh)H9>9Ns`EGY_z5WM*xrKf|Z@V8oY5OmjlDX$Mbc*Jq=p z+}ElDtjjUP!^_S`QrY*%kh4Ypn%?DRldX+AaGP07O*=HCH9PYS 
zJ|E0Gs{I-Hy-sXiCYv7M+;*79tftOW576}FyaZWy_|9PKAY+pfx2H?b>!a!@&)3>$ zh!xXd6LwL@^@d>u0x$NzK~jLc^-^+{QMGXv2}a=Gji-$I!AwpdNikO4p4c|5zQ zUp9by{v`Q@=uD|mSnJq$eft1uzk~cgV89Y9?f^YyH}dZmS``)@f;^x=G6@lKx1{9? z#OJfO>GV7hDd_oKGFwhFV}BcmLVPahRnbQHJsdZTyIrQ ziAWb(Uy?K_YlNiP;oD^!Mv6KovQn)Qs$mpCor;iHcq*J?1c`d8Dis87JgS%f(?y=V z@-%bGGGG;ZN_yl>qM9a1yq$TGU95^|z@WA2@j#<5+lbiAJcvf!wz3WPTZ0-4ej>&` zSx4^Xj9ipHWT?DHU-&N9R52gVeEN!!KJ9KoxaKgy1W8vOHWLj`Txtvpbf1~39I!YJ zh0?EPTt=WMLVd#SASQ~vSZG26ePUt6AObiV_XVe|)N09kWuk97(6DENo`7B>H&&NY zSfp@q(pBh8j%*bt+bd|0p+V)6LpXox*rWODJgLE2IE*q!yz<(UqLN4yCopFx#@9bme<=MKn5-4qvvP?kPvj<`{swCB}wf~Kg;=5E2Gr=fd zl~WCMDdtn)qR3=8PO+yl(quR`!yGV4NKmaPFbMXOC9rbmlD_(ZPLepCHt0KEbjL>& zsa%j^JSz4}(G4BK1n;Z~(#b!c6HJqB6#cg}>EfJmEA z;$L=Nj#*o_Ym6~rr(S56dfxIjrlVayWd}6%K@^0Ah^DRs+65UEWEY*WBe`*W?h=xj zQ}mL8V{dcv)Q~rW2?96oZUi+*FL~%Q_m+ikvvHOu!2*~_yghV>#%gl;WQPwq$i{NG zQWQ$f*~qCJy3DCb24}yu%L6{wLLLQQ;<%<}{n0xbRV|4sPrg;9&<}E^c`b5Op zJlF2p0h6Ao6aEvSdO$^pQau2o(-yf%I)S}iA@#en0#9&ymHnJGH=+S^+pSWabENCQ z(+{VW%BLJ1-mS$b@sgZh-<)IWDRS9<#8{!a$3&tSQk|$r(|N+}RUp{MpI%f8{quyz zYaJ>#j&iLD+%JX}_UtZ(DG!+!*85)Q3`=k6VvFEjV#~Q<|Fot~lkVbdl`d~-_LGiM zhG3wcx(MyNinS@~i$Pt8X`ny*ueOjBdxXzTkR4gcOx-C+<8vJlB`5Nd_6e~TB(oF< zSi-wJyAOjn#6%=Nw-;3iONtC6m565V*kfaOYR_W(3Ouu6u{RM_as6W5)mw;cB??K6 z`Y2FRjDaUAK!;2_>Kq8%pXo`N^bs>4ar;|sp6Q-70}Z`ct!CV{t*qyPh5o~8#U(h# z;La5>Mg|obp<7N#=15Y(=2n^7nym(Pw?H|H0v@ce4RYTi>!(cFzlK9(io~A{q%u;n zPFf8rIlsdNh~k=q3=>%SNmwsi?+KEp&CMDG=nl{2e9`cCwEmdy>QTC~CYE~{cg!*9 zkkf{yNmTf9<9|ySaWrUJrh9ZD!#y;v2tj(W5|Bh+`H7xDN}p{yC)yzReb28^yKuEsmO}|B5%cyv-u2;nyWB2FSB4f#i`CPi4 z%kXX8Bs9?1r?6jt9RFiGU%>yUYYVfk^X67uV0o{GKW=W*yVFIYsOgimt>Z9hO~Caz z^T^3;RRX07g?sP-BH9Jw3 zwyM{0e88^B@7G|*=-u{w+w%Of|2U4;T9E!Phe;nO`S>1u$`E+_Gpqls9wh9vW(s-8hN&`<{wrFtC)U(`Sbjcw%@wn{d zcN?Gksx?h~Ysk-U9cUQ2GBf0P`#W%VSC2@@dy;TxUhUd1ogUQtH~2OB;n2`Q?_<&| zPJK9jU9a;rO18eA_=vyFD0ih#_a0rK0&Z zbRHdTmDAOI?bdyb#~o$9cklgu?6e&)+7jup?RYmFS+Cz{w{vUQp$)p}+K+JR&6Rmi z^C-r@$HSy5dn>8-`Ql{sgmOab(B5hI5aZ?aOmp3Dzw$#Cx%P9vG4^u#9#{{u5q$To 
z>u+Y~n6sy^cKP64^7kFCqMhJLe_4D2ZGBaHrvrL~Kal0*9zgH*!+EGdI8$xMr@s(CoM;-5fvDVftR-i+Q> zwZ-U~BmuAA(mh$4pIb{pC}{ndn+}g4jtb(Fmn}sO7J!Y`{E5Xm0espGcu88c8eBHu zcT+yy%?WCXb%puraGMmhg%n58Da)#ZH~8G(o-fw5sF4-}&j7k`OhU50zEuJ<|5hkugH`H=c^~FKos}uL7X<4FQYfdr5_1x;p$r)si_&{v zuL+135kl!=ede(vX6+jCm%`t}o)u9nzM&>RhbGoe^e7V>o2aP`ujzYmEW_qhB`<~4 zaaYKG4V`K9&6(oDr}oj`gLlLUE$Fo5jUzWEkBi=ki3V_W$_}P(3NaA1$K={bk&~aG zB61;mp%hqRD-;y}NPXrp{KfGXFf>@4X}rupc?i_qcaWV?s7*+c?d@=@D(XlGno{?8?0cVqFJGy>Ql%Mj(y1`S-HxF?PAp%*u}!+c(DFf9jeE4`JHL+X`eSj~*cy zq%s~@FPf?2O$cI<0#(*w9+cw#R6rBVn{?)}hnV53hEb)Jb<88@M zp-q*8w+cCcoL7c~h!BrdBi;m4FYk+ArBXw(g)I!vb!M#nsV?&ys+#;ofj{ru2mr2E4$x#)89AuvR{ep8N`4VKp`j3s3Whuf=|LR~}KLtHcmVD!dGS zK9E9lm1tT+$F8A*%`$-XbRmoML+knAs539Q)cqH`tdHSvF=)i>ZUUfjcrR zS-LGk!QWp^!AjWcb43tD;fdMq$*%EB+CQhk#u;)*Hq~?!?ja=H*r}{;#fiNjaQEAZ zkegLZeb8DzPERnpIG+Z3e}j#hGtq|FZm@Z^#nEtTWe6f_vA!6KJI8bjt@Ae{xPZ8|^=0K0 z63nOZATBN$vPqss4JjLRD(uruhNV5Q27)(~P-UJ#yHgg1o`7X$?dDKVW&ZDY+2T69 z$^(5n127r?=MT)y&}%-YpftlhL^+69`a4`P#y&91AWTxddWYncXq|%f@h%ZzNr-dvYkfCvHI}1RC__e zV0gGvRm#a=X!SBio!d@Xr2Foh`fGEy1($#g=tv;X|K;in)ihbPJ~MRMcBj;+$>OpQ z@29T??0WGUisyRGcJ_81HRBs-*)_kxcqBj7j6ZJjo<&O5=^UE*-+igh!-^VcoYTIJ zukarJ9b4#%AgA2uxJ&-#k#LVm{-dnSCZH<~EuEv& zIp2TZ5U{7mv{#c2XqrPDQ3P1E%NhXI>Fs=l&1Pj;#69CD71BEUYSU}G?#?|FbF_Jm zp3dShS001SkocbFac9v944!hLpH}uaCG)uMuJI-IqCb5e1jqGy-Svu$#Rgu*+!5+@~Avrp!){Eq}$SsJM@Tb=JVw$(g$c^zkG7 z&T`e|^XASp{R?Clj=a0MJQ#=e5!>yF4T1&#&uH|z6Gk+E`z$V|;X@yH>KB}G@xJxT zCy1Hu>$Flt;Ik9+R?O@FblwD0?R;Fl)dgCljL%!%+MBRkz5Duh^~VT7@3kauogjVZ zAWVE$#|=@NRnrNg*Zf9Q^hB1^`5NKI=T|}MWdk>6uJd^3lC`8xJlRt_fH z?}42zv04KQC^j@W?}z-^(a(r)dRS@N`KzPFKoR>9O23@hj}RVJLH@H?fz-MsJjAbea#!vh3B}c%)ReC235Dm5CA6 z0|pajUmN;AAmw|=@<&XO7un~+S=Up0A&q0LYlX;lh#?ZK zKsmQ`JkU>rB3YR-QS_V>DxL7GDPf5IQrdNAEY)}yS^Y9wREF~kyyBGuV<>)YS0-`% zUY$V}Wt9V#B@9I>iEk(b(_&qlb2g^jF<@E0b~+07hl<*=I4DjxvMNjy_!_hdnb{yd z6s3%j(!m5VNSE_f=(53q#a=Gm98uC;oi=%tV=A6LVEScAkIDs3#yUdMxEDlesZ^9E z!TobJfmA?K34psND=l@as{5lwp-Shi0;VdtAV+4_@ZwQH98!%utF1ja*WSP?wPL$| 
zXDM3us!$LtWZvhgR8x1eAk33pd%R~~w!uivpoh_nvw8JT2IoS>8dg|p)dsgg82qBO zQJx!teX&ZzMrg^s#+nFtTTh_> zr0dS-3WpE%n?{FPD6ARz?SwcJykBJ2Rpci%<^@OE6LVYiNvz&{q%E$+5A%7VW**Yi zYNG)hPPQVN+f=@In!TS{r%YfpU=PiP=IRzR(L4Uuxi?{KbN&?=A}ztJab(uiX*5KN|382U8zw`PUbwh zrXC~X1aIeHwG=!{lqXz=?*sKJ0ra+#{ESgcsWMF5@6=qCqL z!zIkADK`C~$V6OO0@7}buMDM&Z4BPhL?bFBHj!*8)z45E83ELV4rnV82ugKhN(Ur) z>ECGzC4Q8-wMZz=38ECTx#S!{t_i=Z^OWK{?9iz8i~&qz9=b9!QP|gQODg?33^8ux zatITy?MXid^F(D|*ak#(bdI7R(czVv*JnWg;Zg zhD~zMfN&h#7;yAvTIJH>%#wwl-=?H$vLK1&I(Q|(oGPa*;KE9OS^jr?S|CRV6%rPM z`o8$oTSL!5ASqhKR)x3E4;V?*91T`{k2s@pa> zzajeEOZM%s3Dbvo-Lz2NL(uJ<&vF0dOriIz?F&wVIn%mseRb&OqJX0h=)3vq&r};5 z%u@hzbi2o<*Y-F@$0t|eb?Qp{+%JZnZ}IzYO#<3?Dv|TsTzlWo9~a-(WV<{kv)|V3 za{&O{ORF_K?-BRqiSZ@#(y|EEquj<>@%hPxi<;2h(^lJuIbr0yV+Ei0&)vr}O$J{Q zpJU-j#OV&|w+x?y`7aUSlzn>Lan#&qQoybvl+tTp!oslQzFd<99<$ENKXG6)&uxcR zw$`h^`AF^XklAh5WJwHD-Jvm^j~*|_gXuMzw`u+|yZdSA?89hpst(!9DRB`4ldFVbEoRpaR-PWr0vk0*dj^Wx$Xk!c5`t-PVl-6E^3T+n<5L4x9`4`|yqXlyr58ryDc+qP}nwr$&NW7}+O z8}EB_p1aRJU&c>ZW6e1SycpeY?8pwQ+T$z%3!kq@>zVPNRK02}@1|RwM}ysGe`f37 z1{s*keK~oZ*OC^o)(d-V%+~`J(+?miMFUnycZ$3{1Z@Y~^2H03a>Ee-;qD zuY3aZkw3tFjn6^vVmlLG1tR3hc#^VgkftvJ4g$A;xA_cLK(*Jqw|E$-#K>`!*a^h$ z0>H!5!;0ialqt*@_6Sd)%+skx_zk!YNip}JR=$yyCIX=gol`=-46MnUT{ejgm)>P^ zpSEp0wNK%Nhk<#3E1qG-IQst8fVhXjUPj^?2yrgyHa8|_h=_Q3i5Ivz7v%`b{viW% zG?~uqucft1Yh*QMiB9#K;SVv<%61HcwVXp-HsqQkD_wJi6J++}a|e>*n6j))x8jO* zlD~*eB%!nk>mi|(ahVbsO*sK0YwVt(*tg(y}hqul&;mYGWRrh;E7zi>3h zj@IWYeih28G(w^&Z>FMJiYQXBXF3#U3smLeg#PACiJ{a(vu)8686Z%*)zz1Y8KAys z7Mr&E2h)1m*oOjcSgS2lk)=-I0U?)QON2Q)+Mf%Iz)KR9K{z~3i=}9uMk&U@5reK- zZV3JrsvSC>A24J>e8~Y9Og|3oDoTKW+xhK&7C;$m)>}gC8a(GzZu!9_Cuzf0!RoLv zzGiD%^4uA79l_2NP_@MP6Q$xN%d~9Y^GhVjPK{{5Hr}*DLOgN?xqXCoOcG*IYLlCL zg1wV;`@H#`h?bF5y@e-<`8@7PF4ztwL4h#Ef{Oy|4@hix&_Z3}Rncfj=nptFPf%Rx z(~3|uhonZyc?;nqZ}F30R`tF=x@RcpkSO0pMvi#tySgf8l?~2c=_{xeC6r z1CpJNzXc=tLbSP6L*w5O@LT?UU67|x7yNK7Tc3mem?gk$N=`)%OXsJ{pQrnA2o#!2 
zq)uVW*5btH1D0cv!IoYi$B%7A4LD&$yknQ-2J6!Y$q~zPm|bC(M^YW2pegN$1q!c5SQvt!OW+f-FIIJZOq1I1mUZvaSmIGH-RAOOa zk#kVd>spkWLF_dH1ZCL{IuY@>1~RL`wEq+Yn{HSP(ucaqFwV&*q0^{5eh`hS^snBb z3oU2&g(}ZyNN%JJ-XmgzH8#xQz{rpin=hxana!F(0rAT+qd(}B_EU|2*7 z;HQ3V`A?v(zEcAweXsdDBg*=Efs8JY4dMt6fSXa{WPd>H*R2K2AIEJ`ExGv%3p*>7 zsBE@$$o(Ich^P+E8G|Dpb(t~J9jR(vs8$V`QZ%OlZ>TXV7YG#B#)jsH(A%FN7%Jh2 z;9JD&C<)U_PrnM`xr=q8u2zQK@&k@A$z7x!*i?ndZ%U(1a6~7qJ2Y1BRJ{Xm>Hbb0 zJgqp~W3_<#NuXu@J|%0G%&b?HQjL`HtO#tGI9He;xA-NFv7uM~n~1nW6oY0PHiJd7 z92#XDcD~{ev`%GYQfo>y>|lH}rz_!jNoa~zF||?u22r=UfKjnNn9HO_KR{&LAzG|j zjN;CUev_~i8c86c4wE}lD%}~)tC`}3v=ufzcT8?H<+WkXa!kcJBgdyp0K6x?0+Tq( zHArz5X8_!6DWfQ#>OJ$n@RrX{1QzO_0AP6n_V*{>i2~R6w@C=T0AJxCj(C5VP(%B} zfCIpNetjE|m+kNP&SXZ2V#-gt&yz5o>X&-Umm~3Po0iY!aFs`r6+ZL%)SHbOx4GHx z%k8?Wy`Ft!xcxhZllt9rb{gLa)@UxPJ*2mY`E%s-X>h1~x;1XNmHRsXReM^);|yVq z-|0;McCULpPkh$X-5>?{>~A>+t+m%Ex~r=x;gwF$i$qSk50H+Ra%uYhcMRw6Mu!W> zRX-OnpEv4%-ZwRTi(RK*Y+b9pzQZj?ZhW^G0%Lp}){hHZ6#8~}-LsOfXcu;kFL~8h z1lmsr;c1)a9qKohF_~D&2fI6_(_O%&emv644w;j)A?hjI`=^gkZ93syCf^Wzw)W0{ zT8m9%Q4{s)J=P76ceC+USiRh@XA`xFEW4-I%IiNDU|37~27}*6^eOKB zvRK3v%rlY0P4~J%HMzCBva@falC9rsjjtQ$M+-pwOW56d3yFXhuYYA>vR9qH#XQ${ z9HZT%J!jL`aV1&vX9qCCH8}ep8NXu6I)lH{P5BYhOqII5&NJoFd#pQP97i!L>u&tA z-Ch6Sis#!Nit8GyPx~_S94g+7G(q3g{Gqvp>=@~ti-E~Q{mR8^2@f*B)c|CKKzj54p z3+Drjp~m+#uAXTZw*Q3V2h6F8ubE$ZjPS6@4oCz^wNi1$wc{zJSc-ygmw{@vAAasUat1NU=rH88MQ#+tMm zEXh>n^x`A_!4#nUdG{u7O3HJ5=sKs6iGsQ09|CcgZ)drcPwFgz1iH*UX+g|LD&@sz z?3@ypSisvPN-iD0Ot8x+#ro4Rk~6GaiHWr+7%{1dxmTnvMFL~Ui1#>r+^`N&C7Lr8 zKRy8!K^voaSWP(dE|t4NRHk1?67`aDUl|k!m&r75vJEXPv8}p|twOergPFE8&`f^} zVgtGo$zw=vD9R`H^cYt$J0>vIkJe6{sZJZiagWU^?b)_R6O4tU zTs>sbSovH4S}!;K0!dH+?70MiJf=_J>|$!&#nGMtVxgiSy#a&Nam=^O&}e- zId5(N61Z`_DMeVf(K0albyVuWscdr4jH$bIk@+hTPa4n#CgPUG-+5Ce#=T377vjFZGJ3+a{0a`coTjnn z?KaZ54039n$!O<6MWN5Dd;8FxnPx5x4kVYgcKjJ}BU&Eft){)2=$BGyjETHB(6K%#5|(#e;-qAJkLZwyc|4+ogRMXui0lz2cShDY5oMxuTOvjV^$y<6 zc4l(3D1=&&|FsVQw@-uyKBTU1yGK_V64o@+hF-*`j`!(f>8hoC+vb!&=KqUoUTU 
zY0NZqP$2&GYuiplMNW`QjZR+GPzYCRUU{B~z?x*&5;GPdEzwy&L^I6AiOJ<$Zps0j zlDiJKqY(M<+I14Hwi6SuIPA26!1>!*r3mLFr(kB$Wo<&%JS1evP#byVktmr^Rmo#q z!pka?5mi|>cRhB+9sE}y_1ul-_V9>NppAYXBN6LXM~a3mbL~(ns_@NGa6UqiRRk{- z9K0 z0t%`hCYm>2$?eNh+ibUTvf&dPS32RuPVlPHwoFx^TAGvg?ni8tKt8}Y9+V?l-el2Z zK&tVZ@ZIdE^uW4e3Nsoq64knydj<}Agrf6LE-q$>XA%hNJ-yVJLQ7o6pfpR2LPQF) zBNuUnCAV2jEMTL{{tJFN;J*|Oq0abEmjJu&Ons;P z%lF4D{vZHhWFm-tqBtJ}prBs_Kp5pmqyl=JpEEF%MMtpDwBPo*pRNDBF1_E8@UX6J z_USROnvVRc|DFZT_O_;JsC;!Nqm#Y!zK(~`_vm#Y)V&yrgLhlCUHfufKcU{H*|6a_ zcd{?-$lhIRpp!-xjnj_UySllqgUoSqUR_^{)9vFao`^ulCV8I=Chc|a@Z?3stq0-H zjoui~X;C@7j_3O7O}|6taynSLr4sJ8^K%*0_Q#6DTc^1E&8OK&Vm%>nYGSqju^MWZ z@8DG2okycX#m{WBR6Cu|-`)1?4>`ekLl;&JgcT`LCzHhz%Eze&e~ReM6$qg_( z?cUT`z_hY_E5IAjJo-AL{Q~XpW&s$}?ItXCx1lq8hPLZ)A#4A&di}Y+|C?Vsej)$fE{m58Pgq*~ zW8+KQ*2>pIviyzrjBB@$v)#78EdLX!2ZY1fY_aUpQ|V#~O&;gjbpI|e|9hj{2?&2J z0wV9Jd;;l5IPM5@5fSca5G!8)y(9gq2BT&|{UxgP`t(Kdp1;o@fj6Jrv-DjM-BJJ` zp^Nw)<3zvbnt~PuO4Sir{D6a*h$^pl1Ij8-wV$^>DPRYrsRW2`l!`QPh%7;$1>#u6 zCH6lmA^(JBomxqXpo!ZBfEU*&vH#86wpJ3wb7UEpnzl^N*(ZbNQ&T3HR!Qj^u`Dhm zj(rWW3(>@c@*a$%Ntn)>0w-gkAGRSzwICf64lH6fEBC=MZv~w!$>C)o;6i^RJvrD5C+^aqARF&WzSDv{7(^qyel-t zA~Ltmbdpx54*UA#QFfz}$}C7`iuUC22C;oMj>UQ{6X`^)$}jfumWlDI;&lr>DOT1t zz>T0*r+%RIBkD*Iqz zyhP%w~V<{p5w$Eoxa%NrA@s`i1KZ` z5=aFlm5;22B4pEo+SDqijVNnYd3TEiLExmZg$~;?Dr{Ai(jK6X`+jAL(qssUIQJ1M zcw`fbjb`@-UF*^2vMX3p%T>87?_TtpDy{*4V)Y;lH>-9JEsO^s2D4P;Fu}FZ71~v< zvtBJ2JGbu&j@wXs0*^mZjt;k?h>kY4wL&2bU~4rDDQMAQ*5*H?=GB>NMOe_r)+ac# ztrjdtnBW}n?|M|W*{muR%Z@K>HQ^~qr(2l>(iqWV&JNhIFaDq_p>{XTOIYlV_%lBU zUvfUl6RR~cBXhSRd<)eC{wq{NqYD5+`?f3Epy5@ofk+2vQ4corevi=~u_k}is|?i8 zrd-k_yj;oymt4CT%#!GGuQ1-mSYugB+Nk}C;*_b#U{r7_{i@h4G?d6V2+p0lbQdNf ziwLtqa%kM&R6Hw?GV97!t==QjZxyB3kf=w=X`#lt{4q5UT3ynKdJ;C+l2K;Nll*XVFMyvCVPIAf ze;6{-c!rD=QGjKwOT6Qxz)eVXDVn<+JrKg08d)3^*<)r!J{Z!&Se&n_`W|d~sg_@< zfmD9i{8h;beXYQfqVHq_%>+LO45y!{4aMvQiRFhrI z84+HR--ye?sayxxmLc_e?rkBU<+E*r5@pzBe zmcb5&Hi<1mZ6LBlj69LEbs*wI1WhBTK@u$5_y1605oT4XseJs_yi~U-Atc1ygx0Dl zg)*4BFl8|=(WX>eS0k9ZS 
zq~P>hBHr-767e`s53l==7edrh#-P8%s9!kW1!vLUd7U8Nw_Y1&aCnMD`)mI2Ps?m+ z_3hV7TMk3@UaO}sd47lVi@W^F3xB7POzBUv8SN9i?)7BveA0a2y=XSW(`iwd;{q3M zo(E3jWh`M{&n@-{I~+&d$AhfunSfd2Af~3z@KnxX8#k!!4c~)G%{`zP3vk{MYS-U= zUtPPyZJJ;1#WQ0IZ|v+xR@Z!f+HDF!-{bN1oeVnl-jVNGs zo*stPwg;AsT23ED#>;c>1%0jTUdDpcZ`&?+miKtP;n76Cv=^3)s zw(44DU*mGj=)9TtYu_*(qrbI%>6Zuky1(DN%@Tj`0j?WcuOIg&q}9?3%x8WJ^LvRX zuj1c*?zrPQOpiAvm#HsW+qjL?>~aL>>aS6A*iSw^zh6K!NAvJC0p?e0P=Dv=xV>9; zPXd+~3H|5aZuf;5w4KJyE7a|~0BCXp5F3OKX+HBhhBfLr@{|f!1Y6SKD+hwa+=0n0PjhS z`;xW$WpAS=(RVflHg5grGod_Fn*Uv;HPT6Sew{av&^-Tj5B9Z;j2?Pl@XUS98bg{z(b zYt?u$bP?zW^v4AHdwlJd&G>)Vee-QTWCm(Ae;2?$`L`|KV#b5=K#Fch3I?aZ4EXVrxURo+-zoI(*VU0g{igc?2rwrNa#NASpQF$_as> z%fqbNY?7Ub9FO$MzD*!xTa!pzY0;e!qy6uvkh9>=hrkRfm;FvJjnsSgl#6vTX&=StJb;tIhCaqqGHprtY{b=x>Fh!Z*q!lTfKAd*Dx#H#H!t~3hIB2l$ojpe~KJygv&v2fthzjGSA?N|nCU|D90j#IQ6 z=JP93LV_z|Rm?7MLNvEz_~gOyrwMfdkET+I;_xK0tKX$i7Z+Hg98G#PSZD%6OSni~ z+OtGLBm$A}T(vO0#S=WgII<@1d}K8%QEALh}mL- zMvQ=&mJZ%_u|FIyJELBl9%H|=4`o+624+Th^=b$qofIYU;Vs5_lt?9;lrM;gB5 zyR30yh3Z>Jk+_Xy)jBfdf22|Bqzy>aXDP@OGz!gYtne(CWc#)vIa@X{xUaTJaUw-p z!?kvt{>IdnUR3iS(F-pt!0AHohc5~_z$U<+b#S011QE@E+Pe9d<`n0X7!4tm!_Rqa z0=kQ>jD|rQ>qCP};nF%uea zcBpt#rHTpO%*&JRHdKZbW6F5a^IRP=LM5#=@z1sW@!eLj7EtSgg_4<~RwoC+C{{5^NWeiS#sAC6MSO zoH8MfJ(d&~e>lxsOl#F8-8miSEVPY6_vd@QB^vm!R6HWYYN5GdTvBRuzb=&i?+UJ_7J|Dbf1*y7%<2p-pS> zj`u~ZY9N1aA9?c~RPC4h&U=&Pl+DX=dpnO&Z*hK99hX6QYC7LZ6x>N(BfvGj-w#)7 zE#1qcKmKZ$uWKyZe7Et5@LBYE{UJ)Yn}sDe`fkH>u|7wX*L!7u6h5jrwq3>sU4K^d z_#Qi&p!c1j23y@0#%j{W&)cl{Ff%w4N^%oub&^lu($_zzxO&BN5V)O-q4wd@zAj(W zx=W7h+pw`5+Z(t0@1RxBXof40>)OjOIRD1$gzMy{0pOTQva(hEd>7r^tZe|aa{4*X)f=tHxFV>>DNs&$r!v0KHu5nx0{E1H&fktELNw@^`Ad1R(%aUx@BkHjX%Gx zmFh9~yHyEvzwW$uJ(>Kk!omA)THjR<*2HG5mxOq|4~}8a*kIq zzggXlmR6VlZA55ucYi#Nc9Q3K1!>J&V)K4RxX9mG)S-DCl$(|c>{7j+v)#S1gLC80 zalcLWo{4SaKZG#9IqT=SANTKKA^(U|>}T3Ed;Bv@yHq<#y)M#Em_mvED`>^v5CJMtMbZkq6#-W4 zGDjIX=~RnCrR2#bqKB}QV{9qRX|-&qnHp_zLjxe;xZ|AZ3&JxhwnVwJXyZ|sDhm?T zOX0S^3!sQ9k0Fs^PKep$D;o67pvW)U{%R2wQ;K)Csx%)bfK@(P;8vK;DUJW~lHIQ5 
zVlq^qF^>pjN%{>{Ng>RY91qDXMU9w220837q==f6gxt?{%@a2JECNzYWf5VBx^;1% zONnzbEToR$wCq8LF<{Q7niF$>bmcUzNpeWV3eMSjSB?SEcWs81Up(8n);CYe}(Ir&&{knRN`T4FU1~ ze&DA20qF;aK%lDDFwwsS(+T^6sDBS)+yz09+m*-OE;TkkC8sB{V5)Q@Ej`k~$Lyr) zN5kVnf7x!#a_mEt8>?D?ktQ@zmL`SGQ;|bCw3B%mAR{Xk35?#eO9vm3R>ofuBa_yO zfPs64;EhHgYBN_e6Sja!mJjpEE(qpDz_qDPZ6H~cCLpzMNB zxH$Ym6f?u`=6_DLvED+}()yhMtJ%NE=rdP^?cEZSUZ_dNkcyLLGFFQfj^6G+qMB@*=1-uxJCiK~FJa-U$1klc0wDDsmJo_qrvZ z`M_&(I`K$H6&=Bq5<@wXnHEcu^G*wmT;!H7H?5m&`v~_X$-F0P#J`D-ysSAnf-95DsFL5JcvCxOw=PjSMGf9TiK@KlXEY zPn5RrS;XnrH0sXY?LVDSC(vRb*!s-q`_VRhvzuAm^S;*9pBY2%`5s?Q*PrWn4W4N( zrVb+Sb1{IiSXnv!)y?4f`;H&zFm!|`s@t;<;XB-562BDj~ZR)`2&adNj`~(tt{S-Tr{;8hz z%}gOAJ~cDK*8|nr9Y8o?ZbxyS{QD_C;p4%_Lp?()zArMzOGxKkoul_SxSGc?N4l-| zPd zclYtUF#2~9UE}El(h;IZ6LC$)i2tmAo6o@z7I$&DTWteFog-`OBNfBtYS$k0)LMr2 zetqj^EbqF8R( z+-zj$M1%88(Z#m=#~X)@!uFPqRe!#(KDTJX4VTZCDN=_^JRITrePr$I*SOdwU4PQY z3gS$%KV>e|mFw#8+po?^r}QsH9kE{9FXi~pJr`h_yW8TxO<(u!hrMn)e)sBx{B`G+ zJHf6?@*O@dM7hn!925`NXih(z`#+^s&fRQ+j%(d7-W6OM?+s<=y3ffs?W@RM_ol_& z_xpwV-8|>TzR6rYh*d7DdRh0aBP?^>?ycN^Gt#?0?+E=KclA7e{V(^|xVA3qVAYIkkmnMzfW;`!M+>YSA8V-n@$dYw9lWsjw7 z81~eicClH~#FBPj0Ng*7c?2G4=&iD~tesScDsu6E1Mob9Ae5SY+QxW}+;>sKe=D}} z%xgh0QoPUbQeR|2ry+~Qn5n#r%DED+<6AVOhTS9&wT&}s<3M^NGWDnY4+V|QCT4yX z=ao&?QlX?yICdh7$|__vK=@=#7WuN!2?&;}mm_R00W5Jh$PtRf?U zt3r(vh#Jf>wmz1;ze zQItxP6+3-dat+V;5+}~V2DlgcUMMlfV&D_8K|8 zhw6sRN`qps@{%vTwWvK%Ua|?dZtXT!Z!;q3y^5l=LrX<+Y9l^lw`#*MvTOle&~gbP z&R?9DX-AQPWyEy&a%R_)UM^;14#crmut_-TJ!%>c*i}@^)s06kPFii|)}7n}FHVJ4 z0(l9bQ0FQ2Q4-ZuNAS%y6OLqb$;+IRiWWkQ*!6bG4~u~VHtmCtu*q7nYO1J=jh5l5 zq$IOQ{Y_uH05+hx;Isc^qapO#vYk${PEP((qM98ubp)(*yccACfMf*{cH#O!k4+uT zBH|#`qX1R7SKoMg7|wne$zM>)25p2XscI`zI*gK2;*gi4e+7s4a&&}dDppfvP{#Ba zb6mlLXk6O%a+QG?2oO~9lqN8gn9d<9bixhhVW~R($SY%#jc}dIX5@i5Z#Fy!DMTTK z_mHV+Ntx;e38d0Nb5o~_xRYiGKmQqy+}3h0o~(iHKgses#K*9c3fnZ(iBah(>NXCQz(Gz)U%Z#Zb@-QZLFOphnVJ`t$CRG4*<0hekm9c zKN8~Q)BTE{ltk`z^@a{Jf?K1ZVlJ&zaA+(^+lYE44tsc6IBX{?2En864cLJwhSC5tn^2 
z;a1ZT8PDP(Va?mX(=M&g?Z&YGTc#^p?|o-T`|Cd8r-{!Le!tg2A--D|lPdQ~8BGIE zdZ@nt@t^$Gm-P>T#ZfVThq?5{$L5Xm_H5eYaDI>C+H0M;{$@$?$aN>M*45AJ&Fbhc zOLSY`$L;jjUr+7lm0fFxm7){Xbwclp&zDd0W@Yyt?_6-dmaiM}zfAW2!kpfrML+BB zH*Xle_G@ppKSKNj&wbf83`c zcq5lSA7A3Ojw`lvC>-03#H)RlXP%qHjhyHD*HSzOKEnMUfk+2H^$UJvQ2#Cez4ce1Y0K5ey;2{J^Uaeg&*4@Q8Xce;Lb!C5=+gBnC;sRw}&7~dERzA>| zGFg~G7m+Da;#s6?NlClY>a>{1gpAucgeowBfMGv}FDuly9D-g0GM1o>>Nz?)7UbVA}g^{ONp@x%|fzp6jKkaI2YI!wAmdnA{Drm{5Wyk()phWYh z>bsKmG<4%t{DNdzEgQspG%Zruas697&=tthw3t=U{L$}w$e-W!yJPNsHVAIz zAnK?yh~#}k!79<0h@xAf{+dLQB^Z`h*u|QpJq*UA8B*ztUe&y*7B$%t{=yS!a>>GB zDQAgvr9QS7Ppi!fkEjhg6*((6DldY7Uo`v5Q05ZQ4%c+m z>6(U_q2OjO|1BRe=N6_AV0Esw?kNg1rLvUt@kB+{l)!E&q$o$mw=+7MzDXh6!f3?eRN&}cAuxh6V|c^JhtS1uzAGofYhmv0%q z`K-poN(*%P{%H<$l&nY){73qEDap*RmI0wG1vDX=E(%FhvS3L-Bhm7NiP6!04grU& z9lAO-7h}D-vT?})GpC4`fD#TLd9MQCCRoWhm=Qfuxv%JHDp?d zl1y14buuKzR81RG`WPFO0Hf-cqVmBnHu5DIPqV$x{yLJG`)S(UssF-fy)|-R5?m>8 zYQ_Im>3haCpK<5Vc&UCNgcfpy7gT_MhX)7)vVjV4fk1(=DFzT>qBvha;QGy_Y<%zj zoOo#Ppfl!~Jzo0^C$%rs^U8Jo)V5XYq&wFE%-mRB|7+C>%yL-=gzG_9H$$RMBvsAaP^X#%aUE3wm*j>XZ*S@|52eGzmTMesdSY1mVK<2+&g>}`K^>pG{ zu1JA*E9JAolj2qKFms@t)BDHj2`+HO_JW{^7r1lXpYOh79nWB_=kxESp3~)}*k6*+ zd));{;qN~*QyqOM?aZKWc4fW8fAJDdyLlPqA7tvVz6-EO-<^;Sq2Tw%^U*PWBD8zU zMkCOBn05}v^t|g@fP1lh-c;4IuW@`0-gc$>6#?>r55M*BQ;@SyJ6RJO(-chCFe zbh^aBvg@9On@!7i2UOYn7#qKgy7NCqeT$nf{eeCFz4U~xbCKHq59T~l;&rW5z5BS) zcHVo`;>DACn``zy6g?XTtDfFG)%aUFOWmHStvCFhz4m;K$AucEjR=IjjZ&~t@PO^ z>$`d1Tu#};*SB-^Jx-R_`adFm)V4g1gsaJWzCQhfV|-0m4Mw8PySu%Oz2AP>c3*Xh zw_EAC3Uh6v;Ze`KOJA*}Yu9p$pO8MO>wnq2lHKh;|8do)yW6?{Csu72$NM!woIvbK zSY7|^?5TbGB3)hgAszrU`~*fl_&2P7=GRyG5&*~3)_l&CF)6T&faBP%Hpd5_947v5 zz;R!rul(!PS$}4hlS0VKNLVW|Gr_O&Rw95h{rtCypgJyj`Im_SiU6c?g;p1zBeh5y z34#o_@IMRZvDru8^y-!_lPC*$n%Q<4ciJqfB_xXgms;3yd-LdRMX?B>$0 z%Krh7QEYU7T{5Rv&Hn?DI%6XV7sRN?L(1S*q7^m$c@d$P6?_S~pG2#GEAQJmUZiKs zXz7SeXOr@w}iPEqe`Bw8Dtz*U}*sZMc{vslCu@E%DZm?GssBpk?&05DBc_>^WlnGcE zE*jPH*KtrBmT)@BTI&oklT6zuDc8ah3ztK(q<}$T>|P;Hub@A6qHJ8!=;|w6B!K^D 
zo1a3uT~KIkvgD>hT6$zfN!07rJo6k**(nA>kiXM1o#iH>26plVdLEWzMpmg%6C9mNm+nWm|Jv4&rDSdz`S zXEn{LZ>v(4vR;F=ucuMNaS{6uYaEDj62A7TFHDQH?`!V{Y_D$y(vCSiAOXj}?;eD) zY72>ja|le3=R*ELstIzrWxU2(#^<#K^OvR@^dVinMgy^*Ow7n7YE+Xg^LkvNT#P() z*fDBMRjS?k;P723lF}rttFkY#A!%NpAr>8nQ&(nk<~3fthsBgm7~xjxpGLW6(*uY@ z#Hu(c;=v;=cwo8=ya)n58CBJv4l0&y35Ip-Z_!a0 zd?Yp@e<9-r%i>WBQQ;^SAPyOsN%$7OqHvNf@P7D7ct!%G@__%s{whB;i*WE!(IGGxl3Rl|Xu! zbb&?yD-{ShvLZE3pj4OgDAvw4P?!ask|JmP)cHjn>tH3+37;>w3gya@ijHPh2F}V< zvVyPr^=l@(3lHij2JM-do{fB=hmTqjMCg%?A-g5pD>o;Frj?%hp#{?YN9}OyIX?fX zQ(Y)**+QX}3QpcRHOJUu6^kfFrX&v9z;wwnf!*?N4=_`zem(lqaaIUdnz)Fc#%)od zGZI6?5m43mJ@XSzbhy;xm{_c=v2NZN0$I~9nGnUAj9LEyU^}iz!IID!fAb9x@IMSJ z-t{#*O7{a0Tnr7S^fS%}5?F{S1|&B31N~7>dHcO!KB`}q!m?pmtM^)4(awDtx#wZ% zI&eF-z2IhZT3p=G`3yY=zwjA=nI!-YJco+1lj;+x@f~EX=(fAS{&6ShKO9}vi}1ba z{qTR8>GSsCVL8Dn)h5tM^;fz+@^ef=?Q5AxV!(HPe__^kLaJ|`x<`WF7EaS}VVLf} zm-MOWXCs>Dy};A!f7QjVeqBNLCnWKG zr)wm6@6RX{U#BI!-+Jc*g6{*n|LcS)Mew&4`twhe_f^;EN;UtZ*yAZm{ZX9{pavt2 zZb!d^*VX>>zIK(L(Y@x8KWX&~kcZLd9o75J#a~HqJ22cINucYtzK`M0 zESD?%X_NX(`pf1^TTj1ez0a%s;|gqJ?Q`y-jq|)^@#br1LH^3E-QkP7#_iV-t!R(y zAZWb3U!1q(x$jpAKd+O$a!QR>>eha;x_JN%1#r$LUoFAC<{2%81 zf&zqm=C6OwGL-%g`NpFLer>$Xim)t^nx`PMRTk!N`|~vdW>@F^4Pup(Gv8=RzB{Ae z<^N~nRU8f;c3!#6WU|DZTB8kuj#TfFDWoFKSf^r#QHrT#^Q!0^AoEefo6u~k=Bk;3 zEnPKFe9pX!^Pc+4c%xQD=XssL0IS%-fTNgi*>S^4Sgb+F!27CzQvyY-pE9{{U6HmT zV|1u*ZAy`jQhKz+h&8O#Aq5p~Ax2}-ndigRlBkPS)hKLhW5i4Y%cYbkn93l<(?%4{WW$wMCeW^d{W=H@zI4(U;`P^dUe z>Bhiw@*<%ed<|j44_J4Ek^bYtgp+~5uqdQMB%&0j!5k(THPt+bIaQ6Hc)1SIYac^x z!ovHM9Ebg`6s@|!Ov(`^b%18i~u&HHBkvJ5cMLhg4 z!6P@8l(+Q2zxx@6U8*d2`ZMyE?%mMf$WaFpIP^OY-z+=-Q@#cu4JuB1g z7|C3jV#P<+;4>LxrA(<9my$q+JDk>`T&oOi$%3hyNGqgHx6UCL(ItFNha|QH#-awe zT_{&;1WO!A$WH`U=Hebvfle)`R*NDiQJV;t4lsNrDl|6?rR*SqJ{CGR>JXfZ@2CKA zRhE1;V7M6HJz;9`X#To?$KhhT>&MVN?>#3?f)~LB)~04N=g_Gf7xv?XSJnKCTr|;I z`EU%E(pk@3M4(n-hT8IPqaVms&)OkZ9SY;gmtD-%_qrJjL%EWCs;3X0NTJ+HW;pU6 z%OxC7(sK2&ld=O<s(e%RW>M=b(I5 zM3cLIPB5k<ml+cMlSg}C0N z{*N8!EjVO=4rYVs8MW;q+^^x8<^}BmaE11poD9MSS-l?@_QT9Fgd&I=x!pp`1T8mk 
zu@yyj5B5mF_MvarXOq?3bZ-IGXNM$@gQ~fLm!7qP?ic>I%xy2lnbTf@g@(E;&9DBI zHSRke053nqfO4s6zh{jm_tyj6^_Ey}AJ>~o^<`j;!C_r^D|DP;PFxq(6`rQMX#?xh z&~@(;aG{mT=zmaQ+e_%r(L1-6Nz?>Uv6LO&U6b{@y20_aZ+rT))hhyi2yG6>1Kt+P zwssUBWZmyhEA+5z@Vf}K`>%f#=$RMO)P9>SMJx04CB1{tzTMMYl7Rc2gQFE!o;;ko zWj*|kcV8}69{){X;lWIwKl_^iciAj!^>bckn00fV6kIn?07$Lgmyl{^fr~esoJ`GF zsMplg?Zi0zk=Nj+!DBbA^0dt2k0YgvPN^-obtY2!>E~@9Xo(<$Uzwn6uq>!`sGWhi z;h2VRO7tec_EBRC5=7B^J2Zc^zN4UN^gyubBz`%YD+pGA9O#~PPPe~iUDay(Yid99 z3f<344b)`n`QMkP=72j(rEP(bmU|>e-O`r{+*HS&%lnGE2gAZf+;%EG`-Aq25q`*# ztpa`5yB=%35d->cDwRC8j;Je-)^;Gg+wrB%ZCYoS#kD5QbCaW#v3>_fg&-mvkS%rjwCLh_30_OL1oaF!FRwd6 zY%7C&bLGY3WHPhfDtv*FN7=uLhik$8hOxYaK+48dbAT{(z3El=gxu;S*Uxi{CxF|> z^hThUFK0VU5YO57d(wmaL|3v1Hz8xZObuw63f$!F8_o1R@ zBppqZc6|1mW~JN!xWVK_Uvsh1ISlghC=q*6!ClbemWE&{tl$;PJOv;R%>R@OS6@Ss zCSJK_gTs(kircRRiFd?~T|{c>3kCq@$W7C5P%2*Z>y)#+^OV1TSY*i4nS)uB80M@E zwz9KiccqO%LsM1vt`o?C=9qS>Txcby(`2M?<3>S``2Jd?pO5~*V23t-|1o#lJKeJ1 z%c5~F^J^jO&H!$zc+EYXli@%xzBU4#1&-Inf2G;+>}oGVT9>18OtkLf3NHHW;w%$jC;cgJJMZZm;C2iV>+^@0)2!Ic(#)gDLyFMgvO$`^N*ioZDvZt~;%p=&=i}9uzlbid$@}IsKWc&qTAK|Pi)Z(cWmQf?zIjN+F zt)s^c%B79-!xnd%*9yiUg~a_HrwiL&i##=*FG5NSb`YpDq9%kYrosJNd1_)Ef6Klh zs#i|~b0AfN>4f@95AOUJi$}-G=r{1RYrfBOrb=2ua!Ff*6j9f!c>cEjPFt$@^lgI< z1)rdWs3cA?Hj8N?;UvL?LE7z`$Xx9?-)tn#`70!uwm1 zx$^Z6Ql6_7(Wrd8()IRI$<+7>avRS1-t-Qd5Sd~iWqCdb|_T%$u6xuw|& zaR82D8V;pX+HB*FSHRlpB!q(riEbv4OUxAhQB|vZ{#&InkU=_ZSnNlwGE<~|$tj-| z|DTN(GTX7Lw~4js{}$*HH{jmy+XS@V;!MPk53~ms*+3B1`uqS0HVzs1mPEM&&4LC8 zLH|I51GmNEp&YjZv8a{iFlT*I!;BO$!1PPDgD@f;z~IEv+U7K4*1yppTO2mjs8 z7l+P^2@%J}(cR8J%eAF`P?CG8<3TiHK1*OXbK8xaL{2ModxF^3)zGh^AuZr`eQR^I z{V;a4*Aw(5+_1hk%ApI%ZTZh-ZPW5ckye2Bc#x&_CCR_)%vJ|OzpHtkbNLu9!`#N5 z+zXP4m%|1J|F}(j+jX33zg3e`=Ig;uQsd-*n3aa*I2xVi3DMnWp@oO%{U*Lye#7>U z0j`q*o+irxx@pIb!50>h+lz0Vf)6)u?TrsY9nCwZHC@VX2RfDZzUnSO$6B?L2@FSg zP2$F_;!Z11&_id;WjmpedpT)!ouj$D5tE|7lJ%SWlqy2imd5(XDRkxePS3tLdVq~V0TL75?!ZdaO^3}lR`X3PM}8WB z5x1}RW1dutpJVjVRz;V`->4VC_VKuj6`xj9mbBZ_+bLp3&who~c@po}6@P<2iJFF5 
zwxw7(dZ*p}zQE0q2SxKM5$+mNz1+7!2TeO=`|~Z5i?_r3&BButCA?-5B^<6wUKYRbD%UMHp(rp5ahK4PGNRl2ap=D(IVXWS8|<0%X*^cw zXdWIVw3Hx*C^*`wj(;c5;3LTgcuR5R#l?L&bx&Po4Z@&qg1?9T6WFl`!c%S~V@+5} zyCI1tYD3=;@Hsg51NA$q(SClV{o+TDRVwuP*B>`4vqhB{f=8mlfo7`7djA?b&7ajA zP^PJnLUoh+3sq_slXmA&W<^3OGU5dNY}>yvYqY6^ax`z`r(Uabv>dpS8KZrL24;L~ zd6DMw!%V}1Hr!x4%_?2Y^HFkTn4di=^l{~S`O8&g3hm!ytX*_Y;)Ao4Ogo%4jmvyI zKfC-{>GS;oJMOlURlX+%$S4o-X!#Uq2BR)hMB4qWp;`rJ@*|q@rmv zr?fkAZ?{rdP-RO;;U_~mF;qUQp8zxFl;+p}wgpR2g)XEbe+o`d&-fB59W9aZXL$)Y zPoC^aXR87-Rc|b>Fs8v8*ZNN3ogX$f)kpmMV-^dg(eh;+zdpaY{8~|J@d&5&Hh$!Z zk9%j>A^rQF&pMyan;+G9gsQooe7h?A-OwEQqYt0mZ?UFXTSc}srC?Z|7dzq;8bJnS zzhy@!@{z@|zEih^ykO72LuEK9`OF$CtY~xof!{LyWn5hpTFMvN;iFO$N`y{r3*%>9 z-2_qh8uW2XvKIboV%QxrBC!$#VgK5{XS2i*?6W2s;Ee9br=>-e_fnHUEdLhOq)hq4 zZSQpAJV&9TUHMN4XL*$N1SL~#q_cBA+dfzZrYxpoE5gFz{M>jw_*Ka<3PVJ_R|zux z+B_8TmWr<1@<}MC8hUFCQ4||B?0wCJBXEFNe@AM7>b4|iNX&Bf&)cOEt| zn^9FHUFPTdeVVo&@iR$TBDe{u;DXeHfiqK@9!6!WSkS_tqRha%L;24$NA7CCs^ zvxe`i1E`5ScfP0Oe|9V}4OPUiFV-M8%~}es*C|&do~e?hP?P*&&o6cwc>E+(vX}1B zQ)Gbi2KFzn42FK51GoCl?z=RmKMEXMA=3M zKZx`I`qQQaVhtAAmI901*2YZdKnG_V2wVHWA}I=!G4Zs;fDkd_W$_mz+)zY$mT4maX@KgIREgKx{yvn~QHFGVh)3@@X+dl|2`|{#|o#t3h1~C&f&!5p%<+$Q$ zn1pfoV+ugihmeWq=_=^|7U(WK#@8mL_hh-}t#^s;`+4-Vu6bl=-@AA%_mYP78UGdG znFkt#3j8@}3%mAH_qLLFCuJ4t-$0@&1z*>#&(svk z1n(A3q8oh;8Hu`pDRas<;y}C3zj3L0=g01k(2-VdL6^qcpslRZ))e8>czH+uZJ>Zd z{oJioE1>g9KMwsY%jwxL?sb*|;B}g38|%C4!#u;k0vvzM>0TH4FD z&aJ(ZWwn`p>}eplE9#p_T9ZZ$F^!S`@xMi&zFkiEnbuPs{{KT zs^Gz1@6*BgQ5DN7wN4d(>P{#y6J$o52sFRGDZX9=_+H)l#`-?Q0neX6%>aV)Isc>U zcP2eaK}ZL9zI>L9`nsV=G0^^;rXSFClDT}xB5*tms)5Vfi>f5L5<6<%;P%Y|3Np*L+8F)lIhm&)kn+<%g5G)<(VIEkpYw|F5iV zPo$bQTLJL)Ds{V{b&HsGx>*0N6erz+f^1Jke#TY?aU6Y1=UabQicbrdXQ$8e>m$vd zdI@Y`4=ZRCAbxjOJN44&*a?~ILk%t4QMmsbwf{w^S{KDj2b)o$LOtr^a+X<{a7i7U|W3s*va1)x1dP-{Jq8qoIxKeM{>CGo9%9|N_Y6SeEp~0 z(y7OL_^xGG;Sf`b{BrMu2MSWZwltjT} z9^+6opP-w%YZXh3+etwGz%{_ylLuwhn30tQ;TqZx;fUIUDYHTDYKF?}bmI>t2NgdP zhvGrSdP#QUTApf-Mj&NA^RGV;5XK-YQ$Z-HtfO$vLKE!PuAEDuqV=NUbpuvE@a81y 
zv(;3iRI-cSDTnb6vLd!sWVLOJ!*Z+wvRyjWMthf2w2VQ!mIYM|f>JulIWuZSYFzsX zMfPJn^zg^~6!ZCl6&uBp^diG~j_AiGM3yMdP^lN8{jY!w3Gu6#TVwym~iapx_W4{Pn)Lmtp z{X~o>__vC)s|9)n@{dk)-bjaX5~i1XURVkKqbt@dPPV~)rG^Bwk{qrA&erh({)l7&glqMA!}HD`Y?GA|cU(t?$`i?+=( z(e@Prhj)~0xha6(f5=E$uYV+zfXRqd-UGq+r+$X8G+#dQS;cAE?m;%ZsDET%4 z;c)%-)(L$rBtgF-O$>*y+y~n6Eq`3Ar@WG6Fb>nANxi}Bw@=Md;(6Zu+4MPl@*m&4 zgisqSqIMYw_1Huz1gH@;jmA~86%~}8>9nRPw^h)PFPA~Y{_nV*taw$dJ!OV+lRm^n z`)XdF=|*NU;{%;Jvm6HItn;{~aoq|>RP_$4aRIC4cqV+#d@3=w2=<1z8 zKmJemoqg}VseX?Qc)dPQQKhe=PKeYI)7v6f1IHq~as#{(Du0h2a~nx~RrL;T_?9fumO&+sW4 zEsw#L|4|4Jgf`$3TyafGWSvbtGwyJiE*ZYdv+j+OEn2yM z8MY1g`)2pts%R2d)IOj0pAog*@+-a`GTr{7=Mg?wktH?UZ5dY7mD+$_-^h-~6ACp> zHY%NgDI7N*w-H^RJVg8tt8R1L05}t?x4%TzJ8x!r92*Cvr_paR7t`J^s;6r`Ugx9r z+%A3292ytFgqSyQyw5|S@0Qr$Lw(@ZnVs)ar4*6Vo%hj9w0-xX^|+nuA;MPMMc@u1 z0@T|4X%(y0x3yz_@v;UG=sXtv6uitBa8+}r$?n;E1I%0{eSKaN5Ye)YF~9ITt4@p> zp70g8Y@e#O4RAVbel%>#zrLxc)?6xdBr<&7{PSYxM#RBySr1{`c(A#B(0yEriIEBe z3UX^*3dC*P^*iG7ED7;>8}I-EiW??R!~I{PvK8AMR?UV}W4rIVD_J_O`UkfgJpyba zUvR+}Xs!Id?HfGj=d0~EEl%m-2E7xnOB-7+8v@fz{zI;#HJ%$m0yR<_YcrS^S%S&J&`vPAy#4Yi;k;jMRtzv5DQ@`^&0GV5!#5j=73G(geA7xy zVd2nr`h^Ru&X~z(7?!NuyZ-Y<{D5Dh-nuD=r$Qq;&+Fe#>4*2$c{7}%mX3&TW_09F zKy|8535P(=_{FSn4X-r223HPqMxwx`Cx{_-W~jrgRf6nX3r=!uVqr8lE!1Rmn&R7W zN%w2ns_Dz1qynQ>d5B~ZhQ>9b`=Uo!#FCZd394F#Q_jZiFAGxI(jZLufIc?nKRFnn>`$Ab8=GWoyIdJ9~nGT0f1oK4oO zW1Hw>!3ZZ8z$el1Dy*KRmtjR#m(dHTkCy|7zrh- z%s0rlU$vpkSa&JwI++s+C0qGYTen%XN|K41bZBy#IgMz-+gP%ERz^g%*aaLy=H zjDC?Q63cGoa;Sq4_R}ZHZAwtI^Yry7Yd;~|!cv#9tb4&knflHh_P(hfY@0^@j^`Lo zT2c7tsAeYW)crZoI_G)WaD}KqR0wr*)fCoI@VnophW~u# z@(HHX&OTl$n(wn&v>W_ni|_JPjaTfedY9G^SY;(~ui-GW`2@R}M&ci{G?kGZY6oh{ z+1K_clrvZ}2K+^=-gxL0pcb0=oQi&irZ2+NiLfpO;Q&8_r(ymhB`0e(^O_>=f-%Yatl)#fnwYpY z#73qGzV{AV6|E}pAC%8e<91mOPg26FqZx-yr8Z*o7W4bGR|IpVZ_{s5j$Mm>#9k9t znbGFT{ZO-#I{zNvWGA7DC8s^;7bX2V7vZW055v%)gDYRJBHkexM4!R*r}~>!I$6i_ zhf=-5&<}pN3`fs&k}Vvnn-eKcHMB-kKbv1dNseF>F)s>L*30WtbQ%jQjBa!~(8577 zjEnrDUq9&onEV&oljwR%3RaXqu+2RbdH-UGM^>*KFLCjHg3zNvpYMIWc(BiuM+rns 
zwUXH#WNh^@Mn*j$htk9)1IV**SNY3gO(_}w>Wtbq%_;5Z6~zlR>8-h>Y}7akw5^i3 z3{G}LyqXPyA_sV_ADa_wj=D|&J!4Mu{N@&Wa(Fm#8Q@$0Sw?-YH9I1^$??&gZsJ%LIwFv;D^Y znUgjw%@d!`E>PyKO15140fna&J^VjD7lKWc^~u^-{9S76 z-z#o|wWth>HF`-&KFUfXbY#h@@)lO)UIA&lZbGy3Oz&uci;h^^N4`>?3g-5A6^6E| zH1qE#>VwRDzT#Q72zl9H&Ol?ocJ3UM-A!IoOA|>;nFyNZqWG8_lv3S^Xbt>XY3(IJ zuax>!LD=~}Ib|cRw!aS3EMvX@UpWFu2Y*He>pi1!^FSZ9o8q3QFCW(Lm!MtHJTgfo z-jJXbnk&-%UNG7#-xVn~`FF(P&qQy_Z%5moYQfLj45R!TG-%Bi82^nYiET5Y^d51L_>)_PTB-Cp@_WAXJ3aDf(VR-;h!e9=hxs^*8H0^el&?9|LYO zE&cAP{YR6JshI0>d|j7&1-INrNDDTQ^XMo4FCfz0%GRP~u))a6GUSC-qJb2iBQ{a4IyNcBQQLXc7mkZckzo0m4 z8D(gF&@JnzHz^EwoCkC#zlvQ>xi54dRbTDdR*vg+ih=6QQ(k4CrbaBwJDJ{YuJQD) z1`9m_&(Ds!2#k99_j1om@<$^6qZEJ;)E)$4)RcCgZi;}04f+@N-s>mNR6Q=%xXy>; z7qrNnUz%R8W#ApUg#lt_&(yYP-)6wjK=)Qhn$JP|B#j74PsgzGvZLo_OZd53HStS0 zSFS(=+GZE13t_XHr**44d@v4D5MX@7b4KDiyU62z(6{KY?wuNHnRVUz0u6qG@~uNr za-*TSKVCFnY4E+BcaT~kG#Ke}jAcw|mO3*ukGcD~V8!d`Bas_74^Y~S`L~>R8w$YF z@O7?Q`Xa~AZ_55dI7l^_AOG-&qw5!o!IS*KgM*W$GiA5L`qW8rH*7aH=ll;P?2gqY zJ@Rn>d#wuMk7ja9)nK`Q%rJ{KDEm<+z4MNTa18{z<;Ej6t>MaCxx}=zyvHZxI*zuy zqwK}ZT9_r?G(e<^G=;z*%);-{iTl`J2HIsxNn69BGXZzwtLHslEpTEjps{qiWNjPtQ6^)mUfs%HYzW>=4G+#@!5@1r6 zD?!n$bLPNLYc~<&!bIb7kNR-@8x4%Zo+DPsyD>2#e8#9b9fG@OqTH^1x67(lTBLL$ zpeAl-sYbPG&KO^C6=*$5&i8&=etEf~f$XWN-G)~(p-E$l3KLx3G zdux1bF1JNy?r~Uw5L=m+fz)B#wTcEIvgr6^Wp_a(wU~JUX>8eHcCEh};GvyLX3R-p zjfRArJDGsqAE{CfB_HLb9S7uPhtL%Z$iJuSP~kBswa)ZKi2X=ak~zIu{V*Bgkd}xb zDfXMSO9Dy1*{c6%IGlC|jhw7d2zi#nC|rbG>&0JnX~L2UQC=I4SoYJtq}A;1Jf?gT ztr_-!MT_dcf0M~w#ms-Sop^@Z7#?j?!UpAWrJGR{9p6Va6HUl};-RA)3vrZzS!-Pj zt+KsC@~S~t{PSf2Haoy9KlxYsZ*6NOCM32zB^CHAwX|~WY_d;mJSIAVg7r|tODK2$ zv5bSm+ce%P0N1kZ-J6Uux)Bn7t{SFJ4aoP%vuh2~P3iBOGwEmH8Fr zi)j1Obl{d>=8QZ51I+Y|V*5J$Y`ZsX%*Sy3m!tNi9=&L|WUrlfBm;qV?A zFWmeJ8-AU~Yo|z6HJjUQQ)#gqz>PX&6)2vl{kukp?NB2bM#qm6|vl-sn2NP8Blvi2oE!pODBXbG8%P{XG2I4%a0aD*4#Xl%`>A`^$x!q&Pa zaK+kn&7*11N zEHEW?P??clJ6^uuhui+|f|rBzbk_ZZ_Wzbw76s6xw2y~AW(ms*(7%hx3y2mf>D&jHlSK312mm5)_`oct*f>s!M& 
zX22#2ja?d((3+loGSa<2&)Ufxm4K&R-MT>er^mQiir)9BS)jIV%pshp^J=@+{^hpu zh?rkzch+#J`6Zz3>SS@|Xly!rSzs>^1y%3uymbbvmHtf-y1&%kIt};e_@L3|eQ>ge zf7`jmceQmSvLLGYYLz{ezARD)%05PA`L`<6p%}(f+cD*Q^uWwyu&t-=3pgRI@jGzO zq$DJ|x#3p3_zm)eJorpIkS@n=9zAiCPBr-Ht$8hS8NM!+yoJ{g8ZFUVfMUv)XnWSyqts-;e8fc|9gZu zh{=wrqezOueL-vS=tWz)o_aX_K6NW|`)pz&aC-gwCaHJc3;T6U>DpoDG>h-6v9IlA z*rkZiC|`3e^u}@pvzvitG`DT5rBkTu74l?(CIECWD1W_yEIPDH0iGC+YYIELw^;B6 zy-p1f9K3<{!*C*Gj{wk9c&Y%n#B%&(+(BSxfcV6HSk?0t_y!eyg}#EI+?r5Oqct=N zx{bqL7BIn53J7>Z*vCT2Imm0QHNV4piMvufgZg2-A?&6jcN}L(l=QSgC|F{lS9)l8 z?&VSR#ZHU`#6-uq*&UW`bW}O!c^Voj#7=p4^$GLEr-iRtgp1GOu~GO6F&uF5N!!vv zIO00{2pXa)=qRjSP4fh}!#asSWbnVtNy&AeDe#xcg=$SnuXij?AZbzlv}?3!SnPv~ z)-T{Fi|3miWibDMTv1@;am#DbgeaV2Hi$W}S55tSFdb%uYjTcr6b`2bKM9_-blV)u z8m%v1`aVPYUjU8BK5|A=j7HC4D`+)QI%ZgJo*Ot) zCuk0{CLLod>5Ps4VYHLpHc#1Ji!{iG?S!m-?OeK8jf~w#hcr#R;rELJnI~dGwrGU{ zrEC+qx;)Y}whI-c9A}2wNwOI7xSPs zS%XcgoVyw*vzUQwru5(&AoCF>#tL^^#VC$=AabJY@WlAX^qsNmLV>;F+4t`A4?9H- z>GWpTViezQU}=!UB3KEEGxTuC>Mr6z=2Y+v={afe_${Qo?)Dz>tAyHRvA~FQ7AaWW zD>%5zrWd%7YE7^h>J- zYoUFic2okCe7XxhIN5oFoWIGxGoMpN&Bzt&m#=(Yn<5)T!!AR#Wpu|>fDlrkKHIE&4PAMp1!f_AeuUt8(*E60GW%aFWhs2AH7RMTx5lq_j z+ec!`EEVNw${v*$48`1Dvr-hLS(pDvOI%GuD3j#Eaa)o3bf4a}K#!5d*4buK!sZ-C zu40KSPvf)l9)rFe2}Lx< zj^DTW$})=!B?W42hzW}_+=t3eQJ8}&^_8W1)G+iW?TpJmE3(wSRIP&^tb*cIK_$Z1 z)|I^931wtVb+ck)p8n1i$_SQIx1%OU$cg{GaUr-m5ZoKrq1w&tZSE1Dg zpos6%lp{_h7x0){6nX1*ymon*U*J(Q-wk$|3t4TFwc$TSA9yHX*;r7k%SnHoU|-C; z4CU%O^`JvObAdH$vOr^ZSDAOcN6!CN!~VkfT0V+R@KdRtZIoabMJeZLbs^1t);bEW zQKJgx-4;{nv+=wi5Kcgy+iZ7rP=;-T1Si8D&JJi`b?{~7J*dR&w!LVUEsTwVPiD}G zGmhcI=1O>QhNC%wX>k99PbuEdm~*nTL?UIyfsE8+D=bFsNVIbD!YR}fT5y2nd0lyq zlo&jEU%>Y#J9wH7Zf!Q2UqLBO9S(J70c%r*bg8?x&XM8by2jfLmE0XQnoX4|<-rGJ zqj*7*!Xa~!7UB}NryldvT&=8DsL_XY|63r?MKYK{VM9ox6$EWW)X4#I*=R+2P3oL% ztHF0Daw+ol=cEtyk3YF)Z)gu&uLxkGCp379MpZH;L?|}I^&GADmC&j)w^!jDANN3H z13(98;YjbI66pb(tAnQ7RUZYt)4KzV?RRiV{9Na0TKwz^^PjURc(i=lZ7(T!>}#|o z0Nt-XBQ4 z?`@m_GWk)Fv5SN?8t_|Q)BSr;Lt4r7?oU)6E?w|5lj 
z$(UOu0V=8OeDIyLy%aFNEFD6*gYy-xf3BZ49BnFmW)Dv*-Fmwf@p~x?4!{>l+uW`% zC28M|dQ0hi9w;2`UIO9I7mzd#zmPo)^`4Zhx6GChTrrdKS^& zi4(wm^aB?Zmh9SgLT-j%d#3?Dm9OVjoxo8wuf2^og8kcDQs49SP`ug)nuCsNO`X16 z$dJWlRrmcI{{s;X#Ba5lL|GxArR9DPGO6GGZ|D;S{6S1|KQoAC;5*kzLk8%2 z%&JUt+Vp;yT3%A^OOeuZWV(Jnmznmvy6DvCg`U!V@9{fUH@CRDi(9hEv8{0#9^}bx z@b*aM;1)VeA@wKaJ5^3B^2Dly zdWMo_jp{X?ySnd28fG2|w%#$I8QfG7hr+xx0-;Yp&}KKX733~+9K(_O!T{{}2t~Mt zy0$@qdT+VYMQ=zD3N}Anb!#=A?1c*w~;W6~;Uw|9VAH)kPcDn%e z{RPdCZ^FpA8gXK4#1EVW90}lzRKA%en6*)g4wEXjjeir#xzCWzS8JaTq>Sw$D zj93vBeb{|EwdYjsF{L^YmYR(PKM@zc!nrksRA>Nayb+n3U5j0kIsOVSrFT!eprJ(mx(*1*?cn!&rij`-#oZ>@0>kR|6I> zW1V0`tPV86wgS6+PaRnG5*~uJdcYw}{t;+JR=2=@`$v3#h%7p@dUoN0!;~X0+rc2= z_#r)t_c$5>?ZP>SI0)$_l-j&% zt{`%^{iL6z2Ff_)bn6M#&UzO4p7PlPoH{hL}hXdDa$CKmsqgH zw?@PMWkY0*68!^lHxJVz?H8F8vmm_qFy-7Nav;|`g)uRNq1}u~Rz^3^tJ#R$6SjEk zlr%bLU8pq0%9wQ897ac>F+f7qx?{{uAw8)O^wIBQj4e6|Ds`0x(P~8HO1pxGlKZ>d zpy4^9xh#(|15;z$HG;&2R<*{1!;Z`H>a8WnGl)_>N{PSjyra7LUshDJcM@5bv*{Rx zj-U+fkNUOX6&|Y=(PCXarTfasqV>}@6DfLCvTbs0c;8h$07mPa43a1u*zQch z$%w^0xg%nvb_(qVi^=sJL`jX51_-Br!nwn$BM~dU;;!fjmBgqe6v7OvphqTm^&wSo zHTM-ahS|D@r~E;pb}>!+^{3{yU|SMf}oZ%;|i7FY8l*&5|eq{ zV1>pLNo{?sLWw=o>aQxHe23|#IsYwCDim_oSJxAf_uGXn%UR)5k<1?dG1c5p(0=rY zK%?K}B0Hy1iWXU$u40}jXl`^zjk-Y<<;sv6=G?%YU#D_g(`oMK~t*Q_zmrsp&R zPr%W{8TZrMM+W<5#fyhQXK1x%kp7aAp}XA2xF#&v9rbNZKygt6 zpa>vd^UW2=H9Xr#(ctsU_4ahE-#tz%d?Swag~s2rY#p`SZfz>@`=;vF&~;%j%srxJ zKJE|8g1oP^8T@WLr(aL6%yVt~USg(wOS(Pm_vWHBBeU@~{f!r&8`Fs$1S}eHVuAve zLDS5)LmlOhxaS?D0b{_@tNrCxGMUbaLro;m?3!UIZ~Fi>)}=B@MQk=dQLXSb7L&k0Qxrtue#@9*m4LM z$E;PVBUt?mT7VoG`CdYr#}#>x|GseRJ;ZG3clXC%^=yLsW2I_Z#%eWs?<+F#&NsH6 z&NB@Z6;><_&(Ah$dyYxk23`pjye?|Q53Ah<^KW`s2t4h49Ni8Pfg~;Jhri_!CX{XU zJObIvB6(ek!Qb??}t*tak%SIs}DQLBG>-w?f`Q zJ_H9!hpN?m#g>?uYX}Xp_@_r%=B{;Yfjju0uA0kI0G+7G{o$1yEU{>y2Q7aGtxkL7 zpoNC7NU_iA?Y!0>)u^m(oyU=GHTa~%VRI8Rs1ic!iFUPA>6aO1bkRCkjlyD$c zH)~-%HPq&2!(QVO03Ux4P>~@z$tu>7m=L{eSDyS0!HtVipn_`8d&`c;lwL7ym^O^& 
z<6oCg+S!NgYVeL|Tq)+7+@l$A#tH$9dZ9~T{e%R3wv0R-Fk1lP<#w-6N~^Wx}T)8opuq@TGZ)ui7nVc411{Z;0O(95x$wNWeC0 zB&`U>PWo78+?sah(bB4B`he*5XcI8w@lWb=FGjcBaJh=Q1ZT|!G_oxyvhRU|%EM&x zld0yB#+~GUlVNJ@W1aXe4jU`CaE@Sp>5LkNb5xS?q~s zWaYsL`%28ZBc;d-dn1KoWE}s7be1E60~LeKVva2Y8@Lq$>ySnuteI1f?8zn!boa%W zIq!j&sO5{}IppSIGbt`~#Tg8;$LN%|$XZEA28x67DW9`YmGUTh7g*|*p9k+nUL#81 z;($rEW5*$!%yH~z}B2)WE;9T=G$0#xL%W*ZzzA#2`BaT!FEO!#G+QOI> z%wsy*q+jz|bPGBtDA8`Q6fcHVR90l<51U9g>(NVzW=}+f=zKQuq{sy)q0*N)iop9MhQ(Jb%hKd_>|R%qVSE8a=i=XVm8Xy99j z1jeiCIrO2E;gJ`#JbBjA<(7%J)OLLn(_kyynhY36UGGX&?0u~~dfN`L4nLY;sopC; zr>=#ZCuJMF?PMEn-PEZ*5gQ7b*KWOe{0ompLVFsq*99Qy2Bea1b-XTJzP%=JX!;y? zPy~2E%u6o;ea#>dhr1ENGa(;|)8E7g-2wF9SRC6oJdJlIZo2<7pdK=$68r6}jap^; zUCu%@25&ZB!ZP)`(*2z7i#=<#9LH-ULxKNf zhKYHDd-ZfxC`bQf#8ZlN1^(*`_qLFRo3I} zfnwL&8(yu*CCqWfNC3~dlHdD}WfIGsf`4a|23(rX)8&Z)@S!F#Z}Xzsl$me(-cCV6sr&=oOe?zTyl z#WT6+Y2|DJaq~9-9^Ljfjvv%Ca67fhHS%ofb&uSQcqjsFu5I%q*UoLmX{{nnK zlWVfF$-XBSD7yM?P+TbnOWa6%hzAsa4uuY$0k-3opx@%#pP<@JfMLLX1oLu_(>;JJ zVaM`|Ej%thE@U5a`@S`%eP8gED|(MehG=s$GWI~5-eE1jKPkpeg2||s8itHDO5oQL zk{i2TC2BieldhynL=#+%N-Z)>7i|rGRgtV=M+pLn6Ak$!Y$EGqn5>-Qa8nM^4}v#g z$dyGi@!#^9vqlcklk=(7LXV$6-o^q6Bu7L!*04^!vZSZTO5=@^}k z)3NQOV{~lWwr%b>>Dabyvt!$~ZD&vBoilUh%lfc?z^Q9qv!m7Gs{j;=8-x-J6)-06{CO-$ggo^E{?YllFbgesCWQz2aUqpjE(L4Cye_7+ zA})_{$6!n>CgOYxvOMS^5t>V5^?sa`UqtwFoE$hZPLn}6B6+Hz^P-S0#Wn~dY~hht z2a*9AQV-T$rHP-?>AUL2n0sVk31!6=u1uH2Mo#MT$xR_D1R~UE{4NWB@0_tQE#x2P zUlF-k9e#)X{To7vN-rIg@j9VQl=O#PvfO3KWnbDPamg|ZpQ0%1cg0gK>3-ur$^tPA z8${nnVaUlO2YR@ntvZ3mU-jU6@S497!o>vhg3vaaQ-m@Zd6Ck}ob1@oV|Y@*#qinr zEbz5LqD|6_BlW2H+p3bB)cZfjZwhCyq))ut22|U@8+Af%h}Vo2n86Qcv*1bwzE`R+ zK=CUzzr>l83M58~u0UKLE?Bw+`KCYeP2_U|CGH6XD=EV`?f?H(?6>abGg_xtDxx$dN7@cT9m{<9LnffO6f`|7 zs~r4cFZUWJ!E|mfN|UQUlyzG;OL3WUwxAwA#8Q!N^aaE!Fmg!PfV0m4dj>SN3<{dMB;tfJr3=BO1m;LUcmR1U! 
zX&UT8KeoK$@{FUOa`Df4S%o-89cBm`?VoiUY~)K-u3&3Zm}laKjJ%Pv5wmpx&~bm) z--l?RSWoi~F~vmY54&#!f6aPh?g>7GfEvnqXE`s3o4X4=*OyNc&930Qwv#a`Sfkd% zaPM?#1pjD{P6l0hZ1!Bo8P6T*Yve^Lm?la8g;@#eP$`X|&|WQs8n#^~F(WJ*8dpdK zs({)RT0j_b)lS!84x?2;*`TVl1RD2SZ#Gc3qOSAd%D3n74+ zROqKp$xkkUlK4Ixw{*rvXooT@1S=CY&ftOFiKyZg@7P3Fl+*}9MU-sJJeo{qNSB8t zp(2UGc7+Jn=&qUuvvAEVHgC%R2`8^T%wN}Fj;FplNmz&1%G0e-Jo1N6>hfJFwft7R zA+vv@R>$-`TFta?6^AuI)2A&{1`YqG`zzNTv z5JoVdK43s1zL+neJ+x>g(kH4X0QXbpqokJIYhT4!!acC@lApS|v;Oe7?D8$T+fV8Z4Cj$yx2VTv~C}5nt@+i=T(T)0J~9C)%NzT=Q|3uXO07! zjP3=E{kCVeb>EEOP@d<#W(M7vmC!$lf3CV7m$YsC1}06k#^ew+0R6)Vns%4L+dZ$} z+t~s769KntX3mG)jO~ZT!x+M5PS3J)-;SdpsWl3Lh2859@2I_~e|l3NlY=#j(;tHZ z(Am@=@#Y<&Dn;speJJ z-CKtK!38{qp4*8zvCXbC&F8F}GnMmwsSD4!oR_EN>~^c|rma0w;$ZTWyh=9=tgz`J%;(_;($ zp6y2wa0Y*tvtwaME-P1pef#AlutK>~sCs|d6oK-Z6^H?+DVF*4u*i_P@_y^ucir;! zgbGsMuh;llcQ93g-`IDEsB<6kEZcVRS8dxDPIEWxKUVkVjbM-D3w-ht_`3SPl{TH2 zliqvx13LQ?{zqg44D9>pIWP>^_%)3&3ou>g71&$hrc-t=oCeq0xYMbM(zLZ_S-OlW?6Bf>Y1q~B zcyW}H@DE8B6rdlodo4ooRMEhy5fUH*S_ua2cbsJ%zec4f@8M)v~z6yoZRFsYpSv6$CVECGVXpiA6bTBD+}1e#DL|8IY|DlLmrP)>xF zIQhwI-5~j5C&ddtGfBxkDq|Ig!th_*9ujeft~C?Z^q|i_$yf_(6UK&**pp>}qNbC$ z|H{4_qoM|76)vF|3E#+s$;)at&|*c_p-h<(bPiVKm_t)_Swb;Yzla9T_8pnue-k|c zmT~v=KA}JMUZ)M=*#Y+i4i0C)MDogQRP9p#M}Nf}Wf`(12)EtLyETFB}~SVDT%s_Q(*QMBM+CQ=vcP0;v&dlFG`t6a0wc% zxjN|%kpl5d;bqF>;;6=SBnG}beAeP+0)SLHxpok!6d$uQwgje)kr=N2k@52Zj#H!g zpAq?<9RiLXmDZ2#kF>M`_+laC8GRn@2S~{Ve_l?JavW9i$fxR z_o!AH?+w#)P?VaO@C7WWrXZ5acci-%+BXlfTvZ`!YY9t2TsQVTshG`O*ImYxH-qv~ ze=k01FDQ~gj7Gl~rX~@Ov!>k^nnS55UQI%2l~RIihzt326Ie9#KK3jD<^M3haR6`m z9&$t`?&Us1CBC{_)+tuk;7j-139OcbISexx&7W%(hSe_PYg|#lC`g0T-as|Y_XLKe z;4#yPrLZb99GwjDZ4tt}QDc8xwOTiKQ1-W0<<*eQw2rV4b>SvWhUe8Q%F*_JaL8B2 z6Qpaju$Au#mK~T-v7=eDLk&e^wfsq`G@%fom~F#Pr&%NB#BtwkPhe39hix<6Xat9) zQomryapYLtt=HiD#qCK^1+I%T$dY2dMj{y|kvFqwb&AV6`R*WZQ#Y$F=XU03nofr$ z5l>>%X-jCKNy!@ND(b2O0jjB}-!7Xb*c7>!o*aSr&b5)|Dv4RPIEgH^Ca+wYhbO+w zl;zwYl#x)U#ik!e!(vE{3({mQlGfGCz~ztQ+$c=SKb$$mIh}bw@!!#eh$F1Oa6AW? 
zX?yLN&i7dWAoO_D?|i#l2N7_RMvf zDidq7wE6LV(EZ-oiRd*U#n5$bBg7awRZxFijIe!69sF{7xZcyfJ!)4Czi?M#`$Y(= zbAqeNWfCl<1~{VteC@KiHN|k`cCTTZ!Ctq;@OpjGae}m+VbD~WJoX7+ex4dPY*^3& zzCOT@bigy)w!wE>p46?Byp7yX=|ZZ;u8V29eSr>HR#PAQG9xy8-ZxDf4{KRp(sb`E zKFiU|bS^Q>c5M-%HBGiT&s!>4HA)#>E&zinhOEC+9XDwmSKFUK-1MzSL}p*U&(`i& z4CQ=$p69RcS3Wa?a0DH|zXE69in}&8+~au66qVHT8Cvj^0nF%f-S+m*e==G_x8t}F zTbRSZ@7W+Jv8~&!O4%4~RP%VPOnH(3l+fFm+xiYuVf45TrnBR}4#jLwx9E1i47f1x z6?!)HY_ebT*y8Mi+Ah1Wd7dp9A-a1Lv^-zbyoGjO>D=uYi33ND^9$@wY%T4wNvD$l zKJwQ`2^}^s@4r2iuIr*W_YRs6+`r;(+5>exYzoS{=RI4#U&2$G-&dRE7@B6Az4V$3 zORsu_->x#gYoENY));u+j-Qu1Kbw^RopUJHc*peaJ+0HxBPl)a5kA}Ndq?ATI=6mD zi-^Bk)SrsBZ55|7n-8us2s|?!<}^Zcp8DXTCQYg4)BqhWI>5)x;p=C9v+MhwH^Glf zhMK#L?JFSS9uTkw;MD|%{yW+On$3Q{F`vFY4ZQb#N2SIkbYkVy#g$nv65glzs(?zL zd#`dd=qMfv^%1ZUdca{FT;QqKzH2j8ONK#u6Icg6r~?@rjz9^uGqp?CE|k(*2;4k6 z8xbAkwb_WK=xEd!Stoj&3^SGjXxI$c8ewKK2Kpx~A`B91K9%S<-YduaMHjTHC3Mlb z8xgjueEQ_DG7dYQemS$f%~NCYSJadEl9mnN39)Nw1-c!zYpyArq>CtcfVL_!;bNuI z$g_AZ^#E0Ps^w>8GDC7nIZ6ys^{5N9Gn1`b{iD5pu`=w=K{-LAvR*OC_kDW49XD^D z%Gtg)j_E}=Z``adyxb5|nW+?yBKC2dEZ>~6ogodW)&wXnDUmLwn#6))DVhQmjJ0m* zl9IMsO^74{O6y#!bzv=<>7c-}J+&_Ah1}4i07UT%b~5M*v7nD6P@&9Mlk$nWjm_$j z+1@ZW?)rskA<)2@R8**Yeb@eHB_*y>88K^knUpzSO@#13pa;axctNc;g3&DHV_R7j zTBv5lu}WOEmg$87#3-4#&8Xw7j1p^+I@I_dPO|exx>H^nL>nlO;Z0Fd{3EF(UHT-^ zOWu5^AWp~E?hW=mFwSbsGShDPsM#rd@w~yzRcP*2N3;||qZwH}Oa780R&Q|2dEywJPeLDU^i$K|yK^7Qr%D0PI8fW4|qWa>R^X?>Sf%`%<<0RxI zH@q*}Ze@(T09i*ra|Ep|6~f@}fk=in^~BUpU*GX4{{O_IuD=>M9sy%`!}bTJG!_qj z)Qu%A|5j-Nh$-u zQkRNUieZ{;Y6aQSCds|DUyZ^*O+WJ|G}^TM$T7NNjEDUMm`2*dUZg8nl1 z`@MjUlM*JHIcHx-H`jNu=!v{+kE~p!jEVXTCG>|RHkm{Pr_5845YK~OBZ``w>(v@n zJf#Gc0EO6W%|Fz;TICR8QkY6tnw`5f8{NlbZ8=C{6?;TCR$i6}iLyN7fo8w93kL_BuPb>e(*C@GFK9!T}4_(zkqOCj}-;3H+FSf@ozHK+%R z9wDkn;{^e%L=~&~M7~QH4y?n~2io?E-~C~!OJ^g!;;8OH43Y({DfJ5+m6G1=Yal2D zM5ThVXXd^>b8$+ZU2*4_4G3X!kUjA`=rWBXpbEsd3e3v-|^$BVmB$l4c7KuzmcZcFg>V?f5ZFC|@$71=3 z;x}rWge{ZV`4hQ70LN}(bvpC&{~JvJbEI242H-v48=|cD0D#ea3c#BHbyfEuXdhD~ 
z`!)k$qoA0_NsM`!{+&aW^N&&@A2ZA!B0M2uf@|Od@x}NNaK#5SdnLdW;r}4{XqY$i zeQWp!uS5!=nDG%a<}}wQ#qe?O-$KV>lJrTi0@m|zF@=Z0Q`_g^_I2RL6EnoHv3Hkp znCgC8Bniy4+gb%21o2dRXaCuiHpB2+iCQmtix^Vcd*sg2>Uj#m@qPQ0+IDx{LiTrj z_2Ncby~%bOG5d1d+6=ufX-sJ?@VMH1?)IMZNjlflggmKgzK2iQ0$h>xL(T^y+Ny5N z`fPDs{O6hdm#p2c*a>ef1zGXQquE2k}f|AN^eaEKR>}vQr0-fHjyNP~A z;QkD$vemo|KmUP~$pS1@>v7v%O_P!RR>YL;6MePnS zzmJF3vn;g-gl=<+!;hjG@3EI#ix!4D_JZn`;fUc)3()DUy7h?bONaPLz2;t~<1BB) zKi6$|$&)=zW7&4LOzQR#TY%5-O*UW8>BHs~t0pf5&Cl7Sp4S5Xvf+&ShP=;1wc%-- zjq25a{i}C#{4`A6W^Ys4WSoK%L+*Ye|_Y4(Tl#tq%K4hND z9Lmb*{pWK+c5@T$B)*pG@AM7T~fKLtoQTI;&n`W@% zf2-RH(WA=fcrYWT-q}#UrzhA&Wj32>SS!cX{#l%YcT+Jp661Ua5|;y2>n#h&`Kz*_ zHIr5W$|evy9Zb|rOasho7tSW?g`4KC)JxDMqxYOMa2PhiMhoS(4Q$*qw6{q#z+;@Mr2ow*n2<1Q-?ny`xat(B%bQ55r?xQ zlq5D(+|9jv{FV2Ym07GbntD-If#oa7i`9_rpgaQ36xJXn_(F^Xp^lIpmjPJyTcmI{ z;dtrrs3s9nP%8muuQdXmaajb4Je)=g1`K*wsA+lm~t^-k|rg}u!`cHX5rv`7%$c4fycz$>z z7sjmh2~=xP_gb@0YelB4+n4^qCLHDOy`sFD%|od|-K|v%U1kYRmaiNoaNaQ7SHIPa z&1A*oyiEVgzGxZTY6FP~KFU-^CBgyeL@8fp8VpnKf=LoVEwOg6BqUh{sR5LWc5z5o zvEDRCpBGZes99;6#gp^LC4WQr@9aBIIB_FbO3^f?<@4qZ+KVH&_-CpoUmAwBcRI^2 zA@{0^FZIlZ9K<8!gr6UEPyOEX$LJVtrLQx-JA<$dJZ*!<`Lb;V5y&&sjs=B@Hm=w# znr8*d7bHI6O4N~2v!B`G@OZ3;B<{Hg4n`=>Xb_UwNuqr?7x&B6;sdN9c#FuVIupB6>pNe7<#dgTG8;> zDdeBUIW6SeN6dj>lOqxQlu=V(2Mtu%lnb>} z)<3Vl_GJP%;dMZ9Jds(@@vPC4dFe;M8|K+=YOydPBS(iPO&R=8D$C?GMC3b6LoI_* z@EYMqXxJ!_S*EyMDpG0=xzMT9|7OMbQPP&6suWa|MK9;m6tMK6g^1|oO6tm27Mo8* z(i9)4OZ-`S0aKBmp@L6NtXriMGs-LhU8@{+AYidyHKgbysIX8Nst-mGm3CUy6eW_B zXp5Z@D#t8z(Yem6=8?xChpJ~4w~IOVt3s6T=9`;r{ud{+4>Y>w?Z+#r9^9P=2NS&R zLWNMDq(%y-8%;LWs5fSXgQ_KCZyV8pgu#Onqy*12Q zPB@V9(}qI9w4M55bjm*VuKNZ@JZ<$fEX4<2F=|}$t0abU4=v`Z-U1hMQ@fyEKxAL#C#(+4@fbl%A{VHrCXq^N50)T1ytz z$4dL0$u@oWPp6gvXKvm})=$wq5)zf`U3Vzz{bV`fK@0wLsKWmappenlj545MFl*L0D0Iv2F4?^l^^cEa}TQaLSqkn!#ew(XN$ zf7Yh_X7_QqDn?vT<2;XVnuuyt$_CgBu{vFQf6cU@w!r5FB5aXjOc+-CJf#LltLXY( z#W*!@d_WzyPG12YEDsBT{x#Y}a7W=OIYHMAE5#T#YaBaD#1W9|&a> zwEJmTVzh-8$5*c-JR=%7J@u23MMv(Toq}r9UZ#QT%N$Sri}Yyt8|~~~n<^X6^d9b) 
z7a|NjjjQxI+lSU}!>&t%THP7GF84|)MPE*@d?zC7Htl8h2kUTlz_A)pHpG)Heum-*jXiK1{ z3A_wV1qRA=K?*OSDbKyUP5^He@4o?})$kAvqoZVWDhUV5Y~Tm#G&04W6AMr3F(uu1 z7>DA9t+ZQ1pFuXPCyZHFr3TSrI74b{K^y(}iW?{xTcrJM>BlGUm zn|riD*<7o&ARgJ8|PELQr zb{)8j)yoc}TD50vqfLtEBoMjmYs^~C<1wZCf=0;JbsSa#4iU7VL|MyHL`W4HQSi2t z!*a*YlYDs&$vzzuM&>w$OU+81sdN-_XJ;r~Yy#)bp9rg4@!FM^Kx4+#oJ^t0+zvD= zP|(jytPo}-S1>(2RtSWJ%`%z3%aYaw;F&%xZIx$)@kr)*S+Nk{WXeJo*7wsvVS;U` zugJrH{?Y*NW~$WackQJ$isdRzwiMJeZx(Kr3i|9EcFnbhqDc^#h5Jrb&+I6qfe;H> z&2d)dAr7}O#@Vku2Cc}#cr&S54n_+^g~%8&72C9a-=oc8cT5&r)q-*Nsf3fBpzN3n zGEv@T{CssnSisnp+j_lRmk$*JiBD*OaJ3OUdVCl$dFhuwvqEex?p6Qn~v{tb?O>e#?1ZthbqTL%*ok{=#(SekappFoQ6 zv#fDODU1b*85OhQEl_vrY;>yS6qt}@#(!TA^#vemjyZamat7uQIDRuit=R$Wxvyow zp}@R_s{@i5TF@fld|dw|0rivGE^S@b0n-A~5g%21vHH`03OICBXOv=u5IPgZYcKc&QIo*dJUY_KmqwFW(!!UJ7TmZ!^RuTzn$@Ee^>v$(Ob8cM=B<~5*H+^8 zTN4oeS+5eT(W%$@wc{l*qC=M$Ho}mLu3B!_?x{l49ulgkDI@d;fF2pG6;8`H;hP{^ z5crR`d4KcXbW?Bql!+NL6X&Ir%r!Hl-N`xW?fq56X2o}l@l~1Fm{H1?6{UwQmNq78 zC6Y49lSk*wwHDK;|2d>?_){4ja04!ZN~30)dU3#nsqZ4|5~Pw+hDl&rI?Fdh`kvt( z6co6DbW#x?th{Ywp;#QLw#Wp2^s5PV;a`9>2(^?})1O|G3K13!7|*sJQ}FAT*-D94 zOX?OW0Y4Nc^@Cj%#TpH!tm7Vo(whHLj-QK&JA+#3W2gRt@{X1%HU6FVSDU&X6UG5% z?7Tew;vk*U)Y3@Vyj7%;-7!+3i7G)d(sX!jK^Asd1(GPxSBNrRyc{$GlIqv5^4I3y z*kMBLV^1(r1|_OKJUOmDL(jrwkf*{T={6rIobyO9)6EFuCPgV3PGqxa3aan07gGjC5;3>*W zKXi<7?v$V-iqT1hWlk#;iY@akD1=8YW+XfVW8OqGPxmY?GyBi@f`gLYxdA)nn|}m! zC)|nvJw`WQH?Ow=;B1urcpK&JsRv8>mMCfn_!%?GEH zWw$JcrDC~m*Y&D|5;vk8J<}^3v1(`Bn~`2g0Ix#ZP{#$XZC3^56|#& z?;lvTD~0a$cz+`nGtHHS^WnXICxYRY-R&dif(&@ayYfP4H;L=8)u{34qv?0!<^D>s z0<5fi$Lx)92~D{_h?rfCn`N9ISs33IjZ=I{uKAE16b7n!+b%cY*xyINn{G3Be;sY8 z0U{?kkDo{wwhoKgbF6j0a_)03U0cm^j`^@NT|odhN;nWH80_609mj)OcYNGV+p+DB zd4bKm>2pz^s#4u6T^^5{YHgOt2R9kpfatC6?g>*qjpwIB0FTtK=0tYigZxWGb~o<} zrGH->UQf)>JL_iq zeI7tM>)I>qao=RM_C;sAOW(!-ubhr!$V+>N>{nNen&weLOwG(8r|WH`(NizF=ly9! 
zbXUm0?6i*quwnE_Bsa8p4jrbL*3un84^1FviSs(eF3Jw zzyW`O(!;=OV{cTTzX`#`*UlSI|Gu4N+9~!=LQGFL(A(mZ{XO)U&qaLBS=mrA?$7q) zc4rO1J&UUY+t*8dzM;#o0q6E!cG?eI?nGKYrdU?^GGFK*N@7zuy{k4J;XZH9Z(K?4 z$0=Hvuz*3hJ4)grsCn~QWFpNPjDj=BBt`7Vl4nvOEV~Y9`cFvWKBxUr4jPI>=bz!O z{ij~4JUPsY-~mpnn1&tJJGW5}l+ow>?L#c!L?@Ok3zz8jtl^kq@;ADYnQyN0d(K5_ zC0MjK0rbWC+U3<{DyXugFkb%-I=fXsKM>Mx<}j;&8q4AgqS9^$q6p_3g>Yp~U}C3J zijYRm8_0kEJ*NfjlhZ8CMG>nZ+`C4BC=1dUl!>;)-w45tJHRSj$b^ur|HJ+p)_iY0 zef7Lf#=JaGWNbXXSLrXczoQtF}qH=`=_R?9sB_Qn0{$3IJz`TbmGX*4J-4Oovx z!gkbBfAYliZ2HGDd$6k!R*MZ5h&6MQh$P$CA9&?I-Ps1E1gXc2$&gWY8Ht{y0;(56 zIR8)xO*&y^8kf5lvut*mKC#NG=gPbZJf=Z=m#la<^3U$t+uB>q^ zOiqE6%akUc2l#|LhrlL0{ep??^kr9TDD{TNC)uII1{(ysZiXvR9@)2X$kqHMb=53J z#h`I1i4!`z=Xjxt!f?d-e%}cQu-o%aT?<7Y4HPV_RYmgq*x>l1wMM3EObBL6i6@-y#xHCDiy7O7YfnLVXa5icxqAq>&U`)Z%GGAYQVW15KLSgC*6h-dVOVSS3GpmxC)1>?| zfeVcWh+Ud#mGZnI21ee*4jL|uY4)wsbCry{GPy}(;>uNO$D_J6{(cN<`@XaL!O+{NWBq2O^3*hIodRJlSV~G&zb_C_NW%7VC}? zF*nsZ)QElKEYoUnoaUPSpYh6o&*)DAR|wphe+Fz1z61c#(D88HKAx}n(1iDtQ7B+e ztX>fBO_^DMezqx-Ai99hlo{z)R^%5xR#+Q)m; zNv^8(+2_0C_%J>N&tpQVU>>nkk3X*|n%gWiA^OkhT#o4aMoc!(d1Hy&cHH)nS*T03 z_Tk)NGjR1>&c<^-(CgaQ{`4v1_RFD0>aP<)yZh+ia}Jh|7A3((%{dEFc2>1#)IsPc(+pV`GHm5qHp zN|z(8^L67nq*QXzxbSt3`!7rHb@Xj%{d%*fKg28B=l=I_Ch)XtfZ{f}MK5Osa8)Tp ze=09$)ALm{>`RCN=-8VwLxN_=)HSg>c+diLEI?KiOO~+9>9`Hy^kikeQ9KkxY^i@X zaRZ&c8kQ89d0V#l+L1)od1qSFwTkL)<0$azUMeGR=i->BR?qKU*uR`NpAk3BZwym6 zUo*+HR`v%;Hl2LyK1mjtuRNXprdY*nlE}#N8a&JKeHA(f=*?8Wj}}-FXmfJvetvLQ z_o9Cec-v)3(QjNnSA1iB`*qtpR;{2BcN!vFc9eL#4?ctY@ep73Lm7U?pie$?FTiII zIE+8_iI664kO{z^t{=?U3*$tLdr)!x< z=hJfczImPA^tt=&Sq=1X>_?1m>AYD%zSgxr)or*gyUx-)Z2dnL7_tU9?ffLMh{3Czu_1u;vs3iBRoQ%w~{+LWP? 
zVhB+lTUTwtD0>i7r*O@=c#e&wAqY}-thTWso!^u$g@0uI%XS$FnFW~aJ4AR3eywqW zS3Ti!aQ(6LRY^%2T)X`5*o~#lW|{7mWUb0N0TiNKX!*;uSNf0 zJ3zuXhuP&g$lYk2jL&3sSuu<7uAs$u5sVEN@3US;g^zbWm;TM*>99~|bXGEuxt z!{)~(p!4-6XG5ImRamlRo|Vv#>t#l*kcIn<#WB}%mMAUD`LlkRdXaD_7^z>HMQMa% zm<1(TuuipYgLyKXK<*~J&>uuNxDB?@RSCX|#n>{B{BU*z z%H$Axxhy3e_kjEk3jkwDkNO(~nTd`^VRGTlwkXF=m5hv!MW-&(RfPm@Z;_wiV9m1V zsE9H63HnT5Fu+7Dosq-R3Yib$!sD8gQkDygdNC~5T^_unOSYK7q)jq2QW>H*NVFUQ zu>k!Ckw>Qzy5jF`aRl)UT4n|8TCOD+;-J5n@xZAsKHYM@X#mPW&joOPQXZa=ti5?% z!jnzTsXk<0b3F_-AwWkKo+O|D&b)6q0dGS{W?Mk%GW$fGt`gG(_3w(qJ19aBxJWtF zMDBvjjqnLF$wJ=+c{o?F-{?_6r{H4m@6?kq;$Ts>Q}NS0)HW2=nmycPGsu69f)zA0 z^~z4c3yjOg8hmg8y#qmq#RJQpsp|3_#qk6Al0^oK4d%K?qWh`6KFDkd)&%BJJYp%U z0X8U4Fs|a+{$~=EE3$_Rol4Rafj>*2iWHaFn3CzA_d!mb89PmW_-N3_g!&NHyq<78 zXoplrN^lg3kQV6+SfmPQdB$C-dn%}keNf`b(TOWfsAi~oWcm$5JJ-Yh?yRz(C&r@7AI=34Q zZpiQT2YAoh=i85`nN~|JOKla+hhCwVx5N&bUKM(+9k?K68P`uwSrk4W-(GfONa&=2 z;9B9&?ZY~P&shmY!SSWnp#D-`QAG7==l#cY3b#Y@!`-@6j`HSRGB|-R`O4W!DDdU& z*R>V5ZRbOgoc2@a4uQ|g#;>U^!@+s>F8wMSd_Bh|62-1@0*&*Sz|}P3#)%Qxk|u16@%yn2LN7TNmbTQit%Zk4BptC0~u}sy%pcP^!Zz02j=!aKw{ZQ z7$+YGP(t<-Q4a47>F?_{jw5grum`013Y5lkC6Q2K998<3)VuqAK8KPSlQ#ZHDC3)L~>j^8Ry!(Z5UmM8PgZHW&|Iq1*hqv7QWa za_O;HxJwGM6d*)o@d_w_Pbi>P`~6`|WYv=9j!9iSi({Gp_cy)xkyKo!8jD;^xDJ3? zd;mrdFY#{QyFTp%%$Hcnh{iz#Mygrd5PKoSi=HM14RSKsnAI;x+i>9_yzJv& z44moORJ6EEHrKQ#=1lEF98!ekuN2P7f{UjCC#!7!xUP|42U6)6W^6Trf=41wO2b#= zp(Pm)eGhwyijINrsaM0x;8BrM-`JM{N-N=NNhSAyZ)YB|Y1{~eMZ zpsO&LkqOLfY$s>_ixQ$kh@y%-ZvF$sF({(79|Ug! 
zvaR&&CdhRTjD5&SU?Y2mgOP z)FCon=-NJ$K}!O4q6}pJF^RTO8Wx4Z;AX^B&M`xZ(E&+W(sWZRp$w07t_+(lo%CbFea?}|K982N z6R9Z!N}lpLHAqJ;T>~&j{bb&!6i+pA-}t8*J{+9YJYKLGlH44!Dh`ImSO{AWuI-DSTfboR)($B+5%T&;TN>j(?pn{R&1#1+JjDY&A-O zLSZHtB^TBO+p0t(YgU4zboos&I0$R1+9go&N8CJpx|LEq4#i6)P3?YJo6wRc8FN}o zud>BjcyX2a{~ISg`u`xJ>HNL|g=QW;x7~hspYZLeR&Z^10OgSaj5q=kW|mKZfu9M$ z*zKP0pOOb0Ftguozm?S^gAM?E!zugjgqSCoT5+C~S!%nDCt+Lj8F#ULDZEz#-MH`n ztRZpx^S+m|q}g~gP<0_fu_3QxJ1X`pN0+CIRjK;N`zcfnxA`f2%dT;`+D@lqMF(1k z{*j^cu$Q&s`pY=j=saQr&AMf@{^73cOR47LE9e%*Y}*Fk^S&~4a}Kf#e%kwOCu8~L zQk3G$U?`27&+!csj;GeY`8Ho`%uE|->3)oo6}7!_-xbX6bCWz7xGCprS#UdF6f>Q5 z`(~t-81tvn^X87hHlnj$!g+%CRP59zu%YI=vErN!XxuZt^>PrtF4yi$_nH29&EY;f z{k-AwKJhh8-!Mr0%%HGuj`2C0jl)yk{W?F{oDL4G7c{Nuw64Ih)i_Hxnp(TvoSc52 zewA}QgumEq_mcX2uHn187+oA<%aLH8)-XRlR^vK9Dv?@-pI-UPeeP4^9KPD&+W&EL zJ8fs^rs*FML$vH|J4N)dmr?!3dH=5ugSP2uu&ZCy%dM+o`j2bL`BOTHK6K`8w)Y(! zVrkEQ{-E!3hRD|HDwjh7yPDqX>@uJ&&2?DRDSE?T7Gr(PrvzV)0Jz54(&_ejRN*G) zWz2KBM&S#*-Pl5wD(K;K9_71M@V$*JI^KFMiOSyab~|YhN$GIw5ki6AIdeD)ulmst zKYr!aZ`6jhW)uOO?t zu6$BI?3%?X5IN@c*gCkanBE2;p7%Z1%=7)ZN@6DP{rs=C{@?dvg@HP?_wXY$xLV+d zrqz}QYFsMUUDK!7+uRpl6hS6%;@!wuPT)=#Hp3I@{+w^@<3$eVT0cuwrhGUbokjo+ zRH!W(b}l_8+Fj6!5UVwpxJ%GiU#-5Jn>rCyzuB%a!IMoW_))iHqontTNt&)j?hs{l zFTdu)`LC{@>)>bw+!DR$q|7F9<^SL*UXN;btyCR$2DmoqL`;1I7jVECLSxf@CQS&v z<^JGs9uoh_zgC8&u@au;smihZ8F14!H#F0|>Ce6Zjiy|$X#C6%`qmTg6 z#REn7SRCP%>Zb4}fuFPW23VpS`ecP8#+8QT89O_bG%U5sR4G*=BrQsmv7T}?s^^|8 zF8U!2ScI-(X?DkaoqrQ6t>cr&<1?0H4e8|ij7Du04?%2V6sU2cnN}}K$5lHub@~la z36j=&W3MCUpwwePI!@%W1|~JV7N}({7efx8R7lfmmgvYNic*V{V$xNKQyMCisZUn> z%Tnllw+Tif z3%$mshTFCN%{>(a3*jd!66wM$H0@l>JIcQZ&tM`!7rj&ODx8EnEORFB7-aT?M-=S) zbSYWoo;Y0whUb?RhNYk433hNj#Beg?u^3qv<}&r^PX!h8CBuqLTUf$%$ShT*k(GQV z0nsR7G0CQhavfYPmQq=s0mJ5vgQ!ID!T#divB|s~*cE`&Cp%e=-9itG#!k=G)D86c z|G3vlK;i2tkmTtCR^xJ1gd7eg1RqwRYf?7Yr-h6&i-qndO&xi21!?7;@zTgD)+pGi zr8bmJjlbE9J>fu^yy2)JtQ`n4ULd4XtQ?Wd)&g~4^UA2ofHty<UvQMn%~t)NP5Sh!-!CXNh2xLRRFWk7Qh5Bt>(?HO`|3bU$b;U2WrK`A9^)22Dw 
zG#7rj^4wGPcQXHfykjCJcgKHiuHFA*3g?3A8}*%PAi8}eevtfv2`s7F;U9sR@umFt zi^$qi%GVLZ8M$%YZKHP>^4e?V|7LwR%x%l>HOlY=`jOr;U^$4fgIn=-$zeAGmDRqV zl2|#Cuda2~3ex;&)z@?A^B=S6c!Xz&xGWW_vz~q~W32 z`h2WRyKvZ0Vpe~<-kv{Cqozrb2V{5*_}<*8^S_#Bnea7xC(g9mwm*-C4SWTE_9oKl zwp_d8!g=bD9oAjM@d>l+f;{dB^lk@W3!;DDy)k)s!`ty zG`f+X>#7giUh*+F6aR$oau`2#zN+&Upi9uaW;;mJ={02QQy&C|N;5vQn0dEWUA+b# z%yYLwY&#VhsoJ!5q0X=Wag1MoYP;BWqdrFSc`(Jp*J*xO(v-mO>sZue#%nkA!j13H zK&{K`2z9)I%kKjysAJQ7?%i6tip^Zzu1^AXI#uZNYovP~pr{l2?ABE2`>e^>49$9n zciBa*tXQUTzQ1bo6{w%kRB7xFMOS@4ASBTDyrZ^0i@0=4o4DdT2~9i`@5KaOV!7Tp zFMVN6mYRkiOj#;9OPyzdRs5bArV&2qpQqxU6&{k71r4q0RWA{e?Wr9eix{3)LFuA8 zZRu_}4kKBY@>yOpcR>XFPm{U*TZDFyRG~6 z%lkc?ksa@?Eqwn^8tRf?e-(5Te9XT*KbFoF+_c-in5qw&IU4f4cA=9`OeF4?#7H|% z;faB!nj{DTuxYbsPk6EK4H*m{%gM%k0Ou98^nPz^cLZGRtq1{(Ppz90VMPpyDOUaR zLj~yBLxyFT7iJ}5h-Y$&$k5d6U`DIg&iA}?OWm?bOb3RG$(7>7O7$wpnW&I6oCebO zpS$zfzE9Yzo+auuQ#RR9Lq)zRI!2(y2H~-uG0tEc`(wnTCCep*=EcMf)rRBdEi&S< z;Cg3M{u>OSEMS$kLfCbQ!gChLlaS}Br)WSEV$zcRej#-^9qK@yzxG`jOF@ZiV}#kl zP2&QrpnJ-7SWamG2a*(pir2r9*=6H#G*V_6*WO+V*OeI%d>=rs%lNb5yHM#kxmPB| zD|j11eoXA^#e47^4nFEp9IzPfwkKPE+i?JL5xzsmRHu=LlYkoDc^W&AWlwa4NrQle zd&PSGahFTiWwd*q7A)tqIBCcVhA(s`JBHa>To8pmB$f&-2bBa9`(i(3=5hTrmbP-%NA%z6F0QqLi zm`N7WnzV&Eq;SW-%BI1|nqHEohR@dv4 z`sP;)%_p<(+Qim}S?4S0*`YN_{559(J0yi5!uozsK45fqc+zdfc*-`cUPqDUIvFb& zHAjf-R>~C#COr$oCM;!1*+fsd&Sm=Q`^&JzD`$taOwa(^D%Rukze;BVTGkR$iinlH zvP2xzCg*-J?}jOM<^~zP^oX~RjK<%i{ZJvrvBWsoA+!eqnzHw8sBz2?IA#mQn31b8 zoOq}li-3Fw?@Wnc@DK)y6P<;{*~aLd7A)wR&QD4?BP{`EB<=cT=7RC+nV9<6l=3tY`K5cqmH-Yd zaBwCBxd0ajG;-WXC9UGeiqf<{gF%_u1spH-hE2P-@3FNlv{pRuWl zs98auE51r#!8ZVt&35(z$pY?&pU%HKN-EeexP{gZ3LDoexf=eEcEEi92p^M(8b-@U8##nh4ix> zvf7Iet`RL@M0S2Rp~f!bOnFr;5LR=Bw=wb5;fAVK{VA@|t}_o~9}}cQO>Z^QoFVrs zZpV*mUi>3-A#@LhCD~XcX+k)(GG97i>o0`23O<-mATjSu?myEKw4?YxnVBkg-hJl7 z762A<8n-mba5$mdmk`RuAmmkZc*wr_=43R82FW^smR07BY9T~Bj&tX^^kAp&>E^<% z-H5~1EsXRCj9d)$Ld2(VKXKx{EaA+`0N>-VF+u^RTk=s|O*kM~xSw|>YOQd2sW zSIT26t$eXToQg2yd7EtKnrv487Q&nV|8X45ZSZ{vQv#Gy3A)ROV0fKki0a(V_zFoG 
z1V|~7g2n4ofS^DWUy}3<3+v4~Ez5_JunJI?qpO@s6kINeW(0#}d}tGP19fs4DDj*}7NzRCW|6|Y+5R@-{7_fr`$EAC{Kv2DIfadR z!Fcx)jjLVmHKpl#t?qL1cm~z(AbNOTc1gkS=Ds&|<-WZx9fz6DsH_E;v|-hCqCP}O_df1B>5HJX+-hoe{EV8ZQF?p+I%z?H^EzrZp_#>h+u-&w(Qib*EdJ@W zBmBE)imGDJ=54vniY>GAv^KBN{bJE34B=}vLcIxKY$*eUmx_j1j>! zQC{AEIZsA0I|wDJsvBZ z`AmTvUXdM5YsWTrANpQi-G|z`Z96co$d^Kdwl~{HLl#y9uRY*xm`hKf#!nCms7oJ| zqE$Qh;oDhsBl})-XrXv5Tn1W96d?Q{n76@gHqPDE}g=v-MD+_3XkUf*MfTH%{l^LTf|l5nyWg zCLP$IhjeR<;o9JJp}WNv7QkW&5^U;=nF}o05r&1jmg~iTDpVR{^}us99sdB#h4(5p zY0bc(D^a>#^epddm4wcR&i(ktN}0PltXTk)K!?+kE)j?>+FKLHDv^udOZ8}JE~8$@ zQ#F`uwPU9My=xgYX;PynNg*aM(bL~E548ckVOX#n*{V5T$@=h9$nHcZxGo$&4zK=o z&xZ{WmviOe|^#wzoL)dX%=H9(BrKIdfK@^Mtb&3NQfxIDS>9(AV5*pnUaLxGFp(jdu z;~m4D3%M)+xs(zWy#t?F;DwLMxBs=p4{FP+}dKQ-3etEB2@-H9rg78D7#d;GiY zsrr8&zQoyzh5YfJ_ls{r@zQtq|58$OAn|>3s`x**!}GgpH;{3m#)Fe^FL7IguwtRq z*d1_swcJv*+OD&-v(RE*B_~#j;!L#UQ>TG!6iN6k1njMUMU0+@E02B(|9urxw8B8o zW5pxUke5i)5}qI(0BYXLIu!SO#3)&Jo)(bg=vhc)FB*vpa8Z&%^2j>rFvU-n^(mrW z&LdM0d&te2yfT)u=KqValcb@6jVD;L#ei#%-dP~ufJ<#ev|I3-LAU7LDU~f4g6{!l z?ayh}Xq|?`(;b9c7bkFumOvKnwJwc4Xz8T>$yA`tt~84260?oZI!;@l*tAF*DP^4B1h`1CODjpszJqTW2xGr) zS$)B`?0vx(j$HR0`03B$MyCq?scPR`rHqS^oWzm530u(GJBZa6%ZQ$!{XNU6&a@BRqnU*jb;wyR2By#F=a}q7br@;!N+xz2@GN0$ zFI2yJ4Sl9^>ECI)oagO))dJew5?<178+mZ>x2z{|OtTn`pLw&TK?b&YOvD?!p$%KtwkkH{7<6s ztXTz^FCb9r1$k=H${J^b?i`UAQeu+{F0B)S`ga3j4W1PT1wq2q-o}y%K}k$yY~Y}M z<&34c8F|#316Pn^;6B}n;B5Mxa?9wJ&q&3j9Q;{vmJW)isDO2Ttih{8=*^jWMM!B* zQh3gQ1zzmGSHg%pYEJX1DviNylgM1O&96tv6 z=dRM9x>bYuJl{IQ*NuBCHt3xTCSdqCMcr&~tR{KQQ-lP z#n??3f2p_l+P@Tx3>|gY@6k2!cCGeC%KLuoli(8AL)yKFd6IwL4;7hpIn5IU>-}z) z>U4NCcHQ=bF#ra_pRr z8u)2zY%fykvuLp_c%JLppo%#UZE2Sr1POGXs7Q?}GbiU^y<9w=GoDlu-y|`6VuL^Cd{pCd4W$RZ{LW7V|#~GheLom!nZ$Y`o zy+c}h(*i~j-h%_9#%>rmP~Wk`vvJFFC_Ojvu$9L(A#U45YXY! zF~QH_@EBDE82qr$;T{2Z;dNTlHDz2jJc}7Ailk#MyXfMrn>>k*1Z*IU>(+|KyY18! 
z)PK0X%87&R|cQZ~0#lPo*kd~d^LG**{H(8ys(!=WS_OIX1`G3cU z8H#^p9hl3Y+#ockFdE04fDJJL z?rgUF;qn+F^vm0-j=^)RX0vVX;L*4cIaq@%|By9vmolK}_4rNH4p7c^;<&4C2u%|m64f^^2U z7&C!A4}{|fB^8qdraT-S*fdRNJW0)th~sP$tkdNxvN6bcxw>jqDFc_zzfqQItmhm! zvqNZ&$;f{hgVo{#1x_qP6kM58QU0cPbM47w15<&KXANj_+GwiT5hdW&SFJU9z!q{! z`{#B;FZ^GG+1@oI5EYpc;gv@AFR?+cU8I zK?;*iuzHg6tb&z7a)2a3wB6GvKpRX$3WtLT6 zjgd#d-%dsLu$6YzWSF)QHpbnTuwm1i?`4Ou&2!dRp*^HTfuxZpJe~d`Ua8Lhg##+a zO$V+N4+($Jivy-0RNW-R(f|4}f};(74<>aaPaD)ST@ISArx4p9+Gkl1^9z^#vW!`U z^iLzG;v{2yRI4Pu|7ktofM=mdJ+AEj$Fh_WhXy4@Ye}+; zQlB6V?>U@E>lWet8%GX`N9)KpCH*TLy4lM6F*bUMdbn8vY`7oB)NDUq97>Dc2GjzW zUvdHU_zf_Nd&XMI%H+B=+Au({^pjn?xk=^=p8t+JU(fCza`Z8u%-*1<|GVwd@V9w2 ze`Tmbm9OV{y5scwe20B+3EjZ137sr4gwcW~Ji)i-eE}W>UWSp5>{pyg?z#szmvrot z0atpjcIVmJ+I31evEHba_%(8u6@PRqse?#1-Qtig~le<)@C1xP|M54UJP+|f3(D%PWN=Se&ULW{Gc&#&+_=$f~R=WbFd zDLq{SC%tnL|KuF~%+_fzPFycdb9cBx9{GMJk%qT%3s(D%8I#xUDC2*&1`Xe#v-nxND z0aNgC=|+ihjG( z3(wuWC}Fe5p;Z;(JzF5g$;C5Nb{;~@hd;?CKWX|Fm(z@_+Ov6s73If0B8unK`t9Kx z0nrvc=%zsT=-py0L(QY9X(ZwSFxYJIJWfZu2Oko2>SY_U~-eL>5VHg~FT>Lw-5GdrnRM@#iZ&0ko35r!6 zX^uuL@$vpvOj3n+)@1TvvZ+-9@h7#ddq=Byn}nx9kU z%*h>KyChzv1l=~MM5Aq%ib7)eACYq$;&-R{eH%*|L1$r`0(V}k9j9Ei;F??@5GzOV zxCkmAtAH|gZ^kRNYT#K*j(yY!w_GWCMLxegJ#}W?(54#`8>W=>jfC6^vtS%a!b+7C z_OD_|Fcc;Ch@Nyuj$#BAX%-HGc4;;x_!?De;c|bnQ~SbM{s_?pc}F#n?)6+ieU(Fj z$Rj1Sk_d0vpu!>V1nVR@X}iOA1ylr~k&a3wBYP;qX=X;$ywqQ26f9i8Mwa|iFFKGG zN5JGFdg}UO&$L4D<23|hwlfai5JAgio}lu~x-7jy6$us(h1OzmmU5>7;@8#Tn{!d2 zLWP_D(O|s=2rTL&~gm5VCh3eAA zmDPUMpm@tfusa1FWqiXwAY!a?(<+BTHW`@e_5V|$HHqeKBqG-R?St)8n4$PZquTO) zOUPQ}@4)-K!;bHZJo)p@%aqUt;B$xnUFZQcgR4*@Q$m>@>VDHoAM%ZHl$+yUAN+DC zEbn6ATZUl!8Ion!raZdrKnM@vZ)@o3Hy-gaO{o39zY&Z(G=@(1cpEIG7pfmX;9vUZ?XO5W0 z8!a_W);4Pwh5%#iZ=Y864Dd`yXt)1WqNFTwW4t(OD8-jD0yMJmQ<(G0jZFziM&JZs zHW!i?J*e3C=Z{{%ZCt4cQlSp3)@R<;vHgA7Fa(wgiE7dx!2ZHgmXb*c)~Jf`&w7j2 z8*c0z^*x^Y5DyvNZ+apOGd5D2{xJeE@o$&(rQoBBuZgf1B@Aw*gi(WEpA3quG@Ikk zKm<`fBnwOVv0%#m@|CM9ebsV&AHr#QJltRi9{|ptIoB#D?B|D5g3z0S4g<6<%F$b5 
z4K}WEDi^9*&uaBZk(Em6Mz*Ym`QX_>e=;2+UG!ksjTY`VM>_A}M)%FeJ*BKb!7@eC zH5d9r=QV?g3d9(&L@O&r{b7wzLt@4_X=Bd|6^)a~xQH#e2pk)sq6pI_ zHN1ZSJ|L53TNd0k!G$Rr+Zadk#=lYGI7g%y5x0WnZ?CN5LrM!FM34rJXl_V&5eE** zy#rEdVK;p$j0$g!M9-g$qLHM`5(pGYYP|fXVI?Ax5Am@}2j%UE$!?<+`+Gm}MJO9> zll9EPdxfwA+5pN>lZv9LWKnLwTnT$J4KI+Q;9q+{M|;a!wYuRoc% zL$$T;xPf}QwmMYTJMY!j=lOg{QZgg(y{{C9kgjk^;$YyT={j9uuYBHbys~9}ljM6l z1z#++s<7pz$aGw{WPakiFVvj) z{~RL@A4ppFX?VLjX^q6SZGN~-TFPDAx=NprPj&6Fz8HsJTzmPF-l3}JQJ*26#(rK~ zvP!T0b9Mrb*U!iFf}_mFN$J&sv=g&SCeNgl`_rN5)}^ZI{>~*{%&v#)u5n%WjBvWo z)gpP5nte%^Kg#)Q4(gwM^?iC?Z>#E)(p?Q_;R6L(fApN>-~4Z$w{I>no~=4?8O9h~ zZ@AC!crJ2_4&Nu=^Pt8%|Ft<@1~m*Yh&_2Prr3FVD$PH$F1P>UIdvYZipxe!m&VdwKM*X zvxxJ6u zVWA|Z$%+-0E8ASGcDXts&KxbxWTOHz z!mTDXyZ|Mar@GW<0&38m2wW0nLZvMVaz{QVE{oLW;hWJfhk5=WOxZjpVQU zK~au8N~SuQr`LlJx&~}`XK^+CZ`jn>tU~B?NSZ{jDskqk<@@zwbx3h~z8Y|lUTAKT zC_kO;@S?Gmq66b3Q!fthnG_h%a190XyJQJN;kvR9N%lcx{exqB63JT3@9VyU{CptI z;53`(CkcLweXL*_vV)#pj6#ao<2(q{vC96p7A1br@6DF%soQv7M?}j2;jU1Wp z0V!F3Sq1V{}e4b6})1~qr?G3v$)>`uS;%{4Ss{?{DRVhB|jC+ za-?+`??18p$pC8;oD_H(Qs12{t(t7CJH<}dgP}~KEQj9D7ee}*=iFQ{5y;uOc9bTl zQV9!|VMJc@`!dcTetVc&1R*gQ@LV~#EUHrgY08^t{I`|QJTy@#I6_K5ks4K^Oi@YY zdp|9m(M~*bajp=z0J9dKs+?$z2$daYwi;U;&=j03`;fk^-Oh1dJpNPiF)%SfwH5wnCNNW6c#KP>OxqDR*^;}hE}rRGocE=Nlo5LdYxVGKrXz?mk@;Y4{*l7mzGTe)By7=R%as26YcgZgKIw4wE}`UtV& z!XR?4++`$hsMIgnEg85t0R-FIoO5FO3*d3SIyOQEAZ6z4U*;b{Vq_vb^dlqHb})5O zem?i16*$gQGqFC84)W&2$L4aNqlO-)m{Z3r1|^U6cmENVVA9GxG!wfB1GlvhRou9w z>TSiasTp0A;RV!kaV>8Siy4z@g*ha@C6blnmkBD`)ZX0x9fSveLqN}uwjg;>PbkAz ziL&g=lqa&4{7+e&p(JvbwffgtMqSE$elsG(p?g?A{9qq_-#D8e&Ae{s z7@o2~ogcUn#J_GJK38tqeBLCXWetAf$r#{%@FyO{Z4KzZE;KaZ_wc)b3c~XqE;6-G zOFkX$CE35uX!n+2CJeL!wIS0m%bN%9+j2hGJKPez={@V3b{DNKu>Tnl;m zCzdi-4sz(Ov|lo`ftgJ39oPBmecUqKC+ga?jt9yk;nZVS&&z5IldJcBB%533F_=$$ z;k=fgKcD#9T0u+>E1}xFZkruuKp%%);b=a#vwvgyomlM-3(~GSPPkX)eQF!Fq53Fk zI`^2eRfWb0Pj`{bnBI*K zI}@%G9+SRbO=2$-&YgetOQ-AM1S$tO?f+GrnLu?pumX- z+nu1z4@~}>!xh}i!gj~rEWqZGwm!%=8U)h(e8G9(zs7twEB(A{!v}t^Fi~^JDWG#*3zOQ41S5zNBx62sq99_=1U2j@ 
zjN!0N3vGzdpTGCFx{~sST?EBpWPeWni=Wz~6$N6nE6|Fz2C{@S;5s>LD5p&*K{&#Y zF&gmi;YLYG=gOJ&bak0isaC3mDRj(1M$Ya-jqUEM+leF;Y1z%hV&>1-%>W`PYzLmt zZ7^Uot1lQdq-SZQ%G6TYr%CzIr9mH9j51*_LLKUdU5iO5`~R+r($2S*Qmq^Rh;I0> z36E{?ttlc|Q4VdR@wv!&?I(WAo-2(QN>8hboMxKONiC7_n^MHiS(TX~`^J*S+dwmX z^GZptLIT%Bkzz=$Hc6IF3ZKi8cB+)YVdkO6Oz4DOJ!U4`#a=udkDU|E++Z!vWXCZi zBj-xNP!Cxfhn^utz32pu1|x$5K*qs!5|6#oLejRvf}E}zyFs#KbNIe7@urFsq-9qW z(1V}<-69A>z@H#BIuIhTY3{}pQgvUfp+8JisTfCNvo_SY=JIidm=vlZKQ2LrDLfyd zAjTFEHG7{lBUK^^g^34z_b0uKfmknQq$w(rs&qq3O%#g5FG+MQ3l%!tJXy6r^{p_Z z^VL+fdcrh^#%!fvOq|K-EU_{zdm{nV@x5l@(Y{lH%q71i=`_;cpV0lCu2;gqs0!nm z1VbI%8yA)00Y4IHW!Q&vP(pcCwi&Ym4D^iGG6x~Nb&mu6tLc#9Npwyk*ZL^6<$!;e zDTSjZ1Qga&6Cz-9#B0%M^yCZ1I0vj2;?pI^w9IJHdmQxd(G8GZ1e$i(0xG4=q~nFr z&O{Y|V;!0g-9m6NSlF}Z;T$3rz8CQe`#9gk2g+ zoaiBHiJ9_aiGM{ON(v-{_O*&2HqS0Pjqh-uCO?sE9?g?7w7$Pvw=fXzRMiunLbd#8 zu5L=5x`5J5W`v!&@aXp7Rbh?9QZEn>ELN1Zm*iAk} zWAzFP<)-2h46GKmV__(+6l3ng!uxJAXl=G3WSa~n*`0laEbQNG!&#;9u*?lD&jgac@ r_q9?4Hmj$o!;E4E$7~EE? zsZ6;jSD^b z(~y4s_5vh;3F%*|VVe=iqyN6(Co6HNxM`x7y?B1MfxNjVyw2FPqgAg~vrUltp0EL2tX4f*m!sQ|CL0!$g} zsKA=De6W|%k`irh+(9ldTs(FeUL24czm2Y5+U+egj8l@MO50T0k{zj-nK(XYB7`YS zSCI>o9_EgG@U%)YD+RNn_9vzYi1c&C=LaNXhdby&uSIqZfK>(V|;nKCX3oJ|cO5q#Q*HE7~O z=e$I0=Mt*Pl->0I9Uyq4p3@h^>QA%ZSw)MW&hVRoSHd3}pxCRfPpCkJ1c~kEr4kTP z_g5^!&-dE{Kjpt}MnAbs{s}DL+>mhfUL_^4mFpjkA-hu+^r+gX99N z9G}Z2$`psRtp4sJKUEi1y6@T*0yp5JkFfJBM)3BAdxD$ZZr%j;@G2zxK69e*9n>&;>iB`eLld`(sszxrC+(a?=vE-aDU$N`Rp$jeQ|d2iP<=f z(w9e#Wjy7t<+!bTYh1JJi13}Do2z;~pnAH@_!RzRzZ!SH9aMLKvUM3B3a@-U*8;V? 
zW}WIa@%wt59iV=O*?wF$v|re?pDQt3+FMY(u+$#&MOV~eIIahUSGr8v0%8ZJE~?dJ zt-zMh=<0ulnQDX;r~Lja%W99%Por>1xNF@4W@zo#bp z&gFAoWyGQqPXHcLv1NU3rUe@wc)yB)>gE;>4WN5fPn^~lY(G4@-Gg7Me zu-dj<3*A{?b*^65{Nftz%`eMMAkRVO)>C-ZR?9ki@cZ5?i1rIA_SS{0uLJ^@`*QdV zz5Ku0{m4>=L1FoiP&%N#B<%cSv~8i5K%a?MLQ=Ko*^jMT{?1oIdj~v`fFc&Roikrz zhd+<;=AHP0uqa z;LU+uG0$)qR4}SvmtiQ2)3HKAi!seLs!Zdd!->{&=@C%Cwe$!CsiV_Y@B-LGg%syB zHD(}^n=I)gSUJQA#?04_-)f*Q6I2*7oD&<%)#5Y=t=SBa^GEILHyPASIC<&KNZ^La z*Rs)Fc==)AJ5mu+Gse8^0>_`c0Vsz|!oZ=XIC4QD4V-$D!o)Fe+)$ zGmdCKxB-!PP;I_@Gj7RI6H5+Z7|5|+jo1XBYs2f|?6g39c|oy4v}{gW6tB|2bHJr530atVSs{$m8_FcnVrcuc0Gt(=^)Y}P$V zI;%Dqd)6kTj9!raEJSAu<%R`m+s*U)ENWtq^0)y(1EOq5r6&JyF{gW~FL#lGuTuo6 z(za`K;uB(#%~_PmHOG>%aF3*1GNepblKaspn~id=jcZr9aHN8EFoWX7ds{8p&gn6~ z?Rfwvlfo2Bv0b^|_kWS)P{y4mu>U$hiX`K*CpD7IgpU`4wFzlJgiLHJAY@r!XLR zF?!V(qUDv_dsIhy164Zr5!!rA^{xXxEd*feK)7=l_t_f_q~p;hUNTs)a7@4M4FzVr zFkP~ zUyhX!U;KNbkRDUj_LyyKfVSwmwH#gr;XcUNI8Ib)s+x@r3w~Jx!cP-BdUpp}WjJSD z!M=Xps4bl@`G@MJvNvjztOikBX;yuDR0^zkNj+tR5UvxoLKV8S3lvoi%CJ3MCR>Xo z0wRPco1hVgHb`XsA?HIrd#8Wb^7no7(8hn0j%mJnq6g%PPp zD>&*D`tw@&+I%bgT#nxMN{;?>Q_}isBq~-MrJoNbFi-=9WK49wFkFWL-`J~jmS5XH zi}bV8^i@H5UV0#97o|X3U68Q2el2LN_a1ySy27J;RDzBTyZ*L1wK`X5s%H>KBks4N zq_D0MP4utUB@tRA2Gc}>$u{q0QBwLc?LZiRR3w}^d$0V05Wy0@Va52gKYkeSYJ+jc z6HLu+4Q%c}1{!+gzr}NOCGZ83#<3$rGGwm_i>xCu;}R|zYC2NDYQX#z`!}>OYUH^% zR!Vx@%>2`t{aR>AVEG&`eHOl&OdCD|9ln7K%$0x}t)>`PPqs~-h_;N{?mlU>no#yu zrVg@J5^ksxM|r{yGI@b<=V(4_XW!8m8RQ(ow_W+d@RC0>eL# zwv03QgW|K13=Z+*55)xdaQuYhNRdI{A8~qP6`~(y4%|Vb5^DW(O6*I}q9ZfR%FcYs zj4Tks{~h!tNu$WRfHzW-iNW z>OHijb$|!m^7(r2qdwnQxxAc7nbCjjet}d>vTaA(U5_W#ZN@$hzJKoN(=~eB#7+<# zn31aM*}sU(X>#3daw1M9r%dVd^X>mNnp~l&lfA>+{~|yyvT^?kuc#sN@wgt;2YB7h zy*=@{$DU}PFY;|{RCX>K%~ouNPEAr)Z7?^ z6sTvqn?&O_c^t;p<*O5Lue%d}+-wD~yL5r#4rq>a6WUCZxF0(nJ)DnZFMW2*tll4^ zE)X*Nyx!mL&)7HXM|YvBuFqF|bJaPV3S<$yjx8<`h&mpCj(rtVO_dkxZ~NTGmPeN^ z@3xyQ_w%Szy2#$Ug;4x_{C{q%thcnEZZRvHkEu^aaho(w7U%93ju=+9w=X_CuiT!> zy%AT2Cv0jq-lTVjXl3afMzhoOm>rKT(^9$hTQ)I_I6uNbJ)a$U9qFC!*ToM*hJ4J2a> 
zAoq>%nubgF&O@7yx0E${w!H|mA`(PE((}**Nb?;8_6YJT+y#BH0zyG5rF0)OXTCnw zpWql{#9!B3f;}Zr`dhx8PM{{jJdnYFgmBma2G2`V_2=Eg-MnNfj5>7MDcRd2)^3?z zUS{aeRcPsX))7?55?W=X4Z-kPClcP%FMP&Du&!RTnN*OP4X$Jzv}?Mx&{JMbMRME% zz&KlDCh+4kc}JRzlIiql1DLuu7+J`S!{UW)&4Nrh+y)%JdCxA@qE@NB6XPp>bDx-s z_7J8Z$K=+UBef=0uKu}3=sHUjF{m0G*U(F8^Pu<*k1cT|h15yrDZ+A8KGiaJ-+0w) z%=tmFeD*|`+Ty#Ws+~+^!K&SKB`#3aJ|ssnxgkAt=YwTg(V}H8g2uTIO|?hXw3}tXT4e*KlFOaWr%T6I-dqbS>5mT8rLTxk)!w}Arw z*W3Sk%^6W3%6fFH$`(u~=cA(QPwbafG8IcEs|7)z9upOYMmWk6DNqp2$-+zIA@^vt z4ga-MB6!6!cbXFnaXCQvm93Imm zb*4snJa~o>{8|MmI#~w8K(ZSn{lV;sP9db3g_;vtmo16vP;n_7s}ii}mbE+pXjg<- z6lBnGgl07kEuk`2jG)d;#|vrkz+pe7^( zQNpB-S1FE!DVF~lvG0lfxMWNj;MjtU6Hv4uiGRZi5#2Lg9naQLJG}=>I!gWU!BklT z4}o$V&?=-xG*WED7|mzgy>*T@Zuv0|xgx0oAQMKra3GRH?$go25Lu|EBG}!wEFQbw z2MeiClYvePSQZqgGv^uDi-Rbj)>0^o3bKYjl@>C9BcgN?EtYa})0`w1w!>5O4wH-a zqy}dql9|W3&}hPVdJ`s4r!KLiWRV6qF5BjFi2@W#Yuv{JMJ?B-%uu94<-__MM#6_w zyT30$E?L|nsYb#(So(EqBqNCblW#*Pxb`RlzvHgUK;Q=$=+}o?Dd@@d_ZJVPh^OZK{_7g7niQtzr}c02 z&LB|tm(m`8DXkrrq+xth!r!hI5T5M&&ifWGXpZxA^6Jv@h%Ov(&2pRS_F(l`LTKAO zIy1Kq%aGRcaI4Pa^ZN7dJnO1yts%Ixb+~O!um0kIMz3jQik;)3w&QAZJ2&yuYoqAq zY{?_1)~)fO?3JF7xQffH!nr%DiLPs|j;534tJl&*uKl7T>*z}Fk?gUim#nShzT3sM z^7EDHZU1R*vF-IzzKv$X^&X6(1S-?}ipkOU1#nj(Z=3mX98uTQS!p`?67MlVxM8xj z>E~lxhv17wZ&qKvs!rK@|}o`_B!~R_PXvI?vWS2L3iZyJnWA<8tgIG zBdxhVlJF=kbg@`uby4>ez=)uGdpMXbv=-~%b@dHoRHsqU$lR@>A}=@oolJe zWWT_ocqp=qZy?k%889n5)dSktJ56Gnd{|v6;C1$j!uouhRW(z= zH+&Wz5x4N@lHeELlKJ-6D|}pfO2soA2O(&9>+D;dX0&dDi@bjCg&cg{$jwF1r(`j{ z`}lI3oFqcktV z&!5utZEFy`x!Cp=vv?i0b{rd9UPg92Dde^;U8Bp}HwKQ=ima7i|3_}Fbh{bM3yy= z%qa>N0-kKDi3Zx_^+trnArFsLIFlO`n)Py0uB+&Pq%x)Yg0zLvib@+ywXwXN24z*r z>P5~P>bQl(3!>#XX&q^Fxf&ZI@O~;#Sv=RYhU1drW?6&o*2J-phZrG=8bZD;VX|6^ zx^68~>9)9_Td+Hgq#%Wp1ZTv@fN@&@$GVxLd8pHLg>HrDwJUCet0r_zfmnO2N%A07 zVLKy3N2I_L%Vi@UXRxl8_6uq*#uH=Z+xgEVLDO1;KWFt*||+CHQ$YYr<4#*dA!S<*{0s zP1|Gu?!qorp30P^54WEr-Roq;_vN@o`;Is}_<-7_Tg|?&@ zjkt*6qmaf!%kzApDeGnR*0gR)3 z6{7NfzseX@XGC`6x&u)}2n(Y`Um@J8%|RsxNW*B19~5*2;CQP>xw<74Q^+_J^=8*} 
zxOkLA(Luh_PL;(RW997@%a+qdS?Q6Dd`B2ajg-=e38-v)RZar>V?$_0FyBr}xr(M` z>{_dhgBc`YG)+q$rn(#exIo#KoDirG#Z=zt7{RzWxtIWNB%o40p84MT|NM*p{Ll3N z>5-A=Nj-$0L>jfy4K0VXbMdS%236loRqSzZTw;4|(FZ*?CKj+}$oMW>EY$LOAwM)q zqG7Opwj7TEDP|9m`hB9$IRY|&bWO=rTb^)bm2-cpF5R_W%^k|eiANV^`CVK&_sxmZQb>qIUiOU9H*1Q}LEzW$ALNJVKM5Qnz{yAAoBPixS3la)Ho5u^Ww})k8b5yj zEpt23(Tg9w&K8efS$bx>Kb*0sdE1tEZ*JEyEwbyM?Aa_IApBFO9yk?l~(gd)?MgU+}to;)WL-06+67`sz75LE9{H zq_}bKulCOO9GyG!Kj%M-3={9aw2wKPxqXjIfAQiKTm9zGN5Av(WoMM%=_;Qrwa8m? z`;qET658sIV)txw!?729l6-T6cdj9p|AhbD&fxr8*ESxe?!WNdIZM7c@5pzKTkZ56 zZ~3tBw)e*EM=v?^)vYc#;-h6}?05A>4_$NMduz_TMn682`ysf$X^1wCs@+G8$iL#Aw&9H;g_QrK`Eg?CJJU*y~sj+jOE}fVNtl zTx00e5VG7b%3%sqC2cTDw+sp6!@O8cWMb7Wl+*zb;duX!O;CTayLv5swswyYalPSRBm0F=& zz(L!LTnLgZQVei@pcH~+A#X9A(y&n*w$iaAO>mr=%r8jSQ3_J@4m6p5tZ#D#SMy6; z3my_k#%Sj z1C$6BDJxAj#JoY+L;1oeY*$^gL7PsTFBD=U%glZ||Hn`GanV}v6K23Z|rB?WWJe4QQ(YA>A^ z`iYU)47$G6PRmYSakaoU2P{oXQikpH>af@lZF>+(F$B|kC|7not7@kCn!7sZlZON)n_RoOerYz$2kntJfVjx|3f(Zue+;6w{Oa9+K~SBTUY^11{*6!GvO2 zVw37*G2LKO?b?|0nohyuYvTqs9OP3po$J>IZo_dAu^2-DT1qfJP*O!D*DUKzn0LJl z`9Hn?+tB01#+3hj?mys<&wm!`cJojFi59|tCNZ9_mMASS6EW1Fa|x-R5y@dX!KE^( zF$*NJbg>_aL%&==nRsW!6Jwtl^SB--$_*uNXLC-$SuPJ7M$o9M^>HPZ8#F7hlPTrw`uDc~ z+rQTTEX@9IxgM{^Bnr$V^H~;gno`|GvI8ci<#TNbl$r)s7;x1fF_}zV-}PiR1t-Kz ztCQ$73W4-nN)KOraO=Q}UT05Q z_Q)%CpX0pscJ24WX@?y#P1|(a&DXqtjl%C2n?9}d6aMA=HS0S|Y%ZVv`nL1VT6UXH zk)vOa-~8IVoyhU@4{tbx0Q5p;{}tc8<`J}s^ zJM)QCUY)na`PyansUKW;*E5fu?$i#v|CMb4OSy6F=&sP;ZNrV1-TLVr^M3#?ZomA% zwXZW9ynEiEvAtub9mmdR*Il)htX6luFMs3}*1j)Y_0aV02E7pYxyfZ$55=Ye&DmtQ|jR?%eH<9o+cnhq?Pd zn1ABz{p?5H|MO8VRZdv#lZVeLTyoNqYwfzhM=Kuo%AbYOHLG@}uYd6R@4R`|y=Uz6 z#0R^+c;D`a?{R1H*;B9BV%>QMT)8Q+%ZKYGQL@?y|`y zk;PcfDqrU$4&|b@ZdV23I@Yr%dgUMH@REx&PBU9dXeoTRpz{b07camOXE} zaQ%H|y>a*Ed%cEi@ylPGw#BXU7YF|0&BT^JV)+@zEI0pcV8(6t-oNOF?`{^m?8Rlb zl>T_r-hb7anKxfQX`@Y+Sn1<)jfXaW?cxKT*yXje-liTne%^1^!nR%eqmTc*(-AxF z^XK$6$O#9Zr<9s(Z0GC#as7W5|G!`Vfe84E{sT|N|LE`Wb@{eLEDWd{3u z&gL|cukAm@FYW)M{P_H*J}#EUuvjJoo?7Vr-^7LSA0bS(*%pb3M9m+CJcPwO1rKs@ 
zMJT4)eojmAa7L7dQL2@wF(%Q#i`fck)KR9465J?TF@pkU4WU#gKCl=b0);4s(=9|&zS3y%Ub4He;pq?w`VZ6f+ib|9a;+duoX6=H>>xm$i2NgX5 z1RYFjxlF$Z5NMPlLn>b?x~^xrfD?E;$%lAnm|_hHV2N=V&yCDH>7^STp6SGD8J|lP z0|+t*5g8`!;+QwnL2s-fCPUGAZ0wR;Zm82Bo2?=pdIXXtmkHTX*6nNgF6hLDI$IKZ zK-N%C&}1gEcXniZ8p1Y*yht-A=k4IOzj#l z#l+;gktL`$JFH~KPR2othKR%vJ||LK79G7_48hm=|p zGj>UgNqL#Yaw#H{Za6BfOSy5}ZDh&~lx{FK<4z{=K+&UoEi9{|Bd1A3_3dnJXbudL z>xEb<)~vFLf(2PLT9&I;k^mBej0Q2^W_d8apytE>*Zto>I72v7%Y&c$5A@^npM|>J z{KJ2W3)TMzt@%A23H$kSELqPIVOMiU$qbGn#X^Njb<}EGO^VgzP?AbMuT+JhC*~|f zR9ru8V1f`I+az2Vph$~RVm3)N3N9=W{V{^8m~5E6VLDR@T6HJ{N@}(qmExra54RZ> zFyomlJM5(zB0j83gD_d{Ct`(ozL?MkqkbQyaJny&{5Vt$v{#JR{G1mz)p`MU#$yle zQY|pUcp~eTg^ner)8$4OxN;2kR5KJ{l4%b|Bmq=C9m{unp3);aGT6!jpgb-V6=&#Z z5*}f07fodeM6Z<$)FJygn~Qa*I^c`8f)9pB+V+8gX&O+Gz;ja3DpA={2cQO`S~FDu zMXL2sBMoy9)Ca9ezQ(aIT#p515NuKPevugdm;V%q$#nh-{~l@pWOkR(p=%@p5E@y!(9O!3VW z-%O4FHXwq)evtk%wf^^=j4$|)w8(tuk{^Ko;5eFq7BtcM8vcX*5dDWpASgjh-rcwG zpVUvP+hONy{PB(tpDtefLVfNd`qPi!a!{ss{nIn<-T^sqi<917e$z$X{OAb(onz0v z(u3cLKZ>um|J#Mxg!a2-mf!HS`|gr%y7`zntJLHUvDc%IeR%IxpC-+VUpVx+Q(r!l zo%2flkWM?Cz1i7Gcf&;vTVvxL=6>+X4ZxfE{te?T_933`o_6ST_>kMz@88Gm^_=d# zz3~=*-v80tKKwNP%5n3TuD^TdcCEE%t#G$@;=Z@c-syzf?mp|{-j1s;@z?Z@^=G%A zd*G+H+#%u8>+H@58G4!h=KuJ>wlGkN$6Z5uIfN z?9y8T3RvAzXpt<-s+MiZa-mu-vSrz_Y{{~<5PI)~4oeTchu%Xkp|kY1^d4$xfjr*u zklYFI4-0oFch0;x=X{ROu`kKGW;FBl%@u6abjs?Boga*9 zrufz+nsN1kKYx7oLhpQhj53W~d#j&4--qsi`WFPZUp}~YSb5?(>8#U__|?xAye3?5 z(|xB|J29{3m;VJceSwqT$v(LB#m-;vJ^qGMj=39-Ew=C~8y%H>|GjCmuU&EfYopDU z$+OBmi|&;C^G+}B{Kw@FT=cw+I{R%&Dl_J+P3FE=ij#wc?SLW z{r|cD|AG5|@TvZvAIiQB{{d?$mHx@ie?!x(1u2m*N=NiJ@Bc}ErT))Pk^dlRJBulL zejW#!U;dMyAO6z^t$q>jdwkPq(tQb$fU?+;YL!ZlsdSl1&QnYIuBpMz4g^QVG3UB0 z<#&mEj;cbjQqN>6vBn^xX{J1HY)!m?jsbykRjHmw6Jm=(AkS`8NfYTBiGb?Hz?!D! zpjy<$v|>JGJ9?k$$f_qcLt+f^24a`G5HP5>`C-oV;p&KQ6KN=e4AZnE8dSmTLR3N? zwF{UiL9HlBMxenJqzEjTCQT7`&<6EP9SB9Dnwxq)p;js#k>V|7jOszT z5VUwKk*#(MF*U*_scSWGIhMraX5SR^4p18Cjqk>P*pgA^vkf#;9Kp2_BMH1c;#&ne zH82#fQtAs`Eg6;6ak4Dr)OKEh3Z$E#yt+dhonqeu5|SUwUO0%i3Y9n! 
z^v7e0Cu4D|TIC6@#tlTSuc*0(V`NM(i>Z`0H0wjKlmZHT$xf$oUB1xC)q8a?Gl2Sf zLX}0#C&zBQQ*JfE6l-SHMthP?TYfa^wK%bskXvZaY)ULpEI?^j;!7i*X{Ys)R!h*- z2n{ICXv(buF%Eovz$bA+LWmJTwJYOZVaO{PC)Z}Zal91)X=`$y(Xhv*dM-uSwxZE^ z&~1Gu{U3gwiw*zT#l}NwNJUfi#h)<$nV)d;5B@Vh`ahx=%k^as?$HTA7Q~5PFk@OZ zrNVA0KCo(C(MqYL+ap=jp>&^`H)~QILJd;}JA#PUi;OWg3^!+xgk}Rh5--F$*?v)A z{eW?L9Xk`n1|sCK`7R6Um5S|hLq-_#g&2y4!$e5ic^l4H-LwcXdU*)+%T5(enZur} z!$CkK^C^jJv*N&o(FERBOh?qXR&nUqwvJ;GYL-VnS!n=XRE9zs&hMyE zN-6MQov%53yQPMPl92=iQif33$%71z8^u2A`8I-~X;sh(Qa77arUq29y-~)cYf=Zw zI!?Qro4ADn?bQp#im0QZ%XM3kCuPbA+1FHK5NGT}HObTxew(T#ZCeGfhFJ|su{$XJ zeg0cr;li)${}I37KUtfhzajt8nu7lIW8HwSo9p&f{XTLt)6b8pscKM#Rnus+?R)}A zF;&kGiz!M2b1GT^<9SrY$6}A6XlUS|kf6I%S*_E0IQb%Hl)zwcjUJl=wCktsdI7LA zwunPW*l9QrifBf%=Q|OX6jOQ7D?#OfXAx%IPJ)dl3M(YrV)KHV$Fedir?hl2j{zv# zn0N1kDHw+}hpDlTF}*^liDNBBXONx>!y&=-i>(en*_LCK#O{&8RmgK3fId$BL`pAFuu#D94HL&B3Q0YXsfo9O=# z|H6NW9|8X%F$5;!6ih(hp8s67#3;VNrq&Kl|fZw_S+P?``q#tV4Mu`4dR^yTaC{O~4gUw7?ByD$0dnmhb# z9=~j{XO}SVygjkn#)qCA?!3aUFIZ=*4NraTn0-Gw zS#xhaezVVvhnxFNA5z3ZTf>h$j;y-ZxvMU@y7$}DA7qx@|AAAZU7ma3gFSCQ@)xJC z^XMV>6PHdu^%HX8`W~a$tPdB8U-N{r`f6t#vy6Ph^JiQy#BP7&$TN1iak zPhalxNA@o+u*Tw}Ip9Xu=U;n$<^ja`)>n2u=APYOzy63T4te9^Q&yU_OX|o!y?gxC z;~O>swmNLfWv}b4cFj2pEWi8vi`{+T-rM4zF4tJ&n42~Q=~v%NzPadQH{W^xV|SkS z>e&YL{BEnPzSvB4v7@#*dBHb2;Z;B9S3Zh3{`pP!Saq)}hSrDlWq;rQpZotGnExPO z(f>0w|MPpXZ^3`G6gv#tKe_pD*d)yyr}aFNwiV=?^PjKO|0)0U_|N1#MES{bg-D%$ z{h!kO@Sk{#hzp@p5qzUAGD3?6ymY(e45(Jk5ZyK(!f}M^>p{H3_v9WF7Cj_m_J%=| z$rlZQw^M@EFA`|KlTlmo0_H&)P*r+N${MR?FwB^IoJTrM&(cKIA9XP!C5mVt^nG#M z>#9;emW|>0@xUD5*;1ui^0lDQ0BTqj?F33!iubd6q%sAU?|0CGKN^71K;aEVYPJwK z7bNjPD1~CP02+3zA|x`2X1rwJ2tb(~sFKqQVq@5A*IBTaLE@tVXm*Jn*-J!0U+gvq zrfVc%!@(Pa5{G8TDFsU4IG8nsjsT?7X+{wFnvmx(wxshmCS%zFqAKFpN|cRUY19ZP zOQ{kVC^1N{*n)b&C_+2UaZQt(Vh-RX(D`osCzZysYy(m3tFnf=cvj1l*(|tf;43`JQ@tJFYojMQVjz!^A1pEbZ@ z60B?WG|Q%2F)X9lv9RlgzOE$<*%OBDWP2e*34jn7ZwMmZRYRhVl>6;^x}NIFd|$4N zi;4^T34upqRzXs7-N|vVUaUm6x>s0f&Hhcc~%TVY06Kcy65Hqq}vTD3!z 
z+anok)tCU*M-E-md)cU~;bb$_?~xV6X*J@zTiK|Pmll1SGf5H|Ct~CAJHVtLUY_!T1}v-#2O3* zN-3<$$Iw>HQ0zp8s54~EOw_~?*KQAn@f=gEcIBE(NMo@Y#_cdD$12h=*9~HT$=gXe zTY^NK?qOO7a~z>of`z6y);+D5s|_*66jXv>i#^}XmZ&;9@JNj>P=g>nq(B$w!=a3b zvLFR~L+DgtgXsvkP_iir!xhbq6=f}S$fOGzZp-SY7^F`k?Hr%XdEH*QCn!K3XY^!) zfXaD1a>r$p6XaA7l(C#WLJ6lu!8n^vNCS8{iNSJ8bDGsAnaNkuRtX(dT{#X&avC0m zUAl*q>aggeL>$C}URJOrCGR@6KXUpls8#B_l2Dx{x-26SgOgF{AE{U`&%U#{)52PPkIRq~*Zhn);b`rew|1Pl-!>c8 z&^=z?Yuh^?T6y&=Pv=(~kL81Ix&N-jl23p5-iEf&+_7D01Bs>wlu3Jg2zfC&%6X_!6rEPXx=q@uAyzT|9xh=;poOx$>nC_N^Xq zU+2hk(|eu2+fz4vy2?Vp-fzD9Qtssb;z?(t?RHvm&yxb}n}{mJEv@3!>; z?d!x@TOAXQeQDdXA7j@1?3NQ`6DTC-mQ&{9@4QZ~aKm!12fsc2+@?9>f-~-3?bP=! zSY?Nm&Z^w9?J|pvEI0Tw+;7tZN{;$3?AO=toPsB>XA3==bv}a>DA|kyIp$2 zt33C@_@F04S zJ{}h1G!PpPYn5z~6d714YT0}$HIzVt>3S$!X?l8K$mz1%f(srWYQ-36G8Ly%AC?(2 z)yqa=&<5OmHvvu-M~%}N&zAbdcER;fRT%ZLL8Vm`y|&4w)NHJR4t#+x*YpM=qWNZ# zEE|b57Ha?jXs6&Ru6cwnW})mjuEug`iKyn%iE72PyD15_lcb)6n2emL#)gfK>~LjF z6?#$9E)+EY1grf5mKSTetX}D8XpX9tI*vjXWiA%xplqfsPLgNTHLMbzfNUyqKr1^) zut>cK4+milsHB-@J6Xa#-w%*fN4K&f-N5xyYgo>W>Kxq&biEK++3E=52IR2fV=@gx zTvmj%t}7WO05N_0yYU|>n`h%e*~-{uq$Ce2%~}Fx67^;d2?T`gR9m=gH<&UZ<7pz! 
z*BVh)bW&p?)4+^sd#C{Mu^elFcq@w;lch+lj^#&@(5k0PnQTl%$uX#dY}F);PAqB& zlHRN3s~sWe!tx|@)=>^f z9K&NlKkTX~({D*l%`G}ZKNB`PhUxgVYyluy7%s?tW<;b-9c6Kbh&-j_8w_uYa)NlFkFi10GgDZj5R?6Gh3_?>Yyt$(n&a|Og-9`47RRhEhIitW%cxvA&d9-# zHw-5`>O*=bqcz#kO8X<$VXt!Gb4bWH~uXySF7yL(5lGU%{KhPKaXWq5( z&G`>YOU=-N=y@_fApJL)pD(sK@UQGABa(w!&~)SAAcVLIMuS4wLR24ZLrJ%fbd<8u zr}G)3oGPVE0%HLoHN=NPIY{_=M@z<=F@7lIJ$4K?8?97AbT~9b+P&r^@`z9&M-4?- zjSp(+@>r*;5FMg`5h)e7FR&&nWva3AcoNUBaU|prS)em8T}u1CzTy?jWPM;;7y@~a zS4`1hzDz3}j%wEdG|0Bg{jen`d!2N`6XkxhN+pIgUXq5{Kuk8{90aClBR7hBS%}S5 zIH+gE5)G|5C`u(`2qbNZi8a$1yOqnMvJ7&XlkN4Y7*X(H$S+!9U#~^9)m96!d^M3q za6W3uSX8Wmqh!35ivXrP*>+)A(P_Iew#zX*C#2F)NslAVP6}735$$)KDM_Cx_A|wP zrr6IE`b_WWn>9nohGvtMp9Yt=Sb;gCg3_g?tu*6XV4`A25eOE)-b4PL!} z?OX3{bawu0XZf|`@#}vDpDAyA$zC^0net<|-zCpJ>fMjGKPtHz@zKY}#!r9cfqg$d zf7eeA53fG)XVhV-HZ^^{b9VR6wP&zTKKI52hpoA8T3>A0 zD>glLyXOzQbFk#Ir>u9;B7eU5jNkmCc}V(%{f`v4dq6$0 za@%EBKfVb0=ZC8w&pfgD$&55W+M0v+=Lk!Y4^*~Y;m+G1KIXLj=_CKN$hQ4m z_$&80V!u7!Id|i~tUc$g`<^`bXZx&u$;U$ShSOgqUwe4@zufi08;!&rZ(n-h{--T< z>>oPseLz3?=Cv0;ezCX4FW0&K*%vlhue8e+CtiHOVz-`g@az>g+V=jxZt)vonWz7{ z+0FZ1Kf3Ja`|Z67|MnVhpHP15gG=}Pi2uz}oo#2Y^T5Y1jXpYN#l?3$=bn51I%m7r zPr5pO)SZhcvx~WNpPPGiaV96;Cb+B_90y{{P(n|G@kw{-ybEFf`Tw^S#)&;Xh`) zO@==?{)4Ak8cW;OB+<)$bN-`#rT$Otr^kQh36cxA5-H&%C!b&bW6cl$Y4Iak%?|U) zSeZ?hMr;PC6gxezmaw4+A>1fzafKY((uZVJ_Kl7Zr9|1(&7KhT^GvTsr%N%$8%S-5 zDGn=*7%x?Tc5IRh*EJFJ>u8EK%fnPdY|xr6Hin?a*6mEcYI?O)kaf)#=XZ=|hgOC| zZpgVPpK4hcVCc9?Xgn?^I~7C?!JraPu$+yB3B1YSMQdQj%Q#B3K}RlEC89Y@RExzd zl4J+PMB6WC0FTylsZJUV^|sTA3iXkV7g}8;UEq=xw&ypzLYV9K8m+Jy1C>G5q;Nh^ z!YG;Oxy33TO8{)uav?^+%GG?|XrcwG-(+c3R@h{P?#ps6r^@L7X~Kq+^FnQ0RI!?> z1;eN&RB8=lQ~`>i%X~-upVX+-rz%v&uo_?&FGP9RG)%9_4%)(SMAs0oE2?Zm9weYz zt0aY8gHA}b=13zEglrc9Dlpuk(Da**QqGLJMl1tKu@T`QL4PcGS~o~@XfWjM#;A%g zS&Ko2wx)rDB$A895EqOA*=O`}xoV~`*#HOG`T*;f2*w(W5{(uTfGVQ5at_v33JD^r zB&uXvEDhR)WItA8xqe*+0llmtMMyV1H8QP~1kR%-ByFYCWCtnQ%n%kw9$&GDI#u_z zZnBd^qaKA9WUMt(2idFzw5>#v$_ZTuYZg12HQBAXe8s4%B(0*X!L$guJxFpKOJ!@r 
z9voM2!WIhUVyS`Gs|CIZ0~HRdbqd`;s1QWR#`Ii$9QE+_ci}(MJQq7k{gaC=Rb^B8 znik9du3F;X_z(Ki<3IBiZvM`H)cMl?aR-TBE1m4JNx%q=a-Zp!@Qg^gdaqeAtE8QR zY*Z(WO0zd&q%KmeRpR9~Cz4)R97QoQ3FFyX-3{crtO86Ji?Dn}$_$3-F*DiWsW=6v zO%BWU4UX*<64i0sLBOWebE!ruo@lbZoW?>fq`La3l*WNPQ_}fzriy0lm>vbR?TgJC zTF`=8QH%NIM1_DVaksC#H7MgdDJJHa65JTn{W@C&$C?d@O}3=^uvwAWM9z^huH*^s zn1O;4g?crIbc!&X0JU-~l@v|ili>;)kBw6ak+lsRZF&F^hh+h7#sV|0k-Zq@F*Vog zHrPP*6aj;rdAdPuDVxA;CZwWHJ(g}OU0&0{E*2HXZ3Aevt8i0nXT1L3`+qzoWqsZJ zH{%QbquY$~jrq^yLi$(!^Y?jhz`qWJo1b}bHHK{ixscb#9uGxneHe~}yza|Vrjez~ z{jM2gU`VL-ogR!DR!Z>`Jrv2f@hsey#aK`77fa0=&{Rwc^Hnx#pj@mjwICAXDU5Wp zgJy<=s~}SEAeFo)RYxY$W5`OmUdo}gXF{3~C%hyJ;1TGShnb{1tmy^V(`C#Wm!$lt zKfo;3&L_Yzs?#oMIlYo%6%B*!B>7BH72CeSP+G_VIWDN?>UODIAY0Ce6w{%l?LV_RXD5w<;Rsb}wcv2yx) zhlhW@>~W=0p4r>NR5mRa?rJ=nc%=4RXPYJVY0hZ<;SbAPLEn4!sdrouE^BUlYkQUV zk^NuV^ojjXTjz*h-u6)Awxt$&euFh1vuE3tZSg;CaQHRDWoy@LUYZ-f^70iD7yo{> zgAdiNJ$$93ukS3q;61C(FxJ?7t#p5VG3%UfKG;0v+FkcK?_%(wlWw_j=XXoDpJLD4 z>z>7q;un7X*NqRerL7LAQMZLRUU}mUH(@W`z2u{pzIoqa(j)KO`&;wc*FJt^_XYOa z^y!^v9TcCr&BoKa?>&3h)y8`3uY2F#S8Tm=ai+#T_R6moo4xVb>+Ze@bK-65|L6G6 zf^+6B`Tnl_3NvHj$y@Ao)Q-npY90NY^708+9&ywft30#p^EdBy*4woiuRpW&KGjpQ z5428vX&mf-=X#rd`tS#RZO+;+u5{|OWzM|lgJ&~u_(x7VcH8L(&AsH=+g=Sby-~f2a7`dDpx??d@Z3KlOo!jytq+%dF%71T1>{!592; z--TywdG^ZHT~>*2Ezii2?b=?`Z~5@FZTuIuc=*>VZ@YPP({y*M{WiaD_N@DEoAbPO z<>DWdf?ZF4=NIXPcHHnYXPJGVYo1sSUT@CQzhC2W_5Qd1zW+b>|35JQ!MyMTHM07YwEk|iv2^F@4e{=rxmHI!;pBVp{q}23SWwTM5o!p>D z$@%3!?fKz9S-p!VVwMTTu7w| zWe3Adx`oFDOC^}7hLw}J6d;JxA4dR4c&$dUz@)NuhoCHrD#4^0fE9kknf@?U=0=rq z-{8fT=ej;5G;L{8wbR3klP z8bd1?c1i&m#p^9JKuAhOi``_Blw1$U>JnH-oL)Wxu|R_0j$E+&8AKXZs$;@#@G9-4 z9Nkv?b-JfG3e_r@mfmQVCOLg~V3RsvW-$1>@gFgl7wov(NFzdqO!S0wlYo7q7NLmha>vP0VV}dsrM5iDtsx~DdT1Gm2%wQ<+GW&mddaAsOY@j*gbqa};6{Zl zbc|%X9Fk0<>4Jksxt6b2$Hr&~RWr6f;);_uv7-Z7B44!fv8p+Wik=rU`WXm{n)av( zLSl~3234fR4h22iWzyj|-j(bUWU9F?n=g-?99Yi-HEdihf`(5=LK@RKsGXYJ{&lMD zE}1Z!sg`XI=|Y-rScse&R;^O5L&kF{K}xqqiJpPOZ2&_n){w3xbGd3?^CBsNi}eas 
z{Vx26``i3C@Sj|4Ys5I{)cm(E_|Mmt2Y;;mXFkKtKlso5=>JHd;KgJ0CPGNS#M@1_ zSu(7YV5pZX)U9H{4wIo>tfM2|tBGm5Ky-XM-XkQHYEWa|4hROHtkfK-9m?PVs6`Ah zM`T*nMqwyqO{s>p123-fa7hu`!T|MEqD`VX4TSPsiD{P_4yLvEL9S*}*@4Oe*>-bK zYcoYDRc7tJD54@>g)p5dg&j+&`++ID4clm_ZC~k@TS&KRDT0*j@{G#Y)17!0=t2k= zP}9UI}Hh3R!lWNE634LPYeF2gx6#%2*Fl|%hz8N^t=LCZMIN)Cg!hNOgPm4@yf=vZQq}xd~ zv&CMiP#EiqSTQ+3RFp!WGxaiKAcI;$*Ry>V%*5+-TQ#+QEGQ2rp{C_zyg|x}b9r0K z4>T7tHGMEBIYUSSvY6b&Fu@$fq%_>;nk_OL~+i2(oGGkaK%;KahXDQmP*K7EI zP^32R6tJ|Pq6kF*au&gLSg6N9dWMbIjE{+Rg{x`fN*PMU=xhrfDEUB#=!QP<{4&}} zS8|eK(?P$Ui>fLCSivCP;|7RA6GSR0v_vTj4d5h!o2t_n9Y<=89Hd%FWJo5YGRbUN zv|EGmSShv=`aqz@07sNKq?Lx5?5Ii-Oe!VfBr51A>v=+KR7(af4&!kc3t=?XxD{K z`GWs!N?x@paKxAR&+P9NpCA}X;RpuD;}}J4IJqF!_#B_C{MG#Df42W17z%y4{b$zq zzWg{s#9;~|s15%u<=N-Hb!=&u)09`ctL?na1=IJfJ-Est*2%ROZeI4#-;>32m)&yH z^M7&s;^s|HZZ_k+{;XZMI*2{~>3t8v_!HI&5*_We#?I?6#4N}Z`=_sSEPV8q5AL?s zdG{_lp7qo-*mU%^$~}*voj*_iXzokr-R->f{wFJ6w&J=gMUNkrpMCDA`p6A?J^lQy zzgz5$Z4%p5g*A75=_cV4Kfd4tM}Bzm?Q;)zi5XARm+WxcE5ArDa?gr4-7!7jt~&PY zSMGneH{+I8AMEwcJEK3N zC#`_2LW9{ISUFGz{M?lRFV+($| z(RGh$2cNnvH)ov#j~KN1?A&u-e1C!dT|7yv%4|DEA2V1;3^U$5Uw_{JQyxVrG?|IGkF7&&P z&zSvyy2P)z4=#Or+HWp9=vHf~OXl($WpCQ;!ZnR+D@WklY`Ev88H9nq5~Qo=Os&iftqkKZLnD(8k)85$)bTKs%fC7pH* z9Z+&gnEV_F2`t@XONCKy9$7IvPE*MVVUqsaV?0Yciis*#4&k85_Yud^+Po(M7}`}5 z5bo4cq~|@J zu%y2gr!2)nqFU4&^kJVZvUR)ozh7Ma>i)5bm(jB*wdC znhDZn7c5$V5&3Qnw5Tf8m?Xh04*`r;N^=}l9)u`D27an&@QCQtvvJOz9EIlO3#JKE zFxPPX5e>U}q|CR5L!(`UVWB^2wSjUB9+7xcD^&4%E8y}80&fMwtdWW;CfAVFpsCTK z*$w$xCnZ*66zX72Nv^f49*LNOk^&q-gZV)%9M<@_#CKpjQYMKtm@~5psFNs?bUJKk zs4&?aPPgPSNXD$Q?RbMN=UOm6c|D*o@A}Eoj60fKP&%FYy!iOHq&3OtG&`?2`L890 zMEH4$VY0LYDWdJtS~tF_1b|+9pD(Yo&&z1TEwsaum~yn%Kc0M6(7y=sF#d zD0nzm#@)aJINi4TrBaos7mLzp9HBzW5T$|CmJ2};>qELZs(ZdVgcud=iyh5R+TP@c z7Rs6i4_91(Y@$ZbWK&9!j3S??3e^Fsgr$_0S5(g~_u3YfOf*$#TpEnn7M!C>IF{>z z4BJ3zeh{>Px`IgwopK9&OXqV44bkmR#vDbiHMt6kSt}Lb98)NQLAzGt)l4Jo!R!D^ za0NjZ2GxWP_@t2`A<1{_1~GJrLcX3N>*}aqSB#`dtE@)~ zgPMj=Pcm(i8$w;b)^M9OItJn+((6?nAmQLJ+=q>#n^)5uo+#D^2o_7CXuIM!#TGLR 
zOU|&1hi%k^#@cw8Z~08M5RTgMiPuxe7Lf30qeYc@mJ&?|q-ukj7$@CK0V6%LEIN|j zFR-xf4O8jR;z(*}tK@8gFGI zg-uz4PB(xrdU*bA3r{7fD742Xl!QyuY%CVi^gO=}e6{0Lol}%1;nJnMs=90&UAAr8 zwr$(C?JnDPmu=g&{Y{;j^Us>O$XI!uxmHF-yn8>p#EI8R3sdM>=f~!Z#9brqSrZ3p z(~a;7C;8k|pE@enf;~Gk`=+cydx_9KeJ-wSxs5pa z(6E^O6w0GlObsj8=+ODsQG_!nrSWS$AFTmd||T~YAx2n=CQZEh_)GBH7R!U{;DR52c6p*71CDEfAc#0sf97rL{h zDN(`5Q3+sOeJ$g^NeD*%TIX>~1?Y4qO%j$0f5Ag17gJ0HoE>W{VY&kQ(o7&r<5@Se z40)8Q%p#wp>vJiVnT9;SwQO{sKE+l6K_jK-emhY3qs zPXMQBI>p2CQa4fK$FM%x&Hlyuw&zpX!|sW>y|4OJlEtgFJ0KDZ8s~9!ucEhhGHwYz zZtW+A%4gXv!xzrVcTnL3a6ev8<85PnpT2GQpyM&g8rk-I=_-!X_Ip0t&>^XL&$|F{ zxL;G^^VA=l4`!%+xmNGTimBP=s`$K}S=mi%1IR`)I_K{`5V`OLw*7m%PRnl`Z?-%Q zPL!`2F7PGwoQ@?($GxA+Nt;vRV%9tHW=TDO}YBd5ybz=)McW+7Sx<|j#V@jM*QJ=!y!xPKyNjC-fD-_4umJc|@(Fk`+$jN& z&9=#2TR|oB?SJPr+5DsAs`V*_^&9xchmr4b{N9kO2Y^e7X^1aL9W?3W^nT}!No3`H z=V>=?#Fu-QPHCuCEKVWv3krKA&l+M@A``cdjU{(Lm_Dv|XU~$I1I?W;l%2ueDq@+8 z7=~FFgSmpAD^Y9rp@3R|0P#XNX^xDo3n5P-ePCt1euF)FgY8x#E zFPbD+tDeFfT1%gn%ZwEp_uW0TaMM!<^bwWl1!l?4OcV_YL%!tb8geHx6m47kF6vNbq3L7)c(+oj~xr|)}-$U9Uf zL>)mEsm8`UD*NCBC`(?!NdKBZ+^GkIouU2X`~%0qu4vipSv(Yjbq0acdiWTQjU1eq z#@&(Ls_+j~$uXtsh+(d1&9L|+RnhY|hV3f6$WX1?qG|_%m6x`LYq4$hA(3w;O;%HI zngo(6_%_1in(%zVKVdFPCK6rbe#c56_3%U4X(?P*VClS1Ol!C!%A&hB;Tq|C&82Be zAzuG(#EYVN7X_tz378u~()5+7GMRY(Ll;i@ah!&NOzcXU)Dh?<$xa#u>clZ&7qS|0 z9cNFW*##K1wN#b4^OG_2NEN&K~GE~e;D23zq>vVG7Fdm*H=N#m1*T>s9Z?Q<`hD( zaP&4fCP+PPNf@iEafJO4V+hj>19e$0T!N6GM35y1CMk&w>NR6%Oxi*Qj+mw+-CmmH zc05UF1FU43A#8N#=!S9K6l-vYy6j>sh}rScr(uHQc7}!pyZA&DXl}Qv=m+1;0q2}C zRwLB35Xsz+uG&sBAu^Nh;;X@PJWYq5nrw6{K`C|j7_`>ZD zJ<|l1v-6Uuz)>5vTIXbB@M9T@PRZjZQWW~qseu(t=SW@mdCP!$3p-taT=b{k1wdJ4 zH9!kd0~a3Di5{sSxNo@uwAi*8x`)Z54yxgN-9mO<6VzHA?}hKJdy${&T58bSj17hE_^%^b7r~8Lx~ps?T?V{ zMer{$NrjRL zWYrL+OygKA6K{H`ZhwkdB*v;&ne_?Ku8@77-r|ui$*voT++}eP+hqvJ-&ar2Z%_x! 
zQ?p$Tz5#kR%xyD@^V}+RHUTPoAh+{ z3(Zbwd$>AQQi{9rv%S`w@3wpb_}*5q(s)_iGLDtf>}qTr717&H`gxYyUH-mi>(Fw% z&Z6@s%sk5Ju={|PRylhyHr_7d7qxsjKXHT<%5vI16Wyg;zb*_+Tz;JE#ZqqitlagJ zj%?i>z7C@0^zCrEU65?cHb8UR_xA_onC56(UEWQ!9@n%NO3sMrejF8VD|zK4<#JSh z^uKy{k~`k(z+3fDUU^iwFPP5yEtA|)vRxi88<)TA3t2Wn==8`M z=l-1FKQ5P!;Ccfd)N)Qu@bm6EL~Fdqb4O_Jxt(q_kC-H91t^CbA1-Qo13-v-cu~J#$GuOZQX`V zTsQ3G4uB+CY1?hz^G_TEjaRhBdCA0kO z9BN!ISW9iclbIjp$DwL#-P@ZNJ6G&p2bsXDzfZib`3%4sj%B#p4=X-sTCd3_u4V0B zWKGIjTlEfd)LQ-Az`AxAYI&TN64|P`PSmuP{d%tMq4VQ(k&m4&OacFAJO4AllgCQG z0e;kyumFL3m!peNDF z#8Lk|-6&eLH+U5d;%V1mOe_FHBpRhdgUtuyOinidm?Gqs5pI4@hbzC#l4-oGK|OXz zRKc7)^;iY#s(~c#yg2(;2jMShcRjc+<~7NE>Eca#ES3i0n7bNgMNtKyhChGvjW_Jc z%72UKQSckCosMG0$e32D)@1#X=2oO2V<-X7gw6O~#WV(OWC#z?QT~b5B4W|sUz-)| z@}5a12uCQG`8jQ`c6i$x6<1s8l0&NCoOzhH7D>An4y!HB{xWBnG2sa zB~uFXl8u8vB|;pS;9O;{qE_0wOHg)u1~p z(_H~oD9e>}B;2`4=`s*3srTe5*psZ9An8)T0}b`CW)FPVp*c`46rG5pcgaRj>8}S) zk}Yim8>;uIHF~~x73nL4Vn&+vELJB(sYE*AL6>iAKwmHtsUcto&8{>-hS;fv7SA`!0Q2(vVn=*4ge{ zjy>BzsX{=lN4K8zyN-u6%ur?E@OKTSLnRj^x&?m_>6>XkP2}-UKJ7`~>kJ_FTW$!4 z%|BH|c&t9qyhvMxTH5?s(lQeYdCNgrDiA7GzG=-Q5Km)8vx*f`*xqTeW<`K5>w&n9 zA4rje@@&l%YzTu$Wu~+;A4|&2Kt?FhQl%6cWij#z%w$K>qy6s!N=Ecplnx3t3cqmt z64q?OdO)64{}o(?K@Sk>guv|H5>N!XAhKB^Glz!gL>&_=*6%x8%2ZjcFS{p!FCbBM8T z`aP0gX&6Q4YsbWr%!&C#*f}K{H9~|Nh!m!WbLqOpNlAqY#nLgh{GJsIizx9^&tm%s zf*+(n;vxZ4sGdUt^OLGdl&e|ufQ1haAe00Q#pz2DKut3Mr9Y{&kJ;iH`nTk7hf zs%N0Pl&@`nsM76AM|Q{i%Wa7)c6E0qOwX}@65CGQD=Cn}hKN=D+n1jb|7&qfY{zxU zF1H#LEDrxZ&D}Q4%g<>#wt0lk^P@>4thVl70GXd<&+8b+369HIiQVP*L=Y33jryyU zQBaN=TJEV;SJ=h~Oq zj|ccTx@B$1?upnO>!}a2Q-{y#YkbJexVFtFtyp#qklcTfb>nq#!`6P3yrH{I@s<{Y z&6e#qmzzgRx8oPG}5 zTIsl7mbP7Uab4YO*I7~bEpJY7>H^>Z#%}8Gx6HB|L%v48CwSgJ&Ms=+=4-zra~dae z-Sooyweq|+5bbc1d2b`W6?=J%j`Z|iD)ngXkI!OG<`1%7)}KNw*seb`lDC~}+i&vj z|5>V6wd`hqdu}A9ws)>iUkoWl?peCJm$85rEvwz8?$X+dDuQ zvEyNuU1j|RsCV1Bi&a`F@W&)T5zyB+H}Id$f=DEpNG-3YsZ<|Iq;3zV+-R^yooF%E zT9yx!Jr#oN4uku-kOU#RL#O4D7-3i*8Gk~&9i5POLj%yqz0AH2n0R{+h$iN@&93a8 
zHDC0a=a8MI-7Z_(=v0l|8mjpo*X@I0S4!4(#W5{TNPWU=@`1dlfeCYuY|~^Z-2BjYac&D z^1>b9V+BCQa0J+q^u`4Qa5s{F?Y;woK?@>fdPLoicGwQT!vN}fyL_t0VJCc(hqF^{ z`9<}CiaN>w1GFK(VQV^SxqBm8}Yz`u&`~2a?ZmLi;0KQ1=417+C>h(AjfELh)DiIy><1wDbtmA>iW()f<XxJ}Wn7b~N8;COUMVkmhi!(|OkET^eYEox}AD|f;;nIOiQlAs( zs_obLHY{GA*F~>p=0Cl1vb+&UIux=n7QpB%15LY7KnjOgXDW68ZH(A#9A;r6H4zcc zM0%906`FJjo97n~J!BLV#IzOA4VE+TnZs>h?V2g&$D%w14vod=dg6#OW*2rl1VzOh z1cI78N@r2*`%osvOQu^qh}Wkg18K=^ke{vIyr|CO{>m54KjrL9P8&A z#kf%$!kMjC|K>@R2SU9YW5=aMHxLmilKh5NPb$`OpGnsqM`7vzEgH~avH?v=Le3?> z=o`i|P9ILSq)BDoE`UrZNu3Qm(38L*L>AOum}+Q>3kM`mA4ox$C4^J5qReRsNjDNW z4}nAu%S6^{YoCx0{X#WQnoU5_nsBDQ}?nA`_UF31};e;!Tz@$k0!9>!}>D@t> zG~FSoPJ%OQ4GdaVu$nBVXv+?;4u1Bo(*{NqtRm;e5c|w2K=%Cthw(L$KHq#>KTZ4v zKy3)XH^3+y$i%*hbD6>|aukWC2IZ(k{jr%5;GNf#!n#g*vfLbeX~)wR!EV!&@7#uu zCQm4@I7A&)(3*DSo7N3bn;BI1AO5aHP5GTIP28L$TEs3x)-aJ;CKhr@uaL|LCU6n` zZ|Oo{`-Qw{d-kJ7&l#LUwBmUHc>Pa*fiMt)hK1>dPIk=uL3D7z(rj!0xV`d0BfUyg zL!eoz#Uyc(Pub81F)xNg^bB()Ez9FSUKjcznkIjzk`2V|iC`4n}S?Fp)~m zk~ia)C0wo`dS3FxW*B9r#|92dA?5Dbzk8GjK|)k~lS>^EEeZ0&uKYqd0-WWCkIDuA zh^+Jf3s&#hcbR26o=Q7nAJmD0{q%yvX&Moff0@J$>l? zX|73EZ0`AO=+5^KT(({Nn@?3yzFsS9RK==Sx~n91+P2E~R(7p+InVQvz1@4$g|%M` zUFf+Uhbvc@3qX!nWOzD9TVC*7HyvMc-TJM~GaYt01IzAv*SOo&zJc0H9foICMmOD! 
zvR2EErQe?^&~92sk5G&!#!mwqsT%J^m4L?wd>Y^9D)^Ufo4BJ^-Vb)ir$^80Wv|PZ z*JxzfnQ!0c`chwr9`{et5vdhhk2mv)apbI>oF2D`3sc+Y`gYX!%RdWjyyw+9S829w z#zQaD?^|AOX13skZoFNF@5NcNeD{4@d{22e*9M4Ozh*6SUW#3!x~V@s^6?Z64yS!#SIMTjV;A*|7&j?)TxvTG+}{-C z%JbH@A@O-FgU4-c>$`3^W^^-r!*|`?*#E_+Y1gY(a&@bJ_C2Ibr90c0A2X zHL1<^z+Ex9Sya^PGCQ!kV`|O$6H-D$m*VzzI@Y}G!QuISEa(3=L-$fPrv7uZ8z_RY$M_EPu?(?bD3GX71!flBA%d>6KjZ9 z$K+N^k`5(V6B=f*q-FuM!Ar&=a-H5a76N)jCXv8!mNJ;4!pwiMt7A8TPDWTXWzLX& z$)g}Ph{s$mGM37p(%m`at%fYKH-?UUcHu#R%C`u)6rSvBvz&z6$Q_DwY!V8F&t+%8 zD3qK7y3N54iW~@5I19}-*pvTomTA~H;dUxR33D1L26k~X2Axb8bE{7fW#?gubD~7~ z1FO?KWzukA1VbEA#$cIn3;P~&9`otnKmsXY&Z}(o854j<$`AQrsS*ZQ?Kf=F*08V# zeGbk3P**0iyB~8diK~pOd zH(4$XqW;!Tx1=+P(2v+}50GPBYk>x@mNiQ^V1RO*GH^ABAV{u#eJhEDB+^;X;-Es- zq}Me(b z1Am!t0^!2njM=_8`S#|@R2*~DH5RV7-aa$_*;Mo{`0D))>k%hc;$>(Kw<5~|pbCG(cVU`by zjY%`3a9f#nQ>AtyrmNExEya={iw(Oih;%?zWkm`+{hy6#C`!onF820peyNZq*7Fr5 z*Ew2v&Zm6@Du^*4o$}amT{KBS$l&vRn|ydJL2)h2+*&{y;1>GinywP?+}?@&dedN& zB94Jm_}Bn?6b9AbN3{yV>Lc<$PJeRuYDRGxvtV-wbA)JUWcS z!4Q37C|oh#CJG8O{25Ov1xmz5*{=*PcX%6+0&^gZXC^8=GO9`Ar7z`zBag@g;%Zg6 z?oUg6AAMNikvy}Zu_?-=PsjYF%5VYKOi0sOFos0rTyedk#PLy|Hi9ra?98aZ-vvCkrcfhdj+&f4=NQ@HY6ozK6W@ zE#{8QGN*9)WXmBU6x_&{XiK$fv9+$gl6W)*8ipp}6i|*}Ba{R)NV^WDiTohAqd-qg zmL@AM6^o4wmZrMu-MoCV?G@#-O~MBG-8LoX>*rV^_lo>iQUb4p!<-#H3_wewl{E_;IZDi)U8^nH79 zm2j|}65%zi(84XYW7+;$d$VR)_+~ZbZrOOhP|!I(q?YZxUzjE;^<&$>E#>C#a=KRG z(z(9{j|*+Q;p=Vr$TIsv{JO$&+L^jxIT@B(+5G$LZMGApw|e~V>wWujqtvcz%g`+E za~^qS%MGq+-ugD$#FfyEEBawm<^Z%Z{*{2it&)^{oCy` zA6=N*bCODw=k9#~-O_6mhN`!r_I=R9w{K4IJYP@f}qO!ItMMYhrjXvs;! 
zw{!IE@!1(j-O@PEht>TaaM-|;2X3L5b@KDv&e{KCr>D;8)yL6~J;CSoHBF`p*2#A- zRnGO$|2?^q=5CXwbhCM|sAp>C(xP>~tR&ZYRsoX7cQqap%llb}X_r@jA6cripZke- zyIl|Cg!*=w_(M$bN$Uq$(%*u0wXJ>?ZyT~gpYE*(v3{SO$-@d5(e6p_x~ue>T)z<0 z8nVNh)bR~5(_^=(%*n3UyH@rb>D-HSLuxd`bNZ~{Usyk!V~Hq@U!{S*0mzL2ZrlOz zpP(Opb>(+}jqo44rU>VxFdsW0!d*lVDmWM-Y4DlqBkoq@%a8j0=X?069)77VU|{Gy zNLK+6kJ{&}%c_IySq!8+C=*3bXCN?H%~xoYlpOlgV82q$k*|WH-moCcE?xl9e7+=G z5{6dn+kH`fHBGE>zlO4zMktTN`Wp>n6|+kdT_QUCJ%bzdA=oxEIv<8fo<|~JFH*kn z&_H=?LWiodLj^I+useN#UL6JWjTbaII=O83z|$3{w5^V;Rm-~)DGI|tx-bAZ?p6Si z;x59v{9tjyoy;6P%0dWVGn__F)}$3$zhvffhfbO@to z&XIrmL}b1$*xy)Qh6#e|bnp~t9WU^gS`KmSpTs*@y~X+tAkPfyOUw?KKhA%0tw=4? zBRvx)Dp&I}QZ7{L)W8hHg&ss&tRI#AWu4~OE&<33#)YTo5a!u*Fntbe^RK$#fzT?g zCv2obbYZtBrHxa>1%uG~vkw>clnW9FO<2i$aQUi+;@dQLTY(pD`=Q!wF5Eb+UKV1h z*teq>Bgl>vXg{ITs8~nFNo-zUI2!?(#AwjOb+Ao!?8;&F?+8+ggd38Jp)$I(4IoW= z7|VeIF*LFIqh=irBZ!b?>A({$u5ERg zozshVqxlC)lA!8h)A88n*=hR(ORi9ydm`82c>4XrrO|r2vu;e0GnW9j{YE-CU0uAPj zSL*Og1d)e>qS}yLyrRT}^%J0$2=UnpMh0opWef$4wl;jgk!%RQRMpc1`nlWL79M#5E!zpV@7y*#UsT#Q3t7uxPD1icMwBVjfb3@efTkQ z2l!0Fm$51vBzTPn!Eg?Qb z4w!FWW>ShMh*bMNGHl5zh8Z(=QeC1?&&oaN3>Xc`VuW0{51J(l){k;7%NF3Cj1y3* z*`bPTDm9zEGIZlE3Y!%=DJr3$RkKA&F-pTlA`X^dFI@>A%N6yF_Y;SOk1N`URK=fqNt}A3W8+WV>5tpx6kW@%&1 z?KA%R!=^lA6mH0OG%q^FggaRFLUy7=A?PCgN8)D#W6X4L9Ax~LI~2-S223b9^c~hB ze8hwxVgk0?U$AY0F}SQ9Zs@6UOhBHZT*;j|MC|`5^{YE8fV!JvK)%w2-;SvFw%@y0 z&dcXZpI>5mNO%7JsaiQ8)Cd2IEJTj<_4Sa(+Xs;0qgd*4or)~Iv9s5nvbMsxP zJpHj%^}Z9SHI|kOV9(GryyB_#a4%fZ8SWepN>``(x9F=df~HT0N3&n=Bc5&TBR1`gnegXVms`lW}@{ ztbKI*K97}Br~6)bwYD5MsUE#-TH>14*k7Z*J;=Tf#r>V2oq%fR!KVeNs$2AIdYVPZ z;C0{r0Hk|h)?Igm=r%8q^{;1YJ=oT7$}A@Ax-WBcis`5n@i#rM8LVhO?v~Vcx;KNk znlGt*QT<%=u<^Jic&}1Mz2aYowqfit0cejBt1A2VG+!@BVF{*7g z0$u+|GnD97-}$ci_FAlXN_$?fGsLbx)LPw@UAv=F1p~obmE(GD%lW$ND2==LuDV-y zdd%9n`lfC&{YFDhavm?zGN}En?T3}BW7v9Jl8~o$EK{JTGWt+As`Bye-(vb@;%u8& zoEqJt0Ma`~!*R4;b=RAX-+I&Q-pe9aHYZ(djL_a#nt9$wA3t$v@QahDlf9-SV8 
z7NzA`u{T^AoeKuBG2I=DG)y%Tymxnj6E9jG@7kQ5kZ+1lyhg2RZhDuEcL1(!K#yYJA8c5nVae)$*6Qk^fxtP7C3slpAFhG1fhVrvR2Rkkif@hJ;NHF_0CX$6vw1;AhC0Y20?8~^M*3ieEF*Mu zL@Y(uA~Tap_C2Lh24|1!S_{Nyz=5>nkYtO_u^?NvCq}AFfrS=J z*@G^J!KD7XYzYgIU1!tuB>d}cn=1rUd~nCUYaFO5fBC_|c4aS^m2O;PuJ;0&YVlrx zxy0QiOTm&sIA+}_#Dq2y=*^d8o8M6JqqqgVXT~|2cL1e&!ji8_J~bAz-;Q{2uR_(p zjVkbF)+4$6Wh-hxmT|hYWjia36w-jEPSaKZEQ?4?!NAb)1tahZLN<(^u37LyAZ?*o z8lgNXa$c=9<_Z$jt-+rEWza>bY_3tI$Ly$zbX(_JjFZO6Oc6_I(XNe*WGe2H^lm5Y zxc8mM4=DZ9vOj-oKJMo``rSyrFva(2rtl6pL~dFp64t#i@JEZ#xA+CCkDwZy`?o@y zQ;eQL1Py6-HBhF>*lWr&4h%Vnd1+ZUP+Gl&S5 z)5hYhh2HjFuzL`N1qsQ8T?rSvf)(?yQ}vHd#ZsUucN8(U2duvkCk7V#p#pVK6QdB# zmP|rEVew_v>X8pKW4?3@XrTc^Dw7FHf{>z&35!s23{cVpIsZQaG7n@sOU&T%KV|Ct zS7=s6K`orSo366BC5p{3HbRV2tWp6X;_P}9g!VB~o`sCaef*}2$4!J#(6FpK@RX7I z2q=oQWk*P9u(ttoMhHEvcK-{^1dL$ zB)bsC0S&L(r6K`wX+b{fKL&;=*QGMva4%`2_$c}se+VRr@Dfn=wNxACHs;6;6YjZl z*TsAtI#U{QLZ2vMbdAWN09-#GQ0HENK#;wx6S}Y%4rHJ0r7HdvGfSN zC^RU@{M%g5d|6trOEthXJ=(k_=&DU;uNnEmY0f=fSKT2}o?3m&ud!G9|EFY>?E6Ki zBguKweUbeqM%iZYq8DlhSZ20PiU`pmoLKa4*$?=m+#JP#nScZE=0B zRqb@GkmV9pD#hh@`<(p%o(9gQ-M*nwd((LsnMVCG?c#NPd%@Cze)iUBt*S!_;66U&1HT4FRQ2N5p4p;FObSH71O%d1LPZEgpO;-^MY;@y^Qq zq3Geo^DBAdDW&V-tGFf0p|^fbw|Xi9^kaGq@RTj~IwZ%Swsvs{U)x5U-LkD@WqUhq zs+BV|^SV^u`^uo+eVX%;M8@;Iox#WVrp?D9<@4}_?)obCF#~E<^$yu}an0B1dk1c| zEX%&9b{F)*cbDJ+&-+-o7l01#7f|zV&)T#6cp&S_>v5aWnI`_t;eMI4|4i2Xy?oj1 zOQiF;R~VMZanhs(ILCE%i0$FjJkBhAq=M)EED{QRg$x40+x8mx+Hf+hb??J|SQf|e zcppOXK9#Jb#pgP6?yb9SpQ%mQ_FiY<^ZQ(_d>^@Sp9(t3t?lj@w@dQ{XdJ9sVXM`& zOjIrsyFlSw$eQ^!pR9}Zd~Zm#ckm|-wotdH?5i-0NgJ5?q*i}q-3vt+*tb;uW}pa#FKOy*`MF$83B6x62^rd@c&Y(1u>>9y4f}Ojf8lY2$ z?AiPB$-`*kcSE8-aj1B~3K5YAIFrmx(V2)b0tH8_ihslR-387dJZei+${!ILh=I!> zO*(4W2x6>C%_XjR8 z$zMvy?tciEWi~|Hs2LKhDO`4X0)wPd;Jt!OdThwPw~rB=119Ge6r6xBi_EhBVh1xe zaz4g>20%K5Si!H;(8Qu*9Tf34{E&|dSGRbc>$}N;ppAi(M7bA9 z%#qam&&7}a9*#<>&Bw2rkx&@Cyt4$?DofW-wX8YBhjK=k=AvMdz%Ne_gKT)z529^= zZI$n`&W3!%SDGsGnvhb|??d9DF&#jfDNpI2X>LiNgW2?7rZI7lo{qM+tV%$J(A!F~ zbT3&)u>NxM=+47b7P0Ir%%R;U#WL3}nGFtJ2xl2)%J@On0|3q2uWkU$ 
z9}$gNLP?h2>rBBTU~FQmM~AebW#X5iI!4Kaf|ksB^c=Ribp%!vBUuNUwoKE%`q`T3 z5$_$D#oK6Dml5aHdCl&!zsulIL@W&cHf3LkdX?@zq;{|}HJsxd<&i1Wq>d*4=u)G2 z`WZCOAzUQZFhuRgf;zzH)8KI+b{faIw&V_5Kh+#NXG^!Cw6Ys%rQ}h*+wE)Vo zdxvGnh!>4fr6yO8O{f18jI2-#{d^hU_p4yXTvZAT!3!e;t^7n>cxbwdx z(Y$8>;`~|2m)~UX3*e3MLju{xnwUAX0L2n`5f_Fe;NLA8f@8A+#UO4&%!%~8>fdY_ z%%mXeCl}IGEVY9n_PrJ{u)U4I6uDtf*8`4nxgJ(dpVt_Hv-&m;J2`T*sZ8=HD zvVAy)VMQV$o?jm&IC7mngm_~2A>IKqbGefCi>9##&tEn@%_ZLqjfQIsaFcPM%5o?iK}V&^AL8mt?66;Qt|_* zgyws54>N%aNolXNd4+P3@zZ&mr+LxCmS+uuYj+(Q(UqAthVPQi@;i!iK9l#_LaojI z*apL&_Iyr1I@WPQyFZAj18LE{sgi-)I_S$gf%knn`|t(S(Qa${91rNQ@zu4Cyv=g4 z?YJxq;7?!lblzusRL*b@tMhf4EDa2qVq=%%IvxhF0AR8NZn^pR#(nAWdXL1x zxtlFpj4sTqZ%FsK)%rZTnb3&)?%XX^F8%0r+YCw(+w73AKcC*K-rtvModKTn zlSc{dQXYJ)`ZAhd6<2<~WiMG)C@1r%Eq)y(y0>Y=*(pE~_AJf^#yl$`9o*0x@*d}h9CyPKz!?m*-0UiRbgPvA3q4)3FI+m=nU3g0yy zKWhEfCdr^0;q?I1L%i64-h+3$(Z%n)8_J$ofIFVrYs0?qju8N{>fJpNQq)@+&@|Q)O^F4{&;RBURh%1Fvg$HTMBwzv))y4LSb6Sb=td2nv zQi>yGi;n1STnrPE{Yvs=)kqO!5i|3W$5Sq=AUqS6y1Z3L!D`(m@sma{;r2VOrlohrXQE{PEt0j-q6#?DEl@-!=nfJtouvTLj#O zlg@yps~982Q@66fvNpzLE4qfwN|jYC?OakztlXNbdes|w-%CdaY~Fo<+!a#GG_1wS zic>|IqABRjD2C<%Zc;6~L`ZE*u)rV&(PEKUAg`D-4Hlg6H`}4%uPrIq-oF6O~#b^G;N@#IPe@k4-6-VGAdWBIj4o+QRCE2JdYTykekGG2t*3;v`jV@dFUTc;;hxr8Q96IC!g zxDU&V-)2r#Smy#)Ufe73#b&rya8UOuCsc)Pw~cPT2~3hcso8L{qBytW}sEGg^= z!irG*Y9}^#zSp)+##oT98M>p?Ma1poH$;sLa7QG2$4x0Cb*#Il_mrR?mlYJg_2k&X zN6P^M&o{C4e?W*zJR+PjLn#M-I`7sV9A=muy37U%1==WEW{Tz~##4?QHiWm4Dy(6zix${ENWh@NXd_iQs-Y7w2u?Gih$@Iu`3Znrr{1#r z=2pMoKEM`-JAIlsVxV6B&tmG6DY-DCvd=F z#WYQzC&|h}@BgXZ&uNhk%cpf2@z&BO!Qb5=Dve&T0z!0>=Ru~tLSwdOGZ#UCQP8KU zTtsZronRI%(waa|vFtpDol{1&6BZ9G^!{bgiOP+m$*^_yYRvrj4$Dhok{r!}c{Adp z7f#=kdzoP<62{(%e@{}#g5d^*F(R{FdH~E3&rsjO`&^E2^6wFY`bVrF{;=jKEftK% zV~Gq)mO6e+sX-S@*8ICtp7;W}*b^7Zs~ClVk@dtL6#5YibA({ty;AFUd4N#t1Ox{^ zi>kd$nG#8c!B|PKA+&RWCR&Z6W~t_Q#S+8r&~SuffJGY&BT7Uje9YEwCJ(+hO3|NF zv6E+gDq%|vh&Meon$jP3SX9aXE#G-D>PREKY2QpsfDf&Rp9eUg#X0D9!>5iDN7JPp z|I=^rKR-_SB3=()mCApjaZ775bKEAj?)9EO7RGuzPRg`$H?2A`KLhyIczRBX2SeAU 
zHeNZsjNGV6Ya88+wpNqcm;Bhg#@24|AE4jPmEgBU{M5TlJ~~fkKJ6QYu%&t!PT%oq z@6O5W@O`R&-PrR_QB$0hoYZ>AU8fk;&%^RrRP_#tQb=xm7Pz!l;Hhoxhnl!*9lw&< zaoy_nduYV(^a9*b`aP!VI8K3H`mOs7 z9w#k6IO(p6z}0yBM71*9x4E&cv+kAAQQ_CE@XV&X7|s*!;KGPWq0fHKI5j2l#3{9%{dx$51D< zbzj$*rl4(k3`V5**1x~SKN($Y4t%|v9c@4He&79%9O{XqXtUh1M2M#Z4IIbHq z_%F^X6{V`3r(}C?bnS1Tb@xl-CY#fEO(Udyy_UB!U^iRQ_`2R#bS~UB?OzIevtMqf zPq;h#mrMKLbNxonPWZaEK_9a_37&G1Rim$aZ-%LS7fv!p@_H?{HQ8#P#%0-p=ix?3 z^~V9PL02=`-DZ?ZZ?3yEP)A^ zwQ^zLWke6U$)O+rS@Xs7sN~mGM z5|LoFl)^d;4TkYMB(9&DQdJAwt@GPKYg?KVYp2eX%>FG45c;jSVXqq|HiU$GjHv`& zS2fE|U2!dd$(Hh~Op!4Gjl(NFQCX)EQb3}?dZaHadiIiZk#%oTOOUrlA!%R$8g7%? zbd!OQSY^I>x2YcpHCW0Om}b_7^&nysV}`9#r!7Zq3wWXqFEN&aL&#~!wQYt?uQTkLP0|KUgT{^9*hypCwrv}YZQHiFV>GsH8$0&SK6##Ve(!s}%zgg{>zY|> zX5Q(-MiVcZ&xhym(7yZo+4tG4fXNq6P+X>=daV-%gpzL7LdrZVmR<3~i6qwa9f`%b{#SW_ zzp(d(u;fm$)}P2x<93X(+lo;lhKU4YrG|COI8x6WBF3omEN*xYZN9m@`=9jvx?fiV zh}UW|u4vzpKMYwmqp2`vSi=-MzkLI%(yIpAo;CF5MzzwtHkL`L^}R=9lTo0 zG|N$(=_gIwyk>xNTv_Tt!5Zo$1hGGfX@Go1#GB8ub+bNHRVwO3!M)59N^h_yFU$oW zVm)!WHpFM^yw?%mEb?a!vqk%h9hj0v5= z(9IPdJ`^Shx*08+ob9x&K-mwn4gpwlNUB^rCQWLfUP?hj zjtH$GJ?wVldl1%f?EF6A-vZzV5ZQDAfF(cxy=?ZOfquKQC3sn(A zhI$u!uNz?^V%5v{Sizf$59G6i&O{1pO~p#Gs$I^zu2)l~IYEMLS?DpoEu+!Uzc!c&T0 z{%Q+A`exq2UBD$c7fkil-{RL+r1s{%@Hd7r$AIYQmpK2ogem`;tSPk-hIzmB@Pe3( zRe>rEEGw@PQL*$qZT|vRJ3xO!t{YsW5fp^P(pr?(l?T2?=$MQ4Or1Zc-_WG+NT7lL z=pkZoR4juaK0~6_{DL?sA)8YO0ue{R{M^3-rl*h5GkQ^@=$Gc!<62#Wf^h03!K|=E`tJSb0{S22Pl0Q7sFzQ@ z`6{Z~>C~zA;}oZ-XRkf|Gktm{w-XwR7i(IF-RZQYp%iCAiyVBl4Eyn_`_iQ|?P;HU z-+9nPthbWX_E_B2Sl75*+`~grKY%^`zL#{koaM8Q*66x zgXsNwp|;_@V_hdJCr{r*WZk~yD9o(xCt}?lzjEB? 
zj9+oxVbNFpVo_^7KiTGX-E}Zni^50ub-;eir{(Luk~bN(q1X08JeXUZ8LIAZ?b*2` zpXwrhIWQD6i&=Yg?e(Gpjl>^=_HL7btv59mV)T4g52WDExq0e?ZO*k^p36&}hSaJU z>xU^68}n1|Y0caC3+%;6yRH2#l_TG}L%a25J^RkCUe>`kg1<|vOPogu`@A(^!(x@3 zu1Q``a_6pn(B4V1+wlRt#`Vfc7U0Tui*0|TA9Ep>^ZH=U)Xrz7)%~<*(_?vm7{Arg zA^84x;kzr(@O{e4J939@Ltl4gCtyk!$lZM(g|Fv{(6#qIpZob#vRQsv9V_)|o!+g~ zUSYpn7?y1}9*%rF*J+$J%#8+bcf8vD`I&{G_H$ajxz^$2f$P zsVE0#I|bVk>73%?lsAf2n|`WDYsdf;C+CO*Cm(3h{*?KUlYe7SfhFom3v#67nOHr{x9OdH z(ik5kuG_xZ+u$d3$dibauPnQ%%~fE)7q59&hmD=Q*Tc4C^p zGH@fAu9X@ZxL!Nf8p8mqd)4k z3QZ|op%W=40aU*p>DJKC*jhIV3+c)j?SKfw!gjRG*ebrWyNYD$(Dhod`TKX(4ZlGA-tm5zoWp3JgL(>oh0pwqQYl;eZYmSVr|QNXAYEd zMsK3O!nw%by!aPwPkBEY`?#MeL(Zlf0PmX3GIkFxeQC<{>YLT1EvHSz$ht`Ln&Cc( ziDS6#1|+qrz^KW#g&J(}3dr zobvd=03@=LwqAa!w@XOK;0*N!u-&q6q}e}HjdV@DcgX)|D#{f(1@|NABS9NbrCWZ% z(VcMq-AWxP!XDSB*<;-@N1;)g319Zzh@$oyQ38h?#gUycQ}RnkxL6k|m}8Xy#!4u=4Sfu_Y)YoIyoj z!{wP1=j1tNB`gF)8sh$Qw^O;S=JU0J4$s5dMn z1yT#~L0#fFfFJbwuq|5EHshNI27KWDZZ1RG#%DCAm2$ShRBDXVB>Z9@QHRn=@}x6% zXNm8YCtiiMT>0RP__U$$n`i{3>nNeRdv`7U3GsX&}@QGVTuHq2F&evYJgL$E}9Jj)t;DAw;&0Dm89s1bXh zxs!-$zy-e1sR>+}YPt8HH)|2kHNX z!JbI#!NE#$QB9_Qc3Ju{ypKCOMZ&8VCg4lu`y)*%{6PQWgD z!2ZwAz1np9HD~Va=$YOHA2`uBjvanKcRyES`*l|?hA4#}?PvRHk4jD>?>AYkvpgrY zZpup=P$(@ImJa8}MIMta?+(mfGe#*rct$R|5Qzhna2%t)+qUK-1x)R>IPSR8^6KHr z<*jZRW_9y%UYtbEM#N7%tJTv5eY60CbP2URkC=M4L0w9wgax#uG*Y}yH|1E{?&A;X z=d8T?<=D8P3%#^74-mg6dO0)6d|Y24W3>ysXqueskuK=8I|1cy|GARd7j;mnTT6Ezl^<466c#f zjkN4;I+(k5ISSi$=|-tOK6m)h#394p&MB|Y)mGgt14bL9T&u{J4x{_yID^Sn}lsSHa$W8 zuo1Z~x8>I3Yancm*9N@j`-so}Z0_N)UFyeOJeO|gS`+Offt?BdM+@xJ`#LJ{(#K%0 z=0*Y5HeLO-kX&x#Tg8Rj*LDSu<5M@<#E!wVUbGsBX82R#FqxAKyo>brSJ>1(T-JYpMKfnYDLcqY?92_t4RB%MlJ5I*bh_Q)GIvYU0gl!NG9AkeLUL)TWXw04g z-?~wh0qURxA##l?@vyl>tUWR4Ijv{ycf#qzzELM)rNDmcq$ytyWfjuPBy_*j7lkXO zABJJhsbwksSArVlZL*Q6=?Zk9C*Z8`+O8Fa-5A_AIRc>saV)IvA8`_%UYJ8!FvTw( zgUpd86MK=@VW1>Cb|PvimWUwmN5NoJL2|JAri*?d`-^~xAmmm8*{U7RJ}na+g(>q3 zT;FK^&s>84v~lz1X_wXn-w26Q1n>(2S(1bg%EwVz8c0_gRA{79Xq|qG(SLv(| 
z!ss}bbex+#?j}tUzcY$JoaJX&MqQ5tmwe^;jgx0tx>qM+rpzFBG{SDQuSzYwTl{Li za2#pKLj^Dtec%*GEE9s}k2ICb7%O_avF1OOzTsmd1UK&;&T;nBZDf7&!EovO+&8qw zZ7V2r71_!{hvq^|rUH(RrHn&I8ctqneGWdd2mxNMWJZkcp^RU4s$tU91!X>{t%sr) z64{jeP5|BDi;)G2dyLuv1AU`^M^r@uNaGkBs3=$k;Rb>~O-F=jrju1>0#Uk=9U_$d z>|u6b(kzM%gdY`UR!lZGR`8KQ#_}0S7C*)it=yZkuGHlN4)-^j)Fs6cr;81J;;xJ( z`|Bb6+VEDeV4@9{cU69$07AV8(8b3QJr7&89Z`BS9Lq=JoN-G^O(5A`^Op>sV^um9Ath}!y zYWjgvwrUK(Z^|IE{fo3R_CVZt&oSkLhPCuDu(VygymGp>OJ1}LcEOGL7U*37s?!@q z92Uv8eMF7D06CxRQ>`W zL*umVu_L3L{84Q^dg5$l^MevVisH9WvqP?-chDv&E_+>fi4;kp*g_?l54$Yde?#LC z)6}djjSSnYB0|nP%amoHERA7^P5_bo$UiZpP>fo%QN_?vKeC`%LXAL%q!Uo4F!-B4 zBf+pIabLtVYcE(ihp^?=T8;LHNCM1{xoNogc|=C>{F#9V6h$|3?B?u{J0dwQ>6zYM zkHR$xH{57#h*Yk02)yzyZIyHQk%RibLRs zX$93O&?iORf=pD}cQD6HW1?}TeKznQTx?zC6hod{EIbS{2Gd4teFZZP!H-LkqEnQ~ zq}@Akobyn4Sm|jP18fQ&io=phjf|P9PICiUh$X@ER>ZjEhH6MQk+@P545{&q-XR9R zDGYy7BAWVX2iu!D*}nnlQTr-Yr0lCRLN9~aLgx16Byay&J4bF-DPI_)eY0C!133`N zy}_r8l!jfFzSU^PQfVZa!vS2=&!f^iRq+P;5hg?pyI~CYHDoHed1W;wmAk_oc{AvZ z8Y>%#osDSNivFyeh0Oj$3$Aj&X}vLEDd^E`RBV zRQ}cZel^mwNoDk~FJAZj7v7;^KMAB22ZNs+16b#laGP zIJ2gB4MWvKyhkHB`fv0kj>Ozap?qH3yH@$3bw(kkxI9-0dnmZ#@D1{02&2F8B{QdC z)-ER9jMX8@ooGpC`n0BFg#}!h*XZsGC?0>5L#t6X&36a2L;d`J*xi@F@La^)?hMG< zS0ho{)DBIQ&t*|f{ttkVBZ51Q^?F|k4X@sF>B&CIKg9GN*^t}xd_c(I{Xa$NxnZxt zJs+VVJrNIlU;T}kdETBc9{57nCozl792(Fy(*)V(QXyJ0|m0NzJZCZ4B%D%7ad2(CN{K&%( zMgF*d3(daYPyKN0-{0m8WZ%80%<+C3l>(D&c9?#wuhc)$cl7HnPl1n^#)l3hr+U2_ z`fVaFnasQ2K~lb`-pAx>JwD?p%gS5aau%ppl0%6WA zyVogWb*u;Z3)>4J!NUTuhC7}IRD=jJe_Fp1ZuxuAu(;%9*i(pw=P~WSL3y0@zTi@d#V@~1vdO+(IkL&7%v|xR>+OG_A$6GD zq#oGV>K@t~aF~4PyX;pp<*Yg^lVat%fy$-8*TX6YZPckbL+dH@HF)&ZfHhvbYWkiw z{otPW6Si2XbL0(|IklQcq~|V~DR1ZEql8jE24Gf~Z>ON!rWG=uR|}i2_8Dk0f6~`& zUdrWK<8Eac$>$~6bD47w>;6zJhLG$1FXE+*{h(9y;!~Ec`xtR-jq_;wu-7>NP3}#? 
z8EAR8GzjcrT5)39?zvt#xOIzJLrdT80&1kZ?#n*uIgWCys*Usg1-h6k{XM*2f6%FV zt%j|6*u@tEzPzTS)|l{Qz(!pjZT=mF+Ks|`jI`sp+sr1=y4ZgQFP?*i_MBe8kzv#F zU?tNK^V%msC0L-iIbw=;|GSkwuL%elQXG8y-ZHmb`!O6usw#=D!*8ZXZwQK=qLBp2 zwXB!B?oa8bHH0hH*1q!l8{8W9EB^RK-~D5+C(KOY?)7eM%kD85G+0_DZNL|n%jA}Z7#v>+6_ zR{=NoKWQpP4w4V#K}#aYkkBH>t`IuDTcW z&(3A;_waYy<%I@->Lhei7JN!Y{#?>!hM=TIRxm@!gkpQ)kUehnWpf|fVb+xWpy}xG zd@^eq{v$MuHG_c4qzc5>oc7$>4|1(3p+FRMI%*}Pk^)hb2qG-J)+`;jN!K1K2lZ)1 zuaLzOQ!Y7w3EpAluNddV3h{TQY%_3--edu<0ZKud+;*i*eXVMe^=-SPFMbIGuJi7-OG$$!tPW$}D&*epdakC1=Bxl10C4Q9_6ofUL zTF>se>$BOW7%5N{hJ01_SrJn@ACTfekF#tSx}yY0TNfT?CR~zV2b2(cN|N87@V#gt?vf4q$IOF}ymQ#H!Q&r%c?N26 zZFk$Bs-Az3&%=KW+o_PWV=s2@4bZL)4p>$xenr(!)X`bS=@lAM5AZ>ZW6M=b)>jrs z+!Y!k>x~2Y6EDQ%cM(C zTdKqb#)Dx-jo*?>)Xo}H5*)uIMno`kU?XIPXnyJZOYv+}zYr&-pmxe4RVQ==|7Et4 zXj4N~;HN$J6|oEZWS3B4x)p*hj_dmCFH40}M}{z=pEwfyEeil{Qmbp}MkG^rBdVo2Kyy;> zL*0CBl!S`)w=TvUz!;3kx_j#HP8_&InR-rPX5DZ8Fd7vt)TB@^p`9VeN~ppupWwi_8Fh{B%Os6=fL_*=dr-yNVZ#KvadNK zPs|$UqSLX*J*>i_LYp3Q!QT*iFm%xb{#22(?8mc6D0YRtE}p?Pi&LgkbA>hV>-d5; zzD|Pu@Eu##zP@~T^dW>-#Zsm%&t+__P6^xIWEsaf8gJna;y0G8C2unEOkG?~7!MuV z+Gdk*d_PJKG)CK0SHlR8l{zKZAXgVYm+1Q|rpKwg`$Z!=Rd-)2pRv(TJ}w=O&j zS@%7}70MSXL6S13bs9BO6vX1k^Ke3>X~B;eJ^uoD1bJ>%W>uEd-CrozhWVrKdYJEeM^JW0&nB;&? zMa|I8a8fs*fR1;rR#~3?5gnIz%nk=a$X>_mW;|XIO{@JgN||_d-#q#Veu*%!8u^yP%IHlqgI$zAb1l6dcq0c&2C zcYS)a4p#=*UIDKc?QT1`)sK^6zFidJ-7lQQV+ufrARy3Y>uC@-~TNw~| zML$#Tz8ka^Xa|102z<__L+XCoJ(&b*d(34X)R5C#&?$WM*V1!c1CWEPt#s}_l)mYI zRO5E%a{q&f&AAS>({q^}|GtOz`}#9p9P~Gv)RoIOSPH8X^lvr&Rd1U2IYh^n%Wx1Y z)n4d<(bl(tUy*&9?g?vFCB(**drR zW_K@R`a|v;qUW?IY;E)U8o8bQ4lp}A=Vpuhpf9z#$JFl5^CWcH&SU3ho#$@I!xJJF z;@27P-##b^lmjp7q6C`Vel= z{k+>ycmtp0`Ur4oO{XM#^j`W^Xc*2H+e#+*8%ialYtxZpkay>v{wfaXKSLwtA+;p? 
zqDsBcnqEnYID@Ka3kZ3mb!PAIMjm7Pt$RN14MB)r-&?o2C~7>n#MpGY_`Pv4YP}go zi06V7daI=hf)$o>YpiZ(;A@BfMCfKn?SW`nCiJz>v}k1-Th~?vH91P3%#s z4T+%6WZ=JGWh&yeI*x$`%GK!XDH5fo1FB6xADKKVWzAf`_#8#eC^jEiSGgb+Xo-2D z69ri%$T_CZ^Y;q8HXZqMfNacz>A_KZOv*IH(bu|$%lKs))p;`1(8UDx^28wJPw`UY z`*;FUvI|Ki25LK#ur%)&W?aD>4ItTqavh3TLfEh37fJ54ucHyCUTE|HePq`~8lHZ# zMM?#;vhLNq1%~oJn&qg3IerV|#`Ywr^I%Ax1;vMkZRp}(h|bnX#2wNLI9$TDVFSVn zDT|hqG>1@e_nZ@T-wa)~$;(NUEJ;LVB%~5K`D7n#CLNj05sD_+8ObDCVxHy};3iWz zA_MPO3cj;(wQ~)n(=F4~vnxpLzmPE9XbGl}R66rss-*|)xcF(N5G!;T)wh+17N~Fc z&NoMWBc8Q9dug%`Et5PQEINsXIXs&AsRnOk3I&6W>W~})eDwnsTgLGHvdS?+Q)R}3 zec?ZE`bz6888=DtBC$1k_h5mi#*H=wNHkP+o%6!YkGtBp8x*!WoMzyaQ7hAC@>dQL0;67h=)BaDovQwm# zIlh)|L(%LxV}c*C3CT>OYz&i0B3)X`MR0khDkIm_9sA5b3??mb&M#z>KpPwRYdb-7 zRmrx1#qgsNM_GBAK(X1{Jp^v3>e>|7NuJ!akLTK{SwCYX)sGoiEz@chYBAkSTi4&z zcA|&v>Ae!zvpn=nDkOzeuJ6twjoIRpZ2dI?su`$8NuTMWN5uL8Sa)5WKUq=YT3oah z8nA=HG`o1yYf?g=S3>nU(O$m@D-`^ai7l=9ZngmV2S+U0A+--8g9_n$c7p2f2fr4t zCj7OoZuY6v=&#bKRLGcQn+e%U#@luS`6RM)@KhA8Wa1cS!BLrzNeD@k0H*nNFvlzS zee=cc)5ku1>ldF@Yqk0MYpxzaED1WIY`6&m(2x@2ilZ`4cbZnNqJu}GT)NRx<>B`t zBN>K0T$~XPz2MM>?1>KKw;`dK%iqdBRK%758a_dGo43HDF$aJ+N*8j-h0f3NTwsT%)Vp8eh5j1 zt=vE#M;^dY?3Xdzk{&WaL6gta=x&`C)0Tq-O~eczNQ6q+MC(ydP}wF(xFFqqp3+ni zO!ZUQmX+)a*3bLv)~vp3&h2t6v8^9V4TpHTF8!Li#=Avw>ws=ud}7!|Ti6o>7-6A|f>j0O(KMOfs9=ucbf=vEg|=rq|045y>Qg?aH(x#R_eQWW zz0dn3{kE?nd&EAwV8TG@HQ{~b3E$W7IAtmk@0bt19`2iiL%Pi)*{cVZ>bs>%y=>5C zaSNR1X4ey0;C60%kmusA8uz=Td!Y$k=SAI1;na&8(DMdncsI7%abA?VR(IPw_Iv8q z&cGs`OTUa9A?=6S`@LEK&v@v}1J9PG<9SQhIB>%y`hXOqte`Eq&f*K>fbhPem)o-! 
z9f{52`Mc$zL5>?RnbV_vyOtQh)0?PDZTpDj^3Z{)jwQSOSB+PE4Yd38WNznqNZP|g zTTJM?24Bhh{;KdcX7+wj;-uGZzL^_woP!B&NaY;=drfH)3CRDhr+c_|OyBnA2om%@ z)~o4$DmMlga$h5BKy#=6xM(zmmL* zWn-O1)^SSOPzJlbO|$LrOuap<_R#Fxc^lc3wJj-fabHFwiH3zMy!RebZ+pF_-23q9 z)lH?3M-RRst9wKzr*>HNNaeERN&#;bPg{ZMcg@c>oeOJLQymr{AR6DQPd^i(*3-lM z+H3U_FwAFVv*(^1%Kf2YThG}IDDga(>fg_+U5w%5yvM{=^>^-Rde!Ug$)}=a#{}4} zx^mW)*tq?dvx|PU>nwi)voz=L3R`Uc6rV+{P%gWE^>gO7hx=B^G2KVwc`S;Wx4Ex# zF`F&->6;e!;_7ocFw?`WU&XE+04T2eh$Y-Q>WgOG(bIL$LT2mntu784CU`mL$R2M| z2OZA4uDsMF=IYtsIGS;;g${RjJ}CHlh!5C#o{u;_e~`*vN4l|oznN5w^v(kJ9J~_# zt@$_}kC@)$6X`t1&UOA+S6lLBDBtYG=pq=EfCb-w%zvnT7Ji!L~7l?|12v9L`36U=x@I<>GKjkbeIX27s4D|2;L7u!4+&IR{CQm$>`fKmP)jC!xVI5P;iWBxqa{vI5J$K+PNh1zxN%=y(F)S zSSo;mgJW?~9tp>dKaWZ>sy`sU@`soHYu-FClEg;NKuG#2C{&OSgYoEj>M>z#%;qp^ zI_VT_0D0>F6&{%p#*&ycO_ZGE-w$GZtC{$~%nWfRL32;tuS<+;%+h4=m3bBm(rUz= zTi7WUWm+(mH9QJu3OO=Xn{~?&&TQA3iu10K;qfxZr67d?%Ie2FcGC2OC2V$_t^SwR z(}!ObvHuc(&PosVVJP-TBP3z^M`RrHnSpaL*Q_zFU8&NGq>QQZh+;DkP@QJ*$|+?l z0UI@$XJ_SxNj7Kx>nU&LVdiq8#<8+yzcA&g0B{+!8tCR|7Rux|=69sf(asb#7FQxy|&@n<; z6^%_omXPnC)p20U|IHte7Hc2A{TPYEQz(U8)ZbSu%?%XptZ6z35g%={mj@EViO1!P z7jUauB6{kyVK&sPJ}_}_-%c7>(yUf3VbcCv{3}4BQDWs%Ec#_QKPLtEo;Mb3@4G&q z``0(s5F>=~Gx;tz76kk9`Z7%R1sVO$K0k*1DW9>qZ$ zGDTyc!k9>5yd!&Y&rI>nQmOe%d32Q81k$3SLWP^N02SQdDon_H+7{Rd0SS>lTSJ58 z^S=TGrlyrYSvINELN*6RTXeXO`9}t)GFas({D+E_P z5>&-frd@fMmK^O_n@S!`@zkJc%c;v1(H4g!{bHfNU~>h2z(xP!e}qr;A&uE6&?`IQ zI_1BaGb&(4U@A65kG@s;Zg-%`;{h1hfuAMFAq_BZFcbNe(l&xV3lcApDl3j)~q^=(T?JA5(eqEMrBlh?EZ>Ki8 z&A#eiO3w1LH<4K?F=sU^e>MzF=2C||zVa(;4LVmQpBgfxUg|5hQ0|V#4MzVA`Z?>Z*l6PZbMumiCerVY7#7?uDx5VR_hQhJHpGSpC(1#4;<1=Z(i6oaGifNq8QU(uDz)Axze2 z<^bzh$H_l)6BS?90|QA?#^Ed1Gw_%VFi)h)eo7ATTYW`=jMY&lD@Ii#P-SvLVm{{o z|Dc}Xlg4_Jg3M~b{aC2r3%)6-b^M$Eu-G9K^xhLWrw`mm;`&dXC>!GqZJy!Np-u$w1&i6W-SlGKiU7S)9 zUJ6ta zY`Js9BCP*%ir2PPf0A&g*ZsGj#iuK;^CkKiEa|&fBIQ;=|K*3&fam4QR6V`T?TG|( z7yPg%{avIT;rqJ#FoCbj`&P}<6&?Pl?W5u2#7)8*Uj3-9-TQN%ZwuJ#oJv2kcXbzk zdh5v=94p1^*q`gRX%A|N35?cxq}poVVjZ5;11(y?j&a`Uf;V@e?l%TAdEK|}6Rr>| 
zvz+f^_bR@nvCmjDuFa(s z%f0DCC8u{^gn85J`O>Yvzwl7YeGtrM+xc`fUu43{alL33VP(6`K=&?m7>IT{ZI}$yT&YnN`-DlEz|YL~bLrOy=az$&&iUW}YefEZLh zq5dM5qEyFBgfN8w^;__krH<$A^rs}`}jH*=F3))$OgjDGeBuzoUNsuE(HyonqmyoyjjDsNJa-8KPxKL z$WCC&i$>;`P?yIK&e7?PG$8FZr=8qA$JW&iYBIlcpj%z12%kH>Md%rQy1Y)0dfv%3 zzJgK6yt`-$F;5dAn5CA>u#t&)Li)V^7@YEwAK+>t1Afs61DZI0Z20)Ya6RXlEeQH5 zOPH0w>q%-78C7Ebo4xd3ZbHqvo3mJv*QZA9gh?a_-b^~Qw5T)5H_#0?FGjkH&Pfy- z{gZYQY^f=wS;qtuPzPkgNgIo0Y-O?N7m1>F;QV6cjY*%@wQ<49!Bgr=COAKh8Cq{W z=psIbMX@P?nEegr2gs|9Kso7x`I}d%4(hw;#X&;OB0)PH_T%?ol`bJ&DPf09LrtWt zo`R!d@Ixe|(Aco7kffGsB5@-FF6=DQMnM`GvgF?F(tW*f7jjL~S}L@#RYi@-nnem^ zf8rlp8AsI&ilGhN;dam|xw4k<#9n%idt8dDuD^XG()nEQ;bczH6@c@u`bq@AD@<_D z1D{_itoLeq^kL@PEQY8D(SNZn`Upxqo4Cfqq_g3FcX) zOxzhMV~uiUe^LI@pvV?~5olXAgV4U8@7$!%b6lGH(Zdido@0p~u8b2>oFTXv7rq`q zTL5u9@7?lmG*Pj5Cg)5Sk4o9H;EQsSRZG;LAttS9|5?1Blm7!CIRp}seLV?q@6jW; zJM7sEyb4U{sd_$qLk>nm7c7>?1EGHe`eJ}WNi5QSiDx`td^o+%)_&Z}NeQ-1Vk-Lz zWw*a&sCB=*0=wo9&r^T$Ij92UbAR;oL;_U?AKY^T;gkUV9U+3&ilM-b(>z0B@L&#Mn{TX2W7*=E}(vs0Y5 z-g)Y~YSw&3Y@sS=V5o=AZe3)vYn%?%LyFKVG zrt9tHoPT~U8CQqwy#r)+s1?Jzy8;B}Pjl6~&11Ik++UQdZ92VIS_R(O&h$9+H}Y+| zB@fcIyL=00B2vjIHWjc@U+?r*JJVq6u4(yd;>*ldKKSS3{tpxcxfe;#7movHBui0#zZj*$wKyJ@nty+**M|E@8)g`SiyW1pUPGkTO z&;9PQ!^UYVez=xmLMzKzt^J?~cB$0`T!^$`dkXDluz>7pJ0fOVzv^V>a^-m*hWNz! 
z{Lr<;jXbW`x^n`(t^Ibr-@?0Bzwg^HZO5kT)JVAbJlxVubi>282I3odKpx$+-wfE( zfBCO=+yK^hI_~k-xY2koEoQNNT%PhZJ!dg^&GqX49Jldc6L9X@^0Y6WdJb)4at{jy z7UrVw!Y41mY%b@HC+tVhH5-|Oz=14C#N|kDJ}nxmA3719b+m3e@9m}sycKEEjN6t( zq={?fp+W(d#CWn;alNKT7PBSi6a6Y;cVrf;S)3^-`jtg!9OB6jiX3fc_zxWcYo}+V6)SjTCO^zr=9W7Q~p3fnQbiZV4m0sE|>@cz^IrnlA_|>F6l=+ z6)0{zv1?5~M?If!XyRF(n$6=4SEX$b!=mP_^5+@j<-h{GQW;E(sR_`0Z}`l0>N zPb*z-@B~z}78-nA*kIiq{s{B|{WskNe9m`E^Z?F>Rwm11A9jPBJE1Bk(#Rzkt`N&S=}Mt*yErb01nXp|#cIRrrz|RmF+uesX;{+-?^jTa@_SV3 zo9vLcYUA!UIf}uI!HyI3`2izEk;x`<~blFlV zaeBRihSpO=C84g=$o-Uclb48T$?OeuIwzKTKjx94)_;|vdeh5(aafeC0#mmEz2rWu z{mb$tn)J$r-J8luWEoS``+Gq}bKPoT{H=S?O(!Pg2x+s_3C89SBLzA?D&<Chma7jTGD?J%$q4B$(b9R>bXPFIiF-k|`%i~CpgOJ`TajuXDc zlHE*@FM?-2|29l_L>>uUAK}LwhJ2XDW6xJtusVW}nLid;z+eu!TB3Ou)?8a^kLpDx zm6heQzZ~<`8i(QMd1Zu%4g8)zSu8|O6ARLm{sbPBvi`maSTYI!M*(AuZ}=yI?Jn7} z<+mmaKqRg2;X8gJC0t$v2Y@L6CkRrML%Lb(MVxSO-k^Vxrge8w<Y# z*EHapcua>tmSu(L!I(E!gMX1MmUnaiZiv8=MhP6sJh$qO*4Ya5Yz;+B`=jtgihl8M zS~pDzP5F$l(~Z6O9zkEkSB3?c)?e+E-vo9g6$L3H^&`FQ)<*QdP*ayVFX5?_{)Udx z`ZP5%L2FNBCdR8Pt<&kaK>ZW!uyN-8GedHqUoBJ`B#W^q`E!|V#b5w7f5P*l=!`#2 z!EwDB5`Xf~G~V6B|G+yCosZm#Ob3m!Kef<{8 zSbj!%*mbpaUH&ERK@ZvOO1Eip%hRsyeH}<2lI1i~>@{o>^}veikDa7bwHNnOxlf<@XNG|L+QyzulgQbJ`A{}r)Bft|)zj@u zzGqdrX+6vHmsO+Ot%vBsCs?}fRnAZEc7LB1Jwa)UE&I+a0go@p1@)?&mQ8*4);p*D zZiP0bE4Qi>G{6PtSowCFL4OI}KjnQAthEIvw4QTlWi?G#JkfLUnzsXyd)#k7mTjIZ z*X`h}=&d8V9Miq78$#*aCm3T#)2#?RJ05yv<*FXHo|-kS*U5V$x4dryr;>X(_Jg00 zH%s8?T^2bO{-jQE70rKuRNiX3Rz-$$UaxdBX&r7wKRe(`gj78)qI3w=s|xYPc^)bk zTUcFNw%jh4pFYZcCx1s~cIetKc`t8ty}fzgoQ&lz2VY?!a~uxry^7&`UfIMx zEVu1-70PwKuP(L2Zr*?3+@-d@Q#ve8HKcCoKHHj$ zM7)t;ghUzwpUWv@ci@Zi=5f6DG3!IU3>{^)psmX5j-zx z(kmPDLk1TMp_IwrPhDzFbhBbW{7-Uv)Uawx1mLp53gcW@kJeayJ8C4L1oIm_6`;=| z&w|G!3%vkcf)SC@CK`61*>DV>fjoq^Oz$c*oYr*=ZP+i` zK*@$E&{Ewlk7CH2GB4(tKncMULF3Z&wr(BR?mB#y4$4x9C`ryJktKD3$LR`&9Wh}U ztQM&`wP4m%RfsT`;&0~LmHt{BVZ%Hh^^M4~#KAyuKPW`L7{{{ya+F=|+knrws^*`< z#d8tZUF^6*Ne%nYmavS1XVbQIkzp@o9FEQRi(wV&2&QNQ)H!0kf{M)xd-<7XY3k@V 
z;q@xFNNs_5gU)zWaw>+a_TuSdKIxfMp>NSvg}S&%nvfKCmW2zh%p?9Z&5X)qpw<22 z*oSb2kYAZLY901ud$`KJWr3C`_C(6nA;k-=3eLB-CXCp3UODBKfuH)N#~h6>1*))y zWe?8;QgO^#N8!ZROr7!ue;L#&NO=Rir^Aql`?=QW9S3#ugPHDyf4h>{1c!HxSh6M& zyLELOqvUv#%7u0CqEdIXRL_xW*46GS245- zVypgbv3P_L7#mE+3H8O_RXoi>$m!QNKtb{!8o-yPHS7)j8&}b==z1E-FX#vD`#AGy z`d#g4Q4LvArn{Q!)S0&fwox6Y<;iD=(za_>1MS67-ACz$W8_u^Ik}ihkdd*L%I@kT zl&-yVk>5`DDk|>=e#Iv<;2vqtTh#PpSWo#uLpfpdPpYEDIM(B-F*_NvhmGrE4xvJS zpR^8^C{b!yo0!KJCc?2WV>g(&x!{7UM$&2HQEBkjXXa0<8VS!?=yNfQC~GJ)q7=)X zY#0@HL#%**VdN6Pj={3%k9iO+N;>-{iB>bDzw(2>Bly-{Jr8F;_6N^q( zGGlEVioD{ZQL-n7H8q9wZ}e3ch2b6bS)tmbOC|2XLK>`Fy&*1TTYA^HN>eT@OSno? z3OsjMMB+~XrI1y|A(*^vpzn5Rx6M*EF*nBf3uns&lP%CaA@bN_q;by@|L&m(`Y1Yo zlh+Y)ys^$1D^*aXa)>dkU`c0eV`wUmI*F5ICO4JONuP6iUfFC=N5~$vdz2_ z6v>!mK;kqY9qPwXON)}q!da=*XcCbN@Rp?p*(cPV!4Y}HO+Aq@(8H>(99De{O!@3QlqRFOR>;C4zQjH;V3_qT}4`JA@lw}0N+3$zsyL>?Pj|& zu+5@r1yo!wr+U>fP{q5rqjX0)A50~_Fe(~DY#NMY5$0T6)SFy}$I@UP#Ri>5!)Pv!6Np`QH~viYC93{xi4#_l3ki`_F=V&fDuN;6K!CKwvOJ)1ShB$bax3 z>dW^ZWHy?~*=VLP^0WKTF;~3X-gx`7?|X0FpXKCu^Ly{l+jJ@Mw(EPjKmRU%>>>K$ z{kQ(n<4et3=aG|+mhb%WbSv;(V$EZY{qf$9KYY|a-h)Tpx!aLX#QFQ)xntcG_c-o~ z>)zO;GyT>*+&d4Q|MvR7ync=MmS1n%$38f4{rfgpWACek2=uP{|?iHw#_!*ZnS>?OzFIJ6GeQ>j{e>L zvo3t#%NuXKsf(!iod3UE|CwE~|Li|==YM`7 z@mc&QiH2buI9)JH5pDsasN5|}ZqFCx92t(;+N5mPImPP~{H&ZHRW>#D1~s!eokXq)&emQD zJ&gTkvDP8#t&!0Ou#}n_Fz(P$XUh{i9;KP44|dJ`xP?xOoKoGh%PKc%jKO%w1B^{{YQ4mcde|@wXZcRFn&iN5+NIfmZgjeJq!Eq{Y04s@KO4>r zULM#}E5~^KW)#^;9biSzWy4x!VyA>!tt;hfT+oWCu2!h$NEEVtoKVREU1qvDe3-7N zU9?KKxoL&1^u>Ybwtzeii5X}#thGmzG+9DL)ogdr`s{U1v7mwlx`K0dgV%{ZMb_km zEVj(nK=HMF)MP8=nmYk>l&pR}|4EldWw2?bvT9E&7=-AHK`WfJ@p|5Xd!uyDEhTkI zWNV6O_)wFpL11EOK{e;bT%ASQOmJ0<{rED#Mc0w+XKuO)vrVJl9T{f>R_4qB$Hvfj98w zxYJD!h$_|~FMp-irx?WTKjsm$uU zY^ExK357{c_be!wpdd{NQj16dYGZ^mQGGPdXQwrxWinJ;3_G}3Lpv3;-yX4z>4+}t zek_|}*y0%#WDC8Jqe01H9Yp7VUZ3vvy&}px23R7cs0p>=Alv^u{v$3t^DA!tU5br6 z)EJ)IL;O1X&!S8>|K&f6(*LIbcOWJiftB_EsMH4ITn9;$Hr_}mCm84;rJ$mjl`|Sq zBeao-_VEtE^tl-HU?r2X(wI$TYlEbuPcUo(G_n#=&oFkaGc2~)IG^u_DLU7#61{|I 
z`PQgc>7z9e(W-sKY+7DM>g2M*U}6S3ekE=*Z;Jg&-44Td)#Or;xoM-S_5#S&@#7i-2VG^w2+Bg{cBdjSJqZTpk z)?K?bsS~0~HBFXl;ZC+L={y86h%meT0aQ+v0m4gnqYNKbm7r1Y>6FHTOik9sfnOKe z&7s|>R;rzvpj8FUu9=-SW2ex9xt1xB z11t zd(GLiGN8#Z(ecYVN-=Ch57-g~0oFw7x2smGIthy7aaXiEa-})4?UvK3c%?>4fFnpR zqG%nns&aR1OZhxDklbj@ln}_DY5>z|lZf4Fqk14(S|hGy@m>*0jcT-D^=veB4MB}_ zNU0-E%Tz5-b5u!oBcE?GSv)6ZWq_}^Nx`$Skq%>Q$E}wvrZNRntUZTCb67NoMRQm* zhedN(^gknz6rK7?`VTp`|Mx}2Kl{%|w=H=1OZOiHCSVLlNQ@*th5w|!ivB|qv*C`V z2<)@_&$)N}Y?Ei+xaNZ^q1^9p+V8uM);Bo#mJheydbM5GIcd`eZrbrZ<{tUmv;eT* z+x~%rmO9`A{5OAEeWe3VyXr_Q*!j?@b_KEc;Nk0qwNC%>M;ATZzxbus)?4wqZys>z ziOasb^l{(4x6w7%7}(W=%OBc&mCc@cagF`9IQxZNUb*_I%@==gr}^$3@4c|gzuSMZ{Fztp z_{Y~5kA|zCf6pD)U46-3%l%|6YlmyMI^~y#UjERkXE^&}au*}CzX z%RhMfq|DiaZ$9wAy07f?&1Zjl-J!R>_|e(t-t#kP%dK~E;&-;m+_?0U)yXLjpP0G+ zz}!aBACLOz2(k!#lb>p>5%_Lm)Qyx_Svesj)- zH*a{9v)&e4yt3d=d;aC-<=)+S<;;?M?tRKSo2;GBt#{sZ{qy&@+Iu&DWT~*`RNMFH zU5~r!q15h&zP;dHe#yhA>z}kTTW|LI;Rl?6EqnXfTRiu{Qu{5J%D=Pu2K&EysQu)xP|+OQ@O3ev#%H7{I`GE|Hu8>`H#*Z5-ZJ?(`F*K%Zuti^+oX? 
zxl!zaR;5pm0tPG+VHXf|93h&43BXbT0CCqN)7XDc-&X;p_+-?kaJEhcnTOG;Crp5(zIJMNU@ssR;2v|a8P zR#Ubrsp)JqOy#1=NL~+Uiino<{ttWS0qr<-?R^LkK=cwqhoKC`fVwPE24u;yTx1nn zlBF;Ma+58~MV4&Yg3!y5KxhGm&JcP@p$~)>`h*Ul_dpmJLVfi1dEoK#65xe_F9hDZ zd#zdbF5hL1j?U3O+WV*d-xwomO3WcjB&R1-p&}(yx!#CN5jDGEjQdewwhWB(L{+rq zc&_i@cr_c)On*=ZOgAsEgMy!Lx_MvLwO)cjiP*#)=Lo#Ti+r{$OYt;mVCrO&ld|Ns z#;z=(Jl?DI8`=;9ILt7=A^*wAO^NJ}HMKTUTnKJAe6U>17Gk>IDLO5R$>ww|uD6C= z6qCI%LM^HTpuikbDbS?L11uPExJYJIwgio7zEEY9wr6&tgwrGwS~FkaV0uyeCSBkg ziB36JLiHZYr`l}1$9qLC1>l@*k@}!90K0T0h857(s7NSXzg9vByFSb}o4q2RRSCI* z^T{&UA!32j8P&y%(^2qPs{~k9PVq*Vp6`f~iPXVz)N`;tlL@+Awp|zs9e9);XGan` zvZ+i11q+ceB6)!x2Bt@Jk`ll))n3o9)}mFZ<-VZU3Z zB%(Q4*-Dua_!gh9tD|lP!Sp^rb5zk}*%FqFSU4V}!VKAwg>O{Fb6r~glu$RfB=ir0i5KqXULu9AX+j$_L{)-4Tlp2qP; zEKUzHg>v8_c$GkkRSV9P3JxRm>ICRORMK(KF*L>pKu%1Nj@YCUMXap%EiaRGMr_uL zR4j|gt*DN6b-L0IgG#^6fFr)3ioDn)>y21PYmhG51FA}_3E6|1g2a=sCggjAREwyR z5#nL=z!?sjw%JE=Qq%O%X1$(H8Z=HhUIJtU+V-1@0CX7+!U76xbIm+9V(KB6RN1&& zms^!m7EM$~F5JzjqkNT#Q!ZX0nr_i7)MY%Dk+S{zU;xy_v^%O0r9z`@;{%iStJ$hi zq!o=cY8>yYodM3o1wDXbsWBmAnpw+Og~1?RA2o&rsRjdhpN4u0IQF5+XZ)uoaN(En zpUh|cM|KkQV)LI=^ab@l|0oFeKk31htEtc%468zKI5hK7zgN!|fKfwA364@pq6V#N zT&^V=d^*!6+v9AmEW{}|7ud0cF=~SSCgWivr_4e93^gie`&F7PjR3f7tNJJeNuSP3 zL7_OZhV4vJkZU=|mlGvUG88UWX?d`l>4_RKP_k@GR0Sbm+I_97@_@*c7^N(Vd81ZH z1Vwv5%6cn|JN9rC_fwPSiDq6lwH)TKF;6Dtc19tCIM_>S)nuD0>n>omS(X~a`xzW= z`d+Eukd+2n&6+S?uSRNqltw!-BG!hTKEc_OM}i<25K6nBfE5>(qap&d-4>EBRT|xb zjVf^#A>DDR4g0QcVl~WG9KMKVWd|R-Ac^${iBv6S8BjAuf@HzgXmtdPrv%}qIL{R4 znc_TCoM(#j{O>k6PLbb9{xg;T`&R68{72p7*z4y1`}q$HktB>k6cYam{D=Gp{zH8S z_z#SrXdHzQ68rl6=j1iz!Mqj78Xr%ddB+te-9oK-)A6f5wX*pBi)$ZVTkQhjj*mOt zgOV4%Qi}oWw)ZW4eBKt^)~oD2d)X7Gt+LY7xAh;N^LoZGj@d50X5+EF?%iqb2Uk9F z!<8@1tS#K};koovkKeyMvh#gs&&b_%;bmK%vBm>up0wM#)vGoh^=^3TVPx+epWbE7 zA8dT{Bcme@zkTCX=U#9CdyKK}noA$!>|28m+w!);9rAs^#?bqzO$KvM*(hJ z?EZI`wbtI*+V#ED?4SI6sSolCvvX&^zw2{Xz4P>0M?P|6wEk6ds_dozYW_oQ@XS%K ztaJZClJKk3;MP<0)6QD6Pk&LL``o?H9I@r`b5_`X2C()qo33%(^!AcRQ2NXn)LOeP 
z+<1Yy)Lkph+wTcx)7=Jtl@7b}#yf63VE=oxSLUcYJ-5`Z)^W3sxb@DHc0Ol^lg#s0 zeZ2B=V<+~FL!Indr|fVg+8eIcyfgpuMTyOiAH2D$wa)E7d+OXPrCG-x*PnUjoV_-m zdDKI5n4^Z}g*U(_EFYx~+x}-aQahh@d4-(`ZyG*u;X|9exBlGOOZJ{2&RlPc9Wx)! z_|>t6_N?`m-e=_(Z{PgXrDvTzbHkRt%g-<9qqAN)_SV+NA8j%C^?Ap0zvS+|XV!VE zUb=GBJot+C1LgRsIk^1e^?FD2?pWe8|NouSe}f@t%Kv{G_BHsAma4g2>-)!lL{=T= zokjeE{_6EV;urS+ale23XVLfTPW3$Mv#k;YuWGvHdx zMf*asZlZk-mRt-8x?_RrN23vxZe!V=U$ZP&h4eDmXLFd;RtuTD4f$-|moyFtOs-LF zYD~S60}-BW$Iyo0*G!fky4fPd$1uN~%yqG`1-e}iZNxdOR2MaII5Lo8BcqCdmL#D# zI!OBi+Ulo;9?P|g&A@#&-!l~6Qdn-DqZ+}=0A(G-TW8-5f`WbPkJoT`3hKV z+76HreYek6phh}hZ23KnA&OQq)iqI(j}*R>M8QNPg!x*kq~(b* z1uMYF@05o$6N~zg5f>D-AbFZ0B%4UJ5GxWP!emEQKAm-v^;8Nr!IoN*8)cGW%zAww z*3kw~N^!Ze(o>SPgh=_xo^BT%6f1{jA4K~BuM~t-QKUm&35E)k%#0XOAEcE|0rHY` zA`!=cL@W%(nHbgX_lv$u72-Y-`J*-xFWG?!*Xdz8tYixG_@&$xM_2N4PK?H>EZ=Qso}#1+F@% zp(EPh%yaZgFOwrQX3^UKg$C0M8Ma9f9dsNYyQ6Xsh2aK{ zGGU)qTn~l-G?^Oohn;@cM+S!3=8~>Jco9}7Gufao@FliA+0lBXuEF|4bPDxMp`Iz! zGlhDlP|pM`WXmp=Q%!iQcYfBxj|=Tk?|oBiO$w_@5}*M-a6_4LK3C%Nli+~qcP?%O}F@5%kq zyz%HIAHHF^C;0h)#QX29uz7R(wJ)~BE2pit;;f5KIKWzN=be^5W4XK6zB9P@w{PC} z*Q+;vy|L49w@03T>FPKBIPC{NeC7OYQ-{C$LGj9S{vni%`K|ud{Ac^!M|&*$ z#%=sc(|1_7d8w3-b#=2d`Y)_<&(Bx6s&)2>r_J7_w9-uNyd#>|?(yRNOLcH~ z%ie9jIJ0_&_VTO1s>eNvK6(KSJ-PE4$KG&?l72TB{p#{HuG;2_6HeT3kH+nPKH?`m z>hx`YRqx;Tcv0JC;W3?y56-W<#=DIf>Tyf0d?UTjvfI3$*nQ(p`@^F*TTr>|$4l;U z4gZd`_EkT2H##afU@Pf`Wx5AmeL?z>>uw3{O|RLe`$1>p3s*d7llcex)lR`iQPJZc+#H^eMx`g z(0j}W{<`*B!WAF&=iK#&Q^3QPdv}S?{Qq}Q|7}YD^INg6!+*pK(o(-~`ftg}PXWoZ zDw2;{U%mcE{KEb}-$(v~2&^!kj2#h*!s7Cu)?)Ash2;5$c^{--L-~TMHt(mE;?$QB#3oXXxjh zVGeC%LdfW0c)M@WWR5e-$k>-etDxlzll?yLT6n3ZtCeQ06&K7d7^)!7;}#2mY{qq5 z#D;rSYivP5f((eBmuEzWr&19dbFpSZEBg&AhJej6)XYhWU+zQ|TM4VUpU484gxAb; zH859cm2sM`A&6cfBx0bX<9Qv`6E@PwiDG-y;k2$eP!&y!IJRe`3j)G^(8qv*FU05%M1Ev#4xg3sb1aFkvJfD|amM9G3?1*R&3)Mll z2c+7CrUy0{D5~}Q5=&%pU61OFMe^BR-RTV{yQ3_(x+OC~x#kedEBSa8C;XUR&Z{z3 zCjlffon|i9srKOj!6E~pRR=C4uu-GZrt@IO3;Y3Bql$fOTut{i5l#0R6-hy=1ka0R 
zng-hCC}ESep4g~_11s)&WG0&zhXfOgWg7Jo9*fK%ISDU=q-C?&e8?u7?I>so1GN|D zYOoG)u_jXy>kUk9`mEB9(%mRWcBrb=?H4QbSQ+OP)N&IAO=#A@9aqE}R@5bd>pOKk1xM;nxzY!vGuH-<5O$Yw%NXjCvuk}Wx{mwmMCwz9qM zplXbw7+bAdLy3mPVLBQBL3PZ6ffpxu^4rpX`#b*g|4IL?J-`_jsV8gwq}%8u#>qM| z^5cCw$_akHo(Q0PW~Nvy*?o`o(R!u{0=4=;k;RrFW0^{hsL)ulQfG2Z zwP2t)*41i)&@j!QQAK!hlo_{M`Iv4LK)O0;M(MTh~@GrI<86(Ey6ij8CP=!qMXuOR2|3-M@HG2%$3y5_b9p}blL;Z zbBYET=JJ_{kJJtGzE*MV9^vTnu10DI}HApSO5HT{zKrO<3AXJP38Z-4TJVu>Rf2Q9~}7^ z|Jh;MBhTNl>*x5-N#80yK~M@tVH_qf5|3{MZv<`dDLz^23;EA~ul_+W_zURI9^d-e zV{u}#nqdsu>YqZM!?rcHS(n~(^=HB@4~{qYeQdDAYP-BjY(2J~cP|*8yVMUa;O|cV zWT^{oUgE;o@Ytg+9@JB_mUysI!lCF8j;M`K=#VZO>mk zyYRppPmH~I;^t2rxrw#{rSG(6lOBF}`NzM%m}!2TW1ie$n{{7U?T!tn|0ule+?#&2 z`mIOq$2{`8ZC8Bt#{_ZY{@4nISDt_7p5f`OTcwQ)AK8cGw%BN8!ut`iiu0;=$sd1E z^-ehZQ17FwcUkMHO>a73Q#yC`;fEb4uaPKSw(i~+ZS!>TwrxL!JgY)0{{!Ut0$%eA z@YzFuxK@Am9Dr)|4}SdBOCCLQ#TmD(k^R%gtCnxdc`yHNb;;lB^~)Z;^rFj;TQl=4 zfA3!hOZ;NS=5r3d__UjMx$?5>o-)<-mfHH^G567Szc1Xd@xpb|t2g|G2dfL;YdyF2 zU2p%0KlI6SpM3e0KP;(TReyB1;oKcxV8Jzt_bz+?t@EFK?Crg-jZ3HfrMbQaBld(rhSST8h$g1dM>~$dleKvNzFbPS` zQYJ8Ur8hZ{n@;8@|F=1;H0jZz_tAl`oRG|z4F;^_e1|C_SjlH~iti-cHZWOL@i3Dg z_NhXw1o52IhKmDKDO1(VqS&aB$J&ER)3%C5q*aHkJ`=RYGFkEw5*afhI0O=j8sjMK zR*FrE9Nrg`P!SCKT|0sL8LC<7KmjZg;z$vEZ*?c@Ebmiwa81T!SivqT#tZ`CzWHk4E1!B?4=qJ&2)2PLtqGPh-nxiqzmELrJ5Z-mk%mt z+|e3!sWlu`p^WZ>vRnefK{jZhc`qHW^i(z3V?Jt`BFT7Yqob91E^2~C zzTe3=ZG%brCg!BHWT^yHZMak-DWa>%xzU)+k81?PmF*~!^MnrSmPhamlBh&pY~{R9bvNiaxj)Wo5TQb|2KE{=3%Tr?NGr1Xtag2~h(_7jSK=UzwUXi%I=3I0=e z>wZ^Lf{VA+0H5tOizBg#57IfN+{(1IAP1CceV-{oV;#$PqGTKD1a5Z#T3o)-6GnPL zCXlRW`#L|2+oiB=vb8RO;>b{F323vB?~0S#ijkXCxl~mAFkV!_v0qC~Vw)7?36#?+IzecTYaDNyC1ug}3Y8aO9E1wGlZ(uBE9o$6)3gMFG);%BkCc9V{ok?91Nf&pMZ*L+k{!y2V;OzWH zmN6`EM|#SEkX)~-QdmQR8fYpMYgt3o3kp~so0g?3H5j1$09WchsQ74BOJ`Gto_A6R z>5It@)*v;jn?v&sm-fs$8yH#w}Ll@HvE+T{P;`w&))$c6#BOVAdG@xgdzxp!jXRtfPVehycMpPd-jU&pWHZS zndMJ3vq!&o=?Y7)djC~tBI+EwS~*ybm|!|E}6nNx%%2`=AT(5 z#+w{`+1(poasB$xg4V12YfJ8a-u`d@b)!>uc=oI%*P3P=d|6|ix0inZj2#MxtS&B7 
zxbN)EPh5SEdE0Dx&+F4R*!?fB+>&_?_{H(R`)J0r1I4AAg~p8OSKo8V^-jBgK<((` zXWe}1W*?t-*hWY1ek`-!wtL+1;!V>Ydh^lPMhlS3rrr0>aeuh^rrWMvgMX(r_vCTnKy{_r z8$6-^@XxmnfRumoo+S6ygZQTaXd1N9KLDUrKCSXu4*KE2OJA_+5=(v&5gN%i&0RS2 zrT4}0U$>fmmAcjnUOj&0h0D#k>y`62dKT!d729pOD>qv3m()$v z?>%c(cDrV+(sswMyx|j%ocZK07cLk+rR}=sc54qdc;SNXEAPJ?F8JBf2f=F|NRIR_ z*Up{y)T=e%-QcS=q?}k)Y$6gA?a1gr8gh1 zvuR>WHkkMOC4NBu_UCi{wEs80|3C5n|6&02b@)$wivN5o_D}iGq6B6C?-G02e+F6g);6reEsY57i$WfXZ)mhF>+ z77|5M&%>3r3)KpfFBWAK5FB|?02_&H3lba~6AG=-(o~9shkULoPZgE-HT9!UJ z&?KOh3;+EZq|=G?=XhW8Kj{KVFZw%UXFnkg4x6l(9IhvnnKtQGVWFM208IByUM&oC zL$(tojdrM}-=+#syg_p|4)qPpVd+F7kxY{flux_KIKiaZx+=>D5owV3JfH1;utJ z$>wsbj1lU1g8F{rD*a&*o~6b%~0ipVYn)Lhe44jgBVMrxFFo#-&MtV5N5VZu`0hlU0)=(-}?iRA1kH+*=KIfns zrxr44-Om!KVPA^uTDPDnIz}a>7>ef&aU{4>ok@Eg4ZtI3*sjEKj2UQT!oaCmt^G}U z|18QGhJTkc#K^cZPE6$tKg|zD^p|VDvERv@;o@#J|HXe6$IbRFG}o}$Hr%%{KtRo4 zphWn>z(8l< zLeZi^!?I&|y597xjNmk5X$s|3p@Y|%TrE`-oq%=pL87D@<6$d~z$jj5_KY+!1S&e4 zPvU4i7YhO?){<0{)D5fMqmtcnP7@Nf&?)#e5v|CyA4Z^03s4H|F@9FoWBC%<0+Kxv zETlWM>9rimvHW4qlcTXTc_fo#L*DjyI^Cr+^4M%w^QfJzhE-YMVLjuPa^qw!Dg#CW zAziVe72q~T@d?(e`fSv+vSOO-aX}doh(?%qvn{#G4rC-&63f+bicTTT1XW|JC;>E7 zG)FOHRFnVH&B9n%V!y=ACO?_ZDsL-{Fj+C_;^LI)%bJ><5L7`$wv?V1GVVp9? 
zP9__{`7(tyY9ysnx{;tep4ey%J3*ePcqmZ=34{|HKq0LcbtPlw@>P*Qb;VV6!6Buh zSB(|G48e`G_P`sI)w(~(=mpIg^Ia&=%0WZc1ip-Sfg038S|nai&}gdP=K3)zs-^e} zWVfnNORf*nX*l6IIkh-$wvzTxZGw#&k~5`lyb#7n%mA=FY&W8KeGo?=IMIV!N*>D$ zJ*Sn6yQrOvFpR(^ zzffOa|LxY{rrLp*9Qg9;YaaRhotqw&+;Q9W_g`(nXsKQD_doiVJ??typf{da=APIY zm))JaXSQKhYtLM~wB~{rTHz@dA6vNYWc5mU70ZG}*TfJ@2_6p5DBC`ZYT~ zWhp;KlhSpOWgINhp(Nc zZ&kg1@H=_9!|H2}7fy2?I)+e_MXly?%Bdm!|fQ zUzzw#Y{OfQo&Dj$H5$iKk47(svv)Y}@a=wBo|Szqefcie|7`tp_qgz;Ro*@NhN}*G zbiCu+=Wcm}Vt*Xxe);^*KKRku$e;Jw`jErsOY4&BpO@Hd&G~=&ad&j_ylu?APk46U|G2%p$*nj2t|9GJ+JD~;yY1<#Hn;00uZWJl z|D`uKetTE@o`dA$W?k5LcK26a+}+&pN%7&|?Xdg18$Yn(W|urX{Sf+w!%M%t>d-Tn zdho3K-rwL%^7k8^`F{83+h2+-^T;)OHJ2JM|K`e_wuJJFCVyk zTd(Zpyn30He{Gwelo!ta&4WLBbCJ{k)c^mR`~Tpd*MB3X`2V+JUq}B<<47|7{nLLF z*%l(O>Sz%Z`D*%ai`d5(_5XztWbvr6csewSSk;E6k zhMX*ADZpu9isMc~8_JLaJDFsXTty{9YdpZYe6OCdtFT47nStCIw=Ko7z_`>(rX|WE z(@>>L8$c$q#8#}pREk2r>N*}%>emOpU(Ja4m`~Ib%~nqixQgvG^_<2HvB(@KBhzpa zbU907lnlhNN-tF^tHX$+n}pHSsa9VV+r^HEj~H3doE~3?Tm6uXX9G58D(2e5sQzlGU%{%BP@;c zrE#FO`lbxjGCAp+>A%sof!P^cLu1W29`qox%9lk^EcP)xW%%5X)59)rXw@u_%h`Ha zM~f;MMrt)=c-m;Q7rEH*?_F%6!IH*Q-thaZ z|F$^W&EFW%;`IN?cvTk5cXQPs1Sa&5(iqJ0TMc`1foFXz)Gaie94A0T~TKt*{GUqwcLr1OTOxn zdQVK%Y97+E0tB%`I6D{z7{yyzpj`)vASw>6+>lf|B9v)!=|*15m@w9Bb%{)gZpFN= zY7Vg>CH1_7!UdA54(fz!GPp*d070Mw9U~J%7EDo~Te2C6PUPuk*MoXy%Ncu4l-Fb; zKj6h~F$q>+I~$OaQ7Y%;wh!w?z=lJun&~p6sD7sZRuj1J%kyx{AW>TGw9062&r~5Wy#d!R6-&hpzhdQzmN;uWXBTZ zn2*pFEkZ;N$ATE1PWy>z2g2*!0OhS3Zr1CWdJ@jR6xC{RqL zUDU}-rI=xKs#GjC>_bi(?+oK%6LYI!qX*USdL><}BIz7jt&-S)>;mPfra)65XbJ>P zfuJc6GzEhGcN;n{~Ua~68{eHpGD{fM<5dW3j7EDF7h7=h2uyZ zj$>b+{~WpH@*9+Q9KHR{a=AOL?5*OG2c-Vv7lohW?5U4F#>QV>j~d*&aFv|<;f0sh z7i@j_kIS#@dYHBHt$SeGZL-BymmL54_UFwyV)k5m-=pLQmR<3k$Di2rm%H6`>;Z=s z&adyg--lc5cF@c{SKDRpt=>BP5@hT7)8?J9=iYlLTW>+V_1jlopMLmC(~oQJx!GG6 z-Eq@1`&p0j0cySLjzBu-~q} zzSRL+&U}x3{^6akj_!FAy>!O@KTywXN2lJkksi*B#ox$~YcUUKXrR%4rA^Xi>X z?fc%HTOwO7P_+xrcl+m?b@)%MnF94|*+Jl2n3EhF(gB2_UwWaM@umK>ll%x?B8 
zE}%?;UD(k@G1sa24JbkN#-?W1+FUuFb#qnJ$Fq|?gAq%jQ2{Zyji%LDoI$(Ya^O(V zNCjxF5=dmGH+h(lGRX`-3P`1H4VuHmki=41BdFx5aZVX0m|h1PWvX5vm+LMvY6Tqa zR&oX~j+CNAW2v~Jl@mG?DZRTqr7Xe>75)ZM#Db>Z}Li ziIlDYYTX!qGyanZGU+Uo7a}Rr46PY8ASf83g>K!!Et+A-frfdw7{}_(0oICCD1-NC zRwfeO*h<3#51&^lZc@hKnp*Z6n2UC_VK~ZTiD9!W4NEWZ(Aq2^KCoJKONPw!f8tr!41&eGdrDj4X7uhg@ ziscv;kN2Tsu9gLY0X|OmY|&D66v_@z)K*2XFAUjgMJrlH-o>0IX_{bxk*I*zgQ{H< zx~aGel5(LS%MxJ3)7@l1MH#D6Xpwb2R%qo>%J?Sf!niYWv4Qn>F4m&J$eil`^Pl`j z2)}>)XR)@Mzww{N>Hm}ET#{!3qLLo~cyeSWgp$h!LV@qAV1e>%#*b7DX&Q&9q1**QJR?;5RtqFQK3YEN3Nr7XAj+Cri$#il< zsFjCWOvqxBI~0QGDuWC%sBVcpfdgf*4-n}>;0auxW6VZWv8u%y$^=e8H>*LO?WS@q z*CkS6v5vzEQPX)*4Smi76AJF9(?}_X0(RKbvsIqMQ}IzF6So}*CyFK_u#QS62_?kp zy-{wcR2yl~B#OMlWQaC|wz>r#?fRoa8_;X{h)I~pp#K^F5rzT-eVN>*^%?(JwBWil z83K!R+`h7mTUuu5c#&#YrEaKfFk`=!beQUh$CEL1fI3}DqZ4gE9^(@o6jaGx zk}Oc_kV5@@Vb~4WdZ&`BjF?!HC?v)#K5-~utjci+(k474j|CZ8AxWtqp-A11(V}N7 zk&3{L{;+E|N?jLKQz$MpTNys@!{yA_0w@Vinn;=Qc&^?jtt1XPgNc9lLc7w1$Xtu} zoElr;w1h%{okrW04GAg_X~Tq)Q616*Kr07v-mf4gujXq5h=p5|J+2kk$VRn|6ro(D zgxR9|edn<;!Vg>R5eb=-9{rm?-;uMPE=%W5V|CIkA|GgjiI-^mX~q z)%&VH%tSkGwf*IL9J1yL3uc}E(&MMyi>~#|YVGCI1S8#h$yz_I?>PI=t@e5H)TM=6 zw>Sh?Y1#fg?`;15f@fEK=g7;aZMz};&Ii30&O31FU9Sh8JGxnY{+#?x)893YxOdy* zz$^cFlDXaV+t1MXogaAb)F+zHzPHStFW$Ug^!iU8eC(R*Z$5Ov%cbX*a4xiOnWZnd z44!k<>c4(>9df-_yKl}|;SoyS{Ym!OxbJb9X%B*`?0kpFjIw&3}Lgar77axm!_3{wa5z zHFKAxFPtHtSUPvckKc9e!mWoYOa8~NmObOloj!W>MRHB?_64Up%dBV3|IHeS!JT`Z zJ>NU$&Rw>9=4|TtTbB6iX$uZM7@E)j>|_1>llOibSn2SeUU%8kC;8%A$FKBxRihQ{8UM}Ba#ls$O98HbL`pi;qLtIg=2 z7H!8QYVIeZcxAqHHt02{u~5z0OoA91(oP%`u3ELn_hcgdBiai7fP(p4rD>4z*Mu0_{zRRHG*Yr zSq{-uVt;oMlPI!Cefl9Q@z+t2lcyjn))W;YhGoZ2Bfv$C zEI)CZCb9Kg?VN`pm?#PbM<+;85AFk-xOUaYK)6vBqNzuzYXLu_Xtdwn4L8)O3)+Rm zf1KR6aLDzYT~Hlw=^7M=5t5yUH4bnj)XNa z)au}sqFN%KJS5JZah)t7E0AW>9HLqYS;Z5cN&Ktr*aO3YTWPWlJxjEMV{1IUX#XeE zUhT1&NQ#^km$8Nr)#el%40fd^xQf}115JmQh8(t<(&K@jE;`prs?PbsIDPE4DjYIs zYi)`x-za2g7%eYK%7|@SMsc6imx5D56n-mkcBIv|S@08O7~oI4`w9)j{{G13jO{r6 
z4+UormVlC}$73)*&=Ue|c%xa@eQd?BMp6nL{E&CERl?#zcC}OJ5hlEgfukBY5kwijFOV^t#;H-$o zmFY2$&HLEcve;)LIivJzl?2(icofH(v{R75xb&n+rDIgWdC}9^#G29Dy0sI}Bq=8y zIz|-D`|xhdbd+F)uSf^{gnwngnUWoBU}7(|XfeCjbk43Y`-)zItS-)GfU%~Sd(T@2qJhT(SiVn~M*Z&*;C-Qi)NB|LL%wQu zT=}2Bre6dveaV`5ImAM+F69U1qKm|WE=Mm5<=pvXPmZz=pLB#2Wdg|7&FbyPs^gZ~ z%q0H(`=dqynh4)w0>QC6?ixO0zQ&5a(LfiBnpJ@po~EbqYas|U9S#3oIJla_s`28? zLp+L%Sm!UPj6J!SV|uub-Y;q4{NmMXrJ}M--^qX?zWFQ64ErL)Bb5nF^6SWU(~%}A zR-NbcK;2NT9t9k!S;`S`bQfzLJxg}3Ick%25cDLgK_))>G^!FBkXJOJg0n z&(7>F+P9xDPt=2sH^k|l6?RiZ+nhDEBNn5!p%QsVnpVQy=H5ZA9ki^Ep#-L{Y zX#1|9Bh~cS+^ZmN{n@xixY>k;h5=45Xt{~7;_q^C){&@Ek9jo4%!6Ml-Dkkm0kRN3 z$~Q!o?{hJZtB23i+M3nAFWzrY`>W|ML!^IduZZu6pHOe#es?(W@`-f?Kj8PV*d5r3 z!6GlKH*km5Z3e$1FkYbabvD}*(U$G&5&N3ArbB(i`|_-;6*sSAGnljQ_o&pRtiOGc z7F2f;V88YSvF}|Y4dgTTG`r_{yN~bXtPNv2x0UwA@adulF&9uox})`Q=sv}3kKX50 zu{g)=`tX9N&viW{0c3iY^WAY+fhEjn+dSE?$+9v4xUs}j_w>@q!2UD}Drm)&=Wc6%7DF_cf>U zqS`h4mN$*-B7sit56Y@m!A`lPTHO~)+#4poeY&%MynrpO2k86H5{KM}gLx^lF8tMP z>tNC{JGPJgOwWweUf@?A)95eO#Xf%(-m^*i2tnvue#P#3l+BNcr~N9w`r(+(9=}EM z)7rjc?YAh*T)(xA5Bxlz!&lrD89RDD|M7i=Y5dyWWr?Dw{FxoDqSduTuQ@OO9u3Yd z(-IR0!B?EtzR||v0X^pD&C?ry;EIY><(&}<-|aF0{)G>4i2r04t7^}G^4CC+!{WsH z?VOgeyuOJe(_gUu!^A?r;i`!9`1a${UPiBe#`CsT`WE;Mq2O?Y*Sy0sVxS7VKe`vR ztGcw?w?oN$F?Varsnz<=*_gwL;9tx;LZAO0j=8?hmBXZ>>~_89{hGnTI7VR}K+dn5 z^)Cd{e?sMb;=xvTe|J87UyT_#z9NEABnTT0i@6S~od>W5+On_TwDWIZj=@|&ZT)pj z3Nh0<`y(SXosWYn^9piu5TV(Tj9Zu^vObBNyWChH!YV3_W*7&XkjpX2XC-7QF`IO~ z6JO=QGl4XOVr!vnu7l>tV@|n6mpUFi4K%qG=qIO~k_cqP|FPhGOE2VAM42>UN?|5# z&ca$CKO=k5EXz_Lm2?6V6yQ=!ZzdecW<@K<6C|0|NVAaKN~CsMt^Zgzo&xc!9r(aM zC(t!V-Nc=7^l{(Q_t5K*mFmS0N<025U6F-A5oSzS24?-Joe&ar)u_rm5v1%kZbm0s z>&DZrovK1#QNiO)SP&V}7oqZPximn$G{>GJur^sv%Lpv+m*%*b;i^pPx&9SKAp=-s z(rEEkby`m?2Z>kt@^$b~J8tVV6Q|V+YCNor9Z`{KMbJEU8H%B5ByrWP8?0l4Jo@49 zr3V!5A!%&u2^B{y+m-bK?D`RgV2vb**q{r=#vd-|(yzt!bLMaZ}g$1$P9q9VuF>=ym7}UIFQ|HYSxldb+?qnyS$Vk-S>+-~B~f`uq00VH>9Bxvd8jfyTiu~X z(b~}HP5d2encsbwaQIC%o_MNAqfO{d+ry(1&=4U=UgI$*g|QprU%+@Gy?yDS=$Z@+JmZCQ*;oZ5F|tsx~$` 
zC*hv;+{cU{6oJ*LhN$VwG7gu8B(}Ks@BL4A*3``IC#60(P>GG)h~+z@=rzEOlSh7Y zE{lPnBsd_MD_VKXn#d!6`TP}UE=(K*KAw3=<+zhwu~VLuSTj^S)Tk%F0)%CwNjr(y zD0Yd9o&O^H+G8DDH`J>oP&qpKsD5JEOW9wNxIkLUZWTT&vmi8?6%B_V1&W2v{Nl-4 zT%v|eOGTA$7UkOrm`jE!PUovLZ@8sK>hw-@ zi=w2QJ@K7sOySv`1o7vO&0r@l zbb_(|Ei6r0%Jw<*je4Wo`c%oH?$~~}z2CQn6R|&OSVHr7Mz>l`32Q6Lw$RT-;ez|T z5h`|Q0yIJ=0I~tGeXaztbFcj>fp^SRek+ak{UWExDlVMM4x0FlDa3!v>CBxQIi(}t zRNJV8CWOK-jXMoX$ZWIiRz{^t_7{FE;w(Yt@bnvnP0D+5T)(H2i2r_S`lr)R2)p)UupY2!S>5NAjt(iHjiK?k*3r@)G; zPsq3J0W@nc&`VX=9S*zer7F_G^I^N zoJ2oNbItwlnAYS%!WsPzTMM2U2KGk(lLBhp{f$5bynI1XO4=HM5y5@I{eLOrBt|%4 z(Alq_fQLb~!If*;Hsjr#T|Hibhnx$YRlvy`sr~ln*%x8E{ag*l=ZU%ou=4@sBOqV! z%mMJQ&&a_8xF$zBK=+;{bmxA`Zu9fq!a=lmx!zoz>p0$mn){gXzRxVPtvjspdEHYu z^L^nXYd{Rj(beQja!cnb0x^|yaWY0G_hhsWLeh}x;E+~qa`-W`+Yf30eh zKIDwK+u65_#NF?<-_Jhqo))g=y3B0dY>lP5pAC23>b4xc4ISS4JOqob^83teeVzkM z9Byk^er4mR!?fRGJ?dr(qcFFpxnQXI&l3qUll&)2oRxGckS}{qO7uo zzifLNooZb#jaFb83AhE`64KOpULLR2&+C}V-sfqn^gDLsZZ95oSZ}w_|JkhgTReB~ z)NFDnV8LwQ0r5URs_?tQosfQm`ac+9)~?*_xa=(78&v^i^`2IIlYT!=>dEMJ`F`E` z*7e$iZZY(EUe0{)t^1Pnp9WqZeciV9mZ4G&?sqg|^J=c0uzai_5@z4$MH#*N+5y8= zE8ea(O&ZxTb2{fYDH;aPL#{Vm)~lE_;WvcBWxFifF}df}-g6s_+oz!xpZd6Va<+|5 zPAmVeFCErD{w}BKx&Jy`;T3E@%c)U_&&3N%bEp~oOF>ES`{sOnvd{OWQ|*{)Qtg z$e{}IjlakN(}1GyRxQDdx;)?!^0M-sZ37y$qnFYbWgitF=?Y~gKRrb_oZ2LR8cC=& zDxF=)$$$UfnX$iPcmt>_;nPhUabf%3jYy6^xZCgxB z_V9T!y&xJ{3Mm(qMZH=vY9g!)vyQw=HtIU<(6AD(Bb=a%^@!@jluIl5J*5tb){t?~ zyINIQau<3so1fLo#34u*1*Ph=G=<{9`5EHi6s)q^Gx2uM>u^zQ_YG`rG%SIlj-)D3 zovAvL4R)dM_{D3hpI-RMV>nrmS=BIJRGH%*hG40iwiX~8)OJ^!X4)yNauRYT0_M&E z^cpO-VxfO{kW@*}pLvZrj@}k5-|P3ZOSEBRN3P+*2Do)*p~)AlY=m_Ty`!geJhjVz zcrvVi8UvDS=QC)~>d9!+QMU=fk3Wf0UAzM@b?U8`e}FNdDPwJ3!Jy9IJpU7Jg-Rqf z?c^_SX+}^q*$Ol`Cjx+1nu$`szb0ZxfLo*H|Fk(`=<{&xockm^CnE11$CaAAc zLN;#~iJ%ZcX;sO+etDrRUHL8KK2EEHs0%ay(bR3*%(ip;Fm*`8<~{ghtu6|NhpD3H zmp<*Oj4%RP4*6v1{KNIF(rnE$aaN75fwUF%O`Ezrxzn>T^Xz5M8bk-XQkKG-+cExb zMyW8ELPZ+#ho)mTK^d*FcYqeQ2+6_3u(*mZP788xQeANnjXv@x^VpE?_T;Fh!D&X= 
zpH7r*7P}qUA1fhp$|8;G%@5Q~ReeV%{FXD~i2LFfEzVYoi~c8=2`c>PsP}Wvaet%qao1q9fTR?nqrL z7om=bCnd4_zh+o2t5TFKsnPo%S|SV}oQp`zJQy-mu8gx2i}3WLa!|s;i)2krq)T=l z-((rXQ2drmuY#tZ@fE5tNl+~}W*AOYA$$@=L#e8d5}h!bv*$r75t<4#=@8&kM8{#~ zlYELLh8swEF?4Il4I5Szx6zQCj+HI&9yj6mai~R$xtWlIOMS-Lq*H1K;hcjKm6=#2 zk5aPX+`R1N#(Y@Oto4*>%{Kc7qsTSx2Blfv9KSfl_rvo}1Oa1!CZ>_o#jkLKwbQYX z^-y0wq31bYKLPp?D5{pk31l1c3(fp-2wa;NU9hW@q+`|I1ncGt&)$q!Ulm!$#5!$d zlIAjr(bZuhnu8S*-(&wj#r0#H(oj&i-Cw z9Sc666BY&IA}sx}Wi2LTZ(5GQeLh+Omwe_aZ9bSNhF{x-y>WWh%f81#v6;QMEXEkI zuc!f)q+Y>r#MZVbnG%L#xE#}IpVA0loX!D8V;&?se^adert1~(0tbs`D0yOsKUk=r zN&qh-QY;&pj~EJ8v~WjEH1JEDLt_ZKoLBZG#fhHkB{>5x5Bnpd;r|Y7fBc{D|A`tO zusHBH7<~-^p3(Zc9Kr&9fy9PkhK9*xf>A&u;GW=`M!)}0G-9d9LdD02kGaF$t=^s& zIm8{G9rS6hHo#{CZk?{T$HF=zf_?km{JMsA&#tcbb+)g2`j_}utmvkOFObclt|*jz zmY}&cy{)w##OsO4Jj>v-@%`E6)fvj?Zj^VB+2~g8 z0=J){jKFoI1JR+u4v6?nh^TkR*VE)A`5eTH&~dRu_>^5GZ%Nm71-c7dREX277d2Zs z@dk^l_8w{RCh!?kzolzA+LYm2{|9*7hrV4sF`@Ny@Hq4yiPPUr?Ca+`Zu#KQDQVn^ zX~S#X8FDyDLv^~BP{^~nd0e{WB#hpjigX}A6nr0*cv#Wh>XPc9>$Yy1zj~U}pg5E$=P|o^WN=#7rYj{HmQ}o{(LT|!)^y05hi5mo}%B6 zP@bQhh33`z09x^RyDqwm)L(~qzyI#2`aZW|v$Bd7$!>pSJ##e6O^Zsmu1>)&$ z6Yz&$$|~S)iPN6vfaSD+b(S=5rrYb~!(s$6j?wEfEX|$+fm^5DJSljhYKQrR-yAsW zZ90?$cm=TXIskFnCI;Gi7G786Bu}=I2&TcR9yREpAM}0wV#+#K=lU*}-zGb{1dx0` zf@4;^KK5}p%gPWwo|;r`yHyA@tMbH=7RvFrc4%YyQ3bMsH+E>Mp?gYsJ#4a)Vtcj+u+U;T5jK|b_CFV{<#W(lCCQdxMSi@pG&RYzG@?B! 
zOxe}2j+*8?hYFf0M^9v93hsduwmQ!-t=0vH=R1rPBzOxUAt^S90j(w}hx$jTJSda`!T*2gYS7 z;td7UnB`)x4jUEbEJuQEHR(y$s7V9~rcM%b(5#sWADK!YL`xUhi9wg!O9}sl@^JdY zXv-|(N&0Qllp?E2(JVMuyCzl(9$cV;gLF}{UiDfhNlt|cEKX!sz6lHlp|Mf%5H zUN$f>jYX=2c|qCb$G#~!jJ8fW#J3hN?)nQ3u9~B9x>oJdg)%8|6ZSAuW^5^52()(% z551B*QGB#ub(|VPmaJV}=d`#Wo&iacBF!X&B0NUof=Y+5bEYzSr$L}hPJYweB(7;xW%<`avQ+9-93XupJC#@RW_z`ujBe*OvEX*L79VA7Y z7>wEz7gyWl^zw6s_cf+NpMrOXgF$MJPjBP!u#((YYH|*s`v^u~>;Dkn|KyApM@Yv} zOi8zt{}4{Ko}~8=dDe8*+=CChh){R7Y=hw5El{eM2!Ld+bh$F7NScEQTFV-T@HpZ@ z7lDrdfnbWFMjHRM^IMa__y@*Xr`>2a{jzsQ^Fi^e+7BYqL=i11$^0z5rIyCI2k9(km=Y1W)L#kB^zl<2#q7qCRTWRvW#kt>XAqtA zy2hY23H~^nXsncSR?k?;V$|FzcigCkHQzWoN>_4lQS!nu#l%e%-dM*5s11$VJ*ibC zB9Sr{fi?;gIn4z>oupHaNUD9FH*yt-ORh5ONQYMc3-;Tp+zvD8_~itV8R|Cd$+J95r0~s6gccT=c@*8Up@xtg$aANN@O4w-cAvh_ z=;OwEl!~gPSpL2F^(*t@k5Jpjkc*U!m|Zb3BAiq7Z&KDW7Yf5t+S6(1B*)Aao&-Bi zkJ6m}N-*`Bv}6(I#3?cR!kiyI=36uE_zfbDmv~ZAIho6Y!Co3A<$S7c`w_$kgY94n zvXzS1D_)VCAs2tNP)w$>Yf1V0?YT0umArC07&o?KIt2SGa`V#)Q3rcrp0^2 z<=!6vQA6;UL$)CwNFZ@vBw)x8E}8@`)W;9lLGZn!2?ipI0ra9RCYZ#z;Aqe zDmu>NKCSF=_{F(H*WlJ{Z*wcsJb8DO$JcP#g<00tbJXxC)m7^yp$?A@gH(uZNNfbmrm)*+AVA)c`XMuzfzKiI%R4-SSHOS4 zT96TVUJ1Y2CkOz%U*Gy+QcD9 z+;YNrQ=pM@UGn_)&47{JCFTfvcIVq}e%JIgE(nMTUS=<@d@e(_jjUd^&F?U--SR(u zo~5Fj8~AR!pAfoiqdMnyO8bd>+5Y3b?Tq7pD_Bt}%Y9n#jm!3ZMu-FJ>h7Al-xPFT zQ9d<|D{Re)e_+h)n#BH&QhQbKzL@#$zg~Nf!->;xt#fm~T{kN(L$D=if80(J{H^;C zhMA^$wO}Tw>0Z&)@ep%0%ZP8e-AU-Yqn;*kpWY%cWKf^+a-!{yI@aC9_V&I$z>3RI z*C#xq*KvQMVj&nzM2Oe>!hJo&v2#*fYUUV@7mwup=@)%>wABs6pNuyVD8QS;M|QMu=&3+<49&kOo?-c>xDh# z02MuO;J)6H!<{tA6yjQC`e`#+{Nyoj`V_n_Uy9^U6c)$+YU)^WxF9A-R~Uwq$Er|~ z?0(ocI9_Q=t4gJZDDCl-i9kBC042&@^{+x1jBhhSJ4$GUb&sygZx+2$95uhcCx_Zw z15D+WA+|-j)$Z^%o%qP2)W$8$g&@j%;>hF_I^;iaryLh@a?!jc_e%6TO%2sC?2*go zCr$V4r?7*3*=$-G(#?yIGw|U?3BU|J=Vc2#Gk$oh=R;_%&QL&$&!J+dRQ;LB4O>*3 zFcG6RV8%)2O{NVQ6lSAbWhptoRsv=5B8(^%6u~$ytVY@=OB+9>MKB4;2^jWew0(u=O7(Qf zR=6ym?+?GWw=YN5rFDsx;;K)S9mQEBZQg;DmL}wY*jbU4b4azSF3`9$Pc|X%`<4t; zi?nKaw#ByxlB_zQgK8obv9!AN)HjBr$xft&@F|)+kYsFo4voD8EKdrO3D&p?u2A`v 
zrpz}I=A?6P&nyw8J6#8FT%I}?uMCNG8O@pVqf33W>D-O1hFiMLIciuAQBszEXiYr8 z$4!|RLatS6M`r}3Xf`)WqepbJEtZ%v1yj+*8%^66DB=aAuFoF-O{HOwx&<-gHuE}6P&63XiC&#t~BHi54=u`dai-|t!4NvgK5#t|ls|`R4 zl%lJCW1j_Vqh;ZgMNG@K- z|C~pupvhF&k7nYqjU<#5ZV8UFnp*k5<~SOcPP(xWs?h^|%j{q61kuY{3xZ2<%tGus zuvE-M8Fs7n-p^!Q}}&ow5m2DAXENp%caygDV@y__bdU4gGff$_ef?m zo|6K)3tmSHmyX?$zxe|k&!(H$Y~)--Bsz0lJ?_%mMI*aCMc5t=9ux+XCO&BOaLM3H zLMahYb__K9F54Px8Yp{LpaGZy=E|0X!2lT#!RPAPn4X!27MN9RSH@!>Ms>0&op*U&MxkM zU%$Ybp1Ukt@1C!+cDSB;X}@lJ1O(3Vvv%~w`3eNqKG(h7c?=J095e`cZQd+r6RRQ- z3A@D2TIBRMyfVTGJod(Ga@|_9+!NY2BoK3dKcF^gY&k3*MLv92DvtKV`4@Q}clG)G zTcdQ~z8XmJ>zHoy`y6e+yhXGHj^C8c_&F?Z`#txM=uG^2FQjDTN#457q>SUbsrfg` z`TL``PyRf0JqBtX)ty$)=cNM^??C!Vf++XH?g0S8toUbD0N+ZY=MDwEQj?bI^niq_ z4fl&NdSEJVDEI4Mr+LpnYM-yqG9G@Y#j@9SWCcWbrLVFEsy9Jf(XkZUn0cppEM|6Y z$arZ5S+b)@W&6w?aijwXH!|eTzl)Q<1&|ISZ`hre!&ve9W4tC{VH1Rsz}ad^3)yW8 z%>oh^*)y#@a#!4|mOq7F&~ohyoEk~W)X;1iu4lOlTGF+#5ofZ;pW5+?QSiWCXd`L| zR0Fc3S5eS86{EfpJ!+dIofVl@sZiX6TO(0Is(Gn|dF9_=>fWjm{L8EOY}FT)YC8<>joR!b(-^D3iEgD3CnK1mg^6*uK;Vm2kM>9cXp zjX&}MrXg+j+!clu74{R2-Zk0{Jmt;sqxVsIodP{P#wD7ZY?@6j8ACi`U8rt_kAJW$ zDiYu{!A@b{6*9p{xmLV)^0jU>J~7OrB%!2Rg4JQ7mBqJM#b_yL<|jpXi&|!Qm0JG){CTAZrs*8IWl&ZpzB$!Vh39_ZN!gz&8%^97#z=o z23+2o(S<5=L5b=u3bq4R#$&J-Llb4OQ{r29>B&U<;{Gz9bT#8)Eys$(_eg_QNV&;V zoA@o($=+U)fTO)TO&|OmqV(lB@25&^&4}a=IWST)$8IZ*`*@R&ndUI8I(|B&gTpvAU?AAbSSy5#No8RfaOP=ua>RPuNx&@fYZqPOvkBP$Kf1HS zH}U=QUwER}m=ZJOr~y^96FNP*|9du%Fsg=4!7X)(4uhOEVierg#3HOXLlDmE304Jz zp=}}q7JTH&L%gTeGzjK7H0aT3NaLC=F-FdGA|5Z8EIOU!GBUwV-VR?7DCY>ipO?d?6kxGuTjj=&jG6nB$_>z<<=(f;|^jee8sywe0 zF*YBlY_ib2K2!X=IvGstyZF6!j6;HZX4Vz9C1fE9+(NlptAqhVG?wLtcton`N_Eex zl@(*OQnSh>$x)Sso>T_{Qn!N%q(gJrOmRvL_RxvhBqqrhR2I@~4o2tARtWy$i|d%; zi;Gm9>F0g3NJE7Yhd!Hxko8|iDC&gYhx>h9fUJ>c%y&dFVBclmIVv9h3eqqxoSt() zawP;whO`=saEQAz86Syt>MvIcYBLtLSFT#<*a~y>UTK#wYb0!pfG#xiXd03n_l+AO z%8NoR2`ORtVrcP~AFhAl?|uxF+=ud&$FM-t?mh;GB}h)diJFK(8dm?DGY%zA7?_c# zFV|9T)DaUGQF5)ZpLI5jCx}631U2V!p-Q_rE{tnXR;^OFP(`JE6{^g~DNG*}<&=Nk 
zi@<_cc~Zn*tKAvL9FV11Qev+?o>u*#u6^Ap$AzqhrpY}mnXYc*ICbxiv#y>=-B=jeRsnFRoi}8^iDua z;Pomz;eGqj^IPe4C2nghVUvN;-f0(%*4A}{sn_Id;w84-HPrjr<8X9-gmFTm&VMjw zRQ@}j_Qu=$iqXLjFw~dcwf_XWaGE8s3^I4=lID1hRnsPw5x5(8I{U9*@9VGtwiaWXRZh%b{4c|8qBiQ% z_x^kk&eAtcArhK}9x{k9!rJfJ%+`*2-X(NxJCBsq#UpmNtTNQ>NObMo=RN14D>HsC zGOrKwZhcN?X|F$%4tI4dQhYh}pZlS5yI!Lg5qDpL2=TYxsr!69o=OC3YVQ|J`Qf z4ew}Bgz-Ak!Y$ftb!7bBSF3GUx}^2JWcR7cTDpGrV(S=1Tv@+8o^Qy~e|>C=6Sdd7 zh*pWhW%T|Qrv!=dKKNV?y737ccI9qV-$roH=Ir@xD)`%1Xmz5miu~VhGCA|MbPfiN zw5lrFj^n6!qaNq zKRRxs4stYVWBL4t%s=d(WiKz}{JlWj-}rU1zfLkNX8!}T7t8)x=fH>K|G;dG2#US` zH^2Q$SC=oXB#b5y=W7m}_|Jy-`=FS3X-#~|7+S^HOzCS(H~Etg!|E8RIfWF3yjq*B zjF*C&c7G^;x0SnBi=#jjA_Ijt2&>%6CXhFgWEC4VT8BDFDIrW*7yjrA(uUosP)`vPFcDEf|ThYt4 zbU)a?jL^Z20!E1@#abbY-3HAvMg^zMi9B^}u)T*)+{iNXDdpoH!EPm@%9DxRA>3SO6L6H3TTsAe-)i+{jpCi7{`)_Bi4^vKT4R1pcmD7Lf~c)*_rKk*R2>k1R53 zB#SU#Zd=5shg}Mvupb`vs3Ug9=CISThFE$3!+PExEpa5*y!6n|m3EMwtcD7utONPs z`!kW^P+;BGnIx5vzaH|l-ge0CJo7VT%M0r z2y#ZON)7YMz5w%w`fxNcM}#9WwMC39`sC0TlRO~nvM&Yq+?bmkRp-A2T6CQLPkC2` zk3gk;G1Wq&a>5f(2u{21ZJD3=qE#}52N*2)Q5Dgw@s}HwH*2nr7QlcfzDxofe%f!!D0?R_SZ~`KZ(&x6lTJ5~f$dco zEfRcd&n99$xX5;J=9Kb;l@iy+1Ck`6=Iy)sKal(WRk2Uu)hJ`Je@$k8|9InZ#X zqooNK3U~z7FBiVu5@S*-g>nhi?b)^utx538p$s8u6K*~1wjse%UGw(GqgKMtS=YUg zRQqrkGluj3JAkWT1x6>dXM$vWsK5{9QOd7VFQ1-g|6PA7m<)YvxY_u;0sr*xp33|G z6h+G-frF8P|9ks7?FQ4)@c~jhT?W?seM~qYZn@@moqbt6ch+mJe-=Pw0ir+VryL9< zvt4Esj19`QgwvVrKa3zMUV=y`p!2LVw)q z8uSADQSXx?zWgn$f{zt=Y#wa%gI2i#&D^v(y)zq(2F+`&Wxn;(vsu@DE9#V=RxKrS z9T_=-8yRcqYlbE09NrJ}Hyf)y59rQqU%8&|<7Nt5Rjy6W4lfIF0-wL#%$c!2M+P2V zI*_*|x5a(;uZNFyKHXw23A1`id_JpAtF95VkNw<-J;R~j#wbhZPXTD3-{NuRSeoDK zur=*1k4^YX?FL|=i32#hbBTX1YXkK#@$u~cnyn@7zU}J&Mx$kWj3~xi2Ydzbdf4*0 zk+n!VnWWWs8@!)zMUcqVw`b{g{(vIT^c|vY6MzR2T;j^4K5t$>_vC$k<$r9U@b-1) zHJv!@yzX`G>Vjwc-_!8wy{?2i@HtOArDZqVyv*wG00%?`vy*PF=5kyny%=}=Hb*6L zzg|BKXJ6{+=QJ;m4SSAq?5gYcTG{J1jHWc&wy(a;(%Y{c&aJ~cQot)X&>e8DV_q4& 
zg5&DF6N@xol-`Hfsb@`#^BV^V4Ss$9w|3f?A@l9oE0Ti>{@#C+7~c5z!ggJ#JGw9k-b56*i8p)AOua3FwfAwnuXeAkm0ij8K6b21<0e2Bly&~O-^=R6&iiIGy zV-9QDNi2cdTS!4^HaC5tMw8Ka&~Aju=B->TlhMtKJiw9ZUh)?tjJ$GQB?K)A*G&5< zcbQRjNok1#Nfn!2XtfP4nL5y=CezxrgC*IaU5c5Ie4c5%$_(WaG?O4aFuqE-kfm5x zHdx0gJmf)DYME{Ix}Un2eO{Dn6)vb;0yokqbs3U}Z1L|Ol(2m)5K6Hn+c%hKgzC-xsd#RL$~rCapf$tJ}PSL1u?ioO1H+kt&3~psZ~01?N>sJM5VLDLy_(- zHW#{G;iB;Ma28QYFPKedieEL6or^Qz09^ zd81AttX2Bqnl_kV+w>C|mego#nB8QT9YURgR7Gn`!ZasO3T7&4aUz^VP5ngDBD(?V@KGWEg9?nGEUYXWmvf^&VGZbwaVkd|Euu?x(H!}f zZJuxtdJ(KNJHbP4lh?SH=5-H9PlDpcS%az#U3stEaOU{QZ37O zwti+U@UyJ)x@V|GUgna8H*oA|)w*LSMFR$`5^ElOijQQ7mBwM&tUT$L~H2mdB}pp`oPj z_}dv~eVxNpj~gdgf_v{iu5Oq2BClFb;PEQbZDgJSFlI>OM~(GDrj|Lz)Wx#*p+tcd5o@;S6t_JrZ$1E zL0#QG5y0!wWyjbT)O#K}K=WbWbdeCwuCevi?oigsSKKqnnaT%9hI;n0{s-|~Gt=Rn z-8T6I=+^3)#ozTFd13H^1HX&NZaQsEP_2r1XTCV}={rW6 z6m(s597?7Pz;|1BvwR;CH(bl|-ZpIrtgBt%o@Zll8|KOgW_(@`l=oQo$tC&{ZVB1^ z02;gk+!kZO7N`(+xgDYK1l@lPE{i#H`JcM9jV5j#S~raQGQS3#EM|AT=fdl}o|d1F zkbl=K`r``x%WA@yPIBo_rq74E%f9`*Y9Qp?G|*u3RU>O_ zVsP(h&mWR9JVeY~^?C84@1MbhTHxekeNZL>9 z!yF;USzCb9w1}xZSbf9zi3MnjBQL7n3oiwgh)AFLJT9;NwK5+SpsYA}WFSN})5PDa z9qR>aR&v9GUlNaybd@Jad0$<$#5_Wm|AX&~7sW$e=T!t`>|Oc?MYj1Q)(TB&MGCac z{GQ@F?C!WvVSHT~`0E^FrQ@%nY7+R>K%I?8+$c}DS7+ivW7mC8A@p7th20=aFRGe8 zywbv-^{8~8Ifq_aZ8pc}uyUO3p4a}l!7iCH{s&+3fL##u8HP`v!DIklwUa9b-73rv z_?3>>D(ONL4v@%7izhbA7ja{1Itc;>7uI?MQfrDMNE1D_P!R{i#nxo(GCJK{0i^qp z24-~$jDqDQ1ZX&Gv@|*!tBA9TXahwT5CO%>HYP_B}@*O~i9-SaNc{5j2fmqR25>^&v491@xTkecR7} zxL>!yaKvaM5MAxZ25em(-_+auV-QVaM;|yLuscG|=~t=&R`%yuyeP@1%y{4oCAbhW z`6i(j&QB~S z`CM%9($$Db=+;?_v8{XyC6SH|IXLodb5$fc^014w;`YGL@$^v0$J^Pb6!7bVeJ=j`l>wUNfii(bvy6Xw{-luh_G^1|esspue- z^*AUlo#q9|T0TWP@J>pJB6Mn0m{mEC-khvvZNQ1$D z>RVan2qTBk5?_ir$rTwvMnwaygIQ7J7m z?wV3N+3I^eaaMW3shSxWV4trh)@}!WkiRk!dyq>~?69R_2`hF|yI{4cMA0V^0Q7 z@s~+yls8PRqd=->DJ{9Oi1dS4Sq?X6xjok{UWMf9|IA~V0fgRX7G^Ng=uRG$xzpZR zl|Ibry#FE2Oc9|jtVEWE#vZ=_Nx}-r&=JF@2nowg z4}-A}Gw7(zn1SH)=?-A=r}ujziGVbS2=bHq5TpRx*NZKym?Ho>f_&M5Cv0bY`WP5p 
zG9HY`i1~DUw=M-NN5pKnF28>}LW$5t#&0;CPU(7xJ(E|R)&g7PdV1$*o=)n0qf+EJT5gP;>*247GTi?y}y(TsA4_jJ4YWAfWZ{aYV}FE;;j zwtLUR?t2>%(DyvZ;&gI!?@YgOQZu6jDGRj1-fvKKKPxh2B5Hkn;|2%U|odfQ~9H_ipdQ@ZqX7Ud#D2=4VUE8@#h=U@HGk=y4zEHUPc~2Q1={>IT zmqgRA9+_DUyH9mo-l*ye0K{)vyWCo>qoSrct^3HmtHCb3cA%UmGcLUi0t4l`&OcT| zey{L7O?$r&mwbM{ZM~hqx%=F;rQog8w(QuZ@LllVgm@0)fAp4#^SQ0l6J>fHMGNG~ zTU#}JeP-C8e%sq2jqr1bJ0DA6a$-%N`f&3O(!T@+qUB70($YXZi8r3NfY`cNBEO4Q&^A0EMki{%7B?fO2_z3m z32OYzxOo@{F`+c2ildKb5j55juXJ9tJ*~*Xw89J=~S!Asuf>pxUR^{ z|KPriOK1)|s5fq6-B+MR#K?3s+ic|#Y8(6kUiMzQzkt(%F z)$kF5_Y94v0+#Ht-Z67l0L|E>pRVYll~4my*9`6fL^0p3PIpBKF7wRcLn2|q3&cuZ zUO8PBo*s+#fEOA1V~1@^`e3e(oUuQcBzYC~=#b&^ z(yE%6%s(Rx^Kq_PaZ)8k;G#_Ixy)-gbG7z%&6Tw%%HeGa%9=cX3 z$-+#Zzp3l&ukq$etJQiFcvubkc-ry${hyk7Pn*^jXdd^QBBOyb!ARf`2n52y$G-v; z`md&5>Gaf4J@ldVMy@x3){|L}A+ANvPd8jdSH956`^z%9u>sqHW9%KjRBK+)XffK; z6n`a;hNm&vhT%Voky7Ru7go;&l^gph1!{KwxoLAb|0`Vd9WpZe#qB{LauHqkD>GEM zji@AFAvt}|B~R-wHsi62Y8pWdA_~oG5DM!x`Ci#?*M;0P*Nsk^#}M|J(KFNp9CXE= zWV|^Yeq}R?g66Vl3a(UejN!yL-?H_wc^R0?!nB_#(yP3fi9(7f!Ilxwr@xRN7K4AB zUXYEI|7DXDLOQT01-c@_SdD*c*20fmvn`~Ej8r_PZUl#a5bpWW9>sqO*2EeAW@a-| z4L?L6U%EdcsLJxYTj{2LuhL``_@|IlVzdY)+x|yUv!;RYujQ6e#zg~M|1_FoUA?f1 z2dUL!7CKf|ICRmUdwKdsGh&{^E=;mcj`1V%9bAn#|8$0EyyKbZfZ_`=K0a;Go#+Sh{YM2zGxy}s9=ehEW2@Ca zNPIqQI)Dp|C@)}>kW%3oVWF(DCBM*;3lfJ@iC!OSUaz9>_mAX0r7+xKrmEygssv>G z>h#5W4SX}2i; z6T>`{qo@Uij#Fj1Z#1g68m!B>FHqUTv3}qz{!{cdKo<3+g+j_={*%u|-RL?;pOj9< zhYuObbHU;t5_F(7gGiAEEhig}2wB-wz+P5fz;EwuVH5$Ses`-@_bqL(XW;QsKHW|g_Z z^yO}tmkq$=vvL+eddv_6=x2gh&>QqMLCSCWpA^Fi^#XS~0hL>{QVTMPb4wG;H4}p> z%{8ey6s0lsjA;XHN;=NL4)RdAYMiA<6ekm$Sn+|pK@0Wo{&Tn@O0=?Pa2N6EM=H)q zS|vk`r?q(skoL9r_aV6^LKXWFPsU94GWl_|GB~Ys(T%apdk15U__S^q7Fe)j zhgRV6z(YU@c+Qa*XuX{6;EjJV zefX$#{TF^UeB>v$xCyXPel7SI+=k(@dwFdr5dhq4<~R}AdIr(*Hr^D4Wcto)Ig6iF zIRU?wfQGG+ZJf(jyteO;7Li$C0J}PV&-#8&(_g6@*Q6Cr7m69#O+Ah0B`N%$@A4_H z5WL{4U2-c=);{E!|HI;_!XV=7g{N&P97yo%uInU2VH>+TGHh$B+6K z^_p9qpn=QTRk8ZTo;84*$6@4DvV8aTZX1m5-3+^V&-(~QK|{ipk~d*b3tLJ1hKRQ* zVdqr)&REvphh@OQE*psXsOIJTCZW)Qw@ 
zNL+G*a?RD-wl};N(Ut{Pe`mLPhF~GJ9}Lk5;GZwIJ~q7pJRh$|h%lD9n7k>tyzaLj zTf5-Gd}|rcm2BQjR_l%_t%;jyk3K~>EE}ze8(bu;y@ta z$JS@tCrrj9XiL%u4J5hv5Dw}(0|k$iV^3Ft<-J5K*IWtcuYsx_KJIc}h@{kW)9k+` zVQv7rKTlJXQh%0=7_}4ChE>R@h}%G55HdaZg-X>Ur8Oe3pE_DIRu2AvQ)W3^uji55 zYXp}!ZjFzj!9~otCms=$JTLqcFU0|Fq>!ySkmsQ}Og&i099B^lKI9POS9B?JH&2*y z8o{L%SzbgfZ5ELRIs0ZwYvGSbn3O>ap70*Rd|g8+;Q-ZMff- zsPyy~rF4*v#b2ynctOYs0b{<~S|Q64Efyyw?%bvA~!PY5)nN^##piN0G`SbRq)ki z!#*}%jm?`Xc)r*}P+*QD&y9o4G?4PGYlcH>2HZOe{dtPiPt&Bv# z8Og?ifvvXNX(6t#lT2t5Gc9hDSV-f9pL8KN*yx#YDIo$bEVxwk@(7%5$I*}@PgSD0 z;{5G8PGAFG7bj1z1Fx{G;_zxDosKU zh8mY|*eZWTnGj;oh+>;`1{Y$q+oCwCR4Wo9`!gjXX?ZlCd#Uv3;7f}zp-Z>TdHjt?#2!fQASwwq4M@PyrE7@7N zJZRN>VuD{?io*jU)h3DrLkQB@3-~EzMo51h+>U#j4r3LRU~|vz3pI_8^_t})JtD~3 zsBH`W%F9~#m_3W`snF!0i7P779;}DbsARdA9qI~_l%SDvoHhtr95IOz8~?8Rz((6a znt=WNZBT*wU{t3J>{cw0^(;)-v_x0ro_xMqfz}*iZFr`A*%s`FroRs*k0kd2gr=O9 zmO3k}YiZFu;%IdfMWs^qBi}*+wMAXHCY31eky*ArJ@cz!PqsY-8gc-f&%js0Ew1HX z1o?%u0c=%UhD-8frD|?OE6z+g67?~XIx=X@>PROt9%l|lHp-)bd<{lNm^@EV&lHF% zjO)7M9p-Wfv+8?eleG)=$z4!?ke>l#8oS zmj)kL$f)JnJz_TRCW|4vz@rlNVUlWy$Xg=3I`Nhm_2!YeXw2k1$6K;Uhf+?@9IR(M;0Q({8kHw*~(2xO8QGz)-r zI!q#o{N3FK((xF^iK56^w-}_@;&fRQ;SktQBE155OtzdDCu?6W`d0gKaz7q-+)op7 z?-rqL*op&2HtQ%mR;;|~8{Tiz=IuAn@x`7W=8y^RH-PeX4~Hn;)jsb9DQdXA+)>`u zoPL}1HJ6n7o#rnTExZy_4NqU~SUg+4W2@$s*9+iJT}>CNJRg^jmE4!OBqN>}C&dHLV?vLmeb~PeD?=UPq z9@7jA!OQfVb9Va_SisFi$db=q9I4++@mGdO;wLxqW}~u8{}`5ZgwC_~b={!7=2gPO zQYw75$5S}o!KTmldzRYfO(NQ~*LmMtwcdWyggwhsjga2$Avi^)GqK}fJw<8|pb2E- zy`xGrEHBD-9zb-SIyCX^(+a}i^F*x3H<$=qJ50XE9m`{1b$LBWJepSE z^^irt@0>&28fNQ>vGd__`pR>+Y?Ti1y2RyfbIIp0avZ0+*>)a(RK522dNl3ncP9Vo z^`I-jy|h;Al<_bc65{K188N<5J4vOkF+;Cz*K#s8xe!DIa!Hca(=Y2ZdVkdSbN^@g z=I8UMo#D&g?U9p&^gQvU>8~8U|H9-cRpopyKB&=o$TNO^Kx#8j$^dx*N2f5Zx;%5l zX0K=E`DFxrfNV!s&3BT0gbbPBX|`8)e10zray{JFt35VPW6Z-gIw$(gcj>Pu6+&E%Wq3OC)X4$9R>yB^8co??YxKd`+ptEH-G@2AdY3ww*Icbv&|=nei!d6 zf7_n|W8YgH6evX<6kg8R@QL1Y`69qX>;`Iio}O4+PuGV*mmK|*4JyFID*U9-$Gqb* 
z+xSjgt4#A$3!4k4?4^@Kd?MVkVdTtJ#qSnGwG7V^Xou?W5QGDk@NXohN~zBZPAFm45Z02z7h7f-$)p* zzKvLKFT~VK#bRktBh~1T+sLFT$UA`v4U?#F+kezo>Dizgh(oJOE*_gr* zFZH|ZsZKC0TPyPf4Q@#|15Ha6KeQx3uGhNOU=Dc0Q;aT>tQq#=b zaT%1tE+MrXw{c^nd5_YS5*fndIJSz}%5f3(ywfxx#s&$MQ1BHA)xB(98?n0ed+VUz zIE&-1_%u;k#zpB^wS=>>Ve^&r-z*5|DHi#8{lj->DpxC^*`NmM@Ax>tK77jZ}) z%v*f3@SS~&-^Xyw^_BfTUJG6rnf}!)j#P6 znN7y;%)NVkcLc7VrU951|KVU4to`>K=&^fg!`vkyVwfkIDkt1UIw}&%;>cx$@th?w z-$^~RrN54SQ_v?Cwj7R?mlJ0nq&zMOJHc1bZx%Doulj2DY0j%0Ht6{dz3W!j|+ zG~wU1CWjVG4dJ1A(8hWfPkIZm1HJ5;mFWcL=9x8|q6$(?-4#wpHKZvL(IviSvl6r` z4Zt?>hMVBaT5MfE3PB8F zjQ_s*V?)W8+5-akQCBZTiYI>!$^oFH*BQL|^& z&pp77z+Kvr^oO~haVyjbJWL`5R3}2TWg;ATB)UtLm3p;ku_lHTO8+Qzav4=||JLM7ai;vo&92W@7gRSXIs(B)M^xWu`U0}Q%NLdf8%#AyC-aKc-YA8Uez0?;=8I*PoW$!E_Das; zAdE$8kqK%o?&IJi)u`uq7D1bXK<#bm@e4F`um^{I@uPPvs#{v zoL`2t%IPPjP<`?85M2>E92s(}EMkQPmED?*@dPDVB|--5Lgn2A_w;|k#s>xG=QoDL z&%lXGkT2HF^k=_LW5tdA6A|oRhe$F7Y?z*4Q192Z);udTeaK49z-zlYyh(K(0@z6W@jcm}jq z_gnz@9c9?*pT(Pv`*Jjlnw{Jc>N<5a*wNHvqla)b67n5Ri|b^q-(;!gZ0-#aETuGW zRCrEsxmVqs%-!29f7tc7)AJnTgu-9(`?iQgbDG8-2sr*-pIX0qsX7$ahQjlC9LwgQ zmHiwhz`Bg%cX563?RZ?Tu!D;hcxHc6`RQR?b1Bx*^;*UO-kwtL6jF@3w{n^PXY z_EWbGyN3Ro;j29U*O@8r&X3b7_wKqK(K%oTW6dQO=gXb$ev#dx-Rp;8yKT1bI{^nD zx94$o5nKsh-RkrpyLjjCD@f)A~!}QJ-Xqv*yY+gPS z00sG;(dV!Tv}tucUACxc?2_3fjtIY=&p>ckZhlX@$JMDqD03=snZdiGa!y zq||GrFPlcNUO-zH0yAGvzAwI&+s$~EA5H!HtWN8Lr3IoAV}a*WkV?lX(+=wC29fC> z3Oqhd0ooT-q)tmGRLn1-nsPr$=|e#?{lex}Yfbbhc=Zq{BDqGT#4|lOW?(kSd8|?M`%?VECr(QC z3qK2jXgq+kR5I(o5q=kZPMmrBmHcs#ZOUEL zYI-D-j1&$UL!{AKu}20rD)oy=jI+N>#tRoZmK3uS)#7p`W5*^IJuTKisLyIQOAywI zb4ne<`qlLV(hg|RjuusS;0CjcUM(lR=3=x8WW~Vt>{4mG*MRur^4x^grhh4*$woFn zg;!2XKeU*q0BLQuJP{9}mvb7Z5xJ*P9SmfZfM&E`ppvXqsq!}>`*Y$D#5ChvC9Eoz zPkZ91%YpA{>ZBs;T{(|~;PR6|yY5T{9}*(S$Wkk|1MUp{My0)f)|JTVm5$hY8i8iS zDxO^JaoD3J?kD-d-^5dFs5j%bA5p`~bvoav4P>X=#)wCFn!1x%um4_J3Q<9q>Jh^+w{x$9F5p2gV_kzmO8`up|Bx;j{IHG68x6r!VISJ#1O82hQM9UZJV!r?Q+*P;89#U zS)N#iBCI=Xtq%f;YAu)(K|>sAs8G9fi^-3)LSgTHbq@l0_b{(r@;X&ISOVYu0LxK( 
z)8P$Dd@DN?Y)c`ducjRmnEd{wkP&odG5~8Tk}W#X55*1*LRqmzY7+55UhDFItmp1U zOTUkeyGD)&!E_=OAkr}<8~PRFV=8E)3L{Yl6Ridb!#T#nf^TMFoh2F-E`A=6uUI{W zQz|`ugoQm0`|o=MF-0n2n8shhO_iz*26b~ASUCu{8viMu@ls*@<5eNdyyr5BHVzTJ zD%zPF@ItIg`7J6FB}B}P5l5xxnn=c^vgS5t6YI0zt?V%64O!&I%_QIsM3t5Pa=W#H zyy)5v2E0#o`!#m&5N!~m6a(ILIYOCkK{(a$Q-bD@(TEAIaP4sAoP%7YJwd`M@3M$k zBa^j4Fya#JTV1JnTxhH&ovpY*ft_kG{UwiZ7y)B=EZnLa4sI#kDndq6{28($qK(`N zaS(<eO0{ja}Lr;l4KKY9R6oy|~-MwVM#)ThFQHO=5b*=I2S{TsZ z;!s#wP+uZXkA_V8s+-S540GQYSMe~534U`ph}fylIz}B)qW#rCXU zU$d?XH!&lNa~>wOwPsIwGepx|R@F^fQ;z1_|H0~W$H)&Hle~K(7dOyVM=0QtNc;79 zB&ZkQfGPr;DmYWKBQWys%Y^>D9~;8F*Zxw#x#jQj>y9&^^*Z=lPKNXN+1dMjscwus z(1Z<8J9m3=x$)}R!)^J*=MHoOiEai>r*=#__W!!l77_s2I*qn4cpWBVTxN*i*mv^l zm^N@MZ5DP}*-d%6S3homuj{?9b>46r#x8cz`D8z7kez=eZ`kX*xV}njNaj`*wb;;n{P$x4hYV+|49xj#eGC@PoGZLI~T;vW5cG zye|%8I9i=h8>uwXCE?-98o-XdCwCbi-pV!Qh)-P|q>G{0xy0Qy6-EcYE^LvhJ z`*m)L($M!Tgqt__7krU#159m9%ZgbvG;kVysO3_1>vU~@lmb)0Jz9P~BMdI&6P(YoJ^a0lHS+QZBl z?zGeBx>n!rd=;+LhoBg@&ex&8?440qTx|2){#;gd8X2bC;`K z@vNuArV2v8btjug^Df;ST-&Z?x)k8!8L7VaCvw+xj%v;_@>dS&kW$F(v^wU?&;OJ@ z_K-9@2!N`e$v>6%AT8g0&p>LCWQ$OP^iW|y^5>=x@z=RKKzGdNw{a_iL>!d3)YCt& zG4;fsEbN7j`eig2{f?|8=KlUd)UwdBJRZ9%VPIvxjC`jwOSxx9KrLPcQ=^TLLd9e% zgmZcw70WOg<_D8ZjeiSLii8Tp;_Y%v-j)nG&+!7elj!@(CrFm#i+^_{JAbl=m?kBV zQ}4ZUk>TJvrdB{N;!`86v7rc-7%f{_vB~cYdm5(?VcAa`+{~cqurpFvQ<2E{8*jNSmd~>X1yYo z90lj_!(UoeI!6WXf$^ph0|e-ix)=Ks0iEzPuT=U+?9p3s-T{rj$Wp>9Rg6B!<5*+) z+Nj~RM{%hNV@U<&3TbfNn`cl-tV`KA5|;8N!4IdUDvA;DHXVCf(y}qQZW!OIcz-Sj zmy%6Y22Zw1n04Z22aB4`S<0uI5xH=wL#kL*nhYUM%YH{hP{rda2QK`1Zzb0DE8|FN z`c8vhH(JX{r`>HWQ!b=*?j%H-irS2UbO$y^T;9I@{ddOnG_5erWVYHq4L-SIZiM@M z`PyNqkTpcS-P~o9^+BN!EBu2RLCzlu$6e{(zewhoORHw9eL`Kb3WidHt&Iia#Zesv zGNi`l)F;$7>!DPS62r44g8_+0^KHSRkFR;ih3lCKCki@|{EuXEsgBvXw7!PH-YDppr7h{l1 z>`xPU{9#4cEq^HaYK{vhfJ}v2f;)7ZR64& zk}g8^Vh(t91?y9v1|ca`m1tK9m638AC=)ds3glIo(7_K{+3eJ-aV+O7*9vUrqK&$gCLxXjbuJD!SR%H<~Mx~e986sSh@l_ymPxAM-wqeRdK9Y-OcNJJ74k)&)vdB z*j$Idp+C$cPjf%F0{d?=kcntEdYld^&Zw;UJ6?=weP3TEK3Z^ylIYuaW2X38FzK}f 
zJ}f-t0WXNi&o-Op$UTgDr*w{^t~0lAH{{$e1>^i4Z>}a4?(CbgM{aG;s+A7&A$Xbl zbnT0ADep#;gAAJ%vs+b*y1w&IrPY$+};t*K{iM8YThT!J-aP64^wluB4>6z>9yx5DLqN&xI}d?SulGbE70h@ zU8he9#ikeSTZ25nwDZZv+e+tSg(9V0Z7WgLaaF*<-0}YYJU(AB zP32goe8mMSUM>o$>Aq|mZq~XPelr6=6+M341Kb*9(E*Cz{Zh9Qlvy!zbkS5AjPWpsQcQ99j+E zbIJA4QNo2A{~5AC>(Gnt=ghBWdwb{iLv32W#jDSH1YgM7zBJ^`hk3MQ;C{~EC8r5u zYL*qAP^CdiUDOGyw~3Zdw-1s)Jg>n3ZYopZjfFmiwbX_>3cPy~xwu?A+2J;FOAmaX5ClF{WX154+vzu%DA z1xB0P_>amhK>R`)G|F8d?pC>a4b%OFLz{khHmSzi7)*@D&dNwdVHjZ3s#$jeKQuv% zAdGtZF2yV)sNc3o0#adt9=y13~ zvOp@LK>vw}$U*x90j@IKFfTF2-#N9`kwb0DF;LhP8t3xL{0-nFi$e9pueReeIl}{9sZ@h_m^Eul zPF(1Sh2%nQXqkTGZjb~wqk5g^R=R64kEE3kaRu2WFjxwa;~V5|T|wfExpY-0q>yA2 z6&!T_I4nWcx`iQAXm$!;J9izbB0S2^q^b?jD%*t|JdnEZV?mk2O>33m{%cz|f`!3K)y$h)9a(x4 zj3&gDd?F=8FC8Yp3925yG;OvV0~Otxi9-Uu*3K6XG&;4#l4$~>A7u9y6HkB0VR(o6 z_ z1XC%KuRCq_C4^@>xNbk8^@e@d!vNMRHaM$r&@M*caxRueQ@M;cNeRumy3dTM zG&%io(IiU|Ey;@0BMu##@I6H@r=Jl++$d^9I+tl9NhCaISN$V1j;Jr#sz_o%LwN`- zM@2ze?ax|HIQgO?d9_XmET<{MglnZ{8+48QCGCX85>lu{7&Y+;_B}p##r6*su9S5t z@5Mx6xXUoImIKe9f=aSMNHxVgEwtlc5nV>pcC$A9XJm@QbbVFOH@~kf^YBp0t31ie z(Q6KsqfjYeZKL8 z0UmS4k+hocuAXvU3P`@0DbU`reF^E_Afeu``8PN1EWq*4@360tm*MhL=B1<_Aq#b? 
z;c|uXeLfK2b#xon^O2sTTvPoy&=&G(b0ZIEc04&1ITODm%yyJ{3@k}~Q1^Ua+(ZL8 z&V3*5+)0t+qj1f6^7Ni+Py05luXG}gc(JgDr2Rt7;`@5qg3QsL?=-S`8P0eE!r9}OWR`x%bkslAJs7U|>3ciq1-T)y_3Tf|1bfN6-o0Iym+IO>tE?4LWdk1MdaPE#`In&vJTz8Vsc81&u~CxdbeAAg58pT+!II z*cyHva`kYwdOaiyXq=CD3h3V#9CQH6HA*@i7W5JXAk8lU!+|_@5zR4O)-Mt6c^uvp zya&l|9001-hiQ&U&z-DWCWeofh2`vutO39?C(S&-=eY74zxRID-~y=}paUfJ_`-Gx zJe=W?_XZ6+U-DnO2POEorKK$J{QGypapgR`JFseR-*#sh0Xa_Vx{6r?8Ulh^7qhjk zo8|$N@21PjJHvWyXGf#A9G@;H(|X>PJv;k4ep`c4H@PZ=rn z-m{$-o4!_8s{P`jd(|CY(NNoXJ)i%?k3heA?og1GTF#x%o@=#}*W2GR~^w5 zyGKCqhM<ff#yLSr?F)?ZB|Czj+R;ppM>eyJZU$dtF!om$v&iMoGh+>pC6tdv}+S^y_X9mlby3( zPEQ+2Lg8?O)8nt1Mbev!t_&_2*1;`Lrl@L#-`_#dZs<~Tvv5EwP^54EU95xq#+#}7 z76tihUMFF;$*K-F+%lR{m99jITDVm-mh*UoEq8g_+7kQpcUrT8(aJxCJnqJHQOG4X zVC7KadT8=bMwm-~8-|p=dXaG{wi1;MLiqgsU@$doBu}dHFv(&Db_5yx+Wx;6$YO1h zswY2yztfNwnF!#_Ot5gqV}GjkKL|zd1;HhvX@dRCbMeFZbXv1%(~>v z-;EWSnDS4VwrWIEQBwG@XvSF;#k+LscKSto7K%K31Ai#u%z7*xDW_gR>X27Dl)*}2 zY@jDnBXyQW2jlO%xeOhXPioCyi*QJ4!L8pF^W{Sztb2*uMF#I_xielad_)o!Sd;;W z%lFKhvTN`zN9+!au^PlNbdETGE%s4zArumpy#mSL1trCXf7NJWdtrxvuO!4KpeZmW zlYmk|GE%Ad4R`1;ks5lCS82a5#7y&My5+XJ!8-a4AG}@#nC@Q=9I##h`|GOf0;OR1 z>W4>yDQ=$@3_=na2#ZoDF$FO4IJ?9*>l-1@JE>#i+ zY6fZ7@Lz(dW+<)8XjoFgsmN%N{&6)e(VtAr)M_R;F2JooKM6=hlkTQ~*`Bd4yiQIZ zTsduJ+i#@Z#=NWE0)v6(wwju5zbKSn{kD{q9J~sr0hXn4QvMB3-9Wo};L_nwuVXW> zZG&N1ymB2mSU%P8cb*A_u-_Gw4~^#olPwjz>{XJcv$+j}NXYR;G9k=NnHDIrUs>U_ zEQ{{=!SEQ+smxOCVmFvETE(ZDegKl$iyuVEv9>jRYHM5!- z*=bfCyRlv@iIIyXiRwKnEXK8#?h;Vc?}CHa=L5Ao$m14RF@EIX7s8TfYXw>gxxGaX z&V~MR!t8$nOLVl!iOa{Fy<$eSM>MncGOIFQ`v1WGNzeQnS|9cU=3C$Y4YGuGIrsZt zz9~vc18hm7{pByGvf(`uKDqfOu?WuXmu`zvq6b=jWqK;K4$|kp9#c#Ki=k^DXtus= zySK)(NyNXq=e8be5qLkACc5lGYhSLWz|vnaow^;RfH|)}`^r1Ha_pzD2N_)}7>C5j zzif*aRTW6js`7Ua8LNSwC+5MO?^q6yFS+01t@SpJpUyHnFIXx}Q?&EKGD*W6j(fMazgxclm9*2(8R@D)~=TzVH$4eBRK&tWX6I2W6VG^y@ zy}jkU?O%aC=&|Lz>mZ7r$E%Js2WU16^C;YrQgbb4-!KJt83IGd)4HeDX8^bxP3zgD z@x9O4>i*Eb5GZH>xok?~@vfvrbozh}j*1xM>~ny3*~2wH3_Z=Y;C_#ok3%%LJxi0? 
zAPrypwgP#t?s#9^&h0R|<`18jf|jg~@p5y9kD;G0=JhSzZ~H$(zFIVH@A%htihzk7 zfS$AA`4gm)tjsmCrepYh@1~_Jia8FQk}81VbIII;rU8RxV7klIyynYoMkkT4$KB$p z0O&C7!uemm!0KIT5l6?JssYqVlqr!ns8D(t1a{nCG}q^CjkWP8=ydxr@14B0qI2Kt zx~$Nr!}Kv*?w#GVMRShpp50v0PTpl<`IM34>+tbNe%5BZ-Fv~X_OybS&6}z98W?!^ zdEU~ZBbcn-YQ8FJKaSJ_yey_^Ut{UnI8JV<_DoXdhy*l)e(LXof@(l`NRx-4tDj$! z>wsk{rSIU*K70*G=2tPCloemPJ&FDnpnLzFC@ilhncUAZC+A}*Coj(4)}e{;CQ+!$kfk_6%EJl*+!kuq z#bk&H$0M{D0g3Vi{Mgwu0w~cUrzQhdOXkN{f~LRBX(XyN;^jFf$#<3vh?vgvnT9eU zs%THIj=EEbLz2uOM&e#rXv6N6eq}4_>s_jombcwdvf;SxCe&ul?;ZI8C!{W%h%;In zxNC~l6I`T4fd@$>@MwbUs?4#DbhY`G_^tP`MU9ryHEJDe6X_ufVM7Mk+qxT~&d029 zs5q?Y?NC;MX-`aE&Fb(0)$`1(Z3NWpqG!S1-Gcw93t6`C61F(d%o8DPn7OOSk#KKv zKtKg2k#V@b`l*b>CZ=XU9R9HMVvl2WvubN83uqllZ>_rQaErMy%s}A`qTfh6 z|73p<1j+D;;MhQ^nsDU&idXnIhA#?6opK-IBSK$dH7J>tCZT3>q}j9FLK5+X2 zd9^qFf#f_c;BN=01-9wcZLsxTJ+K%9F>wsKx>%Q`o}bQHPbQlzD?1;-?Y6r0HLQHWik0g#;mb z-5D&{S*HPBs?#lS-{xaW5aDep>S9!#9q7K5!g2=4vgKS&cbYBd$XRQlGR-okdrB#G zsJSU=ivKOQXkI)G^QoI3uXUIwX(J<9{E;nrTX(6%wOP7XdDb%83{md^I|Qz5B<{Pg zFKtOR5uYR}^;cUF+Suott5mePy7mdUZkmY=m}8I@Kdo8i#5JHE^q&YYkPN7WeW_Yo zAx4_BWC{o4hsie~*e=v*&kGOO>ybV#F5&_&^Y##v)n#glxRmmt!L=Y^CB z)EJZxVq>*jE&e+8aTdB5q}rSBhlADWt_%s~ZyxaYQO)x5TvoI-GwcRuq0SBUX1oON zC(=Z_x}-~>1j4vdnHw1A^4!@8%O*87n@_->J#aOBm68tX1FJTDm<|cz>RK5_y-b3j;R9&M=mvsmYforSPs+6qbmGaE0 z&orJ<6q|OTwS<#IRE?d7R3H-N3}sJjU!`4K_oJmI4MlSPrM?7>5e127GKbfkZj&-k z-i3X}MVWM9rByUh1T~o6l&?wiUwGXj!ucseoA{ZK1_Zs)@8*0Q$sg%vy*<4lX9^i& z3!8nuv%QBr!+=I0;Y6*-w5&pKOL@$#BCpsH+Wj!X4SN9?yo<4 zgEGEuXD=_Ri110@vYuD7y*a1nouOOkUpH|w=$VlDZs+8az4AJj=So0Uqu-=Jo>Q_| zw6C)$JzRo-=J($25`K4k*GuIdCu)Yn?UqNqG%v5J7`>0t3~L0nwfhEDHJ_82vy_kL zdH0l_%RaQ0wYLc(J*VA`MP;mw{?1Ro4|%Lh_l0=%=@%9?{e!!l9LG3cis$u|O`OWC zt$WjfQq+|W`^ia$j;)3kBHw}0zHh50&OS~vN0%h-`k}lolYs(2OY5D+{q(0XfakN; z>lD|jGm?jGL_u=yKZ0Q%JCB3C9KPE7E)I&Cd2u4^nVjsXY^QbaBf5_P(-J-Je<q= zbKtf*zx5K9z@hcn3aSkg&mKD3a2t5hhFLe{8OEsaojvTRWt^AM$HVek^9#cRvqVoH4hIm3098GLx~fvf=cTD|vlj^z5ch zb9kUZcPGR4?w%-Wds3T_86|z`;WQ68}k5(ovRJw7P80{hw>5 
z;)};y^E23#uEe*yDxNCF5;d;931xxSJ0-dHhcL;#!R0NwEw;|H#5a9iK;*k=*&$yH z17O(E+>Ub^aGn59$SK-ku&%xov(^1L*|Mqo&Fdg|+B?fvUFIN)*kCTB*Ek@@oWCC)YxKL|h$ zrm6tvUfLt6yCmHqIrrGJoYysr4b|$i^3(>_TNTDfvI<9O`orh&NWN)Y+^M1xh`vbj zGE4vJl3eyJf=YrmK+YXMk>ci{l1Y#vEjMteT0A4O5OGB?-MFV{oD1}}VE`uYKvT*n zRuzMqG6tEp&T}F zXA2dcFT`1UW|^lt_AEiP8^KkJT!=vo4HoV^oy(D`J^zVCyH%A@T~}KAF{=_ql39Au zY!P`y=|j~2M=M;B8gcX6MlE(?>`(QJo2r$1IJSfu6K7z);aqK>3KU-swVF}h3S|Of z3QbJA1wy=RXLJ&GE&>WwFSYT%mb6-D42P(ZF!WSOo_Ve-x~jqsdH-21lqQA z#T7fL*tTs{Y_nq9wr$(CZQHhO=j-hA?C#Sy;|Hvp`OLY-cn4jA1B6-R!LHI`xWg3Y zC0s`>HrHFz?K#KW2GZ`22M5)*luAQw?f*07>?o2Hdf`WfXi>!W@f z-vjdBFf|8Xw1(ircbZ}_Hx_H2l*>cT zcLDX}H(!096NHf;%NgXZ#uy6pxqhF%UF*f4E!J%7KU2w-m?}-x%jf@ErsAi_;|>XB zSDOB5EO^RRaZNP~scGSknwS4AFk>G_OVa=ojKU;3DN{hP3kQL>xNpTvr9N~mTc^j& z&)qFCce7W*Qda!ZqF)yIbr~&GqoD*zp$m^C612Q=AP=-qPslSG4Q*S83s>}yzIoDa zDFsYmcT+F664}vIL89U2SM{>#i6`&@k9lSY(%`DfxRv1fi32b8QeNW$$5i%jICC+I zq^k&>jt##AuuUoxAwj=0<{vP{6cnizbg7{*%vWJP40GHHvKNwKp1u8I=q*Zy1fw5= zulgxh!akZW*TL>+f-f?)0qPE`GCZJvLes#gPL0<9rW&ZcdSIajfu z@mDn%8`scCz^sC0%Cd9|1!Ymutq-)QeG4q}x$%Q}33B4+PaZwW|2uSYFiKo6(S~?$ zntbP`@j;4DlM214_jme$@xrNKB+weFhB&rIuAOxO`k_ z?wN~JhgL}D7-YI#HpWTXe+4iAMu>lpb;ie(1Nhb$FZukdd*e|-vGWT+zz-}L2O8=H z1Rwy6`Rv;G0`T!8h5i8d>Gt_}dz?^UP4n1gu`O>Tx<7Tac;4;>SrF^^Tr{0zcOPx9 zwCH}X^4X+qUp5aq*w#K(#n5z9`J4`6c>{hQ{mt5f%kfyg@%B8W!m@DC`53y?)_vW} zf%_aobGdXsX@IzHRLk1*s56?brR6ppd65js^8W5X$7`I=cbV~ddVZjDb#L9zSN-;! 
zKsC|rewI85q3U?(mrnW6KFgn=d%a@4(53_Z{3@flZaYppCOTo%oP2*v_R;pZLw@0G zuHUH4!MNaYKf^@Na(iQy4CBJ9t8qA2DUqkD{6w>#AsOk$vHGq!v~cNp3y{QXzjJAC zf8Z#=>pq{)sBF7x?)9Gigx%bs`5NEyaW`(@(gll_rfu_dyOyw++_)v%vS3rAeU!n# zaU5@^!`XZKkH2az=e@LT;iZKmxaWDzLX`*0)rIC`UedZ-AM5B%^?3SwEa%b%t47Cr z{xFq?!@SuDXd<%{t*owe2py zhuW^|dwAT%Q|;quouGZ_*reL)wDN&<-4y-Rzhs5ioxc6P79wR?!7 z(ZLu)1AE@F7Is_uu%&O)dcsSC4pxeQmN3%?l&v{qM3a zdY>llU4PdHNldXKdo5R7{H%+3B~ET#17Ag#u=1^oxP~QM!zN*~5;gy2G|!zryCvPd zLGlVvGH;Xg>YJ@XAq!P4o`XoJ%~w!MvJKip&QPeBj4q)zvo$hIR-kFd>okpYC2!lN zSKlNIIG<`z)aA7iOVPt=D*4tGME%)ZHkBPqvFMWLel|aXOuAzIaH=h0jRH?HUjspX9H(%v%Otvo!lS1~?E1tI$A2ILVR>LXA zL8>Qj^DJ1zG5NSp8dsRnD2~7%g|ouc_vc9C((zB`(t=x&vX$gkZL;r!PS&&tuSpVV zn~Vc7;Z&H`DQiCFqKqcNG~B4tFFAp%5A*MVisX4|sU4wo|D@R)sOA!KSH9>BmPUez zf^ZttdpFzM2T!X_X~<)Gv2kyHhd1|WtF>Qj=B?F%f0F3$1EOW`NhFQGgjMP6x2+I7Qc6l{x@TXkL3*$FiE zoTJ63vuuPSzv{$jTe-C<4XPXwmCD)se>u;|)l!eCdDqL0a9Vd$ zln7fUR=ft)#geNKZQ%2-WaP@R$VPJWKqpQLFWSdv0T~P1A*qmN*<((56@B@n#(b4L z!vAzzUeEQxlE-DK;vPZ zTdAYC?ACV$t0AJqs#Nv}yrpJEGMVrrv$m^eEd$+YGia?!=+6<~pr#MmLSzjI;#3N6 zybIK-^|Q6?{aa=Z`Sa(6)K25|*N02JW6dMGu~<&`$?wqv}fjb}=-Q(dff0JP8OXDVDlZ?5*l7ac!uGte63cq|a z0sbbh-krR`--iLDER1#w`+i)xlqd*wYie>gEF7jVhO?&**NqiX4qs9=6jB|V0(O?d zrCYvz0Aof4%aXgzRY6bs{VwLXWwB1`N0v!R;-}x1>xNhui(~k4VkbcJ)P<1BFi3Vo zXA(nUnpbvGRa{c-O){dhSYuj{2|t)%J$_2#qnV$Zh4<`91SzG+c19X3!X zz*4!>79ARm8ka|%Vd-FCHCN>|3j}8YDb51_=@TZ*kYr_?g4*-L%_@@qg+n|J(gtiW z5SAU%YWAR)D*yKa)kq}gIncR0R!=ZbWN9Rn2{Fr=ZbUCzV*w`$QJfMQ7@XE=%erRE zLX4+^uNXoqC4+cQ=};BR%-da{%bzh3L&WC0B_WOpoY{c?e+6IxE!+z*|9->!f*81y zy#jy~86N|>qk*p*UX^!wBeI^u0G1-nE-KlEWLj&!fyliMvO*+*6*Fy z!;YLQzFVI?yg%XsIXd4~Ej3@abzlwa_@H|kUoqnjr{*EoEd%MY6>K-nLw7-KDb#K| zl{Y+c#i3u|j9-rido zF4s*uXSEKOA1NP4kQQ~a@qFFDRCw=)14R30-;#7!L7iU@Mmik_GdUogoq%*zW5;mZbV8*bkq=nYIfLvhEyfsK4Ky%V{0i zj(0iR7j)v5#V4}wOZ7IqE}PrC@bP>fV+KCFm(o|N@OXC}Yd^q_Q;&#hxAQ4s<0Y1! 
zhw1K}shkQLr)!{;Yi^b6k1u;VOH&-T^<+9r#~*M9UAER;yitml$6X1nkS^~*bQi1o zbN$|1z=wA{_Wi0w&s)a5C8+hS?0CccPNE5hZP`}}yUURX+81@7y8DhB8;!Hxds@Vf zNX@qGN=tgjzmckk1)Lb}4wp5s9gpwmn;hFcTG=iw_lvpOjUMujIfINzzQZRD3*FaD z$KJb{tEPd4W<2%_>*}x7ixaEH_d63DH$|84_`Rx- z%W4cC&s{D393WZL6naEVRR@|qLEH%Y|# zy{-9e_~i301`m{OlksEtbD$|jM(6CYX7igb8UWDvena{OIe3i(c+wpCU>=G>qZMLM z0GwhY&Ph0PUNhlKUeat1@l}o6;|x=TenK{9_%?mPo3LTm-i)xuc@ShAWJI!v+cm+ozSY+M$n1 z6zp7xi7*(J#q^NUE6JJ{5;y#I*nPC?XHYWhg9c(g5;H@%VtHF{t5Fs;01jGuSKC~uvwRzqKQrvpA`p-+%<^X%5A z?CyoOVz7n*@{foWahg0ubK%0c@c;_ru)?0GtR2#LAChto26P89PbOZ8h2a`Yog|&z zTh?Ld-)IyVKkdH)6h@UvHKs+4facKFVs_;@mrq(&+G473p4dzk-SKD7F%SmZUU!D# zmvZ__7bpqLQR-4YuyAM61*js0w;pL;Z|+bdvm|{qDVgtwL?O=4jl==qBoMX1x-x-s zqQiUqDS?3E86|&xrv1OsH%3o>2SRclQiR6dkx0>LWT6rXBvN+!B^jbsk}2|7=SKzFBfR*S;OCe z3UUKuOw?PL$rUqH1l5d$WaK)a*pKojPJ7$_-`10iBn|^1MV=(B-oVPB=RIk61 zDs&;i)CEFJ7yP|zc=le94(2H?2Rx*U9>Ect;N6_v`qWiG$%%ltQm~HIKEqqKbScp= z92ZT4MPzDNA9~hZzgYbxgI)&-q#tM3O&%jws9>YdiBFyC3DY}FI%SP@`xyaw-1tIa zW8lhnmJvi*&heKsICqMw8S|Cuf#6?X!!iYoe$<+O8{eTe`ECes=DG8u6>1#nr^buF zqdkao98W2445;O>nrtCe_`#faxwBlb@*`F8XOFb}s|Nmv1Zag|tjv=N3Abftj;184 zP`_O1S8x+T1YpN5QF#MluQCQu;UWpB$DFQ6kWib2CvQF7yE=>xNhG0o&QMQ>yWllndL&d^VESj!w{Am!29$%>NdbrLVJbfb+N_umsAE%kyrve~SSPyi_a7{bKLlc;LxyRLLt?d!2=Au!i-ObIq-y+`PRh-NQIK3h8s(0J z7+8cgOehQ}P?6Sv!Pw-guVyvLM=1|3Wmezpo!8(YMY7(VD5POg>*;YOXwFm}P9;7* zCn=OUOt>HpeP4S>qhO#EsJCD~^*r%ZAyCPJ=m_n;HdjiNLwa_Mg8?TU*yHc2IKlA= zMq!urnqo#qdaKsJ*mOfwif9d|#(4jL#7ou$w}u))Vu`%U#I)vpVhwWxVWqL@*O^Gb z->UmlFW~Y2*BliJTDN@IBLb>)~Z(^Vl~cTG#PpA-II(hWC6}89Zo%?dzc^=JIak zWD{g@()+~nV`2F8;{l0I+jfK~qq^f=SJS2t@W}0Y1X2OGj5LW+*I$9{AzM!I-lhBZ z6qmI9-ZxF=Q)_3I}ve>Cgicx27cnM3<_A*-IwEs*{)=BlKYLc|n<{{fYf14tu z!s!}ImtFkm!2bH|P6CPE*t2x4GV!iEdj6W-)9_qyv(>8I=NhdxZL`< zj26pw5`TXa9HB$xyp&MQaG~-U#7xL$0}eiDtv>Iw2d_(L-k#fbyw1;AblY!Fr@F~3 z=iO~jvRnjj)b?vt`C9dcJhokpeQ0a00(b_qakB1~(Ppaj=&-JASHS{?oIU?7lw5OI zB)ku7;5ogFeSS40_e`||(hn~EHu?5{Q@o8UMtC9t09|i<3#1=qpLmYLKHbUpM)y96 
z60uU=)1XIeYycC^XJ&#mR-!f5T)I>MGSIw9H6Z!z`3QiLdsfz4uaOl!01cf6Fi?a} z04RdV_Y3zc;D9e^M}iCCBO`OP#?lu$&m)ce)2&DaSuei7QrWZ`p7&MA&sVZge=-KA zhy|6eArg~1&L7}H9L_Kb zDa1L-Un?feQjeEEz#BjOOF<<8T!Huj3a`oZFJgmTRI$5gs`x<`wYi~NZ9pAKpF!`x z$O`0H7m7|zoIxC&`gnPmKLP2HVX%ehcZNMvFLUwzts*kE_F@0@pUlk~_KO}PspX64 zt4j!SXqI`j{J3a((*FEI^#!UTRkj^(y?})*&zDr5^*4)gR!Yl|n}38VqRij1+vk=) zL~%YefLhHsJ#6f*S5K7$&I(Qfn7{E=hM=zDmpW5&Flm?QrQe@*PP3HdF)}MrFW8bZ zWu^wn7p=cQ7%hx(>0?r#k0Hf0-4o%TymNpyQdMCpo1+-jq+VZ8=1GQKvaeaKz*32Z z4=6P!g=dn&K`b!@1SwS>n;$vOsU9%LHeBlEgdWM)(V*=nZUv8Xq~5TXk1(kVI9h7K zPw^9K<7M*u1v>_Mca_Bp{6M3#5h(BvSXKq*a#Zvz-)W3SRO>-vNePLU3cMn&3OhJD zX$&=-i#3p;I_V+9aOF)K9Svd5wEaP0fT>zeWyDjcH?HgB@TF!TWb`{R-or9yYpIf_ z7xK+GA?0xIlT^fI=GhG%XZ;yq;=TAAK#;0WB&HN}M=vH3mi~IdJ9bNa%UT1~$!Y)) z^qH!+7mZ;~6FzfJH&Or%a$8e7u%>#;K8ly!#(i(;h7A1kdNC=5+=kB&#Yr0Dy7DU+elXz$c# zCCJ37wD&y+Vh%Z@SVLef{wxyzjfN<_-iTDcDLmC+s3OzgHxaz`o(^C{+l%|Bx$uD- zuIV{a3bt;zsw#+tvpgpiN*EwfpE@Clx^ngWiZp*1-br}st36%Y8eh4Bsn3H!R2#y^ zfC~PRhBg$&y-s|g7MER^OR4M|&rz;Cy)v3N(+61wVkA%vT|3m;d#*=y^Lg@alQ&3| z(*lq^_<1uZp_Fd@Z}?3_<#O0hmkbcExGq0mFm}`5M6;;Bag)H{jHUA6{$5F?;&B?r z(KktTSuFJqtEIi3At_w^=7lG~Nk2H^HeUJF6$OKwS`lGv$}BEtBBdtfCY@gI6+1G5 z2DXAJw}Lm=7F|?g0Yf0e<<_!YGpA>zRCK|gxk43K*m^5=ROwu%)Y6Hhld*m5QARLu zs8PIpnT%nnHvZA116Eh(m_AL?l)Wvo<>(^_B(<`q98CVl5fOXIKF_+zu!}P0{F0dZ zDHteilDW>hSPjZ@flQLIJRn#ZFDA_1kLJ`1u6I~wF~l_#wNZt;EwB&H#b$*e* zel112`O2&;x8`WeIr~|%kz>~$Rm`^(_jqp)!55TJzMw*$i=(SREaEw~WW$aIiF0o< z-;U`YGl=Ma<*_H99~8!m=*xr@aAHC6Q|Xv>vm)~b{t7Q%EJiHyZx;O)?=GZ&1um8oPDgGCuQPAlh{-+3KNoE?_j5xNEgH&!H3 z(d)*~;FcT@r^zLmU-J*j?}G(sJewS1uWJXARR-Bl1MqBWbdgL4UdgRYh|9Fx#zPO= zZHMCyH)}R!5jNeVZU8P;r*oSczSbsycnmk7(*4D|rHOCT+vy1R#jo3;s&gy@{qiNG z06z00u+ZkAWGZXx6^HE(UE5^mig(?0b7=P*oMBt{Uf7|R zyr%zHw=&^ze7<<;;cICuuPs7kNom~=yn1eQv$?3UE zm&9q<482Tn4n@ULd?>vV+&X-<~n=&BnPhL z&_}^4-Qv;uUxxA4IXD?|R`D|qc7E0V3HzmDqvVz<;ZF*KAILPLFo$7zZ7OL^^-@L4 z1`Bb0B1r@pVL%KSjJNt_I;@Aui4Yuwh$&NkXvXr@X#07a@LXlXV#B9_Cc?PFEW#Cd z1jn_5V>CXDyS`#g+%1@PTJ4J#acjbePf{}!&K~`#%&+oQG<9BdyS4NXaUf`qv1fKl 
zUwRvL0p_I$X1@4pto!<#;1BZoTw=xLGQ~`yf;1ry1;t*11;m@#Rp6{zH4I;TBL zNG3f^6C`{pVy6s?NDaHR$vDgERl&!a@2zenA(mB7foQ_@m7K_rz17&3E==wUcJq$f zb>V8?VvtMZkvYN6IaP|l_iMJEQ^meX#$UD(x;SFotfW)}ML^lD#e7*<+9KqQ)l9+G zs*nI|sob9T;Ae-%5H{l@`1M5aGtlR(_F!Z0m>wGu;rj!VrDG(`5DGmvlL>VS{HN6( zC~8kI&)~}MR#&aTtXqf-d`B6SnXr+R>V#3PtanKut~3afaQ6?)x(FJukB0T;lF6%b z3J^i6i7DL-`I%kgYXTfOp=1BVm1qw5M<0J0hTymhU@`tasCbR3#UBg?{Lz>E2cl@Q z?DN6;G1KqJ=JS#hqz<4#=Y+IljQZC^OmFxebtvZVnL{Rd^jug0G0+%fMqMSU7sL$8 zvv(}mK@S5CQcvnZklOnP%LoU0zR~aLz&!-;)0bN|K7i zadyJ>%CG=^K#NcI!VY&ogNT&0BX8v8r=ZNZR%L$r9amLmNwM(ePh~g>W}D{-DMVYc z_=hqhenV;!3qU8R3m)t4}< z`isROPUR&mcYiEVv|^u|ve{!%vPUsQu|S8BX;6(erSg?$&<)0pOp|0IIV!>);BZdz zjV1p?*VFI7L10=ZF&b-4J|p6k_oh{v5hL+y$$%0L!*#6syvs`N_s=}!Op<*o)|#DD zeax7UA$p;~evWMOC*@()T_Nfy2c=7h7OI>@{nDIS!qOUV&ef=tt5?j;pb1)-*m`XI zdRi!x&z`803bTPm)f79=CEt(IF<+H^mUuPar~BO+8>n+y<~4UGc)k zr**#Ka^vvkQlqh;`+(+r$NX=z5vp#Sh|H$zuqs)u=VNm{nF@E^dvEJyns>w%wd1K| z9>iz$*<(7|b1zNZ0f0EoNY zPk+eLM8*K)0;-qo6NQUq^q5rbE$;!onXik5lAeFowVdB8WG$S`uMhHrdGI(7`X?>$ zl(U&rJL@mW(Q7RkmZT~@d#%_6KEoOY={2841KAl}^6^dau_I!tLWzt}I z?nF=Cw4QTn?%I!c!gITkGTD~-P+sP_zfV~1y4}}Iro+1%|Nf|Cc)3FE*y(U>>i9M# z$&T1AS;=%Ea(Ui1Vb-BYkj#8qh4rrX_$mm&e!IUOGfBMLmrObCe7@E8nB=(}ekZ*+ z=@K#Fa}ILditAAwvuHBG)2eSMciDzx+hVgR>9R?8S)#JQtKPb0b`tP2$zC&EQQM;^$7>R&1bXtg7`EB!dcDrbVRI}9FeXFXO z=`$hP<8~g~blViDJZXBh`_JnkN+r$fL%V^=2dD*eyXR`E#l|>e`aRY-_-%j!{(3?q_c-;0Cl+32`+k#H=v+W|&G&5b7V~-aki$qm1SYIM ze)?#q_w`rn55Ui1o1B(BtC{jRP-m_TL>i3fNf11FF_|6X#2gI?r4TabhCJ=}kvb)T zpdW*&U>TCg>KHb*xMg|3Ly#S(qNAM#kZ|WVxyw0AAaZattNDY$@=&?fY{ZB-NtM2B z3nD}oqgZ|#clyXX50yGqKhctG@0TTN*e}+Y7R1fFTXVVv>V4!2yw}V>j*N|z?@%_& z6cQ0x<^Id<(O^c(3(Lq*ni4CL$p=Snc)t1Bw9D(RsWpSxt5%B%QhYo-WD*aqpkZ8K zoN+bzFx*vH^p|j(zrv)$E6wxegbgwyef2|K+n>7pzrqhUBr_7)+E}Z9% zyKb@n0P1__)I^E-V{h;bP1)cHl45r7s#Uchw^g+eOmNTn)hpOO@{G2k`T7be4aU@i zE33fC$X2DwVW>Cf5ZrmTIt`ML^`CiACCix6a_FSTQgLNB{3ueCa^A7W!d5Ly1Xfrs z`E;b7aKP;|@K3wBP-qo8r-Z$6`zksCcOm@I$4u}b z4C)0K(njqvJy@k^XaTySP+*;Ng>G00y 
z_r8Dip5PatJXz72X^aaqV>l(86i;M(zNyYY<%(isD(OHLTT-l7#UDEJ^Hj&bO$l~$ zS73^ys&pMua+2K&bw&mSHDp*$_sN4my<%uTy!-#42MNbUr^7{|F9;YT*yW8@@YBkR z5M>3DKC@GCg#j<<XpVq%KSlyaaV?MMlbiHj1r@ zE?@*@+QFgqbP+^@}sVd*er zn*-w@TT+q620AC)6T1Q$3>8Kc3Pv*DrHMtX1J$W8wacL@$%P8$IN0uG`m|mViw*)O zpU4L_dJl`Y1X_+QGxgth3e^!vDK9tXicGpuR547v44;)+x?d8l-gw%y7lZh%+^;Cb zeivH3R^Zu4{i}017quY5)Tko_(>tv;;*6R!;>%E^Jhv6aU7C6$tPW+BM31J(Ij=Jq zy?(S+8%2?cf|u!$Nr>;i^5B!p51RQd`VP-(IwUAjtM-=2m(2>8j3kDrv@$k%H*PZ{^GkSCb+`NV6QQj+W&_MGmKrj7jH8)=8I# z69v`&8%av2B*3cWuNH;_JFxck6i$>wF#EIePWJ?%z}oE1bG#&VfqLY2{M% zhEu}5PRDlFag9&xna+q$>$t^3jK@>#5pKKdcBPfBl$R^5&uk_v<<0ejv(JFbW%S3tTrq z;>e87^JPKQ$_=|s%G_PYw!^?__(IB-QyBDf$6lDEe?-dq!@P@(W{!^Cb@GR9yJc;W z*CI)-H%R+@bwLFl*V}%CH4h|X)#B5N)yvP+@v)y4n5aOZGOK)9^OB7CWQ# zHHMArR9y=|i`V@Pm2LCni$~Vx*yrgL2x4Oj0H23xnVyQDCHG8bU*X$< zH}f0z883*Upk6{6!U5@i=!@+8hpfFMr(d4ixjRQoR|ybfc_ySQZXka+2yv6|LSPTUNFhQxP* zp;tAZee_6@hWdHRI1Pg!u#X5p8>|h z2>&Fp)^|*#|^=n5lfFB-1 z87#a&NCm^zs6c~`o;V5~TJ-g;YR@i1zA~<{nPX5?iE!#v&gd1dOUG(VGfyV41(vlf zA~mW|W7+$4kR6^nB?x?MC}zy#^Xspr6;e~&VqnmGp!(%+PaTw~Uu5A&gc3;18OW7; zg^OsEZg5P$I?T}Y=+ZQ9{hXI&S%6FVER7LJYfZ!Y0gPcqwy=KNIN(e?tW8% zd1(7RiqMP!=l<#dCM!_-A^J*9Lv^r#*GWootdt%)2oSRUaauHUrC`oD=p7DqMlVzF z*1civJ1a}k#~00qOq3h)j&6+i<~MMY5V9Xty~8u=d$)CDNfW3Kts{Op(r!3nS+Xjk(KQ z5}21G4PKQdN=vUFTn0j8f#LsI#~$W1FACVeB{l93qpu{8rydm~4kNjXI?>F*DC? zmUoff;-hy5VbfL}S>YI1L$I%gv*y2q_Ez_;zP%Apk(`x-PXp%x~=MG>gV^Uyq6&YZ3?->xz zNHN*hnt)?uo1K<&Q=RE(P#N_b(i|Fyir4f4;|GKUc`H7q=+_{SJ3%M-g(zAeU@T+5|H_7dbg&4m zo#d1#-N+;7b=uab#i}ST)SNdcoGhl~(XNXBx+*BIK`pT&UABt8oR1M`8T$EFJ}qUI zp{%=MP~F0fx46IlmPLO6t7UK`t0I7~H(kw!$>4D;Wiiu_$B_d{eVmY~*E|FHn&s!I zxRB$qi2wr_uFuR z#^dLhFL#EsfHxm4&jRh2EuN2fhx>gGxEY_5zcXKi?rvWuxatohEC@GTmMkDbHN?_h@(RI=?Tr(I%rB0-jddiCmVw7p-JB)6{LAoammLqr3Js zKBhH&<}Q41rqu&~=8(kcC}|sAmOc6753oI|Ajbbs>EjNc7l5~9 zYJ0zOEazI|WpwIXvW78IcF5;W^W^9q>ciUknT5;pD}rX5+t=;c>TjvF<9;}N&GFa! 
zXjba{G1*rA6)!~4ij`NP>%v_Nx64ah$TxG#&Bn{CEZ}`V$1Vkr^JIGdaw!<%7~8wq zXT!aN?qztKZ{_D+eA_E73#0pL`sE^{;n;Iq+HlQ%8s#=J)Ad9)cCpRvz9qsN1^^s? z;(h)clmnRV02k!C!#8iV{o1h~ZKj_3i03eGPu& z@`vdxNwK=CnFa~U<$Tix4MNuR?uHS{iHuue7cHUTDX1-CKXJ)R1qRVeMROAtwXu}4 z;HP^FOpsE7aHjnE3u@R)gN@Ydw{^(h+pxqL;OjM7=?AhcP|J`hu~^9%s*fAIGDk2U z^;c@nMuqXM(gvm$ST^cTr92@U4n0a zaih3FJ`Adz!jn5KnhDDw-gq}Td>E%tA=cesrA9A(#ZjjgRv*>9+Ps6?@>vYaq_l=7 zT_gXp^pZnZFt6SpI0KI_!=`Mr)!^8)2xevq=0&#>f5(o1mt{e;>fqjOi}`b9%GkU#NJN7O6Q@Ko zISJFCEEDZPvN57QYy}@Sw7TY#rbG!VO_VU6DBUnqnKiY9D5W*eEj z)gkY4&Q{I}{-ve-MPMb6)rq$>-YL7<$a2jJQH$-3 z3K*mPU5EUQCs=7g%>3>kcnPR7>y7z>_J&M0`-%D*nHQ^ zS}WMWjQ%k6t?sXaCM~~;RkVa3xQ_)bEV!N_4Ty%ANX6H1Jr<_mae&m*LJm1Y{COqK zYbU*GQmBgx?z+Rj?$F1y*sG(7#0b*MHEy=%4+>O~8|WujW@$)Q4GDlcLTS)|EX5pU z)+xq9Q8i9SWxdwy(n}nRtRhwwC6x(TigILHnVB=A(+u!}zJY`*W0w&U8b!l(`$drw zftXP?ZrO4HgK7`d15FH+bQ)`EG-{1_a;Jma?8%TuuvFeZSgI_eVBL*YTR0~P{5969 z$0;^8fu+|L;hq{OUx3JyCo%L(lwpEgou)zZxjcw4XZaq~;z3Oselrp*O_?nY^wg4z zDpuKp*f-~OMs9!V=c+tT_Fb^v_?Yw+62nIXFwt8Mz#^8E#+PTLp5AqmzdRz2h*Rf9 zM)6NgW!|uDuxRH-KiZJVIls-)XX~ZlZ3zoiA#qL8n}kr9$g$3CjEfpkPE_Nsw7j~Aet}7FzjC8 z9~JI6VZ#x?=(n;D8ocgRv*wp4JXGQ5NnHnK7GGA>L5v)le}v(yGWSlMZVksD68PDk zmG%EexiC)Nc9ijfMSJ4D17;=xUN}Dk_hEksulnug1&=#PkUtYYj4mD!@SOn2{mFNw zsTjcsGhn|#UG(6*o)gAw_w;9Me`D#mOrCf2)Yfc6!@H&Sp;jKBz&z>DJ`AN_m4e&MN$q=V^F6p#ALear9I{_P1lxZO;!6 z=eFb}Jm%(6%hPuMa6p%DFDpVf!)M7k1s-b}hp+YW&Ek3M5nDgaB&XGGizm*hANH8L z^PFI*gQ;thPRHvu{2&)%riah&0vDY(m#_WIY2#DGRGZ_&ZiDOVn_uTf#O&F6^8t@0 zL&pkm0M`_44bZ=S@NxIJz|(HhY=129&{em5&;`6^RnV#%-N0^pR6g``JY;WwfxcW7 zy9|!^*{z8f8yWrjU*?sy{dl997m1N zx~Icrf1*Brc3^G(*yd}leb(V?w2h0PTUz8EwqK4tU&2sBQB}5uHf~AxlKR&_a4+#( zZpZ0%8t)pKK4#vxK=?Eak65bJFSeXE3UaJm&W(?;FYmUUZ*)Ir-SN6fFRi&-H!ktA zo6=h^pwb>x*DP+4Z}{1~bai{&R^DECx+kmBbY;RN>l%6*ByXC|Nd+9oDwp8B@v&AR zxM$gogIb>1@7hOj)$SsMTCz%`Y)u8)!^?cE6`=?seo8)ZUuPAk&7ozeO z!B@8nYn(9cD-)4WuC_&{-#R<4sD);fr&}l<%ui-hudGmP zBLBs$AlQ=*s7;a>i@_wSfXWLbc3_+oOJ)6yNwQP5OG7r43Wj@DEGmP8LiuH;%`|9S 
zPLD17*M|NQh&zg<6`=~o!C3h=RqP*^{<@h%RkTvfM}hxl6qm6;%lV}vxw^rZb=F)x z3Ubn2I1_>(UMj2E?<#hggz3J2ns{N1wD(XfrJ1MqLEaQF6{!@X zUCEl~MvP_M;=k++QZIg2`%B+929f3G&msz}TJLdiWJn0G^NgQhSnUq8a5DEM^UMmS zSL(Z)1ePTT#(^JpauugLrrQ|5Q^JdT$D?kB%@z+!nhhnJE!C5$ zH9>^v2m&#G2WI~#yp3S~+t8OEIFR2pF)vsKm>?16r~?@n&>48kL)s~~-CCoCP{4l|t~FAWs>;SG~UWCNH55t5eq#D0^w)%@8$eJVy=?Vor zKAM^8oj%Dz$-c|EIkiIA43qo=Ogf|eOhr{>M15oQr?q_N&Vk2(Qr&Z7#&IK2KB#gT z0TEWPI`~M5Wx@$l(070`ry68U(44a$w32fci#w%1E<5M}PG<=dE@gjQ%9}qb;!0n% zs#sgx8Q7iP6fUBUa>IOJj|L(ar`x*dO*HQN^S!4nZBHKnGzQrDwjrHqDC3MFGcTrM zA$3Y`LT%&_11hM#fM17WD9%!-Spn}7s8MvW)HYoiE>el(ztoD$i51x@0EzlXWD9)P z7C6jhYqT5u8wzHvb}bd|9D_ujNUS_UT=#dc?}I+Gtkk%UY;BV<%i=Hr2Xc{l>L%fm zeKkokm0T5311~=dELj#tz9@rTTD+`TYWb;X$JOpoFvp-C)zJT8>a3#TikfvB zAh^4GfZ*=#?iSqL-RTf4IKi!PcPF^JyL)hV@4lRK{(H}TsWE!&*WJ6u`l{BPF}g9f zovBWk1%)%Ykp`=z5fAAN@OXT5+1kbC-75?gI?$GRVfwxHBTFOS9Gp%6aLb?+zg?>k z+#wKLzt;Zw`O2act^!SH{c{R$(FK!H1F~p#S<1HaORR2}_GzDUcM5Li^WRvMV)vG{ zN%s?(68?>ehhLP7>GwTzYz+(S@`C?cz;Cb$6wkOb0B7q*(ABiL{{Wy7`B2z%_vlLa zTXg*Q2n@6b_;*+^EV#G(3rIYlMNY+rND}M;=CuHalaAM;4pKS3xE>5wolSrAQ(y2` zHyYVjS!_CA_}GCiUml^37)Tv&dtT&ct5qR;-ynM+e z={DdyZoQ>ExH1eJ0s2{|*JQa4C)1ONPcM@^kH@ZecTeXqwLeVHu^xS5{&uCti37G( zQ<(+)F9Q*qxAst%?cLK`9Up&rT(5gAwJ66Lyash?mxWIk$@)9GTc%e;c=R#>4}T z3~-$2Fz`9G13QAzObYjCMl%0MgBi=gzplPg(R=F9-8?n5WEslEOwNOz(-XUVxVqtJDDZho>#$ z8E;WcT^N3w7xpay0H`JqVVk~Y1#p&dX(-+0F~VEI#CJ3xh^p`7zZh!d^L$*xSQ>By zG|SRl*1v$gG2ACsqgnZYI>dQ~HcDO+ZT@xG9nXLAN}0|7FvuSjXuct~-%r!XpFO2bz}>?xxp!s%^ENboaT7en47S$Xp0C7477+O;-%tS$2}_4msV^K#hhH0 zhglNi>ti$7vQupDU&si2DEP0N2>2@zH)P1|2UQ7Oj%Pi-pHuYC1RX~Tj5ghB;sndd zhH03Hc?P3%D~W2B!j^sl>x)_=;!)j9#KKh}Jl+Pm%Fk^171;&zrJKe$>U^FY#)IY*>riX5cw{h*w{d+>}tCgtZZflIsD#Oxh%uM zSwr+Oy#BA8&(X;Z?St-nWYqs43qzXyLMMI_9oKQB*xi30b4eSB?a)9iD=O!4VC(x! 
z_MEh~6uHNu`13Q02fD15TZBa-Ajx^_0%g$fQNNQj54Vb##dGk+)UxT@Dnh!DMX5OyXOqYO_O&xj&@nMFbCq zU)bza0UfY`FI{SRs^5k`lM&6E5>>^X1cu*|bW--9el_vh^t@Q4)0WD!O2=e^dV_Gu z0@140zDJT$y!e`fG-i}T*_e9b@r!2~X#xe)Vl7ut0ux{EoBh9c58w1PUl0zF_++gGSr!N*9c!88;1QCHhTEuav}&f5xJzYK~(plt@Zcv2wg-=;USA% zj2aam^uv!rvFNm!EZ)r_TOqbg&cgL6DmWI1UL|Ebl=aE5L7Z<(H4VJYx|ukc91tFr z`st(XA#{=vOg6vC2gv4F{3f)n!Ih=TF%%%g(5xFBZG_x7Pe7u_zI%a=?QlcU=~wAk=~q)P8{$w6!3w&X2w z2ZKJlsvt9sKVko7 zw=D=XDvYd)z)JJA`+Xgj6s4$5|I3*Ti?w6vvLcxaa%Ak2&)&y=!fdPOB0E+fo9&XW zAX}7puffO}m7I?Tk2HB|(@7QST3WhF9v(3@gCFAx6JH&HgF5X%B9wr0Lr6u6-E4$fC4;m|J+E%nnVIlC^D?* zj%_iiheAgpF^wYfxQ3<+PLySx_5Ul!^1Q|vly1~yX(veumury`p*2qSytidC+$_!ZBgt0a%e^(thIjO zrPuMe9s}qa{qPEW8&&Mt2TOE*^dNgd6UwYZj&}g|k%ik~0MiXxat{92<$5IG^DAuz zuupJ>^4h1aH3ED$=#-^=&>tQZ}(9B@$b#h zhnlie*K!?hL6OJJ|fqE6E8{rHz2`@0Kb z+}KYyu38d%$Hz??Cvv%x8gDB0FPGky)AY=zj@Q|Bya7gDiGrlve#1049eP^^?oKBT zub2nXF?Y;eAfOTZIwNODj$xAChp5fvE4WT>Q}^n#=YT`l{;2&5K)tu!v3G+Tj*xk^7A>1bP_o=laMXjq2L(khkRWs8O{G+`1;RSZ@mN^5{=}{N->=S`cz?X`@;mp7KRrnoXT|>zQJh_>_Z-BeQ3x zevFyDJGi)mZj}-aebq_3HgGEtaQHICgDRD|?4Asea z)XCCW)Chk#xS&joGh&aKctv*#)|=7_CE{(@2d<5wVYVgO)Qee#rLXD~LUb%_Jd^UK zs0$JB(6ph{Dkog8pFQ>X&zhF}HHVcR-1^AU9B@tM&uhPgc(8vAnu4u>j9bjN9C_M5 z`Zx1%+z)#sT&2xpTJ2wsFZj68u(eMf@E!GYL?||x8?wlksHotIWBh6CQf3j3^Rkg` zLnAOf)6N_9)eA6kIBGF=;2lxa600{V{kSkvb#N&0zthe=l&vHTaa=+NuBlM_OCn?b zNKY!~l&x5%?bOL`Eyw(tEAJ;jCofALTzHW3>({IKDMgwA!u&grHjzY8uL`2CAZ@tk zrsdr2*gl!OtXY_~y7dp&AZmH!MF>p!HoS*Q);OE2gD_fT44^MD8Lb5vAgYt7gs;rVc+4-W3M4NCvTw~aze zpau<(-4Ep@URXuw$C>zi0%>*4n|p?bKhWHK}tfiYNj8G zR_2rs$g~zqSIg~rmJ-Z*>#LvR41{~Q>JEu#kIpNkD*3WImHqkL?%2k5AR}~d;8<6b zCE?n!WKxuKCC}hFP1UQS2)n+H7-z@mWP{L=r?XUAP?U%5=@l_)-9K?$>(y{fXW!aOD+`j2)oO+LhPD8j}l z-{X%jZ#WcR%e?=8SA`|;2(b85HsoFG6_u?W^rRCV_c~3|t%NNM0Oz579dhPT%+Kio zjC=~B_C7VCSTN|$1QfH%v)~Kqcc|_4$Ex+1al=4LpUtf9xj^YF_oobS-FAIcsRfhn z^KD9Z*R|o9PYr0Ih-4}WP7ba zZ)dwL{;G%tyZN=`2rG8!Zu~on6KdILJ$t!3ifJ-1(m&ffT3)-uara)`s8I4Z=}&d? 
z`d!8Rx9gEiOvv|9{CfP778eKA*8U@O1l< zX`gTJacTW_pk#u|_q8*ipmWQi%e(w($i&ri`bBwxNytL}@?MzKrI9qiYP)rVc5t5A z&#VLdSNN)KotaKZPxvO}?vv8Bx4r48WR!ik&dXn2VEDY35$Dj>H!FQLZe7Fl?)9eJ z;EVE_al5sKO4>ZN`YPzQ+_P6D)xVsc~WWVh*!SmV+yjtJu3-R95pMJN55&4BVpeJ8?JvB^#F_Z7yiu^K*ohxFF7ji&tf&3(|V z-#_%b#iM%I`@m1hCGyEw@)W3FSGqES#BVkW_}>k+3j~EZBK={-1p-j-8{LpniCDbK zYlGPnD;THN(*`?dKM5%dQ7_plmB!W z$g!61?ckFEcUKJMj=kLn@wsAjllti{ItmAD#ZSiYTU5ozbiS9j28A?2%O|=?bWazm z5S7z(Sx*UknaYS@S;UMlSGawx_4E- zLXC4KJ6N;_4fjIBC=6bC4x38P_UG$Q=?}xi3yp8fA#QW=c-YZp1Q<&CIi~u8*RYNO z@!_UFXjlTNoy4ylxoJLSbTY_msw#14Mp)r56p4s+tR$&OVPt!@b}Bm#rIYs_>!gpN z{?vQlOEocrSoGw7VPp;>?0>&OC`eGur2vD zZ6Y?3R4liG=z`Dq?5qf$P2~mVtcoGKg)E*8K_qqf`@>KuFqFfEwZC$Z1Y1f` z&_WLw&y(^%f^!wps13r(#?8$>ybUG0zy-l{sO#1@4S*+EHW zD$PMxL}<}PK)vZB=3a=3(BXL# zUZVct`CXos_57#;V}_}2sK-{#pGJO}ak?PWrjzv?x8ytt8jA9)XjL{|Lq3-HUpYD3 zPlPt@=;tI&6q+B7*@a)+|M$KcrU3ra}x!FB;ddDUmbxlYY1T zBIENRbdZ2Xk0$igG@)?U52fj+s60)-tzDgJhFEgR(2ck+4mEXJtHHT@@ec_F4(w() zb_!&{qYs*j5?DJjX)>IoQPp8qC%NTAh{?dPhy4_-4$fetjNzUm{?<3UCv!wd)t2eV zMX!>RwbL4Xq2$IsFNtl!m>*>|p~_EPsn&EdCf*9aqCYp#;c3wS0=_5BPUFoI9s;m! 
zg@gL3($nue?p48gO=3FQ{KV>$vG=-sbDB41`)(8sy57iS)$zjWyTRan5AT*uVFNC_BcqiqM+f0~7C)#xQ9t4D^ zFY`>2jP}pCnk14(VH=6;Uvam4v9>(=w@MLiJ*z~g;Nd_JE1bIEMb@*r2vre zv1<8Znd0=n1@wfRCQ-^<2%gvif299c8xHa#avs9%0l+~HI{*4LqP!!#ApDH_^74kt z=k{Ct2SFJ8yU|llLDtLk`*X2);9Za6c87($(}ib;`<9s3hQ)=vZN(v1fY}xVqSps# z(f({_oq9y|^M0)UDtyZNQ=GbcNbDPSUd+PKJApUxtIyKF}}3Ow7f>mIfL zd%JA(Ftu%<-_)?Qe%AFo@w)AQRt|+4V0wTJ=>EtDG7H>?uzUVkG_YC;*v|l_Zr<*s za_dMqwVaS#X~yd9&Z%qXv}_(~>$@y<3NsM7F!@}<fSTN*bsI?8J>YzH;vFuxhPFN2i7PoI;dm2_Q4iQ`lSPQeEQTEJi5@Z0NA z9YJgF>z90=P>)0}N6%9iz>f>zY+y;HA%9?}p0@9v9`~nadEq)ZD)4$MwjWyh;}o=5 z)4mVkgL(G5Pko)ysKa%2oJ8*+K6b8I(VJiArosu>by#+G{u&kRsSm!- z^BFTDiTC0MsaQ%^-wg#n#nr5We~Aa)Oue;}&IfoLfS7#=(-k2o=PBcggdDOHHZ5pu&r8<`|UA55rEqzQuaR09&Kpof9z0sO*3=`LE2TsLTHD(QJdIpG)4r{`eoTz!x~pjYEaGbwf4q2~!04n+9jWZ>rL1IpBLE z+5yC0)D{BboW6Npj5_sDEz0c3gFFoipKSDo&JN5Fm#{N!DTHM<2Wz#(G2WuQ`(MTz zj<)z@PVr6Ix+M%Om!fLpZs#Q25C>S>tZ4P4sCy>4qlQ+$Usz5Gc~UdWp~O?pcsNbf z25m4)jdkG{)vPIln3+ptq8+A=oxhr9A{#vKLaR28LBjZ4l82|e?aJU=1w zj$Z2`O#)ZYjLV{i)d8{%{wU+`eQZGsW7kK z`|hdKLRcN=8WZOi);iD(3REhZ%>P!m;eXkUZIFiUaqt+fm^R2U{5niEw3BQHY*V@o%A=BD*>)eh48IfiB7Rw z>KNe{d(zS0fK-*66jn7T^5i=~U?iMAem2xYE@)_?HmVtGo) z+|NELd+9=Jm+I+7s&+L#@`%^BzM!gg^@~Y}MN5B>prqDQa$H*(a#qsYjq;Exv}aH* z6P&O{_j!(ymUec*a}+oJa5DZSYsxDLRDwfr9O<7eDFg4~gs(hbiC132Zn%2}+>D_^;g_89fi_fw`#q$JWZ#dVk#0}3{GNo42O+Blx#s|_^4ZT_2 z2FKS%M-c;0iUTo-shz$(A38+d6ERk({^~Tl11pNJQfZ8ZaL|t`1?2pD8XS)S^5|?3 z`tGiD$P`tEEd!xKl65*rWPLNR&`Bh|T1W};^Tho9#&gN*pO@NA&69KWkq7#}IU{`J z?Qpa+2|AYiwyn(1##Ea7l6POIAhc|}F&q9Mj59q%sts0up8-g4XTF4h)X%W~#W|h9 z`0E?B0JN^uYw}D)lU}t1O{ufC&;Gr^uxRb68Ql$FIJy)C4oTUnl|%4%My6brP)Iz^ z50!2?9bG^k#RXU5tf^5m9w&`28#jmW^+@3Ps#uc2S++>v%21kmM7Xj86_5!czn95A zupGs}w%P!A)P^OFeO>6Vi#{A9M%$~yp`f(ljY$$Y9k9?ltV7UBknD2j%U#-LXX6uM zY75hYH)ZH}xe!y&n`26we;mD1qK+o^)S@PQSfB0%GpUUw*~`b)wdFWk^|{8JahL~c zxD{IrXZ9E@IdX+D+Gn7t+vtZHQ%x^<R}x^OPhQ{iqI@2p8V32|fJIn97K`D^w+<>QKkB?8p`a@74mnnebh z1A1(DIv7RY7ZeU^fb#ejUnIOIToO?1|H~LltcVpUN0z#_YL|CLiu8JP 
z4ZH!E0rv^Rh4o!aKU-Z|ecY>ll{8KWnV(q#SKazMO~xE<-$vn1ZCkesqZ)0vRZJ=w z&hS0lfBvs6m?X2`D@dc2-^P5chzu?#H=pVhDIDTnl(X9P_d&=M(YYE%}-*WW8gW5{(mZy_jb#Xj>ncK#OZO^wfaRP@GsH=pDcR51uT{R5r zn-pDG+g7W<8V)Y+0{0wDr=AXL64qZ{ zla+ZMkFS6os_z5Ft$F}r+&B?soxp~dov|7t*G(=%=U(pz7_4(}(0l@b$v}u<=du1=yE=TB==sF|WQQ-Pa*|GJ+Hl4#0yEUsp zCd;tZ=w&fy!~2nh^!qgR%n&$Npdv6=fL>&rxcOYt$moF zopOAz?%!%09!1VRJWw|SPih2P0B0p$-OkD4`g&_uo1|M@UY`e8M8uTM>+6qkJF_O_ zxYw9(=YjoQu+^MhGCtR_^Km>DOfU3L|C}atPFm-=*R?o8=}8_l-numTo(Jh4b!?jY zNjuwGo;a6Q-|*R;oH&$UcFoCPNp^QwZAuNZ*O1? z{Eq3uN#Qyzef_rUH^j9ENFK_j!QDe(05kYq{z13_1YV5>Go=EV9Az-ymnUhZY!HDd ze56Oh_qc4SRWqA5R5}yfa%!>?=F|Z87yGCF_o_!$P~wCDltPgO3~*F=UoIithb*wK zA$ZWJAN0s+Nl_d8w@N%wKY=#zx{`x;zGD0f^9}1A1RVBpw6a}HME4IZg_`BvBC!c` z(5qnV)V(+6!8%5t7&|Eq1F(!Skc=!7|C;yvrrp8ApSDpbqB2?6Z0;F8fhhJ`4c8s796 z-(~9wff)r7`X$hroyvD}L{gvbbg=$!3ihb(9J^Fd+jnf^)%s1@kgw#!c&Lk^bp?<% z4M)A|6;~&VT1aMw>bVHeP$lhM1``8NO!ip+niCPsmj6gsbGcB{2HGyn>Grnxw%TGF z&%&=r#h}k!R5)P$6M^!0sD{MEIk_bvpIQ1^!`83Ff}&RWM-KTP`VY0Ql@hNf8grsQ z+x{R&I#>wU2a%+!K{`TeLy3AKF8l~bTVIwHhwpJ6!i$E1 znI~?rb-@bbji!TB%dVoaHzc!jP^Ab!!I}B4XYW-nn!0nNi<0_|)z=h)Qj|hYL5%n{ z7e2^@?!gs{Gvbv8rz4tK#siBqx)vfvJ0!#KA}!C1myUkAuoMo_kGExxpN%bl%*53J<}9!`+AF3R+V$QMfc<7YlM+Ky5wCoge&{Gvlv&#AZA7AtG$G zj&ZMvHarP;l8us$JRJ+fKegyZhh-rN|L|6Q0z`sQp-mTH@$DcN(9m!1(~9VmC`J$cnvSf&Iak(e)Pszk5k!8VD? 
zpWG%ql{tCJQ}8_+p4|{l@s`PeskcMI!#mVcmw3V{o)YFfD1Q~^S|hg6By>zvypc41 zUz9O!M>HLpc5J`ox7}l!X)B(RpU@gvl}%#S0^)(Sh}Wo$nyc&AW9*iMIb`)iV#Dm% zf=H+RBG)4H-XdFgVni2mtj$_=CUm^3)XAxlXvzt;{lL^34&!D-1uShF<0^Lo2QGO& z18b4Vlae2FU%|R>X72{x4mfm0_x4vUs438x)Sw@4dEN2yq4Io-{?@{y2_dVOJ#`#3 zA)BHhU*-eh+O(*qIbl-9v@B6{J5nPvRKtn-_gzFWN)XhpQgJCIx|QOqXGW=A%VP3r ztvGR6g4aLatl9KRoTe39ILSgnR?EC_G0zHMsd18m$^?tC z(b1_XW6g4~mMw*jW6T7UZuLfShpEYe`=q7znbk{>9&UQGVDhOk6SDa#f^xRV7`5EwQ zj%+Ng6wp>2vF3Asf3VK|6y5V!`Mob1y9CUdTkiasyNJHOoWZc_O2YzAD=Q>#74g>s z`@*wRwO?nm7;PQ%g8C2CkGQ)?neB!*P1d*+{s3wVPkaTj2l9S6sd4kdzzS}Oe$lkL zGDDOaF1f>rvk^~r4f-^cFEW?-@zN{ocfaAwP^6;eL(^9UvktO!rqchn5CaIKw5Pj& zJ_w(zzI6*{-psz{+%b97fHuwmD&LVyT=0Tb-@9wTqIt}wAE>bf-(l2k&W&ooyzi&W z%$th5wgq&(fi3*tH(|r4b8f@;$EN~%KrPbS2G#uA(#JUTQCDN18jwq) zZ(lg=?q3^sjpxdyGRa)W!yY1_VF-Tu;$;#R@EWuJbJx=8oMs!;npL}>OoOacjtUBeeQWy3rZW^GYAS1 zTzUE8?>pFJ!`^ zBX&LRtRBN$Id%+rq*K05A1u?o?@UMoJiX{TZYJEA^vqW2=cltk|C++>+ZW8b4P4%e zl-qXyIlUdFYQq7VPamARTGlJB?wd`t^mf}YLC*!-n|UAYX8_w!H}L(#CaRCE)j{J{ zjPTn5W_x)-LG)wi6Vc7mV;tlAiw^%gC`NPI->z&Jhl4=XYo5K0Ur=4Jn#|B;`?V#m zO#X?%z@)_m=EA9cYOLn_+kAKDSbu86C4sQF9Uz41P& zeMmH66a;KpVof!=sc6}9auBp4|H=dod0(K@-gfWLC?R|623#DD*uIr$ufE4tEm<>C z=7zfud@Kv^FBK`1R_8K2n7o6t&H(XougV!|G2ooRXYEtKD=h&@pu+82Xcbt;pVSAU z;x7_gVnJU{ErJbtzo-z z+r9w%U+ihmqy@hrZOF}P)00%xe{-;cDw_XROeH(2L1zFv7GhBh zVFQ(G{C(c-o8dpPnrb%42yB8`bB$o)2JF2y#G`WTl9JakG>!2^7FmywQfR;4Qj`=A zp#umhmme92r?%CM?Si^hn(UpX{0A}YMS()se<{?p&J!4W$k+EZ^NmmiMsRz7@z`qX z7Jr#4G&o4_XxTQl5s(@nz{fpB7>->}kucK`(~dUeOjJXn$Ba9x>x~S=`4`Xv9Hr6> zcYNT4C#$zUQ-1_hXwh+M4L1d@6o16pETRt?Gsb5q^unZh3r?Eo(=Q@16v-|}xlr}9 z*}&Z}C|R{pqRSkxdHU|~@C#LW)6Q^0^{<11{D-hh*itlH8ZxF^>6*%H8PL3^2vXYTeg_g$RSir_VOe{MjXD3Ib6%7?C;;ii= zQ1Bxe!9h%?V38dxE<(V}2uBhnd4!j)gtq2|KGc(%!;B|5YJQPZW#TfUUmv#UQlKeU zSAcgVJ`4BxntP_8l+n{n?<&W1q&%R3hjJRKtPW1pQ#d!v#oZ5aG~xgG|) zm%#q#uY0)7Agj^O`8obf!aaZ;C!xX_ZMdQzLGD-j`Un)m(Ql zqtq%+LwRYF9&)1GMamL#I|{w{ni)RhCmFoG=$jC?VxcO=SRp_3+x z-H>xh5?YIwFfIDzdpvV8d`9_Mp!|H?N{Mv4xiO-W^sxA+hM{LT0vHXD>P%*r 
zHW);r|JhI5YU+Nxha`QlxO^NzwP(0_owCdC^jOY4JsSAU+~ z2ViNF7}0=spWZs$mw;A=ub1scI#2NhT+hXRJH>!#>PxBV=0KsNJ);@vny$x#;q~P$ z4gt%=v$0{LXHe(Whhq!r@|D2rZC~PNu#QW-D6H*$zs&z}P^3K9`NmAtxyU6CegU>~-8Ab5#QH9Hb-V4~Cp$3vIhP6ZzUezpITg>f`}+lt z7q6JSfVP?pb`HALc}m(&7GoM}WP;s(hj+bXV%PXMO>a82x^X{+zmWpQY$w;3{2waB zhJM_o3s1kDQ1RzNy+t|7cotA3id>+7}eL z;o>Io=}M}boLio@`5q9!d$_=fHNZx7*ECASxHi~%`!mt6tbJ&Io2USK`hmVw_%3`* zMYNMt=OlKCLey+O!B~UayD{_^H@s_-OO6b@&Rt68D}-C7mTq?a zUTPfQ(^}S@P&?fcNlSv?Pi6x^>%<^zpDjaFt|z@Z4Kt>;)5$v&y?x;IjAT#1cA(># zM-b5KYS>9G*T={ob-s{kGTn2WSI!WI_CsW-lZxv zH42S!+Na-!c!KBYnjJX@UBQe|4K(qZ=;^Ij|sc8YX9J%sla=RbxeC#uAo zh@iC!l4iwpzR$i_FWKes^2#Ck$cdI?X|TEIUJvKe{eoV8*o{?ztk=^LAO_K^$6e=5glyW3R?M#yfRk9IUR#)mBV9T{HM@=?l@#dW(r7jK7gL)Bfl9h>qLaJ$a=^e0Hlw*kT3saG= zsqDb-*GAeB%*4Z({5>~X#F;1{;H=>!FCz+Dd230Uj9LR&m5 zeg=?EB&m0VdHfbHr3dcMX*Km@2UZowKTBGf-~N4CHYK{MW0fSv^DIUsuGQ#T3KU8C zkMW#8?fLu6I#b6v5E#kNoMkGmDmEj+P76GZnDH*?v{C3NG6skI$2B@qVDuEym=-@c z)+JtP$rMrSkRh0Q=?Ibb#e%2dLb&Kq&&+8sS^G;ZJ?K5kvkDmS%E%mC*v#L>{&4YY z(SGMoKvgIka3`WCriU~jTi+Bd=Q-CEE$>fxHJkd$4o$C@#ipx;BR=<`A9&#c3bCB-UfNg^ zAR*nuR^ZpkQk`Kkp=BoRwUa=jMl6vU2G>hD=zJWdlTqQmOa2Ff4vkp6EPb4xhOGR- zlZ#M&KJPG(!UFX*P{K99v#(82PPvFrT~B#2J&84XBCl`96`{CXq)xKp!?b8Q_ZDw= z-J?{P?r2UZqv~(WlJ_qpMpzTNwqAwa9*io2Rolfsj<^f%m3kx|&R>u-am+P2gsVM? 
zIYVhde=|Kp6qp%Mh7{{JQ~Fk@1Adw{^TDtg8#G7_8ix>u#t-T z{QdzOWDG}%{yoMY5-bYZ0?f^PPS?@!230XcYn69}rzcjcWx#Fq7aQIs(xkFXFRDL$ z!8=oPHCKhg?;~B^)}WP_htvHvZ6==Q;d9oW_3*97;JKhWQPwwuwilh6vW-mGjfyky z&BLri_r~K1u@PwZ^^Dv}@ZkY*i|_7i_?uUa@3L+cyWz@-ZlT|)H{(%s>;6^$6?3Mr z-+}gNyS?wE>-DWR5lavX;ED5M%PWVelDhutX$pKXKECz(7}Kh!@ltXk7}$8;Ps6Vl zc)$!|KHXlizI*F(8w$PZY}jV15y;5_e|UGMqJUT%!@fw=xZbw=b%S?aM#iHa(;HL_ z4`A0BD+`7u?d+95dv+rDhkoEkVw}d4kW%0c^p0L@OS<2othQtQbfUE8l=tr5%kZ}Q z#wEW1V0ADR-2P#e+~*c2kj{7CHy@k55pQG>ljfAu^buUf2;;}FwwJAbNCK)N1-_Mp ze_AEFR}Y?qVSW1jE*;LBXNArx&52*XHEaplMdM^Aud_Go*9n8RmU|?ZE8TWP=Px_~ zzNoGTQCoqae~oTKF2hs8&L>b?6h|~iov7lA7dK%ar*f&)Ui)Fopi_G8$xTW)rsu7p zxb6nyT~yRI@W!@%z>24v)5Za<@kxN^re`X94y|MNM@OQv9m8UvNisD3w*P{_N#R={ z;7qW_R!_SUkvrj~og~m=%Z@+C^^#xjybIKV(_{VAR^wtc$bBUUes+j4VtRXrc54o> z*bEM2>)21)Abo%eb#gcsYX8{x%kc+0ZO?F-9(HnE)p9QL9_OuR`+THJ|EK?o=aSx# zLT3EWG5DQE6B!94eu>0_QV=#?G(ajNxKQ3bToH?Usi=w!YSM zMLetjx9*~&_ArCtFDaH@B?r9YQP#D(SH{}-)5Xc4)hWvWt??;ync%V_b(YbJ+X-Ci z*}pwv#e%Y^2Gr_d?4z}0umxd|9CS$&l+|V0^TkYeg0r7kBRWEjNv%@ei`pL94_mFV zSea1Aua*nTZT`(+^J=tIO>d6KUmTi>W7=$tQtt(X4h8F#<*-%RBkax2ImSiph?Z~l z>l~$Aqe7!TEO9Va`Kse}iPPyQ$p#PqbZiIl8Pk3zuth(Bt5AxQ#-#c*B}%9bpluWL zSAOFNo|8$MP)djxwwOjWn<3fdP?_UDP(Be>??SQAY~K~@^lysH^B>Mds9&y{bq%v) zjX|l==E&RTfR0^GbZs&@V#POGh|Y!ihCC8%Qy$iE@4{C#sc694UHd zsg5=7LqiZYFP6hCHb`pG;69xp>xSrH!~xNDN)7z%6RWYTtOaz+$)+I_;LwdjlHSlmuvD)|n<52xONq=&CMiE0n}UK(Z5 zx(7@O%E#r%7Psc>Efg7PNv>v!$dlpdf2R^QBpsArC>xdr~6H3!UK)LGuj{5g^+JUdtGY zJ@@qlBZ0l1bQ>(IXbroTW_kIJjyk!ejs+n`Uc*vr*$a~MVrr(ai_(E>h^B=$qSI3#yydI4zNo=m$%cd$ZMkpHL^#&-4ezs_SdXJ(zkT zct%3EQc6s6SU3HP6~Jz^Y%r8*svtK_5pc}TbEOa6k73#9VXD>zH~X&LYLe&<8cy8yol6;9dLj}OjpLSXoGMg{zQ#)PJo$>Q$*137 zI`P8fR=2RGlrz$WmLDH7cK;>3mU7%dsmBzXgrfCuGu8-R1i8LBy$A=89|anMbJj{g z>JRw4h;P#qBCl597d>IJog6~QNqJ$ih!L%z4x`C3i()G_9C?~H6xWli-=}4HipqOo z+i5>tU{8>!(&bPoM+sGYbi>q(2$q3xT-d83YfAN$yo)n%MT3~D3|6y~uM&=gWJp}* zw25|J?2TDYn4UGzZd&7tr!ySvc_lVXqH}_n@lYO?THGDBIw5FPi)qc7fi&Sh6hmQ{ 
zd7%#(WPHf%_Bm>6oE4f3F&?d}^Uq7}F)L2$Tewk#UHR0Mmj#3OSJIP%iymhe9>}TTn#dwXokK?(TQKs;kK}fUI*Sj;lY%KY1%bu zo3^xMBB9t1j|=&qI~tGpz!W+;ZqM;T7W)|V+%T`nuZ++!vGa>Xd!SSJ}n;j7UZ_x zHWTKR?MCP}0SY&CRRB%QbRAjk`XNO7z^9t6xg1Y zRX;aBETF}AItA4n=oTfZ^={qy%07PHIQ)7=_l!dd^c2dOyvm)WZy{OTi39i_mnO!p znH+g-dlY&w52n;_8Ot$mv>(1${TLQ#e_Or~rfJ@uCGowKmUnvJ)7%!U^;n6VancTW zJZ$I2_jn5Uv`d`(m-ya2>~Yl))xCx4ojM77t&PJD5)w5G{cSkvub64sewoU_SqC3i zXc?s2WVycIqE@H0-qp{~wcyQY*)g>|v8P_WJ!WX1+l>lu+SV!NQD&PCoJ!SfH7@X; z391-?-}Wbgf|+qpR!GyE6#=`+qz3JmqLUy@(pX#opp(0~3zBCo#!D3!5N>!;NQ1ix z0FvsHxLjS-UZ(HtO%g9<_REjt>;j$E4*j^1wmM8MjOOCJaP?Ax40F`8+@6CG9h;vm zANX+vp!qL=lgpi|JkKpK4+F;`?b7Z3U=t|NiHp^YRSdK5$Ler9Dez+!Lf*(@PYji$ z;fAz^S6pvr{sk<2E{u1(`ktc$221V9KPyu*E4J?)J%H1lKCCRKi~IALd-f)}E~4I) zZ^4mZGC&ph5SD%Y%%>VmJs}U8UO6RmW@WNTunK{r<_@x~)=B2`#=v%kc2_ZuK&Sk7 zLmojDWN+a-WLZVFtc&z}bNl|8Y(&k~JuhR@%y^Jxi?Q|1kAV;dOrB z7jK-#X_LlI8mqBw+qP}Du^T%(wzXs1wryMc6Ts$R2BZ#y>kkm%{9TE4Yo{7{lMa z#+ycR5+-ACEKsTQ|D5gY!7cxu`xTZ<0&c6GWYtH=z20x3X8oIS=2dQx{?CLRe=4KJ zKMOlL+TsMLv3v6n9o>{M9vx)wQpsFtDM0~P_`Gm5U05ph-7Ij0cr=nTl((9ZUv%OG zi?$_$GQa4eXFOAWQ%7hgzV%JBvQ~@^Zy4HTF7QMoNKrNM{yN1XQfq%yzb9l6`dPpI zWAPhdy(KwS@>_5bd8$ad!~#zfMuMO>SrbPoC%qaxq6!;DsUzlh*#rhhoasqTL;&>? 
zZMX;w0D>7+~DpG=hM zmMe(qKc%rGHL!;fRAwqQIbt8YYM1ElB+6$L+KhfC#}g;~LM7HWwI)v-5)SIGJ+%35kAq5|`THQ{i?T;ynQxa^&)o1dKjq zCFENv2^EOZ8A_;)*?;CUVNKCCE$XLkur)pMPObNXOLwZh^LeS$ApAF{0 zeafW7+rP#8HzriJxx>nh&nmPz6)Uo0A0yH)ZZw^tX)21iP@ZHpIjt1NEH&K3NhUZJ z6o!Yd8K?wCv=C*{n6t_80emOa9X;mX)3AUYGp$Ke`Z?C=KS;As~D-uC-KX zO&E@QC>Gzlmob^U+gio$QTI+!3*}pREvt8&GS#xeA`?lEKZWB zp6nQ^pUjZvG}{dunb?fNynX%1YcNbR%QofQ`zx7hj822fmjch&3 zqGj2FO%F1!3|nX1&8jv_@M7W`6zT$c$tGD7bpne2&XOHZ)4_?{$~F;~B-EO%7%UWv z^)#>~;vfqaNkXOk^~-c;sYEcg>l=dz6FH(t&NAx*XQ_}<44dLXs7b;}+{UJwL(jA{ zE;Ho}#D7ha6t#m^DxEuxs*hgra;P6?9^?66x$`G8fFC%N2BlqquA}?SKZ@H2D!V?W zzEBsalv4355dPqxp3f2g?U!zU1w;x7sC?8{ntf2kQ&rQT{rVN5>oj$nF1ysndBY*q zk!=G1{l6>T?UVi1r=1D3E#ognV{&ih*m>*D6@!P>+N`L2eJIaOP3p`gKSSHd+GV{p z=;iuzlAG@#E33)lgp1L)_Gz;;OrL|2h@5Wzs zB(}bX^_6_a015r3sqS||c}6ZDdK4+H26-MuJgcvCfG6&HE6z)%14+pIk5lSb_ZdR~ zG5xmlIBxx|{g4N%avO8nwvppZQn~a?2blUdzNJs2C)LAkh9%$zhwsIwH2DMR_lv~H zSYMOsh?UplvqwOo+ou26xN`Zp=I)dE`ND2M%I2!mS?r^>{ZNMd`dME+fB+X0@v6C+ zL&LsMOF5Ul_2T}45Mf{=ukYK6nezOnSWQ9~OPtMP@UN>{>sbg0nUB_=gnu4(Z z>T~=m*I|u5VaNCi|EdQ6$>N54%l6wFe#_(?KS5V?jp);b`=#$A z1?E0G&zq3B?&*^Gi~N?`tV4BS6^~1`yBeJy@h6M7qZ68%-W5ePT6yPh*!Fh<)@)%n zO#c1b_m2)BJ@2jS-VLw%!c&)73mrAXWzB(`dFNAzJ)O2@k@V@$o-GQys;06 zm2G)@SqzQZ*YlVU7sJ=106p(5Rr-$iNyx8WCp31d^KRD}L)Y{I4ddD66M%BoH8Ba= zlK4v9j{6o{>hqOI_9K@I2=E~O{(g@+1^NzB1p%xc*N*smRqlh+rh0mz`I)OfNhcyf zl%BykHc*e(d20gb&hS`1wb1F%O*v_Zx>4d6;BRoFuhDr~w@ly&R2unUnCV#hxK20o zl9FF%rJNQ#N?cVm-NyvNaN4I&ny8U1OM0^NqNEKwr*R&0=3T;!&BVgWPSjun-<0da z6r;7qa_3}{zR5K4F>)hypE7HDr3SAB+c3;jC{YzZB1Gp5qgEui-`zAU%buAn%^GMc za%n80-R2zc6*iX_d0!NOeQN}}74FYx4icvR5L329K3B6fOR+Uf3a4iJr|QHzXSYTo z+@RyHR8Vm_jq|i>T>9Mv0W557NBxe_EvMl7k6RedX0}OlkNgSalbLT+m}k&UW{Kgs znWFnOd`v=IYo`$k9n9TE!4s3`7rBY>*SW{uCp@P6`1Nep8ChUb`Dr@hHD?O-JRx5_=VW3bm4&K5L_{n;@*_+`0kOW44JzQ zfw%RS0aAsl5PbuI9L1*X;pN4*P{;WV!&UfWgY1yW& zKH?K6~SGSC4<{-^;YE-wEF!J_A7sAfmfJAOloh=2T0p;LdiCj!XAj=w@i==k?tyK&)7z zZ9$LItx{Od5Sjb9A}f3J)m-ns&0Jo+n%35H=L!%Nk%e2$)ATTUwO+W$$@=hGN>k}O zXxCNIazxv+W9ix@8M 
z4iSQG7!d60o?~PE4kE^qTMfg#Ctof4d0Reu%eOr5dI&QmK`t)4t54OPx4W=})r9it z#{&pH_aE%~tIks>P1J_m*&x@qDUXXKN6X2+Q4;^>1GA?N;OXF5=gaHO_z3LhbEox` zr_T^d^&5EoSH@N)L)YD&DzcX2(o;wyR9X z`B2~%%EwFIjlP$;-&4rl<;KHc+oZ2U68X~_kbq#_IrQODt4rT{(rFd0O9FIR^pWlJ z0DXG->bUi`!na1~CWrx=An0p++$ix_BxmQl9lUv~I0mmG%;4Qc`HQ8jzv>Lfg*2KrXmZ7`t5Ym6c--#dI)-_ zLdkM1Y(cXKOmds@XjLaaVcWTiG>I$^0ZYx_J(dgLh&tmE5E;h%HKfKq4CN2GI9iti zwF_|LE^ZQPZ!)AZPjjMe^VAOlQi)h7<4-+GFt~~00vvX*LfS_V6uMHJ5HlsGfkw!p zNfGI37=K|*JWHnoJu^!Cq-ryWe>Lb~c|iWY8OoxSf+SWv_{#nqKYv9S?!H6FPb3OS zg6V+ZStg|u1^+OZ2=nMSD9@Z#& z5Bzd$B=vDq$#1CzEesgtj;O$>bk|=!W9j2X&{|W=Rb@rzjvOaofnKKQl(N;rr4YRJ z84D`^SV`)84wY=9!OF}2Sp|K|edsfU>=|@o3tCMTTx4e3gwXzjlB&ig?Lo~0rtQG8 zf4b+mY8g>L9Gix&N640;TVd7hRv5(2m4=+a5D3LdeWZOaVy>Zj4CbSaov#-gH$zb5 zNoAr`ogu3W`cGx2-%DU7UZ=j$7Kf%SUucVQX%OM}(ZJq_8=xhDvf7n zbTs>s$p!zr^jK0JSDef){Le^6lx9VA$tT%4mz0G}MV@@)fm~AeA0q^MYmI5lMk%4> z5aH=@Gm6ZWd{#{H+l#+)vP0QWEsbKKZU(l**_6iDuaJp@xFXQ7&lO6Bs-)Qjn^Ha6OYATu=&1^B8rt&ZylRHbi46h)2{VLUOx zLnky9%hG97P-tx+1B1InFXpYw8rgFd8;yF?02ew*E9CfzC}UZmN?nm`P&RF4K&~7LKb)BbG{O4EhtAW4@w}ZI0 zSb&CiX_B8y4*^ZJ%T*dh*EV~VJbjl{d50B4wb$Bb(g8u6@f)ON5ooz-4c}p8W}g_h zs^PRno&I6R-R*tCxcaisx28mV$eTv~4l~mOS&iq2WlZNY+t^MI(B{>GK=pJnrp8j_ zuk(`^!~o0ZHAD&|^#S%RmNOaL|Ec_fz|$tyHAZ`XH$!cYe*IDO#QnG`kQV{0r+St9 zao-lu;aTnQ5v;DBvvCEM+;X2v$_BLCbUlJ4Y~7v)%IUpEkXAMS?&_WL_qgjg`*b)$ zt4*=jy_@l6XdgJI_gMLw7Q>!GOA#7jg}GMxKAnKn{%c zk5&`kIqjv#>iNl^XEmNgn{RyV5RWxK5jv@RZj>i??Isp3YTXRRl6UdHp+o~3xt;BZ z@7O!FT3v?To>pytpRZhPv<-fL>T>MO=JzqPJRN;T`FRnyarL~>ImN56F6Z~&X{_#L zGldkhY&C|i`ci*)DIcUiCT@yJvTX`zJ`7@=%Ej0^UA{Seyb;%b+>VE3sM|JTxM=Mz z{tA;&2iZ1(rr6QG2o^l-NikinpUh8V%Owg6Lw^a$^w<4AO+kd8U$*rJnbQy2$#eAq zvQ%}@%$LoG)jcVg5&NCD{bT0T-4iaX#)`pQi%%$+rSLFF%On8_adZzkl2Qr7?hGk^ zX**<2QKOoaQ!HD{Z<0optbTesT?|a(TM61;bKJ$OnEd%Yc@PseuGt(N8}oX%x|OV( zjSMe=DihfZDQT^`15OYJ9rA2CLW&lct`#OCsgVtDhLAzcRISnoomj0t4kNrxjA^|F z#l2k~q6(8PexO4>1^cShI8NHI_^mQ95lkk3c zCxh;PYfy7K7`NrAxJv@_(m1M}u_)VK1H~awjQbjnECqXB5d%g_sReIp8AxqOEV|SA 
zr$kFkT25IL%Wze(@689VHbS!89;w}SB5Wn!b6jS1bnbO5b0i$n`n5AN@l`y+rmTxJ zU2J|-(p-*5XUV1+RTdIE3|&S$@ugoCHM?wI3#8jh>r%59?HaOS9jPRwI;pf}<#8$V z9Lyk%G?MF-(g(H(p#X!DuZmkkICdt$v#^m`33Bdx7?X^2JQOmUT01youtr5_5CIYS zb$AWRf`A*DAM&w~>sN>QJUq_&%=l{O`z=;u|G+0uVcm$+YK*wos+glM$%LQ(-goJO zCbDXnZaJxvLBJST&?*1i|9q=EC@tlazc4D8gOBI3p$shjQJHLZ1V}zXw9hQ2yIZ_c zw}jYik|%NAuvDdl#vybLZ$xRx99?8ktYapon<~fHBmj(UW$f}c0UVQCo~`k*Pj)$ z?XAo!X)P;X){i*Zc-=%tDpt=CFTzuV4g{1IBI^7zD>4U@Ci_kG^b@b3v2MEVmxCEs zv7~ktrm_xmoOY0r(_V`y@wa668gc?5=wAlK3+*|c50Zr6i2V*nv9#1NXVSQ3Ri$vW ze%#<_x#J+^o4U@jsIind$v-No8lndpXI$R1_~}T-M`%I*@#3s?ZQ+o4n_1EYT@c>+ zAC`VF)5E=CH!iN zk3mNc5|PGubF$SKMvRPh15XHa$~hQPMsNeypa?=&$D>TDkY~+k{`GRIU=#&^G1I{_ z8{)|b(U`eB^1y86tWf11=0vZYUa(IjprwO|Di>Gw06PapPFw#g$?OuGY$wlA`$D|5 zE*_U?dwdR^T);&=SAZBZ7Oj+asm7*JI<{UHaof^K0G5~DA}=^u+fI8lRh0)3&yv6z z+i1XQOtvf-MZ$L-)sl}Ql6*F<2QIWRvW9E_PyF_xYM6Ru)un}uT7l+9^?n}`J&xuf?5pw z`0?)mPlR}XD8Cg+;(;JOh5zGJd|B3Q%7{J|QN`nwCqNq@&yMeW0O)2c_x?f5k9Xd% z^|EHy$hN}eEq~LA0^0|mP4z$i01|9Eg7T}M4QgCm1{4GF)hX=S&vGyH)6R+T95y?4 zsba4-X5|QSr7vG^Gg#+OMrUPNiuG{pY}|vpajatULS-{EA^4elE2b3UVF4G55rE6On=M1!|_vjyq0b1;;(-a9mVO6i43n^H{xlAZaLV* zCFppZcY*mJSrX%|}^6Md>oDJk#U!OQQ9V*eh#G1}%(8FS^cZ{!a#WqPq)=|W2DcV;ARorob!do&tV03>=9WTmd}^d zJMfrzxA%a(w5w@jBXUVhnxNygZ^_0%4)oTxW3M~K=kqK*41It=xbpgbh_ht(0`WRI zM4{cb?sY7N((#xdTg7)o_t+O5_wn0JZYO=?lTj*ssjH*F^W3e{^dJ9GtNCTSnPt+! 
zqh&GxYrXy@X{%hyT(kVb=cZ^RN&M31gAG^K4m41zQtmL6?*8HaiShz?B*f}7zw`eT zzA=3_4>Q-jaPG|HBYcx@DVw_Z!;Il$_&)GuQ6E9yzwosAa?q3b2n%38%TL>1V_6wq z_=A(_(Z!V7!q+5Qvgb^?%WpOuB@H5JW3=qhf2D=QOONPq<=zX{pBmNC$vAOZvIw$b zC~IM(GaxK@u`A%1D&GhPQ10O!S>eSSdbFNp%(0Z@5CLGr@dWei$iY4u7SWg*b#Ntetd zv02_`q0i}ndRRdJgHa!F5a9VYJko3)txmXw5x(@DQE;T2>Y>~<7h-7{B2qI+l3pOf zfx05*c%;OBc7=p42B{rkezsx=4sB?x=uWS`LZm^>1|{!rq9g0zu{oqjlh;426r}9n zOoExfIZ5W8h)<2iU$a<{FzmTs4%Gx^;e1#zO(r-f{ilZ2j!s%XV+T2>ClyM(W)t&_ z5X>2ek|_H zOw-%{3~CM^S%xOR;G~i?6D(pMp$g>o&Ch2H8lmOC7|oGw`1yA)-mj`K5AK;%Br8SK${JFebaU}81mo#_4-jO~SMPJuQ+jV$jVMFbrTlHAgorB&A$rg=Upf*Y z+LoM2xJp;X%w~wAXw-nd3a5>w@&`gsP$8VE5RTd=M{0ETRSPC{fl@5tgI5Tn?cQbI091sMK%Z(pstN z^uTXE=gFv^JUzZ#IB`Gpiz@tnV&Ava{BTi}g*NCTn5V-L7WW(I3t^W2C*SZQLm0Hz z|MRa({9MGIj-Q#;cpS-OoD(ph8$;U$St?uwI|J-@?<{MXG|#Ff~XsPMv(tPYe! zK5Ca}l?_H|w0P#B;3<1!NVNdB(T?_BjYhTjv0&z>ULpzyr_Q-=pKJa>5(aGmbx`GJ zDafSRrG?vB_p2S*%i~`1SMq-VOr=H6L04J`=3D7VmRnLzps%E@#C-n_R<01U8$jB2 zBHWsfZXvTHDs`g1;5M3!HYd|;)kN81oSkL%P1T;o%eFne2=+LD*clc28XMP&?Kjk! 
zcupq9XhIRjB3uy)4QCc18%Yso<2xVx4>YWkH3C}XRudb!bGa7sv?^`bpxk&Xii@1H zMc3M}fd*SRU2^mp^!bu;T4^ulw8cvJ2_&K@OVso@ww$WM+z^R14`xfS6Gcx-$=u*O zUG=4RFAN%vIiJB$u{oB)RNhWfq!49AIv6Tzl~f|d4zSWbN&P>T?aOsU0ru%9UdH=p z%c(dA%x+o%ndqVq;=b0IbD%LYx6YC(sg>ocpM9Lt(16f<$C+oJY>37b=8O1 z{np#zrs0+9a=Mhh0xek!+71Eey^eZme4eil_I(-n^m#$^#g}grKe|Tgo6qi6me@d= zsp}6t&kVTj?rHVEYbC92WS7P^mXQIx?)mDSU1F84J!y^NZr5@ec0=m&%XZO7pDuGo z(~W&Vzh*vnqlQQNSOS+@?KfM-nX*yr0YZqp&P^uuxus1gT4hheHFgYw&gWO~m%YxX z&v@^O&%e(y#a`Ra*gn=jo}6PtK)#`_9V8J$>(zz z!wkADzDcU?c-hT*TXge(s3@FO-}IPW8SKHNzm1grY@S*`i7&r6)@vSY9IE#J1W(bc z`QltuUMKrJBX@jeO}YQK_zFTf0ucc&K*ImchW}fE6f>BpmA?vQvFqEF%6JW@LS`=P}Vo*+9o3^=p(G)7NnmL>{4Wso(>6}xuCnnN~ z$f)tV4lSjv)@hJn2>mwNOp1|O6M{-D3let|ZmAQE6?+u%-={eoEwEE82}iiik?jec zUkndMY6FoH>#3`9N%YC%v{J6UMtId3{4L>85Ck26OgAou#` z>DFdo@c$JAu#g0fr{ zM2#ObN&RU>l&a}JIx&vM4iw>j?v`X{l~ffqko`cK=E<}iesGu_-;EBaK0{l8;+cCw zn>)RqXA>ljORn>F67NG;vyMwHM}GrKer!hFd=jpRZH zXxmV%utV+;hDTwTgH@CBYx&MyAs zZ@(m0*b>@57r*h)g7oQ!e|;WNyqujS9~dKQLsz4d&1n zj)eN2qn6S~(e1LVSR>Q97ZQSx8VIj1OG1U#4V{gX<5ynr1S{c2xl1-q6-Z*rR*@at zM124zTi*u}4}I(-s1(Gf#h{p_O`_nQ^x^)`g}Oj?1TV*1!w5Q>dsQCBwfnsWPih{W5n8RG}Q% zIEDum+~0(UWFSR3B2a@BS1(1xBO-WD%L*_T-YCxn6;ojI<#KJTZ{cy1E221uw4f|gab6S9tItSWqezY)wu( zYc1F2D@ymY=eIuYdX@;%#o6Uk@1c36^Nc3<)#F;doU8uF!R~zh@svE* zjW|1-Jm^9{rv2dp7<-z#W)(<-X@;@_yS!6eOfS*#vbrKp_&ofE&<>nI7^2npF*yol z8(DX`f$dqCwhblx*wEj4*Js$cd)u6F2Yq7gPIbFugim^2G3`AK**VQ4EH&7TSUnz0 z6HnP)k5l`%xMs|hw$LqoT*`U_8liz-lkB!ihnaHwTL0f1f-Pq!znW-yZ>Q7CZei*j zPEppWo;snVxZ6Fa9=1M46sy-e<~CFA7qw5YKfJZCUYF0j`5e{F3hV2a7M8qjUWDl@ zX>Z=)&0!GG?Na3UoPuxq^noA_cD!XX4DI6!=$*O42DXjukL&!Ogl+j=pPML2OCZB8 z;BFE-J;m8n<>r)l#^#nMALm{FT$A2)!9nTMmUxQiX~p9i&>V))rrSRi$*nbJSLOcC z5PL`GV+#Hzn>_bzuxa(0efhy1_XpF*yl&TS>{p)mh1{A$A#W3B_3kb|m#xF{TrtiV zKGDW-b#tHlX0ru=w^BU0xxsL~;Tm_fmYb&$CX(=z!|_?0UH|q`Y+te~-T5##qxx}K zcr=X!q!tg`ZLICtM%xo;51-h}2jr}J>`fsn!Vx3*VAIIfy?PGTB|4oqn zIY6QBQK0Vn2mY?KXQoeK;|sM{?G#Ypw@hgN+h7}Og7^RYZrp!T% zgnZ)jYSJogS*ZTlDazkWF5BKI6Iv*Ubj<{cUnnV#nhhq-+uu^@*zft|5}2E`TrHK_ 
zjk-#3vq0$q%d3X+EHmdClz^nennX2>RqMx?iOC1*ib2Uk|`b{*p9vBGE!ekbNsef!c&$acw`=< zRP0qwEZo2Y(IO{ZwhtS$P*{l&W*V!H`BRaD(ZU9u^Bw7k5&6rGq&Y?f`6?Ne zfMA$kht*j^Y2k{vrMdz*C4$&0b<9OjE43h|KUJt7eDi0nyf{sT+y`^j7Cmjb?#Y_t z+_m`%wOB=w5cqUYgdq8TuB;FUmpT4AZgeJLR4Fg*R-3gg!4}>AM$;nIikRM^g4WyL ztXmwcv^8KncwyD&CYTI!k`_CTk;YMFjBf7|0E1a1!tB_92VmWkN#EBkuve1^{k3PN zu&q^LV^(ysS(44}y$~keORpWiW49siY107(`H{@=&jEFxJCQHE3`SXattR4;WWuT- zG5wg@ZwM&^oeeKeC-O|vC6&N+h1Phe1w8o-%(R%b#wAc}#D!O#QbG*KWbsg0?G%!l z?j3?f^QFB%P^D$fK8}<@e>#0XndQeOwm!Zh2|(z~B=F%P9m+QWR$B%V!1BBS#MFId z{M1HRq(ULtd^^b|+R7ieX)^reM7_b}o2izlIg0i~I#}Prik69{`|})3P$GGSrskNZ zrjHvSkGS(Kte95?rtwwFN&0h`j0BBGu|}HLPR4#9Sr*wP4}}#&l$Hv|5^*k7Iaap! z3!`g9-9m6feBkL%5^d)o-tGC-5*wS*{ggE>P?3PD&9arrP?_wf2{8K`7w~-1e=vTl zpeACjMFL&&?ZJsk4H)9aQY0)gJ{RcIq-?!yQOJQjs7R?O+X^G-NmRmQVZJT%K}HuY zOH0UtK)b?F>|-4iyG-WzzFCqiO1wI_4pxp;s6uySfsKHO5Td~7L!_Pw@6eZ|aW(hJ z4?*WJbMzwr^d-GxJfKB!j%IV9s($M`k!pIFu zNpf5pDI0nAiz^Z(q0H{Emnd_I;ARVYn6MSO)bq|Zmecg6^L%g!ikmfsE;cBq?YoIE z^v6*ZT$;tWW=#~2TyxVu%wYg|6zQyV1=L^~g;u&%u_<-5JJ_oBOrjH=rI@X+9MdaK zd}FnVDg=t6<0h{P>_U_hN)W~IvL;2Uv07jnKN>c>=>?N@j7xSJ>=W$rmHy^hO5 zx(SiP_p^Sb;vNK5u-pah{G($%-b*vE(s+e3fE8tpBcm!@^3C6t-xbR(fZJ@~&(T@3 z3l45d&kHgAL*m@Dwx?AvH>0(Zntxns51qjBPo0V;aWAbnB~c_oY{Hp~fd7oAevISgyQBd6x?NB#DR@~Adu z{=Arq2Jr!Gf0lw5KZE4eUY0%sKTtje8PP-d`}o^@_Ur*-5}Wg2cdA*6wsfyNUpM>Qc%Pa@QLgwq@2a}|z5d+d!)AjH z)7A0o-y;{I`Cc_TJWllK-Ljovn|9}>`HCxlR2Xb|&YvOcLI$vlJKL?@G;t2O+41ZR zblA6k>1*F`p+lnSH90Xn*hqGrySQ$NzddD5l@Uzj5YVTyUw=mzaS}x ze%!_Nyt)xl;N{Cc&fAsSZeJ|>6W?+)yRPFD8c^F}U|;CGjPU5in|X-NqXg@+YZAix z!)bbRc_iRE#7a`VRXayU$yl`5}(pA46$ z_kW5r*Xx^F`G9%ME>teJDyQo@9aA-)LjbJoh6SqexNIq>Xm-}!nMS^Q<<7WLWcgiZ zU&iAC+$ZH0;n=B%J~TE}d|5PHtB*@3o;se*Q3&79l45)wxQFbW2Mg6(5Gq;^3fC%J z)~tZpCtD7qzx_SD?mP~*%k(!uRf3>%*vXlpEAQ#tZsjN4TRhMx4J_!SAqivM_z!06 zmU*Q+Q=~mHKfr(6?VUt=%P9KF=KYql7ougW(pBYT^8o(cPXFZ-boLH{g&%Q!<2!cfJuPOVdjPaG6$` z8r01uXR-N`wyM0H&K!ZgT?!xNT@6hpXU*ekhB8J~VKl??xsdeHasLV_N}}f<^kf)Z 
zcQoG*{iw2#$eHa6Uq;r@gJ|btj{Lr_%v%WxXL#nO$yOJqAiF4nVU2SR53gx{0pZgs02VPt54PadSZ+L(mMQ+Wm_b%$%%? zVpm9rh;=wsnYn{cjA>>=@2i-Ur4xpR$?iXD_`OCGh2z9$)8tcR{ghfdJP#cj;?c6Q z4LOkcC^UM(`VGHau8p&x+VbZL@Ydj)M3$cI{A`rg7{Vx?Q4s5fg+_i6$;?C(05=$0 z>vDcHKGoElmhC*23w*RZSkK0!#IQpUT#?FjjHEwB%M==c81mFyfFuD0E=9bgnKCNM z5Te+!c4+!SG9KRb_r=0OcXvIOxT%(K0M3*S3)O@R1v6w>dXR*?AlWoaOYHI3Y{LRX$fQs=`w_#y>z7s#-#4VSrev(kCM|;TwKT}(5mx%GClQcNe^ICYYd&x%EauV(}+QPJs z4J_)yhN36RX6@5W1&sG}5^whU4Qbn0DHBNw3|(|0&R-zwRLUDqC1&9nl}A#tszS+q zOc1%$&RdHHR01|M-2R;W+0!y-{T@4Kt=*e*Uh(1c)x?;P z1FZSieLSl;s--82A0a2kSk_>}jcTj^SS4OU#$;OGzW0|s_oW{r62)eisN!A$0}Y$- z>ht|Fm-&JeeB>cn{YVbD?OHh`0$XS1Y3$UX&fya9Rc@tN=0A)$t@nFu94nII;JCpq zQe$dG29Vv}PMcL6BFhd)Gz5DCd=R2n z=rCNi9KGn#nB1pmpSgaJ2~i&L3#M)0^%McuFbtDbL9F&kG%Hrfli??xV2bYAWN?Z$ z`WjK;M5e+%r{0BeO6G;)CD6^XWI@lQRRb~smf*vuNyEs@rT-@H(0)zL7d~=SCK{rW zm%W!1{v0b>>}D)Tv5fF+vaZoU0^SKHN$XT)$d(0!W5kj`WdBDk%f&Pc|H+J3|&7+{&d&;%b6^uo`p%r8IG$ zv_8H@f_}QINMN&)R0a6=tLJb>#|B6&V)01oH8&#E;d0IQ5r+FWhE{C*4U%OQ}J{eu`{ygq*hBkA#nw>tD$S9d;fm)`@MZ~g?v_!qxj zdrY!D;k+^U-wt^5f8@ojcig$VulwzAdB?|k-YxbRJthGk{R}tN*;@{Jp6n~yUspNR zbz6v@=3qNJhg$lKv;7;I-R&l;V5^^337q{?IFBbNvfSC9nsi@FP!_wciWX~u#u=NQ zdz~EyXWs7ZuGu&1&erPOy^kZdMi09O?rX*y`BmP>$cKeLKbO59t*eVPJvaQ_Kc-?q z*PpGhp-Fux`)sQoFZR6496?*hpVCnui&7ttWn1{QeaX@v``y->2)yrc)q@{}K&*A2 zQ&>z^yEUqMhb3qfJjay-yUX7RfL0F9mR;B-&T`?`$6-ITq{^*|rbbzd8} zU9G?GXFhddN7v;s$(|{Expp`19^cik&ven}?}|v<(YEfA zkhGrFSubPOE^xI2ePQ=G5kXau_c z)!KwFuP?G7BB(Qm+%RBB}^IX z7CZckY$IiG`d1PB;h*9JDEfqjDELbKycp8}1ya9`?=5*s*xf~bU1NSSPzw5PIce~c z4i!B{c`9d1K-pxh7cM(M(ElMhco!;`K!swHJsSHi#7H$PMI}~RkrkW;PJ+^JxY~55 z*1?>LTrOE33nsZGzL2=2oX)im-5}Y!QakkzpYbQsTEWbYMn5ty^-@lHkUq7e<22ce z8@h1EWlTm-{eY-2*qu=cIEt!#XGJ-@Z0ZdywR ztrU~A-NqXkSs!7k5OBcCV(a$eV@#S=1Tg=4F|$*-4lbn4S+X6P$(`6NWk$gb5*#X( zsx8{EC&XJkiSM~&SLJ32z({?-ObloJqgC1S6U@zr-?T0yhoY^A(cGuwu_t-3QNrHF zr|BniPwgwyO>%=!$$UJi`8KbiQ5U)*I4@z&IdXSFTddf5wvQ@W09UzQ+(`T5u)bw_ zXGEu1*=em$!^qVqXGZSlE_kJ`v1+;tJ~wGea;4emexg|1@9{C5P#|LG-k4!wvSDOh 
zh|4N|1)r!ikBkr>o~ai+oQG)*Zp_a$^}hy(p-Ie4^OR}RM=v&>R*DhP%U#m7D-pja z>fNLC4_^TTD|Vk|0+Dkd*yI$IV?M$JZ@{Age29i4|7h`oW?~0-;yQ5x(aL0=Jn$?zt?hqJVhZC8V`M z(adhUiKSHR3rzSClCSqF!ZHIHGETKjbP$p>ykHB0Nmb~+jb%sSrN>%cp<_Wj9A$#> zXfHaeeOA~UX$Cq8*88-10|LU$x^hMEiC{_D%R_IHwHCv~>Jm_kOZDF)Ut1QzzMF`# z)RfH$oVA#>uwS5SS(4%^khWenoqn?X3iK7o+@(brGT3~nekJsonQxab0iF1%fchFO zuK-IR6U*8(79ub5?s*cJ*Zoz1RZI$4JMSMc$1K}{7QJ%D!TYEg^#g&5qV?7Bc;h;u zTCH(vtY2yfCSQyZVl$#Acm?DBGvjJLa2cURn}(x07djhG&dNE(Q}|g#>adcM6P-kt zvQiFJ7KDS`UCar!x$}53ShZR%k(Jf)HfY9$;lo$DPFUeUkDR6Z>0s&7_?2=4I`M|# z+lKvuTeKL2GM+doC0ojT@uKXk|A(k^ijOSpvVJG&Sl#K4t&XjZZQHh;bXZ}>wrv{~ z+qRvKZPe8J%{MbQ`=V~@;+)^v&t7Xk>+dmx-j#mrr=!GFY|NdDW0^x!QjE;9e5sCr zEfNF$H}Yh|gtpO3r<%#FRw>#v-PBRBMI}fDvMVKP6m}&y{wt$uwddH#Wh*vctgtde zTmLO%Jhf|wmDy=RF&j)0Om@yF>XP4Kt4NlIdHi07WCS$pHuEXQ*!S{Ox!m8Q9A?%4 zGh~Y;zyB%hpI$v=2n=zbEZU&E;DO z5(jptFZtc8nua~sc^v!t%v-+aMc7Bk9CNHW#pq|~eb6 zd#OfukZ4joJ)y6EkCBRdU#unQ zweBW5bfN=THcwV^&YQP6?P)tN$1%I=?u>CefvWEf>dX1lo=!g+eRp3fY@5e(d7cud zn#QYL;9sLE9<|D^CkeYcU#c0ZSIQFjJI)PU`aQHWJ=;V+Z(Gr)9elfIb8gU|JdQus zL5zIXHGv18zgjjO7W$w|qU73+FZ=a8tQXg>fG2S0ukEe32OFDv6?U)l&3!%@{C9Mq z$Z<8`p@dIFMM{@R$SevC=-Hiu0dV=NCi~CDs~c zomNulK0WTTtaUZxDz^%}xfC4S*ZcD^XrJi&lJMrPDcDc=@sOr}!vA1qTCqOGEvbFI zlZV9hR5*l?Qd7Skn32^o?nzNuS6{z{GJftdtiA1HJE(8pyn)cdbGz>`&@aCAXDuh; z&V680lDeXCs^8D&uRgxXaOR}6LS)jVDa9~gLr0Qa@MWnDew`ig|5q$z zgd-ED*d8>`4(R~p?;Jn+8`8Fsjn+*FKOr-%|4+BbQ#cM~+v|vUTzlB}Db`;+61%d= z3!C&-zjfza6^IhBGPO7oST*c9PIZ7Q6u2i;f>>$r8p4R7^W!O|=~VJT9X~D0$~18! 
zU4A06HB1<`%RxwR&KJN4spA-kC7qK;_vCuA(yDq|GXHoEWHnUdsw0523NPgPp2P4L zYM~;(OCg`7iu&tFcyF#fgO%i;-h&O5i^&)|J$uB41tkW-eL-W5KYKA`qO%v7X z)`a@AQ>0+^x+yvQ!{-0_@_|N~MWvj?B!6Iw+P2^vnKtacT5zZ0H2$4cUi`97y1*f> z*L}W!NJ1bVPeS7yHTE?F#j>aL*M%p7D^hCh`0vXyUDASAGe2Zx(rl^h&F_EFmCaI_ zk(5`FNN+vV`r?t4C|EY7_+Y{}6Rp(KeSgO?m7cXaf+5&b;V$Y zr~Xb`U52jBnJP=wRHYG-A5it1Daa&v{DyeCqEQ`d-6Xgr986gYRa;HIHGsoWY)Q5> zCMH*nd{?{87_Mb>Pc6h)l|u7HQf;U%iH_)8-yd}S9_cAi$vzWTdhDK*+zRx_T5Vlo^Y8FW#UZq&9i9=YaOP#wb6~96Pz`bD z+Ao8`cO}Vd?-W)CZD{|Y%b+G$MV67%r-r7d9^QwQe37#fAZ3$-8`5pNT$-=y_u}|;KCvqa8gqf}FOSQ@p+suUVi1NUdLoG74|AAz+y|*2uI(X^l7Zfs z!{B#9u$D1G7CvAHg+@}5ch>I$wX~mJG`A=PWK46J5u2w%{ta>BjKg+IQhx~bAR)Eh z$~mD}nmnPJz!2Df4ruwW}HwQLmD=k+*46@#l6CEyh$xym-=0gR)7Q29$# zzDLOfCX1VLSkBLwi12v zf6GTVA!Ar^iUf$*>|vBSRX-DdzskFXwRCxY8irhW)HzN41st%y-la)j04JfMOc4n2vban>t{N`Z-8g@4D|Zob zo#w*^%^%j-cv7t#+I!x~e!jKPHqEsVXyo{aM134S`JC6U^L0FNU!{d)wqC(tcDQU_ zitB%l95{j=F~5LU&hj0JzTzB zs*aDCpL5&yw)nPRwDa@A#kqGF)?8d!e!jjV`g$L8iFZ2P&w=bfijN+rt_Ir9q%Ryd zy%c!B%Y^lqF2@CI_t*l&=8lgC#KWlJhmfwfkqa78PFwR&V8|5(EkNrenx)HKg&h4S z!?U4P)^bPDRT(XJm3`y;_vM`Xgqo}F{s7sdZut(cfP|&1t()XapOmWa{oGf;Pn2FW z;DmHbPG*DD)qpZhcN?gY26x+n7I0*B=IfKu`2?De+Xh@w?%mIinXACi@Hz<{y;dc! 
zb=5x*x^=raC|D-7HC2IX7t2GsVfot628T1h@R}FkKfclsa(@WCmRN79w(s`!%fC%+ zZnMy549|3TI4nY?a7KDiasU=h33|E?*Fy9cx}P81$_;HhPqKg;j>!%m?vwiO*FrlP z04>8Bs2m-`6li;BeyORq{mhtK5MTwc6Z3}3clMtN7z0!{ptI*)sW^#t#V?hdGop;6 zR8R1F@=@|J{XYD8`yx*o*B~k}hB2?SuAu|k#q0-QY3BV?VyIb|OHvqnLME_SL2lD8 zFHmlnNYmpLyLJLpmVJ2l60z8oA_@JTkixn|#j8&u-fR3uM39N|FdADWTgIaRTe3)- zS!n$r!2%Ul6IqrYg6TCFYh>n&t$q>cN&f|&eOw(kU2clDr$hT;!={_ZRs$Y3aieUz zetb|e*)=uohoTC(b*({?6f%$b95k1*U3#P(g0W^4lI)Ihn-g!pK<_qDoRWYd=1Fx^I**b_>88S2t>@)M=AR9PZp`%t=U3@I#9DD#EU;3r)XHmXnA~$1&AISE#FGwgk|aZm;{I zL{~+9>Zhh8OKO2Uh&3D^A8bs085Wp%IGTi}Wy(dw-kU)6@8Ln{FCM06Fx7U>LR6*} z;h^rSB_u6ZUb=}{{;TcCDfv|Bl9E(nuF5wmK6Z>(i>4&icQ^G=*BND@I$Hkmnx zt5agXE`SJcV1q;E$eW|ajI4Lks*_lSJR<45wlSRDwCx8{61Hqzs@k^8z zrl?b7I+T@-bu3L%xY}RFxRK$8DuNt_+nixQs;K*4raO14B?;8<-t(;8lvMzRIq)R| z)Chj35LUBe!d+n*8vTbfa8szYuzF>kn2CwA)s0IMr56?AOb4vODbbmS7*WlFa4xwv zJvCA5tD3=vkDljI4vIhZu^0NF^hox={hlYx0WLZVftx_;AVM-9D-1r_(7Ih%(i~h- zet_1rOF*@?`a1?b>rWzN^n@@2nZ8J)#zg}3lM5sN+5NnK+F>C}sT~?8>jruh|M*BT zAz7e3vn(ZpIT;0&9ln08@0)uGPpt8P$0afuz*c6RLDZE$_zUfAY_<4}w ziB@PTr{*>avNcnL+04r1^(jUnC^sji@#p=;`hE9}q`yjnloL9_0sGrr*cz7njU{ne zP(Q{Vj_SaHSu}iA-6BD4C3wp}^u~u5oAX0&=lSm_`;WF6ya7Q*zYKv2eP!8(@JJm+ zS}O;8lW0%gajTL#9^~@HUop#4;oFt+hOSy9nvvFM@jS#oNH6O8T}Gii(^r~1y=jbd zX;tw(*K;Atq|buI;EjrKaoOUNK3DEp^NS%!XH$#R>Y2|y}F zwMN1_owuSZ5~un_EM_cv%l+|lW63x07j{b};K{ z<*gR?itFv4Zp+ImukM@5DO7Ry#YTo(W<%fLotx)b%8B%)iQdNH6z1dypuNH8jQnNJ z?5etBZMWv~X-NK4#OLkvt;VY$QG561j!(z+B4x;$f?;^nR@z5`_hk!y*mXIH={d!n z7C4cx&xLaqyCL zYn$t5{s8n}HgdLpd)$QBZ+GmeFM0c>0Rb;7OyU=8_P~l5+8i!jyX694H}5;jX#ktr zTmMv2!j;}{9{+Ysf@+t&C%a=kq-oIR3&rK@Sb4X;{>nJ73E(_q7;vSI3V2&bttyp| z_91)|J3WymoVa)!@{I}T)_ScD)a!74>C-x{Y+l1{@p-cSWV9SsUCIHBVRzCTdnbZY zIzH{e`*Hd*;GS!##@fR3QU8KUedet-YpF7Idm?|uKMzuWr=V+jNfWj+Ke~~QIOCt& zdzR0WB}$0kVh-p-vdFt4m}Mfe1FZ%hRjsxJK;hbnlA-r7w2;#M20 z%EbLbJIc(OTiY(ba^vYKb`gO`iUC%eW-ZTg*MvNV_DVmB#d_jMJZZPTA{FLDt9e_I zA%f(yJMCQM4kGI^ceLuE=n%QQv9FmA{JOuf%Wc$y7yM9-`kv|xElG&jjn1N$VtZ1} 
z&>mPWv@(fPN6OSzWiY=>a3xs6S1*CBT-Sg?3KApCbs?S5;x^jfW^=7-h(YWsnO0pMiRs}Jy>qEY$)YH->e6wv!{9_!lrGLED)I)ihzRF< zY*(^+MGueElg62fQSH+IWK}JZujTr($ea|JUGr$A1#w6H)uf0_VRTV~TFfPfwlp_& z;ij645)Q}EXg>X_2f91)M~_Ys^NtD8ATf(1?AX`*3k=aAKRyY;6^BH;!;*o9 zKkb__g}*HKAj0o6dZ-M3*H_E;?$n)pBct7wQEcF{8pc5%<84{|;iEF)*l(xNxNEpT zZQ!_>2Ti0~gdLI#`y$gEaWE+}pXK4yupgZyXKXm1Dndr8D)j=!ReHUYms%=8hdC!% zW=Olw^~1rG%HfL31lmg$P+@T>8|RyuQCUK=#Ob%(yA_C^2q~9KW`#|ED^H_u%1XoE zmVGL~h+kF`AUEHMR<>qK&9+ypHR&~~(5QNgdJP&(<3mUa*>d5!^Gw$iRPf|-p*CaP z;bzTHc<^OQha8$vi_1asFg2U4f3S+hl#u0%g0%D=Lo{=t&f;Dj#>y zad4jVU-AF!CMNeAV-^evu!qE*{9P1l{B1D(yc4!yi>kD*ZioSs7^ zcm9d`Xg+4w*$r|B-9B(uv;n6#Z_=+ep6=0~Gpd#!b*}}v);_LbIrRU$ZBXcK8aFI= zIj?2x@lr0p?kkOX%@r8SN^Y#ZSUS3!CdN$Ax=mYpz^XTS$ z7B6+a96eeFd#5e~)g_s?w?o|BZg;-8SB~%OZbdwR#RN=21BRe!*y7S+M06}ezP4o0sQgGWcv7J zp*ilJxO;HbnhqNOw#Sl#;q6`29JTrFv5XsJ0O9xv&+mz;S$o#}ukIL}%S{Yx+lRF6 z>6I|A*Im)D$3UN9oh`@<>hoDQ2+`Td#aZgSy85h0q4#=ny_r$Xu4GSluLSVAZvJPc zMOy(Or-3b95pZ)oLFFcTD>?(QJFgU!I4z}0+1lTheTaXS+yTnLdf!Q;sZShe=7*^M z`D@PJ-ZN^d;KAj}2urZ18jYJ2aqOY>sKCXth=Q$BY$&D2Kty{12AHmxF5L3rD@%8y zM;oFDXFjnPiWl=&Vo+%4V&$KkwLr6W&maHOKtoP~bh`=?>!y(l%vTG8#ri~TT;vji z*y}xs@K6MshW0hd;QAw#@;ba8rkTf9+5QKBQLE&ON@{ z(m~u=kw5BeNII6}NqzVb`=ip1g>Njza1Im^EmV~_OO&gu#e~0T^Ula8A_bYAPq~mB z4HfI2C|dDzT*y!hcOsp_r|sD|(^`n~m8}w)KpJ4lsf-=acFccQjuI7SgH#KO7le$C zu$;TE{~h#NV3r)frNc|gF}Erp^|XRN8XJ9?`>IfK`-dOyfIbsoRp}9;8@Gl_ICbz&=s= z?RD#N_RGy54=t9^+TB?eX`*!)I&S15Q#-S=lrcR=fsB(d7$l2|zPcYC>FniIFjLPK z#VS{tX)7s??W~qR0^N%E8?~6%#ouMDDpBKH5UsyCR&y`WHKVXLsnKA%TnN&Y%OWLE z!7F=L76$v0a;L5y!mz-y{>hEe685H@%};*#x0GxA0~=dXyNz1$>)N4SWzyOoF{}@o zx9*QD(7W|(chj0|#pJ?iT1UrKe~65f@C6VI$4hMd1*}C|Ny0YoC5Sv=KL;%Z9b;qeGXx0Mfp~J!{@F!s5@ z5G)NlAP6hM`HzB$P%H8O_$^q=BoTi!RTr9mE(=xO*H zEbgykH0#~IFAM?uk6lPxhPweZ_%GMc!#YmSK2P1vuhb!!gsa}9ujaCBUFSPbdMi$E zvifaL$(R?amtKFpPSWs8fz2ZY8U5-uZxc>6YI<7?^=dHwn7MR0U5?{@RF^0<+mCzW z=DIg41urTlA28ehZqTPR?Y*A^-j+1n4)3H?PIz!s#Eyw5|w zG|;}vkEiZZyL2{<+s;I4K4gq507B!+q;1H=+u$#v!}gzE#{~lVz#PXnvu@sx)N1jRa< 
zuynn|UI*@9m9GK`YZo$}^ilEJ`rP_V?HP0oHe2sm7S;6tA1ext=pCmANM5ar>(9t*L8yWKJs_V=}i#=hoF6%xf}wq!V+h>6{`pHYJRg5 z+e!ga5|`2{oRxJZ@nc@v|ArwD-q-Qo-(|RQ^VJsDE9R?4Sp77x zW2=Ar+Wo!Z6BImPev?CX!ji?10~%?sv%u1IraY>TVBYoCL{?b2y}=F%0WmTS_l%Hzq*dR$S;j34^G9(IZB>l0?ctt5Dsn|W$Y{#`aN2kOth1Dd54)YO^lcYcOs+v!a)wy zCkwTNKhnO@JlvX*I%TcYkh}PVN(yk7Ve;jG9O4DY;}nQ38|Um6=*ssV)7isKWMq?_ z=G|)45V5S8ox_tT3}XVu`6M_UDGJG}7tFpB1tU58K(WjzKm=yVz!GpHh$lA^=Q&XK zMxXt`XIP>ehr9OX9DI-#{pCiD48)BJQiv!K*nv~c6a$jxr=6*Slh}SqK&vS4xoN9? z+qPeNu`>Oss)1=`U^civB;goKSuQUN-^N4-`QjZoxfW<*F#ds1*xPR6KdZC{Sz?%`JozMVQ9m%AH2dKyC?#ab)L(`@XV} zPK&GOp}XQp3{k_>|RyRTPMljKkW4Xew|;JSwtXS*Dq ziEYSu88q4cJ;JG~Uve}k2gksXhpy$c^}>Zs;bdV^ zLmEbFXy|QZWVARuY9KoZ-99o1zk|Y|Hi4W*4(W}OQP3dA`9lpk~A*Zg(W@2`9mGQ+P-lxUN}j@4Dq48cAZL=sfowt`U&8wsM5zn zYMm`n$pzhZ{!Lg2lVcK^3zA2#luNNI78+qg8=^iDn2R*Og~w(w$_OT6Gd9w+u0$+Q z?2IjU&!8rKGgb9XAdzQt)Y=x*kGHJ3P*s*z>Ow~XHEw}O?Dl%N45{K+`Cfs!10S7cAi?p4~MyYd6$0Zw_3`jU8UsazH|Coi`0(RmYN>MYb)# z;T=?|sd=UZ>BGySrn-25d+Dotyjn@P~Qa zdm%_m^v?1Wa1FR7yams%ltCmaTv5~BFXx{PPsrx>sywd&CtUAhd|w#uxht|XuHg%*J8 zafp0W^6M-R(}p_h@lw`0kmKUMppE z;)4J8rT84iu}zyHqTCA207-y53>=`Hp=~QO$F@3%ssgY4rHb zx3@$we*uW%N*2(cXudJ%HXIo&LgnIi`7R%-CpShkcN@*G*XaV-DYiaG-#FGFEjMe! zn7pk9X_EA_?ju}trgFS{%wToh;OnP%uYtD(U!TFurtRl&afW4{=kyHuwRk44@*XTnV~t;bK*ykqsXOXBCX8^sn{Zb1EGls(V(Dk!GA`zoF85p`?T{?Gm! z_vY)dw65Lr7PtAp^ZTOxA3UgTrrpAMlL?W<

(BLkDM8S%`;Z}6OO#&SmcL`RC9$%l2pQ> zpfe=0Fz3#Av=$W#3DilvmaY7l!oLAX2ATY9BhPYFXO8 z#x#XzfnNSIZ;gLlVEmelGWwP+YS_=*hO)2NiRU`=*zQ?UtY*WmTnpODwAFqv0mLfN zH736rZ4#O=Ed5J#os(yeXTKER<|ai4{oh{7gAc2T7RIh!)XKS#@jw_H7!hph=sR z2}%7ZKUu<~Uby4!8s;Pme9+KBw*G4L1h=s;{$(xMC?snHj*b4VHt`#Q^1?r*9crCi znLk5Gl?qbsNR)j;lD`!~YYUJ`N{i-xZ&}Dt8ep|NHxed6QC29orP(MpjkrnDf1hDB zmXD~`z+w}Zs7`SjkV=k}mWhJqes4@Hf(?w`4HAfzW0Q$5jk*sXl#i#%F+|)~j6!dO zpe)y1VhC1>sPKIFi)RP-xg2`RAHmZTkMo&d=8aPYiJ(2L3}YF z6L7rM+IEqKh-lixf6uP}k%wOffCJ!{4#WOGRxIt*J7Mp*3CY+1ozRzhPuYEL^vRHk zOq^OK+mJLyYX?UCBnnrj)PCIB^r>1t+mZP1_o1f~5rx|)er1&#W@$)7-v_<16~k49 zO51#5hO8DLG0jY2UA`KwxSyzC(u&AtVkJUiUG6k7OPS~6O)9%pE#p&sp{P~hSbq$J zVeNy@oO7uuaf;+FVA?$t>0qsNTpn;Ef^> zjHgxIPb@8W#I5}HP)zD+3A12CeBlSTVMYo;bszUwyL5QxNL*{9?(W6>#d6<@^4G~x z;rf)BMAJ&;T0yRMfK4`Xs~izCN&*S&4~S9K(23l+y3JPR1)#y4Q!d~!EMW+lSKA1-5XK9seqYv8w}KUXS>rhf44+WL z&=P?hdl~C2gjM`_RaYfz8lQD$)sJS3e4h; zu#z6*{YrO(kp$|n2cHN~&zoqVT);$gFje)tuS5$CRIeUX+U==TS`GZoJk~CT3xy(x zgySN7(B%&n=cQS;W?ATK#XvB1z^A6tQ&)sr! zKH!W2uuw)Z*=Y{suF<%o;Lsz&Z+Sqt+y0q8eD03yK+(D=Y|Z;{lsB$(yEk3San)^r z=>KBn)xehXXT;kVcoqD#A!HNFYk%n$+`p`UiEXm|G4;o1S96_f{Ct7ys??YelfNw?fG=xJx1xzpHcm)FP6nE}7A_j7fHtU~?Be6Hj> zt8Y5jWDgs1NSAilJ5Rv_?;}H>aJ0AKHn;tDkB{ZnE!orSSY?ot?rhUd;xpNJ%+cSE@?PTZC!rQ7?ikLkekHPfXbe}l`ex=_0A)(o` zEb3+Qbo=onU5!_D-Br!y#<4J1mtX!o$`KRq{zw5H^8x$C%&S~h#@Dk^eZiRn;w2-? 
z3o#3@jMWj_;$;zVKa|>ICs;K^&>6?lC zqohzDjfzl3FsyY5Pu3$K76T;ZupVVI(h9dWVPDK$;|h5ACHfx#&_yY^wrH-<X z;-riCNFmHwDpm;B1x0@*JQn6m44>${_^}`yPFra@Bqd(jLMPKgl>+GxJ&Rvx^A~rA zGE6A1-`EY`q$Vd(gqWe=Hfv$ENklZLs$$?|dZP2~$~9Crzs+ZGZU~tckFCx-HgT!V zyGTP)Fz$+Kgc)JcZ(o1OZ1k9B{vOt0176DQE>9^|ORl^&*fr z|7U?pKc2Z0k*0m%zDu;%-hM| z6sv6OARq70t5J}s0;{2 zZXwS4vO0pa3j6%ZrJ?baWtSJyeo*7&_xL$|UAL8}Rd*Rx=!bb1cqD0rrWRVU$a528 z!7f_Dx6WQ^3Kv9iqVZsl)Rf1LKvoy~l8}@59v=TKGAaK0JL{n~)exGfu-F@4iQuGY zOOas<)ot4!zb;n-KWy5n`L{&YUF6dn>&&QqWd} z7tM%p`|YWkRYF`zh{}->$c)%aP~7y0(0Q~bO0g+00>cj1ND}#ab{4PINe^^c;uply z(%;Q7N{Hg=_k7w&lBiFR5}cg^{q2w~BTn6E!?8^LEc=rwex@R6LtvT|<}Hn@S1Ayb z1#b|+Cig4#$~Y}9N#MQijP#E29G3pr-W6))4Pp|8tt>W(lJ;arYsD>X0L+4_&o(gh8E$g1mbui z1u->XUpT+Yw~wB=;6LZ2_xpfJBR%=~d2*3yB$w2(4rX4JOR&Yng28E3ty%K2;H_ZB zJbaCxYn5se1W>rluqhFSQxvbVO-O|_4oEDHvO;T3WszoKI&p5VR*DlPYlaM0W-8#k zSTQAb3Di{=DP-|K>jtw(%C}$b!<7Xp{HPa|j6Mh-FQGOZPo?mlX9NZO^7?ybgjftT zbrbz;GzaU+w42GL^E8`HHRH+EHNp3R1xoY&;-Fdi&0u>{1Q8H1`UlAg!L$7bUJc4P zm^S-ikm8Sw1ibRy&bSTdf01loKK}HcvP2fdrsyJ;%Dj8xTCm}+A94M3Qs=97Q zv})@jK!<%^u^*Kv(;+Ys4@QWUZPtcb!y0MAO5SH@Ybvf_>%wi`e^kgaz>aJPv1(pm zAj#&aM>FP}GIQ|P(+V;8|Yb{ zb7R6l-V^BUu`(l|ZUIJVMPuRDLc=3`r$h8i)y0q@j4CEUvr8l?j_8*SoMpxOp8|@G zBl%`jcTecz3A#GN0_P&L>zsvbcYq4P0vORxidu#p{(-%J{0Dtdecyk+-G1I(Yo2k9 z6ShpM`YUsve5y8Xnq9e%o3>0{#0u5=aUYjw5CE?PY;Y}UE-8k$yT=J?GJQr&pWUa| z_T!E>J}_kFwFRaTizI1pO1;Crx7UZ-TdBeKyFFqIC@ofnJo^D)Q^nKn)88Z2wLX9uLiKRS% z?o7F^_Y7ry1$uq^&84pK?U$9xK>pT)NA;EpZympww|>h9ZhF8+8ykwx{Y%2O-d%ZA zO`1CJvikW|GYS3+D4_LeaXflsOXr9?<;hLk-4|x<)!P8Muwza(a2bUYwA9JR<6;VQ zABBPnJ-ImshtF)OKcsm1>_@eD-+}wM7lv>BxS7|$eHdoW^G(q(@;)K|y%SyZlW)k+ zG*iI*+7UzdMjtojN#)yKhb_l>m+LBT4EVU>9R`&~qwZy1BHRTSXEx9FypGn^_X0)R ztH^B`KcF{@gIqRmj_I2Y4hLA&r_}-MS6yv$)#&!V9u>}n9Y^Xw0^hqV?c|Z2N9%3U zQYdTlPjdGowB`Qw2uxjLLa)7!sN|J{=axs%g%u8)@!K#s-t7>RdnRl6cpcW(4a~&6 zlg2ybCEk9Tn!5T4csOWSe&6{#Y_aI1PRTCL;SK)WDLLkIeY^zlDUIkLceSn;U40n! 
zj*oPOydF;i?h40YI6474UKC=|RV*1?7J;ZyPaHDau41o#H{r*ho_3ew$5~ygf13im z8qBK zL;|l9;|@zfIQcRjIp+jP^FnE>AtFkXOx=dWP{`rSqhow z58Osc87oaurKg_Usolf;<@jDBFCw`5Gjx30So>%1cGPddZZNygnFmE81f*gJkyNB? z{V{9}8`du65GgTjjrg1@LzmG(%+ZRp32>b1*u6a5{(dq9#Cwq!Q7cm7_+mz>VYjzE zXjb2b728l~Q%1Zi^mF6QXeok_v}d?t1=z4M(r46oRK9Q$8T@UIYm8z_@Rf@|OU7=Y zh@Eb?HKvUe`YyeqWT2=3U(lX>>HbQcRoiS$kbV;bb8jW`>|R2Sv?7VkXLOXGhl*_l4$WIg&d>VMnGOBtZFM^bGJ z`%gkl1{0kH4Oxn5%^LiL%~V3t8S0Jyhn_wO z_jCP1&4iIR>oPAjIf1i&Iz2Eqi9%X)u1p>Q-jP)z>O=)*8uo>D=E17-D73tIgJ=Fg z8fO*P5x;T@;cGe8O(^`l8iN6AIw_Z7wfw@IV1(oyGY%3b{yY&H)-Nb4%EDsbb+MmD zzBKw0A}ao;=!M>xsAWd~_A)s{U?zh&r`C~yzZ-|rb;zaY^}ff8K*ef#X0TEI7(d#O zQZ1$KC<<(Ihm~%xYIYm-hw+0ypp1mT01cxw7C2J z(2Z*t{WG@YhtF1dzsm5jDiM6Nt2H~7=w%#&;o@u}vUcKBD2+rl&lXJ}ET6(0O`KjF zQT~1Nseq5cr^SjE(j8E)l7z)3XImO=eQ=yQ3l@RS(~h=`QsOKZcv9v{vB_vt8JZLx zVnj^b+0sC%ZT%_f)RK*lARwh66?rGRc`4<7g*^+q2S5t+I@;tDa-to3Y~{Je=W%Z0-^=AWVQcm>e~TfvFf^TL9W!Vrv~N%$!VhrV7`@b{r#Sng7f>ok6u zqMnN(I!WM5LM%uSn!qP#z1q($&*Mwes{(%}#BBI-eQAO?B&yFI<@EFrTK^UIPfP}r zT2&fZ^|EwOi?Fm})v6?QXCEe^La|>0M>SyKccMt%)j}fevYeYZ!SYz`H}cj=Uzr&f zy6{tM;7H8J~{2R$`Y4_4$TeK4#m+$kp_4M z+IYHVDOnUI|HBmS$)QK#xZs(eV)_3C1QZV!7#W-c)Si5F*BE=R0Wu#=aeeMSp?WDH z(5OOtz$B?y&;dUj96ih@R31@ez`(*Vn0kTuxZM0Y>#lY}_UX;ixOtP3)5;5)Uwu0# z|L{$_8qDBxc_bz5MRWtvgR>m(br;iMf6Y1*0^A|Jl*7A;Ax_`abU z_UJb|Oa(jz^er}c{DHn}ez~f7m_3=EO6PASYmha1$_O(~Cd>pUJ{^5pwLGPG8Q$4u zgFd5LYFyvus2{BwcY)g;x5w61UT>@Nwp=95p8rVhBE^%fH+I_3G6ADva4m}0pG{Y^ zK5?v9Tv-Li1Gy2{A zZThrZAM{ypsSjc>*SpO;-~oQD1F~4)Q$}>U&;GJJZF{piubY0pH%^@Y>8*r~F0a$g3D^1lTXJP~mKD_j>(7)k&yBTO`S&mo;!A(47q-k>D6w+HkS(wdB$y`ex4 z;5I+|(hL3lobS`r4F`VZjED1748hA8>6^{VQ19`F4 zxbh=Je2M?Y99QDGUA*#X*42Dre%u#{K)=i5!i%rN32;N5?9V!K*Ji z1aY|Az0W_!*y(5>YN?xp3D~%Q!M))|;x$y2q5|O21PoE!fjG|jM@n8ng*{-+y2cb7 z!aXZH(ZGK^c@j|rk|`FN&?t;hzR|{i*#lqW{p8P;C;@*SSssKsdC>dkR>NeLF&6H7!&@&p~`v)glW&+XNgHn^Vy2yKL^|I#ifs!p#s1a%<$Htse zs`yE00^I7BGj4qY0>4z{7X1s!{4A)AokfOs1c!--M5F|`!GFv$Z_6GCzfQPXXc?ws zf&6WNNO+s(?W0;H7cp^O2x4^CGr@@2M(#9DE8a8%oh#FNty2Vk7NI~cBC~ypw|j+} 
zt>49r*3`>J?uUvp@rX{U%)Ef0V!BO?eY8n$%{S~=lR30hEIDuU9R%i|Ueufq2i(}& zv6=OQ&7Kc-{j~1T%F?Ettw#_qM$r)yW{z_>t-7r%SGa~MSmnAIOy4*S7F25fna61{ z{_{kZc53(JGjHgJllqRHHauk96IxiK1**cEmGJ{wIq$^z)WJL;^~zI5rq1eo!)ZCm zTs5i$3xLS76SMm=9E{$Tk*x?ay+UXfaJjQYo!&7_+;MpkHV4Ox)Jc!Iir*n|bJI{d zLoL-$y=|hh*lkr8)HvO=zDho@a+>(nEz8S^@CjHye=RIWE|b<4{N|}gKG2j&F9PjC z9m)n2t%BD2@D#lD$ydSBl0u|%xh;cX{AVpGrZh2wNrY(zyvRH?A+b(;7@qkZ#!B+t zk|r!&J(4xF9&)ad6*;oGh?1_t#%?8p3sN#S;{^-JDBWHQYcMI4Z;kA~i2A1R%A#)B zI33&S*h$Cgpkv$Y*tX41$F{L!+qP{x=@>i7zB%{cf2oJ{w$``4Ip(NQql(HHQ0*2L zl^1Fu0D+W7!4r@BTA3OonF;N@mIOTjfj|)~tUF8*GH6ASJQAVJJcFG0ShFv9*`Hy6 z;Qkl1fT@#?S@w2<3ItVM2|F^(Exv4=2>xl@d>`<~{z@y8#DJ!+W;dLIgb#N4RxU8} zf-QrypiRSGY-hC!MOj3x`UBx?aX(TKtc_w=`PU*{C>9}LH_aN31B!D4jC9C@Py@!e z4k^|!StERNG1?s6CQOaG);OU|_qJUf4qvTg8NBt!xX|7xor9g9v+v2rlY$bW{>3{o9g+-|%?~)N1~&b*axhtar1FrM_lWCe~8O4H6oZu!0%WG?&RF zEWE~k3YLtveih$K>Q9vj+PexMiX2=3zg^&Bzu7OibNi_vff>IfNeg<@PAf5T?rRo@ z#1$WCt2m*Zg2Mz!S!ua7@ocwE8Z+u98fY9W!6Pj85X*!|lftZPWcbb~I0Tg;Zk;0! z{c3LvD^W;U>1hv>VuU8XbVt%^N>aa{gmT(wHm{;Rip^{y8s=8ujN;-vlXb!hj8>Hy zSFgcIhg3*l35^*XG!GS`;`pU9XR2+ZO^9^#sBlA)wY7E@Cb&YTCG26m;M&*|tlLF* z1O2^25CSD&<9W`yG$?iI1W^Ts8qQgD@<%k4rOW5+>V<}sY}2Z(OqBVkn^4g|+u1r5$=@dq}AQu(siEs>gbt7Vht_Y5VAL!QVN6KT_j3^Je0A z%z~nc^I`PpOf1zIzcY^}?`_fB$!grD!o+KKa|!`E-|VY#YZ>6ZsY>A@)}8169c(bm@eCw>S^Kaiu;xWhTe5=s??G>=0|9E{}+WB_B zRjvo>9FUo?@x2bpMA5yD9U*Zz8wj0Oa()u1_Z*$NkAlroeE;3rx07sc?C{h>GehUE zk#p2%ilY4%q-M@=s}Jzw>w<3g~*asi2-P zSF5M=d9m#-pY2)CdIm$@``BfQ|A6Z<5J&&(T~l?u2|M?K5tzK4)=EkAK2k>u-SY)J zD4Z{{_%sY0_G!(3zGjw!M(v$XeP?c5LEzVg&yod32HJ`OdxdLT=3P%=3P> zogY(Qi&VdD!ai=S-ipgqb937BdQ}`t)A#(-xT)1M5a_x6ps)7yz1FebzPa>X$aw*$ zXZG*(TbU$@VG=kD25!GTZdlu^Yk6HP#c;0?Y=;nf-04bI*nA!@FY}?4rh>+wK|9AF ze`b&mIOx>{l>23vWiaz{1F=5VAH?qaDhS(1lQt#PHB$i+XHEgH675iNEFqSXN6>y@ z!5U0ATK}Mkp!bad6_vz*mCqkB{KP7XDNf7q`p$yh^?UCm&fkZLU`+Oh9p3Mx$nwpd zSZQXJ9Bmj;F+y_?vhYtiS4+J=?FgnrmmbY!{|*=)TWTEHk0PlUnlU55OFv_9Gw2w7 zzJHg4Hi8lDg0V)lT2ikl%8${680p`6rBX0YDi~wk-63vFVj{>$0=WOI)yjD5b3%g= 
zEsc;T;$+}?)1+%bEx!_137>xl8b*;pdKHE?naaw!TCXoc%0V}LU7kOQ{`q8plAcXL zAT!KgjPG70l<&62;{>|{Qk0|Nb(3lji11hx|9$OSLrTUE6E9o`@ zj@$fV%o1UUn!OlbnBXI;ln4u-@2g|ltau$)!jM7$$r=W^dDBr^(wM4{ubrM$JySYS zB29gJ_WiNiS#w8PzPJc|+CO11?1({iOw^-k_m)D$66rRZ*W}lW&|6C*M_!kQWBM)n zjBaJusJ9=4B`d1&$xd}wUTw%^=;?z+Ysl6-n2TXT6aV1a1s&g&>f)tEyHrc!*qr;o zf?(8Yt3m{5>r|EU`OF|D!sQAK8!HMdU4dNzM$yf1qKauPm>5-qj##p0^lNU_SvIh* zQXS>uP@zwCFsZgw@B__pR_q;FQV~AI8qDiZh2u(!VB!bmiRwl3zt~-WC71W_aFKwp zYt0r+qx4&OUTZcG(r(&VA z33;XX+;*1-ArM)~M?)*`;!s61pv66knswI9s)V8RB(9z=RWY2tr{X0VNe-p)$B*Zw zICxpMg&*P75{Oso$gZ$p(rZE@!;Ev3p&cyQWyV}YMx_5<8dQ{HjUnxW1L$9~nw zq9#^1XsFkyd99S}2#$$6x?3vv2|WN{{E}d({Qz<4k`_B3tL4btVVr!5F6T1o$S8>uQ-V zY!$52kftlmj94}x?uk;Jm)wF4RcQL2@qfw7qg;dtbA8v8w6Hi_34kal9ZAY23Nl-7 zUfdH}RKAQTv6!|XJ7tTH2%IY zh9sYS9jxuR*S2&^TEyzX6+0%8W3^@ptLOCLAcR0!s?262OUjdnSdyK#e!hg%b@tlW zmESOJ$WQkQ{_EPpenw@FY1|cEsFrIK!n(4saRxQjC!brK#DK0zo~QLl)MgAdOub+O zkEd}qlWx}F&zFr;vRCTSmdP}#>CW^MZx-5nkH|;jnq_{qJ5Hk1Kr5) z%1o1|G!=Ng_n4i690oKh0PIK^lw7Wqj;Sh z&u(ve9v~j^8{;I`MU>`bs~10BgfX2k`yd0R;ds(MwlU;g@3k6t``YxgoFEHl(k0Yn zV3q~NJ_GfcHUM7!0Sej8Q7nT!ic$xBEovH}KMxIok`lsW!%7iKrG+BB@d%*x-Ba-t z&8R-%JmobhLn^Egpnk%(6omQj$PRzdp#|@oW_}H+I`J1}RlF$e5+<2Ag++#Ka#|_Z zr^^zbitsn7-0jt*OG-$drj&(0Pz~OtVZ}Bx;U>*xvVOVoLv~~4KL84?b9nY)nFRg1 z{qGKs7j$x3EPZMe2NIFjOQVH)CHwGK{AY0Iul(oNCrXyE3IgmM)*C46Zn*H|d}zY0 z%a8e@nNQuXpzA%E(q)Oh<#nJNDB(`zxRbnc<9Of-Ya{KdU*h&^h*EnUyq&?J;0+=^ z|CnF6X?aev>glo$hRoHzuxRyO%Df@rvi`F-UPIEllDt9e`t&)Heb>>EBNky`pWs>T zJ~ego@l;)i;``7eQm6vuHki%R->Qb2fagIbbg!e2>oeV zqnG+p<#3HR!r?05V2^z6@FLFs~f@VC0z1OiE++F_xfs@eE0in&#bP1^~A zOwwkoLN0KQlG}R;rUIj7tHrZ*N(FTNbpy<4{Yser`S~O=($yg(qt60Fx=Q0x|7rK- z+-8^=s57ZceS2;{`fxEq(klJhm_3u!Y+>`3@3|^{=M>x$_WYY5B?WjJd~xNm1#i(f z&9s<7Z|id}mDxKT1qp`MJv%USXdwp;s=Gbd*`u&W&wAy$6jbMulAA=@v>*Gb%0rS&l;u@ww<~zSW`s<~>0+QT?#{rl9M%jU}_~ z@VsX}&E3s*koXEBxCTM`wto_EUI`jZys*9sx?y&#o{jzO~gH{)MZ=RUC;kV*+QCCL1o(0j|QNCUNWxfZ<~`?s_qR%B9^O2GzI z_2P^EuY-;$WYRJ{yF8N&CCjAx568f157S(CRXsc^9VuP{4Ghk74)CAnNAWP3)pWia 
zBWP|3(`g^*Xzus;rSf6EO`&PR&6~<)UOl-3@rawhtkHF>l>H{sxM@&b^4`9Mk5^(x zv)ZN|hXwA8W|+o=Wof6%)z8%$yTg_gCbN^yO*=7UGIA4n^hWYW6`TvvXgowP#i=bj zIx{eY$HQ&Q|C{Nun{6c4XsH5C4xH_ zks?xQB3K<~Iki{~^S3OoutdhSi^r8w@QKs~8Jp$Wq?vNS4tF{I3eJ?4eJYcO4#@k( zH)`5Pn(OGiRD@T%wmBN<$aGqaPATHVqFObiS+SDRA=fzQ9bH&7W=O9UD;ayE1{OtY znpuoLL6u>&VBMxRZ}C7!MzLZdTSjXYK1|wv;Up|RR*tmrFL4P5qZbdE!e!z)Ga$>h z6g6ke3PO2caa++sLtAZCfltjQ&6%G^4J{l_o-V-im(X~&Xij{Esd<{H>3~FkCp0Q$ z1A36S;XcXlB%Y*o3Wxp~Mwv=zIA8mO-BYiEf9k*Jg#hg0&rH}(EDegKl)cTd9sF+?;Ue>~grWqLtKIi!<2fl|(kM6bB*HWKL{=64^%BSO z-snrf&dniM)54rI55gVLij@3#t8rApS4C-xd%0{fSzIz33B$4Ypx9+X>BT2Kr%arh z$=P=Frs$m$%oL(ixyJpX34AQMK{catwKGy;@mu9L52^rI=!7MFyo$A75HB-TnmaPZt@ zhCwN(5~ZwOrKH7ItFan*m3$>NLKolc>*p6?KHFn}8wI5&9SS=^UHYCiNjtp`|6^)lgBphjnmgEDxjMOnFCh*q)r6{=B`InU8cJ)yD z{STk^xpM9lLqiWI%wdtbpRUJS%O1R17WmO6eg6yH$>d^r{$p*A zAxlgAG2TX>Ug6B1?Df0@!iLGqVYbBZ^Zhv-23d!VIX^Vv#vfYvuW_z4sb0f zh_2xFF)wQ#k0W_yd*3JJZX7bNfNpD+T-AN7);8a(6gCRI_nJs9owkv8?VJym|156x zi<`R;15ZP4ww(7;!lUyg_;&bj+jWp%kA`7i`0$)_1h~P>7!BV)ixNL^bpBJsN{4e2k40_CFe1vX`Yte-tYPRTkRH{Id-)b`A|vSt2Jtgv}ud2(mF!h4X+ z#;lg&13Ru)|E}C(Vj%I^IB#se6H*Ckh(&ojpu4E5-8;DWupAz8j$YU8K=>djK~Y4pNW96-4Z}9Dy-4J+J*8K!1-Xy$gotUE0y)XJ*jwDF0{ig80Uk z<0t>U`o@I5<1-K6Os-0&WoZwg|JgNHmLPN6rrk;B`nyM>nt`rR_B{(g@G+(HE?VIj zWZ(Kp@QL@~ue@*%T4Cvq2Dz9v@A>F|&KO+?*5RteiC)C(R*M*H`U^CC65L$53%WszuxEQw3ov3z=qc}Vd3vx17}(<(W2 z$4ICb*J*U5+C56uT;JXL2_M!`RZgiZkPQ*}D@PzDkxYGRlNzLvu#5P~k0)saYpEgv z3hunTh~v|Ue`OgV&<_isiz1-(Lwg&VL)@!aWOool0^ z$;9Y;M#|Ml){7dqB!+vK1a%Sh#J8MR%_B&#?m8bK`m7m# zjMeRWXl0aZhAf88-#Agn1J~g@AtdHSCo+?)^GQT_N1LP}6`IH3rdL$KmyJ_K&(_R} zETwqe0^yA0r7_U$gp}0q^D%9b^k|`mbU9TC6l>&*osODU)GMjXp2cnDp9$7Fp^>zB ztwgjiA-{J?U{Dqa>=x0`;cE&*fZYn+T*wogp%WE5#{XxUGc?b`!#h{Dq&N++FT(K_dhwFD(oV`TUC4n|lE1DB$ zNUfB0Vvo+WpVuZ*H1mu0%u0+SMR%XI=B1fU*hn!BXe7^Ex)0{78i5=?ltLo zZ+Cy3t&pgdoonxgz|$BY3UEz{#2}{?lmMHW>uhdX?*!fMye45kwvcjW(9p$qur8rybXD~Px58s^y->~2uJlec4Jx}!r@HzvlF z{l4BUv1yp?>%Z4FY0%tm{3K@7*7*KGo#pTmer$+e!bD* 
z2kORY299+uWO8k}UD$8)S@#i7*nWhQ__y}!-E4DryELWWVBk!(UNvD9hdb5$eb()c z!6s4YbQ?Sn)Vz7Fm}WQFP!#j;Uh$Ke2F(r3T6<4=*>${1T>6d9=>zh{inozK@NbPj2Y+n56_*P*<^zo#@*A)aVf%#vmHfFaEe<8w*98gcpt?4^8S)2H^ zGbc5UF(}@WKZOu2`;F^m=wsxS0W|h?CYH9=suEG8(5uY&$KU(Ed=1vQ8$D3y?ynVT z(_X3D?A^&S?RP&xrkLQTSNR31g=7m?>Nzx}{*Za@$s6+VRFqc5L4J7&$)$Y#rHIq@A|OJt6%<>%G=`&+XQ zgIu)Oe(FKAa*J`X6vZC^1a45vjM$RL!f zsg!Oz$>bQyBTBPw5P{hnZ59n>h%w-qK8mWQ)#B@Xr`CkG?(^6r#$>TZJV_7R4^xHg z3#kjl(IH~Z42qkN1AudQlyO7|tVof6@UA6KT*-qoV6+~mNRwIyTmhzE67v&@gw+Fr zv(+^*-dmM=odv7{prLv%#J(YB8h7gA*IS`Qw#-x_{nlefW$2qdAoW&a`}) zcAB=mhJ(2O>0 z>h�W$E$ns+~z2^{_qSw@-7{(P_}30e(9C&?dFS zf`!#$Tc8ki)FlIo%jrv2bK*sVF)xnL(r6rq*KwZXn!?nNSDO{{OHKY@QVN%h8^r`L zSfem(9N$CaYctkgtQfD@l!ij|?ru^j5uI}kl3JtNTVxcoQMyC$1rC(b;cixtD(yD7 zMlt4#60`o@OPdU^$!U4vT~FhMka4(o8w|`Um1H7bX7kBWtu<>_4?(g)gvTFE&M-9? zooI8x(-?5d-K$8hERhe9r{;Teg?AW%73%0HyA>IxTYbM?TA+odT>LrbYLYt)P5Dax6nCG;*%;uu1Jm4W(> z+dv`aY&Hm14u15gB&Q0>R75R^wOpN7Ny!ohejXiD^@2u?HqJ(=@Q-vw8tu}68MUB| z8ku^PWZVyYS(O>~$N#`P2`()}D2@y$-4FD#)~I4BTD z0@TNXD~1*U*3${P>=E_436}w0<99y3!*BVjZ#)DNJ$slwCy%|c!cw)9Y&L#`p&#CIANVQXMDQVe0rY;k7vf4NC69=hy=iA+;EyW7*wDkcxc7Ut=&d=VD zfmrTCB${n=JFcbS3fl+fr8c+MiJ1mn>vYrf&P+Zhbp$zW9sa>d??@l49G-{ejOw^J zAeXBwgRa&$l^HQ_z0M_00-w`vhkfzbD`vl0-a_9osu%gAs+K`60jK*vGh1gh7gGjj zWtZC4Ua@{<0vw>%CjC|CQogSYZ26gK9rNcS|DKQg@aw0$3Rqi?b*a-!VFRVMqp-D# z(q^9XaaIO<{~4dFdgp4-$GjbZx~uCM;_l@>`#&Vvt`^sM#!NqV_y2Ipzju6?FNN25 zKP^GuOtn3iyrYxMc&!jS_ZLCK={WoD*3SOAAz%f?+aEa0e3R2v=gU||(s|a=@#!IVr+Bxg zCFpyZz>|8_Ht-e7dbeBrT{uW)`2Cx%-*!v?yZz-C^!)z|YuMvX$-Q7t%2!#1#T%YH>EiLd zeI!wgcGWDvfpK2+--rW}d}4s?Z*vzH4Tp`iawB3o%09`NqCik?9dq9$zU#uTyOrS( z2&Mj$jp870f}eMhlXrVCVZQj&I(bTma@H1bf*y4ce?&Yf(iCtmCXO-vnxh@c&U1oAVLuNp(ecoPy$`cYIZ#}QjkHC^Y}2LPvxz`UwYs0DgeY_2Z)R2zY!=yFu4?fIZcu#anW_Qw(8jK-s-nfic%jqczluUdV)ksS{A+A# zLjg0`GP!umUWWL#5P|OwjnR)EMKQ=0bgb=mIt{hW7J$Zra^8OS(-2EC2S>uDiefXs z^4G?qq-!`bsv0XG?dtgzT#yMyeE!$D%1+7?VukIY4x@cuCZqN-HPym}*+_FW@`hXD z9%IZ{fLqlDbTpxg$_5c>EVLv#evwMFT7@)K=0spO=MPFYe(6~e)@x13)>zZH(Ni|Y 
z3~2{K&AGS~6p!+2#S`|qJ+|`6T1EACB7`}9cg;-6yqyyGDU)5zEt4jgU{P{-die#T z0iT(;Rq6Ezs({42`@Pnki;UAagx|A>gq#PCEj3PdZ64LNQ=71Trq9C z&pp9gvKNK!`2;a2;$tepIJtD&Dmrg{}VbM9iwajWXMyVEIC<2Z`Y<5|f6VvUa z@enBS;xU5?>6wlitsEU8G@HzjIU>O+%$AiMpkHdzCy;H7u<;-l zh{qlNgWqs733TzGx4rlLzB}wtM&T*q5Em2kN0sS}fL}^zvDTm**;0;>?3G13uF{Mu znRxLlfy1V-5_up975Rg%7c)5lk=M1j%FDOuw?fh;g~S5{iAg>(k zhan@4795ua0@)sN#hxNp35*QbFr0Y&*$GIe;_sJHMbm;lAO6jV}#m(hyxs3ofQ@P zR-4cEjn%J9JvG9Nuy{9b;P6hR23uO4M-{I`&>}^)PX9aG0EE)iJSp4r$St7WX) z7yuT06HS5-R{_teb$(w&McJ4zc zB;-N@XOF+hri%2+^w?n_yK?0y?}TK7-2n0RNJuCMv~=k*Tj6j?tK@ zmQUzeTzVi|{68gi7XJg?*ma45scnXMWAxacvpn-#E+WKX@EjcFk#+hJh~*X8yPp z-ym`wiElu8+Xc=fmfCb4N&{`$KZ!`LdUj=-oabN@oz1U3ciA+|_5D~u$J2sg$BNXp z?RS$E_^C#djuYK}Krq>yZQiSA^DVAU_X+Eh$*s?@?9Z2NapxNyqXnKB;`B^3=Taa0 zwze6f7NEk-i_%_`^k-EGyML*~HTN!lmFtP6eJ6ok%NrX`+RatVu$#>1YhbFIfc7EE z`$a`>9S!+ifaaZnq}?F3$9r zppS2p2(!$N!{)j~7O-@=sZV}K>)*((`3QUuNo7MitGxCOfw0WgqD>FFgLPn;E|I$+e*o)^IYZo92~~3o?!M9q+?J zV-gRWhQCxAHm(cgy-R}YZYTYJxvF2*yR$sz`Z8}Gvgea;EfFStk6NG`x*kYS_-_MT zmpjXb$7JGL@;8oZ)~>%i&$qnGPf)%ozcdkCkKT5v#rFK3zM;FZb-GSI`Ps3pKRUxH zcsve$fFYPup6!zO_D|2#QRk@{mU*;kouKE(*O1nqr4q!s1v;_DGwAon*XoKT*lB;W zFApUxQax5d&;Hnd+$s86z9RpxP8D5&h>m6dMu07)sv8wQ7QGEOR2r}Lqv`v;GLL$83!}qK{Qoy46Mk2(r61uD9 zsp>m#@6v1I1U)T-38q9Z%$SoPRwRs=V)SO&N|C^lXp=nJT?cV_W~cf9TW|^Cosx7p zdqyEAsw>78lrEs@0x+s$HpFZ^5FK%El5=rjBnVh@9qr>$Ix_(>Z7yhThmkkLU2`O; z(4&Qbt63)yBiMAzQ<5Vy&6d%m1c_33c=aHeIl=2++(nv|h=%VkdXBnW3K{Bz;GQO3 z{$iJb3>rS}E&#>lC`zwGQ~p(Z!{$Y$A3Lu-Sy64VAyr<(qaIbR+NN<+*)vf@|B0O% z2}q1y(q1oQ#Qi2AO97oJIMwN$TW3kgHNeq%4*ZA1eX>%tXYiq%{s zE@h(CYZ$Jq3>_Rw3&WIG4(MnOKOR?=#Gr!QxWZX9`7~#dtyv;=8 zK272`+9e<>e?kb&Ga6w~Jo0E&sloZ9Twj8n30YuRLCT3fSSJj0=!sh7kup;z>@OK$ z&6qg#ohDMXNvVe3BC}Q&qQma9TBG}`+7+Z_C4J$xT5{4HVZwQYiQme>`g7SDmOP@j z$|gT$Ol82R{^B7sN(7M?MzJ3qJ|4h>C$m`0$)>99xH|5zrN^m$2d45%kZA8HQJ%UxVJ1p_A$RBg`BlCr?apSEM~A^)E;jcsMRBM4^Z< zdY>jkYBv42SU$U4IrcLa%^NVLMCmi14BF%f`^wJ^!4nXJ^at0%cU2+V;AXo1NagMX zDqhB!Q{=?*xqv%MRuUsi^1kJyRhkDH2iam4@68F;uKB^T-{oF4l*<4ieUig<>7>3s 
zY11UMk#<5Zi|t=^>b$b+wf5Kuzp$3@;CR!0$R1Ff0vtRXnX*mX$CEBOJ721PSxpf>t|FEJn($ z9bb|H1IqG|vJb)G@&YoJPU|Tq5*Q}xDc8`UY8iD>Y}&@0(7HmlFM4Oa?MXwB^QrU0 zxA{Wwy-@rW?j-dgd}0Hcq4ck{tjF6Ms&Crr8)vpoxPUe=sQjIx*i@Q>$FA*3l%Y~J zQ_cK#lF3cI14Gix!E0^WR74kn#V^@ZJN?SM6l%hVIp4FHddYnvuekcrLjaMIlj)Z~ z@}!*-N)gqKgbI~dB}_{a)Kxc%+Q_OyKI&=aTgASwb&J3S;IN;WRhYDrTg@Vrd2M7n z=HQ*A{~x>xa-hPG^dx=;PhEn12@dW*8-~!|nRdWI`7{ar=$N-^@30_hkdzPXdw81P z?b#$v!u#8&^TpGbbbR&SvUg$O)9TsDaSTaS_ovG09dmWpwBZCvSGCXfVG_!h2h&IH zj$5fsr%YmA0hZ_e$6{wrWdSeeP)ZHWw|?^QRBsd!>#ENF@R#ybPIrIH)DLqh ziQF^+%lHku&XZm9l=6>%S=nb3`^lWt&*g&m^M7On9QR$TeBBtgJQ`lUlo{Ot0zix- zkvj=N&5$-`k+**X?)J4C#2wWKoz4FUxNKQZpq>w~Qa`VJB^E$dAjfBapu!4Mty(Se zW2tS9?jiVXbZ|4_Pp^@9`oCO(`fX)DpL>Iw{hqc&40L?5-_1~Ro`!w@*w1Ei$UNw4 zQq~=vUbP5l?@Rx?D?PdN*sV!}{Jg*k$BJ!z7)y5dF)tok{y4C^V0IkcO)0M7xMJx?hp=(!yv#(gXkEk64_#Aw{Kz2v*=Pfu-MY#K1PfaVwRuNV=$ zx4ah(x3<*zCHODl^xL5I-N#N8)*dq0H1u8a#|Rxe_?LgW-Q&CzYIK~<%DwUNH~QK? zHqmJ?K6E$?3BK?5ifHJ(?a?bFB#u;X>nm;2rEDR6cCvu(&WgFFdyc0!%=sObrZ?qc zZMyFZbT~P^+zStKwD#0bTjiSHTAj|rSF)RW&2K?F7lPj+{kHwh_CYPI-7z2&t@2pE zn{)p-n@MAU9jTVVKzBRH#}JfzQwX9^t>&FlYZ`n2<{E%lj!QqO|EMchSvJdrGXdK4 zI-wk{i@*S^g~@-%9>Q*mVwP`Cp~Hvnenld5e8fzdRjC)SNV-J*3Kt!oGwF53mBXZV ztW$=5z&}IM&MW=i7Ern8T9Yz{RR5tU8|OkdnV|)pZ)Hf^=!$fM&CMShTqrG=xr|n( z>U0YgK+m&T4Q+>I?1G9uRx&%OQPBTgLfDth>M{CubS$Y9O$H@Ml6H}y9T7RF*yBY>*%3XA{P3!5z(HZ4l>qV>ejMMaBmjmpDI zht(noReMde!QNwjt$oL92FL=yj?*gX(o9gFS!oyKQuYDTlpKXhg>>H(sMHEDoI+Cs z=QgpYlPYlI!8Li}=_zgLXt>~@T#8ZW=8XzAlsiLCgl%hAqkTDl;CodO#^)?u7@9Q` zhZ-B=E=bx6LrC^uBsGoN@DV{y(z2kG$Vj!&|5-Q_rew?{U;p@pMr72zhE(qfQAZ;c zt_(ifj7nl}7BKgN1j`#{3{mEQ#!!|yJ>?c&JcBZ^6KeT%*@SgB*@+mfeh5I8&SLFy z)O;P~38nCe3qHEa&l|XSj>d_+C#~%~&RuA|&$UJjb&~yx^)c{jA9E=kyd4el$^9_* zOUdj3&b&W>(6lPk%TF$XtKn+rN4d1gw`LlzTGK05DDd&Qt}07j;uhuLe$*rmIp$Gh z7yKE*5BWFMPPu$n(o-V99-X&@MVVTRTQKbBhv^0*FRESX_Zcw z93GWrKb&YY_&c~P1C@1wJG&2jgv%siFk@J=?CB$tbdfh@J(c(9ml7sFq*x^KN;QsL zks3!ZnqD(^pn}Spwh?YC6_*rvEi6()7^{Ux-Yx|-{OWLmYSZO65#;?BpQS(ER;*g1 
zOTk8M`u(2tE6eTLnvi?(T7^-*zoQcvrM`sJo=MfW!s0hYc~%qOwSx}XN5FH+u`Kb~ zCOF2`q<)^9`A33&^qGGq#^9AEB7T`y zW>K15Di=U*lr^ibj+&}|CWqO#}CbuH(eC`J%i&#ZpskEr{z%ja_# z^Jy)RmbjmlV}_}a=kiRB`J^@#NWCVFU=F7R_AMjwR(7N7mt53p`=0LFa?Y(-LF7Q-nfk zN{J3ScnvE|fgeG121kyAe@o~ke)oP4u%_%0k11u|!+tX@wV=|0uFx-&n-}#;Dy1nJ zLE88Gb8M7qh3cDWh2B}hLAZ5WqQ%AmK5Q5g49)(Hpc`SsvU|iKGTMgwY@K^BREWMo zSt)tWWdv=Kl|Lg*n`d|4QsQwp+Te;u2v8F_UkmtwjAfdg0WJNGxHI{0>OU~~LIRoZ zu+MiU$OZxdb?|bZbE~+tTx$G#K&Wt-Mr{CGKic8*4k8tgk5ukj&eAfwBwjCHQ}iks!RpWi_uN}J(K*XLJu^~(4jB&@C9Qiq5D?UjuE{Uw!x z{*M;VK>=$0+HMD!`?s+rlAeyi5*iHQ#~9Qy{E?w#~B$F)_(#c?S`e9*f7n zn13yQRouF7<`Jey*~+wmnCHiuAQR<7^3g z0n2M338QNf*QJ^pnBe-;r3jVj)hTr>^Yz2xCFQa1n&|QuFFTdv?Nr+3w+y^DLlJnp zOhlIY^b4HX2lcdl!hW$_ukL?q4g}3uw=Dgn?toj5B&w0Gb>oo>gEMJ9uAtZcPr=ul zT##n%K7HB#A5Ha|=^Bvc{ehs|K>D{Sc=EyIP8a|x$|5ESNzA<_9!rIKW+gf&5@)>9 zSYm@mk!q2sP)g@=t$=KatAwPwSd^85Q7Yq)17)>u&|qA{P=tx6Kak}ANn>Hp$ya)N z%zcxy&e$Ve^Qyz0TX%s$gi2H_9}Z%qmPYijjI%CL`sQ%gt#xNDZ>M~NWz?+EJU;N$ zI{2i+&iyanq;2g)vNh<`1-mL`5;ImEL076bL!Qb-ixo^WNR0Kdw`u(sM_@EtTn>Rz z9G&c_Y~7qCqBT!vBHgR#*1viWowHg<4zhP?-IC$3%IFKQN?C5_0!P592(oB!P{s|w zl^)HILd|x=4OyguHt8G~wOm<$b#;umvvTR`h+OUy|W_#+AhjoUU#=P?R2#c4C5BrD{d+aa) z@+H@iVS>m_h6IZ?f~4Wl;2QYKuJee7)r6xjCIxU>3zeZ~Ikx6rSa~bu-q`Uq-?NhI zENQcClOw}sx$*(%CixVq*I!Z8-8K!M50Og?(b3|%Y0aCR#;E1uEHD7ycKr;qlOgzI z$q~KcHOxV2IUv=e;F%|>+e0j=I`gu`qAVzP<{kF)^L56Dk<0%%_w@{vNGp;Tck^e! 
z2{WvxAd*#a_`1f5|4la}0ws6ZRZ z8)Ei%16JdT*}}nF8Ot{e;W~D_B1t@>`2yv$va0CWmW@E&J6kj&%bY}fD3cz8lS{89 zge%lhGQ){Fc;k$ubv@)qp20MM0}c{1BDJLs{(=p%@>*roj{@6Zh?C!xVX;s}8@8rX zx>YEM=;|`e!xRR{w;r=HOSWx zLlX=kmSC>?;^Dk1P!&i)PU>%W<)_5kq(8ghn2#8UmRYzbv(^d3JUm`AGy zd98j56D!gk?@t(b4Rvicg!yo5rP?0n@aj71Rk4$)^(-ylkWlh(>P+>2vNd##kgRmp zMeBx^f!6R!ggQTF3DpU{ONcno8{$hP1Z?VhMnE^kTrI`9NL_n;2b6LXi%gzv+$12g z04m`7_5q`O*{R`*{J2Yu)J{p?9nS)`)<~^~o$;pka%)BFk~y?U}gY%KlmFyw1J)WhotJ zY4Lgb=WW9OBkHW8>WZ3do#0M_I|L_aa6h=aySux?!QFzpySqEVgS!*l-QjR9-TmM0 zmwMe}?6JqHU31m^=47j40pzxx(e~=>g}a`-?e!&!yqNrlVH}@U_jYyb92!tfUBhLs zSniVkVZ|HO#`6_j`y5~%;M=P4G%8En`}jiGxXAM}tb3K$bz6LwD)ioU^J3c1)jz?(>um3SbH}i0-+Xy1efcuAe)VDDZPoda`5A0@h#JRvc);?s z)!uW{-p@j7N8A(5_r78q27Fd~vJ?X80)y#St< zwCAT6=O`2We@b9V?HgaKvpM{_4!)}^)V89{F?hqC(Su4mwa*r&bsdVE<2Ia&P2=>A z^Q7m%uBY7-l+(IbIjymk24RfunGcV*V^c3jblzuV_Tb$|4s0*K$MbnN{opn3yT@Nt z7Y-Ml6QJ_|cNQw&Hc?{-59BHHQWX$sg-AMmp$%8cuv@(DcV_dgTw&Yc%nruV6S_wMct zu=sM5%bFXz#%7&hg6B5ixazeK?65jxKi#&I-6Sv^%b4e$d}JL!m;?&&^IH$+bsj2IojMtQ$djSw{3hjG zzs{^y{HZ#~!^U9(+df*kD}|Q*1((S;vs3d1R3WuQ*7%+sfmG1gkP(?qRX3|7|E z(udTNc_p5w?2xo-DJDd!bK41lI|wS1?$WYao%&WdI)fCfP9%8hcEl#wiwWgksu z>aVovgiaU2JB!&I%j7g699E!Vg5)v~44Qloqo14n7yOfrC7xmsH;v6X*>IcyUJcf^ zDA6hFDoEEy1D(03(wx9Y;|3<3X#R$aYt|ycU#hMvKRMA9W52B-sf@eZEi5tgPdIy` zn%KA(e8x<0k8ukk1gC7=yr$yVXt8C(s;!hJR^5XjLStTR79Ixgcf4^j`8j324Jp`F zmkc>m=VYO*^Iz#$Xvv0Aj@L{rsOn=S2Y6SnCcDi#1r{{hEl$z6%UVR-jviY?{*#LHbbQLA*gBS6o z2U|v2s?;r`_I%hzOno434}PxVw<`t`K5*qLO2zF%jIt)`Hb8!D+m5dg@*)wbMo~WI zu%!Cg)Mwb6d~U8vGBu%rO*7u4P`HQQ*L7e{_e20ASB0MZn-tTR&a&t|%0=oJs%(Zx z8ug!pG8lNcJ_e8IS^5OV9tvcUc2Y^IV;2jS3UcC8tScs?L?K+&1pXm~85`5?oitVX z@#RvT(%gzBq@awLI66ltHWpH(xHXu+s46B|2o5bP!~zDU@kpaJ>#zdlyt-tSq$4q^RK8Nu0;Q3&3u5QS-62YS?lzmzC zd6#SnEnRy&L9!C4(FC5KQNE3wDnk9?+!vH16ZvX!m4){t%$Z^hO#Uvlwh=e* zNLd(il#}ta`tmUJt#8l`_K25XageSkFYd(*H-IMr4=2KeY)avSL^JI7SKC-xJuFvP z%!ZgV_&>Hvi+M)}+yXUWrf)O_lvp!j1_}h`OwB|owIsGFh+K&SujPW+<1|CRw~J-S zYbN-DWHFU#xJxn?qv7L`sX4xHDpFL%l|}_uGAHM2&PGLq9!s`~MySa%Xg&CG&i9yy 
zdYYyE|MDRWEA(%{eGV9&4(hcx_Spi)x}^F&Y+nJ$#eU;tr){Br_S~|o0`Lyb?>rhj z5DWs2HC?vvXhFYuA!Yi=rgTbDA+e z9MfL$+#cVtTiUNl^EO`wV*6gxblp~Ix2{(eHN{H#kZ$|`)jMD>>l#>(Q=fVX^1Y4g zH)cd9GPx2{TkxkqF<9dFd!dajG1G5yzS={4f&ByMVKvWOGJI0kJ4nhI?#oFF358bIWz~|dsRHj(3b5f?) zozTh@&Yc}vqPJBDb&piN_gC7WsK@esBA&+qbB1U2w`s>r*7*L#+?JH~^TSdGJ_ax2 zSqgK)r^GNl-f6w#<{%UfdlS^oe~E058@@~Sj}VzVyF-h?Ps`5+5f=4>HCt~x#jPHP zMV*H_z~fDe+d$&;-fgF4;`W2rNzhiRJKsUFyga~oal&2eB<%W1j+b}Es~)^|pTQUB z!{G5oC9lqdnl*IQeC#?=efvCl{ej(#!vD5H#=dS7xA-+-^{wkX&aL9uYPkJo_Mi1M z=rBTaUGI&&G4pPGiqt{!bz=|j1QkWQq~kUsESK#q(KQ9wxG?z77XCiV`LgHz=|z}P z>pU4dI|d)Nrs;|BO7HH2^q#R++dH+fgM;uFzs;y^;{K(_B}cPqLt?e&VMF0lDT?^^ zwvY0LhjV2!b8U6Ye=E!90Js}ZaQY3{-qeQ>d{eE%^1k(gTJnsL^00Zby*aD?Nc@2K z22R@sfXjzZyYxF?%#DrxKqJ}2;QrwuG;A7CR2P#9v#5E3WRqbVrC`m5vXV2mzQu{; zswG)csV!z9Xch4iYoYL28cakCig_~}JfZ;&!VF>rk5Z(%JmDCK(nZ!TlAyw19SW23 zB?oU0dhwU!fZaUVR{lPtQ6|a=8)QNjrolvu?Y@406=ne%eT4W3gqW3IL?)C9y*zV~ zuBx*X4iN11iu8zFIQ*BC(UNw5sjN*Y6^6b@o0hwOF0=@l;A}t|LjN@~yElL|CL1OWO-aXW*KtuaJUyU`AgT_{sGV`Z2h75eg$ICTvr5 zp#zz6-nA|BkktR@ltZY?y6)kfQ}S-NY|u@2rFb-NEz>}Z3LAwP7j?%t-HyV_G<;$q z%t-ejCf_>9NrAG!hAn^bKxSTziJEVYun_^_nM5u*!ITI0ZoE!o!a*QZq*wsmqB)rf z{p$(lJKTu_9UvPrwRJZ@cTc)})cw|#9&d;pCa7jy1-ea#sV)sN=!2w2c~YDX^de-M zM>#Jzjko*xB0Gh>yXyHCF8oL=WFzcE;#%@?!~z!V0e-OPPfTvVi)VlK*@86uly5&3 zsnx!G5588?C>vBPW*^va+nS>^-l(s9{z6N}Hf^j?JTW9RFxHeMB0(iF5JaC78zV$( zy^JBCP%7^aP&^fmJnF#B5e`8~#!<{RQL!=EK~OD!cFUlBx=CR=d21%J8dNi5CU?$4 zNHE4Vs5t&chvi&9B9UNNRB5_+{?jHyTK&O=R|4)rgtuOzSzQ{2FgOza+X>h4w**<{ z?CAj3_`kn2Im%Q1^cb;6DKbTyRwF&te~mz{9P{bHR-v*Xl5VyxmWv_699c9|u42D+ zz5Ah%YB*d^4|O8f{l#E{6=KCTYLBatH1W{^Oyz+ zwgFsxGh$V4pjG|+L*PSZZNOmd{Qo_UNkzwc!)x=QmT_qx$<`@2LKC`p$47PaoOxKr&Qc^om!2#6A_7fNWv1EX$yPS zy+WO^{F_l;sH_pGxM#76@#z=Eh65|MbOhvjKsZE%a0BIZ6J4Kt^f`Q`jLiV` zA*LqjPd!{|$%Yv9HnSfTut>aL%H__}3}%lc8}knFtA8dZX6NR^e*Y;)0FTcJ7f1yP%lglRdo+AD`>%H! 
zNS#Kh7+tXQNwK>JyrA9?UK1k-qftjHGrd26j{Moq`tj`TI)}fH*h3RHTxIjPa`0TZ zmx6BLU8hs803Uz3@NL>|&tpE}4E_fxdYZkqjkdL#j?G+QJ-$0?^1r6-zV<#lEb-c0 zxtec#mc64vi;T~fGC1C3Md_2UQ|kdgoR;^*ZQt%U-1T}6T4N{_?_p)Snq9+Tl}4*^+wHF7c|H>rONK}5eUd` z!)W<0_1Woth~vEybfj*r>v;D2dIFV@)4H{@b?fhFQI9ZNHB%t#;emz~E5v7hNa zz?q=1_l*~OI9_G&U3K)Q%nZq$>D23f)N44ukD}<~Sa2-+UimhS{Rpn_{X8id+dES)2eB$o_{#wNDTt@_jXtNO>8Tt)*l8oMZ#^EtM~j zA=eJFmN+NBj*o)f)EHT+@!-aGJp7Y|Wxv2+RxV=EuZOuTUl`-85-Rzk3n8PX+?hb0 zmfi^!TO?v;OHbs7IW3teOv`UC8ZFiD%HSFFnIus$D+yLDI`$)Ew%c_tPnpM1VjAM@ zE`ee%_bzeJ`WkHKH|uDwMSYW+EYhaXf|zFrnKn48z_`o1iYlcEFKNaQWW#CekWvYdy*Z8crGd>0tU#Y4JC#(}1GE}x_{(`nSifXA? zgxpgVQ(z_dOQ5r+(~4*Np&t(xhajAkul?A4tVBif5Zx9&Ok6fZ z*vc(gHcYZO*c_47f)ygLLYxrOUPw};nVQ9|AVCl6R!QZTDwj;Y%;b*qPxS>ViIzxm zL=or)L2hM{kp7j)ID^yz!}%&vW*rxF`d~+8QT=^?6p7bBHmiS}Q*jM#c9G42g_J!J z;L$swbB*V)Z|l>|ko(f%Ab>UFjrSSgu5sgi6L?q(j$2Ujt_jz48~74UcT%i7OVlE% z;s9CwqvR~RV37i8I!1Y?Z1t3tymp*tsSaK(Uj+76JT^HJ(Xb?sTZFibga$D#@|hex zG3b|SE=INsE$)0$MWJv_$)`WX#>6+uR2Z!W560pb9vMua$iUZR8_7Nq%cgo2qYY}b zI`pF^yP)hmE=J8=L!F;#?M7eCuA5ZwyrT`&gd?eJNClT5=ggWSNn-=rc7`d_B!)d{ z6N5xys;<#fs{%FuA|Mn7DpsT8cF?qjAZ*pXeaBFeA}+nF7K(~2gGz!4Ra1|~^T^X` zFlzs0L4&Mv)R8_mnul(jZKh2>Z_SCzBRWFiM9rziK4#u0vN?2)C9Lj$QbblEj!1Z9 z|1qx&^)xXBWC7d}Z_5AFUj>$M%mLn}x2J+2KVAgdUbs-@f)ojM-n8~*2fk|&%P`6z zsLsV6yB#FyArHsfV$$I3K^ecYd^x6i2*4my%(hD`|0`lW)NMwJ8tiE)#2(Q>Q_xL0 zOBPi~mr~Ut70XL-2w_&x0PW1Qq~s9fGK}7)^@tBL`)%3@QR(`(1OD4Q4&VKA+ZmMw z2EK8S4jTt)XWHqS7uE9Lc_}V?X${gb6jM!m!7-tjXTt3ZJS6RD8}+w zzXupZmm9Dd&W+LfWh$44+O;@~sAHUq2!v#qq(vF7~%FqbHHL)3-d}YlJp2l zwO|>I|MhfW(O?Y{{ZF|ET9YjFc7dipk(^MHAC2H0YTichlP!`*Ye;RdyY_L?^t(Cw zYmhiU=Zo`)^G549l|`VO!XH+iJeo)i;+OAThx#ujkJxY1U>h*Y)nCqY=l4cXE1xex z&hkKb0gV?3tm-L;QeW-oJVA!Y=&^7c=|^@q(}C|(w|$blFy)- zZGU0QpNKpSiyIl?U&a4=?uYy4QfKusI!`rh%+?OBFqdvV>^vSRIIei@9_s71F8%E3 zy34eFKmDEU*E>k{ES!p9Pw4#!5@%@O*6g&oc+~wvc>clYRq5!wWFFGQ&sA^?Lq=obBG76L5a6? 
zcj^b4NO~@{nnw(seS!Mqoa5`*OKP1b>a7@Ye(Ruve)$ih7z%amv-8{HF>$%+D?~zO zyK|@0a{LX?zl%JVPfJ6@J#Wtc-V@(1Qja)P;sF0X5Gzq@k~M>=_yyfEbaFOLFRwLi zpPt+`{*A0h+iCeN587+qHFr;QoxJKZDr_ErX!T{PI_6lSYW;RJQEgxD?G~5OrE44? zFKYRl7dAn}DchV-++HCgm;AIhC)2qeBzg`ngnX~^se-6^JSz`38J}G6z`=EQ!l>Sf zY>$nqD6EtglAP%tpS9X24~nn%TPqb_kHt~Gw=3&ZAGdn|JC9pCd|R09wu6V4K@LyC z4#z_GxIuYt?)p=9z$yt~+TR$oroRzfG%>mBN4x$R@v#d6!fq-~w| zIS#)MFd7)#{C78cn zlvy#NIX-`4|2`AKa(X9miC=(RR^car%G<{?*wLXdeR=U)_D_!gBHN`Jn7-5ye z(6_0j`4!X{`tMqMq&Uxd#*C_N%9?Z^dT=MN>6eyM)3jkut{YciOq#WG`sQ11RbYM` zv3(mVdTyVz_~_-xp*Gv?)lkTL zESTKppNgCDcR{mzuOazx^r4WSixQ9COULk=>ZyNWKoKRTCTbQxs*Bh>hpcfz_RW3h zT>6IoC!RAQ^HwtZ-=VGC$DJGm&+C~SM4=<*m!Gi&=1K&0F=Y&^^w@3@C(?)pJpKfO zkxFj1%;&A7TD8}>+hly{%BxJw^v)P1V-aXyJ?Lvgpww?}0*h zb1PoB*9hf3xQdR7HV6T`Gm-YLhyj!!ssr|zaURz zmDEy6hn5;H7*8wWh3v*Hm206^7ij8j)=A27i(}BFOQXOYR5z1)j4&!&+kGc%1w4H4 z#vKQL({m(CwV2KVJuch!rRDmRgB-TUs{3C);hc@cE`9?xMjc7_((ucYp_l^phn}j5 zFb8(&`@=-#^BTneEOi=5Yo->h9MY)wy@yu@aac#)Wg&>qTvzb1C}qUT_r(N4A+(Es z^G7#|DN5c_EB1%H#j}OllqZp_hWZXH9+pABcp#U+ol47sXX}b zG+htbba;$k|Ih9%fF$f z1U{WX#V#QxFhqV&HEluX7hOBdlKVIg5oMEK4?4AMq!R3+h>c8^T1r-Q-KmQdox)+~ z=A41Ty_D9(mD#nM1PU6uaGz1WE+uWcl=*8QQNWO)Y@RVGIZTVcEO%nU>01JH9{;mNF;Tf^IcISiJW2YMs)uN-b2f7QB#ue5^JV zEQapS!!HoH#nmk(YXnOy1%Qh}u3jAYE#k=9zc+orGF#qfnf{qj3L}StNg=R!i3iN|>46N^j9abn5zyG>J zBHuuHxcQmQ$Kb5V;Q4x?93%Z1ySJWQkz)~O}PHWO5ePdZE?9sT{^@=g`! 
z*?F|x|4N*d^|?KyHhgpj%z0e_q1=P>!%yf1l;ANww$FfY&z%}z;ePn6A`1lY>jPlq zvU8N4_Of@%l84Ci5cEO}dX2njk>jWZ8a>X&@xDWWhO;MnxxMTwY4z}k-!|yu_!4`) z_GF2`>8&=M-8;~wy1jSvLDKeEhgsb(RO-A(TSJU}8x6Wb%9W+%@_+U%Wj`__?jK0l4<2%~uJ)4^Cbl;I`Kh z|Me~@>I{yv{BEBp3iv?Eq{a)W0d#Uk;QadQ5&1&b&9{7^lW^|Q&wQj5n?G2~If_Sa z;=?Ttd3s{H=ThZ(_u=C{^U0l1w=S*sx?UdqLPFh~$tB*oTN09Q8XvUn?as3E@jztR z)44t$NALW)1UjaA((_$WMGRZ=v!44Xe@DrlJK*7e{`wZB-v>BA>9J}Y%oI%7oZHc`HreRBfp1lU)r`nJ4 zp396Stjx>K>+kOLtp&{ke%_#S%af|8*lx$Kq-!Q4iF&-w?W)AQH=&r|>+$aXjb=t) zmDQtFVo-bg%huKOrC#fQi~Bm@#OE&XH%?#VArT6xu~Ver0R_Tff4JPT+B_Ej1zQNIer?sLrFq|psj&d&n%fO(B=!dx`^_s zVVSk#RF!B<4d?Hd3VpGH*g~!Lw&4Ua$-i0&+~rG)2}by02ldmSQL(V zePv3+z&4`|!6F>7h`sl**@aRt+||mGJlN-%!r5n)#SVy2soiKg<6D(gu&xtor=DdO^COC7>x;Q_M4q3&Ip3T z#SUOUr(L*5zOsa`3?MI&cXeEt%0$YSy*lKSP>0L1$TXM{9Z=g@P*z)2@owkDatZp5 z6a&2x02N?Y6U@CZgB0$TQ4%ic8Z2d_JSyb%?YZ2M&}Oz}vD~_i_*q!K_EeH3#p%}{ zs<|(pdwAY;3iz1m`yLBQvXz2zdG;#c#8+uB@%5+7k0cp#E(4l2e*heRe%9tapBv=( zGd|g1wX!D9R8ZBwsRFp@?><% ze-yf_m%|zo%*v>Le>D=vPWKsirBW2lfoj?iC3DZBY?pJ=V0lv$pA4Jf3<@Kp)iLEY3}4`>PO6FlioG&KB_>+@EV1i17NUQU#RsKl^n=;KHtQoe zL8UbIUIB=SdL=(wUME>+)Gt=3UTb*!ilrES;_5W#s-Mk%3q&ZyP&=a7BFCxPvQv8& ztNbN7E{y++zFsQ%gj#>@YY+UgVC*DCMDGK*J}K$J^Z~H(`O3IrfAlzk;=Tbt-dm^7 z;hv8|1@u*p=BtA;u!l{5hzp1BQ-^aS=UbJprbN;ylsp(F8(0#6+pJ*tO&$ z_#s<8%v(Bk$t6S|D%$nxh7~dG9~UaKk~zibhH7GvdFiCg>`L}dNuf>UcE!R7is~`N zN%*X!gQt|_KXbFh`XpUBB{)N{P~z~7P+5ND^Gk(E;*$LOW{V*;_?sCgjf`TECb!~TO?A zlGZrxI*drH<2U^pRqf{HoZRKH6iKDq^fvJZ;5~a^w9~tAZ}jtCp_=$ODI2u!G6};@ z)lr%Tfc{dv!k^bs)ApCaOWvprUA+(e3xGC7E8yS}G>bTxh_!OJfV{v`bF9<3#iD+` zr0H0_KswRor1+MCx$XNB_QwD5Pd+ZAdu<4<^{Nv9*iRT{ADQ%eFh>M*IJ}m*c6V>B zg9_TqSQZvMSxCpN6}oN2Zexyx4f ztR!qWPY{wH)UMyHE!y`O&7ZB8_HaKrs(0GuF6*y=R9@>-!;y1*!66@2uXE-MZBBLX zTcw*FOTTD|sPZ_N&+J}@EAX4y!TZ=}*)7B^@4qLqT(4@~|AiA*eFU*BYrc6n^8MS% z1$z9If@AWrIA}-o!2OvLqE&mYLsz$Nz21ta z9bzxdu3*(hqiEnZJ+MN~3%>iL?Dv(GZFogO1QuPY^=R2FEKJf_#sfd2TLQ%D-mzYO zas>@?{*R1s*(9lCq;+NQV)%sN5*p8(W#p1vDJq)iy}zW%=%hnq@Y(|BqW8`Lny+-d?>z} z1q;?EuzsEg501YlBMng@!eo2(zBA91(-bk`#jT)x0H(O{H 
z!(8!A8+9j7TgW&Q|D^l1=4tt=(4S13WR8>h+j$Sc3F}~&Jd%tHPE%ATb^|(u3{D?jCytLfWl!}+lk#o-YcN!_ItJ^MNj74zf`bzCEm|Rh6rId-h5G4Dr$gIW44FjT#q!hO zL_wX*#QnkPz~UlvFpP{^sd=%~W`jT~FLrO@A2Tag9AhS&Ovoh56Q<0@#R0`yBYS`# z)q%?*QeQwe7NI70(~&`p`fUOk!)m6w#a7djB9b@6g=XATl#)S>d(+avg%j#qLc&j% ziROf{;paTAss#gDi3l+83H$@D@Y(doBfxt5`u`OEqj!$)_88IRv@BhyNZRG0F|Ux5 zk{twxcQy!;aV|(z9wm`bDO@BOC3tIO2vP7-(vvxX4>f$y1W9Ug8lfWf7p#apDERV+bgp+>=Kk zR@)US+#9y7sUqsoq}CL5$QGzo?u-cn;3z-SIq46>GFU<6EXO7y3uHS@`a_TJG))dDp=tSYN=!_Mu7S58%F=!|WI~Qn2koje(*3jh{O_8A?tcoDN zKbT~nuz?prK%WwhX&}idxDy;lv#c=_IH{bBwG7*aqgQKM&bo|nT96JY^H>_l4a|PS~=b<+#n{5Z-ljxUX7uPx6km; z`0nMtK&qwks$goTm`JA3O{9?cn~XJ3V6Qr< z9wQ;?a0dv$F(u6iUAg*y5k?M1!{H7_6H14|fg|h@zMPoM{IYGj6MDPV=*I$_!j;@I zx4i&))FyL$oBP%+HIA=^Fb$n;qFwf{kh}t(Qe`#|2Psd@N~Xc1eofYyPAid_vwXr8 zp_WS9iPZn1k=|VZKpH)>Oa-KTF_pD5Ua3b>Pl4|ocum39_PcRY&Gf$tW z?KglA?F|=r)wj}DzW2;~2Y?eQ3>RpifAEfa54t0EvHC{B1S2%VaSV3eZP~Sc;=diI zq#daxyhDEoSm*FHj%wt*OXca!)v<57)JpYa+`JjcM$Ngo=HH50?r|OaM1w9Od*iL= z(=u{eU7RuUUuUQSIF0+`5O^S-R!0^evLnSeo&21e3%4pRZ||!x^|HHH3gvBpYY$=P z8CkBLH-(7qpurNJo`g2=AN{KP>&e_3|6zhdwn;kA7{Xxv`? 
zw~I(rk^4Tp2;@5Z5Z2bFgU`6q(SN&G1LWFU%XeAx`JGr!RhDWa>iK-czI^dHx4NqJ zd#k1bxenvHa{@cw_HN!)A3IL23FmUd&51e(i&Lky9Lpz&xD{4WwXBFAekT$~RP^8Yhve+}=^GL=CUdgT-~& zk2>aw$EZWes9BC1k<&Re&D(9R%V*|;_}J>Zh?NW=ruE+EQ8GrZyCKYQv$um%i=%x= zX%;yhBF*#0cX0O^7;@*@gw>cC;dVc-@i}f|?Xt@Xw4E)nG*+Q!Oz0FD78)p{Ls|y*5pQPvUxoQO z3VxvMln=rrLuKVJvjlz*W`$`WR1cH;v7Zn@l!HWqN~jLYg=K$TWw`+5u2C}Qn}@sb zv)zWuyk(46S&)0HESo^20l%f%i+Uturm$G4fLfKiWP3Dv9S+q>Ee`e;0`S#BTokis z8TYrtx2Ljm1?%U?1bP)Fr@)x+xDaQnT}-ap5&T&UsY&^94aN=$;s=s_C$UvVUo%DT zKbWjKN(7DtmE**?(2jTu=rR0&|sh1Hb;e!dzK7C+NmCRKrb6UTS@8K(w=-8w4 z&pmd-&*nq*a5#;!n#+`Gevw0QpQfZ?0AdA(E->a~M@E6Kiw;!c8j$8X7ORk2qca`a zuK4tYTl;+F{3#TqF>f+!e=9y&fg)c=1*+}n=iPbCLVkzAL+--#l@W6_gu)79jg~kW zfBQ*(figeBMD%rDOt1{uv>rBG7P(HE9xd651~FMfo%B0Xz}sGz%9D=#$&RIVIjg_| z6I+vH(Mm&%8PAXLqqB0AAx3y!VNO@*UGj>gDT(yx2$IO`W3|L;2;^(8dcBaJ5VDe< zL6M0e7&8eIFVzo^jV)nNHt zETBX_Jv87r>C~P3)Z!Jeu6G3RiTF9}Gdh!X^D{d0UGzG)OMkF2BtpFwJ)!^w!OSvi zk@H6q=R88Fqxc!xuFBL>IKh{CRpQEwo4O6Dl5Q2_1zZ#wa!cue*?IB24cUDujh29C zW;)q4u_#j^8>0gidbQ zuhCyJfF}OVUFGPIaSPXvbHpP-dLfS=sJLgx zT)ZsiLyPXZ&)O$jCYOK7ai*sv-_(S~pdu#G3)kttSv$-BJNfK1STaiLn;6}BjFe4+ z9nu%;w6WHbEyohOBHWS!uZAqC!5Ao}{ruRO`ab5wd#dlLXHkkcju+L``@8bT`| zsO2xiSF9D~7H;?q`cJU&QdtWug}}mN&des+1t`~kSL)zo?y{uI7%up~0&ayMXL|Pj z1e1Y?dy+r3LX9hc^P~GEfZD&bRPO>FuD>@B+y~wT{CVmJ&QYfge<1+D90BEg?w0|2 z7mpt|j9onlP8-_Nwk$fgTe>yv2HR)VuoHka(-3rf{g0=YM&h>pt{cPUTroP}b5~3p z{`5+-_u1vo`upleEV6CD>3Dl<7LKh)NZpf3ozz+1CS&iL*S|mEI;W2;6|-)m6}IQ@ zj8ldov$xAj08PvMdRUgWH~xY))Xtq*^-A}eu9Ny%En3m5xl+E50lcy5oHehj#x0#a z(_?oIBEa1vWk}SzGJ1d9MA@@nN~U)5^#@$a{A^I5EtV)j`?xV46t)c*60@d22<_;XjlD zfiUIu>7Ga&?@VEPfk!dK=Qo}Bk<&vnv7cBnP0&WCI8ScJ0OPW+U(`@;hHm@Y%#!`Q zyVKFO)uqG8Kf4O=spQsfX_xo(yA9g7kM(mZY_J8Y@05LFE8WNKK^*;b4hvq?bWLwY z>zeib=dUJhZSf88dH* zZ--RrR#RO>pm#o!r=EIX5`r$N)JG0y+@v)JQC+htCn`i?m@FmIGyR6VVB$?ZB3eOw zDAK*0AQ%%N+bco|nZ@S07Pv{84nIf3i;*cR{R3*TI`=cK9JseN!w z$5aKe$c67R5xIn58AsdHTVsn#r7n`W4Ba#|L4^R~8>^zWuVYfe-M5?_h%e_AlC>Mn 
z4@U6RC3#HHyUbD!$MKf3B7uyu?=FS&VvT9}H;YTu>T04fsbp-wv%di@wqfJk;<6_FF6h1@Zv%f7XHrW2y2$X`w)kFdv0x37jm&(6Qk=alrBW8kE?Uuy zl%wIgDr8Z7m*fWIRYk~5dxEYJPb1@4>$5} z@SPEY8>2L(dqOZMT0gXQXmrD)V(=8dlUtM>bLRb8^!J}@p@s135DkAQs9;j#kbo?S zAC10to5i?0VX`x;z}vzY@B1=VMk(kn1QAmisC#zMVHA7%*w$C&AmSz@9b7)>t6P3j z2&GxK_L5=4>Up!R3%jR|r~GGFDJpzdg>NLZ z;$_IJIumm3T^hDhW@HNbhlBmK|%=i~s04rW6y&moX5b zZb?*PN0Nf%sy#dS#t0XyRwomHG3P)r+C1m#Y13%I&1Pj(wp&ClEUE=6AM07TMe4v) z?1;F{jt-ESObyB54AiCv${$V!~N8Xx3Nkuxd;y?i>E|g%y(GmWI!8S%=p$ zW@Jx@D{-Rn1SO@BjR$f_sCL9d6<`{I>E!EfS~9J1e1I=*ORLNus=?K5mWpJMqN)0 zI7?A`NE~>(QgxT2YmWiI6N84X5a;kKu1Z=qNB7+8H|@3#U& zyouG#v}*MMeN^*unKJRwcJ1t#4%@o5zh$frc31-rM|ES7V#2 zh$oN?ye_3fYJsR*Jk3sURp5o1Wrm(}UF)pdbubOM-QZvd3rq^ueC$tm@9{cfoa&~z zIThWXYTO#EZMjiL-(cssY%lK~KssoD-~jY`Q2(3wSJF*e`|9vQcIjis;=qxjXKc(YkX*#bB1g#a8yB_woh+8&hUU}?`K1FvfC!zR$;iTd&H#R`%5XXVLXI~ zsC!T}nJkCbVft$q$D3u#C$b5=`HBjcH~+BRQ~1pNq5S!${X!A7c2x_Ospd)^TQEZT z?F0Qh{z2yZ>8CzKodz=dALIKMIffT`Mx6r23!YJ<0)vxpT?I+Q4Zmr)4b-?MSExTM z=BVv98lq3#`X$pF%FuF@Su!7}7PS=Liz&wAt7NX)gg9=P*+T?D$L+xya?i@SZHB5* z&f3-T9!H2YaMLx3xh~E)`*x(<`n!?4!qxw6VWDWm@s@=~s2obc>|>s6OG~hb8@6P& zMj-f>ocX>`fs^j_%ingpoPE|Ub!fJY^XFMSl@mnxdVJ1YQ&UC-oXR!~ZTvKa$h8+vW7Aop5e7@0sb+KFc{{6cvt3tYCDW* zWimrvwBKrLlPK>(A@-Q25ap{}<%?G12LjO(IeQ*BOZZLJggnGdj_cPWBI)DlAtLDn zn4b_aVj8#57xuwF>EDJ1%;>p(#svJLSQ@d}s(jXyE-#+*;V_4&|1ns=GOjkHgBF7` zlz;34L8Jv|?C;o4nt%yWmG~X{5TQ#L-mird&pEhg4&85N&(-(~$4PvQq;{GHO+K2! 
zB3hQTgTr@3k}_u887b@sRkE`v8y4bWBJvk6gp)rHq$AF(nZw?)?dw$I5DOPlh2@U_ zkEwTTs03`+K;tyoo@%mfPffP1$+oq!ZQHhO+qN;2YgOy?zGt7k&zJizT+eecg-*ID zRU$bVD{EAuRYh6r(eEkUb-eb{hVnKgL`HX7b(%-KU>$`fB|ZR*qiaedtY1zJUO7ER zQ0kX|4Q3skGICgkYO;dXcNpCr2E;spn$<{&WelGFrG<7Ch=-9nvL@~3gyT~h8Ofw#IBF&8dfGy0&{_8A>EGOt# zaG~IFlxDQ)S8JA#rKc6+rbZrDmsEl4_KrRf%{<4uEf^Kj_et%rPnKH_a} zIYQ?kmT^eOVr8jzITlEHAGq=jCIX)82*#m^O+@i!xz>dRC5W8yK>7xO04HXZmicn# zxg%T@1Qg!V#q;{#rOu3w=-fh#*jqi+!crqf70``r1=&fdw+N*x{zY^Lo(VW&csy7- z$qMF$SFst_446woIIgVQDgz^)&XhPYTNJUalq&744vB4Kn8I|0ybwtgG}MB*$kb&h z2(Jt&Mqx2V&{#@x!O8A%1Ly=z1{cAOA&KFjL&1Ymr{~nKs_iX1vjf(G`jQe#iqVGz zogL{71Hx5@>cmh{jq5~XcKKGeO6jFB#d<4J(sGGZ9)n60FB#$UU_{|cZ2ks+9$l=E zehE*p~5AnIIs0A42&Li{-WHcstGSn1J%(X2BellsgkhIeD0GvPW-{$<0 z^k994$NotcU751f2dQn6a!eJglB}OuAa<_yb#o9bQ&S;OB4$)b*c^UNS|L=@)BFFX3eL?QeMIc~T>?=!Mvv$Yw)cH*GU7{2m z%74Fh0R;151_Jm0!rWg>2nOfn@Gsv!ol2V=>_!H}-8P)S9nM5AtGy;JCmFk^7n}&2 z*SUulu3%0B@af&eLBXv0G&;R2$Bt1{m(^T_ZGT^mIy<}U$0aM@G20xnE9co;eDBjV z$1v|_cis+?b9gMSDQ)F@9@^k^0Dy~ZLH>s)qg30b1?>acJw2HA*;M%6*NeTL8~0e`|w&c&kCUR(G1siz*I z+Z5KB-|eaZ&xZPqgVt^*;D)sL$IQeYL90#caP8Onz+gjfj?)zT+E4d=2G84V-#d59 z4?ruZFP5+MhRD)vmejP`^{hL#+J5_WRG{Itg_n%6I=6i$LjHZ9^L0@^oKcGJjPGrR ze^wB|ZsUZrMz?1QHuJi1|G*~iV+V1%G4T?u-q1x_ok+(K+GHtjRIZXQjwCIM%8)JI)C3?rRZUN-w930xlmQ{=bY zdTnm?%5L7~Ba(uEuT@DxAm3Bu@lzXcU;D(?=XEAir_rZhKEGV*0pDg++j;#Y-_mtawQ~Rfp2s_yK5k?ISM=`9q-`Ij7<1RJ8}{V@ z5sBMQfX?@?EY=4qlR-Axl!saU1J)(q+giOFmaE5g7dx`1;{#N1(YD6cmy;F87O?8%J%)pwq<1VPMeFLiwRilb(~2BKyhA zSq8ltDsfgzz(tEJtvZ?1pvJc83|3ZR1x^w`F=tQM&&`@;qD;%ZaqYv^LnCKS%U~RB zQt*vIH|LZ$Dx}EnNkRtm5Gv1SLYCu-GS{YV{;{%LV*`?xYe8W^+o3~3nmT=pJ-7Te zT6_@4NZXZibkQz3fH2r}rP8R&`vWPcKx=^K*S316hSwVH(w*mIigZ%m7=xh&}Eacy~xjTsN^r>8`| z!P&OsB7T=qy;jr6Si@wSQWL36m2&1%Hn@1yLT-`%V|O%8t#0BjlM=`$Z)ner=ap>S zB84GIM)G~i1h~FN$W1Ez*JH#rFo-}T*m+B#(lrtd#*bmBLQp}m4#jP+ZOi$-3J#xy z$PGTxlf~k|mO;dkDL}T0s*u-1V7@X#vupB%Ez_JAZ9e2&EGlt~lN)sZ%>N;Dn5$%s zK6HN91bUDAFjFk~?+W7sXg`yRX)aMSS{>bnqkx+vDp`wk!k=VQhIoE1PdU1P(s^G4 
zUHq7bnJ(JH+%M^m37=dtER$e`n4Z&xiSz?{066k_l}^)}O|J-*h;%4j6XswW%`e@6 zUy%^mVyx~x-`C^83Q$OiD~{FREla-0akjKMSc?O;?wsFjUP??Z%!iUmPiqLmr4_y< z!qlrbQhe}Yjgm$gC3lbCN-9GB|- zoW$*(P|Qkp0lH^_(_&Wbt>E#5Aw{1+{rpg30f!hi?oN;9y{KD`9c0em#0`AXCXWn! ziTGmXF*97sDmMRgB@sFYNG9}mmMd!2HL|29qS2QJBm5yOAIyD?6$wZ9XYw^#>G~PE zD$&czUP$5i{d6ri=DvZgX%kJs#$>R(oPDPCr6e&k!*J75B|EPN5nMm56deH4k!&#F zL|g>d<((lT-;}x7ADh=Ek;Yhb$&=ZG4jl88lsPI^vt)z%rGN&7>6qkcNQI$wY)frr zVr{l&QC>7LNP(+FBeUvhxo!Na5@J2R&JkSHSt5dFxSPdh#eps~XlyV)O0C+ga<#!+54q<7=)O)qs159+5YbkM1J^ykb!z{$UNO&DX*c^kJDMkw(>9VMd1qj zZGac_^#wNg`U3Ag_W=yPi^P{JBL4ZZVa;TG9Fm^!xeY{*6%UziIuKZ;184a5oA)Vb zd(Mek9&*2aoLAZ>d=7c=z3(G<(3u)er@EZJKEb8(z?YQWn$B5<$!dV~Nll>dI3KDD zSV;F{-S*d%axW(8`w^x#{*|}I$;&9xd$8}F(rA~*_M5yxsjl~eMK)$ihv6!E43F=+ zW@+E1ZpxI);2~$%zrE+04J&NGbL2T>N?$Q%_3F-=Z7p_)-otxw7iNX^penM4u-C;;Wk< zF)q7n?>W(_n%1+NvoS2QpgZuJ>_(36{WtokN7oL|PLJyDRDK)X$3r7ECZx^xVVKie zSJjt&fxyDAvBt)ifkHj{>-P5yJKHK+{9;fY#^hZSN34^s-&h}pN^V%{X=ko*AjPGf}>mHdt+t)QeXh)*wZQjU? zpthFDX&Tx0s2|$VRu0Ovo36KG8)nd8ee11r`_$HB+9Q=tn!#n-Bz78j2rI1z+{ZM- z1bFv_-r5GA0;PLFn;%5_e;224n;+GkLbo2B0W&yEBu$%byu%M1H8IIWQ1RE?7UYRi%H&+|m^$0vBWZDByyoJT?<)#eGALJZrm93xw-22zjT zSAOCU3uo2;sx|+XT^CNaR|N%Fe6tfBX9AkA2-cWFbm-aD>C|v5!4>a-MK?I72*W*4 zS;FbmsM0KSi<5mCNXg;|a~!_JyddA1 zH}2)I{N<5f0RB;rPcY%oAt9nQ6=joe_# zyfTZ-5s@xnU?I)Q^RQ;s$q90|u3dytlGP>SxO5}}n~JVhcv$7kyhTu=1tz_0>basp zWFy@_j-m_B>U49R!4d(_#vj#X=pXtU)y+UsT=I{}%UFM7Sic`0YZqpk^?YS(iO!7C z#>_=#u)^9zB~5-aF?6u2_H*AF451~G%C%(Npt^o7%XUchtHLQN&vBlE2KRDvKC#7gxi%#tlu2pb;qf;DGoVXK~1`6$Of( z&`Ou>_+y!5M#m3t->q*7x{$18f8vTA#xI`4MNG4PsU%FEZl?P#*dzr76iI6eKu30e zt69R)R?|{SpAkxqIcJhh!YEnMjUn}fsye}J>Ju>-@V^e56gQuEd&mSgE|roz3^;#M zDpPPZH@#R{^wp(ZV(zFi%u6Ry{TE}9O0#a6ktjr;`m^0}-rrAeSz1iS=RjO(7+U$) zn!KdTcq<|gscHNG7xy@YZZ}J^HOyl@D;V%mg^3s+mm~g9lGe&_OoH|g9ry@OFV1*)5cnJp0TWX0_PC#;Vus7P zyYK&zc6ULaY6niAjiVK{fWIehw}MPDsOCI~rTt&!*)PxYfCZFaC@66uy*;2T?|-A% zRh!9AJ!-418Gx=w$@7B&tl8SGs+!nc`Ke&Cov zi+?pj+K8!{Zc;4BS^E{6Q;X3$i>kKp!}DexSku0VI!W(T1o-@fxt{ZFx8J1n+Hu|q 
zX>`r-dMaM1+?$^w6la{B0(=Hqo$ISywdU@=F`m3k0QCjVFh7Te`we?r|6O>^yd6EN zpZzNbw@&gspz_85TT!QD0wlhPnSfIi{W<^x~LeFJFxQhv$}Nc6)DOK_A^Isxt@zAeSM_%O^ABlDJyp$2aMN0ShQ!i{>HVgkf(Znv<)RJ zx5D8U4o1Im>U)1GSH|cAU#?&{G8{Ja1Tm4gfPX`4-xm2N*R4i5j~mrT?Rxo)>Q7?; z`_GiO_Vb3h$DrFaK-}!=m$>`&2}aW&1Xwmf;*BBKfaK{cb|j*r>v7cMYj6Jh3!eP^ z`)+nod+XnTHKYu`FZ!5!LGmgeT4~m$!z*QGk5CE}HjKLy88C07-nJc$23MB(y;I0?iL~H_WFvNvTpAhKq_!5lzKGM;Nfcy+G_~ z=wi@}=a_%Zfs^|XUuO;dMD{x+F^9peyi5!AO^5zBI~w>Fd54mhaDf`>9^3FLuxRfg zz)}Z6R9F2aew#&mxiZJQ+^u`&|LGD(sJED_DaqI9j^J*enu>IHTp~k>53w zsT3iMv~)**9Mg$Zbc8;hNs?R{W-H>#DH0SgogqRl%!rcR z9``FwIm7!1(v2flv)ADjY9W@ZG~`2yph?CeyA84lwWY(6Ky2)5hl;*Wz-M&v{O=4D!{ zlMT_Hn74B?SNaPJ`EGIY@{u`P6zNY$eayriK>E=g$A@GbYT@!oaEXkLb10EkrZp{e zSM@*SJN8zC;b>ZOfiJV;4JzO)v)9QqXE~!!5Pu2Pr5coi`QHlnspfCSdvqbCjfd|& zLHOPt7gO86p(yxbGODT-Z0hbT6Sm!`sA1EXp!pB=tI1fN$Nc zo1!EFL)#Feir6#mOZsFno7(d(|CxA^l63XpduaB_`uRVU^WR+2FIaY=%H4I)`xlsJ6pBI&4%$kXdImy7yAQ;@1r#j03=yTQ zAu2nC{aH}hXI~*lhp%uVGomh4@wn$7ui6+;K8)?mRpQ*EUas@f;NYyY{XLbIFXPWW z0~lQ#4f`YAKYQOP(avX5U*(T`-$TyG9{breKX6FYN~7?pme?oE=K%?9L;8l43BX96o7z zs8NPFyQC|FjhYOe(7NuwIYGfx)lhP%GSfs?vbw0pQMh*uIUcfZK8LOB-PW2olX zqePLonY1{nWL0)>twcIiE3;+OaubrI1d>RXZNz1ol+_3l+K$gOr3@XkvpnIWzk#lj zhpzCjQzK9bu@VC_aZubrOALA#a z5Ar*V5Gqt?T{-c`SGm|gER2=4(=rh!pt##_tm&!S^2Px^>GFmjRDrH$L!#Z|{f6px z!k}4J+cV{W(Ke|&Tz#_z$i%N8((@p%E51wYC7`~2eX2ngbdd1~_aWq1&+XxSi#?6F zpY_Tq>sne<7D4(vJZ=?e{@@3KKGQA)N^R=x?_u;bT>4+g8O&?z*DtT^1T8*%Mavs* z39t`TK5DUq+T8=>3xlZ=!3(rt%B zAI@FJK1E)g$39us)K5i+N%~Z;$5hq_ANjY(_Jym@f33G(@)zwsS)G)l(i5XjrZ;s2 zkNE$dhemD%It*@F?4|^LlDTpK4J`&G2=Z6@H;>vBfl$k*o;e-(pq&Eqpe zTtLtZ^oT|0{%<7~W>u%-aT#B|CaZl>IoxJt&6c6(W(PmZX)I>4M_cc_OuFV8RN}d5 z#kphB!npD2cKP8vi+!j(9lEn&_HsqqKMHTR?K+sc(-|ibiEh2@WtwgX%*Y*P1k@QB zcJK1nX&&NA6zFMt0zUmOcex+JN@rgt3zLThCPBLnADrfI@3U^0U(_>KSSZwW=!u}; zn2Mq%x=^}i(3{;I_9JNig(wF^Wu(a};F9NlflF5ba*sR^)Z%3Flmd)d9;exzIPmR5 zougR|V@BL}GGHNgI4I#_;xGFqSh{RxWEEr{OKzfto)a6qVA35Urt5WUd|55yMf0km z))f@;qLCWR+FSf?3;@O15lU1|e{cwIi5kA}~VE(`fJw 
z0_0Y=KbMMQv$hSU;yWT^ti1h7)yRwcN~{bNwEOTQ(A$HvTY_zd&E2=J+nkJ zT}CY|8Xs_>(3f<9`{iaWBhkDhjoV(qZ}IlEvlQ(8z2A72EhK?=Y0bOcdeTOi zX!X@viLksbs|jkul0znFxDC*(1(1uP#d@nOZ$b2O-@`^c$;zO8AP7a{3`xZbN3luMpnfkq zCbmd?-JF5pPs&C}DddoV=$y~h{P)<%RE7&zFRpW@4GovQ5Va-Ba#DnN zay(_YqfgufP4)r*EN}XI^W7MRm`a6Gth6Q{kx$~A-Bf92%;14w@!Ahwk%04i!LO3a zqyPEprh>*I7eL|@G1WZRFVJMUb!%ysNcD!wM~5o;lZr~nan}u1$mU5R%E1V~LUO)0 z9m$QxO;Bjib0(T%5r}8y+8xRA3qgyvFdEj0A;R;wkFZ!k!M&Y;zcq(4)5j&{dtiRcopmA3nQ~!fdZ!mcg&yuMq*&ssU>_xAnA;lXDNJ!wz+^EQXh2j5Y z6Dn8<1Rm&0XN2u4Z1C{Xwi#8vCkdnRqny8z9Qc&btebVsF;r=H zr#{S!y;n=vLu7mrlx|eW;aFt4dpI zh8X#Yg(NFV<0g}-LUxoG8E+|M;wYBJSEp;%s!Jn6uyFfRW#!ZrX7D|1!qyz+75|is zYgR#qm95olDbb^d(5)zulRdSaMq~B0Dr>z`iM$jt=&j}M(5zEj3FvANOh!gwregc4 zquB2{q)}W&?PY+dh|!rW9lD)ES`^gB*vKzm7V;Cf9Fei%Ta_?}cO{wfvK)lOE2fxq zIav;_bO=e)LN%7|p_hFh87sf@khC$I1dMw|m;| z(R}Vzo9OX)CFZ_Uoz2cvFSd_rTrQ}Clx(t`b%?)OSw9=)Ya92kGA;Jjx4y}$P{Z)M3KwGkINPyr4y@XMY z?fabOlj^$ZZoBDr^Jez<$Xsug-BvOiM^7%kf90WliEi$v?I|t)Sg?EFqZR>Yd5N{U zZxbUe!K{p)M@Hehjwg(|N(Dx@qNcySWf?B|O)_#*>=rA^`tdY-Re*672vNVWEV z#f`V;pO4cs`l+vr363X}f&w1nvHF_6`(Bw0z6~vtAC-bF!?U|()7}_it((3~mkIab zM^@F)A*|yudq!YM&dgicCLro0u?sE_m#{gJ&lVx zY>;D*JD`{L$H$!QTxF%Q(*hAaBSXt=L~n)O>)P4Df%K`hH;BTH&}qn_w??N`o$8}% zciAqd7vA%JU;d_J^&TMboHdRai0|g<8V;1(dPuM#)T(tQ^r=<*h5c@RovUMicv<(f8kc(AQuEHM^V|!2WR;j9N`0{nZPx>E-{e@r?gce3kLS@iIA#JE8~4ho6J1JmUw;nOY-?Bl7-W*HTT%)qMI*WtYd9MTa6$sRnR(0h7%nm#Z>zmO6Q z)ND!Uai9-iW9w^nWhzT}@-U|HOn69gT5ZTs3svh+Xl;%B4BE?cGZZQ6*s4N5`)Ut= zljmZKi7<~*6vI}K!;Vf^%CT&od0IxVh$0xEiKrhg`PIY!3uE78Vs>o{C?$`h;n1VwjDN!k*>WowhF!^( z#HA@g9(&b8fBF2@vY5{@$|x~0J8GN8f|FPg*@X+AvNIF%tdsz&@i*hKsPQ|_w*`;8 z#SDGO{amH044dO_M&c)sE-*|`1EiUBenRxwDDeS!15;!U{6>w8*8EdO^_xyZD&6vV z8;WxUBBvwfj3hdtB2H}dMjaKzw8OWR!#~g=tR7ucEg2YsV}}mn2WZq3>WhAoBPL3Y zV;)qxH${EK3)1nn-R#6l>{iyt_VOjAf}qa84vNWU5a-K8)orK3$Y9@~J!yabru+gsMGBvjx79comVq>hojm%zm0cDlpD7pb%IZ#VhbJrRAWRZ(tRQe>;DP0)Wkg|Vg&!ZWwJ*hz;=qRzdXASUqduN9N0RRWRUupMxV+yNx)l(SP@7d|BjIu-)aymoyLD5bc}dM9OX4xz*?Od6;lov%J0H 
z0k!f5jP}&MN=@puCbQhW-{17yg$aUA+A=TC087K+UY8Y}8OwAot6|rDr6_qP-nhA>Vty zF-as~EO2nUK%{%QEw=?l}vY;1QROJmJplq%?1-8KNdI)DwHRh;$OHX%2Yw!&m{^R!7T95T0c?XyybwW z*PHzy(!VJoxBRm%*;!<#JTX`IXTIKoy<4-{um751uI{s;ood$()M;xU4lEYvJFA$+ z_}$joBX5+DxLlBn?=oY+)~s@0-fpaVoLw(@+)D+0K&ye1yLvZ!HeUB}AHGeS$CWkz zE@n?ZTyMOe!l1Qv5&0dj(gACYUU{8%mocQD6?~Zi_@KbMs!#RfSGcwXO8A-g<<_>t z?JJ{Jbf?g6r*HS1-Aga%Zj(-{{O%L?d#^-us}OuGHune0`g-LZt{&*)I`)r^^7*t| zZaZ4~oi2;n4C~Khk;vM0d&`3BZUR2P-rq>=_RVDA(=+EOpNne*fc2O$ zPB~Upjnml%qiqJEyVZZ^=8*+GG|z8X0S{Nr$a)*eZ4Ywm^Cot}i&S zV|&R@WLhJ8>v%ky!-y5Jnr$G+p#M+F;Tj)qKE9hZclSm6ALP+^Wyh@zGpJO*arSdZ z)Ge1BepF|t)2;GyTD&9k7WmX-cTMhl0|YUCO*c;pg4{s;{{R&rf71&pv6`gE0_DyaR+f4*h;#-zzeY2W?&#j}iRjskzBV`7lZFV9+6 zlIL%9Q|mowX0BR(g7cRVxuQ4{^LLPCHJEeLIVV=~xw1KpG@fFg@JQ6q!Nc$S!t-J- zK(~z0*KTZ+(_4|{S&xYfk$J`o%?1E~c=zi3nL7iVWGPP)DaBxEKDulgl?CL=vTG^X zobjS)mxy0yT)-g4L+K=Cm&~B@MZG_)v4W>#(Qv7t6ZsNlCqjt5B@$ZLG#M1Y77prT8cx$$ETymPAbw( z2tvyF8?3c@x!<612fTK3TeoY@m0$5|{X(;AP$JnF$Y4mM~Y zZxIdA9%4n6%Gxxl2669usTfOk@PXk@NFS3TVahvMS%Q$)6!AIRPVs_BrW*u?Dvx{5 zI`t!6b*;y>ZG8#Q9Wf90w>T>^yNszN4ODBgFv&4Hf^_(c&|a)?JsCD|-7-7iOl+<8 zWWzmFt@kXm3Ujs=I48H>4RTY*ulkJ8=Ys;xgY_6WrDg9p%2Ky9%2ZWWT;o^0 ziBa%CjA9k#J&7;(9Ps2932e{LBR1lgv4o#u76tv!@gsEu%>l4mvuc(P&W=xb(8HFa zx{S~$f3kl)3RTL9XQ?ry@X(Kl3H6}3HD*^a2c5$lAw#w?Px7Az2wy^=CYs)0FLJE~vQ#{4vmjtwJgV^@<%Yaz`j)oN zM)8ReP$-3B3Q3Z=8aAG7VnrH^T*x!mniF2n1?QIpzYqnv+VpTZlfUZdpbRS{vqI+g z`)w4p4Ue*AKbxdWN|#c#A7iixeqvH1v`Lxt;-zJ6s7(ewIP7TYgs38<<+0M9C2?qp zkgRr&gHok22yYn zw|RNqEr)1p8I~}siL5a53Q%R+)aF-SWP8k{_O!|o(6N>X@!oSe1kXgu3_-s?8p_5o zZ!SBCkkRbTupG{1{2byS*2z=?$KvO*1zf#e zmc>rYzg>U!j?(_nV?%peb?7;13Q0U_Xyx&it5Br>C{@b+k*f^(Gq|ALli~V!!($ZxYB1`u$=acO4bI;+}yy1VN&D$D6P?fH`GeNk|&_Hj~~ zdfS`8?-i;5w0|nU?!^8vPVjsLv){^L;?}K^b04|Yz04n-y~3-xM+AHoy7YhUrn=2- z4gl_~d1Ow{>AG@dL8P3@xqlYjzB@Kt79`SY?*g7PPB=F8T=qxybQyoR50IPjq<&~v z)y9j<2_7_ku)kXY$Yuo#y-$p}Us;~VU^*gmbbxV03_o{)<3}Mru{M<0b`HZE_$@GUda-=_=b0R7!359Ki-4ZZF8*1Q zn2nLPyV*vpPwQII*>0cBh|ySNp6geFm9*}&@j%YysO279AJNzr?*?4LhuazuvoD%0 
z;H5_}8!$lrvG{DX+G&1$yfKi|2|BwB-5zG_xZGKdnbdRkFx2U-=L7^#sBYRh9#%Xv zz8&WfsSe{4>hl>kB{K+ked!j!9*4h`^42WsxBQ=9?$A}D-s=HUTlq~p+t)=RTVAuo zRmO|mm*{47jmLoTh}Mrk+3ao|ui1&cog3x*p@V{Uofq- zd;rS}X*2Ztw7%L(T{H$p`#j^P+tNLmKL%=BT-^m-~Ygx zZB-y9$De`)YUPt3NstExchLTsG0$jKWD7s{Ac^&C`K{)p+uR3pZOZSD?aAJ2t0|il z%Dw%Ic={GRnwd~x-B~$W0bV+BZ|JXBIubs%hmIp!dd1-rPq3jM_EwlRJ1^JvZKVMD zAyldSm{7$x3ANxTWt8cdb6e>Ah>#RyxWI{_ZD76*&dz zsy8^t8xPPCNvBJuPkvQ2DWmk>EbP=BZYC3!zsPvy6-P$1?NDlW2}`RIFH>0w8Dh-Q z(J5hO#5YP-=p2?Sc3YqM#Svo3*2V6DfkyWBj&roe&l!+jJO?|8g=|GwNE6hQfvHRAc)hBR^{3t_HqGYfij4Hokch5;uCE`*dpmq>1wMr$DsmR~BIQz#6 zG$oO87Q_L>B)d5y=0OS>@aNX|pB3EpVA27iy z+qmA!JJ1%|8ScG~T&&n%kfB)>N6<>k1db7yqIy~KAYpTXb`^g$RA|5If*Hp&mlxLY zxH2Y(NmZpi<{_JL{rDq2>OC(&6^5lo42%P7)TJmPpLD%1hNC=(oLdM zC(*MuMYuthhW4wG^}~W)$(ob*eG~E6ql8k#L(L}Ri2B$dvyjz?k7Qi*Y0Y-NWai+| z&|qwe#GpxO1IN%PuHyu|Sl)S%BMCkiOhn*zGf(y@(4!~zm-1h?&25-q(Ozks8Z)M0 zNz7aRgJ;!I{9~xe907R(EQ%##^HMsCKc9vH`=Kq03nyHOdt3;CO9bDQB@@E{H{r!L zw>8c-Cqdad+-As!M=}`kC*zWNqVxl_^_j^5Qo=beS9|%~8snmeTUNCuKjvwB5vjq@a?!F1|d;Wi`R-+Z1Pm zT*hs20yjx4d4Xg89GvvPDcmsY7V9AY{~ZwTHxaZsmUBVYM?w9u7c&s|Gcxv9#r|jD zAWqaFMnrt>03Z+Wm&h6SFVPQ3MU0SN5${)@PVYIBAos?=_U7FVP_S|?u%&Z@vmTj~ zyZ(7n^SZMNW)4w+>(6yRw>*PwZlggmef%IY|Niy+`)`!qDrhpnsN?v5cDruFlloVMR-XYI7;;pxPg^SO=36m&PbwxLlngnpWeHvX5j zrKY{Jv~k#?-2-{m`8Rm9mwl5fy~i>8GZ3iT>)v`#A)if>M%xX9bcjaBhS1jWUJZ-UaRbiwZ_20KcE2F(cGx$=$8NfJ!{oMI_3Q4&2~we!3ci;3eB$vEezv?1 z!k_K{PEmEtCh>ROIbHTcR=2#iLRWhpucVD#)Lj2fcIIO1@H-5!t~~$-KQ%LdfTNox2>b^{I0ofjoSit{nd6qdhdRx>UxYQtJ6_+cRtY*T_fGn z)pP-e7u3~zj=PbOdOz|uR*vF1>3ZiYS{Xd=)kFE4qF;yb8M6d$+qG@edN+@9xKGgE zc{ghur-C10Ry!U7cWZp-s0Eyt-R@^~*t!1Bc+I97gzA?_eaeXp=6@J=V zQ+xtY4;x?PH^CDpD6QofIzJ)daqT3>k*G$R&lZ8Ry?h|qkGt1cZq!H*4ePf&jfa#K zfPl{vudMHKi$Ketxv6IhX(funZ*y>^g8fo+!?^3vz-ugAb_a>VQgyJ+aMK1Z!nQa$ zwD1lHcs|98cIe_$b@3n?uPBPB3a~4$LOE&WurB7APH2V1YTt13bgEMA1+udXlyxK$ z+qbIjyyIW&Lz52GG~+xxi_MM1$V?Sge-IO7pB|7VQJMeuJEJRqB{Z|(1e^U z7?OCrM>E~e;->K(Ca^Z`1*}}=Fn)$H`-k$dNcDps(WWoVL9JVlQg#H_ASV_{1dwsk 
zEJ{xIJB`O^tWXKkuFm&tG16F5f_Y}^k%n{%datF-lGTZoZ(wPop*$!SCzEFk<^5rH&B)(OPOGp$ zt7uU&*h_}u;I)=$w{&`YT$4PySp2?e5tAUcW*IJ&1I8zDr5MFJp1z2}poo(rO3hE0 z*EYrlDbX55bC};H=z|+TSNd~+s%){{H=gV}tUR|Ukv+_K9Vud)Z~}tVeXMhLkXx zjQh{$CF6{nJN{f-rrA&L&XO6fQN*RtEGclaf$tA7^b2K+JM>C)l%`4c_z%Lq-hSQ- zE`maBlD&)1n+7m=3r0I^LrmFhOYyXtHO|ON;wMjZ z%GsE#xP;Z)eZv_hjF;USyDR#WifGC+5iyTNM&of4LN0?aQ@{o!xKz+>PwCr89}lEz zG_NiWO~sWj&25#~<2*$<@OxmtQC)a^`*9wkk~-aT?eZcfk>R&tEShV5*pi7=!r8$$ zgIv#b{5?)EZ?VoomJOkpKc5sDflV@e7!M9+FYF(W7O&l=JAB_^$%aBne33AfTwI<7 z`E7sK!X)Bwy&|r*OS-HaS(wf0LbRTFnl&oDl|s&?)rTA{4JG)D&|>}3If1yiM!jjt z-83`*M87W=T0ePCE<^IRTr;snE~V|P!8`)i^#2|o4;T@&zyHD3Q;;|DVeZH2jT2*= z@fVV!X*#Plk{eXN<b`vIc4y?`hGT@jkEzgyNx^)9MneB288b3Rs_m{-gsX)cvWh+ z-ja2FKNgMxG#l-{$krsCbsQKCbn(cwr$(Co$uzpx^>R0UA2Dis$I3a zy4UJ%nnqEJ$9SJ{&i2lZ%*^$}7f|xykYrw(YsXt%{^FI7*S2rC8@qp(_a*c{?)I6x z4W82L2E3mwBEHnSJj0rLy^myP%*IA-`|gfu>}QHRS0U4TwfbOxhBwEH>G%vr4nPuk zFz9@JxT-F)^FE(_U$}`g0ACYU0q-}hVhnCzS5;i$T)&Bb0~SAr0wZ^Mm$e(lJ8c`9 zq%&^EQf+zL%mUe#+Pv4JeK_4eu5>%L$C`nAt_)jd(aXGc&q5(_(!5OiWA0x486plb(sj}{PkwBxEA~b>DtZ-J2It;E+V$&aHlw4&;YY67mD68o7-Vtl$_`HpX z0js2_v{XVmwY$lN*nrwm%87D6ICjfe>U}{i^9J60y);=sMKL?+Y-eIm%HP4y#PJ}B9N@9X? 
z4y$^`t4b!<85{C9)pbmdg`yuYyG548nCo*byRS^GO0U`|b}FPnT{zG(C5^^2CgUV9 z?=Tv4*61P?>Vm48%ONc!%rf-Ix*G(>fEu}lQHtswn8vgb9cocEZC07lYhN09@UB!A zxBj*8#Kd-z;VkCQ0Y@hslo?e;N`#s@2kkF9S-ShB;}j?@0y4{Uh{UJ;z&T#KVZk!C z`r=k$ClTJ~9Z;0C(dWf;#}!kthMGa_rvM;H^r#eF#y>j+;YO*G4;miI1mlblMPP{T zh}f`Jz3jrCH`A4v83YQx%lN<2O_7m%#t9r%Ad;}k{Rh!qgn+2Elhrb}B2J`YNV=r>r_rF?^E>f6 zW&yScSCwhINNq^ire-%jstfB_!uMg}6x$EbNljhQ%d?z7HUEt5BpB~pQp6y;Jm%h4 zc2q4+qANK-m~e1bNu= zLc5jvMd7CYW=JTDA`z79rBVAua|vVDoN)v{4WlVl{<_PT>`vhH_9Bp021w9k22vyD z2%Z|dNm)g;LrEaFud!S%Y+Sl_&ylXs=YV0Fpgujks7utB2}YdHb{GwjcMemH&nfLd9I5whr=9`0zT8Ja3%I=3pC?l zU9VZBZZ8E%ywWfGA$OAu)Bg^Wk4-=EpBm(!keRE%cj6(y`*itkBKODfXE47#CXoWz zAYUMma6Atvo$QX;D-rSbO;m&WXy;}wtGsUXed6Qw-X7zBS9cbDHEMkFwzD}^p6B1I zbrG!D19gscxz6Qm`BvJjWwr!2GnJydx~|FtD0FQulI?$cpEIv3+jxd>8V(O}SJW?| zAHAPn+n@V)PHhCd3|)UY4QUwaExc$hXiN9p=rzZQ4@q4m0Mcr*?0-0EDLO4sY! z?5NBk7(-sFyp#KLz1_X~Mlh!Kb!FptW%C))D2qL&H12|ngaq|El9B6{lD_fS(<*Z)fJuh_BbX)AgpQG1r3JE^xfj!3M zRK_-?Ddk=5r&?CUuIrLo-7X#|zK&?V(Wn>zpV+(Wr|iv% zHHGU8rvo3`>c&As(+PJUzWL3QizOjmMJq=}(aquL~i&^ysGdecSEhBa&vN{?_GLNE`cUy!5OVAX~Ed zT4b@$!y-KWcFfDw`~B9_5v|WrR6OcJzwZXFX6bL!=3X&?cW(FA71^^7vyu!|KkF=@f_iAvX*|1>-lA0tu@A-#+3?>6@t{9=W?e zNV$ID5D%2rrYIDJX8-i@0EPk+fhT%=z|y}4ECfi11jXg8}n|tmI?ud07lzG!oZu z_Hh*|TM(b->!B(V!lLD{6u}&mhB;P%&A5x;gWV=Gjs93QMFsx6%-=jQ<8zqMI}RHm zG$klZTr(AJW3uYzQYeQwm!k9F0FbpYuDzPAiDsCz$|tOl(VkKl+EvOmWO42RFwRS1 z$<5O`aKC>R!d2&WY(LYB6dB7ghI#WAh*wrl4}wvp?8DI+&J1bs4IE;nnmr%iSP59` z+jxT*8Q~MC8&n7$tpGyHdy=Jr>r}`#@E^#yM{oLb&ST!L2E}Q4vKT1}%6>>TR;ntr zbFfK$2_iY`_K(xY08W2cyyVlgm}t+=h_t0SDo$Gj)?y*}`9Uwye*Oq5^!?h!Ky6uy zI${oSi$DSU1B?)e93xQ}Jz7qQ;xgp2y`Z9$8!PbYhYhf4C}MJSEY88cRP4!D(hd36 zw1jia)7&JJ)ud#w3fa=bSt~Azrhk9(1D*QVx9wko4&u@j#OsW<`f6oGL?hA$iFHc% zICl!_j98rfE9+5t7XxWHDF()cP;d{<2F(igJ&c^dYCFiP*PNuMNnrXB7+Hr^90;A6NQ5}|jeMnh78}$l@&qm3cm)p_R-SZyJg7= ze9*uLeMXw_s{TrDjyN8;4QQeiCQs+6$4Tj!Xbn@92sA+x`W82+Sq)34P&LW3N1<`yL? 
zwlv5Im4qiB4lg2+K#7J1QA>u249!G$;4c_~lS7^x$oO?HGB_R~iN@@|u7R!SFX?H8 zrB4tD-8YTGn}?kHH$HD>&uzeU+@WvTpywu#^=yGmb&1#FMBwo6nNc`gdOS>onn^>G zQd$js6QR+(LvscV#0OFo-K1qY6FLhxe2s$)-nb%!GL`ptnHxIu0mbX|jvZjDZL0XMvoFj{ZEv2o-38#*;-f{*Fdmbc@8@yGE^Qx-y12Q0o;Ln?(oHH zGdN{uh2(XJMC z_}f?Ml3~N-b}_Wt>yY{}NUQ2)KU$S1@9f&k%KV)z+lH>iWKyrAfBwj- zZ7?agisI@TANGpt^`^%;+4HMNZ9u4U-Sx`nvWx^}{idf1GK+pgK{N|j4{VyL+f(6B zxZ3X+10XxJy6qNKH)ZAR*>e(i^UaPwhVN72wcg`|PI1c`WLDGS(rae-bn=s%GdL{Q z2f3eJ6xV%&C4%pB%HeO`%Uz*w@^$k>y^I$R_Jq;>okK4+B{*L^RhX@1`J}X3O>cwO z;Op>iDf>AVT8?K26lkvEZT8qIJ1@S1T~dGEBB~$uPq$e`di3GMaX+Xu{U+}`6ICv! z&(EOI+=n>F)iz%)`@N8Wt>^7az)Y+unA$eBbwjT%!1oa5z2U%~B1;?>74LJ1?Qq?7 z^Xu>)NZHl$nxtmqaC4A&?5YXuPyC!b3*KzQbJ^w6vqviM?)?*u2W&r{dRx_y>ug!v zOKTW!BKSPx-gW3jyei-9u-l%z{(M4fo_c>otX{vxFpu`U3sie1{c0FGB&cd}D_0r9 zxoUQ8d44)O_f*IEI;tq%+H=)<#tEPHG#g~=UevW~e!n29#ucpe-tX;JxBGU^b)M|R zm#j5oeBPY>E&z0VvU%=9f6ks?do{c^Zli_cOl^9nzuMYu^Q3&;x37=<1`& zx?X$c@CpVc@e*Xmtn4XFV8qM>PMF5S!5MUi}I(gQY zu`~tp8$tt*6yKxkSib^1#M`$gUWlmCE~ZGA{0id51@mq6jjbCuOfrT>gnNA0SwDV2 zvf0KZ*5z=G%#r*-;j-Aa6tinujk6SFol+Cd zj@sRe2!B!isu12+NOgrZ#5I8Q(u$hvAA0cq8zt_iY**;OBFG3QM%#VpyyDTC$Szo# z7e%d%M-2`=7h4ZKab#UL$YP&(p0K9fS?2!9VSdJ6SUcDB;}F$wddW zsHuiz?UA={5F*o5Nh9NKVAjeM@?rYn5$l*J6QvRyg0_We`T32|)rU#_2|Z|4Y!_u4 zui`mFk5nA3jkQo5M(*$PkQk^ON`SKGL@+SdyCfWB$GF|6_ zZUgw_h_Y3!s1*WcXZpbrm)u89scyQ^}Addm4fJT8`Q*& zS_=h<8!3qkJNu~+me#4t1~(?Up3Cf zTFJR?@S%i}pT)V%|5k;zfWnUc5}l<&15HW1Z2&<=pk!DapJpMTfYm9D7am5DpK9Cq zj%>l|B@PGfE)duG>jq&4isVuPDQ_ByQD7NBY~OdG;XVQey8MOl9X0fM`x(bqwdp zqoYMgRK`YL#NQ6Cc4+x1DI%)@n%CQZ!cVu{HU$-84>c(E!Z=L@gLWt+*=t3c2r6NN zLOMEuv_ApIv`Z7GRk5Vg$?qPNmR+Dz5L30=Sqt_Z+kPVB|I0M+j#5WWYSUh+k%(q6 z=22PU_VlBK+iV^;+6b3tmUe-ZM5U--7}+^oqG_X1fQPvF?8Jd|LMmv^$Qfc(QD%3dEgcvrZ0fr$ltm$24DRw8@zzpN^MpI?YCq?l-e?<@N!*_3dNp?Fp1nootBEWCG)jh(GuCTY?-`lvXzPFTk#tLS$ZFO<-sd}N2?>_xX zpYq&`dLzN%bJ;!J2BW^+4OioR5c7?3EbeCVY!p-5cBmw%?l_Uo?_M_3xxH43{btQ0b_1@JV5D%$s@b{k~{h z)xP)o3`9tMo{HYm&Rlz|F>Kx@SAV2&6$p>{R+P1UU}M^Ct5oqP-^QA!QWHH+{3xb> 
zvir7n9sh3b$anY>0&H2{b3^#Hyf+fL-I**7X{C;SYH8n|d+L^7*Y`8k%f7bW$y+GB zPiY%CZF#3>Igi0wI&XI$SkiQ~^+RsBc6pk6&sXy@J)cCfbJ>4o0@}N3*1|p~Q_H*W zXH$o_e6F$HFCG_L_ePiT-`ltG@g03zNMJwmhOO&QEyADp&Nii<02Zwx?+anemA+Gx znZFMpo2Zwfc5SY0ZYE_IHXJe&qj*GyA9AyyCrGz_Rq-{i^lW<247OaFX`p zZ8!JKG5{}XYGi6@kMC*BTUBE{Ij^>8Q*L&MSDTDRnl7cELUVs%Wnl}N30H@*5Yhz*9;gkWMqh!kuYzJ# z#4n=q#VEeGs0w1UrJ3FchZ}B4tirVy?WC3nYjo)hoUt)TVpz;j(zp&5L_ij36oe>h z1Ya^jG$<&}JAj#x=Ls&wu*IZ6EP$vW=Kbh9i!ZTW_gJ1HmT8Tjs&V+SkE|g9tFa6h zA)FfJ=hdiupAt)tEK_1LkE=3ZonGBQ(o5}bLC){sjydfr(O7+phblY)E#WeUPZzmr z6fH*vqVt%?oQQ6|VwKSGBQ8IQzR9k!xHw1~C&Nh^g{ClIiIGg|qD8I;iVHjH^MWJ# zIIRdB#4CpKbWnKmxDDR^a5A0E6vD}~w%O$uc=l(^QtUSkvO+$s zSexT@bA;YMs^(LvG$7cr&slZH-wc%+@HNR)uvytMbLZ1(JP>2O>P^w-XM&egUK1y$ObHgvbf=-za zEtPzhG=Gde4?8qEQL|Tz7Qev8Bd&IqbuAYXs|HmZUoxI<4w!$Lls5VO&qL1dzz&3D^~KJN>29 zb^w0?xCZfd4ETPK#{GcuQ2q*x!o(-0&)MTans(mqUN;|`Pn}nNTH9@& z`}MQIPYcg&-hQSFx7uj{(aGFPeF6YpG2&bHNfKWa16A8#&qHH7~J z1YB|4EyFtP_ywG}4_7cf)0kd&eqyJeod^YQOl4%X8?}G6ViZSr)x~W%WM|6q0VH`k z`|-Ii9I@-|cJExL?tR<#v;V#0f9lt(skvhzYHD?PBYgOjeSWOIEdivVJh%T4lnx)` zf@bVfr?TJS7b*@2B@OkzG^mgzb zV|1^1+1?+XZ$Xy>>iTOvFPb*3VYl&o48N;4Fd$ZXyCtXioM7*!AnS@*ZL`&Yr(1v) zzwNu=W%L&k;J1Yu_5SMgSW2v`=Hq-lJsFGOu^HFK&a2S#hJ}H(smp8^L~ME$!h?e8 zcu%RymQP0;aF*Rh?od|um4}E9xLI_+zJ5#OrC&Skng?+0h0d!kcXxgr#8Ax5cq|h5 z?q{w(4u&gLXZhavMDujb3cPVu>uGXcCSV}A@1`vMIbRPAH2r)DjAw9nSQ;1GaJnI@ z-gLTem*emDc+vK_txvX`=HoeD;U@4fi@ZeV-;v|B1+KH>RQo_We+GqCTGHI6Z@A3C z0$%GQuSIoUf}5|oyq5{K;cP3HmOH%Cdu4Gt*?o5#uXUR33Xece>=`P*g7^9m6Hnq0 zVF_?s+BIJqzb=WVX1kdjXdoE8YR1Q5`#hTH8-cBGZ}w2fq=(df>zh z5QCX799SYxR{g(6ETaNEd#t&r;l2_le1*V|@h`wr^0e;<86>g{>KYFzdvY5vx>flR zfUp#M7Kll5S`{x|4mLC3;FEybV_)KS8pVD_Wzr_eA0{n551}6T=`b|posT*Hmxn!l z0j%jmQ1#gzN!Cze>?ec{YphJuT;t!obG!Uxtny9f;%DWWbyu830Vdi;DVGH_3;9A& zdv^4G)Mn#h=m7B}UMz6=X8DVQa%Bg(XxU|RO@Oc%+bms5nOXCiGYVEyJ?GRXy}<0k$xlxo&wv$^_cS=L!~Z39&ksAm5`*5iXR4Pq8Y|Ab7_v$OdW^ zr3|e~H`L^b{5C~%xh9t6e~?;a*8}AsWXMJ`&bbaJ{*5;2klM0}ZVo{m__t_PtLGaf zE7kglA~RYqMCce+JggLGpJUXVl8%F3y0D}owg}^$-6u*L^dX{p92g-f&CnRL{!%;> 
z{wwCK6aLGdvLW2(B2Pjc&Inp`C@1n~Qc{&VRxW`60-M=LlB9w0;!}UqieDm1todvy zyLsfV<%m08k?}nZYNEI#a(7hTTulu^jVAp_*gkwcrcUTXa@c>{K_b>EWRS0ax35_R zY*C&p%ZAH@#>`Go%2k=X7A~G7Ii_a(PX*085K@DR>`y17aWg| zytO0IKqfG!tO7p%v*0cKP72$nXI38Uki+K3*-JywvmtTHB_(zzU8V%%Op|DdheEM^`_Loj<(ccH(o}~6{&UBSF}bD`^y`Gf;?rf%_+Q2MaG$A6mElY z_8N4|2*=XLIWsB9GhmKZ!1otNBx;YiYFogpCxoPyL6dX6a87Y5O&(45JS|ZZzN$|p zhAp^j%T+8jbdfwS@9)1jCGmwt)&8LjLHa%!!ktivP!mxP6=y;b+9Dw}R!1vgl-we@ zeK3fG8L0= z53XVg3sh_4mKaO1DBwF6gkS^9LJCnyD&{fG_^HaJg(V|C?kWn@dp=3zEPh$2$r6=$qW7%hm7JGL(#?xVO6t#A{nLiG|V%D>(VfGNBJQq)meJ~l2YJtq=_4jBjd#u!|s_XvpEFrFp_Z;;N+ zvaX|o6!MjL+R)z1r(QsFCLU7L*&`XrH$?17wq3j#Cd7JS^`Bqj;%hcC?Tfq7WX8N1 za`2XdRK-wHlMZPmuw8MZXoMU}2*K4@sb=@s8AmjF{wrnyUsm>bkq-U;yg(739}Kui z5=h^xUH+YkuWbybuT@_NhKVkhZ{azEm=cU!{zmBqv6l7?F|-d;_z%a^>gRFr@2rl? z(e%oN<`w6rLj1MQW=FtEm+$_mtBss@%WPOXJ#d5Md_nJPs;~V?cfHMt+x1CpF(9gg z4(_)mk^8K}u(FTWY3Rz+R^>SF&C236i~Zb2_3PU^B;6ZhmYla|XE9*ykFLu*bS{tm z)s+^52fTUa{m2G50I&n&(yfG`@%gzh%_khw{<$vOzMIimhjB_%dDDB){>r)ddXD#6 zd|mPMIF6`9Utwc6_vJcv~s+vCA+dWa&vkOKZ9z^VNuww_Im2xe$ldoS8d%e`nvrF_%5=}*k5Sn_<+Zo zbugDQHUBH(=aDa(MB6Ii5KA_mpfA;AJlbR>(PTx|Q~12)NtsKA#FdK*{Z+s;RL zQp-(4@YTj(*L7jQFHH)YO`FA0Z=eP6w6bA%&{6koaBJGDZjJ9ZaBj6eZO-;vW4-ho z1Ci3cJ;;b(-ip=n2_KdO=w3ArJ}IbfI26-GYkzL+yKp#s|IFZp@jR0GIJ({Jc3gcY z_+B$F{@g!HTUl2+oZ`QmsCw>h{r+3nIX}fm+wyg(N9ybFl1<dj=JZ(Jz$oX~k|a%9(LczWWv?osQL3I)m2uX;@Jr6z|Gbnoh1LB;Mz(h*U*>n_DEThXmg1PzP zj-VR_b443XoiOlR)@6#Ak(cJ|SS5A1Yh+}+32&=elb%0H*kYASR12Ia5JW|_aUWJx zsWBc{$e1@rU^`a^UxinbI#h!!j7Zc*l#y9)W(AP(!3UvdCiNAv{|$g?R_&xPO&-W& zEKWKE+p_5};$jMS_RG~-Q*C=gmnxSY?*=8)oGj!(z?E~tmm;~B1~vw5kzy`# zaMg?(=vrcgRmPR4OBaTE>T(}K-o_YgI<;R4dogx?7yXnn`>|Y==*|0D2*xgh!A0}$o0A>4is)jS#z^N*w=&jyZVQ)3$Apw$N7eTQJ4TAOt zou6NyvG{Z#$S+crwP)co{x}i08QcMPxvXQU{5an07d=nq#6yimE(l5$^2CJ{wG081 zX+0XGMitFW*T{!0=|iEKWN3OQ?^89z?odfJ!cO;H4ssVh*OyIZClJB12V*MBZ+qm(u=!<^zk?jyMg(H*3fz}a3G(AaFDP6Y5?v`aE~}s!Zz0@Jr&3lhP|JvZ$!33gEqyJ_rFs?7UPt{BYcX zghbDCy0J^1iyd=pTD=2l;`Des?kH;M_}I<-iK8rLzbBsH>%^oXkW^q;!Gjhtf7FxD z$}AR#naA?Z6nu 
zA$ihJrjz7TpeQgCI0N(n68-u42MMNVrdk2$Smb%jju`>RINesj#R+w)?V1b9D-HY#YEnEkQS8Xxs~iq)Ov z`;0I30V9{e_YS9T>T#Ig?0ez|yX@`JeLnq8>1FV`q0x8ujQjAj>9z6=w7b>wI=gk% zQf|Z1SGjb8>nJ9!?Cwd~)?+s=O&3qr?4`U@3ib)jfLa@x7_}h1I$L z8G+a6*$`pfBr;o9moxBdYETWizN+dvc$xtJ;SDkpXWIAOIs29KJxsuqVZ*F>{2jpc zsAOHPMgV-#y99XZtpn`0v+ITVDdNS$#_72!y4F)G$rKM+TT9pSMZZe~ zz5CvRdwEZ=SDnM{D3{%YXYZ@r)#k^%MtgVCh*dqj8~-ugby(~9)mOvg>^wzx8?3F3 z%jLD2+b%aC{qliN(_!7X+jG5F%GUXy_Xus+>S@J+X0p}bP{q}X!26CnGhLU)t_6*}XS|(=c+u;?}xnf9x=HoH%5TMu0p7yBm0sOrTM9RJ= z0L!`s+8TMG0Z$M1J@(gCfri3y7CjEMB8s%RdTYK3-{2elS$R(o9Er9lY%E4x5O@t- z(oA{F=COjSu`%qyaR;veFC>~tYgr>@9@ExhfjA7?*mJ<9iB1&9eSo&%I6-T5`YvPi zpd)N$CThNbNH1|)Y_j6y%4Y7sOD;bMxkNi1>NrK);U6(P5j++VP48St8B`nk?Wf3G7X6qi z9CI5}6xlHy+|yAn!2XJ4;ks2Cze=145n9yBPl#P}0SlZsF%@@F<;oI_9(Q6K{{?kB zO^w?5@o*d0g1q>ZfzT*fxQstPFwN(H9$)>=l7adwXD;uk?Rq0M5Ly#E23xL-MY_`N z-Wk-bSv2iz)ik+Wvd2cH2-uO-`P_mlN+51&lM?EACBGQK6Fh~qWmrP0R47De^bZ8P zqeBh+M&k`4o)zfgg#tmun`hWHKtM%KW`9UH<$I_V<%ecr!W8PtseGdE2YlLN7tUwd zV#E1!NCe(ZYBSsReC2G?-SV73@<8ty5U~yQaLk~MI5`G_iY@4R4O2spm zIau@);}&X}quahns6(RkMv$(xzKc{&$1RYiJ}tb*+r70gQZxRLlfdYDMiIHg!WVGSe4&{LlBSqoIpDf5YAL`=Dzbpm8##R!3&`lWMLT^o?pELUZ zV>}yf)RwqV`7AjKeL%%qUm+T>VjX@oFQeWpy@(Im#bFh0;@PeC@sQfERohd;#}iUz!@ z)OVyzJ=9jEY`5*N4n#t~BP|Rf5;FOrBf~7z#c9$=;iIGScUPA7lS& zC+>vlsyvHya7*`6stvO6)omo>I={r1GX&Fn(-0O#i8!-U4!YFXmUq4CED@Q)QCJDCWBIjC#7|jSW;)3ko25AVhS>T}+sS4&}ak5D7CXc*S z2z>hl>%2G(5d!L>O>-YgtWl`FEq}Ulwc7OpFVx^oTaPnKzc!5)+Qe5$Y$NJ?sP;H$ zue4AL)^VzR*8h#yZC<1_19S;sDkpFk2kRSqafSg)7$Cr03Cv)Lpq%c1Kt|tVzy$FQ zVC3PnSdH1+_I>g5nB(kmw(&Ts%6*;VHh0-}W7m5xpWAiK+s5UK+2g!u_LBgQ=IZ4@ zqd8U0mW9J%i^i9y7#wJ}E;r${pE7r09nFn1Ews&PScx`So{4{brJULQ+_&MjQLD&D@%dR}oW=WM5I+T5qP;&2T-6H;Rb zaGiV=W^sVXdc1!xeb0`)r+qH>TBT^hy~7)Pyyxf5 zL(k=mzc{aN2*G^Lg+vt9tnsE5bK2I$hkEV$o9opWS6#>d;+y!MzF}AGBLp(p*Pw#F z`w8#bTG>60+iP`DSL^i6oulFLmfO2#szb=t%O2 z`PKRTF90j}n zZf02q($yZx;#}RVk39uXz0rPs*Y0d1xeWokW52mB#Yl+q*EjE|oA*as93XAHkwZNA zDhGb_-}`n&eg!aa6!P!E3#w|to&&D>UJy6a8-~5grlS*cRh7j+eqgl!JT4Pnl`ZiQ 
zqd94VMCBAc74=#`2|9d}ubpDsYyniZKZEWJ4;6F zuUJPf0Oeg~O?e3;HYaGs9!RVy1FqtgFjBmpItF$2L=FzIhw?9W;fLroyfNF=4wu?< z-26XP+Qmn0hV2jCu0{k#CH` z{h{-fsGa#`C&~KS6ex)`n&o@W&BacN0}@D|XTl`wOt`Y`Cr0=eYlI0sNM@NqHVB9o zm7(QoGEf(Vr}uGC$iP~Y02e)}V>zK3OAmlC#_Q-d6Z{Eqs(E;2xpRuWBfA2S00kql zPiDcxo>&qVcZU=)CGEnX$BnonGZ0kpU!iH*JN1(Fo8w}dfi4BPf|AOX19^OYV3LHc zp9Pj-e+|GmNfM{R(iG^U=2W@_(axb}3GV}c(xB=LPBLB;fi-3vbNnm6ne_2q2qIs!VmK?JLA8F{RF|L|YD5zI$&{YAx0`d$`NJlN z64ihVmg;rW>*sAzbOPce@bt^po7+Z656J*%YmMP!`Dyy++wl7~-IoE3&q8_wQze-; z_N!wysJ9MZ8Z^quQ|Oag@YF5UEJsIi$uy~zoqC?>(v#O&v|-ZDWyVZr23?NB6NYX@ z0;~AT52s!V8<$xV*5}-^dH>6GAsG$9g?bfX-06>hVTYiZ32vK}n{feiA5P*Au>3fi zd47iXi5kehe6VqFB`s7UzOd%P6v#%?P$7omO z!TQCWVXOu%Gp(|#I;=X3U;iz|Ps6y0t2+Egcmwe^Q=I^xaBzZxoLhq>u8%*#NL&(U zhzf;eAdKeV&b9BO^tp}eQq$v0_||<5OgcA5!wE2~<2pMmbnKxA`3JC})a-l6*FLQ|NVjHvUr2I78dT}Q^mmT0l`^a z+hb1Cb`s0`Ez0rAd!MGM-8#_H)cWPapuXa}I+@_0>R8Y55{4r4b8P;6gZcfz5aG^s z<5W)W>iNN9B%l@cPa%@SDc@)a&TIJf>=)KdWnwXd7Hi^G(tx@V@Em z)udZzZ;)WC{aUMdJ8H}O1`nWBco+44Qjb&ZeSCgI5cLyLs{8S@9a3jrS4(=M<_u>T z-~Flo#GVFEzSF}0BZK>D64iDs*KQtB`KXSKA>(mxl{F>WWv2R#3IZEc&`>dHou20R7Gm zP{G2%kM2(?h54XUivPq`T{zB0GIEk0nY@upW49Y)cftO)Z1y4jZyy~ z)~-7}RBh&Q$;1PU4||VfJyKNdR99q9+59l-NU~xyx%jrW1UrD#nWWx#P1*y@4NNt8 zt@#}GC=<7L&M7G2mjCpw@29py1(fbWS)U=j35#zlwU9A)8jQFImE;%rzd4@uV|eck zJwlpCo8hFeQ_9h=S4*m_OL1pu3p53gtS@eKx2A@jzkXon61dV%w6)j^)Rn3d6u6~e zVyoRZGEv82fo+sMzCJUGf|X~?1}@xo`K+I!jea0;O6vN2HGS(s?PJ*RYUkvHdzOwr9(20i_R{A zt_9e4;!4E}(_z-lH`FdfrSAH#;WS$6!#MjCoM}u-E*p2ucH{ z_%FWFXkTF6h*>oPRa60g)&V(5>#zmuNDDgb7uYIsXc^tRNdk%DLP&xbp6KJZ`-$Sm zFREA;s9+=VBI{Ng|9#IQ9OodJIa@A=)=B;uuxn-M8liV5OV%WnA_aZX!@Cv+17S%B zxK?tQrXyxA29c07adCB;bf)`O6I13PGSZMavOaSpuZ?+%qWNc7uw;breQ9Kp(V+oI zE6sU4f_QC{IesH^VKnB^JH||SN%Okw0Bp7(vv(w_pfc6dgF!DAt#P6MA?llh;|$-f z8>eAo+qSVu8rybbcN?>DW81d5VUskrZQI6v`MvnwnVoBP=K1fLXXd)kxepMqcKh;r zIVn+xXhwA_w_(LA?wt_|eVo^x`I`WU52yv*%K*w*K3<&3rAea)gk7_@;DwC>y)aXz<66x<7JtaZ}}MXX~wyQ zgbO%VHV85cH)3Rbc98)#T)Wf!B8wGl$($McyvwTPl`*5c-qzm|;oYQXfJThZE^Mf; 
z$2+9s{=?O#b7P7AF+b#0L@1+eMC|6|V52ODgp-h6;DT?p2`$FrnHz+soqA9*LXn54 zX(%YrWs~xV$)P^|#rM)*86^GSS<|9%Ik1%$-~xKovh@`e!aW7-bu1DfY@a2E?+|{( z^kPI=fNZSiwMSc|6nM-qd}u={A^uovWYP!#q83#(CiC z8bH53O#MBKsPI#irkxy``^UTpdZ@^`H=DU>Vsisg+{=>%bK8arY7yto>wDT&M4$&b z=?knLljXFxJt0m{uq5BJ? z1O*K}c*a^-T9?nr6o3pVFi;^%ZDz_f4~4pD<%d+;3YCA99C1gYQKmr#u2S+cK1E5! zS&3s#H^k>=5-T{ai}M+rCmun6QT*Y<29*T5E|p4Goo6O{V6`qu?@#9`9Qlb21f+Y`9<%^iG1aW|IeUgV=*a&r6 z-TeXA^Apy1DU8NG7hZ`=28zS1}`928&fO?9m7I=A1nRNfle{OmmWv=Lb z@VM&dd^XFF-LC%*sCj=L;CUl1mb!ZQJ+*TAv?=)b5XUg#yIYVmA$*!n;J8tfE?^lj zW^}M%e%bw0yNbWLetH+B1+(e3Jv07$8WeTowTN_Kc==8faoF`*`Pz4JdR=qDwE4VU zKfveI-u7>=LrBwz-KWN5P3hz|f+VLP>!lAhnUV0RfGgXhX&~=m22RkyASu=B%}0u) zu4lk@!tb<+qHnhAaZ7FR!ucfo0$D2TwZr*LLC5Y`=Q1B1d=`b1#p(#!D%)>fK6|!j z5jKt4JD7aGp}`qnc}l$F7|s4>=o6CWX9+@_tXo>u(tEr*uZDd(4_`g^c+EL-GurTU ze#tRh-U*OKQ)axJm_?~P?UP} ztn++~>f=4$w|o8b)q{rbvT1kuQt9vH*bw2U_dcl|J{y#u-b$EZ)C?v-kp|a-^$u6HzzOp$%*jK{_WJSK4!bF$*J>qI^Zq+-K{O@RA&w zr#Fml-oZ~f9Mq?gK@1`~ECy)i2hx1U-kQm#54Hv|zFw3H2H_`(>0ZOh=*81?$~LXD zUSsk(^Tjb`tpA+(D=FTV`OB8x{+OD^(%(7bByLx}eq9dr)pW&{+B$t)Te&9X^j{xZ z2J)|SG5^$37{;QYBr?lFWpRR*RRg&-rSYnQW_0gMvpCB<$HvF{6A*#fAd66FIIrl4*JsY(=ss?7*aQcva{q? ziPCuLk1e{;<{OwA2SR|v)(ia4sWA7ZQ%vaVUkVeVGesmwQ-+6<=#yx%gZ?Nj>$;BN z(9K;GqGg{>LkyCo02_r>o%xlSVitS&r{>^<3Is&sRhsEF1-$jg zauu11iXh>kJ7>j+H7)=#Qq1^k0j z<`Nrr;y0xnFh&Vol|X~zlg>Np^?3zYr*!|I2DXv)eG@1nKwN_D&I4a4GsnGB`&FZg zT*dU)d+g3C`Up?YpSe+$c{g((R^-j*^)DKkv6!7pPzg-G;CYt#2 zZNvgQO$$aM&*Y0qaQ0l$DNZ9(uRYCM<1}Gs?y6!34(Hi68DnNx9Vpe|oD611JdGvB zWgKwI3t@fAYh2;-un$+MBt-g^Ekf9g@&uN}flDkY>d_C3lBY-v!zcfezATnm=%RgJ zm<{;G!!Yf2Qs&dY?Fle>#7Iq}-tLYuwmRP>bDA%;+ z@+m6dEIJ;&<#c}<*h%=ogIjgk7S~v+rS~2PljdoxW8?}t#vCs!$%e-6hglymbnI^C? 
zjx4A#UvLk`#hTxyL(a8+73WMKDnw)xFE`Aer(OIqEu#*6CDkc%Dj$*AnNpO8?4(-c zKod|#%g);BQ!L9W%l|F@tP|+S^)lLdDiIi$ZizoDHhb3T9T@XGxAVs*8ODUZ`x#?K9p5rJ|0)G|OF{Au2921{Opt zfRv}%JV%ccF3DK2Y&QcFWCLq+qAO`XkgirfMR}9~o$c_eD$O(xk2D=3|9{4d5!<(P z$^Ve?pRY}F;P9=adCbPv=JVED6b;t$8#F~%B$(9i6hPYn|AZQz#~EhA3*qMi2K}s1 zauatDu+=+k#~D2P(LUz;c>aElb!hnL@1ffTdYY-((&~Pn0lArsbpkxfJtq|U48~ho zdT@yRPU$Acz;_2E)WX`HR4t&r{#TS_y~p5$h0dF(g*1VUTeF)1x11N+?mZ6+#|QR| z)(R~^XMcGmXqr2w<7TKmro;1TWgG2@shy|(m8tGh^cOSl(MMm*QokX1=#mYP-2jFu zaq#^2?CCytenHU_>O~Y}_r`g3^(lq>q!4O0v^Emf>~4SMJX@&&g^|wR*QnRw4F7Ge zUypCU9})t!JZ2vs#eI|3_S9d7+=O4|e?Bt1%=WS9yUpb&8rlp>-5nqt);!^Ab?;mi zsr_4UBVO$&#u@Ztyd99eMo9ZCes-+T0RzFqj1LpYkG?iPw)J2IoDg&E7?g; zr3}j;k`2f8`;QB)F4vV|Ke0)HPhquF*j4i&N|l|*BQW%RFlq?v*F>T3#D(W=bp!Kr z5sGKT`RwLln_S8V>H8E!)#>8&2HT-ymY~DOjhv4vUt`f*W$miPsl)SKjAp-)!2m?C zdxlS&(zqdk@8wi)up1$x z8xVcpc(&i!m(q!uiN)2 zvErqBy!6)3^`DSi_iMy^&8v@F)T~=)al=#eX^zVwMatqMMb$iN+hu`m>f(lhuR*Bp zj|IzXzc>LfT(QL)m;leH$Ip(N?Rv_u5u#4|by9q1S$jL-h_flv+XMV8^}d<;uVvD2 z=7$8+w^?WY z1Wv-SYTEyk9jECxB-<lHF6HszG@N3=Xf7)HbEOmsS48U5+eC-OpUZrIFibCP}Ka&`^$hY?E^R;v+k^ z)MG{|QdDSJOV>a|c~qMZG`2~Hz~M;E2_P&qd5mJj#{II>`nGtR!#TGPTlu?b2W8ld zKe#$)s)L;Br-%4&)&*Jh3~fTrT*E2*zOPnD(G@Uc1ZvFs3O^(eaU0C!M!LAy+gn(!J>CO34`cTtx0v)5;kr4)`nY zS?jr(?C*TKy5Ug21iE6)=f#{_Do%+f`&2ChUnt2fdMzfHU-@x% ztY{;!J`GLa<6FPfOp2@jWFtnrTju>Y9e?MSFtzk^tBq?Y+TU&p^Td@asUN0nS6*`C zPYz{1FxafFG)1YFXoV1HvUI|I>y+3G1%lwxHnNH(-)j_<`XVc#A=;)ngkPGq=)`Po zD=y2r&+TureWx0!K7v~~EH69uO~I(Nu>v_S3DL{WPo4o`4yrJH-C-e=PS#PeJW$pl zwNSjSj2(8DqD;1>z$N!a{1`W(miO#$+v%WhG9t&1lpDye_3*}|d+;TtAe%S6~!o!_+u}3|VPd-uVUuvobvN1*tEEJ}n<2RzJ+m)xI9496e$(hk{ zkfmd-R-Q76nF^S!pWQB)^)ybyVM$fFNOI0AD0A@{o3{TTsO5o1unR(>NIi=l*_?X@ z_$`9%O(wwBG2v%Z8iFGOrJ~CVt1t|R&RMWJrSawzF-5Eu7SJR7Eo z4)55u<^Ql}RO@j;q@WigDjPq%TClbBzGQ_{nZr5`mb_j=yqD&)T;lv z6}R9SbErL*{`*SlvfWWXlbo9T%P@jhMaaqo#AA!7+Cqizj z7p(Hs2aW2|p;_1(kH~`Mb5m`*r1#;wMSmG%Pf_u!;#1)hT!(m$lp{pvvhFJKm5LF8 zJjgA%{$i2|n&@AlRX9ZGu!qd36<}25Cc^Ny#&{Vz?K0!kV 
zcnqX4&II}K-4qc43O?iw{UeY${NwvJEl1Wc@B8PqcB&kzhfN*Sy`CHXoX+pF4>#=-*{!rNS%EYgA8^_k(iNI-;CFgbTyvpK`1hCaQh?>ST3P0iC z+jvt2=lIjbw@N@u`$Wt#)Q4H{K6b6zjS&A_2+nZ(VoTGlRpz8E@DcQI*C*V16>_Kq z-hX}d^}KCPB8ma{gP>cS%@l#ItMyCqD?NcVx4(L}>$RP&JLb2JUbXf6 z>F0bc#2xblDGq&=FP~jrmo%HeMPC@JcPU#QSw|+9rvw@Ymr0rSD3%<7ZaS0GZqLsm zSz^~a-^<~aH7TOD*NR`2B+6?u&5i4_QX@2i34#weB%L?c9t4if#|#Brlfv$wD;2zX z3V^?U{&1Wddj@O{J<)$qteEJ$Eo6Z?;-0Y?2Vvx05fHZl6JTtxXb~@H>jq7N3wyzD z25}d#3~Ww3d`p(v&ms)U<2N3C2h#J=>FWPY3COk~1$kzWkbMn2N3oNy)JSLNWyYi& zA88TeL#YblF{W=*#yc)BT!OP|fw>OBl7QaP*8N3@r%AF`DpO6^icAf0D$P70jlOp3 z>du`emX}M?llV`UHML>n2jUc0MFgtIj0A#oG7B<+Oc^y9S2uJCe?nW56e8vMoUO9v zT;uWW)rnbTvXI!t9h{YA>4*qV^Po&>CTjx3!7`h`wdk<)NPhYxJf5QHetOoJ3oU(2 zt5sGha=Lc29IhejoK4uj+&xGufi$9(c#HH-XO3Y_Izfe#XGs-YX*@2702k0E;nS`r zo+WVBxtZPSXPIl^b+VR>&Tb|2o@c?>;w=fb>i%${lu8)NHW^<^cu1Rs`B4XyXp^J{ zS)ybpz8T|uooKe3tY)=j6M?t!FbKtQMC3cFZ6a%!3!$cI?NW4uDSpjQb)Cw({SZKW z>X>qnH)fL*XSxK?STy}0P`A0{x(@G7gOu$$ivKu$sx>gLoF{93HU=wJeo)9ek$hF3 zKkk9H*^%L@wIE)$fl+i^e>Ar+oh-RgSXr@UCv#RZOFyajyM|m#lxSL1U{I3SAme9P zc2Bj2SC&ms5))?@**{#30ec2TSba@)E>auJH`tZlwnA=Gc>XAwax#2Ne)VZatv(qF zjH0TzX|}++e9Lw_=H*GG6)|1$(rs~7SSV6*sUpTS85+H>DTIjx%lb^XsJcd$?XkK} zA4*R=hu|d{1M(G))nM@FF>ShK$`9KD^jrbv{ruMOM)6}KRZ8ArS*!ECm#s`FzV;y` za}o}5ImFAhd{WUUV*bWZsPhV4SXczQ#i?vI7LXyaq7x3s9^VMVMEKF3-(hAYY8L_N&YZ-P;BLf8K_&sAvjSunSd&!};Q$u*Nn zA|8IR9c`7mPci9|cD^2_pvimvfiOLwVOTxkBA1FWF{DtiQ?IBa{RqO>TG?Sn7JIS? 
zs7j#<99QQmNw5w&)$0r(4JBl1lj*iiC^Cssd{JFcR$1Ly54f1?Gb6?=U!J?O%v21X zoB+p3qCW;7g6BSkWiS{MKaSzIqMWOB>&`u?(A4Gr)#}oDn+RHfaL0C&T9GUbVi&i2 zIP<@-`pddfRMb6B{7&zxnnKf|Q^rpU=!Iocs7H#oKkA38gV(Za8d0&gsA4*mlzb9jv8^_24xRd1tnn&joGs0Lo9tiD*#ce6`0=}= z;xsMB+#GmZqb;Eb7lK3y8a-)s(8f3 zWWUdH``4dLT#X}bj{V<=1Y3}DMlr>IaLj@a|4UW22WtuaiDP?|G5cAA3a?nU0ZW_D zsP&&XHUy1U0Uh(1>!rIhny_hSy$9pb;x)z2`P^VsxafIe^>sji+3z^w@tcJ60EzE&481!%B&?Yalx-J#)?u-}P%(ABPR{qMTzV!%>Akhl#@p~U!MaV>WLcNQh} zbvUM(F|&=bL3CtoE9qWwX*-~^)f~|OxEM^5`g#VOoajBG@v7?X@5ceNgRi3|tFC(k z&nDp7D!eaY_}v!a9M9@69gP4af>o_a&8MadigJv%fn4>g8x1c8500d^x0a487HKc0 zkEWM)*F!U_Lft(v2h;ubET>G{GGlEq*hx4$RW&}Bb3Zn_pO2J?y^K4hnA@J}w(nmZ z8fQmK-Y&{g4uzlBngL+*pMB%>lPvdR17#_$?zh1TEWX#tP`ZweP1{eFkEr1Jj|75; zbvTrd;TN1vZT_9*0Uwgeww<*x*wG8`7p{m|%Pi-AP8kWl{HJl94U3NTqCjAO0S)*d z0o90r@O4ZWb?xop>n}}#OM%tTb|zfB=0=px>*k)I|e?^3$B;Oz<^F;0DfQ+y~?`UU3i zHWqHR^Eksly~Vmm^zc08H!|r`J`}?O@+>6jc_;j?^gkhV5in zk!WmBb@@50B;|5KBAcSxc(mhEiSKcCz3%j5_xtr5nou}Ql(EB48#BTrH~eLMLSd`@-CH7Gp^ZB#Ls5D6f&oN1-L zyhv1kaJ_cZ4b+k$vvRA91EVa0Y2n}ClWHpm9+$rcB18+*&D~`Wq*~yRGlpS)Z?xVv z{X!MM4@+AmW?HK1zP0%J6Cu3Uxm^9O-Y3kN;v1J9$eBSZ$){^ODYv#4nInGdv|n_t z7a{qCoc{|0Axi!_vEB%hE}hcM2&j@sZLT&E7pG3YDwRIy`&Ut$Y)7THWM#P5%zMBr=-w%>W3Jn@T16gw+@veKC(4-;tfq zl!W?Pp$RQmi`=%u`KwSQH(3ew=C>wFV!$8zZRNWX9s{w4dXP*BsR&AVgkd)6E08{G zM&O4$Dd>!H{-?sX$vu0R3A5lYXOPSC2xUneP1)?pGtykkzw4bVbd{EaGP5Ny`~J`& zhhb1uGjT@gsuH>RVC1joE^37r@Do5(mPQr`bJ!pwl2yMv6()@^@XEeyC=cV)>D`G$ zVO}+}o=JQyk@cUa@3GO05_^%CJzDf%aT-c>o-B2dBwXpk1C|;KCMdLbh8a$075_QT zf`*SKYL!D0_yc2VNX;hgkKNx45+nb@nU{qz8^C4~pED0mr1XC$2b+9)&z4QLS*~*8 zvox0vQtVG*y;Y1_VD5zxbZtVu=U1po4Bi>17HM!y?yu-Kn<3AWar{nX6e&z~s6M_g z6H`vQ|3km@*1C)VNq6yiT2x7B$-PVMMI(nKU}`oo8~YY7NM?#a%5@wll$*o(gur1F zva51LE6=9mk59#f#^tSP=1D#nBV{jTW$yAlsY5jmlMiD!#mwA{&S#A-<_l~5&2j9W zq!4XzZL=2Aw0Kvq0o?Sn{*Y^!csh!{4cL56(SOT1=5f@w z2s=Nl`SrvgcP{jHY)()OnhrZfv(54=^g6tlW_fVGKGw@#`-r!#a+BIMFq9FtG4wp! 
z@zd8A@?-NTBbYF9-H>fJa77Tw&YA{U5(~JtjH1%C=m~aDYuua_G|^aWdg|O{pN-fO zml0mgQiwryRzCgs zZn$iuYZSMxwB-Cl>m2sgnd+sv9y z;J6JC5z{X@8D&V_GNujOZ#*E<$CRm;Tv{|e*2RyU>aq`^s=I*eg2qp)3&P{ z+wb1t0iDO8{f$I2!g0lC@1_L;QRV5 zVbae9`KZyrFjLJnJ6ev%p?QaGP{>O~?84BG2Rw~c;Sja%GuhU@`PfH6BV|-KqKevu z!RR|c^-$T#<7+o~pRIGT+wNv)Uoo0r@eB2RFI+7JWMOz;0w)*a;4>NZnVaE(bLls= z(yjNJaLaA0OOSP4kh2k4qv@NydXV>&K){pZaz!K10s6)J`haR!eZD3vLy7Y|1_p;d zquzOZe2?Y$0H4;@^!m|fEtK9=&4SY~=NJvQGLIM8KZ>4}wl9yt-VD#Es$1fB-2~`N zjNmvNNpPqXfp;J}upkJ%xPGJ*D$yyM<+nJ$7R3=n5>MwIJOQ$LIVYh%cA6YqKoX61 zDJd3vmR*uXgf?XmjJRtMuoFL;kyN7}PNLyJcA@Y@;$8Wq!ad?!_^^I){Ds~$E)l|4 z{3;v@-o>9{1p_KFH9}+{vm7T#CgdqsT^3yndV_cjrc!qNV24au-g#+j2_Xk~y?5XG zQ=5M2aaZ&*^c2(?auuvu@5!t##TK*yGp^b$n ztZK>aPU-fGs;bQRjp>?mB!Ntwc%J;fE4&TyJ-$i9a($bP?NAokR*Y6^Xbwi5;f!YE z*3Y=3NBk%gwzAX^=x;D9O38g@xoHlTOg=&`<+mXKGe z&+jBrFeuI(nuf0M8zk)#0`iYocHrllXqHo`KN@mJE}f?aqFqqxI;|I4sgjZcia37| zBqGc^4BFGC8db;yi`GNG%4QT)u@7p|cLemeYH@NAPmSnDC(_E0W~c&Wz3!6-?}o8u zB(6#e&?1%5-~TqEHwt9^Z4?a8hqabBE>ayuj{Bg6CGRdV`TY~C%{!kbRQn*LiR^y2R&*-p+IsafYY$JIbXNV6@O#4!<@IZOFUez@? z@&h$RJNB03Bk4m)jY?PZ7E#yk<8p-L)ASqJ9sFi#5}g6w1_TGsfXO0M9WvP<{h`|y z{*Yu)L>}XEK@)_F5@g&}hVg{6V~cL7Ou=-<^(4hJ*@)&0sHzcR6>_gW7|bPzYQj2s z&ymAL^Vqe7sZblqZ8RzQDk|RQ6Yyi^qYl)sed5UWH0LIGWGqX9tp6m7SHjq_#fP zRZv=RDlE3N#w22``h>>2AxG>=u}U#@y7t1$oU;-`&mYVRtKqaNXy! 
zP)s$(M5<|T4jSb1uo94pjg^NfG?xxgyTvQD?3naYEjej2hOPPNv79f5=~N>&z_|db zF<5k1^CT%5$!EY1H|~}EJx6J=5Aq{nH+2E$CI`lzu-i_r1u*)!1cd?R0s4jv7ldxA zs(x<(QiVnXT}nd@4@pN8S%{U*n^*DKDz?cI&Sbz01#+Oe z3c3^ySCw*|aO6?Wt%$aBy0%*hvzq!r#sSNDhsu20jy>4mQYA|2w(gKrSiZGWwI@Ed z`vTM)E!OS!Vhx0hrpc)_h@^e# zoMg7Z(qb8=aJ<&JvXUxZA?BDTAinh>P>eE!3d7M{%DHn8ia#EeOiMPwxMan(Kw1f< zJ|xbL`d*zZH=|0Fk3$B7Z+%p?U^rKe@TbD?!4{|XXud|{I8>_kU6!l*1rj1r0rWg$ zbl37wqOtMT|Au;!I@uLJ-l#a-k)-VNVI zT3)nmc-c27Y#3QQSFp66mtKzX?H`0*WlVTH)sAvMU(lf%I)AwFNW%iWuAbL2zb7LA z;S6i1?-vb$8u{Rnfp){2r&Shv&$XY2>q*c3dP-zc3GH278b9Ms7Ze=193w9EZ=9a6 zZ>Kj-bJ}d`S{#_Q!tJ@VQ>Fo%*(#9*&1DHuDI-pZPclZRj5s8{Dh46A*eH zy;zPAbYE>y`&@30`}sD`{?a>dnf?*gki7Q#(GF+>JkEM;bZ-rIuYI)Ou(Y3@Ms)DK z`UgJEZ}30f>78its4nTix%+vSBjcc4yLLHsS9HG~ow{At^<5f)SVOX+TtZ(MdrEUQ_5#VKVV8`Mp!0YgeNpdsGP2_24 z5Du}vR&?jsl3RDT1NERKMw|P3XCOvUt;_2%#!c|4d2m5CD%setYk&^b4m5z~wfWJ@ zm*=&uIP(*bb!%*zvOHywupBzv-F^X+;wNF5}jj{6>$H5dCoH!>;&eC zf71Ja`p)qJFpBWO`uLH@#rUys3>G0DG?tji_*4Ff3IhW7`h8S?C|#@$`W1iAWZliD z@7YM2cy&_z#bEiOLu%=fMtJo5jI$O`N8auUS(WW94;4FqSXs2> z((apOgHw?K1C=Lj3^E zVMr=W4aypYjWC6zoQZXjNbL93u~+nz$Pmk_R184%oBxVyLNAN}vq9e3eNU{KAopDqj=JKBdw}d1_DX4F?__Y$r4l|29_{I3Zc$!zxX6hLOr? 
zw*(;C;L>y}x_n`2_Fufo^KfJwHqJ5b_v;}xcHbl>NEC&i>+0c^P1BXyrx~CSWxB*B z2aYVvRv9=KvT|CF;~M?S;V91M|6aljpG)}Prtn9D^5D49)1=rj7+1VutnoIJ9r`X`Lt5-y zU$>Gv;hdP97g#!_YkxwdN}qPOgqswG&Xec7X{NVq8npn@EZN*jV;(H9H9h- z9}fNK0?|A_5i=pQ8sdtgbiWQo^3)!p#}=cQTii>$2`2pE?>TB;PbvC5dgLad_%ehg6yy4?M;;b; z5&S1-fkKXxWjJ+B^^M>kQ}axUD89^=HO2#dsY>r|ai*BN%bpJ&GZJjaw(=8c|x(mDi$61LJl6<7vx5I4*l)O54(plaJ7TZLg6c{<-> zWp8%Arn+tVk2d->cR>@P7&o9Icefmw!adZq-Gst*y>+g$2)BR-1|rtWH+<)(BYeTt z@7zxp7bFGsfWy?NM|UTt9q~G^1vQ$?msi9M9dM#TO}FdK)q-trD2edpT!dz-f(1|Z zWy}0&|9rf_`_g*jb`@xrPr&Gx?Cu};x(XMcoI}?#d%>lZj>nxA2k+-ys|V0=V3iS3 zTJR$S*xGlO`!Qf8bI0H|KnvUB26XE8{?b9xb^G)NqVerm*L+0I_Pg*$-puK~rYT_f z`Z2__!Q*C6*ywWK@-#Eq(e?zaQup3VST%56q>3Oxv-9|M*z|yAyYVaT=`MID;+MsH z`}5@IJ%!PAw&8V;-UR4z$~*_)zS-A++VyJ&3=@F2 zne!PYABwYUjU|Nx;fBUvH`}lFE>BPqKJ_!$#PvS!*vAVv9D13W%kI0TZVxV}$khgi zzg<4HbLl##MjdxOlUcWO52!*QVc?DwTvbOejAdu*C>#&dO&S=Cx(MDnI(+ROzXI3v zcOihUb5#MiRi|KBEM7P!;0~uSQ_N>o@^kwOU{mrV5OWRY9>7k|-0=}p$NDy??CrLc z1Uc1D6w9D>BN9a}G-%scqGi93{_eoU@Y{aFwO(@W_@X&YL;O>8xTTRCRBOqgZL2YSR-t$MwiN|i?}4Oqw0PtjAEo-QInvD`s!$1; zHmPS*$jX(41K&l=msGeN(Y!6EkY-|qROG&?;?$4l5g?X+NI#lHmUV&Meagsi3$peG^@Kp%z z%vm&g_+DA;=5W#J?>{=4XoV5aiE3x);x?62=Vpc&v)XOc=C$QXvEIW|LBf<&h-A`< zHoEIAvKB=|0deJIe|gDbKKMQohLg<3;^|5lG=mK>lkPI@DKJ3E)v^1v$#Uw{HVwn# z($<){QPnmgj9GJAx{BuySS)aJOdgd92|*6~6nsi9OV*eX4g8p5GUhX(x?%-J4q?c} zIRg}Husxzk&uvA(eG8oWyPvSMKV+Dbu0^_z{t&s2v1$Jfc_Kx|&Vb2uS@p=*WmI}Z z<0Z5eCA7*lw2%``#XGsj{IehW+l&(G$M1T|%(3F9#?Mf*B9$(ZI*juEk<#iwU#^Fy zHbnFGU~hP_Tz?L+uT?KsOLS8jza2%!oJUrjm8wn@8%&~mC1v8wdQEbp5n671a{Bta zG~psj|83Lap|J0xW&UPtfPUeFu)>K@=g+ZL&5pCO>5x?r>sn0&r+ql4!7y{b*y0Fu zMtPbPe;lrkeMW<|J|lv4aNlzRlC6wsC30Qyl#5T(lz8Nei&Zo#!@uAE^rJwHk*eWi1o}>bME~eny3(Q?Odci}pa(9v4TFKJyId#Hf>!Ht zHUujriJ2s%o!6Pt7@5vu>rnC<3yx-96R$Gma1U&U-xPWet3jCGJRxvh#-OtagGZn% zBU_t!dTMKvi?qoW*3k7u!>fRzV_Nkfe+ zJv-#0om@>$>e+h${v#1cu#&;shqp3Oq?JR+ODv7_q|(H>U1;`aXcn{x=4>Pq7mdX% zTKm3@a9&9*ChqQ?l{9J_tP&?b_ov3gOgYiq^u_n3;KkVr!7z%Qk1`&DhKpMAzT-F^ z`#juQC;%Mm*XK9o_yyd< 
z23-Q5J`h_o;rAfOtG}zoQu*o*C14#1p7uODYdR3Vc`e!SiEiEg%<5S70UN!`&>CF# zD7EnIehCz^eY^^S;%Pm85NcCYyPfgYN9$mDsx5^-L? zs#k?ES78BOY>)7$0K3<%41!%=VJa@``v@$ByWSgcCIGjQ6@K0)N!xjw%lPm6cnrRe zrT@Y+y1f-Qj(u>OQ}k_G4mEWy`9J3Er=@%m>Dsg2-UeR{BYxg_2y9HVC-dJ$k6SWD z8?-(5#Cpv{n@D!pjl213xP!|r%ZD4P*Um#(&V?Tzp!^y>Sd2VPm9~qj44c@HxU%-g2uz4Y%+>OKDP^Ln2=pdqXq zQcx1?Bumwi6b5d(H4A+t1MF&d9$UIIWbK>ID>blln!x$>F2A#!t7k5q_ufg`W ze>QVId|fWSPWI-!9p^JBc6!yd45McA8lR)$WHda6p20=^WUpJyf@1_3aY4PAmSM0s z68B}h8k@&tXm#9JzPL&mI`ego(WJQ;wwc9jcHjOb|BL$Q_YjJc>4xV2aq=hU=9ZY> zM&V%wdE550{Q39jXRL|8LJm&#+j;u_^H%irxr%K?j8>MX3Dq$(9RD4yd=@@ zy4ep6Ulg7ZJ|_C@=dl`^ti8Vm7bCnS&s%S4ptfRlZF?aYBXIUFw0h+LPOszTg$i~3 zRm|(=!f}$p@kz>V_xp9j8bie;v6g{p9m#($-&>Ns%OkMy{}Rw4)N+Y?N8)8@-vR(n+jGP`5_}CxDGo6yeG=Ic?G2>#kK?tH^DFcYMqft z-k?^7P?#v`-mp-`F&|%{lGUSK(3rhG&ILMQeVETv_!*vDb&M59v{k+oYXXIP@=(SWj;|3n`TV1QOc{yf2T+Ags7oifZiF*)1R25$z8Kw| zwHjJc-^_(QVQZu*AjAqLDuc3@l1IK7jmCHg{qSH0O~r|wj+du!*Mw$Xj$DCs;&Clc z`|w7`>Th^wq%IpZkc({2YoPU?dVjJdFMkY0I2XJ?VBB#cosv>QlpU8{oohGZUyS0b z$!n5q++FG96u1OI4(<+Dgn)cFUgmcU^$G+?30{dsBLiF5nykVT*(hq1yRXcu4 zEf~WO(NzIrj`phV<)Y0GJ=w^jysoF;j#1h z&ta+JGKaXlBPHc<$4ar`a+C1=6*?Oaqo|v)&}&l^ZeXhM+_+*#;|eTB#Dsy>|{}j~+Y@9af6+`eSG|GmOwDBhX}!Ok7qt0kDGR?@i_3^JI?^p^X0>7Q^6i!V7gg|b26D@UL@ zYsXVR2T?wj^qA<&?3dME#C+*O=7z4~x?(%w_@D?c+ln~xo0@!z8Di^W*#jI8AD;Sk zm68x%J@P7T*kdHg&x?xINI#RBSR1fuu78n;Y)(UHl3!vHH8G{RyyS^ObL0E3T21V6wOF4Y~~sD~2$@P+1G1FeOJ- zIS2k;>665|l;kW%zt{hMf}$W{!Bnta#5IPZH;;J;D+Du<#yWAD_{BIjqu}a+w@Se= zVwP(AW9g)!)3ttxAKP3bNd3$e9r&GWDy|s&W=HvSZ`K7MBVy9?jh9qQR?pBh00w^h z_7v6;}#-&ky3*n2=!ZQ12!gB|o zsepQ-(uygoOncp`xE_#!DN?9RL_{Sctw)d})e`o0%s3lwj3dzF!wp|vW$r)3^JkWc z?tjqkF^Hz>8hHya7cj>8mEtPp^B+$fcnVWu3tD`}C=0BAi1pWYQidh8%6&6jZj9#y z$Ea=j`1SH;2ch#KPp|U&!6G3`Gt`o$eFGaHY;~Lfec=j4Sap-o;O61p$E4&9z5{eN z9z?l%yb@eevyd>h4Ghw(ku$?yxLw0cZlq-!@xQgL2EM4q{9JYP=vA>DZ5Q$!@YFN1 z&k^bJ?HApjS0Vr(^b!nc`P~sZ&6I0(bndLdrFdV3pC5L)k6cJyLSHl+NOfNPT^tnv zAD=PwYBev_v_D{U9t6)nzIn8lGZ4D{TYFRl6^}T23?8`o-pstWjO&`~oQ}+<9BsDm 
z36x~IPMYU<$F7@i3_gsu_#EH&^U}u_iXQUSIJ?)0QtCudlONn83Gd%Tk{Ko9~h* z@t?g}Z&*Yu7KXpBYgqW79u9SO?@P3FoIhqQ_1%puHu4>XUWZ0@Qzkf2+A@4?kIh$T z-XPjMYls|#!ELL$JVd{iPB**H4xqB7d9~&rR_&G}Vtlr5-a!<;{FaCF7bI?rMrIfG zC8j)CPFI?@$*s1C4-b}M8h*;2H;eBC_YvIPkFVX@ZLSk47YzV`n_#zQUf&1)Zu+;} z>k+BGG4%Gzr-h``|3}n0Hdh)iU4JrhCf3BZ?PSNA*w#c7+sTe?+qP|EVp|j2&c1U_ zJx`rC{Q>@U)z!6D_xd&7JY%;tbvDp}y!J#feWR5X7g7gF{8_PylU_2G*X_745V*25Jw zy}8hTOK4{JJT1CoaR7%QL@5#Z5Jv1qu zL~A!7+A`@vk)#nGEXGOvB?EJ)-7W}X=`qARxs~8V!wm~FwQ*_{yA>gb5t|w`nX;}E z;8keviA!fMEmY>DUmNjRg6z2s5ts?SN4`tK#?s{755(5-A}6uppe3s+;MOFGY)C-u zlStwc&7Y)%+O!uZzZ!b(aX=L%=W={Ujg`JIidfJx*4*n8;z_2hO$=z{h;JH}?ihih z%Zzal5;E1YMD&Hv zzOr(Tcp#HW6_ym8%VW(iSLek?L0NBdr0q{sC|Zbsd{bLuFOx=EZ|@U(oS*1BFsW5} zsLK>b#T#7xw(Zo9DlXOI^G#_Y$7fsA| z;Epp_8ZGp+t2U>QH;!LOGdLhW7ILjFw-O! zXoZGy8aMA=2$)qYr@t-(7r_a8ts=GiO5nSh!DrA(5V_=(kW4cd4k?&jxl7aL0g4@# z?-g%7L(cA!Q}@6(j=P*7Zkx{#5c=2h0449`5SwyT_!4qxnGK^+hz8%6=2f^oyKoY! z>o|b9GDDX5neOEodxG)r=H7U$%v*BWgGaK7MW>$P2#Orl?vCC+*io}(e<@9=Gy^lo zC{{f4-cr(3g>u2dLrKmuT#_s7eMZP5e1lF|uUFvuoc z3S|f7V*-#JaOhuwpnS*gX=;Ti{-r~ZV-(bvZ<|6JxzPN`l5B};ExCi8HMv#Mq>8_% z8gT;BCk|xH{>H=+Wexh5{vzxDPOGj`xt9P{iWtJO|8$4_J=Thsd-u-4?+WzwU~MwC zU?3?4(AB4H)+G#{IYky)QejnL9ou*EMGxa(HHq>3Rht4RirYF7Gb{4ix8YvLHy;Y4 zUP0?P!%++0(_0m&=6%e3bBZ;?1H-!Q;SiLf-w3k{7DY}9oFe$+k&=;t{^CKUNZe&$ zCK*Xsk4|{VV_UvBh`iX<__t(eO%yi1gX}TH1%fGo7C@%tA7~UwC$9J$1txsIsF0|+ zSO=Lm9cPFICE}y)Fj`{<=f9E~O`oMmQfDk}^-C*x#7V}{AwO?A6q5XDf;BxzJ zgPgGE<1h*Db*d!YwkvC`(P!&zd);_a`_2+2MAzZQ-m%X6J)uti(`n3dWT<89W9tQ% z&v~z#Gl#g_ZK|naqi)p_*beN>hX2`y(4($j{auzvraBA~^?i^Bbw# zmDy=Qx}tGak^H= zViWibo|a^(0W33`nmampCGpnW@5PsC8GD|q%?CJvPBYTB`Yn59Dc!6x)9wfzcRTal z%AGGmve_T={~6`leqp|_KXPiuzFcIf+BSy=ZFNvUXgRZH>@PYy`1gaC>Fq_3Vz>AE zNGc*PFM?Z|hRRUT0br~DI!7j!aV;|k5j|}A3~~`n99eyyB8-9yt}3j;HKP7#-OEUa zq*9!AmcmWT*J%kr>&V_k@lpkvNGh zUS8iL1`kf_`XQzV-|hC}%sOncI_bcBDrj;f7cG=s~2WE+pZH~u$He@UF@*rP5wCky+n2k`-Lb9Ch?oaM(F6OGve*B zVO{4$Lr)zV-&po#Je7tM6uav3Ls= z*TW;P@NHVkJDE16lrRJRxq?qhzfTX_Ngd))w~p4OCiz-!?tOd4D<)I#&oN%~KK 
zm5au5`~3RZZgOFL^HzmlI^+-p%ws;=28NKYbFdxBSZF}`-vUGOoeLp{{*d|EA0#N! z-!+SVPhQ>!NEM86Q07@YcG4*SN{x<}*7%_5U07q5X|jmZ8bdb6C;1Rk4~mEE4!`Tx zCu^*iGdT?s0zA@VMBV%&OQ6^I-IEK0o(iVxi*&2%<4Y|oWC)cYr;y?ak$$-&lWjD@ zvNbo+B%m?X!mlk}tW51^iZjk@f5K@`B^Q4ph2{xMQ^(>1@4zZuKy znFfB^z6Tgky}Q3R+${@u`3qA=QV@I011oP6Ixn6o`0k5arahNUKoQ%g$F9#NSKQZO z-aj*1v`q)_ue^NPep5EutuHbHo=_yc-HtoLil%(d7e8{`ziioe`SA`@0i#Q?2B-Ppb=S2LX$fV)1608C6XK z?@_MW#21^c;}jFyt_SWOCvQ>4IV3o z>RQvEmzU~Dd=G`}K+)}%r3v8ki)Vss&^-xZcI(YYg|6MTt$yoHv&1&w^D#yWu5gblZpKS@Esq3F`E0@q$2)7F4spW< zdqnl~rTv0L24AbmfxGj;10fdQ>m}vG9C*>M>CC5+w!5hNre=`8V<}kBm#{Pbvd5*` z(K`$}S>RM>3Iw9zUe?n*V3;yUF~!zUV)6O*SS&ZG`&Gvqx}?14DthPgRH-XY-e>q^oijgICFs@SI2yTyg8gqkpDm9j5qP& zddMk}K`BfIna(<{xcxuxrs0)On(u0_-#-K7C45gZ(}hcJ{-~rf&HwmvMhWSj2_93f ziiX7mLNjUD#;J(fS@i5C_D>XM{VjHbk~y;xi#|`7#NtBUcl|RH%2YekIl5-pqLY4s zp7=*iSI>_Qc^|gJsKPa`?+QuZxv3W&FEE)OHG8a8^8<$(9l)VuO(L#vyr=OI&ucT7 zpOthOkOEM%(8-%(GAhN`-*Gt0k?tDVrbek{7lyfYr%IH{{PqLCDV3~d`;rN_8p11O z2`E>)23HZ+ga{EuQP_}iI65;azC<}Lmha))^^b7Rr?y#QIp}$ zO6Kh1lA!EloBY6^tDl17rYgIk=dyH(?C+Y+bEx8m>1#rbw&sOUt)l zlrWV3I3`ym#hk#do@#!z6Otv%na|(Icn)IBvYa}#y~0Mb0~K_oKwBxGD3`U zTrfqxh15Z>nwfF(*MO5C>6ULZ3|w?ZZ~-b6D{%qQQgzIfDtXtGT2KN^zYNJkWdf@0 zYhb|Ez|c^cUa8$q1p{W3hKGS+(PZpjuqLQ%HqWj^7d()y&p4c~f)7<1ce^G-t?)}W zklHYMn2cO(*s)OW^qyV=C)c9)DYSe=8q+tO``?DJ;>>LC_)?+OoO2wo_-XxnS4!Nq z`lYH=!bczc+Y1{#my|d2+irJUS$`0}g~0DG>SpU|-kI3~73TsrCsZd~R^YvH2=cr_ z4c}#&59hwgguzr8eRmuJc+*fusIvHe*c!rzboMfd^xU!6(!pD5G9=arJtlgANx$$q zm5g^#)NK<){3V4Zzk&g0#^1>MNW;NltX-VLTn%K;v~*hM47i|R4^)GKI$ybQfq4>V z@O;U#m~c&A^d`)NzJ=VtI9b(@k38|U&^~SQ&f_^5M()19LdubmWC}GR~?MiC?_vJr0h1!Bb+@$q`N=7Q}y(Oo+Js3X(}Swa-=l$qLS+YjyO4 zqYyq~%m%DJ$tb@dwpkLh;rrmQiej}W3ub5lGE$~OZJLFVVA2^X=i@gWpY*4~CUb*+Rc(k4xYz0%oT7;s9 zSD@*Jxj|84<0?N3Py;aO{#AqwY}mQVy2;05l#Bu|~U;g1o3`}png z3HI-)mkqI$xgMP_|2Y55xdimjb-l9buk@OpFT<5w z`p&=o?mL+>)Zk<1$w4wD*iSn>;F5b zn(lEs`v{`TnjZc#@0?QNwd_{W zR(75FO(TymIN!zWs3NZI`qTd>a0R@(2f`Q)gMj#t7^grjVZpQnTm27td!fkoTxO)B 
z9sT-GXz0P7bx_sq7Zx!Ms!hj*XMs*7HSuTtr-TV+@uvhPQAxhG^{*Rm+_EEWU$Q`j zpVkKO8hBW++q8SkLj&Cie;`Sael#X3%!>>jP^57+#JrCNM)U$&P@~*r8(+&*R8+ioD5Xll-TfvNP(iMH8n>1eVbW z&e1+(wM8~QM`VbEkHjdR;Dg>e*<2GrlM(BzIQ_uXSscbaX&Je$+kG@xFxRU9_VZU{ z#J*7>#>i6XKN`I+#p=wI7DYx(IG3RQ2*sa1` z51PXti)f0QR}R1`MkTc3rO|}O=B90MO{zFt5Bh0a`&*(`#!&z6RKXuKkA+es7K`E= zpb;0OFYRwf&Il#u=m_XWUeV=?YQlZguyLWZ7i`Dc48LoX{W1Ivnm0?D6Dh4osYeH` z%7F)Lw0q9VWL|OG(84Hc236dEq?7S5pw?HAnoieVv$f12ZG7xszDHU`2 zO)&@}-nc|PcR{a1tS?fZgGY}-*@d~-w=ks4D!B$)hrM+8B5_U9K2BxKuV}Q~rCf(| zLFo@AQmk&CMzkcErea-g>96y`jg#Y5VBM!YEvbLeo{YfFx(=v;>1(wcYo`AmIKip< zb6SPRh7-28lP5ZrVAE1b)k_9x-2#%vY;Dt!CjbtX#*z}elz43ci}p64yS&f?wd^QQ znv*qK0gUrIDuw1W@4WJqa)q$-@vC+7&vE>AwDR_oHROz^;;k~?(`Y)DYV&eFy9(i+ z#S@|L&}r0=-%Ro-Fy`yRmOqFzsYoshS6$}+RO;LFaOtVa@@$GqF>a47jj~k8^2E;; zHvNm;3$h@`1=Et-E9g!?nNXY9l`s%0K(knMwx`}%P^weHEm&FzTGai{TBN2?1Es-X zW7aDwf)jm<`F){II#aTaeXe+*l29gCvVNs{F+)Lc#3Trx%^_0_DKLEZQQAs#zYbPf z+r6DrMP`7&5h50~z={Kw`K9`)W(o9i_G$a02sEHn&r3#3Wtsjbli4Zxq2t4_E~Qy4 z;eba|2OW!|x_I8X13~5XchZyzE-x z@l~Yv#iX$Piv{XZJ$^Ewp%wio6EEPTnF!;k>ToaRI_0_$s8G1fHLw#ON3cMTDL7Fo zQxtM2JVkymZbC5=jY#&rMGk_Xj`m1TVe1$jESCv|69}B}AX?aPDO1LwGC-X3oRvwN zhKEky6=cOT4+fvK%LQdYDYLyt{R6N*{3pPY4LY~O_45LMMiTqY7XJG_Wd@YD+p`N8 zNoFG{;kZa`Sk0^?AS+8 z-|V<&$JGzR|8)2>aYMVUe;6)dZu>VF0sCz0t=H^6Whxj$zXtzYkHG1*YJhqUcuopl6+5ltNV0ubB}g*HUio`Ri9z)Ka25x?w?eX%6xlX+s>;7ST3=GY(5*D z5$_KPT5TWRNzXzCD=t08@L`^2iY~PYuU?+>QrM&MyPc+M)P0_}CLT3SCyE$x0k^j} z>$ZT9DZJ-3LeA=jlpcFmH^laP*>m};ZO|+ls%z)#b6U?!RNbShd{5_vqWpneS9(^< zBJZAN58tkD(l%h{7JA$3Iy1q;m68zj+YI+3{5rKEr{~~!B&I`B>j6~jnqwG~u-so7 zf+@%vh?ocQ-T3>UZ@B77vx#;+x%OhR3~Vy_ujB)pidj!sru(mKH%!;l)-Pe$E?41@ zZ^XzuZjS=z-l#ioSSxv%AJv5WZCjQ;8qL{7uKZ7Yme!ruLO)b(bS;SQ48!9NtDFxk zlGx?j56vdFdd4j$YCa#=Yr441mYQ}PiIG>O@cegIp^u}ppN;b#Y7BPNjG0SW z$dJwpp-NlF*v#~iu^0)QhyF=0N~sG1s9FH*UQtsmZGpt8LAZy!;*Yk>;jh{wh)FLT#|FNm#&S94#ZscO zbWSA^u55U563e3u2TWv^w6Rf(Um~P7rr4=$U#EH(MsHQO&DHJlDqyhK2g4s|L>wW7 zB2XcY8cC(67uGSP{=Ny4@MGt@(*W?CEa(5Se1%V`W8{jj^va-wLtwn93GEeFwOPjV 
z(XkX)?AN9H@tASeYy2UIu+T|3dr{|OEM8N8z%rmE$IaarFa~xTAb3WtWL0-7LE$jF z)9HV1>#8e#-fs7*qHwH&?YQPUkRdwQ+)+sHiBBvBc`8nZUApF3%_Vj z)sf#o)!u`kYr^M|uhY`^tuMA9&Dc*{o#G|*LE=-MKfTQ5q#IV0Y;@Rm)U2u$y43oP zukOLMJUqM>O$q;){2rZ(<4sEOL=@!~;vf{Ccrz~rQFn$P(pRUWt90zC%&cWeL)jAd zC)i2-Rr(2u6s7yYU6s__bY(&%x7DhoVdcp(ZTeKd+t)z*sOb?={czsXAvSC8d+b zUYU;66=kl+K)jREqQ8eQDtulPQgx*)w>Xeg@~34=eFUSTDQ%X`Csw2lHBO6s-4(3( z8J{12oLnKKWBc;aEC5rN>P#lO+m)WOFZx%kZuIWM5G*#qC>_VWs(Jg_>vKAE+N%g; zp7SQ3ESKate}yr6k7Gs6jsVtJ0`xIqkUKDuiKw5XTcR%Lg4f!Is$#<-`WCTD!&N$8 zxKQIkGH+?(FO(KSw7zU0usyYt$|im+ZJjw>l}tu-B19{fL=${Q9afK*{LLjkDqpPy z`ZZFY2xU>O5t5-0Yb8e@g4T;uV${Nj1?tS$1OE0;LA(_kTe_WSdefv=@plc?@R0|a zg5T!)^4QpUlg*y#sq`9PsHSse_LX;O3dQ22t(UTVO-ly3;)+hkDnw?YR^K9({0hbk z@YHL?HpyWGj7`c!&9u{{5xT@l)EgmI8kiSI!cT&)9^doFgkJXUHFYWDr7_G6*a3<)ZEWkE*Y`sw2Snik5p- zLd~;t-5O50&ObqS(QXHUo>QPPR0_xKTfF^Pu)V!2h94NeQ;T zt*dSI6al>3L+q#wIKuSd>Ue(EENDJ5TP7Z<(P_2gbuClXaCpqjh~~KxwnVw9zi{z# zx3?HF1--~Wt;=W}3>RrNAbFo0%eL^|ZC?P+%zMY*^nReF_{Z3MrhE{95w00UMTPTL ze%_Mu>fL;HI#2a@bSbw`CL1=J=wIq}j2Yy~Bc(NLx<7A+#}wrU=;@qp@e&4oHs1~O zoM%5+feI{<+(6#WOVIMwZ>#3}2z@)@3thH)wbZe17%SPejbObD3)WM;Lb=A$I+({p=<4R^D{2&JDI2gMw@t0QM&jg- znbar_U4DxuWq4YJU`Twwl+%Q(*6694_a8>|^1{Ke`u?$e7k<&1vQ8RdGWsD-5r#v( zrI6)<=kH#h%@}l0ui`j@fkUE9p$d{PsOECYP>=qsgwu2LsmCMzAZRfbF# zo|#_BJo2)^4Dj+<;(HVt37E|ZlpvY>`Sa!oJxd)3HthNCERgZ22VDX;w&NxqX`HV5 z;2@?vGjXa~Y@NdRkt}_&XQL=>|s`o!Y@uuzTV;#ED#oey70k*4pbzhBfLRfPS8 z-@ILc5C$7(WK}_My^Cx(!|eY+A)|^c8lAzVmEce2k!egdaqQ-6;b*W_${WvlUYG=R z++6X{H(14rb!be3Jo=b{2Qbc0J`r&aHXH|6N3X&&lR8z1F~>2-36t_pWixaU4u|`$ zYVne-Md+Pz2e=2``&NLI!`a81DW|P?d@cc_G1EZIWBa@9&wU18P%Zw?~^GE@YWHU22`)7oda|afNIg3$0KNZ8h@LB%Hh4#!*!Zmene-ke>pH!vjuTj?ynN z-7>k)gUv6tHE@IpMNPGnWLK#?@y~Dj;_-w6ss1Rq00zYy$nZ3-1Gu2JJ}&hNQUti; z=7Q!Biz*pxmNh<;bQ&J)CS|;$Xmp6+^pCm?@y)O+aR=*-N?(nlG;@{qNnhDe9UCk# z{5bJYh<>-GWZ#ku12w^U_+y!J`y^Nd*72YB?+R5IPz(UW)$WvUH>tEde)_hu{omK2 z+dJnCXtBE`SQ=OCB+|NbkfQ9x>FlvA*R5e_(eD;=$%^0QfXFi(e3?YihMKi(gDC8< zqhSlkv+gtpr8zkulxMno)z1LX@=FdEhEEvC7*FlxR1=`jaSHuht_j!--kR>6{Z@lG 
z<}|z$k12*oG1-dZ+b!DU9#I-6#=Z@8`lnezhMEe29apX(EYi9)Wd}h*4n?wO?XoSH z2I00y#x~KVvfVnELALLtm{{pVnyI#=#Q`iE{*KhIS(R&=gB#qh>2EHqmQ&_%zlPA@t0Xtx^Q{z=2E77wv$h`%x=41aEPYctMz1qwIfRn|(2V{;TJ%PDO>_{kRVKx? zED4aTMn4NPB6}lPg@Gm*K~G9AR!SVc~z*#O3xPJ{{KzDr_D;-jE;-k>d-A z_+HrGDPI^rMc%)?hX}*K3`u<-_-eR1+3PPwtRT1i*0XS6*TwEOU-xcC(!Y76uA6^b zgnXQ@zr04ManIS$?K=qFki;*dt8dP>>Jl5FimPfTecn1fsp>9dZTWax?5;vGK8==^ zmM`uXK1%cmsyME?e(AS6KJ2tlRc3s;t;tTC+^*ijo}IfCW_jHG3;}e7IbgRPnOOlZ z!w9z;=C{WpK4(1NGrjMA61rTR0YTS(@@l-d3hwiB<#%e`kEA>G1JzrvWB9gYzTVmG zpq(Oy?mw$N^{z+I5qkH-ra$rUt(xAkf9ds{HPs+-X5e;=gtct59wjYToL{(FL%bVL zg#}Q$NF;wAAliaVkG**VHgyQ$_0 zefx`OkPT>czZihmxH5JI(@~Sd=ODE!0J_){x-76nvDL4g)3^PwTmE%u!tgPlLjzq| z=fL+o*;!FAKAU6hfXu?+T|cY+k6^m1WuUENgMwe1|13;`fwwk-0by>uGvU#0X1_+( z&6VJBq(YhzzkAOxMUeWBjYr1AcFtW)!C8^XM}*uZEA6i1Pmx7%y-rhQ54%H8?%kmV zSC9S4-xIu-tMr#WPjd2fF9{D(_^+G*2opU%7|(xnUQN!;Y>x^SW<|3tD)f z3p&PZ>AW9Ec&okdDO{(!EWw{D*RQm^6MkOuy)5WXrDv6Z9zR1i4mOp6b(?*EBbFID z2O0{2RpDLsByHdgfEB<#V@u|(tM?=@^g(kMU!uq9`M*NcXNu4H zU9GO+ufO1UV|a3sic0oU{+G<%W4t50`w}4+xolmJFOb$_2R|2p&yY7cYE!A0BT#z3 z$^yKw>mhTOccI9A*z5w~7#tb0Tjt<~DdS;awZmkjY!M6K5_}s>5u|w_5@_Jhwy;D) zjG188NEN?1;p4f9=vCj(UlwY>pW8zx7lW3n{Hp>NWKomA%5FDJja?}8j0&T)_$o}= zJ>bH%56X$Yr7dY3!0ipz&IpuxRjq8!0`Z^<@r*ukfKhgvUPDiZ;|1LcUvyO2< zC{?Ha@nXcF|1HysU8Za}P;$vmCD&8BB2R7j#pU?gd2&u$k}0%!qF@P&BObvd{%|pV zrlPe}cLtdfOz0aAjSCC1`hHMi1?IV)(8QUE-`{za?CX*P^aX$3#FqDrUf5iey0wqlz^EDyu&I>uSaQgh<;G za-^bGZsxaXB_84u{9+L_FgV|bIR$2Ji~+3x0_#F}Wsz{czD8&g;}Ro`m=TVVB5k7v zgVa@Y3#9dgMrkO$I&A_HG~`hOzECz*Wn^CQzDJ!92XT=lW-0CkRy*6on{`E6TsCx5 zlDz9whGq-zo&wf32E3=5>pGObu#4|KKeOK%`1Xa|yG~YQqeDeLf@nR5 zVx~nfp;NdVDlBxo;BHZ^Le`dipdQ^Kr4T&?R35T=-uobytMq3rgDhEdIvrLqMv6=@eOZ=q4CyZ9BjdreEiN9wt=RuS9b2JG=iUhPTOE#Dc6onSg zoMV*N0T>2y4Kh@wl{7`=a3Hr2O2!I?;Mg{t;st4QB$^=T&Cr6i&68K)$5lLikeK7q z#F<&$E7AmKi_=UNV5xkiinvDqv4mqh^0&!2Oa3q~LOrnPk=HVQyt@OS%g1z&13hxy zro9edlt5_!tm6ugE^q9+Z{b())U$TCS{w|B)Q0glIFG(3B}47!|FD?F$Y~E0{qYNN z-O~axsZbh~!w^U1=Kh5~$_SQ^q*|MxcC(Gkv67R*D`~F%Vh=<-L;p@)rm|X>tymlQ 
ztE3A8r#G`)X5PLeHt*E$(ofLU7kyJs=RURG>aESFn&@{Pb^w!_`Qyc!sFI_5p8w&b z4Z+}!X*83A(qaG$&pNDK^3%5*{6xW6g2e+UJ>sO&6ls?F**MWL<+4u&3y#D;ER$+{ zi4$bKTKY5rsEgs^o1uqLAAI-ifVD6^>D|!E>KdYeO1%hPWG zPm_IGKpULiF`|pqeVX>Av)a~)@M*2v=FqpUuG`_9F;}dU0X4geonoZ1tf|gxr|Z=N zIN*v?7s@}vo{JN+s~PWulI#35q%bq!OGktYRw1I^ZDb2nP|%i-aXZHEA;fwyK@g`EQW40G4kUh5L>g}BE?k}yaz*Um6bYF*r{ww0s9BC2f zEg@Npm!GE7+x)hGiq0VZh3lg8=7sBueFXiIW71SdPhN~C4G`jKgVNFV<0az=AF=Cw zv<9K71>Uvka|be_+SA{4tY;lKs-MRx@cD!moqY98A7H!`x6);M>H45Ni%GlH^9C^0 z2QK?9FK%_%jsWz%_WCoPBd%J;N{UpYQ>xd_XZBrny&p9h0oUi7zwW1rp7c-C-=Z({ zHGyAxe7ToBrPKXTOC8{LGTTe+`kA)z;Z@|mkQwmv;F8+9zPxs_3Ahb%t*Lo=&t|N7 zr-)y@N>G06x{jaXOUJJPy4)Z!@;^*vU77bmKheBd`&?g4)UW%v5F9T3G^w9@yaa4* z?#mif93+@Gd5sRl*f^i=WGP?q9hA1zczxQocsKtgnWgEtaG$Q{vZH}vztVz!ebC-G zcXcTsXm!)<@P1)NvbrjHM0DAF7QRmux$0?)-16SXmAYt2sl?gzmWBr25*T0px6@t# z^fN&sf1g3FsM~`;iaO;eAE%G)+7ruq(GsKV!`Ye(KoMgW=@pnK}&_&RaarS7j{=uW&Y>CRyq|N zMe4teZVaezqP%@>_zqb0B*-OcQ1CQzQxal-!w`axf3AGduFBEnsSTA-UQLJ@WWr72 z;^?MsONK7FY#K|usUOdVu>?`Y^4C#?V5g1a;0_dM6j3M#hV7`hR*guOa7m>fT8&9l zdaa|+kJDsuA11;f4jtr<*}+Dmzi;}N(Qto%P>i}^3ZiwAt;GpuqJeg3K$DFmV}vr| zCfCeUYY4Qdl5K)EooFf?h0;jC@!~KJ+dBHkhl^~HZ zNeOm}YyxxP5>guK94#9#W$y)UJw}SJFfLoJDoBg<JYB|Xf-h~Cd9qibmJ9i4aV zOWEQ#UHh@_1HLTL+yCbwGlHn;N8fXV8S_0%(&H6i?9z4GPwpMbH0@}d<1&j$v<7N@ ze&iUtbB^H#F$-W9qsc%Hi|f)YbSUu<}|@14 zW)&l?U_R>*N zyf~Gn5HUy#{#fjLyrEyg>AxCd^;`<~;KU?q%qm@#T-(EXKC;t2hPaSYuBDfG*zIFyw89D%?0*W=dBMXW+BM2X!{BL+(9Y0`7KAU*Yn|ZrHz~r$0f&JwOmK5qy6F zQ&9YNK4{&BGr_Fty&)s{dDR7XL2a3!`{==0!V){;`X`~&=K=7Y9vQEBV4RR9fgiwq zDL*xh)K0ANmb;TMfVrse0PsvdXEfGScd6mRf7!2?D9YCIt{vMzil~@g`wW zu1Ge4!}u+94c<2eZAf;U$r3=XeyVp;%BX0r=h%{rob#7qTA;UQ(}NsWa4Tuu803+H zye??Rg_DBv7vD{4?bbuuPT403%Y3t#Mj-*BmR-k!=Q`|O4Vtgtd}7Q|Q9z+r+^*jW#*6EZ=AK{~o|LV$`FmN$$tsAw$ z2c4Q>mTFy?Z4LfJ9Gfaf>od5Ff!1H-s|VW9MrMUl?dOC6nyMz`7%<@Yl}iD9iI8{Q$1WztB@XYY$L&o7)22kGXR>SVQ(j4apGy+_S(C~9pu#F3}#+BK6 z1K=U-=RPKZ-}f|zb!DgImrcFV8|iAaCIjK_tzUZ%j-KA(!a<2fyS~MitekJa0qzwrg*R|hEV=FxuZ(2@PUfw)YL!|vT8Uk)xU@q 
zVOpfqB>tjm+JVU@V>UgeLYJbyN)s2so;x$ch{b3ye^)aRFq;C!Oy0wls-d8U&83^Eu;BCu)v-v-&&MGMGaEbCk0wK6t(BSS40|a+>*WfO} z27)CJ+&#FvyEC{u!QE|em|5;t?Y*@x{V>n-ukNq=oZneO2`P&w>vKF~92kJjcpK4? z`l3>>V^RN|LF#LY(k%&bvAQe@3W$)~Qbo)&R%{Ka0^PgCtZ^{nela%DtM zHB`#^BPs-~zO$IDKe44&;iR)$gg#W>`e+E5#ovM#W>-jz4m0ahXg0 zue?(aQwy&CvtB-f`qN&2gxXXjS9QI>U6C;$ZR>Ez`oEuYAG;sX@7{kQc;^ONLZToO zZ`PaLn`K{IH}q)FQ=mFEp6zazl|~{aQ}tT@Cc=)FZg~8=UW;yk^Ya?~=g2!-=>Q*y z@x8(KrBj-zf9@M|E6B#{d%q1MSYwx*%>A1fM7)~A(U*aRBo8`18`*9E8q(L@zQYZ0 zZ{rek*IvMWFDqsyQh0lT@~s{-)vsO@+%Z^iZ&h3tXTZ-Vz zwDNuKHi*=zGg0qNTX`{ox0xm2Fl4u3kk!B;r7%U`u^1V$4*4eJ-N5EMfjWTd=m-8M z40j#OZ|#(&ckyI@Kb~PMxI4+sBVc#ekDueeYcy(D&oY?mnXt!AQ_-jpT=S4hd=ZMHr{kC8RWG z!#(DXW#jc7{_DQ)arsixHntDU@PDK%EKvuJg znf&I1j~tclJ>G;PO+pjO0KjI>!yv{!+8l3(R7kn z;VPq1n(*P%rtfW)(amMP{377E?OW9ulgkC-19L)-*UH)2()t5<(6~dot){=~{;W$I z`kc0vFSCBSaMGns0^BnSeR%u7x7`)s7Hb-m(+zSf_}gg<;20Jz_6+ib6k{fu;WE>| zHe6_QLtb-cQzoHL?9b>t(6cG<^X|>h9Ow-G-YfcW@tEyrQ|UrJ0x7;on6~AJT2~7_ zLoXFx(fW(jFJXxMLR0fsGt<*@VuhAi90}*BLVBpa+5f8RRB3G#1^wn(;rSdGa64jr1GK`!}6rd2$EWkm`eN{EaD^e3@Whz}rVn(A2O`0?pX9Fzu1%=xNH3?%l`U!FZgenoV#&Ld$ zkJ1DdEZMGvm1^B+R8>Zh$8m_I?CIsIefj<7lSw1L|2HyfJ+)*3ks#Sgmf5t;LV=9P z#GC&^2vfNSq7YLWL57(#O;(vjc`QRSP7dK%W*lLOH+S42sL)oPG1|>Uc`nXfM>+JP zIU5F?=rc^7OKVBbjO9G9n7@J)?-b=T zf|sNg%NN%Ap_FF+?<{>up#ENj3tDfgUOa|AeWUQOpg-CnmLYmY(=>bvuZmENHDOKB zFiD%G2Ya(w)I!IJo57iQ;8aYfcbiZwnoT3$4_I?K8reSfUn;804xcrot3CykXD0hp zX>c<0Q6bxhN$0g}?14;SN`}+olZiA;0AinuW`AybGRr-c?dWh%%6rLX)vD(KDi%M5 zVuOy|o6ju;uqp2K@?@3jzr}>?B%Al|+ix&=O9*nE8>y#>`sGq9pk&5|sZs@>5#%|4 z`9on)=Uy5w-HD`Cs^Kt!aPw1GZjbf}<<0mO_}Q=NTJsS2ck0a=(s^A7Nr>t8hPNTXIY<-V2Zm@&n zx=#zVtW4hmx0xg?kSk{>)McHRsMrsD=iJ>f^Aukia$uuH`Ly6kBlXRLvZqe!Dr8zH z!`eX~|8EgJhkK7ehXY1@xz(wxJIbI&zRo3|gE#@QrrUS)`g2jz&)8kuuyWpEc=VCc zM8f5|JDa!Po%7<vRDCZQP9CS{u9VU%V8kFLhs)^Iy)j!(D1O zZ5~{I^#1wN9bNS0ex`EG70AKJ_0>gf2>>L zXZRjVk!?Kp@Rxd#8oafRiKIPXf&XT)8kssW`-AdZRWU+ zP1=1|y$cX-3i7{uEYys#A!#MPHh74mW$}i(GBI{t&s>K$Yme zT2POFKj-SYP3SMSUgMgyny-AjhYskuY)D6b5pLUx*-udZ+hk0+tSw-wXq%hUxztkJ 
zta?N59{Iv+xEH;-S?6Rk*lq0kWZ9h9oYQei*qxoolL&2e<^~k_uO(=-MZK4=Jc|*PF(H(vR^MU1qHM~oH!4G zUHR`PU3IxacQE67aM`jHF`4T>{Wnz^o z42tgxQEfJ2+@uhJNz+Dxqo{})+ckyt3Uu`^S!e>k-IInvwyJch!h)W%lUgOFVwZXv zni!vb3PoanJ=66xu!+&(^<4Y0>;>D?j-<5tEUGc9RkTF&jQ0If;K(vquS)4;fC<7K zPL%gA*qE20Ke%$_n$_cn`>shiaIUe&^(zT!Eag*8o;xj@X`F^Efr^|%tis{%RTWId zg^c8*-Fq-vJQgmqd2)de@dqB_*q9OqxA_7OX1T|sZG%@TB%1B zf}hhQR`GWOUiOBH`t(vh4+RKWKP)F{Ftuv8_%qhSWna@VHQ$mNS!&X1xBIKtdY z?HUacmCms`!uwco8pr7vlolwA^0=wyeQId z)+Klahe%=UaE?$@@P`_b+Gy_%ii#9BNuxktw6`n7xP~cQws`>fJGdeyXQaMkG#e z*XpM^>Lrtxl{|wXk1`^3{HENDU@aLBburfpS%0OAI;x_6PNN^KE0S z8a8Tc^qOi$mDUlS!-I5fE-xliZpxj3AV4W_7ZO5`DnVoap$3Jh7B0Ri9fYKwsgQU~ zO%O`-r+8F++75rNB8~Cex60W)xK6H!%-ZuIRQ}_9ow;MaK#;2s-&^J@3ROX->MyEq zDasU;s)kI%bGA$$?-Q57cJ}?qIQ2`oz29*p91K|rLdsed1HX-$(>rKJ&?I>(_9Dnn z%LMmj^EeXmmG!rBZS>DjtrYibP=e)T&9R=9j%>FIcJ!m++>aQP%lsKxETOdT9I(<} zKPb!y)EwF@BDWOOhQ1_>yd+qc#CY#FQ|URnUL|&HpSA^3w;2p% zwn^rO$8GqbBpS{S&$xY6ItX*gK1^%JlqB_sHW3X%M$j`;Xxr9DFAT!AJ6A2|Hy7r7$AA5|U_)`(Wa9ubP}#}%cP;+A zLbLj`_+*usB{rwjUu@jCH#m`M#*0KeW^(~(uR zEwB07yUaaz>m4ceZSHQEixlE@av5Cga6hbF{hC;`t@d5@0IXacS?1`zOuHTQg^R$j z0?pm8*QW@O*L@dE;?%Q!Uk>0z^lfj-J@lt_%B{v~Y z3>lMG)Tz$*{B@xi)7A+%-OMzAVT2)Jks-0*?QhX4)S=Bu@<2*42_r|uEX{L01koBL+o zfck*p=W`E4<(&4rx@yCu(H~12;LH0QeWs*PQ6xRZ{mcj6i; z@OIi^gR?V(^sk7{E$f55OTF9R{`q39wb0vEtrKf^7-WN!cGKmtnq}o_>fz#977{{2 zQ(sK&?7lQ~uZnJ)QPBWhJZqW}*(QZ^Jl#wzyUgjFlbRnn`h9&Zj~zo=vw=Vslaua& zng7p?$YblWr+8%$bjj4d#}V#W56<>7d`$G2Y-G)BCgG0YiJ20%YZb7#4OK2|oNHrxx9?KSkE=vgw8PtXo&lQ!};NJozjH zg?@PH&gFc9w*PY40pPOcCjCdMocAQiZ&^s91daB0fYJk3UUT@~c5lf%^}uz#V2&cm z>dwCqbJkx_oVo9lN5q7B7dYe#U!sFFaGEFl>{ng6(F(o<7ib6$?hQ}>kzi1-xC_>3 zHsKhIi*D>Q5MHpcdbA*%l2IbJ&dvLbGvv~Q6ay+%10B(RA7;&qQylu0_|u^ zttF4B(drRuiHmxQLb`pRD>nE@jNYEWwQ+22A^SUqC)Mh7rr{`>$^Ixk!MyWO;C;wsxE~Ptx61Q1Q$?6_I-}toyOTA?KcQH(ZDk_t&eaKN8UbBSBR$&nU`TLUrPN_KYXJ zL4{tk%LQi(GzY20W+V15a5a)vFQ&h36z0tYzru*oe*NoSw?aTfk5FX7tdeKYsaZYR z2+yKyUn#nss8%`a_-X+rm%lzX{w`~-!3B%wZU925lb`6I-fBO`mCD#XKU*} 
z?X_HkjVF^IdJBCtEvJ&;QZ9j(pasAP{uD%w(pV1QwrsU;RblFAtSE7(^ zk@geA(c&6m@2Kr0TJ6|xmApLEy_x@{*Hj1t)NdO=#r4}$e84quVd}d{V&rT^mNLzo zt!|>cmC}WvYo0NVsR9rCa74e9;Py(#VS(*$mCHUYvoBU=0mE@06jAddE#Tuk7)Ffq!$*IebRG0LtXY`j^p}H+;bhC&#G#IfVccBhzLhk!XJGmU@w*WUCkjT`70JJ*l$NIE{o@7G!s?*!HN}$d+w?5>84#ekS<0a0BYbVc&XZjA;F$SvMbRU8KE%hO7vCbbX0V8>z7rOs{!?8eV+BH|Hxg9YX9Ai z4t0+w?|K}SzDHb8Y!+lz&8gK-c2AHSkEM7xTM>5T6VA(eMb!%XidZXnKyKJ@k+~-| zaf^ghQ!IcyorFDs06zo;^Rsh5ycpR?JP5}0=y=BMBD<%5)8?pP?+pwyiEO8-uNYaKf7C4d^AQ@ zW#}#cP??h{4Ly+CLwQ?ZCi6LKTJl_eL%Ec&j5<(7WcJ_LS2p$x?3&)Eb$S?r;A35G z@V)FjJ1OP3O=wPadK`W{6~3CM9qaa0SK%OgW%4*vi~MqR(A0%O2ASuak|{o~8;yDa z@E!&uYqz|dv?JW_tZ^mtJLVt@fS{G0cWOCcr?f86`8kORW`r~NyY@?Vt_$=Me{G!sk)^)SwB9ni5g%29A^`Y2*Z7OQD~6j+_-9e(~6_vMV$OzHF<%pV={>CnThQ zS$*z*ZZ`7>9L(mpO;VH+D{Y>1B$(jI`yD@(tPG|d* zz^68c1N0BiQ?JnAQz*~dwgLpovXk)`!))t(DD4HIWf=6V!--Upo$0T>d^a6H52cR* zw}|myp)2O!gASn$_ya(Jy3rrPhE6z<-;mCFQ3Kg$V+~V}TC%~yEh}Z1b;ixVdVM2nt4%GX zmtdHbDVTGS$1-4hSoa%h%2x@w%^w+TXWbhh} zBTN+rhES4_kxMqA0fulE#bK37aZLf$e6~Qgn2KbU%T&rrB6ge72%}|KD02AEFIY-) z@>_C_5h{);x>w)*YroGztylQl50gfx6;%uMO3L@LH|vM(fR#<=G(P-PwNr?ln>*hW{~h)T)>sSa7JQ zmofZH;UfcC`mrt+&)%2rlQ2|`0imeL0-J8#WR4H~^DWAUfRB9E%uL-W=xW|DpOH|M z|JwMIW38{0x{(VpeKLJ#DO8H_ZS6&@HA~?-1s=$m*DGPN$I_`NUcaz}deyWn!-;r;`z*U1-8^LVH3~ex_F@ zS~D0_i!X1%H-Jr2HBTj)u@rjqZ1C&8VG@;NuDWnb+K&nMnD-ReB*6d7(-^F|^(+fK zq?&YEGy0*o<@341?XMOG`=o^JehY<#cg|GtC{l#G9A6^r30J;Wk{s%7WEsnVcge?s zB4GL*fJ_ToX>K`P!P5+#!e0U6S++d2LzzY)0O~@x7}X$@TM}~9J>5Np#953>S#jH= zXKE`wbsSJ*x>dsPqF9<7Wd~w=t9!wzWYTO)I;NLymYtEPJ66=Lo)Cnws^FXUF33>BAQM6q_E|#Xc^7QuXY|8dU^=kMb7?^hoo=*Ahs7 z3xs4JKGy3qdgkHfdS%&;P*CNrgH@W#Qkd(`5|8q6cfRL?w@Ssv8{PS z8Fo(2Bp#(SvKr*z2Gwu-&TTOE=7NkmT9cw5-90KiL z1ipao0FfHd3Fdq0WBXQ$*vw?st2d3vUnV4%#bI!rHO_VQ6g&;XRGFS#>rBmDqF?3I z=&b}I3bgpRVkU~&EH>rAtmAaJD-$K;|KcGE7^y~@2`vAlPUrL~5Wu7V zF<+)XZZijG=na_nQ;Wnb0Vj_7z#d>URN)DJatk9ncp3%8bjxb`-NAWzJ)#Ym z2SSP=J)gi7+c=`Oo!Q_s&P((be1 z%s-)>0~41!FIpq#T{$OVuTetKMWv7zxM*{D>Aw4DUOtFST3f{BQ1iv$ZvHhZ##d3m 
z7j+-q%NW>)aGR`i-g;~|X8dwtN&9B8LJM?XWS#dX`$sA4M7&kKD!6pk^{mMYy#f(u zfhW#{PXQiQkjJF})GDtFlEP*@KQHJ!zy3zkOVi$0KBlJ0OoNtz3%qQBf5vX7V5{m^ z)e<0o_gb72)04kn%5M7%iS_0cg4YYG{^k1WYk}bf;6beIPiYitpJI#gWz*_*dBASl zNAx#~EK67YERS8zMz`l3)-K>9^O7q-4^lXEI%jve@$y?yyVH3;QmWHm|DElr2t6uV zrAHK^GQ1(Zser8lD-YjN7}bMFLcBJ8F8^K6|2$lR-hW<8ShDXp%vt57J``$R-s;Gi z?~1N=1vw@E*sBuU($=JH%Psxay(@rkUvGJJuZNtS^DuyHa9x4wv_bqlik-p?+0V&# zzuQ@ZJhfP|wAgVggrfr-LEI_8yHHJ@w>j2;-y*IM5=Nn#84ln-#-m2%C#lmJ<9}d1 z$oV;IN>|qn9l}&v<(~Djt&Tvpr`#k~KJ&45(s=Le!vnhH7VCbxK1~ z9{^ydrJNX5C~6R71h~Z%GBF69%6lu9;DuzokMKJZUwJh>nD4%lDqZ>;VXudxn+e8E zQ&4uziCT?h^&VzDB($%FzbNyh*dJ)4U1Mw5Fn;bc6kZv7mtwE_2SKdP&1WGvmsfkg4h zTVjsi^b6v@yt3S}10%oFGw31-Qk5Mm(N-k5lt{=*+Y6d;T7oLe1eooJihT!taHTaz zVqQ8d#xRs#n4A6~g6#`af8O|vdC^m6rToLY)Z7v)Wj`Nl5Nc?5ucpHHMy|4y)K=pD zM*&DS$)xkmBtR5FG~t#^i2TD`92Jm=D``AnAzr4y-7?;P$v)qYzwyj=q!ncX_I7vPY#EUYL=o_gHOgaYUW_PL)W5Eu=Jf{+ z>h~+~e~XGh1-@tM1!cN#k)zP=nu%-;ngQv2TWxz0N>r^>#4r?*lU$4oY(ISqvS)FS z8z#RLcVSNXj0yAA2MxZEcKw>K--7XOH6%RUva<9mtmtkm6XGLIWIXAZRUv&k%C+p^ zh_A>H&992(4h|CvBSrf2k&={K&~7R_4v9Ukf-g>CAPhYX=|Y);c`yqj4FO1LCMFfh z`Xy{5?`xxA>8@fih*Kf@d(zkDG$*iNGTJtZ+)2SF3CZQD#aAush^RFmA#i@CI2J#j z!nkdfox5=3$3jj@r*IwgKJH#NB;nXFf_)A4xXW!(t$W4FvGD#Xb7{^Ef1^W8e1{U44Kh2tpk+b7!3??t)iCDy(GMCy@!~Tw za)qQ*x|WqcGn&GAG@EG{ojbEq#mAQP5)=TZiV0YhXp)FAbQL>{>nQUXHKOr^!RnyT zKmU*%JO{)o^F<_6<5Qd{?X3I|B<<@X|Lz=pSXJ6&?z6lVAxmD(IQ zd11HQyDpAuuVgZ0G7Fc#LY>tVV`pErkaeW>HGzb@O(@7MIDk}}A-|sEL@ykPwUYPzxc|6L2gli z6NxP_g|O?Vp2AMyXi1DccFaBm4~M8(Mqb}9)hXE|mtHCpKT1r!j5eCiwlL2gyU)py z9b5Tuh}s%L0G#hI?S0aJY`py;l7}k3hm;C0qa#MdfRpx-pUWD58jvH$;d7}mS=HO5 z&gorilsFdZD9guu8SyQNe5lR+Q^9Tn+3_k-BHS*c1X^2i1X$wU3Ubm*IX> z!5oUM8&h7laQ@Trc4`H7Xn(Iwy2F;OR&C=I^JB|A#A!a|a~T9O1np=E`RJLrp=MuM zQgM>5{hX8P)tK9n<&FoL;%<$eOJ$!YaVn7$W?fL>w#cTPaZb{45`&L&gI`oOiW%9= zitB%C5Z|7QbKlTlI`t%7*P!oN0%OU8bx?L}^D|^i3q5l=7}(=6EXt&2hDVC#hzZOU zKSd@{V(EtTr2R0m@=+|~`T{_+MECeaAq9tic=^KP&UROueURR6?KZ|1%*} zeR!V`5~24wm3bb!b|PBP`~-bM{4gqd1SATy 
z3P-nO$C%n;d#;8#8kScI?QYwA+dQrGfRcLU_|K!|UQO)h2$}wCgZ5ljw@%Q=cXS=> z#l&Q}zI4>%Lr)?Gi2D3?rk4HAb1%<;w&Ed;4@eG?Dp6Gu`_a5r}-}7?B)+$ zr^>!1+Dt9}`3~2b#)iOk>7^DxYj?xyRi1XQr4ory;|=Pmy&}?pHd^QHb#Fp=mS|si z0p2+9Zt&Y=n?<*=P(n9*`(>29pB}P6IRe6ISL4Ka(({~kij#obsa^5%&x}r7PZ6`~ zH>38`nuGvX2+PzZ_}_tkN7FHXlKS4iZ-S7nyJbi>8d=NMEc0en2coDk;u4hhgWgl8 zrpVY&c_8?6Hg(GqSu$1a>$4Y)-R50kPNmAaSMbIx@x^TqJN|r??_Sf0)6{&vc2iAr z09!h=vLCqCvfVP@HiEtpaEE!6n6p`bmbF%aao)7tW!-UYup6<@0(8qyarANCT@&DK z_|>PDQr)q_0cbz}iwyMC#uYisB&(=D1t0Xwdp_MP)Y%E$P0H=B{RVaUUmjbZ)!FYZ zJb!G?_H?>EOJNc44>k@seg59gc_Y|4A>F)L+j+Zqe)YQ>@Hhq04%Bl>GWLI%Q8eCo zIi;7=saf{`io9XoM4adNof+=LjWFDwTpDbw_Z!^TJ-$cNu1jktPp$trY>w_`c9XLi zkv}5yIb3f)Y4*5S#peNdNS;ikKW+Jpi9A}pU8p_izg%?vs{(rOs&7Jpkx;1Bhi58C zLe_20RKc4(RJVnqx8?>=Z#K>qkrtEw_e?!!tU~8+n{((1jS%%$@o;0ESkT_>`U7Y0 zv-C51jx?8C9%sD*FBX>Bz1XXU%4_H)1rQjMtwjKEb$6DdkvQ(mx0R7lj{DFxBn|dO z{;3o3sU%DQ6|bs-{Y5yXx)xLM_1sr7;^^8c%*&PyZqle2MRFcL03(*xFB^U)TXR}E z?10Y$_x#F(jiI~QFFb!(Z-I$zYg42lJH=fyF#V16`;s+)PLuP)W@%o1f97Nt<$D?| z>`K-o+F-yX+mCD*-|fCO&Z07RRF8YH`admt&>SFK@8n` zkS)!wvl{(Gs3g7|f%F{i-;Hr^1tMEniOz+z==5C}J|-#xB}o!mL9hz)ej$C1D|=^I zM6zjnlZYk5j*30{vACt$2aeXCzm;D4#j+_hD)kkm_4EiV)@*!)#0Tkr#}FB^P4@b5 z8dux+*Q%$!0ec1qg18Zk`wVctgXAN(W;X3u-PYn4f%SyoT>Rj zc+of%**i8j4mmYfRrJ!~Gn`_}`WXUqIXqO;*43VuyBel}{-GWw_XNl86L*9rC49b) z0T{&`CzGJ_Bns*VRA)2L3er(>=g9J2kz8|{SzD)SH_rVmO0;VJFH(*|k-U#4RWs)U z--&+F;SKZ!=J(^-Iu8dv(3x6*9KzYl90WB%NCs6;ensK#gt62o-^84BR2X}f#ksEQ zsCtl!Mr$R8b@ZwT=YG&(oCo*@qVAYr4Hyamm@THu(!eT-uyfh;3T;oY%H@ST?12mh zgeD}++Sl+K=U$^~QRc+4m;n**)2r!uv&$1%U-?EahPmVHbtlqL2m-+M9R02})7@Y` z_dj|$)js>8%5A*_(xr&6@I5BBY6qY3;BNkgFHQ)IEw=w6^g8vFL!Z$bDZ3_2$nsdK zK)RDsYzWpPZ#Vo_{IZK;0Lz!CU=}$U;S!BSH&i+QlXQt#0H$|-M0PEoO=REO)dVkL zu?EkC9#5i0A)vsr4xVQiKhW0r9Br&rOecqq$Mi*vL+Tq7h29Uphzt?)vWdi5Dp#dK z{ZLdxUb>M_J~Y3EpX{^qIYdMAr9PYaz;dPA3WLayf=-%K1GhrCY!`8~B#z{i9WmRg z&PnKVQfRTLS;+i8~tF)MTJyJxQLHY;%Z~1I%(_RmT;tls3j51 zb#(Js59}mFLao#lx$S>s3G`$bdNDPg_q~|%MCZ94e(kgGdTJg4<*8TRz#lOEJ3w^) 
zifGURrp=;+EcpizRpt^MI|zr=_mPXLbxif3HvG_w$=;AJ_B%|bzm`|@W|lL`%a9BRhL;d7NRMJc0P@}x?I ziHc7*1;lFmdGEOG@fK{+i9d^z#l;Pk{Qj}df0ifMMJ-i&X7!?S<$hwRH;Gv@{uD?b z5&*;#tE-A82rYBp;c$JD)!i)*(GO$D9zna~$YideWE0Pb?Q$`8~<6DF5ZCa{GggOvMu3LWKrd?w}bcD)70+A*5dA1Fu`-5IN;4fBYx6 zMZN=F_3AlXvjItNc-xriXjHtxp#dKGPja6eXpr_>9RdzsttWy1uT=SWG&$eDy6Hes zCnnFKS7{CJh6%y*xP^Pj)Dm!v9OJW@H^NVdeIQZ);aZ(Oo2U-=#i)hwhlGG8w*Ekf6i+bej|jOy;y zCwBYb8nL5oE*=i_A5y!Yf=^lbW8N?88()p}FVGJmD^CZm+mjia^&Te+35kb1lSaUv zq%6Q&z+FQ2xpB+Dam;&6hiMkL2QCV78l!F0;Ket?XY&?W{a9Dh(k>z-a7qg}->3se zEy@_!@hG{MWj^I9|EBA=*P`E+Hq`V>OKT9qz@bcuWEF)IcNqa(qWW6yvF4 zPx}85yNsW(Iw3*KLMH+slhr(s(W%{w!e+8W z-I}#uSO>gtLp8@hu7ao z^*tm*H++2;r~90)%LBY)csGg~2JS~UPK`5t-uO%0_j9Frd4z4pzVbNQ)4bh2llm85Bf^@8Y8Z-)L*|Yh*4GKFML9zSg~Q|ym`c8ZVNua(OQB1UJTo02#(BV z&<_0b=c70(J5$bhnzz&J*Lly%{DOt$nW^`6) z$HTB(oP4v2C{~A2Q}`5TOPnM%oud_eL*;qOzOUA(W&UseqqgTDYzBcs=Mo8LSnhC_ zvOPv3!_R z$L3kMFw~B8WSF{24O!Jo^q!izoYfG=Xc+{OB-^Y%RE&6gO=k#WA@Cx@IEADkKZxd- zw29Tjb|a{`76Z-n!Yn|0vI{a%`hRSdkuar&+k#3w%&`i;IhWOp;z(*tGL9x0sXBiD zlf!`2^81co2*$5A+1jAaku3nuMKD4zl9UM)<=xz){gHBHd4eUO{pCr}JCUtA89!+YqDZpa!q zQXA?J7nadYJe_w2RX2OCN}^fkEB=rvhR+31DKAwLR8p4Er8~Saot7I%7{({ubQ<}@ zokTBhab(thnya*srFBke(2NWE>k|lTZfVTKnNM>T&t4#pvvERhmFbXJT*8^zROymC zQDm-N11<$HX%wYrD4`~5P<{JBpZS3j;WQYBv25Q}bO}}YD8z<}dS1Fx<8Q(a7cWg? 
zOUkJ#ZeK`lz-nD(Dl1Cx---poIP4&$S=Ivz!z4_+C`RVykM-W6%;+a)CU}82xl&pN zZRUIYoT}2gs>OFmbO%|a(L+{~r)7ckcu78(NTccWNodXYT zg%D%nVlHyv8$Fb#%VoGU5)iSA zSevL}R6lEW?WGXpUMdNw=*_1`iBeJ`rT)p{8dttS%>fTP_Pd{6FqI$$mz+0;2e;9; z%YC(@!>v^NFy=Co*T*Ar@;91bi&|X*LTTjo?T$HUtz7 z2z~Y~M@+A3|D##P&JiL1fSV`>t@ZMbgBf0u zu7_TH&8`X&pOGi+V=sG`NfLSaNPsV>t9;#ao0@elyy_{dUfZCo!MNc*JHxTPkKV-p z?VbHGy3lM?3yPSx={(4|neuvMEcf64e81(Z{kD$Xy?pa%e3sM|EqIH6=Jl){uT1*m z)I9wBR&(omVyw8+~KkWD8ze5)Bom`~e(#c*g zJgx_T&Cm*;{{D8Mh7(TT`tEgQ{xWB#uE0pVOv?_7<$&)%8G4YveIwrPHErxqj;<+o-hR(a&kTq7{_l z=W<<1+MO_25z!5fXc*tUajG!%^fTYs8+Mp#j1hdApmqG6n?njNfqezb)1H}i-2`)9 zyebx)w?(x^$+8s`cFMcqa za5U$yUAcx68@cT+25}G6V zLIvSu_hWzDc~TCgBsWd|rzvs|0U*B}zIWy)%4c*2_q|`mMAH?FktYB$KyKE4ePPQt zoI2C0FH(-hEVe&-h#zj&f3uOg4PLMnCA#~_XzML>XegmFP;c7pxXWFuqnXuz8+$qTYuURql3&*s%+$VMxOZysh8Jp; zIfO@(BPrsMx!)ucoPM}$c1w9Pdrq1dfp*}QZ}x!V(eb|B`7wf`**YSWh6lKm- zr$F%lwCh+si;& z6zqKXi-NDeD_nhd{41B>m|oEwPfC7(YUW9M@ zf=I_EGaXYG0d8#JxjkWYD)oqvMS0O+a~d<->6-ltSzFK4PX+S{Lsl_%u{v};sJZh6 zwz$N2-}pAM{B&UL)Qdx&Npp1re#3Bi{0#eEmFN|vw01t$3U&@uC&{KO`b4*n8cM?- zsiL4;`#H%*(rL>mf4)L@vW1V(ec>~b_qPrvvkm(i8of#s%W{4~`u3UPYcj`etg+HJ zbP7*}Hr?~D;%Csx9|Nov?>BtsTQ8_?;u~;O>Z^7c-_vroA>wh{1hQk-R)KkIk4Ky% z>9@fy?O35w(FpS{e&4j=mbjhX9y<48m!^2zDWe^ukCuG+CG*c;q!0-u9c5{bxljki zunIP=V?Q~~vTUQS(im{PaOHWy>HHo4tUkvT(nzZ#KaTJI0Z&xtEbObF4#;oR6scuS za>SjSZBGZ4u-oakRczoc!#cQpDA4YknQY+LdPHS`9n^wGH!bu76-@$DO3T48?z@kAFDNAhv~!$4tt0g2^Spmk*8PKS(8?z7N$Bc0hq?3 zB7MM{gBM7?%F}Z(m~7dSI`1PN3l5J)$x`5TOYD$NX@N>{^7;#k;cI^2eRSU$#PfuvWj8{WAG2pngmbIPo)@X&hSMU z>YW>^9vD>zFhWeIB!KJiu4NEkGikdNOUZx>nghLOx+C`-wc=qIf7FQ8Ld{9^36;*0 zo?{j1;C_|O2ZG^TY7Xk;r;8REG*wDY28;S^0jdKnf{CD+FaIr2Y}7unN4H~u+Y}H; za~=%29Y=WChulJf|LPJQ7@{8%;ZqS06|J<0vD@oez3P2j}hS zXzTUD7G%u)_OO~;k-2@Dq5Jh@YTsp{Gx8(6mgn1Hk!t^?WD1JV%tt* zqp@w<$%$>-wsDf2bMqbdz2hDCm-P=k`x$G`HTRkyg2AokTR#{bP~kz>W8;Qgr`QhJS#l{*Xd}zl{rZj2_F>w`w7T}} zZgz0U%KqL#T>OGJw%X@iZO*a!1?LuV9`FkDRN-~p@tTHy^+?F`e8l3lSy+v_Bm?L$ 
z-6RWyL>x-7Zv$4ZE!&GzP<>h~^(z|}yTmkV`Wv@-aktv$t>tVS5btiwJnVqozHr5xLflZ|7){`HR| zN0EXgX^{}4mx6#opU|TCtm4p2;pd*DPOcIE@GzbttJHvOJzPs!8um^@T-ft+4Sczc_@7U%@k)HRPu%_nEM(*zW9GAX<;v#{J#>F zc}8U-PMQ#-Xwkw&{Sds6^ z-Q-YE)T5Q8G8P&XDi6N>rgKiQ-@NGcvltz8OQ;+XT}>s8;X;Ts8Tt3m-^x2l!kHqC z`XRz3i*C_yZ4t3qk+vP3Ope1L0oot5K&SleO!4s36WA1M~th#*ot{!42s9*?7e6? z&tT*GTJ&X#R2Mv^o4Uf@ce>kRYlGaDx+STXql8kl>zTKnc(&k62 z*&s)VNHG1RM}zt1e}niVJPJ;2n9^OdI%f5Y6D;OGvDGUM)jeqYG{Ez{4w4 zo=Dl-C`CJG#eUDR1p(a6`5y2O1QD}=hJGO6qN--5V|e`+UYiA>nfavP3n3*1$!b+O45gXlhUF5=P3udaE?9@QfTm8>I_!(}+NGI#aichVAlcjwtPEAN@(WBw3({gG!M#bWSoUUwtaj{e7 zhkb~?iN$T>`-iH?_XVTdtvmBttA8r{g;PWl{V)ujL3)cux1dC7oMABB;YakMr%CPL z0*@0HC6HzW-${X%fR_Eum|aZDsQruCkE}#*v}%jFJfp-w1(O1{ccc00L|l8^V4Q)j zcst4SX}-atG*W(BH0eaB9A(CKRkFp?0ds!xx?%?@;lCJLY6OkE82AF!u%g3jp4?{Hc;So-X>WO zb@@Bk=kSJPl3Tyg*v8X*h+K{~S)5zvxathpxKnCby$J#zglZ& zzP3ljea?AWNua$>Rr_kx=7K|8wU3yyM*3FAdg<~pzK6l=smI7cFNt zkB5%xPM1*K4X5f!)}iW?4Df%;Y2e%8o2?C^_Jy$nLYdNd_Qda%y388xXP4Xbs<@c&F36b8m9++G5qxneS_Y2aec17Y|CW2S8^ki5uNHU2dipxV|Vjx ztC(Ud{Z0FFS9@|2jFXOag|qlLvQ|8>l=RQ`tn2LgU$GQ zg6~@v{*&AF5m2i!MdMQQtX*cQ1;T9}2pI?q7Cs1)qD;r=bLrYLpABMznn%w%q0U%WO)V3%xB83m=1`QwUSvlu z8V|QB$L{U?^(T}jO^|bXWWK*3ignqK$6SF92 zrO0lPvgLwNmT@LRCy#vaLnSsNGn95ZC5fWuvG`S|ht>%XDJN`eeJ7 z7K0^bi^t)Y2=-~h5V3d;cR84q4}@5$V!5{JPP5KgmWV5bzmfS zHc7S(aRgCD*fe~wnDfBO=1plqj8*Q530Lku+g~CPF!(beX!8}YCx6Iq@;Ul25oQ8R01A*7aW-Z5o(sR%1Y`lq{Biv7k={=~byNBq*azPl&Zk z5EF0}Z2Po{h$1ywJ*69QlTef?O-Yri)=M;ho|GZbAVYpN%o1O1_G zwT1$H&O6~}SXhj~Mp?GWYp%#&yA?&HjU?V0tvxpk_rc8APbpH#;uc8kB;odk>Tu<( zxp^_tVqv0)acl(*hQHo->{j)m*^C8CIL;9%b0?97i}ptAVAQ)55gU>wDZZxk8;q7< z7Vr5y%stEL?_~HYgJB?&>2bqe{TP;z<{|{hA^!;G2Ux@WzqjtcBewZFq8re*(oQj; zw%L*@%gm`&&Z8^x$YHFL?0(M4AtNx5cxbaRNxxeNXRZ!-z@+{rku_tl>|%_5)d{cI z|McC@!(DZ;Tn}?Rf@2YlV4(0ZEU%yHtB=;kH0!0cuXav<>Mh zCCkq#vuPqsMTOFch%h9+$83`0*`f=6>-4Ka@EMV?O^of945Bu;P~V&t6OP4rqRE@I z1f;v|l#?~She2EG9)+8*e>w?IRVBm65=QCigD>$fs+F&@i<=%%v`CV5|2^3V7biMr z(gh`g(~n%Y&=PSYOBuQ2(aeNs$b~hNZy`n5C{_>NZ4qRrcK%Zfj{#Gs0O(m`f-Xj+ 
z3V}lUHWqCqebDoviw$r8JmtR?Uw1)5;rx6(KE??$fgY{IQsj)5uG1-_+pUtu>p#-h z&2|`s-J1@E4gErKX-O(;&BDGX?)1|pm-+N3+I5sHd;yY~*9A4>(S9(Pb&Xd8=b3rG zF{IlR{UZt_KqPbKTq@r=;Bc|9YwaGuci*20z|n9>@t{Uv3+ZQ=OZ%Q_J~vL~U9_sr zF+K9ZQyp3<>01$m8XH!idX&UNS*5c|ifFYd9xn@OI%($NJe;lIlG$-D)MOeXTP#MR!=Rf() z@t#?n|9=Yv1}89J_-NXf;YUU~<{idIn)Bvk{=8yE_r;ibd+5W9^CEbMnHr}v zhYjElf@nKgpTwN`hIGBJ$5#WgTCZD4>2!ehLD!>_SLe5V@l{p?P!|vF&yxGcN3zS+ z(pOK{5v#6ApqU#_SsUQv_`ri9t|?M;Y7G6$J_hE38qWpdRY!SpmtL(gyT(xk!s5#c z_8DF0zorMN;;)Ig6U9yIaM;=pec8YqUs2Ax7uO}7+oZ=4+-&vN4M6@{)$2QZ(H6}2 zF9@c7&X0?ZPw${wE$!O|Hwk@9+d|qbpI7l}9y&nN0Le06=D+R@rn=H6^sgHVItPTPT^ z)#EE?Hc#E`2wUsd$jSJxubIB}k3Bn=Pc*>EOLlCEL?J2jmmnkUW)n=rH3OpgK zMvUoMlG1gtW~rOj>e_d;G1(h7kB&012^9FtmfE-!%N*Gm8Ug&rdy9Ia%eQykJhuqb{Cz;G*>wp z$MTB$cdjWqLOi7t?e?tO)j94eUt(^#_f5qRx~?U^J6UdX(bpR<{k6j6&X=X5%isRo zSuef*cQ@q9k0ncw$i8oYR|pZr95T}Fc;*XMx`=<4TNyue0JMN?V~IxQ!u!d*gpBx_ zAh3jO9~(b2z9s-!rm+FkEX{q8?SiNVWUu8#TXI~@tSjpmcBFvcdCriklZt;QW3|aE zMwZi?_Rtth9>cK;wSmOyhAIYq(Qa_qi_~bDXr4mySSe-JLmLJ%i;9GJu?z+t+p-fy zD0H}TBC(i}=Y*I0>9!$7#{ktBJhI=&EK;0eu&+@hH)3m38?}=_#zgTmJMpd>BMU!(zfpl`RWR zuV~VCihL1g4sxl^WUQj;#DZlKOc#ftZDfPabukaH%Z_Jxg?oH3k)BS4s>w3xcJ<)i zP9rJFe|4)y$ify%J*imV`NnIgu&(uSjFiPb*RBjP_PI=zi)1Z)9Ymq==7JFatR0My zDF4ICrCYj8;3CO~-tBFa5fKkN8@kScTj05HSs++MY8dxD-A|dCP2=aiB=eWA(O5B= zKGn>Bi#6QvTv>(2`l-Z-O^|lOQJv*&SrT&fitQLG(a@T<9cBP4O4Pdn;r zm|-YhmT(fVJEBN88nemRS1`R};-zjwNoq2x{qU z+eE%ca08||SN(@&B;Wuyd(f8(;plB|ls|C!myF9zE65gL^wBAHK3-{ws~5ccqG4Y# z`-Iye2n4bY%Hv}y%C}b43IgNe$&9ua;0!6A$$ER={V%0U5ew2UjTC8MG|JD6w-qVw zk6S3_KM9j$7PMVEup!RT-GTdiaCmLblN)LS4qE$f`j}=33&|%`f!WyTMZ~13{sbq) zYtiH+pPYXgDmK&dT?VcAQ`VAh4zH$JHzhQ&DBO3Pq#HHjn(3g#=Vlxye`f0|7?n}E zZg0%`elO11ycHbUR<`IC5lyaBxN6f-&$j+YZIr}E0MqnmY=-|IlXFxCG6tq}p`IS1 zpH@DaSDzY0g2W_QiUohwV=La?s?w9UOX*Tkzu@8f!4jyq34Y9P8+qF2YAriBZA8B- zRLrXSL!q0mekfmsxDR&b$VW~{{@ak}mM@O-CU_pq+}{21#JN(m5(dT#3q!?CNqLUt zm@BA&e<8o2X>%ShdS~s z$G_|WjY)a5-lspfi}*Fe zI21T{X|k1K?+c{HerCGV>bJ@KmaII8 
zCLgHf9eg&AIw(6x5fP_4tev6RH(iqnqmk#VxA?MK6HhC&XCi;s&BDuI{X6tm!=Xt%sN4iP#?N?n6&?Cu_4^E+_(H!AC^=fQQVmEPRtJf zG5-tl?T4tP3Fx7SKB`OoaD88OTKQ{V*4jyx7#;ty+*94+N~}2LQI}wm8pd>zNxX>R4Yvr5Mdu_3VJhrM*z=w#}U|Vk8?+dDRHb`CWOhBDh4c>Xmb{_!UK}p<%b)Z$> z<<~{@>h{C^_-tSb?|$vs_EA7NK;34Q*RJ`B?xC9yh_GG zJ&$3Z@ORxJJ)KXEa`Uvk-9ZpCGWoG3 zR^W{SDOC{N1ou`#{7gBqI~e#;<4%VF5E8FrFn{C60FcF?t559n0g+HIT^VFJVwYb< ztyf+d>(L>#KeFBgnj#!$;D}0}SlN_hUr+wXYIWjCGf{|t+Ce!!fGfwQpb#U4jkb0$ zMH8O(3A<9>Ix0VK=5KCcF|`WamVYJ-NqFveb};|r<(F0aQ%yYZC%?Zb(^{~ZfhOIj zb;M9KV{xQfakL{zq-ECVW1<71O(JH(2+pvqft$p+L45x~v!`DJakz3}V6(~HJ378T z_Xhe>Ty4}ZcIu9~>Hu^!Hiur{I-Vr+Q_s7JYoN=h202jeO1V&fa3)y&RcITZ#!v5c zpv7>x^PvBv-ofRRL!nW^$;ZSZlsglU;*hCAe&SIJ1#e%cLpZOGeHh%TNF9c$mrm-T zS+$D0KhrYxsj$VQ)ds7moL9WebWE>2l|n78RWV(_Ahjk$g9+6#GFO`Pd$=#rI;k8gu8m_QW)cJF@)F5dG{ zI%lFy9$}APklY~QwhtoJBkF-=QnAt3G0I{3noe=O5m!b{DOuSn88Q498|M;<%w_s< zXhNZt4~uOgoK>j*(}~=4FKjo<&mqgmQc7p7f7`>%>ftAMfI(k)1flc5myjP?R8rUu zMc^Y;2o%s8TrWR2vGs1M{|KSHk*r)n;1-en1iw;ph+eBdFg}OgMi#?l6Mk2y+H{33 z=G`G78_X)=+%2gVA63Is@CLUT4)2_v^4F{D`Z zeuE@f`V|?~SL}VN_dWns3F`~dPxJ;cp+V}$Q{Lj_P%1nOH+1rxjJkg4mQAVVUJOM! 
z%|F20n!t4W`cX6aZjKZt2?}UXSnv{K>iRva6c=q}Y%;t_`G$X_3$`lyh$FUiko%xD zl2>fdA!pMo2Q;LAkRd#0i^YzZN;Bu}ZQY3-dJYI3uhd zzpcP^`-zxkLiciOeq|o97q@_NS))38aM)xz=EDjo$W~@GOu(Av)uhA~D+1Ww7hi>S z>oY&zi30S7o1~tGDhU5*H?P-0ZONJ(u;{ZsBn;*@DVBVvjJ15cU?e`VASQ~)gpxQq zFsX-&vJhPx&R3PTPc+d*`rM!WNfNm%UB^Pb>hGR*(+_OsSMWH;ROH?NE08LvLcurO z6aMRQ(3Tn_-vvJbpT`^SHoqHH5D`|K5b!T#drJf&nU7HRSMMw6>D?6g5Y2zTL*1X= zw85^P0Csx?YzAN6^h3jdcOUj{ET3L(q|_iD{8pO|$1xbbZ*t8YEJq_sK6Q&(cU5~B zfZcBD>TsJCmx%hUjK*6}EuasWO1vTkaf@JL(iU>LNLb}?vw+x>zPgkYRwpteosjFLNsAnBu$dOl`_phd(@K;ui zHE`B;Ud~mHGU}V(x=~_e2Q3??+(4a2F8ns-0G)?vYw8WJ(LHe+;5`*LzV>5n%tg-uS4ITJdSE; zt6M`p6yCEzko&DFP~ z?i{e#Vz9BY7}A`@d5P0%Z9?xp$LWZ?X(!uooB7%SoSZoWK2mk86aj%=>FhQeZ*`3^ zT*mjWuE@*Y>_-)>zK-44a-^4;?~^xEI$dWrro4~cWU0J#Zl}iwQupT@n;v&DrrM49 zH=rKEx0_eorp3<|PZ!Qv^|R~ovg(TH{NPaT>!!wRAp&2^hits2u{kY%VjEDe>KcD- z+{YCHg#5(ylF2RS{qFBQ$^FoUf4SufbgU&+-8u|c0oy$wH@$^1n1&&nUV*j=O0V9W zkX)5KmNa0_JAleKrIuYD!zAu_Pgsa0}Ht%nC-i%FuI=ZVdZRVkAsB-RN4)z z-l-~MKo0#8M$Z*o?(vTmFW);5@F(*Pgc=(X4VjN)+<47cf51KG_mBJX(gaN>!3%7G zcpZZIx5OZRqNC9-EhrJn?)vZIT38UuL#&K#Ev)f!A9y4SJR*#tHvhg-dr<|)2UXTY z*VdY~z|qLT^uE8-7RGXC4eg0(f`Z?^VK{48Qq1>PusKFq(7`cKvN~0m86}o2rW8E< z(?<%LS&ouXC`H7_SJJ6BUQy)ct!Y4$K6e4@eT@NtK3^p2P>QnX}gs$6jCo93X@i+QTli z{_<$+MQ5u5>i(RLn%ea#ZK1+3%W;zjdQ zFGVs7C4XY}CnTGZ;&{}v3*O+B9t3-Xe@@4_@r~lRH7APv3uTYPnVT6TZGn?m4m5Q8 zL;KL4iLplgqK9Jp9Qd;amU0Ouv4A-og-e5q6-6|>@+A{GorW-Sw0%YUf(}4H6q2He@2{0uSvWmoSDJVq|WodTWc^^)Hh=6(ej}@^91(1 zxJVE#beq^!!zUQ@`sfe%vu7ZcN(=esOg!~G&$J)TXQ~bOk{_WFB1f_^?H)qSKp=l| zrPn{LIavv+#t|I&5PPr}V%#*|&gfkLhPx+N* zDP2AG%6OuRSan((2L}#6CaowSz^I90fIusza$bOzG=fx=u+T%jOncCp_iJsmEvch` zP(hn+^!@GJD+QZvzaYH=;Uap>S!^Oja9bjp6=h=%v|3=+q02O11*5g{MBEC~Ss|`K zF?)dq-hrb}R#v2>v{8mZbNS&HooV6@9FBY&Rk>J`sUJO|XFu%OBbH#GqK9{+hfN z2cSR6)khO^UO!{3R9wyLJz>?zd*(!bz9eu6F;U8_`N$Ta?&l zsi{c69|);3YYa>KuVEHoq*Z-@X}w0fn4~i`JF<>x7U%moe26nGDLa;ECY^w)HGc(q zM9?J#ez=qhP9z-D1}XP^0ggaw;8+R8@@NVL$DgNi|75(T0*1t0XX=I)rmS!ML<p?AlCi+f5qCR(9h6#byL1~TfFyLH5! 
ztrxU9qyu3M$eQn%thFodsXle?d_y4q{`Mm60w`#F7@dt7I2)&?Ys-n}0V|#dsZDwx z4At}b+;?g1y0XKu=UjmdL7mcD+?NHY$S-{rcU@1%^?s0b%g!-d?+LD*jck6G=~?N? zR{KXbc0}2$Fw;6Y9feIZ$Pi%8w`Tu_x(TLnZi~C@ez>(hsl(=^vwr6-Bs?bD<<*d! z@I4+-<#J)~X^nT7EF*pge7%${1~6^j_8IyxJk_aHX?+8oJZ0;gJ#1b0b}wM^+TSSN z#qe1?v?iZ>URf+zcTOT96S7{-GP}4r)SW6GrW1BLpG%I(x*(;Vmpx28wpzxkuxGj^ z3Df(W&+IovR6hu%@|s_wa^nwmb`4d??LydVAZz1be!$4H>sv88X~*i37sq@08UHZL zR)1g%kIeqFZ!7WB*836j6QtDV_081ddkH+5;@f>weGPa{8w+wmwQdx9wOAn;Ci=j| z55>W{R5`X07WzBEp){*-Mq4>G6v=)3Vf?(ra<;HU&0)9(Iv@~QrTpVwyG(TDN-GyX zh^WUTgp6EK6w(q^ak4_ieM?-&N%seuH*+FKQ^1%+l-NPUDE=EIKbuS^Jt}1bOHn&C z+LtJ(e`cC=I>(+I_~>W)tbnQ+>mcV^n<9aiFPKI5lKd+u`n(a%T0bf6tTN;7!b-OD zR$;p%&bzAx3>hUj_%06+p%+pmg{hBDGXB{YGM%k(h!N8Wf6JXfr?PLarXpaE2AT6< zMnN@Qu%MvAhjj;*q+b}wT07Lt&5Far<}`puFUFBb>J7EepzT{wwls5m zn1OB%Wbbo~zj8E<@E>xqXF(r9-*W43S4AINN(zRiX8mK`{PLE7NrAU zr+UvJedw?&+xLHm83dr35hWgQDLcrBReAN=%aFCx>r}Ml1~b+LPLHn#YN%h(cvZlM{2x#7hwFZ|y1u7YFAYuD1~l&9>^jCdUm=sHab-hWNAI zzgMNoFkCiX26NaY)4b=;*KMm1vN32W*DY$PXT9J9Dq<&)m}A13y5}iqi!w8y zNxF#CNNzVb)m^$-mt1~88Tz5%SpNcsEwaqak57sE`>H+}Bxw#JDdWRe?z;u@j6(UdW}fQoYd>NW zXpHXtQo_U%?-^*RA|;NF7~wTw|fsyxaCe+N~tdN63@B zd-pM>Q$;ZeM_ct*j`W)yYpH$KN1GpXR^$%nRfRAaIG4M(^=B>~*WYd(6y%Ivpzh}-)Vy7&ap z_qH<=Ihf9UyOZ}aitzm|k6Sl}1vIq3n0^=1szq{L^{&)$?)s?l;6Fc=*^4rC-XZMT zN&?Vv{XA3%b{5Alg zby_G}PG9nV8uvCSBzY+kKFnrOcb>cr;w~F|`rf)bA-yfLx0da(bAt3bAv5XrNPEEu zr(cFH<~5xfk>xxuK+Q*&?$4QHG_C_0!)ZhOEnY5#TN|KBu4>@RHXFOHir0G{u8+%= zWwDoQbN&_pT#A6)bj5k!E!re~Wm~xgIQKl7`cJ!lc?C}NL#mD5K0a1t@X5878l+wi z885+B?N`=pm)m>HbLuO^3-{f$$7DaJq$adP8Dr7+Jm@C7EPzeZr7gB`M0s@|MmT45 zzPHxE1t-elv;CM4Ke5MmX<;f+IQ_UFgQbzgvmDJdSP4&$L}Ld=DoIh4{R9)r@dGHi zJMp$PYb=>f`n;;xuL~mW=fStIRa`&w7+?dhM{;JJQL_4#QJ4bzSoXO00_7)E5njFp z9vFlkn4D?0LV@6?i3>QFJpzznMms%tr>TLno~}WLhStT|3YO$9FWWs zP*sNF?w|y7aa1l}*sw6t@YgK={aERbSoob1b{>cP(^#G0tIiA~v36u5`g!4b$B zgg#D#>?UC;Pmd&%z~~?WB_>=hJs$;6`1i9Eb(Cb#yvi2yz~@R&roabsGG^Hk9#IRa zQk5A-0qWu$=xV9piBp>2O0swJF@gGnQ$h)1YZ2gb_;XDyJv=8q}w>sE)=Ij>&4 
zK6KBE5Tz#9o&c_c5sl0!BalX9hiHd%2>KuN1ElJSQGO47O}a|%bO@;#tq2tGDitz%pq|cat5}w33t5vKucQxU&*@W+aI(732BtZDM-~U zGx=P2Iy`Rtn(0sSO2TRrZ{j(9(kL^Aq1TEX_y>hq0<&%{E>g>jgVM;J`|K!w=Eo?B zed9NQMyu+Ir3_6rLB)Zp@k6aYktCEDl4C8_#la-MW){zMIb(`;wViuaa~wVitTQ5JL5r0SB(oNi6ngREvi*@q97FbgSYWB2fTOk#DhOs_ z&DWH-5KzOq7p9CyASK1@>64I&L`d{cj4{JBmpW+Bp*HwdKS9)Juqv=WTf>{ik&wio zZo3S-%J5gK@lTiHWK6pR<-AvMI`(bKr(O%y?T)6Q0(c|;>AOUzLzCSG#cH)bBC{-Z z-64%FX###ZM5ckEMkNYImS>R1mPO3DTs4f;ciC z!_;^QVR3veb2FT*L{MQxu`(+ke80VETKjGzLFA`(*n>(Z#ma)-Z=#u`N$9~ph6A*_ z8||TbBSq$MnI=$};=ah~owj6s;i6?m8|D^uU+CvUSkV$cz*`nB&HH3FAd1^oSI2$$Rih03}&&hEkO$_~E zk`C+G;&5e1F&vJ+uT}DJ>v>7=Pu;0>l2>xf0;I}0K3z*vxW|jBV=cS2EA*oglZ4_) zFN==R3RID%8R9Pp2&Z&uKk#8luUHi`6hsZ0{f-{_2^}cNHTEJ|#YFM7LdxwSH81CX z5mwkA+&|VFmK3nqe^KDzCzZ&LDQ4&8ER6R%I9`Ymjl>R(yz4Kd02l@i2q^ug^+|9W zc*W1ZruX)C3iP!jMu)O_Phce97xk5HzadE zE_qr(E>ADUe1MB@7e^Jw?4F?8sq_1gmwL-)x|@51@~Q~pH7y`NIb?g|{+#*Y!N>V+ zX58VD%C^E@AKTqz&$5~);N?Qj$6I$8aVrZT23FfrjIy-xo zcCF&K`>-56%*|q~xA>QdmFt z;?b77S!&c&Ey>xz*uST&s*K0QHRSC2y9!Z$8ZTs?c6xyGft>$5GC+e{{rz>MkNoi* z)0e%uZO3C`P;k7=)wb=tDkfW5_wLsxpHq*c00ihw8ZcF;-@^!CPRRoyTez2rsvgSzyPfcV5ln?s=A|T#gMSl9rt}c zth!nw6=KveSqt>Q^xmty!@S~?>3n(~S;P04hMw|zzMZ(Im*uQz9UYtLi_)R%G@hF; z1A3lUMz$}<6JFFxJ#7NAJ@$U8VIXhR*1gC`ceJb%s`A||tkJb#i)8j2ZNUfkCrLa(ipHO@2heFl(P^e+wT2b<4D#Lo^V=fT?c6_fVX-iCQghDgq zqEU&1GyO45ky+%P#u6t&Iu`{}tp7Jzq>ht#8hgaFfEVbRMs%uikN^TO16X5RB2;p{=MNO*wT3S(hC{e#p!VKd6un5or zWXG}+sYxR_LM#kiq-$CIsU;OAAttUK{}AlpY0gs1(o0Ym3qF&0=fL&~XGuplBr!-v zq4_2tHR*`kkL)6aCdaLu_s@X|7y!u9+ug$+W>9c)pNMD}p?6+xHiM&YE@zwj-V_f7HdX%@jq%}5Gv(N)#oMElw1E5 z$&|{BB2P3gkRY?xgyD4bQ1MPZ=;`;*0_6LiLoh%%LB6t~@4!Z$XEli5|L4N)gz7Ga zl?v48=?OGZlonF$v`{^aeN~rjq{zI2w#z8I*~vi>A<@A3g-7U;<|d;gC}I(5Xh)Sn&){7Ow7ULZCI;58 z8i*&iEb_KuVgVm#fn)2CO33k?l!f)Y?ZDu>6cvWWd}0c2NS_-Zle-P_}{!uu6u2U8&@A5C-Bhs7WEjxS><-jV!sUdz>)CO>fOFtK}PQRZnC{H7+pRNjaQA#M6 z?WHuo4eYPMf#Hn*#!SnAZ2xUA7$zaxxICWfyFu3sQ@rl-b)5${ zJC(7;YR+1U*tH8z&O@_`uwmWlM23~NhDbQVQ7m)W4$kEF9N6_@A{o!V9Ny)1?Xzbi_tr?uyl 
z=ioX^v4jZC@6#(yzUZChq|@V?D@yuRhNE$BCWlWkdolO1|8IeuK_>)*=ict<-(ko@ zeIE%CdrcQ1UExrZ8t3qKlX=BnyZl-<_TUw*%o|Dw=Oy(4DwYf?N1#7K(`^rX@FLU_ z2sgU|v;zL}jturw_zGfyoWH3M`oIeje-40UX}kd{XYmqddXB)m0vU*wydMTm#e7%q z3Nm%o_haq|_)p8qG1D85@NcAj*X!}M;dmnn9OtlOro=XsHt&-)-tLo+e)|&X!fQJ% zn-mL-*}k7P$_ZfaIAJTDq>?aniluIjS*K#6@#JX$h3jpKCF z@cRKV1fN3JAkRH80F5V`n-_j<&>I2w1!$Xo>umscK6efOqQe_vbJ<7#=)is1H8`XO zcnw*TRlmc0n(*+d=Z)bw!))&8VB@0Gj-K2+H;u_$=4P)QW}{zN;_{pfc?Vj(bx`pM z@M2uT^0VjBf%ou}D+=&mS4V?Hd(hR|JCG||`ZdUPR+=x{-5QvicP_Lz*sp?UUit>M zbj}O%59!=j!^AV(_S1ZovYdMwA(HM%@9DQRaCA2>{z^RWt9vm%?zObp2~%b|k7M-! zE{Dm+vdvdR{WZdvKW6Z5?V z2;y?*c}{sgw2jg6ed*OXItM=C;AVEMZ%npV^Yw*?W$Rw*woPO{RX&|=$U*d)mlj)( zO4gY?e<52x4boa}zIF~Y>-a#@W3&)j`b%xN&W<0N*Pg+KY@QDw%m7qEO~dAQlPeH( z)AJo6@csq>T3Y|toy}=B8E};0J#?3BRT%m>kj(1aK5L>@7=>RgzLn~D=~geT>r3&9 z*Ltr=$mh9w5alL4_&i$;0S-bSG?2G55aIFM>wh@%$Aw7W#5XYnoY{Mbsbe10rb1)` z*c~kFO%f0AJ0+Ua`eSA}*B=9@AzIoVnIwnHe&Yl)rxHME<|p7W$(RiZWu)@`;Qv{+ z>Hj(n+)7RlZD4P5wu_5mUf+tAQexUD`+SYUKlzRns7|$~l*V;~IV_dGWPO9eJ!uRE z)$=5t+#&@wlcqoyH>0MF4kHl25-}5Gf2*zPIS%lcXfj5(ykp{^dyBFSS5~EB$HI9# z3m7fPEB`!y?kuR31ujEdTha)Mhhhm^tTPX8@y-S$$z^M$lovm(TpUbr zu!!cyb_W+!m&iD!Y^Srgs5t>rne}HpbBwQaaP3#3}z|@6j)jeKnvV*JC%wR`ktH6^YDkBn_S8K^UTnUjbZ`xqiW zrDj)2PUN+E&M;SAe$~iKaOw*GS@5Yp4`0JL>|RP{!=J?3p5i9%5__ z7STxHUYQ#yqYDiHrdF5CtOadxa5QPqz{);F1wpJ@twQJv3`TKSnL=f1=ZOrI{NNmU zWd?EQ$i2TJQz4L+56s#+@lPsPvxehkO8V!@%~sN{BH$AAGlrRzes58~tjYW!V)>eU zx>lAr&YF=4uLq0Bn%H<1}g z<#P`-m#Z`>}p+a)3vR-Lh#q zU!ZF19kxnn(c|G;0v2|2MpOA_YT*lRipDzP13rd;#HwiN&Xw=N-v3~bjRzmAmoWt= z;1BT;8A}t}YIKR3ihcY7RF&p5(mAA(ehGp~4-O0FJW3B9aw-m@NXoHTZ2yO-a|*01 zT()(0$F^uQyN0vcm9`Q>mN4 zZkUd#$@dzjwDp|NB;kd9RZr8#NRvdxo4wQvH0%41d1Ib9TcMK%jah1jmDS{e)_im! 
zU^A*D)yIMlfzXYHR#iUwX~kdCp5oi|qrAhbz-HGtIQqO?Q{%VlcSSvDuvmLym3vJ87m zty$@Hs$ZCD-~TCR*!nGYcjjy~%_YvQmsxm*GQ;y0M>?Tz#>qBpBz2)1* zzJOE8A;P@XtZ5Uu--~dXQAn8mwT4v9((!JxpI3)E0{l*#r!sY+k+vU?B@H^^l<9te4!~3m!xOruT^C2e6Pm2C=nxK`58DcxV z_oP1V+EYODqj@JQ$--wwzAA$|MP`$I)1kf;Uh5))4MXR4nk18=NI!wWN-S8yo|h!B z+j)x-2UGAn{y+g* z_bo^3gXd}&?3e5{h)e(Xqz`oopQgLpi!cP>zmmaf6ZST$RsS2`69GNoAO(Ay%~p}` z`Bp0PozRwb?$_znJ3LLLnu5SrL@UPD%j8sufPl+V?X}-)p!fCGl!-u_Z92`D$GMY$ z?@d=QHz~V9xAC?X550el&si7G*QT$@@&X_(hx2VaY)b>>c(Y;NJJah8Jo}Sf@94|7 zrhTsC7IjDuSVZbr}exKXhANVo{G+j{7swJ16UXzS0*UlQD-;1x)|(@%zc2rN{SCAREl{HFO}y`k@aK~JJGe{-a*qeRicQeX-B$}@ICVH+nwDta*?Qj&CQqsKMP zFhZl34xln^)D})BU(bVo1@pZiyEGU3Ir@)qv}`VZ3MyU&AnSz|C@$8a*_2;Jiy>=F zELSGm3-yqU%09%&zY^_qNxv>FCvJ{lyPGqKQxeTZf)*y&D2`I7jDN{xsD(Ce)BW4S zT%KVJ5wgr>BUeA^vLFd>fa$OzhIxX6MtA{Ed6V&26J;arvP>gdv_sg9Goenmd_)~0 zMVXOq9&CXAj_llDQ(&~UFI4gQ-8^@Mx0i=+L9dsCk0HBEQ#!Rvyr-zM8{L{~*of{1 z#+1xb%tp$LI*9A%WW_9Tni3CFC=9DDj$bn=0#41&H|*^AZ)CH1qv;U376CXJYC*Ie zkBN?33%61x8G+kfz+?+|$s*p%TFdb>_kob2!(9uvC8&!tZ#Yt|aVO-wXjrJKY=qt@ zL4sH`j3*ZgQh3F3K!YaQrp4rvxGTnrPJzw29I~DHk{1IS<*C)q?S~8fvRAuNgO-H! 
ziKh5^)&?09q~-hLkAQliU%!;d4OFOj{x%1(e+E~Wv+Hq*%o-!F9MoUHDy@N5L&IU>d}>g&)kx)wkxcj z#WdfiSF%6A&J_98DHW`!cCRc1aUxx%Q=Gu5cRHSOX5lm#y_>*b&gIIv=gPWqP>!D_ z?;s@#|Ta;jm`3WK-3maia!=7K71~nY-urYyoBk@pr!wFqUUK(OPP{9!~lL@hgKcvlQaGNhC zV~U=V(dIKG;n887iHZC}ZRkG;!29DcYAMyt50nCOB$bZlt^i}+i@r)X$yp5Qz9j7G z$B*sLL43A*_;Z)8<>q)?y$ulxvd)t#^Z@E8w0#c?S;QpmZ$q*xSruED7QBgo8?BT^ zI!+~NBor~0MK>E)*%aziOcH21+Dy_tt0|clB*IuYZG6W5Sur9obtv3~uyR?5$pA6g zAi1e*R2Ww}bTfohQ}eWI@6#RDK(sBy!di?jHAc?R5Ow;$#Qt*X<) zl6<{D*J2Xm79*v>YL~F&(KF-CVhvGhQ4vWD6r=)Ju_U%3FH#c759@N6X79&bY9@*| zvVGPr>Ks|Iy?nKTnP}68oP#Pzbxu}ESKY!u05(XweUy5(hfS8KWv#f9GdOTtOr6y8 zeNH3{d=cxOJXek42{+J=WEdo$LX*tlVogT107P3t%$W!8%>H~V+>HNMfJ-3KBEZ{U zdHxgr=4bvriQftW(@LiuFu3>USK}^Dj=13o%nQPU+(RyFs0d|{puvDYeNFgAt>ZeN z^zvose3wRG=S;As>jFn-$Mr;8;lq4c`{Ze;&>mM?50vwnqIE~o;hoO^ln=qi=ZbHo zrsv%~v$tx|?={4e`nJVq)9l>d?xu%5KwYXWGE6d&1B2d|Df$r~M46eekUmmv__Rl77^ID)g z@$CTu>nW{OVaIr5vVuTg8IGgtrtosx;_J1n7+S;sIz1QoG&FUbDbQxt&9U60+}e_z z)ixx<@o2DhmZ-JD#qkNX;ru-KylFlhR&=x*RAOC7K zZd0agTKkjN&K2Ij#9z0&uYDb+_#Y=NJ13mWs>`)5+$wWh@0{Na_^#t8a&;t@_4y7$ z9to;ULEtNRDY~1VFRf|)9TPckOLh1v}MP#LcSmP6sd4t zp@~W0zo$no+6j7gBr5Tk{w$*45}{V5@bpH7iD1`stOgHoJ5eu=!OT`JfRbhxKR~IA z?o8BN)J9gPvp)UHesjvWz-}Z=a8!vrEMxOKEvLkwIaD3uMhOg77+q*Q{%;U1TKyw# zh|1vK{4kQ9tgvcQj%cvDVfErwETdxarMh3W3XeDFR3cn?(u#mQ79(n5B-_YKyK%N( zyo5N*@uyCj!$Rpq7NzfS8DdS)arH4S{zC6OoBc_l)3VN5qKIXQx>YUMHi|>LU82pM zMDjS7MdIv#k@!!_{C>)4$fQu16v(ZWgTgf+XDX!gm%vg9+Q)PnO#3&~O=FXcEvop& z&QkkL6i*S$won$E&k4tse=m#!GpktgFi|CjO2%C zh$YPaiA1V2Of6J&SB=J8!r#sn<*N5(OiHOfS0m|pQ z+(|~wW=ScPe_065Z^02mlu30YgUgZqHW3-YBM)LDd**3mOq67tG8#~&K-8R~546SI!~ZbZ_=S(U~{Ij0z+gN{qRW=m29pi0PIeMHwC#iRckL^Cb<7Wiu*Zm49Yi+-7jVbupB`t{Af<; zk7;C9JmzYoW2b7k9AFz$kI3Pc@{(5AAI;0AeHxT!-Cr0Cs$dVv$4u^aW2Rhd$VswD zP^KmffRnW;XtW|Gq^%8U*G8@=4KjuXz-3phIrH?FWjuhguRxj0;^w3%p5xhy?% zOBpGGjhS`~DrFnXeb@u{UbCJ(KX>94KEg_w3mGm1R6kxf-hSjB^19H;7J+AnK(2)N z6|)h6uYu|^Fv`Y7lY8dRUbO>y&{Uyl%YTZ1;A*J&bXKCg#z&7HNnTXiax5{q7MHqO 
ztKlsaz;lF@StvHKEn01mkz`wV#fz+lS=`$>?K)E3@uNpY!A|aP}N&ePHsE5#{h*ui1T{p9~Z)jMVq9G6KrN8)i zF4xJCEfCB+Cw2-ttzZDE==W*3O4j zsEMKH#pq-O*tji=Qt-|o$15HN-1oQfn{Ed681H=}AbG;x_3cspT7jS&V@tc+DryLY;G6g{3eSDk|2V63)jC1%ws5UK zXYaWR9UqfpAOIX{fXIF9#8?gH_etmTUpS`+^|vSq(OVgqnIQ5OKkt4V++p)e+GtqT$0CpOC~+A^V1Jv?qv$KOcQ{MH=y`rf09YGbbO8r5>1#eM52CIgp0iqy z;AB|U+xVLNu#sx*oay`@we0PmRBb=|g^sg5AAKnV?ryieZJQE%w*O-TU%B|t^$VQD z|LwkbKqS`43t#!f_n1cl?@1b3_Rox?yzD zuVT5AmOzr6v}Wc(HXk^0{Mtu^1pz^>V^tcEg{R=oLX4eX${A@5H9}J`MC3TTcOWQ7 zO;l?CBQj;0sRTp#SEZjQ0|LuAWFA1_*sb{@izWzvDIEdDix;_ix&Z@76b6p)X3(88MPJ&?SWM3{8uDKiZEv zfM&sE_H-DkNu<;Q9A6kQkHoNrDe}~3pv16)xk4V531=$j;a`{7<;Wf*{RO|^LAU{5|h&baGfCa@!x-^a(AwK2rs$0&mhGF^D49*+EOk52LTjetmEe=y!(T6hK zWh-?+yp)CxRC(|`<52noN<5{mbRLPil1LjNy-2xjM@TNk1`S6HqgiL|jm94o0V-_$t%`!6xpNuLEKdpvRvZWf>-Y%CCgob zn5yzLR*Qv_VhQJvdmbn+BPoWqO1de%T8>uULH)2N6|IWh=U^&9%jwV=tPGz$qR3qV zW!IkdTX`7$FTvfm=wEO`k#WK*s|pSINW4;W$JZLUWNx*QpV(EzrcUh8-^u=w>AjQ`jeBGD_YrX>@g$Qt>K5*t; zg_7BRf*DjT*4nAcjgBCQu-Z@*6s3v@d3DfvrMTwwf+(~TxzYRzjU|T?^E%n`g(w=q zLI^r;B|0^QwGnAyG2~dOI9|2Igg67{U&`|Af%}eJd-7&W3FUq|OT~)J=6v}|684C= zi3T+IkO~7a$4y(zTZ>;~LO56`2N!Lu0niH@YOcd6L<$%G(qQk3N%`wuWnBqNsfyT7 zOUFIDCC@;1#6qFEa>|VGzn5<&M5LaxGiUUZvB}FGiBxhDzlD=)-RoqjEaeogqCY2B zXZ~CK?Sd&GU!mU+;HN)6pHt`guLK@Nym!8!Ul5>#DWi!wU#UJIUMYb2J-@y{0vTiX zQKOM^xBO!{cXX{gbMaa>8+EelCjN|y>D2a^xs-IzY{%KeSO7+^HxByuq$=rB_2@n) zX%upSS3fsy1$68eXjzP=zBd=GA# z84lICEJ^HlKnOm*S_Thtf!h#$AMP!Dz^0@WPyf?}y`8Ctx;H^RbLf|F{(iK;8wi@qn|Z9?GVT|RD_t4}q&3<=4Gz1Xz18+D zJMz}RD~1iZqbzm_zMH?-J)Xzu64DZOpP!%f-q%Z9wHHcK*WZy^yCHM;8r^O$(!XmT zZzjs&?ETvvuBr!uIdrKmuJm5EVAy*O!h=7&?L7}F0J*KNa4i$NznN48U{>bm-Odt`zJ}@RN0%#!pPWz>zJdyry z#r89fEg@^t=I{PA6Anzi7ekMoH)$%@r68#uw-+b5Q)X+ zvt=F{D^JS&?77Q|46=4L_0XxRXJYuTQ41>NWOHYBOZJYKAF0mekqQwgB903Y_=DxI ziRK`5JQ~E7!ZiQ5slakfA4V8SSfvlGL@1G~)Yz+)TA^DVWzI zDwy1oap15Ze=$3jte+#~(ej;!ZsBv$6Z0mW=Q*bBm8q-Cx#u|oCQ(77<#quj9lx7xM12gE&E)0;ydan)-c%VQBH4r?l(DP`7+dJob6tj52GAyy`zEB-d8zdgSY 
zh+5eC*z(^WzRk5m>1U2b4<-^M^S0UywuTcqiaM?0T@=9lyMkpinL6}FU_Mz^#LO-?5!i?i?%5$$(s3A4JMy%M!D!IeP zT9Mf0HOSB5-S3j!(hVI*i^auAf?KY^Yxtz1=L^+N*CLSFjgn^M*t z|F!1-Rf&&#^PQE4UW%{FG#39O8FK~T1{(pLC*eA)asg#6=!+ zsG4vcP^3)-;n2GB)0ID!MO#1VS7Zq{pPBSp{DOW>q~MUEO^G1uWLZrrP4Jdd>&f}2 zg)o_plRlh^z9DsXhn|?^mN}COSiBQ5p4_{4kZ|%W(}Y7l(f|~x9g3<(1FpCQCkX|a zrb{9SlR9xFib_hRIX+EkgALX34=H2rp#l^-&LS(xg%TB%W~n4I73EoKwY?>3T{IR; z=3PNO0IfDkR-kdI-gpBa>)hF+NS}>PQp+~V8`5$e>^#+^;T$ab)c=-G;1VIUaBt!l z$kZgz7whuii)Dr1>D<2;C<_cjLKP}gXapj>sXY+jhB0E6jLm#A#@cc(damCuVy=bW zlkF&NQ3YH^w_Q#%?ROFI=eHi!fz{J-1YYJ*IP)XY3XK{J=^)qkSH45owL4tz7d-ZK z({BgGGJMW`G@2Xam#^;r@4L^(InIDU9_rGMGXRRbpUk7a?&~K-OQ*@sqI<`Vz(;Lg z@G+b_?^}CV+*-%u#A`E1PN#Dii~PEG?h^dQX?1hx4E?pO!?2K!z3U?1QZquf_ln=~ z=U4ttEx*A|dG^-d)w|-eC4m#$c~ts#ziF$*H-Sy(et`R*!s^Q7tB(%|XFJZjQ@+b= z84lm$O#9C+f62n0wHdol*RA!}OmDoVS9l8B6-Z`J%k!wOU%k{A?77_o=%e<)2c`|3 z^e6Y|(lYx^_je=;{Fcee%q*WNZi6OZw4Z!OrGEEuPU;K8=G)hET*qVRT5{&Iah#B! z-zr|EJ>NU4Lg#UU4nfc9&*z(!lL-Redz@6ve)+iU=Us!9EZ-?l2!odSc>+d=7C*P) zKRdWPuS0`jy7jlN!q%-%&ga{MO&Hr!m+j9ND53w9Wo++`f8M>#a}YD+H11gr$Zb52 zS=YWELPglqKE8Lya{Ycd_zZ*ac6Uv@*Y~-pgTN1N>A1K_noKG@i6BwngV#A-mU!xV z?DECPX;3j+$!@}{@ide8^z|wnROfyR*or&y^O>BI@$ufy8T5=%Io934>~fbhTDhO* zfBW26;Wnwg-x+ov)k%!(C|55gSqq9JpZGY(n<16 ztn$vra$fiXwEuSc8!Y-~t^qG)EOWopEUfTJ4{9@kAq6A_iH&893MAhULXyvkPk-)j zkpmE*%!`-BVoYlt)eTf|bo`(InFzromTsg^k3r2*2@n@c<`PJ6!qy+OaiMJJ2P0N5 zBJC|Ys7OJ~R&5>5EMSm%7zh=e!iTr@=#pBh-@MWJu_slwHVba!cewh9x7j3YNBT+E1HB%9G#@(RsTLCOh;C zA3XvLiM5v4hfZBjubhQ&FcH^cIM+|XYK{$;B@`nu^RQllWbS$|r!VNMF>D!SY1U=7FQDp>=n(WrRA zBGiWWRmeZ67*vT$CAeu{6M&e+);@_qMuJy`!2DZm^wxmqA z<9xw>s}wlj9=e0UBIH96qRAx+LCV0SqddbzS^Ws-W^D~|imhA93TP9^1B)5Q_}?Ib0m&oeblJdccsNL^3T~g2M5DmtFhtcyr-%?# zGpoa&&~9=o2*pe$aLlmj@{7Axq(4I`XrvVnSH%%>J@l7P7eQ+muvo2<%OKHADmh0E zY#M8McndjhzKVk0AA8mjOGekp^AO9Hw`>5el(H-hQe)1y71Z}lgDD;CfVEHdRbw4S zPTc47Vto}kXhmX$b;C~O7W1^~Pj#c?diuXt7jt9iD*3$P z;LtZt;Ll`#+$q>^c~*w`dv2?1(ATds>2UU^zj!|cU2VT#b;ucczjPT8_?=^6*s9`x 
z@V0MS(@3}Kb>%n;Me>>dp>axOaK>o6NAWtlh4VW)UDHxCZf^fm-SVMz^u+4$f{l>X zzVhfy=y9-v>r>dZVF1s2r}2Hmeaeij%IMx%2V5-Ko#WXgyy$4=@P4S|sw8lk#62IG z@^>|3_q_6ax4YZUvL&BB!!V$k#c31Z@_9^s^1i%PQPBGu;6vbloqW#k?sZ)OX;z{vLXh^ocu%7R-iyr}=KbHi;;{>c;WkHU|ow!}z%6DJ<@kaQh={`PS=ym}h1QpA7%DLW|o#gLK@*Olx_js$}BuUVJr&V1> zp*;q#X&hkqoMXh{HJvL{^u7%~rf98ky)fS_E%~)ydWB7HJuY9{x(!2rKkGxty}nO# zbOLQQ&CT*NRSP>!&kr9PcD#kj*5A{)7e-C*>$uK!4~Wwcw(jpFK+ul5U9J6{I!d?M zm%>Vx%-rFD`n$T{D~v`aZihoQnug!~KMM7)-IvB`t%eS8w~_QXT&DlDU$iP9y9)6B ze_F5CqjAdn+v^N5NcvHB-56?u!nFX<7)TKDy=D2J;7P#p%@{Hll43z$@qZY;C2)W& zp#_B*(M`v79BlXzqS(3;SRR`v$78Cc=mpMqg(AWgPBQ867kv_7%D^Fr%TkI(RhNrZ zxb}$fzQbe=!p@RJQCSl(k*Z}aw zq5 z6CokdYfrc;*JRXmRCh5AO+YhRFv`jkBCTha2?hSj)DE4BFmH(aeec3v{6eo(vn*r8 z6!Sz_yb<1@oS93gTej!%H%6Lb%$PiDbs5t4 zNP&O8?h$N4*+Pnhl94fFG7H`ni`PW$F=WxKJ)LBo#s@(4*~mei{URlz5qC9|o0V=* z5^+*gDH?#*s)7S|Y+t7%VZ!@mgh&d(ucJgq!0?bc6|zA7c>!bz{G@%{(G6Z{PWK$F zZ3NQFyZB{@~3)3K-2scYqz*I*!kbw5;(Z;fUxZntA0t_mJKa%oP0;3 z$=Qm(B4FG)1WS{MK+5i0obvRlI3aCmDB=Nu3g;v9O3e2t1(dy#5}}RK?R!l zTT4ajb?n3$x+DgKbnTRDZD7BX`3b>xDG|u1Iag3Nu~o7#31^ z%5uUf)FNG#uR4UKy7X3_MlHp@@ z3jP_WX@w(u3{4h0aF$|#tQ1J=POeF>S3cI2^hAgo`D2LktWcJZ_1%%;8dO~2sT!XN zoad%&z95vW%q)~kXebgdpB+!ei=6U~jcYirn;YlRdf_L+s(h3pMc@L~e3&)u49rJb ztKp)}O?#W@N(lB!-Kf^DinEGjvJpOFhHxc0{2@SI?oD9Mu%Q{wvywT1l#jET^Knu8D1qeJ{=O+)IM#9v~(Gw_FeKdo43DUxSHb zzSi~cSKrw>d*EXp0k7O?H_LDT=eLZ+Lw}!*LSXdFH@I~Qb#qH`wQ;j@uJ?GSAI9q# zez0x&<=T1`XVCl7vQo?W6v@`U_%prqswCImF;4$k^ej|>8tru~*JH-6Yt*lkZ<);x zTm#;1X4@l11}Lk~-gUJKx1#C2_U^^;c@wr;6$X!W;k$H_YQN(&dFKAZfAuMxBH?`g;kG7ozhV11OA`0ak+s3&?7TX}VS4>1mGF3~ z$2SvZDOkhnXm0aDTKD^1Q zR}IplaG<9(T2WrWcfuKIWsc&)|9e2!J>-bAhP18*S|MIN6cKj8SX&F$LC`VkmbOU>GEq-i?!CMFQed-%giO&KWZ);VmtawUT^YO3Y+LaB1Bk z3tuK6OdO1#Lk{3gNl=(Zh@dhBD#b?4zh1z`p(CRLM^GA(gXSePP6I|rvg}1QajM{< z7$ZxV?oMG8C@H?>Qkut;Wqf=;waJNmB8x}NN`LHv6-1y2h}42b_64f@p7zEC5S8J3_k6C9Y{p< zp^rtD7xx?QL_vFZvTQ#BFMxaI> zcE&K}iofl1@|FMc1e;!WfQlvo39Ph4{u`7pT(R}WdAz6Ps#{}4X@S zg2GGk3`JMAsL_YO;*C5Ng{gP$QZU`Pd@~3qBdV!ByvTaXd~haa(+WB6+zIa);MU78 
zS})6PRX^y+4)0Y6KRevsg9}e0s-jxYb*i|)vLerP88H}b!)*dTYKswg%e-iZ@NTp* zFVR6m<|DNa7a!9AIXi>1psVLJYB7hEARQtCrVK#LU=*YCQs{0s6?v_E-WL<`gpLbIt9#;Q$8W`e8f>R<oG_J;9Stp5u~FfU)oqB=j-8kwAxEOB*%WdrH8amG<|fQe z#uAS)<&hGP9)TH*lzB?zrR;{QFaHY>p`EH`Wz4h-KkPS5llo7jjB0Sbq-7MhOm{XK z1Auno8JJwMDs=4HG`MD(6G_n?0;{03aiR8b&0i(Xb0=H4Kj(hm$J0*5)DcTtKJ8}W z?9o~W$`k^9C$0mQv-d#`FJdeH?-0P(opRtZjtWwqBUZBd z8GRyUMs(WEK^hf6m+y}wEV3bcMx*mzO;9{3qJ2~9r1T=GN-pp}K8yj6b-AFC`$fBL z|5ew4>N)!!G>;;}Z| z;{1^(x(0pP!%c9J#mWIGIBKO8X6dTX6(L zn!i2(y#-Ab+3e;99%Wu<@xSE+SPQO%c$@r?oBrAR{kS;-Ukyt^Qs1B75rX0wLH8LS zEuVlyJ&|9*CYYdws83vHy?8i1-h2(F&*Ku$WB4t5PcmuF48W0|X1QyMRNbemBZcj> z&ihAJ-@bO7ZyOK!kgHBl!{z2pq5+16Lr(Wz=3uLaZ$tgedF!V4i9Q8i!|;HB-?@@k z4RE$xgTLWoq}XIZz>3y$x!O6=-d7-E+hKIi*>7aWX%jC_z-Ml2BkR@URmbG|4rOLx zXU!U*2Jd5=l)a+!8Pdt%{o0;;0nyuNOr!4v2+P%bPkeosY5#nVhxcpAm|uQD!iw46 z=;&A!bGHRH_|GTYN2Ok@^u+7EpQ26k?4Rwps2f}(*!MODe0|;=k(9NjwA~?h^b&Sn z-r?xokIc<(*EilC>e$tE&0KhG=zQ_d)zb6cZtB$PqMB1bC^6%*XvP)L%yedS?!&r6xYe#&FR2RV{*r^ zcBD>#AlLgj>R+ty;iO4e@q&hyfqt?4%=Ue(n*25Y%N>_>x95O%`9s#jwLCNW_AR}~ zfqYzV+bf&%AA2~r*I|OIw~=@ z62;f`lL9@Pn36jNz}l?~3w*_R2TH=eKi(5CrKF1`C5V&$k5Fv#EfgErmFrgEOMvz# zB1UlsFoldkFXNop#2wO{_Q(!nMm@~iMBoVO2am}IxroIQv&g+TjG$r*Nl%eGQ33iK zejfSeQM=eu(Fc)vD_hGq{%ts!3ztGwVP+Z!Fb%Msb@X-q5CB=bjVlaj10aXugeB(30_j{roHL zWs4CiB3b+W>xYCSNf6#&&Lxp5+67e~D_L;fNmFR-OgqTU@H9z1Il~}gF%4?~Ct$YQ zF?g`Keoz_|)-K$b!8c(q7qK5qjn%F{PvX8?5^)v2)HD4IJhnnqaS z2b={e>81PtxFD10CoRBnP1sg;pu0Y`1d+^z+(r9XLNbqoLY(UmgIcXuijz_g^`Qo> z*~zzfU|FmJ3N=HD_W)t|8!h1#lVlr2I2APaz+4BRv{q7K2?@jT5xxEB?NdtY$f!~( z=_XpxkaH3$nDY&ns#K2t<)ci{>Go&8se*iosB<~mIYUJ>1lhjnQ));t!Z

k*`+P zUR$|En6er+z=(+UaFP0tg7jzI#~U98OOU)9_8GYinCPN|e<;wDPC%TUASL}K1K>SkP;;r1p? zp|ex5_v+?i=ri>Ur!dKf9}R|pa1B`+c+q7%s3WZ6ND8aSpVy3FJ9~DG+QnaIBQ7Tf$Q4kcotL+nhi#< z`%ZG58}n_HOAn$odxj2pKTxc6#-E$~_F-zj*(+yJ4jHP8;xTFwWKv;+ z=rMC)#okXx`b25@#DDYJ&3LTV#jz+Sv=gyXU4|1S<<0=VlVla?PKJb}hJFkQOxXM> zKlWO8Z9Q~MPAHUc(Fw3zH8dj~07PnhpftcEVP`2>okG3+U z=bE0jxn~*VWtsf{1xN%}KzK)UD!}qC;6rt3^0lyD;`tpe?FSShf*mmeE#a5@)H`##w@l4~_3L?agbwjo+Aro+G2VOyG&`-YUj)#~$QYK!2fg>z3;t1PAV2 z>NrCV6TEH6`HaqSEyI`R)_rQ5Y3=TKE?}dI@48#*EYBH!?ZP3V_qG@==V7N6-Os(3 z<+;hN>omq%f!{Cb!FwcW$P33_c1qjqHB1?B;O9AqqQl$c(7v|O~gA5Tm5uZ%OP;+duC;x6qBp%IX(4^ z=f3c!Vbi-cgTTK_tKM@RP`o=@y9x|bXqfRU?Y%j9N{!9AqfULldRrQ;;oVJ4wcE5$TBx<=eJ)*U0deQ|x-{8xrhtK|HTazEINpJ^ z^Ep|(8dj3r%|Y9 z{Z_|!ZQCd0%}Rm~x9k0J`;@2k<93}`f+u@@GUv}MJz9E?hfx7O*H*1}+{coemCA&j z+@2(_%d6{JkNMj%oOd(>y-&$TKhKz|DewJL4uzd(@5&z3F7953hwd2$PT=t9mhI8$ zv)KEkJ%P(jR8maJ+Tql}&AtDN@~Qe#D#5yglFz5k2k`j~A;g&FJC;%IlI2AqHMP0v z<$GiWm%pFVTt=6hi~t^lZhljX?s`{&62>95xjZ6v2D)H^VWOsbHAL=Q#Jpp{&k=3KCzCJVNP>#G*ZI&%gx-C zk7V>qnDBqI{~U6Y6hVtRupBW_4c4`0-)plHaXVkX3yIb#d2wtwGJrzIQo5HJR)SFFFy7H-`R(zNp@ zE7V-V`BEGPD$*`l71i2)We(&8^PF}C*=iHMRzPJ8UBNNXIKU3tG|x${w`MeicN&*G_vgnac$0JVzr;1=^YmC9SYA-O=*1TrZc~17K6E zOOikTEk`842y@a?fSLAL@z<{ugLUWCf!WCs08&f;AbFbfGr*Zk>E`vT|@nj&fZyWq-wpBN{yZ;DkPfokB@!-g@ zlF2eP4m2lCMxJ(LClF|(*HGMfc_s~rY#~bsG@H8m)9SG4Y>1F>twhOAGQ#rr zd_b4(-MPygTzX?Jo#u}*NB5kIp&y}wDId{jQRG7Krq1t43FX~9z7FeI{zer19H=34TXc}RE4DU4H7ghKc+N{vG%5;#pT}x6+iX0a z@6$6N!k^}XD$rLi9a1|iZ4d<0$F*Ob){pBOi!*)fB|?>&h>g$Dpa@wFZ{FSF*I8lG zs+89qomS3E9QA!6yxFaaAPgF+$Te&#HNdTdI}$2|n%#0qC?j$ipKh-{N2%@${ptB~ z=vC?Jz4dWA$(Up2D3;Rh13T%8lnorTA!72G)xWx=@0$UcnfhhhX_acQO1MhnQhhi5 zm|4=ClE_0E$n>sIlng4A0_}+Rs0mA1~t zWFC{+$0L{HS4jTRlP}H6!Wm5m77Pi-(}hDf$5A0!Dcp0DDIOQ;_M?4P+F>{cJD9_V|mV{C1HcDAaKFG@@Y~~Qq}Kv8X3Psx?_nKM999ylOXS2!8%Hb%wV$kS z)Y)n6Yyh@n-W#tnkS19Ubs##fOOcp9(Pl~x<;<17S5!y zc-Sz`fy|WC)X|vtaAurw@e;}f%TH0(;fU?NW;MKyWZvOD#e=QC%tqv6IkI^f3LtDb z-P?G!hgsXOc(>@`Iz00{W0}m#qH=qk6YbKwN{EUE6H@4Qod?tb`MVssU|KFC5Y%~X 
zf-;&scH*@YOT4g8C2>zTX0<;{;=2iRoWrfB1YbLI+CSr62yPlfTAmsGihO>~Mdp5} zoqmGVFGZ4HN+>6JZ)xnW9#+}_oo}ZxQ#UC(v-V3wx=u~j(O4B%{!VWuJ4L4InU58c z?6zSY$hy9wXWqXE8z<8a&)QdR2H$jo8V=9_e*1Jjbw+;# z$mLA2Yhq((MGV{%xqs4Go8KBbNX>x;H6LQXq=mEx%fB8C$J#gG7OtDfWkGoRwMyT@{0hxMk+1#|?UTmvi)xMd==o4A6sDRGY#Ehb%Js z4J|uVw=}uB!}0?lZRYG&%wRqz!7}f4_O zu>o!SnMeA3K3+l+HL{u&@0oh0!X!*A8BaUg%nbY7H-X69$}Q{kKFmq_*w8j5eyvFQ zE4*xDZm1DPF-QDNeri2Vmp++EK1HA-HM|#=t(zjc0piDPCHVLsz%P_`6VrG7J+-)0yHEEqd?DV@ZwpFDz}rY2k>02K)|V9#%VuwZ`d~A&x20 zq?t*PHVz7r(uOcprPc2U&XmK5{7coNId+GvAS`ntVt8;_N=#cVh5lT^ zpvoMp4uZZ1NK?X#<)9(7l1K63LSIJj>(s!)&lV;%1u!Dc2mTTMj%AOICI~l_dye?a z*zLx15zHK6WJsTZ&4UE5)XxUzK%IH;k)C?v@d$Me!dE)H{< zl$#dS9|trQMI#}ssEip%XqHiN|I{!4vtpq zljJm*0Dr>g2+4w9A3NMrp~n!DRK%?QuU5cHByTRUVsWIv42b5YvfjXo!A9#gs7t&? zKejL7H^09Tvk1oMM|_h02mtN@=7fcxnBJ&1Car)~=MR=Y+aPo54Os_JNTjRTD;6OQagpHlOdEfn^9AK`sJs~E(UR`^wPRe z;NR~4u>MQ45tW`08CTX6_InD8qXx0oHa8w|*dZ~R)g=ALqBREc{%x6{lj{=cpU<`Q z&YbI3Bk>>5&tCF)PPfpB7Y2@o6qqGUvh#}Xn>#9B!6obK1DVgE|6v!^c; z8!Pj#{3%p}W!PREPtU<+PKPY`-|;eKjS2&tdAkL?pva+u&j2{=b>Pp;PdCpm-Or-V zoBEhH^N@4<&b>Bw-*KSao6_?a2^usCI8+MuVq*9vjMYC zH{ZLxiM_X^>ox(mNQW{ew?tLW=bZKoV5)lGr#3+9;{zq2!)d}A*{V>TV9R4g9~~rc z9|CWk}DxHyfqOdx8k%Bjd&f z-tJ9)wC-dp(cIHvMII|N>VzuFuGt$*B-lXfvnPS7+D_s;NyfDKSlr$d(8A$2)A97a z-q^HWHapqFxt$8fq zUu!b6cciXe`l)`|IQy^VSyg}QgdDuCs#&qsyqOy55Rad*F zwJ3M^hREO13C5f`m#$?VjccpP=KGNZXiD$-rNZxTmcs}h zDAVKe*X-a3ALGXix@2eP_!}Fr`kpZ)5oy$eVQ!=+gfEB%*YFxjScv zT@YN4ZDTB6kBR5KM}MPA|19VjQHsmp9gruo0=x9i4IMMs{40mJIq?& zdi2{LV*`DTc+t{n!LY(e(+byF3^Q}@W01>}vI66j0KxAm*Xk!InWA*&+`pLjz2{gN zMyw=sMCN=9AfJq)NsnB$1!ZM|CSetVPX|Wn+ilTu>_s zuB0vK5Di9;i!6_qrqyF~KH{8Iv0u2npE9CMr}_%+D8P?HD>i%GLRi-AxtbW+ z`WFmd)lhbxOkos>1hU*Yr)+Nnb-^*z*pd;s&zq`tJgX59E3Z#86-|LR zG&^-{9jHrb&55(K^~Y3SqLkIEB=(9H?D40!7_h~8?*4v zkEn4H1Ss{5;N2D}a?2q4iqbT#A3&HTQYxX`#f3T-Xe|ao_LDWvL;ScxsBG0Xt?jES8fAS3rG_S{*!VKOei5*iW zS!6ITSL@UhjpL`UmaUA^Dnb>@a}-W%FkL=;vs@qZAX837%}0njvMN5~P@vkfhE#2% zZVNz0k5lH{GKD7*v}t^0nH^4AkJgu5&z~qDo1|_c(^_1(S&vPG?v%Q+l)yuhV9xDR 
zsgy5O$PV!cNH^0`3t!h=h6q?hV=s$!H8VcNFTTN0GvMt zJQ$=xd*H4QbGyAa+jo>&jCrsD4x}i#NbZwl75Mq#R{o+BtUifjFX9J8@JX2hd*y^Y z#_I{ZN1tbR81HV_wVuwO2XX1-<34XAwl=w|NU=m%76)B@2O zM^sEqwvgMWW~{9Da^0t|A9&Gl<1v(?=I3zv)DFwEV(}{e*x|FKHnr~a_SrFZZ@Kp7 z)PP-+rMK*H$Z*Z(=9lZezM*aZn)D0cy^z!8GogoF?t4HprQfl?!`F42meE9#T;#cfmUtFmxc=InI;}ID0{DPwYe9j1v zV{G>7A?os)4acSzQ8NW^+ylmxnK(L|chtLp^XF9d*}#8EUG(5*buPW{TEHRnI_xc= zn4g$sOlB>T|vILS5Td0IWT^jZDhq2&$02ROZL!7xF?~!Bxpbpqif&Fp9me8=V#P!s}6LVy3+H|G&J3||AAHpyg zK{aCK?bC9-XGoRZHdm1qvGugrxIsj3-@X_5l$D}ezonSb;q%ORx0d$CH$?9Ty5427 zl-~enOkw&3q|_n=3qo< zl*!~k4Kq}X`<_z$F*Ly>{VqTH2(QsUUuH0W?rQlJhMF-*3$sT0Uwj3-)qQIHi4$fW zeg(HbVOWk#R{fP;Nj?GSxm^mcvZ{evoB8EW4AL|Ibl$Kb`i-_s=l+67X)u*>bs0Vd zk}N5&zhs|Tla@VoHR_^{^cZ3$@=mbd=J=pkoD&UU>7sX%q2tk9s_tAusktnrcqsKe z?nuloF06RePQSxHE!4VvaqhaGG*BQl--E=PD~*Y02>6R}Y7mkme;K#&oTXJhbZsy7 z=w3+vLZ!2fubn_D(Sr$6Su=$egeX()7`IYyI4QLof7#h=&n21gur(jL*{kL({lygAA% z9`|IM@+zA_6HeTL!2zGeY-6gMI1Pp}#g?tNM#IvrfM=j;uuvSD;}U^a>2|7?pt6CM z=+c8Ww>dlwVw9N0SuP^dD=+M7fFH%ab(CTvRR<11X@!C<1ag8Sw5J_`$8N6Lo??ZP zb>mA`;c5to!G64#41@|_$>9Ra&4H?0m2mmhxMZVTRkd8LACe-7DoKj4ra14WOy|@5 z%%jjWDwQyb??d|--p4pweMT}%Q$k${s!%LWSAnZMb=AtogvdVnqNIOKP-BuZs?fsG zq*Ud;Y#8&8z8`-zpe4liEW|GQZ=9!Hq0BE2BIhrvgcx|LO5+exzynb?M*X3ETJ!{$ zIQaS6958p6Xtu9?jH41b0|S)O>gv)7UVFU<)XD3=Poc?j0XcFhPQb<7@t9WuX2CGQ z0gAqbk1SRupnErd(;3!mvjrVW0#gLvT0ZACONCr#^huQvJwnql5xlSLR^mJ;W2OlH z;Yh_YVPaR~{&>=UJV9bdo@9uXbdqW0OlhKBwu8g_WvFdiaDz&Ve&|vh>A3VQ@4^T4}coCsUom zH8Chmh9J3Z;zcI3EY0VruF#aik`Kh*1I1@Oh^1^arkFE0MjsFTB`@v{y;|OtB4{BA zZz6dZQFnZTx@$SGxA+*(zo#qmnU=UYlaQVY&D+dpyW^V(DXTBBF8uGitccB zhcvV?_fH&tnR36RS_ON8dq@!bg?#LUeBi*p zKPG|GMcqJ$)XY}{azww#4|^&`6s8owQ}4ni=h_6}xp8S$<GX63enUyyB53VjW(u+oVqS>TM{Qj3Byjb@#ZEH10#yhZliB!=kCQ}G;2uC z%>#w{rrX)2RTWoQioPYkZ+}}5o4t==2$ai>*5lhrI6B}pslifgpEgn(kt=%*a}LY-v@)gsF!?&sP+;HbaS8&h`@JB?ym?KLF?Heb zozK7D=4d`mLl-T?06!v1&V2>CqC|B%Z!ep?Xge%i-Orbr_?+3ix2@I&^#iBa2p*er z^y@b^N{GB?ZrzDm&vof^-`fI$(7D!KPEYMUpQYU%XDFK<>DIRH$zBciCN}&Wr@GdF 
z$U67_bJ-s5AblUg@Dv`E&E}^!c{c%La1fWS_k=a@iRR`=Q!?u=>)}URrq|FacFyj% z7{QLwLo94{DCC!g&B4>LGNw1r4QoHQy#34xU(6P#444T2!)V}9{H-0+4D6&@=S!1! z^rLRuO}|z|P>9~<(S6;bj;SWK=H+-*SF=J3w5J2~n>#EMe+clUCS&Tcv1^A--46H; z9dgn7c&M)Hmu1hNHkO^L`yp}Q08H6uf&n81i`?qtb2r_&8Yrw(ob_pF7+&$!j}Y?S@=t;R2qYbNpTd4FDdv zXW?t-TR|znjwAhdS^JiZ%wv`ab@2J8vg9Tq=sl!2<447K>-Pbce?@si`3RW$tY!TK z-|HMd&VNBDWnfLO_mbXvg|P1|j)SB`o4^lCFxT_kAwYtZ##71!(d5F5{x8_)N&I3R zuW2{Bwb+C&o7ht+t!i0F3u*L+UggiYkaUJ1N{>dHJty&kxU^^~wae)SJqe!T zZ7oZ+KFSI$SX>X1RY`P0>YxBQ%9tft$Mk%-jR>}lkLIL@emU24+q!#^nW;FZva$-f z9~mCMt>mxJ{vx;iQ5GBTMCz{y&U@JP+ZjG7J&GFdk7gC1V?dOkXYh=(+zC)3N{^;= zTuWD(ou+;s_=vpNPZg9~3is!cRj8Vtpmfu%;YZiW1rqF=nc61`o6aP=nnn)D)*Jp7M7WS(f2 zS>(?y>eh-lm^?-_C^Oy(LBZ?8N_YSUWP9RLJ&T!2;RnXh5eda zmlgQUpzmXV@GaOJ8^X1$=S%PJlKlbc2d9T6fk~F?1qnEqEs=gI9y$FAf!Bm|EY(|LAg^n8R?) z*{Y$!;sv%{-Gmom&sO0`)@QHWdko&8D;pPk} z^H}(xA~!~_xIa2VMB z_#WbXTLHWP$ml&~wB~|){9182psaN8q{xC*;GFl?0?JOK*K%hq6>5|Z-Z)K3WN4^@ z^O6bggUYz%#*DM4uF|pV&=ha@bJgKU$GPx5iO36sb6BO)ay*>fDW$Yq@H9t}#6ZH+ z&id;rh00|C38$WCA&C*C(xUx8tgNk)b zh`tMD;b~gD=%U3{FR75%{TL(AyyfZ2r5e4O;#V(9m0Gr=EP%)PzV9eQY&>-8b5jpeLbapb2kp8%n~-x;TdG5GQz$8zOKiEj2kASZ3iLZdZomN8H^^_v)eB-<2CKX)hgZ5@Qw5t2N$$rxGpmocqRAtAJlzQ~GW1kM?IQ zUG2uVwoTs8x32hO4ZSj=Uz4J9@sxEd_C!me3eWEJ+WkJipau@XDV>3csg$Y=)@G^c; za^4W^b2N4G5cck3ef>y~Cu*MJoYm8JepY=8I$dwQ|IKAQiln|#t?P3I z<4s$VGpqByjo;ZYh>l{Hvj$#`XxP$mn1SrLZ|tf~n>*!um-c%od*JoY%()W(_=SkZ1zwtCjEyyc#^8U z(#LTqf$?oWr_$@9T^u|1!p;7o`hjq))36*r=kHLApyL~>{>$X&KkPC$Fm~RufsjGn z_5RX(jPz*daje^fqObFC;#<{z=*8VOH<8nI89N7_?RsBZ{PP~|vAtg4#%on|p3?=+ zO_}07X*wedxnt7l)4$4+O_(&!S=08tx(BQS2dAbqz`uqF>**awoV1hm)+`@QqxCQG zWY;a{f)-M8cuub;>LZrsf%g*`AJuX$VB72G7{Zy4&-&7;7G=kPHFfRRl8IMN0?rhH z>q>Q>f3v2WQ(*A+EpYnzB?qkHg8@#PzfXOie@3CFX=oYHv$peHg$1;Oo54*_D5Mis z&P#uyD4MzoKa{o5z~2%0?T0%RtX<-?^i8e(Cxm19oBk!~boJE+@UvRGQ_=7#w3_Ch z{3M-4QJ@FGp39Yt*Fh~)M>E@_c|*I{q=0;o;Rub+nET*KzI@ABu(28UARk~hwq7J~ zL{9feht?Jck#Mehw1^#i-n$yy$76Bna3t%7V4r8B6&`va$6XQaZ8~@RY;P2{?$*^;tYNM;t_shP 
zgk_6u>&z;{(vfSbm9GGo^qtaO+fL3*hfzHiQZmPZXbN~#z6LT4i=VAcS}Zq`Gw8ra zoa^3at58y6oOYs5#&ybdGdrutyivoS{Ke3QmeAq20q1Ympjn};qMW)I`&+XQo`!&| zTm^#^$H`?`mLa(ESWFJVd>p(dP<$4Ko+E7*QKrh}u zewnwx@XIXl?PldQ@K=puv}*XRz`xB$qN~q`+%NWxw*}xj#WfMDLZnTX35_ywo<^Fn zZ}C9h1@Vz z{ILMvk8wJoGB!cV%Kh+H20g#Ff!FwHGk1MT0qKVo<|`?PIO_{Xpi@dP$Lv)SB7|F6 zGjHw7S?F*$TipI#WHt@+4lw}Y7V{T=Hx5WyxQW|6fG~gkTU_rjgNc^(j~$<=G>Fbh z2iX$NyaurIhrBZV9iSUny7T&>oV7m!JOMZd99+I10{Kzko?fAU3&KV0sS!#_U_mY5 zMkCd6X3j~^p0oI8VaFO}$-Frls+GA_dv*V&+^qUdR(jAHC@?0anH^7_yl|v~LiwYZ zoiH-ah4nDWS`?X@Q);4SJ8cRt>t~amNJ(=)YHw)<4VOe|;g?i$2Of&=%R8Zk5hknw ze9aS1QI2?Up}o*JiGOj-SR-9T7$3Szck45dH;nhCqY{4236ix1tJouW3{=ScyN;zv z!iP45SSeyju5dBR6%Xn7qwjQE8t-atV}jg&JY7!(F9RQ#^DFWz*BLRvAD8Ph6}6Qw z?h(lOSYI^ldhf%KOm30HFtkYHq$&pM3FR#5-M$%xhP-#K71q{5AETF|M{3fh$=X&? zYlq6=V74S#CtKgDvD=IPcYq&1$?otc*`0p-*rNIlJ_5vKdtXI-vfYs$9>k1S>@U7> zVBt@;Tm8v)ov7oXh0&k^!QeL+SgVetxCrXgUrp;=8_zQdj9WVs9E|T{;dJLB439;< zn;EiGz^C*>ya}?Jiw)Q`e5S5(c`ncX?W!%dPT;91qwAC`=N7Uzh~MM+`aXK(CWP=~ z_$FZ@vhCC8{!FFowj7i5F|(Lb^bgAU-Pry7N2c@m0@jB`6auzR4Y#$9^KC{~n_b5M z{(7C>d8#w=mK&ADhVmBF6%Vn5y*?7LjOUWPer2KgUq@byW7EJysG zPl-3J(Mu+L?U45anU@;`J&pF`k&Ar5L801&M?tN1us9faU;*>(A-?=BFwzZQaTeU^?axx{6Qq>@L{O5YD zmxga81$Y}o$Zosj?C0CB-PLtI?2FuS3OmMdD{8CF?K!8%0KOO)0~)?^UFtv0E~;-m zL{SlGKQt%U`B7(kWz1OvV2L^|iIytNPU(<|rtz`QfY0<=$Lka7v1;RluLS}`(%T*x zlJ4h3b>7=~5ltTZ#Z`Q-q52vRdbb%R^tBcL1Gk2sYRU}o>iHulN9q%Ce;cXe`E?)c z&7K0lt~dcl2ZxJUJ7`Z+XF1O?FUPkzYP1u0)80!)b{!psA7qSSU~)v{uix#2P4k6I zHx1zSh9-6(=%Wn(1}@5|+Dv&6jU}#y$_r625d3P*Q;+-#_pIA2NFO5_k)pzY=1G$` zoL2?Sw&BJTK%bI}cR}5uRl!v*dnlMeKI$v5OQWGD^h*MSx3^cGZ5`a2b$g^_5w8~K z`Vx;MQ*B42+?|f0W}r}eLQ#)<%Nr_>NN$BRyzP&V6N?%y$Yd_M*Kyy*HHj9~LKK;u zyI&30oaC^0nuw{`ck+dnHgDUlY_6Uyx)6@;NGlCz?We*}QOm33=n8?IX!;pNFiOu$ zXn4B6_77wVtbE5JSr_lw<-rn(;bWS4!f3vPZZ{X?Swy;`zDZ^_P^6fYy+O<9w7*IC zF^R7b%*@%)Es?atNz@yAWc{$a7t1p3d`PUuS@=G04;Rj&1@h{@(qb$2B6f|15jAs+ zMSAasNK{!g)PE|LTHnUf&t%Ho(CLE<)GWu}>9x5m0HPRb~ zmH?A0>rIB}6$0lZ$VCSsh`x`DPbDexi|zqzeQ0C1Tj5I@=TLwTi;WC|T$d8#{Pw)r 
zyHx;QzT()awh;Mf^U_Rs$G5R+WO>fQu)=vsq9NeX;{#&J-B#f;?zr~?ibc(Hm-WS-RhWXb)yMR#G;t< zeZ%vFPYGpaDp~p2yMv*;LT*ykM)7PSlKZVxp=G(g_Ge~D8aJSqIda$j^qSf?ph4?xS!XTK6{Y7x zZ(UONmH-74D)~q=d|~Np>7I^ z`u4M3EHULql!ih&M~Aep4#QYnhW&5kSbSHdfG z03v@gg>dU2&6(>}a(7iwCVnRi{gpTQZMLMgIv@y5^Y8VeFT&k*`Bwf*L~!*uIj3^4Nn=*2>%OWR0nd?b$!cPHk?-O~zTHsgyfU`Wv6PCOUpB?A z?cYa3p*^)vxo-rePE#uC+DpGmxBn+Ncd~+S0kR0bMN!W5EL0+xaVomUN!HAJk{jd@ z`bDKWFp-o;-)-%SN@$R9m4K>AS(!wVOo}+AQ^1TF%~a}rp+ZoGXgzEGT8AK1yp!+| z)~&O>%+CqhJkJRgICI3tAkNchI*!iVSfr9j>}NGz+Z&JM1&yUF1Ja59q&Ol)6$nd@ zzle}>_6i^wvdy33)qza}?USnG>l(wt&MSugxV^EvE1F#Q5pkT0Wag_BtXge?XN{%{ zXZWJIoDKLSd`;yz;)T=0xS@!J5q*R6$3y%+7b<9t*99pD{*DI8teci8ML z@GJQa(fi>>Urv`X%@q-pgu|b1!@EzS+xj1(Ysf4^N`3c9bf4@g`Fz|q-kG$n1A|_F zqyu&`r#K(|thO^=xtx~-2lQ&)EtLd%H(kzq9J>#*T_?BvVxCUv81)piu3v3^UMHfr z9(;E9xVYNf7PdF3I`x_@>d-mYYhHKWXZUgiUP$-G+(+H?83mW9$ z^hI;JD%)UEZ1W1e~Uk}*Z1Or2@@gb5ynBLUrd4!1OS znQbfDvi0p>@wwK0JPoFhj@=nc?P1H)Hru|p-&>~qs9yPa)%DDI*Rn-_nq{lesI}_~ z({gOOZ^(E*jnTbc*h#5cd(7YX2>m#z7bu;o?7Zbnd1Uf8! 
zd49jUsA0t=@IUUCL}R8hBIk!GJ-?Ui`f7uhH!S&&x6z0#&ujSa#`)5BOuMavWymglIu{Ib&WJNL~P>}L1*Z$|Lw=TfY-(s$R~etEay&fz?_ zWPFHmiIFt%aLU`R2=kKv&Uwj{aqT2(>%4RSH-cS@^Y@p#OZCpjX1UsZ%E9BYoTj5E zldTE1sIdZfPHx`* zy0P{ga7yQg{im}aN9Gf8Nu1#i|FhCX9XU77SIW@dOA>s02FwBkz=v~3fYPIIhaks) zEirAMG*=r9>?nc0c71Kr!w?L|22z6fZo+H9WL`5amgH52OLZk?e@~Yc#w?;TQgQ0j z$er$h7pdr5khn)l2-h@wQcCSQCXodx!(p7x(HJzy-A9#XP+nw6t^TGmJSq&qYn)$B zVb`D($wK9ZI|&2ILRJy-x~rFsHplu`>-P85*@A{`E@|8#vd%f7PQ9Dk$F9YuDc_1U zl!b=x8npx;1%_84&aw%F%*HWot^x>pdHs(AcWnVJR3P$==a*%}jmHBy$Lj!??5 zh+;7{&XBKRnds3Jw|2)*+i_wg^32r)!s<|9dZ0ZyxZX>--#NrI(v033D^zEFCUuw~ zrp{~{BxzX?HolRBSO9X$i|eh+C*kmcu)%nbIRsGHneArjG@hH17jDU{QquYdW&U{- z!aQK5xArnC8Z?4bl44aThT&0OCHl0++nummDR*O~I}$v+!v8*4=U-AkIagC+sYnwy z|7s%u3R;ozTt25|{qn5poOl{r%0v}!#!g07E8>4lmv0}8>rh&Zu5Wb=Ju^JM%$kNd z<|r{s=e60tTt1FsJ74Yam$V)(a&H!O^44J`5u&egC!4*j8}A3sa~Z;no$KQL*WZLP z)Ff+hrX3qp<}%Y4Rt0{_mbZ2ajNQKt#Sly7e1*P|e;HXqY>k&Za^R1Dt(fmM0&&`S zh*?ihp7^rE6Q*0L;-_VoE##W;Kl%+f)WDM`_+d`Fu-c{#z)AlMVg{uCbYLpVxbA8N zdDewLq5)g~z*7>l~4&X&ygRLcBUTxo;wLZy?W%zM8Hv(yi#d;Z_>yW5jBK zZqgO#v{^qdFJ5kC%}|^dJw8j#lu=2D0gAF|klcmXVp71RADB;0wk_phHx^fHWJ%U? 
z5?P)Q9-PO`pC3+!%KKrEe}q(rmAhM%PKcgwKi5Q;vUD=K)M7gO2JC#kTet`UyHYZEm%*auFi??PrjjQdgPOl zb{L<4dS;tfzGiwFshmcgAWa6eYLyKCClF4AeZF}h;;-IIEm17$!BuDAgM)&{H>zK6 zG4ERhazs$Xvjt^H8I^lxKC@qkbZwPH*VE74Z81m`p)wV}AM@y~$Yz#;{?-ebx=xDs zHE*6{T0u=0g%|0dEW8xaZZCV5CXUQ1F!7OpHQ~&E3SYS&V}Nm)P0xVQwVd@AW|h`y zr8GIoTeyUN9>zA8z%HM~!=y0^65GiYw8h~uO|LQIG)(nf!+k7sMj1l9Og>I0dNPDU zD*3a7cTIwT!TWgvTZQ=AhzyPD1=0LpA(0jaRGmi=(zgLCgbK-BmIb6&siq4Wi>wjl z%0EJ1`9{Npys_@^qPZ8Gbti2=il*!K;TlE$7`#D$wCo=}sBI0tkiwDObo}t-#q|$8 zrVt=hjW+~+6}!Orkx|JN>FGuQqqsM&J=K2y|BWFaN@!qB(JV0b`Mpb?^rHuuIk9xE zcb)S{1l9AeWd z=sb>ZCoKKZVAiShF!PKtxkcc$ZhX|;ZbEp!N7e^lYyj&w^9dh;Zzxme_v5MvKLp>B z1Q>sJ)dsXbW;MOFy_cYbHu3wtu`Ky+qkshbjBX?5~&sIox@b%NdW(|npb789w z|JpTi2$m-o`~!XpN>h;+{O52}v;>@P;h-U9Ig?QmJL-F#`UKXYx4Y*Uwnyhr542f7 z+MI?G*pfaB>~hLYPpXFHD!ZUcfeuq9mS9-+ECMjLl(tv3;G++F;1JF)p#~}lxu*u@5HxR;sF<*%PjH@f-c6F6)#FiH~c6#{Q^+)i-`6 zhTGzqh+2OVMl6-nESBnw$in#Rjt!9flb#+vsjT0HXboZgBH}eao8o{2JBF3AAXAhA zN4+Q|U3k!il(I>KHTr;pOdqo{hc&$>Nk~WOR}(SwVLII63SQ_|O}D(pZ%ARhfk@hY zd1q4*UcPm+I|)a%G1(9YSt4nES#}QUtC;G3YFA&<3i`zRwB zXP_ysx=H5nu6*!|e@XNz$0vp137GvXKE-m1kit)cVS&K1T!&hPk z!qNoY(3olqV$AhRG}xO|yWH!5cL7V+Bk zTyKOl`}|>l`DqmR)J7=M?LJNbznnf|m<>T@4WNO5uL>vb74^E*>L;BSxLOUY1~{$x zQX1x8m)2-@ny$@Kt3=b|NE=8?tOb+EV2Z{DUM$8_=! 
zd9_#vp#K#^%`|>VNKc-(Mir;@nr8I=M@=n-E}6wW_H9T*eER> z5R0i+^0OnCo#3FB@~{qhg66p*;jW_)zUwyN08;7-XY(l%tWV3I zlX;cJS8JwU{LX7oN*<}X{VpU4>6Gh;9*Q^2K5i{WRkPE$cytrVGt+Gd_mi3TW>DFu zbX+&Q0F zdy)2!%O2^sBaGu8BS^gcWm4^WQyv)Vh1L*6t`O7 zbD}M5Qfz4Kn^o+Wh-#Ka`@PaL%`~J;D-&RXqY2?v;@O2O507t5lqy?Ow3YCVC9V03 z;6tzuUK%LXiE8O_`V;X!Q%a38EKoIUf!=hPt%d&u@Ea7Fv0udliCX~pI_WpyA#Y2g z`}y!w3Wkp+bwUCv9fSV?js@F4A4s8%7eGhGlN5oD^M@kd5D$1YRv#7<-IpzsE?fOC zw)UP-FIKt_z8LRs&-OgdHB9tW^*AxM`&PA`8+d{ai7$uv6^xes4z&(&j=MXK6*Ni6 z$9J@PlX~w*es5bpGC>g#mD+ANmNvzKid_%CD~9)ewj#X{WFeGoJ%5I*e8K@*HtQ~?d6*})VnG7~xCaNrz1_wET3rn8%_n3p- zhrcf>b-Oy59`6wVU`n{lx2M^jpXvJG4|AMs|G@ymKb*kn^;VGeb5X)d-d*nCbNlY} zF}8#MP=ui0DayglrC_!0>pq>PvSSV4A?cd$?u7UlVe;c4G(}<4F+-lwXApRlN}wM| z@_Y{?HqP^__ejyx_cjBu#|z$d^j~{Q$fSY}(3jvN0QmlE-;+9vX@_;u>~HH?8DrB- zrOB=*)6QboHICvpVh~6+{Bn^aKYZn521G}mVt?I!?Rre|XE}EA&(e?H%KB-=tF^n^ z&)nynl%{a?^jqcDT35%*abG6zQ&D%6;))VjhkZa= zk7-?5Xw0%yK=g;lxi4w}*>>O7L!xYe(z?~29Td{H@T0l1s0eQs=yGF&~5QAK_0cVFDNy50DX1IqCAwfFGo z4G=(ftNboG-?4N7_wMqlav?Y$9ZFG>8X4UH4Z2sH1p`0D5?UHpz~;yWc{bRTJ_yXr zYF3O8(Z^w;^NTJW=1Yc-Xnf~%AEYo@RHZW&FAM&fh?=6CaL~)wJh&8!tTP5X*p0-v z4ej>y3=6YP^KS_4cwZKcIj6r3YIAEU@&?d9XIV4ZLf6X&_5X>W#2$QU;t4Y?HsL4} z5N2m6?h7w^_V^Lr@eSh8DA=nMzw|?ydrbDrxT|QKP=o>fsKxlxy?cnQYSPtDBDsI@ z%u4o^)JDAMqgH*ThZy-Da7g&UzdAMuaK?*w$|Ws=N;<+6QdzZIhjx>6WJ2}qV)ZDC zCKGb;eohCL?SDs}^+Fsg;NgZ8brw=GNn#yuyySMTUA|+9R-wu^$h63`HcM{8j*jPd zr;-~Ib}S8N^AxGrhKC#pQ2X!#4IYKk)}#sXtKyn4z*ytxU%uOEbOYAIp&7(Dr6$P4o@Vf9(l;9uP! 
z37QOKGqAsHj~#KKdu%$?gs!$t(AlJyWz{mfqa~&Qs?boD zizK4BXvCehYBh?o3nMg8AtAg%r9(@3lNsTUR8%Us>qs;oenl~y0{@3i&A&GC{znzD z0Ba|n9@T-G#E!w~DX>y=$Wnw5q7{(Fgp$l`*yH75j`Qx-E`Si{Bt8@iQ6DQY)e7~q z1lJuVk?{HSU=s_OO0T#XXd+tJVjf}GY%HaIrTt-(=80t3H52n_XtP9WHQ|v>yTE@s zE7l%XaLA_>`wAIDbd}D&)xUU{o8Fzh=WWQWFg1s3<12h z2C>y!6X2_ZGhguT~>~&{9g!-{!+7<}dk4x3!sG~TlFE#DaMk+(r z_X`^BblB{-y^nG%{}+w{&O#K~x}S<~*8eEJmU)Q3k-_&MQL>lKWcb&m3 z<=NhUTUcYLcR8h+%lmkd2Dsxs?VL&QG#prI;W4Sv?d=He81X70sPlfvSjlvB)Lpwr z++Dif+yPHij95QUjPgCr%S$qJ1T={%@E*r!wRX<=dxf5Mqdv_DcH8K4z0J^$>N{KX z+zpyv8+yGfGvzngI<{Lx`R1-)oXEy?o*v4b_CfWyK0wtp8Ty|56a4&*jq$8$nCbK? z@OJ<6cxMZ`Vz=Kl8YS8C-*i2;YZzq;ye(A!aoNZ=vjzTheQ_W7uvMosSkz`dsTih~H^TXvs<@}RN4QaEL zd^`^AdrIw281&rMzaQ&EUbjszRE3W6-8^AaUx%|Vf9&&b6#<|E9CEe{9N0P?7q$O@ zOGdB%NEnw%uGqyq;SlRy4mJ01cD8t|UJ)>F-mqEPbq{b%(KMangzM&-G9LH5Zh`Qh z?KL`W+g|T*E^f{z^x^V8!XGsN3j+HDE43b%nM~4%wWJQf0H0%f!2sK7&AX>*oa|=X zIbHXUNl!un_k+|I@0G1Ay{BW{M!-}+XY2GK>h}Gsuw(|ce#ZpxglZP-T~(C(^D&O= z*uiJ_%~$`YK$_#lNBCqXAenLF#0x>+H=^#UX9 zI(apFf;ljjssOuDqI6eNwbsF$BLH84Al;BSODv^iRiuYQo?2VpDXMXlOiVa%a+w`Z z21|{4g0rvBr4GW~dL+DY&4zuDyel%~;}3z_tJ;WYq*!bp2lnm*#8*8*#?E+Kau5Z+ z_A14-e9)h282tvWAAj1|r#R@Rigkti)Lld}M1l!dMk}SuOXW+Xco|wGr6Sb}+3Aso zGHJe9e*33jV_&LIOj(e&q&ktU>t>+}$GH6BuwXX&gG`Q8qV91*M?|+hfJs%2eO@C{ zI7~Q_CmQN2i8RRyz)G>)$lH1zD@1NgMT6slTGd*rvvhOJl6|3%rn!Wjni%FyU9+Xe z*&UzN!@@${8f6T%6K_hbP{E!ro+?9&A?dPIASpa@dB4;oa)DptdocP689!pKoGm7- z<*R%KUS!Df2xTD7ZmCXII|V8hR5}98RuBW@O6%Wf>4?kP#q2u@slQ!01joRhW0;rv zzYM354nR|`Z-GNkt6J_6=;h(AQSuaY_pVHW!E+p-lZT4;_ZOF z4eD~YU0->+tzQrBvyZ)>@BISZnzm&A_@of=EVvL?nA9f@%;)H_S?iKno47d&WmH=n zqV?!juc|htF3@jcoiT)8#+<=33-=?&$pTHErE=aziYra_YQry`rrLQ7RmNWgN>{K`P&C8?D+M(WlvA&=S@PRJJ&R^h{7I zBq+_lSwJB{s)yYAog5K$$RR=_Ap}1^XdRUw>h$l)e|-YCcuvwK-ONY4>+f&Zwwg4F zf26x6R!5CVHW-PrQxzqx_ryAiO8Ilh^@M9wu-iNL0JDf^!3jV;>bqsBW|%1Ut0vgE z5GmE30P)RV9wjCSsrfaSi*1oAG@y26W(ukOSL05k^Qcfh*qnuR7Q==1^e~t)l}1(k zN7+-Q#so%ZQnJ3%#GxD4)%-v@)3SIUyAiDD)J6)|cy9abm{mBS^K7DA>T6J)IIIu2S5 zeBUq-Y9v_dO!%L;5wwG`tjr9XEW_^KY5#Ns|6Vg 
z*-10nuaTZaBF-uaa`UC)@j$Edt|}OFp=H_HH5mV1iWu@=XyJzry+z|*EmHGXvNwqe zHVE>(gfteG$X3gN7XJ$%z?u<$L5~(lwC7r|=^T(J{Z5e1<@JWH zHCc7g-e@iW_#63Up_-uwc+_xy#q$%<;BwZ|u}8swgH2KII85+jq^5(u?d`Qw;Lm!T zhF8Pu0;Z#ue-vGitAe%PaaJ0C!vLyb-imdPei5GaN{j}-ebN9T!BMOOaW3!SIKRQh zdnzU8YS-P{bY6#N6XtV=x$j{RdD@lZ?XRlqMomC7*Usxi%Ka0sf0wIu8CM-q4wfPh^$yuQX zEaF({^aMGM?R=ZR-!`y7>Gm2UsUM+1?S1UK-u$JoemC>D;&uOo6~yb{{}{Nh;+U=k z$E(~);^mQ+<-3)mfspo9)8KLl8C4g&48x?qVFP1$nAecj1F?E`XUW+HyyBRjz3vqD z0e3rOH4QTwYS)jn0=hOHqptm)4Q{vAh>mJNP1CWu?&cII9_-s~^qn&&USqV9s0KbIp{IvThjcbtAi$!&-6BYD-7p&{WWJ=kB_7idY76 zn90+W4lSGEJzLAFW%yv+`*ZH;3w%Rd&gdKun|?AO83NC)0F>Z!YQXp0&5C=17993B zh63P>c1jg8dGpbaIGA?umEc70=X>)95?bR)n`tR417DE)`@oUxrzEy(VLarE=4^BHtVtZj6q67zy31TSQYZs?<#XteSWY zVZP`(Sden5$d1AA3mQJP57!Z^^f&VSmu%|+zpq#76i82movnj-{QV?Fjozh*ZgE$29n^#+~cs>TnHHrWoTtt)j*3EKh8^mafOF zjf@!|%I--t=EvE0DCcatwLRXPJELdxEYr|yK{yC&z1?!DDtbf4`nTe~4{D)ylSi_3kqMco*#&?vdp?`Q{ za34Y2j<>;xH|(dZ`pR?YgcfHOJ9rd7IPuP;RNeVlg2O`{CZv!Ny~ne@lKAm+$()B? zNR20iRtPX!LC`3&{57@y$uV`~C*%ed@=c{gabGYr)E1)XK%6uxv^Q66bOE8~;?zOWA+^Urxgn}*2Etp4^VAuaB!`2kq6IW|Q znhM|g+UL%|VfMs%K1BRrhOp)OPHMqS|~Q=~>QzodZArc+8@=n^{8rouyfK%f#k zOiP?gR;V09qdT0cI9{FW@r7^K>H8V>C_cyU1Z$=%3yJd8e;g@`sOlrCWWPJ1O;1SgP74++?Sx%Q#J6)vX}We+4nGnI01 zFFTy!Z$EtpzaS=sJruH^M8gW#lqiPG5fq}3sp$?CYYoRM$X0)~LP%5DPc+BHO-?E@ z;hjkNSxppe24j^5)1RQTpFL|nazH8`D~cRKU17ihv0*M_G2lgNVNn|$@K^S^QU@iE z`@?Q2b5FfC$yWW#eC;aMGCf|`hGh&s%UCg@gPKA`3d{OQnNO;&2t@`W9m0__Iqw%D02K*{C7nhoWTZBf&<^UWK2KcJ~|gydF{`a(LTrevTgZGb;Xn;A6*%IcCmK z3>;*+0v1SmG6r)Ww@-)6ZUL;|sUtENgOV0UZ%AIFP6R3BmA)zTy-+{rLDjB3j|wh2 zRG`EHcOzyUUfg;CAjZ}@A`Hb@M}X(dELY&R{@FNzq-}5GdH2TluAcK@6kU#oaQ*s6 zE78MA$D5WK3ngtIWZdDcPXmaKgF+--$38kiMx(uJW7D)Jak?D{}Q7v+Y+Br zl2ClkO3pUfW;-kzcY`kJt{C#(Mtyr5M2_6{{|@J(5C?4bgBo9_ZL_^+HXR-G)`2-6 zxj2qIUNMIbyhp>k&mOr=*Ynh?!J z*eDMQ#b>W#Sl~A}&lQ9Ua(uVs1mCk+=M4c~)l?OG>>dG|QZjC03dL3yK6n5>FtGIz zaKV%VE=QuL_95d&ysi=djQUi5FU#j}nWh)#)*~W@^$~$$!Hj_`jG}|zDG6mJYJ-lF zDS=k~8WAr#hU?UA9FVAXg05Bk*&Vd^Sj=}Xff=+=TQ4rucZa{NEV?maT&;$CVp1!t 
z$jspU$F4L19x|)&U78iSni!!3VX7^PS)gJ>J^0(X4l#@n`p~eQ{m(XY|yu>cqssAK5DK z$nyEgTlmt+yt8?l)pCxp3hnO@A1ZqPgrZrcG7VFALfbLU$7|2caUOUzXcaGLJms zGqCS4gkcuRqz(62ORs^@GBfhyE;1)4S=7HWSRl3Uk72=O>SzvAL9H%87DhmuN9Gi# z4DtqVj5Q;D7d_t-3%$E>QzEIq>&x>|k)J}m6RKT8_>fVWAINY$(1lQoNYHa%S6_on zFCp^VplHWzT?g4*xM2N;VNyj?8N>096(ie=MiuzsRBEhG>**M2N16KVlaa^N{EpG6%&(s0A)kK#HTq{@j{thJTbb*>sLfn>HfG4IPi3sN4}T51rF z&2ivWpiHp8Cx^7v@W-dzE$3S$9De|54!TO!LiFrr@OlU$hR=WF1xqScu7wsFwbHOOi&G$h7b_GbWKTifXBdUNN zZE?Luf#6hY%j9b;sb)ofk;Vdv`a}M~FNx5IL<-thx5)yn8m-+W()f)N=w%UU<0?`l zBrLj07A%L0IsYoLL{rtk=8>rq!TysGcFB}~uv8K9Mi_TP`{Y1%CksIsK&T;wJXh7ksEO)z$+QT{S5?JhIt;WdYg^Zz!MW4VFo z3pe8ocKex}WM_h@GV|FnIww=?purY4w8)gYkdJQJ=+U2hCli#SQmQr7ZKp{^)pY_9 zfLD;IVTK33AyLIBjJwO*gafI%%ukg)kvJT=z=2w)cR}usZNXeORuM8ly&86WH|OT8 zm%g_B0_QsJv&e)JGlE9Qr+bMtXQKo+x_Gj(@4D!?_Ev*QEajq9xeFmdtc$M>=JTTZ z_~qXkYn%mg2$HMNHsMay~RIX1YJ}KWwyG82VGcsJW+I&!&5+p9Lkh(^@ zywoAYpTX)?nMZ?#UM%(~`@wvg#C&P`fuAr+8XdV*nJv;5h!UbP<@QbAI+?Aet&oi< zk>Q8XN&nAOD9o~=mauBJTPqgD{Zmq?qj!&Su^WRzts)tD`*oe7h2Wf!>|mt^LtH0? 
zFb0Ldv+DaPp4tBb_!4&E1ds&)6@k$xfOVi>6Siiq_pZG?8?>Gz7`;56I|P^14g#lJWsI3@;HR|O z{+*vT&*$wQTsfb)TUp2UElIw7ehTAS?t=NRYu0rM4~TKU8^ zbkEBR-G=>6J1AL~WFw+BrX@Nz9r$)qz^&Wu-500Waa!&RXaix^F*U8%QU^SWnRARa=R_CJa#aA74-q%x9A7^Dcu7m-6U!THMM+4 zUDKRX!+Y26DQz5X&8)=+PA)6hA|6&aj>*rirGzw}~eD zKM#_KGtV}%m+m8w_Z6zdzU}u-p}~V zvR+-lNwazFl4NgxfDdR`7tFF5u5HQs=WiKlC&{NG%BX*vy&*SZ_g*1iTjy64|e{7%mZT4Hwu{D7~AaRic|G1s~zT-RHsGuxmw{^jOvw}8$weCmM1&C8>= z(97DN^dc`nLZ^*@8|Mwe2GAYBznymLD$yCf-NGR1>!6+YZt_|Gf9oa7ZzCq1&C&Zi zdav7<6r&pc4*H^IZJNWu;_Oo?6{pAMa z*z~v~koA;z)Ob69S{9cA=1!wz?n(?KNdXV~e?M-#o9dF^ZDhM|U7nIR{0U$y{`1!V zUUP>IN}3}4qH(N7oRg6!;W9AAm%yH~yE~9)41U2AR1YyWc3T&aWt5dIz=7ns+dfq)>rZ$ia9g#2NG`onO(%w?A z1qxQ8sV9%?kE6G68fnPIEc$o52IZ=b>Gdhh=_ym$6tFi+7EDzPc%(vW)xl2nS!Pbd8^#IZgdf)m`hL6R{Y16C0RB!T>YB(0^J zGQN;w)AHgkApP(pYxl^T4~I{y__CJZ_@~%T$dr7u?yE{T6}L3AU#z`%cl7o!E$P|e z2697Xadh=i?73ZaA69hyDQp+x}VQ4&fuF6_XzSe?Lp2am5Gl;*flG2+T?uchFgQgSJ zQka3vH0Z7%RvOB`C?|CI6k;5OU`hDzkLVK&%yE4FOV5Igw7_Ysr0*aFJ?8Z7kON+=d;a8c0AvUJeqZK@g-H&8{Z z6Ad(tOw9HZhf@fFCfsCLUe*Tp6aN0$)VEqgRnU}Gxsa&g43*6D&3DCl%#Y<+_5`_W z#njLQsBIDmv3Iya=A#wPW|(pkwBC%Y_B0nas`OaFh-nDa7lNUh#oCGIP0fI9Lu|R1 zxZ01;FDnfJ$Gsfb7mz6awP}z~Og;Qm&q~oh@ScJ#^Oe;E=}d1syG5oVQjIhdoBNE# zyF?kisepfGH|I|#J}0E{QQqd__+Jb;Z~R<>FBU9CcqnX_cY_7y!6A4GnU~TXB{bsx zq|nL)6smF-g{AyG$L-q5*YK47>6a=gdQvTx168?8@2uU*dezw!ITp=efm%}ijJtTCIRAP*-Sa`za5P>mHE-geEc zdBHY@_?JuQYSh2Ae-qfW1a_2H8HInS@QC2C5_4g=kRE1ZP*M+D3u{in&SgJ|8Wi3e zFcX!Yk@2zZwZg|VR*G@xlMHZBZdsX1Hzi!wFH`Jgd9*U^dk|L#PP4KSa(-di%SMk< zSM^sk##LtA7lliNa=`sJ{WaQSZ5-`SdWNV;IoY0(eQx8|FLsirVVkL98n6iVnM6t4 zXv#7Ql)ubv?Cz`zEdp_7`8Pfw=+?t*AQ*t8TSrR$T zUcT{pGJ>jb7`K2P@tYTGY>XDyI;U-p`X4Vx>mXagu4k3FEx=0ZD~Ds>vElQDxns|} zhAD}tK1)|O_{6%3&&?00?^1?X%fZQgG`6AijN=G46Sr!B3N~yiF=W)}c!@*3Ia?QO z^O)(%$^L8|_nuUrd|K1ocAaGG_3!Z?J*|=wwx1;-Z25L!*u9Xex#_VFIy11;eFj{6 z!a0`rKD{*X5_4-?)b04$E*t{9mauV%UM_aCE{Yu=&WrH-6MbDI4gLF4b?pL9RMMhU zmU)inV!GyED@31tFXw@Dde2L67nZ&4AoE{IsV__9oj5(7x9V}R%XyM~Ed$nqz7OTL 
zo?ypg@Qv-C_qraBC4^qrZKLaeko;CX+vD!m?ri>xr_TfC^9p-xz6BnU_0+b5sgg&l7;ZO7IvM~pd796j(& z)##PaB%6VKLy=|{_#Y*}=h_mL`N^|iUGn%c1Kh~E!fjCPF>4$ zPoGi#r>4M2+4% z(ZR>6s-d0?4Z^ZS;;V$efXqrCL@wI!A3Aum-r?9%F&inL^1d+<3D^wbVSITl$@_n} zbxUma3L<#qP;SsI+}8It{KU~d%AwUq^LT4+ciySvZ|)rAEtu0kS`cWK^F)6S=_IyK*bc-}=qRlJX)o4|9butTWwYSn~=1Yct`sWze-`=KV zzEHA|Q&SYV9vh#tMx#(K211BlbNaz%f3BK`P#z&P-pFhE_iA7v5i4_2Eq^+xi)o_f z&%dY1yy6`WF!n^}Z=@C;O@Yh!$mv(bXk?{{89-6_mKTwRU#lvcEQ8;)7bDnWYLI{VZ9vUA1!?t4!;Mc;z{xoD}Sz4Ak8g;zh;Sv+h$%RS*w>&C@+w@tOr-( z(W5943@r?b$O^x*4`@;~?s9yII{xR7N-M^`H3AHh6OJ`{4&h9>L~;2%17F$*$%Lis z3SZyqp!k}gwlu$_Hi=?kU?KyDjVaKzhPVzpP25yoXoEAi~QhowVraau0GsZ#U!1{E5E#9!hBG#6nlTnYc z)3ls0pAA3wga3!#vp5vvL-y#CVIUrr zQ_EHRP-RmWPnNCBPr8=683$FBhyzI&O6N`lO(3T8<7>6K3>%Bic_+G-6J1-GxN4no z8mrjOvW;plA^Pyds<5j_!B#9mHto~MhYzP>KX<%RmG;tjvkIdUPNzZ^!+s@GOlCj; zskdl1k84o>hx1HjsU#Z|C2ra1>z{3iNhS1(3cUH?kO-^L1)Jen$nPVVL}Rs@+4Pbc z1Nc0J!CwstnR^V2M;u(?S6=K!L}jJErISm|q*FaRzq-@_i`k0kfU_%Cw zt?fL?eUd%dXa>=uU8roy*`x2YsY{NkOtqL3efS#AA~@W=b+M@Rt(ena0;z_Kx2i=> zjP#g(sg>o*t~`95$aE^%dz#djk|^E6SGN}a5Ydr6rjDO&uW*54ur5+AS7meDC$(NK z(~IM@l{TDBwpF(sQiC!MOjSdWWV>aaQuUCrJ9ok)k}9dzb=Wt{E_#E;n=S=SW&W+k zoBkgFf50yMcn^KZ`+xMi3NY~Xi2Gcqf1 z*2X(T9BIm%KX+=%q}SW$Jk$Q0#fMitPe)Qxkto zB)~Cf-9|EinE}^aOw)O8x1z0pBF^XeGDq0nrX4GLP*B+>$z|^WM|h6=hh|+n8Cc<| z>(>a=rsrneTutYM7O(5|VqLA4U1Z*KIhgP9oXb$)viDN3Xz9s5dZrE7&US1z!+q7w z!5T-3)8n*fpevBASGP&v&=ocKf^YS;(V3py;Up^LP%fw{yF4 z((h7t{${L6HJqgVX;@dUqsrq&sDH19bgA zoEOC#6`RZX{%FF}?DANy>m%{Q zchoHbKa=aK*t?mAfSc7bsM}`AH0|A6teuZj>l^#CX3%4rKGTLngnDJ$d5t^IAc9?Cw@#0Bq>6K`c ztR{>uJWIXil3?wWxx5ymzUStamIY8TBqWEFPebA;nX_(~hDmX84j3e-eCaI}f=ntw zQ&AR@XN>1&mE6x~L0}Emb}3O~GgbZNv5m;%g0#j{;(?p076#Kll$5yfiqXmvXKOx+(~50VjFCM@C7^eNRl-yMj_3%_#1~0y|#c3(-?$G=&ja z;9yHcK1|mZbVJWlIr1G!MD$?*i{=wlhhlsE?6?u7=E0j(H@iHNyRyx=EgpV4_3o z09vVzCTtxt^LN@&unE3wTv7rar#iWvnDc6Uq){Cj+u--ONmlL>sZN#jMz(8Wtj<-T z!=HFf=7J4h#@W@lHWYp1g~^aZ>1iC2bA|ldwd&=nYlXqtio^rI`_&xz(iQSx5~?Z6$G%1lw&@m)X_=7sJayWI 
z<1{#bFvZsjyFAOfGLiZwpfJ^BajNAtnB0WO4{|r?_fLJ}gLExUBp&1%RY#Ff_@{0g zaby>f_N@k9PNfJM{y{9KvfJm6ogXx8??1qJe*Xk{(l`a1!BcMas6a(aH}0n&Ii$$>A$^r6iGRLex1>Kbl1xr9Rj4yL2+TOzX5jCiYH-|-cZJJ0KG9buEx72K{z9co-FR!8Owd5h^|?E45cDne-P`d8Z}H$&0>N9o=lf?8 z=rZT@;FC}7^Oqm`N4N+)ZpP{L!6)5bzn^|aB^#b?;*j`RB$3Bsfpe@Ad zoSp8BHLu|h2ffDuOjPduNc&zD92CVPB1c1~Sr1-4|My0&?#3yYG^SpV`Ss<~fCl3f zCgRfru~(UVtrG}^ZpVqS5lEK?wmSE&p{|?F{Wu^d(6=UZKJMpze;D5ffHn-fj|p!d z&Ep8RC9^v1{DoY9i3W6A`29;Dw>zJb?k4xpW@z3E00cOvOd7oWHBCA0WYTm0=u)jU zuxlbQyxV!o>tAAGpCQQcomlo{_2g??6whjGrQp&Ge#DxLWuEI(BA{YIR`&_|v`4L2je+qyE1A z*`I^&#p18y%Sb!vnoDGZcZv7O&dgCkui8bue7zRo*BDy^9>uOpc>DA<^Fv$IeUGtf zH?}vn`}lj5e$QW?0X~J>t=kwlm#)hVmMn(dp4&AQoxSsb#P@sQv~0f{gK#F-ft2gZ zoAsjb+^4Mh)5muXxURO{50HRo4)^inU!Lto!;KCfT)z=a*B$j&UI&-+ic!z}GA{2( z<=i!&Eb@S9-8utc8N+dp=N)lc-t8Ipx^~I-%5|RJGZGWilkhwEGyHH2d@6YI_6V@p z2Y=FS5Ev=c4Sv+H<2^5?dQ<^E?)rHWmW`s(eReOR-`%tEkB?UY$15+BV{V)fXv4X_?9f=WA= zj6JiEr-yuTtIJ&DB7o|%1v!m_*rl(jjh^ZH*SR>#*9D*=)xHq2GfxSWYRLyH>K)WFI{MD9xm0WdWmJ1J zS%ErtNpxzSZyXHK>e?9M)hozj)u@ZU?Fn;xK8KmBrJ;X+9;555SFpLSr2mGc<`nxW zszzPSZ?tZvk?{~ItW8!{I2CE9=6L+2;b@V^VfF7Xl^zRr$z&M~-)LhYD3nPTf#E@9 zL0fBeJaWLvr2I-XIZ3%sl&9=>|K$ z?37nhE_QpUA;$xs!l)sEOgn7BYqgp3aTRin>!T;uJuWh7(}=R=$lBWZI}snI=3M&UA*i z?0KWxmNl7ZnzKktjJqXS{^T6h?>P{~=@NtnqCHfRib0jcvsaHIR=V*hykzBdC``O^ z5{l?UF@kkPO7Q7kN6?R%KUM6_#RRb`B^du$_o*Pik9*lje9B9ERB~Ik zkCN_NmlRS{r`3fO>R-k=wWv~lCAqceO8pdiPRQrG&&<-7l<2RRnx%r7{{I%`HUC+Z zcSFok-;ua^d|WqKkvx$wOxC;r-%um>euylf$@w9Hg~7vsf1gusKD0PGbd2%MC++UX z76rW9i2FE=BO10{op2~JaT8n;*LEyK(h&)_Jog!B`6mr7jB>s)Ikb2-s+|rErs`D% zu+PzpMFBn<%$xeHDcpe;ov&-A0gcoJ*L#Bgrr|c*DBE{gABKAG#ZA4A@`^tVbgxEN zh#_n%Hm-JK4X9Ao)B~Dl0&r@8Z|$-S07*_ApD6us29pYXlxf4R1%pxCI{v$Xvyoaj z;)jh<&kWZG7G0u%52C8-C;=|;u6;pF#&NuCfY(qZYUj0`$H$7}du(rRRG0H$()ofW zQyVCCPx&?}BRRqxr4tN8!unrpV@5kiKCUzOyu)O?E-$D%>we{uFWAQTD zc_R)m@k|2vnK#}{{<;RLJ~o#F*8Y}lH|$PUId)xddGZ5pcAu}o;Uq|AG+LlQhKr)y zZg9}!a?Z2-`TJuaT&&^q+-+`_N>*3b`pAmF&zqxdpEJXNyJP*Cs)1#5L5-kh+R=y+ 
zo_{wUC+Vg{cS>)<2foW0JL!P^qc;+t$7NKf@b`dFth7MXY>DTp`7=A~3>e;zhKIDv zrn<_KH%`C32VKwAvzh7bzu4K%k3jYO=H)HTfWy-3ZFk`7vAyS2Pt{_qms@{!8pz4` zsQw(A*DpeHM$f!^iDX?vaSI4J*YVz069)nk8esKr-GZb3d|qpQ+R;D&s>`GoMQKFI-84opbprPKsNtvUY!%D^^aPRn0pBHM%+w>X zmSQN>4b{L2*u#KEMj1}T@5>N4wW+r?d`fCG%;JMxNh{V$%)cu#+4}JHh zdKzh=LC;D4igoWo1B{g@LQ{t=%Ds;$6tiz@>Jf9RHVRGiUsbBK*XtBzB!fGW_#)$J z)SeRR)WWtc^P@GT2o%F8i>OqI_+Xe<@7!$scw51+ChHIzeEta}TI4b7c5%dZqZH{8 z)OG5j%YuYcL{U%bMV8zo%DFO4mIzwCJ`0Ws3@8EucjNV+Qs1y-C?ep6P8n4Q5inUE zY@2kkaQ;mEazTyj6DRk?M`%v)>{2*eBU`#Pm{W$7mygVn0SohUGnSmm^$$aUVdAA~ zKs*C|(MbCJSt`-$#{={XK^g_SM+CrlT7M9FSVyLE4;aT4Sd3Ofr*HD^u2 z)7qqDQ?ezE3q{^*j$y%c;05QASNUPLlE)W(3ac z&Jux|ctb%csNhg;qXMJ%LT_aH=Wt0O>P7M(h2F(S-l|eKgc6Ct-3ddfAC11P^Nw6( z?KAN(c-@p_vHyC6t@hAiRp^Pn+6B(hW6&1<#dm_aG$(0WP|$|`#>0|chO9rkarf*k ze>S&~z)h?gf}?bD;D6U<|LN~ZIxI3Z@mr%X#-039Z7n~R96UAG&*Yp_#epaEq9A5Z zKf)=7LgDv$82UezetqdcBPkd10DKhmhN`s&0e?S8u8AgC2y=4`y*`B|BBAVcpdAvk z<_RCw8DJA6gRJ3(dz-d_@LfC!du3+A<1U1hPz>9!$1Ug=HM)cO9Jx75#TSnaHXs(~ z@vUK2glpbezqvqg1xZw=@o%J5qP9h!91M9JR8eJI#1c&*ZhDdw+^({LAyW;$)ub*_8(vKt@KT9GyW3Fjo#&3>3%`JgSsI=5GW1GO#4881o++!kt0{Ln{7_&eeCBh zXkh`I*2&t_JN&a>rUv1Ir53MO@Z8U1>pM?76QAb*V^vx09|=(774@sV?N@a~_M`ZG zly)~KOwR;MUi!lqbt83J{dS7mpe46Ov?S1d?D=W(1$npQWTf5Z)27Mw&yezs+PaT` z{%T#77SO{z0Jz3x_QxTZk%IRlY78Hy5MRT~>|&tMRf2%v!=(DMiraNOUvnd~`O{?h zm7VA6`ayN~kcYwjFi3`;`*T+fX&t@uYJgcbkBxAnd|KzaIC@&oZqiGYEl6r<^|+9a zpnh11Mizf`yZb?l#=3c-N82%yqG{V9neNDIOYL~d>+X1)W0!j!6Ig=Vy7bAXa~N|O zy|}G=SAp~F4MaZ2bDeeVDWb{v(0%@Ljr*;Vk@a*O?9*ItG7!fv(2oBw|00Q!`Fbe!%eHK+5@oXF7G8ddfuBYt!>};54vAg zW?b_+x-AnrH+R|WMcKN~!8#XsSx>LWc2c?Fd@d7XPQGx}fCH-bO|Qq(DMe{8z**IN z^dBFKGqZqv-M7s+xVw>*{qU-HgAl=|*6E`%cTIu-q+XF2ueyGpcq<%V`k4QEWTo&-)C?zt<@se3Di+ z_{M)?-g*U}+rT5f|D?v^pCmqpDVI3;Ugut;^Gp?}c8Nw~ccL%(?z+oC`A1#eK&7|y zEjy-TL1qR6h0o#!N+4PkbQ@KTVR!Nn&MimJU(#WGVRwxGuU1j^`>DZb-rFep^Vd2{@Q%Eh*_$Mi#BNm%tCjPAg+; z!$$p%M-eaMwqclru30n1+N!9pd~j7GLA{|zyY+H>f z!e-hTmA;|g$1H8%8CuY&aHrtVfX)P+yh@#RI1LF>7m;ddIMJ3k--A1u46Ot4*-=>% 
zJJvI$KgQa!Pi>PF0|qh1zg#xKRZ;{ZP)exnhdb#`w7;ANNKCmvK#S5WK!Vlal=_d; z+1O!GbYO?pPGw!1zq1s-XDVu#Fk&Qv5e+k8M^T#0tS_u1e=h^%Zv>ekV_qTYH}`y9 z*kHeMgx9+X^bQRvvbC6qamC1kxnKX_^{d!VU=-5*)!D(VWOAnC99gYjFpqOMD^Ze0 zDINJSs8|$z|MrWPJW{hI*bp-X9zokr4DYf~HN7p42tE9x{l;2d@_qBKumEc8o2ypM zX&k$8ecwbYiIg=|`e{R>c0i=ZAl+Hg**=_}nM(={!b?fz{x><;(%e5b2$C}Ru}bLa zh5Su>XoTCW9V2GodKF@tA_2vn))ZGl6%}9o=NjyFL(LryNZ9N|!u7HU^T8=Bh>;tM z{P0&$^fLhGOdWrWv)(EgaG!meJOjWqX?bl2jf5+LD56F5t2SwAl)-wK=mX$X*G`(; zY0YHHyZpmto5Nx9xGdaN_i{c*1j}O&9%G3^Zu5T<5I&Y=*b1~UO@6BhBq?>MuWa52 zMR&eOxn;CrLLmrY{~&unf)j%05Ll$ng&eJ;)kvZnk0XNzUvZ2#k*YJ%iX(cE)h{6m zWXeVJgeU8nfj|fh#1y;^M9Ou`qVU-0fPB#*?~uRZd5`8ao65M2y}WFk-pXFqv=2_T zXM<=e;>%4`n^m89L)%6JFWr;COHI(u7qe#xO;(vIO%99`ARXdgDYVSd9ZPm$GMCiN z&2huYIdjN`cY^X6uB0HJ9A!-jK-us|Ixz&QxYVaYq zko;ds6JX%aC(Hq27dVjVEj*06tQp2ApS z`a0kyO}50B6<7jrygI}tjR>lt2m=p2U2}>zMb(7~#{XPs!CeX4tPB0jE7;$4Ec(Kv z;RkmUWJA>3^q0diQ(sDk1L@Go+A>0kA%s94xQ-_(z6J-x1_Ra)??r-zMrX0z(x36Rv~ zTRZqwHTUP6yBD2hXXNozsOv}n9uDZF&+J&|Y0BX!^*zIPms7>)_2qyfn#Yu2za?Pm zkJT+iVBwO^V`4vnHqw@D|FQ4;%xm;^4r=MTTo;6U;O12(#auH;();zjJpt3Y{Rw3W zpBvxhr4Yx~_XE4|nZS`?>wr62iX8=u2M!nX)US2r@V2puuf@%vcYuV%2^gg$djqkh+<6&XX>~U(v z#@%eg^E@d%-%L+NdoEohqdm!S$;T{P$(w*Ljbe@c%5f1h@lcJUk>z+}*9)fWW{98L zvHOTD83o7ZBl{_vtXkI+?O6Op(NEVfKOjouA{YwkW~jAswK#&I1Bz#d!cC_=@9lwL zTJP}{E7@E{ujIm+*zpp2@7azh+mO$_+kO7B+@^D1BN@W%lqN&3)j8ZHs=P9b^Js0A z;p23}$W~KR``nLW3sCJbYvg6eeBOILk_|dEn?owj=6GL9{|4OB+iHn8nEH;nvF8Jt zfx>KD)Y)!7IhbVEy!UlTmzv%J=Gi<)vIEVLs~oq=LtxuG0Rz^c1`OA_YJe*!J*j+p zt6sO=0>5@ZV(#hiQTI0*$Z~IHrm+vg`0fJrvq=$m^ zMqk`MiiO&U?kmSZes^Vol9`yaE*T;>+0$pB`^pCbQodZQB|tcQMNJ7X|EmSv^79j1eP0y_p~>%~zJ}DMfb$80mlf*_bXSDNe`ckI)+x!zWpG+*~Ot$19oMlTEru z(=AHrWA;Y0!=5izh;b;@#*3)!Ia}qhOmZmMf&8>w2!*IyyWsZZCQB{T5HM81tPox~ zDduDtJ|0$_$KQwQF$pgWn@9xT-`SZ@lTUKZ;(<}51|BF#Ut7<{d)&&R&N@2(sHZ9ImMFWB!Y zQmYW`lb4vhrt7GEAnJM&6a2lUZuVLNQT}IPD`W|~Qe@dwDizVLmhZ;EJz7aB&irJA zgeyd^<0heXw4lX-n+#m>nJ^Az0Jt(fdpxB=#ZkS(&gh|c4<($pq9iK>V->taJr((_ 
z=|7x~q46JVswyR;s;H}mWuayKQul|FT#^g4y^^9fx)3m}v}OYTl9?%^^MqiVaFt-{ zHE8Eq;^Pv9_?Zh5e7p41RTLop#rW}YT~1X&=7R^TYg7r``yi|~vIWayi5ql$Rx*MBA7iIaaV)#r^M zk_?Y3B`R{-xIhc$W2#AS$o)=86}U(2Qa18CRW@UZT9%fxjKMAtI&SN9)^C96GiHn| zcIfPJ^TcamAsmOZOsNwdCn-}7Iw?C;WLCKS_K)hk%w+V(d685J*Y6GE%#0OZM`MM~ z+%uA@V>Y-hFlIs&nPPqdtF=BzJ3(`KVQ|1V^h<@(DwSa)Q~oEddAOx$6pF?0hFAk3 z{nFGtPOFuYSlL)CG+)4gTY#iYH3AGCT7#x2>`AESpbVVuR5~``I^~6fmtkB^s1W%&|ky`BU*S{f1x0JKcm`0 z2uIEIP6He` zV6i4YUTXFU!FhbDm>W>ZEft}0NFfIy;yY*gixL!DMQSn3`VbGJG=sSJtz9pWSgZ8V z1al%pG#6+_U0MVQZ`|WD9I~*FQ~yt1vsv}O4}LwS0n-^EAB_EZpc8BDd$?XVh!h2t z=y!y0D8mll%hxFUhIo@r8cclhFed-8{hXam;HGZHb9wd!+|zHG1M*Edcq*KF*|#x=BR?Iw^) z_hwzf#zp4jJ$uYCp3k&i^PhtoCHUwIueZ7N?oJ(!)yw?mZSDhCw`*>`HoN}oZSS(0 z#oWW}Yp1G)!F(*0s*2|4PWz`*?(V&ckL6}_{dhexUEiySNZzq2-@7;D8W=2^r}*th zx%G=RwRB`q@n^`J`y|0Z(|5g2x@zl39s5xBWv;ucVqJh~tw|pga#i<2w$0tjYBfD* zxO?DUwn7JR<}lHE@Af|LIKAyG{B^HL^TMO@QnvM=Hb1KMfZFmNc{*@QZ||i%#ED*S zop~f4x#h+0s9a9>`C#t8`+bSrOcmMvWOj9$$3fD2#kkZ4Ipy<1$`Vw{x!e)=Ik-B! zWDD3?;>q@LYjz^&KD%5@dIKsPE=s~@`Nn&jk1G+h-RG?#FVZY~zI<-m@p2rD!n1EM zJ|~z}dnM5T1zvAvjTP zzWjZ@ZmuEmty!O~{!>5Adwbq|;k&LE-TmQLNl!66yPD5;;keo;$LINCm^}chUIyrc zzczp-4gkJn``fqK23&A3+gu>O!qYCgY0P54a-7}o!3OPf}kncIu)r2&?pF$SzhKM&nAFqRObv zoN0iaJ)U!>{zlI;C54)iY~B?wo7d0S3p9qD!GM=q;__6plVj4a?q3rUtS#60YO1(M zSUHE`s)j`B3MVP)((6s>UvQS<0D*8@Z z`REQhviRK|#!sD8hbHQGsgV-I96{aSN_6}tz9>H=bJ(Q-?>V^i@Mz)*QtVMW#%d`s zrOw@ag@%mLyu6eE=@EMycp3}_f*VX-REo`<86)?_4@B&17s7A7oe73WLl8;kHH?BL zjx4O9BYFGw zW3*|9IdvLm!oD@Bj+&suCIwlmc{ zv#I^EJUvF-0lTXVP5d&|i2@-OgTec@(fjgN*N_VRA}vRH5cJvi*LK^$-3Sc$#@x<^*t*fBOsd zu0WamakD{ZD^b1e%9g6NZZ!4emF0an7UEjsWxFQdRrNmNBGm$l4avDuJvFu4rPn_P%i%D56n|3q=CwX+J%jkW zePwU%fEz*2K+pDhRnBOVXYc)uY=+z0q~y(-$5Jcsn%XM{wiKRB=yTpY{ARQiF6U+f z+9sBomCIxBW;*{0VF-4=JZ$4&-W^yfSy@N)mU>o$Mi?e!#Q8?R|w!m3pF9O3;; zP1WsL-Nj?)aNd`_%d+=kT$9W7fB@f|>*aMYnq$6_I58RD2XxR3a7t_4 z+%S?`2dPP2wE)Ae3GQBES8OS=Jr21TWRD23Xhm?Hki8d8ud_bSkX=*CKMvT8I*(;} zeQukd#y9Ww`*lAzp#dHu3&?MWjp071pzfoO>;q}w^fD_D599~0i1wOsbg-=t8g(O8 
zPE#(**4o8-&Yr#i-P=46NT1PqE4}q0RyULY{{#4P{sdPt!H`A=cl8{Ez#^p4_QOZ$ zAL^^(JFJ>*)DioxC~HsfV|GqG0VOko2S$L2$N8|(UcX+l^qasqjim71c#i97aFDB}R z;gk;&mTA&iUmw$!NycU6wpt)jtL7#Jm1LJLk2Sh1-dEXAS!(u4Tb+EUoI20Ah%bPf_6?=OPo};&55LD>KUw6xK09=j6||7{bK(bYhu=7kQf! zJ~NG8G0XEzEs^RXmHl8pPD=L`dQTL1*PYKA1RXUJ*qHI!=0?nv48uoF5aq}@Mi)Pv zt3u&4L~Rmq3W>EVq3OXQ!dl~ab{r@70EZwJQu>dMkL(Kypwb271J*;fqLw^gcLmOk zhs!1}&GxX6Wl`zUD0N6p10&Lfq#MFPf^C8zZt|R{Z~4q}tursRRFU54DqckePJD*S z^izD1{HXt)zF?l~_=EItKV75VO%U%lRu9?H`$aIVpWh`BNEDS&IDLP}Pa4K!3qgoX z*6u%%QVaTU#D>H05V4LaGbd{D+42kE|DXt{`epXL5aHUG!dY-eriuqQPf+p^+B!3n z{z|*^sAe!9J2;OLd4`tx5!|Ca{XRXX4k7(g*fDv--~D{|HyyDbbN(#P#34D$#2fK~yA#csfpG_>fVD(W5BOj`@P?-g(hj!;i~%hYG4A;;`R;2+V@)Snpmyfc9L#A2D)`Na`~-dmoo@V*UOwtgFSADn03$vfV<*IF{5U}zj?lWN65Xk3r#ieJ5L z;N883sq~!9U)T9ubE~+u09k-EtZuWT7{He`=hlDm9V1t7H?M_qU$>99iFLD)9|ud> z_)e!UXFpF>m3tlQye)7|W0VXo=>T)`v;OSvth>D)I*hh2PZMlSSvL)(QSd#_7}Sg6 z%wHAmnI?CBzF{I;dkw4Fb%J`bwjPtck2fFpobHP&?y1}E(W0vr+(8IWciRq9lk4XL z>D4P;?Q5?D)4aY@ndc0*ebc6(hiV4ihaDi#b0R^e6G*E*mpSPj?dw?+yJ4+$F9_cTe&Qc zCNl=!jaHFFm2oK$I3f0aW!X{$Q}yjpq|NTVD+Dcpg@h8B=Phu@i*BpEXcDVsF}icy zpqJ3?Rw*!?50xb11x{8;?gmM2SLJSkY5Z2lE)##HpSi55GIr9Rl0ArnGPL$9m`ASb zKrJBLqUqnxXV02K??#-QihFl>*gIr zw46FlyqL1Mr$;fFu2G%xa#nZ!8hMg7jZT1fN?oG~5mrU)H4dm$KcX0kJ7~&KJqC%? zCnF1&@khYLrY4IKa;cv=G z!!PthRnfFE{}#;~D@t7)DX^^S95js3bqIJlH%=7R!VHZuiZ$zeg_wO|H}RD+Q!reO z-t<9LR1gwoMCew4TO`9%@~)N_Ks)Jv~A?GSpm(gGFSvoGLyr6c4P z_No7Rk38lDLY$#YFGtDIEE?8{1cu183rCsMPuG9VbnfOFiGt1M#>R}!{U7qRq00J1 ztElu6q*2l8GjTg%ndHWRpQ?Uvy}yZft&oc104&Q))O5+O-syMCBV#$@zNum3{wZ|hgJ%q+w{sKzQ=0y^hotL=O;1l6eiIc_H4WrdQ=hq_};o~#d@8LXorOe7K z52j;nlZ?{{_Y?mW&>WZ&+{r3 zdxHz;HZGBlS0_WiqT}IpSb5F6J0|wb@v#t&e=OH|{CqY0hR-+l=jl$?t0Qsysbdyu z(}%C)!}H*bkD+rqN{jY(xL?g{$NVYJ#Ni+T!oe@qXO_(BqGlT}r0OZ0pvz~*EB*89 zgyR(Kl(xk@3_ai7fE!J`T6piT{-Oo7%7~pGL^zrS4O9&|!z=PS>WeZs? 
zy?HgB=1=R@k{xc_?YvkwQ%lKxy?Oi+E5WqKWfhiOm&uij2e1@v(1@womanz@y~pO- z=XgP?!SXiau%vz@fX~;*b{}ZAvu*deauQ>-t&=qEEkDPweZP@8#bvi-lwKqEpbBoGu+}E`m65gLha@|J8)Ml~VaK0BE-};!X zJI4FEnha@C={stqwsssA-QBiVN0ScUl-a%zr-gsh7m5XAN6@;>4A3;n%XngRI)Y0) zcJoU`Tk`SDr$hF3jqIe?d#(s!dv$;E;q$S&8`vNI@EyeS)HlM4=@~zIH zdp?hY&T-e4!@uS9m)R@ohOOsW7aNjxpkbiza7XLWv|HCh76#y+#5Mn#&fO}xe@zR2 z<6{(uVH?Zlb>N%q5i^6$=N@M>=%tmJfk%wfJN3B9-PdkS<0AeA#QKgL0ayc=p8eNr zuGpX_-fnxd6E`prf>zaRX-)Tb0KHBC`3~)}LF)7Egfa{&@b}gx3ZKIokRXFcL+yo2 z0kZIDg$lG}2>v>XSe56?D*nENVbcRRGxS2!Z%BBn4v{%LJB;)5hMqA@mWxe#r12j) zT578ft74@QaOh=(Fj|YMn$40BIxGWQeM2brz9}m0U~6uPo`odx#hgm2zLbx_@cCb3$O(?R7&L%2Bfi-Aq7fX*Cpm& zU={H4j=+XNQGAn{ZoYB+i^WMfKYOmsTPIKTbg4bX$S71%|Kn%7q0dZ`^CY(F3p6== ziy*W)*i`g)5?n%a?CH|Lgy!!|TP7Fi*_MQ`l(3%y5j~Qz)kArMmVVT1sD^#mi+iRE zZVqa}iT=~8uracj!(Y4HmVfw5rM)4 z8C%h`2s3Qn&PKXev3TB5n3RRZB8gIQ9wQ@RNg(nfmfx51E% z>QKLC`68|$HjOG&ZPkGeJ)|*Iv5fD=7@Bl9U+MS9J9EKwPVL=_x@`u;;M*J?>{ok+ zQuIboef8A=;e_|eBJnS5V=si}cjJb*e$@hujyDdXHlE44vq6SKKKN;r;Znf&+KrN^ zN7Fk%*Ceo>a(t5S!%X1~bRemcmP<%7P|m+;>B309dfF65f}PwdF(IK^8Ds4bsz`Ry z*#wZg@_gF)m<2|1Cxq)jt^AAL6L@VZ=|7I6%;mIN;IKMDrp!7_k;S zDcup=HYe0DFI?ZIUR5pJFsqtEA{#x`ej%%*hY>0YFCV>~tPoRS*SyDxP{lS;T#2sl z@$K(?ZG=vs$?{Gei(t|HXN)9sKt$SdFe8b}Uw*OtA69<_a$^bdBNgkcBz(IhJ?S$t zT1psQt+e6s7Ata>A~`nGdC@8a$7&#M$-MT&dz@Ec{d3EoO`uKR7zvD?{yqFEVBJK+ z47ca7ZUrN=G8P%I@3=ukDi6X{O@+8S6~QcA^2{MM^ja}iIf zGvCO99Q2 zsqw5d#GHU^!Fe^{(%b)gYRAM=v<&8eCMoz*Lp`VH5O*Mfg<8JfFfy1?a64$5rR)F~{ZIj$s>clN8zf+(1))WYI6Tsj1ebyy9s^C^aKG}8f<_Yayvw4Glr zuI-TDPlcLJgHF%J&yRWWU)#5yqnh>?%QJ(j#&T&o>fbqSfjO0_17Igw%@HF$fMqx& zjLAr(70*b0<@~R%-?Tgi?eUWWstiKZA`XtZrRy3?uNfGTf5+wyGBFBbX|kk$ktGS6oA*pW;qUFvt2m`>AN|$jD>~<9p39|>KTP3)7eES7wwn;*BZsUdJ@}p%kJ7dEwI6P!~bR&@m*c8$>&3nHF zu{~MYvfWQ*5zmd)?RaG&)cR1U2LgnHKpMc;>ra@^|Je|;?su=B48d<_@V)@HGw^rx z4GSbPzcx}&IIXi^RB*+#8MM-QP4xtrblWRS)P3)|RvMou5dS<)4}z*p{`{m>O7_e= zPF&uf3%ZYAPtnzd`QXPvbZB9UXk72lOBARA+20x|zQm<{5BX@vO0q1S2}9cqN^u+|+?wi6 zMMcS(WxSoar{vA*ZvX-a0sTNZp6yeRm$=9rJcwrz738YV8bwK3L-Yq_42>2!X{}}S 
z+dl8Kf9#N}3(_V3g|N#{3Z5azHh;-P0e(^`@hFP8M^hqIiu|;7d}x)Q1Yec1!p!j< z(it;JwkwoE*DC9#!r*JfHE$*}S$$zy6=JE{TZ7zulU3_#?Xvq4YKfL2Q}_m>#R^xc z3oz>VA{}_VXqn>JiA8G3%mNze`lR3gPBFaX+ftrrbT|@Bisk~_Ms>*)e^t&Pd@^ZH zAjbaR4{joMEIccc~!Cpz|JsDQOwyMNm$Rr&{sS-{WIS`Q`0rM$KCXArj00Xw_ zM}j^gY!r%qcJQMRuKuu{3;*TG{K6}>VDi0EQmY1%Hl56*&*r2s)+j*|F$*J3$VJ?N z#0S2xPi>gr)QON!xGz#Z2cJ$oF%22u87L2)s>l*&m)>!tsrKJDT4^G@ia!O$*M?hM% zfSK`bsV0^xQalJDSW>vDJk;WcIJtxBwcuhGE3T|tFPHJCu7r8~Dm@H>mGw;ju!{xL z)f=QrEHj>rpak23r)L^o*d(~ll16rwS*oyFK>VN~7A;kk2wat&3p3;2XYLpoLSnWe z8HWKWVHTD!BZeu2AGHgn*5dPYrWMcBS0#!KkhLfVIR@>&GE680>leQTpYDF6Iyj?Z zsynfj?VEMJlUk8GvTNLC0-@`ciq7LruS{=GBT!g8I9-N(ie{0}pDEsle)5N-nraEu z^2C0$5kboIT)i}k1`owXsEvu}%AGKs1`;UWQDyu)^I0z!*N!kfHk4!ZoP84g&V(^74OJ!9VN8dXLP%tc zbpTl_tFy;%XwqeHg<{(?>$u+VSIVEEonUbejl9~dkiGJbf`Ypf#(xvTH%)7Gt^8004>E~8{$zdVlyC})2swS&8Q6g3>3RSOG zZ_Fj3saaua4to;MQx;6c@+^@O6d(`kU`((2xcn1qhanIuq6sen^FlF?GA|T*bx+mQ z^243q`mK0?RIww=S}u8Yimw|fuE~OO=Akhr$g+c_jBw%R9)eTHB9(r0@84*?j+~6l zzu-I8;zH zk-`w*%auTpkHsbW{ti_u=CL+nod}y*ee|R7pg6ARShG_QHBqMY`<%?$dScyh>n;OA=XGG!-t_W3T(?3s>#Os(dzGZT1iiTxu z)K(Bb2qxWUB4GZ%eA;2d%T0HOzVgj{EicuWcr!sp35(Z05O)Arbng$*S;s}U{2%V&u504D^`H}tVH2vo*7j?xe)4qq#@p<$CZ);WE@Z@Hfet$w1Z8inE z_vo_-&lbXe?R=8c)4e#w$jEf_JS`ybF}|o{7P4+%9G*1seO+>NQss)?^S$4fa`SLH z$Z9>MSwvAhPdzsbMSnFs{+Wj`lt*zDJ zyW94g?@Hpx>OQz9&@VSX%1}ctT@L3(UFNGzqT15&) zcLQVXM-v%z{kUA@rM}%qbK4dwC4DT4@x8oM`M7PHR#P;=scBemE=5TJoY$6`S(1HD z_xQROwRVSSI=jmrJC}o_)ZaR_K3}gp+s}!TC))2N+y8PK!Dnz zCpXT!&XFx%mrIn_d<(6nYWyzRAO3edc!7%$xJ2*}a{TqI~cM^<@?^B9cNHE`DJ zZJaeyGI)GNn6|5J|qENIL8aE@(Bo>k24m4#a|>-_-m}IPUGt1 zq>q=$epfsmpnA*Q3-;j=NfW2RB?*k+FZR$NJx(n1Or|$T>*NsnE(kCO8iRag`Ssk#iRpKOwWB)a3;@7 z(Aa(@TOlYvz+12&3freBKDN=lK&2+O2^Y#ja!Lu@2PZ1rf(03D8e%=wRpzpha{J&> zFUZ4(d+HmPLI?En3)0wMf)Cf1N?1+&Z7c|U{>MA4GXJS-(YA~ix!>btY5Ge!LKq3{ zQgNNQRH1)b^^|46iXUF)cO36fn5YoB@Ss&*0IVD_8zdkYt288{KGNjq(2`{#VsC!xJ2cyai=(m;usP4qhDIAlGixIhd>g7ss z=e}7D72XQfuDG$4q<+Sehw+n=_|j@L(0gdW8T57)L}ZH~yV;ALA@7!fhwt)&heP?o zq4MkYv(|{=*rX-w3+4_bDQp 
z*qJbkJ6sri57*Zq=Chm;&lx6F;#VQd1}0i(LAfa8j)!>aqt<5xe60={`+!!w@^1|9)DHp&gMX1)Lx=M9m@`&nj+v#+ud71GU>I zn`sW|vf1<)L$i3UEk{?ZBZ2!WA2uIiQBf(>rdhr8m+9nUNIY z4)Miu+H!DkY@}49l)oBkl1*WBNs*^X=O!XoEJcwNLUR$3f?Rd_7bp=lpUhM_eGXCr zl7hr88RxL3K&i3?fJxA6wJ(29Hyfm8f-iq-78+m%J*7e7B9f=V>}>rG zWn>9)(AKTI*ec<^Q;X}i3r8E$es;`%Mvxi*A5-5HURT(yn>1={+eTv>jnUY)ZMR7p z+iGmvwrv|LcGf!i_u0?$@0<62-h5+@@k*tVjy&(mrdWN(hv*_^!ZML~LPA1r#l^2| zZPY1S1@0dkZnNr{1d_ZByEe(NVVxGxH|?xe$mMxoTZZPmZ=u4pO$??tPlXIpR)b)ht7E-Yg&~W(WH=`2r9A3#R3{_^ z`r%o^)Aa0H)p%yMZ^neLA);kP%HNh5D#XIL$_Fq=Ru?GSu`hHJ4BL&3*b6NZew#a5 zLWlh?oCYig(jovQ-)8>*6uuIA&+7g>_|lNaNkd8{az|131cG}1!=`^n>w|^-M0?y} z(r4qoj@q&F>fOh-e^+&mepXKpSa8M%w0X83`V-eUjr?8_>b_i1oJmie4zCd+@^xI* zAs#xZ?6~|fkQR$&kQomx8+2wrhU)ZsP6!L1*<9+0FZr=hQpx)AT z+R^f{&*hW3QVm;KKhnVHIJR@?tFzH|%>7x$QSEcdrSYRgFk#DiLv-k@>Sv5}?;}AXAa!a~`2+ z{}g#xiEglh{8d`1QQbY%d7z+kTkLYuz+`ne)`_1~q-bKWb5;xmqswwq z_z`Rq@EB9jEw1meyVc_T{^1BHct9@`JIMlN_%8xxqOK8M@K?6;Yo+dokzvGDl#>+iVQ5<>}|rlP%4 z(4B6sm@@r+!S*kjvQ(5!jnP7&9v$&sEFnl5YtW8u=Q{SRHtn3RQjcIYNn$fK4AlBh@}Y9AD)FjG3JIs7g#O>zDSRw4TjHd1vM2TGtZP=Q zs+5ozj06q1{P7G!Q<9wXd}#9T3p61~A_2m!Dw@bv;&v*J`3p>?UNp5ZUiB7eRJp9q zw3%Q8gG{7N<~0`y(~wtkXpW+bxQKs!Q`CB^4JM8*{R6SB+LYNRZ8>CAi*>qP(-TRewPME(xOS6L-JZCQ?D_o zO0Y{_^tpMgmQf~Z3B$jL$OjKU{zxu2LD&AHSB^-oHf!F%xE5kt9)>0JN>UO}k`%Z( zSG#_yL-sEvY?Pan9h^LwCRnLSoKlTgkyi=&a?#tcf~$02jz&#~Crfh5zKDWGi}Qjy z%xS|oT11|mhvIs{oA76uThWHpyYkxUvzBJ5>z!EPUC|rp>koRr4CAt@1^Y!YGjxyrZS|S=o)U$+f@I8iU75&kF5Q z5~A|x-8DH^ipx|Ci{?=_2~5*X`{-YBV=PnWv1ZGugvk;LP|+n3#VH#E#HnfW3n9(K zOWUD3X6VMWQ`GU43?TZ@(ym`3#z01Z?tyIT3z*#oDGUs7FEFio+5~n!8kvQ{Gnx7L zCAb%MKC4VB`He;+xKXq<8nL*p=eRBr&T$l_W?OLyCDZSnFn+IIwEGhfz}>yiY=E1< zN$!2t1uu0M0I>BAd;t0nfY&@;xu%JNQ6SyrlQs9>aT_?&RA~)SZ+#nNmx>xH$GS2{2BQTcIsxiD3vQDVm25xjNoAb*n!Y`=vaje~JzE zsI48=sp)9Uux*G0hQiC$ZQj_V;misrNw}%c$rhuy#HThu*@8lf>p#Tw_Ynf)>TwO5Mi@1(iHrI+v*o4*js<56!$JKuUn> ztwO}{iNcyi3u9#ehh5GT0d{KGb)0;iB5Z**C9{dOd1)`$>p0ya=f40Vk1ta4ta~6f z1%3b$!=K-0evHz?1iS&oM7V?cC?b4uKtW$2WZMQ{*NM->bh08^e?@m=oj@md)BsIZ 
z!HHGV8aKsryU+J!KB3mzv1=@i+?S&k|7Z2r^DmE;yhnkCeoBhg5s+jnmCttQgozm= z2e@~SJi&#dbGZ(hstDjVKGD%{JKm12@hb3JT1oZte0pW%61rM~dD=e6XJ!Z(X4|~$ z;V!RRzxfbju$hR~5M%DNnCKyJ`f&U-sChb`dGaGlKtw%8`jSX)vD z>L1NwJMbT^YzW>(b+t6a?f5k;0NP$U@TvH&>yJ3851HC7m@Be@)8?7~svH;|PbFLI zYk|{@(L)UfM;cUtL0OSKe4AD86HpiY^~QIaEwg3q$qUH3&KuNBhz9zlcJ&vx7XGPS zp3DBf*RGa`Gc`mnYWBUtn)E@h5^Y7mkFV5}4F~5-iGcOz)Rqr5UWZ7`n9cjK%lihK z0P3yxes_cH&sVxVx2_gIlZ8N_;Y4ToRmZ_lZZ6TyWJ<@!X@*&V*THQ~&(kO(JofgS zK9m6szh@tyWs9SO7HRA8gHr?5=JTbyV#X)g|FJ5WlhJh+ACxSD1U z^CVS`Qc5kn1Z6m>7a~`IVe4LWfcY)so=Z$eafqaH+Hylwr*G<#@lk9UxR*am8XmQ= z6(%Ud@akC^LrIr$(xWivX@`#E_d>t-R>t&uB9Yjz9_vKSFMZF9sq^m3V29OWZ3SPb z!h&Ld;%L*LH7u$&Qr`=j7ISML(o7S$Msp6qg_sM(#+4mUGgXlG><*<=(6&>}BdgF@ z-1k(+$5xvt{b4JXR-Oz^hATN)w}wS`f-hNT4c-RXh+nIX;IxB^h&NbAH!6OR@;!P| zp+ynTQ@riS%^u}2+QP#+~k*dlM=ag8L zdriE!RFL*9$w0&NF9$KP0>AhV6RUpGLq~qccD3TW zG9JVj?K5yBQMLPR#`;jhl~QI({;dHZqNPN?~6t z;`J>f?H8G>3GpNsO3F2l>S}TYxfCE!kYU4>#oiq(BNeWyEfi{vMj_5^7{fejrUfzA zoi&;Y=8Opj^@IKCeXh4e6N;*7k|aeOX@3tX=Mk($rQxMtoK?DUtRw|rby7Fyso@N6FS-cy7<_`6fZ|3w>iTt2P(@;FOip|35&4sDAkrTm*nTaL2L5b zY$t&ptrWZv)5Z9Ya+0C!KO}R1pcG5&R^rh*rN6PMiqm;UaTp(b#oEW_Ms7b6$9>Fv z25gSX@IkHOv5Q)>)W_LsK{c`Lfb)ay(YPRaC9WXh8EP&yLr@ghj6Fi5s7nX>uEBvRM!+m7_JVHvG10==H-kZjV8Bhqr$Wo46mMzy)OsyYEcw-7m8_2>cg7VdS#;qsCt`#viXc)Tn^xT$}0FZ4Yb+ zP`VB(?ROED2eB9AdhR#mphRv-5{lQk&y&$#mtr}e{q31mz%z+34#|~^9-0q_%m`?;g&izji16W@^6G!yD99jn){Jl;|7aeMno*8p|mF0XzL`nwuAe?{9nnCCdNh#858>o0rn!1 z!CHW{%`(y25xshO1MRy6YKNt+PV8YJ>%!13O=5gZ1iMw)lTGC)cEUlXum)0 zP5AQl2=qKQ_2ei8c%Nk&_%`?hbavX8eB0M~z9Ch2UCu3l?v8a*bGJ4g^cA%{Px{5S zKdy>qx`(?whoxl$C|mnGoh~qm1A1Xs)*Y92ssfg(c)+*!Ud3`YJwR&iK363pms|gk zz4tp7%oI1K{oOx>bD@uaFR@2U zY0K`Z1WLv2^&P@s480FBO@~{FN_qrzsg%Y|2S#H<3w?{@3qzuz6#=FyE4& ztESVo(bNmL5q#Xe%ZSM)q^(r)FHdQ`(AkoL=tE+%N3=$Zr?h6I=nA|NlqZo{bLOK? 
zk;{BnNaQL!`72N0PAbHs5x;DUmeR+AmP!SPSoCMcie7W%6mNoZl2PCh;M(A{3>We* zNrO$3GesKGk|a=|%G;n#P@PTBsqob=oFjLQPzlNty%SO9t<&8?mBMezD@~T%ON?Tj zTF@S=a24vy)KW9R1pk!Ao(Mf4G@FN!`+H96?tdZP`imQZ4O@;|&xFNKA~JOEad zrWuNfwDKfw6`7{(Ns+s%ay}}V_9qp1bW*w|?(o9C z@P6wb-qIVV2^RBcD^iB`uHbK~>r*r|*y6RER&%zDy?@!{E61SMjPf8aD7*Lbs(HAW z5<5j@aM>?W&Airo@dp~kBpK1Z|It>EOTwUb7A-MYPAF4BqcSuD}FqkKP8ETP2irEF?!ek&DeO2Nk>tdO?u2D1I8KMC zepq5*&ZNAPXeNg7b2f+vq3RYENe(!58^&{kTSYE4EN(h(+7 z@{5KVXChupf~Tdg;UzAs^EjVN`rjx63_wM5PF>nC;?{5*22bJ zsOgrQ#-;UPR2&Ic=zw1auh$lO8Je+kgjjRYg#4H^PGo_Hm2XNnwP19x=lxNp*gzJD z09C|S8AK8J-P)PBVnd}zv*QS= z6D}4dwO>Vav4;mJ@ZD>&$4dMcK%l=2zyC!Rfei0Y0&>MWcLIpEpHgN5)`4Qv0-|X7 zEO34G#Qg!YUry?~U(dvMTd0E1P``ICrJi%qTm0#t5A#djHCAGKUS=%*`fPT77AfwK zWzYJa$_gDdZ|>e=Yv>;#V0s7Ce%oZt^6T_h3CVW-XUvk>rwy@g&c-Yq;lroR z3UF!sWP!SD$Hy0w>P@X)lf=S?R?W)IZ9j|Ax=YiwqMxOY*Jky|kyUAmG!neZSd8U45s((R>l< zP737kKJ$Vz4f?F>f=|!&JMf(sI!$irvHh@bW2@;jX}Dh&y00bnJz6SS80o)IU!Axv{AB{@8Y?^6B?uuD%<`ssNtN$;SRP*CA3BFvI@LKYYXP zaR-)5*>-01>}R~&y66Mq-hr-XG9!de6003%11C9xA8GW&VypHox+m8jnfX>9Xz+2~GxZF5 zHQg_GLB{w}h9a+aFbxCAWmw66GEBbn-{pTwy|jG&D9@yU^7s>F#s7>zmSs*0gh)K* zzWsYqTmyV3kcgK3F^P3Hn-9iZ(i?3hAf?K>kVfng$HaiWA)yjZ7qN_w6s#+BY2qJ=@z~n5IDTr_W_121CjVwzBl`fd^aX?t45;q21|FHNbRGF|=p3zX(8ORha`h1IYka#4#Vf1^dEGK#)$ zGfH-n?Oc;cCKY6o9UQD|ylOSJ05h|ndH(SZYGqlZlboZ$pfZJ=?&8IaB^c6bN@RYr zHXCQaDPj`2GpR#VZWdGyXTtcIDBkyyz`hqGlO(pJS=){|zz_xBI{vh(k}1b3#%q^v zTEmkTKTw{ZkR;jUi8qtMv}6T0#*%?gY*d4=s!7Xb^ZKgYp{~I#YX2B!$IGVzF%q1? 
z26s1QoQrDAyYax-npn2AmeAmHV)A zzP`eneiOFhaCs(r-#6Mn{UkPArf?XMjD^2F1D8s8o#C%c4Y|~cznvq;3kSCbr&~x> zg%h%%?KvkJ@erG%bl^Ss^^~58!c7ZZe}BTHw%_0J0(RgkjYv7S)Wctx7kz=WM{Qonj80mi9G+T`w?;HeaON#T%9f; zs-$z^4oe>0SF4hn^7kw0I(Fh!*{;;_w`c>|bf7iyy=g55*H>pzoiF{u%;CLmUZ589 z*b5zvu}Sj$I_diN!_H7VH5o!V_&?){$awY#YZ><4M_GcL$hXNZnSeRH&&}gN|a8699F)f!rp}l`lwE|*yxM~O9B<|6kKp6XD5E%o)Ox{ z%~-a)$#?Ca*Y1y&A|5ql#%^`QiWZ3UB4fQM<3!E;Ski?0WtN?F0D@1DvJ8)PnJU68UbM!i<9CT^mii<=fuL55PqB|9sGxb_Vs%m(VdoY zWq&%BP0K&Y(?G)&^MVhPQSbI_FyNB&G2UdrXL-ce z;{RG4^x4D#hwlu?@>oRH_iuygasQCxKCJ~@df9W{A7X=aeXp=9t{Rq&HvFIC8Lxdm zrjv8maJ`OeHuXxFJqtUJt~``}LiitWwl(i7+6TPc?o__N&@WA`bW%3Rd`39EoTi4r z0B;6SH?AB9V!}S|JYXJ@vNvD^UI*z`ku|t0eP2HfU00k4HznD?&@X8DfQmm3$5eU>{`?*VBigEdvP zlll0i?^}bc8w`rNuKg;*5CbJ1aaWA)J-hAMW%9uG^?t_Xc5YC|)U!6|L>5@saLkt~ z)QJJob*SZYTz+)5w%4ET)e5f>7?xjU)wLB4Kt`ke6SvE8cB|C}J^1l=Y-+#?G# z&U3T~K6^SUe7D%g)W7soj}WSrerA7P$FE~%bf8T@sNf;;2D*0&P;jdxIY z{U)c)pGiV&Jw^P~9A16z?1h*f$0yCSNBDtZ_#Dy7Q<|K*=7YISfrZ-3K^PlZ~K9&?TJh#zn!C}6^5J|EHu#v({WR> zo8iQjN-G4Gq402u@J!J$ZlpPKn!PJ^@ued|RJ+xPJCE<6#D$afr5Pj(OCJ z2RW8m%?dk`!!(YN^5xqlA$*S-=c?!E7B3^Ai)Z^bq4~suZj|^Vc}zOk@+diq@t^!E z{`!`dk8$}gog5$B39}_DM@?Ml#0cC60h2@AwWz*#(>m+MLMzjhEF^mJ`Fr2|iRhK}4ZolGvL)>0`av#5d}{w(JD!^XuJXr%poG zCJTS&*ad8_1H9#8(ai-Qx()KcqdpiPMVtXG>tRmo?r5aq2>3v2q4=c>}X`|(1I zVI?Zh!=dBy2qn<}q-NHJ>$R#@B6fpEv`k3%ITwJ3cI$I>ZQjot1!IHsB6y;1ONlMg z?BSQM5F}klM>8=i;=OcXXOY}Wlj1N{dWPN{%y7RF&DL1QkX4-fGyAW$d@eKiz&S~N zyq>CjXfrQg#!Ux8%xBkyC~#S>#{@3Bj^knEuLRA3(LO$JvUa|FBRnSk6fTjX4tY5z z$?G@eNV8hoP?lw4d@&Xc7#d|J%y?+g@O-W-$UOe(%w`kcEEloUtqg;K(_9sXqTMS| z-T?a-(Ax}54n9*cu%YySyk7BdphoFp>vQwB`>n1rW~x^sR3cu#eK#Jnc$Y6}JCB|oOQ zPVNGKX*7%%uF)2xq~*3kvDc)~Va*vQa&Ax?Ey@Sgt!K{BqMj}pd4a)&%fw3j%Ln56)p zolD4Va=eoCi(3>V<=;tr_(ptbgN@esP5eLZs`?G%`r0Z}GF9o|*fW->jg+hZSSeUT zbOqrX`&A5|{PG)J;&qwPw@D4}{-IvbU2x&7c99(K9=|7r5uZwJy1?PQK5D~$kEUa9 z8K_CfWiuoaEfZD0^NT?YLLQO+_iqACqJN@>3Q!_HROLkJrW6hb+1#x=PAS4~{hh9* zObvzCMWx(O*EkAbaa4YH=Bq*Ev!WPjWF6_#@dlxracbW*f$d@~0dA4lP!8 
zM=<4^tz8)FJ(8=-Ww-uHXxl8^fVg18l@TZsJf5erTOH`zR2tvSR+!Gg2>uFedoYz- z5+@v;Em9wJvt(Y0_%wp}hWq0roP5GYq$q<;k^Nr${{S&DUp>ZO<`f{?4(J3u;){?~ zx2fzoF98U-7)XZ)|BU)T0fvAgK}wN9AX6u9KCWvcG|(x~W!n4sy7IbX0wU4wxg&h2 zS->%DEu{qj2~^(L``0y)y=+kJ&igbnmD>5X=@$5@)AM;7IkHs!IX4z2`2J>s-<5~> z1Q*kRwt2c(RJ~s6`e+TW$m4lbRSmpVvjMov0DHF*51P9_Vc>b2@QJs0o_CFeUX5;l zPw02MN$k%c3*IfXv^y*&&;3@6MXK(2#%R{tt2|7wAXi z%Bgxe2KJ0*JI1w->;-K7H8`K@2=>WYf3Nh@Z`~a^$)TzATh+)8X%;NjEZxIS;InIZ zEZ0HtxvbmC4=CJjJ#3dMY+tt*(ahUG? z$YsuYp7y7De_VQgo6?i|xb8U=a-m=E(h#hBJ$}x0Jx4#!pUDo*m3cuPN<~Rd)bH|t zdm*;pYI2M0GCgT&_pGSRTjM`0J4zAS9M|nyV3e(%n*!i>C*GB;u95qH5tcD+cZU4D zFB=xQPK#5D{H{BxoL`n_#m_PS?Oq4%@R+kvlI+FSeeUCA=LvM?_w*6= zJGAF2$)%Kp=j)zaC2>pK_p{xz0YN2Omp+)zWdp%O6<(TkX>%0n-A;SXswp|fu% zd&yqmPDO~`bD+ISaR7A@A`_3Rt1<6yPm~(a*E=`U+rCZW9bWX=xtR= zc<`7FSNLb%2IUDZd5voBU5es!NxZ|4<8Zr7s0vt&v0^L)>TL?^X!E?9UAb*StjBdt z9WQr zDYvX9Z{bQvNKas|Mr>&G(y9&4I-&jkYlVF9rtkVCMv^hxq?kiyHJx2%>On zu9o1+niHKY74rJklP(LU07`c_wHSmtwP0r1` zz?%8VWlwr%9dHuXqsGfs(D)Ory!0x@am;uJe*XFGXx?=yALJ|PtW-2JoJ}PlU8lM? 
z{!0|7`M3jgFBWa~)?lr?HogOkWXXb{Cb3&o+vnw92Zvj=BQ zFDrf(T(fUhLz_-NvPaoBlt-3acv4NfRV8sT!8O&>u(R;-m&ip*N zzlny=Zfx@Bl^5Z2gCFtZ%I)a<8e_)W4?K)JRD{8ss##}qvdrB?6?Vy1ubnH_OO^%cW8hwyP3P-T4u||?p%?DS7w+Q9Fj8&{*O)NP<*Fid(?_bdaoR@= zF{OA|m~NBUW1|x7CcSmTY&2I$GXCzv!wmEEi>Hf0tYv|{()mO>Y-NN~jpMzu(bijk zwKL+ec`DXRcX=oP$3bO)T7Mw|v-YWD8iUym<+g)6m4FPC=zmhRh9{Kq-d* z8O(eC8O(}JO@m`!Q#cMI{r7Ro&yO!|_f`=YA~I{dE98hpXCghAxa*!|&7-DX-@ReC^CHx=wbZ?>Wp1mM6rd}rUiW-<>jYtcnUtwJMtW)^ zdbSOaTL}dB0~wkDKx!TQ%evi8OnczE4YgqZPV>3biNRO<)l9P{k&a6r(t9_CRY|}` z(L4O9*^0wu!yX>}*KFh%&8eyKet7KAlfH6)!#&~E$eq``t>a>DH$2GZ;YCRCd&05a zXaQ_~D{7OsJ}+M3pStv3!<+KSv1SNxJI;tq3Da*y4`*82*&cf9`&-}>di3NNBlwo* zviQ(y<&+k*D_ek30S_UQ2Sg7KHsG4H0W5aEtb^yd2k>JY z@x2z`zP?Wn#sE72*ftP@ip&G1E5qw~0Yl7lch^)W1kifFVqP{le#s?lpW3$R@qg`K zHp0$+i+S3|egc^RiX3npj+j24Qq?(`wmz2{9M%sK2pzhgYB!#|eY|gEv2&WPZFVO% z>~3<8K|A-L5?>I^JJ;jR@jZwd?Q03P-YY%x>)ksvz7!H&&xS?Iy+i2u{`Hpr{}niI zzvJCmGG`;Tk$=#s_mZ~Q)J+|V zY^}YlQ*?Aj1T7ZN@N_@_v?iMe0qcHJ6?zQYl0+}_KG`M;-&L=1lVh)lT02R2*`-?V z->G_iD^`> z&q0u~Vt<6&#;B)|Go>P|Q_b;-le1l9vFIoDh5TleJ4>g{M7ZBbCrX4$2TnNbFNlB z>2@AJQ-MG{ITW)5HH>~63mjC~TKkprmTH_3p-r8^Y^K{28`lzlIKEw5ER>Mo zmb1wZbvPD4Iw#5C>kbgm*ca%zQi)f#n6{L~Kr>RXiYrKiOPT0(Umab@p<-LlCJ~*N zg|oB%HZMY%{uWI0`^8i9`mxl}@Hic)NpRvFk~QqU5uVNANRp~RZytR)Ps)ZDv`i6d zW4LG{G~Gsadz}s{y;r1F&yuzL^a8yyy#F`a^Otd7{yzjMQ%P|4$w_(gtwnhXn~i8J zqqQSg{>#BG^FSN9iHCNHjASVpteieoS_|`X!ZBHI{(pwi@m$bpwj?Pqh}{@iOUrSQ zPCGcl!4M`QTnDFH&^x7+ewcT(vtvnraEtiQOvQO^Oof;6*Gy4`?^rU;PR+%i6LG#C zRx4>3O55;<*;$5$>@&IP4b4@8i&geLNd;>3JKl>6iX?VR`Vep$Jaul&zD1Ea5kB=% ztnuUTE6n$EIv+=o)$E}Wb+aX6+txtAeI0V!ZxZ%SbyNK5kYS21Fa zacYxy!GHeR4PrQzSz5}sg>B?-%=#r~)H;5>hs9|z?de8bDRzN`uKcVx)H2b20N_mM zj2Q8uQ1zi3S8%G?`hOu7 zgrWsUi7g9C2Y~J)2H!s|1}kcO-+&MW6q4~YQ3GG3@95B6!1up}ju=66vDZQ!O^WSl zzLq=do{3yBNv;o}HEFV!s5|b?!qc&j5%BX;|7 zd)awH_jYA|TQ8$;Oe^g17#s}lQ{v{eu{hFjwfzh*|z)4b{7DpsLXWj@(DR?b;?m| z-^x;d$(c;tZ3G$~Ro1RFil+IG%jVKkyH>YcvOx(TTZBs&dBJpn+HHv~>eTg1jPp@q zLB~Pn>z~k1Xdh?sewV}=T{&GBX|lP3pTGI)k#*ZomSF_zkBCFw#z#a9D3KkQxI4R} 
zn)-O2yMQm=QoxT=Hh`eD>}N#>KO6wm^!ZRi{B|5PLg0KgoEbWz|43bD!{9YUT+1xr zI#HKumh1PK)3f>rpR!TY^{x`@_nD2}qU}Ai;m+&mi=W=+cD1x*(w`m6_dNA`WJju- z!5@IJ_nNG*^Vutqvu-#fH6_d3d0*?pyP@Z%dh)NvjLS#j^YvuRgLC~fg?f!ysK>uM%$gFHzOIQ0`A(43L$ZDlsr{Up%q~H0imMeyakH zIsX>c10wJ40V$?foPKGPlSty@f5ex~K=ynkY9BC+e-f8%SQnD5Q5SdOpQUg@c)Q`Y zvC zhLoABqgc94gGu#Kr+xy~?SJJy;zM4hcEyw-J-YX7TIDabZo!6ijpppvULm4Fmo_cN zF}hdeZ8Qx)7F<4QPk4R>jc#`!Lz*#HmwN?`EZ~l=O zE)!^QWM?0KkltCv%c8ykv!}7)nsjo+!vlXkD6bO$PSS=T+ACm)! zPXW`K@Z6TwDGaDOuGR{-pGgJ3{Y?}Vp7`uD?YHO32vB?9c9;km0p-`wc21@75TKm;g>}03N=U`R<$oK z65P0nMu+LiSt=h%Gx3gYdkLjfu?BOfYt5GE+>_Q~6`5f6Pc9fWs{w85N7!keUY*Qw z_~jU+7HXtQGO~+yA{>u{D1L_SpkjeO>YW&5ow1dV-uC4iR!{orJ+jxqPHK&4b-2-{IFcM`Dxj9ToMP4!O)GE+&~*bg&A6rY}0t;^i9iA z8!hAPX9ioICMlx^o0+)^#gX!SX;VTHvbG3Te!Bo+uem%kgO{tvbrTjv+jlxkp&`Vd zjF__K!Iu0Q&2;4Dk)-6)2QoqW;>Ia9xKsP3^A6)~c|sNGEUF2Ut(IPf4e6(P!`AUz zorXir=|LGplk%i$m=#C3+%cg@aAPhPxhyR^Or;87;Pv9Ny4CY&$5cAfsctoF3-9NA?3jH6r1z~Ez6=BJO`c7s* zf)SoQppVnPQi`t+pBDDqrl{XUmH(q?eq;tF>LGlu3$^tgaS5(gj&jknBQeB#|-rRC_dr>u8U>}od<><4@ZP4g87g8oKMHHW=ZNVG(C+lsk*>#Lx{`LfuZocDG0oi)!ea{G@+VAJ#& zi3A3hm;LjK)W+~mz!~X7f2Mj>ZWHVjAsWXrs1Ms9sew;Rinw`gc|_Nui{1Mvbo=qd zu6@L<25?v?gvq>diMHD>fc*K2&1K+`U3921IJMS*!~;As;UZ2r5s=%e*z%n(*x|nH z?C71~dj0$SxWy#oShT)pQ`5P5gH27?^gg_wj4e<*bq+)GMvm*Ow@$X-i`UNkw6xIrO#qpAs?o!}_9tP;Fx#Xuw@hDtsNTSUC5;%FJoWL?=co5iMfqqG44SX6l zwX;^U7@A|l4nZdNA(e`Q1YeI+NYp9q&ln_hv#N|0w7db>gepwNp>MMO4ce}e($O{d zP}CJS;Xx*~Tqzw0#v6$77z|vo>USJ6^apBU*G+1qkdjm0TscwkIOK&Qw8Mu+Gjtp- z11#fgQ{#D7eEN3t$?b0HlP~dGB=0h?b5%~M!gSgcx5B*#%>uS9mrTkCJS{Lboy!_c ztc8}%Qe3Rb`uXRr9ICJ~;w7-iXTwp|*l(}a93}LvyI`RV!bI#Xn3t(6Er?U2rG(~v zwCb4Q`X=@|rB>nyVlnkAwT_yr4|=#Erv^gC-1>RQq==0k$;$E9N1;AOH~?*Gk#C zXsep-y-G0jq)Z8ad=G`VztE?JGqH|g2Vq>nL}lKaRF&|E;@9t7b%Z2Idp3Jn9@#}? 
z_T7?tT|6mR*59kptIHnYC8*$0UK@KOVrV1xyo;9yRO`vSTeV<**yyp9I>f@BArYB7 zh02Qt+=O#ZUV+m6&5OI{rI<%1-axdZ$y69YCdBpNNb0VPrJ%r8R;$eQe<ca-o-7>ndjt4mkwF+ZGa@2P zKo#62Rg`xrnFxxe(76;OhN)5reXGtaJs&BuJ}3q4#3wYLcTs=MG1vHt1Na zda86hMNE4vEsA=ejRy*F>>>k%@oaRCntoVS5yAECnouFiFqs$t>1TQOl1 z77PxBz;4%hP76_FnCXwBm<|`W21Wd4qe)$<40$M`H5u`eY08wZx%CenP{OWH{$|g5 zTnTlgg!;MI8$~&`>1<$^^}EIHF*m89g%>df6G;^lJY0dUSw?HyCK5`=tr!yRpsklv z3a2G=UKaaFRUjt9Dw0oJQ)nI+7?2_ie5K>45GF}-UIC31Id}RScc$^=VbP@b<^NxK zzp;W0{s9E#0G53J8QuRhFp8U=1H7o=w!QZz_O>v%j$i<5P76;JGro@q-^?ePM<}Q{ zE3|e*f_WTlIO-@mUygk0cN1R_fFF7w3Z~FE2;lOzN|!G_*DkXcdGr#X?EbuM+S4+5 zu;ig_d;rHj_zArmJQhXDL|t_$`Ux+q?wVw8+bC+bC`d zausqFk#k*(AVAOmaWurPQtSNE*3#_l-P-4oll@!(v(w7eGZkX0YZ1<^A8<|00 zQs{Mjs=QVBF0YPaez9o<7RhgXbs?l|&^H_-XLNhdaIsrA(EHLi-U!r z^K0LRu-^Ll*ln?=_iUEm?m0W|WJcMJTziNSuR8UKqVpK`kotV#*?qX39WARDy6;;I z>~z@g4GUvb*Z4Zw-#*e;d*ZLYr+cdOBjDTAKh^MWz0Mk|co_{D>vRP1`n;GPw9r*o zIi1g}z?Jb{cZBlLyS)!7FNZni!0PNA#d0@j(tGzyIl{9%FUhgBcmvKgLsWZezcx(y zSGvp(K&D+Ar)oG$5<4GVOK4q>J1$iuJku7p@omh$ZQ?e`J2HK}r`5P?**QE5-l58r zRk&SC;PAZf?Jn=WMs9ArruxNgz6QAmrhLEq+3^6r(Exz$+X?j|fbhG|*W?qhVGh_J za%H-iIt%RaaeQZ>yf>rxYIxXby*VUOJ?3idpQ}A&DYl#yGia}6CMkXx>aTv4|Aa`> z5zHSqr?hIfgF8yi=8Hw8>}0>O4D0ctWxcV~uYeb~k}>7$DNh&cFouhTR!V)x4HAid zZqp#WKN$<3bG9xc2%&tR*+Jo0PlA=PKvTfW{>Hk))y{ko_$BO#40BMOR*mpvQK4M9 z8~rzE;PS*P;b2v0TjJq12fuOD>?u5wrJe4lX#k)wVd!_5C}h6vFQNgb!h#e>mSyHa zxqOmBDamsQZqm-fNOcsglg2me77D@Bw=lrpVs zq*>(%vbR!!uNX6Ghnvl{C2_80DQyuebC_3XhpOyn!AYW1k7oH(5FY4}HihUm4U)zr z1h+34D{&vCByS`vQtbCPT0U?oT5W+~^VJ%WD zkuEY!b(G>X(JK?`A&d||Y2-wTB}<#Y3e+#4lnFC?%{=Geax^KhEtw5N+&k-4#WFV! 
z@5fY9%gAN(Cu%qQZ7g#?R-3{ktvF?-DU%VIazmmV>y|0Te5JFHtEhE2`mj0*OjiP; zd1P?bJF>4#ZMt4e(u4p6y}d`#iG@fES?)x!iX2PY~TUIyXI;hxnW2|8p zelkn9Yi?efZ4FM@h61VmufU22>N!B8B#)gi;DBHfBf?s|H&Mkow)i4jqNLVh8v3GA zNBXbDFW~h`v?DPUB|QJ!;^p)*0a-=aMqEm;M1l_DQYF(6&IwD(#+4F?L{%!G*+LE^ zw;)oSUtH#gmq?h1#Z~HYfAoeX%`zum;~9*kEPgd4c~DaiNTA@tU>O3Rv_iVBubm~7 zJH)3N0bxzE#Z_`*L2w=Y!Nher+hniBH_>r}>+ON6p{(ESXZHM;bAvHVd6~10@RGGD zoVinW4D%s)Og`xnvQQ#oXEKAAEDxzt|LB@gG@Yq2VEOg`>vwU+)5p(PBygp-)^xV>CNqe?w^JY_zY$LS~n#IR4=1 z@tLVbD*f8Z)uAx=5XTtnp1oFKtOfc9Iwac9ae4MVYk6X6))79hgHrhji5@5A`rw|%@Q6|VA z6M{V}ae*@t{m8iD*)ntYo}=6Y3)b;<(dC7xGf?X>NVO)|4j#rZM5b$J`b;2{+Y`Cmc!WQ@Jzifq}qYnw-Io0}AEFGCt?Wdzh?mNJrE)G^l-zmyO zh7L&}pd`nQwu;P-&)PKQOd}2arP{-e+hh#6>P_xNXGN0Ay0n{26juoZ@))A}7mxg> zlKf3^xWulYCh~3aKl0hq;@)wx)Axzb!`T3MscQ6{1hoC4 zzxw?B(-%5Ql1V}t{=W0zYxmlb3J~6hf*lzHy?c7_m8$~y#HwL=0H&g-Mr?NNEh}|b z4+()fT=$IQ;vXi(g4Z@OT`m!rOKMy0MsRFLD|`?l15Tw%Il^9!g}lwZD(o zG#ep~fyuEQGYxb2EZ9#{sS~8N%)PXTg}_Q zD}H}1u={pUe=Pot9Su);R_{x)H+WUIm&7pHoomezN*KPchX(RKQuL3ttI|46CzhsL z?)UgBh_*We>z%Gtjn}p_Gx&ZpK4<$d+wV>rq_<^;F$&mnW5I->qTnF9~RDH@|nd zeZQoiKc+-gMJ_g--5siA<-Lz*r%y9eRygi44lNM298VSH={yg|Rj)sHuYPdZp|sH~ zCzmB!wbN|)JP%i1vW9{usvb?=&I9qj?~29`Z#$;F z?;3fT5%BNnV(r<>t)Dt*eQ4-B?fvalIXoM7x_!U*$geW99!8>E+k63N4WYaq@0*@D zs`yBqcE`~lm4=!27W#83{!s|8XG}5hMG+Ga*6#_S;pDb&n;l!))vK;={9S1skERzo zo~NOn-CcvtwwJ9JVm+;ZS7M)rDMC$=gOjZZHlFj^C0mW7u%Q}$m3Ci4uRH$gbuGKl zkDZ>~xtN@->nrbRuPO(@t0+-lkAAtaz!nPI_M;m3?*S!t{N`Sli9;Xf7jSC4&VA8| zt;8n-+BnoGMP*A3_v8~ew7)nYzv&+9Eq{KoJ13ixDh!zs^{rRWa3 zo=5Tt8mHSHY(UNk0C4+eJ4QbS@HgEDw9IwOeaq`cWL>_{1H_l5TJxP1D2oefQUQU# z=2Nl(&)z>(qDf~(fG$icrZ6@HAb-c|`>C!78+Z{B)u)HoA=FRS3r? 
z?O4H-_pZ4BE116z0F^9Bhb3B^N$Sqmi}qeA@|CkKO8t%# zFzbKfC1Ko`vP!#7^UlM)8x!0fd$vj&k*qbFz0Boe8_e7SW6UQ!b|YG10jZZNbZeZhp!t<{bk9Bk(AV^i zr-6NkACN+yISFpZ7m}#SQ2}+7c$xU!vSJarr0)=qvj%@@Kb|Uk%ZC0}+CE_v$T~7n zOPArCxICfZ3m6)yY}wDDLthzjqN+~G(%+nm${48wQ~BL3v`^X@g@uBBF+#}*NZFHV z^z2Adth`JF&%7OFN@Yoqdpw-2#MRM52={bhsT@BdIW0A^=q!o|QM^)9tWLPeKQm>sS1Gi;Ds2x!x zwK3tMpK$sJU6rX2ck{K^vcRA!(T; zOd2eydH-jm2}BkLhK4Pc!eUBOfnAj*)0-Nxu+OTH!m=x6RjdQm2vkxXlwh5!djgto zWHL70G&i-t?L$gn(_7`GPZ*8)H0qHr!cHqKe5^d?5P>8-)(GE}F0Rklv51*T|Poi`}yC0**Wm#?2|dP-176Y)-1P-k=IzQTUq^InOKGu z-w6VW20CB_&>zs>fuC7`+#Mi*q#hJ7Aqo^M0Q||<=XIFL^|#9a?$e<>n=Y@ljXNH| zBZkX3f}P)ObSIEwYW?yl5S_xt`6lqA%hOxmYY*z`MOEwGwMOf`;~0v%DhU|@O3s#! z>*A4g)pc>}S@W#5OYZyhOdehByIQqz?d0pc)Xtt@;p+>3+t;umtYttf0PDrc)vdM6PF+4bFY1ysK&A6+NE!vnjbK2i_c-S zjQe%y?Bdzfy@JHQ)Af`w1b?8io!Zufx>ZyK7(Bj>K)7j}4-iMeC?~(&f4hp}_k6kf z-R%8Q&g%Q%X?y~f__VEc#qqK=alK|1yZW_mI`g`4A>QM*)6Ms6(s&RtgUc(;7qkV) ze_H)&X?QD9nbEqny~j6?SYPAT@i+lu=PXE?ZomHeX*GAf2BG(9hv>Ki>FH1mLT_W^ zh4%Ti*}Q*Tf!BdkJGzEpnv$c*xh22d?YiW3uXva_b)l{J6#i9voRERa{lBD?lrZoB=c&qB3Q zeM|4*{SORpQ-27*+vnZ42M#s9m(ySkMz`IT8s|8dklV{w%z<(;mE__7SnrMA*Z-k$ z;#^(4&J^yOBmfTW@^7jEy~wHo#??V%TF`*=?}wt39^;?MBq2vaj+W3eD=1&`;eub+ zJC9rYgiS1H2HP#>*BR1{DHhD^M1ab52qg%XTx@`dBr$rmQwJM%DLEv zmB@SUla3MS(o0ix(riX0Gl-PAs{~k*euA+xYp^p0=rwW{Xj#=9PF>jX-tK-AdXesl zaSZ*d0egybiqv{#8>o+tp3>A~7EkBuUuuz#9};;0qQD!EP{ z6@{Fe)XeRh6m1yFoMkKKPC0OAtwLFe%*hiOOrJQaY>vu(mVdh<4dT1`RIg!qfUrUs z8@BF1&$5X%8PuDunuxoK>adbCsAV9N%mhHLsmJ z%y|P4^EnZl{(_R52LxC8;X$e`@2*K|jQ%1cZphxs{(-=!y|${zHB#%(*sgffaBHKy z@Tj0|h;7*?WnPipi^;El6goLc6U@x)D9+{A?7y>CrI7&?1rG|7d$O7O_05$Ria+1Nns%tYdh@3#;m|Q13Ias5O{%>r+UaFrfi)rW>cz9o0S$R?qG{KD%T;Z zyj86rjy+hq)nG+@gV035IgQ})1`3CocvfMoRMlSK%D^BuFBC#~E9-H&cB#fZrLia} zc_o!h9F>PJRe5z9_%9`#WfAdfk^?kEtwRWIzI^*Rt-Swy*e)QCZ$sA2B_+PTNU=;) zpW8x%?jU(kikL6qB9GQ?9_OUPhprrCGgt3@&n(s03;u2+^Wu$|Q}jsC#b92IR+Z9I zY2%75NXUG#!p$Eg-Nr9QIX;+(F51)YMpBz;Vd`v*Bu2!@5F3dH=P0mn9HKN24zUig zfDZV@dUOgk#AYpO+&HI2YRK+#qzdaiEie1OlJ?xg8q_~`lM6t+o&4zONqUa?emEZY 
z1?~p<7M{F-UWj>By~Tg*IOQh^j)#;(8eMtGIoR%Y|0?OlaK*h!cX)Yyd;+ok8ZaU2 zSlMp*+P#yF?tj+2?9It)|JD3Tx93Bx)AZTw=zAY})ck(9P<5jz;ZfT?Kh?A2zGK|N zZL_>|Ecn8cxFO;776_-)p+9!o{yiQ_e?RGrLDz5}x3p5-zTbv{pe5A$n(!xj&9UvY zLEFc3@dlp2MQ1n2*~Y!fYuZx_W|Oy0xO3Zc10Qg~%alX&v>uUy`?^ZE4%D=y`tFn= zi`TJtI0GN3yMwy}IG1s{Z=TVz%(3idpU`RV*c$1|nkB#R)M=Y)w%x_(z6+F3dGF(_ z(0)c$?)toyj{f*!EXpX{aNV$LnM9GdO>%z-w~Tfhc)RnKNA*!#HGM8{flfRjw zZ=A*U#DAI_*mii)^*!qu^PMGq);P#R+i3-Wo?L?szJ$djcX~{RY5s0~9Xd#A=_cxs zIJv^F$;EpcNB_{%dfU9#x})p**J z!_)Kxulaqdir>1TC8@*O%F?o(Zfo;F)6#WJj^act*y!{(f`bSH@M|1{Z|U+uF&-B8m8 zI7hJs98h936?Nbq50A{Eecto6@MUP_XnuYL%Vl+Jimq7QB6i$w8p~T|x`^NDMge9H z0IoIP2#g7Ux2ndP1O70bO*t>Xr}*+|P-PK=@%x+V3;qd!{yR|a283wj;hScv2Jr7; zk6){sYdX~{Xx3=i5R!cf%)^0oXPT)1er~31NXUcdP~Tc9o$mXR5I0_wTyYFchm~Ir z?oKXXNst9D<5A&4Elj`TH#tz3*`pXis*Q|VQraRCp7e<{qxlEd98s?UNr+LCx-3gy zi0as_64^kbIVY<>i#*Glk_+sr1`&pV%3rJKM3G$5E7bBB@-&-#n|dTL*QFpM^bX24 zMOlPgWJ9u0eRE`eL3#^KK_*imq~jGYv-wI_m^$mFSg|#@P%o}E2B`oIdFQ})hJ|oJ zG+X$Qay?{sXj=bZ$*l{;*rdOlz4QZo#U$8D24?V#mW-*HiDw!dUU*Z%N)s=?o-YRIw;RerQMav8GGS7SOndP)SdM1;1v$*YBxhpfJZpn_^8SV#fTU6Q$f z4XeaS3N==D9jp`OV=9&z=ne=GmOGmNR4QN#7$s1Qz&GfxNsOt`9?No;6tQ5mOpPKb zCjCJ^fF;V{6W4HWLS|XK1Eo3%(5cA`yYvFvwJIDQ(8+KpchGQ#A>!*=>sQF(==5I; z>oiYgNO?FQI?gX29z3!it|vnaTO4&M)2;yO+%kZPs$^x%z>aF>2u+l>LRj?1p92T! 
zj38s^PKp3!U!!qlL8)P5mhq)|GK{%^CELQ)Q_xAjfnjZodb5$=Uox4L$LIrGzw?(8 zkDc>#8a(t^F5G!u@INsBZ)eSXyTzXagWw}tA&dp5n2end+54COJ33*j7#iEkgaUGz z;aA4Lg$pt%dwMuBC&Xs0!eGd%UP;q)C(abI_^w%Sy8u)Ohx~0u?)aHnl_DZ2E7|Z0 zSxg(&)XpLC1mH?o zQb&9{62u`a=1A&6maQgoB22uHSfNl{@!56AZ!KKI@cr#13gxRtCSWP66to2N+W4=vxM$(76EUTfVY=L zfTUvEV=wfPPIngFQka~)iBLf>7Zk-aC=EMa!Fb_HDUnPu$YPKm<9mP#$QcqF6dbsL zfUV45SzI!lA2O#Y&X5QbouN`fM1~DQWVt~iRwUMn4VXqTj7Z)BbrLhAkz|r0(*0wr zuz&yKiL~BIEkRyNUn6RGIES{;L%epsk)*zu)kNg{8*dSowBABS_Y}G)lms=Fobsx>4364ym}A;kQ9+}CUqGZADP-HMUc{} z1vw%V`uYHN@dsTt882i4q2VF9w$c-v;2+o`;tDW+azrqJniI;DXe)U8%*HIdg})*% z3l2>86=H2!B|=raR%XA;*Ci(P=3vpM{v%(iY(f2XH-&)7PQb@cWZmV@Vh!8be9n2n z#}$_V4TS>z{)wz#SpdDC$eLDN!eF!>#dv@5F_ZazBz~Rm66_kM9em8V_q?GUz?ZFU z@xrh1VYRd65NwICmYzxTF#wY7f-p(%vUX+p-RL>8M6bnX=`ZR~L&F@ZZSqCxwga~FHf*~@%jV%i?llv0-A39G(y%af$;R(~(QmyoeWSL0rZpp*(wy$R(Dn^v zTh%i(KMsTMBc#(kyN_?y!XH5b=%sPl_y1hi7<++#jSygibxEP5}lG8OjT0dNLTd_vxmGZqa zjj*tt)-k4ocKHg9Rt&|+YP&z1wXEoId^-$p38kKCe`*v>(R3){Y_Qz`ta4ZTS}id* zyLpx^|JZ5sHSgP`7)G{dzatEf+ZQ#xe70v^)t6DrXO{HmVaO4_?`$dxS`E3f!k_DOWRY>?de$IWcKhCt`D(E( z@`eLo-D+23``mm&#AQy4?BCZOO025B`w58yUO3{xs{(@3-*(Svb3K<3!s)j>&z|GBeCW+1KqaKWf zQLl__3rsm#xVN&~fM8h_A}xT$Wl5tGdrFjxZI7`Xm1ZYD6v*km$cE;~MCLBYdW!OE zVq$I)QiWahzU+G_SNs}ayum@+DozMYJ%AQLWw)+gB$3jZi3uq}RThC=YPcd9U%0Ma zxW$PrS?&+}7Yj>!#fNIzA6?43p8QSoi>@E%oBXR{>o^4k(QQYqh&5N@TCYgwFn=#9 zsi~Z^Sdfj$*ft#Wx)qPbqK)kFfC?l8Efj{Ajx~W5ij7A(tjibI+u;v08ePuYG?OkY za8#l)3y~tO*9I;_kr}AfGLIFP+~rmhP37K*nrJVrHmcHc(``?bSRNLN|FpH?7J{?3 z2S%IouCa@;GGOJ!jAj=3lbR4fprKka7lkIWw5m+hZ)L}N{sfV*B4y~ZU&9+ z1Rn7)&qP7o6W zow+3T+2g-^nejcgY=4UY4E~I1SWT(8K}hqTK?rN-^g>2ow;zD8UtPVRSN4z3WIByv5=F zppOLA%Xp<8n$k%wd?t*T1r;Je6HU2{{LX@N5%ffDL7_yV1j}RNpXUEI2#u2Rfx(Q; zgPOBZ$K{^s0@@`KySqhk2k%kB1MiTV!6uZkwi0c$<;i*dT z%slU@Fqt<>)<}4w{l;nFF|xFv&A4t1ABsa?`wdc>AJ)t)N31YLac?C@912yX(?BbS z)>n+gF;pwi{Bgy$L#Rm#T$ra=mMO=gA;&b0U~d4M2%`Wj^rYo8`}%&;^CkN|^RqxN zF7cBLhfc`EY@_-^A$df=;;~T54GtGdkC9}Rzlp#Uc&C?IovxD5|EA)~6`07$Kv7$( 
zF-$3Nz!Ix?k&OIm-jo55S1TH#Xy?}l6K^6_6x51KW;-H1-)S}hM zLju-VqR-GQfnM$)G&koEpVX(uae9u04E3qgr0f!8wK;E@hqj(SwBO|+tx6?PuN15- zVF`?;L2(EfMg0OzDOy8qhwm6{W<{~P8ny+lBDr*T{tMrUu}nMeE#U7g@?W3C6%UVL zELF^0G}d{xHRCFzQ8nVy8W(TtSOM?@i|BJdnYyT#s63;VNX5w}X2U9aA;G-ZXY4FL zhFo|M7VGekEb0J2H+g%W6M5oIh zDK~%ZV}z?s<2Sx*_K?rxA`rRT3*P6e=%|ikwaRhv13mxe>4A8*hw)ja_>Arquu03i zsWdh?)DcZ=sMJHqQo4eR$pTLT;K%}H)HOY+-jy_h(zS(OW& z!+JkVjoYOGUBfOHHR9bF`If`N<{|YQ`qiIr7A>!rEWTeY?Qe&tdQSzuUq>OKn=OY=4dFZu5_23bX&pM=4}YJUHP@%*UD_U7Cw9cHH;>9n zw!3z#;n<-0U*TRKwU4yfwcZCGvd^VgG7ywoR%6!!Qa@k-S;qK~zFmgr&3|woJ9oZq zl9-oMC$8=)v~}TQ-oBJugqlv4OMSI^{MRqk-k0R@cARG5E5&B-giwZ-1bRCC#m@A{dlD;iLMZf zF}sRTh_f&d1o1Q|qviE}lB5QYPSDvW#SS1#a8XDwnm~D_0PJJxCxgX1=3qhS0^Anb z<3Sl6rt-M$vLnth&=Q37!%HT{03pA#H=dk5=r$?fX%ta&Jyz%Dgo_Evi7^q_R7&Mw z5%wje`Xb~!iX<78TPEyG*xu9p0Up#=M@GD^abye?f{! zieZ84^6SBh+pp5F{0`){f#wBYausrRzxdu-bN*7Hp~qxzN8I5)*WlZiHiqeZ zN)#qj)6JRtCoFa3{+R&g9)*^*xFRXHaM1!3T!lgLGS^& z)eBQX?a?NYa^onV-nf5pjH*`m8WYzhr3J^$5jhzulETB)jZ>A%gOh>CGNc=28q>)3 z=}p32QT6dxaYlXBVpJ6)r{-UuqD?uh;(|$t~ioNR~ zTv39YDb&K${p_T@efA%k;nF!XC@-x!$4s9#)-2`l)^eSK<5)mI5Fs?`R|p3XGTvEX%gka(`fzn#El08)D^z z7049v?zOX$1nI0@FRl3C#p#xU3ziG%*nX|%Lh~j&UrJKx-ihMKH{HLIjA+dDY{q8V z=VC#m|3}_y%prphb|?XayFYNu-T!C4j4PZ$AMmdTf@CP5A^E32tK!f9y($imUu--W z(B1L%ao?wAf7yV^S*q4@AB@g2Om!WDLD&SO%hr4!B%A7X_PdjBz3whg{O}$3hevWB zeBDtVHoWOJ59^wIOEx=rdrUjOnrzd0)GW&?OtbDcn|mU1G8|WlJi3)%mxz1Ty@sT# zHLWM298#>dcuRW*-^2w<ABw;F4(^HCS+B8of5Wke48Dv zC!{}5`x^K>8?O1?@1%P<#j)78J9@`WE4$yeHootw&y^}{o3^FtHyxfs!q#dQO?b&I zE_S~8KWLto?{h@J9FxE@4_;o|JcrNtJ3gZ<*}!tNzgc{*x9J6^V2-cj+%MN%<%Lc0 zyC(G3CW7#nkGiURj`Fs$`A_1Xn%f#GE5)#6&-6YPHT@_>Fq`GP&rpFHWdA{gUtVZmromJd3+bvQ^bFGZ3R zJA!O!8g3LXS44i`B)tCyu2ab6y~Rik7Ol@T`|rj?p&C))=|@xKwH)skT0YCevVi@&LnM|?KQR+4l?NQ7AiNas4jy+?oaO;-41`^Q z*{ee+7HWff>UeRVWJ5LRz_}ZVM}U6(kWvPHhSV5rn32J+Bk%m}I>$yv?FWQjqi_gt zVs61Q)ObSX-%1l@s}w4EcBl3X%8|%{R^EwvWCIjJYB2J_KE2W9#HOjNTNXiwkZd4_ zfjaVgIHVXdL##|WsR@pyU9xy05PvW1huJFW@{mqXyg>%`K-Cp>VxgNnqxIb4zy9|iw&Xh|b(i}n 
zjOxzKovW3XOt%y%T%8O;g_oA3mxnyG)k1{~9v34`3!4tCcEd%Kyh3eF-@zaxPwu;S(jNZiU+C#?;=Z5T0MtO+ce8GLjn9`-B}GPJ4@hlyU16QyDFyE8FZv z5n!l>k$B-tO~U1B6luxpbr%6~+)5gsi;ntclRr zYWl#7R5p6hN(vdze9YR}sb^;IF(nAk#^^HC3*E8#)@JLhluqxyMs@=BLcb+ls8g9s zpObQB4E3ma3)>n4BO2cuB?QXuPPQN2$*X9bJk_}A}P!T#Z`_g7Q6HNJ!Zas=O`C0 zV-8-ZBIZOa*oU|ek78EFsNz_zD0zBB#Z6XjJYO(pq>_JU6Cv}A1$zbL%t|bhs4**w zQ+^!cfH-kP5;2?`9|>;JqU1uu9vHl)G#68uwY#P?B#Vq(7SZ4pFgM8 zSozQRysZwJ$m!gg9+tTwTCa3z>W9bqqjNrp{hE(Z*uQrlhnjUBs+eutccSIKWS#p8 zVghx#oIh3qHiaz%Cg8Rnnl+i6G3rkD-`{c;ecGO6H-6tuRw~nb9N)s|?pXQm4kBQ* zKNrE+0KNooZsycUyRFfNS}iX|qGZFRgNGBDOGa)OsP zUNb-FHmt6jBC=g>piHN`o^yX^li;(6$Y# z0b?*BYMqt01r2;mctA6t{78J}Jub5vrq!+Ae-OHA|J|Ke68ot0esg(DP2>;Qw3fUD zUFx*;4t>~s28z3mNo35-)gCneUFoFq9HUx1?F`M{HopeRsPq^^DDSA=y6Af8FAB|$ z=;qPTleW4>-oR@aYi&94kLY91`T5bc3g`J;_vIVvA~q$|F(e@a{cCMq(%{K8X1m^J zZrYRnZrotgTy)WkTKd#K?_`TsjuubMu|Lu-D+c9ZN(yt5f``I7+qAOQZ*QsA1;_TXTrb9x-mbQ zwYv}v5dU7a3khL=#ffkR7D@Y6mV2twe>60l+6xhzA{GjmZ{VmPe5#5;?X*JLVHAnC z?f=}pGA&VI+Y{>CqA6HW=K?}WGsnotrQ8?kIiEt*Dp!=yCPy8>e}(Ebp;G+joqLXD z)2NS3ANi~B&mj?cQ2J?hX0~ooUwr#9KJnin1TJIWe%*>~llf+gpBMFRcN(BJdRcWo z%S`Lo7z9V2MENlTBrKI8D7*j!9e=2J8a0$BsM(TjGmx56@OF}jJ3pk}A6Rjq+Nh2t zEk&F+3wM7i#JWBZ`T!?A+&@1}Cb247Ew@)LRTu=;nOiScMm$U{QbS=}8szM+f!PAz z44QHMQLj}l3XN6BkW#!&g&v2QC{`B_B8s~jeYCYxX6zwf#L|EQX0q6FEhsE65?dn$ zZOS9!_=#n(J~gAA9aTa-M4?r%AMAw7vsa*;4YIG^&pB^tHsAaF56XZMGqHbpkGD49 z1mL{tFI+T#{&3m!4EOSE{caX$;hNqpOd%)K3arhv@d!7>2J74*)ksXnAJ8+Rfd4}e zq%50Pr&wb#U+)j2P)7H*1WB)=#T$~(Z%4oZsWYv$g!l>XE7T^g8Y=X+qNanmA7i+U;s`)qW|*&c(T$7&LQ ze-f7oj&7%5!4)T}m=98%u_dD;MG05Ta>?eMBF2lv5Ms?WI^nF`G(pOZ*M1PbH)h-} zt|I7hdN$-F<-KG78ZYq}j=9=3o?-Qdw9qi(@Gydu>L z|xyAc7tgZr{!Daf$@Z9&*RMu;5!0a z_hzVmZ;v+bSHt4!oI{xyYapT2mb1oh#=$f~ff6seBt{e&s)E1dXr;YDX(sgaLi&p@ zWC1y>5eMP(0UBfj#-9pRO7PYsokZ%29nSa@z-y?3C~CH549!zA4K_skOL(M55tqLf zCStG2ACf#Oh}BY8Wid&tBf*d2ISjaYiI=Ezf&7|NJCkW!-RW#Nz_u;~_(tV$g$$sw z*}`PN$w?blvJm50$|M)0r(qu^8D{<~fO>xh&?b@h|HaffM#mX=>po2yvoRVqwvCBx 
zJ85iN6Q{9lqp_XFP8!>GW6#{2d;aI1`(>~B_`Yk+dbghadr&zVK~HAUif=QgT-a-} z0br#CS3zd(>32ksC_@BDlx^NB&gcN=1l;IwOupMNxTY)6rs4c@Ma;SSc{qWc8x8!? z^)tb*K`u4E3u>nikDG7sr|nPI*_{F(LCxF4UXEb7S38^SiDSY0t)654-Z$~LzTS5G z>F(B?o>!C5^VtHoe^XC0f<>{dMA zfx?;o;Ch(}^tf&l#s=;kd4TIiYM-?HO2lqzTxtYMn?|}~fX!>O)2C&=ZI>K2sgtTp zpciR}?2ZY$wL)>P28^+v-MGOAtUxle#-)%*RNq~QCX z%qO~?4FV5&LZ=jCeS|CL%%Bk2E?&Vu9Uq zlb)OG%r&ds4;{83>EQ9EEZ)<{2Pd|KLni<} z#ej%FCX#YPb?Vy!+B8HaCYL}i!e4)v(Zv&g#u}wBgw+MyLmi6DC8I9is(NM*r3HmOOnxV1ir$fo9pVZL~URJ(M@^GbWo~cZm zh$>~dr5odkoh0=2s!~cfl=(W18n!R*8|9lMQf7k+YLPdu&d8x820sNfGRe{1g$^Ri zakRxVFCIgBt{zFSODZeV?P+oWl}mwY7Fx3|NMG(Szd9i+Mo?bdGd@H;qqbU30hmFw zgWeC$hEWzvsNi*Ad~Gh6e(CUt3Dn5_0h~i-LvFR!T0aOBz7T82&TY)6&LS=Swk;aO zj@8T&oj^4mbIw+8ON$nn6p$Ypre;W6cIC&1(5&IA%dlYCBEyjq@g4=N_ zCQGuV&>Wdh3KDXaFh!_Z3XUC>>xiTckQ%)?YO}B&vz>tW!HQ+-)}%e7Y6~^~7^PQ{ zg5`vG7Vp)`9X6-Wg|;iP$}Zd<%tuzJhqEX~^Jq6MJtBq99Hrn;_;zKPAC&!xRvSx) z5r;93_{&6KY@SWbEVgWyqKhQGs)N!<`(Z4QBR-Hx=edc#<18@CNT9T3CpxzGizZ&5 zV%}0X`;_CrI1|s6V66Y1trXWkC^jZvY|%K@GA3EhVA_0#g_%BnUV2y(Q}cBYc*}|k zOa;g1JePw`hl^*+QHROSmZU0D0Rjsl4B~w%~=4+}^aizF~31;}BS~$6mXMJkR zuU|-2T|!5m%wi-$H6C>&aUGdTgJo=+{o#JziMv$4mf?3Yw`l%(M&LCx`?rS5>&=g@ zsq<<^AWA4%8RK;$EeIRPpoAx!Qee&HPLsk9$fPUVa|IoVjmyx~uSZ&Qh^p126k&a2 zk{(wcHl!|fiY`{32qm-rD7Ih<-s~MBFp2DZt(WtM~y@~#q zT$%ab0Pg?Hx!qr1QQ-&J&Vh!*&rRTs4BjB{%o}QqJUD?p))*WF{tMg(9H8$2*aH)A zgH@0oUOtX@=4!TK2RIb@-BkEYxA5*5b%A~TWRD$A0CMl0Nt19cKpx^2@HnCSS7|$_ z;Sbit)?My%wM{IYo@DyL%WXYswnu>W>RtiVcGtf&i)`>;0Sj3h|Le0(Vn5JMIFtV6 zpHExJBPMt7?w#h8H`}xP<87Yr<$z0^_F2=OxDA6+T-(8I^|3H3p^MfvEeX0Hop5_3&HU1tCdi%J4K_)`HdVdW1SUL_r23!h%j<>aMGRn@@{m5Suq4nB! 
zj~0^Ra-MlJa(fB8PZvFEx^G{@jU;oN?pS)eeM@4FSGIU@E*#&2WP!JRERvL*FPBew zv>Ma8{*N8cp9wds&BV~q=Zzpvz+*Ou%&V++6KH%nePDe7@?iuH%TJsoa<2OKwG;bW z^j>mpU(PmWwvvXwzg}2e_3SQk#fjSsoL9_c$b$LbcOTxWS`eCmkFNJvC(mz3+iolq z#Lh1-dllO~OD`#HQ?;%B_FGXdQHaH!c6?R_`mZOG|85C)U1I$_MpT#eJZ&ELx|e0f zrv~+xiN(2Qc-eYS$F{XS_8%8#w#W>e0=xcI71_h@S(eb{cJ^>ypHa1(^mLBAbe1Wa zZm%Kay%k}^PEX^3i|)Yt&)~cVVk8jXTkkI04R``KZv-e36Z&Sz1MV{m7e5r2$7^zZ zW_nY+`pml(eh=>>nM6={n%`}dMQ?{5h;5wS!>f&w<%{|1zBW+ACU^%#6tiWDKj@Y~ za&vZn|9P~o;=VES#LLMjS|@MOEhGK+K`7)sh-x)qG_7?T?+;uq)nYmi zJo*9^D+9DF1E>6luvO^<`A&9?Y?6*689d2RMHw+wmSK^vg^A+Y27yao>h{vrDR{~o zLeXqkBiE^K$HkP^^@&wnh#+A&vAsIdiBT{*iUg9=&Oh0@iI)b@e&|$28KKoGdt!4!@uy2!ZB;-zOHPRN<>#ba z!l%ydM>^ye2eDh$Yu3Sh5uHcwI5>bwj#%OTH3-jc=aC+G$}T~|#~Ao0-GRI(9c*eX z=1jlVwG#v)&tpc|T!Q2RsJ4EOkJYnjvW%a%IJ5}dr*0ugn|3&yPRsMmeYYV#85q)n2=Nk%uwW}tk zzz=yFd-vdkW;Li0=8*D~04u#gf-Q0OrD6>q_daQcMg}2DrFNjDhqX#BK zpLv1#PlxMZh8!J zQa4gFm*Ym1X*T3jrNj7247QM-!)XF6hEd|=bcO1*^re|6D?+dt38fxX_PA;~HN0Zp z264yf0j(v}La*?|-{TWj5kvy4xqL!@>QFBqD!x-Ct3F#?f;GT{Kv%{B#ul&~)x!2` z9Q^xbm}68Y@%K8oC|2<(S~7cWJEH`hcv8_|sc-X$m5ZZZ3K2h8*O-;Vhk1_%+IzC# zR^jFUs3f>Y5(?Q2eDCwlR9ti{o;YTO)Fhx~Wjc23!U5M3{^kODR*zp~3{S?5aq0 zWK!4+vcv#mT7f!5<+?c9tfQL7ssT_=9&&>*6`e5gq-E{UG@k}WEhE=-LCe~h;#;M< zPvrvj6XKPWxb6!?on-FX^sEk9LWSIMCbM}23qDfR%KxvJ{?tx`qd${x<7dOm`acb? 
zE)~DWD{u>l`<2WoQy9B>=A{fY@E!wJ`s{+4sUv=Jv-%O|Z3CzMZf&l+*E(L;`C^v% zkJ?Z*QQMCFeecQs%$xANe}G`8wCzFW1YN+80D+FnRaru}^Ft<`i~)D;!_V?(=EKSH zRH(xP6u9&)a4m2dHcera;tRd-`XAP7vn8M#AAk8!BmAV_&$+N-`9zuwyh zKAwK!q^^-$^*WYSp1M5mmi_&r+l}TUa&kU?w|Y;!`}a8xY;Il?IbW$xT-=WS8))8c zS3RHFJPJ7j5(-~g{sHizvUYOWHj$ES-JYUY$o7yPCw**U3=W6*W{;kddX+^7ZrHWux=)Dy~}Ovsf7>ZWt0^;_Dv@ zAd;EnjRt~lErOkk@*z&s1auv-YF1`#+-6Np`yCyoX=e29f6#GWHz{(zY9cl$MgX2) zyw;K;fd>&Ib^K|zc!3^C2;^f*WJtZ_1ifF z8(mi}Hr3kOyEqX!+uvriz+>Clpw3VK%9|E5#rM@4R2Qb21fNdlrFXX?!W`7tZ9H!K zL!c`N_#F%$cmNERePX>Lz=qS${2)FYB+5ItN_sJ;(8nE2yk0K%lA>hkeULfU``d3suf)9yRU{Q+gY_ zNxm|*x{LK?gbKRTDgl!Byz6gv)4S|#%GW&zYxzbJOtg_Yy`o`^A48_UXm|U}nYipf zU9IL9RN3br<_s8Sn@Alqd$cr`8TL);?2qdz`xU}|X+Tk4(zB4Cr)N3P+6k>!H4IX@8Fk)so}SYtJd$%=uQ$CFQIBr#&B)~=K_nsJ{K z!wzvS&2{SJv)NmqPj-p!QpEILatc0y2;wp!(QT-MCfqKI zZt=i?k)}k(xo2Xh;m1EX$utgY(_z=eKZh`ObodY#4R z7{XbD(CwNe#v^zAsln0J0jYC?%&_W*L>2RaOJ|tPUBrrUi}7}z(1Z|gf?3df4E{>A z&gje43a@=eLHDMMc2pdN80#4dsZCLkDGPkr4nGAn-3fddvTA4Rvbh34`Gu0JESsn0 z^7OkMYV&OL*HQOa$3x8$`Ec_H@ydc#cK4nkk zQ^=lmJoUL8bSso{e2Eu7Ho#xC^Z|W*)3Xb5{bP;`{If<$r4PwF1Y{__m+g?R3_a$ly?dMiLGGe$z$W5sUi5P^a+z;- z3_Eq^_T`Q9t$!tKNa1utehojowxxY%A><{dE#R1bdU%W{q7~CuFo#2v9dDq7NS zmMx_hX5)}T5xkgaS2i|`V;NEAq4!!5oA7`YhQcSPiY4?E9znX44PQRpSOIUrDw(R0 zpZ%*zSFVB=CENjXh6+uUjRrnGb?|2DHs_+&{M|nxN8eI-_gSPqA6ql-@puz4m24;I z3O*HP*AJzsXNb$WF@C~u489Bsj9;O#ViHue>2!NVtfm^0dqTqvJg%0Q*%GuvCzjc! z|1_MKVfIhOqY*ZwSu4DuiMI)4i$SX-QIiu z`NVl}KcAL>jH*BJ(XUurj1EL6#Rgo!w|9@e;e<}G!Ax!AJ-to$;qj#R^Hnp9?9}GV z!r`NOC4v6y`6LQocC(@5u=%$3U6G+XzHau1_e+%rvG4tD-?GEzTRG_G>gu`eSzgHJ z{~UO#zTD*`ecdiw`!c3Z>^s;p<8QmvviPy}#Ymof)Z5q>?mKSGO?+e%X zT})hxg}7(vM;ae6r6d*P)5Mm+*W>W8*0^3}v%j3vv&ewM&}noyx0JQP>F`K%3c>e! 
zlBK|O`La*ix`l6%+lbr?Vw=frQ`t)n-+o;SUj}|;pL4qZPO_U3*lBfftk&JK;(Qr+ zF$6ltZR>qJ-VtB4+`jqPdN#1Uy+(muKT;(D_ZwB6T@TCROzVz~Hrs&fjo)eBE}J$2 zyFVV!eXc;SPjBSR-VX^-%Q{CgSFw2pIlZ8qr5VK0i*+1NkEPzX1KsUyj{*VUrJs!~ zQzJ7p|3}P3$+66K&t-FxMz8U)4HN9s%aTNve#_LD*VT{Hz{B2`35z(N)117^yT6wN zIU|>DM4of|7QBr!Kt5dkhdx*rbO#EUzukbp^bIG_(kuQF2Lute?fN}+8x|~ z49?pJgAGBSrDAY=-W51_aslX1v!8d^kR)!X@ZIA^-t`r$lC>+++*!vUCnIo9f?wyQz1}E@)We5u)H(H-9!-~R^xxC zFyXwr`CVyURb~^Qmn;f0L6dQ@&HJ5N1p1*};lZ!VSSp(Pad#~i`*6TZsVlA)PzE3i zG+7i^{7Sx(n;imQn^B1z6KPgq)}Nrxoh*2iMW05GeMa*IbeB{KU#+1LFEJ9Vdv=f7 z3<)!;K$F~#etZ1RQDfY2CNZBj_xfx$-T>jVFTTxCljgQet(a$-IfA_ae!?xDkGL<3 z{Pqks_*J+n-m9oHmxohQ#jjYw5_|h~(uMF7m}X35G$PQzTFz1=1Q8>LC7xLwLAX{! zE>;uLK7c>|GR!@HoZ~N`ZSLYnagOrY;uCsr(uY|?Y>((hXDe{X4wP%>u+JN3LIq1K zoh%G_kDhfcBh7gO&KCJTAT50?q3!w`Smblrlwm_j{*;{gCP(5U8{S7nvgTvOJ}Af2 z7D&n4hcGW#XJxpD6Y+3R5*8|y(^d$pAD3aM{mhC-Iq{9OYi2W}sPRh4<~5~@*Hg?| zG_4grvd#H95}0sJt~yW^1yg{-RUdgoaVHklx1KMI2tjSmtQN#77gsI&p+tMaY>cia zR}wm1u45f%%6JyqkdK2-glfia3`aSpwsJKjuUGUP9s*}74>IdSd>+1}9=z%MKGRN{ z_gBk)cJE-jhMs&NP7}Md3>SsEo>!*Ku`#t~#g(H%W+1y%%Q%vdyvzcRo;7#gm{dou zsB66JZKRgw$hL`-XJnF|B!AfRWE_$m=<4Ksx_et*sJP1#`gE9hlUtdeWgBnH}o?@2Ia zTeP}VtM^>fVEK5GaOA6$s^kGOBm+fO)4yBqiV*UqGA;kAS$59ameyO9<{|B+F8!Xk zYD3qw-8kyYPs(Nw@s~Vn^KQ1oQh_LzAPwE^GMJ#COZg?OAUcYpMf(+p0V_5Mh-F~L zk@45u8YpOh9S!iQaGWhMhu5Rk+mM~2dJJY%NPk!(L^GCcnI|WKh(W-%cIC~rwZcf< zF){t4?H=7AjreJf+y!^v6}BEjIUrQ%m?fqv-D$fn(m>wCp?C2m#(+D7e;~ll7+)b? 
zu7F_|dqsF0E2ttc*ql!$lChS-MANj2asaLJZ8c=Gm!pC{hwMqd?tn2-)-!)7arx*6gvl zh|GavpF$ZgVPR*qHTEv&BEHc!bO2F3VL_NC?eniZBKMXRgi*Clt{f?e;mgSUt$}f= z27Yq!28O1y+#v-=NOI*GecR&=r(T--e@^BiXWm0Cjauc$ZjSl!906B8MZV!*bN=-X z*lr-YY*>V>nx4+ch83z?jzvT?Theju)Y41tnPm|ElIB@8(MAapN&UE3nLILc{q>0l zvx?jx0gP#~p%f#*&xJ$%6cSOWCrI1C{H58bw!xryVNDF102etT`1xRBjO9Ok;lF;L zjhz$KWO=U4utL_MuJRDuI_j7|9V-b^o1HmRAEPcF@>W+{cX!La*7B-WR@4|yTFKh7 zR?A_$!raK!qw(mZiE#euAD>~s;Mo_#hUc$#;tXG{gZAN6xqvQAru|ztM~0Eh(nInE z6Bc)}O|ufmw5nn~Spk{1KKQ~{fl13Vu7RJ+OVtO!*4m+JtTyBs zP%4w;C%VZmpaEF4U)J~oHHMWs_)io*uHO|1Fq7>*M;JGyeHpYIFR#dd5EwiVJ`k>` z|90f|TKiDr(+^-;K7R(j|Ly*$ylrIyt2mYBO*ccITJ7gznYuy! zS-sfAqk0W=J+q;WoL^enjT(zKTkA1ynJ&5mM*CJ&IyDcrlHkw{`=j!z~*}udLZ}n#i69_6V=Xguig$5 zxX73Q@Ug81HrdE_i=DA8zG^2VuJT7*1qQS`3^_y-bMNP~u@YV+d|Zfb_neOspG>^= zuH1)=1pB?uClC_xcx(mj(o)qr9e6qPcwN+ZlxX-F7ZFeTu<+9M@`HC9ba}VBuD6~B z9~`)4ftM8wsXFIW7jADvI{Aw`7Lp+M&gR5xhhGOwFDHFb=um6lV^1w5kp3v6}Ag3bP8Do)K)KVcFZnaKd4%YA#Zd)}Oo=RMUO zl;F_S2tu8H-yd(CoXtgM^nbnxUEJ&uJZCVwR3)06;k(Yp8NJh7u_$q=$5_@Y`791Q zvs(^n2N|zr9qxi(V-c)Qa>=P0tfyn=>@mrj?9`3O7j9qiMq%ymrNXb(D#Od3)3KVn9?}t

xOQAy>P3<1mh%r=?a06gIoDnza9)E3?wVcZ$*HyV*TRBT6G=1L{V~dG-hqR` zfKz7*?7|<1hi5V-g_=t8HV^8BlsNsYXl!c3tjU#pn8qUC`ltiC#FA_Zv@>mmnrv6l zImR?Yz18w5Y=u&!Ro$mNgW}YOMA%X5Zc+GH!(;$`{q@2+WA*#7qjjwGsG`+j(fNOI zhI#l$@G4A8Qzu;H)_&t>q8G^pUwq|cE_c?(7ELx=QU%e%dLjZ1utgQ}V`q_R;*ObgO`-oS!Yc5n z`*XO$dERp{1X%|=Wn5??rQLJze$6{cnULtOUvJSdY?ZD8^|%&pp_5;{qx?cj3O9j| znBF-{g+Dn7ZXbLE_o5!Vu*+0LVyaHQL0=&Lbmw~j78)+7;T6n%VU&O;d=Iz+t4<4h z8k-JbF^bG#s>)~|s?#EXJzNAINkbkE!`&q8i$(Zu&M_G2z}vuFb)WJ^-jvizyc&MEc5|5!?;ky)%`L_<~Bf*4W*NXa7(3#iMq>Q2j@mQ%9CTNPPD zITJAWEAwVzI^tL4P4VT6|4b*pPU6l+f1CPG0QUqklQ(=$>3RQWO7E_@*|ZMa0HWcF zQ)iOHA%Jn-VP6QqFRowyrdX$oC9*>+cbwxv`$E_n#0Qbq$$+}Cg z+recc@p#&HA^5yT6h-!;`Mpz@$hWBJf#FPjy=IqH^yf%YFDZMi@mALHpL6^BPO7wt z;wPz#+r*~*+p=u8llsc`oN_A-w7=2PPA$F4Tw{BmxaV{=;aKI&U;r^1aQQ%q0$-9abUwd2D2 zGBGfx?ExR>%Ii7lb5*YF&V4bqtf&jFdjaZLJU6#T=7DzK_-Z*rv$(1 zS*2K@bP(zMecQ(fKJ>p`AQ+9@?lSOxPA##o&gr!WzY|<Y);SG#MB*KnKn)1;B+hg`HSEZ>q25!?C4*D+}&lmFUz2|=%w7ITX z>J8scY+pwB>>uZ*dj-vEM+#t>KKK1kBfaYj4E`9MuQBDfn}})tkL4x+y(6gqsMIKG z!Kgf{;Fpr{Z%&Y?RI<+6giM8#3g6SotVn#R`{CCI0zlGd#s^Gm5%iPEaAYt_y|t6BbaY8JEClL>?54uRF`Sz$OD zZTQ)|m|EJD?mCY)u2M6Le=`W;Q+1Ro5Pkk`h{wnXsIX zCBu5uqutnz73EDhGQ3=^USnt1dzd;YmTP$NR}*ciY=cnL1^#oLv?gWB&(Mb$>O`yv zXjn(ub)(-&?f{qy1<40Bq{}824kprOp*Yila%rvlekY+G>jUKg;46qr-L3pQCIn=R9So;-OaiE_(nJZ=TN#se zD7UBW4X{PJ`40wx#<1rIu&+Dv-^4ROlt=p~?u33CtZ_U!vyVeWJ+!xCd%(nmMwGIQ`bd{ z-YVB5O=8dH^XAzb$3Bj^qj9t^-;A1BFmBZ} z6L%!+C*7o`OQ9Ih@Ka65M@&Rj;B)#D)DjvfT+z+sU3a*;Y)kYCQ}Jk zY3y$luFwxF!ezu4?_@iTMTa@n6quj8LFYh{hr-DD8)VahMp8G5iIj=|8%}9oDA1#; zJfpO?3IqTi0>GspfZrll=r3C(KPJ3r%U)5NdQB{WHtJ;OMHsV%!aj&OM5(Q7cUJ9Y z<%+qz;u0}YDOg9GIF|vqghKD%DYYHao%9}U!tx0J&Tt2!dcrdC7Raf@gQ zi&ceYMRW>pjA5mojcbn5{kR+WJFElHKi#^Q&{+h{QZkEFDDhs~OLvEhOv4|?#HTzQ zYxbHBZ3!pvL%xK#3b{$4l8YB|VmCrkKFs8A1%jJ;TMhAQwG%@}v(`w5g+HF*( zx!5&RD%8438ID8vLX(A+xOQvq+-t}(;+IyErNj1HhXf1MN_-l6w3o=bSEoiU7A`D? 
ze4#538-+6%qK^K;8yT-cpC;aM6qud9V@=Z~i(k(>54M1bGOx4zPXJjUg^%d?+}n5a6Gd=~@fI$A%T3mcqlpbc#Pfv=CD2uO@KscW*P|!1V6*Tg0^O zn&&K^uv-15%A$sJI?P8fRZqVWB=G8 znf>jsezCT#Z|jJmJq2kD4oasj)WjoV*Q{g1*Nu+1ItuUdFrr)ti>_iQO%^WNQZtw0gGs!DDw zdNOst!J^tbzmi$Z=$1O&krMwyJwyF<+%O_|cP78|ZCTKNk|>V5=n2)Z?vg>Wr|adM z;rXAP|HBB>k$!5&vCk9O{qZLs`1E9C8R%bk^SKjW0Bkx*+b^jCctNwsSD;-E{hf+# z;&k% zmvJcD_$x50@18C%Snl3{&L8zCp4-7LoQhqIg1}t^o2gCL3BG{7IiGDL{^$ANE9_&G zB}1PN?bg-pP0)E(o)2pSxMbbdb>rt-R@VD+UpVj@&)Ofnw^+RC@U`PaU(ulRB@`Ce zTNl4#y1N^}Vfa>%pmpluBj69d`}ggf5RyOMnxXAEe_kUGI3Rq7nyvfs?RIUzfzo(a zcljy<=gRXKM9|x_n%O&j8lEZ$(d#aKI_7cZpQC-5yZxt3Q*q6BRbDmbO@Vr67$dy< zCh|hB@#5QUJNV=s%nf34`T*`^JcAGaE6tjX*8TcidQ;a&k8c#Z&i??pft^5Q&!`Fe zT4GKITD#btAgXR|P!i(ZWx|xO8RmGqQ?)jPV>g9~Fq_2flr`aS0~$e`^tvocqQ_SzWSYyc6R|5V#Hb-3<-CkYGQJxkkOWn=!2C4$-jF3f`%8J zR{dxsZq>OtgCNE`W`ins$YIts+k#z|6z*kL$v>C_=_ar z7=~+}g~trl4~b|dI}rQpKxmH9-Ai_`1J9QE2MqI{SIjjdeIBl8mw0QH7b&M^xo?t) z1>$Pr7Kxcs-o&PKLt=m-OdabA`-W3)>$pQPeVIXsrDAKtNg#Slu%WslnuGbLOk5?fmSl-ydf%S`XZdK+(P9XbXkjYVlyVJQF0aXi(^U=*yb2;%9>t-K@Gu$*&~SG#Bn18kr#q@g{njFY8HZ5DK%=u z7Gvd<{)x%poWbFrL6Sc^yY~+=qy<=u2IWyc+4rVGG7Ju9L!5*+Br_iA^PC@swfk6hIZLN;BmI%XH}uOCVS` zJIDO=!{ii2&M9e}tX>Aa?~|s+t%8uwUau_8u(C=&M)i?B zp5=**nb5RhyC6`T7suDMm{{(g9wo8dYgVR1EmFf5mxTXu670>y$Gq-an25}(@%tR*O9VY{ggFoF+P}0# z@Ug=g5W5VlIJYpN^n;+dufI)S4Pidm3W`QiXr#GnS%~dK3}xbLE`#e_3KAgw>t#CC zFKkr@GTXS5=Aa-BG@MJKGCUOniD4+Hi(diLxF$U%X2y;2UsxDP2o>anPX5q7N%%GD z;mUdI)z4oZk+tQsH??uewPJ_}%BH@mOj#)=cudKrQ=z zO_-EADWRJPHcTtJnKLGz~3mqdd7Or5nG=~zlQ z1LQ+x! 
zEP;EXZ>+#C-@1oC1>JDc80`IMxGzl4s4e8LsK`l35FOt8m+C%y1QQ<{?TQ+aQ3`+gac>;vk2S90<-LzXE3NPoWa=VzHKkE zI1hn&8y}g#E!A4CBLTlrhU$_nUB9A{PubYKK&`=5(1d2E#U~MO&1rE0g}te}b;kBX zv+U)s@yDlj7o(!>e&3}jv=yRxj&2%@=UDI=|+kcVs z%GK*VKYcxI_z@jr0Nxr4M|J0ZPVct0TGZ|Fhexn=@7h4j$rI|lavfs?E!T89R|t%+ z=QgaODDvy-i~v4x)=9#NZMFjeoqK|G&p z6LyBc-IKWq2mj0Z3DnQ+w9zraAjf6d6W>0;1lMV&A>UC~YpdYTsF$4M)3ifA`|giq zb>K^|S+AR5y_);PTh-A6ot*i0hok>x@F(8$W?{cZ%c2-~{rZrX1N=xesPVZ{f&JYo zm@c@FLqJwbzrdC4cNLUn(1x)IPR!R0uQLy49++FzzH*)m|IKU|D8#} z79SRw5q@hx^E1HbblB^Cgp(BRH5vv>wgxN~Nm&$W@-3>cc z4w;A4cFM0}qKA<0UP76kiZMD=!|%t7Uza3Ry_$6b&38C1>Z&q)I97+3gwbjigRaJ) zAJ=J|c4`Gpe2o>6NrlvuJ2cTvua@BA_hqNiitXEyXGvKb3}z8C^&CT*N)mj@(UOl@ zN&$5syZV|dVf%`Tl>fm$=qyaJ#m|`yGy+XkI6huEfoC*!DpcjvYj=Kv;|RS<(Rn6E z3#`A8?qam*Lk9Wg$$+;SDZ;7u;^AvN+@M`?nfT^U>2nM5=-&u|`7VO^%lXz5u`mUw zw*vU|k21*9)G|5n1q)4Ie{`2){8PV{@B_qv{%AJ_ehgKsj4$sm>DRrXPmrr+b zv>A)Bt6$EwY-XqizFL(UXIOW7komm*;EHvFnj#m+`EONqFnIXj&vKH^pQV`-+ zjb4$7K_5405fLe=TXB$M)nJ_{*KyaI*{>kgR!ozW>8Divl7&&}w;`>|xr3wE42@1& zrYcbo6$nLdh94>y!O5R2cmDEOMSEG6suwkAS1ps%1!4OnF&9J`k7o?Sk;uvpI4!Vl zn95L2APZ6lCc@kbmvf7wk6~pc{_-$$AwM+hu$5P$Se$60Yj;Ag*1oj0{9?dS@=TL0 zQCXU;_ILCj2NQgX&kgy)CizBUIns<3i=+@#%{<+Ys&oSOaB(Wv-<}sCc==13)>Bf7 zpR|kzfHMgdzy-{;j{(+Z-}R;^gw*56saCh`G>}HJp=GI2N65pA(@yxyioQ&H3s<8Z zTEL>_XJmA2qJ7|{HR~(_FDv4XK(PvGNd*(EGE9V;A)K~!j={K3AuHwcr-;2QR+TdR zHwP7+34~t5$k=V2Dm8bEyE5yb!H^M5OQMkqL)Who7W8|x)N{^AvZUAw_h~6JtX0S& ze?gg+Aqd=H?8tmmW%u+R_7lv8eYtvb(s|VIVF@R+yJG&O%t#3`nIEn?v>Al=T4pQ7 zJ~x(sO8Eo+!m@q{|3A{o{b>17+}2Oyji=qKb` zOr=YqM+xDO(AGkTyh+f!^U%DJL;i{&cf-IjCx@VW5_xWHe3il-CHr@^YO^$%>2hQ# zn9>cn{+QnatMUJ2h^Q*_eo2hKsQBcbSe#&2brNaR{_*=-jb+S0EMyhL7|VlNB_+nQ z2|r1T>{z&CPU~;r5iCPC?1h-cZJDRg{J_cnYfYaOZjOdJnM1$e&n()Wn5IQz3MKc& znfAOAgzIg|-VIVuMjsd3vpLN6&g@bIbBbDN6qi-k8?Lp%%ks)M>5YP zsO-~TMxC8A_BH-sHlVKqv}J1Z`5TVj!|(23K28A+mpgACJ`20%jr;Oil%`Im$q(pD z#`b#y0{^#_iJG>DrOEEef@QGj{PDJTj*rR9o#wV*xQ)Nl6j|ey@4oeEfg#Af+GOTq z_B|zS-GT1<6Tjfzdzu*Ru;CEwAmI64xvbyyw%TjGt-#<_Hc^u+Z>ZOG{@}&uuJF3( 
zty|+&*tBan6L_@(9FgT*PW5@8?nV_nLG678g`GRx9L&x6D`tC4`+Z&`52GG$@?Ps6 zGc0?(#eA>S(gr?0ae3{i^*87cZ%btOp2kfxiLd!IJX8yJu8DH;kK@@pE$VZPYmM zKztYQAWd+UzgRjxC|z9;JulS0oI`zSuMzo=HKlI8R4ckJ(r8C`iO@o{ia%&Ac5(46 zr<~AS*GMGAS|cDq#~^UtbsZ}66I3E2&uune!jC(zlSE9}Eu-_;q3kzz(K@$CyV1mt zW22s=GhegA3*}Rnq!FI~*C<#{XWx5F6}-gEx0K{a z$w3qj&8aKvD%P-VG$yl|?oZC)768#HkzAFc8cC}0$JgsGW=YFZEx{mlt+tmUO}m1w z$U)5l>X>~e1G)s827W<|bDIFlxsVRBN^G77;um9HiEV0pmAK0z?-rF&H!2k;A=6)9 zYR*6C7l=wpb<+6o{tp1GKvTbrlo6O5;g(krfFeG1l`l8{O`uCvT9hCK4$2v>UPRPk z7c35krHExbgzpuiMuXN+55*MJ%rX-wQOS=fvR)$FgA4%#5$B}&yhj`4z&8qQ#+kIz zBa#_%j+`I2nt7%_@yfodpzUUMn$0I#b|T#`v)VwQvt6bFNOm=6!Y!)p_gJp$6BDDM zsp*2#D7B+7N+o()t3AM?F~y8?Y_pM}AbdO^g>Isg2uIyX8b~N`%G$LVUS=B2v?IVw%Yx;zn6Oe1IV*pRbaTvKc+@)28Z)RM`1AuvmH+@eb= zMJ&y*F~DS{ zUTXk~Y{N!voJYDyu~D={pY7H1Vzt?j!LTPtW1H`G;vxq{8eJ;LE^2oMrAfdcNz!dq zn^Ybss0>vpV`i?Kgot6f$E6CWu7i1!4zdEpWm?0r(rM5mTuh0WW~nJjrpU71^Aox{ zf>8=U8k!X&9hzm`kNbZVfulZ)|BxT^AF)k=pTU2W7Ozs)=N;Fc?4`XVI!r>T0O%_@ovGM#zYNh~zT78KyV+A~1Ysr30-xjy z@z|sL_=xDKvaDpdR)dfyRFoLD5~Z~65r8?&R`XG-Nv3j>VLS4gcG<-;*+z@)B9#G| zcY0k?L`B_fxI&H2fbA|K1ryGT!;IYF3e#<-!B(JH%g~870gL>wD}hz5GcIV8o(;DR zMy~WEug)hLj0Q_oF^lU+X{ei#Jqgraoecr5kLTDy)-7}mLmME9+K^1SS#9`wr`?LN zyhdl>h7-FcTknUE!1cnJcAptuG{cK#c+m_mn&CzNyDUXw=+~0}%;-OSCH6`F^9<4X z#ebgvz$qMrVeIqi|DgZCe^Orq{sTh<45J8we2M;_{pX#0Tz+3yeIE3_H^=?$^FM#^ z+dq5#ut(uJcW!g$%V#+c9dhzJ$IX7^-ansLc+A8doB=qkH2^NWh-ntXU|`*e;Y6>@!+lZZ+!Wan;rDdZX3@&`YHR6!>_LR56?r0 zdv`nfq@@<`-hITrS1hsI8b7#XxvPc`oOxBnyZ<+5JY8Q5IAmYw%B3D#{OUJOxcY`G z?>v7EMqe9yf8#?IlXkmOz1)7SyWtMPrgxkg9`}3r{@qW`e&=_1lDm1O1xwEcnA87) z&)WKz8$jFKtMya=CjPVi+lz-aYY+USqqfUzy5FE z!`DxC+-gfx$c@YU??%1)+V9>1!^Kpj4z`9 zqb&;mQKso;tIkc6RVo07eohCnp$$tiJPMOoQbnwCQ;(XQlcXw$fcFMqKA+3E4YEzI9*7G^Knj2RN z6ACT(X(w9`WL-?F6_~-@&2}<)rE5)w zv7D#lL8C4?qnacJ$r{*df-uVH0L^fEGxAE=x(Vr-LOYkwdrhR&X59{-2@}a7Cw50D zVDv|g%({YoX5trsE*XqKCx7iHjd&vFx1PQ_8#%R^%Y>?N%- zUleTE8MMh-Vlq@cdq_xOe>ez|#eO;&$SGGV0_kBl)8$chgfuL$$Ma=vIL#E$SVfBM 
zQO)uduB7JrQYnS?CvG80cWjbijZ}{&sx$$&F@Wvyl<(JITeA9e7c7liK`)z|5D4us zk)869A&C~`GB-{sMMEss@ks926Sdbbi|wc{X8;1KVU_WSNwP&#L}>vnQ~f#>ewq4V za$(O$@b~&Z6WHvOXX=OFWd5@#+s)tj&!Xu6zz0RU2rE8p6C>%&UZ- zFC^S?xv7e@reNbrHZ`(XHJNA@U6G-cDvGqy8aCvoW)@no0ay;K_R$D3H8iHN5hRWV zoggd+qEj;X8c%9eFNTNZtZh`u(j;s4RL&k(24b#^GX|QM0i;KD_>wWKyQP*J^_o2! zZZyWJAEASzX`VAVtX;b2m8qX{oM7}s%`h%c8NOihlYpi!@xIMA9X8L!3+l_HqyCn#|o zm#C%&O-hc}sn-a3ZpEYx?SfJxe@mILY|uNm`ZAJXa{^B+oJ zK1=`Sqvv5E|H(0w^O^jInSN6Gykp%yl<(om3TnswC`$}7A)@j{I7T`uW1Ev=LlgW- z7za%!?g-stqQ{6r)70>Yuw5TccvT?i#wNih@|2a4N+Zh|I>|IS%9*C1f&@4YQWQwD zxl+UP#??y7OQS`pRBY%>xsjyO!;A*BND^MCp;Q1zsUT59^h%-VMTPvpOL(a7)+UK` z-jd^fF;N;Ah@&vN-2}~1Y&M4wJpe%<)tYc#(oMStJhA*Z8mVR=;&s%Wq#F#$BAGrH z8ezg{One%Ri)vV)hY}cylG7a&>u3wGwAf>Cwar6_)ESvZuU0|&yo=LL$udg;SSn2< z$*O>G(;BEuC#aUvT(cmOnq&A|ONQ{KTAdXIaPYdG9*c z@AJUEyBHf@TYO|O&)fTr4fnYvdX@RsdF&fcUTOTQZM?JAf$yJq&MF5Sx5;7KybOK+ zHh(uCym+a_$*tb|*8ZDG+J^E6i(T;iD^Fa#;h(_q0qw0?2sZD;rbEC_g z^;dl0TYDb6&H?N1ArmXyvv&dCUcYJkE7(Kc+UcdMPTl3Z4=%UI)d!!k|8JjE3Xgqn z{oI>Zkej}HFE#tNQU2Nm>gB3c+3W4!T=BDQHb1$z^M1bc#x2^c<8C?l)=jUWh74rB zaoUZSe`_~?gXf=LI{)Z{hYaA0S33FS#=Kn*d3pWaUfLdf;E~mXm88S(+aj!X zQ1@n<=n1jJ*o(k_K287U8_9p5=_yQ;Tp9cV{Kr@n{v+0r7}m&qwGp&CNV(DlR4|?A zWSc9gy^fi!X#{Td+J>FR6A`buOs`PS30IWWLkRw+a+e4f5SQQ0u9q zGB1zik`A{LI^{r7nRUZLh4ceE;m~coR83^udP!xuoUFTHo6>2>b1Qh+w5xgrkZVJ- zR5fb78pUW$-S&zWilpkCg%v!do+-DgonjsyrEIM-(kI;n((Ef%Qc1YJoNN!U63~Gr z9W)2qj-hKrqmj;dnq0*QY26?1haU9B0z3WNJo&E{6*wYdm{LM$ zDL_qVAfTNdfpxS7dI`59G=?2YRV%ivG)8XKOR^M22h*!>1_Z=Oe7Y}UzD`skN+Wp` z1iV@%KcxJi%??QklQRQmnr3D?`Hb4@8?lqd40RAp8d=*^gJ!WUjHu8V)C3*H!{nqj z&;hGIZj^1fOrgUvDEIPNso`e&j9s1dYGp2zmB`_8V7>tII+=)@sn8mfdXk(PqGL)A zl^y_5;+PwO#VAY`vv@8qSZza5x}H_a7+Jw52|aJS)h3LYSTD{OyD+N1Om4|o$_+i?%<=j`er;m6G~rgOPYpbBJH>NI^OGjuRA zu4D}Yi836Q$++W+<)`b-0l-db6|KO4)+CJj8k15)UlF1ZgVl4}c6RNbOqBe;;L;S*0+(Q==qs7LtTc0}ERwQ&L|*DORVItqOJQ$P8JAjRd&Ff25EdxSel4bb zK_}BCSwW}?>P({s4RlMTw3wR|+v1qP<1@p4X4uaR`|NWKNC;88&E2_u;=lKr;p(KXF81i}afAD|cKhW2J{~!wo*pVp$2ERD} 
zIcAmn*CXf9_hjERinpD2#tqM|_`wq5<-fa}JOgT9TD$VC?N)taLF>3%ZrSmr%}zVw z25#>aS|>iX&*S?Y(|rE&mCm`a#1Gdy;3eF?`-59|UbB4nL(0u(-IRaxgH!HaXScO) zxb3DC*m~&9t5)2Wgsjpj@O>*358mgHo3_3Dd-F%f|LRt5yImf=ApOikCv9-$4u_Yw zc>m=MTfeP5w9-8b^6eKl+YWkjr;A=#Eq#`IWAX=ocxlB;ZgWq*X{qJMxj%T!I@V1W zudZIV$`QBTzg_;_V`o3Hd;W?m=bv!mep{{f{$p=$1>Cmx#!KFM<#TxdZAjWKTKkpj zK48A}n^}k7WHRWokHnkt_w^Hh+3V3?y!`O?&uy~Ozls0!*rk59{H-q{OE&!pbLB2~ zydrG+>m^n>@2-{qI{4Y_cQ#$?I^&vqkGN{VdhYy#uN{vYrn%o1>AM#+n7MPe`0@Q% z^9Pr&z3g@IOY3})-(c6%e*EpyxwBuoBOYOeY-A|1Q zo#)FdB2V0Z$RW%P3-;e$bs@RlV<-wfL4QrjGMlSIC>O@%|Nr6s9~Ay1|Cx#ZUx|GI{^Mt%ZngUviSO5!|A5n+ zG+sE2M_{z*^Yfoi)BjO(-#q>!$Kr?YmkW@{EVBMjeNp%im}^)CvnGorDA{nULjs6e zfz0B%X+eUf_toMM6i2Cs!jWv zS-3Qwo_ z8zD$`j1DxFEF{bd2ez_OK9eM^@gOI*$23#Wpcp~|Y}hb+#Rg7+EKFOr7fx9VJaVIW=M7o+N~+jHV9>vD+zn zaZ9v?YzVX~m0TTE8IzO{y-`6_EITe2`?MeE1y{%XT&c_tf`xMOOjE2S2L`PZm3&Ig zqr&d@)9Mp|aT```+?CWisAY1@AZAAVWSr`z5}AD0=EphRN(D`m@*0_mB{EptqxwW$ zx6DRoGUlokfN$o@jN{fqYLxTPjsjCbu^-_r0?x&aT8+ziU8rf6*m@W;r3B@swFKC% za%Rx2RSSb+0q9S%a1~88!+65BWKy8g;4p&ZFEjrwyD-Fte;;C5O)NVz{O4o-6Mysg z&mwI%f8#%kqW>fMUJG^5BB}{M4{D|Jc7A|!sZNnAPqY9ZkBE#cql#baM_I~YW1;63 zkU`JEqvBAm((Rr)NQf1)-5X0Cpg?!&6oR6?BAJ9tE}v`E##vL*!BjoPkqs&dXVZNj ztfq0f?+z0kzMSwgLAp(NS|Lzy65yP$JdQ`*n%1vLW|RuWT%n(g8e_pPt2&(W^#tRo zcAK|^hL1t8O?rM}0Ol)px>t1*FrcM}QY%H!rD~=Z_M@&e&S9Dsj>mk@f(LRlo{8 zX6+iq870FPb%i0)z5KY?jxZrL>Gy!t#BEK|4l{6tkNba`0vCP;|4HXQ=09>fO?@W+ znLarG$bUX_9vtwG1L6MJJUFS^2Lqy(M(xCiDU4y6CPSd*I2+Qe#S2!BGARWa8~WoaM{;W@e$TUy{Ja#O#OD^++1 z@)6ww^OLBh4hG1eA(J9g;TG;+AVTsZVv++gW5TJicw(GFO~}ubY<7^X zjJb9Rb{nx(Zbq#N?q|$VuOpd;H&oPK4Q_!}HfM<=m=9Gz@9Tso^d#A)is??Z)bDU& z&_;49msB-4nSugDt*53txHE(V4)fD>Hf12~qR_tqBVX@&5BLk+}`TStuYq*8AE7MPKa(&?Efss4|i)LWa3@n;~MKiEy z1{VE)Z7C8XzLxwaHBm3{^I=S zC*8fy-*2Be7p$}5Zf||C^dDAS`cG@FwChXee1w}aLy9oagQ8)_PU$v zH~;0-+I1VxJ~@5z4&U~kzVZU?g37gX7hhEv6_(m6UpwXSjknzGimPruW(#}mS9W~k z@x?dW`j0o-Cmg@?`X|5oMs&e3k8gd)>f~N4Y<{xHKfC#1cfQ@(vGl!Dcfc>Wgon4A zX%;m(w4?9XEJtL(gGIhG#7_$tJujhvq 
zwVow8q=}^`c|K8OdPzAul+2;bbkQ_VaZ=7P6NPGlE9qfN7?yHXtf$jR6Lq`^-3%G0ULEF2O+g|PaVo``oLMt)GzLo=K5DjgWss%P zL?Hsk3xy=o^^BWG1{_!@H-bXB;`cJFTZ=k~N2@LpB(>5Yi8YA|Lk!F!I6dE%S157@ zT=9lLtOOdu$dgQsmxykkO&9AmE!zp9MxY3-$*`Kt<;AE(mx&GnWy(&m>}i>%D`lFE zL6!3zpjYcc$zmpjWU_353bP0YHYBV5W%v)hu;xFO{w~A{qDH{&nR4MbnEx!wcJtr- zM_Ls9pL}~lbcXeDUC03Gy4@coVYJ;eU<@5L5nM_Qa;B#l3B6*M(nFR<8Zhms<#EkT zw-XIJgZub+x|V9iG{+&(9rx362xhRcsQU!%qdo>!iCl)`iH0(E$X13CWmsmdpe|Yo z&a;H{sL`j5q>-E`B)++OATJQ8y0-olY4;m~5M9 zF?ERP#+|@!=0=e(XLDo(hzj4VLKyp*pb(;ZAsupjduL16oz)&B#3%zp%i3Owi?Gz~EPOV$%z}O@mb9&jz0eaM=LSjf_WvGb{ zQ|$(yN%Ue*sr1@$wnViWLE0{XPF1KB^JJv>BP*59Lm=hIq-qgX6==JV()85)u-Y}C z$WOKqq9kaL02_mLwboREM!V5VLRieXVpE7JD5f9|njiEzt~{(m1)!RtogUK6kBS4f zNk(dds1&M5P9ZvJFsxyPR8sQDVslKy>UX97NNA?Sq7M|b*)5P-~aEPm2w??4to}m}U9N6Ov8OJx9Iwt{@v`8dS51~vI ze!CNf-k^2mc}ef&ai?1O9`e@WQDs5Qcwo{`0UU&-?vG(ChF2 zdEL#A*H`7SwdN&HDkh`_E6=BYf6C>jZyM~hf|q~o>I*i#;)tij`~}vl^XG3@zFoa2 z_|4FM^qB8mL!-Y@*P3^YcIas5`S09u@Uf44z}UgTYn^{Oeejy!??15WpV14S{?j|p zDI4GMXkicJd)A?6fMVg|?>+L}#~;7u);{IAxz!g(&fMdeV5wt%asJ7@-IW(Ucz&G& zeqaCVDVd+Emo9bbDeH``dviy>a?e$nD|;6%yVYXWrl&o-!gKGhf5kcWPW|I&|LU)o zzq{-Fc$c5@1xclK*91V=@_5$$&O z?JaTrr59YdckSEm^4IRV$C=4PF7CF1bKOgBy^ee9(fUS}cdwJr+-03sVf^6Ui=E(g zce`l2(t^1gKeo8^`=hRyqu;e^wCb79-hSIEr&iufK6ly=X03a9_r*0ra<$)|vg8V9 zzVXax^w4wHpWWQ?gNvor9$jvm`ZDvr^U}}mUia!7NoN&%kDJ~+b?2oA`fs1U{Pf2+ zdj0JKvOj+9uFF>X(d~D_C@%Q;S6c{8>j!1n&zRQsJheS&W1lf|M^t?AMu;Vf3%4>aiM8q zI}zK|qVgYiQTR_j?QyKl4_Pn@yR2;CK!J}4G34;5T$v~ho^Nm#%GRBUR_c=ylaT`( zRwA=7v_L4=(3E@^#nUN?N`Oj78%0(MFzR$x>A*138K)SM5m}tF*bM5jiJ(&Nx{ZmU z@?CV2_hNGrixZ+@@%e<@4(oj1wredL=(WO!|1wO%W*d1nbN3pEQ)_IoVO8On+#AYNyK&m=PhE zg;KyxRaffK>K&`Eawuy?qFXjApoKYYOsUj@j zci@38=p$RG%MRi76rw$nKrul{WSA(qIzo1$v7f5}7EF|f<#FIm29{5^MB62*Vm@XY zuH;eFG?p;DL{`IG)4^NT^dmu3Q8llPnzX@3QlrcO5X!r_)e8ASrBHPWzE1BPy^W2!Ivb_ipWv|etD~K312SJ>m5=gFu5?@aL z=aci_{IZMa{7nDP$NXpV&Er3dwB7uT|166B43xZ zJs|KbPjXn$NCz?&C=HZO=5a^zY9N6{5Q(RAOtm@bXH2Bz$XpV@3p`mK8U13#9LTmQ 
zk^HdKk&E=W5WBJ0@tE8orPt8p0AoSAs06YWHe*)Jq`Y=6Y!z6bC@KZ9Hl`I`_;=5L zYg67r{*xsB`TVzXs7S?fnJ>1i0iPp0qMvWqJ2;zSy7^9WoGp2xVi;N?l9UEg9Ew@E z&!dfDf+=uFdV*m9SIB2cViY=-PZdg@mUaA~7i9on!Q6sSq^o^R&b%T60Gb$=+S%8OdoTw+eNsVkYEZtEDVjHrDu_sGo26bu~ zTNFc&AXQgmdMO_U2ww;h$CEP^B%=_-NP{gUNzJgH8P+qydS+P94C|R;Ju~*PrO5y1 zYH9=P5|_+*Vw=Rf~*{2PS8De@EeXZNps`8bqmu zuX5}jFZI@Zo&4cp7d8+0-bz1Q** z!If_>^UGN~6wYCuo3qOU2WCAUF-SJz< zq2Ei+?;Y4JUbZ&8ckO|7M$yanU?+b>c{Tvo{|Cym(npkMIdGZ%mpW(GVvBzo+S%ly zcYfj-?}}{+;#6;)aJiCET!T57hd^bukYXb z?k4Ljz2S~?o*q4h`&+L2n_Xwu&H0sA65FnqJz}XdSA!otE%j>elC#$wu6tO2trZ>+ zwPW_%?AqhzpLNBBx17K7GnXuR+*yacvctXmKf}z*sByg9{2%PN;N2%L-D&P~+)~@* zSJ`B>+wBy!#ufL?nr&uAzwvKL9A53+`(0&+EspR{yaC@Hd&6Z9c$zr*jPLCF)LmE4 zOWeEEb;qwrANkOV%+hC>KY#G}SJ!urdHdJ>{OJdsmV0QQ%MX3!!K)rSw{=wiu1j|L0LO0C;z2_-&csSm%GWvGr&g9W<;ap3gNh+`;a;emiO)fZ?G?KCpgky){A zMMv9$0*3jI@J)fCOL8s4fgc`JNvl;|Ox3#`u&GRcP?e{r(AL6*`aeS3K&E+lN^sn0 zx|HTe%M=6->;wyE&eZg>YwFVjO_N?(`JdN-=hOTr?l=2?t5yWH@cXo#|FD7;&`ifm zG>}@$sYym(5|cF>Fos0dFX$cJ%8eNlA_wiDOx6djoKeh{q*kxh4Hd@VmA1=@G=_N; z#IxvdY|$c@FH%SVV2+)nn|d$lH(~6nsH%b`3%?hH*pZ+M;J&@RGudg4@+k;S%At|o=`BBiq!8yF=B8=7pZz_NLlQ6LC5 z4XqdrLUiO>4V?qVy%aT&LY%~)S`xzZl2FZNkwT6Yx@IsGq*?_`h@&u99px0Ah{b*% zPPRgdDYR{&7{>@uDCN3CBy5lkhHY?YlBnf`QiKw@#)R(#EkCH!6kOy+Et-ug+4MAp zFM7RfK24@Zp%}R!P+0i<$W*!?O&=(gDt=Ua{4lX)(<;R*EKdGo8G;T!Dnm?vP5~-n zz@#k}OVV<8)E%VR$gj2y$Y3%>qJYrFQo%`glVT{l{hneHc?~U@g#^|cF?xoII0~Tq z!#Im(_+f)`(2Qn!PSW&Est|Rj{!}$2D1+y?LRJ{)N;}jC3&nc!d_Po$?l?oVa}5Au z>4>oG&{b@jFNm?sl{{Gp>@;LSkd>0dxC!FQ|mu2Qyhl{k#3akr`@5g_IJ zV8X4jbswu@24BuKba3_zh(X|yqanqmS=i@KB^&3SoAa55A(IGD=z9*^D+B@ z7bVONhgK~;P=?ix&jOX{2}q8pAWa#`gbAo7gbuG3k%W&F#u+|ctV6Y-4JOAJj{2WjgEqnJwO}da-A9zp3{g^tzwOU zaV7(CsZeUS!g8NcNdWcvB03p(R%?)AV#9U`q7>S0LhMyAo0pNI83c4z9SKZ0X%=A8 zC7ZFBQ!%3)CkBIx4s^_kl_m#$#Zt6k2bEggoP>5WI@l!A^w^vFBNhvk-t_x&(&XT< z)0602I;@Xb%}nvh#&m~>(s<4xD-DsOB?Ygmy&g7j3!^%37#iQJ+E6m7MRBSJM~p5; zdPvc#WP|mDti+{y3^Zg+3iA^O|2WJ}^|Iz}>~dXqu2%j79^KsM#nq-3Gvsv|jEe_+)pGpkE{ 
zhn6D|=|(Iw^^txo0!X*Wr4a@yW0|n3_Ze;4I>82|uCIC_|_EpQ`yhJCfPLM$r0VnK$Qpqqm$k|yN*HJ#`yS+)L9g#vE zFSn^yjqt%?oa{|Vya+TctD**payT%oTA0lDYh!}K5*AkB3kFwhvKgU7R}C-**>QH9 z7Ya_Um`K^F2HuaWq+kJ9WXAH)vcxr@ zwh=ouuG5qPtHRIlp&33j!-r=0&Ne|FbSg=0h3?6|L3%~w!HBByZ`8xjSkxWp`F=z z+a?;zU%d94%JL_pC(YXYh%4sq{LEVqthW4>tDd^-u^Sw4+%6m5z8He;wgdmd#>Z@R z&bHgXxAk?ML)Ls^4dk)aW+^Y)TSq&*^V4l_Rxbut*ixB$;a+q0S@63Jk2&-F(|-K! zHCtZT{N)Af60Cd5v(5*P{rS+@r=EM&0(HrUkKJUQ#h#gc)=yVF{o&HkIPst#ue{Nr zbAEiykI()2b<*5>=DhIs;=h0L&AT_|%ty{&@48hsp}PpyWI60QvA!Y=eoOpckb)|^}_tjP5hn*?EdYip1bCUw>2=WpRRdS z^8E7g?`-w!EALw|UUBxJ3(ni^#3v3CuA2Sq&v&{*Uus9>y7ap*S=ru2_n&v-k()1m zRQafvR^MsPnlEm#$NDGG?#|Edyw9vtx0|eM{C4Mu_aa|^^4{(>Kbg1J)v-5U&pr9q zH*bIYw=4Yh(z{lA@9Od$mo5H^vBD!a#@%`Ao|O9Wug*YsU(ej`_FvDwLOt%WWhrv_ zaJcmW$BmBwzVpLf=kFBU0KPSUgXQKoh5+Vt5CPoMwoeb!JOdsIK}y7!Hv zmwuCc;-C5dNAdq_r~d=a#Q(3xzDWO1tJtj5-?;g2DRJUP0%IUzyZ(9me_%lP)cJ4U z#Qq;tYzv^+W<#-UFJk}Cgj$6DABIM(Uc@8a80!Rh-fQxJPw3{ToGB*SBrm{)M9g%Y zAeAiC)1!Dqx8<5|bde$_hRF&8k1E+NKfzJKO*$GiFe*b6aFiN1X(({LqIKa^i>ORe zl}dA(aJHtIZ=-EBOleT(5g(+C-UNdcJ(Zc>l>uF>jT`(>>jL$BH=u;5YsM0hmCJc8 ziTK@u7xe6A=)i-L+-MDA&=r+Z#VW-zN5NwkYSj!j;(}yJ#equbXXA2u;=5GWl-eGX zkwHkxf<_{Tdrl=qjVvzZlp1mxp%o;P%-3>AJzX#)vr;RSOGTgzU%ns7gi8trGaiX@&fx1Xn4-q9xUjEPY(f7AcIQa!EZY7G)qF@~JP^|HIg>KFE){ zX`lC)8ciw5?7%O3vF@ZQW7U*VNAA<6XlLD0W7Jepk;_y^7Up7^%qRh6fI+5Ll~WNb zH3|t7bDz$cs$hGrbtpV1BYD+GPILTBqEF2DeHck5q zP_@U?Tq^BOV>;JWs!_Iyie*|5M)|m`m%&DPSVF0~X{csKZlEw`I!y|iWmef&EQZGO@ zAeMw?moy8(xZ4}m)dW(Pimj@rj}d}1o7wWfqesK4oKDgLj(K&khSfV2S?ekSRh9ac z9x!P1)nauRcX{pKt^f0P{XhR6{U2RP5{PcLP0>%7(HM%tDh)t*Jy&K^LKuVfW=o#n;jP_$bBA>Y%&>8Lt5~RY=6*D#`1Ix^=P4Lk~1v%-2vb?5>TyQhgwiQV6>)E zYGZN2G_;9m#Wtan9xpXe%IwsOuvML2)NUKMI$o^S>4K2#7L!1PS`ayoi=|e2=sMl$ zzi5?FD{Q3gUX=^TAl)xm8Gd4uYN@aJW6sFts!VQD6`~Yb%Qg{UM3oClxyT8G81z&z z!$S!&0g*jihaq7C=7xR%6FLrs<%Bji8ye}?G2Njt!>sm|UWWh%LfsVg-2Y+kzM~zd zu7=?ckWe%PhTeOq0wk+z2t~FmTaqnVmMu$WAjnp+Ey;2(q7y<7odH5GLx<4YKnT5e z2pxt_=%G#^z-Qhpp65*{9|J5H-rT*`oj+#H+@&j>v*mMs_w0={u!iKqtU5`zd6*!F 
znHcCcU{-WMxRc3PWs%53!(>~t(TFRCQCjt(jLLvj0Gv83G=)J^7&L`JQy4UbLH}<@ zj3#3XrTxHu!H{MTD?v8-245bcAK;P>j(YznnM%Bwj0e_WQRxzs;6$;LYDsHr{Hya z{#tnl^R(0d-aZwbx5nac#YJjTKx5cci8v!^)FoJbrV1Fu;Z3GX0eM_`1@v8 z-OkV_UB1MF%b>qLE4TF{SDwDXVKV*hjiPeR^=EA~op#l6##&9)8dzpRRJ@70kw)KatyT+9K26-tYK((>H~S@<(s6>E&-fJ^i5# z@3`XbQ>?+Z+I_35-KEf3yd|Cdf)6us(>6R#Ps+q&ZQQ#LvGjrrjkAMJDa z8KpaS7`%4Dd8^#>n7c=R)9W_h{k8TgPo2Es59B|yj(Fw6@E@1{Eq7w){B17!lQZy#KO$=QYllzr!}2HFrAYqRXsHZk+zt<*(W3FhtWwm$9lwKqBX{pk-}cIC7CFG)N- zW7>4)s@A$&om#HCzd567pR{Y~w%h*j*jDpi+v~Avc;Z^q|JfKE_N#w@pBz7HkC)C` zZ{zH$C$IkTv#UqnH2?pV{};agKg87e&mSeei~od*Wy)W(mR)%L2gydsST@RjzA1-) zd;j^$`fvH4pZ^$eHd4k?L7A*y`33c#Z@+G36gJ<)Qdr%`6sa!^^#E%F%^V4HINpX- zdIUFm^%O{gm6Y5J%vQRB)CG(wAgUty^-`zLNVT}$=%$c#n(qHn}y4@lCu)Etu| zHl1juTv&nSVupwUFRk#|R3{MyxkimDbZSvtmkQ~u2%56uW!2X?dlkmd8eLZ^^OvQ1BGwyO+)z%|`P zDJN&?euW&qNR$dJ`78-M7M~I>zeNf{J0(mas}x7 z_W$V>k(4l5n6f!L#kVtUCJ=N z6u=BhP~gP8oHVTBvaaNN2!q6U-r$0YKg_}m3??;!O9<7;N)M6EvRWU6gH)_TTYg@! zT%h2%*--5?`mvy9q!~_zjatu-*#eg;BwKMduGX`DSLdjBL#C3jkwihx%I7jkq}T9~ z90TCdxP-f++;l{xm7vm{48&Jy9vKh&V_J#T@N%+J?IA%lfX7{4B8)!5OZm_&WyE1l zNihJOOf(~$&3I0$EeJ*1c4C^^H@Ix1HE4w(Y}w{5uG~*0M8n7XEoT%HDFUV{dLvtG zBVB;Py2BAA40r~_5?VTwB{;YheB-+H|IdHEs{c>mB=G#y8K5ux2mbl_&jP(}{?~sN zr2d;=HM?yAOcjYb01uHgRLX#rQd4pAc}(k8IY`Cm9Fb!O`E0_jVlf4*#rp|05zje( zve}RYJgBs4LCCp`0u-q#h*2WOigj1iYmK(#gg%!TGda4dGJ|?09?=|8L##lrG9y0W z#ejYWkaUtIVZO4MK zn9gxzSrp@4S48L`qHBg)0qT`Z)vai;Mk<}e1SaN#%>YaBU0F^=9EgJGK+^CUV|DAQ z6j{AylH@uLsVOjArQ)uk0j!zM7m6ldfh;s1$xfbZll3Is=wfN6mC9@Bz;@M=R8s>~ zY06Zu7@<`|klZmC7jqQ}0T?3=QwXzf2;C_~W zEBB&t>3&M-`%MiI$ATfHw=hSRo;$5iJz6~Z%B&vw<_eW6i+Hf_meQ5Z8tr}Ag}WE0 zn*DD%?qM-x4Wmu`3Xr)3eq!F50NqdKH1_1K1xVowNWqLAT26p0udcu=ffwN&0a9+P zVM=MD1=r`CgexDT7HAj1@rQHrT@BXZkxsYNj0*T<*YLbKDz>eO>f&m*FIwhbzZlntyANQa$NR{8 z9BjK;pJw1<|LHksL-(A|@;r85ZS&=rwYiI}<<6a>aTEB8N;?^LA$nUuv z)#SOn;tjn4AC3$x-4~ug_RqZM5d4tk@>TOwKM#p7)xxEbx zca%FCIE?8s+E;qwzw6`?xI`j&_cR{~6dd%S5w~~*DW}%-m0T+1UJUNpc z7ol3F_ml}AQPV;+Xirl78n0QP!gMb|cFlI5P!)mkXijwPGzyaZl 
z)JgQhPed1R_yiqgi7_b}lY_#MvhCg>_1tk^x^75O<94YPQe$^G86!O)+v&Gvw|#i! zW^;Q!1lF~RU$jrZc}}mXaphXG@7VMA3rGV54t@d{KPHX=#dp9Ml&NA1$t^GxC{3R*DeL0`l?(^B2Bg@-7zCiM(K-}-99aAkDxUv#nNopW zhh+R)IFFeW{050-lPfV)#3XFbk|ktzcacWCp3GF9%M}axo3ApbMh@R6K#42d*N?I9 zsVsSzRk%-zLcbch;uQ88QmAadw=M3kX}HlQc2rU)EV{}{zTSM~T|(o24^t$*M~0>^ZKCVK5G?iQmpczg=j{|5B6A;!g-d z6YvB^zsJYNwI`r4ZPSYuDb&H7S0+n*8x~e17%e{EpIYFfrApRu7vJfs5zl?=u@&z@ z^b9W=*DuScx8*|Asnf6+wPBNrq$RHHh-k^z2~9ap{y4u94G)j#P{Sgtj|?%{&xa!N_VJo1Ok6Ojq~X4J%O@TOEBI!u%JlDrTVS^loNfmi*Ebt(AwOIIa;hP=Z?_AS-&c2#0Y7q}VDwL`k@r3RauRtb^SzoK3; z@5lGOmfIp|1PX%F$%Hief>Yv|YY$-tFUaRHt-=K}ya7`31igN4GP+&;Z^KcqDBoWrW0M&0V2N1#e<2<4zXffph1;3#)tTUY|67B z5zTrNjp3#zX=8=iQqSv}Wa!t4Tx$sC3H1Sj71V-M0Rz^O6Vk;sv2tanahVa0vi+x{ zF1Wi9+OxMis_ob-zY*BkC?rA=2D3LF(J#UvKE0z2W#gt$Po@92e58m*lFtUs0dC4Z zdk9FnF9Zm1n@{NB{D4RhQNyE{VgNXx5QZ2qk6ZvmvH#8|-_TD1<3wk@KGIhl8q`&2yjqU<&H8Q$$DTOrOvOU`=)FezN28_Uqw*z(jU@`%&kjuk+f( zjH5L%b{A?K9p3Pa|Ib`No^(`fCZ`?&YFE z_6HBcldhg;McXPFk9Z%9#r5WOt3gap^$Tjl2r)2JkCo2;34z7THr#7%mVuV<{kAcQ zA=720`nsio!b&EybCb%9Yz?IAygdeprO9I}z5da61%9yDvf;3Hc2BT&Z%d>2Uvn+s z>|Q|c3doWK1Z2L@e~C20buCR#0p$PI>nEv0j32I<4eU72!22h8yWu*>tC^T^TGewyMYUVAgHY9vR?c(vT z+YWx(^Hrr7(4Dh*f%Vg|lHf2I3NCd3Dsrv@o>i*?GN~@Cn5cVC=^0M`w()NvHIzezmC9Dr^`3r(lPLm`}<`` zwMalTw0wYizb@C0Enmo3r+>;^q;G!F{@00HEJx%5(^(47p}l+RFiTopF``oBqGH=a ztV}BsdJ|o~^mqVkH8d7`O^h(3iGSpY{$IjS>eK6E0hlV=(V{$1#Y2S?$)(g#no#nl z18mf!^)7`(r1Vqibp^&hSm*9}adHWRqX-saBx;iOzPX1JpZ0z(>6enlqU+2MA$Se4 zf8mwRH6bXBSyt`+qemuPI>JiB#L_Oc0%=`E+jj>FxIw7pgT|GTWt>OUOE!uU8}*7v zv)MJ#*!8Mgc!~-$LO#ccH&0s&m=pxpAgi_nRdj905D0oj>h<&T@Q+vwumi>vvPTI6 z3JDPRMPTd~mKYf@UlVn9@Uj;@|4gF{l}g{}6B{F$`+~fYNNi^rE z4O}~Zg?xHV1N6VN!iOA4$z`&Dul)eSZ;nzUcX<-{Cf7)K3@~oNm->G5sDj2ns+I+@ z2Uu}g-AJMYJ%SVx<1;yI8oDdfB}KFb!=I*xqYM4AOvfHk`Q)t$;OhJ5-U)gV7FtTG zUTH%njd3cD42z;zR8GSviNNJ$W#sH0%B0iRP)`~!?^TX~97`Dq_j3rarCIT7xk#a9 z6#g75jv7_VKZ}kmV)(~D$I_e=v`B8YcpX}`=_K_b^1%EIm?4GUdr>WPMOaY5+|lGA zhGwph^V>L{tcUaglAt zi{^j(tjbE2l5_;>wIpwh#!CXjOf6{%V*enETZ8Y(f4kD>FnKi2W;Gt2Kep)VLRm`( 
zQ&WWN+V6O#jwG*g#py%R;^N^6kYDFCydsU%4s=P_wF<#gno-E%OLs#C920wN+b#*Y zMQ@5kc%&51)wu1ssF7XuLxhSf2!q54v2eyj5*DH$d)53;OtQaZQbo(<-S650<}}sy zm%2b)FC=j@VvmP7IfQJ^!_?=an!QPZTdF}_ z;qz0(Cq4eF(T>J-t(qxq63}YLHuv|8lc$QiW`;8==Urc62Zr#*rEC{LD!S%`2zJ;mSU#13Cr^u2Cde9Hbz&it2p4ob?t?<`eJ*f8`9H$|JbqV zHJ-#1TB76HU-OgC<@PTPU6;bgR!KMjlg<^0Z#&KVmDe{CW8G+cop8U}#Q*U?sXcy{L0+d^VsXV zIe}aLdSnvsNo{q%?)&t-cK_&%qJNvzoYv#FT)s?Rf9>13jnbXM1@=uKUOcUD*Nth+ zdaiqWTzcZrvS=Dyts!nOmSnb?e6Gu_67zlP{8+I_+v38>8c&s~WUXqv+s60S2M5ND zTiBw}ucr&Ve;()XKQt<3yS>-WNu8P2ROfp)zx;Yq$e7}@p#6{sBC{i@!W9y7nRa;do;mQlLGkqXZhR- z^pncg$g;*SuWp_Exw{MSI!Y_4YMUbo$@U)IdfxQD=a>Wn4uLr@ABeAHz_320Pk>M2 z%g?WQGe^6KkMzm0pk+WUZN*MbLKLd|Y|9hDDa|`D5#aN+A5GSbnW0S`PiKs=07!(q z&EedtU4&W<`CU&>Q`ZgdYgeZ67_q7>FRB1}KEL$`XEhSxF%NlFc41DH9Z`6fvodQs%S6LJnfBX;VP|?r=t?-r(&_9D2*(=#lt^F0Q^zh zSH_9Iw_(Z}BC0jO5st?OVauR1K#e1(CF{>e4T3kJ?)QMeA%H3<#z|6PD36#FHtJ1v zX$Yl6kioE+U#(`V7i`~U?I{7C7=lG>SY)BPQO2?am0wZG>oGKeQO4xEPv0@; zZZ@!HRG>O!#~KomOtI3a>&p1Hg4!90NHoi|#a*8=3Cr$s)|1K8%1ZBn1u*px`h1#Pm9;Cry3(>P(9jP5RLzpl0 zRLz8c{v=puVec&3uXrVOiweR{pL89b(Crg_rGiF-rLu*&3I!g$J#cp!L6#0jhJiv} zls%L>j8PP&ULPB4o2oA@H)fIR4?ZRCOoo?KR2keb;}Q{C?MOlyXSsKc9(M@;w#Y>V zFxe1`E@8Ih3909X;NbXJ0Pdmvl>iurUJ8s^qA*FYiO7dTl`N*Ru*s%K#f(PifZEtm zlCVgn#g4OHw@x!>>*U=-l3f*lwS`1J#xPvxQ_`xQ!tOkwREFh&UP29&!P~F zN#kTs!*ON?nl#5}3mZeTgzx2!~4ri<*>2B;ebrWFl9UX|jH|c|pMxAW=FAfcs&(a20I9 zN?}#3UV`|wzx2nMNNE-O+h=5|DlJcO3GW()4#9P?hd1-)!^jv&Z{GrA$k3d{Q^c2m z2KR(Z&lI4a;p5ox=v5MEP*79z_@wd=e6*Olma8CPR4%&?O;~}te2l#0&4?r^3ap%U z6jq^PY|OOn_@szahoVe&oZt{i8<(++7^w~d$`q;qJ?K!nF?I5uJ+Liq(?N$KN;o(g zBEhrISfdH+FEJLYmUch3sJgmbG@Tmu7f#Ksl9-H@4c;Ue zanQka<$fxI&xJ!x;IO$X4^8spvX4g4rMPP~!U^`+ZU5fwaMX$VUq8F!ntH-s!$P>-g z@T>MjmWR)&&S^EBB6D1DlA|fAIfvyl5BdrH;2|B5_B4?Z^^4wyzDvt9p?O8y*4gDK zk|cWVsQ)aE#>eUAEX8w$I)~SNvX5fW1vo;}je^h!c$~m!bu$?O@4-Dwj<^T)v7h(SaDake^Y52Omi%~E4P)B7eGRo}umHaO zv@ZTtn|Zn~r{URm`uanSnU@8V?T?!sS$y?}vt1Sff`^FL6PEcJb=O-&Jrn*-K!sV3 z=2aD0a{K*(o_GD(CP$X0w#^#9Sz=pfEfMMPsmQX{!R+x=+fl7XM`r@B@fNXJrl#iE 
znVIGYgX^iKt=_oZdRCMBc@UqT*53dJ$XJ1ES_a0x^A}HI??;rT7O?zl10WaOsgMGlBDn-|5+ej z-rj94usjyXYQHM3ub;)P+jxFFF}kj1@NCs(-fi4h_`JXYi#!tpTm;UNSrFITo&S1W za$QKhU#flDEla+~ob!Fi+ynJqfhA8l49~!{aiD;#7X~m+Wz@C1m~&S6LO?MwsE86v zqVoB28u&+V6?lAnBGAg)rW{6>Kj;50XD{?o0wQE?uiS8cWL)^rehTZGB&uaN{8Op2 zr8Q1g(!dYpJxpC%l-V@QR;m~!&%emk`!D>eL3~O+@^XOtqA_7JIs>?>|BaFc=?P_% zWF%euZ-!Fz1d-&(-%Rm8LXtD-9x99q%L(l>8Ko>lF6<|ZkFd-mW$aaa`?_2TlFt-{ z#WCF*N!Z6l7|;_mHQE@JHHE}M>ZD1Z*4tzMg`66)s+L*p)ZJoEQxyrL#inYe4`t$G zu|LqK9b?uc=X3wWC3}$b(jT6%^NX2)Gub$xg_JWG6$CsZrT6?Yp zqMH;LMIy$f7 zoGERgEyyZ7)RYNORuJ?=ot5>EWQSd_f}U3ixEx81OB;QC3hfW{Q~aY`ky+~EoQL6o z(#xo=h=^CFutyz6JM4txm5DBFxl@?opT%E6=N15CU>_p9?)j>UFx*Q9b3)?|{v%z3HX@UN<)g zegYPVS!#6zRHnfBF|XlIv=s<5%IReJ;S)@9uHV6nR4yEOnNkZ6(}gs#;P-@O=pM9N zlH(Jt+V@N~GN+3C60_WdF1z7T@xNK<$k2@O>c`1c=8RA2e-{Iw6*6*z@b`m_KVe1|{m_vZl7AeezA z&(q7RF%Wm4Gc<-`9p|d*+-4?_G&zGbc-mNylEpzc7BtZ0ai*KskBtT-L@rcp+cZe9 z#=}zW@uHl0V8+ZzOvHr)HsyJ$7rG+>!X$xz_=bX?4yft|$Wa#y<2Rk4jcbk`H0iHr zJ#xnG4EwKp$$D?GlbTD7SLAJBrN!vNf6R*aIaS~ilH`oD2U(23#wEH6ERPTz`*AsInR&DTMHm$ZrPy;Pkw!^`?Zs`yY!ePc8i zE#c8VlR#UdB@4n;S$19>fWXK#d(pTPj`M@9a|t^gQ|8bySOJJ8bs%xu3q&xlFUHMlgp%ItY3dEdCX z`e@3r{j$gRm}P#(jBvHxIv-S8erN6I59|MJw$V-Oc?ccSaKE9pl)(ewJXfRPZRfvT z>sz;OSadn5pcpG5cp2lGv5RW*P$K}V%&`O34&?}F2smGRxEf~{b{=rCh+pWzp4)KW zhq2HzOj;Zeyd3K-Y3xP{5bz#{vf+f_cOIhP@Y8O2>Q{G+!d+jvB)IpQR_NJRKCP=w zr@PN5-5(RMydUC0`&_H?8C0kmL?9%f%d0}>VL!Qs-*UgTBidABZ5}d5-m*G9O>B?w-!EU8QcBH4Gau9hJJOkM?#oefmZ7 zuiH-UplLwwnVtKz^7TAf;N|>nz51@QX@Pr$b6Qo!^4X}RX+TAl3c{CuhB z?QOM8%aK7ZZDqyd<)tfPD!Pa3{Nhoy`>xLDNz3?X3&%TI^QsBjLGI%*IVR-$6=T(% zuUDdd|H7lD4v^k@VRD(2r0I4XpS@gM@?Ny<>BMe0l^U@IRwx~j-Tn8rdGF13W#Jo< zqW-3+FulsIJ}%CBc2Uj^6%X=P{p&!!?vp+NmEQ!FTj(HmE2_%umU*AMe6 zy^-_ihVWGuB1E{o6h;t(&ro}R2FpkTR6cBq)h?My5}+VmxyL&=8V%|?Xb7`t zsGN@sg`lu(v9G)U8ZOLKesE(I`OkP0%p|Q|Y4*YQnWteOz@=h3G&$^o$ zc9DN^(pNRydg2PH8l*hfXZp?dw6NUpw2r||p3sAgUZ|{2u`u+Hm-I^9syQVYJDuu+ zOG62cv#IjfS(x^?QBdXb6&Gi&N^LfUnQ=AMpy-5Mm?ZJ^pi?_^u(i*hI_qwJJH-MI 
z2YK10J-?dBV9B&65mbYnJ^3a-!b*gF7Y5ZDQhjbVYV60}VGo}jE^w?GSQ6)*HyOV3 zLZ!ze<9vuR-Tdm~DAw|(voGU9P<*9^`o+W*>Y|x;g5>Zt(*ceO%zYHTNt*)Mb(}#h zs%Dnq(9tPzrf-O35V@$}mbB<6A&7{&aV&GaTgr*ppfMz3aeTep5GSd#&K%=yNHl;&Qo>b0ugDD_D>spiu1`H*4XYl@nH7b+0tejF!kp+CD*NO7%LA0QiFnp%Kti| zUk=9~VsAQFb{X_B(MiMp6GMs?q^DC9DbJVW6CR@s;P*AIiwAcl>ztKFH6Sr=Z&F3b zAHpmO9n;8q4mM#<{)eNWXE`VdRTOVpZvo~sQ8|dkIc8w!SN#4!2y@?A z?EZ+tQ7U7q)5%7jnwW(j^$xjJ5vr_1J9uv%v||*=yvGAF?Tkm2j2&-~FjAGvG8k39 z4SG8hkNQ`TrVVznEYNU8iU^N{C-6-n)@(#YRSu07{hzC!aKz8DLh3n>r-(P(B-&%| zDBz%y-isW);YrOy&RFiN9PoA6!>$*A9{A2pJ5C~)|y>Ef}jB zY1M3dCx!)oZz2_#Rt(xCLz!&w*lgL9Ih#tekZz9}{%0kYhIPGiAUHnhLlBAV|GR{>WAjP$^*#f-cf8AfTO zGdySoAhq~+ z(*L)-F@$2u#DBBPgT+rkpU9Vb;K%LUrOn&eCv;jQByX_H@K_5MP~Po=Ra$g8u9io@csoi#o$b5bC4$?~DygO1M$jRo2@qX$( zgSqXy!QXYbZ!4KfbzFU85MZ1Bu_VZ#J`VVtE9u%SR0I0Bn3PGKx&|()*`;LIALdN) zn>am&Xjn}_E;D$Ha_vagXs|4`0p8~fY{fUV2tH1N)s{UT^Y3epv$<>r@R|XhS({JU z6Dk}&`W?TsVO2Hw?r*3$=-o%t)IQ(#XW zC#u2m3GJSj{D`WA)c_w*0hi@V0mg6X(&SW6Lr!$Jk?s3;*G1S8s`W4ZWL$CWX9^T>7tnPA(vGo4fJ$2Rtk)n2N%e+5TFs)Jb zHJzb5N6n$rv=}_En%yXkK{CR%Wsb(e|Co54~q5~odGE6sGgt9&scKud88l|yR6e;Rwx`AOrU(x9% z6Co!ZwSwY=6LC(B(y49|>nG9!TY7?$%EWVicBLU};j4p^Ioa7?d0PbLpsN-A$wu8I z>D)51e^AJ2Zb>P4wS%b2Osml1pr@=(_k(EDvtt^Eg5F{Wl%%ANz} z=mjhn0qx`c6)|OyeER3YFXoh^4tI5_M?NfOogdbsFw~Ij84ls0jebUGZ(?of^zl)N zYOp+&uk9y15Qxxq8at&ea$(QbN_^5;7`^##@FE2$G~h$p{`vDC^B-LfMz5 zmvJM;_OxUj`@nj;hajY^Ug@fQ=s+lw4j~ou zV{YOxG#26lHF!cEd^pnlyT4K5{iZ!Q;@&^e6n~p72!$qROqzoiMWP>64%``${zjX3 zlcI3sHhZ8>R;2+`VCkpsq}3e#p}@lh182_})4n|dK*_nr`ib(rXTB`fE$Aj6`f|O* z`XT_nuJH{7eNVm@{{gKU^gjWxx3i2~{kQOpXKykMsq$5YE3WQZ&z?6RDYp(RSO_f6 zEg48cM1&$j!9Qx{V%s$-Q$~IMrm`}{ghlWYs=sn#v^Y@oX!}ddfo?uJxQ1xryDYZCUyA>sZD|PRZPPY(3wWiNbHHM_qC!$WCctK%b z;34VHOQMhZjlXdgI0MqZ^8>bz99lRko(vh%x6TU5w%%f^!P+l-BNd5-J53Uf#Z9PU zZ!&pD7QNv)iU*;5KbXhwyv~Lo! 
zIA$SjrUVY6c&l8YP^DazpFdcid-#fOc;BkkK*z7qIKIe4FGZ~TyXjl|H0Vlc%ZPZI!5SM_iDeHUHFfFIRRybw636NU^W%B5wd1c~*p z*?ODTlEN;EJk2Pj?P7ui{2iM#4u^<&{1ruxd$_vqQ&G3Zyi-D&LpIg%|CQJ4sOf2{ zZ@!u3@qJrB@_Xi`_vZLK`(~M0!A2Ni^G#uziPh;d8vBrmAj*(D2LJZtLd@4`9x= z>*l8mom&mS2H^6r<9Wf&FeQ-#w&SW-2lM;IDRE((0W&W}DjaZ3ix3BHDXp`umTx68;z1DfYm3wl$R>+R>RCm{X4f6CIEGoahP zM-ONUY@_#4jAtn9*t0KJRpT;3eVyfEao@g*lVe}mQ0FmERWUzA zg2;RG)X~hT32b^FUA^9R8?%JYX#<>M9ACQtUvcQ3g-nNeXu4bWENHTuA4BBYw%(or zt#Ga%uPo1Lo>$jPnePXh7@N;)%u;%751%DAPjAE-+g)?_UT>o^YOyKxi*_TfS+2=z zo^Mo$H7l2Z`46Dlm)^-)&wp5#xbNmGN1wo-l+LAc-6Rumr~S)B~rd zX8|{3%LlrxMrn`e3xJL93vaE)a{{cI^F)*Ih>I8A4-p5eVuNUUIAt!gL%#YSWcA&l zMcgtu%LWond3n>RK~DWLc64+sm1tg5bZBsG?OW`~x%r6N?((H>vf6&PLKVi%1*ycP z5L=2?(h;vJvQ>}>JOYAn_BE<=jAa6Wf)yDum@-rpATk@K;#jd1S@q^AP-46VXee%B zvY`lV>&6YzlUK;xR4E&=XPhE!X>=HzB6p+AV(;;mU?Q{_{m$rCO|yR>y;ts-arG1* zqc@2rT})T9X`6q+qqdOIjnLSQRlwp3M~MYu6*$P#gHbQ~ESB=LgP6RfiB*ss8KPe$ zb~&IK|E|bRmM8nZUPKObBuvwg_fx;k{8Xl?Mt;LIf%nx<+IYUtDO?SFuU(Tr3$FUf znU{k*FFf+d*YW!YwkCS6S4cu3ujDV}U#Rn36azbn^MCyzk;?acl~5E1#t0et#C#ox zKrAGy6lFr-x!3zAit_hL$hT|%^$N{Kimpm5mpP!=nAT%fJm}OS8Yj^4)Bng5PAW95 zt~4y;olri^lUh(3U^bDXx8TG9b;uwE6t1|31Jfr}&o(G=b!ibfqH0!Mks*qHbWg{oZ= zZJwDz(T47f3~=&hOC&mWvRt?VtnM1jsRGiDo*w}|#C2o81PrM(n49wT!WDh>jaw~> zW#fxPtEU1qbxsZ*Sp%0dgu_l7AL1ceH244Xu@>mrP>|x&L>@9Gl^|4eQDQLm5}a7K zEmAdzwR~@#v=e61aIKjn#;!Ryg-?$316j)bYQ|v((8t}7g@zjypyr3*_r*E&Lv+!s zkLE}usrYlw^LBn>qBoSYsY>uZ)S<4LoPp*Ql*22Ier+XGA?(a~ao2yD?rQ~!j8gm&B z;I;J#Uz!*cuJjvMsQH!AiE{eyN6@<}Y;P2?B{!s3;qbgyBHhF97EDd+m?d%oKFs>8 zi$bVqKX^{q^0Fu=T}gP8rXw@AjVg3!253SVG>c?jISJL>^e_ZPKF>_KVvF*n(GLDi zagRst=GZsSVd~dLCQ!n9BqX?H=RSt-Ba>sfRW94d;cc=6 zapK~-%5IPZ^W}o=ov-cC4XJZuWJ!m3fB(4Vc!Oa_Wgrx!(eTLPgP^H zC1p|8=g4TMh66qNZRk<_Q}F8-&!6{AAA)bwY!;47yA8)t3aQD}*Fm@q6;@<<=Hw02$tM;^?`*AFPNr+HSay=SUjwFldS0KqjcOhSpnV+r zTqj9lcz~Ha_}yS`$Wxi_gDM5Cd3O>+1*(>|&-48(t}S^v=ubSC9R!Qh0PDCmEnE+{ z&Ot=Kb<2irKBAS+R?BhMPx~gL6z#Wey)2*ipdOCQMfOa*%bqcf5&Y*Y5jD-jXaQRf zOvQF-!fo%{uB#`4k1ve%Ydwx$jH@>DxRXw3xs8((ju-*&r;p>loa+~(z1Z6UIXp!H 
zM%QsA487+&?2>Hzsl4;f*DNJ=AHykjo+%H=^qVqUB`##yqAj% ze4Ov#DQ{2hhIbjBo|~n;lAII0j{f(U4ZCG#!B5kdNcWnobKJR%&T6Q0!6G4dyj{I0 zpxi!?!w$&dME(W9yPSBDi^SslTyF+y@$VTq_8D$GkN}6C0l&U>Uj?#kbAU7R6UBX} zha~g3-Ugo|I+(z+rHxZh3MCUNs`Y4jQQy=hPxY8RFAnOKGx;f}IMcBo?VR74b44za zqrI~0e&v#4vUTYpZ0bwqE{?*?G%cHq!Jy``7HkcJh2_I}N&yGhfiPgZ2#%1{5sib! znK(2GTzN~P7{&dVe;@Ne zjq0;wLc;e-lbW%PvBTE|C9#SaXN zAh$WhHy?bd`}AQacOQl08vhlpUO~_y1&#QsOkphMQ$fq(#ZhEkAyo~-UMJR{+APT` zS$FG&Up8Wj{jH6INiQeY_a+e>z|3jnYvqQBHN2+D1}5b7p{!RvSzN9Omep@UiIlf8 zz!Ap9(I9OaRjJm~X+ju0tP!hPqg9yBWZPA1_%AZAg9W1*YUApsLPB;=La5R@!LnAJIqR{UUJbx3XN|23auR}>&kfeXECU1Gu`7_q)-$k`*@Nup2CdK z7&F2TCB?~=oX`PS(h96>$vSDjk*0P-1K3}K7A(y3K6o>C!YaOReZA)6LJgydlp0c) zHUm{*%*Fw#Vd9oBB?8oDT?%wh=d$1NQ;M1kWh=V0p#HE_cukm;B>DB)JVMtz$(u4W6zI>DS&WYII^QIQz+`y!c+Xri z#i7(DOSpn*j!NmL4%$(*;L<#V!Y9In+7C{D|G}&yrdbZN0fW$Vsn+&W7`3urlq?gE zRtbx3fH>k&#(-&O&0G-2!mfAZg*p#n{o{bmhf3kG8s190IRPTdU8YZsZ^oPiIR3Kz z&H@2ue{OSwk{gewBRt-(nR6fZlg8J_^+Lc_X>yF(Vb4y(z!-C%nYW5EW-q|@YcJ&S zR&0S}SScw$SydQ`79KB$bFI*`DJe!@Art2ouMJpX=Cx9l+M|uFuoEZDq?R6L(3^|O zH0z=SK*Zyo`H2fHQWho@cyYza1!$;;WTMJ5-Ld@)=bj{wD*2~NWr}S-X`N!MVLaa! 
z76DJK%VZSoU{aGpxVVP-D^4Nwc}x^^>S%!4w*YVA=r>o&L6l@Mc35h!@M&$os{LlO zAzKJJD;CLId2#@uA4o_!oX2Od;t%4o(|U;9xJJ3VxD3mBWBw3Lksgw#F|jJVw$MB* zsv7x4TK)iYnXc1EhvvDnrJ#HfM(`fW$py$s_1Q?Y|0zI!s3Krb3h<-lD`59!`yCN> z`T}_0#A-Jdf%3eU(Z&W<9Ih-ms^0+2O89yu8M>q7zVi*=4D* ze!u5fe$`(^NDheBxP3%$dA$_ci8)>wI>v74zPrV(beT4pwyI%Ek@(b&>k_W|xQy`SpEZ3g%pU&b6|(+;b7 zJ--gO)vk0VF8J^}-8W@7CTad!;<;Vab@-{J@#wUk3|L;iKESPxJh+=#dAx44=xVqM zJl0ztf8NF%dzJIz_@4u_?kZo(?!2J2Er4V`4Rgd1UnFZ~+b&DrDHbr_fMS7m2;;iZ(hwERm+ZOu+(_9Ce zY(BNmhC`dvU1#BRa5ntUV;wDN5qzCMWAO4n7aiAd+k6(saCg%HuV-E5!>SYyIUAR0 z9SjEg3$I)Ly)bd~m{p@P9zE}iX&#`(m^TKW%ZEw`~IMMo#Ck;2MX4j>I%I%`!(;iE8#Hb*p5 zi8hvKqS~2xiCRD_Qo>k8bab}EIoE0z|JQ_M0&iKzmAO<3RyU1QxM!ul!s#cLykR@s zLU`!AmI>p8bJTZraU5L;{2VcwGxOPF`kD5CPmKu?> z8`^iEO{QUw#O=m`u%w4|b3m;uY@b*D#pCJ}4lzhxz@F*jeAV0Rof4~ezdNs*9w7-KsHdWvXCTq;;%D^X4@?Vym%QB z2UCRi*n{Jnpf&ueFpI3$1x#$N>EAE{9@X$p8>&R%KQ}^BMCuHJBNQB`DE%Y1yA&%F zRMG11a8HRED7wSpJ+L)Qyi}WMYdP}EQ2PJ_fdwwdE_;KL^yv#|jlVzEqmL|osVdWAAQQ4j3S1Cp`CY6wVvd` zALOSD`>-Zqp=<`Nm|5afOsJ**uYj+QkXAHVW=Wj3&dkGpd!C1Y!vv$gOJOL1RAPbh!1uCjBDgW0S0=n7F%*$F=+f0>V#l{$8gs-+w`;z^Q#PiN zB05hf4-yliK%-6E$(VV7L*tBCFa2xtlAmmie4y}~uzWG)E`NHq_4v$ZMM1w*mzKlI zrR*%$N0)-yw0-c|3KL-@LoR_mo$uOopdJcd(O2P_!_FKBCS1XUzj~k^Tdx0^BA^{{ zR2GuIQ1-(y_)^rjYZsibE1Yv)CH#^lX7#*0f|N7Bc>J$~Cp~6KqzvnN=4}@4cG~~s zb$bh|G8+JX4p8te{yMg@$f*H(80lQs+6jKj<3W-pk<97sd=P_utiR;|Km_#wpU4Pk z76@_%+;@lP0Hlu2&$kHX9`8Pn(9Y+(*>4tnmp67YFXe4DzM}h4nY81)02z10_9eq> zidoxhAyiAJ_4ebMuxAkY$rlKElfqb0k=Z`C<|Kb|(Xk9S4!Z4Bt<~7_njIaAq;vH* zI)-boWIG9~>*+bP2hFhU9lf_+V+g}JwI(ivasbp-&O{)U10%$ zTX>-YfPRrJuknzSw~Iyb${SPNPS5k?x-L_lTj*22_o?X6d%#1aYz^OC%>FZ=-{Zae zrQk^M=bDZcNMMB%kXg+!g5g=iPvpUC-{vQro7Uj!)m?Piw$H`0=&Nf}MQN zL6gfd|9vlfM|EP)VQ~e9^XOx9$E#(N?+Z`KRr6N)eNMK|U{wjwrJe~MR=*DAwJ)$5*VXT`<0WBUrA z{?lRZf{ou>?-wvl&$?w25g%#mZ|3c8k@({?;QU}9=Q;!UQr5N0(eo-XL#$&P?c?U< z@<|LgVA|oj^~<b40C&@;+dFSLr{WAWhT2LS%$mSJkPm?k;N`kHFpx?8F9R*3r~=mA2eCgHcJWsz zEcgVMcUL&>S-@Es=S;QhsBVd-(iy=Rioy)xAlybBVWNbp!kWc$*YzZ@{EbkKyh4w#Tp*l?nOJ|b=7DZNBl6kg$_R44TO=x5Z1rb>c 
zf#~G;$cdk}b)+wqt9gEFG>&aSLW_Hb)tDH!nHD0=ar<=O)Ygaf9EO=cqA3_ws|eVI z`wMlO+r(_=q+lIcAxTaAP9G#_3SuAVE}nV8G@Qr_e$tvI$CwrC7yhzr%U>dFA){S{ zt}qr3(zIPZ93U}k3UEIGb*Pg-{K=mlXVAqLLF@_%n_Gga96oEvGv%cm2T;-QrikKg-c3w* z;1l|ZsAXD@Qh#OR8%vrsyF{}b*6VE(_mTX@(&wx_GdEDs^dqmmaD`ynzk1$3hzD$T z!qe^n-II?3@NAnOi+)&^K(6xbGz8ds<6ggM6X+koWj-YuNKiytxEi^cMIm$stDDL* z<|YH&IzL;Bc3U zdRGka1`8{R43Lh;ooZ929;Pd34H2?Eusg7iup(8PRS3i3j1^dWuIxF@?`ZBOhOh|H zwC3Q-2yi(i>`2M={9_9eU_cU2^ygp*myH&2h^`0{tJpjML2VEXi2Mm5;EF?UZ!fgJ z!w~MF0coQqt>GbKLLCTJVhOGrud^-4wpqCqlTgX(7&(aW!^g&B0IgD)ZPB+KG%{X}{<2{RsTyD}r`FM)H^X%2-4^hp1I=+AE!VwqUI%oDw6 zKmISVLiKQ+u!xFh7KO&uNNpNxnIVgYT^eF=9#nNkQfc-c7!k&hgNPVy9l!BV^1%;9 z)^~$`Ys8Zve92Lz3Z&+~G~OIs=yZqN|H|9;dM-Pt5BWFBrU88CT|535*0V|RngDD8 z^f4rbAYl6S^nqMpZ&Yu{A^xIpLV_3L@6+^wTF)!i(;lJBKq~LuNoXLg_Yn7K$o}+a z_NVH!%-2&&Vm72*ZfvJ#4`Ry*ks843_MUm`4C}2*R=4}Q#LK#ABGGB>oj5t7Da-X^ zrtJDTk!@Mv;N>IYSv99evGoe^IpK1t{jisZcyin1GP%;e^~CDErp5TVswrNd(yS*I zuz1FoU!za>R&kjPobm@`x*0izlA}4vw;L7&;xB7AKIgZ5`u5**I<^$Yif@|$!m`h= zZUeszwd}0BZ#FQ8b$G4Lm#@4%2TOc`A3i13tOEBj4uG@9ZHrTCQ^tGeqNkEU{Lsw1 zEu$A?PqijT=4?Js^9o|GYhu@NmGw)nRZu&i_tk|7mq^iZj;_~uR{6HaN7Z??ugw=0 zH8J6~_f*d)U?OL7`{W;Zgj@G@CMaLih&iTYH@oxCuZS`&G&(zoIhZXf7UTGV?m%kSkT-WM+41`Ks%Y@yzD!uxRIf|N8Tl@WGGAZ91Gv9TTr{~od+tTIUe_o^gxw+kaKhh>{x9`*AwZmq2`5u1% za1ofjaeSe3T;z(8@93@igx!Eu=Ig%yZJQ|Z?z%tMMhkSS0ra;YV*{TPme#*c&T2F+ zvCRnH&W5bgt(M%jT?emgyw9H@WV=pEQ}up^WxJ6y4D9Yom4`7t)eHf@v%mx{1a6L} zfN3!sX)i#RM&?}sP|D?xu@+lk3+#1kVnSl5M^VDt-q(HX6Tpden;$qTLK%^x%gW<} z1m6Z+f8fU+0zff#VNjsev7WrgqmOgs?iA8&j!Q>#R;!$&1t&+6q%zcX@zTrNRpEE| zCUOMGm|3GZmK8NASn5x3G6`mPyg9=)>9-L zZ0Xz+E>`4Fw1~VAp-zocOvr+FU}jH+h+=Z=@u#OCgpnDQ9_YQJ9dS zBiJ!kBwmy9r{jUWuxSSP*x4ANheT-Bn1XmjmvacjN8yS^?CWT*0LrDKrX}gCv)pMR z4R@Y{37^VyaXf@eB%1sm^!^#}b)uM1%B4Q@PF4zi{k4)g15hHC!Xf?FI`Lrk1aKW~ zBXYjf(l!^`zj0NjF$A1c*4h;XQpA$>{#NW>oSLA21oQ3cV3qreG>uzIa6RU^R(kP< zhiLT9@Y!RW$kUHjVYf?BElRWPm4EyF*>6^W9(J}F0SPeXYG+)zhSQv7#^A_y!nBO? 
z#subl?Frm%zsS$AI3?l&Uwgh1k$Zf;8WiRy^*+rEo&fZ4h8>}lq@p;W)*IIfo~-iJ zP(Khgo1yatWytMOII+HV-yuP>h6VsX`^m-^q2HJhI7#6KVK^{N-C>&H#h+ zA84gf8B%XvxPa~#2Fzfu{hqlR-dGXSs)AZ>w&~C-q98wY=^;bZz$TgIGvt~a>c(C0E}X|6 z3-fq{2*II%gNDY zl?RLxPCZGVTa%!z7!m8 z935>`pIO^}nnE5>L;$I&Kb?U9|H!XiUAwQ{WP?ahu@igN$|-3ww98J51%F5d+F1U} z6Nkh%LO;=?S%~e&R_Oprf;1-8YB|NDSR3gzZ6g12I!i7t`2QzwdaK`0Gl2Zl?C2x3 zrpRXt;QPaC`2FktD=`3tAxjt*=N;?|9GC?Z+y((k{ySy&@5cf4@c{Dd4X#hU?&l5j zTNnjCRcfid{2J_XJg>XI?f}Q_ZtvS2*7mrk;!3{vx@_h>=@bv&Urn{GSKYhN%3gV` zmd^8{F=@-H_BF-+ozu0B8Ec~k%l1WuJUX6P7vnkW@0|?J^y@0v@H#q&*(0-V1liQC zZ4eoFGv$~nu&4L66u%=~aqTfxeqV+4{h{Wo zn`{<15Qt~~g~Ao+(bekx0H2Nw#;UO=z)^B!|k^MLa z`aIP}vvHE-_4Iy{{CFyx^3%fia{EAFoMNiuGk!BhtKR+faB)3H*J*sR=0kt`xBSnO z(4Syxw(XZ2*mIG9ySJg^0Q@~X{P#umz#a7 zE6*6Ot$)D824ojoqQ4;Pq!$U2RR%$!IZrT`sfN96N7d*YNi3!ud~U z)$YfB@#D+)&{@Lq?4HF+Syi93^MKT`mM^kFBDC$>H5DsHpBJ0`=jD#~v5=0dZ#=N7 z)8hI6Omn~zKuQ1X{)?>vxV}8s9R<8`B&7wMe^4LMvN9>ME9Z}lVm}if6Tc$gU)~e@ zz7bf`5UUmIEn|HLo5Jr4)MY4+>MGvNTJtZ_LP6uD-Ek|XZ+QyK3_A$X9@=or@40f= zcs}MC;yCse48r{-K3bHSq)9Phnuv;z!+MCx!d(>{&3bugJ+33d5`Nrj-NKLCjeDwK z40d$n9NS9_VVLbonfJS|oJnmoWKxt>elb;=RB7UiL&HFgnx}{zP%>1Ws|cG$;-zf+ zRc#TTEeeaZT>Vb&ym1~JZ_*?-=I77Tm#B|dPpSkhk*^gFjhj*Hb;+t7vW7t4-=<7D zpL$0Y?3JfGwh-s9@yDfB?6)h`dY(~9MhTVe)T21d46bmpp)}l2kF6<{Q$wXuvG6g8 z!VXc{i}Wq`AJ#~%mIW#1%hdYYVI4-AzhVit}`wiX8B%)2_% zl}}VSdv5m}5U6nkqNJGCN#zmRqs50p!6>|Kt=5UM0wCa76LKB(0Xwcdki05XxV5xM zq)KQPQG?+>X>&ctibVJ&Twrk$wCl7in`ZZIS!YM~+?HfBka@tUkaUdE6OHy>T)Xh*g2? 
zdP)K~rcCmk>UOu#bhaE?H^`8n-Eik3W2@e_!6XHzR?&=eM2Dz zYj%`2QqFRwK}k$DbV|HMNqUq;2t~m}8{fXtJoDEyUAogoAsIq86I*?xT!(RDkOHao zg~~!MG~uP|-F&rJXP$Dj@a#Q9Q3nRLT6&@URLXV-6~&17jmdBryCb%F*u2UH5EBbS z^f}FmnG=|a!hB@5zA%Y`4d+5cR+xf9;~I4a7aDWCk|5{rzH8$R+D9=wfh(?HCPBCR zGCzv0&cCn>0+3IY2Gzz6`E;o*fMvy0>x5Qf>W{z zaeFF{-w#Xqc8k&vY3B>MSuD(?EXe#vAT=V3`(3#8sj3=r(h*tNJFwy~KFCEgCxpxtZx0ya-vu)tHFeAXhL26^*Qy^ER zReKSwUn8Qlx~ylKt4hny!~KyCTJT?aBc9D=kAE|LMSds)?y#K$^u*sgfsLu{j-hsb zz#Zut>eu7A2BbFqtwK$3l>~2FW;!#)6Sqyc?c%?S7XWDP1GNk1lxX|n7x96*^2yf5DocdwiNakCI{p#etr`?R4 zmSLh2q9?n%oICnh9S7j(xIo)^!SDsJv~$66ny}|}&#j8Qr}cJhjl1h`Gt#waAw%J(_ZHhpRDT-1eBvr&G3 zaQCmcq*{2ZV-%^On&0gfyb<2Zt$T{lb%S=fryJZQH|tb)zZ2#IuM~1dOML4i<4=y4 z@t09W_1mcUrHiZQ3B&`3Lueo|$2OFRHH~jS1v~bAKeOQK{Svo=a9OLK>%Ho7HIeyEZ67%Q0wk^m3Vm0j z>$BYg&&~CQ01Fn`e_p78nO}%cISKVU_91Hl1>Q5vR|2;{44{TRjt2t`{1@$}jyiDn zdnW!qWh}KQo~mo5A?!coK7-jpI_Jx<>rZLQTV+ze%c9b4+;43${Ho<_1j08MXR68cm}uLuC*U(V_Z1 zw8*a*X%tbSaPV{-s84tZQlO*@5=BxP%sKk*E;31f5@1yW4Om2+9W6EGP|*`g?PFLb zB6;ytd99f!yt1;dgHI*#{=wv)@BOaRtVYsbF6}!Qka{?GX3S`KFAeMqE4q!NXwlFl z2o4uYn-i1ZEP+|%mnu517Qh1OK(7VUaY<7^#7P$F)z!E%z_CSlQNDH#B4hUvPp?n$ zSL~TW6fR${jg%`M*O4(asvWcGK@lB`!&o*|zZCDY!FTj&VE(H_OkecdEL`qRb4_dN) zluql6wN%117D0EJj8L0S)v@Obf|gB${E*C`g{qu@YSUiZp)apY6HSiktDR#?l~UrC zAWwmBR&tOlJNO}O(&@}J+Fwv#;5Ms>NRu*1KpiTBOEIrR98^IYYlWM>W>+433g0+? 
zx^hZ(DVLl??Xg*!#0wcPeHSM$xhY|%C|C!=$!fufDhW%Ny5BiTkIpI%zyum#2d&)L ziBw*&nVKCTuH(#|I#XMi*umYK+$7Cvthut9wNq;7IzAGU zpi<=uB-9Ynh-jsieyv&KgnEOB>==h>CtAeo{o;xeFN6pXZj+#{<^x2Edp2O5JJpBT zSHI7ZKz<_W_YsJ~d{3z#powQ=`xBo?1I@!g<^JA>Vsm&__<%A~baRBYJVQyJ#_Y;6 zo~q)=G|%oOb7+Qah^+G2@DOwfC1WwLVPEP%@y&qJ{#CJGpqRMg=3qMMWn{rhrrK8+ z9+HAdM~a zSmes|2yh}Ywvswx`3Z=ba1c<0<(gEu$wQKTtYd}5&GeE;DcY?v2$H$%`+RIuZ2yyc zfes-Huve%zWT>hCplprP@6)LGy3@epPw0R8VZDL}@Rz_4Z}d-Sc@dJ#5T!EaYXSKS zX6?2oq9&^+!0yb~?FV{=&Cln*l>BYa0f~B}m!G|5p|)GCw;deLZEkvREbikQpJuCO zSKUS+O#QL8nlf8;9xoNw`Ci#i^G?!D(g2<_wB;=4<@oo#gV3Cf=kZiEzRQh;JTBnw zUvNDff^4bn#h&*99sWXo9?Sj1(!uE|G3#n-7^QCU=?U5L+kCU^>Enn}b zF)wSt>7U@kW1_DaWV1YJ9r~V!3Oy8PNUg;QL?T9lwfB1}w*_M0r*YY44lum?8Sb3m z`Nm;n_k5a%((5^zncsDr-_FM4Hd*cZ;VCpSnu#RkuHm@Gd1Ll@t|lo^!)_oIemx<2o`U!q*=c>MYl7)Es^tF2Ls^R)&;Y93f zGPUJqy9zA38ArTIwbi+Z{*&$V@~~XKxK%khf5x+y?`vpSQ+uQs%kWhaiPULVkR$MV z%b#QIv>~l-mqk3Y&d~Gu{IN*X_8BwS)38C~eQg}}- zFzIXdRRHPvd)!4mBE+NRp?INu0-$4C0$Xe+NZ)#q*6M&pp;LQ6)O`k=w~LNRacB=PqAP;u{#8tG8si><_o2u0 z^k0r!b@oc2FSO!6L^NW=|IM>eB<9JL`ru?67JFvev@E$S9Y|IHIs$Wb+uu$K=gVU9 zP_6`@RA|6>f>+1JYH2@5Cy}?CsA@j2@7s-C1UOpB2;!ZzHOF=V^SEa`>uAt@Bo6doR@DklJ zu}Z*|YZ8(a#4|OIoi?U$%qQ?4c~_R``%^4QL`t}eiVf5%Wj$Q%DV)AY)!=}pxe}y) zS}!E46aIr%#xzMwNOnqxn#QG&CjT35YrurD!u=(SKkVRx99q#yjwS|lyyH{biUacjXcZ=P_;xt^*tzssQH z3D$7qt5p#@>M3`I#&TY2>yuEHG~caSvA+LRXt|CftoWNABru;KnIrY@%x2Om$cN)n z(TY^1avuaw<*Y|DBio%?IdGJ*^c4mkfNq!pNeVf&0Q5c*Nc=A>4*V!-R5%7UKDrJy zkz!-`MPV)8Vi_HYySA0#sEopu2r&fjHD=&Yl9n2n-1HS19aQ)x6S?5fv3*lp;t`N7 zauKHRBrtfY15z|A-sQ^m_9hdBBok>{^5S-7s6)Zzt_S0?vv%R!v-li%j(%2q>gLf@ zB89wAD2eq4-l=q|vQtcTdGXBpm-#9iM`!E`1JSn|PR0JTz>F5_H|m)3Vg<{?6_ zH~2^VF{rdD_2ub#MKVwgXmk_x{{4UQoCZuXV*OnF3?+m2BW&)4?8%Xd1Mo1M43MX1vg;!=IwDW22h(ar;`J=M_ zlNiY*-y+|WY#wj@J&6Fz$pV4aYy~A3s)3IL07K1dkccq0fN{)28!0Wru94ve`+B`3H-;)`6(T)T>l8 za?RSk=S_HKC?YUKu5U^md?EsD4{ZOF`<~qISNBuwZF=HudwGukT7ZlA@eUT~0Tfa+ zegiGZWmWkMMPiB}Ax6d}vXNi2h%yLwAaRGjLjA+}W z<^XD6;O&6U@FyLi8yy)9-M-URX^%NNhwazf2OsuJXcb#ttFe0CmWLrnHr?rsDvi}m 
z(-zojSO4Tz_xhK})T&x%pSTE5yQg=C30;!{&jhw!DR--puQqz@N#HJOcTJclfev)f zw*^*u4-LPbJ@>{cwl-f9ue+1EXWtjEYBJv{ZkF&~Z!^|&8ZXLvm_N?U>?ZlWwwIAV z+*bpibDR`o*#^h*OkoxL+97@Ln{H^-9#1Nhdsr}YMOPAqqC{aacz%dxalia-p}O?szh5L zmYv|GZ9H<<+tc)xU1e9!!#IMQ`PtWS7V-4FGhcl*%&y=JESUNfsO zY3v`kRw*8^!YRQOOLlQubJ5?%VMSeWbESCm!Mg4YwD$k@RN2wzrV?aMo@hKHhhZ0O zO%gKd+Ne|_D7dTggW%&MF_Kz#C&xB!!ZZ1i5~%g6tIEtmJB1hhU@TqsRD$ak=Tu@> zg{)RIfN~nIyO8aS&W-Z)eewf!pO|YB@-pCT(1G12o0boc$P^&`Ic852Q(lgPK~;nx zzb?g6>PBt6hBZzKXXU5uhh80{7+=<=A>N6?-_C})de!;VMA0#@nINO>wzxg zf+)ThsZ&XOvoEwN46>GWw54An=heNFWIujYa<}Si#my?5-SW97@i-(WKoscwj{$pr z;-NgRIGrBGRGsLcukBr9oGcF|K;L)OWE=XhwQ z3x(?h!r3cy?J}-WtVAQRXRtq4A^H?GB3`Ki|He%~G1B0}vogL=@i_-Y*szc&Ipz%& zD)rL&*3dP|1{I}urj{Ra)RJdqdfr)Q}YTQP9A4`vaAEPe%Jc2?BTtf{7Juh8I8Fm(+y*OjCGq=i{PN=k1A7 zC0d=8Le$mvQAjdyNQ!w5UGf&FieqUKBF5~I{lIc5*U>L#v3^Md%H#wCr$2_@Cjgep zLvLeWY?u1qCq_qoSJ2QO*M)~`9Sh#);44|Wb_ z-hrA4IL)WQ+s``|)Z|xby73!a;|n=FAea+X5~j`L++;9H^v>tNrAAX&2{Q4`e9mXu zXkZ|jY#UK0KIT@XR4L0{7cosr8VZ-hvQGK?5O(cAp!?V)M|Nee4M%9Ot$~#fJ$;sJVU%8H$ zq#Cy?z#H!LdJ@CduAc6A&+gO^Fu(duZEe3EZ`bn%`|RqC*1QH+I|-XS$Uy;|e@x&CwF3ue}J zb0@PuyZfqksQ72s`f9GHSP+wodfcYRb-`rSbzd+$)}R^7u*v6ZdB%eTMVa^bU79jo1abphiuxc+cr4b(Rqf4&C1 zjfA?c7C4;aja#d+=XAc@y>JP%?JP%rlN?8YcDKb?V$$VR=c4nm;gDBGJ9WICrlt!6 z`m0V-R7TlN_pk4o?O(ayHQU{Go-AF#DS2*)>Rk{pr7QIeTFu59%@|3k%1`}6=JS5E$k=!vF`C%50+e<& z-A+FV9JW`ec>^*kratErYKZG^n?iM6-3`c}C7aXT- zeVu$VCk{r|WV&4>Zky?DUMIB3dq1iZnaFKi%<+_Twj6e8!}$ai!wtP5Pv@y^otb4U zqa`rBhjFAL~x z03<%_7zR98Skp}-=N;$7LLLgdf!z>K1)=;*B!E}dwQz$Q0+B3~nj|Up`>eAzH8M%+ zYwSiF)eL1_`^>xMMu=@3(yr!r0d0$0qx}>Of|B=_~f_d%>Q>K*{ zf$I^;^QQIua-IzJ*erj2ogqvbj-NwE%sr>I_JWaDz%F-QtmgX#-ANfZt9~t{EO%mo z#eCqrmXtVHZsLbK*Bjaoo7`s}WMTHs=r{1I-ug$ArXOya{T}74Xi+Ogk@>Z zP0KpELdM~EOI;CteRzhKOd4*{#bCG~e@7+E&|K4AMI!0vS}`snMA~F1v2a1Fl3`kO z|8=RNU<&$v41IeavPC?z7mR+Tv|O~uAIcW1leKXFh$>6&-0_n0oST(kz?oU{Wx$Zm zVulcLWCrjFn~=|obqd8WMQE`cTFgrElG&pfGV6=v(#(;h1wli0y*A~XJLY_RY!{Qotd{W!za}Aae|Fge?DvlR|tCnooC6USIp2NfCVw6=!Y>HDB 
zqGG~$5#Zegp4Kfjm<%%X8WCDdb@3eK@tXd$h(?v9bf$Ibc$^=$CFv|X#_hc3O`cg$ zAV?jsLIxFdp|L%Jzy^}XoflpTDo;!1=%(-V zA*P0EoyA`u_~}Z^Lk+LRw5k;SPx>0^UOxqhjauKCJ@L-i>M z7lIJ)`c13`7YJhPHzbHRh>^piEINK!p2b(>Mas*Jrm|E)%Ec>Y_z~bGBM>KpE?x|B z9|}XVl-u8l&j#bL=0v4UrM-||oXM3Y>#f4`;7BkE^^5d{y}WBIixV*V{R1n+%_Hgq zhQElP*barzSV9d^$Krh3RdCPs;bLT#VBxcu{H2*@==>MK*q@3GxYle$E5jmB z8Hf-{Fqz(WGbB7YFz*L~sN!Fc9)2LtMVHBvH)-2+`!dn%4#gMA;=1E=1pX&#F+#=ZEhu*K=3Hf?`jPjukWI{sZd4Y**-Z*CDmI?ro@tE*}_B__CJK zb#kf(`X5w*xElXa^f0G@8<)P7^Xg>E>*Mqwt4HZodhZ6h+~Gonka2^w>$d$2-wpq6 zLDR(cv+1>q*IjFa&P(#|Y46X&;g+qhm4dDA_rxq_z8&!lX1D3A527`ZXW&`U-M$;p zWTE@=&1hXqn$i}C#fT--<9{bQQ=s^LrH!w$gi?Y-~j)w0!kYJ$(UTRv=k zU$S4*dVQ)P(DRZCz16x)I&MAlv;Au%3$;<(0B|MM05WI3hnuv~!QuDj{==Rp5;jxVV3giqV&+o}_@&IefcE-&+TyP3~= zs+z#aPorVRSWojd_^%c15~Ch($J1-#WM9CN`Da@O;q!tXlC+<+wbR6KhpU`` z!QwN~SGV_i1M(B{udBSdwQVnltJ%k2L~V1;a@@_{TYvuVwZ-mxvpb0b0y!_NZgN;e z8ZnQh4VQycfxQWqMhTk36fK{N@87i;E5PH95kTCjN7xZpL0s!cz+KK;zzHBkLb~{8 zRjH^koMh5T0c?$W4oBZdaXr zMnzf_qs4WONE1cRg{apsM_S|fSJGOCNCs1qG`H%!c2#&6QGqzCicG&i8!Q`ag28#` z0cA-Z=yxJY!$_?jjE7|t{zPY}D-~108%1yEup`Yr4?T~8N%p%7#HDqYy_aK^!NAH! 
zri?0sRp*>TOOrFc#w21p3TXVsyD=NWn=?*hG29ji(@Onu0;A0&2LX9W1LafP{FfVHMMzQ1ox;Tl^R@SjsSFZ(_G)ZDED3v0TB62o!M`3k+L@dI(-;wz` z?AR)Imr{a=ngj|?`|%6<_S6P2Qpu4<^uq55B1ip7DfY<`pV!sEln3^~uLQIVV8>kG zcZSD~TP%=a#`WIqtAXSbFt8w+kt9S^GZ#J~m~YHeexEs?`)M589OmEa@SxD=CE6nu z)+Fqc5Z&OD?U-&<7Ztub!@?MV;Fk^_Z%r0~FG23yF4Z14=g2Z6w>lUhV7|C;08yzF z7FQ8qo$@rZm5XO8!av{mh&lk3N9V@kt|WRyc#`$dN|7(2jG;x_%2Z0V zLYIJ&2H~mbBg{&ZbT!fq1EVXw+YzUneT5mmRXfQ0DwXCooWHQ7SiwRtjwEA6w$88u z$q*+63J&k>li#ulmjbzeP{kQ1vrJ`){Smtea60|+{z{|(ntZlo z>#u#*qP#pxrPjR)V%++Q9{7u9MG6*X8$z_BFTAs=1eWS1Nq&dF_Cf~~JrvI)N7HhS zD7Yh-x>TvqbF-=?zN09SLpO=eu~9Mph*`6B_{+#5(xj2*{K&MsxTD>MTBj;`zOR5S zw=5eXXVm06Vn$0F`RLFyFlNLJDpRhh$?ga)h;&1-8`ZCyKz>GYUFsfBv%(qf`bL`k z*iTV??8V4LSv;s)o@(?{Fh(*YJOO5%|_c|#`L!q7KdL8Vn7NXs!pE^a<|0a%5#o zJNx_z^w|RfLavg*%zPM}YJ7a!n;l!J8PwxMZZ_@$TcGC`HjZfgf$%86^bW8c;gb!t z?x6I30b~PFV30^*0{TzXcD^a$TVm_~Jh$Np0T|&z2g}C-#~hCGwvMmBAmvg?z# z(LcLxxuf>oVTq?+-frW++}`nzO-Sjd(yiZGZ`UIKN z*styTkH7EgHO_tUr4Ki_`_)}9MXuR%rRSLC|9Wi~+jXVW(PQ3u_&)W;XOg1;s>9x?)rm!`bJyzZ zyVVKD{u#RXqg}5|ol$RWxoTXS^|SF0U-{thGVyqBx7y+4F#iLICyHVtJUwRl(9L1W8q~Mk1=lVQo-MBiS5}6Rl1tQcVW3A&6vlwZSIu}ZNQI5c zP?)}-Di~?ggkm;s6y1Vb)fij$Xf8|(#ndG1mRf-0dWi-O_>BygCMI3m=b65swevvM zP<*@8&8byd<;Z%nn(rD4Ar6vkH_w|{ctnyWnZ4-E+-OiI;cSwg_mP)Z& znrFIM2lEGmbWie`s*?0;#<(}Ji2iiGS5(#NQ3D6A2+}CU*-WRFFtcbi(1x8%)MvY{ z*KbBZ8ftM?rQOOPopd-v@qyYldVr9$fp%!8Mx}PeL&}3fA?euwop9^r7(%h8)KKh{ zr^BXSBmqlJt60C*%ein~DHb^{!%RF{Y=>r6>B>^C=a)UUY(c?TOUNyC=nV%QgA!0m zZwtN@r|Vq7Q?lb+HlbIIfu1R6D<+>z zbJ=d8AUh4^-(CN0oK0u!(G36jjQ>F2J^r&m+s*&wKZOP9|04{_Z7WqGZ6=@aa(dWg zQf`x?d5Dg2&2)r18i#FLX4TYi#3KC^6^)@G(RO+^lyYL7E|FoO$hcseZPpTwILR_X zR2rArc5Pz#sUAuufjl47n0$)Q$P)m>T&N1ijuG_T4%;&NjylXWHJk$Kcr-~ssZ>=f zK!gK3~7Ofv-&NwU@`p#8|>1`s%z3`cYpFGa0E+0LZ3oWYsxM19;V z6#$JUTm#EZL=phB>9=r)=^&e<$1)AldAW-rcwt=O1hLEj;|L@D$+*+Xqmy#LC0rtQ zaxCVWh4z1}{@XwBpMOvNw_Y3|0Pl0n0x{j+-xNa3>={(;F2c@}ztPa%wyT=7x3C7!mZ)D#+!o8Fp+eHwxqW zBw+$FAUJ6nfUvGwcL3L}gl#~q4U=g%bQv}SRDI~=s{xTxRJtLtmf& zoVEL*qXTdyB^;(@!Q_m!k)ADesq 
zx^wogSW7(C-n;ndRVV-WdY#_j#4E9FR>TfEEW7IVOJx6Cy6%o0;^W>syZVlB?G5UiFNncUf%is6C+m zeCsYxt$xe%TdjZOT^_x6utL23kIN@s{_~}GZf9oywY2i;m&|)->vc9?a=GI_+?hIH zxi#h;EIz!_VRwyo7<>R-^Yrp>i|M8Jq;IP|^KarmConI+dhh7DN3Xu{2g)KJEw=hn zr#)Yn*1cqV{=nmqBQNVcuw`$!!>J!;<_X~1Z0m{NEDtUB-Vu+Mkn5j7Uzv;8zj*(_ z_oKYE{FZAUwK4K4`F;}t@BN-r%D?s$zsjX2ExQSK(K`DayUX#}#A!R8{+F%pSbCPh zu7391J!jnk?DEH#ZaeZ98*P05z4`ZFQI2?Sb$i_{3)}VqeP!&whR}`+@qkHvg@L@mL>xN(bHD6wSgAdocb}iU6^glrXktqTXqK-ki+|X1L0fnb&+3$gkfy0Pnh!Ub2 zQL!yq8d5!=>v*=y`pMEjum>&@yKu5>nToD8EFLSOSsqQW0+Y|E<+xVVZJ+j1K030P zpFTuCIFVieDBgn?z4OioHj#8_>Y2dSV_aJvfXG-?!N zTCh0)v;l%@lMF$rJS<3KDxSn(l$27%egUdgClX)mae|iUqcXvz!DNdfrePB)V6l>6 z28`6mi+z>!cIG#NIF zh>}PrH5QP&Sf}6@Cl#U5uZe8AkGg24Qj4cio+nzJNxusO6bMzxAc1swOiY<{$w*c$ zKkPW=0viT?$&VGZIBbmtGtZ&1o*kOQ-hlJFwi@IdJUK46`gS+f?iE1Ez8r(NQV++s8B71 z<609)h8P=JI7+&c2G&=59LkYox8=DAolM$sQ_usvP%R~!?ZQMFCGkWzsT%^}NA)_y z){JD1_kC5h2LI;zZ(~)Gq~c8dx9>9lS&;4K@BC*$`u}8`89XHdY&204eyd~ARHqo% zc-Tx88J5VK0_1{KHa18A7x03w?$aE+RhN8e| zi+-Ld=HYgaA7uivX^nbn)k=wQ1XSQmtVn1_$@dF|WDDX*9x@R`@v_|nl9K^G-C}wM zq7TJ!CTI?e6VP-!L_^0*AVTIEO37~*LOd#ZWr0eMfK0RCjs1M3SoKm)!cF2ya5$+m z-72BhVJ#1for#`L@zJnfZ?)T28pEe^qgU!th%JF#uCK&>J#M3Exvb%0Dv|LxKBMdX zOrNcH4XlCZatIxXsxH>+d{cBYl_nyHU8fXc0^cX1ap;32n|D+PYy&h)Cn{~alves& z$ISo7>c9P?{%1kzzj4)~kjU0E7|k*DjM3?gJF-`;ckQ|g`p(GIGGnwEn(c1Vj)ZbY zs}`WZDQ6?A9~Vh7z-=%C4-?tEYjv9aoSRC@oK{6FcQV99S?Ot&F^-@)W#nT(feurS z+{jk@XsJQrSl|ed;OPqL*@;4?2s)`o6gQHY-cTfzXxMaG1`}owxn1Xayi-iuGKW*s zJ8Bda+BH&|E|6krBIAW%*Z~t>&gyV92vo2_Rq>mK&N}H>=>xoEX1EyZG!VU#n)G=r zEdxR-*Fxb@qZTI3F4ikI^PMn(&<2$bdkmt^myoqM-5`=6U}UqQ3gyf6sEWj$np5*D z-F%Nx42%@&xh~U2K?(%AZUIhEg&rnUK*7ii#`U_SwPr*?Gn{9J^UQFb8O}4qdH&xr zi2DB>|NM{q2PcSs=06xb)BopNF>vq2uLbvB?99*j&$in>B&-vBj{ltUt>P0H17Q-u zVG1W8c+2U8SnpGOvgQ}_pZ|`3U=)F&&*7ilzU|>7AO=oHk0I!m|0CtOI{D0<>)=nX zy?eKK-;qb$bn~NsIPS*VR{TTJQ)gZA!LuuWZ|#H3+RE9VWAHBP9=-1N=g%QNSnsN* zK77YRZad}fckUdf-rIH4%NF~|(uY0%Np;7jy83Q=lB?}geQhWlzQS@_?DA0pN<4ql zxyx?x?(C%>UG9~gZait%a~@rH^9yow7hUF|+1qV1$3N+qE&10!IqS^bZ~EPN>Td7u 
zzUPO>+|FKo!fG$>0-X;&P&xI858gYZ@y>6o6!r9foxap^hrUvl^E+(d__GV_!DlYB z&q3-Y^Jf3ysP%UCE_#38XrKE}Iroxtw^!#m;aZ6^U$NgO-ZfF>oF{Wj{_6VHvbR6? z^3x~ZbmNKlQ3sv=?5#sMzute{lD+0r%CjN3{y$Nkl|H3B%YaKAu*3x`FS6(tp`F9P zi%$I0k*n?N-M!&@k6K46^&k9YrQcS%KfG<}J#JcN$(t{J=bi_jJm>mjr2W3X?Estm z!v}Bu)9gKFegC4J6HnpUeO9q|c|zW5)%{Bcch3IJ_oFQqStb7YtWSu6}FYqq&u zJblF%wEJ)Rz4qtJZ(Ff;`kdEW8(ew3msanrt?>47!f`jfP(EVoM_1fwpH(h67<}&j z|H^N>&0UMW_R_4UUpZ%oqu!f$(%kdcS^4S1waz6&oEILwXpe}yOwG1__~EP@et-Ik+N_gTG3Gr#z8|c9aI}{j@)r8&AZ|3C?b?&et#^DN#N z)T*{!s$g!u1dhc|@lB3n71`v|;NK2fVpO9dLG_LYHcHbEsxp$uyXA4-wPVQ@Fv*>U z-K};s9ZKWVVdnE`&>PNwme{Ol?OJ7eplRGHm;U=X5Clf}T)(H(|4BTN^!(qmw)nRs zl&coqQppPim?`$rk&B6DDFL7@n_wfg(ulnd3{}%@mab;3Fqz~n3^r0i+~Njy0q~Px z4Qd-nQ_RNovTgN(79LmpWI}A=rRq4BrAL~e0;7^LfaSjjNSWHBL?flyGRq9oF&Zc9F1=EqH9+?vj)G1&;{cA?tsj%833 z8W9(#dwRjojboS{7;S1&uI3VT7%2<-2oQSObcLxSuUb!*#)hYbMk!Y|2{g>Hq(L~O z9}fJkEEhNp8pIe(hK!y!m|TJ#PcNEGGu>!9p;Wr~Y4Y)Jv1y7?X>NXU@}Dya?D*46 z!t`_PM6D~DYBHt8x`O zxDe4w0?Z0UQPMD|+7kkV!+35uZdxrTDdQ9}(aV#5eh8I`wAnN$FB_Re4?%-kE%xC) zkn^YWfM{lX6@d_0P#jD1x^bJUa^1+&#$`Yh!+?QGl@Zw<#VM=e*Nc6qO9qUGnEJ4! 
z@{2~wI+DnvHNK2yT!Y<7fD4i$@oslRCU%t{-~$AzZH zfN7@DN=O!C7y4!oK$H3ODAkd(T2dZKU3&t1VH&CxV-4@)1Xa}aaYyxY=nxmGJ)noR zMRKHJSi*i@Hrt1g%+$|{O-BN% zbk~$5HAy;*o*Yfee7(fC>m+6p31gr@V#|!v01+t=RqBnJu7R`h5Q{qnUbS;eQBKZE8{epPju31YnX25NX=+v09`aC3Xa)slZtGI&Vt>-P=o1= zozx_>6@gu}Q7b|{O5nR-x)bW^B+)jzBo8YNkf)JGn5#1dPiv%;E|5+k5n5{YM87kZ zOSMulMbt`BnFejJAf_rA4HZj{r6f$sG!3m6jz4p=AUH0?U*cvt`)?`2j4elb7O?-1 zbmt#h_xyXLJ5mwS`Z2(_Ic*@OT(d7z)rJrzM^->sd?UbOP&cOAmaWT!1Xam(>P(&_ zIj)dwl=(g@L84ce%7oWei-_KjQ%NO^Mrz%5F{wA^xFAE1=zKNM1Pjef5~bAiWrGVl4&9DR%>1@2cuzJg{3YXDqy!tguWG$OXci|Jf#V%ak-eP)o(4APlFIx|RT2I>4Sw)xrfg;4)9 zo#Qk4zi-1num3rEZmYEr=zj=;K&G!C{y*z~DDa>3Kg2?y|DiyFqA(OC@vpD{IrA64 z`$!C*+oX49`HVk36P>=tfse0DK4Y!5^v$nqqeok>`ID9Ao%2)emmjSEO!|O*nQNB3 z?=*0y?_G1uj=cEV6N`>&Yi)Vut52T2<+Dc+_o9u9*SKq+qqe^Fibui^de7ha#M8-r zz~_I2C`-X_(5Gx%bj0&tI_0vZ^H1!&<5j0M&F6p(esas)gVwg*eqwh|s%~zkAFDpl zxZ;7muOI#PjN;+9g}>VVtmQU3Zre-AA8mTuV#^iSdw(%+^%HNux4G?&Zy$beO`=Ap z?rXht$tRCkhn;ratQb?qPyOblE8;D-+-aGO>0efEIsaFWeLVS%cGN>FKKr)+!M4tm z=O1+OPgXqkpgs3p=?-e*zPQ%M_LJW)J@jwV|7=*=XS+oOeEfqGZeHQJ6?eYx;Qh}# zYW5w!`^#YNV_RRm$8Yo(4uBTl|GM+`JfeKkNjK2I&#qhYI3qmx>}}%9f4=OFFKqIc z@7=q?35Pwi)eVEyZhE6~*HKTMbN;gjT>r59&`SGuTg3fmU3}u5v%FvZ;A-@d^Oss? 
z`|quK0hl?NYite%559KUfjd7;b`E_1jGHItpL)&7yL>3!yu?Azl(h|Zdxmi(g5U3e zo1R^2)*BzKB%FFz9^U8OlkSgizwl_`t@YFE?ewD)(Ru#CpX~M8+OKV}_^P{Kx%BDB zUw_W&FW$P#Xwf;BK|j6nlEV7Tt-oFTjz50z?h(JGcA0(9FCRbR?#mBzKe;0L+6IR_ zz2QYSKmYc#2kzWif%sSJ|5N|}pVj|B1pGPvL(J6w{8sGi=zr|o$f|uVQMIt^e^5yk zCV97x6}Z&oE9!r+ME(owzkL_=KZq39<7tpP$#ePw>VH&vLG(Y(Y?{M-qf??n3$AFQ zlIY1yR#h2_bIoLx+Gxo6^mr%*6|6th0j7%##*>kcmX$O<8XM_Bu7cJq zPfH}t_Bao!Tm$kOoG*8ExYH2)URXej?P^W$HrNsB0+FC|Bbb`sJi`Sbu^2miF)ZLY zVVv*_=?G8BfDCur9O@;zwVv+?sg_9OQ|Y$Wjcq)WgEcZRr#A%E8ed_IdWMr-X?iIQ z4q+0NvTk;>pq7f$DX3D>VzN7MQchdQ4Z}&$^pj>G7SnB(8W6=yvY}4GiI=5W!%JZV z!w2RxMw>X_u>TKAri>vI)T^NfmC`=mpdu;F;&vz7RUD)@aoSB&7m@=-7a)(U;zOLM zY3$HXXM7PJCt6*0D8pGbMnhVfWSf}g=$x)J<+>loe#I-RVknJJ(9cw|fdaCDOJZ#} zOBzyXl$#{WiLhry;}%va0og*P$G~PM7j-6PpyY6{-4&+`8|@nE&|n1=qAXrclYL@B zXrS2fc_9_!iB8#?xRaKRvanJiyci?Iai%rIl7oVf#e-r6QtE_`w9JK>^g}7+S=}-z1j^%{HYOg~%>a~{E-(qvkmZJfJM={4Y`P(rjV@W5E}NhvkQK-+Pxq+$ zq@)o6cZVehzQicl>QcF(1gVv8SGHMrW zG?L4TWuRPGf|{$s9Ri}$%?3KD zv$E-BdYM5+vWC!j1eV+ijmBiAT1OIA-ZLYH>9{5G|LA}6#B@4;iT;P~e5U`&#I)6A z2A|jeaJrB)s*Yn;nSoKlhDKHXQvXb|wNk<$v+1e_jOtxlZ?VZDgXSPZK%H)b>Z@!n z6EQ{16E%5}qvecur}?UOvPop(n)5VA5?{hQhX7QXDZ61CW6&9x6q+5U$>uOoM~5mZ^y9VzT9)jjr4(43I&78|dQG1i zPm*fB*yp8`8I)S1en$<_{y6Oql6kCx#ZqUS$b%WH9h6k0P6VV9cQa5WKlF^U9n>2g z#%RScJ+6g)5LBj0)aW@)9jH{zl7PF?dJ^3nJDtKa_7YKNu0OVV#0F|YDIgMRSI);C$N zT>ZHB(MQ^{r;ux`^Wh^q?$e!S%XU7TYcKJ{$2)br!8*jfYu>iOvM0*X_g8x>Q(I?U?u=_s z+5Es49{c#c=T|J=VY7`ZFYGLK`5MPscV|w$`4_)?ZuNuqOa~Y2b?~YiyiDBi{JszV zVzcwF{CMjpW`R3Cbl^LMYa3_&@uagxm;Lc)v;J`IW;Jo2-yQMEeRE#@5-oOF{c8kA2*DVbyx( z;x*D|EHU>ycJ3O7YU<0<@fR$bE&u)i{JeYKxa_TW?#+Rl{21BU8?KgQ-&Ib2{{nC` ze1(rI5AU(^Ha}hG?dNvzU%T_>51xBESn7fIFAkvQ@8-bwKfcc{%=XtUd+=kgAF1wH z!|wr#a}GIai8qh9!aTKi;R*Mgeg#!t=J%gm`s___hLgMTKR>%c^4ybua?G{Izq#bq znH|?Z>!adzi|Njryf5Sdk{|%hs|KE;%9sbkf8@0iAj{jhJH$Ta{ zHZ%?Vps&tO+%xa3+qH9Vsjklmeu}JZX>!ymMYEy6^+Jq&) z<`%+qGhwzJ8}6i;$ZiGQA;#r0C0Up*W29cAt8mnG5t$wM^*k_rHy%V8gICj)hOL`5 z&Ggx%m*DAEW7Jh;i`M)>b>O=y+spSnK6bQ6j{nicb|}Au%%fI_>`YwKVH 
zM~K(}$Vh^Uk_Eu=xCl?0%|t`udyJkVAh`;0Y&~GI#CSYV?FwEQw_TeL(m9go(St%Y zB#Jo#tQPux*>=5%?ur2o;|Zj~0o~X{cst$IEd(h+-WcxjV4)djj8d;4MJT3|JxfZ7 zUVTv0`?^sA$ZTKjqF7kTR1+g3urdIID|o)0rc_+c6v&CivjNgXvy7>cBCYb7M!!|6 zi_ReAc&o-Iopf`0?wWO>ttBSuAm}#4Rx)<_RI=HfP${mPD&c)lxAAT!=*Qi$Z&^IZ zB2*d;MQN0kifs^%_zINNh&WM8A~1@T+$>i9to~agpB{f%{kQCA{6}^f`YZCEk|U^J zt_@0jnK6cr>z-f%i72imR118tiqanf}h}Er6)Mne4>9&E8CXp+e z(J*Lt{C0XPn4ph!QhwK+R?{<>ZM(rtFTuP)wPM}u$>v_?IOYo#Kr8^mtAU4b<)QB(6K?#oHLt7bg|Wy)L?Zq++Am#wfm z&sAwd)O|!A0I-El*cuqXK!)xM2AS90Y_&%xn1(&Eh*D0P;EYrb+I+82jf5yg>9W|M z`kLnRel~4}Is@igz-_IgkJ_2HG~ZuG*df0|=T5B+xW?S8Yo_vW%6yn>x|-oehA zWq#gsb6Fi|mo9#DzeCno zVr`JT_?-=w;@8~&HG8dWv!~5{qO{{R`@ON}U+rJt5)9&>9=`2~vzSfx-|U?$_m&rX zY`bPjk5bBQx9N3`KHleo4VQf6z>|Ju`wv|VpTE-KyKTP@cfygxjA@x#AZ!Q1Sq zUD;nvKK$@st^ZH`|9_bOz+a&MnW_Kzt=QM$KVY@tnBP7AGe3SSaC$7o3&MZgFXBJW zcaHzWbd--%==AGgd3AyHKf(g=AFf8|!&HkFf)v?yYXoE^I$g`}mn|I{+F7bX#SKI1 zj0{a38dkFsN|}~jkh_|qdIG@ZXt+7yL%nS0#yk2ws1f|Dxhcpb@?JRbh`lV`wZrDEDUzRm~-G((<~>2&?WF=ECLCIcMh;M~wOc{P`*H1NT+P$j6PDlkV65>>aN zIvrEYEAR6|n-+He7+6myuV<3t9GwL()L%S7406QZTD ze6Eo#7Mv=JHuO$QqPuFAZ4GmEAi#3W1Yt)W$pJb8Bb`RU8+uG5qj8FCvP0g`6R=t$ z+evi7ck7?=pL{;m{WARz@)`fhbM){l^B*q$^0q!-SOcy|l#mjFCi{$^(@R;gKA29% za4cxKX0wL!(^Hm7QDCN-b8DkS9@OfD(AAX*T$<#RQe5tnF$Yp=11;ke+9`H4$5)|I zm0-etPn1iLP+%+#;IblEsHXIUp0Zkfuvo3*6P9pvuh=9lX)xjaNty)s0v@u1>GELO zH4x7Bc)o}SID?u3S{TOV#&kX;T8uF4SL+!?>^0E_lLCMVJKf$a&@PCLG2Ka56$c1S zMMp@+4)Gcv^=+_RqIi|1K{u2W63(I0kmr3LvMOvYS8a zX;_%_VTzdkG0`hh%ET&^iK+%CMyTw>6>K1hb{U|0jwocUbOm&yOsZ-|$gu2rir-ea z;YDry|d00K``LhqpdLOU%TypDO zuR7w#2i@PiY$I8ElQ1%ldc&$$@3+0@Y>f%AJxeVnJYH=;iB_y429&QmmPThHAnyK>GMZFy6?fKHrxHOb1z=} z$a^>3e%TwgLbdgmzGJob7IlVySj}1gIQXIRyp7@~uYd2Y1ev8e9Hh=ZTMfwTmxl8^{ z{O9nkm$(jDYwhMAm%rI$_xZjym(m-3G$xzdF41!2YAn)bWQ8eQ@B% z^JZ_ou`+wS)rHR=@K$1vd3Oa{+(_g;-ffEyxT~$-9)J5rD@*(Q@kRQS5IFgu^sA2? 
zz2A?nxOV&V9;=`I^1F}x^|~$hxbps`Hot%P{PX&S;7O}Kz3MUa-pK>s-}4Ol%Bya^ zJG0*}PTl_k;I&s@H8ow55Pw{3mvCM$MV zy!711R=7$(>(vLYzaM)1|6}jI1WGO6L zwroqbhHc4~2v7)R6bMktZWyHy_TGE%ls(EWtI$$P*k%51+L!iMMoXZj;eGG^$(!Zp++>GlT12eSeD= zPcEIc(q-N;{Rfj%uKekHd!ByMvBw|59d(cO+Ai1pv*-V>@&CW{uN1LSRwu?)Ii71#QgetJg+U_LD%-5+49g}} z?omi4oXDr@tZN{21|Z;pn0H(sg<%Y8BjwJBVE77zkW|wcI@x+jrJ4$%mXaCDZ&Aaf z=_*ZlRF|;|IwA?F4KP$zsgLYRIc_L%q?mziI|(*~R2D(7Zc7=|bj}&jEzpb=1Wl$% zrUfQDh*55Ns9&SF0AP!JqZ;9S%qtHIX;4kDNuxDL;jL;pXSz+2CyatpZ#2;uW5-kA z*uZ--%7kV+9qY*+O8{g9Y2VC$s1%V)-6}yhinyn&XSZV;anqr)y!N-@AhcI$@XI53g6k;)5oy&Re_HZVF2(#W%zK~7wZ@{sQe zm0`PLlQFy-IAM)ph!fZmOCY_Zf_hJa1eVGfFE^(ovFy8)MAnO1ccf zp3`WVhS3X(Xg211ai%}4ATEUh)loRg8Df+()7datX_4cYP_g1HhsWC{ z)g8tYgJw<(G@%{1svDH}Zn-e303ct}cro2BC}_K!)siO77Mtid^Pffgh(Y=v{3q5Z zmx#%I#83U_OZO3%SpQkP<>v4H6D@}Sumi7Muc@k^^8mge>!uPxKHSYBjWSBqVzDeP zI9912>O-HxNh6dLvBAk#(b7S}9cWWhyH zGcLxF99`5#^^6}&j-j&F?*zSUwjwo|HUhE<)QS~hV%!8uLP0Dc<#ao9#wq_0b<3y1U<$&x1F5LB)v6tkSI0tq)w8_Yp zWDgvS<@-j}!nK}KE=;6b%}$HOg_v1@&0a1$Rts?78dz2bXxk;fhW4N$U2MC1psyi**E9T>}1={m3RS)7(DX)#~Gi}3vuody&_a6vFaU23M0{sg9gD#2wgC&wE z4B_B6sQ-52#T!qZJ!ARcw$+z9fllUUvS6@6DV0>Vg&DeBkUY zFS{Z&<@)R1eq#OaZIiuzxpz)~JNf>hb)ZFL|p% zGar9p&SU34deDLEzO?b2<^TNHrdPkZw12($%)G5HmD<+6z%P0Of-?=0mWfv%i(@No659@%ns4PA5X-$K9pH~G(2ryjm=w@d!SZ@kAt zTdlM61N**x>gM#WE4+|?aI~*Gp8DY%e?Di8neYB&Q>k&*d2>z}-udQp`u^uR=U-Ld z>!9c6-n;+J*Z%g}wU+wL)IWu_lXj!;eByz}zCWYgx$T3>TCXg##Z$Xp_sH6tkQ;vQ zx$3WlH4i!ZF6yqkZ`^LrRdznu?!Iu}b^EQc@})a8x4xqAgYk^_$wz-V93UkM+8H?FYWN$CG;>eDu$L+T7;8GZq>vA9!4y|7mUe*v;Yv(D$Es`Oza+ zT?k!zDo z`*TwkCX0DWqzJ}NHS6VMI+hShZYNF(mR|>Zy|9TvqQjd? 
z-p}HgjsjyYT@O%}HwOk`Wtys2#|xe}$|6j^?FMDp4a{;iRQYzkhd@@} zulI9!KLk>~%;0G`F-Eu&Y(scOh0{$@8&s>=Y)$9-gW7-`G-JKKRcSaZu4-fj(acEA zFsc=@F#{N4?W|BOwz5jHs5=x zR?~4!s#_aHY7@@kz|bAaRk*K*Nk{fnSt>Sy2E!MMQXNVLAw+vcvN(p=j9gP%#bn8q zNtMJ>2v(^j#$0pA0$xrqSd;HSsA7Qm0?4INCoU;QgtyeTQ(-HhPEo@qNynvL#~M%M z^1Yl?$Qp5x(E^Sx0lC0W3bA%4gu>j|v8z!a+IPo5gzXqzlr}87KPX`{SP6QE+(N^G`W}f zKmLP#_xxwEmYcu%55GA5e|R@?ykgNv(Mdouc#L2*bdYQ%m9aWZ8I=~@iBsgL8N>oG zDE1q?JyJax!{v@+8}N{h$-`2^Wf2!HM-BkQB}!(>oy!Gh~Zb}q$-7zZ~~ zO)W=geWzdR;;li1mij%qBiE!PJQ0#=xRaHwp57tT1xE1Ugw*NLN~lJX z+8!WvI!wrk9_pq><5mz76S3WP5qHejlSmqmNq6$49GFfAWxd15>fHquTIYr=&NK=?vmr%R0?jVKzEqtrOx;}UYpU}c7? zppfe4nMO|_#^p@et#s>66AeVK*wTttCg>VXK<~pzqro(X4EL%3cpTmOvifiGr~Xqm zN$xBA&%}-NS^xQ4JviXA1>qK_9$az6@PJhFk%ZNP!NC|B3RcG&;!Vk}2_==XlXyJW zPa9aH*3gZC6KdT;VHB0fwk8LPQS8*2ybnZnJ?QHWPK-yAN*Yol<&H98Qr87-pp7ZK zGHBy`CO2*hE@torPw;ALWyC<%K(*5jp97i^s~{T7FiN%EQ0icY6>Gy>3oCL7uBj{7 zz%43*gmKmKu#^O`Bn~1;0*~p1R1i!02@(+SoF$ffc0!c}wKHVKs3v=!)=NU*2rhzx zMDTdki@BO8x>$lVG^q)jBu4sKqFBwb9YCncyq|^2n(byvu|UTZtTy7^a;<6(MFL@a zFm7}b7%763%IZaNV(CsBT|ui1%~U;Q@&LlXDZhlPax0U?CN6BIHHk%&STu=6lUOu~ zMUz^M9!`K5 zo`Al-|IA%?`})PoFW=pBeK?LB>+FEdQV+aq+HFrfdd@maJvF1W>r2lZ{ABvF`)BIA zgFliPI+hc*)M@xG?>i%dTIea$teTul8O@z4?Qwhhz53@4mj=8m@D(cYXD=-@d%_ ziPxsz`{S|i-nr-T_wp~E>fZ3t%?_hKHRsU{r?Rv0lQ$&?Po{T#qrElwjB?8{I~6Xy z_SzTl(w|-mm;K&0(`P-s!Ch-p_s>)w{K0j*&z-vO=#aU~Ka+U{U62Ydc=^DddixVw z?tlJ%Psu-D_{{pi4*Cg)Zn5GY7nF#zr|&&;dxV?u_GKSDoPPH57ZxBpy}rOYqkZy* zd!F~+GH=i;ZMo`(=RWn}4$J1BwAVc6gH6_*amcmD-t$8IP9)swwxvJW?!%jmx6V*6 z-}uS*UYWJshljnsQL4A=KYRZF8vp;x{)2u&{kO^bpWn*(I{s6nLNxs)x$6?_KLVAC z_;M?nNG*}C?mu7H|L42tKbTNXP2{bqiPSo^xc*aFobx|p4=J;_&JlD>_uKho2e8IQ zC6V&ll)=ds7d4vlAV2oKVaAQudkI?buzGJeRt8{YIMS1FnT0gDHm1k5(B>L=q69>c zSF1)Y!+UVjis8i(-YQtbwAoXlSh`dR7^BrHcI&yMC7Y5rD(Zrb#5h#h;J_~!W4@D;IyxFxbFoxP95njF zKF}vi!8h}tEQItZ6czQ1B8~rCCM)NloQ&ZJLs$9 zU|492V^k%8gwBn1Wr+AxU9*NwVwfz4Ry@P%UJiCEiC`$U39VSHI@w;lPxsAHCMQ&V zV{j#L-)wAb>|~RTZQHhO+jcg#d1Bkf#&-A%A*L;2b^iJY~v=|h^%RFCSQpj_wTGp?t1>I*cvsTwt@X-mYYQ5u|-kE 
zP5cmp5t7TotI@j##lKeaer>Me9*Ibs6sf-3*=jth1_r>uZ~4A&iI$y~-PpK`Nj#3MC$5RsvJ~EP^PNPEr%1MNCD( zOZiK=IZJ3@#>8>ZDNj!wiE2SkBxh=Q$fniVuAmpgF>c8J3N}+r(d;(fpr@=klD7Aw z!6u$$R*SD~hwu^S$|$0xD8_@RQl&~ARHa~N%&OF@u~vo&hfNEmFsUM;C=(C(?jt_t zG?p8|yr*HCGIiV&$Vx{_p=*pUEWwHBFzO~wdGmye`Ze-KfyG5|WxR6P1XRh4ni*^h z^PD+kBW5*K54}b#ms;xlqenyXJ)c6H0+!Rc{dov|h`8>9?)OO!4{|2h+&o!y@X z3D&{F`nP}I!QoM|n~+h}o48br#(##XtSWI#tb53Zl7ozp6`{4Q#gB{oo{!gVT$1UY zq8Q9fiNkHy82(pwmaWdnY(T-Im*@ z4R4Q9Q@4uz_n9Op1wQ7fdH!2Y{a<@wK3dKIQjAuzxQ)7p)9{Ko_GGgEwR5W6b&yU*pVDx4@K@1-vUvBj*i;) zdL9Mbwiwhhg-*sa%IkTb^Z)Lzf+~VQaazqU0ui&eYKO~Af)8VlP5{%Zw}hYvBER%G zL+9+)MP56S>1zS?HjG)4o7byfHHw+2o7W@zguY9>^9_$@nmAxyd0s;ibhSt#cKptd zmkkbqw9W-N8TDyi=U2^d;C3G$$u>tlTz+SMVXxx}1yHwqK0`cyw{LJ>TQqb#e~U70bmT658vMOKdItFHqxI}If$5WM|87NI+xUoHKa_ix76AQzN$nx& zqQdKs0&LRhyXht`2j12GDtd_+yT8i}&8l7G61zM-F6DOY^e?XLD@ky@ zSj~fsjzH*NV_P}=px5iTh9jXi5n9}!ubAa<{xU|_q$DmjqrOi9kOVM@>|f8R&`fck zx-xYIS&_buK1c=U^aGV*+M$o&9@=U}lDT*dvirP9jEf*SX0;{VeXeetO`MHPoSoG7 zyt1V0p-~w2P&&EBAGQL$D8zL%5Ic>6SgErbLcSD5W$0hNf6dW3#NHutNs>)gJ@$Ar zz9j`AYR1OI)W#2%C1q1%_gWX_x-?wAtj;$9s3i6QCqC&IR$8-gf`_3z;>~W!G|ajT zcnTB=e&Vo5bE9TV3cg{}s@bz z1j59vuW~N5(;$_*(MfD|z8CEEPT^ua%-vVi4rJUcT9g0utY}ewQyf{1?W(zOMV>hu zO*9GyQ;~5xNey;}>2(4dD{XBw*PUoBKVc|OB^Wz50BHFsRw6x#R(P<=K9*Z&GaVs&b2tyW|vmSgrB0NJLV!}bQrMAh9zp%id=OvRxdj7;;OhEY-AwG>4Is?TG9v-I09Fao71?6 z2Xjt=J(mOVHMO@fMoXsGptb%(GSH#qz5qz4_CIyzmM^J`fDw&Ixa?3=2%apeAl_r& zlj->WNSXSz!7mVD8qH3Go`M}_dQ^^KI!kY>5z~ut8`U*|l`qR@<0Hax`4sFItZLJ|8=Dfk(**16zp?~_ml}Sg$$Z0WUIm+kbo6?} zXswkUqd{d#ZiyzHbbE3HnZRLk7Vf$=19qoKBob z{|j~+!rIG~J}w~%eOskgb%77ZTXD%b?7AESx(|o5yQ?v^E!AVQ@Zb#>;&+5N zhHc_T!3#+P$g;dw;uB*W#~V>UwG7t?>d** z*`g3C@U}?W{E}|IVpzSZdKd0Hca;(wk~v5|WiVxtWua*03dP5Ao6ThvH8jJ?DuO?@ z5p?4zx|t!u>8lFeNgp_Bwr8*|i_ci&HMMKmG8EFzE(XzaZ5V&uLpEAN{m^$d@jmcC zN1_}wt*3>kDxNX!qmD1$%v;isj<~DAqKbv5#eQ`VJKfz7UZbujZ6(O|Mwry#M+9_| zz4i-zM~eZ=sx`Q#Or^1?RP^_pj*Xd%)YNldq9hu=PzW@?m*M8H5lCHQ`!C!Fc?m-$ z>yrUt^LM`dO2$rsRyR5=eP8VQ{aZp9JUu+A(NItd;Eu%lOV>hyQ#t;Yh>!cywe&lu 
zztl7nukYZ34w2VC_4)mt%}{IJ@_SA|yoj`kAK!NQy918GlsxSSRB+~X=ZNg@bJ{fn z*Dm~0BUh~my@y(w7!m+(_X!of?f;(Dem^}>z!IJh_)Ui0F`x{9n$P9rZh?nKIA_O+ z0w%g$z$Zp2p}WbO=_=TUu8+G9hUMGM$2qNe15ow0qmJ!~ie5bsKVv75_w8!f@5*(x z-~U=mh{tPI!OGBe_^Ama!S0a6R<0r0PgvLI6_7QRXBOnK-cGgC_OVjp$ou}R*XwI$ zc8cW$Xfu6EQ}b-j@VoP46ZGGGpJba>$R*l8mpUx#$bWrVs=}ye!*O(F3@k*{0^Sk( zapjw38Ua@Wh)uc&_C43!f&}kZioI6(Z`ZzLZLQn;aGe3cdqL-QIZkcBHYF;N&(PLi zl~W_vHQf&Mzj_Z8vpiOgJ+BNkc~4Idv!2|_0T-E0Q4J)m>nzW`z?*HW{q~EW=$})H zO1@#^T&kIS*MGJXHhn&+24Wn+4RO!uDDGPl#<;ZI)+~bd+%MPX8I?9Gp5+7Qc4qf< zElPl()*0Ro1OHn_xySjdAlC3bxxO#(eIBU2?UoA2glCa zo%7a-t^X5K;A5KGsM=-U$C%;cDN4`TFq@{nMv6EKmSn6r7zzV|~tQGsBTxqFvTDl&0rz$1&UO-|nRo09nW_ufE6lXb7 zQS=&nZpunm_aAbJ#IdnC2JML2G5@%1yk&N9V~;^6HH0I`$c2?0?bPGUF-*F$Jdg&w zh>Q--JZ;BpAnVy^Q7_-Q?`TDSi--hgjmmDL+(x!RNIbQZ96=2xOrQEA!vK5eYgi*5 z8Xu+p3kJiUv_S66UC;521rBj1NyUTT9F7$IBYCOrEN4=fcNxOEpav^Vb$+TCmrVSX z_(-#nS2m`RP~k&?=j52oh*f2ah_ckBd%C%IgOqfMVrw{$CL$OEdBo{Nh^OA(-Qm}a zo^VK6Z!M@UsNp5diaoiPXKVq8> z!APX9`vs%W+2K4zbjb-Ks?{~LyW^kYEQ@E-+Q_UjKWsg;zs6)jbzW6=!Awc9AThYL z&=u*W7g>Z`=Q`Ec%%yOrOZU5l?Pc`%^k`BJpw z_T}4pmHRIFetJ!be+geP@408>O_(!sTT{qh3ZatQHaZO)JxYZn7)27##^^8Z%nKg{ z!}%JM7`%g29(s3s;GrbeX@% zdHHbHB`&mD)EY6@>evZ%rhUU{=Crq4v~`jy!>hLLxu_l}tK)c@3=k)ctMYW5@@P%2 ze91SQyrQWzE5@u1#lv6myp>$Dz8#pSe8-wa=<_sUxn!6F4FqBOW8?wG!4=!dH$|rQ zJLe^wxR6aHrDf=_o27pAn)$q@XI1tC?U?HBa*IGq$;+pE`3?>U#n`^^Oj^7vi|Cl1jD^-pt_<}jAeOwzno&Pw8|mGQ@=9Q)X4zdOVp{q&St)XP~%z&9YP z9f^eo$Pu{6xP~+Gh_lwN;(}%WD=eaXSD;*P{?;?o16{3cZfDaP%>w~d#i@$EEm{~S z&TL1OOjaSKn|N!SX5^ZSwgL7}M^GB2_~tt}dfY19V1g7j>w-4>hOejxSz>gAPCLGs zZ^&R;Pk?M>o~ddhDLoDzxDIT%h;Y=gzL*HbVx6$32YM`Jll6b$ENDF#4#J2GXyppJ z)x!fk17h`VC*^`cOTVrS34heyAke{33n50!1V0GnICp@ivPYvR5FG5Q6! 
zb)kJh?tx$F_n)nczbs^>h(6!3_JN1ZWp#NZ1Ku~RbmNOa&i&I2v6JzR-hkU{Yu;{W zALsp3CLPbNvV#0Rhzl!47 z0F;J#E+e5UFwsiwyVC!OV%%#n%JrfRt_4otGOY8dAthqK^7T0f_f#K z0YV60ncas28}^%T@>@>lr972xpP#TdsYYNc2KaCU4i-2NFRwi;JhztI)>coLI-{+H zKHjlTuG(Lz_!=Ht#IMqg`rBriu=TO+90Qb&&In?UY;N~mc}r3b-sS^lWJ$EI6#3MH zKr5ru74?RvU0>31h{0<1?d&yky}rI%^Re|-C~%3_PiTezq1j7v8HIq5dhp}aeQnMq&S^$}m@fbg zjDaY=I<@8?fRoJ^r`|379Q|sVMKVkg|%Hk#n}C;dx3&QSW>lLtH9>=8Y#XtjB3 zUB6OSi=koOW0|5P*2Bz)mtF<=8?!&MSRbys;~?Q4?2l&q#HODW9ve-xT;X#QN%Fk8 z$ZnxY#O?28x~2zu9?n@BgjMU3Xu|L*96z-1TLP1((?rNlz4X`-QLaogl?xl!q;t}F zW3VKe#}#|gV`=Dk%uAWuEgx+7IUp8H+7Q@$`k9WxDNV)3YO`!(qX3uh8QMYfGXfSPKIPAXNYL!hT5l%dI8WAq} z@|~=@9-&~K(9(!qNeWPNu^ju;Rp>QmD6O!>!$OQ#Y8a%FytdY-@fs!jB$(v7jNOR&(@ystIvk7b+8fMtE?UI9L3ohT>KR;riaAupCQk)2FZf~&s*uRgix{5=<|q* z14So}<4yUTDjmpH;}OY{7d)D$)QQ4raOg+S=ayA6E`c62v35%>I;y>PQhq3zy7 z!>(yJ)~G_%>@z@7<32kZPQl-B#5}Dnnml(}E2vDmZQB9}8(tyaCb0vKg|qDyq#!4xlH0myU5n z(z~Nvwy!CJT1%H(h-#_pWe*D`Vw^wAG=cI&oh1_hx(;vvApCzm&pc{vMpB%^1Ur+@{%^=jU&-f@6Op}!8 z!tM|aD~wAy7iZACx9Qb#Bp@{P%}U4!vER3eJxAZMOMpFAfuG@o)$cQ?qAA{>ur0TL z7psDenIs+43Q5o(!zCL1&b-tUp-QBP&g@VFF6lcH>@dl` zzCJy0#3aPu5pnrspJr-@VIC;DQ zr{f()=fI`@8bRu>%~>fb{tkhs(EiUiQ_J1NF2G*j60BeCW)A4=j?2mN=50?VG5hGb z-rM~+Kger!+A80h^!=|O!3?{RFzpi2z2gorj;d&SHWskg81z6Zb+_yp;BYjJ29)|? 
zk}ammSA@g=LTS_`=I{Hq<#rnsGywfzn<)gWAQ7US*%x~JJf0_9(gr=te1@y7?JV-z zT;piz^k-%`b{)nnK3(wD93y1r^&kEccU$AT$St|F3hh6^DcB9Dd0*ojfB#IU^5oon zMGo4VbaUE%t%ohc@$@}Bi03jinR?k2c^i2jCBFmtqfG)VdlHx&Wp-%!OTU^?xt#kWW_CK z(1{sWZ_|2{AN{}$#LcAGURHq1{V`XSSbY!>!K_S2tG3j@Y`TY(Es$CvyGie|y(iJ= z@^e2e;I_>lsnt_IP~ta)-?N_+J|SJPTmYecA@J_=E|6d!D8kVXt2#r1 z;Lq+t5=V(Xtzs&#EK!iMOKjYN3{Np;6B{wXyE4^mAUZoKVHnjm#RGU;_V&5@mM_`0 zoEgVI-}a^d%G%oXDQZfgi-o7iR$yX-E!AkE9ActXbIiqP5}i8E(9;mS*+lTYMQ_V| zv3jzZPVrsTV|3s%YDBzoBtw3Aue|&O29^G!UXM-ud511mS}j4btdv0HEN(+~`o@nT zb;OxmXP##gpQvv0dMh>U$YIooO|3n@FXWducf|j&A5> zDxAo8CqI|1N`KM`f|>Y2DNAwj9dqrw$M?!H-#}@+g7M=w^@^ouIiP-y=Q0h$UKy?I z4~>-_v?)Fe90(RwUq|g*Owl4CvY6|s!U#wg4l^#Ks?fyWrahT=IWlbf@puUu_{b)> z%Ol;h)32oHKUz%t7~NB(SzCwQJ9a!iJR`%w5m>LAvy1wIy}||~scQtQ6U_<^hVMvI z-2CE2CI3iIdHfUwtTrE^Wgxrq>?@VU(3IIg5DBW%`ffb&eS_r`uM0cA`u;-sxL-L! z2Es!CeKQS12arglzW)Rr2_1fYU)XkCuRS1oMG!z#@o^UdP0X1{I@<+TJRA+JB!DfG zQDeG}P$$c(O-yp2)C=8C>lh(FtpP*I~sJDKoI zHkQ(znB;=x_{1aUo`q5ZTI|y$Ov%?e(h@8aG59zZGQ@LCuDLQF!ogvUJ9qOtG{JGfDRt%p}<vV+9gtidf9k<>cg&EG^IH zuOyCxW%*1sAWh&(5UaYZGv(g;z{`B)g6>zs!PiCR$Zz!!4GS1?Jkigogfvo{Ja`Y(G9-*(qc|j;Cc@^e87s3PqZ*iu-=#7lsfXP))bL!GkMSLsdZw|CYN=G zNFIHT{P2H3LJ-FRi2YOkb^SASQ1Da;?mv?NdUyx@ascp~o|Qwu+q~zO?cZIAl+dXV zm4A&t#1HOp4C>Ca4<%FH)-ShuqgV4frhg;0uey(tX%?5ErOds7qdO*nyDjG@sxh zK2PNTUe%rir+z>2+|SaX@cunK802w#?tJc)nnDEF?0G%(D&SAgd$)FgFl?)HI=kA| z3V^#K5gqj%M`99vvu27^vHjR5qedB<9?BOXkKxa^5 z4Qe*zn2H96c4WP+{wPGsjDC)m$RU z$L7bMNv+a)KnHUuqj6x+$$Y&4uu%+zF)#E17z5CJburKZ*C0r$BpDD$b8KKLYCM*c zs&7Nce1vmPx@@47M`B%HmF+i+(*^ZFC5u-VoT7OMzSIT4GGvtLfrM=p>T@XY^Edx4 zQw!kD>e>no2(~{Gh`osVSK%r$F$*rsyXtHtPbx^@y`)xV(lRS>0UgQ~OO7Anqui2rfj=}SQ(#P)x&J)l`_oH5 zJ~rJTY<4a_BQ!E?ru$NEhrhcPWm9etGFOh8W~A0;(hOXopaa7fO_~+OmpNqSqHSSW z(;Z6`l$E=wvf-g88_VpAiJ0xjrz}UElS+gr>H@!&C*UOW~`IJWB zeMSzz3G|99RQZQe%k;&|kW5QcdM4SQ$_z#?JyHElTNVfvE~Rhw!d*j*UbYPa^?0V}uz}W)f1}LxMFi)D&;VT&H*Wm)|_a zmeg03N}~K)+xAFmz|t!S<{ITjoD@~VLBwF$)jaC!RR=$=-Gfz~b=0!$z`*2y>(o|f zf@Yn+5UE@8#5js8fUPhSV;iDd5t$8R+3f)w5V 
zvxACd)Vh942l}SVAY|*3>aj1lt3A?h-{P{!+G6g=$+*UPul1~xS0MDN&7i@Kpj)Fo z8y?e&T;CI7F}zjTqTCrnM$Kkld)s1$;@o4 zb)2yS`Muee3gQ<6pX|WKK`AA;WauwWiGs-`@L6cyJq6pqojVhe^UhIR-S(r_scnT^ zk-yPSNl6p5MnC!z%w$C>bil?1ub$KdNEx3@MbPd>RLeqhn^bv6*>EgX4EOqscG=wo@`43^F2<6xG-A4UF;ng4wREl7#VR_VsjP*B8_m z=fqoHjb*e-?DSjj&b0-$LO4U}>gs0l(&|ZtcSEtCy(SV=x!HkxB z%%kZ_r$7qpS&*MOSp`Zb{2G|?hXLd$_2;qXOAJVaup$@spAl=l6gu7)?oD@N$k~oO z{o9pvG_`4ygA^E<;YIqy$W>y)R3S)`COm;j_n&9mR9p6bth}nKxVu`zTo`if9^ooyt}iC#s=fLrWJLuzf)1Cg3O&q(>e!|$WpC^Z ziJ!6216HZfgG^_d>k7^R3ru@;DlqXX^TU2JhE1SzcKvJYswh=izA~967DMmnu61T_ z2$&B?hmka8UDF>NscXxu-rhNPqG_;I~_1|Atzp zpe(mNU1>c~Bit;5E+ucD7=bG+8EMo{?aF`{v&+sCqu%r;`jBMtMGvPGvHmZd1sw+u zf%w6IcAz1_OCf6Z*Z2MXDX?dQH+kp%vV@mhkbQF%&Nk5P^FG!oTNw^_SQu#xBX;Z5 z9z>T+672h+C`0U?CZ=$D&wXx>zIa2f zQ8aMu6>)~^1^9~+pE5yNt#@p=wLU<;V--jy?aYvNF#-ST2yNQlzmi=0F9MQD=3b<3|Umc1jyy;CHg_HIJDpPM9kjmxT#M}I3icF&}?iQZ2X z)Rg!>sUmkk$~FNXbtQ^{zccIr-Oqh5j$yF`e1U%q9#&9&f0%YZ4N*j1@jR;EOr$Cb zdLL;e6u6COW*T^HQF6^(1h^kZ_gsVR>*erzfvb*dbzav--Uz*yLoVCxHeKU=xlEUz z8US|9SisI89xtfY0|T?^j5a;itZ9oTz@ zW(~Rp`o3N{;OIZq40i|`r{d`;^trqth}<>Rs7lSeJFl9d_&D94viAi3U^OeNG4*o* z?p=EYa375w69;*A=so#XR0Mtut1j zg@IZSOi=qLK^|0U>K$ks7eot=0&@L41vx3QoGpk9sSlW^HuscL4r)%QRV5{2A6Kn; zlbzSNm|rfJHat*#vOx#}{s#K6x#qsT?+E4d{`ENhJYNZE;Coi8K>4t^Ii8AQVxx8{ zZ;b9DAcPO(^^(Y$aB8y+tfZmv`c2@GjU;r}(k6UcDw-f$5z^4hGuf;n-jWl(GV2(N zgv{mGWFQG$D!5|9j$60hKJ|)!f)%BmHP6E!&$;Co$^m5-d@R*%=n1n6Ui8DVOaFe; z+1mDzljvRote*8KgH!^P*!P~`mD^1KgF;TPqB&&oXK{=4H6pL$(NIHtkR)%7cq}pY}Bi=jP>^G3~RMMdjMn`%B9yT2Q zPi5$Z5^t3?d+%f%Nji5HfrMg121BM@o#U5VQ{nM}$&dArRrlT%+6BeVLRv*iT;FR) zNM&@D?mWsUaDZ5RPNZcFuED&BK#^(dEIqOt{gPFmA&Feut0OP$FZdOkXn|e{_N=TC z95Ce4zm1bAmfUNm-kkePt+b9MYY3|F)O#{0W_O)9Yhw<-P6+UKk{|KQqxx6C^umqE z(k6TUZo)3%5K_K(&rUWd;E|7HQ3_w!#58nD{G^DSOtbzg+fHdc%bU_-K0)6}qkxYu z)1HBPAlfbe-kA?@udg<7rFTLJr94n2tf`2%AF3gL8>M79lh@p{NMv4a3;zk z3sR26m27Gmz2>a#${#^ymsfCP7q{_F~G9RHdm_L0>#iZ=Nl z|F(28pE=kb@2VQ~tZhwW{ZH%yE>>X80|>+~aNa&tCPukL2jGI*s>3%jm!EozT00otxorZX7^ 
zoY|$R&_YMS`S$q->^zHVO}(il^a=7Ykd3q+d_FRcX4=}bV6CiiSthdeI1V9l>{A65 zKV>FpF&EL6>yT4vW2~)Z89a+siw-f$7>2XvwA)?#gTkCFztO3h zlzOL2J}Bm`-`4$T8It_U*a19HXC&JPV=$xNJY~ zTzOF4R<9aM=rp3n@VXO5#kSk?8*`k&c?#K}=RBcsiQ~>Xp{xD`Uo8CXG*V9MzO*=` zMn0*G%V&vF53?Ry3Z2g2i|^e`y~hH;{xoCI7?r9@QEIOKHeT46s(5ZvuAaW!X+p`Z zfWY3ok$RyaXNTslB8!<~Yal$10PEQXVT^hKS*7E!hb2ok0lWUJY7) zS_#5^1k=n$0?FNgBFUT#e!Uczw$)dqA3j{4%w}y!pZ)9^0&0%pQk8RkVmiNQXCkx5 z_{UiS8=Si7(GQ!2bJP-iL!30*ai%Ke3K{(1=net8n{E?Kv297TMJa_oOe;KtzpO|4 zKaR7b6vh_NXH(CKUzE6LD(tPNewP0iKG)kP1=c}sU~idUTUbU9BuJqZPoVxpm}|Cc zd}{!OB8UXE3DbFax|I2GI&!O}%nUcGg8qZWTjZ_vvFK6o9i6~JdMfXUng%etVfd;CQ~}y8b%X2Wb`z{7bSB^l5*^19JeI z{eS?gd(p}0uqZ4;$qU?*jb-@MAY?h=rcnAJ-%q(?zlvv;KT+R%xl@4A;F$m=_*uybsAw(v7>jepoNV(NMN^J1gq&^#n?Ntmyi zKs#UpZk6}<($B3)p5MP)e#?aRGqezq8gH9rSYQC(nsmpb2BKMpd(nUuH* zHARv&PgsG8RKWH|ME{40RsQ<=i}AhfvxM0tH=p0Q*%^5?inykhRnzq|^mY{VDd1R2 z0bKAXR3R%Kov){LTByqdr^ciBBgltI-sm1Vt5-4?y38@^SyOHvp7ef2t{79MCyS=B zgOn0ZX(T0+F~{gl7F-lS0d7*qdi#Lberd^2TV!6O{6-&;J44Cpo2(=nM+U}otDs+7T zaKH#s#5kNO|M~Z)9**=^b_PcM1D6eMs^qj*PMbaKN_IPkBPkZtAOlDG(m%|b7U`Y{ zvZ8BeS1GNL?>DLf3ek;<(Mf~l*e_MSYS>USF0lb(SG?JUmo*l_OKr(4^*zK=6Hz*4 zxcJrLD3zl;EthEmxip=+aAt)eD~(w+cnr+ROfmXZ@z_)T!^|PPXIk5xgO)_w=O?b! zKkr@0nz2eN^^_|Y^<4>%a=j&;^a55%$gBsgraQCSUDb2i|FSROCdrU5Cz={$T#~c1 zDyrmYp(=MYtcp>zN~zDa)0!<|KN9BtykL>XKi1d#M!QSAc*QC#q#ywmMe!RehlA=? zx{hcaqgT=ri;9jGIRXmnm(BSrx9pliyj`yCH;l_(Wl9-|@&nrMjAuf;vo9qwk*sGA zRwUw}ZL$nAq#Ofd5u+Vf>2QDpkNnRpBys5YhyR{J@;Au{}Xum%$6Ywe9xDP#>)Q>-FQWb3|VS&dhOHK#_T zkVs>cD{lu(T3u*F8f-b;JmXh5rMPJyOzY-wr^ZVCAMdP_7k5vE3Tyru>4@f%RiYM3 zPBoa368VlsH*rUJv7ATt#cGvfxSDg@RGo%n1RmPJ4CG~yIS+MvR@EFf#vBkL?V zem=uBE_2w4?b^E9CK5lX?B1a6uwuwuM~#DTu2bYDbY+v%9(r5b$iRN0eEwkKerKWm z5c3`_u6;^>6#5L>5sM3NXaEi~ruao6@~wV+#cj)HT_x6! 
zEwWPN-ZiW1Tujju(7S$Jf`8h^$D@3XsnBhQtDb!G4+hgUiIc3xq_~b3llkJ|(q#B1 zquF058sDS=z6@*N=;UWQLfJ3+?4;&CRu*y$_FD`kdfCX)vGwrHKl=&$8ETGW>M1FF=OpOLhz8ao=Kx%3rpj|Q54*q2PD6G4qR4XA zmU$gtgAlTKCsg@%L+*MfQpr1-VWuH9G)P%ss@R&jGehw~gyh=0O>BsQ0B|fEe%vA$ zBb+}tR}`7dow@fl=biHGa?L_9ywHh1TjWJMDt}d0Wk$|cTXH=1uRKWlE4P};=Ws?* zE+&RzCUNwscFBr-H)JRZgtxi07{|1i1w-pb6g>#WMFF~SI{k|8M1#=`Ti{lxX$wt} zom44DV!vX&Y0phjb7vo{|fOQLfmRFpH#PV!?BG>D(#*p#LW5XfES&&Nel6&-x( zzv&9Zvi7l|V7T8jXHQ|(EGlrCy86Cv9!V1=&(=Le?`ArAtFoK>eZ`3v(pa zNBd2=4QXQ5L@3z>tB=s#Y>xYKty_kdDX!<+CaNSao>i#0u6yHB<@d+yL3fb`!3pZd zstpd`JUMXLI6SFr#*uB@Ev_(eAsdt^mns%$2{mQ*|H8vSCBue*5!5BfcticOQl+7>d4ec5Om+S4jM9sB2|W?hz`;KS&5*2iULX8(JDb??{7j@_JR)a z$U$w#5?ecE#QlHI`d~5zo3Nsw;?fyo*R!&V0E+n;hIekND7TuwT`SGki(k~#0QBn`vtpgG<5 z>cI~R;+$_Ao+M5e7^WodzlfK+;jx|WtAngEjfgS>06-=h+P+0Nu2&+=L8gbNV<*VWCjTggtKnl{4>);y5h5w+h;qCIAYv)xFlla zaee<+cllV4*T2a9!hUG%*Ltq>{5iVW64X2;%S4oiAHZ+7W}@Zba{5U}=!)sJuuagD zSXz2Y?0;8Ghn;%~02f*(-PiW`?CxnH34B|d{EDsq_b)L)d0o#xk|@acAZOFBd|=W0 z9qn~U_Hc)Yk@xn%E~s^UXIbkl%YbRX>3(R)FB7@$zQgZNHBe|bmcP;WBL05xPssGl z&fBt16%`B{v7b+R{^#Zki2f5~bqV@Dfpb5=fIFgg2YR;#*;U=Z&Q-HpCY3kax1 zy9A`&*mOTtjAOvWYWqo=2dBm62q)w%iQI2!~`g zNiA!tQuqXOskpkAZcfX9^%oPTO+7ZmbCL6yryVM3G#WYD6x=1%W?@9^sxJ7=rwPyC z#j1#ZZERkHjL8x{@6*V71tYqPy!{6*f7^GdFddE@PjtUkFbQd&_A=&=wcRF>_|=;``@Z67pyV5#YwVD|s*CoMBi~88wH5acor# zGKt&2hbEBfa4KLAI|d&L_t|qY7w?KfLDMt0Q5VP|qwC!B<%8=Q3yU0*h|=qr@m^P5 z50SV60TJ1bpN_&;qJKg$d+2m1W`(q&xaaLJcpjU>WGd$^%W-K{W1(TTys}Hki$`wU9$)$%# zJ0A$wod1knc2!R1F?1SK0TNx+1BnLc( zYbM-E29I!0^oX=WR8t5v41*wX+^W4PHC2eI5w6CsNs!5c0*_5*PgF`xOuT$I6~Xyi zu+3{X7C9>s;gtm+(#Bw;id$T_I<1Di9F)L$^iCAKL=0|O+PvFP85YW0_ff{nY1aW| z%f%Vp1&G`>wCNiPdshiW{|#7$3KF}z{v9XS`5 zLZwH-bUc(<6IsGlohWEn%N;o_gPCZvY$%;JNq$HSiMDNAQv|?i{~_ueyDNd3Z5`WI$41AtZ5ti#*ha^;(Xnm2W81bncJ|GC?!lM(1#7H1 zs%qAJpnCFJb$+x+=WltL*l@0a(y>HZsf_s)>n`wbrGUdqpUuyFWgcyY|4g{ zIgBqB;W5Av)mhFXmo5SCrYTv-OR4*JTy|~d!fV#21xjxvZ(y3CN2u7BanOETpzEk%>PaH-Rgg?&v^;oT>I>dTkAj}fzeczjXrvn^(x~KVnE%saF zz!G?EQM&ur1>Z;Ze*Jb%7Gablt0Zec6+%@1Ib+46X_% 
z)qDNUhI!5Z39cOxpAPXG^4*BvRi!B6+d0mwEG#Rfc?oY_uBo=R`KMhC_vIclbe==r z*gG#KX8rUXJ6}%~IXPIl_PROnq_S<9^Uv`;@~^(FXTJbD{H@)Yw(PN+j0?SZI=(5$ z*Zub=Z`1$i@Fz57&!r$28z!(f?up^Uf?i#F?!EsNneR2SOoDJh%l%>MbL3@bUvSlQ zi(dr~uA=^J;BAJ}a8hBp!6@bO$;zLlG#2gCSf&3rSmx5(*m&JGBTwSBS*B^>T5w{> zEV-AL-EOpsYs@qTOc_RlM==09sT=Gsva|7WQRvTA2$$XvfOu=E#ppH272;@U>gmXp z(xpzsA3MtXBu(1D!T4Q=MbI^va;$`SI+@oBMYwV=L?vZ<@QI29BVHS`#UJKXa6{Dc z-Bu>)u-a&;!TmO}PZZFslVCOjZa<`-16h=>qJC{lfPnvq9T&Jnt-(-jE1^;}DC3FZ zY-rX3(e8=QrRVFmHgrOk!P*EB}BfJ&P+6x=k^33GB1ME`bTUwN_nN&@7OdFh3X7j|uy zGG#9e<5z4R9hPiKEkl%DG<-v9%`@Ul8iS z@Y2Yfr8-M=8vF_rn?sysq6wA8Q|NbFv!}FaWedHivExyjw{F))3cv44R0?J9{`<7oD9pEN<-49*@6d^NvA$V5HaE$>7y~TED4IrAbi2mx)A*t`zxH9MW#fx zx)fQc{%&6&J)3Li5EIuBe8H?cud&)ysa#Li(!}K-Qd=!c4+^(q0L?t0<#?6BYMQOt%XRA)Vg!AAcu7rJoW$t)QJ5M>#+peod!{i~CJ zi4G#13Nc9(Clf(vK?b*6$&L1#1-4~NT2&8949${X0k{9NeiSh@|<3uhB z6ZM{j$bXpyC^21{P|~c_;a+w0$So^qTS;PNxwrU4(Ym!7@z1NB`juow_?!4EHW*Sr z%uCQ>GKKOp;`VL7Ba7@MGF7=`;Sdhk$WcjUhe-&^9(+i@F?k-pz339Z`zX?kU14{ z4%h|UrH&Yc0sZyD`H#p{`GJUla`uJXjcjMz|GMqULia+q!v#n+=PAoYWTVz&v@qni z)9bxGwtMGf|5Q1(C(*lV3K;@+Ea)-ae=m@r*lE6k$%0Mjy^<-J!)}56QE0Z}=Md`j z_V8=_+0FmDly{2Kuv2hS(VuEZ*P_t;;?K%5v4-wh`o9*QfGfYFmQViSy@{<(J1vCv z0G`8VUGI?=!VK?aJ9qu~P1BU5U(W_VYz*@6SSQ}ATi>6Z#&PkW==idfxD&88i6=ZCyTdu*5UW9Zm*Y- z!lv(2_5j6V*%GUTSp@%(3F z^3KlVgKOtc|J65WfzMq-y1hu3xN4i1S#%;SL481BcgxPv`rwy?#liU@CF3@po?sZCXN=m_qT!Xg z=W_(6Lg$an_u=TN>7AE7!SJwcx5I7woA+6-w41g&+}7@%H6&%ao-2XYT#qwHO>oI7 zo?ge@Y&w=KEdQqyZ%*Bd@hruq7N^x$f4QeGm%m>u9{(QS8!GjyZdxuqVv>Fe*r(+1 zd~&AweJI$RsM~v$_FUs`aJ}frK3}mKt^y=3?xL<(y*qmyw{MnvUUOrBGy6dQb^jhM zpan~K=?Bo;YG>G=MP7scbN2&U8E^COhKEl(Ew;BE$ksFN&mzbN)Q$%-2&&)}Cjbty zm;Hl7{t>mLqByYPG%~ay7Kh6T!v53il}pZ+*|`=f6eHWaof6;FPEl64$%nAP~jzge*txdj#z*ABaaI#B9gH6Kq0pNGMPsG zP#|>yzd7MI?HJ+q)iOP2*5m`JE_fG46d(OaN=sa(%b;DIS;5%@72OGl-76oR%VxSX0$5cJv2@`mW@KjMGS!bA#Cfk( zD{)*q7>@3qgTLb~Gv;mS_Sn)aV=2ES%4N_GiRTt{Y6v+cwZj;f$k^rb?Uo+7B(0I} zB4Y8*>8Dh~aTuQ|n1Y-fcW~y47hxc9G&Fj%fKtMN;E45tr-4SKC#`#I3+UZts74fu 
zSo8HNY+2sn@_@rzPh}B2PqhhUI?5MS_q$+p~Vz?9guq_j}xLX|{A&36cHv1xcj5v4786+~!Sq+nXIBD8A8DvkXC@dQsMZoWXl0+p1)j(x_DJ`vna1I@bv(8I~ zKzNbMcwiVxrScI0cXR7YJ5cC9kE`tLJ2z%Q3kIk>PA#6uOhm)^n;9MZ%>}PWa;-+j z9ooQM&lNHOJ`vu0)p7R`ACPEpdTiJnvBXK8 zRDFDnSuY73j5h`fMlNA{HOAw|DjhobB;(vr<>}GPc8`ujW@G3kd`j@(F|W#;YY9pT zziYv^feynH!Rnb$s--+x!z)302451!&6V}I)ajA{u?&hMo!ChW8Pob}ZVdYSK}QO^ z(m|e_RFx1sN;OM5?&+Ww7L=fh1+{qPu53%higJP<&^##x1cQ#&(Md%N0p(g$3Axp?P<|86m?qR|kJO!O4M&Od54KR= zqp3}eBvu?J%Y2er{sotcm#$z@^8q`{JK~|?&SY?TVSq+Q1S~jit9_`E%2C5|XeZTCYL*6@cP@j>8kdF^hyozigd>ktJ{ECv zY2Gs${tvnVhk*wVm^3gBmV6XW~LzfsrPmzj5DP!b$*W9mow59rT8pixu+5QPc0 zpXs-M+J}8wP1~C4jQh@NiTe&N^apOb_s8Vn0;t#h?-2rbpX1ir$+pYck=*GYk7Kk~ z>YOiYDmMggW1tiM4KF>U?$b_L4CXP49b#gd9k-`p{>+FjM4tW!X?`g^UmfbiN7Ir{ z_~VtfDrLR(8;p|ApLXwv<_0gTo==4D*D4#IgLAY)?wjs@y#sX2XFa}(z_aQFB3{>+ zUoBbw^Er&4XOZ1sQ9S#p-mxC99nZD=FWFI=UJvCIj9Y*$`PS^zv{vuyAeQ!*pEm~< zSM3X7&{f`BM|awnwOyaf?Qnv5bE~)2@6Vexep~Hf43Y%lgsr!{9p2*&(<+_aoF7LO z?N>XR7M$1ed`)ZO_;#)GXQiFC4^J5rS9NdNY1yA2+Bp;3+pqy2xxlOss@IR}JsIiC zEmeipb1UzsiO%kBi>!5rFju$Ex2ocu4Z%)pHhrxP1c9DfT>X}VGiS~nqcYo9>gUO- zKi)^zxrBo~HKNen@3$G3^1QxHGIm+Zpj0_b7Ry~bVDD3ckF%u(Qzy4^Hjd}JTSKvJ zu4!RzpZ~o4#|-tHPu66k=Mvnp9seH*Q~V0Yo{>z=%&qf8%7W%P-v1$=s=FTwcM~(ZM^ioa1z45< zPg4~E2#xS{27ZH={GI;uF*;;Wa=dPl+3tNxYU2Q{8i~t2$q7k$z*QgzA$;c4vkii+ z!;b^-@RDWmFb>}01*TaIij1To|?%MIXT>AWH(6vGKL(wZqv|2%5dfN3c7#KtYfa0m{e0 z98nP|gsSHj`k=qxLqrn#`FfC^**g!^eQTwa5BO5@g~3rhs_p6!)}~xX$pdh$>i&w> ztjfbnk(SP>jcWT=W}{E)iAU-w8&miNj6%?Bj5hUqgKlX=0ch2)oC&b4K|FpU`f~zN z;SqPnmZ_}mc_=E3=MH7>%7~$&39*}-PMa`6C9iNOZ}m|pP)BE@S0KBuj57)dG!KOI zi^ciK;Zm?BBE_3m5gLA9GNr_3QHhfZ(R4ySeu$_gQB6D(8y=>79G-wG9%&cgPIwBn zBx&9|%=NGSracV8fNqsAuau)CttV=}6k;>MEhT&K9e8vmT#+u4WH5;Lp)o{{1Q!H# z3FEKd7uS)FG~16ZVr8ICbp8x?ixn{##4phi`Xa(yUNr+d5PS}(<1jf?{EKB(qDZQi+ zWF)kS1x&qb=pt!$pLnzd?d?q>FvhU%q}S;C9`rjGy;ATxS zdQVuirlQivvBb~?X6zIFvnnCKvg;e2C_9P#1K$rPuJjsR(v4+RTChO4(xfq+Gu$A9__ZcYeO8VmhgvizTAEOGkQU`KRDY?3 za8yT*0&u`PMB5K}8QM7rc1gjcej&t=mnPw2u~Mpzsc1LwN0zb<8Z1U(OHxK^&BmWW 
z0hYqow#+lGMb5?ob)%VOgcn|rX086kIPuq<(y*JshHH!Zq@sGiLO?bEcx@lRYwXLL zW3?V1VXDVN%vn+h??v%hGg+omL242Krk=c#7a^BzKbG2Dg{A zl}Dt>V$DY|xnth?aTwwtXER)KY3MQ=3jVJEKW+PKHVRG!Rp0%06u*be*-dI~N2I%g zNra+GIH3dIQ|A4s0$@B2cSe^Z!Q0c9^B@@!57ms|M!BBjhslQR?K?J-|E^-M0i*kU z#f0En*aBhd_1cD%y!Y*TTrJ&?rp=hHe}8eC$GVel_p@`{hGw+ihS+D;9oM0sCEw`{ zww`8nkv*AP)|$G%8csUswi{n%-^9PFdLMM5xAfayPuFHXJbj@*9sw8GFJ6yhhlrc} zLCze}&#ipdl4)M8f*$<`id41US5NqTMBT3&@Cw~+zK(#cN_!tuO2_+X--smzZXd5@ z!|SynMqZoSoiB2nuJ)Da7)?DA!BXdsI8Oil9Kq`a{-+>S%~$oMZlliT#9r;^`kX&J zeh4*<1FDQAY1!>hCD{7r3WC6lZp96+H-@O4_kZJ!;pp}+|j?hK~$p&V!{cob<;8%_DZ_~izetJ@5{qX~`%&nXi? zm+h4K5<>SYxK{qU%j~G{F!gp{i?}uKhcvWUBzs4G6}^k$pxX6+W0j1CH=NDL)wxT@ z_7Cs9+dRM4z=M!AeRqF74ClI@Tsy2TSzZ@h)aqZ1>OXH@|96YK>c3lC24r>py8o{Z zH`Dx^c498vdHRN2Ax2qHr&q-0@__#y_m=YL?-%|RR94kv#Ombqx;gL`*TeL><5hqv ztDz5JKa7epv%#Eav|tK}5PZmFP%w+6O}C+gQi7UthT`g{W(rFVt zsADBon^GF3X8A5anTaqoi8HQQs&_L44?GNlx9R3-V^FwOU;bQ2)G1o7Yy~WZ4Z-zJ ztzoBf>9KwrANdudFM_8C;w_yXeXYvylq6!z;}@1j3dh{QLxPlEf-Y=$V)-klygdNQL#Zf zyRTVJ-E!fL#a<68%Vcp`hAw+~v|Qi`E$mUXe?U z&?{fgp0rn<89^ zcgdezL|39%VjaXXu-P!~H9pA%Q>vz_v?OAQFM$Q5XIzbown}k06x)|d6o!&egvg~{ z;b{+@9{h<<@Z1S@2A8b2gg&G|th=zY3mDMg6@R@&wfVbhvP$h0Uznv)syaa-0q@2g z2DUH&_#=3|tQtDmJP3DH0@Z|VB}7)_ND||C_8oLxnITcNQ=+~F{P~rnRcC=i{zdY) z1ED%Y_3OSJ*!SN(uK$Ome)^jrnsxMtGS5|55=_JdS&LBK(J19a0reO~Ds073tPo0j zs{KI>=pqO4$io!CEqf3TR?IXMyiNxP=IYY)8q{V2Q0Uj0`(s|6vO1NYc|6K)K>-_+ z^W3ZoA}RKWig_EZjW5u|vX@%)r*?uifeO1*GW5BlNC7N*C>i;hktgYexh>AMqiCyv zEXS})dl|coO~sE_F&5pQ#f{ZMgc=1Vn97peT-6{7oQ2Q(JdEWk=zIG4*w13Y*XUPX zV(?ZCnl^J=!YqHB&F1Ha^66XyB{(!{=9p^}?dAlG3jUm`ho&U+o)%2Wtj|M#8kDFH z&ZmsM2|28)^{LU3nio-wRJL*aT*?y*XmnB#2{A^47FsUCqy94}0aOJ_seER$4zR@IoPF` z<%d-$oof%4$dh=6XQBoTs!D^iCIP9;qBBV2UauT-K#yF-S|r-fzj1*r(uQ3*Td3!# zXE(xxc24O)%xVtVeJ~s?#`mj2nh-U9PARm)p$2!1rfcsMO8bWGU)B6o)39>4wR*ZS zI+%Br_Eb~>*rEDd)iN2YG6TksVwl+U*!U4oFmWm9{41T`6|J(qf^efEDb?iYF8C{D z!Fz1Xv-p)Z=y^gmT9Iia%?UG4ceLCX48?sK|9A@32?|um&s)+KO0zA-Jxl(#d;x7? 
zAdI7mfPMcFUCD3J-CXbaH}*YPj&~&QF~Y~8?EMWiGW_1_e(!djoN#flB>%m%KIf_~ z%R}q>xqPy663FFjufC+nHuKh|ZSx%tT=;Q&ySR<$JQlo9?>v8oZGT=oUQBDB2M#XV zZFZ(RJl~8>l^xjyBYVAJ`F>l>Gh5esimf>qzdRmSmc4F%t~rQ!SGbjQ??x77G&k0@LJd0Zy2<>xZHHmsXm-t^XZ}2~cw7o^)cQ=} z9kjoWGM{>&cS8IYb6A?^p=Isk?R+h-qmKsn!CncQ#-p6fmP5USN@iVLG z&Cx-75>d}riEFG7(C1v6)qp6cc)RQ1z4n^ritKjyzIEY9_eRee^76!aVmkLqcBbco z(j+QuxZ7+SfOAv*yw};yPvkk0&2iB5d6$;$v^~$L`>vY{Sh4-aCw!hU)*Ol~q;_8- z6)RqMLv^Qh4Rmo2XYX*gq?kzWtF_JK^mc3?NrQ~y+z#>Py?kr)E7QUv>er9F6&Q9vUx_WB zWYLjRh;*_^vEIfs_WprO2D!D8+w8AKb)f)$FbmHWxA_bSO?rIh5{so#wz4NgpLouy z`Yb23&o)si=%qyU<4LB4Xm#msma>>zJ0$8L6WWYur9|W|;#nv_2O(#JLOCfrERXJ? ztjl4agjUlOacFA}DVE}B(;T@kX=~P3;AZoyK*b%bJqCK^H_ZXODh3L(?GjIX^noK3@nFH_>OWGHCrWd zdFw?b1vS$uz`~z}6IC!y2ZCQHRJ=<#!NolBtow3=M#Q8zBTCfNR+c@PjyhuOvYxhD z5$F=}Q6nDgeSj(YaeSQ)i@gn5tme~NFLY4J@Q`@>CO(#lbS zS5d`zxJ$fn>-0yXE!~J8vX!-5RC_qaSrOR>vEat?`9K0GRpgJTIaBVSU;R3_qU46? zeADg)4Ksk%(A?#2zW|K4y`Rvpd#^Jh@|^z9xgq61GL+~!TqWr)eK3}RHe!f1tRLx^ zrObAe55{nKA{vd8?7njGlcvd4`O(^sRc@g5BnefiCPo}2=S?$ zc~qX}!C9M)NNmpjq@x}2t{5xcH%$ebT4Ui?1mB7%q+xKnFl<4R)eopkEWA_|)9>HFLW}X)fcCLtSg9m;#h*A+KAsqJRE;I=lbhQJS1jW)dK@dR7XZb*kVqq z@)Qh3Y8ZVy!7t3hIl_M~C3>L$ga)d?NSUk12B;a(afgg`6tqn`>&xPQhABwa4rHt! z%7$s0fC?uCn{Wtdd4gRTfuS>r^8Z5V};T4b@?*-`7Ha5h_A;}{B#ZSVl4YeR0O&v~L({=zB4(msR z3nx;cF_bUE!j5Gspbj|8*M>kN`!i~loj)OlZTdzdek|0UiWJ`kBY)j+=Si(0!%DMI znJ`bx>;`|#BpWiQL7Ai~POl0Y{DM+0<4JjwH>Dw7M5p@wja6BUd;L$T_!Rv%Oc|1Y zLT9W4-v!pwK2K=Qmae~hSqSk06gkqr-|JeR?{#ftKphvRAuCx7RA z{oC@TaH+x5_K?Ymg)^tF^+@-$|9kO%wneRhb9wQX(~T(6aK7etuJeG`DCqr7dUI&! zV}q{Y%L2Hdk9ml%f!2|d{jH&4`%Y3?4&PP1ZjHw?@xi?FOkkTuA2*KgWu$ii)zX>AH0-P^u?cz@X7YRF*A=0vrV)lGlD3!G@K{2+4UsyTM+b*OXNK#vJ#4ag`t`@#$-vE@b?dde zU#%HgJ3a3=ezz~37qxO#U2jy#A6XwKb&{?-+Y3bJkE~$<5~MZQ$P=G&)lO_?Sr=@#jeAXi<=I~ zyFtX%t-8BHZ^CN(_I-^`L3ZE!ohgG&U+XK$TtAz^?q>tz$|cSAqb7Vip3ekX1sA_; zZTHrbXW%2lYwiq!p|4Al?H`}JaqqA3BhJ;J&xg?z4PZF{5t{<%e|W`3O7y9O=ds8quG+&

?*EH(r`KO&|KwT{n_4cm_AE))!} zkSD6m4R}6VXKGt$Pyw%%tv0sKH!O6y9|s%Dz}-hhn?GZ{_+DAbU$W!tx>2!JQu zy3}Bk4|gYGFS6Q>Sv6m_Y{xirDEDptQQpUS2iCb0&Bm&p6a>JEva>%BQVxRjqf}}o z%E#D@IVm@rYO^dQW>uL_G|-~dj|V7lF5z=K&(bWTxZwln^D zw8N65f&M%?x@5P=X;!#BUDfr@_4hvk`g2uN@HAwQVz90Wwbx%Le=x0OS_Y9*HQ-#V zE>*CadM}Zmt}NKeJX)a%70SGm9BmFa03YM&( zaulhQHsF#YM2o1w>WN5U?UTYGD}v}Y>Z5cF0#)LdDCASPd}(6PKgdP;iVWT0_=B&~xhq&1df@ip@6@ zo>Bqe!k*$S)9I2?kzUwnjBW7P4MXurw_I)#W20})ayCRH;5khZ4k)VdCo#rdO?%9f zNi_5Ejj3J561NW9AliE^&5=W5$z?!OsS~I``E9__r-jN!q#6(g;RW*Aw%>qigH;Nh zNq4V)9~~RJ1(+9@U{|GV*hm&u_{o-W+a%Gjl1gMwp~y8Fi!jO6RkC9A#ThF`XCgKx zA5cF|)BwLpAU%Rtf;;9w?d+@n=7-35Fgrxkl2{v<1XdhHn;d2r5O(U21czs)RXo$W z8EUfVn2IrA{-qF;Hka{;%XH9Y5b{dUw6v-*JS_@@*s;`Hg$k4qQhO|x2%47U24!Ag zu0E7F60Rz1msSQyVStNwm-Ztbc+oim(S#EAQL`~3(U+4X!xln-7HUA;hXXJpK$Y@>^FNJ zLAAf23@Y}RB+wV4q7O!<&i{L+5I750u$^KfY905hVIKUJ+~hkuGRp@$bA2_x4yLI~ zSuGWJ&X(1;wI(Uhn!8SuGEWBO0=9ef*ktv%o;j-=^)UcXp~sv?u8k#Cu_GB z%QEH0ETc(28mxl!H)T_$a(SiXqE}vbt_kyhiho}K2*|s{+swo3jwXx1o?s#FGL)j< z=U0-vs1g<^^I_u)@{{5>s1^K!DvEdw0ge>+-~IaxjpnCi*eiUjn5wtF+qW;c#IYM%Sz??!gJ@O9(|kwv!0HK?KHqb(`k{fXUG7zUn|=^C%Vj%i%QkUBCSSk~3rp7dodESX|4O z-m~Z{&0M>AQsZq19AcfwNz#5@;;r43kiJGF=oo<_DrtR*^8SZr5&P%$)|;woI|rAD z`B(e+=hS2NUL4Q~ipsv_Jo1IbqRM+Ra9!u7x_v0u4d+NW4sSzJjA#+1Eg7+>=AKcLAydl!(tRGt@jqu~2D&wZ} zVGwq%cvY;A^p|s4N|&GdWvDj(rPrlvD}!cc*ULL6Z7BshW6$^S+TD)n=42#Uv-=}m zUUA(#jGt(ozIXQl-7wvA7OHpav;7(A?7C6Wcn5tZJBGjK%sz!Ijr)o5c6>v4G>7N~ z3QW-Uho3;(^k??CU4HLgUL(j0JF8h=vpuCCL0 z`^H}u*F5fFVHQ_@BbYJR9Fv+F^p0~8Ck6Olp8fXj>5W_N+aFVwrJWM81=vK>`mXPg zaeAMhSGj3%{>>h%1H3`_x(_Xkd##W|&+h$Cy^QV`^{jsU_o;^6FE`h~xMiTd!Ds8) z$4src4A99dVN`E~hq&-e~(>hb;h1t!-UT!#kRIB)VE*YnL# z+E?~t%S`?SJCD%H#BPOFm`?XtoEIZ37VmWLTR}emquOXePB~=KM1nC5FGV9oGAflW zOP(*6sFh4m*UtE0lA7}$n%D1NPB9-`qibiQ;apxU=j!8dnB$Q&%Mo2$lc`p`xPsOQun~4H8>+30QW83~!TywBngqe^E`;{K>}HYEiRy z8I4{|iGfP#r>hux955wtI}i&ZoEPJE0uv$PQYllDVje?C&}p=_npPsTbX#6IPgKim zBU}o8mBYMKef6V@NcEYSeud2+fz^{dYhAbkjcV6oY2d;Fp+flK?5VG?()ejd*r@9% 
zQUhwfBCmO#SD|fGC1VS2tpnR&-Df!IPwhIe3sWK^6`2r2dPV+8UZBZJpLN7iGl2jR zg~;p&$q2;)$WlLYN1P;l5EfBl3O>)yvQv@~fSf=eP%Nf-BNBCCzl93edon8bejf=1Pi~-`Dlr`&QFb#|3WV zb$@{;qL+;m!Kmh~|4+a~K8Vhs1waqw=P*@aIB-vr#Q4PVYKg+ zDM~o4Xb`6#9sMCOGuxmFgvc}1F~x}}7y2$AMmcrp3$@p2KZv)IgodR9z4GXQ_v#vT*_ z=`k;x5fx?=9>s!L2}6ih-lAG@CETNf2*oHt@x)hg08}}nIG{#~wzBAE4`$2X0p}mNLlr=cspmsH zQu!@>iRw`y#Nx5!eo*;L_8oW(eWZH>EhS4gEh`xl{SEX8>{1n{!>XxYE4uneQKZI1FTf_v!O^8T(bxZr5v%xl_ z@i3Tti==uWIZP_OQICs`6#VRQ&fmGX>$Vv)$XPYAV{_EMODp|^F`7*yTgG&3%$4a% z8{OCwBdTU?B>Ddkr5>4LU7nPa4E9Gx{hk(rtESIrc;rdhH7a2HixDC}4wvpiFS9Re zQ=Mq1GYiuC7HGzSD241yW_(_}NHe#9zuYE)%CB3WIdsd!td@9Sju} z*|1U#{=+jM>??q&6DvfKcc$rH?tjb22@(tl%Z?OKS}_;si+Par)p(|Ng}nm;92=kx zU@%FZ*%i$2zssFmxe>Gik+VPr5jT4H)>KeQUx&f%#+}UDPv;xsZxitpbgzEKw*RYk zFIFm89eb|dxJNf(waW^H)T88$fbWx8qX6G+pYyZUS6-(93*q*i_(+dy<;hGY_O<4w z|K}F+clJ|8wKeC5t!}Tl0Pr#?trrS(Irp}&?bXtAIU^+XUliPQw!^Fp-O~-f=@!w) zWh`2rK@Vxf*@gbs=@0wry7TI--A7hV{>t95tZ3HnwD)$e zXw$sCCihF&IJ%_Gc#hxE)v~&`fyCFX<}K8eD)6Dw@JIWZYe*V?qnp=2`sb zim8{x530pua{JE5OWaaLtZlC6)r>9G*3ROmN!Cunr|WfWhR?m8>agvXBg&(z+Kt2X z;hrqMhp$w7SO15P=2hBvB8Q`Af4|kN-i&tv=NT-`Z4a4w%evmSJr%bt?5bP&b2?4C z&du&t+qUJP8H=STH(>wz7p*m4$_{|@yh7HX{VX2Z0>Ka|j;q(pn2)FZeYs|AMbl&N zuc|q}VvQsthT&HGZ6TGRw^__q|2A{&(sX+J_i8*&btKzS7KO0)CriNfk zUsIohcWuw;Y}<1pfp-Tg=l0q*4D5Bg+WyMrEO6?%%{$5W4jK)3{ROoA1ZI9hznOk= zLSz{Ldn0eTKd4G{BuYN2CxF7M9<*&qGU$}cg5IB;*M?8PSB^L2fxqX$F`dj*OW*jA zj;JKy!g95SO2J4vYymDg`5;6{U`xfxyGl81hHu$|V(FO-JMMk)F;1qGhUxdp@D#Dl z6c)6&BemI>EO^MIv8Z#<6ie}t2Mdy;+x&O#+kjfW@)^h{3oMq=Ea8j8(0Mdh{*Pig zx!LtsX?b~cQuWb;=6rREIXm-oV&@cqSh}wkJh`lzYJv!7hiN2v%%8pYz$8}JYE{xD zr=0U+N;DMAdapryceT1A^3FjSll{PEo9ZG-NPS}Qa&Qu-`FNgRh}WWi@UtwmEAF~c zncA(P`#8sDaSLReMUH;aqjIk_{7>n zquy>iQ=EU(Sv|?nOGW1r#MlWbVDd-(`#*AFvqgE;B*6g?x`gGTczQ{D2%ep zJSN>7feYUd2k;-pi82jG!(!Cu2IMgjfy^>$01V=x3Uy^Ok&+Q5G@;1f42$>L@PE9f zic<@q)L0{s@8xBdNsCwxnHi3<4tUmnu!-{TiP{FG*s@Oz{~)~7=IY(S`_e6Xd=;M5@9?z1U`8cHI+Mg(&HWv#$>ZuGQ{Sy6{ z^8f3vWdb`5`Snd`1&-uU_*s8*L|U?dCxV;%4?voT9Gzi6-7%9?-p_%Pg`jwR$Jj}$ 
z-{k}PBx-O3DNYAARd`l8lZjK&pz>l>Tl?oRF17YhOq-5x1rQMt(OFRdW4!7y!V;v-2FIx3CQv(c}#V=fofeW5tETqSg>&*>|;G>HM^P*8vps92>KlMNN( zUOHO6=!a9vFc<6kO=)zER!P8^ID5zNRUZuks>ZcuTQsAqP6gj1S$flv+EItDC`Msf z<=QMhMR^`ivM|%n;a~bB=gX_7vXMX4cIk8MBZ6$$N1NHfN{RdA#SnYcF2;pU=R_n` zp)&xCYnPh4i9eR*0Q+vLD*TXT!iUk7V4*0*Fm~?u;+#841)yipuo78XKcjd50D*V@ zTA>8KnZP2!r`&RF+&0hM+)wCSjD_OV7R&9GH6dp$p;q{y@@kHftA-_71>1H7*CI(N z!=M0vXB=&6NYKC*l-b0j7!Bj>xkW5}DwC?!X=HB%f)+|ZF|`6rU|9ZMKU!@Ct5C1wVgp)n~`AygsPqN55_(-f^pI9QG; z(xkDH{!zhh{S%LU^>B8f9}0brAqWQn0$uUe6~fwq^2nT^<(f<>hmis%OF_G9nk$}z zx;Wde|0jtKm@D(KY-?~iJE3Nn1 z{I2MQx&?wu9OIMvCAel^05nxbkpRUA5$pwS`fXpb{QlAYFX$S8pByiV{6@%T|FHQn zK*nhA-iKLgP(Sjk_IgXpmc-%im6zOK#>VTfbtk>^)n3}<`q7`~(Ho-2yIQd#-vQnX zYsNt9){iCqIMw6oc9FK+mK8kv?<6_T!^K`cr@76rG%TU7bL7^y!IsjG(<0=ZV*i%| zvsjPo>XVhGpLE%urB^`fv!G>9-(EpJhyH<-?cR&8YCA3GjI83LoSoc;&yeN2(jQ#b z5lPz_I4{2L(r{LPUS#Fwbnn&~+BR4?M^I>NoEHotZ8bFvbcQWz z=#(^Iy52Sqt+1?I-!E=j-0U1|>KkTyKbV)=H%(s@w~KG}CiU*k#1TCHh5GJcFBNvR zXI`)c-}+K?ji%OKCqJT|1?BVPn9VRh>z$|k(9HIn3v5i&iRpAUvp>M! 
zIE>C|(Kopw5_BBrxw5WW+TroUG(Yj>>;&dR(jBb`7Pwu+wlcnZKiIZDKPk&%A$#3t zgjgAuz7GoCEm7I+{Oi7csox(sK?cqhj^uW4XI;oC=s0b0uJD@MB{OG`**z zBPL!sRg5Cp1XQ8vK%YI=#fDILU@|7_YuA(opOY+0mG7F@CKyX4iyCtlYAh&NoRf?z zvo)VQ9X@eM(lCI#=g{g-2Ok-mz;t$1{Fd?+dNGY?xC?R;WRL;TlQM2zmCT<*Q6Z>K zIM8K)oEy{-u=R+k*ml_DFp@cg_!T3WTy#srEE+w@lBos|%^^N&x*;>E*E0>a+io@^ z)0oJ>P_FdAAPqAIzkKMB;kQ0QE6)7og6Ogd%HmO#CzLn(N=aU7V`Vv?Ss6zk`2d{~ zI!cCNkmZ#eSnLkL4#mKqK}kRY3W@YN^g)IFq&-dqWyw>9QPB=}UL-@Dia)sNu?iR> z)v)EIuZ{7Tp?w-NS+4+n=p$5;N=+)iq@J5(#<-N5wfOAK3|sGI1iax10T_VQ1OVBWFaQ62&zZzIaU{QjMt2cRnelv z$WgC!+F&~r$NZbP@eCw8(mo56%G%F5uK+eohT}~KZbhk_ebV#kFVuHZ<^Ln<8oTQX zv~8@$Y~0wkZ99!^G;Vm}G`4NKv2EM7-RPW`JKnqFeOW(Xk3IIFuyA<#GB zPML9JU0|DMp#38uIKT|mY)>YsMsndzqsFp{EWb5HE0GA*?V z45LVSiqE^Hp-BP#Joy87$W;=M`WSwj*|-1C9eC&*lz64hT^n*WM-IMdY981e_IJF% zZ*_bh8mzpW7c7-q{ZCy#Gb}n%9?@ua6@_k-${KaF?1ylzRGZ3L_@Fpva`oQd%uB4N zxq?qH72i&EdzDT_NtTp-Qt?YAX9e@9Ga59O&?FjLd7h3uPu{BhO0Tl{SJZSbg8qK@%4HRNG z>yZ;#-|ZLFMU93Cu84hCtkMz1)LtYFqE+axLe=VtYEdruJq9cGya@xIy_cm7B8{j? 
z<=Vk+|B}FaZa)8Bg9&VsmU!g&zq%y|gt#s+#gfs@vwoWAzoV3z`I1$g)5`D?7U)Fa z48aATbK%8`g{py>&-I{Dam9~7Amo!Q`nJqR$NsO}Vop61m3dUIie?v6@;|C1;kH|y zF%8c6QVbkRj{<+FZA=$P`e-d;7m%kK4+5x~i}8lJRR63Iql_gn!L-1fq4=d_R%oPXlk$EdGNnyo zWHaFe>y_zVWom<%TY!+MOcM=hsDM!*Gp$S^ABz!|s+R0tRe)+H^*}52FBJ_tfpt?W zpEngF$}^yxROp0}fOc9%O&k-22`SRta`W8?4(-Y_nC>vCPsw|4@8=M$PBL9+qrDtf z#(3tF^dpt0LQ)8tWB>l&0m6ZV=mpsWUx`00X+__IL0}7?fbInF$#f?kX3MdKuV-!F zy!CP7@o|g+blKM$r&41A;Ee~u!9Z%i!Kz`H6vqBDy8>JZ?E(&nsgcBHss35M)PCGA zoXKMcl^j2!0Huyz*IrU(Dle+Mx?&%-)$)j&1+$<@Q?y zTc2sXvt8W1A98ZJR=Q5@=e%y)433NV9DEKf<%rzY@{<#rbxy>*YO8ZQ?$!<}9Jk(d zo=-aTUB8Mqlx9t9g>IfLxwwyei2gn@FvxdZ*_#yZ3_l|A*>ms8NhJ|??0qG&!u#Ch zCRrxOCRy?rr9-CjdM{CQKh#=<@%U9^Sxo(Yza2Xrsip6_mz*#JTv0Zn=*MiI^GPwh zP7=JHmcDl!p|pYa*_OTCS@Eb{w45{zOo410JMNnqRMoBT8e2DnB3m!~9-~YXOm;4N zRdkv_r&ycG{Aa)kLfz+&r2U;l9#vy9+sC?ip^*T!9`h;O+W5-PyU!{Af!bDn-EuTX* z{Oa?~kI59rsWyuvjNHQQo|77}%5QACJ>IkDz45l)%oEv8%QH6}Y&v`U=^*G@wv%r= zAb>9DOYL^T_6T}C`5=ZHC|Lp3ntdp-*#15JHGcr~{>rBx_WSvkl(t0K9nV5Xw-+fo z_9t2+EfLC$R&gOM>(wcX(k}uOtfm#G2^St*+U?mt{Cf~xeo*_mAhs9;WMMr-xGvfN z>-ULD6>6u|=x6vT%dBA`>IWrC0YQvvBS1i(fHl?ZCEvtOa@XTqBfX1V*eBnDfaPEQ zVjR#rB!QANy2qFZi&`ncA*oQjfpsCBixwbrMAn@j?xQhV265X0i{+yF6&c!Y4{q;t zj!yxu$o#opFd!WqZ^Mjnz?{i7P%dW;a7{;41FO0#Xr!oS%$#~#gj5)+4E(o~8>C93 z^(M|jdk?}cAKQ%-%)QYBYSvkB!#J1O#)XuaW9faXDtBYp+kgI1v7BWF5XZ0^K$wF! 
z(#Fog(C%3~NGCcqU#0!>&dFfU$PsQd)4PBLh|R^O%~Q)_vSDD$sv2>PrZ$=u-f&h* zW=OI6c4SD56O#R$Ebmf5kgSj-s;@>z2vF1IO>jf7XQfLthOnj_5Ixx+_PvYv8A)NnF@*CzL{ZlER)>gK?mFl-hGISqJ+8^G2;*R6fyWr+umYu!Y^Rq zz(~(fk(pwDxI|bY$R{u^*T*%`|C=W>$s^Bft<)NA0f&{9QA-lCo=Sjmw}N^YWN48m z*nTIY;UVX8^$I>(ZC+g~j|Rk-F)Hb>y5Jqf z86GxNXB4Nvxudt(47VV$V`Gjeb@t?gt(3F~FJPt7N_rCN&l!A`!2|$*r(xtp&-xgM zH!4vsxtnvno{<^>IMKYRzms&wO9e)DEcw_8?d{Vy{*24Tl=P8OEDaQ|;E{iouD-_A zU=@|8y{2Q|pv-hD3Ae~nEEIU6A8xqlQxIBHv6E$nBe-{QFDHUuR}R7WA*)oDaAZ?e zSOEFmI^iH;2#1PtaOicfHOyH!AL@vdabfmv38!`Hh5|HQd>!rp`A#A_cV4_H*^In| zwE0iA^WU7&|ID%2vg7kuqPDHp6EQXG&V(zI6UkMv!!&UyAc`t1Y@fp8dy@?4kh7($ zF<~F6g~hD+scm7@t`Z`QSKmg%hNCheY2V7Oj<{`wS+3$LD5C?knN-fGSt@9wjT`qY zon1-j6%=4A%DC(mk)XCE+tVZF_NclHC>ijtG?Ve?27JV9=V^XmUrF{Ig+P(5NbxXg zVG0>o^gW7`2%4u;fS#S3BeraE(lb~h*FVU;5*huODjre>K_h}fAYmSb1j}F4xuasv zUg!9fcpCV&YKD(zk)Db-DTr037Plt5T!&8EBy|bt!YWNF<**1>Xzc~e+8VoO$ke0> z@DlPQ0FscyThgi9WoLQ1r8>u?l2p$~65Gyg{VMDJ*Ie%o!KTX%gsJ z)aFx^`V+%BY>OEtwOa9y$jUSxBcC6wiMX5*P#P8(0dgg5Lr!?p&HZDGs+o+ZsuAB= z#oIXRO#E$G!IKYhQR{w1L3%a$9sU|9m@C4xJRjH92~>J}LYvBj6Oun_H0Z#fO{i^C z^H7tDYgnpZPYDsk3vsg}2j?P6|n zTF1|VSkYw6+AKbUhn-+%HTYEx>)Ai+23vli_U@Kvv&?=Y|1kak1JJMS>IIw{2L%9+ zh2VI7fiD_SO2?pJCO^KSm#=n5 zYayR|cdE%T{YJ_AJ~4MM>$9hvs+{`G?Q0JQN@PFr+^0re;#M1AhZOBYAl-7S!?wM5 zpd*3T`3k~8`pQgr4nqH=sQfdhQS$^ z%aEim2^2;mX1uFv;?ALwQqw^MC`~KUK>`AKo>nmwFDCR?sePezYq!RY7zU$yb8?;jxf|8jfc7)vbmsazO-?> zfz%eEcZ7tp+KetLm2z4p#J6j|>SsU(-tspVzH_AI-Y72wd)8XvSD} z)|=i8;B@g>5PAKpUSVfiZE^Z2~ihcjozXbw*?u|yjY#%+Mq;?>+ zi`P_zZMF{W22`hd?>!qe;iO_CuR5QlHfAECq<7SMU57}SrV;?V<9YQ7V!vYWvwdg$ zcK53}_0HppH!6E@Pu!{P+6HqifHZxA#o0q2Cbc(J4MWkE-895*>0Y~j9y=YOz{Q%L z*DX;$hKtU`6~9xaTDynABdQPJ>XILLbBDL%7U07lE4dJ-3NQuP;t0IFoi{YRdyLSv zf2`;nxbt>g>v$=?`TiCN@Bjh+0s&J`J8@qx;g5wUp`L_0&wGGtnC+rqG0zYe7s!(K zm|kLX@m=C6SkM%xlx74p|Kz&ZNCk;8o`WDiuk7m|0OUSS_ke$-_CM03;@h`II{1UB z{`7%K&39&vmtieF_W!_9Omi>qL-A?M4E7-yq_ii(!$RUyJ7{e4Av5_k9rKE&b?PM` zr~)fo9E5_#j}VtVGV+y$nMpKxWmC7n`KX_*EYDn+|h)KMR+Q2w$q1$H;I2L*lFi#s?YorpWweIu< 
zI2M_MLOEDi9#2VQF%M@E6Ck8k9-wxx8LF(!-w3skCFYH33`Y`7l@=+i2U)U>Wk;j= zDdP0R&sW1SHyhrv4&6H(^7#(+>dIPW3Em5xtEv4zz4!#OE(Ri$KP z)3e_4B-6}>^Cpt8QZm`_n*NJo!z+|n;IIjn zM*2k8RTh?qW0rOExbhSsC{*hQaccEnhmKIQSwe$_oTpJ_fEvrk%rhR|yHrPKLX%~% zf7E$GKP~DF;C~YLm&hQ@lg=KMeHE|0ma5XHgsv;Mj!KXso0sSDJw-aW*d#|nHci(;a2jOI7BW_P1WFQ`2BE$2e0)0r zp|VU<0`*<;0M|&1%JL>wbRp#XmF={?#v1h1{BwOd@j@H8#mi zQho3b$mga%D>+S>MQ{zLC9~63W4)>fr1)Y0G0pVLmDFwRzT05sv5Jm$mmrc6N}7^J zH{BDdaOreen8Ar{)@2L-V4VUdli-xI2xUzKQ|06*7+JEhhCsERg_kNYcS^6vH{UoG zXN+z~(&=w-Ww4t!a3YT^m^y3H^k>hoLn$*y4{;|Vn=AO z(#~78fzdQO@%Q29M&hdq?b(@3EyuDkr>O{kCba?=Y({9FHQav(s0S9xA9MjPoI3$1 zc^C4b_&UJ5Y>E_CcY^~HMbMZdMZn&0KVUzkKr)bDH~9en$3<63wo#l@kc+`nKw%71 z=kNVuUHpL)KYu3Q?Hdn6kLPThnQ#vw^WXn;ls@ei7Pth=f{NhDP#8cR_)Pr2KZ{`| zvKzLArFQ^1vnXFA*QrpL7S6+zpT6Fvzr=Gr`s<)8-b&%S! zXb#}jV=qF;GFxi;JHf{^gA#xD@zew$j`z*x=F@U!{jp#7=)^En%k%X3_1-xw8!6{; z(A<_-@Z@sd;NtS_0Lk{e4rF#RL^w5Qh(qvq{i>3Y@5TA`pCzL&;*_4OzWXlpj1ULU<>JH)#~~rMo$Cnr zN|mqoS2!O|b;k;_PCv5$-C4epIG98erm$LJ*EVlx1jO)6|cgxv0E*?-S ztM>WuP~6_1>6k&OxbDPfGz7UHrlJ@)dz-Ia1yMD3KjXYJv>rNmS?q_)&!ii!0*yUf z4znz0cA&G84Ua}Ea|~Z9w61xK8{aK+5y1gA6)QK+H$hZge>D$MZ>HA#Ky42(1`jBE zbPA`(E<1j1nQV@&z`xhSrC+tA9@n~B;4KUf{ihYt&FLP`qVCa!S6v1@vpcWx(QCw= zCqB1^N0!K|uhET;*qT3%dWf9PJOO{anEd|TC*C)QlhyQG{`F{n@*C(oIb>XKa(~?l z;`r;bI05=UX z`ytRIhOOIv)#NM!wgEjUbCB+ol>0*`IvV!?}oY zAo^Y$rym{445}pv(>T5wDMYq%+)Fk_3%a%<;Iz&tGrS=LuWKx=bWbo6uX)bGn^tpX zd6Aq>LE+S#NB3{2L=aVb26mKc&DgOIxlu-p8ix-v&+^0pXD>O7{l3qNky(0EIs^Fp; z|8%6yH)`~OK$Kz`ItS*&3Y?{i#{wMEYVajIqc7}LV@!p&MD#xNQL0T^5W|Qu0)D1xBTXu%(YVDN?Swh@ zd#rml3W0|n@^`-xI`UGTBSmyt6hFLXhnkvPoP0a^8wZu{0%~qbt0IIuYZuH}V%Kol zoJ5jj?YNV6$=W$9gls`xW+)w|*7;EsvsSv9B!wbMx`DpaDJnW#@fi7jo`Q-+4IH&3 zff`Sf0G@D&1)<2>SJOqQjSo$w`D^~XePNCHt2kBQ+i`E~AH_BP!$%KEbY&)3;Yw#tI`p1%Bn$rdT8nA$;PEnWaIy8+<^GH<0!&y?9Vj3;2eeV zc4An8)o<04+TkOK4iT|S$m)j~XU-*AHXFC2me@QU`w z`_^im&zmh)(M63(T*+j^;i^_QQz6IOv4M-a%0ku+2xm7llIzA3w2h4pgr(U1{m?AH ze-(9)Qj}HaCXlPH@mH5@aU7+U2jTVtuvxs);TuOM)87EH_iAF}5 z5VSAuAp^%c75gb=if~-|itCcNm8V$)JbYanXVe^ 
zGpShp`Zaze-$wn%vm^0lc#L|im1JYIpZg~+v zTW|P6ocKKjMudI2A zzH6#^?(G`gqm)0%Rapw{KP5ucahs;Xtz=|P*%fgWgG<4J2jn5CgW|QFD6_;^Eod|A zE9FVEFC&|TlcK9~FFjN_rtIE>WaZAe%xf}3;i6!~%Az!bRKF*B7VPIaX%gKNBv&{O zoS{1|JhCYW{oi;XX8r*d+#L>N+XC%X;^sc)(s6BH)Ya|)en80|S- zI%X7Xd-!TpH-)l_3A)y!ieuO9T9#(I&W2VzF1KE$vo1XN0l7^(Is?CthRF=I9a}gY zY8+Y*&fmLszrgj?K(V5o0niuQ(srkmyFEWNbmeohEeQnPli$9?JQm z3yFI`k47yAFtF2BTh1VO4@ZtrM+^7f6yzHk{omuYOkP$e121&?u5&6avZn(bz^XJ- zNv^Htsm->Q9>9PSjJHASrGK}}u+GZDjfO2#b-Ph@DVM?BKU3D0+FOd(nOA^{B5v*b zyYDgK>veSH*8SV$RL{d`a^v;CZ3~a~EiFH-p`ebjWIvCm_g97*Pwn5X(?>UghT6XH z5nj$a@5o!;FCNP~mv0LjO!h9CWFKo!-jjybUyd;YN6>NVmzKbMZwW;S2b;jn>AqRW z{*q{<3OI5qPXiFl?hCg-)Flx#`+~}PwD**@)MKC+r50^lGTb8{HiV|)=$`SXrOa`^*RLt zfRIGqQg!;NCVZAyzG3If@DC(;hQZp0NLF|bH;HHIFG2I9*Bk^21HH2c-P1g6iwHr z8ND1JP82tlm+eerkJ|LJ1neAwkMs}TnFSr8=e+Z-%={l=J@z=#Ud}Fw5f%u#TgX2( zM#=H%qZohiJ#5HOiDBg%cJ`sIOf=h}*ZSq`<%)I9QzWbea8(`FhpLTfcc^$-*M}to zPSH%rSZ=+dq%0n23ou7KLxU2b^HLR^*>RK_%rZo&&7qn<>f>ei(dWvkeH+D^5yTk} zu?9r&!dp=yDVC@e8MGj!kG_d#Sg#rL?Nkn!H|ZUVkZcW2s5*;>yUSHzIWgsGUHqQ- zL0UgAg%8hiveNn^0<+X1b4`}^;E|6Z1@BO_uVyS}i8hRJZuID*d&!~<%=Jztw;Z#p ze-XhRo1A6u?$i?50MrChwkp|m^MsoB|A>3Yz$)3nuy?Q_dJWEwZ*0?xQk1xNW0l!M zARa;6yk*YI-zQn;Wu{#gRq1qoyK=?wiUI7N|E^Aq~oEimd71~RRF%oZJ+Uj8f zmddy`O++eEpRJlM(M9op_{i#4E5gb#v=jt5ncS zr`YS}iJ{2CutvHvDzF_lhL}Z~m|!K1meFt4SLOIlB-uL0WT_A?i(9rh@NR(q&{`h5=>GdDa>*LT$z^(+fFpAYlBxPYkn{zWVZnM)*_o6VNI_!AW*aoT43z?CIAI zngKl#8{c0&qNqLs4T-C7?D}3@Nn(W7A-(GL2-a+MQ?3=qDf55xrH;a$X0s3r8WV>DQl zXyL;NXp1V8B+{N5G|UpFyX!wggQxHAm!a@vs~2p#zxs%9q%DIcKx51jFAE=u#L|=$;GB{+cO)qiP@`B4zq)-RZXlgCuyQI9BrA08Yeei5} zjF6nm-QN@`u#n>ebPC{&=RsbmMUeS<(Zc~d^p(*FM`{U|G$k5O8>R)u75RC{x2y{^ z} zPqer0stU1(@&Lqhe#RBpRv0W<>@fct!xpoeQ)%;|c<&`^`i$X%{~wMgX%UQjjzu8< zg%g0`(7z%OzteEahVLg3GDsK?x)%}A4+azf8Uyq?`h$8=VH7_xQA2(GK%Ukwdkh_t zV7b_!M-IJRdv7OFcy*enoz53S`JoilV%pA4S5L*?ZEvk^zx&7u+Zh5t4$%GnF4E#Mo z;5#HS+fTLSmLw(B*l}aVImX~Z7`*8@6}bO1bGvRrw~`2^V&znK$M<%!u_#-y%VWcH 
zO6tq;`<{F=13c>Q6Wt${^ZR{$y#ed(knL$UHbL|m?uzrD^0(zR-^9bq(}WE_uT7CuV$K)2``q8qhwXBHY@klE1v$Ou2edG%9G>d#Bc&T+ z4$V$?+~+qAgoltCoLb-*hKodfp!%EOP5FF7;ZaywbNfPG5jtXHWRs@4FDd z+MzZcD_}y8&J~j-V7B`x>!D@qq^&r0=V4l(vHLA8EXJpJed}d@0?@ixYXWIFVBzja z;4!;Bw4)b0!)*e%&3o0#?Rn=D0=O+Z@l`MVJf5dR_B=f8&t?na;Pf;3HDu2%G{bL^ zxN_}jx{*F2s$}pnFL-n5e#-!8_djvhcfS6ntB|v1u4VuE6D6#+*6V=J1Mni1$Ti)1 zn2_7aPGcx)=OXrdASIKq`8HoS*3W0pIYdlpbx7ZQs9K8$r0U&~c#>MHf4pT0d>i)A z0$$gqwDQX9KmD(ntCj}@`(6Z+uLT)SeXU?fFH$bx@)97DJ6xvG7t7d`^6e6c0ipxZ z_`H9FrMIhto4`5KGE(5I0MdraL6jHP1^+9BaT0>iXwRID;FB~5YRg63=_F<^7182R z*ozhM0Y-I5^GOckK5dCa%9>3AuAM%Nv*2B6uPGl?mApa7Hp>krf|Fv!QEXOPnZc?7 z$@PjyQx++U*4=D&BcH;9ZBW_tW$88%)CZ!csgDlX9g!S`qC^DDz^|HM)`E)|_YTY@BlZF9Y_YNcx|(`(kB( z0XA=v>-)uH*z|ff%kSt5G8VG6nb&-37Aul|<|6q1NK`CRYo<!Lnl%_2-GVhCYcJ=7*X{qY8<)P6_TS1jlr0mBpc( zq{2!}9y+Bl5!Q)kvxF&S(4ueW!O9ODCU`1MbBIM*-+2gDQ%)xtSkROsJTT+xW1 zOb>IQa1fk}p55qYP-JxRSySeokdOtCjcf1t=7TB+AE@SFv9Ja{hXrL67g#2GsQ9?p z8ed_p*q}zwMUM{Kg_&)!s7LHU-A?y7D8*y{$Ul@5jZUOyPRq}NNWSB;75Yl6+h1Z8? zm;OnC1zLzE5Ss83B*OzyYC{cQfi&!6Q|^3>#7AD928*{Qa+e6R?5kMZ$ij4Fl1_GI zjw^prp)w(irM5_UG~eoZW*0t;HtlW1s8+HI;m#?7kT1rq{3jen@U(byz9~baSufXX zT1AF8^CaNw*Q(1q>zDWb`F@IBiNzjYDHY^yJQ+NoNv9j{B0*zCjirFHF9VL+>tl-k zj5m1L^C*-vnr=7(7&p8nUQ!I-$pFc>ynoS$E(<7(BT=ScH-E{+2li&Eha~$3)&99& zi53XVr^(JB=&#t8h-fyr#>X26)s=~eUhJEt*QjWqKdA{<&jfImoewuZynCQaY0ezv(bnQJ1sWCixc$(kqPDr4Y;PHOX$iP zlfQCsr`ZNPEx2buv|_vB_po1eNyh*H)iVVUl+>xM7&HNcWd?zPe z=os;8uElG-k=X1b7l4@cF#SA1+_YlLXAn%k%4huSTRqBS&~}+|;C40K80-0zFX!Q! 
zx|ZA41lpbB%Y6{O`0$MtFzdKK>W8+q|I6SyGkr3}mgP2Zx9vy_w$kQ(p(F*H<##%Q zvt1{1pw$8WP0;HOKC(;V7d}JRG{$-IhGr_yOPL{&)6AnFK~KFJc5RlPrtX!4!N-=u zZI~AQJ*V4xX`{h!ho4RL!d8Ck1^Rwd_c=sKVMiKQ!N^z;fMunAQ6lv^~Y*+_V9=_ejq`sGzpHEe^ph9l&l% zQ$twJM`q#*V0SE+xNbT0zypWA%3~Ozu*KgtdnsB!XU#33Qt*NJ-RMedK2haEW5Y*tLA zuKxQ&cP$XG_DXQJtH!kYZz%b3X}(d@8$0gvorvl<*D?RFrlk{jkJmMA9d;dFExh@8 zx>vqORY*t?7$j?hmR+)X$L^S|3slR(|5Q?e86d#HX4Nja*7OR;jEm=U z0(g05=Ma`VAW2O`=*V&~sNm1y=GZ*qMHx8VKeO}Lo_}&KUEp_xix*nNGs7b4K_~cd zg^^1zIu28Z@NLnn+p(85$H`eIYf71>naSBv&NrC8G`YJ}aVEUxqiy`OHKSRFB823Y ze;|~+h@8rc8&7A4GJ%K=<>5PDB&bm)hvqNwbR8|nNPCR7qs%y72r`&CO_w)};}Gr( zv5T%H@l3XRQEs<+O4o5jmxfY{V}T{ZB3mmgvNAb#D-x)Pp%smBJ}j|%oWJ~$^bHJ! z6EQ`6`22g2X>&;eD_rb5iA<}puElV$_`q1_(ySU%wVB9Td@=!7MsGk&c|al>&lo zf>*2uc--Iv-ePbA?YV@A5SW~Ei@^7jblOmNsdH`?dQ?S5!|{_>=a^LAoU*d=zw0-} z^AgYyjs6sv{Uvh#IikFFgjz5PI}*|0Tn+PPv>OO!s1SolOoe;<&WoX<*juFvX8I+aaki61|x7BFo0zH8&BLPvzn( z@0Bgb+AtH7XZP)R2#YCmWx~^3P^r!UZ(>=diKo~m z%rJu|nQLEQ$$$a#Dr8nGdP@|cx-B{%9B=tD6Vc+~>B>;?iEi3c=VZBHY0`vZ9+*r? zU*Knry5R*V;Vw|`u{Yu(G6vy-ye~i&3)=)h$aqi#NEcfcX}ELL)HSle)*8(MX5mMf zm;Vpz?9O7SzP#0mBcBQ_7SxV3+ttwONX8RNW%4?3l>ey_50!Q?YGC z`Cux<1i!JO%XLjl4Srza${|-*VLx~-(+8)`%GX2UAW{hw7*@$B+fNQmu8N_CUzf@E z96)HE4)`kHS@UKedn-2gabjApnzSY9IN^=`7*9`AO2QQsn1>eZ5MLd+&iaiiI?Z?-X+A`A%^j%)kNcNyx|re+rWoc4lP`eVuue_E~+I0VG(l%BW}u_IHDW z`hek}A3|Wj#6cs(q0-7X-BSSa+hHx>C-Cn8#;NfQ(e1T!EoMxs*|)pVlXu7NIcGnw zyXu~do88OgJr|}+pI(QNs=5iCn-_+nc> z_4AcRS-@l9p>|=rv+X7GDpu#Lv4wTQ(Di7f66AR}d}f+>AO18pwh=vpOU&o!v+_Ca zI4Nfs8?*JknJaWVax~-j>n3vtVAqzr;vn=|H1$w=>2lmZ`g$l5De%$F;%)xBZwq_l zW%keIrtd-3{Rqm(VM#RcPx}BjIbx9sJw*Q2Vcy#70T`|;ZlC+$ei+wv%piT`WAbONWCd^?xjEw6w^@q>(p`@sw|zDa9|Z&PenL(@Hj`up`0sY+e1 z^AuDX(>y1~Z-J@TK4*zkIn9d(bepby+p+p}S)Eh(Jzu%nk2+@u`?Bl$2)_mDP77>v zYw4Y5FnT~3A5gFLALQ-Sb)HTWTlidd^%$+Q0%yC8POclvwR-iFSA$33e#2-RRo;h? 
zj=-~1`~f5Z`vGXpo_d$h`fJ)=pB92&+w{__T!4p+_w09s?z3_aeL?RH90wh8mKn5` zDm(+OcF~^q52WpG+b(;{>>aQDT{%$ejPC>e-_7CFDen!6m94*%os|q-{l|?J7X%)T zE(2m7tLl2d?dO2nQK_nTTdU>gl`FSn$&F%*n|}%JRDV7zKS6CE5co47GadAhz1q_U z*sc0OavK{1l7E<_r>~r{X4OLM;Q_sVtylEK_q)4X9_TSr%1RdtFl(0yz~8nx&>=7P zg6tB8rxI+KZ%HwP-xxV`&-x6y>g6vrVZvr_UsHat$4+ni180* z9&*bzU*(DriEcPZUY)#;x9`ynSW+!Rh>1hmWtsjzg;I3w8uf{3!ymtkdWm3Qds0_N z#_5oI>&Mbb2Yl1=k4k@OEJU80>yu|3Ns($UI!M`7cBraA+;dr|Dn$x$O5zR-ss}?$se?uft}j z1_wq^C4pxFo6kG|!eprsjlUE{N85s*^*v?8a!jQ|Ort}3I`f~OzjLvCqp50F!vHl+ z!+9__@7QQ~J7qm7?BK$Rj~p;4_0R}{qD%(%!os;BE>%X|46kO_1PLv^K_6%EM|>I9 zd3jD~48&hcnh-SU@2;@4oL~#R*2AUW;oqrn97g2M;Ms)?2lFlSGi%Bn5iXm|{#JKCaT>YvL3Q9I>y z!WEm4JrZYIF}T(ZN^87$1ff1U(HB|G8v+{AW~7W)T&{8=HOwL8-4UXDYrHh$u^U6g zX~-h@`JOp?Hp)x#oHI_+h~QecLdVmxVQ7XG+y|jch$`bUYR*k-@g8iN*C;=V7+Vl2 z58{m)k4Y}68CM>*7|RM&d%pcEle$-LPXQ}bGV*Zer4d+X`5Ygk^fI0pIj z0SbtTLFtvh9z4E)>;s^|JhWL&7VI2ZxmI^TGi{**sXlCUia&I@7(R?*-%L=+RAIvf zkA@|gp4qy@isJ{Rxzd0%4q>vh7>&M#c3#FaD%*_C(RrQ9q?|dQ?FL6l(qHsXZg5Je z5CowLa-Ao?;^0CCCNv#>HrCzwyinwDooL8$c>E@@j()0*XoB1+SxG-LUT%(j5~X_# z>+}Z>R!*^>jx33?<=RN=g~DdxnD$RY`Ke&{z7pj9yiCPrauH|%M34J&SJlZDIfK<* zZ5Z=c#qtE)V+oD{m2yqOqKtO5S@QIo{sJUYMeATb=xvOXN0)s;D@> zS>ZDhkP~s`7rfQ;IQf0stHTB=Zb)zm59j?8XYn{O+doO(yPg2=u)v4hGmvJQ`VT|d zUro}-6$?Y1wvFj3 zv@`)2EU`RjYI1|3#7S;e+-678sX7+)@&NLhP-k(=o)z}04ljI=PCL!{3LkPuQ7+l2xK9SX5M5O-s|vx4^2e~0`B zu7>keLdhiT_=9$Z#DQWe3xMn&)aN@VLYB1;Hotc^<^@l({TAD-ADe@gyTiD0Z}}`CdH_ zv~*n$?Fi8nab`_QL0al@$ms~jPg`L{TmH-ab!P+M{@l&I_ORaL>d1zw@pvv-davEQ zKSxpQ2E|oIakXka5CdExoIh2*Rdo#a&CTnczGJ!Td){;@8JI0S#PAmPfWueS<+co5 zwM@1wFL&?*Lp_P+{!)JK7ho?G~i{bp!Su8me0O__Q{$f z(edpUX8q}ri6Z1%+tbU@k=5esp1j+4_5ML?%XNK%0~nmm0dz?l zy!LlmvI6>ve_pTyfR#7qTIKqlSHRM(`j3afe+2{mhEs<8-a89S{4d{Mvjs984Ijtl zM)cYi+r$21ml3s&uU9Lja;EMc>w8zjrgXpVwRi+=uj>DFY_iXbHt@P=5ZDoS(08~{ zy2Q8ad04!8Hgu0Qw*Wjl@iYxs;t=^wPHzyl&qd5vJx1#IUBm!$JWhd2%b_Ux&75Do zTaBY#N|6?Y-?pARB6qmGmlsm)dR*PE`kdO%w=Rgg2H0}Hd~4636Cen76=XjQ`l3p1 zZgV02L=PLPWqp7@5YtRkN|dCfmBig~od_B7fKEn60ST(|N+mR|{;Jr+B9jDT 
zHiX#gBh7v%U$3ex>t8{8wv1{+M_TR{7cl#MK2&vNozM`0*2MpXt~E?GL>xXi9J|PM zn6UCFOeEF_gHt8d9LyqJ7F}y-JWUq<)hXV!6fa)F*#Fj9$0N=f~FYf#V23d-JZWcv{ znNeNm7X299o^N?%yv#hmMv2=2pEn#!n{BYo!k~l(o7@_`ZZJ^@8u;8Xf^TB?3k7|o zz0Pa~XZAegwxxp-r&RSb*zcNcz^ZN9rj;gJx6Y%~6g83~AeOmqS<>Xx@-@Gl_S=&t z1P7^Gff5o6E6tJl{+K?ZlhIN1$b(%78NC&nq9@;%h7hb4FmtSU-{`J>;gTB*7+tvPwWGOKCzxz?l= zZODp5JtDEdhY=tqjN*6Q_BGLJN?-+q;f2W($VvMi^}H;tMBD0wbNt;+V^7w^Zkq6E{r^${wJ78%ZAuN4J3j6rqXtZf>|a&dG! z58C+EGM3`9Y!ZB{8Gok{CmW;|TcoMgF=#X6c_uNU$nrh$$t2rP8xC?ZcRLwYf6N~X zr%30T25O|)K`i53G>g(^tpP`9k3Y)C&ybhOP>>{%A3S+NQlXOj3u2OYdx_K`D!MPt z5nC22-NOD^6`-8{m-j_HN#EmV%Q^uhll%(&_XSq%{tv7wT{L~(d;nijLeay|U^OwN zdcZ*>UuZS&3#|qjGY3#4!bSLevA|Q2K;vxzL0^}lM8BPOvnHY1Tk(g~ZD5%Gzg`!t z-yx8kKDSjKOgwSj-QB4XInAGea`sQxxIm`d8Lnn8SCq?DEf0-p4yD!0z%c6Dl1e6R zIN(!c?XR0L;w!h;8hnkFu`1{);#K?>ru_b7!M1UQYdhkHV`StOS8LqI{~_udm@^BQ zW|Pgv+}Os(wr$(CZQD*Zwry);+uGQ+p6BL$zwh2#b!vXVsXC`;dV0D6uC<*GUk`cQ zZ}~M;C0+PhHXq*`QJ}>#Z*9({ho@mnF~4{C)Dt9L??&vXzEtnX)|;W_)neVpBgTz> z{f3?Q<_(_feVI1w)H`GiL9SDr68~+QX4hqyjfQVqTwd?Iv3gI(Bhl=(<6P-{I6*FH zPxIKG^)dRhdS;8~#g^&mCrZgJdZEvqD`M}`+Xc2djpst@M_Hbq>$vz$_sJ(>?i=D= z9-dx%i}T8;_0H{1TvncWHeh6ef~S6Xv`%J4@AfZQe9w6q`*G{;*Lt))v7G-=$6)am zbo!Qu<2iV&uhUi4pLh9_O`{TJc0a?r=%yR19(H?Q+g_4yjZF5}?CT<{be;1D*vxn2 zW_%={2YBv{DX_4}p68IBVykI62gxtgYlCi`-@g00_AB1K+x3C{y7QB2f3`36+4qy) zz3;8c7sHd*AJ+H7{`KiAoo@O|tYgxv=4(f8^4f1*a3zpmT|3!;7rz6E<9NklTK>i> zcl*4#B$xZ+bx>XJU)^XngZHdx-7FqTdXuzbBpB7EkJGA@e8ypmxZWF*yp8uW=K|L7 z)lBcF(m2)qpu3!0(PYpKe^Z?Q#3F2O{a0^Zb~pO_|A6Yp5kK^gHzr`lyuaUnk+pJu zXpJBTKtZ%&L&{_$q$2v5^^jMW4J7$`eT_$#mj_K0=c{%cXnGse;K7fLxG2Gq4NGjKuwf zlqTy&U34I^5Llr})Gb~45~4{A)ekEI zHt7NxqA)UGf?mxGVPNo^K*OaXNpiO0*GV`Zi$RiB(PUA^Tv{`!NtI;h5zAet3RV&- za|S~%a~#f_*~saJEaB)Oqg4{#GP181h&GnAJvY;l`=-)hEd|687XtU-$hRXec)B$! 
zhmwdR1;344eB%-gDg)s*o_BB*a^$*@`S~zZQ|U4*^;EiYg95%Fx)F2{YUQ7f+SMOj zT6J@)MK*lma>;jI)T}O`vPU&uD~*W=Vf~IR#v@Rqx!JWw+gZ}ETvAdb#Vy_=sI zU>4((0`Sd)bilCtpYS`g0>hD7%2kvALoZq7tL59y4aP>i@f6!g1?z4+3LK#c z1#tQ~WX5B8DzZhia5LJ&g?##W+-l8g^QNB$Od+&zEZiA$N(X782n!K~q?3w^m*M%V z2eckM2voytcwLLaYz?(kk1RDqaU#9}-{H7B zQ&wbBxidWa#>L$1F^*XPr_Ly&kK@=r6>IR7j2l_#UONc#2rMbN(~Jzl^V#;_Dk=a&gxQ+kb_06NDI|Ri=UFg ziFC{28Z9YPEwM=$@Eo{pJc`U44x%j4+aoM%>Xv8$ToLlxO89J!R z%wEi#R&cASd);1Y7AFyxKp9aUI=r)nHK8S7##Igfh}nt*2l<#U==BGS{I8NT#O~C; zEG!@9V0*LMX}I2u2A~;KHlcsQCuCj)&==#`6wtIvkRR&@@)<5gDgh(f`wK|)tq>sf z2l<2yhbGMkxwB^mp0Hn=-)kFMR+-Z&?_%{fZ7`jNUg)~m-~8*tbsogtbPR1f@uhGb zyK&nFT*_i>WO7}iiwyCQD`zxEN{N85h z3qCIyrn{m3&W||KwSefHTrWT172WPlgF9c(O+KKii_Y2-mA z_i6NE#p_X3$ZF?d0S&eXFu~T<>$Nl)|C#oizH#kMs{1)wo5yS7?l0NpQMAp@?n6?K zG=2+R{a@`1Y&h2?}}wmrrPazUvV2?<5O39Kd1vs4ZaBluuiZ{{a7R#8(~yf6LDI>YFiE z`?}ENwtslX+N|?$dwed=i1P!*g?Ke)FeCelL{^p7)%u znIT2reBB#el)ZzxYn7~5IT2k@t;f3~l<@H|^-Arf_-U2naLJpisfqr3{%?5oP0#JT zguR*S^~&(3?>6T>PdpxxzI;7xk=A{lRF=~@EPoP1r1e&K+n*v}x*^^1ec4z~xAWSu zl&^02M~>)wTk-r68j;R_j@P*%Th>ePErxYHMW|uG?Qxv5E3>Ww{(yr2Q_YZLFe}~(8PR@?%sQGVZdFp#2QJ#)+1y`arD^?y%vp58St%~pR z`b+2flW&a4N$P|OC0$aeh~_U^v>ai)F9}KcS?NMr6ugB=xrg)5(N6WGdc{?c`%3|< zm<+A1r5SaWlF`(N-zS*9e2OQ$TndMs2~Cr2U6q3}pV`D5F;>2WKRZq%q6D)#K%}YkypHD+CZNAi zKU>$cJje|NCorWWCAX^4%g$tj*u*;HLv7M(*Uzy?jhoIOMyNF6s0Lo< zr^QO6VbQIM+Fp+0v7`NgTgidyUAZVCD^RyflZYeQlrl->)tnCKp__^Z<4~5VfQRab zy?@ny_OF5_MwnzIYA*0$QNvov=>L%SfdNUCX# zSJy#MU?Ez+<<3s})dgL2oDzhb7%t|Lm(Sh4q^2GEw?2nxAce0mb)Mr0)mt;M_9C^} zWaKCXv>!8r$Ww_fE{l)#3@*t|Xp}^=%G?IyZt*lg=?`3b(ANrKO(n5zepdxPKMkfW z6sR={LcUdbq>PnZXQnA(U+tvOF2a7b4xE?-77ceTbG<5+{$S_7$0d=`MF=>QFheSX z{_YdF0G8b<0j3f}t{g|{#1;V@_)Y^k7l@iDios>E-k}nlv@C4b^ZbS8+i&$(#AZ=g zl!rx|G>C@%Pu2}ek#Ny++fci<9i)oOwmp6t{?TDM!2B>9p_J6@5{CcOr@7sKce0+} zJK2a(H8q@oFg7F*?~t=VC7e*Lzte6NN+jA6&$q4FcOHZPnq-BgT2&HLPSc86T$O3Y z8C3{72cg%b0(t|%NGcZX&=x#m%$J0Im_A1B$1JoTOYs$C<8=((xXyuXr z8kRq|N~nQo39ODg56CTrH5P7#Bp!DtSi7-GVho|mFzPuuJovdK8XCoHp+xJmcBy$P 
zA*fS#L*gSD&$L6x0NS~Bcn%O42^DedM^@<5L}e0G!Btn%fW=wVA~RQ^Mj;Kdrqi-t zW@!zOj^xm8I#EGu(k*Xic4vRad@tDZdmYN84eJ?HnQGd0*#fHkFvDjQRc zvv*peUj9xwRx5-cO#)}!|B*n4We1ZvI-8#=z;F-RE;Yhpt{ha~w7?g+MLE>?Vof#3C5uPS9`uKJ4nXA{qu zYq1xlB7v8c7q9~s(KBXqM6?)#rsAjo(ySGC{?d`z;_ar$LH<+hP6C=l>Ny z@%vDG1F!RpTZVYAKOp#kL6Q{d#|Qa?e>nj$kO(QH7@6al_86GmaKNoj(*ZeQ`*d-j z9v)tH`MmjNg~&ewxU7Y&CfVVnargZ^q_e)(-bxnNeJx;S=csnM3WW{i2H^J{BvS{K zJ$L@QO`gFaXdTibc&lxns4)>`?72*Gg?=j`$FGz0rPH0IA7;n^fq_2`jVR0hk7Im0(MQu<@qem$*%Vh zt$I?C=du2Iif{F7+}1msMUKwZc-9W{zmtUYTJf8DK=Y__S&i3#Jiy7fegxkduWL1V z#-!mB`$Ercjlx?0{{H-Bw|DZ+`|_hpT#jom!kNUD*01Z`Z1mD=XYoHw_?Nj_kCVqn zhBf2u-Qj+S!Y7@{KiL7g=2sCIyKs-{ZsL)e;GKT!K7GQA9q>3UZ9PhY2#Z0lQhL2nesXhdS3h!za}13A zUq0FUn14+D)F1gjDyaHz6;wMW^|8OpC*-dKOF*gF$<)Bx@jJmA^$GAdKOaC@SY$+` z>?B^wnIBlj&HkRJ1|Pz0*`d>@rNW1fLfX%r7|niW0)0Y$RGO1%Mr}m3j(b6=k+7ws zJcY*i>+GkidK{A_@)X8s0gk6w2VtlcmJuil=ztvazN&2|WBnnidF&w}s4MxEnlfG) zErpDbY6{g73|&|u0%f5OLbB%Yt!foqA`eIhmUYS;Z&?ack6-0{NhUG>d9vDNgQQNi z7o9~`Z|x>6b7Qt6HTrpnqA4bVGaGE`Ig>&(4UuV-UgKXJG|UI3f=z-!TUt)k@HZC< z!G?Tc1X`LE*oHhB^)gBAAp_h2cBLT3a$@pQ6geUr7|4iFe&JlrAtOq>UBU0PoQ##O5MtGq;UF8zPEg6W13=^m;D443s45#Y#)W7&8Zn0U zuVC9QyG}wIlg_oLouIVvA*wZ+qNBsGpqlp-a60hPNc;fhgI4)ldtAc-wkqrrvZ9(L z>xTnK&MkVw1Ri|m>0uaWJn5 z{AtD_B%TB}W3;H8LRnnnU{Hr2=C=`NU4na+A4(G@Ln+Y5U^t0P zLGnBH2zI*BI&Nfq!h>{~1Vt(hx);UKMyW_l2vm$?N%t8rrMg4AzDKkRYHt!|8|jH z{=tqN?vqSEE+SP?QGCi3Kvsybh8-IU!|bZ>SVk%!F;q;UQJBVXC-XbhuTFJ*-HJ$6 zejYSZi7jPFym=96(vcH6&@Ax6@o-d@&weyEHxcQBO+)1nZv1E@YTGWIwp|Mr0y%?PE1S_| zal27W(9Usd{O6P1GVZU~OptyrQQ~I7E~PUy+aAH+ie`T>SKxbPW$XV~bi}3wFDZ*w z^258gRAVnynnHe?G38qZ+eL$gX;{;kpVJ~`^y95eiP%UlTzVP)Sno*05@sDp|Jhmj zli7CLjA0h;IAef^`Hwlo!>7L$RLp1J2tSYnH~_sb{Rx@-26%Bdx~+ZC1-;?AiPXQ% zlVww#)%;A?-{%+iFMBod`e4MAN5T{;Sn`To{-??}O40Xf1ql9R{|qKoJe<7Rb$gvb z=4O~*q4+y_Hsc1~BX{0Aa`UD0n&fg55T)~9_Q2A=kB448GrQAv zPF_#|jdC5z_9-d!d&?Sby`N{Y){FSRwq*D`zQfYt1M29Tj+f;w`;Q0fu?^#3usTO_ z`d!y&K6RSL9lsiG`KrF|{z-R>q1vw9u8TqLrPrNJ^QSt`d&}pRk*GZ7+~qx0VB|dw 
zfb&QbDc8R)FSlh#{`ifm`JpN_?(;S9RnuMhI?%WwKE9XbBc*G0rtW-XGXBze4jK}F zXIo|MJ)aw+{Q=u7JRU)cuZ!Ft*?D*cGWpK=rcXo0-f6h|J8UU>k@q5F$YdVxnx_f~ z3wWL|rtrI6(Py)|>;e{1^LGrzb@4n|-AC*UFOx8f&v*lqVK4kO-g4XIdhDA{p1DlI zDb)CHnvvb-ibiIxH@5v8(%fN_^D#x#N{oje z2smGNn1e4`J@<~k+SKshE?CohyALj+$Gt%=ioQ938GKFe3e#QMYAvp-T)c0$ug43I z9*eqlNZ@r!>hy>?D{;g0vh2inHuCy=P{|G-6jz-Zo{)a-ce>3d7J#g3PLQ8clId; z7t0wOP|A&8iwrBw9NTs3vP~)jHVr@JLuT(}b0w*VA<_eZ&!r_PmFmSJO}oL`C1E7XhZndI%m3;ul&>o!y$ zB}ObC{;(>fyeDtXl%F*ktbtYvNM0Tp&zt0eg08_$Al(~GE#0=`XZwVTt~zrlkUtMu zJ9Au`>XsmsLXoPDwDP8*i=tF5&d3%BwBcKFp12I7BSCmENEur;N*5B8&S98l;;5hl znVfw}g;fMZn=g@~*WI98E!HWMIMG{tI>-^Kr`p3pb@LaiBY$h#NgSDdzboGrj3|qO z>lWz(S|zy+cE?sV{7H!8BMQE}AnIS)h!>$IwR)qak~IA!Fv;@l%)hrrx`Z=uG4`Cu zkgcT%&0<1$D`O68<-{ddPaAV`LFK)^)U*P9@=|#yBn$gV&DW%us|tQ7O~?=m;~K+A zQi{=LQ2%m8yi3KU)vk~Mz3==(QoQdIJ=0E06D@^V3vM`msf5@MXyO2C9jo`vq11704OQniRM@}>)??8zFQ&A~HvMtpCnsL9xnx3rF z%XDTsU3&Bny20WpxLqrNLP0C1?jd7CwfCviXx$}ub+-rHfqa?xNux+F8| zcpp?Q#sU^Q{v)6FkKd=&0M(I|ifg8kRNNYBNok@fc=k1$1s;slS7i0!QDAN(msdg? 
zwJSw3TnnGIGT-lrR$5m}HpvRlWu$;yO-=E3XY0(IIp}` zCYU;=}?SXEwBF+b9yu3tgIb1Bb2R{;Ss1i-Q@%X|B<)xoS zj#w5-$tfwZ?#wLGt6V9}Pn*XM!jfMq_~!FeywUOs5@IM^ZjtBuiL}a-)kg5MxHxU5 zh`Qz?xYd#PlM< zJi{(4gcYb$szhdCQcBayh-vFeNz{p>{nnTr$Em5wAaA(EAjeoyz%dX~Xx1hm%6D$8 zWuP6Mg@@@pg?^s3U;k>D3-9!_BMfufcF9a7o*cH~UWu%@$y!Wr_-$2*teG>%AehU( z0D6)zEY>so3)3#(Oluyiqr(fHNX3&UA#0_6V?Qgfz^z1N5LAno7Nb=L{q65G`KRR3 z#TLzXxIAqldvwAW;jxSF6xO!!-^c8EUP4}Tm)TV-pI*|til#ydZ=M9RC}%xrva-Iu zoy5i3SSA`i2~0)ZbB>mVI&$c|(m_53a&oL1y|ygXzO9O`yE2gKIq(bf@;wAHKNn)stfInDEIE*lNWaP4xUKvUgs(+;Reo_uhNAlZA zb)Y9(Ilv^7S1TFB2}8OnuH8@vD~79O2@FcUwT|sQ6$jtGu~@Qg7gq{NDGNPG!6ho9 z%%7#?l^#MHop{dSiFNpNh`VkWO^XP^1ZatZiOY6w%Alb2B(q8PQle);DZ+D>u}XA$ z(h{sr1YQ*CSTG@PpQ2LOs-?NGvkwNDY0SaFW*Q1I(^!Ooe*ul0D^K`Ez7W}pfNye_ zlka&Saz+(5`aogQTT($;b+9-73;$B;6M`rHHADfRaK0oHW9+`h{q8D|r_G`M`HQ-N z`|GiE8Bt8l^E62p0caCB=wN$hy6gEg?aij^*z#}qp>~YN!7LP2qDW= z$7Ke661Q_u@Jn~5FZQ&iajWp9#{Xb}9Z{eEmfag3U-R<4CeM!`(C@j6j34lww;`?D zFkYRWVLJT~Jq+##LGKO#Jn;1Zi69981Pj3Go=-@6+!wPA|FX_OY6?8xWhZ$$*CCi$ z#qfB0Kkq8mla6_L##c%9Z->dfYhCNEp7s${4Q$`*g%@<4@5`#O5xkc}0{{0~bNdxJ zuk-FE`n4AK?2kh=jIaAPoF3NRe~25Vqp_{tK0t`!Jtm@^n1W4toGxc5k=!FnTzyRL;63sJe5V_iIx7dCWY-b8>&WHl4Jsoo^Q` z@YrJ5^$s14;=ius?b_wtJuKiIV<9*WGG+0#>|T7ux9VNH8jbQI?D%y}HGLl~Z+_HE zZ&IMD>+b1a0cXE}FV#TFPiA07Q>6JP(A^Li2cVc(Wq23=w&BclUT}UD7mBhTV_yP_ z1iYqx?N0FXeaSPYT<&MT@kdx>IadH1&ifMOguVj@%NVQ0K+6HlbxFprYR6}xIvlL#$ZKt3t1~p&5engF0cT*c3cA&|? 
zlB;U=Xwf|>q?xxAEiH-nM6P145hY?r$k)$^ zV$Y>=QTd{thiYGvM6&T71Rb9GlqjFTRkW8IT?-iA^AX^d&4nQ#8y>Oa4NDdPTBS|Q zvfgNlHu<0XYXur@wI-AAyzEINFN((<>C+w*!bfx~Ap%T70YaBQbK3thveL8CK|J9O z|2o{PTj#KTKg=gae-dBRCv3)v=2v#sv7^BtfhsyV#ESF$NIJ6i7uO z6On->*ivl#ZsBr_Q3aKyT^8Aa9hIqy`WfvSN}guKB$!IcOEYp?KL=k+hbk5{cWIIQ6KU@be?OWl_3g9A8`!>y;aH+vM2W4^ceQzB$KTV)v_z8w5(S*MlZqC5F=s0C=nCWg)7b%MhLBe1#2qMa zE(3wfBArS3jln*)GOAcD?DNz{dhpqf45hXg;$H!?I=1XUhWw5S;K+-#9T@%5VJ!p)%^Ies zEUGX=N17y@6;$P$66g52j)rXop{ZQ9AbRYW3H*>#FB`%;xT%OLRC+1Z)vuq;r+xyB zj*Ls&_@-!d4FvNamG$!;_jJ(P#Tk0 znu$RZp_vxPgc_D4<}Pt>%QQ-MICK#xH>2Mw9rIle0%1)I>}~9gLoW{ zSP%^gi6+||7T3nI2y>*)s3@BW;|idZE7C&CN;J5x6nK3mxU)(|%c@O28|jDf2HZ%) zS5QfZYV`<&gc(VbRBB2`f;EYpI8UQSecNNAw7ioHUXy`mj4L~#)ph79vFS(&2STqT zRw&KXIRJHmvD7Bo`tCr;&yTM>`r{GyKA^DjXP?HrKfUum{Tsj>C1c4-RRQAC6TD{ zK%35B;y?JXs<^c0S~Frzl7+doh?z80R@=l3R1}kEp@Rn56$2V^|e}u0M9_se?wA zl7yQEHFaQfDDT^jc$;;b|8D^xB4UOVc+UGfI2?c8d|>K7=k;|9k{^QtB?}0p_8ETq zg8>7NMS(;NxFgC)Z+M?4??os2*N9zz`_|qo5NqW-&w5_gtzM!rwm&IeYBuy=2H)h@ zZX<;Kn?A_RbAS`ki{=|R{=K_;&evL}4Hs?vU;QG;3g|KVq;i_b9zM61QPex_%bk~k zKCXL^wY(TD^p?Ed`rJCUi%ojnck2F}COOIChmeT1rTUI{v6H-w+m&VJc^ikF*123Z z53p(9Cta#9+7`n8&$R??J6&&g!+D)aZzj9SY8+?1MFlGb^x03RgJpyEey#K9FMRKF z+U(G6?6se-&@Ly4-hJ=u*f;dPqiVA~`+A?FWrM4$KER;ZoA^LF1WC@&U(LEvpbspOfa>9`BGdP2p-Y9!Avr zufPOgb@$(fEDH2pr%>)c`d2+tv-@qkUhKak5$V2$>0aKdYPub-4xQWI#oguDi-tb- zf^YaUc2)a)U++g7Tb4W_X&x?B*=Ml$o38BbwM`rjj2`NommCLq?HhNxyuq#?@96pI z?0aOcHcb_UV8&qLVL`8>}Mk0zK2_*w_``2An5^{>6B5bAKdUmLx39FAKi`#v@` z;M_8L3ZA<7$#XegzR+#}2eloO@_oJykfj}y)H9$9clHrOP2Na_NS{s_HLIPMq2Y1w z1})0BS=-CeMY=1V{)%^3Rr+wb{>KIC^4%^6qH_L@K;!t=%Z24y{_CRnD(O7`Wn5r& z7vRr^v8N?_{M#a3c!At`;|3kIf_U94pn5Z1@1d!yZWhq>1Z;Z+f_=!JQ@;bJhJZJw zJ~+UEqGQsJg9n0nIuZSZSPo0s-VUIT=~o*;5s;8rHc+(V7lw(O-PcJLMayC~+f7Eq zfp{@$4E9)g1`P;&LoPj;wkowSl7?x22VV6$0Yj2qFbCEeYx4N0LvJNhwhFBg-jN^&N~xOJ^c0R$vAi$9_Nk?u*hfWPMVmjhMXRr4@{6$|2kI+JasrRk_hQ6M z!+)r-j~c>tTo?C)4BB{pet(dw*JIm1?ISZfS<6$0gSII%+)N2eh{;bWHQKT+;*>r5 
zizP->gPE+7u72bqSV8bCp)k!=#e3BznlB*Gvqk?2R~gXB6mMqaC;gc_LR4)#USiid z^y(E22}uKcJ9gaC&mj)oA%gSXB4BTdEN=f$5!Jwza2`n zBB;=7KjhSvtO;HbTQz^N9)wY#7^YXV>`o*ce?Vq*93wdxVWGrJmOFDKFMDGQeN!j> zanmdM;-8l+{$z!iHs$$rsfZ$FfLe19XETcES_MPrJf7*37FBU?H1JkGWR39~cF`w; zKUY)NKKoqLUiATBUr=A>cCA_dud_PK{s;X&N;xVF%`m9Qr}^Aeuzs=6jitwMT9z2< z2bjam!jr02QzFXAl(~d1da2CCHB6F*g`R5cF=Di%4uDIxXsSnEj-d{kBaR6lE6@5yk2z=n|%lxqK47N z6mH118Cv>w6>GV`NVSDpAgQ-lHP%gb!pBme@?Cldqa)0Das@K_I&kE$1M7gV;3Kb{ z0RH8^k9eCh*xfb%-gcTtSNG5W;O?Xlu#^C4^;}562=$Q|N|m9G$3PYJKnE{-&V)Yw z%)+Xo^k7;G-xjJBZCNt9?nGB~WcaN5k4VceuIgBj&DpGq{36k6rk@9J*67MUH3-sb z@fl)gGIZekn1(S{tm)1jMoN_Vk`pXm*;*|qQU%9g84O5NeCUOajuN4cWMx#_y>cIe zjM>FG&}L2fYj9-RLlI%rfA33hS|%P z0#)&*(`7q!ZRDiPBpJ)KR;QjaluS?@WU0t8<^G7&>VYk={vm`?Y-;zLWP{uufY*?U|k>G^oP;}_fVz9#XuaoiOi z9m1vC-k-=u?HKi_`(7$ew%V`NqIH}ejJ)w*Pgcjj>UPUK?QO+x-oW+fdR!N%sYCN- zJzv@>_?_w@XZbvzT1G~C;-`tXTx)$B9XI6bYPVds(73Z-?xWdlleAyT~83lZg)0aA)@NG3D2prnmH^U~s1)uY; zD?TmpXZv;owD(A9h)G+I*^AlhP0VcXfrhr4=Hp*&b)ADNH+f#~=m_gG5(66*Xt_P1 zK6ZV%Z)a!~VDrIhy!$G^F_iR9i&XHP9oK`ICuzQ?$BZLbejWD}gzct8UVtzFrP^=U z?6DRn_kJ&wy4L5n^*ygc@Y61z-TaYzmVX)SwdMfrR-cJ?c&t0`_0DkmR*>c?7n1M4 zmZ#lbR{$ge;P83=ng8o;W9f$#E}hp z%31zbFZ=BSJ-sE*_vU!HO$X{;|HZ)k$K!K#r(rNV&V!@PxHp#GtNmY%wV~Huvxir^ zwC*R37kM8KQ`dDj4o2NCPwF+#%CF_rd8{bg@}c1`{!ZyNYTUM){5l<0Y1*Id-Boz&K$6f}Dmr`hbHovB2h}f0$yOtWEm1 zlMzMkpo0)y7L}DxjHPO9)D3DN+!33{ujIAEpA5pR-rLBMni9lNlLbdrgHoi9DUqI} z6-^2VNX(LydCd!7VggZ;a>-;V?tdC}njYSe8I?XrIu`dAP!?}(R!)ZX5($|qHAVLY zM--8TK}LkNubQJ%L(bb4hNadOiJbalr-S-YP{>+6DAO;4eKc3Xn!${;+@OxoR#(JP z_yf8@6ZBT^U41;^;lA^cPmk*j%@;~m=`k$N+KOJpEmgh{^nfS z$?T+gP&vs{CkoAnLJyj8ql$2Z4`Z~KOVHy9jlQ8VVOti^Gs$wSl6;nVoVeY|@5xE<-CAX^VgC)d`h$WGeQzqpQW-=R!jWNRrY{g;7 zl!%KjQ)GpmAOVP0t#P<9tw08SZfpwSNokcO{bszFkb6SQsFkuf#M;nJ84PL8C~5aU z_VK+xM(f427b?F%Bny@81T4njt3pweXp+x|YK)MXsps1w~brk)G^ok{!Ai8i7?LD_XRjBlc6yavsEC-!WR+$g`-Dz<&X4T6#JucnI zCxNXSl;VLOzGnzCS78$kb%B>)*~LO{7@QgTNSwjOycID&zSM5EyfI%+O-`kWa}z@y z>gCPjt4vJ+pZ{vP$A$PGk_f+u`@w_3E`GW 
z$Lei9dHIUQ!`OX0GzH5<{d=&=!m0BuU^+GM!d$Xg8nVPG|{y~1YN(pQ!I;s)4ja`EdG}9d2c)tNC7gB!W zd>}Hv-GAlvy@34yv=GgybIOxZhN*BljOz3=$E}85!EDoVnbcUN1r`{yeuyIP7dcYm zFv>P72)fErm3^8mQI&3#YBy8{i&3$a4jBHRbOI0;0|Sn1^}({{paw!wgCE zT=4&w@z8f;?6dAq2>QOv^N*i0TfiZSP-(Z{KjC{qmWU8x#1-GOzu~92^jofe=Pd)C zH>RIt|J$yrepwTu_W5jL#pp4)ppLWO2Auj0n65v}0uKX8=r)}4ntLuE&MvK^8Oy3> zcEWR;ubM7u`UZ_Y_&x#CC#&)uBXtJU*NNOO6N%kl+1%T!{FyCBI|SJk1U#d@CQd71 z-g>TwUXP}2G)WgbU0bm}ui>z;*+JD{If&W%9fX7iS@f%TS z=pHwvZGj%&q1LVazp_5Neb&9XgQm&iIc@@stJ}~&oUiUgXWCz5`FTAS;NyAHdi|T) z(7DdmRQ8mU(dphzD9_0rQSUm8Ab9`y+im0R@Dh6&Hi_SCU(J}e{z~VK z+^|$M%@dY>C^6ITdwh7QYu+7Y@9Ta#_*V6g^E@WQ#GSulY!2`^ z4+2JEySBC2w*P%izKH2}jC#7>q)S|u%5QUi@b)QrUK|(j*o0vK0PbpDdlOX`^auno zbdIm0Heke z%q}?x3lH5)kBhK3JM{W#L-cXqMcfO&uVE?$O7sRbUSa-D&2vTB_Wil^=B3rn+lehY z*XeEzux}XXSr6Eh`I`Oj;JeoZrud#YIPSUTFVcmJX5*GQ#ad{8&7TaU1q4U5GXAoK zq+O`#c*^^`^(wzC+4_rq*=##$+-R8wVQ$|-0lq&mM5|b9)Vfn)rLsDIgn@*VdA)Lx z8j%AJe|4}u$h)8>^&Q*@>bXG>f`VKSY_73jq76q3-wIA3Ss~vD4%=RAsp6T#^x+s=^(#_<2RQ z(4$YvjZ=rA%*u9H5LX8gs;NZW4FI{_^qg`;$qQ)Y zmtJP@*sYq&GWlu-`x4`#hMH4y_ucSLb1uYZyA1#w^OaJ|3USjPwFmGGXH0Y@O9{-L z$k+SA$$wsb(d}L~ZF)6lAdTmhrFx^=buv-26_i11&%re+rzA5`MS}fWVq`IVyR=g$ zoC0OI)D+92BB2dcM7((RrV4EhOX`0c|MmFe8U~M3KJ2;e+6k7WHfNZQx1msD-;iIJ zf97UyGv2$#PSeCWaDJuoo6XyVlUp|HDS-GMzMAb26zX0`Q=mJaCP0E>39domSV<`n zv-RAK0&a1UlsV|CckcJOU`a}-Wi)=toyj6{lX15MNU9yLTA^eBw_4c`Z8qA-vHWbS z*dIfJEl?Bpv5LEPZI?8P2tUOu;PGasAHj;HlYSk?ffQ$#I}ELXM7l71T_!4ZULJm} z__qUahVHqHec>B`yIky_^Y61;HtfLLyz#9ie_^Q7MHq1+SkNNqUm87bS}&O`jJ8J0 z`Le9xi=oBl;IvsbY7JJ?i_t<#a^yd<@-W40K{5o}atAq-oiF+&9;LPc--#HU!#1WN zXWYMvkgI-r8Kpd6mHq<%teE#axW&Fu-*u=a#HEvS#cCb(Gb=EwsbD{%u8O2c?pKaYm1&T%zF>R#m?&O8)#e#bskte&a=1~8 zo{f9q3`^*@3>9KUm6%M4lz{v}v#&B;28||ul14c{QI0#gI?w}500umjcImP5<{z1m z1IizpbHb~V52u-#J*~DGnM)g3m1R*N#&Bfo}YG?`1P>jA@yXU}~q94f!9Q zJ{*rWb(G~YU22#6#{4#`L1LH?Df8#D={UM0K2_Qz-G;(tSGBD7T^kZFe|~Q-huGjb zI53o(X@xeB!<5pd-TjD?Mk5nv7mGN+v~@4O`xPwW6gnbO{zEvHE%%snl~p&H`q?7D zQVQ(PLm{71d8w2p-ae#PpUzE3gTmlE0I4csF!0PGgJFH2LL!goND`*TUA9OBhcyC( 
zE0M9bZL^Z@t;C8Z9Kxu~rEi6H?YR6P<=g<&?A;UoU|B^U&+E)2f^^>~Z8~8QBW*;I z&~nbMfr|KVvHnVe88f3uMRuC;Z_X7gR(kbLQFeY~Ugj0%|5qOTJ^Be_W|9HHQ`taY zf`dr_2|@GCY4{5P@<{1oKtJOp&MV?OJs>#~@-uvhFaZRbSk%WG=xG}*%{1W)%P8IB zJ!1uHn^mC3V~{@ZxvJ)jlgk0=`MCj~mt)_<%=YSmVLG79 zuWie13CKC2`Qo;9p>=w+d%)|xKxgM^-hz&Q-z4bW!9kqz3fT4N?kMZ|c(i^1Izo$$ zcUxTo_CIg}E^-{Up8Dhgd+yd-Z2EVf%T3{S-CxPlwA}6a{!c!TxE?bb6u{>K+T1@a z@`fulleu0qBX#<{urJ=Gg1 zecww8o>k{NnnG)J$q(ImBh>8_!$?O}QnGGY_%>i^)wngEMX2*RKZw0v|CjErUy);R z^-0!C;<)n7;P4wtMxlf_-as zG|j*E5D6LQdGEeygPEh*<2AX6-~P|Uz6#m};^91MHT%A7ex&Ng@8p{P%59Q$wdQdn z@g}baCQ0+V3(4zvU52gYJSYs^-9qm@zt$!IxByqQa8g%1Ps?6%*~+??>0#`5UN7x7 zp{#Rn_hLtn<8<7hcYAM6nf-j%CevqfeGMo*O)t&~x2|*Lx#(}|U-Z$HpS3R=;5#_y zpQDN737&6OfV=xZ9u1%^Il!O(VDmLzWyX4)AO~mw-VqbI$Re2Cyl;QWzpwrbv;@9> z`{oxizO@_R)c>Y-zTiLVxFzTmilxP$aAzVZ5se>rBKWr)LGxT<1$Od~iHi9quvf$< zTJq0{6YgBL1Z=Pt~_G8^eB0T`PbQE)WR&g6j+C!0I4;zmt zP*t0(K@o9FPJ{KHki^usRDQwtuMv~b#Ms-Dkav=NX*HEWhJ{R2*hcLMP7W$jAvT{< zloi!*kP?EaK-?8O%3qPvaR&V-L)Ger`dnCs(wkOm2L2z&XL^63s8J-6O7d0Q#drqI znnb*r5-9w54O=?WsQ3RQ#yT6TQwU?3R#+9_vxu9NLu!HsIA{MYKtr!_!(KPxVvhPC zn;oogo{z##Q9DI~ju1G4I4_SCpg;~=4F1coPV2zf?wZQHhO+qP|V)UlI}Z6_UfY}>ZYit5YzUVP`Ai+X-RjjFNNUVF~g z2^F-XCkLF#wKfWxHr^afmEfR_-Zu!*oiFCxvJi-=YkL zQu~cl7n#cd@%z7NCq#v-Euk@?$(KmyN&uM5_!JElN1TQ9AdKI3nk=}# z*3j)1EQLCjf+`A@5RHZu(hhZcLO6eGC}en1S%oFTWf-0Njf-W9=rILlW?82eq_D~b zBcFXU&}G&GD6eJFh%I^iR1uqMG}v0skwnq@?7Zo$`Cu)i66zwYNHn3&!x9a|76SMx z{-o;F>WSF0tw8|?o_6w8)EpH>rzW-ccRrv2cYy!ya<2sUHy?q>EZQ9r04s}2P^4^n zW`Pr|d~BcJxGzv48bxGg!=kmuZYoAlMf@AmnL}dUD8k@M5D(=#dli57@qQsA<)>1k zz$oGpRmjOESu^O{Q3W&$wTLWNx3HxVLx*^D&)#NQbZgdU_8H-5w*`l%+jNw;a_4V5 zi8544GtVz9Cb5lU{fp-uHo->BV0Mf_>DQvh9Qo7Fs$;L#=bJJ37#7nWK&-tyAP4uS zMj^D_0ut)ouU5Z>)bDV_LAfx86g&Lpd(r%KWnARCDycNPmUp?8xdEsV?HrA{KVJIOn3C4x zKYesKQ7IY%=9-#mf{QbPRVW(C)9*m1)czsWElJHhUnzH}TnHg#6F>MU*s{o+3h|}d zlW5eH{~(_&FOCRt0G$#(&rgA$FyV%NEk0k&EIdOh*FKX_Uv=X~4#xFQ?L%d6#)3zk zdaN(vUCY+3PV*6$MBxP+!fD6BeQU?)g>mq}s#KDuR&>!5MpLD!UYGwf_UM#t{j*%j 
zx>agMUdu4Mvejib=&Iz+8WfGR&0&|BX;Gp?Y(CdY;6k3%HM7K`-U=%Ef1WQ*c&yNd z?|IeYE%5uNZQ_en;H;tPHYc3wHJ^# z!E4ZcM~|Dsb}>2d%=hw}oMY$yP(4p8V8+s7i^zUq-QMeW%Y``QlERf)z!l+ZtrK#_ znEk_PUVv?4D@)IsUmqZ+3n8!h@!k<%@f*u5O7zrc6WGw=!`SuSRY%}9fw1l#f77(d zoQ2P4@Y2>b%9+PA=xzRdu-D*t!`^mnW0r@z5_mzW`OkX<`sQTi^|T2Qqhrh4JULav z`+00<`sL1lHp(*RVKMCM=TE#(K=TbgBR*?o-3!}GG`*(5K8Lg5P00Zwk4czqdWS=n zYf1VQCE~hCQF_acJzx8=V$o;o-4H6H_r-ohJXe0hEz6sHyXOkm-CQ33{j~NOqT$YN zd935=b;51G{7UEfvc6zvds}b#M0E!DRoh0b72I{_zTlytCcdkBsXBnD`Cu*i(E0)~ zp3A?fZ@no_?;$D2O5mZ=3n zWDEM{&emsGUwfzEMs2*C*4`vW#>U<7^jc5xe~YLm>Fult-ZnGwLr?F4YmXV89C-Gw zyHSr5j==kchdjj9PfqPyNXw7~M?-=&?^MN?PWLUy7aV@>ovjzbX7!w%!j4aQXq=BZ zl^4ytXG9*!t#PiVug6r*ybki0JIjlqQ}US|6_3`ok6d_1-lHgVhwg*JyRG+~j^(^` zuj}LFS}t#Wt1!~|PtS|*f_UI|6_8^Ac=C?DGaQ&{txo%K`UW)GFGfPYyu^%c@A3ZR zyrX>weqeoCW|ra9b7gcRx_CQ$N@m~!ktM}eORS4|b_au!ZNP$dQEfJzq2LQQF3dCW zWK=UGN>?n$#G1-rv>|EJP$-fTj_hdEY(**(?vYo+>WPmcozcJ=Gc|k)))dU%!I6qw zv#-P}rnj!i z%#2+%1Gne|uhSom7vjcPtv-5CZk@jp)6CHJ&&uNN=8EuGBH9ZrN>2G6Oy)iDIuB$m2)k*Uv5dpZS*T)?eF-HFVgwk_t8U51%X}x?}`RO2UAx+9N zg^GFf1@21CAR>a+7!g=UxC6f>R#do)y=NkojhZ--!d#YNIZ{&9;_KVOKbCD6vtcwD zxjPEW<_+86yfmo@!@Kn{Cy{<-%oYH>=@vDbd!*qzYxU{h($#YpObigm+)R;*s){@I z2~ejrEQurGEpVl@!orQ!1PH8GHYMyFvplG9w_rTg82;Kej}{I*IZV8K&57ku@&oQ06C+XJD);6+k{)cP(v^Y zW^oL}pKxFH!564QCQ#8yE`7pQ3KNN7oCAw4JThF9G8LS4{G}hi%pm_ZNDNh~6&N~R&pLNO3~)g5r1Sqx%;ck-P7idyE>5s_p>|3Fc-GSwgk zL7JMQ5y`u1x5`YStTE!N_#y2-YbU4K9ATW#u&>cBu+>z3wjA28?y~7ne_hN@_ZNjt z4Fs=NhT5$|Bx(G6c5Myp2C`~C?M&JQ1nsejvSNu+8)Qt=X3{W2L`#5z#DR09I=t;u zMPe57rOU1fH>bm#2`S1ab?Zc&JFwb5NQggbQ`hwB!K;zTlA*yN(IeB`M@pep z2^Mu;>5^0Q8Ly!>z7)Uy@vxxrFsVqq_l4||Um*D7yy2>WI zrqQiRDtR1Q_EbEU0*k?un6)N_z0ySo$$mbiLHIOC%+N|-#d~X9Qtj2E334hUh2GS$ zf`o=nimiczioXIW{+zm%!GKN5XZE?T^JnfK!zeu60O{DWe|+RmD1|}+!+~{%goPB9sYJa37gS!gnTo`<)5@xQqt#pn?eS z1-46!Gnil1k2D5uIuQfvd>ybisTDOK9f~=8O%!|i=>6viSDNkWN>Y0=B{~JI5~3`hIg@GtrV)-A~Tx-5tsn@$Ui|fz#2p=BIN8yjxxX zoQ(v+{vpp=UZ)*$!@&UT?#^dI!v_q$(*yqNEJqGr-<`6ZZM_aBkGmoH;#3R5o(F8q 
z%f<=)_v){<7O}V6B28_J8Qf{^!@7xFrNHNL_UFzs$1hfRIN-kE#m7{j2BhX!67aGW zsiXgNs!kbJ;di zQrGhGdb+MU9e97`zpZ^4YtF%Cl_Rg9TLoMZUpDl2+ih?>NY`^0_>}D1a;sX~D&m~r zce|FCYy0|H;s3srH<|Z#1xdU4lJz2x{UIFqoMao|(^rAn{SC<;*ulS(+I&4U^J?Ih zt^GVBiAc80y*pH7jBM4@YcuZxOxY@?-sCmUhf^}56IOC=d%bRY)~!Eg))@c;qk)3e zKp~=M;2ojcaA5byo&Cp1A}tZX^!xNoYypA+16V~39v0vV1dM+P9>-4yn!(bn4nIz0 zbYo6$zA2hIocAQ^vtJ^G;~cv*TzP(?fk0Y>5oouK5J0up*e@4O-Q`=k10`3s&}Cb_C7(+O={QOm#?LHTw2B$~rFUOl zU`sBp7R()Kg}sEKx$>$s$rTc;;i#^RQLdxSSO5n>UylRD>k$4=P0?$pyTnDTC@G%> zB6Di4k8F!XEdKW!5r>;q82;m7y&BdA6ch79>V0p_pp0Y%az_}93i;O0Pi6G$L7$%a zTm`3O1Vw8)=1G}v$;H#R+M1J|q%=A7 zB*{GMrckjAph^EdgIiH#54UPjyR)m)vxXfo-kJ$9AXbJ94o{4!LBq6)s)Ekcwq|1E z|I7!I!Q){4JljOKS$OHhzb;$D}yZ=JK` zLnEc> z6}`}WuRjgn$LP}y_Ynx&kha*$!}=2Vtz|Uyb>N!$j*`Di%eQ&$XFye|C8U4*XUd3> zcE%(eD&@oL7O8Q#scLolq}hv1=SLJc(dy2K6DymmbKdGRs2K%)!!ovu*S8i7L2vq4 zSSgS!s;3b&WR@S13!0x6J2ot8m6!;L$N34Pt@nqkxo*i!bgkvmNl_GWHYqxVc;X?E zkTIdk6)BCUctdFBlq!+crH{H%2nY`vwlQWRrFrAgG>NzG14#S#9kfMGddm^{3k0pK z*!kaFsI~>XjbKVEu&Co$o6Mi>16;3;TaH80+Bg&0y-%D^#*&_u5rx zGRT4?l3M-Sr7iPE)1uDe6e+{mM$^B)5f-edV+^#`7^R~Oi;r@Gq{?XK%itP++QcCp z(kMYR77|sqW2%|&fNzR>(OvHs=RN+`?qGqGncZB+xE>-nq4<>A!eJt)u;&$8I2#o{ z@jt}WizxmnSD5*!j^Sd(l2MhNdeMLYwCiBW2Pya~Al>7y|C;b{xNf<1%t|+UE#h*P z>Y~Ewe4C>mGAh~Ce62Gag2J!8Gn~r>6bY&zF-;A80kVSioR!nbg1ug<|bX<(dDKCa61zjzKS@ehVCPQ<0r6>%m7^^7T z|9TEOzbneB55>UAN8p#iaQf$orz2k1^>;%GNlpkNoam7A44C|e2_*iWfP3iays2Xz(E=xIn z{eL9BD~u7A^!EUt_#{i+6@K3viOTM+`LZpa{lnLxG~U}n(YQ5kV6Q4;v}5YFp6#c* z1wLViBYyX|igx#?Ev((GmbLT2fLH@_^7mbehDa~oa%Z#zFlbLRp70!*v;DM@K8Od-MXQpbky@2U{}1R z`)VqxP>;*K*`J51s_>1e)jyp3eBnK|Os~DSuqAZb+Y1Yk&1*26tL?rkQ@7q4khySp z`1_h3o38i+Qv=G9Fu~7SF2!Z`Kvw_nLBNRMKNIVM-PkLgvChLc9#;+nw*$>DCpEyo zd*)-%&fr$Mz!_i1lBKC#Jzp z)@7l*z`Az?KhCHE1KMCK{(tpNXAapknyx;IXFXKyaXXcgTic4ddhZ>ml_sutQJ)I5xas==o-8tderl0aUbg_^>QqwNK%|rme29NPTJw zA`0`Ln*NK8#zOW-YDI)!+A_nqa>9*U-xxlZUEjhCK(fr)#mBWwV^@+%m5#HfL#*%& zO0M}tRg;vk@e3T&8oaKu2u@>V15EfWwm$Tkx^0sLu&N5HSEQST=Ca0@J!wJO?chrX 
zM-}4;XuoDEQbFa3EgX^)WP1FvB2()xlsKwTfH-33G%5+#N*3P~)>YbCf#hZyfMCZ4 zHHVMNX^W6VHKZ!JhoyWR4Bk#8V>;e2E7|!g@$criS|v#)RfU6USncvI@>dc;1`o13 zsQ%MLw~23JD)r)wU<)h{ zlQQ~!CqR)S-vvLl!6~ab)>A->D;X zjbi{x8l=L-GC@JjDUUWTDmX`zzaYr7w0bPDeG9lU)v39qvs9Qh&jL!6gx$;rUcIL_3W=i4a8({uEXU36F%70R`jz&|+xT zWH@HAl*pfOMZXH*D3wSET>s9UKk9^DVAa_1BC|QGr6d`wFm!ssSEFN95JXDQqBjg! z@Ec-1t+_yg{_e3su=5~-T1vmn~`(x*$#X#w0tXg`o0fZrDq=cSqC`N)wnoa0QXJJhP9hE!OU z{Aj1*_8U$i%MJE6z_1#t?I7TgNI*4{++kC3l-P47Zj1AVf3$`iKDzbtlyYOtQ&GR* z4-j^e(#_-ewQhx|$2Gl+EnkCWYdroGl~h=w`ay3b+Mr4qMXK-@4l%O5x}P*NeCf?b zy#_rwSw$QZs)!9ujrY%$2Hphp@YUR^45B>deqVjQ+qXOOl1gpudctkQZf>Az1((_guJKP zSnmFF!tPw`O|t6Z`gyj@gRED(F|F9Dr3kCTY+=jvn(B=6S~rtg&|$RGVAAYhdF0l# z-MkR#*R_5tO$X1n-2V9uX2gKRdp!(JK7kV$7UF`|N1A zTErRP>1>3AEF4h1;7MMz5M@qR#1;|R$iNwIu(L~tqYRll zBCodcUMU`iS`%bMo&wh-bgVVnxqUl4lRwMmIY}%OUM3ub96SH#Pp*{b#Znq^2lSs1 z^_z3&4vuX5_GW4ou@SkOoNWf}9XJ z@b2D)aO)oP0NHa5GVn#mq;6=&JD|kvpw3gE=O%00u$X)epV8ob@Z#EQcC#M6tEHD6 zGmjbQntt;*yIZc|Zn`j6}W^UE|~w~$q- zppoqA(6ikG;LI?za|1V?)~XN#8oYq8y7rw{9>ePQ<7K3sfmSc^0w5y<88?|GZ^a=B zdN->@mwknI5v_i^DnCC>!md31?{{-_BLbd#4MW~vT9*0fwX<9S-w1J!O@!SIMlypi zgxAjxU;O**R&CI~GVJ zS27(iwRgyODOjlg8#Z~kSSY>Vd(k^ocL{tjeIzWF;{8L#Ym~@wyc`(Qen+@W6fTa1 z#|o*q;&KEAu9k_FUhxi|^Vr*#SpEc!nsFDwgYZ&No@_~95tVhOW`9c3wg1EA5h{CH zp{Kw?mR=B^Be+2$8!dV%u~0(4XaK7{QQ`U97Tmx-HDw1L?HAS`6S^0z$Efdon>}B_ z)~};S4vpS?v;^{v+-_O0JE~9#$TX8I9U4)#s1A15lZ|;SXHV;LSkOqu=P$q}Z)V;_ zog;!zq8=gJFv1X8|7YmAn!DUkL{{_`L!#4O4~nVUWt_DvHc}|kQ%t4AuN@2j4<5E{ zjQdFf3NLQopaX8Pikiztrb1>Jq)Fhg=|F8hTE>Olz7#22K3+N07X7_TfQ(nnWpVOo z%Eqxeo?eC7Y^NIZvs(Kt?r8@_L@oF?&wv^+YlLd}?_HDicoruKXB*=U8F*@em0kAg z!XsVL-;T>vZgk1!Ka)Zf2&^zhd{*Uk^fi8~r%wacYGI1(YqthfJV?xll09Ymkz$uR zBI8t$Sq{r94}Q||`6q__h46y3U_0d)K4vnn3SlD@DN=x;ix_Kw9@7zB!W;MzExv)+ z4u?G}CFmHnfY&HwIp$DVIVePxc%ZzgsJ<_qN05pfBL>lPHD6nj7Dj-%+z&e5WP_Lr zrVvBKU)C4J55fw$h$f*!3vPB0X?awtI%hf>MJQ7~a$M#rjgZd=hoMXI0<8BWn2k>! 
zDJ;{=q>{ZU@C3I>qaT1uP_H(T)@U%Nh0tiRlTJHw7-J!?7dq{tXAecOf&G?Pi@=9& z>k<(o`J8wU92_5mancO^S3m*fev@~5+t_6Qoq~zhFFYy&O?*0hytP+>w4o}vAB{tDJdrty1wApRLjVL_(t z@s|QmZHq}r0(^jjop$YoI>zAmZiH!>d;4?7TM z_}ormY#xCiH(KhR9rju^GZ~yBcOhf4R))hRktXG}E<;s=a)$^=pxr1&6GPJ_tO_%T zR77B<=bwyX&!z6bh6>KnQ&B#b(OeGpivS%{reMZHFzuK`c9?-|VqaT=EEey5qe6n| zEWS4qAk<=@<`vUCD1R{~el2lYs^cn^O&At+WMzfwlKsiCK5VHib%(u6Xlg0zvyD-L^)^nFK z#_r30OSNVH$A+H?h>lxND-k#KH(71>dzh0wd?0!O3DJ}@ZDl9dzMr%gn~xjp z40`T&I7p74z0-)BUW*m2)$UVAinvy)U7a6yH0g9-^A)^=OLcv;#~Yx{`ph#^Sl{VvF&9|HQ;%(M$Gtq=w;KclXZ`@R{kIJNwvMFm&e}Hia+OM zjS0!i!59B#0PoH(hvvoGFnb5S$N4~NV8(mX(6gY=HcJR}Ep81@{ETDAUea0_C(qT9 z_DPrTf`@GnKV7Z!!R;jNc0h(&FE=9pN0z4Jw_=lUbRwVg<0JRmJ-4eo2gzGvxOKN` z&e3sAZ356d_R{h#GW7fC)I6jAvbwp4Xu3w;2yi)pt!v2%X)U)dvo3RR85q{g4VYVt z2Y&qS?`m}f<@3-!?%&>^^lJo&bJB%;1|;SQ1nh>%4X>V+lL|1@u(bheWApOxS~;BF zo?ACNTAP>ocliY!2&D;p+3O!;SMKY!S_i>#x`4F2KQ08E&IxXjZ!&BdpLX*&J|DKj zsxW%24?a5H^O{%Wdw9;)@fE$Vn#r%XZbKHXt%1*pt?7Wi_`D9^Z{_30Q38ED?#Esu ze;kj{=2L=g`p5ngu;LTQ`H**r`52h>-CB+E!~aU29qNAWIuL9qcRhUsnp*EGcJlxM zg#baH=l7AoHm^4>e@Y&oce4zYevJ%)g9+KsnCVmZKDJ&A|KPiN&X#N_n z%cAifBouZ^%SzieVtbgyFCm9g)R6UC88s(mB$&(pEt1%|uke8kCMIyZG9XmK9@za9 zsbFTHa7C98$9?LhBFq1AfK%k=lN2tBJRuVWef(IDvIwCYH$ElJ$P|g9(8s1kIrlHf zM#s#ps`>!>C`dFQEsXZfHe*@GI3UL(q#n<11AEb=3e4~bP1gRUZ8dYKoCz) z;Vms26%|rw;2}~j!qcR^sk0}*}Z&##twT3=}e(YrEo+m4p z=55z97c5TDjktTKYL!GtU)#>W8Z%}(rPa7+vi?|nnZW4q-zbPEm0DU&{OaY(M)zM? 
znLh=@^z**WfvNj^EIaT~Xa%pqY<~e97`?A zrYxEiQ1SXTARMB;X`gtNcsc6 zD>lV~WlDu1mtVOkS@Tch&qo(yIFC1hDau$7m`j zhyKtD8`kKp;6V9d)QVR zXjKZ_XeF856t4?CW^h@z{IJ|u%kf3jd3XIdDRxB9o9y|-iYam8f)vggxDdYZi&E5h zH~9+r!u$_L6yg)_Ywbu^@KX&%zE28e-0n+}dZt@eS+=PPzQ`bGW4O5|?hBf+UY;ib*_xH`5U&oA^ zcuw;pWqD80lJPy#JHUaW4x|=7R65k9EQ$8(^h6rphpwBX2upZo`NMp zh(es;$L$h5ilqLf<0qjcpYtnsBxQE`ChoKV@LqT8L1Xi@@v3PgmGPS}0TxK}uKM+> zhH=&N$q+vP`i}ZYn^5PaM>$tJPbHVUVCdyD{vplKYLD?3&zn9bSo$TCV?&lDeWUId z&&3e_OhCY0*UC1l^RA8NDlH>tU5i-lZD*+8Oi1U{*4u8^`iX(ZF6}C^ufgZ_f-Pe1 z0f*od%Kg`M)Y4V8yMWHg@|vY#!%m6dN6G7JVKj=$X!d7<>wMbB^Kdt%lkVj6H;6lU z1EKBl*^_kw_ypaV?ce!6R_KV=u|+)?8&B9+<~z35B%q}c7}d&|_hP5S!Li{om38ap zy3_C2AZGrF-swx<&_6Dl=a|!@?vgXb02uSH>jum>^?clY)m_7U_wJ!01m16DM(n(o zK5vDOu}Adxwp&-xBmHyR-j~Z}c7xGd1GRa8FS>%R{WdrBJ@Xz99u$PyZ}aj2KkS~t zeRslQhgP^&c#|@G-`n>&zgN{w|0RhE9tl##d~tq-6fdwo3GPIFH2vnv&C9+7t{fhM zw3g$M`)LC?&v~(tf%ach#Yt#c`;QGAJ;aLYlW%$A!RzVYCn}F{N#-(TbJi)i(x@b9 zRLmHA(;p{Efq`)Z6LOR;a#nH*KfV^4Do@3#iopwMBp%Czei!{_P-h$S<#KmcKkYow{GC zd{1xclW)ydZ3TSd-EF%(x#&6t@+RO=9``8l^zTp*vL%}l>;EvqZp1Cj4AKUb2GNNq zFGtgE5ph#ewgKIMks-%b(GnosMX-O-QwZw-FDRipkfw2Yg;8g-DmaYf%N!fvNVq}& zHZhDo9oRHz*vQz()J4&py*SNYv-jH!7gD&DuPU>ogB6J}YJja4fEVT;kC+Eng8idN zfh&uf9iu}_Rc9~Y9j3yMoutqsz8D`=KH^(W`mQj`0qi#65^dU7lgv`kP*CGwLAuF9 zom=tKWe3EXb%~-5rXR5$>$U9^t->=53rt6KhMZXIw}>|wC_M@havftfz)N6T(1NVp z#1TyoQ_Niqr0ZAn3)RtRe_{DgqCpZKf9NG~M1|)fi?rsHDn%0~`BmCuATg&ggJjeR z!X{qDl);vuhAAe;2S$6HRVyexBqsy;1%)N@jwwrTY(eS=K4SAsY#CxR1Ugh(uBfYB~hB}@+$ z?v5#w)RUJ-*RHiKus}U`7b_%mPqE{rHKDrFU#FAbA=Im*dOzS#@@Wj@&#ov%gnI&Vj{%BVIFyhy%2V{svjuS+Ms76^ zoZ1C(4OqNbMoxEMvXl#TauzVsDKnP>3HK%AiBkmqDyUKrjGG8)9?WwF8{^8<0ZRGi zFtli=xHMrXnUY~xbHp5u@)9T*rHYLu5h~p-Y5AG&DKQ!}T*ed**|cF5oAyXgk-dD8 z^YoKqrtUK`ERd_uY>mn+q@vvo*<-mT9qQig?eI*lVYnJE? 
z4`!!uA_2xq(k#a=_U6Zg08hvfZZ@8fsothdAgNcjT#b4Q;mJ;d{KLL8RjPG0pgC&s zf@v3}+n?+S}a~%3SpRQ zGWE-Uo>=^?6l7;rcx7CcS5@vWXRY1@UPg78tx_U;atlU)ZZ+3$;_`h;S+G(p4#_B@ zrC5d0OQT7{Wep;0*;IHu>>oSo&L!#5zgN6@{6~c`;as6gR@Dx2Mc>k>SxTB3Go@N< zWuUN#D%rUy(E&u1QmquBCBz$$tpQG2XL=}QOO?;>hV^JemsLl*4B@D{cGj-EOeC2& zz@#qvNahecUkoDT%%EN8-7%k28zz=Vwx#U4&(k$ZgkmJK4>yAAEx&_3m=TSw{x^cb|g{5%f>l zU$czUJpez)1zBZ4`c3VJ12BTgYHxz^#3A>(`sw2t@_CfkfQS{-UewX=Zk_hh`D^B0 zlFxVXUn{5g$<@zR?q%Muw8dpf`_E1J!0rm*VXd#*OZ!*B(Sq(akL5wt&f3B1Lf*vQ z5TU^12;qnKQB&wht2Qvkss=0ozl+|bt>?pOFZq#{^(^^0od6p6cpo0Ub@#9h{TAFx z-}IVzQJcDUJJlq}ebFELvgP@?wd26y8QADGUD&f>_O~D5J}Yacy~Fifo7TQ!r}kN8 zopeIa?Z!sYpm`5t)CMt|JL2D0qM$uslmPtZnK$>{>N=?z*v9DI-}Cp&a%ia5z?A$Y z<0;$r_7O!e@E-R30JFC3wDH(IJvII7j;HnWYl*vu?{h^G6>$3t$R)dF%Luf5cYH5w zdLa}LxCsg%+wriK^Z;c9+8IWX2WydC_+2aIrbm2lX9<4k;QFT$F30=xXD&Nf9zg*Lzf_w}A8O_zaf zPAndiGMaet+rGE@SLrLdo)3Ng?+)HO*`n2N4OKn<8C{=4j3-@79Nl*xhwN1bPrKKO z4*P-)Ggk7LpBML?;2YJq!^E=L53BE(j7>*|JdBR7DZ!*1imZPBsRd*u#wh-R7J<@W zFCtU^<&;I;x&}gVKPy*hY8n&Cb>TT~-&6ZzVF4d~j;C6VMnhT_#fgZEMLXuFDbD=_ zI^)!FCQ&4!ia+G(6Ge8((@2FFJpo5@yG%+eos|(p2a}DedJ6)glsxiTeQZf(KJ_qM z2$?weTq$x2lRwJnal1w2uX}zq_(>2;qk2svQ5E^~uu8NivyiJ+7QIqF6mO=uDF;O5 z^`X^diLQnmDKqEZ`l@~iyWSE8n`q-a6p8~iwow)S8mgb$YPLW9>h`VMh2nqOC%_*X z#|`3|N}0-g`7m>U6lkm;>n!OksR(fkvnCP(&deIM9FENL6v{7ZV3f*Ct)SGS15rGZ5WX2wmq0Fc|TFS&L zRq8&UaGR@**QS*HRE|LV3_l7z8h+YRn3f^Of^!`{9pv!la+39Nnq7Ka1}=IYsNJh%vbJkpoIE1>~Hz8biTdt=R_o9g`V#xD-wltJgA)%CV9Ax3_x!W{=En z1sX3~=GfOIxGK6szR{iyGxlJ*oc*kX8h7jv1V(!KN$2pl4*uA1z(l%^z{PFcF8Nd+ zk!%XGzPPo{8Pc3!6pcDFTC7*Lx{*GVjuPAHSn=V(5i=K3P0TvkntNKYr6I>`iPvgANrYv7-EMwdgbu&?)o^&~>v!(3}3DNS?l16&8s>9m&&T z*z5YGpW#Y98jnF=>=)_bXKBlVR!^ctUt+FS}Ss@UzXp&Ln48n_NU@~(_3DJ zMmRqFo8RZmuW9hNeLoUS8jlNq&MCk!7hc(eeKXI#3pF`jGHNpieE1OG=Fw0lAtz|f z@8Vy=!T4szD76}MevQXZbnP4BVxBk&5Kx34vmdQ zmu(6RFU%xO!zx<#jbyF7Km8iUFwC>$mMq=|r;M_(V^~9+Etsa^h5g}Q6^ZSmbYYY=&y($JKrDtT|ug}K^87p@?^t2 zAl^GpYDVWtq^+UXWml(adhP9XG}*lGeeryUVs+}fu*pmMwxD-GlO=wK#&I2|K(o%1 
z_r-E20groL6QlP&r2Ca`A$mF&z$;)2JYDOq+~4+Xic^q}m*=)dw9eVnfB*Cf;UY~! zcDh?c_vt8|K;U4#>H9zBi8K59xZgKU0Px+)0(w1Q2728!%U_Rj#~M0xO#5=yb`PV} zIkxQM*4e)lWoh(ceog!Y-reC2OwF`KcU|3fUAx_T+E4BHytULZsCk*J#it3Jy&WLv zoDFOcZ0`O(3G{oq;>=6e_SlX*4UPz6q|fvz_6L4$Iy`!~a&liJNcLGii(zmdAlf=S z5;qyUj+pQ8TxIVty6647$M2bsh~Uri4cI%__PK4>-`+Z0yW<6_d^Ih~2H z9OuC;t88;${myE7*G23GG`>7C&doIQS@8?K(gFZNG9XItn7hQ&_H0xR|cH;h%a4~Li0fdS`=hWclR z+O$=S*`6l0syjO$L9d8UR~|hm+Ry2{j-S(+@A)@C1)tmcsbhPueHU5Lro#vYdxI|o z!1DRWSd)fVDiNaLQHdwOT!8BXG;PB#%Y1WXMeB8m)UmgbatH9Z=egtlDsX}CxpA>T z{$cU;)al{W%0T${kY?`;x|+?~{({i}n70lLbOp9PVon0Tm9qcc1d!@hBmuiFfE<7g zzpK)uY$&f$%@aYxRbVXO>yFTwMKGR55nMMC1v3Tc_Y~xTGXtwKj5?Od1+Vvpz)Hc| zOO!0Fi5qJ(h`7M+0Acy?l&Dr|9gBrGS2$*^7ap-{@Q0AiDJe2}EqklHQDh}o%LUOL zJb#DLQk7gM@ytrB><4Cybjfg1%d&D|TVDx<3V3$RkTjS_O}!M1HscZl8fNM~{jn zSzs1Vm1jzsO`hC~9??~af^BzJffJ2Fb20V@t`grOCD=bLbCW`G3|}d21W9iRyl3bm z97v^>ofh>Dv&xEYoMP&Ki^4~V`oo<+3Q_R;s*9777GPK!StVwJ2Yr-u9Ycr+PN6Ku z+(B;Gx`~0rPxD*^34Y_aME}H(e6GbjAlT2F$=weNb*Se?Cn);N{hPPgaf;D4$fwNs zh#e6-@}WW0@l~jEO9!Ftpt+*AM@JWy5 zHOjdi8dV{+gkiI^wMLO(@^IK^!_(1u&dG+>9F~n_QHcKzSV?6)2Vl6X5bc)P$Cj< zT=!STGsXd-ya0#4<5`Fg*BeKaH7YfCcOy8ba%wq7tVl9`-&-vYZ{D}!k|Ty^i(pm_ z!y}Fx$6-!jAG=hG&aT#88RglxSl7=o?w&^Y98;T{MSI1oIzAp~j@ zc|Lf4H3@z0*ew0hrfgPrfVd^#Bal|*RJw?Sfgwabqr%myP|%*2F~#X0K_$SjFBPN_ z|Hs&uG1#Wf=pJjsBrPnhNEuw4ZhpJhrte6Zjj+)B38s~r45lN$`fnR>F{))K zXh4`IIzxPde8Zs3cuu96%o|zg2TDqaO+KNOJ_ls;_qk$CMG;noT55epMx~chKI%}Y z#JNF>u)AoIM6XPQRYforwK!()Lk4o%@twi8G0u-*-wHiVTwQ??%s(nHd1$I(P$?$G zY7RKM0C=-YG*^G&(FNoo4;p^-+bU+oAs*>>X+6g_OOAx9$Pyp_#XylCtv;^X~#)46q)x|GGSc@f6rX z^bi#42YTxRPMjKZE+;eHtfF2-lL5LiR1+|(%BpRXLW63WEiT2ixVt+9ceg+(#WlFQySux)ySuw2 z!?*X${0DQg4sx6;EAM*brmU09lbExD2Z;{UhuysHGYc?FYKw#^Yzlv$#b8ZjX`QP@8=@f3IxWMFVgQvW_vBYa@4ulCqWR4(fddF zZ&B&*uTkm?m|kidFWc=vxeD-sdU?71(K#-!S5GN!=h<27C^|>m7p}JvPG67b z`%7z=MfOhMd(y3*-sAal#BSnUWay@L3i86+a9E}_K8gKSXizER)!~LJZsID{lBIip zKM$kp!01dWweF48E%!lyN8^xPy6ZSI(7943&1JAW;P4;e`%!!&2k(AIkQ(&uDCBSsFNs>g6r<4Tdh4`P}MyzrA`I@ 
zp4~0(Z*qZq&M){Anms{osq}hkOUG@sbf5#w393_Z9ui;FHLm?9al7L(ADgR<2XvB} z7y7aI(X!{Hme+T$vU{Bm*6+8sKT!-jnHv`?@)MpQ=)zzWe<1z0!jb@;*0O z7G#iJX@<5k_dVfDJvA+2-aEi#WsJZ>-{Q*k^T2pzx}v@OXLX?4X+#pGTnT^GM|B$T zFsRIhW94MRh9mVg2owsx$?CScd0qnf*90CGV7#3!Jz?gw3x2za__?8%(|CPf_@l$f zanK5lzy2|Gef7flw9;|h6~yNXYpZ?c?Y2(8lDJUK3xXY{i$-opD394jcMnx_PML4Y+lVKKA5z$!bJb_ zZ96nBS#0AbJUZBWEVxqdPjb~7K4I;<(lP%-2Cdk8D#yKbi7nAl->NxL#1gH@;~C|U zVtWz||DIWw>Bk3obX%g&C}sBn#4NJ-ha@+{A@)Y=CyJkc9~}(`SI(D{#gs1YL&MIu ziS~Vz-QZ<13>2O99vkWZpm$;I{^Co7u4IB{1#L_C5f2IzX0NBI)3sNCDrQb)JQ!=? zj3(eXf)NTXq@V4TMS^Wf%VtsHB#3P?jVABS5iFjw$qsCoGrvd0WMC)IV9lmPTIMJW zXEC#xBC}eK)FtGQ=31sJXrfwn!gf$eJF1siooMvuO`V;yjjM>K!x<4}=j~RZGO!_! zt4$Mce4+Wqsr@0UUz?2{Nf8_%77rn&hW{Iy64NDaR*G?8gS!=q%?-O=ZT zz|*1)wm0yD^xueYGhrP#frkR)uv-E-JGiw3oov0q~eP{mA;NmO{}T%NVM zq9yvUzKN2)TFej0l}unLz5K=Yg6%NzQp`MW=@*)TVY5%lZlj8qaUlfVzz}@lFUX@W z-UyCa8E$xsuQF*0=_m;ez==`@e*vMEv$5l&BJ|>gu$zbrRP;xgt1~ z_?eXBOE@MWw8AF9WXq8UpF&ke{h}rgOb9Z#7fqqr|7@@pG~&Rm4JC4PItdAZ0q{eh zJ~Va#3c@%{kxFgJY6UbTQxqI?lP+j9IC0A4p}T$@A-VQ!fZF$Ok;^SI_n6M=0P$Yo z8iSfUKWmBmHv|TNlqP3v_%VSwlL%^&xWlTIpsJ{)lybi+7woDqQ;Wg7K)b7;t22%vYIj{W5Hdy`|BW< zb$Z?1q@E*8JkZ9mC>1NWpjPmr{o~&A6QJ-GH9hA~TnN`aZzf5&yZQuGpx8Jq{hu(U z4F%%JQtP?NCy^;)oC57XR2eBp9@A{`_;aiQo@NS@C@0B6e5^$PF>o>|#tX#z)70XQ zz>p01ay5GLHj~e-;_~J4P(YIH^R_!&_f=&VaO#pA(p|+CX?iusxg`*!Cve!mJ;}hm z-Q4+fd0H;mRJugCn_Zvw>4Ikl2J4pH%pzwd_t z%YJ%aK|Q_}{%jtbp+C<6!}tK^!zxb3be$$H#%K33`8&F8Oo7v0kpXgi=ZW+iYurA& z@@PcuuA^a$oA!0@l90tkFpK*G=&s$1&wF(Pz^Yz{=qFFa}TaaA;LJ_uoc*ZW$$!gxr;kw{q&V4lpxb)Ea@; zcPI5-LUbcN_P2D8&>Pz76jp6!AFWbNiTO^@N%%eOTo-y`n58-9=Uhg)EozK&AeH0}}vp30E z19}rr%e%Z9A)oWx$jF&PVkZK(=`L=(xOy8fW=~3fv)RY^RfHI5-6&10@s@ke2sGZP zmtWzT0_WmFN<7Z2&@=6w5BhMCS}!)DY`<@6Qrzyep7_XT2&_FZPPGN-^W?t_Ka;#| zPe|KbZG-fI-h;R}H;tV#Cq}rJWr$5pCVB$uO#khKVCm@Zx)UX%Mkb+{rSQ z#x-h=6PV5GJ|nQGa>p3>sBcSaEG70}qNgH-#L86Keo_sC4bYjOUzRABVC(n0$D{cX z8#;SL5$F5QM$nPM3~vK4&ycB_qLZ>s;6sdMK7zbOmt|SNzHa7vrNvkr7+_00)6yGh z6*Zg^AYnV&`)*j2Z1U5lu@8oE>2r(1j+cF|I29|B8I(s*(fo6X>bNVWi5_0AX3t-i 
zXBiEf`(|6+4~GyD&Pr0Ga&AnrLzpU2AD22NlJJjQRb&i$J!Ue+;=fbq^eW^dt2+4g zYvG5HFl||1&n0N7;S4B{*s;`p*svJd_$X~Thy}F!0#LRHUgC2%8IK`wZclY%I3{H2 zL?Im-13#p!6nZ~FqjvV(F!3^3>(ZnuguAZBX-)pRS73Q{SfQKJ#H>R0);@U68N}q3 zcp4syJ~nCBt2K@-Knj|*V_(GLM~4 z7at>-u~2!TNxqH6^GR7!v<+Hm5J7?o035Mr|?wKhWubh#p{6s}Tu z!SX&Df~t~H=a}jd&;`;+fIZtSGjq)f{tARVO+q)PcHU+V|Cxi_y?VCyv)SiBO_iNT ze5w3Vgb~_@!x_iYT&ECXt^qhEOMo@i{b@#kglww($3hwOErQMSIqgFJCCjeMFUO_U z(t0p$&+l_t_>)B?@yo7Wp|;|@37LAyZApe5Z4#ksF83%iwmhnKTbfyl*0Q*47RwwP z&7yO^=i;zgLPf@X2KZCaxed zv{!}UG7*tzGGxCY?fgK@C_gKK^526rnHGRlcpw<0b&R5^^T6nWxS=9V7P`50x~aGSyjPYF8j~SBGiExF8k%2 zWhjDqIiI!gXh*Iu%tEc8u7brgBWFhqDbO(QuXWeCmt>#bgB=;$D*GAozf-_YxleKD~^`lDf z?tp?UTg?)oX@z$Pka#FhS zZapPta`APXs~>%t%H5V4)q5PnWE=u=nJow2^%#3Wya)FWE9wU(l}dFJ){bMphbHnn ztfy*UcwEF&zqm)OB)52Zp<7SU3`_> z4AxHtxSytPBO)3)jqWd?q|1D4ePB<{jWutA2<_^-?<;K@XHf^&+jm5Ic!I{i;H0=+ z+wBTKjzcIpn;t8l(iyFNF2hRSuP6Z*u;?+R?QMO#lN-BknH#OJnJ*F^r-#7%Ab8w$ zK=IEBetRpMhwodqQ%Zep{?{k33ni7VHfQ;x3}fZ>Y5kYi)17e;4WQ1+jp!+3>t&cg z+aA2m_L}DUd7}5~aYZ$u)5RsfH{4ofjd;_U&4fOq#zk6rcIzT!IG*R5*Xi((q`Ymt zmmT8?^qceO=I+XO^c{ZwXJ6TGrj1Q|=L6WK3|^Zl@#!QoD?oP?59iXe>C#E##PZAf zU07U_TaGuGQ^dR2j(za@7D$OW%(b@hpmKbPUql6JNC!G z!AX6GOx4O8$kSBWhUNPA_SCXRoOR&E(?4nXWx%Kr8SA3Yir&f80_aM3a9#NQDRfuB zLz3UU^-#{kHedUIFLKiz*FpXy+@QhpfM}5T>cmL9ES8gj-i8c~P#X$BYug%P@N6;1 zXJh4QTZ(%7hU15-OEQ(4C!N=QUO%dLyq+3*bQy~7&zeA;7N&*1Qh@)N^reRDUu;bv z^nht8s%Yr_Fb4EjA?QBYwuuGpW36Ul(|Fz#!RVGli4nZSU8MjRDNPk@YCf3LUwK7T zu`ogKeHbY!<5CGjr!3ewsDx&NRZ8Us?S5EvCQG2Z=`57{Ans*YM>&Cb5kjhXVyYD` zIq8I4sJH}CF;2qYou%&JyPqnBDF|@Aa<%FM#u=fZ3Exabi>R1>e4@QK$uS%fCRdck z7}jI$Mioz%@twmRvHoRiKjXLmZFmUBi4vbqiXzU$y%q=0*)yEB1(9ZM32gQj#NO{m zO)%d<1v{Q1zDmPI!(*#X)%*uvW_(rQM4nTJvJ7d)Y*lWb3<;pz&yDGKAIbo&GM*=0 zo;2a|tWm_Nnt@7YK`IpyYf#Ufvv^{p(<1zU_st3vn~qfSkE*UP=(0q?bB)EHgTvMY zZua&vg*j&I2^v*QhC$fdlW9!Wq;=WgEb@;PQ8g4!MA5f7Z}WXO-;k4!uG`_G{_lI%PTi$X<8DjFtx zj9TSM_T{=%wRh(VW=ARWB?sh$2p(4rshWQKU||P1Slyx9{*b?+$#VW=5mhptl!#e5 z;fmDMN{b_nW!_0y+#(ExXeE?+(V#T777`DIL(JmIxnDV8yPr43pV&{^dOKX8IGonuIe# 
zR^Ul+aJM01S)3K6Dq<`UNafuCUnCftf{I1QMIzu6fXN|gE^tetn%D<0n=MQz*e&*jc2BmvxrX=8Ho>Oc030r|B_j3UO*2@`rG``&?^bP(^-;$dn zZF=vf?PmFQ=PxMMiXKkMtiZY>Sa{y+t)0qC`TW;M@mlre*W%KKb<0ss-{srG3Zvly97Pq|9~cY&kQdr10Ku4^c@{n|nEByW%4LxyE_Yqg4Vl0%vF^{Ia3 z^nzKoYrnfy@8IyLb${Fy(0eRlM_+$?<1yoV7?v9^CCMCvd;Dd_*V6!Wo}mH&>pq&# z^xv%@PZ3mvSm=*~D@Z5hUO!r{7NX9a#CMXsg5CIa?ozbD(Rwl(k84~}p^G4pYSb_E z>xE^v){B82{?+x!3lrZ-5Q$9zu(GI0dO)6}>5DE6@(3^#xd%9)nTWiM5;QGSVB=|zibw8|0~Mjj`W+`W zQs*$%;Ag&LUEEI`&@uZB~^ z=dKO;2)f4|=>m+(y~8a0BbP~>SLjfp$X6{^l~(s(%BvS7y)f}qU@^KzmParwd%u^= zGm+x~ke|JOm$>D4_s|5UtKeHV-cs!rRl|q)a{fSxkHtwu1fBLc3rj)S?@_*sC8JUQ zN+`up$eGTeZl{{h)%{@|GJ9DdpQ1I+till~Myn=~Wg5O4U$SJ4rdbN_uFzU)!&(Qw4 zF==B!O!p#{DFc7NNS=`Ljs}3sZ5;Ar=AHY;m#P%{A{`yPeJ0JS-V9QycyIQiPhYuI zkeqcD2m7IVDQ^P`7VI9heN~9+ll`v73^~pd;XoXUEJ0#PpU2^JmEe*?O4Qr-@;+^8 zRBM!zHf4^_y~#OZEk2>~!3}cE?YywdUv8^0o~Z4@EnkLT;{@NQOU_o&(Ke*@KWCw! zXsZp{G+IlUVup|X%~r;kcaS(C8w8{kSJQz4C(LP-f3g=3jKj?Ub}iX{2*wtM!+3p4 zIya!fvc`Pe*%tI4u~g&m3b11lPXlYq0r%bmLWokBrr%?~SV3BE!hpL1p#M=~NpFEq z6m+Q=#{0^ue#{VbuScl!UoH$tNpcw3|1gE|rHY`-^okT6;!T=|8ca&ULMb&HOtt$z zaM&~=hOK{u^#;Yq5yj{0#N0XX z*NB&s9~>gntl`ffNReVqJ_ky6d>>G3IrG=kWTPkBKHL^1TZNkQW;(|!uUoYhHmN3* zLowr~iJCEAt(f=x%)%+P^LH%1N-T9UONM27ziq6FD+WHG$#ltsbXKI*bea5XuvR6; zvtG7-cT4}70(Ocq_a?EwZoW0G&A4#gL@=2vF%Kt@E&^xC*r2Nh<{`hH2+D_}q{HH(iFYA6`!50lYq=*V<`sYQ8q-{+yL9 z`*?!QCatw2lb3CC#?pY*2x(3U5|`=WRa=S55aQ>RAAcnn?t9YQ)+vcQ#kgR2-Cti$ zS{pAdetIo8?0=pBK9wxmt)Hie?5Cr3><8E!TDQ+U9G+pfw@ltFUOcAWGkP4B6P=77 z3V7GQxjx-x;%WoJ1m0JMiL2K`o^}Ce;H_!&H;08xIj!^c9WMY;$K#nu;N15`tK*s8 zQ4+-_hd`^i+`N2S-HQxa;;$s0%=jeDrz=hw+GJX%xQ`vi3_d5jg!(;`X!_h9+2`nb z7mTCU4tt&Rz=_TRk<0f%Y}-|@!DnKRt;)I2*00CC>Y&@xik6MoM}c3_cvmX9#MK8=fjL93~NjdV-e5sOkV!w zkzBsz?uWoOht>GTw71rS-*42`+X1E%8*e3@{0{pGg`1f;#^eA>PMef&33tpLsOfBCS-(z1FD@0@>PL5zD;N_>_tz6r6QG9nXUkRqasLcDxqh%cT z#ODVz@TkcV=Jw357}Jr?!8P3_fF>C-p{_ zAkb!7s*`tqD|i-SPjw;B7T$}9g?BErIB3*?lqZqS(7Gy=uH1VMGt~V~K331lSlSb9 zOFv1{T9&%`xWbgDng|1=^*AW=QZ?!FdP1{5_e>FJ@L@`OsJQ-MZXuzH^^A_i9w*7G 
znJ)@LPZ8!6VftEY;r6-DKU}P1)R1`9K%;UMPRszrblYzMHn-w~Mz?A&kW=|GlYf>_ z@<7$WMs->e$Jx_|pa|++3cn4U{xw%GM?j!LD(D=fLTkuL%}rHDS}X3LP@{=GsMjeh zM^~H`6TSwP!2W7XG(M;O?rV*n8W&g_Zp+1B1hfd{6LOr3H-vKG7IaIK#qtwlQK zD#-H-BD`Aj!o;J*AR?x2+CodOA%k7rwqf*vJARl&tqm5PsOw*L#Ly!%I)13D@2TIq z%RQwlVM1D#Bx?OnQaj?rQm~aT`+N0N@YqVMxlbe!1N%#b_$YGvx(u=ve@9?sVKoGO zCB&CwEc&J_^vrMJCYXD8_Xej?`)-zPT|mYiO|KHl;U$#u(`{bih@6GHCn!b%o|~pe9r{*+x9?rH< z&|aBdF>vn8=5uv7++oegB$n|INRc~NZ!UPW*DZ7+S`^ zHxk^dWCr#9`}lkmFv>Vz?+v57l3A$l($ak?6 zBN5m9qfJB!XrELyez0cvE-yh433HsqBn-d6CcAH61L||MVtZH}S1pB!m*~`uMaK`N za>WUNl1pS|VaoLyD5J2-`x@=Xt6px>Q9NHUrWjU))+!R0OJEe*2u->z0n>QO-Ym-T`0 z8x*J?6MEFM-&eBAUSw=E`!Ks+@*S7eXNusyUG=9kCJ<{sG%pY9r@siE&g-i_wp}fa zR)F`SLBK+rrvc`W_w&HR)#v#WR6BFKO5Y8w>(@y=U9QvJ*;M*CH7fppkef51$uY=~ zYh^TWDfe#1qtO>jK-e~)#OqzCl+l0VmZN&uVmd)wx9K==%FdQ&*wc7jbqYk>Zc1oP zWYWxa326T*^mLcf9dXz~QnvDT6cb@}YqRbD$k^$s) ze=jB8zc)|vx*7i-<@@#rK2i5NM4O6dT_ZwY;G()yzwSC-nvwl5_Bw60q_geiXh9z^ zTAvQceAo!Ga_H0KK}Ju%y0YQnzgkImTX!ByS#I3SxVO8{oSsbJH3R8)G{_wc<M2;)Rlboa|Yo$D`;0XXa6F&?|O zs`3o4=}b2k^aEU-ZC>+C?R)f0o%1wMSHK$VLaD&7(-5onQCE6mw^4p8$QuZxKE&&M z?@DM}J%2oE%L_<-yx_W-dv2w+brXEqFL!&Ae!&fRGPv-+=WKboZ@lz0Uq=rh67YSV zd?mi)sNYNrc+{KXbq_EuAtZ7JzqEEfJ)FH$1Gx;rZdbB6dZzxmw(S;<7q=u6^1Amc zBM1Id@#@x)J*tU|PU^1P3@`qrt(r~ne&4#lij$nD`u+1u$!f>zwYitm_5G#?r_=C# zCa=p&b82R5T)Spr)4Tp+FrLp7?@iwe|8znI>jPoDiKT?!$A z*4;?wX3{G4lOydz6ZqMr#fDOdzi=(PZI^e$boEpu&6t>r2l|Ljp*KljG@!G-t`x15 z8XVi^s)a8x;CX1!r9;=Z%$(1ZoTdr~N0f1Bso(D;*&oX#{cI&dC4b4DB`WaaNSTG3 zjf^|T1eyK9y1}o@z(P(Nauh55>e^ScmW-h&Rb(0*+LND8lU`Q1BUEs%!9c?aRf8;d zTOEfeZQYV;eqs@TR^Wyie$-4AFQs^_MMe1?li(%Cbmv=HVQtO|1qF*dU2O6;6wBgE z!f9uIj3aK?YRJ&^o-;jOgK_0$mM2H%9hGWFE{CO$6m^}bVz{(SDH~H;cK9#YWccZe z-~cE}M1ON4%mG#FSd`zj(Y=`XfvHu$DoiYU?8ynL?Vd=Du)gvket7|%!31f##8vOf z%oahlZ8;y6ES}=&WTC&ODCECrtj|h|uI*aZlZzm+Gi5KV#y6loP!Qm-$Q7%nl9Fk} ztbIXoKD9RCo*n(Fh`=UI$}uvdGes%onXMreMQ>f4CZ1*Dn}EdQj^<&%$BB%z?zA9?p(j$jWbsI{o}RI)$rFpTI12MOu$;3DXgh_ z79%s6IZ 
z8Ad3Pr5>uPl!(^UtrKn0B-+$$%@l&cJ0{?z0#`!f^097J?*;AvU{E8zdB%HC=7v!6!O;9{u_8TD zvk|VF|3l(*7w}iqMSN?B3LOo%R(O%&;+`S?y>Z7dKq`aG5z$2yTFzeuL=LTNmQ22# z!QXCCZ-JQ`8)w9!K|VKV%;p~!uQFwWqh*RcS?cMgh2G`Np1ef`{_rvwk0>n>8+Kz_18U-7Hzq zE5a^dRNcT&_kgI5LRS1QF^7CuS)?R)QA1nQvEH!rrx{Y&h30e@>nDt38TWiGsd(1F zwWh?y9T=6*rF53_;bshf4GRdDs&$H%FoLY=6-AF6u!pOcJ-^J9IiMiq8gZ(cBta*X zsTlrH9NSkaTEwVHSs_lf1u-cQpqV>U-%nr>a*Th<2#7wYkZj*zu*jF8yB`R_ADzrjTPe48RWpo?diq?K<*##z zINC;00$5^)8Pzj6JHCs6#P*9tP(Y=oRmgg%+axFCHPQ7%-1=%y+)MBCdgom+L7XLJ zYd603hu5fJvHk8M@YUAKY&*^iTsQKi@T}vUkBI%2`t9>U%zl*DIWG575koY5fc9VgU3To?}V3SAff)|_Ppst$?9e0^NnJn?yJFei@5#yRFbB35Vhs0UEONLVa8qe zaca89ru?fH___#rA-VpVJfhqds-m^`H=1^ida+*Ht<%BC8eu8ecy~}B<$Y-4Vr3l} z;tJPxwh}PtvHgBtQcEI0xNK$Yl!%*z%HQ_Zrk<%!L!+PD=Apsfc+{RLK@UFn4+KJ{ z&Qc@YAId=J5Y4wBc!sCOm&t-iBKpxEY=_PFkDWV@i*p&3_S81mb}f(Thjw+ZXMqCT zJJY}IBY;dtDkP<8x$9pcCOt!kC!zJC9R5pm zJL`1XHXH5+xiOer?AXl=B&NO3$$C|^y^B%%VgL^G&7G=T)sE9PLUHdiKg%^4PS;%z zGmqM$UD!X=zB1ITRSbgP8O+<&U(0nX`N46Cj9wSXxIo3^`!!jT>dVZRH}O|qU+{#! 
z?>mqH(g}bF1v9=(%Dh43RyeOS|4h)YGrkI*psxU@+Kl9!!(UKli#wHn#+ z#=6|AdH1CMUdWB3&J;P-Nv?7z5o~7gT!z08yPuOQgd#zysePwO@4CLmzM=5DvLse>F>v&!r~P2bY+3&WlX$w`XUjqXpt62*i7L?Ru;<7WB$Xs#o zTccZruZy$rX*BwXiyDPZ&w;Yj0ibCHI-#125 zS#&qV9J5vtf?{g-@>qX3K5prPDh8cJ>vrs-FNE@ES+UMMYoC~yTk)LuGs*A9+?7rj ze|}Fqp(fLyn$ltc#R-S1!xA+jxM3m7;fQEMi95>(^rB%4*?yv+v)s>F+GZo=r{$c*h)jx5?N4F2gEGgf+C^ztnR2+A@Fw_upfPWx}KcbPxQ&K|E zG5Zr@ye0ckc15Y-)vx$bKgrlK&#cT?Z3*cI6ZkSw869RN8RB3TRo`#b2@#Z67=yu% zsl}8Scz&6nu_ThpzOauhe=$4yhc>LpU-GRVW)Fkl0qUpI4{C#p1EU@fPD5vEr+~?S( zfHDT75vR$KYKOV}kVROPAQVqK`@2_SpIk;+!X5#QHZVYJw}F^|R7l;M)lOPer2Ml2 zjh8QL*bz+-MSY33N|5#EMP@}IM;)eOW9+~3;{UesnyZXh9V$7hU($LVWGk0`=9`ml z2kOAPA~z&h)7q*PhqG7fVVsz&Mj{(m^UOGc9{O;reN&DU5luA26pIwP;b^-@@2NFO zt%OCUM`Zg%r}FG|zk&X!iR7j!Fnf7Sjw|~ZVJQDQCL|idLxDaYfHB;!lj)ZZivX}?*fkijY%YL=Jz|_|1NzubMu?q zfzh_kA6}zbFJQr0wjfnwCUy>n3D!0gN^IA{rSEwQq9w# zSWM5T-k?RuV`50PsRP`#X>l_iYGNK#LF3F@ev%3$D)Uz{_Q;{W`l}I81fwgo?O3x> zzU`S$t0Jju@Lac5x)c6Bwlw)a1Jd(Pkmg`%KO}Qxe28COF^0> zd|X)zL4W6hko~ub4S$7Cvq|-SoT(p(&aF4R&Oy(V^1e=s7u_I%j^^ju){BP@F<0(0 zD(%a=mmh=bfJ2tfd!BEhe&0RoJ(<5C_N_ zWum_4AeCM9;HG2$pD;Tw@OJCDK6)jOeIh_(H!hRkZBwA(X%Mk<$!R~n*fUD}Y6IwB-BwlU+*|yC(0Y5dI=q-k)Y=-#RQ&22@%d4s%}Lm5GCyi{ z*KfgHBxH3=)CQ9Y+^lG7GCdKc6cIeG@cp6UsUH57qZ`0Yt9n)9PoB zRyUL9>?H%zA?Ljy^&ja^6FlpwhpSuVsroHmthP6!@*EQ9z_od=4UgtFfk2Ygm(?$o z>Go>3`5&IYt->JZ&7Ot#;{rl8^bSF8#$WIKUpXX4-P*P*W0pMckr{nE-G|LcY+KK+ zns1{DGJHxonvKIWhYM{5oWGN4taRD(JFW*pv>^Akj=TA+;G6xAOwu*v^_~RlCH8*P z>;d@t-})tC@A~y9-Uue-80R@8KuBvmG<@fLmVSg3f54pq6|d&oZ0MOoBfOW8-7)ER z`Ot6^MQUv-z)g70Gk>(g7ukOZ$)oupY(|AtRsTjR5bmvD^THc^^l*9+&S_xQ+~|eU zU6BGY1Nzb*G-S}`$6zGfj0@um-D{)}WII*jQ=53p&@A^vtG<=Xi!S}jw2ku8A&;hQ zV2IhT`%BfvRx$T(KK0K(a#m8~xO!!uP?P;KhHkbBWE>erNvzZ zEejYZ`07Ulgf$)ooO3Z;UbA3bD#KxmTnjp8M7Q8DISzZc=%D)3w;`T+?nUTwp;_9f z4&zr4b#j>PkQHeVekN-@=7J`g;*zJZ-Y;_~sb^@d zztZ|>cu1bSbC>N63YclliQ=uZNfA&Km^s^-Iy8^KHN!MzlT%348dU!A$@q7rC7mMTbyk+T&Abzu z@b0~}cs5e7MuVh2o_KP&UQtV)P!#?LRzmf=X!)#J`)-i#Cs|D{6cUw)n_$~ro#}|U 
z2?IaemWw;vN{W01q2gZ9OyAX@SYtpeVq33&T70$^w?rf!e9{IyoFlKvw%lO2BVYEX zppZzu2vpU<5Uww1!&RYi*)ZuB1q!Pqxz3AWHMG&rN1u6BCBz!>}SHW6fG(CCFhL2v0{`!)oB@eQ0#yD*M1K)30eP$Ua zjlzSPiT!(PAxl*6@`oP}!U&7o*$kxh>&PeYEY=Lb}XSf_V`;gJ|34Y@nK& zjUUS49*ZsR51ilAZ zdPI)2(Q*$?(HfBthx6%(%imuiT@`X#|Eqq~dObyH|0!)l>AJTJ9<-eB(O_p(k0nQu zF**5RtHv4szvF$<9O3Ufq3o&6m?>q?bcpnBuZDIYx zL_n&9Y|>4Vp?9Y7c)(l46xtzH2wXlKZjQECbvE1`qYtquB;TI$WtcPijI1}BG4MvW zJO(HyXj|6}2qB+U_wwB`QpTJ#sBbj9OuD*ie2|-abm}|z`GBo*sIGE4wSS+s zBI^rrS`zudWjx{e1Pk(u8ut~d+O528_ho16+G+19ZP*>|mk+ETVZ(aajMzkN!;r+q z)uYE$8_)CJCo%XBD^vkJKQ}}kQ0Yd_24O!3?9V4W+qXStFP^bNeyRH0H)W=IJbr!^ z;9GW1KbROj^L>rchFr8zrp1@d_Ee$u4H^)kbdQNJobLdbFUh^f%93kX}W~)?ooG#=&gO*hTgVTZrJyZ(q>lM%nO;n z`elHyLlltl1+dw<9$Hy3%K!YyrM9+y;4W%T;T?RUo=lhfVv0&tkgSxw!A)> zx^6r@z;Eyv7Ta)oUDs1aww?VOhI+iPANbS!Sjls_bF}dKXCQr$pPie@ZMCrj48ey$ zAUBhoD-ifUfE|e2G`Ka5J%fkqcof0~$p4|67xwY9K?n&L)4WCcJj(l3@+&IH{b$O7 zg=~lm|LE+9{9RgE)CJ(5PqWA4@$ZZ?ep>lh(Kri^d)`X(aGg~u=+_qwV=gDMzyxC%Xo)U))3*=4rA3&!#M9K_NQfT&4F%&T3l!;)F zoY5!Lv?{k4ggVbQ%D$E`qCn$4!bv_EA3E-g^l}JF(9G8x?JciBKHfk698ZoU;YvBS z>NL6jm$D=9fQveXI23$rD5ZqtIOuekkWybVTO^xlo>GZ33VCK9GFv{wrOE|CuD4A> zlV80iu)xnkri4gChWglIE#WS^vD^~1KRzYQhVUMH1*lkaGAR_#e6f_hd^qM$HoPYe z9-WOVTE~e`tB_$0R*X2h)@Wv{n2oUZOV#`Y%M~N(G_OW-)~|?Iz&3is24ngs+gkc3 z+o%vZUkQ$v>SFbFNS-Fap^{F{{0RC|%*H8HRj!GnQEJG(a{=1%brzvEYP9`pHU2;~ z7lVi5j7)Pqslc#v@kCbgfY;CFEvzhGCV~b!zb%+R=4s?MFvkC4>Ybu13%73VN-B26 zR>ih$+qO|LD#?m%+t!M0JE_>IBo*7v`m_J@owL8zW*ZmtYTnFuw6~9E^v+o1&NQ*u zq(XgwVb#7iQnisk}oUf*%J{ z5bzUTj^7aDNk+}MJJ!#Ur%;IGVMxEdA`YM8(bxWr5U$Y>K@%+oPWolszHphLu&0$7 zm$IsDM0m%2bAdTxNfGXW(wL}l7QLMC7mU8+QV#MgmgsjXVXx%o@7hE)@l~TuGmR2u z%`t|jNXii_qt+7f2uvm8#X!<_dFA1P`OA$N&M74biJ?!@6vBl^Vn!YHLSOD5BS~(D zKx;jNU-r8QjD!Qb(KdF90@tL1lq~j?>Ko4=svUUxpy`MQrZ|{})ep?apHn%g(QP19 z1GixZvfje3TfkQGUozeonYUd)ylUVb&!Ufo;9OU*w#p<$BW_Jv=E%1>jPOU-$@53; z0DNq|704;&@~oeYG5 zOzb*DsyJ@GWPj}94WRRdaRO@;Y|ru;6cR)te)bHPx#&c4*nu$nR&5gwaX@Ji+{kM! 
z6>Yt4RZ;jIbvc%L%qTD%%F{jbluNiiE5nK&C7oCg=F{>vAm3A;41e20QZF~*f$ zCw6nA?{hPI=`$QqHuW1*WjXaK%(C{C22^FEY$Kd_Nk}<&Rn*<9#cEr0X8xo}dvf`W{)%hn1T@cZid_Afk>Bjs>K&1eFsg;nJlPyehKGUbOy5|4)x~| zu=PLPp~SnD>saB^OCJ6;rP(4{!Kf8y5~f*mng%vq#Z@aP(wv-_@bEf#I*U4(4NG{% zPYm0!;%Z=MSIUF2YdGfEOdJTS zRXD-cF`Rt}<2Sfl9Q>Uk|HMAg0Re2oNv7M$3TaSE@rbo$uUsS6>b#zMX9&u!*g3J~_VP0UV5j06yJ}N?QtII5R8KjKr4e#V(5xBBC%4_;f>^|74{Qz48#iPS5kRcU;d_Rz(K2Xj8R_K&c*dgVP1|XNyg=u?^ zb~9j1GZvALZxDTI*Ov*4s*dgMZEV)Zc{}}%!S2m4pyQ$CMH1L~STZ=gHebTXeI)6a z^EkHgMxT@2efFq()OV7^Q|zYoyQ}*a#Ht0DD78())uff-!)egsC$>` zhUt5qGwQ(O^Kj;u^10=A#NRqQzOm)f7u%@8b-JSiYTT6Vw0k~fo%C&5@RlWLdQNPN zV@~bS__CQ3^mxZx+58-RYIY0n{}6B@pGBENGnDriCZ52$ZNpLs)HBsdaytS$+X?4AVz&nxh^u1 zqctaIwp|8Y1lFIMOs`Uq)?M-%{qS}|F8*wvliX@L);28ogk5g)o6OV`2|m9cq+Mb7 zw%Ojs<~&XD?e-XFi$VaXE^r7KC99A{drL~tM@GD95Ueh0sWO=4tik}I7X^}ACRQX{d_h7 z*aP49{A3NBE+JR^ULHW!@1Wcjz+i9jr)BBq-4_d2{5h(0KKBv%WwoUTN@{IxhYB3) zx^sI11$;Y^T>-o?FN5+~7{wdr1IfiRTVM0|X8)r!aR0#=Rt{uh`2|;6X3cNJl{`)< zIgoyCJ6^13{wu6TF*$+rP`{x3uu!J#*sDQ}K4{QPH{pAka`v1yThJg(IQdT@bR9XY z3$y6ZidQ3=6@uozHu*MB9lH>_+)njP{fx^*q zJ${>i`0kor1SF;250P7o7L-tkm{-wWWfk>mB`Zi*ur#qaVDnOks7~ccoOzXoGx}KT z`1-vwl6CD+>9v+Ix74zIK}JcDga{62WM-L-l_MAUo11oG>6SZJZ8}V4 z9Ik&&dP4c`$J!P6aK1k}D^f+vn+)oJ7pf#TINbociu$p1_N*(loe(dCo_%cl$wnd@ zg=ZgPIh^KC681DOi0rgCd8R4UgapZpJ~%ttwDIBtry`{|rPa6n`iJ7>m*HpOG|S!BPnzp9{_2>wgK`XN zCQ_Pj9F-s$_^EM9dvaTxdC(w4c_tHrn(=F*LsJDe#A#OaU%lP&uQm4#j_n}GlB5W? 
zRs*SKokaB(t?JZ&(XPX%LSm!eQ3cZP=6{^G!A?7t>m<%Tby5@F-?UH$g>?MI(@B_h z8-TJ-`z!ZDVU9RMo!UFyC`PHwp9-U%cxiIOQ)SFV?L4Bk3_37*zyvewZ>h|#{2U|2 zAjHgKk%bhNjVtLGZ_#`F4SEt-+p8uRk zo~$~NLaWj$C34M9f&tcLJel~uWCg4RS+H=Y--ms|)1 z-KINNJi4=LuoiW1aXFqBFR}(Ne_&1^8f)9%yv`c3R(}IE zW>+8D^8~xyJ-V@4WC*-(I212h)B#Z?96NR^i#V?YF>%0N+Zx;bCBdE#luxGPz$d@A z8^R5w%qMzKgv-r2Z@O-M4jMq`xuE1S0hrNv3rl+yK;-&fn{jq`M91!0C+gt)uNcw& z{JeeKZ#gvSA@1dCz#b3-kJK*WE9pVFXu?~M^Hg?uf`$KUhxCl#)S!87bXEMWrsc^* zH}^ZiJZ?6?Cx!bpDQf%o6KDU1qoC8E41fpJ6ec)Pj&*f^w4dt9{M6X0xO!Z`+v;`H zeNhDv^q!PNV&)xnd^yzpOWR9$QNM3H5voDnzUoxv*p%ix|D7myW$j7hgTu35_3Gs% zFHQFj!#+ju0{iMU&IQ2Rb36QU)uh?Beb#DpF(^3laM>1oXsk_cCCf|!PVW@qu9G+kTt2BiX1r}VZF<>REI;@l z(x@(5lujp#c6?rPAY&av?+9-8CW(Lzqu#AV4Lo-x&%z z=9JbHXle?@&;~GtbLvVL!y_CkZ;E|y$}Aem(V|l5^A@(vN37tH=eHvtE8c=qxnqyR zfNwT)DGzg};3OQUFus+@DGOk(x{qetW6l{^#aK#YDYgqfB_rubm;bk*kRu)6FvzZK zu6Ko&6P`4rpjKTe(y@4e7lFydmZCuurxoIwh@BeEaduh|4}3YEvyx+rRF8=ye`H^$ zZ3|pcA}v{sW@jfU5%Xrko&)-yf72Q z1GPLxmN{^PyA~_KwRPq)L=^|VucAss8Ku{5qiC{C!cKGFDOxj_x{k(;ot9DwLt|eU8d+;f^rAJO*SG-z~NVoJP-#TAO)jU%Ek8PM| z?_QsD3K;|UQm7;_iFA^_PEh^^!O{dtxC)U?A3SCLMri!(qO>d-yCF}WvM7Jyq7CwE zH+4&`nXlIU*)P7bgWp~Z8dFMh^G6DiuJI<=m>KER+*XgFM%73iskO20eMTYv2*NU1 zckank+gSPXumms6SmLQBl&B~|eM8t&ieDyJqR+W&7{k_W!??7*`nrQ=D7LOcgaJkJ zGijo$S{X{Z6RRn6$q$I-AH2J=B?-kA-UJ=6YHH-sB=DhI2H&54P*AChagNHQF08a6 zF*M}ls%705ld6nImydH*!ZdBd)khqs%=c)4Pw3RDRM;prsL4m47;H8xb@82kbUuMj zDvN&bHiG`6?SKAP+ph+to|#mJddK{Vhs^KU)#6^XPE8l-u4pfvr=%4#L+uQC+em=a+p>kETtlHv2S&Og@fxm%h$4!9%`O%i!$l99O!EGIqOm<%3%@9& zLE>P#30!jDkCa_Z0!4+6`&fvQGG65HrWWq+1F;~D!fdwHtLe_41_=(@qV~1~8p-yS zjT4Wy`T+LfKxPyh`>Hc9oXIct1XnbaEnghP0}%Q*@im-G3S}M=}PRvWKP?I@@gLk8pz;vQ!q9G;nXV{(@~KC4Wn2 zh%*_?8qv|dZ6s1;SBZ60MFn|UQwv#1NZV&RpKYMzZ{1uUu)ff#XLDSVm=vM;gE@14 zsW4NsX_A|@aGWMvDqpz4SRFhjR81CE zt_x{JsPGT$q=ekT5BpX4n$k5T35$7`(w{Cv#uqKh;2ll2@`>mg?&M6?KP;9LB>e^z znl8MzXV-ly)+#lv;vGB330Xz?Sr`9X?t1G;P(t5{KcI8|XNZ0jaCRl|^81MhT!c7r z#5$O`HxxvicSm&k_McbAxFV&acl7T^c5mq=M6WNty2Dvl0y|)v!yEkF8-&Oy90D%= 
zpUaN9uTzorufmsCWxz5Pm&flKzX56cgaW@hu{^>Jc`mvH@r(F8`=GJ58;((d!Smc@ zk#XD3s{&_F9_tFB+ilna-rcgXzYp7*9W&1xJL}E`s_3No9*#Rp+ZF_ik2tqIn>85> zk7JS3HaeUK_YapHp*0=6hR!L8S}wIJTb5>@G7ozF@aoo@%jiAz4*V?-1x@n!$?O8B zTJLW&kem4(I@9^iQq;FM%va>;{xvLd?690N>YfegJK(d<-c6VygeG@m;|W2KeXKtXc0 zuE%62Dz^82y5{PATr|oHZ}gKJ>jTm7>XDK`%XWEV(TU&b+QxYF4e5Qll9%W)$#U5f z#%i->ru|nvrGmm^MstS#WkCquqmF00VUOQTi&bV z0>&9SrBcRzqO2b-yLp^tubovJN?RXoGi!T=>=Vgu@^#%eHDh}J4?B+R2qMZ(j{xn6 zzfpXCccVePpv9zm?SGBKl<_gY{NzkGvn&E$2|lL1#61+<5oJY`g+(4=P|j@Bcs=Bu zcRed&EJ#uZ<<3zYs|6&B$#LPp0np z>If`b1+1}OIy=;5X2E7T6#6nxcFh7!nW9C6_n8M~9JnvSB#E6V zA_@>ci9)?u%n_YTb8pQh{k437}JEVtLP|+jlaBU_7Cr0 zY=iUQ`7qW7a#pD;#)Q}njoILhaeRN!eO3HPrLK$l^UFC#lqnD_{V|Ke(9RN`0LgBy zCYVRXIjNWlHp+RVh^bbj{#FTNb*W?EE8=o;Qn`bkxo6H)q)(jk1QVmEB!1#>-0Y`OyH8A{jYTa64;rIk z{_pf}?er@($c;EuE5)cr;}kX&5aze^5m3eBb(-^{HtX#);(_-Wr}@BV^gx^%is=@1 zVBdl`9y)RF0>#&?T?&lA^O9|a9Fb&^@|*7dw3_x3Obzt}I~X0Jh@90;h20u8`FJqo zp-(oD_eEzVU^7w$%QgRuVw=p9{UbyxHNM)T<=q6L? z#$kt3?IsiL*AmUg;RwFAwqbMTSQa5fuD+h`5X?3dZ+Q0m>zUxuX?de7m}TKUPeQ`z9IZT4bJpM=^Q~JiTt^Hh(~gD;PiiKME8&N!FfiO=G9n%=)H*^u zCF0aFT!jEvqvKdB6P4SBt$0sP590Lw+qo&VCPqGE6=+uQdA7G46qkWSp)WdiN*(Q{ z!jo+8p5lBg`_48PV*-G{VYeRADL@zTD%Y|WLuW?ajp{-wdpd4|5pM12oS=4O}Woo``j^<@tFsFzQ(*%`9i*ji74R?N~M1yeA$~} zd{`cyTKdiY+nT)+gqFl2>^iAWJ6wipA}8W&dzjKjp56J};@^wuHEetKtaE;PZS4Yl zAeB5Zd|8J%eC0w6LnE219(~Xe09zz?KevbseMj}Lw3o8FK4d^!y$pAcaI}K;cZ~DB z+K@s&I;c@T?Vcdo1I*SWO?(aDR^xNHw&drAbXi7UDQQxy> z#_ZyXl39h1+aTE|?mf!;qJFRumBC4d=NH^CysTcoXXhisr!!03w3zcwthiWS$8OeC zzKcIGkG&Vgt*z~LS4WHZS_I`v$zGt#?QEzuiA~0TrOH6sa}J z-<15n{>FWXVs%#e9mgPJF>3j2KR|CeT`)Kb_Flf*zbn6duB6`j{rZ61p)$E)*~rZk zSbgh<>+HF0yZI|>+1+>=x9r(|w_zH~cb5K9i<$9UsEXw2xjhWDbJ|!Ee7gbb{q1|1 zQFiY7iAmXu`nlNkt0qWuGB1%d`9kscSi4EyAY;4L_PiyL+v>3FR9yh)z-UP~h2HA+3Kd2zm!C&xLL|I7$!lP2Gype~+vK7uwYOnb#tFuIQ zZT*oI3bY)P<6V*{=sLpb3Pxp3V+kE4l%#Uy#C(ldt3h#Mkqgc=!rX=2F`Y7-_Ct^u z8PfQc7CUb^1(;XU#T`W{NYutxU=JqL64PNYMQQkMBb|IvY*f_G`PGE_(RuN;DdOun z82pEQFt8%Eza5E^+D9mP?;*0Ws$fXu|CwmAh-Z+l8y0q)I|-#XkDgFiw;RJzt>gkL 
zw}@IIv=R%ux%DQl%o||0-h?Jl z+s-N3P4nrh;$gSA$jqcKqW-LsBP%wO=&C!`C32U(+%UHJ>T31f9M*LS$7@Hh$i@J?4pLIDB3Tj*~ts z<|0Fs4T(!3L!(Mn7OFzC_X*S1QOIdUT<0!Xo9owe@0G*qoTjOMuNs~z#;aFihoUBU z_)tS>OVR_VIDYqvC4KJT#dm_WFBk4s%Cxy)VC^ndqcMRmEO4Pvy`rd$aD;%(?b zH0-Vtfz0t}OcmewX_C$k#>#_l3^hJlzr?yms)rrA?PX?G5^}6sbJ=B~q(B-Y=2N9} z4Ko6wmTQR!OEScxTM59x+FD|1VY~GRl?eK*MOG#+UAt3jL`)eq{><3}Hl0*o+ZfIP zNiNc2sF0<0t#Jb}OUtNHeL9f~D!roea?+{{jV#9XqZNX*L5cRBn&j6eqQkI*Yx)YK&j+YB7(z`#)JURj8Th%ZH^Iz6c(+FmIZbpBq zWaFr%ofG!XK+6hvYQ1~gROHkOA_IKMPot-opBE@58C)Kh>37%O+zk}Hb3vu8!^^-U z4Z-V|f96v@HvCr`9{&zSe{-c7Qr5c7Urr87HZ4kiIv zuqWp+tF$wM2jSgFf=97ses?nwNy7$hdxP{Go8~Fxwu-_lpy1b!-eth!+SAxoZR4sw zZjEEm#qYtMo%TOlpO(mVX?mbV-pSb{0|005TGiWOo`>VdHhma=!)ne88qIHpig$}7 zU4~A#ldz*)SU=O*2`9YIgU5^Q&eL)3BR$YEe$)H2_tnnt@l?g`_agGlIj~N`*TUC% zV@HBcSqIQ3XGhZD4ZEBZg?~|bt$6vYH?^%kBjcc!tK;E{GaLJZDLa)Q2 zr*t%fFRxHdr0sD9zJpbJ| z4`EfUrke|`pLg4>UtT!48&}v@KDLKlibNoy0}ucR>H}qfKvAHnWzf6Ip35_Gs(s|h zz;^cM(nFq>>$7zP+8;>F+l-I0`-%^Mx1k_tmn7j#h`cr^Em^!4M8TK{D#tuCryZ0= z(O#ooZ2(KJDbl0OX_Vua%oJEl32~Z?mP#R*}hwQNo?B_EV9Hipg{Bd&vPdAMt$I3H!kD7gX+ zxq;1Wg`lLwc*O16V}~JKwv%b&z9n7qb?_(Hyx2%%d#kDCpB3lJH^GfI)j0be8V|kt zkn>waVIYj*b?_U1FW3uJC0Y`K+()N#Epr<>R;QKTo)_(9nT}(M1v?S05|hF=!^n41 zI`gU{GW`mV+lU>C&p8Y~39@hC9gik$oq}(s7BI=ET&=de5Fui*mThvb$frvJ2X9$$ z)204esD;?`DY=IHfM%AA5EH{mB$nDyI7u6pznD(^V!UojHzlZy~RyH#U2 zD;|Xzc^foVx9V2~6RI*LQ{yGyjMI~jH_8;%BbWswT!=XLXT;qIE&>MIVxt!=THysB ziQdnS1f$rt-pfGAm?a=Z1OKc+S13|6h+`8qMy0KADmS{qEQVF7`Wop&F;3UGMQi(s z#hUU(kAL1$&D!ldI4f+lbt-g*V-qGl-^D7d;cXhXI#%S;w0=5>S(z;QE}duT(5q`! z1=Fgr12=?q!lfu=Ixu5ZIWE+)v_x_GuBb;wsQt&o8j>6pWm5 z$Q>>7QUe-08Rk$0gU6PPVVr%}a-Khifr7hXGQ4)q2uO?0-~kUXYdPQhE>>gHY^MtY znf_0kGUe;1SYEY1_`Os&6Gl)nn2xp}pY%=KOg*NgT8V`Q^B?Z6>-yAu$ruUh@HLIr zf?4@uepE`3PYHXiXFhZ1rEW0=-}aLIj~)dS)`o1WCa@! 
z82j-d+8OdA{#i@S4|sMQO-{U&=;7UT&=Kc3xg}$#;bXn*<8-v*kZ@-X&y4MoqB_OV|>VK|9#GORiW?Kv1OpU)wM2OL1Oi8?&^zl!C-jfc7bhD6?Ht`ib^W0$(T`ZjT@R-* zM7tbPf_WR&et!{nyx!)24^JmTJK4P$+8YWyB%4o7#_1jPAnRHdQT7TSfx2Grb}FD4 z?VOxE*F#R^J$iIn4dj+zmrrPazv)nJ_YT|s3(?F2EF}Bv&b(=SsoEdqqnAFH<-X1A z3q*XbFTNhYro}v@Z6Ynal3cy_Zc{(cvsz@lr|OoGfU5Ygny@bPC>H}S$0MR1wU0p# zybec(nDH<@-Zr1cZb9F7Kr#q4eFT`(2EBL;AKegDsMfT@Ya;+cKFX5Y79hLHES4Lh z{tA8tLLQwR3&L+gQ*+Cy>(IW_Oe z$`%bXZmi39HRH$%Z>`o$X%sb2c2^jnhK7rplDd>H3~ob~#rMWfn3`K?P+;o-r6VPOMV#b!&*{42z1*XAT~fE-?D8Q(}!2Y-Sw(%H5owCZ9>7)jzUB z*~)2F;8kk0ZiW(x9y7AJQ3HE$IMaqLZCk^{+SBnd!n*eZw_xPQEEoG0x&t zBR(~ttHaO**}?v)qvarNJw0G;t|NNx{uOV_`e3|fV(FR6}9;Y|u%(mc0x`pUBm;9u>hef00=y zF#F0PR4aaT$gkkX3OGiIv;EW^>f*H2nnwRHT`9K=xspK2VZH0>J_0X$HBOKY232Fr zQA>=qo@#R4b^}yO2E-o^Z0gEDqbT>01fx!w&YXw~8-7a9rgE$(x_Jj<3##G%uly2y zLE{QONKCkL;uV5S?E8JjhMloHc$M>F5Hhs}oh#3Ph)(s#)w<*R`s-|=94Fu@Py7U= zI)$cOFp3YJTF+dp#NlU)Q?M_T;rK3#JiMGC*&nv$a#y=iT8@qi0g$t>1 zY7b7JG8m9S3H1%Goj{O$tT3~2G1CT}3`}051Ln=S3&Xp;?Z47M%{y>8=TipG^c9~(&l2UUX6m^_ zsYgxo>>wF=V9rOsz^-D>kfNL9F~rwa?JvtZ2u@a>uavS<3$c}RN|SB|5gF4?3VAF#FysF`&NNndENl1?2JHR)ArnUZc$L@12n z-~=a5hOePu1*bdA)!0lKQRjqWvz|JYE=ZTSydX_{tLadhw79nUzIzuRWgg|8u13;? 
zue@Z!Va|dg4PT^_i7Q>5I^;JakF1)@cHnKDB(3-tovFa9cA8WVh+s}Kz(_HG!qQ2f zMyXQEq+x^DajpSHokipJCgCDPqEo|k*_fnJ&HGra3q6vqN|w$h84zfu44LSV4BZ`V zqbh@S@RI7N@y71WRqYOiL@;V6R~AN5+3`~n&sGiV!2eWj(!5K@jCe^5NH(s;fxBhm zXo8eOy$wkM^k1vo#d@{I5ebJvoF;tAcqr6n%>17MGXD~jZ&L1woZUfJli`Z5iaQ-w z?_ZZ+Vy+ls6uCdEme)jkRmXzp(I_ZjqW4EndHg`boSe&4FZa5M%riT#qd3lYCT-zjzP4bGIO?(@V0-7?>!0n=eyqOGfgu)d{QKif$+zpjd#J-;+S-CfLC-pw51Td&`X zpCI4!^Ybc^gU7@^FTLOOAKjc5`mWin!|z1zhjx2Y8$@~sF)AQc@kcL9+cPN&PPRLFZ*p7!QPYi&P7V1o%gzTlt@1q|HA+q8{ zY`4#jC^Cr8!}-u1P*g%2<}wpW*7BAE-Q8K*c!968(ON6%5PUsJ?bOhESI|frO3?TQo2~`c04jx|2I-+OagL0bE z8d8RgSoi*9S8}OqDM|^vau~4W!o+wJy6`5P^1!F$1cj^imV+DP3|-PV_s=N%0u3AG zMSM+I0;|7^1}hZ{-8OX?+E_^0Ofn_UH>>5krt=BsHCuNK=X4pm*fDh4!Q9HC@^Vca z3c?K)7-O6*73Yg$6fNo5%%(YGS?pvSVtSkAz)f2rwB{Ysx=w{)lKQb|_$D;*0iY;wQva{lYzs(hJ2yYjra<|A|N6)a++`rG|xHqX%8X;?%N6zA5BD7(qnkb#WN9}-4h>brTr8iDD z(UoDUfJ&j^j3(cz-z(&uE-?PVFrTbx;=NB2S4x0HrPk$&S0()75IQ=M5)c}|W=aM( z5gcFT7AjL*jMkN7?25Ly0HOaAThc8CifpkYfg)YVU>dVtk0RH7l^HUOdD1np7$qY$ ze-IOgT%^3*o-FfpnhyIh;$pPY$sE&eAw5`< zKG1Zig}$xAdDM~ZBU|RDdJEelX&Hj4@J|~U@455l_+_e%+B7Ml)70l}6glA!$V0;>kKO<3x>{;b+X(;(9J@!H8LRJpE|PNI`PHnBM@DfuHuky;(tI+^zu zY_Lfc;Iw8Y;yU++qdVHNt*zL#D0?Fsj}$%C-qwO?ICnLPs-(d0 zTrhf!z8W+uIXegrqW&f4QSdoPE_c$H>h`Almh0n^y*FZ^-n?qC{G%E{8ipU|Bv~Y- z1YW!|XlknN+A|*ZFSGVQr*Oi>NyT#Vw-7ibI`lh*a_a`-FuR4p0@56jXN~ib%*l`t zoysI3G^UN)KppBcN^TRmd~4hp8x`Alprw@&f{NX2b|z+S@@uwkj3kY=>y5xHvP!D* z!YB`cTxPcFj9P)aTnq&UbPa4uDci3zSf`G4i6RfstHo#qvpyA$+OGDP`tWa)9~x8A!0P{J;Nu{-p7p?laF``Y(;ru{2O zB|-`zv4`^V@^SRey3)ewY1XKo7q-oJoS|&EF)mqxJx+bX{-2)1dyG(h`_s~Hj8RoD@f-R|*58wYS|J?Ow%Dtv0?59fB?S-u{) z&;*=d{q0^M2nflL&0`|M>oNpw^>;D?mP&MMTkrmy9XPB3CO3X-=5#H-Rd$uVYaT7} zPW;C2K1Vfqzmp`gvKs<*{5IcZ3v0LjoMEi(U6p?0^SPtJV#gJ|%D7wJxIO4L{1~pq z8qoy#WsSP;oK@I1tA4~NZ0#PJJNn$lI2w9Q{IuL&n!5OPd5VQC*kdf)U2K1)86+W!S{Gii;59rYaJ z0vY^Hbz^AHdfSb5f;4j4?jHT_;*f1dFJ6x>4v#dIfR?pBu9tC1f)1W{jew39kM-fn zoa-Xrw9zlq^4(^yvwNhuIBol&Ad0Os#x>9kr)Jj$GOc|ny*u@L4B~1Y{>MCG*tXxi 
zQQYq@ryf`2lYYhQ_WS)wJD-zE#%=fKqO{zH8p_~{)XjUmr}Kx2lQVr@53!4cwUaSC z@DIN}GW9ZS>X@EvLQ)-+gyaI^ zWwq*bjZ)a+44Ju84OB%Z=0KvQSA#r~a}D8?uK-;a6|%aA2z8ix3l9Dms^~95C1Phr z!M7YaivBxsgBqrsw+{MIh3+-_r|O;Y6Z7=N%UIcM zvrBVk#0{>9{z4Rs8|(r1F9i|Fv?@I$8%1#TIH*}pw`7{NNLBBBRqLjO5Kq%B^LS9f z{9}m_OB!Wx@n>E=g2lH5C})-8u{6Pgtc+uZV*t!^+R!C{R6TvS%%SBIhTvn~^Z#zU zaew1-P}8Vas8ElwMp9KA;|+w1EE>K>F&&5`Xxa|~2jzN=Do$)Mc)S(oebs|8U_tYu z>GoN*yD_Indp%&8N z+!G05K8vrMn-J&5$rdV`mYSps1GExDol8pHN7fXeLpw7BLJppl@Y8;qR8M*W?UhXd zg)<20)ai0>ZWa*!bxRK+4BKg4282mkW&4xCd}4ZlKrYBSd0w=3mIGXOs-;Lolkk43 z{wi;t9Qo!cB#rOI37KXMC}ZXYac8}MNU`Xq0A2slnt$Ylydk&d&niNjVBWugW%NG0 zXs`Yt%GY;A$i$o|ir$M%>5HaTIQJNxTO8LU2t~vrXRB_TuHa)ADHa!5QwAoIG)geR zmU^~SgO?}=fHgx*#V{{l`ioZ*EN~NCt?Z9X?JHmk%|_nV*mRS)-iZX0=r=FtNPqtF zJ0F%OiTbWZNrp#K@o%9ycMi^boz32symDm0Zb*9Oo0)RGF@j`1#^X(Sc|@`R1GTRd z{lO;dh9q#j+lJ%Z~Sj~} z5&ZZgo$;>_&kT7FvvY(BaGyKSN;gEJ<>2-~LxiPxfMWy0g^!8C`X|B7po*3#T^RwD zxe8oR%h@k~Ht90#?|2+)J?Sf%`rN0L46L?-jgSAU;1NNC8!u|k1OBdk^fLYwI1xNL zpWM2^xF)g@{!S1`Ha`1Ta8dIQzzV;N3BPpii=UEo@agV&dz`d;yH9l7ZXbR=Sa>fRd|dKaf1VRzP?^89i)OD=qb$sNXd>xm%Z0t>Q+|xF2hGu ztln9})6TYUks(3zlsdEq%+ufRD?F}Oh;3C}oD80)5GQRr{)&$GBkf1%%bn+fNba-z zGM-KX_p1!_<~Kag*W51K?<2I(gicdB)0ARVt}QxG559)o$E9dML9>vH7VoQ3&Z~!- z>+^+!ZcxYgt>uUL(uS)q=f%IBi!O6E1^w&)kEwHtjx>Ikb*zbP+nCs%*tTu6lSwks z1QXll#7-u*ZQFMD$v%7U^FKH5MPK*&YOVTJ)pK+1HL;(IzM#!IBm6VP)h@@J8n(%t~}R@xwjvCsg5_Qogj%ggbq*q z9G6hon0fuAKQgcN@4uYpL(P;cp5x|aBT<%B|M~Z;jmN1bLm@u}zb=mmDyNl`pQksG zf`G15J`#OrdCyg+%hbTH$?sL1X~3C8(D~!w{guCc%(0@ywWvYugLQGo^RAPC>ou>O z?D%Hj*eFRB;F!RxtL5&dPmAScDrbA$W2?bSKZ1}Y*KcfI>tm-tLrD9*8KUH?Hc$j_p`zh2AYGAkYm?6q)OQfvnd_HE1};9T!yV^_QE!s=yve|3a5 zZ{MvpH}AAIuP;)$+k9m1R-CrHcgIpcZ0DD{^&IMExwI}l0gsDzJphuH!`}PYs#?!W zGS&|u_BQC;Z;(l;ZIA1#%)-^lBb9RFq+JLT&a}fC`3zmq-Nu9{JSK7jRAnjU3cY;)b`$qm{nX(zmqJ1{Ob2mQU-ev_0AJm% zdB|{RrQ%<#+rMZe6EK=)GI62irXfv>mPdaR^F!hVv%`@4p-q*ZsCS3n;;mZm8b?kc zOSZ2;jB7J3F54qmtjAw9?#fbe8V8-_UB^k2ZymxC@;ow@%qJmkv1^F_&T!EAJ>e_7 z8!nUf++^rvjc0E(&SmNuI#Qi)zzJT?e$ynDkCpnp)=3ejZK(|Em&uPzV+xk1Lw#~Y 
zL2A0@5Ge!_Y{EH38-4X9T)fzGO&mzv(VLz$kU2tfLUEgcgKFtvf&uMAIoQ0KNi>cx zbh~Q3+NwPM7@P}EsYk@6V(F`m6g(^C_kR3Q2=J{*iXUaK-TF1p3;~>asUu z(~S_4TVNq`##q%Um{0uqEeZ_F)MmP#|l#G|?>XN!${(G~HF zVEYFjrJyw{wTuI|fGrAFPJO67u2RAzUyN^y92}c#VFgU!A=XY(r#>lBXXkJg%H+yQ z-xX3#_G}1cQ-*7iM?z??*zU)w5Rb3#Q_!{6fw_=@z}t5<%Cck|u;-F9q>a)ziCzGV zGySNW6)ssZOe4Xung;o2e_E-OWPX7zZ2r7~yf0<4gJ9B`5ou#gt+CD=>VNP{mM>b5 zD^g71yVA+D1s{&du2PXEs%BD{C;iUbXj~BUV6o$7gMP&Sj%Zv>X89Y|V|cn$HPzXiD1c$J+ZDd80bM>}dz>)P|7kc(p2j`F|iOxT95j zU8s+jP(zQ8c!p!^TAOD`@lVE*C0?((pp7qHqDdCR`j)Z>e+Ey1IqNXOxN~6HDeG%; z@P?|`upazYiBPO2K5^li-b0HUw~?me{|h;|sE zpi)_Wt3Yr6ukOK+I@J#{bKS~gtceF|!M;BgQzLlD4~)3!8u?4*P(Sxe+&v>oW1u&^ z@&a-2aE8-hEISf4XOUcyy}#r9*B<iy6yc=JKPROY6)zMyfdLhdj<0 ze^6%PVLJctW8zm#@G@CeEN=X-;KY6dVd{&N`3%ya6C4$D_^5ZVV^fEyPVF}_GO_mI0D2mbTRXf}q6N#H<%R1AOt<%326 z@wGu9W87cptiN_%zTD=n&CRC_29FdyU)F0_f-Sb^44Oxj;Hcagy{p&0LDSX=hE%Qk zJJWlwbgEIJZSV z|ML17Y^q=&=xv&>yS3lw>hp7BOalig)@LU@X4=d!_UHA?`ZOv_h}u6M?%x*Da;QSW_fYWI8^bZDw4 z)F|wK>d_()ut6uff1vmIa5)q_?NEPZ5tj|x;|eGCIWuACaqis!wtLaKrFviYZclcd z37#)lj9QVbJmx%J3mkU6|J>&Sf7<-0DxKcS|8)M>)xF*V@?C3N6ejAp6PNyw`?T6N z^Qu20bYA1m6_yZwCngt82OQo*)IRkZo zZ_m5ZWDelp2KN)xq})-EU%>r@_|(U|%(C|H2gbK|elDh(rz@wWt+VHYLm}OXnl#{N zy52>=YV7i)73eMTF)^lg^K#_;%7-}Gb6B`@r<+4a;COTUvSnIs+u!3eQEuBP0Oisz z^}2bYw+Xf;l*EKZ$BN||?yB+5wP$C#pSlz{Tn!uW_5z{>figc~Uz6UPUhIJ&_PzTT zr45mi;xK!~K#xx=%Sf9&Q*!bGQ_|c`fY2%k7Okysc^Ys~UKC+Xr}LL>RYx7$S?$pWIfQeKb_o0CpA+1`*z%P57*X>fFd&$wR4 z-7KvXojKw+7Lzy%f_?{cO8Jv!A<~ZbeeiAN;y9z)+cKNx(3+th!#mVQ99H(3UUsyw zFOL&Ffr}cgdzDb4g2fB0)akc-o6wVb@dbf8(@>aU$4Shm;#yw0C>*woj7@JN?vt_o z+LD{DqUcN6@K6?B!XpA$UDqhieXiJKBxWxutZtV{zE4lm14gXt9y@QEJak+oHY@y< zjm7pU=B&5r^LOTQ&3^E8rOqPZdkCquJ$s#hW%X7q4E~-`M@7E5H0QWZ%VOUeY*LK- zpo_~8)Z}&@s;%9>H6QcK5B=IeV_lST0N*D7hf0!n#<*zmfy{nR)Kn{s74a z6^G1B>*LWgK^@KCKu5y!wYeb1Irn=nkWLa%Sge^z;a#yI5g*Kyv$k+G%6$F_b7{`m z;X8bIzEhkXga+<;qdHaEuS+c0SGwJY-;OyJdI2faJF(m5J4^@a_mFqbg z1({Mo6wlD4UaE|5il$>~7tpkVJEyn>AI|GP$E1$F;-m~|NC*ahErkIdS3e6_0$@mP 
z>8-qyJeYydc&YWvK<0@`IUpTvL7tuYtkNAeT?N;hiUCE0`I^*WS?EpKyh##-}W+6Yq4oWVeL%RI_bFO8c54}=@=3f zV3UZ`BAn=40ukKnHIl|LS20WHC0I2w(-lj_AJG(XWSGuv%9V2v_BSRznTM0b6c9QD z*(dC9V_U7`@Lxnws_@#Q3keC532gO_Fy!uOOqZu+IW;QZk(f4#iY)6T3$3v;V#JV& zpwz$j$tYvW8ZSYYoEoh`1tEE8hTK`LPkKINLX#xSiXRmydqbUVsUel|OmYtzCy_^Y$pV!z^9mg|IblAX) zo9yQ}Ki5lxRDaXOYOi*C1^0K9IHQj=*!Y7l;Q4coH|UG$>3PCAJ-XfY5-}M+^o!)< zHh!3WeVIVceX$bIb`?HO^l9e*ti{!Ft~Y(+w@C8#r`7Xn!6=!Nu~n?w^PD5o{v{jovAVnNEKrzlm$$}m zuo>l=SohT&kFmY!Y`301Q-t+$F&K@q{I5)|vI4;Rb$NDrNg>PRknh9uAMq%%o zkRZHYZuZjLJOyj_aq~|t%%?X}dce-`C3UmL$94bSi|;W=kAJ%rnRUtgVsncDMYw*G zpQX0@cy1c_7ciu{EjaRiQ!KZn4KzI;VTjHY^to?YwNf(L|E$(J=>mXcS7fS(54_^e z?Qh$2w{K6Js<~)|?i+eCXf6YWKNRmfCsW;tUoN|yYbUdOLFS#OlKhkDMgnfD>bps~ zSN*T8_3ycRMJt#Bpy9AH!3!AvPyb3J=p7-) z0U{GIb9}O8k5zQC{{RQzT|d^$*AxSbABz%l@&nI`r=)!+Ea>}wBxC4vmA#<#Nw%U! zKT#cm zj73FV&8gOpzk2`J3^&0@8i8LZV#2>&sLeYK3sr?X)`~+rN*eBkpU=Nb-Oc+&{I)a= z4H_S6G+IF zo^ev%GW+Q&0}N(vTu(+YdmhylTP~gD-okq3)D6{yXB}pVwgU8niv6glr1^)ubc)H6 z6?Bz#g^W6h-rF+K_iE%XA&vs~%Tj>tG9TH&V6gaot{yTO%McS7_Y>k9b7B`ImtG1H z=Zng;qIVkVr40#6^4tv>&p9MA}vErkHkdak6ZtCKkzt{JDbH|BN6e ziU$ma4`Ol5qp)CD;+3Y8tWrP6MkZ;jyb=FF>E+snD-`O)tHvAIYq%UBwdM@@z z3OvMM(h^j41o6A4WDrNeaL`~BPqwUtptLM4M&pOr4CZGY`yd(OesuzY?gi^aOSOOY zk~?WGi#%C_8Fcn&o_5CX`e3msf&Gv_j4rAb^X!zB3LgHgzco!fgHSnDRZrEi=;B~_ z*CG_aaE2F|VWRurL`(@(Ws9K&`b6q~yI0|=w`wvit*bK>4zUjI#Pq3CwMx-n%i|`} zs$gN0&I@dr4Qtd$EYbYTYN%A+|F)v^CM zD@}=eUpKCgK(ZvX0Z%EBasD(87d4_Z>-dPHn-zXNpyzADzAKhdE{A6ZSN2Liky;-t zdKYf~Q5He^-hsOElr9`g1M!bsqR+T?uK%EbV*2f@gz)a3XV@!=YxTYxVx0;F(^MbSpuW#yevuj`8#h>W)0cCeBY)@ z_sUB;N+VpfVr|Z^d=0K9A&d`(>jhhx9%ku#x!wNr93y)yJxPk?>KP!H>L`<*lFiyp zClcjG#m;|AYfsILDw6mpxGL$<3P=Sd`TY~{;{a|E8mZ?Pm0dB`xmJcxQ#JN)2~3e& zIk~u*Vez_kj97_qpNY8M(@(DoD6x121_ZN?4R#C3GiysVw#2gGSOry2k)~nuZ$Z=p zlQ~8bZ(;cQvPf2%&_d!;f?cd*^D(S?4DI{&&1*!euG?1cHv?gUOR@2MyV9az3JPE* z`j#*8FdbO4Xru{p-@Kc*aC8C)57CCEWD9U?Iik}Y9&Om58pJ&%B6?Zn+guWh?C^{a z=#mvX!ekQjh_Mk)(x~Q4f^GkK;xJ}({U}5IEP%gVMBRNW!VhI;Te6MixwBHGiTe&N 
z$S4mX7wjgKK3fu^j#79S`iHg}|F@JB9~J@ayo}D+Ks78?tHJV_FY~w5%eT;YD<A=pP@8^r#Ibnsx%_BjCVW%~^9cUtrl zC0N-8T^fz@^Y$FjO^~=P;F;BZnpN9Ty4{k*58|KF{p{c-bzBMD=Il>Zd^wtj-Q4N+ z+=17+@Eq6w>=Q;=cQZ8noY9zmXVH6L7P@vSy$l3%#&CHdp7@iw-TWAN-qkUdu-;H< zShuf&Qv+P@=Mp}(dCi+p^dsVy9s}8*dRhgFKM=n#(+GAAt@<&oKIt4y>z(ukM00!J z)I5Ya3AjAw;t0HT_}pV()=qVJVw`i`>O6!#-kn!Z4Oz}E7fQ~r|+N5*ei!T_q zxJHD8eSuND(LJyIpWWTlO2lT%f{eP4VP9jOv}xNLx!2vzCy39gf4%z=P#AypH1}ha z>U(}>-XvPtYu~hZ`^=hcm-cv!@A^&YIBat+y2*R_Tvd$XQ$V@@+oFmh2-~f})PXV0zTOiwQIgi;oV>B zSJgH?5lLUTK1Wqnb-Ud!+~pdr`ec8Sct0-oM8-Dl6LV*|ALcLxF88u%@wtYV?s6zL zad%lHQq>YZN_c~|75(nYG#)Y)wO9a0o|oN5R=Ij^*_Ay9_8#R;gA~;?+53v(vDxpJ z$#1D2WQKPgUc)p(Dgy6Hfaho3T>=yXP}jPUHxNVt`l|T(=EA@WXbkPiO)l z)bl9pDlL5&8#R8&3`9Ezpo+Zxd*AMkcoZJ*#tWcN)sVMbIIIHE&5x^rC=N}c?Ogbh z)K`A9{friIWVeqtA#+KNCHCCZ)v!K%<0@^WKKwWKJ1K~{Pb?szj2F6M#5dC1lIt5K z{Y!<`sFfeFGFrk4{u%2@p`uh7C5D3lqx>8uCzHe{T$ML;DHi74VhtqCV@Zkc)Xepo zyp_DwWR-wAc*iCqbVRtf>5mlixFlC>j>|AaYwSIJHV!zvZn@BGa)&3`nAU1%^6?}&zQmF5Ae;V0Ce3NX=s8ei@SK0U9`x)`l1hmE9 zKU#+r(93#5g4i3DB~M4tbzDPl@ZzZzzKvOuhyC~^S;<+hBh$=b@v7obWufnPu)cZ< zrFxzoj1p{70Cw^?MNsi-TVTKVe`5>s!iVy>oY z-faJ*UN)4OJw}>J_lCN2I5{U`PZ3(UTd-c5At+DNSF#?s&wt6r#>Pc;X#@)O8)urF%43z`#qnKo!pa^k1bxt>X6j+7diOuNi)Z{-=4?G$cU-Xxd)uMi|4{8{ZOD5m`(t&(#4?<2xvi6>s|MKbL^r zEd^(q{&cFRT1nzsv_hu=V>cL>h&Ps@BN!#E7@*4_XJe`$_a(#PEN0fmdskdWaDg=Y z%VX0-Fi*Fo9DywL%r74R{N9tq(aG5F3FK4<=4*Zp#b^ZKKyZe)sH&C!I+|!^99sP% zm99Y2gaB5<0vJa`{GA-w2?Aa7l@8s3+BIlCKYZLCt^hdw2|y@YU^~dsWE^Ncf^Jr4 zJg=rx`lV036ws2Hxs&*zt~G4<{lF^0N{6JS!WcmY338Bv7gB@+Peq}Bm-ein7@qM7 zsujZ`pnhlnskM@4C={N8wIE-&ny9h8AA*h9{oCdfn3>N{ZW^#K1 zMo0POMrs=Fp9Q6}J_!eZjCDo5{dc~bt+4*}Pvq!qU83hov~56twj_mV#re+kcOmN^QKpo?5`s1A!tg^QFX;~`xJvcpNhH?%$#QCN z1dUEH)P^RZhHj2?{{KA$APic0(p))E`X%V|OJ6@|R?XXwi9kLeGB||dk#q;vJG2kj zSAjPr1hU%&`70@*Zcx_muh8V5*~-FU#qP&m3eTM7HIvTVSI)P~eiYq@%!cca*S2Mk zDc~)>ozBy%9P!+h-t99A;d38%{WM^o0jC9~-%sQ+Y=4xj-INjfOonV3WzsL8bR#*d{kUS= zetAcl9ur=ByE#h*)N#5!KIiavcOJ_T5IwJGacvllZx5;$xLpZ*Lb`Zg*v;{+Z+2e6 zTrgCoB)S 
zz}p7WR_8|N%iG0yX6<`Z|MCVOI`jC)$tFR|w;tDZXscQ`)Rx7-TGAVm_ie$}w+-lU zw9+e(fzK2PG2nHyBcY^wJC%9;7htbkE|@dR6w= zELZJyJm+R{urlAgW_61daIj-#DA>r4;%{QHf0Y~H@R=A(@_F;tvU@!3XWrkX)pI{U zlP!(%wuP4Je+Wxs5b%)z>vx~|4tnJ0-fZ6|=?30u{eRl}2C~8+=?B0qX;G6rA)VzK zfkc6Ir-{zx6oVvR4*@qo?$_vJVZH*^kBM4;O0Si}$K1H?(P9lLk3ml&2h6*z5i54< zUyyf;iqW`Sql}qfTS|v{E5yU|KWjB*`%UJfed^Za=%BleQtuJ55@ihkjkPiMOCZsy z%O&Horc?8kJ<=N%=Oi{9C7l(!({T{tphkq26pNN%^O#lfO&v{`w4};PG9y1paV{1_ zsv}Rtf*0_(S3D-wdb3Bx9w=TYgj4l6j{edky@A-ix^kP0Z0)5}m@ z6pt-i0Iw?_;8i2xGtqX3k>Zq%cApVj&&R-?oN!M%_Gz@mrdXoiM`eZ&8#s&G;95y7 z7>O{0RF;r$cmxklp~dw0L2WrXRE7;Z?W&DkC8u2Y-wmbd_-a3dPSP2NI2W(xlDP)v?)nHA$-+5Hd~U7CQ>S-O;dbKFdmY+H;w z=M2malQ7!5EKzd_5rh+|$&+$N)FgQFz3Pt%D0)rduOU`(*qCBW8w?&(+dCB^Pb zT|tar>Ixwkwh?KSVv9`5wx}N2_?`^0DyvVD?z7;|SfIP;BGorxD~LtSC~8hHnG4rMV}4!AjuWgr8gcCoi-zdoJPwenGbETc;W8>U)XP2tHh%9Z(X}( zDimd?sf;6%@IunoKJ1wgQVylF=p%J|3vvoHDc&2k7_Mfq!4s;wd~vn}l~pG_3Ut=;r-O+a{W6Iu6qjEFnC z4t3fdvBY}iR2kj&Ob43sJO~3_Y~Wp;Q6|?Dlnc1cRVoE3F`HRcyEki2xjfbsX$35t zLqNvSX~3kbe{Zx`k*wd3S|+fTvPn355TGa0Tu3s#*UbN;rRNyyIpnK(GuSAPy=b%N zB@cF89>C<>AH}aC#g22=W~w#j9m>N*XCKC4Dp#wRaT;r()JdLnDkfW2wARkmsB3`c zIV|GF6K`6Sz_e;1&zY8|F{(j6UjpMn9F`thhw#a47Uj-7GIXS^@JGF;;J0?`_s0iU z$>LzKUJgRa+`&6bNa+br$SA}CM=Ehs(lTddnOln)c?L}Jy?|gjSi(W*sNVg}iL^}5 zcY0-n3d9YMp>p{HJOrNjJ2)JTeabLTO3}OCU)XhzwwCs`87tWHsBHJUvTVCj>?5Pa zSw&!jM~v8$rnCP!p!wiFsJFHU691=<>xPKu_i4x4oUb9NcNF+Uo2(!m2Uo|%mc>JJd*zr;ZdA$y=b2Gqo9sq(q`n5T&;}5Fk?htZQINN$R zv_+W$>|`KqNfDls-K^6HyFGXcuU2)8Macy!1LitYSKYea10SC12re34B4fH6Fa_QI z2GCN++(VepUgjV8XyF+9g^ zU%~GANEzT%Z!Fi1OGdR2iI)UU{`;F$ zdfl#YO`}|}7qg#7A3Ya;-)ozkNbWv#dz*~f`M@1{?_(Qqs@)bAg{h|3cYz(mI%XZc zdi;d08}#Au+!sApM$-M;gsr23{M`*;0Q1ZBDWSXk`*qmGCj%V6ARWH7_jCItK2TVw;>9Y4G-{}8zDP~`r#ul;8XtVeWSqv3DM2Ubo2YvGmAew=Jkik z<%qQAYjyj+5;MRoR;w$ZI;_h8_;Nq#+!u5{Q`$CsUw+=ix)K6Sb?w&*gkRq8PcETr z8hHWv7de(zriE+jpE7Yq*3o*}-A=VWTBN&g*6?DH03jZ;A1ezuniUncbs8WH# z&cCQy7u%@m>8}CDJuHW>5y1IZQV?Ch?MEs8Xf`ur>S?)tO3E_e<**#I3$+weto&H@ 
z!}Gj}4H=a;;lOjbscs^j+}wqV*;f2S&x0#>mG+~r|-gFQW)lvC{CuEsNq(sm?8 zJ~La@oTDK5~+SH*FgcQ5;nd)%v?J+sQ52pzYT?`W!<+*T`ENY;hbwT>O9aDWN*;6NoXpMQH zee)p={;k>eA;=R&0U!o4q0h-35RbI8A!-48j8Haf(^O!>k)c03qH+C}vzmb&YPhuE zrl=*^1kx~lMgmc#Qcm&c=5sgG~Ra+Lik`NiWAygxDf&yX&ov_5oByO~P z84B(jX_W@%6!}HhJ5$I!+1T)k16J6lLU^PvD<2QPo~_X)%KmXp;#X}7KMV&Uv@cY0 z6W1y}yXdGLCmZecxGBa>_0|9>LH6I3t38Sg%S$fJ-}mjZN_ra3W2jlHw8gwBl+pq@ z3@Eq-YG%4{Pil>RaqxB`q-On+FA~az;(`*3LX{Pq0AU||uJ8|O ze-sA4LEac)t@^iYI6`p@6xa+)mm@RWqE-u{(+qLGtoZyHD4EomUszx5fa8wXG6K&{ z@N-_vguN(mL~P8gvd{y0&H7-`wqo5+Svdz=>q4X3@qPT9+A{IMn|H_jmEHK!#%z*| zeo-tsGh+zhP@@o#z7G-?bkq=XBK`zl}NgU-0Wt$a+X*ZUP zj8TX2DW@9A_TESoZMsqxv#8?z6vakuJQ7j!Jq#V^wJ$#XUErEXj6D&1WEH7zhkHKh z+glA|!fS{9xbfrS5Q-fCI}dpX=H3|;tpx7(dlHyW;+nWg{H$Oxz7UHsWv8T?UYS$| z(*=!15aOD!=y$oL?WG3PAp#iP^!7jbD&12lWCc0TI)| zpd!m|K3OJ$1(Iz*pig$scWuBV&NLg$a0^OQV4&4kjMy+>FF7&)I;Y9{l*o%|*JbkaT*&NpuHnl=lwC?g=IdLavFksF3ASVZPn_+wvcT8k4&dP-(iNEb z$(mKKmZRU>7OwZs7y~x&^6yvH+ZC7+-I4}s!ceL<LBpRm#D`xSj@CqL)3 zB?>R7F}kJo9^An-GgCL;oAlH9c?P&8H)RV>5bz4S{BbG(d=20_zc?Q9A|}7^d`~?7 zdx5}BW7YYPjWiPz*M-Xen8(!gdi%PC8Qx6Dy!F~fkn=Lc^uh17*@LO`X?3{m)Ssu?>rEC?!6ZXYY=;>Fu=99_-aZU;?!{jAY{dt3kVdFd3YT-rr1x~v25?=DGr z&#J>{IzOl0TB`ploc?<}$X($NZ2{bTfTV#Slx@&2jO$uZ`XgwX@=ICO2^^!|;uWrr zmjN>tp%kee-m5Uzh40f3AS@7BQGL`nV)T^2#o;4~jn7A^bwQVi(w%Ai(@;Qc2AC!l z4h+PBBr2Zbq{{rAUDegThfba}?v&>1ALuonxm%uu8XHqzW#Xebj7?K|Mm;ZCc2>s@ z%T-(*ypAn}XLAj@6>-E1GUaqPpWyTMY+TvKk0g3JNd)vi;7lbKBLim&Oru8x0eONA zbxw%>EsCp2lMmX>T7<*j2V!ZHPPCzE@be0Bq25=AQ1eaO{&}#~@VJyRQ3SK15JMqP%uA!U2Ahb`JKubAIrErlv z^xPX@i+s~8(IctRoOJgLbhLGE%Uf^b>RcsN_-U`hio{C^3zE5$HF8HjPGdBEVM*OC zZZ0;5NKN_}Tf`#kZ%zKh0sGM?m%^!##jG>G!U{=MOmocpRt@NL>?1wfhJM}ss15N< zVl_PHAUhP_$xyGtGU0{2bgfFeMUIlnAkHwk4nu4@tOKD1yqJ##T8$~#d~-~=V)EE| zA-r}8qP%ua_o#|UYtE3?vg9F^c;fhWM&t_bwNkZ0TQ*_Kg7hr$7LkDmf)cwGye51< zZzpXfDv>#QJw=}am!A`*P{q@)kN$=Z*qNMqcCAtw5oq`|$n(&KwZDk_&|IivX#M%| z4#T8uv?2V(tHRt}p0A;4oMlFCGuUa5B!k(<`sT>L*2zb9M7$npJ 
zY|#HNeYI*AcobF190~DHDMy1mlG+8zn^DO!i6>lJ)L<%K1`M`=y1L&+EREjn~LHMF;<$0Qemh)hv=id5yp*7z}j`mn>9R1jPD`coZL4bSgR;@ z4T-q`G!nH$XOW#R)iY!(eJ$sll98ijRZ#%_RD75%&eN>F8{#S@Q*V+ zE7KG(l{hAGbJYnvr7_H6_=huWok|40W-n>Ylyi+yc}>1Y^h87R0gqa-;<=|V*!o=pzFK) z$Hz0ku=0;4rb#lQZTO_qG%4)XIBKyW_Ya&|e=Zh)DI?A0xL#)P)HF+#`->sS+eN4k z3iP9l=*|voaM=&4rcAjCIkfQ47%zI^A&bV5G89-S$t+)lTZb;TgL`i7#?tc^bP2b#MLia73BX8v?ss zcX<@DUIc@GcXkox-r7afN?||HyQ_aQfDrmD*HcY^`!?I0psOMct=+6 zd#1^^u7#t!+unG;9Ag^$n^=h}Km8m#m`Uk5H4`QhlWv`jO_ zZF3ygZ0DgYun@!`Ov|^i2(o^0D~$N}Z{NJ9Q;%wVFJ6@{Z=!iokYcj{qqQwtJ&m_s z&4J#2pz(>iGnr?7kQ9dC+4?ezkiE?^vkDGN)$1yxQ=4@%v{CoX+MPnJFKtX9wNoXP2l+ys9ME^*s<7L``l%T1@SA!SuU z)#-L4NcZ}x>v*GOs=CT1^-8fa+Hu+!iBaO`R=N4Lx}t>JfnO{W zpR=F6;60|qU7j5z!fy}HC>bb@^*nBmQDMA8&w(ySKs}-csm`l|6={;us;B2nu8EV{ zPsdaL)0uOY^^;6LLJeh-wH-<9)e!?web=m9&m!;sqV$rV$8(61&U5^`)8kZYh;ce@~QbBZ2!@-a^x3==Cjc%J`F7WNW zyWTkb0m5Ttm*9==vPW;6`Q^pnDsft97~=AO3Hr z7*u)=uzUx7lr1Dkdq4`ne?Z}(FHet9!n7h%zovk_ zVdGKw>}~^;@_6S+5bib~M3Cw>GXv9zKlr;ujOHX0&AjQ}L9*nGqCMyvI1BuOgr=Xk zU~Ho1tg&_lPQ2~6FbF3J>mszen~7gsiv7?A6&CH-8Wd*IXNwf=B+XDxWAf)eq}}{Q z=l5cv*jy-BJNZKLw7G{%vQ=u=C(45~gLs4&>Co+2N98G6S7Q57&+ra0%a`V={}pkR zyDXKV5W*3fjm}&i-v@@oWt10bU=%`?4RMetToN)QZ1N4q`c&^pMvS-@t818y9*Gc(P(i;76rev$!X80?piE2$6Iw-lPZM0m}a8o@W0Lz(;RMG}iZ(LB(xTRh*iSt!8Bt4q8JcJN(}4(4uUz zaVOfvM=LHX{c1qhU)Z}Lptt5!*AL#ds#u&k1UXY=X z2c-p4JN5>IVl$SGFL*N~JHYje%}(IunN%dsz)HnWj8vuxbl1(gp(KrI~NewiF#A!v)u9JP9m3NSPddygHCdP_UgKl;jsd#ma(5Y#x47S=Q3VTYjH% zzaXcoqip0;!73Nm#6ezH=%`h7&4RbfCQCsYcT7rZpvo!m?o0xkpOdekbhg)ywO%MZ zr^te^ixuT6brCDW-IvuUoU`gS0wmSFhbF=J7s2PrhQ)&XQO?ySoV&flGw-A+&Ed3D< zdCP~d@#qTye8eI+&Dp@sVb0VzW=Ud@vjImzTWF?>tqu{`I^Wn4lAe9 z^b*+Q&sj#?|2?2?5tE-U`ft-0pTfB^o!fvZqszWh&^=Im@;3}+*gobP+DG^cH;7Ca z_Uk7^Q(VPTwuk-q>1U_5_lkoNitDz>bijzD+|%uX1}oomCp!{*bej#=f}p^H zz<~3IOJvZR?%JM#BmY4=%{Fiq86arM0stno@prck^>cf6|Gc=ZEPjXg3UsRcoHD3C z$6GzeaiHk;O7;YtdD%JDA47PDV0n@_HIES(3Em7ic=AaJURwGa3ck~Kb+x>HV6@2Q z2;Nk?{ab>cDDV-sXIzUV$BsYly!menS@;X5>f7^Wro4mvsc&6AhI7-h_r4-&UbXnwVJ8hAwzz^KbQ) 
z&*_M#+6v#{qB4}_ivCULP~>WgrlsbkyO`ictjfb<7?JAX6JV|=E5`>?r@9BbU`5Zd z!5+)@+cOv4>=iMdBoXqLcca$pl1awLRA3Pod1Mb9UYKOuY*T$O+eJ=V$+Rj7lqi`WZ9r& zjd({TcK3e!_1e8RmUMUYxV$P1IPPUkk<056Q}Uv$e(>4nm(#*qw^>;s0f$qBq@|hB4dDFe=jgUC2Cr}C{s+0TsVH($%XG~ zEe8eVRYVCz96=hII*%Ygsx3ui+zyt&B#KdTNGHYX8e$y>x$UI&L;W#Cy+u>*(WTJZ z3@I`66yc^Y`vxXR*HX+mX=_cn%TN1esZ9+8G-%`dgWn z%tLUrTR#le{uEeBn(wZy(cfv{$e+VwO41#$H<-m>m^@ArU;WqX{tr>-*j;I~ZR@1s zq=Jeow(X?Cif!Ar?WAJcw(W{-JE_>l3f4N=?VfY@m+`jt{(#x%n4^!Ua|I_{wTG5i zd4@;5wr_vq*{)VM=niCpl7@(k7^n!!-@c>d77j_xA%@=QD_$c|Og&tG%VTW(8qGRA z$b&R zXe_#ks!r2ZGuKK2>m$1St2?zK__lijVYlo+h5Y)23BksjVlyR$FV~Jo%yigK`EWCO zu$=F9T8K4NW8n-mj}kE32-tn_p_c`wOGiKt5v;#tgCu-8FU3}G9!!mG{iQs17 zIqhF@%_x-K2?*|sh&$;^r0j88b1Jo?Ze5qcavaQtP2UC=e`^u6yD_JS5KX0Xw`6}0 zF!TKDiXU2CB}rvW6U~7>tZJTPzT#>2-*V9NC9@y@u{!1Qf!^u9-jpAr;M$*0{`$kF z55QrEDiikmkIfc=rg))HNvY8RuR!N}gV|AidcMT_n##`L=Fn zmz3cb@6)HoMD9bFvRd5?O1;MQ>B~@DJ<2-Y+uNO~?hl$zM^!J2q&B42m72J2-$ggt zHW$}%>!_1nmvzZHOyn$YV_dJ>W#0PD#RV!Sk zyji{Ceekl3*t+YsI`PkQ_kA3B7IDd8|KosQ*XDLC5wM40Px$(=SM?cF+wLAZsK(=H z*WLRTtiMCX>$C7VLEN_GIX!UCqpmyCiqypqeD_TQdYY})Z`dPyUd`tbd@jhh^?f9e zp2B26_<4uazpLJCIjs^ha?JuD8lMk#`Hn++{2Pvg2JAU{9k!LP*PqJy0)P5|7`^ zPU$O2x5XWTzFv)AtBdv9hP72+?~UrE&z|VTX^y&{Z%z#RSpZ?RHk4j4!6k^j`-f)p zW12l)qlw*fJNGQni#{k>k#u-mEN<6pO4`1*Z69;BmY9)cHq!lbSvl>}^Xg|6UZYFO zqgWq|+tz8Qj?3lhD$ipT0BdG)*^dRJi1v%Br%5UEMXq_onC~G*dT0A7?7)xL{+$-N z%T+c2aW&6-|0&*$z2}Lvth(~5>mo%QT~6O+&VE)O@SOBwk*xnd_)uf(=Q*yOQ>2#0 zx$Y#5BURVna#E)?n=QZPFuq)de>*Ds(iGRh%CpdY9DD*2xCi-f`0wn3%vV4HS+86` zG-@0y|NS@6o>JMblwWkj@~V$tPsuRPpoZQ6V6cRYvnD9drr(rlllSA@vfVtxINaeO7#!MYizy9pp_(C0lt<>twEXAqWb#f--f@mF zh8?=*K@#qfK$L=~Zr0+eh-8;$jUVJ0vO*0C!lTBjn%Pn0Zddp6iM5^#kKs(LZL~^5J=+IioI$3>@cmNcm zC=^T50K+aYizlb+BmlC0>O`ngmn5?SbI#8}FLbO0CULCtWaGCpVx1D^$O_B#b_#0` zrJp7ULJQcdp1Wf(7%*VNDnTkNB1I9-C^?T6cGWM~l^4-(d_(Dn8U)`P z;B=)V3a{ONC1vYQ1#u|IGzl4!j2V~ZQOjDJx-PK(E}}bOX`EL<)%{*sI$oOiAyN33 zDmxP&hfOS^R+@K4h0;{erKEh)tPy~d(qDWJR`YB=;!1_;g-t{S6ElCWA@M{!*|O-` 
zUv(c^sBDjQo5?WAYY7`bBd3jdCKn9+)4V5S14lHIQV~*nEYyAJxVMBZA`w{bnuX)=5q$I$h3*Gdx=gsejgBtaKw@1q2Zg#_i77? z;qC}8ueE6Ch%Aen=>74-serB8@F0E``>#Z~JHoQ1hKWaGNsvbwevxenUB|Ldr9xDR z13YC00b6vKQ`n)k*)K+U-pRPdlzbI?DM%DKj8^OoOK_7nwk6WWOfi{8P280zBV9U7 zYhmHUf2n*Kp5mIU(1z{Em88<_M946kp(yDT4hh!s3gFbLj#`tL2vdLAsRAQ@NmbID zhda#QKsmVm8}Tp(TTmlA{3S)Xi}zGXJ*XUL#g5O7DCbO3p~ixDYeWg{nQ?{f=X>d3 zfJM>dRF=}rBWI-f$)TngHN7v0i`j)iky%Vdgq4*zhs}leE&vpssm}Zo*&T0S(#_lq z%sX;Z^@}{3-m^H01jzj+54njjT$1i@Wpsbok|c(<8s(z8;b^jWF>g~(!Ns6UF2VOf zq$(xVo<;293>4KyTVf09M7gB{tJ91_(^Re#Hz z*N_x6`Bd=|+qN3enAsK6+C-hSvyCi^7;rU3O(#n)tl88jb2B_)k1BhS77BzaEM92j z(5Yi1cf#2sb@@<7u#rqB2s7MxJ5>CERVFGU6IQoJw4Ib&9dfI>338ZeeXz7ALoidV z%v6Lzo^UKt747-$CiTb*X=k=9*+!RNV+Cfyv|4j6MCuZm&vvbDppqnpx^@!5iAQf?>Gly4E0-m*0ih(aErOd@TzbvVuu#7|e-OSp@?8fvJmMds|oM!^x#^*Fb#998sXKt+CJsY=) zwAl5NZ6x>QY;pVNx}LoyZ+R2@4}h$8HsHvW)9-oP{*%trt%cK{_oRRNerewYFwy}- z=<${l6?FlfA^tF8N^9%6n~2b=(YUY}cipzZZB7V!%#+veO5JXJJ6gfrta~**Si9M- z1f4ZM?d0FIt7r8(^b`J7KFrbU+Bf>>CS2I8X5&AaD|36}cDfvYFRhcx_4he4UrBKD zcsoB})U~{ef~jf0Iy#2m1O=`r-_X6DFPCZcb$G4n^LnTCzIIY#3bbEGY3nxJ+zEi5 z5>-LZZ&B8(jPyM&({G!;8GHx$z(6edeXK1mP#DaAEK*qdy;mK$=$JO;dhQmT4!2(N zTiKq+)j9GIxqW7%i*-C9p4S`U$9(GApoVAgH^#VLM)zCw*-$qLLjUKh861HK!nGrQ zkDhtB@IyOY(EWz!tlz~_S6()Pyb|F*yVkQy-apFS!wm%u4{39D9tc0XKXom+^Ya%^7{T*uk*|L z??Cpa>8bGWaC;~9ef6q7H-Kb^F6WwANz={Spw@*=?|rcPhwDpDP3TxC<<)IXk^3RY zVNkxAR6qA2Yt`QG;^~Hv5ai`BtVR8@qwVK4TC&&n;={)4aV6fTrGJp48{7V`bNa<* zitmMU_BQK^uiSS2eGdSN`v4L4f)Mj+KmhsS(L2Hc%!Na&YhYW(Gyx*5DO?WVZvGuK z_SN5(0f!&*?C4xwexFa-_+%X4zr{820vDNa4J0dBYP4vOMfp`BH*`abWx5S!Y=|Pf z0^(50dF>vuMeCOx7DR1>ks;mjnjv&6_s^s%>W1PIYn&VMU?@dkm*#=!N~OAz-6y*Qp{S};SZERsC3f9u?1#1bSEN;GH{ z9N?-7Mjn z5Zjdj6x)feQ-XhIV5z@X3OC!up9xWvqgibTv!4BpSSsWzZtRJ#0fXdv2r<)RMQ1Q= z>OIGGlp_!~Fey}+Wk}aWcoer=tN&h*Vzy}(7OUhZU2EV1ZYh6`fh_or^Emz?zPG4Z zTa|i9OnBU()}N67&Du?OWH!q#F|KitW%Edg4dtCE+iDd(F8SWliRmnXG}HpTS_^-! 
zV3b%#_2=EKLYx;-+D|oT8VQbZ$%+HjqS7*jX~`&?1)DzH=U^Ju2!LYI@u9YHfQkuW zBl(;(7vmp?rYTJ70@ETUJ2|{81ezMHB7Cv$Lubl!OrPatY8waV5@knRhD)%pLu}de zF$8kRfHeaJ?eYWqElZPMfl4-S}u z#XEk8vc3PACqzIr4)9MbMWbuGoDx6^~J|6F*CyB6n&?hb!crMd#?+!Xp;`DZ7N9y2_yDYFe^s zMZYKc%#6!(2UH@XD_&I@^sZ6#eABPi&{Z1i?9hQolD$YQNtDalQY1`|oV9mt57mCF1u zg0eDeH;!1I1REs6s&5IjHL&2mfp&_IE&dBfsn<~K)QvbU)KT@wuD>WnH$*L*mSwOm zwRv$?;WTNc86YEeOtcLXZY1cnUirhlgXa$$u4XHhyO$mxtEH@$B79z=LyJz5byQ| zYrq#9Gi9xO5!0|%$zt=15%1Jhl)xFo_qQgrn0z4z)-4jFeB0&T6&LFh3=KicPid+g za4bUWBHMv`x||#S;eWa9-hQyuLgfGrD~htAfJ(HafT+#0W?>&w?*O~wQw5e@{-x}20 zqjuUK9BnjdRRh&%ss&9JSNw>bVRBzo9_86ec|dQmbP)(YIJh1y zdzgj6Y?+`sval%R&jwDR#L6tTCZjp)`s(tF`a+}yS_F*0++vKSx|l3(+E$GS=K0(7IHz5nNagQf<`VhYaBY zC#tdc*JV~@yb?ESpDmHb#0(Y1Kj8Gixr+}rpPJ)CXnf#l5Ao12&+(-t`xl6;)8-hM zF)tlp)qdtMqtfA!nO9qkM4J8o0>t``Jv4UnMOM57`O+RZ1JM|jZ|&ZYUXhXhK}r-5 z0Wm(pKN!B|#J`!O0=a-UU*_nZb8&%ihOH9|pMx~Doy#zRT5{z*=B!VrP;D&jo;3Yw z&-2kfb~*6l+_$N^6`z00zw~*I9+7dvwO4Q4mv!UF(KxRUc>SlxvFJlno~yRphqE3N z887N`Kd>L4WeEvghOQ~6)<@fogReL_Z-D*7RTNoq+ddRer}8Uy_IFh&NOjw7cUj(7 zBLcO2?c}{cm_SoW1}5I;xh{LXJ#lG}&HF`ecT~ofonyx?V zX8ULKN29&HqRw&qB6QC``eCd(?eor*y7$S3I$obWEqej?%?Eq`SM#I65%JCCI&b$) zd7_Vh+PUjqNwNf8=ZU0pURD=q`aToe3%@QzjaDJ9xd2`cpR88{lQ-4g|2mI*`gX2y zpYoP(+J-vXu-+#ZXSbg@dLD(4_tSji%YUfe7l+$x09u9XfQ!^v_U+fgT?CwO+nP;o zyiU~-OU~Bz9}|{Qv)qrR?_V&qc%k~+>oUUn5k2+pF@8?#6w+z@8NZW=rS&FdX+Cr;4WjK06q%JeCsw9d=SOc{OS+iCUzvgW@qeY-m!&qag44QAR|KY;q` zm6!j{%q$K07oj`Ec`FTb7t@I!K6T~V{}tspd1Y(5*4t|yjR7jR4^aLpZ=Rv;^1NYk zq|2Y{4YW^V=690Qa#+-^6F85($mM^??yGKW%iwib3`d^i{rs23Nql&->H!*CiKWE5 zkIKr^VL{1}26cCQrF*_#ifGFVG#>ya1=fF^wu`3fyi1dOl-+>@E(PYWUT3EOv-YMR zxWM4Wt6b&Jog7eqslL##wMeBR;QVQKiSZKj;QN?&W~yEaa6`!U%h3l}PQ`%^Em{#y z$|MKZ&?Z{ZEdr97S&4MSt&g1Qf*dMj(yIzQhoxFIG-8woyEhu?`8E4d*X0P*-h~U4 zBeXTErH^4egKoZgQ7)RWf4@*vT&7C$(6F1H^f%b7KLG!ER9ql&tHVjhR$$mQS9^bm zT^&!HDXvAQ+6XVWP?Q-B`;&R+@>yDPq{S$Cx+s0(%@Czsh%Srt2OS~|J_nr%Pm+p> zhb{Pcy^1`EYdx3;RLM0~D>hnuf{kVL*f4BwDt zp#{OCL6s;rss04dRHXj!0uEB%*SLrpyxM3!V&Gq)pF&y`OJm1n!a1kkq@3g^SYajF 
z`7Oz^)JSGt+_iE~Ytv&JX$9mZSgy@`1(yG#CnIJ(Nc=9U zF^6Bn=3cpRt}5=>kiT1qA_Z5j7s{8d+f*8Oitnp;Dy)nMBfAs=_xED!;-H_*XeA$t ze?m4Y6raNyVX}}=zl3urx&{oymqz6@u0?{+RdCd$G#pNBXrxz-T(6m1CoUN z%IrK4$O9nX^F8JPH0^+s{!4%_QCE-Bt0gVzHi8q(DbHfoprkx%RHZ-oE?yxSI$Ji$ zP&M46)HXNuq>aX{X_cluU%YK?jWQSkJ>uq)7xqT=MT@SODlWgD4w6~)(Wy8~o|_~w zgvu4^Fv|^q4$VD&;9&RhcN4HY%h7=Od{i^IkWkK!&M7Qjb{>-k>j| zu)`_XR1#Rec3;q>7*2!GtjoZ#ott(k*l#sq_=gIjiE(r z6B_+EZivd!udqpG&rO8{w@O7iF=D+dgbXEe`dIjbxkPfJDz#$Ah>IVRx2zyZTI!3* z8BjnTV79yCE)+;QlqUds5Lga|0Iqvthtnby5m;yuOHy%Q2MHBPQu*<4TCs6WjormG zTtU^2C1M~GCl)B&8Atf2l&XF*QH5rrP<-j__dcga? z<)P2xFOirp-`Y~J>0Uy+}_a+HB5U%wO~iHW|$ z^o;=W_=e{#*N1DTt33}82|pZY8&v1|igHipjZ#wRhwwxxsX!SWSBD~G=+z#OgKOO^M+8$E7 zFL!M7^s0US0bukG@V##5H)L1o*@2T?IqFYu*KvM6J5|G*vwQ;mgk8;jFUmIv&U%5( z3mBVucM6}ki|zz8-n?Xl-Ti7Wl-+Ta#qiL6>Z~bom;~$|3Ua7+vF{AC>&~O*%HLC`+^6Pk8IMvgq0s=KkaZk_R!)4{( zo?p@Lrt*=Zj~MKt$2l%&N6({xbrQ?pX-IR{rfpAYp-VtL=V5?-LZH{9ik`*0w{ph! z=FNN7!zLr;X1k;JdF8ei_sVa$X9j-sI=&CI&bO7f(5EHibr}6m=O{ow$8U3fHTSj& zcY82|a|U!+il+#vcYgEoR;^sCWw?();AOjwq0UeneE;2jsz~5qwPR4=GilK&jTg}L z5S!QYF|(R^3J||;*(mJJ@p1~po#_A^_klg{gy*zeTqD;xEKAv6GhaL*aI_!gn6EkK zxA?!Uz9E+B@M|7@`f_MBd#FKDpA@$xwYFod9skJWSJrUN=i}D87QIdT0sA+ zjRy2Qd`)J`VvsV$@acKa*mPdO(%Aj6HvlheLWEjd8_ z*YR)Q88m?$ngvCGLWnDIt;oTVUT8e+TtF0ymSh+^y^PD+G306K6T{MvDo7myRBVF5 z=J*>*G@sSNPIz9c)>41)A+J*9nYanHU$xOOUaXs$<+9Z?2S<+Z=L#VJ~+U>lsO~v@3h8Xf<4H?Feoolqv zPdXrzQttTi#{&6kDHL$WUr><~GB>8d4S#0wn$Cf>~>ot)xvJ66JpC3dd4jy3qsY;o9c1WjYezMyt!N9l=@S3T1 z8!5EtUz`;SKZe@a zeI>w46*%sbbc!iylw4UF;?0;-YDGWA%3GZb5MA#h*lcV{{~g6QqX=+@oU@d{- zr!+t9>?KL;=YrsTk|~v*Ho31woqE6B$phEP@Lee zoVC({Na0rp1|;k%Z7KD3c$JVu=Im)oW0eZBeO@CDMT1lKd8BpWQ4RuCZKrSSULCvy zM7)}re?`mI9xe_Fb^gjUXfi%Ahl0^=yO?Lwl+>W^?m-G#88lzN#N()$oEtPm6vMDA z)TNY8cIvq4GV13Naf6f6HLgpO7HACO`Y1@esPdmnL;rwKl-V=s(jII4rXO+T<2T}E zR&D;@V)ii@&<{Gf@&}fH_8{-LL4juHeZI61Tebz0f44Dt&saf#^=tujLhn6ipz~DQ z1SJ#nKXjo)GDzYf=sBD{tGxShDg8?UP|qiFGzrr)H*kG_v)AX_fMI%}0rvKuKFut{ zq)nTf4=@oRyyM}LXUl2HP@&r}KHrzu@;dIX;j*pEfPd{6=Y->I9K+Rkx7o9674CgA 
z!k_Jx7?uASr_6wt`>1ex&n^!-qO=$Ay-{xC4M&S2=p3+W5;^y z^L#_b3WDJv(CqPf)TV5-&o0HwTR&FS#W$QS1~uuYuq zE?9Tg-#SX)*5gUFEpPj6U34`3qT6F9%A26^u`=rURWpxfHgoSBRLm>wU&$L47fXVxGR7SA-`tR3ho8|IK z-C{WKKH50;`8c=t04Do!K2!bEplEaF{dHOtx!WX%u*ZyI)85*ip6R_1pJBZgI8N<7 z+X3&n=PH?_q*;#;Oo4y z{DIxubwoqi)8%0M!tj(HVtWm;T3>+*@ytN zy4&q(yF9q~c)O2dTz`M$VV9{%o9z`elH!Xk4%OQ1u`eEF(fUPld7}lH`WzccmsoQ|YI$sco9ti3? z%JV-HfDQRb0{w+#UId+J{{+zhVvaG2&#FLt0CI5$wt4J z|4k@Z*fka1pBCE!p7Io2#GVk(NTk>!c>u*=gVqkZ$E`hMC97CVawuINBG21ngct!h zdL7e@SB)p)_=&Dlc8pfiSqWF3UTNX2fj3v(b+jf;t5wMvf-Kr@H*j|sLei*s)>fmd{un#VpPcU zm;ADGd z1tNuPJG8Lr^f<@xRDB8Qw$u>HqUY27=$ zbNwQflLF7_A@?7qiBG0T=ErJPw@ntKN&1}S z4uXi5l!Vx)TN^mC$_k?(JR*FsYP0ZKRpyo;gar!=?mycTO&CcP#1`1(OCf0m){=UR zf;C2}*LM~?XAarYiiXjLPDpUk!Z0#nK5LGLa>S8Vh6OpfYYtrrk_b>;YD5$mQE{^2 z#Tj(CkB`uCass7#XcLE-$Mt03V)@>~NQ{V-YBhCP!>KHmuX3sLl@z#VMc|5Mf9vX-Huh^xLE!T_V#1Z);Fd};JkaoKH&p-pFKn@ zmDyMz@0xT3^|j=A(3kQB^TfRZFy*%gfNPSaUL5&@!x|G$9$>HPWQHeHU_{|fr-ewu zjpR7UAk0poA3JSu$fTD%6KewV&t#d{Sw_?Fq8yq$pe0VM{+@h$6NzuZ-MrB_?n=FN{1#8t6uq8N(wF(y$cto0VCGpVauJ<6$DUySR z17FE>jOxBC=19bvf?E$`y$ntRzw_=-;fyvd8kN&r*n0TQ41U%Oyv61LGL421_A=|n zmpD$uW3@?~uhexR=bfm2l~>II__vQiVUI36KB3O zSmoLit}CbCR`QvG^fbsntl}A0Nu#eRsAQ6}nPW_0p~{-HP+Z`dQ%;)`ekx>wm;ATf z+@-g919f>p!L!*QfZE8(EawDS~Wg zX|b|f=2mDKoz}SpG*62qvphcjY_24viU?>i;y{<>X|;b&>|QlqQ&K+fcDnV8o^S5n zW@XvE6*rq#wC-@XRd=4c^*Pk8eI`h|b=U#Mqx@r5bxbP|-2wLw2#RjxZ&Z*5Gt+H=SFoe43xA(&U|sW?KuA|??Ur%d zL#=w+_;oYw03nyhb#%^47i#bR>az4nw$E(d&;Y>%;u^twwilPv(s0*DqSxhDXq>a1 z4rYTM_pOCd+5o}^@lve2Zu=Di@RQE@Qg+m*=)|AodL`U$TeS3$H|8u9qy8Rb2 z)~~a8R&~D{E3=jhbAO*keV&hy_Zk1wt%204DK~*1HCeI0!n*|tkr?{^a9<}{x9MNX zU*P-V_KD2;+r$M6zifQg@dAq=3h+;(;?kWDFZ%R8YY`N#fuVlw193_LJV3y0d{*5K zXuYTLy|?)W9>D7C?cY3@GoWN%%MP#rx%r$N!SKRg3+{H#nU?8w?hWGV8D#gqO55+W zz1tJ^IUhM|%`&)b&Jg-_9~!rr)dOeY5ny1hL2E)VHM)L>`=1;;PlY{sn&zJm+f`<} z9t&RTdEG-jSiGRclo$T}j!6zLpRN^D0srTYWvwjT=b?UQ@iuaO`YS-K*Gt$Y{cfjW zk#(NVV_cS*ze}~#2i7hqZv=Fs2O`AFi2&`6yt>bTELf=hD?mQ(vmg^hgzRJU^obIn 
zsql5*<|x*R|2uy!NC>?Min@V)-0NWzG+K0W@*%GmwrEPJUU72DMJsy(8$ashL7&qC zAh{@VDLX&GPb674YNFbd?8ecO68jNFNXDnnFbt9E@}I?e9a_; zAk}ujZsGh?igDUayH~u*4;9Bv)&4LptRodiEvtc6s`I*aba;!1*1@rtYYGA_Y+ser zP{NXNGhJ|4h_miRr88c+>RO|A1ti<4X~I6`P}J^aatRflYc zG~m$`4*ZWPex+O$kg)6~Nm`*+(TR?%+o;aOfAZZbIlm;3z74e{BxOuPQWl;}PuOZ< z%?>Pa=M4FekU}K}JWyxW2Vlp>V&2KsMvm-aC<7g7Y7R4%L4j!{kO$fMV z!WQ0uDl>6vXu@M0xO64w&i+SfY&)K1Ci4sM;}mV)pjGX0IVwy`iE6mz-$iq+>vY*> z;;I^uA1?Sxu$DuwqLK*Qd8%)&9U&L85%8P*sOWTc$ks`POA!dryNDI&$+)Jd*x4jp@$Lt3kr$1*tpaMiey*Ot| zS{x}1rb}P$lU6}OJ}fF4A-v5GKWIbX+Fh*@b&xq2ot!IB$fJiO_ghlVlC)FnQh2yG zpA`<#LY=t~#<5)laT7JUUfO1cZJmUxhtp$GO^mdrvQicSxAinrweCk@nellD);WWG zrG@6VOzNdD=)g_345T7NXk&tkZ`Bm7(UYIosne3rvGOnC!D9^L%f@h2&9VTu|VN@B$xGdcw zZs#?RljNrvc9SBaGcLbTe63^-0`lxjLGrSdUp$R-^c>;QOdHt|p}^l+n13@qzmT>` zg7>sIbjn3~1ooUX5V99=!(xel2AFIcG&qEW`4(wW;VIVmu{bi$Qp(nh5Yodchywvc z^xr8$i!Yv=@L2+_6D?tTe-H8i=Dv(Y9pSf)cfFT|YNizm0tF1iZ=cQgK$`jb;35U7E^nO??? zq)0A2VtK@ht{%kN!9_8z!!g{?WpqKpFy6eH^Ib_bqpA!$iZsfP!*uyu0J6y72sD(C z@cbE>#km4qnzgQXz%a%}5G-5lSSy5V;vYDQ=x>IA;N0a|O`IUatC1>OckTJRmE+e!qYISMK!ruRQ@2u>sgHdGnXP z8-Xr5581oxCqlo2B3F0*hig}9&aDMw`?NH#y~w*te@|}D4P|qIuA>|*kiqUILAOir z>Wbgh>-5a-OKh+m8zx}8@#f0?ESJa`u6q{geYWRn+#1RI=~9(~bG5Dnc^i-G*yB1! 
zpTGA+corXU86@7#DxKRz|1py?%J?+&3x=-kl{NSx)z?0vWapPlU`wqHfz!o6m+kYb z)XTKi3D!-HFYN6ALf4e1FCqTx9%R|=s&b5M>p~PGuiMrRmfh!wvwx@UXK?>jl(gxM zzjFzBWt|9Rj{il$6L*xY%O}QT)m&s&pRV3DRAV#XQlPr!^$JGdA?m92g0~Z8b8A1G z@}^<&r+Pi^)Xs4jw|CCx=<1mEjGliW#EWkU&&J*KBvyxEif!HJX{Y^?KYSGEHI!WL zhzGf@{vG-m8->#}rL@#Zp|9|Yh0LEHsgpWKpU_!z+v@V=Js1MT01Uv=B!bU*b^ zo)ENLZpFy;9t9kMT&~{*ynH&4DF}HTcAwgG?+x8Y^Z0#s-Y4DUc?{l#70eM5WETar z>>o-Zz4hEDecmd(KL2Ud4M_d~P>U@Zs-wR-%v~xf7bzx**=^F|<>Z!~)f&ptRGUI9B2}r6 zLcgmSfp2i&EsI)qPjjC;Y?()8$1Hu=w64jfJQNcVabXsVU{{Zx*&)eqhDjeM{%oq{ ztVqT?4iH1JX47ujEKwmBm_p&jVP|TYrxHd{2_0h8>r@xU{~VobE;^V2s!)=yUHzhQ%`QYg!#*` zY9U_i6?V*g@UWfjhe4nl9eSM+e@R?$NI9`kNOY9QjQW>cRE|A!MKHk~)8nB%lkw1K}VWE+lX<1z^ zmB9T8MU#O}XPpg>j!7u|87BF+6R|_gtB_R$s(7>$kL@0v)<{V1v|J;uIzg_SqS%HW zeiKr<%x1fmvi!S26J1KAO-=mbBh3w04!Tai7XB36C=Ka-@4CvjaWQ=Ej5{8rtjpCa znO5r7dqtiT@-4Q#XUYt^jcmciGBcqzt;$X$uEM^3pn%6P!>^^O+xV@`5a@u9L+J_xO{M2As$AS{#>+j zm&9}(+o>RaB8F}6@sWxX?x)^ zE%H?Y2`&kKKn+V`LnRjqBEtO`0d3(Na!(|C82M1n_b3Y##~u=~A*TwK`SJWDnY7?Y zwxA{z5=KO-g5xTFn3V7NFi7E4Y525oBsfQfY8w^FtQs1y=U)Bn)iR=(_X#MPMN}k~ zNs@moDN_R4CD$4KtqA!ml#+Ca^TeQ5&W0F5!gUqDFp{#eSmBl z1Wb(ea8yJ7;$c0g(te|go`)ys$AP%d`tqp6J?$P>fxi0Lr(gyQCLrwduO%uOo(Ka$ z=#jr}l(v$msaB+DvM3ngU#o_?kdIE=k#vr825-iRPIHmc`5lfs4;or%G)d1UB+1*7 zwo1ezt9SV5vZJAbiarwMDw&BGU}2^nOw76E6P)%X-HIg`!waMIyslGrhW zhI_5-o2KL|WsS*~>?w~X*-48(q5sMj;*;=yM>dt-(?KXuETbSrA$gfN@RA%yOgbA2 z^H4eDZZv32k(^zoP+}xiQ0+a90Y?Zd^y4SE6XL|Cgr)r1atW;_=W+F8GWj1F9;c;c zDaBUw!xY!-|CSF%0;WHMyON-Ovu99m%$+Cb3t;9A^aOnf>ck2oKwFgd?oyZ z`PK&kga{@JGeAco1%1)2nPxXJ&Lv_)CmC_`~UV=?R&PZ zknQzeA1Y>HP*DPx(cFZR$DQw@O*t??qRj*DbUcfjK?XvKn&0@Ci*< zZR?h?cXO(r#bOeY?sFI#!`1g$xh=;x+tm-dHr;8MT0XmzUwTqgZ=X5ue(hQ=ad*$) zX&b{3dftaFcMFqmFS$?0Imq<&39n7svH1QW^p#gWvu5FT4Ql(87dpP1m7^=`yJUTe zAkCAHP;u`oy50xiUEfR{uu9v!u5kB$px3&lW$axWbbK(p;%_*7Rmc056DQZ%+VYPz zi?B;VQ_m?HXhr(Eu|CX)Jg(DqhJ(x3XL->m?%#0dNNHrQw@uEtyP|zF6C9pa+i^2# zUgLU;fqdP28RgGq+t1*9@vjZ&v6%9#%jo*?tL?IX`*}}UfZJ#{Y31XN0K@p@h{N|V 
z;`!=*Kzr+R1t;rLxAP>m4?TZ5S-aq~%}21~Gt*Yyv%`PSD(-TI@Uz;7$|;Oj=eQDP zw(Dj(3W@LL?}}_FRF}9}{8Q~4soQ=6A!FAv(tczab`(H(1HuCJH|o$%cu5s|Q~rL`?eWYUc!LSR_Hrex&{U9aGBq z{01>8ahj-6F=r`=C!|)0{7ydrL7QEA?1E8GK~uFTY5)5>nj3u`xi^$eVU$(HfMp;H0peuri8$Oys%hc!$b!$p zX@HojNEXYWISh6@4Vv(`R*W};juK33#0H@Vssm0+1C6U}QEfMN?{t86awh#sYoMvD{!vTS7$xE5tnEdh%S zHECdQX~7pIBGWJsoJzJg7gWp+ZQ_wwWljqv`8#r3Mr(xf`=1Ao8Z;g;ukzG#uf5R4 zkG=yhSN@DTDa#Vp+ZLwtL@?QX88PJHPTeU>Gx@q-xwgpb4eOFW@wFA_$Z%qQR^^M- z>jq4#$i`MxuHC47gvDb1MEqL-RFJB0LuY8By_-NFVQ(e6^1S}-NG!l|l#^@pD-F@NcHO^x~S zk(g1_AV{Wdz_L^a{<3#YMH`GQ7TUIFZR(E%@n%Fd1x?(Du2`k%f~aT(SAOyls)zVk z`Y^OwKWwPInQWl&Wbd!3Oa}-Qk(rCAex`)`P^sXPa0kC28j!Kld)-I)dlu*vgkps2 zS~E6%N$!{TH4*=h#>R0H0+Y_6j{<49jbi&Pja*Kul= zNi0J2bLKvZsyf00=~3H&l0Y;tpUJUEk?0{HTxBp zEf%|6_KT1LXQ*US6?8cqL!(ZB`4PL6g>GSqljky%8e@b^tho7g{VsS{s<>Dx&GV6q zY~fIY`%z__wJg@Fo4|AQ=cqBIT!#g^k#7Mm-$EQb1X}J_QteW3<_}8iqwGXisrC8t z)II8;>2koBBTh4}*5a&+Y@iOYWtlbjE(e<^6lzT4l3F<8h&n}tpvAwN!_eY5BHw1~*m(%O@i&rbHl!b9$eNf3X)N*R z9SOcXP=7;C1tY`x$0o`a6=|6&O?>gmN2R7%>*wD;mfGnKB?tY6S)=hekOw z&tavA&bs4*i5=Aj$=!Uf=D~x|#XNvsjvaRUr7A}QSulKTu_{T$ z=VkG7*{eacFpbhbGPfGB$qLP8EcoBDy9*x7b)WNv#r|r3H?hB(-^ra{9j{+s&u_2^ z*rGvS-EaI&A?QOk;8^y?f7kyy_aLti@Af$h*|xiXegSxnHp}n(He-*O>hb#5Td(6| zK_KfQh|$lb%GboJ3&>-y1C<0r=RMNsp5wW~QbwT9vD$NVUq-N#45com-*6w7+!4~e znq|Gyxh2%6c|YF8-@bR>;-|F({V|tbV$Rmau0S zXEd+vwu!Q4_x)3=KgoQnduG7iwtM6m*{50CE8~g~-^XcZ%YAozHDI+!#PDdpaZ=aCMelaRtnlPH+wG0fM``Htz23?he5kCwOpocXxMpcL)x_f?N0S&b>2t z&3vgoKj5t1r>b^68$5{uFvxg5$a)%H^~46XP3979T!*b%=CbR!9K={|yY0b0r*m1^ z+DxDwGzPtnYgYLU{Ym|J*wdfc%rtPLNkK0Z|A^Ubv#5Ij5fcW2o`^c&KZ$*tbg!E4Tep=4# zvjVl8UvyLDq&0ymV}z!@0S3=2EWKF|{SKY`{W&;fKHJ^*;+?e~RP$u5?a#G+q&}uk zHJvMlo`93XWJMRCGe~8Hua8x-wyBS96TH&lQ%^{=i`(;dAS$Tyk;wPAu}EK2;25@< zN-o&<5O!1VW+z*-t4!ss#Q%aBy?fe?e&!ks;I2^%{Cs@Oq!A2MmY-gSElJ zeZVU)+cjm*e~p&kE$2?UZ=Ys>$IVxPSdIqDIS{YQA5rF-dJx*YPVAs{f0iRisd^OO*BoiYxWKu}a< z@>@Hu>;1<>dvyvrCAtKab;{OUmBOwV-#}dzF}oKnEE#Q~ zzks$~9>rv451s)4^~S@II=P84*`@$jsW2*7ZmDE68(V|b3yL;LtOoVb$g3=5QICE3 
zAwiA!fvkgjfWPf8(o~x8pCa6#2si13ud(B+T~+8-I#pCy&U$f+0x^603uCo!@6-wt zcJqHs(S{dU3(?(v&KbX{bo|n=Er!Ze4@{WB?kxce*$eXA(l%RYUyI5QK)-FX#9ve0 zHH?#U6pLig@KD&gds$Jrw>*;6mPpClaT+-fCxP>*4phTN2= z*&j23kd(bnK}Cpmxn9-AOQn}I<}?X4A3_eAIs<}ItrJ4FM0E2ovJLk*UzKyD^2EH>Ntl7mp^ z%dEc+Ls5x~0~_2ha*W)nKiE(dEP;Ns>dK*cwJ%VEC!A6>P$p^yF&-Uyn>WG{Xk&(y zEKJVa?2#;HqYz85eA*vkG-eQH@$P^(i;|w?KwZD_Wf;wn!fpA0&dUfh(NrKQ@DpzN zH$6U^^R63}Yd9h8YAqPT>a+GHjFpfJgKr8n^kO1AGQ}Ns*o!hI!gwen8Chj-9s$ddU!a;h zx5ugXMZxYM%PP3j)MX&sr#zF6o*FI!_e#v>-1q3XkY5uvocg*%Md`CmBv7FXLv`vU z&0Wc(_b^)e%QzDOoHesl*&w|R zQ<{@bg(xTB-k#D>85YUhw{liF zPYG5QL6ngnPB-!|O(DWf<0Zx7hJ0#t%81+-T&awoSZkdWT`!UT637OVI>jo=DSxCR zK^7rh_8W~KnYJTv;cDS~$d4b=rJ3_ZyEgeD2OSJ`X#0Ccc`(!vOV;wg5c`>tJuV=) z9hQnLFzhWZALX3e@R&2c7XEj61)KK$i1q&*K$n1@T3H3J0dbbt{)d2T034JuCW{|c zeeE9L6!3y_Pk2KNRpJDZPknFuJS+HiwW(*;_@S_4oVn}Y_FTF3(SJIvN&+sU%I4cK zJUD~QjmH)v;y(R5o!aSKo~prPevNW{7ysbkYfN~bW2ymoEa5T)5DEeGe4qctz}huG zG+bxWj|=!rj_>_F z;nj5yiBa7u{hGBQeEPQ+4%VHT#mngF53r*-h;}|Qxcp5|AHWU!?kCUQ2;S?lM{%QE zz}^kvZR$OSt!HodK=L2S&7H<;UY~7odqdxYoK?=Dnhw9_&qkqf(?OQ0Za)L&=P5c} z&1;3%&0lwek4s^nE?+CY=FL$)qGo%C#6!H`t-~yI&%rFe9bVI6ag836*^M_x0bk>{ z60*J=P<8CDAt(xOy8{1Z(Zatzl8wl2zWpqw=Wo;U1ZnpH?uzMMuHOTC#cWUlD z@;fo`Sz+Vj?|CSG@^5?P0Bju<7aFvk)D4W6=Ip$F1g)Jt0Q}w7kxM}@Yws+h#J-0w zvzJ=jf3^V(O)pWM-vusI{F2o*U&ecCw~jCCL+Vu~e-^u5{mp#xa_W3&7H4|Bknk}x z6tGBi2i~r1J#gxIR-Rnzhks^vSI%x6B@qI;uwne&XWnez57Tk3wGIkCx}j0ljjpOL z4Y&6ncNwzREs;H+1mXlbU5j0hZmgtN7)HJ$>pxyre0jvmAlUbZ%~ehUv;|>9R1hu8TkB;@(2xL zI{@!aJbS*wlAF`NP#{nA4uT5tKU-rpREiq8o(8a4Zy7kQ9|(SzOgAt=oE*8=+DG`b zj=#Lz5YNnFl?4(e!l_hBVi&f2<)7?>TVlknY=9roEAkwO(68m}cqo%EgjXf%XqqT= zsSiWFG84HGVq5Qo}9;Cu@onMcH*pV+Ru|e>#tidChS_!TG6e$`; zm+mb5Yph1HRZ(fRe%B#vMhCag=ZVwI#C|rkI zf=Zoghz`6t&seruGME#bX@kZr+>^%QO}|om1dHuj?qhFg8Ll}C53H5H}Qpp>45__0~2?H=t#w)y`VtU=aWg45t?LNu^`659l@AVs3Sv@qKZKixH2id zgLf=z-N;OOAQE&Qoh9LLQx z6bohjNDaw&RnFy7 
z=f1=h-W)L9<=$I@5}$BiZQoFE7Pa?)wBMd)oA=K%))htd0;wu|=~qW%s3{-0D((jX0#*ncp`NamvVJ9lF}pVCl=5vkY^IF0Rqr8KC4(lc(ymbZ%CZpoDmCW5p{g1Gy9$PIdHDF0KBIi-N%gk3ITG}tyB0J z`)Xs}7%p}8ILW#8=JBWgna?%H%b^>2m3vGi-8NmmU>NAN^licfW%mu_M?iQ}Q#j_M z_cmfc;Ts&~+3i0KyYTss>FB%kynU2fN#0%a42~2+X-MXKnBLARr_Co?`z z9<{!viyG{Lf|p~p{>tFkws9U`)w!eorfx&u6Kd(uyyyC)aBaT zAQ0GGkqKTF9vGcHh4&0#A$}TkA8oBOif6`^Ddbm-z z5cD2^ecScBaANq^fy3qXv?m`=HZnI%HM{9ZW)?>{13at&T<9LAZdA7Ktp|IupAbKP z10HGfS!(vawXrb?{(X7$*Qb9nw)Z}g;kpM}u|vJhFR)S>ViSWl@D?^w9Tj}l1gr>r zKAUC#yRh98%56uI&l@-tzS^csV#iJM(ZtmaE6t~JeUR^EBY?Q(6!c#5>gb4iKiuHS ze`{x5T8w%gwd=ABv<>a`X#w5=B0@mQT5gnc%zT zdt$BM^husbR>u_d72vTb6)+hk#@tO35xUT?J(y6lQSTJ42FcPKX9?k$0X1 zE{me60WFPp9S@1 zP+GzFMX`x*#cI2#tm`_N#gSrpI2i{X7`d-QW5xflq2+woUKHv{pM$vxRz8Dme=|dV zSA?FhPP4Dw9h3|mSwfe_Bj$i$TCOcjE4KAQB;AK=<!1HYaHQ!)(;{&2R|A$*6C-p2+PsaIOfA31S0+`^5y5n7CMM0};>DiW*&n zZ4Y<++m%1UMur*iFou0-Dqp7-C^5;BPh7<9H>8mkl1Mz&9y(QGzpE#_&% zv-;40;;_}IOgyuZ$4ReqGYq^z7&>uf4|@^(YFU((>hkXgD-y^^39->F_-UuH?S|I<`Qv4X?dnrJp^JQEur z)%;?j&Q_W<2Qjs2qQjEx#s&X2$s5>-XJn#C;1#c{FmcnEQ92_j!)c;qhjW$j?km!7cTkf(Fjx}v z5&8pL5MLk3Q%Wx5Bo^kuE4s|?U7*#WQbN#E78tmcWQQCYU6&{(;#lA$Uyf1KXhl2) zNtr`X(ac-yLn2N4Qnq{XpySq=ABxI#74AM6o>2Z&&u*g)1oRl1INfxis4ywoQ*va~QXWs^;pw!i4xR&y0V}GJm#NHNMD|-iWI>C%=^$3JJPltoqfxjXNRT@c(Q7pB06cIx$KIgDj_^6i6PROdM;960F zdqAHAXFnfl)+9YO^gse3bl(&Z-L@5VeGL3U6}vS_ z99~ZdRl5aNenSK%&o(_u6TFCUg|?Q;=jrb`4$=zNB4OSWkz7j)`8hIUO z1?SabU5H`#stN{^R5u^tnVB(I*>>U+xz~A0pxw{JVG?o zC-uJ^4rT=0)QHzk9Rz#ttWHZ zM%SCXziDXw-K*r(bGANxXXu?}%*^eb7uaO<5b-Cw%g1tjhJ1JzczZ211mAbPTR3j3 z=>jXKc|6<}?ZGPGbx;Ncm*8m;fDwFEuIc#tYRts&5Hq6kh(#P-TAJH6N}{{g%6Eq| z)p;9v!j*ORmx=5KWY6@O9TDyC-0)B1w88SyXCEdmKo{WuTJ3o4{*+&OjgYrNZ&GtXswU3tgJyKD2Qn z|Be5Q53wiS=b6&#h>N)UlG5qAeV6|&pWrf^@J7d@S(GWW@!6xd7JJ6`dO26e{I(^R zxc%p*@9BnQYuD@T=W@7PptpDRF?IFvr$gHb%hqivA-7{9RsE>CQ!_^{zgLlat)chF zitO6(-IICF`yR8)b_chk=gagoldsKXV>@Ec$+sQOLG=T_?Do0pTHn_Pu=6{Z>j@Za zc>x6JU${P_%!m~*ziupp1Nggdo+_J_ie6@S!1B*cF94OZixa?d`XIv$dE@Zs4`T(` 
zD(Vj)DSj^H6xmq4f?EesAprAS-p4tWp&`ui%v)|xcr;bIXF62Bi&;)6FdKDVD0WGw zG-(oX(3gpgm7Fts(l$|96S~8%b)Bw1vQ*=_ys{OumZk1ZO(B!Bw8`M^0+}0UZaZBK z;qnjE7A}`-im&y-;iXr$jC0HfPVE~dwAcK z|J5OM92u$5)|nQ~?+JaI`bh)*3wN#lO*>cGCTUNUajJb;&Le@47yam{N(cTQZYK7; zNhVWbgn)@{cYjgXNp#rcgengNYj)ee;rDQB0w@)Rd))5eAg!MD>S$lJGtD$oIQOeJ|14*|#0|S>xksler9|K*isoj7f-$j(ToP`Fu^6>$mh%kn_Fh|5W?50; zCC6J{kULM$U@o+<(3w>?+xjZM>3WMUGcoQxm$78N|$M*X+5ZfFSH#eO?n3RmJ2cg%tXy(TZ*YS%Q9+&%+ z&8dTHD$kFYay?pqD1;q>OuV=cr~4bX>lzQ;fgEHe9$ooV*%$J}K&6$Ev9a-4Uw>s2 zd8-uP*(%(aFOzXTI=o0WgLbRaM+r!}%v94ZSu-65izE|YIWeTZ+AtThtN)`$s^Nm| zmaE1}BJnk|!kUd|V`NxL)2Nn`xACj0tzanOxY8*2A+F?$C{qXzxkkp#suu4M;9QOc zwa`?Ba0KNxYC?kdDJ;xz>3tIw&J}4EujMeQqA(Vz!EB5J05@RcN7Ino;;=KgMwXH3Xg z7pf8}1mC91Oc)0(@MSQ&P442Lf;tUJmzWfTN;TC2!l?xzc$=0{DfQ}*12VIs6YJamAXs3gHNo*DM-fkkVWQdjpf zL441&CbS|9q*bcR5ZDAgTB35_0dLMVVs{=HNhMBpBz8wyL95e}_+woaN#O;~ovGl# z9%73G11OKGi6RUZ)x1&{9yE-_a^Xgm(G1djN{IN9@W50xZ>gFpg^Hg;!g%J`Q5N-9 z|F@i8v>Txg_UeFweg6W|*FSohO#K#s9!}RiAD?3DMHw}q1S2dM4Bj&o2agA7V-6Z4 zeY}HQFQKQB|9EE5@joeB=v~qOT)yMe>zr`h?S82^sD(t~gXKB5bVccR7>N^*?n(AN zD1dz{{jiB+Sh4$iS2^AD5NU7^akJCA1mt{~^P>o+Z}S-s z@iohNa=6%n@jqr!bnLk%q7rDH?!R`a-F{kdc(~;B+FwY{dDz+Y>sk$@I&bYItYNck z5087^E9L6?H>5Z_+@kkmJ0z6nX0^LJGH&sthq*HzEpH85=3?a_z4Z|=Br^Xjm>>jP@tDQA$nuKGBPPFDDYK*MGr+iV?*NEQ z3Nf6Oek-XmD0dqu=nk4)od>eAy-*L$7O}F`0+l~TwJ^bFZ!v9~HFIewA`lDL$6wT} zxMLWnRkQG;8MLRA-Nj(wL#dq@R0>`{=6^XG&7+S7cX3d=Qm~!dSab%YmJ~{876f=n zT|@@kP^3GM%dr2MQ|Qb4TJUOFiLCk{CH_s&i-C>XAvLiwAh{lw>3yvJjB@vZc#YuNA%P&HJsFFElVShE*!o@`bAH zUl!q&ruWr6=-Cg%Mr}fLoZ`b)`yu4=-if%_;VB$~t##l?YS@shbKO;X(g}q0D#Sfl zs+6FVn9LO}V&v4}I-F3bZX{qe-GkJ9*37lt%lr(q$!R zjC2}N$R#3cZcIY|pyirwih7d&;~^A#QJLl%WG02onu)7RS2faNG)Kf{+24T45K&X3 zJKxTSV!!E18LO_7tz$5i!eO2EZ`Mid{RMVH6tznNhoeqD9DU{NME*RRKlhN2n>q`!ZNMkeY)eNBErk14DapzSq=dEJC)lz_1Q;(hYFEsAJ zjO#v&icuP^O>5nlHtBv$W+&AI<*A3Z&&(<}pJ5qf&P#8+p(Wo`_ZWwwql#(|4jH5L zBGj%S?`&ls%2^v;<4#dYnm(I~YK8d;&a*tdKemhh358UN5vaC_G*?LOz0`UBlj-f^ zGa)Y;k&!>jW 
zGuTqIW|+C_CE;`lHYeFiS2tbS6DJk4A1IAhn2uyMDFb?o_VIpA#YKBH6dH~CKF6xE z$!-%lI_O_&`-(eSsLHcu!+64R{DN0vEIPPq%(^pDMAh&wi*%H6DzFNrZP#$fzFs8R zckD%lq7pFKW~p~16`Y?+$8&&xn+5e)ciCi3M03o-!Hyg?R%9&!j2OvCRQ~> zxt3H)=^{E(9%JIU`8taxZPc0Bz&Vu2oc8!Qk~_xbH>!ggZDtt<%OVyCj^+BE%}F-S zM5X{tJ1_I^R*e#^4AQ*6eh)GC{q+9-r^~BB!qLw%uPCgY;3xAc#aG3FJ@1A;cziC| zc=vmL))F>ctlQ@FOu%yW{u}6iBDx(l%}8cT1>Y?KWG<~jQ9Kp4PeS+majJa=o9_-g%Qh(??i@SVwp2l(IHYJ&VJ8{<#Uhs==a7Cna} zM2D@!cGuN#lnvL1&0W9R-rE%}K>J-6F{3G=D@ntyDj$E#!@s^PI?m@|MUCzAV651m z@2C$ibe-4lR|%3WoQhqKh8F;z877Cu>+2jZ1mH`tA(PkH&(k>G70~h0GR$bv^N_i~i$WZk-2PE++FBjz`2O!I`+D6CT~2@zE0;lrEq2k60gL-?ezxuv)$OVA^y4%4>xg`|eSqDx!a-|21kh><2kE z-hw}eE~7v*u`*IazE3ibii}cH)0A8WJkSD+25<+(-8|e8^I(4$#HN76F4`%0jccX` zku@IIX{Rie8wNDCT;yy{p{#70%5A{fQ5EP-K zu2&q9b7}s)a1S4YhuA29r$t#jhkZZ7?skv+?~_FEUnz~x1r9nw6+2@b2`t)%Nw4)D z#aMVIetww@;glIglaxkatmY{tCLt<%!4L`kqY&mLWwo&5-r9#7x0Dj01tKTm0-SOj zITt29nV7Y7BTbWF#vdX5i+Y~9>DzRF7=nf~nE30YE|^``Cda%mQhwhQrzg%Rsyy7!QfMwRj#9#4 z5l31K?W=zNs-x`cZnhvkuOkWN`VaT_IaXF8tMkGLTWrGYYj*4?4PF+!I}u^*KOMBo z{W{18=pt4GpG$wf`0(v$UZo`5t5}h|h-N+N=DO%#4?p4yY^hmUT$wW_!xOD(HW`Kv z3=%YvOKGt>ebuc}<}$AM9_X`Hk5aN=DD@4*HePPiNVH>d8ddS}XupD)uE1fd;i^rX zeBcvDP@?b0yJft?Cm|Q`=TmHHWCTJfpjf8MzMPW&I#O@ct{>#!3A~GUNOnMa!>dnO zRm%wwsj*zqk4`g7bJMIFD$rL)Yu*^Y_n}xt3Gn}BpHg9rtQ?Y%Lu@OccX9AN5MN_H zHk6xq9p*uFp$uI@IEm!9H)dJ%Uya?p3#);(aVNT#ni5>IUqlecbOWbJpihx85a z2k#iInJB>{Rnp>R#)oihNchiI2Rzo1M70+73c1QJ=vtpJGWQaUHq#E1%5n_r_DD)? 
z#N}`mIaG-s4~;2_Q1TKAwC)_YvK35sA888np|@XtZ52$%RC0(Hf0XB9C15J6y&;H6 zIw!XZky(0RF;d?|@0+latyJ46*VF}blD0|?3j?5p6s+EgOORZqdaJ>iqTg^{6*HcD zAAzP6otetMs@4H4fbky|t;sb-GWcJT)qRVwle(gjw0XDf$G#UzrZY;-cUdPT_sz=b zv#OB6)QD#X+CIpIl9k9QO7RFU8+}bpV&_twPAG$1&K#zuUd&$@3*%KNLdZHxp{@?2 zOO)Zr4t61BEq|61ipda7+?#;X4+^A*OaHDnE(a-ji6*FW?lNR0H7V+4=8;~bNu=K7 zkA>cdCMhydCdYha5$Rx(rC+^*q5j1wr5~Dks2+2si39dnnz2Hr2(BNiqS8E3PCVaj zHvqxnP`KQKa>kR^J6v-bf*gq*62@+Pt~1#MF$5J@hO&rU7R0haZb%9tA64LVxG+td zyQ1Q^Oj}agU^Y=*9w6aM8;rZGeV$&N^FIarfe2IoS91Y4_kViXZ~0uH70o_i1Fnpa z5;lnb4%qOit-t@X%|#6pVg80;*aw`^wj{Js1#{_k*B>`Web_Vu2s`#~hEzGXOVq#* z_!lQ!fScG=pUG;ES^mtee{ZU$X#_HADT8f2u>T zLf1c!HT&KU{-Nt#zwX;y&22BTn_p#nJu2;Ye;#5APc9okoqXBvYmCH<^>JNfk7m!4 zrJ!OE*{q*!aO-O4{;?+_fv;<6>C?x0kZn)n^WDkEX@Wey<+PzeS|f;%Ppf;y57_S4 zdN~6+I|$F+T6=o+vk{8mX1vjt|m`^RQe`=G#c)%3B;pT<9{XMBm% z<9sE}*L`~lf&K1v);=aoVEAyJsVFjg`LWgYw>vY}|Kw=Xuzj?ZE6wwr*Yi3Pc)cB! zGYP++OqXpOOsT@~twi$DdF#>@*myi6=}c6Z`>I(Yf>(|Y}k z?&?weT3dayh4JdW%6=8}%}b%d$I-!Op}luQ>Mk~OrMLZRBF?`3S%(Ud zIE$bz)zOT7iLaOo_wYm*tw0q9%{qHIA`2#TX68v&hHG2Ta zmeAhs^|%B6h^MqfZ%Yq}wHTPa0_5_7PcBXYWqV_Az0C3M*grvvj>_+)j1pZFap@Xc zbqk5no6wZS^8u=7CLH)3W_ZX|B6L4Q^&Q=Rw*D56lwU!**oMe3Wtqm>_!`$?)HoOY z>0L#x_JD^I%O_Q%G;q{O;J}JC=?_&IH0x7)fY~t%?W1|nvFfwrGVBOs7Gk+ zt(SPQ4g*)`zbtY8-bWu%m*d(DQ|R#v*XD4ut0ukTbQCTQwu0&{ZHJX9wp^Ms3D`OU^}=6xe!*4T2%# z?fDKr1Lm)~GE~+(Gh$qK zY!ebT2DgOJyXE`=oV(mE`~Fb;B9GguWAB%I9QIN&vLdnSgO2iry!9Ar`-*Q$Zv66X z-rTNjobj`*>qQ4HQqXl_WE}tYT{>hrI~efp=WJ$))!vfj^0gGg9;)VW6Wn>yroQXX zE|cXdJYm9J9wX9Y6=lIO+h+X^|3e=1&v(SN&d#vemG;c3>mWK@O@C$KMU7@ZyGY01Io};#If`59+L}6G^n#uxN_9nO`FkZEl0lnSe6iHB!039l9QA9nk_es zE3IxTX1_)!*8GjbHS}@anx9-WFH5|eJozzAqPA9Tp>V^iN}=B$Fiz6uSeaOX4lQ1~ueEbw&K?DRTGq7%fQ;|E?S4y5T&kSgKpSi7=HrHM zDN;9Yw9g&tMw4i&&Ze-umIV!oB!GeBtrsQZzSzYjL&2-&Mn287w+BF7a4Ya87bp+rYW}5I>5yGCLXS~Q zhFY^}DjnjMKpn}QB}WQXL7*S(^g@p4rpg^ELBa72BZZQ3xLnW}cX6gO-D0!MCm;O? 
z(qOsIqk3zf_x|%hj<(E0nA&;wq5?2&I#JqJrFT!PD z-@1yNg^a(%Up(J&vvHanYyz7Q)mV6lGyE0OBj4}@H9_4yAK~ot;b={QS3fiYj6j17 zO6lH!eP={9+vUie(3oiDjM!JsNHiKEtGcc^h{-TDxbFhl<0TE3H377Q5o|wO=A*)K7XR!XN6CPtSeeV5aCr@P+>r)$WTM_@(x8*N7alFn2F^yZ3%@v>z#i zB%QwJ1zg4tyM-qB0&zca25avbCM%+g7(#YqYgY*C%wBMkgA-w(S5_bCLx$avTFD zzc($_Y8u$xDvA=~W;gDKgCqgvSDsTotNQQ%>TUJ6GQopKcL2lvuxtOOVaC)Xgw*!g zZ~kbYhK?bxX0~b^NBw^#>KbXl>&es3ULK!TswTE;!=sUTovZ9@`R!{a*Nu!DzBvB2 z)o9+Fiq$^hZ4*N&hJg&si&L>JjVj6gCDtwFWkNonsnkHq|J-5*ROJ;0g zRI*sw%rO2-&q(;x=nu6b>D(3k_+BLq9f#dx+u`3N;MZ;l`NtQHuvQyp#F=-zdUkEY zXECAJdoKjBx63X;hl&(+$GmTbu%cI{Jv57I)f*Fydxp79If?gSU+^4=*)P~ok}BAk z`r|FXsfLM{|N51Xyx-Yvb*wZMhmv@rT}Mp6C2PZxWYEZRC&u<--3&4WqeKqt-D2G3 zq=DBANykEWOX;s_edI-V>{gY;zI$gVomE1zV=V{Lm_Ln}Y@H0PC7u)32P(k+wx@nC zLZWhCC1k@hQ)%&=mrVR^c`s8%$@zCRPoaa1%^QWf6^kEMN4iiIx8V|1vOFh8*sn|$ zX+ORuMy=K?<$JwGqH<^CWO)z7nO!J-Q&wM~7c^AYLP*QH^p+^Spo8l6f)bhcce%|U z-%^v|0X1mab3`oM{6r7x`P?q`5}&!W`%?ImMtU$x1$tLzlqR^w{+>$?v*d@>-^L&2 zdITB87_@?{MxZhW+K~PXcWJV7D8ddlBy(}ssa-h*OvCHYpQ}TURB%@!i1Z9uU`A6M zhHd>#+Kc?rXck9@XVbYqB(7THq1T~plq|TUitd6Shm!+PXFU;Tqe>Ff5Zv*7xBWJ8 zNSEDYP2j))1nX|+O!(*hG* zwQq!k#Q;k@;*=2UKtxVt+8Xhf?C<0(**4TGQj&i$48D5{VyX9ScnytEG;K)HHyGHc zz9^(bu(#HZ8jQq8$+yD>liIlj8VsULG;63@9abxF!x(G2R3tzLev72i>z@Biu(Ifw z!FX`$z2=OPHbZSO``OSeZK?p^dL|#UWgZxc+ifQ4^ejnRN>_gNmbfKLS zq&RQ^_S6lKMtd!N6a`YWe!+RrxZ`>or1wivOnI_xR2I5x`8To@w~{R}PjgmUnlIXnF;rgtmnAUT9s%6; zp(`7&d78_nnP+t+vI$z%S~wGA5H>B%zRa#Pptucv$x}-wGHe>7P}K1s}C4#fSX3@OayGN~$WP(^doWv3__c3dbbHkL>k) zIU#^K#JONI4sCR(u2Xs`~DI1m=l4K2F?4AB1# zm4D3*(bfQ6Xc+ZZMDSzi8rr!jx*os(2!{^%L*sZHf958Yzz?sAS@nZW5w+!?%Us6K zIWR?A=6Y<@m(M5{jio$J#-HD(Zh3c%27YYPXf}jIN_|8t7GxJ(&~dNW+aM8LESjCq zW@(wA$HnW>LTq%i9;R3t@bFOEh{dkZmTaOSaF;c0dT|BVWEd6Xqn~5X8;9vvq}q0T z9ldv7uSmXWK%utg8Mm%(`__t(W9CjFqAIKJAQIt~!B9M{Hy1?KX^H(am^O*GFs~$e z9W$Z6Tc`O4rhMO+hBdVl+kMmWO_S8$M0?W2YR=B8!lAzdXQG9avFSEqNbGGoiYyit z$~lh&%t#$bBnUzT18*hk10!}QGJl%zh02*rhjMC9t5&UEJh(8{rAseRptM>>vsZrX zYe~$f+o)g{Vt|wj$`=0_vTpifHt2OyR;r!nkptu6gYJNtf 
zdVjkBGKY*6FtfT&zJ02M(@muoI9L=eq5lWc`}+fcYS*PdH*%>SpykuK_tho*4W!h0 zR`ULG-RpjxP4!n5_`qzGiJ~aDpEpWOvZ{5qP~7{`k4$iB4E{St4Dfor^Smj2H*&r~ zzfNOF>2QB}0Dj=F^@0m=KsVjNf(si_uI*2?MNd6XkI+=rJ=>1J-m}AONe#X$=;M|P z|Asx|;~2>&UIIA-@lmSky2*uWi6{D(7}L~DReYv9)qi%c?cwXIif21xud9UabuJvv znj!l5Y3)z0vsI6nMxmZlyIK4Vef$YOPlhMs9f3dc*F;hu7AER zt84l;{g44}+-@6oH7pXZc)32!5Fr;jkBp}q?zpe;>gsiZ9p8X*Oj;^kb|BbnM6TWI zy%tGk^TQ03Fd5zgBuH4RaBw{wY3(rpIxVXVmHH7elOU;UChZ0q=2(1YUk7n}d{ z7;R-$%M@2h>+u!e>lS1x0pR({qSODagkVKr4?F7T6WnbBn}V0qjs>8csAK$aPIp+| zaILNVSntmWRl(6OcZKej=L1;mT79oiOsdZuTa4+q4%?4=e@|k&OPAaa%-8=~dslLS zEjd9zo{PIBFp>-rlfOyfd8Gju@(w=kpNcc3C);QCT`N)_&<5PPv04j~gcSGQf6t{Q zCy&wrC;tBQd#esd#<(Cg`@!1Pd0Eau4Oq16xed8(F_zp-G-;>MIiSgv;}-JC>Ehy3 zG?>Oy!$dd`P4iKc%^zx6b9RNzXnya458&m`?qHyuLOA4}y|*=XrH|E{ks**LNlf^O zFmqgHcDRHTo*g|u4|UPXElW*q)`20$5@4j%`FkL*1~`$Ro>PT%(|7d#ht@tHRA!V6 z#Kk_dDU~!fWU0gI7)pgwD+0bUmT6~m1{b-u=ThY>Kl45B^KYcvycF3tO4>3SZu5Zh z0p_DLqsWT`)pVlBSbh>DT?J_Wu<%L_lU>`vWHjB{!@DC3Oa8DU8YLp^hkSUHi|D_siEU%Y{8^# zfID;27WupC8{+eQ2|zvn(=h;VB>&oxgcL=bO%zeVNrh5!D9b-bB_ml9gFHfMdvDYb z5>dI=ibFn0D7S{|@E{U+Q??#?UYtDSn67OS$Vys5o3-MARYoT@E&Ib%P6780r80|% ztLTZb_+UbKX%-7C7Egn2`l`KuXvsnj2A7n73P)-H7h9^Sm|)bM)SA0p22Uj$CibCk znQ1u8yQ(irub^O{U8zNF?kFmf{HU02x5$JEEcrIXI?KN)C`79StxymE&6^nsCGqfu zhhNU~I}lP49i`vVW!^FtGqQn7N!g`@H9o2gemOdX|FrCYR*k+eK9xyfZd#G@pmBhr zpP9^?k7}J%y}|%?I!=Z>UjZma$$W~bpma5(6~5wE=jOzLV9Y(`XOGSI4BxY#R^l6< z4buitry)=ilX<8hW+k-RpmBh3lzbUIikM9Ar0e zc?c`exGqxwsm>OEuc21MgS}CqGjevzhx!sBBbKtGdBl?UMo#Hb|148 zVNxRuag;O@DRcaDDJM0v2F5coFFAzFQt6*&=Ai=T6*%`w&eNiZgfaafN8U>pNaE@R z|ADAq^oLX!SL{&^O0+*mXIP43!Vdqy4;p_S#*3Qmn**DM9w-c&ZC&%86;x z7;|U9iAl?r9^>OMEMs8}LM)RdrqeK}N+uETm~c##Ywe>6aBQ&W-XuGe@!g!Xxu&*; z#BHMJT>4y7*-TOu@j%=m1nZETl-R%dV5jcLaX@4s9 zabwSI*q^z}7`|bnScPhL)Kz)-BTYplv!v64UCEaFOYI#d80$3jKZN z#=GKYtoLzvBn82}qwW-@quP49`A&JCkxjYr5MSi@o;|ViJO69;kQ8w;-Ki&gu_WW?lI%WU7wxx~ z_~h4k!JxMIS8wtMVM6s}w@3F~*tx2Ei6xiQ66ef?riPxUE)Y|L!DJm9=&= ze{Z!Szk`Wd1LDf{-HC70ya^uIa-&$wp=C2<=RCKNq20KHCzau{pRRnfs#Li1($aZ8 
zyvNcqy>;KlS8e}7dE~S*R0NZ|bRd)y6TNz{h8!$phhwTnvn7edR^8!jxe?`iVPntI zkYaz2b2L7*gE-_i^S0$X?CQ7ve5#f5cEGlzL&yCYfV>P%yJI+Gyz{$zX72N61s;C{ z;8z3SXaAG{r2Y4jDu+V%_Cc@X+pd;;?1x@?JGoQvpGN#TK<4fJE#^0L7;1zw0ve8$ z!q-W|Ng0zxIeb05ffp+Nr6^%K3@m|+7qpB6aiOZGU^@@qQmPii(C>9)l`fm;c#B;vVp5QHVE$U)JNen?9VO6{|>&v(>oQz-cu z%#3yxvo zOgN`c^2!1Zajn(tkfkqX%ZkN3IZo3MnNp**cpYXyOQ2Sih zkp-kNQEB)d5Mq-V#qZF#95~^aq|PY(;;o)PVEhDl;Gl+;lNMyyPwtImTEw+0Hq7mq z8M?yqlNZXB9ojji9F$~L!s{3FLc(F@-mD7-94t54nVz z;xK^|2I0GZP%hDM#pT3(5046BaoDutPZxWh=NGw2N3$C?INeuai%3v}3)!fuJc}?= zs$#iHCG<2{A#SuVTIH`zPnJN3mA15;a%?)Q;BSW@YDx@>{)d8h@H@3)z(nY|d-Pe~ z^5=QBi+=(DZCk~gT>j;g^<}1D%jWm;vmOOdr5NGq#&eaB1Zvdop&`sF9&p=0E#IKF ztgH;?O%4fT>_g440oexyqH^Hi2s$6aNq$POHSe#_B9hmZ`K1@@&CPbVQLlnYFw{&o zKoJ>ZM3^ZZL5qjy3M@dG z**GPObpndCDBmIwpOq0kCJY9Y+$%s8Gsl9D*A zwfEX!lmY8R=LU7AWG(8YLeuODQurxVo(skWQ7>sB6B#k??FR+(f78Dmfkd!i9Nu>6|ZW#@K=!$h(`R41TgQLO}*& znowdqO0!*2xFXn{T+uyE(voERuaV3UNxk42GlRg|Xn7&kzmTSKe&n-Z9br^NF*Z?G z(vzl9$MU53LjOR<>qgdiOHbh9tMK0B3yc9a^#)@x8o8Nu$MCFWf6g&Tay*Pi^q2cD zitKXib#jUNMjnhi&uz?olYCQq{WxMKY0?M3)sCCekuocV-8@qBQ<6t40w9p{D@B_M z&1B=Xcx;;Z4&$|CW2t0+*dW$NJkL`^NppWF76Wr+$SzPwSd&qCA>47q^$&40Haehf zBZ3rIwjJGuzT=%Zv?#~zKQCMt65lr2dGnP%9aK-9wytsR8tYlyfivj zbI}Gj3gt%g#@knR+tFbTExU?GmFs>}1?tV)>AXvrSx?7I_X)mt#b=;ikJEY}I=)fm z!uCE<7RMKOme)b!NdMF{ZIdMd*G~OlWYLKc9besZJ`4(lE{WSFZ`%Db zgr4+Py|iyt+iB&1Z{yWzHnN(!ZyU!6k=oVu=h5Q8jKO~{q-Ts8nD;gd+V4*Dk0S7S zKS#T;uDYGpw$!*koGqR$@8jfDShuXMuG~7Tx9hU3b~w#W629v$VJ; z;#WN`m{dxsbvXrtRiLhP>~hn3T3l&0?I2dKw-W=qt+Bf7`in)vr#*%0o&Fej?e=e5 zxvsYd4VYD><&U9vF+S#lfhId2=Nt&P&aZXcXrKG+iu#Ez&%GHr_14`b8~FB^DAre5 z+bggJJHLabo=%scT2~#5hoqKmr=e}hk?SMw&-YEC8!hKt$7dC}ss#4$;n&GGHC~@j z1T&=I3BRUKqBXMU?7O|P;k=w403aCvn7Z-1J$vB;RKHSw2RZ^<`(AuPs9^k7yF{yI zg#SMJ8u{MY=c~}HoFW0L2qu!GpU1__7XQkf z917r5h7k>&NFvOrFyV@)SN-FQg4t>!ZD(ALTH6ZCXDK zNfFUH5}n|$D%+ymk$EdIFQ4}Pcg#_uqo0&HKf%6YU{m;qr)>Z=`kZFkGdhB#cr97S zbnb~HhKm8=)pqw(4od7dRFjiumcF18! 
z+f5PIn1-oTMx{T&ImE85`L|SH>0z2iv7UHx6dLRjD za!Fxy%o3AKC^e#Q@(D(ai#r$n{J}MQ3gamK^(rQNWs|2q2?H!k(mr9$ro%1<|D^Gn za=AovFvFCk?BtUrNF~0>=x^*@rL^4bf=^8g<=G%hqJgx)a_E=@oV-FuiT+ACW&Pbf zUP!ROUlM=T2&PsRMM00(kc1yE(t4MdSXJO!VJ(WLaL__<84XAzXvaIEGle$-QDVmu zfMpW`R$V`iKtt_o)60^WWMaxNNq7Q`n~YFbkrI$RS^B1yx|9T#&^42tAQE=IhTjWVmU6XV_^iI?PO>e&@vLp9_Y^_OL1Vnh%o$QDq>>5cm_Xgz!cgc zRG0~aG6N}JF9Z|?iV9gLcEYhlGn%?x*p8VGo1#%|+UsbL7++49U{d!CdYvo}vn-8= zI$#N3uTw%g5m;7JH{3xyPuF%u%M6*Ai??ez+=A6qOA6-Ny%!x}RKmd=?071=)=Kox z1hei7Wk+OpaZ#`w3rm}S+t`8b4f*}QuB8?mumaDE*$)K%p*~(fw zWeCWSp)u9cl~RU3Ss8SiqfA%?#dyGoZYIG$~H^`w% z)_|bRm(vQNlz0uaKS_)Ydu1~7M}d?WcPnMHe|yM}}Cp3}~m z@w!Q9XowXll(fdhO3PoDtjB=4RoR+$wnQDOgsKYQNbI+qNhE1MmQ3FxQ)$?EuBwX* zy|-a5Q5M7nDUjG+Tn&K^lWqr7KUmJyB!3dtvU9#um>UoL{>RkVErtLBhg$gDs_X_K znV!I7)cbL^M~uxDObd=)W(;Qdmyy_&fQF2~nCOosD$Cd|?ZnE$DuKbtU5I%iOFco< z@8SgVqY*Sx`F*8#_`xr@4h6nG_e~eF>0KY$e$q2s4tx1DE0ifMJmHwtZ@nSg zS7bR3`*IY!vr~Y8nx{PvHZ_FJm+`fXt@;%_t1EiVr)(x~*I=3K${oMbrri0>gE1Fh zpSLD2-S!gu4InB%^Gfe?-v(NZ?|1~?`Xg7EZ~G~lo~}_3mywD5B(<+;P6*Vb6gj>V z$h>9=zmGmJ>}a;-7hb<7t(7&)qP5VS+XuevhV_^0pz3x+g>CMqc##Rh6{sD)?*jc} ztqy#^Tz|#ATi8l=PHNpzUQ0Fr!=={mO6DCETgT}w;3yNBZRlFhuOrEn_u+>#y@o$r z(|y&qRr6*+_i>(4()~$F%F|Ht_}=_;BCYW|fm6;VU-z{uG-xdR&M1cZ^GX(B%WGrl zoJ9+_={+hUF>8kRiQGEydA>K(qh+hJ#{G_yk29&uJ>{v#YGh1nhr^N1jb*%TZ-on0 zwVD6)G-0JvsTI7(;ms^(xP`vELto@Tu0}U=K5{UQkDJb6sd8dPTT^H8L&SXr0bdW$ z#9|k1=lvRfu=6$j70UfwaS@{(&U^#VF;jU-si9!g4axp}^|+TXJ<--idRakg&{ zRF%1>+mz*Y^>n7>s^fZrDz|>HWgp{I6}tV^ci*tNgw7M&eKoG;YC@O4JF=bWF|9Ph zLujL5zq0ChmWF@rJh58EcuCnUGo>T5c8 za`TgU3GizG5ac|3L!?aue!hjM0Exwg;*YBb{HGf4foRkX^~i6#gqeq&^OhMu&A9vt zr5qtgLZR2+x+!Andm>1DX-0b9Ns7g3o^n{=T;JbBOb@vF%7p)T39LCelz^q9Qm4 zt=rDy(y(l}6wxpyjkL#EK?>AutpQ0F!Qm?9AWg~9T(qb~q{Tv{mNX}-no_r4?G+%#<0eYho!97-U1O*fXa)0yD9+nw8MiNAdNZ%@DDQrIH44XrGkI; zINh|khLqXL9Gh^CrF@MUWsOwDTogIkNgDa=3A}TF*;~mBYv|W~ENf}st31`>2F7eZ z)th(__?xv>rsTCyH#OM?iJC+|OLSVTJM3GP@>C+03i~L@f`Mw;d@aPw`J4G*8z%xk 
z@J5~@*l#MY$l*POocKL%%u(UFnJDZ+pgYyML}W{U4<8Yen~%t;}^M3n&SOkSk)rbr5CxJhqR@>9Y{*T#`hbRVMz> z15yP6R$5)VN`N?%W`M|z->lr1m}z_g-4);DVZ=r|P|gWAOQ-5?nlDZ7m2n^aAZcOj z5-iI6Q=SoWqc&=%FdmXsp_%?KJGJ=b+$D2;tTd%_1``E?<-sxP0o<-~r z3#J1Xr6b1@bOGcrtQcrU#!EKlzpPE7Y&r%wG9;U^FtO8r2MUpNL?@;T@fNELz>Y>0 zBYG!XCsfGH#Znw5nqfo|MB-F|OAix6G{hHVhKeE^uLD3epCg@7n3n$GoICobJmTqG zqoNG7SV`nzp9P2>?F#NxgoV*UkdqMFQ|fadWw|b#sViiYH+5Xs2IjL24k~h}H;pON zWYw5K2I`kHr^?Ow>q!R)cI5qml!wBkzc?DW3(5y0kv68JHZ6J-z?3SpWKf`va)+YX zw^htA&9*pB`(JsRfdwV3BboQxJ^SdfBjml{)6&k!?gD*95a?x=He`M$`Gn9y`U)*9 zL1Py2zW;kx@jm1KJwAnyr#Ia4BaseNohGy$0NXdd$CqxCwEhe&KDWbqw3RfMKBk%K z{`aLOUw&CucbATc{;H6Ys8vFMPmx5!IxL zD(`W~LeAGMm)Z=CHXJWgek0rO8Ca$!{)i?=#dCAMdrT z#|{%$*(naIo{<%cKV?NT8%6^z3U&r&=zA$OJ5IMQBULPbO&Q&`>&>k*q5yncm-#>h z*=Vo3e+hW&Z*K=HvoZGD*=^fN8$Gvo$2XH{PA_M0F|E6iMIS#Zn}!-|HNCYTyb%(k zTVNaZvY3IdV?XyY!p7_Qxn#Cn9r&_gH62(Zr&?RB+sN5DgTMxu)5Pz*b?|<5k?XA8 zPtM4!Tf;2bQcAxYzI5|r@LER3ch%Lv0^KpKd7W~b=H1(afcUtS@BS=3&uQnnYF|;Z zvPs_F54jNio3(SXyWL;(qGOWv_NjVfe=J0X+x=2-uful%jR? 
zJkYGpU+KUHb16vOaz#|Zw@bwt;RN(0_H2`c z*G`(Rraa>xIh_E!vA-Y`F3b8=YXr(^>8gJ)Bzt_)#q%q{z!|?DNNVf^453cPQgupr z*fDx}Sh(N`OD8NP`j_=_{E?nabE@DTHVMpvSa_#|!NX1|2ve9e@sty~Qo(y2=TJCM z%F{4#EQSfLlFJkvD$T%okg&|RjHN1Ineui*Bz>`Pht5P3<&K|9w?B+6f`DdgDB`Dy z(}w9OWU*+HD9J@@%2#>W7X<=`IRjnGrI09aEy%30 zQ1XgP_u6O3)0`vzp zXM9HDf4Oz6f22d zx$!p^%4kr+HIRM)US;`q6!^?sH@!x!>{7n4SFpv-naL7O_7>!~6N_CXym7toI=nE^ z0OF~tGznQ`Ke@RHDfHga+q`~00>7DbvOa|^Iq~O$la*Y7hG( z0b3j-A-6ail8EBOJnZakx_AYX<2*I#IVbXX8yXWcQ<|t;cxv*tf3Py44(%UIl_sZw zTBXK$lJ&F1MwFaTj}-9DG8SnsLHI^u8m)U2!YSuU#iiv;!hlwRRB58ObNl_HvSvN% zgDg)0|03x;rAavKD2(90hD%i_4^jU{>VDaV9*N7Kd7+Jx3z3o~F;$gi#t%?EA|6;n zOKE5jRu{fs5wh0_4BsC9jx|T)s@FC*?yb}qZBz=u>ga35>&sKagIx1ZWmJihU>mF* zHKNUbu-C0_|5LI8d1qB?QRi(To3AW72ihppcm$XLOah2lDbX0sS$9wcxE(As%K{9}^8td>6c zf5m@oLY~|~HZa7^LVL4^K`oS;IO3(dT5_*pN5WaI`xalB{jZ$xu_OK)Oc4j9eSh89 z5&vi|wsjbg;}+cZJ-UPkJeis( z-VDrKHV^!HvF`d>ub5rA^jj3UF8^U@Sm%7)rO9Q!eY?y>ol2vhd>E3(Bb(>#|AZ*<(W<*Q# z_-%%f?acd`E3+%OyCqS>7?O>`;!fdJ&-^b$wp;~(M+hXIg`Qvv9K4GWdeeuqggEaq5 zXWMhI0$kXtE>c{mxd4`~I*~YK7C+>0wDr?d|Cgm93*{Yrxkj zhts&%;7VxJ`4F3)GeGrRVS)r<$CVW4#;4?Ca~a=Yv(5{L@niQ8>nv)S*VJow*9YOE z=k3Fcm201CU+1v6;!CX&o)%#!g|Nw@6m~l(+hL(@65@sXvdtPJSeKvB&58 zV6dK+P>GNB6ZIH?5plpLSt4edFvcKZPUIUuS=T#TU+CFQ<1l1hd_t9X{fIg%I{rL6 zy^(14BuJMwm8XL!6)R&#KIcf3koo?XOA_ItKN5`oC@Ae#G)Z!qP7MdEzM>Q{WbLw6 z6#hdz8q3UEKEHU}Y2?M8%O)ud7+j^?y+Mn*Boq`FMba979(l=G*rHlGLbyg77Ayl% zNqJ?ygH%@YNUq}T68xUh8?8UQijswaFT+}WS~LV?&FV~Mpf!(fht7AQF2Bm zOV)sJny3bo?x=Ecgeo`?uA9;#_ME-_;w^y;q1n4nAZ0;%LwV3n*I*+_pXh8&QwzR- z>*UMWf5H>0iVWG+7E3X((IYxVdYwCzZW{TkhDaQ%H)@Q^(&x;9;!k>csyLpU1gAV% zYEG$_tBk>FR`Fs{>3(6(^sOSrVABgp6v}wtD+Er}pCPOhj*=cx{EB3b1ygMMmQ0q+UA8x>5r7-gX=EQ#y7 zNG-X=eENKD;Fc-TlyQ_hzi-Hw@dMA4$8iw$jkSSPq1aQN1hSQ6ArL|KHa5=ngukqJ z^^KQelIhp)i3W)06s|G=5GYiynZ?c5{ko^V8`wvtcD~FUjseDut!r9~IP>EeIr6NWalNj4^nrevX%&n-si4<(2RiE2`gQo+M86=N>%6etyzJCcf?=FWLLNmPz_=uAk$yq#ucR7z?Kuj6?GyFB= z5S?U|$#3G`o>bzfKO>?~qUZ>*0NYwdTv88s4N5v+XNUE!T^lZ!haxM1Pb)T9!{LV= 
zNd{R@4bL-iDpw97uAZnxjbrAKHK8i%JR1Bbv&Wzza_Y^Ml1hnMAX&{G+itP~?9yAu zDUfu!v=s2uTXtvMdC&j08~Sm&ElT$(&pBnmk2Bv7J72qh{cIsy*uQoMzY)P4zpCXz zacPY(1BuyGr#}DbBM~v+J7pG(|6b5XEeVsRv1iZ9Bbb*A9*(6yH1IjUM1Q2-b%9pM zl#+D>kwI>7*L^tGuL(zhBqY+RQ%wx74JwJK60Ia9T?)7q2$cPe*CMVH!RYJ(dMKX< z3{Jj{)*<~Ts4*;mnK%xYGV^bUJYt+7Ddw;WDU$>8SK|`g`q{8JIC7c;_C2X4rnoad zpH_*Nrr<+Hma3%0za&W#y5jjtPTNsy$+L$y#chFd^^TnUrRF5JkXvy24ZmXaoC3e+k6o5 zrDoi8>hNe(Eq;*koNEZSD3Jwq=KmHz2e7}mVb~+S^ZWNr#=n_&xr_WZEjplYq5a!M z&cDA8rCt&0h~E)JkjbM4R#$FwjNnZ+ubMvw7%Q?~WK9ov-a}K#w6XZetlbAi@zLSc zWOc8_kA6Ar+T%u}pAJEml2hXc>D7v<| zM7_$YHs`8SJcGHGZMPaHW@ggex*gU?Pcx`?y5AFyHwSC%K7DCAua=n5_*;I%3_)zL zX}k3MBKUE89UVILeIv}IeoTMRZGHFJ<$P|BRLKB6N3qFic}*Ng%i%ptsO;2|x@Esk z3*mPcT?6x|Z{4T7UW9g^bg~25jnrS~F?)FQ_p0%??;hZCO1XVE0{S`;G^sZ0VBhJU z@a;pFBcr%#d~Xm>SGNzuaz5vyGISk}?N4YBa{RU$dJyymJFYg8cTU$P>^3imKc_RM zM`;_@nB08r(b|@2@ogS_e+J;uyn9$)RWx>AH91!=y)rZ1-}l&F2s`Yb<$FmGMmNE3 zS#Cofa#c=45u1M?cwR>*-JYv#eCA`^G;E??>@pdoy(>Gp{3a)| z$oI!$(*j4oECWH1oOG z2K)fQ|Ag!Gnds<7zVPMz5F|E!4yW@Q;wmGI*3i&b{3s(905n1^Vab<&=6~(=(i2tu zjj!!!COb^>TtvSW#E(ndSD#K8Ui>+v04d&D4$6IB7ngmc9!iO?-yStCja#mxR2i%K z6@UY}MY~{ihiYqnnk>t1MjcwUHLxxJ_vo5s8s`L0A_Ym+{Wwk<82|B20W^dlkW1B<5`XC zm2L$=rdWi?ubh8NkPaX#A0s#s6p}58DQ(3vDYwI)I$0e%R0OF6Wr9r>-K7Z_#iAe! 
zkVBfB)!5bvBVvI5{Av6{sK9g%zkJESm`5odZJ(QJhiXEhW=E+maymQz>mkfDO^V~q zfL@>--s+UPii|s#>6b=5HQ^IVL7p-VT>5S4!gQMP=DBIQCM6yMkzllwdU8tYuW=c3 zF6c(xCb12o;c&0sU!>}b*pVgY`>xB!>f?3`)k>qR)I5|e^E4uISRB(;11g=eQMJy0 zXgmB#k1A;SFqbr#T?+%q*+P+)s9bGO&nSZmEHq{XU~DL~ zn!PM0Pg5WXZ}v@R{m0_ZLaHo5tjq>rcQVIgIY@`Fg7A8ujHg#DG9pC>ewmmU7}jNm4XX#bmT-F3r30 zUnZZ|W(d<-Y@K}}`jd55lFFOsn){1MLqUj%UvKGb)FOr~K>1PBvTnmH154Ud=?z%A z?x`%u?pextoVNH+|6Q3dACi6_@+r=;O*79t*dxJ?D5XUC8E2D#e~CJS)>%`Na?SwR z6@4YE2q;^{1Kc%Fa(A%S!&$L_-l$i^{QI2G(Dxrq7}y?jfDmZFZ@n$Q=uZ2W z2Q_a%)C6r;t>ufWCPkh8+&ELSt8Mow(%a0*<{96(UB`HoSXSM^cH3z?jq4O%cb)sv z#zf8*kKNNj%v!?tSO&WF!)_pqt=;F!%L!nmKg+b+cd`s!_vz#W&8EeEYR##-RNFgq z0wA0H;N{kZnw;)m!iLA~JGPv8_fRlJrB{%>f!R*R1sLQQwLMr^XbEPL)jYn!B%|iL zsBc=1en-FQd>q@rUfDm<_UP3bxoKNj>!|d60ei_z*qET>aLOK~;>y~5z2YqZ>Hdho z##`M-x$ zACIDje^dg>AMdm5?8@+;4*H=>$jxHqcIx`Qer#`EjQZ)N?}`-yzVph<4>~L41NlYQ z>Cxu~u6gaca!W5~F5~Oq#m_;7VOwC;W^KT=v2aS3+qNPKU)yAuVq1#K)_RibO5LI_ z(2Z`~?f@61d%68=P^3YQbKJe|1Wm*fP?F;5+%plwc~QtF*LqufJu`!=Th_C(eZc7| z^Ln0Co#D3@XIA}S{n@eSvsj#Qi#_FiJ?+Idt=)bnkcNxDL)Lnj{9^mM*NKg`S--hV z<<%iZhNs=?$jfO~|25G!a;ckrn-VWr85Bs=(%3@uq4Q)o=^~ z0k~ExxpB~82ejJw-i}{(m`2m;wt0?@BN$7G(Rp8=>z8H7uAa{|$@)ZLZfSq+-J7?D z`X>8+t*yNV{a*o=(gn1fedp{*|4eqz4r`4855B)$B%X6rA6MR>J;Btv2l=mm_=qRd z01Lm3Pcf7D*nI5R@)diJe%fllBHDkz-}=5NHhpNs~&=@Z1OM`l#jN< zg;K`fW6(UU-^|M77Y4xx#g<*gV!Oql#URV4^e)473fbncqP@KXoSVc-ZZM+Ne_I;i zQNYhjYwi%0uvmhO`vM+?f7{$aL!nEl$7Zg2|I-p4%s^C@bN?IAH@WhFpNB^*M29IF zow+MYL>hP2fhzRirI14x=*qSPHxLAZFiF5SUw+14vG=B|)EjRA>w1AW3qhqo9IRTd zIy(N7Q@2=3t9(1(ipg*mx7mA?X}9#Hz)X>#Wbx~oNMOu1FyYSFI#4AERIqK@vdMG% z43wr^G;uB*%Y*db3=~xvDb2VkE~eo?RLMe95hXUZbJpKEeu6i>7H~eE|wA|4*GA9hRH_j zS=54e?yL~lxceI^roMSZB|2d~YMQ#jGoof8B-X-uU}cFcDOMWOTO=NgQLbIzzx3%~ zLXJrzu*x6!M>}!cr`n63)v7f7djQHuj*H!^8sM$pYk*|g5ACM)t>b6L` zni#>aZ~g?0*$JKmN|IQvjT9xQXDMkDzn6g#g0Mj@hP6u2oMFK$i!NW$myQVM4==FJ zgZ2O=(Ued;)fp5o>LiPlec?=NS)Wyv5LyWjyvfwZzon?5mc!ToM57;J zq3RcCdhrcZ%Q<&5Ibm5CaEz2XlV1`H@hO=N|L8s6gB49Wc~o*nDp4RhWty%dpBa>` 
zS8Ez%fzO+i{(U(w$HW3GeC=EozJvk(E&@6LT4)Jz+JEUq!_PpQ96P93o!0;A=S$S! z8r2Pkm`*6>n#S7=5ycSvTD^%h4=}BRnsI`YxRDdZL{r>KoPLYHACqU+6{ioYuQZlt zJ`-wRDRS8lp-s>oD1#%HeqF9u=z<|ISNhW4_QkTJX!=DRAn^3 zMuqc2lI+w7+0Q)p_W#Xu(FGw;epZ(A#8L8~E~TFQ3X+8Zc@~)j6hVSL?SM2E=XM!H zr6k_xtmPPwo!|Y^1^(LjhJ8bUo7d|bDj#Ujwqi`qu*j9wz@=|h)O4#sgi=n|-g^-O zrn(YZ-a7Y+e399ZxQ1@|enz-RwXhEv_Ai)wRH*>}LJQ zL`dd&K5ohW_A%`8g5P-_@~I;`fnKqDn26HTeO~pN*0i^6JZQVjM}Gz!eUxmmKA2#5 z8g_tv7klCOJ>}?W8r+{eC3{*w95gfAaolXv6z!z!I3(+S+#j=ySi8bF4vTW(vUZzI zKaAah!`OA%Tzh%B*>=B!2z_PoUToIE|y(Cbhf8z8!0@haD2!2D{L1NdALcw824wmSG(&^Z55);HF7 z1lA|F%5&6Hsz*O7nrMLgaW43hR6&^TBy5ATDX99FVGWdJ!DX#}i%~ZQ@q^bqg-d8C#M84iO8Yz#p`w z1`4TuXFqGQA$ZjQPDdfh@>o9QHqfNFH;HnS0SHlah2xi_BM$vNoS|s zRO>?MAb}+elSpR=280Vy{CG#aJVTc?ta1fEeS65+#K|x+l1OyJ-tx37Pt#5vPgnql;z?YEU}U9Vz5}|Jngx2ISk6IHE&GFo2ePUXmP0V zoHPhEJu(APWa7Ji>Tzgn;fnP-)o2!>+;8E8rQF()T}mPmbb$tf>V zRS+_?6GNifbqS9t!z4=-FKAsd2&jdNCz(~+BDe-cNvbb)EprfG*11xDuvuB6;)FoY z;Zz4M5seyVGR)+%<~YmL#PK6y#fUe-)#*az1cAcDZML_tfk27B67u3~qM@MwNW7k4 zRpJJ18R@^5zIHZ4&i^jBh3%LEG%^p4d%nbUGT->hM>vO&R3_Dl{!)e{6$)@}5gec* zDv|WHvpaw>&^Q)ImYFtmLGk`!wk9@PIP>l)b_0z+lStj667;N&`-MayQWeXf5#Tc+ z14Te3JZgW=F9DWa6Hh@4>ZB1#lWbT#au_Ot1wB#p7pG}eGFHf17v!)V^&W?+7i#-P znWLj8TlD7#-rlXQRp1?2|O%y)BiCHCIwE(n4WL&Xr z@p~&;b)t#ve$jt00w@)nGq`d-1&%2TjS377t113U(S$HM!K64%(vYDnapJ3a#UE@` zkU4y1<8?7wT%LmIOcggCf?G=RK!-vv-qTmoMza=6>5Es^)4r!#MzDJ%7t-`mIFu1N zd)N3J&T{favRW;Gkfw$isGJ0e+5D7X?RY)PmrKozEI=9-I!`5rt68(0GEFiC!)!yA z;i8`+vjSCPYZCgm1g6eBIEo9s^qQ>V{E{T^z~N!K)S{*&@A=1XDQ72&#FGKzq{VpL za#`4O6l)VMTVj&2G4h})U_=;;YV8=$G~TSlKj_3ipOB2v95dSgD}ZW#f_PoRFEh{Y z7dE7vr<_n(PtQQV9zZX9NIqyd^6HOgegE;Sy1<_hq`wnIDgM1;eLtK$6*8%IJ~cNK zzNXO4@b3N)M0u=-!5eCNzM?TdezJZ>E@oC=@?Gk)j%>egpH@tF-ct_Gg@b{ zC-vytTLLXba+)kW1VzX<#XIiqM<1j+Uqo--_YiMl(`}c9=r1|mtrzoFuymVaI*q<= z8y7LFfZ&0ex3}z5N2wVu{i=bJ8J>r_b$qiat>aO>8b0-tqK6tEUxoYIn@fkA%tzG@ z9+6Iadyfd4rVlS_a6hpew0&bybG>92(l>icCNsRA`V*Kv>$1P{1$ zhi}}EE6>l73B2}A(->-Q{ccY0{ob3e>Cc}#U!IX`&*$yy?i7p$JmbM#!H+Z^Iu5rL 
zAJ;`W9k(yC<)oOer{oOV7NLIa>Yl%R<_iyJcb6}K$61Jqnhx&Qfn|tW{A$m`bg~qU zDg^WzcfClTc^##3Iw2*sODe{@|W1$sW*Tr8CIi2Ruqmt4eEZ=$tR*^2(GL@e(j_2;e3hslGxt-f9>vzWd zHu}z8ZTHuaoCQAbWb!v&o%{FG9=IEx!?qlLn{iv9@9i+cGtcAMq3(xZ42K)7 z+i3L%^}6r#e^s^SKRx3dJJO$?@!KwZ(Yk+MX8=dZ$-7z}0JGO1xc6PdB+qP}n zwr$(V-Z$^KXPkS#)DKu=ja92=)qLjTccss!FZ?Do?d6!Vheoe4`Rm~}sN_pFF8=RO z8B-P8BX5PNV&%W18P}+>!V;K4&H57Hx)yUSnle@a$$!=f?cNMI<SyTMX#wT-+1E@+sivj5*2T`=0SUt_>g;=rKX0Vjdlocx`qRJ5MS4~Yij@7l z^+wn&Gcql}QE4A*{S;nSMRd;=a$pK?)-r8HW;Dfxz;%TmMGsSCB9{@Ki5G5+wkJP| zkC@#Pb}VDTi=&0X!zIt!wp3F;@)AinH5MFyuxg1g2UD)~kl`hxtg0U!o}wq(w9?oBZjMmt zX_HZ``LZ`(&^aGXO(ywQNF!THk|S|{Tz*q%o`al!h(wNoD9+FLP~iyG8pHMx7j7JG z=i$ZDy_Wn!i=ihf!b)^WMGQIie?5o680z>7b(bydrl(0o(6q2{1YT$5>{?Lpqb~G> zl5H_%C5{U@{Q~nc?6}5QV~PU?pnes;z9`e z-9^oA1751HKx}i$IA4t2r&7?)HXlf%V*fwj=GUt<5HQ|nz$RhB3D$?#5_7uVwBrXY zj$%<7M*TzL;5OmgD|!i;GaE~JkY+A-8{C*|xXq%X!9;DwdR#7DjC7r6BBhHXq(=$^ z7e*O(XsDrU0y}yw~MeQVkH1YMkbSim*u{d}aAq2+q47x{q3uRKKe;j!-#d%tcf1(fwHz`pMbGK=@ z6BW_2Shy1;8YJpMspIBZevluaJ1~_LxB0mDeSM6|8zyVECVD(rk)fj2E6R!gIa`9q zn&g|}m@=`_RKy?@vthSWvq1Ytf>qd^<^aKebFv@_Yo{ z0_{LAK(pGnZjEot_>%gulWFQim*)n*gn}Ws5z;j-){GwH7Q zJ6Wd|CZdC5Zd9{95NvGTSOBxun_43JkJ?u&4r{j+`lC13<70~mP+|4(RP0k_8jsj#MUM-5!rmP5``X7uVIcU77ujr&HK0hjYxi z5wq$PIlFKjQR~k=T`V1^eVgaaBj;lPm^R=eohEZ0u(R6FuKP(*9|hW6y1w?gYC`RD z(@yg~Z*SgkaI!iwxa>T>c0@nnVPEy^k52AJ>nH4j+UVU%lj(HSc>eB`9SLAu`&drj z(&%`Y1_gJ%`#ENC;SI^be-qY%3;3paGU%s58%n1^SC>Yn(ezvWPm{Gq9GRA5EG-ul z+&4kwZ{mWZifj*YF;I06P0nzUXD;pOJ4me;>&0bU00?ZgMi4@!&>2 zXm1{~Pdm9`cgERRckC47(TKUwyCnKo1IK@qXFdisT`%qNwr@S}kps9K>IqyoayZ-q zkKI0}5|eMeJ`C)hlH35@Lwwx4j_>bUKcql^J`#ZyuM33~I)Ei9tu8jl1(mGECH33r zw@JB5$G2W~-OgobBI;?Foi|V(Pq}vq&o)#t?*ZQNl!oD`oM2|Yt=9D|=enLp8ybY0 zk3F*2`Jq;U9*S+({jQH~OL@y~=3KMf%)pWW_XHLZa38Y$!vy7X{_*32(}`vn>zEKu z*Ja1Q80>wcsCAZ2FufN zWGCwp$Z2tycuZJZJ!0Z&+v9n0 z8Ksh!TmAWJ-_FaYmoM04nfAkg==sfL@m_#+)nIGQjrW<)>uGUZ*bB(=IN!ZpSJUBS zxy#+HaT!`%&3ktJ6{mT)hobia1c`lsK*<2080aq((KQHW>gtQ^83D3T;MPgVh$sNH 
zm5`ZbW!PLQVK(yJCu%Q*C5p7NBF9t9xF6A`YK*W#t-YK7D)tQnuAkG<<$Ve64#%atS|ROu9SDaZIDAHeba3$7Mv(d?{I0uWol z@?k3`zrrE*x$h(rbcTQ|T!X=ZI`zRn%AC-45(t)d2Cwn$Toc+z|E#HUi9t=iH|0IX z&Yiq`BvO#@V>rCbd9Wl@e*XF&t;-Q24HE=h6{eK5?Ge8D%EWHI;ZphpzT|m-KY9Sq z3IXjK-o9w%S!!b{R+`4l*cpHq_P10$(Ru{mGl;AJ&T{s+p6xmMK)E_f0cLB#%eCab z2&49s0bJCS1DB!jJIS9Yi&}!{qfDm$G!&_R-rj20GY^Xr*VRx3awop6um{_UB#*x* zi|8SR>wd^}tZ21j7%PDl-k8(^aCR0vn?);pb4V&=(F#WaVV?rQC5Ya(h6N8bmJh;> zS{GD07$atvvPp6(zb#0aYOj)QtkUc|i5K#XsRo9uHEeMXL+8!O1OKEp6oicZYML^s ze<`VS70{PvVq#~M)TS0?+9H)&gXAYPEC2ky5y&kBnYSUDDe%28!cp}k+_#!4Oos~> z*M{&K(-Vv!M~UKuEvM$#o^?GsxR%YhURU14(SGHkIY>W8P(d`hcwb z^LORbZwT{Y=5ChMJg@jv#4^D|erZ0S(QH~i4SGE#=W8`pkoAW_n8DFG!yn1;dBc1d zXudI*jIIjwAqm>(cMK}$;!RU5c2a6X;#k~dG6Rk=)1cP50hxQ(uI)a>TnO>ffhFM@ zm_WE?21v&Jmf8}`f1c@LPAe-!KPAErAX`b6G|bTK*_=B<)ele{}fv2eh#ZM2)M%uw+!{)Bki{gjjke z*p`eA+!C8q$i&fU#m~U=2Q?~#$>C+$y_(42P^zn7lUTzW#H;E(iTbQdL**D)G9)Ay zV~?X1dWS`oe}9K|3@R0Q1&J za5b*53=wR@Nco{JUP@ah-EI%5h*;UPyuySem-fgtp*9e4ET2MaX2ddnG-neo7S|A= z?=V%mS_!XwLc^M)I)4148*x|B+6%hiO4+aqVKg$0>;7VFVN9hi$5pnk!_F3)k0LcwWb>JFo-#t*TM3ujG23SF+KoLS?% z=M*lvV}mZj1awwAuz`dr_HdUOd|1nnutUo}1)a)-(0|gNapgksE#+7|xfY_Q;!xoZ zy5~`1n=1i(0)fOeU|{Q2L6aM&IQd7tijtA?C7h11!o4H8O}Ug^)$B$hjT^2h4#h?x zj(I2)$(`EqSQQ<~ddeL0a^rDwzUZd$y%S`gR0dzzEoJjSn{p+wNNTxnGHR7@vDecEtiMO^5Z4leK)(Z`PS-6&{exsN7omYh|{TN z^h<5`{gg!Q`b*bpd>sLtRlU_pxB2LOKekiZw4CotZ6^5qHsx%5@oi-7}C{~ z`Db~JUnN3b`+6-~W$Dv<7%mSd`&wL)rCWDPJ75(J#OoI zn|np=cI&>MVu3eT_29row14^8xe z-ec9rYmzbTsm|+L^|S92wzbyjOfaFlvDzc!&5)kq0AaKl+eR%Tm)EMB7WV~UoFMx7 z`SnN@cH^`6hg+*%28QjYKeO9QuOeR6bd#DI-d4?y?7ng-ikq43zwhM9d41w9X7RMNmMZJwt&m-S_SjWbgr+ zUIP80d}92fg1>>1nfT;BQBwzAr5H`~wkPxWts({V zWAO;-AciQ5q8e?w3v>rN0mZ*_^q{Qx$ae_?{RBY*INa2-0|duHJ)~KNGt^Pi@nf3K zw~=f8GR@zXRmpK@l@7F0Cq7e%Ayl@eC37)R-`6gU{FZER;*hDGmolFQDrkSIgeMm$ zD+c41=-HxTmoPqb?oNDfVmMjBx5g5HBu{kY98MgQgy<1n%7YO6g)Vs_wc}TG7PS(9 z)BHD4j8IgakJoX?K~-Q~LGN)em))XhLH9d%n6^+LuAh2SeE5KN2DDJgs8|a2NU3gO z(wlge&1zzu%E+Ni+R`O{zVU}dSG?3ns0~}HYCD?~6}aS-Y?nT$*_IrPX3zPk!sMTI 
zU@5fA$`30Zk!KEKR-5*OtyAPrht@2o@ACINe+dvAeih)Asv1y(OHBXXQ(&e_vOI-R zp1md1IbaU5E0Jvzu~c#8xDu*F;X*(>8WGE#Dp386`yP}S>{ldQhTeV#2jfOf>Hk~+IbB4fXj5vA=MhGVMI4;=Z%8>NFk2>$Vsf? z0w$Cv_Y3}pIo!e;Wi-V^dzXK+`-K_JtbJ^RdDG1}+)@Gzj_me*@{a|_8RkLL%!{eL}^-fmK^oL;}#o~B&3@sT%C7h zB}f}*hz5c|4;2#kAK#v?M9X(Wk5!I{q>Cyg=Couyk=Q1bV}%d4O}6@&89tp-nYd20 zkg?|}!#sJB#$+RH6o_Hcth!T2!e|=}?3LLlmnx2{dj5jVC79`**NmLoxBhVtYs6tL z@>2+%Nx#g7_z$rsGApaaIWpZskodS8y07LJE@8d6USnGYdY-l%nn_I1np!DLu)K<0 z^tEMu#7s{kOU|n zc&uc|sA4?1qzwLQz^H6y`VWCvRKa8itY9GyB9d5?gc3VWr7w4`zv5U@UcpVe@myuL zM7OcbwRL{5WnhSQ;7YB&(R;u_u{qxb96LTuqT7}{zUN}BmozKYG`xZDo-z)Bt10Sa zcEBp6lCq-VURRsmS(8V%n2MYw_y;rlB^XMAbD!+&IFd%FMLBPbpkRI_YL4{C)4F0f z0*7eTjfdFSss4a4+;y&h9(;79qQOyV7a~Vk{|ej+b+k3+GxGGMkaHWVghj?K3#sd) z>Tr3Wt*iOFiMnIn_kxB!hT^AE9ZQ9jg!}yfs9_^7 zYbgU2*;-GL;2YbRT2Ya*+?C5TzFMXb_Ho|&4d(w>xPiss{!m}c&+OH15KwVw_`~cv zQt!U(E5hv>U1@(a*2}3G$NZ8^1NL8wftE!dAVurT}&&>W6&r#+-}1SNUz%Vb{f9aeSR=rQx4dE zl?hz^%)o#!8@*Sh$#lCvGqbtxiF^hEIp20|PJE&jrhTq^ke}HA?Xn)tVgSd*ue{2W zJDbz(>z8v1d5?#uF&d&dAavK;u7c~}LST7CCy))W`Z9|QXQ=j3!+-f0Z}liP#oPb# zG_8jk&FA$TT-^#v*tFBJXh?#-^tSg7;kZ7_?s5i~Vpq+$n&o$1T>MfrZWffL+e~-I zu!ha}TMh*-Y4zNKtIxeaXQ6i{6wFo_>^#2F`GnphanT*ug2yQYO)lH+$2>03m%-pq z`C?Cg%_+ba%*N)OR6se%8?Y+V>~1>U?VP=l*5UgmcKBTWSn-L9wHIjTdvheqzxL(| z_~ikL!rEXnTjp`T(u+Ko<=8Q+RX4=&4csGWG+wsarmZ{XaWK7FG%MRPdEJ~wlwxn8qqLrmKqr=(`g z`y4ORiC*i~Do-Ets%AD1XUHozbHHm~htV@Lz_tIS?z(BH)U^A{%k~6(lcw1@GQjJq zZ1frEyPUCp_GOuFr@7WRr2K5;r9X#p5Zf?*UIduxjN=dL+0Tc^w)A?^Y~GAMgMx2C z{2L%-p!=tssVgX(-ozUP^y}V8v&37{@s8$#Kkr;XFi>Pb^0WR5>7OKmYaBA&HB~JW{!>t>YdNlDTb%h*E1(7pJ#sT-2%X~tx3S8xalu3YS zh@c?-HqMeGXZ#ggt{`fllTU4`;kuH6v;l929TzY3$!ZAqL8Iy1-Dz!)Tf~ahu|tLh zCPe%*^P0S^%0I=PJ;=OMT&463`y9=xBgzt7g`_N4@kP|wAf;QSKx>ZNS=F`KVCPM$ zR-K3`k(-|5N6*=bSYm8;^K5A7-)QgZw+ys{ZP`0yl@ zm(FSN9dr8~f3AiK)Fc!|nnz*Lq1OHBUzka&+Q$Ia!?3`cS>6|__)l^G5`V(?H?aF#6mW>J@c zwM_gMI$~R|GSZ$a<2Y9`ugX)FBIW5#!cL&vZqO-bqJn*&raYX5n~>1ls@XUiCpfe_ z1~%YMT4doHlniSQi8>$80Kwf>m?N@!MDf%1CsY_#Mo~!PT9@tpth92qi0-7^-_4Lp 
zuu6zY3H#;Qaq;zr;TrCrcMS_RM&QOvK6Qf4+JRCGf)A1bGzIOQXsD=G9Q^pkv)_}W z{wgk588-dEq1wv_+L`=<^-TjA^W9~q2LBtSc#&)BR|U2m8OKWI$jF)QTq*Ov05&9ulfs)o6tsu`Wa|NBQwJ*Wt|V}z-{SAF)bq=adX zMQ2o1q27P^@Mq$8sW#49^b#x-E=)csr$#3Ez`3-&M-rQX=0?Fv6B#&Ef@hL|0ZjuD zo5r(MO=g1SVoj=HC!XWzPeE?O9k$?wb5%*mf{sJ<%~-UuQ{O>9vn**v#qZ)rq{g_C zjVf3a-_v9~VsyufB}FUah!Ui9tK%iv#lEe}iukR%l_qT^N|IQ*T4if6q(SHZPkGbh(2w!!4g>o8*S~ht8+mU45UMkrPXSwB zdw^cFn30$fvm2t9@)LfXhyW~b%(pMzwi`{0SQX1N!9&7D5c{U8W+CX|QI4pg_YhH4 zKZ^+9*X1st^~IyQzNmk-<$wK*>$V==O&rL?;(62Bm2)F_e6zCZuz%OdM4sl6-pFko z#-QN;jB~$`h;EY8Y;v{+US*=3c6L2}zi!#q^}4xNL-o=x?$6-ohe2`6q}l4+$mqQG+4;+y-d3mB za7Ebdv)gN@{#G`kFQsEKr92LS02h99c4 z(>o8h&-llA9nQwLA*Ye`bPP}5h???Iv}^A0p0B*#gsk*Fo}RDPUlY44?@64fj9&G& zZr2=61OV+9v**)7Z(>ughfD0r+3UX3h<)YF?au?t*Dc3lfF3OO=?pd<;BdG1V{qh7 zRC}}Lc_FH=5}dy`-94Km8za?`W97jRqbPQmI6KJ*-7UX_xz@Q z`z4FLk!wC#wa(?|$&d*zm7i^`sr%MG z4KVs!X_LXEtM$CoxHaS2@=RYn?J>V@FpqWR?V9-B?XrtjZS8yp)9vmS-_EAJUt77H zs)eQZd8n1Vi3Ws2%;xbmsZ>ELXo!yv_dmb1;AEXPP5(_Zmc2I)o3~EOs&L#k^1lK546NbZ88nOo?R~X~aqhqjeG6 z(Z^K-yklWCx!CZlZl2aYGYWUcwX37i!HVQzL{BZNkdGntS%mTQCIIHS`|#4P#DCMau2Dm9GtQQNP*NlC z*jiP}yPVZx6b~6=R*+C_B!6hH)jNdzV}SXZoquCpNUAS{Lr=tvYdalHO)U##5=ztJ zV3a|7lAc1R593fwN3(l2NJ*MdzN9n69f;6=_9=15@Mmz61 zlBFYD;YmVnl^atkYAIQ+?9^aoM&-mZIVu_&2u9^+qnrI^!v%iGvT(_1YcO+iwBg8_ z-nU2@bQ&ANRp_fP%DCQ4&@0iKyE-zOYvd{bULubn7GJc=1CE?f#6$HEL#K!59gA=1 zses~80Brt7vv^9#^(6_$f~32Af%WS1ll-5zKe zq`k=PcT=Hki|(jq&KY24ABs(a@bkiku$&~A@#a~In@YiU1;ahU_Q0m zMa%5BPt+(lkXZKwHHR63qVO!TQ~KP6pW3)ao4IXkUF4koIqVu)^zWHY zt+NOj{{Z%i<*q9VpuoZC_9 z_sIoETCRvbXICy}GF-*jSZ4PozEW_HiO`}JMu~e5C@HTJGSo0S$x|V>gBYq_s~tv+ z!iAP?2xe#f`OCj@ly%EaAqa7-^~4Mcq{RIR=lib7QUaBdW7R09yXu6bhoXbyuR6<0 zj{c;XRbkTXq$L?b=oZ8(*v`z_2QFn`yDyssMy0MK5{@=pH219uI#~DO$`&t`&W)Sp z!><*x+`m_P5fpwP2D@*bk#H#;7E}pA#K6Mz=fUCGr zqDy#@O_9V?}~p)2&)Nr5A^>B6*@f;mpZ-2Khphz`hjsngdPO{tzQBA z;{(WiT^9bNXMY@CoXHN@;_CJ~>kRL%U!R@c@*2_^=abG@r5ZV_ zGmtU;s^uf+^U39$064{4n5nk+n9e41So>O8(gVa8m1jIO;8GzO1<`djIV|Vt#qj|xNt@E&E8CA0tWaPOW+`NUz2&x3uFZ~)PaP74i 
zshYO~9b_~oiGl2w2CwtJIMUJ27r?oqWLgizmvnZ#cA28?6cDA?9V!4ghgOc$Z0F;k zsK?qpaAh_HI6l_mqrY%2yMMSmzPM|KK9^S2wv6mAfIf2=-+SH#@aMh`Ww@QDXKPy4 z=%;4lT4i@FfMb1LwmvVlJgoo~+JU>7WQ1pBy^r^DL_}Uc9sL@%y1GlC_w$41r{1^u zu4E2h^JTZ4!w*A+zVy6*PjjgB?RU>&znfQc?P$AScWRhnt+JkwdMi86T;Dr<*4UT5 zZ$rzgPp{cKfmPz(ZuK^plxoJ^^&9z5QChYg^S9Mm4Tl?8s6Nkwh2f}`z@d{O&IG`2 z79#!DI?v<657$;3cH;#KbS{FvYIHzOgjYFh0HT@wiIi&x^3t2KQb^l7Scy1SVQ28sSc zY^MTAef-2Ftir;Oavq@5q@T(>-dCzX;1{zv)qpIT=;I(CJb^;{B?&iLe?w3hNb_UI zg&GV~SMo&IyVVf3Hcj}ZLXChCOPY8|V%)TA#tBIqk`gyyRI_Riu~1b2D+D;``?lk} zhk!copnIF@9bVT6#2z&2%4&$?xJ}m}&Uniyg2texZ(z-1J(-#R&S(BOYN%0eNEky@ zXr`)FCKpFAmVz`Wf%1dK5oapMhMtL;wL|y96d@ID>Dj#bu>1!+?)a(vH%U*N%Ug_} z)@^~-t$nxixLb&xO(|!nRw6+XjB(}3x!3Nzx2=-c|D9_j`U6B=LoP*GjLM1#?Aj#cplh50!$_uR!g6B=4Ss+%>EvuC1Jw>!1 zlw#FrAvoxBqBM3hB(N6(3)mEXi$sX(tjIY7jsjeq$FrpE)uDrr#K#K1xQG^kJ{s7j zj`n4W5FriI#2U+}mGEk#Kg&Yqtyx9#I;;=QIpxsmYE5LZ3C84Tt9Nr)h4dMXCl=@R zbz_yG#lu7qWNB30)a?;<88h8XG;r|rjim_$O2lc|^z58rM_UYnNFu|<9D3a9sPxW; z3w`r(A><3|q=ztoc#!aqOihN8^qrdBuhmRG*K(rvHBAkr^4 zz6@qa2+nh^F7nA&1nD*{O$|ec=V?V^F^8SvwKKQ3S;)Nh!P8kn0tV-tT+k`G-Kc8) z#lo)8=6$!{vQro-nQ;`HM< z>JlUTT@=09L&unZu?f`q;@w(Ww2nQj2dY=jKwT$tGE$q3Gc5caCh#Gzk|USiDo=|v zm=)nZrB;8!UHxf(1db_%Ov=%^ihz@z-7@)>ZhgMx(NsrXgynFK`DrhFg&8Jyb!*u*-SzYrUE zrOqj~hgb~hn{d8JhRvNgMo)8n8B39cb#cH(P+vQ1q%DI>Rj88Qp^~zikx)s;O<|KT z^Zr96it$~hnfk{xD*oR{Ln@hnl_MhvQ5$Z8Df!fkgc&5Uzj*E!A^5E>EU)3eAE87a8X-IjbQDi}Z32 zLgv^v%G##*5O;cZi5X|?d4G-f)W+=pS5|MghbHduKPBI$FSY>ys{MVS(@Naxn_3Tm z2`(La3{FJPuR543}WKWJLzb@C-LhdT|tH+OjkE`Hto9p?}8bznVx0AVXE^cpYc z?2hT%Y_8IFJa3tMB7lth`tm2>dG7Ts`vs%NZj0VVYag_k%aX_A zB2(j-gjQzztiv;Hi}k3LTB|eRTRk4pLcJW{{c~{i`blo3ZrcU9d!hLjOmZAMy~jDx zQKomP_f*|8UH4GiRkU8K>A2q4KJz2GF#ef)C-MZfTEWb2#rr&BzPVE(UhU-&X67EY z(s2)ZAyaOg{b#dX^J%#qPxsn(WAhQnApI7(oX-#_yXLbhgGxm7*|~?Y4n|K4hx-|M94YR%g$NM>4s>XyD!{==LF$4X_l{_Pv|x%XW5O<{H?Q|Js!@0|wwKN_Ih)>pRF#u+Ch_7E`kUcFOFD==R4m=#}dY^*5;_u}WIV&RY06|J~jT zDutwHs`Zj5zPXG6_#Id<&5eP4?}&9Ld3-?9{)w&nPApRjMz}SJO^!_Dj=&iEo^44X 
zT4Tl}ic@20dVY?glo>daRf;eX?Rvxsv$144(`FLc(gH)7>5FsWZ1T>>X`6%$4#Ln2zF7dtw9Rbr3aG zYGzMp5NMLa@t3D12G@kMP4B63A#Z9jn@p!}gv&XRb#Pu5MOkpDJc92k1i5c^>9$X) z{qdQp72>t=X3ty@GyX_Y#ltAYYJefwQmjuJb1BX-5m(1%7vYM-9L9hAQ8|e^i#wH- zGn1*D#YnUMD_4FBo`;}BJAvC2fAs{048_Wtc-XtvLR8$Z>KD;pC#_byF`;1@;ZT6{ zI8n#ds6I;?T!!OnO^b~DyOyF^$~7O}dCbJ>=whKYD2 z>7_ehCG{(I&-6Z==ym$x>rd{#O|KpZ4a*Ef)P#F5sr*aCiiM#N2b_x8J?(FZG=q~! zAJ|2{yptfo!}nIU z^Jp=1BBh81PW>}sm@74s`NMWjWH#jx!ICzP+w~uVe^aRAo!?*38F(uc11$3ma>?B0 zNo8MK3|Z?rsG(mo4af*kvXJ@PgkQwS65j=Lu+!9UUrz77_H=5TBH8 zqy71<&oy$yqss1gcVaj+vTnsmqxwfyzAKopw;wTa6+WHF{|vBYd% zn;l}p0RLE&ML0z=+3qFl3v^m_9ICw2SO|rlrmJ@Tbxosq{A-c?vB~Uk-5Eo|p7U#MP27;Na<|s-trGM_+0eaA4L}N>8=MgIHq9@^vvq5E0e3pKI(Qdfg9#We-a$T z(i`(MXwv?-yy-FM$Mkf?0sSYAKwS~H4xm&$p#CAK1El{g!bmgNfK1AS=9>DS0|3ztv z3U=%5a=9^n=Q*~LUfZsn;0mNtVT{ZwS9lT(hcWj+2TqqD6U;eE?}gm0Ptg#Z5P{+hlq zvFWw%oQ>aUklXhh|D)$Ty}RyyBfH9FPa)W@{ld32pNPxu91q3)aSxf$pB~uQJ%{1d zWiavhRys$!eDQKYf4y`B((ldpB5oazxnKuA#A8f*7*-Fva$otaLmN>&$v-YUyKS8w zF$W-PC9gaubzx{X)%$EgKY!?Nq3Y@ywoSp$(>!jYA%3AgftPArA6g()(CX=J{oi;H z`i1Y^?0n&J>hQJRYM#%Cah=I7n?<1s;TmpHt2 ze$Y9h9NoR-dY0QM{b@KM7ST*Kw|n$d)G(jp1kSK-$3dyeNsv$TX5Y&y+I~Kff0NcF z{(JG+`881F9mqY-=jd`BAQP_jYsskF<72%#o;|bXVOFZj1H$=@-BsIZ%4L}Jg{bxN zYoQz2tp{k+E52rrZlLEpzv#yQn_2t7bX--`@!H?sx!L6X`SR|<(`C!!Tm5uD zkZpZ2s`L4DlAWJU-4E)R|2M&G;WdufGI=zS$Mp4b7Y;q)2Z~mYW9l2`~RL?p}wO&zyq1rLHANPU#%Bnz;Z>e{f$VztR{RZ zy{2a&_PM;J2OZ}M@fCmbW~B#P zSB*QfLB+xbNwXbmBugq%`2P zjtN+sf+}>%DrTCQ|7y3QWFjjxCwb_~PB~;;$ST!In7{Pn<@v$TjN|d3qtU;%A?Wbm zn&J;!#&HnZ7B9ljpzeNkD<9u1ji7%U_(MX%P3T+?6=$=mffRd&sabR4OpxwzT44?@ z6s;7}q>7E*@H3u`A3w2O7{V6~G)gyy6IBnQ9q=r%E--!X{x8zep(q{jHobQN>L1F5 zJ)-!Rc?OPBDx}nD`rSaTx}P_{q70L7%;eCr5PMW;^EV>&1g4JLf*i?ysnQITYfRkY zuCU1*_8i!p@FP^cC0qGxbfv5_;>sN8gNBMsukrrc8fl*SkHfk}J z5$c2wP9`}jC-sxE`S{U-H8hVT1=2%GTe(iZN*mMic#5d&P7Jb={ZeOeUR+lV(nO(3 zmAQ^RYmjylv(_?5Aqy^~hbtYGnT}?L3BBWalrRRm{!#bKKilrP@5Z0|dCY&l& z38Q{#4;ubSmliT(YWQU_(ULJoW15nMfq5ouN^QBxHpZ0MR;u)#@*-id%oYXPXXNJfKDs(-TP!=hiYc}DsG 
zb*309Q8&#RL#D8mz9L1*m=HsFB>cb>PMXaUg>27ET`dTv(Dkb{oK8{{F=RcewlvJW zLH(}`vhUdhQOx#DtTPg^r}E+!V=A%E2_?`qMkgMcd6Y!hO^1Y-16S@T{~*3)c`%mH zYW$x5!^xHJ>>vaU9Y>19Pxs>J8xzxV;EeYpbG*Tt`_H$YlpSVNfx^65gE!GhqJr|8 zl6^FOme4TWeDV^Cl!S$-`&R4;G{GJjjao~1$jaCxiNYd?#k?{2lMu!+_sF?a*^7m5 zHMv+cm2eh{SqpQdOSNX1W=kHX|6731DA=S-dJ-T3vwMKv&`S$w#^XB+Ddp_zWQfsNLpz9S6HmP`Zqmuoq^Pa1k5HJO#$mG7h z-R$n3vU;ZNzWcil+WBdkS(v^3a5Fa0=@suH@@0mrYW>&oSb}GH`a{m!W$Wmh&p7+@ zmS5MYTy&NFnbJCbmlXG(X|pXJo9)7@^}WjZsf~~JVSMLT1+A_m4U4Uy^$d?gT|BxD z!j$`&FEXY7c@&@0$J8f4{W?QuiO)h7!0NP{7%Y{aKBaz{fmH=?uX|*#KW5lo9tZFr zUy3a}UU9Hp>&|XoBqb7Zy_PIuuCZ5hw7IqoWx;m);y;&1cC`=b$mzIKyY@VdyHt0d zC24I5MYVYi7TW;_-I}NMoCfu>Ur#y32pB)=>xNEh^z_=wULTO})x4tLmd=fCW6+$Y zuK?RSUmIO4e2?AjDbUXF63!b2(FAA}l7HQ!orZ|h!2h@}*T5Ozc^%jK$j19Ig>mhb zT6MaV*_|xMc{`^Aa6hd-rZ=$lk}xW4&vj#8yNOYoYIzD1Yu1G409EQ#wU}qJ5^ehI ze(1F%{M6NXlK?r)}VwLIpXH@SaM=v(A#Z4Wwl4F)Hzg>e|RJjHfvoa4B@E8UIL^I~}o zwmOU!CvkPSmbPr5eMu@zZikZ%dYKp%o;TFV+d#vX<9O~ydf&g?K0p}n>p;9^-J=C3 zOzXOf+Ut+UB_g7miKxA1&`ahzUAJ*C*)!*U$1)b5-Zh_X;r4I9|82KtUuNpB1ZBse zj|<>^=+~;3;1d=tj_bFIvAT2T;A8gN*O06H3->bW zz_~~yJJ6I5K0pV_F=rOcg{3pwt~EbY&!Pc_gtB}+ABGFe$)t+dbLU&NFftnx{6Fa* zt^YXKC^C4;Zv5~KC(V%-jmXVeS`bLx8Z4t}pXLHB`KIbzSE*yCX7-$^XTF)R$AD2`NtX+v5wOpy&XNRvhka!bR(j<79olsfKU7ZQF z5=zI9s8_7^qqYEh(3z_`dPG=iYWHE>>F_i?xlPH74E-x#k&H(oJ0Kz~M=g;di|A;f zor=yuFJfpR{~i8kc>%iC<98(g1Zi5Gib8)~5yEBlSfmq$1Ju`=b@uy6FkKBfBxe&v6Yoax9YEOPy zM@kOnGg7^-3bgjN!6ew@%2$*9$W0D`xRmIl)S+8qqVhFN_%@Zh&tj8Q=Q~nxqskS5 zEn9r5nPkS)l3FW6s`{b)0}N5cW@1+`uF0H(SkZ=9W+Fo(l|8_+OH)5sos~Li2#WtI z+|isQ(3?m=TmUm2gV_v~8;lJh|16<$fkL(C$x4 zaXx;ZqH4jD!8){(j!#)61_oR@MsI`Cj(GBeL2jmDo6%C4PwZQ^+y#iudFL0`I_Q!F zB=Nr+Tr-C!kO5>vFE=t&9D^S_Wy!`uUoEfGCb7>eR>T(O8SjowH8VAu0;+K;x1`mk_LjP5ArxOHV#4n_M??IWEPUYWw+3ySJMKa z-*;XasgBG^mtE_Ab1j{Jd75A-F5fB>#tLQ>MT5EKcPE~0P2WyJ^izN(C71?f8NYCK zO8R7+_DIv%FrZT3kYl6{>%^;JLO6M=6edqs91k?Bs~;yL*fARg)KW(#gnu8BR?Sf_ z;>nU{W^$ftcwemE{){pq{LT4)i2BN|Hp6XO3dM`HxEFVKDems>9^4&D@#608 z?rxg_mpB$g@qYnVuL*fh>GnjM4mcPhMM4pV(AMa$$a3f%) 
z=7LIX;snh9+UCxbhj}!Rf1v{eWqpaxpK&N6wb^lUE~G1JO+P8H=^GM>sb~CKO={zS zJP*ZaJetZn*?BN4UE z=@dHC)H%koCVy7(_)yI)FS8|A=Pcv@0};gi4{1;!B^W+y65@}yXZGGSt%`;HH2pd~ z0Si;eg4#dxp_O_wdV>ceJt@Iavnj)gsGNVSk}a@&hu0l8?1!Ub^^cZB2NPfupV)|;G;9eVRv%+Ck< z?@L--v=53~x0gpA;kACYS-f5E+Z}9>k?Fe4sUG{9D-!TLXc_n|&#pnk6;X%o?RU?^ z4m($X@21f~^`+kJb{F>>jX=_0oNmwC)$8E6E8k67X2*^Mfvb2Jetx0rTj2IOw?NBz zS0H#vtxLc=)p>;+XM)oc=o>?y*5h?B`Euk;Fh144C%(DgpYq;qcy}3$7_iITs$~Ck z*M*}{W1who(xydtrr*5V?|WOZhZb;|y_g2HaNlk`h`S};BILCJAHbXdbMkncT-_f_ z9=fgGZT4Y5cx=XNjsFKNb^MQE8!9WC0S7L6PAsi+{1<7?&m_a+j8Sv8QHqS*3DRx( zQ;G~jRhnPPShUb{XV7!l#g9x9!m;&pQL3=Tv^f?MPgV!luk=o+^zR5qepj9sEeEe2 zwG;b{pzcS3>8`nV-zl-J9>gxoPzmHm2#fPvWw=4d12TxY)3%Nv;ljgCUnH+}z+)t| zPtWTj^6b(d#J=*qjM%8teOc(4*{(c~77w zrDLTOEq!n|k*45L{n}Jo9s2vji$cXdlOtL?5czCF@GL{YL*@x!y2*VqpxEP97f!wY z{t!uI^dtI$66kjeYqxmC(C)Y?7I%Inw9?a2)w{a%^puiR0K??2#S1D?OWXR1gU0_% z9rvSeJ6`Y0c2`vc>C;N5>r@Y!_uP_RL|nI82K&a4;NAQ%L<$7as()Xfc!QKQ2Mz^} zl#ZX|VY~&ngW(fC3hxK`YLk2Za~~cAy#*lb*urY!{CQQnY9O^`Q~ zSo&3@9v{gTVb6>l%g`*_6q6!n!fD)u1e4PiaDC}QXW8`lfpEtl>B4X{08>^t|17yJ zxoOzCCi~?C0S^YVpk092JA2uDRXM)#B3jH=haZ5}Z(_e4du&)`0q?+nJj#Z%YR+7c zBC}S^&p9LKMQgl5i*-wmtEtXY?Y<7sjQJ9WV^-scH%MoHzw-%4*YA@Zs&B%OTgRBR zoOcbCI*DxN57Ho$5=rcfc%=-d4jMOnn~i%w>fClIm^xRoUzbsl^S7)cf-j>44HZ9S zL8c1_BW0Mk#Dw-AQWMj5{_{jtTIv{H9{PL^IgViqF?q`-P5!H6Q~Q#pyIOEd;=7M|fMjXEq^E3hpT&rce| zC1m{|-as9Z?I$ewttNBq)TIZVT)j>(XPRz`P>V1qU9>`=oT4KCIUu8Y6;9{ux=1|e z_^|RruSGN3Ns&P_p*8?l?vn~5-a)Fxp(1K|hBf3s&nPpE8D2jZ)QI?sQ52+E`6gGl9~su+|Xq+_#?A`e7PNY?B+z04sQRG2D9nBi3*;s?PlF26Qs zF)R+Sr~%m0Eon1?x#nu5T;U)TF*gTj!XNer~5;9hBWY{`Y6|ta;Gw%_eOWL6q--#J{ z(Jz|(+URj4_RJ%;oH;JnvWh##FdSRaT$Z~OY zBuW9O{`3`T-LZ372zDunO#_;ZGT1-EQdBuiX->>ejC3FuS8qo~YLLmrKk8MgoU*D7 z>4a?3MlR|OYyF=#Dcfh!@j!m`@{L%;s5FdF;1m8>4@wM+A<0PGQbf;A;!=M7EVM+C zVW=qD(d`?|+J44-{m9M|RT9j3Sbm**7C72vSoom={r-O-XKK9f?q;ePOv@O+qpmr0 zPCma*Z0huOIrDnVnY6hKfad7H!0exaYhAj*aa`59nCff;qKB9KRl<5>5={=Y(F#Sb z{T|W6G75Y$wLiW+d_M^UhpVaH_>AbeIAogjQW_*vZhP5BsC835?DEU_nkC`tRI6MD 
z`4+hjaK+_%8e%Qf76{VYl9XeZ|EOpy@P2K3`Ld0=kYScxh-M#DUfhZIe`|!6=8BPkmm(%%RDE=G2IhfGepoA;O}_wFSBFuQDa!|j;urvp*qpORQKn%a7tL(}xW z;ehwMEcqyBW!f;s=oP_3h+g&Fcso3qCh-n9yhaXioAe;rXud-_nvl)CUXxhgC0|cx`>^fZ(Zr^mc zMDHHge)g`xrZibs)6;DDIvZBC^|gcG&A5MYUC8C;JPF7*q5H@md7!!DvEc&B%j*XC zpTtaw$uTd3Vd^>yz-K#NvpXWqz&xP#^{xbRU7&XziIB^1)T`-VN@wcDPT6{3)}4_T zWUkC`%dZApOXcWb|7v@6851jLJpW;_i0#Q^7W6&|1_9R&db!(}^B%&j0&XYE(t0kJ z0xKZWS72wC&A;4|+ci-5#S3s97OH9=QSF1@7zvV068syrn6dsq$ z65m>nhp;U{$1;t&6HjU&(b{MhQCjcmT=3d;-(A@oz*2nd&cw|p9N?;<%;%vFn<%=6d2%I zfA1fcyPgYq;um%BTadUFI4`L|{Tzo~_YcT_-BEK0nR?lLMAh-`F$<9Hd*a&UnfEvn*>?^hy$kW501`d=K`?}hr3AC#WZMmnN@ z27=$DXtkg-7{y)AP4d964wFR8xN$@US5?#3bpUb^o!t^XCd+ zt}2BNDps#Tl$R_cKs!nfb~u?3hne;o!Lu@`m`%)ScZMR|cyCVnIQEajxw#1=GMk5B zLc$9Tdd!_EM&2>mlv646kcvL>f~lXigxKHFFO9)0^*kM*x>W!DI#bC9&w3+V?)RK+3sP7`y3_VQ zL{Ylp1q`UDzvViWuNat~Y(;+b+q(}G1<7PxtKqW_TJ=Bxt5$xtllK4dmrx@fy%~gcub?h%kM2B#TR2B&au3!j~M0` z70$XK#UY&z{Mo%`sANP+0)VdV=k-v#Ru$ASC-t_JuZi@} zq8-t}Idq?}kIT7YMWM#Aem9dK@j;I>!E@%eWI5V*2 z2mR6*VA!X{s+4o7fGcka8}QVRt?u_KQwt@im16z6@Yj4wD+=u9L4)FIZDRKsbNHzx zGX3xdKubv;+#mlvA3Z%^QmIV%TiW+1wP;g=<~@_%4VS3GaFu6Ob?)mi=}9aO{NLvO zEcoqAdstzJ5v?_?d7l!W8w5u=5ht-ibJZFuIb#2{Fz*ZHsX|c9lPDsl_91>B+h>{7 ztdD4@vBYc$xh20~tvww1B>aoK{qZ2fv@2<%8Jt&o6`V`yETh?dCY2^3dJPA)lVthx zgxja0=m|I36iShQL<6?&6NvfblT=2vAXsYd!|_X&@j?HtnoAtHiHwuWzeB{f2OQ2x{I{jsHQ*r64vA zPsCGshzC>srINE(7;_fTX1C(p0UwgPC8^UD!amp6_`be%1YuACw{aXe0oYkhzgVw8 zpZr?1`lp^xA))lqg(fn@M1dY|?}pN@bh1$lZ{9E)g2#h0e@p0*PsgF*-YhBxAUg@e z9JVF`U|H9kn;jHf*rH%NyGZAFjOCCKrNLz)%5QBotDxCS!B`5XWSGz%S4e*uRi#8{ zv$Vlw$J3DHuR$aVvVo?ZM8oYU+0Rm$zvTEXH4``PxENB#$SJ28Cj|Hc zqv#nk6lxcKOEM_FbSbg!Lnfh4i8meMQ5n7dk@P>mEoR$HcO=k*(&r>X_j$vn^ zHy{bgs^vOXEHACL2L#6#zIb|LztQ&S{WRg?Vbl7-w#yGRFu?t4b`!E}=xzEyHHfv` zdzatIcXXkZ#>>)hKBRSi%YUM@*QX!gtMkM49c$P@LcpazsV@5$(L>BjH@FWnd|}vy z3iK<>YoM?8+Vf@R!+E>Qe|-$>qG?=swzYqF*{*=_lm-F^m7uNk+fJ9(KfDW5uh&MW zLbfffeq^1_z^14GpRvp3>i0CMn4)PuOZby~8_+txrvTDXU 
z5pY!7G)@iGcD`G?#%Fr@DCvD^2`PP(Lnih!;6Es&-m~~B2p$oMA!9201W#2^dG7Ua=#<-!jCeWH%gemPF)D>{vfI?VK~A7o?m8txx$GX z94mPg0(fa1+6%~?8WYG#aC{YI5`5HhhI6=gR5W@H%78Ll$%=yV*a+iY?j)eLbgI{P z@lQGujhwYVWN4@sM*dxhm&9vOG%8a|)GHz!SHr`~kF7-j7?`M#KJR-DPUR*wM-yxRg9~{%_vLDYGoZmLTG*;#nEAM(cV_)>0K?#6);J z-X$_qAzG?crB3TFNC z;TbH!ZUnWvc$1&PIy^*4qpKw;d&v07iUm?J3FCw#^x?B4N8lz$HE3vpSJN}T6j!Rz zc%MexB8Vucj{NzQZYdCxbdbrPJig-fg_p7@6&0pS+(r||TuqXi9(^9D6cn`R=H9N) z%IY4%J^(#QF@JL62W3$(DtuoajoXHSsS4P%!&l&zUOkSnX_}F?jM;%AjwBWs98uoE6{fmWwo_PW?ehwzL^&~=B=QB~+>kufy{o-+(Q4u@NmeMmeq_jX z_WbL6L3{gnw^8akydMh5xxFiuqPNLvQ*kB-m1o)Fn^kNzbUp9KlVVx$Q26{{@CXlJ z*RUz!H=yFAE?F8=ASKCCXj`80L^A6*qxb2d&jRzD z|CG&AAV<&nTml_k!e=mzP-wCx0~;`O!sSvRx{%Ma2*c1>^DlC)UXO$>;A^EC9#aKg z=T#doam5l$5K%Lue#q0Ivi(c1l_GVv=A8U>jbxUR3T`|qpW&FhvgV0sYQ&LlV!{2M zenZku@%M7~977%iJNi9aqjHC%=ueZlGyfl!TNQBjAzN>ttrs+r#Jp<~uhRGFw7Gl| zCV!&40mt0uhL1E*a_7j7W$L%1WabnlbizUe{6QK*oe63J5rTk!)Mo*mkhi|KU}GB5 zfM0#O9iLZhA9DlmMXZFbjSU4&R&6(< zWaRun`gT`R59n4T-jm_4lba4X)a>uJTfb04tEfr%uJ-rhw$_2yYbAlHUfCVCd#@o* z1V?{hm^NEI&J(g?wFuB2R`&|&Thvhfti0dei4tFdU8kc11jI9FHukKqi>I(TV}Pkr zD^OIlnI&^}&jIm1Xq>h#QBRdZC<5!n zOr~lhrBYvbyGHv-9=N+qLKl;eA2M@d%}y$_f4wYs2E!lKwVfUe7o$E)dvk^Lg3-pB z)}+Ropqn=~ESR+YD;)jsPqW+R;+FUm-f!-=y!Mv6YTO|j>j5AG$nw$j5)+S#zT23_ zR=3k;zkwB_FVLREyz-T#e%KkU8`L8t;PiH-WaQlPsqsX&swUw4{WX`6kx9GuJYLincp6N83G_J70Ws-));WwEzwke_DQ>@Up;qG3_aa`enhJ0nXxXYE z@xLc8vAs{322WuV=yxCe5YqEnSnU%$n=59h)$R*|yN+Cb_rR+hIfinQhTWYj@GXY@RL09y zz*Fcj#OMeD>3ak5p7!~Fc;zzQ@|a7&o+1v-?WB{!&w;`Ey5(pyH&%W;{`h-=Siu_* zf#~ms`Y`q{p62)~oF&DN&c<3VUm*QuT0d>Wxtd z@Ct!wys5N|0i>j(ZY7u@uac!d?5tZ2RGqcxM1r0$w)R)l8)hb)W{gOhlNpvZ@Rrtp zn5ULP8uW!fjn;fd(ix@MzPlf$3KR9MX58Ct)8d9IzKA|nLlN7hVuORG zK-Z#fjv@XV19i);!^mM}h7YT}bxbp+#;i+7^e~Y@RDn%d@ql5hdr&#_BO}@MZP*!d z@-P?JT=P8oo{TfMSLaKSKG4SVETflS`7ny@P}1=8S(?U) zn@(#5WAg7slf!**4JYOqCOD3Y?|Z3YbWhgfCVc;dN$IhxYT6B&&ICWjgoTXE;%=po zPqk+3MpQJj)p%58L<}wFJ1BRUQw`}(ZaDqK<*f=WVuE@Yh5Ni1KKixpphtvh()=s2 zHoP2cTlOV7B6Jk=sKV<3m7-fchGpdEw4>&gDl;!T?oMGP8}ku-Jp@Aihb+7rxd=ar 
zhaswP%~EH-nOL8WhAVA5{Ha#&#&dQzabJn5I z7-Od$a4T0`_*Te;@GXCM%6LS&2ET}kUKSHz=n=$F>(itBkx#SNju|0uOj7&}!0ETS zBA^PLX)LMMv@rLzOW>lp!^VNBY}nxtC$4XmOv{wval&U+p6BB%x7Wj43livOeyF^^ z!>K0;xFI&Z_VkV5aC95b$PoM&_kg^|aGUWk5J35ep5|8Zyb^FtnPGW@gvS=3Gmhgz ztZbtgt_Qmh;IWM!m2JrwwIb&$9)qQ+!=CJI<;U+2L35=xI%02Ds023DuIT5FQ?TQ0lE zH>ktXwB=lGbJBA+MwXu(B!#$F3W4A zOZK56X!j1JcEuydki}0Z;<8)Ofi0t{lS%PDV@01irT&f^^RBjXkr|#iVpy7>$v$Xe zQ5OxW7CVlNrAkJE@J{~K&Tq(Loh*g;@S^~kN{emcbg~a&c!E$^qd)M99U%GVSn6SIw(3(ODum1o8kd-4yD+==aMdC{^iF z^!cH+T*=ZoZKZ{3AM6v+Xw99;Ak_&4{vW%y>Vet?Hot7@KPUb?)8)(qbq?ky!G$4q zX_@b)=F3zPtA*%d+Nu*ec`49R+7$m8 zKXr27Y-mtumPDT(%}+~7F>&l$uxIfiSzL+hS4E8ND-_ph z+wn>J00q-5D2h}%E8yd#l|#~Evc5g`i9jutgIG_MXTiB;L;9|yw){v%R-rJKZ%>4s znB%{2*H^#@6ok+nLeSZtg^Xlh&EJ*o(E@p%w(=liB0PfrL^g>}SD?UBp{K`Zp?_MW zkZ@5_!cyzcp^)ddJiUahl;vu7{c4gOITTiZqWzEwx{;dk+|HLw*QnR`-@Yan8mM{? z7aG82CZQ*wQIFqr=#_rs7bnQCRZpPL-y4D&KT%*WqkI4T)+zBdGAuEiJ@7jX96DdwX+fs4Nv1P>uP*AA9@_!^L58L-danl8yrbG@ z-3A^)o}s=O9h^M(*#0yaCcK!7qBMxX;?_0_c*i-2c^#Y>^;!teY)|AWjbn? zV4AS~vZRW{>)z7w;PUAtSZeCEzims~jM~Y{zojV`XyE2UcnlA8 z&f@P$@b}wsrrx+d&SG{6pD+@>Y`$uBYzHx~K2;!33vKaT5}Zt-^S9JJfb&_Ce1_jskaFuf5juY0a;JZI@4D zwpTWW4a1X4FoAE2OO9Kdug|tuy;r{tv{DT_UNTXD9lP&E|7j77#ittXCVtqnU7*jR)2xT_$EXODe z{o^WC2b^EOc5C{Z;wMc^4= zb+aSTiMIv1jFdP&k1yMmpIeJ+I+W)M%cE-%#<_Qi^NYAnP*7Fwv4&cb&rab8|5_x{ zv9Z=l$iOt4T29mv7mL#Y-5+i%NLnr>(fmOKUVX zB$#b$?k7yX`46WWvh-bYn^bTqS|-U|q%XahN0p#WRG^uwkb-AKbYi+doI->5?Im|(be7ANu7~?w2c+`Mk!(iYH+^RBKV4PIi2jK znG?#zg5HH$o2H0MKflvem}F;!RJ@ZW;5?}m!CU#CMD0WNvA_9Rzi(pdMfbP>EVr)D zvLQ_rXI6Q!exD)NDmQ1dDXuXQ z7hIBaDafq=9nT=S<^(j+&c+Z5LM3WwF}~L579r{CcS(mu%4kOqA(A_Np`mvBS}ZF? 
zTa_by0^5e(=FP5m+|VK`+-d55uJx&p)#*S+nK}bbJZ0WQC@w^Wr0$F{ByypXEToaP z3~Wb<2Y|6(z*-Ap@7ceZAyN<3T!J2nE|*mK>!9>Un>eY5(6&OtkdgDHKZ2ciKFO7r z-J_i<_12o$w!Fg_H?hK6pj=HoayO`8b6G@|m=1qEW~|6>+NR%!GdsHT-kS8pIiU_Y zrkJ&H2Z7kLjK2CnIv%T3)xcM^k`*1jG(oj!j!|I-k_GuDjd$Mk@rMh@hNxL2l`yA6 zf_YZi%sxRDcZBnf>`0ASQGFV<89k_PDQ3-!730R~Br`+CgNB|YauIQ*Jfz`i54J5O z@R3Kq$XOwFuZ(Jm13$eyyY+AiposRnaNwi3q)}F#OLYHc;Qa^;#kL~AZt3h-(peUanF`fm5>0BdhP*L5i zlNC#cQC|KKR6>i5tj)a)1Z{{u*Lm@voN z$8P^?<|^csZH*dibyf1%bx6PcaZpb}2-&$l`k&k|%rKMBL5V9uS3+$M=`w{_h~z&{!3PiugnD?{-dw_}rOBTjfJx#2Gt=LVycF{wfK$PXWB$QMxDCi4boVeR?#m)uq z0^lK*QlMmaG=nTkV9&1Rd770Wi1|K`Xc{~kNXT`x3nuQu(aBshjk!Xt+pKLJJioGk zd`I=&(C2eW^W^F^>p^+sxm@B+LH5wIBBp(RVxH41`wL!P>Q`EK_kX;P$tv3IyurTgvbc#InC7K_JVy@CD<%m^&4Bmlk{@J~67+eRdN*`jQbl`;S{T-pE6}*QJYP zqpN1Eqatpg$CSvheq-85PVWPDu-qMT+UvUqe|CU;E_WaVWP#22`1ki#`(foU7)#0U z=zk|~$2-A0?K`{c`+C~kJ067fH&OQMKlqfs)A!)fYWUIG7+D9Dm$!FN#r;-q>_^v9 zsLjg;o-|Y0hfeKBpdTNK(kx)gbvIY3RZnnK4P>8xK{zLQ|lEt`~X_GCg*u+cek$!Cg<%6kES9B z{<5k7#O#6eXrj-A#n^kS0A9@$r4gF7 z3F({%;|@~SM2oR#EOYJkWJ%>5bs_~^+9XW*~^OJ~t9Y%RU>;ixYD@%I~I!#1}%zM~@9 z3{qzMK(h}t@*)-cG}~_!i_(cbfT|J#`O>vpeyoPl0@3NgJ*UJ7fJqV)yMnM40b|QnImbef;ReXICki(?_>7Fi4he^_#1#Sc6Tj-HDw${wTE9$Z44DAXV`nWjM`D z(Y|#o-Fl*7ItkJ4larnL6uGZNiRF(QU)lZ^a{;m}*RCW)iC}Iy|8bfbNofoZu?#VX zbl`rAU{OR9tt`g$=23#5B-?Zh4}f+T=_R9V7FUqA8n?5zF8gGe4tmzy;0A#)m&g}U zgIe7m`=XT~>xB7(YIfI;YIfv{NgWyX{c+%`B(>Xnvkz;-KZ6Lun$M_U9@I4(`Ty{7U}k2XQv^)tX{7GC*lF`~&Q}B!Eh>H84G;P#V@%Ml6T^IxXsu8~xYlK2{ zV8cvEt<3+aBsa+SDYI14CPi=X<;ce}!k3b_##1*@MPw26d+>H;M+K`EapYiRNJ=ou zZ&)h8jtKBv0I~~wPvXGC$?e-sZ&FVyfk+OC&wt+shN8c`X@$dp_f~~NwUxuP>x?L8 zgA%5-&Gd($*!Nz2@K{y&)GR-$W)Ws#5?!h?P~%t>BPzYK|6Ysyllj(RDE--iGldj4 zYbk8ZD@4zp)c#SwQ11%V&G+f#H-m^I`3U?s4ReAVzEX2Mx&6VQpJEB~Z1ASsTL;q6 zwmTnznAN%*q~`2`HD?c#PJi)(*5*3#0or4qweSk7LuIo=8$1A_rd|cRaIJ^RUyoh= z%UDBnd8=b#j4OUplSbDfCAH`L%YyCRHWwRa*49~sc`nE-rA-valaV(!o-Z9n^x4+? 
zY(-$*Vp6Xo+?1s-HQa(2-YhRgyl*W}iAB6XC2&T4uBl$@gg2Up%9}D8J(tUX^TkKr z_RG4$vhygswB?YuWwzCS;V95ej1>R*BgAClsP98YBm?2KUm^&9e+7q2vfyWWz(>3j zz6ZYrL;M<{Hqx$yIN-j~1j*<9`xw1tM!6?M2S(kisc3yoK*zRrf6#1zD4YJ{eXP6^?WDjI|aEJI0F;oJ{aoh1X?0ry zFZF7>mgbhv?V0=P|ve( z_V;`uE#{ycy(u2YyYt_}bz*iQ4uQ*AIYq5{rww4{ob$V#I>Qm*b<^YWKC_XVCb>5- z4^r~J*POeWqtNTKj>1pev!u2sW<@l&`F9ntvjE@A1^R1Ru@FEv@gT`^S+522OCbk+dz?_p?%;1BTj&+;<}nu83Q}?8Ek6e>j(W zJkB4|>Zn!EAkCnE4Uv1TJ=;_sEhs6BQ)Bf&pTv4_ijbG(fIT+RO%}o7+wlli|HR=k zly9#8CaSZ351>W?wd4Kgx|lme$jGPFeSA8u_jWEg&D*!c-b28&PLRD0QrNSIDyK1x zbLA_xo~U#4tXD)r*tj+OxaHFPew{7G+~>a3BGuFVw=(a?yHF+sGWi~i!F~jJ%UToK z6AG}w5A?gZ4P+^?D{|=wlVJ!B2!J>XO$J8SCVYYjaY}bu+lt?l48B4}*Re1p zr2<60S?gniY@n*FbegeYMG7Z9q+H-J2*_&W@T%(+28LuugJc z3q%^F)rx*5@(GXTgv2h#IE5Bf7Ob`)iOs`BW!N!p-vrRt;wD>iTSz{*^7`IH^6#0> z0nii0e)Bdg$$d)KQHpi9TfsMxO&Rls7E69kPDr$4HsMq4J#&_wQEid+!Kcfp%yKAq z>bxk(K%&>Ao`RaO2Qu#Q&P{8rxTKt0maIu@jpOp2a|j~B3#3c@|{bJ1Zy2P)$IM4_heDk@nQxmIIMnn9?Q@B4T5xq#fezLp94V z39{k79<<7Gx?ug;*}eUkx^`8%sB$)~@eQh)n_L?OSCxh}3-$zp--z&Nzg$WQtbNNI zDE@wI-X(G95BF~!OY0{bZ@!=?3KQXy1ggC#Hc@L+Z_El-UH_{>2U}~tdRr!!iO6}# zY`zk;PAiK)h8X_I*JsO5W}h%CW5>+dLYrjjzf_`VP$5^YT}i7{D~81~(5C20TpXfw ziH#&0FclC^Czlr3i)=R;Rv>9RLpvOctT^x$m$em{>--vIEylFnlaU^GV=DyMO$#@@ z-5HXK>&Qm&s&ZlV(;*0k(0)q1Sc@G;g-dapRz_bTqv%FOQ8t`D9H?amC^IP(-&*!% z;d8RD@F*Tg7xG!J3Rsu-Ai^zBQW2EdSD#>y#KgO+a_bWOqd z8^@1TA?L%`r!wGtDKTiWd8|U^C3{a{Xz4;=;=S`2zSMn?#^Ot%14BuvX zNi#*_ePhIoutXE}H6mA@1YDAg0TY4rq)Mai*c6>`^mhYnSu6MAgsEb$q7pJD`zQNf zwrKQV71|>-4AZaAt$a}5@L9+B7zY8I6up@;@v`jD=oO{0(OlB^Cw3C>66#mxNxfDG zcg+J7XS6K)P4_hQo3i+26tJeOwZU1*v*>WYE0!yv=EC_!zY>KroGjJYWan_qC(M?Q zWB~LOTVKBDqhsQ@vu;j?II;93Aoe(li5gCU3|Yj4*zef?3m~Ds@8~fBA7-zN|K+zw zo$%aQez0%h#WbHOZSWxBfC}~hwGVyXSefuVOig- z4Xn@*m!4R<|4z`~RAkK!P~0U~-_D_+)1=G6a&OC3)}KoPV(ClQ1>Q1Atu5D!r0KWQ zMTzCyfGXb8TGv;Dqc~=TY;X*(FR`;ZHWApndHYcc9FoUD((yV(jty+T<9)4WKN3K<;)mwa_3@rt>5`$cd`BIq^^_Py%$a`z>axT0O%7}ojyz33*a*rx64e8Cp?f*bZwWv&8{Do3mh~B{eOA;wg>0IMGljIB 
z_Oq{Y-G>_u>|SkSQ>FxM>b?={y|;h7BVLCtw!rfleeEv=I!#=?S6P!ON0;1Zl&)vK z+<$Rudxxs|myLj{;NG$}^>$l&UqiQ_{`cYVeeF{_t^sUM9rx>7f~(pmlNY1wKc1!l z*G*-_>fL{ST>V+^3!DJ={{Z%mAYcA!QsjNY?y)i8C9z0$)LeNP^aMNCXytOo`R+x& zeq^SyB8&r<-Iktq2K#c>Pc~Y&WQ2U|my-ckbG*MhRDot|LMdR$*@ z&2Q7#ItMhZ&TqO%?7W61?@qV_oSr)p{g(x=h`JD6j`)Y|p0}5T(z_;I;{sovAlB~? z?&Ux+%iF+rgNwYIJe3mde4#z3+qzoFw##bl!Aew$3pV8K{ToE-hQ#d!Up`oeNNX&G z@}9&-=8bwF77oCuA-~IG%AqQVhN}^bk17|j>>Q$tZ!QPMbu4Q~N+JsSdO3h=?G|=H zMt~}o=Fp)!QRzQ$bEcf-0wA@TZJiwA)){B_h7v$ zH;jv9t+CMY3vXK0uOcn!&tt|B|BS@Ztb^iNqAMFFO=MVa7garrm4n-Dyn>zSBczcY zKZ>OuTm=?JqiSYI;XRttMd{nW$cG^;odGsNN)H%-w^=L2V(`J5$%EIuGvp@JH48(E ztm}aIy;gqfrXImJEmlO+BzlPye?4q42iw@W|b3e}*uL&hP6w0W}lkb(dRT(c;sTWq#d$ST! z>T3KlHG}^6EzwWD>aR)bKC>pc-ejhnq*@p+EY8T|7HaoqyX@H&@J1IG>mT!#)HCs) zlh$Go(c}>xo#Ay`YkgjGcT@hx-$_Kz!ctkjqM#EjM zTLh>44wkK~i@_y}!`7`VWX+HXn{IKEK>BKllb_@sv%lgIun>x_PBv7MkHS4~^e-@Z z@P3Qz;Hq>bpg}w_FTwP=&vyE{?&B*5{@}H#S$)q+-Jjpd%{VbyDyY~Zf4)R$J>wsY z!5C1A*4ui@ck|~g>i^P0HYBOhRA5=s=!kGj3{X$O;A0=vbIA)i+sjr{`BWfs6youX z3#&^b1VIF;pq55F-FlE{xyG7!?4SwZ+pSH}$^M`&XTm`yc9xO_oY>rGG*sD=C3=o9 ztVw6{!LtwT9%YNPQws*Bv53&Hdx_#CTZe3|j>sw9?C+fj%E3~+K?R-Uu zN?oGW0=|YbOPQ{Rf5k|b^E3|OpfQ{=$1#qYW*2tDB$c7{qpZOOxx4lRso>8C7x{qC z2M7_GScz%UQ8>aJsO1G4l2zYo4F42Y$8W=bD`&C0Nos)N^zjxNR{&&2>&oOyQbnA5 z>CbVVnn4OEdS7+k=bu*s0d{k5f8W_Jj6bATwlZh^pYp;a?p;cCzfSgwydFeX#!8yb z*GB(-cdAYg;J%DWl>V7^!iM4ur+mrg#ue(0GJzqNP()k0VvA-gx+DVQ{ih;WvSF*u zry-q$H~D9SNUkG-J_u6!{C+eW5u!X`D9en2Q{FLfb(K zm!dq=9A^}BNc0{~&xxNX%Z}na7HMCq<6i_W2Q2WM&IJn~k-4n#tQmjzPgRzprTI#w zTBIN`5%0JMAIk(E?UA#5T{7#! 
zyvK0bVl5yOA*m+-g<&U>j<$r7@d`RVDLGkW?6M z0<}FiXXib~3cg!TjEVev=ivE{vD>(AzZOt>^TA(|Dc_=&!*9%lJzah*JbX)fple47 z9iJZF6<~N@Z?)^Y>-k?sC4t+2Xm!BneW~2e>)9424xD>bq5T*BNAQsM6;nuRK&ozT zSIq#E*$)&uK6-os-#Oa4z^7yPx?FIUS-^qaT8H1JQ3P5v7vCG1YtE|!&~M%<&kNMR zeme~V?{Krr%;cEEGqbF3HPBy^M(nj@__(w&-y#*r?^)0V0+3wZPyDT#&h!66|5~x^ z(0+&piQn9QeKhQG(N0DSc>26e4gaHg*Pfc#dEA*_AfEqLeJ4jK$93{@`FqNTPs{H0 zqhH%dyBsKR)xnthqWC1(=llnDxT8$yIn6UR9rQ|)4c_C;8XF$0+IZhzw@DLo#RNMA3TK@7V4P z!*XY+@22(;)3UOll-Rzf{ek4(?`CK0#o60m^(;T=8r5w1{Ca-6(6}LDUhQj|)BGEy zxAi`PMPT<<790pU0fSIG0Uc&rZ`QMqfv6mTjgJnI@9sh|)%=#suGdm|=iR#^Xb!Bp z4#SkOz`fYBz_m_D!hjYJD4FEyslQH9zawDiK#1pc0VS{7{Qm*CKu5pb9UchJ-0`8y z&pT<$-QMhrlX$baAA$$mS>gAstbtzg>95zja_I+dIN_MlZnJMa{EZ{_T;z#`*ENn_ z@96DjAKyRsUTSwdd8qfu72Euw{ra->P2NQ(t?=3>kAPQQb>)}u|IhsYf4Ke!|04gH z@&Dh9{VV(@Ddli{@*U$p^LyVk!s+h`FT3$S&3}Y1?f=vI&ha0anm=xYm-9(6LoF!( zDJ=;9>4I%jsACgLjN>rQM^(URmv_c{qWxQdrQ-Xw)+=dE`K#o<8bjCbd zD>jnFvC+#RFkLZlx|r%jMmYhb13OSmJn%r0M{zQ%(1lVTl`3FOFLXu0?Te#SE7=M- z!lJ{G(m}D@sMU-31k_K$I%Wa=dNs>Rv5+&&d{44fJFh#b9;b#(w@7B7_Mk6@39ZJk z(>T;qO_@nIo87qIN>8G^QE+kq;`NHjPBiv}f(#2-=<0ZnbV7vjqu95T!`K@VZnoF; z$3=Y_onjq{;(HJe%Yy1ocR>TFgQEHM_)i+loJM37%a$0mU`s_i255$}608O%M8z6Q>I@>tPQ7Ur#uK;S zi-lIJUd$KBTnF+?jvO{yp{RL+Frqq49&qzr5}})-reL8pXjnL&pnG|d@W)X}Haq=( z4Xl+DESVVx-JVQvy;Ra_L>AJ61*(e;rXi*#C8~XwYu2X=36E-Wb*Sn+!$krT1apet zhx0j-qP%{xoD-P7u``Um?(5Ui7TWfx>CC~j$OPZ*f3~>-KL($dPTcd>zgSKHUOFnY_1!- z4kAy~W`5LibKQKq?&WkU33JdS>9`7-D?^he(SQUOi8FknjUil;L)lifivtQ8>K#x| z#EHUC%5ikA*USmJV?nMmrU-&b;>~uM>4DM!r>F=wGO13j3>yT8QC2Z43P9d>(K^Af zY8AI*oN|(3o=^uwMCMdZz_TU9^v7hAR9U4ZSG0=RGd!-x^lYCrE6ik60J2VFnQ4^CAo6<{z7ljyivn^a3^uBUNm3kwn< z-p}%JZ8$77N&|kv>tV9l79-EYs46MPU@eVwY_}!AavyM!W{uWdG?$z%9H-XA$A(Yn zgiUasQtYWDtz~)C4s{DGH&9N;ty0xNNmLZ1wmEPi56}nITA1y%ryrTehoId>BPMB! 
zST{!+beyc&O3HImXj5wA!;+O{IFp0i6ze$!UBKvs4al;~OEQ%BbUT zLfG#WG6M{Y?GR^ObbeP{7^zg?2GTYWaIDw$QIq6UAYmangs+q`S=Baqty^Tws^5|a zgi#&iyql!r7Ub76d7_d}#mOE$D!5}4bhYU~h)#v60?lfg12cXBG~5IfU|Qau;XE^( zXNL34aGn{?GsAiQpE4LC(QhUHNzLT{z6tvx|M{eK>^k29{zD{FBmu+NKU4pM{vH1z zzXkj!2_;bkMQ{TC*ZI#$Pdv_V|K9m;9{k?#kH30_@7?^yO~=d`kJdiQc#lx;U1F=< zmRt0#J^yt2^0S}2aL?sl@ZfXTT53*mi(@xlexEm=80_-SZ_nKLv|s=E7bnkJ=;u%D z{O-A*m@8VxEWFjS*Y0`a0|(;w+*Q2w>TUFwo{sn0`t)NC{oz}m$oJ{@UNPPZ+U|G8 z{%@ZD%thvo2c-UV;-QDFu-oeNDF+azSk(_-erMa$cR%^(*Kc~`Ya8x=<8PHY>e)9| zqEq@GoHagxf9H%l@7QtGl}`Q5Zu~nx+3^y8BmR<07C+<{_qm%sc`)CW9N z>n|O7$7;XJZ?^XDfApg}=4?6ne(#J6uCVq>UUS=z_PFr)?bg0=&GVjleD1+ZjE?yU znLyva?&Ig7mo5*U-Dls;PDR#CAG^(2?oR!+)6!a6Y550!HJZJSaPq@1ZTHHdugrn2 zxPOJSNp_ZT!>=yBeGBo`RozvuT9o^A`A?47pAm-`5R_$oVp`TqaR|9=bh-)8*( zH)8(^{~^4_c<^28|Ko;&GymTuly|h`KhJ-@wExd{k^iK4xrBqmi2>&tT zo+C4Mg#%@%fH#c_P#(rXG(^Y>Csr~Yg{XGhZ4*m(P&$(q8%$0c&=KB9n?sK8Weus+ zf+ZDA#0F}%x}+kufkHh*dpcY%hK}U7jdEZHSeT4hvP+Cj4pPKURJ9e0H_~yvn#($A zrz9&54JYh!#;H;=pcwU>UK$LgOeJ7Oh7>_XbC0AjXTQ&o%{I39t(G>tc%WR#K8*|_T1KG`>7v@*#Wb!&{6-4cjT zij_to<&BzsO&xcuI8ew(394KV;ci2$^aonnC}C!TRk36yNXNA}r+0Wgqq}1eL;7$9 zbq1a^TecibWY(R4GDtQk)r9vR{NeuGN1)LMf~O36Xk8(Zl{J)am` zQl_bNl#xbzNGPW>LoHDb6~nfNfT8syrmLgOP#O~o)pZ7bQ*0I3G}YmACB&@oP}$2j zYLcI~idCAxK5)=gq3Pst0U!VtwGKnO-4Zw#ZDgyx}%g1 z%N$H;Sq2)mT{LRQ4GAx(y}}?{l7YIXrYE`15NVa*ve;wB`2egjH70H(L)Sz6c)$|{ zZxnkG*O*RSs?U-fR+m|UPHp#FV)@0IfsWfmR5N&HA z-J(LK5sb4G(;tq7-f)-+EJrNmy@~0naoq>FP^tPNR0|nW;Vsj0Dy-H~T3VP326%Qb zDH{YQCRhf<1!b5Uq1nI}YIPEALUxX!xjdi{6gFhisczd)G*C@fTnz8z(`hwGQI&#G zHM8YbGbrZNftgHpiH4ZYMIzcQ)hA*zYBOU%a$D)46D8?fA7h(#+rS-o)Uo2O;fGo| z(*jd*D{n}>Qn8lfRXl1Y*r)a79|E{`+@ z#>YcmOrQg7Qo-6-j*sNY80xaAR?tW_rNIa;0F_eSr&1tkrIr7f{+mPf=kp(s`2W>^ zQ>tVJ8kty=$b})%nmCCZ(g`&TNb&jX^y@{w>)7p5uR&RAkS_6&RjijQEwk6IR5Bx( zl#|TB3kQ`T;SZF8gOZbxkkh@S>I0+c8e+0wP78}JZg(Vr3IZn`L(B2Bhy#CgXBNH0U0cwEc3T?5D#*>n&y~vR8_UW z>-7_LAFhu~)>LD!UMZDwK3D_Cof*_KgL-CA&kX9BK|M35=l_7g5Q%*&`42ji|NAEF 
z3;bu-AN{G||L6HnG6f}5WD-NMe}eyD-$wp}rVt{DA{g;C^xyul)l#`%t@^ubW_&r?_VV#Jc}`6^;@-D6JbIPuTlC$p zywO-SfBBpXK3IIEz1Ryj$=Ze0-#q%F+!aTNzxwcid53RIzp%ks+n*_(eaQa5S^WpU zT;YOucRPLsYMa%eITtQ_9ew1UYkhd*arZp(>$lf9qq^Zc_@PT(OT4%J8mr!t-e#Sf zKRj~NMfS`#&Z#ZU9IS1(?8ncq`Q)n2Lyz9*cgOLK4c~cY@t4e_kACCI9nX2{)T7Tn z>2>$h{4ZBIZRs5!TcfmY_ssYIt^B8R^j%%Zzv-P7kK1F3Bi`tK*c!cf%Xa7A@FIKX z9ed^8+w8_Qw||V@d-l4kFG3!4_tu3hv7xritl8SOh3$559?M*~(tSs%tDU;j`==%M zJ|RsV{>HqW1*uTJkK&BQqzA8ES?d3la?`SDu8q5h!;~zHU{wx3a z(*8f4?;iijLj3eU)8DWlYYWPMv<2Zmm0F@sw+BvWphluf5d@%SL$K*WTE0v|akt$f zysVoXvx7krt@@K;0T;3wrBXOuY+FjylF2OBkL8q?gok|6X?cL#iif5_)DjwuB=dpk zQt7y4OU1$12&yBqSWXd`jd}S76lh`>gxrc`jK{E$vlJMCN<#o0H3TNcX{J=Kh+_*Y zz`eG~Bu%*%nq56L)(ksQ8L(qEYL2HUrj2SJff^~%E(0{9xAAd_yD z8?)(Ax03QScv6b0ZJGkd=!A``yi}%ee)^QWrKm(#P6=qb+GvLz1rB=Y5s;aHN*i|y ztS9y(xr{X0sc@X-3wF7cb<`SNspZn5RYeM2SyF8tv}-lWvTTlr0vv0CB>-dd?R4I$ zgzcf*j#0OgXxL)o->v@!W;9WgX86zN{0IH+@t*}cZvM)D7Nq}AG3`nbW1^<-03Dyo z6*6)yR&*8a#&%du!8$R5h)%ZEgEZ)h5DCWxo^G_bD9aXx13+qb zF(t zP?ZFMM8c(pZFB%*F_nWburwr-BLkWEbkW9|eLO4q6eu7Jl%`u?gjT03wT64eZeI`w zm1-~nB)&ngRx!c3g&vaRS_!b)MklFG+Gb&x}6tYY3cH=FJGRSchC2?I^?yV zN9?R6URdp}SAMA6I{Vhr@eA{3t@P`;xBr^@4Y%!E`);#W_l2X6O)SkncgRtfueM0_ z{pwX$KZ9R;vv}^K&jm;C{e=1UerG)R^j6G@izDM4WlhO6HwA z|8ib1Ys1CvJ@6xuzdzokQ~CL-mu>?caN8lsypUhTy8^oE<`wvzhqE8tYMu2q-ut#$ zt8}qPCDy<%BpsnZp^2c}l@Zv}KXEuK5$~CSS-2A|sS5udzoChBIxALFar=54=VGqq= z+nfABOxLe^b%}*0f4u4Jqo@^bcx#!1KK>29Wb3F4SNdq5=FaEtbMpr4Z@t?ZN|Lpm_zh?<~+9e z%SUXo)VkP}t1R#R&dwil(FgDCa?p~$Z{7Q+Wj5L6t>c%u|Bl12S!v-P5?6z>=Pg#A z*GE78^spZvDxI;_b(TMSsoS64@{+w~ald|Wt?g1rtlGfN+vC(jxFr@}Kb3v$gahCG zp?mA?m+kxPfk&?L^yS%Yf$=_(Lf#||uRP+*_y1@9|68d4Hsk-l5&Kv8k2w9tKm5+= zzeQqZerz`VBAUsD|2+Ts(*8f+LH?5u`Hb?H#^i#`FDU)TpA3(gi!Mr=VJ` znhAkHB1xr9iWxC*#>bp8RfTl~t~QADn3%K^0~+;4VWmW)d6|}rWsXEcovB1!HjqW0 zbH+fOYqW$(f6Q?TJqYxkTW-MPb|g9ZBG{YyloHh^JH0erN>qX-Mihyz?<7eaX;xUY zHmr95PeDSI^F>?88eFNJl_X0Uh*G4+a9OfOdOf9;{6@Y&nFYNoD(M!C!XrqrKqS#oD{QhZSdFxV z->UZjkScLTt2J!c!;WW++o4jVRj^yjXLVgjTP(y*gIbZzCRz}dQ4@+4R!6Z?>Nz!~ 
z3Kp?CAQH{5S^vW*od(pdC#_DV`ed!+VMN5j7D~Wn zA~q2|6(LC{rqe*KTT>8=MH-V5YeTjENN+Sl70;HDO4Kl;@z~=>5ye)aM%x?oMVP=- z<}{FnCW)Sq@*xTU^LbRTp{9UAY0P6;y=&B*bO#y@n?2Lkg_6a>Ii{**GVQK7JsKhu zX@0f_ypB2mfpy#p*f(MVY?49=6pE;UHB)$VjDuW`9XXXj*w!(aLeo%(&ngYZ zNQ;av`a;sE=c6_-p2P{m)9P^xLvl$w2+|oL)7IotnhmCBOdZB^!(@raQi1G@m@JbW zF)}DN!$OW7GcnW$NTW)FqsF*8K(GObayZ54c23~NVW8@TO5E--u40LWmMArnX&Y3k zNsUjWnQEMZno?E+`do=}Nwi@~owS-BiXoVhDmazu;Hr?$xpb0&7(|4eMhC=DRgpk+ zQl9vOQ4?cYO@hw>gXs=adQhi?K>soQx4*6bSrGlV?1Z201=|g?wNWsE!*-=w7Dh>C z(C-wHr0H2CZgo|@o5P*J392PbvG_@{Qd6}QZLt_9X4w$~47($=tdl{4kDXSd*6L)$ zT!G9N>J`K?DwPf{rt?jF7OmC%`emclWQCzQ) zHKWt46BAZNx^7@p$40w0nx3K=BMn1VPZ^ZxsybxbRVtm2m>8Jf2(a475dv&fNLi}8 zR#WQXQm0)D;c`6gBupwTHM%(%1X;BtWUcnZ@|{-J^Ws66?qWblq{OJCNKLYCY8){= zw(<>1OHoX@Q!Mo8PF^aG#hhodIeW}ET&3rD)>yAqN!%ktvt9=(R+5_rBa_VZYfUF0 zQZs#iW;o9b=b7O=Gn{9J^ZY+%FhmmHF8+hg=RX((&E)^S3Hu`dX|8qOHs1pNgC>(O zgcA_?Pw*e&+sJ>WKQIJOeI5O`MfH(mieXfyAHHLvY2I=XU; zC5i4rTR&fT$_cLC2fzE;C(hXY;JMGFZd>D;PaCV>Of0_NVym2#erl(y=B<1BdPi!T ztng4~yjf<&_ZHrNiIrA3H9PBL4%;DpPwI+a9%gNR>^(5eAbH}tsea3@Y&8Kd)v#tTwLX;rHH{|Z=CpV z7kTmeWEd^~^3qFbFMqhi*~f29U0AvP+0QQKvk8~40_kta4da=BXl%2QXq z>4~GRxofF4mjCg7ul@!)>#p)qAFuV+_Y%fRiyZk8iT-TSI(vEft|!m@MezqGAM)Jm zOTdYDHaS81#qrN4wqJw>+Ry7JHU4n#noF*-Cj8J2zrN)D%d{`w|DXB)|1AGW;_w&w z&rJR2H)8(^|EZ#E-uceyzfEH{Z5m!SQoPfc{L}nL{IdQ(6Z$*If0EOXI-Xu`Y8taH zDF3k+r2eN>aFSIjQDYFjh+yqz0K`Rt7D84}mlR%*JA;X+iV3%rhlgawuet^(a5bVU zDyr>twQNzLG@=t~qiINn4JtLh3uK3qUForUY3L)g9ikc=q|}i(DNM+=)*KT~Ws-%* zZw^WRdC9v!y@?rLnN_60wuy2X7WWXL1ztuMWIOzW56NH3cXCwt)at0(QDM; zVn(frYK_bZL{{@Vkvm4RkkBt^WgtN#-q+NBtM>=VObcQ-$H%~YE7hxv{MeOjA58Tj zDyt+TBFZ~TMo6Nf&hcgw3K=|A9;2;<)Mx?elGyhKs-wgOafl`%v!9UJ?1)t4W^>rg zjTxBZ^f6z^McusVm}Fn@1Z=v(2Q@Y1Xe0wP$Xw4Vi)fx~jdN^{$*A6_7O}Y1V#tDK zYgp7_+NrpmVOg=IH2nIgiJD;#Z)-JZI0y*G&42SBae?~(lrx6b0i#sZ1Ogi}GBT2$1e{2W z!ZGGj%@JX;ytWZBw857dN+x%oz&2N*(d!VCo(4G_^{ z7emLbS|JUOEf4a!y3uv2m7>z_TlH~H9ka&B7&nWP&Zt3Z)sh>CG=S>qqRiW>fV32m zvLR*|sT`XUCwj(%YF(ZlIs*YkI 
zs+l!!L{7YJoR{Ek5St0LqV#m5B95!Mwxtj)rCC%)!dNfWhL#)kB3T7ukj&ex8_6xp z_KFB4upT9cPS~3slU>}-1TnjL1RW^+_CE;qB zq=iZl%jrpd7z6?qy)6fmrfb+DClk%6DV zCm6>ya|G8@8be|d;2`b~4YC!u^_+w{Bw6SPNN5gHOdd7(Y}w}OeV~N0X)S~apKcm0 z8ytaRQ0-!Eng(MtIZQQ@8eJvW2yxJ1Tfy3(T5h+)G$S^GssInhA&~DPnWif;WkbL! zh5jglN;CLo2H(u!n;CpFgKuW=&5ZpIgCUaqR`Q=2{hx2dzQ})eU$Xi5f1dv!^A`h} z!jq|gg8z_z$A6OF0{$~y&lrJCf2RI*{}ClSKEKpc(^WY8FfA8?$9x!*86E3_0+rX?-!ku@SO1B-Gy8c=ZR|W~aaM$0|ceuP?UP3#}`~gLaJ`pQqol`0d#j4`WVS^3SguHy*XhtV3SA zbQ^eUdzURAT%hnc;ZDXuZ9f@U%vl8^Z)J zT2TJuE(rhWH_`(OGUXD*1VOgNvq00W^rcn}>kg1iZ9-#=!1DEeI@ujaV=`+sV7p#U z)q~g~8Wo8ky}&9&Va~`UF;BE}{Vt#sGkF4(R3B~jTcLtcc7WE=Q5U8vnY5eAxK7+} zHRQx#(4+fU?DT8n2(06tL*-N^ta5-lv30%*vo4D;f~^~H0&cUTfUoK$ z)8ZONinDWG!s5!Z3iGy%_480N!2nf3!Y~fY;dEH7_NZc1>QZ*GmnYNN?r2nRAW=UAC$1kB(PAdYwlE;;xs$RJq5ZP26r#)|$1_m5fXkNDwrDv;XUkkJ z!!(PDpx^0cnN-M@RkrDO$4)E3d%6Umo$S}tf8z|tjKP zdtT2iGfEfACQ&o#l_NVFbRf0Yb%&#B)G;$m9ms{2NR10>bBMCb#E9-6@aDlHEz-gO37YR)dGy>11xLXU#I>j zH{ZpEf9ql!#e5vj@SpE8|5=dZ=CAx`LHhp`sdCSokQ!1afg-`7j3(74pp%ecpOuW- zK&qg5*Rb?1Ho+0ENjE503{~52I#@`EePcqUDU{EW6Gk)v5+^7+Ox4J;4kisKE$J+l zjuCI@kcLw?HBinEi>}ob${7h)iKL`;lS)JEF*Vz&K~WXp&@e}}GG*Utjgtb!%6TnT zi(^+AjeOIAbDd05PFP{3nN5jGcft(~rpPl^->@;Tqw95`oAL&HS5DJVju!Kox*%~% zrzRHhx>=XgUE9yuiIEeJ{DG|6LMUZbhp-K}p>PF)C_37HHr!#;|$7YwC4l~!KLi*PKn z4y1U z&46{KJiz)0<4LN_I*CTE!3`6WW>`&0?8Horpotfmw&V^~rBFngg<2IL=q}GNieV-g z)2$V1IR+#937sgm^DVeOY~jrz(i@Kp>1r+=p^9I@+ibfknM1tRrJI#H&@9nd)hv&@ zJv3WtkfGHX*?Euyy&RL3Ih1sT8Xqf}cv6~rdK5y6BXc;xBQ}Ti8?^}6fdLnm3)095 zO>4S!(oV745(%(GLQs$Epgx>ua!FKUI%dB?ijy$kB~x^+DAh;ZOjpVa4xr660h$3u zGr(vD7|j5q8DRAPw!z8&ZTj<%`45Jof6sqXFg%n0`z8$9W05nVJr@4u=lo~Ob?NQR zmA=4#j{8RO35<~QJHX@9#V}t!Z7t|WpW&15e<}Y-{tx;Cr;=Yne|GxDuO3b&aU4fT zY~z0jd5&HGjVt$>v#tK4pR90qdE>3qK_-Po*K>ST)XOz_2XU~{qoig9$fU{YsQ7eYWqC*>UzJs z@$tEH?oY11-3xEbIqEiO<-?8j<6y;Sk2~ zzW>sd@0?Nn*^l$}+RtIWGUvjZmcE5Oc-7T5?_Nyhlkp?FpS;D(_s_nwwfo!fJC&#B z_0C)JjIEzL;(%dCzUJ-+3T#$95xZoW%2C^GH~W)2eDIZ{vF`q<%tEK+w%BB&#l{17 
zvn^jrJiN)AcQ>hTd(qMr@QNp&yMIOhs$XuBdwi!Ky~N)AoV&?8Yu|MZW`VWtK^xeiyZ~ZUq|M~v^f0zFJEA>Axo}8)w`9|y?#j^2V z_|N|oCkoo4lOw(~F)@v0JKxq=c78%GA5Y`ASjZ^wG=4L9+WtI#D}Oov$%eoeV^==< zs@T=b{B`V~4;}bd$Nu@yfq!-EpAQ|Fj(x(S|%A z*UJ9%g*y4HFnw=*+-OrVKb?NypH4_}tv)X4Q0P(|3M&aB)uJ*?rUHmVpOLzRYc}yl zRw9Eq&&tC_ny-c|r70=AoF8W!nA*Vzi}9NSK10+RGzUtkYPJihmIyFVB{O2MOgV(0 zAepF5+8t924O7ZV_RXOluQ6hO>$}iQR}oj z&LowQGrfw4!Ess?qzG@6jAq%)D>9+zIiVg9*+JZ-%dr{_OPP>2s(cfWU=N{cb+kpX z)zXkjhW%EhnJzcWcBU(|T_?_at;mff5gls{flD??uoa9GeZ6dJ86=GW#pXnh!@6Nl z>WN{`lXV4DWwoE|jY?t|n1SS_8?@HL^^(GZlGU8>CR-LOJj#aYt{6;b;j9AHHq?{H9(}ku*4a3ZLk+F|7NE5Zvw#HY2 z45Ev8jC*|-oQ9&}xZZ+FXlqh6a&gR{VkMWh>4~q_$}!0qow3N4Su?At6T3iQQ9x5^ z%F#dvCA(DHstW*0LSD#Z5rI-lM4DHtE-}<-OU@6vcri&SED=%pi0Ta!q2~?3A=KIx&Tz;{f?PelD>KTIQVo0Hg4n;w|0NYg|rW!0!bKfue1 zNSm}u;sG!A9l$G9nI2NA(Dfv3XPc1o^-_i4eD^x4{f&F&%XVPTu%FM}?N_p&&bKvH zxL`*O@cCJ@0Em5Jk2sl{UYg|Ar?U{|KsJlZT9E(~=|RbiGqIN=GkMSI6iKf`zikfsjQ>WE-3Y=v8zy#u4f0RNkRRZmt6~p78+w=o3W7o1RqTk?y!LUU2 z*g`;8hAc=3I@KQaOpv21T&I|my9FSl`&B!g@@09XL5@)j1!i0p;WiU?!a+}qB_7Uq za>W7I9E?*_hu4F;QHe=OUdgHmXea_vg2i%@UsmEeq+yX4L>0>@lwlmnjXk6gKoOaa zrXM%wIPHM4JX$Ne1-2-VE(#D+Efh)U0<>ZYot2%_>vC+)jCrO&OAoRI+%g z;}l^@D(8oOPDeXJ3QLS)Eyqk;vYg5Sy;9X@n;l=&$goti_%_{*HM=@cDus9&zuJiy z?8TjKyM_mr6LeU_2TQ(;85!B6bQ)#>$S?UN4bz)x7AJf zJF?rQh#;&wo?{)800*(nm9Xw8U$x4B);G#hD;XPMIW@*&vV!C*Ad{NGIWstC2ItJ+ zoEe-mgL7u=e;AyE{?`G}Kjc3+{`dR`g=X&m{zeSiW05PMJr+LszxmJB@^#mr@df^K z{5MNbP>4iOghVj{gEvmD4XybZ|5^1b_|M+}AOyz$(*S6C`6(iWq6C4Y{xJZWbH>YZ zYW7p+F{>utd;3=CzD2M9)&B24wbAY5;rrGv-)(h2pNI}N?w$9haOF9rkC^iMls>sO^~55M*N`}BL3+413d2d($OEld2gGg|4|S4+DkfAP?b zqg78o|IGEa@n@H}ylCxp>z(^+pkSLw(Y{0J?pH& zFYdnhlb z=7F z=G$&Gy_Du>m&x-C)EUjc=eS<0x<+mKLes#vRQaEuK|W9CzcAm~|Dp>7HUIIn&HaTm z47Db$4*OKwEft_9mabWuJkamAGX@P6{9Z%P4x6f7Z|6w_7YcAJHzwqu0SN20>Bwoy<7z{TS9`g1Iv2?- zM>z#N$`eV{gb{2~Q$}IEL2-%kqNSiKAk~? 
zX2Ej(rsNWl*6ub35YP1Eu?vjnub&b{_oC^7k}2u4o6r9e+-7N+%FJg$f1ip-ho7Y) zrq2@q*wG`aW=iEry)Ly&Qp;(3HMLMD%XyV?%W#vSVWwURMjTyQIK-E$*?Hn zh#d%kXLy<6aGV;h9Etd)!^cG`^6E}KL3dQqxSQlaS9G2fC?6$_j6hD|-{`L>|eI$jFX{VGyM*aV#HYu30em+dIi z5{EL@0$Mh%lR~aJnZD1&$2+!TDR59v+nItp8uTaqgzd9dFAoV6S@SFgNwm-m5qDY> zBbgZfoUs?N; z`Bvr@7xbw4Z~n6&Znn*Ya6j&~hER3{^b<)bqhw;4Yh+Svmp6xFVlaKAOIbOMvI4q2 zk%?4X>X)h$xUWVH-YEABAuqR!6bRPZKr)tuq*ThW)vDa94cHPXn?nHf?GgQXA*dp_Uzj6JJb<@*wDC0EZq7^`w(*s-k2Bl#s|NdeslPM$@lKkjhN` z3z3R!U8MRADIqWv(UAOvTN}ufZ21}qWEG>4h!qke$sU=LCmK|<1}f1W_9rP_EoOvr zkGB)85X^PNdP0dDClsVg!U`u9rZ4L#z-1|_M+_z&;ahz-Ka@rTM9qZduH><)dN!T( zYQ{uuS$1+#2nS#}k#RdD)2`%7UfLr`1*p0Hhz-KrF#In!3r*+B`3g6iY5XO}n6pbE zpT_L}YTaW))cn>x3F^yR_i)+2fTF+WM4$U?;EPV1rs_q@q6{i4NQMED$w9w6AA9T7 z$}sD<{cL)iO3Sr4B?NH70fxG$Yw1Ct)+C`Zo;qKb^k~X##FXQ)NXL(=)L6k?DGv>c z4Oy-jBT9AoX3v8Y#9%x`fa$zOU|!Z@FlptmTs10JSY5>Ju8OwWqdesd(`u$r%Yy+uycit&SdGWU)k}f+ur-=+OrPb;@s1Jxc!~`J@nR^S6_VBt(UIM z@7g}%xux$aKK|p?Uogtgo%8w=+-X0am0nhQX7BfRy0-lGp8N4{E&GFOmY?_1I@G+= z7C!cV<>_4(mDZf)9rn=plHZ?ufwkqf@7%;~vF^_vykfoUUU}xMtv1{6SMpxw)=Rv$ z&UoGDTE`@wKIN73&wgi-({J>dn?eBep(YA62eh-II-^n}Ykx##rd2Z|Jb|lXveARQT%iU z0YiYm3?+0zK!8;(2?$_GmgFMYmStNq1h8dWwj@ikY+15~76^pi3BC7DfB>QQKJ)|_ zYAB%$2@rb!U0xn9D`E0}4CD*L%iaInyVkvHU0YY@9PRV*+53jlepiKyFT2v+Z%{jx zX8rh*<7=}km#=sf^y1C;JaNFzm!7irO6#Bp{7&3t8FurFH{8Gc*+pw-o`j!R!Sa8- z%cs9!KYQ%H8-BChyLUd>f9vy2rPOn;#D9Ghf3{pWX5Mjy3+CPYZ1@D;yn3lwZ(Z`y z%jdtCJt8;Bls~_H6{eHhi;^_7FFaF`j zYjhsFGMIH+td|9_wVzvudI$XEOS;M4U#zmxbT z_20Z!v(NwF>c7R3VoeHc37^VE;jdT!?F;)@VE>;VV*NL4>Se}Ktf8VQE=>Km=!fS_WDo{O(NV_CScYawTEB=qr@uK03kc&b;6)F zR^Xgb(0#w@JDTluumlNpBo`1~Es31dVN!=i)hYC<>0{RU8?EiY2jpk*ewYPsL1C`%xw63!5T^8FUeQhq7fbU{(f z%ZiA)^(5Hs5Qyov4LjZ7ixZ%3XOl^b;mY|YRS(OpdadSn%}y=RslfQim_#8oNd{Ih z4uoOG^F~UGjC7{UIua#!<)i>`8c%<_`fmar4a-tyD%WN^Y1`u5uwU|JxL5W}#vpQX zHj@gPp6?YJ$-+>TX?arAhZE%s4$+*!0O;1s1TjHdh}pvieB6n}qCX0>K3s(hT|V&o zcHm2ziYsxe8p5!i(>uvlH1IkR&)2}b1@r?D&9J#-n-rjojJNVYU|rJ7z%)<`|84Aa5T 
z%XWokJ`j>l)l9fp(CF2ubUvn}K^06yee*-5@!ND8ciXhtwr$(CYqRY-wb{09+qKy| zSzDX!P3OFQAH2^m^B>%wxv!b)njtacgQdkhP$lTsDA_|%3J*4=wj35Y+*}6y>?3}1 z{*(Wi?=s2YyJQ*IR|9@>jMr!Edfdgd>3j+Q!XOXM$JY#YhPO?NWMN(|_UOl4qBTOZ z?~}8DO6=)p)$ zBRU-WXvnD*iY?wIXRv6C3L3CLKv2h}-M-+m2Re|V&aS8_Y^3pxd`-w`W=SVsCh8 z9YMMn!zEkl7xW#q>wH-?1Xa$h1OB`JPDVfJ&8H<6lkpf`|b}qsi)xsK8Rw)-)Dx$JfL{t3~YRx`4 zO*|?(V9^lsBY(D1K-AtQT&<3Jqsfky=IN7WQw+)NA=J=m$WZ-hktLshT25J_LrMO% z6)2sAzutz6Zi|{!nIMc>v*u96!f~3tNIoygeg!|`Q85Hod#?ofGB zvRLu>nJF+28lF1Q=s_}mQEcBtP7+8YV5epba@E~aCdnIi9hw5B}eIChWqo9Xjulcd!kTXDqN8C+#l^=5|^TM zVUW23D?+ky`B0dbO(cvtp;$kGu4S+!w&2UjpGQ;O`-id_Jp~y_-z&3_--V7LBa3dC z?bdKv9tHmcuh$6BVW2U(0e>=Z<_`ExalaaLKk(-~=kenWIZT8*C8vun$!G|$2e>6N z`*A~rAjOOzw~zil^Krb!1|QxyH-@$2?s(9375A}@ciC&>`gm`7)pRa0HPb!RY4b4y z?xA!0^8=Z&w(d^%IoN0$wCujB`quOQK6hl_zU6H@w{gYhsd!uVs(V~{-{wuKKQ>V- z^ft(5LA~fu+==(GU$*rxvpjy$litB+Q#1Sh=ofHR=%q%er)P$2oYCJ()9r>ts_uQu z`Lf!j|$sk2_KTN&rp|4in?dDJ>;`8#eu8D_DGq`e%D21kwWRO?DhqpdN6McS5?X!kPc!N$50e` z*g4W$wFJzY-_k)#ywBm~{Kt9i{!gvaz=?_hrrIPU{aF#rfCJMZ_Wx>b0$B$aM> zapa`JG5}{z3UEkA$*Jv@-_&0VeZK%FfBbn-`i8nLORaDyT2#qU1EyDZChahEyAaQF ztjPLX4XX~lVH`jmR(OqZvS!Wh^WLG%C93sJY>@V}%dpi|q_adFzg+zfZp&;7xyV!5 z%91W0N{arMujBHKK-F-8SnMGSY~f)PIZT(wMDmpAT0=?=9M~OchNeo&gGu(>!`HUz zKsU3fU{)Syh-vkZN(A!cQb|_QZ_xH{r3oCb`k5Tv7+A_h`6Fw zacCmnW**2- z8gj{eGLaX(%Fd+%FQ=OXrOhGQBfF0Gm!eb0q5~DXNSXH%MuV2l36m%V)kSrBWkh+P zqG@g)tyV3lFaW0##-sllqRGGss(*PbI7nTZxGtV^&@bql*QRN>$4o>dQ%F-|$?{)If+Dw{i$HT#&~WEkaZNIkK6Bj zL8ymPuzY|Qs9AYxM(EwrSZD6~t~`WWsktpij?ek$jX4H8VYWZVS0`a;O5;dT4;Ff~d%udzWiCu#U^CqRc z^fbo{62HR4I{jAd%s?P8vgOHjQ99H;^*}t=2r{fW%Qz*!1uaw1{ne3@TPpS|Qc&^QRkwEO$djua|pyU-#cG%>2Q{~^C7V+EWG7B+gF z!+IWFeJ0{eeOql7H9~UTGrBBabx5&waj}b;W*=6zF%<>E|Ln2I^Z|bThdWFr9f{oI zCYX7aQ3r392$@IM!e+vaB#d0Ar9x=!K7?w&(rK8D;EO}0b&VD<%GJ#sjVY@_7@l*> z?a>^Gv{3yeQ@^aTZ7hu@+L__#&`k*2%(+gVjZYjgS3LoiWTnT8m`d`IoSjp(t&(lU zSk#TR7A1uh0!T7wT1}(DO><}CN6>`N5z$G^hYm-RgjO0!GXvPTXpl|!nj zV0fR!;b$P^e2r}i<=UcTdAy!{o>a*s9dLHgjx%Vr 
zC@{`XMwI0gg}AOD&%}PNvW5ln^H}3#(1thBxsaTn6{tNcu;D0f&b55V|9^OYhJ_Rx zCp{Hf`T+DL|EmJ`+%Ira0l=VOG3rngGgQ&OFfcKAU+9E%Pl!8)3?-DjKNg(hN+ko>-My~0dU`fv} zXLKaM6#^J{I9u*OW#X@`Uky^t@q@6+&*ro^3Br|nUz{)V-l|p!?N0K;LbH(-FQ3kZ z_%(Q6uc~w7+s&BtA1BJ|c18UUPsBFo_-l7u3B>!R2|BeBHf_Bo2kAkh7;*xm6LbA8 zGxk%ML_DXjIL9^YCkXAACX)OR`qaGaX)C-9_%xw zV;O>%a90I;wgit2Id(H@C};m&Y>g7dDm@$cMnfsRY^nqs;e)4rPu+dmiG<$|uWYZ@ z&j;yXbD!bM0|Kt4s*OU7cs!$Lh(2ak&gJ+78S1+qTx_nhsCEVS0vu}51Zny~?QKqf zc^*KtY|p=Wn85a(mJSt$twuku4!Cv}H_xul>jR!Ec6WOo{E2$rcFu)t1$%x3rUX!(6vSzmtAFAYZ*Bs~fwEvr4G5%8h@1)UF~RvX7hha@NO125D17 zGg>SoZSVwr4A>Z9d*j7GAQSIpjJ~GZO@*B0*v<404C@iojsM{ZyzkBc@^!E>ry4Y1&`*^s`|N*kl4w zRym&yxmx&XzfZ|#>`&b`Y-bUZ@YptNN}3E&mgMuc`GO4fBZq~4Q=qXr$bp74`I1x{ zKQ7mzoBNDbd{kr!YWOLkaI4+?i&D^!rLjkZJjRqiDlibWHhoDyAnb{-rl4MnE14Y5I>iqTB2rIK8ZUkTqww-nrg*I7M4*Zg{H?T z;g2r|=G35dHt;v_b!Zg6@J5tr!;_ZS39aHXjSqD~SX(lkfOP@nsJv20;u{X|0`8rFzJ#MoN`yBIFaHSAx(E5RyiMRY~d|d2|#N zLGfS&@tuEMATh1}2cnUZk@`y^HLk_}SEaF&-$9zewnL4U zE$nYqa<1hLVA>4c7o(U1pr!SLPlHkH-OQ7q^~6dx9S;-rzg#pFR|!*PJIp_AT41P( z@K(m^@#yC2Vw8o2X<&7ReEUKvkm|YGZN0_tn=-E4S*qq&uFPPCi6GQ5d}|tWn*aw? 
zW&t!`o+fpLOY!;eWR`eQ^ko)hOd%&@ z%PVQpa|gVTB!8b8js zT5=*MFzILJUGk4yOf(8TJkIVwF;k5V+=gNcBKa4WUepHrF3tpjA7=NtHl!nBJQ}#K zf0k{?Y>u9`S$74SFrm(`*$W~Tfy?y>&X7woiTwuriKVYy48bIli zensZ(1wR`MYrR{}tz+eXynNEH4E7ib>o@=0SI3j06Cr4%A?8rhVXo)=11>=;iiV40 zLGOc#Rzdapnfljxj9i>{KPUagpunNLZT+@cyQ#zOHKE=&5x3usj!d8xIyZnvz}=r5 zBCw6p(~&RueHzKK=iC6WrsnFA^VZIg-8tid-1tTqun&q4XtKY*>y7t2Px8IN;j?@B z+bgjbg;sP3==%HR+D)j@_)Gcf*R!@pKuX zO|K7#EwWweneq89)^hf3qE6S8%n?}ZxxL5sJ}IR-aQh6B?b*xfP47qEJiX5cv`rCl z>Rfut5dyS&U8itQK6NxjZV!-!ukagzM=aKECg0hIXB%&pJ(2eU;uG*ld{;bxE5`6eZb|t!poE)VWcdI=71x?Mz=)b z>a+>}B)~)-h3EZ|-w%X1q#c$U4Ot9Obt5W0)r6OG3KD*J;nY~K);6HKboTIly&Nux zj*qh15ci2PeTo*{j0*mxAeEC2f7gpWsp#?|I|^0PqUdfFRAbD~FL@vuPNAyCleuiH zg5wNd_#@p-CCh9Gnn;>_b#zLGqe-AwD6z+8P6i^Z$V0k|Mz<`TQpTpJOa~5AKovtl zhj^@Z+%_eotm;JOv+3&RjGP#cwmc09>e4~f&=;~D5B53)xqx!jlS%$`hZKFXCV%S7 zI8)xL_*!R-n3@z~OFeBL@u9sy@;{~&BBlI4@Sx}iC3JJ<9>wHwSy|IbCY(tw?sGAP z7=76by>(>&kV?h=RY$szdXZfn`0fUq-6hW;7y4!MFl+bjUCAE799Bf{fQ(&*EIPzA zw#?;Jgh*z7Mm3$aiS`)Vq5n+PyZGD(zB2Cb_}R*Y2Y-cPpjT0B5#;6Ry3=snn#+v& zaL5s=p}JVNg(nI-$DD9?LOI(3`j)vAFrZAtCS{V#kIh1a*d$ZDog|roTkgrGwz4oP z=KkyX?-`j?mmf(O5@I>S0d;DRP&hOzk=$nmb!8Dcwu|?4f$CN1yq)AFii^^OsZGu( z<0^|*B7Ru+%?#=c77tyF=8{odjFj*n^r=d}LJ7%(P3iE+?2Ug{t#JQIbW!{2JKyX=>+!X91CDPLiV#{z5@FANc9q>7*wx$Ax~K| z!K`(w@N@W;GXAUD3XMzFgWG!zKf=CSKEX-SCL%Ns$Nca;qADg?bmcJGJW!fBcKi~9 zf_Xc_bcNk|8td*G^`H5+aF`@9ODPcr>OkGTnCv1}B%r>a8vLDRFxS7r@9NIcrvtTl za2oK1`B~Bmz?w#+jmT{q%6;}}%~~YeU@?|&<<`=*!nu;=dlY+#3K?j{-^|pijLL%H zzo@#k%F(X#GpXPVVsq?A3EtdrGk(*iq2)UjZnshHGN>Elj||&U=2#3yM>g(ExFfCB zZXtJE<4BJDvY~*25QoyLDMRpT-VhvU?!A}h4AZ2CMiJ_!>LHEbj#TYZ%%V&p$9{@} zQ|ah`DwH*D4W0$8F@2Pemn9i(0{W~lAFh31zJPU697JZ9rc));fN`q9;=CalQ3=OM z^ck1voz&1hgfdtdY`NzvYTIr6DesLbmpETl?#_bc#g<2GWLc&x7#&A#^zb?*P4=xd z(Z4G!BzPg9+~VUXFxYQX=V$s9=OUa({fxG_bt_w#X|6G$s|^z?;OWOt@oAkFx0?R~ z$6`9$w#jS>CEuP6o2cS>RyZz)PF{^G&v30=1hml#bL-oA%?gktsn-6C02zGT{(`_v9;mHZV?WOYv0NNUK0=BiDH*I!X 
zJ0IZ79sRBk>win-uIajLuTK%Z55C6xxy=c@EXqw8yf&5gtjz3sos>T=Txd4x`K1|AIsLnLAdtYN(W2AJ11m2IJ6!rYuUrr*K1Y6d#uR(VeT=O6iz*H}K zj`?Z_f~ zHkVg;*JcJo?Z+BRP=^S3Fg;!8c<-CbNf+A_U%CL{pdjF}{=D{i&47(j_w-YD=G$Bu z*&5Es*Z#bSmLuf*S>KB76dJ6_bJ!qNmr+`CKW+ak=vN0`^x83Mho0l-YTvp4i48ts zwY~Hl9V;Ej(L#vFGwl4W^Q>VBpYGFpFf;{EC5T|}q3?)e@=@M)ZF#k&$$K7k^Sr?{ z4+roAwgR_Sj%#*zF$~@BXKU(#bjoeSxj$Cq{(>em?7F9G!M`6nt45dp5fH2Y!3+KLP$1<^E>~&evC!kNFe;)s$5u zhSTODs{#JtM9ej?6zI=OJf>_JMr0#W^sVSBfQ}&q+yEo?s3tBr78{J96yAv+s5p5@ zYsylKl&j_3pr1+25asYyfS=|d_zt2d#v=rAEZJ;yPE26?i5H=+{nDAx7TO{ePJT0% zn%>E}szjEdTon(ymNNZR+C>Ron_alZfhFHT*{|Agv?_-MS`Xm_^DUxI9#x$fsx(M% zvQpPs*v7n^&tgcIZ=~d)DB_l)>neNm>Hg>{e=IffBYSe;D*5^UB6YY`=Fi17W z0r5O+_b+eDfsYC|3w2ShE# z<3IpBj7q$WoM^qpzya+@VWaAlJ9i`V=sWwkPH~-J#=|s~yc(jT97;5;s_Z9=C6l@n%p~NENcNU?{Rl<)IAvj~-|Nqb)h}IujM=N^ zU#rt;3fQP8c@L|9t}4JZsbeOTlqeabwdAqCS+xnu;pRS=skJh)C;vHxu;;<20vS!rhsPu<2JTg34$~ItUrSGG}tZHKmd~GwUz) zmgV?%EGbMPYl&W}7l%_3mcmS^x@ngg2x@-ZrL2?>pV|LZ`~t>7&CF9X;9DZ=!dGy~ zA^sBmI)luYFeuxae+uf@@im+~s2JtuE2s&BI!UR<0uoE!s`8mgRLH)f@L_Du)q1C= zUR@cUBAqI*+zSt9jFeGOnn0;Cl?she^0ByN{Nv0X$+u3o;5pfa62ZuhiX0{+G+n!U z_^r~0jPoktA?Km_zi2vmCR56-b7iv0ExAEzYC|Y1=*x3X@~skLB0rFtG)dH)?n#W6 z!_c^w>Xu!I6CV6a#=3a=P^fEXvE#d`<5|2A+I`y0p$Qn$_u!4GKGN198zC0kkOo}$`UvQYj&B$%9sQNJB; zOureJC68-`Bz7mrR_F{GLj;$f_h(iPVu6y0!Pk$w{IzgeHugfKvissPrSulcf8V(A zT=Yk-v|<|AmN(2=3)r?58;_M3*oIV=q+OCZ8IgYvpkb702v>_5uO4!z88n5ldQf07 zW5l~jeM2n8qmFt&kcesS6rmD=V8!2*4vnNAg?6sXu+Jn>WuyFH)KSshW)jr+fr=P* zKm`@2iDsx5RunLDFk=H#ECGy06)yV4jWS)pQ%Bik9Dpwmn~+IejJwecNm6kb3W?o1 zO|D+Wlemswo?Rs-)?)l!^qYb*Lcxu3f1KA$*0ihtO#8aeQhtSm0(J^^i}61kDfv5o zL2@>j#?;|xVny6WsfDApU)<5-5XqvACdATRJCmyJ)MwPicGR5FZtE<;HCJZgi4NwU zmYIUyT+5^U{{X<*uTid7`gP6?9DYsScP0e%Ra`Uvag$%k2P?r6QShlM??o4ZQPAOw z$$us9ZUN%91nQmvjr(+^wdq?&bx=ps%>ivs{!gy$1Ve<6Pv$~K?*%y1NkoLW-{k}X z_BH@s_XEC+ooAn=lv+Z#{te3~A^p?*_NkAjP)6VXg$qfn=sqrAq^&A9r|ZD>T0G~^ z;naf4*ZJzZE+Bjun=d{KH9SB=mRGKz?Xd~23%70Sm(Q2>;w`%WEek4M z@Nm}i_Hq38z22Om%__&AO#i(;l_Ra{zJM#iZkFi$I;Mc{YU}SKd`j9D-3MA;ccrsw 
zRJ9AfFR5=tdS_HbM(@tYMfre^OH88c6z-cNsVn|qL%W^3DaS`pVeL_0aC?Avu>Y~Q zr_5Y_>nzdA!|nD;*GZ232}mh^+eV>V;OCVG-FUcx+n>Im$xG zV(QOxpWB>evqul?>uLT5-?qc#b57$KL#Y=imc$LoUiYGTHaY4*jbf3?l`w7DAWckbf4V|bfY4tSwXH?+I2^$h5Lgh*^y_iA>;udf>9{W>%l9_|kbJ_} z1qzP1#WIpBEGa4aZ!h;=>>;0tlk6u;o)5UOwE?82^Er5klF*dCj{GH-*0h?RkQq>q z(!N|lL#o752t5^^P?b5t-uR-yTD)Z#u&f)^_*fAoEH-oX`WK@6o@ejyOy zR(kqp)8~)vX<4>InQAiYL@Sg+{0sjXbYxv(>uCrR!k~JW_{ybWazPb$Ug!mF784X~ zb|os5uQcD?zyOtf9D|aqeVMXCaZ+I{u2>YF8&%Cv*|~;_iMy?^oMtzd%QCkC+Zf}# zt#4~%6|h1yS=Bov`u=r*AhjWoWUFgiTm{YgpMw^0_ZM{)HV^Krv`AG6`90ljxe9;c zGiVtY!k|app9Avn9)Dwg*elVUDaBF)%X4bj8=4bZiBQC%Wa^zk@~F~vB^1!@P(yTvviq|woon-IcHxa^i& z(n?}nLm;SGn8@juZ{XC>6l~0Z>weHH!gLAQDoZv`a(-1)nJ7_INs4-SHV!CRk6~Co zqS;XtZ3x^cX+P;o! zDh`i`K0VzJ0InMuTGuzU3kZKYp%xj@vnNxg6SQ&Y3sXbH1BLp^_CpirEsEqnflP<7 zqH%~PsM^-CCbAG>Oi?6&BnY>iAH^2UaZ#KZv%#T;Rf+e&C^RdP?;I$(P@VLK#o7^a zQcf`V=MtDQm}f2mh-}{G(on|g){3ujDo9i_Zl*a)RP*FRi2h?Fix&KqX>ti=Vgy}F z*owW6ZZx71EQE41;^XDmhIkM|d1-cObbi`d$~f%_biuK8S*Lp9I8`Hz!&)u`T4NYu z5AY-;!o691G<$~8lsMRlx3XU!(7dT_IZkk?o1KE&B21Zymqv}(s$FR87SFp<^e=t^ z*GMy*Sy6g^S<=dI-H?@z;w3t0KYPpUk9T zLjyzEm8yH=-oMX9w7lIC6k_F0iT9r5Z%Dsws4Vw+@}u;rMJ%hxKvzW z)vscjlel)B!ScImz**;aP0@O-#f7ZAI!{r7$Y^K8LMK=n^bgVcc+3|YRBR-=+;8P$ zWePv-xnQZ5;DXBA4Y}K=#W&tjv*sC7Z0bci`!? 
zA&;L(_rVjE|DS@Au%MLExqTG?zVg?*tg5QFW1}D z2LG1T(zD}t<@?PI6>Dh;Z&oBm6}3vZgl?~1&Ub#=-Q9&}6Jpt+fuBA{)_%6<^{5#l z&o|JpE)zai|9lse?rZOXq}=7>YnrX?vx8^AD%_0wo()hbVt1 z>bp;Wvf}Pr$YI!64yWzW`lXbESn2P=O3xLrd%${aK7$ICIlhn6+=SleUqnFlRlp_; zmehM6Tprro+Huf}sQtgwjH^<>9==5Svu>Vxte)hk`Vu^atrW-i_nzAnvd?M4i3FabFG;;f} zq^+fwP^+Y%%;bH4{ICrA091WGfeTcsHGo@Ar$_@U@B-%1d;Ae~j%-R-qv~b(24yt_ z^WUmmJ0l{uM<0r4K3(N~RO_bcSl=|QD&}I5iF2`7%3OMlCQbAGas>lUsP^jaFkSJi zz*NVl?UKsW$~f&&k@lQx9LI-LL{vd)5-XQ;Spua(qll z7h!{2T%;kB5Z>Qzn4^+*?JLtwJ%&ioWcWcP!WtWGW6KOIbgypdcxze4L&>PzC#7h# z&@q0yau4ca)oU-}J9y|-vQ*hJOR=VvSxFTIs!Jas=d70=3iQuz7z@laXQaycU)34z za0(L9lg$LB>BKz#P93UNbIoS+o0b1n%@me88E|CoEK0pzK%olsXR4hb!K2PVV>8Q; ziW1JM+uxl9XrszE`pw$H*R3J01!B#7K}-DBevq!CHmQlHUCA`b3cR3f^wDk)kB#A& z?-9YRixDQWdcZ4*FRjucNhKL_!F&EN4SVMAWfg&Lr`)2Q7|o4+ilgLOw->3IrBwq>TDmrfg^4 zlv(tZnUyJS0=2qTc%ht5Nmd)BSxrJ7YSUrc=ote%!vMm01Cko^uzC%J0xtYE`#7(& z&2J5chN2J%9pVHV{(am_X0+f+N+ZH=){lCh9)$8oyN|%Of@1z>TrFUaC=X1(>~fC` z*2w?~sRcKrv7x$&Vt-*US4a8UnP$ncIUormK|^2i+$bdu(7o#G_Tce&s}R zq)5~3FaQ<@0r!;iQ}h+CV~+c(zzbTQ!!NRE9BP_eu^k#^mQTm8(UgvML$mgLQRk|v zFh!MULc?myHbp^4(`HI<%c_^zP>)BPZ6D_I3H+44hBa3!FHw`f^)Qr7>&wq+# z&_Yq(o5Ph83yO|Y(7gr%Hiv{7DG;pExEvrr zps^KM9=^70HC;lg%ka_(T)L)IB*tDXrcrTMx9vP_=B74qFryI}0*aP<1e z^@t;P{S4Vi5+L{3%C_3!YkydWw@-k4y4yPSMd^xDx-s79%Z}How^R-fI8AI~Obc)v ziwFR(KOXZx&l|N1dKUBe_HeTK9i$#uIX8|lt-n4-yQK58^!@n|vU|OYIA=&FLAGw5$QF#)B++Zg>1QO94$IBFj+6r(fA)3{bcK()fzV41~s!dR1?>W6$I#t3L`1L9bZf9t&%lHrhuzl=k5U|5_m;W8m zvbO*IE}ueEeP=UF?>^<_4Iz!|nH1o=#d+N0uYZC2RN5S8_))Z5*EV@=)akf;z(uM$ zCeXVt7oLyYKxBkT?=9N_4n=lk1(ygI_5$+&GdS7&UYqxx3@Vp(kMx4RtvqxA?^AGE zeh#iw5M4E}gUM)D65Ay_mA$dhMR2COkXH|=|vo`sVGWr~3 zn{bew_%9Xcx3F)Ww4j*_r8jwVITIWlj1f^`1)J7s`JH167pAy!p)b-@rDLne>@#c@ zlY%C7IY|x&d&)_JYrfr>IdaEcdT6tajLs81m6Rl3!8!a?pEx%)V!$11VvXyLuZAk^-jho#`R?!M@D~w=wurdVw;gcPwNyP zjb;%%@3exafL@HpxwuVhyuTebqg8uRQU@DxwZ^~}eGXloDrIH%=+~=-fWokyCEFBf zm?r-aJd1)J7BxXJ`YjRn%MAIjn}pG!sE|P01R*deIuv(x`QCwOg1vj@%WA`&pCQV3 
z^}eMUxM0c?7%O^ONy=?P#Xw=W)6b=3Ys{bg{_6JVug24CobkTEq#R_`R71ftR5M5f zz6RcgGX|J+`U<J}5t_Mrt!QlxW%f z8i`tS^bGm2JMD&%gJEl6nWC1&Luen{P0Nhmt)cg9L!nq7&&rTWOq*=e7^AHrl=}yV z#wzO!+cv=Y`6UERo2U1zT9Rb@8+X)|EhLJE%MrH6**foGX+d9cQN;yl7i|sPPlNet zI=4&ozJzW|fwE&XZ}|Z}e?kN_{Fh+-xtaW_7dKdu2n>Wccfqz4tf7@zg#E&|oK%=) zXl%8MlEeHS6_P$>lVd8vL8wzH%j4pj8wQ!kV!+wppmPPJJu85-GOJ9iu_@D+nvCsB zD*fF@ZrqeN$BCmcTRti=afoYHkn)*ta=3xZ4w*cZw!9q8nk|h10Ze>lV6u$siDRo2 z{t%`I;swu=8=Z#9PEhL>k}B0b^&csy+WDPLRHA5e-?8t)&A@<-fTc1!&Nlx*@DhyaVURX50odt z)Re_tG~+kZsfIzpK4T@L*jC7%ZD6lh`N)Z8Czn1u_0hd>PhKz6LVNeK6(+v4`_8an z+N&d-C{})=H4uWRF6(2R1Yc5;HR&beOuJCmv8~cQFY~O?xE)Rh!(`_^Dq_85GKs-8 zb+QpimxcQU&pGIdX23~0qeoK>ANvUh?^s<$ke%;T=$43*fX&C|bXU2W0F2LdLp~HMyj1swbD)UZ&w`8H4Z1nK^=|iZCaD_1oc^`C z%`&YI;1Kdm_mPO@`!a0*>F(`@)Krc8-926~lYsYr=J>WyHT~o58K^S8b)84(?G&;4 z1gjskaCm&te5NLK(eWqCHC}Mj>$wO9qt|Urp#F1FDctAzvUlAeJ+I|0d~A-_ zlFe);s^hpuPpR)NhRpkYfB@vOg6kRQ(S7yz(IeB&^~RPN!Hp@;y5qKZbE`4fZ8A}A zvpUChkHQ!K<0_9$a7!WpP&>r60g4q88+JJ+^rm4s-aw8MJnh*P=)HdDK-#g0^d#K! 
z8$1AC--Dn1Kya^TFGPMD;Q!p=g3vf$w;+WIx}@KbDI2ZDqiQP(u#Ld)N+zE}?b+v0 z%d!VqEn%7yR<^VH`!&9i8C2{+nMu3yJx; z%4aQ_g;}Y;;z&y1S7aHj|Mu#WP_h@{A|)3)%Sya~iF}_4o_P&85%AZcQJ_^47_y6S z6gI@e%-9L67uk!gs|xIsDHXCy6tWir?abi$FDUd97~q>=%!-M}cYLGi*Ux+7d-w$f z2i}|pu>Sa8?-CvR2|oKPDqVAS2J{B(x*DXXPLBo_qmY&>>&Uv?G3rNI+PE7l&DiX} z=~9KH5b_O0Cvs)~7T6qUZgyjD>+zb`U@?tRP{zsN{LY3-UKtaiiw%c2^ku7d&fmtE zjtr@qSK3;7@3F?X)P}XF8$(@L&mJM#u5qz!Pks#wk}c=K+&f1GhBNQg$~>o8`zu4| zUuM#jtL2-BFSYxf9=&RrGGPR!ybCLEBw5yQlKIL(4U0JeoM4ivQ+mu?7QK@LQxy$T z5*f%TLRYkH;mHVtp)&tW{3gg`47>2W@k%*lRy0b+czP3kNK=`!=%)eXA24;TRgs!= zEB>|Pa#=M<)40;bsfy)lHE14f0!S{{t4!^@327=Sns$f1(199t8%566*rpQ2%F|ug zMitryU2IjJumUXR5nroUrXF<@2=2|y-pIbe(;AD7kD~RENe;}n^{6Hk%ar_XiFOJ` zUJpFtLr8thFi|KhDB8|ohi9ceGOfT6Rcs(OaF8i9n#p#}hYjKv`>B&uscu>q^wUSj zsrto7PFzvZ(2J(fgurHf@oFj$#XBk!s)xp97$=ELF19oYJU3P6ZE^%%p!0p?8Rjt zF5aTBFOkXIX(qhZy=zU`rjDr9l?S}oOy9-3X}qmc~L@~PQ0QL6C1)vlQs_QSRYdJ5V703p>^XFPWT@1@a(1ZXjf9f`^tDc8F`Zg zjn|=UJQe>25$GV~+oF+SOHD&g)v%^17=Sb^KpVOXtf96z;{qA=ZqZ@q5q?f-7{mA^ z7cJnnT{+#eG9TQsdwdOP*$kFx+=XWsuq0}3+N0UfJh*3|(dpzDLAe0dAdWe`Y!67)2r#6f!LbCOY8XV95{lh1pHZ@ z_@ciO{&CFH;d|G=3;2pnb*IdjJt7zcMgh+N?u;P7Bu!38BQ84oY!86V%RW5A?WfUj z!nM=He6H1isJYU3{LV40cAu+1L<<{a@%IC+bFH&AhG_3DLuZ*h_(#uPl!8Jw>>h#b&5EXdUzA7kj942loyx~jI^?HKL2 zT^_<>d{!7WJgu1W{F45@gAx95Cb2h(_0)Mr7oT_2>sr6{_(0U_cS@_(<2H2|eIas( zm+y2qvZ>D^fVJz9T~0`7;8}Q^)%T<`h!_4*>-2d{noZF0 zS$^&2zCpxn3wZl?!8P!fXLuQ+V7T@)NCqkeHE&D_l>uJ&CdLeS{2q(O6g#eqAT~}b zKia%(f{CWjq8(J|cN+F5m-NzotR)ie4E6T6#0=LD+eVN!?Vh!EH?n+N(PYl)0Si3W z{OcVNTbHRqTW4~}Lhg5xb&suhbAVd!K^bp99B`q8%g0q5%gV(uPi^yPmgO251vBf75JzNsZ@+0mc=*VYW>9iv>S)BWzZ|BtF~imohLyNpv6I~AuYwry8z+qPXvDzD=*m_w9c9#vc25?=jam*92Xs9Q($OF%bZy2^x8dDR!I1NY(KE*uPzU zFaf9?H4nV3$M%2#u^`aVE71kXYwz^zf4;=hTcRquliSpqPgrfnk&rJT+cU4q%ykzx~NMy z`ohK#oCGK=rM0SgB2(!w49o|`WpxikMAgvzCY9aJEfgWmKW707<*Ll)h!lNzKgK$w zTM8jTqu5#pCAFYN)3QmG7MQdX!j zR{@NnseyJoaV*kEJE2IcmY?k4!mp$#ankg~MvQ4k6lQ2`0u17YVfn0GzbFu8bk3PM zR2R>Q3?(KtbTB&{yN8#WT(~&haXzE)zADPOg^cGFkMeA(Ru0i|yHpS@3Rrf78Gf7* 
zSI}R&YJq&1jWpKhBD($vdN&+TxF^AWd7z^&0(1Ib^8WOz0~RmczjstfkT#7c>cwfU zM$OhUK3(F1hB!^}Z6uBcX$%Oj9X}3;+N+bd|W?*gm+~5C%Zd-;N zxcE`8O8Ld~y<2*UHnT!BGDD{pdKo9DO-4%~txv%R*Nvx4DsEdKD>h3)20(ij)@Z8p z_LD2cHxM_h+W4is2*~&eeSBFl<$tnomZ4p}zvm*qQ@kDC=LT=sef|@GX91NCutH-8 zAMbfUp2!crdTi{Si{{8F!MUTd)R=Rpw=5cY5-2k#^GECp8_w-ZF(ph&HOz%+g~w`o z3ZEfX3aYs;=$OUbc6Mx`CP5sgi&D9nwudd=`t^nOuYPKq2>CN^1-qZJUC9A7{=ZxUbyU&LBBR zBjrt5vr9dsxrk_}%5_pLDaIIx?LcG1@%pIFZ7GztChZIts5%bZl*s*}tyJ!rzf{D@ zZX9!C2<46}dGlBjT8t5WLZvd;PG+&$ofy=HMKI}Jt^Dlb!wvHUB`<#zlCI(!pc^9< zy|QdMyxTR#m%->)v)yw%kJJA<^g*G)eK#Q6&ljQ(im#L4n19|^mC;8#twriEeTbXp z!w~Yj`90k}#XJZ9fq(!==f&jelH$gOFqF|E08|B84dl=Dxi9>H{bYC#%F~4U!f2Z( zE&*SUD=7)oAH#}1i6BMK81M6_J-DN1Ud?v%Y5&gZIm)x%xPX6LB(TbKIt#Bw$G7*$@~ZQEr>Wl_%l|F~(|%jC(XaQkheF?BG#Ib; zwKTN<1E6zTF`D|-O7+_8&kg!{Q01D-g}d3DqAkRC$Ln>-)=IPE5Z{X5xvWp`=^T&g z|Jr>hZl_kV0l-8b%i?VEum@bt*bCD&i`2{)F!^gYzX z)_UuunuWWjnO&GmAd2M{(6*lh68Y`#imbe--U64SO6|O#UQFTiG1VEex-OmfxX)8hNmxdLx6X)?Ij9-&!L~sgw1r9WbT@N>AJy+Y{c!YU%>vyPeA!S@Ptis{IKo^6y!Hk04nrF1Nw% z8ZMtz>pocyJvy#z&Pl*0vOWH!TkWg(pw~raI>*?S8V_IcHmLNlSLf-H+CH8$ zojdE|0Ub2nC+?y^-rq+#5ig&M2cB5CA@F80?oA_k)zf@)I=^&MLFd*A^vZ|G-GE>a zUmO?(woh(LTd#Z1?HKCeUdzH|YlP?8i95y7H_Fx#9oW>3-z{rc#0~SL70D}cLzTKV z6<&N*qOS4j5+}dI z<$+0?$*WTP&^4nILgfffb!OZP1!Qd0`!hM6HU*XghJ-R@u=rKzraVttoW(ySfzy4_ zq>(PZZ&_lI3Kh#R-YzLGB|4Tx#-yXb3zr=si~M8A* z&vfX}M9_ytU<^PYgZNwqdaUhXi)SGlfmFR#3QHP0u!iCYozK3AHwFd*b+Egy=H_uu zWcT}VxD`h})KoSaRUXfQi>ds6kr{*5(=K7WEnt83Q(gV z4_87R-Zdy^MQp@M9pr|ayVeTMDJ82}P|9*lRk@Iy{^?zyId(i1rFc2*V+!*R!VD?Y zK&7H-Z@?y@>?`g?Op1;TY&7@4xzMm*jhxI=DT$HsP(b7oxtX{tB;6mb*2{A@`qlE_}*%S~0~XxN&8d_kd^#+d0!mU2VuPI=hy$GZ8ONHPXJ44DKTX&G-a4(@|V zPl1tSOn?_UOU@yl8MUX4h-C%+RwUez1)AAjl|_hPTAPFEN@AJAftgu|j{SEr&#m)P z1g*G8Ep2LS5vW^d7m+HsYVr6`>q4_l#jUm!jxuUwQAvA@r?+ks=BtzVp&wr5#FBjd zX^6o&L86^h`1$e1ejJTvqD0wgGh-={S5@j_Mt04EZV3_(OKbbVs zPd`gMvP%BL(>X211=u=c_+Qvl594tl*2QB1iB|{c9Ewr0jBEMTKvlMW5y0ARrDtbN6eO7 ze6Pc(DI?!<O)N&}@ zOzs9>~}ozeDW2 
zPl`~pT{P-}}-2`7uf7w%R_~-8}&bOL%|c6eMkJugmRqv;gnkX;hAGujv_YF6Vo_f_Sa5 zR{)z!b=%4(`sECw257%06XiBd`1L=w@@sKl9b})vKaPQR^JM80$swB8*h9Nr?+e_$ zD{aFWNVXaaJb{Xd>am>O4Wmioe(oACdBxMM@rkiz`aY9ry&sq2*K5of{$i&r zBjl^C>ihQs`5u$^zil_urYjR$Jxb1%g-=Rr0!$OJgg!?jx^jNdJr^;R{;FKCQP`VU zd^dB6lYMx-b*D*q|;P%I>W>t_32zmbg8Yef8YE|=s=IXaL>`{AlhjoWg`Cg1zR zVrtb#Wo=F4i7MU|L5`El8;?DI`-T4Oy7QAS>(i)v)j_q-iC@0#me(R2MVK|rV?(-C-{n@o{zoP-Mez!}x{+T{WuiY)ozCyqU*zS99wyopBe}(x7ik9K!p(l7Ae~WqVaqU*MPT91xQ-%9wp0j~eu{qy7v^zjU` zuK@{tT?@cYPLG0SjeR3ti6Rb4OmB>lD0};W0uaVRY$2l_5}=|F0M=5^d#@5Gh&HdX zU58g&xdUDkR2T=(1}Zg$a!9mLtXaGXfp&rLz+td-*J9oIl7OoPOZV$+WKfKzX<6gw zS*&c9=iPY8n(Wb!TDl}>MzLVhsppI&73E{ajg5l^l2sa*+-(yIn6Yqcw<4xfm{^Rh zq%&=qRBjKs5T{*ib}gMY(=oPGIA5EQSts51{cW~LlnaAF2=;}?Kt5p!~Y8J2{Be_AV_Dpo|E$U~i@@I#_-E|o$A zYAh=1aw6$@IS_Y*%Xeh4(}CBB*=lm>HXT-_;o+ol8N^s2hJ0(HFx4P68iOm-xmKBm zrH8y&wX<}jH0qals+vx#{@~(7|1`yk86X;ovm6O?_=7kj*oC=yk)9wCg9Hn&TO3E+ zEZS0?(TOgBJOn6HE{|127%4mExMDaU)VkOo+Od|pSdYl45I{F3Qb}}kNgQBi>u-|h zS#05~6GQMXsvwrTE&tHNYwd?&6VU4MMKPxwM}G||Q~s`NWj6FQ9f=0^Z0 zQ>H_bOaHfPR1EL|K98#pTs%!?xD*hq$_6an$1`^!xf`rQaBd>`^_QR7uH;I#-2v2 zOyep+g}yAIFgBOngtJi3=|t00@cYCCOV~qjOb-yVi3pEaD9${CL=Xz*)K4iMlDEH3 zOW7==ekR&sGJCmnpn(3d<1%H55CB}FCNfl6v`q}0ikXb&Wun}mFG&ScuVGVe=QXze zq5@g|S%UV@{4>5D2jkd!2}i*$-6sbipwNV@uU2DgKd2sXA+X35!6eI>T{XvR@@0^q zHONS0Y;h}PC)m(3MfG|%$##Y8ZRUYJd^Vy!NhLK*8D~bp6mS(~sp}mymVP1$9>o$6 zX3gT!=~g&driEDAlebkD9ZD-#mDS=2lZXl{^YI9mDTtf3P|fvoMS?BAXHZdNWD0eUGurlLKca!ii?62eZS-F)cQKbx*^H#HC&sL%v0cD*mp-q~F2rl8MyG$W0V2d*RT1bgXA{Wih zW%x)x&i35-KjSNgn-1!;S0C)5{2ex30QAQDMd6!wf4DJxbbf?tIM8N^eGBa47Xr2V zQ-f*k3J}qQy>@+=U%?8Z;7Ux z)*L@Gq|N*utI4`bd(UbvY~GgGP7%k>rfKATpMlNl?Pu?*)_{(MUb(BTo3ZR;LZhqZ zkvlmvHWVHgvia`Y?H~kDf_u)UXRRqsrCq~1oP_1M&h6gEwk>^|W&CqEqw|Z{s{OX& z(x4mf!y~$W`zdy)F9`XB=t%?AH%Qp=?}u-<^RS5A`t`&DTU}45sHNh3*e0G8+|HhU$n|;*TXfr}R=775pNb8_GW0lyD#zUCvi5e4 zasl9q?tm2E{hL#{&2MwBTizXmnmS^jvsL&GZmg}Ij@jEmx4zi=hV>&1JuQAdha;mz zPVdI{*Z0;39F;xB_zjj345*=j^_I2Q_FjY)zN9&|_CA 
zROa!l=IK##_VPW_T3y?6dYD1ia&Yi8HCSAZ^+DIp`o9D}-D>C(z5-r~PBbqKzSC9tU1J7wAC#%#7Xy>a`<5;3 zH|n^8gDt*XVU?M~5p61X)d6(FBN(^i9k3Q&C&ETsLqt_LJzP#dL+BJUF(U5BLQcL*a9iGWZc&5)@#tRh<-Nylxufb z!!b4}XKD(ro6Jj$5_bhNNjiU3gZ$?(_5&kAD33jnYGbCt0qY_?$VR)=BUcKF$kPX}d1#2oXHdpe=$4*`CUIF6nF>+;A_h#!o*CpIv+Og| z3!BZ9r)KP!us=kx?-?cI6Du@5t-pstu&t-f`_AT!GmFAlMX(krp-%>pS~&@0tIr9> zGyfisY{V@%{m3D2{aMI>>gA~=|7QvJ=p@1r^OtI>W%WS|rDoB?`kXyh)wc#CGMpe` zLpY>SeB&kf>LH@yPf<~XmNG;*LWN)AWJE>NmMtf9RkN%fN$ExfQm$m~_)g;LO&K1` z5+peT!i&|G2&mqe<0tXOGWBVv;Fx}Ye~4I78>@w5Xeno(oEVZ{B#ie7dkUb(S1Zn* z4(cEk{pjTT*0JAr;}|w9?kE4FQBae9+63adfLOc|WqIm{VoIWO;XCEB%1muQ_#k#^ zp7Gxq4OpHZqDfl1o=anq)p>@*NO6~H-2+iXEOhh;JeZ;n4>6pg0+a7VX8rlbq#)%m zQ`Ky|>9^U`b$=|g&X-UStqiD@dAmNM7#x7{n|Se5{rIZUiwFkZF=DfeJvJIC>WYB?S zY1~Q5VixOC$xfMd(Y$p*1#^UNWUfmB@!$-f4FQY-{tT=sJ2tLTGh0Mnh$*)7?Vsw$ zkZSgnhr}d%@ej%RF`4A9BgBbq>d49@t%ynGHU(<%C8zFu~FwY!Hg@~aCgGN?)P#$cSFNL>3e z3A{^!EhvZI`Nk1*LWr*`)m}FI`)WV4kMe@J0@(!0VI2WF!qVaKFFx{iMVsMIhi?@@ zdti0q-_Fcf(l@FwVtz{~K}-++^Ac*gQwm|9A{K(5ek@{CQi_56nMP+WgNaosS;2M6 zh!9}-oj}6`XA-tPt8%naxH)ynmp{wPIoDq_#yZW9cTZL%?^z)^`mfAoN2WX9x(r$u zTN)TkJc&_Lu2fQBYSl7idKpicd;#{LAkEmdNOdXGF9aT@4G=YRg%lYO1?24d$cSA149jvJ$J4&_*bjc|Sxso2@98~b zskjABg#*v@k$i8jXo!3p-m@Fo{rAg9Huc+2s%l_{teibx{WB5+@bhLsT)?l0*-o$PZqk4I@O?T*tbOIu-ksso_;LuCvUacm5O`91 zM|1cx!+pAJTDRZScG7j;UC|Ks>2wW~$Zz*#-`luO?yJ9kx_^4?aCx-@-vBl>c8i-v zZ-b4=Q+TDcJ=<;zY!XV57@t)=jhpt6&!-$l%=Oyj-0NiEMo7g;ZGG+CaF26?CF-!J)U zv=bsMA$^3?eKNmO*zRk5$A0T@Jl8YR*Pmuuvn&fLeP{4!&fo z(1mcHyv*OALdZrcW7qK5xKfu@JtYrvl5H53fliZU$;-ugEbHSqW+u`?9M8{9Z)T;W zK2<}$Zo1GY@ba@{e*A`UETh1V=KxJcqe8y92-}xuAyjNhSIWbiSWB%+I&^L&x-@E4 ztVKC(#=CsyTAg!HI@lsJtR;m>wK?Erip@lZyA1Z#GQ3j3CDo~7r;#?}{>a+Y9Sqc;V#m(-#5LqXmlod~U#*d{8hz|54w1RZ_65R=U(GRcX z8EU_BfPFZQx0dm1qnc{-7Pz&Gc;iS@99yxYKdIQq$ZuLFNgT>Z0u{qwjtC*(csyDH znCnif!d)dwEW)i2Z(L1=jN3WXpnP<@CXflE*4nC=d)Cji3j*tJNVKf^j0WBS-HPdGupL7zrcX~qhpgAysHJq4r}5@ZBwO0h#rPQH zT9#QM<_NNQ&iC)iz6;YwCt1>x=VuU~0S=gf zEWm>@l8JBBtH(7DsVg+auaz=sRq%hJFb 
z8*$|LV#!gUX!2yUWCwpkaX1E$6ml=b;o{&>m^C~aVU$d+QR(~g2xoxcmQ6}|_)1Kp zt{}Mq-AJiI3ayU#RbEG943urK1QJu1$~BNv-!Q zN@G5=xc*?VIZO3u?59THuWr3>UhO&D%uN~yfi^Wik8BxC(W=#8LnPCl4K6TgEHY0G zge?^+U#EL2&k)_1b2MEV|Iz%mg-TbdQEPn8y)u{XS=ZeN#28$2V7eS0y*kRe-27FJ@54LlpEoM6qPJx{W4+z+o1dTSDew1<7oXlAFYzRR4b#r+ zEg7Bc?OWg^gUy#Ai||u++zJ*Sln7M+9IUkNcAABhFNp1Nnqi;^SnrpvPV4l{??fJj zAb+vFuY>3hny#JpJzQP(rP~}GdsEj-y`f#+Hv1PA9j8|lz-!*#6{Bcv?2qw99ztck zq)FXYP(W%%r0ri@AnEhHcdMs+G5S-lZ9HTu-$i=$edmuyxmH~u3GHOg{d@0{|07AO z-&H^<*4szWaJP7-&cngxW8@Gw1EL-$@OhPfXRis<@1ZdF^09S!+tyw8enUG|+p6@6 zIdrFc13mP*^+han5jL{dSJL-*_%)M-QiM7|Y4*DeWcOCHzx?JJAqmaI?n@6tjUq2hNzCwA_ zI~!Ji_3w6$Wr?Q&J#1&!`on2GK6!6BUagqpyNx`K>OYUAxSP!eW=2-6YrZA{V|3oJ z&CNcf<@i7a5`-G&Jh#c_*L=pwp(y8HvDR4ifPk_oVwVE(acR>&Gq{Db<~%p=vxg9K$FrGOf*8MS7GC0Itgw32(N#vrVk zBTFrnCCST;UK+N@2mL2A8BKws-4TV^z{;qU&TJ=QQoT8|HhdD365(J>aw~VlDsra| zc2UvkZ$arFQ7d4|)2SKpyjL$Tnk(l)-GmjIQRFd#a^jK1+q;3MqM4l;N-WYP=q>4yl&=)Yq|icbpTi}NK%SKX~yEUKB!Q9n!-Y|6sY z&-UXc%cH1HMUSNmtyu`D{E^JASc>>=ooG9m@mwrKmy{na2i1bY5do28QsyVlwg{JK zs$HHUx$e_L7tXhmV}hRXFJPky3(297?4PWR`D-E8Hm(QIMn1u|b;g~mGXlZNLcm;x z1xB}q)wGBoNeV~4@@a@FYYANEo)>jeelvV~D3Yy#QdSq?UFJBFXdV=;v{%oIZFMw@ z-P`qL1>5{8si4sP0iqhvXrEZ})dd?-4i)>*Syjz&ri#-s9Lm=YiA4W~ueyEI1{UA! 
z$osSalT=DvC7#KK9xSUi79dwVGw_XZ5{4VkV3BH#98akFxOF{(s)eN{CM;|-J$lUJ z==Y9>bsGQtk51*PIq?1g!GJT}&QdGE;W0zG#;Wvaxh;2|@I1zDwP2}CGDec*a>M2n zv8Xb=Rj9};jfJ!f3~g}p;N+0JG^haZWUGn+JuBigI;^dcp-JPbxttCay05VFXj~bV zKuUKUOVI^deyB+%HQGoLtgPnWN*2U_E}s}l?BUuiS*qB`ZE1IXI=091ver@PO2eYM zaMBcDHtnpn*6a?s6(rQTg~jYw@FX*#Z-f&z0^-dF2THF&Sk5aDAaGFZ2Y|9TwbmdY zot$eaeQM!756*fX0jzoqCtAYQL2b$_(M>N&6vu7}p$3u6hC;m=lJsAoUA#;Bx6GBq z@60GL>^TgiAzX9#5M>ylqDbjttW*)?w#WTW!`UOZlm*h=864OO8Ou6 z%$zcn)|gcn?|v+zb^QT$l_U|}B#AlND2I*LI*QpoL(Ql}Tf_o6b-c)AvfTgKB*97^ zC&`(>V33p%MIoCpH|3GzbyRNt-{JQm4ZJIA zu&;si0`(d6*$B#;!|wA(`PNUICYbmB1+$BOjq@`Spbp1Z=T18J?9TS)yBnGh_n5Vh z9(4}RT?*_;nkhm7|9cU2uQt~OD{G(2C|EnKcTCsfnT<^B*c#WA*YQ>CVR^3nySB2e z&QSu2aBJG0S8jVk_t#|~`+MzFP10XQvP8it#@WYe+d!?u95Lj)nYYhnP`v+j%0O-f zvi_4S50QS;towkQD=d2O7vHRWZ0Ek?HL=43Z<~D{Oj*wr3eb3EiE5mSa@AZp%l}Yxa$I;*05P`Sh z&tCq=?UR>AY=HOdVf9mrenZO@AHe%zr1I0NhgIWk=FF?K_xH!+$++o~-gz$Q>|yC6 zM;6BZ8|;U$MeXfF_+}deUH9-f-shEf_8U>^EaZ;rs=r$(qS!Yu0Y54H)K& z<$b-o6TDh`zj*2UvcX64X^joK#GBp0z3M%8KF)qiCZcVez3zR>drG8pTX&K1uf6S@ z{zTyIJlI>yj{P(k?k6-aJV;>h2X{lFL89ldvi0#!S}nfTVX|BbMJz7Y0n z)u8_m!WQF+A4?w#gy(5!@@G$eBlt|51)=ggea@!N`zz!q9_N%m!^?Sog_HI$ev%}% zjA)P_B}ogx%dc}2BaPAO8yVx0@XEI$>L7N<%-ga@9Hvyeut?Sv>@geOx$pxPzoXMU z$kas{_C(*hA|!!BP23sfD=Y+RxXHHVUUrCOgo)b2XsQMXy~<_SYjR&2B`-{|XFCSq z#r%ayY3N{?IH39y5&>6$)RYrn{pidREPak*2ixeFMKqd?s!j(~&N>M~9JH0~=ti+M zi6FzIS^TG?6xru#u#rFD(+rpjLqs}H+0YA_SWga*-Jet0)BZ#_6Y=qzNNv(mRReAa zo?xS6h@`#$AvTx*qt$^zY*MpBEe`9;QY)WqwCKNinzh;CBp8!Ncb&`>?M zBE+S(37pnZL1w|9qasV5JrW4k)1XGSwN@w}G}W_q@2kDPPHZ!yAV$2Xj2uGZ9GtkpMb@eJ61?s zC9z?+kKr7OzF>}%!NCQF7EIao!dsz}x5$|jwSp;~B1BdCDk4U+y!A|j)Cr9t&;X@C zp>^b&LX^-KyHH`IE~B^{fKuKL4e1KGVUa?UEF=um!kQVc`|UK&ZhPMxJvfUBPJ_Um zHk~MlpGYx+oj$5mL|2XF&!7jeNjDUuYu>$6yp{9_74Sy;c_04)h;pJ%Ir=z;1oeM8 z3>plp9-p97&}5lJhte)ZX@IEmD=sHOSd1%n zON!-PqTjO<%Qm9bh}!tBgaZXmW{xQhX%T#QNgEVdqj(u&Bz7o9D#B_^rIx{%u-Fj5 z-8!q;9~R!9Px0?th`N_d51&P(5;~32pY%4h!M;XuU$DrJCfpHH<%yH&?>Y{qZ9JBt 
zM$Mua^$B#W+Hkqo@>^<+>do;AwD8>8;3&oVO1NZ9RTgMD-;Y1HJM8<=`4WY^`KuBz zcTOWLQWNv9{$H;6i!}zNe&OoH7p~qP`{z!6(d}98>j!iGy&z(Xlt1(Bli;skxay1g zK@mFmO%!F#`~>7Sn0w8aY)9vt;`vWrZKu`a>>_%3NBgrKHrIp1d$h(Lz|(I1*14*E z44lY$^4EWv9K4)4bMNNmww>D)wjQG(^gjD+?P+q{m#|NPhm~0XM#}2|GGM03wkO%w zkBKdUMRu&RT)azsuT}L0Uh-T%ZaZmeKQFAzKP}>2dXMHKuN=-RV>hjJ$9hxwj+b3W z{++H0NNxF@qZ&MIn=&UyfsNOHLM*9L6e>)-g>Y&_#D0ajTbRs(42 zRj<>vyzc!>-VEOT{G&Y&AABo1INlG_>Z!N_H8!H8*I+k@5`>zst_j_Kn~hj}M`6oq zE^43u)Co8L9oDYQu3fJYt)_U2Zu)y%drMz=%Wa-Y@#&I;P(aln|KL7s6=uX#XHo;dA$@>}G8>T;~a-8Rl-t)<3KbfQJ z)9~SfLtp1~`7npZueBENk-F!5!4dQJ$|I5GIea&og~!lBjl`roqeV zUF1o<J>KO=O=yI`k8x^{)yWa9S*y(@D(PYy&D@vB<0i_?hdwndRz8?o6 zQxmoMy|a}zzcH^?&j9Yv0i6C1_5{}ny-!aos`}bfZasQTu{*aFxmWJM*Vvw(;qBFB z?^?q9N7bv@8J;Sq zJ6i8`Y(|1_HDz_}@sf|g1$f0KunE$1FPu*0KP$WjJ?(?A>p+`6pxIedUtADQKUw!J z(;!t(+b2uvRx*=NeH?VCQ|^{OztLxGpMpL=D1EYfv46{2aTX4#z3#J+UIxUmlpa;l zjBvbxakZbK3SGxuEvULMk-5i-u-CLs`e`dC} zzrI`8>DU3a9bhTvxcnDn&HSc?7f>3=L6P0}NG@4j3;g*ef}{@_KOgJ_bz4pvOf^$z z$5Tw#vFNB%Y{px3NH@{`?g*cd<^Pp~_)BQ;XHJA6e{hZmTv+ntXVMFAoeev<8_t-- zdiQaxx4F-;m&(o)e)j#nGZGsqFE*Pu?WXzy8$m30{rMwW_Md;~-79T?^M4xPlCIBx z*Du=G@(w6YijFZ2b!Uojf0>myCuFjBm(iIS5KbgR3QN3xP-oT8J1N?Ve{A)gZ-(dD zr3$$lK#qm&+5B3LMql6IqUy&sWn5 zFVgQi$(}>cA$}=Z2${5@*&*Gr2tW3dNedWmQV}EjtJ}0(=`S!%a2#bwG#aitBwj?x zwuQhnJ7b)qinn^m5B7Jm>Y@zeDOl_sqmpxZeb|9(FImft4n9pV zQQfZjJF^iQ(z$5F1bD-r2wl0j1JuF6JozWC40UeV%EO0l87|5sTFU$=%t*nJ>~9lZ zij855T6~5kv`v8s%70XWwpGdGUb^a62Op<9i70@e&+QL@Pk*hyUgR`L+jZ#Wy_EIy z>NXb|jsvtS0M866jeGLe>e;DXJ`=2`m~fny!5V_Y^lCqF5WZ>Ffgvav+T-N;o2_sK ztHE+1#uf^RGgox0#bu5iIhZB|6$o(1s&7ok$GM>3~l$MPZxuBB4QiZj5s5K+$$#s%pe8W!#_PqTs9n*;XYlG0|ANQc(1Z&my3w1K zdf^}@auXCENxuA`O`$mjKNZKworh}33IH2f7^h#wqj)Kxri1YD& zhy8VkD~Iw3L)=DSZ~&_Hh`?p{;8?ZmaLcaN(F&$$69-lqa79lE84o zp#W9wwu20hs;sG5J1lfK+F0?>^JY1-!I~pau(Sb9+7-cxaR^M^;H)8iTFXO*-C#d7 zR{O#&pT(B#S`^VN&BQTS2R+R=XAzFm|M9Y9nU8!{{$!N#p?Q&aD*1eJT`PT=RIlzzyn@jh92oObT>eEG8$Hmr%R=(4;@6J6zZj2@*!`I5En=2TY! 
z&mNJ4Z9|KeC&i6=+{R*Fncgj%hnE7|t@D-ExnA$8uxyLxS@jRvtB>%lGhQDp%k=9H z(Su!=BhG5RXMde@pAUJw3G41RT5J4{jv1VnKhd_{?$gY6|2w*7Yte1~TpWzvN1xTV()aw{ z{-k8>Okedie^B%NZvFChwSAp&^XLh$>$%3I zo-@x{bsTDa(J^?Iy5`T{?R8yp4RZPCt;ZqXaYcUA-#v}Z;p<%(DxY1#s-7;db8|*7 zVI#0pbjp33Nla{G3h;R@cdu#OYP9F?GL~HeK8FkgHb3LGDGDVj|JC0e*7Ds|z7_Js zdU?biUcaxi1dmcQ>u29lco^<2-3`QcKPEoq`dJL$gYM>#{XRtZH%gySW4Qk{K7mF* zL3k@5L6+BC`-vU|P`J2g&qwwmNEA(X6lx>9^yL)d#Gl{zGxj$NfbWw;26ysyx+yw@*7l?Jp}ay4<;L#tOGplmb5(Uzs$_CuG=u57o-$gf~t#pnzC!nm}R zvKPHHqtK2;QfPK5`3Mr|DeTN?OF|s*@EE}__rIWPxe)u96;^GY(2m{HZ4+|rx;Qo& zypr??TQ@~~S3d@I}w^;I79{%bfZ4PCp8iz~ zxgQ&TyFv+FX2v*sdRz1f%naEE{``-}0Nyff)-8H$%(uCyxD74UN64u4z2 ztibIKG7?2Cbx_!brpWGw!&wHpz?o@L2*565qEG|TT(Zs2jSDLkpm&T*J5~X<3DMyK-G|;Rzur|D|djip&WjIaE^V zTvo%sV4*o8P#k~$bYV|nen?9D0^=YhexiU*x>;PXRE;o9Oy1t)3|FB0nUHr%p5vKR zHWgo4$+(!b&8KkcJ{w7je4BHfa0xZrXs&?U1YHh#*HZGfe2JLHm&5oq_b;C*@!cTq z5*tLV(6Jx{5qxo02L7lPQMKEYX#G&B1kT@+pX-6!;7;s{S0@NGF^J^Z$0ihZ!W>`O}e$zAuCgn+brG81t{>_cI z4!WZh+oFQBPTXRiElzpeu^qsX30<>wt$;cI&~RzQzw8c)W+`?Ej-t#d4b-jSr~QRi z^Bn_O6>rnjU8DY9@x#%DED=g2T%pX8T$&f&@?J)2SF{0(r9-mtXQsf|*# zyc0Y|<)pXD>woBkW90gki7n9W>bbubjf@Ns$X1fs9SjyEQ8US=ZS9Ns_v7YqebN7vS4lX6e@2KP@OP>g zy8}Tn+VEo3sAu@s-0nt{($;nt{F9_oj_NrN{ibDWN!^xZj>*!z>TUMKal)$JhTTSw ztovo1ob#?Uz=6g-md#`%V}bk1dlbJle&Ihme<7RQy{+{PfY~Q{|B8{|TlA#6=H-Iq zwZ5CX)99O`_SH5!uxdd6XHAd$lKyg6$9zjN9ntz(!3|h`*Vrn3>%us(?)yzT%yy@? z@2Mwnm%s`rdZd=Ba~ZrhHMAuf`?;GmjHkhPMdUlD^#<{Z+}i!RzMG)4Pq%T~N{8~i zo)7bt0Ri>~I%whEVVXMO^M5TaCA{BYL5Yq4x-RkFw^{tN(G{-gKz!UwJn!kap*_B^ z$p+>*Euy68ADo$J_`jsJPY(R6we7a{V?M^aE&IpRZqiK$*u z@#!AH!-CeXhZ$vjjmpwo-#h$TenP$bvbF;eB>>1J7OeJVKpr4)wYNEsW6sI%R$RUG zwpcuV@jd(FV|(N0Ta*P;*T>UhtHA+NY=}vTSFPJg>>r4l9KCk8Z3soDRU{lQKRm!o zr+QBJIR#x8V4VnoX@dSP%txPY!|Rlr^tU~zu=|iOM{l>I+kgkAx6_No>8R4`nCrsJ z_If8O^A&{xSmdDjG>RW~-Q&H=pLzv9DZTl$)9C29+5N9imhk!AkF)B2=TvYP)KJ}W zVfZ+&(S4+FF7RF`$#i|$KIRNlvZX80eh#di{+YA>c5=AvZ9g7Kxnm~StMfwf!fCRU z;I$W@ZRff!dAu~$YtHC#aoIS4bFAxnVR8MnI|6Y|0AL^HUvu$3@0(XrcLl|a;s|_? 
zpB3l_i>(rlcYa*T_i%w;qFw~I@v6Db)2>k%seL3q_s(jL>cd+;b zNTKi`bDeXJKJ>X1IO-}@$}8qS4VLsmYONGUk>&=tvCgh23D7N!PbAP)oJPFS*lOzp z$lsDAu$Jh)-0acR>u1s-PmKegR=*K;bSwQKk;qC>`zl^J4vBiPq3HT(r|gg%5uzIt zVEi0}Dv%Jt;(y?S)=2cGH6V&LpT-?C)s+ekp?~3L=?6-;B*Mduxr`z2vsI~%V*Jj? zgiR|xaml>!y?=(x|xQ! zL!v^(Tsg}B$ZqWTh_?+e;+y4K8_;Qnj=>TKBYNO*j{3V>1{qhLj^$ z8g=}mj&`5W0exWD$;bHY%8>{Qk??!cHcml_FdC0KM-{vt|l)hB|^MR ze*hsv+MVx*7Fd+g#Bg{$&jCRg>PFHUYf(|fpA`M(^^YM^QHF?dwlr0QPX~;RuYAvg<7r>Ku&-h}>s>$S7c+PV zQrEjB`*Oqj-+iql{h)Tb4a;9ka6_$42Tw@$rh*GxB-Q%SHc{sT_Gss_#B`_iN;N$L zTQdZ^Lgh4lWxG7r2q{>kQsh!Wi2%fMqxx!8EI6EJb(%1)4BNvqxu0c+YcUyQ2@)m* zyTbCnpv-xU8xXb1T(M~I`e~Ti5`}2Zcj97slhJSxx(Jsy>St0Yuc*WGEoE~w12vEG z;qs5^$W$RVp%WG&2UxaJo2@1Bsqnp+aUSd5 z6`LTNL}l~JfSGvtys%}sSd(I9tbK9Rp$8!d8_H`K()_d3jUwgrn9&EOx{K==Igz0i z*hSQOi^-~JSJ)qNTId*Ke~9qtC%^_IM*j`R&pLq;L7pOvAnvc-_D1L8>;+|R zf-dQjZMRPU_qtmMqP%KMfOj*Yb`|PUY31}-d3*z4WoVq&g(U z^nidNOT>bfQVl?WiDj{Ha%UlP1z!3Co3ZOiT(z0woZ7!)MTOKeiOio5#tK)_CLyD2 zaP`otPGk8Loe9=a?8!j8FboPj7)dRovq(EK_XVCcI-Or`h~{x)Y<{xrX4Fi#L#+Fl zK7@$Ogg6t&L&M}1n*NF*!&|0ukyaRVf9-s~MAVMB$vgFYc_nCy5bHTyek9^7^o+5N zMX5Uh0xDL~Sy_q8(C#W_mGWvfY}LNt`)Wn86!)hMI)8?T#nSbm24OM>S{5q{vota^ zD_CJ2`zHSV_U}<{D62LPm_=mH0F(IHX9&`Bb{qY+KK6IamGZoisxaIAc=twiPJpS$VOfyP_qWcyw6X z^YYw$#G%3e+9Cd{d%q(1nBQ;2ztYyp%&qiaj@}XF+efE{Ww*y?rljfgw%Pfiy7tGy zcndf1>SNU;W$)_6u=XQY&~R}dxN1+~SZJWjnWeXWi0*KTfzlji^YOiR=V2a4J8RW- zk~ikb=q>KHjMqQxG@URrw&+?X-XomMh@AfYtpy@eYVQ9Ulb=butORfDW z2BaVC6rcN4j1Q5=Ud{UUjlA&LWS0d}I%CY`k}{r*;;;3}*3OSMj}lU>#iy=k$DJtpXkV z|E+kY^qS7fE(H<658)rtzkXWl{I0bH&13@Yyp{J`Gr5J$ZaWot#d!BC*cDKHs2o;b zJ_&7z02@YIGA7PXzore|GCOO?W6~I=z(Rqreumlp&Z}-&g&w>|N8QNXFG6l!7sK*X zFPHb%muxh|u5+D|e>RG#K<=@?`(r(?L2Lz8?8Q_$z|F_8e#q5km@Ck~zE|IQl#tj% zAk7!_->&#b@Z?MT@zoVWf<{ek1rL3v93vc9K=GJhSf}vhbHz+kfTHO%5ZT;@M=U6* z#LI>zM;}2>u?y-@a4P7Am?ag#2(z+P8>(xqya-*Wb9>BGWSYJ?LR8_X&e-WQ51wUn zf=kRWv5ivMy7H$nk5h9AkC=!;o=hbvhaqLMiew^fTyr$;&|g)pp%-e=%%Ltz_inLK z*RG?Hf3hOoRbRT?z=dWd1+oKJn+mM{7%D~-Ehlk^y@nrA&7^t`=EGfK2WAv8&3nG5dP{xb9*g>GgdFL7S$~?Iiqup{dp1cX 
zER*0oaj!=bvd;Q~>7}eJYt<3TtktDFoBbL8IEv5J!Ty0^#e1cZ3Xv&$tqj(WjOi z>(H+Mu85Z%giC0+Fs0Bjx8e4W`sGnov$qB-`Y^+C=uYjgrzryQ!!MQzOW;Z&1AZ#oYoAsMDXZLqE7^Di@G|R zlVPC#J!-lZSH867E10jha~<}K^3ZP5m8c)Pte$jlQG3PKx2HAAiUzTB9!OP z!JTdrGe0|(R9;ksVU&%gpa%7$j%^n5jltQT{-yjUu&^O z7TXjdy6ru9czW7`ED!Rc1O~N5>j4ZjMFz+h|Mm>bc5N^XPgpvtZ?Xt^VpQh`n{_xt z65R8~5~{$;iTDxoBw%%2h+n#tc-gdM#Z zidCJoj3wlmEycK0$G$7!Aj`1L-a}b3$A_5nDeI+8op`n7N%eFT{Ol!=%SngtmR9MoD1}CmjxmzKwg}Vzyjs5ERNZzRANB|w|GmYcAD&in<`y862ySS^FuVqOGjjJf!rWlkqoy|HA5V8C#)Mj z@ZOyu)xzwL5d?~a2o{I3+k{he;H>JsEfTADpJuip zqPbAcL1tY_?L*~AoSN-&%CWvf|jZEH!Ds$ z--@kMxz9vU5>)6b-v`PI90*MhUfb|fR3SHyfXb57SAt>^qQD7bHv?=*jda@N>bTQRdeTOdCstmN@=#!$# zm4k(hGHzl}jCKAUwd>|?XB96iMEB`N(valIlQO8<3^BV#M&JJ)KKwxwUnG7jsm8gK z&?x*FT}7oukP?cXuC70hT#2fjMcz({Xv0lHw+zidnEF>4ttHGpN8_*qxkTcCnn=T| zng=g+Q-J$!@)zUc0|^E6ZVRUro@pPuiMTy@wcLDsV!U5<9lziR zjjez~dcKOi0&zuE9s4(%pJ^7*_Y;OWcoRQ^z08@XK`f$%Y47TH#HRn9Oe=IakHKt% zeF=gc7K44_~GOU9uu!mTwL}%s*};)V90~Z~e}B z>7C~9Q>&zM-p;Zeog0@qyAof|8JVVeNc;hpi2%>huw==~-VT>Tr0Lgvb0&e?k4i=f zeT`*J6O6K({^aSh%=fEuljAJXs*d&HPWqM){$;+2?$(!J4bM#IH@o-#UvFEk-TZW3 zvCdv@hku7qNMrdLdw=^n-o|$l-4znc`M(W@|9ihFjZFnK=W@^`?Ol(xB)1gXU+y@uiNDgD#UJWNwNbP|gO6K#j1a_p zD;;aR_e(?AnI20@v94DI9KP6o>$>C-fE!<`Hpfe?e+GN8H9D5J+_D_ygJ!kt9G{=O zI`n?ZMpNfA@Hp=}FDM;3PJVj>>%qhqWg~C4?$CF;EMZ%Y2jbg;Hz(%+AM4$QQef|G zHBfSSXkG8Me*>W+Ha)D$@x{mjm=yoIU$~6h1>Dk~u5mX2&bR?PuG$Xo+B<7I_R8}C z{kbRHf_i5=KRGuZX#5?OjqJN-wqw_?IQIU%1uYv`l3Sm)3o;*N-}S)@X8WC##2Q9c zdtLR+a@*wW2|6tJ!$83lm=U>N}di~};m(6Dvj5{~IlQ!2a4m}*!E;q-N zYA?N)GA#^z&x|G4V(od>_Q3X@$5RaL*B`XbMv7zF^;cb!VN!a}pMBInE`W3id80DQsbL*@^f`_NU<-}e=$WX!N(Ez1ma_d8Wlrm&-s z6ffMvoqRl0GrGgOL@{WQCY~Vqd#ApG_)(30!FFuMvMtT!ari%4EYl@(wl!i%Y6zog ztMub-E9AI|UL7#|jJ5EDJT=ky8PTao9rMfq+A&rN=+PbOlhopVRYwGkiUU@5Coj4e z~ein09ZQ{)Z8`OswAv>aAKGM@H@{Kmm>3Fl2z z$pyLgs_57;d%jSF5z@8`(x$fQ1H6m}nXvfrfT-^r5MJI@uE`2L!7^QipRmGH2{ z&NLGId0`RyF;Vv=e*8J$|B3P)oD9@^I}I8E{4u>#d56h41wA$6HXZ*+74>2CJ)?TJ zh^$851~oAV4gq37+P9#@R)tZ<~|3lcXOGiSv6iOGVQAQBK1hy*vHNZ>cX{c{b4 
zSdt_`j$(H~0z`JmeHHBuXq^8gXk)4d z->cJU_mP50)nU`3yRdwN2Zga`JcBr^Rlz5ivsgB!F51wGTTbTe+#OyN9h_=I1!}oz*T2>~Hvu#j!Ng+B4rl zB3>zv7M}Y6r#mFmU0c!O+4Gr)!)l8&=8)7*;LY31`6jhyCxgRN{GSyJd~xh6&FHJw^}`Ya|s zKd+@OeJ^mi4|m9Im=A015_nq*=^17PY?%&7x}*SC^lcdNCp*rbbdWbx^-*|5!p>6l zc+V-`wsMh()}A}`aM}S5x7m@kGfQ5^t~=4ZhbW-&@y7Y`ZK9X{(^OwgY{2{2MP-hy zu3yQ*4u_7lXLZ-76;QZxn%Ae?%Yzf}$?v!1t-t|rQh@0&e0xgXF-P$~`~by+K%htf zb{z=+6Act-{*Y@B`Jn)3&(=#iDfC(k$G9qDIP}c-DGH#&&{Z0Zfzk*NH_HHYU~!fCGd3oGbU zb=1BIV-K&!1}f&1c)ND;rCE-*i@h_v}`jwh_gtI&3m z(w7i%nvlAT5|sMME+=a)+3gCGF_MfncmA!qUKm@G%Apv;s9eTTY1!)732|7lLkAYW z5KR6?xA`2eVcXIeid(BDqFR+(O}4!77c6$*?TW;RQjC4NQ|3VhhVJPJduwE-hzLWP z$j00zkpauOiOIx6atC_zS#aL|LGh0h%!+DcA*!~Lr5{Miw>SB)b1CvgwDTmykiw0G zHaSq4>alZqw~mTO5nLIZq^L-4crpi)VXUZde83*rX3&&kQEiMY zZXr{=6Jd#Wr4EjM?TdF(|~~B~zkBwI(&# zle$?MY*c1uzp4OtZ-_o%aDk9T(#*t=ZhFmWVU2-`;!=+0 zU?+hX1AMs*1Hrn(N&8j_C`#Y+k2l0DkzZ|1TmE3aVy&PE_WE;;z9;&)ogH>?s|dcg zspB3Cw)%4kF8Csxhar5o7BCW=4QgApmy`7DV8^cGKqw2zAWh8`4pcXm=on>f9T^J$hB18_@SD! zg%ZUXsV?9a8e0WcDanL4FUpu>Qm*}mTy7XqiVK>5L}Qk2K_W#{qh4KbZBU`VJ7Ys` zca5HS49!uOGyl=K-{$8_ornR3=uEj>`w+*tN`$wQ7XjWJV>NqOM;PSU%hDvaqM+r- zLJ4Dn8OSv|k*8cDb*Uyny$eH*t2Io0QWIGo;ezzYCd=0 zJbg^kO>8Nif)t;-J#8-#V8#uqxU7G+B~kR_5KTP-L7-;(W6i0AX$)n~&zysUy0~vr z)DuaohlPjV{T*TP-Z`hTheb2LJ(J85Je8vz#2S)iGGNiNRu0Q;5Smgig1?36F8Cv-PfGdW{?8X1dQW{xh+Su7k73NEa&B;dAJ%MKzkS3ljB*R(1;ePYa6=!)^sq*B6s#f1DeY3`_C zS0gU!nAxCVB$vZeFO*kZW|?Kgyx?&~4@Kws9p+O-XF*%#il6{JhqTZ%)taK0Y~k#f z8U19r82r5LlQtp)xpukgs^fb^dRhbtP;n^V+WIM z%jDmsoY>snewEIs!#tbzr$k@}8H*wrg+4t?sAW4UA3> z0>R4Xp_%_N&YXWLpWic|S7Py}=ltIbg!DcAlj-%&s>V+l3*!5JeO{1#HU@Fc=F8uV zX?Fb&wYRbTV^o`IfvXogx4RmM+TOdx+}xvUuPGJcuGcHD+N#qnfsLzX7|t3d^Oer< zRf>&Z>{DV{LEy!8lQndg`f;`i^rakow2;C+8yvehq22`(Z_GDbU;7x$^BM z-vXEJ!!pC_vcI;G*@)e^5PqS>Pab?{ zQ{A5}w>~b7l?3z~uY(fnm!1n#yt(b4>G-)Xnayd5%bj9=B;y~aDUzREL*vU^?d#gH zL~Z8~yxFhho^yuhneJZK!PznPg!k`9skL{doBn?{K2CCM?0OF7J{uftod;=guAPBh zvIcxN4HqVr6h}zzZTBZ$D1K9)pcN3H@s$|!l@0W_9uEX^TS=V-sd5X(zpCb+t=E78 zp)~r2ROb{N)=$r1NqZc0-^?5Tv9!dIgf 
zrV>w*3mR~wQem23Hd#18S?FZ50pacauypewTsE4t=_KeYX0^+*Me2}Ie{aasl2Z1* zo|G!ERcTt3!@p?a&7z41>ri3r8F|TPm6Q?bT6E{fl~ohSuG9_Zf`e7%a zD3?z9$Xdpfydd(}FoKXQ6!8-Hm-64L7}dJJjhE$%ldquJ4SCfkW0l16i>Y03qEDoa z{X`wp93aOmvVkyMae~#mqyta<%wvrUX|BaGQD)E3A1XcA0E@=KCCp%o9>w)5 z3OcxC={I+qLTZ)VdSxVk>!`?!nBZnMk+7%-OxctgL(<5C4%QE}lNWs*b<@F{1@toL zA0~Kk8XhH9__CBb;S!wb#1!Gy2#nEYc`MW~N!M`TqMTVGm`Ba8uKzgmjmV3>&ybU; zC*;rijA{dG*gF0MMkHv?y zj=U1T1k-`{v7}V0fx)6XMqPCk*O(Pv!3gM?NiiG#sngt5YwE_3IMoz3FbnH$J}B~& z&oUHd@+J?Dh;1PFQv(;A?4~sVG%*2q{tpgk5qnqA`-y!+j2`-jJiOorXGid+_lEdF zrw{Oj7{U@zkz9Q7=YA<=U9EfFrL>%zE9*);AaegO1E!W2qFybIla1Fp&u#7TEnp`G zN88;K)s~+tj`iv5?{NaZ)SR$iU5A%8`rBRp`>eIPZfnA|xf;BWEBJNY+j35&j6TN^ zPq9lr-sAl4Tn^>)*bKS`0K0m#_1Ns2s}cu2(P~G~R{2$AA&P_2xJT;L>f;grz}4E) zTjMsJz_I|yXL`$7;i0K+q-q=F`hoGJbNo;}56FeE=Y6x#P>9)h4{H@{ox3abzZvA_ zyjn9L)UpYC=hd;O*#MTaYjlH&bHK{{wGXC{5PWLIN4(au{P(!T-{w)(r3_SjcbH)6 zd>%UnIJ94xb6zy{lODI}q?)hP{_lHvUI~gka%j=-q6=ie%si5#8voz5Y2w-cj6}|I=3&BVN!Fscl{97 z6e5*0ErnC@nBbspf#iIV>lwW9{()@$0!OIKm^l5$z{H4>ERif86s1SJ*f`G~IBdxY zPu+Kk>G+#5Nut^NyK5LdYm{s5wd;gTPZqq7?!Ss1^*}Y*p|n3L+{hmL(02X7ZEW=n z;Pl_@ZAH{(#z%Z(WSWiudA%u1Ri`|v_i$g)O{hQF;INtEGgQpRzAvAro!XL~XUYhV zy2&C1NS=#!PKiv;S+f2*5=YfAl-cdl{3q+2R&BT>R36N;^`jHQLearor-YSc_m8=0 zyu%LijC{*R?Fir`5Z7Yk8zyxnUWf^bUFoQEL%b=5)8LBQiY%+w8oYJ3ehU#$ggZHo zumx)g9SO(<-A>rSLRZb;l&!$l%&tX4AO$ zOc*wum4d-8IDmxxqJ~>6OQ|M62dkPr1JllqH6ar&mQ6ZUwm>G;Z2bgMywI0@(mK6C z4Ynx(GSNA#IRMkBD74VO#@PK`iH3!sXds5~)GaI``TI@8{N0#y?K$snR(Rzp&#WXd zVL}-#TKPq91|x7We_~b%s9sA&w*B;{w%vuXVCKI~aC1aQnwC*1EHKwU6=~&EGijwF z>7|A6@N1lk#h4(^=3KiAvFfWWI<1jq$bX~Hi}%dE6TA0B5`r2d*=_4M(rFOluH+k9fCZn1H0;V?Z(w@Sr&2pTwiFCYu}krg@!OsqhH&f+dvTt| zu8?S%)VXh-qbLpTy+B{6fsxyf3k-Dp`kpLRB?PB6TXd(yC=-qa%cyLeMkbq7aMqD< zM(g#R?mnqljixu*;`MeAra`U+{>`Z&?Y?1tK8%ujk4lV6<0MiGm4l{()@GITPo*&< zM9@B1>79E)K=JMzc~bLtWJ~dUN%Z22fI_ylv*dZGihqI59i+w9aAc;su=1X6ffcH! 
zVA=OtC_t#3#zxYkm2jmcaL-ck)_$knV{?|Skf*37YPT_PHtUXg7wok=Txq$7cg?S~ z!Ui8z>51cov9^%W?}9(@%>o$6(J5HWgo=Q0AS>93=lf@ruP2&zE9=0QY2VqI($`); z8McS*2?%sbf3}IBmx%aVUku7NdphVfE_NC>gbZGAy8Q~&2)Up%L?8S7@w^y^$=5w^ZIKNhWY9s??w{|T&W-o;ZskF4c(dVlOj!}PmDiCkS*26y6imkASS35exhC_(+eH^_ z9^|5_>V-s9-TNfk+i07)b11cKm4SgGs^x~Zah0i$-aV64F4$jb@8^7LisO1595-?V zLTyCR$%C+}Z)zp;|FV*d$-8`eWGY~1GOXY^|F`Pv7|=?}d?Yri0J>RuR50}5a&G>( z*1T7LtG(CvKQ}sQSOw?}L59My#@LP2=5M3hz?u@%; z&aVk|cnymOVAlCsV_X;EF`VN&kBRD+NE?4;`P{=v+ZDbym`T4lG9~IBPD=2%eP&%$ z5udvQCC92Z8NKY^HWk#ftFO0SW2t>#!*D2odOzBi;CJc%^=Q9lr~7;V+ji#7eH#(r zJQ5(dd}-|TZ(nG{0UgEhZ@1e4k9ot}D|4HtXd*8jI=prvcHjYmewBq!JfPa&M-6Wm zjgMWI_Ff)~2stlrVJEkTIv#C@9m&sBS9~Tw6@O4s%U$A^^~rT$rtO!n(fUJhxraly zN9N+MEz9^rg!?ZJ{a6m?js0P*I3dz4B1pcyY+db5w$G z#r-+3fpx2N+taz_b555!wZ8m3ZtOnC&jqac*?v1Yob{>HdfLnFa>!29Tj$fsdfqI_ zs7J3w#MH9y=?X|VqY(@*R$wr zG@l&{&kil#yF5mDBo7U^ysDR{RzEk!6Q*limY`*A-DxWI8f{&7Ija9cuV;HC)=jOV zfILAMF_^?%##3Z>@sZVjds7ONq7EH^Oz8daKIdb|mOrL$iNzed!%vP%X)K69dtVlV^q*t^;Ijf@hM=TqM(#N6 zR?uDUd(cfTBua&AREBHE7W5lUKMblpecq}4z=c$_dXlUby;f5?ytd5ZoHqd196lWJ zBy}uWzan-}&11(EE!S49h&t3uum&RCzQnS*IEL5^2CiMU-mMERxvUH|jdfBgi^R3l zkRQXSCV@Jo!VW6bZl&^xm2K`aNeMzRTvc0Q=6g}tP=O_dwK0S+ZsZH#ViTrmf1#b) z&>O8AIV3|72131_KD@?Uy2VthfgY!#v%|Js3cDM)<#W;voUti0f`*L~IzjcWHA?9E zxf{O$*%lkf2M){uR5wm#xE!rCbTzj=eRhF}B|fa>lSt#_U93W@)A+qiaVmbZoI?dC zK`uKN_w=Q72!Z2_$>CHl6ov2pcA}2yytPb74I&vWgCK>Mt#&rRA88SvE5u~Oi$mHX z{8CC+Q)PIsL3dQxl+cG`+XB^o?ZrC(@@FW4laAt61Sx>*8e1ucgyIcv1K1LBL? 
ziq-9C%UDyxYCOi`uy+~>7*#@fDB9sOV&dSS2pgk@j4#q+gCoH{nigAg{xL@FWN=XWpsyqmzMcXu>-XH6&O=qk zf`=4MOSKc#W+hT_Np{3o@HDYFb2@QldmVQ{t6!6sN?nVHpv^}>6*x+12@vFaD!8LC z4LGuD`*QBqyx$X~DJ#?z(WpETs#uo&H)$RmsrJQ$u}n*!DLTj0`T*s6J*j4yq(b8(pqBPdSL*j6jJ|T&302kLVb~ z$Xd~ymWzo)nGiJrz9pr+9%Cttfh1_X2~yoVVRy)oa}ql^1Nli;W+7-M@;l$6&5nra zkHDpabrn4&Lv8Xg>GUM7aA;&T=p9wAzu(PN!)$cnj z^k8_Iu}5KM)i^mCNDx3FPUL8gVg^u~G_6aqn!pwlSA52bKOMg+po6Z@K@ZfVwkR%& z8uCt#!)Oh<3`aIl5q8Dk6o@j5sPjH%4&Q_Zlsb8*-k>6IHlr%oUAmw0^zAZFo#;4m zUFvje5jA6%8a>-F5Bmhh#@tQf68|-ywQ<&bJ2g)IdtFvl~n2BNTx+P>{*?3 zr_^RfF-8b!Z4+lORTmRzwHmaA9cii)Z>v?u*Eg;rW6u>*C|#~g)KRTWm&=|xP@rvz ztr;jAaL9IKWK?OOc&?hi2t~7aY(f}#=x(1hp&F2bRe2%?IesWdw~H7FQFh(HF54I9 ztM+sdoy0ZIbS}7&MxXx@BlcLQ(^*6xOn7ZM2)CSXc%%niAeu%JmPPsHmL#dICssUzA=^c)CA7EklYc(&5~dy_)GfU`8F*a)`e`~_^D5~-8|pesO-_(`Z^)6ZpSaM zkJsaW?(KW^{5HK^=xhGISGaq;?r>vtyYw%&YyVb30fou$^=}~)?^Eq@R)^a2g3H)| zkDbe6%22br{_9P2O||apd;Od4OXn&~&EFc&6N;?X(Lx0~!M0)+p8X+4Kapy$M}{!F z=g-i_Yp<4$d#ZFil8>hj1WpAlkA0wrj%9svjK6)oN)4Ay*Z_yY^^~2!=RTbvz;1tj zN^h6*?bc)JRmHBbKet7`-+w;f$eX9qz zS@fI*0#KvfsC+k_M$l?ednQh>8H*I)$>p;;B&^g)}UbuY+66aKS;EeU+{Tc zORXW+;AmsBqO}Hq+3voYmx|Z|IB1kTVQzn)k7yX?UFIjh21cS7a6gYWemSrD3`fle z)4BIvB)=%gt9{7Ea(i5Zy&u6*#WEEDU#fcVrkQxm&*@g}mQ=Elt^vmFizp{8H3H`v z#|ABZ_T%fh{1jWyj>f|z@D@HCY6Ja@lzI| z)9vYR1#eK)_-69p{e(--`V`N+rAo2<{)-xS{6J_|t)Uyl4n94ZNF;`dRkwVz~@k)Wi1 z5OEG^m^jBYRVG87HEj>KZXa)`=(j?1e@4c9gh{a;%A4>{ z7IrQA=-=fu>YC{p>qU{-xN#K{_8}|`d}WKYG(Bl8W!flJ?(Hiix-MU!XAtfFzI*ri z$y!;tO^()-c?dRKa5&<2K|skli*}^4PEP#ybw-NEtWX6y6B+t`QOzK`457UciwwCr zV957bvBxS!?v+1>}MCFTz8zIU# zgx(5Ax%5W<`6n4iw%E9yW>f{AMg)Nq!DZm0qh_oBSxK9aVds|`IyLIGr0jy$b5;?< zVdxM=7M?pyVi+p`$LenrR+UuK9m32*!81yu=e*1zU9DT8n9WK*c?_;2LCVx$Y_=?w z2tidAhyS>PoGtTh-+r1MUhts{&B}x5}6&9#{tM)$2eKN&huofvXF!{+3&&+Q@eTwr9x(pV^jf167O++icR#O0wfVEB3|0X?^{6 z-A7|c5~sXT)fpGKdT?MZ^KIg0%JhQ+j3h$t#giN8E_-5K%Zy?fsKtQW*&qg78tw~x zW!ukdZPEA9*Xb@qPS8!RC(%2VL274=rRQB4bQ^c)sZOG%Ef9)U)RopZ4eyOYO=#^k zkKJ}1u4^(JslD{8tVGFQJt5s=0+!<0jE`h>ON%Fs0}a?)<2zXt8u%Q5g_AYYwd- 
zM6_%*ggPl0T<$#FacAtq*jOyT{Hbn(w4F`&H0fJ4ngoGa8ZuMk_WnG3;-T6ZWA4Z8;NSPGW`pW%68nW`)^2 z^O28T8Vg)I6%9V2P-W6ZAKSu$d@-N%e z@+G68;Rjfy_G#$&8I@(GKwqwHBk^zKkY=44mCJ$5Wm)6xkG3|l)Ug$3}6!Bq4 ztm?Pq%CUP%v&v9bL$TYejP#xL1*!-@AEo~Y$90w&^-zq8KuWbejF(H!@t#FA?686v zqPhvFa;NDQ@+{_1p*)jn%~e%YvHlkxl;}Xkl|J_TQr?RHE5$~4kUW!(66li5gBmq- zRJJ6+V`*3fo}%7iB7R}%H(U8bxL$lVS{W)nAC9-rWvwluAltW9fi&ERnEtLX229o4 zE1Dfa9ui3_Rlca*$i(z(QItMhU`3zt|BlyOG-k+B|D?~v9DUFm>0agM{nBwQ=e|OE9%9_A)-59b*lbp) zVcEI|t_w7bR(-6E3vTekw7bQoPmpm|{d5_JXu^oTlDPg&_sQbzwX0jw3EDruI0LyU zJoGgqQxkkRJm%{486Y#R$nf|KD10`({E}t(I5Jt^?Ec&E>ib^4etq*!M%>e}JE>#9 z7uNld@_Q8`1=QZS$?Zb4`BCKaXBK~~JltphtPZeU5nJ=RuC^`cab%R*v$F0w?>9~3 z_r8M;l>EdWue$$C9-~3|%=-Mex9RmeG#t$N;Kf?sT{SUSGe6ac=yQ_T&Ho>!zOg&g zs7IIRYZWI3(FW>`M2YC+R5Uv#ah2&U+?4ndG;y>7zROz+bCu-?wQ@2}FhzTM91 z(N$S>JWl4A>9z-Vnfdp;ZvDQ!@M&R;7WG*rBaF+P&0$?ZV%>4SX|X+q)k5R3vEI}E zhvEu3(feyLnZ@$?w2~p&?f7s?degi@iPPsK1>b7e?*-3A{Dc@|P*PkL*YiHV(D;x6SX=-+NBW1ZDIu#>^MrvO* z3D2%BcB&_K_a%Z9gT{t0cdsD`-;55b zDorD&OvH4#&YLr<1R8!+j#=@C^4|a@m+A6=ez{>FUk-|ZLW#S4M?CcgeX1`sj;S_5)|C|HB0?W&6+q8vF$|<4)Tea zCSVT3tHMFz)44;zovAT@BGF$$3^_6rJ%u1=96tJM#O~4)Vrb{Yve8#D<8vHDraq#N z$e)smpL1tWrciiO&`DE(j;cPfZOF_aNx|I5<{xn^{UHz*d7nEwhw?Fuu!-}*CE6}*r$15!kMkZ9s zr+rXyAPn(OHMW9Zw$dIIARnpn6Og3FU_a(-baI0zv1`x+S@G@`k4Fhn;De9ti-8t^eszjmE*3 zP7CEL3((Ko9l#(nFtzhV!b9`qQ#_0hO%wTms1BC-bKVlcG!&Y^fcG^`eR)OSL-d}% zXSOCKEFHHuU3NCL4s%wJ_a3&%T<@KBr|jedFAn@XOgnSB)KRFe?31?Eeu=pT)O8G| z^Jloo)(Sr)}iRobGnk3>A`Xm%f32#^`2zlmPq7j5?$nl5?OJT~JViEc_=8nyQ;1nNL zjq?^I5KZAanTPCzD^hoyN6G3`=;`lhrAL@rltpX$NTqwiA}!D$4&_##yx;t41f1zS z^r5I1vMqnGQf)L`$WN`KLWh_arn4}zEF~kN(2{Jb?E7IKA;*?b{fbSIUijrsZUBWc zT@6*BEODNgSkJ#l<>!CMr<>y22#eHK7=-MQdu~TH_uYp{3fdu*Qg*N$st~$fsCzt| z%hM>_$Va$mzZI%cJkSoCdJ4|FP7;B_F?``frhrP~)C!7$g75oX9HOhxRyERzgwhSYe)?@AH7<_Ma}ooWBmvsUTSNsgKSz~>Acy8j$*3a}7(%!AJQ-xKVo z$&FFW-)Gy=L()KDYER=8{+$Mp06=(!kCtWv;e_?ddFMIdEC~GQv6ayy@<>2( z?&)@0^N8{GwsfhvLVaKI5c~+fb33uLTXJUU0r~VJ#7PI%QUI{JTrNIYn!e{N_Z@JT 
z&+DoalWew=y`bpKoA<8r6HQO7x)*VctmhK}HbJS*wMSGoqMrcECW&Z``#m)H&CkJ; zv69!E8P~%v6csEI71uk$OL~tT6`9T}%S|>*Sfil+dfc3zbq$;ALU_!GYQUz#8XKB% zw8#6Xj7S#z%IAP*kNvk8K2`w*Z;6=`ghQhdVuRAg`?A!)6CQ{Z$W0z|BASaP7~QP4U}>s|W@Z)r&BdOOal z$Z~lSR?#?XK+T=rcEx?!Ip-0{$!34phF^2R-LFw=^H|RJ(VpvZoao?TH@n@GtGII8 z?0!#&h(wjZim7xw(w>-RBi*KHc^lVI%I+lR@CK%^eQmvCuUH@ZJkKXsO!++Fs@QW)ca5xug7v6+3Dec4cFP6g))Rm zwbyH~hEC~K0}A~_k&NbhonYsP{RPCujQXe5_2PJ>ON#3ADO&&&w~xibn3;&C9(OMA zz50$WhZAN&!pFWdWn*uaCzD0fWW<1m)h%Iahx>jo%6Sd29Dw#~W%F8pv^CfbBY&SF zr%UteGd8Ac@h1!A$GJR%;His8>;Vt8*QwL`q~giC6m#eRnZ=zlNJ`We7idr#_ ztBB)U${)^oirnsUl%ZBg{mPD$U>w7?Aw2Ka3@cf zq98QC#gD_Z#*-Fom8IF^9${4tuKHh?5B%Zvr%Vw)e&SqdU@#V#skpSgKso#k^IFppP@I_~$VMsZAs)RG{7)JC~?UYd4IL;qTNS&BjCqDbKuBQjjS- ziL8!cO4Ov8H?(v{-j7eK6kwNu5raLmoX@=*RmWMl7R0!PSm+sVb*!!{YbDfLa}tEm zzjQjuI{N!9-JG#E@+P>Hy0VZ@9(A@AQ0Z2UG>XZhnlQcg*<0;^6OXU5+H%j`X3 zfZ_HP9Tc6Dw&Hv)0j?Z5|7-w7&>y?;E_D#lVrkvIk2iQ8#&suFvgT7bap^#7)how8$jjm)iq(z(GzdY}Fs6c%TrS@Qy?nt! z4kKEJ1%H|hw7M@o1FPl{Yj7;lf}H!c{2NG#K;h*(S%eD1%kT$LCpvcGf|ICO zspkNYdm?CcGgD{4XBwD%Dm6L(Xup>N0QoP4Bs)06=XIuY5r}aA*9Xf!$eZYA9gb)<1Se^(FMZz|lmyDQnoyKxz(m8l4md0xG|>_G^4|-sO4Mj*=C>U2oM2oDg3pKPT*A`w=BsVe2frgjHq_)0o2^Wuz%wiEM1VziWp0o!wTizCCft5D z*2K8Cr?U)<8%F$!dfPeId7s$?KS^-?Ey-1)T7fQHzz=IKM4X#ldc`qACu6l4JW zh8z+W;?>+BC5R*$)zU`&@{=gE(>&Fzh5lM#@`afESc-0YE-_~I5@~o5RwkXTD*QNm zwj>J$(v*$<{qNomBgB;YA$LOiuxdr4LObRJItK(+-H6(i(u2r-5|S%#{}?xvLm2hr z1G)8r`=|HTQcPZnx<^4fLUP0Yw8wI7<${qZZ+v;{?${ zrXfSbW7Pl%XPrCmD*EC*UNys^x=*`Qn$z5;KZ8CBt-npIFa zX@0?g>{GFhggC#-H!n`_berNgp52OshvEi!+12N0`$*lVUs=rUZhhh7unn(MuM=bDE4WdiVFk=5M@ zcbkJ=N4I`Siwdv^!hi@}}FgRPA}-q9MYuOxmZU^-QOh1>z&^YXuG@z<}g{G{04N-AW zzu$U4+&q*V7;C+li?5$_PnDzXcyGk-N6&CJAib6tZF?TwDWu%#AVqT?gz8v1oHFeT zb9`&ZCXmSl%&$x05L?%t{5bYIK@q!$9@?5q?eRdq*gQ9N0-%`+$WPy z@A_8zT^k(_eLo3u8co{=s+29XZSP&b>+XA{8{Cg`C7bN#M~v4E%Is^ksS9HO0L8Uy zC1$RApGODi0(d}Lq@JKo*YK`TVNrLu5;z5G>RT|eY+ZG&`i!e+M@x*- z*wMKE+5y;2kMiP?yc`-g*||UVxaibT-Q}u# z+}kJV?%uYNQNQ9Dy}0gtjQ3DZiK|ilWXVy^qu5NjiC#6*c6Vv}E=;ojQj+EdsH}9$ 
z+ZjiBH?0g&@I0)apF6X3CuX|sYQNNU_TDgmo%&^HYn=UufNue~hU-26g>UtkWJ50E zEhigzXkd1|jV2pjG1u~vQ&RuHC}ph$!5}Tl!@wZq(q!sz4@T)-WT+%~(Eq2AYyj=q#9{ zy4^BDSv#^4PE(^RWdssv5YC%EuA%FGXCZ;O%Yyi zl~Z}N{!J+BnwgdUrQ}G1LnmlPN)#mNym-$>CfUyvJOp8sO-R%o*C2jYeCQ7o-9k_y zChv?L|5rB^BxGm7C;cGO=poY#5#x$>sFb%1UkCw~gbe;{zLxosjxg(#M2QZQoychQ zgdvUz>*6X9tXPG&Zi32+X|jeBqzK zV>QVVI|ZTh?(lb$YRNTzn=uYLktCF|SIHrgT-`JPL$Wr8qPKj`_1#jVk<*}6NwmLmBasc%s>MT=9IX(^lPFc=-D^{?&GOj!*a|D<3}mE~ zW5K~+>>@`!4)_UwUoSQlKTT2la&#q%pPw23l`b)FluYXke)Le+JC}JY#aaAAe_}}S zB{`YIk*GI^GxkJLpJh?3S2Et>7k=(E0{Y8=N%Z(%A&v#Aycp`fa5-t7l{__CFK1b@ zzkJKlc$PET1yd?N%*$_<88oOWa@hf}70mf393>M>F%_W#^0eiPgl3i5^d!Cnsz`p~ zxT>V}S61>paBYN+sCQZUjX(r39QayTIXiWMOmJW~u!PiT)aD*{UjmrcF7~6R&nG-M zH!jO2V;T0fxYOF<XpmA?zl|CN@%O%c z7x_A~*w4&Ebs~kbU4ehnN|Jn7k0GFH%>BYW)F&AKP+%)lb3LS}Qhsgt$~$}nsGBg- z4hj=(6?upuOrCaXl7KiGu8x7ipvCg8!01p2QEiHqpo=(p5Y35!U1>H${Bed2$}F^a z1s{smi00W>rQ^#h6`{?{FpIQU(;oJ(%jJ~`{!R0D$X0&ej6dj9vVdFeXT@$%VmP6w znpuGoVL4gtDweo7gmk`c2+nzceR>tMKJ2*#W!6};{!D4O_|GXvNXB0I-olmRMb4$_ zm|*gPy}?yVc%$+q8e-8>hEl>nMZRk%l=`9%DiUh5t+Ph!1#QMFq5r^R52fz!;croy zK@0c+5mxgqbJvFU{4w(Z?|*7=0^pnH|UAkJlkBe->W$?01DdXtB! 
zcChxELXvSaUvaQW^PT&U&}uv{x2SO+VY|8XT#$QGu-<+*^%*+ZJBS^rW_1_}$au_w zTm6ikc%H1L<4xIijtObbb{gAyfVi;s7%(1sfzvQ45wdx|Ejro3*bKb%JOy-^*uz_T zY@g6X9TTpv7|P#hcWp{QV7)!_ZRy?icP&3jx}IFqSPtX#jKZREddxRKRCkpqzZ#w# zaCg1EmC*O6KWNoY)l;NxRdhg4ZW@PW!S9J6DZCE+IPmFW}*C#YC9j{@1_*|mSjNEZ~96pVD07n8MxOK+Y`kqxN&l=Z90)9d> zocb?1JFY7l7kWG#{jN64l{r-&hdMbM4>WIpo+Y1ayBbfED-#o{x^uV;oTj5A+@9|9 zXp$bc?W)u7Y-`|Hd`Rabn#RBHAhjSZ+_&Ay3pDkI-lX6W%C^4Z25yhtQ5k7(%dVhP z89&(J6Y4Hre;F#*L;H@Zu2Z8GYPazb7M!n5VqD9OEzcejob;P39v#nP3X4qpK8=)z zH?EWk%J$F502%g@+IfDoEstA;mTPAW*KZ@t1AR**md6*z1Z6FA{h&CSjV;>8zA}f6 zgAO#?<9Y^ni}B3%_5RLt^ahWeb|G+ozJl80y)MBfi(zMx)8>gOW&8bPrRVPbS)|AP zX>EguIcsg_;PC}*>orXwY=t|Nx~YukI(-1qGt6*a`{o%wFTY6 zeTq@R-8wG+$)tQoYx2_74R{CU1A*`#@UKh&hASYCs3#h54!t1Pdtm=CX2nOAjM~rP zO;~@`?e@Recj5i)Ee2L>axrg&ne~aO2C$F`0n~de-yk0(kdqdtH@!fFJ~ebx{8Puz zX5gniy}Y^EI^i_$NJmYUc=9MhtoBD(A)&T4GAZKf4s^1$Q@vR&JtC2_@0TaX!I++t zW}RIi7)0G4CgL^AfLie`&P0PKX#umDFG_|r3z+riF%iLQqDW0rs>@XK`9hB&%FGi9U9Y zI4pQG$tL&k32?5mH7R2AD`^$INcXBO(`I$1VW>dbm>ALm{G*Y`F$L3vh!F5t=cDbH z2VD6jm^7%*d^Jh^$n-KJB7P@{uI5#nr#5h!2JS&ZIuVo&U9LlLvSn(x(|Rs5v=8$< z2+3eou4s}pYkbK(*8rM;E;&tX7dIDkk!FREVib^m%;(JRC}`Ypo6+A{Y7 z|K@&+k9%X52me8#D#E`vvIVYW@^n+Vo1j8}maml({h2eLiwnrd2 z@ilt4eEF|LHsV{urao8Ca=NkDMy>e{*`kqf-G7PV+C{NOLHnqoAywVzDP!v5Qmn^ICwv8e68$16 z>rc-!%hCgZm<6{k5wREhJwiy4O#F8`NgQGEmz#EEyQq(5f%*1tCe3){x^Y4o7jhw< zal>~=w4yZE^YuW&g0%Re)R|MgGA$AFG*m*Cb@eH!$T4)xZ=-mHsxeWYF#%+=X=?&n z#O0#tE(QTfvR^b|TY;REUHlZyS4d*2O*!yE$RqWFM=hAKXU-=zb<$^}(b|V%N5SPQ z7Vch>dX3x^wnz6Vvom(;E|`h3qbSip$SU-x)xIs9$&`WAH~buV(p&6Vfh$)6T|E!i zqjQIRe>9gEGIiU5Zfc)E{6q}SaLT)>rrmT0V-PXt8O+aLjV*>kYV%x@oEL4u+W9560cw{i;y)>4@L4sGv@37Nk5U2p0{#$Z2XV4 zJr0ZsWQ2hTQk_vGm~AMpzYYbh9$gH*A9Zv2V6KgCQz&ilm2ixx;V-e9CBJMrVu`;j zTIr2P+*TV_(~>0;QjC*{h{u8;(597wSO36?l?so2pBzo_lJ45mU?#BOn(uwDkCoz> z8l<*(4{}qQ7|W#-HL%^*-HNkJ{twszsI;I5JmSDKz~>7*qRvxJw+Z(f!7c7D5j^DJ zIU5Ba1P~3__bonyNHOg%Zmz_><2?C1ub=nL__*!1ZQQu7U_*Fz0}wiL8a~@aro<>~ z*UF%6c&xQoRL>ruU 
zyW19>jkY#D?`b?AYx)HVJUoX_Ld_g#KF%Rv+h145hcn7M#&yr~7Lg`7-k*69l~(|F zz8PR5`yNZei8A-)dI=4MYRd7<;c`XObJ8P6jOI}nhV24$NtOo$A2IXkr)7_j&s*ff zEyT;!aW^MA0B2RN?DNY*v+nfYgH`d2oA=TuKpDhx8&LK(HAXwn z=V6=(s0>s)ZbPeXe@|4x{U;6Z9Nrfx^3B=$ctg8)C{J(@p8zOro`q2@DcHE4 zCai66pLa!2KP)?la5Ylek9n^2ET?q^eZ9t4T*;XN+!H!f5VL!3j!kYVGoM%Kp*w45 zzT?+gGQO^>~_aI;KV? z0QK8MGcmfXxf)+|2cz^Vp!4$82uP50LONmFCXN8j!ujfd8T16Q6;3ojY91 zcEAig;?9uIc@Pfv*WoiT_pLSjIL%tznDABOBj&T|$;Ue!5Fp)k4a|r&&AtFSo(%b@ zyA6ypO|{~Q_5Nm33B1LGFtQ@7XB$u%d7WKFMX`fN(^P33_Eaao3Bj?mXObo zAuHUvuoWm`A%{OBCH~2RY+iZ3R*fc2kCG&vFYc^s1fn{w>si)^C{2{wff;mVTZxD_ znR=2gKeup;{+P+P0+t_n83z`IqyA?Ib`K_?PMtqggAtV|Z|Ea0oSe;D^R8T{G@)wyG4BJGo_rhM(ns24FVFkPqPEp*`ZD`_)!q5fc=r z5if&t5e1q^66%#nV}0lA&m(ojVi=VkF%#r7C0QAN5mStL)~e zk~l%Q`pU&Yj7bP@ELW+p5LGE=-VC!BGm$L0LO0&L&Wl8-o_^e+t{`S#T$|#tD*yWB zEpq>T5#17H{>&eJ!7Ul;etgiZpd0*^DOIm()v}m4nHC2lt6gO<*lCj{dI*uU0Ur@T zsB>_XFT22i(d1!FIk_xmS3dz?WC^v`qj5{*lKvMYxn_BpVtens-I>SR%%;vFoEMg^H-rO`nX z)fguFtVTvkM6nCT%~Q^vnu7GOE$K}9JSnFuUJSJxMtJ8>V*E1B74o=S!P=8k4VfT1?Le{R{P+CK>n)L!E}5b5z|;} zlY}p0j{RRemSS-u9!BXC&bnxY#Kgl)CBh7R5RN_cwqTLFi`oP`r2*Nh(-!iHg}*E* zU-SZo=jGC!)X}RTOV3E^&!iI$$(T)<%?#q>f8tUmq%%$45peg-8p-}HN?*Mptp7Ab zCm*vkh`%pG!SQZ|gP^3{i{{V8wl1?g~tlX-S!HQ?$ z`TqlKA9!^CFx(=bWDW2O?@kHGme=wA1hfPC@gfW0{Sph<{T_e!M^1UrgAZge{Ch;c zast*|XgWOyAaY($mnQaOl(U>(FVJTErNynL3{I{RReh$JW2~H3`XYF04{f@VoYf4T zojh#rhpRR+?;GaaM=WzVJKArfrillaQ?ORK&!3^;Dr~$4kMs@}D|A9$Sj~a?KdwK{ zJbI*;X|!yM8irGPJinSLYU*eHUUNazG)$7blANI3Xn#ybENj|TpGTIt9iCOTPo)<_v+qYv!HWMBd zhb>yWWe3^UiZt(+0|AMxT`wRMFS8vwwmV(>n+-UsF9SV^fGR-4)-Q|7j-5*+T({@x zEtc1{WS1S6F}fA)+x@B@52s>v^^YU29WP8C^G-J4T4YAen}P++9ehCwv+Lui&1U2;bA{?P22`O zMfStwc1cgo<}(6|DV7#BkBTU^T+Zf_=Gid84OQjia1nIo<3-oC&*5=OY!S{Nyrv7l zCy$M(Z$(nXvZ4$Y5ztM?yI|O*)aJV(QzJs*P@pJ$VHv31c zo%X!n?^Zrhai?^bKMqwK;MnvZwwO6O7s#@jG_4a#R=BNOq>SHJEiQ7r)%5D7BtkMB z)`=RFy#U=1**Z6pt-zA=hl8{o+b^FvATZuu2Q-H~-kl*bn95FlmIJ_GM!A zv!bJ0f?U@6&SsL1AAWxQW;M&Pv=qWc<-1RxnmtU{24T}bAYs;wBt^>_@k+8nVMz1Cbad^uza8~^&e86ZCQF)r3kTtf-GXi>OtS|y)!+;5{QV*9_ 
zGX>Z8NL`HI{Y!h`%rU*FHYPk0^S2tA46KrDdiy3~yOPkYv3;(dnbY|X3lt%O3BBQ; z_4@P=Tn{~GQ0#m7Gb7TifLgm7lVL*=t^to0hBFmd*} z%)R_ILqF0+W2RWA(NRRiV_3gafJOh9k>;GlVd%_&B^vvit>=MSERIHnj$WDA;}s(a z*DdL*6Vp?NoZasO52fc5iTEyLdnk`B6zy09Nh?tW91^cgA9 z#@)}@$T#?(@sMJ*9B!kAGloARKV8yP)2L;NnaWr27`alTc|iTYlwfo@>jhVaD=E`T zzT<{q1(F|q*Z%Q|GsGflOh|zPFbw)l>k} zFO%*6-T2C(3BtO}*WCY*aTZF(su0yPH1Y_HzoC7CyLm^)A7h4!TGA#{DTvr(rC~ou zS7Aamd(>h+ab~cZta#vc+g}(6R1D*gM2#ya&>BPO3>MN|L*; zFN0^%l%P3Hzp$XxpWa`zgQ?2#a2V|jAk z_=YP+8-YJeg(;I2`6Zk<9Vp9h1@q;LjGkQ%mXV4 zrV}x=a~s^#$71?JNJF@UoL~j@?3=(eQY0)s3IZyBo9NuKP12sl-?4al5+G@l?Pe^OtefR~>ExZIM3kiR4iMkj$K_nc4H3L%{JOJEn3&wB{3m`&NWRP1lQ1OpW_CKxT_Z@M$thC8vGVFGHv9)p$tdiU7{bFza$U!o)_+ zD(L$21?`}pgJi+RQQ0%`A8NBoue7FT7^d^uYpO%C*6QnH(h1t?!O<2oyW5J4^oMQ4 z!LsXhLV%4L?Yd!rK=r0uz@>wY%{6Y~cB|)`^91l%{mwjA)2Lu7vZvGO9UI=tG3G1d zBDG7|M*F?D4HpNd8u&VNJtlGe8Fc@NrFo%~Xp%;gXhLTjXCs`IwY~0r<8t$Q1Rlc4 z6sMk%WpD|UbF|;ldCK3QyG$Eu_OX|Kikr7%pyBM~;ZCiT*DlAZwYWbYFyM5i)}}~g+b=@A*I-as*4OzExu0gSXg;6Gzif9* zdwg60zb_e8_ZpY&$*p%xgV-V1J{PuK%L@*MX2Nfq1Xu`{!4_I2THU+&Hw9B)%i5#* z08c{K8=R)8omb1&tzRNIQxY<8Ej<>zxF4&=3_Gee&)(2rUlPr0C;n>{Go{TqpM(vo z&>V7T*-lTwEI2JgZau1(H8&14pZk>x##K6P78_P$4=J$L>JHM6>ud=Z&YtCO?>Vng zXspL;Bi1_a>ujfhtD)|fCtwQz2&4gehP?C81{all0CE2TbR5>kHUk;`K6Os&2WRmt zKQiun=y=B4EVT_vj%}a_)%th1Ww@DqEJPE(jy|hiVF5@o*nH*vrj-AtwB{nl#Ioav z>#t|N)Xs5v3<%f`Lbfo_=jhVD_Djn#&Q3A#%H&7AfAaqlcuqBEJD*BQ3cf&(Cl922 zYuUMjITM8yJTJEe&wR%*La%3i@%s_}NQ5Dng{p$NNU>#I7pX3f0OO!@8#OvxKEF%9 zyMxmxYSv_rW8Mz8N-h1BSB&Rtm{eT6rVuh3E2^D9?6weH3|I6uq$e&9?kMcAl8Iro zRh?3TV``35fegH0`vWTeI{q;Q*a;%d%>3|Z&-mELUo=JbPd!m#m9@ z16fIAk3osx{4c`@k!pU@aMUmYO5gj^Fl|(zevC7V5wu!c9PaNdNtLCYVUT;7$dJMb z-U?1L)z0*+8)Q>|Cftgmk^E>0lPhT$ThThmz_zcL1^f2i1kTnX1uY6&>FR_EVjcv{ zB(>^whXKjTK)RmP-I$*9WSY1$I=WL9cH=qMI+fdB)=D&ye*^|rI}vr>EhR(xf-!${ z)y;&<=;K7|{C=F-@dUQk4>cyKZ&LN6U>h`?(-xVjl|`87nd_DdQvVbADUDt}f31P; zs}O4j@1PhY5hd~4%G`Sh6Ehy@v)XZEIx=Qqx7sUBOkqk~X)H1mKsUUsN}zS}uz7@4>`@@S)$?uamBFa*?@jy6-$LiYN+WWsD|5Itf7SFuJ!@_$GjjC+d?2r8x{1RO{z 
zd#hH-s_Qt&5C%+y4M*#<)FjYs|1gWv%BJoG&q1(9WHH%QOU~-Gj40{hjSuKzopM%0f)A96L+76iar(9l(+bHLA=H(_%qyWiP#9r6+cleq z7Qt{gi7`)@Mof{a=U4HyYGWJ~u9BkSk;x1TFoKmjN=n2fS0_S2a?YrT7l{KrR%Oh$ zJ5vzeXwI5MAO*eOOK&F(`dA;Po(HI6MS>nYD&9iA1|JfPMIgugZp$jPsy%v3L6Y;I z@n9hnK#{=ebFKyD*`%1=b+d%t9qTH#d5H1y#>ZPiv<%2zEFozpnRZmt>?}Cf< zm2l8+zgXx_NIuO$B@&ADOD?(#E#-N+=}J_uA%Z8NN4P7NeP27>>sG0oQ^R-ef0WEk zM$^aQ#}q2YA||M9W889#JzY?%hTu)gbLD#%xC0JifPO zHS|&SlNM1;T2{pl)YwA_FKh&PQ&Be{PBr8Vl~L>Y^n%dg4=H}Y;P{Xn>ymJr$L zgB%n!g-E^ki@`~M(E zdy<1o=g)=D=-GP?E>X8S&|#q+V)FH61&BwQPN)YHatG`JKm-6azGhT@o{rQ2`HHn! z;|fI?@3t;{s#hOWM0W6To@b?TF*LM#K7u!FD7ZQ}Uk-7pyI7{X$2MweOSEGFx?u(rNh-BsKGS%s+Mo2svH;Jl-itam0Bp}4nyB6I z66dzV*(n;}o6gyU31|IrnGg4VL7UdAZvi~dTdxt#nn*_1bi+1oiq0Xl^%+(5hF+ai zl>j2wRc?rO+_7f;!+^~VgGUJ4g~$<_wCfqAw%QAf_b{x7{Yv#`z%meqn(cJdBpTrH z-gbbtWqpnC2u*^^rM#F_vwGO-)$(;4=U}68?e~PEW^}ZK)~$PTT$I38V#Tq2eYsQl zp$+~ys*T_w{yyve7bf-tRsDFWKfUM6W24jRY>#gywq?uXDyMl-hIQHPan+=`waelD z=Lt{OaGXokE+@7*rb$ijFuZr|vCd7Gd)GA++G@_{Q8(t!q4myfu1uqs_O?~dl*)TY zv(SDML94q_-3;p5u;Pnn!wUD&K$XmqkH&|FSq>XZa0w@S#Mx#2cv=LcM(oFoH`Dh0 z)zI=Z^?M0)9kxh|m)%)62?- zk&(u2DHS_Sw(DVYiBs=)`wINmw^(Kb0J5wAb9J(S0)H0XfFq$d@<4{riuc=ZyL!Tk zmE^S|F}=y)PCbAG{IKQImkoeOnP%<-#uQDaaF}$qXd`wC<2%277U~N(~ zmJYUeA+#i&5j1%hzxd$_&Y1KvG^9dYwS-lZrTpBN<}Fczzu9g$gjzkVrUAp@Ou*nXphsbC9qi&kTlhV7=`AIp96xYz>S(P1Kf ziXU&ks=RyNb1d^0&EtX>7(RPx6A>d_AYdqxYIE_RUAz6><-4akL?g)^-C}9e#EbO) z1WNl`Z`XPeZ>hxqyup1}mSlM*1UM z8o>UyTv|~Y1QOHfN-?zJ3pM&lutUpSh?TUd!U*l>h`l1xMD|g?(%5**k!HJ^XxJZV z<51z24AKi(v|V=T%NEBKFt(D2NGj?Lntc$qxHDNz8Cc3L8kUj9421SRRs~B$7^!~; zoC`<&f?ChwQn@A`e^nxa#IgO~uhhZi2-ErBW+W-!J{Ezs520R(z!c<-DHKy@cfgEH8^FZd zngz(1`*sFQcA+xWJt5}Q`0*G^96umf!$y7(hQTiXtA_5W@jJ4sh<0(|aaH)Ek~R~@ z%3tQT&0TV1sdSADI`$XwyDP#E4Iz}iPVezq%d%OP#j+g(2{FZ{_(F?P#xs0Kt$=m1 zz{cMyn24sq*~nD*BPk$6T;sL8B2?fB&6x9GGc__+9-Q94RAQe+DOea@Su6OA{&7Ka zrTCeRl#CcbSHAHPn@R5z6Z9EDo!S=3siGexB)Bs_-rD6~t(@CZn=wum?xKz-X6-Vx z=2zsFGiJyQCjV194(AjP^|XczDU7np@XMV$u!xVxzTepti2= 
z`7q)9rL^OuuwaEOafg9x=X!XMB3;&Lml5K{+)hR*XQZR#Z1bdQ0dlF8qr_QrPCp)Y znJ@Lgb0}hL%`;u_B_147!J1Gi!p^MLWy9;vTl&tjZ5OT?uDJgL4?c{tpaQ6(z%*{) zhunWX#vaTWdP4iI-^3$KlKe;ePW1_)_UDU4Ob;}OgmnKq;pFf144kS#i_};_^Y-4C z2zQrW%CGCH=B4nGfsAU#11m;vK*7YdF>mQ0CbMY{^z*8}N8=bCddmKpTLkLa zNZNfj;-gyU;tE=&$Ec;i+e7ZS7J3K6aD}_J=_S_(F!Vy>e&8U%N!xA+{LuC=JANN? z!F@8eFL{2gj^lZc^ibh?@>Ni0(droPNZYW{zKM43eq6+jX4{XG(cUs$hFw=S+1}8; z6M9;CxvG8V52>n`Z_A}O?wp;U$oApCVbSpEJb#zbdOHhtxjyT*-QK)SBf{Y%{1~@^ z;>i9O<2(D_RRfy^wi%+=-o|hjeZq4nnGU|);O=WVTaGITcM%aufn0S|%dL*W)gPY@ z6q---aRUw0O*a-gQaXlR&%2QgxSR%4TDexw9Jh@qE^b!|1u0v5bpqL2@59^kHdc%W zYaZ2G_ir4QFAXx%UY+l~P7^q-hX*M{UoW(Z8II4**Dv|DDGdeFBU z7WpSQomQ<4TzYo4=^mOlT2{XjD-K@UsZ=;$R@VhG&Nc5+ThRVy9$0leiErqSMtV7G zzSO|S*esbyK6ko~JWywK1Xo*2a@k*4WDs7jXRzXSJ#8+-Cah_>JlsRGWY#_o6p`eN zdVReE>47w^5C3!divaeL#r1dZ+1mF#<=9EPglbyiv3Yrao>+YJd?9~9Bs@XIofJRs zYZ`lheW&M`mOM8EZ$kfJJa{H;x=~uP#OQs+DP#p3W)yZEpugqkxIWHG7P*(A9V~F~ zPXAABN4NA#A8+C}*~)`uT^AEd7jAfm+5&y5k2bJ`(gp2)JZ%R&8;ZdD&4^JEaPgfczcE zju@;Kzp*}{e}bzvX+B%fKFN|?6+-bqBHUv-pL-%Nop!8;YIEwvRE11`2MXF;IHKzB z@o4p$3RqKff}IJ;d&9Z$XZ9~SoJeuP0te*XG-2-h^fhq8KA3S=@uV8ZfVQ!|M7xaO}uz}^g ziyn#K&hU!V!6eqP3vw6JweVrQKD@ipfKX@{I5pqz#cqV=Gx~SHu^;qa_OC z^$i$F<&K1V)v4jz*rk>={F4}eRn5a7Awoe<&K8vNb1Z@ICd4lk zG|Ox>zl$9K=@U~Hl{b$DO-0^N8=!6Dq{=IgT50#YYPRxi5i4dhMWb8z&01HkRwzgE ziE+>o#4mS`kA|G(+_h;L61%9#i11{uEPsjw$DFz{z5-D?D+3cwMGrNew}BZAuBF7{ zFb&TIG?Axt8?Yg*`|NRwe#Hd{e15+U>;9(P$DIG7Tr=j@FunG)@ZW`C0;3O|FKv`?(WhM0t9z=cXto&?(XhxP4{J=E9cyoRrOR4 zHEPuQm&|WApsJ=bXlg%)l9yQki?gh5G~ks0}&`01Z5=S;C_-b zy&#K&uk`WfK7p2jB}%~^&YAtfubmRJXOvof)P`BLbWgK#s}z)!#Bif2u9RlFDGkNB zHmY`~e8w)WddtdwGZr5;N+n5|F&dhp<@8e&g(8%)PzCmc1gbd`^KTq1ZxMrJtN~Ql zE?t6D8x(QNM8+SO*!o;l0@ch3dPA&Ir={t zYfRx0k;M-l{t?9Gc#{tj5C^#f5etMz>}v^VFDi>fhX%h(S+t``I2!37u87DXNntU+71xl(d0$z*o`Mvq(v# zy>gBWnE=v~iS#GjTWjft3Q+eW$v7c>G z!^rgFDylbuQJWk2kbZ<2F$c<2(|syfr{m0l%Z(lk{C9pPHehFVZh4m4l=a`?DgQqdvHVFiZP430tSGtz8u{P;<`00F{(Ff3N5U1V^&9{&%f)SN0Kr}! 
zL4J%r=CYtkRW41R9jfqC+xPs(4a`GN)$jDYF2&AihB%duUE3~=33yKO;u8U<-_{+U zx}k`kpTpHfyGsdYg4Nc~xEdFtwFrFOciMx~iQJc}-m-n6-D7@#<65sH$l}?H4A=8E zVe9of76MvKN?2I)H*FXp@BDptW?RQ#Fr4bnd&76+ zIy`YbJ{9><)3bfZZOi;}Z;S!BN6fUfT{L7)bnDZyin|7RS>V189Or?Z^27$8U7@e7 zd)nQDw8OWPiGX(ur<+RPJHJ>@pMDo~OR6htp=8JNyd(sC__C95|tr*^zcv~$Bmshq8 z1fE>XniGcqcY>9$;ekMK{v!j^q=)O_dH`x0yqmK|Tiw3S$KTE`?ySAZA6bLM%|AAV z<5TyIysYxANt6K)(5t+eA1H)ojzgWbjV85Fh6o;x zMhucD{4TOvxW!=-Q?;~0CbRSj$5WMdY?Ba0k5J^RKu#zeZJ`T|&A-{8l=9-xCjZ&~ zDOBheW&PKZ#SrU-JZ4l9RtvK@Lnt~dp+1~>R-rM9HqPyP9KH$9%6p~`G{=-b-5GA~tO<{zNV2mXhQKi&GSfw;ASr&4u~G==RQr57Shwp*$Xl?R z7C=JK=h&IH+8iNMC_{6oQAH-ioeO(iV&p#C8DacT#8^XQVCJ*yy$CUwaAHtPkbzH+ z*vCRvi+2sVmnoISQ>`my4|AzSaC0(b;Wsm8mM$o5JDj&JJ@2=4LP04QwU8-GD<>AQ4?G$mak%|(L1g~X^c<Pocbl0u*iA zra&0l9f^a6G&9_-;6S%fe1{WMu|;y9IQ28(`uWoc>&m#|!|`9s^hlr9-TF%DpbF=! zI16r^HWd*(R4k_lrmtp76*+WEzlWpyVpv@Smthg6!58}}Zm>$>G&=IZY}4~TjM2Jg zI7Z&LGsLOkb2GjG?3^IYui4e<5Rn8iThc56ZO|+*;`oDJcjwyvQVel9>;pPw8SZU( zt=K1h!kzR~YD$w0G5l($)*2dr7Qr$kd7?T_8p@b0x~s^+)@!+{R8+N5rE|Pc#?Uqy zY?D|X8Q=(w9sba;tU9z3Yhk8SFS(yO8u;zMOk>0zcJX+DuwsE|)7 zFKrh({M$cUIn1h+hn|}`OTPE7aK1t2zYF0ll5$5k1%(K&6xvp)Jpb8)toXg#AAh&e zC#Ug~==EWszjL;kgPE-)gSD>5z%(m+p&Lxgn#`BOg?ShLWsAFY5 zin5NNnMn94(ax0?wdcM?tvt>=Xt*o{fvl7&Eol105=BQ@hc2!)@bm zT}DIFZPDeLe^zXv1BQFi?A*s0`OWaab2vfKcD+7PGT>CG(!_Qiy&!4k@be^FT?5Rk zoOACQ-{B$YP-Jl0CzySew#nk*mLN?jqgiBl!cHxFj$Wg__z^8~Vcf>JeSfn+o5(m3 zrgYKQAfh1GaJ4_EdwvSop%PL`ixTDRHHzZqHVn9?!@2fe9g`9c#1+lnYSNi@dPr37CxXYgBKBiK2P;|$i=qJOhH5y@HlMm_X5 zJXSS8ThG}b(sT)H-#}%Yrm4dF^BhcH%7gU}S%M{wBAx1d4d^}9wAl}r8wVdq!_)jTI!Te<~4*Kz{vG!<-;Q~@H$d1{{a;sRA2niu0`Ob2 zJm?Hc>qV6@i}x%sz3TlTT-*2gJdG){`(Ss9sCK$?pz{s8qxm*c+tvew*9l!^WzWrI zb2FwJur#V<8q|+ASayiLWa~ZflCA4I_YmR|a`1yVVG^&xJ!^IE<&0?6nlM4ftuT`) z?6kKi9iG_7$pF0BSfQO3u3P83w;1YrZ~&hwfJNNobG~e(x_I%~Jy}WLxKupq^nOG>1+0&pAvS4!#eQ1Z zTSHH$3L`zV8~ig+26nXsQwL01^RzAmpNPw+O$^t8SL=DQiy2R2@_N@q-k;+s6*5G{2%U!W~* z-uyBfJdi!VHg^9Bsk1WO5tUE%-R23Yd@D8utXRukpU7$Z`Tf&U^LS1yj92&JxGOzi 
zkjbifvS+f&estVvyL;j{TbttY{>szXxZ+23UiX-bZ=-uc^zzi4y?MMu%w*IFQhb;e z&tXs#Q)}Dt$0dL4m{q*}^sG1q6@A3TmMpfuxQJ0e^$K5$E%(=b7!~1m` z0g&n~Ma922$3;v_^l&~k>A8Eh1WA4Y_MAb)djEI#cpJb6i@Y(&MIguc4;()y3j#Ff z{zr2C48er-6m^laQtff;X6Zv>kA{E+aanA>y1DdZI4drrQ1CX)<1e;oD^OQ3 zgh%7%8x-hNo5eCeIbO@jT1dH#O5-|VUmQx|4E)mVpF4KvHP2)Qh&DRs88=2*_OCOD`ko%lVFrbevF%wVYk<2`XCKeCj^bI z32U8y|LcOC%@~$5T(J>_({Bs|fq^t}C`0neauT;tcE3OcKZ;5FTZPksC_PsXBE zFVsLqjY_q~y`XN4Ro9op7Ok>n(v~nW!Ikf0ypnv>h6hed$5>twa3vmd^l5~@=+dy3 z{%O{hs|%4u%C>xmcB0p_imj3rRO1M3Izkk}vxfeGWJQl)7F=4IN#$=*^85}8kyWoJ zR~&00NnR*Vq*cn#Rp2afN{Eg0Qkul~s>|iT>^0n1YbVhEI#WJ@~Hfn{nEMtngi~>ToZG{mIYA4ox~yS z-!dfZNP8g+k^Ln?)$0?glkucSoD~kg$A!f;5#^6Q6*FB=P{K+N`)0X*=51#v7zwL< zl~WKVFe{-3YxsF8z7%7&LQ!I=wob@&`3oXN`qUkKfb?n8>^s^5ZR%*pvc)-}=a9k0x--g`-1#lM3)#y5Wcsr;a10UFlH0 z91>I|tn0TxD^+2SI#w!;J#bO8e!6X%!a6ltiKqEmF9|*5i7EM8;pbqTVbuzriQ=^X z{I_eV_W;h_vW5em-^>jWj3Jhvg|UNGs2C#axy6d`-E1suSa6>l#lA~_#dMJ@{$Tgu zG9#u`Ow;rne77D3xImhLm5|hGu)UrzS&UDYv8u8$X|mkTXKXj?1Gl2-(jLX=9nH)@ ztxgJ>s9*nJLW2`)7&_wY+<4xx!rgDua9-53r;2f>@||#l9+W6ErP5ZIhjB(~aclEG zA1AI#G4E>02IPS83tvu{n-8A`rhy87Fd;X7hW`&`R?^ z%-64Ng%;oyGc9(%uo$c@F!|jM!n%Vu80=%-0Rn~_O#>B`T(|*m`Yo4juvgEw+(7*v z{+l37w?FA%J!GQ#kxS(19m8sXA)tGO$2+o$XD7gxjq8#nfjHjW?jHQm%m|#+2J(~b zMsqRoJ)4{R)h>!65O)ook1hIo&*|H^NqKB$yRUi;CWUN1)Jtb~k#*H~OetzBB4^az zzfS*vrM&9M*8XV9avfJR&Cy6J_G?ku+^XFD$N@V8YDKOe_f{& z*KzRkZLUmQDJH%fJtW4y-LSoCd-gTBbPnNvnZJ6UNQM%?IkZdD_I?13icVG9>p`wX z8uN3Xx~I3+?=vUleRd0?lkh#(z`JSjmmbb*;*f^*wc}V~@Xqd2RO<}CvVhfA>R87O zc+mVEw92pk{to*{xwM@v;PbMsjhyLx$GON-T;X@ED1GUDg8xJWvOGvxVB|gCkpeD_ zr4lxE?&L^a&q_VHIh|nEc@wzyp{r+ku9FsbJNBBSVkXa2Z|)`~GWps@e&~5F8abXa zS~p*rh?|a8fxOl?i2@(K+)Mc(07BiH^9(o&>QSH7NaitgjvrBZx zW$;}|xx4;d2b&zPSLqME*Yp3%u8^&D2qM)7M`!LG08Dsh1jj$s^1Q~ML9oVZS(5hP zGmbLsuK=wdHAjB&M;%Mv=edzJ+=e=GcLf;rc}7l7(t5N|v9&gspw&RkL)ae@>t{`j zIHqVcaVo}fsj89=UK#O!ynQbzKXaNnfH zFUKWYHo+fzWN=h#IBAjJ)6?2CD8FJpSS2N6D54lriin+ZmvYXV9_z54c_f8u3s~P5 z`>AmdNb#T?wQ(01MLh@s7Ctq)p$&n;K9ic3;|+TnD-fXs%KW6|Nx*ulJ4i#aX0Q-$ 
z6wieIjOoSyZ>;A)NYXuQ(7#Ty1BLV6h1V9C?flDWGZpy!fmL7H(XwxYtbNF-L34N6 zFKrv3WXS%ZIXHU0JZC^Cu6mR^XZAN{;qG&RxN(N|2vvdJ;#GgE5I4?_!t4~8M4A4! z?FPM;5T_kQhFYFBUYl1EZXs>f=Yl_zF?9H?Zt$)dVv^V8at0_U5$QgW(&Xf|EJQ2= zaojjZ7exI>2Uvq-M5&Why;@Dec!E8Wybe)y8L=$iop6~dBxO|yuJfqnz7^;(rv>xh zYn7U<`lr?&6zi~ss6-D{o9oZrC))4#G03dDXd={h#7I9~**hd*D>3cS ztNuGIyi6CEF_Ta>!MgFAqlwjjl%Dm=U#mZCdhxP6Bfxtg{_r{1tNaTwxX;-|Amvr( zGbb}!t7o7ed<_4?1HLm0g9g;MDQY|EfD(28v zQcc?;BTI=Q3{vu%2T9aNcv2g9Uxu`wc@u|azKsh?l`IIKCBsgSVhDzY8*|rgk2|c} z;$=om5ma#r5$>WiCj#`M>vJ*Hsc4!<%5BS-0?af>VNK1UBVa9O$>s#k1ie_;Vh|2! z!kL;*{A&oiP5&BFAz=L$lw#l2t4cNU9@h!nDg{}MRSP9>`_WaB5mZ?jr&da7SI7&a$AKp6z#*1;_nCV^Z3g);HQ*qXYKyH{s&SlV`&wX zHkH+3vZWpl{H|XDGF?iH0(>mixPexhrZ!jJeJV3AwXE9B*Qllglg)uO&zU#o0K zpY@(W@7D|ASHR`Gt4hxv`kf3H=DQ5<%N0ZZFYolPpa|u|wj)AtPsmkOsG>UG{Wv;) z=G)*Dam$&Fs>TEOjB(@mq|Xj$9B3Ok^z;mxe~{C>OugR)YL0fDvjPuylHuvDo{l+- zZJYHBTl*gQL9xC>9^Q$YmDsxA^k`rz&(kPkRO{Z12*hosYjGV>o!9L;#cPJVd(G~! zf~`Vb-J@LFch`PjR#>7Fe9puKUPE8w!sF2FT z6SsqqnEdbvok+WO&t0p$Z5vKlxZ*P#1q9w_dqV5|nxtH7mz=w`-m?Q}Rp z$HML0w(86vDiW>U&BdEle)pH<+29lI*Dn1GpA|i1#?y$jd`zDTQgUH@AM>t1nK+BzHB@S6AT z&nup2duD$W^g-giOQM3o&u$;Pu+DrP5ySH-_he{o-tcqF3~>W^d_1OIfyb>8b9C%? 
z_ys^(p!{)EG}nD0AIRs%vVR_##un9Sa>$Bpi5SkOQx8r-Q8h|%5)1v5aOANRLfk*3KZG=o zgc=VxY};|aGat{$a4^$1=#{0P64^H~c~gZ)insMv4%x^)?_1?8o#wg3ULF-t54U*= zoa4rED&^=gStR454HVSi;EQ~XvSfC#(Fzn^P&CZ87~N1rty$~LA!_=o@u_%Igxago z@yDz*GoxzTgo#u&yOv~A*sfCEC=%KWHNcKUk(Dt$>wEo*4e>BV!POZ+t82{x-Y8q* z#fb7?70*P-mG=klqaa?i)ySWP{_b^EcHh~)dB7gGJzPf2eqoJth$`V*Vh$7eWX350ijxofJnBbzUQOpo4CY}66 z*FZw8QQh%c%t^O(5h@l&pr1P;tkr`3njSLSrVq;?Wl_|Zff7w!4gV!C(IH2;N(t>t zhIkviJ(m1q2ks!86X=zQ(?6TC@cqnH^A?k6)3s`oKO*=@$iJ(a^C2ix zcdHV^pgUPjaO__xL;5DpUO39$rNb5qh1%FQAQ#0S`fBI@G?B-rK*W-#2Tp@AP-Dgh zDRgsvGIP7vD&Jh|TL0R+Ucl2FUdLFR*|qX1IkJ)dYf~0O+b&R(wfY`jlk@elUFmmH zfMblM+fCWj;WD%SxEY#Ey=8mu%DJGO67kLG9~TF#Utii_Oeb8p=PX&tY^4|6Qo`Q9 zLD4VmbAQingQ9g2R-(^jd{Qz-R!Zc{p5$s*HAb6OhErm1tP?y7Vq|2eGOA4YN3uSm z32zXYqv-gJw~3zhggvw0CHI#j%r2~@$84@~47s$|R^|3YQYH$UZZ;}yQ{aqhKGDy7 zC+w8%KdCnueEhh@l4hG6sxw^U9`T@r0>P%A*>T2|5qG zPHCtno~r_WX4}9hr?0}(kxgC63BRp<-!~qgoG-=uK1-gKB&nvxjr`{%2 zI#Og%%;&NLAA+o%aTMNR=zp#d_3g(P=a`(;rxweGWUDZ!9+`aE)?_H_?=-cYhXrvF z!;8=uXfBT1jeCyL=cwC=_hwp{ccQ)X?9;Db?RUAlinA!+A#p$ z?vLf&UT>W{n%$c=hh*ZLw*=|hN;+C=#s9>rPLe1`GZ=j6he7bPR#Z4a@y`1#>)r^ ze3f@fp9tJOIpZ|V=G)2rk>$M;`xdq88QLtL+fhETd03hGl&LWk*{pHPIi+ve$mGWN zwk^N4VZDX0$$PPrU-xwBGjLsC{?vAf=rdG)>3z-vj`U92qI4d!8{WOLZ+e6o%YWa< z(zxm9WL&r3Bdl({`m`-#m+veOdC`WQ_~}zSG3jIf#&7R?*>K$CYCmDaZE)4LJH9Kt z#_tY^{Q>%EyAX}6z28~S_%E`uvJcrej{wm4!OX7Wdv4#4J!`CA?Qx7;xonw0H^1;+ z+zv{V2b|2uSD7SrUe)fQJ$3py+FfMZzutQ92TM<`xM_pUHjkpg&>nQg#4-FoqmbgF zGCfT?7SOKNUAD~Z?dzXksR(&qHwx*3(tV0_ezsj-R_jCb4t3)R0+bzWW>C;l?TsHAbC=gUM58A!Un#2W_K4Pz#m%{a=1yh{C35{_s`h8d{B zkpASW#$GK2u$NkBS*7gDMwQT|X~>Wzpp?BFYTQTY6fcw=stSb5Qa6bqws{GY7z;h@ z$)QKg;s)7%ks~=4V^XZ*)N+hSPy7@fzvJ-5Ti58k6i^`dS4Ou=1iMI|$ zWA(#n;#cP$l0T1?Yj-wedcU9m4xSkM&NeR1Max01?nVcRypcfmO^B&7^5iqEQBTRt z&Dh8vNz3oMY6;6SZbIMxzBVPoZ_NI}!G{0kbP7azMc;g62w`ku>$Aba|CJ&>LNPBE zT{@~O6q6xKdHr`_s_l|GB9%lV*T z4}w_1aPvy=+F@DLa>lkW^q(w49!afu@eNKz1~N+Jg=HdBvvZZCn;;qD(>zC7Ia54M z1S=P(*^+Ix9O^EWH_dR^V9>qjG{us>v75ZH 
zpF{V$D%iL-Na9Ok_!e+*27NM7K)FmdWxE>Yllw$p=s;nkYBd8mgbXK)BX*4de}8bs z`3_&SAUnJEmk*Dw<4_WnLV@GgD_&SbE1*x9tmw_CF6ACeY(CK}w5ct)1LUf4@hWX5 z`>4!ero%+VVS7ZFWPy%!V*Z{%}UnWLe@t zGxeFqC=TpOh`gd{T0<4uDPU_LC$5foRO}flF)Z9(l%C5VIazj?dMk&wCq=BpraO0{ zX~U5->!an)&o?T5JHqrVs&&#boxX2ja1LPTLpLcEFF>3eqFuq~Ie_Ga@4UM3V0 z)8BAnC7f#ZC&e4KW-u7fTs&O-NVjgm>fY0ci~B5XPKmhMueUXw;ZE#vDbW@1w^6n^ z-E&3ybU+^J%FcDk@JtU>yhq&3_Pg3YPI3V%9Kw1eB!39v@Q**d6g)?9~eE;-@|lgi1T1c*Lf$>-frFf zrL~2l>n$tZT}gf2^2s>a_b%(83JKDpWtx8qr+$WQ;&fHFjSKX-OWd(svjL0sPIf*m z8qvByCfdwBlDm$l8wFNSR*p-L;vNU~S+3w$E~>U(zpk{I>Yn79>K}z} z0c%dlV3%K+9$&9V+ZXi=gSd|_y!Obs`tApdp2d$SIg<3(Y-U1|vue*qnk&mE+n!HM zX?n8YB9S{CN4go@*RhJv9S%k8$nux7ul%%6U&tvr-P-=|YSrKBg16Vv@_T?R1_&Dm%LD$n6(XJObn-(cYII5TVi@EO77|9~ZHZ5EXvPhBG zXv#0w!2~d_FsrDueeQs_YEi=#sws>J`Mfe2)t+Nt;6t+^`EWMaQmzQ4L*MgNPsvn! z=~r`9QLvdKYh1@EHLQ!3g$VuPPf_N3QeK%C>Y`f-?ebD0#rc1wkuw^C=%t^zamMWO zR*9PoYe|g}d8Lq)yzroKbWY{!9Ofy=rK%{}->pWIjgxRu@|FRh7PzBGQr)tJWs_YsfIp6c2%{CTn%A zt+HLPSl6$k_EyJyJu6h%y0DkesGsu8V%6%+xK;;$=FRy|8l7#Jv2E1t-hPVDGx}Qg z_^r_lQDaqwebds}R!AoHVEQqzF6vW`ARG3zJ5!27@0J#j8nI zeQkSI>m?e$sG=s>WWv+6)>VP0@r0k1BrJSmEfG7}iJQlra@5b@6O$DIOHQ7MqtAHz z7{@+T+6F(&V)ok&>*KG*M3hR)6kwn+l%d#4LDSYn9VQdQBW=ex6R1DoG%HDBSLk(6 zz<|d~-hYm#HW&g77@tWKK7Ia@i)~)pX3|z+rkP|Sec2%4lxXswJ5JXC1!4QoXkG}N zA|wrnf6@>;p}(Q<;0s?NkS^g1*lj|4^uaJ{c8$N7yP3I}QM?>;dreMFac3>Z$@~V14c!U<^Stg{qEA8lfTvU?WP#;$Y@C4->(4SN1etWvN(qI( z9=yi20>mV}VB5-Ja+;WS7PJP}iuQRZF4q17=d zSH2M?#_9f=iL;wyI}L5n65FPT^bXYf12xI6oIBT)jB1U`4`qg$vMA*eAcbL|iZH5) zg|L>tNPA6Ww7Xizt(y`b*bAY3NDqvkikAx&$!8{wFsrH=%Z#l4#r> zwfG|Dg4B zCTWE+Gi{DPLKn1uwQ0yjE3}ZD)@9iubXp;9x3ET=OK+TvJ%vKH(dNK>5J!QV>ajZb}wH$=p2Mh9MiY z!wBIvWL^nvvNV`AoDpc~boe|g)@5|1Po{XnX)p|Nrr+3yLuBJo`PegAtR0!G#FYe! 
zYa|EA4;;ItV;%jdv3uNjiI#S1{tZoFD4Yiq?IT;ieqwN)nDkix=ZQ2GjW!uWfhU$# zbPUbX>l#YuWi$fM14^k_@u-c--o&O=gi;EW>n>-jDZ@ro6B{6r;azB%nK@g*h%o0# z2>hw%d2Fm&rY>?~CpWo$8FQAJGV0n6M^N%)*%)*f*#PflvM|9cLcay)D|J@RXfB4g zc=p`sB063+phvc*90^0eQ2vLuE*Nt*_S^I5{rM2%JboW(Xqt~((V+RDpV|5U3#$Nj z9N}TnS>SZ)OLuj??<%nB?aor0;mgMenVS3kFAx<%iY*H1kt7JjqMqu$0&oRm-_8`C zWh1>itmLDOoYl2CO+<~|)i3JIzCS$JpQev0F}-dd60djkvrL(DbwCr@`OLzEUv<1v zI%9QvcOM~jyhvgCZLDeXtoj^LIsYbyr?JY{zwDS&Ccbps{_M`zP!HT%m7nN3e%b3_ zu+w?{m{fGbY@LU3G+oN>}4b9TiElx z4OMR}`&}U;2RCnmGGQO3=o=?u+s7d@ep|e!aYuH5*NMRFjJN$=aSQ9k$<5=A3;WeR z-J5|ibK-ihql`KCHir%MXz#%mn-e&@_q_$__Mr%lr*(s8b?d|?49Rcgimi9vzaYy4q5^@7F zc4Q5)_@oO7Z=SpIa9;sGP3}^$N`DoVn5DbdlQT=y5lFn4k2Nned z1~&d^@-}!9yUCmCf&ii*ke!FE>D1S3h{~Hgh-#j^_KADsD(?&s!yd~VWQaOq6w7oD z7&X6ykOQIKVdE-$f17Y6Vf(!|KlaW;?svj?3mi+fQ&QIpl;pq6MHENxYu0?T_Q3w( z~`w6YcM zH@Vk}MeiS1_F;3>xm3z}g%syDp2TU8EF#@&=iAEBJf31W;!9Fy_lq5m}iZl z*=?$X_X$}Pn>&Qc*B$!hC_|HtsYbCy$n{0>>{hT1hl0i7SoWVYW)1RsQY0*m|BZ_i zezyHS+$JT{YZR_*TBH1{!LLAGL_HzMs9o{6tYTx5EVJNaVEY61swuNp(7EAXL%TAM%Xgo?Vh31acW1b66<@GCEQK}tJEZeI~dn4^qSJosLno_ zH80DRO5zMq4x6Cx=C3aJguJt!b>ARZ36R|o3!nQ>?4FOm+Gjsc?WZ3B5IELB`Vd7d zGf1{gfP|6dd;tv}HFsjufvRCAi7DSSHWYMa8FyF8kB;?UT+)W<6-N=V@+^^Rnd1oj zjBzTFv*{M$IUDOJ5*)m&Sr~B_QcU`=sJ{JJd%~KGJXRBPu;}e}&}_XkpMoQ+XSs;yVZ= zJd&rL#vAvaMqXPXO8gr!W04PKG^1IeeysR1|Cm8~*z`cj8Uy!-Ni1nwZZ_WynS)kJ zS+*5bhO-D(O@wZPb30ALTw_oe3DOTV5!pSTy2)mTghKYIR8HC6%~vhKD?sql!?r(A z59RW%hFX^i+X?(fx|JYU@wW)RCN=4yYEG1|4=Dxw`WKNGDLRw31$h(hHq8If${wmS%*AO9z!>VF)@eu7L#-qsiXr>C*)t7@Yw zB_5havGqKDaP~-Z*ugJXGB_{gYUDFhul-;?=87X~PEODtWkE{B^&{noDAzD3@dpIE zA!|q66i3mxbLlpHN+sITh=yTllQFmL!S%ne@OrJ&7X1r8n^Qjw;i?5!8isq{?FuP` zzE&SXkDFk;iA>=i!UiGPxmYGDvhyhKTF*paPH6m(02B%&rD&9Rof-#k=}W&gK=|%g z&AdTJ@37f!u^4g%f9J8Uv*!UX$Zg-Ak&${F-~+EQKvy3M-zm(qknH$&k`K-$(t8io z6J#ftxUz2ME4B~x)`QOhRl@iN`eu7y71O!j<_%yYSRiA=*8^mH)d_w-OC~-7zFn^3 zcLTw8TiqNVSm?}29#CfF$&lK{Zd@j^ufzLN06+37JIG)A_Mkmk;}G6_YA4N|kM(H{ zpWt=!oUN)c>>fl2@G)EI*%|I|z>deWRJLjBqRbrVR_QxGuq{*_y`_aj*TMVx 
zV6+h1d~;T*zYZQpAv@Q+qFl&?F3)-(?EKXn|vSA z7(u5Qy1w3St|%K13ssOszw?Z%t@~y8)wz3-kkNqV%wT(N4eb6co-^KcA*TCo*Wtrz zf_Jl%)7y4?fxCWwDt-5#;Qb`JqAtifQFBDpiuI!5Q6ZAaun;b||CigvmbRZolH_M79~`>_#B9{OgJPJ?oim*G8s%*3-%p zWatJ0I0sCdKYx6Q_8(uOJIGv^$LkDV9RfuogBXu%_-enSZ#Vqz4tW`W2X+O3mBWi# zIVrU%Ddo?D9*DgSLFT(grBSr%fo-=~NO-*nhl$N*m&21YdjdODdil{!_jhja;&E;i&rtExRGwH+{oXPl7Y@ zIz6d$FJG@uC2Wfw8CyqjQq37X23%}t27I(LqW*V-wmnvu<(xdDs<0#Mw3w`#YDi*m zsq>W-`qtb0T>7HU*UajNtc53YUnJk`02TW+vpLZJ5Cz=o`G`z&>~L~gUCOG}y`kl3 zy84wXPjr7YoyxW(=T&5^ z_gn9`10xP1Nz1%ysTS+`Lx+I!=`dpT*qkI;+_MgHsvcj%+EM_9`mk*FaYN{NLQZIO zYMMTm4maoB-mkD@)zpYNf_|0FDU8{+v394w4wbA+fl7sv`%y~%={hx03px7!uXrqf zl`JE+|F{&F<-hnSgd22>abRMFulW}CxsL_44X|JuQB0G|!rbVfDa1j!@KM0C|3V|! zOIBdfmyMWU+5_DG=I%p%M<(TzqfzrL0w1NH0}$B$L+1X-zr?vR9uA?RyCn$BBecm6 zFe*kmW9Xih;*S*Naf7h3tQ>XXzJ;lX%Ch0`tNbg2Xr=|<2SN?;SkLw9hlaSnmSDcU z2dF(rGlUa8>ExxBc%YY1aSo)Eef)rEsuI;vJYr~De-#lg5pa^-vhU6J%Xz6x`+JT5 zl5AU@nDHw6P8v+UhZPPrCn13V} zuS#JdBISu6enmflZSl5Ts%7Gw7)$!Ym|q?h1?4?8Mtu%(Qz)$ooX?L${QKt&xYmu|_Jhs@vE~1{ot-IeiM@96uezYu0j+mI zCoT?N3y`TKT%MNONwmU9Wh6%r-)O^?dJ^zy3bE8MEW)BS$Jmz-KiIQtC#nyAgY_=+ z_pD8t6Zyd)`2H%ck2B;piL?=BBFA>eX6E9{d(4E3>3U{So1U{ta0(LD&&HLa0T=JQ zA2R~%GEcaR1ZzgiIf;tIw=OLL%)C@mN}#4NM4sHYzRAn-^Dm^9+>4 zQrs+nEHs*m9S??{r(CHey2de*(7-V+;TbOQ#WY-hWrY6h807F24O(X9~+7N z!akvX&+=Oa>C;Y~aIp)lngE`+!(j*FlhYq2_wK40Ceni3r1_G&u@TA+Ywczs?u%yOIch06-E-o|&J-^deV=UvP_FVp2ph0k-#)9o8JL+eR; z@rBlMWfHKmO2B=U$9eOH*En$F;4(bodc`|Q$A-xpa0lMATixrp0_;?FpITQMyZP;I z0^ULX$V=sb=SnaSkk2tIyCsMm$r@tyYtPkq0X807uBO+b{cfllM@z@BfF4`=BGi^Taq<7bYQUMnoHJ8Ti*^o`rH_*nD+fD~VAb!)e5(UH4ST*{0Q)UB^{qdqu+_ zO)|an`PdbI>&aUp|CHyr9i#I-ROb*EpXt*$t#clBRo8t!7|K5TX0-#kyYsafN&6x~ zeNnIV{ncGvKa=0*so2ck;l6%b4X6Pr#W@7 z8e3r8x@GnrVEg{tG_A5ptmQ4<2)Y$L+pGr76SfcH``gm8#?Gr^JJR6&pHV*_l}56I zgmC`?DbzQXZ*boaSQ@3y8U7bh*AyISv~J@}GO=yjwkDd`wryu(+qP{@G_h^lb~;Jl zoT^jjzO2`-e))H;Zz&$V=){FgHC*G|erJLynG`#GQOyt`+b^0sbROe_gy{DZInH1< zls@94RacEFlgxadEzFE+xMU$Ffd6q%gmrG)ClU| 
zi0U{py1cmr(hmm%$z%vFp+C3XZB)iv^)kK+Efck8zfRbZf}3wE#w?zJS;Zt3kUM1? z`#TiX|C|;;n#L5Zi30Rs?ufGNz>~~+vPLy36uV?iy;P%W@1elWylWi0rI&E|$y&8x z6kmk8kUZA-20Z)!q??45=Sn$PMu0a~kPwJy(4U!lLzH4-^Net$6Nwksm}S$}J2>t~ zokwlifQ}^$D|$jYu4JuHW|K)|FZ}QHA7Oei7$JkFK?QM}v5CupS?_ zSB`>BfNbM7-m6yj4~s_4I&=KCvb#b^GR((3u$1eO1q9XNdqR1EFZu-21@TBtChoVH z1q7GJyXJw%6Nx`5Lqd(R#X6yV1DTvuea6<2GUMqq2Eb!2ww}_fCieX5duz=Cd|M z+c6qtTCS@Qs}?5#@%7ooHDmZo1C9`;lU|^KTKENv4--8|hd4`6t8NMqb(rMY3A8E6 z0rBNB{XzK(PpdQ_y!4_{WtZ91vHKF{UhfPy=SyZ)7#852X2fiE)PK3tHA+ZIB~01y z9>l6e|4|hoKDae7iuu79vvwb9LtsN)WA7L6@46o(8rAD$5A;H>__VMq$X;^ zXI~yGS9sy0tv9lO+#7AX6hCXkvsi|^B^b8aMBhqv4?&=c!=7(j%r;rHNpWhb|A=p3 zGj#OgqJYG#@bZ*|_OTvaQiyRYA;L*z;i3qPU^EmwgWPjXe+|2ZRl}a9A%0u!*9KvMr?*8+)(E_>q&H3e8(mpMkoi zB3BjEAscbXM2$mjyv%4VhiG<)wCt#tV$!(@CIN>btrax=q^#JPN$#AYgbNMbLTAQp zXuQr2V9&ub*ka0UzaD+w#1Sm$GLkzOk!{;o1L?kuL1s=czGX?6vO0nwQ$NLFAsAlx zDb@I-xKNB6BW0;`@aDBr3MOh4)tt?SHVFRdg+8m@V%ZK2W0QSl*>iR}HSD0krckrE ztjaLC+(@?BT;f;68gom-93A!J&{}6T1A(1PHeRR;A9E`Z?@*?AN~t8WhNC)KR-yx8 zde)V)#zE6@-XtRPpG-JaiStlwsMs6V4FIZkmkg;&s=$sZ0U(tQc_o?SBbRRawcLW6 z;YOT%YUmC600Nx%6jMtq7Y zvp|R+`|2shISfHwC8=l3HL)V?q(c=#LR=XptWerj3lW>~HJH^pc@L2K=ZnM`_R-xw zq>RhIP}Z662UxONAS|LQNv4o(i+{O!qY@E6#0mdj`V?7C{Opld_8F?v_R>xns zNq=I2ufe5ZDS1&#o1MCOYlwUZZ>n1tu!413tTcv6v|7OPN`S!+QQc4*q1wY$k_|jY zlA}n^w9iBXCjSQ?ZEcWECs9V9hyu#Mhn8mf72w~d>4jg6U{8Wn!DSBdV!cA2h_DQi zPl8;LB|pGqd?TKAYTKVfd4~b|kAu1Qy6*6V+n!tCZ69k(C)rM$axx5Z)elwOxaSBn z0<9_^k9BcdmK$5{9%n5w(0!40>ZzOin^$X^;<3EvM*~myYvVI{y-e+nc~yF%$JhR| zJUbim>&Lt6Qa(TRj}b$A0g!?_rtD_&P9B@7-m#p5675vouU;ED-q)LPYBU>3H3Wn5 z8%N(A>>r*h9y8ZI*OiF=Cyn~qRKwG_bvA9Qr7t(Y19Z-I7bnuLin~{bik3S5>nU2l z?|qLG!q0r?d-|&E_5~&XY;k_MtaX%#m)5^d%L9lsqZz-dV;H)hIEG*RJ|AR3i~ zU3cr!eBK_*#!}J`m=Y-4EX|vHhkU2vxq}#+k+c@5+1j{j?7p+IZoI6#vD3af zUM5icm!P(J#A?H)YscMw$1Lo3oA#6!a5X44{j!0*Mdv9*RBz2@W2(*Sa?5VBW1v*~ zU$oE$L*Z+LZSFN_EeMC6xd`AZVvr3i0 z+odQ=;v)Cs)|-|Ou)ak*$*bqX2Q2o#JEO&ad2BezYd&JTafd_VL+<{NBn25{>}H?SX`Nxe-A9UjX-W|6AGa 
zoR8`uDU7psLXE~rNwZ6hMk{@nPfnzG0q0N7CtM96>(qdCx{c!LBMzO;XWXR1Pi0_I zy+l7jYkV?%XOU%5oC^;s{r{#vUyalwN)e{GOFVHBMCbP(_(ZlqV2KOG6 zLFEP4G01Dh-lh{ZU^KZ`?xN*Ma%%IS5hO&3!HqugL(crLrRm5=a4AL-QH4HzuwEOZ z&yG88V|_79VI|Js23!!%wo2BIRa0zqOe*fWjFV>%q{NQr9=m}64Sf@7kv z7h#Q?1P-z>ZOFv^;P{0DJ{|9b)25l0sp&rJ6z(K0 zCHpQHmnTNrZyz&{@6w+sir(}K97)R^DiH)&YO`M6?xaoSZWlFiE#{I|Z?J+POu$~TCtZ|}Le&YW7e|pc;N5ue4y1LV zldj4YYq88slTlLgPrMXmY&PuhC@yp>slZ9K$z9b_Dck494_)AJDED31H8! zs}9Ru3byNJ722{{z=Umuq#=civp0tfm?6`TU{#^Qj=ToGXkLH~<^5oo(uu%}FF~k< z&_Au{^*m<0yQ586hg1;&y_JdOF5=A@1YcDGjXO4Pvo4BqRpY_GCme?~X(e@w_ zVTj$Yc9l^zRYoBRBOM&HNO4HG!9T9uhg5`eoh9EtOuWoBX$sF;rCQEavR0v$RkwuA z%MXU~lz*P27wk-q|2qyEA!0p=dsiMpSDN^HBk9 zcBS%5jz1tnP~g(^;f*p>jf89ejlQ+{D(bC^f%lfzJqJ*f)Z2}W?%zDubfV)rAknM+ zJdGIF^ZfYS;qQ6;x2#vty#62UP8au6yce+((cL_?Ki`VLUA)y%+Q?4t0&!K?5omXXqx9^XC;M145D+y1C9%#*ybC2_j{&}Kp+4zO;qvoDsIuV!r(^QX(=CXFL=UW%PVcZ06+;ht# z+HIH)0sLJC80P1^r@T;BA3sP3M`GW%5DB%;?EW(QQmvoLSA?;ews?POmGOUeU&K#M zRT19gb;yM3TVJdoEXOrR6@B`@4urWHTR+tbb`#n_iC;(nRQUx5M*R@l|r8`>7_thZM9TK#~C zQ|N@;f~o%=|FSEoFZ7{m+X7B(Z~RV@UCn8`dfqq6T0buVz=PM`(<>nB0Z?Ba!1)nY zWG(mm{rD~JADU4}LB8cZw7=u`QT}PCC*r#_M;ffV6NXSzjWA3TkgU*y|I$QD6 zV{ZB`-><{~2?b(pmSIKGaVMMH(KKt(4tuO*DGBMem=Z+#k4FT9 zc;x+4iD@mM@(x1d{jh6pgsmbX!3%6^N=(}DA(A1bX=cH=9TZt^Wz^)yu~%&D1RTO$ zsm?Sr5lp0#y^V;sn)h&4-={*IjSU>&tA$?DHj9nVrGqp z@y*tYu%v!FtA~<~X>G;?+Yw%kFWAglt4q6SUO3wD6r063_27KVA{&RbU5_x$(tOjlr5SXqCV~2U z!i!}+p9bx|R-X!c-eVP7%QE^RABH@sPL+kvh=%HtQ$w)`oSATeJj3aXiebRFJS*Vm zkWHa{WMn4oc&7A^V#-udc1)FZP=SEPK(&8#sYE$yv)5!xQUU1WdfPM`EoiDDniRy& z5J_{z(p{M(;@vwrNSX`~nZlIpv)Xn#CDJ~-JQ^IoJn5T4nj!-9%2Q$O5~Mk4^36;D zB^YTo)Kh^boom7z(CWHMQ1>b=Td}gE(F$cj7yu1$>9MssFCbwoOHD8bYwzpt=e!VX zyRU1(pG{v`RL?%cw#3x+a3;o;T=yee4GK4MiMALvh*H#|4FcMK&@#plgy(n8Yk;+Gy}qJ&6D9909^5CX8NJgt&c!Y7T9pqXmf=#NLVuS@-qD$=%B2df3; zUYJOh5mB;MpxI+qqFs)vUbUeF%_xEWU7lRm;v`0sS1&CZ{YT1gwJPNz388L3S?^3p zPRg#3d2vjrAQ8MNNUA1l?xE(d5xCUWi9`yNEy}Zc2XIF4bw<4jD35MizaVmAI*s%N8K1#F*7aT<6ISajePP`S2^E(vo9b$tSEXO@v+| 
zEBG4U6~fjQ9pNBa;o%OE7cGl+>ob)5V5f`iW*QZ{*-De0wTp~!or;!VO}5^rm=2wM z6;h&}>HV%;nVOh(!;xmy7XO8>pEz&@w7Q2>1JSROQgW{I%>7t=nv)d0eRwcv*+t@xIRqI-b#U-hwCO z_rFs{%=jfxzh%7R_2zgpYB4j99>?z`^PKPreE)}-mIv6MK^euL`KEz=)|>)=$7w@~ z*0K-<^?R-|!`#*~Sp@k!0C@uJCj!T#?1-CpAK)t;o4|{pmuj|~@|p)s#O;VS|BJEj z*K`?h!MwWt9UYtYqrGWe{Y}^-aFNDY=DvPt3Y;9KP22Pw{+xPZ=wt_Opx<=4ZvwIK*3PPqzwxqfnQq6B*)h4x`{bux*J-~iVfQ(sHKFTT z*e|y>0dCE7ZxOd8`<%P5n>vs4j8X4ixVDYk;3-6b?Y|N_nL2MzH+zJtsb55>i26D` z0w*!Q@*q#_f%Cb%wNLZPRrcSSe%{VdUmdl*#QvshuD4^%#q)s?FvL673kY5JcP{Gz z(9-sTL0OA_-0Z%S;pMYE6k@(718i44?t0h}G#P@I8|J-W4H|UOJDu}Nmut8wLe|(1z$SmxslqEX@lY-@D`1wl%3kZYM zQMNS2K~d!-b=XKj6qOS>2a%#er{dKxN6&?@mz*RFkGtp`JVZ{iWO7=};Mh92PaRnw z9Z^BSQlCgpW26qbsV9(&C8{|9MwUP3q9MhzrB#qs+OO8KDK`gJ!Ay@%&*X5HG~c;?K|l zFatEfMO$+a8H;ELyUMzU6K{yD4F$qu(ht!os46%G=uQ^2;u47KqCM7V+}#^iGyyWL zUO&px#iyy&W{FQ@0B)5({`Jk~@0v+JbkJ>DyBs94ioMIxQLvcyhNf9(D!Yl);3{KN z^NwS&Sjm+;g-pdn*>bFyjB*IIyEUvZE|2o$)=;!?tQHSsZso7GE-)x*mUHC0G!D}Q zxzsHgbn=WeA(}m98UX zF$YR&@d8z0Vl10_a&$UC8c~S`#D4T z1@8OsVO|iL)eDGgVfre{oKj*H#42_aI_Pg7AQBN&<{WWMSrDg-Uy2QoG>JQ1PAbkl zxDU>zGA9o-jrQ4*b=ijy>Quki;aCo;7kinK0$Wk6 zpG1&a(=hPtPqEgidyEP?dwh@na62-T3)*b;MTCgc;`7f;U2#h?Qy$C4NTZDWvfn(- zS}0jOs#q&nY^Uy_r4p)lfsqGXX6Gh9!wtK2PclUY7-Vf4Bm!cR=a5t|rk5y|+mF!r zDwW5(az%HYSgERpHn~K}`Fo_0JXBRw@&kSYlr70#ewNfZ0rUK;ftux?{y6DtFe&FQ z7J;JCwJL8a6?$~3qT|0L^a{v1x$wu@=?O*9Q0R+A^JS92_>gImB&y?v8xWYmG^r!m zlxP4!+0-jPqX!}X(z=>daZm`AOqmrbO^QIA#V%!ojb7FB#s88_L{zQT44SQh^%3fZrjf0gH5et`yxnmg; z!k9JjDlc_*Pz_XQ!BuiHQSulgh{JDTNHvnqLo^YQ#L-)M8eY zEYDqpMlWK5RJPWTgg+XilxFptqJnD;<_%7>4x_LTlqn#a2_+$q5Isz;7>*L5OxjD1 ztXroSX3GavgT!!h^2@WyDz6io8{aw4$;1byhQ7QU2ud_%f0K!H*POc4VX zu%F+i?vEtk?l(n^XOcFOgaz#l2I@3#SNo;`jr}z8oDFMS-Rioph*OrSpFwXj5DVPR zZ#16_ZPIe`wk;!m+4sC=*Yr|uv3mfsQES^`H(gV>UEkIutn;SkPV_UM`b_tSzO=*s zc8zR4QkP5+2;Mz@P;Auto?P!-VUM^X^w>ttH^~U?606&JGPaBFBR;^`sQDMwr1{}u z?PPktOkT}k?yTQ@9JFvU<~lE0NxX3)rX6FKjQG!aJA?#rcAgf&bNV4-f1Zw=MBK#2dw<+7f1Fqy` zcxLg(eq63|{k{L!bhV}S{$;wu57{`3yUFXGk@dn$qjev;*NsWwf2OpveZ71bdLG7k 
z^zbycU=OtTNy0J$u8C^SmfC*XyGHYvVTK>F@bc5##2y zm)oB(X#WS3P^t1kU(h>(KUXk8`|WAq*^AttgYPA0?l&Se^xw7t=hp~K{!HQnXmu}_ z9pCNTuIk?B@2Tr!^$%Nb`r}^jesErWlWd0t?!KFWi<3`uuIoDWUt_ql&Oo0}+S6Fc zj^|zO=P2lQJEuE+eS}Gdg|3?CzRjJwmP@Oy?)U#W$ZpN6flyO}z`COEKcW0*>(ac3 z+jZ`lFeHJ(DFH0S=)Weij1SYW`mkvht@S{A&9z7naxRP7m7i8HMuj!P;4qmpLkfw_YCPWtSS>A zCbhGj zHfvnWcqXXB!DjrOn@REur6KPUAz{X1!hm%9;Y?Stnx9+l`VL8K?Dl{>(q_GdF|tB! z&2_doC<~$h5nU=%RG4o2Q*B2gNv>_v9@7aNqAsmyZuU&=r(=#IZc7A$muyrv9DPY_ zbeAbup#~;+yQP;v`sio%_i(32v1g{emKAA2Iidw_uHFsosjE`}3lgh{NHnY`i>b9+ z_!4&ip$09)JgSJbcD+snprU>li#z^>^*C4r9%)&E>mTLBlZO%Xl0t2$X`$*1Y$A~r z{0uRX+dJM5m+t%&+$8SNQqNu-N7NN~XcP;tXrAL{D$24-_6)53ZsKJ2@%*dVDTHjg z!EYXccJ70TwW1wq$JrEbCz&F&SRTBS#G_yN750_|v;ZO*JxEv7%)HM0FFPfR@y{Qk z0lq^Ns$a<$M4tD&9ik0Ib?pa9D>7OijSM-S71sV*b~XrfBi$;}MF|A{zG2lG=>k9I z75US9y?s00u7oCODHKWQu#$d|GfGSedJs6JBV>#dj^$EG>+H?BUPZLLQfY;`lC=B! zoAA!Tl1UZ9sRb%$m_edriO_|_SGX*4dzevzep0m}VG23ygnV@%t_$jsA*V|iD8DSH zDHg@7n!4g2Gc%zvQ{K|y(EJt(iSDBN^eAk#0NCAVhVX;Cd@TtUt=7_iR%{Ts(ikcg zE+K!woJ>;x7!46>OMzOIy{D>A@W615RfcmoL88G8Y%|?x1>CUxlC_Z=FOjI7iRH}+ z9lT{;yMBps6*{BQ8OaMjn+HA-Y8nO2JPW&fBJ!@EQyg*W;PE{WIi+ac!>9k<(`jfl1KoR~lZzI}niws2#mG zVTxuEULG$)6*`sGl4{hzzxW}dXix%OqJ_0hFpR)6*X$?qV=IEc_IbmJ$ykULitT^! 
zsJ~|LLmX2InDKol)><$7q@1j+0G@n?4HCr%BPYL-T=W+F=ZWT$-KYNXj`HP9^*m~i zux0@xp!yM3>-+qfSM zlYcAO!@G~d%s!_NOx!fS zK~v&=Eq;JU-M8cE1FfuBc|rlF-0BEEvX&TfyyZX8nnE2ntCQ}u zbKhe-INbrNgf-94uh;haPfgeQ`aYf!)@_2kccUF6{qA=4$t~}M->&VNsBN99EYHeD zF(c@skDFenZP7empg$fE*z^_jXY@Ng3M_cOd6n;0!IJB7d=mVL(h2ElK_3>OWV-!;}`bPQ>k`hLv`{68LKg5_*$q&fD>}R`*5;y zanyhnCbH&A^|QAhm|2vM;;%E1*eA86pOFYPgUljU7J0VoaxK%~Qv#sxMJ9z9|9n&| z`=l|!D+C6X9TuHWnU}I}w?x!j_sM=K>UCsOk!%(t?<-MQX~e+7tBAs(iz>K~Bo%+c zn4^?D3N0m85{y<*+yqN7|N3dbb7O>EXB6vYIsL<_CfIylTGC~t&w=G?5+N78U*daY zT*A^^)(PP{?jv+jnZ?Y{=ER{=RW#74I?KgxzVh65L{cj{J@yFpuYvQmljWuvQ`^F5 zi<1es%~6C3dD3H)S0}Z0H&xCrx>)+%iey&UicC=GOpw$I@)q2u5hSAft?9G}Lgtv_ zEEKCW6iJ%tT`og0*>U>|_+q3VKHX`gBjd#x=UqnLWRGApY0K6TJzzMVb2uSf`6ZOP zNfRAzWk*60YOj7D?6iCq-3zsXHiyd({3HR#rDb8+xm4PYS!=w5GW&DphhXO zIjWiAjk6(scdH*&$A-DM{yN`);4!*$V^5Oml43c;!j}o+N2Caj++5yB4s;qb01?uZ zx1oTX96mK5lAUM!-ktW^FpRd8!9nW>pnD9x!$dE+L{~(QHDYTJk#nWrI z+PJQz!b6a4G@7iX+DxRMbgz2H4gUp~3aB_lP zn-ax2?W|c(@mS}uj>xpOygc{zJ^*`Ji}%b}!8sE}k|!alvEH0XfCdF z-PUJUS&`B}0Wi{~A0NDkm_i2ukA=c?%&NPLa7`Awnc` z%klLTsKiktRUwZq7IYCoa81{)@*#7XKZ{Y!2BXtbOB0gm=F*WUos_i4g`Be3lExZC z%Hruzo)7(~!&(v%D6!Fy9#C1cR=8&jG};uUB8TXL8_t+c(9XSBkqy6v{$bis&h$Zi zE1Ny9gkjQUTIi(QV@j7khfNT2Y@T0Bg7yKr_EXK~stnKVhKo!!s}a13&IQ-D^K6=tSxUG7+VbXbw@@Fiz^E3=#{f29{kT%nruB#LKC=ziud z%@9F22Pgt-M30RNb%POx)tckZe1?w{=PAj`1jLYVo!(W+g>man_l}F^wm! 
z3l6)^muo2E zMc`WS*UsaptA00-jwUyBA1x9ouiyXH|Bi6qdRGuFvY$(ui0S?9)7;;FtBgYr5aN7 z@2O~MMeqFcPM}S{b><-K#@`0fe3|DawTYmoe(rM@@}BXf+iBe!v$t!%l5>XVeb;vC z69W%$Oglr^(a+L#YyCC*u@|~t(4@BgH45|mCC*EKcbHh})mR&h0R8gK_6*kDF7+cYf<_${LW@cnx1RseQe?^7pZg>D1t| z+MKY%wasD$5OuKB+p=zXk%g;!hQ9K7rM&}WcwE%Oh3&OY$5F z3*4C^SXtq+n)*$+ZOVSiYmdLs@fLbhtM%UYK9k!|I-kwX=nXhg&wfR6?&D_6&64T) z9Fg(!9<0M8K+tct7LWIPY;*efURhfSP?tF2iK}(KnQ*_pBlFzoNh9cfx%;UKc&}<} z%iVY{i|d=(K#v$~<+@CDRns}HG<5@sYrhe*y!q+>cj0Zu=j8~$R`2!W`U36XZKd*E zet8qFvR9!SH0OeF%X9w{)vhO(tES#Ydad^uyUe)X7>o$bKr{$$nGp6CN9JD54 z=u}^3;()E$t>CElwbE5aE*lEbm2iYTnKUgiP}G~C)-oqy#OF9j95QQ)9ZDaXT+)PF z)0WPV__Ajcard56Gi~B{YW5xm4?{>aWg4QvX#AEGv%(?=#XyCVJ|-*cgG$v9ALY`% zaSgGGoEImTFTt4?q5;hR300_PIfLo;qBZbL#pCpH`e8(2(1Ol`tfWI)c-k-^UJ|>L zL!>n#`o?8uCArl!!cQi&u7h-vMIsaBRksom(W#4sW{tz{>{u=2$cGSP}Yw>pjo4QW)dGPhYGoGZZ@TFz1kBgzMz9c>9>)BsMcWSKHulG>K? zj~-nemS4$L*U#4uhluIhntJzWRx#Nq(FWWzp}u&w6V4LxgGAvMl7lD|Ahd0UOBxoY zSv#hNw81f$IdeDfSA=TB%stnyFU&Qn*l5QD3L@Zq!pNrSWaj%;M1hKyS9JI#TOGzQ zVe(3$wT|JW%dB(<6FlQ~^PC}v*8QX_k^oP~{KqpyrrQ~6ZqT#3;`^tDSk}&~s3cS_ zcDVAbxQJOxxiTsGBDET7q|d7iDcvm*w^fGtr+PC93*J(eojngP`x@kjR!^U^c*{D% zh@4|K`f!DvjI`TAh8hCPAlkU|N8i|sqo~rBq$OrfCVOnB6UVecPX0L<3hP;f2^UC? z%52PA!Ccsc)Chp&D@nU~FckQAP-|90)$HRxd9A3Xt&ahJj4EK9>Hxru2N{Q8_C5hh z*gB=MkjfHf=v{@wR@5fdPMDl23Pm$c#iw-tZLBt2CWoPz2(@RMOk1rkeI|vd&#p>! 
zBq{wYyQ(dHa21Q%XITj>WFUk`8-yIP(&wB^4p8PKoL)jn{nhuu)I?bPJd& zv{$E8|Lv%&&|1Dq%qjd-fszb7#e4WzuvO)3VYxIbBw|b|xEebQTbGp~68oUhoSf_; z$R9~QTqhO!C9s%AhIn?4NiO^pR;-2}6S{I`!OZd#*_co+QtCn_W`p?X2w`#<4DeR; ze?WwxryL=BYdO}5md?yG3t59HWM|88otl0v^>Y=udoG4}5-i*wZk>GOWJWWH zWWcA4XE*F=mTmrD_;N>t7*5oe0cM;5Z%d-%05d~E+yM65JTj?xh|v5zavmwn` zaMEibgGAnrKZ34f)k(>W90VN2^t?uq?u#InxzY6?1>Oy1aGB^`t zAlv>U_p#VzY4h7bB|s^>+X3V z)cbhtB*=AE`o;1>V{Y$sJ=1E%=Wv9a<Q*-Ft!DbmRAY9yHZWXmFf!e@Z{I?fxG1FuWcBn5ygP-g7JKnaH!c?v=8868zY8 z-!BLf#k~BS$8{c^4us~B5qxL^9OrgFmDXJX-d$w~Jx6#*Un?lxm&Q5mZk=4trR-A} z!%{;C+iz|!?fkD$OY#Vt_6K)%5id3m^gLg3WnUOye1W^b_WKdc6}fXe(y2}l&E0%u zLf?MS%P0Nj&7v@CnNQ`*2DTJLzo8Ym0`OWkEw9}bS7jwk&Hca~n z`tN@(t)A_Ba=dRTPTy^B-kTcl)^GgpKY$LOz{pQ%fCn%S8whk7KDo;iU_ln3PyKv< zM`W;wnnpQ`=(~+d06s)~XQRJuSmCnxs79VR6AW%&@~+GuVGZlld|~yDn&ys0@$xu- zn5@`MOb;){tmFr>%?df460hp#C85xuGLzge6m3NC12YHKrNa7G#nmflElc22Sh-+} zfAIyoNLVP!k@Kzvhp9oE%7B&iqZA3xi8WYEh!lp~YON*1JV^CZ-@1|JUAV0!sE6Z% zoRa2q)=JY`lc+8V_r^#Y&pHer35~aSyXXbNfWsdy7Hb3-DPQ!av1T~l+l#t51>lqjeecp)J#X1rBY0a;K-YvgM;E8vNlgwDmlWPS(Gq? 
z!gXz=QV0t-R%HZEVOA{%<5AwNHi(<(jA(NeHwn9TW+lKW4jcr`PphJ1hpp|P!oN04Q^>d>H#?%U*6w#TnD=0U<2^3XEbHym* zMqvGJV*k^ES9e0IFii^2kTW)NUc5F&avtn-AP%(>1J3)S6qV9Mro#-A?Y$VKLT$`e z$wMUnL8zDTIGhMhp*SPe`?c@3y&#e$IT#(wH+*AZ3H*v8gp9pGB3oP~o~Pd!yc_xT zs1_y+oG2meSNtF6BRzkGrzN~|ZB=|k)*+GXrr-#R2_1d~1IPD9K%kzg7P=^zW=Dw7 zTLF>*&7Z(*465(V%E`aV(@g9F#kVXy87yv z@T-aI+l;6e%T^z{BEFZ`4XLLJZP;J|4;fOPRk_g~+6YQ#{BRE;5b z!lB$iIoy~#L`W`rDju;xJ*D(Sl@FH$8Zy3|^AkIVum@GQBi?uHdKp1si`&$V(y z3cVr?yCgSH6GUeGV`RP@sAiic>PoSIJI_iwE{A?n6sd(L`V^dBI()Ilp{hLWB9d^v zQfZp}x`ZRURE@vOb@5URgj%G+rjRqZp7Oqo?=@c*KEggn{fpB}d)k3aE}-=T7|o|I z{ScooX2N-9g7`6o=MgGiDz$583@f5&CF`=LrXUQiQJzSkQMx~1gdIpkOQabV}U@ zI}BtzOI8I+nD~RO>p@!7mKCm4Dm3*PvkJ@%le05$pZ^aZ{!B<%q&=x$K~vd4U+jZ} zFK0@(3k3ZRAQ4iuu@r1b!py$lVDBs9+Y$hgr5h=lr2$Z;R>{inURb@z`UkoPCqUW&~#*1yZvc%jZx+f%t+hz>~6nH<^7E06VhDQ zG=5xFT2ARgU(Wa$9-5FVXb$Q)VmUrG;%k5NeF*>V^cj>PBrsKj1ZMq#pv;DJWHr@!R_?c1U|qx+890$e!kt#xstcMzP&Z2+waE z4)XnO`gy-@cg_X1C%OHuMFFn0B&n;9uSf2k&P6TudQTk}ZnJ70H$kF)ei)A*2P;N# zJ>=c*hjX(DxVByAP5!Iydj%7|>bzCJ^EeJIBe$Dy(KLl;Dt$K%ASUA0%P4zA4Wf?6 zP2|J!nO^TE@`zvyf-eBoUB~T6p4a_RulMqFJXf&ewz2zK(BL_DM7{UL`0wr20OsG; zb2&k7K=Z{4zk5Uyg4Vk?WzXLdhe_XW3qC*5u@I5Yej_SX+(1esGv@A_bX2Zop5IuTZS9qG@YlPg!FPOTDJv5Ly%ZDn$VgE|8mQKw=G^HVmq8hL9-!_ygfakQjLScV_Ta`!9)mZKUKBFqjs6RSGM z+ViTtwW69@e5o>~DE4cte z<1|?;1Cbz@@+0}z4KE$ zX}%9df?d)lTd0F>!P*{Cmsz~y)qL$9C7GCf1+(tQp}xeBsD%FyiOgQvndwH4{J z_Rd9(%sEk)v!|zlS#hS=*e+0zT6@FvHQE=qq}-Cx?+i@wyv#EqJWH~&JLOOan9Sr7 z_xgkWgW^v+6#Iho4Tc=SGOVBe0{40H{H!1A-(`NboWR?>p);WJC1v73-OlNVYzo=X!TS%jN7%y3dMNkLihx*lpI=UFoqSKz`j=# zO!({&@v3sE4ZA~8A43Y1764kc1k%`J(r$o6!>3Ac@4<5zms56nu9{}8k9g{ISovT?*j7Z}p}54LSg^~jSRINA>(HB;VHd5E?9ww%Be8Md3v>xu*lQGAn78ngV}e)E z))_|Y;TU(xwtoFg_$g1>Krm+3e}{6a0rlQkwWfyc_=|zNe_XL{OqsjvpM+kKvaEWR zD%jaXtBy_bZ?^v<>Km9dfwpBQlZkEHp4hf++sVYXZQHgzv29Om^NYTlTkpJct9JEY z=)HRN>bAx?6JzAH$`FN(4NK|GZ2Ey<#d?sMl0zy~49lLBa_M|;+=yQ)WvH710M{Ue ztzTrs@?DS}q>d>v;2R{D-42CQs9=ErQOS8ruHjJZQPj94 zc;C}+Qi{I?i#}~I{~z#ShWKfGxVqqXoAJ=cVC=o+ho0MH&{7uwR6zW>hnV?6`z8Dp 
z1ys-n1qKk|h9V}*2z}4Hu@n4W)8*(qJ76olKFc^Wcy(^kUYGd0ROjrT9e51BfJW|d z<9{CPvlrSAv9sN6H}KN-j3=?StLt~QpLQLtEk&-r^bT5@&V6nAa_jG(U1O@p`t-O? zQ+YR@r+2JvzMo&#zTSbaQT){qrfGnu-mJ(MzP@eajmeMx6MLVBm43PdW$j(f<5S+e zE-L`5YtK{mL!7Q*PfHDRC;@I*wT}lNKs7sQHm~P%QhHuHucb>vH(-0AVBrHtx(1o< z{dsoP(_t@An4a(Y-3<@cHj~rnfnUc#@}d-|p{jP>?ep;B`Z=De&9FL^tN8M=z0q^A z@M6B(dN&_ozuQ;#Rz#AfWp{SuN-e|oKF`;(e7$8EvRnNy1Mxg@fq%cC#$MgA-M8$g zhRxR8a@&>5itnSlzWO$qE$c^4r`y>E{3?yhaoi%hxcPXE!XS~}_VcK7T-yE&S<@K%60|5|l_dCmLhprqydhTgu3$YTzw%vD|s z@D_&e>2%fw-L>%$WZLFY>PqBvW+q*`g?-aC{Vspf!hHqS#!?FuRZg|T)UO{53G+G0 z;os#sxsqPxe_3}~X;sq&L{1{`k#3w5d&FV8??55cIc`N&(PQEI{_T1|+2r=hx?67h zBM)5iK?X0wSCqdA7@oHVJjpucUrcv?!?tjyrR@baqmTNTNFE0^vJr+<;}JXbgGgDy zu;7)AL(^)Wloq7qG%wik8nLcbwuWNa^JGX2CR`$`{#M4^xH2JpG;KbNF=$!4dhz!( zu3ptBjSI{*6t%6ZZDLwbuau)Ak%3i<&^GbXXeu}C(e{t>O=;m$slj9Ov>?gC4Pf~j zexM`~hiuv~&W=`nkxtbc!HP`6cI7N4$u>)}{WkO>P`G>6y1}DTL38^{NR&z*UIzQ8 zm8%T(ga#STr&!UTn9Z;pi}iY8M&y-BaN$DmP*aL)jot+IqQC-f{&_IW6_5U@m5#3t zNM>;XvfiM-pbECJ5IH0Es$)lhyi8FS_>qB9{LM0TE#x3Th#fC6p29*xa{PrWgbfYc zC0{|PQGd#BZ7lQ8@0GG*bR$pP)JhCT)hZ#Q>XWCb8A6;;)rz6Bad61CO54zJ)H|6q z$Z;tKj08dj>icb}PUFd%fU_n8h4RjxUJy42$v>Ri!{mx1vZz9N(3`NFcZrI>F=N+- zsDHP}WH~4c?8uR8E!4*|`5;Tji~wAh^J*~_E#vo)+6vK`Kuh;exJ)~uClqiFXaK4E zM)_iHrrGc#0>qf#CGbywy1)ddaU~^s6qKz5N#>fcQzj*PA(;eQIf}8V!m}Y=YHKNd zrH?j>kB8*H7mxaOG` zox{Q&4g{6)K?$`dhm3sR(33Q_Y27NwHjkuSbNywPCt*lh`xe9AZdK@d4n5$e0N?4q? 
zAex|(!W?6uXHdWhFCVTf2;n{W(-Pk}+3?H~jcOL1lW40>n$~5|ij`$5IBm=(LzC$V z;Z+GN#KwX|p(oj+eypRfZz;$od-X`sskZp&$0&&wunU4$l>VlbvoA24WH|K{k`K}9 z_@`j9oPtffEv*?a1rO2$E4toE1+%9hp_YiLO)#i1Xz`D3R<1QcU_y0HNBv3Jd0x_a zfMo-++SiO0l>?RrMFOKda5C#b>ypb;&)G6Hs}V9rD=g3y|hnIeBB5P1a|shfzQl@iKQ(D9R^wgf@GN+^1Z z)f<9a7=%l#+VE;(I1}M3uyTxK_MDfm1a+>|YnM}qfrT(?ZSNQu3?3L_tBLatNh}_c zS`kX1*BcRyV-_VZ{FP2fg)x%2xu*{+NKD#`s9m>UzwD%-E;ww=lqhK-EOwd9U;~%xDDZjiJF%W5Zhc&; zN^S`3M{V&TmxkM)&ZH^Hg|!?>=*<7RrN4dCKwZ!P#&hd4{_+3EwNrl2yWVr|A5|{| zm_dIa+_fEEB!Xw z=Kk)$yNAWP-b?$^rZ%%1g{HP^gaHmLlmoXJ|CsbYQEHyjhJiT5TsSxdA{|Zwjtos@?6Ed_btBfuwKWo zXP(3f-F@N(igzv$sN40vd@Wk%hh2M*>inxt6A#mCz0zK|uBvJA0aiSn+_;$nmbP2l zzcwh?)-3u%D1fwF*2~teJdUGRY?<$uFxFeJJnch^vvo?kRX#7z_v;Tb7F8?wbv0d6 zZuma$cbmQwT{p6=KKuD?>~(!D2bmCybvbRVj$G;P_Y4;wqboGm%+^70&%nh+pu!p)+)~;vS>4)ui-!AyeM~1iQfs#+m@|P0dg3fkGo;yp=)tR+@=fU*u z_GKo)G{bbyd28BrZi_)*4tSlc5>8&0vi_@d_ zNsDgbZ~o{MgFvQSV2~87GdWIZkb2r`(hn4EnCMVH9R5Zs2?Gd0pNNMai12F6#Q!=9 zV%4TAAV)5!g(&VKtw@0_$V=sphnTdAz*=;1-;!IMY7dO-s#dkpCSN3Rz(sw+PB+WP zP8*s)>sv$DLLvN#Vy2ldp_8&;(?(1tF;jW0O;^Y&*VeQh$r0*hm1KVl=9oztn*ag)!a-T!b`Fp+Z%?R8(!?c++dkM;+1O;nJJ$jQlX!}%_s188(D%>ic~*10|Y*kM>j87d52VAbX2DEh9h_`+*s#k zDY_u~b@1$y!gNTeO>-(FHWxJen9#N@5{wm%toZpCNrt~&D82Zog7k2hF-0;gd<FqBw3TqRE}7CpJwh~&R`j&n zSeOY~w!IHK7nvj65oJ@_15k%cL_@K{riA!@YqH?Mai+Lph#tCsZJ9SHEn>(6Rm1aaq2@cT`!poU~!VqL~Z&4%9 z5Gy&MXz&%Q4b7>ZiAN7`0@PbCD<7%x?h3Ezf&GbSJ_+IsiIe2kXX&saIjiik+i_aJ z(+T2nBt317A@pojK1As;n|s-I4Hm?ni7hHf`O(OmM)Sz5(keloW!kk6s34+5$hM0( z=;)|Z@e58cI-_~=fR{e2Ae(O(7E3fa5(JGi2NN?Dw+lTc6qalp&m-A-orhhCtYxh{ z5mj13EoPAiP2Gd?2un_Y-*eQ{YRxt9i?-EG{NgrmVhCVT$1ewIc&;Y9#0zH54UM|VOm7aa%QE} zpd2l5&YOQbGE7o14lF!NSZ#pOCA49*Xv(>!9xlyREUSw-PG*5C^sFhrQrkeSl)wF` zU!8iE384K`zxAwC;u`t)AqRDUyfiQU9+VCz%m%Hd0#KX*%dFal+6gyKFW6zWWa)}6 z%gstkUN3z7Xm`5oV;ZcDtCIxFqe}p)Ra@DwwODwNxZ2p|lY&dG`%Bo$*z@l%4sG>c zT#Jd#jhI7=RoDWXz%%YTLiSnlBdl z&c|hcSBPA->QTAq6e!h-5t6Zrx`%q2m7D(;PJlrHe_w&tUjTwn3Q0tQ2Lkuwo4&qe zkgKLgv^hTMoVNs^P19$aU;9-7!9yNOp9)__?IOw>^oeO;vL~j 
z{}rNN0rd^@J6y9wpD#C9F+7_uW*R7d)M0Vdahsto&cHe=!{D~X(ACsr&Qm|Xwd;c5 zbKPJb%V)Ky8p~BZ)QWD<<`eIAkZAqoJh+h6;8S9vg0*<_17deZV%dfdJobyQtWbWav^aX?2Y>V znL$pIaRtk3eynzTR+=N)P(I04_VdZOz2oOg@f7UA;r?hY3Q8G}HRs>tHJE`2+dlFx z=fM$b`V#d}11NZ?`KP`+FD1COL^NF!vt5VW?Zm0gtOGJv2@)6WtLr!U-g`R7LE?7m zcNDK&2srN=tI|5|LWN!VEq3-Obe?X>>~FkB7M4$ZUyog`_PUjU!W<76ar$oiKI%Fy z+tuSyG&Xr%`}gY@I=j)6FFUTo_IgRmt6M1DPB*b95A#*(1os5ueg3)e>n49btnGDZ zdfd-*`?$Py^4T?lxc01E^O9nJJh}zF)aErU4>DYJ?x?=h_ zfo&fT{O|Jj2Y~NH*f(HFG>|Gkhn8A``L%91A`~h!3GDfM$pp{>Zw^e&kTIUIL>v|V z_Eb@ZGXs*}6%osPBY}SxY5qEkP3A8WvZC(yxjBUcs@qPz*7$qVB8I9lTCEh4V=b=- zt17LW%c?=T2f{KC1Sx0d_>^lzzKAs$yYRBq?+ru0-e(*|?e#`Lku=Ni~hYkaW_dVBTDw8m&pyC1(02uxOyB2E4G2pDnv5kQN*J z*d3%y)O&nzuDX2*`tGM^K-qTAeCYBB1}mtXM)&79HH)`F)lSvF=V(*S@tr~;ZJl0IZwY#Ym}oy2L&-05$$D&wkqAVVxrsn7l@nKkn&Lv z)#52vilZ$YDV2VtM_iR*C`IwP+M{T!OPY zw5^huH$t2%-M)E}mu`@eQJxg8XWcPpi9^w0GQ#0!d2|GRB?5{H#wb}*3!37EbP(a# z%4KL&8)SQw<}zE!1VFJgvBWb}@6tKAAyuZZco3N}pP|#wgzHFj5l5=11Ob5nh+l7} zggs5mmHn}L5aRs0cQ^3(;wYe!udIMPq8ySKo%TNdebTn{S($6&j7=G?(5s7D-wds4 z9nOgx3&t}Vdr^$|8n9>ivl#R(9TktU&e(+EnwZFNz(bh+7L?SQtM?k+s$n7(o1AAR z0Jafuhg9DBK8?zSMXof?b&wUXju_*)v!DfiKGeDvGv3be2vPJC zC3-W*F3B0RIcN_J`R2)G>l!pjhVV(baB;{~Wdd2OfT2M*GK$HilSRm;W!N2L%Uq{8 zaUigOfg62?&IJ4_-QO`#uz%_f>wiq{39tM2((;ypvxSd zb10H{B}o#pQ!S&vM~)z*I%VP+>u}hxWiUnSD1LU%hXwF)V3#@>$R3f^xSXLQB+B8szRa^pU=d&i=;S3vhq0`4d&nSK^ zhhd@mlV~}}F-dV$s)amKd{}`mGao%b6>5H*BlMtBmq67&e=A=V5gez&n}QOSLINu& zB9~UnA@k7M$TVCOrNs_?Eg-6)TGjejIMy17oRdp?W)QA{#l9l6(5Tw0Uz+9+4BWAD z>blL@%}HoSD)D`W%+3yq>@fy z#%Y)$CJn750?+`p$7V1&3hx=18R# zY*2}^L@n}!$*d#69eSltT>tgvi3MymB})(yEmMj!c$<}fwqaM0a(aTD)WtEIJ!ToV zfy8O`T4u%zF2mR}ip6Zy-bdI;O+s6WCCPU11qm`^viuhw`~J{!@dCMyfu!d5 ze!a;?#?ZU?6_A>0t)$-3&HhYRi)LWjulDxOW0fu@uZr4nsy}iROt>>uqEceyOYd3_o zI?*h>-_%1|_vdBoRSv$_(+I{g;Ne2tcG-uYpxEzE|3w+Cm-AUCD0$yS-}|9eon1W; zTOPlCe}aMD>lr~$W1G{Y`(2Cua<`}Z{qM8&hvl+u2m*cR$eGwA-BmSiQ{YKqq zo_*VceyTj_@o?4ctXWZ#zb^dFYqmc9+Hu8^yzDfv?HH)AdDS{)$q|_6hRkRWFl|LZ 
zcmu%PReupdRBL)!)`eiCrEXjd)1?&?=#F^o7j&o-xE!31AKKoyrLCFTKZId?y_I;$ zwVNp)1#}@y-~vY4p5^#%?C)4MHON{>-3~&|3a zeVKYc58Hgrc`tf=7A~K5xb9MSOkaxG6zucRT8)vA~+z|MQr1X1sdq0Ksd73;D zyKX}V<&foq>HW+#y(@U10po3LoBG|r#Oc|c^Tdn!vIQIyDT>|c>E7}XoSO`Dl$s+s zE#J85S?)H##enR-0pPzaS3#&WoF}VF+F6qi_TOc1HiDW7 zMk$%6{N+uwvMADEjw3o1w4Wi80sxmqbliBi5Io6x$+ zwaTEL8C~L;^tV7D6#vwC0|i>wjPM^4gvTJyiImW6Uh+hD9rm@Sl&NRSPlO1Pv5G}8^%}%C(nBYQRIGZj#V|rLiyxTUjsy5Q z1ZtC&Ma|y$5zgH6FTb`99MPF(PH3^&?~i_Gop$2Zk|`{gqaP*Y#q)>{q4*0xtzcXN z7b}mGO4q}<$+&1J?-f=%B565GL|P1%vuq0IPojquAf;<#st{9In5fqlmpK&4w=zK? zH9;=MSy8XhAJAA-=}GJi_veadD~_52)>$_9Y2ia9>Qtn$WRqjHGP<$*gU%>A>e=#t zbdMvCJ7=^_!&3g^thdnSQipfxCF<-E>*NoO(p1f?Wf6+5H0I8qJWy&HR+2UOU0sfX z@*5CHTr#5Tk~pG}?!aw`Ibn$tc4o#sP6U+@A3asS@|!nF;7Ks+AdvLX3pVZmAktst zFG)dW1->n{-@AMHM^eTYn1aO7qj(RsQH$mMbE5R@5R*d7r*MKP2ApLs+mcq> zBtW7Kj*ozJf0cAS2TlMQUr*qr8vwQxA^lYL24`gzpf zyADonkU-9rsdjpn!op$sR82Gy+hta}XvZ!>Y%-{HNs?&49BQao!+xt%q%sLbw#<%- zBHt;%LrLYMH?NzB`No(6=UqdNW7-y%LRwHW{3&QVB+&zsc5c$*P_hk0-72=HH$Cnu zzpB0(SD6TtzF-*RWG$+POPU5H%{%{Vd{Es-d6`Jwz z$q@}C9Gug4so84WYG+bz*Y7(}XRurl_Ptr`6n$|ItRl9hMrNh3%3BmBR0}VtGBYz2 ztSSNCpHg|OgPKjZzNw=0L{rY|r&D_E04Had8ClgXKpBn|Kgnb3h*TF-tUX|)6Y?bocj(1DXhe?WT{xXD55&hgEJ$Lyipj| zfCS~xOL%;Aljrx$AExxbS?)w3mMXueek~`bm$3Xvl+wyMlPghc%w4oE{s*$sIImQ) zLK7sSB^@V_K&-`u=%$ULglY72w!ISCQ9AE(rH39A`nex2%^iUx#4^=SngpAa4qpLQ zUP*|CD!D1uFcee|$ugKp9X_m;&iH`B2*HhX%1obp5l>Y%b!PaB48{Sa?m2@)`e`aS z!iX~H`Ho!OGV_QW^l$1YqQy^RWfS^+rXVAsizSvUDg7d;V?w6D&pywEjpYK6!Syc(=mfh;rTNMmHB8;u2<8|n2 zUseXJT_XN-uE(Td)a&IXA-83-3Im~u{Ur~OHEw%zo-CyKN^lhIuU*eqEx=!Yr@XK$!KklSwO48QRvvGTH?j~@$ zJ?;nYT)Qm7zRX(K)gc0x**BLqw!SWEAi8~*LPn(Pn)B8VzIAzXy&fUoF5%TCea{3f zTT}BL?X?&E9G@jy20!aXl#?3QlKTTr{@2AEKZzc|l<(+H7m*BZWQ{vett!`TwDdWI zK{wCqEj?_8zx8dis|4eu?rpVbMfdsa^maA=f#Gv-q06>S?72YG>Dd0I%o-sSA^qhe zMf&q;@4)YMtAAr=_wAFWjiPq#E9i>N~AcR51ZOshV0YdkFpUEj#!#*dcafmFd z(X9lbwN}R^%xS(zZ4Fo$lr`PA^Ymf;ohAO9HOq4*aVU2o_{va+>lWDdl4O6r;KrfW@=d&#$KZTf&p2)ik z&DRwOaQ|$xF9+r?{^mNy@_plKMql;g^Wx!x6CagWYmr(=pDpCcLh 
zhae%akwY#H+_FucTnTm4k=ixHfOtfZ+9>|Q1Wpy&nl`JhVp}a4YJ`^tq8(3R`Hfz` z1u9W0=9Q266p^=_&C&%LT&lDrk))BW_$)|>AyAwseOa+t?bxYPeef|9O6F%XQu2ro z(dM~`D>l=2b{s0IMo>co?Q%$Y1tXdS_R5rGHb&Mkm(DP8^7Ul8o)!ES{Ez+T-Da- zZzV>Jp~q`xyn<#erKN5M1NG$fo;B)o>JlMK%9S-MZ~`s1`q=`dvVQzc+2 z&4}nO@1Ks#+2xp8WCmufL#x3|8^_&vn{4MDF~^Bi@mTKI*kbuE)#@UI+aX`-HhC`mhX=l}An&H8o4m<;?}*cZxTUM}e4(^KB?y4}|vf0QyX z#$NLJuSH|{4#>}TybvaI920mkD+dr0E-o3_v zYCQh93%x70--#wr?tBhL4o6{JWQZE-(^z468t{`uMaxWeHWG8QeQmJKQiL`}Q zLim$e%}Xul&4rJu)2V#peCr@8VtcRSAl7lUct|7AqjVs16VNC!Y3w$@5?a5*y=9X`5pCKaqN zbm8w0f)p*afjEdk`L>FHPX(NG3W+&3YR~19(O$C!5=woRl>d$2r;0XdLLdvx8AK)pi#=L4v z&8Uxf!?q>7Rx+?Mo7P?HKZW-sOT#xk)#eceE`Fg<*_wj(j}+^2_MwZ#)au9ipxcmV`=X?$_@5`2A4L_#Q*E z^x7q^$fKAMrIz8tJIY~}DouV>$4E9aF7lpaaH?4i9hE8meGQYD6rc!1~FCUG*2>Ia{mv2 zZ9hYQy9Yext>5_hk=$tlIe~Y}FuT1#LXME6-xB-!#~%nE3}2vhKfZz#P$83kKS3Gz zr~)}XdxqUKZo0kb5Ba$I4nX$c%;_}cW4D7s==m9C>IiK;8l4VBo%F?LdjJAV9!Hpt zFZ@?dLx)8j_ETLqF9^C$^ZK)%|E3mV!s^`j60#mf^F(aC*IcZ8LyGWecqVi=Gz{Y= zX5;u*I@~&3M| zdI6G7to-_XOJaN>jqG_Y&Bg1={95M$Fg`ae`pzdjZEG`Kc0F^6=XEdLU-6r2-ClAB znY{L0H_h*UY$rv=$sT?7bzW(2YESvhJNgAp7q?cKOR=8hUB}r~dful47I`OW9u9p3 zLF!*;`7U*uPcgfnNbOgTFE<)jpMzh|Lu3GmHojAV8;tvJ2U|Yxj;H&(TdVIQSz*hO zyqZw1mtS2No{WjPunlX7ydRrH92Z@1g#?@Ze{A5 zN3o*MTc;_k^m0A7LA!j7U3a%{VckuNw`Ey3>-Hr{lcT(Tb75h3?7B^pR!2q`gYN`3 z-KiKW8)g51AE~3cvNt5v_Y|&mPYmm4JQrKLd2@hB4-MveC`W~0%ySaojoK^qw zyk;CIT-lk_KTI_@-F%K7PJsOPz_ts1L=e9fKeKnBH_4sqN7-UQ!yX1pnZ}<_iaj5s zS_u}7JD4Pf8~(2o0K&`m0|7odDO^qmUi1F!3m|Xc<25d!jYip80*!=Dw+guwzTIYW zD(*G&G8~@xdApK284wKxZ(d7rFc=M*f+u4Qmo3Lv$yCqFq)834k5wzBo@osC^Zv?{ zlk!D4v3La3-l}ZFB^0NvrCmr-327jmJdDF~Q3RqwPii$ixGXY+d^yLU8Hz|5C%siR zG4_y_cuZKQQ4oB2v;3N+2~t~tvPmdNxs>v$ywEg(oEQ#$I z$O0`P3T35+6v>yU`V##yg|V%H&Maq%HI6BaNZo4XcL2rkpxC)uHr770e;sP82*0^5 zgYq8J8PLyl(5Z(M*YPM60%zeqfJ_=GVWl)|1(T4z~nY*d7Rq6Bn$2*%$Auu3!X(tDOO#e zssG`gD(SnB-IzpBq+k%&byRQEwO;q&`TI!{n0K1@4rEc}2NWV_0X6F&fRldYyS%`R zx}#&ikI_5?Ak`~t^_G~YpbK=logQ>VsC_*eC$Zuv=321|8o6m)h)3Br+qor+ePKpB 
zg7#_teDe|bfUt%?I0|q1AE-G;trpnD@{r}JsS-%Tu2={(=GX{99Jex3l0?&b4Wb%5 zojiC)hwV!v4Vm&{u((CM&8eT@QV1dVEO=>>eE4yJh8t0y3>~VZ@VNI`rxO+W`yd z78VmV4O-bm?S@^2O8E&<9fDZ?IPP{ z#4h2K)S6`M3ZCnHiC9BMxl<$pTFPZfhy;+W=@o@gL|hr|qA%4}mS*rM>A@wTaH7ac zAyGj!f#J8503a!+1DTn^B@4`EASos5#zZ@90#iSO;@E@H=3HM?m5@Gx zP102@y{yAG_1q%0WES<7JQubOiRtOenadUi*eK6rLn6+p$ZUui_bfybOo&iL3Ki6& zkz3S&BWM2OMl3RrZs%GEJptXrg=ikVp->=g`E&df_mZ`Y%>AziTCk`sU*4~u)|#3@ z^sZKP+A>{|vovwb(Zp6Vqw`|5aK+mO8#A{JTymQ^QXr|}RL19yQpACB>z1XJ!C8|f zR`|OFh(*}E4rmj3x87`O;F6}*Nk2rBJZlm%$PFbh2Ih-*0=PRWVmJ*9HRe#Cz+R=Ki z>5=ob>UvQBx*%SeNb7E1>o@_9`Pnv=Y*K75Y9A!PpxfrT4Zy9MqW2a#XY`ysEL-mw z`1Ox3w^Y}JkXiTjF!6o)Q&C?trfKb`P_%!iQnf!l#H_Y^(f2Oz!fSFj-ECXB!zDy9@qeC`67agb5XEJ)Ze5RExfkxHgTagGKb0Rt~$oM}75JIq#QD z>+{J61e^QseNpwtr5ron+tzrS9_Pz>O10aI=T-kQ0>@FOn(JVgU$}nDPNm!KYnk;} zO)rr5E-oH0r({m=xu!W==N$nk<0gRJ?X%5!$JzJd*U{Vj7~db?bV2wyu$9ia{Trv( zBfNQ3xQy@n#dsYunAh9m^hm9a=P(&^vc2j1@5={6Dt4#qbCjU3H>iCq;V;u+0fqi; z(RnF{-+cVou zJ-eILuHTwv9cEfiyw~Y}$k_V}B8wOJU^}dSmzO?GInA*4LErwx+(eNwA4%|+*-QO& z@_XIx@umE64Twv>9jAz)Vu_bO-t>C~+!6E@#B$flEGV!hSwTpFVD_6#NI2wpicF%- z*s}`RRm)L(v?`fc7HgPWN5-;220b4NWkD>0(W{IG5k+%{iWc@XkVaL9)6RJvxXPC=wy|U8$nc`y7s2uOj*M`|8PiKu2KI&wA#A~lMorMh?o}VGSNuSG z5{-{oC2Cz5OO3UCeqyC=N@1@4uE66+a_G=5ai~edL0#8cvR*7WP#i?U|7%ur1!~L3 z8yI1yYA5jIYe;(%S`H(6=8Q5P-6$jpV@*xenIG8(zPu4{E8iF+sZ~D~TWUns%k;zZ z3zD{9sxtS0v_}2v(6(`|k|R_5FJqOtgR+s*!31dLLp;6`4V-klzo12nU?xfg;< zR9J+ zJMB7kZnQMtX_`Z}14v)5c|7W;CCSQcDqC>3tY(1)p`){H>A|>bZ zZJ`c=Ajz&U2zXtAsQr3@t12Q7U#ki7d92ia#q$C04 zhmt~w&Q*18O1|Azf%SxeZqc{eU|M|OX%yY zz`YiB+U2?JgrWGr%DW-26&uviwCdu~|FAJWb||}}-=~DvIo2pCqehu8(W(Jo%Q*f3 zSELDU(HV2yJYdPjCs!_BAd8kOO*6Vk{`-@D@5IW3Ic{GWmsWYXsFtatVL4Yk#2LwS-aH^CPLTWboORGkPanVV)Y>^mL_lV3} z$~^~+Ge*{WjR|6tB`nR(aqSvGgv$-qRstI0c&E}_gkb=^Uh^0vQ6_5^#%W}7W@i!) 
zX=sTUj|76ZYF0-6Kzou%3*QoE{i1v>?_m=OVXX(4<%Z=@Pit14gebT96WIW5SvBm0 z1VFHYEA^>j*YN3HBjqRWZriewX67>u5)y|HTKMq#17DK?3yj!*;1THj7crDR{wrvz z7x+%T-}Loh4zc3_a!Y_rjuaUTc`E&i@W$|6Iq*FV2mF#jKAbxJI{$iD_(zeE)7I(K z6&L%xS`6aT0JNZ$jPi4t=i%OlEtwH?y9|$9@kV=`sSiWkti6bwg+)+abzSwo1Q!cS?hp^wEtN?0%n%`+tj4;gT&Bw)c9J|?9bKX3@Ao%?0Ik?gD zi0DHJ6Y@UG9TwB>eLi*c1Hf_KkUx!Y>jz)+=LEs?`rKh4@E!-6-hOUp9gK`dTW^-__*ncb$UnZjPv^p+uOB&GuyHHIz}$YH*NVxEpqde8g1J4zJjrT zc=tUeh}zHE`b@OgTiyJNdy50!r%!N?T~AbmWlP$7T+p;EFvTUu`dYm_#rf%Zv%c)* z?VcB^+*G*8W#9I#dosDb$1wl~XWqWe;ckw%z22)n@-l87N5MGwdu|66gI1)`qe~ofo%~+r*vrvF7l^+(j+XTiVaBN_WVr& zG&bFt6{?U$m0otccs0(Xa}l=deCiU4Tz?jU{1_&MWrmKor8K28OM3GZaulvhDzjc= zHY|w8djpDP?3ZXekrZ*lO3@x2Q;p_QI8T;=KL)6&^FkBqr~MqZ`6jLSjUGkx4mJ%+ z=MysXS4e#J5}-|)1YreQ5(OQE{P|WIRGCH{T+k9Gnk;K;EN2#e1-MsXsQne7pA7u*( zStDt+q!Ta`Qtm4R@=y2bY0Vo;vzNCDRK}}1kk_cQa>A`Z8fJ)VJnI%M=8Sekc>;gX z!?9G*@cSl-6Y=hoaL5JJy!U6g2u7}Oh4 z<|(F(QRNTI0?(!?%krSjK_G|a`n9OrF5VvsZ?3%PjpMZ7zxfYmjzzvuxLNt!gO2Q& zBq17&pS{7^6%pxbs1Q%DuB1q*i~X!ixsE%Y#ZARfC~;rdBLun{!f zh*g2cK5OX`Zi(ucr79L#qc-nKENwVJ7^viNCh7!t zDvbSg2mDhMHy@+GEg%H-JSF>k=WW*||3lN(M;lP(xC|&iFL_GMFD2T6N$II#u<*xF z2m8;kq);bx&6B|DK;&=G5j%a@?epKeL$543f5B)d1+8Z3Qr{%;gecY(;mbJ>oi${M zv1t4+Wu$PO#}!A0q(PyECikYUu##oOhEwg1swug1P?ba~&@}?Toh57pe}Aaw{&S75 zQ;tQVumizz>czO%3ox5jWVm62#uKe!i+62`J6Zfx91Fr~+PZcIOQk~p6eKVhQITL~ zrCp6dBP+WjQa7{yxo!3{w6?NRS(TZEBjD5%hX_X5Y(Q1(fHAdpgd_841oh`{_l;6w zk7QWRx^>r1)>X1$ouy~t1QRSu?s5f4r7LD0R;dzE86)bzpE&SJC^>pM$F%;*%2xsm zO`qPk6~J5X=cqT}+}QUx+~oXN@);)E+g`nS(t3jgK~%Ya~=m8Hd8|?~sTB&52G;n$={)EQaUPIx8 zM51yjbWk8XBdrBjS{~#N%+l`p`W={2--0E~;N@hQ#3HMG&A|w}Gj#KW8sA@UvA;HZ z)VdVaSc;cvpBqt7tN*Se{YB0&Dq$2Nbuw``=tD%Zu!$9*Ld2E08BNGN6>H&0dbQb| zR#76UiZ~6y<=m%HnH-iP`h6(A=zv>zKK0KAOSBM2z!B2ZbZH2=41C?P>(|pT2r6_Z zYv7||x|K|sL=+Nt2KfFQ&s_QhA$vZI>UOD?2NhP7aLID+n`Ofxwp4Jed1|g};rY3Z zW}D`5hH3790Du68IZzL_;5WDa;vJQ-+8yR+v@}DS4b2Im)C>xg97%Wivar# zVM!!0!}>bE>n|>_lRS{}+gs^de%MZ% z8xpsjzZh<_c2zSTkNzl&GqqRR>g}(G#~0i@E+=1cJ8yRoam)N)-*KEq=Q&*r4`23t 
zJ1^^?5SzVEN)|QVEAmYYmv0yz%iKjRX@J{bk1<&@x-h;6!J}%OwvBtAt6MBSpUa;F z_CV8+91K2P;25yolhR?R1>*93z*64%>GlN&-}h#l#@=gKnZMHr;U$ed&uiq(I>*KA zs2z01+n3dGTYs^L|6QH-c?`X-7NN#d>O~mvj#1q<(#T!wd#>-)_dV&l>DAucmJwWg ztc#Cr`Cxn+Xz;^y|LNlIetDCId5@}d*(8Ydgxfhx#v$N+YOmVmJNNkQ;iTvqGI>07 z<#ST|>gHW?lG>iR`Fe_@ul>IL`O@ol0m{J3;CO5U{8Wz(PUUs2D{0VQ3H73+;pttz zxqE5F(J`%azuf1yO@x`14g-5+yOlE3+t_B?QJ6 z_4c2R%9N}U$!_P`r+1z2 zeCL<@4|vwI*1ay=*VRmkEUKY4p5etII&Qi#iW%h)8h)IqOUEjxs!8z2HiIV4Y&bgN zALLdBq#>26^8qHMDp{H7q4MwL)~+-~&?)amqtVFTjZ@iZU|}Y-P7yD5Y@!l7mQsP; z>wW_g^As_@fld8S#=~q4S1ZvO7Shc)B0@?!F{TS-?!tsNy+9^TSr2waCt#Wg z6+IAYvIY3!^`UG7uTW2~t(i_C#YqM{EXe09HOPcJnWa>$h{qOXz=Y|Zpj~BICBIc2 zrk0kO%uLdTs5AP`F?wV~WFAqdIMWG42HKBv^8i6A<=+AsI1A=e6Zz~oY%r#A3Yw_Q z@xO7J@rq4+3xu1q8md}u5as0T1R7G&Jya+0&hq@kN*mKMTg<;LQx%T_=B{NYBs<3Y7rDgHxw+Yq12?h(Jo?S9d%5qjhdCQAY+dZ z-r37vc;HXqWWQ8~p-XWJ@gzkWNw+oz*Wj;d$!9u2Xf*xpNT4-yX5c$f)9~7;I(QKR z&P&O#;)$9qS$$DPs7%!Oy-@uVLS4&4;`%eAr8f=ib4%(7+@q$fELvvCqm1NC{H0(5kQo9=rV2LwCP6_YGpu@A{#9U z0j=n`27*uCccrde`oR#-%+0%uuX!j`x_E`r76qyhi?(lxRw2R>3p1rE3{OhqmL0#q zOi+?iVaU6%#)C(H0-VVQ70lA-gJ?8%hG@m(SVu`)=8NP6*rX7?VkYot=F-v@tWkD} zP03IRP-DW^i`S@P@LDH}!E4xWdU|VF=Yu7^VzLB-!<0)th2NZ&0J|xkOn* z!nr^u$>3x`WM#b+x#*rshGriAm@!O~f_IXLNeDpM*L=-v&inrZyb(Z#s89NC-U1%r zLeB%`Eq1xfYkYYN?+b;9M}r!ya8UU=(@s*;W#Y3>nM~>D zf2F_mKBcB^BYW9>Z`bUcN1N^2Z-r7-SL3^bUkm2 zJpjGwn+JryrdQ~F9wud_YKK+G_kFwJTe=%t|CCUHOTe{hPOwvtq zN3eOj_Te9VrFqNLiHPj%^+`2r{+lws)B~AYbFzisgG}S-{1STqXuhZ))XH`GB<{Pv z*SpQ~F84Hy###q1=efMF*dLBRo62=K6r>-G`W1QaAENZ+i2br*80f;WeH_3LfB2_; z>3Tw=o#(kjqdv{oRR3>yxi%18diyct`Y!Ly?vjAupk>>C8)qbK~4JNZBX`!$Qw9Dl8w6c*hx3zd9~q=Ebwv)@ZQ8(r{gy`O^xKO|1MZSJSU;_#W2vbA(c{WJ-`_Hi75 z?QQ!Y_^5tGxmkU&Z#)v{&3vN$P*#914+H1ikpxarVd=+sZbSBVfqm@2c~^yC11y1P zHFSo|_S$CC*DZa`i4(UZc>(G~i=M?k z^EWdw_GJ=SiJ>!Oq(DPn%`Q9>>fAA7L-B}!HnL2}`Go5NnILj&szm-qwrK?Pnv{hp zDFoTj!*bGO2ySAfsh^y<=u;`Ir0;6qvegjLNu}ccNDh~%R7+vMC*}gBjCyoWyt4B9 zF>?oySS9GFi~q4=@Y&sqh05bQu*uP?Ud45_bO20GY7LI89fXGS&nLH8l=S<~)g#Q#5tTP`?YDJ?06g_KW~kfK=nm4eJs 
z8#fUo#b{0*v@F?5X935NU}?8DzGKzC!0g0OST51Euvi_G2%SnRr}US!f>JYET6xni zOtEk`L(;t&k_Xobo>DAA~hgP zR7zo;f9-_g`?~XLgp#i-JqLMrHa?3PKsjt9X%NNPlX;%{4~_75f{}m@T@)x>1~tI< zAVN^EA|B@$OL*K3_qDQV@*osJ{??x|Z&KcFZxeVDvDhD!2d;sIeX|y7doG7vCX!|T(*Fa|zEKXMLY-6- zS5(uDH<1q?#(mIhPa)N%c5ZTCM#>)Ty$}xzhW*ksdI)}(*Jp$Ya*28U(NvuDYY6Q% zF_NJI-~yR^3jmpu$DS=2j{wSEVj7#9RBPi%>#{4H(kX*V?X;+dxK^zQ78y#D3SYB; z2iaoQ#GM*;eoH3j_*+t@NHcumSd&&NDF+|y#AwBFmXS^5noO}S7Km=QL?<<83!{tb ztjI|Fjgn^@UF@*p5S}|`T$V_ZtqE9hBvWqEEX00XZ^3~Dl44(Af;yoMbWX+<>hxsg z!~I?~czFG(FVHlh24_LlJJu?GPi^>N;U#DqmV#p`GdxS(4f99=C$Y{iV{JJkyv*@6 zG4r?)Hq@-%0z3MD#xb}$fGkGi|L&4{AZ>rLXZ4?-<9Olh0+p6g3%^-+Qg4{%8h?`h4J1450auI;ieNyk+Yq0^4Y zVNuP~2l`P@_wj_fp5t&_ua|dTx4h?bH!!KWR->l=$@jx`qLj(w9LRv9`*QF6*aj+` zi<2&UfDs3`xoqx^=-xQrbYO7(>0CftJLzMh$#-k8g6f9$^EAL*jx$XGVqEn_u^ z>)-y{giXKlKX^0!4C!3zetp&tvR8aVUbbspwoNCxS$=m8#PH(0KHl&3Dn;+Ue&L%r zVxlE{D0)x(p!PqE;@^$o%8Yd;9MDej;!x)O+Lv0cWOrzZmOEz;!@*o3i!w1JJwv z7!qsO4)6Q^!1j3^e{*1e)#LwmE4}4j{i*ZN*9Lb|1)lIaeKs;j+HUqL}0H9Hi-1`MeP@zKC!2&DyAa4wIxMlD#C@ zvq8Ju`S^>$pD9Fms>5CCc;jZW`I|)aq-K#zi_8mek-;-bb+awhs-Une-6v4H!0Se0`e9_afl1iib;^c%r~g}&7pVO2W|MylZP7$13IxfW8?yD=$8m2l-dPr%&sfS{&k z7LZH?BsyXgTOi?gdwpf*P0*(Aw?v+j&4NrFQL0%f#L$rbUN6g$qHAU+yne4=D^NZ9MY- z1tPibJQBET-gt`#Ps)Sy_VUSB%rb3DJ-(n=+igzw??erhX-iXw z9*;={%@P8!-fM7`^R$BkX2qSf zu&Aoh)~YN$kpp>!g%!dyax=?{9^fui7bx=+Tp`P?B}wgsiG$2iKjj&u`YhFIR=jfI zAxO{{*7=|KYZ3Wk*xbKAQ6wv1K&8(#>~F-VP(P;nd=8`XUo3J3B;Mr;rT6jKGw+|rw(>t>E2*Of_Gbr$X+0-83$bl}%LLWKa?srkvI z)DBIojavOhDi+jmCDEGg97y=GWlQGmhS;;KEB(9{rM%6b?-YB~#B@vYpbRc=VE-t2 z|B>$V@HSHl+6nMyfP3_uP6qlQ%M~NT$00T>OAN@KC)@E~z}d+JxJZ`cZ0f`w9}i4V zUb9@oTh%F=%Zw6>=a#fK>)%jhxG zsz_lw%qNcj9Z&R45|Hz|B=;QXO=G8ZW7ME$k{wo7nndw+#8UPWO2YWdE@^Q(n-F>E z$rttAIpdAiaeTl~_nfhPS|P*XRJ(Zlck3%hH+zTNbF#)T{f5*& z6x|6R@xNKIbOx!a>3Ni#&D65~Eg{M6?gc+kx^FlwDv$U!-In~YcRqT=)_#t;B=aAR z*ZUCHMzgLxCOgQ}g6(-EzuCzH`^CKqE%Vg4&3+ucyRKJ0uAc^pwEoi7G3peLUlG(g z>;lGln!I|0pk_=NMVa*D&q=k3GI&97hb=gaJO?*jJ%>)czgkZ9{iZwo)AY05%RARB 
zOZ7UhyTz~Er-?Vizy4wTP;-gC9W`}+Tz&hzR2sFMakFPo`O@Zu(>|VO|I1>tyL27i zp27dhJ|KPi-9gi8-sj_}l{uZTeo!7o<9JfLbiUr77n8-mq`1d_9`+IJSub^UNJ+ci z_14j|p}ER1(`A`>N1)y-bpE^;mtIw5-whO<(Gjw1eMoYzB17VO{gAryAw>97$d?a0 zrRf!UnY?Q{vL1hKm)&!BGMzfH0L&|?Z5!>SgCy2>k9B_-j;FRWukkK`D-y4AI_412 zI5H0w-Qw}^0Nn}1x5(z~Tq<*F2GZrykbJz5pV7MxD3(@h_zFDU3(Zf8aWuZgm3F^qysdrj3{i0_4UQMM z$(+dpf3oNZdhcA2xu0t8?@u+CMWjmYb@~~FwQ)K7Ix<^DgZO#=2>p!%6Wce&y;+Gd2dY1{!u1xC}x_{d*Q-4h9Yu@?x^f4}WC8 z4Zl)Qw$5{q>8d6Iw8K&PWi=?1@4il9s-=Zf8qhv*lBhNYTRJPq{B9INkl_xMzOXq? zyK7)l5$sRUWjNbOnYaDaLn^5Tf5$0?U@{cAl1@kpRZxp`17uXhL*N=Ea>+pD40mF@ zzh%@cMy*=rvH|lB0hLXYIN?f*?oTNR%`t=!%$(b{$~DrXSVLr^V|B>or-K;7`=mLD zZ7YuzGC4Q%a=ld!rdl;e#Z9&<V-J?U0I@a8X05V~K zcF27$ZnQGn68++tI&XQo-tUo6^sl@$6-erVDQfDy0B}a6?0zaMw+SF79$ra53t;Z% z6g#^Fdy-!nvyNZ(Y zhck@|*zx|M#^5Ya6RLY3((;uwa%PmLzSfy7`b3;@HU!KW?z*vG(@_E9c#>o#{oEqJ zwFE1*3Sfp>zKSWIKC}sN)ngd=P+<0d2xfaQ+J9)bk8=uh4H)HwFVScegUCEIw7Hey zN?khPuC!)BaUhO|M0@1LNYSCpPpy78WM{{miG7nmMNz1(5R0$aAHX7s8-?@uy?(*X zIm_k%B)o?>kX?!-)Un8nkI_BBSA4uk*1+@CbD-}OUPp>mM|(1vB_Q#_t4HTb1G?5o zmv{_b6o0yyx&=W5qnFH`#R*=sW9Q&}mzz-yUnKl4EIDiD==`hX)JBl$({qw~%%3ij ze>XyEgW)a|9>Dv_nK=rjb1v2bVOTY~?TZ*mO_o`Ygkjn4IfuK46sUQS%sgYhaKfc* zSC$NDj1lR!pnolDK6*^8k6_)QGB#wGdB9AWP>r@!2>tf0m|B!k8y0X-ocDuu!RrF- z_0E-tEO3)2FPHgY58B2z5(hL#^-HzYm>{K1P%T)cHwm|AUuq`f(mpD~4AzE0TX?`o zeUT`QI^mEwa}hJL{O6hFNl(>KpC#*#A9VcnLaX^e(s2E9#T1Y}a)*I3!NvM@S#nGT zCR_6y@Am}_uZ9vW0}1g92Zw1U4GZ5+OzsLRL#issQfVfo>u+-veTuZWPJQAxOxmOl zj_Ruo=`eNI;ca# z_!&rICCEy)U^-&QeXAP$8AOhfZ6Z2e+FecV7*ldwEZ7LerdUJHAcH)iYu2xxHQM`D zqLDePyFkPQJa%4>=89L&#o9w7K8~G^%<{f5tH$VM(YV~^T+Or0{~gaWpDJz{%&fnI z!^7+Lr(tEuKhC%jhv{>bCNM)6z&)Fu_9`M2f)#M%f|z6cV($bV!N+?J@3NdL4~#Cv zb$yHi-guhUSCqsoB&-eb)%`>{6b}#9{0*DD2&G(IE+tz-NAx#)W=vI??eXgiJqM>C z6Zh(1X(s-+?D}(bCX$D<9AwsqpHVdx@}p|s|`u5o(n1lxBk zR!IAW*g)BUZeey_<+r;A=JluWP-}336(9hY*p11-J zMoMqFJ>^t_?R@NSL@$#Ba(en2mKp}l&UBr0PQ52|T7B#<`2AmvjJJtu{ZXHr+h?Cn zboF#^+UfNDL7-TCf89GH0O;PMcbr4Ir}y>(L?^$#+l&<6Z@R5MBVchgbenVbughoI 
zb$#Z2;=8~13jm|)ioy5D4VHM+6kPqW(6;w3GN4-93);gtbuz3sZ}W8C2FCmNRPJV< zmNf5g8`G-W9q8ZQFzjQ{n>31ENilZ&P9ylQT%q0v@`sPe_dG7Ss&lxHULIXJ#6GUE z$XE5KU1vQ0WAOgiNgHCcA@RL}nkjhA^Hcj*aPzPi6(0PU*A3#x(Feo(_%=UQm*(ox z`=R;mJufqYFZTEtmU#AnBU-oHo$1|ed9E5RH%XxQnX#W8)gP$R@1dO+fk-WZIG0_X zZuix9sh`s_P_)N-CWN z(r zora1noxk@3V^aRTwF(x+YQw}#I+m65-xF=Z{UMp|c*nk4rJD4qA(urMXBurJr9yZq z^va}I^C&7@eV*+RezRi2gwV=g#116ilp-Rc0EG@p#383hLdRd;w}Jh$p}xXM0>yz z84nXARKy5;U0IPivH8*vF^G9ur*R!tU&CI`o{!h|hZuPOw=l#BekS!U(5g+Qb1<05 zoRBS-8{nn+gKLm#077`Y#V{g}#Rzf6IA^U5cGRq(P@cd5p9%C^ejeW{Ygz`LgF+yQ zIt_4OlF)1`K%?>vzJ8s*d^Pg*d$I1P{_yn|WgsV`d`~WzSvPQeasO?w1`Bewer<^A zLe&LNh`)3^BMW$J{$8$9ZdyVNzuc^NOeJTXUu4#~%qH^p6v&`VxCrzr97B_*6S7{3 z@6uB^F&h<<8c^Z~ioO0`8~Z*~5D!oqKqU~ZQ2)begD4fCrNySHcAT`P;p`lxKWnlqak} z!*lj(?Bqg9fJL}1ONL4`<3B88?)V|1jS_@hrEwU>S-ZyyKM9ePX+;aj0?S6NW|prv zPC){I2KWnn%@jrrd|=Cn3dclae_gR`(>G(aL`DXv0k2+>AT3$A81}$JG@f(|6{-1+EWBt#{HhxE*jN9{L{&8C=3oK-PS}W5cmwV{W12LssY-5 z$x(q1z^bqrHJ+;-hO(gA<}*#hUdTOp`8l~{2$)rAG$>IiYmlQeDf}j5 zVU_0vq{3>MGCN%#v#GgD!q!-@A6elm zFgY4?-_sWk%QH9ji2#n8O5ii8Rkdym#VmNE4zN2*{)Oy$OS+{j^D2@(u=&CrXwPB> zP+3yy*ILd7NQB1`3^I$#+axu=@sj*&SJXX0O^usC^p=?=_~th?(dPvWazd_j@s4Gm zm2j_9f+*@7lB6T|8kp8GoF$~s3Kn&)vp~k4>MI2M;~~D+#)F?r-(V-q1eCx~Q-|PR zI8cvT=d=#BqVn$vU>|d9n`d|8H#jiQuJh23#(0w9n@pEJZa91RYS@}Ph+mo)`_D7} zBw(l_I7nY;u+QV&FJI{4S(&dhWTOCZ%B@bz?N;>q%-b!XHzhr*b)D-WzNR~yd+Dd; z*u>?wYv}&+PwUr-%OK7zr@Zd-G5j?m>CF|-{fiURo8f*=*sgcvp8L>fpSy#7Vt)^C zm-{xt2))~^CzFo%V_uK%GC7|8M9` z>$rw;vUk|)bv(JbG|zW;ICXaa@{_b(=C4_^*njZjo7TUL0_pjh=?9h5a7yFN0?`sHZo_2gZerAo%a^8|{`~h4hngfhk0jJHwDtBJ@YHJSd z4AbitGiWX-9;R!k>iz* z3HdJf0crY9FkQGk=(pXY_EkGWc!hwR@0Gav&j<3ZZE|z(-mc?0{!33iPuq*_8qO`B zkFGmAtyjvE1ft%B?B#JTIgLVZXn+Ll%sS{y-T#8(2Hq{0oa1Sg>aQ&yNzWZ!eEaOz zJkR&uS}?ft=_v1xXDM^(cE9;N0sH&W3 z$gD+3q$b1EuhZ)_hWI=Vc*s6Oe?ZMle*w~@>RsDj!bFa06o>pSdq(gJ|G03!S221k zvkg*aC2K>O9#@FelZ6S1LY*V|LY77jIX(;MgKRJYc@q`%i?QE)7>h<7f5RqkqGN`d z_LIYlQotsJ8^!1m49e7NG>AL(>a4cFQ&;#K0sgX`LfxR$0+0CgA(Yx>WktSt{3xiM 
z$*;)pJzz(zG-!P)!U`(uJqEgzFDEDJz0VRJ66&EJhKEYJ()DcZT(GgNx$5oF`fr2h z!}l?Z7qIlt!w8u8WZRE-3YG9h%br2N!f6B>;Y@r|4KzF5S1qE)VBwB|*;Hgo%j+^7 zW-pnQ_~$~c;HISWlsTVD7ItOkYW7B3O?*#f--q__tduXD#}#r~>4^a{N92@j74lG= z3sc7i8`Z1}QF^$+9T|AdifZCjj95mIrRxL2p(%WtmI+^WJ=_k5D(2k~BF%U)x;IIm z0n+rz@);)}_>LfE z>^HloEVVj=#Eru?oJCSPXp#i~!oJ$Psw1G>8tXPII)I417^uVkIy?S*D{q=mit+#@ zDgJ5%;G#!a1~WG1KS_}=2b&qPddK=VC8E#Ad@@3>eM?b$%Yn68s~XXeTDh+g?gwB@ zOAGzFVxa<#6sPpgPl`6((T;+H!`14Gp_+4r48`$)OH^XNkeP(Gp(A=_GCGMmenkOX z2S%qyF4J$?ud%b#62b_Sh4GK3PVHBK%*Qkg!dbY$5 zE0yNLic4@2q@MiViR}vDLk>lHadi9(X@xSe{BxR$DpWGv9v6$iT?7&V5Ze}AJnY7i zr&ujDFvFrTFv^D;#Bj{GoCsMy!a2eUMNzc&*P+gAT&=^f5{JFe?ym9PPn-G5H0V92 z3wyFjAx|2~FX5|9$T7w$3MfDe}7Ae3jIf-0b6yj_WZ}|_rD!PKX zx-V*ICVx4jHL#}s>a9A%%JAeM`Ib#vzQavv6VhMo|=YswFdrDchX|mNDpA-lWDaTRsWTu zSw;lhkWbLm@(>W!ut|4@aPH0sULWRQ`|B|WMK&geNqE8kTT^6Ttbuv)z zu*g@us8|kqWU*#$UdWhNMg+a+RVb24Au69?S{WoKcL-@C-~Q!BQdPEX(?^`MD%Uiv zuQ2H>BL-$Wwp{j$=)mOUuGRSv)ViVqMig=5DI9);dsFM(PzcV83j@Pww*qJ~e)Yc$ zm>E|wDp-qNWQHOh&sTgQ_-);S^sG83$5NqIPGOkrjK#7~7Est`;o1+AQ;+7h=vHJ3 zkDeh{>IlJvubDA$5gCR=-Am0Gti)4}!b)kckZW>uJx#ckIl$-aVUBz?xtjx)ZXxyl zfT;qHO-}hg`J5Ml1k!VwClkTXFL{JXfep+t!lMGU;J&~9W#GP^FCYOP_V56>sDjyE zJ+SivBS?V1juDmcS@xi_m-js;&*f6f*!iFK;c{)Xd**DXogayR1l;z`3v0NU9rs?v z!qR$4l@sinPxM;q?jIBehMYUN^Bj+{ROy=cKO>KtjIGLs@vu9K#9Y;``+hjOEoP>V z-bc-=0(s7x+Wt?M&~Qrz0mYOC-4sXDU&zjv$cc9-v_zxDf!>vHxK{mr5+pUxeH{fc$! 
z0dXNeO;5`K+AE>Qb!dt7*3W-gjl*=moLW2oA#E&eo56>&t&r&4oYSm#vt1>0)>y60 zbh!d|Pq-fa8FVfW#i@FE+@^{^w<7*=tsV7_p!pLZiRKZ_i^e;h{SniK{W8&qhpNZI z*j=lp-`RDKKKPpYW-?ga`x-}kTKe6vJoX<^!S;2fxSzh4(S`De{ZIcjtG8ylOPA5S z@E?q)`pwBp`iC*+7y>+3U$4`wj|AQ)N*TM#5Qz+??258SP_!2W&^A0TEGpOVI*Gd< z#Jp=oYdH0Mi)x9lJBi}D1y<~0ldr%C9UDB;PD~qfF9T$UBCWmPIoN_^V(>rswUxBv;au-u@?jpK&O4i4116v?6Ql0{N;rg` zlvaTQA$E;ldo%TWUh>??8UJcr2CZmojJ}YhYh=8TSSmUCYB5<=d;>~Ax3=6X#Ge(>>=YhrS!Io~Dd%3(6wurhFatv| zpZ-S2jf<9M#eN#c4(ka`0{jOyC79+lR8}Q&x_HF-B>MeX?xPIJoC+K*WB6+^G8XEV z^RoQR%nxQRrG!FWr}a0DVl*XmAN#cyS9@F@h2V?|kXeM3PitB*yfo8>&Kfx;=+DWM8@Ypw4rsc6Z^H!EM98bP4d zQ~wMvCZYbOtvF4>F)xLp-}uQ!wK#)BKhAm4uW+Kv@{6>74Urm-NoPy76X0W4iM=nm zeDRQ&jQA{WA}>j@t4B`hgB?(#Cg(>$G$>gOeg)yHX9v}gFYyZdC2-q@^jnOHi}~68 zi&XqpG3WZnArnpcyAfIqGn;;8IaXWnFp@wa$f&=`r?kqFvJ+8Oi4MWWpV?0 z62dZ&L6W0>NrJZoGjj5m;F4+CFM6PthUjBzf@7T_W3_3uUaKwdipghN18J;F83Zec zAEizRPj+InXFYTZvjAC$2c^)i)iMAzN~BDVx>#qb6e~=D>R*1SdI4#SxLySty0@yw zG1PDJ66b6d81hNV*L;%Q)I?Lz6$mpz%RG16ukXbrglvi~V%Y}C*+5|P%g;z~t{a)n7d z`Acaup0PvHM`A(Z?TUq*>`Hx+UbSc$sw9mpZiHHl8R3Da!OT}HN<3_cA>g5bCQ_6r z`tGVDY#SzsPl)ynu>+%IEuV5~k9M_dD}HTAZX@1gYIvMgNwGr88q;G+Edq%}Ua67D zjy;=Hcu!L>w{*hk8v{B1p6SV#^p$=MX!9#bI%bKYw4>c$LntD4DwhG4VZ+eP%P*sTD6@f3F1^lMtef+h2aMX5C)`eaNY!(E}8c^1x#)bQZ$ zjs;n(1#RjYM|8qOV-w1e_Y@?NXub#N`u$r@u3=%d2F#hIbP1Z>QBp58WMnpDVN$!o z%8gtZ;BjJJ8vND>kFSN^HELM`QFyz zw1fWkb{C^!oc8rH;zt2oyVkH^Zw0JT8W! 
zFJB(y{a)Ap0Y#D5j6Lpky)V5AuaB*7T1GfXzzZHXb4+p_pOslgBUPlmIOavEo zeTRR^j`(Mq88@#lZRMwlE`O!2yFG7Pj;5AIi}(Hn=ME4{Gc_D>Y{g^0g2FB^_-_<;j>(|TnxWAgtQN}x` z*Y4D-dhenxOEdVoI=XaME4rbyA=>VhTYEkKPVNQxJznFE-?w&mqV?oQ`g7?_)ked~ zko)`L=HrV%<>Wf(;;eZ>kI&?Tif)%LEWD=Y!0Dv%!Q%tOx4h-B{oI<+{eAXX!0RoN zK>NtP9=zs{HnYgIc6Qx4Q=sm7&DF{};%i*bcQ(}N->3LIu*Kt7-MS~;`@Tfx{cia- z|9EYV9IxNr>T;pjdih||(_r*INaAk|PHp)~?6v=)jH2tdFj3|j_vdlvP}|pZ|76uY ze$m<8{{^-Bal{&#&vlCBZOMB)R$AAQ|7E_Fk1y}>>1wOz?I2HA7gB!c()Xk8$j{@e z8~QVR#|tBoL+V(;#83C7f)dKBl~e2Z-U^?$7qB20-1r77%tmr3kje87{&}vyD?qAm zC7PFz{RVkQ!a}AH$qGOSYL}n!|J4FsPfr9-25Gpx_%SFL(bI#U?;+0V{Yo%+`jAGy z4K{o_TT)=gp&GxAS+yj(9J|#nNaLzGRS4&EC?lztql6=|oM%B-H}ZIoiZT8Gyj!dh zdF^pe2%bR0DYU6ir%fE-h9s7oJ(IxuN1j0xpdI3K*p*G`Ii1cL*%mL2f3NPlXFXNHk|cn9750`YwU&b)ej*OW?vBJU z$zR0*Az~!72b44}WcIc2i?cjjaq!L#qqbDIqxKqut$!jHmi@MyTEfC8q(GF>r zVl-ndh2aZQVNDnfHp}ZY1)ojOp&li?N|bdeU1;vlgLy*rU;@V?tUb;7VA3x0lIJ)g z7Mnkj(!rdw5kX_-`vPpRiGzf~{lOaY6Tf>FnXNH$tzjtCFifD4c@kr)-8i%}(GML| zkQfZLLaGdNV$UeVA%SW_2M0gbsZE7fxCoLn&^#p3rM{QZ7caUsla_Cmhs2%{RbMI+ z4M;lY4joK5loVJNeReo22tbr(OaWg^l&%eamhOEgP{XIH=A)`i;U0>dj70iu)+FSb zJ%y|N-0B&dfYMH?*&vCfy>HRfr83P4qGauI%`u6YrmHuC6!Wr;_9zilMQj!dO`H4N zvn&!0nr+%E4r%G_p?KHpMX8hu8oh)a@$YZW<>XzuN--Ea1SUa+bJVbS}wfo(}1474jdC=H-cnR(e*7B%JE# z2^UrNI`#5`EC(uHtPN#>ARhn{wFg~I8L(%lTNJ$f)7QeBPR1b2r+MJjw=+R#N~&26 z-XPpI=#3pUznHVI8~c}qqNNjD@w3cNP3hCMoG`YP=!g>TIDDr_we2r4id1l0m0&#yy{cMS>Sa z_J#xvMbJ-+Od^Rv`au=tBA@M$FCieqO5Nka+wk}8kVL_kJa(`+H~~D1N%q`01M>aA zxVeCN`|`^sB&kfaUzT@S=NRy6lBRHy z&4g9dN{(2dV+zAzUZaWc$pmq%E^1ckBaD0Tb;7(b*U3utTz8;fnnmLV97MQcHq3_S zlxnq$lyx>aB{785N^0vUkVzHoZ?iyU&n=-0zf$cl@JKb{9%8iQX)~gPXjMgbKyryz_`v$cF7TIn`Ks0kO{DwthTxh%@!XkI0J<_RX zc#2hzQDUFX$^HVQ?A)G2{6)3~JYYzvb9;Y8xCeELESo2UE!^QB>NH`0rU zkgNM_`NyU5Y)j}&H>l}DEu7waMr^u$ruO4FbQwZCq|)#GWUj%zsde4f?`>ZUhopJ#jOqMl z^io?zi7%%ux{dt>n7ZwII7hJT8M;xRW7Yu%RSOrg-+8l-@lAL zdZVfJ;Cl_O_Wrk}51zta-ge;XxNuJI@;rIUt#UhaO}BrT!ieA4PxF|fy!yOeTUk2W za$7FnkTZYB_qT49&3id9j1H}>x!Ds6CQ9@4s;uVn&i_~>f4+Lo+|G6yi;8CO9*kf2 
zJiaf2S0`>f>{!q7oP8GG^76OMdz9PQRS&jSf1WdAvUm1(?HZ%w+6gzS={jta&Fwzp zL-D(dbzkD%Vc5gtWM$W7Wz15fx3+GI#ap*}eryF><#oM!JXBkq+2!yI(Yv-Yv(J@&m3@B2vHJd} z)gN3I8@Ih@{ni(ruHIo1{WekyM!5$I=zyV&KX``9D-fUOlJ(c}0V?()uH4rI zx8)P{KS=V^O2YvJjP#*}XOSjsAJhuS(@b5Ri+-zjSoNRocnF3Z<{ zfk||Y7amtBQH~nF#*EbY!6jvxtzC}yy>Ix*tVZ291xru~HB){eE(X>JDZFvS+;F||$slyqoCF1;{V$tld zl^~~8M_w!#Q?Z~rX*1~fs9`{Hik)!oN*q~rbof1u#0YU^{I}R@tvbAHD=lJ%m^7_x zXG*5+8BvPu798NsRw4(?i!;jP@luve+e1Y2zW{k%I2Su|YV^vize6j1 z%X7emDdG-TA`FT4B_EFw^^1t8;-wJZikSAapN7unZ(KRH zQcbqy8qo|;q01?kMNbzf3VABx*mwq&@y!EEK_~d~} z^?!XdDy&a!KgD-4zl|7{PPH6yD2o`d?@*Vd%CEPuor-1VCk&t1Y=74=hqMkJG?VRJ z2zHjJRmf>-D9c9Rs2MQQuv3^}-zJqa0^%pdgUH;a`kN&j~2GgotP10kUtu>as>n{fzY-YW>xP3OocMQ<0Hj1y{kO(y0k z{$W`U(X3-qA?FNT)#RPQ6so&eYbptC(MoqH%$061r4m}pDGoE9va3hl^!`$(Svlc5 zOzhl!%Z`(JSEo*&8oK(+j2(@`;2N&s_RCR=M#uM3kNe(Jf0Mwk0+Cvj?f9cXz z117Nw^f>>hCKhhH(#19nv=)^uoz!pQvXtVnPD~B{N>CA-TK>LzB3LcMs9)(;&9Vca z*88jR>#QkUFS);2jEe;}8sybcdVl!KqK&V&*E{O56F2|S zp`}ar)9=~iM)2|_-Vo4}UR~?=Uwd=4@2|Spbj7__-tH~@%=y|DkDv4FAD6XP3OAna zx0bI|mwTFbPFtV+?l1WVqYG|-^SxuUw?Yz)FHokg&l*)x<-r_{9x~wZF3L zT~`|~T(jc$?#+(p9dqA%SAOmB6C29y{`~8YICKv_wf~a`EE#*(to(1~KiX?A$IJhD z=Z698(HC<9d&TveeDmcij=OjfaPj@V|Gh_h2VQ&4jh(e#eeS&sv)XRe>2W))wA1%? zdF@K@q1Wc0vGb$xrT1{R{;6>e`nD^tyRq0QU^xln6ID3mTFSuQbq5@}=*#cDwf^sq zxM$t-`Ry@aKi+rG2dkM@4?#l2VG=A~De?Os^? 
z;N!1fjrj4q<(s&hx4z)9FXak_@eT+K7Rdwp#T5j`k(Aa`OlpGe?Imv@E?{& zIgkDF@gIpQ&jPweGK)bopPv6DAIE<>UpoGi5DQLoK`s>)Ty|mkkFYTOr>=8#7orD4 zIVhn5fpb9D<)b!?rt20ySeA z^_WVos75`YGfX$N@p#BJ2jy~tmC=CimCeE=%;RQH9%``-TA86ZM(k38)ze&inzKvh zke)`StB&0!pgZ-*SJJMo^#gJ|t_H=TMT8)l$z+EGTB`puiFp`q;pk0fhH2!%n%3X%8sf@)cRz@zFV>l7$I@jzfDQ9R&eZ?J< z0|Uc)gP|w@I<6p}vHzO^%lT#;L|jKn+)hf=J9sf`5Q3X3(E50kV$hc9O<m7o5;x^`TwwvSqf4H$b?m&Vuye zOwdauY6_N=u-u7yC{R~aJMQ+0kVPe*@P-PS35#Vy>1NV+7RihwmLwT)7WkVT$jxL2 zX$4b5i`Dp`BuvMw4uC1KfJEb_m>Ht<6r4B~h6?3;su#s|Q!@)9k?RH~3l|c7n9o}S zx#*|mT3jVeH4%dm2xM$dr%7?t^y6`qReM4}x*ppG<-|;!92HsgKu#zn1tJ>XuKGi( zoT#|sFg_Mjh0!zv@cej)#pJLo#;ny>3gMI>HLCqta){{#ImA%;JBcOBJ-9N*f4618z$qgicPH`0S8Sec>bYp(K}L>JeRi1h zximc;=D`MG^+QfrR}DDRsF_wBu5=8jZ997s&S^>=%fP0NeMn#bW50A>0p&+j+&HHoJhlg)a*{^ zX^%>kO@N|2S&OU!qG29hC-j2evQup+oSkK@-<>ke;gn0I^?XJt^~nJaHVUIcff;$V z#+Z_2IRa8J0k-LW0P-EuUInFc3dFD9J9Os$iJae39&OWpSS?Vt&|3T;S zf1ihal>cn|jdO1K0`MOU!9W}bu}{br{_kQn;{hYP#`^^Kdz3}K#8-Q!B${!FP`;!&GWp<$NeDmJ@ zw!iX>Wmc@exAjql)wc%bZ?eO7jk~URa{TB|ml!T~{jNvH)1%k9>G}O~ci(l->DI+x zUHrVYm&)V#~uPndCmDa#GBEI6L zr#F51XP16;x7$};^epYr``!^o{Es#|=PTR4bjwSJf9F8to!qh>py$kykl>n-+1cc`+u_Kxm&%n?E^pl>)ZC%ukHyKud(kYzg}$lGmm?A zy+0mszaw#!|UI+zsr2XUi9`Ij^5LD3|9o`*&)odC&&U21{v)Qrtn_8;|0YBtMSx;5`=c7sr{+K6$Ik!x zGV&i-NQ_y)+l@qbq5Hp;7pDK4%S&v@9u1XI8yggR4G>@iiEJ2ys0rd+sx&cJn`((5G-&12Uuo!0DT z*_)J-X=%dMYvULm1&U7f5gYOAlPN~ANZsb$KFSvqz&818Z`6QNHJ*g5d?57=*LKn| zZ^rhZ(MMXYM|AueZh2a>I(2=L!)l&1sTf>7PO&}@bfng&4st)C{~KB#Wd@Sj9CR8} zE~Lr>iyl`>k;@0gXgtDN#R^Vih*snBP@(UIEvFR@JFZAzo!Wq!9iRb;(}Z-=XsS$V z{X(kmHN93Vqt%UqiBzPr8#A~()U;kHHHuV&#saL<>b8>0=D+xlxG?j7 zxKvL?SXfB2DnP_;vm`ssq9|}P9Yj$$84h~G7NZglpP4jNC2wcD4p}3_J`QPgP~?+Q zVUQ^h;GjozhCtRut1^OTH92vjdJfL@L)0yMgdQn`R5NWi9aOAoqa3jXe44MQtwG-K zn54vKYCX~%4gp(jwv>#7fs)NZaVfS^XeJ429FET359YP)Y|hM)S<6rhHM^R_ri|-P zymFz|0w*z&#{rGbqG&GNHY&=44}K2iMYhx`W}RpaKT8Rbc%R? 
z*3T!gpK3^T0jOyiJ|uNQ6zwwXB+Z~Q+-pF3?2>*H!TScAu5#2=CE8B6gv%uX?~>Uf z3M;P0*K<=8;Hou7unJ|X)*NKZ%9!S>9Y2+A5@@%;YZ)6UGkl@eH<}28bkZ1Si;A zFuGqA8%~WMIY3qDcyYqRPR$$I(Cl7->;xo_kJD3E#LGP`ulHG_K4CH%)2C5Xj#6Qr z?svNtnwC0LR{^?7wq3XMblfgk`>v{AX_d z!{=fj|C-V>d2mb=_A7~a!;TaIif&V)H`5Axv^(%e- z&-z}^0|$1F?k&3KH^cCD^+oXNtPt(;?A~_gl1-0a@^|!nZ_UeJ_xIjv@7vk)|1j_B z`|keMitK^jvfteC%qw2pHxKjQz2gq<(MK-0Vy*Ss z*RAy2@8Bygx<5JZuimS#-uJ_YACAS>AG!Ja=Nz%+f#<#TlK!NA=c<#fUS4{+bsmWi zUGk;pwe`}s{y=~9_1~>dUAszrXk*_4zxMPmzZYhHUt=~p{eob-)4Iz(x-aED9zCK*@-XjjWc(ZR2 z7hZkLFE;-v_}$fSxZs`V-`Jrb2jJaXAu zx4!()z89yL-Y?uZ-gq71wHq41wmWObFaP6bqH`WR_|Bakkgi+Po9zDG`?naK7d(08 zMb{mCz;@}A{#dx^fb+g}U~VPs_CRT!{{-^qKL^4hzd!!5ABeA>zR{AK@V|a${dteF z%Ph6=TlWhmZ}Z%lD|E;g_ITmu<$nF};FLFZJo~lsYrWz#*eT-RY5lAnfCKTT(if&$ z+a2~K^u2kPX76pS`VRNjS-U^-b~b;-O4Uc7K6@>0g{QlFUv=92=QbNRHu%w?eZeV} zZ?EV4qV)0W{{#L15BGmV=jwm{Q}(a$9}O&)!cRy}esTHFRG^4NOxSoq9n7caKOZ~) zr}yRKKlJQfSgA+^#Swy2JgIyUNO#&}WhL|To?0=8d*3N2zxR%V4AZywlXS4Xs29(C#ILH z_1m^;=w4CRr`56yWd$q4^2J^&)ylEik^;$14hxftGJ75}079kQQ>uO^C)oWV-qNrE zLMmvewp}L%V=cu(0o-Q6W+Z3urjTyQYOSIOtzM*(*#;A|fLfs?0;6!8CGQE=5fAv_*NMt>d+BF~_k9jy8MjXvB0lKqBbYXRQCppk^(|KqIUX zOuJ*5M5$r5C2*;15e}PJB6`jKfPw3#p6%mcgQM$&p_#Lb5j739lL4r4mT~RIC=d&! zksnA!qahA7I4xwHTviH1jfbS7AGfGZx2@;kqCs_LN2%wDjFo2k{T9&4_PXs7Qj^)l z)+!~aH;${*s63`i7zsAj$&_;xx#}sEiAjpHgJc3Il*UHl7W$>KT+9O%p$Fw>ho-}> zWI8Q0tSe=xG0u&9%A^4q*>MmJ*#cdVGlJjLvSGFA^r&dkZTf01?J`Y(p~mdc5{6W4 zmuW56?1+P4oU2jAN~$?3h^bU@;&TezPYnsVkj{&++0OHDmvrcq(Zbjc5W2Z!;2Gg? 
zI!%*&J;fVLQYdvlOaHgRf}URsvc~^SVpY2idvpBfOU!>3YPCQl)WTm+)>o33b0WEeQiu7P!SyIQ&?*^`DC_9h7G6Gv9mTG<*m9rBESry zn^FY8qhTwJ(>c-X@FHiGI^&qILAI2ysbHU~4Z?A;#OZW@i19s=ow)^C%-4Hv7ok{V zlErYqNRqObsuB_ne%Sxb5}58M@Sl9)L;fQt1pcx7XXZ5j$bbIFesI7)HiY{mSfpiT zR~O~P8|p(kLe)&QI_Py0_06IGEPxrF7&#}Ok$@bXN#495}{#4t0+H8d8vjp0sU?@S8Mkbs#z{@Wl^6L z$XLYl2o)(L#TI%*omIUG4U~Mj8BhDM#2Bdzr`s)6p0LGf5S00JOEKJ@=2TcdrG;@S zS5JWj1RwFFnx@kcRVq*V0x&LD^UcBt;+YYau3N1h$z-C6QA{POIjQRt7RvSt#X`{+ zN2PeuDQ8MuHROWUq^n1%pyL4ffo93HP@L^K8B?;DIJW!_Jctqykfuk)WvmfLgf!ja!>PQIr8_Kn@wdr2lX z=GD^={o2{jN2g<_t#R@RFI?ta^5ku+u6LDq_-$usx9`2{A^BY6j*}+)p0F8k3uV4i zuwGdrdhxC!ewMj>Gd6$Y?U&UqzU0_r8c?^e{9nHRm35xI`S@L55?4>|IQQ=0@XHsS z9%Nkj$oF?x?n!N%YW}44Hrf2g&))xTsnjiu*r!(-TCO@u3K#K?OSfk9=O3h@s;P^(akP)&gBO_@>6!l>+gK$$J%D! z-*WFgez04wv-{=0I{d0LQ(J%iTy@9ufBP;jZ{Ip|jjfJZ^Q~K!_|_BKZ}Z0fukf39 zc6;@vcVB()C2igLyB$9``d?0lgag#c;Jq!ue)oP@2vjXS6<)$(XCE8@~c}uaXq}zTJzy$PI-*_ z`1SvR{{M&h5A-qo2b$CW&%^!|{$qpFV&==oe?(V6Bx=FGtH`J4KOZ~)=gY`{5YeqB zqAH*wRbE*BV=N5+;c{p~VpB`<-^5NV%RSBO6$7Hw z?CM^t)$}+l6)P>@PrPOp&(|u$3e7mS-g5yAgh^*u!X<@D8cMg;wA$TCK`R#3sMQUhU1H`+*;C2|?PhXtU=&_q`57maSZWjHNI>z5r*1K?4t1Y%cB3zbGS(2DYi^<_`V ztL5fmoTLTA&6?Lc?#XK)bJ$+X~xl z5eA$q&9=L+F_dPPZ(NPCZNs!duUPC?4JJF0<7`k*G0W0F*io<@y|! z$#(D_1}ZSoM)6vNcMOYj#o`!}>*XlZt2x8T2m^(H$JA86RBJeDx0T}tIY69L5Gw53 zjPPOqH<1(Q#wXSPfFJUo1-|jI{HKt7wEpLR>IVn>Bj>4CS*AU5N_I8Xz!g~JN~7+` zs|6fBlvKCd>(Fdl&N^%&>0!w-vw#y2P`@5HgBE24k|-Iqo>b_Md7aDS|_pOXNaagE~=?WsL@h@MNXk z0paR6#g{U0fiLn!tqe;JKL9?-6n z$G(RE0YoUF_g*7FR<%W!ELU|~#WE03bC+znN&*skfD-~7AV5NgLocCs2)zUdy^}*P zp+g8Ao=>=Wc?poq0Um*S_pG(oUTYWc&(inJXy&*7Go21k<%Mdyl<8(gJJ;jJT-feI zq~M2>ex8nVyx#?qZZDZ_rxZj=_sHoZ5}5+aWdt4s8oxfUl1U!BvtD(oM(pf%y6C= z&NIV#W;oCPUPE9a`JLoH$(j1!w_%^4fjs1^3fX-x#oDZVDI*o_bY9>_d>T=505V0vYh*1Klh2# zpi7Tl2;YY_xC@}`_*2%H8$Ahcz(It9y)vW zgR`_Ze>&&I;qM1q*RS4i&QI3d`>wfj9zA3G@n6-;SDw4_euvy*?DZI4JNCwxezH+^ zG4!!gZ5QA?W1Ai4GZzcCF=vQ&(7I`B&dw=-ubU)t7HKp@;cXPQ3U0C*E9t)$12H_`&`QZ(`I5hrYPN zHHdWTE8_KwFMRmsPyXqR`lCla2bE4cd7IhE1EFhgpSyMTx6fR%&nM(A@%W*}B})-! 
z9CGa*$FKYB!OMNT*$zYVoh`Q0{_w^=FRpF>B5~(=uSAEfa0c4g3%N0Mcxt%LX^-x5F8Tw=Mbbndh!BcmIR?Lgw~MYPW2> z#}fUy+n>D2`R8o-$7eEo@AA77uDXRi;gH79KL7lG>i@rk{oiKvKi`Ud75>xhPM?&& zcm3ZYUTNceYnqS7nZ%dpKc6@MN1?xe{AZefxA<`SF})7+&429q;Xfg+zyla*r2IT5 z=4w0%u$+bkkzDV&j^(6M?Gl*lj+}AV8*7s2kE{H|nI_MS4huY#W#C?~kK(1!cjcHF zP7`qfP&qkikE?dQS@g3+884MvW>mqs^jH}}ZMa;8^cFc*W3Q@B^iHSNK-x{SJxyS9 z!&FdF%fQeUihV65l_=A1_ESDdbwaAEp>dP69kN);;2wl&~~T_hPP z6hWrB0pMX>`0MeXe8FdfRLag&Ydp(9mhToofh%c9|_O3TwJZ+=#_^ zFh<%W6vcTm=Atezga({5Fq1u=LI~NGL8KbNS$*J^w30$8O_J+YQdOaWI|V;gqJ=Ta zhrUNBaFOrpg-#I|3w%-r!60Nvv%{L0;RM`BDF_Wh99y-xot0ayUY@VWHF(UDCf+9` z#v$Rbk#(rvpa%l|wp^`dIzhYI%LUCYQZGo5T}4No+F;ynl@KN^m8OSPLndr*WGF_T zA51TStM>@MTpHy=AWG^zcSNSaA)kTGT&GGT5_qNXP4|E6lshSNM*s6){3kQ{{_&sr z3OE1YKl3yHhtndZ!o!sY(FGdg6d@BPrs8!zmQB?tcO(OwbP!@-&|SUw=(O28hFRw*?VN)aL&mNO`N_H;|o;Ry7aWO)SQ0~R6cW3DN6 zQ%OncG$uy9$dBkECycYAK2mXj)XRzP(1c=V`seX#jEhQjXmS=A1ifsoomPmP1shy6 zK$N^pd)XdZ^;*-YgCdq)8PyPgs)P>A?z7lNJM3QszW42Pp`^IVO$R zS!0weF@4|Vkc&kXCCVLdafXNL96u$~$FCqrN&^&R9t)2wQy{`YOzXZg<^w@=Rg z4)7lmMqn5x$kdnMKdFD=Kk#>e|DZ5NVyPrSVqcyA+^y{YJo4N29qY_`RQ&CJm;7w` zoBl-3-TaCVK0aVaAoI>m=i!Ika?n1fuJzkx5505A&4@p2GHc;87kTfUy>@zf*_94m z@rO73{O)abdhp;EQ@ua^eAco{ZGZ5c?IR9#SH1rnf3+tb{=@rEKDE|@SDt&fz6AEp zJ8%3hdT6)pUisv>KW2x^RX!-xp1R}E{o>1xJlOg5q3^Bs%iLp;c&(xCac$}NtiR_4 z@(=F2^vGjA#GhE`qfK``Y1IQSYe0YOuJgw4&VA$2OK*8+J8Y%nx4K}~)5I_4bivJ+ z*l1Kg>I`qs4}013_F$Gq$#D0%&FJs9V+`F$V zu)vA=oA&wOv~#xl;LwFOJLwzcKNlQ!_Epgb@!*l2&O8zQ`Ss(Mezex(r#?Dlntw<^ zzg&dQU!gwv@TSF8H$3Rgl@HtTFPqlbD?Z*O*EnwR-!DFA)-Mm(%{yKD0eI>k&r036 zKRSDp$5y}plAYf?k7^y!zU}3AA9-S@)$ZB&FJlCM(`s(}*d8}und8p6&|D_5!geq0 z{_qX_L7Bfkls|vFho9Z?xw*Y-i?97;1jIRz5gkgOjVrue0v#1CCgF+2_))+_L=TC#~?S9e?w?@m8;#{@gwrm+n4q zv+F+p{D12Izk~hXX7r!mihULSGbXA8^##Mpzr*}Ti02jK3b+s(@R#O4;^)o(`CjrL zoL36dWvYm%)aRG~)aQr)5Y=kJ(%G?v_f$WC*%DBOM1JVkU7sEnv9gvcqfHHya57)# znOX~%CKC}ydmOI>lOfuZ>eG8BIduw4C)_G-8FfH4wSo^3T&maZgFG;lOJ%I1u*$27;74Y5_$NM^EHI|kHBR-LHrR=oh)td?=IPL`rd)#|WH 
z1`w6S#gXZINS7oVb;rSlT+(!*k#CD>KNQj#xevI8Opi=AS*k>Ym{VIltD%Nr0}27Lsq+T3N5eMc<575bR2D66tOLePYC=TjwO!WY~7N)rpCH6q5+ho($u#kXb zS81_<15JNSsfqFT@?5FDYz*qjAO} zM;V6}Fr5WUic-|f42Z}|15;&A&uAK1Dl{#`MjI)q2aHIpz@&P`ma6%cCfOEMy`zDX zZ@T~6knB&l?M!{~d(404C*1sB{v*!M{GS4mM#ou%#<3CrmZNfm>Lwelf}3i$3P@np z`Z@{rL$McBV2Box#2{7fwP|uRB2xlO zCZ7?mAeUEKXdpL=-X=OR8#Zj%5-y>84sG2N*L3RB}Z}ZgJVRIq@2n z?B;@+VG}8y<-AU=6_vA8P_~kONNXH5>?WqCMQm1^R*>ZN63|G%qAsCowa3@=fy7my z?pW7pqMk`Lm8dpC6eW`#*A>^K`rU$F%=rwLA%&jQirQh?sRM+kb4~&3mQ(6C+5hdI z_|G@f|IM7Ht6j-3lq#B+akW{f@vRBt>p)X9$35jB8L-3@N%J3c7LjYM|J9rSXY^7ayC*xeb+w!1*4xpz+U&>0@*v1|dt4UcD+B=~ha}Dp*iKEUm$W{k1*sMvmIsu@_fs^H zccpB%MN2Ycb?am|lX1)Ce7>G8G%8pzZWpm>m~pVItf#AerA@TGqLBneg{Y4Ww^3m5 zI6qYIDA}>=WG9IS#SYfQrEG1eRnkltICfK205{2M)lLS_S6M5Q9+ZmRoaRm)ekiD^xk2!1M z++x2dG>zjwI4L}zeQkg~cF1G1e_VZKxyR`v*3mY4VxhI4-1?N{?X&i(BG=ypud(3U z*N%R=lfTLut8Dh++|_TXzq`dwAMC#~ancf3zVqIuhyPCK@Ag#t_`7%g;Yyby?~NjO zpY?W2Z}i8^-V3aCMg5BIlJBl{?W@6sZ)|bn-m^a0eGPE-{+k~7yUxPdtrmacnCxJs zmyQ-bdS&M|$CuuF&##Y)8V3T|J%eC_rCy%1(dk(>uD|`>mCwGjlUNpJGxqPUxn#23 zT=eOkSJ5t9@1$SdyU58qzewKx49UFwbavZ6o%7L#*kWh==nB2Qz%MWR^`je{uJ@KJ zJ~K-EoXvnop7S<*(>Ca?)Hlk14n6y7^M+aPS#Pg<+FcjBOYB~M3^i}NLtFrU@U^Et zI{V{`mi6xEJ5QYT{uMV*h#xZGAC9Qp(_Fi^!vZH>de!@X*!1-?o__1;+AjOPU@f?N zV*IJNP8|yj=O+3i`@LZrK+WSKKQmhoAME zPcFE1yy3nNzhFGP$_f`heZp^-?wq;#k`I~pdwWZT`!=gS^X#5;_8@wBhiGpPj$uGv_$bfk!;sKYaJnz8@i1$Qy3G+uSQFH|@wB@X^+ruldaD zr!2DXtIgk@@X~vaUbe+fORvApTMIn@Gpv_BXPIaA*!+msZ{B<3%nxS$c;RzXm8Eyd zeE#|W)c=16`@dl`{{P#sufl(DlTuROJN^?-6Srp z(~joN0TLKve)&&(e)x}5Yd7*e>Ir#lIT*9ygCX<~UkGO)9# zt@u1o#thD3g$qp0Lq)Jh0Hi4$yS72z^!AhNaxq_>qF2rq9uqsdv zt*B9uEEdagX*lkW4Xj!d+gv?zvq*VV?MEsx68ZpKDv!S&|0zi0Q6uCAM%zf~Rpq(^ETXH9rFGKw?2D?zmrbwgeRa4v~5vhKESPTP(1mK|x)ki3n^w5UdYGts&l5?Tmz_?a|a3Y^hnI)hW@@%X?WIh+>u%X)n z84E47|84U6Rr}uYw{}WqF=qnX=}L>joG>BQ4!av@1D|h>~1h=Yhbg zm562#f?c~-WT0Ubaf5_X5vH+^tS85P7c<*+Yt-%aN{m4_)9s{{Q)w2PNCgS4acrebt$G413#!+I{;NJ$JhF_pfRgrsUAiPalUQ*OuAMmZ1iRwU(H z6_mt-e#0#SG|{Ig1~~FZ8knQTHKvYbi 
zlj-e8i6oYSQy7}u1YSF_=BM~%rO)R-|8M&@1Vho!;-6i<_2s8v6vYr6g*W+cDbMNa z=WlIU*F5#XvAtE*R71n>{9A^7FHa|Z{?zh;jn=Sn2oykWI zxMa_5#>GFM+uiB`{N)E$-1@P%R=o12Hq<=h7!h@s*#5lJm|Jhk=^I_S+Fm!mzTdfL zHWpZKuG7u*zHOyPFM1}q{^^$z z%`H|_kG&>y?e+fav-f^|hs{5F^tL-5JLGL{&0n6da@|idspEIL{^`fo{p+&r*;aVsF=t;&t)IW+_GSKj*TeL2+kty7xQepdN!zcx z`pOH|< z)!F_*xv^FB=5;q*|3P&Bju-yqgzMiZ$Iox=Jfp948L%md|MrS@<t}8FT)nqf`|lFn zXkJ5_zWDzpx}egPtI8Mke`CIriLRhzVnI<+L7~EFf`?C&JBz2=e^2hpU%-FR=?bt4 zqh!!&@;Yx2MIvdaMRRfYx zT?(lp6A++mA$h;kD%ol*7MPMtfw;-Q87fT6C9qOU6yz3fq!J>UiNZM3g!6tj>*&CU z11E%wX<(2F6Fqy#s5tpG>WIWV?az??C-+*yDu^}1em<=k#{3tvALct*N1WeK^LO@x z&X1dIV$9eWHBhCL)qpCNGkB~mdP1R-B=LSz?@IZWfR9}}(@szoQeYBQgJ9~l3YHpH z8)?C=RVFPdtjo3DC^-Oz1gnvrUNu2lK=l^cmbj_sY?b_yn)lpJSON!ftnrqS>18dw z&P=Ka$be&k(HT?iKr}!X!gdQXxKyPAWtcIX>))%;0+WuQTF<+Nuo+9e=+Pnc@w$EEF zIcV7>voR?);QF|gY4uH0RmdtJAjwX>%eU3B%%=<1FeEzi0Pcr&W`YjQLbAm3CP;J| z0UsfQj?_w{T#;A1-Em`7s0nHnkb8KF$(09`IqEc8niM2x7-GDtsly1 zup;B(jZU_M=;&l9A$H_d4aehvRMpAVv2-C(#cEU^5*nBb_tS|AIQA2bM98;DHsTm1 zWTa#cDRc%CEI(9(B%iJMF;b_e&nh-PF-gv{6PyS#Qje}qYMoLFw~UHi>ZFq0AdM%6 zEL3)-UUodB^I6ZKvzZapXvBEYs{^HiM7Jaa7g==z+Jx;}#c_V>(FfM3I1N*H2QQbI z6ddN;J`KkOw9xJ{Nh*hrP+jZJw0WCBIx|RT2I z_LI+Uxw&!ZEU33$_o*9?`f>Bld#~U0)&2Ha@UX3%(N)(jBi(U;{pT}xezdUk9q*rX z`>StX@^K;8U*8dSU&>fvv5oHB@{0T3W#7G|b6Idhehz!_?t6Xolf~8xZ#d<+ce(yb z`<-wTcIl5lx)}ZIq5a-?>Vf620=C)c{nc(cVA&ts58e9SdoQOh9o}&7MbGT< z)att*``r7duaE5Urzej-U(pXwAD&+0f^ma+p#O64%kwJ7T($cF55TE-&GqLDZn|vu zS62U|vE+r^gAeSKUS!eKg)iTE)V_NU2fKWu`k$?r>HO&9`(~f@zHp7Z`VUsSWBZHN zKI(4kx}BEz{h4zgyM2py){%8@c;}5Le7FjF*h#8&+(Tz%|0hAd|&RP9nKPNzWlBAgU8={@XbFjb?YPeH7D^a9Cqm9ht8HZFYVjT z0-7w)@zqeJfd?G{HJck_O8UmM+i#}3j$hj0Dk<&IhEGVB+nXAW==z50dY7jy4y zKe^$o{RgWZepvkR5}$wmKlT6rVf_#C+4(=jjQ{^u>?`Phis??&9Ik^zLcj%T|_4n5nmI9oM(0gB4oW|bR|*St=(}t>7Zk?J2pDb zj&0kvZKGq`*s*Qfw#|;YPoDRj?|a4>=g%7Tx2nddx#p~O&nu3sjw((Z!LyUbRz=W8 z;LxujE_y8jx)~;*3^R-U$0T=>8IH&VHF~>oSgTT~h0q}eQ*2p6w8~D60Jyknh+b)P zy#uZp;@OJ>L!X|JUq&l$IJ$%b6AN^0L`Jw8JYEU`2N}yhu8&`ruty9hjndt6GGrB; 
zSwJd3jHF`obV5HvO?Y?+HWDI5a>vOKWagw>cFe>}zIq8gQK>v^o*9VMxk!ZitRMD& z3W_}WX7T31ux4ww4KEN^RX6kuX6r=GP{_o^dG4Xa3QjdRLhqw$&lDjlXNH*R28ZnM zaq{>Cf%&?!poDS><#-EuadzeMlR&W3MYKYW%?CtQaVQ9_2|;!86XoU_;WFOa!1=@Y8AUJgH*KBuckp!Qc4x{pWu<=>gRSItkB+VE5aF!gE3OQ z)E4fMWy2hpJqJGGc#G!+G?EAtA*rX%>ID~%u_Cjuc#(9kI0HbzzFUWV3{C7G4}US3 zpwA=SmU>08Vuvc#SO>dSsSlDQD&nniNpD^9C#igZ;-mSb@@u(REqN%c2B@|R1uopS zTJCjGnr*1y>U8RniV>IOFw&zAa2%bJ2^TdO#i0z_ge5q&f62qQK7BMOk&PvxKYq4C3Pu%-IAIV_=G4l_ zzXNT-++uDjqSOOr2Z1G&t2~Jb$w_YHxLO(okE(f@X2x+`SjibjP3`SMF(49;x-Le0 zouI-xU)NUwd{D|6C;3+FSsFH+u2`XF-7%cld*HWl)=DDP3o*JBQh8bcxm`gK{)n8@ zVlw86YUa%D?OB^b|AxR9&g`LPvCs8)JRb=*ngC(dFY`r zT#l0|p()RMzEt zD@dACP3HO`^5Q5&<&2Tz@W7lzi^GJ2xbw+E==`h7GwS~Q#da1_^IrSS96}$=(a1Js zB#a@;PeTi-!nLW?iKr&14u++QrUh$xAjXKwK4+kueh5W50)?d{LS-XC5>e(CnIC0m z1t`bK{C>;9u!}2{%S1N~4)v4nxA(6_z5_H|jwG>AkpdI!(e>ZSdcE8mH%!VNu#Fec z^4N)I$z%pRkjC)}NO3R8U}~*3Ih9Iv=42G=omL9ja%OT^sQXOBvTS=j5(|UB(2_o! zT%oZhzZGEXu|WJa@tgg@@TzMLn;F!d@YPiU1bO2=s(;oG-l}?IJ|o2mDg26)_}v8w z^6!p(50%=ZNSBHaub%R)(i+w|9p=Jo93_OCuByMjJ=U>@aX5f*Z1#CS?M(N34D!f@ z$$GvL5Vd9Q*h5X&&Sg6;d1%#)OzHNRVCn|!&nY+is?JddL-_bCsaR${j;xykOy3Qz zz0V}8oR70jE4vIRvjEo*Sxsuy<7KWzdy7cs+AfR1w&UaU-B0H7`u>KYmK6@CB*U2< zON*i(C()$3*!J)|Y`9&9QAJ3e#+SzQ?VB0(=dF_X?{h`;TlPI&n8q^Pr!STCXEbf+ z0oNNfed;Nf9VZ{hTc8pAP$Q61=sgdTufz0)=FvPMVaFQ+d4rBJ+ty)4u#Sgr=gtyg z!RQhFl%_-A@0d2dUCfxS9rLr6CzBkWM8YVMW1)fEBNjqcvYGXg_<>7S9=)K6s?^hIklUXU}8os~8 zG^&|rq7{@_Pta;IUx1vs<_Tl{K66-)#Qaq})!6S?KCNyO)vYC8SQHZk zk*xFfEL?!3qvl)rmNzd6^t`Y-PP=By(|sS4vS}I>jM%-`#~Pz%5ZE}? 
z+H#-yuV1#w&3hez-fMl`dpL!yh3Y$9*L%^lPCc9BLf-$8WcANLvYF|BIoKdj<%;Sq zz-rdj;wzXZok%!uc!ngz?4$qc>1+nAKgEHF1hjgD2781;(se)Y4pG<4c{MKw(y+)_ zv!Kd(3xpwZuXcAJr=#60)432Q!>jKtTgjw=`z!!Es7`DmIX@;7T$)F0pwz>J#dKtC zT)gENzoLMjzY?P}7k$z{=r|*?s*^W~_H?3DEjSrUgz7EF6BkY;3w2yXQABv+#X1;$ z)_J>p6;1;1B$;k>z7K!A2mbit=Wmpe1pF&EVKi&Aze>icjMLNH70_j+(CeDWH0+B) z26NQ~G8Mon$b-Ue2fXqpxB|9Z4+yTT$I0FMU(vwX5V9w;;xI-59xR&}d-kGBo z5{=VBhLA8!C}k$dPC@Y%yHJ}QjI&TEOMD9TWfH%c2hM&j0kK3%)@!AK!Y!#kRk4xy z_lACrKDG0qTONKz^*>k0*5)NAzh~hD5)`=;5x6@OR{hjTb}=4s@yd>2vPO-J7bIS% zGCXA8Klq^2LY+562`jBz*}HQVFaA*y3m*dP`S*)MA9j?};_9Y{470ViBK0ktUt0VO2DTi}75IFOQ*VO8Ld; zm|5wpxleS^8(@8`Y11elu>u_K`<5>_k`0vdnw|(#Xa`VOBq&s`iNG1cPc+Q&&R5rUCuDaN=y`J)@3F=O&M7O;Kd{R`SJx?vph+c1CzA9iZ zIZ_Cg$gkJmM#q7sEy|(GMLv(FU@hk*uJ2|AlP(*=YvXGVsfv}uqn>bFS}qc(nn%5d zy6#TBd!M*gt&8w)RnD8&w$MwH+9m+|XOZD9yOx%tS}cdFcIxbB8>ZHzwto01O_!GA z6QliiQx}b^+@$KRyVN2~O~Y%B4{NxUTCS+8)qiZtz6q8xUKeO?cOSF2&r_;TT8{_& zF+4U}krPj@ycF*1I_n}AAJ;3E(pOtMf#itYpOD8gcdAp^o;E9<+pHJc zAMqVe#gDB>mmhod_Fnilz1G1gI-M`6wkn|d{*MxTk0~A7?#isDw<{l54BpWwS2sMwe2-dwH`< zuS=IhQRG?ulsW_R+b%4i)lM8#EedE)Xk0{j>TFoabCr!~zqX2l@A6tmAgBA6(%jUp z(B{=VE@K~h&f7lV7>a!K(cNZ5?vTXRCR)*cseLZ@`|k9r6&JK8`ugX^+R#1HFh<>@ z<gy6!9vzWc3S*R0#$_GA1v%$D2g zDm5L;+uby%p7B?p9xc@zqA8VHj`GGD+vSsEcdBhAG|3uR^4U*BlC{JWnS4n+8K zFiJ27%U?_@0Wk*z?si1JeDZrr#Eru;9F?$2se!>7rH3EgBsHyjBZK5GkuNUmm|QV= zWNY?7^qMx7K0bm?DG&3vLr87W*IGiN*2Gre*KepHl}FyD{#W8Q_2*1 zxtIc!t7w5@7F<~YONqZox1|f`vT9eY7z}s`8I`0=FNlAf;K!Y%>&pfF6HE6C%w3-d zix4zx%PUj&>}m3B__GNG@Zrre9~}W@MB!Uk2Obzz1=yV0#UkWGge{q>o}G{ zFlNJ+(qIyeDYDc`0cjh;S?=?W?pPN`(LIzYB<$(7fCs2j>3nWI34vYngF`M|mrUUj z%PFt~yDbB`#x7<;CCW_V$=o!>C2tnUORM@rw-2AGRFP1{T7B?*zAV^v+$;mwXnzJJ zT&2dVsK~I|;PfGBaN|vb8_?vNatk{vM3)_E;s_gnD7Z@J`wF-_$SeDa5xi0un+o!# z>aj*z9l7jX$tUuwBAeBQTEsh{?&=R@_{7A>Iw?46+EuW)n_k#vkKUD8B_snQJ;dA= z2B%hdo(A+XMo@+LX! z^U`)^P(WY&&xD*~19H%X!Fb(Rqsdr+?=j%^=|42gmKPY1`6LWzx5BAe;#XwR9x~q? 
z)gUSDGGi-Mj(AbR14$K=^RKKC6)S1We8bg?6cOH3)my7E0z1TQ1ODh~e;!6jCl5a} zrmiTokQb+tMCY2Ir04*d>Ywe#L&S2`nbQ85WzQq*Wg@T`7}l}@bA^XERw)%irx<)s zCw@Z~jY90=^K{`QqH}5k4!LR;L@y{Sz36lB3M6I!eEKF8wA&^c;3%0?;ux{y93W=O zCcDIcJxAjOi=#=4o5#R3M(Yw-B2zztmnndir`dZV_Yuur|FjODz(U~A|1rliY5v>a zBJ2=VYhFyw%L})I&ffM*%tk)2deS#F6~)h&4evx3cXZT9eyszjw1W2GpJ-7|5LkwM$V0% ziB)L1ktbX&bk{`abTILfTdOhOFAGf%Wj=}>Am2Iy5@?P=TXthy2C5znu+UU3wqs;rJorceE6NqY~>)}$}K{< zx~k=Rr~3la+8~#e`)4~0y~lpt3tIvHaXg{+XGW*4@5PiZ&VJ>^J;u)7`liz;#M9J= z+y41=m$UliitZ3scXr2a^&#t^YN4mC`%8LX)oj17*v7r4PYf;QscCZO-X_=0$)2YQ z{NKy%_9CVhmlSwaPq%i$?3!b{OY&xcR!vp4(}MlJPy!CS45VdUvldX9>t)vqiRb6- zj&!v5aF?nV#`E3c^6Bu!%Jy~OUE%RYLY2mTKRIZpOTvc5@-(no9ShwB|j1Dsy%G z{dU$_b&THopDbb>y$6k!ZxWWE?&?X$SeB^o{~SyE&y2Ll*P)Dw6TsJBZ>slUp!6B= znh^9e?FY@k`+a{l(ueFjAQ-fBw-xZr2Fq^sEe;T0{{DsB{KEqGtU^^%D_~UHHX9)nU_4hwc*#mOc5|;g}etz3|eMbYV&C3%6>++$0=WuZl9{tf~^OAar^o246gP5k z6EPy+P_ebCChPGDsEc&B)~9y5y5GZo_b?ywjvqFa3>+^C=AL@>i{o?k2sGuI(>=nUi#yTVySl^TV7W ztE<}!6K$HErjaaD%4zckiA6x;CYH2k_QfmFZc84HrHN$}w;Gfr6I+qZWiqYPmr;?o z>rLI$=;b=X!bM5yp+wBtH_6dAsWq!#)tM+;7T2d9s=$P2mz+V=Z}Y7RA?`u)Qlp|3 z#75Q3Kw=f96ClBpIwX$Xx^dN6$4UsNRrmWk+*y30KIUju3@#3j(%aR7+Q)*oHNOn* z?h)ZTc{b8#zl!7U=)%y_c__I|%9kv)lLc}rdH;g+nNdBSh+m$$>556Uj0^Bogb&(_ zj*LPGJ3vC5qP(&h`Y(T)`NJ)N{jty{?KEP@kF8dJ_zJ!eZiHQ5{4{Vh9Y^TPP8yUc zEmD$Uf0sCuGVeJmbqGSMq(LUCi!1C@A(k1o$>UaF{!O7>c&;SYE-+OJ7lk+hR2G|N z3`~w5gn$%MxLI+Wm16#-4GXKs9lYGHQeQk`A(AcxU2tDw3&=ug__;~5k048_F(s5m zbha?-$_!Pe97$7}^b}B083ndnExvHS@od;7-XgPlr67g5_%lQ1AoI_XWBsamyh;_0 z2K=6(zL@?;= zyTukVaqMfeU=UT)&?1gqR2A78lsh={T%n#GJ~Rah`hr|#S==A0kHU^Pb+__jyTadL~`DExW>;uW+Otvj3SjT#u>15bXIb7i&cxjeYk-s#Xj66<$ zJHa9oCC+dK#eWkd;wHMs5kSZb-XiGqNnwy81MAuie&1zuoYrvNY`3|MH#X1loSOE$ zRv31E6$+sPMsJ?|d~xEoI!tu?B1DcL65>Cjj>7KCCceU1HF2>_19N+O|=7T-&#nnt%ANgsx-1J>TEo zogS-A3z4p~+uZDW%wsZ9$%bwy$$Y?5PdOy<~k2=t{B;Po$RmLxpU=QXtt>#*@3X*G}Qp!W`{Wp=~rIH8rRle+pt2>JH9S{~i5&W20Nd0%8VV@X^OrY&gg zhTc=>VNJY5yY?C%qynPMyy-lCVH&(@9rZ<`xxDAc(Z9J 
zns}+p-EO(wwCm;UU??FO^r=Fh)3GnxdRfiRare()`R}J3N6^Z@ck=BY)!mn_@Re@~ zIThU_goK)>fL!P52H6j}vuiaTx506`BuRSEp!$ijbLQ&NBw*WhDDow`<{GzCRL1-8 z{rK@?6CG2l{ux~s(6-xw@0-zf6G#3MD${oTdP+r4;2UDpeI;|4;Q9rPBK_!t%!}zh zdCV$ej`96`mV8~-Xx_#WzZxZPd5SanloCC){ctV)FdhA&0(yc>*gpI8<>5kDOjMFg=_{W?jQpv@bk%;t6qUJ;Rshoy4|8C-n8rpJGCG-h}!ejUT z6QhqOO~b{JD&P_0rvxHWmc^A?q#l9eGTe8i5(zr05mNcf=k;Sz4*$$+$}m$VQ0-}B z8(Vx8PA6kX{WC!k7Fo*o*K#zshmwE>4Dy@_Sf$kT?4r_?%PC;2E>e{4?PQ{z$biq@ zba`QSwC1?(06dgUYvGS@L%)3Ep3QU;CQ4rzk+(NNr!Ot5WP_Kk9;3|D*)^nBjG~3h zkov)c$1Y8m)Qid{CTWMG(k`}j?kTM~^NpEsO?T24i_}k2rK3BP_l>Z}2pMZ>05i6IotCb=;7hj^Z!vjqZs z5tbgNDb-wQ=Dd2LjmKtPL6R6a?mC3xA~Z|5W4{z+;fJ4IFO!ALuQ?hv=_W9kehEky zRO5xcK>bmC1cr5*TWN%n9r0i?qdG9?f(FgV8WCb}iO-3)dVt^g0$Sx;kVxWsXT>hl zCNQ@T$lv`P2N4B$NnwaPmM9pTjswG4D!0|JT1h@PQKXfNiw+@Q$E^uY4diA2>r|=J zSdO}VmWWU%#55>V#DDfuTy<|m2aM&mMa1j>W0gn!&0WzXq3*lJCFO{7VtO2{N@Dzz z^1JA>+ce6OsBU1~Xdor!dWf z=!qLPAQ4T7637&+^w%ewY3>wU3(7JT!L-<#fYfPJCLGGVOudr{t>7J2uJK|-?xGan zxcOcJLdN5ICIOxLo&m@N*}CgM6IyyXw>eAiOMwu)NRbmd%Xl$6rQ{(_K#QbIZdePI zajAZ>kc77;rdir>DWn+*1t=jqwXt|OLTKk-!Z1I=7r9{9Cq%6^v0+C`%S_gPS1qEz zY5a86+E&n*bi!0MA>&<$^M)&}vnf7WQcK4Xq+Jb3XUaDJx2dNPU2e`XDfnVFRztlp zf+xPupT}VR5RsI;WPa{Jjy6O=HHu|ATodUPtX`Gpo(?qIMoee=_foGi$ z+UdLHZivQyZ8Qtu99!`ff& z^=d4U!v9^ir@#c+oA_R3P5wXC%>dOH9cMfd;)yV#1<578qkIN_B!Kkb{Xkyt{ITp3 zM4&cM=BEO2iuY3#zVDSy!%Feke!^jCP6MFhLsk>e)R(1cwcT;mw9Vsn9>S(2q~m;# zQqG&?d9oTs?waYnh*;fV+j7+#rSiG&o&x&U6^hwi-gO(Y-g*0+0Ylq8Ny4SQ%(1z7 zaYPHZ)h?^$l&`pH?0s1Xb6@|NOW^Zq&E{>J6}a{KF}I=|{OS6ai_O=lAL+^F!=h6a zROmAGh{UlI{DsKfZ#?&*Yo_0wdcKPB_3FibqW4&iX6tTWQpW7K8A$$O99~sk>5t=Y zzQrIltC^NB>S&ml9*SaKgGTs3yD}-C4s_c*XF|6vf|L&7-aGJD+|Q$zx*MN61ddPG zcXZFU%5PQOTU)lYj*ExK=-1;p4P#YE7<65aXcv$C9CvrRGzk?STR30Z%g>hT_(|D* zVLz5ILwLpQ?R*b=bTaapg&6MYd*KQjGk z1uW5Bscf5cjs7^HcnPX+mfw1PsKdPWy?Ut(Wjhgt@w#8Z8LsfSnDbS7?y&p$ zi_q~ChOI2dD~Q(l%0~Smij?&H0<+l@OPznyC0tR~*LDgjCbN#wdn4_rKc=&h^=*zL zX3KXFJ&hwnr{?Ym2DJ8Q`y}K0G_$`&&)vL4NPSN0{en?VBCBn~o$CIcmVn6dIa9Pu 
zTHTS%UoWW~qlM%q=?3lYv*j{CEjy`sTx40t_Zh#b%2Qr5z%1Hb2iD+zWnz*WVzKnNJ4)JqN&|D-Uj6ifNa@8FrW(1#F4KL&ws>MJOMUcw?;(U z?!(mNB~{Rk4QA3S%gY_~vhfL6`}#uSe4j4enc(>5K9r#gl0P2yg&Xt~ISvP}&CZ*ys-iN_GVM3gyW;z6W=6*+jpHp!Yp z&TvGqqyY`>I=T2m-XvE?3^Qe=E;-A6kAXafioXjkla&7yX%D1xNch4Veqcx-EhZ}N znyWxqp%f|F7o?qs?c1YXV$-5eA?^8VHFHaggn(FEG&OTSS(tP?sf^>vd&}W8a`X?MDv` zLFGX@9sX1(kLXI}(+WkR659IXq&a^}v2V%4iW_Y89SYZ>ERsX1z50L@MmokWerd=h zJQ12NSVi(nd;cwlB&d2?vEY=(t|xuZjQ^PjAS$$4zDPd(p)QxMXTdG!sg*c{BBFZ9 zVu=)K&QJJPw^N~c@#o`3csxRicp)*3F(v?VY%9B zBQvT0g;{ba@i$FU*nNw(6J!l~TqUR6x6J zKkU=LTgJmvf&L8&$l(?wD*^n1D(^uQQ^YboJpqytHHq@hPrVQeKtw3N`*1x&Xl!RPM}3^ zqPQeRo4h*Xf5yH1=*T)diWk-(Uzd^=X~ z-Voq~=$A5tx z(Ktp^m_-Cfe(BT~{|!V`gBW&TJYnDyL<;X%2>Y(~vEU0{HSE0g)l^mHCuvr;Bv5INP>?w*;RP%KQ{vp>%r=L|WdBrMKsYM7uU3rj8wUIxOxNJ7bIbCr#@&7OH*EkG8rWj(NG;h$;G86AP zU|Roa{Yz$d*u#2|!F|$RZPTD;eZ{Z>^iuu01U{$zcm0Jx4j_4CkDZRiM_!jK^t4UI zrR1xEBFRFYY6!-Mkp_Y_^1$#uz()3S^|TCR=WE=@5UnOaiXd#a|OqwGn# zw&NGaBo4w%$G7#9qB)t<0vm1janWfnqlBdD_G*viCe;e z(N5P*YeMX6mt&Ve7+3bw^x*h<)$0wnMx3#20GE$R<+^UNZPyxTF?v1z8ZV~G;oKQh z-Lku>*T=G=`!oTtdMtav7uqvm29BFKPnw9j>D+v5Z-{!iGppDS{xS=O}zXHEP z61A!``{VjBx=F}hQX<>+S!qev_V%cG-DSRB8$xG4zt2YC-Lo!gEJLeJWj+1AV`bQS zGLw|29nlJ~eYSnbc_8>|NqNjQjh&-yr_)luJVK?t+^n2Zd)fr3HaP!zvCFZ}e!Ikl z0D67Yt!J*eTfaw!F8;li;uU+Y1>G^j_vc`hl_UH3hCGG_Pu9n*Ojfe81rjNY) zkIJt^9%W&q=;>kI5&>g%XDaxSYUH=S3ngASp}aV?SagH@J^fL@>jfa;v&}lh!n# z1>f1EVtz9U8Wq5_YLY-x>F1(YOKPvwU!?wr0z4R!AywT!t5OX{DNi5aCU6O5Qn!iF z$x9;Gje`C*N3!kj$-U@;3WpJiPi95&8`df^Suwj6hlooIuTvMxut*9)vN1tH(4G}7 zuO)Fsnv?b0-#U3#miz`Zv|ebTLGvVVMkxzw1w1MDdffV>m6)2+41HjeICHQU+Y*_G zwbVLJNX@sPSt!*ot#*2}lh+PoF_?% zI>rnB!muOKzc0&QkPtYM6_ao?%VQl(1Xhu=oz?<^mb`z67Yq0O7zWw||G?tbq$1~l zWG$59czh$<6h_9r89RzKw=hm6PXEX!sUL)%LlRLKg-z6#wkFbJ2fGvGrI+nY(^Vut zm4Mg_Ah=``EnwV&%;(-bJ?!f%oHD(TFcSA^Pg8#RG!u)-WtkPGM919$HqFiqVwIOL z4R&eVhEcNfIZhQ4L3k0$Mk*;5Mv-isnzu!v&o^W~y*m8vFQY8Le$m?_Qi--dF=;NL z_^6Sef|Sdvn5cM|hvE~*?JZmigrXF>wD=C+D86-P#$!i`o04ZmG4$YK{1?4|Po%J} 
z>LBv8%u26s!~m{U4Qd5PrIKV)LKs+XxHj4l8lo`Jr2xvAE(bxs*idF~61@L;n|_yK z^L@&BIRz<#BjDi_txb}^?vTb--M2b4_o#Tf>-XT`sg4Y^enBr;y%24fUIYl@?}(Jm zhSR84YZNv~bTfhkJSS4{Vf>hu5_^Wm^tiKTY|6RhH7L=d7c&!o3YSHZAh4I#*v(m$ zCT7JBGNpvKxg_EwSyZ0E?)k$-q48&!n{esFCKs=QZ;uxet7j)tY7>m$&q>uOLD$ig zYyo9XN!Bc=PSrAlN|#Ih19_3z4&&3!^k@6tP!LpJoBmupNiuNOBxGml8_|#ci(?i> z##0b14B=p0DEjdulD)|s<2MmRZP*qU%oN4soxaf>ts zS(S|`_&eGlyNim>;{;M z%*w9$7qxXBPubtcW}zVcuPRmHIq7gpqdeX3N62PHYD{*5B-k#jLo$1~vtJNwr-&EX zG=dU|K#z~xQYaO$7KrJI>?DVRb&5YFTJ(ZNIKQNg_hm9=&n_LP!0rrLOdHyb@#$4X zsQ3*J!@|6DgqYbm!DsYySBS)ZjDY<+t=yDR{QoO)F`U8Zm!skEte z6Nx3Yq-ovI5b>p1D452E&BhF| zN*IVIPHQZjx$uT%{W?kpi1}aK)nLMXn7JHrhGxW`Scc1vwaEWzO*!h(Tef(?G<0}y z?hH5)o5i6kBbxwClRf^sd?Nk8>br%S@ns@nZwEa&|DArG29xY|Tddvg03pLd#<54l z4y4==zURD?*MECP@<+i24`GIUL_h1^^qC~3206EUD5&CrZk`ZZaRE<79@l3VRjN9m z-udCo=Fv!M-jCt6bKkW$tTzS6l)cLg>d;F*g126>z)K8|tIK&=_mg6zE`ZxfjA*vY zM`oyPX8jtSsBZmS+G{a+f^AOgEQcn><8?*HGW~nEjwf&1Wkklc%lIwf`wRP7SUCov zlCND=_hG*0rSHXtZpFWq;yW8J)BUG#=STUiwS!>e>}xvD)0>7t`pr>-OV3luq;gf+ z%jORY+luVZ{d!59WnMM+!!BAG^yDwP#socE`$-M;47Kn53fvoS!(?qUR>tR5Eqb!Q zXdjrP4HpNeVTNgRhjR{+ue`=y#4vBmX#_rEnnbnzG&OuuCremwk=v!8)q`|0^n&U3m!>{wFhx}2V38GO$Ds`5IM zQ*rk^>9D_HnZj*7jQX^`*A7o#IKlAF zR(p=%;39lFzwkllV@Ujw%zX6u+ObQC zG`VVi+!=_Z>-~`}*$^3h8I8Eg&-Ky#_KDM?Ek&nx%Qnn?w@e$u>8E!8zx6dh6=dB6 znqFr9gaT12l4Tfn=d#ZRoC7FI(8%!$WZXj1k^aZQHrnQZ8cLYYt^VdjFdyghbbrpL z5`y%B9TrXFLh0u+sA-dmd|iG8o$_;1>lpCNskTM!O!1{+wCD526N{<2qQ~#ZtUu{; zqV$4(oa&PyxImUB@Dr1OdqIgOxif5+YrK39Vd3=9#^RuD)uE9vB%P8I9LAD2`YIYy z$l^^sTRfMUN^KxwBR#=71K%0>sSym8=sd39EQmNBpIfMCA&#R2DPl46o$O9vlKhz{ z3hFd3t$!vWk~{Qyka@getW*af*s^ut1lxjhI>R71ElGT*cre{(mazf8k8 zL1#FFBi%{v>bD`a0Kd#HDsw*DIo(M{iY7ZmyAD56Vp3K)1piKHRa z-?9N=2jyA(>~?MpBSj2AR)!CqzI+czb_e!S5A~1}JEPtomJJ4l5f_Cl*qFuWbwyP9 zVku)XiDaF{f;i0OPd?2Hguz!t0EXZn;EAv72~@=yi+{;Upz)j2!}pqJHC6}?5OjYJ zAy}_1mbK){lGJX;aJQ^1{RSBJNkfY#*%2*EkjoKD#Kryg$&@YZk8*bP}f0?p3ma%UcF*Ow}ulVP7~ft&OhJE%?aRSwdVfrnBeRB!B&@0 zaP1-P3Bm6!!#mosHHox%3}iAtZPp%T{#4B2R*VAfHduXQR$ 
z0n!koLK!RRk#3viavqtA;K$tjTrs5z%1o2EOuLESooo{pA>0mpk1b9x_`6uI^1DA- za2Wd}VTSy^!jDsJkUrq=af6hO1*%NtLB^_9Y#r^Y$+L=;xJh~)hK?ws^7_e283qG{?7_>xjQNL9@frKziBl*E{buZ^JYz|ud@87u* zvYetV$a#}~S4so|pN6i2=ze9Ll`d5H>-qjDIf0$26q7V;Y%ph!O{9G4pbI~1V6mR} z87dN+rl_f@O0G+{jS0D|p@4S7d~%q#>B@QFX#`8nI#t4i0;sBX*S^|*wUC0cUu^|` zEU_z3=SKnKhjESkZPkD0)0%u}sqd^vu*Kqt*wW-FD1gH$rG-iMXD|P=*Q}SYF1RT7 z&L3W4f|#eP-KH0PVPr!O9}yuR+0bBhyUkld+aMDuH}10V)@?+`#OzhvN@0W4Mc1QNiL5j z)Exvu1|0yN!FK?^QvJnYgYv3(0Oa4USIk}*fFb~&f8rz9&9T=v@~*2q!m1fH|GB+1;Bv$ba9) z2@zMTw?T&)ud+HEZ(ZF^Q`3NkjbK%_2JM`}yM!^Aw&6NDUZwW3 zS10Vn+x=$b1hZ_aB-WFTv*l&>{Mb0Tq^xU8q^FL~QSSKF>P7sFmd#s%3h|T9YutMB z$opdtAkWpN>&51LGvvbk#S_Z%RJ!|aliarRGAPOAd0c$ClC+A4M_4Dag4=axa7gz` z%R5VSTL<8@or(AIv3$+p>VEDA!Pfm8r@j4o3v~T-iQ2Y(Jc{eqENop@52d@`C3RHU zc%1%qE_xpI`6?-+T>P#TCN9* z%V7_bIiYMY%by=xju}W7A2)&LH13Bsr`C$pyg`*rKCiPm+40&2SkTFDKyX_M|aqW?so64*^9SVZYSqB}jp8!rKOoilxVhsmg9&#SvpJN0`#oDG= z6i}|w%i);8h6pB%vKo@9LmMM9OzNd9M#dZxulR*asyzjoRO!Ol*@r4KcjB_A?#R`3tBLT*zQrh79p`VV0Z$H2A)JhS&0N%qy>P3_ z59KBN62qp$BrqDMF-jF+T~ybCLlm)21kgY8`N5$~6biLdn^G8vmmq7zOqN7vloYt~ z9VW1pDSxcX`kVML-R%o+R@p15Y(k<^MQMVHjl@VM?->?yCXUoOba3J60s~pOc5j(U zMWVvgZjhk50mjG=uYct)vOlefgMa*%+E3o=2`8I1?vP!pP{+Rc&Od|5nEuQ>J)h5l zSS6|yl4``_IniTSyqiwe^K+6if-Irs$aubHiy~xFAwQ@P$7G13GBNK&Ny1d~b0R+{ zQ-y}{7Pr7nqr3@u94M0uDOYM$sVlG`!(Y`JUnu();92)pC`ppX%KM?Ha2LJ^5-y=kgW?9!psqC(a$=wMrVnt zS*6T(O2tFu6{1B6K8&g`wN7AS_V~CzW;aICs_lEL(GJEQ!1J03ex=w7OQg`W>0oq1P% zozTp5tO`OpxJZ`s4oz8ACB+b2FtGkP=jCOlZx#TkH}5XIx$hJYZO;SgiSZs3D+nsF zTKVRR9#z2a&b^cNf*bu~hbr_H;DRLzmkn9s<)4#_zHh_tIWIsES(!Ql7H-_HzpUCf z)Q$PQNZ3--Cv96;f5j2ACm>ln!x8H>VpJRC3$_>F5#uLa24Wn65=>Ljd{95Wn$a+w zrRFu&hY<@!B%A`|oAnPE+7^?zq}#vCoEcW?xN2bIIsTx#a1bc6zzHjp@h?mv3R(#m z=2$y_JPQ}Jv-x#khcE!ny7&OYgQ6QF|xBcW#&FBl!% zs5L`^-6`3SBo;r9I-DcsKSxP{U6UT5xisM`&bd3Gbt7-z*Q7|Zv@g0}3?a19pxZQz z7Pz#V2J-G5vQn7&f70Is_(ago4*A2j$s53ncEA3!KkH#g{L8n-!ixAo{*Biy27QrH zUXes%vAF|LXS%Nd0Q`=B=eq|%rcdBg?%wAM_|@+Qvkea=!b{yB*_%iaPtPaqmeX&8 
zl!TXwYj?*m1hpq9G59UI6zHX`0JS%N(Zxpy-;RUC#Vg;v{1x6)i;0F z8Me(fXpE+fwPV}fNt4F5?FNl)+qP}Hv2EMgF&gfZcYWV_&pE$bf55YzwdS6g>zdh& z(s$@Oe`@uHZpqHfym{Xs`Aef_Q@Q<9)3&E=LN|n8(g(cJ;M}^p?YyNmp&7#Ouqc}0 zf0g-o@>tTTvT-{YL74^EZWun>Ez{Duy(C2?wEyTR;`SKO%6uMxeeG}h(KcGf&GeEKHZR`LEq@)w<_!)IcQF{d5dd!%R4 zCwhq1>*fO4yCc16JYd-IYU|Y(3)hAGsmH^rb#GqnrN`|}4X9V-wo!p~)$sE$>rD)F{2<#6c&^e&B2Zaw^+cFyPy$!s_(>Y(T6`B&Mc z`Kt2~pw+rf(9`cdMCd?%HN@X?LGQNp*wen$0ZvUod3^va9ah-zUHJ}n`yANN>iQSS z83QCTJFwjCW9~jkjX4QBuCgpG82MaJc#l8a{w$`!;@ECC9aY!x6EnOlP48cQth{Z# zV=)R}giY|4KCkuj(z{HsSENMuYZkn2qYoCX3v zHbwdj`jj6O3V91TgnwQ3VVa`%wgM>WQvcN3`p?yF%sc1~V0+{?U8!M~yyVZa{qEEG zd<_Ubg$`DPKc8sCFtbj+^D|^CyRXW}OFR=!r4SOvUfNg0P#(WconFOEheDGxY_|)( z`3y3!F;}YHq@*mXHO6YIM{Fdhh+d?xAJq@e;>eUd$+&f-vlpL2s_T~jLq*Fnn=VYI zD7c3K_$kaTYtbb;5T`y3RhldxCTjUrjCEFge{H5v(gTgY$lh?}^Rm@3FA8HbBWQq(l#J4a8znfUqf|qA!4OUnl)~|L2tck`hKh5SqJo$EC5h){0 zIZOhg+CO!XIP&~JMjQ~-d5Mg5K^@YfAw!4Wp>1qWQ8kG4mmj32y zn~_&qYGKNUihK0KLx-3Xd&Vm5xi{8)kYRcD9(}&O3rT z(8AFKg~P<*70-l)p)_iHtrZj)v_KoP(sQwjoE6pMo>1ZSCdYo})R>yfLudme*BZk&S$2fx4tcPX7f4Kj7E1Gz_W(-$0?&`k0zy2it=qnFZ22 zwV5SLc&InSIzd=y#gOH&3obz!BD{Yt2b8`QN%!s%84!^oY~@yzj+qLbDyCjc#1H4# z1N7HQy+41fS3Io>mw+SFcvNvEj17h|Pv9G#odHv!D06&LsJ+H)*!KjNKuif@r*5TG z-1gGIXW5>G@?@#A0d&hrRSa3!{z7%hm#?s)Ri-Kx(N(!4YY21o31Q4LmAb6k!y_ai zct532L~zPxpbwp{^>BQa!p2aJEa69dg_CG4wohgw$sFdAbCdP)4iCPG8 zpqRJK_U!WJEtL1+^%m*X6lO{f`uT(g%Y7pe`H7VF8p`nXMv5)Wv@1)?yiFvdG90}` zMC$=NI>0f+$W>CI`9M6qh9D1DH`{1H4 zn6gyeh0AlXs49{O{?rdo4M1%V#V2R>Ka}x~6~ofVWBdPXlZSW^&{BfKu9Kiz|FTKV zORdW0f<9Q;t2%_tbP^T-*L$lNG#3{<@>rO^I4FdbyZ$3BEwn9GpvfxKRzkQ_f#0eL=Qn>QfM^z73> zjP6J8<$cj^*xKux>Uhg<)GF})VWZe`mbaSS>GrcZE> z>(0B}>R;k_^7%{Z^=iji!;t=jij1v#JS(ECe-Zo5nfWo=82EPV?gz5G)#U<>t3hd3 zJvV<@efXa^qqJI9I=uTI9pFA@__w?PUAu=)&d=A0yW_u~F!e41-zJCYI%J|f@^07J zo6WbpuQP0Qy5D1bcs2E2&#gbgBdXUuhiNWuQwo+{EB~-QzSMANJ6)D_TzE}w$Se!Q zXubz|ZFQu?seNX8g$!z`av$}T)NQ-y@$R)&ksIgm+Nhem6>W~kWVyYVPFvk=D z+}GAjZPTHjJ0Zkp7D~WP|jdE0sJ|Kg4J>fsSXMQ#RHRtW?N5B+5 
zge8+CN}9%u>_6(HYb4IY_JEk4kdJqdHuVuy3J@-~S&8y#LIDd#c?I@R>bkUlTbO>Xc{n9TK_Eo8T82P;(zNVZA-G)(D~VsJ*eO!YX*I`)G z_>y-C{RgdlD^UW~y>?vYm$xIUJm5v!&@&AQocZm{!~MiVKBMny*ZR?KOTeT~z@G;V&en*HnYE0ts~7C$rKq+-ib7C;X!vc!7$)mpxD zl!$KCG<%yrmx#fJL5CxQiXAUuhy^ty5hFJ596Nr~Y=eT(9JfE1UXsXGI-r8rnt5m0 z^p_ruM3{t|d!%^ZK;|lsIkuWYxko2Bvu?B);hB(-Bow=$$cC|^E=sd!v62aHn{alp z^+KbxirK%aVBc_hguSzO1&R#zK9WK!5`W+}(W;^pfkosWRN>gMyJbN3NZE=*lPRFO zG|FD8x2QHIT}i#MQ6c*3TF{&2EaGlakB*O|beE3$#}TaM3A>JRR0(QIpox z$%e|vP#XnlkY}AIziT;lZ#;?elQJe1;+kW<9vbvg`!$}{MTJ-6#8bj@q&#XZs~I!G$O2y8;3WgOU~Ir+-_v&i*({#3L%hrFvSM>{mNe* zG|Qzc;IsiG{qDRBk3-*-s?&|69tpk-4WV5|Nd8EAaAZK^UEK0j%aeC1PLQ>Mgtr)@ z34^N9S6d|`Y6};1f8a?nboKitDGfMjq;~O5+53rQ*csT&TIB1ijV#GMmijnon(%8S zEjRi;K$DXQ@#GK5b6A{`oebarNgB3ZVCnP;QCk(0X2sPQlRPhZ_$x3e9qEA$t5ClU za8wj_uw<9T)}MQ};6!a}-sLI#TbP=Nw@^Yhg;utmHtuJzrL(cHwXdbc!pUF0fd|NT zl^COrxl0XEXZ(2Q_Af_WaghoN3%A_*nWw0Y-!Lq5f;D1Osr1lI(|Q!LCz}VUhtbz^ ztT&aWoVa+BOq?oNS*zN?uA4@(ld*r(6(Fl(q}qB9PWD@oJ%x4%lkzYZW}{SDi2W6P z$X=gygNN<^U`fo^v%tKUOQ*CBefy&vSK<1zjcCzuj6rH-#Q_>kgsiU;RiE}-2Lmmp z*RO%}uuXy#_^RFT{pxYldR3oLyD!S|N~_si*nQe)v@MV<#AJ- zlIqwj(PWK%g-H_l8*!e=j_$f0i0FX=z&~~VieZ(e^K_1_#z)_$XzlgP>?smz;ALv1 zHIVy2F}w^3uqEVFVSm1Vs)3&wFun@4EE?GL1D+cYMjX>A>IG`YS&>ZCcJ$nh=Qd)K zl;Z6yg{Cs*OM(A)eAGn8xJ+XWyyZ+-{pS%QkOAIjnCtX_7y%O-K$61agTFs)!(Hdx z`h?mFfMK)Rj+j%);3NMn-}%^lE+u{_0_Aj{^SbUdT&6dztzT9fT6mu>^cS@(J1Vc& zF&G7$0nfwd)s3?TJ6+qhZ%Mq@(Net2fCmq+Wi1zvcK5Bj4}&D~7u2h|BR92x@ooFb z549?rIa^2{*l-am#bZJ(0tI)9JzY46%~caLuHKh=|6TjHqGF#$6VCK28qLcA1EV5zQ)U^fbw{2Caco<@~YG2QR8ikfMN~yH%4E>G|q=9 zsO`Nf2a#j_Ay*i+`)Nck>(Bn(M@C0i%M1WZt1H}g*sTpfxTS+o31SNr2BK! z8_-fNR{fM4h63<@d`j_t3OCAG)sNr?F!Wg0UInca)Uv3zMVxJQn}hlge^=18-MEc! 
zI_-9@UtP<2n#J&MXwx!*A`BnbO;g6q8wJN53bD@i@qF6Orkmn(8@th6 zGy1z%7pCj`2G-S%ij=B$5zC?^Q9KKKCc`{;0eAf4l*k1z?>7iCJn@W-y<$OR$KT;4`=wXNZ+h!GU~A<;}j zSSeS&RdCGo&XWQD8ErJ!*Q2BVfn~NZV3S~{(e$%r&HlYxoReh?S#SG~dzE${Do+#t zQMAojcRcD#xzaQV|7uop2L?wLtWojsJu*yMG9n4jpyc8Nv`q;mf9Pqu_{+zaZp-2U>HJb8 zP9#Ky0<;vw)9fi|^P)V6=hF#4V(Lxvh$Kk`;;;0GXjScb&#rS%#fl}26P1Bk5}WBe z`e_f`WxWp7B!9bTDlF2_V#(Lb%C+GQi@%1q^2_3=i$u-TD1xKjxdvoEmmC`4hy4Hvwiqle2d&a!7L1S?dKEMSD=c}xlB@q3F9 zPyLn4b973y*h^|urM+>V^gmM(!c~U)!jM2Pk2xqE64h|gn0|f$%0=T?6OoGud>pun z`yo1~Q9rWCZixOIhK3_Rx`badkaNMj;F$V%UsDbFkebZ zj|D7tiJru0a}MRHp!d1R_jE+X6U+pmZs9l@4=M9Zq6>LO$e8p}2MTcNuNqUVrpEjE zB}v$YNGnd^TZu4jwJY+r@p?bHH50c)zCNwNt+S-zXJd1cXgF3dd+(rOc?8xW2?MUo zSAcr4)B~?mONKg z#C#!TU|L3N611xN{hj1<;n&P2ZhFg^AKuB6m=#siEl(G%1HUJuF((|tK9+(Tx=1-|2yt`JpO)z zppX4vef_wqG4WjTc}%F`0^>aa&_&SDgW%EqKdo{>#C)(m7~t_l@WJ845eY=6A~H|2 zSZ$CO^lgHj@uwe6Hjzp;85NFHO*UD*O{CX|CyuP`qx;&oyUKMrTH>LILQ z@-{KwBIiSYEdc#8bN%Q6jysU79@o?0J{I6PE^q*RFQS4AsI$ESzOGzx>a~FiFytf- z5>WYGH@22Nrmb8L-cB2)e6I!oK6~-9=Y{8>kW2IJM(HCf<99t>=LdRP!iGcD1_7vM zO|v&Q%NOM1sg0+b>1e&PfyJZA&g*?tOJIC9Us2P0h(~ArTT^(WaD5|T<7J7M?YOMZ z#b}iKH~=AI`hpuv!1f&3#{G3^{JEog>) kQYMpt@H#bh2xAPvHh6^(64r0Hj^U z?rHOxDra+D6rI3%tw~!4pSrD^rnKAj=;hQ77EC_|cXV@tF7y~SJla0j!)@meTP9Su z)@`r0w1WnwvcPa@&mj(0$Mho9GDv{xWS z9%o{oLl!fTv(@A3q`wr0My=PK-WhQ7g&cO$?RBrEG_4}D_5-R4R+Z;*Cx(&g;s&8} zA0Rt^KWdHI@!Q7(V7}A`uyq~HRs(w72v2u&`|N`r8HjW6rz^RyZnJzkdaW5{cvIJR zr`DJ&GVf>Z12}wKyc|J4qW^&+Xg!m=45juT*a!Zli|J;#*J|{*)yyg85SgKg3A{vX z3wW$QjLQI@Cf*(>FPD8RheeOtNp(NwS$23~ft?uLW*^!2qd5$&$44qhfMz0>+YOLh zwE~{@{mwD$+gUTv+I?IjfIg?qV|CtE!=_@npWNGJk{Y(k`|NA~k7b#yvNgnsoN0cO z@q~FZVEw3;l$ZP1@VaO1)!1G1$}LrQ?FL3@62L0Q+vm79w|k9xsT_;VIlJqM;E5MC zr=t(h(+&o+gTWc^u+R4IoRC>#;B7HaJaFB?ZDbF{;elRr+x^d0drXQ4#Dgso5o6QG~WJWxoVhswNrk#~mDK zP#_X5@lvJB%;G^JhmKt;n~K3zhR)6ywTw`TLaH-jfiqJ&C?6)7YGQ~VyU#8_KqfO@ zjgcj=YvKCqL_hPK2W_xGNU~-arjCSF@P!2uEFf@_4F5z#w6uxVDKzz`PTbY0&T!;O((Ec&7cgDI z3MxsK_MiL2gjP*5d&T(9_lfQ 
z@x{NlP-(0;a3m71SDeaC=X=OU&D|1s)F<^bP9@qN9BcUdq)^6FCTtR1dDsWO&8gA( z%-?-Cn+?wBd7aK*@cHpA^jbuE#D!e2x?~*boWtaMHStZJ+>%ozR;ZBY?VTI*51N8{ z0|RZ=3Q3`&^#WGQW!(NgeJf?^>`HV$9s(v~3nDdxg?>*)5d=f(IGj=Fx%uB+2d%vY z-I;7G)E%P4FQH^V`1)P>QmmG(%hzQgGn0PoE@p>ASF-E~%l93Grk|btGQw`siZ-ql{>%wRqZA%oUi1+L9|1}5o_gxQ zwfi-|CD?y7$8n7$i*zGyjRe7`#N|<}1XFY__3}w!ZLQTt{=rYNvI_`AD6y5HBitr#Nu}J z1aa&J+H@G-;0uH_r(O1l%QYnyE?J;6{r5pA#G-86*c6FOVX;)UrO#Hfsga43JhQ(e z>qfakMU%+}H$?bL725t*4bVy(z;)0i6%fJT|C6M~`XN0;+wM+xaSR0qB0Cc-!9{dZ zWS`Bii27N)ja#d2xqXr~QD`@t+pi9;*O{i#yqF$DS6>pV1xiY27NP{qry< zdi9L!F05C(6}rzM=XzNRmOb8U(*nHvpv6mWm)@lLns;j>qx`mEl@1)X#vu){ERL%r zwI)ixCR_EFEIqzd_{&Y&=OLss2g~P>6=Bt0u&2$j8lDFtOd2vrw)2C|`_dY(IbJ6C zW1{N(Jk#q*NW?6n3L)k%SP{%D3wr-Z2YNnk;8kqY4Pf{&y~nSl@iGhFg}pwh@758h zYMXT)QvXE=2yo%m-wJBUx}Aa5Z)D)I{%G7LG}EhljJM6U-#YK0bGjL?xNO=LoA&y* z>V}x3Y16rB_79i0vuCk>;r1M$y5bPj^yqb+Fn;CbU_1f78Keb19N8byi*5H1s&hMB zshMeiNI9mBGiaYBH0%#Hpm^WxRHAtsJc2&3;x@U!ek@rJOY5TJ_(9So6;$d{!Nw1E%q_F?bC&fr?A< zasp5FPYGrc4cDuf4@N#6>#s*zK;WzYyl9W+Zs6C3tBs=OH}c;#4cnG39&+&4{q4ajnUqmJ4q&_PF`qRc zA2?0BoK%*g`RIU?gNXQF(!W?Ka%)lC_P|LoHaBoUGQ@vj@oRo?Vq#-N;nokoHuC*~e= zSTQQ~0BK({PP$AW+5Fa-o{2|a{gAmpOf-$rl%tGUcf!=|OGssX_Gm^uo{?dBzae#X z{(V<|l6X1%N&$U6*3;};Y`6rwm@PV@FyUB8J0(}_@)@iIQ8~L6OMId)VF9=3$uLWp zZgTFKjxII_Sw%XPnWcP-kr>%hUHUKFv2Y~iKXBN$*h$#^U*_N{uhkYK3$*kh}m0%+1GIyt6X($4-$$HdwYgZ>(E>zTKmbZW-j3dbFV_g@5apScyLV7yEGzTRLe% zdWaxid?U=5-xLlC{TRQAz>!9`=~&~23cJV}MS5}I=*xV9EJ``&{vwUR7ZwQSQ-cnh z_JYX8^OQl;qLPrX_{cSD7x87jI&yyt$?7_7zM&XoJz{)MINZ@uGGU2ajody&?Uk|F zsyGVPLs5eZ@**3fxegXX@*mNYNXjF21tJo+4axXW>zxronskgEhoW=AMrdCUvWyio z$b?aq<3mXl8m|;VTQ0Xbj7w-@6Tre1l=AV3WvjZkX-%=W-k0foq|YlafSJN0_>Y@u zs>MR^CT?z1#OTJ%(d4(Nw9X4?ohG)Wg#O5>!JZZV{>Cm-d;NiRd;tll&aATx(AdEv zx`;+HF(>o_T9n$g_sGCcT>z&@6Xjn!1&8txsz~8KbtzW=(gJs|wLMn+yf(1L!uQYe zj}33MwOV|Wee3P@Y|jvE7x|~>Z<}Ug#l@?vLWAGsIq-{kDv_yE?U7}X(yg`+S#WxS zS^3kb(2>7Tq(#r_e;4M(0L&(gZWD1&q2GDMT#}y?hyTG)b&6-_oJH8}Ev;z^WahAW zokTboAm!GD-MMX5b#nhU{aZ0ioa_*3wPmtaIWdEuQzL&NmEcj!Y5V{$tJxGL>$C9< 
zQ_Gk$GO9|G8RGuykX3jvrUe)T^dCvnI|j~dza2+3-%P%TM493GArJPHV!+CJKZE%t zAi!2Y4aW(xbUWJ0lv0Spf;9Kp@_@2h1jL&Q^=Rdw$$z8_=6IH*T6EmL@YF^~^LC2& z9&YuMhHZaFqB2`YS9r3hu_Eu)O+c2`Gn7G&DH1nb(miTweTMv~1>70~7T!h{6F?~J+k_aUxRXSBFRk+5R~NN6oaN<66<_j+dUS1wIz8+yhp zb|1m&rhizWyL5#q##lMj{(-q5=Q*T}-0F1VyYzp@+c6BJ(uv_IQ0d%fTgr3Q=Q5+^ zx+TI7yu$_|^C6zQ{n;%z_<2SB-H*y@uDGWQto>^9)M;e;ZhBM(=yCZsHvMsf^#s)a z(jmZZTcnlaeNo+@TTwbMi|Mjun4=cW14=SFyBm&quuu1 zgs|--M(*!BtL}!xhF`nSeuFn@A!mBe#i|znD+9lesZ$yMqla;t*p`OL=o`*s1!Yca zSkDC@I?H1w;uC`NmJ3Uqd>p|bfOqHi_v`&>dY7%uoU6O*kdi6yvf3dP5BXsmw-pX4 z?T*Ru%kk5+6rqZ2FtOvven)2Aa)jEY9r8_Y&~cW}Z8+l8%GHArLz{8Ha&xyB@aT_o zmJ`;cYis>E@{?`tfvMO<7rf_PQ(Fk<#{1EtZMKUY)t2W10ubX!z~!pBY4<9}THA3C znbw+LOWSm_M9tOVh0%uR?mlD7&GutXt7d^g3F!0WAJc_pCeF&Caox+hT!pLa4k`lB z-9MGrJiyg$8@%eijOOH2)x3RFBJ1%DL{DYAoGKjD^Lp0~c3*u)nXQf&t8rao`ZQfK z`@B8Z+rGc;-2}uegHQO~KZ675C<$MbZX7_x{c|1L(KR*idkE0ncL%Q(S5^=I#o&XK z^PV`RSD)^be;gk_Ea5qx*%?b1yFXZ;`J)chtyuu<1)p4aAFTEUJ5`pn69MH%CZ??n zM#CEPu@tRWr{%Uvj4x%LjCS=6VI^Ij_QPMpI6y#npz*RNE5?CbK38UiWG+z@Izt*x z*;UjUP}DV2FQ+j`tHxTDv=E2Fq1UTOFcS0Khwq$UDm7oZIG?PJMyV@Sj=qhwjWR*o zA0z=?^M9{ri=aphm5KW9yv71C+2D@cEr0vsT}MzjXy5dkJAe@TaZ)wSv^IRWKNy&( zg;7dp(aA%RtAMz?iq1lKs3Hu>S5iaHf-96H=?Nn=hd`_brOEa+sj}(XoA^4hQjk2} zIw^rhAOY~rh*X8>keL|iyD&D?7!C8MLx*VIj$s7HC*SWK|e8S2~o%Wu$0;(K}rTj-tY% zkR%nS)}U`E66wZ7p{ds_gk`c2;-|!cKY{x~Uz$Lm)bxe@LAFxQPElp~mqEwMW3F-^ zeYxGQlEd#o-$GT6&I2H_v)&4b;7{9=7@Qn@w+xEk>d$PGd$;XJDF2!C4i z!W2xM=91rJ*;z-1f`roUgy`)@%B%J^%PD4X1?R#UaBdhT>VCr494RX2;~G3`!ZWi7 z+oU$wCB{cUEYJj$Lu44M3#Hq1WI^x-R4T}Z33AGi>EMOD@BL-zV1|cxK(ie#)JBHJ z0rvhNwdbRHmB8A!Y_^<-j!Z$623~Uhw(Lug6co#53n@)d7PIQwE4~xPo6946(s`r2 z`xTC?^hto<%~MT_m%e}UxPPeAKA0A*&mG`MEE8~yIN5@6-n67jZd7Bdeb?L-TW|Mf z#Tjwh7(1e*3)LJ(cf37ax8k|GaWH*yqI$m07ep^)119_{WvU8VIrpL5X%iS>7F1^% zxOH@Ck--EE%>8>7_7QhG+2gguA1_UqMfpy8Bf}9Ol8an&ic7Y`c$7c#lNYCxfxRRW z1p!ZeD9NJ(CvUA9NBlHdPh$o`#tP`=t(Lt~Nc^1Zx%lJ?R=5w68lk>q+9imt3QI5g z7?*Aao);MA65(db7|gUHI8R7!TqlZ$mQ&>c+6hq>0e*;MpvV}NeR)Lldy8i5hjUXk 
zTmSl1eDVj1@pkA%RC&G2791dmO`AC*j5&IBnR~L5LMlodlMv0HWAsc=7GEuaXjj$l z#P(x9oci_rtOw)sqm?Io`y{{8xO2eI4X)(?sE;laRU_B5@Z5)@w>u!?@|&DzY4@BnYOhkraI%^L&1o zDy|@V|C9N+Wcu1gj!3~kEn1o)_XawSH3j4QyOYvG-nM-8(#A9Ij1WKL)dTzfdOQyM zn}0-GMFrAjn}d4ADd3BiDw?G@Vi)HT(2XP| zbO;ZIIl?&Wv||g3C=vs%EAe3>2XlwMi4}?9MI+1@ZydF0@=!k}I!{>k`5q_bI>(Lt zP=^iA2v3QSGnhrkl=<&?2V%fU8$=Xk03j`D%=E z1nfNT+gpnvU^=F^;kkJwSM{z{*k*AX{Z%2C<8ij67MP>szFw)-%zM~+cbOg`>H@Nc zoX)PF)0D%HT><*_lle-Q={iP*syL@ z+NuO`IaDYCvc1L=%B(eBC)@6_T@8C{7=W*9b8hQjI4@7O6E@DnqPF6adCgwdMmucy z9mih*>-!H?LmsgyaSm6WN27=wdWXx;l+KxL!{-+~yj~X(uU&1oMrsXMna@hmn=a$G z&-Y;f;bBIvS9*^YOum*YMfs0|AXxm4C%)S@JUt&%kPacY(dlZM+?BrbYBj{=2jc_a zUE5-+@;}?XVY*?Uf0Gc17KTOwO_o41ZnpYXe@(rYD<+l530H z&#PLi*Qf^@_mnj7U+$m?Q-Uq+^=`*Ui+N7&gEBm^9PqzGZeIRo zhs+EXpVhMV?U$0ym5x#1ZU6J{Ew>kloODi8UAOmg0^p{8npXR6Sq(w${mUaO@1&l0 zh+59vv4H&v2mq+Pm75aTdCE4)Svd(Kf9kjxkxS9sa=ZNdJX3_+>M>Zq=th}+UxFv+ zX8U%&C+8D` z11QHghfu3Ov{IEO>rPe-qS@Sy#Z`Y564@2Vbm{|zfMzj%Uz~^5#Ik`k4 zVWarM^6MMwa?#d;q zwkacxlgwvFWoe90AT`R1F@JJH06#I(Ws;2u@g6G#?jzNkPcq$0Y|~*V3-f#@LwZ# z37MLNZ^WOXGZN<~#hW9^0tdwWB2Fe15`i|%&f&PPCG#^*`g7LIL&uiszxf~rr7Lf@ zFlb`9BGalHg;$uW;3DYW$RskHVB;_7$cN&%p13=jmsvd+PCXUT?#(rWcPNbt-AhYF81(cR$Q8ZG!UfY$eBd+=lH$BP^3q+Qy7O z;s7goG+Ww+A-YCaX;iraV!(`@!hdQCYNvXP=nuq&g&osC!baZU_8TFMD z9Jk7K6ZKBX{_!bC^(_7m0IPA!k@y+klG1|~J1~O}ND@i*0|h0biVwbY!v#ZQ_(_(? 
z#C3V{|4Lxrs-TtZo*(tw6r@dUB~I47(be8p7ZM-n#q2W>ndHnJdbAO_^p5Zs-=-mF(HAB@?+7=DW$KQbnGtSZ66AKL?pM zvQ|9EmiWC`Fi*AiRCeQN1}2_frLQh0NOY5?(xAz46_9vn$cYz_s7nHET&nC$rK9Ks zIlXckoNiH}BFTnlPCxi`8<=g`Rz$bOs^k`5s1@ZMXW^7yWs}$l@4&(U1!L~`+r9uP zs7bes{K%eMc}{H7xMIw$m0^Hs@g&!X%~!k@YKXm|`hMPZtD*7#RiHn$XmG5cK7tce42u0d`76K7+;$&!47iTmWg*Pr~C3VH}0SLpQ93+{Q1h+moE^#UIf z>e#+Nft6|S+jfSMY#=&1fQ~ozAscn)CMh3@o-{Z`80hv!%EbzCntAIPc|Nsy_4#@6?n$?2u8Z=M45I!5>YyoKCYjfD zzFNN8c+QnIB&%D8;oYKw5C~mA)>K~qHGn-Cy(SoPQf#{pVuy1$z1u*=z#fkl@^Y%L zd_Joll=wYRBtbo|Z->#|gQN{_>sQ+zh`4oe)A6WuJ$Q|B31Z@Y3eYiDT{ z_B%0U8XG06eoKtO=aSzKL7vE1APx>FjbEYx~ zv+qM#b+!0W*?|}ijGz_XfElX_(O>p@Wn!0-ZHw|=Ya8Fd;_ z*6m{OV;a!emOrzZ8g7(vN;Dh&1Nu8 zZf&eRO(Ju8zx6)*bWgAUK8j1RZCXEmAD`|tT%GvZv!lj+3aa3Ae-_KYe>t1i;=F2g zMm}EflHI;4%Tnc8@s@kGGpsnWAL$n}ae19w+j}3CIvv-N0^3}v`1V+(T!yZwJXv>d z8?g$g+my`ad0cvd;#1x)#-QXHZMQ$upZAWt?XEB@_zRU8^%ggM-f3IB_GdT=Kd$%5 z8BjiI@BasQ2Wvj?!lVzuSESuRVB;U5Lo>kE7u&ePwa^34Iw~`m?G2yqv$q^TAz1oo zeeGawf94<_Ytg6i*EK-(`nzRE3Zb*L=<$#4Q78isE_)}$i3L`3Ek;vIw^E^8KASRr z4C{8ki=+N@++o~(4j8*I`%b~!Nl^qV>Ee>CI0J~bRR7jC16*q44LZQDHqpi2_?KF$ zog!Uf{HJs_gd!yQGfI$p>?B*RYP3uGYIV+~3%~A{Aq-|r6@1hSx3B$Wf}6@XmVdL- ziHq{lbtO@S6BB>rZvr&P<>qc-RA?=oDx!+dtn3QeAav{$xG|PBP?j3Hlk1I<8)Cmi zMq-N}(jKB|H(TPP7kiBAZkKAA!jqqQ#qFLUH)7aB5Ct5HU(ZS+*uqpfrxCi__}xFi zFc<$SMUW&d#z2)K4IMx0`c{O*VzHl49Z*OcI;sTC*~)!7^NJR$23c`gghDl zRmDlgq72(RRH)(i;$FGYl$g5_$y8jea-OwppsiL zV0hcAP%mmEoFY+0h74H`h-n$d(KIirsKZx1QA{r!28+w?7w; z#P-v2E+Dg*rcR?$mMXD;i;8e1>u)%gkh1eSMo>DLy-lnTtbIuq)nE43y|b=ry2VIm zm=iJ>88HejGqMlcWgmyVORSF{1s_)r+dR*~oHn!sJjfKROSyD#d#QvSWLU<*tNtnh zaX&2zk2DFyPkC&zzuL>|?S9vl1kqx&l8V@2`XeYLp*U)|SWTlrZ?|L?vj^8@(hxiT zWvW9jD)t%$`G(Iz(y3n;{A_@LDZDU4Xo{vP#M3EVusEP)Qm#IT&5fO{QedB>D%YS9 z?JZrg|EoSl7E&dD24Mr77$j&zXFPE4GVQ$vv7|7t?O29Gufua-Q9CB%e19f1Gt)6A zVv?>CQg<)fa+0^F2tFFDl#@6 zq{n7utNn%wW6GjaxX7k|%?yJv>_?shLBAhHd7&%5*K^U5ctYYRlrZuj~; zW+wMvD$W&Nz$ok_s&Dc66g{9Qn@+?jNFq7xJ za7>ibs%d9A$GF19ru{hVAQD+%-8;K>O9S?@tEqWsM%jL}rTm6H$2{ipnf(RtaB$8> 
z+i3VmH^tg@ShGwjSpb0#-0g1Q{6aZyb-lVqS?uF^I&TIxJY2lgJd5m)nVr_#Up`ZP z>Us}3Xe_c}+S>N*)agEbr$pR6>AY)$-OK6g(L8M8U&7{VpU|%oi^jr^g0Q5u;ntitPJ#iHbLFm2k|oy6dnU%xTGY#*u-nOPmY>{|)fP4pxkJ^J)2SD-(MM8YyVr z!*W}YfEP$+X&q&?ta)zz%CO#fB!}2+5j?I{CBFf2L#^0@KMAjO zBd`v9uId&T(x1a)$iWk&$V{B!YQIUo;fR*tF%Geqcu`%eBbQi$I8x|P*SYA9P7)&r zVUpDA|F%KqKTcfe`~KAly&IFrPyd^t^93&vhUP3;OtEH3P3hE-OBN3swn7G$QAyoY z-iowWy~=prt~iaZd0o6xG@ix;J3JKQykImyGU7e@)o08xLp=JIFxs_XBPEE4pM@ z5Zv9}26vsGz3ZGhRsYRA6+Tzo6=1OJ_Vjm(Ju}5;8#g!!IOJNJ5OU_WYS8=sC3OmiBJKW%;*!Z+EmUBNS znLF5VRhc3A!{Y;f%=@&3G_(-G`Oe2wnzWU#t3D5vDKe0zU=KTjsnB*<{!KH$NDhf9 zM8wlcyoF1~Q7?o^El=49B#g&YUxAwJJxX2U9;lGkVaPp4MR0ZXfVo5BOwz*uIZYgh>$YBn>a*7W+rYmdei5rhXqJNWKw8UevCOR*5-GflSVVi;#M! zvUr!=SI*)e@DDG@1Uz3goI_o_tTCcQIJo6-$xy6fj?ybAX&mM`jpGb+DmeiS`1FcI zXFTsS5Dr0efvoX!5CRF+E<}RE2n8+9NlUt&0byk(aMu1nLxu4VoJ8pX)Jq06(wh@$Cd6Jc*mi2(Q#-cdlcMsyE-gTBH#rKh(yl0yBF)Uv&r(>-$e)+ zN-w2#4sy%+_)&Ky;GKM!+x?c)2zc*YO@xifygPMEuOw0jgqOCiJ7yDJBp>Ir-R(HM z=>VlZmwGomR!P-b22=GtR!1Ir0mul}KL48U;fcFC?v97p=p(1{V{bNgS>I<1TedEh z+`^A@wn>^Fh~}yqtJxksytlhUXs+MN?gqt)rm}poT4&=o1+rZi6});o*DJ9%y+_X4 zKkPQWUI68wCV@hJ?(^iw4z(1!DFR*IuiJOMPTS*`dBy$Y61&z*;#$i4V-((#u-lm9 zck3k{t1jQU;8yF-9k;hFyE7-(;Qb>wuW44Unp^xFzB_OO5nRMG-XMn+jaicuX{eB z^XPOR|5V$4TUygN`S+QB)!(S^!u`p_=i{Wn+-kh-&aGpXU?pDyXncR)yn1tC)^Tn@!qTkQI98dB* zT=r+V*wI_&67{SxAM*mPbYXkE-fcSp_PbqA+nxu7k!Hk?{~gW(n5zEk3IAsnO*Is@Qgw^&etQ`OU#Za| zyI{bLAuo^{eVbu{Ea~LUB)IxbkvNgLJ_SFx*^-V%w75tTmZavNPTPPRyy@3ks(V8v zXq?*2QwdSr~Dt1$( z*{6xV6L9<7`69<02@|ANVQlpHZ7Eqa!sZE{Z(6dghm6sYi@q`0&q{OBmqE7*cajXf z&3~#RCpc(u7c5S=KFCZx)zF9y4ag<5RHK|HWe04~s2W@PgXuB%ZC85ogp}Pt%8?pw z1Ro+{K2TUl&B||Om?__UU7xpFQl5P?wLx~Y>5q0xKBhvA;G02G>;uv|bYjw`oVYcG z87GXb+njE=jETQcCHOLnw-E*c3;gU%6AltA<|G^~ekxPr+QTq3y_V?-`q8KiPcF+0 zLG_n9CRx^t$Usvqjw3#3^U*5<87a>8=`T^p=475|8f02wqYzCn>$8okBpKwMevRUt z^H5Ytrtiv2NpXMG8i&pus;0%7>{Uz82HHr0%=iBh(qtYzW!C?=!QlUOgTJWPzqvq^ zlPprp$yRjY;8H`%-+$q3B2P)oeKGbjh)N@E)GJ%~*rgNmh0JZ2mY5be#zPEM_<9Ka 
zRLCjW#!E1;{OU2;Xbn*vH0g9y+L^D$2)hV9GUz$W`N8#b`o-1(Ro@5%Pa&?XN>@GI8IH>N`@85Nx;!_r_9 zl@qnQ(8BVxAl!?7s4KEXMmJ`oU-j9LRc7diP+^~4mni|m5}5GXT@6_YL~O`5lTVWH zMU&U^v#}8`x&@s=(Ff5t8AolS zD#%k!dJ^T@=%bJlioq<6a+V8ZD0W4|t`)WZq|BNU^z5>^j3{$nd#lQG^N{0Z6omTScTbc6q{Sz#KA%2io?a^3|;&x-PxtUb%nFUqR*~nDHQ;wX#g9 z%XO!v9vz^pxjd!n_1yX+(R;*mnZ820>9}swKV^yTBAEH;^4FSGoEQkKzZR%1^WAO6 zMpOpS0I&BWLB9lPgake)!C&FGH9l)PZP%__2wOLwS}2|bp1QMxTN#jbn|wh)u61vI zmXWDX8KdH_?dGSyPic3pHKEv>E!$B%v4Hzv4x(rKenmCgr(@*TyN z>f!EPIhp-~)dlK2WDe(e=_YL-U&^R41YKomcG`ul;{OX0orJQXtZYxak{Eu4<^9eh)rcIy-!?$1R5Z_#1+FHwvlc^OYf z+P!hhR{bKIqAm6ZbrO@b9DVZ5kVP{D* z`biFioZ_#X^-Haab+-n7-KEC-=+xbKGqWGfWssr@YMi9i3nNo)MiD7lS4~>k_7dEQ zJ zaRNdtGuiNP!d&hOL*{Y)qA2qyLY;rX)x|&D!taEunERD9dH+neVL2*FN6VWlUH2eM zWV^=OQ+DZ0$YX35z=a);|6>+Fdl8%FSXG($V2MqFkM_Fx9x4Q{5F&@MYFv8yEL@*? zm=U~|CRIjfI@eXeTg_^yl3;G2!B&wX&KE@YpqvsqDH~6>?k9tI+nqsZy5g%nnkd4Y z`Y+{8RXS$B!S4w_`=84mv&v6|k16x4zsdu$cm_ogY$b)ihv-q|io__eAQCsdgY%VJ z&)bb_Vx?@p6L5q%F4+IVgbK|!g@pBixH^Jm-eVTVii|7@N~IAjt(Mmqq_Hxdp`no} zNSaG0;JqxZbCzvN_g!=3lysJ8+Dqq7r7ndVC}8eZ9IE=(E-VZ-7btPzj~?jYNE=oV z^;>1MEpjQTK=cVdyg+-jGbk!8NJFXfLCCf&YD2an5hXGa*ypa2ryWivMBkJc2dzM@ zScOcMzdi*>brCs<Vu#ic*n5A;v!f zCdwaQagvi=jp*eW%eKg>7cQmGN_2ncnmkC?kV6$U7Q@CYjeBhDzH%~1(VHa&7bFY~ zDQLrn%O0H{wFb`C4i!O)gFgr(3eLl)Hk1E%)9T@B&GUXJvuds=CjjqNk9@TJ@k%I)ybvvn^A)Kf6?Lw z0>r1qZF8d$)ZuvM9A*Qgbvqvk^!lH?TBON2B z%1k9jH)ToYO$pNUKcF#M<~RB2iogRJot02;S4HdL9_Kf8N&ZM~TtLyuyP*>%5*($g z3!x&8Sw6s?2~Ngo1fq|*ORDWV&w#1_DEl!l889$mNHyc_!-^{k!Btp3sYxDp*S2+9 zVn{ezP(LXKg?*Oa z>DT6fSJ(Z$OJ>!}QOvZqh0!a#7DKxbMdyNpS5Nz=NzcbZ2{F}(>lJ9HW4rfpAcQhw z{;~k8=3DmHHqBiP;Iu;HskC(_rJCOTW5*_iH}tir|C%ON;yM#~_id?t*W`s(Ut#|3Cweb=RCi6n}u{t`R+N0W%{?gMS zwD zI_KHbnkDyV)!z>u1?a~uGih7BkH^oh&chZr~jH0S#10z{-;7(myv!cK;}!ui^bjwY{*;=Sd83crg>HYIQd+qfPSPXel7JW{F z72pKDq<+QdMZd!yR`*A>nv2%`Ej|=@oVz9tKtC}xh=a%dQ95-kjVO%@^9YnhV0+F> zP0n}Ct4L9Eq(rJ$FS1Eu2ByrHyPqVLtBVk(MBw7c=Jk*$Bw!yP_{pm}rccsDbH+wFcq%;ZQ|KjH~ouyWH_SC8To)I8lwNMI1)4{I$V^{jO zeZ@_iy@^ 
zLs4jhb*P+55)g;dwz|HvZon4WqW#ng(PXtj|pnC zP8xI~rYK8I1(>X59dL#Xtm~-TO#H4W%l*09UYx=54cTPvq5#+3vYzYI9)linB>NZR zuZ5q`Jfm|pWrszI62|KC!KKQEYCnD2t)KB$E&P60sh5k|q||yWa*7$E#^1%oGe0oz zw47~<8GHVA(In*Yp9uXKAF?Gr3wp0E=`CVd76@AL%~zhDz@`wGd^fXb$?Uz$Elvk1 z)kGSI0nP5{;PRlWu-Zi0tvp%hmLmYGx$JMqx zNnfx&a+#*F@;fIR^v6&W{E4qc#h|rBl~DwxCgTIGX23{=y@P88I~r8G9w0j2tUX1; zA;Tqux5^9+o)X!&HPMu8y-_EPR-c!UNLX)J8@9Tt+fQqj&RT{h!PbG+YyyHVVTs8S!VqF|=^_Jasd<_%nu)l=ALz(K>+ z99x0<$Cz!EtV_-JmeqJ__%eSLEi^l@d_TwU*v@U{b6`j`WFv?lL5K^V=pIl! z)0RstGH0{=WmT}$9>=<`(Gy9}hcN|AlJi9On# z<>k!?6~DVS-%8O?1ib-b0H5NYf#3gnJ)^L0gN}`u>~jxmAf7ZHliXgWA9-@z`citm zP(WO}MnjZNt;B&O=$Uu;3Ge7l)NMCB&&Hd8Nx&x>sE;b33mXLdtS9D=O2p_ge!fZl z6d!iVQ0P5=>h1LIcM-pAJ$iCeZ#y};VT=8EewlM+_^|B1KYO$FI!qF`s;qgcXdJ*$ zXX>^bS=OrrJe4Gu>3w>(Hg9vbI&Bt~()QeUqIkQw-I?k6JWpW8emrJQaf@G1Z%ZWq zUF^oc)ay$3+`caw&UqtV)V)8WR?92ZZapOK0gNsKnqBr|MtU7ygR#B$kAs~+f4l5; zKf=dGhwztsy$65y@;}&kUtFAG7cQ0C)!4^-bho^rDat`Ia6cwX*WAI5&P6^S|vq+GV{!z4qx%yIZG@4Ppx$-vqphtP?ix>nF1zZ|<#xZX57s`e(jl4>zvy z=xnJ%r2;@Dw)fL|KJE|E@aqJPUgACzT&8o0xY^xLD6xS)ll0S7 zrL7Ptr+ug!e`nHdh z0ToLnuC=!Fu0@VsrS+5H>|8FO8Q^6Td)e{Q+kT|*(epe3GoG`3$62F$p(z#av*{BP zg}CWT-)C3*31LHSdE0(J8u@()er|Ns0Ks+J3G`hSqgRI~TE&cr2L2T?V@t~ zPLG}8IrseUu$ep%$|eU8UtQ&}u+%h^>E%US>w(+JHb70nvI-l8TR%bW^p;0_F~y>k z8qzy37U2qvG$wyUx-&T{H4f9}0PzI|8~dd9qx$a*axLk59(d!a3Kp0q)%nYoBYt!GUCd%Y7Ysq_{+3fO0;rS}Ns{5k z%UAwoJ#jivT{+5{AL@(xh*>ej6s-&n@z^FQ*CM9SVuDTSV&LaVN{-Bx^Hh4vNdnhD zfl?5U_NHUPnMRGNJ}4AG-0o1w%lbP{K9r?f*oQaZxnOKb%E*-c@K>|%pG%x%&FF{f z)3z~2R?#8CRvzj~8#Xf>BiIY%hr0YG@G_||=mv1O9+?>T{=IdTLF&8Ja*{WL)(BKu zzCOk{Ga7|?AQfik9Da+I>x`8W;)0u2pJ=5Sx5q zFYUCJc<i|lhpIeJs;u0-PB^_>i zQ%G)acqqc!DTX1!nDRO{HHn(Y>$J${(HLSdFxe$2nwfr2+&7~NX_H?xvKM34(`VHG z+FF?se6UOy3PoicKNf6>7|$UpYK-t(2%V3&dhqI25DnCCfx}iw6f8NsVNJHW7%qYq z;X+!Bd{nLu{;2}{ykdrEX$`$8j9rzG!W)KeNA^Njx%rJ*bf}uquyD#Go}$r9*`9MM z`dYSzgiA;6J7pQT;AWi47Z-DQR=si!(&dMrXbBnO3;HY$P2gM~L$fl1ZAY`W)}*sn zyKgMg8M)V5(rrv0WSr*yxlT7WwnPpt>xLrn&;2H3e+t7HiP5eatV9Rht3z!YZ55X~ 
z3ah&L1xN)I>Mm6lf1#7bK55m9mJ&7up>4dVQgG!1m!K>%`X3k1j=fop~_*oU5?kakesA5bWV%sx6jNCk{xI(ecHw zR1=1dYc&Z!Wzd5?(eK42=;hC<#-hWEVzK zCZy*Zg=Vb-XE<#t&8esmF=Bk^YIXy3qBy~Fo1pm88w`G*iGfS)=1e@X%_}fZuEkX( z-Nw%#88JeSWW&WIMX_4_Swx#ngVNv1x5V0s>g4JyY&e9^Sg175A7sN5gCsXrsPS}H zbns~VPO<+3*YW}WsDv{uSl^+-;OA9cN;))2OHq`gF#T6*tW1AfN{?LHB+93%7A?|W z(%f;xBi9`GYdOBnU%}jRgD<=rqU&^2OA%6KlU$2{@3|v>)sOOphlpCzQTK86aqfHe zsx~j$b0N@!wx}=)YA{09<_R@iAJ)HXf57t#MG9rp6iR{JYdIiYm`^%LlmzBzuww`z zca~*6jJ7D`o>|%vaCFJ48g#R(B_3E4VK`w@E&MZ-%Z!81J3?!(X&I+3E9harE$L=A zr*_x>b^%1ZF!hL_WRf+Y6{tE_M6zBUQ|2Q7o-$7q(?|r3h{FXIDT^82oikfA_#+U7 zI+Kt^i8fw};4~(|+4$+BE~}c_#7tCWEu3CtaK@2@GV4xsF$%3i23G^uCRjKm>z;=K z;SPsokGh?Qh7AbLzVGNbexV#jdPYf)K4XY+u+B%`pNu=x`Vmo_R5~QgVec{@Qsrxv z^D@Db>v6;~?R}I!&3l*L3TUBNypt>Vgv|wfz8Td&odIeDuIuMNKVFFuA(^rQB;FzK z0fl{EzX%m&^1cN77h444iqd%*+BU}qjcpx!?QC`S_iIYgcmb6TjDMx(^vz>2jRUSi}h$PC|P-tsb1NR*!MNk}>!{a=l@D_b6Mlo#{wx zSoz=6V3)TVI=1`uw$l9DA7b3Cjdt94e(FWnyv!EM^^LzG#Eg8w5IFC`eoxjK1J(ha z(}Ate1JIctFSD<5J=O0RJ$oxah7_&$zDayMBW_6ju&To5b=MeUw^>J&TLCxQcj`4$Tsto|n;~mpu5#5ObI(n``Vqd<}g#U=` z1W|i|O!{e3SFJe5b$B(;19~@fXRv|Jqn~E-ZumS)uK3V7+cMV&&DPRoi}g*iVN;8FqJMJ`lrEMK{mE z`6RjB_Jr z!rb!6zrN+O?B2DDyy+t6{U*L#llbwKNFw|hss+0G3;KeRZ~(i%s*lWA5OJsv&d2oM z7PE;`SrFvS=?2Xp-DzNouiys?%r&S1lzDwR528Yyrn=VNi-cdAdjuq&7SDhfJxKk2 zcWG6ojv+D)pu(P@TiE68T1=>}@hRn;p^iBus}^ce9Rk(OM_eb+#A;S((U^uh!iZ-- zs5fmFPIS!-la2N1Unba1<3`ddB&9oL$WQyfPno`hE4m2F-VZ1eR=8e3KU#)!1B`Ax*3(D2Uzi;AewI zYQ8shGR#C8PC+5PzKG78U1fubI9i64IX$JiCi^3|jsxqlbblF#>uG*}XWgWyQ5REc ze9UjvsKSA;?9;$+Ga1!D@p;g}>wbxzQ$CcO%s5?yA1e#r5*6yx{&)rkV;OL z-j7fa`RIalPVI_7?c7=HO@7~RAWarA+J@9-t~O%Q&O8Sv2>YMwI8Oqc2_WaVu|p4h zWP>(#r?Vx;*hkyhjN&%IY_lnAaUf^t#q7L zh=LWnDWB$vH~kSwOLCdw;b_DBi{Ne|C@C(dgkAUFyDpZzU_T~OrEJznKHQE$*J!!0 z+j5|JA2m?p-(BALDF3IaH?(aIqIt{=^TR;PVCEM@GSzi(8;FSc1VXH4CCfFi()|!g z3tfdD`1&Q=ISuO5XKXySy=`UI@48i^DXzzmHkt8utBzh7K5uqtKg3IW{7M6^hA6WV@_6^4A2Zi{(&V)Dxg z3h`xL@el(SJ#kiE=0c-vmg!g_7@AS56(SNT;{m2Kqeb>nw?a_QH|8*~L4nVB6)gHw 
z%)%-(?VouwviG}!X{SMAdk$$!z}-64>kO%w<=13Gc|1AK_9kTK#_FxQV0CEcjXXRb z@vs7a>tHrU9{NK|jP>|Gb?i>xYSM8@tbNy*e*6$gVJkbfq$@~)5ZcUH{{Q6{G^`&M zz#so^_W5!ZJG33m(9veTv?c(eP z4JFI|XU~a=PZzMCoc_ z7jjkS`P@^__pvHFcjaAtT)Sn%79rKcYf@)P%X_;-C<6e~eeuf2fkO^)+PvD1b`|EM=o3GPw`cUdp?~A|Qap!B|KB3&&1n(^G>GK&i{w@PhRn)=g7y%Dq z%X@chab3&(l7nS_4G++SJdxXd=F8nZZofX*`?^dH*dq|LVSQO-!=Kb`J6|ruN7i{i zSQ-~-2Qv6#)3!YhR)gI3K)vapJdok%^!s~j><~X9$bTqhx<`)ree_U(ar(Nf?;4eX z2DC4D`Q^6)R=*&gr~3jIxONWLpjj|FI?&5b_?7n7c+d+q=MMg?`wr&gAKxA~+l7dByaugj zs75=golmlC1M3bnUf}f5Y)q0)R}N#yRQC)!*ZyuAge5p>P%;5mEUVgR)vRd*Yhw-b zN`s`eY;pZ@?L**`k<;Bg4^7Q6=Ck=!9IOK@F==f$h)~ zm)jgt0owA`s7ISFz%VjO%-KooyMibdY0m=b={GS;Rkp*oY(WXa*>hFqIL>(<=hhz; z-9i>HY2GEwz~s}SDLfZBvrLs(=5E@g`iOlr+`R+ZTu&E``-Dg1vD;0JO)bTgx?vOY zz`sLeameTK<@Mup!PRJEza(YxBd(?Gq#&Z7 z!Y#reT$gL6tCc&%2W{Iq3Dg`-z0!!A9XBmcTH*}yPh3Qb`HC|pW=zXcwrtiUp_`?% zGnTr23BOgYhF_9+D^U)`b44N56hM(*7cSu6P~hd|J<5@?6S}K=<$$`z0ey1BAdQNP zqpL56|Fu_TFk`*4l9zqf@0Y}za{t~*oUj#S!%1o*TN}7xpmjUnQ5uVBL*-$2 zgvkV|5>;r38da421onIkxIF2|ld(PbMd46fhUtVxCx;*+r2v89VO7qndsQQjRWxb> z^D4W>?xw2o3D7<*-cy|(V$O2SHdPE$DTi$oJ;4e?zUQU_syv3QmRM-}P% zxDfhsRbA9d?rl7+l>t44pTnq-qdLVD%vZ#Z+1PRS)4sqN;FdU~#>0>R(nIbT%5&;$ zwSQy!$xJ}Ihc@+AxCEcvrfO6cPd_i?fk^NP0dbM)my5&C*<$aCv?e%o;o`9H0L^rb z1?RXwKLgi9vu1@o%K8eT;-c2SJ52`tEM}KiJ1hB}Mi4;3PmjOR2hm7J&muNU#9TGE z`XeC26MWG+_i!zLF8jbKks!L|r{=#u60NYPZHeWs2Xh;fRV6H=JL^L*f9qG%gGMyx z=x>IkB~b=LG|y+4$t6{~?XgaD#EcHl!&d^N3C`M95=BZXaO0 zch)gF2=UXRhy4BFy13-k>?ta(nH;di5gm&WaXdTC`bV@cu*<;{vP^+3FEIp+$-2S>?gxJ>>JcIvEe1Bz9IcGsQ^4^b=rMO zl-}Lz+$)C5;A4B!E#YRF?NR-O?QNQ;Hi_3c5^%#dz2$w3nLN(^IcO@^v&nNHbiLBO z>4M^Axji`5P}>fCFpFI~4@Xe_ZpZ0%@jEv6^VOCEaCBz%1h6>vS;w~XoL=|J@_b@) z(|tkjJf?R8S1VK7at&zO-8!$zv<7h&*<9ZTN4jzBWvXrojOIEYx{PSIt9tbALg)It zL`HA2^W3(6xTvi#+Nr)s%}|aT+Vg6 z?#6d}46@aFc=(E!78|SG@&dR2H*kEV1G`LvR{Cx-NnRVE+WmY`jRIPQ%zQtAdW{5gCOPU(5v{c-P1H zyu8VMH>+v8#sj|CUAV^kY>43dT&yWwO?-T2mfF6wALn*BMXnQ-^YxrqUl-K&EFi5M zv?s^-+&&$XdtJ7^lu&NjBeV_5YZ%@1JTW}|l?)8NUmB)1)A@uvUfR9Y!q#vsoFv+y 
zS||3ttTT)0QsQxIr;O#jn&rT*cE29Dpa&oc?5xxh`M|wg)Ix=R!}m1_HK|!W1}<~( z7K2&O5P%K`@O!Q!^>2g#8F)M!?g%UHV?5^Vj|Mc^^PmarDKF8jr}Rc_g6p-(Ctj^i z$M$U~D~=verlQr5Uf0L&5{Typw9N~G%~}51zQJrteBiAub|H)G|bm0PwXu#FqV|-`xFHd z8S6jHCdc1wb>1V&wBHZBk=%x?bNrNAC!@cU;~Q#Z<=CfDK#I)7HCwDWUQ}R>Rp|GF zYm2v&4K|TNg;y!ybml-(WG4v5{A){~2~RJfub+RVVz$ZyONyL)OdB))Y0y#|<>?W2 z>hW9@k0XL|KBn3818ZZlpQ}g%}Tj)R7wMD zvaC|dP064{HD%KrR?E$(c!?)HgZ#n@mM~8sXetRg1XZe*V2%1DoCagdKo&}izb++j z7W|St%@`X^RljZ^U5%qXOB(T?)INbKA4)V0+24HX-Z4L4bViRnGx zOm|t0ev4{NlKY>)>K8r0t{Rdu7&jRoIktN%nsx^)A=mS!_oH?5xK&rstqkPtp13^&>I#%W`{kw51G=nX|2qrUI}T~4+B0SVFkBU z-$n7Og`aPMp$4`_cTpk{2q~brTi3eG~~%T7RWXIY-C-Z+rC`AK6SPMF3A zCUb8gJ`2&it-Nyk_e#a1aD_l6=!fHnVxbru5fcS0y4}5%z9izFL{Uf;*JvAmdZHBi z4B~)7VdCU`)OHug96^+&? zR0f2!Q8^EWw2dNe2!F@RV*l2R3TT8e~T8AhG{m2CL?{A`B$ zBs|XYDw9#+`hHk9r2PCT3P1tWnjGMsHmfGOH7LWKmb2YRgu}APb@2l}ixR zdH)XTVbt{z@x0wWWBag6zNTO^Ut`@YHL)D1o>UO+1#ccer}<#UlLBRuv6psn{@1Um z1%IV;!AWE8WS*?tt3Xv<29?R2C`jYMe7?Wd#-4apeKuUbZg_`2qQ5! z&3)*$uVQma+6b);=cz-O^t%+nK|5I=QbEY(w8~4{I*oHfV%Iu{6GaBqf}zuf<^7r} z?s%vqw}_d0V!YF#tnX!z#lIYO(GKhk!3_e8_jJ7qwYM(5p9+|lp-GH_nROg9U!g51 zr8Dwdc9-CI<^Z$zN)F`=z!g-XB-{bx&XP*lus_vhy(TE#&wE#o(?Ff;p(|dDt3D#NCP2@+b^3Hw3s29j z=NrAR>9I&EAg%rVH4%F?_QQ8%bE@~Ow7PIpE$3s46kGRh?8*ZKJl4g)FJTV4C3rM7Lm z4%_b+W>e3XnyH@$;sU*g*VVpmcf&)3F+2tzEYYngJO^0EZwI<^+c73zW77I}jgrrI z*;IOZ-#fm7U=0tV??!$I-K?##*bbcH~6eByHy}GMh zhv9xoeh+}z^qpSk_4}nvZBEBnp=>bJN@9b^Wpb)u_>B90l z${ZG{u&)4LTc2_^oWFv-_a@lqj!`b@IA3D1KMbqqRXr@9-ffq3)IJ5<_A?$Hw}6gs zcgNKpJCJ<{ZoY?2sax)bF9^fa+aEKRZ#5}z(Kc`rv#j2}@f)m+uRFv!k2s!7vS&7$VLB6@el^tO7po;;8!D z!OiCkRt(n{R&nz}RSt;K4o>S6BnWeDG=51CTINv+zfo7-ZBs1PNeSJnG6@ois<23w zG|E`o2pBr3l-?qimTc533B?Qr&r*!1M*5epl4^O0k)bJKxswF7ZS7^!G0yzp*QX7w zHt8>IS+G0KKDZq5>V9xYC7HwSHo%LfRbUvQMy1?G(Oh z#GM?IQBPj*w^5}7I+iSDI$X92k}q?B9}hGdJ8ywp8(G{(ajHDcX!{epP}!9``ZrKP>eY>&!AensA3D29Ywu}m12=oYz9MAm>Ix{fd)VJ#l7;CTW$r|^l03UtleyGHdUB?VS#^9 zO%t?wtvRpHeQWXciNkphpJbHl}|nl#LgST^oN0>vfPI=}m5L&k7He7gHi6FqP-dj8g}pPbS6+NITh 
zFoi44WuXV1(HG!GFZ6c>`@AN-6@$2ce6g*CNLM-6$KqBCih00R=I}fcS~oMk+v`kN z`0=%C%9Zw)%|-`GX4i2EFpYiG2*yfK>!F)3DWx^>jGDwT^WZ>2^HfTop;0@lu++=1 z*TedB?9S!){n0O(uAoS)VaD`KOQ2hC%6RKWJ5<~Nd7jFT9xz`P$7 z9z&HF4(;@yJjH^E#xfOy`y;NXF2Vegf{HECuA9SX6g-t^-wjcwAiIwy8N&lw1x2Sh z9e;JZg>El$)Wu%9Mz3Gnr+?;AYEY5SysEkwtC3CE4N8Uij^xrY*OwlshEa?(&Xhg zFMd<-oVSMB>P1T^B$)k^WJ5d z<=joI3*aFtoKPl!CImnq^($U4avu)ncVCurK5Etv>NCh2;``of;`i@gC)hYb-=akA z_X@9bGjrS6(3cB!ajF4}fu)-bRyUsrwcD=CH$rw%2%pE(fcEQ^WE9@+(6*zvQehfk^(eCIW6!&~q28%b}cwKiB|OQW~kh5Ky(@Q>G6b60P@2af;a>g>J0tu1%> z%0JDYd#i5wkLb@2j$iy0>*j@LK`Wi};322(e#;4KH-Q80JnhWA&tKWH-rS&f`H$B5 z{h$7nZ=){_Zn$IrbPa+6zJ6$Nm*%1iw4cfk6sRw}{rV<9K5UiWzJBiQi*MULzu{rq z@As#l)4$jw7_1Y&e64!!F%Nz5>zj{={o}9wfY@vs?}hOmd+vDm4XZ5$|JmihKkVB( z;N(MFS0A%lHFFm$AN0t=wN5zd8;_3)&wXu0DGtP|A3uAURc_xxzZ=-)Ys1@54_3Rb z^7vjy?)ngUAh4t4jGjN>j?`O|{c3r}5o5VYy(`4_+YeeUt6>`ULg^s$oe$KAH&u?`Rk-R~*WCH})6i{? zqMkYG#uaMYtoGSE_uce_$Fxg!Iq&)-7QUE2Jo?&~zOwk|+wXVMqF1xtD&A|qd1kds zU%)1R9bCEdAupZw+v0SC>yPov!?pgjb@1WV|2y&j6WIT4UjO;A*oWai^|aiozt4d3 zPcZ+fF$J(D^QmCb=m+LM!oQsV^J(Ni7@scD0NL1w;6LKh=zsE2YDKA9ORF+I=!6ss zOs53{O!8e!Y!*z7$`e6q_`ysT%caN_q|uW467IlyujEjODoB&80!!7wD9`9tr;N{l zRzICui}%j6+>t?zwhJs*h$3y*vO# z00tF3R;f|a2K{gnFokS8ilmN=sx_^_^=G|~H)}C*Gt=&{aIezLB^)Q19W5mYFCWAb zFldEjQ7;oHQXc9q?YE#xrCk)Qnrlrenyc1x*xYH^P@O{J0qPGtE7ncBD%k@en&mMK zh_Swfto9(^SbPz-BGPHrt{eV zXg37pqwybZG!$Fil9Tku4H6B#Q6Cw4u`Nyc5UkQft%0?0!gg})!muP6BH2};*cjE3 zX+jHdmjbGB!^)__w3@36bU!580>tv3)oAnOCSRyHmBJ9BY_XO4w%*FlknD`cGhU{s z2!shrbOXR@)sisGu%HuTYSwWuZN{*zo;=aYevpm_a|=>nrx}`q1XV8LjF?p*TbAjF zuAmdNDg#DIC$XN^8cp4VL)=!&8;Wyb$F!#kC&PS@n`*Q=@$vA5s=j!@L)})$E!&+Gxr%{Gv8XVmcXF@Cfzuf_RAzpK9ZspUUQv)%kB{}GmE z{trLE%{JqeJd^{xPRB0}CK8uacoX!=#4)N$+#bN4I-iyrR4xPc`;7`ITT`EEDXE|| zTXadS&f1wS&8Yz(x4nWM^ms;@G$J>IMLfztnTS*+nyD!bww*)8hAob#Zf-KAhCHHn z+zjr6o`|>%RUZL(q)v;Oyig9tp_r_)ulOjWA;3_|9tKBA@ZH)p~GiInx>u7c)do=+U zn5k0r8Iqn%a!n54D(FDSbX=wI5&FNymBAAJll^b|ztMWDmb1EZ`;@^ZDjnsCCWbXp zfbT|B(aI_c77fRlaov^*tX`7%a#}R9#c9KHLtF;c5??PF3M_`WQp0_uU(FZ=way4S 
zFw~XCG|#E-EMJ8vM39nJNlO~($gVhD$%F7r(^Dq>wjBGe%;OoU#39{4f+(-)^Nh>^ zbxtR#Zl}z#LtZo*y{cf4OFf?P9%SrNrWWg^BFDaS81;q=38V0 zfCNPhRh(_}1P6{0Y1XANw&GUmZBrXLp>Fp3_|!3Mp;c!Fh)7gWrrm`s1*U2fx*~^w ztr26X!DgMLhUdF-D{Z+5Ru+h+%Y?m2JB~Ws%vB~Wno!LW$C%NK7*r?^3-s8n`X6Z& z+dS%-M?LeXXCC#;qn>%x^S{Gjh{8UR{0E<}|9u?xUjCD;Pd0KlSV% zUby-4pWL#o`ne;O%a8x;Ip0bzqMrO-#!vUW>5+?8Uw^RcT?@85WVH?M`02@4=Ubfz z*ZAgUH-6*MHO~0Pw~s5Wcv|OiQJh|fTZ|%9&YG2=~I(t)%$Y)p2y|N?n{I?%{ z@~_+P`io!R_4P$7oVL<+_w0S-p0oX{JFoGL)^E1`ynEYh`#XNPt+N7s$OXi1o%LtC zpXD^)KL0C!-Z74Tv*xO=9)IBa-`aM))7h_sovZ)0dgBeZzxs_;HrXmsA!eJyM}K(mr1LJ`Kl$sA;rR^M)&b&mr3JOA*Q(hg<%h0~fZj;(0*12fOw zt8cr(pAXI~zr~x&jQ6_#{Iz#p?)X>F+*-YZ*yoVVp4F7kJl#9%%jI8Rc*Z&3+Tp67 z#pctMGp|~2M?gH}!Q*n9h;LrH*N?Zqwa2v5MciefYa`!na81WzZm9O~jitCzpoV?T3>mOGv{Or+{Kiv9%C;or(`oGQ3|M__A z!|)%ilooQIy7@n-z_eq58KiDH`V8EkXe$*?1Pp~ODQqu4^-J*}$hhiIZ|M*DsF+xI^`lqN4^AdZ>adAEPLUYD}Zq5og(m zg1d+Zy9hVS40=czsR4RD*T(Hqst}-*{tV>ijG-U&SrH)Mh!;6z`*PG z*u0vIFq#~ev{E*k>$O3%2my7t)1B}XHt`!l7R?kwe1;L_N>i=ScFK%gyT+tVu|2EB z-WcbH#j3_*az6DuJkEqOxe90)Yoyl*DlwBC-!auaAwret@(*W;no9ygsyr{yPgRQbQ$|BY8iMh2VL|Gdk8 z;7=d_S*q>k@BC+}=KqwYmQmKlQOg8sB#brSe4gv0I-CZLphiuZK3zhreyiPtn#?_1=(xb_sWC)oWFav#r6FWjYnL9CuDrf_Y!bgCSIU?Jqk**IXrX8CtuSX({ z*+}&yv)rKBI@xnXo$5+@&)~CM-1QrP+?-^qZ4-q9rfKIruTU#juq=`FGC2yeF$Hvz zCK-ej?^)#z*aflBtj+Bh<7T&zoi-pEAo*G@lZ6`*Zh!dxZ~w@D{_pgEt8`jqE{edC zVu6Mh&Ewl&OPC!@5c7KA2 z3Jg`TFp;c&O)3?MjvFFM7|bkr0_NN0utI_?AWw5eSk9DNL2I0^%1}ep^RQga_u!!v zd97|EN9EM4R5VOA*Dj(RykNroC@~;9pJb|o3P6Trw(oR%Ek8d>)O?NRn+;kS7n{j+ zY@4K( z5h*QI=@O6AYC~h`c~~?Li{@d`JS>`rMf0%ef2Y9^g?}RX4>4c=`#9{q{O80YHoW}b z&wnU{SmFe8e)9qN5B^{H5Ag}$KNN-#AWl-qN1Fe$P+RVXI~IOnzuNKJgQsu2$;A%| zpa0%t=xqXb%T2&ZFFe5PbmNKH z-|o0zjpxq$`dzjB_s@It9<^}af|bv^Vb|TRx#N%PJbS{rM}K$m@1^G+zwnUD(5=$x z%|F}ofb};1fvWHFX!PuwTm4ny7Xllqds4H~1#8~_Rpc^bvwbhwxw+o8+rM<$Q^y@W z_{lk|zp&CtF?imiuO9H&em|K0+J5?ileg5BBd>T_{_{0&@BPS@rOPk-e)0GCkqbAw zZvVB*Upz)%>(On$cG-qUzdSka_Vb_q)o;yLo`g>tiqb`6=ZRna+FWo@<=cm!dFZ*j 
z6?ZPkJHBZD_0Pys@Sm1>=)y<-ocn4n_lR=!(}zFwS#8->j@8B8|Lkt%9e!c)yAQpz z=Pif+`g`?9o>-B7tbX=k8?6L?F?aR>FKj7pckAAX>xp+PyWkJ>C0}3tVdz-CyvOvc z>L!1B_{Y@h?KKy^lK;wv8~o(rE3T;R{}uf>ti~;pggw9a*iBA+X!*|Vp1k9RL$7nk zhrY7B^s6<|7k_X>a=i*&`RLszNrRQt8xQ*Ig=hSEw%v)#6s}uz_}=0Qi+_0VL8t6C zdHd>>S6%V(dpoVOk6-ohgRZ=N@=W2->skDl&{_WIC<@TLPykO3B84~0R&jp zl31FoVyj!WTmvDNY)h8pD%+Ap%_g*j5_%6kKf5%)U-)Wj| zEi-63g{~~|09PmTdBtkVf#KjW)JidYWVkLh?sFnpQSEB7mu>bklV%DkV2ohpyOX}t zGFog#z?(*o1{ygRvD1)MnUqv8h2|mU84JNmYtU zWuq1Q)p|A}J;25KdB_R~lhJ61&ITEcP0>QY2E71R(N<~#B?ge_LP5Tofrnr*=`|aD zXJQ3zT|n?i1#Ckqe>wicCd=(I$fXT;JUus*O40;pmnt%C_uHg6Mv^tBg(w}hT92DN zrn+*fhOl`U_OeMcAd5hZhoKsZ$pBJRjnqNE<;F#lXY!qXC$!30BJQ=c2AfK?Nwi0H zhRkph_7Yy-@}z1#FQ0-BbV9a$8Q zgaW3JVu^M8NJ45M85c;Wn08j{xaPo*VmNSnS=gzPDL-eUjix#o#j(jd$#Bf|f|`k^ z4U&mzvKo!LXf0wx903LnsM~UbA;h%NMs?Y;Gok~28UFLB_1~Pb&}n>zi~YY9NBn^Q zpx-|Jvrya3Kl#tX^#9SQZbeh;wv_4vVu^QzNtkGKGYLU+YK$QbJyvzQSlLP?oMwk7 zb$L+N%%)8dVso5_JGi2Uz9qFGu!d*=8Rd{xk7E--qREz8MQRcw^-ON)1Og-k*{QFC zU|-~5Gs!l)I9HJ~h#Nu%KV3v-wu*KEitM5W=c-MO^b(UnLyOZqn8pe@Y2b7+D$_Ty zp&XS%)av6#3TnwYxQQtGbfAP>X~=hhVvJz;K+BdoEf(w*l|;GA)-lD+_bnR6Skbh* zS+&4%I%PG&d<{z#+%cTA_`xWfP9>WLfXEJq>T%iWvkk-aO-?dH#_uD&2{sfdHJ77@ z4k!&EqRvTSo$gZs!kevFZdQtgRz1@OhANuX{IG|Pyf0q=?O*bL7N-7Nrljw#7GpnXhR3+3D1Mj zurD{78O2WM8D;2F9krb64P&>1i8Kwu=`yHN&A!%;C5CCFI)<*h2G7Qg_(QJnl1%el>(HKm-xv z)q=b>>JkOF;nQgbgFQ;G2<^biTjOzyDpg@e8_Gjp#p`w@UyQQ$pyUxFPMPl2bgHMI z;6Tb2&8VEK7i(XtKIaVQnc+M$oM(pf%y6C=&hx*{5SSvqiTr2g`R}jBKFNQs8Fqzl z0RN!~l0*rL`aJnR#K-s#`StT39D>p5n{xuEz7+qt_>%eCD@*=xdmlcjHJH7Zwi!aM zWiR_^?`3uU*YM|0oI5|a)_1PGd;ZRc{ou}@zI4xeYk%+I%2v*AULEpJyvg77w7zk3 z$wBMsJ(gZ)mqm8_%?2;&d$05BX!cV_O!uQ-{rUYzyL0Nz<8s7xn;935?!IeA}bO9kz6UH<~N{O5W~I%loVDcvJo_}(Af6Xm=>4m!lJFgz! 
z_&Awbb1~<%3(eC<_$k-Dd*$})-uB~j?_A;ex%4@Q;_qmSOZ&3x7an}={rT*fPrbWW zUDOXj?*SKr|LpbJW5iys9)9#)1!ndo>~8blar)m$oLD->*pYubb?xSNzv}Jx`z?O@ zr}e+H(+lQ_qLZ@0m;CLiCvIFh|33Rj;rQFHSatSUOWa4_ zu-oHHo~5zH>*t}TZ5?<&UvjzQPsUe1a@A)Vt83DG-&?A-+a>!ydgytlp8L*P!FEqR z_$TMeSvOnjT=^`wOYMnA=-F2BdmAmH|MC}4KmT0$4deA+y>!jHKX_2eZF2oZ_g*^h z@~gHht@-vA4}+!ZiRZlXi1fro@7{33PHVpZ-6vmsYq-k6KN?^8GJ{_Ji`%cO{^a;) z_PA)N>hAa6y2ANSzBFeSu5kwoc{yO z1fHe?GPU&$p5P;A(77uiwHoW1;hZtcB_S zGZI^T!4|Aaspu>HAt?fSoX=*;UA+t<>0-T5sjDrY3rW5dPBbY?vRcw?#TFZ%{5$<2IN9VpwUES(ht{N;#RSnS@HL`aLY<<7;&l+3u7xny@glV;4y=Sc zXz~=E#g%ck-Ev7cC?#4tK&0txWt?p~9nkLzdeXC%N`WIYl^z>&IZl_dh+-x~-wsk5 ziMLxJnu6M(lWeZ4rmv0R>dprb_4JD$&YhO1f(d0-e)FTDlaP=&)EXb&=ty z8j)35swZU;(^My|30ZCd+;JPA)dA`u8K>p(K&gbOT*iRgmc_*SATRO-s8unUp=cU; zd-|8PVIHhTy-I|R;eIB|w?(As#uT3#Flx8EcE^DotcOwk&sAB&~7TlvCu|DX=>z zm7qyr4&Z{Im$DR*%-1d5Op=yC3@E{2ls?^uabQ%fSQMOa`&Op~N)ZDqHcdHUX;SnX zT2sSXwjWBF1nnmXA)gC_gw>E+tlAYjom8zQ#egM}b*{!`6T(ORf7F!1lApzYf{*x* zXwYt#;X+_x^L;+J*m{Cmo+mz-U%( zoJhr>x;qag^aB3ZCag?*VH zU<0hcb=*Re80V{`l5GH8r8vUCaKgERT&Jq^pkdWDhi*2X>e42s;0EM`5Gr9DkrA9E z-zRG*NG2wBGnXridR+v37)?Y;v(wBpYmQa)P@S5vuF}q&xDK%CX!2*J0Vzci-Rhy3ObODGMVP?4qpw zYHiCy-*|S*^Q|XW|1omS&h{+*0^pR3HVA(87igbw_Ut*#dC@!Jn!msD!rS*?xdRTw z<}Gsnf88;6+0pJhZE=mV^DA53_hfg!dDoI_t&+ZDL-_3nPPlHL!=Fp8c{cGhczt!x zwSM-(;;YVj`kBO<$1J+ZHGTL;C%t&e!Si1@?%l^$yko;R)=B@Zz4rl&{%P60o_;Lhhqn_Dq@fUA6y`4V) zym`x=@vOacY3J8>owds3+NFM6zG|60FMV*W!PV=oyI1~=`U{WF|K0LSoD{ z4}SiFjpm-)EHD1nOS?XU)*j3ye!tA`wq9?URrZ{_`}gizCQ}`+c>0C!^nNUCu=yJ6 z%+((|ZRe++yP!y2_tarmtn&P_yQLm)?ACnm@yRmVKL35;vZLkRk#C&+a`o*SE}Ptu zSULx7zy6XZZ}Tv)#UFP$fBDs4*sE~sFWx?&L0){p4F|A#*E=CM>*d1^+O~85!-xI? 
zxa<$ws|P-G|LWVV_iSla@Ws~uhyMR-=08dFhb9~z^dyZs$nfG|FIW_|FAuNC=R*ybUA4SE1T#6 znQ|4wN>QyV4=784aMjbARm|Y`^)dZaC z0Diu})dfCZ)KhVkA!&SMRPjL;DUGU8U8u`es+UL&amLmHQZ0*U)rL!rs0c%GB&Jg} z7wD&xqSf^$$+Rt&g`{4CNjt+?wp<|s+nNls8FCQDs*mX@OCfp4Pl{}i>Y;MI80m7k z4@_5rS$ER)PRh^{q)GOh*|6T}4J@KpAx42%3!SmpMlj#S%~YnBubWL=K=CN%S9$PG&$7_sdRUB-XltH+S(v(PQ zek?>BKLkP0nDFyRlIo_Lii;tfSSxm_V6IyO9k^2qE1Xyi2%K*ZMhZ(c^OHJN zrN>|c)D@tYN9}4h*+@8UP1KEq*YN#>(+<0$gT_)HhYT8SW}8mJ>Qxx4oa;=CAZb<{ zp)t%UZNmUMV0r?wPFiX!RX6~1Bulm#xI>uQ#4%_vmo67L3zc1x0El2?uw6jPeO_W+TBS(2) z*0H5(SZ$7Yp-;hCwC^Z(W0;S|N;xP27Bgy%O9~}SkLTnjV7q5kn`9SZE9CSfn`SMa zYNp*N#f!dM4yU75W)sN(*U7epkGhTzFy*{MCo4?DsrNmbClD!{Xw(voqFN3{Jq7j5 zB;q-Z4lSr7LID%1RBY#Ms5%|=z~gxgC~M(}DOLGI8v2O;cuHFM4E~eKe#C$BY%0Bw z{0DIagKpXmJgSsnzk*OB3(ZY{O35G9Gs>tkoqhFmaZ*o5(_fw*?9*}qX>B?eIJzP! za8~96G}Vy-!q1fR?MS74sf}cNBcy7!iF8cJQgzVH)%0dPOZ%?rmYZay9ppreSS6ck}Q!p6B=HYX

dF9u{?9wnV@-gm{CI~_)FNDb|@SDaw=TvRL<3x!%qPO=S6O9!dZ z$QXHvcv#3!ccTn|`uMP;c0AwSdIlKH0HYaTGy{xgfYA&v`rl{>Oi|xR{)5cK|Goi8Uc-k`Xp%`SfN zGiNTc{@=OcVh_E`oU}H1^PY@ZU+d0uw%qQ{Cy&amy7%gjod1L0Zb`gyNW5<5`@de~ z?Mv3cs}J6MS8Ja=EUUBe&!eLgXScV%_KHj1J^rHWR$3iGE`N1}0~XogCr{jT^`k3} zA5YzL{)KD*ebEhe`QaW{Zzi0)QTl{mt%u&ZT6*@VbL@eKU%uoDgVXQ+-RQ0Zia$GW z+f(P2-m#xO@Tbq8{nL$pBfWjuBM+h|y)9mZo z`W-eIxj$Or`v=b_&)fCIKks$sfeXQZg6A%n0IRH!vuF8p_I+p39oF9bkj+{4L1c|} zest9{5B`WKp1bK0`&DMsr)~JglbJn#arRO7h;#I{QYS5?vfF%jqYV#QC-u;&Cq9jq z_gLz+!5ee!X9Td1;bndNyFe11;5Mimplx%vQF6!jhCA z3A{cs(pd!LOBE-tX+;x_^NErXEn_QGlOOV zQpeO-FvAJZm*GF$0v9`O{|o;~$RGvH^#A#Y|KQ&~{EmjcREM*DV|CRoNC%6J1zjNn{}Bg`Ob0Nf6JC`*x;K8W`R{jo>ljr7V2HWz051 z13gBk`h_->OXP!A)%DVZ74*vTC~h)b;EKTzN@`4}N)tnM(iXevfzFKC5!jk|=|FFG zCO|XDz+t9OnxmXi5#Cejlp+4e2s!Kx)&41YG^0w`v-$?UAD;@cA8~1_wr=fv= zaGs29*J|lzUP{@z)gMu{L`xLKP6nwDoFt@DeJvOOJyrob?V-{}Y6PE3lZwg)j&6<6 zHrSHJE~eKC9N1*b1s75pX}C+%G+{s;#I)dwksOPFnTw|9QmYsBtnUnm#m;a@DRI4% zWc740rA$X*SW0$FMp`Q8S}+yZO_c+?VU1`OCS$820mUG4SP~LaeKJ=Uh(SAHz-m53 zDH~*9t!hx+zNL~PJ}@k}?FRjvq`O>=R+D_XXLO4+Ku2xVheD4|DpswI)eF6V3GfLf z@oke$27Ird^u~Bjf$3zu$`+`smr8TJQbm??SjbIaKyT^!ylIefRq*hRKT3Gvh^p9r zkWC?DQa1~6AvJYXO%c*_WCG@ReFpQ)V4fMwGlO|%FwYF;`M+fd@}H(Z|DOLOas1=_ z2ZLw&|9m9|&0XwtXzrp1e#C#~tRJ0!*(dA29rKmq69lEuBr*Mj5=3$ncwK1i5An$= zpUQub|3QDI69+{;L4S7os?Q#S5fpN`y{&J3^bgCcyPp4->wf#- zb<15V>u>!EdvU4KQFoouJ>#rD|47_wnX_(urjy_LuTK!qTbEpP=A2_rT!cRPq26lu zp1;TZpZqkrYK`i7XYBUfE1r62W$m8lFZ$`DE8F0@w>Fq9jssrZ20Q2v_iS?VTPs`; zEcWZ)%zbj+fj@s}kri_Xo6;@2Z?VP!rz6YVr_;;7_TD8o?6}wB8{d9#5`8v*=p$<_ zcKVwBdxxdl=f0x;%-Ej);U#}v?(St~@A>pIOFpssBYFCaJ>TBh*!KP>UYsoc_)pr* zyH9Pj-uB}+-`wP$g+M&3!pF?o>+CJ&Jjfh>;f~Z5eh40U=iytP{oJ`r?nS(|`&CcN z`Nyc+61&auj_sCGN9}X^8!JJ@zwfy9B6Htb^kT6!j||vX0P7(h@;Mb z?Y3?0V|3|`_pqh!m}g(NK=Ax?V#uoZTE;TMN3djxXlxm%vyzYiPi@Ym&! 
ztgNxz84umF+j>9VxxIN}zA<}L%@IQsfyPT2K~8`gXHcJ=v7*ZO4v ze!FtkL%)4&c*thUG}qgB$x9D`@4w)d$Cudiq<4O>a`k**tG6FCk1s!(y!St`{ulWF z|1ACa9Q}Wi$&c|Lgg|Ea|5sxFPTWpD;6LgADQ;WkhEqy>hPd^=sp8g)r~eRTfvAfs z_*Br33KqmxQ5OAzesLsE(UX5=B-?`FVIa?6g{KsaH*Q$O0Xjo)Va? zE}X1)T47o2VT=Npo>gjRDk|7$qgrh8UU5GbfbkxU8l+whT2U~0}C3LbuG;vd2mqkJtq#Y-aP+-&%?2Zc-1Fd0jp;zmBdA{W2#JZz) z6QUqgWokOdQ^IK6ZDD!aE(*3;s8k#gCMYY}6#=&)jmCX0Dk>SNl#V;2-{ABN+ zpk);Olr+=(=iju={;e%0bnB(JWszx-Ssbgsl2MdZfb{&8-T6WPN#lt?%CYm6V zjgrj7>L*APt@IjR+if>6M2>U%SjD6&LbNg{F+ke_+8E`^7ODbHtvzILSRDz`I6J5g zv$h~(+0ZvsUDkAht!c@=AZ8K1Fqv@j*bZ|}w^ScMvOL6+L0bd*bb9O{qYA^-I^+^!#?SuY9nbxLA@_AT+4&gaUiin*i5DwsSg5y>od7}og12vF_6M) zlxak2o$HUtB9%8dt5dAT;ZRj^gXHy%C3T+}`|yq%I{JBOhvUGsAXf*v<^wnPEFK_Ax^c=symC{w@C@h)?AI zK&H$9}a01&470p$Hfy31|~|J!qW|`Om7K z!GHb*0HG-QbpxR3=~EDaCrJ#0{yhNN|JVJUvp1}F*_l^gzW?*1yTgLMSMu+#UvSZ8d`F%#m`)6k?(vO5nA`<`ww4oskI(iRG4$ip0C`#?1B5d zRDb)Z3pT!NjV-oW`CaezvzC4R$J=baPj<=daoa7w*@`DGSJ?c@dyX|1`~LUG>ny$W zgBv)1T7r6avx9&9+KX#GdF{Gx@#^B47l`*CcglY8ehhK_U#?!}zNMo3c0TMoD{gw* zn_Hf7=mDF|J7>A??{U!IPavPWan@lsZ@A^1T^`3ir-kL9*edMg&_WRB?SM2`o6DQWyY=51% z=A1g`nUelrs=(3 zZ@JD!MElhX_uS{2(@t1+&fZ^o{eR&9|HA<2-}9f3=l>uCk(}}WUxoc!{DP#7>HLBN0V%qxFc9w7)779>w(Wcgca=O8N*|{0$Sjl7 z%`^{vaL|0psFqaNYWq+lKmA2RM*+nxM58(*sS#ub%&(V;~4A;S=|p`v+Yh=>3oV7x)ulx50LZB)n(yjmTf*lm-GrjlFEB^@#+11+-0 z(k&;%4ZM(<4yy&ZMTG&KPNSX@Og^tgg`A!0G7VlNEs-z5q!lN}#xUr@xwM_?19(kM z*AX#K6*~LI7%^ue%!kvW7H^yAnB|QNft0r7&SMqI8t3!e#sr{1W77>+UTBQycQY8=8h5)FR zOg=4Bokod4g^mr9Q~f>_PowtO@cGJsZbP|D0h_J}#H)3?E<>=82D(O~7nY@Nm<9&n z^rq=_svAuwltKTa_|OLemrEHmyMP6KJRHG?o`=HlFbVr-gL6Oj?YQ zOqXub{aoDYEBVAoY1UC6%A&L<2C;?qz$&UuGDVdl!zcjsiXpQQ8s@S=lv79i1j(lw zLko0cGqz$1Ww>w@gIv#|#8z8QDh8O&>vcchPhd?o;q`&MUcd{@tTpj)b0Bswu97us z1DmB#zm?O|jj2v2^X*Y{C}}0GWIO%9<|QU=OH^st$|DfaWi?GxsTv24R3;l_IEKj5 zy%y=mNGm~>1T2Z=!?2KpaYjh^zS4;zO0{J*wn5qRrxF}5r<|dt3AKc-*=0WKi#<{u z$@LVag<#nj=4i3WBT%u`hMKq)Ilh?U0u-|PvY5_}eFYeYT{2gQQh1}~ryD+2>_^Qn z!+$>L{lol=dmT}wa%+bFd>BiNmH0Drf7owid~sp7n*ZiM3*%<(*lW=$ydV`L3n2NX 
z(TV%Mt7i+1MBD2qFzeE_#Do}DDLou%g4wBN&{~Bta)^(qRtoM2T$$+CYgEciO@Q8H z*lc0lw(0aHM&M*7dLvtcU1nIX*u8?`5JIu9ac)Wy^I|W}Zvtz|9G!>xM zpi#=HxD#ujr0Zn@6Z%>vCNzd@nu3|hCGm8x+$C!x3U2Fc)^{8{RSmLkxxy0su-gRs z79r{*74$oqps5zcbSaCuO_jX7PfIk-q@#=>74$p-C7}GMW#$>mGnmLXCAv0&WGaK` zsZv?183{s*OMQ@T<$+qv>JuepH|o4Gspv+%AQEhG?2P$Lt7K)`%1|q%(H3GQMr_B= z<|q_Z5CNMI-2ps(KT-qCN}6zs)F?61L%uUgg3<^XVg#u6ok(c0ve99XOrtCMhAtXK zogSmQh2epm?csfph(bWpYjFWIt13525B;W=6bz1H&18=3wd&O_g_R?tR`yGkPKR-j zA#6mRVN_#9VT}=6D<`M>v;p=7erDLujD6A;M9;s8 z_22NB{y$%deX{;rUS9mBufP5qf|57{Pp1a@Z|lEJC(ggte?y^fK>araPf`#${epj) z`fm?he$KVOeDc7%PaeOz`Ypg6^Xx^M>>HQNKEWIB^ULRt-1qL=etcQ}*DFuzFaG|u zvGDG^4bLa`7Vf^~fy*xb-C5pnn-}*yc@j3Byfgc!EfHtAF1+94g)QGd^N0JNfA^Jl zJVQRY>3*}C2S0Yzyp!I&bBJxSE_cb{OD}blw)v|&ZEG8+t#`(Djdh>jZ@E+a$M#5` zbU%LMVz>XU2_3iP%fCAA%*%J$mcO6gICJvPp1J)r`IgmZ?S0BsH?6SU$(p&yUg!Pc zu1yzzXoKVae&Nsl4qf-ci4R@6{u1o^$L;mYRhGH)kQLwE_nF?H|BHv$IPUFTZGEHL zR$1(tpIvv^oBcA@*SvT!} zWbc~C^Si8a`QJ7@RJrf{d(NCScl#3`e_;M%Sm*Z5_y5~|kNoJ;jeb@{>nNx^yh7O&!y7Nv(~!c_*+(6=SSOLx?L5pj^FN; zOLp%3+S~GqC+=&nw$Zk4bRJ&&R(bDTk9%c2`{o-SS#P`7f@gQQ({rCfm%h4sd-UB? zkG?u_^?`HEi;vuzOOGD?uYGsFYVDOyyMf)UdBBk;{C=MP*a7#zZymnz%{R?XzW3PN zzrV3sqPP1-mtIl0`sum&*5El;1*?3q_5Y#&|C;N+As^5GK_Pr5|MM%cFH-+4&#S!q zS^VdlTmMaCz33m}?{n6FTfja(t^ZG)`u5d-6Jm`mgdY?oGL(g>|2A1L1`G3Wy5#l5 zL{>_T`$*iUO^*UPAnf^lO|GhG5Jy^6m}rpVxSs5kgmN~EV+E+JBweyQ=o&Qc2at&? 
z{ZxHpaAsk*WzccQcE`4D+qP}nPP${;wr$(CZNHPb->rLR{;dC}>Qt>~@4eudSxGd^ zKSbt&UkY*As{V)ZvGy`GGXw2c_gqSWudiZ8qjCqsr93Dxi9A%R;md+?TOtnGC=|PG zN+?e)JhVT;D;#*mGWpDk6{a!J(u1^CmT|EqBr6yS4O%ePHES+H8OpeNlhp1%Mt$uD zb1#yb@K*kr`myXe3#u~7tm*f!;v4ig(h@1K1#&Ti%qn7?TAOsolmM+o$jH`4qyX`j zOQ?j*>t6r;XJm&688S~0lTd|brpmjJMRpy=Kg?)-s?s8tiU1>3@a(^f zI(kErSrMz#zX}jjAd1hCiuOno6**bBNm>oZhO|iWTPi&zaa27xaX&N=#!IkBsQ+ER zO#|iB5(pLDF__Cu;{1sc4irzkiU>)kC5fx3JD3wmLg`q~O+Xg&l#?+LLjezUR=~%0 z?no4S%3V%8j9!3phWsNSRM-~Dc~;EW15kik#cKH zU|A@+K*XrnoQ`{_*-K0VkNu|1m6G3|zC>=k7))Ub=m~t;S@JVNKLm=g0_+tyRoiHZs%?JL!5 z>cSWccVRArCten=+N6Y)Ajw4K8e^heefpaZz{;3^27spk^|CJ?xRZ zcq3wz{-MY0%cAd{NwdhQIO*~w-C03x?fWF|2UspYVz~^m&bE%iI>_BHf4$QmV22QA znwrQ{9eNI_M)vmGDw4?%>|2%BoE}6 zL?Q7sFj>E7m=jA5jbh$PbELSISG7ZEMm85FYOmt9-iqp>6?*q z|J1et{nq>&Z>qtUsqa%la9E!tFX|-Bw{>lCWQ`;a7R!BKkzeuc_SI6^FOZXDoAz1y zz40g`(0Kc_qps;Fh^_e-FA)e`pHLHwmnvWZca~BUClMvgz6}A#;O(w-hEVi$Yz!Py zlzL5~fHebboP*1iNxpm^1^kVihbPORXd;EVSxTeTq#QHjI_AxwMv!qVKw7N&2NhkZGO%4cxh-OqB?uOq zcM3^rcLI#ypIul6TC;b}g_|^le9EIlrL^A_Ld7I8UR#-et0WCWrx-CfFxa%2;5r3) zF6((B9T^F&fIQl*n~cZ9QJOY>YF}O4;(N(VOGGg0iW5-<)WFOW;lW#xl|%}VV@DLW zZlc4=q8BTV6oHUarz8ia?}~*phMJiW&xIh%o8!AUD>AyV;g1Mal-6-gXQ@J&ns!Vv z=6(~U8wfK+n};HP?J)fc*tH`Dq?G|4l2*yyW~$AqLVUhHAwqVEMFdeoec--9{h|TA zJ3r}Xgv#;K@x)I>?|{wct*9JMlcApu?PJnsj-58<7q0`ek7_2n9ln~z9nDYQrIy%n zJ`E4+w;vhS?d?YepYPuMz;abh;yX4@>#ER%UDt}Lp9gWnkmbYNIrgx@REMpOV_Xs7 z{a7F_%R&e3)lIsYNokG8;OI714v+ddPhT8Z0d_sr9>xJg-{0YK0 zg*&*zv;fzx{bg@*&Mnhxa(DuzlB_OhJj7(h8}L^H-ij2Hmy7uC21*CU)5xhdL`8dYS=5r;B?V{(Q1AV)-vDLvQB1LV| z_Hnl>gXaCB!)_B0j;p8XG}Uq3*b?REcOW6f^K|Wfq!z1DT5ao)h)yj!X%Vk_%vzk3Lg7)Q@(e}aBAeJi9v$Nq>qPTsN4+RlHhv0Xh4 zgP?6cgd)rGw50v$n3#E6Vy6+m$>~w{`FB;b<2xm#wq5F?SbO-dhNf+@ISNhIDc!Bg zc(C!-=^1eaf7VpO)Bhl_uG}uBhxeIMV`%MLfnS0s|BHT z^CFU;e(YM^ZGS;V*VD60hHc%4)!Q?DTbIMYd`XVs_Rde_+1&=)@pk>;dX0$F4ZCaA z#tEP6#LSNG(Q6glhH(fRewA(Vd!ONUSpwfS{yB%&*i-Yn;RQel0C>8`M-k*3^Q*-K z0901d_xMbaUlw-Szxfit;Ek;+{jEa%{eGkX7GHjb-y0)-iSi7Tt;6%J2VT6=Vtz7rk3eOF(( 
z_DK6f6}Kxeal`cMpG6U4G@f$U^XQa-48Nlh_c&{-uNEbIt#)_{2BXPfvFO8@LR~&_ zn`RjvI@Xo8TuLx8U0D)4S9k|X{BTga04NPph&^xML@2e&fG_>-dEWI~EqEPhhvsz? z6uDY4RJ$^%qB=!DGF7*wbCz(5co~H&G4NUSKKx-lNLa`yXHOAqQ41`+>imfsDzXd00V!vzlASKv*`gc`~P)1}Ew z4T{|y`BjZ0{rTZY=5<8}hU?N?`8=4-R0|QxWyMiO6n~I(=1|(06JiS(*RFm%Xhd}4 zbNevaNqTs3%X<*%9V6Ov@3mS^ zgi~#ac9lRVh)IF+qD)xk{CoSw435}-%7j`cwg!Tc{AfER%#)uN^=ph$wq{&9ADj>& zDKLwA;eIrdx)Nd$BYm_`Lf%RllSRk!)}vK{feReoqEaE8iIrk(OqdDh?C;p$!Ze!3 zP~Bk){XCgOfkN0p9%Kr4EXkA@2{7E1jDURO&fj7cI$5>}wkq&pL4mM{(BywW`&0g8 zDT+Al+QV+U@t}^j7;HLd;?CtCk*4Ai596XX27c!zU2Bw0md*<5IHl_UQ{WMa8FCz9 zhN;S@<|iheZ+nCcw=(=4sO^{eG9DZZ|6nP9nmFM-oE;#-RBH~7Hr1Ptsm=@<^{s{x z$Pc)KGYN|%@jcGd2oSB=a20q3fY40nqs-;!f_zs&| z-ZO}W`2bO7M*~|cJKMK`8{dx8-26SW9ac%HIZeZ|J%BekIxg$BqwTJk(7Fb#AICdN z*F*?J^LO{~-lZPC*So0UP|)o#TtNzw*rxA2P0eNNn#oAj;MId}TC2l$!Hn%&)^Kx+ zT?cSYPuz6JRn2X}iJsdRek6o{&wCAx+1F)Ti(3Y=_9LiYL5thR0eGovzt@ZnIRoEz zzmsbB^_mLZ`e_>K#Y(2rMf~VL2;P>Vm*dOYXVD&=hX~MQ@~*4o*lmmNE;H(yu1kEs z8w)b}-}5!-y2H694ll0gqi!gYCt|Lt2IFs$W@4#&5{+hK zseDb_dTOm?YVO+4-Y?gdcH63+rtVk+^wC9VydhDD=Qj@v-KimS9jKr50MC~Wpx0n z0$5sW?K(ur6aKK1+K%gsfZLYyA_r4!hb!p)aRK0*576fKyu<+mc=f#>9@MS4_T9yo zefiE*|E_w$Z}(ZxN3Zf*+?Xgd)oIzyv&=zff9g6r|=i89@4d5V{-dYD+@>#$CWGM$H~Ik|heUi>O-zcYw~Ibds1Hw-)Y zdws{nUFT-g!DBX^)#cHf`6O+!Zt>aWdHJOxm(;9z(QkpT?doC(^t{y+!Xr*2xaDCfz zi>0zAOU7FI%HjHkLW$)XX~DXX^y&{#!_4&z#i-{+?pU`@t(X;TP2QV$BkS!+<_tbm zT1}8GYD<{1jUYo}Qc&dC(!}@Sa6==$1c8Q&`iX~?C`lmf)JgN<>Sef!ZHZ!BJWS?? 
zjmi8`G~)}cjXN`{L|sbG?1`3|?rN46GGV5Ho#p8WbLGJ95Eg;9YxwRGW0K;@ERhhZ zv}qJ2uh+Sg(S%EKxAH_O6lDrjk74fRds0O0Q!Dde;xhaE`53Jv(O}pT(YA$1>B|rh z`lO@qFohd))~R+Ps#Is9juav)Vk+EhFI|7l;w#%gfU2Kl3FJ4-6VO#hw zJ)mGzd%&*Ct$0bT=M`G?_eCF_R2wuL3lU_JLac2~fSx9>9`G;Dxdd^6xrv0#mI zzF?v(r~uKFkX}h^YgJ6}ldevkQl_-r4G^yw=G5Q@(-@oB{&wDF!H_6y1GC=qphR1< z{6@r?bX5PUH0LmV=y2h`pb&eFp;j7g!E2U~B0SS3QLcJ@K9R-;MYNiC(Ma=C1^JeV zF!qcG8>I4d$r*~&Q)Vp9jM5$nW!~=(Qna(=gD&wH4GhfaM$p7lT8d3tPZER+Cor5u3(c%JVoioB{SGtA{eSRhQXD<0 zR18DG5Gz2&+-po`x7lr|*uf>qcc`cmRb&?e10#m~k>eTSB6nri1~yQ2D2n2PWIfGA zQa4n836BGlunhEPXFKrUQ31*#E^jwJ#a_q#P{<@`Y5|2KJNDltbC6q_>9AC1|1xY2 zY@afY{Q&^!zem#GsPQ)CYnnTG2J92AIJsbJA%@gN0>xUp!&UM{CL7mi?SfJ;Mg%s7 zgk&dyiFEv+OnSHu=?s4!K~4gF>?b)Le)o2Ga9u>0vJ*?^Q?*SAcdeQIqNGEv9#~;| za{fouM_puah9w(Q^Yh%&Q|?n9jhRV zTJmPHP#fx0nn86Sx`7aYw;4oW;*Y6UzebTF>5Y@1$dWXy8iTAsw+M-*Foq}MG6y1k zu#rbgy>6uokSy+NWxhC3E*%{%#|=>{W#6z#AvQ3>wLYR^y>i()?&aB(aREd2Lbc}`+TQ@yL=4XtZnolWPb8rEmGgmL@nITC*W+n zjW2h7LUh^B({O&!Zr#VV4J}{6c-o(92TQN}@HjheH(CxeEz7?Dd_0;4s(-tQ`_;W? 
zow$X)WIkPsqNAu9=ytfiNJ;O1i5xGs>8bg?bigjVUk>tZ*86t9cpe}d>s(B;O?Yi( zwbAByYH1ab0FG!M&ljF`09!=MJ(qi7j|p*`hxr#LU3bHZQd}FhuIKh|=(OHuwXa+E zhHWHn>uzJHIbMe$NwGo6IUb({D>QX0NGUqmKf4Td>58gQnT&^z&zcpk=esQ1^dD2b zU)#|ts^7n^y>D1IWnMZQ<`cV&EWi09Ij>7NHNy;@+J&-N+#H&Ko<80-28Zu!wiCQ- zU7rz!lb9Tjk5I84?%geu<;}}CD_$)ifJOyoB=+a>-^e%5vOTp)E6g*zI zjbf4YJaM!-RxR;+?l>8o*v@ErAxhC>bi3Xws?f{SZL=hb-2fcGzIZ(C-5)rqpVceH zpWt`sy&N1?)l}VHG|hTl=s_NQ+Qq$krxfV5);Aw*Q*}R|BRi@2o`0@1Pgb|TdPNx) z70{7xfBhE~`|VW#&~i8dZv}%dcR2!m(%uIU^5~X;w8GRXiT1K+lBPPK6Tjh|L%x2w z89&mvkDI3*a$&3%v_-!`Fe};VSPxyfL2U+{-wFYs2wPU9WvPR(q2f~0rL_wvL%|$a z!LcVl(ICN&Eg0tmwrZ8I+(MTl(bQL%_HA|zDyrweyp{r8zC`7StW%8-M2uVrZQR=Q3=&;?9i3g66m8Mj9mum&0JcH4A{JWw>!|+N)0^P_LZS=^E;^_j| zoSMrf@ge6J+sih6wrQ{^DprWb2c{kH$Q;#rE}>nVe}7Z<)nY7LsH#{|xJsijFH0AU z0vU^PR_DGccc>^(6*HG>!j{RQ_i^e5AbX=zE*2K&0~xBTDQ0de{dlnsdZQ;%MxXiX z4W=&=lM>^WG=&*M*a+|r6}7{Qv8UPj%J~h;K-UfXz&Rbuz6UJ{KNaszW<8Z~z#3mLvxvRbx6O z@Y2LAJDe)Pq>(7e651k~q_8hlN>JmfF-qANx7KKffx-+`lQXS(20yzs#nZoXqfXVC z`M2^T2A!^z_nd0La?qzfcazR*5B ztjZOYwQ^u37sO3er5V9!?O%l-tSzR3gH$D~!exg{&~Ly<5bz*S#@xXKfhAlS|0~)d z#8PFvMhXA1wTw}m&XYFAOoL(ZTv~tQX*={2vrd^JdQZ*EI<80?hj!k+^NT*8Z&x!s zS5u;$fTW94DMdXS0oRt9(5MaX6n!2%%fL7bhr$^=Ny-h{S* z6$;dDUzn$v3(`P%xJWVKM}_`HhHbsC1{Qrrbp9+GJuN*Tm$_w1}8C1X){! 
z)-*Jj6mUXRNc1+Rb`p*V#J^x7KMHDn=k!9N~d$&_sWD?=|Z+P&dmq&@E(f+CN zIO9|L>hVi_{Rzl?8=BJ9gZv~5AcRc&V|eR!o3q;U3g3+I3J*ti%Pwjtd>QsS6L7S4 z2s(k=vLv#S<-D>Sv=z(s5x|G{xd;2YhUNJhThf_|?7y<@Wn1>(Rzs@hBgB0?&gCu5 zOPT(*90C#)d2$Vpzj}F{f(AGWnV4y|%QM}wKdWCqa62tgqvJAL@#59^2raS` z)l9+RGMb|Eb=#zAs6u`Q7%qExsq%6A9w5VUSGvtxzjg7LT8Ys*9PF@i+&m@q>3CsJ zo#VK5-LDUrpO>PdeQlgieBHx1X&&8gsPZ@rhrXPhYx-#d3Sl9J+FK78XL@{Ipcal{ z?Kt+kmu%bi6Ln-ga#_CyNNT)}rhN7uymBUepV!n%T4Ek_;ghLy{9Zrst2t8ej?&_0 zd`;ULWVdd!sFu47ZW}IAeCVpQ+pjZDv%Y0vcKIrLz^R`{ZEpPTSA<%;E+#o^e>rW@ zWF)y}s;rqFz{F}l8oZhY@(Kuy&v=3%s%UU zie3fmI{}3!eC4hAaa3U6QbHIlYYF3n!4G=d1O;~zE>yPef0Equo zyquJr^0l7QKV&HCCxkWTeiu-O15$sJ?EQrylX6T$62bth-R8AaRAGD zNF<-c1SKOTp+i-Ci3JyuGZDTcX1-EsltxE}tl5X9m-+xHlx-gAzf=j6GSQ&hB>lv( z6amr*qOsWI`NCqoswh|fGkMgQauRtWiXqy>U+4pdDk-Sg{(M-(4ltF1M4cL=3w5;H zak+i;3oyd)D*MI-{CFyu>`2!Rm}8ERjH-FT}QSU(NkQ5Ss}{2U9!-;M zD?bWlpi>C8p30&&ev(F8j?Yb=8l;ECd)Cy~5RaJzuSn%+!)!hKQzQ_}G%x1f1y6kH z8Z%iOznZ%+Q~0-1B*UW=J-SkzCmB&R`3Oa%8?rtNj|iS@fb*)c!%^q(aI8JT-4Rp1 zi&VCe3zxU}OZ{o*d(7`U?7WBMDi0T%)S-vpSvSe8j?h`I#fa`F=?9!Yak8s$r`H_`6tcLYS^ z#%N7a<%T4w+WSLX0Vpscf6TtQR-U#P$?iYryj!@13QZI5D)cJ9n2=1N58$?BW8b&Q zFVK1e*Jp?o3pA+{8r#Kta6qmc(*^o}RPYMIS`|*lviZb#=c6cE)5aoR+^YMG17$qz z1gqL1ONN%&jEM3H*q}TKzk!k?SFmCn7W)RCOHZ4X;RN=(Wc`B~QDUOImswFOcQQI# zIYf&brwl!VU61}uV{QfKup$8s&84+k?F)mjz8B%K|E-tiaJ&a*2@z3JXZ{~}>>-p# z8Ag``q^$!!6!xvYonG(7sJ*UxcKqydhW8-@j1Jvy@x2WmbKD8RNA!Pv2z)yo&v!9x zf89Rd#$!);zxTt(MoC895ZJl>B$h}k0XjLq?-~|rPOHA>$KbO&HvUa?Hw{t(|N&9n83XRd&tUU1FnoJ;pTH`Z?=)?j*qJ zG=S9jZeI0x+W{6BpSzk4Ff7hKvijldDp#g8YPRnCBe-hh*>A@&m+iKB-;y>i&}rVT z?abhkJuZvkr#B7W;X;IR^p5(3<`G@iZeH}RN@17V4NAo3seGLm=B%j1s9jW!{+zdr znaRCfL{rVH5&L?b8EF-LoaA`zT_&h?UtLmt9v$=63%%ZQeJRnKR!z9|?CHJ+S3S!t z;A_wFy>*7!t>4()*tw7Ja@}P9Wot8exx(|w?E(5uh|gX-sQx&f?a6W4*vhD=2|G%# zCFRR(d!n#*w>{q)+4eO^!F6MF(_#_5{66(Ws6DedY3)DZx^$GacpsRU$G7bozq+V$ z?7f*T`ks8&C0B>fb~qw94kCQnl+M$8H+*2C<-M)Xs@8Ixc3K%aHM>4s(Ik5i_Q-hM zAhSzodr1~BYCvw4wm*D`x^g(e=UY2FQQLAq*z$X$k}JGCj4ZO@?Wp;9mp)D)xvrSe 
z@aw$WaRukgHp^!nuk#Ki_>^dln~jgGrb98m?w3K-Mz73~o^Uc# zFfZ?(JHXLr55lrv#(zfDTl_S~$gjiytc-)gjeLn?o8EZrXK$|ge)v@E{p@Y#@NR*S zQ=)}zM#xCuOH2y^5CNamc_8oOGf2`7ycP+Z3(4RefIn(d!tD5|Oe0YJh8F!xq;n~vDH#J@c zt-@<8drE_F!D5Mj1e&=$!~VfVLYn^7zljjY>bau0Kr)(c?{7}!Q2SS14%5Bw`fY_f zMM|ZymT&%P{?Qmu8gqv?-@MmgUL-@scIFRO$03hCyLGK8Q%v zLpBnbpb2%z$os%0+n)Yy5uGQY6Oz}wIe~sCDhRAN)VB-q9v96}2mA{aGIsy9+y*Mm zv1Yr@3amDZG}3WceB8Nzw;r(s-lD~pRnjzG^;2L1*kKL4-%|(8n#xK5n%GO0(!|Jq z7v3(5w2)Uqxa370HYhO#OW%me$WiTkjo{$%NWy@x@fNFbVH>gv{tkz@g^smNXK z)KmJAh8?tNvSiSaE7XsgORY2rB05Ly4j{lWnlKk9Od?toM}qv6%P6JsirjkqxvSzK z0-abaRDgx29i;Fp`<;2iE5LH|?#`Fl=fXn{n5OOb9v{p+fUIC5IQ1lKsTMxCedm0y zE|46}GrQa@VSrIQIsWO;d^9<)eZ7AputI7KC0+I@xHE&uSu+)#9Y^~V!)94e%`yF7{7d(~}WDuqkDGB)$M{tL$L7_C% z<`qa#qek&7zBhh~bTt0H+c`6gDX<=-S@viYQ2{T_S@GwWCop3)&1W_5J%%LjBI~Y9 zCD3HW_ZpXPJV3fZ2Dp>1CAO=l1tPVB8kUVMpp6G*DuQGxVx_=%&#$~kQn6c9(ocFd z3HWM{KGBpWD1|6Ool6nei9F}V2DXi%Oi$KKtCEvxgBSbDW#0^0364hz zQ-`4oF&DiUdP3W}ZlEsg#%Oxxx*K9g6HhBA==W8lQI^6J2eC)7*g$yCzaX-nv>AsP*e&$%-HlX;_&FNA2 zyPSe)ZBM_G+p~_$=T~Se0w*@E+cBZ)?nrihg%+W%=WrN zSWZq?AFJBeUU&mMm(w(Ggj+HvwU*c2PdvJ3WtNL;tK$pq^4CP(%H*r^mP1xYv+w;F z$u)=bl-0?Vm-gc|*NC6}qo$n@{0uW*8-0hJYaJ89L+is!D6a-^n|;X^pJy@P*ySSg zQT;ua#Y*nd>D`nHr#>|Q5-=?47lqrs{#fMdN#YZu`sH0CQV_JV(ZIF^;p%%{GjZj% z-|+BV``G|-@DWy~Q63G1YAh5!C#k#Uu1Fz=O=asto!-TPVJmmr4gcbT{FUAxwOwbJ~(Ab^eQFoOq= z@3wU@lfy98eYZt5c=n;)>G(wSHK6yaBaScC*D#s0#4peJf|j}NWM)6Crp?44B(^#`Jmm(T2|(ShrEIRRg(>}#dzB77ld%V<~Oq^7xF-C`$dDm<2QOzX6t3;_hMr~Eac zwerWzc@i1@?SQJr3Z3`+YZ#F70O(oqL%{iJ2S`8p{k-r#Ug7aoJPYjBGPT3M#EPj( znN0~5Sn~hFvt)pU2Ye&;H>@Zl(|F4Vm~+12z*jkHFcK4q>7#v~att}vF#c|pDe^7> z79j*gD;4B4SAA6%kVrNW);MCUuKQGM3;8-@Msw{yAL7e$n(}EhP+)(nC4qNaNp&jJ zq@biq7c3=^E9m2^cUiG=%M`+&w{TYZ(nr>n*-95 z7-}q7=O)xB$kod8QjwY>Y5No@7^9w;1V@?eTR5+q`I%u;aE*u&ICHXyD~V?#pALJi zJcoKIN*>hX=-;Q*Rjd|ke{<~3VTJw5KP$dgr#ipj)Uu27$C$8JC{IUW-!70J*sXBPs#qEhIss=^W^1#UW~ za$!3QdcH4j+0R0#H0@bHsVw5&kGe11u7~4Fi3P^$Ql8voS>#Gfajr{-Y8OSbaid}d zqD2Ajf+(+fXDThn-1RSqCcLeFO@fS?`lgucsu;UWB$}Eelt%PrDFE^<(aQMEIT3D{ 
zm%_r(lpb6-U-lPaQa}vzBKlpT($gGyP+ln)W~kt1X|HU{TCDvFIdXySG`7j3 zZVK8y2tKGY$uY}#B58!Z^yplE2`dpRk8})S)sdBtRD?z}Q|`zpdo_QgB!3>KBs}N> zZJ`2_${lcRg*r&WJYm;g^E^1+C5zc_62k@^L#axqbQ!20it*nj6-uX*kc({T*_6t{JioK+k zBSrQk&z2yr=}p+~ul)t0xC9? zM74bWPwPw9mc*X5TJn-9T-^WyH3%#LTiV!}Z4^S?FSUuK$bchE+wi3%LTnT+LWN-M zWvqrFUAE|S(j{a^JlT;>>sT>}^xwS)kfB_nM9GsL>8y~y+hS84(6Xeb1ZC)bDh>io zehCjFG8s~}S&on-H042BwlPXV;{Y%2Ly=>H`)ERec}myQumrTUk?Vy;7D8glGVLRK z5TcH}&OwSj8KOnAWuR>Ik5nRfQ2siEj@JlVV72pB0m$Hlm)TVTRKLglj(6arHus1oN0JBnOjx^dZM_+xQWK%bQQ&wYn0aL^)EJQ53z4 z`%|iCn+LP%;RYmimca#mw{AUn84-)Ffzd*sP9-z%iz0>q8-|LjZXgjCH7?r=yQPlJ zAHr6Rl~+cbO&&_rjEIHfLt?R*m+8=Loi$d1^M*%ygI93cg8h*ipy*E9&-h;`d!+*r zF)++~%qjcc;gj^<@>_&>hzaTSBdst6Ath}Y`WbQ!4Ic61r3V>^WxsPD_(qJ2dAcWx z2i`&FTuwUhFFhr`SR5}hw%bhI`(je?F5q7~p5dN;gj|(PC&LYv57!wC>sHsc71iIf zn@k5})Y%QE9AEfaOPlP~!+;B`4%?XX+A*%INk3a<9)+tRR| z&g%O*w7=M#<6mQplXCPRXr8yePOv`!pD14t zY21ktAlzdIBQTeINnm$5uGEybSR)54$T)YoVn9iPGZm(d#qcJE2A!L6jBVbpF;Uloavn4?@WyYa+6E2vXldnUkODh>TK%|Ek zgCm;S1jLlNt_<23C8pEaZRu@6QjiqdGci~|IZF0{;Gz-=S#*;*IV*Nk2c_UfD+tcd zL^@^ubT#A5c_K$;M&rM!PEW3c9ufWy+~U3xdUAmLOObUsT%HxFbWf-)wcKuApHHu1 z{#Pb88i(gJ4pbVG;2Fqv{a02;CTfQo>3?gPPC>%eohp8 zv}n!B+=YPT-WblnKcquwi5{^DI0Cg!<88bLOr${11T&gT;&>Yrejid?5>D6Xa$<5u z6^r-i=~hdMTuoEDd)U4vBMzfgRfl>;*YM7uk#{3zfj9w6ZEA3^-kawFVaDsj_%dbR z_(MYVSeX(i*<)s`rlnZe*bv3) zs%4BWTaD;#C}d?dq6QqD@z{@lJh}AcbiW@8w**CB^>Kzl;ggJO%|J0W@gZq+;-IUn zyJa;M)~t@thT%B?1Cu$15LbTbhDD{aqDmhzdT;Rm|Db!o>KUULXGB)|~N* zn|8Ov^Fnc45~8Je917fzqPs{H=FU?;mq@_2KYo*dD{HV8`WZqVnK>dA{x3(f7L~*! zJv!zPifWYEA?F%xfILq z58VYiMcjmX`)PE3rf8JeLh`FQ^EYLXTpG-%1FiTs1Yvx2ps1HM=bk~=*kD) z3l1MqbYxoUx=f8@47u{>jet}|D_-D*gF3w=EQhK1cl`t~^&0h+p! 
z%Nj8)ikxB1K@9)WHVX!5dxub^ehZO}u(Ie1RkCZzkXItZG|>Kpzd#H)Q(U=K+@_i* zzmMCi*R=}(@9$y!6A@Q=2rz}1cKKCl5rk;%R15A#T@hntJ$e#eJ@y)|!^*X#80&9s zZ0>sNOQ-?8E;GXv(^~0D<*!I)(^_ey-oe$D<7ka!SE?*?c%jL{p<2pdy(dUU5X-5a zdaZCLD4521&2%K9q|5x@0BHH4T*v>1as!9VY@csl@IfSqZ-q03yQRL^?)5$)e$KdI zz2U!-!$-n@%C~X`*jB%?K5E)kXN%0A&y0XpUD73Pe2&0ps_*s(65J3@>@-wkyVJUT zf;xPAWKOn-QeGdwCYJ^yqPn^PCOFRDqCMSaV@kDRbX<-aLVVB9sBoU=&sE3QlQZmB zp-gd-c5CS_>y0iM=-Iww?oS#y)s7p_DcQb3F2Rf1LG4c0Vyh!1b}kc)J(?~du)2Ov zmn$!8yHz3y54t>|UOoq}R?DmfSiZeG%U*|BPQ`lfwpXQWe64Vvm!nH-HpM!u7rRAn z?e~A(Uf7@gtKhrg(psM32B3Qu+WdI-)X;P4D4T|(UkC+aJg$w0G6M7ujJp9b(_XM|$TrtT!C*Z~c8QJB^2D4dpqL8bAOCww}E$ zX^ZQt4BCXxA!H`Xjm`#K@3ZyA$~}XZ8V8}ONIwT7yU(>fD?nY_7v|Mawa$gjdsm53 z7-rm!cfU>z4rt~}Z-dm%!&&}Bc4f8S)%i%b$4Fb$1`|NN>!!~{t;3Jv>L(jWtZyxf z<3(kg-8ST;xJ%9B?4R1WRprCu*4tDXS>D#cP>;9kEzJjaXGPES7ngZj|43Jy8@mmb z_l>F->9ro?!uFZl#8kFu&12o|-r5oT^~PTEQgTi8!}rl{_mj}d4zH$X#gt*25`5ar z>+(yNqiD7L^IU@;)eWax@&2=K!~vg&rHM@mxe z6(c^r!!}P(tNxOl-`8XZ`V{+_K$+R($A3$cFZpiSUS|>kfd4B@9tjSU{vdPvHj8(o zoIAWpEoANX0^q;>kS~g#=eH8(m?g|V6(ZKL0rW*bESP;hut^-Xi34`jd}r(=YDj+N zSp*_%Io5F1O7*757}-K9(-s97?X|=N0evzUgjDI{A%QN#d>LM$T%)7^fUY2q+rl`$~vcXhM?H?U<~>!65%=C=8@r!9b?jV)EcVyrJl2 zjEyB(Wl|;SY#YNoYzI-n1$oAZA-W<(9tQ}SFH!S-y^U4NJ@ph6Sgn|vHk_lzCOZj+4AoU9#^$eNI(0tU#i8-?7}Y*m`V2D zsPQy!j#|nhGcc!F1)PRvRp5>(dIy(1{z;-B z6{Jy1)+rQ0K;>u=nfWid3L`V`OS)7ESE^O=IQ`Nz8{(_5w9HyZa1yH~ML#-7l=C)` z$Xcu>2B{E8_(Ox*>DIEuTy$+63E?ZG<(~=xaR5HnPekJmpyZpcUN`FGLg{Jehf5Ai zPWWINH$TGwqd$vgF-48M!(=WCIS9{Rkn?4_XmGH>2qv*^Vp){Kd+Mn`KJiv&`eA{C zz;+kwxlGDgqQmGP-UJnxnE&Wly!h2|QtEJmIfIb20{aOL3Co-niv~TlAIASE^$q=v zd{?hoX_OjorMCELK5;H%=J>VO{ugXFJ^+J=1nc(z!P1q}5g|p)`Bb45T%Tz-o?~H7 zjbK4#HeI3$oZ+o-Y`Kz1mnidrCQAgUgWD7UB z{Y;Eh%UVPxaZK-c`F0b>Rp=+{_DW+T{<1GiCJtqE5qV*FF7jOQtk8TCl%(7gZt-w-b zEkeU*-dABned75e8>gsQ5<;NwnMvHloh^OzX}E@SjPypYCk{RjIS%32aF|Y=b#TcL z>&jm@Ows0B^b4GmUyXDvVDXQ-Ac)vkxtRy!94MDg4u=?wjn@}-~GwhyCZnIYZa3Ey6ajnn(7&SnY<~mB6oGwi{GG_zDV41o{O6FeSpclvmxb~*C2mYd(@$3qf*tTW|yL)W%;Zl 
zxyAG%DPkh{W{K%$@VTk-C8d4){z1BT{8Wx-C^4)3smdhRc{Lq)X`2DThkSof(GO?> zyN$QAZDav&-7PD%GwRT52X>YVarm~08e&>r71ngOz3LbIma@IBwm@KnG4ON7Sl1_1 zkkeC-)Ep{LOT#de3P_Hxs$nORP*wZSrF?a}7Xe4R((+@(ELmmoh_pX%)tW`0xDJpO zTwGoZSm^S0wyRl(N~d>UPx??wt?AU5`e*%-T6fy890W%3vXxsk48`&Scsp*NI@8-b z52}6dlV7c#@ojy~uJ>(p&9iw`R>U=X)*e&Oy@7|BQ`&tovSE0@tgVOze4pOReUq&g<4-5C020w)f~ zOV=*4+#S1I=NmS8u9m+~YCxZ@L#w#oH)`uZ6M5JzffdLtiDYe^Lf9S`CN|wp>oxAD zNkpywo&F|vbeySC5m#wfx;)$zYczyb zDx-K>z|c1M%T1#^%C7w!Q#5P5P=>&40S!$~utkvQ#3c%61>KfAKjrw|K%I7}26$|O zW0|-^tvIHXK4CzGq0lrLK}awFl;}e6MP9ETVC247Iz@^;T*=z5c^0mYfGg6dHG}%v z7fq%_15h@5{G89Ey3^3i<8G@bPO8cT1?nl8%~`3R%h$xpBf<-i&HQ3ao9Kkjs&a?k zh#oGryk{qWYeXAwk=p5JV4urU;ar1OBI1+ir% zF{Cu6DXgD`FAQg<=KYy`QEH?Mnn1DqG60N3fSZ~Mp6%hl4HU^wava0=o}u29}^mD!<>aT_F{Or+lazI#;9X-n^?(eIGvK~3^%&b{_gE(oSu!0;2 zVeNUheK!Sn8gyOB{jow;o!&@*yd}Jw3MHlcJWYMRhp-gzVa%=a(?TcQc!rI4BdvWL z|8SAwm`^Z-c{O`^Y_dbzZQvYXkRs-p{ot#p=Q7EAOgqX*znHIlofG8jjwLSujtEzC zq#pknkg#$vYuC9nh9Rp$km$@Ckou<_75>|e-WX}DELwvfkuc#ia&@mDumrf0gqM>k zmQpsG_mLvHc29}AqVg%KTOTVd@-G={y{3LJ^ZaGHXNy+yO<$vVqSpZIw^EHJnS=uk zqRYMa*a|}|0RDltBL{KRU*|WS z^~Z&T-n>+v9iDS7-@%)2n=xe+X<>9L!YckR*X--kD2Yak(jj6(gCbRBpGR8f0z*pS z@y&D>e56C2F4x|MUO#wd;_GJ@Nbcd|vw8RYn*f01{!sw1>Cz8JjUkVw^3n>QD1EF_ zx1EwEKZAeO4aFwRZStZ zSel&GBHfMmyx&q)NnF@ z!mgik%NHLqtI?QID(dKdLkR-EYZyN(?iSKTNSxf_n+Ze+j0wqMIl~|AI=|1?_2$E- z!h}bR*912WIbNa&t1+g0>Nm*kU;6gDa#h;z`m}9)h9|4) zAt$e$SciaBgZiT|s;)w-n_iX(K+Psp4ESPhf~afHKRK1vD=jlKEskH@a;`kS*_%pVc+5|^6lR1z` z4$FB}$e}-6)y??+BZKq(@%nDM&z1jNRmatxz!I?+RNcPrht0y$({mg#gl}o%#8ox( zX;qi_YLZCc+WUQp%E$8%9AbO@WSySj&=bt-goA~e+A^~v-M6&q#Ry!mNDSE6JZ#>d z_!`1Nmv&&iGtt})v`OYogQKq-k+ie|uBb0*UA^v`G;qDXUB`5>XCZGRg9qGHG9aK) zX?kcT=V6S)>iXfl%|L;24kn$u;5ly}>;1Pv0SQLuDcZL6mPWh1sWsFKkL#dbIffo9u>}WvKo4R}^5w*-^Sa(4S1s;7 zzTLR*#aL^vS>r8qpqssRUfXvHHu?82%+Q2|)@a#AtH=)Toa>3#JC zd3}RGl6*Qv-kYjlQTd#~A8Ka^<8{=5&rklp5XYUbAKk~k-szC(uf{ucrAV}8eDqPs zGETJ1Ev}HAMJP;4AB&e>5#f*fcIde(IP&lj9UWU zpWb9ujW{-bFD#xHqiUlCivyG%btBd9GjB!hWe`5clK^}x%qNA 
zG3~_yt4~N*jv8fAuKdw?rRLweUi?HkRTK`(mhJ~W{Vg3?rb^ztaV{7&dxx{|88Ng9 zThd1Vg+;q+Rct_!H;u9I`k3_>3$(M?*R<)BM2EE!nN72_J8UV)Bgd9|uq))=yBM-r zh9$}Ll&*r0EX<}bkwa7Qzl*lCZjR7gH4L* zFLo}$9z^2QyPt{d83m?Aryv>KkUo~LD&_*pUrJcR#aRv(;6A2|6NkE_SvKzK6xz{% zw8&}gA*tv=j>=vU*5AKxS?UG+t(!1I%(aJs$iAx5)P5vH=LusP?plZ2SyA@q0u`1j zMduW!ttzF6Me)%Dh;i&b9_RZe`68=fjX_TSP@mA<>#FjFBukIN93*LC$@iaH$KYdQ zO*B^QIhJ}TTRBv|IAE9mtTaHigz+xs-rARGp@jDT`6218q1TGmI!x&|s`09V&M5`L8WtZv@qJyWP_%f# zdg4>AM)n0m8w2x%B-I@f`-)6N$?=cwZKK%em(d>^(q!|6cJNeK*P!U95mG<#6D>}ys5SnAH5z1%i zCJ+WyCKs1_MNK&n7L4N~qsz|+GqePAfrj~mq!Vrh;*|){P81KC6J{v2gG&MowefPl z(JNgmm8oUlNiiZcu!Xq@l|$=Drd{!gv52<>@Z3|n z$>pn-^DIj|Ik71#^r{&bM%Z+qd!9zl@3HD8N0r(&^l)D#icnfCquU~5S&&9N9}fp@ z`0~FgIW6M8Jgu%zyquN#8iKE-pA(2zCE_MS<3Dc{uDW*<S|UHX$%+eg20Kol6jh0h_N87iza&I^he$E*J8V%j zx@|y>8Un3cF{eYSU`ZaBH*?C4McTInghHj`$9~AeBfG-xK0Q|%bl^t0aCSKVa`{aJ zsdoB|WX4I@QE`qU!!jJpTiyunSC=xiWNch{xmhsLbU^ba6#L}T&=-1Cz}LDf<_b^s zl;2C>^3LG~#GK(Dm9U|3|3qA0bl8#o$$uZt`bnTRf74X^j#WMBk!tBr+u-!Lmn1ijDS3?GuvPXv44kQY4;Z zBf24^z^V{LSfG|oQ=x1h!P1@>wCJ??6T3x)4hI!FJ)X)+1+Q2Bj-Q}Ri}NO4k>k0L zJ@auw+ix=SVb4We^)f9^c^dwsAMQ%Wf;NhzRH>ccBuC}%BQqE!@<-7A)n0ry2~oI% zsc|2-(I78l-$wtA&YWbn1-@%B84l72Phc;`1}0=*?5BFV7(}b1TE+=hY7IYz>dpF2 zD}|HB%dbiw&M|Z>T$&>@Ph4m0e)lirm`#*L7w@?sKcr((+qM(U+!kT;Gz&(ZxXS%5 z!2Zz=*|h9`@|;%!=`pzjY=(R3KpdaP#;mWimmq)PGXmxP{YxS05NHud9;62c>K!$e zJpNm7EcM;*J3w+#@+zNz=VXMcNO^YKgT}?5pRWqm$)}4O&n*im9xvDTHpB_8#P9nF zme6ijN*)h4j~y5n>}_86@i=c6P9Jd7@lbq9%oW3TMg7)|Nx4s)@piWloD$fnO16F< zaus;Ka(IMvRx_!C?;U0YdTz0t? 
zr@{DA`-UX4<20wT2{+X;L1)b^rs?ASmbODPb-(G2#W~8Q#7TqHRpKD6E-B+Z7U=xE z7o+-g4%N08yv=cUldKJ2<#VTX^zQiNstYtY1zc$oLzW6bB(JwiOJQkTx-Cm1#8z)N zH$cKWpu>ttVN}v9h=z{7V{ff$i0JylBL4ZZrTAkW@g}_kJcZy#PyBh%x$o_|%&GkM zqylWeK7q5FOm>1iE zS4mGu_puDxLkf%1UfKnWj^!1Re3$G0=v3aV4uag)a~5rbkbWv$S5RfcdIge3!nL#MjGEZGufMSsFKgV^HuiU$0|y zw03id8R@F{k{r95_tQWogb)6RAhtu(bci`5J_xI-12W1%%&VIf0@~Af9d|e4c-%8p z<=+O!ByyDFgC^%c^#0>iR~ybiQE7k^%tJ){Xb33cyyl?D_Ffm{lxnK`M%K0)qXJLN zbKfzlEN)YMhN0syiOy^Na{mUIdx8*OK!S6#FCkwh`XRP`ozdW8xp1Nfim>y%a)@NO z6=}vnR&2#AWLNOQ=U)ud8KlVP@eWWKRw4_5G)IS707>rwv>nVZ*?8hWTD-dBe<~8B z%eY^b3BHR2w5vM=DvDLl1LOWGO@E=i-KIW`l(K1*S|KNh-4`fDT}33uA26E9kifHO z)FVTNXUE8KqG$UB^f$#Mndr8zDiSiUUBlGC>aRBW!Xq29@5EE^*NBR0?12PZ(W@=t zL30_mdtR|3aZX0*z8|;3!JJ|9-wy{Q-Y_fSj8Ln{`tL?1EHLx<{oHL<_OfAS^C2l( z`{dO;_pmI5b5%X=Qh!Bi*oP50D2hmsOYK^6G6Q(6(4#aPWVj>yeE%S^er{=2^W_J| z(XkWwhBvex(e&*Jp0FWJN{6Bka^O}hkp4YUnu}u}e&Sara5C8ZJ)i$WKvCKnR=ky= zg*IA{q^KD3$TbVu;|~u`Gr+g6uL#POH>g1PHdyklsyK)mkwM9~R!d1%sG|45ZjkYC zRH(OZc2KmR61p4Ju~GAA4ocH;ymjT z_Y`_hxFNSkLy^tw$37bw&rf9SZzNxik+<*PkBq5~PuKCn#Y z_hkY)6EOMB7@oUQurYm>-St*yOq(NqL1!)>X zYW1kKW>y9LsXOCgYIy`$L%ac&6~Z#>oYltw#B~wJaq?UoS`zHC+P|n15@W^sbg?J% zLs#-H@-cbXNYEz;G!=YC4NU#ERpd&0N8QLps) zBsR?nR`ZyvT)9~c$=H?tHe*%JZTXIIzEG^=mrA8g8xO6@v%d4EZZ?D5@3`#H0VaCW zNJwdZLJ$Zij2{Gm^U3RDotuLkYSv8MW)CI%ywCsgg~)&F)axSOuI~2P^4SLT|LFE9 zIo2&M`EbQ`B0yFiD>|xh`LEK6JFn4eZpU!CL?B1VXMV|uml=-N&eDL|J(Idk?e}=i zEH}GCGU65Q6**auIf#y_-F)B6rl+B+>w0>Z>hh@!_#WU2QsyC$-gV7rW z)p~B^31<+t7fZ~?dYA#i?lR6tJ-BGz88a1dc+^PuzU(2ae!9i5w7t2Jdd+SGt*0kF zWxWh%I93nR$$7m6U@#Hst5w2n@*xY!{fMks#pic8R>ZNsTa+zrI9PXo|0NFMxP1BF>}y4kyohrPr^| z@ks*t_U9oF&(eHd;0VhJKz5#w>%2*?%a~RA`pXOzn9p_t{rSETML-K4JO_FVYk4K8 zTZWx7j#hi6!ZB8HKLArC>w!nv;P@XOh=2rFXG{Qh*ER0C+@WTXq?hwXs~aPObyM`QS_u5BZIU3@Ip`{CevdiL zCH~t0szup_7!Qx^-W}7b=8hJpXLtRJuT5ufPm9EtlN&C3pi|pcF5r=*X_nh5$EASx zkDCZXI%u~!Oo)S(W7D~6+sU>Zxc1rlar4ax7{OI39#6NK`070Ef#dNJxPACgGf~B3 z7lq`?;3Iw9j|}#HNbhpntJ2kZP2Qh;e=mC5pZ0v%?_G=_rm&MPv^YDvW&)Hc;{RlQ 
z4{f?|coCqwQ0{OBc|EKe#+PHNW`qA5iVpz8hldb7wwEc}fld^NACGA5?XRG)U+EAD zdnokX&z$dX0F=Ft7_#SHu@GcR} zrO+2@ku;m1BT|Z0{(O;>K;~EeVUdbazI0~3ic`DysbJlJUBRsAsF7?m_lwIY&R~>9 zWAGYjiOHU3*$gpJibu`Y@^OsIG18I;``65mWLrUos~oWv!}?U z)oYQ=_*X3JuO@FHVgZdvvbCgUQE|tdHidB<1*&%c{FU%I!+-eEnUN`vCeBs}BG|CZ z#eU~MJ!vKF6Z3(0iU{)_P5H}i5_NCYiH&;VR;^om;w(lJj=ns(&0nuwa3)o&cB51o z&p{)G``llWM~lJn$zxPBT9Vv~MiMvjijp<7oIii>Hnm1GC`hz{RklQ;?5~4}@(4MS zu6>00aus5!VzP)QQa8wR{)aQm9i4{$u%67sNWwH_I_f|k!!~?u24$PyPg<-q1E`C@ zdx7dg(6KgQf|LkOHB|Jj3afYasHpY$WTBdOg~l~?nT01I;vMtBK4^Z1gQ%x~ZG~kM@Qs{B6J9*o!@Q3JRRu)o3x_#ccW- zfo#8wB*I&6d>bH)gZR(WR3=TGX~90zqA<_-lk+e~zsw+)24TRcN}gZLzX_)tDF-FE zc*AMIvL9(tMG@7{ATSK(&90TQ=nd|S0js+ZOg)P!N^!bSxL0)9ExWN;;irqM2MO9+ zzXhQX_zW}$cHC46!uauFDc5BeF)7J?2S&^~L4h9#mN_Z&)P{B2xK(>RVyls!a&>mO za|vnB-9pGAvU_wDri;$%iI((SJ3WXf3T8ymWxqO@^`^yq=)DJhL|H(PTCnYr>6@uX zS#)Ot#AtWw(dV_+U9cO+J_}Y4d3U6hPl&rcY!!Z0$iDirv@p_4!q~Exqs~pfqdtcD2hXIcRSK65wjvdL1X^%lG(tN<; z8-U{c?O?8mmlSA|R0LmrSS;jzwqg~w7-9SagVly-W<0?op?W}Msc2l*C3G(rPZ9Z6 zFu#B+7g61sx+9OdgF&=L!68s4dhQkEp&xhM+<89c79aa}u)FkL2KD>lm^`7rhJ|e? 
zrf*8sY@h#Gg4d6)kJdxxF{kJ<#hMPEPg++7$q#5V;86(&ODWdT#}{g|I0oY_M`xjV*cYVk(K+xD>G1{YDs6{GQEQ+1l_Oou6(>pH+R#-+~w>i4Tw$3{Dys^{H_qwMWac3P_G)JoLE4Jjwk~9ngecw6rtLXjj_`gln{!pD^MLP?@IBv9N8B_c<-R4S8iS&U>!8;sp7hG3kPwR&4_L}kkRqcaqP|O zzQ#N{;CGdw?M5&>irQn3^<;CFJCO9F553wldy~f=)~;p1miyGs!p7r%Hwj=Q?X(DX zoocxX2UVrt7UxrqOf=xTv>tX)1n|lNycbEiI@+J2ajJt&w~Bo^E`6R#8ZH3FlM`o@ zT|90J0U`R^wM$%XkEPG1=gyxAvL1VQ)-H~n&~k4Yc2xTl@IvU314k4JaINE9@QS>(p|c)a-eOOKV%cr z&HynYbx$rv4VUu5>XoD3-!{CL1z&rSnKZ70+H5?}E&vn2oBIJBzKbyNn~-8Ae)sdP z%%($G-6;ql3KFsLMof?$2H6buA_R-rV+lbfuZd+M=TiC`aXdwJGa=2o{XP|!L=f}7 zIL&Oz#-M`XMeHQV)z?0scB85QWens7OZMja6;9s`>dB;Z=j6yz74JP|OcaIi7f;pG zFWhpOSqBFFidt+OaW{EsSoo}$bl=RJz7L$2<845%D|*G{|MpDT@<9A9-uep|*E{W} z#JuhoJJkAj>&~GjmVl$~IMzge!oDY?*$L5RpnetZZNrXLb{;EXyzB?v9+lMkaim_N z-Y&eAMiJ;So}BIArCumVayTgDo)7NjqTd(y=bFXmXd1H$Ov@Dyk_0O;xN?)AAu>_v zS;D-NATkt5U$<2vm5Rk?(1Nl-+!&|VH_1j8P?kw3ce~!dnb3I!W+@t?!0$4JTy`vM z{4jlbTc#FyiKFvWWyG8jh{gZT3wXjuyDM$N-sS69j65CBW2k-c|?xVswP9C zo+^bvjdSv+MMBlm6XM2{aM6XYHn4&v$R0M2M}daA-;CF;y_AcmPgcsJC_(`{s@$JL zLNm8O(ml=D9TjhEI%nmVaiLX|aR7=Pp`(K6B~FM&N19E+9tzsQp1$G;oI*;Wa+!uK znui?bkhhkdMF(fZDasI);{m~(0XQe1lB*Woc zsNMk;CAod4j%BmkyoEt=DFvzK{%%qN0Cx!v{qRYwx>Lo2hXs<+v*%#BW9OH}3|tEl zhq@Ez8r!^&@$DIqqCm{b=G;H^g!%&71$=d0e+z&#f4rur6b3|@j&cLvt*5XuTH!{% z;oZqmqgyk8QI7n0t$v$EV;kY1NPt?%b55@^oiWu;u!W|K(>q%CyS_8pZ&8z0 zgHhAd*b1P9#!})p858_3DM@GcILKtZg@R%a`2I}TtL|gDzy8M0d`AAcQW0HOCSc%R zy%aw8*33Pf5UkRdCp?ZELbPHV*L?VRFI)$`A5S@ZCxz_sBfsO~-^uq+6bhnL+aa>7 zh4UFCb|Jm}68(y!_K1Ae#p|532Tm$c4wbkuAQ=5I>ev$3Vx7iXb_-n-+b z_1ZKAdG7M)dw0F{Q4C!*U_JU-bSFQXU$0J+G*My{ucrAAo>@gw%L$o&?(|myhmyaf zm~5J%YD2$9}Uhgv@_g-t&&Qk$nQGSn|u2+_~}g3&Tq}#WBdZv5fgx zEjzyHHU(iMA_Q~8Gna_ftY3c>CiUay9OD>suAMu#ThUl06NE3?FCmW^;f$k6?p^(B z3eO+}9FeT%Dj4=<^E08bQFKYBpa}=vHQ)Yr~n;s+^EH>-JG<^}?A-2ShT{!V;D5!$l^MtJ(=vb3uq-6a#7GD`x*i zHY$CN_=yw0m_jYZJpRK}lP~f9H zW9C=fM<6$(6YG@#!tFVC=)!*inDnuO7otHLkSBOWe1m((0gHeSpHWeA_x#`ayxu9_ z4g*DWs%^ddb}e-vE_ORW{Oqe~4_Erfk?oON?^ogT+$C>VriK@NVD|U%E*J?N&wb(~ 
zH=oPCWeOEt$WcSJL}ui7xXrpT#-&GMe(?3XYx_lpI2hcs=~9@T2{{2dHiAHD!~u-0|AC|}s*vDybMYCHDr zKKEUAZrl0@9OQ0I-7K7@eAIvKbWWW^NIWg}pAIepEK%JJ0|4l4mG6QNljqrsxJ*SH*`H^H#hX>2*6pNZ`^RWv53id)r$x6*vEu0yE8D2A+CG;R(vuPbIs&h_ z7tcrF2*S%8IMo-ukbI`q^V4TY@wE^78H95Va;sTW-Q)8uT7=?_cL{~qq*?>B>f*0&jhnpUQB%=a$Otd-JDB=3 zfHJoGG_0sUfxZ)Dj_H3Mq4(ZPPkNa!L#^iP-R7;&i$($g2s!< z8&!UNo_Ce((w~Xw?gjU+!o^{gnN5GJIH}Uoe%~4}=D-k)AGds-kBfp@nY_;{7|BUe z{?vW;^L)Ry!!7h~EAaEq%U?<{F@^Cj&p!mrPuxZ?;uy8}Jh>GfJ;Lm#^!n|q=n|o! z;eH9G;R?@>j#W%jvnUj3%$)%u$^$K;%u2-@&KNCcMaH&I5n3u#f>P)fL?{Sw5)uC3 zDsqzm*z-QozarV@$jAIPNtYFK(Ra((#c-o?8mUnm%29)7lZu~6A&cL|G|`a4t|^uN zq5OGkR%0o$vRg*gfED(dP-)y;mI`0FmP4~@Uvg};4JiV<)GoS%)K|M zt^+$qg)$KDx6}%TV#8<=`hmDkz9xk0(dUn1X-(2AMnAZ#yzwb>AMn-jKls}Jk*eEC_)K9zp^M(eS!$}@|u`;Spq+btX;qS!w==4Qp!~1GQOMXG06~l3Z=)PI9 z3Vc!?xKxm@iiVQ^X)!Rk?AV5(Kp!(2w^B%&r&{4*Mp)10w^qMPM3@uh-NXssoiY18 z5znD?#gu`egjPA{=VGe^o@fBf3Kx$Nt?i#E$z|oU&eX(2QQFPL%;*i5amfrPnam_Q zk@kJ{Enf|06S0X;IjXorzkfzy%|b4~wvc`wF#r3eLs=XLbegeS9&+?=6#_QCzhTr1 zS83eEs+JryN>kJec?!_Q=5?p|@lM(kN~QE_L>!J<4hadxYhxGl8Bob~Y!nfJCxQZ| ztRxeQ9w4p1Y2*sj+4KvRh>8Y02mfYeOpGe6OvE#lU<<#Ms0ZEFm~zA_RWjr5eMv$5 zrma;nQ0TvpYEU;V@zPjcR7T-d5cOg4RCD@8r;fC4q(QBI?h;XyW4}Ud*cd$xN*R#J zLC2Jz41^c>uB4SX+SlM0{Wo{;dt#PC)=$L=>j5d0k>EZTOzX(&iyWyv%7MTFq+34i z&#h1JmKerCHiCMZJ#+c?LBz^@6@TpOw(L$w$%^TI{D4&*ZC|KrCg<{N7nV1u)E7mu zfs_P5ttlf3$#q^@VV{LZ3Kq#TeMk6w?!TayfwLc zj1kpOovKb)+Sw^Q~3+(sLckK@@>QuDujTEQQASldY;niueIF0adQX(V80 z!+34FK+Bj05X{nc%JSMiMPR4m98YKp!q-mGa$ZZ!a+l2NSV3&kX*j$owy_^Cb>zJ| zQ*E@*ZhJYun%A{jEFdRCKObuVr((re^!p&v1-i6SSV?_98FN93HQAG(WQ0 zRsmlVletd%l6~ADznZLhs=fCTtGzt$5V|0GD}*?&a}U6YIU=UYwiQlbR;}%E>*cv= z5to|z?%bz`o{&b3-Q#PEDetQ{^98Of2*_}kV@l_A@OFdyeCQ*P)7vODXbT|z_Po)j z3oL^?^;J&_fJ0O>YuDp}8TFSL13DV+n%nzLJ@?5^+v|mLrruYF#hjj(d0Dk5u{ygw z&W+GgGPa3b-cIM1)qKrNt=BUbwv#PeQdE4SRDf2max%Q9#38&Fp; zvGGoJ;*JhJHjyXzrqXD@Jq*B_HW`G^&*ceF${nEsRa7_k`9E6lq=c@t=4ir;f} z#K+rU(m|S^-%}rqj4xXL-tG*xI^0%ft*$HAZF$~_5$LXPyZb|2!D?GN81GsM>AiRi 
zy3Bg%VM%Qp&@D9Kx0}N{X?x39LhNBZWH_F*9XF_{f&ZxCf(=W_IQ3Wd)0R(uDp4>&A@Pp} zHzr`)37nyCk?`)&GnLMV2Pm=4raSyhSPsrPo%lC9DAFj^1cw-Ua4tz}5d3*1h0>p+ zeeIpRxDPViKTZpVsW4E(tV7Iqq5~?bQ zBmKTv_@-bb_A42P*oACTKeq}~O=6W&6AFLlpcx6nZgkrmH3YUWq!CeFjqz}YoSBmL zqg|*zrw46ZL9#YhMq(Fb)-IMjjdlsCqR$w!!I!qMU1zr1#Gv@X{X208$Mmh17<57w z^@uuakc;6YWuev)^RsBkBw|oAn!mO(DXS8#M1ldM@-vyiVLGp|zZGr?ws38?^!{kc<(E&EH}AgH^#C%{uaXGWIkgcX1OxP6 z2sJ6uKb_Onj3pY^rW8Tr#%QX zLl=W1`lNFftW&HyS>#sQo6eelXpOq}MlCx4`n#h!;%)2^``Tx|Rrh<7lVLda*58P8 zxhPvoQc#jww4(F_=5usc03I zhds=NMJN6^*r(<=)Z)itwWwU^0@`NML`y>qn0Q>2Sy^Q!J*;rf>O;M!>b;c1_Gn|U zt%F#_F;Lt+=CAy7aCW)kNQ#wGO-jAD24i&J!;;P^{Yy_g zf$TNn8XW$H_2XfSnv)!js>C?#mf46_jyTN$S>qJeS-CGz%bd=Tw|?#?(58)ZJt3X= z7ix76jD#_5AtPQ&BB5a+YB6yt)vCoib7E|F^3IN0ha&JZWfCTSW7W2O3ZiCo-d6C% zHEujHV(X~-j3C98Z2MU%#WI?g=J(;+|3}vfhQ`Wy~=K<4xV8|U*B)`=|iuT(Ksv&1bc1d!ggeCX=e3^Ze{XPOXtjE0qAp+ zt8;1qn*(|?rQDEn1nOjA=%c#$&kQ*Bg+!sPa}5#s5~IFR!usY9OqMl`2^RDb> zS&WJ(NRXmKt)iLk)tu&S6uSc%+Vr}UtZ`|m`q`}TR<)CZ=w5Dl28DJPLXbA(YC zn-UPme$1G27opb*R2TK<)_&+~gTqSCrCD)-f1^Rwwtrf!CfwZ8E+E%sm47ukH#XHF zlTnTCXN7ailPqm1i@e0#5depCmHCVS@YTjK9pT&Rs;$lJ^7F$AhGU=cQis>V+0YJM z)8x+SgX?=M33IpzOGXtiO6;k;-9j}%mV8Zkn0n*o?AV*u{$aC`Jyi(sY_dPV zJFK+Nh1_GsFwJz&OV@ZZPRHRBiYMs9pO>Ot)ED> z%87ao@0E`J-pjecd0!o_>pP$GqIfyKa}U#+DS$w$>1HMd;k{`|!!VVQ$e0Rv-qBBc zc?MklXn+Qu8&=oe&7>2$OdnimUOqYMbiJ}%_};;-eXRJrJ@~erE|+qpbK}~B`u=1bZxx0fus`4wJ%uTz0;iezzrzF7%32XKum$S9|57qPa6x*v^7f!?iJ@anVMR6CbH^7M&}o+$Mb)eExFTMW zoR`FV6}bP{s#knJ+0phqr>)!Jk`HiiB8FT@Rx`QM)oxo4flsDE;;P6|9T(p3hhXd_ z(9^u4X=dS&z6j4E7w4pyQf%@C@`Nl^JsTZ7{WI8`1BSl!LLQ9t$vl`}K!Wj0@;P~3iD3>8s zp>Px{a=^ucl$-;41PdwLOiIm@$f%AajxD^Gait0~Sf)wa5GfHeHf!_5%Dxno?RrKf z@pEowt6?$m{{Cp7$r>$`S3-AyvQp-#F)nY=@8I=KL`230DQPIrPPEgqPb;D`>+^=p z!~IGM*7V}XzvpHc4)-8cxQwCaQexw#R82GLagh3r{Va^OZDqWU{ncf|HSM?)x;s^j zJ}^kDn)Q2gs}7?n(g+(5i;(j~>{2)DihxYMyFZ750sE*LcW=az{;%>u|M~kOgsiRU zWv&beTOeQ5-b7~+W!o_lKpRc1GOmw2N6=* z#D{%6g4AY$vGI5U^tn*;jO5)cX@uO%Ims1VYqZsoRN8)*>3wC-pr<=f9l 
zbF6z7$e}HY`O}LzWtFV{JV|wnf*7oYohIlW++?nNiq06a>X@%k=LIE=tD=-Cycsz` zkqgwUeXzgF^u9X*X%iKw45Wfm6~yoB66NV)rzJ2bck>Wree|YD+{4phC~6U65b6g_ zpM#S}lKgUJ%W=%-q{~abB}vQc8>xHVq>n@NuVLS)o=m}i!V!M~#UQueAw3_@%QQFo z!+nw+lnRNL-jC-AmG-WIN(n&Np5})c-*;{!Bp;*>UkeCJE~rHazLcJ|>-{59j3YP8 zq03BrZy$FevO$eOs77G&qdPkbFO{z_V4UO%D{mw;s-0?-d9mTVkE*53g$W{<39`wc_lSG3Bh|MLM)8=#Wz>D zHZ?GFA=2dBG^mRCw7PvazcGCWi)h1IPwX2{YUlwN!TCSdNBvzGxcNuFS(QYxRgol? zPm>(^Lpvn&A~wXGpNzo3D@f+3IgJsCU0DQ3!J?^g)NJUa-`4tnP0}##VQgS^Rz`of@}O55?9+%G7L5ODhnCzHJBggD6Jg_AyL=}A z2d}#IKDkUQm-#OZ9oT_k*$}TE?<9Rs9hl3Wf8u5P7w%;r@7FYPrRHd$xq@Ybzs_u- zKVya5Nj>1GUZbYC*g9kX$N~5wih*qzF7r!>e|nu04&&3ZqErpH*O|kQ+;omF$f^O9 z6m&;|9wr6MF#1bmw(I_E-*{*x2&k|GHGFUyv?@63tZr86mWW_iUzyyzrJJ6l{OH&`CPkhnMGLwoV>f{ z<{mCh2!C=P>`FS6cF6g>$~Eb=Ofh`fu}F6#r^-%i>SqhEbT2s|IkPNJ)M zOfPE(z4|CFJx!K&hnKu(1@<~V!mv#*z*C=>`CW$>LTpxd3)ui3dxOxmYk&{lG@@Ki zk7>=8w&qRf{pU?&Nu660iOM=7uf@&F$h}#aYtYE#}JM@^0Q)DS|t66o#HWvbxHD7f$&Y$lew0xRD z4LDt`=kC1LG}#Z+m5!H8yQ=gmt7i}Qnq9nBk2?>p8}?_wop95MuGfDXYsEI#`fojt zj4#)=9qBrro@*Q~Yda->z}^a{uJQONEe36c4_arhbzDNj?>^3UZCd=+O|P3CFC%~| z?znz9Lo3yJD4iJO zTIB#K1WtJECqII>6HY&Bnssez3~FjGOpju32TOA+YlPYxFo^{5o z*Lnl{S~#W2n*=|RXKz;8DC z>O2=btt2=W%j7l|Z~FF?W)UurV)d4()* zx(yQWBJ`TGleX3_CBudUD+2nx2nd!vMb+_F$rd?Re(2TG9kW3WE_n9iQJngJkK$ko zDmSTIldfnKZIf7lP?w8@;Wc;iWSeT;{eEHkiwE0AYVO($7F}cikFn@C{g$0kWUC=Y zQ#l@^80bmKqz%o%JCyG#Wo_!TsNWCZBxeYm31SoqhoySM9&MM6p_D1%qA#yzFaEU1 zZXnax%3?A1N{!N%V)2wRaXNp1MaK+%@v}x)lRh|jAavsg`%OiQFMEdBXA|?tl+g2x$P_36MP0N&8kaMG zf8ncY@w8s9Ja(Og^1kvAC7G7*0jjbwHjP1}p@7+_M0)f|xtC5lGC4KFl*x8PkJ09P zw35o*LVv{^xUPw6qx^0m-W?;atA53D4TRw+g$yy*kIV$kjAmi*)Xp(Km}XgC(n#KX z&di)<2e*CBOiPVorNvWf%A$(mN_JTLQVE`TjyWY$B4c&QPkNP9Y} ze)FlmbbmDkXujBf#ubNKolHCe`sBAE11`uDx)ryjqY~ zZI0rn+9>PB!?O008T{%9;Cwu|Jccp%VEsqDF4A@hvb&)#M!lRBt(9a(KaakM)O4?| zU);J<3o@pYHrP1gsI^MB@tkmj)RS{tDE=0dw6;j(3S?Ar+?nb2TM8?dOQ8_-Rb&BK z)i?s|(}p$Gd2XiDQm`qui>0p(magJkVEJ0h+<0Aw%u7|+8RB5#fusJ>N@zyeg~@Zb z%z8~1=zkN6PASjLsTpbEKN#roo<8G2hq@SMZp&@g 
z2!ayJRt_xeOAkfznE@g%_);hnkDa=Sqhts6!GL(yuO~wh+y8~owIIa#SfvmVernif zoWbx3wB7O$T&6a%R#MCCJoa=EgSY4sy91 z>a~e-QQDZiNchQ9vWr&;7Qu91p7X9eaxPWFuUwFAR)vFye0)L_9+}? zxBV*sNcDEC`zGaqjvORDs55$hbnJ>@Z2$hGNi*n_XS&^koT}NDKLSp?e-3bU?Uu~= z`4A0!{AHPLcg47cO-e=F?pVuiS%M6!L;8F$JnA28$Wu=hfbe=PCUEflOb0%O<eN(QBTcvxhvw zH{SPM1Dexq<1$+Zar-@3&F}VrA&8Es-MS|0Fm4L2fFqa-vG;M14N-=`NyZOgb6A$D zb$vBIJi*X1oiMmQ-0dG$?{*A1uLTtQaRUEWjl2v(&N~(w z`VX@FA2qU7*;Y1?Vt7m}4J0ed857y?L#7fF;Q9%K1OmuYU#@P6{5p00Sf{3xzH&q9 zK^08!pnuY;3Hz^+|sIdXqAWuPv>KrAC|N;lyj+Nm{cN_Xgu zrbN|Kcv)5@E3HTTwELa>b14ZM&Sj~3rDAR>G{G_&NRf>yz0Uos3_@#R-Av~^MLKpX z!lWA`P)#j4Q6Nhe!-!%jNLs&U4cb<%vO=^&*hH@?D4E*@b#nFLR(u?!Bv zbOP0snwSuW)pTroocr!F0ZB***5|?BAUJR4V}z#;$X{1Rb?LmL;k0wT;;Lt>0V}#w zGu67`*~jffvvo(BVAHI`2WytUaaUpcciY|or(iL0JyZ`ls>H8k@#(AIFB(^+ zK))iuFUN9jxB~T;Eu*xVcM5(UbY$`!%^OJ3m=9LE#EC@cpD9Z4T=7>7`I@m7wsSDk za(u69-6)Pbd%&x9ZS2iLBt1_kwXzhJu<5tZ%8)%`gF6~gH!uB^V^3sz-VS}TVTIvR z|Be^Om1|>tht`!UE~$yK(#WN8oLGoc?7v{m$+F?>gacYhlg6^t?&AUHZtL*J;l)&0 zW;Kh=_t_eMh9Xd7T|8~!rR5ln%ByWlMtF#Gj>j&D)i|ATERqkp(4ysu!6L~9;}-n} zp==n`X)s_<-IQkFAv`Tp1$^S+PHKl!9Qh%m&6~!@EgLgt4oX7 zs4FIvr=v!#GoUjd8&>J0@uor{u>He!1l}Xxc=OLyEsr>{lTe;oUvLc?lf6~k0rEpE z!i&atLNuuqbzVo1-vBE(dmotVR}53abN^=!p%Cg5<*~I3tE;M^eq1)5=9Pf%fGT#g@;%vK`!fXt0DP zwe+DK^H}CXN^C@09PU2CN7PX+t1>)#JT-+iTcxQ&m1TY_bS!$qbM?tTKY=QoH+G1u zV2J%NAr2m_Oc1liUbR-0&QFbqG}#b|Af>_^yqIRuxet zWZsK*Gyw-mJOf;nWHl*pwrOlZojlD6j{Ml-=AqMTYCfuQe6YH*W{wk(yb$R!Q7U>V z(wcnIN`?QDO-uD`Y`}F0lgo{XSdqJ#b3!4aam^}Jsl=J{Xe~*W*`e1^W`E_Fi=joM zyaj-M6!(h~9Si+~{%nf(6r2a7AMD%o_@V>9#p=iK^^Em9FC_IEk$jM-#elCB8g&M= zIW}@c(};=tn1(k{X4PftCDCi_O7;GDP^Agk&EDRCu_t~;ca}Gi#$Z6lAW^c7*91i>OR!5oB){wOmAv|lQ`*Z zf!1-8NC`X5(5V&04ZaW*OC|eTy-K@*LzbFhq$&^6_ngwL>+vbwi-jO`{k&UtTfx_UdiEW2ZJP$ws;BP+g_2T@2{gX`DnZGK)mrPsP)f}WRmOu28} zpnIDQeD~813p-3kJQIr@;QO6S5R)H3;-Y*1D+-+8&X))8_BZhz@3%iW!`mg+ zqSZ+uq*t4P9`Cgc(7n$-!{O5NT?{Azt!MCdhqxl-F%c>u_?#6JdO@UL-d!KD8= zR3LC#)NuE4{Ur2a@U?FG*YXMOI1cy512Fuu1{<)x!4kA(1tClPjKXzVU 
z9Xl|~hfxny1y6|)@x5s6N*)N~#@T~(=7p7F&oZU@XtjQ{0ZS8C+Y~9XHTm)?(@c%U zYN3yRr!1mDNlRU;4vqVjG*=;x!5Phnhlum{Y)`B$<{qCj9@|?rd;l?TS6IKL!t(Ko zAB*POmLH8Y+Mt&j%MuA(7e~33>V(-ky_8|Bb-Xee(Yl*SzH6p<{5+(h+GHZE1{u$p z8c7|*sMtuwq4d5m=M)DXZi-^a25KUYWBjVJpTs9A;dCh z><72#k$x&_eY$)O77F_!r|G8bn#XYtd$nlbEU~y}23EJvPn0sWBMe{Emst^OwZVa% z;ellh59&uvvspnIHtXyAzk&mz(?X2^hLP3|+Lw}ydn&G>QuxOFwn;eQD#pe7H5lUy z*k_@al-SOw>N8mWlyLzWw54?EVvA9Ot&>6MVJo;lmLNt3qy4#N>*HY#7k|&XrMQI( z^9A+G(+=fZ6i?Md+?zo?Xh~;gR{R|Fjxi2Bw$WOQz;3uc(JdWw4H`0JR#?KuW@QPd z*;~S9!o9m7o6IMV=OosqQ6%Ps)9cx@jXn%r{U z5Zqh>#;(1(S#`B)3@tiHj~=_mnty;E6+bJ*J9#%;NSX@uE3SIMnoyeGpK$ya>l)Zd9slcS&pFk|SoW%qdvCVtndU-Er;z;}tV>y6zj-hAj+F#PQ#aRA4Mpi>P$=bB-@fj%cbp0 zmQW()k6fvVa<=M1t@FUCVi9aaSJx7t?ThMftzo4y6;G*W$U=d`gux=@n zGq&=?Rf5k*q~d}{eIyljf1IW)ASx>P$P`q061qPad+}RNt<7YAO#XMo^x;uQ#^=d^ z{`_YJM}4hePrr;ZhmV;z1=v9q@1upC_%}>sii0O@-kGU7Gz4 zZY>!9Z#doU$2F?y6W`Mu-zVOaw;g?p_AN96FISL*fm1^7YJknv+{^8L)n?-aeQi@mcjBsqcx?L4k0MB}el2B6o- zGCkm^>qruG?&rJb{bAQwvVt*on_#@=`5EIR;@ZDQy1(V?$%Q$0%P?Ue?ruUQrtKGF(! 
zyIYFu_WUHh7FbnP$J*zB+Vfd^;t{ z+Fq>o1=={+$J7F*^Xj}3w=-Yv+O(moVTf**gsxM1fLle|`Zi^M@Bkjxm*?vIPaPj= zI%lUZ?)vWwWkjAQV>NzWTSV&C7A@W@fBoKK@(3QzKM-{$x8HZcuhug1+6tb}NEGyq zi0}pOhY+Zk`f!0^IZQ2>-5smEb=4gUJu-T$zVF(fl{vZmeqjdqpB6U5X|w9L{(lhG z7x-Gb0D%W|&RjX28fW%<0yjBZpY{6_SgX+bPsH*TD<4~YT)MBg-B1X0`*?C3XoZ z$|Tv*3PR=>(rko5)r|9ES27NgDllWVp!_s84$P?c=!N8J5Bhfg4WQyrJRl+eKZ)Vc z0`>&|%Lvc1F+6pdeP>VcL??p2={P#G`AI2wohY>2-B8}EJuz)8Z55=OjYIo!x4qZm zvOUuhSSpxA2an>+fQW!3kqH`-iBg^tijynsDCRCYHuh8Q{GS3+z1>gkXbrzyHv{la@N~K!k z8*Y36j9ta@Onr?t$BcQRBSXW3bwdr^o@Ud7Un#%R@!iZ} zL-6MyLACRR*yho9i1U(6zGBnCzsYepq4#jvv4`|VWa0`TNH^d%p~G@{?dPiI;Bt$LM}v|G-~P@hiIRAj$ZB=DmXiKKH5i@oTVd@%9v zdq=9~o^Xn2ZN+$hs9{vKnlr4dt>__*2}(YD8v@7lQc4qsqB7W=(Fdb>@<4jE$*e*B zQZ0N9UU-{v{)+^3W<;B>rnP%|4%q=D@t75{|=@hhPWhO$q#G_hZ8$VCb3`7NH0_vYL*Zl17_ zvE(&v(uD9R{#@EbnU&m?P2hx-3Ab!DxTYu(!AH!3-qjV$P5?)M@$ z>eZ4_^qbtzXRn2SC@pe>A>DBN!^>pCJU-u{rO46GqInW+ZK)U!&blwDWt@C?7v$9{ z94D#?KGmq2nN02|S&(g+-ou-8xWKBN@$9V5ZXx#H0fGbjf{0lOWa zNO@!aPdazB9(@$k@BM(*HKU0)KQZ4?fc%T>3&d~&yvQV_a47kL&LriK*EMkLjObG6 z1hhwlE>m)YbUQZ0XpeGjQs>eBtP4iWHC@}Qyb8p3+} z7maDB0}N1s&!v3?cWl{b@u^|O@_8b6doPiw#Xxo zuf(Hw&s@v}r+ZG9`^@yk+jLs4MBM7#*+azE+C^VKh=wY~Rk--)XR63?5X zs$Y254=Hk$%zgU;IvLWHW1 zj9CgwNy*3y2^rsUAKU5)W-_L0!ROa5MJI zaPcQG&|zkUfnEzSv^fw^te*AS)iOTvD~rGVS;D--;C%CT>mX!w>mIvM*1k3jM$$+B_2JlJJ=UCJ zLmsqPKGdn3GCsF`>*9?3cuQr@wWeI%&`MUy-_daJ*wJ{=Os-}gjb@Y3KKkHlomu(%tB%Y8>EB1 zf^mDkjZy|F;uRYT>fBc7E=bL>)4W!TJ}&eIx{G_3B*Ku1XM}PzYhaNwj;^Y+jP~n+ z+5Pl{$KHd4D4VgYqQJ{J4om&rh}ChX4LO69v{y;AwnIo*`VZAWQJa;zli zu{=aKR;=6KjzUR5viJBN|f*3!r}m1^+%Q|#+ZcipZi~;c|VYc(W5gX@!9~lXry0T zRA7g4rwkhEuP_KJc*x|`G6p>O2Xo$G5fMJwrkH``vI_sQ%o_U|Qi~{dMJKUvA`V`A zh7G7c+AJFdjb!MT=rD6t3cOmG4qZw;(0mJFh6Ql2ZHHc;ViVa`q|Hu?It zpzY;kW*$%4*Ch~9T9f=@1#g!^peqf+Y>+Zbyg&J_ds8SM02eLqyb7x|KK1G!l$=mm zYHhe8#CpoUR~y4L!lD97^ePG!^|39iYwWWD_Z>jNSFpY|}QcC5lX! 
zmV_kLkYCSWkpYjOD}&cpVh*3ND5Bn}yqj_oBcv!-jBhlYAe_U@Kw)813Azoxj+p*Q z3tw+l7bB@3Sq}co@4zYn)#;Fx>=j#&MlRc^#&(#YO@}Q;y({yvnSIq7X{(*|Ffn$W zqT(*uZDeZ*yYc(%1Qi0T9fVfz&nS|u*-Tsv#8tOh%TpfO!)JKi@vyHvbx9$<;gE!@ zStB#e>{J)8WH7#O61YwNdr)cwxMaQ%PL}cu7T#Ua%7_e>@no(Nrzn;h$UF>ba0%6e zVrzeq=~Q2gmn=Mp2{d$zbPIhB0R!|G!-oeZ1N6X^iY@x)l!ADI7Oc{jZ}Jz)A0gA= zDClaLAJY|nBoowdbI=3k09f?QsX|_Lw)j=!mIRJ0QxKm%I0(631vP5M&w}!>ScgU4 zs8?RDsph_XmDYrj7Xv8oJ`YJIvecNZol+*35A`HUG=730^?QEFvG8e=Ft0-6CSSmE zU9k!ECPvkM_G$k2eoebQ3{mi(Byut7}-)R;G5*PVDCyt!88djl@c$7$%*w zX2B|Udf*((ZFC)7dm5vxYaD$RS_{4Efe{I{&NoT+?sR_^u(V;6iHAFn7TpVWT=BLw z;bCD>juJ;jNu(Q*PF<(74j26jEUHuNMw(yLVLbj4O|(filLGA|_9Q{yRXA4LA4iz;sa1%pu5!a{t$hkc6LS(v$uB%va9S58f=yreprS zykpR$`Si{)C_gXgorpff=!aD4@8^XB5PsiCNlK{E{~C*roxTdDDm!G1bd>lRm&ttu<{HLv;Df5f0bh|$+A zvCh`zabx_0zhP!37Sp{izGCx7kJr&eU(fUEwSDi@3g#OSA&dVt=3Riv&zEK11K8+^ zC*a}hF=zy*uje(Qb}jfGX=CqwWwt8`^s#IPhOc&S>H8W8bw0eL)ouY?A68n>GAzn&OzsEr;&d%MZ6{6Rzy`ZB+tZre0x0>CI$2bkF`XvB6x5bo9ukSX=2%#w- z&`tZB9bms^xd~2uhA4NYr)ej%>jJw4QFgkoZQs^1yLlu>XjFjdz0mo_!QG4Lcnd}2 z>T_Irw4+Y1 z{zO6w;*;RCm|xk?v0{!$TN65zrSdhU8U zb?Lb4nk*D?)$}?pS?6F}e@k0Awtqd~$oIytxZ2Z)@jY%LJPbpei_Gn_%LbsV+SL3NqtNdNbF6PQRd5~Ql+*Y9%7dlyP_s42Wj z!D~L#6vX7UdkkTga;VC|QWTl(1aLnhrKG0dG8aSDNb`deiX_{?9!5xHR&V{Y1R5)R zL|J^&|ET!!IOU70?w)8SWGxxlWkQjI(;|j))^H5kD@1{Da74dC=n_&{Lv+&gEW-0m zo!Kr?KVuV_iVqs$%pVBm+CP+O^HqPZUzQ)oB+;gZZKV@NV;bB4dD_-xo?^(sD=DG3 ziNm*-?7C*Zmed6kdR$&U$_*J6`j3Se_`66zwkefMtUulkoqIKtb6+6|l%(fT%02z5 z_labMfIFT2-8TUUz&!kd7{IlYUmdcKQi^mb@Kts5FDG~@knM)BLUH2mw!SA+S(f~^ zF3Hkmw$4vw&lvULgc12A^Oh8?br#hVE0to2Yw8F-YCaViLK3(qvt-2v+abj0pzPO=3P(PO1ZXFPU)@@evfv{oxwi;!VyQT-b3S$1Y+ zl(3{Iyg@VnLde`balUkjIqG2+Y5E*(Qnn$=UxT!YGWeEXqX!bQ-GD_vE$$+xlsuI0|=}exWeKuL7zg#N~0WtwV!zJ z!k;q(9k&TDLbiARUL8Pfen0z#j$RJT#^Tumbth!!d8N^;2t# zS-lg`_5ul9zi$Lt)TOp|ZM8yi@L1_ycnMET?}}&1?IkD?v~{ZgC~6gX_DMV>hvfPx zP%1aC5C~BXrdF4AGX3o$!#F*{ORXV4Ay|89z9!v?hLOuiMO9&3u0dZ&_Dk_9hYPg> z240{(O&*%@ZBV2lG+%n!(Rx@M3eyEoA&WmS+}4x1)|Jv&qF)7~PEPw@vor=w)3=ZX 
zeSU9aD>UxyNpMR0A*1-Gj%r0~_RfXgkiqOVC_I-qEV+6qw4)2sdtsQyz}x}IS`9n* zXEzda86yd2{(LHme2m{M%s04`i$Ff`6clPNwewhf`IX~%5GKb;ZT|960T zz{QjfoKJykq3PEp#vYk?~&XH9QjD<#0Dlu6bOi@l`YB z$`7<)06uSqdTh2ZdVNMIHi+bEZqL}Dd8f+aV2HddSJVK>03R}^{gRz;20rJnRfs*l zJDXZL0_)y>zD=PmZg1;o4!*59bh^(+QZ@=3EqeCe*P~&5Cj5nYu2*;NNOiTk?c+2@ zkb7(Ac`as74PDZGUeBKo*B~4#hllsBvg@A7hbNFr+@-_YTohlP-`O@D|FUioK;k8m zzxlG$eVbVTgL>2FFW6B!bh64qRc_9?|%J6?*cpuC>>RZ$~Ts3s&Gxi>F@eLvn zu`DBJPsJ?(dcNXPI&SbRa@-E9eieIPTwiHFW~kVEA46WI{0Xs0iJSl#4@R{K9kgO_ ze&u<~U3pnGr{A}{(#|jeZ`znPTuP4T_5lG6b!C-w$GM)$;pcJjc*z<&hr2|zp4Uwh zdF|`k4{W(xXG7BWjP17jcHPdqGX~f#4qG1yZ!?;1YD!*~*Ch&@R!!ikfX@uMAc?e{ z8~5wW7BRCoo4n5Jzr%}iL3dULI!AFko~!&92NH?y&snuyyzdKk?w3yCf}itjC3tWm z{{r*ic0i`*ppR$J%Q+}X{CE%a_2xx@&_kNnUI$)~=qtxnP0>wT|L8z~UPfOX3`9Y~ zSdVkaiy??#^&p^^6|R;hff`D<5c?v-b5UmY8hZL~bj$Jhnruu3eEsuGMsjFQeby-4c-wr22L{T9cA(Gox@?*UpM1*$KA5*<3Whcep zDk~)zPuRxD9J;v$_Wzm-I!jMaJJH2Aw{?Y3{_rDIZ0FCN!KU0IS*_qD;10soHs4i@ zkZRu@$zMH%t;r`c9Y_D?oHJfNYl#twux;t;G3Aezzao(&tbTGN$|T_bf{g=NBD<8g z4qt{4tfcFPyS_@42AAXo9!C2k4l@vOE@sf*xn6|+8^*8SLOGxVpi0!8shaQ>H`ZgY zR7`O>qJXz-g{qV#>nJ-jyn2;#xIh1_L^Q0t65N~aXrM;+XrpZ(YP*5tv82$cV^LVQYJ0!X0>Ie(sp7%I=W;B(u z`fwz8cFbfUMGQ0!DFxC%Ed$17B!Mbjyfkg(=JNWX7hhJ=`1jqk#m1Z;IF|XZLHJ{{ zmyC>ZYOyu3G~eKN-*oLlmYasR|D{& z8Y$?|OZ+3i%1X4z{i`8K3VMAYjQiPep@BShM-UZ^I>`&XJ{0e5Kcl&3l$*8Kz$I!= zZZdAbKwk$aPC5Qp_Io;N7D&$`0`QP``d=9TYsYpoc=~b{nH0iB<6*PnBSW02or+`_ zTGtr&e)s;!UourjJ~Fn##x)_!fb()nyIht_Z+w&DsFo*fG!iCOwB#HnjX5>ZC!*|( zee@{}ySx1TGt<(7vqe(-&c`D#@`Pl8r;xm+=XqEbzsJKc*?95`J| zv4nq5G^t1RFQwPTqLhk$vt$>&n>(=vIwL1L)3!0oy*qG6_UuAE|5GfLCF7!$uY?bJ zi*_sOaaW2ka8JkXqhiovkK zd`^yr^g9JeBh;|?GMP(LO4H)tD%QleFfO$Uq1^L>y`+r zjaR6;aawTIOHhi}{db5dgR5nnBI}A6Z4-8h?UZV4({QcTn~H!cg_Q>uE4wlM%|fje zyaFd~%BrSO?wUfKb zXQ00NHobh?B3z{KN5v7uFI?rMuAA>d%2&8#Q8F+o@N!!vhnabY%F84Xr6-Tr*9n`% za=vIVW3%SPFVlmae_>Ao=cI-aaxLcXTAirlYKv*FqyLV-Ai@(1#cx+=FEhFyZ8N4m ztAKlqQXmNU8C0eW!I=e#{ra_0Uy(kOUh$uiVrR@ba|0dkzbNy%$MswHw^V(Dt34|D z)wv>?L5M5ABkHGqi#MB3zxuVv8~%&!gTdkpS!2~ 
zn!`oCyYmyU&2O*uaG=C3zqb2+9uiOR_Z9)&b?3jEcr(QJha#Z*57=vg*@V)N4bc5A z*>$B1(qbKc&m|dNZxa4z)*jANPUA;Nm(X*{K+O|Ke{DCKpnW6LM&R@QMaTvG;l3=+ zzPER}RY#CK+s(r*4U6F9m}erM#8#iEU^dcmB^NzEr_;+7mI?*Pa@Fkk8P*^hzs-d6DC;ypT` z`a1L`QdPUI-x>rlZm6ELKE8i=g?rSA;@7V(z0te#O<#1_UD?cYCO*Ec$oqYKRa)2r za*_aThEqik6bhY0pP0O#pACJ7dAUzXc5Paq!{>6HPB=tMCf|=SZ=qHo&W-@0mQ~pJ z`NY$V(CMEN_kVrReHH9JId6|Te%*9L<#F#P z)d23BjcS$%1?sk@Ef z&9RZ7%U<_Hl}d7=dT}becD5`o8*>WpExTH+9^kSW1AF6t!Q67&ZjKO^(rFRriJr)3 zQnob*XKQ$D4y=GVtW@gsr}Z&!{jp?QdHt-mf#~mVKE3r1t0iFw|~M z2{wO)&|vOrlJly>Lu)uB#{KS^>6LD!+BS|us0!)aY4#Jn&p1nNiIz!`O2lP=XDVuCoLB2-A{4k?tNdbkOmY?=#Q zcx95v`Y=8N0k)IztvEmtimyTC%2nDgo2}6|a7pD9Q=5jxf4v3n`}l$Pi~fm4abzZI z6^0^Ng9rVg2nB7tJX`fhk~$=`x7fV((Zl+Wl?U^`qiJAn@bE2bppqY!mgwg}>T|Vc zJS$|rtj5jo*>WVodBq#jU7CR=&~h6Y0f+(A+!fZ2cX;@%;! zVWGtD4p*R}(Q*YU=NBQOXN9|AV4hg#*83D-Q|vY`S*y*P1S<-YxD+Ds*DFW0r85lS zBD_8wl$qNi3C6T_i)`K@Wh(Z4)K@lfmTjHZ8H$~|wF0T4`#=J;>?elo2;E5nQ9k2Cc~G32tSK1YU>`Lz+^E) zV0EU$N*syo*JQUsaYf4_7HDkZMc7;!DR^uvaFYzwCBLu-OF|nqFZ*dTrK!^6o8LY+n6C&N4Z7- zEI@gEz&wBgD6h4qGg2^`Du%V@lJi!yxU zzr{)?yZNB>J<&+$f?zZHd2_s9w5r-x$mb-4P|abDXgFe4{0W}ZbcdlC(g=3TZ0JI> z(zidbSbHxp-?^=htU0zK_!;oTV{~!q{0|$nQNNWa$L9y+xK&Tmw?lc>E`3`vhn*>} z0F#bf%O_e2FGxg;>TxQ|o6$};v7BO2V^|_EI6MEgZ{w9$L3x$W9BCXdeHZ`JnnHhE zMylGH-9vG zeawB<1@`3+|3IY9(5m#Tw+`Cm4-|DnJGO`f2?&sB3`Oao)z4ym0h>-{wgh~aza?TY1 zhkFtLcPaJN%fuE?{S}=KbIPR#^_CC0_hJtzTu>V5{_}d7>1IWf{&Q;l{IY8U zFYQMf65@{8lP{9cD}fQpdzo8*r}q_fyn&zbU`Z`ajkuuu+C-0|-q@J%RRXbfB&gm_*&a-jXf)vgubgI$RF$4C2%o)zntbpn{(_2)$!2Cn8#!=7pH@7!k|pV|9dh4v?& zaWuz5?$1T{mX~rp20P8;Mmsy#XKYCPYMQp6mopbGA9Xn~Z9TgT?q~(iyODTA+8_V_ z$m&@MdKCI((*Oa#AmSl_Y&or8yV9TIZNO09vJjdg$=obp3y=uvdq$#UMyIXhkX3CF zdmu7WdN1Qaz7@~T>In+B4#U&}Q>24<>(0?cRFa>AErh`#sgo_!7fLxrF#BQ41;5F* z-_CbMEhVU^ylo5MD_`tnNK`Sw{P7a7ZkR$};3zzLNYFGeTrbmv3clp%B+6%NCd&2_ zonn(jtUd@7Q&Zqaj?oIvD9wbQHHToM(Mctm!$Ay9sxOxQ$Y)rTHs8V0R7{MzA0-bY zIpQ3Z%_5AJuFaO8|A5-C{24@(|DYOzMt}fGu%+Qbmeyo(?SQXfgHs1dLMuq1mQZ-M z?gO*jEnFEAeO5l~-qEg8$z_NvNuK!Nt>6Dtok&?!!Z?VySUjL8rukcXF}ZPVv{JsZ 
zNi6)gwVkFh6i1iP;&bYT#YY8%D!0?~>3i52wwDIf7Vafy2+8Cdu|QUd6jRh-%QACC z?C_s(*o<G)(OWQXEI-<+w_{F#lU@Fk3nCOw=C@l9=*IS`LaaRpuECnC->vmWW?P zzK!E0--4S$e9S~SwYtpPOQgFLX3XPu!pq7 z6S6fJ6Szm(ieFDYR@z&YcZCGnmg?|EJiz|MSc$M#piZi&FTRJb(>!wot4_}Rs5OkR znjX4i=7`DG6%ryGX6V62`G@>n2Qqm)e*qDJ9nX`=Ui5`O>iEnS{4@}kl4dsw+F71(8zV{?9q$lfN*S~ntUf<`8|D;|;(WqXW zcWWBH&tWMls3oqq%WYHwqww+*u_i$xF+$&G$+s!BKabA2MNdxtr=DXK9oWFDga9Ao z*(;36?V(#XNvLZLKMu~BXETItLFrMJchi{+ez$~r29M22^Wf`aU0On$H7GMMYHMX2 z7MP3@x57gn{*gIX&#bx#&s)@NMN*>L;iyRqX4$a-e;%EUcP^P%W++HMVm^i@{fl<4 zBzj67JugKL{)){n*)IQqUmxYHC^bbrlKao$H-iQrd3!6_I6}^>mwbB9Z2s1B#0j%8 zc1!LaCrz7mTqd1(f$AmIc$qE=0t*?jVVsAbKU?vOQ?Eo3u6MLSm)BpQdBtbeE(LDe6xU6tkYJlJP6B$qS?FXrh`&=&5j32_U zF7zSCR;ZFm)oCIPNg3r}uP&8+JebYud9(S^#S52A0%(8SKr3E2QoHd;8Ce6=7<6t1 znA$DMRpGGmC)=p$DziFcgsu2g7-QZ$a~n_5iGsxdYedCzb1%mdbxvjJF?<_klu2*F zoZC`y)&!D@V)SRH%>$F}D;~7J7jl(8f^2unEi^I}!hW!;_H6&Cl&4N~aw3*$U7LM+ z8OeF2jaWAnC}AyQePbNhWQ z6&WZWt5fAzF?sySt*1SYvMv5^9QV2BQ%Cv|epu9k1})gWVBZn@|6%GY!`cj#W@)kF z6p9q5P~3`pC|cazo#O5gDDLhO+}+*X-QC?CLN4dK=gOb`oxD%-?#}Ga47&Cs=n>=? zN-mH4TOkG54XgrQ5uZ710sazDGR6Pt-7CBXePl(v#bPyr2No#R8FOa&A~$YQ+{7Rc zsh1U=Mki@JSv>DMZI96`s?=}$)%iW!8k8ISTlk&8m$~x^F0W<>mnNIq*N3MC8`0Bn z8Q|g8yi0R@vqx?z5zy;HS=`vDrOEr0Q(BfV8I8LBd@&Ih#A_>Dlh8c)R;s&k)+V&! 
zeSW9e1D*t!ztaK$e_Ms@1qQ(KT6h^f-gL8NTfKYgepf{>L41J~OVCL|HTMlDlKEBq+sYeKCj- ztAo<1$DI?{{${$+vD+Upop3G`aq*gHEX;x|)w4H;BT(T$7b2JgH^ z6gIk=Tw8Uve|TQcy9I$AQ&uORZm(BuJjO*%%Yf6^QI$F?_l%Ro53el5ocjm#MBc1T zA3;;sOJ-v417fPc?V+FP&td`l)KRyJo0VD9 zTc4)MJ;b5wSW%23bUDQ9ZeEdhS%~BX)a$)J0Ngw`x;<`ny+d9`7Vv|PUyt*hXEOQS zHz?q}|5nd7!eOfd|D6+Tx-EB%X1wpUPNp}kHo`ZCGdzGi92!5K%~{qs>KUli8YCOE zqWRj^uy_E}xi6g~mI1s*UuL{cUFvk)v~e)5gEV{BpXV^qTK4beX#Ojz>V5aiA$|Zg zzu5c_NSzhGmA*wf1Qcy4R23m&ir>FGLB0ZNAhORNFtvW!bW1uQASs;{dmb1sa!s7d zPyoLxl?^xlVpoCH1+^!*Ye3|rd7U+znLLY{cFxsocJe4ZL_4rct^G;-m)NT)pa)cMrqp~AvHbjr8%ekYjPQ}Me+d-eOI z!v_9vzY^2%9FzkCUZs7Il&!aLE9691%jFj54LUCDvFef!Yhmru7c`fx>(fy0{|ZZo z)|)%<=JhRO|1sBxEgek}a9bM?8A&WsDxQ}(#5WtnbBrNHv6t^;Q!+zipk_J`5t*@W zSY`Xc2n!7W)po%>1D9GaT?a!P?4Ii6kp1yKXV>~4(4EA>(uI(Z##%}y(k<7Ze4RGJ^@T-j7}VUWilDFVCTw!~2uWKh7OMcEykHs3{>-S>PXX;zr0H zc2{GDa4QO>KrT=lM!76EF>gnwFE;k^?s8%&{F!@Wi*6V_V|-`w=i5z&wO{Eg=|&&C z?_qI-XtJb*Ib{%Asm@x$bK>tCgb916K-sTGa8_}Ijk)19D}A_l4KoOJN-F(l^34e0 z$y%$7bDwL-3-a@Purn-cGW`CQrP`V$44rb%e5G}rvr8vhaQ2PNYn->%%I4IIC1MXc zE-8&&HwikBf`Vr$Qs{oAFEI5(VcHHVCW1rHOdvig=?aM;!OeS%M`PYmOA)4uL~;hE zpSj>0)D8rDmyh}D%v>Jg!|eagO2wTXW1>esuNJ3h4m`b4R;XNg&v}x4xqQ!kR}8K% zZeUL?hCI&!yKFv0({qlup#NBaJ_DY8u#U>CTHB%pg6)46CJX$eQxIuftooOO`h`T~ zW;oE|api`b-4f4GgRofJ_^2h^Mbj<1n4I<*?{MED#Bs1{SOzWTw3WYdU0=aZ_LW_x+XpTb6uzWymFQ=yYk%W>s+x0^g z)0~(Q?2z;kfo4H<9bKd^2|zG-ArI+()r>Zd!G7cJkcvXoHacWlzAs(`J#7y+lls6B zhL*LEMU>rSeF7$QU#q$@DrTG2(%DVuZ?d7arRxB>-bsqEL`4$qel_twQO4tZwx!$C zwoSCG4mtRmJVi5Bi7I3!o$|mb!6Oc8xSlIkc(y%#?nPX3qt59e5n+DA8qiA=dCfb{ zGulfrM9O2oY0w990#F*t73@`;x^(*Mo`PZ4lJf3Y5^?+S+utfwtWdohM_Bl!ch#vL zz6WQ=Zl*ez52q28+B9Ei#+y4j-K0gg)0Ct=PZF0k^Ai;$gO@j)0>+V!4>kLiS3_2?iMZ{?3n zU8)~bezi<;?uWGMmqzZC2_8+YWleMxG{O9op2m_O)Dky~LZ5QkkNe8~5eQ@x?~Dw-=*tNZD4G)tz_ z{mqK1HSkv2qBeWmVJ3jL?o_v5D(7m@5J;p|FMrX3a$q1yoY!%8G7V3}_nQA)|3;*G z_`rSKItV^aK4G+8f4Umfv1YU3Hn_T}wyzz z<8z?%I(*X|OX&m`+wdYDuML`h1S&q>X@kJGE04mpM7*Fj_d+Z7Hnxtx!x(q%+OpI{ 
zt~)OPuT#I>i6vmYvA6d=;++D=TC*vSgL_@SZ;%$RMX8v(sY{d^Gj7yXTO);{#&51Ef!v#SK&+Xb5~ zx9775&-je>kA61HNZWwb3p?|dMc}))H{{Z%GjJ%^Ce5ka+wV2%eY<|pvXk;EYt;WgV<+NY7FF#N*Uz?EPFTEe3E?cz&;?Evq^Paqyq7s`AxLKvxa` z*c){gFQTkH@?Xz;%3O#vIU47_xEoaNZQPy?*+?>KJ3#asFRIpvxeq_S_l`VC{dWhw zL&gB7&1MAq@ zu70e6x3OH)8G4gg^BSzFDy4vaH*{pke@dK;!KFn;k!%sjaRPiC8 zJ_xW9LPBz*4*6}e16iEz2!$XQ5LeaeR&h4tzD9jpt(yC)FV51-cnJV`yiamW1DWI< zun8o-O8hm|2N%{cy(w@G12>J?aH!TzS{m(JD-%(g@kv>H=T^t0@o zIQzlM^!I~mJa8Gm+ zq;iC6=maDRKQAa`m?YJVuw@?}DGbN-5Y48HW{K6tL*Y8 ze52S$Hwkny{5CvHmtaX&poZVn5ce4OmWLtiRspJVs~9c}FQUW=5((Rj5l=2XCS8Bj zSDpBlWw0kFL4=m-ysF3)cEdOSoh5_Z5VoEf#~z_MNwW{UsaBsUb7Bb^u|P?u7&iGT zOt5ZkZ10tDViM3rkf_{F;~40>Fiz!KGj&3;?HG+_#>Rz5Au2qtKmUMUKu$*eOT&E% z+jAZ&tXyz5xBwwH{uJsnk8}W~_B5PyUpYq@?lI}Nyi?CqiSV0Y4Gh^rIJ{gzcbyyznQl#n=7?$OWdlv=` zapLAgli{R;CW3RdC<%NBPGQKf2B^u6?j-mQh0$|z-LnlO3Sxbj-6d#8{Vkk-$`T#q zNr1w=(rg0T|E6P@^~Z%KNH7*Rkc!*~xZCf^I}44?&mTm?DUp+s{SGSI4YaBmR?22& zrGoUQ!&k}c#d{OXUP4Omjdr26~at{c+J{hOcH0;C{JcMX)QNARGA~pZ1KhN z-?-e8&mb#`h5N2njB>W;hvkVBm$`>CC6drCvL?p~(*h=~9XSW95vN?(E`L61ooMxn z1k8LiX@q42tH$S43DZ*Qm9O=_^y1G&rHgS&MG^T0<;6Lg!~VQU7AWK*a@Ak%jV$K~A2K$uJKORolF5?hf}39l+K7jM{@#hl*_8p?k5LP5IEG5yL?J%#87H z`V6xyc&nmwnJ)@C24oLq>(+f_mlZ?eXX{#m-=P~}BFrh?TgSIM#x`t2U`2$EiHsH1 zWopbR_zR8@f?+>t3}!G>J;WI>MCAyOv{nf$=rL=X_t6j0e0u(dCCg*`LrlZ(V~S>{ zP0;86iCRYSw;;ai{0?i?$h^t-2x^nA@O8Kcie>ucu5rA;$DQ8Z(>1GcN4T;a5jQZ| zTV!93lxPUq@6q8}5Wrck>L=2-Ly7rJ2n#EGu%bK?jf;&6Pi96XQT@6SgG0jV0S zzY6zTW6!7+lt=K)KYXX;mrL*^$WERZXkfT!`dMH&zVFO`U6UG+$W8n%q$JpH=MfJ# z9sf@`z`m1)qlPcz`j*1PnLFQzcC*A_IawC}mrWNnMlB7)-D9dk+T&kA7fh3d^EuK| zo?+CoVd2Ya_H^i6Z*Do0&_I(91GDh|mLs5upFXZG9oY2X`LZ(KYXL~~3T{UOzk-9h z3PGEHFn(V#ZUdfnjsP&eah&1V#UHyAGDaP+p62RP84s}wF{};e{WW}KvwcMAlLb3K zg)sf`DeyJJal366Y2U^2aJQU248ocG+P9nZcGZrfqP4HT-*)Fd|1#XDbv;xdNdUYn zMcb&lWIKGE0X!DkegC5*?kr56PHIqkCdAMn%3J<$aW|hnzhrSJVlMh zi{3EHhWZx>>EWAsKcUOoW2W&$i$CO9@$%04Pft%7%j9}+%*FUdOzTYn{RG#pS5w{I z@d$R*#0HXg>CKMO>CCB%w<8FA=GSP|v6jfuS#>9WzaLp>b9KRK^zcS6qjqq=SvkM} 
zAmQ+OZQs;c;JW#=f0niZ$a7jETzuR4uw=|_mei@;WYYxQ&PZqiJi5;N_drCeDt2fV zPRFeb@At+w+S*HR>x+@^S7kiI+WSZsZ<3v!*ToiD^*3ycn?ppNs~9}|PK(vOxtSB` zb7L8hFc$nPcw+0ejf+bFWL*g8a!mVJcAMr^WW}y_6Uh<_U)-~z$!mKS$V2uH+i26I z@4nD23w^@2b%v?C!{O;}T9;0{kq0) zMeX}6n5Z;nis~b73n3pclz=a8rG_L~jfN)S-bd{&hrU!0cRvt}##Ew-ha^nIZbvG+ zlV6uHv0Z)QB*43fgh7^55Q{h`ZaB}1{hd^#kE9rbtU}?`A@I|kRstSI=t_^=CN8QI z=LvS8VJWr03`6Ncy6`&rzv`c^H1OZcu=I=^*2WAS8NWM}ILkM!RmI3V*ho%K!6ogqGpxiUOWWqjD!_ z-n|RMu>&KjwKzL00#mwKX$*l}feJspYZ(I(`ETL8ixO2d4VaXznyMiByD}H0|Db@^ z+^-s|qJw`@K}8yR0g`nqhThX}lo^+J|5Sfug$^JUrfEz&Z@hjN=|T`|6H(nQt^ zqGDwFcBlyP?Qnaqm75(0yqW4xK!y+ENR?O+$$yY{sgOrX5{{(697h%k6e(p3=|nt# zB8hkvuGc7%w}Ua2BNLP9#oCCE549FD=QUq&s-!1R6|Utn_{0fF$(pZ-i`(HoTFzla zt^S&7jo*?nf~PT6fv5&8-pJ%b3+4;#lgVIo$4$E;vz{wPga1v6)xM1ezEO&(aJ_d&Th#XB)&ybnI5GMyRW}6LmY=Ppa^xbD_3xVbmM5UQT zt7QDh5Cbf} zy-9D_U|90RobAHair0S38gbF*$B|6WH&6`pdQOghht21v^evI^B|ijPRcjq~Db7lA zi1nQt%#*-@ezYnHw2BIv=6|JB0#T|l6Om`B4ZkTm%#q_KVP=(Kl31vn%jep_LjAJr zR;f`QPteTLJP8Qrr2bm-r8higvb80_TK2Mb<+$3b0=n0WBd(}bIZa+F;9DUv-I_x4 zf`Wv;n|n}?rIp&akQv;*lY|P3tprv0OoV(2npCyMypIyu6@^|8j2Wtp7*}|FSTi}Y zYM@mC>jhf7iN>V>uToB{5*LU#@ufNVY{a?qGyXDyaMrWZP`@5uOs#3U>42Nb|1IyT z9JqlY{WCz5Ovt;&iYfSTmoLfdZu1gA9Zdck=I78{(ubv(?i;)=@*8D9)|W58nL7U5 z1JF9#H1#h!h(Qh8x|x0(oo1yj4b?>3x;*@To%U~Rr&bWntEq7YE?$?b#zRNAzems7 zr4|`=hZ8tTs!yZ0jFF4LWAG@%bwmQdbC!O3E9Pzcf=vk=8y^7Lp4FRPy7qpOBzl@H z-R!tb92>>4eg}ijTzAg&ogX8JwQhYPocVUGO_^=hn=RgUI+DufnE}4+8rvh7#Nbht zO091omz|2r2^&BgozpdbrDgl=?D~1u@a+dTO^pShwkNY(^6{=w>tg=$ z-1`l$u?*${M}cvi8$5X1Nt{u?Aru8*v+?t&#>C^vxMiPN`nw+{`|S6!lrc2gnzd&L zbk&Jat(ENLgQ<%Iz8)c)ZuHh&p&T`^?t8-Y;@PtKLI9syu}hWwC+bojOh~D z_Qe1;?Z=llJ04#4+0~0%RW3DL*6%m?52r^Pb-a^$*G?J7I$iW2E063tz~SA!Am_cz zHs|sBoco0~&-1b2`>+GuuVC*8;(t5PwKf?ZGl|4}Rm=RXmUm&f97M!+O^)mCVt}gw zy~%Q7Yb%e9bdE`r$v8sZHYQL-1jTZB)}LTN>ZnT!aVMsFbHcgH2WUBoDW! 
zyv>mf{Jxh}2wFNmQdIGLnM)vQHxp5R>*jk&p(L_jX*{&)9J8>wtiQadBz_tBdyS^5 zzFpwAX@fu0FLZV!FP)SG5+#yVVx1Nk542OyN!kj*o|k?ACa^gqaV<^%ag|E^Sr{L^y2 zz9&|aN~-!tAywc;@U#y;beMz`d)>Yb>QsH5zPrK7%UVV{1swD|p=F+H%o6;m(rZSo z|1$hRjo`7T=0d)NgySQp3GJn)UwLB_3}x zL9h4;i%e^%G+P9_e)w?cNzIDu7l|8`Gb%$@ccCd>Fewr^3Mfd&$^}ZYDKDH1qLBGG zO$E+`{8O@k13w63Fq2XyNk~ZBN>@l}Wm0LNgTCM1c8&fo^jYm8CL( zv2Q||{Sb>=F`ujNo%&K2=F2KPpe-RG@k2M1S$^$kpVojev^Vi_;o z;TDW~ZI6ldzmt<(!b*18BIiA_x8)v{5w)%4rqZKIU_`-}7TDos;v2t&f3xii-t}%= zCpI0iLa?vF5;%4Eouhuq4&N?SqF-y+EodpwH=s;zoMIl2mmlb?loyu|r?jgcYBM8M z<9l>(zjDlM&ZYcE8VDmXT{_RNOg^h$ylGxw)RlCct?RfKn2wtATbluG_St;MgyLuR zD%C-7lPa7L=C1(?4)mH3{=qv@&wQdg1HOH%bt4Y0ioNNN#ff!yDlqxA5MA<4TrN$W z;cX7M^|65^0rPn9YwS6v! zY*e<_jl5_XQ-BT-(?R^=k0U( zFB+${5=9WkEEgogp{4P_f9XzUv>J<5F*<~nQpSWI$?=QeN?1n>`0V?RbS$sGf=ndU z)^qXD7fdafzr{P8XNn1nPV{lwyIUkHqg$aL^NvKYT zx5uJ5by9FEltZ)(v&8as%&ZLYHw+^BB0^CNcm4zC@Hgm7YOnC`aR=r<5wU_P(YqQ- zMt=&RP?d4xB%?EpJj7>wQQ8#uL_$?Hi$j7Cz$abfKhVvf>1kuO=RevHMQUA1;K^== zLM&#=)VaSX0R|rL_fRbY7ld9SEIhB^@2&cwsK_oxdl{s88X?TvCl$(+?KI>`cm(;~ zPAF;QlEQ<9zo<+04h@y_mWC``DJj?$4$O4RmxQ_AkY*w}sX?z-HY_|&@-FVMHi!t8NI{CLDRC%_!G}LObumW%|d3;T> zCddFnznro}w(hiu?*tR5c~Gx&C(&*yd02(7IXzDTNy=)ln^v494?t<9XIIy6hviN# z?R5?d?P#6T{Fze3?^m@Sq_bvwraeH3xOGeViepg6L%)OB<~}Uxb)R~&(@X84+iP)c zJ28XE4Y+v0H|Cb6dRXqh$!t;g`dXG;-sv^fa?0-g#+>PLDy^zZL<)7-@E%ryI5yl5Y;vw$=|Lw^{6N$ONzu-DpnZSO6jY0;W% zzh1Sixb2Mq+oW{&r?eNSD?27J9clpz46WO9l8=g+P2Ji~4cBk5wE8YO?rZEk0T$q! z#9RKi?g(NlmXEp2Wofh3ZgYQ*ecay0;kAEdv%SpA{8bmc!r>X2@M7RBzT zdp6mhsd2Jvs$(!YW|v=!6m-^fJ-?_`zhb|t3t6c5!vZZ3wOE9GWG$Tkf<(A;KZo&?|3F?PjVdaf)#M`TIL328z$72!FzpC1JIem+7q*}{ zCe8xzEZ`dCYkuFJN&k$_dz9$=mqs}vP^MgaBqFvPBhlKKyv=m+_oOTu-^jgttVI*d zDsD}&NgTNcq7)|{QWRMSTbJi(7A1lsXwYci z1^T%=M8_!&1ktN$uWnELQ+ z<;sgxsx|&9<#hhpB>9tXxcyY#Pt5ELCj4AqHfsx374~KoW?lK;@tATpJ@X%iN=r6J zep$1Au{yN{_xf{;G|nm^?TGR0zrQN&!La$(h8+MrIZotfWksMh#~(|JrTBE!tB_>! 
z_0+OZ_p~%4uxN`oZWCc2jxm@ATnBA`ek+5IkGH1m66IMJG0)+NMhNHAIMsXrb&>U{ zS;Bg%qvo?b0_ogfWve-9#kU94O?H&|K8=Bu$=*ql(ZCQyZ|*aIW1yiB2T30}gB zEJQrS^D^vh@O2JY@^?kU2$JGlHTfj#p#SJ6=}CkglGE4Se^wNSB#b*GV=F28xoXf= zDveJ1ME(OuE(AZUaQ9KpiK8+TS|Atw#GahfJRfju0m(=#Hw7uW1yL7`3;bnPnYMWz zx8-h6B~vB)i-pajrOkRIoM9zE?sv3MH9fQ^sh16>iYHW#jg-r}`YncTd%pL zHtnB~U3?fap1&bK&xLfl|5zlA5M{cLA<-arOIQES7rh!4!z?^2QDO`8Y5|piu8M_c)P340QOFT%DGK83&e&9WEzt`@K@^e{^7tIW z_(%FO_WvmywcSio42kc4<7E&p!t>hq-cAYP$IC}z4DoCd-{0s@Ki`7ha3G}r+58rM z#qLqmL)88TdG0M)<-OY3r!B9)jj+e|I2^a|Zn`^e?a(g1)VfjO2LKlz68vgkCpXt@ z+U^e4X| z+p+%AHuoWIQ~s(wMOn`$@Tl(lIoiXU8PNW?w2{xVmOkoIr|CxV@*lBUS|)Im!22RF zt*sttvwRo{TYZ4b%M)ocDm1NUn{lV`T`{(=d9=L z<4Ia3?}W97>vuOXmpZ?O861vX2iw>z?rqL-F11=wypOh)E9qZf4n8`rMMmc?KG4l1 zX^{~;PW<6QcD=pAEoo|^>pcIIPMZ$6wA+%VeY?w+I3Ihp)-)LYX^pQm>q6f+2?A*? zSbz6`yay}7d@XtOi|tLhlNCWZ`zs` z%6@{nBHvGGCZ`5(D=S>)Gi++pGCF0QdmVsResS!Z=VuNfXcL~!qmPkl77wtd+IDL^ z12K;kbq4`g#R9~KXh_x9jpNIB#*Ibg88>$Xk z@#%Qh`0Ho9D?QsDwO6&>=E00@&pp&hnH|5E_;T5aTd3K7}7r^H+q2?)s}7 zCm_}3e7+DaJy9r7=b+1movr%yO-vx;m`TsUM^6O*7YkXk3{I*>dL4~%`?>FT^LR-T z>7wDrT|K2+suX+;lVsFOSS0){71 zgBMz&d!b)uYI>+Yp6v^uZs;YZ1xSMyS%)Tm%`$R9m+3rk)$k=|s5n6#;I8G~n)4Rn zArvk35rluERjb*MP#q(UpSVe|4yB;x4P+x**ReJ6_+`qZZ=z83%Uogl+XS*)_SwnT zOzEeqthV6S&Ip>dWH<_e=Cx@q&Fhl>_pUt_EJakr@_!i-Y2VGw>P~M2@D(D{1FTB= z9z84z6&cV55L%KmB1^(qiS9IM(jVtl?9?QesVt|FIqBwt>EdaA*K3tfhp-JKD+x!L zJIB(uM?za85>sxe5L!65!Li%j_LE8(E$bIGH;IYH8yGOd;)#SLEluR5S(xV-+m~U> zL1*nb{u=y+==pCi;j2pcj{H=lQq3l+U5hRON!=K$`+TO!ltvL-F`m}-$?pm0L2RE7 z;nEiCY>m1zi(C(p3!Htnwxco=ES!K`WeCj@oKzaTh9{{ut)zdVZ;J^{uIlIETg3df zfcu&_`&!n%7e2K|%wsVwie#SoHB z-j8tM;{)Q4q^d)RQCtMoaQ{kIKc-hhTw{>YFRlrvzeN^z`v#mo^O?%z@bwh((E{oe z?&>8_C19iVML}31=opz8+qmpsbQxV9vvoXj_nZQMRtRaOc;NF8y&4mWnPWDBL(Dhn z^#vjlU(#0=f|x-2Y2%zA)L!qP>emoU>Qos5tNx&60!agX)3t!@tYFl(oC6i}7!n0z z)cvk+S*!OZ4QVB&bh-NI+1y3!WXj@>_Thss%#3%wGN2HGoLQ2Y3 zO61(|d%Lw*cBYHPJ@=Z=Z{+eXRe0_pzW9+6a+^W*GllOg=v=R1Z-sBg5HmszEhEVG z&SdciF96=6qeaEYF-l|45{lKI!y>VSSFWcNH_|5hq|QfMP^%{*;RJ;;F0BT$n7q(O 
zHRr+1ebo9)6XT2-@fkm!EgWY)aGD`;^n_LC-fxW+E7HOdM?Sz6cbOiEk_FalrFSqw zMtMfWHx@y{hx~_3*X(Z!^$slG`jT}EUnveBPGfEk*>sc0QjQRb;+!z?kkdU6xn_!L zsH_-1g$BFQ<@!;bAA!RQdFu?vLw&KWKc=hk(j^?coze-_LM`k$DX@A(vlnoqml>4) z+!AJ5e6=I(2`z~!#B~3*B|2^YVpSd3Yc^w7lX!uF;rFcG0LzodR&pm_l^Jkztn;C> zC?P4!jNKm9!j8{{qO-4CDLv3wPJ=ek&)e40eir3H223Zs8PCdK`1s42tK2M4+ub^&Yx zqai&2rce?P-@EDJhw-H%Okf-ms_OC$kTvtQTNP4thjz05e#KLI$@{$QTkGOk?5bGm z{hZk7efUDWNqZSg`uaKmm){n3)i zv@l|V%PxUxWmmP8->oEma_}07O3ixWng8*yw*tkwZEwPK7~IHtl_7*0J-dd_19;CR zjA~0<;vHaU6IyZJea0cYlClSwHi8H?!Wvvv#6>B~9F9Ej&$M~>gKZrrhtJEn9-AE= zj;&uqt}T(RpBM*fNB%*|8^&(7YT)S{E=nZnp52awCN*513uQDfJt*1EK^wriQ~a{d zH`FNb@v7L__1@R#S@%ON8p2?BI&K414BAwIRv&VmKV!ByGtS-x?8<{Sb z3aeg}YR82<#MGIu3mJ>?kCg1M{o1W-t;4Q_PdK%QR@>{|9j;Hgi+qoFI;A=e>kF;K z?z5>luSCvc+m+Ue#P8<``7&JZ-9nKmo$HS`p3f0)%x@HfkgFb7kk`BW!9rSP)5_}U zLn!y8`jj5xN=wX@8q0q6<>1zUe4?WZUXDwM?s0}fx1BW&vh-m1?o7T zyxc_;xRvI-FM5!Csk=&XXM6x)XDWPHxv@B3T!zUtoE~~CJ91+-xN}OlIsR$HOvzC? ziI{bw?JE<+`}9Nu2x;*<2|m1mV>TijBUTXf`C;Em{;J%s_x&pdWp(BVyYC)}l#&?p zxO$3GULHK+$bE@hSWKuoYl7u)8=8}o%I^3SgG|9NjefLDP{o5@n|c1S9W`!24FbJc zI4LR~k7YWh8p22Z&iOFStAOG-Fh@`?5 zyQ^rRH5dd&BljhLRGJiOhZexG`PuN8)lQx7!E51?Bp<$f>TdmrW53@BBqR& z>WuT7_4BlgX6O+%RbYn?ULUVJOQg5MjZYzQV>K*^Nu9}eAMQfrQ{S)e=^DXV(L?>C zhx8I9INffxlFcgdZghQp*-R~Iq2%7Zv)5Tc&a_QQi!i&`9U`dRz0E!3rlLJzpr+r0 z!M<{WU0M@!x1@ur+Qv^lKTkki%=_!c=gY7GY!Le?+jxJ7(m%wpkke=CX)y{fpKvY` zMOe;~n30F`BC({Ia3b4sWO4R29nvg``C$9gn#vb}z{$r|*MEdC%r>$&;(!Z>8kQlA zdiKqpGiwb7WeYAWne_?fAem(n`UUG@zhv`WuYYy&R1dNr45X~ebO-d zR8MK5A~jOKM9VzPzG-zYiOeNU5+?qgCcAqnta(FEO~Rpxov6<>$5Z%=N4*1cK_Piv|8K=CyMhhoe*pBy_| zq~4r7qmN09TiF+PIHQDX?3hlEik;}CTt>W1601{50nt*j{HZxo0;BDMR?cXyDUTv* zD^l?Lys*M2Xx}2`*c2&#!rTOJ5@S7yWAFquu9+tbTmDIAZSBFep$}81hU?IcoWLx4K_Jq5QwyZ}yq^Y=we_hlF$FY+?&kvt2uQDsX7!!X_8&8K@SI<%1QC9o7to zhazSbsOi!sSOb-f9hi*L9JS;yMZ$A5zTjdhBZibnP)B=BT6a=dxM%3_7OONl zDiSpHO8l}sa4*@;(N3QfFaStXin^*vR&zre?WjQ0PNfpeI?5tY9H7hMJp|uo%gCQN z1?C>_=^$cRFbQzdWwE#djt+10`y6GgWT_@D!0PhNEtzd$?dIg&A{ 
z7oLWi%IKAw^(IeMiAnWJNmr7liBD-qKISlw$8!^|)icG({!n5uI6*=9Of^d|tI|rm zg;E4XmRzQJT4kfpHK_OU<8Zxnpvc6QCDpWwK=Q|4M;Z1HBrbZrcfP ztMe5taPoii2={>X*Txn7Uquj7eJWTP$P>mr;L8)^J)jr}1W!6vP=5I)u8#zDTDk~H zZvxrfJfm5;-&4OsUs~V18^x7QLT!51U-4~dm`7}S+V1D8zBx6)LDsAvby?kAqLLn4 zU#U-WcIYn(EU25WDg>WOZ=KCjDA%txh6}Zymn3({HqJSm9s`QKIMl4yktRA^&Yy8M zX*W2Qt>1+C&5;1OpG76wlDQD<)&nJbJmCs8Q@@hu^s! z@Zd6Gtg8XhoF8W#Na1jCH@+~xMf;d4436V~HwWx47?Vrz1fK8hoo&{Ss|(y#0kuSJ z_XB8=d^^*Az4I3z;m%!nfJ(w7UV+Ydpc&~2(EDl)>_D`A!Fy1br2FIw33}wk*S@VY zx{2R_OwYT*50wp<|&zR#Atw)Z~|fu6Bm0}Dq-PzIOzKxJo}M0+G3k+)C=7APnhY%YeF`!YebC1sN)^m znKz#p0nd@0_casqIOVT{F3y#Z3maJ#8~zb5i-}K~MZh1?!V~X zF2}7d!m@lP?H+=buVK2K;0X7dOiK299ru=+{Z<~nm$Nm^TUhL^iwc z*CFR=YLMD3Uq{E(CmHOHcgh0nf_F+hOcdSw?_`4}U!^CCL(my>dFAcM_%(9a$yr)#9|{+x71gt& z{^zKCCBBP-@8Q7&Nus0268ujV12~F|@q`90AsYoBM1oIHVq&O=o+gN7%RZQuR}_k2L{cugb9*^>#0~+t)f&$A};a* zSp_?^zUvtZ+9?_}fc}PAcW%gO!Q~DvH4!MzCl8R?@@_fEWWmZA{4fsu(00Vp#&XU1 z`r6HXu}`sMpEY6mL*)E5zWNUyb)aW^GRt=w=vTk+ltwp&d!MhYDJE+snh2QRDlG(< z7ohWZ&%P4tU3kvpEODSFmaNp zax1JN)N%VWCu&JBlDNHp<_Bj#FK$`sj)bfufGW7mYQiFqTlyb0?gJMy?$XF$B^}o~ z4ypvBh$N8d#YCVj?|7A-Ai7U=z--hUp`m z+x|Xf((tC0GlM^%2%^soj?m=e$nl@e;b39fEgZR{D|(mp)#B5>=zS|Lf;P<8@7^b% zmuK0^K5k$p*@7{UE+GYb#UXuzu!`3dOVU zck&unG(SZFDr07o^iNFo|2`)wWX^?C{1Y&)kDZLbD}b(v)-?!}iT{lE2L=Vs4YSUl zU0c$TBs(MKOT+y)?)RCI;dWSI3p&aBy|}w`vle?e^S-5@B1-}q`v{m zg>~{dTEIpEe{3o&R6(-VT zq7w+F(8vF>R$z#>NY1k)EOh-DiT?7r*Al~ODYr^crO8O_8)6eq@!OKr+>BkwLL1$n zl=-J2iSz|L^%p8W>a8#FBa3i#Y2oHG5b4l%bujSEF26>0u}ZNf+~s9RBX1CRNHzrM^%3mHV9~ z^}huIMhX0CR(%Ibc>(>;6*wvnJ?HJ_1pp>EpNT4(fAD034OHBtHI zIyzmt+UAUrbaC-^yAJSv2{s2mIGh0{o}U$XekA2Yb+pX~adfn%-So+VT%!GKB0Gev zTn^1^FS#u?5TlSU)UA3~E10cw7rpPt(GoQt;_-c>BD7KYzy}tO%iz32v`y=bXE8>_ zW%r=@d%nl!_uk&_sK{0~5Z4;$VRxb98rcSAKX_2Jsjun!qC9c+Ja0Ct{UG?Z*aq;B z6!man>7eD@|LU#FdA&71(E`rV)ZsDp96wL8IBsGL zc6x7E0oSLsA+n5C)rk!Q9!Y0mE}L;6H>->E`{T{crb}I%9$-Zq{qvk+;Uw+b(MXj4 z!@StrLq%ay=XX#0OG2A9*{7|n`pNgTQl;H(Y=KxsfIGy%VwmD50Kchgd9$F7oI>2kzK<~%% 
z1?tte&M3_Q*hjA0HrH(^U-_4VTb$9FdXNwPz9^-U@hp;BjUP&UaW`cgv@@ z=6}qswRZJ9y+bPH<5s&^YF~G|@usYB8{+ZEf_4VHrHCm2z{dN%_3Zrbk3HKCss@cZ z@2zo)HZNeE;z!KROb@QcN6_T+|Lw4TlXDPH`t#B!S;+*RWyYm+v+8?dmiU>UQWCYZ zo^hd_|G5W$w<)(thxC0@`jb?URF<_P2!db&pZ5|JW=t|hS;O$km$fvp3^@|e@AQL2 zXT4MJ>#enaUc=#PXwj?VbHpNQ;ZA#UiLq)oE|h*gM%KsMz=!EM4y zr%DQt(yS`R)%%JO6k3#Pp9jN~D=}SV#NvFGTodTsd#~@6j%C|C73^-$ZjF)!6PjNd zkJs}YOZ7cYBauaX$bk~-wCRt;_^C`l+QICf>~VWIg@zhedgLJWGK1;Jy`LHK|Bh>a zedV-lV4>T}CsK!9rKT)o_llEUvFwC>(Idopju|=_HWU0`M4e?@oZ+&i10fJRxLbhW z?%KG!ySuw<&;)mP_uvizg1fuBI}J2+4}0e9IbZ4*yw_V#Rjsw|)Ip7g1g0S$MKUT_ zZ9+V$*Y4O7X{ ztxBuKd^FJ>E6QfnMcLUA-M(BD9_B~rR(rBg&?g*`69$-Y169(3FopDBS!BxX-J`=J z*{|2bf8VKrxyN~pQ#zJ8l%u-SPg}jsc~s@F$h12aJ#kt^T|>WG64d%hh1oV)!c(xy zrTS`#qM;m+kjvaAOXsG_1=WdaE;tiZaMb5Hn76456ICz~l9cO|h!toGzl$GwSo~a$ zw-~LcFK365QJq=-!MM_&Y#<+=H8f| zy64Ov#{+qxq>}3Elo3p;Q@x^WxJzi^_7$nLOTF~6Z-352-wD;uPcAbasf3wJ(JT-Q z7=B#nj2^8CB|c1~&W$%3*Fu^$`v z?@TPTl7eZXo>b9Bf|NoNu&e(alM{oFvWr5V=Q+0?NQV=JZ8d8LvQL zNtdQ8sW!-ZsE1v0X*j~132)9tJiOaWE*Ly3F1erAsilinMn@UstPr9}9Xr4j!IvHE zV>X$ORwas)HD{D*C^oG5^tl@6HGWd0+nOy7yV!wK&K4hA!LmQbH`m~{-+1G%R;SvS z(rB^e@?Lo~cSB;TR51^fRvbs>ceVwQFAEoILL|e&9I)%7GubGOV!fPqh^JzezTcA1 zIUk(q#N!1OqrJR&U3e?VW@zLa5=!0vCf=kxLSEn?FW09K3=8T2Lg40=*q`6I`ZDe( zwE_-bLsTyM>sJdt6J!(yYhwx{e)HM)sIeZU(ZkEa_{9cCO7-RRY=ZI?y_OcMDGCS@ zR*8^s>!hrtMDhqXrBoja5%675_ykSnC4hn)ld4@;$c`>Iv;K{1P|{;GSBiGEz-~O| z-Npv9u(toXYtjch@BEj*Y*3@V(7a29RWeBfG^cfpiMr$Ry23AG8q|X|t=N4u_PL^L zA`kR7$ryPG8sS>p?`TDc>~dZ~)@9UjX=2QWs3|&W#{(muMXMc+JtB^!=jY%;x|VD9 zYk!UV0F>;g;Wu$n=Og<|H?emz1PhQ~d2>)Lw$j=P(L$(&!hUW)xWwaPC`c=qe$nc0 z(x%TGEd1Z%XqHbM9zgUSk$nkyFZoCHe*7xW1-aC`27Hy-MUo@``hxcc_f7>d?tuk| ze4|zr=Wn~+HXLSY@22X2qEGlP25_tOKZDQuHJszI_qH8y zF6d_O{vyw`aoX>DB-nFyy`dp-##(87w`X>S&`Y`JFw91sL{Qhe6`WOc8r&h&t zvT~K}E&<--ydd9pzM7mhssf0!V)K2`L9_YP+Svw4 z&dUsx;>VlJcPq13%|PJZ$rr<8u(S7lsEV%6<+6@(GfE5Gw$!8)y+i*8fLO>8cnV{@IGexlknaZH)qgItu)=iJ=EGV zskL$+#oXuhf^&r3!EsYwuE#|MuO(Cca3fBuve>!AawJ{{yZhG>;D;Q7tE9j$j6G%; 
zcV~B41Xms_2-`Sue)gv+PaB0V;Blt9yO%9U?;)hl5JKXz1nEtF<_FKCs(8K8WF;Az zLTHkk#cm%Vb`$Tb@52yHFh;=rn`C5)SeABLKvQxpeFelU?Oz~kQA^bLm(@S+@%<}; zNbHe&ULx{#`2Uz=h6ZsX2GPWMi;wfe_Lytr6B0zUOnbwUlOzUDn)tcsWBxXre${6w z2+CGyS-%Q$A9hhbj?A6i>;I#EappWZnhY}w4GPm~4*4Fw^6hIdQSfdk!Vo!ln}-BDl1d zaXSCKDOD+1Wj313dzz!<8Cb|VwVOOmP7uUA6^%5?C^f^iC`|`)Xu;^0rUb+E4vMb+ zljaC=an?zZ*;<%g+xfGn>nDFW^Y83&|7n8PZ{y@QF|p};mW(5er@vB^n-k6#ZCH=lYuF&2ix+RFENC>F;<{-U?CW*Q zw%&@2Bk@@9M^k=d7VF_UY43K%e~=JS9#OCp%%LTq>77xNmzvRG=+!GsAEO?@I?K@- zO)!?J)@>8G@X8^Dk+c3$;FeUHCpxdn7}I9rgHX~4*?bQyR0wDCFT`Gf4B7v6tcK8! zy4`z1Zqxn-Hf$8z3Gt$`LNf=+bRdrBNUMeuyrcAUHZ?$NYqap#dz{gaSPa)7tvADE zWa~x9bpPUaKyzfu)(oWi%yl@OPuJuexU`UVm_l#eO4$D_Dk7$%?t_^ z_NAw!gXb9xmLQ6IwrCM+=2d3UHfNdYH*AwQ>fL4v+T`C1Fu_Au7%UxPIj~eb8?dV3 z*tYxOHMoC1Rb}f2KP0HTLVJC3Vi>*Dcok%b@h+fmLWC;sWK?gUm0o@DW~Q++C7F6E zC+1B_6p<#BkC#j3q8ePI| zz@^)ZgcXkb-K`^$*97M*P*ItlZ>!arg>`SIm-i4J*0FhE**H6MjgqAu6mlco7xcp| zMzz2E)I!3&YJE)Gth~jSr-bdcJU@}~*}40W>l`b+Ax9>wWL=%tkVB#p{^aLRTBF3~ zt_Z_+RM1xgd0;s!+0UNUaxMfcHAnhHetaV?$vE9?UL>< zg9xL-P(r7kAQ|qt+QLlr# z`90sNCTln|Jl#*7cRQbFm)lUUoc|F3CFl^=M346Cw)`L|n(K;=uE$unIlWtL&lq-K z|3JHq&e=DfL6TZe5EGXlxI#CMz|n0Yj~H@$ve^C++4(%g#~)zb_Mo#3G3vY0)ok6O z&xJ#eTHGnWruUg_a~n2v^u3PrxpALa&kea4d3@S*2Q6x>K?b~KnX*0@$|FDcdRrc< zxb%c`Q`hX?HuRoWvT!b0v;z+{A@2hb0K1zR(|g0tt7O9!MTWn+ao8w%c{*Je_jNh< zH_jWJz{9}SJJ5ZdsG-r*`XefEvkda$n+CW+@m+E)a}4CN3w+)sT``vp=%#bj^E{=z zA#tdpVl3SPKiZUCH<3LKHzrx4j%@k7F^mKsN_K4%{<%+`2-$@i^vxkMG;`P}7u50w zMPWNOfrY3YzVch;Eur_evZrJP@U0!^>N*&Ht7}}auVeB7Nv{8i=<0g1x6skO?CcrH z0fBW=HsS)^S(@Vg``gdEIj{{OYxa_}tLk;@c73PQx%JD9k^rx}oXhvAuG8%0t?uV) z{g)Uvq~6P{YXetvU~&=;pzOnD{Ytky(QbQ6X9zdsnf>;6z_!No))%ZzLfHI><%+0# z<$J!D=h7ZX@Rei>WZ>OQu4(Aec4kB00DNpU3#cV>x}|%qx!$BBNiZ#R1{;y6!yjq9QS7o9li(3bvHD{`Fe zN>2PFfmz`LTMsJKIOdU-B1dsVw;~T=UY;vI>oCm7dC3`Zhn4GvJZ|%ERxO_S*olVO!CQ&6?-$-N!r>L7~hi^#1GtI0;1d; zeF%Pz>LtLeapxW{di#=HZ|Rye>D z$zIkmK$d;;?IUEC@+Oav0nWNN^$SG*#VhqNrB2oJZarvsFfV zb&ECR_7RuOkLc?5aTuXQ%UwRB-?KC_OoD>0L_=+l`RuO=KvN`$rQz$CWj*BRgX znP&#$53s~B8YSSfW9*W_*Sm9 
z1ox~JYilw-`ZM@2InpY$Nhq>@&0iY6$WJhgmm)uPrDJvEQMyx7Eu?bNTCdpY54YLL zTCtRG!rmjTlPPbXc4vh;ZVv;_xz*4N+yI$W%i5<<3~ntuZw7PfaE3X0OZ16*%&~ux zM8(5gg)UeZu+5xUY?I0QMqv`g6ecmUAsp44YEGo{H{W$bD%;7pPVx`cTG?zYyG5$L z+PvV~7SqV%VfmFU($KmEE3Vg{HvYJ}5tGqCGRuUP*|#Q}IxAP%y5GMSqRD7`A1YqY#+ODlHo{T zYzJXR(lTmyLzSjV9KF}soB7c?pv`?10P9G<_7r8iLvw&D_H5yE{p$}>&u3EJhe zZ#`;^=neQ#m49)}^_bP3HRlsJW@@Bg*Lz62e->pjuOc97`>=iufUfE-iM$hT(zT;TgE$TN-q}cb64L{)R{c?9$@0>;AG1zBF^%{@QeS+fz$JlfA zVG*e33Uc;@_N}Xki32csJ%l?#Ko*i+Yc!1AAdG=8*Vzvj18@dyiw0?W@oJjgyZQ4P z29RvkrH;dHq_=}H3YP;C;1(!ymrvL3ahJum+jo~0RCCjJ=zHDqSoFMyI?Zi=_1x#0 z+t%>-ZtGH2qrzvB#XtgZi91&4c+Bur=$+i~hkvu2nhpRyjon-aTQc6&>ijA1@~7*) zQp~|o5Sxyi2Hkf@DdxI9gED;ELsSU-1NE=Y&gzy0Z=?Afdv5bpue$AD+7FLgc3(E^ z!}gzs(Lml#pwGmaIK=H&>c`6;IQYk9)i|w8EvI2y&D?bT2k_Lkw)1KgNzJsb{T9e^ z%kzk=g0D3=4Mrf3En(c?pxJxH_GSloGq{d(aSZ`k(b-&;;sSn&R?Hfw!gQwfn92e|dGn{wS@7dkA z6#y;nhRe^e2B{oT+F@U24?Xq;52a_~6F zJ|^y51?)$!Yrg$Y=k)_eqzgdq)d!DnNq+C(o@OmUEG=e_$J6zee#o?=1zJFq!RnAa zR?y^qUWVh-Xy8@Z5L;_gF}R398bZ<+QN~GC#XoT}V7yZ)R5KClj5~V3U8tS=dckdD zIjcstuqHT>pijQ+217Kh6QFrC&bw&qi3RWIHWY4$CbL`))ujYg_S%+q{wn$U7*tkepRnp zR89uONAa%x!RDi3B~@dTvqdNJ4yiOAis3f|c6Asj{E9v``-bv&jwW*Qa8pnx-6Tb( zCd}GC%mX&p46)k+ofA{V=I8gc^IJcFl;r8_1T_Dch)1v(?BmlXDQ1k9pO4#^+R|iQ zP~pMrhhB76_aahG-dQHfj^C`9p%V8sN~t||ECh5B(bRKnE-erztMqf@gY}$?DfQ9M z5EkvUW4g;Vf${J>gYvC;Gu)=Bl$6zEmxQ9?C8?HG+KsFw?9B7%q>abcLB!Mx6qN|d z>6^ z^%fr){cNJcgSt~{!7^S#?Xp=%^mAP@K0=NM8=;x1lq99hyVN*WM3~!9QU+$w^qYb0kw?Zic|#w~2{F3C%Mf7_CSZ!%5ERdHFq zNeLI=vVRpK9SJaG<7E-$!7UbQ!iS9+S)>>Wl8v@GGs3`MHJ7$wA1_5qRAWuXrzw

s)$fD@upC0y`T%R8CyTVhBs#kcpub%PdFP>)WvGP8@a<%HHnN9qgTR~Dp*awlkN z(BW1R?flvVtFHadyPDv}+I5mj5+Cd9lH@NszozegN;&D~XbI4)xD zJ!rS-xb?G$tK9MOc!Q@tsr8V`pZ%kjwRHPejWq5xLl`|@x->e6PGC#+t3;i=40eC% zQ^nJy5BYXgw1fc)B2N+fA1M8A?HXuLCa!k8R$9~8y3&S>NCKT)1@V>m$FIqSCZbz- zM^fF3I65bPSd+f46#`B~D6y=>(8|Md2vucSzD&%Xnoy)r7H`B=Da#s>(=8L9&3>!r z354M*;U|tbZ${*?gZdmEvwAPsXvB^v@jvAOz^jBw-t!;())mAb?-m}S{pWUQ z8mHF>(r5HLTp3#OW_kzk5AcF|$8nRFaT{&I_L+FNClZovdA0!Ho znl?1A6Q4bB+r3JuE|Ycj8`85>;-~KJyFSBV;@?W|Jhh)ma;%k)YqnSHv`i8OJcqs0 z8KsG8bWggb^>{8{xSlf!9Ct}NdpC_A6c+@{BlOjm;l~lHZab}dIGvV&CfnV1cL4zy z`nwgXM+S#)uLX@BmV9uh00Z}BwzPGJJVZskS8-kLV`yb+9vko;7;)V5`u#ISUGo4r zVEbwYbvpq0HI4z&u;kha;q<9vRE(QoZN8OokL+5(kO>m$X25j&8^NpZZKd?C> zfgSuu`1Uv14ESx9J(q_)cq^UGp!ifZBX0x(S1lgjvMp^oYgP3uwGKBZW-Wn)!@tT(05A);B2aaya%Ha z`?{5tF?F9e89F@dUE81VfdrhM3zu_1TU3H?R}#|~EPK6yvp(JKIC@=Ys>8%C&+{3} zB!Zp1{O=8uKhknqCiuei75ol9nAU2JAEDX#u3T@A;=n85#p-nbb`NNgE=N=oY;@Dd zdZh~3+*wKkuG*$)a`7B3VLhm~Z12_%4o_|Cze)Q<$$RvU4zxT!1@|s%jQIBeA&xH) zx+jtc!)!>OYxbDuh=xmv^3TZDW~6}s)VgsC+w@cLP^L9r6ZtbS%cjJf zO7l5e+SP&|D2)3lRm|YYu8OUtuBt>(t+-aKy$gA1GJl>+ht&m(&2X{HoVuOkiCsyl z{Bk7y+`UcuZFu+`lN*02W{4YAf+sxA`;#47h;;~R0<8Mw829&l!C{4_i?14I`^ntm z-+#5h7FqD`43lG%@Rs14#iNxi!GA|hq0A44r<_3^a}rX-CsGb|=2Vp_fk7VbXH>yI zfOAQDB$PMF!Y;SijW3?}mXmktSZ3mtBVzt{^$_(EC&g*hOtOl_HF2APu6k3So)PK6 zo9}uS&$x3Mf18cQS3}cvxcCk5%?ly+Os1@?tsCjv`O5n^3 z+4+4??=OnX(3JnAPStX-<;J=s6^f!J3as+^fuF3`%_n2y@AxB->gW126s;DQ`AA&x zcg<`RmBnH>*OEeR=1U1_vkq}AY=V}!->_@ettBwS5jh?xHZvB>V#OCiP_$^=l=ak+ z2Q6mkmo8N4Mp%r$z2@h68F?#2S-8rBR{mVDz^<0~Di1I&BG(v>%SE^-eyX;jjj^7m zf8oA}C3F>;7naj;ayaVi=U^&fw#xk;q>sENEX6xcan6}qD_+y}03oJ!VP?5kyU{1MEeYIU&@it1&R zN_J-!oegb#IHFF19|gY!H49tn(EM&Q4S8mjR?1%L9v6GQ?Qu!*Tt82r?A4%E1G#EOCjKW($v$z2w{!*i`ZY z?87h8wjvf0kuzfG$+pnK^)pY_1Ql@|mp?cXN;;0wkSVq=xE7_+#vW!gL6c64&MTMn<*qg+a@9R&?3#V~+G+QO+Q#2CoD3dz?%QE$lqU zS>YU9M*L9)ca5^HS~g%&d9q-#0M27P{mqWo|9ZNX71KKQ4fa-F>L5NK*3Q)-PajQw 
z$Wq-%GwqRpq@MqS>~XHFo1@MEz+=lNtGc_7Ze8%Pdyk_a`qw@tBOZe*j3HaaDGUrgOvU{$>KWqU;!_By}V?_psqZwRuQ*(?tZ|FnpctQvfpMhKu9x0qoO2&+UtIKnD_g#iYzfn zntCszzOe>R+1DGaf##M`%U8yl;7R$57{E)MuY*@mfc^S73E({&>Sal9?{R5kFZ{&u zIJV{z{pFWvzkTXD?|*m97l5xX@Q?xvP_IADt@oSc5B(Lz9&2#Y1pSH0V4CGp;T^Gn6keQsK_G{#|B2`cr%yjd+^ z%<{|haCD+);_$6H89K~=)w9&kAGrajySm!)WjE0f6Qp1zt|snHvUFK!oG1-`cMud-h_^0^iu9F$LU?tWfQ(nolUG@p#`Ui4&P2C2qfx2a}Bs zMjP}$oqg%PQ1YM4+|e#twwJsiEn+3)DU2M+mcT3eIVDG&1BK^BoSH%Ep!Bm+*nVRd zDPxJ3_V4*+fNdz};ZtA^WOVc=$Qt}P@B%;*6Z3KU@sqJpz`v0Ugbn^M`QG2(+M>KQ zzH7&4tdHR4;OC56fsdt$ZrL`xQtWP{$4ALu!dD}MmVHJca8+>9x%f3=sfWn;s<5zn@xl9xo!GJEAL>x0!e6ILG2C}T>zny z{UGUuTb@&_UkScd`L2_rFJE%8nCMoF|NiCgWG-E+JmVo3;p*&sBqBR*+CbH%NQLxn z?X?-Mj5Y8f^q9Y7v+j;!D_i4bq56GdZTf!;WJ^dn`c>x@m8BB`H2+Xgm3j1URQ+ez zMf)ix9WGJ+G3+jU47;x!Hzb4uPU)n0Kf&L@t~>V;b$$nk%ivp_xSTVhmR;RZb;mx} z__P4BOWdnPz-t%4(C3B>_%@}*j%yf5e768w2XPLuWg@KuSWH^AO+)SUEx&v3^7hGC z8hT%R25=vrJ=XT@Ns;r2I&M!POXwCKSKmD6DQ@i39>Q&dPw5a7#-FzKmoS#i@ja&n zyq~*x0&h*hI;|uRmuU*wU7h=dUjVPbGGK3;?|1(;r%Q+4z;wa=#{msJ%g3zPy!#bJ z6oal=@4f!(iziyIE0mDtK23v;-N-N7@2;k-j?LHaDl1ujJ3Wib-qwqq1Mjs<_nvs-NWszM-FX3tC7x&# zVI8;s7NRXtZ_UfvPx2#ukB5}3&ED0wvyco+-eY8-figA;4!CKOWC94xf;`1uU$h9Q z{BhyiykuN6-91}j^3c6HDjCLd1XnP@Ja740Mxv^431rq8`zAM|8u(E3SOLp|$@4|8 z^gJwg3d!TP>HXJ_B7(OCj}uF#=;ahP9C8)|8~e$hRLV$G$~N3~Yq2&i1Do0ZUofnJ^WBQc*`h$w&ja$J`5rjd{t=cqvEkc}P6wXYYq?;ofV9c(0Zdbf z5_ndNm}fAvIhEmXF{)U!)MGwKt2~>>iyFjgt8$-B$u@t9s1CeF@8MY_lEj*<62`uW zz>&i@&fAL=(LzBdga8k!_1J!Iz%Y4aDpbfO&Xn^_2xEmMRExJ!{Hpq^0x` zQj-fDlT{GMr#{4=8ELBVk`iw=={9n$MVc*gVPn^=Es|lA74eEcL$VU4l~@t0S`7V7 zor=I4Djv!c#ypA<9KDzFyP|{YZ%)N_9d`{QPX==eXHEr`{&3iMRh6vp;Iz zS5%{b%FE%@N|)|7pWqLBjNZA(^zp;Y^YFNncmJta{Pc89XFu{U(L|_LAvwO!p--em z!Czvo;ghR6wW1A2e!!QA8vOok;0qc>n{%!cf@&z<8dxcWK*Z4^tRiM8+@TLIUWP1@ zJIv*qHN~kIPQ-UHDyL*mRy+JpwpuInpc;x2pc#F6e1w63}gsFS=ieJZjv;2Ez4)WFe)}84zHSq@D_iiI-9T5DOEV+ zg>Is()GcFJ-p$^YuAGL~wAk}~N)MG%j6+2JGpr`m4Ofz%TIc>T=1P&2tW-Rs(zNI; 
zeYsIpxq#Gm|NH;yDeXisK&2qgnpDkN^Bd{Jh&v;S{z@eRO39kd);{tZ$E^@@mMOPQA1paoU)509AvSE>Y-w1=yUpX z(KTl33-Bn~BpNh$t%Or-zULdwXrws*n4tKyM(2!CRRt0&Vy@QghLV>^I4@$u!>-h{ z)sGPxGjlaUJ6xGwHe#_qpI0u4U-C|7+sTK1aIxwTU#Yp35;N{|s-{g5l_XP^-;=26 zr}HZn-E8-D77iKgY&7{3Fb*XK1(X{pVay+K;;RUT6*wi*Mc>Rx zPp>{J+kt(80bS6-3H;R$eV3@8_*O*f@OQlN-R9|55?@Dy4hG7G0 z^~BLcLJ$)$gjEcX`Pvb-nfBWvqf`^wRmIT$@Vn~CEPU!4m>Z$}tK~7G43@HK91wJP zsi;hDcur-hw&vApvVf)4$yfTL5v*n~i8_aoPZ}*@-+Szo1k3a&s+lc7%^oG*sP*3h zY5X|szW(R1``-JZ7%hfe^v>u#eJH3XgpFZ_nDa^?sPFC%B)@|#1DIi6#ovzOH$8h$ z0p?Smr{C7Qjz?;CC6B5>|IU1`UXJ_;w!;9H8*XM53%svDT|3t$#nj6Jr90XbkUC(O$fD>iGl=pe@_3oP|^yletM9r0IONS4BCGu8#h;~uOtbH#} zJ;=zoX%lst_h|?xRvVH*)ax1CyjXiY>HE~OH(PKUft=@SdXLz;b@KUY@v)`DX|OSK z*Z`F3^W>9OqUm>$Fz&JWI*dx>mw9u-ph%A+&WA&?Y6XhX3@o{LH;P+SI2QEV?c}QI zg(NxVC4!d7XATPHfx)>xAZ%Z+r&QG1`jW)n^S7-m$=yLL&JIQcYgOm*-mbQ3cS)lA zGC0N8E$FwaVTHFi4BGzNtX`*?`LrV6i`Q`iY@K>kJNJ7B*&I!u^AQ1!H9MeFUey&Z zc%vlm<(>R?e563r(HCgrO1z)TTe&f6a5wN}5OCr9!ZzNuuw@@H_~v@v+Z@ji1};2A zrb)uNJhe;{62EP`%tI)_sgPb1NFP8O5+h>qe^<=Ifi@HDi=d%LNN`F6XG#(#Z=->z zU?T(*Y!1nDEQI)}MN=z}u_{wDIYaV>5})I~$ITZreDmgt!p3T`gSwNFKDFq^ij_6cTKNo3OInet8K>NL8u5vb15`dY`zEq7vOapK!aZLzA#0Ik5vo8r zSR7u7p4ujnEkh0I7iVe}?K|w~(>vzo_@RomLnbDc+&QN&R3_e>M$OlBWCPkF3CW6- zQAT|Au+z{oBCi7(gS7)Vj4B1n_+{&MB-ulF@kth+ZYgUkXT6O6`4+@{z3jAA87O?T z8d6#nm(IySC5GWxDbw#RN*WZpb_VdWWT~QVU5i8tr|Dx~l%iw!^dw zqQ3qCnUsjr;$LhSnOBzR$&o{CXY%Rw8L`F;k|?+o>-b+3eo6Y%D`rZJnd(%~Fi#=) z2dbrOt7Li;U!_e7u6()-SpE~GpEjM<#ESn|WTli;osg*DnWWMFeU!{jd9zwd`HRqy zeA#%B1H)kO#LPsSykh-sMIQp5GrISxNJ4~dQMg5xls_gJ$0)<^Nm3?xYqqTO}@I z{P=ONN0!*E6nB$O1^b9r2`?%aeXx6xk*|G}VV?Ux<;4)4`ZtTAEF|N4A477azSCMnUCkEGx|2NBhk`uhwU~W^0z6$Eo(k_U?xopUUbb zj^wla)k)lb(k^Zbc22qb07>1<>I27!z@n!;z^3=yOwB;cmv>0Rf_Cq_un_;MuYhZP z=UYF?#>3`3s^X^4eM=Q_Hw5KciDct#?EFRaY4aHth~`o=@iGp0zZ@O~d34=-x-^Z$ z*Ae^egHuiuW}Xpk3E7Z@+ihpc*Wc~9JW9bvKXCcz zf**L&$%t3i+4s?XZ++iE^^1AhACVGc72CBuo*>4dem(@0+lHplB;Yl2k)GFXZwEzwO&sKkM$ zV3a^%4gU97fb}|ifXjH-rKaGBpHHvn6`;s_MSdBrjK%YA#eAAw)7lWafGQhBk!kzl 
zB}$7HJJh7=ry7B@u(gT_VdI{UyYri$CggJU4c5gjluP#t350$EQ( z&l?V0^QZ_3*q?%sve_#5S&#t}0{xy|9m4`wA(AggFLA`v8)HpMODuziCJ^`!Ki0Ea z%;=YY`9X0KJWV_|RiCz$-?FzRFdssfk!go9zm5PUc)AT4q-%4oWYm)EN(f?CamG&5 z;i1cw;KH0cw6ZA%!#_zaRx6AD9d*)*a+we4p7@=r>^9R<*2K!XlF!P1C?w1po+6D_ zoJ=#@C^v@1?e_C;z9e*C+t9PbVAX0n{yKhyoYkNlL(+{7;u1~R&R$!8n?xl$&Cu_y znX>SG@{>#{+E7q<`EkAEFq+AT0TQ`aHMb%m% zqQ&6r9X~-7N7*;3@a-CuPfdRbKDNwrMTvuK$fYY^K#}xKp=zUIbIQVsioA~#E4v{b zRdVurt;{xiSmn~P1;6EL*JF7iZ5o1j*(^Xr=6{z9$zp62dV}0+;McLTXtnwqWeTk8 z+iN={m9X6LGJC02F+T zGFbPGi8iy}?UfT>9rjR)G@`21Kl^fj;#QwJNl(V~wXVle85#ms%iB9XTm*&B#~gjnW`YOEPQqBeX0=7=Jc0QQQ^sd1UacY4dWI*wjoTIaQy2Qw)}YngU^ zja7cw@;~dZj4So4c&UG7nsZN16Evx?IFNz)nb(JRIT+s?>WF*wFx| z3_(m=4P()U{+rCi@Z-q&qq687IUU!XnI^6%QMnKj1{McQB6-U{B+SqPR)sain4QEV zyaDer+4xOZ1E+{kddVJs4Nwc$l|_^(B?({8j>f zPJ!vGm63dRl0NRzeN6E;tKgb*_-e|%^m&EM0}4DdhCgypqQk%NGMX_EwuZx-m1mUJ z2(yiTrLNz<9ObW_Bg@vHWI5Vu;l{1YRT?z9)%T4Z?a&~_yfyl)Q|o5 zb=_dTe_9*<8j#O2U@Wj@t7rCQvLkO7Q07Ng5hiPb`0P9Lnzxh00pa&u3% z-4N5|t&4w)xm_0Hh5Awhw3AO`QNh<4ZeY8>>Ymh+qBs!e_ zZJP1!;rI^8{{fjmX1`xG`@Sa0um^7S&T47mqK!|#j5&UkuAKYg@@utrSqi@S7&UYL zueV%fn-i!tGV0{QQK+vr>;73C>ADMl{{45iU2OF=kNeH{_u6r%XRcm6d&c}nAGqt} zKb^GlRd4=u)_Lp^r#ZiQ^|ZAfdw75Ltks`=V!Lbiel&XZtUVSx^z7bUiygA*YUy{z zN6ul6gOLp$|Biuw!gw}>Huwj|v+}~9R$X#gXz7ENJa3i77XN3^XH997-`sgU^X?%( z+w+}G9$#X-Zt|wPj(MG3;>1~ib}zYqo7%#kbK^eokq(gUmHM()x*IA68b@qeL?Q%zNgFii({^bEHow(8# z8vsYGc6;-R*AwbNOMTZ{>&Eqm#0?)thwbRUrn|SEzxmePO@38g^NDv~*y8&~x`&T8 zIBE8_OMaNU_0{*V$|Em4^V~g~{!BP(){hQMeR%G{CK;`G!E4+4+vb)b*C8U^5^g$XnF>i##T6VDqdr0LXW2h zm`L5;!rx(k`yDqbq(pU5Ki1X`!%XX-FD7qv@$MKRL~OJ`HuFg*|2r zRdIB6dZ4MuEtUW0HQ;%M|4cHP`|l(bMKAn&sx5q+u(ImIwqZ+6iYL+zk%b0=GXiWA z3t9sZb$zd&g$0}`x}K7+lFgCR_eX_7vpksCT({yg3Bt-MskG#ec!Z&yffB=94gu8i zs5+qRpedMO32v3crXXUy1S2c`(x?@(V>+SGXj#sT@qrnpoZM(2)!2kOafWr37Fa;( zWr{Wt;q75%Qp&*Pnz$nv^(^QeL`|iTI;EFJmvS`Uqa*&}+D&t88 z=r3G9rG=zvx}Yj_@ss4^$3m84Dm1$=Ir)!ihgAGY+F|-S5J(DjJ<%%Krm>J)M7~QR zd>{%{J;P)&6oxqEvEP7Ncq6W*XbaLZX2u%jv7v1e$#9ZXre`oHJ3}Ou(%KzM_6PYa 
z)9X#(sUGC5=5Ww*lRhah`EW#xXu=w21lelHOllOxN|rRi5MZj!2;v(9hAW zUMDBi2ay^`PB>!isHgK7*X<}&U7plSnl6ZyFKCU3H|^%l)<-HAAu_f}&7D$3Stwb`YYAcg=2Pj1W!Q z7xAyaeliR5{c+~++-nu5@}E~;`5%`@oaB+uWk2jUGLN{Zq2^Qe11*Z1MM_1xP{5>4 ztylpP0z(g_VyDw+s8A)D>I7l88rq;?Op+Wm3OECy5PmYr6_RzU-W84RBt)y7sb>;U zvxF1@yU|j;+#oH$rGBy#Q{zF{D|02NG3m$I30%yy_FK8z?p^c8!rWgvZ0V~W!>FehaBWKZJDCYI|M zl9U_4;soGrDe97X2aNyQ&B9@AqN=?d%hvb!T-UL>-wPE%~%*zNz;rbosU=et6;}lo(HyxMw=xY~Zw>8atz4dnO4J^kWw#7keNfb@Eo_K74NOtG zqj5dk?vH>jA9Pc83WJ92PG@?b1+3A%u_6Hg%NHsj~271Ljq=ppXDZXB zCDl+$q-8J$T!aiK)~LclswUbg&rd3Jo3YT*DBo<4x~Z;7j|a(GXcS^J>uCWLCdPcx z9o3|&KEs1%c+dFiniZ@FiCi{^7XK^v5wIA_Tv*2DMQ@$4NQTJtDw(^aJEX!hpo z?Zm#2Nv}U&`pqwni(5bJBWE1D*)Ok?o>*zw)eqS5+JoNdE7^nh7LKY_s;B(ugA*RP z{du~-A8ckKgzURi(mmaT-%!=+9W&s=)<#%YgTx67fESud`?>AovIJo|;` zuekQPqt;vFnR{l~ib5YyGLd(|woh^8EbMvcutJxl0b%yt37c=l<~U zZMV2~Csp3)siO{FVwoqyM|XSVg%!_#BV2!r?>u<-x~By3#fj{-2VHmZ`=@xv-n-`o z@2~ghWHwl(V4k=Xl(Nxf(U$FiM0`mW~|C{{ntN*Eu@-`P2 z*eaT@R2QxOM`Gzk>HkK<4WwHp$QqnWI#JoI0n9K0scK{TQU!vmRuu6b8H(*Fmqm(b zE9s7O&2;o`4W>hwuTQ#VhmFK?Bh@RVc^ika0GBFjLq#*Sfm(8MWu7Vwe4{pi@Ul1d z0+wTC&!kPf+U9wPE0^`@VjK;9W-y_t;jk2VfSC*1NHM_53hvu+pU?K2lOAhWwxjg% zpo=!NOux+KJ1w%~gSc(*MFcNXo(eM4JC4$q|rx|gmF z18*$SShbxjyI@KWn;i|7nw&r4$ao@fZ45GtNERrV1?j8R|73##W=REMh$VTtALJxa zY{@O7VDh;^evJ6pJW>txfs|DZ*dMV?iA|THgjmdL+)%5-K-?@vg+^4)x;>e4sF6xH zp?r-}^CLmD%Xyj6qd>2EI7|1Dj6Z~=l&O)NAt&=(R~ro=pp+gL$ySSw)k?=rP=u=Z zMuzCx!vbC{qjFZnrItuS&h!Dza1))Z8Rgxu-T)EQav6El1-fxx@Y1!EXraDmVhzD= z&~dd2wz*-+AY^6GuP3|WgdW97w`^CKo;xZk*@;h8I@N|#f`DFDl*hGN9;T>aM(L(3 zHi4yTJi_F=Wo46@az-V?T-Z(Ob+(5ArG^zZBSF&!oS*fR zm70!2I26P7}AqK5y@ByG?R^ldQ@q! 
zU0fTYY!e|dJXcX-#lyKCEzyjNICy=a4jC^QSEinrV=8fpmT3(rmWyI98wU-M5YZL{ z#Z*PpD|xBHIb2&NvcqN_#)-Tr)_b`LmhK8RsX3$P{tR5+`ezTe=RDx)%gEh7i zF?7$-m10zg8%oy$5_-tk9y2g1YB+J>x+XHoT3ZYl8YRJjK7^~blnt?+zaOnRnLl6x9Ch{Kw zn#uot9rjuN^MQWB``-ZmLrlNo1WaLHfd9bXME*lj5RrsY;w$xkJ9N$y-YKUfEq9lv z)?e`5Q@8w}y3e)GC7xS)^|@#MN<8=Ej(*?IciQ}*4fbB|MWu8_Wsl71#8w|3vG0Aq zIpLtmjc?jlZGXtgx9`8^=zFJq=Y^nh;_?CTtNB0pE;i@1^Om}6@cOaO-=AYn%{Nyo zWgfiYD3QPS?u)lFu0H$p*Ux$E*AM(`_p=Y)_x1yg>Id#JJFL1vJO7hQ{`}mpUpxA| zJ&l{m#Shd@-pknIk4*Q_%HCHE)=a*8(a&e?u}b{Y?uS>-DeXo35AOTc{M$ zJ+c2Q%lzi8#=7#u&pmtaW#~sII^o5g9}L!f_K#$=#GE}&PM+cK{nib;yK%^ zrw?=UcJJ@kTkSh$%YTD8n<^iDck=1t58rwNFZEVE^n`=Ax%A07H+m0ku}y#HJa6#V zUB32}YrLL5?e$rAFU`$^KDe;*U-O%Lb@UAO z!L3JZx5M@RA71)U-RvZ!yW1)69J=IrYdvw-L3{rE$|vT$bLi#g9kO*2$}hg@pVq5y zwfGCvJ!}7L)(w}ppI-NPdzpbIJn-c5tCgN`w|EB{t}A^|xbuM>_F3+X4d0q|;P&C!YzIFZI5UG-%YPLL{pOoS+&VT-C|F>@=|3N}(m{gHyIj~*o2-Oq6x!voOreU8$3QWULXnE-Q3gTMMb1-NP)n~Ed6x}PsGdqI zX>Ft<2@zwtK;saJ)f=?h$|-hGgX_b50qBx>HQ#Fse5;X4kzIrD3%Zk9eRI&~Ax(ZDVVHhs;D0bYdX93eu+)OxCaWdYj&`Ca7Mz8=jqk#-2+Cv|f zCW9mkqJ?Z>q%=i|k7~IR)~ghYbRj#HraF*q8pW^J|IHr_(|n^N)(AL&GmWrLjjA95 zwPcJG<)D@577VI8ku5MDQwgEs!K&LxSV*oMPW+e$s&!-BWCEj8u9=O(1mrp(F5#)V z*#r@EgiCVP2h&*=FK97r1bmt9^eMeofvWW}-0?>mFjP|FgmFg(C-S~)km-K2P**uG z>SZZVce0^dw-chfCBPUma}2%CuBbG?xOBZ^*R8n`F-#-Nlb z%b94D>@nGF(F+PW7bg9;TAWY@>YBf<|sH)nO*>MMHYIddw zDPGRPYOcbK6`m?jGL4qcCB~qUR|cTcZfgN(wJ3ek1loL=q*HaFM%IeyNEoPOhatx1 z|LyrdIA(XX&vCK;S?R%#`49B%<3EcOZvMu97N!3iALAvd1l8J*4#<#`0f%v|fembj zG$;1BSj|(8Jz-Fg(!6v{Aw1VG5?~{YQYZ-Wc)#FGpcYSfSuNYq0WQotQ^(Zy*;b77 zf+12BhrJY4tE*}bqZC%AYi>Do)j-x+he$?De*mHp&Lz`HvWOOkKwX~n_*MZe_s3qY z=(SrlIGOW@NjS|W@ftMMH{^RbBzSd^ zs1IYa)00)PQn135uY))}4w{n!5vN3w>ZFEk#TloJ#IVe|NM@W!mIGiAr_rGeld=Q- zZ_oev`~Gi>H2+646|>eG^_kwdz%}Z1gI4`+BN&YZECEC;Su(Yj6FMFS)0AnHM_8fG z=~<^o=LK`R5$aKx@%Rz1f?jV>t0kF!U|UQHvfV^5btpZUR7kdra|6y`GCd=m%qC4^ zD!U0gOcAM3cbrPOupH&Wnx2_PFt}e+`-ybR9r!hWl9d6A&+2V`BIGN*a<*614S)K- zGNL1lQFoH;wF@8vK}|m~$!pq35lh4fnS|5l%)x++VaCRRR2=wyxtW2+C528(xS{4~ 
zI5h@aoRCcpbSj0j{r*tqMN9IF!a&f|9-HEz5UwfmaG3Fcb_?da6)G2Wl2}=a%c23n zUB9LxDDOv1)F(5TUT_U*G{6aoV-b?3^MR^nq4o^snZZ0Wm}ds_%wV1w%=4dN2!bKs zNd7a^|LtqB&+wn4*ZMtp&A*@jkO+n^1USeSssBO#f&bv&0RBUwIEf`G0!6+G|GB>X z^6V|2CBVk=w;ohm{>G)(A*0$Uowp9U_1S^g>fL+z%fH)eqb)7)(k%yX6qjSyT>i8L zs~&r0Y4i5g%bt1d`AeU;iWmN|GH1Puzaw0F&a&y-?gCGG7GCr9ZFj7i;jNcEcv$P! z+t;6U~G z+rzJH``nyEd+m4H8(dac?2Pd)*X^?G=?_dcTKTo-9y;Ll6MJtiy~nISth>@G#~-sz zWu4ACcWwB@_N7-;;_jWU+H#HGAK7`&o^#Vhvzy!QPuYvV%wF-n_Sf^D`pf+Lw%H^B z9Az)RM19x%oPE`Mp70&YI*l}nJDFIJE2ZuR)n zd)>;Oy4<;QmUwCV6PG>f;rDNzd)0I2UAOFuOD@>viJk9y`>G{6N1Zr#-8)V_;AW{M zr0;#;4dtWtpyic6UE0u(KeN3_@h?lByx-hN20AzFaNcQe$nVTQL4glDNzWAyhn9@c~1$TB$12 zOy$ia==8@84eQCc&U5J|2T$);bx7q~Vj>ULTSK12uxxHj zN-+3ryBVV#(^gF@kr?F(1ZL$nBrJ)e+R*Ak5=dL9krND!?bdn;LEy+p9TvKS1fFPxrB_%T{g13q|KIBAmtk7l8q@ya2NJTP&q-H7*e6JN%QLt}*rCnAmQMHYb#=hL5zx8r?5DjBG)&fC}&s z=#7)vJZZJ6a;^}LMm>$A!Nw@-RjE{2NKTjZsBZJcPAk<&7jh6K&|Hfi&`^a^5i$avs1#6fqX&rQ!45LbpOB1z3*y+7YQR=Fl?M_L?E3+W}-|##YKxtL1b|QZx@KGF-rV zbzhEqsO@OEan6Z5fCo)v1h#7hxDyIk#xglGBv>*oWJHjL9WigWH9aV3bf_h~mW|ZO zLa$*>Y`>?NLRA?91u%#!MNx`tHd|GFQPw1@p+ywbue)>xHdCoEpLIKNt>PpHIepNU z49PY-Dk#hLG;F#6Z!@k^^MaU=#xcdQ71yHhG}$XfU1r?sq#2|$g0dAS?*`1&2j^5$ zjWoCg8>|lsY$pWDET+_(JgZNf|K>mWFrVsu-uxf!Q~txTbfGuBuOIWDSZFWgKj6pw z=W~29&1OrPQcBl&u@cHM%4jt;4Dcaf^=j-OEtE!OlEUbv+q3R?H6suu~$-0}SD-DQCW+*3W4BLj_Oz7@t;_{6^ z?zOrB(ICeOy0p6iJn>DIp&lDBDnUC0XSqSsEN1KN1G?KVh z>dD<)G<7WrX_P@*V}p+>p_?=?COhuUAeUwhSDd(L1Ukg6i^7Ksl+^yEBl{Z{}n-|_a zp|SE! 
zuL#XrcD}#Ty7Qj)_nz~>R;#sd+3KuE&YJi7Vn>Tx-oDt6Z+!4-fev80=ZaDL0d6{R9+-&O?j+}qt*-kXCF!W}p4a>C1pp8nCgAI`7e`Qt5@d;G;~9y{>()82h&+ikYD&ZNG()-@n}6+g-`6w9Ko2y7!syEV(s!Oy=n0w_hxE`nt=ttjBjf{E15* zd-}T8Vd@VSU-#C(-kP{NH$HjEAC-4{V4o#-e<_u3&i>tX-(`O`n>=jQ%Qt?Q=!4%& zUjF6w|0n+c-(3HLe0Kg1G1LF^Yq2lGfATfF4uAXjk7SpysbIzOmD(ckpUM9#{0EgL z3*S3EDpdGI#?m%s9eZITtjta4DnJAXMsLMK_%(7A092L4e&$4T-eGu?01icfdkcv!ZcUqd_a5 zE)6?US*}LyCf=#@q#@cwQs#(8o=QZ`IEJ)1K>-lLr&Ne*w9vS3Rs4h;i&}}ymDQMR z1_{2xvM6H(#Y)xb!db&C*4RV@d770d5518NP1T?|201Rl=4*lH3UMUrZkH%zitXa4 zZA0ZikL6)rjcdh{OJ)?N&JBmTvQCrZrUSPULmyxikT#1DUkdQfkjQ5P*BwuTa%?8X6(yO-A&oKFk+NW!$^xWSg2-|}6!b_*7W87q zffI@%Q+3Ub?Mk~N!MS?FNE2zMGZ{HKjns+?N#+Nsnuiqf77Mf$U$sWKNcH=uT$M^? z5S1)DC`3&mVfmRMIZg<8pOu3)>9l&eCIumMvoMC5y3&pb&;ybhoS5KpX;O~^(T!9| zYmgjO`YQE5?82P?Q2#p@D_Eq~n@Ku;oB7Y8gqy$dpUI-|pRzHCXr(k7gFvL0%}$ho zQ3Fi}j@TU4P$2_*6NAD7+>P9@Dk)vJN6!!lZp!?;BjGQgy4=G0_0 z3aW9AXjMl|SZn7jR}ppH>nByg8+oHjv7_)&f-*?iGluR^vV9n*2xRQ#O@JxzU9OG| zsyx(!jjX${fo9LfikVTW$P+?i%)*62uLrwiU&?t=pL8q9awVung>md*kOxGxDEY1W zpam6OSrNL>XIg-iPr7tn zs};<=j-=~VFk%LNi?P#*8kZAqY2wVxa%ZAfZI)MU>Wv8HwfuclpibPz(CW0ps?VJ-JdVbPO8Wp6F!V68r9vhXe z&$q_aO0LWHeYa5&+q%$j1j#2v2pGwf-V^hzjF;+=X$nCl$2X;@M6#1{n~(@oY?m#v zJRZxc@AwUuAmWx<<>XF#GNj2eGQA67j?EWS7D_ZtI1i=*#V?Yr%5W;tZMev*2BDh? 
zE11ARKbn{#YxT-xgr(?^h?5+c1cJIha^={LQ)!hA`&KSdq9JiOffJ6dKz+56Y|7OV z!%Z9^u;`hZpBZ2@1B_;X(F`z}0Y?9Mh9DUBjpRQw{eQj|`z-(2>AdYn|9<{Mp#(vZ zIEkTOfd63sz<-Eu0RN$|BmpNO6obAB|G9*_W>4-Hzy9OhXFPi5CL2_8=Os3IUV56}C6`RlspJlGQc_)6n~OA5Ko9)D?Yp?ylV}SBwRGqu}1H*H6jhC9kUIcw` zOn1{$wz=uzP3ZeqSZmGW&i=!^P4`}&(h|gvZ@6JFy6>d(-_dr6(^u?x=9{Kon|I3_p51(@I zj&HuZmAX8-KK#zf8@}<&0Ao6j73=pMvd8K3ac!l@wBpNu^1+6Cp1$&Z%3hacF8Gah z!maxseacE_?)SuN?&YuCcEpwZ+N0-ZJ$&gd?td+Z9e1JJ{_zPnh|6+EKJd&RS47*$ zk((cJQ2U@td&BR`Z7t}fJ`c-}5SUzq<$|8)LO{oBWX+7rpHVbY|EN^E{n z`A=z4>VI;5Bn*juo@t=Tdag0xfkf9R@Ew5_U@6F!gF#xY`kkR=PgO)|PzAevvehWG zeM^J0Qa0PvVXR#-Yj`K=3RW6SO%K3m)dH^u$rx^tWYtOOi6C9W-9)oKEIWCzY?mX# zEA^W#ofapdr8jd`HK@fU5);aj=Kx+cPqip-q-z@Gc9Mfou0;qGfJwXSuualIyZs7G zH*B*h53CT$iS0p)D7bCG2Zv?@P6DPd^c{iey1Z)(ip8f7B`#DpWNJ6m%4~d0> z)Icc#N-^w&YS!Cks^d3!A1zgQPIVJ`Sz=fqMN56N+71G(f(51In3`(Ze!p1e%}(GG zQk?JULf&^WV~aj^$Lryj?-fEh|;kv(!m){z^#0UP;|M_ zpwb?s`vXwdWqA^o>l$Bi3_Ug@&nV^xErtYyZd^g~jNw|<0+)5ORZ{Yl2HZg#L<^V8 zof0XPxp6%-*ltbf!0gbTs%0=rjh$2@$mD!Lw1N&>%o-lUk4@a~ll5HGPSKhqS{56R z0#qGT3V!6(^=`hOoUSva(KW?pZZa-*ILR@AW|~NLksfU{5>5$)5llsG*!(|=*?;9? z!G$@*sQh;>wqg^x;^!dt|EwJ1$NUHR_VJ%Z3OD~h|B)7H{!eAlM}rQIP6WW<84eF? 
zN!2n0t-|yMt$L5IRqDke-b|HLI7;LT=!6T4VK(R1sch0LkVvyVXeU&#E;f9CtTZ7q zEJyrs)G5`8BGar8ScXI+8l)+w7DZ!iOqD1f4Z{Ye$5ERON0wbd{jn z9}`?7<&Z|HqZHe1xgvsE+Irt=)ijv#IqJjZnO}i#y$TVQaLa z?N8$thUV%S1qvXimGf*nmFaZ#ko7Px*Vc(<%IuT*fkgwOM$eUVAlK{(Nz+h34q-qT zFLijaQuLt;Bvz9NSyqM&4VBCEm`nQgypN8F-k={j4Icwcf2bHuui@v^aw=+#WZZIRjATMQZ2h-H*(bU0@Um6sL~iwDu|bS(#NtuzB}x&)j?dYrHDx}sk62* zT~l=<6)2&Wl_ge2VqXy}$x@!nl8$G*h9THv$ZazYCMDkbBesBe@?CRKKTkSkUrsW^l{E=n2{RQHJK zgT@T!nc+M$oM(pf%y6C=&NE}58iHW>H^B7=y4RM&e&& z{tx~S{D=Go@Sh|K!_z2_CBIVtw|!^N+4iOT_FFLTou9kW_wG7n!BUTXxXNDhR?m;% zgw`{0o~-oRdW{Ki#ynKxEA>HP)VW9PpAWHzztDyQDx`@uT$1gG$VaO~+Dm^WXt?4LuTmfiDkH-pgct-tsA=H}b| zXc73&8h@1cJLZbZo?qwbrT2N@m3?oj)}2#lKivQRTlPk$%~@}|-`+9%fJ3i4;jt^h zd53=Q*yFD$Zn*IynR|}={pj)boR^q=i-*)-d84)Tvp>1?9O63%oX+juI-(fAdD~42 zXutIG+`TX-%Aa`V&gZNiD35=5!5wEb@A{#7%X9Z%U)a|8-EW^cF`AdX=d3q=eE0r$ zU9upX++rJThhuNV)64FcUTOp7wl~jLH~w(lH>F)kaLI!w^Umfs*H)fYk2$Ot|cN9nQ|DlI#P;$&c@>QKguV>)gHSBD;6@}hCnJ=E>PecWl0!_?Wm_n)lGW)KAgkHRp$1daT7Is_WCCXx zs2JZKOJN=uKy4AKw=`O-Hc-f9M8|Y^T&r}N}G_FMfn9piovHmC51evO-n5^VSHrky`C|bd)9iD49l}M``2-lnQ;L>-5tRGl;A@widpk{Ko6t&?gY z#*lE}q8StI6IE-1bbyhEaJqupN`HdtrolDBs#nhEI#MBY>vB$pMj(0;A#1f_Gl~oCY&qmoH6>rQ!SsZVQE^BX zP>$$<95JdC6EPx7V;<0*xCv**gSHbF(PTF<2!;cv+WsoJ#l%7v8)g2^#hO(;*Ph8O zew+EvqJ*2j@t;MR|09N~l&4IJrP2UN=}-ZY>Vi`h%o3|)u`HpcYitIjL_6)7^=zxs zaVil!#w(^j?s+Mg>Oy)q57)#<%Blccbn8~fLsD%=V@pPquXa-TQH-H&KFl$7uwe#+ zd@tJ2p$DpNT+4%K zA}K)JK=7EX1QsN?02}pEBkYBVb`AkjV<+qPG6lVpX>r3zry`=HT^%O-NFLWLqKS;N zgrb#-a7)DGRIk$YC8g3)BT#InQxI$bMY@~S&AK*3KAr!QC-Q9j^Y~BqQ~r~+Y4e}+ zA9mrapEk5`BoLUOKc4mTdF)4_#wDPMdj?(a1@#&jQg$pCcoEbSX0M!RCCG+Tt$KYh z6`HwxhUhTml4`h=Je>Gk!%mCMpn(CCuvTqn^lYD>I7ymIQW@U@nXVV7JMFFz`h>$l z0v~I95AA@y3VTe^H|4%;VSx!1zz9$TOH8&fOi$IZY#gIw*`{)kl^^I@&l!{>K1kI@ zBO)#}(NV%Jk{+VLZMWUYrZb#U;tIgHisDJUEVyEoE2@cv>h-xos#1{>Mr7G+Vp2BE zk>C>axX=gP2I+_+Ch~QU=y&;|Z=``zmh4tWHO!9eYNt#jMTw%);J_(%>a~GFx1l}) zWilxwOjK~Cm2>3^o~%&0VYWV;ZUsmJV7xrEQ=rjgal;=N$}pZ`KQruShW*U2pBeTu 
z!+vJ$e;R^d#5a=v;4}HZufsmee=ZS_y}kkbhs4k%wlE|71^5r~P2@jG6d_26{A&E? zr;mi$2Y-ZS_rLcj=ZHs+eyQ`~_?Ed_K6>+Z{EqZS*Bo@hY1)n7zxLE$=1(~E19-i5 zu;i-mo^#ingXe5=(REL~cg|0@NvB`Ge(&mY7j~ZKH$M8MZEnBnt)DJ_RO0z1g{|E? z)_LHN@1F5~^VK6yzy7KHx4ie6r>;AB>37RJoG^FWE!KZ>qiuHi%@!NqyWqAv?-6#s zE)%rH@QEt*xU>ETX5|5k6w3veeK7E=k${b*X_bT@z+N#JH=Uh{-f_d zc*2b*?}Q)w)OA<9kK<2WaMhltU-H|_H{NKkclOnP_oLB;*R!h}^n=#};=$)`{mELu zanEeE&%4^y^IsjN-rN1jN7h*UnAhje+3$|YvA@gx;-YZ1KOVja{O8zx56d6DT(vrX z{)3A@Sjpj=KQVXdSLW~Y>{2i7@Yof<-E#f)?2R7#&Ud%Dw&`- zf9S%GPThO=S9iT;v3uXXc6`=vx14*^v9(>8Wzlf0z0c#Q#nF`?+jot>Y^X`^U$-Z^ z40Fz2ha5BOwzUiaFw$pI&^CdGB^-zi`0G>-_TIyHC34V6q(T zesH|^&dtMLzUb<~A-k@B_xRYGuRb}y&B5&Pr_Q~$d)yW$ZF|QR7cE1{VN)S_GS2w9}lKa z{NFbIgG-e>DzO|QO=|cT=Rf~+{?E6O|17Ng!51>1yuHZvKea`v|1rji;n*q#9c>z= z4YB0|0xU@>y(vk>BEq?>%cl?}*HMe9xC(M?&C|wds_6-Wp|WI-ERTY=<+^N=ArU{} zRBA3zYRNq8TTQWSRhwZV?q@p%zvGbugKpG7x7nN&<)}0!oNj1kYDCe_W0>Ql)4Vtd zV|&N~^`a_uq>Ap_wVv+x8~vD5sbFXg@kv!$uj3h!?IYAgYm$tFuB-QVuEOm z`6Ao{T$Cojsn)eY%4$&*n+%H-6GukbY-hBNG3dwnBpW8Da+%6P;S?1gIqR~PZpsTml;*kd`2<-o-@WRUMMOJQQ-^1IAoAP zMVhYfe%sH~=m1EMDw$D{MJX9?)eJBZ6BJxaAhm*Op*ov#6|iF@Tvik51{8Eg2APW_ zXPmLfo+LE}($kA$6Red@(^?>m^jTV`SZw}n~b|KVcYeyq!rnf&5^ z^B?rv$A1cFm;aU8P_Fl505)XGpbGv!ya8N_PnVRM90l?h`)Qp;?0 z$5?vo7RgqI?3h`!A@tQE&j@LoC{h_!1$Y`$t&S_@Goo4Koh(|N#+pf1i+Y(5(K2{H z@5ULYYA1+hKcLH%-heUE64Go}Br#bw$3Q1GB9~S&Nsn-QMK)24g3kZP-hF^ePL>Vh zrwajDkS0nOaAAP-CN*^?lSwj@Or``xCR0-;)00U+LE6%r^e&))B8ZC!NbexMNbgm8 zuLA$G^7;8HqAd8~@_)~BU3;Cg=UnG(&Lq$MocsCheLsbM>`MtwGwF2F9|-KQi%h$Q6ZwT4#^Xo2AN)U z64o)bAT$%&&j=MI6KITR1Fjg9iPC_wE!&UHpw|& zlFOv>VG1+5aZvX_xP{jwpcI!%Ry6F|`d{mRR9g|fPw^i%{a63VCk*{h{b%N(`A7fx zm;K;?e{2Z%X;@_A9%{9qrZ~*^TSyi&Wk&AhOKAW@uS4YY~Vr#Gy&^CQHMHl)&yz9D`&e_q14ywDcz7I zYT%}mtQewbManm8wm-J4^oY#2`(-a2(|DoZja?H0w2G^bi>~8Jl*Og>Qmb7IH9JXV z^8L03Yh=5EvQaPPi!3!!QKDR_l_m^pha{;fZY$~lGDVepjbhQLi*?SZC~8vlYRf09pK|XvpBwy0yzz&A`g?o)c{P2>PFsDWdc>2D{+Zcj?uPSjx%W*$ z_`^CsT%*0m5f`0t?0!q{Tk_t1==z7mWvvTdI%m^EuQ=`1gWtKRmd~yDE_|PI);0M4 
z^FIKKYajU35+59O%z9U|_Z)xuwXd8R?69W$=MA3S<@6Q{bTzTyO&syctSdH3xuANS%h%bsx7$@TWC zlTALn^0uwfWp6q0m~HOf72KZs$*$q^!z~xWf1sC71@@-aedWO`R{hhK?;aKSXaD9` z8{WEG<>_r+yXVjO756y%PU^`yTUGCVaf4;0t6ve%{`wZ>_9F*8vHWW7r_SDex!0>Z zt+DorzkL0!?Vs7>qQ#D1`PdD9x9(NfZn(@Jd=I+{aPT%FI6VT0%zoY;C>K^(B zzg;>QWuyHcyJnR?Z@G?5 zH`ji9pXzw!4^C@Uo?T5nZI`X%ExF-Fr){vw-M3x&+US;-KiGSn$L@IeyHBrl*J~f{ zxyoGi_SQAWoV4RRhkw5L|8e~PFZ&PtPyA>0{I@S;RSs*qa!l+DRS)_>ZO;wrJm zOQ`Bf=x6tze|r8;=d0#F8qYv#u^y?37k`fWpZdc1kC*iZV%!s&M4H0I2@V0BEU)Qh zH*B^W5F_h#ej@Pr097c)G%>CXpO9OKlMsIF+nSiUgV$LDu&xaSdPw-BGCp zSJ-kDOf%-lmO>Zyi>}jTMGx$l6E`hakd7($h3=%oF`ZO^ba5+9uu!@U!WJ+d=AmK7 zl}A`@CIQRJ{m|$L4N6yRp_nTeVu@n-5sQ_&H8n#kH53|T10{}n2``PR<2(wmVnR(| zIVVkIml`k~5GiSv!M|>T}xL~)EYRgl3Bwz39oprI|i*rYl7k)Bo?|rE)t4g z%zyYU=u!-kF|!hdT0_Ch7#bL{O{1aPm;o1?Gt;?l_1RJo+7mJBjvH9FGk}>)x($nT z1@LT^Z4&J`om2?0T()XNePeqaT(oT)G*%lYjcwazW81d58{2l$I6Jn}xUp^9*4{Vg z+*vDsM;)7#^q_3TdX@n(dkr2kC=YmF%)e|W+= zCJN*Ps`YVxV}h2JZYX{@PtE}{JGCv;fBeQ9gcHPv?%sZAlZ&A``9*B~-EXL1J0R(c z7Q*2xX{T5;LMr4p6$atD?0=r@3uL;mw&rgy*3h#^W~R*}WD`jz-&pU_efrR+69sm^ z3@V~ZSQdy8#02RE?!{9h7YRjY*|E_ssyV`zV8=MhX!UTh7M~PRBAr6jWGomVqpwiM z7j`ud21?VMp(Q6@$U7CT6ofGD3a$t8_s73=pz1J%Oz5~I&r@1>MXMzYV>+cf) z%)@uWa$@N!;ms2=OhXT8_Ul&x-cziRUkw|vipBUWxigiR6VgjX6%P>0!e_dg3K(pi z$C2Zx_Q{dl5{yq-~!$L=TNz|~a(5uDZK~`g$m!elSi^PAgwa2c*-#s928*9qK34y9g z-lZf(lrOL3MZy)SNrIMACYV$-U`HnCLm35mBZpDt~t``;>O<>?m0oSu~H$t zZ*rGNQeq{aw`NNE;|7QANM2KpV_ju-Eg+4>vtS;96fChg!jZ&KGrPAlV97Ptocvpt z_kt}V6X|JHW{}f7kVOCju@}9eB64j1lY-|fN#+HsKrpXBFr6m{s2p6Bq_7Bn2l_ky z735KXv}uxw`At`6qK>&hv>|6$w8mhAq^OM=;cTvXbkjK|cWc!nAn{v5sh)qbS(74c zp%4C;bI7wDg;j1?F>`{2>aNhaZnot|;KZNQi2c9FC&MrLap67>8R;-$_gtLNlzSA$ z&AQCaSuuuU9Dg$f)nr9`;bEI&M<8LzewIxKWs-fJucYOu#tza~aNw>c0A)QmrX z#-)=8L08@$P98zocc)tpVv))ER`RE)#C<3OP5mS-`p^}E(!tu1yGbdT)(wb8 zz-cxs4^&-flsv8t*`udJK50#mL2H;~J>&Ziz)>)PhVvw!t)NE$0QKGvkjr!ZlY?77 zU<+Uf70R3(47bbrjPig25@mz{K^CG*C~*b&GlScl89HT*Lhithr#n#>PV)g8w=whv zb!|GxfRmP%s#Hd&r_GMlog=yCRg#bMC1s_?RXpGu?WHMx>E&G(;dPCDn!g6f667xl 
zuJ=#uT(p;2(=G6+}R{I5m1%K-ludlkPeF zd0<%cmggmT8eK3L|N3sDa${AY2XFI!+%B%?{SXdoaI<$XCJjsS2v<<=X>(}4<2aZ1 z>SF}CCS(-uXk&|CTASu!W9>?BC%QORaJwRDQ}?ueuLp268tC(UwYmOU5vC4$ESbuc zvVEKE^eD!ACH(2a!%jutyy6103Eo{CX5`ioG#gt2G;}ecTDMd-yt!eu;H5Q`HZOrs z+-FnI1TUT(04K{Z9^HEi!=TGQUHupO%U6{PhrAgtDAle5Gg|`r_a8@_n}-n%9PgIS zN>9z?o+w@~O9}*jpg0ZMs`{hP9QaYom6Qjg8jlYUp{mzt(Iu*@bA|nFvuAbnsHc0* z$H9ivMCaU}tWurOd-oP=vB!pbH?g$pjbQzxQ}CC4>-H4J%aDgb^yB+wf1U#ffDgv% z1vz{s&kaVO`9P45jmV&d&+U%;_7xb#rWCzzEilet1Mm#!)v`Pm*ZMZf7vnQHPL!Q!TA_G5+EkBX9-6I$!?_Z&=212R`>%E2hjYO60_@zZEj!}d!~oPqr_(msD~Fym}0=~UX3OEjy= zgw<&4*T;dZtQyDX!4Ega0ck?ZagCTnEuFabH%2sH`Hka8HDrut%PJ_sa6fXlm^uRZ zs(Iv{SVoD1$ISOfVE{sk&J|8B3HgZ|N+#yX3xTY{2F#JB~q)50(aQrIc95`RNJX99@$TBF` zwQBOSP3d=(RZ~2M7dP~-*bn?c*P-$Rd~0GhlUX6f&^P|>wA}grdgz0Sp+*~H{2h^# z@3|6*iWfLsXaRn<*sreXKZ|ICl#mzV(L-Z(%IhIf-{;BN+?C?3GZ~%c2-1t$1=xH# z(HB|uaI!`;RYVm>H1{6={#8bJOjB02%dQVJ)&qw9ZDf!hC{xZD`2|U<(ijm~bd6(| zZz(^FX@XXblbjF;-#O%LgeS3~O}@cuJIgjkEKEf}q!xbR)e^BqFPSE;d&yt z0gg%ju(yAF&#S2i(~Udd0X`&k((eGyA#|rhiMFXKLe-KgmqdX@6kBr4iP1Dp!gy(p z8&(=I`Xn+CtHGfYER?r!oaVa~f|%c+=oZHKqn?rp@*97oPd10#eyJ%k^RqmINO5#0 zD>{QZu6HI!7<>6fg4w6^?Y05Rd}*d#FtnknPQ*2g19fS}e}nSYQX;?Iv@HI?SaG+! 
z)#%4BR&*0hV|XoMi%>tU8d;)Ld71_LlmR}{`3v8YF9TL&rl&bdq~#jB%m;G2fg6rw zDfBK?x>OS1Hh;Oy<*P6r>sry!T29xLl65Yc7V278)c@XVSg7UK_=?F@)WeZJXW2oY;d^KYyD+c0P#$$pc^e_jaHz_9}7jqOiEw ztbWu!H5U;6OB|MA(sroGOc=a%hy(CIxWQaqo=|MmlsNK(Nlr7UWDZ`|9I1K@m?fQg z{%xqtDoG5P%1!mBj0g`qL7Q+-0QWpm{lM(+1!d8NY}Yrv>=Okd$UIC_>v&_h1;)}{ zcRbcG8uXUczki43=&3gF_Act-es$KVhCoK2|L8O2o6qztUm019QDy9xKOHKHYP75j zC?pkSJhJOd20~QqOAk85^h>HHKy(fa5gVV{4|;O^)fX>ji~ z#%a`V@HDDK68f*Xyk5X@&mAFrAm&%FupzdvWAvY$PaAsFl@j&#iSeu&1~(movZne2QKzG`ZTOVL;} z4jc3LTM2u<_2_Ba{b)hT<$VvEMIHuRJnBtueMBN1eqXEfxcdbYYBB4P;G#aK@N9RP zVL|A1QoaR$wgouXIZMD&KV0I>^>~}RGLii7+8ejW<8MDBy`XLzKb5q-^R+IVyKr&f z!p&J*4&Jy~L?Ha-^U$Cjwhr6^+uwV3w)pHPj_h%Q|J=?HPPKyy7A||v<~RJ`55Kjj z9pbmc)7ALEzU>)w*59`j>~Alm2jL#ObLui=cg*`O*|WuUdpkkiG0u*3I7Rd>Yt1Myd$7>l<$Nc&mL*3GaZ8Y4neK ztd|`ol)XH!e>m;AJhxi<#{{*Xj)cZ?bIs?zQia3l;RTgs`p}z?&}4XQMr>$F+0*x4l<_o!cH)T@S1u z`K4)~iAh@i<`a(M6TH@M-6J&!jD`iH8)skZ}t z+ODP@Jz(8ibxRc?DBb%+=imBFn@yG5NM7uU_aw(u&5`N8$zq;;t?pU2*Fd%8X559_ zV$~M6*N7lQ*1a{cFYh@0g~JvP2A5M-3cFPUuY#7_f-HyEWkuKRlWq4mL_fgY)Tb*Z z793>=ZqWjRm4`n2yI5tPYOjHdV7tSrv4PRRrn1OE@HAbM?7 znIi#xmfZ0W1k($t0oyo+JswjSkw(|ylTWK^9J|_WpWa|F%RgtY^Gqf@3o!0@;0z* zrLV4=i?3FgiDwa33l_OXEAAEg97s~}VCXY|X21-KpE}$S0lzg9!9J3V{Q56doO+4^ zdC$hxvAmEv-F?B4dhKSzKWo;9yoDS2oa2r!~ki z^kOpRB<{gPB7|YpkZ4#O=GlLV9Oj%gM!64V$!X1R&sX&A!n${`L4f0yH3U}|KWR_e zlFhRlN8JazkkZf{e=v|=ZYQ1uFUBf}z*>wR8nu&eabCL1{x&8;*IvR(AwU24)2T6m zex@S)l1#b?^0;6G4Faxfa=~=-&Uc((txs|-qRG2bpsv6{`};RrNNms=%1|!YzbiOS zo5!@ysE!{^=aQ<%?H&T7%-2E}C`SWDzbr<@28oc-W)&ZE@+G5yxac&-*|dY2$Gb+; z4#8beiZVX#?KUvhj$kRTgnah)yNfY09#=|3s2N`9j|S8N_-(}ORDB~RN{4u;!h=y( zV9Z=Um2Wr)wA%cdSk^uZS)khb=gT8#o9v=vuU0X{ad@JGFMp`H|1}?p{URaxEEIyL zaj=$!?7((QoMoG3o z`Q@J_L&0XyPz6SkBAa&i<+=EgI(fp9-KZvT>O{rm}VZ$@<2*?5O zDH~;g96q%jxu|k90bES)TGpoI^2~-cIK${#Sn*eHo6Iw)Upb-u_AOY!;R9&ZOwM>g zk*t9qxyWWf8G@WgAp-Fmo+9@JNKFUx-^C%K@bs4G%^m^Q#KBX}v zbl8Np%wc4h7>U_&SW&F%>7i-XyAAUQn6ETe!68D7&5^083yv#{`>ng<4iF&I#9ydl z7tEbj*3>jZfw@&Fk}@D^<8E=}1O{4v 
z$TeHBDRNjCpH4eq(nTk;J1;k9kZ`#<=OagFNbtt+I8Ql=*{a$ive}qJ5Q{{x(F1u! z0t2=YT`j2;k7Oi2ny*Fd=LpxaTkra3%;P?cWF3UIBfM z4!_+EZl9(vWwT#3z$?yc{DQtmlAmVtAKj_~8Eqfv!iCskdtBXcodk`O!@l)Hf=`6+ zfNPY%0;(H0(8`N!k8h-iMfInFKps?e^L~3+^b!+wSp86%m)r899=HCqW(H_FvT7?< z-+H_(n>n{j;Tn{W9?5EGA{3BdgQS}O`jegJj55X>9@KprA+M4Bsiw5^qa#WAo zCPrIVF0V@0Zf8qaOVxE4Z#8&T`VN`@K4Vq*EUyP;?d_V}p#+2uO< zQxE{)b^}2I-(R5)_AOfIIpJxq-qJfD{SGp8^1jfyJr>eZJRT^wjF30o9G(HJBuf^t?CBBIIor3I+yqly^a$>aqD0_hsv9r zjSisy+3mxnuKyM*p(bCEAT}ItB`Dc#J*unFC(ZQ|LRl4b0qp*2&)_p=TYu=y3plz& zO5?k`?n2H5Psl6u9Q@kxk)-$8hk+#1Yu#QvNnyNfdYRe^0XL3m@8r9YHTqe#E#9Cc zs~hHWaO%H%j5|-&w0_`Ji7qnqG|yjxJP5~_(sI0att9#Hc8t%q8W)Rv=ix@es?;96 zOfJSy+HJ!)YrK6Qq)&1Dv#@d~Jy;^oBvI`Bp1j|#JRV-kuY4~yxf%bV;A2g->H3{l zyh{3{RByiY?mcauV2$OpzrY|$;_j-q_+Lq@FB>16J8P`JN<5aByf}kWbX|rQLPaS{l!py38Qh7D#Yh{0kj!m$Rk7C>h;IkUVs zz7qN;$XPCA;H%JQCX8m?jORg1XIIs38YFS;sl3DFwn0?(VL`i6NXN_vXS^7bD}8JR z#(nm3rZX)J=+8IjQ>QVl#MM-2o4zZfDY}w>7x+dTVe#tQ#CO3MkI`}Ffvy(`b;y`E zb{$=_TsFIihL-8Yi{Uk-c^&g5^@JKf_${W9y+Uo(t}wbI@~immuy4{Hcb8$Q_%Y+w zykV5OR>+wip*1e6fhJx4@7+w5n3`P~<#cINc}@1tlks9U!EQNmG-5!#;noO4TBo+x zA>IU81N0uC`&;6GOy0G?4%k*gX*_Vs#qNa>PbJ5>;1~L}93MS!a(pg1+M0QK6jA44 zUJ7n>0)IFQx^1am^$FLQ~RgblDRkNUgm8bP4UwE9o)^F*4BcyGvjbF7!q z>7(!BhWKPh|NI+h;9t%grS}YnT{}q@v#z_C)Ng$i+^O0$?hqEnErSQX<=&C~l__r& zp0h8;m9t?^#8anKfwtou5Oe;HS+N*&I^aSSp$sqOfgdUYDYCbSUg3N$H#E2u5KR|} z7ON4cTiNFzasonf!?M5{7(4Q%)!|>lmG$2$`^@(nrPbuM5yq z3IRqwDrUlzt?$EGaR6ye=;nXd2pp7PC!c^QfldAN4C5bPPAq@mB-dwDJ5ZXe(m$&Y zPa;K^CI8FjABpuj$p^x#vmK|S4+=3O(OP-nW0q5dER16+(xb_*29$1C!WZ||kBC^oN=)3t5?eNIPqb6~1WZKOl|O`jzJ<5j@$G#10RM5M@; zQ_hK}xJq@W#!Ba=9nIrrEvJpHOk=-rtA_zZ3}mphSS7WDhcecjNI1yeV!Ae+Hy<6m zY)wK}t1fk26^?Djm?OnsB-55CPSa!=t3{j#T?8(oYwR6^TiSh zjQzj98DRx4NuOTz*=!ivSuOetY~snG@2gyd8IV08V7ZsS06+dB{4kd^{2KXCy()_& z@}=ZY@Qx=9ESeL%=m*Mq*44;d}Fz^!xDj@gbD{miK_GnT1A9v%bycidITzz?E>hE z$l)*ZWE^73h_|g85VDy>YwK*(s`nB@he^Gt8L-;?KTXgugxRgj>T+bdB2)?!`!U}1 zza5v@aInZ@Ia{l>pxOs>p9H1_2Dwvf6o*~>DoRx?RW%(`Tg!kO#`>MI^XzUSQiV|~iTG35$5V@5;? 
zMC+$Q>~oTW1E%i$`<3;>=aBdxDd6@&u z9CKdjUB{nHhRW%R;;1P3CQSnidNVXwZH|3wNwG;G^d-F|KDHUhT!o1SF|d=^hmyHe zzaUvvMi0iDO>G)OA2Z;H$`JP#Q{+m=?^w(Fx))^VG5IL%k^sYlBt#&%}$y%^WQ|5~}=OCk*BnYF+|T zjE82qz8VlneuZ1 zo?UWlf*v>@e=h+%Yh-J<-bvpEe&pOh;u#Je>2sNs%RBfU-JiOwl^&gU@BbJB*|Hh5 z{Ul%jGNOH$H!jaQtZx(6&-xQq`nw!?yg;S_a~;=3=D~7#{M&0;dVCIzv`XxgT^9c5 z`%9jl3)_D^CjBexdc5a?!UXCr$$dT^C2Kw!-F`RFyUf>Y^_(RxP1amqj~j>0@~%6d zRmj?PK2C0dKY(Ffox6k=tjCWrV*;M%m}gRF z|A!%-GyAT0qc=kDr-CZVmZKwm^IAN7z;jDAEur$7b#Y5y=JYa`ru{ zH^$6rxG$>vbA8_y3JF{9`ZRtCK(AT@hY3B8RX=`@4ZQcuJ}0r?-EFSj=5yNgcpimZ zAUo(eE_>8;@Au!O(K)y;^OpMmuNH1_KM5xO-__K6ck|$5x5-{X@*O?bGl216RUrbh znWC5ZE6y3fQ0T=J%qh3CQltMdB}Xu+k&vPLQ|X5}@fjd;yl);1TcVMobKQvgc!9hd zM!{r-;SAl0s&VoaStIhZ%K@`f&Owo8j?7epR5x_kusKtbc`Dom$9Z-%ImgO+Uy;9Y z)#^SVGJ68s66L;&kCBs#L&d%Y0$KuBt5nH-c&`t(#yzG$_RLy5My$nV`=Y$5uV-w_8+YvQ75qi3Nz`}w*pg(@jzG*M3K##|lT zr|k0Z@uN;ZlMntWHMllyqVOgEne+PtYhGJMV!fbbPcc_)p8K!+PFNY@(rFokwrx|wZzK8idsD@8_#%B3Dmldyih1T^CXRGt7epRKApEBa zyG~G#1A!godJy$l#@TCKQ(}gQLwc$$ll8kT9Nw~P8pra0h~+;2Qd8Vh`>bV-M_ee# zNsOAlL$|_Q+o)pgOX!Q0_9T{$(qO7mFfciD4o&Cr^&NJQl;KP+ha;*8z1%ukS=Gk4 zB{YL>{8_FXwHVj51o7Urd#FF9p2%<@8R%HF5WoCrxLg`!CxSA+hIeuMLo?cQ0g<&>+wE}kl0MW5v2bRAY>aAquB_i2>MRF z4_WwqjlSx{MY%$ia-C&c5=k&e9!IJ)r}p}9tn7(M(;H*b8o)vby#G$fx^?L@d7is# za0+0{jp+7%5JYJDl*NBzR)F!QR_$is3;%xo_5;^i)O0~AfJw{RV&EShj9vlmf{F4i z71!>#h?O>huYd|c`6*i#i{0(1E9p$`!EPaTphDC!U#A)QL-s@~Evq)?NGVuJ!_0&l5sF=?#*PU}Is(7@eVPV&z@=n1 zb1ZCd4SMP-=tk+|bjBuA0b^x)e@*{f=G*eQmi(Y!pr5}eK=zcN(1F$?f#yX|?`0<+ zli_Ag!I=-MiXcI%>>i^emk#2hNX&IhE=djYx5H{+g3vpC>DvF19p|NarDzj=RjbM8&Q(bz{0zG9`qW7v83c}|_D9^f}n zkO&iU;q`dO=QsT};F{1A?V8Y47=|}n%lZkP(AixoH6%H*Q})} zsm7tMkDfNWVLnLm!t3_?B@PPVd*b!k(_st&*FjKD5${&}$Kyot>BgCEkJ;Vv3`pbS z`t&Ka)uzFNgQxTw;qB5dC69FEVohK)yL%jS#e_p2G)tHbZQwFb8t>7+)Rw1fA%17T zcVPdXm}lp4X)k*YHgBEhe|7R8-gv48zW}f5Wf^%bvc`hvUTu=AN3%P}UB}i>IX6B^ zbsU^#7lzXSBXLXIrH&iW8a?mEo&8Q{3@vLC!}#;QZYMsUD)*8f7*U{kz2p#ugWvDq z?2_kZmV8(;jIyV*&m@gN+QI1Haul$v`||f8Vhe0_wkF~7i`(-FBd)`-=b|8G)n$wS 
zba^6b1mi8+_hl8q1vE9`V|!!QWD2-0l}{41yZLLq#q9{_1#kCW04HO!1jlu6<_|5( zV7lFgcO>=oypL|5QQ>?1%O`V%Z!T>Jy__cV3`!Mj%f`0aR)cy@2|mIm78$y`*U-Xh z8g7#CCViUx4>PvzY0 zS|`b>d*5;P==xkPDU1rZK1OKP0G?udy5HTNU!K(cn%|G*VRC(IT8C%imIzw?+6?s3 zHdA@rr#KgTj%=O?nwL!mA!9YKT83?NZ*n_)THcoUPb*9Hea*;01y~Aa(Tr^Vo@*3% zzDKc3C@i^r^>^b4gw?Ki+5-#=xd4kh`b*GcTu<9*`CiV^$NA`-L+hJH-1twymzP8E z@C~@1R=^j)6G53G z^ojCB*kd{8j@r*`Skh`nHb;6be{h0vN@zA!-V%Dguu&{q5=%5B7W`0c>CA0wwOp7R zDGak7>Nq7C1BnrqLZ^2Pnz0_6iu@{j*yue>(2OILoP^b%8dzA&#-=|AF)C(TW0(*1 zIOY4QN?L6qSbh%YFWP;oWxCWc?ld@DD2GUi)JsEbs0SAX=@n9>A(M_5=v7)dBSq^+ zmON5;Xkop4lwM^yR3ys1_knqfIi80rPueO}C!W-(*v*vesRJa-y-2p2mpXQK>nR;& z7~&XIBPU5RkXf;ArrPPhKgEwY7Scjyw3IJn88Y5~AqDVROUgO4oTa{xFCT~eD1&?Z zS$DFc%tLTb5^vK%w9cFr{d4wXI-A8kC)kgC&3F_V9=5;ydGI|fVY{1P+P;_-UluBc z+Ljc>ICPfKbjJE~M{Pmw^w28%q8jaw!T>K(JW^S;A&;y=2xW*r;Zhk=RN-RP^tZ0P z*i3ETxF(LmX!w!Gg$}wP;3zVL(8CC3_f5ne8dQZesQ*ao+@KRdOs9tIqRSkJR70_p zQ&@46Ftg_uM446uB0loOr^bZn{&tnyyo0xDU#+urpqcH*4Ea*8c@$!Zds3NgXB5M* z7*l@%TAr$FLNpgwY0kELa3ZHmAs-!egRZR%FH}@3kZxZg=SHXUxb{`T!}jk(XoXHH6C>@<*# z`GzBRTKyyH83l|5W(F|~r1nxRWLJHCrFom`qvHhJ<%OJrhyI`;d2w@+LzpLwc!aVc z)k7#OSf&!Tm~@$BqG^n~K73QM@=~*&w`pOA^Y9k$9d%MpgVS!FvpWs(Mb39Fv&Xu% zq9RvB9U+}l?GCLt2(40q5)o%hK)21Lyv-?6%v6RdE<0&OMbnj%<0sEL`$BDG*pbXJ zo}$~97p7aU-8)2Qsx}UX*E#q(14jj;}83Yhy79+}< zPt5lB8ek<1qkAh*(8mJ6Ja@EqSQvaPD3{z@6xy}j#t1C7lUUjI&$0^&M7NXxUVJwos(SR7lc0iQ>f^; z#H82CC10IuIx0&27q*cq?3!IYj!Z96@&3M3Tr@KzTivutu{X^e&SC~K8&kb9Zu+eg z#}!Elko`D%jU9b-qV+Hz5y2=xCMUzO`6Nl$)A^c_t6D)vhYW;Mog{*_SzC z1NKuVz3j4b8EcW3_k1~7tFkC>w-_dv&Bi|~B}LnZSWa(RkeTfH|3S^A5GuYF*@wj^ zHOu0BQZs2FZP=%PzD*Xg%@v~Z$;|QMGXN>XK~!9l>rXS~Q!Z1Rir|&V9mu0a&dviD z1m!Z_8+BE?j=YA?{Is4`_ENLnau|@+eS3e<{P=#TV``s#rPK5@cID6*<-VlmGf}uC zG5NfK+;hg4V&K-sj{I*Opyf9bq`!XCNbk_SE$q~9;lJ)T;Bzp2<>2+82LnDwzUsX# z{#+rks-kfLxP;u|wz^yRkPp;gdBY3Ko*4nXXe{Zr?v&eG9I&?Joj)uWx)wY=`rze) zmN9g$l3y^rs9RPr!`A(m7qbN1Zud$7^F8L5C&Mv}1T{~8r3`E?ai;v_2+m==hbeSq$+{;xiSAIAaJ9_}DDP;<%{qaAh^F6OT2Tzv+X(PV-+vW8t-4`r)4`$pafDE@#m<>2 
zKHGPY&E?e?@Oqi`RxP+Gy6!wxI@x-fBTCUD$e#K1@ua_LzILKe<7?dUIOYL99>2Vw zTGQhf3U7F(2pTj79pA%}|`Jb+u_Exe4-4MD?AALl# z41D%0O5G}e;Meys279Bht1d3r`3ICPzr|u3gN7T0UnM;rJ3q3~!~ew@v_Jg*n0mTe zw<{fogW(nAI(s!x<7l_9OS*i1y-tI7y7RKwSUz;8+X!ZP(sj2~X?2W3Xh)%w&I7C; zWq}EY!Qg6eKI*IV|158PERLSq6GXOuD6Y}{Q22AZpt%Q3-(|VBcp`ktdx?9-xF^(< zU#-(-V{Tg3*Zi!b7y=~6=LVvm6FX@T%L~MPh0G%9V#Z6poeLm7_U4bSq}mc|%kV`l zH=*t*+!IHjoN=uSzz$uXvNT*y3X{({K~+5e+J%f*u^}_br1>wJe}fp#b6(71mN)U= z%Zg=q2`;_hv}kM&GL2no6m5_;y;_PzDoA(J_)8@6fIsjU#Rl6-?KWi`Rv69_yMDpC z9Jehzh2va~^9qUeF#K!@JHWldKGf!I#W%%vm`CVQXHGRUy9}Ma37hlZ&;n87Uw7R_ zn9=;5$)Z3uz3Um8@L2J3&8rS<(R;}R4%{MMcS{Ig+q$NLOL!BWe_=T?d92%Qmzb@~tEvk@`6U&3U8;-8z-2A!{##6-5uehh$acz*ZR1 zZB|Jfvhl-jXbYkeo2ts{$S2T02eI(VX^>ZL=11zYe!KZH`vtZ1p}A;QzXT$VpVNL! z5xqFlzZvt;c^bA~3@Zx8IPQMzrwHe}yMXzd7RebV>7<7@@-~c!27OS9dIF)ODsNhJ zFdBAAA95~z)5EXWodOvZ#YCRj@$Yg&YVbx)x^XI`#XO2`6JLnPY7!yYO3TjKP=}$8 zWMCy*_-YN&EaeNF%gQL~lZIS&#W1KUcz&dMEA19JL-8<`5TW`&MNfCNGTX!2*{foY z5$DF_f8Jqj(EQsa6FmrZIl3WFf(PMEV7<3+z)jxCr|%Kdy6q(k+={RxSfA7S5ncLl z{N=NcbsF9#ICB=jc*s($^!`oA=%K`Ivf2MCZ3OTsNn20`zM?*qvPVN{{(#loUlWi2%oG(J~#W#47&Un09pkCv;wHz`qmD`r!0| z&)OCQZ$k9t63v;liTYK{%nU?*X(Kj7C}#Fb*f;xMsEFb#FFd;w*W7 z{k)FyS>(9?tlBv9^o##s$l_NXV17k#<6-~YniIs=c5xtEZMjY9XEA)|?sK}4muX%< z_5S#qzb>>l@n zIlu3I*k^bkwDn_rzDCk;KWt|B(=6aoOdcy>b-8zad9)6gukz?@KYbrd%i3bt;^8|? 
z6ZG84m(}30wG%Se7u3>z$7{)LKN#%K>$$!yMqzXJcj)JTT9?>*x3laAEg@^&P1bZd z4L$X#5OCdNO-*)y#>a7iij)H2kEqF)jdz_`^XDyx1@Y(N8}_4%&c&%ze*(?hNrw+m z04R0X-sQ=(#o)u1_CMkU9*&BR0TWP|QH@ zZl7}F-|}&s&w4|_Yg1oP%!LdPYMAhs-9XZNDVgzC$g`8*;@{p}%gcRxR^?uwa%tWIudVst|2w{$0LSft0c{`{ za1l7Z;p6`f#1_YaH}@(WlvsM;0QB65CKAZ0ecOMZk*xi^7llXQkzh!<_Wg859^g=U zBIJS4%;;TGc}%(j17`4EwZCDX3*mkU$BZRWTOKZfuaPMfXhcj=&+xBEtA3g=8E*aQ z)DgcZ>IcN*58@eOqfa4)cwANIf?(UVBRrERP%E5=f|2@`3Q?Zm42e7^2}WslTiTBV zih|_vdbO78SZ$&_4VAubf(SHzh58#c*5x5`ixFi3`|N=S2jK#F#$KP+ymav|ZiZW{ z@j|vf4ckeEj-I*;RkT@agh6ChSHUDC+j-Wz<@R;mpX+S?{Q;7s!WpA;B<~#NL>5>F zGA?nX>SU3~Zy{C%!>;13ho%FSQmLdumL98An#NY@yKj@rHH+df6sP4@)IW$K`$+z9 zHHER(l=0um{_3La^Md23G%w>GZIy3w7Wx}K&3Gti%tgmb5eYL`l2}Vj7NEyuo)5=L z@Gm*21v=B1tlFL;Ja!>0`HOUj_I{EIWxT1MF+{*ttSY?mSyzerPDA{asS*kO6O2si z_8rnCJ{towosMzax0!#=tx$`;B@X|7 zaGu1jY6IqHR3WNKihjH3VG$_j7%f@2LM}X0BSw$628!XU!)WoY;cY7}HBn&HmC2RC z+uj2w|0&Xw=P_z{j zKHXfEJ^Qo6a|GumgjhYHI8iM^ZX|HI{vxO`Jr6>ez9wdt?Q`7W$(i@<9xU~-+lhKs zFc%Jw0SOE|HdWwE*(3Oed{`8uX7#)%)H6K@vYv$r5@#AIe)&gdP$P#3ER)3;!Zj5o zcMUBHS4_;ANQg`-p({yO_x+X}FBPMUOk1MWlkns`*C}O1pI@YUpYdD+9 zEWB4Pla*nmSli@yAu}}{r)}qd^4G&%zZQ`oE%0%an&r^q{mQ1vE`bp5#N;G zhYR4>)l`mxw|9*0QcKSkia3HkLrU}=YJ`cIlu(%F*2wxcY_1H^|h)62k;h$=KK4VhWVS%u9wLx(%55h6X^5FUhPG=MCOOrQy@2uBP7?%8()r{hgtiO-LpvJtRbv)25Dn7c^&qEYjTl<~NVmIm?m zeO`op1C^aoyczEzc`Xw*5$n5516PW~>3A+i!l`jLR;ev@K|-qB7uz2PJ~{ct$;_NO zS+EG*`w$uYpIMhjilq-TEO})#Xhsrh0!iSD;`lUpQl*3aNH5!J@9})D-Hj zDsU&kdeLEsU@@Lnm~DW2=|F|Vu27zgQTc?5@yKEkRy!02#Kvv>nOu5_dfv7 zAcZRJyL@K89tZ`J9+ki^cXtNJoS! 
zH#7c#iGxP@_Ycf1z%H@J23=P@`0m3CuhQkI?n=M)cEjfHRl9}Wn=SC>72!$Ow@=?k zSE$NoMQQh{<7qQ<%^v9XsOi7d|IqQi7iN3cfKelv)&XuQ)!_6x z=`D=~52?Y_l=HRgKQ`K4#Hjgy_2}-J75J>!KJcjNx-aOxlid;QT`jih_CC$+@w98) zDYhW&8onlRaqidPrNsvg&9GVL;dd4ZO6eC?$zFJ#)l5AvFz@d=B=iV;2wfdco&XtE z`Pygn4<@@V-!|d_ZxNr46pNjxb-X75=XLp=C)`r-yFwC@0xf8NXDzC0@>@;yT~kw@ zF6qOhLcz&YUhaAQx4OZlxV48x{=FTO=~aW?+>bfWo5HQtM$ob_R#n5yZClHfKi|XU z`nY%bL8(Wr!`NmafXmFxCeNm=L80wN?Y+Z>Zr!O^r^dUX`F-vz#U5bUw!pbk-0WxF zu{P7e;kol1g?zQq^}>y{?(+Uaq4O!FPa$vPHY6s^&$goj&^A}M@hYq{i4p+)c$p^X z60eaCc&GyEKinPu0#?H3K5SFsfeFXKVDrzFQ`%rk-ZOBX^cxu{NcE=qC1eczEtQ%Y z9RotU4+mTi4hJ`arm&^~)&=>nvWee`SzEdqL8SCCVAo>n@^M6oY!(>_y4;|E$SqMh zg!*OCD*z%ITtgb1B*i;R{lasu14XJ(fV?bg}GZ& z9ZDTp6(~$*$$j`GK=~@=t~i}KMsw_q?}g1dWu`zyg+aTX1R5DpWMlXoWaSXzztmi{ ze7U%_$4}uL3HMg&uxQh%T$YJJV?^USwsriqo?WFpm*mdN1Sm&58GD;7HAL_O8)d>?GH?4^^ z&m87wCKRM=;@oI{4-C#hDaGl@Zlo{cAA;>+$80c?hqSTcM9=>_hh3$OAUXz7#KZoP z4BFEWFJd=}UTz-f8<(7;LjQOyW2P>lZW;*H=YubnlgI6=K>QP!i}OU5-59P;l{V{) z_nW4_^H>uX@tX|WOxJQ&$=zK1Xh(B)KWnfyRgxP?DXRY$?`>DE9buU>g+%MNOZDNx zFP8NsqsD%JAOdHJlFV(Jq0EM3r1tiyRnq?!8?oaXiuN_NLsy()ChJxf{czd#(O)Tf zBW7Y=jkN0*B`6pU!Pizb!zm7fu4au4d+}$GF5PM6OjV3F`KaY^k}P*$%##uoklWFV zU-%;He2a-I-v7O{c+@SCq%yi11ATHD#!q3a(MNqFnUC7Bpjq=WaK*?6(Mg5sc=tzG zYP%4=RZ6Q|ZCl-Uj`VaRRhM|NozfdZbLsKnM3p@-)1ZinzKHoAK;S;_8R1w^wqgBU z5R8^q0zyffg~twKM^J`!>>`^oN1e?&$$K%Pw?laTJv-An87bGGPpuL|vHM70i^Nhr zx48OYYQ2W6%&u0!eTa<)`{6w}f~vSuJ4ULEG|C+}s!q;jR&wfBV2xP!)u99QW!Egh zBFueZ@pX=4HAY#P@$XLpsb}ksxidsmahrJ@7~Dnl0c%W0o)9ACxU34NgoZPs4HKKD zKjW+t#XO@(5)>H>#d9y-c;QGPB^85mx*og9SRzGX(Dv!d7S(emDN3Xai=MexzeYki zm~uYPL2c0V;ydB|A315|tcQ$YwCa&`oLUH~J@XQT8GFcroWRlvU5=1%ash}u z>VWm8x7wjL?UJR`R*~;zxA{k0(4C7lIK?a#L^ROj(PEa{827nE_bkDNiAa1&mM9-%Jz=m4?hp4lPsv}yqb^-(voZucL5Zv9}-QC^YB@o=*-CZ~C?(Xgz zcZbdXIrrZ2pO+f_(68NdRn=VIM4J>4r+uS)Mtb$Q&%yg{WKSF7O9|$%cd@T7zjT_A zz0&?TTaW2jUh&$p(0V4%4TNcdYiMmg;x)gLq;1z4dp_O_eP zGI!FKwdD9zPM0+m*>!vUv0USJ_ErVgy+o<)-QSmBho9r|0N6~yBrw49GP^zJK&tXH 
zya|pV5bS)wpyjhex*L+&(lY=yPeKCY4yf!v&Y(@d?zNmItvXA{ccZgQuU&K&GnfZ; za`$@3P3P_9d#25AcfPNi!`sZVoS>vnWTy5W&E0K&xo($R71LA~yvEgSe@&Zy5O))2 zt3GgZ%I}0+478i7(r4qQWkT@|oRd)nKHa!I|KNV_?=JzxuNfrS0C^g!x<4;sMeAxj zMTXSJY_yxV0}AHt>O@m=8uv!mC)Q05_m^KzxWS8jop(!8C3bFu6m(m&T&2y{9LpkG z8ps_?R}b40t6S;amZzNnBtK7;hjL87Nrc)LAl;U0)J_|2^Z7;A>XpKK#)u8f$B9?> z$o3=DM~@9(Li8y31;$Gb6QIj+@d7!u`m(mUIQ(w3yt11&Umd+;Q=Q|c;rg23>Z zZ0d5_FYQ+y=aIdrr@lG3?S7uyha*5-@^wpjV&$&rTu00C<>Prh8tmrWnVXzS_nNl5 zk|A`=zt8U8tv2Jf2O(m)eEPrE75&ouU_ds&E-u+IJU$Pj3K!c8Jq9|T`;_c%<1;zd z55Ck-g7?ez&gyfHpV}MLhthP)hV(8RCb;3?m+cXG#&_6uw2wQvGjOOLKltxpA@roR zac}*ch91sEFcV{tXtTMi<=#eWNn<W$mjt_PF|Bn}U5}OR4B#E>mgD0`;m1 zUU8^wkLFKP{qVaG>oPME`6_Olu;2|F*Kl_FqzF+L@sWc1ok+Ae1F9^GOmY{BpgLi^ zLC!46p#oi%j1%#su+$5|qCR@kFjpCZ>#muvV;lrXIP;3wDPAgo;ryz~n7zmz>4WTL z=|16WEu+6z-x6m~%sfj_Me%j9wF-6AI?r1mq`i(xtMc<;NO9CdBK_jJ{$;KLHf4tTLpwsMoe#c>a`PxP5AggM(+({olu&-J^&2-0jH#Qg;UYvx=FFR>$xEs!9iC>xK(r$WWr~{e@Q* zeLI1oe9~!PFM>g5>DwGR7-&)d^BtPy4!c$c3STW_uvT@^-ylB8y>o7Skzs0dP*K%w z!8JV@uR=lWe4~&cFd$;bhDbD!H|Gv^(7R;83`SD+SU|+)yD|w>@Q@<~JsI=*Pw~82 zGc8tF&Id`N39V#&(-3Nf0CI?icuxKIPr7fZqScCc5$>F;z z=44|fWh4rJ=)zt?$Nks_e|iL>m`%g;-RB%c0Qsc;L!&P^{T4{q((zowDiA@52R8ngLfzNhd=VZEh__m9jvy2J=Iy6iTvr2=KC4E4a;fPzIP%QPv{arlOE!BMWiyT-M74r?EN2oPmWJDuL?$ zIPeJCckF@EW|A71ZczbYupoA}%l;jxvS!6W%9CW1rlp>>e_K{@xp{-%^ApOFS(vOK z6-Z=A-9u*k$RY~QG^DLu*7Zx!N8OdKVH3U+puI#N^ejp&vVcaIqoBzLm;TJe+7f+( ztW1!G(+pErOg{#{BGIA+#@rEtg}}3a=AIWmvkrSd1!J>l5(eg-iJJIeDb(oJA+XA+ zK(r788L(ptLp|&Gs=9KCS>fAnFFK&lehHy%nEbq!N{x9vLrduaA&1P9B%z6qp~}Q! 
za}2L|!oac!XVd5Z$I?>#kXJduW5#U&irL?}T0YRB{@bpK-cQBK@PR|$iXzEx9*jc| zUH$Qq)k@suXMf5Xl^bKzm!1Q(;o-eQO%;C4jAjomT@dAIIxf=X-?uD87K_pz%Jv$r zF>O!_NKvZA&$fxwPkP%J1M+>R|J4etCF1*=AJDS`!--=A(c&Kk0etD$GXj#LLR|+l z_!3U-1}VEPu5(c+i&tuOi6f(~G%%_o@z5jMl{a76%6IRg=8d@LN6#FX+p5j_R5S3Inz6$- z0_^dtrT%BcfhO21x6kM0XSF<@Ez%*y=DQD2zDP!mS$&*nCRov*MZB{10IiDE*gx7` zmBoMbt`=--J@GZT$|S^XqcqvHr zH|6bNimm43Rt2c%bzB9kYR1RJ?;cI)*UIOL+0xVSdU$Fm@x`sVih}pGKX${|y5A6B z>uMP48z;yD7l`R?STC{#M0e8E&C9e0M7Tj?aCh8j!0=+T1K7H{hdPe$1MV*HfmWaW z?sJi!y2VwF&IF$K)GOT*w3x17SDnH~rww5z_~&J93M`K&$5he_nJdOouXq7oXr9|8K> zt^*Nt?~gAevg&tj%hR3*jCf`;5+L_M4a#J^f3k4I$v<>dWQ0E7R1^ zg9i-0r(<3*Tki*yld)yOx2@;2gegB@iB@N~m}P`Z?oC+E)t&Q zuwyPPZbj}0)#bIt#Yx4LlZn9@&!6h6-0l8R0D9<50jERSmhJmB7L9?S^8tC%Ox~NJ zj`Id4P|7g2WD@H%V#SWsn#c6oH9f+eg=?eaWCt!d&^oofqAFLgQ8%HL704KzooR2` z2Wf&8Tabn3xi_*AQP48+JEUZ;oZ<=9k9$AyrQvv0@{Fd_C=V43!#WUy{@AL_A-Jz8 z1m#k(cz>xZQdbQxXbcb!v`!E63EJQA{F7!-dEbt)cAm~K;c`e8$aqOg*eY7Uv~XO_ zYm>x|4s#m&8wWqKA`#Vh&Gt>Uiv?q^%;t5WbpKu{jbWF$Z!}k#>L%Y|;arZJmKQT;b{&3R+wDELLS;xs5J8TLs(ApP}3Sq!e-unoCD1PfS~9l|!! 
zt6uK@nhUA!QwpXy11GK}Ym7kqGG87E)A0ZVWS6q)DDN5U3mebTE?u1BhZ`kHyy9J< z0rdFE@s0CGLPMBeYv(NDNzZb#SQia6)E&%tGwPIWehC+en~%yHc!6}kEWY`4!C5#$ zDpUR37-SN3U{C)CFCQlzZYz$WQ6VcLQHA!Ij _>WP*VPr2b>_KK<_GT4OPm{Goa zFdus){%_xztW&Xl3!+Cml11GqmBP^>t5EYM7f!^XhI3L;nup*JpR!Wk)|^DAdAtZZ z|L3iE`=NQJ<;XQ!(AOB-L@^F(Iab_#`&4yGLQ8o(GH>w+7UJ=xe(_(g8a#!2c<2>M zg{I4|2yHQ5K8+PK9=W`-f3RJRi0r(66yJ_YPd9{3eYU%{qiDDcpTe6gUxwu;9eN0^ zHtOkqMS32*%PG>d{W#*2QUQx)V~f3qLNg%Nw*7-p#e=h@_vt!UEpeD&f||ER!j=3= zhd||u{3f1O=U|#H*Qzm*wZIS-A!gWp`bG@%$C1Kzxx59MQKCXB`XP}4TZKti26Mn+ zY+#6E19wQKX59D=L>8G`ej>>gX^=|Cu2G#0@e4KJcAjFJOrT3Zp>&pwm>SQsbWOS3 zmT8FzaYbyFc45}UJJUoS;WXBCf+9}NE!Gz9c!83LMWiq?IfS%j^3}Mx#zcN0*;0@t zf`M{+Ko9{t^31Y8tpT5Qy`+vg2-`%PN>b?uJ*n7?cw3TKpy_lEIgj0lq<~IVbRpX8 zIADUn23ptu0Hrc$yfoNALhl^-e3Uzh_)Y+)-0wOZxo+Fr^La-3+mlKNyzv-@QDmq3{kFbxhVBLTH*`g5`5;*M7o!cHpCg&NX*pwA^rA> z_>>|)6%+;ugCw=+4uA7NlUc;!nVpP=S}-}xy1;mk;~kY^7^xU-iQmDl=)+K8z=tY# zkv>1zDqI&SC)l2dH_V<``twozb{}(I-!$~W88Eksr8Iv`t&v2n`=dobofm(I^1T|Z ze!nt}c3(d^DSTg0wpN&G8PYWS-v9;eiuHV8Yhw|4=O`B85w}66@}gm~c~OvL|G-5a zM3FMWxzmd?V3Uc8C4a>g^arX~$+J?kW%UI8n6_9I^xp~d|2%;;5Q1mVfpdQKpKP%l zk+)LtM7Q;eM-C)-)TH4L>^{~9-Lu>y;X4cn?^zCGOrOL0h{l*V3f%EM`!)sLP4A@# zvWfjQTF-UK`y$=S_dZqr54XdKsM|*C@Yik+V|OT@Z*50Hm^Q|KMu9%rA5(9=JZHHm|9;vu+*MPm7Ry4wJ9*qnuU= zug?rqe_J4cb?thQ5M#fB#x{m9yLl7f#k{2hE{5wCSgz)Kg1Llly5rjBHERVRrr5GB zy&Y}Mr#!wnJpyjB@2YMZ3h=8p?!`FlJagKfec!$0$fMSeY+oKWc*!%HpVfkLvRk%E zYPek%+o!voVLKNi{y81m*q!?vz%Kg)5pL9bYdFer?`iF}uVoM8A6`Bkb-d;9);``c zjaMi6**}M{u<^JeSzZ-%XHs|F)D~Umlz;ZD+g%g;bZ(DYH(!o=$g`2oVslDM@`F1a7`2m7@4>fF9=`i@)w!B7qUFIy7X=f?>-L7hg@LkNA zZf7}L-NrG%%e738qfPQwHY995pSrG1#`ELTHBmO52ldw>l4?qIGYGC6$IFA03p!sy z%Ic4$jT}RyPB)sC3mQX<0y;fz@E}Xpk_(&vw&qisjnx%?)7!_&#e?zVR?P843pN-BvS^sn7l3Pp^0+BH&A z!F&N7YX4V?(2zYlDcmojomHq_PX2SwQbWTr{=`<~$KlWDXTu~zT!IzB=>phH%^&j? 
zhVds3Duw*@nYdAm{TBS{irw0lDE!TAs&_Q>z_@?x0?dHqEVOc(4wD1>)Nz1xM*y0Z zFn`LB;*gC@$>bV6(AZ?iEl-!+Ihem)L-8}%;2>l$o`DwWSJ!wQ4^KT5)ID}!VpzOJ zA&w`dIF)pmBx&EnUf6P#xzH9dz;O6)n-40Cpcdx7C~smuz22^qLxXJMJiFCMrcP9m zMOKQGjkGuptsYr}IvXUbHZxyZv6ReLy7tze^n3Abkjt;Aa>NQ&Yif+1Q@J4pI7N>^ z4uK@ni%OD77)lkAGz)mkqlse8+O;$a)U!R}{*T2dhG?rFxhL3~V)5qrjFf7X@M*BC zhIv!%;+@-~*q#SThg0swZ-?iqVfm5V0YMB%kVT`&O7^zlP&s3} zAS-hZEN*_?JlA^pvUg4_#NN2i$fFrg`6UYd4nw1kiZW>mUkm9!cV|tx` zY_%V0=Jvfk5mu5{g(Cj*=%UV|gWsUjsP&g*B4UBw+IUtwiUw+HfZlP?z%;d1CXcqT z)71}3_FWcs7G6w@BuJb^2d}42Gc&IZB*2+q09W9u6~thaXjCTIBogl8I>3&gDbe1= z37GT^KYg%#asA<#V7hV&$YrEIDhW-N+Vz>QpddS=XF{m@>q}Z-EUOw3NU)fV?R-3O z_cc0NtC*>Lz*SXhNM%X}+65+er*^ujAD;JXd&@HI!A4i?(r4CH)GVunY=uS9hLFSB z9htf%wN_CvMijZQq#TP>!vd2O&wmRT7YDxJ893`_dI$Dqy(su-xQZL!dcS(gp^g_q zMjKAK9`!rr`_BvY*my#D($KHW9}PQWZ_yq%)mEB|M7W*uPUaQDlSi5#JQ zme*iRj`tImr^$H`p^e973hVaHE7$ag3%yyw*gRbG1*p1?>REk}3u^NzY@I+89N$d% zaZ20n^YS!a$-{9SkhHyZEwzjX$^!VRyQgx`a=b0j*}3#g?o}-iU1d6cza5W?Cwf>= z(_3?HHOuyb>$1HOZC73E-Uf#`fp3{|J3o2H%~kD-6(QM8#LQQP2!!o*W;&k3Hh!y$ zF4;VnMIqpNzYD0{Bl2@5TcW4!*NT|x*ANrmC5@N*JHI-1p|KkA3~x-1vnDAjBpv7L zzZuKE_9oqnKCaJ+-ILih+}FND@6yG@eIjWelfum{BD z^_+_qTk@wPx^>B*sCz-p_wYkTkAd}h_1m3rx!~T%Qju$vn^Aq844@kb<{t=72_(ZUEQQgpT4;OQV#jSxv2SRKe#0M&0 zS)aRJC3Zh!vO$fOH6NzvIkixO9;@{@XV(3BeAQlKlDKHq4T>6Qb*zR%Duue)oCm%rOCG)dB;VEOG|? 
zoWls8y6hkP7zGsr2Y(~xr_Ov{T{`sB1ebh#b{B~1s-*Tuog@Jy)K%bAseQhpuY8f^ z0ulkQM7A1HM97Nj&_`mLaEDBcc{DWe7{hL(tu&t>1bHl}(fxfNzLUuZWe%1mP`n0~4F z>lf$0D(g%X!}R?6DHc?mUbb|2zCdS8q12E8JFaM6^Y^w3||YKPKh1CaURnY_#p}P8>nMe-pmjoq>PlD;Y@Be*vZX$ z7%p2^0H@5W1~keYE!!)(Bcu$0Z;_NoyL04Yh<6|)$w>HDt94i}=vx1s6i8J>5cV&v zMPgiWD(1FGcL)f>%6+^7{{>(TC3v1anJSMEumg)=IzOlY<5uKN=%z$!zW7dt9WU=E zEwsKlLEKcQ~yi;>Slrq{37tTY58@()W70o@K_v6Ip=J9Wr z`$vQF_$2r)=XP!ZygQyBONt5+=fz*l{xI=_P)$H5woQYZOGMI8Qq0;Ho$A{m@^CBl;$y%nX_y8+B|J)u~#sV z%N?>WT(DvpR^O)Zo=oIxLQwXaWk5dLe9~t2SZd&3%~Q@Sb9Dn8p3HRYoBc=shn-7j zJoaxy7f}%imFJIrGb2RVdbGDuKMaG|;~hW4uV@^0~yjpOi?kn{y-uPdPtWPEV+LI{> zUwajKP%rbXB_OoyF#_P2)D|}kdUnc-4#Qo)&fIbz5B=sn_(vT2Eq=Mw6s^D_9biH0 ztX{cxeXd=`i^ZRdocxE(?4aUDRPWL+6$4IG++T|5GW##yM2IU84EiXZlxU8oWts%> zMY?6IjYF)84?q9a5+{x6ucGKAftvczjO)bBVdWoY78)yOgeAxvMUsWfUyMVYc}lRq zeWQbU#1E%@)Q>cGW6Yd1g8h5OiWXjWS*Q@iNb;*FQA)__AC!S^e`F71aYx#*;UI?M zXB3QhsOk+fI@N5$V8DN;!lre{5v%%GlRmT{m~$&Rg7^Ukf%j?r*({mfTYUXrDZF}nf&@B0cp}WYD|$t-F}v`w^E^nkn_k^x zaP&HOv3rl^JZzO2ggMgn0P?)jk9DTdr2yiay zkLB9w+>V&M)|wtJ?M~hZeV-$pYFq-xx8E<6fCLUhZ(182>!NO%&Ad&3hD)tCUEgVr zw`_;&Wm?|T2_`~K*LjsKzqOX@^U=>+$2Irc;Ke@jD;?+I#R?r)PN(-ALPr3)mESt&6tp6xmTBQw|?7_pFoae3?C@u%w(77mO)2w(qr9IC;u_WNI9ZT&Pn{cZRFr!~s$ z@#*@juIaVB@})7FkmU;s=g+?^@B58?TA<|aKDTB}TIOPs!ec?ETj06Zn0DrmeZwqA zNvgB@b!tHRg98G+m@#=!;agE&Y=z34wSL{9JisAO*P&C`I`Py%O-_*S8>TnraIid7 zvWWB$KkGzX+5iNsjn3h#b<<|OX>l;d?lMb`a%IO9D|CTpRt{q;r-ez@Db|gsFbsi| zQm<5@>3YnoPSW_-LHN{ptslBFZGt1~ye!gXv9@MEQB_IWwZkmJE{oTO)C)aX8C6!|{JiCC&;c(EVSuer zB2O_q+=IUK+oH7}#DSUXLC%!lv*(wPcg&QryAkajg-W?PeP%sCTEA#46>lv81y?$9)FcYldWdx_o zekIsL_%V)Xf)Jd~37PiELoKdQ`c)-ZYr4EPZ#)1!U;gh9`e!_${I}kyM&~X*qEi~g zlnFGd6@(g|d7ippXp>;?`N5e|^si;`s7%T*1Onbu)^05dbaD{~>Umy83hMtXnwVwr z*yIP>LR`j)aCd(v#}x~})zzv`I($(xW0;Ykm#{g!7H9cYN4*Ew>E;Ay2!$Dc7zt8? 
z-S8oO4M1iV|8X}@e`+hralDF1kTf&GUuD;kF;P{uK}Cgye+*V^>G~))?hz3IiI=cV zyiQ!n>SqbiW77F(KYrlQIY2U~P&typRcRyH}QCV|u^=3Ctbc_&eIeW{&&vuwPzdd`-;KkdiZ!797;&V2CJ zZJjOp53F>k9JAm<>}o7yg;R1VGDoRu}FYcET(3gi-4gSubq*X?-+z$AC4`-|YsQY#`W~ zj?Kb?mjfwmq~pb1La{iNrw+B%&>&q$rlm9H^Qz?p?0<&JbYwQaQ*05eEASSdA|oCb zGnuYE^iB*wm8-N;uaiWj(N|p-Zi@^z4mTgjRxOpfdZAJus)ZQGSu{cZ&RFcU+(@#} zw~P^+7qDg?>N5J|+Wpd;o~w5;lEjf{;JL7Xwvo9p{c?j3hz`Wrta$K<$6;6Rjl9E& zWz{CIBmo(yot3p#3pA?~Gua$4jv^2FZHC+qds&qXcZ85Xp$&3B_I?qTl9IrqdlnZ_6 z^aoir&{kHNoh!sq)b_~MG%&z4%WTQx{|eAgHEhn^ad3|~ zSpw)g`1~Vnn-^AKWWwu9Z!5U$CbK*LHVdX^hu7&iqq*WEAfbut z@o>`$cUvy}ayuh$}7tB(A^)vyuoo zo13{bIh$nO)4yALaw#}E;7AYWp($M+Xq1?;?``z}be*Trh!l*EKP zNDb*T7P&+>rVDTt*6#PzdA%v}+`H}d8c$`{LgaQ(A5q{j4SolN1T-IIN>%#JCEJ}j z)xLLatDjuFxrWiMJ*~Mr&_3KIh46m#*rjr?UAVrpSY_2em*MXy(Y?rcd@@Anv+ewG z!GSlGO$T~b6B<9XcY8R1HC+?+V0a(Z9JlM>MJ7GH-XFkseE>-JOc;qeyL(K_;62N2 znfLGe{O>c`E{_(%Nt?ubx6QK`*!B$sGci8>Zm)ZMr@OTmKBScG{jd_UW(=K(pwaAX9mt{Qdv;`#&0+fjP}BIxN?PhT-0<+C z5zlYeTk&pKx^?4mdy@sybuVes(Y62e*@9Dhj6~Q1ZSr(uectf$J+jogblD=)^SJ@8 zu|89s5v=&$?|AvSNS&gey(h@7d&k_ksOce1@|iz9(7v?BZu>Sjl(NZPXfw9@jRSO7 z_JTjq&-_krz{@Y-?i9ZdC-7h1bTC3@75FZ#5o~>hL-*qNdd=s{;gg7%ny2yF@@}^P zbiAUZU9F(7CMDApRkoCZWo-O52eR)b^NR%cFuD1cCMu3hoQnxD5E;h(G|jdT{9Qxj z=T(KAbn=TiLqAb2bndg0qY$pC{vxRI9gff+SqjBR(n=WgyMFG`Gg;oGAL3?t8=WGb zypbtDBgn%3$V^!2U&n#q7YQgq0%0%Cc|3sfd?Ics$%y`lPY)Y+QjMfdFf`axAx$|Q z0p--4XC~I{Lq3kte`g`Tp4gwsOVxbT7eL)UJ5hy2xKaFTM&GXfpnc#%bkl~#l$N={ zF6jXL?AKFI`i62v^}ZcQo~eHO)-eitK(^%X3#d+kY(ZECdS0tA7Pqt0`^F9|8e+XsE~)@zMQX+*q3b zY#wj-CP1}^wlX2cjN`4on>V?QSI=MnJ|!jQr7BYOgeP0Th;vMu&G(d=g_?^e3L`UM zMb*K!p|bMVMW0x%tH?JPFe({_4!p)H_^=G-C!M0<+yuI&umv;sLHL$$iAi%t+&EWJ z7Ztahv0Y~xgw&-i&ZCo~_lb_;xci7(mRY7ni^(Lx35nQ|2UsM@=Qb3A#i6i;neZiv zC<*a+KV0lIf1w9xIl$TRvS^JEZjNNf z5}P>1Z0fpY)P_~c68dy;-g8{;(au`llRz+#@`WhQh%zSXlm^YTqmIF!+R_wq?eO<9 zoypJ6!jh20Ut*r)b%ztB3OW9V+!Xw^Y0_&rHD8BPFHcNcGnum_Qoh`AtBgi?i_9>` zQJpXbM8he>N*b+JlZieuN1#5pOfsZ%^f~T(=X_1<5RwI9Uj=? 
z7&~RbzMd}o(s+|=(=fySVX-gjZ+W~aVu4ca3*P2@*NQR?^o+B}P-&6%KDjc^W5OD; z8>xM_yivG6l_nf9Y=+&Vn}&kQQ(z{w_x4+&)vU#?89$gMR6Ma!#)edhzxE5rn~lvh z8mYl&tG!Z4OtKE(=mG{RcfK7e*3@W}%TJ3oX_%fA$l4Y!! zNp(mv3XX{awNdNNuS)|ehj+wyo)-C!kWuIcWa{L&*Xq zk=uR?3@9OvmsE>nMzE)_I&+cuNXZ1aYX+Z0rk)b2j8S;F=rqxZ@*=qiPBV63^z+{q zsF>0p>;tQ416w=c31Il%^OuAA{!Af);GrP*{MN{Gj@~DUNWVak-q%&|WNwhF`Ux^r?;juG+^q5~8vs7=#Qh!cD~V9uXGhb~Jy z3oAfo(_#AeLgudu)w0$*gSLoWtVL}DsB%0m&B{)xnXnd&9}(H%H_WhSm*Q+FWcvT* zuDh9rg9q$A2sY*|1w&3}gMBbA3U2t=rWe^h@CLxS?Ad82XwTiTU<63Mm>WJ0G$AJq ztPkav?P#B~hyCPr&v}(IHvMUDpY6BsE5f!l^iW5uyYzx5@B6NjsrB2bt8$o{j?pnL zyxO5OH)}pKtFtN?q>l47q5TBtaS}aVhu%)HDF7Y&Gr7|BTX*)`q*8U8Z~N0qXV+bk zUe`y&gRgFfb#<3j(|spsY2_w(GiS}`uArj(H9eTGYr0pCy9L(szzz}M>n893+9zN? zm1Oj?0KF((vA>@5BWiuqPHw*f!5p3#lx(=(Tea7;iB9JQe1m3-}wxdY0iu zpb$%WIEl+0;+li{zvFZn2?ek_U6kdlBjU z>TSDfg5&%%7YV}g3Yhca>$8YXpmBljuqcH%tS5-reH5_GU4nG!?t60+QN#GUe(+=i+IJ?m2g0?38fabkf@Jz6MR(c&i+Rw3h(2eHXUY z`R=EVB3R$Y(fv3NTKT%`cBAXmIj$ljcpcuS<6pqrxL`<=-I!;j{~NcHewdw?M!gSP zJM(ql@P&$7=M-8L2DU&)Ry>Vf zlkB2)!JVIi;;*2AMMqFMllE$v(pqXstw1Q3iVuro7_fvz&-fw!!v)6&w=9h@HE5zG zNx>ma(q5AS0(Rvl(XwgflES+S^ORa6sg)SU@Ha%1OVyCoOf4_oBcrG+&OxKAe5?_l zR7*fgbdfhEM6lrs#gRfHydp~@%{T~UL8dK>tdeE2MHhJ2rbu{*6P|ziK$`MLXto?7 zG2i^Izb%<^+B;H5!d%@r-d2lbw#I}}#cLumI5|zkP@pgj)}+wvv0ne{tP5)j>KJsg zX|W*h?}D`Ic?Ey};lEkcF(hLmyo-+I!E~ldk^!hl#B*ht00laey9P*L&%IPKjBlw-hW z$Jk&NMmPlS(d+m$K7IPdO!=h}z%q&G-AKfJSO9nYqN3sm5e3r zjTZ?8bi0imR6ln)qQCn+z5@jt&(v1fH;mDNrbphOo#vY0*|Opbif?m{%^NF?^|nwu~N3>n?K(H>x^*h7InYzfq=3 zwi0%OS{hev&Pg~CaO5Zu4zGsGpU8_`GZjK-Nq%3n(4|FuFYI8S}Co_e(Dp!iF# zqf*`P^>}NE#u+cT&S1o^5dUU^e~$5+=QSh$y8o&9>z=4*GgDi33(DOOK2s_7M#zcH4?Zyh^R!q)YK^S%9i+#UlzT{9KtJu69GQ7pw&)L18Mn!(0Fx!{jW1 z58|!Y3*M)f!1M@txyv&1rAl4ZhIzVlJ_f#1u+WGr2&_N_$U5F~6F3`1!IF++Xraz| zOHYM{i^VnrI@%vhFG6e@CA{}RWBe9>@dJgwv4;oyCt-$5o14ACTgodGZ_w+66NUvs z(Bzg;lrDj4=&%~#~DPmaZl!~W=QNCLxGm2lKp7%E@bv9Vzb_pPj33D){M54*Ks82tnk3?>|2vK@ni@rZ2}CPdV_2 zd8F`W^v`F{(}y_rdM*8iavLqLfxi!5G3D6hz&y+{S&q1Fmnc+vpAHUopx2w18U9O3 
z!hX@l)04*Qu;t?$7q!R4S4`fg3AdDIac(8fivr`QH(=***PG&7W(Z-I%QlywXId4| z+GktOmCrJckig}caQh9^;ZfRs3JXl8TRoax)HeagAiAF{s-$>*oYTbo&Ea{;;*cY_ zS+daMB6c$z<#!&hx{;Z}Oc_sgwEBcnxJT@4pyT-rX+o{pz#ZykT3 zsAxQZ;VFd8ms6V}y{+SBm{oL+7~V5&8Tx>spCQ|6e(%q%W_->QcjMIlVCuHp+o_zI z_tEFez(>z--mMO$u8i(0pDsJMR_l_z(I}ayYyst5p zpe0AXwvY5pZM}gFKrQ}L7Y}%4Pwe8ZbVkC)0p7Q#J*2x~Avp79>_%+*Vzx6Qo6GWr z*mJo!WRmZ-F+q)&tL^4MiIvBsTL!4(HMB}@sU2S#-JVo1 z{VvNlx47L$)m$w$>=o>up4lxn@BA8$0BJ_c>0Zn0(|k|Mn5rA2pcdyNQ8nw7h}#q- zHm@Dv)4z3F`z;r(ZHV{X^Yi%>KfnX{=^bo$2@dvg{XmkPI0D-dcZGv1_Iy5_9HI zl`;J31Dh>r*y=L&89AkmR@IT^hef#wrXE@H7R(c+6j!adPMN>Oa4EVaG774tCjWGr zOA?0=2Uz`%wo4gHQiwTX=*);>anPhp0oiWYGZ13(bj@9{P)>gGxaAVO2LbTGG*5e$ zOr$?>L+{ctRw0bi*cWBzQM1$UvlRCZhD}O zMrqdTP=;iTXNRz2Pf5%&zsXdx5>sbOl`T~F#9v&57gr%jmGA}QqJyNE0hq^55{v}1X;Gyjapz<>qqLq|ABBVabP%%r&aL3 zJsH7Xg#NNl60SGxC%g>9vrQ0I8)+ug-;_YCjZ*7dQnh;GJI0(=Y#fm~QL7C}5mi?D ziD~UCT$;J7HnQhW2$XWEH$)(}=!RJbY1Yv_sjvh0I)b4^2aGL@N;$O`%}w}69{8p{uQV^%65=cb;F&G-!1U+`C$kgUfp??){nreVP~NF*$=!M_=ho*dw@ z&jeHFotgsr6A}?ivy`zAaC{a*Vwsml+*RrpdW-c+z*?6HXj~v58r(dE&|3hC6mA^$DEi}4u1-3MR%Js_VsCC?07I!LF7AY~fFHWp#6X!|6y$pFECLXf9jlVf+nua* z*qWO+%#m7oknCmFni=EfF1grvVwE6?Hum2(HXB>{fqLV)K{rkz+A$zx!dUq{+`x2a z+*T)=MEBUGc+gUyX9y&*eXpcjW(gITyR8;wTQIT+qr5FJ=)eirgvEaz9Yv`@pGm31 z`fS?(@jHuEli=q|-KGT$ecC6|g4B7jWI zDym$0B_s)cwFEjeep=2-`5%h$67q^>0kP>&Bd<7RQX;(xk6j`w6ISon%~fB!27P8Y z(f=#=-CX)uA()b20ka&i59$pzn8S4Niu-m>aEA}u{Rk29x5Bg3GtxWVhtS6xh#WEi zJ8|F|UfLTU%mKN*%eud_DCrd6zQy|rdwQ*CmbCe}sj}*u0;+!Ad337ryu0*@{-L+& zwfY-edqkCWR-dAG^E#?lHM?mzdByA4n?q21X~E-VL-o?zf5+zSypLI*w*K)PIQN$} z&C?+8f$JXU{fuzB)1sdQ=T6SauFbCKjZJ4S=)z5%B#^rO75dN(-10hhc<>5ibJF1< z9@>!v8s*fY?Ho7J0(-KQwJb1te&w22ziqxi$kx4pxvHnzei;a#eAK#FL28?G}vNLQ~us9e5!HD^!DZTOtP;v>)#O#4J@Xq(9_ZnW>sV0Y%*e)ABrDM?9b zNJq#O=zNKg8Q2oRB4-VzhZ!r_kK_jZy+jm%7WlC=3GPJ`O_dBo z^O?&8j=#l#x(EH}N0WJ91UV_0`T|~KYJYtwl`_B6!<41zE*~qeS3;+8gup+ETx{*Xe;gKl)|H zG#Emlb4d{tT?G{H(}|J_C-}=)8l|Hm{;b}*VEsR;zA3uWsM)q-8=a2Xv2EM7ZJQl- z(6OD4ZL?#0$F^&}hDC*)w0Q5VO)zG5u+p`Uj;d&3L?7R&rW*&X;Bmw% 
zHA;8gvH!s~NN+6^gYkF0{PPobh}Ck=t8%3= z1u!_+@2VQQM9pH28<3LSE%Iu;OV1O6r7(JW^80JEIhSD1_D^|G?f=zsFQ9Jn_zaT6 z^>}i%0YdF!kY#qL`9l?MaSu@PQ|CnquD<0;KbexP^9g#-4uX|yENCPs2=A@dMt4v- z>u%cC!4Px8T>y0{4v?@EBLP-C&7&wPE0eq>JA^T;sk)cVxIbn3yz#5eA5c@Gy&a>F zo6s3;zDayNJXlV{s`jYlG+Eni94#z0a7#juj6#d}z2NTwb{vzfyoVBNauLw0SI;S4 zq~SSsLojmns?@Dz*~ml2a;(DGvWi?o&Nqvg$z%jMLO(P|=EbAJ?ly@5e_0|ES#uIF zcE_BIc!lzv<$wHWxg<<-=E*fnmQi5e>~oE@^;7x1YQ=FQb8v&k+BkY!p*y2?IT_T1 z3TZc>h6Pdf&kP5iA7zgw?=6nJe(O5`MEvzNXg0ujDJXY0Wa=-_3X@$x2`s8=A@0~b z!g5`aVWK!iv(GD~jD$lk%q4n_yr%lC3_T82CrR=*ODac=Uz#RnzR4;j1v=d_2ua$p zk2@!ESClJ*31KleG?qDBHjUdzU z*KLl_(%mhd?=c1l9_M(sUc0Vt>gIK>YuGZxUAWE{qP$O3yIv+uzqZ9%?4;1w1OT6kuXHwbQ@M?zwgR5Ub@{!>?tzDt%N#{3M4xVQ2Di(ap5Ko^ zPm>=saqXq_r-JqdY}cvd@@f1o!OX^Y`x1}M)8+2GdL^0%sahX(`lA5A0;iTq*sJ9X zzw2f{bFaa$t0$jh7~n}TFd=%Rm7vpI?_(lv>+|#Ro-^>gkF&-vlxwGDNZWzH?7o?2 z?2l`(E5ixFn!I86VR0++a`&NPDc{qHey_mer@KLB;K%8RqubuPXSK^F_)A>i@bHVm zmg#%#?Ra*C2k+{(-6sk*s9Mw4qn_JqH%FACZ^`@ag}0~k<0FrOzXKRMrDIP(9(5tRNC6G)lcI=^LEF3%l9t4 zzW9vZH0bbu6$IMIgNBhN1Z}&u+e$slk8$_B4MJSzCy~VljNdB7~ zl-WM_td$>D?0ZPM8N-`-KV^n43KD0<0~lZckP}axHNS$ zDMue`3mp9xiH=L;t5d9zBj&p)T&j zgIjYyDOCL~*m%>GnzG@{ih|*cFZ`k`W==EOz>ZJFx|sXl+p&G&PEBDN{fYjDLa*f0 zi0p9+IDy9NZxU*0$HBLY(dVDPMt=~~W6M_vsz;?e#`SBcCY`-XEo^v(y1^- zRR79eV~EYa`MYe`)NzNL`5+Tj0PC-lb83ucxh7t#0_#{?bwsntaaAT+%Lij`K84~8 zAJ#lJU&NL0H?i__;~bR?4zzDYzwKH@VIK*JWUCT1Z4<#LPnPfU6m!WGP6B1>KX3*H zwL!0ofju|edtY}B!K3{(0!04xN;Z*}FBzmtfP--g5r#lHap1InVk5IT2ydE~(Q`@! 
zbEdaHKIlp`gXW*O|Md9+mMVJmcCGQTH0tubR7YS`S>TdM&P)j_I%cm{l<=x_NxPFx zmMYqO&N9|plSa3LCehv2B~+Yqm_L6sFoE40qoIJg(4331VOJ2YquVMsYM)@rgaL_h ztfi!G2-p8qjd7W`pt8e@nheIq3sQmZ+8?7OHvZ0+){QpP zqVc>{F)n+=z zrNH~K_S?hHh_R@nCKwCB46Nkw02bPl-Zbu;+NUJbD(7CgdG7GMJ{t~zbu&i07KI;N ztpwyD_MQcUAz6K9?$k(!!#6qJCo5L#7z|OQOl-4Th02jX(kv10@P@Wi2XUE-nl}42 zp-AKf+Wj+~JeJ?|}Mav`B@Y(2XY@>?MNO(=AYZ8$?XzG>a z{psUWp%SGjDhlVe-SzgzK4ipGa+L!P;)^3W`HYLSmI!| z#M8n7V;GXv5~CvLMTte)n|`C4mR3)9cjR!|ka$ZEyb-fO}`FozcO4ST*AEVPkx3-l6U~ zqShf>|N5vgPsg=>oZ=?ivX;N&sQ2b$U|la#eopSOFfE|T@>Fr2kQa1x%BiUm=sb{J z`j7M9xrU(Wl=yKrVeM_HILfwf!kE{&yF+h4XQ{mPi0jqrsGy1FM6cHrgoEg{$aHVY z=34K5z3Ia4I|glR9jQcAm2itH0>08 zy&{b>&(pb!pIYh$aTc$0Xzz{{a?qGR%jbY{4mGM8J-fTU0UKAhuePs-rxepCTxl<# z&oQ?7x^K@UxBc(CiTs+j4YA>7$~NyGI9A{D07OV5wAIFkns3%-A2*BQaeBa+wDj*a zt#b>s{9|384=|E+nv`YsH3!py`#X7eb78}8mEHC3_KZB53fmq1{=C`Fw)^eAyIDm1 z4}UAX0N1(w9)s7Np|7W>t~Gjrz-wBbaY74yc%r!tD}@`}HGj(hpND~SVB4m>?zCZR z^IUY+rCC+?=sQYx-6&D+#%@&3bBhLiP5bkd?v-)?+L~nG$CGHprqk(1?%9u^hj9^nkFOfX6J9t{U9eyPiEJY_0TJOpSyTtBiz zYiL=0_PDWNit0R;70B?>3Yo!H-Dd4Qaga!Gg;k<-UM~i5QbkeX^`{2(9&!xps zA0P-N-#=auZeFMr!_-iUmRDx*#a4avw(nCEXW*5W)-k*o$=UlxCC$nSRo<1=GU6e9 zZjC`?vzM`Vy?x;!IWBk=RVUVKbSETcaifK9#(m|VWedI7+b>b54vWXm2rI*Z8P&gAB zeavn#y2#0@2L%(-<}ZL-yGUH9T(3A_4UHfTcdc#RtTHC})e2)sdF3p_qyYMtP`09W z7%s_Qs8nJ<&Bj?^S)cf$um~2E4Y)jwcs!0wP6Lvq*_^zpi~#ks3rpov1WTDFSXo#z zw8;X!I8s@05ix64o0DkG>`%?f=QSN=j8(3s5hTa6D z9zzmzvdV1E1W6))2}zDni&<;dc=p0mTHh{3jw9fw=DC^N}9-{ZK;V^CnNSxtZ*2;%Ogknd3;qk`L4y$wwqQ$~gcvL@h6W>BZQ&N{OMy#46w+$u@B^0@UV5$q$U5ooVP~3r3AI{^p?1a=bP-_#=QViytN z=k>{dtG+?xNaYu2S!r`{QlB?3<~vuL_>@vhV##H#!17M4WXkc|8E~sm%@pELZFC!a z=G6f^u~ia@>kLS}2~&%pW@p!r%`79$1PcAcIV2S{aMc*p;yCkk&m4WdS>#4bR# zF^GiIH`x`k z^9(%!x~TzoYEDbn-ld$H6gni1g-}v zy7Zl%&+o?{Pm{OzFqii)(tk921HnOiFq95W8x*aeSDHn&-1c3!{YBRBUcbVp$r|1K z5klWv9Y>Je#7$cYw&5F2cl$#0p+2bXHAV3AAM<-*1it3yG|NZo-8HadFiCg&?js|j ztM${OcEq!Jyw%};(kW7qz<&XEVY+j!`?<<{>fP4o>4=DM)G<($_H+7EZ(KkARq&jF 
zo3Xq9)w9>>_H-a(+52Np=55TCgGLv#<$ZfH+hv#)uNsK+2>U)+Z%Kc@(V@xi7(kTtz{&0HzmxT8{py@J}lMZ;#sn|i$dLnLF+wz$$%He%f-k!Dj zeo`Gx(7b}+c+GA((T^cZ*t3c}fh6qLdu`|hjQn(6+79eG_H=mr$GaLr*frFB8??_z zarL?W>U**Bj{LBUaBN>s*VzxYs+lEOX1l3{Z>-ttvl=ejU)s}j&w_LuOtk4af+2f; zE@|u7GZEsu?LLBLYk#{WgJ)$a&a3yCw!E}>eCaj0hVp+k-Y24m#?Nh7t1ogH<11pj z6hN@@^qntT&+C&iv6-&Sij}i0vgsS}zWqM1=MOMs@cd7snKMqZb(IvNREpw zB>cyVTceq&j78;5(54cfB!R~%(Xc$>;_$1WLmcJ@mMNb;nsS*+NVOYlyXsk|&v;^nDN(n+M_tP=h?1=-Sh z=1p=`g~W=^_K>h|3L9Srb8(Fyy?ms6F{iMbERZ5>!z&9WEZAHW3TS%B3{v4D!Yw2+ zWEgjk4mA4Z#zDqn{te=t)&v;Vg2e^o(%$Hqc~bjgPZSn<$tukH&u@v#Y9{KCV>F|f z!cxKw?yfwrzdQo%0{B5=%xYM86UM7z5UU;w1n5Px|GZR8{04%tdNVR`X`nro>XP=x z(KFbMOS1CD0Iyz)M-oD_RYPP-W~E{U3g}Vi$x~XCVr;4Jeu`Ndvj!XsGLFw2p_>G&g4E$#AK1$Ew^;qvjk zPW%~Ohx2cAdvc;^$7{v}e464dH#-cqILUft8+{)uo_^u=VL3W_YD5bG`Q}}b)l+Ce zdiB{Q__C`r_eH9_)SZfr>^W9Dw6w6jPP)w!lOQ+?RdJ(6fhneJ422B?A+}skdZi71 z$)euoohf=mG@J$?6EW`ZqZ-+1)3|mlxUAOF+55MWT^u{5t2X)(?u}7+YQ3pKx7s<4 z1dD1k)gv*RNLJ1T7suab_;TjW)+839-GE1xVr00wlRhKS_SFV)@W&5u(Kyr1LFtZi z6^wdPDh*5&UzTGyf3hcCvqlXoM2gm!gP$1uMd3k1)ZVP=V==pd?~0;(xLGgxf2v<5BuCcZHkamcVfmzI`S7fpX8)~Q?H=Qqu`9+_4tJr#*3?myL<9l0i9N(bFw4FJ@Y6&JMe zpu_*@#C&QGs8!YU?yx)2SnW$r)T8yns#$9FUM3f!uJ-!FbEyaomk0LI!An!v)|b|= zBAYm0{ZYh8RooxsJ~4ocf|bc%h8q)cm@PN>XtvV{E}52nB;*!d-NFY+qsIaGJ+Boe z(ICuWpD0tWY7ebYFYp*)P+WZ29>bd~#XSV69PDBB8{WqbI$=S(3;WqsXtR1CoP*^z zvVz7z4R_L^E)`xX_3-k#1y0eNu{ix3VXZkT1(rEax7+&EOx5jbX1?}OhI#J)lvflu zoZ;KBuhf!vkRR)@Euvu3eGPQ@Z|OR#*6Iz z_kCHvh39JiQPH(U@3}KeK-X%M#L@4`_4RPs+di^2jGohAo(odlU^@`v@a*tv#Wus^ z&9bx$xH}c7b)1-Ul@U1X=IA#z)>zz5r0+ZG`P}A|GZEMEQUs`<+7j5cv@O!$?*gse z9TNr^^%gl=T|bS^)Z#j-3)mBVwCdtjK0fJvY*8-jegpj?!lw|ti;qt#>w{@jg@B7+`j2q{{6Y* z_ER3)@UlWO6s1qpHYO7B}4Di*W(ucb3&)pb)qf1h^)EKmXR}}W?;v2 zKw5Usw8ybte$Kie=yE6R-c~Ts;~HS2h~Kbvou>0T{fEQvnQ`UUdo4XI(M2!7jdJ?G*xJ%E? 
z--BfmP_r*jlx+9ZsAI>4_!n`Dy_-_@!h;=Qd)92mKFV^N=7f%rT*}^s3Yd-TL~h8~ z*4-mG=8XKv?Wh_=Z+FV5TA)P-Xc|%+I2SkalNG%xGo`sr+S8$I_p_0~Q{Ko2-qq#J zYyyJHX~<8jE08RH2X9m@{AIR6@?M=8HW>KpQ*Q7p)^*4v15b*ZO&S3L+G!#j$o@&0 zzf+NGPN{C5>~blAS}0#fEfy>OZ!?+bkl2)~qBx8N37}*C(~!y1p`>Z$)HX5ZP&G&o zjfR!i#<(n$fL5KRErgDbWDiseS^);PTp?M~P6)(eES7*3=nLpXzQ~@#ur2bB7CCrUeIEQ9O-6q6+ zSx}pnl3u(h5nOl~Qw}h3Z|-BV>N?=p*h22}5DUa;RMIUgQ|8hxI}a)brDZLoBR6h+ z$+%qu%2U(CRpolUw5qrS^~Io5preJ3)w1PzAg~rxx8RruqMJQDA_6uN-vTNO^XA#ON8^V`rQ?xh8Ir_iRZYcOy3aoH?hk9{rL-mhW9X~l=K zE?64`7bzKfHR$9s_L;Jix4j=EC#i%`!Y=)cu}O_|skDFgqnK(dDb-3!HhIPr%-}X) zu71FP{^q}S)}oqEfh3nk1ZT>?0I1N2Cz(*Ea==mj-H(}6rRH-8&W(hlEwsvGD38-H z9ac_?kng6Y6c3&hZJPw?sm&(Y{yck@r&AQF+(~qdz%kH>yKogo z!D8%(-gl@Ld5PVmM;#_7s%#?$x55}i0SFfBHLthU^VBm=rYO&_t+G8D@fw}~NpHE< zCNK!V-+4^8`1NOgy6N#Nj4vyPz<*EB`VQ0!(#8Hx`B{~Ai!0ilh4)IMOuhJyfp?~% z7C#ki%&5v*$zd@XWr01$$K)Eh$NnQnZ7lyURH07^oMi;!m{N#{YUmA}Y|4POCj4G% zmc(BTRaY2h0|aYWyhfj4lAv7sXGDQ-jUhe!zkhUO-~`N9NpG3$Sn3N3q7f*Lec!Pt zm?!j9aY%IPKyL3&7cT88XaO4=Hbb`L!P!Gm%4u?H%53TYTXjVUtAmw4P>zNcR*5mH z#;~=AIA&?s!m@b`M^BQUhaBg~z1o55*N_BgS$%&`=}@UvMdfZ8BB%VPU6N9BL#^Q+ zDW#bdJks{+LAhYV`md?vNcTRmIt>#l|;Xu8XJ6)?SK75Nw^9c$+Ff&%o>4d^ki*W27ig_zm+Wj==Y<0G9#nKpvwRBBHkE zyZcX!JkV=-boJ-BQ<9-+2KcqVDI&1bo+zBcf-KrZ4aKyVEr1@85*ABK)3q> z+Ut+=M~%UsxJzGbNXxmeEF{wLNh$54AgajjxJ$&l==tK3wXPUW)?g$AdkUJ@ zp#}YRJGKdw^aAcCfwG@_na6&nTf@Uf8Lx2`TdFx&jC>0G_IMZhc)hJBA-rG_A3M`m zG>+zwpM9+X-dl{dx^KVm3Z|xek9uqkb$8n)axQZXncttfL=F8l+U`ThUd$N;5VOx~ zp9(jp`R$)O8ON(W#;2cif#U>&{P&Lf7YW6jUb{2fy>CZIi3`v`JkvaVYH6(_9FWtPI7cRi5-b~I{?cKYz zao1)|4Z!p3X~(Toh^&Wzp#RhL3@)u}8kc{)t^>c-C1Uq73ukP>GvR(TWkqLg^W_+2 zpxeggKlt;@eZsEedY9|J*ZQFU(8(ezAo~{JJznIOlq(Fyc(&c~mZ!DkQ=iRd5#TUr zxE1&{3_sI4AE>mNyBfWYPQHqu2U^fU1sOZd*h;xr^C=}U$&W+ElR+estGZ~*^kK3P zVi;^4N+J`W(}^6=HAId^BB>a|IIhO_N0boDD*X=D*tl}7!v*`fh$-ulo8YraO5lMg z4OMNI{>M0x)S2Scw_KrEe&_K{Dhu+HJgca_T(3Xe%XhIlshck-6X8uAGw#I#Yg7Es9fz8{+e2V_4c!z43HT~dVNhLHK73z-aEbA(pFk)55 zIU^4~9E(|aaEd86EczXpZjOf=nfQmySL+y$8{~=K)ZhP(&?w_TKo6;W*_EkA?^ILD 
zf1fwICEiw2P!Q)k6HeU}tun$QlWCU>_nXikCJeD0Kj^d*CfNqdQ#i;pb0`(#Stv{1 zew2l?CufLq;x3-dvak8^k_eMg%h%aa7Y>L=o*mZtaoNjK$B&A%UzH*BS0TajS+)?T zoG?j2BCi$p&D0+n;7c!vA)i3vl@_~cl_T+rZp#2Ja906mpKai}KLCnkFOW9_ZAJvEQ%{fL2^Ws%%eBT?k+SK@s#UP4>Hx@! zf5rKyDFEa|LGUvk=bH)KXY3CRlUC9+3Ah#8=#6y!3hlU}vG}x@_srMoZ7vu>Lo%A` z3&GZ_?Lt&7`Wg-3mA8VMAp22?2J0CC*$?dhkjVcHVp7E;ba#!S2n(WV#E|Dg|tONZ4E}zfu&4X3TJ9%yf8Wht4o_**c@9 z*&t>18VfLH87c=+H$qOD{;I9>P0d|ecPgAvR9+-@ZH90cuJkQ*SYZaK$^I}K7v@eg z1sOgEzEgr;^G-n;Q;6C^xSBAKeAI61ZultB%BH`u`j8nsSGp9(jbY~ON{z8#EIbp3 z*(=N!D+VV^$6$er#y>?6>Vi9r%wO`usYMgnhtPo9={lR|2ItXdA3gP zE{TUh70NqVb{{1gj<5>E6)YZyX$A7&>+DKU>9@N{gRc)F7WoT^k$21@6L9)v(7`|{`T>Er^y^Y1Mg|q^;P#=qGnCgxbH|#Ge8lI zr4<0rxUtV~!_V*NVs?ptvt!5!azYAt7#>@C8ru}S=oy3hp8HYOe(Uw>s-Sn6{M4~X zi&q*(6e=mud@&QN!>M!H<~hx}>?dx{srUT*6NtUxHbCT{f85;I(>Ze3DyXT|g&@?6 zPk&DX9J!vzLEj-7H+TFOct_&AT|@P|aA>pta~UH$stypH+*Al~@Z0&OFCr4V{`fPVJ?k3(e(AIo ziuS#qC*zhOitfGaQ)uJ1<)Mu@@d(3;jVenJn$d; zF@iCub@f&7>oJD~`sa%ODLxg6Z2*!sD}j-gwmrJONV^7=_-%a<{rRHt;zFf7OpgvV zg}ANh%0Lg;gMk|z6wF}~iWQ|KMbl|f-$+t*`OH+^`_DwI323LSw22yH-!KYRB2np7QmZa2ofA0(y>q2MLfe*D8&zGtsR)z&=xjI<1A+ zNXxyMNYYcR)u9frvWc=WTjlqwZT~Hm7dW96h70!r&;L%gjQp2t0sqfrIr?%_a9Yw% zE-tN7yiw|$gzG-nSn^^SVGDg>`A>|Dv#cb8J-10W1gfbj23wX`7{B#XZVSv3>!DNL z?($#0)pX^Ozf-POAw@X+YId-}w`wH2g&a^$^hSkUU{LQuHGef1WGqcdEGIzQv7pH= z5W~~tl=oYZb(hqwv5ke|CwM|X)p5_!(rGCU-^nRBe+4r($uEi{@MuV_3hU3}?#;^g zq=NhmK%6UXR=!Jt0*`qo>&Jo!Ztbs*AZ2VbpyJjMIbvmGO)=P=RUc2P`LoQ~B)Sa} zZ-{~p?T%;ze@@JTLk6j3%VOc4R!U)d?Exy$*#Nb`*}L@oqYD{$8GL3WIm5Iy0iz*4 zrMc4B&{Y|8EYGHk+9gJJ5353gw1hjmO4 z;j75fo}!|PPF3jW;y;YvQwNWfc{q`7f_WP-TltG|2PeBNb!lQVg#s%YubhIMQw%J! 
zZLsM_J)&~LG1T=#pImTsV)^|?9}dE2QCNui)S&4(ubogM>#?P|guXL((C8-PGb#Y^ z06vV%bOrp#Ft)E5d^nBr0c&cB@s|>x$`yPpv?fb5515&xf15(g=wxH9r07<-)9WRXtLA)S5T&;l9t{{Yp{0~O+ED+{s_{?p>}M?6SP2J^ zmTnAASg>;81Z|p#vNc&)iWq~<3)5UOFr>!2aqIs+6Chs1Yte@1o2hIHYg-XTUxBza zTDuYA{eBZ5II|}fYr{5qAvVc6g}FKl-cFVQodmUCMbxq2dCT{jLZ}Q391>g` zwt!rlha^6<_j|y`24tIY<4m5*b;dFG)~0K0H_iRD*U|oK4^uX2uLm%MIPXxfJOj9` zX}lvK%LjMW_)-lT3XFZ9&egoQd%P#Y6c$1cWx@xce?)wI2SNlwyr4vpqRN;sbxFNB zM(DTfWdiFpaStkLxg-PXfDU zLhoT=MLivSg6+V!@Sz#Ki`RhwUB5-EEgdr#T|C9jw+-&=CqsW(htRt%mbK41d0|BEjEQ9se4_%Ip=gdk+`K#79Q*QG^PR$LgKY0$HXUZSd zIi6bqFU|K3e7*w|gRG99SFTVGb?YAdpD>mByysWdM`{7VUX{6ChldlN&da{J`p<2v z*LiPFJ|XS_%^F@e=K#U%HIVt$=|0EHfB+-GbJoPP*U7Hp%giDeFbq`Hv}0IF*N)h> z2$cQ1O)v%GBUUrXH3;l&YTl3tG`##B!KmBQKHw4fEtA&@h43@_K+%H01NVJr824>) z_)lY+pp64TmV0Qg>(f#5Jd9q;R5qXp!PEQl%O}pWS8&V!?%#yy{Bjbt(7^a->vK-^ zt^2#vy1v`%QbbMQ`JbGmBhb#$lp)tOrVDKLhHpK>%+_T!;IX&-fV=no)xvd4 z;3>b+u0)=bMoZ*ZY>C|Lh`!G6kDxHr-RR_HP!_^mHc7K#N}e->u*4EKj8 zu+Syq80Dm9h3ozVgexnP`z?P*>X$0Q6=E!7AIqop=Al7}7ZMLwPEI~gHGa%uxqz2S zwo{kyno$rb*HukopRKq}iqaU?{bSZT3|_BELuH?J;R#VWpCIb!<4e|&g6^D=lmsCq zRL4Am@?s}`|D`Z$EdC@CUgH7xF-L**Y0l{+vXW@?w}n)$K>D||-aH04-FmbUr> zP&a-t(|JqRWKcbBA~dqQNA4(X?BAM1au`j;K`k7~>RFM-D+7 z6eroC-Mlb8OE~c}jk4UJTo&dhYkj&1;h%}02~{e7kVUxkDmVAV*(+nL?7fDrOwDmE zR2m`gg=krQx=}Nx4rw)oP&OBJNj(J`stbF$|H6kNzk!>kAFW9>6QuETQ&|3({6ir| zq-tWUQd6`EroN1~I|_I)_C50(3Z57Rjjm&9l$kn7?jLG0Z{ z?7twbg{3*Q*fVZMj;z$;JBBh1CQy;e#ZlVe`qS-8j|Wc{s|)KL5i@$UiSm0a!F-m` zB&xXm?M%DFmG-&W=|$nkIUqstA#O@XswK5bj7klchm{(-cNe!%9arDtGo3uUFWi}6@v->^}31*T3e zWjbKPYsHnBHcab;!Jch|8choMiosPG1ffiyK$Ud)SbnNw$4VtA<886b!h|d=5u`By z6JIKRsKPsqjW8s}bZS;EH80JOuEtG+@^r}zmzd*{e$7K~fALryxI5|bW3C`d<7)^Y@Ml6*ijWzm5K~jWn8>rUdCnqA$XxyY{K?SH_3TLop(xu z6b3K{M)Wrqhsk+3%Cs%Qhj`ZdWgrMWQn*F5Lg5#ON=tE)MYje{NlwjJM(FY+br-zn znK(Lvt|@uO7-yspn}Uu>=Qh|+>~+HTX(|~NDH6igI|m!wxpy&EeW%0t9dE}y1n%tW z4!Cm39ew&acm#wi=p3O{2>}?`0SyRGS{M49#=gHfSMq8IWa5O)kj2a#8!>Uu4QRGu z53}?BPCn8)InYDj>-R<-eo^4ThGfRa`pPkNyOo$d^r@A^FT6eKkj9SKs1_$C%(+&K 
z7hPiH?$2vOA|Cjah90P1k|3A|A)kbC;EcGV{u% z1)|^g{s?k=qBpIKcI+~5d_DG5?0!#Nv~Q2D|9*FE(0wX=UBg$~E$W^&;OTe0Q}}FK z`*wwE88UNm*DuMKbSWvjN93nh#M;ju?`!div~;c>S!4Ci2a?iOy^uX< zv-6kr50|!7zuUblYCpLgnemF%IjhU+ z>0P1cy?#$y8xqvrUGByEc`!Ug+3i0Hv9xV_{-97%>xc6}U{~oK$kqLMLgBet58-9{ zxW%64?YMdW+D@gPnAa)K#0S|hi4<(N5FHFs4? zAbYy>xZCYD$#Y9_J z6_Hg@S@L=H@|hRPG_rl%-$WK{+KWD(ZTp7>mJqrPUuJIkgExT4ZoP z3n1ORK+OME|5A#KJTWCP?|CA*;dK?Zg-5-qU`|69pfsjx!a?_7 zlBniGQ6nV>A7WS7_szppX$p~fVg{E*w9O+|EQ)lEk&`u7XmzZp$jqhedhwx%$B(OD?~Z9$~`z@k8Ae}f-5 z$({A)eIheDb+S?%DK*dBDvWJyj8gVp5(tUxlOkhYOm^^8izRnEIN4Ml=>Jso>aB+R z2A_VWz@huZphzIe2Wv%HF1DSF5fXNg)9y^kN$&7YiLL#9FVqO+`#OL~l{Ne7$z9yp z-?%@-7v*|jV15+-Od!;_S;Uuble(`g&Y&%vZ!n;ZBXI1W*_efYskT= zBcqyF5^2S})gDNAk*?lGfthQ%Q*dee)6f<#;ZtSFl}a$y!c)gaH$VxK8uRltoUH(? zro>6-V7AR##UGJoqO07RG)>-ZsAJ_`MZb&*72%aw1$Rx$LC0r-km63eTkgB8-68}S z1S3n=Rx?~D%Wfjf%_tE!VsSVZTGJw;h?AU_%n(hNnR zpYY)x8XrOE!a zm@0QN;io+sHPg(HKxz{rkNQS>ghV@8#8uZ9!Jc|pDI-v%uF1fr%f*AQS>zId6G{&F zLncV;Qe^jTGaSQ{DE`Bw2T`gZ2idRSw;!$rn$1RCFY%;>0PsYd)pD#NeoPmEd^3n~ z-tE0L(ZRiiem0UVzS88<8o34JonVxc`7?z54-6hcE@IN|cc@pWKi2h%3p%8n6*g0H z)g|e|^xJ0^s=|Lc_7)r%5teSv$l#FHBMlftWqYbEQ+~2@gm3(||7KmTb2scyql-IH zQfi5*){KX|E9Bj!Y+g~fghZ2LVM7&CRsIrw8sCizQAw6+kAy&90Rc%UAos>Crr1o+ znIkhst{Gn}5y-}IAyZ0`=A1@mq=|?`0dRx&D?jxS=d6D2fZ`tdPMU8?OSs7*1FQV) zj~IavVj=}t&}vNR8=hAoG03Ip4yD{^rh%_$;kk^J9&SL#JF zm;B8X41U^LBRMUKh^;za<#pv=ol}Z&g}|T@6U^e<*cBD+bg*cfc{1s5!*}I$^unvD z)R@pxE-~Wn-O`vAWebSznFR{0i`L;hQ%a>E@s@mFpnNt+dTJ8nNAa}!N_4O$y8Qw@ z2|{IxAz}JIWL;BmWowx2xZ{p(b!@AXj-7OD+qP}nwr$(CZ9C^oZq+$Jz6nmqbzPcnA0T1Rs(4?dwFEkDL7X-@&EGZXo2`%VK`C@|qdP!==}VGDawvXt^je$iCFeu1 zk0-Z>xYL@!%`QHN%XTvT!V2JhcwRK*+8MiUGP;Jgd5lxio}YJMeZcdXzDBbLm=&|* zJO(*l9AZ=3>@(odutE|}Vd)J-l;w_E-47FK9IB$X>Au9C>9)I&neiU^oVv;RxNUEk zarJD2inKyE0+=}V2_#9rv;!8WeBADcsQDajQ7Ak~w@$C0&a1aD=s9-Py>axKOiX6l zp`79X}Ok5v~0)F65b+UThGW=S-s~Gndr60 z9FN6PgLAvpl!G$YJBEv;)BU$!FM??<`h>->q2p!@(Al%oI3xKa?ZSCn(hsQ0vEe>h z`=`x!7s{)n?%o6&?WPCVY-@S|YdGb2ur4pN`P**`K-ZIfvkXRV+qFFfe7j{><7Qs5m)wsN! 
z>TUp+xs*O>sq%Nbr(>TOo|7lIsS8{R73CC6xy%lvAzDtMQxWdIOnw|`M5-dQG+XSw zWd)kbM;AWtqy42J54c)j?EvPBUnyo^TG$`s@ukS`-iftDk)ve9C)VI)F`4UEf0;eV zg5Pzhs8h=*hS~U zhAKc$lta#9#8XIXi}bKkB11kq3jBKD-xX=)D(f zKo=e8Hjc*jBWyWq&BJJv(3UtO{A*Yb)+nyz#sQ&6ma~(02c=M9&tNW3V<5 zvFi5RFzwdjJIw-wq!BGdltKFBDP>t3J5@=Gpf`UYmq$coMcZIa8Xm4QQna9TYezm?C0czVoFKBa4Q_W31vHV^%f5{FLsk{_Dngs}2;+;wM4XD z?eXGSV7&bN7kUIfi#zlE$pu95f<5s;C*S%E0QpYR;EXKm(o3ONfx>Y_XTi_}50&aU z2O5zJGiHn}DKxL$&6jnTPqa-X=u6huZBI2PylhkUUm8pkP;6vX{$Kj%`5r&f~! zmr-2JKKAQo2^R`Ypv}Wpn#Haz7Wo3F_QxCAwG23lfQXVj*JGk+Uk7LSVuR+?YMR1Q z_h9H_KrL&ckcO*FRoj_|o1_W%^h;qWBNO*zmUR3lkpdb*hX5a?ISj#*H>__&yYxc+ zl)Yl1szxh)$mJi3Y?tKl7N`SL7g_GWfzhCxov2{vOI*9e{8=AuVAOl+^a`V1x4@w$ zTA{3D{2Arm}(hfCg+SUgk$Il!oHE_~MtyTtsKoC@vWX1Hqn)QHGHTZW!enyf+2 zx8zd*5&W9}mb3fsi@jTF4Zu_w-~D`FpR2`^RR zHa)BBtFGdNdS9z`^DoV&H*Z|THU(mQxcuytP?WelR0a8pn5SP;Lxh7Q9nA_Zy7`c0 z;#PqMAcTt#r{MoCepj-h{f0L-tX>F=2v`=X4Cl;GBx3?&y0@hoY$)b=N=BNn^+%U% zSB*nS|2dkrY&%~%VOdqQ1cv1D#ZqLaP~z82%0iiU`ny6`xWZ;GjR$n)0&d$Ema-LP zR0da(1M;*a|5$EvnR3P0-*;bEg7WCC&Ukov@^%((IIWL^8Pf#vU{W^|E91!yi1;pY zpOg00(}Vm$1C-yt*U;ey_UVEKjFwq=Vtv~o|b}kw5+M0R-aCXm2-Xm|) z6xp+b1=_vR1qkw*Zkx}`cI5|-(rH}scXW<);(45KHm%`oE@x@TlI`#nb|Snkn|)|( zzhI}ZPpe&F8$a!SHpoi**ydK$I5~BGBJ~n(<8QwAzga-EOukh^in)`(hZdsrl(x2x;O8r~`VG|Tx4o4Rg8?RhNL*=l6**n7UytGQ-r zsdhwZ_j*bv*tVm*J!jmj_tt7@6c>SU?A{3Iy^biY?;wmeBa>xT)yBI z+|sepW}NwR4)ysKQ={pL-SYeMr1k9vc(kZvii7WbIpqV`K4?%c7#x0DuTHq8E8%5S z={y=;aIo=t-M67%*ZX+Wz`fmcYQm^CM?c0_^4hH?0G{*S?cYek_?X!YSVgiKewNjTBEe^fRhs0VoWyl>pWN8Gi9 zF5jdO^xUVay;L?lzPnuM9Oy)>rXcKidr)ofe_CmnN--kOW^KqtntyfkddP;SEFT_!JY_>d+k7$HoIDc#)`ebVHHVC$TOcrmKw|MOM zTuN2}W%q$AmESd<2*9*G;D3nxDO#;yv=2KN*4_3Ah0M1dn*oOL`8Dy7GqdD_(&P0h z8Wle2&q;`$hTabQ-MZ-M$6aMJl_=YW=EyQ{*Mb&RMx46~GMN`7!#RO*QTAL&ajRH` zV5Ag>tMWn8pZ3$cEhQQ`QUSZQSSrGiU+us`x;>dCxQXfyhQb$83~O-g?5MAN8MJ|1 zqEmWPy(v_p#_S_@xY6QS-!lh?)=X2_U_(x;7M?N>Bq_N4t4>ugQ(cCV+@etU$ppve~;2TMoGFwi!3hP_1Dwe0UPJ=jx zJ^(qJnnx>pj5}>Z!PqGWSC%dRoRLmZZpML1497|eM@yVfjC^ph52JnBdbS?{Oy_A4S^GMJ%Yd 
z*9>7ve8$X3EpqX<)WSW)FDqouCF>UyS{1fQI#G57cV%fra}?=J*E*%DNU!Q>76V%7 zUUP0Z1=SidB4jSpqP^A|R*nW`;&-qS8NKn*fY)rb^j$vfg0S)x8b$DeO}qw%%_?H_ zKaZ=WL<5OLCz*u)Jd+g}N16df7j^?yI7{+)6zSUVhD58UEt|b~x`o<;64DXkgSKSQ z461GZb4eV@_jQy?FxRzOeNCUSGDj#ujc{(B`I{&if6f0qGiaJp)0!w$oESpS`A@fM zf}pl8I&K7}naO<_7S7?rqlqwFv)`AM!x*&pwhvi1TXQ-K_FGVLBC*4333YH5Bnl<@ z!#cw1nvY7S64QE?1KE)0cQNjA-b+4B{0830^x-_6dvfM6h7G6|s28{v9){zt3xcGG zqy_&pu;Tu)YDX@v6UUYqVqvikan46F$Si0~^xVYCcV;OamqUF=wcHTqP!OJ$4dH=P zXoX6ICk5^3(wk%DN=F$g7@t*cRG^PkFq;#5f$zp>>k2E+YcC)fNE9lJZ@+p|C|Rj< z`UiSWXOjotgL_v=%QlWp@~}ONtIr{cb1pgoB>HJn+o=vpru5gU>$&pp&6Xq1_$~9gMhg^KL81!M93j?WiIqEz_#}n3cC!iAD^~a{8p}`l=LrDE8c`wZXM1W zG832XlXo%vD_Z-9ODd}Nd~FT!*Hg;Xr!^i=`1Ekg?P-64=A1k%J6Cd26s*@z*wPX2 z6I!CLFFmefTyHT-S+;!uvTWoOgFh<)&w{eG?VS z2uRPGXSD@68r~UK7#nYaIa|%s+K3A-K)vNn(H6Jy{TQCpfv(2wAjwO+$r<+bd-^7o z{g?9_e84em1tI~@OYVfRmL0HsGQA*bvIS8M&HH z-{^7Jtnm0enmVnvxDRkxe}RL%A(N$~4Dq&Mwn*FA0lpB_T=V`wFvfEode2ZA!SHHK zuf5B^%{k)GGl1VY4_Mp%tJ$l=`~r}k{utPvPAJ*FxCAICPjs~|piN}C@6&PfGqt^( zc^z9Sr&3G-#&WE;&a0bp_|FPhO`pEHY(92BG_J~N?mEwL6~s84oB*lzHe?v4?Qlp$@9cCz((Zm+UMj9q*l({ttQ$&jnMrb&j#E zht2rP9{U-iYojj}8Lzq>?9bOGr2u&69y{5akdPjRmm>Nm0Dl-zhZ!iqZvxCod&{XA z1fT%^)zk%@W1RJPIlRS~axZWtg_r2erJV3T1JMBi=o6ZnhUl3+?X{mF8km5Ag}@z^Iz!_hEU?fbcf}5tej7vuoxSV#u%A)!(-~f zvpBsn+r94~T9E!Ato9v4_M*FlGrbk*8x#kaB)8>T=Fawago+o*v4Ewmowm>s)C}|9}R!jL;&RdRy9F#A_E9XNE|M4ASfmRFc zTMp{;b?8MJMM7i8g{z?I`$5YL^g+)~m49(27#3Ig z{+NZcRnr*ZR=ip+4LXUbFwFt3Zaourj!sh18*d3qe8~>ZpVDYVu`n{g$Xq;ufSZp6?$=&bc;j>t zh?(b!6~x3DGU@a?lbX_!&@~v+bYY#HDw3<+hHc`BRJy{N7=<%p-bRWxb`>rHh^pTt zBKTE_z6u=jK4?h>(n$R$pVwgo0}nkn(ru#@Wxh6lxT# zPAnE3jBYKR)hPHJsn~zjE~00;3s+Se)=Kxcbrtu-V%jj1eNwPoL+FRc>Yhhf<6;># zWpjmNIw3dK8GH#nOPpZYFa`^o@R<ewc{_P{Q`2+=sB!M<^XTw*%`R^ zGy(qa<TrpFtQAb5)kz4r?0d2jQEcrSg(PYDX9 z2Ofkj4!kl+QrhuZ;XCVAit#yZ+g-PN3({cIqj$g1omFtj_?i<*(Qz7~n#eZ5e@ft< z(PaDBe^)(BZnQc%QQ^3n%)x7Gd&*d=a(HOjvLDdGu&=@YIBqJ@aWOk;Yyr5>-0W~# zBpf-X%(RIBy>B-8>9ya$+)l=eL~nRqD)3&}W$~)wKAyhIu`|^@rsLRAqjR2y2U@fz 
ztlmC50A(IL4ev3>+f7rQE?-fl!!<2SF=5X1){hE3tqbd><^vHruC7BJG4HU1R}R&$ z8Cl96$Ja*9mz`XeR@l}r2RfBSd=dB_PY_29F6r#ejjS{7XU{n`PP6k%NeDeYfVY>O z`VH=xZO^@%uO7g=|Ca1VhxeEL__$3^t~RgD(Hh1k6>r<}0N@*SmsEHu?fR)Dn`L&) zsyb$T=2|abi|AV|qMWK-lDNAPRJu7H@7>%2dY+3%s2a}OZ47?b_jQbkmY$A}^c@meb z>28~W10R{vQO*h>s3>RdhfRkW4%4rFv=e+cpsKM0Lb z@Ql9@8U#LW02Cj5VBCL1H)cq6qUkq*Ki)L7Wwf4wj%I?=&^3=XeW+??11D|PhdEh#+f*4vZwRYF? zZx#)`9eGNeqWjp5vU=g)!Iq6Wbwy`j>eEeBYQ>8zc!k%phk7HDe-sn(XYJ5KsgEGj zUOLS;9K$fljUsj zO>(nRDt-!scY+^>iBRFjZ8rMjoY>pW#8IV9Geo=QaXIEyFF?myd+D}Z7Hd6YYg3P( zA`q&ol4Bnh`^jB}X>)-%Jb|*pEbTKSrD;3YOpQJNsvC@bCSmRCZ?}L`YKg0G8g~rL z1DDHa6ex|hI}}PDi#_ipgP^*%E+AxznhUiN!WKXBT(hq&#$ZCj3L!O$MPRm$g)6`1 zK;%e3;<0Rkh%E~Tqmx7|@K>~nr5cIox4bDr0ktFXnJl)}*gf{L*yCibRSWIkW5_I# zIfGv#@Wpzas>QeFZ7C=WB+qKTF|13lPWdWP4(NQok8DZS<#MYv*iDWt`)MMS`eYP- z0->WBt$fIkSp2_PewE|qE5(2+$kS!?lTlGqJOpmQkTitrgU+3LD79#oJ6MA!-IFLl zIy{ex%$A#u)W`iEN*($;wH*i+TxhapA5pbeZuX3m$7<%o6e2-dByD#0Hl_Kh#WQm`!W;p{W!H;m=2@F&z)B2cQ!{*ZdtL3GOm>WU=Cgob$kO>hV6>M8W%BNH_W5U1JfMG+M5)Eh(B z(0S1)5&4F2NBOdZHAS|f^emBfoBJ_Rv3p?>5RX=LMuZ*9msNc>0x-gCgGfiaUPZG( zY*LO$44%c2GW|cMUJc3k3B=X~p<~JUGHpAvkn#oC*fLAz=}mUCWuVEXd9HQ4uw^tV z&ae7fE7)xUH8V!zDCNnt&+(bLXs5NbpD|h!SgI^w5yrZ6a5U+D!pya&K2_ha>rL{8 z$g=?apt@}MJPAg-fAReKgbE@2N%RXd;G69Ve6wBMZ?+pSaOxiwR$Nm1eLo#Yk-53y zGnroYnYR22=;>}bCxgNrq5*=pEWoQ+(eIX=cU*QJSiDvhoa`JebABSfeocAX-o;N$ zx!biqqo?$|?Mc&lx_tLyYJ_OMD%!_<6sq_~SohomUX$i8;h)<+So7b9pPv3jT+DpT zVZZh8w7VV^W5m2aP|alZY-@$^d5w{Eba{`Q*1Fa3>CbHGNm+mFVXvuIZw_5U_-J2A}uyNhQ!^dY_^KtF^?|&ojeuyY-+dPh>)$2Xa?ad3H_w^9Lw$r`1 z=nXqgk4s8{34g6wpSnW}_1UGYH|I+c6!85~O>!FW7SOQxFP0hDJU>I7#oNMrIYNO# zebf0~B&y>C4C%4Y=6kPp!?E^xV05AFSlecYv)($0`LOBUU*6qGe>&|Pp+dxS@BdeV zUwb3bp!{**&aZyAOWmwyp0xc>gJ2afUAH1gf7y65w8?A1?X&e&wr%W^MsL}DRHMB5 zG)h6IdK^pPeMk5_5|zC5I(81-!r!iEokD%i?`jt_K)?RcVM7;;6T-IQy;n>dA(`EH zjA;D@@N?LR>A73?pavD)ar|n(=K+_Vz zR6gY?GD=iuYhjMe*(B<+q{gL$S8G`ZvC4;qc~>7UT8)Yhg<{R}pX!Gc8vk%m!MM7z z$uDvRY>G{%9&unt@72!}^q2icHR3zb6Q;p`w^fXuaJ=-lU5bE#E0)D8TDkc(2u|n# 
zzKOpJIzWMfJNP~YSE-(Tqhza!MlLgkIj6K$%^5(-YfSEnZuWfCI(q+ox>a4%hT8qr zks6d<)rkK56P!R`Et-LjYG|>S2!?k$s~T>F4$g6*#@D(%d!*tDMz2{f9cIe??{6?w z?tZ&cmbklaZbSHCC584_qc*vd2BcK$Mf3WCxP&^gqM~>RRu4y%Y6!4c){dmU+;~t@ zq7Yha;2yUA>i6i0)5t2A+B}85sbZhABx8d&tAwqS1XB_cSlA?K!PsBT;zaF;qY&eH zy`gw;mWgCVD?>}7lw(OvR@t&4Mf}S5zMuGo*jVkuNhR5aXp&mvbQi7hWskxFrAu;H z!LzjrkhX%07GV-leVjh4B9?}+!lDDu!(3+EJ(nnoQUg}p)(rM;=DZ08ivmWS6uT{F zCI5uZvTQ&&AzB13z?D!Z%9qM*?yrV?DoYC2V>V)uz zA)&6+K+Zx%+xg^0tY*93Qhhb9m<>iNS4;Xrs6pTU4F7bp@FpHb0yh@QLo`aQiwyPP zsxc(YNB=QUr20q<>LaG!B+Dkn2}iMvF*cF*;swHt>Coa$^o~w?>`vt?q$11J2R&iw zco`j{NI|BIGxqfLRAyM;5d)`%bMbBvBPo?TBB-JWR>^)?+f}i@Ji?e>?7Ws?2BUvi zY(o`DN5nRD87}S93+{bMS;LbdqKf4FlNhHe%wjD!crj?AY84u`t}xoYbIRn-?7EMK z*YwTPWwS8xe-Bw^JV@c5<`r#@S{~t@_Z<5aQx3cl0}i~#ee4;R9*=e%j(yNY5b1R0 zea&zM$-5IH78I)~i~dTid@R*#?{%pLJN2dJ2DIm#{An*nN)3+hwl+7vyPs>yD2$mJO8&`b6M;kX)h-9ElJL$qhSx_AEnmbDRFKxJ2GKO-VQ1Y)y zEC?#N_#9n|UU|G|sR+ON`A!q1k?Pih@nzoMd+lusabxGdt)zLn781%D8OCJ`<*ZVuo{~>| zLEwJ-BmHDx` zz1UcYA>KBYYq&{9BK2eBnRw{r|D2ikc$hO!eE#FSUjK*lQpkSHo&R@N_9sGy6bJo6 z{)GA9)IBQ|SWCUv10=Gx4m&ymao@Gs|3yORkRFB_xHl60V z-M_vN!*qN~<|c4oUZ|@z?s_AVUC)-Es<{a}Pl+F^N&0DH$IDW>>ZjAzn2qWGsXr_c z5V##PQg^vrBDz~xxh%MEq>ZW2*==v$Y~jf8XtqBmk;SZklvSC%^fftegy!_jBep3~ zAx`sNgj-ze90=L6ihOMBZFD2^4=&S(9;1;{lsljddeh&$>c2j|nMi#;Uygih-@Y1G z@j=)wH-)(GsIPGm1 zpQZqC9ci1?wW4bc`;4aNZk+95H@hbj>JzQkl!jvrx@PaV)!SqX#6@MAo*i78p0j%R z)3UE-9fu)|YgKh#9pD;yM~+Qr%fd$5Nw$}97H{@r&F0tUX1r{c&oa_YmFmYp`v%>^ zHMZ!WNo&O-0Yni_j@oq@qBs8DP2WSZp|Xd`(g{vQXHQ1!nw_xzoa%`J}~hf zBXh;P#KNMa_W?_qhor!A^jL4%nKY*c{grXzl;RSXzNL6D>a4hPTkFK}jG#(}%LVLT z>d^K`FF-6f2P$$U3O;2qbitLRb&C6`utlPY0w*MP;>0A$MG$F6`B%;(a zSH#l^3!#=v70nz)9^95V$0o@WrMPNNnPFoaB`*3B{DuSx8Kf8vyHTZ28AQJ7{3C?~ zbJ`3G)WQRvFfM?}NJZjsC@_6$?Wmn%M1TQgh$rhfB3{k`lZiABI-*ow?ra|G@1$Ir z`0Q`YrXPc5e`pz9E7E0r_Xvl=pcg{avC2BdzJH`_fCj1C(kbk(4`3Bwf8-PD{rN5@ zNP-=>%MaTCL`;!LlrT`eXv8B-7WcbcO-oP5GFA&sL{9K7Y>e`3S}_xyy8Fqz$AKrx zNk)y#^B4I*tZK9=oCwx0{ijv0w7B7%vxJr=szWe7rVLz+Tt!ta$90iXHNTiYynQHT 
zfjL1=;}>p#al*C`Qn5>V^efRXBWVix^w<1;IYXEPCES}@zvv9i`Tjs>bL6phvV#L} zR>tHIyC&6PZYA0@yd_evbVnH9tyx{oo5%s0B^ldM*WKp>{hHVtL!z#%3CUtpHZapz z!-4SgpKuz)RnWpE#AV^``Z9Dso&x`>dj=@gnQyZV{E`yyP9XNT*ZMUD{kt(_KwygA z9DK)YFY7TEQc#-gjA$xup7F~X-WE-u^yR9W2L|Bq)nd1;-s=+&ECAq;q~p%X99IN+ zW*XV6*RcF#NCXp1hi6?ZnNp~kTnxs}^q&VQMRH44Vsgw=D8rawNxSNkD$9_P?pNj; zKuGnYC1mZMCxIY5)7awLIsD2KFLba<2!7=9Q#C4*;V#a93J{tp{O4L|hR=?Qa%PPn zHLIM0A0F5b?hf}SSgYK9thA!E{TEjwN;+ZmLxCkz*%8&f9D|?)CUh7RaiftpLm!N5}v}{7Z%o2Ke?iRg&Z8eEwL_^U?*3>3Z?C&+2^c zrpyz1L??t2tbtst6j5=A``*De(qJP~O{N)(r`?FB)gTQ-$b$q8M0USnZTx%F1t|y% zg24N0JddLH1clDV8q{;|u#^61d(C1hoi!UPX8hr@s>|nL$0KD6-TUZ#VTV)C<;rhh zTh%VweSyV5ygKj$gTCd>_M!k?=cN#e-K=wV$8H(~r^{ttFlK1`Xye*#8vWC?>Dl;& zmi^^TB~;DCTV30!U@As+zdb-)#Op9*C_}sT9M|EcY7VMK&3yojUTdb!KDllIHi3Nx zFhPs+CA0b-`JpbW{b*scVqvo*+5Hf>Lf3=db8|lRvKrfQ`@9mPW?Hkw=HGn;&3zK5-9sRP_I$#03_?!_8wS^!DszQZ0j&} zNYT8E<^OyauoZZf-RR_Rc#X^W;o@c3Lf?732=>fl+XE%jTIc;f_g$fKVpYP+Y|_Cg zDk@pk_>YdyvEpEvBf5^B4}AT#X=|oPn}fgMw!9&G<7%eH#&v==rn_rLVgvBJio>Sy z={tmNvI#s#G12Kh=UvV#VW)?uBct~=0&W2vKbvH?cp^SEJ}M6@`x!C%NX%NaPy8zA zeo5Q_cgquGcnqKA0a12GeFx3%Ry!7aW}5daO7?@#HPyp2Trd8JlGK(=7o{o7y|5Wo z**1I~7ugZ~uN%}m+ZRzg)3np=_Km~}?-vPd-kzT7FLh9{P0wnF%hWYqUwC!{|85Wo z)QvKfxJI1p^w>3-pz}4hEmF2vs{^-=TxQHIpFq^`XoT_Jnx26s0AR-o z(5e`C!fpVB1`>(jY6G^PeE!0g^JKF_QOu}~uAK1eZ~;pIUkCgPfxN{fAvV&5Z!5sX z;}GDjBHu808;#)?xHecBZf_H^X)yt@*X%(265Do|7i1!`G39q}_EDjEJ24h~Du+cZ z>pV848b$92PpW>CXBe#@c5h0#EqMi$nEm{H`#xa}Tt~U@dYE#TDO`LKmB^FONPoWA z;n|O|TziVr3bOIKQM!M$s<@a_whbtyN! 
z60vp$ODvU#gc1sER6CEsfiRB~UCH!qLUhyAtaJ+TPy0d&v*02oIFyiii?#~-W@YRO zKiLXqX{)ho!E9BJ?nNjwrlWj^Raq7O_E-5kS2NiCE+mB)R#Zu+B@nQ0FLJ96MiFM& zzssMS_!lNKAn*@{8Tz*!GRC`aSYs>10sk2?r?Q}+G7(1{NQb$7{M`of>dD{_95-_X zfz#--m|aa_9PoYLfb_Z&S1h&^CMEGHurdid-zChlo3!5t&sq55j|aratPy<-VbKQT zbyvo}h{7z}7p28*VUH4|HW=pI6^xE#aDGt<(oaTqDf61wxOr( zBud#G6rBDA8cXfBIXk8*A5lrM6}?h*`}YUJ1El)IQOE6%;KA$JwAbn~HG_;$@?4%~ z(>N?@&zw}!M@=c0-`!bF2gMZ9Td)TWTnMLKdIrc#Q2NA@5b8hLoaX*$z%n`ROMdi_ zh2^5n+~(Xc1JiPB9}oe|{0~0$>bj~)tD$q`4B$b5Hz`~Dg+z%H+rQEDR|(hZez!6v z3o6sZL{`g3;e^7J{BsPtsMA-dZ@tH~-Y{>Gk_FRZUxF**n|XCqn-Wq0tx~7a8we}j zbq2?g=Jq>AHs8fK)vJqHWHL2c{P#OzN|nyW$XEVPY!^B|@lO$lT}9{zcXV!RHS7AM z{xG5)sX@GUxE8X^7W*#Gf)zo9XtfGo6iCYsc%;!lV~YBZ@_=}Ab2(`^$=6(ju>nVt zh~ThDd6tL#(u+5RGP(aPF1SUJSB$Sd9*#wd~e1^&1>c~|y+whR!f7n0FR3kRxQ%i%UfSte%pA&wd%X?4V z<&W~F#r(@90dU+oV(~CCKCHy3LfyCTy^lVL`q3bUtRLe}A7$O5MV;lvnN*5t7)YTvA|2W1^Tcejalp@h3D zjY3l~LrUgyrxEd_}^o+DJ1$-Z$2<9m=OFf>yUp{>gy(>mi{)UV8yfB zXU)YI`0LbB>(8$sZ+O68PmH&j&NE?g)Q~%fJ^r50*P}lC0xxBCc`biW$dB)_B@NGK zGyV?CFxZvu=lFzboxOmCY=A|a`^^w7;CZ|IBg-_p*&7(OQ_1g=xAtDt(`Cp15reby zRpNmUy*hXmV))YGUPddkanfzHenId#ay(M`ae70bTIjBEjCOEf5G1;-v%ivAr+nd` z)#7z3ij(R7VZ`rwl@%hhLDIfk%Ad(^5jEBMZZ4`*oM~^<^KyMmy;`s|?dkKZvF;Gk zD@M`?|@SLD>Wyk!) 
z<0Pun>C!Uc!UIf!?e_^pIqrOn(3<86dvlG0z25TWvEJ&CS#x%HTT_`A)wZuU)k33n z8MvRkQrT>Ny8_Cx5!F{@&zCH;eRhNXGI%BoHMrEk5wu=XZLkjqOs%l)@Gl7M z035>rc2JqBZ%a-^8z`B;XQL&64vbBv^XyrLw)6N+a+A0F*3=8cN*BhB-7&&o)>x5^ zy7A3O^j7}sHHuAl&(OpLjmPQ?TU&IeZCeGR=R+E7^C8>k7DB`A!p)lb%Z37yyF1;c+MxlwZXmItzW(BTjP3Z=D(%4em{4*59fdBUIqXsfj&?l zJ>OBdH<3&JU4B+RvGS@KG5em5Pl~jYO>sVJ@`v(|rxV~|k0W5_B@URYFj??`DJPJ0 zoC0Jy2?4UeUTF*3--4q&DJe`*{Ghxlyr`8Eyg0IxiCY4xazf=_tkTPUru0cY;dXLE zUU#2T)_5zOaNgJRNp0AOlEVGagR+GWOU$s+3pMsCO)P6R8jB8JD*R__TM<f6LYrht>2#11X&r=aDookKsUnD6MJqzVXXV94r03XDv%mP~FCdBMmV4`8z>^ zQqO`%m#a(Av?4UMd`wvirIQ4;M2(m0zK}){G9QHKB`wTX$zCdt?9?ei_@RqPp&3WW zK6m9puGtJacGYH)0z6e#$$+sWl{A8o$P$tjSM0rim2|REj)AKAKU-073F)e|DXx65 zWexiu!3Ir7*v(ue=Y`ONQ!d^{m@c_AmcV#8LZukw533GsWU_|2)58943b8Y)5o3S+ zoLY;8kCeqDx%qzo3*_@v)A2IrI63k{wSWK~-NJP-GO~Sp@jhm;RGD=d87T{KNEKuz zgL+IwM^8?qlGNCL$VxSNEl2|KAKEBHA7sdouQW+<6JzPwSRYX$OESlqfz-Fal#iaJ zRGLs-W~afKZX{XJ9cTFjhR;WR;RG5Dua1dma;9IcZV6m?}HSD1>I)G)314gUa>R3cqj zzPz!kG>}^fUbvEmN&KgDA;L?;S*N+5CVct1VT*$B53C7|qq$aPId@KKKccF$o$SR% zRh&6n!Q6EbX-ahgMnZSm5=+4&{rqB*_rRD8X>oE0^jpz3|D|XP_xwm#KWM!qYYNHX zUwltD%?V1b-+AWw%w0&{1gsIuSu{Xt`HVwnByw@TaHziqRd)4d8K2t`jn|KkZy|y(TOaCcip`c>* z@25W#Ore4noYnHGwz)qHa%hp4^*amLQ<%0?KvtL7eC7C4sys#3Ol`nVOAFS*-lYj*NqtJ8FqAHE zmZz#DWq8~8q1N3A1Dd!r)QB@nT_F;A+L6M{ki+b>!jHd$hCk`cOxD6pp-N9tp&K{8 z1HWiC^WlEx<#5T6g+vhXN&$=DI~PLZgjr9R6bWRPWg(?U@$hXNmTVm|TB(a3Jdw}( zO^a~4W(qLAKUtGJZCHdJ1X#Dun`gBh{=d1|_@`j(jyQn%AMiuuGU78tOX79tdmi9- zqCX?(u-&=EEy2CcE8-pAENT8{#3 z@Ne8nsCk<%OWek^xPG>l`25|n<#^oIzv#9Tr3b6@Tw3$#h*qOrzc)R3M+3CK(Id9T zcfUpwJjbQ%XuMzQXf{ph(02?r<{Z2rWpAI&#B3tz{QGb%VSn~HtKX9CavD1d`cTn) zZ*p>Rb?7>e$yCzecqn0~i^yr1xpI*49Fk9`=xM#EczI^;>G_x&PpMo>{ZifwS9pNg zQr}y7Osbg5%7W)p+w+IA=JH-svDWb{8K`l6d7ASIYSJ;m-}2bK`kqE;2kZ?>e`?`u zzW(u=;`>P`RXg6Q@30*Y2IOx`56Pe z59neW(YEm$j$WG3=`IBB(be2EyGJ28yDDh{R*$;)v|`KD{9v^BlIFd~b(69G|y^y~p7Q7R1gyZ<8h{ zb}s|rlL6TVf-1-LOt0GE2S)q;<_gW0O9Y6EV@ZmSEytm#nQN~lC`Y$y+gt|It}Z^- z58Vj2-P@3yF1dBv7H)d3!&h!LuN2Lyr$g47Xw$N)p06>wlI*t# 
z6?y_Xow<5yo6e1zW*_Sgi{bgSjV@8(Wv6&QWEYt=5kj>$Tf)qyGiiiFX21 z5#WQ>+PA_B6YWd2)A7ciS}0-KO-tgo6xG89r1U)dBslmO@!33M-Q7DgBYbP-?)e-^ zCjbm2+l}HLI^{$yIg=Kr|EO@sV^66i1+{{arh4zGo52n7_%P1il0~2`zjqUjNJ>boIJr1NvHFyb$+QbCx}0#_on-k`?)Trb2{d z8-S$>rGsf%FJGHX5`5?<(s$Px=5HC;C^_+G5{g-hU**eGXNpbL_XQ%$FMG-%PM@(C z@MXs1HNjv-XGusj17%|2$r9M0q+PC^x}PDeo`vg4!Ld=rcY;)5D8so-T~pRQ3I{`m zMK`bF`6fyKib0^ZdLK(*sSK&=%>+zA#z3@a#g??x@q8_X|1gcmqL}8~lG&Lawl93{ zT&5>6Cf_99L-(xULVB|yu^WQoKv;1`3E|~lH+mSs@SE1eBB})TR95<+;`%0CFC7`ipn1=vPhD|)bObi^?R5*fupeS zgNaAH*eLcToO6^8QPQy^4BU`0S~DTJy%aR^L$loo6U{}z%&#+R%GEj0;nDxp2cW$` zzy&nCr_4@;(d9fqapI0)%b#j`?@ z-eVL{&eIBIA*n$_6}V8{C`|8~`D_si(-Bhdtngsl`hXZp|3eXWa(2nOG*i?z4L~>GmLfAS&z=j^#F!l3Wt+~;dq9@MY57LLPyJL(XQIv*LpMai{Elm=~tI&NUcz);q3 z0^i4%iJWx??iLB%unSv~D!L?qO7Tv(Mjw?3K2dJknave{G}(@yYL~1T&KTG%xr}Lc zo(?BiA=H4^28z!FnxAk8ZCxcP1O=tTneAwUj-IE$Hu0c4N!V1BPpQ0gBr0un%w%d^ zCRdTIv^gD^75}mib{Cw%p!}rF50d1Vjjf^TMZ#2J_b=`2puJ#|4%?Ozt___izuP%~ z%T$=AJV?XO6Lp zTfQe-RDVj62tlM~fzRC-@8@Hal=a6B;gr3czp7e}%c~4u>z}%uG+tx87rLt@^Fxc$ ze6BmLA)_t5->iVyO`$0RwVwO0FfY88xp8Xm+ptVCpy_JtuGV|}0Jz)searK{ZfuVD z)>h})hnmCtE6xZ3eaABq;HD`eXV8sT{-u6P9dNbF_qr0FV9u5kx~l;U41LzOEN?xb z>+f;dVq?#uZm#7@YB%^O72Y@yZ~Yj|FbjSr$H;0$>sos@+Ya=38Q-|B3F}?pJ1E&3 zUL??RL42^*&&L7i%zF9_4`OJ#-#+iwc>Ig8v;_p+@Ou{CO<>URza{NlobB!k(siuc z$mcX~WzSB9(6=+qZ$IvRJBhE-S_#%1qnTscwmmOh^5*^Ay+M|J_5+XPbdbIh*X(bP z^Tj`3#qBC#_3Rht5ox+M6N{^3fXwbEST{9)Ag-&c8s|dUd!2yz1O*|<@|#wPn;6v1 z8uy=-{54w+Zv&OUEWWR0;#qlqWiz=Z-`mAcxdnQjGd!Zsi~OPFSh7}K&)UVAchR#X zE4lU4o#{!l=?>Gx^(Q?Y|7`l61%89*9i@vK-}8BD(G$Qbw@oc60f))MI5EbK^QlW@ zO%L7VmHX~qztt-|eH*jSq6A>&^kd->^8C{z?35 zfb8`c^tmXFe;4z34*}UF`gyrOJU*!2}qG7kXYL9Anfz`Lg4}O<77{GYqh{D2;$1UI&XU#M{(BXT!9ixOeXcIG9 zVz>y8T;Tf?^(IyuQrEWXD9X2P+bC(p@l%>g`aHrAlz7+xE8kO{NdYS<7{u&CxSk&u zkt~Q0+`$CPe33y~1aqW>fh|%$BQNlehO0~>_&U*A3lFSqSt7`)&`312#II~BjTN$J zPjSjk18LJAy&1+F!J4dBVKAi=_!DT5o8?4io5E)OHmpi7rG zT>B3`go0!J?GuodLv2#XSj(ijUG3iT=0zX9nWPKyNDCOl{wPZ#1?5+y#G^nq;$c&! 
ze#WSku`8KkP;{C@TUmCX8KWdgtjWkx##g|)(&X#63hbbW$pwogAQaCVXS!B4Y1V(_ zuoiX5wa?}J;KA*Ke2N^Cxf%(Sa&f6YRBnDjGGa$!=M=h7)vaedF zacLhBS3zP2kdsIv|Kwo7ROZ4$S%QV9iDRiJ7(lfaJdS)=_sEDff03tanJQ=GR8srk zd&qr-{*UhazzQ@w_gHJHY)y302kB>>Q?AnFXO#&f+_xMqB69?FS0)?w6||F~h{M(5 z(K{`NN~$5JDw~!dW4fiTGb8K#!OxO#W(z?i?OR)`R$#hrgv=}EB9cG26`UCw>TLlg zDA&jl*G>E_Wc(Dd!vniN>ELH5xjY$k{I6q;XO$&1(YtbHli0> z4GPsNf(dl*`fCp-f{$i0kc!XRH_?~8!31HLLmnqGlno3O4J<{AbR?hNqIS!*$rM^n ztm|UW|40`7=7C{X7%PSerOg;<5?dzb^F(hZMRWvdHb_7);zu*m@*;d(bBJAaa0+;P z1iNkg*0=Imr7HNDusC3GIsHr&LGy_1!AUyOQAPsJh5Rc_#o@dio=&bX)S9xpD)X{A ztlFFM0z^Sarnn?Fi?V>_`dK*Xj8o1oLjnh{N;o;hdQ~>5xI)i(iXstAp@JS`&zd;> zc#DgGB#leJRk)kftVxd5++T5C?umo%s59O`bxdo@6VANT_D-Iejk zzZ)*-MaPA+;S{gLf5NY212}WC>v;kHa{6HZD~|*h00kAs2$l0KyxE+R=k6z}^kxA+ z++GnAMCR%L^QFXKnbpK-RD#nd`?Sap-zCW zY8Q7?x?Z`DCpJxsd`lChrhY9)LKwB%5_$6cF3uP2lewLb@`(I(o0_9NpJ7kOQP=Hb zHauO^2J^@7z>gXY>cd^C>ZgTfzm40_UOKPOl5zMQ-+zOZtsJh;1Zr(JMWd>m-L2P! zkUe)BC6$Xt$1ec2H=NbkcIj{aW@-P&~6 z>NU;DXc*vj3Iz}uw$t{t@5kMKJinRK^f18PChua~1K4KYY42 zz@}>l-Dk9X^Fw;0?)GqWMSiVDdA26a02#mP2@F3rFsl6a2c>VkXJ0RUybuxatNf1A zb5Dyy0GGCae<3FXFVAniYaZ?MWG}OKyZk*~uIV_gGPzHKDtFTKe5MD|YOL?$t9*y9 zT%Gy0uFnY9nUlP2^ZKt^e$Ovf;-5KRFGFf8ow1t+7sK?L&yei8_h5A=mHgcAt+1?Z zCn?_NrI}fNE9QmMp?;m7gyW3JZr23o-t*j-M`6Ruc%-d7uJh4MZ)UTrM|;U)n713_ZiRRCrBL7d1iAr%Ky=`T z*H_|4!53u49dI}NvlG{qsg{HD`vM@k)M?rQ%b;O_~MsxbghQCyan!04*PRIp{>&YNkHKaMh$(PeNy!mj zaj8*LIs;-_GVrMT38;Z$kWe+3bj*c8DdiI?m{3< zZm~W=mD*N}R&RmMHec2v(Jod>NRwUlY%dx5>HGJ&poj5Ecv!WEUuWV8do;n987?b+ z_HStP-WTD1s7N>aKgnVZc50)RKctYd*?8v)cw?303EANW0dho(X-F?2MKLNcWxR5t z-J1MXj7R9pl_3br&SBP~WpdV|MseN-m(HRjp+9BK*N$|1tsLbvBDrnrwWYsP5zfZ0 zQ0usC`ZK1OQ8XBpvXIlr20bGP;qj_A0l{J!u4dSz)cJCbLZol>?6Bm-(eE(qlfX|` zY%FPm;}}KM4lE z67P9CB%?oVNIQgCdmQRB3>~0tVCYp>G!XiaxEq&qd{87%f|<)&6bat#d#K-w;|CsjoKa#GBm2%ukd@jc%rXa|EBKQRgAQ*xvL=!F+67g< z2~V(!E$rxC%LbK*N7=t^V(vAJAplc*IapiFL0+czvvAk1yZR3mC%dAbhp?xr(_&Hd4ebc1q;=WGuGCzoGJcXiiI~}_Db6yVy zF(?t8Zuornf2Q()CtT1-vg*BFz+Ti=5YSP~O7yTM?!0GULd;Iq2-S|D6uXC)BsPQ^B 
zd>{`MJ1^TWT;;DmD*-9G*Y(Y2z3v;0+_hvq?xb$O&BRo(jMf=s^l z6^~IK*P+T{VYLNSoxCr*b{{or`qyVuoZ68;t%{Yi>vwaR$KK9Q2K4xi>kg+iklEk# z&f{)^UFIH}*{kxx-PitkSiFXtbn0&RzJh1l(w%nKuQ8XFPNzg}g!Qkv3kGxvR6~cL429yX{}krS~|sT>z}k&&REyeR_P=TK>?g_npwt`V$v+4MbRW-uH8E za@^-TN=WV2DaRw9neMy#A~pb+LZ;7wk$82-S!Zk+za@c#l}SWy7LsipKuq3eD7!)H zynCKCv6^k`;V@CR{bT4_=gY)T!y^;^TIW5WH^nzY{h$GW(Dq&kct%vydh`$1J1-$; z*0Tco9Rqt!J`vwUzk+6`{JzB{{&}D}EvkjjI)9O`*%SX9&-NrsK;%PKQdXE%PstZK zw1nOU@anw`7yxT|)%eP26VV{`7Cne9Z+N^xyp4!a}~zIl5r2 z#(+T0_s$fR%jT_9D^__tl2B2PoLAX1f0HLI${>y}%~{x*Hi-q2fpna?VHeH9L8=rl zyD=MEv7}t#+HvG7Fubjh43Rb06`7035Imn5$B<&o-k_s z3m2?lwWO*;*^lsQ%1&p@66WOCz*ZIzApEfYn~5f_kc119*-#qZvjplB=N*mWH4?{oQL-jqk%ncOuS{5oVtAtb>xQl4Do+^;Ec;Tw1LsM> zi_q)9QqAmuVi9ADhn*}T`MM0jHLngF+c4@`>nzXC8575i*@P=(;7{j<#o?nhBRGSm zw(KDTNd+cnsep@v*ylUza5+!)@~|7gWx=ompn7X4SH|!GJgk1G&n0riZ?w z>ty#b1?Ee+@Fxd`WL31SQx?PBr%hW%v?S7g=L%IdnzWiBXf%;T+9qAA6j=`V;!uIm zvE^SxyE!{)mJKt5=AFAmELMV#{2x3R+~*&Ok*ra21rKO+&wgs#w>NLOwWb2QlAp8Q zVVQmmd9P={6q_Rm{QVSB%%6Yx)(#d_qNc>N&`eS7DYpSWGnPs)eEnL`AqfH+vM7q< znNY9#dtu$m!6FMB>G=l;wm)bJqi~KkFz3C3bF9_DDbz?a%ays%#gfG^pRZJBq)$Y&eiN^}ekhx?|^4r%!oFsd>F+VDy_dFwt&t&ilfzEp0|i z^)&rVc}*skw?4?j|IVapuh*H64-N-T9H%~hjFjoohI>RZjtm%Oaz!EHpR}{w%m}TB5e@?qP$@AjZHh<{N9^B19cIG9G|)+6 zv=#pE&0QE{lmjLxVyvJZoCCF#;WzM*XS$X9^95=1DvL>VJXf*=G#jD@dE^V}HD(}= z!YjrIxb5jII-^!hOAy^WW8-xRPbx*4kBZq(!U_OQDOC>SEZZ zzd5DP4u$LD8p>*xE(qg8lh$g+k~1hrjhq}K94kP{bZ9QHNe2;li67GU`IxuNLf@zC zbFr=;dMA;BgL}VKc7M}zzujP;cwkoRt45~J`v+twRDy(@8u|10r~k+Ir~ezmEdgdo z!qOwjF?8CO(^unrLc){Rzs27VFK14T?|YkcetYnPtpAP?((Q{A_1y0Z;LpJ7UV}~& z0f;p%&z-TK^Gt#DC+VHn0@=-*DF5hV-fvI5Wc;Ufm-sg>>r2^u4eA$;W^Ar@hfd5c zYONjqExcLPs`!nCUEj=80~ur6Qb zPLGFupWpRr8V?n7wHv48Ev0E%fVEn^n)^j&s#l-&9|D^qd~5DN0vgAy-&&WxucqX( z8UMB}+}@VSXZa=0QZIX4o@@3xh!NXA?12k9EnO#kwKv=&V1+rj_8!?C+(Xn>fF$ zC&s#gW49c4a4xrt#o8O*#XpyIuVXP$zJEC{vi05ak za<}Qo{tVH!qv_#eJ2ku6M0ma4tw$91&Z*yC**-WVY-2%kd3j zRi|U+HBvj&)it?RI?MI=>%5d+z4PY%{~Y34$NW%y%)k?^hVQhOGi1Bm5iGFmBm0CO 
zTrPurJ)O*X#rrmw{t9^P1ALj~DNhJFZoe$*OFl^jdVh+zW{kpAjZ;N5FxfBaZpxgp z`VW1^m^w1?ow^Q^Y_&ML;)0X*LoWuH?6>h^nP2_JLl6k~Y0?=Ug**YZmy=q^g^*PE zV;Czza^w1Unoh8m%PN!>li3mj1E<6yFQ?F_>2z&`X(Aq}$4uq%FwuNS^O`NQ6sT44 zPt^U+?4m~%^x}4_U6JYHWY}okR*#1S@gVsB@fAMndJBenMHx#zn%bbUP z*aVa*(k#T18z`N7hV)_H)=3=5nG~#dnM78Pf;=~v5s(sY8-Z8RitWJ zSn-#l?Dc=}ODh<~^iW`CX^B!*Z`(KmAAObkS0DD+1g9 z8Y~V$SquXuTC`gw$F3Vo{mTTxm9d%BKo!3*q9YZ1-4>l@m3HYW+wm@>U(026)pk zDs(D)S>B(w#3X}^8brJDZN_|4NO+C8Df&)jE)-GCquxSTCP#*7j*N9tMFR75$!Ub7 z`}#Wtj|ebj$Rvs2vgIbIG2yNA^%HUWHe;Ng12e@YZIq@5XGZCX4EG{f0oetWW`EG9 z7j0nh|8{_~SPomW%PYhF<-lxk^w2k#VZ)+<0`6}-yvQHqYFA~#ygW~R{C}_b=Weis zjT0EEFbbk^Ge;#$<1iWeQ*nk$-=}BT7~)0GShNPx4GfD?!y9S~^VHGfcU(>%WE2Oh zC1ypus(4PIa@UAa3NN!sZ!B+_Ys4c0j>35)Sl=*%Aem?bZ-7|Tx}vyZXmXtpgT**S znZtg|A%SQQ5Tej3k@?)WDvs8YNWBErCTS`H8{|VN7%K`Y1CQfgrk||PFF7lOViuACj5#YdTqYPGi^JGl$cFQ7w6>%7#6rm?#<7cYmF$n$z2UZ-&gf<&hA!)F{f)L3e?B9r} zvkC?>fryIW}%-`b-7s2552QU!6H40-wCiUK=ilT zJ}bML{T53AePYY>0{`3ADb#riJ9gJ^M@Ny!Zw=f}fy}SDkE5&k1{HqnmESoYM``C?Iv?$>1zTWrVudX%ALw z^);8i`>|)J#ci=)d=7S0!c5oUq2|Q;;bYn=pZxhX)|I(Q|)y z_nZExiQK)gV=Q57`$#)NTszngDUuGY{b_Y|``u`7V7AKEbJJ$TMm{=frDf-f#M0r> z9j(-!-KuHaxqJ0|7vrk7ZK0*-H`wVU$Ny-S3fswlyK`QPSE=iK zN2gWe{JQ;#nv3A|$`8!52O_-l)-Tfg0R(}080=S>?z^a-?NW1K2`0H5V5$utDaAsjh|*mHZ8hQ z{6}-d{OZCzc?w!?n~=}y_jG=x-MJfdZrNB&$VNoIy5>f9GqHjwwoOfZnqe_ z%Wprz4W7rHZ7z(wcH#~&8o~ahN4|@t)Z>b%(T(f1IXlJY$>FYGMAwbp0qME<+rew| zUCR14@Ie6e-BbVkzal%C&7U*hn@9eGt__ig3fv=3=+C#0(og;nAW13o6$>DRTyZm7 z?<+C;KmImss^~aq8H!|cEAzr1-|)6iD)zl}U)D_oMioq|oD;F(;9`WsANLSh{fQ7V z(Rh)n3Y+pI!>-b+l)M2WtZ6^;B-4-Xq=+Qi?Ny7TNHVC&@^m+e6h?0w4|0NjbrQ?Q ztwWorHMc;!mX;fYEYToGXhxv)JU^2_$W;1zA z>xEWv7DTE_Is>?Ipp}!zgjEW2K5w2WA;EjAgVzsj4l! 
zi3~EbMp0Km(vl~P23Z)YEOt`2B2|OGWRbfOID%ui=A{;yV&o>$R?C|LI)V-3GF8$7 zPuTer$b7RC{beq}Jr6(aM_$2)~@gjw)Coj1U93wSmf-A(ef6<_Gup%FU zrFlThu-riYyS)Pm4%Q}%fK)MP*y^M|Xl!F494GWqjUJ}bLET2!XFdPF;uZ}y7|sfX z=f=b_>vw(Gy;G?|?$aTdOl9t1%YWy&Brdw4R@Xw>N+ z>c>+GRx(ZEM1QV=N#;aH?AG))Jd*@>v{CK^QbZMcMelMDmI_6dthnYnRXak^Q35he z%w>s!pDV@#Ev2sIL=%c3Vu*51@S3<-^GjIgw!{s0F`G-sgi0}7f6#_`AAz^I5>n*7 zmS3@7oWOE>8H=88_f?4laKKNqZ`BqXfcD_;?@>4Q&%I!lfeSGqsA{f|JgRcDo~8RL zhr!X1b}FtMpYjp6I+>KQi!iY^E}fDT=2@{ zJ@K}3PE44P&IO|?hGffn3SO&0Fy66av9nCdPwr)m4arzKSV~UXB~*pt`Q9o{J0vZ-Vot2LqYssnWB? zoE2rj-92t(C$>drxHGrj!`Q11YkOuWx$)ZjfulP<0^D*su%IOn z3;}aO(A~^XhEGB`G?i_V4Jy{s0s;*t<1Hkc4M)ET1%%+^0_ME1G*N_3LBTLR=>z7V zNs*-V37v(2y!%H-q``o+sdwnEt;Ut9DwmrVIz25jf~yCQ8>ewW0$R6$#P=)LYh*xV z>eT0q;sxPL|E_l9Ab&^y#JDWMhWAYQ-m)6KOF!poy4mM-AmEXAR@bq*F?I9a9~9Qg z>do>4Sq=YRS2tlZM&m_v=2mUdbBF1(6bAlB5dYWlA>4E`tg{OUGM%; zrIIgd*5d{zm9`#o@#PttKq>v2v)6aObByys_x{qC9#sp!aYgnXS_}B&^_1`MiCMS% z`Ks_3w`rwXT=<&OZrf{|$V0!nI41`%g~C3emFC9Ze1>diV?X3Ay8av=jWOz{%JF=T zXO&sg`Fuo<%e)@b<&t@8b};oktJAQBGCJFFnw>KQ)B z)+@R4e;$4AdRP1I23YMjzte6ZxZ!n7E{?)y5xZ@lXL>o$;^5$HN%FsLF%sxGPdur8 z9+K#PrMzoCsCmAp9MBa3E_83V38d6A5T{?8-{(;1>Do7{&G2I6*eGm0Cj)Wl5mJ3y zsrWlz<*dF@HY20%esDLsw_jpmRZe{<7{JR{_*71_b)O4>x7VaFdSBx?&Pe6;=lMGU zf!)~^q@U-|TA>C%~@8LzdTW)t78 zm5<}Zc>nW1FRN+)%qQE5S(PfBPgtseZA`$F&{ANlq6Dvyq$X``-eMa+nfzU&t)dP_i- z+)C!pbf!i|nymPjm5UMIHPmo)Mpe^3`O!&TK!SxA2SI;B=>8^}5Da-ig%oq-a{FN*wEz!i%!-z6;5>^?OH4ldiq(LarH(IDlr^&uaP}i_m@Gypi*lUCcasONE z>PcLQZ%&jnl%OIyW~tI;{35~G&tc7L(KhYqkcBd$Tg4I~!vxuG%Asu0hK~Ls1WU+S zAYhzKN5~02r$Wrnx<|q|yA%&#%tqehOJD?zB)hhr(z_aK37s@PlT-O`QfT18TD(?&pH6dCkJ@= z^^d<8JzLWlxPRdH2lxPh-~a0LweLu@X{j^4#Gq_YCx)ujXDgvLNx}M!8H~E<#gc53 z_#`K086*=INZCh}A44%fxMLWipm-qKH_Q6k4|VeXBjS&;-!HNST3K`$MLhl2k|avz zuR8NI0hT@7h&=F0y}$~g8a3-7D%SlYh(deG#4!bL=tT%~MP!seypUiHxI*cKrb^wu zsaGn@`7+L(2CU!*1z@X-e@O}rv?}|z6@PK0%cZR#XPZea;$}+z8e4EqSta+NJOE^x zU{s4|r8)o0%Zeyv$3?@q7EQ=bWJ2wcm4RbThSnh-52M+7SSZ+)mFckcV)=eI_Xcc+ 
zNQ!}kc`z8URgfvp({ioidw8&FF)^p;Eys0)3nycz|I2f`pjjl#@y%dtzVBRk%&m-P7mv6sui}JC1muT1K<{ z+e=z5Pb#@vUpTp2o~EYWmpY^Bv74>6%|l|XSx)!Nt8^}7I=$T%>=tKMU*SHtNYW() znccP?m8mg1&1`_Zt5M1Kv{iW~K6k^N=y&a{H4fn3S0-Hyki}K=>N|?Q#`TbPRr9`r zKkPGGfDnP7Ue!p@_7B2sFE!V*x=zW1{6l`$#x3M??zDevFI3O8g&%m7T8=}%c2NdC zj#H!8{)lkb*bhC{Np9O`mfLQ5cJTeC=p2sCjruJ1n$$a;(K*Swdl_@P-ucK74ney) zkl!#+aU6f@L7nC{>pnTT^qAr#!1sI21Vm=idz|*vj+5j0UTdcI_`XH+&)8OzU2C7L z?{GOuz2{&YH2QkH^wUSjcs`=s4zkwjJ=A>KxqtobCh!B`R05qVA1j{{8@{9A;fafK zB&L}J>Dw0s_s`z?ph8dde$wwNE+@OMFRofTuKS3)n@2&UF({{DkfXq}h!INmo!&z( zK)rNV&%K9LO~ZM{P0jNMMg}l<1X!yNWOpX}^20jFy(I|3Nc(%+d;w&OSGM{6)$Sb@ z(o+Wv2cCZ9q63~D2n=YNoc|~`q6W-kEc;1)pOHoZ#RkQNhCKa3QpGw6sOA%a^PZ%7 zSb6xV#Ra%bvL_kO4CiOt&cbzsB~q0J6i-+ohK6g_7Y#RD0>q?_!nJld&_Y&j4x&pF zgwapuU^M#v(Z_h{Wpd06OzBwe+13J0Rx!%gL&xS4=3$nrh9uX<-jt_$ulJOV;6mWT%|FvcpE`VN}ZwzwMU2uGZ+# zgu_UPWN{$k{%SVmN+t}GO|)A5@f}NXfRaFz884}HtW33HQ% z(~_bRMMCB3C|j)(xA0oGDl?H22iqvIe0fo`93J+lJ`1*&7i6f}fM#s}CzK2K2;)6M zDBI?-K&ClE(xT8-xZlWEBpfa`3^oUPqz?6L_$M(HXgx)=uq2&Ys4D6?w9G6HY#tSQANoGDt!fNeHi#~&R`;{I(VYVPWl^=^%B-tmwS>GBj5Z-;AmszE-%v_W7HD)O zbo&P2K(Sd<7UQxEdLVcOggHi5l_Ry{aUopSQV6X<4lCG_%%UVA#+gW|#&DTNqYk^_;bJAeAsjTna7e*D2cxvM3+yp^b*CAaZ0D2r#r9)+tVZ&7$0?t-l!+{t>{xbe`zsuHm*^1;I(MtC_9It&Vj8-~1D(m^cQw1ie1Ly4nI@9EVsOrX+0& z@Z(udb% z7`>V*2cY#lKkU-;19VACoL-v6m*?bg@zac||JbhfTIcg$MX%;pNoq{j!2%bjhDD=_ zlr;Wh-EA1NukP2fSSLRF4IZ%JHO_TCOWM`zVJNne8hBk3o7(P_2!F%9pN|$7d%cUX zd!vS--TK&Bs{0lht&|Aa{xJJDhU+X{19IE>wT8dTqMvx}epljY<)h?>5@IV)_Lx>7(Tl0w&}m)=O`$gTE8Baeul}}vRo(6u=DF0#&4{f zM(90V`(WH*1>nAafPj5nsVvMOYP;#Y*Wobl>H;L+55E4r$UC)*yRLtpN3QyP^<&Wc zO!@GcW!)Y6jLz=fc57f(+ez8oE)*&}WYDJQ330tOPe99Gw?9*dIreG;GR%%I<==Nd zWSWFP@ zOPfbK?V_|^8mStO;i_~_7U1W1!L*h2%g1#h?Ow-y^M3(mU=OXJ(?F4lqL0#S;>z zaq&ZGw5JXDQTX83lkyb=RgW({B?NT%o@bjx?{YaLxr*Q|($*Lb%2pRqn(LNflq>s; zk%>eWrfoaH0+Y-cvD#$gi(A&PN~C{jQ^h{ec2{HAX9i6R`3davq@2{N297l!RV|>a z1URagD?fjfKqz(@+yw|F<768S9t)8tks10?ELK?en;w!m$1T#dsbO z&6`Sq0=ZYgHXKxJC|1xd35eH-W_MDs!VM_lvY^%sUyZaVv*K(fBIXni*iC~GeY8bPA 
z3zP#tahhXzWRFZ_@XfQ7_pbQZPmLEOAyLIC#lX`8%|{)BBu`A>ELTI671iT;oA)HfhC*xy(oukUkBqcd4&pMxH;KtB|yN&P^Y=TNH39u#G zPby@)H5&{e(ss-xK-$b5YdY9$iHbkr!jZJAR{n*8Nl0Q&Z%a9xnkX`z2UAOvz@ykh zS=UA_C2wI1=U}r7Oel^XvDUSrFlAi~qAes3zVhCK|4nZ%)EbUCjZ4NFg)R)L&jD5r z*5}^WHv!M&-(M)jR_S&nV{saZN6M*iAcJ>?BRDK5cD41W39V0u+Tm&o)&q316@KBxeVA#bP%&gHDy|o%YlWrB-@|^P^7XFd_Gnorf3n95B$WV;Cna6}yD_x6UoXMeh>4{5e%YtRe(&rtB zL8dCg?V)IoSpln-1->kT)IOBPWYr3W!5JFZw(G1qPw_Fj7z!nu7fPSL?As1bx@5S5 zv^9&vFH#k|(H5Fcu*&!VqoC_}Lv}5RUkr%!?1WW^$xWIaa;nmJ%Kp_UyXaE1j1kaB zJhS)c$RRwn{R7VN=P^a`nmVYs1M_g`)8Abe z|6PC)KL<&^k{=1IO@TL)n7L26*HXKBPkJ}}6d;925JXEDXTVTkHn30cCs2?PCJ^b@ zNc`|!?gN0+>FmSt+$rb)(fzn%bWKl7ODFWEcd$Xe%8l7w=Nbcp&t(vGGwc3qbW--( z!PWN^FiPKi71+(TUG2S0ds|}`DpE0a%6G?)gKTvI>W7B z$a~JeGrFLmi9<=$~@zV1-+u{33PM~4`cG_ZM>&MvRnvTY<<<)ph z5D`7IWzeYcKTMrtaHi3=t)q@@Cmq{n2c2}%v2EM7ZQHhO+crD4lkdCP=j=Ll|IB)S zzqP8?nq!Xn4907g(<6z)AEeDyo#NKP&i;X%>aKyNGE_j5^!I+*ZUBN^FL>_Qjtw5zcWpL)+(HyYgg z?Xwq1h1s%NXg!;$_(y zXscV-)A;7R?%nEr{Pg7GwDOv0$XWjN9F~0Y!!^s!#p?rdv$_Lk2fMrB$s-ouIav@` z*DdJfaz@TTFM%{n)T_Fl4}H`9AvPT7;`8XgV!UY_S~d5~M>xqUXB)p;-9_HB4Uxao17eKPHJ=ubSijYku2cYbnjH4(d--qF1e(VkQV zynY47Gz?mEc;EKCD+{haR}>QA(hGe${Ql;wUaOQy+d6Wqc>&KWiPo|+F{aclGL?Os zu03r{b3A(6_ClUgBrn}}jW+>SuIy=@PwN*uZ`19i%~!59pJ%hH{W>(4t_x?Q%1~I{ zZMGhj-t+e*r|_y{HE)rE#y$Td8TZfma2WOW`OB{`MF^JIWn>T zNX5QR09o4ao;6pY>()Gi2Ji1V$&2qI*08T6C;}`)-*JRXt?@s$gnxNGLr#ur=wT#0 zxck`@2c>IzT-^tCCb@EA&S2+jQC0&L=hv+OG?eLM60$p>=3hfPj^% zlm*x8FdE`-%4v=e8>t7EH%4Zcer_nB?6_isv$Lwt`C(+g*J=TuB~!+n zt#TnUx?fiis5+YT7ol0+Rf`zUh?lkmSuH9t`OopKmZyQGS35ZSr%AwmogMSnDAU7_ zg%=@THR}}-5bOP!I!3GyP^{G~tKQOhClil-l=xU2!})^HYc42`&cQVcPM&FqtS3?2 zs(gV2b4fAdEpQs;f<*HsPd&QxCm{`UaF$#saq8@H%JldVj8`SatC8upo#{j!F#o;+ zeq4&pGy6`4avm7h?38r0ATzZ{tG1*wRls(Cw%(;Y~ zu!!w7DM|d8=n;N?f)Dwm*4?oo#vIHo)p>_0jG zC8UlxENTi^SQY}vq~}tZSK?ik>4WtLQ4hlzhR+yshgdaMEZ8quf?$u3rd+r( zA!4I99@V59>;wr3MxeOZz; zbsvooIl+FLMtZ=XG}FCbc)aa+MV`ZA0$hV0)N6#C1)*iSh%zo?5`OY02y5F95^z+A zbd>_X;sz;ST#!-qn8`LnKLkq`Jy}y~8EMLPgBNAwWJ803LzB4?CB9W@)5yV&^#n+v 
z!d2-wVv!8Av{F$RDqIIp5T%91zbS?u+S?V}UnTJm*ffxthhFnJJ!v)I9ucVxp@dN7 z#A#G`0&-?Co+1LavNwM=9U!fUaav5{)#8S#D<+ZL>lmVhFvB3B#n~u=NN^;2G%5zD zs{<+Mm=`G*3|A6yf30Se=(yuTYZP#){PkF%6B~C(8B4~E7!o1ilU6ax{pr8PUI`uX zhlPMVtjFKYK!LepBXt>gb#v~ESq#+VY{DHjo2$SECr?(yA4AN7NTw$5=i%2T;wN&3 zDAi@bur0$c1jS6ppGJuQhsu?3f1A(oXjlJp;E;Q5*9kBo4xf=pLCbtWd0IV=7lfUA%yxn zl(#jnKUW2l&9eCjYgH8koh53pf$J&JSJU*}xU{MxU?c_{gW;6L6RXkX#?#B0ZAuK7 zoy6s3a3r~O@}!9NGk`Hkn-nIMGqYEbV!891o)~q_+xk;TDI7y*?l?44`CXErlgW}b z(2TPOnjsK@B>n%!RAPf;S#N|DB;q4Rt6Cd+BykWx8yNXEKQhFv&6! zjvhYAnF3w^Za->d`JC5?R1{=pYx`%spEwU@IyIAz0`?I0@=jyiK0g|D+=T&yH?m5z z?PvAItG!s-p5)H6owE6-vL>oA?iwC@bDlQjD{I!J1dp2QnXv*c{o=7v%OXHzEfA~j zcUeN6WGy_6>lAC*jn-#}{adykO+emrbMLNO?gx=nwaYO$Z8hL)wH0_4nVH*pX1tm8 zIr$y^t<_!B@(Clm>XAC#ao8|D&T7(ae=Orlwm%cgkv2v-{N-toM<$Q#cvU%l- zB!ll(zJ*fB@N}2`Lg<3hzI#Hn>vEr&48HQ#Z+VZq%Y7V=x7r&_-{pbMzdV+KFcnyN}7mdW;>5l!0!h?5apf=V%%oD z76g2#oj1XII4%1XubYXiZM7D)9hIFD|CMAT^53S3%&fQqhFf;KUkmp;XgB{}dn~`z zUbY?2R1!9Ch{TrI-XaMSaoPRl_8e4z(kLZ-?`QS=JRiLy0=gZ2x3^K*c$7X(XLqMl zn|iH_I%{`dx!tW-TY_Ge51P@5I@UEMw(3DziA=xiZ#?y^Z$I`(S#pYUFK9#cwPeXavUT-8~3O#8Wa zJEc0lt^@NlO}m{B7dQpnUjJ7N_N@l~!v0hTrr!Y>jlbL0Lz6`PeM?sW64eN~loGpH zhQ)~PmM>ucO;A@H*dL^p2~AIck@ovJccb7H349&<5P=VaJUn77GCIhrnYLT01{wXc zW4Szdx#)&MB;|WH)k2*-k?c^;=-dz}A3;_wCW!T;o=pr=y)f|-x=>0WUyZyhXXb!r z7Pj4JDWpG2DYjqfQrMq0C`mY0zQAGK)_C1qK;OutT0U-G+29hs`zHxnxW(XXYP(xi zV=~E>1m-c{P?NA@p1)b+IdzR*v|ozNo8Mw}nb8P5Sl-n7TMMTQTmha(I1R4~x|STR zGrBbSdXHv2e(qI*iMT%QaS4bzx6Q$CP~8iqBo^aJLw^TL%nNt-=Bk#wAmmpIX|ohF z4yypNG7i{Zk!5iWG^+|`{gvn5K7SUF$q0%+=xFriQYpEs|prnq)OY@%bR{}z@y5tT?LXfmHKI>zAZMrKpY`E}@hgB;J<`(#?u!IDRU8#Qzo!?n3sd}}v zuHSwcF$y?W|IsvzwjDR`u?l1a{Zj%iafO~DB%fJ;%qz%01j)RO8}iZUvmjwuE8I#I zzZTmN7g)zT(a;RG2Lk@orE`4T5K;c=Ksi!cHcd6sW;C1kiflgcINLL!I z^6;9dqlWkt6l`gXeuXweOg4l`;(K>A2lAkdhM!#HI zGJ#L}At*wZfqc$vt?7p->U8gGEED=d?j~^hGZIMGwZ}v4kfir$)nC?8qg?zE67XBB z`LX?uYdAxCn(?3sjB_zjBbL_bGbqQTN`4Osk~HOpV_motbi*WL61~F4|3t3`uZb-o zs<=$qFiKz$RzFh2l4c^^U>c9}0;V;uGjFum5!%*NPL&pYKSRN)gkE<+I0H?TvP7+$ 
zpxrxXMZyff=!dV83-MgGpBmXWyKP=d<`(%f1%qi3sUc3-Ow{$j7&($2v9SrQPbyXT zLjFG)G9+dd3Io0_(1N9HYtx;IMums@-j7?|&L@v`Ij@I>Ikuh;rW zajL>7+x@l!3r|$fJ1g)RboGLE0^BRVA3r+ja$53OW!UU@)ve5-uWp@n@Abs!dK(zs z+pT>$>7mtby!e?rC1~(W)FSv$x7_k(cRcTEdgw|h=-Zmexpwb)bJcMzVX0L&3x(&~ z;I2PA&Dmq9%iw(`BQDGL4|3YqAA2UdntqxcuCJvRCEzJ!&Yev3nr+ z{T33f(tegWc=DO1br!%nDudXtWF8h&wFAMeU;-5+_Ai&1*^^ZW^$E!t!e*kop#h{)*-Xq^oVs5 z_j*y-JH&k-`rdxZo$9ds0zb7m-dXgpkB&}hd#xKehP%hJ{;XE*$Le{Rt07uSv#zn2 zsuX`n@jktM@L~5X*6nea>tG!Bb#wH&8XL=TeV*;s-F*vX?O;4|Emi%R{~=pxnvT`c z%^KrrqkxS9ksjevaY{ov%2;eTyM1NTDy#W+{>rFds(~1Ojp|- zW+}&l7g(FzWbqzvfeUHI6SjlqcJG>Z_MF-DU%6$zedfn%xgRi$yg@Y{OWStd{I6Er z+XjG2zsvPqel`81ToP)3ZLS3R51HrCl(YXaGwy8z{sG>865V~rui)~1d6&S{fkawZ z%YTikLjd&`{#*v~^QimBH^@?sD+!}4QjLN4kQLK6#*+_*uS`z9A=4@rI)tAV+9%e6 z@v~D$FI?f8z#Ezzy`x8F$`mSM&xcENKU(5ZPbBL=Fz!y8jUI?m!_#x3W zl=|WD&GZ8gz8^@-V#2|n8Z?o84u>G8p2NK882lG~?|wKX_qBa1_nj`^ z%k%TNuH^S37w+S z>PksL^~yBEdD`K@di62kro~2zZm;nH$F(t-dKc#W_G1H~=Lw4RC}Xv}g5c`VcjC1D z3``JNt_tngP7)P@Z#qgSWOGdbe73+YIIU5urJYT|A`5uOoS8i+q)^H1Q=(kP?}7v_ z!hqW%oeZ}tSk~(n-f4!l84YSV=%p0=`)#uF)n<8K6sl;04$)xlEDrMM7x}tn$rr4P zPa+rnFoJhqGy`7tk`H(BsxQwgPQbeFL2WLOZo%Op7eGos@g~R(@?caujOC|Qu+eg0 zzOZF-2qPy`8YEo3lln`rVcejEN>Ml+&N%-ZjKLORLa(zHUP%ud@dpb5LPON1%)j~^ z(7%ZqJn9k~IjBwKp!iLiTHMp;(&Gaka&%bY#+g>kqy=;^!hXj}5f(9{X5N>a2{4oL z%xv5P6lB^p&R%& z7VSk-YOL0J-r!pfl!st=atDZf4f_tMz<%Nb<+rLbEWGAhY{F+RE?Vk#D1(=?{0RL) z)>!J}F(Q6w$-T9tmQ<<}A-aESO)vqBCkkD%Si)nbL13sf?RAn*Q)6MEs!1C*jk6@p z6;$TK_?&0b8O~m~;hKL!nm%}Vys^~k6RKWHB$!jB=7l6+7ya-L+B79;|4jXH4kF{H zof?SN0j1Q!z~njlGr+}^I20_=Sw_Kwk&Zqj)3V)o6fyi4zgFz<%wiVlpy!WM=wjOT zBSD3j;{n?x2{T&^)6Twfon-!azoX6L$K&_Ru?>-Lt}K*;F4 z8g4uRj;vgF$eQ1Hk=Bh8mLC#o9Ntk<^7c9m;=TAj?%9?B6T{c$g&R`P04ySFq-!KWugHep4-U7c;wChh1plWjpNpvr6YIZ*#$T z6?S*7URG%?s?>F+Vu2(N@60wdkd_Yb^$-8USeBDG#_V<(#{ zDc>f?cri}0R0*@CDVaO#iKPEFJgI6(O=;HL%M)ffeutqx}kX-2sEoI@mD%xfi)d2nEoMWu7Hf3 z1imG@QW^aN#^PyEiTf}p+iEF=s=2>4vT0w+j4@f}nWaw-7C-0@xDwINy^uAM$!L75 z=tTv7(4lRANSB2toBW7#YlVK8VY*WfA-11%P~WtU29EJqx@OJ{xA>A6u-*gg!yNIS 
zXJAUHXmy7e=M3AHh^$o{Wh{4pT0keWPtxq#*Bfb-tP=>qz-q8M5sC7@5RR5W>3vwFJ?+Atcfg^n|$A&hd1gUITzRuL7#{|>tAwkW|HW6U2 z6G>MU&q78bU8XNAM%%GUjNd%LhB8Paro3f@EfeHUmTvnf?93wNIZgvvbcmQ};S3&9 z{_A_+I&50FI8PErZJyFOZ;r{)pfqBnI)h%8XdkVD@m4b8JTJL^flf|X%{s2-RAfpo z3*KUyt+0ueLy3UGX)Buw!#W|LU%nF}!>vU%Ymao8Gb_p(%TtLOUn#k1?h&~Mw*>)D zep;y%I(jjSlDXTV0K&iqcN}g6`^MQ$)&vi_P%=^(n5d=pfbwzh{Wo0^t?Zz!mMh$nctkUv3 zImCUZWV1%2-%CX`)TTIXKuRQDgudS;(4~D1M{&eYLcxU-Tf#qQR%($}Gcw~#r#ZnH zRO;Ue6oj?gb}+{xUKAH{sr+ zS}DDnxtO94<`uiV=+&kc_lQ?o23r}GW^>YGTVVOOWFYRM*@I0@#E5DbUM9t9R`^S2~bfoaHXuH2%Vh7{XB%{bvxd+2Z+yG|U&e^ZFWKvp( zbJ{7Wga*93NYjL5``c~2(bUm$BE4+gpxY{8b_Y=FZPI80PTBlN0^Kbo-o_O3TxV$tS2Oz zPb`_Tl($_g*HE5|K}Ezwh7+_zIk7H9728>>N}0>TpP%{vUB}=4<0&;Ry;mSF@G}+= zh&HtQfdo0b1oWZ?|LkAr1@o<2+Uk9sede`oc=)syI20`PD)(aX{`eV0LY);v?S|Qe z($-(<)vzM?oC}-~WQrhOGJQ3jW&AobWP;D9^6zT|h#$V)h0dAC3PxzXUcWc87B<_i z9|nZZPHTI^H@_sudRxA6QpbH99kae@akf5DzW;5$+u*$Uy7#(19?=7cyJmGhAT4`c ztT+UUsfPjvQth>3kWrbDtE}60~n?65Vv(vlL!^hzov& zg0Jwt@~T?JyZC&~(0k?*6vy%w_bx-mPOsai-W?)on{ev(%8uzimMZI97tOq#G_>~o z642Ua_huLta8!ZmDRboU{D+1&XqnTt_?fuNb(VI%k2kyHpkq6DbLpSeeRNIPV^Q5T zK%Z*sb;z+Pvg>tt5bXja8F2*A{H1$~jWR6`obfU%KId?>)df~aI!w3vzOFfp3Vgi7 z;_)l2%J|$OIGjGox+^Qk`b8be_WHENt0&p|+@%=D@&VTdbr~+7pEXat?OsY&Z94bw zb~`-lF5gE@WckkcEgE%+yie5O5Vu+QnyR{A=GTe5DzQ}w1AGU&T`$6swo!E(M;${y z|Gn;d)!o0|?Pfdm)vJDj3Hsc06TR9vtlYQW*pJ-@SGF<$>_c-^bu>>Q-2e=uR|<;^jd4|@~ zTkyTCNTS}07_7bft>tT?Qs ztX5yU?hoI_wFltr9T3O}^zwfv`j)1_`@fTyC$WKw3%u%W+&Gdz@-u>>*RjR0**Ck6 zSugTL9rRhi+G{Ijj(mdtJHcja47gVCw*tVhA|Sq|I5ymdXwT9?fCFpgiUWkbY_=J8V`- z`OdNJ(^CVV*vCxHW;qHCfQNzOMi%=oi!y*&A_c+&G=2h9F(rj{Fr75`a(nKdX2oJU zl`4mbG0r1NY%LwlD_krjW$`dzniHeL0aAgeIXB|dM|sGIiK2fxATH}%zLz^ty-)}y zWdf(%ttkt*v8$X(w0<{&V;p6gwC5LR3Bwq0Z9cX8D7i#cBuVb;w5SoaVt|RG3S8{3 zH$)?+WMnAiX)#8LX|QMqBX2rD9oz8gRwi3=rNYIFP1MN$7EFa$i{hyH{IB`HJIFam$r{NB+k}DN1_=8TNg}lhkIwgv{cZNoxD}lYp znSUU3hA7#b>DG)i@QVW+U5_0ErTWT#+r@dRuw*C8$-E5uZ5kdic0y~zKEMM6aVV(i z_MN);-;A4wPa^AOP|bUI75o&KChD8gEwLo3 
zs$MeT1a)->K1@mkB||VOS1b*cSW6{5#*=xv3^=Az65wcXeo4W@QS7xBmvPu28X;Lf zmYxm7iQHly6$$Zi-m{=p9&;wfnCQu)1y2U428!?#Ca6eDVtl}iGNkZIp*7I{*#?D0 zJjR3zSg1v%QsUfz&NeXW%oC%hQ>>XtfQX>kLpcrrzYtQ++1VqncnSd>7LAcRx)h!G za|Hc>S@;|Zd{`I!+znDSS;AK_weS_#7L59F>39|TCV5TGaIWxx_0f+>J~eQL?tdJv z)myOugD54&a3b|6+&W55-HgT}H*ty=uQ6azvJ$-ylIQu9H=L>BkXE3Ou2UGek4;&! z$0CM+Dg_^&#tAR11w{Zx+_qM2^kBf~R7Ho2s5jSa?N6u(Dv!fuRb&h;LnxLYL=w{% zJ0~?@TMoMoJ?Idk!Xl|=V2o{UDb&e6_F5rj1TjVjl!zrHkQtJzPgL`$Sweb%BXV;#~Z34$X-r zTFIV;W02BQcd7I$jWP=J@v%pQq5@w0`bXV&NA;AQ+@d3VKubDixCcoM{B zR{W0#==%Ya^*XKk;R?98@P$SOFI9yQ-UB**A^iYoe<3|%lmUP0Vf*W0lim%N1Kr(i zJRM#8agV(2mUt1lOhOH9FP?0+45FoVv`$Zua=5Ohk&+X$lU=>s8_8$BMI*&#*_pDe z_KEaaZReK8{d~{d_esuL;I)nI&4$>fnz1QO;MsJ7n86b98 z{hw{^&`#+b1aMj6s0d{a{g4zKs3vkas{WRvV*SY#6AeOKordF|ktoj$$Qm5QzXo

qRh>=~zK z^OXAB)J%HSe>BtD0?%4MI#@pLzi7=~U@mqzJMUq=#{9R<9aTbScdq@Au7P?p(yj!( zri~sW2nSD(A5c16w%R}=>jghq)Q3Ye7Thb?=k? z!)G?6q_$&D2*S3fl5t+?UXvL-Cf4J;34$-p*0nuzH`=Q&MpY(Vff^3o+>e(FN!A<| z0TIK+H1-{*FxJ^URld9B%AM}0O{*E()b6`mG#B5qjSt}C=vS-8?GUTDZpV8?_b5^O z#TbBqsQkFb@lZD_Fr{{DwbN+gD)_H0>2AlqirqpD5x-*{dy|ar@h7K^2cMTqAVQtE zji=c~wvF5S*k4~k>tUqc2+SE8gqIHBJuRoN{k+Wh*>-PO(Q^0kw z)HGKPyC(T_vx3p5YlH9^_on-4WU5iX;~?W1|CA?O>#%_Rb_VlB`)!7L7t?mCbmvHB z%{P7oD0l+QZ3iH|c>~kOfX|CfzNCOsHXnqVl>uF?PuUn9Gh#lHpnEfvLti^TVE?D> z1S2D$ln=dV&CH8CANf2I2S_@MNeQ6jjB>(eTwUBW4q_AT0be?BlNs)~icr1am7jJT z@oa|0k~ak9LB2#5PI7{bFl5i2_MBFzFpyBFT#IR;ijr;3?g3|`!9bZ74(15soUZYA z%G1x1B9-E#iC17YtJBG~EeUX<&nw&xQe*h-t|-Bh#fN(~jjIDiR+o$|hQL{Riu|XV z3@uoXsV6l=C2`T;(8$6}be~*_iW#HHCNyE@Z%$BH&|XObdnpW<*AUr7`XBZIxj`!y z>q&~JB38l+-s*;ElJqK3Y;R6Iu;q&tfCCTUhBH~Zb0{^JHA<6%Na$F9>Sybl6MBMgGAFHw4EH(OVBK{*x zJM8nPfK}(hkuXAN!fr8aAa9gPy}RVeh**$D5dZis5CiuU zP-g5+oCJ3tn@BO+&v9dWV2=EjCNOWJCA87niqKc)&)k$!S3ZGyD5q z7<+9LNqGx&2{8Sl+-tOgY+OA)!K=g2ii9htn&{Ijgf6nOzOlo;Z^)IkdB?IB6=Q(U4#p@{6#v=h}$(EIUNn zQ)sHig<&g9-Zx<(T?WlxynCe)7J0h4@4Z8p{Sd?iE&><;ruq@BM6tkp!z%u!yftCG z2s-o}BH260r4d!tmyYftQI|Qw?Zjv+L7VX+o04^A8eg-_VY$%;b2$SJb>$GD36oksvjLJ7|VNv3jp*rA;)!T&{nK$fts2Nm7 zzNoa&%q%{+nDS1Au_s8qQ%3@{vXvAt6P(59Asm~jwqw)zi>FF><1CpZ%{HB57*f-n zu%%m2NynB+D3~UYtU?_MghwjOC8!J>^?sS-gk6hxkmKS!GD}TF-wGkAoZ(wxBM6}( zv*oak>vYIlI{U+NKo`n@U-QUt8nm*AG^>Wm9JyuQX2a~J|F?uc3nBG4$cUtmcQ(P21iZ;}6;Q^SfRm zk2zBDZqFH9TKktCA-=|&rtVeE)3VGMYf;&*r$O~E`ise~==QY6ho6pEU7u&c5J`f&os`@f#GdS9O7NM`|@G9u7; z?p$yCgJ7aw4;-H_=~2Kj*unC)?WRj~dgAQ%*}A)>b@N&Mtd)1G*}bdntn7yQ&VIjz zVvfK=3p+GJF9@EH&kHO92k%zb>pLQHEtRz6w}$_<}6=+zvMOL@r*NLBgq zOnCUTr^dQPnmNaNg>JtizdJv55xsJLh>ZM20%cMP@I~uzF>=sV4dji8(w*}GHa+%`AFUI?Vf05N+KMb|4C#Fd*wIJq3AQEl zOwwk$G(lKuU^Oam?syifeA;~n?7xz`7>e1vgE2z1SvHR5e&G-N z{;4ndg^gi!ZV)&dWK+H#8TF2uk2zGeoI-Qf_YhE*(Bg;96A<3=dlHk(?3hY{W+S>U zxIk~1GhgjDLp#AF{puq2P#=9!noPhsv{Zx5e1(}Fj67%=KJy-jKNM-j0TQmzuUGEf z_{QNd8ixWFIo?9Lg-Q&RmJ&C5_rg& 
z+hW0d$ugWJU#?iDb_w?L1hr<-e#`c%v|?}*JU)`7Ty7D|y&E@lF?>8h5v*AW;n=Un zP_Zy8ctTlJw|Vh&REEDV1Jc1GzUu-W3hRaXUIGFEL{EN0LS&F8 zVm-RpGzHNCIjGiP!F9Ci_|U1MCQ2(EplSyl#{9oc^m76h?mCvkRau>vY@mbj73Ck= zVWBMQwRm$C=m=SOK$xxWBp@#)hhZ;GH0<@~&YCjAN~7fL!&hOvmFGHpYtP(go11swf}(whw@!%?QoMC(jQMtM=Hah!Nfx{!G6+i(T{Y{ zgPPG~Y@bRU0ro1b`e}p{Wl4KCubxiHsj5t<=s}r@AAXN6U6+E1l*8Hz;fswLa| zK~UocL>nvvW=4I#D%ut6Us#lNW?+#N|5pILHqgR9{}uzKmV93&HeS9;F9f;=XKw`M z!APhQ{PdkrKB3-p0U~ri0BFS{*>0ad>O}z$MGXM=#hmP>(W6QiFQevGn=6`7vHpQ0 z`j_l&UZ=0Y5*w%SP*&H=+5jEze?N8uF4cW^xxE~lZIQyYJ~k&^OjkCo?Y43Di?H_3 zXMB0|h6SOBu5T|t*<)b>H&QM6n>K!jn_6rmG4gtx_@8}cf0Ha%?{=bUpZ4mZwijO) zD;;~0Z>aHcy1CiA?#h*8Bk{$un))-fuTCD}XLODqEfKl6I`@?Bnf140PuN$t{zV<; zc3HF7Z)vjbM0p7qM_1Nxd460G0l%PH7yGJKIRq|~jv9#KjOtQdv{NQ#x1SGLU9YOD zeeSn9+oZ66DcSWi zpMOg~o1JdhV?WvNp7%el*Z2PyU0}Exf>`HV*ZhDW3lxq!I z-S5{QOmlAg;Lq=0fOS{?x4Jo7kLiHSmyxU2@Y3f>Rgl?&(;V|^joQ3+(02+b*a#%vtp$q2p*;X)=K%!3 zdF0uP&w~SBrk!K`oRh)3UaV#S65{PO(p&7^| z?hinrNXx>X6N3MvJkD~pza2m^zW{yLC)!FD3UW zJS|Q;rP%0ii#DVFpFnwY?6$)zuGxmdfYeDBh*)BIR!#_BBhKwrrBw3~C!L=aVj&u9 z+gc6fLtGnXc4iBYux^Drb-ywE5d87v!NnCFg{TXc)O$e{TSRelvW00;rU@_??I&)_ zbgC=EQX*8wLhzPh*=JSQ z20?L^nCcfQ(7I@({zvN$=3OLd!GAg}`}O0)ZmX@3>cEAgD^aL6@K(H|2{Ga>q5C)J z^^-Wcp%UPxy&Bm5Ibn1h-9GWn6w|KBO*WRxMA4&*?No|@c z{1n2$PEI;RVN71>Z11})vgknyV6hG+fp~s(Bb6bGpddaK+K#@9zq^6v#k@B6T0G1| zR{ceVP(d8dkytWnnWffxq#uby@>qxI|HYL`Eld?#Apa{Vq-3r9b@16PE-6VqtVMxq zXM8Q;(!ZRg+QWq$5&_nx06xE)7>nT9t3I$nEX#%>s0S=5le}eTe+lu@_f(K?w#khYu{LGTb2ua}#g6HUgc{A#-iuOQz@}o#I4RHT& zIqhxw2_4Lk{5_}40)C-iefJ)&51}r=x3ACvX8fPXS$>%PzH`81!T)r?=n}t}MDxkI z$N-L)^H6-f3sJ)7I$vF+L;`@Bbu8P*PJ|O}U%7|1t5U0iZy^)>ZpYU4^WWhq1HW(Y zq^T0p?op37(%R>%YwN~soh#=$^5+qQHSE`%!-w|Q_|$u%rF1v<&WA%Cu=z#ses9ZK z(vfoe>w9erKgY$R>tj!2cy@|4$J6>@R3`QzSMZ2$V-r~TgVWaTE5)?7yT!NpE7Me` zTnjKmsmYRB$C=NoW54ClxVrW)N}Xs#rPGD*iO+L;_r%I$W@VL4Y|{4O6pz#9;%3&v ze0dt_)nZlFq{k=!?Y7ug>ukg^NAPx?JJUPAy8M#4x~IPh?wS9FbM?yg9duF_{AN(b zcbTiW8P;prnX`+>9Bl|-w}7D)tzMkAF8=1GasMUJ*rHzW-K2HftUg9yU3mZ$ebsD( 
zn_YBH0=5}H0z0%V0AhH*Z{93IYm-G*0hsQ&9fx~QX_c)td^cJlz$at3^KwdGKG)ri zP#tmJz1O$-$;m3p-j2km?6%?Ihn2SLPtx>N#@w8B``T5V zuk(IRByadEkCo@46LiNx|H>Pu1%Yk%m!4_qZoAWw$Bz>8qugvL!Y;2QEyIbezXIKF zY0cYtE(4-G;X8%WHpwS#x0UM>J>U4of`z8@@V6f83fXwnn>GU-uGX7CVC z87WHZp@LYg+$0+;edm;ZmLj<3pv-3Zd^3f7Ak^=zSrarWn25Lt2tURlUVZingeHm+ zX9V`4gTrR$B?ko`lI3`Zp*rF>1xGd8VYr}qLM1nD2@;yr=%K|d153ZPvIQQLC@n_Q z7f5QZZTu)Qrt~Tmu1QlUImHUap2Xkh$1!wN?wLS;i%yw-3{p@WY~Z8Q9H54j|H2$v~6-V5LwaAzbAs_ zn5j;l!o>b&_>&$U^?sA!Q&eW$g}+UMIbzA{JYd7)^svnr)EbD-H6+Z82EADE5v20w zm7Usk#mPEVU=^5UpGB)GmYY5JmWcD*6A2I;ZeR!);r4$LiR&ZM$RJ>6jhcwr$(CI<_me zZL3b!IqU3wGyjXatLJ~}t2w?g#%sY(D|YV8cV+Z~h?e;MX=l$$YoYxD#R9yHs~dFK z$Oedo)@IhgicK)y17DQ*&B&MgDjdK zrfRY#+LulLOh>jYvG8P~$dVq1m#hiNy3tm0)nx`S_sn%?qF^ z141UjI(sIM*fLer3kcPk#6Ms)c_Lng!GU zoKqeD!6Yc%0ydF1UNS5uCNnlQ52rbdW6w4>y~v}>ff3|03ClJVYl56HVxFEPMlCYr zcy3OGmh3O68ZH$(a9__~;po&kXLa-t5ukiI7&o&|7zT?M{0(J59a#5fkzi*dQGg`O zjno*sLjH!)hc+M$jx&TTCftgOdDtSV1sK|;*CgOqFWrhK*)8C4V1Ql$A zfl_QHMA}dmDmnplX?KMY!DMe0^9(s(xsZF7veZSEFkKEUxB^U!`f-ku-BJodwJ?(L z3jG(c9Cb4zmvIPx$qrh$@;ehvf^sO~?;Rv?I(xX8AMSEU<}7Pb(9YwyU_(+N<|?lN zN(5*RvyhsBcMXA1`^G~*WYf?FMf(i8q3;0!{l!iQAmjeuqCqkyNubbXJ@IDSdL$f0 zm07cal!go4^Y2F8Abn!(|NW zhho24ctHkyH*CMX&*(bNEivRQciT@e$DdX1Qc%ayAEE~aDIgq)|~3z zouAwOr*mmGKZl4?WgPbo@bm%bFAN*ra}V7v z_0MgdU#pN;bL)45i6PHZybtQG@)TFRuMbyLj{GZESp!dR10(wUi|f9!bxjwR7gdqj zjtJ!PJ>-vzdUgZ?w*J3#yC#Zhs_!p0N^>;tBdn%KD$E3$kH~YgM3~gK-PQJ+zB@4y zXbA3Z;CEnXy21z^d5#NLUzIPmI!e7f2C47shrj8;xO@){&8uX$x!tc8rPCXh$Kstc z`~@mvq2GSE=B0S;ELeerevB^e`+^Ch+<&FGdc8M$JLZO$&F~)+G)s#EjXVOF7dKzK zGt2bbuFVV6xnCC!sl5pTv<};uvX`@ed$PUg>&`mWr@YQT^bO>7JO{sn4lHIzOC0se zYBO-tUEp4}l^4-->N9%R9Ru(jXTIyiEZ!Vv71>vAM&wMKKAJ8fMwc|UC;Z+~_Sc{4 zGu(!EACfcf9Fwb0O&3zNy@MWB?xQ?g+g;Ufp>-IauePm|ZLi-HlN?W@YgY%?>Y**A z&hubZvtFk=bTa{m=Z^Ed4}QnR1^%_Y#7bb>*D2cJ0h>C{&ZvN3*ZsR~ zC#&y}{d#Muyw-T%Zn0d zf+YG~)~pjuAyRZ?Pu<68PE^6KS+&XgPenOG(BZ^S4LyFIcZez!8WF>x!wSY???LmP zqmp*7N+GyIUGRXVA+z?RGNS?RO?ZxvLPQEgNoB!WNC4)EA(=vx+t}%$5}X_llb(a06e%*T 
z!52p-5*c>7Ub%UT3A8DkUJ#&ZSnIBiFJw-MlEO z!V2OWPt<#5N=|?y#JX6!b%C!MBbfxEB4dIK1l|@i%10%i z3HP7=AV0?Bw|dal#knXDD$qZTGqnxh^Yx(wX6D8+uZVukFs%Bbo3+0Z0Fls3zvR{I zR{}6=m)=Pg*z5QS_VD%QDlJPfZcv4>RVD*Pf{?6U;xJc*qmS*ND>=X#mp`GOvp>f z3}JG&6c64Bmg|~Q2ll%a?_+y$ttwmn!pBhyPWjhBH8G6REivSX(QS#>8etAN@FUDOh85Ol-D^{iX(dcUMWl*QAMm%>H*D6#T|4r_9}@#vqUuOu@2uvZ zU!ZHm5wfF2`oRwMM7$cMj@_4^70CiHM6`DpFbA9#1$CsBk^d=`FIkb<=o71Fuc^3H z0=EuFl7BcqltM6P=b|J)>623W`p?;l0enR`^ewDZNTbJArJQ(tFC-S|LlGp_i`pq! z6sD%84q$?oY={rRWAd(|HeK-Qh78mlMi!-Ctui&LZorh?sdlNvkYxD-N{8Sd5-%&R zm9>uhG)F}2{JVXR6tfzOopv~^aSS59K};2MzB?hz|28l5Ej^zkl6+k?2~qZ^Q!4cn zW6_)f#816IVFhez(%2NXVrA0|yKIq=a6}9)3jeu45Z*6J9fn|s{Sk-}W)RDtsHg-A zr}$_Vq>cVoaFdgMGkMjEZrPL!GF{~_LK$cmS`9Gn)g^HvNxc6lRWpvWB;61G5mx6u zPw!{y2RJ{x{S)I{s5$tYMVL%5R5>Q4rD(T0&LuKOTqQ(a3z;&ie*c>_eN?!F1*`(a zUkF8m)&KW@#{?IbPSNA;=ntDp0QdU9L$9dGOJ*O{I7jiII)G+!=u zD|j^C4^yT%PXt?{`ZWhtZBIPgHCd&nw@xCiSywAP)uiHZo{hY6Li_#6Y{Rhnn z+qUO!j9SOy`b|g2m>0VzinI8m5(FQ+Ir3|~(@)*V^Pun|s42oxumvk)O_R}iZmUR2`=xeus!w3!(Gd!P}2>80b z59f~4-Y(3H$AQcEt2N!5DXUiOS>1cAx0ioy=9f2SzdRUJIzHT-B|kz}<9tn|cW$;D zxnE?Uzg`}<_1ey5p9pdlj$C72P0#om**PDZPaV~v%`Tt#vp>$3*qD8}Zu-XRf7xuA zr&`7GT&u_SmFn=kez?x~{=K8Q)_uEawv`|5@vz^zjw!SDKD)x8D5X&>=% zElSz+y4#LjH=D?;h_K%c@tg)c*>9&!HwPSlUWIt#-A;b}zMpMvF(}z;TDNc2SLVCR zYR|mI5mbEdU)8pG2J4*~8MY9({c>zK>P}qJ#D|2D-0MEEr@07#qAp zT~nryW5{#h2l6N6aq;a$N9I3=2gCQ+F3v9zuU4fvI9qdBzy zUH>sK7e}FfYNDd#NV&qyO27&p|#dauW;P z4B!9@j))_jFGq~hR8>Qx(KI;$Gbu~1A;W{fQycPPR+|vi!MKHu#)gTKGER9Uao$Ye zf!VG;?`D_dk)+D}%>u}Sd&|j&xkOi2pOR?Fg}etzxMn*yx8Fga*6IbX+iJU})BHeK zns=BoT`eys)1R=6Azsa%mF+85WV>7|cZrjXc>I~T%&A^Wwj+bJuS6ATbJSt?o9u`E z&b#im0T;AWIzTaw18Hz;$0BU zk^^ASBQEyD&XPJA&dM3_O0cLvOgX)(I7|>- zl2MmGUAE47HL~*-7kk3tFenYCa!gbUe@4`2z{)x3%dM}e0btty82(*fjr1<$2}O=8 zNai7z4;Kv?3L%`dZST|^FH!(qw5*Iww00{Lc9{9Qk{EEO)M{}Iahk?ZB%)iz(c2P@oi?0jsy6R`|UGLtX_mr zWl7S;!h({@L&~f6ia#9EsRm%B&=&2C!-^2k`DgsnS%D&JIir!4J=e0#p-TSUh9(7~ zta6Z02qIL1x*SKF=7L?^MU-xmD%7~zqaiDf;#13liCMESNdeOkA|4JV{rI89qA-|3 
z6I*rr?gv#QS(7qh;IE4Z2yx-sX96Q%S#3z4hU*+_!v0w~q|_9YoWOmK_NgQ762+|b ziwZqtKn4YZ8+vuWass7~$+8#8N{d&OG zu%o0V+KLb^V<)sOI!JXqQ%6n&^zTk{gas@YxrLc1P&9w|z^WcxW} z-nOlYrDi|IkNh-TA*RTM`a554;Ck;ckXG%B!J%u;RRVwCa zSu;RRkNK2X=oeG~DDxy#APsooiaB?>7+#Evkqddj?||8e0A4YiEw{~U_&FC*hD@j7 za#2N(w2KM5BE9^5en_xjLbGrrR1)T`m-ZB$K@}Fzesk$CKe)9wLXo_}pjfpHA2cem zL&nRxOXls;aM1#Q^nssZO2ge>^w2-_(W%*bqzSG{s#*B#Z_OY?w_$&TWhWRU8?gQk z9CCxBm&*w^u7SnRJd|-GA~Nqg=@Tu`GytG`9cw6 z4~b;+j+=X%gS)W(V&Hh$q_Y5@! zzEB+#I1Ec2|8*Qw+#sjHD*(QoTRljZ=r!IA^IRou{hhYo(|pAm?|D}9b-leY+O27y zSTKIqt!ZHE++DWlRQ`QYSFYV~ycZ#O`Q%#uuxUrDN$>8rpyBKI zv3fuEk@Bkk1`c&993o80~E`TJfotR8<_BY><8CDeRk>j>*H+lu?2bTZGX$wD)7EWu*CmI+h%ipN%q<2^8~xo z+wI~;<1|}9#@FFt4S5K-!Sy+li80;rRKj(f z4D^a=Y^lGRc+PUYGa_aN3f`AL@2t>EJW+l+T^ARcF-0TfNv8^&R6=Q}H} z+BW#}xXn;@3i;T->#7;l1l%Am4=pOad#2A~YvuAK&g&e>37Y4KVyBkXwLb+-1_Yqe z|K@t!W^B@vUvA^I-y2L^xMzGp+XIm}Y@S+2EihA4w~NLhIm zEw}N1b@>5oge_5qs~**r!pRx2okabeZRpbFX&|rZ>~R%DWzt7U9jsDp!8)3v%+xuT zOz~B^bmPQ~e9i)`&#Ya-M@_97 zWB}DZ{h(oJUQ|XZw*H%@7>B#aj{XWZnbiEBL?eAgvIM?4qIL0612hQ>!mA^>T*vl;KltH_Q8>X2e_11ZQ%htQnCjxrCtM-<5$#cth#eK9`5`9}(LgX^51xe``@04WG(rj(% z^_y*_b}ql)CXvw=JRqX#!~KKgQY75p<_wi(0Eb0xty zYIv-fe_&P$C}V53q(RF+=S5$9H0Ren0B!B({>yG|JSQZ|Kt>JDt?yt&)iyuV{Ih#O zGP)`UcO@Nhe0WNWXbStCIkOIo_S;y1D{sE3SUtX59I$04LJ3HIyk$=73kX=Tftv*7jN)a~%j~|xSYK0c* z%hMSv_>&2>qln~)>(pgxE|!`Y;1!x!NQC;bN*rQVfUWm;%|0Gso@$JM^+C87R808| zYIaw~2`t&D>`C_n;rc$D;E~{x2WW7jQN!m`BUqq24FwDPc_3u&z|ewIzHN|>4YYkb@HPk^_ekO zh4j0u*m5%U7-=~Os;j>+#hhe0>gZGTM_o>mK~niF+p4K98v$1H1he^IJ=oS?7&jhe z0)~rK4<>r@=J=%PsKF3Ou(A0U6eX?seGw&+CdAfI{JBV1bCN%W<94LM)rR;L2N|E3 z-_k-z!Gwxv(0n(yvP4P7kKFM!rc!CPGMx~lCU%sA6~jVBqJ4XLX?CrU^9NoMEXg1z zLJe{)WvOg)lD_#@3D#-`=pp&IX|Pk7{}~^ttYG=0#k0O){}GF2zr|wGt*w{W+-+Y( z)R=zEpu8307lhZ^uRvjGe;^?y1d?J>QQfx=+N!sHS{E&!=H2=RGTG(+*rGld8M)v(M9`vx505-HFwIn_!}bZSiODG6ZL@Xy<6qkw;$^T>;mL`w{Ir5@&luJrnh$eKCI+< zmi1b;&T%m4y*~kH>epLa8Q!-aGvd!%jGxX!5b&K`e_HrY!^f{EuIuM@J6XjWwP`l* z0Oj`~+KS3|EVTm8|9pCdTzM@ID-mdYpB^DoeVp8_XJT_Ir?}tp7a#i`7EHgZ2fzQe 
zy$n*E3*4Ptdra86EH8M@%(i4<_prUwdmV0Hw9j|CzHeHr!%bIYJ-kB!;um4KaO zyG|9Rd9=v+QC@{x8opqQFM3vhhGG@!s0Z6NAq~LI-zF5GK_hZ- z;3g}(gEuKlF6IL^%A+eHcMF%%T5u^bb3ruLwNMeDLw8kfq8oW%aw16Qxbdh%be5UT zN>nndGsHl4$(Tnf=+xnF9y?rH;e^1xe^j??_ZzNiudslEETm9TA*y{KC9&*KwL=7! zj${hiV3KCYI)t8_MzB&J3KmUv3V`^}PKY71kFzGrQlzOH`L(#FdC>rBZKo#~PBTh>u>Hu(DhBkGH|G9lLIoJha+Ag(ImiqCUJ&wDrm? z+^;QV#dsUoEeU0Ft=1FP4_d1JKOJ0pcZ*=1I#dXh6iJUsHmQY$4%%Ls=@Ky$s6lA80&zfc!*2I0&)mFZX04Di^b=kPJa*H8c@GTA z)=NVq<>4YD`VBzZX@`4xpk~&aKoveab62e;GJIY2?Tf1wbT0v&UovTh^Q6nLU7-eK z1LrhihcOBMP&9eU63f)+Y!Rk~mnsRjd4?DIT!J6t*D5^*!y`?2!tzvWhkfE+9RGCD zySWemF6Y+4&VrZR)A%>dGEaRzE3y&T(rKXqAb+G%6xRAByafqeVXL+&JFh4*S&4yb zmUNM*vMV#jwV{QVvRzaZhV=BO67FmJ{3(_EZFcvWV_fF zyZwZ05ltVZl$+>!grIwK{*LwZ>FJFhJzIoxxG~HaRK{7{V4h_0!VrYaLx3syXmlr6 zGUI81bs_F-DvC|HpM5iXtb;}e@0WLT-XA9?$gyTI%#l(;_C*JCG^c~0;l5@C^LM6{ zzf^XAtAIh<>!0+#qH!aqy@$TF5L<+r6>c4wH{37pU@jw7m`X@rLaPd3N zvYq_y5`zEo{x?lW<~k{>bD#!t>gby9 zx_N7)P`^5(;piq4!PR$P==13?H(;6T*`LEyt+nSc-Hu{@>sphZ z)3lbg^HGyw=F2Hv-7t0Q3&VXgbtVmCfWo%Ne`; zw(IWS5yNYp&YkGa*bLtpBXP2)4|KVYx3=mO-ET+O_qU`*!1r;;H9>4UncH*C*Nxz+ zcWZrKVB6{`uyU-8yIzpPi1F!fmAFoOd(?g! 
z-R|i+JWae0e9|5)RQA^*Y(1WY;%^=OqC+jUX^idKIpS)2UPZdjt^-(j?zDVO?qX1i ze?Fq0_>olD_BKzerCueNsx1qje@sON?zvYI*uUGT(=VX+2gazL%ctmfwxjXb8$BLH zxA-Qc!*9N&@-(JK?&|w;ymn>wetayTEX&nC-iQpeuh{suza@|W-5$p(<;r;-^VP7r z`Cc<4mv!y`8@c8B3jO%`AF<^=vFRHOk1A}_*xUADOY$#y1c%3pGKk4K{*&Ta$!ruv+LItP)xFsEd{w5g5@N_H!E4Ky2%ZETkWIe4d`tJ$3#E!P6D!hW(k= zkH=YI1wTZOU)ev%%d`@RP_-M#CK9ZrQ>@c1C0j_f9TKf2OW^nxe+n}Yfk6c!d)WH_ z$PeBM(G!N1r1V#SK+chGD^k!)o9qPJ;`8h==-~?8kGH-gtNrw>1=w*lreLn?V9?%{ zL)V`2lC?g@o57g;Gf<97Y{Ic&Z7Cu)Mzgm_lL6Q4dx{bUTrwKYEAA&0KXIw!Jf1SA zm9ZJoEQnx}aGL$1)67z#HSb^IF*bc;#+H~pRoM~#f%>;M7a5dQ5KXB1DY2Vhv+ZjgUc|T{dYxQhQ0#u0_g)jAocn{C$@ufkfUc>koB~2<=6d37P68eiaRahpLJOCUFBs zVj)soR=zy&TT=wgYza~Pt~W>{xY}><;wu+;OF;DT_BtcHY4dd@Fcf?WOnjcAPog8m z9-yCnzM(8_EHZMz$*aP!{1a;nT_{l(mozn?6T) zwe##F%oY;*jEstCRY!Nb@ z9T-BG!^RsVvRd;*@D!bwNqYEX&x#x5YY-gq04mo0kxk)y{Cj}cqydxCOtQSRp--Tr z{v!lYW)%*xw9N9i1@J7HhR#PN>(?&l=ht5J1O3GTI`Q4SR4x=IQ9>%1DGkxHI}N!5 zlp&^5kp5J{qDD=w!FL;&h-?nL|0sQ~2Tn51n7twJy?$uf<__`t;k&lAX)ukSANKuYljKji!rV+=?mRl=Rd%o9qg{3MJU6Sh1UxZhX@KdnM3@1#ArNKWh zu;S+u&!ZEjNQuInaN#s`&8Ru1RQyjoRtSEsc^)*aS>~ZKwQ3{-49rE%X7uEQ5P2sd zno6u}uYz#5{jkv}9xso$sLM8@Nb}-=bPEGxMjz6_fs88*%b3maTfb|7Vuyq)B{rb# z!pV>uUN=NscbY<^GPYPUMLyhk6>TzznqyH;L8h;zI&~^(9xekKCk`h*5?Lx8d)}^) zu9>QLvcxRgY{}j9f5*r+WI&P9e{jc_z?rd)naW5+l)CI1? 
z>p24+?xvQe+4Rp;jciKy<#wDZv+e~>lvukiPsNI@Y>*@MXvr_%Lpi+o9KGbba0Z zba%5jmHTn!?z{Pd7TkODwmrqSgM)BGqi-bOBWJh#=X}bA=RNG2k1S$&a`R$qd)ouc zbBxbX>+RbY6VEQ+?T~o*_w%T?h9LV}9+9%lSuGzE6fC=6K90nAd$wcf{pFaUyGH7E(jAE} z%6A~GyGVxQ)yvj-wLUlDydA7~zI@Q$`)=5d-2?ir`|<;TkU7yn{plC^kC6nehPUQ* zAPdqOI{CaXrOcgv*O&Hf;~P-M;k)M(iLkz!Y$zf=>*xgbTp&C6mY_BR2_@OEYCo8X zIe;3CknN0O;!kOc1+frJSfDWX)kT>GzbyoPo1qzln zncHY0M&wOmKH@VYlbuAe#UPUTM`HP__p360jKNtWZ(ZvrWX+9aqi|O@{(Ql#W&1i- zK72U;Jd75M`mc4;Ato*WX`yHUXl4A-jSTnjUvwH*D^Xoj0B_MPJnz#KesTYpUDQK) z)9^BJIldzz;*Q74?0dYTEX3hyGPm{Nu3evz%M$HTT}ucI9-55|HVQ7SWt0gLS0))0Vj4<{ z<{m4v9j3&fAGv=k@#2%ZanncH>`F&W?X{UE+!15j#}$kpq83%VOa+FxB8Z4AEf#YQ zEG;Cd)A!2ge>@I?;kNXPsu04iVvCW9xd#t$!b&z!AGKOmZQB6m578|X8HeA>{m)Y~ zwd5OM70`(-$^HnIEeTo*UW$bSC_HMg>MH!`6M&?q!WUt$sfboCk)y24(=~KH2Lf~d zK{B4X+#>)r)4l{=UCb99bO943KXYy0ET>{d^!dL$!ip?Y@l?&X5G*fW)61gZ(q;pp;n_X3A6t(QBbjfmM51G-fn-75vi- zrggGs$s_J3!)*oGZm6Ra7NAECnzwB0j$EjewDanw+wfkIG8pJoZyISL?Lr&Hc&6B_ zhcT|%wk`|<+O+z_HdTfaEN2@>^)oJ}^K9i}K;_8@_z!&TjTdMy@C`S}X6Ik`JxSjZ zKxe%tV~qdOzRsO#%mq=Q{;7la7ZMZwagBO$lu0bOEE=nl>qN?FC}zQZe!L&0CYt(% zvjWAOZ(OA-e4deRe)iCT7X-JhAJ8FcG^(H$P-XlfF)Rjc|AU5l3)A3eFvX}e{Q;1t zTSIYa_^TpS6Uo-_CG8PKgP?Cms#%|bHFIG?VLXGZCoKBa1J8;v$G{X&<^QM(3Lljx zUyn^*Op%>~QE-YsBV{r&s`0}(in}ZLw2s9gu&-!VtOa29I$X9eemGo+ttE!@WF} zB|UU}uO$%PosEFQ&emxim(@nOyqPY8^2+`8b3Bh%&C(066VT=Bh96GbJ+~Rhdfl9! 
zE85zV-8(UK&)rY|UU8apdp}Eta@zNHFnk_&uwrLndd;p@U)CQFy59vl z7k(|f6=rQN*0h;-<`T4dx;tH;ivM-EE!qB(ylfD#=~@r0ecZv0-N5=CAUIGiG6O-zZ5rw_s%zv~1t^h}4U_(2Ea($xf3t z=huHKZ=ECj^=9suc(H~v+jo8ASu`ykr?;U0NL)UkU$+7U(q?)ZhFOBuV>Fz{E`6O| zz_mZlQuI{_YOZ`UpG!YfE4!Cocf$ob&2HZ^x8H{&J1+)o>^DIt+N_!gXuaB|QEoGb zMq1rVfV6L6?;l@Qc#GW+uf@l7Uu)yGUbZ&7A%FEecDp`%aco}q*UGm!%^w#|H*0AR!paF{6{)K!=9Qp1bq@rUsilB@^pAsiq=y)q)tIo1BhDz7 zI9xTvg>EaAiG_7-$_HE^sS6UMuHZG{|7J`pq$$WHykIm?6AJ_pv-za6d zg!Quz9@97M-hu!~rp5)5lMtZ8*gLD!K^Lkc8q8EfT6|99lJ2OlUi~2AdL6%hCi~fP z^J@&t6iHY)4>fxKP8?Bbtz{AA8Ry17MwoC5lVEe@4F_e~<|t(Wv2t5c7~uq?l<+s| z=|Vb7v}vJ6F<2CR9B`%phRUg0 zyM~+w8#1P5hAGFafxAa-i*CG>0vRnjY#KrZ&0LVLg)k9Fh{8jOXZ%N277&aGdKZl} zOd1N0ZyLm`FRC4ery!Ab>_jPnF`1ueY)4vg*qQA%UjkWEMrlyV&m4u6Ekh=O43+Lw zQ=@|CzB10njMZ&TH@;?=l3xCdh7Kg_S_{~oHCsjp{%v#at+0xOb*=o#-?K~$Rv(&` zOro;D^eCAKG2FHFTeuk&FoZOMPB~c8*s@|M^%{kU?6GR|>XsQ?w~ulkbhUSw~f5=p3^kY3annR!J> z{JNB5V=^Ug_9`M{mh7u6E4EL>N4;^u*k4nek%AZYvDPT$4&>QcVVojOlnNF4ZJ1a= z+`QqS{0P=_@lZ)cJn|!tFVC_=F((cgfgA;ot2{!KKV@C=H&uPj-V;xC6KBcX zQ$(b5z7A$zftd5U)=$u;a8xq!t2&!h^EkU%CJc^7JLr2Y6)js?F>Z!(FAeZH#ri*G z9b&1{7jBrP%n1g=&CpO~;RnV=NJh$IRNZ|w$lYm9;I-Sf3?}fyi$+D z&&j1%wP5d)t5H$3H?XernlFW$X8-^3WeW!u{I&e^Wcv+4$ZOs=;l>&m%3vb+PHX?G zX=bk!xar$cTC*Dak_7yCnLtY-1xbYRFCk0{Vh>yn?0Js|Ry}cj-81|MGR&n1K9PYc zAPW&9XMgoeJZyu`j$H%(MXFiGuUAhH^kVgno8a(R`fO`IZ5g}TZzs}|=5)Tzced=P z*Dq%|KKvt~cZ2U>`nb2)7I@}Z*K35+WcPO*%*AIp4&s65hu3PL+)fs-{dBeEu{d;G z;&V=>*f!YGw!3VB^(pK1ZGKv;kl*dbSl;k(xXKysmbT~FZ2hV}uF_Lx;GgC_4=Y4i zU*lflx5@=<>#Cn1cj|rIJZ1L6@^x*j%L~=^Hm$I`etk^`G%tr#^1W?QKjVHrqznA= zO`Ew!<$v3$8FAI;KU6ETj?VBVD8=8_w4fH z?KUgceXr~m+I1E0@jPuP{p*#>dR;7Tvvt`~IL&k5e@*Yb-i`Bhp{`BPGrjLx(<^NC znEd4>^inc7=jFZ(aK2==NQf zJYtS$TkOVr7QOd06F6r0~9UqlpX5JhDUiG+e!pGQ;L< zW36KIT(z3@-Y3q}GkDuNtk$%OY!mc+Ogy(vec4y$j)qpbkDx^I0)gm2VCwff`-%Wl zn0rS6lKZ{+55Kg2u`~*DeH??26Vf#V!+p6wZlBZ|E77Rk#jjiu?inA=urkXYI1w$p za>geLEc*t*sTI;_I%SkitK5bE)=EPKY)vlL`FhdepgDHWR)`?6NjehXC96qxT7n~z z5>5Iv5mCyQzBj2wzp?OGIn6YKQxTXh_`c&ym+A_MgG&oL%s$LeikBXyLxM1$<_HQ& 
zE*qcu6q;%}u&tsSQ_^}hd54x#l~=KFo!BB!n^8YjK;h)TvK^ixsEtz+HYK}dIF9Uz zrja**uzN!noaVC%aLWjd3SF6(Ao=U5@Cd{2V5NO6CdKc&rEHUem z*9?xuMvG&^i3s0VksJ@lo-8SFfcfzrtRq`LE+KE!rp7B`t%kB zP`{HcMJ`lT#u}0%4yrgr)(YWLr2$z|kY!4oXLUb!y3vqR$7~FCh6I>Gw{m60fQDZ4 zu$~@+mf%G|ZJ<|fb|Ez2)vXs#c))3VC>YG;FWN>y9vV__-mT|Rz7nNgI;|Q6K;)Ai zcR*N28@Ol5NgT4K(yoS|N-U7~1= zJ5uwP8H>&p3e zM@JH-{Tn4VGJ%5;EEoZ^mO0NdBrNU+x}1KK1NTB?35E)p?%T=0v9GjNW4csEPJNy{ zJ(I$&xHQ~C?!XVxf|Jr5OEc8XNZdfWZfhgnLT`7g^0)cYt!Hi=<`A^ zTuji^5g>0;Z=;x?@Yn&j8a6);@%#5CXJa}BB&fAn! zmLVQOIB#TY%=qvra!zFuusT?!Ze`-*EMS0Zvdm_Hwq5@#BRY<};M@DB}v@&c~@ycWdy z$5lv`eKB&-x`-QU7G+%dUB!#elx+GRJ!$QqUdH}VF)uO|rxxeby))xNFVy;LT+eh(Ou{2cepcYA~J@OJp z9b-+j#pp09+HF>b7LyAO2xB{!HG(4Z8Y^wAD0vY48CGuUODb9}Y&xr!M%r+^AMy8meB&&dDHU^El=maron!Zb#N(-wwiU(?(_@@u72z?xgVmilY-6B9S z$vnKh1g|OG5QJ+ZTN?}VC-nQ*(KHu9V*29#bZLBp?Lf`unY(E3fEC^2uv zaz1A(aUIBQks#MiKINqcI&X##Ckajf>Ak~J;FISu0{r3K|Ra)XSM z@J~9nQAKpyc)a;VLHwU4_Xf-$}`}NBNzT`$T#4n!?sg~ z7tx&R)u89e+VFy*4a2cuZ8SbRK^kj$g%w7VHWBlPmECC5Yq(qvH4h%BiT zOyH2^c7pARWHH_FhlOh);m)|SaN!+H!WGI|G)Gy@&N?8V8I2cE=erj#y^Q$R@$?3leh@a!;BKy&5k zlJr^5QQ9ha8HfgA_q_;?-nN^k?P;GH&n^_;w1Iw5w2Mykv2R8UdD+19b6(b!&UTzO z7U1@|8>P3`EWYdW?OpWqnld@POyT$HcaH&HxsE$=sMl&8UD*<7-Em}gb0GV1m`}Y| zMk;}9Uwd;Px4d?y059gg%xq3DrF0sR8uY2{Z2AKMJa&usQj*nL)Vh+IR+O@UAV{~hJ9e9(* z(n6EtIR~xHhk4O_Inu}6$slU4H-TR_7otA>?y#r-J}ueGzs38N=N7P-`5fjzkl7Z& zQ+_{$v9^0?bl!q&_I$^4J=|k;cP3oNl;Zng<3{VW*D41%{sD`XkV()`eCxf-*vInD z;qx0=+Y7k2w!Pg7OJ(ObYud`+bbGfJ+pxeL+jYN!xTSOcSg5~I?lxq3oa?c7mn?gn z4I(DLlcM06EJz^{ly+aWUY1(f>tC`LMoESqE$-L8RIL)4NG2%xnf<;@rNz%@dBBKf5kI}@)Kcna%xN}qU(=iW-0dOu-%XG|NRFcJk%*NO^aC# z*x9#Y%y(NYOF55CRO4SnVWNh6)xxG?&wx}c3>^qdU!Y;aFKiH)g(z1$NXo$>@$OZk zx>qTay?4@7k4LyRl&H9_bP(8qB|unlVTnyDu***@o#$PH@g`fQ@_4k#vZeTG%8XJ? 
zl}x>3Czlv1%ub3f$iXt*zS$t;qO{43#5Rt=(sYYgj@7ng7@{)1JO7x+=3J5;-ya=6y`hq?F)-+4w7_AC!m>B0_E|`P5kk@ z&N5$z@hO4ogdDe0^Vzduy4z!u0Y_Z{0*ee7c8U%TxR`}MnNSA@UA<+LWrAs0=)gt6 zg5Lx)3ltg#kbLOLq@F9Q8uY|g18Pxd&Gf^X9e4myA6QcyCO7%^AfojM*q3(sx^ml&!&j>kc?G0^g$gANd63bS8LF2ZcVchO0)B6P8(a#rPjRl& zl6+8!ARS2JphEwxozcUf^t(V!?I&NUF}3bcZHL{K1g8)3CCZrGawUXreZna52GS6Q zwy1YKXNCK`BX=SSpnkMfF?=Sl#9osx5j%b`iv1U=F2+BNSxZF?a&s^kNEgdlhmuwV zdRwfGJPdMj{u6RB-i2U6Th-^Zr&&|_N=KiPByYBvvE<`%v&mHwcrj;H7E-g zJ##Btr89>+rGx1}^GQdy@+ZHEBFLEXhqMIQc^>zyjjH`Pu?igi6pKnjah{{zwa06{ z1Sj&`ndhq&LEyJ+sy8O(fuD|CGDQ;sGft$v`6x=6&f*0u|CqXkndx&fdeZi7)MF}} z^=iJ>Ixx_NNhN?&1Y0Tp`i@rFyoa}1rX}2^c^>X6-8iqwOf)y|6@5i&1{H+dbJm_> zYp9i4=H#+QpJHx3JT*5>cRBe#1q6crBXpxa=V$gV;7z?h4|Ki;TrPb%1RUVRcY9S8 z-k*UGeqT&(31VuKqaPTPVH{6bq_|}vY4UH1$MFtr<@<#wH@SRcDqu#oP?~K z*+p*inLW;@zW*@3?MvqB~_Yeq*%j2XzhTG7@;r1~BTi ztZP354I&|8-==Y`ZR$R5&6A!w_hVy)x7Qgtb#*A+TWhj>aD9)pQa66xs3*#6+9-Zd zW^C(vA0N_mU!XEx5nuijIIY|C>&DCRDs6tt60hMr8^0B-+-iI^x&GuvM8n{DnQa#* zXdM;dd?C8d*4IbcetRO#*3Sjx_zY~MrtvNDA@d#Vtz&v&uT6H|GPt;Uf^_Y)uzL@} z&xC`s52b-twT_2}edoBB6uGy1<@V+&?YD^949-)~HyqsiQwN{$#+B8<=uh0QJC&fD zhZ*tNq)j&-d3aG^qG3sP{tP#{6Zb3gkz zPWdS)S;Gaf1@=)vG1$fOH0fO*0)WI8fM=h^M3 zI2WNqGW_O7$nw2=YpTxwmxTjq-5RA%!m;*&OOG=6DmYKUvNcAgLJGRL(21($Ce`s@ zrIs-55?yPPPzF4ns9@FrZcW5D)Z*$P4TRkW_`1-R(a*br7euy3GtQDP;f*2n*_pfo zdt342Z-v@WU-82@`d{AwWJIt*?LldTX&%+@5M~-y9BdAT1(?WypQP@jSysNdKt-2gYih&j zkU_7#>a5?(2oBse6U^0QoE23@Sr?Vz0N~&Twc6FEi$`g$m)AWjxCwCaiFc*zOEKiF*~O{G$hq(q`v6W8LI@U2{M zcCO8gV-*8166WNTZ7Fd&_S;WEJvs{UdB`zCc>;zL>} zYmVk|`u{7h0L1UXakWLDNnhZ*Gx@=(~=}ZfP!gxAYFRi~F8$ghEMgH80iIenPgr?(!56`ey3z zzP?0=nN7%(Mejc;;o=R?>bZBqb7ZG_eehr| zFanp-RW>0Qt#MX!~~_8y8pmQ|nfKug_)u6ya^j>eUTQhX$^Vz2oop6p z)Gzq6RO58WhzBte9rAMzI1i))A@}+M3q^(_e(|{*zVRMlF8SU4+!qKIJBb1C&5buW zP9+7>7(6?f$VpO4cWjsd#Ny;VJO}H?cfJkC46+&xFW1en+TP}Ak>rV){3$hs&t?tw zmZCM~{QY-tnu$@tqcS#@baocyv4lac7FoCfodEuptPuJUX0zgXNb8$;J@iw7|6avy zpQvCf6dY?&$amA2OZY_%nX{WbHrN91+Dn*{+Bf!pD$7 
zC;5iWUvV)(tlI@ELv5;zPlhvQhw;VaBTA$KHc<^tYvHunHGh|k80K$9>$LW*gtv`Y zDO_w@@xb$TWu+WsCZOmS=oxhVvqcQxn2K{x$~HeVsMKbeEz%uX4v2LeZNMjjPEjIV z$EkDdxPRBe-$fn?v=@}gt)VkYMV~0pETKU(FtbJ&`Dm8l(31tWjt2;c;nlEJG|h`x zX6R%LgY#i4^D!@g1*JmaNRyqBiW{PkTCI#w&Tnjga4zP;5^tTRw?k7 zL~>efajp}hixnn#`jFrIul6Of@r?u2V@u7&*%WEA zqpMJsijvGK3%NYE7P}Gj(aEZaM`4I)hPs1huW3-yRWm(QUXkgT)CehMH)h7n%OFDo$iom2ySqKl(j1f6uQO0EItdiSRp$7DbKc zDLekMk~o`UF3Cz8y-%5iHE> z`EEoYrRMF6e1%|0oj|5c{qQBbZ!n<#9&lhFDU0j{ae@p(1ZcyI199E*6keXkEbx3w z!1kqJiO1p|jx8v3K^*`4$2kKFI(2}Qbwwd>;OGiTM~ zb@J4@+lQ;?)$ZUAo4b;q^T+3A94%wdPtd@}_T}TO8LiU4Y{aU!Z?~fhgp7PHPKULO zuArCk`WMSy9$l~YmRJ45y#pd;S=GXP6h@ zX3xvsu2sxu`8vJV>pG)d`yz$Yn4`pR^4(q6XByU=f%AD9G3WK)*RWa-u(QS`&KJdJ zmi>B>d)0Beo0+=hxXoj~l9T%mT)$mf6SJ<>`Q9>w+6ppDCC~A4XuPI}axH?74Ls`H ze+~_u+MHVT>@OBiI^J@6?+N^h6`bejzFpYbbsahA@pugWWY@bqgysMNcPX2t)Cqh( zDk-zQPn_(d{ZQKO<@oXe>+bQMGu<8U((UGc^?V)-z577-t#^WF8m8+U)9VeN)!bi< z4dk!4^z4mm@*B=UZ?oCG8h+a-063K`_^j3gr)xUhy zcXy9oz+r+m(EF-GpzXECS+B$88Iw@pIB5IZit-FQLZ99CuE$Dlr|n_Rv%J8^KWju^ z`&$86Xkf5Jj<3Zok$pO1OwVUU=6oLut&SUirGWZ{zOVaT3SV$`%*TDm{Wcpz$NuQg zFA^D@sjttSr#Mj0=e;O;xkpm(bTsnUD1R&0>+<21_Tf9DS*?b3tS$%dQ`@?p=Gn6f z@c-K8)$4%kHlSQa(+_B%F_U4@Xl^6t>*6C}n*^<7eF2dWc`p)><&_Q;-}9xp!F#N$ z^mA$r8ps$+ei$WOTvLU7OLIR@`ck6vlVpn$4cSzk7VIVt-XTgg zz@=T{)kRWk(M88G#I*Wn|7iUht;oxgin+n60^?(6A4}I;_H>UsZWjM6H*ofKcC7A-Au+MRTJANViU zTw^QU1Zf1>KMaW~c)_TML50AuaSoita2_K#c1Wz@g2+0nh5N&YKF6B?q@^`)3elZM zrf7rLo+>Z+GQ&_$io!#03W2|h8tw^JVZRJB`Qgx*Ve+9G9%YuW{yL4RCkhK#r2m;z zdRz)Z1R&?$vxQ=_4zd>0xRwUZ!xOkPjwoO;JK>zbpgRBi2vxdZ4K117QZQm2pQgMw z=w%e9Q8dL85WiKJwU-=!z;7Eq#I@;-d9&4(0a$6yiZO?NGway@-Bpudg?F=>557CB zg+syfNsu5ps}hl}qQE!B)@hbGeo#zAgd{+iAowS6E{C*(-k*VKv0_fRK&~UmXcM^z zZY8b-fD>4zA~q}mjrZE7?wn+{d|5m$CR}0oQ5Ik+k@Bd5i^TO0o?P;;sBW|BbqtQx zwmGX7Ls|>Cy0uv3bnNvP~i^@RNTr@{+|GF^ObGG0aWp zQB65dAjeORKnf{`8!mEokbN~HaLSM3D~_RAwmv2BVcviQ92`@foA{lKbq&!*dw^Fo zSR@0x|Dt622H!kJp{(0J&t6zHS8cKmmV!$|Vw!=xptf4HE7l;5I6)p+=GE7>ZcmM@ zcU>F?E=|%cwpIe(q{h&q)5*swoXs3&1V`f=nVsf2A2KULuPq%YV;i>Dr1ottnOBs0 
z{$31sIL*3`wLD4`D-~(}V5cCqXcKmU!eA3R}Oy_$>`t(2NaY#B*7SOPE!v zJWKJCf{J2&{QEq|tJ@#62?)B_@4hWc2vYbP1CBI!9MTQBmNMTs?o7M&PuvApr;`nt zZf5)I{_LeKN$+)7Jwsc>K(j4hoYvt!s)m%2;o3Qph=(f`1>nWuCY`ZfAW_5E-5S%e zQs}U44k@>D7IM59jHQw_DqOOW)ym*R<($BXvRNRIQX7ijRiRI5{rgV=1q9?FJtaTn z9$dU_r~cx<6bQDr1)P3Omv2-eM1G;XlYIKs)fRx_#>k>}<_9&bJS*|v6+3bjJhVHR{Bn->0b$)!*CJGMFt_RR znUGlj*thL9*m~0wwR`8-i>$}-Q~UVqH)N7;f8F)0I@GFFz~|2`LhmXL?WW6Smo3oy zEq{bPlu+$`^VAEm#rJj%?>+ST@UAuIb<_IaGP@=!WUStO{(X$DpuS=BavLUxw$o$f zbJz7>)6@DoPnb+_2O?S3eUWiw&{WI6O?p$4y<%om; z=jz@<2(oo?SA)n%i>0bmOG&en4OrFw)mr=)@(rZmnMZyy2VD4;dfsH{c6eq$+{KU zcW~kd93ncn?q`I2_a8nMJYOmA0EG}el(nE4tAM|gA{+25Ib1>8>~6lD{D z{(zA*DI~LB*TsCyR4v@PO_@93(`7Eo9_=i@)54870-oY%S~pF==if7C&*2K`E}9aD z+jQ;UG|UvF-a~j#GO025aQDcNI)$L)(K$lf7mHYBcfg3aEbL_X%jlJ8H>&%!i>pU3N6sTH-VE+S3LQZBD!kO%7!u)rbFBV1S?{#RtOZ1UY* zl&@q|t)6bR7=Y|H(ZG$OQC;X-c2=Y;d!{jfu||Pqtb=`%7#@TF%tBMEAwjPk`S!|Q z%J%L`M>l#Y<*70uG!-C!;wim*ntvji-A^U=Pz4Le{uu*(koBv<14wE^oCtL~YA$WjE_0gqJd2(G5D|VjWj8ilws8O$0#s6m#-!~`trsX@OBqRwo zsLVPrm4-5fvmXwm)jRaylPE^0FwuB6eK2m!H*sC%G(m%MC?c9OV!tbMGWu8`*%GOu&hms*R3Nxf;0RjXs36&v7Ao5DA%7wIUDjRHZuVO@FIE$h8yPsp{85J~bK(#& z`L+C{nb>#>$rH#K)GC%^wX*ni3^L@GXP*P2n{&G70L5b-e&hfxF18@Xnsbkm6yKiK%7-N5kv4wLI4*1WXn0K9thF+p@7Oh8~jCh5`E z)ddkA#-WfSp6JA8`FH=(B{GIB;>l)~?ocuQuFP3_!li<%&DDAR?7+MH)4E*hTNCOc z%;ju+lBldciw(;1W&C`Rm@&@{gyOzQ+2zwCGiSdM1%_v8czYe!z(WWty9_fVC%`ig z9!Jc%AP8a$hK7yh98E)#g9IviFhO71T}MI%K#pX$$hl@Fg)S{qT;coA4uhL%hwAf+ z2_m*W=qx>6G4Ne6*3mI>T(hP&W;8l4D7n(aFz#2Si==;|L*#|(X8jIUurGo=7=1oZ zwm+$UiV{fRz4z1jbB5&6ud=Z^X&cAfhdr`XSHWIxqr{E_)j}oRBv?}CDa&x22>Mqr zHXCtDK#ZBS@d86^Mzv&*RZNuJkZ5#P0 znXKJ|7|ca>Jbl z0xY>8pwdX`=P0F`=3eD9A-J3%mWa$K<_+OR?g#Wc&I@7yG8y;h_AeL5kK?&SwMhA% zy?EN%j<*I`yU)*cMnC(~&Rx`YR01#OW>a>CwdE@}&%KbxYnrHw=MJDg*6yYa)6h|jh=PfL@nF%6VLe_H|=)gW8?dzm-Bw{{-?QYibm+%^82&( zVrg#se#HH~`~~1SWhm!Vwe?Y7=QyF+H`({P2Ku<$-RY^py^|wa&-bRT*ei5HZ~gd8 z;NnxxaC3+tmG7RY4fN`_@tLoCRb~r1`037gzg1mKIt`o#Sle=4e^j6UJetzF&of8t zx`}A?11`OZ>-j8mHR`XNb+NVJGI;oC+AX^?=-N7dm>*}mbvC!1%Yk}^8B=|ohONzK 
zxIJTYL5JqF_Fhkr(g!)bHJtAYmww&jZtgHZ2(PL{kMpHx>fLBz>HEFPifi)}pQkKJ zgzn>Pats}K-Iwc1fl8p~VD3|EuJ*RX%O|%rKPa`8@x$L^XZb#sm&>n2$(L$la~emT!|}d(s3&-6?6CvWeK$8~Z!7Q|^`Sh$3y*y6Piyaf$Ji=h-rc_EzFf@i zy~u4wdR3t9jOcppp~Z92KJh%g}SeqBcNo_sO3tvooTXn5XV?!2RA zw4K}DkKnqWIM+%1A91C9B79+a>z&F1Jrzg!4f|Q8!>+w$O^wyof`}3-3>wD8e&XJH zJAz&(@BJRWzK5&@yu#$A?wIlWBL#1JX8iEUt%Pza310qr4uYyjMpUv7$q#-ZT4f88TvF~$u;I0 z>HST+!tsmQV3t8~ zi!oKybarT=Tu2$e!5)^Z=H}EJyV|H^3mGSwKZ32ulgm~~K6KVWdToA}Y-ANuhtI=8 zWSdTUi&osUAwM;$Tr`e^{lP4v@HDP9M|HB;qe9Romu zzIl+QXEy*vt(yo{vour*Q*H4_q?o9WPVdN5njz+msunFe9utzTEakC-nFjfnjum)y zo9M|jD=E4SZS{gty(op2Ot}e+(0bvSpk39`xXLVns!=kX*~C6;V1)=hSm<8ZycR;7 zx5sM2IMEVoid{!Eqp*w#-aKxv+_G8a zsQomO>ghpBUk(C^n0zI{Od=b@PNN`Rt`o3GfxR@o^mkVTH!g>*$y%(pOrl-~4tM`f z#P;YxZ*lZpZvcE!Y@U>tgN9N^?`FY!5f5`7jH8D36t42N4jpsV``;w%sAEDZ((+Z( ztrSK9pC+;@I{r7QUcRD?WXTTdgUbWfp*dn6|1*MU|4X4!0z)16F_`q6P5hOZ$ORwu zX`x_#)hD#b=}c;(lCW=-aZY6)mmh?hM&h~00w^`*gcz>6m=#hMwa>SX~X6FlgA!q{Ixlxy6KKN=|L&O-^G(OOWuF?qm=p zn~}m(qn3G564mr~tWjGmAO2x@vDU)1HYW&KZ3f!TZSF^cXS>qa0bh@*jT^IR zWYtczOJr>6%ygUzJpmNOqFPp&u&jNY?d(fmCA;iq?g>FIQ;9v#IUeP|F`Y(?Me#fv z_;(nrQxVH`Ce5aJ>EcKT1ElXYSZm+$0(?WGXp4|7gBehVj2JV8nexAjm+5}9?a80Q znvDYcPx;KnV*=mRmj)4=J%M_nZY@Dv4Z6~P@E??-1M>o8A%0+>e$bfTO>F?Eh{z@% zh=kR|31s28eYlxkepa|zoej9M`2?;_wesA?9_zmD)EopOrrzS3@j1*?ML(;dkWEfW zn$2|IfswDBJ)rx!UunJ6P!cl|JXbf9r1sj$19MuBbsq}_`hMDRgBtK-eSBX_ho;;c zQ@o84yhU7rt%x30Kp5z&ZR$@4Z(;9G0HRN+;{|(lZm#=S*8n1d#(DKJL1!PHZj0M# zUh$HI74!p#-%(58nfsN`fMF@G>z4cQ`i%Zz*|}cNURi1k&u*IVm6t2M(P^~LNpmWJ zZ@<=Qu=vvIYbl|gfIhZB8?XDo)wKOHH|Vj|Uh95Q{9amMt;<4QrTzZ#{dy}bvvd4% z`%3Gz*Wpdy$-bs#fQ8VuX>dku99n+!^=yN*Et#ZB5w!G0G(IM{+s~ft%>8`gUa4`h zS`sg=?0H;q7%b_bP@>5?p1if^^I4a?*;t&g+w?H+XV@%tyYB(r!3>|vtvm(_|E)aM z6^4@E^m%b!20n$Pwh+5}44tjooA?%N0tQ~KecZRI1E0D%Fzx*40G~nA+}0a_&Hm5b zUcdK)i;r#5$0fp?_8J$Ev3wO^uPb_M<8`<6GTBY{b-XnP423cF*ezC{=;LmjG-Xvb znXx|>FW1f0;SPgP^O@neU>$U_mCNUN;1yACobzPIZCXBPFS&D`RlgmEx8@KG|xNqE^m^+S7gx|URhsABZt9AJ5 znZfbtxr(s5^GUCrwrBPc1oF!maWZVxrwhwk7C3Y}(ftA~e|h0Z>Px 
zs~DU^5$Q!-;QwZCk!EDk7Qr~PHDRoOvlP+3aMflS;)Bzz0+#F`U}CD+g;(~_m0QNv zut*~3SrM+x??2V@kRgLk-!HWqv&_GlsZMpfl^4?-gT1N(?g5iNTo8UNu2T zo1-ZQeh+rf+u$tM)T$b{`@%0HS4y&FB$lZ~0ftq~kgSuLU}?ah(moeFe$9X^6~YVf z?;#Q&#d_Gy0H3TzJ0jsf;=t*aGL6f0s>Il;70PyPBCySsNipwXtF_`!aQOQuZU(4W zx}T^aaI_Tv$P}+S_NoLMFP3puRavmln=ZuQm0EXCTYT#$pADcL;?%x8IXqyMMtFgt zQ$0|r6n9@}P+v|4Bv*L0%b_Q{z(_8^GA|s@fz26&IjLF0LI1N*+SP5HP%TwPOe>BV8TlBk*61J{&ApP1bJ5om%`i`T-V=^&2F8RL;WxBCufJn zanoJcaAR7U6BigbdOB&IBHlwI36Az-{Xl09lg*K7LF&E?6#4oX_vy2i8Ri}Mw|~5- z(ac8GF|n&QG^?sCkRDicF`xsCrw>?d5Rwr+>J@CRveB!bHQ_Dpxjb`~##iHO z6LW95$rw`35SKK_Uh!TL=ph#aU7WRob)(rJMvfGJux7l3HX4GN6r}g3B0tbXYmO+} z5~E9{cJK}M=MBsdi8PdTy8-T0$yrC~01T@c?~+aOT(;h?`RYgExTuJoqHL=s+#{kcvI|8%f4^b&n z8kHN=oy7B;mKel~M3S`<4ndWe93)~QyeiD7B%^>ulhk)x6{c3^ zi0t~Am>)d4l^F_P4uKg4gghfZD5|l zLw`Jy<=2=OnsA{H1(W4S%0daZZ(-QhZ2kOn;>bjn84QmyVaP2x(A%nNW8ah|;h*2f zf|bC5n4m?i83FjB<2qV`?MrzKGsIVkA|~muUL+ae!HWpkos`7SkOvFagU#t>|8=R* z1)Iee&ZqI^OAPlm|9(WYDeUq`$+L%M$YzjG4il#Q+s{p<1i60vaH8fUvk_9gGzK{h z!1pGW!zZSsBqd^;RFU3mOsz|@nLZKO@!zU7Y2sPG6BTpAkfhF5Eiq3|NfUQ9oOBG= zqo56B%FGK=s?FAtpYr0av%iuf7mlaj`H_N-uqqF^~DYuY60%d*6L`2bEK|omMv@Ds`=iDtq4dJ+@<1frs=@vOP1g>SAZ={O*gYvDaSq8TZfLyI1118C5RBI1{A= zdJZ38^88|#cN<5w^f15!AC-+(+K;`$hbQolA`Y)&$i`HG)6=Qea^0I$TTt6z?R5EP zOj@=E@`}EW8qH+RV|Fg@I;Z{UsviJm^)2mM$9Knbb&+u84%+_XLYp$g+-~z@OjTX~ zes9+u{#d_ZJv(w=09w;p_Y>b?Uf12r_gNOa_4%U@Pj|r8En|)2A!_Up3FO@lk06`*w%hb7ShS;p3b`Z&?SJF@ixQUi+u0QR<9}jZdl2xz8v6dte-gat~*fIO+FXZ)-l^Jx19_b9Fw3EiX!E$ z15EQxuhGQ9{pr=ZUyRPrm$YPli5`~Sz25H8h<4mJ!(0CVuFoxkzWL{%{TC4WGRWY| z9+>_DI{dE|_$`f@+I#=ZPoaEbz%wM{$a;(ZI#lS}qiRiZDQelDBruQ_gk!DS^cSh)`Rq?%iYOWqByNyOB z(e5Rr9@sd`4gek*rxdi=;mlBQYaAFee#|;8#?s_9vQMK1L#&O%;H*)mRq!|p6SnM5 zoM)(ohRrMXp6M+Ca#{+LhO0gJF2fCh5am|d_~WOW&qvJ?z9+&PbQQS)XNf;QQleJ- z2i?GO)DWyl)iT*6?Rsh0Qmj!8cO0O$n7I`ggL7-?kYxEhFN_E`Dl0zmjN^v)&@QB3 z^{5!laYrLW{P`5t#k|&y%URvb@;Z?7u zYNuIEB2rG4?dJ~bjO_f&3N=j%Gl9ZgSc0$tNtg`R=p7sMpkX00%pwUwW27o*kP)uF zUm#?Kps?Xg2GlD5ZG$AM!WH_{# 
z06lV67x}zOg#}khS{ikHV8K*1>rz|X#AWgqA}_#6Pa5GBZ&w|aAhkpxv8JTCEm{5x z;T8VS-?w13^e`+D1U1F6-n5|prt{}3HtF*Bo6}+wKJU+Gu{lcMd_vpK{RicHIEZSK zwRr_NIFtnUp+2?Czld8y{7bT2+Mk-Ynpv=5xjFK;y@4CbzG1yOVW_FY?3k)l^qj=? z5^7ymY`#ulS%S#M6{=kzT0?YxPQDiri!@v`3Y=@2o1h%k zk7F?v#;gV9VTVanBgR@z3##Z(r^c=NVI_E34Y#=(>~CmMY)aS;W4yz(iad)#8;UV# z$a=|&nt$Q?yoHjBS4P99nF!gNTG&%?gVnM^LNi#)&;4`R=T!gLAaH5dEv8924EuIY zEWbspSjN65r-%a*#MMo}PAlp}QqFgOMBf;!$o!>IzW$bQ;p9^BFJ{CA?A+{;O6J{l zn%YsW1I~;TA1C0HF2R*bsWs$N%vs1igjfSzrArS+sr&~~@_**e|9u5ogb>SHSpM3D z^1o8M;j@H4{9o;?5>-_+;knb_B(5s7CKK$6fzr)w#1uyeExYZRL7%gkF0Bv)b#1!R2}Frdwa{V;*1L_Y{#* zGIJJ_0I+Gh4XJoyR(qh=fmID=RUeY^fyM}-r?L~ zasaM>?!k}SK3`mYI_~3|RWtcMB+0S^CN%5zX)fUj`QDp0^?8nmZPl_wL54CpK0>>5 z>+z<3PZu5iomVWx-uH&fr8m{Bov-T9o35+Vlwuq?t<3+@W7DlYA4d_k0EgF`-l+|X zgoIuu0w=MwUEL&d8|}~KmA1F@`7WOY`O6 zwaJXn&Z_!W*Jp5Ktlro9Y;)Oz?P-0>)03Iyyu#R&j)%pcS6nMRVgfI|j?u-fGTTPH zK2NzdT!zwD;r^ZH5A5})X2;w-L9L(^?9V6lOuM&B=V|ZLq@PcIZBLjtycY8hp*I=2 z4{bbtpC|kRK9N0OQ*Vg5?tf$DI&`%tde^+HFMa>M^U!Hr#U1Bzs(Rel z>)O3N+K*;_*t9n4_1^AwUv+2kIyPSFzmCa{66SEea>VkruCmG3Ia{99c$)Ly_t!G& zBy8Tw^L&_Xp_pIxZjx3W$LJg;O|W`Z35G z^%HuE1(w3yR_1Ii@=V~%ryo1?oPnBv<6glgL02?RVStluLz#)u0jZQ~vtr{CB-MYf zFgqELE*Vg(PDS=}SqV_H?XYgccI3JG1<%qWIcsGVf*v7=88E56Zm2pb(dfa(QYEA( zA4DZycYO z37W=(kB-VxC0~@_t|D_yDxW%*9GvxRsIctA%DLBNL?`$?;EFzkf>L_C~I zv|e7+*2Wper8Qm{Ekw&jhE-K!(qt&cV!%NkfWFB<^6e|UHakTj zA_F)}u{xUjaK(UFi-vhT?ze9tZ;z)sif7w<*Xz|bDcv09nKT%nXcg#u3 zy6Dj$C`)h3mFeb5BiEyHIMrn(G~3CT zo_1xrer;$Q6cZAXk0Xw!owKc1IzVYLM>Q_9xD8pX3_#u}Q-nhzO*gDhletaLv2upu zJk?5XgHiL5A=j>-!#lG|WH4KQJhiFFKh4;78FSezVkSCr!Mw7Bdo!M|=r^`rVWsOe zZ&eXK8S^zakSH(UZBk$sA5KI0SGR$mmzHv1*qmOpQx#-gvONLuf0#PQ@4CXSUnh;N z#!ebrjcwab8e5ICgT}TS+qN6qwy|StpFHn*&Unw4`3J1A#y!`(=WksX`07}HP#l4@ za6H3V!fvF2X`|MIV0thIaln^Z_4hY;r$-l&3s4oX-=PvjKlYym? 
zq8TEpUCjhD8CHo8ov&X%qA@}C!g>4*ebm~ckrb{5!G3I9vns*-6MK%F(~PXhQYq+BUf_uEoh`R= zk`N+Eg@@$GGJ_%x^HUA zB_&v>{V2iNB26qEDv1s@IiNQj!wiouu3p^-{N8)ChMT$xb2>5Lzu@tAR-*3Tc*q--xc^WxpJfzrK5 z$H`TzH~Xo4g;Lt{0ATwu^~nbs_1O~)P9wwK2H?m*t_46bynjGSeLU3Weo;+DeqLxd zYEAhIj32bSiZ@h#gN*=VRVy;#);~v?wZ?bew5>92EWUz02^>(D2V@|Tqm_xo|JsX4 z4Dg+)d;Vb&Hy|B?ndyrergP|At>>sp9u2V*??XT~{gqf{FY(VMkE!J6Dr<&m-}#Omd-FjA!| z#6b?-dTxOik_p<#@QFtr8muh*Z0RE^g(Rt2f9NpJ_ExUH`r#$YaLBhSH=4nau)?~T z2qn`R<9ojhYbM2L9{a8s8fu(^U|DeESsrOa!4CLV!qBaiA4@#N!5UauR2_6&X1k+Q{jQRolREHh74e(^(SZ%Tf=+B^QwBS z<7$&At9_q-bueGsoI3g0bR$Eoj?;m1N%EHOB-$G~shB|o}DdtSesv#c)7QpWI) zw+hLN&OxNu&JGDsf?N1NTc`G@Nu`?^( z_M|U7vGpHMZUNetrSsDczP0ba+TQU}?HWM04S(0pCgw70)HQlyxIe=u71w-w^nZi) zrPsF``#!Q74yDVM8GRW#Wjehgv8i~ot8@EoQf(VPX>Ig${LCK5`|zH+e=nF_fsSSf zrvO&_7m41Jpwl)w!6b|2t~149eE^W{D%<8#d^^))?|K#6QgOZ{J06q`II1CH`kUHy z>-W2fB4*2~FA|vSE|NNs>J8dio5vRfyvfowT@Y#3KwMhsdCg+Ce+tHc44pun9>t%> z6?mWs5XmIL>|556n4ux4uh^6Nha3L&{WXF+}%Ij54kH396@X<{WN8Y z0EI!6&8VC!t&dwOH>F_(z_VOxG(rxqD2zQlEclm1x+)fsH1?a(rIV$j{b=1SSJ|Nz zrh_g0mJy_#7zTmLa4`5i?%dy_KmPehd##X?}BjR|rd8 zP^d`W#OS{75q4wgHRlW?U%z4Z^lXiGawZkNBTKn`{@djh)_tF)up-1rJ3IjDA6aua^{+SUv>!U@d#P5>dv(xiz}X^KNS~IiIYkCq8C}C7I!< zRh5Baa=%Byr3NG`v3XQ8f+8)3@K`*Y|9n34*aD<@L8f23y)I$Uz1Ht9uS`$v5&0NM zG)&&w4Kw2u^cW5z`Fgdq3lIMT*OK}=7~==S&VFR$gDac9)^2=T2O>hluHfN$!JU6^ z9J$(69x;paqqsy@PdN+qZAWrv_yS?I?AeygRt60SOhB|{S+#PME;}*!zOH;DV9=<& z?ImMq)yZO)(o6pZ4LdKhBw3jqRIgAM>yC$p-dm<2E6*deJ=zqiR)f?4QGQSqKKeuB zS9H18{Xa|3uD|=y;^J95#nF508kKF)b6`ik;p)Fc{@lp-8gT{7N=iBC;gGz9$G4Q6 z>nucNI8r@k-rmz*cYL=!`o2g=2{)6*XfHkyV!i2HGV7EGiQ4b%tJaucY_*agt)G(A zOvaue;v1*T`y7XJ-}Dpv6=L%z8UmX%ZRo-fNzpG}1IC097BKGHToGIu9gyyaqRigg z*Sfb$@x5fMP&X1NI1l$o17g8$A||-j)>7+(jk4}toe8-{CVbpANNKt^;h!Tdl9e;v z1S?BLLoMk0gVK1S40kbf=Bi{u$0E{p`tRwr>qoNVto^qs>@P%4aQUe@V+8&2gA7yf*@b96aL8f-FQ_!u39 zp17|wwd1Ih0r-8w8T)*(X4PmgwQ6DJWUlhE)bckPbuum2_OQ`Gg2;yR9E$>yT5Aj^;2m3 z(c6`SEfxt5@yx-SGQ$@-yZ|ezHV`>mkA}Ljf_gL)hITaI2*s{c5XeXf{-k zfSq-@ebm)2QTp+3#p%v|^L0 
zfl1J9WOn^~ilKXtpn>a>i9i5^?Atxce=c1FoLYGHscTp6dW!kv$6gx*Yd2*Byk3(g1fuAD?jm*U&cy@4Lc+X6+1K`=yVo3rKq1 z_1hHL+-!?Qd+r-e{0mnpzjyoliwdd}qy!kt@JN{I~<6d0@I*XIE=;_UVUB6#zAU@e<;B(0F z+l`j}IE+el>8Ns{@;&_>>+{F(eF^1J&?<*~fj3s*yafBIZWB2Dqb2I$Jt1|n=O%s8 zuWMEo|MPL_&~WXBN|D6{>+Ka}^A5^6%mHg5Q75-{T-yTg-(Q&MM)y8*?@+xtv=Tjm? zdQ|`)oPYBOMumPimxmd*<^ChmyyC7uF&3$vQ4BqpPU_&#i+^vOjH1@ zu{4|1w1BT%n4v2tA~b}r)`OG(G5`ZT^C%)h3#YNNjvU_dvQ6R!PhVnp;p9b4MfbIuWN3p1WrCFQoFS%#zC#dom@iqD;#H z81;jvFqR0xk{vhI9ncjZB-uoi35`TOj;hWVgST3nS|h`*DDGHiZo?4mrqsfFc58$M zF;veaZpFMzYZaC=4%<1;sq*1Rc?%uC8h3{T<924HLWRa90@tB~v+$-=c7_*iUnSGb z>rX6a$Q~^7G;sPyrL2EAGZru@yxJ(kg1|`y@*MU@7T99R{k{f8KveE-IVLZaa<(8V z)-pvQ`vemqDV3Z0yOOr|gE&RP$fHsA79oEJ)#Rn^jqh3oQSjCGyO+4jH zgc2@tk#Q&{nry7PZvtCH+#<}NgnB)FJD-U%#~=)pJ#z{YQMM)J%mXb)aZZ4DkSnEG zZ}@u}4OKmsuDZGk6fi#tKf{faW+jdX&wNG9^jqvpywGp_lfq;PM3R!1dSUhPqHho- z^+cRBYR)2b?7YU9l>f*M!)klOuoA(>=U3$r%SA)aomy$?4rW?_h^ScK%|~`#PE~cs z@;f()5nQSAl$7Kvk;c=c0_xF^&Ui${*#nfbAy;kdCwIfn?{f7LO>*HvUcB=5k#L2d zcJ`#Ko)-seiJf+_jHE!K9*Yw{ODAl>{W>?X>H3b>Q0|&GzUeI#9bvq|VN*;fIBVz? 
z;$_TAxq**XXn50_mdpWF8kjJ`GXFN3ipZt!w2G~}m5s7y2uKz4KKrX~6#m7dEv)z{ z$1_KlXpLk!uu%K&Aj(f0ISww`F;21coBb1|S`o>4DT68_kcNBWl5>cfxB6+$Xi3w~ zQ6x=8$IL$oA`r5YVo*V#_Uq>g5k2Tj8-m@oMIVNMRii|^n;(lok|w(4x$z1}#j=W4 z`Iz)oP~>1)cr=)l$&R>EmZGm^`mi8;1ed`oPMbqV8k z|65d(3>SBD z4(_{b?8~1m%G)6&xLrANeJ5|yvxUw-=VX5sei;pD;HAUGTJrR=uZgZktG55)YRqSe zPvHFU`nwRykgxkYAx1?-Vl!jAsnwb=I6^}c&oS@lWwKE(MUL1qw2T>lp&r$$y-Qdb zJuHU#X3%kANq4hczf5Yr(g%@FO-?eqm5MDqKSTtIgIB8AQ&SGCT0dEJv^9=k-BP5= z;?7`_;bqPvEjBW{IvQPNv2v_h3B!3nA?5d+JRSyQI|bxn1vrh-=c~74w}668cQ0R->po#}%0Mq)$?-G5k0I~P0}LvZtlD_8zQaRc)HYeh-qOF}57+gpkpxg}{B1-w z8t#ZJF>KgPz*h5fj&FVpdD8dlEf{BLwVOhSt@0fU1^wK>o>?$8)PD%rXCl!!h@INx z^gPDh<+8!Jp5P=(sm^&A$G*%4?fRI^bI*A7?EZXvSgonLK5$^n-t2rwd(^}y_P)~B zWVpFKda71o=S*4gW<)i7A+0;*nMQA^USG5RwCndv&5khJN^fXiU*(|UCE*>R@4!;-gT5Dh9uSg{I9T%giIHEs7o`_jB^{+b^Qnl~;mV|9KgM3@( zn$EXnr|=s*!)@B9$D=NWy*U& zNDiM0rb{8OD%gkFu?jsn+c$y0EQpg)a}adZOG#wtmAyAm~-z0iJ}M3Tm4UQ(V^LkPBB*xQ0TbzA`8>O#^MjKp<*oR9h z#1bs}>_-bcGi~pc7^qT1g@^~0XpqvaiW!a$ehBtFB-5SG|w=Vy*Jp{IkwJ5YZp7G(V=%17w)`l|JbGc%yH%2s;O;fjm{BqQc z4A0}gpXDA5l}!`=oHEj_eE}v!qj$n+v**eTvY1271i=ze)Qx9^(--EM!K7EA;#`ST zCI&#qm63C~exK?@0;tlJGZ|+stE6P>4twFO^A!c~2~M4Su$e{?lO1-jRM~%F1i#pH#poJRC3Cn}`3uN{aUvu)3 z>I7;&B|(LslEC7k!D`Uxznoc+o$?gK8MYh#h-MI$2pYlp&6?0HMADeIJxVmU>M1E6 zoyq2(RY&3aSc`dS5pA3!bh(%l4Viia+9xCiB% zgJ=D8que!{J2^_Se=ozIoidgZ7EEJvGFx{6ju|`EdLJgPo06M?nnO^e!;XMSD_&!R zwNXgM%^2D6lK~^hb(9cabopc^C`%dNMBX_Lrcpy5`#{G%i|K}2UOsjRuE|39Mc5=u zmCtRXA}qMvKm&9_{@D8O6*^zk1fsN$h_n|rqxNSe~vghz$?73!VpMe$SA?<+GNzVjpf z&-ITsu1}Zio!Zc!>(7T251}#o-QC9x%W%8srx3e|zRzqfA|2)zzSx7R-Z&f9Z~ zZ`dayO$(d{GW59TyRSKDUT_F{@VL({9(UemS&T_u)O`ipBo}mB3>+#S`_O`Wl47ks zj)ny%E>rd8SC25ct+tw&-XtEV=GfQ8yeNpC zZCiep+ckVN$=7z+VpuN$KSQkst|C0Dj#WX)3wiZyHb!8xc6}Se9CEmWqg47 zsCwkudoa!EW~_@sICY&J^A9( zxIBDJx5hdG$b4OM-}AnAb9$+C?D!j!cJV(hT6|r_7mE8dx{X=ZsmggHZ-hgZC zlZx4|mF?@3m(z^@mR7$Razk`IzV~&2KBr@I+=m_onX+8`-4~b^pdg+hEJP#8FS!o4 zuQ;A`yrZ8qby_@@q3%$4?*H3@w_gOgeqw-nqW-ftA7#cH;j98>qK?#c)q=F?-Kv<@ 
zKn!}8#5ucyQ=HR)V)v$Xp@Y^N&`QUZ<8Yaa@-r%|coM3}i71M^|DxF}1-4sT=~^6W zn{r#~4 zq6RQD-SFfmvA*P$y7UTs@@1jW)lmUyzx$p|{8Yc<+*j+;cYxK_uf%hMhu!~~B#9B! zXGAF~*{+SkMRT)uAT);6F%8xz<=)1-=;5c;;)S0pzDF0GuaQ%5OmMsnu%XM~b9 zZ2U(W(Vbblz0jUzU@;PUnT|qaw2qiOlTNpubCV9%RbisCA9FFLe2zaqeC^_e$LV`$ zGNDBNfPj2Tb{$Yb*>`PHe0Sku)f1))N{N5;sZxR$fAXCq1u0|ReBk_7L^F7RfhYWq zhvY02kC5$jjdJrmP<3KqzcxaxhC6NVxrEMw)(J>e;u9 z9U8_|jq#-71b({86z(8q?JbIRx1nFX3M9g9Qs1&OmVPJNPa@JLE5*x_q)eUtxcIhT zd`wZSJYXwO;O5QxM?)_DcU8RYV$dI}*kQXoQz2C(@s-+h5^?5QavfcCaMx zQ<0 zm)1tb$iL7`>S|FOkDH7L71pp+rd_U!@tqZ@ej6tp$dKotqj3M8fsSTDz$OLXnEhM6 zH$q0Dm~WS>xMGf*G@c>8U#XA`@)R+x)rjZPtiN%#cioRR4KIBw=`0D7b(WphHgEtE zHXP@yOyoOKcju=dC{FCYZE2nw?eDrcYE4xTqm^`%fkZGr^0!9wRr^9-v45$NUeU!F zleK)dbgmbYRm{L5q=?5dE7S=ec4T|@aZBRra)TP(*jrXwWQ*!tc7h^Tb1^yICXrzU zC*XTwxummh?{Do;P-LdE}M2}fw&5N<(jiZX43-;d$(CAz7mV2O_^$c#f||M zVxcg~3cDByt}e)W>GDj4gOq`e3}fsSxDd%eGZqpnvMyF>5fw0!B}YA`miD&3+JR=z z9(~E^jL=NsaP*9V2m#u9^OkHd+4vEuasW!2Xf{ z5V=90ZwR>CWM=*xqAX1tvA!-7HtasvriW9-_B73O81+s^Nk$yIIuSTb_vE`xh z?q5mtbACasqU>$oD}Id+%VpvcY+E9JCtUl=dZ*UAcwNw55paqC=_fy6{7!@K_R&Hy z+htf%(Ljgq=3m8zyscl3n;-vE(?gk>^8+!KouRA66oFJpe<|C7C9vi#-6Z#`s5II>E0N8nv zH1NCX!}kq3zjEteom~8hQ_I;;N9Z~XjQp#2y`nlRaop3kbKmemcsFlj@bc*0SD?7{ zdOI}yvJPc((q`;^lH$4XxHXKBi)f2GQ?#KMV=1K5VVKEvrxa9a0w?@(nsYxwEC72_j{1dl_nqjv0#8e*?utlN5b(4ODdyL;SV1I=Fv++3M zPUWAz_f^kf+kn1Idgx`v`@8Ud@?p-J{gzBJRdwq_phe4XBK{4-CvxB)?`RHT%g?@^ z4^Ia(*DZrop!e$oZ?d1?LHx!3cK7a|{k8joN8Wp7i(f=?m#Z#MR46^br*R@@E4#WQ z(Doikvj#M6`+1Db_DKjT(?lFy=(hi4Q*T5rwB*y9IlJC_i+$Q21k3~$lh-c?nAwHj z0iG#ta=vK-g>8F~u;LrB&)hI^(rjxcejTWd6k(Rf{KmIZm9!KXI}T1bDg);4n-7t| zx0g|x;rsAzn#&|8^;!>PWP6~`Odc_-O2o@`C&GnT6_ZE>!8K~j5 zR^E7u{C+ z^(NPjp%=MLTg#h;J@!u07Y#Udy2{}CQ5+%1uDzl$67iHF&k3}#kR3;b@$hh~FimkA ztwOc%-vxzWkzy@M(I3iL3ExS3VS>y4xPpOW;eW956xB=l?P=gQrTbD$CY6%faMX`9 zs@Wlx+M`66)I~M5IVVa%_bn8xsjsPfL5qWPufy1AMa~$vOAdFl+loO?d;26|7;})P zri;PNg|RRo7ui=SV{D=?(zKFInh*YfU8A2-G&_t@o8m2+Y*wT~9@_Qwx2W6&+JcFsOd2G-IYEw~)-oK|_)#Oa`L 
zd{vocN{*lXC*qGN=BYpN@wSH#c??KglIKdW^5Xtv9;$`fRFUAEcj=gJ3Hcqk2*UZj zQ&JxR>gizzBE;|cWy(ZS zT`g5Zbj5$iwXP~J=5d1)a3FXJjzTSxr3nrFTEhfiOY2o*52l1ZqZYs)`ej%#aqp8 zbanVgE=D&1en85By#et}K|4Cwn2!IhH|Q_~dPbF=Yu}4)TrT*q*tdaXP;X7#tUmGEg`)AL4sjweX`qV23SUJp&pW`PbgZB)%!T2qmACAGZjXdqg3*Z zFx^=onGM#MerVB}7n`gMhaS2%5#t>$Obw&1<`z1|{m^3t(uhEQ^hG9=t|Y|MtGxNl zRiLzhFi~jUsb-%wQ2AP=m3rb4ls=fRO`q}KQgbY%g!3WuI(@MX0Fdr~k!8oPvhMp* zuLRkiDE@{hK@MRL0A>L9Ie=NPlgKAxNOCw>a&rTQXwZhM!Svf@NX>TBwCQvk!(rA1 z(y`t1!ghF7CuT}1=q7T;#j>dmD4`TH66rF@m^6B_Shdu&zb#N{zx zpJ30_G{Eaon2xXgIG&Tq<83O~MG(G`&CvU?%Z{_H#%;AamC56(T#%mDpk;fE6S~NI zXr4{b=VHIQnJw-0T;M6Ees{H_)A#1?<)a%^>nEDndXO#|+adD2({%h7Y>Mlc*M<1? zdh3m;U1aA0KZiIiv?wQz>$7O8VSUo`yzRxk=i9-Q@9)cltlY+)wo^ug={3(}2SO+t zDB~WaBSXIzA_S%_pV*=sVvFg+mepIR-+kd9JzK6Dhc<*wm+&Y*_s2nwAG9E4(C!!R z!yAaeSw;14{i6Gj^JMahxU=oE9h*5l+x_{m|2d!g>q{h;00j%9L}>>u~96Y?wgWSvRX?-WU7RIQg8j+cM`! z(Ozr+tP2ov=_SfS-0d;_PMlam=qq&yjGlf@Pw2jo`^b>&uG>~#n3wdmbnvjh?&WSF zwy5#w*WPss&3bfz`m_E_DW zTCKfoI|H(fR~U{6m_2~4IhD)7erau)Tos9bi(0-kOK4A;M%Gf>k6t*N4=2>9 zX>9>EF-wZuJnM!Bf<=%buyoU@Q7=R8Ovr#q#5FZ8l5tt_SjVr#z|EAiF&}=(VX!QH z#1ciKj0Z2EoF{@|k(8Hc&s#uDPE}Mu4xCwXIb{j}X_`NDSj|f-^-Fs3B|`HP7PDdf5FFb}rP$*oqKzw<>#^9Es23-EN47FEU-H{cUkD^g12N&>MC zBmB%RhRXvN*>!DF%9FM$N%gU@fX;DnJFID38-)lv=0;_rGI%7oICI_*tvs|=6QH|S z2m3){$cABm&@kYWiQm7w{&3wtDxok(3-lAlY3?Sn}g9V?;bf{|qW3R9Pl`dyrG?$T#OYj??;L+GwFIpvdGm zP2vTmvhbJ ziIRG4A8S|WPj=|l;(4Qm_`fvRvERH!! 
z^jdpJ<3bs+hQDHd;{=u?wnNZYr;^ee;^&hYZHt@1lRf*=^@?q@2r}x2rP^^w{Yq%x-)usZcA6Br{4VGfqLi^EElsvWqGjgt12G~@ zZF(6l>_nd#TS`=g1jLyg)I6M!(tT%$a+Q>K?f*|$@ujW+89)ddUsN0lK5xHUJicH3 z&zyRWO;9`k1^1l$5ijvY(Ee($wSZgVXSy9hYCe~F)gOWTvipK}v->EWUN!ocUX|IB z4&JBw@t%iCB|Mg90~>+s*O*@_3?K8m7RH0E&rRJV4;kk%$}7g!n-j-A5uo6>X3i6x zP0omcH}I-zTHkda%e$v`eBg9k_q?+1yd2bK<>tYdNWdn)+4jl$?!j^V@*-*527F!1 z9^Q7^W^1$aI!?*~ePm2;!f*Lb1X4M8UQGIaJ}(s<+g_hzE414dM7ry^oI}CD0X(k{ zVX*jKst$`(JT5}YS&mb_Oe<3_VXU$5`zbf%cdS~6N!X0(J#k#8;exe`3>@3IKtm0#H4{AxCWw6M4yscsqkhkl34C%nq--&JMa(`02 z5^%a}5+_H<_By=lX*=2iwyXm?Ir<;mwHzk~vm2P6_4i=~njX7r4BHl8ZS-7E7^4ii zZpdS_t|JYbnB=P3;#;m!Itbl1#xp+-m5w2go?VFb@!Jl>D7-$RI<__^x(+5&Q#L`L zE!Au9I}ZlWqqH@4eqF!+VZs~%>QC`?w}d8E=d}Ql90jb(#t$KIcMR zunfGV@KaR>9W;B5rl?S|s#nAi%VXRDCZ`L#0q2TM9IH2c-EO~>JBj`!XAGW@G}lLA zW2SPYsKRJiwN00%^06}qkT0Uq2J&DK;)oWNhN=6sLlu2%h&WfvFj^0frzj>;!8?-C zl7Rb&3XRT4MsJ6 zZ=lN|+_%t_QFAWzg+g`uNRpo?2yP{;!My%jPKn5g<_9KSe90x>vVg*HhE#Bi zR#ChjUBVB%XgnD+(dGyi>pQtujTz{s9Pg|e*=@uA;W7taK?w<*&PE+1PVsVM+-7?g zR1AwnWMaEQCTfx{^C?inbu*>wK~|YD>>Dg2dH(4_lEj+O$~~J{M%8L82WO>vv0k-V z9Qes)s){lnw!$U7%B5U14Nxg^V`C@_QDT`iRWl?OWC^Jy9qs*?83V@LzjRmQ@oMF2 z*@uI6sJMxD1(yK$-;;JNn?Ki=R{<%%+FqDI$|;4QSf!?{OE7secsOPff;QgkdRBT? 
zvF^$Eq1;MV$8almUj3rpqTTY)+&EH1YlDW-8!{%j?C*h^`Z4|KdYHAStau!Obu*7- zYR&N~-V<{{26aq*O6=^;rYx9Wq!F}*6h7exIK~Y5nUGB{Nh=x>VKDi!q=YV+;fdbB zbm23FSRw9l>Lb#CNfR11h3{SDwJ!=~x%-&fV7{%3^+Lsk@_D)XA>e`K?fM@1ch+Ua z>HI}&R$peyeG6eOab*%~*blM%N|SWg5bpA!5k}2a=@|2pEL{pp^4#r#FqvXv1s$Sn zpc=Gj3#%hr-XdK)>@qC|D%tZKa|J4nNuzF~u7ih|)5NP|;&ghIHAJa#V^YtB z$bz!_mtf5&{^r{Pp!JVEjPQ~j8Aq~(vNoj^_`#eLEiFe#toH z)^|(2vy!2MG)#42tMPrlJkGTuvZnNl^<6(Y>&>2nLIV3w9v3W3m- zA&YobShG%*Kj(4JWqRxo3MvyB@Ju5|Gff!jhz(s5ev%vKU z7o*UnId@%cMwTwphf~zp1YI~vm55OdVx`*SS5vcG8Lp9rDxfJbvAU#O_5EQOM%fBP z#?{8{C=5B_6Sce34>SL_tlofda}Kn9zRZk&%%?%!VK>?!PYA!O8>Vf561vDdwE{_` zDhLTg`-&25iWAr?s|f=3a>_0mN!q6RGSxSXzgyNy97a`d_uTfohk1k!=GewVcz3QKswd>{X&yM4=I!d(I73+?J(_|LtPW5F zrz+s>jWlS7`545MG`wCA9cUTcsVlF)`WSOKCY)bCs@LqkJ0QCAYhL8t*24n{Z@tbN z_D5>IZ4LtHfnH-!>xU|toqmV>nw5N4oJ^Vy&5V4m!w;kvFI1X3sqd%bnnWG%4P_NU zRV^71c3;;tiWct{-Zd8Xz6aU92D--E#Ge-#nl;>c&y$9}zu>mP7L8X{E=$2*BRxj~ zqkne$%o?~TQoo1zovXbB#}a3^+|17{bvUp9lDE#dJwC5XL5_fz06zWwI1~qa{8-{v zU~??@9){vnPS08na>m=^B~`iR`)f-mu=Vi#QWs?>l&}5?L(^-VK?{!0d--7*@Sxdt zQI$Basb34y2<4d8IgcvQ@IGjBAZEW(9O-i4cOtA!RFBA^we_2;7EG5UevNLR>$voj z4PySy`%#0vg;y79=X^J%nE~Mb)e1Ui`aJwMm;nMrf()HMQ3NtUcV^LFeU~{*vam+~ zqeX1=h?%>BTqb1*Ya8$>4kD(=1iik*zK?33O_)C=;yKFdf#eO*K{P>Cjkw`Do(WWF zrRc@rWFyEo_UkaX1Y_$B)@7_t3`IsZIhSKXuJdy_J)M)4-A}|YSCC41#8ly+^5Y`DdLmYG(BgVd`9js5BDV>%xvxh$>V95AB>}Aa=GZtg` zWL8fWC0Qy}c#jAJZiF5Rzm^phntdBqeve~AHqeZ$C|k%7d+)eYyu!}n`fsmQCrtz1 zepvC_c(aa%yUvXrVJVNREpD5wY*~n?+|#eN!~|O0M*ZKI5%vj#dfaCzrM<2)l(SRA z<;yc6N^2EAO%>3-m@65z1}1zV#sj6joIUVwZ3u8ckJ+cofWxi647Ec_=M{mO($BGr(wM!UK`h zhhEelmpzo(WZ=M>qei)UL2K1<6k0C89%lzO*#V-9=MOSm+ZF*`wK=DZ=c4jC1^gWR zWRl@e7;=V4ljM;m_&SV69XFSwCu@1NJ`AHS*i34r8eOg=A<|LGm)o)<>NLvhD%7#o$dA@+HJ{3u8pJJGRCk%1Z|J*C1S8ug$)Wy58-L)4<9`n z93UBmBNzQZ={zkgMSgLzG8JCb!fy%sU!{19e=M64317+$QajP(DkPD4qtFY3n=@#S zg~>L|@qgou;xdqO_UHS_mzFC*2Ui4>QAp@5E|oXoh2_yh#D<{y7t;R;{Pj;VuyPrC zzfrYtrOvulv<`~%dlatngF>_tv!I;1F((B=5?DV_nt=pZYB|m4oX*T=J0<5*We#^x zh+)+STOOO0G9R%Zg8QomKd!a^- 
z?L^5@5*H3H5vnL&Ttz1L4O91&rOXc?!`wPrT>df!c6gscLGp(kI^y28dzv0+GH~|4 z<)eiN79PV;8WdphKaCd`#O;~=WjlHpe11E`JeooNWOa`!v;UXve-b_ zUm<8~B&Zdk_r5@1!}pJyJ*VR?U*J!G-kb5+PA0%EfPBRd zcpb9ws~y1H?y7ybE6*l)oQrrYmn5L9x_^g0H(-5g#6AWZw0lfKzidQE`d)7?tgZha zs@^d;(tzvMjx))`HYT?1NhY>!+jb_lZQHgrv2EMwsJ}eldEWEZ`LpZ()m?R0SMBPx z*1i_P4fG|4F0W(r2cYidVm|VAVFT~Adgo%4*6pQRP6^k#WqYKKLHP<|~b|ZAW6zH*fv9$A}0Jn0!8dSEIPvUVYhG zmyKseUfA1+2zFnOdC5DgkHf+>n+1iB1it^wbKgND?YahvX?lGg3fyGN3DLJ63)Ny4 zZn~82Q#9PNKYp!oUiCZ?q!V=A)NISGnJ{eaHx=q>-@FZmyc)%0QV`O)QD|&dwqF*$ zW9n@K<;<#kmezK7Zju45dcLE|W(qz>Oq6t<-=v zrjZ&0CbdDBrq521Hv+%{U~B^VcYBnQBtMl%kvrGv&KR(qHXQgj(Nr_dP(MFMfwx=> z1{9&HXsJOol#_GcsyT^%We|lYtkEKx$UX%WM&xM20=0HIZ`A@FP__alWXH*lHaxOO zrJoY->!nHmLppz?wB9>Ubu1ziC*-JsP|&*)M-&IM^(;cyddZt%5xN9?!8oN44Id{J zQa?_*!We?XL%_eGDJ8D?;r&mV{xSED1~+RDYi7jN||ybTfs zwR8ZwzOnjB;?V3`(T4G+GWDPGn4{nEXEM`-jDd@+n+!9>+&1GaZ>w$i;%ho3Be3O36ku!51iW%qu9%_P0k zRgD=O`L^H8lE+;&Sn}yH7nFp{GP#hR%0N99C6riZlj~V}C4*fu8~vJ$p}@|0%=AXv zpZ$wMlU%X|HzHW5TmJx|(kR8wR}>~4Cx^|F%0JH1MagCjLpb%JUhxykJT90vw+W_L zb(q_}hNeMd{0t1WYzF3cywO8--LE0+plZhM82+ZvYDxak(UGvc(;}IlN`ZIe<8|lJ zoqw9uhj5fj*q_|}XYM!?qZ|0<%Vk(>DylerQgOfiF=PI60Q#p9FjqM{Bg*viLVC|x2CzA(GgmdYcGvtN z!4z(bW!ckOXhB)TVb>nA=S?daBJceacdX`9w7M!>AwwNA5iEx zu!0~LLVt9O?xU#YtNfMwL-z9&{b$g6-R_<$3Aj>(+J*a5QUW3znUxR;GY`FSm8IFb zLX)^1b+IGInOX*F*tyf+{8no)EEtVu`E;z7oLMN6RsBjeS=5#T-1DY#D*cMsma=IG zT-GdOZKx@2l2H$)^hDA092QDa!8L-P6HT-VEH6{QJ3@_VA6+0J&gY`vAuT?A3(z=m zhT-CwVdLfXPp87U>K&=szJx9TX294=o=`0It;RYf$)Y|21 zH_Oa;+7ud^8_RYQQWMo6Ng*KG!Eghsu$_$I>K~;_&uwLo?+BR!M24EQK-@!f#XS` zLcNUBCeY53m(QfRO;06_ii=`1W+Ifj11s-?E?U zrnkb&_u9o9VEiFQ1g8N9B>pB|&(`__cW)^?A^R;1Ej~`BO*jOs23=0JSoFHjc6Am9 z!FKNpTVBnRO={kr>35uKiMQ?ern9`%%3tZ5Hj9skSNJ~WRE7@$Mk`R;9)4F|JshJc z2)xE$k8Y(qy)kur?Hf6F`#3AU?%fH1TaMD2=9!3Ifr9|ynYOFtleOD6^sfPHpN(Qd zZOvQ`w{D-JtvDUmS}J^?%t@);I0v6iRr~hLNlo40@LH~Q(^~(}V7uyvRjQrdPi^~` z8v*Z&g3oHiolBb~cUYc`*JC+^ZPs;|)STkwuj0@3XRm6%e)Nr;M(bk#CCJd;B`JDyLo$*Nrs(92*nnAV*gfCa)Dr#%*}n{G_EkM9qov3tOn 
zTlaa0U9mip^Y|T>ga8_C`JTH%}K@m%O7czT#x$0Q_aS@HI|n6z_uqdA^qVd!u)xOs6S1ogA~ujYIy zz<7rZOrHXN7>@KF2smmVZ{#Xvozh$i1Y1K=eV2%vB690^0|DQwJE=Aoc#2A;ekxgA8g|%`=dICLQ3{;9YS}!DS@pEh~5 zBK_}Fi3Nz<(Y?EVik5@=xibDH)2%7IJsr!IQxOJRwHGfBPO_-?8dF9LAzG$8v%Yf^ zWT*OzY)Y%WwFKzJ8T>he_NsDZ)I5s69vPf$qh7^;?HJo%x7y1j#?YQ8ZUik(#C!> zcKQV^;d2^N?M!}1ttm$TPnt-bBbf>dn)fKU+yPPlfi`VEUA9#I>E}^B$3Sq=Hwpnq z@{Rd0byoexAm0KVFZ|jmM-OT;xm=Tt5+P}vh!0{m5EH(GY+3F;aS=koqdH@*pJFS$ zRSs!Zdq}3@$U>vSr9X*i!sqwoAxb$bL0kJO`2-!j{w<1uDb6SCc7|gieNKvj1GlZD zr`zx71_ae94ZddNxTSbKrT+CMDOg*`<%=@|qko7$sr-+NbgL$P>a5@_Fl~%rP;n6^ z6)k8;BYDj!w<@TGA>#Wlm`0JXc#bmDO8Uw_=JBms+1A=AtJ5*`u zl7ZfiF<2&F#6uCk$6o|WhmL_&PD8cT|C2mU_!2P8*dOR9|BHpdTB%4pnqq?f(>NZ% zNs@-a18lRxT(u`b{L$FjOT9iRW4Y;f5=ExbA7gG0JWZRxN)PeLy9*k}_dW=*uKRBtKF6R#3uZa zrC%gt?QbUl#K-dQw`fP(12ndn%jTS=*hv9918yCkELb3XG=4sI;$W(z+jFCKWdbC7 zkURA&_4EtEQ;<8@XbI9zfBbXTR3WJbEd$wVlQMai_%Y~PZLxT=VN9@~z))~RiU~A%J4a&fbrz+J} zt7GSXfPnbZ5rAG+mp(I(Pgnq36l(#-9D*x|eehNwpb9&ewAYnZP24bM#))ld0xM~* z|A}EPGo}ogerU|JC0nKp!h-g1RVY93Hwn}(S7nV^lWCcH(8sD>qpjhTHZ+wgiPX)Z zwI)7XM6O{C?|;XM->slL=V$UGq4T%p8;SKDO+JqqH0k~BM>aZRML4i{um>ot8TOtiBWTZ0Ix^o=k)F40?)Vk zzSLSbA7?jKHqoeO?cB6YpBisgzq-I@{|Kx%Gz=hk;VqH1@VPbPs`=i1>0LWZ-cNQu z<(4eBVA_iN*=6?f%U+kA?kx-~`M$p%UI}d7_i0gdo7Os~czK?Epvp=B zAFqV3&G|dmsl;l0kCz2}f25pTyN-`uy(|r;^g6Z@);_M>y&>i-bA7CL7H;(TY2Go+ zcB)l%^)Er2)OvfaomkOSPtgzAH8V^Td`21tJOCY^aR~Wor4cm%5i4@r*C~Z^gf~xj zALBF3r7{Bgjx^mG+s7XpMelarh(IT=;@GKX*|v{U^k^2b+FVQ>SicPqFN+U~HIkmU ztWwM*T}`G_%!5M0uGez#)ScaG9)Z`IYu6n!^3pDkLCwmLVI40kj&a1KK>mB#Pcf5zwQJNXPqLtm3~Ln-st%a20zu zNAG!mLFGB>Hw=LYtwhay`#FVOo6w>Aw8Nzi-uAzHqs|Rp;RUxV_Fc#uR#; zZ+3NAi}k1HG5P2bV`e^>OaBf}`E^NnJ&tL&}g}geLQ}oMdv0F-%az z845^rIa@khRbPDtaqa6P=QB@tJV-)wAXl;mN-^%b`ncNNFDDb$6h13d+5$uvvov5he%WL$r9Azvu6 zKnNuMRZ;=h`949p^iUr*bc#R+O9fy0hKXBo5{<5k3gKToipd2r8;T-!`O47<+`>=g zXj^chQoe!*FedUTln`T`#-SoXpD+$S*x%BB@(zZwm>so}7cofW3LKOOIbK=qkTPPJ zt3Ze}YJMTMlV9URBUFelG%cyk{ccGZFsb-m`9!;s&wMI=E__c^_9uPu2fIzA48-pg 
zEfd_^S>m1~fPf7DKe=*m5;0tEIFBuZnnE-jK3^P3Pp3mDk)+DL=KPJ+&lbB=`oe*wwQdM#DVu{%!c|PGVSmM(nxzu@txN%%g?Vut51V?;N>2qQ1rcm=REQx8DUj<#&xllEK?y>c)7mP=>0o@_e|yJ`_!e;Jb#H$ z8m3MyuWe5r)EjK@EN>aMKMCr|;#W8)mSp|zVi}hCkNJ-_TP*DihSUxjL>gsd*QEM< zI3+8`YOm30( zIXUjC;}eSqLly=^5d>w~4fZkRJh2hcW1#U`dv>A=QmSvN?lg--0cdZ9ll`EIZp}{*? zQa?p#3GGVfutY-qy{qBE0!PL>3C_=g8pU_Byw&ik`c03iw!{rdH82)5$_HyD{h4p~ z?CGfx3J?uH<}-G; zBg7~uW34D#sF)`6CWPVei%0?6O@A2Oos&+~#wLrcm=ZdKjp0NVc`4C3HR|ja*MKRx z4h$_qx@x=TwI#BhGhaJVnqaEG6{@H>?pNKc^^6EZhm}Rcq1bO>@rEU7c5HdJ9?oMC zxM;fVz)Ogl!}%q{ACpIxERcQR3knq(YUkeTKr!qwmVjNS^Iq)Sx7cH*d&Bpcf6`ah>VJw{qZDtC>o{cQ5&&Cf&$jbd< zE;D5RsZj06>8#O=`s(bW2y(ALr^vKzX-c6uVj;8!m+yK>gc#do!CI0jR7rX|Sfn5m zY-2iWkiot#SbB#=rsJi_ulZvI&9;F^T z8@It9T(We~-_V718&{U~lI4AiGoE90x@@ezyHT6Awn?|fEZKr7q?x|--)eCg-Yo%3 z-U7G~HJNpLwFEuRT7p;wI6Nh51d3b(wnoHOgA`XQLx5{^WR@U-^F*#8q_)}Vc}V?#nK=}Guv@%nlR zj+%LsYnZUf^Z|UaG%^sI+TvgdednyozH?TW-#IIYz=9zP4>+l0pwsL9O0Da|pUNGs zncIb6tLA(zz7Lb~xo+>1&{&U)iUCix>WXgQN%ggtoYvvaWA@bv;a2+VO13Lc*TcJ) zYuE>Mr#9V`fJ>>&Wn!y0P|R%8{muJn`SV%BM)>H(?!)x`8NQ|ePi&>v2eRgKQDsc; zMKV62_TlHQ#+ld3rtc2nm0K`H&e=C+B6c@%+4DM{&GUsHLNry!p^xW+@C8AD!u{fs zqbZW#9~bZ`$NygBG}Cbx=CQL4mg__aSXs)BbmM%J_w5}e$P#-JaNpx;<*A$!Fm&_H`hKschG)AFPwNhXN#!`xG}4@K~{cx>aN8szDWPL=)6uEtfF5~8SwdELHr*4 zvXc4j3NL0?Tsti(ytjGAsJ%WtI+LHfuhY=w)&YU}^;>=gH(9=u>2^E(Zt43=p?XsM z-#4{%Ua^I$joVyr$voSy<#dR(?l+l-zMVatn`9?Rh&uzGj*~93I(Gw!>^ir!H~)qa z*Pk1DyIlX_^2kqiz3y4G);0r}KJ5HF?`|RFGr{yXY053aF2bJB$)Yc8huI*v9tfHK*(=BE!)5(XrgyIr;%eAxH>aZwK7oGz;eSAyRt9rgTrzCOx@L8o5uUpYgUHYSLsl7h;_{3(Jm9EUiGq9eqz52mJ+>e)hEP??>mtVnjXnRtv6VVic8 zXiIAPt6We*ksOt8_DZd0o9vEZsVoyoazUq`K{NCT$Q=2xJ;Q3BL%UwwBAu9{fHs=J zTX8EKZYQcBb~I@~T~k>oq=_Y?^v^(~6>bz{B!HG%KF7$UQ`*6l3p&Ogo8p@rvf*CN z3oqLZwn0j5QInlcM33Um$2pNfMS2C{iH8Bwv@u?c-4UpdG!wnm^o>5z+|fh>N&ufe zT8DOmSD6=QqtYLCdZxY_8NZX#A7%z`z#qPevurWd7$YDR8x33d?CBAzl&jYDX2;+R zU@%j~+?0gq_ydFJMN2d^CfalHp1MN=Xa{?2oxcP<>S3bdjk)sS8lN)MqBj7)qTKGC 
z*%XLFrEzJW>fh?-#?BNqpPFG3Z^!O=#ANKG$SIffi)%Te3I=2K^^+^2}ADD&-HhixI0{B^fdXIYg9^al@@5?1_&RD7o{4GJGsxhlyy@dZa};HM zSq*^r-VPMEPEgnX26O0D0RbPpoV$dGf8Uu;m@2YoYl?s5o>s|*FHkO>LB@uC=VU$up zSyw7q*p(!(`TokD)8ccxZ^THpBw(dM1{iGtPRX8)NTK;az}4tGtzTvpvh_O&n8YG$&6T3MyN(Z z#ZB82Ctmy|^Tb!>$_yDg;)e$_p6mis=_BJc&6vC{$k{9<{r zIzolWm6ZY`p#m#CrQ3bVcM&*9TFE+SVUg?r1zetE2+QiFa>ot?0hW8-Ewq zO{fw|FHSLsRwr=2-_n@Y3aEL!e+jF#8`=+95nj6ijI6p{w#*}^LbMK7cwhXuZyh6R zU2WS6!)_k;_%O5IU0?P)XWXxPZbD)Sn<8Eh^m;tDx=>@wChhqDPIcb};Gb-{pE1m= zH`RNY&SdVax$WHGd!NyC+Ij&DDY(7^ST=UrKJyZGxebRgQh3hW`S087J^P7m>8q|0OeMl|X|y%g^g z;O~zy?VnAGhWsK3`SuNBgtk#d*Oe>M`}tsnFEbjht@~ekZjPA^-$sUa5AXv5q+<@6pj;WuQSG;kZI!;c-%6| zVuo2+VO1b7o{Yegy53Jb4*HUyc(ss`a?W(%Wd$wU+PsP&B@D?m3(`dWIK372!L_$W zd6Sk)eiE+3c&{(rB)QgaNc1k0gpd*-e(72fGY}V4ni)wEX}iL7!e`@=cepPz5G?w2 z=C!1+MADHgG34t_23?d6_t#~Umb^@Qk9@L%ptXk{T|cRwa>SX1^|`>SvY@3lgJ<)MOLwrGg$D;V19h zJExnD;-|d${X^*{zN-)IjHQtXIR+GZXd2*fOe)W$&CtflnpMr2e9Gr8_s}a;$8hQC zV}=}+j!pG*!yd6m zXzG&Dhz#{}(Wp?DnR8Ei>XX!kJN5@~a)%l;SrC&bMJsAHWC>jmjU_dvJea}CAaEeX zSIZGp;Etk|y|l0QbbYx~JJp4q)nf~xJWCQ28pQb!e$|SbhL8(P|I1xe2onRLqq5YJ zBIlGT_FlycuTyL|^8U3Y74v@FwrQd186tspI4>g2s3LhJb>K|1V3}SwTTKQ9^3y4} zfBw2Kry_2K|iNljtgFv|w%wHuT zsXV-a`C2Wwfye=Dgf{Tg`1s}}me~(ex4VL?!R#4MV1qE~=uT}N@jZHzMSHdQ*y%l; zRyys<1vdZ63mNN((*LH!B-YI)^r?|IA`BHU z=CwOY@bp}^>%v8g+5S3$Owbr>12F1GtkV`~T0@*_e)RT9i%#Q zKhnp#M9<^;lN8Q)vHyrZo~A(O?ip(K> z`v)fPw`mqmsz>pa^4r<=Y&3X9e+p;qZ!`+SP82H}GsBp4({c(=ogf9{ExHifk|1?> zbXJnQ6ywfA=ZK{{2kL=y+04=|(T3la_1R81kfrJ|HX~+e!d9npQ0F+fmwj_@P3ZGuh61WpgvYR$fsWk%L%SJP#E>m znRx-Jnes_s)LN(GC89ER`{QFOh07S#IyE%nQ`v2JE~nJ@q-TQgif~)e`}vtKcxUtZ zBR_c5we7VZF;~N4GVAe~IDJbLu_lDK4UoLCa@v+sSsk_N&TQjO^v{^|kVbPj=hfy{l{GaP+3t*HzzO zDR%Z9yb}x4Pv!ZsqHYHGugXgJDiC)JI zsC8|#**);SZK;O;YG^X4g~*A^oqo}M-$yZ-+tvcuyXVMuo$Bf))NSZjBjC9*bJ7)X zDKwgAAlUl=wB*ve4atl^KH1QJY(e&}?)Hs&ps4B<4n|{WIVzm{J$E6tz1{MqejOmz zXcphcKYdWYZ@Y}sA@+1$i`hMnqkr9B>y}S5$j?zrGs~Zu9`M zCd>LSF5b9r4=xs+D!aceKnQ5875yQP?b 
z({aoSeWPgD)$OKJ@aNoBfyaOh&6e-+%gZ)UZKc-v?dzqd`8?Dr>vg#uQ>X2yy71s} zT{V?%L+id}->t2c&|a6<%QzF8PfAhAQHIqO&J>cZYZoZ`Jj0cu;DGavfBdK zjeR`K{4EI$uZp78|D1t9>UsQVwKMue)KoqJ(g+)N)qVP9j0b-cKB;YWTqKx+m+4}q zjU7RDnwt}rC`+Qh##H%!#~lT7J9c!hr&*$^#9SjUoWy3BmRWelxw_YsuvY3<{$-1n z4u%xY+fFkrwhf8rl6ZE3r)PhwPBD2ffSe8=mguZL3#u~AbPT72_T8$4^ZsF=g$;IQ zf=62p7BfqCtUg2G>Bx|IaPbR$1z;F;9^VlS3b$wZ zD|bNScK%44+!Jx78>{giBo0rg^EgYckf zyYNagi2c>(s=sBx@UcN<85NUU(84(5BUjypDYsO#Q6*eQZq3JQXO2?ZL;A@Nv$lR_0mG zFT-5M|Gie%g3!Rsch@*64TG49+VzDhF?og+wOlsN{i~G8kv1$WA{4E>3RnaMn~0JY zRPm#XV3o(hmxt8-Y2Z=1iq3^vE(&c(m+&h}qR|?wYQv3*kyjyZ7=tw%{F@(AFgnmv zB?9?)b1URRRE73Hjk%YGjOSUpB#9H{&bqtiau_#(S6>3~%{oM8Z$NKdAh^%_xgUmQ zJ0KI3?jOL;BW>C>%X$68$e%^jgMg)zS&iF{Tm{4 zc;LJq#5f>JI>@`I-|viY9H2UIMikzrRwn#Qmu6m8-SW{zm*@d)%Ku7~grRdv9toC< zZY|I}Us%vIP%W8Y?}2l#2y~<(uS_&aN+xM?Xo^*dA%I-&jeJo&4q#9#7wV%rwhZMw zp-Mt7Fndu=eC0_{iHxBb=YI+EQ#dJ8J;91=UC{imDrztpDo*3DD=dwsPpm=$&bCx? zCa)$3%N9cJIXgAczd&c|a}Z|O0;3$5()^>HE#S#b)oJBB@bD?C2v8DdzEQvN^PhK( z7ZZq`L9p12fBPj2?&5GZeq1x!GICx7WAybWzLJkk&;xrzj%;!l~8U`28rDwEMN zyu|hj(qtQX4g)4KE)9j&a-nMWD!2S1?Gg7IBv`qsU3$8PDY$&6DoBVEut}lNd zPJuR)(3Zp$N+&e4lFhhMSBI`06Rp;r0r@D~s<0@NcXO06L|GaG5p|endY5b<$Ii!o zAwf?zv-C0TG8^&w?>OmoBccTJBl(2RT?4*zk6?bDEJxRD0|agaNPiDvi3p;#gM5Jl zgMhm`AV6Y=zkeA&YT={4T!38cKHD)Xz3-{0$J@XQx6N*WnD4t|S=gx-&b3czUqg!g*;dOSmlkHZc(*ohg=n7A|CgN;d>ooTT}pq ztGgo~)lu&I*;_7S=S*|sFiO1DpA!^iB~ zLS=JdN^y1WKkn&G*XRi*OhTXbRPTf7oud}|w@&`|#Q>-L>LXN)VLw&CZ8skwag44R zq|F0-YG--JKMJjzPbI)?=1_Nxm!tE%Q|O2N+Vl9$r>MtGS#DS73^L|b!_J#o&F$DA zjZWWYgIHnLM%9*EZ`<2Ez2OVBGpgs2T56RJkicU&->UXg;tNwthrauk&o}XgWMgNP z@V>jTX3N`sfpEt3MCW;~T`Y#a^SVoH^QOjQZsbIL9k6OT=2hB1lsP=l2WsomTH%%X;jFO%gO0<(%1?t_j%!iK9V!u$#UBe zo)OoQ-aXOnXuHR?YdGA;?Qy##^SsZ#VDQ*$rm>^NYhrfmcAGnIR4VFrDJRV z%;(8>qhH-CyYz^)`$BR0>pB9!;{)an1MR-Us)1?YK)umdwGT7(d+x*5>kkfP zdA6!C%X%cOM97z120ow+@EH)xl1|>b@U9;nQPo)Y)wnBh#aeom8Qw8oAs|j2|DO;9ma$Ql) 
z7Cij0&Lr7+izx!KO^V!+tvQxei8j4jQa&+^g*~TYeS&mEN!cdt&#JQxIGj?9yZ27FZ)VVUsgz`~ltG;4H`F(jnrqHTO}I6R#dGtYBSO``%fVqH`H}jWVTGOs}<=EMq~N4xT=i5$>^Ne4vHYl ziQ;g|5}oblUxNxB3VYO=#k{89N;e07{11)sv3g4D(|Aq`GCaoQIUl?UwzT|g8EL1N zhz)G^FiuD_P&yhjNon{7o{&DuL=>D588zxM1U=QhJX$jdZ^M`k7uVGz3YV+10ovis@$l+(u67`G+^Mbjn; z)jJTWYLcK?K(<8J!}uK(Xo$*W>8+f#vKdbk7C6vRlMnyWxM;4Gp--AG7odhWfIKWD zfgOFrPG*k8jQZpcBo`!uggyGqe<>a;R99eojrR;LbIbnX6D<18fa=!fDV~CZJx@|P zv(Oh)91@9>5dxx5c?b)345QnuHx5rkUUiq#ApZ4W^6B?xDM~Q?eXhUhw`-RRq+R?^ z>7_>5!_NJnE7}rjH094chu#tP1Kr}B#tYZK&Kk)KyVi0pPgQVa;$$aUwt+TH3v`P{ zKgOa(Q3tSMk)q0sKU^WP(8X+GX`e>SM=07u7Q`zxEbvqW$+M8eIjZ)2JA#hZkVi1@ z7;#NPn~6`ceGA2n|2_TyZ<1{UZ6+61!!{b0kVbbjui=|o7D0?Lsl?w0V?Kqgv1r;L z5>=av*c3VY4PgE`5N(-SF}y}FnBY36 z($FMsx*>}cO=chF3_EPW2+@$mi$Gc9qo|0P@D@3GKx+Q`BfRz32_5uXlYv%ts2PUHaLu3VuJaYmLcFSe))65~%m`IE1gUZ$ff z$UJMq;>nv^fbxmLL{@(&WJ}D+AZC~64;-`l(C{#h7Dk9EY`lmJk&^$o@`I5)CH$LF z1$X!PH^it|2l_e_J{JD1B}W2NgLyyVH!@5!mXsj-j-*>4QnC}O9}1{4Ib?dUP;6O3 z&~KiL=Sti9g{Y21XINT6?bdm``@EPE*eg@AY@~GyuuNaPMnh*qa(Fe-fD*L{m8~*L z>8RDrX(!I*)ruBH#0sxK*$na( z^brI^`d+R1NI0YRo?kHbk-Gvjyq*!g>(|-1dNMUl{a1-6bt~6=78FJ^h&!wA`&_si zG(;SHb<<1&INA==(4jlNMu3Q?6{DQCYM)I|0StgcX6Xl zTF3pCmoKN>&I#m1*EIwQ-}*(trKuUO+jJJw{jJ5yiP_a}es>^n)1DO@+Ks-IB)h{g zH&%|vCUS7w&*b5##p`XV@g<#=L+`pc=w;)kY{L<8vn~EPnUWWInqV&egNZx%YP8&duDed3jYG z4Vb@UP4|AfdFW=h?i|fxf4&x)>+^*C^zRt5maP?-9&_y1yT8!Bv-O4ieL?Q0ai;DE ze@J?J3XRBfJ9R+6^MNSFCi~6pAlwu%OI~(q^s|rdxrje+z{GR=aMKOXpTaO=*uFDE z%yzr$8srzueZlBFPPjnub*r^<^NoAO=l^WHbo>W%b?0-o+96WvfV?e;CWHJW8-o%b<)*&z``NWG)h5u2}sP2ac^==2eWG*Ey3-65wZ>K z7ahIooXR?GXLbQH)e-{5AIAw2wO+U!KM$_kF9M%9zLwY+bbBZDcf3?ThaKN9-*>Ap z6Hm5Jy5Eu8M;UT+7XSyUFHI?4dtEyW-IH>rXQ|naCtXhnT6rhH##i9f1yJ~377)-J zdKR-Q_p9({5e~g3otG(r%<&}gNwf&JcEW4bfriPYNSuZ3=cn)#>S48hoaAXTQ@FJ-;#4q zV_E99X(W@_`Y$}BpzjM5by9hvq3!nia4QT-hf9h$? 
zuBv8`eR>O;krtjuuSjzlGTHT0!mKI!dD5kGQA=}eesP_mL9^%FJ~FE8z3T@5lQ#R6 zcxz?8Yr;v5NdyJe!JoT03sMRCTUZu$uq0}NXbv;3E~}-XM7-H?L3xh$`9YBqUXl-0 zLY1;5uymBfhE*0ptX-rh`u6uYbcIcaB4x9;^u%IZeIdtERW7*`@*Hz>iPiD1P?!kG z>HR*%?r&F7zCXfY4iV0+uXwi$-Z+n!E!?SU-uhP;gAmaqDO)DXmT&o#3D(xx9?G9i zi4ZVs+XA&!Vr}Nb5JTa&9~N%7AUHe;ic*G&C7My0TY?mVGm;cQyBA=9%6zn03v}=Q z_}!)LNMB0wT99>unslxpf=9YCSFV5%(8ewj^=hGU<{%ga3q>4>gzzr5zLB^BtElt& zGtwMrD{&8zjBL_)ddNJe#f@XqVSQujHL`PZtzFS?I+Y)5>Uxlp!u+8&7&FCUn+Dw} zC*n_!U;+$0_^VYCE}VVFIK?6FM*T@?9xk|Q)n2b)*xru0+N-+j#{rF}af=IMm~P z$@x3a^FEBlrfZ9>6dREM_{X3GP=pKbmABUK<@)}X8+-v&azvG^LSWUh_P5pl;a#1T z2)Q6bD&*h4S(b#0B}}@uQjo_@b+TH4|I)4~MOcxwvx1+GEwkeWL83uS@boNq-mdYc9Cun6>b@?MDQ=24#Vf%f7u1_IO#x#vLk#*z>RN6rzbL@tX?%zyJHON04#^`?@@bjv50jDJIH7UIh)8^ zar#PZa}c6z*Jydqko6m>E9uSbCT~?qDL!TV`p*$}oYYavm0M2|uOu|{9$OPsZVYJo zo_Q=dq+%FSPE)XzMq_Z8x@YIRA1cdLq;Dd#Wp!{X#_!cA!{}f!B78qC7+o~{xnVUb z2mja4{{Nr;V`?Km;+_c{{`=ZlVd~ixD6MLq3=;DN{|N14%F5UthrAJUDOZd-TnJRA1?#_%Xt>jrZyAl3TQ^)8v2O>@5(9RW`7@AfFc*Hr>yEk#$;Xhy9y z3SOO2f&ieVeI|ALyX!BK-n_T_*=k0|>oK;WH#_=m((1yd{SGwLZ+61>c2vjnz#2Fq zSIcJ))Sw}3KdxohWcFBq8l`W3@7Mb9h>cVg{Tw7j$XZzOI}6vdp1}v-?)=zts;bU~pg2t001LrikwV?UfX^lUMo zaA&MmbKO?=(~OoYzV^24uV>Cry6)}??|CRhLvwopM~$lM_Xq9KnYQZQGCsgw`;d7rBwdM#cKAR zCbw;Bo}9bgls(OJ{f$I79mm_he1WFb4?(dfIxpJ`h@15a2W2+|PTOB+@cip%05vl^ zXj%>3%Nb}pPk<=H)yvRn^2y`>5rTmlzyK!i?<|D?>lY-@L8%(b&RYeTYgYyQClCgW zk-_ziS^l{v@J;3X3JR-$!(2NQ*T-D<`x|^mhBcinPWbv*CiFL1)uGCqeaQ-;!GNU{`dr=er4gA3z?X{w^{ZUG z>&IlaM74@)xq}U7)qWD`z_DP!C*vfpZAXyFTaZFwW|Z@g^&=JMqZC`-@XPu^#oW*M zF{N2+dE$y{gOmc)Y;Q+jIddh_b9-fx1DvftKerjJVj?|4@o7Zh!Ayc6snuI((G3~E z|I~BNYGTb1NIRWjY)3pPv{SuCP1_R$!zaQjdwlL{u*mH$|!V@E5Gv+C?PB$g+V10jW6h&&cZ zcR;gHFpE;dD(c&C`1@D{L*iuLsuT;|c427D!4)XIKGT;hSxC=Qs3`9e5|D{X&WBcp zwy16PLpF_=7Gd3bik5A&z@%AAl7O{ZI}>Bnr;3#p^^cpfcoU7xZ&jg*3X?nM_K@U_ zzM(qa@XD7gfS*toyP%>@XB1gB-aqz-g-8Rqd{oI|@0CDQoi;ec&QD1`y=dneEmEAe zMex&rm?(4J3bVPW$75-#6ym8vHCcBS;+knNoXl3 zyI5sQ6UpO4!*3x1^4`5$kxg%`Lb^#l!iGISxCp-!0ey6uXVYhRffvHVjT3>N&6^)n ze*3|=Y0)LTESHF}I% 
zvue(-xK?QAgk#vXa5lQp*N)V?18!^?*T_jcqEfUGMZAO(1S5^ePLDpCx2V-VF12_lcc*SU)Q<~Y;HKr*s9tGXWLHbsfi!b@BaH3H{RF$bYo zZXo`-%&S-CZXO1Z{#G<~{JCR7&-y|?#wjy%S~z$$L=#QVA*C%XpxzpFF7 z53_!+yAPQ6GO)KOot&vU>qJrrVYyNHTBu1}0XD2P1O;5BDNe7Pv`wKn)|nB>Oi>n- zT4spmGG6cM^q#cQWPNopN4~Y*cQM^$LwA?+qV{kt=z5`{l7_McAz4Q%gsP+?uk^$; z35m+VPreO%F>cb1kFY%|X3o^XZ)}=x{8$1G3|GZcaOTj;HtWRDazIjh<4F8eF5lNN zDFSQ)4Cp_+rn_RP@aXWU?j|xl)=3;|#$2f=y*0Rj8Uo}sl*{-O7Q!qY2BM9>SFf3s zhh6jOP=XtNS3RqWE<}o(7}phtX^pK7l^MVA!JM) z(&x=Fqgq4qkINWh?qB4=?`es=Odc~|43ku z;LeyEQE-nLhuibi8&Wj#-M27*to~09=QYtS-Zp?$O7XjB+%V|^IPE|^J*iVHc?m{q`*o)wKEG#_AV`2eUX_}uj`Ly-5vtwA z!yBOU=GbF;antRQvn>45Wdq2;*Kt3XeFE5u+1NX`%Jtgx zym{E_cwR1*wi6!mTJHd&X217-nz4A>>TSVD8C^d2&k1*%ex8%DuAGi7XY6-}aY+1o zGC@n>1J7mH26#Vw~aDI0}%7(UlEv-^#dVW^|ed^Y6avd8;VYyfy} z)#+nK%MO3+qD4E?{f>&(&Se^wHhbFRk8c#WZ(pjPg15+cnHi^5<*&1CABJ;|MQ`qg zxx2BA7M(qhw}!SYqMe3E) ziA}1@Q|EgMn=0$3`{e4bSsEWUEObH;mG_rnG>(Fw>=oQs(ic2Jge_dIOFqL z4z|jkX?^Fv3%_gI{n+and)socy;@G~?0Uev0Y2BMIrwo|@_8@1UwSzawLFcGx$(Ib z%&r~(nrc@(w(by^0-N1{0ovdoZ%J?t4j8OC*tH7?7VPAIS$sj_msLiIZ#c9Y-GMs? 
z?4~|~OMKtnhjPMX;V?B2(kQRs&H%T)&q$CQy)uae(%J*~#to8?-~Sq`GLY*S8LFVE zQo)yFl9Gx9W)}vTvf&CD`v%J0Le|X`zNuhdxpwEqohz3K*NiJfLDm1EPQ6%yoO|SK z4s#`KFWu%^eS~RUljF!`SIOQ+BRDj!HGUi|X=Ji2m57L;jIPeQIt(x_!0E%7xO$?~ z&XBpw_g(BsV3o@cl5$!HF8lWW9PYE$fmWf1wI}=Hf;iy3#N?SJWc<}a?Pp;x#6{?Y zVbvk~Tby`5U;SJZGwMIeapxYYF|t26{qAuVZZ|Rb_uSk@D=~Cf&WO;>@41`TbXw9e z8F3-WP7KA-metw+;>NKtKKQX@@xw?-nYT-QLM15%+EwGcB!pzUopT{E#l=3mFc*Nj zZoRk<$(`fMz*V-lEJiwYu7i4LA^0R?$ZfR`6%r9z|7$H*fyVF%smjQ_H5Ia^K#P#( zpCk)Q3A9}p7pY65pz>wMKh~1|bqoAjK-xSiD0-tXO7%Ru@NM(lqTj4l!_-o)0i65j z{rHdAu^5z0K(0K!CC?WrS5%YR1*uJFt|eDmAawD8moIZrI9kjlmqh5rd?Ewn*9Gd_ z2|>GMCm(u>WDyJuhqhHiZ$?7#lOA#nrF-10vRmO*N+kjYta~0Zo8i8SDD}=EZ7B;8>U)vjAT~ z5XFzg0-@p+oi_2{fLW`tNJVhpWYtU9c^6#G3$BqOOGZr28`A5=T~4s3EhrTn1~&($ zT0$99mZIP};hpZg*6d493N3(`AB$ERW+iVljKY2Xvq2x2G>M24pg>%|#fHv42rVcy zEVKF}pFt2>hT_W*T7zbA)VadYER~qTNL2a)Lj`MlUi=RyOTzfOKYHEkbUCNt4=JQT z;!+LtJ?^8D9TDi}on?gd5^csaE88iOQL++D)ikkAmay4h<5VB~7~-X0TYN?GS1`-+ zT*T?wf7Q16 zZm`L{pC>m!GE64$E3=%e|E@0omywvm-j195 zAi+xNa7)NcCWFAm-S24(f*4w*9Fk4O$)ms#e;dI=ff1LsJ_dga7ecFODHmLve|X${ zd3g1!rAL;EWN3dEG}lH7UUu(W*y>C=Q>83&R~cQu{nM1*ALWw!N~y_!Z!gs*a*#!$ zbT+5(r&Y2q=7ovna>(`^NUcS8)T;P9g_^3&8K*M0?RZ*(Sh#;apnfwv89mG;s&5%Bv@h3hsUBN2y{-_{{fx$r9~-e2n3II#{QFb8tnp zso5&qNlL}C_8H98g#-6L%C&6W@Dx<+Fj+b|liYCiFDJ`^bHQv zO-^XB)g#qsb9uj97SZdf8V>P^h=K(NUZMah^X^AdU+pnKxvaVeR>_?zY%@9IU3ctmeHBTCyU#@@6=l@cD#jRo-73VG*z`)2qKAIhp0$ z)oc?ly+6KnhnHY9Y3DOv`415KwK?>{yy>iOLqq*F1xg@%6aY-3)>Yi!ApBR_^=4 zWiK@yR~lNch$MWE_FpNtJPi7>7?&SXVah${X|5IL6~rgJPU(`ljKbd-%F3S&FOMgx z+COj)#A7#lymQ(L-G)c$Tpdar2lK{sJC{$db+16@gbrKLzRxq(x2%0lc87@0SH5Oz zvh0<*4SRT_!F77NH?N47IAc|uXQf)~+#YKm9DFs;jc*PPOUc}{I`4oZ{UrvcyS=sA zGn+>#V}KX;(>bH7d3o0=OF~4_QTz3}VW{494^HU%+rHdcdrr@1+U=}~FpSY5eBIrn z>xlu*FOJW2kp%BO_7(25a6?=^3uNj1%y3r70MbBcKB?uK+`JiYd;Z4%iF%cPLz3~G z@sqHo1o;u{>D>?kSppsydBQ*$7l3@r=s(LnB5W<&AAbFe7vMXa&kVok$uMh;DEJ$A z26NDFP*`3ZO}XQ8P~CQ#DEbTMJ+}8bk|%wN?4fbpTykmt>JRI`utDj1_!t?%%cZG9 zCM{bQvW_Qt3`-))M;#ISsZrd-%Jr0^JO-ZX^hZU~Y*(NBAY}>Z!cDqZG>@qp%>wJO 
ze{uDwrD3FM^f7y0a!|K4!2D_fA`I5fAZ`hV@jRIvDl~)M#SOulRP+gA6jvzL6NT+R zmqGZ6C*~?Ggt@%*@GY5|6x(0pWRAX9DPdsL(xI9&9s0Q`B@Nq2a0KsE1Cg*Gv2fEZu*a zgXTX)DRGPpc=zQ{LCR|q>+cvT-eT+&b{%962mRoUWcweu+J~j>K z5RHrI2#+rb@vASSEY&;epuGty?HvIoIWs0PP`@eBs6Ug74(L=%omz477LO;!NAL$V zy*E~CoA?J7Uhd|}&pBcf3FkPIYnj!(5cf%#bTO(uSgCMpJYAJ9E+iWMR$=-`EsCK{ zGKBJMxT2Nw)!aXN1BP#rt;1|Ph^fTF3yoDp{o$2-B~Ez;P=201 z><_$qLJl3>3RdT`d2FcqUIW(g3fs~IYy3SpwEN6cefT{a&}z|I=}W@~7@&QPr-Nu1 zFlHE2sz{K|-DjE^imUxhrmF)L_ejfF@D09mbkUd0{ov(6czw)0LZ`w(Hs@qWxn%pr zB%Q)Hg>aBjrtB?W2m}|8*w=vDXPFY6 z3KJQRUZcQ8Ra``+{0)?>Fj_IDooKnno>NH;LU`+ck*wj(N#mHz`T9U710w20?5rZr zLUaQYSTbg@IFj~11mPs%F_J;QGZ}JX@VR+tPGpNu@KDnn;$nu4WCPAe5p!?7+u{<8 z!$6<%Hvn@Pr1m0z-2xsr%VvBaVh63Q*upv1G-Jz;H}zC}dgc{#zLmZNtf#^g!G{tLStgJcuu&Ql_n!-4Z23;-YO9%Z{yrQPA~b zMd%eea9%d^8O|>27d(mR{M6NP{hzU(L?xe6O(F=}MAQuOA3{D^W%&v*7nCR^u@CnO zRd8%AP(uX>0b$7MM9VL>IK2if>@%%@=PCq3CdvfV^E3&nG6(1O>Jx0Z$i@)vzq)rtt+nEY=!pouml(g-0h`JR5Rb&v0#La1^7 z{V-Q}KY9kb@!dszWIxX+0I6~?f3}JEwXdmPG}_p%p8p+~nR6A^<3$6HmHEjXcKInF zv@H59qFdg^ZuvNky{;S!a*Xr8PhHi;>Ua%F&DbS>I+#>#HrZ2~mXQF<&T|Em;>!i~ zZoVDQPeiNdeJxWPBEEhbdk-6UMRqsBjCNI^5d}LPIwcNns>#>w+JYxI22kGPWbhSV z)0mqam+Ktb`c;6`SH=E?X9*u z&(aC*IOUi3ZN81va2wDtv-a)vjSa?IZ-()D#eaFAtsFMZ)^l<^x{I`%%W9ih!TRvt zQ+fm#hUdngS2}iA9M+v(;sfDkD~0Tj%3;=0D_j@eVskpEL3QT~0MHzbR?8B>>$PCf z=FJc=kUkqhv8?j--L(J5#^D=nS1TU*Z;AV`rbWS_Oy_~%CAsW){#X6b14NLgyUo|Z!ig<4vsfRFbq)d*4aU!EoKj6v$fJ=NA4C*&Yzm7W;S#%cNdD(c*- z=Pm}Y=X?72R9Px;G{Mz?qFp<>esIZuUUZiIX0TUr(dA}uk%jiu>d}E!rE6OE`7N-X zm3FYX?yBcg0ZhyCyITy0yMOn?1cT>5cLN{*3kdx1-~Kj}@RxF@4TvlXYC&9tokRAu zeJ1d2>OZ;bclJ&tCwCRVj;dlq$C?%VKxAd`P9=LBwqYPWQKLe`lD-6OY0p?TVu-8Bm2r5M6yM-vB4P<83$RJHVz$t%Uxh=GNN%QKEHWt6{~7PZ}pe)Nn=yjQtCyiJB# z;m%N4q(o9SXEV(qjgdV*V=vhAlAFGWL#4v#SRVRN^J~6(Mkbp9Sv`uT-P>j$|I zU8IXiw|nI-)=(bCVCkCpvK-QkH!MxSHSx7V-B_qZ#4(8sO1j*%<;?w8-irN{a z66%C541`v&9BVdw&rD%pG;T1rsal0pF5;Sk;p+D&!^+5u>m`HT%)Qnurkk%Ye?YYFG^A0er>=CU26&>FOGqT1NEvZPyZ<0IXrRAWAP z!y(G_uoNBf`p>%}v`sYO|J;3y@bGEIvcI9VG?<5Y0eW;}oGdTn@i`Zool 
z=PJXYg26RzMAI=!OS{)6qIvKgsRG4;>KmwW{t+fCwZ<9)wIY(%V<~OqpYd!3A*y@C zuOZVU_n5@@(>z~=5C}qWx&O%BKK&U=P5r_sbI8Z+-C|bJb~s6|%W#D6k+Zeo^;V-| z>(55C&!R{>cTHcV=S-1=pdcbtl0ambbkoMTQ6-_Clm{WfOl}y4o^-7lUSOX1=!8#z%j*WZUZ<9_=^3g)EOx0GT`yDZ z_u!Gn5}AUm->>i3$9pNZJGFnYRp=?>P%KwehMqnDXL3bb1ZwNQi8P(;`Y3^fo}}4xL}pFaVvNA@ zG)35NdITQ0ix`eVFcSM|jr%bwbQYMq-UN5j2fqAY(J!PBj905T_{H+ z>XTl18n;NMk~=6OczvNL()JF-^No!xm#We$A>TIrmGK$qb6Pl|8&L^nV%xTto^!8E z3u*6E0FwG*yRt;AH-1&fJWi<^)0{IKPU=CR6tsQiW^ETZ8mTwtK!J~7-x;C7K}xTu zNJbN`j~N=iKhfvvwr|K}!qI5aCS1rx`Tozr5B<$Dy=36)pliRaMDI6hgZjk$JuXP? zZDCm8vdEC>fOjwStsEBF8UDNrjyU#S@q#oGMA6{qYN9UFg9>*-vWU7rra>A+aJ3HhBm z>M}?aX-u&p`v4U;1p)jwu}~o5^1WuJm`5nnG82<3`8!!XD6IHkxn1XPHxPbAaw3Yl zsNJ9gV`0Z2Uo({yk^vH-Ho{4z!`SL~X9)Z&KA#bQ<&ouo3k&E?;5T`T!0VI@_{z@2 zd&O_E>*L%A`~iX_lf)*ah7jut0F#4z{EEMI`{^f<{(H*qy?OZ**OU4D9bh0}%VmcR zW^&c@g!X9z%qU$+E*bmr8nvTLne&k3#v*q31Fv8mU zAoS=W<8O7}(E~ZIu`Q*$ED8enOoPmjcn>|U)(56O=7fgc2~rk$c*ll zSU#^c2P&8&@ukZ5S)ClvAI^iYy(Rv~@hxSy5DqdQaQ*ylPG;+6ymU|~L8q|oB0DYf z)e~c<*-Sx`rpX#x>c(rZ{FblJfN=lg54$|KbMGgEC!g5P8`1-$E*=j_*NF?bvCt=a z74G<#6N|AzB!Z&8(TW2COL@ZAeSP0|v&aF4E7M1vJ92}k3U} z;}#s}Re)A3#gdn`st3^P^Z8a57D*<(TvL6vR$hB93D+1phjyjF8(ON`rUvu8wj&1% zScLjj!Zm1EfCJ#hQ*7nhEWo!e%h&PzSDEQ4N0p8z_+^FmJbcr6^n5#T4ok1C{8BK- zSJSg)aiVO!llsAO2ikSu9cCDPEuMdO|Dn>$bEyxh!z*utX!XXQ z%HAVE&jf^xZnuz^TpqM%`GnQ$e9zMh)OXsJM`5~Zv|X*w{e#z8v`@(lSiUnvS(p3Wmp)fIVBFi{Wv0?t6*xyt4F()sJBqP zi-T62Fc+3PGEN~X*^uL*?;e0pN=-0Tp%@cbtL!_m#!!Tu_&LC=SSG+HNXiL}q3|Hj z8s%axeAJqN5V_qWy+FZGuVPApj`seF1PDcj!El(BLfyeX0D$qTgy7 z;IlkNTpAZf;Y*Bbh*&_5N|^5G878WMHU>#3yx^SXq`8M;GlaIrkg{H$8^+e}V%$jG zcB?P&=^0)Bsp+kEBNawIXwGp?Ob3a}hhAOso3T_eP9NGu^7zp5f|62pl)fCF`=?@1 zNMhrZ5pVCcL?fI^#7>+ev3EabTr@ib9V9i-*9i1Z1tk7;_%kYuGh)%noe~!_^3N7w z;=>7ax3PLzB;27s^`quybx=dJX(_7!vC(>o^n(Z%HO8{-FP;5}h$L!zn^Mv|AzT=h z#M-18@(GIBkK#*mJR{sYY(@=MsEXO4AlJMv4G+F4U!V;(FzZMBMVl44M(28| zX?rt;5B3goY5v(m)+)1RL~99tWzdkDwuzZfV2(S6_$JY!PtNJfH_#nqNg*lk$e((K zq=byI;PAW4@i+mKNd;`sKc(MLLxfQ#8?F{e 
zdads@hZD=~Cd5lCTT7iT|I1FiwbYfF-${^(WswPc@@R{fO+gi;t>RQi$l!+|{I2CW zKUy+D9ZSKPIvlkUuFHgWynO0!T7nYwO-~+8KfAzd+&`_8vYl5--$iQb&fz;bK_Wfr z-?5eng$gB@UmF+GVk2Yz^dvvO6|)#n6aWMvW(9+w6X~Hf;6||KJn0i;HmV@WId`KB z2Y-vyK`qEogd0Nwr-MW3p%5&-XWL>NtloFPq)AG=$kilLt9d>kuAR8|OO))A{6@tv z7b&7*%~VSSaz@O3KQ(Rej4Ol+Kq_WcAt(~~Dd(o8&Q`X6DuFS;lQ7iiuxu= zP*Yw?3C~}{0>AsSuvM!h7003QRs2>dgN>d?=q8;Z^%*LGT0RlBtWaRWe4raUQknT<-fn{MvBl0fm+KD4-cMs&dqB=}U_65%A z3~{jQWA%#K0W-qW*k4O?j8?>e`RW*iJ&J-qvy==wLa@;i1wxDpAkpZw;`xGpORbQO zAmF|rvN2#nu&SL+%m-!E8^X z?wuE#GEs4JQ}7Z|J(qrMaJAWbJPFu1d?woD^okD7n27%TSvmWI;9(X9lI!H_2hx^@ z+a85)`=*K(gVQYD!od=!7$IV6hD%)Yp%KSn6L^lXWg#tblNYM_h;dY@u8J?$hthr) zlXmP#mEACf+o|ZI5>k%0vtg8Gioi+kw&^NpN)ggzGI)tTf%ANyC8wBLt7z40A{LC_ za49IBRWlXxF8ezBx*Pw{rh#S4baaqamE*J=ZI!ibx5mhqb0F{i)xI)hQsT0$@OIwk zB4;}T;JZq40w_rZ=hjRc6xm)edW|rGoR?gl%A1F(;)4mj_9}BWR=L;MbalLddR3jL zFw&QxUX>=l`!#X3HuEWiogUeXf~z(6L|S%T&zY=AO~Vt&6v!l?;OX%Eyp)+K14{&(o9n z^I8``4qd~yaoIOMrwc0DdHLu2&ub*_hvk6F4vTRK~tyc z7Lgxj1uyqa=A2*iFr-#Pw(ncQg|E*80r+M8Gg(f=`1bC_Xq<-prjy+5}n65E_Op-XD?pqlbAOAG&kUC7upvkdsW~s6q)b3MbaCVEz>v9i$DD#l$20`$vM! 
zc-**l<8($6X~cm%4jYqXR$*MXgDnhpyPA_QjO{CgfjrI=Q@xT!_+BN(vMXT&8B{V= zmSL3?%ezS3yQ5siSHAw=M^k>BMfugi@41=xXyh@CK7zp_0eFaFAq?9Of|PJ?CLCe; znzb}8camzjGro4jY+-|8hG+t7GHqg=Gqbp+g2<5WhU6dFpUH@ChZdsxg29Pmfx0yJ z6m@H8(ypD6^*frCO4keC3~7+*dFc{CH4vjXMz*M`cvH10QLwq%Bsab0_c~g&>l9h)a zPcXWKngt6#Lp}mEflcQaqVe^QsmuaN;MHO8yz}9W7#`5^70Oh4qI}7M7-Fmt7Dsz9 zkX^c`k9WBOWA!9vkJf`qgcLpZfs{yHv31dZJYro2nQ&5Lb$WO!07 z?fHE^5HJQ#yJzsr$+7{sF@~h(?6uByQc4IixYbO#K@?kOunWH+WA})$+8QW`;ihk?4Flqvc;(kP)>&Knk5tz*9J zE_T5rB3y_5t8s@A|M9iJ;?F{HydqkWX4v7tGLzUBi)mUE`qdEh)$e`p&CNMU;hLbPSstH+n=m+Fb&@B;pfe?K`+bM2r`CjhWvLVsJLr%i_+ z@@*V%XeIMU>~-ZMeN!fpU`2ox6=hCIP9M8=UO8s}q`C76|M&z*j% z%$CA>R>F-;?TdL)v`(5}8D&mR^_0#P-%pn~r5d(xe_j|^h@4Bh68K{$`R~e7(M=~V& z{kcTXxVi#Zpbb&@0F1N zVw+F*3sCK_ngH$R2z97L8y`^iCsvHvs-W{-tI43;I=OtJw+oh|_H@tN za+j)gqXb^t3)YuiC#~Xcq9hnXFW(@oCvK|;qVh}KyVj-$kkyByO`GQCy1!Xf4!1Cm zYx8TwfjGiPUYn}%K$)ES(?3W&Jn5nUTKb#yyBimtJ3E_~6|IGf=@W|Mj)~KU=t)d= zPJ^4&#*UqPq^_>7T|0}Hd|nBsCRU&CN854AA^HsKoG-&wEoZLCGxNmpl;j-$x-`wE<5Pg`~uSB^?LaxpNa7())a|jJ<;{A{DiPUU6b`R8MhlPl-mMuIQx^5=aKs~b|_5(pXp2B#CGir4g4X?-bs z+5Lcw5Q>8bH10K8#rVqqW*z^aRs?LBm01gihxdEy=Fq zK6Le+GoLI2u-=!mu1~C26Eg?{+>_V1@Rly%*7J}PUf5*7#Smq}cQVB+NMG%zW8>(*z;feJ>`fI2A4@Cu43&{rdH(Qv&dB|0? 
z_$*^LH)sk-cQ^(cjBA_!(rJz#d4lE6>SYmKG7fjG`7+PjGaR_0NrM$2!cD59Wf5mH z{c~5yKzTe&F++{gk)~jKp?7!!t2Bt@`wYWHbP>xx9se)C;v(*j0Pn2cj6=Zpp7SCB-*82U8eEFO5?VcpvF>h>)sx zLxOGR+nk|dl5WH9hvHlC?Sl9oT`;1BQ;^_-ak9(jtUcU_XVQM6l;(}vw*o;tD9kc;0MrGCd2QY1j~D9@&HK2r^KT8gMdgLb@z(U22B z-1zM?RH^t=rMq1_pd8M?ciPd3GI=}?ZOL#gEg^*l4>9yb(q$IGp^!V~ZUl1We-ZObdA^@M@ifwdKq&T>7bgzRc@3 zFEwqN`Ez;YH-6!EvmD+Y^PcMmgc8wqWr}rLlo^$sP!WogQ_`GyAPIH58*v;l+s>>00(nt_8%%ts!bStP5hqG-t3j(v(I*p|sC9D&pb z3?V6rC!8(#B0`8rkKNu2()D*}Q?wA|)P=(B9F#0FQ;|GEE#Dt>Wb8QcDU4TAmVb%C zVmT2;AUXX`k*N7V*AR~s-rRnL9v<{BVShpAv~UX)m?(oR=fsgu5*hDpK68nnsGvnW z{zIy!Q=py?-)BBT(Xy*SR*@4guxK2BpRjXm(2^LdP7)t+a~kz9u0Hj@W&F7W{1&Q~wzgEDTPl;BAJZkUPGrpUhUDzH{A$gDZ$-S$-K=q&`_5KLVxBs&Y zuS=x)yy6ehM-KT-Eo1vAAAQv636bw^JRn>kvmF@HD7V&ucK;Rp>q}O>kI8gPxqM+5@IX-gVfGm*MW<#KRe?!~i>XDXHYL$Jxn*U@m^}aj&)(8VwJ)H?99AcoQ_aJM3K;i(;3@zeC z(m#OMLoZv$ZnV<8eA^F=w)Eft1xQ&wpa?Zyhb=9;{#d!eXkd`aXxZReIgo`)FEcL3 z-QX^GFgEMqR`FcJpbl=+Gyl5XSK@vrt*rACc|DIu?m4i3Jz3U23DDe$F_Bw&URXo& z@G8>5!FwafTq1 zZ@%qiUgdP1rMKa`-eR67jxjvU8``Z?ZQg8#+(-guf4DwE!c1`AjfCd3UpQYsz;LYg zu1xuz(AhLmu%BMIAl;x{HLe^S`TFi@O4Gew8X#>sFB|qV$XgEf&K6WdSpik#c`8}A z&cIb~U@-lEe^x<*dub5l#3v9zbr1mOOXUPNdw&O}e?~a@Btk7Ny&yFSKzG&hF9FJH z))T6E#itOSf1=KTNVn%Y2mN+W_`0PsvxSPj+K><3iyV?m{Pc9{3i-IODsjkuB3%j@ zw3aagbg8AtxkYdjmnbH^;{RdBzi>+7dORAH0xT&Pv39- znwnW%$AiFLO;rDW#cAR7o1vxBbeCQ-i1fy(bHt%sv$)XXxQe6nSF6paeZyLS7C2`^tI#u8f3!;jEqYRu+u9WrmD7ymaW!Zx>wvm^Apr z7sZaQdA}^}`1|#%y2|GzrE*M!C&%aJVMUjS*>%G?26z7@!_em6(ze+ z^esi*?ok)I%N!awN!D}? 
z`~1AL%|39<%JF1>OB74Ge0*0Bc5;OxfT#4UEN@r6&v}-s2K(P=K1cMEO$2>_Zb5z^ zX7+ET0>ntP_)T-MgTgN>F{zFyl)KzU-CwlAsg>Zg#eefQZrhDTL^2)?`!; zE<7eMN$bo4gJrFzfkVBp;?56(JR68}UnJ42A)Q<%?iDAY?4;+8wWW`^je>6{B!4MX zi`VGR{-9wEtKl8}u9%O|$A%O`sjp`d>mM+N6GKh#JN0{%L|RBoVZw8Xk@s%5CLz-3KDWj;g@#ZK~0La z%P@XA`EuS$*AvZ_IAO}t0EBAXq+w#pDJFM>(VcXzDE*{3ON&YC!c`|F#;=?Osv7DS z`IdZ0xSRbk1wR#owZBi$h}OZ*(ofKkTQ5Mkga|i8WaZD7us)-5+kYX&l=`nMZ!*caLr+o1-Pa^C7?LQ!HkH zOi58@>ihl6^>?FB*jgT*BBAY8DKKiKHHw*^29bZh8_vOWwx6-|Rr8!6=;MpM*?8F6 zwQ8fQu?3OB^6~!hqUgDM!z?tFj6tFmXkmM7TcO-PIBf--(i-WN2_a`-s8Cgi$ozo0 z`HOpe!CMj?tZ0+uoLH)k7`oFBFKtQ(`Ctw4@U0C?eyf+K7B9dx_s~N#yBMgQU#fu9 z67dg3z3MZ()d%%M6vMvvI3i{`(zt2pOJn}$pgtb&=@un`Qe^aE$SA`Y_zNXs-Puuy zKmWD`|3`+;d<{fs>a}(T%~P^BnZOX_7h$8X%AVn#fUUtYF{$YBe?WGlmT9v%yR}VgNfpb!yMM)e-$RYC4=wTRw1xb-1 zTH6*5&`iJrI?43^mCin+%afPDzn}bweXuv}p7aZVs;c4mkrDKE=l478PvTr`3+Qg@ z*6;T*(XHS1H)1f1C^D>E!U#Dx;01uiS+vD{cJWrJb(PnzHRk;0dxLy~ug`LjRz=706kubA1BiC4HMB@0uBUh=r>o^^fAC7gughOl zcZs8>*5qsE(NZ^Xt3{vyDtFqmG9zkS3@Fq5({+T>X6^ot7)ozy*p=zDUs^V`dA2Q` zoqDC^8u`>gi>OEXqI6LhWViYlYKBi><9R!WMCa-EvYBk#raLZyj>s1Qs z>71n}iqFyYeA-*mrS$P!$nj0`270}hHfn`a+fvv7d&_(02=?6xNw$;&@o!=vpR(x63^>%is?afWA9g+P7O)N;i@WOpY z9Gc{lMbCzQmh8_SfQAd3=gIl-D*WxZvp7S}nRCJ#ISN z_!z->oW+{zJVoQ+)o(+J(LT9}jA;k?TC7NDf>Sy)7mOIXJYr#90dL1pPe}xb+-@zj z4A-@(RHovb_u28;bDJmEK}b!TnteXQ%~I?8M*yy~4l^YFm$`R&-B=>D*!|E9f{yFh z$+z?DqZL^oTX(2!C+Yk4m*REeENO;Ud#uXpx9p}(ADFhu%2^IgaLyGN?*BuEt$@3t zZy5K%%_XW{#C}JoU9z|9>wsZ)WSUCfx%V9GxXw~g#-!iVt=}Ptz{e6-N?!Ohg)R04 z@QaV}1z6fg-V>N%$e0R`D%0!#R=US#Og22P)bNQqQk5oQ zT}6^|E&WLh`xiF6k_We5${`amKt?yyz2Cn98>Qk!ou#POJd!!_M_y2>P7St*?S+{Tn*PFB_o#!Ef4&Q z8y!>T+$&o+5_kF&oxMEzoqIFJvJ~&0I@#)rBdwYuglt{CWn((c+Dm|J3#@%a6zL3^!-m7^Y^Td$M=()p z8nv^-pnvDs3*gT2KMv=F^hXnX5LLalrAWe0|AmoR&VwWh-&QJ316c>`K(~avAY6xJ zOzN(=8y3s?Wc0zu9@j3+#)t#x0;&ti(d%L4umOL<#?#?u1mNjGo{rIm!KOI}u?_}7 z{6(#1<&;Lu{ygs=b8h{fd2SC>A*bK{#_Na(oVLqC-Zj%lXzNTC(qH?;>KVC!s#)j3 zF=aJYAU7BIv<>q z)}pp5hKk>SGNn+Gtj7qqY}k$QahlybXeCib&b>0URAyC7kMvI{Tzp}sh5ZAUM$o|w 
zf967SiCo?b<5dLX*lsuVan$@3_0I?E*cEq@W*f5d&Cy*H5CrJ^cN zgvSR1TqH3a84@ul>Jqx~=3oBxQ8%C7)+ZJc{Ft!Xf1eP&$O0QlGWmv+Jydec3UCa-1|LGyTt0I;tlmsl4m`rrCs@5kdLG@7++(~&Q zi6|zk;}rBc8wxDg)UpW0r+wOa>sf?({-@j#F(IP|V@ZJ1xWI3!gP%r>vauW=o3GbI z5OTZ7-^h+RKF@au-sg~i6{e0aJRI{w6m|V{KEQp-Z=Z|iJ~_a9&*kO~BJjaYnW)ow zny<|dI1j?9=(VDG<7}Z@l0`=GIi$8- zJC4k!gquJ1Wt{)e>s(CG0`KObv9CMjVeLJtHZ3jxrQYOjx2T#aiPd4{c4;_6WbT@} zaR0*G41(~TS*++{)O}rCQPc5h_SOH0D6(6z*^y^>-6KQduXTND;9*aR)p8v=o8sMO z)ar1WNjI}t@~7SWIMLb=_q|!n2!;ZgKkta5y}N~)_&NpxDQjcSihI5?<3j zc}o00M7>jZrCqcv+_9Z>jE<9zZFg+jwvCQEwr$()7#-WT?X}j)cmDtEeKVf-^1YbP ztXX4>s;Uxn2Gr^604H4hd*^OYuD2g=%`XU}eBF;D${0QF;B<)CKOgrbR^0tP&MAK0 z+@^NEDWvxKJgfwCOWBEIF zG>vIImNV=C1dJK``|quv94I7>&3jlYwd}8R2DRERJ_>xvy~f?c_@4;-qjwm20%WIc z{2n`9RXeVC{bh8{XWW8P5}u&x;bEj5FC}gVIp3tT1pmjZgdZh2z# z7D)B+I~_|6y>c_sS1EbKH74d#T1Y%dwS9$m4rx_n!MzoboMX(@ERHZ2=# zZz^oC_uwcGbqo`i!~{A?8SjBuZ@4lK9;snULI$1^TomqdaK8O2voVrsb_Chql4M9> zBFb>-au=`0{*=F;)G-j#k2SFJX8hY3zhQ&5DRS%K_!+RRr>riM{)*rJwR~mD#Bg?% zGuBq>GGF_S=~n0tK0_&)FLBbMODK&iwG#_jVry(v!(XYvvgFM}7t8x3%TaZb6dCyf zZ@dZ15-Ngxy{u_r8fB&$5BB5V`&VDSqIO|Cc~=|E264fb%(a_O=X^tid5jFBf-5i) z5eL1oP+4!1DgzCrBQ_A)J7S^X+fRsH*pnLBKCn4%bwW-FaVP=>Jn^klH$pr)RIwyH zq0$q!mP6P}rpS#mv=&z~Tz4EyqDFKkanWgF_S01q9_b{Z;&Q@snjYGqg}>g4lWIt? 
zjEV$k9bDE=)N6N{N<9n>^xuP)oU);L7zkuJZR;2#Y)OsFyD#sfh1j#el!YWi2+d&h z2T&7XH|WphtJX0WhAb5c(Hia8HsTR5kC=>(>D<_AHKVu5WacHsW3S(nwN{8g_~BD${AQAdgBbm6}9UV zTyP51OJ?BJ#aSWfBL|Izm}rYCrT7wkS}XT@+3tanU>dyR^@rn?BY)1EwMJnVoz zdbOm!H(76*B1~oL2Fpk@lf~Tf6*<;V;P%X3YoPbLnmy*IYe;yF-O0GGOk1grBf*ZF zf-fWPDfec`AOsWqGDrU-9iEg5Z6Q;@EFB_>HMz(nba8UXr!HF}F^*i#i;Ac6hq8@k zBASO^v(mj-zBR5z+K)hOA&jeS*0d+4B)UE69$!`qT09k-IyPm}oUCnJlx37+BSNZ* zvYcY;DqL5ZD1oV5{Xv>j(5h9qc^JD1Y0=t~D`kdU=68}z`?lvh+Y?CR1N7+!X!AM; z4J!GD5(dVPjL~$>mx>r@c(-E|de`tOF1Y#`oBEAMCmmHYO;cumON!x3B?=2u8*0d$ zYE7b~OG{MDjfQ_x>Jq$EIDs-+Bf<@eOuE9MaH2NSpQiDKf~?y3>uT_%3vR#1g~4g2 z6vTurH7$oJqd-7k7nv*?hAR{0Bj0m{-$G6_0H|Mh;W6nIzB7h8O+6)&lp(8y%e1mj ztkpcSpZH1f6w6(qMH1{(WRCSDL(w}+OaWD=E|-7=IZfS=zH9A9{HGyx*?Ctsti0^L z!WSAXM4yDB^kPFTR31awvt3)6rqI}0T9a*&Pr$WOTL~9Y{73NpkN7)F8^!vF%Cv(s zN{2gYwtnH#hi5Fc=x$B6y=;~4-W>J(kb1W$1?8W5}Padz&c;M+dBZ~_qGgZ)^l zwIN>d^;n)mu&H}Y+W*B{k%#5L@A&CSmYtnI>UxL}zi^)p8&Jo5H0o5C~x;(eD zR-MhC-F~|g*0oR7m<*ge-Yc9M+rS1mK*?Gyi87;HYLY-j(NLc~Ruib!+&LYWDZSKHOg02r1%a$P>gucf^WR0BOWwnnym&1rWd(OAL(DxU-#p@$VkMo=^JKsqsLPp>q zA?L;mo!|aJn(pU0Se5{2RxeEzS?_J~f!O~semB;m3foC=6C^^qsI$3*|Nu@d`;e+ks zRYi<|wgOa3&=KWg<|3=swBzMphR$55e2m$pZV??60)JiOz1g44Q_TxRYwD=$vTd;?r&uxw&R%qNWnpKx=zyIVRBJL=4Dux0qT;I zseHM`?($H0q?r4NLc5VOa42o8Vyr@F7;evUTr44*pX*$D>S4yymSvXYkfZkYvkv`$ zVuX~6LlROl1LFnpjpPGk<|UOT*R~;RtRKTmaJmqSKPE=REJCO}+ch;h5{=Z@W8qaB zu19++xvE7mDjA(ICn=2C7wT4Xg&*9ZuqFro{BRZ;TjJw0iAXWkl4|od;TqFfHqA$} zzUDe(Lw`aIrTm=Ta}%+O9hB8X?~2EgtL(H%BOL$6wlwZ&2UjN-?X8bqV2LC1*2r!y z)Ieg0%VJ_(BEtDSNx4=RS&?)2`Lx3?Y_^*{Q?U|k@s$Ak@n=$RDcX^Auf?c5KaR-5 zf#9YAK;ol|Uj3)$&`OCW&?1MzUjtx~`+rxxm%9%^ViDRu(zinyzzz))Pu35lW=%JNumH z^YrUrLB10sld(oixO(H}xrfNNU>y$zrB!$;e=RK{H7AZIH&JgpQY=vl{VsID6-#8s zG9HVjQr5Orv4nF=$TajhvL-c4>maEe@mDSoO8)r~le>DK&k%|%{r-3YCVBTKn&vf` zONzU9>FJ+Z8vJtNx%= zJsj{=qjjw*wbOhH97kRan{)1Vs>%@R(qDtw>yHMT!kPWw5^yLq3;KW-`Vzd57i2v2 zIhcIuub#IKc7fo#g5=<$T=IoG#X$Ub6kssJmtVFhwTKX=yz$qWE)#HmpLq7-TA^!0SB(2Y*1_XD5bNLXQW3{6~7kBLXU;R 
zXHO0AwD$8nOaf%ZXx#i<7A3H#``Q$Ytm%I{viIpW<)NO;+53W5m$jbA!|F5djE&rA zvAI{%^7Dy@2 z*!Qzm82S7#yH*QjU?(yzbi2k$8Fzd|{Vo=?u3=n=+Ru8@IIv_0U8A0nD!OU|UfV(& zqI2u{Jmyh2ecr-3by-#&MqwNR?$7yemfZbKpRg6SkAiFr`fLG69INkfGsNxh(j6N1 znp?Q(;dTx5xnp8Y#QOekzrNlt{vFKiNorm%9k#mkpTMF#)84+9JG$;i`mvf5z{H~a z=Uuf+l}jvZ+l64ewDoWq=a#!XXy8lmeFpIlqV3G4TiY{85bz#svBrA|7VCil{kgFd z6=1LL@$o{0lLtpgQhRhM-Q#jQ5C}N4iOO^BCvnMb+zV;{6 z%pN_T$Irz2EjrCWy|m2+&6~Ijy1OiiG>@I$E6$6Ga3U$9&QbXh(njxPdt{8u*6e`4 z{x8XOtBwm*23bwa9dphIIci##A6Sg~mi2(279jtr=YE+O5TDQIS-}>C!v_F(_y6^j zLHZ!!0>&56kJ$_WXanc#FfLkC#s!?*2atGO6Pt|UYTB2?e}VEH$lwzuNxMRFImXJ6 zcjjrQ*z1;9-fYfk%RYs<_c;8F=MTgb!wudU7doZc(x@MEg5}Q)IQv#sJIUZ-BZSrz zlrUeW|~)?XbQ;&NRE z7ue8p^Vb}B?eZ~n1-}{-WX+i~%6^ZTH2aPa&^FZI)2}m*3THlf!IHUX7p}w&+V&L4 z3|c3e&dXO0xv7}sS<-gkg`Xj@K?fSCDXhdNSDzRz1e>Hsy8IeTR}?KuqedA^r%Tc0 zt%5?H#9m~!#}FM_aLeg;TR908hLVgcocnx3G4c3!Ov0*%TdjmQ;a?JJV~@p*^e1C% zDdKNtk9E8pj`W~iwCmK37<0(a7!E!nGTGg4DekN?a3#SS_zeGT;QzY=Dj&k&{hq$*uh`hQz_6>(hMVE&$0HFs37E(Y9Q)!d9Q_PLTw2z*7nY2V zF~^%Vn<*ZP9MTCiR@yfg^Q`tqzI@@wKF~`&2WX*69Sp8ULK}nG!vsvqGcdNZ z1&RKt$uHE;xyzdYSlrV;=0V}w1HX=O&><+@uz`?Ew22RFRk{PRk|5_O8xL*RyC&hf z^2fvpEe5eVERPJd9mlV`&Qok(d!AqLO`*N(Zgb>fFBj%;yRWfUmdZF?Mg%18o8n9b zD8UTUZU=j-1wS3b|8erPV;qmtZ^(OY4v8ix8F1*Px?iyU9{7&egcq$sm@xH`)HzDY z9KeQ@M8k**1I5A9_`QEFn5_FMhejz!n2aS5Z3VTRbB@UBe z>?c#DjUkMs#JZv8#+76`5wLMc263>*3J%P zE9Nlg#RD+ITL^L>v|;nKIrxB`{KKav7BBb@CHZz?4?+ei*fx&VPU)DB8 z)&=(gxjyapbD1;ttYx=zznUBb4DaZt{RmD0<{Jkm**iKPxfgv8jhipbC?Pl(euUjcypN$zc?{+US0vJK>w>r5U-$4&vjP$Ko_tTy) z5)M3jp%~YHIM$x3FAxNK-(FApKE@6n{2c)*680_E+A|V2uCe9Y?uX+RTX|VsN!)Kw z{}8Rd1$+zLH?SA{MDiSMdhWcQODgUHIW7aK9Co&Me{*iQh~sYp*qRHx{@FMX$=00# z-xD-Az1-IxX0dX;Y$|MO*8&`$ST-DP1lzX<+iW#K8^(24hj1{d`drLSm$Wd1PUjQv zTUn{K23CV^@|`i=hebJ@2-mAGsb$xF4?PlT3-%yj-9%JQ7ZcEB9qVBgzlUD}A8(EW zyD3et6;Mqz?dQ3+9NVPAiGf1c2UN?-X10hR)7SxI&SCxa`M28E-ThQ*;&1Xkj+Gkl zS3}->?_Q71``?(3oBF)k@W^~!p{;L<7#5g&vV>dNYBtzVJEYT9~0Xnkx zAa3-1;6EV6Tk5S&g;k!6fLVS3@?M-RxdHvAmz{dxr9K$RCh&i(lkvBTFRY`3?$sGc#0aU@HIpY->?(L@ 
znY2ogTq}f)_CCWM9^1dVmp#{9Se2&XXEEGi9{BOa#j+^0=6VPRtdZ=s<4&_vQ8C_n zQa)DOuA3v0l;3{nOj|fd4##{7m&o%tS`{0)7Nt$PW!03gLS^BwU%`sDl&&rKUHzK^n@bBQN<_;Sr6~#@piWov%Vg-3@tV>QLe*k zHa86yPd|l=q(^L0Rg|99Vj%|WP)DhhH9=2gSK)>UJ^T?vnILbLJ_7$nRM9DxK;@Qn zUi7Qxuh!&HQwAF^$%I_Co!At!At!uomG=*AH`Yd-;CiDd;f+EuXo|3jWvg^@sv74e zW;F4UvAk!-Kl!lbnPD)VBi}u79rvxZ$GtezTI665{IZ(Wi&j zE5dI6US9H54GAXDWWRW=0%C-n! zXE?$?PI~s}euA^RRiE5Sx8=H;nQdNtV;jZ4h|aWwU(@gFS6Ae# zn2ikVV6ppaY*6c&)~G7(K{Om^{#ll(qK-V>F1bucO=MVo9ydYgd74GeFIc z;PShDL#Lm?LGb>5@YJ%_O)FK*6gID6Qk8< zy2;`cc8%Xn=f_A-o2Jj3XtWwiIZH-ksuHtutC&5s^TEJ8NLGG>dto`inXZS`4Ojg zA4z}R^}6NJ2D}36$U*_{IEh`q?#Ck5@vgYK;d+axs@>Ty@oTS%T{s*L=o*S3x(#gb z@wX-Z5^( z#pkD;-q%>I%#QPc*BKNCfxDpH_A3W|e+iUE*X=d|r13%KZw+dj2^Noepd_eitPj76PEAlIR7DQC}v9WyWJ6 z8{M{vCmRCycZZct`?xj@Z_{4~w?!>v*E?9=&p9T}cXuD%-cLst;&Fic9KEEUq-i&e zLr#DyeLk;$N}w3CIsyMWlNcvpC?J<>e_DoEqV|Qe6(G-{2xPdh0wJ@|Q8mQi z2*{fcdPPxCFl>cqL9IGUXHpplJLr}Eh`n)S z&yO#wIh7VKk87;TFsi<&iUko4{~L`a`67_4hm^wyH;y5=0_Xk%E7d`bg`PIW{AZ47 zZHl~_bL0Xjd`Pc;gpBus9)&P#R6R-kb|7_;UH3HktwiZvA&gQ$QYMjD~5<{sdfmc)D< z?l%O-7M7eyXLPlE5&e{8<|>a_QwQ|oL9seBiqeNS^eha3(VXh}A;}3GcUeNe9mUnN zZfj0Sb|Uk2vrMRS>Ab80Rh4nRlv$X<;IgG8$`u|euH>Ndk`xCcOTEKy&k{6`pQZgl zx{b<-^rYY&@P{0zxP;B6E0M6;5#7l9wUQB~Q^kSpK?{CEXqNoeX4YFuGqmXDm2fRd zkm73MYzi7sEUlzv+71+h_U3esIh9kQXu5U3^!kt;oeIi_{jk%9(J0#rl||FtrN0~r zVa+MSx1@8dTJOx!@fTSJT~$~*gN>^H4HFs5P!ccxes7Nx^(^;Zd;dfCL4Gn&xMfiO znRofg-*;Sx2MR~saNwyqjt2Q=0W5^Wvid$|f)+suKI=jhg^Ryi18Y%^qAUxvrG?b0 zmJXl+)o6>EQmNJ!=;MWocMCyWF%79WDUMcr_HgP^j1v4SmEs*?)8A_MWcfH@3EHgI z3~9E^t0RfczdEy%|B8hD3=w+#Gbf-#DGs-kDilMk*rM?DF@jkhAtBB?Q&qGRmm7=x z>(=R$4+B@Q6&ulxjN1vAOB3ysD}?iCIrwV7orv?R#K{y(4G&POy4ZbVtHz{l=nIUlA@1R)~k?6R!_s5#@^b^Q%gA zdRobvxxh41v|I`1!ZHQ!>rHioxq*?e7zN#)|166c( z9&uG=@X|r`#cDZGA1GTY+tE5^B-sk`MBAne4-%tQHOfs?xpze@Ypjt#D$&BF!*dJ; zqT?^0a;RIVT(VIzr%eTo$6_Usfj~R7YzNFl_B#9i>NSZaX_9=fCE_688NxfKu)P}f zQX=-`bZ|?09b|7gJ&AMjO!`4dtdww?4eBV%DMNhs?;^A1*_qK~nUyFX(ezqDG4q|U zyzQ8sY_l?We-hnG4_wx*nq7a`t@Xy9B!8=hh6|~DMZ{M3_TQqV%=BeA4Ob1GntlCC 
z;})*fwhyK}Hu74(hMwt~JOoe3A={Kxs`?ifm)KluoC>EQiY?i`RK9sq7AZ&e@^>(t z#Ds{5Q<%T`sm1@4lK}rFM022Ts z!5jj~jH-_V%6J)=dePX9k66s}_xMar1KjUp#SU6`RXhF2-2x zun!o}djzm{Fno-4Yvgv@HC$}(?8B)DT&DDBbl>ERavqVCwe1_uV9)F%83=+7)TTGG z^eTKn;ZJchJ`Yppwq-9PG%(e!+b_-7AkQ@_o9y=i-evK+dg8;KH=XNf6`<=0%Jhff z!tj%Uz4LYw^~*$qD^^5`H&fKwqZEW7$4D`*AMmYSWs550}{G>dfna(fze5^e%77exscF)3N(t+sx$p z&|hcAH+UmYwW4Zg?J0t|ru#lcrdNsgf(j+Ke&WvexcDfdm_= zCgXVGr_M3^;`IrC$9>Aibx*|Y=FaxZjBe!GG1l{S@D1O2@lLMG9zF5HhhS69b5TnK z=Sqil7IBCLkxj3&<8`8o{O10%o59*+C}4;CaG4O;{@E>B$A4DX^z2FM_fn%{TDwlg z<#hz1;P14y$vVmyz;e4cLAwBe3}IMxs3M%{xfOLj8zx4#?pOH=)*J=)UtUM)T(_C* zXt_UFv}#9p+JrxFa2*D3t@!#Lpv-uJY6OYe1{fkZ!EH_?Ue;(ofHX_%)&8m42Z1e& z0;fv`xigEY`nKEBGQ^<8C4(x^e+HpbAAS9-Z-SuO=ek!Ex}?hYnt!0cUv(jqj1%;J z91$Oxz=tn>oBYLZH5a_xt$^Y4qlKf4rq{#d|?LLm4EH9 zyyiVonkF47q>uW{MTfJ|`iGk3A^)yi+jRbxqTEncXXfFQWH?jJW(mVSfjMMr@DeQG zVh$dzULdKE^Uh}{40{ws54=jpN-L~$DF50Ofl-1#P+hi&idQNA$vs>Cokd8UrlFEm z-Vh`4^aP3cBI&4A`4kJDW`3Ezdi~}seRH1-yhhE}AogJ}HilL=v5Y5l?=W#8BE{g;qcO=TNqQ5tdeM^L}{_EjQFwj$g90ffK#h%^lR zwZAG6JbvmA4kQq$QA;!N;<9S@i)zWrn@D-avGXqfuwPROjH8b<9%Q_M;I z^V@!`j9j4|*D!(B{eq;aPip13Q3vi4NndfIUP6!!*al)~XWY-k-D6TcSr>|$#QR1$ znA`5_{Nr|11seYyJxRq9TD)p0)`ZQ{AHB-{g zz#$c_eG~_iQe@$bsrXBUnCN>FAFxLP4&QwI3S=_e}5WA)G79AF}+Ba zccv&29~qSD%e7L3wHH;dLxE*eirRygn0*psMiuQoI2IE*ccTl*WHYNX^U~#=Qu)l^ z%TFjd>N2Sqmp_;KQxpOj3LaAQq}mu0IE~}syY#$n<&gZVJbe+ZT190`)ne1idrCg_ zG-G|}WRZMl&s6^T%GPXu=$nXJzA9<33h8SHD4rDCKLynM72_2pw}x;fxPX6&06d^O z^>_T6W|TlqZ93m?!yagF1WhFi(-m=ica~XI5WQ2Ffkvo)FT%kPvQWSwIYuFj(5#Nz zl}8E6%QE&pxD|{#y(gnJOlT@yV!yM8lDK3!_YQ`OgF-`S`O;!C#0XQoDD&;Ukjb zEF8p(!kPyyUvRe;$b#Q&__4vjVo8&ydGglKpuy782Zu=p2{#P5O<7z=rj`>Y^UE~$ z&8LlVSNh3&_JQgKJ;iUrOUKMx4lO^SX!3sIc%nO(kVZqN^H?S{s5*c@D$YbkOwQ6{ zC8`Oy&o8Lt>>2y>6;oz!x+N;{7OGg<@CE;3)nxmh@_1#-6oeX844U)>e&Aaf+~%=< zw@ACk2K!1CBQyHLAx#& zkR-wJ4pidxP1bPWzh_MQhH^Qj=RBa_r0#EYE$TxD03y8*aK2>9YIuE+8MmaXE{!R6+2)^|0^x0?Z#kF=or2FivZF?JsEoTC*#sEF}zuPiSYp1zS9(K{C)=KZkN?pCzJTwsh#ESep;QJ_2J_k 
zoJ8J0?;G3aIqegnuijPFbvBPO@B%nRPXyRg{+Ql4OmWMTC4Ag?Y-}3e0W5BmzKplP zTw+98+_iK>S?-yd^}Qau$I@7dEKYy z7>Na{{Z0Y6f*77;4TG(a%ob-hFKe&SI_k;D?=AI@J4D}h)|NlE)h;$2r@I&6D^5U< zvyC1&oPuw6z4YGqI{r&!=6yY*7ZO)J|I7n6oCse$q6oS5U2e}!vaTOjO8P*P^L{Nj zw)+OWt8ar{*TCtsaQlyNJz(>I;{itA`f0QtanEfM|F+Mi@JY(vK7{?+k^g(k`+qT1 zJJ}#n-w4ny>m4Y|^1lU!bbq;zNR%?h0U%k^+4$!TMcw1m1xV6B8+5X9`sLg%0Ppwy zz6SN2w;uGW;2%G;YF=U+{kgAr6>Vs^%6eWp9ty;nI&4BVE%S`6c$C7mO575er(qZA zqtg`r9+hQQTT0Tt?${{bc*OY=s$vb2_7_r?tBrI}Iie9$Gs~Ui6emES|L0zNUZYU6 z&O|dG9s%i*{Dh+Hg8Tw_`AAZ38bUNJD$4F3%V8zDC;Jvw#W(c(MV2uC*VaAcV? z_tV2D>y!(laqlT&CQY5Gf8$2D5uqGV5ZpA1R^2S}xZa6Nq>0Bo&7j{YVJZ9e}Gb zHQr>dpbNs02d8AQDhT7LOtwrfu3qmJEN`LT8HXVBdoQEHMQT|ifS??f#&y?P4maL# zvuv)?K!8?fPlQ)iq|oOK5-H7HZod0e*z2O1Kl@gRBb|!nEKQ1w9L09Ifm^X|Jc{&V zkX@TOIdt@oOuC->81|lb8TE0L{X!^GM}|TbMGr)J$sfBGsxT$1dctIpLpq*Aa$Wn! z^2j1KVAXp-E8_5-6Y4FAkmE&B) zTDs5gLLEs4+#Aveaf=clt5PxASBI=uoE&DYlC^9v!*TnRp^|miYgGUY`yFy-;GCHd zc&=g!BJ?3s9!%oldl6RoqzZcv4>(sMbH$gfYlP65^r$o_Ow5st9BvCm5xEx~PNWe$ zdy074xSFvz9FM&2;&A7$VsgUZX?dDnMd?U9;_^e#k`!3qD%>gAQz20&t)xV#*(uMA zm&YIE!zE1#3uvY8#1^A^E%N{TiLo4}Wt$KUw}u%u1rtu9+7t5yLz<{AEmA_;>tcJ*Q{e^C6yhU>LC9Ggfyq@oID00)a~BJoSm)H}gyX0x=$7bZ2Mq;&s#Zz0ma=ae z!m>-mh@|4UIjYL1CKDar9nCj0x>9spf1@Y25)N8Qy$G?0#cUBgWnm#a8?+Mpb?H7j zIYK~*W#iNoRHPq)>xQQMr}GSR!~Jlt9adFyGCDsMGr}nn7X_|?$H+>h@;NkUXDFHu zu-4E1}L$NP0)D<*;4V+FfnZpy$oABxnPG^gIHx>myA{Tbax+{r(GQdVQ$FLY znS$cKpw^J}B49`CqYz|E+E@SIBo`Jl@CSOCYwdZ~hOJCRcf-~TA@#0M5dfLyU1!?>BO4)+Iad`Nw<7Kl+`)bkg zDvBuJ@{61~pS{oDJJdcjmCc9qy`F;E5WAhZ=Y6_n$>aeCrv}!r37U4gR=Rt(--&D5 zzIV(uetJHPKLI>8T-4V9`B4hoj;)D+VP22P4(Ep{_ul*L7>&O-UB(L*sk)a5gvM>l%W(ppj~^cn089UA_~RpoWzKG=r##!+NayF=!6BEZE%)D!i*I|?Y6*J8 zR6x9A2RwUro2@G1osUW<-~NlkE1AB4e>xKH8}!j2%O`#g&6o|`fTuBuya3;%r04Cs zDI~!k13uFupTTcxX{#r%8jKrAz3ZDdEqWYhr2?PRZ#7Z1I$qaPE=0USv5#36;S&Ci zu8#vZgBS)k*~=SOi(9#V>U<9kM?@E9_&+^@Fw*oY+%I1&J)a%&wl4GgCPt=<(A+Fe z67(!$^syLs9`$TC+Ts#W@EzK&0TOk;hZd&|TmDlw&-XRyzv&S0or5e0p zIJ)*+hPSxv-r4O2q#0aHuWekph1L%=tr!4CkFV0UZohQTnf#CQX~Xy`3hV*h$1^L> 
z96lqqNAjqg{LeN|pqYITX*&p?83WW8@yz(DKxWc`arX}%m2v(nUs)e1wFRBr=6a6ELAO?IfkOddihXv7ArtzllivgQodEo8CFHsbKDjTIF9_}_F|4{O2gcK?-+cE!g z5ty7cuVXBTG|3Qmy2LDra-zDH9j@AraGAOE3r>ti^Gla|3EWLjiAR_q;Stmw{a z^`euZ6jS{J%gXX0d*X==8T}t(!oWJ+WM_@3Jxgkp_sA}xsbXd3w=yZ|FosqB(xS#f z1(^PLrVV}uGEeUMb$S}Z%xrh^p+S$}i`4Uh5}!Ez7EwprzL=C__a{*XP+KYwrKVA`sB?NJuIP97Nz5+-WKO zw4!8jNQN}!^#sdE3^3~@z^2|xr}Aq-|G5Jsv?Bo0%HKN%y~TA4Jq5_7G{Y-bmL&;M zlpTXZEJruw7QhuBs2BP#;+ubHH7S=IqN&!Xloptt)A!^r`4&!4c$F6`A4xN7-DJ>x zYq0-11UX!a&o1>)!MCxYZa30M(NsTNl1b2uf8({@sKRa)#q`6Y5HO<3+LxN%{` zZ&AK|Gyf!^GW*JkO9J64d9OUk7{+6nI9PF$3@P&Jt+g%U2}l}gN}vb%G;HGsIVw?k zAQ5d%tF5G|3X*|#U%Clbk6sY@ILH;mX)z0SL7QU8W68)Y&IYaq^MrRCd zbZnX2ZyaS;!b?N3B!Sxl9k(QmM@JcM+nQw#hdNAzyloYkksiHv_2^SgBihrqNF(DL0o?r zlRRh84K~JCR>Ka> z-3Rv83)%5ij-GP>`dgCYnswZb|0}d0x7}bF(0eaQF!{QY(EVQ(jNkoV8VApSj?=fe z(JTm>@=Dj?WL`kyzb6e_;CAOnPxrQw4d89}idcK{T~ZUm@A;056L{@l&%c*~ zkmhUjcC!toxTEBq1|(UxcbsO_-vKRqOoP@UWgPq$Dm(%nv%dPrZqt0rI8(jP@!=LZ zxS=OU3R)9ZIXaZ`+D~ze9i!LI2OCO9E%?iK$2kp}$JItiJ2$5u#akZfAI10JEFUcA ze-U0f?@_S*PX6Lwx0^-e2`2EJT>bQC_UP!j)}wg3r+*>t92LJH=ry&bXuv75v3;p3 zV)R{DAmTlG?&l8Y&jl^8VwY(MNcA2KX9@V8MC2d`0OR_eH1LUDZZ{L2z8JCHg?;NX ze-$DFpV`MsF+?6Z(Nv&LjrY>MOrP_5VAl2fHq_j7)A+fH1QvQ3pEX0vhKvS0_Hf4! z-w*al@vfUjQ$DJXy}+ue&{#psWts@yoeuYsuDJJ&H^DVP+4{kJCF4TE6Pz(&i+2`| z`;4w#uwy9qzLbPt*-KR25=bx#6txR#Mdq8M3sk&$`1-YLpT=%2EE4pQ2ng zsa!}SZGUL(Wj5J4>2p!a?AJz^^!18|8bbk*F#rpk*OH!oVGLQ3tCfTwc z;p~@gV!F}4G3abSY*jdunVSR0?3Zom6%1QBD6M5VOj!3T3v11J>$~S=ilf+twzw&4q9$ zsvE8dSGdZ#Gj~SVWThIZlLT1e#W(4Z0)RGTf3zmpo`04hf;Q3wxKZuA78hvG4EqPX z69JQ~fOsh<2L=ht=GmYo?+!c^$IidzFg3y|YSC=7kJxE5Blx=cB`4Y>VM3B}*n~J? 
zB@XT}$;w(4z1AISZ0%Uu2WD_ycCSPlA<>vj%y?&EH11l}!b|gQGHgP$4*hSly_JnL z!;D(|+>(^ZXE~fSRp6&3(&~D(ix+OVW~0UugE~-b2r*elW51ydYiO`wM1M?xO;W4H zRGx}e6(8+GUWrQ;*x?szfdZ(+=s;g|jV#{X$!G~M& zGuTL=88MGiMvi0jsY~v*&kNKR_D8jTZZdPPZ7txtY5Q9jh)xnfEPS$$rbGm{hPInF zl)dPz!cDqFd*~`D5ARl)Q?ZQG%N?uzqmX_4l0-@7NGy#=#JLkERFoeFpAa^JN)tVu zy3_PvU{Y`Z4qCBn~bFmaAj@|>WRrApEXiQ^PU2F5Ep=n}-F%2#!4Qk{+dwxB5pS9|1k9IgD z$4(4hP25p_-HT_4lDwvL>%17gp#7g@!_oIVS{6D}vJ;aQWx|f}jM^kB)KJPzOW3z8 zyT42LkYgY;T)s%z(L|~G9T{suI0uyixpkub zsweH`H%Xl(vj!6KL8+>Wc2R?y!+*A_$7tL-(*@?4NyZA!k&;lh>R}?01Z_DJ?N{El zzi{glVH8`l8KZS;{tr>-{2q7MZT&cD+=fk~rm<}_w(Z8YIZ`=zRAM}GW{EBvNxcU=@Sd-t;xIH>IXqxFtbxX0t zKaqCd5ILg4xC+Be6pjBS3vs8{2;w!r!@BdTB=}18vP_B@Kioy~`Z+cB5?kSUvX(ZY z==ba7U8cOj{?4#h4DS`G@%!pJBUhA=+D{#~Zj=x(gQAjG#`Be{gy{+yd-Bih|4DOQ zFTxu*0|1f+_kP(!`UD$(Vyk|kYyd{BdVndM_fFtd+vDXF-&Ak_c;Z#;6=vuUW=^yz zCY16G_RQN38vlO6wNEQJ7wixCgDJSna5J5~{j#f!>o0usuucb(-skeTKFD-f)dI=8 zZ6fjkru`{&!58V()khUBwl^^{#; zG_-Exhd5QWz+{}J1DbT&rU^X2h)n+Lpp#wfwycSqy1vi2V1AB%=gSeAP2>LS5qmY! 
zuF7=hew>U&N-GH3jscoCQ+GGJlJL2i_xUCJEHlOZa55zZv@Sd>;HhC->b1o~={A;m z$dI$KO(MYU878aNV|FcF0e9)PIZWEsH_cUA?!ah2M=y}z@n^t{%) z*7yEIMAF|1n$;)7a2;JNqrP$vIrUOU0G*W9iicRr-y7bJTAwRw`>BX>yH}o5nma^v zHs42W)-QDV^BO1Tb57iEYrBE39FHtle4m4L7U1YJY3Q4*47xY?C(6S<+o6@zpoYZT#9#4ACX0qhEZ>P`!zAA_S?0G&+ynNViz+UhcJ zKYhHDie!cyfe{YY>NoP*hY#4+veY|)oRm`iU4fkk1cijfxe@0ru6RRFl3Ef!4mUO)@z-T4J?Y{uDHe9{I&xv zL8z*TGZrVbTz51JZRHezgjh6$1lmxLPy0$;W?2fSG@*>D z(po~H63efN+b35|1Y(v(7Hu}5C?q_LDJD!7z{`jE{<#buM8*}lUyd&ezEY1o#gIKN z7JU@RhR&A1)oJJzW-&loRMve*dlkyAYP#`k#6ph zde_f8S)xd>DpysRIbm5$vpzmv{PB%=*FO~7v@&w}=9Taadl;I}7!EEr4vDLABvnQ1 zRMRuBm@L;M599xXQAWZm1An2Yq+PK&xq;7B6gmpVgKFc}Ae;nw|g@Gk-1!!UU79@T2EC~n--Bai_3o9*&`uy-E9!_l^YC^uGg zF-M{p4!^edhcjxroCPZnz~L@O9XWN@j0SFgSk`aUJTtn^pH58cmpD_&^1~c@3Ta{Z zX2q!^!Xj0Nq~kXfrGXji#f1E@Nt}>Yx}we7Cuk+?!MFQ z---Dm{PSjFa8Xn%<*IBNNv$$UoDoVrD~SsDw)V3E!iYqPSGU$DkLXL9uiQ1q%tY=d zmg*A{Bg-Ji@bwGdNVf6!N5>TCq^tD@#@GLzbW)FJ8&k2-ID(fL$C60rCc=SMl=$>df?Ye z?c6?MfQ(K9AXL|qJhih(`{mF*4-Ss1uc5U|&_mLnDBQOK{gA$yig%b;xT+vWDx!_F z1ed+8>JX9BE}G1kqR1xZ*M_}e$|;doCv1MzqW1{>$M$H8ukpPl#YJQ@nTj(7chMge zgS(|DTqR#SL$6$Jrm$A9K8}#JM~y8LmmTf6_!pY&7*7lPnpCgE6w9TWgh~+PCov`e-^MR0S&45eFlT=Dac)3IfP&?L z-w2IaoUOn}G{`RXZ@=PSU^rt2l}{VyNNYH45ye&CtgMMAU`7}9j|h1tKXV%XY=cBU zGW7Y$!xyndYpOCiqK6z9x1>{U)>suSPyXFC#7z#5{Ii85!7y8{urC&C$uTmRG$F0n z8LXC#=x1N6@Qa44nALo$wn5?Ho(>p@CM9@E zRi+fr9~Nzg-q)&SzVO8nzCf3scjTeT%F4`{hT#>TWu7@#CpuG`` z9Xqs3!?+3(Dx{TEjateQ-pVns<*olNO^z{-s4zY&W#w0Tl!|1;pja5QXt@*-?PRxI zbKpvF;qh6M_opM_Nfcp)S2EnfU)F{p7MzrvRG>tTi^GnentYjxyq@^4e4tt1t54%p zeh__;s*D5Mk=T+yf}>-_UxCIPUrmz!zYZ z$2w?v&zBCQi5#DYSFk%A9_Mw}0&4YwZ}<2) z_xpe>8Yahb@>U~vyWQ5!Q1CIn?iiS-rbcHmkGOKL=Bv`TJhyxtj(d zm&5w7x`)r<`ZDiDi#X_I)((~HP2#R(6IADI>hRKs60nOnB5Btq-3Vx2dlc{mMRU-1 zz3*FX^ZSw=2CFu&7tf`;3{>O*ACku9woM+N=Xtihs2=YE%X98QW6N~(28S5nDL+TQ)8|ebZS7%`48U*om_?{p0^C;Px9E6^UeCT+FOKNua<{+npWxQs zuCWD(gNDqmJeJzevm%c4y1ky>r>)tp<97aH)$?4@n&z|}M{i!~cy;ztqt*AMoAKS= zl9#6insD%YUn;A$gKvK<>+DytsHHzYWC(QB)IW=6x~dBZVi6| 
zOyx85323f~cKziqUUv}X!FN6T^13#!muMj4!gVyB%DPtvG@wOgP9@jzjFB(fNC9}G zs99sn>x#p!FxzXF!Txk(vD`|(YNFj`>#3RU+4i{vql(bS?a8oM$G2BH;o8+S%W>C@ zXu{gHull-sZ|Kr)_3=M@cMULnW*GSM*+=~jFh;6h)aCLBP#CQ*(vL7=q8HR>0mH)# zFl>S^*HghPIpyez`^R=t4S!w*zDYAkfaG~Hf}9uN9wCIjE%cm1b?nkuR1odS*4vGx z)nrq6Pn*l`1PyZ*CTl4xvUt5(j`rm>qy&u&^o6U zdJrA3dZ5WiR!_b0M*mK_8&8NTOz%&QpL6-buNcB}N||7tyqiY?S*QmeZ#nr*ZfJw04|Uy@;@yvZ-Yv9xIB(mGsP!ka25lh}xV0y51LJwa?c7M4a= zCb@jJWN8oYmk;J*Ak(%(sw<%+w^%m}TIiWGwnp5KE<+TkuFW`QIx<+~36UrZBj(K% zM^9QD#Z={hc+}&0vN9x>U)|O`b%e_(`LC*26m7f{r~;Nc zaensS7uKN~80H#e@UOucXgpaYn+F$`i3FH}vQQLk7*262g`sfs8j1=t|I$^pNf_-} zm(zoMoO=#JlDDndsqsgOq~HR-s#YJz32N483sT@%362Cdvd+)a03EGed?L;{zCqwg zoA6_>S?;&kQV53+YpK`gGCbm(=UZZ!Da*x#jE(IAwY z*Obl%us*n>UXHL<{r!k2PQL)M(^mo)8=yA+d&knY23>2Bf3Sk#K~INZ+8O(MH)yR` z;P#8>*VDoR#YszOXGJO0a&qk#fs0M}g#+VNM&AMq^)}*wIhY`bQL5X^pl20URxT}=vW+Ie&dN8yX0Rl%ERkEdwLs@KybP_h2 z7jx!gc#_T!^rFy=yG_fPgigo)KSNz*BXKsR|9(c=ct*T708lGvo#YWrg(6AJaYBYd8l{5Iez^KKxvE8RyVoVz zkhN~A%$6gvMXSqB?c`|zPs)6~AXE&NVL-7xOA#8PtW|RiUKaSz^7A6bq!@i#Ys{eEU-1YYQE{`Z~o+_nC*@X@Y{D=T6=)-`2D%HOt z@8h;{f}AFj*FmpWu+mp;b4J^|+Rmr~*A#_ph0rO~`W*vB0$azS0=_j3R(ekvz$H_; z&ivaRpZ6du#dqq-=4vnRv=D&)TyVx;hNfwKDKA%_hqM$u;HmDRQ{iJ9k6l-CF!Q(> znt1Z&pI*y{ybxW^>$AruR^JBDH9OQ2zx<}4$EENc=2_w+p*MW{{m`|H@;h$}xcu2> z74V^8|5vt2gHF$@v0C5J;Ov<1ez$nM73h8?z3I)uzUW%d>3Y^V z{ZMV-v%B2#eyirN7HIzR-hM4-yWtG7SbWabv;@~T^BOxjW(nv!kA4?3dp>6f;5bC1 z>SXQ)AI10Mq^>dOZ=9rNpwd7*S8>r>i};)ms@w7#v@Pv@UIjjXfD(P&Hcad;>ufCH zeeLSCw-@ET-?J8OGoW5j-if--n-1T%E^Th!cYTVh?kb0gHcvs-TaGj2Xj>dBphh$O z3I3O!vgXY0byOOD?}*;Y?l)e2J+u0D`mNm_7x@m;ttR+Q4h_TJ6Mq7REnx1lzJ<-p z3*Rw*&Fp!5hyCR>|Hn8NPxfQ62gkMRaogd*?SlCT3PAFX?sn+8-+3IAK%;FrMy);mxLNn(Vc@wQ znCx=c+Pz7CjJR@dBj$Zx`?|+goLSpnhSUfG6M_Zw!Ge?z7$BBoaL(k5{6{g`nZifm zJ&{litIC*VJy45G(;fWU{J71n&kz1S(X?PnOAc-Qc= zbckhyZLlgk!HK9rBjeAZQlTzlG(}!NH|8xBF1TafoQ{7*HI{hFm6+`Mkv&bZD)WUs zh%(#My{E?pp9F;@FTB4ZwLu$eqx#Xxf~!)k5l(<|?&nwajs{iN3EL>imb(UxYhk4? 
zIf<6g94H6cZMK48|I8;RU`QLk3`V9-a4ycx3AcSiNHDZP57tshZcLmnP!bjVYfoj@ zLr06N;D}@{l!R={Nt!{`f0COe(++fGzdA=`9&6NgKtEf8V31)>r;W5(E#u(&!jM9Z z#U?tzo(zqg8tw5<`1_yQMAezdyrH2MEyIc~;*;+UTZHnQD>is0{LmCCZvP@UVLX*1 zQTZy>NGNNNSC+(G@x6-tWqaMl{vfj&Op0z{~g@wvk0{P`J+Up?Do9vsx9P?(%2 zSh?yC-h7h2iu*3pSwfJj?EDO5YjfFT?X!IL5u9@?@C;@ehAQ)w z3O@ua-|lRGz`x(UPLuH2f_4QWl)zEvx8J`?E%Wff{>H)~rMToITMt*4S%hbUd!p2= z!$SHJm@F%+g<*xvLb|FxznB}8x{|AQ9VfQ(IHr>Z5guI{mPbC`+WQ-QCvVoYv?~9u zgL_BGe87xM-x}LfkO>)%@^GywyRs>?rUJ`x0>+UyH~mb+g8zK7D}mb}&_N-8&s5t| zzRg+ns}t=wtF)40RXVUkX>f>yF74FU!F3t7cs;8LpLm)ks&1Yd2c<#%`yshXC9(SV zc7A{O4t2RdbEdm95+PJ`u4dZocJWa~wdckL_*JhylxPabT8Q5!L(e))*~{=2VpF|G z=XJNjuy91@RO_PWVdfvsT1RP-DO{YJR(PNWN`B=O-TCn?Mz*DvCf&xogAo?2xdGwe zf)Jv2w2T5CdX~2WurXUz0f%R&THyCnW~QYdN%B$Cr!q`%BQ?W=dXq;#`gKr$(3JkB zm&gA~SSyKZzfYSi`{$5oF)@A&oI3Wr}_?cTLn|F^^NX z8ro_^&N*TcM&GI^;c5L*x?vXO{gGQa)uMmiBU0Ie5wwyCyz$F_h#jfDqm>ZU5PpKb z1G`6a4s$qpv;0@?^*I!f#k*rcf&b&k*q@HtyX;k^)Ma`v`7}0P>El~dx};P139P%WSl_dLolAJF zS8teFHR+a4@v#O@?Owi`VLKxES`pn06rBV!biUt(|Jc~(F<;#}7XX}9lGW?~y#m@- zCP<}hca9TmCOse}MA0`2@Je`C-p><4Jss{IPV1O#D}(GkZ{c?mX!HQ&A=T~ICr=^j zD@Yr1hkh=Ed?YQl#Yy0oG1HjrnvXlHO|P|4fRwMsw5`vloijM3`b@))m%CXvF57hy z0CEfD_H9ey&?UT9An6wj}_@h|#8r^1X2m&RHqPWEi>A!?bPfK zJYQGigCcAg-u9!KA5ptK!CqScO!BCIakTxs{(8hq}o8 ztl5#!Mg%W-S;_LDU$$xsok&jYbpwsVdiv(U?Qe*x&W~8YtThR zX$22N5RC`ayOyVKY5qe=) z#M`sX2zs#QW?6q|>F8;WWMxXCm7&*o8=xKg>kVmuXCM{C>099fZ^DW<_>X6%!T+;v zv9QD>uj1l|D(o2)vr0u1H)Xu6d>AB@Y^62-?fu~v3{|}7eB`2FHE$2**tfVjiPGm_ zSnS}+revB~)Va!L2wto-g(5cPJuc24`~BcA)c93E+3`Z2sej{b)kmx z(4ka(q*1oa&)k?e{J$}x#V9xf{J#wYvaZ+vezEfNRI-Fs;?CJ4V@4&TZTMc57u}B4 zNBsf=Me}GFQ~zkl?BaA)kTptO$)D?ypKQ7Qh&aDDir}guJ&sDFl1hcWB37SclSas! 
zAu!208Ug#cBIEo)!G>-VQXjEBL-89IMf%sO%AG@^oTx^@kMAXdP7w*T6X@RLDM!>}~&d5kuv^5 z_sWbwI_mT#E7Z}J%FL89R38b6ROa|e>mevC3&NH)tMwKOS@p0!WLE!X)G`sO_{FA0TCk5b$~MtQBAP=a2S_3!ljwX4 z3NmNPcb>pm58fpF!}|pz`PytZFP~#0@8_8&S2-33E)Hg0`c`_{toaG11vUV zI{k!#wGLC|=>0%_Y3Sky({C3`JX6)3Jok6}Da3@G4M)L{K(b)sQwTuDi}93$N{}fX zaqFQaJ6esjgMCW;^G=|9eW%>AHegk1pc>Mv!ohQ)5X*H2<&8tDVrqAAS3>zJ{7-RA z;?lNPDg#$!K@z}zm@B31AFNC=$y%xB07V@bl)^HATSiGohLro%Qr0+Ew9QxxVc0vx zS%DlGMkMqT3g^}wcOt;Y<-)k7PK8z;)|nMgx}IW=*1KLwb_9Zs@)UcW4sBS{IW-4W zhXLEn!H`n8)!@q#uB4xqJwXbyhd6TsvsQ9QYS1}!jI$AoY;Dg4RcKL=|B}c*#BT?s zBw}FE=HGajzqHX{e70%c4~pYW zms3;*&iu71_)X`ShSy2JD_obO9 z`KBDry#vn0*DGJnYLn_mjheJL?g#Rui`~|DTA__^3+Me&w!RPJWVTIly$S=BWAfT# zI@<;&)x}as^#SDFvykgL_NR34{H>fI({{X?>_WutaeTj|11IogHasox@ZF_bRh`eV?d{JN_Vnd**5h*5 zeo?g{n(djM$kyV@Q}j?6jnww*YIF2Dtb44lS@}MoZYQkqMSM&9mF7Y;WD}Icaouj# z@j=wgPrG_}RDJPrXY)72*Jo|XY|9y#B;E~vle}LNP?3z@y2+ZKUNHjynC97U((eqf zyzepC$J(OLuf769O~M>0`=kG_59gw zSI;6VQ~0hM|7w8&G2oo~&u|Ah*sKb?ZpQrSy@DD03gEg|c`|G)maiBFPZ8QdA2|nr z2=JeP!QFZ*e=z*xc97^OcvON;I9rN(<+s!oV@NH8MFSq8wh&UK#Uu*F_atK=3HL?P zP%w!rOaaz+E{Z`EZO*OOqQ%-jxPzt{(;Uh^9qKZ|5Hg2>UoQN`P#CnKI3f)x`ege^ zTjTiC935esB1D)?J&#D$6081j^!6sNB@OeJ++PkMZ{a-B8I~x%Q04o!JHw zqz?Kxl=QEv!~2gF$trh>6Ye$Uc)Xf8T$)yzP3zKQeo7f95{A)Y`PtNCzR5MsHyWChXt5B(OlmPDbdZQUBzl%^m>}ddVsO)pcs#kcCQ2Y^s z3xb0>{*K7TEM21^LLKcWI4 zeJrj<-`Fv853SSRNGtuIvFtB$F&dW=)`OPx1dCDkiX9`>00*RGKeMj}43fR%&ci6< zh;*4c{kcmw#=Q;3cXlh}g?}=X_9i}?*1gMTdG=88CI~sz|2}Rq8Hu!qqPhc{Zw^F7;!?_QM&nNAVC1BEi+~h3;!(#L3tz z0|fz1uR1A}fpq!eZi{T)>yF|G}Xs zMgOhCs_YUHWaXD6^hN1oWo)>$;|nvUhJ;8sZF?qb`?r1k`6$c^Qmrl-wSR`Nvwv#8 zNBY%eU?!BEJ07lxwHdZP#8oeJFu{1qiBh5Gk~+_;rA#dU%e+MB6&Wa1)Kro_RV%XN zRQ)YlhpjyiGZjaWHbvg_4^>M|%_^f}o={%Pxy<5teNoe#s&O_z`d?!BAB?$_ViF7S zM#!FG%UAy8-Jc>aD*%|E$G%!1w5M7y!s>&29*`o#+f$QcXPZmj_d>O;iE)G(kEVId zplIr-Tr`4VugL0vmOwlAtdR2d&ez94OGYkZLJ5VOF;6G19r`QL zozxiMWRi2JFWE$U9HpB5M?li>;kz$5bAX!G`|fE&?>>N>&ba>W$n-YA6ig_i})Tl1KJtpqr~N zI6SGU=Gk*oO2DV&mxg*Z`^Rh}19B34jQd)r`F-y*hku_5M+*q&#c^Z#>0@bqzcX2$ 
zAjj*9`q0Jo@VcULIr^B}ERvnyc#=#__hxIA;gg81yscj~c+DvP5qI}i-SJ|?-!WcxjZNAK=xC**M~~` z$6>#!J3gv=^X7u0AaOu8--bJ>0`Esp!L^&@ADKgjKr)H87_i))uNEbhC4ExOJbtO((m4gAWW!5 zZPsQ0HvO+!y2;mHst*>QWplMMeJo_-%381J;^%ba>N1MfOUn+c)=O{ht!fT@1ZE1Y zJ##a-Ff$7BXDyocUJHqYGd2z@%$&1zIvDe_4oKHWKU%}*i4T_ST?09%8A(F16WD{8 z^0AT2f77X&KZucil}0%~R8g>2p2W+kACoFadz9vrE?9NfBCr2r5ZMbe`Yo5$0wvag ze8eIvb01m@jsRw*0kZ`z72#J!1WLGZ?ea51Nw~VM^PCl0Q53bj{5}a?*eW3l<5(y% zN0wsl+9R_v!*9o0$rfehx(v@rps`gZG#6BtVx-SK8KIpe zUjJ>O7mf7!|EB1Kni-NI$=*r(nuKS@nwJ(q;0rZ|T1*zjtu2m3zx@4-cnuC-Rv0ABb_Oa55jd6 zq%1aW&!L8MoR=Qg%u{LV6oiQi_C=Nd_{o_K!|(UzxnicuFgVYb%=l&#U_z|IFvWhX zxI|8?Q<=xDdf%`3!$mC9=E>1^x}X?O_>O=F2|6#7e9BKIGBfLz_~&tPDO}24@v9W8 zOVXDW+J(Dc<4UuJ5{M`XIi@gDbILY^3{8EdN)R(@#eL!%5J%L(-xF7#QY(u3EV|e& zzC>$$PdBBCK&Q;kalON!h^)+BC>!M4&UKzUA(thFJrbA!fNzAVfEFNVz=Z(O zWYpj19P74~2w6^`Vg?Z-u$f(eh{0(`|FU@I8s%T!YUCRk2ZxJEA>+;cC~Kyp0%@zI z2UJmImu5-yqAQ#KFQO3?xT>Ga;f-wtGUl2zE=T?~X@eUm2V4Wb74exEdp%&M|XG#pSzwAEhNre2R4d?oqdFG6nGgV@sr7mTd z9^=)irH)|~O+oJL^2Z3m%+j3!GY|Rj>**S;3=8{Z%sgxfZ&{QipY%|G6uL}4lYfW; zfu&@c-q*^80=3P`@@ORJiiF;`d8#W|=6Le`oQT{z$^5 zndD_VFkcnRpIYWePUad5(B)LIXVwsabc(v&I6+HHIt##^qfoV|%#X)9Q2n zPr!TrhMc#b%L4DKkL!BeoQE8n_G=sP>pNQbKh9tyQc3zCFgo}^fC?7`^)h|&BOg-~ zgS12Aahrb4DaOUM6`|4ZnzwF1%dOJs6Qs4}rF}Nqy@8R<3MiHJ;+WK)_kPY!ID9gI z|66?BQV+^lk6wQ+iAd3^A@ttU4c_fe(?k{uDsJD`aF4rHuc!VlnvMY^<+$KLq-?aa}U5ww`pgFSXo9D#ze| zT%D#A#n3UvAkcF%gj5<-1CBcMpWJ-iMsox>Y5*Q{Qhy&~ye*0!J+-@Djys<^&Eb#3 z@`E!f;P^BrcbhMwsvhbE8?KbZD;;JMuCqgj8W;Px3A=gAL zXJ}iSz`!@)xj^GSWY6JED}%`OzVwC5aNMq>^kw7Z&r!H#K3qC+z1MtTj*nG;;J$LV zjWw_r8(x=`AXv|S3JDa~y#4xyw?GH*kJh1T1#&PDc})A5T{!f4ZDT%neb%bI6J@%+ zXg6PJZ5v#MA>Zk67#auOj<4NUJZQFVIvq}fncT58C6EWT>m$I|Y7{41zvL18`~v2BM|-q8>z+IWdz0@A+!7g_QLLoUgUzVD z7a|3j9GFUFv9|#Ht6;MxVdE}uP`|7h5zE(lC~B>>e{b?OiXZS_dOfqz$eF&)WUCq} zK`@_2X;P&Op4pFCsGqm+2r0KZw@yL{( zhjNo}4fdpeTb=p$7p0>Vi}}vxm7$_o3aFpq#Wt*wEh5!OswtYS?8^|3`G%7F3<)k8 zXBFztA+iw?20uSplpd)n$+Sf3FVG<|cd)b@wAte<(;MGn?S9%omOJ>zCAFDQr4I&R 
zr#$}_M@!XHuk{=GHqbKarn+1{4xLF_;Xld&UBG@NMMf2evN*YFQ5u5GG;J|vj-8=< zg=qOVl4?-13Sot5p=1^DOsqxbUlzagA8saw>Ty= z8);5ReH5cLMk}a>K)_b*^!LdUTvC9HmL4s;a}f3l6!WaMZ>;f%XCkYXu6MwZr4-qS z!Qdx}CCgHNMhtfcIT2Eknz|DT!{u^TAx;E6GC-|rM)1~B7@o~WVgAmDmZQ<^-7XSo z)=^BJThNnP3{x4h#DWFkaMYYsc05fZAS_RZBX{ldQ~5R@ormf}Ih4+oL@47vr~5r7 zKDyf*R4);e0eG4I3=#SBYX9;fs9b>LZ&DVc$qzQPKs+T!o1GUbWR=x2;$9zA64Q(x zk0hyWiNj)6<_yltV+&AHXw*&oP%K81$yEuzHnOQ(Z}K89`rXO=bvH=c#Gbvvb8JQC zOE__i7T17Ov*9nJ=Qie$Xw#oRx3dONa#f;{_^Nhy)QaX77rOk)HI+)9a06xFwjmKjKo6Se8$4#bniVEkm!T`e)Cu_M&R4O0k0O1+h;`YF@{Wi zLZ4|=5@0#_L!OUwM<1z=PKvL^(=;8vhn^z#NMxu)i}76?cZ@`&J}>BtrbF(RYndAB z)oSdQRcnfdy&7rd63aURJ;J<7b8dDB5`Ek?U8Dztx*paz#dX@RI+|rojDnet$|hQ+ zOE*nOsD_rgo{P@wXLm9yJ!aAcyykO|#2kg5v$v8C3sHMov$^YS;p|RI6hCJsSgC7O zv*erx)!d+1^dy-S1ym(s!-FkL>&!+?AP$6O0ueL0aR020n4U>&&X?M*IOnO%(!P5a zO7G{H9qz~RWdp6}rI4SQ>7q%Ioig`ia`#Y})`IK_q6KC879izbLJyOEbs%HkD!KG5 z+$yn{-F~()r$11tMbK5qv4xw|1+#9~DU{{M-MXVj9MzcrS55%SznL;W zgx;n%UboGd`A-EVd7`_|k#+AsB1ak42~SauP4#&dE_rQ@qPAzk26eg0$|dpA{0I^R#ll zy3O?2teX2FR69c6`T%pKUT*tvt~x%3J%-Qr`CVPtevFVJw0Y}w>Dwg+Aw(-3;UzA| zrhPxd`VWVwz|StH<0KO+24xPtw|k_S%MtOb*2~uY{2bhmn9qXmhrl~}5WHLU?Pk9G zUA1oO8!aX9&d@@W$!mhI{Q7>x?v#Lo-=g~IS$&MZYa*;?|0Krt1JMm67Xmok)OHil z=-zoY6KEb%z2tFqKi|Ts9+c<&2gXbT+uaQPd=w`1x;?i2bo>Wuis0W0v@V8TrB>&z&FlDV_Gu)y37YgmurGp50bamG?9XNQ9h+ zA@X`2OFN_5F&bR&FRR5Mg-+89v*^%iT)ys)`Ha63oF+`_udP{w|yAO5WeVS*-2WldH~VNxc2O zld}A1z+?P6QD^kqxY{!P^Z349R}<(CzMS`^XZ~$`gyG8b{(!C1sfK`k(-~+*$a&sJ zgygmT-U)5j4P43@Iwub4uH(47uo*oc?&P$)cI&{J)(QFSzW&wJZFY{sE*z~#<@O5O z`rfR20unelz7lw$IPacZ1bxyYKkE*q>;p&RW z=1oG#CJ~Ar(P}F>g9kfGD@TmCHx?c1;$x8x>&Z?A8|X)>spW`EzcWODPJxoIaUpmq z$(d=BPDTb!--ElEds5i}ZUQx(WfK zZOV61R7I70*DYpY_>cY7440>X7jKVzsd<$&T_nf(XM1msn8rFOx9xAx-1P zP+MdtE#_oWbC$V?1wvY?@ZfVdA|6uFtxF=4*uxu3^g+ZbSqy}J(VqzD58jDX`O4bH z^sU6(YU8|gV+2bHb?vGMqm0_LpQ_(KU#csu9;tBvZ-I+=N7+(tqF+tjZa!ZQq91bh=nEZ7p?8WZ9>^Mc3uc|5Y543$;wNP+I|~;?_QJzPP{nG}RBSBNNCmM= zmn}j#S*mFBSy~~Cm1>-`@F0tp9LryeWoHeJ96ZxhwTL_avJ{E>*nZMUm3hT;MBLys 
z^H7Fp@Bvs2jPg;8P9r}i=5^(MGkzfuao6%10;ZJ$6VX$KA(Y4JX2ON)F#N*FGsrtS z(2cwoVZZ*tYZbzqDJeOr$6QE)Zu}BgyfFJuS#;8pD#YYML-x*jB^t6^P?at|6*iCF zdS4{)>qpN3odN+9Xy#}ws4NA8IgE!yv~4eRDjBzATAgVDh0#T03`#5Q8%)ita5(69 zD)W~$`{GnCYRm)vdFDXO!IU&!+T`)qE~PTFH&XrNzm!U+mT|*Bvmg&@dS4wmwX-+d z6lxaX;C`{Q9O4>9V*U2U742okMK_)xR!mp;R;Mxp!=9VBswJ6lhdu-Uw?mcQsCo~rr z0~E)&TPuE*e=-77nav*vz03c6H3m%&KkoPe=n$T-GmC@$cmw)k3rz59#g$h=@z?aK zGj?5IZ+62C!y%&uh~Yf?l)zmiMBhU z-J6&|y%^Q1slK6bOIbK@HW0WenT^#|zrB9NVKQQe`%$TgS@Vk}FlKc1y*=h@0$if< z`y%Uck^hJB8ccCLv0kzk2ER4RPS--|yoI?Cmb4AlX9;sH?(-Zy74D4{;BPk&rN6(mAG2u@M23Z?x1_dqTDw2gv5ay|O^AZp~i>I0u&;MM_4A#9MoXS#4 zUZ{T2v~uiYlp=Jn*y8lKorv*SPNmrbolL-z4n2SLz?>;gwuUgiJ^? zGseH98)b7HrTs_1$)B_CR(HH&4<7+`T1~03JtHEI%C~7ytr)6z``(gDoo}NShoHpPv zd?=4bziuGVth;q`*;fB8m+aI%W19eY{*opz1$aBS{aFk=(RMS$iE`ueD$D|a$Iq$l zy4|1q-Lj4KKBLKQ?awDHIp8;*W}r1F4EmvHF}l;Y`9Xe(_n`NhuYPy=S_>cidIp!m zl|h6@BQP*}BEH z9QE978v)<6e$ZCDyt&JFQhLo7artuN08qHE?rzzZ7T@sb$EZ2TbV7Gs1>v6mr zBIk1S3&&3oT$>=b{krDnE6LY6Zevy5DFd%_hVxh=n1l!{N}1u=VuGQgTZ;T4`qUQ#_q z-a7&x>&!MhmLwfkzkH=!&0Mimo_mrXtJHN1oU6*q z+iNmHo&=4GdLT*_%H9MIf6pWJY{7uhOKR?3UpiWFSst+?5HOX;^UcTi_r~A>H-afk zqd&1{w-pPH>JKWGFOJQpbfzG=;jbgQyx9b0K+U$DQ3E~_MPnfhVSCiV4R0J7QfDf> z7|N!V@AmXdjatynVFzL+;ok&O^%uIcABtlwLO#m_E^=(XJ z{Bw=mqLJDm(5`B`FB>PrsVWRzYtT=q-2F?^~F7dF>u^b zx_g|l)iOfU6;pM0vGjL}$_P|vy>@M~Pz~d5e0SPU%h>gsIDO-NjFR>wt2lQ-1M6Ds zmW|}U3d-s#*_G06!&8leOXqa{md6Baf$xc*4bGv}qy1|_`IH}e)!=12l^1vJRPaL` zSo+gN`QM&9cGo=DdLLuk1m&==me_!5}sivREnjpZb;YKZ9iybqbRp zs6*2>>7=SgC(Y7#-BcsCUJOfuZV|xZUZFe^e%<%eMn$|N&-+GVMhs~S$^`@J7*T6H z>QJEJ2r+(bxf{OIuDgdD=Am%^d~lNO%3K67tRyh}5CU!)$gnRuCm$c>Aa%Anz)*eVCV76hjSj2pEsUO(R|BoP)l zHeItWAt7kD3_>YtNxkw$z)C7Io|m0NWrVm3R=3%V8;DyhoT5v#s#a6b=Q0bjS1f5b zDTZNaOSc=+rP5(_lzC>^;R+Op_3;+vT9n;_FW&4_*TJKH#BX42u#EnmBZ;`NClbB= zf@pG|B;S0}yQXn$9l9b;aOK>^IKqz_Zw2%qU#xM)+g2YPx@SxFpG(_!eVIp1=ddF^X+BB|7V)EZWA}CU! 
z68O9#`Bqi`hOCp%#$}6D)~4tx^Ts)({dm(^9eqR>e7?+-tt6A8w7bHpv9|af3LLtL zNXFn_&Nvm)ib31~5v%T;)WuFBE~^r#90?;_Ymk5QqdckSEs9NOJ0~@6$l8G*29~FZPpMO}z>_-e z+d*n}z}cLK89eY^_Q|_iafpvxmwCrU3jgWa*ElSMzmwocdUblA@O z?ykz=84HRyL)Gg>6~kwQ{oVIvT};g{dvllS{aPFg-!XvgCZ$DBGwPddt5xmi-PKc2 zW_A6s?_=%V<%Suke^vd1spGP&l6`fFvEQ>G2?O)GCKTguCW3O}1H zk4bJIsCTOXlIXFe%Vy^QbRWFy1NNGTfO&_1-@DTDxPTyQZ$J<(#ZW~8@8Eu%^GJ+3c3)8 zyAg)am^tlMkuionqY!lrl!BzV#^i)DhRyC|!o5&W;GlRd|4tz^T+x{J*Ge@keD6VE zZS1@{W(=o60bMCFVM=Yo2c>2aSiKyaM>2vUWuS=1BF~NWEoXm5=<|a_5n8MGwTmx4 zlwkuuPmG)eJR#(ac?7X!G6v08>xQ~3_u2AQ_2GUNorIaRuxu1KTK;^$Qbuu&+N*_I z{FV@aKS&@;RW&4AJLm2%!8@Z&ZPONGpyVFiK|m86L0GwD*wY6$^>YH9x4UnaWI@uu z**YTXgx_Q2i^K5u4Izv2_O2K6XW$Lg%0|8BGlg&5@v2Ym3$`6V#I^2koP{8M}xd30T(k543%19Yb{zGH=bn}v1PKkucgRPO|UU` zvDx3}vD3uIDVrF|!j`h+*GFhwMY3+h z8L>?KW@&8q)Brt;U3~`LhTrWg8>SEOvX(R%r>{R%Nur-Kc zIVO@I(?-&QGMtHgF|FK4bczZ&R!So&6=9)K3|hE;nk*1@74-n@_jy&_c(B;S2+BwM z;pq<-ye)(;-+=oaTch4uMJvT*tyr^}cEd5=L`6xM0ggOC9@SHVxN#N|O6VpaKTMXG zgz+(9_H_p?E;aRwUfLv>^tQ`uIU~L4y7F%HIj3QU_ucK8kB`}q`;ts7GmGwZX}U1Q zk*+XpnY9hmy)lq9&9=WFE&ed_dJI5|o!+b^)^6hlQ7e{j7^0cM5Fa@UcS@z!xDdjg z^$(gYkTq2LR5egVOrJ}TyVxuy=&R}iv$+S9lQIMLm*~B>?-#D$A~_`FtQ{>VBHU}J zewud4snB>9re3A5FO8=4%>NjeP7M zHQimzblFyjrBLvtb*KQDYe1Vm<8JJ&ho)~ykTo99$h96LqrfYAE50`|;A)Q0*5f9T zug|ia8_yf>z1qg5%RM2x%d6#;)cvtjQBfb=v!~sO6}z65)#GWD-lj_%M>ymTA6v=93zDNz^}d3;AQ<>K z1>N92rq&`T9+8fIc$mL5{D0E#yxyCChb(`BdhL$5H0mg>TdP{IB2OMWv;I zuoeupAKrcuFDP?yzP|cxJ|{?S*$t$%yP-EZY5!%!oyOvh`FHsrr?}!Sn-|s}ntLu{ z4v2a@`fx^ot~IIc*ATb#ZGNNG;{gb|YvgOodT;mZoh3xCwpS_h5hdI0W_z`e9PAuA zCv8{PAGnU^vR-yB^Dg)2HBvRUyrLZIwxW9pPpGgnxt+DqKv+h=M9Yo)3o<2(+mg|- zU+v9J&`NX9$%fmGbIIN0gw?grRV2T9?R_@CjtSA-9m@~>L};w-NZ*@0429!RUX;y} z6X_n0!R*7ng|?cL8Smrw0~=Rv!nWIXtdrdP-lI6+Bb)D#s zw(&Xgrn_&*&UkiSwJ*R0FJSUZF#87h0Raab3x?|AGw?n-_apWw7av~~Gfn}eVmX4h z{P+MMqP>a}ernbSRnzIJsSue6%q71p(YxI57Il^lh_3^>=UqWbUD9b|A@fUXS zx_+Y8>MMmiDWOVxw`IdYDlLaQue02j2W%)7NH0rv7U5t_JlzX^WfT|eVjGtDD)e1V z;ejH>tVr8OUD4Sh={YnhMXq4Tp+OusPei@>dOn6yEe^V0$|^__&Ht~$l(T-7sX%!6 
zxIxk)pil@VAnwTBnlrTWz!r=g)!<F>=NNjQS)a46gtwPLF=5iG<-fp{i0P4D9i{smSOy0rWY5NUX&uVW|?6 zzXMzOSmF8Cr}xISAlEBL;g_;^4g^}sr>gnIrnheg9W5)#iA zEsm?%%Tg-^P_o&aL#3IKDR*obEi_5b()c`um3nN?l|GjkI!6O^G7*j-e|d04N-@!s zJ<0DiQ-T?R%Z9IbEo#o11;E>~WeACtMy99~A$qlv;^kfn6KFR=?=#t zxLSFJMl7A^WX+fL0kZ^hgnq6ufX0}HHvGO79ceNN{=`dHMl{}3`s88_SpbuJ>HFlf z)nA#z=x9qz*AcSAc#9^5G&aEn<^+eLzl8|e_?Tv@@FW_(Wjus!1@xzlqtcQZ-Hu`LIRv!|LmG^)=Ph}Rh&Cf&c0eu;xB zs~39mh%gDH`oStaPgWseO2Jt%s4f*DsCq-$1ZM@{5vvhEHlV{3(TraIvCN`~E$>`_ zsQK@*S>{Zqc-{ts%1_x6+8G0f#n!|8NiiwRa*p%bxi46k^MOY3m)01RJ{MUzbFb@9 zaedPiM@iX%Zf*TO-R*(#blho)g7VRP3^|(2CPTiEkFz^KAOA+& z*H~;ER0QD8HTWqGz#p{;wke%u#2S`Q*bP|}kjqfyhS#!zA{_bJ`&i^!qi$OYQ-~fK zK$PiXpxAWbPMy0f)v5dN-68NITsqlN(xMW>iq5mQ5NXql$uKQ20Az0(r~0a`E!_eO zp#(3Ve^fy?O$b1MFc=IqiISfWr54<=a+0o5x08?D6?5lw)EB{pgo!r&iPT~#>xmxd zQZBh{QB~$f0a<@6z3Cu|(P0qz4RMroK3qBX_{ea@aIjX}Bs?KBZgy~=rj#&Nny&i@2V4k=g%-uQT6 z0K)zXmsrWx{hIUDFu`vZaxXJ*dX%}u*nxCeDCi>pRxxj3 zW<81S#x!%U`B%ZaL}W3=b8@#cwt6oIC1vShVWq51Lp`iHxw)XecsaU#u4-AWtm(Z7txDaMp$I6WWnK(i6uv*AvNQDi+A{wT%e5=Jp8) zY}hIKU^(t?zvhTnk!yO2lH~*CrH1mSw*Yh1E*`Y1JP_|}T;inM&}Oc>*Vn27dVozT zdo8JxL(jS`zEQ`)xa14HuOUeWY#fzfp86z-&`H`&n0dochysMP7jS z=J)pY5vP4otV+Q7QU$-$W6B{?ToFAs?Ewj=!DPpeFqC#s;m^kr89z|iGyC$o+3e1W zo}zE#8-bb~NdNf(dxooGQe%H1`egm)cN4eo`Nx5Z{R62UXua-NZu6lYb*i>RuH%)L zxNdD++k0Kf)!VXc0l^F>SuP|!>GTdz?Ly}%23A*-f7{q+FZ=x(JUkOuQ|Z13+|dRn zxh(^q;8=Emopp46yY%8auZcGtJ6&MI{qghrkf~{1lSC^l^o5qLuKu|yX20FVkH*wmPV z)N%twPt(<5<@gPrABL?rl<3HII@_kVgR%H|P(GeEc~Uj(2QcG^d_E2&ZUCfZq_Uc4 z+e5nG&$}Y9+v|zm8%nfaJs9t|7kCDX8MKtou924Y2oFAxzc6F|snx_k;kU|gl&?zl zP^+!F2SGE!0^4>rDL9?PGCcyzb;a@lo8uAaoJ?mnmmXwUD1ByZK+1+gNcW-sc0)8V z3~h_P=0a&&+;}^uv^4JAqX=`DfN#PNL6TFX(`-6;Eu_H&3yjs?FQ5gs^h`83>#-}W z(Uah_KA26`H8$Ud_#^Tr;C#DiaRf*dSZ-tl0F03$2jgDE4AT=Vk2z267|Kn?U4#QN zgZPXsSirTF|NJ)>%(i>7MlXfh>q{b!2U+3_eIC>5Ck27}do$RXVnY_#EDWqpc`8ld zSFYVx#GUt(8n>q&RK>%7W!=!ap&s&*dD&7KgC#SYY@*?^Qk!LkUbafISTjP+a;s3* zNs=Pg&5*6hMUr&me(9yJ5*VbKM;4O3K(Y3Hk8kK5TM`mgRPNiblL}NyM1TpQA{={P 
zx;jmWOsS&+XPyD1d!L2Dcj#Hf5A6aY**CE|X(|};w5M9~RoOBgsPD+v%&t%#3Y_O*OjTI$k@!>z)h))lw6O`Hd}UTk=<9!2{Idwg9m5M1hYDwj z4nFz+(OK*U3ro5z^r{tx1hPCT)bJGr+H^VQd;UKQnQ0K)6Cj z5<`I3Oj7IpTpD1i3>fiC>e59;O&l!4izGc$pB;~!8;;{>hh(1DdC^X3v-qjAafVpX z%B8XRCHX*Cvl&xK7On=4_qj@l(vJ#}2Br}hUtwp|Et2BDPo5vS)EJ68&)FEm`_vht zL|FfM`71AZVqd!0R4zzScB+%VRfW|lAsaB9gJ8^zi&ap_P1qv!T7Iy5pbD1_gDF$5 z2o)FQt>uEJIk*2lq*x%4+^br!Xt9@`L(4i&UJczSsvr%GnGC07-lfNe%_E|K)ttS) zINd_M@Kf=Y@vof8BYM)Kq-!QqFs|OkVX?{tj0`lToRxf;ni2l8rL@SezoCig0}K;) z>BZHuleO#?D$q{j!LcGRIC{f4-z6l=;MPnsvh%9HoKgSbfZ*UCeJr&ex)^?HrO~Q0 zKR)%g(BDJyTo1^HU~|^iqhO?g4Z(oPF|{0WWkSH>?d^|-8sz#JW4>NEnNi81k40*h zrkQqw0y4XblPmEwhs?bKJ}LOxm&@`m_^vXTOxr88WW-&;>LxL6WU|v}Tb!q|rGBAs z9cym04wuymjz?fi!p_wEVx%wJKtOks%53OBJE*BPaE{JJeIU3+6c=Kf)Q=auo)@4_ zh{6&OwlCzBMHAnK4uuMh2XL-go(d~UuOcjiX=68Zz-c;d9JZb+j{KKv5TvS-?!o47 z^G}ubbCDlp6HqP85-FKojJUw#8LG5@zIfrO9%^wP_ynSiZ*4L zXQm&Xq(5OAe6~$x%$A-1uef>}(oW|1!Cm;7?jL?a?V_-AE5RQ3#Va=;)J3qoaYpbr zRB@0C5CsOP1f2Qx^)#vm+^3)9KmRR946_7u(sB*4Kf}>w_MIWC<8cUx@Z@n$a?c?H zx*fxqfW6b2=>{B&ezq$8Sq1Ga=lKpRdl5!H>F#|f-91ce($B^6OPSw%01>J_uCQ#K zmO@tu>++I5UMkIQ-j=)ijtUS^#NvF8OVyrz9$za)@IWR-LCaO%us9kwI}YFh$hSG& z2H>pLh0PA%-!`hQ#dJSzvx17W5yeZG`1H`<*mL^r;MkB63WsP7+d?W7aKamyMn1_*X|A-4^MVoz6tOPVO@sawO8YbLa}Pu+r>VR>hUwY3NrqmzjwNWiz5vFgbRGw~HE#g#H&?dT z_NkAOqfoS(YBvVPapt?ja-eFw=7Uu1wgz%Iuh$^uHh@jZ96I|)4{mRJ!-)%WdV2)H zt5;$CpxgRul%$V&yUn%>$TL8k2gBCEjmJH(BE^%7P`qG;f8`BK2?Cp4`00Op4+ig^ zT7Q6l4)-X5A<@cLKSchWOX-1?^fPNa8L3t($a5P&urP;mSKud=N^l>1Wk!z2X5;(; zRvoBBnqeHs53QqAj#MWH5Ud%ggFqN92t>_XVx*xeQ|`(cTH{_=O75IsN|fbJEq0P& zWRvX^tV3;9UQCCoolO0<>H3}gz!G&ANh5W5G%(!-fv)|y8NP1zA9UKjBvsLp|5l;& z+6SYdCgKW}GZ{PKQ^dXh5eYBGge{8x9pRz{rNMYaWm$PxJW;7{oPLyL*d)de&ZV+{ zwG6^3b1j@(W`{pg;4MQLv5lAJ7Fqm#Nsm2Ej29iwuQG(#%g?0Ev_}JfEDi{=f*WdQe`H+)nQN?XSHZ(+${wZQRJCM`wzSd@EL=H30`M=GiuJ24J}@o1&gKE8gLEjN2bh{RA0qc+NnhI z(a`8Zn)>v6VgA8c+P3hs5Y4w=x9PSoOo&O!2_UfRt1-hIDJo_Ue-C)3u1bH2S0E^n z`!(e4ux~o#imGe~H}7JwUUJxuf=QcRZ4uA-@X7Y*&45a@ef+F#dDcjkZ*qk`#Bqv@ 
zQDLB-2N<##rx6L7CGw%NvQ=j1aTev=QzSf*U zHulFk9b(Wy`cUW4_{X9T9 z2Wp4AC%ZNemCW1lG{YVl7js~_pl7jdI4B{8@;{2&Y7 z0ZAX;v2&SD1t<}eAGi4ZWCxZDSN%UY%UE#>)2W5hY=e=;72&$~)o1{=n9;ui5^5ak zxX)vFCIv=lTVWsP{+Y`n5L6p3q$A$Q8o^o57SwB6P|L>kwJ%u+GQ6>&+|;&{l8GQh zZ&njo;V%&-o4|%|Dsn7(UX~Ii!xpY$A44};$;k`TSS98ii5w6|x>N}=3-6$J@M2%U z+x}u(jKtASRm2vMZg7zfKBKJjPPIXYQAxUuD$C1~s%6YL%F>ul|DO;<@qR}S>PZ4Y z&K!fg!|x=(ulBhy)vq(3i8K<<2t`gwZ)9*l&!^iy(;1ZhEI^m?Nzi^|u8H+?N^J*C z#a-4vp0zdD`kW>J)AXi+4qiM*g&tN^H(8D&5Y}Bb)84>dRJUKaO{a8^Ny zQ#qQxAiEbSy!7|hXZG%8o)bhm<&o<3%zIv2K)>cY#7{R={g~(ZA{y6YUS-bPUhvir zK)K;y;5+F*=9>0YKj?d2Q9sV&x>3rk0g`##Wt^ngzFSmvEm=;#nbGxZ1$d>bc&~EK z@NQ-G0Mf&Lzc2D+Y75wLaUQz8{|)Utfo$(L?)4Wo+VGhTy|_-h_+x%}93dM;5$ z{GRV$IpT8K#^3Zae}T`l{yq_v(>i=O)=Xg$Z9Zlk@&7)3g3W1j9>|oln%MUErGotS z7V7spe9Z&6E^}jeTSD>G?6?X*vhy|ok$b5jud;s}^t}N_a=Qg>dotS}<$6c>{?CjJ zd+!m~>NVm^Pk);Ll`2Ju4 zU4LC+Wq-dWL2C(8qwpC13P|WD^O?E`U(jBJX-tbrK(;$%Www>Edc}-4oTC2+qpfL@ zz4yn#(LUwR=jruR`#vQ=Rpbxi21aP4qg9BZmfOyVI&Lz` z=1*0sT8vn9>6K~yNdJzGjWy(GsfkxeV1P=-1y|}6k3MQZBBi98a_f*Fkq;n)LySV? 
zk(Z^@4_NGv4psP$iTUp|13L(KJbAaSpk(`H-TxSiCF+b{QBN9Ss$6+a95FRygxoCa zaH=p9_LGtjn7@u4dKxh8?2Hu5y(+SMF|?}8!Yiui1^3s+beCA{+8byNDbCO>%gWk4A%29Tz@I$LVaYhDWdZV|%i;#jb^XAh!E}tb+2G z(w`_&${+iC0i(IfF?C6CCvzrl0&i%}>4#m{X|>{;0;Sk1apUA~0SqRHEabAKIpf>KJ8( z6j=+`tED-~R#`Ss!JFgA`?UW?lk??{8{y^xiUM}_R{w}zi4Fao=NzYDoX?G4aph@Ehr=GF}L4>SskbC%M-@TEr--#3yq+7Ow@wgg!}QvKI0!ydj*{5&ux-n_%^rdn;b=_3{8t7UJ7(<)n=&Y=I9; zJS;H>2^$(T#XlzA?9)s24hu7;_oia8dnOj}8gl`#n z)t9wu<=v4g^<0a$0ihKa3T{Zb-L?S9eD!f4L#Eisf*4~8A{sR$P}ZnTa~@^E5=}TX z=4Sx%m1X-H^#+7!GwzpzB5wQd%3|}aD5NOzPa2WXersWk_r zW4@uwCoYk45{@ z#9A}F$!Xqh?Uzuour2~?IfS0NNV(o36>6u9XP$~qD-~!QoHJCQ@jK&xLf`~S0Sk90 zfmkxZ??S`BK291JMNcllxz9xS|LmhhQEyu&m>-kUJqxuZP|+@G(TZ=ffkBzYTIk(f`x4Jr^*)Zzn=H1QUJaxt>}tQ+G}U^+vU91$y-C}HfK+vA7|T}6HnIrV=nzGpoM)> z*W)%Uwc2t1`XsmI@v}-Zg_cNt)AV72Xl&(Vt8Vdl;~=?(=&ZYM9sQcs^oIvSj>JE=$0)2162F7%i&nAWWnHaZe6P{apoMMz>n4mG z4X$;Uf%u1x22~b@8K>)qk(u0Q>1OYhvj?mZKi|iR148gce%w(Hh}!cw#L4$zLnp5N z?n*7z)3kyxW4(W4?|MReRuj0LY>VdRc{zOW)OOl`E@idpddg8N`!E|M3%a7Zp?6vN z@xb8AJ_F^xBWgh-BD{y z>ZGO9hj+P~g^!ZQrH9=0Nx>HO2d>=`M>#!Z@E+EX-({t(N+gS&)p$hmx_uyI_ccp# z=~01YS7||+srq#iPJ=a6jHyrxwU0>5t}9%oYzTXHn&=o@7pTQe(C;L6o^kK<*q@pv{nH za-p3Xqto)xN_g?Kfsf=5_2r_DVtJY|U2J)><9L90HiV_KOsVDKoU`fXQzR;a@h?-4 zQdd&j3_?KHa`@CA7@>tE?ZLO=O$12FxI1Hg6%Co%3@cqbJE)rlrr1-3{Nn9je%(!D89GEMqWb&U0`t_PDRiutgKm;BMfG%;ixsYa7a zC6OsJBQ@2~^{`bho$Z8*MeHs)Xy#U>$FiCD&@bV)5}n%vG2Vr7WsWFZLv9c!b+;H$ zlnjWl(}q%JYciXjL>j^@Y5LkJ121%c4W7sI+v}&CqKesmvtT*#C)AmY_DP;NEC)oI z9vMl)z>nr}&D*rCr#N)5Sz3vSk{Y@a&$a)AVdb(7u?}y&byt-C=w&T8EHUBO)unPc z#&JRS^4`4sS2M>BCo#e)nT5do=zdE z^+)irfAo4-RMS8D1PY6M?wkyB1vYuCUp0SdD?f{3z~2qiCBhBk(p>q`tWdM$1rw*XAw&h)j4y)- z-JR`P=@^oqgIa4I=UV7R%jxTl{;T)j1}KkSe%w&(*b2u`5}*f z0jt=oX?bYjWXfi=1%YNu3(clv_kcr*P~Jmx5yp|uprrvA;inF|B|_8epFxFf^vZGS z`MsR-66WW$Rw%5_UpPg1W~rh=RbCI?a^+3)X6|!`M?eks{V~eS5PTjxac}8&Y18c5 zRhdfPGFB!j8Tfl~L^bY&9Cy1_UUWXfOU*y^eMYj6G?LzF`sz`MW`3QK6kx z{vbk9lI&^Iq~lOoj(o_}sYWW=VlttrS2>v7`4v@gKTL&whv+Dso9$ZKvr$Q02_k2v 
zvGK=6J2HwaQ~5UI1m71o1#UQTVSE=)h{)A%69FXJv?h)*o{OgeLD9)Ch3v!n?rB&A zxHpIzE*VKqI&B&vFJBmGRld@6a$;_3HsFVPiiNRp688&rsS`Q>`$<`@qng!Np4iQv z;5fAzUJ)3{{*)Cto0}&vQZvOpQ~5CYKZyko2*@J>72js8!MO~^pRqIQip|cW)Ly?* z)`&t0RN!ym&g>^H=Td5y9}2NZ0$Z5L+u`G+*F=@Cj>`@qeEXu=^sHOqwZH3$_p#)ZZ4hf>b%w#Dt{yxp^oXWtQr9h6_~noDMG>q7a+R@?pAo=!~HSI@L1gl7Do}Vad!W-~Q z)`s5VwSgQnhq;~C$V4iG$5~3xn%%u5w@aDR)H6H#^or|3>{@bS0Km3%y6f8To$*ZU z^2Mpf<0xT-;|;S;`zZ1>utARdx!Wao(_;GR*Av)X^z9audCyJM+0xOvcGHUH?(^_O zXarc_l6_li^6NBT!jSAM_`Eth?j#Lz+xGmZ%vPZ$aUu^ zD5a@(U&1u&cHUoc`$N>Ue_-gcUG?<#P7qGukbkR9po7q9UDNXa+s}U_ z6zw9e3JDSf0ZFQe7csv0$U4}I7}cT>j1T2zan`Hi3X+7hiIhUu`3kW_iI&QW14r4! zv1N2CW6AIF&`HFMVc28_kOeWVnpC5bN{)fMigZxIEpft2t~H7+xanhsrC$2#6-=J< zH0<+B!>juh9{zPWmb0IjT%*(|Nz>X}vrdclZ6ddZfGP(n)WxJmMs#ber+4r6uP8RC zW3|SxaipAc`ue!88ljTXJ^d;)ti=-bb8)R>@<#Xn=BqZA;&0Y{TBZD%BFbIhg^dxG zxCPVM2c%8Mzu(cjj)bEF9`bL9&aF##XS}|S5N#!CH>}E z9k~&HjXm`x;%hh=|8w8-0x%4Dv3`_kAR~k3hYzaMw;~gcf8JHXvB_eTD`cGFeaw{$ z<$V~AJ|)x?j`OURKI5eDxZkOY-k_=|^anDF*L7$MSTpbsSg-P#so2!=XL6)M5f=Cu}d~)QAI--)PtLeW9S#C<{@7-Gg@&{n|Tc8>Vrk?vyhTcoq zcdb!kV4vA12u$a7_!9*7-~XKGx-ICMe?jz?sO>KstdcmB6O%rP5)pn3ZLuCT$^_hz zENl)_k#n;VjXlc&fMmq&#edLi@sBa3rj7HUEp^4MF4~AW^jAbA2@>e=hK7)&-^~Mm zO2a6AJJv08t{7<)tmQSB*A>d4k@{=N63ilt^Z(%sYK$oK~wU*J*eV-oDc3DvdH3%V!>ii3}HTDL~|GlCWbW@JGXBRmrrm z5G_yt1#drJ3<%XS_pd6;dR%u6i;YjrjV$1nyvtKmA=Ej;mfQoe*fs&WVe(--nfoAsz^05Aka2D z;;F7^Cr8YnC67(I2;W4B5pVvrg3ekwJbGi{u@`V~4)sf= z8z2w*NV#TeB_Cq6n5KZSMw&TN)(K#`GPPHXP*`X+*~tGa?F(vc7VC`~sRh68%Oh zfQmdg{OmT`GXwjcRS7NL@#ru(5dtYR)%+rMg!?A)E%U(8%Sq&cq?FHZE@aoIuKM8NZG&_&GE*jsMDZ+1a|?d{^#% zJ~`UaaQw`VY3;9E|1NP!W%oO~+2!ZCPM=sx_G{Y+>Co-D(=Y?f?C`Wa!`qR0>AJjk z#Szd}Ij_78%Mtl%d-*S8EfRS=Ohex69G~s*>uW!56r_6WB|N)onT3$Xd9QYOPgv>B zXNq@5RX&%@FWhc99wnS8(Ev?{#HH_#JI0Jud#=r_s$JHu&9)ry9-8#%Tei!*?3&JA zu2GcmDvhw^I^TtFGI*h1v)_Hqz2Dt-IxnAgvYSD8VY&?y%^bWHpSS~Sx1lI^;J4Gs zpoN-jP->Ig#*60uq>Uc0tDfOIaGML3)yRcID&j(j};4z}=ZE)6&pHY|A@wMMr{E!+wuCAqz z(NS0X27%J=>*Jki05VTg_p|~7fjv{p9!ge&UnoKAIn6t$&gGQQ?6==`!3A&Ujf>t6 
zu=(WJ+HoEAhQAAJxutVJ6uF1rrU5J_SKF~I90ae6h zyWL0Z;9i0gyTMO^(^ zK5{gEDSMfeuphSMOP*bFrbKw=>6hzT_w*K?Abt46e?jpQE{1h$Ny&5V65^$ekh4+2 zKM^=1=YNQQ=f4Y8qMVm$`U^+-N9Z1CPmIe5Eyki3r&*Rd>cD$+j2h>-N1rgT8Yswd z<_^z_!@QC4rzqu5vx>A$oEiItYRp4Nx&-`_hUDezkm?Uh|1Ie;Di_TkTXva=w%eJD zOVPWI0!dSVR$ayC;BrPuO_1^mB9-+Ce(46xR&W1=aKlVe1J~S4`QG3a3V<&$Cm6LN zrk<1#&2)`IEg;rBhXpgo8h!jFSe0Qq-@^r$!i|NCs3BJRb0Zfu`b* z3qBP6m1Kv)%h2C~l<lu%^aM=U_%$JHfc7&%V5s}dsCb}6{7qeRLBf6}ahR$>!d=l-zxms*iwf?_F&Ui4{zhT4 zf@o``uJRF%3%YV`lzE)6(pGPq;2CK$!n4sxG8BkLqoJ$|Y`XCa}_3Uw(Ov09%o)5l}27ZF;e?ra*1i08;b)QFB+bVt~~YEi`LNGR$VuaScbqNOn6gr_PWo4u+Nq~J7J96m}>D_4if%-?eEMl@y>3sJ ztK>BNWh#n!E%JLiTU7^h3|u}>qZS-gg1ygWXjkR`N7Y$&#Tji|8Yd74?iM7tyI0WQ z?jGFTo#0MzcY?dSySr1kyBAiMKBq_bxL@91u*W<1ntMKT1#%T`QLmS@f9}A-gk+Nq zTy5jOz1yM2@9oUSEgCn`6D2UVv22zxL!y$U;L2Ob*0<1X`=yOwJ$b&L_J>(GgcucG zEBK&CAvphw_Qc03s%0SleCMutnN1;FjZu|&IhRY$=pBKa3l$Ja` zUimdJS)I`(njc>FWTgsOseqQZM@X$W%#?A5TT#Jsh8}y;aQ6Ryz+(ZqxQ|8mB-Z~| zaHnIdwDzdd{@hS=MRy^ z737~G=T^Q#V7Kov_S+lR)|P!J{3A+}udtt2_f_Y|bw?!e+Z4y}Wy`>~;5nbrhbnis z;6w8MGoBmu@;8?p9J%bSSJLN+m?!KluhQDL!IZ4)t@Lg$w^5EuLHo&mKYiWnDcbdr z@(%l6{X?kbZ2Jw%UnI>2Qu=Y09goe>NB)9RWdoSfXc4G}CpzXGKu%I%1*859D3Yn?nR4;wmvv&oTh8wL)pNiqGzmxzi4mz3XtOoo>rgrs|kK8 znI^Qy@%{D*UEPb_kW}@DP~)w`*3YtW_ntsdDpu{N6c?$@vqu9t>= z^${Xv(vfS3&A=oTcGdC6u5hcKxNe0CZje|7O71(oUXO|C>26IzgOYGY{(=zyC@*ZQ z7>fZ0#R1D-3rf@6WO1$UQM5OSEtZyV;C+qr#Gxn%`BKP zNT_UgK~qgbt&%uRJxcKiyn4&N%~bn`ffQ9?LSS%{=U zNxLi#DD8bG?73B*(!X$}DtSk-8&5kUj_C4kT@* z%saF^FCWgAw8LbO3q~TWc2ofFjD#|3QWhCF-|6uq3g*WpTqGZ`&MnOPdPyZ<*waiM) zi!D_Kv~zAn*EkKFMAInxH3>B-h0LHYOO8iT(Og^^e??BVEy^?Tq+Mk({*I20Og3fx zV(&UYDae3itVK2+@Z*NVa{C{Yubn1?tUkTwSHGaV1pJ>xoWe6dJA)N;E3sc|nQ7GT z1?6i3_1Ym>6uzFhW!9vf9B~UNla=t*+iEo!EYQL&pSddn~_+n^cb$Hr24}`5`sc(jmAoEX9?+r+6n zfSoNb(ZJ?ztF$y>2GSoSl4h3v#+Nqb4O_L09%KF@kI@W~fIj_`5w*XG6hCD0rw375 zi7g3c+xAM77(ZRFWu7)ikdO@w*Dq3DNmZr2iHTKdJab)r%P(5~QvT#vc$xKIIg>H) zDCi@9cm|QX2=AWxxKc+#cL7Ahq?C*Iyye1IIFo2R1*9*MhaE_>0s?UDjCmTEYCxYY 
zV3el+?#w{b+eY9~`IDs*c2MF=j@SwOaF9zbdDsc#pEAr%3)8PBVWrB>XhioJ)R4mX zX!CzF^RLxxQY)LZROM6~+5aUZb@i)9YDG~(BoTZoaxm@tYMwyzV4W8i6~}AK4r^K_ zsmo%4h+Ia@gJyBJ8kJj|FOJ*Tud+B{xdR^F^6KG})Ad@vC*vhWl`zj6_Fw#}n{2JQ zn9R_s`(-5FWHmn0S~{5n_4@)u0Ny8Pt$o}na?Bud)d~Bhb9v_0vu`*fL;AVT_)5%=sspCmc+e+Z5J2|r&(h=EF2~{e_rv#|T$6Wdaqo{hc^Afk}(9u}Wybo)p zu|)0D-$90Xf?bmkw@(=#M6LxurRH0LV1bdFm=qu$Ovk)J?dr&-6^fRr8m%ZtMLBs` ztV*Im%W5%vB~d(MZR*W`F1L1B?m(xzv>N&AN+MVw)&Nng+Iz?1O z%0`aighlJ-ZT^cIFl4MPxHSUb@s-IIY#d6^kH*MZ^v{sYxTleh(suaSGR;EnChW8E zUghD)ak~_5NxUh+Pr571py|P!1^xG@I}-FF`&1Z7!WZl}czs+DirgRSFj;^G>PJ1i z{hiVH+j;9^EYJJOqS;ZT*=6^@-m49G%T|8#b*sMHRelViUj1WrC#kZKd|=`{8nAV; zpP=76<>6f}n=IIH-qI|Z(djip;^(j!;5F%K9xbgFjxFEqdJ=fG;d21F8OS*$M0Hs+ zTon6p&D0HjllC{D27v`!C_abC{9!gm9D^dZ()`|6efbym;vMz>J>r1*1<83gWTO;H#e zm*3y{81q+t1mJpB!jai^-Gnw?^s+FyqR4gssPfz0*!zYx^}ZK*Px{2@+Q&Atb+U8< z&s_hAyWu^_7ui*}mF{$fd}O@b>9U0XMC>#2=Q_vaD?E`~kKppIm!JJw?-hEHeiJ8e z{M@B5yc4czacs5UCDm|t18ow}EkRmt>uiUiDm;Y+0Q!`EH@@5N;;TmU({|xYZSS4q zY@;Gp+MUfuQtF-d13vBg8bD*c|5p{jQOF#9#dY3#Zu{jR<2?l3=F46pOBe?hY+8NYWO8l4 z2`I0pBkorDxL>Eu_&Dzz1fy;ylHdb$#oVoeiLQM2?>ij#)0!(>Z?SRoYhP?a3EQWZ zLbt$EFI1f^o0QEKDYgR!hQHIj4XbNvgF?35b`AjZKber_LItwB0)W}z zxBd@6;}r?m;tx+H?`SQ1S;PF@xL?^_zn?G-n?y{oZ8M267Cl1W&-{hNpMv^PVHAQ`DY-DqEaW*9q|8vNe7t^;_?6eNN_d@q0W!4^4hO@ujw7`T zvohJ@M~xy^wLiTP{%_yDZ}pRq7AFBF@yM0yaMAlBQaTu?an5#T#*_>H1n=gi3?B`#3Ln)e?01i^rUlpEt%*4nUs!3`YV$5?8 z-B@W^!d439!Yxv)or<&ymAFAt!sObnq;tQ{NTb!MIff0Lsdq9D64Rul#}e<$WMO1; z)6Sb_{PA8eSJ*wX{7Hmbf8TX?erPu@(r}sGM(TfVPI(>nJ3MOv5rETjJ^=i{0iRzc z4Ka`^?6N8Ozw^dUCt36?o5F>DoQLK2>?tWzrRw|uEU;D?=Pv#U@Hn8iQXXXf8eS!9 zz?uWQ;U4EU0L6zihQ?m{7;l_UQMlMb)-)Ev7~km|T^XF#16wY;s50lx(lf_H!RM+2 z=|)ZR$)@Y86LM%G^B$;)7j_V%4TW62QplR3o0zDW(x_Cf^_QSLmEVL}8EpEhNIkao z{~37kH?CU>x;WhDhf_;WP{}I8$Agw$)Dm9HXC>uxXcJOV4hk>8eBjl}7;vVRA-eL% z=ld}Lg*qVw=TrC>LkEyWQtu+biX>r^GB&A}HW%!hCaaaltvE26Yrunrf}`v+{@Di> zM!NAGf)>3X+NS(W>cp?}V_m~~Y7a092EW)HI0yHqdZRRm2yg!lIgzLAgt&GYN<@@p zwRaDnR0?*Op_&L1Sx#5$W~b$Oldv6JC?Nr@b=0N1uPhBM3fDn$7G-8xf_h*^f6w1( 
zOH-9;H4~H7^dRxm%8sI{6g?NlsbNAD$jG2Umty99R+oIYg0|tFea2MTwaGaRP}YPdVyj)w=*f+B*d4PHI7lM&NtDe29YJ zL~KbPjr37-#%)ll)-7<_j~bPd+WZCQ4f`$hndvQ5 zIlP+Jc`rnVE%C90^6#%QIKxrm!3|`AL z@#=@q6``5#>zr=H;1A9#fyb3Gx?nmx-*rhL+^a`Sk44+!uGf zdGFs>BD-e9Y4t-lOjllKW-p2Yy9xJ_p%-! z?f;tMiP&-YZ(~lrdX`(It(xuZa26pW8}u;%aO@bVh%I=- z5tVzD(6(##cRMe?2rm~KM-A;Zwn3e!1 z6-4T?o1M2Nk%CK`$NlnpM=7nq7W+W>!+jF>GYa!T-KjWYJ)c?ioY!%-BfHn{odXdn z?`lTx@@J3b?Id84?MJ6-C~v#tHatbEUh_j}kqDqRa1%YB;@Q zxw zB~llF*yF#>ofp!g!{p(J=@1`kdzMKepSR8KsKk#@@rh=rtYR)$*B}HRvbU;1-o!@!k3yRMCSbM%JLW>L1mg22Qub$yI=>lyLq%tA zGI$H!W9OVK?2CzIHi|AZ=r~iUvrs&GMF^l12DM>D)zkj97h|}^fF>Z~mL&-crd1MU zBU7ND@0NA#|H*NmtqaM5obzm7Em-#W2aaPqiW@ILh}7sH(jmUFQchU{9u-(=tkY_q zj%;8o=6HxNTk_2j{M4?CJi~SYJy~NXX5WmQ89w535bTYj4PnG)CE{ZX@ zhz5Vjar>JXT^e@ugLvd4_{TyL&KU}ES6ix}{ZA zgG#MI>GL6A4TPbBPt3-kYD!cIji}BW9qA7nnc6;33pjov=j4mammqN*wf2ZIU0@YO z4$%9PjIRk}NcqyO2fhH@<$$wa>q~E zNm8g_P;vh#HM0?>m$7SQhbUkCjJlv+otbqAX{e8`WftInO{)+R?d7I!l$ebFUaK+^ zPYYC|@gIII!9`38$-tm}Af3(Z((0mP&lOT26T+y1?N=fG)t8@M?J5hbjx>lMVM}89 zcS_HJ=XtgJ_Uh1@pdZY#^F@k>T4o=gREm|H!VE z$w)Pb<1daQE2cVa;e1A0ezZo)xlXx2J(2=GFvq<#m z0b*=5$9_e{xvdAGb zusZ;=DV__?{cJ$B+Y#?8L%uEe{Q3Mq`GksC&k5A&n=+~Yw3pJnVOQQ>^`Tq@t>@vb z!h73#ilwc86S>r+-fgdYut--;g*n<#6$iXwQo zaFji;<-XUW=Q!9;(g~^&v+Xz?yrf&NdhgvC&v|yf>M&W-d$`^MW^|q*zY`>vy}z|K za%SEIGQ|JP@030P>9-iU*1FkgqX9sJdvcyE9t(!chtpDTrcbIV8SR=L?hn|@kSQj9 zpwnb4TRpuwPv6qb93VK_?NQ@BcrEW}^D4(@OOZftDIgqJ+7kyzA(1jdG1~^RbMYvyumVEIA9uFJ{?6f zwKmjB5OP))otEqa=4BvmcFZFCQcj{WVsaC#b4p;24luLuvf{$`L?-T1=W$QW>wCW6X zZGnV-rRHkcDrY~iiX%WP65vd73uaAV+ z(09MC*f%rJtGgHJREZdlqZBavQ7G6s525f;8jm_}{Bw6-2m}KBFNU}WWm_t$XT6wF z*h&k`q|~iD(SaU0d57`ua;0I6tS<7%I_!KklcrM^rtvzR{Scn8#C_0&L>N;4@X9Qog-G7+YVbWwTx5f*M0QKl0Q=epVOJywEmL z#Gg(pw{=E=R-DG=2q<)EC0Tf4^X`c*3FLmPOTvX}1j0yV-^hyC!*%L2Ao}nL?H4cljG;8boNo^XIKZjU{s%@j?+AqB@imoN*U8RL@;_3enDT$w^ zaqUO=uNA}{cjN7XnDqkWJUQlkf`&09J2F(&X%sE*gr;k$aKuo{%3L{^I9Sm-;@w&Q zGNf8kx(CDh*;~Yq5kh~PwKNJ9;(>QP7(Dw7#Q1~!lb^cqk(JK-9$6Kt$B<}$o_4Y| 
zi`_l?b`=cG@q%nWnwR}VcB9s!%x=TLBw(S>8=F~IOa^$|&+%>^{EHeX-7t^C99g)> zRhfGX$DjZji(8NIxy7PHCfo`C_zR5@rD1}PGReYga;iLzqxgE9O6Lw*wDn)PT}Lct zXqdXpbaBhQL}8O2G%`xZgAN(wHf63aZG$IVCu$1T?St8-v2%lk#VnPmqPxucr-wxT zQ7%$w+d{GpW613D7i`pe)-Q4uChlwpW&$J#GSaeM458l_wUkF>mg7#CC2%;j9EqSP zVMh>OpeJj`Yp-^6akJxS)2iID^4U+f)w(r|TG%Bq-(@fx@9no^RTvoNOWn8GpS_{| z`8czP#+fHATG10NQ!u1D=bJXNiDOH-N2moX;+%Xs6&XS*jeA)yAE<#LPC~=cv zxuq&x%l0Ix>M(G^DzyyDqRSg#^uufyQud?L#xfk7^E`p~imbhN$pVt>f%!2ML%~v| zr!kUiC+ugnJ@D@(Kipd0*io@dyzAf=B2AdHgje8Ve`A)>i2!E**5XU4MWXfAF-Szs zdafz1x{@hI{JLnt8g#@SjZ5d06oVzQhZFBAT1znY%8&X}ro@1~@48rt58V3`wKw;~u;<#Y*RKTJ=QrX90QVlMHVWIPYB0Y~ z+vy2-r|6h;A93o_ZtQ5dCuuLW*qglnsrR$bc`Xo$(cCYysZM+7T5(5ozyI_0SKj(v zO1gu}Yx@^hQ;z#Z5*G>IuJW<{!I9I_OCuuv(_OdoQ-rM_*uOY-#pO)>v#sc5`wh{L z$M+X+?QK!UMfas+4nCkg8T^jTx6uN`IU;->jXP?G3UV&H#xigyB7a#(>y-dJ;cxdh+>QjD7pBhi!1H4jIn|vP z4o}w2%NW&NABT)iDO!MpImXpnD8Gd0l19sDjOC8EtVS+l)5`bZvBl@{;_7DShnTbF zRX8$Y#`Njxhchu#T|FzXhUVe>e6p{ahi;_0Jx&n#?YN%A?_=r&VOYmH30X}x%LQ~k zkK^Ti=S8_Ys?Ogsj7X3rciPN(naS4n5Jf`Le*bb)?RULP=Et0^uSu`o&28K`-6zV= zy)*A5zsk$P8 z$*o&mT#!r>IUK8b(Kn5yFF#GSzy3OV^u-p?@SM^5SiR3k0m@$ieJ_XlftQU>ymT3U z;K#}o{<}D%7{KYlu-!X-X8Qw3-+cLFe}->mVXa)ZW|ZL>x!@W!S-ozP!mu{p(f*{p zOjxss2VZ?R-$^{s{U2ckXFLG5Kj#LZ2^b3Opd7D%>?7jnNO}n1SsF~#$cFPiZN38k zM_n_oh`_VQCo>NxHmNoFs-ODW^63F<>5fX>-@s%fzQDGs^h0!;XoM+6uEi-5--j4R zjWx#1S|_*VtNmS>NfXb|K%;XRp8IYg=crM>#kR77I0J=DZUYl$Aw3(dA)AqycTeY> zX<*`}(ZJm_C*-0r6qH(S;nB|kGRfWxC0-n0)znidbY?M6rZ(`DY?mMXgF2qOO7};Y z9M~&f6cn{aBbh6zK!f0r3PEQST^3ncs18+WDKdFHzY#Xs`G3- z?b>Htccal&PneHtjLpcw!)VfH_27KM-?uu zAzPFAt-?w$mn)h4cZ!>0gjXn9sh_m)(KD0RzJh-(8L21)(^8iZ-N_yuo5H|gxkT}= zd9n`|>dq2Hpm?qVVVQyBhOILk;hwispO5k!xDVcHXR=?WxSk~( zg>{HS_*X-})15Bp<=7Jx1o`BKjEjcJMCd1fV*#Ykpl9TI6GTgq_k-z`OJF*UEmxZ0 zh!n;-3lVX}Vkl`;R)py}jT%7#JT4!}<>QX|<_pFY{Y7)pgorNVKM{?#Y1Jmk1zH9( z3d~tA8>L(tVlcJ;Bq+4IX3~Xm5ba76QmL9a8yAYf9sb3oPkh6+h7NpF2q_3ikD?!$ zi=Q;iv-4yPr|uA0irAMxcK_R}qlD)i@oj0Bfj>dU!jWjGy(yipDL|NUjMGt1oa@#) 
z=7s@~fmZgQC$&&arwUd3IC77bBV%wPMd!bUDPwXg^e^=NDYorr_*6bYx9vCQUTWwum&6Y{;VG5xN0q=0w{b3P@HGg4M{-VQ)3vm!{^qfl z5!3y!DDT?+(xzY0?DL)JV>AQ)dFWyWU!L&l+;w=)&e%?xK^;6lYLudLGnlgF>9UB@ zRMrjk9lok%I6=PK;n|92J5tZ%g2b*Bq-n+Ev+6h$QOvSl6{~)PWCwI<@08pHWsu+z ze{2NKM%K@FF59iWy%b^7FukjoR*y!ebYAxlx>?)&u#V9O4V?qK{9X=n^xB@+yKxy@ zUX+*h+IB@=KR_DfS-cjb#fM#f_xkb0kH9w9g6<04$m@64Q^LKwcGF{*DV@8l&}N$I zY$C=ldzxNHe9d&{ZHrpf#D334IMqt;4Na#;k-Cq2M*4uOzDPHk^Elnt`8z$m*hmzu zn{?S}o@$2yy@g3Pn)ai^jmJZB_Sa&Rt5wHUeOvnGD()uxnJxfWLiSJlzk9~$C9P}jRl0zT|K zJgM&R8reE8TJC^9ank|Kr8O?PLX1rVUppY)Zsc29fT8$*90J{0gmcb?uV&-MY{*v0 zbzGh;26l3^dA=Wy;f;Ts#<-}zOy&^NaU6)LY1cN5d-m0T?Er&M!C>HSj^C8uO!Xa! z{Xg*f=L}4LoHaow!S*~oNh3}pn6fVgQ~^ipQU~gZ?U5FJPNr&NSPaoJ(4B3Wj@^j& z5x^e5?UOGvh7T@{Q3_bH}SgA!iJ#s|AkFCy$g96@zH4{JhHyVA}95 zxZZRv00)Lde2TgG)3m*5b*7 z5urdNtLim+I1(OcTL+1t7k^xLK#wS6NJ7i!%qitiU0}8GIeSUad?)vi&CObXlaylKT5Tf;rhAew`p0CXP%;M55SCTQ+{dQZ&nH!au)1-Ogtcc zWz>o1am)ed$l0HjqddvXmSd`Q5pMNcg&QH~=xW7IMom(n9SEwgbu@h8kUA{TX?U=s z6UNNCLN(dfo`1i{2ro$|uN8eK+M5kxRjO69jm9t_lZv@e7!QR06%-{7&n2-$#mY>! 
zlv>6)b{Z&jyvzP24DOpIWB7hYWU+V1YcRUJ{nmLQbc)V5wRXAG(mPj$rpOl2X z0sP8?R(nuYjZ*f|UkGOha8-ys{@NVdjGZ|pd161DL#3ZfeBn4(U8~VHEkP_;IKAjv zc$DQ%F+nY5MH(*UpNZy6lk1X}aGd*t+p@;M&N5+GhgUa$KoOnQIaEN*IR04{4@44GE9o}q{xNplnl+^XF)?RhR$wB&quL+gpO2?+V&8_iG zLxe<5t9F7wL}wSCAuA;8i|LtMu}KUrhAp-w(GU%!ftuAW8CCo?vyn;%v2E-HYfj>v zNM2BSLEfw?J5X`mblhoBu6C|mgFmx`U^cF1Ud9a~@ij|n?$X`6YEe8qz84{P%OfP3TvWC*_F>0qmEZa3%DZfLZhN1CxcZNW7t0Xy)^E-T2>R zo%%;;O=$HBwPXKqS<|k0uta+!(2HKU)5iVNgh@#4A!tEFfK|s=?)AVU&bbdk6ZeD12bg7 zF1(f2^*tl=Sp9h_BmQ6M)t|%Pi3a5LQ@_6=nyyh{^?au7^>Q^63Iu=42pjDEptF6#Jy0Y zB%LvQiCr`PivrS7wO{e{$W7GpVW}(oF_L>P*QCFEt>!oPi@t)w8KOOhPFN$Kkxy4p z^=oE;go3b<`O~DY6Yk?rxqc-CMSDUUR$F&T{NBI5W&L@Q4Y~Dp-jEmH2o$@n z+&}IiY?=}%bB;Q^|HUnK=>45xiNB-usFQ2FbtNG1RO&zDg+<3ljar0=UufxhY~@TD zfR(C@SELauB$yZRYK#4iessN_Zfnu& zF07yPW1ct7O;9JX0~c^TUtZk?4sE|&897&a=(Y}vw>LbIpO>VjyHV-t`VZRaicwpitW{` zdez6aW{giWuiBMf3$Y*q|F43b#-%vl1XenxR}QLfhwT*3>;O-Do zt~YUYJ`A;SaoV+-&SL<9_#WqB%31^GgI70f@*Ry*mjE^I^bFN^!@on~eW%Mg&6{Q^ zf|%GtDMU5rNi&?k04g^6?z0yn9iC6DGPfhc%IclXCmfNK`rShHT`e93FGXh^-Zq(H#kLz9y-rzjlo`VYuPr2zYIKbp!Sj1?;jr2iqPpPy`(}ZPfXmhOH`VfHc~~ zB;e6bzj-4jz|Fr`oL0k!17GL6EubaX?*t5<{5)Hr&yzO<_M>{NKK66BL(K=q8!VVed zg$pE@2#6)rl2yvN8^75@R3*^9lW8hH=oMk{@tCJJ4F1Wy`$|)(JU)ZbuC?n8XJl*@ zHA3zy;i;Lc6wmgqmR5?=5t1aA;b13W94*Y5b@mNZt72;zEK$WLGR<&zS#!CKXT+X( zUGirwP!ik7-;{Dn+@-h4>Gv|bvf(Om8FI|XYVBqZjQ|#xPXudwt|}%?+|(LcR!JYO zZk73Y$waGQt_b>?#VQS%h4v4sbL@HB2&`5;tR0Dd8a7&eC8B<+*B?kkc+V6Gd*wu| z$g_AEayzN8*R8H?s`;t~inW-*<-1sgL8e9gDW^-jrjTeClFGsj|8^|~m@$6v{G-Q@ zJBUheNOAMRhe(QefSm^yW*G3$n%r`%)r}`=B)h=xXn`JK{_qBkExIfyhYBFrQc8YfsnUKWWkkhzkroBGp1}9fAa=30l?~mUSEs!|vTeFU|$? 
zm=mdXYr;tgr=r4=*RFMv(C@n?8YwmnN)!fMuu^Xd=>YiDyUo%R7%w6D_qt)I;bV@WwwN`0ZnA(6o)3 zWa1tSk^so0Z-aJ)rFrUDUlMz zO8%d3^hINR-_2mt5ZCOe=8c;TBtrfk=HpsXq{;zu2%!QISGb;))U3lZDeo-;h{j5X zAYgr1N>@1#XLT1ib)_j1ox4|H$G*UGdgHUFRdC;DxFjQoDW6%y-lXso<7k;hA{}zBKSF;#x6u|>-Bv`$6-4`+%`M3 z9^ce-Al`-E&^UwcC|<;6MwPy{5Cx5Z%bQ6vmekY`@n>UHGFkWUVx;Lj#pR%Jy%d=_ zn$+)7^N(u3~cKypXKyaID$#Dkw0B=wbbX!l04)*Srn8#Q(vj>vQKz)t^4~cOgyhoJ7F( zJ?ZPelP&i)HC35k$f*#lb@`1 zQ%Ja3l9j7hnx;%G4K+clurbidzcg(M4_ycs3|qQ3r^-vQlOIEt_XVFo0x(+;RUXE} zvgjL?#5TfMs2urPiu#$Ep*kgr#<7aTd6?wBwA1ji#B!|Om&qFLyfNIg8IXGUI zo`Nq!%fm~R;S+AC!|NE~4~!GmaX}aGT*vF3K|)Q36lVKr4)5|wsj+*4A{as(%ZkUAV zHT7xmg6`cH7(1o^9-{x@F&q83`f*B>(q&tTY?}0K^4zE2#tzuLmrr8jSLC~X{_-s{ z^KA~lUDO48vVyI=W`}0DqW-D$sF|22Ny}&SUcbt2%YBX1i`Hzq^*uJB+q&zO_`Nb^ z-QnhKaC)vf3Et&sB}=R+kB7UQqySp;*r;=KSOTayITY+S`dVLs&udF zIQZ_{JgQ6Ze!6P*0&gA7#Cq2M!yL3N&**L_^gQhW_?Pq2`<(Y0bNq25dP3!u>2S>$ zdIX$2hp2YBJ#eDrJ9nOI^6I{OUG3gV<~c`dsPXm~S9yHVV{Fy30C91)8PA>>BypR^ z_J7lv)3v=k96s;dDEq99Ugf-Ey7F~h;iR*3pB^hN0_Zyc`L5>tx{m^; z0i9PLu|)RItQkpHx~`vOmO}USg_ZA9IzWoh>qvX~k}#*?5QnM?G{{u3d>I*g?%i>C z!NuRs!P;Uly^v?7;|$i?_-!|b6CHzV-M+qP2a}Q0y<85T?L9*C3UGJ`oZj#mI>OPZ zTizHwCbk>(IVxG;ZEYrgSq)vTXqsn9slSJB>o&AGo0?0xbbjoD@2(x8wf)YWqx*U| zqy0FxNOhJ2>WM$FYXo=SgTbaBf!?~{!0G>77}cL+rDAPfUe&;|B-2(SmFAX-^X|{< zcR79<;K|pIo1FWOykRM8Lr4DZcfU2Dpk9%x8dI<=k7fyHZ^%w=r3^xiMkc&h5oS@^ znnHE02%P}Er9dgpLY)FUL3`oVi8t5ZKx@J1*l3UUJN%Mq{QlbfmMnB;m@|6LG3|p1 z=1U&*1%$yUouINJR}=(xG}5yyy($6f#W+#OGDq|@G58?6rxCe2v3*>$krakax_EIe zv|=IgL@6UtY#G_@8Cqq^Otk`ND$&LjRyb3S?I(g(PyQ1LqxCN;gTI;a&E3#hjn&X~ zEQLKTyqi`=Uz_Aq>o6E4(!=u$<24;{o!@F?TtJ0G={_YD($vdeUun4VpeqgnCDm() z;#4-UN#!Rjqp;Y=RlmB_Du>NW%r7VoBfnW>QsdWNIs}#xxhW&^*-~vFen(8MH+Z8e zmmSIsT~zu}Bu>3i1DQsN(2m7_a?QPWXu0T3D=jKAj{L*&_=(jc?1J0{F5$i7b7!xR z0Ccl+$MV(w4IK9^o1%={#)5l3wovSun{L|O=dxE`j{*KeB-nerN;@qSIlqV%futDTSaxt!l2)=$9WZeX0gFL8#Cy&_$3n zoJ+Tr8bzw=WRW~`bmh>k;>pL1ESGD-(zY?~5!k~Cu8@+&BZOO$R5e}s<1FUItb#}j zN{yTv)LwyYNUf>Wx7bPX3G|XVNu5e^EZjy5=%xQ 
zqZ?o_Ebz&DXCUYQg(-SwS=@){{k{7|!;-K_T|Rr>G=?#XT^o>Wi5ZN<`5U@Lb521L z%5XjagI&)qs!~BnbM^9ZMW;X{8jAh&)LXyehf0G=@wi4olJd(k!DnZ7tWqM|J=daNLDw!oDg*8)16*^n%pp9VaGSv+U$v|DgG&+hKx)yg z7zJXHl>qx*EiQ0lhkI8XeFCD@kt@wgddPev!l-OA>3v6{LjL;(2Q4NVXQ-&b{AexO zeSNqygP7Q&;u;sU$IpcXY)FEhxMR1uG|WGt|NO}eHAj}E8j153@F&9+Muu$vsUxRC ze);Mgn0PZ#xc$w^lq4E?qPZX`@Hdmb}0qa^byMp7PKA!%y`QonFBhXkEB)bB7j z0mIPvsHX$Tn8UMG(H`2EX=Td@C{IXz`COUhA}^#wgg}`2ff;534N&cv{0r^3(WGyL zR6JcX7|v>j8jEy7d-2)1$f4sZ0g}3fcmD>+1x#nqD_E6xRw+#3#O*d_Z-2MT^}=o0 zKHI8OI*@LrmawIo!QD+5WaCY+1$vk=PlFi)(FpaZK`5*V;8(`aVEAy`8P(vY*2;i? zIDCQI`FwNV4*mG5K@jyi1%8aZ$F zTY28j%Sw*X+gkiEOoF!ZJQ#bMiu84rI;kn}Z2)K3>4C>y0KPHrZ_~p~rUG}P@$h;f zI9y(%j>H>Lp4THdUyHMU5?NdGoTW}zx7!!Q4nV65ybVChw>wXpWIxCH_<9YSU*^SD zv!~hclhfOPUwWRZ;Q(vf!Rosx$y<$g8*L`GwO@VPHD3~dThF7fTvMJ-v(a56Z-;3W z{DRlp3sl`NLLRM7)o+XQ^40dEyj$zn`?Z1kf~KJl-`@MRPH=E^%dek1aTq*-VkjRD z!A}vJ!(3W<;1AORx~dkIQ(*%BZl#^%S5OXycGctfL2{bUh`b!w`QrKQ@UL69TS<%l zMwf5vXW;L~)IT(n`eNZ{+W88iG7?63|Uh-0gN738B1v;!5Sya|DGiv>Nd z$IccA^w+QcU_7Qa(%sCqIosQDpT#=)KKE$11O2viE<%d8z>^;UzEC~P_LDr_OP_$1 z&m6knTGs>QxUcc>8Q0n&xrXlT6O%r8PH+tp&a3z0FbQXePT|04l8!{zI%kmaEXTXw z3ME$Uqc`bk59OxSNnhKE6-Rk`<9uf81E;e*+ik3U>>r6u+slR-z}F>*gzA4U!w-x zCizB5Wink@j-yyks;>yWRNrOQ6^zO`PhE9tZ!XcR-gT(V$)`ghd6y{1=4d4I@!`jG zP8BJsj3+*4bcKquM^vbb^O#%lE;Sq^t5!BZ znqVnU@@cDdt&6>TRjuJ?7NUD`T zT#!>TV#DV$c*#{Y2)Lw;3WRnqc%gTy^}Zqxr}%R5gl9@j^}0!+&;4r}iiu3G5=d5D zr)L~AT5lACyf~(S*2f8fR(;?{$(+NiS*u?YscYc0@B)3xl4G@g{}Olm zIdf~Zd%a6Oefb}-|MjDL<#z%N1+9GwIXd&^BDv;^;lH%LU|DeW)j`WUvCpSWXss={ zhg3u-wK!1wLPqfF&Xo(~eCG;KmUEZyzIyQ-KXNpxg)FzK&$51)T?wE4*CsF4UKN41 zX=9Sv(fh2gK?9Ki4Ce}dQFS(;)+>rmnSjSc4t1KKf+FLY9qYtE3k#O#ly>S!!)@fQ zJZIzIWxw=KQz{zePOxpNgy3HaDckrJj{RdJNlpkVxR`$@$rpMzMs8#oGh3&mh79bS{9x>nzd^pkvRC+<$%txhVF~wrf>C0%y}U(P-qrZcc1}Y_gt3 zV(SSxCE!4@IwOxm=DF5YLz{MKkon92^cMA!e%!-L@F$5YX{BX9%Ok|4p1~V{B1ei| z0GnQS?~|6Fh25$b#lU@2yn>{FgA`-u;(!nug`huwgu2&)&17-e9| z`Mw8VVBlhhH^}#%-kAG8 z01iWzVjp2Y6*<{>+b*3IJ`>pnFb1A)UyHDYhT#7l!Pud_Aw9ST!a{x?CWBRxsCHIm 
zMdkNJq<5aH@umS*>$TM%|9I|cIoF1#-v@CYX<%H7EoJ!uQjRLfO7$lq#}mv zPu&9#bIpJW$_5bnaZI3QnLCT{SHhadb3zfXTR(m0#&@B8K%2;=$2Py0^|AbT%B8bV zJJ>ntTJU8HbkVUacth)Q?Dy2+S8I5Ek>h#%SxssTk798J^JEC!X4A~0{c&hV=vM7T z?7Z)VJSlRMx3xcjx8H`xHZn;+y;=@BpVsExttbt=rc>m*C|Z63s8osaKixcg3SE`)C~f*Y%g3(# z=s8t=s?{%FbY5TTwmo(vJ)Wc$ez`Z#ZQN*_67aSCIPSO3B>lKeukOBkVq2~OoO?(U zx9`^7O-w5ybtlU&nd>u2@pn&qrC-(EUR*b@+L-7*wX;9Xnct?E z=UM2jy1D9btH;(96!ji$B=~{4;PY{RE#!N3(%l^NSlIYsf9<=R<@HFK^9m&2&GE~% zDsJt*kbU~ivsHNs20m;Fq-zVgjj-f-wYK7JJtMhNHt*Dzc7L?_K3cAmq@bn@5HyaXuJSVCgsl5n9$ubHejlDqw9O|cXWU1)ZO?+wAT#4*f~^Kd@r_YK8fqXYD_WVW$kPlj6eE?@mXBT`r*LJol-!O{(Rb93VP7`6|7rSD zrT>ZD_3zj;KRiy7e{5RODW|CKXx$vPJb8g4AOhZct)kG*5-a1ywm7Tz1x?JG=-XetNqbrbX0b#(dV)wJz)4>)Lz3SIZSanTs{ zQFa{VkG6fB9~K6vI~isw%&7_lW@)BaUO(N+d7FIIwWwgTJu&GX$5!3H^O2mn(y-Q5 zIaHnvWSj=aI2h9%y}hyp`^m{?7uiJR;6%`8!3?1DT@h;38eL0{mR%(^tTg)plTma+ zCN6Y|W1_t;)TOG4P{q}+7#BggpRP{lgnKUuhmh8UQ3K?>>CbqSQTKZuuxx5?5S6u_ z*m*Na0uKb@Gk>vMi@uvR)GF54v)|h{<%qs=hIC6C|MU1_w|{^k|vD%WE%=!RA$Fe$moVfG!}%ly7n<@#P^n=)u` z!ll&e8{D?NK2Flagy} z_vl+T%x^XPvZ(wcuVPm(mFH@V)MknC8s2pA5p7ORQO-`{sJg3fOfa?PSu`GetqM;L z+2pICjr(6uEDD=~i{uOQV;+m^q6)f#*ZyWR^21Ep?IaG;Xx3SD5F<|CRBgU|3|MG zqaBivSv2Ag#c5R2)^GUy;}L35Dc$m_-QoB4Ft;l3N!bKSNFKYw7 zEg9T|j_~#NkY^{@n)DP+@tjZrp2q(Sn$g|s%Z0D(CUbaf!XPxz#M;!$UDnFDCBIOX zDqc|a$*08XXZMFq6ctc14$>u0{^&qVz)>&ruTQHqVoi@+iN9aJhX>T8wk@y_JbTN!u4KiENId3tqNroMOANt6i zZ4})gi_@{L+777BqY5FA`$dAoJ&?3TIs2;ll4mPmuR5xlR2V+VSpW8L-dW)G*8HCE zfP^mybn?r5quOir6&Mv1WbIT)*b;D&2Zi$XsI^A8%!EqnnOAp1$U^dW)SztJMY!S$ zIEAQR1zf;%&TU@GZB@+iUTA)ow!RATF5U@_p*7a7^{(%>cFC>XUIcuM(1w|p4C}&f zxL*0;ZU8tz93LSKC$|$E#+w!cey!IU+;Y=BKb{?@_!{5%Zw5aLJDBJVyABJ~m5iNt zeMh+n2cHL`0-Lw(MOIUEcN47Ry1X9du#Zo)nRqXR9>a*QPKcj?KPE*Wal11+-JSz> zLC@W{CBV5({pT*XUIRa1D(%&Po?k}FW6fsw4UJkT@TC@Q0u1Lbuq1fKw|Bc8CU=U@4kSYx4a5V*W4XfQ~ssLbEMwZL*Y$n5iBYG{42#sK~U6@E0niR8+H#jt5$r$H!VM%J>x z(mE>8z_=iSemZyVIFBUOsbcWcMSr-JEzW96iA_CWpGLi&4V8k;*-jl=e-WBH{{S4) z43)(hjoMuamq^TASDBP@+U>O2y&2dNErIUV-Sj;g(%qNgW!9!ck@t2XCt}-Mu5;h({rdzM6RPt6GXLOJ$ 
z&_)whe1--q^9siRY}+)K-sWX-$OLRDRLUa55}T>)yrT9gm^{bm6z}cYwPF^e7O;XF z=42%E4C>*O_CAw^2UWAn);$1vP>lBfn6tq$A#@YNyevnPHsaE^f zS|Hphzbg+(a<`~lYu+$Cvt_t1FGD^(q`|-e0-s`WQs1yvZ+6JHF=B;ysfFOXaFRxp zBbF_CB9^-)ExCXMoI)#y;_8lWGTRV(f>LV;9P62F;~utE?Z7Tv$Oa0&t73R{ns+dP zJ@MZ$#SU}PChSTSGNv19bQ?8p>j;*K8V0bdA3H2TT0{I<{FjA(mO>!8T+L-rZRC7V#hEvRQN&Z3Ge1MA z<)lpXuTdpyZ1K#q#U_|s9;X098AD~|DI!p*bK+X+cT&|C%Ym|9ES=C)1%Pp^}O6?dKKC#?qDSICe?3fzvswm}Bh2^pg7fl$^hd+Df=0Q(h{#YeL5GU#|0J*6^#R9&}B##JPlzVd>5d7xxtO^c6{|^N#SF7iAO5k( zIhdE7Ffa=o5%ie*OFBXRLd4)s`LnjhT)YjeEzBEkk4@b?kF&NvW)ltgqm}uESNK!X z#swjsZ`vVL^(~^dZKO;(ly4H>l1cf@4~rq$yW(8CL{Pi7UN!sVkGBqDLh=eEJq)4M z-_Hu{m?y37KNyg>i>3WKG}!YB>?Y+b)Zbzikyo4v8dyphyXBMX>hmoo#XT+{k?kiG z#c8Tj6+;=@UtN%j>7BBp=a36RJXQE1h{e&di`R0cP8Hk=3V-Eb7y{Ha3!@pJAh@wR zkeL4F(3TE28I4jhyTh~o$Zln%q|c!L>uKA`V^m;Q+0ngjE&ReU zH}oXmbk_aEe*k;|Ly7N@{*c@LhMFt)UIrFqGswTWekT1o{u2(#e1&!t91aWti;n*S z?~p}W-mF3}#ef-KM(<0z;+ZZ`y+qo~+NGIS8Ma)u9FH&D<7Spg{P%ONt*!#k`vUef z!R}Ako2@LJIj1SPLV?qmE&Ar;q%y5m%WBNJSCg<_VQ%)$Ehm|;&MDCZkJwjBP%Zy( z1?%$?bK~G_iWlI6Y?V%q*j@C6^K6fDq zT|0@!f-WHj!K3v-=w;)o*>edYJM8h`uG zc4l80^nvf|3aT~+IPYKnb;in9UI2>_fz$dvod0{?=Ji^3(EIi1Zwz7X2_6TNQ3d z!$Gs55?`jcA%oH_W>fY0GkI0i>jedFp_p-5e91L9eH#u72xfaO^t!%^*zdnY!V&4F zZO`Ggraec*Hkzalz4h#=mQ)b()G{2fzsCKzSUD}Kl^&qQZTy~DZP2j$cPbE#jZuKXkxX80%1&qsu0G>ovp z!kN;;46X~VOS7P#DiUcK$!in^?rQt2V>WHZV+(+>|%{wu8ab?n}dl{FdPltMvwbw!CFJUpFyMMacP ztfGXDv|?*Uv*a~PhI2GdAd`%gBqhJ+o_K0RNJ=a94d(GK;HXkFLkuGxvU>=|zznI1 zp6@dATiPGP%%O0poPh}OMQKjIU11+}p`NgnlD>Mj(~KmIdinw%9@1v;X?BCpYm^y1 z$txPQ@;k)|FZe1Q52bcLrlslrZKd8}WHhEXVfNX8uOA!lUxzJH+V{?-tZ#gx%wuL1 zlaD6}xLz~~ypGT$F#41<#q;Xh!6Pu&v5jS$uA*G0+K*;kLS%?D7Qb5lHHo-D2r|C6j$iXH>s3Yp=i;E)FWEt9&@(p*_!w~_TyV=k`o?ejFkUM714Ft2oYOXqd7$ps8tTTR()^W-F1%H&>tqL=8 zJ7WDVJCa&N#D$Zs)yxsx)P|Dg%Eok;jy1in7DuWq;9sd(Xrc#Czw)!}cZXr&92@LQ z(Zs!3Jap8)G6OhM8U^=VIpZbhIH+(A%5^Q|!cL`TYUr)vaNM&Mxdc{cm`#(vQh7YV zlm;@dJxojJ?%gsade@sCYp$68&%Q8jF!t}>IfU>#l6hIw$n*!Q?F_51EgAck2fftW zN{0>@&Qk-v<5E*GE^Kuc9Jf^CK^;4}Wegi$#sVjFd@m`D-#epvpXRA*JADNB#&T#R 
z^zZPH3W+95%O^P*Aq_FUJ^a{NTIH}P5p!kSiBhR@^Qwzt4e6CClqV?wJit%QH-ziob24?kkI5AMFm&P2Eh%pfOV%I0>7p5%aBr)ox2B$vb-+48a z7$aO8ehNUh({H=Ys>K)L+ZoWGnJ*Kg0$~g}0S(Gt(9@M`?F2A?3i-~`3v>Pl{x@-) zZaEipbO-jQzoZ1Y9U*|yXu*MCF><0DAy~5507&rYM+mrg{3kf?2adQZ5oM|!c)ClV z3Pce!sL5hkqwD?hi)-2UsCc)3sh_98-tp;Q%dw*wadXl`pG1$YGiy*IV4~F7->1zZ zaB||+%=9p1s_km+JXWc?Yx*G=TX`d#)yok0JIMF8)p!eD2W5L_YPVJU ze%a|hTR}5VOJuKalI71o4%@TPe#K@77o-Rmg#yW?X&_qYgfYL_AC_8hU(gH#y! zaETjWj{GSvt9^Fql8jjdz29#ccn%hvjsdsjum{^c;F-_#>`50? z&gGXo;?lY82d15_7!r?Kz?#tcU3H6Jk?WhQye9bA-EFhER^;*lGY#B5=znbOxAibj zxz1ohX`f=PEqFA^V&pILHTU@})5b9u+4*%YL>c7$s-5b0Ai})u&UY48YxL2mAFDu| z77&z#DH8NVzj)*or`%lkVR&xXbNk-P^59JGWGmu2rT4qmb@;I~PMQBT+zpjm*@wx^ z;IL&oE3otBXpGRY>GI_t^z{)+pzmaEj?eZ^{(8x8CvR*wd=M~1`w92LYY6iFwa{y2 zK`A_GLExUmAmD!V67^a?(#wCZgx2^a?t1(E>TJ7bm**yD)fhK-ISx2fjEd`AWEA+; zidzlvm-gjxa4OY`^F9YGoz)V#Ep+V1T=A3fpC1a~c6o1=_xQa}Xe+No(gwd-@PJ_ZSAKh?e{BZLBOhZ&Wa2S9}cP6c?(-~6sHUZzDV z!R8U4j56JXk{Fz&1YAl{QxQmA7X$pq7o&7t-BAY#TJr3VdT%Ae>;+rdz#41PspTr< znbnZLC&h{wQxb!17J@2%N0|0$prZ;cXD3S&TZMqbYHmyfe8H%VoOY(HunkT$ zGp0DT*`BR`hr#KqWe>E{NoPKvWkGhbNijpaFLx&4*XY?$Vn$RXdfDydmtWO0I#t>Z zQa0b5`pqQ}@0-i4lZ2aQurf06S6VIYj_D;F%uop zA>mF%$#P=DtH#hbbD9Tjd@>MfGa9kWfpD&+Fb&A1JxW%8v-Mv2Vr!Un zYUMA5+0B?FW)?N-c3{W8wG>C%2_i^S)+%}$0Ce|%Q3P8G`Nd<>kNz#G;)kQc_Q=SU zJhr0|P_ty3(`mMfy&d`NpU`VbphYkW@RaQ8ov?uR{Nlz8{WO9^ziL-K!hxp3P~pJT zXRoRaJJ`?*L&U?VRQ!eU?lG`dEYxcF*`A9@0d+13$%4-E7nx0>R==3jK{44+xkG+c zZu?`#x=KBi=+&k;cepN6ltr?yqiC=k-JC=WgDZ+EHCu!Nr%rwfUZ=kFKj*mezIi-C z>WpX-b;kD{P)St2M11@3Iu815fu247IBvWUk!Rohm<&oS0>!b9uC_TR@cDn?EYy>y zDE1Z3l=DDqC08H^A1+T$RgDDAnrAg$gCW``ZC~fAz9bT~IFQ{~>a>#{@ zLWt;zts3|0ax(>=PPG!mydCBxmJPL6dj=8X^ou)M~1)SL`aeX}{$;AO6nFo<2>7za zy_WLCt6w0}{NWsQECN=1-R3_v1MpsqBsmm#@ue(&Z(^@`1$L|;6gs7kSsuz6lB~@q z;BY6CoFW}|t~33~lfn9FBWFsSVluZ-_V;;~U7$+u)HfDR^e@M#o$RILN%AC5#-h~s zX8mkPPUg2kzvBa^N=2Br?S;)w#?;M=7~!aC|LXjD8@{ za#UX5G>IGvR8X58}34Lyt2xroC_J05z@wut` z<3Hpg!A<>#BW~RFyKm8l`Jjcu;Dy5^1Hpd=UE=^@rGKzS<*gQ1fbV}3uW-~DdGPoH 
zflebDcRdD{o6R+nxB-_)74@?)J%N{oj_vQu4Oc!MApnxV$5;Q_jxKt*P#L%o+Z8;~94J?VZvl=>e0R8#i7#2{40) zcAb^RXo*g{-)<7_H^=08#;iBas=DsUhe=<0QE)pwhSpx+n+mo4onwZ^{pxWsmM=hs zX6NCV!G=mlUIw=bF@X;!nG%-di$a!nciL+7L6b)@I_EkV= zcX|8G(xmY6>+Y&C?^#Pf*NkapjoS(G=jHmHiQZ<|son3rnAETZ6L^7me9>)Yx$TGW zD9;?Yd1aKXq8xA=J(v0fA`}c<=+8WMHVOm|Dkd~8O$Y8)jVrI8w&#}qV!HABK!GOe#f3L+l#ugx>EK^}D@bx5*aH(^jox(~iyYY!`~)ZGsQLb~?7luRm@~gh9kJ z`>pH$-&Om9{FfNn?uM~Sbv%Kv8h=1e$-Cbtj)tK$BvS6EikJ2} zmd4q5D>dvmlWI!*ig@NS&2dQ%VTl8=xPpt2ca!|*@p1Qbt@DSZWEDK-<2M{+{KwGX z%X*$fpVp|=P(e{s;bpmu;7FN8M#)thd^stH?1NGJzLqVP#AaO>wrr;R+QSFVoUSv< z=hX%u*McyEo<6Mqlw|h2PA4va(S6LLm8G(-$iA!*Q7OPry}GC~My#sVXCm{~Ee!qp zX@jBL7+*=_4^dSTo)lift??K0wxQNy9SWMkBpSKtUA7?P zi{jgxV;IlBGz=He-Xdr7YPT|xIysS|_u zgFgg6EKC2pRP%S6ori@lkIXVLjutlYDm3~{g=acnzpgKH5SNEE5#(xtKBctaMyl6s z0voLb2jmO)hYYSkJIjJp$Tgi{dKGgc3R-ht8LrD<-h=$ni!YHTCA%*%o!qC2`Y|P< ziZ+x7YjYQ7QU*FnI~pB@grbYMBXSjITytUxmbWs`_H=CqWVB2!RVBy<@;)*ZD#fD3 zLJt6FEw&0@+AFc9SrvAa^DpJyKf^J{9B5#sN`^gxPrp9ieI4zH$*U-m_2&#Fa(D`M znm`(B{-y6A+WciGiG&@#jTe^JyLF5HwpnWQdX%Yt2R2@GIm4n@Kva?XXTI>ExJ2BN zCQ@cUjG}H#Y@x(b6Rt)v3HO%|JWm0Y84?s3_+YXnw)Q}r)G+Q-&YK1W&q4IpbCyiv6ARPYYz+w=w)4ANMW21?WZ znd;dNV#Nw2gA6s@!+b%#MFoX0LV-doRfxu!nQI$3L2lBHg9BR1&MgBRn?lU|_lUy+ z+D3o@m~~@)!DEn5?FAO`V?Qh`&UE0lbS>as3pgoTS;7NcTwCsWTZ39P{4+VUYdZ?F ziX7s`0>8v-22>a5*?vca-E`Sy4zF8m|6P6mn=4M_A@MNQ4drj^tH(3LTSsXXIE8C# zv%CHI_`Q_4;i&lld-xJ2`^WK{voqhz8ZcxzRbM4Jo*Cpk?ls-Lf8ep?eV9=#boB>%IA_W4$FzEkH4ooV;89nl@@D>FPMv56ahFBy zc&tWglvC@pbLT_2=VfsWGPlunt8-0ha*a_ncO+>6$+@Kw;5~j~h%lu_#Q8ll$L!kM z>sZ3}^1zFG6VM@V{V8^eS7>Q}*Sj=V);%7hzl|w$aDy94$ZY`3ia~x`BHcm<9ZYHmdDps4 z9tXVwd1}^t;tDy^O^QXr{60Vx#$m^xgup)rKFfW``b9?I+m;^Gz{hHdKdphUdxx+x ztq`R^gzmk?p_BS8*Epe^D&P#)Dxrw?S?jc-=f@piZ4TMz(KxM}%XzVITJKmBly;rf zlzvtVuJ#xoMpY8I)^vE~Sl+gK54hH8C%6QSjrQ2&xQ!}hV~3rlR9YXCwu3OAbKQ=f zQP*r1qXO?hpOuaE?|@Hn=VtTWrhuc1*aFJ=Q+`}^Cmk)bPGE{+T>6#o$W-)$v??B$eT|(6O>mctV(=eIk9#T>`5L`+?Lm3_~_9 z;zxC!HmDy-y<|U1|456M^GBIlk&7we12DahuaRtrc}!JaG@sg1ag&u$r8ie2&6SLX(yYbgXoK1&ecKrZpe`I 
zRJz!iuP{Qzyo`H^M7S6RQ`$q>c7DCS=>#V55Dp1+dbcI~*%T+qsIY|{g+Gx4BTF%B zkCz|yu$w|%XA3w&HyN}_iRu1TMocZ~?bE1KxBwgQ`hu4@J-6X}Ws79Bk0e24xypEt9MCYD>Ae*6x1%Tj-+Y*|;vZHEuDjTk9N zHL`CE!P*)xp%Qlwt6BXlc*xNsI?5E|4vn2lo&0l9MrVF?^UCn4%_bg9%gci5Xcey53U7v!Rrl;jSZ+QZP3 zrW|IZC~=k=1^4hL=uS1l^s2PMWCd}`LRsY_yyp1al~mLw8i$nF1&6&!$UBF6jV#W_ zaGsgFBp4ydKjjuS67h^9H2;Q(`8lEhf0zxK`*LW5Pw%RDwA?B#f>pcvni+ucl`RYz zN#bcVV8RfVt$XwjLlBQ~f~MsS8yz>;iwPGr7?k)QdN>zU$SeyaHJuyL?&$MA3lv+1h6*z)=?uzAg1H@RVB~JQ>iXoL!|4d3uVuX3KuxN^MY-^W6d|6IP9d+ok zH~hNsg?CqTK}DiwuK4J&JWKra3|0DpbenH|bPhYKN`<*mvcwC1QZZ)Zs}*Ste+y0^ zeTjIH+k=Y)s5#&=Eju~<_}5l`nmbr6f9{>>Y9i{lGz73N8H?Kk!NY@^bW z%!6t8vsfL5B`W{Si2r(KrVymV+S5nD@XO@K7<6wZ^j*N!Vzrf+NN}lAugBJ`n?_=W zL(ihS<1(u;=BI|Mem#hu8N*tGpyKkYcHPETtEiyo%%I~|Z9_Q+nkkQ*e-mQ}Gb8C+ zV;!$`*lupA>yH-i-SH>6X~#zjACJ?e$5tU5#Pg#{=T$!5qrI{8AmQD^q^os{*OchV zA66hBAx!pqAh?<V{wZAZF;@R^9?z3!>Tqfr)_S!cJ)3^WYY;y8K{t@ zCv;R{?7rpW@Hn}ougT8}2BsZlPFp^M_B0uU+lTaOJ3+mk)rf?TxiuXpb_>lzubobKgXS`S9`r4TNfmQqX<9qgBxVVsyEx;XKH|<=)HFP@*i? z2Q=`YC7r)~xhEi^(O!I;t9UHrF^As#o4Mmfo`<;OdYWbJWBPbIuaza(N!Y)&*5Rey zr?YXjRb)ia_x_r>6RQJ+$m8!Ea_Tvu-m^jpZr*LJjWq@q1P*wzRCn3*)YiCzyudeM zzuTB%*T!B4J}QkLw|qw7b05`;SwGSC@G@o>#KFHh7dj2DHwF+Xmvcm5sf# z?p>b~440~0Gn2gJuLsgb4hW4mj|9pel&ZrjI}Ku(HxB^@=F^AO@4MAFIS*@+>pkAH zLefSziy{F~x-0>w4EosuL^&;E=I=d^nyx&b2{k?7onz9@mo(Z-@9?^v(+vx;&Lh{~ zOgdd{`3hh*_G1)kGYxZ!|B)?{IE{wK~ z?-r`@;K`)3rICh2%v{c`x@riRru$sq;oY34Wk0nipiRa~7uU914 zLT%GnniA|9jn76cY3pdelYMsO#Mvv^Skl4P=~o$RoUjqN+%~C@+$9hBXe4sN3uUq_ ze_gMr?4BSNrKsl9CmgX-EL1u)KlKgTqCtif->+$3i;+bHKN=5ks1Tl_;@C8# z3dI?KxJUe*JU?709y`_r0h%PC0|mW>bBaCKD%X+O5=e@&AL^?wFPn3s2_svBup}!} z?7uRa_Jb=5*RnfxCTA|iLEO%rYoPyM9^V)Sf84tvS+qB2E&*9{xKmO&&I)U}*iU|_ zARL4e0ox>4+Ynp~cN|u&)$Wyn1Cp_s*vk}mQgk0^8AZc28RhpzG>+=Lvb99{P_17L zdg@Z@I_;v!>jVQwc9H;zw9ADE#@R@!B}MVt=Wx3am^nrY6S;a^Q3-zohM4iNg?RS# zrmwMwWoyuM)w!9;cd2r=%^mAmoZ^%6d+>y*Qf0dM4WhJ|e-w+5OZg3$QcF0iwRdeh z98d%1(c~mrBk`gOp1K}pNPl4_$TDP`R!o|G?y4G0c3<;WnKT>@)aPx<`_&y8rFo&W 
z;M1(Y%1*av0+*moG<_=?INsJzGUfjvl$E=Czln#T^IF3FOz}J+%v&|j5-ZfyE^}=) z7H>2atA6~f97aWmCrafn5MA|&`UiN^I6I7t`I<|>)UgWpQ=yAlNiSGLG1^=eQUZv|fFNw%Xz?>)rS0tA|(H9`0}LYfTH!K6$?v#$!BvejfK@Va>ld zps*8!EQrQ&^$1Upsf!f8Cb2HsuAKJfPB{hTel^Uf)~VMMgZm0cmZmVIf_8`~p*cRf?R{UfkAVTa~LJ4IF?=*{p=+nwF2_ zi+2lHpr^nVsR5je{9N;n*HztEZ=lj7UWgW|@T)t&)6W~R*9(R+Bpa|SV^Ds(m3N@d z;a;)j1dOq={?$fBv)#3}Um7`ut zbfe6I{Zocm2eI^w*u|;olC6+?O3zs-WiWGP>tu6`#rrS>ze+;TC>wTpyqZ${L$ypA64veK{|C9~9cM?o| zzgy>lxbL}*n!NS_laRlxmTVLB7&<>*t168crf=S~E^z=G+ha)dy)WfzJjW_|P_$X_ zdi*YLSgPyRnk#{Ke*mq{z?-Ufitf&#ROzmkGqLBb_OACiWp4S$J%O4Q8bLQ`_Y0O^x zn^9LEn-w^Zq_{Bp^4CIsv#BCNZ=Po#_E+8yns1<((&Hdg@0rnaaEI@GeU+2(-HuS@ zI}eDc{cdhkOU_f!*4@6U=V?Es`>qejBlO%1tcVk?zkeL=c{(UQ4Y>9-SteEi{h?Lr zIm1m!%JAxPIbTFIYH#-&jI}lZLC*Mx(_>lv6$scFSJi zJHn9Mz4VZ4-j|t_YapHfavZnMYm}dJzz)R3AgaK@bPL~2ddvXB9U`edrhI_qu2Y&D zV!BX^zDwA)QP(-9o>F5zQU8p6}Lm%0sdy?*^| z=;e4%`&;PseLe0zu!E~@SM3?x6AcD~@1}z;MP{Udu-}h|z{-U{?LNm&Uh+v9V9&4h zpY*QDgaKJ#)^Up;m3WYXQ6ds4nANj;VBFt^Ur^ZvAe$!e_$+Yh!sWz= z5GX?s){Q?1-ddMk6ULq-S`nn&#Un{cGzZB7=5-7jgeL;v#33b6{zhUW3l_Ss80@xxC0Uk>tUeEPRkDD1nRU z5ep5z%jdV$V1l-D515&?2G4w(Q0ikCjHE5BP)*Mcf=%34;uOF-9vDcr#Cf2N!p%QR zT`kvbM9qM1fd+!RVSb6ildeX`zl$KMe{FvWSW5vl$Sm$hW=}B+rqghZKnb*&=Bejt z!jebh(TFYd!XAwf|4H8GAQ84hopZ4?IN_o!qcInU>KkCbY+)+fU`?(`!_mlWFd#j- zpEnq1xc!x@2B^a5z~B0=$S^!RDArOSnPfvSk6Eaobt_9op+FMm!M!6uc7Eg0o{f!*MfR$NP|2GmL0Hy4K%XX=kX^+gF;HDmJJl%%=+#_yBnBeqTD| z5zd-0E8U;TIN<{IyxBHvp8-adOV)q;WH<=EF`bSOMm`|w*zr8Khe!QJ4C?z+So6g#oT-Bi;`i5SOA55;m7R)f`sxVS8ncL>E`>71dO@}ZwhKIb1Byxz$2!8G9;X_p$b zx`cTQJ6&pMoDDne{3q18PsosA7peY_`M6Ig5PQJoH&15 zBpwp}5TN84mngM-=HM!1AHj*lFOf!)52xog(3F2^VahjZ#*s?+(l0uIIryg(`9)7R z_Ipe2^sgzk71S>8>uHTQz^JIQIks+(uG??BNHhhy>j&?3+#54V8_kuU1kbQYmJg-Wtv0D9 z0!Yysv>8PZY^bpfIQl7mmuzJoheZrxc5`r)X-v8|5oOpN#q63VP1Zf#8EmBxwb%yL zngrSoOUx5i5j5G$cAjhYF@zF@^q~_}+B5f)T6UrH0cr(xT3rHW1nJSgTH4q(301Xx zhz9DN#5QyOaR$p~%K64`GB$SUjx6;Tb{1Pnvuz)0{FvjOuZTClbM0+~S(IfN=8iDs zb<*EwM20PHs%Z(HnSl41XknjM9XuoB^TbFBq!q&8$Fj3d@@=8y;pL`@N-0>h5+bF) 
z7Zb_Zi5K@EvYUaWd8J@C>$*6o9bn`IXm1T8H7e}0*hh5g!&&n0GbAAwr$(CZP%V`Yig&-wmH>g+qP}&(|di_ci!{M z{Umw__w=k*fP`a>A=QOYUjrdX^JofUX11s!mW!Ta5j%s zQTfp^r2_2y#BVXzk>J7-81nLcuom&EAR^xBs8nN9xU2(zKfFq?_%u)67Temr2Rk(0}+&F@c951d3>ziw24;1BJ8^8k8(vHahv= zeRM{z$mNkjo;-719UK%shaZ{>ua@Ekd~z(gFzdS$YD(FD|1_a*6s$A}!2L(-3l&&$nwnVKEsKXP$`ty z>ewCxOU6OBw0jF(R}2wECp9&1S?!0EfahIv*RL&(duQe;_r2}ghh6M~K+kKP`s9Sh z((|708Byz4_uKn$L~YMmhRKU`?4W}huyT#upy}$fcKZu+zt}p?FaLwCwM!Cgt_sm3VKdA zd|eT!!GB$L);S%a9jwT1*eG~jAIoWdnttl)st?Ea9}Fm8UA}*eC#U7JC%Db-Qhc^6 zm_iIVi$}6=SiuVR<)p!Pd&Ls;%w0b!GxcQlI;w-5@4)J5G_tC0yBs0vvgo}3D@xRX zN8q-T18B8+dMKnnG;~{(#HKl0%BYpzdU-9l+|u*1OetxoSpCNJephvALDbQ=HF2T-A$1=eu!KH*5 zQ7*4Ld_>j}CMr@fGylO17o;ch72RDcwJfK6q;p_ARQ4$0z?OoV;gN67q}3pV5bo9h zS-a8w8)w;o&uU?}RX3LlCCMuX=hsDj{#E0Yvs@-Cp4hZ>)hG+ANoI$ZNCBHoC!;DVCilNT)HBnH_y?S441FX3#!z zUuB|yb%^)f=3BS=n04>pphjhiKyj}&j)ZwPB@Q<^LL-B{0-H(1+Z{aX-Ku5O7Z%`FpFR$qALy@ z_;uN2YBMZVxWTMQ<B8%<0b4&ZD4z3l%%l&0m%7S;Fl1lF7Z zx;K8Mt-R)vuR44>2+7WaCi*&|a35s6;f2~_j8*ERDdr94MlrRk|K0_A(eX2cM>2;M zCpqZN*3EolzukcP?paG0K~+|rUg65jlMv|86O+EXqQxE8AUYg`(I){6vRx=I$_Zxw zNlo+bWIhisy7cGx{fA9c$?vqkgV;!yY2dK6>%(x*OvT7eaauIN)V+`oEa72QI@GiZ zba(KVDcC$F!R;v=sG>}W1+e46J6yU}?l73csiTekchwky2T;o=4_rwUW8W*Ozzxfe zwYC%nheeKGa`a;4?cf-4VJdF8R?iXCW6zp?Ntr3@X#&kj_8a&dXGSW~t>vsj-E;%t z)GhnO=lJPKJ%iNe}Z_CHb8VVIesol>> zAWNk&oRA3KaGEZmzRf!{yD{qHQRmFYN95~`2stefb-8{RGO^X{c>JW4&iTs&pSC7-qE@mUa%3F9^ zi4_d3Um8N9c1%)jZ3b4Bh@2r%SpmBFMQHfh|E35YS-=$3kNipS4*f|9>P-U!N#{8QWeqDJTYZtz<1tO^ zMdABLSx%#}Q~0kk0|1}rQBzloi^|l4Cz@P*{*MAm3$Tyvf-OU>P0)-t0Q0i_G3$bH zndxea?SQ$I`>lMLpYtU?Sk-07PCmD7QPqE&?Ml-&z%8J5@=$f+gh&9eb3Wyv>)15< z;rmeIZ+rCb<-p40?a$p4+?MZgzi2$K(G+EgqtEU|Pmgmt9H{(?r3G>pvtAAr~R^8)lk6KDIMef@om4cN|ljD@v3bk zprq$RyesVx^F5$HoLhAZRPtJV#h>13fl=|k$*``N&)8zCxMn*k?du;fsq>{nKN){A zXmd{ZyX9!VW3z@!Jf&o~v#zkoezf z+jT8J)t5^4EW1BHSt$eD9^}95+Gme*m1sJuf?Iph7o2VH_47j~>4qz>A;78Cr<6C| z4nyxFo#n1I`5NS&%%|&;@Coj1&)iLpw-I3PSc@@Z=eRE=*yqk8(xvvZbnS-dBHEh$ 
z?K1cB0haz<17&wsLvF&4!+OnX-`$gzTEVxEnCPjVhPFVTYg6uI5Eo$cN|q82YeI1U zPWN%`boj$Di&Jr(;RaJ^a-zy6ANXfSwnod{6FOkv)S3?Bg% z@6Yd+&h@-EEcE8P|w{VR0~{ttc4`LOQCAGA+Tfx92$!D8^n2_l$pto zWoj=o<_izfbktg#T}T@#ZOhE_`vOwK)!0 zgGxn9;K{}lxN$)di7>rC8(p$6Ojh*d55gDnmdFs+(&y>|5Naa7jY~G6P!7TE?A{0* z=53R>x3d#^!Q+JwzEU0aagcHpDO+2)Q!m>1BJk52Ipf_`sg%C{%|kiWsgE%SE?}dz zNp&knFYBS4X=1b`i_R$<&c1e@)hYAD)v47G%Z6$GWMPgcO60@*HfTlWk;x;CXth5 zQ(#H7Rk+*M6s&aOTUbg{NPR`}*VE_qI*l#0+XUF0)q^LZfWvTuwL!JrV9?)wXrKw_ zGF6RImDgt~V(gumL?yi%4W+eX*rh0|h|7;#{XtTp?i5L>*Z*^DPEehK;ah|&BqmBl zlZVs!YZ0#wWu5WgxlJgkHY=U@11f82Q5VS{@#}~e6as+oREkfr*m6xgAx2W!WB-u*dI{Y8WcYy9kqUWI_LD|NQ_l+;nISBaM z4)L#@gmL~i>{ddxGIiclFX6ZPSnK#e9k^LM4__t{?udtGtb%|>_w>hn=eQ2J6+mR36U?A}ZS4f`r>%kIP~ z15){7Phs#GU{NOAsg_9*ReScf`xIE5ja7B1 zgdTF6HPQ7RilPkUIS)2wE>({f4O1tr7k&-Np(zjjoAwt)IsT<8ZjdXuT(4!#YZ$%C zs~csmfxbMUFx!qu31eJZHID|9*Ki8-(|h%e1LWNOm^(nf*}VanzwTLR$XAH1c>M5^Ym8iWO0hq<6HY$3bK*`j_tB15j2{%^ zy7497J8d<_{Z;iO#6aZAOB211PGS&YM8_Uw60FsN38|HAYd(kZ=Ln<7CtM`DR3I+0 zH8pf~!-53T7*>g_A`y44k7pqMLztpEiEAsSDVVAfi6(0H91+f+N70vFKoVWmOKmcB zmQDKm4E4-#|Q64Lm5Rf&|-1BjT4C4`JxCjFMtnEPKCdFDy*0@tSafChGgp8WrD zejL4!+BSTpmPjYSV3SfPOkHgY4%Z(GlI8qGrIKb)|CsV`sVG{Fo_M&*d^~K{Byt12 z`Q2)N^q$4NMtjU|bTF1b2en%oUk=uQ_NP6!E{VJ(cACy=yodB`yPbO>((${6)?F() zY?r2nFIun6<1cS`+`by4YWRHOak3%dvY`e24yx00+l&jg>qK)`AL53#5-;@`Qw`iF z4t}jM0Ji1N-gOo9txxkM6@ev;ItJkk9ej;|u0f#Z0P8ycp%?z#FMWXl7 z#LEWltTXgitsUGD!@7~pXGF=#=M633d3XcMfQG1h!-vXel(nDsu)3#ryv35h#UNJy zeq;7|Gd`DnarNL@alv$S8f|&8p>#RU_EKp8qxsmo?{&4^sq|UU*@#x?=E=iaJ}2y9;d!ZGWg-fZ~122AMzJG zwdg$b`Q~_NzMV0=ZPnfUtPtcnxDj8;=FA~G?(^+#@ zKl=A;hhIAJ*d^)mMA}+|P+}F7!tS!6YGm?MsWL;1O$+oE)KgmLuJiMEo0wtQ=!<}k zjY$QF6*N6!B_`UW#KR{zTol5Z@GJ=8jD|YQBhft)CcJFeyc`Zx@Y=^@H-~Y!ewK ziAiwF`fpMS9gdw7)L&3~az&^X!QUY~=|(S-et2MvIPUNnxE+i1SdtEy`0^FPssDzT zEYJ}*X33ygr~c=<`vd%+4woJe=+B!StFmLHSu!5yu~MCCkUHJ=k3*MK2Z7ywHCbv4 zf`mRa1kcVshfUEr6S)r^z65LHG zTFR?m0q^{Y+W;M!+{98pDh1h(Y$&a1rXefyO6#ufU@HBRiiYZfCTfPr;e5GxUgFq+ 
ze%vsuapp+31UdqwUN83KAesR;PH-+7;elR;5pX6bffEQ3W_J82#Dj91&)LDMM3~*KMr5|XqEL-s*GDK(O z;^kA?a&n>aWe)m>PV6`rN`hZQ45edx$Xj6XM^ox_ zBmx(s-a%&Q)R9!whDuHKfjyZUR3vbd-J zOdj{Y5EQ4C_OAfRWpRPd1-E#Remoxq3W27)h0JH-MI5=XN0df?$mw0Q3ZWp$Zyb~H z8AlZ37HOFwQ|vY3JyR*)h#~Jbe6KKGUzXYLlWR-+#Y$QLhek#izN(O#50)Jrd-um; zpe(`(yMABMuFDCp0$D>lFT$BbKn^PvU5zk>kF$Sq{QDke(t-)aT%|b+c@T7%1P^VL zF&zPN#$#>zcr=7+1Rp*2Uv_01%v$4&V3Qc;ZP`$-mMtZ2rbDkz?qk^uF|G)Cy~%+{ zPP(O=AU#hqkL&W{+Tib8k8=c!Ca7*Neb4>)^ zzsD80ExQD|Kz{a&Uw0nB8nE3Bap zMK)aAWYTWDu2=y1zF#tT&~{^QVXt~RTxEnF4h?lat!KvPbp7~fYx6Ov;i()cY5?4V#?6{gmaJo@ z%wWU=n=ZO$0=EfzbZY0K*RvTf@6A^PG&|i}!b^zIxKH{uSN0Qe*0c*)o8MQmZQFSD zT#r#`yPOAaBn`X!qvqkg-xRNWedC=fwwE6WyFV@ZL384GmBQ!#i*t^h0h4&1TWt@@ zK!InNGmzsM2iQPT;@{QZG( z#|CsTF5MdRt(?QR+50(Pie^Uhr!Yvkdx@%54}!J!lxeuAo}VX?Vo;Q^==$Di_v%}& zM^Pb>Buhvl*1F8%WW1DE>D~Na43v@j(HpYjc=r+T(8!i@9Ga}W15@Scs^y~Mq^H30 z8uqmt9f+xTl!COd*5Y9DEFO$BR5Wk7VJw|sE)6TPBCTbGLaBdM;CoR27?;ZPjQ|t}KS; zkOH$4Kr{TBz*IP`h`1TX2VR;nLDD2!}GVo zc@}UhBg+)or;PhyD2^i3O-r|M zixcB;9jR@*!A6)CMVjM2B~u5MCVR2&;P9Q@#8@qRL8#yPbr2tyPGirL(d0@2Cz6(% zSKHGOe>zShk>XnHRgc2X-xlNu>E}@>nDd=TJ>dj#dbm zkG|--XEIulocO@;e@tqM=|FwD#X2yaUxiAZ;U^yHm1KM3oQpN=6-L@n6AGBPU(7?Z zvliLMk6rk>QLKr?T^%ycV=kB8BB?w(4yZ`28e+D3bBXhL*N1OE{d5Mi9Ttp2>x=&B zXjhN(MkXAdOyjfuA#odp%p6-0z{(KP<8)dlohvmkmvzGP0kJ@ga~Zky+UTDjbk)=gd>!@=^ZxK^!)uz^Jg)`C_~I(0rqto|+I*ljjihxU22 zAtbqX-%&#|I!myh(d0)l6>9lsCJrOuOjo3_*m(k%$6<8FLJy3^Y)KJ^09UW;9Enf*V}F36lPDi;0p*;SVKzkNdi*;=eDEUJ2S4v~g|< z^sqKG-QHJgwLU-kGm2?QU%flI9^M=cRU349{*xRN6y*HehI6gnyv#e9<20zfQl|9h z(K;B7uMs?$Vih1RHgm{rekqQxslP7I-E8{kN7{OQeKeF>`g$=)AKMhXetVTYZ)>oo zS%K5MR2qs>Z zZ#c8r{2M22@c29WJkq;;Hls_rc5(z=5B89jRl9b}T?NXKUa#!#q(S4{Wup&s7IFX= zVD4t)L6Km`K`oreYU3y3&7*KSznU{C;>F0Je)q8JyW5rz+F?3!1wf4<vy^Ku=v@xhMX*~PAK~L#ePf<=quopAx z?J&N9ZYl^mc>S4$h9*G(VdI%h5N39#!Q@hT!KjY7Mo|FfFP z#S^AptH28u+h&HLC{B#k7nD4qj_U0oHa*R?T_KhRJ!r%_Cab4y$d@RL##EJX5u+C* zvG9Me!(4DDh$z+32()ud^SrSH>5E1HMt4a`ENKv~oKDOG!{_KllIbH+YO48^djX*A{ 
zlYq;FmMy$zqaUvji+$5v%}CO4)QN{L{-T_~g*t2-MAnw&{dx&N#n#!aB|WZcpB6(Y zHiVxDk+hck?(D%S_v{TQ%%J)C?>(WC4VLQ%2K%P$?ddOhE0lCfusQ)IZrk0ziICh= zi)P6*9t0fe7q(wtt$lvpN<=x1t?xVawo>oIzijG$By$A`LI-i8LEja8+(mfMZTo3SRGO2rTkC{Okh&PMv1yryao)r;5V^GG#Tum zoyH|87x!g+Ld@@}K$&{m1CRRph!$OM+t65G{CDF$5U2e+7NiI@- z&X1;4org4;)5W=O_q*Qy-?)poCWR7}X>UuZWAiXJ)_P8Kvl-J18!(4rFdh0b8G{Iu z&PXzzX6l!{_AQJ%6zDr<4uWE?vW0Noyg-`K-%4;Q&`q*h>xG>L*6TI#frF(8QNq=d zr=XipN6Z6;$6V|i&?Tt2f|Luj_pdSyPh@<`GZj%qSeEKiOqkt_cA+8{hNsD%=6U7S zy{~jQ(XyGZo@|JnBVD@?wNgdGXmn**sl^W@A1X&TS1n-=RC&MsP>ZnJY}BY14BSak zvP*at3z*>jqzwALfqH0ceRirvYI+h{y2N-L$Z0yvF|LsgZ9PSc{YI3(7B=Wi9`f|1 z{vzpW_^W$O(D8!hLUYwL7slAxa(nu z*bSqE<1Zs--0vv0sUrBf@A(#OK$TlG--JwY{04114^wN`Ss#ij%l`sPcie#IdYbT8 zb>qlUPfz-DF$lXSr|ar#wIyq7rQ#RP-zoy(Jt}^RzF&U^i~fikLP-*v`LZ+FGWrB) z_@tUn5>*SjAFiGGKWrQDc6M$^ezCdZfFaOlo-C#gXdIh`= zvR(x^Y5HVS3PO}^lziNz=w9lX$~V65uPX`)K70VTsyHR~R!&BNi)4n^CvCQ3Aa@V|tG)4^?hrOl5~kzi9Mb+906V&-=6CPQc&t<4)#jAF*=7YO-CHAMdt| z-OKFEJ;(3BQ&ZroGGMP5&~@6Kt7(P12>BoFf@^9!! z6L5Py6kIafa`pOd7^iE!>8hybH;3Vi-)VU_)3u5;q2(+KsB$uQocSo$TsApF+Sgqy zXUL2;@V(U#&_G_jz(hS_XD1=5^B9& zvMv?_u;|!4_{?KFWcn=ytn_dCjwJ2sw%ZnSFMBAVYkWXBEt8vP(-o*!=dRDMj+Z`9 z>tih+epd?tv~3S3tYfo@+iSYjzw~^GoSJGsvvYr^?`!1L_pgrmKb*W`3#N@F4D z{#}^$5~8iUG1~UF7ae$!W0T47m}IS0o4SO83V$I6i;eo=QU7+`s#hygoRDT;hWBC( zPa-yQn^3MwH+Ir34ktZpuM%8|J%-&BNUdc$NI$eLv2GmemII+hd&TX?V*MQX3);Sz zY;^;BBSociJ_tXMw&RiMjEfmYSx5e-_Bk!PFO`Hwt}LX+SGuognX)zyXa`brhBjL` z>`KGNe`0E2_C^a9sqK(!<9ljMzd5gWB)eGEqMWEk)4x-(z;jh9ZfB!BhQFZ`Jj2cZ zM8>F_PJ(z%c4UB(drCv4NgT!_1U%RO5;29d14JFt>)kT!dpnSj==VSN)Xn2uefRTTlTKYr--Mmbp+H(S)a=#|5>a-}_ttiTIlV89*hSE<%&M|97U6@k6v6J6rjgoyDd~1@afyw9yKNM2O zQ@~Tu=|k)o0`AG)#Xb35O-1HL5b!LlU~iASy&2kfgE)&*s3qpKu&3R z#}y<6(X7DM+o?8ua|>t(tqDF)0g6Go_J3ixws1AT1*8`IQT`A^Iu)HxgR>f!{ryqp zl%SNTLZME_UBFWyd;!+`OQ&v)wqLCaMIDke&l_mdU!+|1Pus3K7@~Ax2!m6BZFax{ zYj(}gas3=V8U`BSu5`3MN5Zv?3bP0|f1Mf#rAIY?8l0KVn(bCz(Dn-#&5wQQrcId^ zy@*A%DgURG*=cvh;(!;?&fgT-1(?hw=k`;dAVv#X=J}<)W@KArbL79%G7VHt7p)l@ znaj%6~&@*y_8UN8seKMT#eD{TJ?g 
zc)!?MLy8Z}+n1{^!Sab(lOOY;A2g^pT^#iD2cPgi6l`r=5VsG; zY1OhgZB;kuV5<2so2aV&XyReq9`_`I8gSD4;Bs=!UrYD{odEGVdz;j?D=q!~<;b+aV6(WCq{F(3aE!%yUH#nAG7k;S~sY&!;a_ zCE5V%Qmdi!wEI}ak#xBKdtdVC!=~=%e>dj|6nyy9XZaiI3+`Jfa%J*?I|&793r7J_X}6beokQu;6{VIpdsP(VZk33D5590=-+;@nX_FReE0M z0`8WM5RESsYi3%?3B67PW&-0s4?7!tPS{n>_}rJ;v91ChoQdeX1a3a(mP^ivR&RQ^ zt}V|nejRXfgXT_CfP!2-uItr9odO3sHn>cl6*U240s+fDZ{bC2ge5nd+pQ2a?a#5Y zHQ6`MKE4b(*MA=F_KWonKSF)&y^mfd=1|iC?QdoAS)2z6@{e5JGh++Xa95e0Vpr*S zre^|Nd?34rUsrmdV9@sGUCnFHe|Cs3wek&-E3(mN`~)CnX7?(zo||EM{wtF6Yh#^z zoq368PqdKCPKf_}3ph=Bjjt#B+{=r=-f^2?@}C*k{bEKZY)$Hc_tD(((w@u!E*Tb` zHohBcBt=#OSTq;NPWmTx`xL6;10k_OHy7m6IK#yO+;Qe_LrqRBDAHb$oMz3)kUr`P zo*{p(WB_+WRs0$>=af7Ep^Xayn-DDv)Yt_vacozlB zn^7|aQ5+yM1bQbsoVoYf!PaZp1U7=F0vDW?%NsGq=Np9Uy z7F?MHcsA7NgXO!*)#1t{R!?Orl)wsiNM-t&;?_Et3cbDm`+CK{APqkRBuI(`JQ(?1`toCh5LlwzP0-~;N*p!AnV}oYKOMEgE z7BC}G^2@8WvY*?WyOt1#&2*(ZxI;um$z9lGCsR;U6S=Q-U^AvO${{0+su>pBOKF1& z(-hIFvXU#bq@#POa4&}|1%JgNDyUYXnXU5h$n{g1m>zIRsr2V)oPiky{WX$swXKDF z<-uz>LD6hdE*(Rl&zVdyhjwjpE~m;&vfm>&o_CmT9H{p|NTg@Q_$Co|vXt05S7yDZ zq6kYI>2npaBnTeVWn{E8s$K%csLB;~|%P&EfM>P?il;qCR4}f}6z7ZxnMY zRrA~4awJMaqh5}g4Z>`ic-~9U4CfkZ_#lS|5A(K5vo>HV@7Kh9n9M!v4m6G6B zHI{PecoXah*%e!FU^=X`2rdso6V;a=WdoarYcK_Rr8E)CCg%@JlnqYkAhPPvuu$SR zU-ZVcm0RMdChaH|r4rqEYz^-@1IVw?T6sTc35GmXWVLsk&W0g5O~ToO}%wsFrxDseyjIQLbh&(W7X(K4V#} z*hWp(3h&T1aELN~@X|*<%}a$q13G0HyjTS-Y&=3{D@2KnLamCO)^%De(guNNq>%eb>;Gn+Ofb_35hifU&ZsBCZ*{aB>*xPT_s&u0 zpy<8?lxu>wqh|-AD$MS?JpX1Far-{RBa%7pCavpEF}Wo+?NqPRqdrmMdqFjU)sAx2 zkx{(Y45=Xt&R`{qYFqvxJYTKer1W#eFAdoTEO|skp|43LZT9k!K%2&-pRFJzIIwU5 zwau@KO2d{#Je)>3hq++%>}Qq20*iaWmj~{_)p$ zZfnade#$`)$>6MtHcm8|v%7U_COx2Ttvx(PyVL$u@?y-u`?AeYP+#`qI(=a$y1pc! 
z_Vcud+p4R@oXWTIV-jV^zO~2g@K96G`(bVO7R&Qdj7O0i=?@@|pVz&?yDHid=-UsS zEuW2n$#>mXylC%9`1ZEAUZJsm3~^a9r04$Ho6*Ml19WmoWAXZlHboI~{nZZhVt2lbuqjZ~^9FTDfJE57^YDt( zvT?l&`x!R`Lf>?2LHam&*0`eb^%$_P0*%%%co|2N9#%D+<}S<~b-4{5%@(aOswH{R z@pY*hxM2Z4;Bwr=65!4z32`!v@FXB?!lv>%OJt6h?%nPNN2dJkA}@YHz=TKRu8ApXIi4Fg@!G zEsG?Qe>K;3f;XmCy~15tu)nBnjh98+#pnW=MC}F$F^TJb2H&{32p! zqg}6Rl@1HO^iGAJb6TjNlZpl9I&;n_Ct_A@!^dA~xc5flOdIe>ma4r@5sAuF9`M=J zN9BmgQ?F$tK=~(KossG`k1B$|QhL=&>}age9C2_x!F0MmF^=VlGqlC13~Nbl5G;`? zXhb4)39_!->D$&EOB&*=hxco(1!{Ve2yKNtgR4T-i8U)`Wt2c>D(FDwG?6fB$P-8m zRrfC$uZ1Uy!}^F!brwdHsW=iV#hFcMq(+Bml^6uS1Bt1-%1^sR*+%*OEHG*10-p`4 z)&NAsU5N<@Q;1@RWr&6(ssR-LeamuG^+eMIDq_fAW$v{uJj97$wmLu0Gx?4qFa;Ou ze72Hj?Gwreg^}x{JOn9#Y9!;hFLBB2MG`vW;VS}vo$0#VK9eask|GQLN-#Nz_m3PE z&bL}XS_sY@u(0g@acV$MlgG7Fz!#_&!7w?H(L~LhD3-OXLqRSX!#xu-%9d+t3=3+* z7U95aLkWZ}-fTi3`VJgRf$t7WH``ai-o4BOJX^@WxgUm#-q)=a-2|H7Xpqb>) zR6HG`HY&gzVRZUPzoF9q8mb_WnMr(+f#BzhG>3+W<^QhK4m z=loMSiesG=iBf&R855V`q!(<96dVDUD10nKo@+naZ$@fwc80rVC5y~-p2xE|R>+H< z9$sgh4soG}YG0_LB2G~FCV_$9=8Rxt3(IvJj9Lv#-K}@@Cy6Rdv|0hexD#W)KthKm z&PyOM8A{4NB-pu8bFR&8-V!KIJ$woi#4<F}0=~}I$ znAfGxeqX;+-H(#TCQzYu`L-OsCh-AVec!IIpvidF^VcoUBuZR)NhYWi-@T87zLB(Q z*%cNnp|M^q%T^=F#O1fTlg@BhZ4`=W=|X7?6jT9=aw>!QSlQ2Tp{l3@4DWI4du|=s zMyiG|Fo>*uUh`TA%~u`H^5*ZQxz>F@MvJghj?){Wm~gFCAf%OXm8pioB_ERV#Vp|n zZA~7czD@%2*ULaUJP(o=E=G~IJ&o)vE9MnKT_xUN0;U3C_!=NE;;x}!7 zh?Z&$FQ4)&4U9A;|6ex#R7tdaTg8IZ$Y@AiT<$kj@4!YG4mN!36_ivmd=<2Pi>!(y zd}?_=Ev4DyLRM*>{{uIIkf@5tV}&3&0nkU+e{{zgaou-ccj6x*d&uA*&fNF-uOo2* zhYGy_-VReLCMOGSoNA>e$QX z&7tS>+?U>KB5c1x-{Mi{+ZitdZV6ac5chnn0ttQk9g#A5JN;~ItqAKEEH=|01tzSj zxD7X(?gDP1mZl8Pp0*)sCQ*?DADQoWfebHqtM80htB%brF9SuMLzk`M0*OtdHAKT( zY!`d9iU7@w&wl}U`n4bmTCNTP*WSiE#ts$%%a?ibj(7JK)sFD*PuXv`Z+9ix_qXR2 zAD2*oRgc3Oh0Tl6uf(r~NkM{u=B>8qXUGb@`@Z#lOIc6H`hkprx9rUTUBOn%_j8C% zZrdYGW@Gou9oJ3ZO4~!wTb60D*EjTnRjcC2$(1>pOVJ zG;iSa8xuUe8>$b1%&)DGcp&iGmO0B4>Ge_N(M^^&-_f>vK}ElkcJdknd%ZCAzz5 
z6_pp`GokgZ@ddi(xsSQxVw}+Vem8xqW#&N8+X1aD#_`)#>+yTjAfmaL`$2k+moVag`wa0$rRxyrtiVbk>00QwUIzTrI!mY-;Wx{)KRe`yX#$Q zPX_O~Ke~i|G0M#(sOt(HqkB@JUZXgD&i5hTx~f6#=AvNk5ziZ1$QNF z3#)n09}jv2kM=)k;`JZSAA$7TPcax9JKT5s9VaD@I&O(uIY}8`^|d_#XPKs#fR7V% zjn>$gv8M3PwufLt2LBV3sSBXnOAY&{;1~#W`I?*YDF~|mYE6f(Jb2yloC2V0WKM!x zi{(uI=xGK~87_i`OuKzQN#%%Aw;iLCDr@t;<~lN{Y@|#ha>%BiPYh}#X9f~o%^DUXwTV)EnT!H~Yl)1RGoCv@(TN7L*QB~UmJ9OMcdu4gVs0-|jT4N#7S4J& zf^xvQn?0l3zEJ4Em&|sp`?t%8$sewugXSp;a8tG&iq<)IwB!KO1R~259T{uzZps_e zHUlCO(-6yG1&ed}5<7zWiNOPB2dOh7m_Shkj3%btfwa_Xz2XCPmAGk9mjx8W?@fdm z`Q!~a`*&K3R*1v!iBI zoCIL!FP85O{DJcTDo>4)PX9d_W8jU9Id}R-`#TbdMym8sEg-bP$IL$igZVHk{Ld$B z4*Xn*ws|21nZmwLs>E%$G9fZkiKbv;M9WV6e~3D#=*R+XYbWX09Xp+*W81cE+qRu_ zY}q5MzJwzY+WB~zfSc|c{uoD25Bgt4 zG!nqPYJ=Co>P=THQ*{Y`G8F|T%X2ql?94Y4n(9T1$FIzI~R`X}8i zt>3Hn!F3&lQVlRFz@+?S)P$5rAxN=~BWW8qki~WJ_V;K^9vuAgUlc^8juLzzVmi>p z%JQpK#`alu4Viab9E|n6y!42ht;~=|EP2l$jW^*t$I)ithRujXRTp&ID#@&?lSsvb zW}V-E(Ip6FjmV&+J_snC?78`-V=%PQbyOJfCEy7u`W>kB-B4r*R$3L}#ETH?$C6j4 zV51@TtjS)E?|{%Qb*3W;G@hO&(sJoz`{@Cb(m4KAeL?~2-t*ECdx!j$ZpvZ;d#vhO z={GMBUMstIv~q6~OLZqz+P!+@k^XVj1$gY>gg`K4*&7c)JIORD{BR*m`N@}jRX!d6 zCxIO{azD+KRyFW$Z8aNw3-WlTZyLK&9=h4C+?|7mdZB)U;F#+VqzrwMgAiUJBVT?K z#&TsU#6K;iV*WzpXgF3&|_Wm~nqhJ%3zMiKn36t|J?Tv$jG7!i6IhJhM%Vgvhv$^Wveuf1NdX} zv;$jiIi5}Og&E#29eZc^xmudOPqn+Mc4VtOAUn@9p2IJlNla%}-oSW16@*KKn{DptlE|HXg&0Z?@f-Tfu)ZUwWKlCR;g$pfSA>dG8#% zJC9^L#r!>QMt1F=#<%V=pa`5Sd>c5e`JVf#Vm#eXXT3ffJjH7vdYTS5)XgT7$kR3} zTQ6J8bsN`F*MoQP|IY3leh%+s=ONd6zC)e>iYPCz&*uNVuG&d>HKp=)dVG7d+J{Gj zY<_zo{Jrn*Ob4WwdY^sxRlASO7v-W#;!})ONC1~6-2rE{uR*zmy1X@mtg8gn_7y#& z)g1pGH{cWXD)(N(E>E}KX=UhLp6zOkT0gsrI;Wk>4t<@*ORle9)8t^)Ztq6N@~S?c z`0n8dVYR2c`SVv6`CYWruh-!X)x4(t)9T~v4g2*>*1p}UdHlS*XMR~)*9a~5 z#jbR$8wF+eRJ#ggzcw&adWy!7|n5+haCkJyN%DLywOi+<9r;SuimtG02@luzWy`EO{+dHM^CA^w@-Kb&4jk@+jf)A zkNPozBo-{jtr zh&>TRGUeh*{q+@qmb8C>4orCOI!pqP4odM*1@OPC^mJ+;BP$?dOA5#i7lPedbB9cO z>I}`eH*wuqm@x#Vn3atgxxrB_=5LNPbsTiehSCCIgicKOL+@BhW34En?vcmPQEJsA 
zn|v*cht^Za93_zUaa}1{<)UNIw#1p!^T@q?+o*mldRFC8Sp6wOHW8yswo1wzE5z5K zvOI^)i)c#4UPt|_9gW6pHPp_g74PU%{ftGIOdSe4H%Mk8TVANS+Z>_-l4Oc`YhKjD z2cs-RIxWZ4oEfh!Qe-qyg0pN+1)mvnZ38udr5k?xL!^g`&fO_Pq&DUF74irBFpC=X z1cc%RDeF|q;<6#>VHoz$TP^e%6sl069O-s5`PpM=@*l}MKeaf3<60V_@<+lX2{sCDB;yNK(e(-YEYW029t40X%Y>J(g+s#4En zN)@Uaz)W0p`G53V(yT{mOEp}FGjMjxOR>WlGYOlryHs!)%688f zp2-ZbOe;LE7aa0S9mW;QuquXw-DG((Nvo3Zway18*34I86Dd7jivIyya?b8P02;ca z%@tY|tdewTJTOpAM8>ZxjAspuH;Oo~Sbl{y0?uj)e=hll>~)^+ac!~Cq;-$Z4(FIKuysu8h9!w2~uJ`(;hkW>9yMN2+g9VWtK^Cc_*$AmHjFV z57raTsekA1{cuer45u{>X`YKvOBglHxqsNOVCicE)qDz*DP1akY*-kJtuWK08Ia0EBjFi;R}Wnws1G&sg+ z>k@tem9z3sz;2n?u-r7>AJJCwl}43GL)zx8GZ!vP(nbq&5R6YIV^UAEsYR)>G?>h0 zqpIkn>M;2~JOcMt^6uU}IZakD>{rkxV)T7-qc`iMaa5cs;F%I`qRVlkenGV_KZwi8 zIyF6qRI>2J7zgc22(@C?9+(fc1Ckw@=TeQ$J+v;T6&b z7j4THQMu((Ww4SGFoH823nQK&*#^bErdYk@R$G`f3qV6_{En>2remvv^rt{XuDtPX z6x~wFJX9s)A?PYLDA*ZL%y_fZuZ+n4xWwGvBOt?~c2{o>hzaZG$biX6sg`Ywc7 z*P(Q`v7T3c_O;1)IurKec-v9!vo0yZ?7di5S8Kcahf3eBt2NH;ciK%4eEKOp#bpsJ zTo3QHlPR6o^bTwM@T458% zKW*1;zT1>LKV`7(*?5mu+cHIZ0aiqw5>otpHditb%)6WB>*zL~;%6=&5LwuG?Q~yj zZ}pvqqPT57Hh81-EAQyPOh?K68?gX4_;dKQ`;oSYzfSqS?mxsKsr|dQ`RHd32sE$` zVImjw$W!aqzW(kKu6bTBH1B%bJR4!=06aXdEJwF}E~nLbTkt%3B6-%iY|r&~{oNnN zZ?Us>Uq4N&cs_?xTYLNH*t5L6V|WoYcCc^UkEEKuTrPgftIhZvCj7WPSoLr3dtJM-=2F7?9LCS)mo*@e|7RCbyPY$Y{ylCx*8sYn$}@gGufX8BiQGZJo{dM z=ZmsxzPs|gUNfIQ^xp0&-Nn+T_%2WFtBq!Q?-Y%*$ZNIs)9m^4G!J7%W2~vg@f)n^ zxd6-4h&*4Phkt&^b05}>o9&`vZa;-<V-L(Rm>|mv~KD)3lt#eDuQBdN1XB zzdTV7^J_h3k2iemx=jg7+bO;-`|Wa@&MMn^J58EC{lM`01kwV5y~laL_AjW)2b*cDC^@;zg)#-rx60BN=a4~|Qx}Mg8YrW}r>C>Bu z{0A&huuME4RWnDpG-+KR_FTe@RDtf9&leH!;jB|$>@7G5KByvN&d*&LDc2gs^$Wc? 
z-~&DcJoR~9it>>^1-)v~tt1H9;c@pX#{9g+gh;6fq^$pZlwo>dql_M$!9`vwP@^-I zF?`vns33(wexdKz3-<0Go63Bx43^hc%w?=?n(_E;%ivfxfRL^z$T)N1xuFr0HTa?@ z=Wojz2QP{l^KeQ@%X;3gN6ds8r3O`6S$zwxbJb?x7c(-r*lW;>BhY*~vX~$6qC)c0 zie8PlG+CM*jh$(_CG(u(QlklWz=Matndp46(s%As;gmX;?nv>pS;1HrWKy|9ygWx0 z++1lBvq-$oro*bjH0~FHR!Il<7n?*NOKU*Ao&q#&G;;ujQdb5k@j$*>aB612g{c|KF z9)^qrhnzww076yCM+}Z8991x1Phtgpo7P>JLhQ(@Raw@pt0(IM$4IN-;W*i4FS>cCG?f4$$WA&K^}ecHZ)Nad_NcFH8a= zk5*Ww*A8UvXo%ovx6(ubF`*G0U4OB#Up8Kcr@~korI>=3UD2pHchDv_te5mK)yuR9b1G3sf}4{-#YYDls8Dt1?gi80kuXvE~6~FIeOL)oys!SONR8n z6zQ@EGF9kK0%pjg^@=zd+dmgrBWl(0CVX70Wyuqt7`3fR;ds)j5!xMlH0GO(@L05E z15wDPd5#y}Sm1vzOedEeTS@#{eiN97(vlv5r4sV)Qn7;p$MedsbZeIBU%0f@tfu1F z4`3W?LubTD;p6#Vcu$=`LI??n$=6@KQuja@m3)W@P&={$`4~F&L|Wh{{d36$Ux?>c~9g za8ikna@4OthCE8fL8Sv9Jo!ZeJ#Cd&lQse=fd1iW-F{^N%>$)cjvq#rNSXiFix0x5@qpRd$m2-ifh-EqTGL~6 zjoGBD-`K_vyhB`UbkK9B&02>xGPF)obP{He*cTW{ELLrJ)_QB&;$UkDoZ@~R)8AR$ zj?HoXN#F@&V2rxM+D~(ib6uN1MgHn8j_~4vDmi8rNUdlPe`pO>j9xRT63B7+%@dkW z9^3FstTE&Y%Z$cPIR;G7Y)UG#OdNm$uD6UEXX;Mp6olTXE>kdNaaTfz#* zLR2~~{Yhcs-N*JJ#!HmKWLPjkRVpCdHeXxBDli_g*y?Xkq8$otf~S7un`23aFCl*z zK|KHcujM=xU`Ay5|MHkekXM`Q4|nO$U{v~biW@<{0_q{RyoAw%c&ne-pC3{qL(?_HD(#4z`AGJqWuzY9`HQ=?MLXE4X!i z=Z>MiZnpUA8jpU?>UFUDnF0!XdtA3U+oxCGUZ-%=G)yxPCe`iHyL~60S9e=iFUouz z1|G_God+UIsQn(+Tt{jquOxDERON3xo)ffnfI4s+FE#2jy8ef8gsU^C?1FZl zPKGvrKF)Sbw_DZpZSrW-@V;#BpY@%hXrg*vCd4P{TAE+e2)o-SyR5T%*Qj{g`Z`@A zR>Din<9Z)6X=iqu!Dya|?#5o>Z=S|Oqj)=u+_qeM`|b75BSq`=2_7f7d--KMxn%j> zZVvf5!E0qnMdv(-;mCFU9Q*Up#0ovl;=Pi_0J z8G<`hl}a=j$5oOYdW1*$Th3=lRu)w6|Z)9Z>TN=)MZ<)Bi_kR0`Z= zM*#`}q-dsM5Is6gEFncwxRWpZF<$`JR8-pWo^M;=tvQP?KG`;}0RK zfr=Vlf*1bThMeOdu79yqI>Inj>d-To_!{$ZKEES zQpczoElh$pC|1?ri}PV*P^zTRX+Sk#HM4pypeIw`wRCS6qtoEZCBTR*Lk!(YPon>9 zl-qL={p_nIboA8+y+gzCLf&>4`-yxkl5JE_PKt49s{4=W)c_?@l~yveP+2u4NQ$g9 z$*{#xwe2@0%lo(=<1cZqv{A?EBiBH=IaN;`<~Nz~baTzW~bx_Fkrg(t=TEp!g0+W1mIk9%RC&3~^;wV;W%tOAz5-IGmMths+x^V0_^VzGDYYXDTuc9 zi&ZHcs|bnpQKfWDvJ1!VIAM750_*`I?JhWY?!{ZadSXHJDY7(YhG87_cLFs97u3q) 
zhc$3&5mXW!oC=S<3tRtUSu49nG6t=0loH|`)j)2z5$JExoI0(&ZXT^vA z(9)G$)yCZa>A9g9OK#6cr3RGxFc3sal2MflK#FY1#h$=EIRw4%{zm2nKh}bK=sb>) zSH9wSK%!*BpHMY2lf8R*&->S@4r~%g%j(6Q3%UZP1~-YC(?FLbKsfBT1tR=)E5i|; z-b!bmuQxJNSQ-*yl3slmrnOt8QXo&c_$lGFhA}bj$d7~?<1$RYN=^{4WMGudkbFJ` zK3RobY|}i61%?5~Hl*D}Rt&fgxte4pIBd4+fuA%Pk0;$Flr$i?L1qk~5>zl(R^!fq zekIUHrCmLANF|K%?p_&#zgVu+!olRm$!*0A5r#X|YhSE=(eTYwA+Z40(CQ`NRxDR3 zMwD{Cnp35&aT23`t5B(sh#pGSmS9$;HYjP+B4@DtBcIr<#Lhxf`lIE&uRh2@gv&I! zKD{5xQ5zr0`7rP{M1v#u5ua>UqqsQqjYiNgQ$sScgG)wLHU5Ys_7@h~oXQUxWIv{n zzS&EEhX`9ARe=1*!#m+l(KUS?(C|DPm!(fWPm1iUw|!21`HMm=0@4VRl}AaXG=sI} zF-V(1k*EZ{*lLk>B*C=Mi=KcCDzt(8`5jSrVj_nHqsfw#G>mn#7SyIfUtI{F3T+UQ zmk6IM23eC@@rb%{NkzzHDuRVG1IsNG4}4uum}oj+Mp?FM?J7{R5;Wiqq#`v4^hUf$ zNjE_tgp$PD>2VZhK1~MD? zV=r$Lby2B45B`7udN7319k=8#3!QkzU!bfY%(#7u;wein0g;pD9fe?Rq?knvOE8Pu z0m*n_&l?H>XfRrf7t>1tMOEEHeb(isxbVzc^A8pfH&QTD1D!ra+It|3*tiVEteoXT zkKJJ^1?E=%W>e-PKL0CZU*3JtFuv5^JTOh*2iZZ?mvKvt@ppSy@Bjm(;qNEccVPS+ z{~OXL?LR`a{y*nD#$NDnhy3BWin$*}wtPFOoGn;SGk`n78xnUv>t%$pR>qmDCqF+e z=ksADD4`F6SFoNlq9wRZl^g!ijwgC{9YC)8(f)tTiNIdK?}vlnNqW<*mvJ`s``)gT zYi26->7G_^P5ZR)+1>O0G`cOf3S7cXEt~3>f9vk_J@f0|$@eVhm(CZpmv_B;_kp5Y z0^b7|_L}=|Abp!R(3l>uzd&Bo^gf&F#n*7~G^5|reg*2A*KcvGtiEe;+O)ELTL6{I zZ@IZ`7rw&%b(*E8&uQYa_ta|=%Xw6*GvRZYZj7PrQzA`}i|o8^&YtVKsu~WY0q}M1 zRJGPPu5ALQV>PdaHzffJr#CY<%i8!G7GEdf)4ef#mq~|e{O|PSwo0=G?l(=c$AAb1DeaLq|N4Jls%;*%Q0Qbt7R~<12y|rsLu5*nvo6-cGp$n7^Ayvl#fcr9=o81+W}+d1yR zZmiceAEnyK?^Ob@Tf0z%U}z0&@IdYjWU`+iz8UhOUF7=s(jVNzCN&!5YA z`3Gq%{K#D?CN1^zH6llTN4hIQ|7+h_t9R2R>NL`t#(M=vJG~e1kll1*Vo!h%96XUke|I^gjH(JpTkv|Hr}?s}or6 zDdZe(UG*=GgM4pouTY2S?E(6HkKpy&Twr;^5q3c}dp*PrkQv}l7XYj$F8hbj{6n3} zXjF;H82jwphSQ)OD3H z#SJx8QDR4ytt3L6}Y>1G8Dd4H*kY^b#H zi$m#@1S%sS6#$RyRhTpWN+!A(^DxonE{y*=P~B;Y`za28o7QfeUeqeuSRT`mO7K<2 z!m{BpR1_FE=~RrmG@Ihrjvl-wV7_I;?sx(~uzVFDd4sGo!FB{?AE${~A zz4?n(T&v<`3Vl2=tTqfzL!RcGFgD_mtVGTtN-RraahxP1i@b2|bj51SQMB}#ooojw zAwh;l!dzeDLXNMh1+xa}QG;A)vluL;M4M&uLnB6k2h*`T;nuAr3|3x)BF8?YyS~`; zFc`p0x27! 
z2{Oq)JJKALJiNGOa1dhDK6AMr1FLDFHT=CODH<{Y6V!vcgrB`eeg_!YEnq*dJ4UM8 z=3wkMz<(qYGT3NK$%UaDqK`t#gYl(2n~0f6>ru`ZKPkn=CS4TID|GxEDsj*l48!4N zTF+NuY#j7s1xI$Ur@@wM1ar)L0X7u7TvC6AkNe#4zonPr>HiYK`qBMz2g!g*@kcEldPtAuOu#;&YVacMbz{sA@%=A&m#MzdI(f>Id6*g~tm zK5wC9bYRlL(apFJlDv%NWJ9E44TDXpB*}X;X$3Xd(LXeVoxgfkwwS4b9d6?qo#x3R z{<0a9FQRE1{hORK)D0W+p35ZDbV8^lfGR>V>72a4>zj1BPHs06X;y9VKl1ehOibcc z`<$N{K-iP;S_m8pwq3Fh1R_&F8Y6=x>JR$w*%txh(IAa}MgIC8y=7PTI}R`W^lTk2 z30bTA80`mJ@x-;923fRq3&&;Krq6taP*?q&kAh|NUvBS-+dzTnlbx0^%D9?`kqRO< zn%>X;4Qrsm+u|+$W2mfu%hKx{!b)LFr+_mOV4E+iu6az!ISsIbQZt(C+OgK(Y3FYp zd#l@ZP)V5M`h+;>j1nu<26Ws!rQh!BCmq`^s?cc$9s77qiS^O>wzHjC2vhR$c+D8>RQobH%VVj3fGn$ z@|kz9c@pWpAGpy*!dHQlj^uP-eQ>8&UXyU2?UPp>L&~qqNXTdQgln^2w%6Ns>z=zy z+S;h6)o?xJJxxP){-4{`-fCQzZTT63O8UwY&>f2UvSG-2NX zQDp>P`vu~JkE3@Rqq%PvG)L#AdHNsAs%f37e5Qa-!o-=K>l^1>Z$Q7MI54u4+OOLs z>tQ7B+3$Tre_76cC_JQ>>m~=aY4b`ebY(|N?cUiv<&*W-G= zYP)rN6$hAi4D@dT3g{p3Gk^H|k=)h2#_3WT41LGeOya~$Q)AIv8bO};cYykzPzjoc zi=}7{Lu?q|Yfgv?U_~>yM!)zr<1DqP>X3;*b*5h=L7Hvy#p855DOeV^xs;?%aMY4W zr2!s?&8kFP1l)c3rL&<$sx{>9#BZ>?;!4W^`Z=i{eXF$s)kE~W$ zan4HwS`^ZdaA{X-9>Q+fyHPI5wLTy$v7y56RDoGlaA|S?_qP;@$tUd)<7l0#gG~#x z-BF9;9~fD7F&2Ew(`jY3f(!;0#|s2wNQU1r3<4@dN8<1Z9!`jT+`=1ESE-u#cL)CWARaz^W!Oy zY*`HPf!cMOQzGn4YP{p-M;P!-)5%5?KfqccNwpM;sV+>M1uExl?yT5mm^7%TR;9KZ zSS@0giP@H{uqKm#xQ&%O$Z%9bNZ`A#i7CqJdT9Rcwc@0v`!_1_h=BQzwQyDA$eMQ+T zEj-T=!WbCt$eKF(#2_Ina-nQ2 zyxb{HA$=zmx5*^Hg|Ze~xLl1f37?%HP{IUZqbmt#1=UwsiYRxd20_TTkZqB+MPZ&% z0H$%8Pc?9K`|HvBnWc7zau6KtyG>(IbV3nb9#%_lmdvMp=j>2UuS8srPf{xwQu{16 zK!s9W^~0*#{CXBZPVM-tz6=b=`V*{;bln3 zZOlKW>Xe6NtSIX586#@)5tOLVY6?IWC<{lkQPS{B;t^4!CC&fq`H_tC(xfc zirF^sJCJH&Osw(dH?7Pq_*qw0_&-Tc0gF^Ta|KYuL5 zGo^-r18j-8fw32?= z7t|X$P_PH$D|nwGS^!#Z|3BZnv@c~h=ZrYZdNel9Gfw7!yNvg6c^!9it6u$T{~7^v zHQ;`83T^KCact)fgx)_pPnW7@!d*9egPWONbG^2+K=qSZNdBWA!&JoBu?;o!$8X5|=Cl)o)I(+T*DSQyuZ+ zO-bG7b&+;u{cMylmfh)@%4~M+c1FCF-|tR)Y{hAn_G@r;SJ$QYiJ(2W=GN;1H0#E1 zW8gKecc`b=>oofG7H|i-e)^K*J?Gt7b6>y!thw@=?CRBh-MIGNbq6xdF0V>mC9E|& 
zo0>l~)q1acI8Ey3y)_01OzPbM#!JiM1rEwydR>l(d$*mO-re%>oD2-50oi4CTP`zu z73w9|bX;#oNO~duj%(DTbKI{e8Ma0^3x7kj4nps0#I-2`bw&;O!!5)SkF4Q}tv+z#9R-Px^~ z{UzOB=gZiV_Ft~(Z9-)g0iu4$D}NcACjfJM^o95EWY-?p;(Q?+o*KLhXya*j?iBwZ z|2~Jy^5;F+;??Jd<#}n$!qk=hs%U8S8oVSd27ZpLaObE2v<`ty-wW|ApzVKGApXPt z8^2D&b~%B8zvE&{Jl+#Z3hHk8@6z7lKDQqTNm36-9*F`Xd-|UE7lK}qO!m%EF#1r* zs7NFW`M?w$r&vO?oQGrzt*qmb`yR_Vslex<6SWShz(;GCvhYWabD>YFxXh%t>m`)| z1-UQGIEtXv0R%&ZX9@&m9mWVZ*w=#gHv7IBjMY|r=w_F0r3x~fcAcz39QxP;k5o=l_Bwxr4P(8PkTvn$6nTQ^O)m*sI-_5qTvc6YE@#V*@CUCCP_h zP(_NlM3iQw1Ey6)Mn}mRxyCSw%SzOn?1sab*0&^(<{+h_nq`u4``5z?j-aWs#))_t zDwstu4_z$KesGS4e8CVG;Cwp#4NTaG^$_dh@DeC=8!3ro-g6lsC%Ug>hkO^v7m38;y0~-v3l2nnBsj)2c~EAe^<82xM(BS1T;-xy8JD7AkL}+|lOjE$ zk8_D?P8$IhScxhiF+r)86dcU*7VIp`qV(47 zKiCl?`DSFALKIwnu>IhKwk#^(63tSwHLFW0J|p3;I^+>2A08~-iVBq_bCAB-`_(Fe z1arlpvXDZ&X~Z8MD+x>{nDiBc)%$T#V7s%S%SOWl z;%H%8j0W z6vi_In>6%i)XSNAcGWbMst9z4*nnCF<72aCUH;nwo_yH@*D%kjq`bE3O+fstLx>wf zxh?|6Vja7cp~e2xq&mPa2*TsLd}z@I4|3LM1miaZXcBNVbilB|J>}%$2?@+xV{k{$ z$uEadWf|U!D!Y;?Sn9yc3Cuo@Cr1AUSHX2athR`Nr;If$(WzziorgD}#R5eyS8pPV zPNCs^9YSo5G^NaC0BD(_?xZfD>6aZEpw7364rNIsBtlt^oMShEU_O%Hv=CM zt$5z3&XjDdktWzl;nL8!Q|6K={4dNL&VY?4!`KOqWW)rT6HBdu#By;K*QMejcWLD2 zgRtMiAUFD^NTcvKzO_`$rU~!W_)i+O}3lueXa^>-1IMluBDJZ-4ar|){nnL z&t}y=_wG;W(^Y!`k1zCImaEJwfW?+>-Bu6NV}KjrEa+or$2;`)Df;wAnQn{@P8CcYL z^@;HzQitDuLh!=><|5{IG<;V4hNN4-3&;OD-{S42bj%u%HDlbG;XL$Ng~+wOTi|wD zCx3d%M)0TScDwa}d--kB`qNOF@c#R&@%Fv{N;GxH6kwXSeQ{HEwLH6iwy%6**V>QL z{T&Q{D&Wt?p}p_C5>KObJd#_D*0#p;vV{~MqHgijN)KjTUH`ZCp6%)1wO=x9bo;u! 
zJBAMGU~Ij+7}tI=kk@-u_j-oJzFq6&;sX%gq;Gj`SbcWWaJ#;a#m9OCr0KeUvDP$` z(`P%K)2I3wjbf@t@A&Tb=&R}3ZaZzex_5ajHr3^o5xkC}56Gwbd`_AB_on-%KHYRZ zKiOQ4OWl95%5Qwuu;S8xU9_R<0rvvP<>F_#>XO!Mi)87yzAAJ4{eieA-6#0gJNRd0&TQ{~W$AOSB!aSh;eNbKrmuqSMEP z0>nn?SB-vUJ~rIDC|R$C_RW-B`1qw)<|8f@Ikm&^QWYidM*S{WE?P9xd&VNF%=p{2}P`OId z#d6B-D=YS<=DwxiG;wMfZtGgK(;NoN|_wZb`$5VLUc{SK~;JmGxSSd zF>{o%2ByvuWV64$yhs2)5{GS)*MlZap(2x7R)1W%5=*vhlnw_I;KyGR;|;qw;+3P; z&+;xCe~%Ch$;3LU%K?;p8X~K6!(*%!%@LZkGw_&zH)<6ddNRW+H?28T95*DP#1;m9 zKp>o28u(egY}~dO_7NawasgeP>TI-T@oEO&QYplhP)8LB|?G>Yf6c>eIMs~>vq}`+!g0)yiVYxfo?srmsL2GqO!AfJxg7So*iNTYa zd1BQ&>6{H>xNN^{n4>MUjJ&LMe7sQ`b)^Yy61GtZ-KJXvY>EVt!D2>zGW1VGsWCI< z5n86S9~Ba~ki%jv6ltgobC(%fu-IBxe*{SB`=c~v|1>=UpTFz}f2|{%eV%q+@xwW_ zztIB|FpGh4b9e$tL>9?ejB`_*oNUEJhy@%IHSZo;ZeStJe^aw3mLDvn>(r{duvg>d za&e@DCCwQp=!X(iz&y8~1LhJhxTeLf(@mRW6O5YBB@me{=F-z`8&)TiNmLGuQOIO9 zD?h&P7Us!zPlQ&FWHW3)NJMHcC`2XPs^;8+Zt}l(s1zs#y1!NJzpY@0YBQDzaDdy~ zXeXzy%#kA}6l1}}1_JXB3%2!t%=yd9rt-uv#vF+Ch5`53>6ENR9V<9&XDVFKBTqJ= z2v&({L7mwgM+P197`*Nvdv5c{S1?XH@M1}Hzu@{!66aCi#lGxsfX_%@54}ymtnzqa60&w;u(+`~lQFBY zy{j>(M*`z!+{M=41*=x5Mk?wg{1X8`^HP4V$+b}ZT88Q@AX8o3VmOvM1Pg@Q$X~2+ zK#`n8n+sF+B9oB^L$o$tXQ3($Zx&g%5U*A>$!Dv3;HgZZnT+Dv*0R$%R~~`&)pIK8)*XNBqn5vQF3(t@rV10qLALsHlaUqsETuk&oi)i-tI)DES*J3e z0}_ICuNLBQ3na{g#1PfBGRM%!2wD4wI%<8->H;fL5X`0wDvEeAo(6u0tUgXSX>gSR zOoq&?#(XsT^#2zC6nJ#}TI+&;e#TR;J#o(&|7=Da{{8I>As#6M_{dLWAkJ5?FYb2` zTrwM+(x>3rpWD2hq>nc*uj#s=*B3Rr`-;(uE$3$yek^e~Q0OulMq^NuBpL zd&7!f&tzs|iE2`ywTRxXp|k65aJo$2ZKmgL0}~1O1#9nD=Qpdis%L8FI8JL{?eXX- ze&u-MJxTZWXvlpXY@6Kfw2O4Rb+CXx7hd#KO})yOTFLL6Q~!WeDc#fku-?SiwP!9~ z@(ehBL0sFLcu1YpkL7oobfu^9>gQ|C>-2Wmw0d|Ira$e1mhf@-vV+=coER_LUE}}d zylXLyPq4EefP?rKF*_2$L8 z20gG37jvK2yQrCd!}I4}o%!cU&M_T#h!@xAGH`UqH=J8eHwuhAUIDxy1Tjzm+7?_x ztqHuKd_C1xGL^PUF^F_hHuacTx{;!QOyJDWf+z$L`(jS|40!_tR0z(ryZ~HC5*it- zi+SJC8Fk?MosSpnB^NN7eameg%a5<^ZCeL;(AwO7&2CN8N3YZ!tnT1@+?$5f}~{gUA& zn4jlQFY>!y^lOrCYer3jd0d8zHS&7LZOkJ>=j7Y2edpZ!&gy9X9<%TMT9@;iwOU_B zUzla~KO5qj)w+OOa4=4k?UCNge=N3r5~ 
z>MvE<0R}z`?(RkI`iEPcJ*>Oi4E*X}wf7k(K=C^u+#1lf1$cVO^o0%#j52C|q|8dv z*8v8GipWKcPj#+{yk0%=AMo=6%kGaK2!Eg?X%V}`n4Gk0=m0BdXWsbnav-82a%w$F zb(?k5ArtjxFu7x-c#(c43$!)+7;XqCxoJ}x1|M*!9#x)+xHu)MfF^{{&dZn%1O}_I zPOD0>&VkRRYLzD^^Q~vhwF}`E&S4R@O_Y-!qeV77de!8_dbSBWE(Vw%*c9+RLK?TM z+b1Xv&qWH*1(3tz4Qp`M$r_=>zNYHhmA)(IQV+?&q==!C${ndqR~jtO|5iqw+|$5^ zl{CiU`l$~I3DH}lS+9=$c8rHz{}Y#6goYynG~wnLhIYt@io9~_51r})Y4J!bNjp`H z>tu%K%mFwUmBzN}zk9UW$(1FnB`!7g{>u)k6K5R`wcnj9vj?TwMi3RF?i#B2vc+7R zRwH_ul$cg*3RUgziEr{mQ4U};k3YhO{<>jBNOo6~9x&iJOh5lgt3*t;?Ek&&M9g&% z&w)rpd$YgoxID8gf@kWz% zPcFI6Zm4w5X^2lmgr&fsYEkjoHm}Iio|U*{NLRQw^>;_0vbbuA>(^q$g^?fLtLsdZ z7J~f()%)OIWDKHOJxZ|HaHfvkv;xHrG%~$>bm36@rva4%$yD%n-*C(D5=ZKkhf1!* z736YjO*yk_7n-nYcn*QP$XqHjf$@HnzL~vMzHEQVmnlQLw)6qz}b&p!9=KqrcAGxPyH)dN@1gnC&jN4xi~o+ zU4%vOx>N4N)B8oWU7G+QSOFt5t*4FO7z-k~V55a8M4f>tl|?C1)Kpas#qyVm zJ?pcsZIL_n5f!lt)|$gcw0aN|P#Mxb&!`G^KLPm42?ZB(BN4Tf(V`BP?a9xWFox zw86>aDl)HB(M6$wW6BFqSjd4mZCu6Y7`7-~*GGi4}Qr^zT){ma_WB<@DmIu^p3>S34HO4mVce)v{t?S=0@J~V`GsiVhKUt zGruBzA$`wr&` z?jE{Jx~1CmyKt*0%cm#Wp$P1MQ9b4;M~ zKb6fkmkk%ZNol+5X@soWdEM8^S6O7B2s3bd26WyP@UYc38kS~zbCz9-pYTwbr(c@42|3H`$^a7O88p+Ya$ps&0 z3v4`bSmgDZgtWUUFy{gXtwU{rOP#kZUeCqpvg(uBPbZ>>dJApFb&NjQ*TXoS)k`bh zIR>`QcR_j@26f{z7rc0+55sHWHJf{BF8Uujvo0G9pZiGL&aZS|4rMV*C-qI5LxrCH z9edw~-Om3>RyY2OinndsIv&E)Rnj?ZBg*wX_QUQB@8vN{)OT(1Sjl@L9>ER8RG2m4ok9|JCEn6bSTtCaP9^69SX~OeJk01 z-JD*2fO*9L{sDYf<~z62CIPtTRD&YQePRP)f^WF&xm&hlhD9zKPZjaLuCv=$lF%!DIgNGP z2rYfL1UqXJsgV+5?d#4zwVwkpg5R^>HVoR~W4;*4Ww4%)SPR8me4|-mWcAtg)!(Xt~^<} zT>EGIq(-7PY9-1*$jD<0ooW+F0C#W^<4PuTfAGC&0Igbw?pGy5K{FebmVzV3?_Ylr zIWJxm-#7+1o4N6p_4x^4TAc9kzaQkcmZnmyL&!<~=x!&4_nuYAQl8M()QGm*KG-yU zZ0|!id__R}Z%I?i<F3fcw&*H7+_4M#5`?J>snYdnz{a zT|+`es-hcJR_zRdim@<#Xz?@4?2jQzHn-bH-UQn8Uz(Ms>0~73VlMqK}%Dj-0(qbk%) ze83%%j`?AI?AN)#DWEyJq*$A(umE3<6qX|>2A|V3VVJPSbg+gNk>baj^I*5+L}#1~ zITcOBc^XtCHnh`k#>ONXLkj%%UEZWy%!+#-HGz7IaGcB7Q5B>KpEIm1Q?~d@bxnF- z3srgLgTdK_yIPzA1n=|i{ySpdZfm|}>gP%=6s&U@_~;_LSgDnr5(cedDb_r7b6=|n 
z-`m<8^Vk-4XFDCIN`2J?;_5k1v*@inkaVrNKb-VU^`eCbktG zgKM;7%pzOFXD<3=q+785#|EP6MU+4e;!DfedCjt>hIgQ=Pk-JOkMhKfUC~YLG%JOc zMKbNsSIqSrPSJ7e_G||#)lSn0cl;=}_+zP;V)J#)k}p6Z6JEOp$7V5P`_z=0l%uGG zg=w*(C<>=Ynd_3C5k+*&it!Y8Z7pKa_OnW3?(nI;_)Y*WvAU64He1g15R~G>+QZyi zKhYAv{9-hN2JJ}_R`7>^l&eY{(oG$vZV+P2%$KfZos_6?#BswWYY${?Db)l86~K(y zSXUP#yc0uJ*yeyMVMj>uWy`FZbNhj_^9dnnx}#XXHjHe9GpukiED>y<) zlNtWL6(+JKDVxnE_6_)+f^qHwq~e`x+p)@I+Q&q z%95=W)7Pe^x94M)eOeEGHn7Jq{&@C4O%>Q4YLm2qvtOioB3<21)3qjsp-Z&=b z4DcOP)DRz|@Oy|q5^Ut<4TNm)4n~ekfE#7l|M_uh22ke$@IO32xEI(vfB^gqd=GJB zW4U;)^q{@qnze()xeT+NZh$WE=3m;TCp0XN0>t10yMV*j?Ytb&^b7`^&H;Vw!Qouo z+rfO!tGPH9caXI1qr;Dznzx>pS9ACJ)(|`g;A2N8Wac6dmiDW+-R){8T3`EOoXEf% zdLO%~&SpC|VH0`$%}jK78g08%d?e0eMp;)M0Uqu^r(M@r z9VVgsAQ$(ieLhKDfBvGHyA95(QAuLI!Jn(m9;DQpUX71uey0~rm&>4yoaX_0` z`U=0rNVTuf zKR9u)J}ezOD!}s-Si{>jn#*J2Yk<)2&d1rIl)jpc>l_yn{=n9IPy6!)e+U1o@$%k` zOMh-i&3fyS!y%FStM&Fv@nH_mkwW!7*?k)QK~F7dhPP)@xc!P9k6%*7MBeRx-o2Zr zZ#ca1T-dDxAuI}pO~WMgkc?Rh2z-@1Beaq(Ad9Rn$Xf?Mj~|5$Bw#uPsUxy znQLH6(Yr$I@{>i`?(To_>x;R5fBx|+tMK!0hhTKdfx}^GU=|&6NfHU-SNmy>W88~+ zxuoWQa<#NXXv+(1bK~Qi8>o6f9^(>W^vIbO`}lK=&?x1oknJkAlXy0jj&(AQ)yOX` zA(C>PR5Q&rTT1A^Nq*^pDqZJ`#FbDLZ?$*rvrdZIc08#ms^uA*MBT&P3r3P1r~iu3 zrp;;@6C+bDsmyV-urpTp3%k9b(en8tJ9=9y=V1)$t&vDve_yClOl45=szD*jPCM!7 zDk2-a8ATD3uD?4y#*M4LcS`IwjNWJj%8;65N7M zV?iwn1#P@Po)v5D_u5mFPj>sXmqfatpYX-{pl`2UjIkB<=!({6eMRTkilVkbF%HI7 z85bs!{ZoOq*_L6u4jSIKCTbJRn} zx(=ER6X8$7J;BakBdx_=jW_b`LY(ViiJ3eM*jB0r@Y|2mj z@h8P0mrK&Oigv|R>9p}-6=|g0Hmg;S3CpMw#p+)88p=HQClO8s+LI+^LE57y=U?)|Qe!;C%ij@HgGtD9>(Af1b(b|`ZPlS%*}LFAe236d^EW#zUK8hilD5i(RbZ$&xMT%wXcx^;Njrnh zjC(SS|1Br=WiY65xl7L?T&w?7y!=cI%oZth5gw{tn1$X*&_ul#^*TRox6JY(VW%$1 z#jaDVJf|%1ZtV4ryQaBg5Pu*^KY=9Gl!UeyjpOIAHNAB^SPTt$qiJcv>|fXt;<&o# zAuoXpu}IWXuiqQ6)RKV@Y+q)0Y@cUg`6nSN>-&zV8aa)l_7V|VgDF?MS-bouGJF^Z zf4`wgotUyAZuGTG>S2_>c<2W&iae(xWvYG8AGjK33GT7ENGsJ#B=Ws*H15>!!VuvN zt3eajJ^wSI-wC2Z)vzpZJ*Y^pq!d`xC@^Bd!@@5)Yorb@lC^rQu$ zS#Q~`8)vN;I^8Kdf=+6qQEvRIuAMeIWswa|ayiM}leg91KFu%F!v1T7-_44I7^TI- 
z=f}!xX4vVpYv)fR*tphUCrXE8>fk6qVQKU#jn&h=v?5?LUO=O+%Ex`Zk>+7PM)B;6ht%-0YSOriRy z)~JJr>vM_lUNuu=?bU+taUwf{r4@|XcFnb97^u!;(v#^qy13_%{!|1f97hC;3aEjU zeWhgnZW>pip%plHcv)JPk7TQ)8}*oGz`=_ z23zbsWmtTfV$>DtoVq^LeeNyfGOmR>uM=?wPPHF}R@&akF5&!LW#tw7_G^QPBMWJuRjq>4YSWg3|R zz;DjdF}TH^j^8_tXMPZ3<9|Z$vKQWzwy2V}c~fLf(|OpXC&|JJdosJ{I$d^|!`o~+ z7?a&(cNX+@e8cN?_BdUt(8D|*ls%^+@m9&2#-*RPT5GOLS0T%ulC>U2oWQfm_}7PF zdXIMKLejq-MxgI?EWJN)6GP?926P)f*L`f6(;RhBURz0D&SfAZ^X-oR zKqa?R@9akzyVs&dxAAN>x^{C?F1uk-d#j`**GDcxwXjzok{7MZwvigp>-H!;&}rGO zv#0qO0q924>g;+p2O2`**43wf&#E%unDlx63q*ZfDY{OG3G6cWsT33+T#ih z{;-ZqS^uJHc>cil9Dk=U1!DpFLg!>YM#eH&%TRugJ{PKfJ0xjJ;}CoIc)3}7U2=$# z5v)3fclIMSN#)Mlup#0I)d2)zc?l^i+!GJ8s`dmqax3RqQI;A{s*xFOBW0Mz>LEv| z?+xeVuu+1UB-~a7kji813dPY9e#RR8{uc3vDW~Xkr>W!%I!bhGE*&9CpUP|IDy}$n zYM@bP)WHhX;+Q)+ufvlrhlZ*wqkgq|DFRje?mo3Z#VL2+YBQN05)bz(mdQW$BEj?= zX%o0f$+yzT_O+@YqydZ-V%lK3=;COJF}cPfs+QY|oL;ju50;?torGKzk_b9*dYOr- zEJ942L(?2WZBTeqEDe>+kx99GlI4wIE(`m=>&^(c@V2>O^}QWo*%GNngDE4q(8}dTqF6+l;JV5cX2w~} zL4!a|xz9jEDUA6ge6C@>k;ZE=w4#9%O(!;Y9&4K)r4=btU^p)9L36Qjf~jh|(5UBg znsN%|zT>#3p$MB7Us+v}Gs|~3c0mwV(REp->>evU1TkR(y(vsBuSlYV<#%S00IqBb zr$mKBRjSx#p0piYM=|?(m`ZwYLFKJzLrRh?T&EaV=uw=U^Xd7M&Pd_Foh__2{>_!S zd7Lt4U-iJCD^cdHcfXKT`KaQ?h| zdI*psf-}X}+6dHR8h4}~I~AeJs(j~r#F-v5P5yz=Lbp6k$vpy8@(@wc%(kwNW;XlQ zpD-)X@lLV~J0308?w9NbC3EabT6fj_pKg3qEoSOS-U|tA=Q6D2_ zjXSdP6)n+&-eLN-Xmg!di_@cuxSZg#S{pnowCY>!G8F914k!Im9W9G0d zx1E~+$NCx9v~RSM<7Bdq%*suJRdY5<01|o3hxkAFFw#R9w+QDGJB;?tt9MQ-NnHXg zWgKI?XiRKF>$$Q=11wYbJ{W79!E>trG)#|@{dpTkQH4WpuebWJs<4(HC%4j6G__@W7^`1^oI0><`(ga^m8B9KRdZoP^^`XZ5F#KkUlmFGiB46k0R<>)+$Cdc;b=Tl9e~>b8Q|q=>Lf_jtu)*wh zpF^XkA`IA;2ywpCHb&wCX?Vi&lR%zqts`6@tz-1vNJfKI=}u3t+MDLvo>o%tTdI@h`F}jSV8Cr8YcAx5MTR#OP zZ|b-5T5wp#B0l8h`g=F;!aVc48BLjey}MN|b6Wr%Afp$f=YEF=p;cIvOMKf!tO?2L zJt*9u2eNhkBruCvt%BianxWGJCOR#7oa#B%yL#ES(G|HP1>Uu+-AuOtvlKfGt_ts+ z4ZQaG%_o&W3{@o`E>{;UF>O|w*fA{E@`v^&&&56bUcqeQrqvh+^+9QP7Q7@P~!_M zPHxNw+$M$g&u?gp@qj*8M~hh=S{9orpj?kx?=+GKht5N&2kSufq`|Qcjr~P;9nH%| 
z(ok;OLKH*~co}DNf%<;+Jgs{_6Dls`kGB3avfIjI3HrrUdC`4c9BX0E2j=&T%AT46 zT>_4R8Ks~{$nGl)DW;g+R+p7$b_Q#BE6dUQLLH*Y(&6g!}GkomiRu?@5)`rAH0q*>3jZy#_w--hnR&O>~{1#clLXTe;YawH7{oY=Byk+y&&W?zUnBfAyWzaL`1_1TmM z9L4xj$vupHX3>i!x|fd&j5)ra+KZ;gp^Rp8!gVIvBb#|EQid%QU~`EDCXxw&TIpZp zly%a`zw`b55DZ^7dz`_}IaecY6^k@M%*B)t`v*z!eVB(`XobbthtHzu9SjzxtvV>z zyzpbw(wOWVtiUSxa3DUxrEB)P0rs+I`O{j5woxB=*s9k^W4)Kc78wLR(~!Y zp)`NDS7A!;Pc%tLE$K`8Cl)(T*7r|o(+1?jVDLp#7*ry=1dF{!b4?snP7%}=seX6t z7`v80L1~3XpcNlw!*c3ojF>U+!W5j5QZlWQB$3}V-Z6a}_4hkRmCJyV3eoX>U1mM9 z?rJHKu}sU6Na=-EmA0rcN3KLWNn~Lxwq){|k^SBuG2n>t9Ic`<&qdnzofEmkLWi&W8<#1N#oFlSiXWCh zYs1a?$t0yA7-@mj2tM+g`eHTGRo&)!0foVNqR9|`8WK-Dg#B;9I%@KTMzk~=8%K4S z+;D{&{+w0!0>W6erxn@S!Tc_*lXZu-Bv& z{h(z+SZY7OIojJ_d;s{dUOlVPr}1^OXB^tdJvOoVVsSkQqc!%$1zGc;YKD-jvH=Zxxx&$X_d%8{tv0h?n^dX`I( zd}eR(uJl|5j%aiuD{0F#W(becQCd{ayyAV-k^k;I@)}+oCCq32GumGWQ5hh>a5Q%|#PM;NFxjeUu27js z-X~J!WPfJ~VY){#+_r@D#G1VBTgYfXcVM)WP+s0s%VCUGl(}yC0TM@7xqPp#3RAhO z-6!(zLK$V>0$RtqMRZKUk306X+#16U8%^}m;9aCN3Fu-o=9faF9Q*G3?u8i?#JQ$F zu?&Mp!)6PH0&4LFaMKqi*rRaiO8%*%kKN^aCw!Y$`grrVg$vi(SbYy&vcH)1bhw03 z>&HR}4~K0;0Ljy_x$IbL#TT;#6;m3UpgT>D3Z>@NJ8x|3ZE@R^p=`y5-`X5i$d*fQ z%iku`L^~o=@Hg5uE4f~eYZG_5BD;>j?Yg0S71SK6tK<5Lm-%xKj~2t_HS$XDR0V5_?giKy=il{6mTZAszjqY zD)brxd%1JjPs&IWN(xlOADBj~H}j^j?2CUeJqNtOIx_%<*gu85UZzO$p7+178L*`P z-C~64?D8B1t;YLFd7XBsU9#NHvw+GxUd;d5FJGS5b^CkVU-|WDboh2R-*a;6JP)w7 z;>U1(haI=hHIis`fS+q^*<0c4ahM`8m>vYzfSqEa7(Hzm;qs< z^bY7j`xvYD#RBdx>hXemNH67i3`-XS&kz8ZM%K=EI~78#BcD`=*}``|D@wZl6lqZ9 zca*w3C;u*&ZXLkx`G7IC;rMS~*3M_<7!T;hL26sqH<=_f{v3<7*7@W<_3CZlb{g#f zy(;!n5b%YhAPYga%}Cd(*RD4@o1ABObo6d>p|5?-L{GpMFm6sCMCY{6Bo^mTx8o(u z0YDzPu z%{&$n^!FjmC4;GcuGr$W!m+6FKnr<#)9-nIk^5=!T-{mhFvn$b^EM#dqpkX3KD-io z-xIr`I|jU8cH@NpyS=p@!X{ZgPSYWUMB_!RQVG3+q1wBc&uhV*XfDIoUTK9FPgP{&`6^bhx>3a>3WKou}s)3UU{C$edtmU|xYKEt6iV974vPY(uGkjaysa^3(sK$u zG^t>$UJ!b2oa&5bW#4T4+^V1bJOu*|zOg!AZa1GXp(AhDtGCbM_81sbK@O9(6k8%x 
zMTBVj;`@zGo;wutIaJP4JX8`FEcC^~c_O3BMM;!IHh(=nsqLin0h7}Ov22o#m^G&xO#xtg2A1@ox|p?G3}`&S!)cU;53RWE0J{nSlRxZNWY)9K#M_ zn9pK3VKlL-&;gl~SW;)CyfIdJw!AW7{ihSJn-kxIwC`L>)Lu>pRf%$LGK_?i!-}zp zOv-=j6m#NcijpMu;bJRW*%ob#jz(U> zam=A1)c-4f+M`T3%@<4jhRoU&=XLcc8VSXp%89DY(~eKJ#PnfgoqhJA5~VyfRwEHM zl$EZxU&U+t1Ma^~vr>u};tVhY9D6G36wA1LfXH_RY#i6`bg++VG_ZNG3I|oI<4e($Ls=Rw{;^Ul7x(Cv&9c0IY7e;j zTE33AW6zw1v{hB9p(>H_DJU0nETe4xZMuekq-e}-b*0X`U&Hr zx7mG@FiG?We7-m&UT(&p-$j&G^|5eb2uNK;T&;NaXJQ1frf>Ksz6H;`M3eNWSp{s) zapY6SLL5mp;<`n-IZ-g6G%}aLpLa*UZ$2NDMJW`t@V<#!%TMtv;aqT?F|`Y2I#eWS zyP0pFp;5<31n3||HO%3L?^M7L^Q!=Dik=r_%1PaFVdS+fH;}=D~F6{B?Y0L!XLXX0S0Mh9y^gZIM<_@ zvYDwMci=*wGAgp{oILFUr!_o$O9L=6Hr&f84R+;&gXb7S|J0d9*hHhWe47tX?~!nvzmoLTLi-y*g7l3S9VbUB zvcQDw5h}r(H%_babrfSom_zOl<DO~ z)iS9pG+jKXNZP`QBAc+}W6TvcqWgj}Z{F_)SM^AKa*}y^1!z+&m7lAHruk#H-PqUXzAvEybUlm4+EM6 z4Ot)VwkGf9e1qT9*?yXhw2$i+p?5x_{FVQT6_0J&lx_#w3!`bU01(Mk;Y^)00^uIRyu>hAPr8 zc>ca)OSeZ`FQ12d9}cNl<~KJCrIXrc)%PfkP5lu&{o*AefQ4x+HVGw^2=J{NBN7>{6VMbU(V3Y^mLP7HBea@rYLkMa~j{ZQl~)Rlzd2 z0IxPZZ^Q@!G#WA#*;3f^6Y1xtZ;P;TG;DEJQ*Y@LK-`(0>(ZEc$Bd542Ikqvv{U;l z<23H4opsE$yC*KD4yQ4p8d#DaNW0jZ53r+g#?jH~XEG$vy0PC~Th%`GaW(HFli$MI z{3&g48OEX)tRgPa2S?{LT8KQ?+wdU=T(?7VI!6VAHCTmK`@F$J`wk>NS|d zheILBGD}GDJvTSSkTpTU{kDlNQqtz@TBc6(3%gdm_R(jM5TqATL4IbNL`d-PEYAP| z+hEmX)rWN1uKZH3eWRT8uSK`{lnW<2M8DJN`Qgw8c-zNAbUsGfW^bL=c_>kdp}yqJ zBnYWP0Qk;009sE153@F&K!R6__PezX&0Bs?1@y3oN;XadND0vZ2c*ZV?gkEA4A7in zFI=fFtj$Gd()~=tYo!P^c{SZReAc~73$@4_VgTRO4m0))`(EV zhHpO<3lTRtsbn@zp@U7B+p4eswG(Z4ywG>!kiaI^M4A2JWDM??NIWjsw3gOJJLkKj z9&dSkU?(Fq%-Y9yAo-17J=+t0%rSE=t;`0HD<1{jwka>JuDkR57Zs1yLLDCWrL5-* zEP9~&(xFvZpH!+HrQ&Kw((gYO?yg zU{{g%?-@I+hlE|=b$&X1b24u=}Cf2at?k)o0ag2Bnq`!Xm?W;t zNVow=wGhIGABKb4|3Jj9Ti+F{*3AwLm6pJsvBo_T5{i7^`#D_!}jNlZ?Fj8f;=1|Yt9_J9UW(A00Xcqiv1o?rpVqopOFzDHV@L!^jqD~V55@1ho=J46zU?0N2J~7M zii4lBDSxvPYgbQCU=k&MAegB`*!|7zHY1OsP5?9*ZXX?P_3GwVO}7PAVZFoQ<(>Oo z!kEDNr1yaYGkW)otm!<_d}mJgjCX=RJUoe^vai^?Q>%tn!W4Y`o5I~ngAuMm5_eTs 
zli|vIpajP;hUSaFf|^p{E+Qf^g`{4=n&Rn_hMpyG|WV#GS*My=xh@R7Y&h zg7kZo?8t4?$Ko@84;xZ4aQ&*^H<6qD7Kn!1wWU@?>xe(%X%SXFD2%=bC!;=IoB!0J6g%2w;E$9E{+S#t z-RYnsiB)JazYYWYsc56%|B1mU9EIuA$77*~Gw9|ai{P=4hwtvu0`wf36qvvs_!%Y8 z4;Lm43x<7y`NKwp@x@A%;KNzpK7`W%w|~PI+io#^W|-Ha^sW|EE-v!?1Y4l=La)m? zn|>}JI}#pb{qDM({pH)u)m>yga6L$$_o=ed?)l~5@(p_NI=!`U>(1jlw|iAuGq%zF zsD9ezeNXgcHhF*A-8|y7@9Cxt+qNiZV)N&%a}}xkC7@aV|erMcS0wC45~}( zsZaN)MA^P8eLmUlkZ?YMx>?5db>>iYnBCK`-eUR2%46Z}&ZGv(Gv1S=$GOi1YOjXE zDRG-)?bw@R*uw323RYOP%5!@;2LNJP53Z_LFS=K}OInYU=$Tw7IG`I{6acgC)-@lR zeff(EL5K1Mh~VxTqdjm0h6o-0sUzgEB>&bsdB7>2Z6|!SmL&LNQ4dz2q99~+3gXhc zEG9ko4r`s$j>k_CbrB_5{D9c; zMS@7+A^+&b`Go1KI#TrNK)2wglZGG?uAlQvY6EOxN+ zSUxjqPhFsNy2N#1tVO+SaPV~lAdi>!kkZZ?Uz6peGQ`#%&vm+ZBzjcH5)nE{*G}Yl zuJ0m`V;UppxNZYj2^r|P)jp`#$>`aQOFV(s0}R^E@xMF?hi+~CubcmdO2`202sK{A zTnOIcYayvJm3hwGk9doKGbzP2O=Vmy6rtBM=&iytuo?K)*Q_`qM~E(66%ZADDU>Hb zT5Oss-8zaDqS2)tr|v|s|E{S(mL0)Dw%uv8H#{}0o-m~{E^Pi2=qP_JZwuomk2W8E zxRRMF34UgkLTnM~9K(p5l5o6_re@a29;;lHwE3RqM3+W+zM5;1D48veu70#FC%&p5 zQ2ki(CkW*m9f-}htHR9^17*uypNZO);3FB+MCjIE)&8GZ6hWFL4*|W`1uJ(tb&`qs zOJmgf9f)8ZnI9E1{&;cL?{qKf)aY{P2EdH%qk;IQ;~fi9aIarqzm*Y!UGBk%?;u=xqD5x<{rvyrphF2slZf z|5=%hQejk#AUeqrOqAR02rFl{@1_j{obBEZHcqhi=F{>b=?U5#@Zlz6{>EOgTVD6I z3TeF}&nc_+%_&PZ^5M1|jcrkFVVsl>a7MImtlvOWS(iG!;%LPgqYb{Jv$en%{iZbE z>&k2QiFE-V?8wVpDNgEAr6fH-P4~MkAl=wmvj@jK8of}Ji!s$I0G>vjO`7BvY7%Go zmsGsfg;CQ_^~tf)89ypZ&2&)UTea9fy{j#7EjZyb;Vr`QI}j3g1T_eZadgvd$NEK- zaSxzQc=d6!B^8$BU}N+8sW_;Yip$`7|20%)vM72<$HfYF@ny}~M<_gy#pV6p*j`cD z$*X@7jT)w&&Ch#A;1@UN$tu>NjIQy>@b|vUzF0@vNxi*a`OCz4$gwiA-e(vs(}#Me zi%SvPX@dFcWvBz`8yL$T!QbfB;yN`8`1YF)2FT+4k?ZFFLM``qD(kIF^}(6Ty~#=e zzpq*GM>j533nLCP{c$}z)jtW@BD(WMF`7}o_wQr7`uAv#Bh$?Sm0MK<{vL4KrnNhL zi(nc}`C3h`h+fUc6px5`l2S?a<Ql&fLxi&RYx1+I4O zu}dq%?%;%K=UDcRZd$VzpO(Z+8A1uB8@T z;x3_y0nyl&sTjM&iAOvR?R%(+HJ{XxU}>1=TI3!6)|GQY^=Cv`+ke!R9FKGy)6tBj z$@0=x*=5b&s1ak^>IqS;$@y5EI3=u2y{Dr>T<45R13qK+N;BddKKJ>4Hd6x{aPIWx z7oyeSTc=NkV3Squ(s4#}%d^`ye4iOULdl|iWL0566;6`=;%D=IyZa!y(s{Jb&@k@E 
zJ;q2+xVa%pG#`W0J0wq7hK?f%AY!L*)Bu;YecEJZ^G=#Y+?K!meG%2Y8>p;dyUs?Y z?}Q9hlrM3;Twtr;8Q43kNBK4KE*W1F!I^OXwyoCJD z_rC(uLU==WzK!6FVS|8VoCGDJ_cROnv9Na4L@>V_U+nvE|Pb=zf=OFi&zM0amfy8z5 z#q&nYfZe^kGuROlXuVmOsJaX7vTg6i;=W^^+M&zmr4_R*FH_r%+2!%p05YZJmlJ#8 zyCSr+Z4wuhw_g0-e5xKp=ymE;u=Odll7zdqZXbzD9~gAKXT#?UTVafLd{}HysDkbG zrTIf5btHx-H~m_g#+bN-{QK`~ZDGv@datV-XJh*QXSC1;4TvAkxu1(`g6I86<%G^{ zFi3-EcN}t93*Gr0u9DWRvU>aWRGf2;|Eb~sjB%0tE9{?}g8obNN3KWd`$v_$Wfusf zrQ@gpxn}LAVFBhmKDg=adg&qG=~69mlhCuOBYEz2KnKK)p}NkqGF>3?AN}~+=wE+F z*ULFJAmpPkcgbA_fZ20hwgB2rIAt$U&pi7`l*ylmDF!RX&ODET`FsI)F`dgnrc-WQ zoz}Z^8#gUfmjWkUu)hE7V}I-`4M)M}EkF*7g9A&TE~Qd&y>(-2HIy}&jftn)j#Y?W zGTv<2H$E| z7O%J9m?JHw6B;5!6_6G%*t#OYJ8+Ma=w#Rn0ZJW@u`3$a}<~3@fZug}qfRusvn%;B1 z+ga1*>&<>%EW`ape5)U1LsgT{CMU}u`rv-e0RZf6#2$Wv2%0w(JInFrgh7W(^FJ{VNQZb#3>8Y#|dl8_x(UB|y2J$6MED#jW76gua$Sga!bP z1sZX%YiE~_CqnIrBe35Q!l65I-weRtYn3@s{w6;9YX+iB6~3>M?4VRQ2>*qOO*>ag zFdvmXET`$kl9c(^`O9T_=2}z=e>$#AB)s@yper&1r}DBGk7-m_5htG-6NYz!LcDC@ z-{YqYeI}(-w4nD997Rp2`@{y6jEsF)E!^cx2*M$;?tVd_>rX9Fxg;Nr`98a~u4kfr zu4%ZQmP=8FwtcU-o*t(9(P}+1LC7D**c87|!Jzo%wk_EFoAa6zu>t6nVJDDSTSLZr z{->PRp9i((agY8WHp8rj!Qu`}329~8E zEfk{2irwcI4LTB4TQqN=-217Ckbx;jjNC+6R~9@IP*f0+M%j~+ zq^B3Jj9ai$pO47OkUQEwRwVGt)2Ew0*c2Y z6=BP3#v}KuO{!I`Wrd#gJt4LTgQ=p*TxQNjKdB422Rn5%;CF?2o3|y_ZV8rAvmgg; zyJlWQH+4UC8(H4Csby7^*st#R3TyF)KY5Y7!&$FU`P8Te@WOPzaI9PUa93M;i^3oB zEdmk@(-|ch6zuG0OxdDi!~G~(Xbsgo`>Cny(o+(VqEW@HtS{;2MYL~w^;;r*#JhBz z9c3-!PGPmrFtQ-+{ZeL3X!@(g&(tiylY#@>ODWkgq21?W{|rPVoEhcS<>|Py`k&XX z9KmSB%pk0X`gfU+9U)ZCCe+q@L&|XGVYDiX&Wr@DwiUtgR7!AL38N-<5_6`k7U3P) z1Zs^vCyL+T{t<+!G&+x-s5o8e<=WY+|{WFYW_TS6lX3QW}mveI1iV za#{~csfQ1udG^LuOA+}VPwtbxpyON+O0b(;eTt&pdn&5y-bDF>rIV+6jmcXc^Xy2P zT&GqXKeI9wy#NVyr~j9YN$;^+7nE$h-YKO_``cMockWNOAXZ+u^fS{FEK@x@#Z4Vp z9)R&1KO{(7MvM3j1M(Q}VlcD#%^~s3xX50pm4Pd!-C{RWF1LPDrRPLtX z*jol0K;SN=dOeT3dRtX%=Ss!AnEoniFe(-i0y~Q(B<#07F(^6WJh9xIz8Du<`<_SY zidvmZ&Af?{#FHTJd@;F>P&|40lGd}8Tbig0lX5F}uCZ$A@48r zLtK)g^_14OY7W~$pAExS-+#1p(k{$hWRf8FGGE)nn-l00%(w 
zfcAxa3M4r%SAz6wNw9U!O9yLn^@sg%eFzR)(V`b zg53qK?uJ@@n*|}o0vga=6N_$MhgS+N;O-v^i?#amya0_>T?<9PUFxj z`FF+n;FkQ}*#BVre4X>bZ$EwKk4}%8lliOhGL3?dY2K~2i$(5LXEjLsvSBQXE4QY{ zW*D+j_+r#E2?O-QNDW_Gj~`$;F%H{8q9y5#`J{SKg$Hp8`+}ADkR{!Km%NA5m!YTY zM+GD-d=jjky?ML9*KmVRFf0j6c2vhY6mSaMNb2poZ)jyAK{&6{T-zRWQS$v()yQVY zs4U)2w>$wW*eZ)_f9*MMN=U`v*U<$Gi*fdz?r3odUF>c(-jd{Q!#mPS$ z`Wu~>{ya2npM09fq?Bestr1GbDUGzD%u*_(jK0D*JoKWOk(IrefBuU%Po|VKSn|Vh z;HmDorOOmS&WcHbXm{-s+*mN>Mr0yF&UGdMFv(fg%#c6fIh#IZJ~uWZC5Fb_SxZ9p z8}HKZEc6}_0bh5%Ax=B~rCBM-GJ)Z13zM5ToV`h`>X$89mMpFq->6AxBOSCYC1q*` zAJ(Rs&zb#66s(ahteFHvZc)8#WDAY}>Yt z#SSfuaL{a0q#MLa0N0$ zRcn6|s!onq@HKXSm1D1+Pzl351ihLlrEYw_ZWRh4tt`^5$1D}T2>-B5k;F-%+Mlf>RJ%1^ zDPa{_Y+mq9v>bPC(uqjdZ@3(d#(`{B3Dm5-^NY7Fl(3Dr#2yFbml>(^${Yer1dfHV ze%1^8QXb{Vz}aO}zIS6@b@2&?Qb`d~bYR7<5$-6DY{OvAw<(T?0;!a*6ZX30i=CYQ zrS<#)VKL`BETUhu{kC=5^BxI)>nQ^#7h~+XyPu9I7IA+iS!2sqP%#UUpMuj3Wb2y;e_ z!E&pgYOo-wMj{Fo!?^fG8mXqMn0NiiL;h;rJY!|SylOAsl|jk~C{t+)lQWrR!;$}= z^3DYpIJbg22P}RC`vUeVK14r0f>A&9RrpU?4;4pK{$wcF2z)9?bq{?_0z*+8V;&KR zLj$(B+7LZ6^tko!^PA3TyPt4dF|1*+h=$`tNL@^62hAHY24}jjzF1T`y^e-%)@Fhh zCUK`aU!w`KTMuq4o+%WzPb*);aTVA8tpyQ#+JpI*xAJc9=V&KneKgnBZyT!NeQv&V z&^Hx7Wt1qipZ-fojcp&^vNU84)p`4Q(>&+`?0Ecpk#AV$U@tHXx}RE}DDiJ7e;uc1 z_=H9&y02X9TP*X6cwOFYKM1zkMxPU*<})HTB|UlGURf9z(?w^yoUnUbdM@!3_+2ko z$=xIFOKMi^!{J<`%P!h3i!#i{G^-o?_Zl!+r@hRpz8!4ZB7FGjxGp}yy7@^QVU=|kGBwynQF!pX>TPkHHoF@3JlayH8Yp;s>XgE9{1#=fJi-kFKYuSKAVK#VpXqIYXiz@NUZG z5caqiH~C7y7CBzP6DH6Y(J=Uv>|;~nU(wjbUAYBt z3xs`r>oTFp{yg_Jdj$ekaIL8JQ3Jr(%y8Wc376Hu3jSN#d_JdiQ@5TCI_MxN%=WfV z`MB@F-^1nwK?LTz<2ztCjfaluZDD)j z?KSq=?H#zg5IYTYMmMA{@a1ze!D;=_^%8z75%v`O%?4=AGi48AH~LjXD_^3rFuW=u zz(~vOnHe@Ir$X`^E<@WGRxBqi*BltZ&0LX3RTDG`rH&%qab_YNPXTF1UH~eUKM3+h zEz|N7p|%*$Y9AUlsl332Zrl62N6ZrsfG3(4%j0u`nY3i{_9dPj*Fl)6G6quBnbcT} zeV|Fe&MEHbAt@WNV9{$J53}1qJzz(t?w`a-9tNYpeGO!|8))T6=ljl(7{5ncRm->K zPPbxt)_=oQECLi6G0eJ zyw^SjX{qW@ej&iv-^dt0xcuk0fK{2k3UmauF@iLSmK1AjtE3=X+DK?ZM(wXhf@y`^ z7*ftqBIOmTTvPBOoU4{i3*}q%HUZh8N<9T^#u2m}e`vIo$E1>zoze@VRc4MM_*2{? 
zu$#V$sCE1~Ph(DWfkrw>+4B}KEFSh05OXPO)quDt1hj-V+y4w9XY0>jr5jTb-vLAA}6~ zt|`7-VXv9rkW=7qZenBtH7_iMFHwtoaAR8c7>ihW6efS<2Xx5T^ewOe_>j!j$QcmX zu%V&?s?I+}P)^Uu|1}s>F{*t`FE0QI4v~xc{G)OU`HyA%> zD=k6kyikYsJ;8C9EG1z?4%W_t)w3hfMOlU*9hA%+9~8ed&V^Y=i-vDE&c31cQV@W_ z_EkVHf84AKrPVm?bWMy(6|-mPK0mL_;`O3A$?QcU!sVZi{Mi>%T8niG=hRswU21u%}KF~*K7ss)>Rp~B^O;ABs2=@dp(=D46Ss- zA)(xRU65k; z!=ea@qSf>C18*a97a0vlo4B3a;Q#?3OP(x zi%-n) zVb(Y(Oy=IZJmr?}ZMx}e%{Hpaq{?grb_27Mt{w9vuHVp^zP42+2&YPKl(So>8*-Fn zS*&>#|4;dlM20E4`9ulGJprE;hBV(Tma{Ikcj0yf$>nFT0u%1`1fP38nT?<7>Ux^A z!zQ8hEV2mfXmtZ$wvagKKaX)lhMf`lPL6$8HeX+>4o_CD>gMR28|bIkLAjaxt@eW( zH<)QRJRT4lwz>{i*mDcYzTe#SKr=2F;0Sh`9$j467`#3w#@2KioB7?2_<6j)mnCd% zU;2UfQAuvE0oLelhdGiYRsJ^`cVVarXWjK#J`RtGJ4b>Kx+AqNgnxJD3-0Fd4R4&i^ zt-V*`_iM7Ab~&%ZLZ6SfKIb-G5?zz0X=0%1YsF{#v;aWcmnQGPmd#Jh@2!7-sQyt= zVt(1~lt%IUA({Vvvm;yQs(8Sd*6#J0*5c}M=4`mfKfQ(N1MOY2OiLV zvo6bV03S|szzG^YwtHy`zTGBgdHfx==f7-*e$?M9dT!*@Y&#rup`Et7z5UVQo4)ec ztO%^{tD3I&s0MD45yW-zD{Sp8n4xe^3*0d6SSZr*n!uSak=;R<29XgTWoKeurM6$* z%=(08eeL8pn#EjB-FNW14J^1_@49)(25wm2p5INQ?aXsB`g|y~WZg3%u9X;GzaD6S z_Go7@rUiXK!esCk^f^n;KhNb*<}8oObK& z)ujl zMb)iPOVrh4Bv$ueTR$hNDslFI<@NP}Bvq{YRB*=i4a_jqazmmm-@Zzs|K1{1n$EnP z0G+23bF>ZYt_DxX&H-msnqpE?3HjKQU>`_6#Z~gc25I6(Vo+&q(|qSe=*Ny)qd8lz zN|B6_0>OE(6l1zhg%5TcGEF`{_J**5M?>mKF%`MewYfe_12z!N^#w8!;xE)uTfC}y zt@C)6kapcBd(&(wiK!|(ZDPllg|u{B?%%Dp$mh{R-ATb2o&ASafHVmzHy5serctNfR$baXxg!Uv;B_W-c4& z7UM-aF^G484DNbeHi6BwRQ%ZPr{bSUUO0)2y-BvFSV|guui^DtR72Pe5LiE{*Z`e> zMh>cEsu#cS*vf(2TGYp+nTW+hU?}OS$-bc_ovkLu1TSd9A&r^D))A%T9Y#?`A1}ID;zJe*C(j5O%dJJ5E0k3^nUQnH zwDf7*M)Fpk?uHg-&yQr2D_^o``gO2dICh1(Pq6k?C@l)p$<5fuO~ann_wHu~7MWq# zLgO9Kv5Wr@53j(;I6~$`1{pg?MGeGXh=~1lk|8GKCKlDgwt)w%%@mTj>hOo*v+K}6 zv{1sj3yqklkJJU!+>OehioKfa8Wq;|yD7RDpD6iDQObc6*SsGQN%-} zkVM7lRAe~Oxc5{h-f`>3hO*>Sx^2P)ai#RlQ6r75;}t|ElclH+TtqFzm??#~$3^~< zE|&2Q$b0p6XChX>mr9<0S?aq78)FzQyxo2jeTsw%o%N0@IESPGOgG|urwG>0{Sd6z zo4}c4*$jjrA4{a+NS2iKtFzJtp?tzW9feI+O-;U2u++1ci5}R8nUgawmX?~iZ_H7O 
z{m3wvvC7|o_$fEmLZDDdD@8Lt?)HNYXRt63J6*oc1gpY63yUDNB*HH~&nLl`mA)1# zHdTx}Yx>&|Oet!WHDuu?BVsX5dy{hqDuL?wmM4~oVdCo?X=hD3HO>8nv_REfYvObn zx($upmx=j;MnuO}=`S?-=|7CqNMUHpvq}MOQ-35?0c9i}VmqDyF~C=gC|t z`DsKpXHbLCVXw1vx)K1dg=)$8NqlQ`oM@i$kS^prAzq@*dZRPG_9JAcRD1GO$kj03 zmf<^y)>xXh2uk;TO7fg$iZAsa1d0koQ`I7;I92Oey6;$HVWX1v4)0S%FPs}kkF zP4rZDX)<%}mTkDE<2-S4NbNLw$s{OdsSVDbImKg~7Y$Dk5?EkG!8Np5p;$*ogm3 zdPwQ9!$3LFtWG8`Vv7I@q##aegi`Pt^%sfOwz-1|ls50nI?4IJ1$_46K8!O}IJDYYNx@>s8>Wy2) z@A>fISN(qBvQxKK4dlA~OV+Y|=5cg&{V%g?Lc%&YHb(2}@`>Z#-x-85x3uO`@o_Fd z$^4c3IBS(Qr(uL!vyv4+&j@@u_?5VIyS!{Lp3^ba59jdp^rv~*fIx$w|647W8(5;( zJZIx}gZS*hozHtuRZ+(|0k~wy$+t2jyfxhK|D?&QqZ9 z-PaQ3w6z6R&h+>jzlD159*hyC=)X;gYG$@P?-bfuyuT0f1DP!@qdg32*L6BB?^mF0 z&fT7)pohvTz}+L4caL)WK+u|K_~vdNCWX){!$gma7`}}3sN4IOk`?kx&JX7^GQYaM&y2F&%03Ocvici@n zk~sAWA62_7Wq#FsdH6;k*g6_K&FFS_Wgxhl=<%d;@emDs9kuBJo+sq+zkwc6`I+zb zHbO~Ax|TR9^m_%n&v!o$vdE@9iY6{n;KxbCKVByGvUN<``eu6yss-=*{x&|M34G0I z`^)b>$nGI9`U5l{DyRhxTRb{@ z153Vvv+sb{CvQ1dHogR4t0U*2x7g|r-HE3c)z>-3>N>N-9`Jv>?a#;IBSF3i%~!{h zNRq;*_|MVo1ME#sI>~pD63vr;OK4Txhj>)(1jW(A$T?NV7Ya>-?FI=G1^BFZ--wve z;`(a&u9eDo$gexmT-vtqY?PtBu%hOmGeQG$C6j~}L_4LYPHs+;7cfe?VepV!3MIHX z%Yx#|V3VW>;H^vG5Zt2`l64s{){`%OdNDzHUuYCr2sxQXS+P3o8QGM2ejy%7>s~^@ zh$?+}aZsy32T2RMj0RyyA*3n`ynaqtZgoWk5Kubn4 z31lSy>@IzDEX$kuGA|;@twWb!?|m-)rO(`R+Eh&k5|Jfz&@8j$+MnUpRv7N#`#Ro^ z*H^;Su!U0X+}(9->e0dhhG?G=_+}@ETvm7vR|#hvh>CC>!EfYewh``yQRzevDpoKY z$7QGl3Tx60x-?j=IN?#LBJ`6Uc7{uOA&)O%vlBxXKhRD^!c9K`)uM}IB7nm?c>XDN zZ&IobLL{sAa)Dn%wUtNTnk0&4wL>v0k{700S4FB#I09UCk#_y_1d)tlg;G^?_eRaf zFl|5)NhR>OGN#-;X+dh;GVb^%GB|KVrYaZd!n&i@WMAQLy5p)u=7Lc%S)h7MD0D?7c4@U@D>+TS^pjzJ({gV}-l5?qfeY!<$!Gq1 zTVy>-{X>t5rL$U{hTDpZ{3eR*X`ynaie1<=AHzT8QjRKsbwy)%@Fg7n!CI&)($ZhE z*-C~HwGw6IOgN+5am;e!zP<{9ylAKj<^pM036_W=qf6T5R7u_wQWJ%*TpcZ-JD)oE zG zCep<*x*dz3tTwPR(&IWAZDAJ3q4uGvXv2jy(7&6cxwrGNqQ?}$*zw9Msr8}l~&K=ijQ69yH z&m7eqtlxx@nRnYP?zO~^`hVpZ_$Z{5{zm$O%KZL%b!F(6O3K9IS6HUYSi3Tu1E4Gu1-y9V!X ziJR$)_B~T$E$_Bx(B$4}1qR7Wp8;DpGLj1^+gG1mLLJlM$F-}BbDvDSG$7YO41IMM 
z=DJqR0p>#HKz$$O1oL*bdGoFTbH^+vz^!XV5{m^5@n{Ciao6WcvaPHyqkXfxAvVQgD`=~A1Z791r6#JYVaY$1eVJEF+wDmI^7TP~c_VUSDl6oo^V9jx z%Qml^23<7s^0iHUvaou37SnI0xI;CDI%-gW-Q#hwBp(}q@vP1(UJv#LS$g+H|4GlT z$Fe^K zU%&kA+7L@eR--4&%WK6lV+&^+xEpt(Ix6;Uvf5(99i-^ay}#(D*m-z}>fv+LCo1vw zZ86K>Ql3LH2RtgDR`3aH8|(Q*03MF zAA9$ut)PN&aJcLuIi=jiW^r@o^V{q6@&h>hPEY_$9V)^edfWA}FsY{mwqghai)naq zHHLDC6qu$lO7Z_ajZ&eD%+Fj8#7}_4tkV!ku%8uW6U7}n(8x%riyOx+5%`tOVXmGz zp*~mUtt-h~tYQZH>yH=~I?ZVABxMAJ#?1F(auzTDkt@LY?4u_*}tn& zEk`JnubM`&I6paa%n)<*l&0_{%ozK^(Q?|{8#CNxScReCBJs7~R_$0vZ*y5psaSb9cQ~LY+-SgiYV4DQHD++@}JErX0gK)9+O)y(UEPe#4u7pOhaiA;` zUHDvZ9_J}b^_+^8=B2h@#{tJLv4U*%@_sdZ5ng>!n8=yhh~spOI!8uX7RO{dEZ?4u zyBVh5`yZ5=yI$lKd38Gb={Vw$L=uT(u!-i@6m*a*7|JA}-Dl%;YZiK0=(^PP5sP(N zxs>|CRk`odN#R`Dtl{_H%aGV|*Z#gaiUDq0mC8MSG;94m3(8~~x-ssMZzU3p#-Xv( zB)|quIN`86u9iBpYS^q`Py^@OlJ#^b?yCWZKseuWOF; zPm~b!&itV<@n>=)w8Glr+~eUqOj3|x(XD6Q!6f^YcZ-lnn78?}Jh$1dNsm^EEKl~p zC2z&1uv37)4|CzWNqzlvOBKxkf^Shc1sc0!&&UAusdPQ$_@*!eiz8)@80D_iPU+2p zeJG3uOYBv@MR8bun^GQ}mQD%f2U=Jz4rsTaI%dV?MstNyjT*k7PFr-BffX^{ z=YXD+CzCB;rW?)_x7W2t{=qF6_gm1v@1vY>7smByC!P(c?Sm1#d47Vn7ChAaN~cBA zZ4mo$($4#+>6?K77b()!0~L8iD_pBQCZkan&2X9oc;pUMMT?nBE!&KIlltQY=gO$8 z))WZxJR~^$ij3UdSS39|+}6ud9qUI{^KHratN@AD1ch7^m{RfvZB6s`?;>~!VigLp z+~r8WOmnPVlUB-#2x~}X9)7E5un{Qz7$%3)>H2fm0lgAV*Up`2)r11)|0fFHii+f3 ze)&6EZf@Wn$2tp-RRocaXJjwsV%&&2eH~gORr@@XP*)a&WZcw#xt&_Yfk>9C^)<|7 zM}ZC+loG3~w)P*Jhp})3v1hF`DsK#Fc2EA$Um+7|nM2IM5omI((` zKU1s z6pici4tsjS$!by4eLl7ReTsCjVOr24VG=d%6%>4S>r)0t^1pCJqOM*$S)%uigz@bsDdy-b zugxDf8j4kzhSB=|dl8EKYj_4qcqF>I?@LEh1=U(sQxzUrPUout`Z2wa$ouB$QyYQn ze>y%DZxV{&2QT2keoo9f$Ia^I(dj2uI%A{u$=k=idEaCs&!b+k=Ki090XNOc-SnQ< zvO%ZL(?i$SoGPEC#{&yZZ*NeBCNHId)pU-1GnDs4^PEF$weJgzyhDe>>(K9ML4jJuJ zecmdM{J`fR9xxak++zU_2(LK=f1kerci?Rg0e`S&+;$r$y!JnkNF5(Qb&r{dY-EDp za^{vF!64=r)FI8+W84hg0Bs{MGwuK|1hKlrq=wD*W{-6I4%UcIPAwgwHMC8nCO_Vv z&Hh&|Dm4xwB6yZMD=0LrGG10v_~)*MwubtSM4qikCpX@h$yX(wD*qYGA(2Qb%LI`> zqO_Q>CPr{bG)sjge{KDktW(=sC)6YDGWzd7W>j72Lt8+$_=%8njcG9(Xmd*0@MT~2 
zxSbQ95(s;fA)4DgMVDJzuG+MPyVJ4rjOs;~Y<_L|0!mLPn+|ld0jS zRIa$bt*o;Q{r=C$;8k+H^TaIEh#K`zFx0UWa`VW*cY28cp$F{0e|+6Y?|^ez_S~sh zV=RLe+%75?xJcECx8DiPSDDxdyYLm{V&L^y#dP*u4emzsHKZ{PbYPQQbMd2wlN3@E z5Eetsqy8z+o(sbuwdc>%ZOtNTj+Iu;C+p_z=PAcnsL7 z3R4GZ3iEa|QDQ8)YQ`80QQqu@0`acSE497p_R-?79Dky=iR)#|u#C)qL6T9ZH0Gis z;f)ZjjtcE3{#c`8Oa%Kn5zQ)sWy2nLF{LxRW1fq^VxPZr+PMdZg6}1bLhr!x5Gl|8 zVirPZ_id6!b92~l;uiQ3{2 zwvF^Jc-)A~w=lx7zAO8#WV9=RqP*f;yYQ?jgzaR>_Gg}(43Dz(`iy6u9xEqaX8Eb1 z$Syk&W@&cOr&y}xoW*^X^A#QdJdL3G1Lp?#o9c~;#f5xbl44rF9LHP@IO5Yy=^EYr zA#dZp1xVba(|9SJup`d7BzJ!DfhG$Pe$PQD$>x zg>nl;97=9gD*W1!*bNgb>Sej761@p7Cs=eYRSFDa6j<$fhdk!&n({o8bnMi)@XZt~ z+|Uis6JILD_{!TyoqXF$}B+dNSwPbyUlBjbV*`};iT;l}85Z^;$=r~dZsDNt)ND!hQt7t|ZtcnTI z$;TR+5MoX8EhAh?OPi{Qo)dw)|_MY`o9Ha$cL6#4E*!K>i2%d`_1qn$3x+q==S{; zHD-=nPLT*<|Fhlv?(h-xf%XO`$qXYZ1!aH-PV+d**krAdtt@tk>vCQKNk)b?9lls( zxxHCyqI3*lyFB&OwcRl$dtL>-wPi%12s#HRxV^N}61s+FIA92zUI?-_&;iG*8k*Ph z;`RMTPlE`a%r~B`uj+VMeWH6aZE93dx~_NTllAOqFL0M_eXk;DivhIewnj@PC-k^& zCl;9dI%nnM+dQAQs*eemn@^v6FFg-^Z~?IvIyPN`5x4;{x;_t^)BJmd=hzPHg|rOq zlwBY)#Vv2}$3Ea%G`8#F<4g1s#J2jCzWo#lyhTUB;Rh&$eM`_{RdjESkwpIM#;fc` zU?uS1*X5*4=$tlUgA1wsv>baE^Fz-`9q-A0)SSwf(YzGm#tDp~NP7V*7P6jcyB*k} zu}|IYa1cie@^fE%(Of@b6sXSbGDD())7S9!n?mk)ww|gHtJi>SE`063>{_OSeb*uGx$tLE^w{=-!{K}l+)DUzWZoHS&&l$5L zxZ!uR))M{geBUf$^IfCOCT%{)%RV8}Vbk(pvPA?=<9?v|=+iTUJZx|8QI>Tx=ohhL zJvd1n+D=l*bWtx#QwI+i$8K6Odv>L#t7|{1S=Y~69j0~|k(-s5GoA*{6opW;9UppM z?R?#RhXD@Tk58PBUFX%&#GCdBSuq*fpts(x6#b*JbDa)4pEr^SfJse~%38>HW`mpK zlZ9e+%koPkNlNy6%UnhDM6qlO&idVt_s(8<`tR2waKp%5Y{t&5}5Y-^dkT8|G+E~g}2}ppP0Z745!rc{i_`8y87sw0Z)M- z<^@=W@-g^nT|+FRlNW3ug!oOHiT8N%r8yX>T$y^1V<38k~gQC*2VD5*4&#g;wMuRbhOGAf3?|1 zezSH`mvsu{8_n=su0Ty-n_BT- zu&X40F(b0i7p1HT>My=zM;0;}EBj37_xd7SXPf$qDjMC|jH~u_U#Rh2W=f$|tT_6_ zby2#UUY4=(ZUt>jd$m-93K_CsO>|KVf@4IOgO^QMYrF;INhjRzP5mwD%+hRQ!ABY2 zgdoi{Y2wtp-XQ-AavI^mni?MjBF***ya^4-c-7Cj7?u8*60)|>j$I!vDaZZ?#Xx@8 z3~CSQ;4N^uY2fo<_4#v_@wIW|Z61hI3XY9qifcZoZH6B~+EQo=qZ4Ir!!OLG;jP9M 
z;b0M$XH^m)HK*NNIrME=mzqaOx5D<_{#US-J6DD6HVpS7G0)ys#;HA(g6I$7VMLW} zs)87Ej7=^at;fLoR|z)iY-dL4HI0UcbVz|qdfZL@D?s3H)UcNc4UGpa)N!dv(m?rW z7%CEg*tLMkupyz%9iE*puUGo}ws58nzx={v^0G!P2LI<`d7iSwzdu;8nv)UXaWVZx zok6fz9AaJs0~Z3cVe+C`JPx7Vvsmclcq^E5=M>a+#>?ryqS?fVZ90UjxCj@|&2_D; zjaaj+Jcj&X=@-a;o1NIVJE)Qls=6hVx3jb1$aIYshO+)c``Zz7?uA%d|Jh?^-Q~W^ zIPF>NzR$5{9Gq?e%MnR|KcgeHQBj_s0v*4qp)!~yLMjk~yy{AFyKl+3<0_ewO1wAZ2hG2aj|EsZz7eUL13if)q3#TeNvjZ_-TZ zY*jZoPW|tG-qiAd_9d};gqh#?{f<(u1ig5K4~U*o4MGW(LsjX~q0w@dQ8PFut!2)( zlz4jZ7(b~O#0)|(O-zpO36WX-QqK$d5b4<;ywe%mfBe1H&=`r22=draP_YU2GbNu- z2wq?D0j9vaXr~PnQ z^B4mdvK56=!HZL2iE;!1QL64x1+*`0-r-(*?%{fOYG!k^w?P$>PQUX>Glw`|8N-h< zbC_8T^rG}`zL}j7<%pxIO|~ekoy_pM^mu`?2)04%hOz4}`F9J-4>72#ngNdCKA|mJ zO<-cWmj0uwY72wxR+|FoT+}~`xX_%><1fo}#L)&1+mjFtKpFj)WRo2P=Fmu z+bO5bcGq3S9;!k_^`?2s9b-G#`5GYG1L_r*>}j55XtDjkdV4$dXd%h;_!p`>t#i;K z=}-{U} zLXq#r5V)CmaUcOfwM_hYa(JC1v>3PGyd~Dh&GA`T&!7Pir#>I=`2icYZh{(`Wz)>> z^L)QL`2s8MaI>6hyKZiyS(|-!lUX_RfT8RuM_^$-S|QetXwPm5*BI`d#@!9Uvyv;_ z?L_dwJncd3URDL_`+UK;?c4IH8S)Wh&Xs*OM5cSMjm>1E&9q?ivO*7QivdWk;K?aK zkHXJkPvHF8t7QWm*<~n!!o7P7r|G*NaGZZ(P6z58gR6cJzKWUZe&qv?eY|d#zuntD zv~t6dxSf1hy{+~Cb_|Xtd0mbCV0aaHJ?>@9bgI1_$wA>d%v?U2FnC%~PkB89>DqT3 zq~9K8ku7&$M#&lodTq;wN;>GSz6Y{N6kn%3SUxJcZ0<=u z?tq4wt{wJdf9o7pI&=gVx@<^jm|5tU{1Ri&4Bx)%9;qItyf%$3zbbM=bhm%bsUqVz z?xx#-+-^JTQ}5$t(A(~ph6+Tf>AVxH=6{FV%DSw%)6;!26on0^^y7+~i__C{EM?5N z9)vU)$mIB24mmqUrHtmRj6S|%I2GxQ(3)?$t#$rzp)v`F=YhbYje|SWL-KjoP(34X z+XL5nkQh0rTJ%3tCsLRrV8Q#~pczRgQ$*6+Xg5==F4fXY)Y6TrCY$Nj)0wY!P$xnd zU-27g1k`G-CTb&^#nxM-nZ3Oy&iT_jc1hoX@eFfZ^c8RQ6fq=|r`ir)-&`;EIuwvA z{s`wD>G(Di#F}j4Euft_mzcqfJyY0zsPdoOZ?aSJUC=z5oAAjt-vnG(&<%abx& z9u2dXvkHA1#6unN#Nx3miHO#96$&L(K25Cm4WPQ_35HTuTwW8^BBk_m&lNo|;B%c* z?pY!wBVRE6ks!UpP?{#QUU_OsZM!JSI6h3zU54nyED9a3O6n${e||?i=&sHXi6fJ* zBh7UXhV{ABIt^m(WEsJ!rIUKJY5OQmvWvdOIo+RI^&N+j(dG_gmk*gxes}#7qh4xI zK<65o`1jd;g_R!Nb-&c`h}DZPvT%)gFwz84FVi<}kc+Ji(a>H>AUJ&cQRt;b0eOi< z7~gTBG*ybJK%q?nhsKpMKOqexxe6zjIW(rpzT6ar9{y5>O%~oXSp42;^4OSo@e(^k 
zz5u>)SBoA6`QrQ8I1HCj2z{vq?r9yO7R#v@*AZ=?Op%`F=}RPv9!_A$g{yZO5})Oc zy9n$Cod(N!D~ZxuX;R%@oml#i{0z-;9XTMCo!m}5VjgMdqtFC^8RQ#sW zlpFfjd8-~}FI#?qa>F?morrZqpa(0Ba&D3qfN&_%P4SN4ThCR8LCdZUohBqGwbX@c zMa~@}FU5qQ-#IaDA3xK4kRG0J(I}HdGnJHC=2xOkUO~*HWdR+hb&^)luQ?V4$$ZJ8 z1SeEzE%i`n?i&M6V zW$6+|K_C(0Z@b<4but;DaCF+ttxGm(W2Vs|RjTRWP4umE^Joo*sCFHR@9^5#-yAna zV%IK8@r1g0q|z@+$0$f)gy`d@UfuHt5KYM89zeyj@$DCS<1LxSsk>6V#dg)vDrDFAr;6T=c^5h%i<7v22}NxeI9yr~hR zCo1P`TWEw6M~3)&h-1fTp!P)z)d*bTh@vTaqth=;ok|-qdFGF!-Zkj$X38{zPIbK* zv1uRRF`{Pef?-+dTQI&NmBAYEV3*}S#A0M1W{vr;tK~kMJvXVaagTYK8hl4b%tb@4 zO5BO-E$e1J5wdq;dfDbLy^iIjy?*c#m#W?HWMnicozM_s9Mgh4!;w%W;LdZe{D%SJ zD^~0?rVvP8XF+34v+cf6voXrNlt5rr==b%)^87X%&!u`U7b6tX&Vr?8R^J~dUaEBG zqusV|o#q5r{US8|kHp%j*lG`c)|)7;7kwvAlwfe(P&Q15SHds<11%dHsfqtlk-7iGS(va7|4<*7{l>!2ES$ncaXoPp-!x*+-#Pg5E>mnra{p7_ zG&x~{KWd<7KCh;@KG?y%B~M_G0)FH4&%0bd9RByuvA2Qy@Xtv9Nua`;JuF24xiMD& zDOKD6NAPm+(#IT7;~fVK!i9(^Sb0JgO6ZrwkVc9fjsrpDt~zWy&3x;a%ILVfv3Y~? zEa(`CFPVJan`LWOeq3%Ua`)f8Zb*LL$-F@2F@A@;5@2{AEh*`A`+4^9HoES3m;9|0 zI2XLS8Qc2OIUn<~qmH@au{ys!o%yie`Bl?Vp!;VK_O`x7%Q}PCtp}>1=MGVgg@!$U zEnx!Vdc&Z8^Xq=Zg<+Qv7ycHb+nDodoUqp-JMgf}ZF-88`(l=`Zce2KJBRDwv4Nyd zwuPv3A}dF~=f{MBEEi%gs?;x z?yH`rH+~*w1FE|UUhXt;%%i8xWcw!oHMSl9hEa#MQ$0>gIO+X29&4%|2NO=FW4eq& z`8_r-uNMzWF1vSEQNe5ck7L6cYt7*MHqM&PiO3Gw6xgm)eOyPBJzQb!^VzBrVBCYJC#gfIQGdGJwp4-hfPY3W7q&R# z=ZIxxkmHVD7NA!{{#XN(c1E{P1w|0)=Mgb+i?jD*iiN~}4aD$1u-@kgnuvtENxBgs zmW56DdZ}RtpIah+#|lQjI|%%qP3hxWg!Ndgv4p2kLW%`K7yY=Ho?}}@k7`w7{6WVC z;y1NY$@V7wF5V6WOTj}~f?9syt3eLjHB z>lQUhgb+>V)YG~wzEq7ebWLK=oHvs&;^Dv;5$dbkTbV^vbo^3vG9@FM^e1Kr?1kbf zFbKTxW(6(>lXE{Dsqw#ZTH)nscUFm+0{Dj-{zM{iBg64^|7;J@5H-Od9Tju3q$Jaq zk_r|Z95+Lgq#JeZv&_S%rhrz-*f)x?8!^v#Z0FjJ^7&QB<{4;-FGH(wRmTUVj^V0u zf-EI3?;c8&iqYynq%>9}R}38u%Y4w3eh`68^*cffF9ZT-qj?{O(7{wnJi5((`eKBO zERhe}j;a;AMx}0aQI@5cx+zd>IhaKW@#+RrG^~s=Xde==IxEpu$}>7PDie~0^p(S| z&J&w3cFwncR+RQ#q*^tv&waY=Sgu1REiH_cHE&x^y<*zVxRm1+a4C@jYRWks@t;b_3cnAGA06YRq@U$ zj4nxM6e`K4gv>{(*k;wV3nBuRlGy|7q}?5VYBo#;J=qf3(x7;lZ8~v;%v_n@ 
zOTU8KFNMU4t-gFIJSF^gCf@Hhh8Rt10G~^^%JHJSR1!Cual6*kyJC6( zuaZ|9xF~~-8w(gRV<%wTLxNn>P-k~ETDWv+bFV&qYNA1DxyI0>Czw=85tsSdt)rP| zj?FxzAcHkqt1RB;UxYKA21A5~l7>42v-6S$Rb1dL9P#iiQm84Bg6=oCwu&0u`$5s! zUguiGav^9qMIZsYuebd{&LJmN+GfWA8IxSN z%qro#V@<{@SK`7ou=!4fvMtP<%dnAX<0WUtG+Ut^L7!;trsB=&aCqcj;V{8-NxuH~ zPfTBzC3Vhp`{>Bt>=c;w8OdSSDqPUhVDSrZPUNdj!YRNS^A|QgZ>E6vU-xrZ`l&ki zn4*9lh2B|Bdl+9>$!+3+G8T6H!Avy8y3|W6Qz&*!5i)si*v54fNWaQtQj|d=G)zLt zd>Q=+IoA{7<+7q&_svQey~UEQ(r8jhdb5WOatrKMsBIOA{??^aNJrs2zG%lHVa!7L zfpawEhAhYggN6~e{!GHbGZt;U;9z073T#!gRCNsNGL$wM>tlm2bp(R0%Bm6hexsVk=hr- z(w&ewLf0EK&6m81;_yiaM@2D-e$yvE=*Ca!#P3@6OWUVE!SD~(Or~3!{7j-OcmCF7 z&&U&{6a#bBae26ZI6&vW)FNGWHWH^q)ZZmG$H9td3Vwkni*Rn%@vPUq=6zuNf}}7k%=cw|y&qKm0yD?y^y# z8M6h9CL#XNOCA+(}EpG-qUe*l_Evt{hK6}YTY27C8yLPP~Xl>mS zVDAVs>%J=mJ@*owrei|$^ONP(O+dlm-P)|s$eVnvtB#A){_Gf@4uHPLbMeZ{rUB&Y zb@Q^&d!p+yI_;Y0^)%zExbsn{7dEr36;!7F-3siXQBx1<Zn$ zfVA_uBU{@nZmyMSfpX7pV<%o*Szo1M0kxAS@Tmn*kk>nnmX z`=?{sDKY@h_?Z2dxJjP{0jDtlYe3xQ!*v+0hu`Wn^Qx!!oCI8L_JCDj9#gX2c1Vh?{zJ!~974$|lf=;by+1Ox>EVZnJTO-0oi zbDRWnLCoCScHvwrO8X*x849?KK`<7;&(QFa%F`S|5=YV3^%%&KbZLyQd{WVpm;F^i zt}v6~Imz*>L|28Imnc~xL-i;{%9x)W@tuA{IdkxE6iN_bb@sFlM^3ZlJyB)e@Fo9^ ziy6%{Q5%hkw^^_)U#^oC$tIye(PSy)S;Xrv$mL;|ZWBZzLrJ%i#dGOLzgq|9!w|PnC;kvx+)%c*TG>Arf#41d>N!A&F(sf=sF)l-wJ(;*1=6eZB=t_>ToE;RLFOs6FQ{urw){wz2rlW@3C><($`ap$r`$=<}L1G63^HpT5$(CI% zn5XjDxZ|*Y_3q(tHI-N!Mq8FWK@I>E!;=$*HAYx9Wj%d`hCXG`Q*m`pB4X5^$0Gk_ zi9JlS8=m$`t&T_OC;l&(yF*$n#7u8|!inQYG;)$=FnlK5KFeo5o0#iZ5FsOVUnN-m z%iqbi6~7|LGqp_GrWevT3>W%tz;1RHI#Of+Zg z5%EO*cWW+hDaYNLABF`NvQx~fdkUtfG|qE`&N%-1+nT4|c~hRw!IBo0LNLl0dn zE{X!ZtMzAn~1{cI`RxZjrPNWr3|%^6Wa#g+U?Urs}7gqoYJOT|hlvLe%Rb1X}d7wUSKSs9(NkOl%oyVbJn`w8%QogWJ}nG;6&t$7AVo+X-iA z>LTD2)_4hpR8@M;O(J~=t5+#fflCmVB2PnU6^MI7rAKomDo+IXS>hNN|5|$Pu0tB$ zFf9hSlVC^~?yNp_mO$n}}xIjH@{zqLOuVef~j?X`5_ch{(v2{=Rr zc|ZO0(Xqg@?KpYbth*cK*{n;`ed9PPIUK1X>j~(jV!sGY0}nSJYOf{2HH$J@Vd#!4bX}dktA=diY?9)?JI3U&UGJSkH1F zrU|aB#D4s|#P+~NN*xy8VQ0erZ7%bnb*~!-YxmK-xs~g`W{-+?8^+*t->EC2D@W*- 
zBOic%C$M?Hi`N#RYHWwS^Lm7Ohi|XM)E7|kv4hxk_2+KHy4wf$p1xs9fiX7;c!9(? zlVj+jE^NK)1eCOuxE6nEp;o7JumPo**J*cU6|{P|o?PsfgMp_hZJpo%65bxmBSCbb zmmWdqi+fJft9!>s?uU@|7>Sa&!O_R>Ol=D}yh4a$nRP<1qP3_KRgEoGZGQ-Nj}MQl z+xmWo!q;VczD99h%k(+C#Ky5SU1V{pe_XEY+Q94gP9oOr+zTHNrRJLUdcW?F`Ei{9 zmu5FRH#e=@htTW=?l#l`+#h|>;N2#0|KGKDS|JEnH0mkuMG=j?Vwo4G5G)Ep=aAmR zh{*M%>mr%y1A8ApPMgUJ!2M!Ta^XqYI?>~>k9k1F-?YFBsS;pfP6fQoXWN$;C=`D) z0+Qsft!4|-Ma8kNdO{XfgQ`aa1#xIo(1P69Ry~Fr7Eg&W3A(Ey+j7z~>UuTN1b?A6 z#D^bE)kUo=Iu>sN??TPL4B2T|+^MicJUH|vRhFhCFc>8-FNC><*qhyJtAsy_7Ld{g z1nO9)7iQK!O6zB?HWCUd=uBQrpW{;UQ)%lvino2TL^ShQwRJ|oIIxF}aTRJ}} zym+~2N)q)-+CHgGYmpPR?Q!sUB!|)7ncL!|R3Qg3?t1{e2h}g@F~-srjg`&dUxK&TiWek{{RpSDUybP=UK>X#lH^tzM8 z=j29gNRa%{$uN}TUo91^ap?hl2#`zYkkquBG8F~PifT8qjOe80gi>5Z_{u*M6Ly;lOnAgbWz#5b zcl;Rb+*Af=n^G98TH#NiZln^W8D!f^HMOj0%PDa#Iat+hIy^$QFzv_I<(7PlWtYt0 zfl0@jcpMCWTT8>PB^OVhsK9XT9_#Z1-OvdYwP1UksFqAi?Q-*zLDh+w2_^YgXo`znbGVjnHAK8KErzDgbu#|p-_*k6g;x`NvCXr_Al<>0LbA= zlSmtcHaZu02~G;S<1zSoKd_7>P0%*jy2CP~?b@RT1VnWtNfCHB1 z-{BZepk2EHMHn4*<++(d(oD%G$;4lF!crOybky+c^-GS3L#UgCddXY{I68>iNYZtM z&g}fFbRqRh!FpKMoH0y0=dj%Q6%8x-XjmMi_!FMLXa-_Qq0ea2;hhnV6LBL;alAE| z_t%vqVj)e*;rzl_ydvGs ze|^`EonA)JeHt`eVNPCb+*xt;r+}%~V_m|&uB;KAwp@^laNKiRFh10e#*(xZ$U=!% zisT+iB>UmeaYB#SAy=p?i%!G(+e3{1ELb2+%mAn;`P*t&-45$@(y#P&)Ek5@uLzv$ ztHpV>N{0s938G?PXK;};d7fzt>J4nCrju}Mj^}erm}z~nUe5BwJU&3tA?`H9ba1TI zg2$;Iq{I{tw`9OFni0rWDDu_28tn+b9vpHB%j`zhGS}O+U&e%D!uYnZpcz#hkdLz@ z+Z*W`KKn_L?fvraL!wc>i^VhpM}4W%>tW!-rS?!HZKqUHN<^a35v8y&2OJUw^h$r! zI$Mn=;$puheMC#4LIw;GH?FL6^Um@Y9>M-14t5LA;qia3YFrLq4Gu)u*eute_)YL% z3sVU7>Trr^ddAP9~ zy*1j-1^E!O8+F^bLO}b?|8(Ejz5b|WzzJ!NY zdOGC$G|GQ5RI}7o#lkx!TU|ezr1NgW0@&EmP`jzz*C6w@dQZC{J3g%R((7K|G-#H! zu2tA=o5?0Y(^>)EnmA|mElx2v&YJq&+5fe8xj1tA+3PwGt9vAX#hO{oJH*ext0w|;iQgk@X_rZ9@2$>b zs~H+-Tdz+zZXU<)8b4`Sqrpt;zk~%plzyj_?V{8X<-Pz}rZKDZea4(GU^T9K9spC! 
zp4TAztNLR~zf8d9Yr@NM2PihZ=@`p>J4eXR_^KLf*H?_+1hfdSkLCFW%9c1L@h59t zP~RkD_ThgH9WnR5Ut7nse~kA%SQ6H{3S>kBUeq%7dNjBq`Yr+DYy@srWbOa@&iS-` zThH~-Bsa4cu6PG@MbR3#W6x{bI4oAV>wz~w<_xksA4vxf8Wk6j)|cNeTJ?nU?m(t) z?@NYhc1^p#6n*Po5P7@rr!fpb;qdC)K3a$rLRGyEgP36FN2d<-x|h@OzddU^o_C@; z*{Q-v+egt@czwTbAHA+ZbliEZy!#fz-B zpP)P792IZgeI9OJd@}44nJ_8MSlD`28)=q^irN@`yyE@|6;a`R}ws3pc0Wa=@7uQWVtqyom``$B5@X9&PZDm zj{6FfWZIYF-I0!JOgZylK>0!#kkC_Yfv+Fr${|-bT`3|TMjkkIU!nSIP!r={BnzV2 zA1bW&FSu3=$Ejf ztGKyyc@FT^nJ%QuR$@)>&p5J%DL08)38k=c9IGy$ZrPJz_))n@qKFGOCqqaS0h)F2 zDT4`{ZLcQqk+4Thn30xTGp{Crs#>r`The5)pip|0?-L0~FoR0EeBc5v6D7H1*q|wq z7~KIHtFM|+chULAJz~km_;V6O>#yM$n4i}$-V>Rc<%rJ?e|k6lU=%U=O@K0Yp=yE3 zFymzQ7qvV!a4lc1Fe&7bG;ME^d`(W(*>*|#ND$eX_NF=b$&j@qk%aJ8FXRDEIol4^ zMPly)BSE#wX7Ci(NO~N9(T9IMoJA_X9l*7BD;$rX+r z+p1rcGDLJFSa}wUYFTQONI^o%aYk%0|F5zvi&MAl-hF!>URQorfKCaf|C%e~gI7g8 zuJ)a_Z}I&B-B`v@xJsyFcMKb1Q9r5!t5!Xhd?zOxPMI}Zk$zoSNQI31Cn~2Rh=Jnj zagk8swx#9Q*r~4{eL%oHu7SapP z8NozD7jCw2O0@oq*~VU}9xhf`dxWc1uANFK_cG#7xeoy6t5veLz; zIM~pX44^rSnWwOdSz@s!b`?zs+SJm zm#fEfGO%@o&N#+RQbR8ToK|@DV<)xbWfb6&0+Dr{nTVv)kni);KT|X!reHcWVe(9g zF)1TOQX}8OIj}>oPlTHoirVcXg)n%^SKjOT<3{h0vx=3c*M@UU?024~-8njDuQGL! 
zScGC)cZiT3@VRRKtkCb0=kC&F)pELY+6-mXlVxd@E@ijF^}PD5PWOU4&MU*+Q}m1^ zlx-EHzY7S6+}Cm3uqtW1s(Ty5YJY`%oGtX;la-`k9&h^5keuzlkJa-2?o$b*B|)Tk z)9&W0P3G^-z0Nplp{-dv)^>?G`W1 z)^V$=1YqysvV_bd)a&SJJnCg`)6U~?a?u4BR?{^SlEz$O`+SD9eD%EJC(Ebnk;14k zaqV$G?S9j1){?~femdF2818=LRdpSl>pf5_3=8(xvmfZp3%1E%G>Zh z1CjNeMO{PD%3N&mZqi@Ag1%YX1J_CHs{zNDUOfnq|M~qjE_dNG-YxjIA@u1@(Bh@K zA*fKNZ5yEB=ULcwVf3$8*0y2)V!XSg)-k?{)$eHHL6KK_8u)Tng6>z%<$j!SV@Ge> z@q}B|%UJWF$_p4YoAa$~M;BtLc}VhV{ZnuonbGMtQ8u&XG)F3|dlATs_PxIAtj?hG z*?r93@yM#FwTrWD;kblXL;F3aPsnA<>cwCU^zNj~D_Z^Mnvk{5_b@<~{2$SGvZnCn zw@%*oIr>q(HUZC5XI|zmP~oioT=!c8bDe-*7j44=iELe~>Em^npWn+j^sJwG9XFUi z!+#2Ra%yLRMro&*8sBWAdcgmrFH)Xz>+Zm&Z(yiZzbr_^TpFbKRwj8!Lk9A*`M}EC z07+U@EG)0RffOGgo-J~ts#t~DkwY&-(f6O47~r#iuzlMYMy5P99?;6h{>100!IhFo zk6)vCsALhsSEZ~YbHZ`&A$)!$V{`nmzh*^WSIg7?5;%2KA1_zZC8M(k!%Di^^5;>eOIQ}efB^^jB(tipPqH|oI z=ZqvQg{!5F5K1!ffF~_s@RXy^CutQxaQ5I*mLAw?KY+zCq@vo(KUYuz!k}Qg=4nE_ z8{?v!h>RQqk4{ji&rDj_QN`n~X8tCDgp zo{g!|Votpy8Zl$4%U!P)|4uXTUGql}a$e)6kjptsG+1Eqj88CYnNN9q=GIC6REY*V zJm?Z;ThBz&NwX0&T_D<(ut;Ls_=F+eAtXj?D3oR;ixb*n1ZNVID9{`wK>^=*B*p+c zTrbT!!qEwL^b;2u(tFfdOqEheeuQSNMu_t6j`PI3l&pvF2ffbk8)orXr>O7DCCD$s z;PcNJ8^PA%{2W@vV6?#angN4IIn%zaG#MUoOr==~lXPtXYsos!Lx>|C%ZadF9^*v$ z1;aUYq!K$zQY9DOEIFGW4X6zQ-@MwdRMucFeE?Fx{r?ki+k`+}Xtm>C?XSqAOpJ(? zFF(1eQZI&MWE$~PyGmh`A}JSqc8ek==5uPQO$~g(FRB06e*~A5kU)BZfQH(b!4o*L z?+Vj@X_sk|wOvUiamSIH!rXGQHexrAH;qjny}6f;Ls?VB<)p%}Mz$%mcwVGCz+2on zf^OnJ^WAenX``cHP9S+3)>CDEREY>Ze175~Fw-{3 zN!N;;2+2^<5l% z^+j-W)Z?11g;U=2$U_K$ozNa~&N<2=C|OQ@^d>a+q!ntk+qgEy8He$z4u))>$YE~~ z98)YUGIB}pZEc3*ta$|YQs91-Mjj<=xf&Zy1cgh7#T$vKj~0^hOh2@Hhak~D(|h@s zdL_*f5{A$VmTEiy;@PF+Jqtfaq*yyVz??H5OFd@y)RrxVu39D?%rWFekZQre1jZts6`(vEV)<1$CH+u@b%arb zcQuV7VDjkFiGi#xYT7?UuK0^t^5;XYd+!)E6(0SQXl$!=RCs~`p*osz(Zp=CT+8E( z{}$kl1p-n5BtkANHwX5?ySn&rK1RDufMC<8z6bPAXDjNDFtO! 
zr-HYW`NyuN3Y=QLdmQH#=#G7>Ea9g6MAquZ!3x@Gf%ZIzM7pdFo0nQ8O1E9|UrWqW zf6iE1hY7H$PIuUw{Nq9qYi1=+6WD4X%y(d;^zy>=ekB_#=v6^Ij2az7ChUW=|91Y- z+CF7ACe(Y)E}L6FTmhf^T!te&E8Gi$ctio_=Pa-OT7BhxMKk=@{m>zttU~Yps0O|# zcWo+D0*;5wv^&^s$1Mtdj_(TR>cE8E+QMw#Lzd_1@fjbx!*1~C=#8Hz@QjhE&uV`o z#_#Tly35vi_I5B<-{Y_+h$pEn>$`P`+A1(e|J!jPb?uiOiaJiX=T&oN&j+6GN6pX? zAU4Z3yqgZ299*!IFmT-S*`V>?qvE@X=}W`UolZ_ZFT*$ZtY^u~(r00>v)UjQuT$Fj zOgx)ib>6paLk+bxEkMSYeYXjCgMX^dbB15hyLoo;=Ow9yxxTZdTP$b-Fm~fO1ai0S z`0Ln2hEHjp{G?lAflKEKq~+0b$!iM!<>mp*?(2_oTiLMl5`4a-o=Wzbo;zmh{M%iF zwD#TW%2n@rNVvM`U^T7nSoh6F-k9Op_GRA{y-whu!v~@y8L81AU}Ci#OPsRx{%v~G z$B<*q^YH*<+xHXgjD+`K@E41~W*@WHWC{9Elu++Lk>G16Y186&NHF3kd%cd;=cXkp zuV-kehIcsAb^F{o<{Z`fGM3bFjRam`!Dp|rkI&lMaqf&rxa*H^lwjQJ(f;#BUbgp> zzL!8(WRLn&c-+bh(z169nDqesd?C!1nXV582)2NS{rK6%3w>Q4cju*Nze%4W6%;Q+ zh^52!Ti~Byh;hS*Ns{4fGrp#Z6@-}<0((ccaB;uD77^uCw;9Ueh!8%_A=z)pA7o;xYQ&tn{PAdB~W5vB1M=4=gENSLktx6uO3=k1DQ|WLTq5nfp zF|mhnef&TZi1;Zx(BZXhLSqytA zQp??h?RP^|yFArFI%%QKk1!Nn{(_ZGu@-J|E=sF55A4Fv%kx=C6=5axO~vN|6y-k8G4QLK*FVU{Q|RP1JmXyAYm**pL-f zU;n?7)>1fvML*WB#5rkNo1!<1vQmmi+yEA9gealK46aG4*59l zLA2Jj`jCp(Fh+e5s&-DHbu-p)VHtjo@@DB&;?+qRDRu86RNf!C)!b26C~DG=k)-kd z2is72SElEvGoOY;Q)u4Z5|@yb7Z_Ig-3+(doLI2p(j<~Zg1C&#r)s>b$6cKGG^!u` zW7m$8*g&&lg!+)+ar}G2H8Kf z{^PjZQtL9PSoBlu|D5>$afk$+Iek^*F*-_^V8il$}=b@4hwB1`TWACrV8eG;mD=zjIkQ2 zTJNb|$FuFE@Yj}^MTA*tk@-~Wj(pH>y&@ZpTNmLVI(=?uV5hD`yBk-fOion=+18$F zdK8(DXj`bqp;8)aa!=*sp`QD5Sd8`?CDfQgzIbU+U?$&NU+s_T-ogr`CvtSxAYM;8 z9mp=~@9x`)juHFB)V5=}GE0KZ_x*ON5LjA{Ahb`Q2&&_iQ4fhha(z7G>dVKOz?efM ztBj$^6n;(FH3IGo`_%$Dg_z)6%0H5TFuT=3QOIKS1LaLQ+ z*nSTT?^{GuHX=@7D0e7*Hmy)5bBjd5bO_%fLoz`n*Il$o`D)s)8Dpm&>ngJA3|Z=> zH#j8?kGMt1v;ZQ+s#9;L>P1YOigI-idK!{anJJ{8YcCUrjB<*qF{(p67V&D>rRRCl zt=p8ks81}YaBtPx%iRovF}PZSH?Xk+JiF+^OzS_N>U++QfXLBI;ZW8Z0$U4_vpMY; zYXT3ct}wB!ap}UBk?6Qi@0|KD+b|WF%#1UX3p?1bh2{B{f;sLT8A zIF|3qb9_gWwRd}ABJ2JM75M;7+*WTN69FUFY4O8?k-;2#U!1II&O#W8JsjmO{pkoC8L-^Z~xtj5Fk#pac zw3F}iiSezTzBaG|-axPEbxOjw_Y#^FSK(!7;g40@?*^@(0^A4XGj5O!Jziaw4*%_^ 
z%APSET4JX=b$6c~b`5-8=iN{U!-B2-dO`SgK)LKYsJ8vu{7h^3;&=uRZ4L*FlI^lv z7c1yC%kGXl=kZPZcpG)+`&H6jf8Lc(w474FWu+cs*R&vW?Vx4AjgXI-P0b850e=jO|ju=nmZv%8}e+|5(=D-6In z70@lT*SdEUoOTEH(gz25`+&)aGa<9B1Z1|QrHhK$hbTBopZdS(Fi!R}pJ7)&qTQ{tAX}M!o>7{1kC>AC04zq#chn({#2`c=E?JT-O4(7O zQ^1s7PQl<5g%$nM)RU>GnP3X)P~kp}b$Tz*x2Jt;D0f}_G{L5DXySB)BT$YD7pKWNS5e5Z(F%PIMab)&dyqG-F zB)LWxto_!(po~n=#i#ao8BI$z6r|RaJn`UU8u1SN-P_Dhbz*w9>GUa+ zNxyVv`BD?Uc9C|lUHF|=WEzM*8i-vgO{n$RMjZLA6(7W{`r#hB{f8eO|LzwoLrt3U zqx+IS$ya)r^4Aw)dgSL$oaHp@2da-2LWdlR9<##rfj}xv$FK-V&Q0bYnw*3t#omE+ z;dIMqKm3!I4x~5|O9J+T3AlrbxoiCKo1^p5(5)!Dm{U1xlO|(AY=nj+rGG{?kTB&D zrpjwRQ{=vpBpVk$AbD_pePs_gZX6-v1IwL}s0T9=0x#b)wi**~x& zi&VX>I;&_Q(#UL-3)Pa^MoLBN4j5#HlIUytdP6Upb!wRv71e|i)k@jd7PoG)q{(kB zc@GH2#hY;>yQ#HbW&2yW+^}O%k6aPuY(2qQZs6r}gG&@USbXb>vQtn!# zM0W}afAsp^RZaG%c1cchlT9GI1EanAqzQ5irNbnAW~|y{kAkp?Rh9TpDun0N+D8;m&D?tOo#5#?T4P8Y2&pHdY}8~D&bK$lkK=5mSvYDnZp zYbBZ61)#q^z#%`yFi)`?z--8Np77PSl!@|Sxmr`^(|JtrWLwjf_!KrtX(doyiF`wX zg>{plOi^vo%<7(C!paC`O}?`TDG)|Yc2cT1C|_Og3)FS-1`537+8DibqDvtV(+?0~pxFOdvGTwl3jb-pE3}H-5Gxi1 zrV^(7o}-2D8$1ZYHVrjY$|kQLhG?E7G?bmq-X7!?bQ{3yAg{MGQG4*pznb-T^gk}^ zVM0^HvP_Y4A^KW(rPgtKIN&2iU*D%!MuU1fmw#UN1_3!l2})R z{yNv4Gs0f@I)v)-na=Xi>iXWgDiZsQCX%7Njnw||b>FdD)34uEr+t6GcwS0s)AL@B zyP?mewrQ;L*;Z?qdg?MMn|dOxZ8`1zIrCSIXU8V-23e4+N9^}bKEoF3jg@=Rs~3V84}g{c)x71 zCvkiZGsm{uaJgs^I5+q6t!|s8X%l|u>0KW4<9ka#$m{<1T=&aeI4C8y{p4hd>}7mm zV!f#rJOzl#cKMqtw<$oUQrx0T%dB61;ygSKI=(%+1T& z^F73!b(z<0?HKlD+5F1|U1ucp+Vs(`0rx82(S0a;Zf?*W+5qkZg%`VyXpM+nux*DV z?~jE=iU!_~D?57UqIdfwBR;9#mi=4Ff7w0m>K;4hN@M=_+}YzD{R8!bv*!cw-4YxD z&Od6MfslE?(g@0?T#sGiNyzmdCq&O+b_msZDHOI7EkcGF^Az?eZ!+*DZtMt_M{Qb}|r>f6hqTpD~!BpR=if^^kG zi-@I8$5(mitHJ)Td6^stI!K4Uei`2~P9~`STccCaW&c3b?{7I|oj#dEGGH>VXQ(Sa zSLW!vU@CtE+f$Oz*iULz^Kdv*jW!e8i8%%1i8V&+PD!SS2*EpH^N1Lp`1}F$Ug%U0 zxSr_L$tXR5J}jYL?7g0hX%NEOuAud{>)O`$wW5oK^)b*}_nhQHa)N`Wz6d{Ea#;zk z8WdfHkmzOY4;om8?fwGoMp0?;uQM(W>RlJ5UzjFORCKHM00ZK;ONE;gPMP%RY{tpB z+}I8#{IGEdeoCfFcefc2+7S<|F=HctC2%}%!&?{En|e*io_3tCpZZR| 
zF?aOIZxIi-;RF5-l$b!`y4mwtWtfW=$~-Aq*4!I5wz5ZcLRIZ6V^M&T)qRZbu0*vb z2GxKOAug~U`qaB|X!Srqim!Md!hkg(7;xMegnz6~DhH4+)3Y5SEF@HN5w0?%)DLM{ zc7_{of3eHw!!XAQ@Fz+&^km0DO-h0xCMt3&Gf~rBmMs-4rsKilzhL-Lq)f?OkS^0; z!fA>X!lX<;;O~#)LA}XvgzPy(awk(`n8>A7icj%HI-B;`b&DswxHxP5)#ChL^9MOe zM26}L!Lt}eB9w5UcJlbqyEZ4vn`hM+V*16NK6oD-4X^uT};@b6s+ z<)r-R_~xUD?cI;c?JH`%j0U0vdCj17<1zO{Vj}URll+;5LTAOJ1FNBNXa<4$*kkz? z$wESgBKvykFAh56@Tos|CoXL~kGtuHr|M#L5dqetDh(`1qQvHriSb8gP+NJC=*8^h zN)C(FRx#BoV$#w)m7>DL=2D)E9R7#|Z3J75zp^nEGE22Wn0s(!k0RKY?|*z`*$zRq4=9DRoNnL{s8gx+gpTM$sxc=!F$eBa*hEw&p!76y3L->sbeAoAo2b>19d<>2G z32)kp#=1fCq3ts=l%_SpG8PuNwG{vh@_wDV?X?U^#1*~O)U!kreEDKiq zRXYtdY)0Tax!I`UgTq=IWGZ9U0S3lOc0Ho41#&U61wIuLSQ8LBDNS@)%ase|N~=VR zT?;{$7~ALZE)|WcCDX6#pG#6Jk~cW$(+yh&=xum%YUqAfuou&CQ@GK^k`iG?iO6S? zJid(AK575(Z&V|UqY+m-PY;B5)<;%ozN!Fu>(c)kafGw}ca^FhF)}(|2h?>+);Q`s zT+8a!bLLuuTTa-29u!hZqX{&G9rRzqGHo&SAWokZoy5OVt^cC&gbZh>MiOQjyWO5e z4$>tj(iUG7A(BPHon`+z`&3{jIqFPoulRkg86fw6B@X;uiI}D@>LV%L7yR7D(Yr5v zQtL7So%J^M9u}xpQ-%`OaUJ8D+hOjmDnWXxnhmDTIoKVixx;o<8^9%cK>C~ zym?q=eb|Nxwhcw)**GrGRS+~?3j+&nWBE6B{YE44h+UQwo&`KcxclCL(`7;%56#=T zdaP})9e(;|n{j^SbDxHTGST`TySEw5Rji41*sg7eEtx=vqMKuQde3ipc{zaltSN=U zE8lN7g=^OW-m4R1BnurM0?!fLJL~qVqC^6Gpy)qW%=+m-?SHKHb!!_>w>mG|EPqTc zTz7o0qr+a%<9u#w%93vKnvwd()UKup{>c(ucWhZV@gCxB8i(@Ps~`V!ulZrWYHuOr zi~6(1WeG60^?Dp|bX@|nv8!tXAX{CHo9@hYZ&mhn9B1@z1?3NE=tc;1MG2c;*5BDq z>GO2&&u@UHvRiEt{pk6vyQT|Y=49T#&Aso{W|`Igft;4v0S{!zO6t5nZM=R3?sQnY z#CdhPeSco8s;YB+{L!<@cv(GFJ3z#m`&#r?)pkHs{p)JZ$EAT%EJ5#MV7J=UKn%l4 zhqWgOPTzyg5hS`kEEHGMH<0DWxAHM@Pb&-vZlQK#=JUFi1n4XB&h3cg|mHZsDF3TFQO(VSpt}5>MT_1g)Ss@jE-~Nu3chh&#jm)a=b2TE|>Am*LDeoqz z)@HX!(F^b)_}o^P@xJi1dDS$mpl;arjh55_%wOm2=IIs_lecl%5xb=?G5&ry0haJ^Rg4rRSZY$iVpRJfN4#nTNUZ7xJkg5RM#*0N1b*v5?8~r)KjGW%z(w?IP6#HprTjtibdx?jeOFtNNdr}E)zsi z5d(ZxWk0#l)i!|@*{O_)3EvPbqKXKG7T$gmqW);oeaJc!nvIqtB;&S~ zgmP_5oHKF3ikOK{=n?~5mjIFa0q1dGMP0C&E+tTXU zKycn~=FZx(5nZ_DDm`U9_}g^5mOZG7?rrslQd+ucIX0ihRdgURPkm59gQVIaMym5V3AulaUz57}qLPh^Ata)O91qwn#md 
z_-vq++#})O8;+_1J{0C!QMoc)RH|J=*U$-x7p0=sDXtZCnT<3bk^f!;JoZa!8tMxKov4 z8~Y(jCqF`g@;LfMyA+g~${v~`?!YYFY&UFTddFie|tYa3XruE=Uyp{P>FZs#?gQlc$pZH0mKiev~?7WL+ znKWlH%!HW{2jq+osvSDkXL^Vr5)gvu;xqCF0%^UP_! zDAc|OGO^b;NBviOMclC68?5^*)4khfp`^PvVr`5oyi|66M zc4u=A^p5;9*{oOh`{T5Eaf>;zUpX(4fLTRRs)tXW`)d}No$nic`zCE(T`MSPP4JI; znn2UbRzjCjShY5A9qDKF{aVSfKWmK#8+bAi_^uG|>j3C3gLn4xSnEzYc2(Tk^ER~E z@wnXj?XYF~U9b@tX1@2-lc%rpK7qVWyTf}-wI2q8ft(iyUy}y)^|oBO%?Y#}AbUY> zffwxSdZ(en^gZ#NuXer%O})KUuf=(rAGFOTrrP)r_qI)*SUX4M^gSRkqLb0FKK-i@ z_8Y@B*r;w^^3*n(({a~!s@exsouc#HQZ#D2R7!^Frf#g!xhI zK+04twEJ+8l4sf6$4SF8r)MFlweKcd-hJ!(!(5~NWUxxMt+wqP`lqh-$Ke>6KEm6v z%Hw(84sZkRr-P2)Qhw$!Cu=Kbc|7?o&%kmLRHCPkEpDl5e zRJnH`Y#fsI_`QieZ&f1FDv^~lA2#BWcOWiTCH_LrFj}EqBT$#V;&%EZYT9_ZAPce~#zU274b5!A7 zAZ6${NHe*-{N|hj2m8BM!(jL|Z}QKnDD32DSK*EWbFpNrW5hs&TkB@nm`Ur2wHjJ; zl_eL=z2;hm3nNyIE?}h)MBt){|P%bAcr%lZ-?owytnTx}{ zKUB?Z9&*g2h&WNgW{X;oDI_8>KM=OTH7&3f<2|S(N$PIEmY$XnKll~P{9pEj>9PzAf}usaNXyhQF-lg0~* zfG*vp8nG!tMN&P2M@aALEZQD1Ci%QLwxL$WLl*G_>of=`YS0>{vAt3ylRFrRBM%64 zzc!8FD^*zMC5qX}pL(}WznC2MtfFRb(lT*kWhKaQ4nejWJP{2BHRBTF8X;}f?ka=0 zW@^1M?CTXFB{9DHm+^=Ridqa+8OcyHP9xx?%C-{jghdGEwwW!2H>{(jlzdH7Y)b-I*&K2&ZAiURQ%Nr!cBuE7AZ$0poIzLYL6n;Pk#4|?ggwYB!9(6W4~E{nx7TDssmr?rvt#g9tB$L`|^|)9UM0Vtf{T^3-AAmib+i6 z8vStobPlIdTy*9Op0$jT9kyCAWP(A7I#Xsx%P8C&h!JPxn9M1a;l*6hYzS-7S_Tge z@FB1`7fx&(jSa^>6;u(&{hNe}#fs}O*tHTj-o@;PN;Js&z%&kv9hV?3i#Cx2YJz;q zI0t&+rDZVTT*@>Sn_mUJs}{vJWY)@|_Gw6G;|#MUT9S+N%xzm8ac|H%KQ#Uw-}}pQ zD$nc7(CGUtQ@~#O%vd;ts1@Uo{prKYa(rGQvc}R)Y$! 
zyu>`R;C!_p{n{l+HuE5HnO?F<2WPWI=;ky5-J6;sRLrC!g(tgGNBg|at2(_@TdJ;^ zvMw1ouf}34`X2xS2`Lcgws?ew%U*TfMRN1M^co*m&H9`{4s{CZoIOpYtqnqLI_wY=>Zdtp`B-1N znN2^?^Z3|#?f4X5dcD_^R|@vXUjr=6$Aw8QKliJ2Ki8J+Io-o8Z)+zvhMZqJ4!b^CM}V8 z-%gZp?LN<aKcOrRfUE?^{+If>h5 zeYr}IZew%>u!t)F*#68ewR4)Ht<)}0=JlLq%-(iIbr?5eo=W-b<>Qa(KkB-itPG#F zu9er{0~Wwva|`R4k8d`wR5!#6ba>8imu7bbn?7$or=eqPAC<%tmeC;5JD7RxS_UuK zPvfni@dM@4(nUW%@_iHC5zb{BRf0S&(JJU-cI3 zxhr_#NxIX{PK7^JMHaMp1Q=E1)QGF}#Hpbbu_Hw*5(7LI8&uV$Zd-n#GC(*hdKo$C zL@G@bWKli`SVb~<6-r91#*{oGI0^_OD2{2mv}48PvGqWtiLQ}ZC5UH*k@%)*5?k`0 zLZgmK#4Wz!L;X^h3bYlvgj0}%m*p?(Fh6A z#W-;*l5&A1Rh)U~q@;w=M|0WasK&aqt8r1ZQ`Vah6Y>i=J+LD~jG;iM%<~7KWSSHN zaYzUyOXZ236P7>tKlp!+J_{utE@~lU|E%RJOi0XV{yB$A74p*!>a~HtM!~G;+9*x~ z`s2`)BGQsh)z)=6dk^4RvuH8N+y&1$NzC_YQ7#7hVnQO72vE_hHzptvT5!gt^c;V1 zSZeP_DZ?;yqe2`)UmfH4n~`Zt#1V%ldXNUa;8ip;jglGNzM9Y~!%Ii?!2VgrLU3GD zVJkUJwBC32N)orUk9~*`iMG>dcQs9=DH2Ugv-}Qn0B z!C-1tP#ZK;?)E|y++yRoCti^IK7dKVEWI*_raNVNE0lB4|pjJl=K3AnCB*?cfU`6 zv#z8vg}PFOUVbr1CkW9ZRBwvFxWVu)H!KZo-N5q!Bb@q01OlsyMxm1^izbqB({YkS zU#e6yLTC&Mtc9nq1{&;Tne}4%qE55k;(`z(*7xa_PPmf^e950o^tkBjfD~3ZTkJ$d zTuqcG{t%neWW4mpFD5SYn!jOnJC2jX?qwoFD!Cjv;hQWPAi*Td@&S&bb-PmLN-|Gj z`3B!|9l2;7y#ON-s3@`WSX-irkQLh==thZ!NwCym{RKn$Ar`v&tB!SnVgPum9GA+L z6**3z;}*3P73qtI^bc4u3e7)UR5SR@k_&60MMaQ{d2~@FJh}*C!VWqV_o+(4)E4? 
zBrQ8}x~$kFj*Y6}q3jcI{fJd$T&0j;(VU*ANL95Rj5I8bLyLFEB1P|sEF1&(dk3@X zGutN%&an$SM`%-XVxeNY^k5>5tpv%eeQ-oW6(y;-^Jwlx))lh&ryB*eRvLs?o@p{; zCuD`}@{^f~`*-$3ZGy>IeNh2V{QqA}4wqcT$YknGmni!#ms7rro&(8Ry=@23Ih{NR#b<-nZ- z=g;Y8rkzfVZk(<2;9|fj|2hNG*G?)z_Z~mFce$58nF1B#qu)M-lxCs;7v2_HBSE(&lAg>U2f- z6^^>ihu-Z?0Q>tZ)$s*8jgxR$M_y-memN7ivEx!|Ymg_Vu>`S-{r zJJaLkWI)zmJnO#0{h+Bkh;8(${y?kv>ox^58Q|3Y9uDDd}Za| zx`{3&9a?Mq+xc(1{y9U{zQuFedI_)^t-kURCV1>()%cl&!3WmE8b139r8QmowzhiL znx6T&dR0yzb~}-Ut(Cdh@BLognb}0gx3h-3Ecx4MxufshB=}J7S-!(#3fF#~|Lss) z)4SMoC>&^c>*Sz%K-Q7$rY$HCInY!TTY1k!5<|FFly7srN>bh;X zr?aVMIZr#OJACwXJ4Lv&AHCM^>~jAB+!(Uve=RQDa+gfr>cUB_U9q#b^Hw?jinu#l zKR(Eeq#yrsjpS}3AZ(t}4WHz5Y|i9MC_Lj`&T_o970;Bzw9{yv`zYx< zH)IjyF)ytgWvMRtbat+Wp4v9^>$TZMet0w|=(l>dvp#Pa%=13GYiK))9!zoO>qcj4 zr$y$519#B^S z@$GZ$FViMxuzw=y$!kjwSXGS3l>TC?@c_P-Z@K}roTD&47K^(un9OsS>Z;VtdX4ZS zqMR~5AVQW|r?;#wbLsTdkx}O3gU%@?Ur)TT<~-j|1ht>&JEha8e&$m5gwO`q`bRte z%!|&1b?YnQ(*7Kx;F)#pq|;2J!$l_i0A318+q70uh0NaWm|31djYGi4Y)U2UQ-@q= z)$|qT<1J^&=t|v(k0+RdJo&#~bK8|HHdV>-&Zxv`Q+)0_#mLp4Rxfyx0;kE)2Pc4h z=B8gwhOB6?s9@JEEJr7kFj2W?^FIVY$6R?)ekxhksFJIIE87IoDkjlzg=k{EwdHwi z=8&n2dxJ3>R=`u0Zso}17O?vEp!t^gFK4Tu?3av(1qj;xTi{h;YLiHkFF4qmiJym< z38gKb$Jm+hMKj1>D;IiItPY)Z`gu;=ok+%&c#o(R$5#=leAy%< z6Xv&Ck|>D-x2K~)8B)tQbRHnYm;6K2AfqfO785QWLr$$dR`q&$1zcCaSe1z;l0=E& zdtK$#ZzcR9muBcv&-Y1}OVv;#tJa!KAsYZh!&=Ig*;Ftk0}dYTZ=dnfZB(7Yw^XZmqyrSiW@N0Ep9LCPgTB+=Q zD&Z3_aONQ%CSv4}G&<{BdVsG45zmEjn`WJ3u}DbJ1~Gng{5y8{0XHh-o2tRCLV4aV zH8(AJ%4PKTn+3OEl~J;~^O~JFZgpjqA=8B&>^D%dsApNmiooso4w-}Bp+X8@ghB;b zh|xu!H4;=sIKuWIwYd}tDF3;*1A%5A??hA-343MZ2jL|2uQCGil% z1MX!oQ0|JD?n3Fl@KXkZY$8f5hqV6H3Zlt9XEw=eWIxELDx2xvbtX&T^@mxJT8ftl zrngd=xb5(P5wmk6d`YuTRrU#Kdyvi`b)9Vb4?V-SJiR^b0v6U>*|^KZ63LWnRtCak z*gh2*bW%xyceS>W!gpm58=ate2l8xcB{0qhY2UdaCe!wfVZ*$26o`)LL!2DB=7kT9 z%GxW1!C#7Er=c80kr-HIiw<1I9=7=mRb)zZg+F4~$#;J4?u~@VG>zmY+^idg<6HTl z(v1}DK^f9ZG=V8Yq58ACsLMc%_^>^YWinP;q9dK0$;4@&SZ z-nuTyu~Oi1`1Y)&e)*!REPB@mn{Tf8#~Jh{D0G1%Z?sS*4Yx9`BPKfJ6&2{#=hQN2 
zO%*almNB!269q;JImOXCla~IJWy&C{YUO?GoY0gTdPFL zv0%(O`-F#(fgFPhj!cL!>j>723$2mB1X3}KT7)L23as`I7HH09+sb*u1|s`b6UE1U^?reE;=b1PKm%L!ALEGKL)D1Tb>G zp!|TXUr@o_V2}J1p!--+B!3(g&j3?8UdQETguolmmqgs|hROE<$ZMcgxNdVReyaO$ z89&d(-c%yr`yK+lo?}PHLKyio;AwSD!txR6t7dXqefw(v3Td;B-QjI`H`7j>*^k_-!-q{tSI*S9rUz% zZp`Qak6a=rpEo~prlViR`3UV?W@oqbUlDxt{7hb*>LNQ{e%xG;G2`E%3VQARwG5?w zUIPp|oKLK)eG-H5HGgz+%bWF1yH;OTJk7hm)7Q>kXMq6UCSEe{*}&A&oSui} z(_#(=nepAvL;|)h{qwU%H~x-WYZJJ={454O^|u4u)X%EAuh1@9-^ePp3AR-=_*X3zG9uX*u)*X zcldY?JMoh{zc!Y?tI|?4AnXe40d&`!?QE~m&18SKCi)3pZZ`WO=8?8;lE*LjCF*8qfLE{gdBSO)FR>5!y~175{m-h-t0cn9 zoXWp6HyWl7<(JtlyUn9}q3i%xP_Xs&Q1(h!D1ZJp%ddjRcxplq2$$8iy?N@*j_1K- zhhV%Dd><~C7d2*nUA|9~n-^tj`Dvj6op@0K2eCXT~t1C`A%ioS+n zIp{d0ay0{|RY}w&z-+S7VgELxQMXVXzrlaIZGuRn-ep&is7BS|WRk|la%N_|n^nX_ zYt{uLzj|zUoVCS!NeoKODzAx)hR_Dz3{p;i^@oKnW@-^*stfC!CHAms{^6-eAGeU5 zrz-SjUZ!y$h3Cv8kNOe8;0kJuAK;RJsBgcFTlvc(&1}H}Y3%3mL8HI^P+)EHxW6TI zVNj5IV|^=$?j$*SjlMjnoN)|+9}WABxC=!YA~gj^Tx|ytc<1*Nwv6+v5MwS}PUe|` z?(nGK=7EaQNk7e^#OY-yY)zz&?hGdij-dxRxG0%2U{Blu zbp|eqF7)k*eJh7IchZxc9 z8nY6GWTt|l9=6=9OAzh$u#-yY2;%{CF^?}|Sjw;&`1N27bL3-fh=u7k`fOuwCDI90 z6$OJbk`1;0gkm(SxgCPyFTkS~%m!~QdhW*|x|lFvBx4KNMm^imt@foP%y^_`7`ld= zf@mcw5L`g~6Y?w)+BG{lb2ka*MvgpLf62K063xRgjC<-4(OFO;R<0!X#M74{3vVbp z;OHvb^V+r@b%}y2w=uCqXf1Dq;xKk#hzZPSE5Jat({#$0Y%(TO;;m_;IPUh=1!nu% zweeD9Z7F{cEdP&O4yKiIzg?$GW1LtAza|5AD8h}bbr~Xyd2bL#+O{7B61vF4cPnnk ziA`nFxTxjKwf7%2>kZ?U3wP8BdNymU@ZV zMU;alO8-?*f*|H#hbIOtV%1@WMJ)XtMb9Sc`Xh(6GOz*Fo$;A}4S1Zbdy*dIT%SLI z9D|!%ru8R*UWsgSWD?QvUDuOJy8=aytcJ`IjImFPy}=q*M2u&>e)z_hW_8t2!=5V? zYeW&OW80!siFwnoJtNcaBtZ+yLIT^)?SbJCT}-J{Q6LP2rPr{z@X1k#9*heosN^4E z#E-hUKk*!6u4!>&XvRWv@csUB=3_Ej4TBzyB+)9>jJ|cZEs1E%*aP1xs1G@g%4o!) 
zFT}5d;M1Z4^7MoZwtQcoRLs`wzk&J3n*p-<_l>&L@RFRQ7Js~PZD*@>w4d-Vd`J^PXK0}TIh_Z?)qpN97l%$wJWlQG%Wt-yH{0ROSq)1+ zHy^7d@zvMt-0!h9F(%Ua_#O)TiJp-7+n@H{mk6s%2^gO5CXu#HLM!_ppxOZ|x|XHE zQ)_uGvzFJ_A4{v{yfUry)ekFE;vWSs8(KZ|iyNs>S#($%$>!S)${cj?+c-M60!TK7^t5uKx=n>CMXJ(2h>!R)8cl-ljO zE+5ex?QM@T>aV>#!j1C~tk3ZQ7(DNL&&{v90ff~j)js{K?MQFyHD^)hWNz87rycc7 z>H2LC#`Qj(TYiz*_4SVZ#QL1>@ypLXR|#KW=giBSuT#YQyoZbTkYjZ16^(b1WA%gD z+3q$=i{Fws_m;ErSE-0ws=oI@_GdCRA;9ag{#x_3IytL(6bg5${h`4HqrJmpo;(rV z)7{rfPkQ^wHV?Ph zZh^vwNy)gO$$HQi$^>oqvxRi2w|%dB5ZCmsuUQZBt`N=KK}*|fhr37l=K8BVRG!;g zfWNnH<=3v^9qXTOapYT$ztcS+01lF=9bS%4rSBKEdOkh+b8a;MVb_EIVb^_r+wz6* zZnxuZSyFFHl_=^Elw!<>kLFRY_m?mr1<(8EeKt$QfJ_E;adB4gTHkl+B6*v#yPdKh zG*#uWAvg>#o}85cpyF5PZio_=7*m-;(b-B>v4kPotwxqTIZa|%=ZFJxz=)7nrVJCL zMk13=d(iVqPRI||T4PNHB}au|`SbW0(g!)>^QZDg6F3Ok- z7WP0xn;a=97a^n|BGBZKUHR#ZHKOhN2sm+;HHD{!)(UiUCnA1D*$~P#iZ_wDCB|{0 z3}0Gx5`>6>miFeeDHx*BlxUHt;0IW79^VhNNI#J)E0Pl|mK)HI^h;`*w+ktYdIXAj zQvrg;D#>&vsO*e5B)~3h;`La7v07^_qSh?-5wKupJQfE`9`gQNWT}I7{u;z(R|>_M zdDmzzi->WTA#8VzK5dFLh^&}U6EGp*Mbn%H7_gw>R@lF%tzSdhXLNH>PaQcb$9NRX{H$ep~bC?9(Lo)FFm&owMGpf-}t zM1$1pgc!$eE>8}YfJO@Dt-fOO<IaMlTf0iLP5h$MsNYxWgzzobAj^ZOJJ ze32*m_X9scuY5Qf`!u(<^_~95T*&-|_`(_*r^eW4Bwi%2kvDs4IYPP^V zt;`fEo^qQ~aLlg3P&8Q{5vi)XGxShglzq$c5K&Yw6!Dyz>msTF9;@45b= zJ3GhWJ0z-fLo1@Dy3Y2lO#Hr-Yf6>AS&M-H=@fW^nVFmYD&hDSp0uD4D*`5@86by{ zXF^^=Mt#VZkYkl;6y8j`qUy|Q1J^0$UoQ9sJ#s|#dnm3Ymo(T$LaxM%v;R!bH$2fl z@Od24&y;eTnaWTH1|4jSnISmj3HTZXe3`!iEk5HA zf{Us+!Dyj~nK z+%4g7c~96iQM%8tk`m@X=mGUYW_5hb7>b-QTRsyFGYXOGq98_HpeD0ujBIpAGS`NU zExU)*HyvvLwVW$S&eXC}7I4eJEmf0FoP=G;#q(6iW0ur8t(}d@hZ4?RIVpBVd@z+X z2{5y@dSl5=LmzjSlB2Y2M_Q$)_%>>4!i!s@jm-kkEn|ZN1k3>#bq`< z&Hp+3Gnv+5!T5s|sl)re$gR4;ltb;PDvYpu)pj_9`{Rw#s!^Dp@rbT{Sq}H}1M_@K zxBHU5yTGl*x!U-eD=0d;I*e z>rKCQIdmF{qqhTmwnKHk_M09>DG^>fzktL~(r?GNJv_H7VX6^M5CDehvNLYp%;yl# z^Te}O^#IH2{+HS7FTKLz{iNd083YtQLmW>f=}WpFW%|CDMN_&E8%qkucpmqv*~1S{ z{F~?W?fP{G_U8D_%CFM{mG@7c4`Faosg09YPRi_^odI3DTixv^3FFCaA8iOxI32_` 
zfBS@~`S0HDKS;m7RA=zh%O?4=82N=GrKez&Oy$SS*W&t>`{{x({{Fy3;&en3pApcO zzI~G~PBV`-FZ#N3D#YWp(p}!G>vF%@-myNv@}AfUm>9!9(N*60Q7sq`!(OS+hob~n9fDpakIGD z=O&-`D)sd^2u z%;mQAwhZv7sV_ZMq<(p7QajbRp-y z)@Xff$mauYrs7f@Jgpaz%j0{DM{o1lSBK---NUK14Nz~5eS&l!xp?~>0WoiZ?aRPm z37P+Pdvkv=hl<->dLHxFPGBkoR`+st;nTJNTlA0l`@XgAgTFq+j)S(u$}pFGZ}J|7 zAL2~fI_4XyBN9Og;DZdlS@gK5C2{CM@kc+b(TJi2M7uL38!2*?ti;l?5uE4GPGA{( zIqTDrRUJY77Bl>FCQL5C)cnHABV^8CFaJ4=pF@3jTE+a!j+xI%#!6cBsF=k|6W3V2 zYMgWZ8D&v9Thg8?f+O?WH$*Z}s+e71$gD^|E>%ssC(e@Xx6)n@K|}kb$p!Idn4XZ8 z3lT^d4F^2RAncMk+~Wu>WRC%8unN3bKSN}aY~^D0j0Dlp5bE&vfOLu3tXLjZOKJ;` znn)$HD~g<5gu8?}G9rG&0f-#d_+$^3>p0706Kzx6-Gi50W4@5Z!=O(d}|BfN^hvc(HA**&FNr-32kxnk3Z;rXG=9##Nu)=m4%k}Pk)ljLGxu#BOam{ z%Z3@JIjqqIK8e(iT9J~#ANmondC?AsN&bpV&6ELOV$BoNKK098Ma-JdH>@^WZh*zY zC7Y97=D=fWBg(Ak9}QJ);4)aFeWK|*#s0xBHrA#X+cT4A< zDVi(!tBPF?iKAY^{S!}_VN7@HGMN=F!$2Th%2~2Zycxzq=gLWwxUezo>i6sP@*@x% z25d8Bi}_;?K=yyps(reDKnd@XMDy~)GBnVgnz{5hazTdt)=nI-TBc1ST_>gIOEUJBnPvtIpRq5e^_&uxe9f_hc)q#%dtByBRBv#5b*^os(ot4XsDYgIx`B! z63I3Y#p%vf=M9{c$3(fx!x0B0xM+1$(F&wF;&mp9?4*U7@m3LKqc0>v8nw~vCrcEU z;Z^!KP>O9<$t7)aDahcf9)p=Vwp2SBHA~=QFa**jZy{^*yA1;}w7Ikumgqv+XOYmn zS5Ucw{aSNNR4Ezp0uZ#U?x}>Qro^S+>mcX?24$OxdunpFK=~)&tNm2qd-WS|#jZ(l zSHv$>ManzwUj)&HQK`|vtz6`Ek1n!Js1Bu|NUMR8eKNH`uzjKg(Y9$%XrlO9&L&I@ z&XS|_#fZFtpr0r)M~D)d;hW=H)w*bf9D43;0m`vOm${*UlZxAb7@V@kJUmszcD_Hw zzwfwobpj}M@X&$66hvzi%0O*!LfedSg>6W)Z%wxJsfRhD|K{6WsKmE%j&5}=`rA@k+7oII>?G$~ z+jv?$*UxaXJJ*vV>~`EyUP*h@3`}=zJx`o(=6wIxT&;DQ1DCaS{kHvOxyXCXX?o9| z+`11|^gi*kx<9ys$Fp%;pAlEKlgr~hg@4Gc(tAlXKlr$3P#tOI;S|%y^>r8uU-M@Z z*H=+M)oxUIH9t2N+!ndp2L#W6-f{kZ!IBly*K4VZ{>N-!veyGi>%-rze)g>l%&F;W zcTHgPlQbs2+owgU%RFJ$oB3PpCtr$b_Any4J6{it(5om;d(5TpJ@;8=Ekzvikl)kdRZJR*tXc)|im~w(533x^kMX z%e-cJw3_y{oWIk--^rof>mhh4B7DpJeDcndzRUa6R{Wx23rbzLMgMdF>4lsRRi9_? 
zkhiT}UzX-|Tz9*5e|H<;Gf~An-C_SKt>@*^+UTd;pSYZBa~TqUdQKmh-1Vuxgu!k5 zl+I6&r2DvIwM-}5Q9s02Ot;nH?R_}8smEnbc*gS5ap<~&u;y7kUrkBlHk{6G?+yF3 zro4Np{rP7)v*dZZq|)t-QygeB-?)rgUB=Ti6d}IOO~CkEL5ryWzi#e#q&L>@C+jl6 zhx*%0M(9E1WDn@y71`DWroI{6;B9A7)HWg?cMpD3?A$lS!YWS-8&V-vPj+7fJ`%d; zeiVx|QaTsF>7tl)=)r-8Im<_vd)I^Ze(Kmw^xiu6ri z>zqI>GKU6rDy1xwY^=q5kHy|fN-tN#ECYAl5fW(EW$LISF5VJUh&_V>Y4UY~Oj~TF z6z6KcN14umP-w`mz%`Q04$%0zYahS3D$sDA2=}BfTMb4ImV3W3EWf2OP512`vZ;7d(6}Jm~|m@WY$SlM=cqE9rM_-=tx6_si^<{Oc%LmWotDOf}{Yeg3?op0}q_<7hSRc)TaIfLpT#mlG}SAiu*Hm;>kBOBeU zNND}R)k*@cUUc)HAc(Nt2ONxPfR-doneyf7{GgK%+Ow1~lOkTTw8u~7S;k@v=E7W6 zcBZUxkH5Ms4-IoOd3gup-?0;@GmWNfM>qw_ofpaU6SM^y{R^aYkFex-8g@w$Q$|UI zFtTK+9-`$bm%Xe$Bm=iN$UvB_9}HZ^$=rJ!cx_~Uy)&cWN3@**Adt+Xhi5sNx~Uh z^&lxU=B)gS@9qO@g8XzLM~N|bKA4K6uj4otWdj`6J6={?Cfp8<@19Up4xxJla5Md3 z&P6?}hw>#3G!zDz)@Tg8?<$C}=7p$ooBupj;*M=wjUtsv-pJys82+a$ybCmAR@!l& zqhU!U(7ccq#U-||1#dOkK2Pek>ddHcIVCCr5A_TFVTB~;_V9BduLdLeLHpAzwOT#b zFL5yiiw>ttFywbqN#DLmojhr(KVzI#70gjEG-`|$PRSXiKE$T02?IJ6S%ea4I=!TA zv8`v<2(q4TCEJN)6-mpck%*fjVP7Z5FBCh3OQV!kNHJN`9q^{LbUK<FM&(ShH? 
zvIH;M=|$8YqNF}WvPiTPs^v8nV1{J*KX~YN%;E3{(0&GItODPuhK@gu^ANIqzH+Pm zfHClVnUL_Z-Y~%4?x-)}crF6Hn>Vl&J^6Fj6Ds>< z7i7H42k7ldi@^Vo@0l&1G&IH}p4qYxKW4whlbxJZJ3@Q*p7FFa6-?07%>7+l4tQu?pLBOBd|&tcaDEyM=5JmYwGX)7Y?@EMuD*GX45lX7!}plwr031# zaD2&EUv9fuzs7TYEac91hx6z&bTR|(R?WiPrl;TVyMJC5Pe~CpF4Q5xqepw0cDks0 zeYx&v93C)Z4g-?bd|HpAfU~y6T^a8`ALWjd(hKwDHrtvv(5+RTzLvVud0vW#Z;pJD zWgYFE-+L5~DV}wFP7(=So1qZPv%RNd+ppT6+_|#=lbhXoS7i{}tQ83KU!#ZOhMD=v zoM#UepS?&;6_`HV#P>mzdM$&3)YJXdEyo(SE&Wp~PLtLs_SG$YH$C+wAHsNVQ@Z@0 zt1td{rqn6?I`6O9n_UBO%ZP+?NuR$WzkIaM&Y-rs1lp~`+qbzNu8_7odAJO^RmX1g zk$`OvH_Wf=%kMcaO7rR7bzKdBCF@(`;>pbV^~^H_fEGSq-qSu(*5{$=m!Ly@~tCwJ3R8&7!@eE_YKv>zukT1f5d-BxMYBWm{<8@a(*KYkD`x+wu&F* ztZMC*xf2N~Aptib*C33j9Gf)bFtm8so*tyx?7#DhT=NCzGf(~^pg4lDKvCt}$&E9a zDo3>s)hJPDR%tvMcY)l1>s#ESB$WnB*}^aJnu@5{(2)CQ#aX@Did@{La7uES7Lk&v zG$c}CTnb5x#7S+JLxBHUQJuoMi`p(M_{l+~CK?4lJQzAc>gZmWNlu|h8)?K-q)CpC z%34A~*@~jpP-aI=h^gbtrkvPijKc)^Gst%}N^)e!*Cyb1^fH-FAWGb(Qe;&UWT_V= z_-v^C8$yfHQ22(>T`q{uWPzYQBqyasxv)&NCPyr#kweN1`rMhoXV>DTbB_;^q8%oy zNPx3!h+{)|kRGQlsc;TmQC;{kKXyUNVSv^Wd4L?d_WiD40F@dy?81d6-$;!Dw@kBU zS(b9!z)GHWl1}`Iv&M0b3O7ES016`wW;im5Hnnwb3U%^~7Owgsw3M3otJXqUT4z^A zIV2h%3irR&Kj~bOWR7Cl`G1P^A;paF)vW&JmZ;=f#+^9D8zRUoXvzE>8%%>0BF4^F z5}n-lU-~QXqB1*zA<(UV!2MZplH;2n(QXQVEM1xlNtBjK)wEKk=O9*s#vsF=9Gf7? 
zR%05q=-nxf{UTyxAdyg>CYIgY_mg3?T&zf)64$%3G@)bsAvQ9Gz>7`~e zSV0%pqcCE?Kn)+Y*wPJA#=(`iqEA4-s@XOMwt;{hLr1Z)Fwdx~N#l!{cH=%82Y_i5 zuRwb^{W5L-g$e-sG*?VY2cGkf<$cGt3<}vK>r=3sK$O(Na^gybVl&8eL>xVYO%w3{ z{#rlfGNj)l(tlvaE|_$kQEN`T`e&BWuM?{#IV0~O++#@!@jFZ?BAeruA^qxcWTwdj zWF4#U{wFjwf;{|q?exK3!7Lu7Y<0!)MZ^h0u*Oybx4`C~(H}O%vYF&MGy)Jjp%B8W zcpAn@83`g##t30$=79vkul=sXDr7EQtW`>tMoX8?G(QmPex{j$GpSRv|I3TZl>6(0 zcgh8Y*=S+`6KR*5gqea7N8fA|< zh!u;|gyd4*fuX@-^(gr_Lq4GmdU&uaHC1I#s8(&DegjKDNwFx;$e6JVaKxWGv9Is^ zrG3c^q;w4ZFnU8;8^f|eeYr*qerGc82Z0L@I)iU!kYdgSSz_cAydf2n+s1Vo zS6q=q8zJq6hz+chVT|rQ@+|2WqEio>s6EPLsbjSPMJnjpSO3Nl({#FF^EsQ=$l`co z)v=pMIAp>m7AjyTP=tH&h-<^FLubf^uy>ebCMh*SAf!YSX|*z)O9yI==zFKo5GH+R z;j#Wd07Je{*|&`k*{NSh`lBx$KoVE?r~L1V5@ZUdOlAsE@6<2;0sa@HC)V!{Q1R5$ z!CxeG9A8csAMWJ3Y=BqR>(=lpo7O!>O#Fu{%VZwM$$)PD)6vY=mqXSm{nMx7Xk)eX z?&nW)yc?4D^6aYm%h_}LruEYEi%gNLw=IA5Y=P~q6BiQ@77mwJe7$t1g=jldAD7IS z%}5%4x4n-?`E|Q^a)9d-KDmA86i&2G!vYhW+!0-x+l2Ldbq8T8k-UYy^GrqJlYY|n z;oef2b;NNWzrIJiu^#8!L9!!t6u%D8{|?K`eX+^wJk~9f`Rgl)o=0DI6S%rbUN&6i ztoq@E2;gOW4|&X1XY=~_@L+ET!hY`xaaFG^<2jDhtuHq5xqh*++i2xSc|4a^(i7;m zT;oI8z%>PUXR#-5U{1RLKL%iB%ulyF>^jt2Zr<*zwL6FKIyk*gL--{4bBP z{w&SO6E^(j0%YEHu)D<+9NSxVx1x3plud6JULyao=1=c>9}b@8LT*33Yb4P8Y-@~4 zck@2qHLdJV(zO~#a>3@kgPMg)7fA2+iu!wX?bCRgj#<&@ecRBe&vmt6tN(JMc78}| z*HY9l*T&uUyxF1TSz%uX+{h+`x=_|QCw@O^CTQ`-DEJEH&4;v`_gsFgIuIdLH=Tz53dE6f~@V9AmQus9@2Y?Ox@AW_|hA^a>@qK zH0Mc-Ez~zd(YYe^XjH`FK#3vwO{5~h)sw?T>cN&roBqL{J5R%sWE4Q2)g;U*3OESW zEtVYTk||wC_mc&V*%q;6PM8HPa0XksDQV@?xN%MR4v>o}-Y|tg2T>9!TT<5OfidCb zS`88~dr!haG9TopX`Q-ydXKxI6DrE6-mF3Jl`I+8Fq8F{1m;k-lJ)Xs1#TLRLhWTN zYw-Xj8;C1yW;he)-@ucUbVv`!SLHg*4tCfU71B+^vlE1BPtBB&OA*^A4|;6IoG(!3mQCXUPg$cd(WC*_0~xP~$_Mo|H&7 z%H#@C(`Gy#HD<+NWDPzWCl!_N3a%y%2~mePB&Cd)kkSk%5}(NuuVrNsDIFSzbH=e0 zqVx$qGo!6w;FnJ)JrAZuPj**3=3Zr9jK&+Ilegn0B}ko%QR6jWf(I&%%iAmVhCojD zLc0ys=UT+6RPU9^IIpDvCRkeJaJjJe5?#YE5CkAJ8eEAfj&(58zEK9Idfk7R$9@O5 zUZ=l#H&(TDYiA5Y6W!0t!8d+Xhm-a!RyKB0a-%%SnL`vDd;|9wyE$D{E3!k|c3Db| 
z65_s8(yoMYG-gqgW4h6|3at?bEsh2ql_kV$b~lCoG>}BMN&Ay$+fEE5 zDHaD!<4LTE7dtW$O=j0S=XfMRqvucCjOe^;UxRU=DW0{A%Nv2}?;(uU9c@v8HX;~t* zhV5~}qLrMtlF^4Mqv82{KSFE75``;PKDxi=W9D};U*(^efwLLl?JHmXvKkQo&AP+& zyZ^%Ub|RH_o>CRr%|-H)%0T=P4-uN?52U>R1veO+Ec<_trE(QoCtC66Te)zn-Tw`& zXe3FmW8y@XKU(kX*s@bAk%av7uVcxV+p_)a4`RaQItK-AB%hK|y3|R2zq4Y=3Pd%( zADo8Y9rkvma6S>vLPSgSGdGKXm|^Ks7I>@Q#+4tmo;Wo12zxspZse^>LNA;tohC+$ zVLn$TwhOYfQjSj5Qedo7b&5Bh!gr}BYTD!}7jMLvPdV!tRv>)9x(Ro-fVKPfb)8Q_ zqH*|~BeJ-#S$MFJm~3u`vfYD>Z<9=sxs-{OiHBd#suGui z&HG%>TfKFY`rYhtjlcaq`qSyUec$#yq@I11gl8vE_1ZmLQTu$V-9tA|K-arB|KQ@T zemse7E$6?8dgu4J|ESx$2pY6WW81cqiEZ1qolN7#ww*M#nxwI9+cqcj%=etC32q)fRlvcmL=VRJytUmnRmv-%4geH5T;#5w^2HkpA}kcZYQ< z>vmu2$nN=+#-}<4k6dRw-9>%P8axw@An$z{l&stMbdU-tbbjc_AkDf}m8lN<|kDmEGu&QrwQ`^CSXfW6a+ymGG zhh>z5U!?ydl|XCLQFa-++}fN2BKpKxhUC#mL;SqJFQp)0SNKQJ$d5=`-H2iA$aQdO zJ=Fu?gJ~wz!#J{?OM}CPU z6?UQ;vB6W!iJyS1Eha44g8k2h65XocK{c*-n+oN&1D%J?^Zeoncl zW0JN0YZ~fkp4r+0bz|Y(LV_=O53+7I?-IwVqas27aD4;Eo=?QbRm5%Od6YSRL0QV&!hR)-kC6{8Jvt z=l457D91?4-EQ6K2_lg+RYGte>0!dhX82d^lD}`>uGv8&W7rTQg+W!}#GlNvTBeLh zd*JTQChL*jH8<&g7n6!ZH3GAKbwXLc*BkXJ)$@~Y&Rw>8wnEZXJ}|Vz zA!=uqi?g~ZGdn<~boQZa|5nJ0=R0(BnxNaK^4PLZ`IOU|G8$wy#)`r`C1xy{#7R%Y#QS3Wx=5LmD~q-*R#47ELzy9yA50#&A@nzz zN)7241e5pUXhjis|5^rn*kSsc{GU$u{|fGiBgYtGq-pQZ&y`j`v%iepH<}lYr_#tS zf40(Rvhtvl^k=C&<~ZZ}Bd2VsAajlHy~~q+;yhC&6hvndEQoXlPg*rQo##$kiq6Fk z+gFJ%lun0=?5QK4@f~U5LaNTRIgoiTmIoi7P?^t4Fmd+V>@T>Y7flnxL!UWJz0>)9 z7Ci=ZZFC-lhf#`vBXQSe#-a8hRad-Nrkd&}?~|ENJq@VkE192O@@;U5*Qr8m>#(S~ z8)|Mh!izc2i{_1$=%iui6a(BwDi0qhh2d3Eu{-(I%c{A0_K33GO@Em z2m8Ht{;{GmsI7CE`VzjMEEVF5WK+sV0%hcwIwQXG;-56Ulu^6T2Q-r@v%3LqhuLn zy5OeWUe_k}Z!WFKa8q0(CHmsMlU58EcbDxaFK_RgKrG41TX9hpBW7efwRcJ~@=@6oY zyHg$;mHJrF&V5O&t9iR8CpGc81`Z5onbkzrs1ErTM)Wx3`qLG62W7${9>wh74yCy& za`V?O6Vp?Opz;5|{2$xa!+*Ul7z|4OPj``0>yIJ5ZXA}pA=&%Ed)O;1WV{T~VH7g) zIjjIWb%u#%iwmcBIor26b-rg(*-{g zBU(#V+%*v7HVAH z&ZFGy{TvpRu2FrxH_r{K?`9WH3(Lngqhj>EN3!kp_IOL2A1K2n-X;|Q|Li};$ZtV! 
zyU}Uw<+Y<$2!JY5pE_n>+8-cLssg7n*7267pJ8}yl=$9ydZ zfytvOKDWZosf_NM7JGo{la2Zd)!WSvpLu)8_0Zh17O$SiUO+eCJxeBbqgF|}pSOzz z;4_szD{+9^()biS$$fXp{^a@Ed2y?uoqS&5px?F&&x>6HvUYku8b0G(ms@FY9KnC& zPwjr|%xq~t59kE59EDz}Z+aJYqS_Ehq8n7v0XITnZLgPcWbke~-pQXFT!wXQs+g}5 zYyxtN2%kq>D64!U+^>TO?I9a%AotDXLJJPw%ckK5Y?Rz6z{|VZ@q_2lvO;e%M{MI3 z^vH5CTls2O{zw7%dldV2*?tj%sr&5DzqNYBY`l4Gu|1`p-EmNSq&DZHoW0V$QlG)4 z=<^iD3A&$+=3MFW>eGD=d=hVXYPVzhm`FbjaHzTN&2?Bv{p$mE%KR$zpKo^# zE1jhU@^YQ5<1dmJEPup^Y`wm;q-jqgwT5cpcPY5QnhNAI~H z!3GeQ0sTma|QD+!qv zGAZG4yx)G@DZGJ?xA?&2vS^nzQy>V)HuNoGrU`| z`mq_Rc@mXUeJf}iV#H+rHT5U7%oPVZvj&_y#D0q<4Y~_7k#C1vT^T{ zgMk=QH7N{qNw&{V@yd8GldTq|_0D})tE>G}F>~bt02tn^wIsy0g=6IGFQ1YlQL{Z% zS3JD44 z%i%HiqOwpX@@AtBrp;dd?VH9C29Vlm8cB;XrW#A@QKDjr;Z&ovpUwLgBM?P#>+^x* zO^9cpbj-a~FTZC5#HeQVl%<8Y`tt{9eJ@3urwru{4&Cq`8|K_KE?b<@R#3sN>dXAL zz2nD>-yp?fyRDdBRp^zUwartqY;RS~RQ`*6nGE;zSJ)iatXm+5{6RZg3_|6_V?-Ot z^b$VJ$!s>)4pyP3tvi27Dod%$*W?c4;cqkpY}A1Y_u@1vW&P;=;R%{4Q_XrIhr^Q{0hwu&4(%zXh>Lk71}LDw zudX^GMV!aSq>T$>n4%b_5p98QTNE|mQJ^!z6fn{SGGn&+@#E3_{fHHEfbaFuAUQU% z^=_f`3a0AQpTd<7EgSz7Eu3bCMj!*1j$wpWZwDyz7`leCT3tZn`w{0^h9Ft0FLO{U zRWP?8Cyj8QbQ#axG%wxp%Pgj|jB^^DB62l4j`033JRftZhg+Iute9)k95hevFC1$< zcHDy)CiNZWlH~jdYF5YDudk|ZN!SDYnJH&+Csv8S?a-OaW1=d;`OICDByo36lx8n7 z7nD+nGTCIxUusRnL?T!aLZA<5C)}4oQF>eVDt{WH{&8*}%Bkit{o7Cos|oT-D$h`3K7bXUa!gZqP{lb^ zF`Z*jHrtp?6xS?Ap2Llzap5+cA30W}nXx>+xA+hl3w#p$n0p%s(&!e{Eq}0P8|L2S z9v0-l!oIW8S=Y(ILCELTR}T~q{+m*#YQIe=7r!m+>ayu|XuCP_;VrJ(;!sg^Z2Te< zM}0#B7?A;rv8|p&bMe^Usa8@~LMo$4Y-TxGaLqVtD5A9bZp8sig zz4rE&z&OuHA~WCMRnR`j-@`s&!Ngq<;U(tk&BOY^2oYZHnkwhJ$d=!@SNCDGllou< zV1R(X_le!s@>LLKUWEmr^R6F)KPVM}&@TbNo#yl1m&EC#B38HawWER#xcdR*vnus_ z5A$aZb#MKcZior)I0JfKCGd5hQ190tl{#$gJd!)C8pR$@0lKEx${!Ryc1VvV!&ChZ z4`)XS4Saq#8xEb(0=nM=&~d92QrcexE|wIgq?{gbr+jTx%o4l~#>0R*JpEc%!IX=j z=XD8!E~`j%j`eFx*ROA*4tDM@c=tM#S@2iB|6oVv%de6c00>f75%hi&P6HapPyT- zo7{5dCDhcj79ii&`kz{^57aK_SLmfiU^^Hc7Ry4Q;ZMDu!`L<0he?<*d*C4HsgQ?bCoUoP0nLL?+f}#I zGt8Pn>l2|pszxoxs{b6Oz19&d@5ReC!!X)3z?K=DrEAFM^-Ap&{X>jT~eHZWq 
zG9k|4I>PMe1oiTsRr%eq)8ci%J^g6EE@CY>ni444*?0#F$adNE5XiY3 zpXeTR_k7$>m6_=z%{`jqan{8tx!O+tq4* zcJaTX=6S#kWZU5Y*>-rmmvYAGy&`0&_(p>y(&tSEG}BV+W>Oz>*8vycJ2?obH(hql zGHjrPkns!Naa4tsR3L5U3K!L-)zk(-Wg@w)EOkL zExMLg5j*PC&Xh-!UPQ%t+AML`m}^PJlvei1E!ZX?l=s={)Z_%og~q=dcNkOusw%+P-vq^e%C z#L=}O$?rpzhf``Emq^4^?n zG=-t%&uK*d(1tFEc79*&qarUT_Ak{ER`ptjBJ$I{v?#f93*%mZ?sSh3*_GBrQ(NcE zX8zLFg%uvuDsem*JQ=PzHE_br6@jS#M-~1HjGz@WWY%m1w_@^8pyf)cMszBxjjrQd zt-(Sx_YfylQEJ+5*Y}0A6#IU}zF1KLOS4Wk8|}O+8&)zuaeTaDYKH&!|s};8TZdc6F<^rnYpv`l}G}hF3_N&3e;)2>-Dsvb@G>}T}>w( z&~VbC(suJ^rPcDRXPobC1x$Dj%(<%fMG#q(y;+Fp(D1(hs{B_AFLA%dkZ2>BlVdt| zpu0i~3ny*U0Nu`nwl*Q&V2Eg}3hl19_6qUg5C8Ff;XUC?UVx=Tt-sBo&3!fvR{ zN+7!z;=Je&A?DbH_^sOcR|?Eu!M=(Av*B$MI{}l{@o_Lj<8fJhRT2+HWx)x0IJtml zk6z@;)j)Mpj;qI;k=gYoLqMVVK^nguL7imz=4g;lM@BdnB3p{{Rc#|Y@pkywgTA5Y z-k0AXzgKyTR?B{wqXTVADO(rbc|P=WCH`V#>L8c+BtAd>#RmgSC?Gw&}VsKFetfj^ixGvh&2B6syT!QiABzAI4*< zX}2})5Vz-<5=q%9v68j<7=qOPV$Y7=H#s_uef`34jrXU3Vvf7Z7TrY3g(#6jEPZk1x8rydG>@dlp!Bq5xkiZ4vyWO0tj+t{i`Weki- z5~xKbp*J3z7GbyqXS3g_Ht9+#oQjo5sT$H=QbEF(zx^zcCpHt7)|oqCOb+M2)uLU)f#%W8jsH7e{y)FK zN{}J*;n@LTxb%b7B1~VB*fQhk_3Y5HeP@f@d z+K(WKi~5C-$4YJu8jtQAzt_FH!>gxz3JYE4x0#^hp-s)|j;+l-ZX1YU`9h~+O0V;d z5zzLoV?*z=Fc2b~50A9vHm*?EVPj?DSs#+yMYzhmOm0;$MGpTBep^ z;L_|Y5>v4N+%9u_@OyQ*US4syRd+Zwj^^6yz2-!t8lxbXHv=_oJ`CTsLnG z6Kxf?3wn?0o(n29V!-R^u9ZY-3(sf&wW<#8murH^JwW;xL8~p$uiIx51bVl-+T5Mp zSn5*l$TMg^q_VMiE&>ofY=6r1Tk%4=GH3kUsZ4DkeQ{T4fcG+rQjrUi_1(3mt!iHU zx@EQTC~$q`WwYLP1bw2@<#R`%arrS*!r0|LYgtH2^K{vG=#aB@KClP8e^ws7>Cth> zay&|}uub;VLttFFd4X;a;Bg&ssrkG5%;f9j=-{2Mx0w5sq4JXFv-{ED@7%xN1>McP zDR4JwVCOVWX_NEx=kFWO=uR=fH&$o5^Fd<`@P4tU0dQE9C%kOB2!RdixV&F=b5Y-C z(DK{M^gda*(Rt!GXX1WI@0;Rwo@;r^aQSyOWtaF}BhBw#sOV=EXp%z%k`F&lDi72E z-UhXB`eJf95H!!WaOmCe()yRbf#;sV?0jIm67ZS^3#8$NV^2Hw+k1yiq-3GtbuPlX zC3&8LXsyco;fn&k65@AtE{_D(b%>wJ1LCK0pj=^~aZ^dU45C{Y`Gj#wuH7fZA59iE zhsK0|>cqYhP(RYc#3|@AI*feB&k4Y3rrMaG(p4uzb6EbwZajUfY>BFPpEm=iS3cwX 
z=kG)j%tN~t4H>-!&&er2#{~9+C!VnUGU4^0=A}kL@$bH`y=v6-juNDwtPI$nGi@YBo(bQA=}Vz+suIt{#%3mUrw62;oS4dHU}14s z<;7rhLnz~pjxDikjynEiU{{nUsEl*_XGzKash+Bc(i^4%lF_zxcJBIF6T>X^%%P*h=o~)fCl~V%;rU+}x5%d};@_gLwZFm4m(3$aNYzSFgo;oj zX}SlKqg5X$v+(RD5QXlrw~h$vv93)ng#To>CXUXRX?*w#knNK#(iSPQW4AWU7iu+y zCaP~lQd3bxPJv|LCiriR2FA~qm5gF%U>Aeh3tzsh-CO&0#Rc<+#*FYBE!?5I*p5zr zqEf&Sx1WzG3+JnyaU#T9b=sU{6RC*%qgjdE!o)@JVz$;-VMU3pW#79n6a^jgjlmOpT+C>Lr0=F>vxk!iN?L2Ihh>YCmI4&Vzjq0mGbAKn$z4mrO97GMJEf4@GSq zE1E@cA%rD~=wF{uK?;LvAvDh zuNOuH->|%r5H6tb(v`xiqO_<|Pxo(0e*VNuO))8ykNGWmaW6J%1pDViD5a-me%W>` zkYYjR6AQAnTJIpW3e^G)JfFGKSoN5FF=}$o_S+&<0@|WH}+wIXG!JH%P_OM zouG_I8sQAfOpNzW?Z^BcAumJk{^>|p z?l_zR4M3+&r76Cr{==mKkj7(+I({dEe9eprbCnvkT!} zBqY4fMT}efFn;&p?6Fe+mA1R!?=^2Lcs2DxuEcMPA}#u@YaW=oZev3YTj>q&;XqxF z+nuK;NZ2ER`yMLg+*6g$wz>tQ$KD$*^!$f~q)eBO*GnDy{JoI_J5Ye}iKQ`xsqHBX z*Fon2b_+a#`d|}F23WP+6o0aZ{>lqB_cwEjvXD8NIePlr^(&`)duEmAh%Xmtw}85( z>9$862OxOZUZw3kB6u=-T=;Io<6Hc)MwsiO6_n!^HFKtS^I^i-{k%=8;p?l)k^!DR zeVeGe(%H@0i;rG+0R+cDEpB|om@UeJ{;1N;oLwaL_P5|e%T&(vFzy2?w|zBnIeL5HZ~ zO+`cx_OSN*rCXMkSVX)bTu)1-hKy`^p06mPb23)G-s$yOp}d7579;c0VoP*#gq9iO z)-T{!-eFUe^r;6QX;AJ2RfgX4LlM2d_hJ-=qG+7y7(bVz&L0ig0Axc89;lT{wPGcW z8Yxka1lSGN_0U!0?=WqyoJLwwRV4rZBImEWZk+EG!pTRJ+w;pyto(ttoHboPC;nDU zLEnCW{lXj=HHOZZiTm&>@`Y|lwrh=%V!^k^*2cM7=zhSQ(7II3VY-}xMo=#Ny}3%& zFklK|mz~OxZPHQ+MXj6poT!~^&2~L~k0l(981fH~PYJtBReW5EK6Dlf$8yw~mdb|P zHlMGJV(Kk)*@_rD7uW4?jt0GxXZW`W{f070p)gvZv^7TweXX%u)x`0~&&~W%#~8ip zXCjl>XIvH@TvoQPl~%C`B9@Acl?7Hy=vuQ6@#;-n;z2xvX{p=sB+^>2L>QBV(Q=+M zuEN-ruP29l2B?dwy@qWe5bkDcXB;A6LqE+w_q!#jOmUzR&ehpO{gSwx$Z0rS5&yWe zAw71yyd4u8I-8hB`T8ez)(!mvJ|mVm3e#a#o&}iG3^gL9pp%EdF014_5Z49oi*bu? 
zk`oK*ca@Qy){WV-n=%bZGTfj#OUxGCNWbgtw-ofRLG2lNVbyciDLm|dc&NGN!j;k2 zW|*=xqh+yw9w1_RL75@SF2(s4CJ$4dId7F<(K2a$CE9RTnnO34wS1Bo&}|4cl8=v* z&igc2zg#7GQzpWB`+3naTokphBU_x*rcjaOz;)bz849KNx08!hg>p&*eWN&wfbLL; zF4aMNyN=>RwOW;$3&{$*Oj$bZAY4!^>9@!182h3sSDac}BMjwxO-D-OY2vFV&034tgYx@iX+r!pG7Draap@!bRAd_9Z66sq$Sqs6P_LJP0ko`WuFgmN>L; znJO;FPpNQh%Rq4>Rzp_v6{>=VI>E&;I5tl6%y3tav{BFcS^U^uzMnt6w&|FjAREzoFG_a zwED`dPl>|emU5~3u+MLqL6#b0Ji7E2JFC5Sn~D_AyW2Uklz7=+XBVPoQzrhZ<2QHs zWmrH+G@`X~yQNZ1omN60i4KoSv$M99pOn*(_=P!=ll_MYuiD!2 z3teHcw49@7JGM)9H=KT}!K@N=kn|J8Cl}+k(O~1M zc4hf2loII6)V$*~D)%Sa)xAIVMZW{*mYq80x;C1_8M-51!|(UFS$OLgGTe)JZ6i20 zz8OE6^1-CF?{c+$mj0!H6WG1?X)E;=o--bHzT|@9FG#e`r3l`>CH$b|&m{b1iZQCJ zLzX`gS9=j*CJd+lw}2s5_^0oc@FAk5z@Kb@w{)sbn>97xwWZVLV?pniz#dVYt83Vfg$~rmF+|pmbLD$8Jwy9 z3I3L`drt{voc=G_l$+}kdAT2#Gj|?**EvlLTlXHk_>C(c7FEe-%f%`m^;574HKY7* zIL#6#^>665V9=)b`z)+I5QuN|G1O6W{XDlsXw$XE4d@&TovKa+nw~rmZamL~5v%~W zcn$b-fFBR<*?S$adLI!kJY`YAuZOf^j1m%=J=))?Pye~mnY z;ahi`xzU49wf^n(8v$0=hmg-@U5!3=)<>jB^DhpdOQ{}Ygs|DE-gZ5>nJBTT=I7ni zbe4|L45t6P(Po1@Ih#q>pnAb93i9kR>!oKT?7DOwP#HXH=2*XN5`n~r{n@g4zb9_# z;^NrPZ`!CSEZ!6Ftg3QQ^NR9(id$n`Hm@3b{2{MzUy1K}(-+jq00g*hr8VqEdeq=` zHm}J`aHMqXMvo1p^4%CdpP4D}-wgqMF#y(8U$-jln@4GGUXTbj=C$W;T^!+V^@d0 z$L*|w%VIQb^~(pT1K6`8HI?sS{jB-fwC$yIF=Q@>?{US%p>z9swKBnRpYn8I$gYcW z7|+-9biku1(eh-}>k9C2pB~VBdBJ$7;C&JS-K~|#@4n>V&~;EO0p3qni1FN+E-p+} z?@AQ_n=EwMUnD;G@k2|6b( z3G>7yqVOs9rDi!sLx^?%R{}aZK7{7wOD+64p+q&s!*Jo*=twC$u90H2rAr|e(jX^J zdZj}m@gd!%Vzty+M4CkB(iN4eIEHLCI$fl%GCF*%o1XGNhoXXpO3VusZzO!l_uIEs1vAEcoFj5V*FwrSM}dGZK_C1mdb6_+MikF7ga_}}jr#CKIFa=qL z=r$}=W8^)irLjn>U6H$CHuGL+ekP$Za~CGI=kV*)yw~Q?h`W!{no?v}Ht~aa5IwaT zrV-9q;&^u@kd|lHl}5A?7y5z*@na zz^SX)Bi?^tT$aMJGq!=0YM7LsQU^-2o=Bd2TIgIV45y*kUu-HsAJpyhft2)k{b37k zxpDzbz2k9$netvv!0I?HJ3_Z&bHZP@8^x)RvM5FZ%bmi1bp$yf;&PWo%HHDl8}_tw zledfF!=mOd;1nqH=rj-~?d*~{ICDU81#o6tOF~l0#3iVP;x(KoMOh?64_X-#Qf9K; zzu9Tm#NdZDuNrAFd=CoHw2Wm@)>-WMmFr?+u+0?97_Lk6$F+mLeSo?UPvr#Du+&N; zJD}uV2c6oAI7psFNP=1wTB6I=LVU#>J#U$=_?JmCCsv$fu;?zDM;`m>%{ao~sd4s2 
zV>)sK0@oUq*^Ms8-WwttblbToT}d_ytRgfAKBu%Idr;JzN^D7JD6y+8D>dMuuwv_QeG2RQJ6#63i&U}sO&>a*jtonZvw*d& z*0X5VpjPi0H75IyZa7J&lY!kO?ch$A_Y%$eh31zO0jpt!xokMGH42J019V`zIqA2> zp%>xlv^d2fdESdlBFShr#)FyWBpKU@-)xx|nxB-YpINV9rRmBDDcQ@YL-~|)cLNBM zYTd=zvgPHCktx&ZF)|+VwFv*GTpbBBL4C--A_@3_pX4fQo~IlFNc+wHqmYsAV`>O| z<3alP3d96a$|WGfO#E$zzR5i!;J@C;{k6cGcE<6FaJL?EFyPQ$^>~{8@L+l|c-F#q zyfFZ9JGy*pSR?d(8>+zjy8*x02Ycx`yN>XL!>_UlWN3P2+zP+^*r~tz%LB_+PN?fS zv9dF?Cg8sp5zE)Te&b`?Lf1BaxgKI6an<$wN^OHl|1tMfz4Jr^sP&k*hPh#L0P_EP zORkZlre~H5s}CAuG+1?+bZ0cEGk+cF6VQK4;5<+eSl@fBxMKR3i0QwLwY}qZwBEgH z$H=D#d=P$)Gy8e%KoxG2eg_^8k?xsqx1f7rMn>Olbe$^$EpV4l?Cx)J4*#<$ z!cGrRu7lW>x8YIZ;UmAGjuHFolY*VsOZylhA-?}m7h#P?L(Q7%>lvKOkIsfjJDHE| z*$r_0UG!MQ7}zU%gz_y1hdtV}Wh|FxPXPd|@tY5u5xEzD;G_n2P#?}NPpi3}7Ac#_ z6u91}ky`w37%ntRnZnwyf-2rrr*WO4QZfy z*({#WXib_Lat_%nHia?B=gnDml)hb>gXHz2*d?c?iyuXC;&!;?o_N1#9{C{VR-u>j z8`wn!Z3c&tdCiuzf1ai`+;G+oZ_?d`PS-|~Nu{GX3WH*Y&KwXmofejiIbaUv)^m<% zb}@=^8@g;2h7u0NIfe}Nkox;ZcQF{63zY2 zdL^n)>q4qKnQaX8V1axmhh^)(HKKb6!r=%r_2uzetIqSu_o>U%nE6muFso57rqxbw zAFyze`S5Hxa4D;nN4K+g1&b;{C51MhgyQwWt9TV9M;eyPrwIQcw1T9Nw$mqVw~;L3 z;BKI#jux%stt4(UtrZdp(_5`V<@L|Asbp#^XCscWr%cRLClX8>v5mN}i=&g#9(;#_ zv!BkQy_SRK zL4i2!d!{HQby-E!W~8WpPK>101{=Bnu_E%YqOs zDC53)qxwmTpz=+4T!$NAKeCmVe=QR$CZ$y?lR+Ghw#~_*%F93(qDObuLHa}&K`qY4Zl9f-S9twZJHWPq=?t&LwNb$3gaonr0)q z{z8d2M_RvG_fXc?`ZZf%99xL8HXwkX!pci>X~DtaV+t(sa|SGcWJ+a~RYa@SrS=yw%T-_MOe z3?_CasJqQ3Q_nr_0PqfJc{yFcsZ}X4E}idqlgp;pf)9qyhq@UU-(7$OT`^ZWYwnB1xeh^<3D!$Mb2iz@;hF1E*aDvHy<|r)bZBwgvRt;M$itT{y(u)RrF<<``rs}vAo5cFcYQNaBF1(Gky$3!| zZ4=o=HaT~A&tFvNz9ITPK6)^A9b#u*`j{fr2*K)jgfrS%6#Iuy#)z z-cv)gm7XrQJ99{SFt%N1`!#@#L(4oj`TIxtvuJ@4aS?dRFszbJ)S)>&kTG zXf!sUzGjTZ$*aY@Nh9tnL&kD(h z1WhM2L)q@9Ly@_)M+Jl%9eYYT_BSUMsRkmz%kjAnu+BT!9Rw>+YET7E&;IWp2>u8B zGRZNp`&13FPLfoi?OXRZ(C}S-?0xWpnY(}=bJ<>PczlWOB7qfCHDJd(6>uLCbP!z< zt@KeA|*-ZPUUArR%x~Y;)63H)~QBg_^L8;Ds`kM%hzW5|!R*&nfRUO;O zBh4S=B-I||&!nSHYNo39(p(eUq&%?F7sOPWW*tM8eZo$&F9ng2S;98Hw#NKD)J{+% z3OcHlMf7t`pZYfaKBqZaSZLNw``h`e&NhGBZv6g4Sz0cfTDL>4bx 
z2C@z2f94-_JXdR=(Zly}-TpoOo@~t8U)E>6j#w4losU`!z}WX@dKh@m9RW;$;cm%) zE0`aFeNO-eTVF4EA#XLe_4hvD`pXUBcQj*-AnH1V)+qb?dikH~Mm!8h{Y(Vh=}wD` z+(IR5Dw$rf;iXPp=W=6q!!}15-b+@fq>9A2h0UvsUmTYSLaU7VEIU41KULBxo2`0D zoTO@D3*#{x$e&lIqwo-a-}^y(G+H(>9Tc2~SRaVB{~3`cwJxW)pxiu`#4wsHTz>0O z6I)6nqih9fmsq-D!D)pAIU18iZ&t=}pQ`4jZmZ)%G=b39Y@VcDV+I?>|<~|G&wT`*X?7j8NWNR|MTN_bO_$=13Jnl2o2AV448~7P1H^(ch zdk}cMnfjq3X<0ZG1xdcE98K1Vu(N?@wU>G>Dpu|05Sa6t|Ab=t@1%tAL^dU+w69=C zl01WQuq^=)EQ601q^UKYcKy$Cbnj;%Kl*PlicF~#kjwYIN%>cdCZrj}-j@!4FjT;JWkB*JL6&clptlG&3JEL(GC zQCy%XDw1!@%VkK?qtj=S*TB+wqBD4fI%N?-LDVt)I<$e-NXvoCxXHW6n4fQtq3JRQVIDVdE6pED7;fQ3G1a3lFT#)?h)H!I2v%c#Tuxr%)GUD+MD9I&fsERXi*aMut zDgY}&1r`w_QegB0AG;jrsvWN>U}>HUTcl#Q9^beX2vGnH*x;DA)o=?y?VYmC!~m|% z<;$lF@Ne*0XunyiqQs@w+mG~7^PUl;s`irzndx%oX6hp56h14o7bwHhGsPotE?akGiL;?(z0yk-4cW$GwHs zQwM(6kI5M&BzzF7<%L4+jN93|<5NS&MXylELNz4K>|%i4o{fWtspFmzvmZzkx!Jf& zg4AuQ4;(E{t-J~MSdgv&c8#^IC2g%|YI-@&9#dO1p~iH+e=PVXib}MF&@=K})gnE$ z-IjLfyY-R4TE5FHRo~HgMmH>=w(w{8Y!?;dy7;@jP`q6XXFGnh^MdasU#s!2@ozKHQuUcbYuNYch7(f8`&Z!ze z)L)1A3J#kYi;cJC$*^_r$83b$rd72Goz0c}?lH^M4FUnZ)xB4-M;g%MiQLEg@w$S- z04Sufv;2&6>mxdM470O-kyc_*qPj)yWZYyDyn?Us-9E&h&EjsBp!f;cY2~qUzo?Pp z3WDF19^2~Lssr$YLhlUPT>2h3z}YqwHBpP2Mmdk*tzB@7E@W4-2=>)EgLuhtGzn<7 zI$jBN9osY|yUK!g4*P%!VCs*ciT(56|J;=X$|q~U*Z(Q-GIs~zvw=5ddcWNf@KohP@YvU-V$C?c{pNxryVB@G$#?{t6QtZg%i!K~B#+$U&) zFpdH%rsUJ+v18Bmw2VUItxRRO1PyIVjGVl_oz^oCQK~buS0!n66k=S7Hs-n18-i)) z&Pw`r)~#_xHP~A_z}QK?Q6x(7cbF>MVGFnrGgenoNo-*u#HFd9cJ=AjIx3%B zXo?o%b!nrTTDz^N`()F(7giugfzZ*r9?n*J}u@#{9*S*3rp^e5Gn>2y}p5j~l zAybYQLO6+rRQ$-Ja_HGC8|5KT45WN$%GlYFXb>LfAH5_ZA+=G z>Y^6i@(P)((tate;@2PCK;e`HsV)(&R;6r_M>vl}CDxm_Kv!&NnE!t~ol|2a(6X&# zn;my-+qP}nHdfG`bjP-B+a24sZF}A9bN0C}^%LfpRrQTg0?%<|EJL&^?zl0c<*MN8 zLNp9XFv0|C-drlIrp7$kbIo&Qx*FWw+k1Obh`=w+Iu-ma6RmGWm46jyBz;!WQqN&phrtcJ^n?+nE26sSqOUwMz zlJU&cb6oopA?!64OPLJEgL3c<_6^5Doit{_eTy89X<`UbYwwZ+r!~?DH!qGA#*h#t z6NHQq4&QebDk+hNe<QgBev zajrOWDxaxx2O*#V+`jKYdLHPk)LN#fRip8UijiX?NCtc4iS`lL&I!L-Gt4Ixg!gwu 
zvfV#Gh+A+mfLjSFBE<=0Az^N6(szz|fEPe05L>C7LJwBPdaAf-;v&Gg5YM3u?FzRE zGH7!dfHnvifE%Hg#bH*mkpQ=VlLxNzH5K3V_^F_JO5X7-fGi`Sr@IR8#@&DOOTSAo zfQ};h$Xvgp#K}b(-p390rYO14l8i^NG7qN;71PYKFIuG#hGfUeNXH~HdK{BNTpm|W z+?;Ze4cC&sogvk}d)uxc5WP15U*UlvE*(Oj8V}<&U*GC`IWCF+u)(x`?uuDZ6Z%ie zbyg!j-jc9Jql=D*z{TW-FSbDyEn|u1b8kZO2QqD%k^IGps-2E~5}C?Z{^}N!OdA!Q zqMq#$JgSIb^ZB>WfyKXGlLq`X8KK@F#A*yU#FK_Zk z&30GaGN~X(z?+?SM!_}T^X5x5JD_nETCi>B_hd^MfdZl58iAhE;MLyP@<0TA!15qv zr@@XwfdBbFOrMA26rQcgk4eE-B|nFLRsg)f60ek(LlN(Gm-FM`mErYp4=;`$aeze; z?bYCvKJbJ{n8*t^@%(#7@@$^LbwU>u%i`V_iDk$*U zm4T$I`ab_k>j2nVJsZ`GWB~3Yi8sL8f0&%bYu2nCys82gv@P8rj}1R{-_zMUX7qE2 zT=PUKKN<*v_C{kC#&j(>x7cA~=9cu56nZ@7h4J`r$8?qfR#(m^Lp^f}ZOKy-v-wv< zg&`^3wjohZzARclfv>A&DRw@^TAlYzv`AiveES#sH`9xQb>i*VzmLdy8C={S${NQq zus7e1Pj-`z*c?`k!UPRE2IQfSI6k!9R>Qqq@1cP{m(1hkmYIuQbL+s5#JWpq-mQT1 z)pMd2KNbVq_kJY9^WgiMbYHYFy4NY04E@^aSwX{7sE6OroLVK`Q{y#TOQ8Y4ThXu} zNvdOphGCJK&z(o)Y{RcgS%oeR_fdBEtj@Q)b(A9YCtsHsIABCY3y*h3(+L?~$#+=c z#~75SeY1p538DkvnP%@+1RY`vN7s`wX=kYRLy2zo7H>+|1@iX|bc5H~P-u_w3df$c z6Hhmj9G4euUw${>R@k=JYgxs1=Lc%UMJzxq;G`71S^I6l)j%zq)p4c$rQp9K<$B;x zVDXn_Gw_(R{tF$byqj$7xBXGVnJC%jR2>av><3r~*Q#H@T!J%Axk-{r9=|EYX`tE~V52?4AfCALPNDZjk4|sSkpyY^j|3GAfgL^KGlLFJNkJ>F$(hxq? zvK`x7X?AWjAqtnRCm!maR{F1DEOhe6AWDz|vGQP4Y>e^+uS;U#P3k-FIT#FGW|TrREn)$o|@IM;x! 
zsfRoe`|BZeoR)4A(`r?XAl;hCwCEL+H8(oL8J)9Hq%>M|$4P(O=B9zUmNQX7oYGJ= zLb953lVB9Nh=*gL@ltBYm7GKhSF22lC9s?d36(6>P@$w(e?ztSCtRDdA9?A?Nw8;) z!!n3L8IumO=PKN47jlS2dGJZ?lQ9v8Hbpz0^?~J@;HDtdPN@0HIJif&Mb1cL41a)T z-L3b?K!Ws1dEa#$7@3A3(#4^3R28(Obv5!Gsd79m{y_<4^cU;m;D$TyX`ZSPF1q z4p-}#nssp|)zhY67wt%0ZZU>LA&YbfHL($N!5^q zWQrh?)F;O#{Z{z?bt%qYv{g`q0 zs^eSic_7N34%qx4!u^~BcqL~~GyrQyms{N5TlRfZvxAwziSe-t<9>U~*BLpBLCU6> z=iwYRIkZc#$d{-l%$vY6-KhM9jzc4Z#fP-~>}Fq-YcO%9r!*vpeiev7E{i7P6~lVW zunFM9cUmkBRWCuGjb_J_!v2Ah#3qPI{#Af2dOeXFJ=%J7NsaHt1nud#V&EW!pKhI2+Qtw4x0**Pa)&fyXy()iA zF^V9i+YkEt z=>-|V^hY!rE9}U(>?&hlxXuv!`aMws`>Hr&>M(0rIsJt7@4w(BQXIkz{I*5e&myO5 zIs)SS1;aIXUJBZBTx+tKt{gm1EMf>euH)ak+OFQC_)kta6I8JP#@5e!{Zp0t=n9h9 zb&{J6B|WpSp8S@O(}X^HpJ;o34-I)A!CXd%Js-1Q*}6Y&9=6WA_Vfd`?m8Tn(U5%n z?#4$hAESA_U-vZuy z=Ph@StjgA3?faw8S2icM>&uysKdSLvpF%UX>u30L@Sig<9sNpr-s4g>9(VSq>D{kT zDZzU9Oc_DEE*h$~IZ_)g*i!`Ti64KSlYZ7CZuMA0KkQuIMPz!;>|cp^JLB$2u9J{7T250}i)DKs$d0Xb$Zm%AMm^W_+4DN>J)Tr{U=z53c zBpU#((|xBaa~8MnLb;>#TXe39MXy}1rE5POUmgjj`MQSu9r=7tZ`b|byoZSzmjU;o z$SJ^Gi41~u|DBZeuFsWj*|?g5b-VV@WZUWgojNCfLVqVb0$K5ZJ#mjYFENKP6fetc zly6AyF*|24Ic6n(`K0$(fE~I%O!$U4L~=jPh2JxvVmbzxE3lBzZV)y^p-{Sj zgBVMK)4vYe*H|tU5#-){WFFp{t1VNInI4Hb2J$E~C1p&yCSKe`mz01fO;$E#Rhp|8 z2bE43$GoaAKCh0Fh+#Ftr0%=`zlZ&)O(92psDsoGL=OsHLUHZ!<^8`} zkU`E1;w|$Hf7FTq8aAI^VC>F^I9j1WDNK#I&s+d zeiYCMX+BI=e-w}gGu4O}e8j!kwi#v1>!VVr7JwVBBE+q5@waTcOP^A3ian9wQT6eAZbuhqh2J*`L2!fySUUY$&YV$!+$8L z?{#h(P_=TI8J6uEM+#DzQT(kFf^*}(7Ja7nPZ){^>n4yU{Zglg8*wm=fTg-3coklqz%Ea&K~dqZ3@+=ONu!`#WnZGK z2r`Qpit~)SIPzs4i_utUXcP*q>|fG12LRj7paJ7B13T%aemNhYgf>Gh811j&eTpN<$KrwGu0>e(|CuK1d&PGkXsZNc42BZ}403`;939ky3P?_P;fL`6mk*=5Arll0-b#EG%|Md57i1AZ*Y`J@v7O|WWYr6dFwnCqNTuN|Hz-)pKU=p+;tJk zfuTyQvz>E_ob(iMc{covkBiFsw$I_@kP{>c#ykW(>fbnLh+KCZrqLPDNM1`pMLYQd~OoJ!@q`1Q;v!>COgWp!L;feMCm-`-1;vXV@-_o1* zf6_a2KzOwNOvDwH%Oze&>_Yev_QLRn42g;XM|uMG2v~Q0O@K}jaOp+GyL2Xf&gNb* z=|P|7v(2!4?sAYl+Yd3nv3VFF?=|f11-Q-BjZ@?x{83-Z^bq9oubSuV28Iagw~wPk zGx&YTmdU5^I6<0SIbg&3ewrahl7oB!^UBaf 
z0i#Q<9$YmR`uF|*)jCho{x$Xu;#Wib)0a4w1dUA18<({8B?KnIy4@cyO)37Z|E4M! z8?fd#_vkzp?F}~^K526V)i#YIVr(QG+ZT&(99!^vK5JR`GqG*D#(Cj!J=5<} z_bt4qo1dz(dn{92av0wYp{~Ozt!o(9u~W_4t)~Br_8yMm%4b?Ttg~mf4<2~&X=(T} z*pJugwrmLaSb9IN45V1br|)!HM#S4}{(xGpdOPsX$#feQM!ss;oULFuHGiIe)+Kx; z261fOU>PvI&VC7Vci_IsTyEjH))b6Ip4-=a>IpEv%BM_`|GcWR++M`$_PI=Qj0A9f zhkrTV0(GBq9(qoJ9J>Fr>>U75(AeEp5m}Pc_yfnLF zD5lW216CN$`tG$leaI38!Q-~7NE2K%1{sB*#lPzWuul0E)p!qtB+e2{Qd!M5>0^Ad zXXy^aB5XtB9WY9pX|$qNXcsRLQXDjxO6PlnVrB5TXiT$e#h5)(PV&Z5C3JC!N1AKn z5BFHpa-~=JaEd2G>a9=M-ovVLTSndx)LtsYy z)!QLe63eF2L=1^#6M_-iB+m+W2sH~9<~;@>MZ2C@eyGMiA+;HdPa@xge5c$&An)Sc zxlyW~7EPffj@9&zD9{LRlT=N$h<3O}&PIm}^84`sb0;cVwT6OP3wzS1j-Q^F2Oh$Q-+rnv4Tk-sf33Ce$OaZ~ z8IC#}>3s#;Q;uC@G(%}@Xb`F%26J=u=m<1$i>V_cWYx5gT_m$Y%)=QR{F%WV=Odm1<3vh#NvoL2KHC|bd74jqayFJw6;(iF~6 z_a}!|qtlMeiftrX-kS^Mv2pZITP8aT0gb3aJWT}}Ddd>jK_5nitrWF-QxHeZnF+gX zgjb9lX_^6b$o>UYdAyJEj4H9r%Aw9b$Fo>HYJ^$kt+RtfiL56H@{P0FI+(=6=JK#r zzv#@@l32;S5DRxYZPN6!v4LMOumx))C92+{65(YRy)bNJi~DIPq*jRY)VUy5Q45bVVdwT@i{}^XRRhYYaB^h5zy*6u;5Gzwl7Q z(1*@t*6GeD8WHY#J2Sr!#WgL?ojLb4#Ytq+2IwNK2@h#g3!+bH|u9jIG?uS4w-VgAXmggQT8%m}Svv zg8KwEu2)mQWTm}i<*3C&WfCNwKc*qB+KM?9A6rVo?qOHr%DwNav?yTHGaxta66YLI zhZG=CyA8~si8Setaz+p{KEW)KXqOVGC^NFxLVXsG!FYL`iC;FxwG0<-&IPun4TtU1 znIr5_VfD_rDV31YW|iAesOA24Te}a{`ib%wM8&RFf%_2QH1!=e8_ld05e%A;j8m9q z^FFD8j{M6Ty-um{dSI_J3w$jTx?c}H zJ0uCbFOLT}4Ws^xj-dC>^!xC z;lrzsqH^%Z%pNvD&oRkAo}QK4?r{&jy^Wp)hE!h?kApOTz|&3GR_ht%aaZHRswRW; z0YB08r{Om__x_I6e%YY<`u0r*chBvAu$N440ym%ocsU*4!%!^^o25N^beFVV(!k@2 zs`X5~J=3079vw=vpAI%#7@J;?zCSkm-O$lX+;@SjjyhNO{cyLlqnWfz+n4E}Zg})N#`J4bvQnXCOSTI*RR+rWfBH*wQSrGw*YE}W zhOGtwN&>2K-JW0Q_m$Z_m@(K!>lG2|wURn5izsf1!bbH;8qHRX;&^z1z)ZZhIg!pGk@EQ03rcRpNO zn7I7+j|>g+nF&mgO}yk6P=a^{6`L?pItBF#3dBBzlj1Cia?CsF1l)vv4C1ilc{Uzx z7hIJ6`lWCR?zcla?yLEy&()LX5zP zv0^DK&kLE6V4y(&9SW8xii>yT^5{8Rh-16f^`mnUO};Uy<)E;1Ir^JqJa@TOyAI3T zavAq8chs`pt~zL8Txjjr<~PEuBCaMGm9J1VL?bBldB^mVK2iPyVLq~w1SfBm%kCy0 zcW*FJQzor5-T}cS==bBI^9tyW8#e)zs^{7@zvs~)+%Wt@r}bZ{Rm!D=tGVF3dp_o&mta%7}IW;%_u4O 
zCA8XuoCz{@B{KGgRO@ha7pYzN!ZTf^$~dM~&TXt<-eQA+YKo!|h7C{zM9e=H)s!oz z+2@kVi^n9`u|10khL4Pp$L7d|6}-d$Rw%V6q`}h6vMD|X5;KI9=?E#QcPhsCSYye| zTSGl_i941+;w?rrwO=*28i-lE+3n>?m4y^jO6%9@l#wJr{!(jMsr)t(tM>)>2|Kk<8-0ot0r(Isz)8i7c$|4h@0z}agCV?Pcp2*eSI23`r$p_~xXKAie64$}(q(H4{FOKuQE+hVv;yb}tk8^H^vT6+;8x-} zFfW8>16>ADc32dXL1=^i_2Nz89BZ(9QfXM>mt+{0NOmRi6gctf;QEiQaZ@P~U^6?e z)+5B`sA3iTAvh_6455dA)gowV{^(J)=r|S0?-g#1kaK^hzPod>oyifWs6#zrFo3(6 zIJN0aLZC`f@>4)r^D)9E)T{32SoC1)VY-FR)j4UKq;p`KV~CCO z-^Q`1m*{|37hS^O_amdEmt#PYW`IAm5ormV5i?I@BgYMCLn@W_=gfk)eE&DeGEH|s z@!tZB|K9Yze#@`j|H|)e&ONrR;0?hEFf#+54(^xS5w%@O)0O;DJ$Pj2>Uj_KPR;b4#c_Xu04qoa9yv|Wf=iE%4Qg#Kb zE3#zp;punCTQ?nV`-&k)6XsFwZx-q1yB#S*>j4HtWnF6c{ASWKx=DKcKZvrqug7Gs z0l-LKirM|S^yez?tE6$e_KBD0^U(2&1x9?)Y!@Jnuhf3a87Fm#UE=CcK(W&kx-3#( zjKpw{#b!6w+WRD7j)QN%2lj16C!1&7_>|V0FlcAMC9fm*b-#GZWOdgFb52g<9nZU+ zzCh9a=~+b1+p6fWVbhhPg{;AOK&qEOZJO}&9Jm2M%CcM>ad5e{sF6kV*LWc z{%HU;W8`Ak@tW8UG1Kh?+*iGY2WWqiYN}JigQw^BkWiwbx%S>%wB`Fz|Bn?ftLf8U zQZ6PgXTuGcBJlZ&yyasT!TG$}@p&)WDgGp|)BD@O`)xEr5ny`x{LJ6^zKZO*K4Exz zIH|FEGn9nXZU)@V$=3Urc~cF$nA&VOe9Qs|%&@ax#ZTs}%MnoEJuVeTcij!lrvNwu z>~F&Yo|gXAnBF%6fmpzvkk4(4ec=D>ctO?k4*=J1J%hov(mWxQHG-(F3SY~I8+_RV=x?1RZs4}R*XnGOU7nFMOA`Y=}b;Q0PA-mFy}QwLjd zM^7d~;>$R2lgxcDvM8ex{;8k8spdm6E)sHB-}y5!h&oGn2TAwOqZ%(wU8rqo7DECS zU!$(7EvbjuTpt_n52sM}M|7WQb4|#VT!m7bDt<|$zC%ptBZ$wi7mkLru?uY89Fzlb@roZjZ-+SSzHpo@=yDD5kp>e?nO;9YI^w6%tGS zc^*EJ%x^Z5UH@fCn=+RmI*Q$(!zpF13x zdcC`EsuKa5&AO@J=(0X3WraQ6lx?2568`!El+$-(F2tS1EL#BMV8J6{OEQD-OWqan z4cPRh%QLax@aAY}{nfy+-x!=xsY-`9YrHW`MSj{gGBcXTeoiK3jWwojzGbzW|1Kd70p4y%S^FpJ z2^Ah98le3+He!u zQcm#}3+06T+1jIJBr0z1BRQBUWl#FoeSz*XdWatgGobbl)iMnn7H;`Lr~%sTX+N>f~@I&nkF!DEdW ziz7Rv5YIf=4Af?e@i7>w6D`6N$S@ziu~8!?7*ArQS8mcj!O_>r6tnyeM0Z6%kuqT} z^~{UJdbOhL+w|$8E|P4XVEID|se!Z*7QA_3skS7Pey18t2orKHt8cX0v=FCy)sHo)uDkcz(f6Miro0YfzU zDWSPil8=PR8L(#3DX{d@nq~S4ekah%CN02}PhOMvhs|?(D(_9XL|XNNWV4#M3J8a= zc?RRXyF)CcnX8Qu|B`I6w;}G30=2xdQV&lBkYn7(LVKF-Jk6ZHq4F5e@I9&ar+%HT 
z{F**CAvzY^iD~)l$DRf#ArzFdh5pMC2S&YNe|vs$UXX+0Q9_H2{ghv(M*(lEq}Y^} zdi9h2Q|SAHtTHvgKyrZO7$ti|_3w>GmHs zI|iq#&^v9%a@s7wyfE#y>&X^x_aiQ-VUNuDs%cASfC??4JBQcTXwT-qj+2?^ryj8Y zaa~NoJfBUT`3j^iKVSwjk5SuZkH?&;;OdT}Exv!>r7b>}p2gSe@U)=)byTvSQ~P+4 zZq8kmdqPXkwT`9ZLl|j5db@kSq$6ocK?>mOO_1L_ldt`>n)Yjk`;alMqjTT0y0f6# zb5~Yy<%5^=($DZ~2v!F_;C|7;f14D^dytwAaDuLRDx(k6j0&M(n7a_@@uBu@o* z&Sst{3@F5DNVXi(Suv@bj-ZGa+533w-=T-aK}R3XS?I^%2q6Ac8&9-#A1Yl0FRx`o6EaTf zRG3bhV+A3KM;@sYB&?S9LtMWmOr0M;Jg&7OxGtw3CZVQen5OqZ4{>U726SW)Jhj27 zOkC;#*vIuM9JP5|*!J+YXLJ+o)adG2ORfRNAn7h&k zjfknuhY0x@6brb_NkvDW_CndRS{s)wyQJh!zyzG!8?#$$*DopPj#aIZA=qdq7bQ7dt+F#_!OigaM68*HtPyD7y_D5|xxm4PI6F=(Q%jjN>p3S}+!q zGgD98&AId6q_w7hYbJL6pT_>B#uKcRe})Mic|S;G=yA! z+>%^a2^w+&9Ge6$oy&;ktt7Aw1U0_wSnIx0k2Q$}oCKq!$32T+nR#K!JxcQ0n%KbY znxuZv4Tr}*lOfw^FSzGep+Ch^dhBDFT9L4e=G^Gdv@R1KwxJo(wG<_#sT9e#tq_s2 z-5mA_AFZ*Dfx^|piO_KTc0W4RcAaY#vD49GBJprwrrHeXMRPBGn5kj9W|c0}u_!^@ zhkqN>C7Jtf0Ca$tIWN;dyiZQ%Y!#5y3NLHo%5+n9n;of4$t;ewXL>|NVyx<=4UIMh z&pC4{`pH%_0TfX~2C}L$4w?~B-uNIn}v@C9^%{uF9pUB`*ZozondV zN^A*}O>1hIuwnZQtEIcFqn`9Ih$&$~;RYzb(psSCsV9qm6xIxQH3_Zl4-n8c#x8O9 zT$S9#9iaXG6KfBFP7b@YUcjVFeBeL|Zzf-&aELOOYmUI+L?Pi?);LqO46V<;sYWRV zvTHH>Z*CrHtPuO7Dit|qB<~;m&vI-O7%CQ3KOsz5q`TQAE%2`HEsy@{P0S9xzav=M z4cbx_Hgb=#rA)<8f95O2s0SzV9o&!Fyg>36gk^2cOB0WoLz((lhjO*G*x(~9jA!ZS z(tnEs0XV^VKN!4=J~905u9zfqs< z7t+>smuJD}7O{^_9bb^=o{mpG?9DL!wQ`cub`%mM~u20so@Gq;oJWUo4$;}5!yDaE&#N!u&nhv_`H>TzZLYfQ^(?a$k^ zgr4lJfGxCZy)?>bz;FEu|K6L^2|T=N{*8-P(IJ4ZeHq5*nfdc{)&;C!<7}3!AORr) z?ULu@=0%QL4au}#TDy<*$orb~Y{GKqdl;sI-p8*sYQviB_N&`rq7DATH`6Jvx5}h5 zy0+(z9)RokTYClp^XnTgqk~KD)N*zErpjnlO?KNY_-%vd?(mk!sQ12l%f`{9DAA6m zq}6>^mL_xjd9#o86nX*u@)n@MQc)XYXkOs)%=`#B+3WUe`*l6*)h3IO=rr?Y0(QM? 
z?tQj9%+X`rbNdA;nXYRv7bf#Zb^O`5MP2@}D04z0LAm(ZNtBU-gvhT^sOP zzlpwm)l|aD49BNmva59s_)<=Jj;Es(VW68L8fUQ5{-9auj@qzs4KC;}!gr zz5a8qNrd0niPqVi)3eEH@#rzwbA)AG){&xf&q+DOeb#56o#7hG?fy3+pmt;9F(=^m zxut$VmXhx771#>|THa27Ux=HDIqwl}c+1I&_*87Otrv>5DE(^La8Ddv;V%&U#Q5qD zpmxM{UzX))&3&ay%dY{T;NyrK>cCK(*QPMgpDvw?OMlDg#J5;81jno1@|eY z#u+{7diWBTZB)+sv|l~Vyj_zX+(kLM4LK-wWDeB!EWrp=+uExuS`WiC`fJA*O!oNz zil!w326?hm!7G`8z7?f+#-AH}m!DS`{#>F%f6iHwLD>09)Gxu3RlF+hFb|nQ$7GCM zKZw2tnq8K)M{7w*$b;sujzM6VoRm4Y-ehY+S`nL|UNPOhl4ED?(85fGgMLoijNDdv z($_mbinxT^*Q2*9fRV506momI(Uk}z&&R4Hi)bm&htd+7I{SgX3*n}qcMfsZgm%(n znJx`2oOUQM>A*NARpqi=eyI(^*eu;`@P|T&2<_P-ElGYHcKb6in>e|?_FIM5|8)pk-Z8-wyLo$~uls?feq ztTnGVpzIke327c+^lHRf4!5t&uiqXglQ=z^uoNpT*K9K3f5 zu^RNKPS>i|?+p;pFf>RdvdQufjTXu{6`TdPU3ewR*ihSo1vhC}FwubYL%vHEq_I>vLfM} zpp({?!?vssHB`Sjaymd&DpR|huKYI}QpXdOh!vZv9)SB)OrePe135foR~PYpZb>!DN=#9A=I$nhMa@v&TuHWE22v{HRt2&c3^x`lwVGq(5p72-2cH&B z=!o^bT}rZtkvEf(nenPbi(Cec`$2P4XhGQuu2!Ij6##WK190A5wyrboyMJqxNwIRNUjjw!Bbq-HbQvS~&NiimPWNS8zcjX?ES( z0^maOhon6B18J9RLo{$aDg5f+%oG~Id?PQtMy z?8YZ85wlTZQ7;}u>jxX0WJXiKWSwx^FX7y)1l-RyRTfj*vZ4fP)>OeC39x>YWtFMG zp|mc;oRGy2^bVbU4v|gJs0rG@J0<*#s@8yjme4Y%E3i02gqCb$puNMX+J@fIa79@d zC-BlDV18U6vy-qYSE*6U4>n{P5uhRUUMcX?FYap;vMLr-;vq*>9&goI!Xuo)!4l)H z_l-(@o|OvODPe!KiGyF-WuK4C8N$aY;!L-cqz1_UW?gH%}1-a%5*|ImKO*vX9=l*caIJZh(2WX(Sf9)SAYt7a~F+u!ht1 zIG9vtV{E3`t72_fl@}qh2%T{WeAT2ZHV9EJ4VS4_0P7jC26Dn{M z$N8m3uozc`)nO%VHHgWf=i=#nnq*MVE9hm}MGy@rFLVSv>L-1C+Gf47?gb$>cOB5* zH;revU5+_M9k_3ZF0WcOx_hQ{czS=dbJNy%%z5Utr*UB#=g&ru`5$LJj*N|G3LG=u zPYK1mFS#Ff%fiH;~^MZEHH;E;==H_8s&Znq}P#&F3fg z>>JybbGjdWQxvcKUthql-Nq#KHMKkkw@)K3{a)4>FS_XYAY1gZ+f@AAU%96-w^u%! 
zHIFj8`h^`exAbi8!-zJ|T6sBK9ou))Nd@O$fipnB>k$y8;REPe2Pgqbjz819lweTx z415aGjQ?Zxw$878cwl`3%7MP3KW=x2e+s_HiSW7-9f+B4{=NXF&B4zD=ljzUY~sD< z$GD6}htdP#gP|ZaSVY2EO^bz82VqFke;?%r<+5{-<@G6%w1t;=;AUMI1+vo>QWpOK z?0sxj-p;E+j?!ho>FTpz?^ z*K)}CRMsm4#pRMSf3%P&p^Pv0nJr}-ifqil)tTZVkiDxNSD@?8zx^W~YZO6B8%uWJ z-egxggrY%gq$L}5sVs8hgsM81)R?@x*hr~PLf+!55D>3|(M4?4 zwg*Pe4lp_hlvyyrsse_MyW<5Vu|VaQo85jS?l@s8c1DgSlZBU@gx9odgn`26+TiJ9 zjP(`GD7em==qyQx881Cv z45n6)x)F@)r+EDc1xVcZL57F2Xd(=aSr~Jnh8ufCIv1aty((<18(QKwhrjHXD(~ZE z)_7;tH-|~TO*k(N$)qh3%X0y9))c|sw3eXe7C8{H0KA922MmSJ8;58^J*Zy+wNst$ zk)axy-W>D6IZdUa6OfP-T|uV`!Mbz6$I*sV+fU=51bSKAhz=$79jzt?670HDihr0` z?b4`Jv)RlyW~JnpRj^FD!j4p_NS`|3s}U_Ck?x)#7TG>nurinsSoTg0jW^f@gdPGa=2&iF*<&bH~c}eByTx3?_y*O1{ z(`U@=!o6U3o0 z#e5eBR<*0(BzYlZ0q_U;7VX?LO`%u0No5$QmIuENB^V)xl*w}@Iz#AE`&EP)Ecc>= ztgnm9J3bm&}vRYT}oT;ffTqi0FI9v*8+ur+SPtkU)wR zr;~E4En2MmS#ZzLL8l)IHQ-w%gMVH#L5S{t&pu;sh99>r9svT_AxHGDnpRtA$X_AA zUzAz>fZGq~eq)SK=8uL6pztmuDNx#!OF|ezgaHoNwv$ef-9_B-?)KNxaK)^@gM-Iy zQ#1f(qixu;lv^;sr2ekL)9!WZ?(`k0^Kc4YW9=Y#@7Ynm&Fu_r+wVI0B`%?cXcO>- z=8KSR8>#4n`L<8N=6^PyVIOc5aTGG(g7-HA>zLnXDcjKidrO+{yt`=)&eNd7_cH8x z>uW#5L*FwEW1aW9rDO9Ca(9&jveimvsjr{k!*?9F$4**BxBD>7@5vf|=ZP-&le`Rm zuc7}()H#J^0=-*2Of}iAX{t$+?Y_yjZQHKNnrz#)ZQHhOec$PSo`aixyYKdT_IlU5 zex?2Jx@~st)P0UyZLhK3Rc-Yi({Pr)j`fCJPszMX+?Jc0*OOL{SG}?XK65JNN!ag8 z^hC5>--$dY5!Y!NpWR{DJn6mbUGDkMv**3f4kKJvc$iNn zauG+CdS#K$n}GEXSSPcGtqDIsTmA6RVf*vbRfpacfAlpEiEAqyfziDq@(8cpjdVGY z@50A+rrmnP;KAU26L52bh$rFWYHVDk^#tYRX!(!#x$Z;rI!?D~xo!39(QLVGjqBUAOn*;B&k6X5}91l*iRveUx6N=ag)VW0t#MW>(jr z^OE1DdvB*@XX}`Kw2jj|HH`N#*I6NCHHTL^YyQ;%w^R2kceN}pU#r*NEnyZpFyMw9y zP4ZNcy))P0We{1n(Q>~!*#h6&J9{>DxT~fwe7nnZ%LiF-o8v7MaP4%q#@;mxdjD^2 zuKj=szKOoiUIk`P4+05+hH?hv9}U24dRma*K`BD1F}z|C!PDyNG{srB_?Ok1-|L{B zrG7MVE-(#B^?CZ{Lhft4*S5%};Kfik!nYzx@aHNX*E0jzS|*o;{d<88&O7IL@vBlR z+IJl+f(OI=)k|E(PJ^OUemSvvshJ0}+6Ca4OiNeEmO)N{V1C!X?83E?9D0!C zU!A>yA%*@T)R8LNyNvT8mibcb+KuP5nkTSAz0e0wf%@(h7>}jlX3&t}fe#Jw%q2c9 
zW(C%Rs=HN_#T2CqR6_O%nKF@GM=Is&s%bCrKi~%>*iDy7TP+^lyRu4+A~w{{QOW9u zjO|h9X}eRNHBK3&Uc6zbWzy910Y>OumI*_#r?Fu2Ih-Sw?g2QM;dbIzlwxLxV{Tv; zo8pR@OWe>lswpKYuEAyuzqk~q^9@{%0&6hN56=E(%G5`cfR@JVQ%DTlG|d$a?Ii~H zO^RqrPt`12gp%;2e}#@L!IN$0a%K=HQ%J+liOs@hXe91|t+P@)9hl{EmG!1Dh)B@* zQ)c-UN7SG_iJG@UpYrHDHS)-pE#gc4J`+`{m8dZhbQXZsYt<^HC_R`tMM9BsSgSQ6 z&3BqVN+Ye{9_*X=$@Cl73}Ka4f5sjmHO1wR#=lp}b!&2Gu*qF$2&OhJ8?z!Ux&Zyw z8A|z-p_o!1nO&S>)#$TC8Fxmka`cWQ@Hn3yS#+qRP>jtmd?$M& z(|2ZbyKWY@BPj(nmzTuFUfgqHk zo$hflW3g(%ts73Ek6%&KsI${2C0FgQC4Zh*Ll6i4#gfY?O+P$~sZ4N$a-X|=XZYDj zE;DKro{%I39RRz_Bu5@3Vbfcz#-eFKt+FK!-DqOP$!}<&R|2NWEjS_z?X5Jnq@7b5 zqCojvRC8cF><$r)pOHY6Q&~kWWuXGjxLcO=GpHp#zY^)!nOduQ+`qb2d4G-gWl6A% zLGwfwXzP_}r5!tRjwTHsEc7rX*g>&Dyd$b4Tqyy?ayS%=LJY1jMQcfX@`mM{I;d45Oh= z28y9-xbyC2wqK(=e!BRsePl;x%IuH|?Kh4HD43=vy2O~E(eaNCm^xuC;>oOBQF%wx zKhISu!Ozfr;|eBc;|%i)1k2G=EP~-JQ_d0JqCY4v3S$giZQ9MCS~U80n!J{95Lx5H zg(+zh$ArOuw#VB4-0l(-4OXc{y6PfGewt@pG|a3IPaJ6!gRW4juj^RHftd=?o17MF z{=l&+#%WYwtQZ$>{ArFk1ty>*+GCS=Ds^WOeZHq0tN&3ZaJY!I7715!P})jI6G|&Z z)6iZq7QOy03{HdDYIk2=_ZyCUn1LII6coZx8@dwRo>9}L1#|->=BSCKKyAwSR0kw( z5o+?TCG&LkfLeti8M>W6H4e&hx!9j1Xy>geA&+0_=;Ql55M<>aa#5zJlQem$!YuWn zCRno*Bx&lJMuH3&uL^fWZcV^v_m$z->F6%|XJuU;P_KTtkUW|IU;jsTYUTa(2h1nh z4H1DbRmLy-3^fd(<2iqE2Sl~o8#^#h*KQ_Sb7AUQ*TW_Oa9KI5>n$ug<+;rT-3r(^ z33^?N*Q}_jLf&*)HxDB8xhHR1HH*&7E6n7k)8%eBy8f}w;Gmp;l5XC8@@~j zx-f(}?85%6tp5>c_0>rkIftn#v1^D7aDKH#;uCzi+*NTe?H#4|y%xKEt&F&?Xx;^{ z&S+S|MXr#rYC81T*03+N9i|AIolU>^xLjvzsdQT1oy^RFdgk5)r8AnQ8&92KMrP`` z?Wl_KG|j%TS9VU0`f~mD(dD~9eVr|D*0HT5EaarnslPrtzSiY%pIoHRPx7!?*41?% zKpnw@$t`#D6tS%}t$vNG*$u*)ZbEEY2s=zI&yNh%(>e%PJ9RMO32M&ovnH0;nsYe>CV=EzFMtAGOfKYx?pUY$u@_)a-EmC zFxfDSyn0-z+ua1?%hFn;<6olx^BN|GX*3nxIrTbVf2~(5Y2g6lcMoyOpDg_}&Aunr z8G%)r>stHSs9_9_Hl*Sk$g~9LE{ z-6{7Jjpa!;OZ~in2{U zl_v$O5XwNqES5$iG^GqtD4H~RQ~S=HCi=%7alGM-b*;?ss^&7CLj+?;>#I`~KDA3f z>YWq=hunUGQV_V;r9aPVppPVl7!4Nk6(A{n!ubTt<95>ArlqIe0{E8c0Lqf5;A zqd+&3lCyggZtu}U4P#8ApXu1c}b(u9(K(J!(_N>BhH?;H=^AvDPf 
zAM1PYT*!}Lv_I}KJ3h40hnQu2bPc8UNl-`u&^&wQh_)SAG*mMDxP^LM5&M5o=b zO~BJPHF!t}U)cGp#ru_q?n%`!q-Q>=@Yj(b*(gnH<-?-R?^-&9<%)o^3wU@Sj&fbk zE6@y&cM_vmAL0D79Hlw3py%AFCA#kf^^71f0b^0fA){)Pd2?r6jx&1FGd|aW#UfB; z<}qjzUshrkcFhL1vLK&u8YSK~rfkt#XQ)&p=%<+g%tp3&+rI*|u3!x^W*-@VTrtT2 zJAnDG9EN(y*RL43PxB2VuTcuVboRL6gKFkUd2uUUmR- z8`MR2#K#ZRrRKEB#sgA+dM9}pYfJQ}Vof2Iz($M|6XvF%^q^_Sp{mxMI|MjYT`PSO zZ}dDZ<{BN~Y-KB=qQv!5s_emkMOr$CJn!z72!bz4LBl9A>jbf2(yi~nCKJJhLZ0y) zTZsMErDK|prMEZWvEIo?=q*GPhC8SraWVB8T>uxbF1TYGX!v*#{RI4*C;~)+0*M|$ zV#aHy(?UvrdW70*^|H?;7H%*{?q2lB8)WXY7V3jiQO>aise3b_A-walq50gZaB(if zOz?xCd{L0b1QO;b(3{IRaGOfdN$YT2ufWGXaV^Gp!rXrvSq&VCZ2iS-L>QUA?j zmSAs(*w}T0sQpDLU0Aef0)r`4y8)d~wL7 z(i@MkGaR&lU;MRY>dck`HD43wr{GMIt5f0)A{IgBNjVHHu|`ell}QoQIk2`4Oq_pg zr~A(NJqqSUXscq~a!rmFTsTX=N&RFU<$gS_A#K{WJ;Ex*kB3!YtF0ph%KRv~8_Wt8 zb~Yx*p%yUjSzzKzzM2Rm$v*NAC4#q_79I|tLBg4`JPk+EAVm#^-|Vj1Br2YQc2277CMnYQ}8cC7vS zkXTl2pFPrpgK{ZJA`8Uf-VnaD85*sTKSKgh~&&;|Y zju7O8bb3zr)MuR)!Zy%tv(ErQR-4@DCO!v)6w(aD{*{h=~aImT0mgt9d_XIGy zy6yJTHxsyIHDzUcU!oSeo?q*1T5DFMDawuuY6^C1_WE?85WKDIo6>ljIUHR|()s+UIhE{I zf9;~JS_#*B0&4b*zf;pXUxcr~`L1|JYc#eEPwRB+PcG|j`Ji8&s7CpouUz?vZaBF- zR`)kLgjBpeej-)bHVr^(R(@vh100XpqC3!h?whyak#}T$_97ie;a#=&YlfdZ+V7bf zu8@Yad#>&R@aNM3Z|SsApj#gRd=pQa>kfA;%$h6cg#Z0kQ>PtyK!F;oFJ8*Mu`?M2 z^t7#b>~nl%jv5*ZkxwV20s`0Ir%EflHaH!pefD0Tr#7oEe(>GibZ;YZfGpV@GI7_!%-eSBM# z-LN-&Pp#kb72z~KL`V0&j<4c5PG0tZc3akU6?w{PzFz&<+jSm-qR(uU-BmaX&DL!> z4s+ecaB|JyDYAaKIDGE(Ttc^0YWDG+jJ&C@VsY7`>3HLDLu%{$^p%-VG7f`KZqBh6dwZPit@~$owHlt6>|5mm0 zWFgF~E$;W2H+c*#H}>N-(WJ{E0xoMjbXO$Yd0`^~v&Yl^Yc1DHe@ept35LJ)zc~E1W4^pFvf_qRi%WgudBAvS{XHZp>tgZ}#U|=Nrh?QeoR3 zYVHTKl}LN392ggy1={gGrFAic!{usWqeb%&xZfN|fhv9AnU-z4B=+KKojnk8J*St`SU3H+N2r=Oz8a;}7(NZ^@% zfwCeiuE?kei&8~o}qQzJjDF?1elNdnSCIq7s3RT86Z;`gmuV2?&OqNNj?cpZMJmJK(A1F9^_VvAKRX3KZ= zni$b|l5cGWXlHQX&SzeYR3ly)wyGJi)NttkM)9Z$02sL#Wt1)$h! 
zPea@kgE*!Ql_)?k1em zG{>ojJoOo-OF;TyJ<6xT13>*7AUnc41H{wLXySAG5zJ``+Vf@|UyCq`Y_(6|QD?uU?;w;Y$=AIQe98y*$`xOA_3lgJ&~&Q}B=2G4`pZZ+rhhto?U z%WheuRe@y~)w9RPr8ZzyeiEPeHG0)%tkCffInDRI{jTAEQI(%hL6RWHkK((FdX4=Q zREK+;V;_v~wmg6&S1X=Wd5K3@;DP1n;Gy_o<6={HMvav5TN^Z9w!QI^I%w;8ekj^`B}q-|(-V1p>G`%P3uu0f z8V5Ft@p!&!2PFSqC*tW&N_SlG`5&oG0qGGf`;wZzf{qP9NFe@j^Q-b=Q1A$|dElNB z+FQtRGL|}z?-kMxhsz*$DQW{yv zk2`IGi23)=pOA%`Mc4H%lBMk5{MmOQ!dQgTpUINF+SH*Qlj7)^PEzfBXb`YDOiG;6 zN%<|5f34iLBAGgC8Nl`AB=Y-gU%-_i&a9;5L@aBl-NRmqm07G;)h~hD z964M^W)Rw0>99B)-APpCcNsYzlOv0Vzb*B@S!z-qqyJG7D1!|Q zhC~ec)~yQ7?4zw%90zHTZOT)tOBjte#7nb==<&m?e9T-H*YT}h!+p$@7nOOmCSjcu zgt-2JXTa!Ivc{^ELi~aG5SV-u_MIFl&6qpDA~*p~7?mzgUm^FhNhDM!H0Bq#f@g)w z>9@;ZXt5L&=iQOAG`PdYcJd8zK`I1ByBJb??5NF(lDERZs#4aDDe3Xr69IX3L}6a1 zN2)N05jQZ-L#70QdvfL`IRtjc;EYj+f7G{zVLz2f&2ttlzV*ov+6KJdjkq9i4J6Jo z9I(KeN#&cUh5P#z!D$tJkriRV7n^cTAAPDP7REiAFa2=~e>-8KPn&tvZp@-dCmPaR zs-Aw6W5l*ZW5XQLZh-q;WO}%mfkiLT8LK9DPgDvzFo;iJ$D3Zl2kZf6RHH#ON-eMS zz#AH6!?Q+NJD& zc*GWIqG#GWb#aX-DWF5mz*+s3u8f_dk0BiX;`-t3$?>;O{;JY-nyeYQ(WzCnvqZ|Y zsdt+wRS~sCf{5}fW(|eT;P2VjV#9Awz3Wk0Q!EoQKZTf2f2|-+lL#w8y8ET`yVy}V zIsSqnP{=jmP>&R|sVE4HGJRDbEabyx!x8JGl9Yi#ZE3Jdku$EW<-XXaUe>gMJf9}S-_lv zbfFYt70D!R6^i531RdlBrt~P4F#c#>^{D%1o11a!iw9x^Mu2J>)|U5>k3p0yoq9mo z_kdSG_K=TIJ#8_K4O~DDz>$3Bo9mbY@3)nKt5|8*7?aA+&;+YCcW9vq3HIV=(tq=?#qA3fXo|Fpr=;2*z8g66W!K3E=Qya9 za|8tk>B}fQ{2UC2D^Tv^p^{#peGIN3<#^H5D>eo1-_V(z!JIN+b?*i;P8sPJ{vq zaIGnXL&{kFz6c8NBd%9{ca#}InVm)4<~T;v*=d@$RAE5IH9q<<`?D_y#+TGMlY!OZeElX7h@ef`NkKFePh*tT=J61~n# zZ>^c!99Mt7{k=BPU43t>T;9~LJ;#U1d^jq#G**=-0#NBCX;*kZK|V${zHWmSe*<{z zqwBw#LB0w~h#FQI&jr(Ud@nbfGvB*h&vohC_Z9#X?VqaJp3BR&W>zCsb&j{CFjMd6 z9q*0XJodBAVU{SsPSOKHAIl#gyQjZL8QNK6Ui)1qwc8af*R%o0TkU&g0HFQ;o(*<) zptaN9r|JYi4ES0!P1LV;o~7>Pwc2gtwGl3wnesV(OJsO;(+IDl>si%x8Ecw&U|RM4 zS}j@w)FusjJ9%UO;W;~Ld#uwUwYBAT`l{&SVO_cI+P1oW3*Fhd>M2|G{)KPC-sZNu z?Ix&u#M+6V;Bgv}5%+wgRaJLSb=`E$na>7~DUR^89HP$Tw4|*c?-<vTrmq@_KI89W~6&a&`X-h5487{kx@SUD0j9)45g)&|ZK 
zCQeS1XLGgel8Rcljdf5=arwL+>TrI|wCUk(J9p39d3=Xmn>cyj`Z>E-?%uI=T0o@l zSC3EUfRudOhxJGu&BN2k<<)(4+g6zLbFHrXDbtPmY3t>|@vN4C%=NCDo6^_bG5kQ} ztRz0qn71w6X-~cFLDlug>toP=9O?6J;`&d3Zo((`2Zb?v$=Vmeb$p5>9YpKO0sa>MR-k5yvma)) zE)Giuh4_p56)XhLSb&j<#4j>LO!G0lHz#&-MNNXHMH@HIo({fr6Dx+5thajocWCdR z7bU`-NNN0oh{IT|!n~7&Dv4OC%DM|xws2zjg5L#LQ5&yAP9HDRPv$?h^LOUTKM+Qv zcAFOM^ul}uuSRXs%VVWxQU3%H?o3)#hMLUjNKV3tl?%gd0&}i8NtK~vP|RnAe8U4F zg{Oo9Q%}i%OgqEGrXkKTmN`FotWKmLGCTSn7+NRBLSrQb0ga3cty_B`VE6 zZ7xTnjWRIXz+ZqGG!yb)(J!(Hc372Ab&3s_pn#$xSuyv-aTkJhgF9bX2Ov^x5{U*vLJLM8RBdcz#$M&hSq2{*u7P%6o^-lf-rLa zH7M0ierqo`QqC|N2MbMSoLb8Cz*xgih1r)CC(p)zab%|ut`L^)h}flp3pX|42W^CT z&Z@5T{rC59_FeJHGuhnl&f;Vgjkuxw=9T(|y>1mb0{O-V5W(0EMJH@!kyO`I-Z@-V zG7`Hha;qKc6kcbb8rN<6>iEO{o>c+4q`&@uFZBOjkTIL5kz0$T&$1X7Ni(lG6|_So z5_{6)hIFE?-q)~GN;ZXBtqOv#_CIryR71KQj>z(KbRYBiX55`o_k^X+~nz;@Gq~jJOgA>rLV)NCOD)NSNvMLyH-~|L_d(f93I5`D^QG zT&-Q;pl%{qNLPgQ461*tYfpoZCC$nX{VYh5DdOGESbm?o?12ia2^k|EsMMI&I0Xxt%pr0b6Vlw6n~ofy!U!Pl^IX5X{(?IdKf%%+f+`g zfBNwj_L=`|j(HFQS8N1=k@Jw!Lk5(^7v0fR;E-cFKohR-;Sii=HpG~bXiMD+vkJf6 za_q2f}3VhmNmIiC`|BlaU0?MdZ_=2yD>$$J);7bE2=lJ8U6RO8IC6yYY7#8F8OU!}s zpcweSpcw{mMI4DKYQ4AT&trc>jdtzlg$>0#UBGLPzA2q&PvQCx@7*<1BHK*X=P=J? 
zfK%AHih4IR@6B;NGH{6A*5hGKI!gCF2ouPWlf9ug#r}66S?zQ0QpMv_wt7wU(}(n} za4u@Qa4B#cy1v2eLw%JVMy=@z3f0;K;lI9TGjm*IDAH?KV}GqN__21m zPgWl6it39vGASbM98|U9nZnJ4jiP}vt+Y+`IJ$swd`Fu9?+pXgP zKGUW_ms=aVRiE^)^8pdrEqhPfue0jS)4Wbsl9oRfeBMTv=~||%Dtv(B$T$>>T<)G8 z^Si@8eBPp)bS(p5kllQPZt0qBUTz?{34t5^kC#twj;DfID=(9(*Ka`M>&5Xf*MZ;& z0)HRJ^`L+7L>({4j%+zDTb7BYvwK4)jUhyiAE>TZT_0QU;ORW>vzLypEsq_F046s3 zuE*V8?rloi4%wHHs#N7FdL2ZM_JZy1UF=<9DIHyPgyfUYM<9p;2ueQpEs=dkW<3Y# zj=r#en5I}FQoK%!J7DX9B7xfOh(kP{W<+29JCquLCh>5tfVBXV za}2XrMLoF2&A`YoY8l*?-aE5J>u>fh{K7#W8#onv_H>I5Ii0DTE+{J#b!k_j zU1p#{zITH=YjsBpg6jvvvF!gRTBu!i`sh(qb}*}xD&rEU5VRDOeb1EbSh_YVy zjO;ezliE7c6)Qt2sokRQ82t1f4nR^gXG%>oY8$R^klFTHv){evktE`YnPNKVLUy$(^HbRX(bE!`NPl^NK-kmujjh3HX zz;OdNC$yA-wAUia3+mL&Xz4l?Ot|3>({V0maM1UK%(5gDe<;lf4;fbT^A@Pnx13OY z4?_k00@QIv=46hf1A;j5cRwpIH!XgXDFySN9;Y7j!YLyDZ0bUOZH~XRES41_7v3!bj1w4wW4yDsyZa4mo4AvmVxj&szK{NpOJ~# zn14lVU2yF!ulgRDw!NlS^hjAM=k4kc?+&{4BjO(z$%1ueLB84c;^}Q_>SdR04 zSxERIOm**xTt7r7T~?4+eVPR{S~!QilKm9s{b3%w>oi2~<#XvwoH<>njlq%e=C4BI z({rWoc#NY;ny43;62+@3nC9)q*jr&UmfO{Jq1(Yo;}-S7uZ_Z4h7l(rY>)gE^d2iK zG*#!kRuK+FG7Hk58pIl$eng2de`PBU5eG{AzUd(}C`DP^cyDGX$;l=J|4jaOqd)f` z!9P#;lTe$&BV*#8WsN=DgW3hHN(7sb)J#alR%`k1=z?Fkap!r7vt}9lP$E+Cdwi`_JoY26=I!|k+863Pplu6YMa#fSg!K*~VRFjz#*jtz)-<_lIdkz0ML2ryVhVNpI%laLr~dyz=*uogkdGw>A~szH zb%o!WgQ)1^1XfVO#})%PonW!<_bTcWnMmZ`iD!nfl= zTQAf1%+HN*d@{iL=TK1m0gw>c_kiX^|H3u>!v2;?wP|YeLHq6#QT2VXb|ODyt12^g zb!SC+^nG$jlODI7&Sf#WdBecJx@*zfGU^BL6|LL-C^~}oeuGa{J$d^netyVP;Tg1Z zlEJzvLh`cTl>*n2Y9#Sk zcSwCJU7v8@-SFJzeD*xo11_Q|L_eNw$YDvJp}rqarF zl_wFZd~OWv_l>7Foqg@y`pnsx9z9cpI2%h%wz zPawqS+xRi)zvY(x?^k2lCy4qBCkjeQEvxjseCyto*u=B+RZl6O3ITZ?0Re~A*`RMV zLz45U{h2`gN5JA2G?!_SYG@TT-hw^E%_mgyPpQ`U2xk+us5N7T%xLV7NU!Z5PW&1M zMrDD<;{S-){z056&dUdziA$C5HN!Y<9KB78*vOhv^+5`b)r`1Xx4&tX$@texQ!Ic{;pAF^+z#@ zNy*$JvErk&>QHce8l^I0VAklQ2!w{PUHfUTUMRS{wZa*dgw8}EF5KmD9yt#g`9lf! 
zDJSKi(^?Jt#R+=n(NbEbN@XFGP+{OmZZZoMar#Zq%pUw8mFQuA9LrA!l&}H5lO469 zbT}i`kPr*>dc_8PNrl#lenLk0MCrx=F)743Vm=s*7MZ8<*XRqfMXd7WFp)3dvI2p^ zQ-=Tv6f==+ZowbeGoxD?9>+9^qMtI(6&B6BQ)7w4L2R@~jDLqN{DclQ2WxX!VIW9$ za?e>|0rAvm4Gc2I&;oxQovK3F@77+FywLk<9dYA6v=Y^)h98>Sx}x8y;+jajN&_XRND{Z zqOrnxgtBHjllP=L{zCboQtLtr z=vo}>rkgg*bVb&=!YxMy>=U;og--2e(F|!-B2Vd8MtjPC;V_90OIL5!F*WGF6LL!@ zOQ8I6CTLfvN2Mu1{bC7+V|_CzC+o`!2glyCGY(wwZk|mq%u+u~{r`gyWRb%mLLUQU zUI!gh<7Pi)3odz`&w#o>43y!d3?lgx*f&IP*&iVqU>_mGj1c`eaYNnzKm-Y$Zj8;n zT{XvCFa_9}N__UMwk*l+)`@^>pR0Q8&$st<+O`e%kjt73G~N35yyI)P$9H6%np-N{ zPpg*W4aCc0n-B%y8A0`diPg#^xJ=X`b1SK zhji)M5xtq5Ge!f0Cug|_WYtclShb7P5xb*g0iV?hx$W}PzUtp$R zn-BAs%c$5}`y-vxUx_-$djO!(!8UtX#cd4YDpBV>p#I@?u|1o|;&mD8sLA6c=aNXv zU^u&@>z@79bEUCL#)WsIRkG_jh4;mF+FI_bN0iTL+Gaib=|p(B+Wpc2^SbQl30WJB zL;bLfJ(?fnBtFbH^6}T}w8Z$i)y4Xw5?%Iv`YU*D12Dgbr~8;ZjP_{(x=sO3F59C! z&Icy1+^;AsF_<;=@vpr$L>e#d0k4CMj@H)zgxW%RsLytf*U z{f6|d?;~S)o*CSm9<}XTopz<`_@*7No!cVQ)-4N**xBJW?_;;N%FA5TT)<#V_Vt(W zOuThI-&1YdoL!g@8_xkbHd)>M=ULcjorjf&4{jtSRiDd|Cn!mt^(h`&$D4zkUUd59 zsdoL+b2wGN{TdU#&&~d}uj_Jh0Ho^HPUxbpD*{km`{O53nu-y@+J zxNJvHcxUmlQs+w40X*{U1OcKz@H(L8)lc89wAfV_G~qLZ;3h&~Yw+6gX3Dv{`~MkJ)PKV-{k6zQFyGPaZ>WEgK*en~Qn$ybMu<`9`dj>wFL(m3`RKY0VE!lw^DO{-xH1)qGDO4iB zP$jTxk>fs7d&vw7hARkkiC`5gguzuhK~^->nETl)*?cP%^k4K-%3qpR7T3;wJ4M(O zEjK&C@=OdwDzHM3$dmxnlp8B(FEb8Xn^}w$NIFfpAg9~0V!s6ElSeO{8llChMH!t* zNT_K;31-;GCaxh}VRk1X{N4Zdt-8-h_l}lin_4;;Pv2gyXhRCDTc|{L%J&yFRZbz7 z=>v>*?3Y7KcogUrK{*61Ty##TPNisRED2DPVfCCp4n2+)O+snoZr7?qQ zaX^+lo}A3T=0`@2>=yAtz|)5Xtvp^UQpV_TthNK;Y&1@25DDo>vsb4+gcjctlQKi; zfpkp3Blt#^OGsvJr2+FUG4Fyy2R_C+&`8O)H-`D@?&NE?c*v)8ScNP$!SA9*1G66o zd^eX1PAIGK5Bu;hSh@nOz~(oV?!HtPJVs6XF@z#oA!|*yO4*-^h`27!M0&=i97}}l zkwRVn9E7Ye^srf0R9YhzAGDAw8yMS||B*WvQb+uxKM_QAnt@Q^S0HR=ibpjiw9Z@e zD3xG)ml?k6^=Ezp7Qc5Rjysoro2KLP$^0@vi_$^ofVD5|D zS^`T8+}2XrR!bh#rx$X6W&`7u{i8-EVuU^db3+ocyClhuNHxilrZGiny9am;b)^rl zsMzN0FMUytp?9+_bX;eFd9NzXGLCyT;j~wM=f3ZP?S8|VQ5de=s}QEi^*cC_c>OkU 
z7|w0c(WwIMYNpUS9(x?03Q0zej08yDC{mc?sH2Tk>4Ljh(qdozis}NgKe@=@drEq$ zEJeyQ{0@3>Im!--C5})m13BUPJ=8~4^RU<*C%n3B@042!2GBeIoIwf6SUhT>f*DKC z)yPDh`h)>(eXju^=FjbwpEMZrUN%PQ((5$RW%^;R5#X}KCc%?-p%5~6LhB7{0;oH` zDrhA!x$<2_MB0}h?g}cyjG^!`5Kv}CoYTV$4S%aZ23KPdj7H06&_220HjXWtZ$s2+ zmu%1s$ER4|X%$;OXtwg>XBwE(m_KO9(+=)wG%rl-x=|?}*`Yn{)2u&W%*7^xHK6{S zbqc>S4pB-yS6=t#mf-&hzdKtagqH8LG<8n`lML-s96)?xhC-c_QguAH)v{iNOV|V< zq)~-b-`Ar`u3fV*JMQ<-%&_b&&!Z^-wuKta&*7fJ*%=ND8w^YxD8A}GTJ zJS&6<=gL_hSzZ5A^`cQn*IIMji_6_8VD3-L=Re6S4(lL4=PM>ar`5|WQS`@Z&^pMh zFd}ubu>Hx~Y`9p5)4cZnS^aF$^-A4z@cx>IX07^pX}8dO$<2HoQI{j8&Ahz*THV2| zhwSsb;8V3R%iA&HV-L^?TBNxCSC+gv@d0$EX_UC1YX!V+J==E4by#&1H4wFuwSQtF zTX}o$3rX8ld%fZjeH!(LRIMHSYgB~aPU^f}A|mp>C-c=J-FPy1DVjT?j#kyVyNG|6 z-Riu?OV8HW5|jboAx)%>W>)3Ev{JhIDqRb0n%C>jL~eUzIz94f*_PGya^$tFZ}#~- zI~oW$?rH;?&}W1b*1R}4{_U45QVn(e`E?)Q7!Uz^d3EjKTix$Oc0EIK{DoZSYfuU&}pr3xO7$3wVBL6*bgPt1bDxkA!eu3^m?@zm{bP* z$lPcivxp{qI(fGBxgIc7)qR>X-U8^0F1FbhFJHgkKOY=V>y{|1ohKiXM)TcOUGv^l zLN;sPoz%Nn>Hfoi-&Li@puK-ecO`PvM&>fEsr4kWKfL@@jNZJ;QUthxzQ5jVTP$~M z<8MAxMyhbS^LkfuXMJEky;;8V)tX)P2P8Hx%_a>u*|=V7U02xZy3C-RO1f~p0P#=S zk@ai@j;h-2Zu&8?fk-u5J2l4F9*?2}tn1yc{~XWy0ERX%z1LGOQxX&%N|*lUI(7@| z(_fr)KIQnpU_dXH{?3b7H!K92$i-OoM znV&(h-6lY0$CL}PeOdwL%+!9miE0qb(Xg)@lIbYT8A4fW6ZnG;0b9v{PCG7fv`4hzyjf=mbvuD3qZVWs0W?H#KX< z>yLHSrY#CFcS9+}e^${-61ie{%+$%MFP=(Kxo((*rb|`1G}bJ!%DypRg!jt_r`0ee zOk+tr;W$G&<4~~vOHt|ka57LVCDuVGWU!DAlP6>F_*%r!E)x+!?|=J?a3mh%*AX>k zh+AR(7@nbM@Mzy|Xk=bQWkFlU7+)yTnQ+=*2RX>y8WnMvUK*BdTSkn4f>`%J_E|iK zUKiwmBWzNIHlKABHRPm))cT=>WMAk{>9>9G7LSTiXOpI9wHA+V$Yjht8Mi$G-d6${ zp`{Pvf?g}aUhAfnA8US)bd~@Z3^re*GM3M_&Hb+bpvOycZ&IwkB#KA`sh4er zSfB#s#86@~tu<4$+%xah#oP#8W1bg4rAbp0vz|V%Pnk>>%t<`R&k9s(M2-$x5%k>_efe;VTm=6nka16jYrZ3$bWHZ+c< z!$z4PnTJ?;XHzojs@wsyt_4xp^ciTW53T8yQ?ugpT0`_B0;H!4_%c3Ek8FX=fOn9X z{`beauXIg=-1o*H8`DBs^7{30jo$^t| zWhxWM0mK2ye|;Ds+i^*oI8?!M{dM*Z_?K`?aIJpn*(HzkE_$eE6Y}>YNH@0otwr$(C_ue<(9p|2N?ilZQ ze!f4~T5~=Vei=)`#re51GQVJ%7L3OFqXg?}ciFKpepEZlESdg0^y)Ejlc(GJUph?%7 
zX$;I<`Xl(d77{KgJ%GqO;kF#)18VX8B8YQ2^oL@;fGXLaefxcH-88#KXObqwxTqaa+bEz;q-fxVn zI)oKr3udXe8mVLAAmNv5vyt>KYFeej;ozy!qF7z1H;D9;p(8#Vf1)BqFc>W+3!{)N z4*Zwn7|KD3DmAZ-EnUW%d81;WuV#G+3%NEE+P%UWQYn`QhG?l&ei>FQN5LvwYF5O+ z#fQocwKYx;Z(WH(ln#CdmYDW^2alaJBc(uvc`8C=gEEYszd__L0{MJzx;V*dyDiz$ z|HlzKXRqD4LJr-5m_eVGpuRBQXTr?%r<@w2-VT~~`p%8tE57@D8TO02&rf_ud?VgP zUI8drk$G_b2F#OI%#H$;cMLgRCk+5-5EoFu9`5Tmmybz=yfO;RfA!JY=X#j4QTaLn z*V{r7@GsiNXXMR3_HlYuQ_-i@Nz-`GPEIq3D>%AsUGMTItAFXdp9-GuWu=mJub`>B zKLe{|x%xLO+LoTZZU)BZEP-pUV|aNDvsqj>YM$TR&zo>xBH3Ecr9Sp1rgt9lSEjvu zzHGQ%<&D2QwtMfpbiEeIoef|X+jkZLJexB7q*e8?i{|`taV(;PM>>oRbEEky&yue@f({nzSdLZ5xJQ4 z1w+==XDQSAv;7?|+{$hatDFu{_sZd7M2$|PMP~bu0D0BxhUfIm)~ijc^X;e*=9Sa3 z;TZe??BBaVK3@3kk8P?5fXN#*rq0`tCNR+Rv$A<8d)#weT++rHcz2U!pzXaS8k6I` zq%u+M1#BwOQqef?G|Zj%SpmEq54TD7JU+M${Ou;fzwKf}+}Ojcu+i-_aBB2csL$~B~ySLZj z`-!dB7UzoF36DFVp6FL2pFzb*PF`G?iLcy#rjeU zO=TM}i`rW_r}l%byB7dTc?IPh<@lcQ(LbF5ZGSN0f_lR5YT|dsIzyPZdTeDDWycg# z5_wJS>&NI~$7(F7h=&^WjJNkUnNuf8ywHO!z2a}Nzr0?zlgPWI+fs&1Kd;2H>QR$a z^`y;aJmEkahG%z^h6TBBF^Y<;A9wN`WVo2p{Bue2?}kY6Zp{N+&#g?dDpXVKN>1j9 zCZPMw(S|yOzC?aeD7WLAy55H2PD}{)=Bh%y-_MLk*_tpA17zpn;4uz_4^fjPkAkGc zy}s`9flL$4;Yt|{T1+NBvw!sb7;TARbkfX^)7C(R=r!HLd3mDx%wO0_7CG!6KL(mKlk?9=Op_@$NP8rt(mFYj-M@>-2p~-ot~6ER77P(^oF*(6idvYUs73c?nTcM9J$#q9aJ;$?*JgYeKcN>3Ew z&Dd$!&AJiV&?N|y-^zBX+M$vuq~d+@*EpNkLzPNo$B7fw4}gbO;KTMzh>T#gPbiR7Wz-BX{IwQFnXJY-m)xs>j>R^`mK1Z zF0@&t3QaH|Jq~!$#!5$B*pZvu8_tm>_-q~kRC#&$eJGV`@nt5ov}7thNetr_&AP{B zPJG&yScb{aR7zs4g*!<`TrOyM<<9?Ppc6!7q$JH5n8@C2jH0UkY>qBl;(IKL1YI)Q zIy%XYFJBm=BiTGwC<4++h2o8F$b^IMEt58cZ~vt!PhJt^kqhrmJtU&9ZKQc1 zKwdz8tH*q3DPKbSqfc(iEG-VO!oxU#Rb&q4|jxq=jmZqG*+@`+(Zg;CCDo;FIj zJpoFZlFj5!Wi9kE?9YZtyP>MRA2J|U3)=}UX4W3xV)Bc0i^joL4ckP0G=By9&A3YB*@g-{4boOrm_d z5}Mfrz4&gMyzj(m7lKki^x+CJND?_K}&TzX^DwLIfb`&(W20fLuowF`U> z&@U7QG+RWbKNq}xxh>y{qAh6?Dt$A3{diB_9;bIBA;Mh3Ecdiu&GF>#Ec3U34NFZ@cFt^Tt}wK=Ttt^Rtt%Lh_0ubj>`a?PN@L zn!`OqNcIm*gtp^6)Q~cr#%sq%SIc9>8&vd!*bxL+ia#m(5Md;Wb2RK0Q@8$)o~C%gSeo_V{g-1FHN 
z$EMqSj(2doQqApFkrLf`5pq5^ra(vQqH}h8>5AYs_!= zwb zbw%5A3`Zt`HfDP*fkAzjZwdG!^ojmN$*pziX=n%DS zmiUx1A00f+6?K&^Q@c4V$TMS6;4Oy{jHR3rruJqA#;`*1AiIvq(d(srq%;ktFan1R1^QLlrYlGT?YwIf(0FEQMmHOY>B2+}|o z*sp&7rAE0$p_VOH5n*h%^0O1*Hr6~7)W#EdAH6P4Xb)>BM`h)KZ@D-qrw=MG?rRrH zKujfyf^<`c0(7I4|LvqRii{^v(kK{K3bFV*HLPS%nrkk|qClarJZQGaHsM5Q{Ie`B zx64E>8mye==#rU3I3Ud^Ss*-W6q~tNg#ScDnv?B^S|yaeauu3vdzDDUw1)ojbhI%i z;a_kj@KF99>;sE-@?&o?18-r<_}oxWrZSiAZ!6_d%T9@fjuw-}soQ!|W`SPGr;034 zGg3<$EY*QvV=5vNlf@9NCd z)QqV|BD$Xzxh(C>WXR*9FqLK%R0;7eho|8(Uc~}1XCn@a8;ChfU$AZcCmskjD~A(k zkjG@j;5{t8Z?zpJZD%Fr31uhzlws{>l4>UgL#l(yWub!Up{i2@qSyN!@NOKKF*SbW%BV5+cZWELDAmnUBjNIv&)o5GoBS7%FULxY11a_BDA%b+*1FZ%K~{Du3HR$j{U1r_Q^N_g|*TIB_7JMjh>cMXPdMW}vCWP9_~ z=t9mkNq&DQ{s9N2hKrFd83SbFAJ9{15{c%8-<cNW)k#@_&=$WQmyM5G@uSvhJZ| zCY5Aa34eo-tC1iQF4L%3r#`4=GeK!yz@G;Xg^v^&L2?+NQpR%X=qtq9b+3x}=4AT~ zCw}ze+lrA%Hv_yPWrO-1MCcT&27EJT(0f3Zt#k3}WJ!X4eUyIuV(GQtWmtcyg1O3W z_>YbO8=mHQZdEV|FK?^jJSncMdYT!lv}(g96nK=M48h;5@LBH5D3wzt8H4+qm48rn z?3oUt{ZV|(K=l;-1 zv~oWlf@Q^^bsc|6bdm`O?MI~Tp0(O^A7hL;w9UfvC|qMdoJ>#d z+TcD5c2z+@Xpl+$$k24r)wk!+$;mFbb~xx@%do7SA&j>0)b8Ay=;?OY3*A~$m5%O; z=lSTq$6o5HPeh=fJ%L>I0V{eO?Yy zWOHpjD?QDw)XpQh?)Nkur`z0ov$+lTK$)P=TDQA2r;m>{!h%Z5$!nJDbl6PNn}EaA3G-hPrLET&fN(k6b~)Uxj#xv6!GSM9m~ z@!ZGz)OOkq?}ugw@8>&b&DKkG`+1sVm))HIjn>;{{skdu^{k&UZMfo1dUE;SYj;U! 
z4(Ge)#TAJp^g8vWv9+(`i_T%-6Jq-Zwq44!xMWxBEEF|e`-gN-CC`hE!zBV=sdKiD z?GXA(>t&rT?Yj!fz*f;pZ1btAio2_!dg{lZi6@_@(2U2vY6*Ak1oV3`wN;zzOX$tA z3l<&`RS)Gi=&Hw&l$F72ulKs7l*-bXoNgcMii}Zm0zmFI;O%u0h#^|DvHn@vVVh}% z;NtsPvHGFgiJZaR}}iE6O5HrN$|J zT>xC|&!UG++}}|OMb`4+3r7I601{@aSQBM4QftNXS$9d+%T9>MK&)>?)n@)`){OLJ z_rmiY*TS?aBZgM1rK;TR1}v5088HznwP<7%1e|Ns;pu=F&(DGcJ&^0wZM}<>kpt(Tx9)bC-e(JBh`MWd5GX zG~^{b4>Z$=01S}xie2KHsq5&o--Z=%S@J_N#19}yOgoc9Pjy6MdHfzB604OX7)y-c zgGSi~jrygc^qG>>%)X&RcKoHtqD+4{gySX)MdluE83533zX=@GM@H&WSBdg%YeEx{YWuycvHis` z*(lz{A*42xs=Y#9m$1WBo)YmyI8_U|(l-{>D@0W_f{{nYtB|k3$`xib zs1(T>5}antC5aIdhMhuwvu|1F!#5-x?Q3=Y3G!K=kttRKgD)d|-N%pj!FOlQc% zPq0v-s#M>Z#13s=9}{l^HER=NcP%XCrKV&Maw;%BB&%|=UOtTUE@&R91Kvj(+LT=qiw`C*>C=>4jYq!i{3li~VvPYPWT{sgqw%y4^t z3x&HMSLQQ}RY z{0!j^#pZ1CJzxmn`U2+4l|_`w^e^wmo_{WIq;l3E}n7fP}!Danie3SNMZSW>VGm5&TU9Zjj9QrU!E zSM(chGv5-2#>)Z@`r=54yyJoP?sHya`W(~V9toKfrIrx|jdoYXE^{Yy!_QEA>kjtb%SV3jJ=~E5 zA`zX5+eelr)j=?kXL#p{i8EF^hB<-W z;eTL2N}E9}Bz|$`)uEkhM%{mzXsp1?dktqAy>g5bN8GN60sangMjl_LRzPFYXND2^ zKLhCd<)kY3&jo!A0whI#>7_ivwKczlW_|XV!}Jh9h_5!SF3{u#ml^miAzIp-5HeP{ zH#TVPC`k1E=CXEfV!kX1j`Lz3(Tz_dNXOx>gsMOAh0cVex@XM& zhTA!0q21xQu`s92ct^P=jSKqY%Kv%uvCdN)Kx1|_**=t$#kpP)zVp^cty$w*{eEq? 
zM>=pK3)o%qY-zK-`Pf-~yi#=unn}xS*c{s4eLhlIopDa3A@KG|LfuPn(aH0Atmd-n zF!kJ9a_P{|*~nf84%zn5YhN~ou2g*>R@F;>RzQ9s1#Qa>mMP7c)#jSZS}R=d=Uh*n zz?-$#5KO8pCYuhnq_fLJkLxAA8;4g?=;ISS&kavH?FOwf?>A*l0>CVzsqWKx_^=_c zyv6qM6yYnQ`aXV5GaGnZe0WT_2^dMi+sroXbX_6_ae(}lj@BAn+B@!tEq69g7IU)f zpS?fuSHA4Ns(j6>@vyqdz`1P8>jvr1PS=s~ksMdY15$Xt(|72Z_M6c_SKqs6w&c#I z*uPB^J3YX|7S^}mfE3#b+K0fd6P>zwBHwn}mZ^w=lxA!?rz03T9eWUIOhSt9!=UbE z*T2&)xu%%S+s<)=w3lvQJNuRMpN`SdGG2hzz-ll$i(6H0Vvtb+lW+4%T}kNr0^(t{ zAHla^X&u8gLim@}i+9jND$Z`E`W6x(nIs=xw;fFc=rqH6g}?H$0M38QjW z%BuuQog-fNfr=o|knfKqx?Y?bDdmJLT~OTDT712&nx%-Txf(e)#GnZyH^aS06<+fw z?GLMJZ;84+*&KcQAEKXRhjG~)sdB}kYxI9oCCU~4#2FA}&S%0jH)zn|L9%e@#yLq5 z+Cz?0>Z6z0_L60(X@{VDqXt;~?f+sjtf&g?BCM1iwWuFMP?-FNwbc_Ta&3zouhq`r zq!~0@q@e6S)}%;=?HfkWL;Z_YlPswG`D2FS=Gjlv^Mnp_!IjZ9nrJhs!0_N*vi!k< z!9_GjN$^)b#26q`L{Qn}6r-~y^7RJ`=Ops>&?TcZniQ{pb=wAEiPR}N{-96#aoCS` zSsonCcLzvK3Y75+MP0JSlA^;b5UY!Sq#&61k*CyqP|FOXjvZkThmHP^6A5-`Kjk3@ z?G(QL7vVS%ZBjV_**2x)%BM0qgN8QH;E0(qsHswhY-+!-_eGANQn-6rC7^NR3>$ej zMu_@fer0gMer<>>BNC3rfQ@TuQAiXHxu(ix(VEMawX-2xhO5Vb6*Y~^M^tpIL>bmk z{>B;C!=K_YfJ9M2?|$06uF}(Qu>!%f-|i_<@I8q0hsq4MONl$Xnz-E}$KO z1E?laiNTZq(jrJC4cBHwP!b$@q8O-=PE%4SU_&y|qRFW9RVra;%cNOR6iTG}s}{lh zl9;X?U_tGX`M{r%I>|4j%_U8@MZ5?}lTqypIZu+@BHLDU?&K;PdaG2HI;k6-9{hz1 zhLkyaKYFFCSti_wR~U$@_gM6tB35z|ysG~|C}`CVPJA^(S@*fqB=y?#l=GJMAAR@J z+Zw2Z*G~bV@8qlY`UM=wsZNKG8THL5eAF1x_}i%2JV`izIsgqk*BG`YpR^zdlTFZ1kyaE7RYYNd4X* zpBrPTAx&U}3I~=@EDuF~prmFYWsp;E+2m4;N{_sb!_PkV9GajM(fg*bRUcT6T9_(g z&xjsD(?NqUeDuw)L7*qpP0kbJD{QT*WUNRhpx(NAf8s}`xqI+*;dR?mv9#k_zHx^7 zaMS#;k(F8iU!IfRF1jakJbsYTzhbg<*m|mjMi|sKCA_I$JNga44m7$tNP5rdC`O*J{ zO09#=RI(|}gBuGVgwyRwgPCb0-dBC8P(*##-wDqRL2*1dI%Xh!Q&+jF<=lhY&E8}3 zEI~h4zu}z%{~mVPg_vori+Ws83n@#Et<4nig_($)2bQNj8)N)x8`|$Nm2dP35 z;+&9p5tf``G;C7J-_dzw-}5}!5@Kq95QqRAWGhWWy|x0wgNnZ+AnL`cQ#f5{$5+5j zh?5hx=tr{+3g#FwLP#$czt&ozrQrn#8Q{kg)gYGOp6RDXSaPb3P9gXqnYCa^X;SP9 z%P~b5PSy4{qj88NX;h($H3*On7(IFYbhX1T6RUEO#$PuM|3}|_dgSky&_Q)3QuRAC 
zC9V8QmAH89nZAYAq*Wp+>LDQ-bKgceQ7>)u4Zv}nW|;jy17rw4RJ)je#CIwR44j$* zc_UvX00)AoD}gmHgig%uOglhop1}n>892GeS}!Y<6+d>=Vjj6 z*UNsYYbEA=Wv6Z9-%!B`&#l;u$?~?M4!Zl^GmlPp5#R|nde!2eqD^PX+voP^(RAGd zG}pEF!2PHz;?@o3h;H+U&W=}w(}c`k_C&5`kYyLRukRXwbqCbFJoEujP;<|@s6^l4 zcu&CuRd#z%yOlSs&}FOJY@e;{culupU?z9pj(~gw?n+xYV@NY#M5%^GyFQt{-9J(Z zy$_zavM+61eb#zRqMQko3Zzpdv{v(8L1h;`5h+D4%z8#lWN)FN|vpHQ(BLkY%?kl$2 zZnoP)5%|lTdx#*Lg^DfvPmfs+p1s&9-p-S1Tl+)O;H?Wt8$`e;;f@<j(%D6 ztWLBBycC@V0dFKHif?pnfq`6=z}b7v&Y+43c>9(HA3a(> z0bkPUc;bW)*1-lxMTs!G3mW!hsqTxw#y}f(6|Tx zz~xUYDp<2($Rq}s=i+Xuw6kO)sbQ4^gp3P70LtePCoBM@97kL!u zG$|<*Y!~iM(ehaGqorZ2;a%1ra@nbjT$;XEaz@P?5eeX>rA{+q6 zVJp^|l9!@HRl1K&vH7tOKT(Tr5JZF{Z4@OCYB{brBi|<&=M0}*vfi!D>W8#nBEv)C zre*x*Fz;aTUaJVrqYM4uK#Q}K|Any|LLr6Pl}ZU>v=nvCZ}#JJ>PwyenqVC#5e?MPsCbCyVMIOnFdfGiptSqHvyu|9DJgnU~U#s*4h4yz-c*TXxKqS#+>q9)nW*8~i;e8x~ijCaK^u zOmSUBp2kQR;WqGhQVyvmL*;E@#i6<=sTE91X5k4s+0RqsQimAVbQbi>Q^q7rsD#U9 zvB{i9y&le4KLPcbB>I}H!3FwV{=PX0=~RDIS4J0j%hHN?$=o50U*-h{B{Im^=y7Uh ziMSYhAxZ@sV6v3viL{K#QFT6jHjx@mIu#08k%$r2L=}%X>Do7j=;|=I{u;$XRin&K z^Olk#qfg8*r>MVZj&RXvL7^bDqCcPJzy#o`uLa958&)7%b((6O=aw zS5+UG@fqM`k9$St{UXxT`WN>vRfxCDWEJ3+j*`B!-8*ApIcY-3L=%5OuZ5l_H!$>cg2M^OGvc0;<0*yZC@Gt`p`wB%=$ z@Z-f!BHZVi8Yo+A^pY}poM8*>$;K9yQYTWNhiXaDwMhAmd-WFd^Agb{IU-M=unb%v zNsJ`i$)L1pcE<_NVf2Uwu9tDn#q(sA z(@7N6U2Oi^hWg%wD{aptcnn*}1pZb>QR2465nJ}Ub^8eyAD3&{1HnP{`&B~Bb^W>r zwSS*w&6N|#Fo|g&l>jpO?Tzh4+x==_Mh)oMLg+b{bjeY%)S_{=+$GC?806f(q5Fzd zWBdC0v{H3~1f5%QQxOnDX#W`@Yn!UoHHlh7^Y*F#;M)V*uDpwPpXanJP`W$4GwTd=`<@NZLJIAXfeZIu+E6xtbE_xb$$*c0NKmT@mVJw0+d8 zwg@z9JWL|0@`|(|YTgGqvZ{NVd3JPJ8(?CrFt2bNMgyLADh;KRbzkNJb=%D&(652z zpNG(N+FtJ!zU_|#HGsP~)9sF$j!nABgBvwa{Y8t{w3cz!6R5GDcu@5f{YLk)(hvjG z_v2&h0@<4)coTlzc1rU}zTjYzR^;j^%`kM6F%eF%DvU8?YcRi!I_37j6 zd6aFvvksakZK<=>c#C(X&3@@RLIAgUAJfo1x>+|l61*8ZkqMdRUip;0@U8W20u}Dc zF8fNNI^KaI%s^qF)Tj34xB0gjC4+{r!FANNiTs>3-$U8U{~VF6bU7fgf0xP(X*5JI z9kUm{60m!GmDh#o4pS@zYUd%{Yggdjth%9$S^ai$P8UMm5c9u-JR?^f8^iTw#{Wt> 
zkd;a{Wn^v$!LVQTH{g|BJe0}kwS4F1M{;QnwIt0e$C9oYQW-b5;k&Hb!A4mCV0b*~Y?vR-b zwwy#df-?X+2+hr9+dzCdm{IBXm=-LBJdi^9j{(%m*!(p~Z#i-Ih6AZWb)!Rj-d~j! z)j z&f&;fSF;eLzaOM4(AH`t)qOAijwunq&K%C^=Om6ZR-bHnpf$*`M5%ydVBcr6V2Cvp zh$ieTx{u``z7h=41-&lPP~7O@Q-~@?#FhnSjxRns8!6lo;*z+YOK?~4E5=xJ2%K~r zdFjV%H5$KhskTakwLit}-@vo?YFgLJII~c&aEm0ea^v-M@<;ZD)4s^$(kJfu$d5lq z116UAf6bkOVnoV9vK_fk@L3XbXlS;Iw{Cae)^`Od~9x*SRn5pCz?= z)4uzkDM%GhN$H#?e7Xi-B^Z0he4nB^sQ}+W&I-fpLF){2enO}rR+aR6EsH-P;joI@ zo!8{7X)>0?;kJU!F++-ZQ-=~ovnCWHj$NI|vfK)VWRT_HZg1wBQR1i~){$lN<(i9cK zarKrCEAXJ5P-QG%UBXFLM~{qOMtQeJQ*;!rJAsxaAN*wrLE>J?pFBu0@F@ytsT(xR zQ2|YT;b04^;`&)2Q%5dv**Cp+2O~&x)x)kA;tz_xe6fAPSkbtfs$yrMM&?$9pIfz= zspykn)efbfm6WN0wQ#t50nSKBd9x$L+&6D9xJavF6ahKu;dhFh!|@PN)sG`aHka^s zzki88EpV%Cile-+RnBR?!o(G^r!YozjFRN_#DvX$JkKwzB7EPHXFDZnODB3o249Ng zJkS6TAQZJ0u2wYH5oUr|u)ucij2KuG7P8$WaG}vSOBtZ{npUp38i^ zmCyGE`)>)Bi$vAOhNodW)&9Dl7%tq)x2q8XcaWK=py9qP(jg*D%MXLUm)cit%M6tE zmOr$l8L2jUFH^yqgwPjD;WCpO`Zz0;RT`<{MMC>na+~cP2`?zMC-0Z{zpF?%wzJ8b z#lx7=pZl)?xG|#$*^Bt%x0gU~g6rgflh~_Wz}NMfrVT@pCKx+Y4?^swct;H0ZOD~G zSv|SS8Hm|%Hr>bMvf@_Hq6`_YOvjOSwtkv%ItTX0A|LiB)WdA zzXhJ7eDvemdM%LYRw&1?KUZPe8sn;Nd(APJlGIe!zh8Z9dfr;YcGIZwo`7HB9(Lah zi+-L5=lp3}Ymm+Lymqd3H8%`q(($_4Le*S3x#reiW1@Ro&mriUdp$0@;ca>x{`g$w zFm7pze3p5z;amE+&hFW`E8bk$z7dn{s;B8({O&oqV>A{RCSCbv+tqNBe!b%RwgjK@ zxxBj#nWEhNay#tV6WaBP@ZfU%)FQ*>1K8Atwr#!3ki>f(FM0;@vAab)ES`6YUT^-8 zZ}GK>VD%WGjN0m`*>v2VUZJqn7efD7d&9i;&r;mtM@Qs)%TWVe0q}j_`F+(UX~(WG>j8)SyxZzM$TVlM!H<|_q6zdXOuQv(KXQH6q?iB zGPb?W7VXB<{&?Er%H7l8n&JIG2LKhkg6MQWfuJma@A0y)578CjU5<;~3=3}&``qtK zzWQ}RlQx{<(x>3toUcpw!T2d>@v?|yJm76Hcn4I{PJiKxGDIo(PZygs{WQ;;4BibY zpXKUNO+PVl*sWP8wyk?7u(Vl#(ZyJxbV zyXO;Wn~5{h>Cbw-64K!WE}4zs{)t;7f~u}eEMexR?F0F?&GIl%#FSDFrDPrVg%GEw zzqY0`2DD_DVF2bsP8Lpf{-J&(g$yrS8T^{8>1`Q09S+kAX;FRZ7|9l1$ zfR+AU9%0m$$VRkYdI;f>Jhr3{cP6qRo+3V(y-=V{{J8F1wg&G^P^JDIQ`wka^Fd2b zqh&m2#`harpjwfbawaWmZm@a_o*inZZt-Q~m4{l{HX(%|ogf31O}_e^b?#Pn909)u zol{5DA30=Px2XE1KZyQIQtT6{9Q8YK_M8q+&BO-Zaq{GhW>3+mn&fA*$o%)e9==?% 
zWdcRR5Zv43_Gpt~>0^hrtp*qa=^;bZ;bXrBRL&_)=l(XAq2aCrGGr(#Yp1+-2O*8&%WyDpDT_O%vpt7Kc0N z3s9qn%3Y**NfWOgk^V>*TZ|CPI78s9n)wQp3qaxm)(|yQJ_}phXxtit(!72GO!faS z(Cz=SSGPcLLBSWn41%#v$PQzi3rqDd50&!T;_9>F?imMACJIbFGtPsYThcLAggrB5< z+XPdx3bR!mvp`^F|E2nf%Y6FOmO8miZ9)gVC*qGSJf`Ld4_?9MzDdJ$yZ9?lA>ni^ zz{(Jh!im#5<}BbRWUUWX&TkK`5~wt*Hg3W2$KFv_Z0?u_5z;F}_U>5wbSM+fI%(3X z<9*&qmo0rUXX*CMa|mfIT$5NGGs9RCJ%C9JZu#+_8pWTYQ&6vNk^bAILz-bLs=+qY zx?SjL0G`;w_5(oY zeM#~OutbRkid_QaP!rlbDE^!^4L0R-BpGHX7X|OFX~7G@3dH9yCL=BDL%m`wwHi&4 z9|@)B2*t1TC30~xBCD&-v47|ne~hK~E1(|WVOD)Zm^b+sAKFCZ5s&M)_9x_s9&rN0 zjWu;hukowN4A3qW9RiUo#mVw36p@o`w7h)zRB=fMUJ9avQZry#YPFW>@09~FP6MDG zb;GFRx@f5NPf90|LL~)$!qhoGSJHz(frJ_)`RVsC-V0fP)n9qMIyO1_xuW$Zlf?MY zGiIWud7dou7I_*N;*2ZllDENc^VnI}jROKz#v^(84<3{@fk6d}`XR2VXf-MkdKGc_ zg3{R-ije<=U!4{s6|Z7n9BBSP>p4aQ9A}zNyZ_fX@pTnq_|ql!KC}7K(-ZqF4r(Lm z>aY1qZVJr%_ILNkzqp(}-+A8yzSG~kd|27Va%e^LpI=P#PnM7MtQoG86U09|TEJXl z9iQ{O>y?<#tAZGgZ6edEcEQk+%(*?jwkrUD;4@B1%NP^L`w?xtTyE_#cGJ@_|F`10 z`569FM=^BUd#!2^kcZkK2{Kz~(JFLb<574S!p|<=PHh?H3cYSU>l~1IB~YpPnLiJi z=yn>OA8FEUJ5JxRQt`QE*h}BNcU_Ll-f+Id-~KQJUOvQBRlY7toOm6$?jC)q!;@?e zo5^<^b#%{~A#r*_R7`+&gXIfNoh+(t)}Gg46*BWZDabO~LK!VvXEiW8Iu?$fp`Q32 zBe-mvPWQGpJm z8i#zyAw7(yixSi=MqyfYjzdWj9!fn|Wj;5JlqSvay|6{#dkPr;v&GnfNzP@qJmI=w zvh}t4Xj#$J4;})f+$Zb3?CfdMVB<+p<|71bNKBa7qFLShYD{?;MgTol@P&o zd`9O}#8?7e(^*fKdvAC~W*o2C%J6+p`=qv2?Nbq(t%Kc7pmDRO(e1f*-`dmpI)=}> z?mI~I&KJ27#M%OUfHnU@xsMsjN$-hTE^|*gYqFGaOXq6(7dhS_!Z*|p(4SkvyDyHp zVTJce(RVvG)0(Cdw1_$EYfz&o?|`fZ+hF0t49?;w-*Be#+b>@3;9adn6}eUbb7_gS ze<~Y=>q>s0sWTFrg)_ZqO#PKf^SPe-YMonh4Dw0MyDjSnQ=**nLIhh8>5u5@Q8`(*^^P%30=}r8K4e3P~l+pum(Nr2U`+< zbHFzQzJr_qE!9_v<&GD=yw5p@|JhowY<@2JVwiw(ylUhE!fDVFLiu%!xYw|71KTBT z`xbvC)@k9vsQqY8i1$ytP?>kpAVZx0Nhzu%Klh%rkCb@!TfWd>_FK5VPEIp1H%{bx z$m;Y4EB0#p@)a|gS3K@7r?Mecihjj(bIOHXh;r43Bauud!T#b>i*JjbL-{JC{N^xc zE^7PrwQFW@;+m@A;8t_mp(Ckz-|VSML)sc)VM!{^!9(Y?EVY!~QRyjB2~S|X5LJys z5GL{#DK+c;e&9*_^F)i2p4p+mX-dH3r*OAe8!4XsT9SkD4oH!!`7T!QM==q00UTCd zSdEFaoe}ANifKJ6`G*e7Vk_u#`gzlS?zxYJ5 
ziZGk{=vcOkCk7PkHT`1Ux~NP+bjGnk`qM~6&JbgPEpf!3g$TC%-gE}@&fu}%5XGl{ zmx&@5rNh@*pp$30w6GGiD+l7iWYuxmI5RuXHhBK?(<|@2u+N%B4VY%-#Q**)&}O3| zAvVdnMMS7JF}}p9Wun--76Y-v!ufgI4x94XQCQb;&|KY*^Al+z=}wA0zW5pKmaAE| zl_b96*m&xkcp%k&zh3`|MV7HZqG&OTpT!NMXO8`9kuzFxV${rqTg0v`-J%GGKd*2` zr|$>U+V3QLM=_}u$6$de`FZ%7iQ8&{G`WJ&3YuXY0Y^!X<5JV;|2IxRdO{45YG?p* z_?iFO;yTXMU;OF*@ro!OZ*K7n`vC_O`i%P8qEp*N3BDLWi@g9+pl1n%1_&1z@3nz0q>xZ16NXpyUyY`iO0vWUF5$7NwYvH+Ly|db5p!(sa^U=C{ z`z`$a-DAhyQQYomi?=nE62Ep#XSfbgrxS?p%lY&ekz3Hx{-|UbvmiU$e<05W=|T72^+Cp{JKV7xgP!Z6t~>7Xlg4y`!1iZ! z+sEYh=cb4yzSC{zN81%nx3{Tn9~UNFTkW^qpQ_TypsDSb>@vER|HITdM%MwgX*;&j z7){#P_GxUhv5m&gX`Cia(%80bHCAKWwt3E(yz859X8t^Dul;+keXmE?JrpUJ_1x=F zF<}HgaqoBqm-K)y4V@r|)}a8yPMmJTb<2mOZ88$4_sb=#tk>Ju5jn<7ki2~sDu&PD zwxZ$Aq?@wHPUu_s*?x@PIaq$<;t+aE_yO9tiy(W|si>dV?P+cD>cWNI0W)n$3wYIR z25f1(>w28IP*<=BUUKZv^1aEnatSx`e4-%cd8$ygYw8bMyJ~&2*)<&Oa%?v0G4JWc zmKN?_*CPQHL4bG=g05F5*EfhC`+w5e0jrb4Eyi#4)^D*wO(rYjyC{rbb2fnBOEADl z3et<${NZ8o2xTh&(Yt-@n+I~1)2#PKsI{%vA+$3T{1hiK3$=TcddM%JNzMxUaHDhc z(k7`LjUe2e(;X+l@@^L2+{b!=KW|C|u2!@lqE{4qQB)8P+ zPB%z%Z+gV^Kq)P}BcI*l4kU^eP0I{07>nl?Bu7h+hZ;ywve73+2nhTt=hGo)dHcOW zeL}h`(Ae5b9)x(6M@yRdfxJ*+O zn7Hn8|N16Q$2&|bFq7P5Da<{2{F^GOxYQ+7D)4h@IlE-|w=Fr55{UV@5Jw2Sw?1?f zf(6b?ceMp-;#@U%iIU{+622X|69%0I`z!ICK-7lVp9x>Za<;qSG0JtOEt^K zUDO#)wbRSb2vpduBsLs36_e^)852yXElG6vqDYx&QcBc9ZBgS2%%SR2a*Dc?SeGt% z)a&87sf&qbB=SgzE&>O&iMnN#+zZKx{6wtuVDp&&_S<-3xzuVZ4MI~cyJ=rI^GPV- z>*W#~4~LWZqiG~yPD>`(*~;!=kR8k>#5%G^grMpg z8jGsE60-TR6;<5RodxTxCvW4r7uiS9RIk>$g(+zpagrh(y9`MYH@MWWm-Ukt(V=$m zHEoHCIz>zo`Xe`xBE+U>-mNod%OzRsi4ZO%bp7$9;tVcxb!+s_x4HO;7J^kjPeIE# z8~;cyK=p5zD`SY;ex1)aR%5n)yZu3$-|eKi8!|qtBkiEW6nNyWdB@!&!W0@o0E3^# z_-KPuslaaZb+nifnWy~CFW8~CjPD$c>1)PRZJR>=FsX&AD(1QAf?Jldor7iqmvLrv zLz79^nR~gB2B-zH3xJ3}Z0VHjGGrD#x;|9L^0occEbKn`6bIA?AA@aefzrr2snFPAJC4Xt6DWF6ycNZ)=%Bj(VhG ziKbNMc|L&|dB@;p)m-ZG{9|tG0y>q4=C8kP^$XH3T)+EAxD^`&pAO81d_x-f$Dd8; z^WZbC7S>EL{Yh6!5kFS~kYJl`xGy*tIHcmH$~3UOEFrE&Wg_e-LFB-ekFvl+_Cuv? 
zqjab%L>Yxjgt%z96zaDg$9fItMd1PrfAlmJ^N7cpabC{p5$(x&ZOLD2#w@Dv0;UZm zoPgyoTs$ewS#r2;>MU@jI=sa74(baoigMH2jj)6IH0-mkXF-Rx))-O$9gcz0AG)gl z1%#NE0ePePPn~#SLR$y!9dXzgj+!1%QY0AiCn_JZ&G#!FPf{&s80aYQ6qlObbNb^0 zTvs82%-K9$7kTaz5{__(O{^||xvs&nZj#i(l;qsH)ur?)F8^XljI z4dMq5BwSF;3w{+O`&74;c|S0yj2KICJxfoK{kj_ZbZiGQ{;?G6>2qDyk^Ed$dy=3{ z+BEff%6kjlDFZNME3ePqS#a@1x}R2wLIl)r75n~Uftgp&c8a#Ze^cM2AD^cRI+p42 z(h%Gp*R*G9r%Upr^}NV{Naii~)Ws|}MUXt7)9tb0xunUm>Xn4LxxU`*&{>dUa27zS z$a31#*-PHi!y|M&y&*tw<(&C8bw}ZokO2g0mx2H8U11zK1@y*la{iW95~Fx(2JED^ z@BjnWE@HevwNCc;Nn8IauAWLXC+CgUb$e%9-t|0xF<%*-R07D{r`x-3)kz%hudVmS zJ{ZIg8_c|3#+ze*Go0+}wGW0Uu9CVRr#X#$F61%=o=Ubr9xoLYLZDt6?e$K3I||pi zA_`nbjT%4q&WEJKrWR69tG#X`vRaLJ-S^d+%x=~e&4<=5AmlG1?PlYU=!?Oqf567X zP}0-XK=szu`pZ?dE0qr~GsLva4xxuY$!`4*wig&A4`@7MbMj9Qxzeeuk>4%3y}*wF>%JB3i(UpZ+@bpX?qwkf;g6{0yQa6OpH zj+!Bn9qx-oea=VI-}zi2gQzdqN76{QXxgr+xt4`ISwgvD9V1Z$#pZ>hh$Fw#o`tf$ zt6??L;<8r=XX{c2D}ei@CXh<)^Qqd{PemffJA0lwp@xy(>(ZfQXx{-U)xQV^nd7VC z<{Y*HE;Gy)aLS6({>zHNlo}dQ?IcOIWir2IL+&zCWAllmS$-p-|LE|+d0=;-dk!&H zYWtNQSEA;Td4;=xEHfPHIFn(Z@3Vz8kvf9;O?*1emgb&v`f}6)L8Uz|i!0QvM3MWS z4+?W+m6wjG%O5LV+vD?m876vl;$%BQM2@2Ba_Q1>eu*h}PH&M#9ZGV~Q(>$WzJQ+{ zihfK77mloZ5alJHyd)Rllp^X!xpVHL&(AdfG&@=#>> zUT21hPbgGYGinp#a2PBMrhLhNy9JA|o%+6l#0Jk}Pt))OqU2G??UDjVMt}ZQppk=D zRGGEKPg)*}#Unm^#Zk>dkR@EyR0u}l=gA6^7W(%Ye=2mrzQ$I(D^nt+k3oe!DlU2C zwe;}22Y^~jZsn8yA9a?{l^?Ef${@EM4Y4nSC!Q8g|Bk2b}na96vQG@N=Pfy-L=c55ruCee` ziDnU7{~tx|`3`Add)TrrP(3hj!!CI%#^wF4$4>jLEk&a-V1-hqJA(p8pMOb=p%@0c zx!kLaa7=?A8diA34#Q#-weR;Psi#{qPG~CqodZFtfvAg8lpT8Gk>_y1iu?C!w6#PF zTQpm0*v&Eam~Y};r*x^yJBgCpZl8~$r6*L0rFU|X-1;hc36JEGmKj<`rbGxH?4yY?@$26cWt&Gpc_NtXwD_&qG&mJ$B$QYoQuYl!=KqnEsfn zo+VA8`O!d^DuyxBhn=F0Xx4*=b&;J$JCu~YG0t%i!CCPwVO-f|hVU_IEY&_b(xx&A zp}|6S5Z|5WZ;R6coO`)>A!i>6Y{3s=TIAh^d0+u}2v{rm7dVR~I|&AIL${h>$wq%HaP4{L&{w!o z0JOR3Nvmz(^R$C#xY_Mm0MZWg=sfQz`yu%FLLjh~t+)0Zyu&lXe&VZTd#| zW)Lu}RC4*Z$90;~3E=@1auL|H6hP8lee;Y=?7MI`*>-ZHw}q3l?C>IdnDYc~k~i$! 
zTEVQjS?!WH;O1u)01l1=c^!n(I{*){F#y8$6std!+l{2uKHwKgVV*o-+A* z>|}&jz0dN5AD*}?6(+%Y`dn3YEqU2m?B*N+3YceRCK;Vx2VhIUm$Odx?Td^pMmI{3 zZUQ5JV1stD-otf*^yZY2*F(yZ0|}|iQx4B7=tkXr?=|Ofg^j_eeW5G-k~3m6oJH7u zg{($uNqBGPCF-jEBpGqNau;ef60+BcD}3GyENboUl9DGb}6zc;Y#Q+e3qvy5>_bSE4TH= zIO0opc zeExQ;+znj0>w(BaAar1e9SE^^M){*J0d_Kyc|&}+>eCg8|4`D{zEyh3D%#t5C4Udd zOUFk}iwr6e5mY2jTF{cqW^n`Y0!A%D)0*Qg&L=xPz`en1f)5 zm~k2sKc9xx2Zu1h#H_{V)6cce(ki)uak=?#Q8QSp9wj$4t zhGhN}FYjgW?hYz%E2eR0A|;>6PySuPE>6IoX+MU~UKY!4-`Ai>6(J7C){gCfh9Jdq z);Ro??&^~$35n&{=Fi>s2_PNY~~5Th2Kiro~Fa8PXn(82Pc7Fj8W^w73fCnHP9_tc%k8gK*K8-&gq@rIB({Aj&on`H#fr<0qbd5(A;DrP&c8EPs`h27a_-J)N93ZmDPpf3=dc zfTLGKp!9}TBYluUXXUK!*Fj_OkY5lJA4^XCEnc6@fD$v+5x*f9&od=@7N*#wQY<#eH{+l| z1DnqZyHCgzdmR*0aAWi?O)UGbWD&>-c+7z((2u1VhSHnDN9)>XzE`l=o5i2Fy{h)k{FF$`QgbpIuvG=qSB>3vbZx^nRBD$Z(Lm7 zHtepGYTSmu^!=o^g=!H-Irss5O-M4D+rD`M}@M{}^%O8bm524B<4p{-PKf>rFy zRb)(XQX3`JJ1N+s^EB&k|4!4twD+{8hdk>xyprfq#$#VwD4HJLPSm5j}O3I z+UMh>Q{y`5L8gOx96ZDjL2$N`79hfHKU$6+=DLV01{4J z;KeFWqq7sl{XwO!6J&kEo9co`K^?yD9e3AvMOB;2BqLd_m0PQaDZF5pPLAit&64-+ z5Nb>siXas0C&aga+9kUTr>BcS;O)cssNR;YP1+LbSj>8C%KClL6OW1A+SW@|zmcy3 zwKD&u@86{!&;Y8HP}};_#29YPyR%Ph&$}F8rDjcjRh}%~r`xj%8oOwm6=gl#X+6>V zINSB-Sxl0$H^fK*_%C^fE<~G{ED$Q69Ya#c4!x3Cg*>Ks5(b(}^jiR%PR>ZwEPWa<8ZTOwz*lu~pqe@MQ+`QnspREtwVYRPlBxEb;Oh ze@~?6*giP%Vip=p$ZRKsDG<(c*kIfsCAsx-9ma<1f(Hi_HQ)bo`QCg{e( z-we;Mx z6d4PfOb}9t3)6fcIeXLu zg82aTuM#ex(Q}Q=SS9s%zE)0s6}_QZ+wQUn3@-T)`6S3Y`MyiqI<3gnxlwn7!YnFy zvhfxOR&(*}!^PtzA+4lL#4+P|h{u_>^>Q=WSBzrdDYmJSy62yEF%c4D>rN9*txkNX z;zA&{v7C+n3u9DRluK-xevBn9Wr|UHcq3z4B{3pc81i`MFBZ?RK7hA}aT;Sv?wEi3 z!9q;OtuEdPqigmZbhPi^i@^*6!nRcB@2S|CFZHk0NDDW2eOu7-TDRTn;Mpk=PX**DK_+Ana51pORUazhb4#~?HWPZAmUAoSO*2qoFnG7Vy_p(y zFIc1uIzHY#FBpfKF;7Jci;Ih!{tZL0<7NHZx#Rq$OSO!P49Z6SXwN}ca`ZhdR>}&CN2qCJqBJLbXY>f*7CzhyllpbF+ z%(gW&1JR0wA8={mG=z#;@X_eys+7iyy~?TgmtFds2~B1f>Lv@*tj=^6qK97cdlmA; z__CiBopoaC7n(D8fBNwt+@;wRn-^91>0m!3M+C&QNm+|}kqJP)b|$~&8Uy9LKmgt) zK4$+@{k@<(OYBTL{pGwvvp3OCH2>QDG71!wLZbSSDOKlIBI0J2dCatNyf`X<=#-`J 
zG)W*0-G{IVkrbsj4yA-SC#aUS+V=}+5ow`TG0djCLGfrAw4#^W^DYp(;R#!LvlVJ8 z3M^C&C;iyAgi!cCkwN$j02rhaT5!DOnrI)y*tyU|;6u#|}j+j=#c> z`xJ~SS+AubxJOT@G?Rb1k6@lqZt>i$LnQZ8J2^E`w_5WrPjbS8v+%S`=YnZND7X;c zD*v+4VId?AzMQN)XiR1SK1(dpn%%8>fq2lH^75X>M349}%`(#ISM^ZQN~zNLLKst; zU-_El+5)@O!HgU~yldFrW4kPc;;V-FxI#}X3|Ew%qvV7*MbXNN?R-&L+R* zh8SIm2CLP3hg3_^gIsFbg~EzYk3cn*cZuQL+hFS^8MkQ6oXf;L;Z#wHc?RwmqAC-1 zX4?jTkxK@6qQBSw;HsSm7bR-gpIc!(YV+cD$GNL?W90m!4pzmoP%ZTsH3`KXn8-AJ zbq$PVr_FI26re1d0^0)*QzvZxsN2CaVIHOp+4n5Uix|#f3j)?=UC?#S_u2o^;{OPu z#hrDZrO{(MwjrjJ8QWW>L7?);NtalNU{T^@wC7iv%`j+%>fC{#RYM`jkO+R8DoU1nDki>E4lXBlErK!r7!>ZL!NYVnU zN1~D*$Ug6N+6({fX0DscL%*h2Pd59qOtX+HGQ*E;X_nJU%$0`g|A!mE&Cc50U>zhp z^)6@X3;5$u?e7FOorZ{G@dfSCfstQrCHN`1Zn6CmwL>`I z;P6V=x%>W>ai~k)D0ls7B(NxWs|#30u+?gIVi4d9mZGHq3U{s{?3pQbf-R08i?sar zlN8&0i3J*;v=?w(2V--*_(aNThcA6ELW}@cv1ir(-%=@wOoI$NJJ>gn)* zmVMgfmU0xT`q$5JOq43&6?X@?_nQ>zL;e@|9ii(zZtG>?zLqEftPtH zmOUF>)d@D*_9Xy&Nkvr_n3~$Jn@?8^BF;CnG_S|1i~-k`ppKk%*9XrJM#(_a+Lcqh z!9~f!#r)T9(DPv|6TedntCREWRRd#jKoft$>uHix&r8=wk^g0KJ40K@P+*DAvi~g< ztPQq42R&5WJ2+T|G>4S7*j6kd0HP%9g=ZQ$Zge!I)2ue>+X@6MH6qJb7fxs$W?&+ zm(R?H%ygN_J4?0YESB-YMz$DBbE2gFtHC{oBcH5yQhM^&vSgz&Zc9N`nrXQ{bB~hI zPIwuAY%^c9FAnFoDU;hh7dJUgw4DbzD%W9x;V#CQ>$S zTI}EaY|inIMPZCJKG~HeNz@$}Y9S*8l{F(?ZqNM#$^%nPhc9|$>%1rAbNOLkOCgBh z_Xh~mtjC=;tZw3qQ#=uuZ6zZ9DFT+X?bM8#c%TIh#?9 zH*^}b+yzkWb$o77t=r+6HQ6K;4ZhRSe8`e8`9fnBf(SBrYW`VrWmz+H@u>cV45BA- z4&tgr`waa)yp^9HQ0!C}`jD=kqz*{`S}T!9(pKg3jKj#SPm1HjPcaHape1<_nlmP! 
zOJgC@8%mv95xQgPc3CE6aQ&;+K6FF6o-+?83e*VLcQ0~o;0euaPtT5g;X9Ui`D-79 zwKz`{NfDGK8a44S##PCg8ywcQo+~2(l_tdwSgTnss8^Y`Z-iGw;vcGj6|KP~@{=g5 z{bL$#-laH%KIp{TWP@C+SZ3AonSTZy%Fzb&shZ(ozW_{8M2C7l`~YF2c!1D}paK;j z$~Ve<_p%O1&wQk>(_w0nW67QN=)n&x1Bw|A>=H23BeV$$<>6c}ehyf$Z83a~<;Gcw zASU*&(yJPI$W_|7f1#812wPT2mhzOk(uZ|vDmbG>+yCB=_R(QeQzf5~Nx>s*yCDy`6NtT4vc-#j;woFLPxv~p1AxKG4sRHYWc3c~?QnvnEK zt^c=Sosq+w)~|x!#cWL{A~uN*#K_WZ^yw9N`y#^J@*2||5^a>U5&YzK#fa9{DzG3a z1%55gf{^c28zcWd4U{^xEYOb+nazxDJ97@7ieWo?D2AUj!E}=%2#==zV27)vpTwzz z`4ryBT?@a4RX;~FbvP!Pfc`tq=-cpTeb0vA;x8?FrbQxF;;uYg{}b*Z-*fo_nUX&k zBwdg46UF&pT zSN6nND56+Djkk-MGXJQLKloRf(L8NPUbIfhU5PijdU(D39)&rGxllfS-+fhgIi+?ikOKkX2L-P&93d zuwNSU=FP0UL0f_Ac%rYxLs570Uhfs;{KJgPH?#G~HAU37vTgxAJOEj6PaDuZA>!-) zL;gPGea)^Ce422_;%nD%rsVb7o0H>xeYLc@Q!c+H_!c+OegF9C1Uy06{TaQvVwy2r z=|tgkWeYAV0W@vD8&z6l(p9&Y1n1P9)iZYYT*wP@$9CWE?4@*;dY&%`I@a@hy<8e; zus&}LqE7O^g>lz2_VMb~KrWAb;V_we_hK7^FFUX2_jihFdK@O+YO-43TBIT9cRUZF zpq%LV)kuI~g1;l`-M(T9Lw5`KouHg|-M4Rbi_lP&&vDQ$M(4D%K)cPn%d8D?{zbHv*YkmPx-UwJE-bdt}G!q>uUXdfb%hp^!gbm+{o`q zu-EmD)tL9yxaHyL`w8n5B*wPH>gCR`2MmISwY(#uH9WPGH;hfWng@5Q| zF+ls^JLRLEBmfY6SCY@8h34V05-RzSqii@*55GyFEzdT)=(mt-D~!(m(^fC5eD7Qb z&96K$RjUa;RJQsH+V4b|Nk>uYa!esXCBAo3@Qsp*Dxy(XFV}ok-p>8iJgH7O@ zB?d)53)&RwLfgDx%|@3sXJgpue1*3W68F@f$3YT5<7zOm(2w!@@P%^hhPmeBDs8^| z8sSJ2IfWw8SK5STb+|K=yJ;U2-;BWFhJ)!MqCG;WLFy~E@kAObgU3Pm8;UdI;Gcf9 zY)2(#aZzE!jtuXwn@~Hkri5+!^K_CojM-FBG@u2E%$|skEgoW-_4> zT6FKf>YM)>vSzc%Yq&L}v^)5%_Bp=}F2Ow1vsFa5h{if^J^Np_8JFG8`^dFuDMlbJ zrKVJFJ?jZkq@84`4Eigq-RkITbT>Dn8mFX!oqS%^oNmt!iV`luoOmtDq5Ax?b#b2> z3|;NsupydeJ(a4oc{^h~+2*f)8{*&})Vz&Q;aglNzC~?Rk&m|8ZztItZsUZYeTT~ z3@y{p6HwHd&6aOsRx(M{aLD%}bDkBJ71|!P0aawGro#>8Z8pS`;!M(J0S&25QgRbN zB~&kWrAX+kN&|p>DEu<^GQTZO)O)%AJW?L-By1=H+mFNEhvK^EzaFIODq!3%sDsn0d z68jrdBD{srI6cHaRyjleLJcvoAcyclPJsIW?`#MEO2{>Gh2N~1KX@J%Z~LHDyJ|-X zKPX)8r=82bS-alJ!>IFzg`Y)RZ^VOa2NOzO981cxJv+&0vV+5KSI|XqYFKb4m8fBs znqA3kF|=G8P7FFsB_Lk!s_Y|~-k%m0u`3eQYx`9f)_+rCt;?*7eA 
z#)KU%lL!v@Q|%II=&sPX=)@&pseT+Yu9O$A+-@O!u-8;-#M(Ij$uSB_x5+dW1?5Gp zT0S|AMX*$CPrn%+{Yy#ctK;nBZk_fYE4`QHof+(-$5mk(RH+r4-#jKbr53x%c3;@z z8rtEt=b9o70@dZ%1^>4P|Nl-=n6QJ$ZguxLZ7+Zv+4lknY3BYjQ$xA z2+0K=0ro#`?!y6uhyBPua{7Q6O_v+kJ;?aokW1GdZ^#lY#j+moA&IBk@2+d#s=2$o zbE=@i!AGELuYv@$gD?T^#}Fyl@Ot6=dxJQ1xP-ZRIM8wR`tZ2AN@1Qf%iiCC(S2}G zaf2Q+yM&zb-FA~=QSa_>Y$|)h8QhE-^UU8chAmI7obB^m-1a9iy zW!U1Y?|P)!FD4N2|3`Drywz3TxRA27YLczG)Fk#0dcVdS&;jXXW?b?FJe4v#0keHh z##{W~5Mzye_mR{3$=}LRlX=D4<{r1eH#1&fC1uu;CQPrFwYSRa!5Sz3rO4P;wELVp zij%DC6r+13@PXJ#lINn(aus38g&(YeVL;APn0&US2>8~y;u3WKX}qd&_wEv@-Co%< zh2o!)N|(*ib)i|d&U1MbOUvnE4S8K|PPo&1pKZr(_{3J`!j-_U_#=v|O;65_jlB)4 zcM!|R06A@s@1XxeON8_y-@%*og~wi-bZl(53nNR{s3PK&-lNUQuT9>I@Js8go+IRw z_b$LH=tMmL3DWvP?0>gZEB*W7(rkJ>XfAdaqYA3TV)5Pf`&++FxEz5I9T|8-{5Q#v zp5x1WpHUZ*ejuse{gg*5#?V&3wnWRlmLq_aMF>>im0!gRGBqp(zeoF5JN9^<_#Q#d z!5z(lK7(COX~0KBs|!M*RtH{B0jEoQ$iWN56%6^9FuDUy0pFq^D%bz5wG`6Q#Ls}Y z{L|eFz*wceil4{h8|lp`Xc)4!3uqlf{MdK1)F4;@xX!0PEccpe@kkj&=jzK4*S5Gz~U6fiWE)T>@~}_Og+FN zRDPvYn~w5D$r+~^f7+LF@AyvK}isPp+QzU$BolJ zANt=|T_paeNZb%{vr%PbkQzHFgHT-Ei%WMEx6gu~!@qkDBKfng9(DW?Z*qgScXd_U zJGGd24f0v^kQIoC3KuCeL_;{v*eYTFmVMBFxexSZRf-Yn3Awo22K5Ss4o0w zDVCrB+hHH&foIho@{k6jNRfZ}Wqxh(R=a&zq?s`n|~;{h`Fl_ zN?g*%G^Z(H>Y1yzY-8@o)`L(D;Z;-HGw{?Cw=}+S9$C|@WH-MWxEFH6xNVC@*Cq_* zk@wb11WuQe|0K3pL0@%_K7FzMl*m z%;t--B5i*&G%dGH+Z-Ipl7)W1d3?C#nrnjrfox9>b4sup9)e*+ab?I9*K28d2q;|= zAIZ6N*dSaHmVEb%jcoMUzvT;a!p5PvD&&~(OirS|{DNYiSGWp&enwfBiKG8Q;TvZT zrIO+HInI^W`IhVaB_hI*Q9gdO*7P<&(q1B`7!n>X;#b4R09K52Fh-wC7la($odcrk zH$GOf-X*VdIxA|~OfVy{&>|#7OzZrT8PTQCWvJ(r;EU^=qq4);WBZc-1*IVj^fF9h zyTLUtQ|Z`+8^Wi1nCqR^e@m^SN=QPktcZ~;)VGi4%3D;3&BgI}EE71;m?MhEig4qT z=a|DXaTRB$ouTFrO&-WTf(kVZ&}oEg%k)&|9wsQOPV;bm{3e_DX;X@*&>C;9bN{pr znII!ujCT%{r>FqmXjB^?0-xWkGk_eB&iY)-wIEKnr?DYh$EOmWP3^3ye=iu&5QT5u zsA;7Z-3lefx5>B|ZmE=}^g$vw50_w~gOL!;pN)vN{fReRFY)wUf=*WxK|4=Mi_@D! 
z8S^b4?!ZNfWWTuRdvQ2Qk_ekQN`j>$N3Gv$!5xq=jlwSzB0=#o70xU|aRm@!^uZ;t zw1N(7$PpO|5Gka{4MP4-Jr>tAy;vY(^!Wm%;GTi{d)-L)>bz9K0Ec-Hlg3zJqSAG{ z5s}|A3_jPfBQ7g3)PWVvG95EkJz-K7n{pI-A;PMT(QFgl+0hDu#;5iP6RnmKj~qwK zBA2irOPjiA?jkKg*y;XnxY35&?iw66DHCpk$H>6x1G{Jxw3@G}}WQ~-Q zd{#`9f>Ik5=TS0cVf?c(H9NFT_FQy1{~@Aw_>i3dYI#3#=WS0m=~OR9WFbH14)y5SrVL@~u8)M_txKgf1$$ zo(i}<0?sr0KMCFb=~`vofbU@9+oj#5SQI(B-mCUHPNU8NPkbMCI`v1@$}za9rEpz1 zoAS4zwMvn9T(Jp0KfU~F=XVl5_VoAy3S7G+Dys1`?7Xk5np}0+=-b;v4?HU*nOoXu z-&LATFVP1T5s2tKZC3QW=QqyYo`2our0~1j7^VR4)G7C{r>=L*WVJvn)85tu*S-3) z){MG0y9J#Bgn*B;()Kwg2KDfbH@0sq8?WD8*9b0ke(Zg{%K^RcgkPK+ZTLNh8U^gs zqBj=Qyd6+~>~3|6nYH+X)ID_|p!G2_iMNfr)47!H8(W*5nwl#5o^aA_i6ZU!xVYXpxtD#~ zcz9YP?Kn+JTcYss%XaZhfE=o3u+}}*=@~gcYu&L9EpEP5%jc4*QDnLdaM-c5BCLVB ze8X7db{AU9sygs6-p63aSbXSMnFJ^XwTRHBMubBkE>#B@o@L-(5 zOJ(o|ucNNlV;`pBOuW}qU-H&wyT|t7@K8n{s|vw}2h8h;u3h%iJ?z@W>%hg5Fa)e! zi5d$Uzk?jTLyRsVpKF2F6fP`~kB3DP@?2T6SnRLjz0P^kN@o_5=K8T&MZc!10% zRWd4*M-3%0i}6{3R(2W+_Z4nt5Y6AT^}**`R8`p@1#W0N*f|k1%W=up@f}=FVUGHV z_AMnp-C2|Zy5E*j1<}*>+%(cKi>W-+3QOCq7R9iMSM~fMaP<#xW&-&djnXm5vQ;$F z;SLO{C>yV(j`)$JvZf36nslc`JSXyMDPS zh39sN=&a`aB`B+Tq2HagkK)7QAhx$#JC9m=B5T;@K+22mgl7u#zVF%i2t+x%btO z(jQJ`>5xsl;Pm#s$(Z?fYREj&Wzki#xX<$b~Lt%=}HFLMy zUAtw44h?+^?#lZ*REQQ^VUw@RA(&@k9B5RD&5Rz+#TuJfiyiBtjyE+QsMVr`kwz@7 zFpOJM@J&aUz~|y-`oXNqNJ-K_S)Mpg&@6tk=_V5?>sJ69^d92SXd+SWPYrea*e23#r=Dpfnk^^ar!xkhs-?j8n?k z-EAqU4e9cJ2P%t9ytkZ((|g>u(DVGe=RDVkOnp#?1HkWAam^pBP38KJR5uKs?{Wyf z01o<(uD6wM7G_dPG>gF7=iN2l4W#$B=;2X}RqQIx}+qqAMjC&@ujHgnWYSKdT_o6X4_5-B@@Y5vs=`j08 zvXrSG-1p_+jn3Jkb4s%&nD#V{l7pap-58p}FOrKVFxrmS2BqvbE@n05pT^{dez8vw zrGA@~Lpib3EDy72IB||Y|4A*Ez-(bGSCpSc5t0TKQ(-A^$bnHFgi!Rwesjh)LA1I; zg6YrLldZ^d#X`jf@p~rPc_- z5HVyrZcAR)S+{^&00_{`q#!Z`Y<-sot6%d!nt`mEe}FfEA|B+V*Rq(XuUJvfHqvrJ zpWx4=WR^N$vXr{}E~%qGHTOz~~BU^ApZATi|SA(BZh5{y_5Be);Q;H{gDtiCn}p z2h(H1-*;+uW4O~#;_pREFYn{(!Es57{%&l^yrb~p|f+chYw_Vf#6pNIwZ3 zm2QbN%>pNZ+knc40=pyG(Im_oT>pdjI9dSx6z}?17QfZa>(>HDe^)=-MoHk_LX5y6 
zxFLVMyZK7_hSkuoD4@5)3iz@frA2F`f7$H+L=`g!tcAv8O7b~@87&t?rK(UK|9TSxj_%krmcXF}7;AB-$2By4uWdKH1N8zBOE zLsbNLjDHH&Ut==E(%rC0Yl?od8QG@P%8}2LO|vsI%c-H@&IL_9N_|@V)e0w%?qw(O z^nf#a5nZh1L8T(aF`sTdE$RLDacm=hnb7>TOJNZ)`o0n6$+;`uPLq~8*mx*DiLtR! zb{~Um;_F8G_q6Rj1>q!e9HzKm(D}29Uy?4v=GmNVH1O~vpOKVH^s=I{3r*rCaKjbbHr~G!$|<3}@`skfw#R=sr%=>|Ibj8)j&dLW-W%5)Y?@On zFU$XGw#(CjOb|V`TR7jeW}F(e(B7l*)i>F-f;gbwE-X1kP&gD8kEWNrIq==nEJ}D zxS}@M-~obba0@QM-8Hzo26uPp4jw$XLvVL@cXx;2?ljO?U*0t{cjn9U1J2s()ZSH3 zRgL}d=!njchN4}WbSck7Yz|laA?1#{j^K6d{*fD zgVkWxJ&~ofioab%?VMG6JD(4yLy$znmL6(MfmI8&0f}6;Zm4-)1tH_q;}iNf#AsUH z^2hoPC5?f2Znqw~;pWfHxwddr>P7V(+whHLYMC(w>B+LZOypU%q4S~wsQ6@89+eJ! zUyF}ppMlsqiqfRZkRbnk;d>XKlzR6=Vf+=Y03?7w}L(5sw;&PNTn~UGhKN<#z-T5csqln6lVl-S8-01oi#DuQ2$e>?H zh2zmGSRW)&v2a&(>`Nj}e1Yw$D%R)ER~Y&>U2(0zt|r+?cGBlCc|DNb_xn&nYOFNz z2X&%tx!Ce$I-jGA46pEKR+&#;R`D*B9Fcb(gjKLS;bg%eVQ)l za+GQr<9+!5$2;T;HqGzBIpE<(3xWJD>Fd#4VT%D?&^u`;Icxe){NQ)kk9d+S$PC0E zB5Dkq!{iw?F#93!#-exv4o|SAb(~*>H(*|R8J3>4-UI-Ql$G}*|7?+yd2Uua9lYJ9 zZ>!p~8(x|!`=+!Auk07W&Y62T&e2&Z%>|!u9{Pr&6Zs^ zXVCX6zTN&OlJ*HK=jigww>i(Fv7t&tvn^k`Kx=AB;`P-w<(n7HM%!{Pd)b`_ZZFUL z`Ave|WRlLa zp`3wrBA+dkL$vI5-`K)f-&4X_4PS$ATdsQwN_O4zU7l|@O@&Ptw6<4Zi8`Z~(aPBB z2nHLyia!ZOmVOr?_sjcc1J_8jK-acqraKVwk{=+UJ*cwz0&ueY(I%C4kg>?6ViZ{Y z>;eM!tG?n43;Kft-kj>|>1hJm1z+@bJ*9=5mI_ZYNQv~5w$2YTy1i$fia)$ymv_UB z8EBPWL*{5KzPHz%DRPZWGwZ-MFv+dYMiGmF3n(7BHk!rY@mClsk6Cefiq~mwScV*M zv*qR=Vb@FjmKLzB+G7OpfV<0it{_dq;T>mvHM2(R`+jTd=;L6WVUXhmN&`nnb_Fqc zKiI??)QAeT@3kY~OmCeA?s3^0fS0uPF2`SA!T`p?ypCxZB;9YAzpd?4q=MUPCZ^CF zU)!7}%2T$x%ue3jKX^s{`;2xz{&UYM4Ltp%b=R!m*U{+LruD?41(23wTVKL9OEfo6 zN9R_6Cv)rA{c{3d#dTKDkwM+|e*x~G(}#;1?D(N_FucQz@qRdd`onRJAmoV>F&aW) zbU!%X|D)(mL%;&hXt_^pRa8){<-;F5vuxz9@S9ngHo9qHr>sQLNj5xf=^tAY5TF_7 z%%3OBJk+G@>t0dypj*C;cj4c!sIF}i(PKQ~phXhl0&FT$iXT#AioxXQD08?_Dj{9J zEVO@EO1Nq!Y1Qv#r=6S`e~b9YHAfjI-)|YM;DB z6>0XEQ_uM<_|$m4!#_)rf2(lwR028gDQ4MQ*(N>7OAU&_eA-)N@BbaI7opq;f9&f-26{sH-aO+<6p<9cSx>{&$oMD0u!5ssZgA5UIs 
z@-r~h>1$F|6jeLBu=~C)A0nuAl-FTZ&yXId3vbqnIB8-Q@e!@;w!+7ZbW)u~+t$Hw z@aE$obd|)uv~X%Bp_(MBT@cu7l>4b%`w)LPGf~f?B01=911Ov{%L)p1RsJ>lNgsaV z%dtWGO8g^Y>vPd!-|uFZ+yYIxCc#6TR(Q3jQ>~xyav8Vyk#q(R%J!L;=sx_X@?oF< zh0<-4xEf~2!Q}^-ufoVl3~@y*iSuB}=>xELEZPss$>ODLgLc%B>$#55$fB5@8+o7_ z;#0`Wk?bPC6ZnL44>KuA%sKYCP3v~%8SZmUrSy>*FfG(>AwLEm0;PD;)%la8nAdAR zaS9S73uM_-Z}5bd>B=5E<4(S}A9cs=Sr_wjLoO&Gy+XkEdYSb}qc=;HDM%bY;_)aG zqo7Iv>S;fCpe#Q9)La#$!&P&lT9K!_o!IITrKe2&lcAI-6xM%J>ZOF?c!MYDMq_X` z?-T6G&}Zi&Y^%lnC`@HRdtGS3dXB`Mikw<@HWEVW5D^?YI+q5MPy?pMUG6N)gh6q9`FBMe*)e~?$>xl_l_*&SGjB-rPTGBsB zi>+W4B0E%MPCa~PDm2v678XLkkrQhXw^j~`93%FZu27H1EEV3z$4o9swCabhE#~G& z2{PnT4DPlmR4co%31*+){tP;`xLze)hX297|BwYNhqVvkqb@woU8;d^(SX7hYZAC4lt0j{8?$ zkE2Z)J=_wfJY9-|t5LYJE`@wzsaQ76URa2xdzM(D{kLB?LDJ9dw<({)1R=WJ5gM|d zzdY?;PH(%t%(FTb!IRcE?Mhvp8_4DM^@Gr77a#8^(8ZN`m+xSG#_0~OQg@B+X_5bj zKl*~Z`vm1ip=tZAWyo`q-B7?mt)XijFrHJ7?gP#LKDpTi8sSGfZ)3aP+pdJboa|Ot zcif&JT)J$XGK4jEd7SI+zPeWZu5LFStpv1@b3e}#6TTk39{mQ>h#IvxZabb78@+{X zyH^3<3!@$MBG&e@m=wKD53Y!Ovt372Wqc=1l|s3?-U^y8+aF><<67G8a?8=nJg;%2 zRbiwpdRL9+Bczaryd_)W9m!(AcHvodO)pEcw_i|@XN!x$8IH5hy;@5dsSEqdJ@tq8 zx${NKPg?)yIuk&7z033?QLJ2x1%+775WGb^E!b@0m@k+7G}W}o{jrnv%zk5AqsRFr z-SgfcMdz}U@ZEVnD7)JVe4)vGx%Lt{Ub$+O=`oGBr9UOWR)0#4jK*WQezVY-BD!Vh z@*dK?_8j1d19W?$e{4Gw25P>?puB8p{knT#f7JCaZtSXmsbYyMzxv_ex5<3>2yow_ zClvmE72@99$qjf|O?Z1V+}!=Ib*Wu$i2dbj&NTHq93-4QH_u(j@d#2t;}ZXJJ^r#% zA*3MG3VEHs19nVjLGT$VUZTT)7GR|rnL$dKBOqU%1+(xcE`9U}rQNYfry?L9jgUOW zl+Ok!h-@JF@2DpPgDYYobcwlTL3#(ZOZ%;2%;<6$3G_YD)YWqSrE8PeOvd`TgMQ!Z zN_q5tOTeEG(#f+*MN^q)6pmO2O9Z0z9r!gWm+cdPbxMoV3~)#0-9=e7 z8jq+08Iz>a;}gwm&`_isZC0s`B}yU^oK90i=OWtGyJqK~&8*xBiFpt5zd~8DQlH7L zCgb3Ss|ID00rWMZ*}k~ICw)adrlV9qPgufYohLM5LebL&7m;(ADB3E$MTA8(qQun6pJ`t+hvxtWEtzq$^1~`KedMXN1nIeWLIJ zmn^`$uObS;Ny>q~HBLi5j-DbkQ4p@sC1P+;tSY#M78;2c1}juwV{F9GLEGM&S_8h9 zL%IJ(C2u*N`Kt|m*^-_j)93Rdw6%ED(jY^riU6zQaIl9VzIS|2F}-Bhq1LKmeL;!~ z!Jk@_KZQk?_-S8|2zW?fVT1nmc6-0;O}xCfa4bVUR;B#T+Xn}ifVlSU;BpA#7+4sy 
z+{7eD9?s$O{axysjB}^Uibab&lU;7GA@Ttfdnu-mR4^Pz*cq>;lE(Mq=_Q#Z;$QWa zzdjY`!8~tbekW4+PPY`=h_8;o5nHO-n4Wb&Kd#xv`=eLILD$JL=g;YZ{v@r%5L3$n zvBe76k7o9LGN(^b7~Y+D!_oR{h`U0li}vbgXE2cm$WFEJ8mT6K=#tmjY!S+q$$Z>N z<8CGLxkhVu?OtHb`YzaI;%~l2Df@Pq6bB)0J8#;tF(#p`pRR0Z$NWHvlRhc2Hsf~@ zIMMr_Z7Cs}qJ}tAUYxGq#^r3nHXkGg^-WFI4Bpv);k+4Kx61V#VrY2ihkOueUWq{q z$B&@-bpJP=91b6T0Uh=Zi~3JcZ@2IJ`u5Xwx8=KD7Gv-V?F5>3bfMj!kU$&4KU5>M zk-?RgLyH27cQ5_2Ng~wWx{!UdQN~m#+->s*WSh(8$k6rn0FuN6t8E2jHY-W4J!bn1 zHN)PQB2&*1OY%P7bkz|4;$wB`DfwtP>)H?QmGp!2@(%FiDGqe-p8fzb`duzm&_O& zFVZ~wU#h16LLS|iWf3opeQ$j%bYdDur%P3k^EX+Gz(aiO^`er{ME>6m$#DeDRD39I zE4+;9{dxa8Ad4RW+o=7F#`gGrRsS1!Pdb{~y$IX}q6ZJq2Is2mV?CjPKCqV&{yoT; zs`opGB3sT75b%1rclP_{hWT;k>vC4zU}WDbaBZP&<==^Lz+uH_-Wv z<_$$NbXi#3>tqY7*{8g-7X+3=BPeDD+>SO5p}qPfED-@+Zb-C^~p7rWt*hB8%B?fjbHDU2Ik z1rB^EY)%SG=|XNBiMDlK5QGPwLkD{Rrx$=g&t=hH?3c! zEyog(Lds=wfHPXIFD#u)r^B5i@5k|tIW50%yC8FTU7ha-#RF#){-NdPuaA(Q;yf!uj;|^nM6waB4=@0IYBcz^>HP|~H zqv9YbXU#-;qg5FY--A{4a)@Bq4OjQFsDlm z*3I$-%QoWo6@67Hw%{L?baYM;c9wlA-`3N||!6NdrP_ckOw!v?i6SZO7s1i zv{C0WKXkP&&deb&owuOrccG-?-%IAmMZz-W`(oLMeMz5$`mIpDI!2v3AgIsUt;OA_}dZt=A()DNQf1l{#^2H|OPtQL;Y?P&n+EXLbC{x6;7s{NA zX#C))z$PntW#tx~HLMp5k4~O-w=FfnYWf?1u3{=yR&Je2w-3kW{5^?EGMw%=BbAky z87-9qrbyDb8cuYjB?VHgo+@l>iNdZ%{r7zrMv_={gj;?Wx`jWwgYiT~d$8TEx3-QT(-S72((|kLDcU0L&jp%qR1H*B zrrgMIGYIq^GZJiZIb>?x#?5uv=@huK}m)CTR7RT_Tc~LT^k0N=Q zNc(ifW9)vV9aF+b(nqO{D!{5IUN2CMXP7F zUI~fl^MNO8ib_?G4IvUz_?Gxfnf{{OTG$bL0kDx;=SR!O%kz_um|sT0X^9r^b!vs- zvrdxuOX??WNxkruU8i7$O|HOW`Qo83ljH@3uEe<$QEN%6K+G8#!^%Jx#Hd=$&9gP{ z*|-q$gCwF)A+o6YI1!YTZ&%rnhvqloNDhcXkvI+~o6XdjXIp%=wE8l(L4)p5kK1rO zjzAMt=#-Rd`~0Wpd_~F;srhs`DP5a|A4IvVF03{pI!xW{?Mhi($b4?PCwRMz456~y zp}MI_-(|bi=zF2bc1 zNNW33&-rS=Y83?i8i7=eoR#-5FbHG3U%d%UZ*E#%Zh5;L9r{fR9D6$RBc-=tPxvsS?#%*2xq`sXrX=nj*qXwOB`+Cpo>}7tex(xGQO-@ zv3E^o35)rsfQAxqm}38PhO5I4#)LxESz7#SbEjxB%buz`Y}4~`!5+iP!~%<3kMqXT zo{QvzlfrOhPfMJ-fGN*U8H=79RDIDQe~XRmU*{4R=*fHmYJ)QfI>4sMX~w$=w*MKg zq$v15y?pNxwPHTH;6I1 
zw?&rLEs~=g_ovpdO`m6iby8q$$GQf?l+Hn|=fj`-sjLN;I`1(sa#OSsuj4SEaS$%G@X+;GhGDh}=sYmoel0wXPBQA;A6&1_>R#rP zem#siIpv<8uGrgd8HNGA_bTj1#^OCZJ%XnnTpbKwc8k$?CD;3N_&ZCzKU&Cfg;!jn z-&>0fA_kvPUK|q*-21sfIEh+8o@f(}ZD$7g24Ql)S$ny?+ck|x- zQ4V0F-?DzP@PTKw#arWWcG#1Dn-BD>9O&1t5~c-MJ#kaa;P15TcO}IaY}x2ny zt1@EDbOjR~UASuL`_`Lpe>A0Wwb`%gd3F}m4L*;=BCQM5zuqY27OtHLjkWGM1$CGWl5fVz(rsb6u2?U%;NYdHxVD+*}Dlqd`OWw;0RpCf zMypW7`3Pw6vWRQ{Ky6)Y$ZX4RhhyuO^-0cK6T{eFhp@zjE|X%p$Ozt%fA1Y)M(g{j zFKX%KC}=TyUHEI`*)UHl7)19@s6?m&N?iwacXPSW(dreO*uJP@XXHPd*IUu6gxH2= z4akDv>sXd1f7AvIZ;rUF*|(Dx;)mIko1=5B$M?!Z<=XUAiaAuc-F%o#>qD~tC?HO* z;FzsX{6?}`)T7$kZ_Q*YBj4j`TEbVd$EOQB8AgVXH3Ez1#^ zTBTV8hB2*BXXUYB9ETIV`xV{iq}+_B2j`$C<{IZpC0|S+CQ73{Y3EEAnU-C z-zG0alz^41qfu9xn#?#y3C(xL)t(!-R6oe7TZ3d!@&_^9t!f*N&#E4_PjbBwlsDn! zFpHyHP@#1vF|QCBl~ANgLL~GM@P=IVTBtA4DQ{JCab2A{kDrWT-hh$3wkLbj0K6Z+J*P zor)p-clOd!Key!@peL68{eY2_m7JMbx6)Qp`8;L0-v31j2=$sVBC4F)NrEGLZiM0ZGLp^tpUKcnk_{+a6PAAydUWmmN5WuVNa=uzDUaTNp2fySf*%f|lf&*enr_-RU?LrKz>Eyi1>g7D zf;HMRYSyx3=Zq^d?eeuz&Kr1@-@Ij58vn4PL6Oe$_`j_hqtvLS$IzP85obui6f29o_K%t4M?HXdch**~C&P^z$LfU} z8Z)CX_A@a?gAH*=_iz2XK#@m&V4yx=){W%Dw~p<{$jOxaOpM97PqKOyRV3y(V95qM zqf)d_MRZ%Eh>@kjj&f^JK5^{9it|^B+X%|GHBau~dj~%|jb~!Tj-?6y>71BOa9IK( zY!uI&7|25M5;v(rKaMtz`&QD04BIy|?77mezgNa7(KIwyheMz|&olqityK`J0QO1S zuY%u9fkVYkuPSe`y9{Ycpqw@7_x@Tp0MDH(9GkeFIv&^aY|qj}PELBHb*Z|W%bzQB zQ9U`(-5X!}x5Y20926}WsQ*G)%tsgnH14pG<#-hk5qyR+bp8bvsa{I<&P3?z5T_il zsg|lungwIu%B-DeK~-)|;9b!3RmNFupMSjZ-qCe~Zio^Q1bUz7xfQ&CX$)B0-Xi8` zya-6x27{p+{Z1E!*H1w>9^QVu7dttxr)kkSTR+44_8+_|X&zUN{7(6sD}7}i29XWb zfgF#!_GNglfaT`q?R?M8ghwMb%OheBAou~M*-Oxs_w)vt#s+U!Ic4Vo_{3uz1y(eDl=5HZ|I9W%qHCKUaY^?lRE-7*<2(FXVsq8orT5v z)vRigp8M`<%2jwh8#35mzkOJuHZ43EJx{Tmyj}z!Shz8Im3(qAfy{m^xon2em}Q}6KKYDHiMwAO59uHm|B zb%4=Pz*V50RYJ$-zQ;qMx68$8690mF`!}Dyww<}=zm_RlB<^K|4!+wcN*!K3t{WQf z^a*eo0>GXQjb@+2)-A(Fh}VI6x9|Qmpk`vu_JzUEvO8nC6>w4S=x;i87`xqafx`fJ zi+9v_tKmBGeVptBcX21{+(dM`3=6*OwbdT_j2fPJrs!YHbpo8ly1frTSLf9g;58Uw 
zp7Hj#_a%~I1125riu%DKkodK&Rt1x!K=%Pc@z(0=9o&^6c=-lm^8S%!{Bik%fRzTj zcZDlABrv*N-V+%0OUgD~D%|vPIw4B$3D1z@39V`1fP{IHjQMy?9%1CE@Fm3}L|(jD zt|zx2%0mZ z*_c;#N}}P^3Ca?oSe$FWNNc&g=@Sz?G4-DEm`_L|xX@=~kJ8RXvEo^pVeBkI@zuLf zir}SRr)vLflSr$ET5CDu@nYjbB;*Rw#1T8jW}@>Rz%2Aw!5TAVKgCgl`8^C>k>Pq^ z^J9YRq;BK!)=-BT%B7XO6CPXa5&w;U*<1amh-OV6PX zEzd}JipL*K&ZU}e-V=~ItpiCoh*C_i##^K=B=BmENT6)BW^m>ctU5YX5SEWc{!G6& zv%(=@=n&dga^FirapqoXjSEF56E9XB9ebCqj~;*9gVX!a&>ONT%fOvwRkmnc#cx_HA@qW}un;jtc#t_q14tW2MENz45sz7}o~^cq}OQG`AS#P9l5%HX1sil+7oSScX+DP4O38Az-FL zYu$~kG0cJu5vLW82Vfb2xo`FPxXGlLF%ap6f^x9xD!eYwjLKZSPY%G#LPa(CM|W}A zb|;ud;G^*Q%tksil6c)_X$FMT|NLE>{ zXrdfd8)w&GC7=*SmR3$-P^SHN1zT1<5w;A$loc5rs{q^8Q0=fJN{?)g9gmx?rEJFL z4;zw+u4$q(7VVx*mI&P!nyOP&Z1M>O+EA)2yI2I-KxNWKZ-a(`n+aoj>;&o%UKH$6 zclj*B;op*)XCOXS3pV0<{{8x|jWl@i0`ua&OkHB1Ff~eR0y)wPP76q}rA4WizIN(7 zELy1Tr-t$odxP6h(*RI*HMb=tDGbqm>Ns)^uCfYFWM3uItmUR`0b}^V=A^_wG)fs( zr8b*<;Z}~#WmQHA%f!}^)L6Bx8l(&->e09D-7dH^plOTBRiN$rkEP#$>Iyq^AK86R zz-5U1$rIKq&Aj0X{_*^j&r3o6)-NUgv&!X@ydY=QrntU>#G}3i7{(nX&%BE5v25)4b~mQ&><09DAQi@U^%stKcSIvPDD z`%**S=L)$`p~-6fVun(-9_hoX;rbQh&>zVza>kQnMXRi`M_v-B^Jb0|R@mp5x_{MG z(ob;fzH;C}&Evw>dt*si&F>fMKo6(I{WA*$1n@Y1CK@(DPT7KN9JJ;A9w+ zkb3q{{4fAEan8V$4DOuv?D)3NV0Gws6K~BI6l*Rbtq20XlK8iPF%>sKVc&&yM*PXZ z+5aAIq+jsgnwufuqYpm%Lk>PZf8WN#I@#>Lk@0z~HhPJJ*iBJwI=#e#r>DD=g#uV% z#VqFtQG3mN#I2(5ZAfoN$8yevA@y%)Q546+<3NwsJ{D3+W$b{@NUPU51k-U~7}O5W zGb5u1<-w=TO+9-zZKtc(Ue3E;^WEKEfOiF!x98KXo$261lWmEq9M}Ca?&{_V!gG?l zhf|}6;=<;*s%N{4j^fHjE?gp2)!SqtTN)v?q&!v z2qCsp*{Gg7ecj+W|GVd_hg9Bo{nuL!sUq>Lv>fpNv`X*fLTJybRdft3gBv@ zH~UJq-SO^0_UtfQ?;!2qLFb0VYU^k9RxQZ!D93fjd;5W8OR?Ln)15T48)D(9-}-)V zt}^WZ_UsEx5^`QWih1d6wIwaBa2f0r_NDNrXgE}Tgj_calj^-3%PH}lUYk!7b=;KH zrhu{-fG^j?)tV$}FXNAR?e=Nrv4}a0>*GW!&B6XT7D+)``kpWBF)QGe+sj_xBZIc9 zhgf@6ftw3FAo#Gu7QpssvwK0f{kH0zBJ8DNpT_HZ%aY}b!uv=vseQ(3dsCcKv%PhT z*Lq_w4YlZ0jN^ggp?}_Z_mO557>0CrWq6>6_5iLo0`65{)oIN}8thlx4A>NtIM1sg z9|lano$8%kJbWF37~Mj;Q-DI^Z_~qXG|^Ls5EhE}RcLOVr^EXjh@a~-l_?r_3CQ}W 
zyVht7uBwcocCN8_Y~lB9MawnHYI0u-DbuNJ&aUwF1kPVh&7(gdG|we!KIC}?cS$>a z!!zB2LxbJ`{Kg5l%(S^ywCb^$6GKUa#5_!A(!f6>bCgRZL-`?fKS93sg|t#cZzl>eM-#cw5KuTyA5p{Wi=|w6X)XY$+t)BinMEBh2BzV zm{{9%G|1bx<+x?pjY{y)MNX27*&)9cPQ+d?X46PT1zhQ((OA?}p4?cpTQJNu7#uqJ z?j+bF*TqhNUGRA$zeyRS{=K*HO3on*=UD#$u9gs_^RcjYT8|yU_KKE$U2hJE%Zs9` z*tCj!Q&|nn<0IglWQ5U!bFd@h8*GwxGd$+<<*dPTL64)LKTxOci(E^!3s?Q}MNeU* zoStXCx?xew7521LbX(>pFK1|mVBC<&B=b>md@kXjN%-mL@3nxDCNi?LXO3#|PiGvQ z+vEEfLQ8@SA|Z9*(dV!>wnAgIsuktxN{%H=?ko1+cWDDd=Ot!!sF4#aTEjViA?{0< zaiIk0f6gyc)I!D&P}jA{pFC7YV3C*V1QaW2jYX*v-%}22l6eWJhwC0|A=~GCYN@&M z3byhJ3U)xtD6t6EsEVQuA9ylVI$+OLsh$!bB;0cjIT&-3s+kjG-V8J6)7-`FVd(%O zaj-{OI?!e<32pejjzcG#x}_Vm@PcF4QPPh4FGAC*%VA7qH2kb1^qQ(Ybb}%s8mTe* z)6z73zkP>Y8 zC9Y25_-G(OrmCq=68+mpJo_4yM#__vtll}cV2j0pkirNrf?e3VB31~efZ!YyF)@*d zIAMcE=Uj+1-exDKWV7=5viKU2%_KA*&|mQKvoi$uwvtE<`r2eY&wBWVwn&lM$p*7b zt+Kpim6oe0dE{_d=TGtNdx_p9PP^ZbgOo`rZGR`-F(pnpbX1(EChG;Om`gp2T^s5lee(B=s}>CIUPH@i|MocqM1} zttX<}NVJhMKJjYQer|fH9wv-d6?IDvPeh|>vtdm}2{v`v z=hN^bC=^Gb|j4Ul$_h0PkBX^ zqMt;FsnN8AuSBOQ2H`DRZ%m z&+n5qg@O1)RF4+%cLu_}vRnqiT&n?{n%pv`)Y{?H?LQ&Gk^=4Pn0eOgRd5p0U&*pJ zu&{cn(k?8D7NCS>>k)ZfDg9*A-~QZY+Lixhh?=n|Zb0%|OLNE>;0>bfU)aA{F!?H1 zS>|S%83@&sN$*AJH!!oQu63TUcltd@3T3_=Ofl*0F_BjnHx|2bLhF=QP(ADjRAa;6NpW9{ zY}DnYQ;0-@k5$Xm?=uWJf;&_NhhLs23bYo!Iiyk=w_Y9<`b4>azaQvKr?Yan4c-)M{*$)p3(%4XU)YSW%_|Ej$g0c|n>8 zfy0EU>KUgZ=1Z;?f|ma~xZbT9Hv}PUOAzDw_q&jR;WOYASGLcCoH9hbk5)n%J^c0V znN;A-yaJMY9pcF)^(UwJ-SXhUx~VP@|)99$NW8dei$#mTVws^nLRmbNs!L#ve{BtRlk$> zqvFPav}>?(YN~r16#Nf_a;al_e{{7)VbpS0I?d$Xf5>fgA9l3tx4l(=v#^#yqO$2d zIOri)4Va9))$PBHUM4VF_Xt^*UH3ChdnVm_S+YU)@Du;QwSY&D&Jf#k?}?71V35P+ z%OjfoMWj}zf1jbS&RG}3G^v~%!1QTBrIY4XZhgBzvHLOU8-C>#?v-EZqX;d_%^G4@ zbf2eVvC`&VQe*Q|zfa_Llljjq4`csHxd*+2mZL0oMc%uaFlMi#3ePvJtMks*f7_Pg zf-iGN%e*oG(AzG9a9izG{!B zY&4=cnri&OJh|9|2|_L(jstRXrWe)9?&$P6;IsL#G*AS6y9OF5}%E5XV!X!0(L< zy^tfv)5_<@jpXqhzo9F`=S|S`k&@=C?^5dB3PwA`{S}xBf%G4BV~{?QW~NR;j3ize zK*IfWDh~djQ{X}sW~l*&h8y?W*E6882)N*GyDJ_feB3v#UVJ%W&Jd{$nJ>gEe3uSw 
zNb@aXn@|jN`omm=^@($YehMyqj3A9qZ`m%r#}-bE?g6f=T=(^R4gzv~1!6$_;ve#% zf>RG-qAA9bF}Ao7j6c&dly&5zZuQF0aAS6d7hfjoS_75gtYxkCtxMEZc#HMjdv4uC z^1@fI@V;(W)~s68Qo|%#BxM4yLuD78HghMPa6@4yW=cxl>)B{Q8?s9j zZmTkSl0k|U=YMrQod3?<6`3xa93d&x8r<78WRu3U*m_z9|;k82`!J$o@3^evxJX@bvnaTf=155@bbUsNrQDK+~OI{g?fLOH&Y zi`N^S-BVF$^nTgrtv zA~DjL=49bja@y4p-v@cjH$Xga|*xM{|;!9I6hjb&zW+NIs z967R;5slx3n3V~!{Adh!I^3nZA4*333~%o9iq&xzqwZG}a>QPW$GdahK;%cFptnwEjU3KrxMh9eD#P5#c9jD^MFE=B46)*X;(g8r`q{un8uR zX+&I$L9~HVTc{@zZhQvA%dKyU<_$@x(EU_*ADaPrD8X!?8dku56a0GSZ~F%qkpYed z924ycACyV`up`EO&g0%XIn;eJ>3D`g4={kZe=N)oso90@S zaHOe6sFE<)uA`A~-B5U!_wvMeNtE!55@UT631Z9tvfIyz$b~5^5^9ih?q;}^R*TwpQ2d1Yi3L(ueHGuO)na0qKB{jZ6>+p!3N3!$Shzdx3vh0w84gQCL(Qu9U!! zrY(z<@sYh`fZB#zyKnTENoi2br2t&@%Wgn5_tECv``t3r`x?nOu9RcP~30GbU&Z7GwdQ(76`(dz4LW9@GwUbzkH7 zy;f>ucY=DFV{~t9c6K%ee$r%#(idVw(ll)>Xcx;gR;&?gP`Yk-aQni%ZDa0HNSuvN7ID^Dijvc! zxqjW0G}rBaby29adQ%D01%Afbf)DF+yPTbW5Ds|$5XED6O&gL}T3r&(xC6L# zkFus53_!p0mG+L_EK=O1ud*7zlcP6bZ?B_w9+~6zvp#kS*8@S>D{j*Wc<0accR9et z=bgJE zKF8?guXo5BbGwP>?Ww=xhPicPJIJ&4Te6X(OBj5)u=l^@*`};XF74Mf8tLj{QhtZM zgJpk6uH}QFm}MCh?S{&UZ&bkEzLXw1$x2tZ;8=^+Ht0O|QSgsZQRkbw_gK2F&o_Jfya*KmVV zYlkzln0-_tbb(9)g>GKC-^-7L$NH{-7PGef^k>Xv5WfdWW&>mYP*mA(>yn=>Wz#^` zcq7#Q!cZqw85Fy!jmNrGX$-%A_Ff#6QtK0_d)4M69$@QETOjG9fhKfA(aO^T&OOS1 zrb5}2;c5O&T&h~&lu;b$(mGwdyK(#eyN`z(Gpc8J{TrH)#~Ov4hN?3DAVP z=(m!8ZSvXK6 z3XIW(f}gM&;Q!u7^>Y(JB`gTLirBg}UZ?@9k{Tp|Hq424Hl*8AFxrylmhP?gYmuZX zNmUKQ3U`f?ZqNb?RnbE8w?MzIM8>6niPZ^9#V1e zk4a;%Pm^YG(?`NlDO22D*$2J}E9bw(tth^v4P3|-0-_XaqYjiZ(#z{$0&wf!bmgoq z6Wr!9_UmNY;A(psC`ae@_jO7F5kO5MYCae&ntL8;l0ymfEGT0*)Xd3elUAyjBUBo; zkzTS%_^^qDjiG1@1rhz+?(FfoJ}49Ls{C06JE|2&^Y+D@18YcWd*;Qe^%WKZAthcT z_>D*c)_A45MGo{L3`zE`#KLiGPP?D=SJ;b*YYzXJRs99q(NBtS4xl}=NopB4=r~%~ zQm99O@kv8$D&Z-9Z3Ou@CM0p>8N|+x(8QtVeJ|x2dXt@?jr#dwT25zC?$nGh-l!@0 znTHGezUk^?zZfSMftLMxbjoFu#M6GpjoQ7?g+xP^2sv%3|GF%oXsRMD5p# zZSRH2a?bxKLNOsi`r4Y1g2iVCLsy*SfP1eeQ4y~ZIF zmkCgMYzXJD<~7dwa)*f~AJJl)0N2jPxU9w{{|n@!C|BsiY;9T!9fouJBY>iz%iue8 
z8FtEWB{X>gd}LaPNdU^Th)3T^X6n2)7xxY0+M%n}_>6UpwY;0(mlU2@;s8dt`KoUi?d#i9w1S`+QYfaI-#A*M;VupUtIZ49bH#n|Ch?QUC562kuw*%u* zR}|(^^#;)p!qRUX>$I((jnR2B$F&M!o6NRvP8Xrjqgpf5O)(JwRpHkeRgh^uI!}kO_ObVxbO2K)5+- zmlEyPeLEqfh13JJZgDP!2(+8tob%FXbfx^f>UinreDZR+dXyN(T<_3g@tEJHw7pvK z4%m!NdD$Cu?0UOkg4i||$KY?psw$C+_}@($WqV#BXBc?(?&UMQCprgTb{KU+z5Q(7 zLvGKK=+0Sx6xw(4>ssRT3>%iitNi$V^XGX2Gq#>K%C(;UX>kj$wS5#%PjA)UtdDQ$ zis-zevRF*wTpq+kDDwP^K=x#!q3QA%8B`)_16n2pT(bcNVAgJLPo%eNjSG`r2&+0+ zv(`_tt0B&Mp5W^0$G)uQEO$S^+4Dr^lk~*$KA7w>_R@^?A+G;dviN?|4{ze@m_UY+lgx{r&rCd?2uR=b``Ckin&6P~*A=@Vafke0%Oq zzlH7df8N89pFl6cz#X#-zn-+Or8F4DBZ?2z3{~%l4=PaVHWwR0Pfa)M=fVd$Xw2u~ zy%eRqDtyXYPQ9h8?30X9<^y>MGII9P6o68yZN!%R?W#gM3Z`ExMB3ugB05A}BF6w} zR5;(JG&?7kRBxN8bytU{+MLbDG)XKXgyTr0HOx30kvIugU9mY#lr~DPsANq>wb02r z18*TFR|2|QW7gGfp{_P!z721(og9s0 zfw>;5TqM#07MU%E8}k~5Ib$z-^@&Yzy`*{|t15Rc9-~g?-JTv|PE+ZNY zx2Xc2ZoqlR;NaK^sf8Nzi1b)lC}j3nYJRNfN}aC;r<6Z^+(_<>->Fen#tWv``3hUM zq5Sa}e91Qp6}RDqtf^nWzWy0TB+y|&OaF~|cjjgz_UV(nh>s_Os!hl^ z47Y0(k66&17+gXXuv93sO4P6&NiFW`gE8vk^gLt5J`*UN_Aj)F{{;qx3GT_AUzVPK z%_dwT;&N(dx>?j09lCsuX>Eb&br3zpN5{9M3(s_*APjQ!lX2W$`z6{~8gG@(}GO1$g z2vy@cc#?c0*4;EKgrxy1Q~>4L{8he~f<uJZAnZn;2Yi#S6#yYHN#6cg#PD-Gp^JtLHw#5VNea&URrBcVTYL&YV!r(pCl zr`&l5$38Mt5FQyJDxz73_nbmy^f$a2&YpRT1787$b;?M;3Zh;0=Cz<#S>IgVN_G5~0P zQ;x9}YLu{7Ydi8mZeS9W37bsM^3w}!%m>$jAeTH~tWX4UUCU$EcE%pzXXP)^nkx zKlE_t4P*9L-S-MOziV_6Y1Cl17XROJ@As7jlk7?Q44SzH`JmpifZ8pZ3tK!czLwA+ z74m<`{GB!bM|3!GDnuS)NFH1;cv1l(LAI-YDTJBPy-aJ&$))2p_i(HA9I3!2Y;^>s zK$VKU`5wSKsC6s7ZF}Am-gMi(Kfb=(D*!gTkGlqL1Wt1L8^*W!ylroD_5G%GHtd%@ zEnkK-+xL=%dJyzI`iL0y$B?%kudoR;wVbX*5vnWo+xA0b=Y$k?KrUCuxi$@pSD8%; zD~zLAFX!k$#qI0#{Sp8*Rd%htlki#ol^Y*0Lz%wjcD-_bPN-0k=V2OH>TJ8=^W<9m z8PrMWtZElAT?ruSJ!zbI-+S*|7CPxRaH~VVw%&OikX;skJmK0r^*6B9ic5)M>Imq5 zO~5{Qw4R;F>}}cfv-Ld?wC`$MQeRm4f;3lB)B+efr)c;D+eg5#b33h{rzvg-Pkp$4 zLq6RAbFW5o>08cx3-LaFO(xz?I=T_HhCDyW)^Jz1PIn`_OWLV@o{{nS`K?i;yc|O* z>hZ7Ip7G2a`nAC|4Ku=Qej?bSUmxX?3AK5EI&bu@Z%>Mk=WF9ml&q_AeX+XA9txfc 
zDSYMlpD*kU7LV+CZ6>cM!lmcNbG5ag>9&>~A{%{k3$yw7=CUpL(Uwc}nQ%KuMn~wgCGF*VGrTyl{y=1^{BCZe zHk<}ws$0TdrenhhBc?-@t@TS0xxxp}R*8J`ST&wh1yeQ)mcEKltlXrWQ^Oo7z~xAz zV(xNozKHMJlqZfggbbrK`6u%VF1D&1XF`N${52d4^+WmQq;bOrHMTc7#Ike7qyzq< z^+UpYIH_qT@Abl~`?s{brAm1UhQgm}QM(gMsI)w$OI9TV?--6UMrP}H|8UvyJC!q* zqaOr|EIJnl zw0M*MBao#}=fwvKxS@gBR#HSSLPzlAi`*W`3|F}Dbcd%GX*k6t-Lq99}g{BYrt=;=En0LbiViI{EC@SQBU>WA{V+>uFKg zT;)L7ATl3K<|yBiYaxMx_s;?bw10nJxpK0;E*-Bte=6LZ3eR7pCR~|r-5G*57bjgS zr)tKv8Ecf@mWM86yF7_Y3Xsu>@IYwzO zofs2XO-^>MGyljy(mkGEo$h}wUh@vvPcl_U9Ux%n%pIQmyWHL}H>Ex`hrP!wSlWY-0O%TD8R;xUWtPX*kk*yu-Hdb7w zi&EzJttw4wlHo@x)k7`g&Hnj$Mp(GGdO>GO4p|QcgRA^=enJhi7ex9dPDe^{0zP zz626-m^N62H=}K)(nc2o=ZOIqI39WEk5F5yrj zouD*;&pf+Z#Zw_yvWL;!`6sNV0N{8C{ zd(c zCaX`WG~3Nth09<7pH0#s6=!=wN}0QQ)%sd0CpN75(Q*+BXmK*>j0<_Fng0#0UKQ_z zg9al(HuR*zjgPcJiUK#3p3jizM733-t8(KYN`8YVCbaMiK}L3HSfg18fX;rw-#E?o zzXcQqA>nv0dnVL)1N!_=^h%Vd@zWLL0qQr56j?x#@lAOpx+nVbIemq(LK7@$vgoxI$`@f zTAS-@3VNACcSv8t@XobqvBiwikq(IJ#^ZcW8oMd0q2vTW2N`3lto(!F+ z`Ms~)+3RtQrAWk7YZS}Xxj&C|!#~pLK3#YMGIp1)XtXh>dkNF3bG?m>aWi)NVK4O8 zuEPUicQ}>N#~kmr3)sTBgJ0WlCfs?y>;o!(m|<3^nS0w^vGM-g+evQ)_<^|&k-_;K zONZ&+Pm8xQKYg0m?_#{3*KPqnZYC}BvEN^=ZV9kIx&Ks@xNpwi^fVr4_QxpJb}u$x zb`h-Txn8(TXL)@RRMNjpE5{i$U24n_IOCsXfiC6*C39L1dT0EWGu!}D-WT!eZKbVU zz#-Mg9gx3EBKYd3o6 zZ0_Tt+85+u&djvog)S*N0@+&Id6x0Qapu*fW3t6P(`Gr_X8FY%Q}h9CFxM41oIm1i z)~_c@>hNWMtiE+-d0*)>8909k16AoVfX(w}Q4E&dbpuR2-A8&bAjc!?Y5wc?B;YAl zt!=Ad*Ek7A&&5Zj*40y{`1`25f}n}|LsfM@Hlgop83!+3RreX#L}g67kO64^uK9z@ z7wkfI>aE;)Wm)t61$!0ie@4wrdoT8lFCc{fz%|u+jbL*dWPDLMBx!d;vGR44pKXqoyX!^M2^I6d z7HU$TkhaSZlS*isHwMKn+u4{>`hrA?Ow`a5b&O#<9k(pq9rF*sc=u99q&agXqh7gX z&Cr+SDQJ@5H*n~b62QY?PuW)v8tU0-c!u;fEe`L$4|;C(eS0eam)i><$AS)5Zb{~q zF+b8O-oWQ5GF4jS)1!{&mY4eJwtgzJD}_XrKxV-$tri+$Gk1#h4QJe|obj4ia7^6H zVosGsveHPs?ExOE11l0QS!4)>*2*<&555Tgkj?e|<(-Nu$To}= zS3K#s!=VuxrfRbIMXsmvUml};BkVS+mS7@gpYL43Wd+MVI;7d1BSs(=GC2(*0iv}4 zbK0nwi%yBkkx{ZWS{2W=vMKI0XCJdQ=Yx*KY0^3DM#W!lx!FtdkvA-hi*G9wRnq0B 
z#jC>IM>GXBskddQ5-;@Ur5OX3@eFVexLOSe;igS4PVr25-fHlHEQ`49&dA@6P|H$; zzek}n?0WoKJxOOo3&xb3>w#_LwZ2 z@KZ0~RHo{!M~clZj5%rN3Do`h!*<}L{vbjbf;U8?g{>mMlAUMuBgU4{ z!P!0@M!HrE(nv+J^l}h5sS8om*`pc3DpEYpWNxfD88p~LM7$KReDL^#Hh*HudWxSzRa)6S~ z&wL>gzG&2i^14Jknb_p8%@$h{Y0LsumnkBNj-8cLPwpHPVt9%?UN%b;$pW4{z#O?L zxJOy!szeaj#pi#dryWhLvwlDC`~*PqySI>eR5l64*}BHX6KP;BKYVc!DCLI`p|K%4 zlud2Ye*RJJ-5`~s&*f5%sSF=z>sN!xw$p&%4XGzPCYT6)p*@5O(y3q>O*L-N3{Zs} z#iWbG1#;*ynZm{X!ziNHNwSlFP@Z9wUl+sfTkWIKkO|N}DB#_vsL`TsevKy47*}4# zFJ6}mkaG;;*Ceyxz=NaKty_0=!7arl=9(<_{~Q#plLL@NjuR{V(6C5@s1HDhHkh>h z)gJ7Bl$Scy!1Dq6b)(RyS2`X7#x{m>JO-hQ5i;V_KX>^s-a=u72?~KQ^@1tNR zpPttdK=0z}sk(rdepiYUd)N5O^XuGlq#*#O6b+4a%;&S1XI*8t=Zwc-+-x__aHKUb zvsw+7Az|%<;SAojMU$R$1|+t0^Qfps*0F-9v*tV`wP;aL=tNvMdgr-FZ_N3>(*DSW z)DQa(JQafEZv{PRH^sfi`CJJM%mjdx%AMgQ4B0=ve2gHzFSH%Zr)VE{Mh=qQyXwnK zx)9*?8K7EP<$l$`r=J9{(x2B}`LpeNc}(z+Lf`jd{l&bsymoO|0);<`qqz0)+Stf{8YWlL#nd2hp0fZyg-ygAX@YY0qOmB&uZ zuggfUoA<`L>n9NR4LAbcINuJYuH!yn=8{YwbXe`><0H8n^LrY^;<0r$L+H20iYL&x z+wJoEZnye2p>^APD_{~X#=hopJ(tV9vS9%T;P1nC*_K}Uyar$k`7$}|r~4J%tN}kw zo}h#}&HO=2!S9kj&pOiRxKBSGL*8sZ(A@U+IT>H)qxXWp zFTLt*xEJrnwimDg5qTGXjw)OCbX{5T{j1cy$LhHl>%8un>Yesu6g=C@p3(Z(tf*P=v|h}9@0(MP|<+p3J;#jCpuZQlD_x!71s)Uva+c%HglH`lQllW5}M==m|-3XHOE zJ^NUtFc&dcxBL8>6F;uyIWAg1={5h&^tuGRy?CAw^jN+|{(|qFy1IKy%rr+EHJ-r# zgKL*!Fy#GmCrh;UyFGEGjiME^3GZPaGis;d=DA!xbsK^{oBJm8VrJE@7NVBdsny`} z{UXd>?|5v4NqjMk(tPve!zc`?<#pl%B>WC~U-BdS)BX(7Zt@%U8yBOK_Srk{Elw)p zOE!<{1y7araRR-Boq)ViKVba)e5Q}g6!V+QK2>$Tn8xEaBtQ0X*Ku{Ca6S|Qn(Mc-)aks zYYff11{c%pioZPTs!duIEKrS#ibtNC8ZLSl8O1d-%g>$y+1dAby5*~tLlQWsJj9V? 
z9mS6rOu~V1vQN6P)Kkkp;X|<}76L*Vx`EtkK4fL~EN=B>yRgR)8?6i@x9{j{6=CrY489mqi#y8>Dr+m8XWs^=bl} z#!(hEz>`dmq$8GFddpjc;zL-9q*G45N0I+jhbW!^#!RjT}A10r-qg@;6j12kEMT396GXoSq2|EBrTYCUzv3ajzUQX!F?kRMp^yfnpT$H#!vDw;vbw*>GJ3r62Tiv1ElPh$CWN5 zvo2IbV1?UxX_cZ)H9+lp03(NZ971wG$l;@P&_wp&ek6Dm1bB-w(E37TpZ(XwcmfKK zkU>hTpT}_aZ*ofPy6ltq&d@gBXU|!g51$!A$yf4##aAB8B8H%sYdNnRy4P>S>?kll zHfaXb>T5ztqnuK(EPG}tZEAAuA4@OdsCOT>-1A1}lod!+&!7~nX7e^Bjh37J)99ip z?}9^?BV$3JM1jUsA)IeFTp}LwNE|CeR)<@B+9%<>LulsU5P3i7Nd*I-frpQDV7p#c zPlA3h%u;}eU0@7)WX8aULNJ?SE6w}xRTBx;)7i7YRrS zw$c|jH`Q(=EBL?A~c z`#w+RPv>n~u7(%F^2q|COSX=0k}b;-p=ePoWZhY)6PDoMI65WclsTr>f$-7Aa-^*J z28F>92#zvR$ZRD5P3krtC2yRuf6e*CukzJ8^Ax?vPnVJ6t968;%$6Z(@RP^86+en* z?}$r(H(QoPmo#w(g9~!a(`#EnPP<rKeK&Kl^>Fmm)rL{xwbq8?oXChdi>rz4;6Z8d-?hK zyEoSref=V^iFA)z<9y6BMHRc>gU@vgIzeL}i@WboT;40~M@9Rh12O%Yy{`8QYcANA z8oeL$5R4rA2HoY=qT9~vdX*QI*DY`lmp+oBcs1`a2wb{dP1+Yc%}+|M8%M5uNA-HH z1~KdL-VOB=1awk-`7<@ZjFqm>RZ~XK_qj=~!|ETudNG+iSy~6O-~W|udI2n?{qaD=aw@oBYn zd&_2Q-A?FQu;Gf9i@@^~nQ+5m=JIMVrk2U$?~ta?$JkD)q9<|1Ws~T~$pwQFcDN+| ziCQS=pOAsv|!x`7%6*4#oxPH&(($6ySeGJ zW8h;MWq-3q{+O)LX>tc$s>?HJ3oKSuY;&y6ya5nwoX-pQcP~zink~ zex^>oO@~VAwGHdR;4?{CKQi7|?4`QtoL^wux_ZiYmiFAu@4Nx|3?ybeKMunlB?CBu z1(pSRe($%Yh`zN}cklD~wS$DhLAkxJ_J>(t>ZhyR+gvPs=lnR2->)Ytekg0z1w_mW z94}uyY~&dbjqmMyX$Gx>Q`HZKD#O*Ug!Gd5I4HfEFaJ^vNjOb`gLeyZH>M$r%ZtIm z;vef;5wDn`a-mUeQiIxLzeDAwO|VB||CuW$(pxhj~G#!l! 
zEtmI6Zn7ioinD{$vW~i%A zH8ZQ20a|kByq_*kYHYh!Tf%XVcrtE>hXszRu3AQ`hIL=XlLap zEow`N&+?p%%S0N+zc25l3BME~<(VB|?lqKqSiLHtv4|GDBnmupE+YvKjd}LOX}q)w zGz^p`s(8icmhK0KSDeByXnEKE_p~)^C|9y^VAZWEs-hsYD4Y#Ol~5K+l0y+{S~&nt zsdg%Dv`kN@V-wv$kU_20638A!t!kvk#7I1#qb?7-eTav3W|b%L%9#$UDh7dv6b~`~ z5^iBlQ;X)TwvuQlME~GE#6nlz#WXt9|BZC>ysZ}ZS6z}?grg)iJ5WhuWa&7*o(e1v zW_!W+EYVzY2i$G1^+=;%qqWRWbZ1P4*T`H%vd^ooZFl))jY6~`#=NZ zC)9y(KTDHvC$hRHqi&E_x(37`W=Aepk#~TI>dTrX7FMr@Cgx~F#^{M2``ZQCJ1tRNAUndV( zz)1V{()1N@I`>$M;Bo2Tl;K+^#&2=L`Kti1#d~OL8ILOyu4H7Z*2OUiJu6FKa3)7B zzX*hhXNbR+IiSx(CsC5Ks!AiepU=Qiq>KoFEB;=E;=DT>40-;ZrbJwxRnq`l*`Ss) zWk&gPWRaAC;Nce>v^Az}0lUq3psXHc^3;XyG(|y?>@lA<&jRi;et(r(e`Fy`aRhZ= z3r^wBmD;neIC+F}atPIesy>uZO`a<7Isn%#fjsb_}z)0Z8vRUpo zc!nsJLsP8w#S@j2RNMn;P(}@rj3@r>)gauJpk#q*K!Y*#get4{1@pn5z2eY+;d zj-(0j0XrBQ%_z0*<&WH|FRa*$P?Q>op_1gq0dnb*61PZqi&`Dd=xg67@=26(B_=D9 zD#BG#4j++079J^>^GgwFLGJdp&;#oxBkDLA`<|serXrv$CoRLrpziKv%*oA82=@}r zNy6+LNh%sAPN|x=Q74dpswOHb9B91JtZpNso+bjImN#v+=WvuP6(+Mzl$v2@#j;%F zZcvjpS~fMvB4tU+6AS>wf4PjGPx}0%0tac*ikL4Ko@dsg z_%wT+hOU|Ti#O{wX>PK6fRAwpeN+Fgu?gB|nx{VE0KD5T`@f!da#|-F-}K$Bfv*>g z04Dw0D!oZQ;M0`QAvSWkSG1-~HcFQN)qUec$Q)Xwz{B&qJg5HAA)cL|b%e)cYL9DK z@B3a~&13hh6Tr^(+LuWfyUKMU(Vnqc{09Cl-+G&m)#D@-sOVwbbbqKv{XUK*TjhKG z3(qCaG1DA(d_Wg`;FeKi4()?3MogX^dv}QxL&Q*!J_0TP)yc;>O2% zQ(*oxwHxhWYK{efw z<=cT|ueRMpkgwYV@JW#P@@@LzoGEoU?(4J7v^R*?)7LN8nXf({1K^)&AAWC_>s+XA z#$KDZ&#ZAXWVQTTU3JYqRue)wZ-*MMpK-eELYca+-IY0O?(Ju?ikpq=GShnt^2nP< z)q2-UALzh|ESJr_rS61{)DP|Zk-Em5);(JoAEHm-+CR^ouG7aT(0kg|=3|!Ar)B0% zvXDt_;tllldPBo}Ge{Zq`D6Kp4CAZ+8|-F=i? 
zX?N_06Z#w;ex7(kJ}qA9es8}K>{x#U=(%t$a<1m?ASmebzj9r(uF6~23Wj?=OP}z2 zRRcd3PC&jBT#xVn)2wp6A>SdN_fBPl9@GERuS!5sC-gWx>?p0BQr=xE1|(wVe{Klz zgGS!>zuuSxsrL|~bZP9|ls`uFF+c%SCcK%}$Q`~csf)t`XmwTPx|$2d)z(H7oMtKt z63HsMD+qvv5`KJT%pm9s7g$a-q+x#gs#Nv{t~p_y;`}@t@DG_-V*GZo<35tjDvcOa z40U$&rvxY2McRBw+%mQ=EUX|G+Qd;E<5(FD$;+@|nhXakZT#GuGmXK?rLQIXJcb+| zIfOw7U;s^-U}{;oA+tQu6@0!${1k3S^&NhyF8U0cZ;Q6Z@h1kyEd2(x#DUY|^+1++ z2qU!W5M))P0#jLLeJ&Hne2N)6aA>Uo1qW7am`#k4if?H+9Lhvh= z6KLC^7Gzs4B-0QaDVC(rB3aM-4GO!~KB3VJ5Za#%f$t?S{B){GA1S62@aOWm+)RPo4}e%Rds68Z+xC=ZTR zCF`^UOZ+8VwPDh1N{U(unsN;)F4&JhV!|e(vK|Mt0nZDrEGEC&=b-;FZeB!+w=dF| zWyoW@_F0W1XD;CK%D}{9r*s%ieUo&py~g8>Du;-@-ZhGKKFhauK1EfUm!#pq9n3Z} zqWyW;LfwCowuUt&fr$e}KbRg3AyIxZ zYF9RDiDK1~f%R_r9_F>1I#;CfTz(I^;yfV9MJHJ3%7ch3 zuz7f63e&%pm|uHN;8`f+PHao3>g`U*IGnI$kjuuszm@Xl)na2* z3`u-_qqjcQnhi2m!w&=`X*B|{&2m|_+RO_Jw_3_HzzKmQW z0Ft~um%<&=LggB{W0a_XiHM_CNpJ(!{20Kd?PxTPtoRR1w^ns;m4#v1C< zskO21-eudAXdA=meTssVO$6V$zebq%xoc(k$Xd@gA7QbLS~W%t_)n&$HV>Gq*KnUU z74mlibJiy2s&>6U)>Su~QJ#BOqcJAI^&f%N?#mFAnibM4mlauT7{mF>CQcF@RfzJ+ z45cwxN`Dun2M3MCtK^*oZ6ajo1njs_sE>YLi7Yd{4yBeKR(=Lt&Uel4h^OFm{)_A5MfkxUek@X#UykAFX1NKT*6XTmulMdN7vEj^AoZ zhaMv_PV?Uy0TPBnCzFnMM&c{gPsFh1>7t_m3=xiu#oD1tHR;D7X3iBp0(WXei_WN3 z&5c7W!T#Ac&n!Ocs_d6~xF;1h`nFg!M@y_)hRLZ)r8fvvBY@RAm|2!O2*}*0*c?%l z>s`mOL46AfhF-n$lFyeamQib0g&q;?U+I?FEC>Ffd`U+wzyZ^1JwddX_CNmr%BLbH zB-wnfEJ*m|5hNJ(sQe{T#L0R4x{%os5419h!W9!hiJyERlCL3hqC)W>_RxHq^RF9O zKaPl&sN>=%@j6W$3)!B=w`N# zp#J&Qh~H=NF{^A?ZMMr?2EsI-VdX~e@%BHZrpu6(r@0fNt;e&(THPE)0>1!<1OL?= zzNeu~l6Di$v?r`8&k@YKfNGmOt`#hL`5EPj5m@NJ)?kzxXUo6GkjhE|ZRi?gO{kL;A! z0{`~*P3$iPkmp5}=0xwByQik}@ZCjE^Tk##qkh|`HmLr@y7J?teWfuj=ee&(ak|qg zLi5v-M*li2AY6j)6H5xFY;L)z3fi>w_9nTUz*~^@si(6$miO=9=l`nkBP|Z&BGpM zy_>3bvFCT;{&#@(DoHYuE6?#b1-8jHca008-*Lkwo_#KCimHCYx%G0)Bn04Lxm{BG z^^k7nnqOIPzoHON=%vtaFqY4*@d#|E^WBRHbT)|oCYj)7;5$}wVkm#ac`nIy>9z(? 
zw2#l~-ca@G27dg?3qsx+09;R-E^8U%y&wnj3S6g5DQ=_!?!vpd+I63|>fg4Tb~}tb z8ci)tww9;{QCzE%ziFPA9M_+`h#mhkw*gkmnPiU+Cx;yND8HuCcXt1rxc)rue%_0UaAjM-A zowFOFbN;2P*FQ$lnv^KVPu|0j5j|(#vEwFKs4?Rq0V7=}3{1unFsx6oDc4ms$F-6s zitV&P4H-Fz#(-|8Ua9}78`@~uuw~hzBFH*#WrmKt`|Y%eXU_Vkoh~s>V`MDyyl&kwj8m9rlZKP|ySvf0l%Aa+24T?{`><(fEdT-!!>}*}7%_HmlJJ z`7MhH_YS%r#R}x6QEO_c<0Z7+q2RxQ@)QqT|13@g#NYb2@t_Wb-v)DLCwb8;^+80(!TyTB<|9Q+A&|O-uEr9-kJKAidX~8iAA)9H6gXITK~{V?vf^~I`sIGZhazEhE+My z6u4`T#CS^5AzUz0ICs(>7zY}=f*3T9tyBP7x-~@>XS8WG3xhTE7Iao<5hs4L>V;_d zz_VTM^oGQ~MYlpJid8o==faUh>2T~qIgK3oDUt|DK70fS}sJ;`Vi{*8ZFD1%0Y&eLY2p&DBamnmEr3{#2G3 z8Ol zT21(r^IcNA6opF551g?E(>NTIR3#o24SA|gPtCl!j&XFn+Asso^uJ;$NQ#^+hikJz{ zr!{j9y=qb#VwxjqbVwzcyG${G*aA0a%cueg)3PxX&m2#;5nc1vnY%B@mv_V*?Put# zb2nxTH2Zr#XwV7zt?ku*IqdV7Q}pLoO2+a8aUJZla^E5M>zk=#wv@txL4j*cV5v4z z{bTQbT*p=Hh&GHgLPx94UfmRAhmKfU7BJqJ83@lNCEzMNMg%UbVIMPMoI)p3E=SH` zH6XzSI6pC=)BSOa;kRrE6d#oC%4A~e!<|zoT(F{4tUMZd%LB1qSr9)FQ zEb(Ps!6LoLmad3(Yu6XNllg8B6D?OVNQ#}hTazjyELBdiYmDdb$q)j^mWCCXo?xp! 
z1#QL!qqm0d%r7z75*~Q^SAW~+XM;5{Yw^iR%b3l$jhO>n)jubsHc*c4+j zMG~Is7`XQKqI@3a42Z)2Ew4LsDA9R>sh>epS0Ep(E3!{uAw@5lMJ@!WAC6soQiAFZ z?mg`FOKulYfFWYY{A&4rlIKC^N$1F=y++V+IWtxIV=jwAALuU^sc z_4;g`ZoVZF)V0dp=w#YnV3@RLP}|qGq}5LbbWn2dVzAwMf0}K zT)}?Z((bO@*547Fh-*z|e2pL_`2C@ms+;t>UExL8wH4FJesa^Wyb@c{<9ph2VtcRf zj_)i|+q-a3E9f)j+b++!{jqB@*6QbO^#N~DNHD$bUCYFjD)bz);aj}Z@^{$!%5PkD zZXX%3_vPYfoA3Gxi2VLxIul=;irjwPocZZ|ESUb$D)8I}crdVOT~em%cKb)<>or*D z*7L6xNMs%+>(==c3zG{t-h%vqqPyZ0IJ`UGx>`tGcWCH8=My^O|98UY*6`%%GH~^- z*P;!|fNAV)^G>YRfKTQ1d!YE|#^m+BcCpQ4v2>8)ZXI>y>$9MPob7bK1(O{k=l~+L z|8UCPWUa*85wL%W($xO-h4l_ooZirRz4E{oaNaeBx$Ia6AUuKwG^ewCf$NyPt zeHZ*<=v3QI(+L~;t39nfYua3P4ugWSIjo)sp5?78=hH4DR;^OSoh=5|?PrRQQNE2= z2L$IW$@;X_prGSq>`k9fmMzfg8O`G#F2zkWuzOR3wgM`Hoh^Gf79u_8zV?lhJlYOm zU~36p?eBW$Njpkm9Dt1ZJ&q#wBuc0m zYjs+c{+x%Z-G{YNl44rBWo({Ckp+E->PRz_x@4$;J`vbnK!hR)5Xy<4|IJqFq!N}%AVudsG zC&xU)S0{yXw1`sHn=Hi%Lb*CHk#Ik#xMcLL-T*T1wJ1eY)c26%twM8QT@I>{Qd{F9 ztvY($DS5ak0!hcHGs?`_wE*BLpjc52JuiXI5)J7ebt;^{#VFT^9$Ligz<+dS43Dds zzV;9dK{%~bw=wgG+ihi@);j!s;ZnoO6b%q)Pxp>7kZDs(2bnw-i41Z znVL-Vav2YiuU@Ntu#Y$uC4KwSajSfj9C(&P8Zw3GKVjUS7dD_m#%3vB>_lvCJDCVu zT?tf(Fdp?RRFYj)`9U3!R^UaklUZTY!b&QgB|pq!h&!1kmaW2M>vt+7uN^M*WgA2O zko=AFs``eUIt%~L05k0EZQY?|Z8yVZ60N!+OJkzW(7C~%j7PixCqz(hU)rRv(Q~l= zjF&12rH2uTo*fph*f7$ebOn)Z`4XGLpIl3UgHlbU`Y_{Xp_#}L78kpB0WX8I!}h7f zT4WXz?~)o3t#H?lk+HE_F%Pwptp_ih5$}<9{?5v9`CS=e8rsI?BV@}TN-5X@T^qxw z_|bz{b18Bawnc5{>P5LgQ|S$c;kmZRl)1LdY{Wxv0(FRQ_%CSNCcKY*_u<-yR}y3$ z;xQFdR@^R5h$5-9XA*9(DUuauZ7&~>OG=3CnU?%XhRBUY!*Pv?sm_2=~abS?kf}_ z|7NpO1W)E~8(+J_OxuTIDfN4PpQy*EQUVBGcRgS96g_tHI@bXVkBK*e?b|%vWPZ+T z!VjV9f^S9keh-6O%`Vfu%KDBY;J@r!jjsc{DHT6n>xvcDFP{GZbgkS^&|1444k`Gq z^;hp6MLtJPdL^{%$=z4q?mM<8$*XVVDHHA!VmsIADg$PglkHIo~FFtX) zpa+OJKDYWMA|O-mUYXl>-M5a5+RqnE&70p3jgo?!JH9!i-d=Z)u1^j-+!iWcZlBp+ zdbg{@sxMO?o!YC6?^nPa51B5E*YOfRougTpW4$-;*NT3k8G@~A>Cfs9iJB;F1@--<)u`n z%&K+T86n%!WbBP9;CSleC$J>IV@sWh(QA;XMtTPrMfAqiqvG{+al-J{{WO{V=yje& zRb!cAKPL2hHRMOU_Dk@sSL(K|hx>cq?>8b%ZV==C`5By>0B~t6>b!R4c^I9k=B1QK 
z@G+UoV@68Vd1ZsW^|(`QT8glfB}o5X+I$&)Wo}ye=6C{f$en1e zG9E>zI5Uo%m=UyNpdbA;CigV(kon2-88ltcb>Kqm`?BCj{N8VwGlMXC$D^sXGMYQWZ^#P2>#yP$qYwg%a6NF@d zxR}2=NC7f-8CwvgZx$jw#Ig2IdB}rIWpS#b=JKA_tH1pnK47sb`dcq3kN4N&xXk#q zhl6UaPhtH(nzmvwS8PJ5{)0$mnIua$*3P73m{ghx@Jn%o9e_>plwCK!SKb=0#scU! z(V>&vHCg7|y8&mx{QckBMuxKw`SS1hZHdw8gZF9&>k#ck96CQo!!rmcbo7^n8MDt( z?%C%_muZO;WrWDM%zEj6R1^#dFCwYngyVX3T?_^0j3r4{!%lunX52TQlJR4fZ!h4c zW%nSVoA8B_`BPuyuly^JL}B8vpSF_IN^4Et3cl71Z3|x9qr%!hFu6>G=Te*;N3ttK z&cQv)+$&PrA5z`LMh0O#WUa3<#Wo*9y(1=`N>sh7)7cjHsgshpA}==v-iZq5`ya?l z53W`sl1BhX1cndQhu&BPQSCoRYUZW_d4ERF0Q;3v}V5YO@ zFqv^Twdx+jdF>&YiGIC}eZxeT^pke=h_h#=#1RoA3?)>ES<)Ot_c2v6Pk7!$IOg7z z^eYn-GpR2D*MD%phr?=M-+F`>N4DT+Vgn+nMHDXk$8GYbVr}b|ND-ZNp4hfB2);64 zjKogWI2nm%;-TVVcza~!CAX+6xFy+AL|}yCKh+e{ix!%;%UtNx(g;^iZ6F_w*k??} z%aYDyakTy!B22I<36iLqlI(_rE0SHcC4K`lF>DI|F4-u^)Fee=V02eVi@VxG(o!P$ zhfqnPc#X;EJ7@eIPc`3gCCv{TFMw}6h^y0ItcsdXa!k!RsJ?BT?a(-fV2NEuanVGYJN$Kdj&bzr|- zEFqE?6!(&is20TzO$eH5hK_oJ=v?~VPbnvEu(;|_gtuzp_~;H{)4UPRJiH8q2eywo zHilqCYoq8zOZj!H?j>sNqPSSypz%VTnEt-=I;ZH$ z0%luxr(HHc&pG#wu|_?tvEFM{%{jl)6h4xb zsaQ^IN@B`XAo!W_*+;mXAJU&J=2elzqW*_NX&vuZQC3n6yVHQh$>idE+b|pQ&v?q{ zUsybdNb2bm(9z!<4ws&yFmdTrNvKtYNh?*a3f28hx`@;21|{Yhp-SYA!sxk(D1`aa zodcALm0L6RAi~pM zoty&SJ?kZvsZp>(BB~%Aa$atGRz!vkR0y54x>v948r6`p65z*7r1U1@nT?|OWsjkp z3YR1QnK6fWJZ5c7l~4b_q6HAK{&)R$LIXPS2KC=@f!?Gy#2$RvH_nfDKL8KDWoRM$ zFB%DtjKt=^mEFc4%b?+rk9S8oyFsv@YKmt<PDwb85ISIeoenV?5Y%oNQ5rMcFW=+6jmc3%G+xyZUsJrFyg1>UDwEA&;n`>_B zbN02RXYSa)-fpegYJ1A5wQ2p3ec;&iyx8@g?7avltZ_SET($C*dk#2S)pl=X*{z~= zJ`22nyU4nK{+E6Pa%Ly1f~9}@aK5lRaz;Y^$|fH}jy}0+`b?^^Zyt4fB6e6jB-U&n zM6m2j+VgiThKSls3-Bv$C~Lj}c(N#_04OuZE=u8sFJ3ogm+Y3C6Z6H@YJlU7Ku1IY zw`|MF*vog-skDncHQlZk z6WiBtvUenNsWVo49KW;IiNegfbD`2SX*iHz{q!~ZE1!Pu z80g*O1#0HG^4LYztg%1fC>XfrsaXBkPX){erb1#m?>rz1bhTb;+g_1JyAgD`B-b2itK{ldCWfds$55w7@Jdfnaob|k)>P3#?jQ8E|+<%Ad{ zfwPR0?2Jvx`GQKNbH9=NGL)H(#9+e0S)M#ihOb`=V$a%fdY{>gNIxJeRL9R-xXuWO+PyCt`+cOgE#C zzZLOsj!-R5hajg#vn9Ef=*PFwau`;LWR)(3R;VPEh)a9L^pv0` 
zy@t3yM2QW4^=unr_XMcyg?M=#imR8Z=hbu6SZ84TcOl<3=ZA#mLJlZY^u;S6xRzb& z7Xu;=1bfLEuD=c3FU!MQ3ROauIr}`G-TOAQp-!L(zu@p^mx}!)>?7kLicc!*Q!;Jo zsuILI;ErZaJx zJjVNZMatMXmsEW8%m&VcWO(xa!Volv73eTlTkaTc9eb*{^rFa6WSi*B_Mst(X=>&M zCH=>q#q3AqvMbZzfJ2iz4_B?1_5j*rC**G|4Lj4W0Bx~nigG7KSqZu(gC(=@(g+;Z zG9~xYnW>ryTOOnA+C{^9leXaSA8Nc>)3N@LBTa!M!7-xFN(nfH3LF#5l(`i^O_TiZ z!wb7Xe{GbJGaR3Gd%onJNapR2Wj~B!VCG>Iy7!u-3Ky3{Sj9>49R0OtAmY z!;)HFKH|fstYUEMB=W;;Zu7v|#USk7x+`E9Md(2NZ(8k#Fos_OmR)R@*jIL;9oJ9b}ZUd!?-M6wuClSSn403LhL2~hS z68-o-7$sJ$V<_zPg;8VFS&!2z{;{-D{gQEFB-T=Y}35G~NW5G!$3$*Yy^`PqspJFKZhiupw?gYK_z!E)? z@3}A|fhJ^Yi(ZTs8U`4|TcVMSOl^l4-fWB2CaAfrKVh949K%>c#s6OcLE!|%m;aYB z?Q1blaa9N;#pmJ!I_`ZTM-t7mr2l=ny%lrCK>3Vl#f)h~0?{Bm&wm>?R^PH;@#^PQ zp?37DL7S;9z?^p;yZXutSKj)KNL$| zw$DJvfhTUQXRqR^6yI%}j8D(#Ag;i}Ld4iZq>?3p-Em?iL(h^)YOVLA59ZEuGF|#= zKaB0!!fR|rr#XzJfwIYKCKS5^|bGuRCtBD$5vsB3R{ zrN-2P-SyZAe93n0a^dLO15S5i%JIApkDQtEwN3;S%3jj;NEyGl^XOpR+%DkvA59t~ zdHmaE&~=@rtKAjwjJJD#7_~*r>e*_cDX;6w@?7BG?5dVqZQG|5aC49SWRcspzc80t zaRH5#*zP(GpZR)Nbw14M*euf2^xRsWe&wiKaOk_a+!oY)ThAM%rg3?<@w{$gbOlSP zM(G;Q0z(~pt*_lq1vijDhRL}YZ-<&=vo*l)kD;rn+&4hAAj4fg$7Yt1FEGmiqVMQi z<&_nm%Vw^mp91hO7ZhZQ_f1Z+avY)aUJu}>b9lv<>L(oQ($qh_I21&%vzoE zBlcF`?xuW~a#!FbfzGy_>S?;rr~WzQf(hWQWNWhn=-=ef`pDk)ZN9M&L}=x|U!w2+ zcXN&PqWk(LNLlr=A_b`R+#9~B@qAHF)#)V4axHJaHgx@ci>L_=@HUO@BpkgyJkh;x z+`#Sy=U6+K`uc9QyY%z%t(eahG_8Z#&Hp-sF}o$?ec%P?-iNjAo#t)6IT$S>&@esV z1$>~+tGRYRF}#4F?m)XvR>OHM=`m~#jPRbkvGNNN$TITVH-sWh8p5>j)H2*NQeJfgjW~@rTYpP8W zr5m!Gc~>gWeC3>xGvJV>3W#izMJrR(873GrjZ>WEyqUM}@BJqOVX7#x0;$ zrRLB|DI^n~4T+#kDB6ZU3s@UhUIxcM*vnoP>ed z4oQI6;2&eq!4niIG>BW*9iShpWFTYF7(I9GMAng6>x7aFZ{I;ZAefAeER0%Lxf}&% z@))kMGOC{6hspAj%!NYH^W3jKdO1RH@sFpB_@5-9nOkt}7Qq50dKnxAPx$Xd8~$^t#1Yp(Y|wT8T*7L*qww=Gz!KMEtfgkFRg_M<5+ z;rxI?7=Z-+%h|7jjDGdCo!8foIBL4(AXXiRQ2u8a^B2(DZ2H;*%G2fj&yC93FC^I0 zu868%gpFbjox2}9vnpqCq$~>+6MB2#Jg< zEiKcc&CaymAMkJ8^&#Tq(Iw8!7jpfqtZBh*F0C=qjbmgL^6JX22m01wu5^$$X@P>U zwe_!LvuRGk*tp-0Fb9I33JJDvoI=g1u8r^U&L|6Ycq(FG@gmUh#Hfs?SPR*V#a^1r 
zcLYl}{G6)rDEz;XzdR`UKjG0^qzNaAMdI;_8(D!9Jy zDTsj)M+ik&6;{bhZfuY~eL8CRlE;gVF82;TNQ239QF9L zqf)o|QH6bbu9^~dd@GR9^9BEk)0qxFOGo4e94jQ_8(0;+dszzIdc)U4Hi`1Hj!r#= zcCy82Jp~#cEPwU8kdzPuDwZA=QGO_j2NHRoJj!`o5CQb9wxW&>Sl4I}CRWduH>j;~ zWvjWy>f*A{(Z@A+n~839O0Hx!JaeSLoHpaXi>(O}Ryb`6kmZZ>NfRyykhALtntELU z1AkM65Q7W;9>V;hjpcsn@b8~c{?J&t?=gl;sdu@638bC&kI1uNUtX)f+t2OMF;pK` zpzJ9})%LT&`#*9zjvsQX8yDTKu|C!}#zT}GS>4CZtJ?~+)r3I%@pWA77T5tDGSKT$ zr0w;N-G$vcVBc|7M(6%t$fuM^mEHRHP&&}e1r+-ln~u1^ZOr|vVhv_Bq-E%59_T8x zrSISFujuYCLAFz@`yuh-=HmzwX^O{WL<0Dsd(7VO?17>QIBR~+{#V=akPfGl-df|; zUn3Rd%W3#pXxA!02Y!-6i|_kH-N?Rui}7iy$?wYJ@{zB+_IWnF8PnV9V3Y0oE}(Vq za1T?-?b`r~a<{#1dJM@{a?!ooZteBm%J%efdf1D*JxC9YhvKz=Ksm=*T6Dc_^|@VB ziFH;Lc%K;JfAY-*9qMp;6oPj={FvR&;Jzp)%&*OQoyYHtw5($B1t;WMgUzdJr+V2A1Fii>n%-XwZx=kY7u-16)NAKFO1oF8&FNE^B4*$Rfo=vB9!nQkJ zpr`0My!}WJ)A}rYyCCG`z5h&?<2_=&pC8@YL-DMt8#XpAnUKqt{|jEUUSPdIthT=y#?5tTrj?l_2++qu{yW^lG(sDydwj3NCaeW zJ_o97btO&s&dRcVKPTQbb>I7>MmRkecPbxB>7K?^V}oE-w)ehHPcyuMENei-0)?R2 z$2VJDi4PiJVLqSKd&v{%-$<_2M6waYv9UGs$LJd^$lUkfV^m^TNHhvu3{XVY6zu|2 zxJE?EP;OLKgxisg7OWvL3}vyd->^U^p#XP>KVL}_kTGd_4Lxn1!!p<8ql|r8qs>v2 zuYt}?>W|n*JF#r;YGJ=Qaq_*?+If@lIOtEf9$2H|FEaZr>Ui1y|@aOjv#0*jXi=b*Zwx<$wgZ#fxZku0je?NkG7$mi&0(G!98WKz(oN*>3YS>VE^ zVO|cFM(@iB@k_Xd4H?8&<+J!@2!@T>bxu}zaoOTFY+$64>f8(>(Jn=P)@$`aWXs5 zO&^X<{A z|Ae2fQx9dHVpGL+TF;3@6+v^LXz+voz%3haQ={fW*Y>N2NskP(W5k2NuK$gVclFFo z7koJA(LT7Efp3`<7HXYa{b$%H*rck6k@}mBiqt6#DLJw8Tw@lNzIZb@F!o~p3)c>t zTeK$eOsHtp%y+3$df^K^7Rc>HXj}V=cgb-0z7U!!yn|TZ$~mUWUOo`#7%h{Z)6hv8 zY~5uj3s8nHm6@AbOl2v$Un2e_2HAY#7~B#fKa^!0@v8=tkRB(Pc##BqM$vX) zS?}Ad->gRNiNJF2TkPfBN9uE~)d%*IK;#0_*poeSS=|#Nyj;|G@}hJf_kemfGtNEn z<&t_0)^IU(9u~CDtRcx|1F`dT-raLluR=&+WS&R!ybWqVFdm}Zr=4Qu3F@+BVTPJv z78d;Z^-wiawu$c&ov=EY1^TB`Ja)8)8T|1<2F6ceO~_wQJyIj?;mM=mtI4EAOasao zWX_`40d17c#!3@oE$SHcE&W)AmB`1Uak1#ZHZ_b!%6VCtR50Dtb4r11>BEEm`B558 z7l+A2%o@=-_$ix+TNef2qoTU#bHEy{(_QL(S}0b|mx+Hud3PTwyUWTv5TsNjgsbl0 z>U|oRGaAfmESZJD{vi2uP$*dj-?9E#F007)b7?gpBP->*%bpv;-#FoJr5C`bJ*_Oy 
zY}14E|CSG5bZF6n$U@N1MS!oagx7|zEFwq7!xI1ro?HRC-#+343>XMZ1d(C>0Hwc^ z$m23e)0CZhw_X!?b-{*fd7YQ1t9&OXOok_?TGV>*$-6EFnHZop~ljG-0z+UEKP9C>QkFt37aQjwf z6KL;mdDnWA@>(|BI8=VzZbirbwZDEy-L8Acg2FJ`?Kmrx>H)0uu&g@D@xL!5BVq9a zMvTIpch!&cJa>?LS3UGVouD9wtt%ubhImgL?OI1j!2PhT!q4u7*ccz{$(w2ko8Fy+ zmzHYO9QM`?quZ?q8v3=jrfr=`Z$Q{?FiUGy&HbGIh|Up`H(&1@g#RSOJB>v zdyCg0^)tZvpfT#@_zJkN+1{$5Z*zSZbq5YgSF631OR4NBmb8}v2N@zjXdfcl?4C9v5d_LHzcA!0Lfv?TEzt}{ zTmqXv@1W^2tV)n1!V#^|fA=beHlhiL$9z_pG=($_ph^m$uA&%16zTV=Da^BH3DW4E zQH!SN53$lbhn|xezMW+pB$+J{$gwhGV>y+I6)m|0#cXgjWlWk6(rSS9m6wK#+gqNPyEOuBk| zx`h52(rcEC4&@pH6-Phs>@SfAdK?33yzVn6LmrBtLP0<86el*MNp(cctsZc%*o)T@& z?`jJiCkVY2hmyjLmNE??li?qUYs$DS6z!*LJtbNvdNb={eUc~5P=0n-RWTSVR7U$2wIUzrP<*~a_sncI{ z#~tAMq}u=tl`%hkgaStN==M*w$mxefbj0$2FfJinHfW@WET-S?Yg+#XFi zezGDLJGP|8DCzc>N(lTNUKTh^$8rT$Lgqk7ag&aMD0wmAqgVK3N*NlH4Bz4s%m0># z+@H{*29d=e=^KzY`JFka{eB=hMGO7|ic&nmPXZe7)l=zWfWkuH31oKnQp+H%MM*}& zgw5F_3?PsIoaeDxH>&0@;wG!*_1Kl0wC7hW?D}8wqHaL$rW&oyQ)ngq+jZyh5uq)h zP$fp$)yvBS)cI_y%Ws#9t_y_mJnY=9l(TuYTU8eP5Pm!R{NTCnI_@f+Da_Hn<~Pem zt>OOY+oYeiy*r&H)a^-rpTG89TJB%8)CRn^>~`9Z7B19o`D}}J&V=*Jw|bTo3UrJH zc&_wT)n<7QIF=$e?)GZD9oXh}gET9h+Q@IX3Bp%+^)Co*yRJUGeH^Bz`Y&c@J8#!Q z&oGgca&(+ON4LFmUf;A1t9SJ^F>eG;`}t~lPL>iWeKp+1Nk2LP!kH3)s!msLkXY-k zU=Pd3^I0f)jK+CYVvYk6zti?+%V%QXm#$9Pe5A9UEnrm}pW7bS+w`>J(!2gIA@jN8 zBd1+z&8?uJcm`J|rv-)N+-dH6>tGeXhf-S95rDE`EPGhkJD=+-)#>S)M_}8>VThV2q4&xCk(0yf z!wukID;2~I1SNnl2fvVtv!D;jecd}kflWO29`jG%w(%t)LBAr z5+`hDk|NSMuq3Zsokvl+OQk-fnaVQRa2y&6Omjb@n0_vLBECWhhM!}`2{tPa!rI5l|^A9;|L#mZ3@=*QLLVy=wuaa zs=xdfBG5^Lm6O&i)!lSlo}@h)CA?L=LqkEVJU{w?> zDMH2PGLo(&8PBAQ6s%-Q!EKc&s5%8wLIgrshTo`-_`i7|ATujhUPrOA zY47oYogG(RWrY+OopGd3XX--HI#zW+yQ5Twj?>7`0Z(9TJ_h5FyBLRzyzu)$AsQ;zfUofEETZGPm^8ajJhU zB{@QcdQWxq*Gd)W;$hcAh73}mbm(5da`tu>80h=(A3_P}o>2d5cs)GOQH1#VCfkqtLc_#zi)4 zte9fa0m_WFCA|*|&M-1{DoBH{{3G5eH~84$3}&jw`i>OW#yFPwGzra|4hsex*F^5tgvR`ZZ$e=o!zlrSqY*O7*6SIiInP=^l%ia{b0^#q=)7c~VhF>?(*n zuIj@U)?YX0;+Qb_yh$uB1vxR@VMnBCRLB8CYDp|(BiEYY0Hzb88RiM?2Zv+^?Y;E@$m?3H2ArUjHW^b8_E?m 
zuW$U~-{J~2&63%oIa$(GthjW>neR#W7al5;&)*h- zWs)$PVB`hNQz>N>DSIBS(3GW*pp7O;wL!gPTlp#qf!8Q-c%l!9==VSs|G||sQVELF zr?wM}f{b7tJ0|51bqr!NF~}cwS6m$`wSgpWR*mFifcH>N$5YL=P+M_bzt77 z(fex~2d1|SrvdrcDQ{>o!SQH^MP8)AkZKpMANRt1hH;6hRW^CL_yzVioM*-OpTfcN zGinI)D-&Jv0_ur)Z36L5&hWfnybyv1+b0MiC%u35RZt;_XwG0y06N4FP3Sl0qw&Yd zEfk^0@yRIt=UC3@rE1sd*d$M9@7ur^!|Dt2R4-G*^Hz{b4?Gyh{bsqk>LaoB*#@_o zlgN9P^yKn>^l&$I^8B`Z*Zd1dcc-=F>M1p+pP9D zoL>#XrE0vbv4Z#@22Px3-}(`x_|FR~y8(>Z{2r;LM>0P3Q~V57G_;(6h0@tJGcGpo zU22}{p4gs9i|Eu&gLHu^mqVPPi7f_zn9f~hBw`d|_f;q1&3n+>FVCaX;A|hRB{9lN zHuozXz#bn4?UvID%ZtFQuJh#8ve(6Ow*aT7<~ir*`Hvc|qe9!O!yVUmO)(wNxgv{B zhuc-)j)wUR{!yvkUAp&rscVVw#Aqko6=73yy+olUoUL7I4Ij|7`5549D(ZOZSC!uss19;0zJ8+QzF65Iqi@{}sAt=60gB z-LakYf{ty=UkD9cb)6qFeV+b(SDTi-bhszQ{CG{zwd%UNc&X|BZVzzu>~0v)pH;2# zx@}5yz2hLC)pmXqJ(;s}q5s_ZGkWFnFtOWX8mqMX_pP({y36uoO(4kfy5$%Zh)ifP zh`;l3XZYZMOK?{Ml}G0>1p$?1{}{^hqSM%X_=$9LX>OU7uJIQ3;1c07s&)gsJ^rDS z<9qO2nf34(iR9(G+^;(d(!Kv;odY+WK)JPKKy;AcguL_X^h2)Vh){5ve{d8ta3A=f z{^^VNo_QjmH3e!1A%VtmoWHuOIvQwvz{Nd^GLx8XyoG`f19CwSEM3F(PBddV^MgvD zNb-k_aU;dBGIpV5@;#oKF+{Oe%O{2A2ntD-Wef5UYotyM_u03mtbFxN8m2ey!st3) z?TeHs z#4T4?+s|Q;_GXzkGdAk%4-zP}bW~YMfdw856&>`s>4x7k>xjzqarDbsNEcXTHcJ%+ zdvLEmpd5UUXiijU?GHuZ-%IP7T5_!#MI>#bfVxnkrATQyq!5>+b z-{aH}E}L?L*gWMM6qV!>J^L-JiT8gbmlUeWo6n*&DUHT(EW#wHy2W85$4UBd#}h0L ze&IG3jWAMH+UrQLNrvFFT}&-iAkU(4XQK7na zqp4z5K(Nz^hp;Abo1+7I`9an}9qVozzCGjr_xjVPY5Y6r^+~y0P7jj98A4mwU@J;H z8~%fRUhefE3--9#=vRovk4fB3isWogL!KoeC`Ia_mFh9MGV@~6;t2MUAMVMv$IHiU z5vp~F$Q3>P&LP{pn>iju^d}A8j5U5P91gS{>=S>|zc`(Df6*skLXtJjC%(TcaA_C4 z|B+3PdWe=bT(SUg;y%rfGs3kJO|hv|eQ!XwLRkjmqEPBfgTgLQ z`SmBg4N+7>YerCe`L}4zdXqH-%cE!|H#HJ(1)B}Ce!7Yh>4qVNa7hJ)R!!6o8x+$8 zI*G)I0MZJN9#z|w+dD?vdNwt45}lC!E~;~bWR#;~iTQ^banBBOh&fw@DY0a zIQ16sMm;SLyTE#&sltpes%189+{vRCHnp-tb$mr5Uk9%Av>;p8Z#H7>22^Y$I*iB= z9;{~S9XS#kldZ+_5`+M6DVf(#?!7+nLma+p1~)!5xs#20y5*oT>%)(NYt?R1QWMd_ zro-Zq2t_*OU?IiiJyr+6qTB`W-fZY{;SEQi@zFEa1LH`yhQmChQ4@C?fn!CB4^S+T{2J%FWS9yCY)l 
zYRDuVDwd%)wbSGSGBlfo3ye7menKf~1d7@xW5SYa3sYce;D$~cRTv>POB5=>pK4gA zNydryVmJ+!cY19FqsqGIkuf97cs!92rEY+yJHo2CuvU zd5msmj$^xQtYLglNFLIf+e6P^Zd!(4uK8+xK&Xx`ymxz;l^lHT2jzzk0(>iON0gb} zjleF_9F4oI$M$65yYvfiQ(gD*s?yo^zBmSfk7qX3k6{fCtk6drZ~bSJ)E&<&{>kg! zMz`a|FEH0|@hE};;{}QHGzwGEx9g(x2!Choc=@80x4U7L`uJ*B zyKX|p)b??0m~e{=?Ix_%rC6wM!_o*#nB@t$Jk~fjM^XP)^B<3A$c*9Kdg;Z z$5Kc##@b{v?BjlI2HI=QzgCn6LeH?lF>*fn3L9x%wkA5cpoxrg=3;?iBq1z9tXx7H za-AD%qbSJ0T@F6U%2W^D<(-fe&b2iDZH1JZn=zttZd|7*cCB;Lth6Ni*)|xVm;9?* zU;Es^tcEi`>(|bn!_oI4nFNUr`5%E9%s)4ag_saRRVz4L-b=PC$4OKSEWTNnUO)ug zz)hDVv%JeHDX{2=%bwkfj8iE6V4$8Shi3A~pL8dUK^JC_8WUOto(}=tgJvZbFwW#9bmRJc z7zWGfFGa{!Ulp}HWK~PqqllBqBAiQ#448 z-#0ugD<;j7)%VZJa!tDV(5q;fvONerBhVuFiKYmD?1#c_LkIhkI{yXYfR~^ub|WM9 z#J6~K@ghhAdAc#lfE#v^wS>t1)O7-I0WJ{T$LPcEmE}r;a4`ByY532zr_cXV zUeTH}7z(%u>684s&sT^t3ew7vIvTeLJzt)1ZsocyBw4Ppl%6eNQ7sVc zl+T97tJ+&7CiQ3aTQb{%c4OHzme)=e#fZ8MUSJeEnScquQ#8lEVb8NDP%M#vl@i24 zR6lPMXXhJc$)!=Uh!o=DnyGOdQFMn_VHk*JkbkF_i}I-N=jg z)?SXB`iDn4)-q0K9U|hXTzw8=ku(!j3A#O8y87S(CY}SQeI4v4PUrheKPe0C|8%d| za9B9yNx7A+4$V%_mUl6OCD6_ru`U%K;wf1@9=2q;EW!t(q6Pi5%4S%ZK;JzJr>Er+ zCFUAeLM=%m_oObRJIE%0;ta{6JD#pdWxRJlFaD?6kXG4>s?h1D_NY)@<&L2-R#Ysh zh}J2T)XM$Ywyrwr(w%%w1J9*A>8~|6GB{Nh%gVG> zj53@6Cr|37e`H?DM9yhL#5)jUcJh;QaSOlAL!Ard(1d5LME>;uO0Xj#HTs9aBc4|d zn`kD5h_dupvDkd)cc^J~3622YS1v1#6z0%*15-ovH2Ixnnq$%H|10<)y01q3HQ@ID z&wy*?%&`OdvO5j`1ee`seEW0mJ2pJ;3+;98QZje=rNb_MMTf<^fdf8jptCmZS?*i5 zhgGqw`L2gYXZnuUWdZWZOy0X!IH-%)Nhy$v+fp{%44NEqYKPCRRIl?A%{J*v&r7{E z;p;)@*!R+xVW|kQu9k(J;fpo89NR86U16>g`*7FHx97XerQU~3Bw60Q1y5Vf%k1{e zm6!De-Z9?Ce&Z1@`&$j0Oq$j1^JPqqP5m91**TVLQQdZv)R)uh+<*P^}Lca9u9 zQoQ#x{~l9qrL|qJP$z9%x6Cr9H};fpSBjloHBEYRs~%FCcE5M{Y&1@u&039K+x07$ zoNVCFJk)|=UOt3c-)xMjA7rK0be(WMCm%fXTmscARv!=B_Mcwb#j zr+#j)uf#X5C3`fszH&T++8Z8Et8BHMg4$1t9DcOyyS&ixm_9u8PSeT9PT_lym0P_p znU_D@yqA4ksl8)rIS03$z+BKeui5gHcJ+?Sigmr-s=8vALp%lA0>)eAG;D2!j!i)J zkHTkBlf?)|CU0yU2C6#mYJC+P-9FJT$1+fk@uNoU%)BJ_d>C8!V+k*^VXT&vAW!w+o)_j7`sBx&^>gAr0aaB1n1Lg 
zbAeQwZMWChIB?`asGaqpmyYl2(RZDC-Sw0Mz*C0U;dCp{m7jnN-?s5G46Y1^(5%w= zJo|jP_BfU;<+r;&D!s~7e|q{Pbmw+H0*=<&jnVVu3i!O%pUCkY9VFt+TD@$THv<2& zJMKMxC-mw7o?Jxu_WSNxK~H?zW`Tyf4D-pkf}s(A_}YWss(=EBfawQ9f_;1&#f0SY z)P}Jqf$2ZDxzae1hk5D8krK!cPzVX%&fkQpb!FRCdxjm@dD%%L{axhd4n+l@ypaia^}F=q0ekhDIp#RUppm?t5iv(!#9M~C`4CqJ z2a_ml>|Mrgp@MgqMY08BGyBEMgQ$qy6!dAjvefBw<49k|=xy;nsU(n>6+zi!$(=WrrMm9E@;&FQw$vl#! z)lM+&pPDLTFCqA7s(-k*^JK)~vA5VqDk^>trs!0FX>?$Ob*18aDD$74{EA>x@VpcE zxARQ+hZ-EeP&H)EbbzKTx1b2^e+I2tBZH79xolZSvS-f^#{Jv_0nO1g|ia%Aay{b?{n@r$E+`gdBCrn7`9RJ z0YMn*6q&}*e?m&40Fl;I8pmh1Eb+}HGa>Zip`Q(!)%N_GPe~@TWSm-#rzl8R6*#a5 zL0S|cF`$Vo?WU!N>0!cl3sAK z+WRF5zv)-4nS$K3*G8bapQWDEP_C%;O&{*=XY5Loe{dbaSPM;9z8L#_L8q7DA#{Nl zT$dC)MBbbMWt?)Ae;5Uug^qqwk!85xcx~HNm?Ipy0MjX(p{9_Rg<=@wMA`8Xwq@M! zUm0Ww8_;?E$;veU;5DCUuT}6C@QL|${y;1@h7;%(StJS;ZxK2zO7LW&FG$#(LVJ6x;5us|@bBpVs? zPs2exMST&nWAUUzCUBk=>wgMp*I$pU`R_Xte>dnwWvKMCG~um(QMVVQ_cLOj>JPDQ z5isY=~tqE@QrX$`p9(=smf-DT%}xgyx`YucT@X6SWZ z%rvF@n7;uTkxX9S4!ExDg1#Hw1edC(4vR(Y@BW!Fr|4Rb@0#5Q|*Y(<{{P$_Sbo|oYlQMx;aMCt?R{bnb)Aw_( z{9PsUg+rUXYwdg9@5}jEmPv5KkE9Kl;ge(N1`te#a(uZ#Dr|giuP#83 z%xK55b7qs$3)@guIih}v5fL`Vtx>cRHs3+`?f_>p%rB&(pm zk&2*1dPx5-Wif|cCe#$c*Bdz%S}zkkpMf z8rtab7U+z4*)Cl2h^u+@E8&f*$7bT<29t>TcwYBDGbBsQ|uI8qrSt-emU#5aIsIK0o ztkh>P*d^6_kviS`QxO2|JD|{^1S3r)!dmzA6Y4iVN32&Ywd)&3vO`HM`7+_9d{V?E zXCg5U{I|MMj$h7req+~BFsb*}ubiiNMOrFqa8ONFRZFx0vr2?Q^{*MFWdv&vw~;l4 z>P&E`!9BeQJD_Qz9X1te9rrEt203`6_2P-Z0qnbh1arW5%X4c)EOdIY!kdKqSt#tS zy`SX}c~_I3(ebUw+U4C4G+4~;)+7l=OI#}G2+XneiL>8F-2ICb`(i*P zLYoi7pJE_l&4C$jhP*w-519A)B3UjFK&bR9gK>EBXZ;9n-S0`^O#2XwWGnzUf=yV# z^$DvhU1`TE3}n}WVX(ShCsy-G2D2Zgh2F0TZCqM%=sJXpr$lhoYB`?+Gy+5ll~#Qv z#z#G=+mZqHkI7QbH$$SSghpMwfmNK*F8V*mNa-&}2!*uCb8xWMk-lZ<@k_p8?XU=V z8&18ZWqx%t0K4`bN%2XQL%h=XQQnxQaM(Zd*1SFCpDRl5<*c#QRnX`W! 
zcGHt-pTX3mO1|&Xa&%3`FGRo9V5kT#B_RX^qaC>5y#fu#<-&9@39&3P=~k&1is*W- z?_|^)(7TBdwpVv%Dl?a#S<8!?KR8q2RnXNbqnw&cV>Fq5aSW${9UOLW*{c80gZr{+ z^UwS0gYq%nxIll{D(?{A6)1rpCcA>oehSDxTtyHgo-$B}fF(-MHul7~E|!Uf43Eh} z6*3hE0wR$a;0x#?>C2Fu7896ZbCK@;P~~_mg{vPudX^%wg|ak;6jzwZSh1D0q&ZV6 zekSZu+g^BXCV^-vKbC7>&cPth+bqVUx@Vg-Tfr}Wr;#5+WQo4ldLGOCpl&i(kol>X zo?ujw*+#NT06{2_>!RyRpo}X;T;k z{5L4F@yG)K8fD7Vz zTz&B1cL0gKG%)r(nqGHe2HZbR=-jj+I=%ZmAZr>uWmelZRBs&Tw%1>&5bJrZi$0bR z&KaCOcW&2t?~Qv9TKeBnHk~Ffp-~BWlfIvcWTIhs?niob*mm&t4By1l-#>3!cK``5 z?X`9N(=X$EHnKl&Fl~CfrpJZw)VO+;vp3&x{r)`6`P1n$U#=UTw&)P^U+X@xSI6j=V;266>GrVrF_c^!bCR z=JD~W=X_7Su7@7tM^1J)P0G84`i>K_!|^}#ec*WR67osQ#a{(lOxpR5SIE}59rn!X z?eFH4L@c&LN^$?P`S9~RRLroA3poY6Mjwo#kx=;2Zu60^~jof{f&FPrUB<48P$0f}7 z2AxRm@pz?5p5(LW^L=Gq(AnLuu*mthYDHeJf6g{`=kyO+ztp)*kX+n+(v`Q4My%P` z2ogf*ao-JovR#oi7wxup`JDtg5P!~@zxJy4-mbSp_WL*Z(sTjp_xJC5XYIZI z8iVOtx3AXmfd1dU&ognxmy1AlJ;0yhzW$%W@cqm`7f!0LhI0^<#RUy#ag3K_WPbsIcs z6MyY-AI?(qZ51nhh0k-}-Gt$EsMqLwrydz}lwNLLMlmVbSs-cpYQfSJTcoLFSz|`a zUp>-IqknM)C1~8#H1_e4N+qY|HnZw{D4nLJYvdN->nQ2}f6SL~jRa$stJrhn!MiUZ%*> zQ?m$#ZzwioTgPPKwRIL-1a7(IOk0>9mXm>Jk&~ongCLETtepd0F?*BF4`MJ|`Kg1C z{BSr@-?FXBvrdF3BNBqqp#IGS5AbCGxzRRRAMe&3CJNE4ttK zOM_jTMo!A+w^h)M)o_|dgdd(Ut#3MYtlM5%r7BM?c2a3ma#NRxOQ86D!xnTx1$^sv z$u~*+ZIQCH`zL!cuEnB`%v2bw{A;6BW$dMCr$WnLx8{+$UAiCfG^-T4DmEK1X zO$J9X8X}|`CV15i3P97o@Qhh6Lh>`^4?v0kd`X{6)(V3HFogykYpuIOEZg&AjeVFo zo%q~+e8|O^8LVm+!<@FYjx8|?UWCGJf)F63q)NM5898+rt6K*!&B;0$7Ge5p(xo(y zK)Y*KZM>JLgljxlMBNauP{#%V7@1)JZP%on)CHqo2^ZFvT&6p!7;Y@7SFR29D($i~ z3vcJ0A&Vv2r5{aGu==OSY2ALp_|yTIe42T3`ik<%^|eyJ_wNvxERDHkg7|hkj%Ii< zZ|4u>oCykO%eP-Vv+}AVV=nszGfY3W)wo)BkGrb&7M}iVGij4J)g|bnJ*#*M=O7z3 zoiT&|cSf-)h4M0kiSnpjI>yG&1#6vQ61xGC$#oxY$`OJeUOyO`lzzx_UQ(7y3I}rm z+Li~$QlykgD%&4ZAdGZFmUseGrwS4(f5b@nZ~~UZhAhjq5X@8gvBMZ@kYA<(Wzu&< z8kJcrS>nTGde!Z?UUx#NUtDbq))j@;Ux9-#jvJKZ}=>PdYLYyqS|&UT68pww8goGA}^N|`1(sKV|M0^poCju zQG>XDdMDMk)&jW`&gjWcKGVi7MYI^E<$bKZbKCN*-ZTFzuk%Py@9pWJk6U2KA?Qj7 zhv!>$R_}huHfg4e#9JR|Jjc>?{GVW@_bBnD+J71Vzbb5N@~_PHPO 
z+LW$vRd#FOs<(IF7ii4udaj4;^ID03TARa!ZaO~d=Ea*C_bsYt>-zt0Zt{gGtf)`k zHkXYq!QQBJ{^{KB?H-b#+kG9j(cdZIj;|qT9r^1KvE=R4aiQn1%RU}>O0c1I3gC$+ zP~&rXu=s*{-sFxaFgKpkeWeTwxX8VtOfz{+7H72$1rLR=>CY1Sjfzj}1Mf$D@<2yn ziynC}*j1ArRW^Blt|RuP+ylH%#4Tnz?Kdq-UAVdd4Qh;=@0+n)ya#88yVZne#4h`T z-A}}CFSzsGFST>~kiD-Xv|b{a57&s^Tyr2zBp(fPWbWrBoj5!(+K1`OjJf9d`u26! z6+55V-OtzM7j9I~1DzoeP<-!upnFaiUbq}nQ5cr?StuHG4I_{0W|OT}n(1Z|11>~| zbeox06Zv+MWg!fNYz3REC_auiE*!Whyjexif(~_%@R=LQBM3Q^%K*Yx2z@W%&$NKe zY!=5$TsD2~ksr}*Z~YE|_Cq06W37R9Oz-`G!43Dj+W}C3%0<76=Kjw5*1(3ziLmp* zn--|!#V~s#^zrAzF2F*rR0=Pf5c&qwQV;-MM&?fU86wvYXF(d{6sIv2R|mOUeH-#>Dw`NscH zxX+O06TETiAMi}vo$Mwb?6HF?)2E|-bf4)UnCtBkecGmniz_qK=VS2i1C0r)xbHn1 z8|9;01Rt86f@$^KP={DG|v3R!9$anCw*Z=3BG>@*Tzq9Xx_3?~15z6yq z-kZy5;OJL~87g>|E7WVe-7ezFf^|DT0*D~vemNO<_Ok_SmlT~r_bX(7l;f*!1k%eW zLk<^YSuMIjq`^UwST++P*cTevB+$k4$;V;Q&5RTZK$k!c+maUYJ_(1Zr(QvQyL^Vl zqEf(9tIGJr;Y0n6Jwq9-G&^H#t?GOa4)4J|r{SF=`-y;9`Y&?2i82JuGbGLJMBO;0 zCcJdEePbrwAq6Yqzl1fL@0t3uxF<@n^d$^D1V0n!LK2~>2#`w|1oNwT&^uTUQ+AkT zwkf1S2h|7DMI=YS`_vqNiS*f?T1$tHGndheG%A?7Bs*~ya&hpB67HXQLH&N=6R$vD zg@%*IGybvmZX&A@c+8!+LRx%$VV5O4B-dvgcH}BleE5agSbZh6+oEXLsaK^b9&{6H z-h8QbG}y!)?B0Z$hS#@4YmyV=Wn#x4CF)GmJOyt#p~i#VUzOKMkbg^{z_RA0-puC#tdZe5%?+%jsRlDwYZb zZHch7iCU}h8qIFfK~%;b8APu160v1_R>Wv*;;ozV;_P^y`sG?;F?f|fF}nou0It%U zG?kF1K9j0_V`72@shA6NLH~-)2G@H@-h}6U9Y4| zPFg*sq9pAHR=a1}&%jIYv2wr9zYTfDc!Y4)V`Jzq*tIMj^YW;AAfAhqXt}{Gbzw@Z z(XUxeofjRhaYxr2K^J5ZZR;)_Q_VV$5(^g_TOJAY$MJ=gguL>?ul}TAW@$=psqM?i zd;^1sg@I;FCQzc_B$qQxk%*xrdihqKB0{~!@uP80%@h1a7=pBoO#-%tr;>>0#&ni< zyJ73oUt>H|nabRc@ed|gMUq$sy}>VE!CBFT5`utH_UVlL8>$mo9*iYJi;Itgpa9m~ z`kMP^HHy7H{+9^saI6ue817v+8A2ho3mIs2?24YOsi!Mr1I0)YL9w5zO-STjt4^>d zs1_F{!ZIe%YDUdG3GNT#G}!NU43jzsh81lpUJ?vu%6f!rvE1p;x$b=EaXQQcTWPh+ zj=|Q`R?^~AxLGb_gZ3lNSnNqfs5B;m=ZnZw7hl+6ughH#R4wZKe8l|85C82GE9LeZEPrs}XDNTXM5>E2M zT>_>#Rc0}0WNI8+*lH$2NN8!g8mOpK#)*3-B0Y7jJ_7L~!6jF8yW~7dr9=Z*Jc`-E zPohH%ovS0vHh?6a&6qbC8dZtk;7Pc~8&=0pR-nx1{QniuVWZ)TuhI+_v8_`53`+Nb9rs* 
zXHk0T9r9dfPJa1+h+fRU=yCO(Uc_n)(v{Y(^B=!fk8u%s%oX?h9$vTza*Kclt=@AR z0Zu}dWoetnFC4eM=Z9<_T1vIMUCXrPwwprtXPqO-k{J%Y9>=M-3#+kP&(60W_lfj= zPs`(dy*pzb`3;{zJojBHH@!aS9>7!|+ul(YpWUtZ2a_jU*jv}ofU{O?Q_YKD#Al(C zs~zCOKFGgg2lAG{)iF2&kL!e{NrT#}Z(6P_!MyuYtUDTncd8tsz_{92% zjVbS8j@atxC7{QRli05Q{U#UbaV$A6l(`KAx>{JCc?FH^6|-{^6U2Fq;`#`kf5 z?-Bqy&Ype^$n9L0$OJl^=JoHJ2)XZPw?42^4S!DWeK?N0c*Nhf6YT(DJ?tHge8&L+ zoqv9IxoyV<_;>jI;{}w)gQWR&^h}!Owb$8SYC!kl8qbD|Z-(tCZ9PWaGdW&V7cPK) zJy8BE2=wO*6C3>*0O#xt1aXe_CxJ`=M+J|$)gTx|0gfaL^t24hXO4#eX5oKJZw`kZ zOd!cv3h@YXa}oZ&gwFu-aQzIR5Rd4ucHcd&P*-B3Y%`(>Yd>znEjT!M{le70;Z|Qs zuLuT81?tKT)9$E)Je!rz-Jv@SPXlx0LC=$_yixBG3k@p53>QwTImc7_^*1D%lBUs- z-1+VF<8DiEV%akV#y-8$@zSQI_}8+w0X0Tu9GntI?sQ{dc$^XlSr8B0$KKEo$5(AJ zl{G;@goJYL(kf2cCSv!(O_|2`h2W&S4SWS%A=+&wtv1lYbt{{StNgWg+TYxh&rxA-5Kc`wlt~X-Xwl*%&NWJ%M>Z5KV;X)l=&+%i zh0{l06Q*BIX_m+;yS^#0u8Wb=-rZbdiCx3$zvYD^%CsoKXwz$bn?Ld~Oe{-XC+}DF zvFO^%MJKS!2?LW#wvI^u<0PlH zb#7XfN9($SY=!k94Cm6e9hM?nLQ{u`v^W@yh4vb*+Hi4GqRaj(EBztptIAUTQEgwY zD|tv7C!r80K=m(Dva>Yh;|qfOE*|a*6(-WnIktkAUHqo&Gt$tQkNStFuR`}Y$p5-}?8ksfk7yn7fTmv9%<2&bmxoj{{ZT#$j$6#ryI8ned$} z66VKj2mbC3Uk7Vmtx~F^U8z`0FLq^0Tiy_!Yk}e#mmA1gqg&bR z3Jnx1gkOQ`KgQJ2a$=@UF>B1tO8Fp-3H^!4*)+tw-2RuEV+gltW&E$7fDGLsbLCb; zc^q}-FMQ$Rnzw>$&6wr#BwyS}35G(EbrLtJ(;dZCzKVSd&kVem5L0e~=@>n+9OZ(A zB9+N0B?z1osz@1_8uckqGKdYM=|tlRROy=sDt=TRTAu@H1&SM(i4Uxg7BMv!VVz+H znf9_gRYcWPknb`zLPodP(J0Yqd~XZiG-F^IQ9;3c>V4yu(-NrWZ9Qgjswf!t1v@{7 zNU%%qHP%PV7AaPfP_7hZAZnW>u)Le-NT8Jf(2B#;&f&{<1!Io;^Cim01XtlvI=lB) zpa+s{ktLxO42bRWGa?O(2xLaNR&Om1v+gQCWJ)Oh9pB74<}#FI$ud-qYe_SFHD^%t z0=FF1!;SkL{%gQBpCFD(g~@V7s+6RX)~WORa_Pv31hkliYvB^&d0O4dd5#vY4t!@$ zk=6jlTL=+71_8OsO@xR|ifn;DO*}?z&VXgR5z<-QxsrTZb&W~b`dM&7rh#!uj zKb z@0QeklNjNpxBZe=$HCFzz0<~G-*3SB_PqPH>9llS|Ei~XesRxuTim5ys3y$U^?Gtz zu=9oEU(lFKf4`rXb$zzOK6Ia#&e?7=_50!YoY&YZOLJ{z_gezw%^qm|pMJLAf|pw} zE{dP$W9=9nKL6s@jqxks+8(r6it_2dNkv=kkZ54Owmi=GK6G%z>@<$$5~ru}Zx0Q2 z|L){?L+>09Lc)Q%|H6ql{P-7`c(bR>y&OrqU(-XgmrzN*Dt?RET4M7znRhiKWhvJ 
zZ_%6Chnx2!+%Z%gB_{s%y+w`BBqCtJ=Z(6Je(woKLc^>**}ovNdYqpA*Et3L===3S zpI!euC$>fba~vIq&pZ3=J#L?AHnens=Ao>w#qsU?*z|cmH{7eVccGEJh#UVG<5HH} zA~Sn*Mop7#J!Hb(l6=F1`_nuw;GZis|7HV^O0RX@ z6oJRm-MUS~IZvQ{`L!k?qaQ3%DYb4b;hyIAW5ni@hVjuc_t84 z0c84F8ohCmAmH>-b^IsYoFR6JQL1F}lJJm<RG@*Q!39U6u0AENDaHSQQzvtn>!abMu=?-!ytLLP)OnFO^cFN+^6U| zhNCncyU<|Jv`ZN%$?=H47LXhQ1@6SNSQ)6DaZUNxdFqlbY06l{nz;^HWNG%VHPc!V zEv~h(yyFDKgTnwrO0--s&%iqxO}t&J^>%LY;<*FGVPF8N-T@ zu%!Gi2!2QPW#vfel`IOYK$3`+z$3~!+HYm>rgkZpF(|j%77HI=No*1iXqHsy${{xB1DNh@F+NZcM6n|3`$5wd#nJANDtTw(J0u@`(W-O<7(b}`3E?X`4TfAf% z<5*u=tg>z;d;wWIEh<#E+MM6;LUiOKW%vSJpqzOXE2?FwC}WLT}(3urN{vh$Gc zBjR-@AnKc(uN`P|%%BGJ>?K5UkdF`Hm-%36UzAvs!?IoBp5aTAZCy4_nN&gU77wL8 zEAr#}BEl@W-#F&C-h56%7wbe@>`wjCAIQHKM@C109kONcyDog66%jrqW9c&VS!j9% zY;h6B)RvGvQL&^8_88Z+x{;9uwp$fjAzD40v@HoSx{%s3R7@=0dkx5w&=&N~a7&d-tbz{aUvX{jblgGvCL`u=;OXO2SZbf_} zV6-@|$|%HN;QX`1B>N1nLS`I{Naw`j2C^c>>qYABlMcDv+=>Rjp*uLz5$3`KbscYeDnkMU)kz< zF8@WS3+QdhboxfVcvP$*`*}@{369%44mW*W?SL<@@vkfYNkeKW8?l|{8-0n2IX}Eqa4nF~yrgD9#UC!sy=XGBTFxw)Lb+0oRmt&VB zi2EMDoNyb)@7I3Ea_zgFDpq?}Y6_p3LhJSUyboK`YkQxg0PXym-dl=>_Cb5M$D(B5 zN4KPh-=B!TbW8HTYTuq6XL;6lAEfDg?>^J(`F$^U)AKzpUef*Wxy^5@YhiB!+*a?O zH5@u;Ycg;B|CZaFU=u^x6Ye`@_03Dpq;0mZZ7%ob2nzKcMsDoR^Aq=}3)P1?(&fG2 z&)dFY_BqmbUj~%0(;YH6KK7R4ZTDwB zoO@L~G#_f7_v=9OCm`{9(7Y?C-NE7uuNg8ZnDjaKit>ZiwTI+4x{uuP<-5Y|^hf#Q z?gKGlDh_U93N%Z5Lj!P_K^F8CR?ljNGR#mbxR9w!f!KjWX>gu)41?3=S!E~#UCNy) z8&;N!1;G}gDjJn^1b>YEGb>%jH}NRtn-~Qp;M?`PRyTMBa#~f&gv_ENt(?f|E6nNe zr+v3<`W7iFCZabO1)Uy$h+&9m?sY3)r-&kkWBbMge5*FN)Y`IP{%Exfsg@;oF1*Q$ zqAF-3WSO~OW!YLA(^j-l8*1)a6&CCnbR8jNEQxGI@liFoH17}~xzhv3Ap z4!VeD_2}Mc0#}Je=fbV{=SGvsZ%NC%%hJxYi#4Q(+t*4`bB(ut?$0Aw?U(}C2N(ASLdOnzc|{$*2ct%EKIa$TJ#zfVIG~bKEq#yTI1?4jW^sS zH^&Bu<-@LDfj{RZ3Pg~qH}@<>&4wehyZt=d&RjOl4Xt0x@_V6gPmZtgT#!}d(v=4n$-{Q#~?p9*6O#!Dk*V%*s(q_MWxY@ zlmR(68O-Q|rBD8S*Fu=z8o20rBb&Yu^$KVV-z&#aH!U+2QAU4u{Wg{Du`iVc%|E=S3O5pqlx6L;nCHz)nho^6Q2@fQh{LHbU>WyD>NeMusgUQ&tZL~=M=aEut9-ME7nMZU~| 
zEc}+*k~qOe&LSH-Bf@w&P2*wNXj@dimaM*7hx15XRy1e1F)PCpT%25532E%8IW$Y@ zhi@6J$-$7t1Lyihk-zlaIxY>xPVjG9$77Y6lrs(gHbu%EADGO#I4VIM(S8q+KkLD2 zMP#VGxPr$qiQYx5DnY0OHlAZJr6DCUy4A69g-jr5RF<43G-K3v<5iX#*&25ps0W=` z%c^Kqxwzq29Srx`{SJCO`vU=zRs_8Og>*+{Xvt{jTM;cOXofhdIg=18^$i@8rG=Pj zI#c77;>L=p&#kx!10N!FozP%@d&1%q<$`_`fM#~m2 zXHh?yr=5HxW?CJ@9fPk%?zHmsq7!-~2mDq=_^Jl@h@#-v5v^52AxX3E!bjn8S?r zM*_@`19~w6?t)ORV0&Fov+?UtVdibU_TC+!MtUUE_^gx~6DD~c^Z9iTPj~it z{-B2?sO~%ujkks|`FD@zuZ$B0pM|c|`I9(7k-u00Z7+wr%@&`G-a#q; zY#@NkK9BWtT)(C{AAZ*#rbuF9o_FNG4ejbrM1D*ER+H!)I!4`ZUQzPUd!qHc_vG;V zU|5*;HL)-6bw8OLDA=EZdA6Z?O59xklwzdp!6e63G6tJz1#b5&pW&r5TiH_vT& zUNWq$QFwNWG4fbv7yJ9)pJdN-zt^yx=C{4UV*>J`Z#C_R2m(M$c6$g!35`DcD~$Tq z_qisCZ62<9TaOKrO#arjo$1ghbsy2q0qPrfDCzPP_S=9;o=D>pALpfU>|; zu9t*ot*aKU_-2P~pRqQ++t(|BasBppOxT|1tK%-TItN#<_WE7VHt(bA(&T(UtH$Ar zhZnzF{);l6K{ExR*I@tI)Cl_iE#$COLjcaboOfyaa4{3`Qsq>i1C)F_&+ogb<*?VR z=Ye^~ucv_JL_`vZ1TDh11bG<_Lc4@2krG-F?Xa%5`504#!Xl=m>ivHZuCK_%@1)PkS@MWvMki>=(H3CdHz<6x;S) z*xeG}N=T`ubp@ixT(**rrd7#8>R#HKI%Kb7UQAuQ{>@m>+6BId6B(?0ck=N_TGzo< z<#++}kEsxie2@80XF!P=5+<*CZOJc-sqp>lwW!VDJry*iwj|?bS7-uoUyd3Z*FqT> zZ4~*0UGGSH4Ls#aHW>~+wKQB_G;y;tqo6otu_if8T+X7_q!Idmw@+nY86iR0wQ0$u zqs)3Gb+4MRNN?clc4e^WKN&03;uW~m#(q-5Efy=5O0zG@B!!~tkAH-Nw`@c9o^Kn4 znLq$(*Bn}3&>j;AioWr?tF%7V5rDHTt>;2Nh%b7ipPu)eKmQ2}{BL>nB>j+_XidB)pGwIhH^f9I z;}agQ{i_IJC$7re$6VA}KTNLPB6HtD122Bv1E5>%KjMJy#m9Zei{Rs~!d#n|j%LlEF%*4{|8jWS^>4vcdf zFGOI+Qe!GtTHQ*@FVqq%M&7XEe&a*{L!`E?tirx1N|`fsfXs`4a_JMS8W3Vc3OivU zGJlq)fRP2dd2;|A2!Z&X_M^aOA@k@8ywsOMIR!FC5)$keDeCngt6#4ar%qLWX-L$u zRX8#4jPfG6mfVTLOW#ZN8em1_A%2_XHgaynmDlXBvxd*8HFQi9K~k6cjVB~*QkcdVGiWC63;6aJV5b0uHf1I2?D-KyNp9!_~(sKmC# z0mz{!B@a9tSfBzf`7}O=~JhI`lb@(u0gmU`j)ChnH3D7T>;p zWLR8Zp2BYQ8HO7*V|mwVu9vo;X(!i7JLXf zcVAq1BoWLXcdhCuLWHYju_C#thFKEf`rk*pvZHm&o1(jNa7ZqA(PfR6|CKXPWso68 zo7CIK!q{APtUO5!8p=hlPRl z6Jg&v;T7bS|HDqXJ+*+2F5sHtRwz5i0R%3^l$P;w(#AGTW!pEa%$6tTx(7T$@p^o^ zHE6nUPS0t1BmXx&IbQN|`{DdD`M__o@^+dcH<+&ts4;Uzvk8D&cYxa;Uq 
zl=R6Od&0^Iv5IlMl21oagqzPQ=LaeskTNoxhCNvsHOd-^@SXfcZ;+ z+aFlg)4q5AXAc_+Cf%E7o&YOlm-e@p*Lgg?4gkQTITa}W%fNq1=Gnb@ugf>}0l4Aq z-QDc~9fB{vpY{^3!KL+pJ$>7A74~piX|o3C^GLY$ke`LMR0zwzW%-d)}R#M4Q;(YXv`+nLo~ zs_m|Ix{5@>3IKDx<#mqzh>(y_0TB*7|B8G?s&c5$<#syN$=iEL zD}LES%=H<>duj#)9uw1l4pYSO-F879=H6_*VYj|}`~z&)GxceEn%La=y~J!4x)5!B z#_R*H-$1rN1E|Y>xpmOT|1^n3xw2oYHr!C3iKYLD7E&FcnH(By2aGUXgH+zXjz3k) z*|U39&EA7^#v0HB;*pR!5W-D~M6iL~}QLpoejJ!o~?1FuFI@m!_TmT#Bk25J8UEEr#Pe~GBV2t|Y z-uo-sZ^ML1flAhIAr4Ox z)H;^m;eAzonGh;&bIQCZ$rL@M5a z6S4@tgU67xJ7mnTX?;LB)|YI_Od&Pd1f2^{kC(P}iBlDD@ zW}zqMBoW+9GOW@j^WKbYojOP?@e1nz4yjpJXPK5<`$q`g!B}abs_`dyYQ%C|dYqi& z4rH$p7jfI=XPZDHLP=P+a-wo<#Z;r6udt}UR!zqyZJs@zumNerY>(mbh`u?ka=4c2 zP|Ob36zDbS%|S}ACHnKrh{*UpKSa+3Iube@`Z9&frX;1BeCt>ScfND{-c<`1?}8U` zPZM3mmutH`J1M3yMS=wTXZgo=<0Weu29%q%zdY8ey%W@r~3-a zGAGa;c7G7a$(c1BnbRGAK~?}x8QERZFm~giJjXlw#p<^SIaO03O5m2?<+iT|o90Ow z*p_jP_{~kJz)h^=6CTi4IlV;WiSr4qfHzDP_zl zGp~c>w=Ordvc!XfWebd>hpw-F;%t37N6An2h}`*G$wFws)U~ilP>8bY!n?u*QKeeb zZ&`_PN~$%h&Wd_Bqo+I?TUp-_jWnneWuTSVZ!F{pil%mD(FO|7|F~l*@lfgXT}_41N#y8- ze~%err_AKtwKcEa3B+h+)j+liU0NA1EXYF>v!X#}V+X%mAz4I79u;ZQMVeyFp0x>q zpE7ewA(X6);a;pUT$*ijOF-i&U&WcCsN#0}9x}=PAj>xYzY;Jm%#2__{>4!GB7Sjx zwSXn}k>(k{=$S_t;eT+X{g6O|*y12k_!tsqT4_IY5DyyPeCK6De42Iy=*ggN_vtg4 zG2r2CuP<&n%_4-IAmc$xD$ZBZz>p3}XrTwSBD(=8M%(eP|| z8FEs#Peoi5%P*YDuKjzLT)lVa$;W*Xj1&(#%iNvcIcu@-a(RDo(6*W0T{vj72pm2| zMov4IoZGg%#LkaXcYOuiP|4HSzKYzR9^_Tqo9_pVE!jBa^d2R=p-Fn)cy*TtwBN4g z*YxjG^3Adpo6PM$WYXoGGm7__^)~uL+I|)y63968EF&g919PT9A3L|4IiGWEu`Y?& z&$xL{lj7xl!oc^BQ_0I#1%Wdk9YX(^)XSZwO}oonsybcJ*-kQ(;Kewd9aR6{?tI(V z12c`9mtMWPSHt~~)XwPoz9F(Lf$ANPBYYnaPhXes2}1pC?{W4e(Y^aS_NA`RfEXKB zhw&xZaq=9`*&!E-c0hgfuz;UQ>DYncuE;M%2vkIaaT(mlnHT=N0ulvUH{2pB|C&}vkqsM^m zp8=d8ki{qL*xmU@K4{^e#)l+LD)cd*1_%iq7a0rdv0usb-{t#!`t#Qj_=ZAHOG(a3 zOFnio^cLU63{*iZtf?v9Wu99NzEI=LG0AERdlfoDk;Xg*oj&a`sGT%Cs;a-p408h(Y0I+We6#X}^0+SCyEMwR?mLOU zOQ9#b;x>+3uxkp6z^lw2z!II)6bG1Yj z``~tkqVi!*T?$>{wYDLgRVMf-#_lBdIrovgeFo`e;LZ=4G)U>euT?0PnaN1xn~lgc 
zfW+&NVU0&qih&K1kK#D36R$u5l?Zy%Ww`oGtf$s2xV7BNG&#>12LM>H$VF!xb}IUm zeT9#P_(7EbG>T$KrAt6nxW)fMRwaB5`{`GlA3Q)>Uq(7z(&AU$bhYmg!rF})7BN7_ zZ>4K@N_)s-k9xCgyj)T<`aKqf@l}I{g$4B0;9^DeArW_-*e$o`u}V3GF82GZQyUhuvCRfqRO@=}uxS{x))51l zCUa(eh*Wrjlk>cVz*p456r8?k*tS2&Qi2c`zH^uM6rOt=+tiqy19Ll=U3yBdJ$W+z zPQESlp%bn`ImCIx4p~vim69-2S$1&_AlJ(99e(z*5>@ktd)InCp3h1!mHNRet|BU| zV-WzA@X>!mA&)-C{zvwIB_0}bklHx$G5;L6zd!Y_2sGkT>$V=S7m&mpnTUu1xLgS! z15O4^hz|rLsZg z^VUA~KwnP)F;Oa)=b;AVVX^PcMs>Wa#0cM0sYig@utuKFYsxEKIah|;egs!;+v~@u zkoVCw;#>D;=7!m8`Y746?2h+WAcWBI%X)7&H{KM=NxY{`) zhvxljg5Fug0B&4uP}Z+SW1C8by{)%@bpHp%Ksvt&hl!SW2gQ&B>^F}(i5p#a_b(rs zbLA5A{;=M|T6vF~USIlVjJRhjAd-{^q#7eD)wCC@n2A&;1Q z!NYglb-`1~b1@xU_oJsvD@5(%PQT~;9zW|BEw^;p3;WKx(fiBXliIheVftQfADVq&C<; zw^2BF|NPWSKiccSJ4tokZcAQu>vK08_Q2df9C5L@%3rQu=Cb$B{&C~Ola6^lTh}*T zXPY;Stqy+nwbM?T**-n~(>Z&+ddl$O-DY0$#P>gOW;_$z6nsA6e>VUBhx31sFZTZ- zr~Ut18UKp^G+T7B@|~;yhDnMw5n>q^djj=X|~$HmY@sEY(Cyh0MH`YB4+=7YsasGUXwc zD(1^Mtt#^_E=EdkK&m|oz>SDP%BYs+dq{$5SH~jWFATw^Sk*^J#bo6%*MrAGe&m%( zfy5thRau4UNGj zhpDNsm#U40oRgK!-mqL97J*@-gwbZ5v&&kF_d;t#1U?3AF1UI`q0>;XZPl1T_37^QOD#}Tiuz*3c|v2Cj{7zuiQDv<9o2`f8c zeYI*wQy*}Gg3y3mP@LqGqhtiAw2}IT{eN^M0Yh{=;gWg21j0@vT3z2u*NrHygy{m^ z4T}L&WJ9A*C&U7*6^9I@P%dgABd^*8TD)xLX{j>Ibl^IKgrzW=z%5GR6$BYzh71*Z zW*H3XoX7RmM8_}siIysOk&HU5-2`c1)ZwbUO5iXzD932C*auUoI6=yG%Zl)+$pw*c zzQDPDr=PJar7D9Z^k5{Da0(tJv2iW~G|V7EgK@gx;yJh1u+_+$#I@G2rHsUW%57Cz z+DIr!o+|VUCMcweMQ}j)JfT*EQUUV|fELCCPpXWgWYPn>Jqc>HRJXdWI)U}=T4 z#?zBjJ&I~w4@+n1`ZzNxdF3)MrE8U@$_>kAK{5=5DGrlBu1d*yy4g%58tsCRsg}A< zhXws?EAFYHkC_Ru*eInTH!_64Dz{BOABSW=nApXk&SH<0 z&-?vE(Ue3J5ZQdP#W#BltVl(YBYH6?P(7AuIMgIR^?(v(iJ7pg8`%btY?oSAcOWFH zBGnv}X&7{QKueUmU8KRXX1h}iqp_bW75F|=mO!251I7(a5l-Wd5D&&tJYCvt8jPmF zXc~;B!Dt$c{tE|!QRE`&Klt?i-?uTo=s#!Q{Ng2xfd5cQ6h|nO#J`6BkpJXA)PLT8 zPza)?PHhUOh;QOQ`T?QO}m5Zto_sDk9_f^mzO;4u#X>IZ@cHyfBpy$KiU#rf1R^8 zJ#UxARzK3NZhQV9`;*RH*Vr#UnmT0V9k;&c`1dQDOBwAan+%VuD8L1O%>H)Rb(g*3 z2NGnsn-^x@Dj%DD?fo?`*l1Pw))f!_&Baf=zZ7*8dClmAbJjTFEcUeKAzkd0jTd)U 
zH8edCUu_Ph758=i7*X02V`o%!mF>xCQlP9KjP zbN)kbsgqqR*Z*w(W$w-|{17qs45bY+8{BcjslPp5zLYxpK!ZGPn?1~V=X931xzp?X zeCd0)d27Y^#w+9Z;X7~I;ukv}d*3cc&03+X25WAz^Sx_t`+noWUtKf%g7r?1-?;Ra z>OL#)Y~_FQ8~BRg`+xpVj4b9Byc&j0K>$9-n?C7vMBc!9a$E=>PfD`9EJp{)4GS8J2w~R^rma@*itq_)kHvS1_pOl}i5D zN!7_bfYe}}?Nd43EZ2G_6OyLW^e}IlvxvFS$ATcOI!!Zy%FSYJK_`S#kC`aZ(QM3O z46cU(T(SzMxwvXWLZj?7wLv;ems1)OB~6qaq(m_ubcKvdn^>5qvp!o+PP~RURw^yC zRvScPpxNwq?N%JK^)8bw=D=`*REL1cHjM5XjDzZs2lW{6wqs2B`rD>|?WSR+s zYj(1uUNe=6oQVnBKsr{^iE4L*w6dLU4-O|aBRLtg1iVX+@^CFlP((kgRq83FTs8`A zF;#5J2w3KcLJJQOSOzdo8iJ)TYqXO}y4W6JZA&kL^r$M)-C9EGkbc{XDA~_Uw0boI z_V~WQ2xGC{#neh@l(WF3-WqgRI8jdPot`mJrASLp60w|$hF#Iu@B%a{DWI0p+7qNh z<70KGX-p%Rjk8o~5LGgOUMf{}HEyO|G%O9hLXI@)0-OILHAHAZ4RNUbos0E#E(Oi> z|9s4U(61iI~BoO9P7q{X~tBA%Yq8=}8Y7NBBT7*-jO3f+__o7Ez%Fcu&g=>zd3D(s3@^E|&_E z0pr%vP~XCeU@o3+XNHb&D9X20FJG&nFy?FUY+lr3h) zd>*W#m3pn^LWrW$KxFz31tt0eqS6|Wuv10#kzXj%R2c_7wcVqbQhwseY1f|gGF{w} zdm|6E+8%-o7`x$0fGZ#)Oozr*!|zHH)Z{Q1N?=4!XD#0-DNr(%w>&jOI~fU!S{WwC z3z90q+o ziG>vnD;sf~s-*^_5Xc4Yq*~3vNw^gs}wga43=BLBguspC$?V?{CR7pQ*jvkc`CVqd>MnC`k+16`L zd*hdqv*ep=WBR83j@-Sv->u)cVl8Cpjhx+(l(NFO6-DblT4`@`Z*SGv*QuM1PFnHZ z3wQsu`S2UZ){b6j(8kE$XV>&sS?njP-`=j@w%#vxeE+udHYa}FxMSx>Z(rqCuWtYN z?iZdu51sq_BhTLXva`>+>ezQzyZ(2Je=z#vhx)3kpM2T;yXI|%ziDq!W|dD(&CSj zmrJV^-#TH#-Cw-ysGXO1@Vk}kUZ2LTTe)q^4~#Z@kt+dxM`=78q`oM<2d#n0p|4Q`qUB3R#tCz0z+Op4Q zRwzC{cd*h=?sUHW%N@Rd>-np$T)q2)XV>R9zm{6Oeb3e#u&?hPU3AZl=ihS2-q5Q{ zK`Sp7-}K6ga4mP%bFZv??|b*r^PXJ)o$dC#bFuFoyz5%-Vs?hv^iKx-D!9!Y?V4Mj zzJAH=mcH!Zx$}2Z&s*`8=FM;K^91&-NIO-$Ztown?VFiH4p=q4bm`#pAD;EXbB=xY zA-(f=dgO2B|B(NE{`1NCKg10G|5EH<;Xgw>BY|JF{vUZP`z3VxF{W@l_PP0w`l<7O z+^-z}iRlGJ$%$Ibqe{_QSpMTI4F9qDFyAf*Br-`!NJ{NOKq@Z}nL1o8=@K{SwsfwM@v#VOqYuRBF@ao|(0dW&+QqF1p5^MJ5 zx}PfrhBSyM$x@Oah~cVJY8FAlb0%OHY!f{bEAn|OHO-qG0MBt`g0RaO!i|lwq_|!- z3<^$E02MOU`z(`c;i+^YgayKe`fVX}WE4`tIz<%y(ezXTLa3y`u{w#v39BNRz^hke ze9Tv){-~2;oC0pjk}ZsJzCxBl95i%rnCd7T(+!=Zf{sK$$sy7g<3ECddw5V&&3vAp zKAu!dIEOgdG*6h&c!1Y?6qFb>s2WB25-hMveL#|pNmZ?+YY9W@;DGA|F;b9=tyVvu 
zDC^@9q6LEh({lN-J*wDRU9WVYs5dgE8!?F*GJ^;NtVy|P#^15M-WVvUtbr2^r0(@Z zrHf9SOt+aOid{A1Y2%@4vvrve)HqqB7nNk`s!Q+^lp0VhnVZL^r8n&1urC zdu-3s0;yAAhIC|?nII$Ua?pcxL|3$Nc9rYm194|5>J9cj?%4VHHk^2ol!#)tDsBIPg|ePf4Bv+ew@UDkw6eg|9RHWXR)84 zf(w9M@O#)GDtDaf$WF1StbE>Ue6_;XL z#|R+eTB^YFLS(bUa1?M5!BV5NF~SRG>?RtyMwJ+3SQ{&JOU+)&g+WZO`)RELRW!WO zbP!w!706AH;CRa zo`3+vI#vtuxE}17jp@d-Ae%EKvW^R~+v%lBNxjB}Ez%_louWCy%9iGEq+O*1zJ~Rs zN)c$gI476NXphc0#SC6b&@=33hW*U2pBeTu!+vJi&y4-8As9(5lKf|8{`Z$+pX5Jp z+;QT*|9$=gCvXCtK0#8SNB@ob2mV7X0{jO?NeY3H=^DNW|2ZIAyX(xKKYH40t;_8F z<~+I+L7dlo_mr3CtoQ7J8-M$qllQ*&lES?^-+C-#Up~2h<(6^siN-0f{pf-<+x9c( zz5>qMciUU;`r4K^zO&mMZ|?f!O=lDix@GgTcRTOmyUsfJ^%rZeB~tiLPW|yZ$z5N+ z|NXaq_xdf59>3S4##7l%-uvV68{B*Ro#*o3IrcSV*ZYUHBiEY0W?_X(*7F`XyK>rt&LS> z&aH(lH~O)7F#n?;C(T#3dFD*vt>rhCPHD_L>4N$@EAM&aTA5YoW!L`=aPU#OCL1>Od#`-@@;h!=p|FD{uCUJ$!cM!So`LS$<9QlD>h^D6 z-)^hF-2adK|9@Hk4V&rz`ES|3!hbNQUJ1Wy{XgUTa78hl3gWUJH5C|W3bm}1FREj~44PR58R~V7HX~gN zEvDS)lc*Thh-_KSln5}9&K1#op=70)8lPr+9K%4u$|8NU^eI_;qJKVLxi0KdT!9s>Wv`a86-WhLOB8DvP5VO zsslSi$%5@R9mP`vlu|M}Q7xnX1h->G(MnuS_i-L5wiA_5!BTWi#q?^~9!pTyDoAFc zPLkcc%=`RgFm8?8vgl=#G8~yYSrKduH&f(ftO^KFGJ7?X@!FlRCJ=^Z=RG(zaal9(y`Va@-1f4cZz8{ z#afM+^|J$CnkLwa=+a|(WSRBpZGoUR+!9-yE^$pT0Tm?O;{mXYw^Ny1xxx|Eys8Qv z9t9mtE>UK#(o5hZ#N@cD?a(%siM6QBb*Mxvam0uxWyPrSD$s6~8+stPI^QpshB0j|KY zploF+C!|U=?jen$NMZ1)lyBFX+cOURjTQOV!F+jGliB_lXE~+ z3=@H91TNxbDGp&1GR0=V7EC2I2S$t*-_yZSBce*hR1;BaT#mKE{;(G{W4zGpNiD!_ zbSlF!oRhS%)Qw$~9JB_buup0_r1}lIn3|?qPMivfFg58{Fo)IiLaUiXJ-V9is1yMp zL&hK0M-Iw_bZy|NxhTjXlno^seuiSjc8RO!yFtt95qjN=Dpdj>)xqg4F870Uf*W;# zl8nOaB%j3E{KxulrkrYi2LEA%kNHn7rm0WmKhs0=kNoHVsRsxAqafU8!6K97y4bMT zNo8m@JH|SG#Sqe*IRHlWvTe3o)xJ)XnUY>7?Ub9*R2dhFh&#xXG0L@!CSK1MYCS3! 
zjMP!PGVGQ)79}U6>9Gf}1Qj3+zGRXmI>rr*rAvxXX;VT8Oy;yKQ4PdVh)^ye2*aY} zPk($H!3~sE#C|K+BvAlyMIoa=T-lDh8PZCLNyVwz^@0$9I-}LyWU35;cr=-Y$qK|) zy^fz1o3W+pnt}1rH&PkI7JFz5~GNB%**EzB;_w)cV zoMIHP$!z3JLQ%6Lwg~hckYfV>`4b=K~Jgn zR3{_Y&8B%zw6F9zWt&TYZB6obaXM69h+5n4pqmk|Oaf;0+TSe1uQd{&fEHxA+Ia zP#pdQ{@LYAUp|VG1ePFiWQ%`3@LpPqE;9moA*h5L)E+AAFJ#@mTtX*g5&MZGTO!aou3+fb!)?iFtHx6Q5a!Ypx}dA+SxJ8!o`4!CI6#XD^O-MhBkv-Z{x zc6)gV-#PlAAI#Zi)q4i3Z*||!>;L?6Z2ZEW7az3ux1Ks?*_X%5U%KKon{w3d;%K|l zg(v;z7*FwbZ?~wk#Kzr=HrS+j#F}sKwbxpmH7~dTX`cVYR^*;tPyfS>*F!hHTw8AO zmAH*g$?S97X2h-gEV0$QJ^Z*`cUa@CHMV&1+HHZ8$y}6BfcWyGzTHx`WOr_!{p#}2 z<1f*3_gZoF+m~PYwoBf;=JsFqo7!`~{&vah-o{>C`R*A{%X1~=#mE1!$t#w7>)Jos z&{}%ABU!>j#hcJG0WUwe9wR~CQc zJ6k>Q^)sV8^?OH0ukg-Kw|VwR{zuzgm_GBWz4W(MSnb0fZ~f4%@2znezE|$h8+XOe z+4Zt@w@V*&_=!L9S3TsJy_4jstBv2<`3J*IvGIlc=FfeO`~PSE|DVM_|GfVv`N{b| zFg)Y`zYP0l32n4Mkf!&y!^sCMQt)Z@v-*FyMKYmPigGM-rD+m3eFEm>1xcJKGtG~a zIPEj|4?bN1R^f^~I!#i?N=!%7Z-(V^XTj&NzkZINsHx7_sU;?COiLfFs#>IjauJXV z@|gb!2#Fls<*NFmyMU~it-zHF;+UuZ{IxVk2eOIEP60_Jrtc>yj@A~u5WvtKnN8q9 zU8wbqisNWH?#o(YocRdfWI48wH-%K<&o8Pm#hR|bRx3!@+VmTXc@&WSQY^cS;|?gL@+g%!vrzip;|zg#aY)$)#PX}5<6PC26sIo>!fRgc9_rW8g7l-P2O(d zu46?xqSP7%l9Iq|uA-z8{plX`7M!0v&2%Qy168DR9~B?}oUrmtk>(Z@C;zd$z>YsE zFHEmk3mA90U5BjNG^0?XLRwJyKAa!<*-q6c^>L@)OQNvXFEgR9(P_BlSe1gR67(Pp zxprL6`vA`8ZPy>$q3sC*#-^fZnqrqs)f+hSB;hr9+M&t`xmEKtdQ!w7!gNFm)VfZZ zC90{~2(aR^pOqGj7^!@UVJsb+o1syV8!n+P5f86HYBK-L}lFkw%uG_J9!exFJt zb*WJl0VVISy02i&aQYZX=;R>fjt2Q+ULFZ@IzmO9?8g;1cBHyE?sb_UE!$;(Y|<3>MH|v!qhQLDYKEvsN7L+GLk#Wcz)uv%gae_iK&W1{jF?s>oZYmAA#RlqFX|qa@ zm_S*6(CEf3sMhSFmS4eu$<$v21)rr0Xt6MC*1<`+3Z^hPQ49;YQJLvU<4TbuXiZ5Q zc##NvF)(RRXpkZiXkKav;B^nKLv?TZ+9fD%suJYXJ7|t84pM1QX>^mxNlI)@5OAW3 zykj;kq7ZAY$>=`iPuxZq2#ckbHYrp%1*;dEs9J3ni)6nJa+;xY15L#PupVSh)(Y!F zvDpj4qGfdljWFqRC<9X(AZ8JXsW84s$Ua+`bQQ{>wG=xlx^&V>YqaX}X_qVH;vv*@ zq>SKJ^3Jdk*Tx+gRSF64V>cW3r$_oT+$>xDbKNlQE=d2j!MvpM2^b2NF#@!<8IY4YO$}@#cWPP0(^p$F$!%bk#^24cd`>Tp_ZD3 
zNmb`s#n2c`A2pg8#56JxIPx1gP3r0#-U-?{p%s{kDpILt%Y6L+GF`vyR?N+KACK##~cM7zZH^-G}9B$)fHW#~GixeR% zC*T^`E?82(=R<((biy{;f$MUx| zKEr>$6#GQ~&n26DQ2p^D(EmfiFai_P)A7&yf2hRY_y3@YMWFu&fscQg;R*=Qzdh5UU<_{jJuEav+d5tH244m@>_x_dY z8vAN4JGwI{Rx4{n~d&F_Nuf4$hM$3AdsZ})wYS6uS$qbp}$zK;0Q@Yd=s{JG3v-xV%e z2l?e1>z{w}Wgp&C`rv{7o>#|@_foeV`1-6fk3a9{!Krti|GVwZPAc|!MEHjzs9Uz$ zbLVgEw$r710qteass7;WYdo{k)*NuwgY(0scisP@9ae#^&2NaVwemUY8h&rN-F~jl zd3QF;p1$WHXWDn(^>pDp`L=U@xaNP34XwZ~e){_IQ`_(S+h5FDu6PUzoV5FIIsuAa zwSVTl?!1SoUs&aBF1c#CZ}OM_;PEXtP4B+v))(KQFShty&t9{ExYRoFOVmoKlOBF^ zJN57#zIOei@Y=oa?LM0G?S0_~j-8Ayzu}(Kw_R?>WqYUIyZg4+p7Suh_gUEE`9qg@ zZiiErye)Un-1$!}W~K7W>*pVH-G{rqaqn>_{Ykm6K0ie*Guxeg$hN>5*U9JHcjb}W z&)@d({nos|J$mWow|??xj~+Aov9<0u7aLJ=LHYd#^t|ev{;b!$gKjfd zzBKcrzufTP%&BBhif zyFRPNrkHfpwmG5YCdi>o8>?5yG}9}Vz}^t$3fve%rm1xtdpc+VJYv?qVE+#iV~IMh zMvWxc_aMDi>h<7YQt6m^Qyp6hLL)UU(;?^z=z3nxN@yM;<0ZMPr)qeV09r{xG_*cx zj0^=XHj;Ew2Q{StWz139Y@|ev$d0DB*sS$cr6ts?M1#^Ns?=0$eoPGgDqtIGmU9aT zhpASB%R9|>T^_Q6qjBwKUNFf)%+p+|ksJ5r@x&?>Qu%Vy8rg0(!wTgIt^zF>@foOy z6zU0qW^GHza#6pTW zvRg_IVWpEEj2y~SfD)J`!R{d4=elE*Z3t48!Gxq$YIK@GLZ%2!K&5=DOxF8ErQUY= z`Y;STAg%lLk&9N05NK8>31J#@a`?pZ5@f)4+jwDE>WyTV1GyqtM=~bVmdcqp7dlhl zNXAt{5_!vxIMfyL9#BxGp(|~)<9yujX1EE0iB8t|>Y&OXG zu2w`*Pl|>^3CieZ0Kf$6jR+T~m6(3@Z z#F({K%)xFBb7B_v!Z4)MOab$!{%1T53RuQ(bvRM>;!e5cR*FR+WecUEE)5kMui+!p z%Y%g^*0#kStb1$?9b^@G0QQk`Mn#H4u0r!fuHr{^W00-{42EeygGDO?k*jv7sb4D~ zjM78Xw%gPpy)8gO`pY*R7MSNU!SkqdRsuNq{@(u{sGj}M3WYF!-S0OjF{exY9Oo5c*6 zGYZJaH9|u08(h2EXxK!-OH=kp=zD_QpbI@8PYV{9g?cDc$nbq834lGQuNE2tTO#@p z*oGY{Yfn%VDv6y5BbD^BEYz48E;Pf1X1LG{7n3Z+}EPKH@hqCd{esSBGTYfMi&VT-$C3d;jtegmT{2GmmmcU9MoU(dgnxNb%3{&&B- z>-8r*_q7!le_C&J-Q6rMuzJ?%e`B zG`0IXyS#Jvvf-+)t%e-3_N#N-+ekhyj@{~>6R!FGe(S#R`?E{Q?GLJb^ZdgvoOAqY zhi!Q3A9s@Gd&{5GXAXSg_@8#smAt30^EYTuq$nDg@5n||}QOD

6|8>D0eYN<jrr^Og0mfNsz+KG*9OG_9$f~vh`8iF82rJG|(syOxp|MT9#<#>!mUSC(Dvy z4V&h0)DIF+Cy8V*Q7oi#ZMt73L#p3!vrsuFiN4#k3obB%>6|7OTE&r0=!~BfqNEZrnvR-#O z{!p;eOuMg>tjvi$+ja)60UtAAHc1%?QsDPEtKboue2!Z5!p`X@R zrpIZZ+$Llr>p*f;rogBpj_^s#kSm$E&Vi}IxSGu1VJV*&k&XhmMYl{kqGEK0u`3%y z3rZ?FtaL>PZ`H<~WEzQOuaTTkxH!xvKp4tc#gsAbF_PAr^w}Zcg|-xPEd_U5)lm^` zmOD&|G;G8zkU68TOGr4%W$I2Z8DkkHbcb-ii*-E85A7z1D_jrNxZNR=v5)R|flF6Q&J3#mOuFAid@D@3)i2TjU@v~LZ8)O78*jwRF(qA0!%a*V?!?( zbC4%DwN#109317SkZ5rk39`qeKb8nj)Y6=1|K{RVT@;5H`euQJ1+K-Rz_d0M^Ap1i`s* zQcHC0R-uq!#?47Sfe>&sfD=xUw6F@_l(T&)QMGu#MBtgcp;n9pUO;Fb2I4AR1rvIj zp6S->pFHL~+by&9ETQ^=c?c z{WMM}h|tT5u~ttZmeEAT)T9+BfhLw$G`P)lV?(Mi?$tU4fF>imldVZ?mC6mLR}!Albemy4GpuKZ^~|uI8P+pn ze`g3rA&VscnbH6GQtXrb$Ez-W>3^U9pb3(~P#8`UpM(D(|G}*%XCK5~Uh58U{?R+%ygc_vS32T`kp z9sia6-pkvJH#%_M;FYi0yBu=K4L85C`aXxfbjLwj2DQrciykGa(KXCuZONa{+(mz9dwxVvw3eWF}FVF4Susj zPfh%eT>Jgwws4Pq{*-4gI`N?Ou{VgVpT2A*{O4QkC@;40IXis&{wItTS9%sd5*^^}7!im;b|{eEf$u{^$75CHFr6Ftzflv)=9Q z`vP+AlMili>HHOsym`}OW*uQ2@Z4M1>YM#`$%n4I;Hae!4%$CSAASP7!BwlkSKfOf z^Zl*QcW0gUz=g}+{4RCIrrR5}rw-ojwC~)uRQ{eNUw?Sx_MG#6v)H=T2ev5b_1&Mn zWT#!R#gAI~9O->xet+xgsqbyK<(+#xcJ!P*y6_R%ccI^~KRf4%#pdnu!s(A4{@h!8 zT)*06yA7R#lFGgtuGV@wnp5e#=Vh1Culw=E`y6{<`N%iUU1q%O>$4B7%zOU5TlRhP z*lUX)-WY2i01qy$z4+*I_uaHkS3mgCNA{Rie({{y-`j7`Y&`dpxcw@GN2>{nd zA%>ya8KIl04`m zp)5Bb({Z`htu-1$Bdz8}o+|~aGxj>g7GJEX3B7ELu1vC?UIbb# z82)1XCl$d_-n65F)SnEIQpW0<70znZV$hP~!N?wjRW+M(*g-m;p0zsG8)W5F6CX7b zqU&^Z0JFrJ?d18I7#KqjuBXaEp&Vr?5lN>zIRl?)>BfZP+PpdjtHngpYh)#fY=Ywy z4@Dek0&>l!QUf$=4BKdJP)JlJy|Sj1GX$#%kXf+LKN@@f`cT}AuSqq zgrOP?fqrf%rSzts%FAX&cDxahO6if7Z22Tft5Q8Mv9eq*BB388t8Tl- zR}dl90P16+Vp!hD9M)a9Z>Q7cv2NrO|K|BWXpt%P)K6%E{V&!Rzq0&iVZzN{`H#Oa z^M6_hY>3b(?1upBW&1{Qo^Nw{Fk7-Z4{ zNJrHws-_sGlkB#Dax5g_I#RZ~2^EHh?NqUz@eGzsR_ub?;l~`s_K=*_VM}4ZIx$gJ z>6v)DFD0v_l=R68pvJ6`N{%s4`9FWhfBrr5f6^1b<+CB@(qS{6z*?a4?dmvL z0@`5Y!6^i;;+dM$X%EM`U+kd*fmS5OOZqPB_XVgn#tca8%RUzRwRDLVgNE9Z7{{x& z0Si>LE&|1Un9@y}0a+;5QzliuoYIVBJrwPx&`fyY5Y<$}mVGeRq%>?cO-&l8m8lZ| 
z@{*L&WL=TG!O+4jQ#J9ShtwyA#pST#kZriEYPnPi&ec4h=n}d+h^20p$}~XC71JQ# zL?yJX4m7+5HnqU-mjkKXW|3-MA4pV%t&mBfk}3E4csv=6TlsEQ$PI|9vU;N&a)_OUsVsYA(^eX<5-)k=hW^PvJ8{b;PYR#u#Ap2H_|N7`SmUF< zcBrraT6ul@*Pycwxak|eIQ^gxaAb=oFIr{&<+fgP`Ma+@=l*x!e(Thom-~q__e10H zrM;_{d-YlFjt_r%_qFDe2f{CIzwfbEtoWygpZd)T>+ZMzvEtshp1WEqT6rG2@2>6& z7p`f%u-awcL~5%U&ug99tfj8Fc$E)-wA(gYi0c^T4^F=C`s+&fJ}JMq{gK~pFNA7AX~vp0VE@YV1AFn8&B_uPEt9S7}v*V_-Ca^Ourjf(3naoI-F13$cL z^5!*X&pzbNQ#+-HR{iEfR}P=uEI#___ID2a%l-ez|1Wy_Z^TUh=a*vt3jcADsyO+| z@t;`n>FLKMc$#mbpP&E4|G)4b?9Uo-f1U%>Tv+}iFAV=tJ1y2mdbFh!%52B1l>rYk zI^AL^n{VbINK}fXWtvT*R1w8=P3tOjJE^zPQmvc!grMU4H7gLUkYE_6QyP!_ng`^1 zQLRK}3?axGwlgNWGdXK@cYbu7o>I)bJ{C)@tiK4d)$JZU9*= zQ6{lKWfE0c(aRv&<>8nOi|G#DWC^e+lI@H&=~Ds1luStT*>PRTPN_UfAwUU{nryA-HmIe4Z7E|HWjAGYO{^X|(y-8BJC!iNBD9kl^rqQ=7OXTC2seSG zO?~d<^)vWSW;_|FiLhevBs;)zMKR;k!_26QU;`|TO*+XY)y)hhK~yW??YdO0H3L&h zas|_L#=Z>Hl!8Du!CnO%3EhMwf?nRQl2$jtLW9uYAQ9>oMgy#561ga7VI>du66LNT zI$Bww`ZWqrNN}hS5&{>aQH`ZdHOtio4hHqbGEwy>b_pdjJeV4}hMy{B;4-J=WicKL zaJe+@D0B*t{hVLy*hI223VFX+i#R*BM4dxmB>}gsW7|%;W2a-=wr$%^$L_de+wPbr zwr$%^&dY!C?qrW^P*rPleWF~y5Q?m>q9{vr;1ShGMaX^ZiqoVI-f>IilJDqy$cC!n zkQc1ua#hhnzYJ0GQW6;QFqIl$)m+ZGN(v%EQcZz50UfHsZX{a2g#P~f)zCKqFX z)yJ{@00Lx*5fMBM;|}p(B|d#)2?nKh`x-{Wsm`ZuJYiB1=%j2a0j4={sozjIq9e^SgfpHR9=x!0WNck%fG`3DAeX$( zOc9(K4+hhmj2^fcs)ojcbuto9$r2BJAy*%b2XJdX*rDl_+wO;SA&<8!fKSh#0`SE^^%*Y_$I-zuU1%L$E>7BpD zaj)YiO?jin7lQsb1L@n0S3mieIo7;(?=VV9rGl)Y%U6!nC02h7{X`v?Eb%Tc!&Z_H z_F1CB=9Ej$v9U?%DQTWbWMOT;qQbSQZmK9ec0p3yur8elf3j-xNtq%UHJqz>23&3n zAp27-a@?xKd$k9E3Nz-4VX!P+fFn3-qF^$YJF4yzJEXuB#k^Q{DD81|Dp!=eFc3J zA3%V8Fc8^9)<1&+P`_Lj+Oj@Bps%r7yp2Fo0`8W!B7@btBsni{PrwB}?|6NIT#O6x z>#_eT{LEf`Hf9AnTbz%OmZy4dDVK?TPIdx6sKcwfqr5(<_?Q_lJQw&bw~1T_E(F*# zUy^gXhics3*O2)sb6a6~pBG%9TZ`-kz_@x=c=nE;?Od1r-nVY5KXqF58`pztLoT>` z_<(P;3c#b{%z*u&{V&HOqGKY}jT6(ISoqxTr$Dwi;8A*-gAiZqtfSJuKCZhdgNTe>t_~iZ zi_YK|qnrC05`8aa(K#E}tvuhuR)^{K#Nas4wEnB@)5u!AE*sq4_G5w6fH#5RfTt~v z#U^M3fyeGZ@Zm20BE`g8ZKypMk1 
zL+`6;)w7zPycH(+u71Pk@QE(ewmwhyJdL3ryE?4j=^no;6n}Z{)h>6sa6E^C9~H)b zI2})F+~s)F-p8(0I`Fs8UEb^K9`YmVyk`eLd42r$Ods&)14*mTd=6LO@7dRZ7AUu^ zzqIRv$^3WK3N-r)_Ko_|aUKE&;6Byf z-!4RI1dfN zuFl}Aft>cfa9$ltlXlU%G+iG#)9BScAePB1sF>584T&{roVWCGvayG&j#Z>Vr-rtL zz#^TfLujIh&)`FGS7G|Z(ctSzHNgsq6-Sh)^7vRqN*wADZV zK_fswbJm&4cX)b<38OsFbb*tk<3pJh<3Z zPma~UYKoxc#OR$lGoUCCIBugHTdYOcM4~$Uw`rJ)G%v$jbns7O|1p$1%L_?DoIcRi zN)-5RU$?TR1{$$s)q#MSXXeb}$8a$eIn@%qg=`U&&3BM1t2#{<%CIUjZO=9^PqLXH8d*IU0S0e+~xF08xzJyYi=}U#5M5 zk=@^x^@6RLz&m0mp*J8*9>B6(hK*<7R*ml4?F|S4)&CX&26j8l!JkSOU$@C}7rSru@dC^aHfH@{OH4;3_03ELeGM zXVjv)$gJI=VP$g6%~7^4|Kb@;$DrXAQECUCTbd0X7gvPz6Ox)G>p+@=HU3U3j*&G? z-TR}g>ZJ+>uPV6smQF?73g}dmYL)tfpCo3u$NFZZqbz|-8j04@Qw{+Wb$uA90aSY##C*nt=taEC45-Kyp?O?5QbQ}NmbSxdi> zi4Z0E5kQKQqC%5du;{xVvwhJVn`H)+i5Xw76voZ(s7rTl)$)k(X3_3Z@(Iny;eQ~p zd_^o%rZS1~Xruvj@qVFbP9e2OUGD7XJW53Mk6?-f>#`l%k009n^H!o>SuH10`Ff}% zkka{L66ePwa6B02Q0Z3AwzVl#kK7HWGB}Gd7-}E~F?=!5QkcP&u!V=qg{Q7^nr#hL zRP=<_a%d%6_P^MIDYaRkSWN`~F8~dYaO8}(C4oW~OTg~9TQ6Yx{S?-A;FkbSNIsQx zKg2lRUkkYxK?{!vh5QBNLnx|zOQ9)9Q;u-iO#(VORXwfNZ|%YFTu%YA{@X!m}^ z=I6}ode3>kKed15K|avf-x4@&E6!cLxhwv=?ScJyRi)P|aPl!(MERuO_VJSB0o==u zXY@5#vzd2$-trEYXyH3&w9xk${Bf-NG)v`YY_0Kv=VeQAu5#My=Uq~6n>Qf#D9f+^*7LlKg~5~RaYTXtq{r=j zwN&7-FLM2g;Zm#pZWP(UHK1dow&mkBKc!NGClz=_B;zX)@Y=5id|Q7s=(sJ34RH4H zOKVVZ}GKEdJgDxsCy`!Zb8VXUV zr8yPE(LIU*exJ)ofv+3|`|9lvUKp};?gv%GRjr?AmHrPXe?P8Pb?DyikNq3R8fbGH z-zX%e_@0;a)O*T5?u96A{EutaYY3|}wGUc2t_;&OUnQ^!J(dnR=pNtLD1l#jJjDwx z0&Dx59jT8soKFJ+wl~3J%9NSNA6~NJ>(jY)ZYk5e7k-uAWb#J z6VSpY=R6O8CNTE<`y+7ot`;`EFVPjGj^AbDV`_mg&fObmQLwH5)Cc z4uQ=8EY*{-2E&eY%Md%?u$+g=ou*9vY1ERkYT&L*HM>kl@Kx^|4K;)asd2Befu`IQp0@Cf~1%l8c8y8g;e5cvwDM z`gVfk!i9-HthJ@{A%_m3B;y*>jV7s-cSNhxMX(`Ug&nb{0yObNVVbZKR#Ej@+F#3d zaCH~(keJ&xM0?vy__NFCiaXF|2~tlNn3AF-E=w5jBiK$@0#ofxNciU_y@`~HGiu0_ zz%b;QoC?%v%;-jc2{FqRLT%G6@z$>sA(YOei&;AsqCxQ=f@KS5R9MUp2p7wv=>AN5 zvRr%OZRe~p=WUG%T>QDoa6l29uvO?6(_g5){UG+QMBcT9R5&nWJdG+TL7YgHIxO-O zkb#3Y!b;=GCO%YY+lm44DXb=G$Z+vU$i8Y-NcsaW3MLN9zYjVBL4~!xq@UDRfaa$g 
zH!5<4nS3jS9KX!Ye&;w$OJvz4+0S?Sfq8DewLAJ2B|>aJBx}&s65gOs&y%s#zd4+k zt);`E5jr?P>WTGx)QoSDE)*|fV);gTPJT6#d@J-*F61dNiDL~Tfp(v08XP=euT8sD zYj}j{Ljf*DI42tgf#8J|!e9t^ zi!PF*+{j}YFITx1|Cwk;1bgXj()A0sT7k45TjBmLxD}Jxf-r7pP8fRk;ubeq@JNpw=(7V9aj7W?3D? zrc|zNce+^x=*#vOPq%dU(Y=TSUnLY2f+HJMZZXenh;S7nRxFQ0IkN2FSFTi2La{B- zK^ZKAw*EQKxJq;p=W`i_C_e~wg+Y_Nb>X@mfq&yWexT zLF+7wKCJa8-nikx6Oo(H^Y1HG9kP9E$mu3I>nn1^VT6y8H% zFZZbD&a^FF252EJ)Bgq_KDfBb3&(iCjKZhI(fzi;_)8X0w{hZg^1U1MJN3aJK_K1H zxF!C;KM~-BDK4Q5+J{#IUIwO7cGv>L>1%qf!n%UFI3&&)0?xf`as~+-9>X`G`Ily& zJT#V~mhkb-^*46%hxN6e_lq}z?bn^^S8Z%178G!JT|Kf5fHz$N|L#)Z zzud<&dajx^_?%)%^YQ(A_6jKNFmtpsI=h*?B!LZ`h}K}r*WF? z<~c(Cq`j$^^1 zb8k|=?xK*5F{Paj+zRXX*qznTJ=IvQMgDLDuxxi8)?C}(yg1$btX8AUWJl`oTyhHE z@CLpyZgd|@br8Q@c}Av5*QT__d|QBKH%>ywSKZBd4ooPFHpZA8!7XYycpgT5K5ZeL z@cE9+Wm*Sl>v8R$y_A?NuU2|2c9$}GUrF(F-Fa`4t6OMjT{UynR(0rJPP%2d#A&+^ zZz=icdb}HjGbX(6AGGPnoZ}4(eD)sJs@Li#7`$CC150m#0-ZqU_f8-R%NMXYCIAqC z_5~s5d;S59X7>ZdmImdJ;%)Ks82%mTi~k9YdQ8|p2>|Qp{VHS(1lFlbNk;GgMAHdL zuHwW3BjJ;~vT)f9k|m>YELd=)3CT@_q>xnd{o$%Rb59011LT)kL_{STMZ>6!KEcU( zMx2v@&N#xsqsO}MEGtsbq`H`kqey%=`YV2#creQwWuUX5DUl=8tawzWKaur@7ii;> z?3+v2f%8JT&2LcQsmW*;52xBVAH6M+00vmkrRCV6u%7iT}9>%?S_i!Pp$z)Ocbf5+MZ=tyzLAB|Pk z`w^-s)+yasLqNeJs28Tla~#B;G};<1#5jxdaM3$3%qmg@qf1miBRNBn4pw1GDcqra z#q3LA<+*A~spq!K4gz)hg9gFXbZ_S6Z@-TJ-!$EWiTS+lZVN=#AfLi!V?6iTM4 z%6go$7QYy+)5NRt96>Tise*7zrA$>3b@q)b@Oj+KAi_M0l6^!=u#3u_>UXUa>-T=k zi?E5+C+%FdCq&1AyBa62mFDyV-U>-b3iqalg6M{xfC$Ac2Fa%`%RS>Uu)7g9kQd4O1kjub^ zf|bq=8Y(yB<7;N92yU(Syk!M4Odjk~*tglX)vj8=$_P!X{Iv?Ske(Say0~E_A)FQ4 z^5e|8N4MQ?FF?kJ8C6)GNnS% zN9yFFU0GULc?C+XV(8!!z$vNV-n=Sb(BCDJSjrPm&KMnGl?!AQ^P$FfIp0Kpv7DNX zHa5cxoAUXS7i#RS|8i@yKKeO0Zn4UF(#=X!=Kbd|26JE9tAc+wFxf6c+Y)GGA`S7? 
zy62c%jW}Gw%{74U0=gks@7$Q?P|1!0aDs4G)@{!)GF%#`q#!I7R0)y@M6e^loF_Ji zFBZmf%5-AavWzJD^QR=gX9ZPtXbdBWDY&@Ivp31`_iThU=`~`QJfhO0{We*t1Efwl zN_~gjKXzf~3}p`+!XmRa(@2|EmRAG=5Z`=ItGiz2`beo6a6dzC#hF^keJ^r8Jj1BC z8E@`BibGP`{FWMBOj~Nmk8a#CfWSy23VFQkCKnUood< z){9j_h{v-jl)^P(tB4ux+V3nEEkq?cP}|mn=k4M1PZ=5aOoa5(zA3ddz8RM&Bz@Jr zUpk>;o1}&cxk$eqEa)yOdE~1r(~dAQ#2)T(x>L^o1>pL(-VSoi1(@>#KbvEw->1zz z{BL%?-8~&Kr2A0f5)F!h$hWvap&r<;U{ofl37+4fx48qzzRwMo(f9FO0gK>QJlB&V z+na`0q?y@Y7q|ijcXXaW=mX-a<$(L*O&yfmeK+9K)OGHLclq*@UcrYbl-9vpILUPb z_F$_5_t_)d%x^a-)A57W7NVT`}tw#-TeBny}kt zaJ!1GSa;LE%-`QS(heE;jg6}C>66KI-qYil*MYzvC+>OfgJQ&OWY_#$F8yNn87Qo@ z^V-t6E?MSsIQEJ6w@qn1&U&u+OnN55Le8$*?@sv^#KFX#hpnyvKxv1>RX1tZa-sn6 zkV(MeG==eH_w6P{VGlp2&9_DY!J2zybTy+F_<3bcr8ez<+iMNj5JOlBVl3#zgnP^phaZpA61QW+1xkx zYj#P~SsIQB9){N)xMYAkQMrY;DV056Gbs|;@7c%fZ>M2fwQ*c~`NJ#F-2v|m4*tIV zYsmV*5}*B~09670&Q6)rKgUMSSB3+$=DD9QS&cwWpZMIt*>Q_a;B1b|_f31#Y-GT? z-PeDWy2$UyZ;+n>=6k?p<}XN~P#Ye5x!?I&Pv37jBQbTD5^Bna|CU|JZGPZv>9i0B znkgY&1N;WCw2kCF-~;dc;j{ifF36KLZg7Gl$~#O6ri)JUmFQV-e0ZdUXWD z)(Ue?*!9T@W{(qjljJ|WFKAP&5$W(l4lTJrOn(_CQ!}$kjTPxS51O1RqYlo$s>a&Q zIZsa_=)5{ZCN{edNZ~>3HM>ma44`d>^jQ?3M65#*usfHJF%%F=PT8s@TjiNuaahn3oJ{t0)um_>0xlg*uh7y#N%J z4^1IxewozfR-fLH_=}GdG`%#F9&!kXhv^58{`h8463V z`i{oEUuQA_EUXY?ue-Zx$g8Va7QU(}Gx`%G7mmAxX*e~W2nmP$&qZ|x^ny;sJX z*%23qeWXDf)j`WPAFT=Q7tOPZGZyLOyBXGxTd>MS)gJgoYw1e#vwg89iLIyvG|8m5 z0e>}e?v4kJV^>?24FifRDMqp!fk%Au2Wk{%X;9v}rNUkn%&7^VfV7QOAx3e6eJMT& zsl=IjD8wp9m_Pp6i+1TZ&gEYkc7m{}g>*>okS*ko6apd+nb@Zl+y!5z<;l8+_%dcB z)r=HjPK5VgTWoT_GM9w_t?fe*@{*j)eub4tu@HE@aXeHOF+_)wfEq;c-@rzPW=BniI zXmZW|duhq=#7t_%GB88?>KWL-QM~T9T2Zz-PpkT92k2sO=f5>;%vx|+=@o)~GHg(4 z=$gnQ@%vUyk@}%m6CvxmI?vxvTXZo**JUj#284J{Zb!&y20#9iXV;?zMLH2CtDsp{ z@O8qNz^xONMNIwzFu{jxicip9!JGD>6EI zQEw{`%cbQBtL+&Uhk^PBO(q+aWT^hZfkn?)EGK=;*NL?eP3l3WI|ww0e-L=bhsvEPG0Y@yAHr#AjfH+AFrxibvQxKbz`^2 z`)_o8JTK=O+tB*m?3S-(JnJ`KU!L2)_Ko(slzx15Ex^yoV{iCeV8%Bk=Z>6n@blWl zU-t7ce2v#;9T;5u?1#`g09WB?A6D$yK1CQPLp4-Qfb-$)k 
z7z8{!2DZI{Wqd>@we_O~@ezyUPg#DEUP`irn%=;%v>X7xc4hOJT_It7rH1|%j6bHq z5@~!J3;%IP^!3}w*>YDacwx2It^2Sq=bHIBB~ic!>uE(&>nhbYr+GBE%h%?Zc4>*l z=j)Y;xq}Zd2U_6%rSAy2VHVka>t;i)Wy^Wm&Yi!+XEftI>Ud!YxyEtY0E!m)5kI)) zV1IjkpDRAC^CY(Bb0=nd#n+~i=5N#!F7S0f5T14W1Yfx7qOfW3`r^U+GUQ^T+pu(m zy#ipE63azzpSULEgnpYQyn6nDJ&&B)ZT&V77 z^S_e=BD?#(R7^YaP*naS(bHk_5&L7Egu^lC=eh%3m8tQ^lG@7TpV<@lA z`6^f}0Hg~Jt=@8$Q94yZRheR89_)D$a5L6?di6fRqxRjEigcVs<7&&lmJNq1P;8mk zj!KmjGv0&@NFZ~O2u`}^CuSI!4dgw9F(IPJxaW_(xRCiqGP5YPNEspl8xmb#bygzk zq@%@zNXGcmZ16J`mrZEoKax8}lOuW=%su0bhe&BJ+0V7+)b31)lIb{v!|7>qDPX#; z6f6c=tu84AJ0QqTD2A*QL7o~fNiew<&w6b=FY4w;SBXUK%u-}IF7nw<)NON&p{sHP zAqQfdW7UZ-nbZsoTRy+VH^y#V>Kqi_U!7#K3WBrGL_F zofujs+HIqy{i8wV5_Hl;usZ$vF*v~}HeZ+faQ$}1@jX&HfCMv>uwES7D`C+!B{<9r z(#9N}&vl`=3<2~F5VRDdm=~I`TEr@gS&&?@%wnvUY^vw92bEqt$&c$UPOl;pUziUl zeQ*D%7PT^hn%*Q&>V)&~9w>#L{v}DLK@ONdtRp)kNJYW21}ZphWdx{xgrn#%qyOTW z2Oh6q2*5jcyfOl*86<(kH7ll8^!RKDs1fJ>9t)y7QpGs~pHVrI*p!NJKc%f`g?QSg za6A;l<}8VFSi#vr#$@LR{B2YzIZVCJvlcMI0y=GgWn5jt)M*ydUulrirlGn+a<&~p8l$LCVURPmJmE6FaEiTF=n zR(df=mwIT`RS2Ha9aT+m{9H$qR!%HMcPj|wUu~Esmcv8F{_B?rT-$Ei>$G7v@Py8e zp$RBUxpMq5tUcrH*o$qHFlP%u$)tS1Q-as66j5lx3q>dDGa+qWj|h^{S zu1>Txsx{N7cKNSeJ`W6$sf94jTymSCj6&2@R-QUHQbZL+#XdThsJkCB1f|k`e$Rg& zK-H40)#o3SMhONPE>c;tZQHjW*5lNTjCn>HQcx*6+^GfUT5=ZGR&Y!Z;OJXXB*qJw z{#i!%^52s&KNgLJ^3idjV)t9 z-dI%=M8j79eoIjrC`q(JAH-z|X-mk5s+%&SZ!qR|HZjkgLBN_coc*8R#{(TxqWnGU z4Kn}VS?@*HI@W(CyG{hsyJSylAC!-B55#CgupwkB2j3{4Yox7jYykh=gPu+hV~+do z7DT{f!kt9uSI0Wgt(7#_+w$~?WjfdOCUNeuy*vyE_+|k*w;r>aV=I!$oe2skkFm2$nY1gt58t}1v-Fbfuf8}w_ zYZZFz&~tc%zQyZ$>|f5)ZJ8v7<@J>{?BJih1>kYp+(wU#ZyaS?&aug=*4qOE3< zpJz%5e(xbGkL||8HpYJ)HSQ;Ti~HTceukxJ4x-L%zv0I4)@XbKxB9NTEE)6dwyizl z8prQ^r{;Cj%HH|%3vf;7zbzl%AaU(=^fQ>8h%4eXqMA4F;wv26Uh}*byDGWe{1Q6V zY^r_dNZ{MdZQweUCSj4(=j?9X-j~m{;^FQMz*GFG?o}c1dP49yRcHXb^f~T&>mO>Z z)!p{ex;Wc95;#hIyN#{g>I7sX+u{4Y91Nt1yl1uP?hg97bH5zw81&FtV-l~T3WV!C zjP)1*bBBPyn=j%$moM-jmRq3BfA~@hNp0ffUoEf5KgS4Y#<q%;)6YH2aLG$^*icvV%R%0Y 
zkxu#eAx+@GSj=8BnbC4N2O4taT5*hc2hV&InW%%Hgbk6mYSbwWtDQkrp}>&4I)&d# znq>?=ATVk%xKpw7*eANiS70tw{hDkR$HZLRm$!hx37%jwww%Nm*Zx~Y+L?RN#GK=h z0uY^bbAeDPdv5-1(jqHU-Au>#RJg=h=;4xL3XaPYXcWWZz9w%|HpWdqX6qz892DGA zwrI0&D2wHcl{JOPRyesVky4Z}&0V5e<^YS&R{bXh|+*jJ8K zkB<=}i*Nn~xaFm}gglHa&pcG698tiCvTK2AQKKCBCs>rS0*eB2ozF1ZMPuLu)dD2kZWw)|MZAfs#n zFDi~1Z&}JldGCJTNbj_?OS=3Dt8tz-1-#LTz!Xf~_FcE-N3u=IPZHDdLkOMdbK!D! zKNxE=$}ulcT^!)*u?tTLd2!_Hzj zwLD>-pdKDBS;=yg@`!A(x;aE?7Hm|QJSIAYVX2Y|_al;$Met0MkcOm6MlE(&atiBt zsPr;8s6|n{>Kcrs6l0?pz}S}PxDgZOQZ1u?%!a}0$%Fq<`WsZITt)MDr#4@%l*ai1o-mRcMEnv!7b?+PpZs z==@Wla#a>(pXRt8^WP0;)P`!tdt$e4;0QZCT@%oBpK%4)NbFeM+`Kf}TKO|Bv$1UMy= z8&+b`r_N^)2}$lN5b`LrhGTJCt(Hs?E>$l~!eykbl*~Ibo@{Nhjt3(s*fy<5Jq=}( zs-x_#WtUm)?RWk$p=neR%vLF#PuzZp^U%j0^Ow+VVJe6-`_#CQiUvjX&ochP4At_u5g`Oh&ZP_l1-!ix zjue z{_#vRnvUau&wZTE#vLV@qIO!z1%df{R2|_q!zC2 zP3C}EJK`EHYTX*9=(rM=gDUSL5~rTg@xz%#xHtg1Wb z^4Pkc)t}aYeC!q5+Bm5702-D9G^QAvAGNP*2v!3eZX415^;<+7!%vuxQ?|Oty=;~& zZ~2dn9ojr?ysa8Ix5@{2OudiWV_rS3z1!H;>6ov_)dnhIgCA0wwn_GOWMW0fQHfww=Eli_w`quDjr)| z^W3)WY9FG{m4mSNtM!w$ZL#C6<^{ir_bvfm%{7}8wI%(_m^ZQA_UCTkOmO^Vg^Aam zZ!GUK#XgtTZcQwb~3%F8p23_9-KL$QmH>n!B@}9e2 zgS>TphacU<6b$Cb8&7*G*P6e*FS6!qyG^EOdPRt{em$2w`#%St@$9>#b{K_2b7)^3 z>gju*&3&?8Ueq|PAkx-uZGH{WK7TCs?7rn<1A$#{_tT%y{Q^2bM2emCm;VfeQ#-_S zU#5Y&Sp*&=O{5_P4ZzZ8xk$@? zI-uXxy#nEj#C&?v#e&>O4-j|K97AJvxX6M6YnPz^WNqy3XO%6|v zxNNu>a0=AB&m^SDSdJ%nIU|;w9xU`vjZp$qRX%OXC|Uf4WF9D9m=2;;m<%`UJB@-? 
zvRz>+4NOcKI$em+aTD_1* z8CeGT8U`0ib203a(diP?OvfQA3z6BU6nII8qp>n^-TX6{9$o5BWJ!@tD2H1=h&YL% z2*%d&9IZ0N#9*`n-4MRvY3vn}LstdHfgXLwan5J(6(K}s1BQTUJk zK1gFkT>Co!Vi{IGBU`;#h8VpGwV6~H`9uEtNGX4S1MSiksSizSwE{(*AsVLe*QUz1 z3)E1FlQ@`*B^VBLgAGn%hFx6aVNLc=OxEHV19m;VF~Klw?J#_J93MFLuAQR9vVrru zY2#E*tz1D8yh`8^iH9)=rSUiR9FZQSjf^MqDnrIt3*4c?dQ3m*5Ryvf}cprC; z>+dBDhzu*$P=5nzwF0qhWb+-|@a$};g8h-p;^_x|-#Vr4QxuaCVmykXBL2hVRzI?qajPpRQ*pxFvtrJ-3OKh;~l+w^r^U;e}|h%%_UZM zWey&TI#`_?QzkSS|0u60N$j6L9sxS@YTCG*VV3JeP(Df+4C z9~{;DU|6t{y^sfGaXV{#ZQ$yr=qoo#&T7D@TN|i(~>cAb8EA-b& zvCQK}tB?o%#tjToQ(ex>OHiYTJ%zwa4c=)adN5;GFst~1lA-t~33^|MK3&X|DD9Si z(^@KNstkf%iTqmQbc9|W$iZ5Ua{6m~=R})0$e(4n#GT$ z*2={U)YJNeVXY*QM5|&uM=)h`TG2n$n9i!;^lUB=ynNv>f9OD+*WKESZrU}~4eOMu z+_~awEJ-^OapDj+VHb?q2LHh(^(VgC17L+YRnlPMQ7-r)9#}2G&XX1btvJH8*&fEX zB;ly0^UgfWHIOW;en4F=lx37HC+nA%!uhVl#@taoC@W?VgQ&G^yWY!{EZ+S7DuQYz zDbdK)y>}G8gb8}ho;sjq=&!MM1pe>gLed9OaDS&v$TLL+b?yJ z%FWNjZBPHdfSZfU1ogEJdXjqu6ym=Y_|N`f4(L_$O44_hu=Qr}H9+^q+&pyreb8L1 zp~wXBgDHeW86wISt{T4Pz8qNfMgDb<3=(2E6Mz?360VSlB3l3h_T>V?Z52Dup=H_; z`+fep3(evC@v5_{LU>cR?!b4#Vbj$<)Taf|lj^7iI#iHtpY6=lt<<*eJ{*iy9LM#uL~`?QZ&@Ku%$V;64tvA+AF z%;Dv<{`D=-75G&Jp@J+! 
z+XM16@A<>zT=Y#a%TZI=_UG=$)*Nx^M`3QTzUCG`gU{Wq!q~F@Hs8qs{uZ1D8PI!( zRsv{O>UVHvH_gy?;ITe)Uwr}k1PlGOSKmk5oOz{6_m z{tm~lzjb9VWj71I-F&9zHh)D^Ryhvhmy0R%oGxX?pB_zV7xNK+7a(#2sFgKhf~F|$-dzPmevg$6 z6w`_j<3Wt72Z?m{+A7c$$?LdJ>K;pbix(_ZQ5FJebI_WMf5BoQKUJ0Tn{~{ZNYkn==)!z8x#>=(5V{!N*Q$?>Fn?=(IE4B065g zOyUj#=O>=IW(D(g5J(0d974onjIEt+ZHqQ0Vq+*A&P}fUHg#Q$s=X=84kfa7{$U1% z@T5O7EA6~NRt^mlU%X~S=F9`Ka&l%Kirc_x{@+}p5)#wiEmM8^^so~5^Rd0BE1MBi-7HIi31ah(bK|P7 z8R;+ddZGUmNsP1D-r$cd<6l8jvU&3Ac$6~)7-0!ftWp_SBLirVCvGteqNJl|Ok~(T z;;~C9TSZlEIqd3DTn@kA4cS{VR<$MfMSTz;rOQncl_ok&CpBCG`66Xk?xi$O9!+wq z1vg>jO~}+-c%*Sy??x+7ni7rFu2axe;plC|L;8%l)Yuz!SNG9+AF3hp8x}7(-3wq> zNIFl!DWVe8tYS;kz%a%hsZ>xRevwPjvuix+a!qm=w;{igQ|nk{fLI12Ivc0TaZIDf zVLR`8f&>XW?3`ySx9H5GD|Tt*BMwg-F^5vw(0W(G7ps&Eq*B~+!YbY$DWn&K@45<) zs-Dgx=LRJ1lvt%3A8XB6q>=vJnLms;y~YeYJ-E=${!!gXm}%!s8pRa(FRSIe;(QmN zU(SV_Iv*RPUlF6qM!oR8hOeA&3nugY*NI^fY$cBw!;EJ&uX0g;j2`DOW>j@IW~SLX zD2#I6z4dyuSg3=?+~x4pCZ};7vQxr?C3Kx++1%5qao4n9Ll zGXCs#IWOVeD%Gpe#FQ*U>yTzB)*+iVcYZx9w{#3cmP5F7g64z-kw9yTWkm7xP)&ou z*bYPT5v9q$*2zt$5Z{S#eiCj{I@AH@X1^nXIgP zL%9L~tDZZw95c`Ey>lLu%W)tR%q_+l`k@qOT6`*hi~SR!sst7VLWVO)x<+A{5AJ&~YHFYOaR?0y#T@rXLDw{#F97iGk6w})ro}1e^0Sqfa z3d&8ThSX}P0OUp`l$)ot5UuvtQErnOH3oPL{vNk@Ij;MbE3#2wvs=9Fkz(XYny(73 zMWz2YHGVvbOB6(kf}lZU-CdTfLK|v~dsGxji7pYz)k<)&LLRLeJ4D-J&TQqMj%DH) zmC0_{Dx+t{)pO8K)P;n=q&MMs!(s?V4rR9*^&`uMC~e>Tt9*5Sd5IzvM#I_I-QMU^An4kYxPfQD|5`VE0Jk}3U9b`huJI$BsG#Bw}mGSTu zKpeg(7g)=qli)+>`V_Icoa&+yd7=ON5l6Dfo(b7wgVk1+aUsq|uJ=QlFpOjm0w-KO zl;|Drw3H?Tf58{e^5KHn1|tle7Ivt%NM4!z4))7|houR#Qxvpp5gGno~k8KXwq{O*oK&yx$|^q8u9XrJxx#7=I!Oh4H< zZ=OYe4*7wPJ!ZXY(v1>}c(aR|sT@yKjW+>y`2zXD5)Td#QKbsT0dT4(_X?+p>VRe+!(kmJxVuNc?v z=vCVcpDwGMj+bgy+s>oGCrs|b7?_bQ$jPD=(A1H9XJ=oz&wi-(&gM0u&HbY+@#p$r zQARRF*2Z)B!{zqp80P54W2Z&R#t_;i_vf+?Qme&FPUY)6^Sv&)v#l}HjJ3~<;oD>S ztK3t!&pxyn$hW~t3Xu5qV7_u7UwH#=rba!l9HL$(10*+o9*miu?&-#c@ z^gtW%F&%5zJdQ7pX83p4Ts?ZXoeA4oVT93KK2s%t_13+8@#eK-AjZ|$$2TvN)=LXJ z+Bx}c^ywFHH@fr8>&S=KvzTl~-=6M&p8#}>(|k6M`5C!Qs~-NH`H%ndgdwj0g!wx_ 
z(BE(Vi;pP!)aIWX_gVYQv9tYPSBZ5oeq}{5CjGR0*g0Ms`MMsI`MjO>Gzl;kE6f$| zTikXNKJ4WF=N(}YV5OC~6U8-Le!2oTx@Ygvm&7wG+`BXte{` ze5B0E@clmjTi%m`Fl+8M*mrA5wK`JvwPcy32$G3<9?K zHKW9-xN~9np(uE)3x~sqcoM@p4uc!!;pu||7X3k@#;XFffuI{7XhnQT&=mcG8MEPv=B$~QB$YiA2FAfsts5XF8%;cfROe75V+FO{ zsD*0A(mYe9bIqFtRan%nl#FtX3?+=462MC^;!tuhsQ!}dd+?JDpz4gJF%o;snMczm zW1pMn9~J22$5N!cen_y4>*1F^-S2m1fri;_rbUJLDHaPo6P95O7-e^ zfhJDHTBgGBtz`wfbwGh7;a(e?8j9ybGbBp*sv!ku){vLzEG?@&|5|B_)@kb|7DDiW z4k1~G>gJCML~dzJtMsx6<6bs0)2gjK^YQO03ap(dl*a9;Fu@-bv4YN$0PWC^ou->-z%)SE*Yl)jYRT~q89Y7XlV2+9tiI7!%m+`R^hgVCX~Qri zu^1UEbrQaHI3}NP4L^NN%Idr+Fi#I(FbbP2N~vm0BXS}@Fsgr BerFL%P53(*6A z)%HZ(0R0wUIIsw~68^#!fT59(ZLgIkiiI|O+XR(xQ)fJjQkiEymt_i(_|i@blclE! zv=;;icWT?iqLxMVF6WkG$sLU&;|r9Huc8rD&#-T{6=+|PVu6q}q&8j#mx)%TcI{cF ziN7_F@Ho;-*$Xr#wG#0Qt|DO=CGWqGJGTGqM%|M$St+)=>pP)Vf-#9CWd&aM06o&B@oZs#_Egm>oa!C?^n3e}Q;7oD$MB~HjdwuG zGFr&>3+5o7Q|?w2Oa9(cE0dimo)5d#hc|Aw=(ZKlo|hu)jJjT;4@!6ZHUN$TqWBJW zs)?yvQ9`1h!=8cS@mXrpNTh*?Qfxg=Q%LGD9C63L^ji!Ik;$%19$#Gq$#3)qfz_59 zh0yxQm0-<@T4k)s`yjCq^NknDlz-}CYvDVw4wHTr{~+QS8`;#>FaAjV_@QBb@{Mt6 zD1?)m8yGW>CVV%q2^;r2qdFZZ=pRz=!ygrvE~pIdKZK@95pf_VE}m{6nRsXp6=#ZK z@xK5Bda{fj5|%IWP8p1St~Oq6Y}jT!*E$G&t<ni^nq~&IlM22EA;04kI&K@Q%@Z$FUR2-n+>l^Ik;`Bml=KZJdeA> zXMA<-%r<(biU%PntJvs+eA%!SbI0O@iBO&?Rc?MXp;N+O%Ghmz#I7 z{CEw*wa5Ri6T$;0|h%&a@Qe0gJTveemmcN2y~o+e z@qA3&Uz2b$>zVFe8?2VcWX}^qW@wxbr3*^*#8!Ykb=O(QnI3oa0MO96GTIx!GRx)3 zqJkMPgxSi${dS2g-}lt&E`DD=rq>YD`2hEfaJ~Ftx3Tvrj6FQFF>jvmD2jog7fl5QyOGE_P`30U*T92?OnnJiEP<&kq(pC!B!-jutsph@(wP zB7NLIFT<$>TM}EbHP|IfPcqnTAx? 
zkYDE32o`j-t&x+hl7iy%$*H(bT86WP;}|p&kIYlmHF4>vVoS#Lv9(fUTTr+4dqnYc zQmQ74BOOI7#7!cme>66h$HA)@V9 z?at{gP~CB7mgz&XiSg(Cx1)&QG}00ST1Yq#5YuE3#Urk?>A3J7mCN`DO^k#V)$^mS z!#d>Vh{2xocmW7H2-rWW%3sESvYr4rVm9SO%wo+b1Ro7p-3@&N+-x9 z2{UAVD<%Ss<82Gl`*lmAa&cvDiuJ0D35glOCb%wAnsQZ9l`~c4Be7{G%12EaV$YHC zU3{*57eVOh| zW4?_ubBMRh1GN&<3c+FW5~~#syLyS|MGN_uu<+3-)hq-(88=2(pj4~$u!6x2DUu15 z5xzxPNDqH&wvyo;a6Pl2m~fB^Il+$lQ4!T-%V62^Y>{oXa+~IF8X>nhkeN^X8yL1W zmk1S$mM2sMW@;pUS0`9!8kCqeGk&+v-^NLre6YzMw3^3wF39W^%x?lp%Q!kF_+)1P z05AzfvMHr5hN}>kVHo^*JuQ|qwV{zaNx(KIfs!RhOFnJ;Th?N{X3kdhTm6qjy(I)E zSsH=*vr1|ej{iBhUJ!OFsyv!^Q5H+l7z8$wHtkZ?kAh%6U`d%T{lUlc8-qO_VUHCasn8 zZhkVq!5ol%G_nH;`Ou;k=zN_xiENN1MQJpcM~p0VUaSXqrj{oZ;SpZ04q22EOjsv< z;M2ufOO>X^ju0Qf6IE1PZCKQv*B+#C-o6wXmBot8d9uf};+ISy%8wWVEEv1`*(&TDuUScfPt`%zf ztD|QJptNw$RNYq55A*o4vYaekGrW0x>VOfTE?k^vG8!pa?{V_+SnLOcR{fTGn+gpm z*2&D!@3gER`N&*av=ffrRNw6jXM63VLQ%Tynp;iHz|el^jK!9b(1jT!5qhwU$9h&8 zGp7k{o)<83U?Z%jeCI88Hg%TVI_qDSEK%FoF&6C zV~8_rump(yH{37a!XW+Tmjb16f=;}C=|ANlpOSBWevMz$zxIj!vsX%>fcLMm%j{`G zPfv@(&gYpt`0d)^(x*FW_K)-C3rv7%4{a1?%DTPkQR~iCDDTsXzBusWX(-nf5CGYt zbGbC#G*Y>sx7Ll~eq{#8Zi*QoJn3oxk{wLMT7o8>}2N0QW=Z;!}M?=ixP-%~q$qyr?aD)V?<%kn>hFw~yy3HQeo9 zGOTXEBQw12DdBCCw^28toT`j=fc*j3dXzey%W3#TcI~Q34``F~s((!zpIN7->Ch8e z_pT2+hQDXyC8gSaW#H<~?ARmiw?ZO0;=Mx{$7BH>1yGf4kd4czm^}^m^`&I-Wadk7e?eLcL(5=A7 zv5;wJb}OG!m6hIfS{-5gJTmjx&fU$s=Qe$;rvI{Aq8D=Cw9@6!C(X8MHih}<@voTM zR+XUj?Dpbk=yqTO`Gxxt^-9*2Pq*An4E^WF3rPDN^!E%fTJwg?hz9COxw(2q-lkPm z;%|E;&`}iSDPbFi(+=+L0C9kn-=VX*G2G?wVtLZeUI`p*-%GH^HK~hKbLD&>%+3zb zV?`7Fo|My?)ts?Ji+RfT;6+$)8B`mB%J9a>61e)CHAX{##o$qQgB(?Pg3|Q2WGe9A z0KKVv`lSO}3ys=7U{_(DX%jKT!izp+^T z7{u9uLK@?+U6mvH%1L+Z8B@4ktD2hbhiay>KDwUkV~YCFCr0#UZ`aU^UEJRjyIl~ z(hooWzVih+LGsvnz+$zjl(wwU;Djm;?x~XNh#W%|d8B%jsm;4VV0|d}TM<`y?3jNi zry8sj-jH9C?Lc)eIg}{^wBa8Fc40`gg*-NUp{B$`n2?yw+7e&vj^!=eH#$d8hag8cnqJK^WvXd*Nm6m8Y8$XuNn^>@bqproP3DedF z7|4p9v!{Po_~k~%A&PWY;AhC4e31*;E)1-KD_D73@R+(mpeElpfCjKOKOAP}%GgZ{jy@xH#0`sbUyvKZtqQqbVG*L5qi_ 
z5O+Q#Y}!oGDc%JXWi}9xAIV%$<;LL=E`4+JChB<@X|vp5JJu<1f-~ky-PRNN-ye=B z1bQpy`k@{WLLN}3zLG~*y@mgQNr}^;N0qBTK(rT;S;RgT83#!{z8XN~R9mz)cK z+Q|f8Xwk_ismvQ|S%laThckUw^mD7YzdspTLLG}|q=^Ii`8$HQaRwHxnlnwQ!2TLG zh_IiZGTl{agC!}f_aPZWH1ANUQvLh-?EuxM7L42*){tZ~|CCo{)JvrPoV7m=jj$ST zA`sItZE#S`sA}3&I9qI3mu~CS^bg@9TB(4e;w&ZLi2p03s(T7R^%c2(T6pO3NZ@;m z_`six(N4>U$M(EBLdT>QQL|$5x4W zT9tUoa)^Z|X*fS4gNdy`laZ%#*=vo7^$K2tjX5IwGcH&{^2+S4+3>mxn+H(}H{U`^ z;$dl?!LdD*>3V^u6frNee8DvZmkS(|!Lmu=q+E?rJqB8sNKLt}`1DVG#yK)N(wREC zdc|81Re0nNbHyW2kL-8Q!89N@& z(Txh)sGa70xqGh}{<_@*uM5Ea{%UcXQ}BwO?{W1L^73}wC$#%x!AKp!AA+6kS=oKw znyl8bFgMy{QY8J4hyx^S-L~eNn`JXPdvEUrx{Mwd9o5YTqqi+~y0sFIew*HRw@En6 zOWZ{6)#M6f$1}Z$l%PwIX&%cm%`M1iu0Inawr4y~AxSm1KWhuLk$ImkE!cAiGj-gp zZ+L(1?9CPh9p=FYNj~h|W# z=m5U9@ydzinOWrq^7d)VN@nvD7`>j@Me8W@%0<@})eNog^jEvt$iP*l&%D*h3VXhr zj%k6pS_rRWM?i|L@B6XI2^GQl$M!)@wfFAyh+h4Q;uG%mrkdVgY`!$@{F}L7SKjaM zChU04pJ7o`w!Rm41I?mrp2@8Tk5-RaAE!PQ+a4K$JKd}=d97}(?-eywj#p(h>)d2J zoo`cBi4C@Gd)sKGv~sO`r$+>@yXB;=?L4-<=S+6qjL&C28~DDLWZe3mo^?*|P6U~4 zK*i(Zy`qUO-D5~E_AC`soXc82YJHuFKiUli4>dlVM7%T z2%(bQ=zQC^Rjo8s4YMZHhz^f(;4?Q|NGawugII#i?~~VwCuCM+M=r^rSd_ghPX2z# z5e`%#phF){h{Pi@54li=!p`O8kbQ`Uz&L6J2H~hKDOX}CoBZBTut+wzu3a!@g7GtP zV2qfBv{q?h$`6R+ZCUAOR?RjTYEK>ex7JRDe(;A8eIAJ`dcV$Auq!W$MG%wfQCXlk zF7E{@SW3jm6S+dkx_N|Bm0e1ZR8b4CN(P>;=dHCs_mK6 z;RA+U;2a#ksSNaO9-*dSO-X`Ptz>c)@`o8!+a(n*5R7n+WW;WiH7LJ+*j3qKp6?5W z6;WYqB(*(a49Mfn9&r^U zSIBN>#r>uO?ZKpEC9@KZ%Y1G2m9cn9${UZ2xYqlg12N>T4g=8`@uYvr^z2heqSbGV zwQJ6SVPUb~J4a(cxS`)udlw|R5OqVFX?uz$bP;WgTa?GsnoH47BcpTb%cf*iW-2+u zp$!*~rV0F%2d=q>SDOQ6WLx}^X3A}`(^D?`1~Yj9Tr`kNBS*^S& zPc8N$1udmAjs*P8lX)sOpWsRzOo%^f*mCzIdT{79(fh{Q0kMkHl8s89bp*n6nB=@m z*LzfY0!^0MgOTPaCY_o6F-^5pYu_qZr;NMzo@DD|qRu^WXoSrhMt+9SjCh#h?Y~JR zFvkZNR%?bR)x$`S(P%p8wEHuFU447eJFn33+O5Cc`4A^7S$NTYCtv#*2Lwvi152Rv zp9s`28(62B&$KKRsP_ia)t;B1GiAytb2HQxN`rH8>4-{66u~Y1<%eZbrRx?p(GbUf zai{A^312F^v_Nx(=iGIe$A9G3S9Hd7--h)xnW^flD7*u6T7_<{q!tFYX1cyGq+6sb#*DKKW6q)om_N4Ru@eZ&i;GsRS46Fs0V_k*W!qKs 
z>EAys)CnPX)cB?8Fmq)D9z*bS&GY>vT|f~2MW}r7F$AqJAU>7Thk4DKrX640S=_fO z7%4q0GArWRSocS%5}qOR`(XJkBwG0V1Iet+c%8l)X_rKXhu1gAwmyWN$?K{AgRc@J zM2L`Df+COs^Bdrc9Bc=@pI*xIgMK_CBhD?13GDxK`>I^fe-HWm`UIf>B5e9)>T4ke zY`JguBMavMUI%NUdkA*aW$@OtIXuRb?iV)kpD)k!y{#M{ZLnJp-!D(;`MdUXkuzJK z!sIc4C(C@-WgGh3;m;qE`m=)>m^y9CR!^DtXC=`jM@Kt44>9kr1lH5|uPI$CS)lN_ zGwMtn{k!W2Zh?lAjl0kDh6RF?c^rN&5d6xH{T+}y`}4d;-Tm@dd%5j+Izn&9yeq&> z50Iwc6M^S|;=OT%>hrl2^PW6O<2XP)5mdwHIoG|i=yn%5=a^yrFd0!p;JNG4a{knC zlziEuUqyLkCmogJ@j+>Td07b^eYCv}k##jSF}?cy>2)BT!u>j}?`vx9v}mb~f6C{% zJf>awa_AY@v7>8eflN?qa+esD6Qr+w7;MD0?QnyW{XFv$^D=pde6Fo?&eY>^^{2&V zXPc!i@LKa^aWUAA|L(f$Z9D6Ep$*6GMJ=!A6_LGxUGMsxZ)rr2M}=2)^L_d6b&C7P zmT!;$N3Vyv&9xp+#mgl=v|G%FOZ~g)+vA2^mrq}xsF`-}(W>E773i82zRTk{XIb~L zFM?`L@XEUJ)AVRsJ0kPO;9}zFN&nwmP<5;M2{_2{pln2kRm13wH-+HDw!>nn1n?B* zNaMZ{o&a4zZqulDuW$!>DYln7MNLi*omJN9I1qmqWdMxC+xgub$Ny<`HK1+RY9@Vs zsoDqs$a~uRwC#J6eRyU?@XT<%sY^ibwO-!BV?gt`_})?NyKP!gRd;;*Mz}(7ljeKB zo|S>W_HsOrqvO4Of@u};@xR;f_19WLVENAdnLukc+$VqW-Xc`U@snvv{)b2W`{ieW zw-G2O=PS}c($z3cHb0zdrV509JPbfD-8k?pU(3HJU030O-yI1$haj4CTtubTsgIYT z$jwy02~B`z75%3&TqVPU{S_ezx#ZqsL6m>7n^lkdfXYRK?B`rw;L1R>Ri&A}jAiy)zQ183KSb)6Pvg+q1d3@o zg@-&^`M(|622BoNAuTioVm8g?rkTygRXkQmEG_+`z(rlE)1{2~R#GVTMNnHy_jfdM z33Rlhu@B}h4F(S-%D))0E2AGENVy#_TJ(z@+7CnyoPhC$9A^0+U`#OegVP;6E;*3y zpi$v*6FD8&s!&2=PqRjB>9A=pP>IkWw+rV%Jt6!+E)WQYPw35S*MeM3u<4afgt94_ z6Ff^GSs(e=j+&DHUb^8&8G-i*AuTM+a+HK>x)l&nteEPIMx1`J+a=d#&7n(J8#`Yb zD^)^DMEhGsE6<9}h^Wi=a4nEY=|=@q*_+4u0C_w!D%{b1?Na#>S7Q#|Sr8An%9^KT z;SgsKave;KTs;zAN1MT7HFCpFo(eDZN? 
zgNe}D^VT&v9t$NIR>LXjj~E8>K`{{SA4r8>SQk^k4f#30Q^V$a3y8vL0VJMDxW$-- zStf)nkPgmkw+O>5Zmv+nX6#H{v7Vb~-C$6EX_0q^5IiI$QoyNk#Tcw-R{H~vDt57j zE5G+!BZ|mU=$W4_>7KK;3#+)lG2b|&X!{N&Vw5R><#^GSm5dyf9jas|DwX)aF=mog zmy1eEV20gkK*UsTRu%Y3u`s8VIw3LU&A->w5IUPA){NGKSD1E-GnR-RmnIiS7s{Dk z{n%y=@0;Wu8 z+4ZYS$Uln07wm@6;sM%%?DWVDiAjU;bW_Cim1^y^SMdcccM41*cayDdayzL297Us)yXVjw zsLv9(Fs&uxp%M<@Kpip5&7au?q%IkJ+%1(o)ZGkT*& z{)n67^v};&D*S~(Og5-O$nR9Wfq*sTH}~K0F@q0-wD+GZH1I1NG_vL`#$gU8;`90w z`~c?rZ;Wh9kGB#6y@upQc~mbwEXID*0acQdn5j+>-+R}CA{Ko)ueyb zzULZJ?RHs9&FiqXO>g5lPR}k^)Baf1vD3QWRnzIq-KBU~^F>o%x-oh$81*DvZuN5< zEWd%C58v5oK6>pwOZi*ZFo1~3Ja3cmD-IEEyf3$shs-&)t-U3nhryrACbL`50U13W zLj{i*+LoC7E;m9A0E^A$=f|GbkL@%3fu9$e!=@2MJKWE6TKkz%J6dPH8F~PM&rxJH zFO|yky=u&>PVVNEZg0y4S%Nl>F0h86=9}aev>pxP9!;EcugC6|Y*vk<%M11XCr%)S zOU8ofl$NTURRhwed&lG0o1Hw}tH2F?NF=Dezq^L^y+pd13)H@qvVJwu(4$kAqH7neNO)=;ZyTql0WX`6z$k-d%%y}r7leVvv*wR_eK$OAv`-a}l} zbzdiftTw^VIFLX0pEj~{#=P z(NzKXp0QZ_9uhF7&3rz;C|(*sfOez#Yh1QO3Fx|~g08lDUSZYGIlV57O~;~;I>48b zeWtt7Us?gnzu`@mbxLYyFOHYim-nfbmnLT2c33nVuZVvi`G0^u-$AsWpx&=akgiW? 
zaPH?k?HK-H`a=@5g8kaKRB4!eiOGZuQtVExMO2{eP<&;#= zS8?YPROgc6DIQj+q7l|9Nk;vU{8@T`$d_F5#yNqX!ks;Ng3f93_nPu10&%;TVa&#L|Nt^`mSE1TAf(wk|hyAfjRd zGcT7-d-T!04TPi?seWWfv}Gb}3(t4=d|dIOQh52hT*Ha|MwRp17v~*(i2zS^Q3#Se zOW6T2*=+;`^VQ!&ztcs<1sk+e0^+_cQsr^meGVvNC?jgak{HH_{SB*{#q^=CLO>@{!lg{AOy{w*9t~*sEOxO%dFy_E;+ zBT;-!rSTg|Nrr_Xn}!ObJfUb_u}+|j1!I&E62YEq>}E8VFod{`#L{KZVmZP%d8|1e zt(&XNLy>9(*^m)u?R$pQf<^$%G7X0#ysG(Nho2_pAQ-kR6>7Fs9#s}`JE9MYDm7$# z?{dA&dT2=<)yCg{4gn%JP)QHwWWgHQ#p_aV&fm!i(7P%LWEN4A$Z+DWW-)$CQOwm+ zV|(|dI!mF=4Zvi%!M*&}|H-w+C$8qzrPMLsWTh!!J|0HHO)&vmoYOR1=KY;OWazf@ z8JW4{*yvvV18}WGRoP_L4BvB0@LqDl@6@#UJ^(l_2E`=aJ9aAg36?@O&PtdDlwS^r ziJuvhLlNgTZ;e6vz!Y?LCcE{EmBoa{Nj;F~uD~04EU zx+uaywPthY=S_xo;VAJNuT4P|A{lIr6qh-O(V2T~g0V0m{-vtY2NZ)@BB0kt&uUXEt;N?@Op;!>`jl2cKN5Y7e z4qyB;jnmFDh&=3zGGNNU^)&+-l7CI!4ff_M#nU4wFe1k~`NFEcP@LmG5f?;V_$rYa z9whAGL?J6i9*ZZay|vj*VW?>bBR|C5&LNl4kmVn!;$Byz@H8CEa3*I#JCWT z(JXro*}~eI*XBAF@bwl`K#>Vq^&&PY3eCj3kl7D}Ix8-_zSU_mouZ*7H3H=u5gy;@ z@Y*ao(~-3DdZVSokw{L9oW0P;s|>d$H6JcHOw>0teM_Z&4&GBA2?`hSWU4lpFH;&7 ztx}HmuPU`;u&$H^S`)2(e z%={mKrvL7u+!Wjs{4oVxy2#^bo}M+rrfoD(qULo`s2jL2 zt-b#u`{;4HQ01!k0qm*)-DkNiZ(SYjW)1P_xW6p_u={SM?>a6ePN{zh2z3eu-MWY` zrM%yEVJ?^1eBRQD990|X=@}S(aM|af0kT_n%PXEddaCFfOfTEnUAggncVkiry#7fg z@Y^{}LrK%4UGnU>KH1XQwa!S+g=kkj-;&LA*N@7LM}2+E!^fzY>`l9c+l``zQQlZXyXjOx}60@T;Lx6w27#4 z=_MQX2-#_W-14ft9Uhtio9A*DUqjT4qo3K~2Id=mHiqkR5PIxVLi0Fz8-^^5q%`W= z8Q5)pT$kBJt974LwFGF_jzp8o>w+|ZYr0F?E!*bHX)$mmJ3WtR>a)*oZd7ep?Zt?ITvrGP6uM3Y=&?cu#Tdtehwo{Tar*-HSYN5qt6B^Wr34yiZwA*_1hRY%~cx|>A%9QSxv#UM%z@GXcU&T`o<7MATaJc*0Af#3+o_P z82YFdai9IjTcX;_em;yB>N^h@jOM%d0s9Qv#3R#5)!-(#CD;=6X6yGg+-^`Y27D-* zb!0~w6OlPc#ZX?msfJu>js~|&7lZHE{%R{SiUyX+am7|NuFKt1q+L<-93u25vMPOO z$vCek`9Ye?_np*%klAhu46}RVA8-?dX;W$7ZI;gLfxcMF>%_}Zx2(eG_3^|5)`sz= zCF0gQj3#be4j=fljso+9Wpotxf`h}o-pSRc$LEMYtrWHER|P;ghDpa&GEr%DgQo?*e2meQ(5T`CJ<8YZaf){j(@AEl@kYj)9jIkGjL!*sq#*~2>GQ&l}tf! 
zr>GxU!iX>)WYY>m(ub`bDz1kwmqwH`vZ}>S;rYq)GLz{u_~TCgck}jMM_1Y>|Nk$_ zBHN~Fq0+@%_?v7ql86(gTlmMZP_HsI$S^-L61M3Vx`@hMY+rB5uI;)7x|b#Oci6+g zv7#lF(cZGZ|G@AH{tzZfti9;T=9lzHIgX_^-XTo%xqelgIgh2a>X80Jc$ltTyy*Wv;#ZX^ zXyBL{SH(A3?Bu6O_Ivv@hIh6s387SV#@xXwUMd04N<)G2*EE)HOyr#={8`b>yF_kh zB#i@QfuedlA?G)R5}X*8WGll+op=fwY=|RQ(MrYv18ItLqHc{byKV9FsN+rO3#-3|CM>!Qw)HmH2D=aV{zb zeBby}ouzDzd0Q4152m{5VpvL-Zjpqv9_8F$o$AuWZM$p@lQPA$UL3hjh*uKd+sazk z*-IBg*%%We70;a;?2vlG(@^jyA+k3?)r4zlG}%BjOo(B=HIp$>$~&eyiuofGIg(t_ zp)%2B9``9Mdosqc=;xA6ia1Rgs$+jG8*UO4BFVKoLrwtEI?lgNM!J{=Jg~{3EGU!{ zS}2QUYN-8Z-P&QrAQ`YT#Nr#w`$cp*a*QA&TEt&T_sP1|H$0`+Yij;xw0YRYe~@5E zoOVwtweT2~@qY6Mat~>dvyl9ShjNBH$F!oro@~5NtIPTI_CEj`0`L2MD-Psm27%uG zpZbc~^2rADpXw_y2lNs9*RKiuVsua7`I_}3a`<=*@aS`BhHPW7d9w<(L3g{ofzt?h zT&vXAS>CbFksfQHf8Ot7Z5e}==4-z=kC>2FPNB=}0P@qiNKWSaSAGtlz zw1syJS*kZ(mHYZm!);ghcw~3j*KtP+#Bh1daL25guQ~0q(ybo^nKc8jiS)Hi28eAn z%Gy^uro?eF!f^b&Iv*l4INdn!>s{>7p{98&^j}t|`^_qL-qt@VI@cieUa#ANa+Z_s z5io5@L{a+i~%dUu=n(d%vghOK9B{u8gKIuTW-XYc1fFq}`7}yGVT_y4*L5AGbW&Q6JOnvK+pM0bxh;($(7Sx51+F0Ne@Je zxx(W(t05@c*m&CkT+!QcbT*^8&Yz#jVdXSGbX)oLw88CIJP0+A#?jU`swt5~>)WdNhujhOAr1$1tmcoQQ z<3`PTb_n9KiI|!8FgWY0L6TdP1TH1nPFwqq1!$l9n!0Sr{=>-WPubGuN%y@qtJ#`w zeGF^Z=6Rab?|OLoiP>|rO}DD7&HuTEiG2C_M%szt)*S=do#IvBr=tEiFLuM%1fF|c zeR|i_dYyy2;b(Nbv>v&54Y*zQJSN-@Y|wqTv#<4jpxb~E-+UIm#h%eS%)^s^eY*p- zJcGdBkY5nLEDVF7E0Zs_c_GOw>PCJVFdVKGZ9*PKkpOnP^>Kpp`W1-#0iC4!E1BFx zLXq3)j6bUF6hyoap=mH;uU2e54UX|`&j~Iq@7i|_sN`C`LlHw2JxPL~ZwMopD`w8V ze^zSZ1er3WzELjsg9kQdG29l0h6hSv{U1}Bu?LoLCUS-5Iy|;qwJMvnoOOEh(r!J3 z@e6D8iK0GxVW25Op}jy8vn`o16jLr6Sb-oU1^I8bzf3OWYBMDr6tGSMe+UkGVb>~N zn!qwKl{=Rn9G2+dRW%aA!qUb@>d`Fzl0EGq`9Ha7CMDS7&y?Qw&mJ~{Bv=W|W z8`mPse5pRmVYBid7vuR^tRy#YlXQ2du1d2|7jp#Xd84d*G1bbi+Ny7MuZ&4|lX_5= z6ov&f4-I(SYV{<*q6*_gC903yewa16m4qM3=J)mAAd-xumYTF!D3`9CB`tDwwDBYl zpr8~rC@0tkw*%FsD3YD0l)BQan6q0grug5@Y+pgfa|TK$3(iqSep>V* z9zvCVX~r%}SGNp*o6dsjSd^H`YA;JVk$9^M-di(as728lgB~TE!)r+=`cQ6<|3yS| zY9i7agVp>f(Z#ed@}O3&EFvEeL8EL@((FM-3L;z?I;EV!ZY|2k9CsF@YXCZ~2Yqji 
zXz2Vq)Rh{LfViU$tnXDxRH{RVdTrHO7%?zYIrtZ-UZ<-r8b zf{H&aYfAt5cFkdn<}O&68E)&=BuIpAX~B~2TrQ0Ei%o&bCITbU8o^{MDpAA6L`Xng zDnKG3txlC9)E3rw=r4Rx#!pI8Vg-z|u`vl*W5OkyqW-u!_8TSM9QrvitaU951Z=-e z%nVBV+3G@W{TF%t<0?CDP}OY`s8mksbNZ{aNdk1r5Awmsy{>`opPKTpZ$}sqa7d($ z)=EnL@fc@ZGijX+(=vNjj{nFl7`RmoP zF;%~Ind59ZQm1$Jk`{i7eF^Z_k!-EpY~!7rYa(?%L>dCxfKbPoNNMkH$-Kll3VaI0 zUu~mdn)29#=(xX)rJ^``EJ~U<>{hho^1)vT7hP(<|MpN_Q?in+n^#+9Q$<)1t^+?j z`4`7`+YneHI9Dhom}CiU+w`J=yit4!%*SfQvW4|neIm(l?spXmWo9(uFsJVA5Qsn{ z^T{kj7~dMZ&yiv^ELJdwiZHGHANVx;I`)=+ampyOlb<_Jj9SCy?PX`sV2-Y*T(V^@VC&SA{F9`EVb z5IFM@p>N+*JHP#+JxHI|#BE=RpSGm|K3rW})8wEPz9Ta=eWxrFxz&3k=ccV4{kuD8 zU)8Lm%jSh?cQgaJ&Zm|Z7O{;jZ-wi%lw1$X)V7O8UR%KNz#{F*yW!i;V+!I}5fa}& z2B0AKTZEZD2X-9q>-C1dw9P%9W0^PNvcfWSIVN*Mm4Cpo* zs-V{c@}KZ$*^uV34wC_0kH`VL z(csJY1S{=kk9#pT%{ArtMLk@g=&U!_kBJ22s@fNzHUY!iX_T6mdtU?{4<*-QArAY? zk!i2h2CM7l{{2LS?X{d&I>T^OHNM8k%}T zyBxFU?S6Kh1~*Ioe6MAkB8)38+vSUn_dit!_?}0}a~tqHb>sSgr~PlAx~~#ODOUQP zPt_yza@#N0oMRDJZ6}8<)62>C>@ml{@sCnBjp*qyry8c!7@Pqzq_chSx2Sud< zL62RLfDu5jAUr~M5$90M3V>`uUP6&pM@{q}_nZ9X*BGX-e*K~cZ#hQ7OZ&A_^TWR; z@$%+#OkaK#7_p&Iex@XfTp2_o94(plk3=EKA+KX&0io830hsf+n^w8gu}63RS+)RJ z39D2$ts){meDbCriU>}M*6u%J+hSbjYtE&pml$*y*}`3pqK6suDENtib& z_+#;auqiEZJa}{Y1M9DNB)kO!gP81soLZjm=wX`73)+>k;}}VCm5WVGB54fIJP`AQ6vSr3cN<< z0tq(^TmOE82)v%YKeD;7A*5miYmf$kQ5H<1sML~3CqtU7##b3iCmYK$+lw( z{9Bt9sre74&hftvu<6zfnxsMFHnwfsww*M#o$T1QZQE+n*tTu%IN2x9`+LuG&X@HE z++XINnKjpHv0qDaAVwa{v63<@owb3h{w2Bq2Gb8^P;RbX6~6n3HE$khe20nhkC6v| z4_$hfB{eehMQyrfSc@X2K!!QHTs4HW;ACY5GH=oN;L!55C>7UC1@(xj_?w`Y=jKsE zaeVaQ8tFz11b)4C(<;`j$6B>k`_EzwT?v*|WCM(t#i~%xo^Rss3b104!`%05fPK)sITKlK@w-yn{}gX5Y1;I z003gY!56y7<2G7JKm3dMLH>I7GL0h34!YzoCOriWn2;APILk>$+I%aygw<45?a_22 zN(gW+Ng22S3nGW=Nydh;QJDD2ye~vXoyc-U+&@DlH>TJ4*8_9Hiq&6;k`c;Eg<1}s z8@*UNbLzL&w=>jDCr2V=@_1yXUv+(P6{k|6ws|&_%rKHgGi=F-9|UmE2GK5FIx80) z5qL;?LubEU|7<5#b7<#7Iq=#9wvV#NMDANABcJ)}jr{NtbBU_?Zi1ppV10BxX>ef7 z!H1Ya2FoJ?Ym8sdOS%JIK(R1GB63*HSe=a91(|aC5LEdc*^aDQ$v_%IL5NYrWcZhg 
z{YZl7Z$}ftG!i2!b~G_ukGc77LnOi<8;%4dstcQB%c|m+C>L&#w?!*`egUk06eU$8 z?w`US#+R-a$xmUQ6Mmv(Ngqp4{(kHi6Qd0u=Vlta-zV#SA(XNt&N9K$zo_DSk;$Fw z(0G5FDu#f7pnTv!p0s^Z*{-PP4zzVABe?chQAh|x;8Y1jBGsd}noN-3WYH#;G}Y9M zn^*w!u_x8cj~QQ_*b+PAf)+yfFk=Oi#XSMZUu~XD^EonS9-aG{MR_k$F%!&M&;vv= z7({sqWZb?GBmGs7tVOmRgE4owLC*CRWX(oRA`-mA6BgmdmD_UYl||AicfsDPcUVR| z+2T?~$prUx-#LD%BF|X_S)f~4$Xv@*xGpjWgrP@pW(a2~Doknu2~Czw+%8CpbtcUc z%ro5vmA3E@X!Gbwuz{v14Um6iN}N~+ggkIeJ!r`e{398g7@Z*lohP~0aGVm8ETYP2 zQpxHtkJ1fu{-1#2{0)$9iy!dazlf-j82G?k@_OCRchZ|&7I)W)8VG2KXCUF{cdOZ{rUDdCp%-hI_qT149> zhK`S2pDp*7bThK)q;%ODj;pn73ZwQ!{0_5ah#L2^yUN^;4=HZDuANu@t>=D0>VR$i zBje9SD?~o8CH9sa8lx@V*_|g&=Jqp0HXPixl-ESvL(vWC)E*SN=7);$N4>VA5bYc- zxAb>AyD%9Q0o6EM?5~eL&tD!0i2!FIvHT8Y%^%9Ujr1;VnBKmh#Co6A%dO=L zOWju+m#eB1!}?wZTe$hOoU9lQ-$tfLG&mENQq<^tGV*O)D?@ z&G*{q@mL$zB|@N0Y^Alg=^1-!P5Zl-7tQ&!*NgL86*-=A4tJ{?U@yM$xVvXl@fg=w z$*lY1-&CWX{_ByMdfRRH@NzFR$E}xm%aW{>*H1CKTJQCr$L}*7|2%*Zy*TOe`rh+W z=Q&PC@#Ke78+RFtOSnCJZld!X2InreCR-*g==yXxZy%ByuS2bBCrs+NVqMKoT)S-Y zI(M*hw0bU!%Bi(aN3^}vTQMOco2|P;OPM`f$H=wJ$3srG**^Vb*YNClY!7UkAcC`= z%fZDQesiF3i*#1cmoLnDXy)VQ6GZR{`0)hD{0jbn`wxJeK#zC+DLOc%9@Fnu?Bs|B}p4EFnu}RIE2?7_HnU)pL7>(v{NDwq6v-qBvQfrYk@tEsSx2b%fX4NdS{? zJ7GyZvda7_78uj0L}HhPHz9?|aCVSiSb%|XBQIagV0KG2lr6)AMglG@I>AtU zM}x=$;k0bg4(?@W;(l zjT)^Ivf3Ic9#SB#acJ{Xzcq$uTJ_`@@zmRP8(ol z)zR;LX~E!yogoW%ig4hq>n&ZB4kas>r&v7b4a-Dke`;UY!;>?Qc0{(HN=;4~P0Gb* zL^+o;{ZavEV5rkNY2H=DXD4aVzI#*YIfApUp}?5`V(z_@ND#UwPt9&NX~Y4^hSATo z$f&uC%3zWEyf}MPXeGjX{+(^5CC7;bKc0;WPJb^&jX#H%Ui?Yxk(ifE2$4@E`V$A+ zqToyp0*^=V+iZ%oQkr~V_8tMj$VmMupBm|;k|vQ1jO)#9f{(*r&j;=T;~^? 
zC2d6{;SUvAznwkh32FZxLO8$Q0!@xXMt+dTfA(I3)Ka|xeaOD~OM{&rjVgH|x|Q3K zht*mecdWHR2g)oN#cv2wu0!?U6sW3WkA|!}*)sJc{!*;OY34rGcJRp9*-=u%PnN`6Wf*e9^MXn#~=vZ9czQoJ+9H zY1Ddw-t1E&UE9*X{+sXqH8na1DmZKCLY>K6QxY2%dY<+qppxdWW; zy)0FGGTXkHQ_j?k9yU@1-Dl&Qtk9UOF8A~QPie%J|?bxpD!FTKg^dk*Ebq&YuVadF)f#t zUAcgrsn@SNgIleSJb%)!KOb=)3KAbzPphE2GUeTk4yUKxkKUb|BlWs!5aI*ZhmNm$ z3~o+Bw4drj^}H;H_ghA79iJO%7qWY80`|^d@#sOXtj5s?PMNssy#}8M^gZ_{FR|&B zdOceW{2s^o?5UhBpm&2=ghgUKz;Vhj9iL$=gz3k_awxsiP=tS7wC5;h_n+GJ>nNY? zYM!DKz@>Yy7Y>iZr{+57Jr5V4-)q0l+BK}_{794Qik`h?e5D5c9^;oY-qk{mtkZsy zd=PQo^)kkF4t;Iy`knBiaji=1BVf2(6ng9azK}h)dusN$>M8r_(~46l>}T&<SKZwROUJR5B0!8}B|-`DgEa{CN-H zA5Nz*87S|v8@XNRUU>s_Jq(&o1^g%T(%yRr&=YstOWKh*h%a{ynm#%Zj*$E9yr1|8 zDC|iJugSYXk}p4D5l8r5QU46F%F4I?%Fs>?2mp!96AK_njgpp*T2cH<4;Q#)*uJ9u z#Cm>Gsblf^^ybHt| zGS>8>m0&j_ftT@#c~~yvaSH*qDicdiSYb{sEICGoLyPR5R=s^#E<%?@EdKm!c;}608T;#+QF*>uO*NNq zhGjH)40O+FuuAh5Z%WeMORH4O9N8<+2767f;h{vWZN0Xl5qATQ2|R@g0@n>=Ap28C zSh^W!#SmDeBVI|Rfy_K;DVR6oxe^2QizpH|GjSs!M-i({1w;GCTt$Pi739I$cWmZF zDau)(bmOY1LJ|`K%+M{LDM+ddypj9Ei$D{?I7(hD7g)#kvEQ^{kRk6MPo1w*KS- zPd2M^igdUPna$B7YZB>KnTU~F-0+!KbiFz;!8x0B-Ym?5#U%{ZLtjCfXV#E!9s3yg z;s4yLfWvbS1yl-M!RKH^VIF2IRVEK$a~NE(b0p6>EG*=Zo8N8MeY5zzJc z7Rj{ymZhg4CHAd*e)c8G9H+vxyxlwCr{|8_g&zMouU!S3ws^;qh-TurP*2)GKEf+^ zc6{=_!kmx?i>dcFrkTV>tqpv{D0?VKLKXZgKUKF`1=|d#&;ER|BZOSRJ}aq=K@%&( zx+Y#aEQ_8@Qa28xW5)i@HPGO%Co^h7c#;~M)2Q#1L<$lz#7xFEmh1Y9qN0SncirOD zu>orF8>?jL&}hWs4-)M2kORL#)v{9$z2)7#5eKE3i1KtWIF=iC5mv5w@(^6JG+)J^ z7L`?R0hpOCV%3jSI*|~fSV98iFwUgAO^vdIQWaPmwv1x3P)wEvj=`RUsmf=0hC*du z6^^ScMH^WoBMGY|cq|(>{^YpYf`gDkvHU1BYqSx)oRVbNCojo-hB96Z%14xOLS|v0 zbI7bd_sI(I$=Ib7a`ek|37KDmIcjl~d<_v;tRt>7SAHb?7M?;f!A6!>S)ap2Rt)RM zqDeE>O&);BnwT)edkO>IP0G)*L>KdWh2WGPaR6zy%IfCXd42? 
zRgY}05|{(Ug-gmK7m;~Lh_kyGK1XwiNp$tF`(tR-xF!kCocS**T5W7Zkp?QluX~nn z_^jNEa^R#8G?c?WD~mf523+{C3E}=+X+s{v33ab4QFn%7jt?@W`<(>5r&z4I#^&Gc zPki&7-PJ{hUWmxU5wKXQvRLxwJxCW`PK_(hqEI+Q*hlKV0=y3oCP$zJC3mqG`If=3 zUchN*E2P4-tiY9uLRL}`%v2-o;a4Wk$(F)T`lc{6m3Av^^syhE2I3P>ehtI0ONRP= zQ)cLgWPC783(l*<0SKjK^QlKJqo#+T-I6?irr7rJr%wT{PaiE>ogw&Ymc$b)6)63k z_rt}2QXDZJ2MoxjWmx&k8g22*&eTO+A}y@>UVa-eQZ6jgp=JH)GM zV&mz?(YTg{ODl7O8f=yR1MD{y{p|6tkjv(r-}^pHEra$n#O&ql$wQ*mw??DZOFWFPGt|x{dRkmD@K`mQy8m({}h?>*sK>(wELN^%f7WlZBV5 z+{XF6+b(x*UzS_@XRyoWRv!+)lZBc7M<%u@J`xWbs08lh(^CGZYB{v=K=mMZ^Va<+ zAsdk(=am^=>bK#OZIiIg-~1(;@miA!`zEiC_V#{0d3zOh%G2Yp zYb^7-fOxn2dVpIcr{8~A;&lzavXj$|bbDXiF6(-no~F3J@p)}Ba9lIpzm3~?pEi?E zf2{c+;<|2mc;a_%v4LIpdZ{x?y&Zkfi44&7BM`w2Ztt9Z) zu+VE++q4$A#Od@`6r1OzFty0^wSQ-G0ukTiwdJqZLghMcGT`PeIi=k`Q5SFtGJi^Z z=fxxMY1vc;5V}3j-*_Kx{0Gk($?CzyAQ;FUe)0{w`n`9d^Vt5m>qss5c^f7I*9o1 z{5_zT@r4CnzyB4Vw2=hJzY|B10`=W0OMZNSh1nkr?ws8CFMTsYwyPpJYdK`Va`GEl z(w_}U@d+j0#Y8cwVUe4?IO0%iMe3VP|LvQ4Mams8t#GmOGNjYHe|YM{67-v9>3pM! zmvU@&>_vU|qXq<_)t>W$XOlAIAr(5!bIcb^5mC)(J5-ZejLXB}Y#YY#5X(exr!HhQ z$Ilul=h2O;GpEcU@+92C%>Hdr1DZ0bq15|0R^vdfnYw0)#1q4iDr)lziRVe*%4G~x z9P!p6`y|q`mWh`_L#j#&v3l0Bf}kY|a&4L#j0VNuU=~#hnoObl`yD*_Ge;b%Y_OO_ z@$hwWi^>1Q8lez0n@F4!etzANirFEV$)fz`&NieiZ1&@ubK}$gke8z#K*^=H9Bjd? 
z*eqC_1BZA}j)*_cn-rNH4`(CfF#MIzf>vP$p;E>;$TBy+rWFqJl@;>!H1eTT7fq?kQU`~75Iigqk(8)d3TOm@!}ip0 zF$+TD=&#O15PyUVf0`Kw?hI*7NiFEojV#6aV%qs*u`5MN;cPEw;YOZfs-=oSG+Qa(6 zJ(w!e78Mt4Btf-rAf&<;r0E5aw+85b6zZY48l+ipdUOrdMDo^KuUS%jCs>nM;FlM~ z!k|X~7B=XT?fQjm!e-1aNf4w6@_`4h4*K?_nI3dD#9)M3gicDEhP7mv{pC($ROoj~ zvH9gal7&#GT;;$R&Vp z)#2W)rj#yKpd0ZFBRB5hocBZUgir&U`l&n~pM!4UuZ@XJ>jT&>`YuOxNfuwSZ0k3& zqyQb_&2q7H)9y-5Vc)8!w*twrjiL$(m-K4~gcc=XtBE#VA6jh$4)yUqQvRtwGK@{% z2I`F$F5SzGcxjB{)%?MW8DKfBJp=ZCZG_2&Js_jZg5%J}?m-O;=2QHF(P2$oJ*fMk zP%WmYMxaavo$Ch5jcqOXdbQFtIV8XIc>~^Ha+mhM4DC|YXpakG;Qq|QqS#3R8!)hh z-WY||u$qwE`y_}aVa}@-q?bX=4W1YTzeF_ctiLJN_klRvH6Jvn5Z)OYA~P0$+-Dz38Wi&>p|9(9uLA=q^x(?UZCF!Qd2h{{z zJM3-f%T7H5agRY&%x_Xx(PocE;ZECYt6J4PQ`%Pl-uU9P0k6KPSG={nCx6Z8-G&4( zYn_L*_uC0OX;%5Rx@;+XUWd2cYAbkoR_v0Gb9*jI*n3_YY4yBJt4kx6y-08{mq_(_AliE^+xGkFxvsXEtQ+(|&p)ZwFFd%<6x?qiH}xc2cVrkb6PA9U*a*|Gm z@vNKQ-8oj%`vZsn8WT9-FtM;FZ=yhX>zVgn^#*}_3oY4>xbBOgWPUAlqc=a42W3QP>7>X z%}kIX0-zS*n#Zv4IJNgU0K#qiCj3}$+a|HqRa>FseR;j5m)ZONv6`;)eB}IXShryr z{q@zW%d5X-TV-=xF3V{$pc%krb{ZWEIR5m&77D%Woo^1sNy&B_Yn;{wXgYunL!;h@ z@qMekALS1`*t$YaRPB6 z+s8fJ*fq~~&dJ6cpS!q=?JE%C9w@c;%kiuXx(|*53<5OdLNoPwL6nML48H2NqO?T$ zYkvGr(7O68pl)t2fmCV`QeI05^zz_w#v+^DL{=q@!DV^`&sf#Yo5z4OYTd3JcDCT}@N@NU+ytK}%Gl?HJ_HqF?)3hau1}D_>&JUBw%ZL-o@QXL1wx~(Nb#*XF zYgp94jbbU&ri>~gG24US8cCMcpj{1*hK;WQ_!K*hGGES|ClR}`q%t2rmjMrk~Q zq{DEg9C6engF&c5R+ueYt$|S@`RQp|xcPA73@4e$s}&K6n@~lHC5SiT{C%JKRep?d z&6H}Y?VQhio8-5H; z*;j9y6l;|?B9kP?I%sehfq96eaGqH1S*AuasrXN@U^mj4EUGgcPq~VOIwdpa8|Kw8 z5k^axL+%BpTIcqH7;faXS%NB4q2M6fQA7vnaJ`K4pit%FJ?lTof^17_8|D{7xHJ}8 zl6BhX0cXnm#eCZXua189QcMRv3*q9pw1+pxo~4r{3Q1<9(n`b!XEY>1|2mvzC@`Z? 
zOZF=G4R+{(l1ot}r32;52t+2)>}yC@$|Hr=nX%CU*f|VH)9Ugk%E%J%4f-+L)}KkL zyx`$klZC6`)Gp%*d&{s{FQ7J%e8kbBr`Ok1Y3#F+WPWn{YvBF}pjI%fhFf#Bf&n*% zPS$o8Y!b!|r~ujr^$m^SJL9I68{qMjG4mGWS?V>avS0F;*C%WVa+BIB-FTw^=*}AS966vV(sU#fB-dnpF8w{WcYS2-FCCL|YXd&UOU#`+kV~q+WnuS6AL-~o>pDp3WQl2J27IYOt0eyh& zA^9XsWMimdo}t9Kxnwnff$hwgZlh?9ewj*QQe`G9`Ul%1&9>!yV#e9Yzz^Nh6Po-ez!ftI6q;iW;n zwjVX6g_yLUL=umFDaa3I-5p146Q1=ic|=~I#2OoX$Lx(zw^lKgCoaqZypEG_v{Q&2 z0==eXWjuU;2Bt6>acH?#%QTBk&G}-4eQ$cDI)zEmSUffyGpiu;1oHsT|H?f+6B4}G z=f`K@^aJRH9pP)bZYO-7>alnIsrXq@*}?Gl z`2}jf2@qzNZA{m8yH6J1dJO?AJ8@sNUWwi_-_t)m%vWsdxP;7@KiF-=ZW)|GudF54iQ(4){6M#Y2Ddf7TEkD7x zmgHN4qxKwZSJ1wz9GdkpXR=J=G6UuI5&w$~)3&v-d)dityKZNzTHf<~>oA7%W#Pq) zr|zvvTuVN?bsyi&5g)N~a{oHVYc;V`Rj=~XW!cHL-SV+{^$+!d5`6FO}4UNw&aEjkY7`;qj@ZO{27{%$o6$H_oo;r+nThFPofUpu-?0@)@9SK=?pj!r zSv}opJ>?U<3fSZWEwwiu-@ml-^sPhmuz)Sp^*6Uc5BAB!x{dp}SayKfV+?ju`&WyfL`30&ek_I*B6@$z~3 zmq~xG#Ls6}xsLxbfco^YyRdKzY<%Py)vc*M5MrE5mFn10cqK%DyubvCMt#1Q)fVkagi9d3hlRX%-zYfiwoLmUtn0tu{Fl~665_;+qRWaVNm2(Vd*X_IC^iks5oI237-!VZpq+En5g$0P zfgzNZbFZosN}rz#h(7L9aUMV?n8chz%?7)BzgG-#(fp_WR_S0$W}J_kvP zwKM5mQnc)?-Oi|jshbN{WS*d)BbKnxkm>SCCqI)U(|rq}Od6H6%Jx#TQUQ z81K8IFd7aUwk7C8mJyw{@Dh(u`?Lt671CL&tUKZ(H>>2UBxi6W zlhUXXK6p|kJ_^^tr-dZGTYnB{+P3h+KfC6#jM-|A|M4x@R76&D@#4*`4&==zlEIhv z|Hz6w+zFbcTdmGYm>t2Od;klnO$jCRFP0w6ALfAQJUCJf9EL8I6EZMIyAUk08>C$* zMOajN08>{T_e`oVQ5aO(K#PMYyvT!d=!hVHor4Aci zu{0!>unUj4eFkjQ$dmzD0p{DiC$V_y+NPoUQ@IEqCLGqeKP7iXas~nXlLLzoL#uJT zl$JqLKAxf>bd5>FCXYpFHPw!yRG&X(P0ks*lceGvj<{u1heII~8ZQKMz8)1}Nk9nF z^9yVW6PKf!k*AhtL6as%tkXBbHZ^@?>K8OoRwPl^uK`>rut^ zLrl=i3}CM|2ShXLeD4OjP5B2n&>{*+M8j12Mg#xcwc*%ZG<$UVZ9mStaHW3ZUl2B{ zFf(h7Ye-WXkOE5DUbNsawg0S$c2;J|1eHbwOd)FojoOeflCx%WQY$-N0_bV2f5-qc zt*qz&gR=!gI#D5z8W}1)(X!*HG?QTkQ4hL8^s>?q-GY9EAGQ z4~G?|UCC*1;(pn~uN746hy@xrHizkcU3r>C>UUUUtnw8|smzKzg(8>~Oe-vgT}w_( zsBj~|0x~yKLQU#efR!3HI;AdCq1qfVxdsa(9J+uyS&`;gvK7(;J81X!^k(h?=$P1z z{DyGW9XVI9xItN(6~#sz)>|=($r6XP(mi)%uOL%uS@p+w`l6hLA7UXG80(8n+IM(r 
z+(sA?3PKAv#~xn7J6uVr)-K=gr|6Bq6@#I8jpS;T4l~*QCbPA?u~ZLj8MbxeNeC`6 z_PTob0r@B%3=L;(TjvcUR$JZ1ED?lv)t+ttO^I^I`BdHbwdp5<`leq9Qol@ z?Qt3W`=aA~C{%Yw_kJ{!9yIvM)XLnrI{@IZx0%znTHmhX(R+Le%$eXD*IDDx6&P7t zgYIpe^LigIWuse}-EdkLr~18d=kXSMSIwIHd7nNa{5}WwXzW(eb8GBpt%j%$Iz=Wo z#`}0-qSkqT@b68($GuoYR|7no(d#+=L+{q7t0F`6xVlMcEB$fNWLf==aCnE?(+z@q zQeDnQ^*L65nox}O_?WzYimAFx{4~#(mldmjHqM_bB{^l9mUwnoRcjM>$BVVf?k6``x{0q{RFN_HXD8AS8 z^Uu({uxRi~7R(mPHE4)F9E29E*04Vu!k3bG*LLLL_nn=fAUa<`!$>PhKG3o-FIv1~ zI}CIBhqxkgpmMbcypgQS0xhZ_>_q=dNJ0@I9b5CM%S>}d@t#C0?gCQ1oF@Z`hiKk> z(MfB_BZZ%d6beo{PJB>2g&2$!N&Ib^3tU=SnFuZ_!7xl>H5#-E^8?R>*kW8{LtVlI zaeB@QP3wd;N}yv99~P%XeRNFGoFBVYb(fmKkL}TGhmP4!vDB6>4W-|J( z4OtXwksdu0D1(+@m&8kLlq;7d_y_SqezrWGYGkkf;?ySWl&*E|yPz>`e zc23!JE=0QHnfDTs;#yX-7Htn4lB_TZGS%lL8^;7UG>*a;s+(~70#`}!nxoXpmwul8 zuwY7B!}L6$JnUjk3g}Cp>QfvZMN_h@rWCA}nWb?u?*2{C?23RB<=?`L*{L)ZId)pd zCTrE6L_D9Y#id?TbRRDX4RlZv@>xfQ>DB)OZHc4UWP(`_#kQNZ1#P72G6LI0#1K$+=y-2^0}9FJYl}V<$qPGQOf$YaWfzF| zSHpfw4Pz;dyA=@*u%C#^b0|-kN$=8|x|hxQ-DSk(?;zK`{L>SUDWncuWNAo?I8J(z zqXofFpoG7b8A&=ZkM>YJVIS#=f)GYn+4d9Kf&m$eC`OzzrM4W#~~B35I2wsd4FTTxJ#ZOSPv*np^R6$$Ko7y6k4+8&zpExI#zVO3Jjxw~_}Sjm;SnVq%HJU@aauavGzCQl z?l`_q-J10W(IO2;9tSc^GvZEmJrdAcrN5nT?IFBlf4CZ6^B;7(pG9KLd&aVRv zII>`=T8Y+3n}I(b5T%B{Wg)gk3OmJO?IQzWLrzce4ijH0bWryqHetri6DDKFP$kY76>mM^ zKS-bQkER2A>5aS>05Kk}+4??TWf)=K0zPE!rt}8?Vf=(&#L^QNmEs}&4Di_P#DC&N zuh+XDkDa#8! zb~d`v_Lsr?zD7Hd_ef>Gg?;^0KdW`~&WneL)@^}vLoa>p$MLQeQE$N#r%fmOwFdBb zd+pC7UN2u;kKG}!Z)ozAp54?Szq{RXs_$H8_DXw`d1vtS@-NhYxZ>3M3G z{R!cX)HL7Q$>}zk{Hn9#VX)P>@Z)Ue@WEg4>&{zbuM6+BX?E8j!=wv2C;gq7@77mOe7N&l{PFYQk((d(@nb%bT*rI& zFw>U*+K-k_zwTxRy@vZ`=hF&~9pIAem6l8Ms)r`tTV|@}^^)-#n5p071XxVWCiiU! 
z^EpjPRgb~fc#OEV@wrb_@BOSEc&vH{zHZj2f;kT7_N=_U3f-K}Kem^j^Lbw?y+R~8 zm^)2hW2Q#gb?m**O*uWq=A-`X*p1h{>%6{C<+jx|DIZsB7v$*6!_yY1Vt*2<`?w5N z-?p>1@_sAk#_xHBu5e3peb@RBo))aB-VWH(X}82~oq>$w@&TAT!}Sx0(2fnJWBvh>TGVu$r@x_qkKZ&!EZui9cX zKT&+zKNYvv9{$t)>VN{jnqSj1{@%3P+UM9(VYMUT=!)KlPhxjV5(-R}Jog9Xx7eHd z4?s`EXJZ>7Cly7zz2}Pb8UGy0Ga_jVt$CdEdWM?vYq(CycZ_;!2Bcxp4jY6}^adP+ zU8Uf^tUS2Q@MOb5g7UB?zwfgdm0THJt&^K|_^(Ex*3U6$7!(_#mTW4mi}7AfBH)LJ=6{k-J0IrI1NWb4C%)6POcNP$&}1U6GNoS2L23D7wMwjt~lD{}dr z|EQnthz>G&!cm}%62ZHd^dg8Kbxj%LPBxYjcNz!@QIyMM8sp7_fI{A1y{j|n@Ku;~ z3RNPJ~Ko1RWy)^auuBfDKaEb*axD_06$(xG&}vDM04Hr?E@)2@ zNT{-i9V%Ap=CO2l@mN`QQ6nZu+#9#nRbhgHHw}rR{@e45b%@kKNH$R$7Q)gafZz*J z4Anl9Y|^fWvw!K@sbru7>JI(o>`P(|3e}}H1mvD zr}RgOlDo%9sAxNewk{g+q1MiRoaWg$Foy-Jr=N1InrER-hId)zMG+3(xx1kFh2h&*nBQ5@ zVp`wON0a|TbUpEC;+C1F`oG`H-td(mBqMC|_&GgM zqm>O^5eNxwr5Httt3!j1mZXB}Sf*5{;=z)$Fo4W#Xc-hF>xr^V z=34+SQrKgu{HH8Bmh_iVDf?7dzVdt$`K6P4@!T+%YXM9%Myd4=S}${pn0eB-vOvWj zjch8oc~XUw;hMW9)!-=;Q09fn&IO!;!@5FvKq#zi8LMQ&YdFy?whSx7uZxZ}m1n3|Zan>>RB zWKbK{AUB}qPku;svz?7mAhhT#3r`3ZZ=I4a_%EGlx)uz!2v+f!OS{rf9aB;MMojdm z|5oC{vJC-iUaplvU`U?%R`+Q(kvK#CA`cV>X?p(!7CFOsJNL4mqV7A8abGBB^aCqM zj(+3F*9I^c97Izf-AGoAMY$Ad)M+s**+i=JEyGmDPckP*ZcV})B>@Qy zbLfP1-7Ja+{`FDVluTe9ROfN!DonGIi61%YnSDfuE~r2OmCC$DWMlFDkZ4$I!me!C zza&?x8lu<~0yOBJb$ov*$)q50S<;+E+BoXTq!2E!$x7q2m=Wt&tE7G^%lYP&u2hV- zrPm{p?a)B|{-*UTbL&3jVVY(3UpWT7`5Q1i7C+>sPXoT(EQOy=rw3N&A7685`4VLY ze_``G7Hwo*8)85Zm98BPX$a*l~1^* zbDYv2#=*J|HQ%Zsn|wiAlE+ytr~5;jeOjR;zV_?$)V$5(Z1Oa;xG$5J_&#sx`nG~P z9L_ns7w^K+UmmNbCMzd?r|BhR?TwaEVtSV;;+salV>sxh|nZHMLba$t^oOY`SG z^aSYdfcA#h%+eE7GBd^NXD>sg?c+o|z;LOi@{OlwV%!R^W$&x2uAjU(Xg8bSt?atI zx8r{wkCr=oXX3e@TGrn*X-r&k8|HblKFwdN5C4um;cE)LN1tie5&P13pR4`ZVfW|+ zebl?;wzw{vx5My$p3`k8imjx0D`lwM*MScwd$&r+U2I zl(uS^T=ySe@?YxOZM{BMgB-sB$Fyc*E8XlI8=aS~ptEk5hquQzJ6|nxyiTYmd26}I zUe0Qlw}5St@zrvPaO~BqJ5?X99BaMDJ?DBoqn%D~xW8~5j@-7p_jmYnJyqP7wM%I% z`JSe%Qt@4Z<=oevo0Cr)MVAcc8Q7zhOR>2)3$-8C>CT_7cpsnd-7V|ptK#9CJv|`G)po?L 
zX0(4@p7zHjn^R`Iwuk6)o7dcn>v8zImxuRHI)MJfX3l9{T0PhM^-k-$x4X(5?`bBx ziBczRknw8iQE#jLedaXR!GhGoN(p!N+fc-5|1WO7`Uh{5L)^1vp8GFqiQOaqL*d(h zs3r8K@6@03p#(D@W0#SVFZ03Daz%fLF%PAAxNCCQ~>)`37Os`ibXpkm&-MFc~rLo!9NQyP(zxu&H|2iep@T;Q)3>#w;C zjR=We_*=}sq6-+c_bQ%c&WZ*oe*zVUPuQiUW`b9Y(q}{Bu%z2kVeYEMl*o({Am=}% zdi9YpYj&c&%=<}Df+~LKkvD)@TnyRhpA_BePAb_HFIqJ_;?|_*7QNr)l}8q;xMo1I zky_7)zZ*ALw9LzbpGT;)V*ZmsDcfh=V}3pW9QidmB4u$2pJg6f zl>;kTUB??VA8orm?GCv{ML;M1n(ho;6$6I*9T=Zwui*O1j-@UX^1^?y37xdR0OatM zk`RDQ!P252gan7GvXpez989S)(rhpeKOlBo6r0J)ek!r|6-yFC*?bap6C}czr)M00#7a~W6Qip% zaq2Ez>1fbrto@agaH*w9vHoO_i=Yj$7#PT`ob+K+sxi{JCPXVqDa1AKH6&kQOpf7k zHay4ZRxpxwTEh`8K2|mdp=hAjj63hNm4h39L(Ec>XVBKz6b=nm3}}V1nyW$pT4$A# z&R1#|tjlRa6r*xkj>6yVLx~ol@zojd=Y30yg0^>?voHUtM3*Nt;+L+{cfoMQP8%~a>;DOYiXiB3fsF28#5qR8|$ zDQ6cs*#no=x)iDI(c0;&g2eCHB8U{L?EG@LtRV!kw$b&(u72>BZv#xGdLy02SlI9s z`mq~R1{+VAMzZ&lLekc0i(sQa@U+7?q@TvyrVt(Ue^}P@#4vv&tC(HPxC_b$j}*Z?=#phZ>2{E}#n&<& zdQ;BY8*N-KX!wYP(|=vlr3FG_c2>j7{e8J4RaW>qKX^z_O%d zv4o6o{lOT&1dd{XEr@)DHVIo{v?v<@M3(XT`UdwfxN+9>I~1z)_DSui9Jq#S7Hx zF9Mx=z+c?^hA2$wkLBb387re0IR&!tw*QjVlWKhj^Qm+u3u4=AU4y5I7-nisNfhaTB)*XFKlB8aYaEz|AJ9-3F22t${E9`-7qoBO~VDsZ3HWQCLkomboj~ z6#Z$TZ+Ho{sLcf=F*%KMbk#}hsHE}Byos+dS%q~sVP6EA`rD?8)@Y1lp+Qz55cbI< z#wasC7xOj!zw*M*WB@Pqb@*&{^d3rY{MBCLeO^AD(EEepAY3`{Lr?RNcI{j#UgtNBvv>$Z zpJu05bgQfS^Ys72)H%LY0&xAhnKXH-sU}Z0C)>6)*|uwksV3XDZQHhOW9QoK)APLV zxz72r{)Kg|weI!1qd`}Dk&hPk=YDRn%{HSxZxu$A>IN6J<|VfGhImq|~RR ze{$PbAKWp+$nNgix0OEe=emZn!Rnn!D^JZ!XVX*N@98_&S^omoecP5FXzt24L01d~ z=em?zEtfB^Hp2Ru&_Kd{+kEoMM0TPjmuOA9@j%mUoGoy>>TyQfurBXSDx^HX>J;Qh z(G996%T2JRrq7kFD*ej+O`w)5F80Pc;5CcAS?h4X z&aU=8P`ydF9mwq@mtA=*x6iQtAY~-ufnuBS@q!&v<*@cLcMuS+y9TkX&G}qH*0@*N znr(2MH2t~?bAT`BAc|X>%2e5-%mZqLMb8R0o z&wJRV5UMezN3Uy#oY-T<+2c-yulUFtH+7qlPaq##gxh_3y&*abKH&LNye2eX(>p5} zLgn}pS`TyPr?|iro2%&^4SOhS^}cV(vZg+uHXwlS3Fd}kIz!XbG;^nnu*3U8@jCl` zb27Vqr!ZSmU8}S)>h;RP&bo0vJNv`x9ZdKH2sAqbe5mi&KcjGr_V!onfZ0W&UTQDy za`4o#@;{D^rok`NuP99=>s@)uF&CcUpE)Rd3*aBdEuxVJzhLS)t7a|V1Qg57p>)_b 
zU6HSeIt`1GZxI|L7Nwv|`OtPEG-VY~rxc|))ukQ8Dsi-f5pGld+_qzgL3_F{TQh|+ zS4Hfu#o&e$5Fm*nh>hW;Uym#H*95ci$r)7!=O4n)H+U-iEud6UD9220q3t09l7+d& zb$Tbz8qXoq)jy>1%07t44J~GhbxjU%Xf*R;lh!HdWtyrhN!lxysm}DwSVQ77R?V8! z=1UZwMns{l%#?cK{hO#EP|b}{>7;cwo|iK8=fljvlY`7;hBooi zCsl&{Ib^@(Z?wwT?p&Igi&Kt@A?>7kl@Dj|vbRnB5ta(kIgXdEfu{BGmv|SDMTy%_$fv*#7WQ z)Ona3+b?_Cqia25oL>%2Rl8YB5Xt{?Pd(NdV+R5Su^8MOkghNiB?qJfL-l`?EVCzA zBAmwxU_Wr6ph{zqq~fqHlKLkI^IrZ8^-TG432|8(-tYrXC;9TW1`C zrdQ*fLng8)hO3_bH(S29NJk~ihGS?~P^DN9ZirKea_R_&h=Z z2`&TLKER$@sWUn6RrM=EDY5vuKE*2!XgftTJ&NQ~Pskbyd3R0*G_Af0z%=_LHNmt~ zFZ?{TC#%S#X1^JCeihO8O)5tBy;(rBjRbEZdWcj!eyfI|$U~+GreaS2`+O?=yI>CP z{nsj{BirOp3=#xLJk)j@oFC#*>h>Om=JgiFLI*}Q3QoJ$wd&u6H!Ilgz30wN!eA!v z%VYYmn05WqZYd+bmMNb_;aB$~t<4{j^`lt^+4OqDqc~+6HYuqm67QqKldtC$C-PKo zWyNrm2j%@uVTFVIQoqlY8aKl}Y#B~_rzHdp9XCT(lv9w;6>%t2A&9lwXMTcd6Cz#{ zrGRs9;G=*Ojh3+tG1J#GPg{TRSg+v4NLA9XCl#onGA2qu5JLCZxk@o{W9&W7WEbBy#!2a%ij{c-T0$| z*hUCrL$Y~KC8qyHCjtrHgjt*QfDbKDzbRv4Ux_0O5kjp_Y;rsx;I#MKh+?548Rwpp zFWz7%DjR`W-M(wNJVmeMq{S1r38WE_j&-}~jrqXO1?gv!J?CteJsC7fE~&;4!XVm& zqiNIlaA`!D>aPYzFB#@oC5N5fw=f+kcEc`(Cz5C2 zli%pp2R0A0-`;d*cHTU?+e`%> zU--Peo}9p2Z|(&ioT=}zUo`DqO;@?z2#;4&6K_8&UY|4Y)s}*9u6Zy2ZF#Qi$Yp!< z)}vUUbUQzCA{?$h*(kJtcpAFyaieY7)VrQr@2|$ex!rHJ`^s}yQt5a?dC)Xucaccoeu10H+s)Qu z|9n(8-t}zmJ(Vww#}uyV6aDFHwsoq`POW$!MyhH#;vgsX8cc0a)^FAljEo-Y5dL|c5Z}cxH?J<0k;*HDmxC`CvZzlU&7qT*kZTVX( zkFoVnR`1Oqv(ZBWXol4f_Tvohw~0S;{Pxbvyvz8neMc19@&^p<`kQuqsha0y(sC|W zDK6Z<0izg+>&blg2g7=s*W@Gc$B1ei4^6A-phJ2`b}&eFS9+zn`i$@HZGXD;a8TN+ z{xPF-au?`ZHx}D}{Bak8745#ex>J(B^xp5;&C^uG!+w1SI;k|>ZUZs1^R-UKeFn(X zOUDG6foxwwrdM85%H_GeK3xvy-6?AZ^v)N%-5fWMnpT-i*X`+5_fz_y2f){?<_VNK zhRgdiO}i`SZJ)jVF^_Wjs?^PHEU5@L&fD2WfatYB-ww5x6?^xM{psYpUY`?k_GN{~ zXxY=$>f73;E8hW`Q6(9f(J5AIzAcw6aIKGIN!RE@%I>0N5Hy>0mF5Lz{QyUw18$;k zvp*@WpomW>UnDJhOpg|wO>=EJ8YasDhn!dXipb{;Z=#(hrm}wN=sP~W|@P^`xkBDou{!F*56LWIq|U5b!IS$EJR!- 
zgWKtuPm(M-lbHC!h=o`hy638fGsb1K_z(tF%388Gj&|M&9*Lg&CM6UiPp8T*y0r52w;w*zDFlnWEz@TD5XQ>~tV-Tir546RyKEZc3eGT}^g5H|;w(C6I7UthM&s>lyniaMTC+DQT*7RxG1RmX;p1s5+V$LgMp+S4t+RE9VIB4{;sjH=zrAdN)IuzZT&9b*OQ z4F4+LwO~JSCrJoCm}khwZ236_ndY-%m*tU`mQu#Zph~kSdv5JFkSY-UNtsfm4%DT} z#!EEE^d~n+JPonPo-p~xwlIwgBl(RkUE%$2P*dWDpOKOH&$^b;M*+W5vq5r=y2+-M zy+Yr>WweOPLRj5S^R+07JN@B3<^Srlemm&8eO$fJJE{#Scm@BF8)FH&U$g z@69erwA7!+X`MJ3HLG$GKk{HSAFcW`I7nIir1MP4X0Pf4cy3ueynsd*x*u*=>)^xZ)sr+O@Tw4SwY5esJ z8N0^LU=p9d#(Urn397#A*&OhNr@eRw35dQd20j`D|4LbvjsR)CZi52@I8T4|( zC1D3vDv36!T-nM&&iM$M1%h(4Gq`a-VquLSVJsO@TqzbSMl>*F@Z&wdW;kSFAE*Am zf(>TTM&#o)P5muy+IK&qO{tiC+?7TeyiN8<|Kg7Pj z1D~g7uaUE|JNq3#AyFgUFBvV1f*|!PKI@wO=BdpE@Ge0&4-Ke(@%)B49(}8wq2)t8 z*#~@qjy&)vM>j!S4Y-~Ldx%;zaM;(T0lYZfX+8N zHBsbtCC3ST7a+D5>2vL@zrv>Rd*()2-XFtuQU1b)jp7SOV=j7v;4f8 z@wlP7J2SKUB6li3gwJF1Y5Re8gdR+0U#&ep576RvKw@BU%LNTZd`=ZWyeeQ<%JCRzR{6FX039ce|klNKHw2jAvQRwBe z#^Z#Wt>$B6Bnpp7=(6Vq)589mEmn4!kIl3?ym~Pfxt;g>Ab0Y%ezlE~mu=$&K1Gyo z9nliE(PFY&)1!wO;gMG}Lp&n#hWVUD72t+_+x@zSJ9-0xb$P|+!{y4Wz501C6ZqU6HGXAn_ZwyN;&oro=X$7^ov-Xx_K;~$JX+WJLh~Zljlj2;Hg}o( z?XOjp?{h6sSL?BA)rz69yso!snE!1)yV2g|0iPWV%ywO|*xmz0XEgCk>NdWK!hWCL zu3ca)=NI6;2R6!agPShxWIj&{b=zA{6e#?_cjV?Rhk@*^4NQ)huYkJ`6gTjL1HXrH zf1oYks&p3xlfYv)5n;7v)5x9m?OLI!?!>&U42*I%{P2~OhB^p;OW{NSct9|h> z1`fRiF$`&N@+XBzf2vkIQm>1{6XEB8Cc4(<$Ym>eDyQVk-u}{T>uQl-5mzBbuUPsY zdeug4I5-*5ac~le@+7QR;xxj(WiFnprk6O`cg2=LslXsm(GevEsEk#7)%fKQyQG%b zL-oTw(9&(*mwqoe)D!kmVoF4sw_;u0@zj+hJs5K7>mMd5BGyINdZIZdh*D8M#BD5< zrRyW!F9y#UX>d}kjcO!8IjerECJDu8_NAuxupY%cGih>2aR?^AOOu>wV5I)uah?Or zIW9vcC4~s*=%G`;7d7J&Czd%R}Y_x0KZQHV*W!;FFAga(~AG;wtNBK z6BW25>JiOV7myt_hLRLpVJXm{`9_hfG~kV-PK@(#K~-D?JB3Nuivfo1x#=$E5LQ9E zB2M+G@84l?LQ|;K(4(|1YbuVoW0_0U1%qcgPW2M_QD6J5M_s-)j$rBMU*sVv=7W-y zAe0-~Qjh%*vzJmlRTSQ+y2Vp{D9qDS6b8o?6DdRzM;HZdM${t<;`&%h0;B8Z2O%n0 z&L!oeR}3LQyzh%YU&F!_qARflI!LQRsm{u7__ur@a18QoYh z|6izL3H;Rv%z}iRrp%7z>JQmk$hf**Z()evhhbO)va3q*Ig3H#xmU7z8_qtosg(WN zp9(xj1Ly>u96JnKm=pBXmv~ 
z%_XW3N`qMQT9CCPN6NyfWqqF7x7J9E@su2u1EO^aGJMha^V5!@cmobg2i`E`_AFG1C6=aP^+{Oi&a|THxL3S_vMw4qbMg|s!_P4UELwKpm6VI#h(=v)E7v18) zpX{Zu^lT}}h=^>DADb&)FRVId_u<#85C!AoJvw>M9%}hiiDDyhEW5;5f0?)!u$}po zHnIux{$BX~f6G2U^3T8#hGeil;WG-~Jop#^oA7~<+UU>fJYCnLLd1Sv+O=j2AenSce2Y@++_4B@ND@X{@T+8#4D%!|qr%B$=>tfsVbpW|cj=p}NC^4&4jX zhZT1&_7FL|+nmjro?-1XSmbnq@l-C0>~T1l4=aCpC-#x`X;O+-bGMtEcilMqYBk?% z>v&(}adO#`$y=`y**Yzh?UZ>K?s}9l}V4`f|+cKgWpCS5NmTDL` zU#t3IZ1NQ1^td%{EltjHhs$bMeYFPgS$VbC_GQgWKFj38ampI>t_^5k3{NI-e9DI9 zx9CDYN??87-Uj9Ku2`wB9EGAM>7Jk9KJwByZARhRwhpfXlc}ricLIUr&0)OMjnk#- zv>q$E#Z_LL6`Bi)fP%Ye(Cg9$f&7MNcEiGANcR@sE1t&^!xF!B;|HtPrLL!CFCjbk zM*%m@v7M)jRk~e;5O4Elu3Ocjhj^zqurjN|c?yZ&_bQ0cm!bYa^huYc?ZVwR`7-+b zV?UB&`zL|pw3HWq_ualh<;TaL5CW&k|81=kFZ_BV&$J);Cn-3-hi3pr&E_17K6vRW zXdh4Te>&?YnDtwBiAo_Ve3r#QPX~O9Sqx4ONizvPsx%(=^N}bs_S>a2Fd0?Ck1ev0 z>k^eJHQXAruvea78GEVy-d~qIh=?F{>(k9p(0(adRZ+awNw2bpu<)HS%?SM(t+WRE zsDjdY-DL#zTtP$)dR96DwpA)$7uS8G$C4z_F)0yNwwnQ2%OTjZ@lcU~QCn*kE^O0W zVX=f+SthD8^p^v6+e&zb!Pn_QxfpwKXn7=o)_5lmExbh&u5as&Dshoo0%#TM5|g#F zXL({S_aZ0cnYQA7-xMWE6w+&m!;;D=G4_F}R z1FhTR;lDW{ng&tF^}DxU;}Eb3zELMjhU-$P*>m-CAV>GsJjVw_7!z@-g^ zr;P_wdbAdh%O}v>RRc0@~!JQ%7s09v`a47Z?)LJkQ8A(ksAn3Qg3Zn7d_2CpXnnXQ^*Fey4( zj1yw$CzCC+1m~phvRSNf_X3a1}u@b9cE>J4f zxq`zQRzUPy!dMHB3}TEJwqi(NR6N0}rHy%vd0N*w~AaTLM);(SD4+7+_mUsDDjYdy3$5!Bm~*yScO{XOisqZyM##!U z6Qgz3&m1BAf!INctWx7tIQ$mGjMrr^l)c}XPljM-QTix{TjiL((TtjI`dP#Zw`)RP z7K*#)C&R*9Z`&Cbej}Ts3dU6y;!U)$cX14`*QsP6actUP5m9zFxBLG+6{a;O-~&IV z=k7^<@G9W@#Wo0bFg6wR2|fG0(Sv@qTq`Yq9%7q{>S5nc{6E7s<+~O5{F$K01ilFw z{1j&kVuM(Ii;-V?b_e@|Ljn3fdSjw*rmytw4~>3F39UGrqNjg|?{h8)HDx%VbR0ci zxLPsPM0Gz;PiriL@7cvSJNmH^*isues;{^W`=?IjH$C^F)vY%-C3SeZ-l5D(U(?#} z*)lggR$#OVXD%nX+>a;V)@f5{-7lu*A7746n;ZPN>2+L=>v7p_US`e^2)q#6kCL9I z+Pp)8ss;484{LtYb9$wk^;*e;5S*dxZ!h0AZo;jqbiifg9i?7(z~qg$gT;E|7Ze7D z<{;4f?EU_88-?$aACRq;q%80f#Ne^j{895Ht*r~N-ZOoIJ8a9$=6}CWKF+R{Q|HUn`GEb1X7_wA zDrVc$+uFfu&%9e`x9W0xOhO12Z|rtG%_YQ{e%xsSoAPLToAclX;`-q1zi@17x~7A+ 
zyP*ofVq*@&S9h2AUA{wa$#ykrT?h8w-lwrjWdvfAF1MYA9RM(nuhwev zP)z?JxBvG8uA1DAp`(a`Fr$6w5R0#F&uIhxZKM5+=)}a#4){p*R{AiI-Na|oUv2Y# zZ@(F|u6qOI9G>EOZO4DhJ)>#fxPPUJcQ%-eYPWa@y-0N9ZG(=?s$b@mukJefkk@r_ z2TZXAFo8>sedT$*_#HOzySGnu>^rp=C(x=don}GXn%5Eh#3P&|p6x12Yfk4IrpW{~ zr})>GuM!TA59%E)n?R@ew`=}{PNeNtskdG_H}A0jW?^-Y^MhMIC=y@)f&G5pf1D!K?h8>jIZd!T@l%N*eiZ(`hg~+V zan#Z-p+;@fO@;CNuaNIqD=F8zG(aNq>xBP&_b{HYMR*r#Owrd+7^d!|TG&IS{M^(O z8Vmh|w-`H-VEU3oL|ES&*~SLjbY>NsH~l~9d$SipvVd;}0XPAxg!DyHrv3D`d!nlizIF=82ApEi==D#y^jO3u}T!GW4-RWQi-N3M`0S zbQ)tM0W14Ch6==J-+m?U&-w{Ya0upDYRD+T49!Re8k9GpE|v}yn*Jq!BY~B1=_5Bj z-dAMBhh@zpeYo$UjqoE%`)AU$D$#{`*HUc%4VkSnxuL}7QDgJHS3=Kl@!*b{^Je}K^mro(70Jv)6*nqR&kHB4D1Dy=-JP@Pa81KN~ zAIlF@{`f(-dZgcXYxzn|O0qi;({A%$R44CLhn6y;hA|4mSVo<-oFUO)al)xp(rK za~SPCVEmEh8z~_5GCQ(2Ul;K;(m?8TIJ1UZGF_`|o=AMIfSp?Cd*K=z2J0ImPO>U8 zQJ}HVI3;$L&0s#9{qv>B#^UR?7o$m(wo-)Oo zMYJCw(L~K5pdi^^3nLOxArT=+DCR+LT zLil;91CmwdU4>DoIOe`f3j%y{_*Jxwx*9l!$3R!|eKV428rBUdDk5mwU&m=xOL*MK z%FE2Faxhjk|6wn2qftihh5f@$9u>?qJpR3;YIFp^9=6=NrVw|s|BC7Rx<-T7he-uEl@t6Hj!jqzcK8i@3_gC~UvUm7P{5Pl zJpojKQ>QWjm0+Terw9I@|9ZbA2=STgKdqhvjyAf1<**m-vUP2X9g|V0(Qgmp6+hqA*)y@no6nAF)#kpsHeo28 z!x}-qk5>0{a0A-oS#y?qvzde0v_V1HWGSG@J-*RQc<+?ms_ge`^7qDrv3v@R&gR#ABphmLdz8Pr8 zXAaxh`Ek2^-Eu2gNum34nuOKmbc2IC?U=RJ{5BVfwUMcn#^*apxM9ENvmO}DTX*oE z{lU#Uq5WrKC+dFv0yt&SRo~~~wVSG~xda=fg7FN%6Z1y+cv}nFPSb0BCG{a#lj%&sjx%CPvwj}#Y1;#RfTc*vnsjLC0_U4q?;I4vwqfGGf zE%(X($Sf#n3F+r6)$<*2P0Bc2B;aQ;oLf%EA4pA`!j!@J`3&~AI(S7i#pCx9i8Y*! 
zNX?y}>sF`*X_f6VX%%4TwC+7x=7p#DR2vA3)TdI5KH$JpHo_mthB>lTE&r<%3i?;hr9zsu+SI#Vcd zIiENy24*sc!^dS*4Bv@@qZnuMEA8*fyZcL&ynVLJ%jO@6kT{&yA~Q0wzsp%8UBclo zOObh#a+M0T+SiVx9taqEs=`naNTPH6FCs#Mr52uu3Fl|NM@N)!5fh`5kj0 zB6rjt2p&EL@2ur;jQW191%JMezK<<^;%AOP6iBU%4?E7ta*+ovu3(28Eu7fZwnh5o z_qc-~dTP~wa`A3!9+g(bZ8~aBstOFfu369;5V{L^qWfV8q=9;)mrgR1ClsiVsm*soTB;DfMjKeT(GLu9wx+$IEPe9 z!%Jw)^*!}u>~?dyDBrrJoCN=B6UIm>rTbbqE6g1#bUelE1wyp3+jh3xkf_Pwbnk!iW6u%_mfJ{lMLA$7$H*L|}+|0S)qAQnF zxR~!sVOWVmsyVr$sYI(Jk^sbgPKKuZtta#BKfETMu^(LM+5~K2jcldtA}uOsKg!q= zzm4yv$i>iFkajw1I+1Ul@0|5vYD$Z4ZY)A}ZV&P06qzh&b2_=^$a z{eOj6;QtX~<-7VAM}s@T0>32C=CNY~K2P8RpC|DD#C87qNj}@n=RbYLPl4CDXj9BE zENRE*wrH?tS)A1XmY)4nURA$Jg|Pj4Ycp&&y6LhX?&b-ou+`H5lRvDHReJ(6td88m zulUk0eZhayx!trvvTu5HE~jvZi~0FyOe^ccI^W`l^dHY*y{%F+eJeM->l#O6Tg_5K z3VGFapYxZGbvkBol6_>Gp4yNY-bJ-%*hU+trZ*e(Pd}|wQtM|nm-1HcRGp7!9&X3+ zrrnOy73?UWt~HKVi)VKA>drljZmq*7+{~u1+PSs4<*5zpMCC`HJB}LG^v}6}Az+33GP;|?p@(X8SSwb3C5RIQ;Zj+()Z#0}rGDt(T3%o%VAk zA(%^TPJx;rGKNl&8v=VP%2z$ccj2(3s@t;TcaLTL-tTE<1do#*W6LPpM%j=(olP@( z?&jlU$(sP@(}!suVnSBmhgS4YBh`?LmraW*_#ytt*C$@~t(%soX*OEjV$*%lAJ)d* zyyj!xZ2L8$alsPB8gPvhv=OERBb-9(8-I9$|IC5#ElZVG&$ZINs_#Zd<;P5VqY!@c+AuOK$Ld<8OBL zUKqFHa|RLYoZi2`8(eooZr@*aX8XW#?xHx!wVX9#5N^F%c*MhAxqH{F`@hefab0J4 zKxO_pd)*f3`)snG@rk(4is0V=N!QVQFNX8vd_?yZ1WBLs4@wv;SlE_{IbIO`$C1_a znb|o5SUCwac2h**NdBYqnb{e7#WMZCtf-NGW8pRzxRIw_{)MV2XvSMwHB>2$%uA3s z9BD;Op&{rHq85PHlzCPK4TG($mNq(z6z&&8`ajh9*)P!#PQz`L)Et7X+@K4yi z=yUOT`YVWChWiK?4^s#lX42|GD^fA?UIRXehduKza}cVWkItMmkXLAf^0XtQln z3e;d*_*p8Q#a-LTvaQA?EbT@~zD$7iAYeRduuAJr*1|4_Z5VUcCey6?#apJ7#q!dd zA+;PP-@4j-6(dadCWnT~v=!-^1;N->)=sSUA(Hq%VESV}qp2 z7DX^A%%i(vbHq1ruO6@6J~hRJO&??fTuq|`zgYzUz-;*qz4y7->AnB?usR2eJ(R0T zkq&&9Kx%JG95(-5@w4BQGj&2+Ds1$ZaKpEv;mKfmMuq+W=B)hXdeNdV=v9tTQYbf# z$c&%iUn;j^0zFGpSZO@zXfVG6L>@eyouGc(gr4681Qpz?z)`7k8@ehLA=o$a64_^~ z8qE36{n%k!mx-Q!dW*7LtB|UV9rF7Gi90*l0{ zK8Z?u9Dy=3#J_^MDnNv_oOpsl8iz2!5NlcVbJrk|FoVW2WJ@{0=|>^Hzgn{6Xhd=h 
z>~K-eCg?v`CA;z1G!{+i3TA3+;^Y%kD~MlxZ|HtR#d^K;48Z7}ko|Sa$aN!rmJRP1Dr!`tQv{0NAM@*C#etU9|Veaw- z5p{ZBu*6(XvE7Af6W7v(4kWslAZ6BojwNZBrSXHIKmDhFp6Prk(qHkuLtgTuxfJ9e433TKLEKIH%Zl_503=V?IamkqPK?EkFs|MOfm1ptL?KYyk|z@Tfu z6Z0p6d-TM>lCg|X@$;h~kN4vl_GaB#{??n##^zP4rOtBR=A-oG308V7n`4T{*P#oS zYh2&sD~zgc!ZkqaUauN4JKzIp=$3uMaYK!Q;bN-Q^KG$7^Y~jr?_-rx&J%=g=# z_A5=Q=55Q2%v7(X4QcLe+j8#Bx{ufEZ}PM{Z$3Wwmo2Q!Z+76bxe;x2YR%_OLU}z8 zZ13`601D_cGuY1;iMwy`QRp7&Owafz2~yal>UxFPtajyEu~Zww22HJ+5!)l*jQMLX)n2zk?b0 z^E`e{2)Y?4YXO=T9|*a(BoH{Us}Zbu?OI&(`CKP%L|58%@@<{<;xk$wdTbl(df;ze z`q#ZgobpZ(v_4FBYu0SObIW@_x3${kxY+=<6=4ZpBrHck$=0AId&X|tn@5_xYntf| zD%$~Z*zVe`IPt8y2UK+)wr#G{H7}`SLMP;w{#S8pzpU4bM!RaK!CvVJDN;2n)Z?s0 z9%?5APhjimTh`Cb`_9*Z%4tviLg{WmZ_x1N{mlB%)26nWc)?RL*3sq7;}+nnS>;XV zwodYSX)T9@Bl$Pv?|VKovag0;qQMyVgc6RpF&A|!pM09{Cv!%YGZVv_LXOLl4ljL9d7GmR5zp)CXNYK5ZfWq%92+^s{LRKTTLBFy(KF!L(;QT%8YnaU;cr%Ug0VK z=eN_Y*+~b=u@p)4xCPIcI;Ty<6;%DsDiip8=O5giDnU}zu1rlJ>k!dK2e`rY7#vF# zgcMUPE@D?PAD008FA@S`5vi=W2?K_uR0%L8Y?P$NFxd6x(4%N_cxYMUF|~ipq>vXK z{cEPig1-ES_)|c7E5bXaU_4qJtWhm^RM)8UndMHZ3|tAmaMx^u2>Z54#q9mJ$A-$e zOaR+}-zDJf_9K2=-xM0f*b`!rXDXj8;wB_ODG^;Zh|-W3eJqDM)so%ODE*gU?4UHs zcS(;)YTL#-f*2PstqP}a$|tWJBQu)@Q;dzl0)vOP11=?wS_mTScv^otFg5Yz!s0D@ zkHeHY&6Iqbq5J~n$WuQZKJlaETMCJL$3`QN<#eUSNY`nr6x(yIvqW*O2o| znT=TlYPSYiS|Hf^JCt$YNDMC<}QeuXP{1>aDsM*M}o|f4#Q1J*M9Hrr-E3)0?_u zudn01ySrvfAsIEN$ZN=G!u}OYf#j0TJ*<71O9sgzPh2GU6mVrSddnlqk<(6$1IXpv zHY8bJ+&4~&^#!nlJNZ^7qNx8KD+Xk+4^T~zc6uk$$G)bV7kTOjFDi8w5FfroOG-%Cq z_J094EU*JsKfs;1whbTh%84aLO@x^}0iM^VBBa&;%hIP@TAWBbr^PqKHf&R9Sd=*+ zE1COnEFrW;j41OKo-v^LA{6b5M<-*LB+;OK{6dUXe5S3uAH1(=Sp7_0pM7 z3nyfIR@#~aO4zxU>k9p`6|uC;m*4Y}N*Yb3u`ZiJ5;DJC)U6^TRuL3eY`YSENdGE| zkYXwjKyO8YL4%VOQ()^)1lf|PLhNBK2YPXaNr)K*ISqOmzQzZuk1pdOI7&<#2(n6^ zPFV-hg|k^4+K`$vL6eS|*6qefK@=h{E)rP(P~s~~Gj3ZQYr5b&D&|6Q%!B#{Bd1jP4ehUb0$~(C%!e}Y846o(D)M(?xD?o?Z z5i0TzV66$2T=`)uk((78tC4#vxbu*H;apZEUBPMUQgp0ZR;3Uo$q|S#`$@Xe^w&Zw z_%K5fjfw$2o{nb@&i(s1Kz~on;?HEnATm<Ciqag@T{PA&Q@?3M0Pj1u 
zvbtQT95&duG15S@PR}d1{?6d^XZ6k8hAGjLW#ko0vy)XMdJe{Yl^)m2mRnx6&s#7nz_r(Nf}yFyG2}(wde!+Q zzIuJ{?3e%mj;bcG-$pvb>T0og906&oC#<}=a^LvV$sL9*V@$t}!l|^QRd`;si(fhq zYWLd^=rlez4#_ud*Valu-IPDJnx@MFqd(qhjdlwGSzz$wN8rRE;LWWOFa#L#E6 zA*k4er9KmZ3}B5Y?xBPw5^n`2!DJtdxh6foNz^uT^t)55m3xcau?*aWtQWH5@#homhT(o zfGPVT?@u>dzwnRx#gd#inAm(x{nt9~Q)CscM}gs@N7afWcbA;>g)!q*E=h{Rgi5_= zf}e^YZb~IwWb-T@`p8m?&Pb|krO<+M{gip+T3Yhy5{z=4nv3L*ET8X{6`^BdpAnhf zZg^ke5)+Cmepo3h`x`UdqWv>`_tq3T&00lz>ttiP8Y1IQ$VW{DI*An>Dl28q22{~R znB$r^rpmj6Q5MZseB-3f`*R7F&v8yh>iQDmZJD@`rIL&>t(l#M|#BR?**+A0~P(p90RP2{TnqM41QC;qV zM7s^qEZHD{{IO=HoF|PqoR~}Td`h$~!}))R`lj$W1FqY~P8z4N)!1mP#Vu@P-o?;ci^T-fBDW$z2p^N$SLyc%eU8DQ?%qt3LW7~2NqfwI z9FV1RYSyQv$c^>ARGh#%YY=@w9Kw4atxGMI;p}Vf*iEzDW+J^F;iI`^6i{TN{4<TwX-0Fy?d9kidT{`3nf@9eY+Ud z5X#=c=7Dy=%1OPlpHHkQ&GZ%l^GmU{B-Sr0aqUDiXNk@fRF`U*8r>*auXf@YtclWN z9-3!+i82I?-$cHnw46CMFdmT&i;&xDLTNmac|&ezf7Wi(1>@ zO7)+f6K*Xv_ocg~z-l?T72@n45k-DMbmQk(ceCX1K!H?Y`TGWop@ z%c2c&e6AACQiDMs5BX_Q16d_WR$!zxR|<8;*QwNM)*3Y|a+ndUjBu9>6N9?}XvTR= zKI*7O1IJ*>xOht>r!s;INI_v(Z&@neI_db8)H5x7t#8fj$Pj^lgr#^QIU#@DOR$$= zzv8D~?jZhl&!kVYIPs{p=jd-qXwl+;9_KqNco6mHlk@)L2;UcootUg(i_b$qN{h~+ zQws>IVOC zoSXi516eBf4m3c+VvzI$W~K|k+dpx{Md1H_f~()#ZYk`EyNRZ~jdo(-kkLw3g1hJO)%W5;17kE837X<7< zBkEe`FO*%B?RCETba_NfIw~AIJ_@}*?zB@7yxBW;848{(g=P0^_PEEs3rGpw^~uOy zyz2Rb#uYmSkYWI>FCJUIkH20NH{1Z`TZO@^4xRe`=jFER-A5_=P_l&U?T7Dkx8Lh# zmOZ`9I~PM2hda%QYu(YR7&vb&2a=jnd%LSp7)9F zqsyjQTo3T>yR2gpc=2PN=ufS_;*T{iYfS$W0pfs$$IY}{J{JEc^{KVHfSyCcP4e^i9bc+;I%&~=25-d+x{5zemcD3d-dbBKX`JAAKGBw)dta$Y^mtrfe);6t_0X_&nZ$H{e@VhD@Rq-5s3Z8avT4Z3{PO^t=YA^1Ot*U*Ey+4x$@fG9L*BGla+oP?3vxOf3HZN4rTDC>wJsl4lT=zwhBU%V)`A6z zak0j!sIsEM#mK4YT&z;&TjqCo%JgM2YGS}x>^Pvey=CcAxkzv@%E^d z%2Iq9ouY2kh~}MbL`zN|2b6#o?&M9OBVk_hIbrJN-%I4sOq(gqpqmMhOk%%zo(B+T z7NlC#H@|BCuf{VKFMJ{@X_03r-M~3H_E_>#Bwf zz3WW^*}C33UUHucjGbn_jyA1`G)grF-afX8KXlo=&GYDcMAgb;lj&np**MD*d^R5} zVKY3rkP;uAiX@>i2NDuV+;NPoU7?8rUqKU4ZHZPJp2^%gNC@zlyZU_he^04P!SKCuU^E1SQ+@HJREhJ 
zQz$LsXq&&xe1-J$l6vLbnV=L&@1LP%Ly^4j8vMwtv`5xXT1EPruI4dx$wE=kd@pL{;mnso_2;v4~!b?9k}SRFyt|)OS81-WLF2Ns9_dbP(QK+y4pGG z1mSh)Goq}KanospHL2r}1?4QAHE9pop0=(1QBs2HUv(FhZH_`7yce6Uh)qF6b%H8i zdi?yWFlma3a>w@&HHqWSWF}>UGvOqUTp#RFeD!;Ya+qy{V={G3M1%+z7E5EEDsSOi z%3Bfx5XXk(RWZ!+FJNEjIpU*Van$Sv6hX#oX&16zRjk^`+{jM9O#)P`wC8wx$1^dL z6&^b*Di~MGQR9%gk^iAA$%rh+(yIdbdY~huqC+P}DFTV%PFJ;BzcJqyN{kjY&_*N- z)FYP5ib?B}UcePcM^aabYs!plbj&cV63f+I=>+j+o@cUg4rs*@3UTi5 zD0zu1D)Q$*i5ea&>wV?CPQJ*p2V@Ax#~jJhzUlZdK86+*9 zO!rQ|b&^M9b#*cklu5Y`b?Pvz(nkD*>SvTz-F&-5((iH|;m7L&59d7R&HQbnVJrS{zDBN84Xr6&HsuJ)JZ)wkmf z_!e4hd?xTyksX~|P6ZtP|M79fi5F5oT?F2CeFNl5zVUZ_(QU>jA;S8F+zT%7L$8Steyt1!L#L^J!!o` zz@4F5@~WO`3`g1JpBUP zyM{9~4|v_z9<|l=2Y?$j_ffU@?=~>w<+gkRjG<0T*EWUPAH%v)`MLsx54ut|M|!(H zUKQAp_sF2DeiLUuNI*mk(yyXKYQq)AhRR zGq4R9=->Z6NAL;>BBmlNayo|R?M3% z(|`4z#oZ>+Tr|Ah^T(rXIJzDBA9+7qS3X%LPbDqv^}hqpK?mcHxvgMpUkFER;v=*l z+x3>39S@s(OdSW&rNn@{OuV}NWt=K5#|u@^*qUNjzyrmW&qu8L)~X?*;l}l7WAE*~ zx|HYUA3KjP58H4k=amGcA=#D}Q?prRevz(jdYm$`` zTW$Co;JRZ_E!E?@!->{=7u&tuw%sKEuhg+)|7liRxAtBo5bXT{etJcN3=sd|wsQCY zbF2#O36=lgG#B)I08sy1FmPk#VtYdc_<>)_UWIaH!5J`3lH_gsT4tG_`C-k2?ch>u zPDEB-4a|R5XgfKnU+RBTK3cJ0(Gdm7Yh{XB`6pvXJ@|F2Pdw{w(l?3@**=!`>@9^r zSC;jG{;XQ3d1h^5ykJ{A<6^I8tI047T}>F#KSld3q*-lPZh}xz zo`J;$s+ln1giJg!244O)W%tVXy z&PbUJGXKL5NjF%%mC(RYLU&u!uoDIo z=UUXEi#;mL*^aaIv#1B_xPcwRvR}K%ozR-!f74{&#PN$K;x`7W-4uF9?u9mP&SXK6 z(d-g}C;R(J=R*aXZ2|RE&H`AQvr4cyQXz+uwrE+N50z%(chr9OYPo zkUrXLEsw;&YMVl{1@-hxBU-Z;m^cbH=dv>SKBta0UYBn+Up@PEvaM_}@u@H+DISd1 zJfyX1knYiq4&0L4lpvs^3?YA~)GiaWaSyG# zXmT<|rk5XAY7#$os!8_~<;jT`1`l|)OD z%&Zwg@ne4!lAqTRP`Uw6OX(2saBZ#fY2{w&Rzg?ZRib&w;pWPUNnOktBJ;!xu?(0! 
z3N29Qy_HTU`82kq3FwTqu$t(2gg;?jfwLPZOTTD0?|ABgwoEwe#j1l*a z)o2CU?AIGm!&P|ksUH3cDACgJ&NCWBE*%eGVnm}5t6Vw`MjNaPM=mzOLsdh6#H`w& zzXs_rrHHMbP!f>oXcW!VtmSsc2PQ?3x9U$~g=jeZIbDu!G{)hO!nD7X%;#mu>@WC# z<8^EHGqyx1=_4s)4gAKjy7e~w+WWTn@mW+Q@|6RL4EnzQ9S+R!iWZ*F5@U?_F8yu^ zK10>>$Yo5Qc+k{yC9nA=6yE!=pyDgo`}St&U9rZ0++G^Y|F^QXP0~9D_|!g*#-ixw z*lDULxF5+K(9HQV?8*d6(a`~vHa{Vv0#EXC|J=__r}6D{M5k(jc3TZW2O);=1Z9a#S>QJU6d~`U1vV zr=OTs-ti6sC#Mbe_@zMabIcg6P~(CvtE01gh6We7H0_==Xz782`X4jCw&6#Y82a7o zll=A%L)C+l2R|5tTLGZDM$a|RGgSiIY?lD*@%!FY!0J1P?*yU{an570dDrsv+Fr%{ zQTGZE)FuUR8@(C+$t^_o<2Cd4q1Lc>12?Yi?A;JVngiJPGyq?G$Qriapm$z*9pD;t z*?v^h5C=@_%H51y7;J$AjYA*_Yg&HnGCWNYZFSpBFxRiDJ2JGj*KZE>p)Low_L|qO z@6HMgdnQT=H6q=upl%uNf}&nF)4+90wnt14bJOh`k3!Bnd-3lcz@_Rfn%p*@*wtAp z>zNgkELn|7ffwOL5BU)K&Kg+W250?w`8@G?m`1?aB9iO~U5$ zu(OO-sa}QZruW**4sZ|5e<|jt&wKwJA=eLZc@y9t0N&%c2sE7ymh(;vgAS7rAIu5( zzpyKF`MI3Ds~L5SG8o8zAb_oz;=nUZ`*`Z@Riu{#J8sDkdEz#Es*P!k>b~}pgZwpE z!7gOqW6QgWFhmP6)5MadzS;xPBI)@D7iVXz`YtLor?<^eXCkWxIMXAofH0~xwk@h^ zMM3cFBV|eWmb#(?RCz|IKgO%eVShL*@*Vu5-@{kUq*wp(1uuNVfRYkDs*kPh>pT&4t_o${_$RWzVEA1kT2{kK2Bd za$LO;a*(S3M21M4DHVEyWo|>Ial_sN2ieLtq1&Dv#f+=`* zMtf>r(zN7Z&a8;ySEWs4#5sJXT<*7RL6vj5;fud( zsF%uU?mZMYeo1A&q&mJ9&$PvzJL9fI9b&jkk5Fha$G$j4SkYZxHvZt3ek^Qy#-n?S zJlldQGd@nm78}eGn@BUf7X{WM{Puh^H9TPbhzUJ0_DsQN*A-dLfizrQrHs@gp;;)< zK{lupM!ZtfNr=WW(_#2(#A@p}wtyiAdQXJ8DI`HzE23=g;F1H1F9C4^Qm(+>9NMn(9c==lhL zxtxHf!R1i_`3fDIktFurI{N|`|h9bY%v!C6_?8lx5E!;SXf8nRI zC}Cq_W$OQ#g2vjQR39_~R$^p}PE^9NPDKnet1YpaZR1@3LTAL?$z`;tr+)1=uC<}6 z&{Ph@D0&p$5~-R390J&1)}KjU6i>v!3=RxrxLFv#pHa^eHCgi`uZi6HOe# z)@#6&zSwBMxFj%pL}7=?9t~A27_TTx)38+>qQR<;IEBtCnTyvSvkwI}DE*y7sVsJC zj+w7V6ez;{LVV;liIrdE9l@SazWSJDDxTk&q1MW5lWpBxwEtYSdWpSPZXE2zL5;;A z#%;p8wvqh6d z#;b#A?zlgo0I=_HFsxt6`sBi&DL)!pAAi2ThSxf56yp+WtpSE#mJMF2H6L?5OFPGE zM)=0JeB71Rs@wJJ1EeFur`7D((SU*gc`g$cjO4zdt&0b z7e8p8SmN$(F|^%OP$Y2z`+Na?WGcP~R1@4yBz-)laN$N6@SO3+btKx>`JSLOB`P;(AmXPg+ ze2teZ@4d6f4u9{`})!p4stCAit~rXn$SSDe>iyE7vCL>|`^p5t_gO 
zgwR37c_=hSuaq*ia}`o?9GTeE4dY>DEb^PCtmQeIUK3gm7I+oC&bW@#k&euS~ z`D|ghU+7EpR9ckd9`38x)I&4&D{Kh?!=CbIpwYQLW!A~pE@sk#tb^H(G zphzwHLD^`LIF^%**-;%^aZzUBkIKWuhLhHZ7@aBDfIqT6yXiMxgwsII2JNaf&JiSP z2Bo~)luuDtu~x5CJ;d=uXX&aFRaF@s`GLG+qMWmRcW4kn>x^s1!qVp3>-js}x8ph` z+oua8TnEF5_ZYS9`ro%Mv2%{k@S4jr&*I4kW_mm&ZiMFmbkrxTEsIw(i z{4BBk$})Hl;YXQDzHTeQliaUkHP|YVovZZ7;R3Q=>KBD=u)NAkBYw`I*H#BAWa$VZ zNlj2PHcm2;0wwHKl&fiXI_Mc?%?jMRCcszkj^Y_hT2t9;Oz(tm)4L4ZfScUGa&W&Q zy9BnH{YGP;&w6Fczm8+YQu(edjm8WcnQa8yZLHWD(~^!VleqAnERt`)B0)qXGxl2@ zpvU}6zf{+N1v34HXo}n68lVc zB#I6JC2e(}@F;g|0wlO^1E2rbNn@j|J$wZ0WIS?F(7&_D+K}>W9|bPLs=8F5cQgFhr`gME?Mj zXEDaZhTjZx!;sZ+#;Z2jx6!#W)g_>D!L^|2_gSCn7qMmF1t0+&UM%GvRG+4I9yi5@N z@Ij0L4Y%Zp7n{5%W}o^$(kiTd116&7U%yMy^YT=HKyr*(uUd#FL@hY1{m4GQ#XQwy zT?w-~`dEDGYUFxUXqH6?1*cw9e! zy2>o$eE#1!0vm;}ra#NQPV0T-Di(jLw@s)&4weAD;5EKY~2})n>6abS&(CeU-`;Yha+*8ftRNCdECX;~I`m)c_ zAFm_c2t(JcSRpIBj^Tc^GXl^O|Jg2y-`kOpm>GeFAwFEjqSF8pV!XN>n8DFC3U((Rp1)on} zR!Y{uC7&@X8|neA|2)z3>JDdt_E+G!QI9*{Bmak3-Dxib;B&CIltA}D@Fi-Nz55%x zo2uT$>s8Lp=jm4Ts)r*Szrv}Z_tOkjPZNhRhkPCxhiLx=I6y32Q59J}-_ z_s0H!hsN04F85Z)9IhYQ+NP?B0(OH0o*zSr!}eDdz46St2a~EK?md3jB8Tp_3=no7 zO70JwiiXd1uERZ7I=FfP*WBEU0!>q*uS0jnCy7GS;M~9Oj;;>?!Ia18XT=aGq{E{r zfbiypXxBLNs_Ogm2StDxD0l8?8c@-=Y#{zYQI~!DNgY4#KF1%o%J`M2ONr!lhS-SsQiYz#|+L_;8Kp-`AyDMjS#{7BSes{}Em z0^_{M<8Ig_aMx^1b!NvfMo|`%D-`N<+JDABm(6_ln)lGGbN}i-7gtb>@8&4{82@7 zh!C&a$Cyjt(QhXWn?;yb>x+?m+W5so3Kn|DQq?64ihngU2|Bv?rJMOOetijQy!QTC zG(#PS${OorC#(Q1Z+|zKz#RNhCSICfMPbgPY-=7Z>5)w9!A?;8UGBSK8chHbktVh{ zK|O=c@PZofE@*}TD`h60z#9O6*a$TCw8?|DU&*FkXUOQs-tN z9k=oWZI)uMCn7@(>biU+UMbkj=C2t`(03-oRxGHXhmrDB=>j^la}Tlcrcz=HZ<}@m zsdCCC^8BE&bB?QoztkQq4Tst1*FmU zlleuQQj8{~2eRh!5cet?3fomy6%V_1;S;hMl8s4CYuU!_z$hv8W_;5P{OXuKmR;>x zDz<>}GuPwfm=W6KyTE1hbY}yFs31p0IU4)XYuZ|NpfHh@i98v7yB^_SxpB{$8XLzR z{7>y6M2Y}BGyWG0Ey(jFX!gODy`U7t97KFKvILzWo;2Iyq42Z*C^G1p1lx$09t75} z=l_Up(W5qob(}!qZz-Da1aJW#mTe6{ZhrM(lpVQ_SRef zYECtS6ox8OE(Yxp1?;d#PhLSso@i1>BL3-LLhwa`Jm!pR?)R>ruHvf>t~5J_AvRvP 
zuvn*gN&yB?I$GinWqO?QSlA&437z0?7^Fh<+G!00vE@mNtazfJo7h!5X~ZgyEcu(L z+_6EwuMH>4)TKujxec~M+9klNuYxL=vIPrq)XHCy&+!NO7Wr1G7geV3Nf-Z+>I*0* zOU~Ijx6w+Rz;0Sfni*z#RY2~V)0|qCYODn%G{t<`{KAHUB8MGLsDOK_U0p({WRZ?| zblW>=JWGi4KLZ>GYwGmKej;?e{;^d$`>_dl>~*@L0)sw6M82}UrHM3rYO)Q0J)x1$ z#g&CeEKmz4{N|Hekur3jaPQr)-s$nx?@=idJ>G*fweX^yoZ`IEc{UidGgCPdsrD@;qdDA)Va6SV$T`#LU zl~wIQzB6J;oKtn4n?_GUB> zT~770=_2ktI;9yT&1pfK3@Y|NO}x_d;MTD8c1L~HFneNmnAWAEM`yY-M-e>yWbT&WFw zV)iGz9e{}cI8SL@>beU9&G-Ho=&Y*ebUt=e5Ujj2JA8l2eKzVg2YBST-5->t6twc5 zCXOr2ZS+qGJlL)?j*|fNg0_xh{4@6pv*#W3tZ$R%n=QF0N!DCO@1qQ#iL`9&bEOP` zr|bGfmOZbB7`5N{v6&(?FNK_U1D;|6p7tG=yicW)9=Q4M64i6p%H0pkZ@pWq>qf=I zNLSe#rx6U-@3{BWyB~6SZmXFIJ0|0f8l=|Uj#~b+tor_US)KonDJmUUt_fN{06-0b z+h{uxqLJTj?s|WbXoIDm-(M8%JtF7@wGXdtK5of{U8(x`6^!>gI}mur^k7tmRv1vw+8!yj@6 zt^s$*KxizFXuUiLp&$A>kCSf1Vm*i^wh1~*k6ZWZ?}<7PtX zmeJ(hab%;V2>1LT4H-VVgJ7A2+-~I@cJ+T1m`^4&MSPThDrr?>5jzU4J#?7HgDA7+ zUE(lrEhHgI@R|4IyAs2i9E?IhB1_0?KiP=U79FbbA9U!rb@O1u64Q=s^*YWZl&aZ% zLFH8jlTBifM(+Wk(Q>U22%)Qf2I z2ogLfXq!Wdz)7?_8FDp*_QT_(mUQ|yW!I6^5EEGYgYy8HIFmZQ8B^SrpD?IHUBCWC zQ6c~FEB}2a6)2NMeYzHv?HLg~s~GC13eVF>a!9XcucYx+X1dwhWtSY{l0)0j+@xIQ z@mOY5u|8iFN{znEQ#79q`Sk~yIxkUhxgT@iP`kpa>1(};q{VO??oPsFxKHXN*)IoA zdZNnkJ*fV4e?+4~q!y5Zj8(8{p`HVxQL|zby)t@mTjp;_=_GpL6KjhVbE#?wo-te# z3Wn4=!j&`_U-*R~{G~n=cFVf|B5OO?()qUc1%&>4lE6TJP$q|Lhwjff6buYL4E3OQ zcv*uP%F|?w@_}CQ3{_`4#|dRS>prvu(xmzW8x2Bs1y@!b_@~e@$e|_gQ$VlW8oQH5Fp}roTMyZ~a2WEWl_Ya*n zMaf^W>n+j6&X~x`T=yhcBrjI@XWa8efixPjQI%cyY}8u!*Xb?CSQgeVwl6zxdRaje z42I^imw8a!Vs442=_qCLsNu8{P2V5lB+Cg+SY1l3WoC z^7;vJN+E}iep`pf!k#44g=B8fy#n8jl;rm)wDW%S<|w4`l!#l|m+Fc?4qaqYv`_sVs{=Y4Fic&p8KaDY~bk8l2MQ+rGNZ}lYvb2U5(Lu=-B zHz;Q)pa(Q=xG?4OvEwMJTT@!|a-6ll30MLDUPuvQaCC;hl~C>6B{jQpP2%RY?PUI- z=T$AMc1Lf&UWZ~5xOI8`mF=+VgxTRW6ejet3X$c|`2e~zj@AO4G=2x@xdc3%dh=Jg z5vX-KEo>}rc%(f5e4ZI)H(HMnJ-50R#;7jKrFvb5>bLZLL#VigbWu)aw_27HJskmK zD#NDDu{A5##(%wepT^8-EEa}40c<%$eJ=phAG)AXFD@AF51yer<&MTR4d1Kx4^0iI zEFrVM-sR)R+%4J~A1a5-y2)oW*#cFxs{h4A<{m#cp%lIzPJskE?@OX`W{_WhYrK9IW 
zQks9=_~09}^TJEUYdryp_pAdj`rSN05Kwn8>zgTs6hd&=>o!?=25`;b{vBrMxB5eo z$-XtL?#Q54=;s z=bWmg(6g3l$E5|1#{+L^JlJWVy|o6+Is^txfWbN+FC-wiv3LIu?yp%{V4>JYp}~eE z3EWb&LGUL-6=T3D8wU6~{+K>(#_*l?$9?I#<^DMUGi%V1G3PV@uXhyO2PkQz5LTBo z{;loDmm}as&eBK|3>zH~{&8SwM}7!vstbkbBa`~!rY0YDe~Q>A`<@QMgvb6iXPFs0 zU`YABI_KzG#d#tTeA5YhJGo&DZKdLYo9dzA4Nt}uKo|ZEl>^IKo4qXAVYB7}`Zs38dVF`P7(T)+uEa_pT)H%(lohHf-__B9!wnnhj9$OezuGYOcV4&al^ znGP~&I$qt?DBN5mXr##;tXF^O?SUI4SAXx!LSGSb6i44L*qY~hDwQvf?4!YV#Fk8o zsdeGREt1cZ)wNk084WrZ$&uuibfYPSOKDLHMXF#7;&d5XkdDS@^Orp{R!F~~En{-( z5Epaj&xI{sUzAkgyF5mc~&7` zxlvSDazW2BD_1XbZ$pP zEKd7Ip6v+XO#8zDwO%EJwF~WDbYY^L&j%kM^wcm{(5d_x)<(LK6lYsJqg+&+6 zRO*+df;=|3rg_R`3HVvW`D`xcI3Hl2FQ;H zqS@w}Y3NMx!bPd)X>W4+Joi{f;}acJ>E+$4*C*t&Ldpo(ifzWvTnxhYvbm6v7kuIo zq-zJrlYYm$9V1NbEGC!WoW*bxSVs}I3^VOM5GlFrVDO#^7Y6GQq*>IP*-Tn|4$N9}Oft#*X+p`Efyy-6`prDV`PXdV`0wIcI zTt?=GtfkMTKk1TWrk!a2%eb$B5!k>mnrII!@D%-~b1V&yz({#-5I!SHLneIOjpiSi zk7?lA>(q$x50vf%)&C~wTW$G~-h8Ot;O7?i_%gX!S`!M2frsJ!_p70c=LG^9%7|BabF_-qDDHsGbg6Pz4jPDN zpKPJ=n8aZBt}D3z!bb0Tu{jWVicW)};8IpdcoLeqijPClyz^wTX?>KS!6R?Cf>X*T z>S|Tat3%2&^>qA0*xZ^6_aFWw(5@f)tX#PfxnvbXu)E8ohH)MS>Rh5A8XjWJ;qDs- zMY$Z4ZgTyvzyTOcc*3c^XBI{0041!m2j}3+JIQKjQAS#ewZ}Xi;?#j6BpheEe;P{V zUrV4;kz`~bE6xAGDn9Ak>rb1yTP4|Gf8cJ`ZB$wcn zSj1s$wd|XxTYVsjgE9lEpf|13spdG5>oEH5R6k!{{ANZ^i+ip-d2-^#vU|(xrZxsM zzr|b{&Vt#9FkSK^edLQ3MgwiDJ#JyIeB=DAR+NxsW^o~Sm2E;Nv46fGMfIaq##5%6 zI@mddg95t>nG;pS0{&YHpUQViIX@pViUxrZspB^2ow!WeXA7eaxdAV#d|U`18;ovD z>NN+X8jVXa`!`>EBy2Cl-Ti@qiWayIOScC~!EWY4Hyp9%je%L$oE6^fOKg6b`5FqBMOENBZKIxP2(xlvp?M?8iHn$4H2CBU>bQB zjfZRuYx^Ef@LIK2WBky#vi=Dx05J?kN;C0v&g=1b5<}NR!*~&**I&iI+IK_82v1)n ziPt8|Jv}Sgys1l{6oPLCU_qi*rDRo2){7`Ij=0 zr(~`_jKil#HfZICu2OAdAMR%H)AD}@^#{KoP{0u5vr91JHMf>hP#5evL`MTMMkoXS z{S+BUzaoOc%V5&&L@jWVXbJAEG(j7)D)>&-@6A1~x~prNjJt>Dsum7(tlQh^7!j@D zeLA){4ag6y@mVom-g;Un9?q>ZrGHBOJzE1jWxh!U<+OuS?iMs#bl(1^ zTnRL|P5foO?iONL&cLma&SCYu8rCdm;kv2D97m90rbAMEj={6_D`Md704cooA+$}BW=+=1k>8{m&$er+K zUEGp(Ux5_=G))i#yiI8QHiT@R@;*bqQ=Jc=uel#{K|`>G{+p{xPylxDzr9-jk03JF 
z*(p!U_?P%6z}kYnJzwYh=31Egp+NiD&eZ4~>gsN`t%AUFTdy8xXVcr?ox%9Mw;Crf zbHMm53E_O9_bsAhhW5(^i6MCOVZgHI?)7!7{W<42sWL5u;7ZTyv0^8>^8%?ghCP1E zy?Lj3XVlgL&;f8cON;k+Dzqo=fbeQuz(zk_dO6D}O;rGcKyX5Us`#SEb6jS?v&VKu zY>v>!#M6p)CrL8TZcFr&TV%Dz5R>2ytPCy-sNYIXut1wmB;|_obJ5cgv1li|=Pc@l|ixwgFH1k1f~# z>^*zGU%C$d(M{cOaXjgspwq4P?6+MU=L#_E-*|6dq(FHe24sPIH(yEMLq7f9EC1>J zkbdWX5UQaF+vlzU6Hv0Oa?H+`NN)kCd<}~}XkecKK=4JD78pt~X+taWWBj*4oHN0aAx6m~hXtTh}Nxb>}6YhV=-{ z4(ROrB!4R|cd;i-qwo0jz>6P=ae%&C$ytu{NV-l(HSgsT{Ltr+{C&|xvCs)iWF&8T zxI|@nIC5z;+9J1fJ2HwQgAu|Xo2y3;q{wxe|B{@MZ?>@8Ns37b+dZGqjyXx5J- zec1FH4U;!}qNcZ3@Oo4>a6QZ+>2hr-AjwQn{aS`%xm1&~KB<=Y8N|8cL z)6ZB+OpvIqOcBekv*fjcFjEQ~b6KX+AYnPm+h)P4NILF|G)(VALQN!}&sH%M)49LN z)`=UKt}hA%S%SS<9XThDCq`^l=~@zZkwfrKP}NJQ!3-O;ODXwL_}Oi;D71Wm#|^(L zU~E=zY^|zU^2}&%UHcOnW?X)RS0g9wz0gAMD|uRB+m`MQgno^l`EuGc=b%T~(4$m| zBGSlCG?)~Q=&3`IZ*X~o>L{XDFCiz%@$);DQ9D$l7pzeFq$I%^%)vxOR8q%&{n|MH5x7fWWW)#RsY<*v9+`X+rTaEli zQU}pzq5U-iVNZ0(!3 zyV$ML1~P2!L?juHSsk4aBhWCUog+Gv2}DZzZ$7Z47AqTN6yN;Tcl;(yJoPxPuS)8J zMV0F7R?1d3;=ac2-c~m39ea*E`xQ+ospzdN_$)-DHhs=~exA>{cG&^ayTnh>?VettEM0rdQuS^X;E-xxl4%Z2iyc zF1>>v8^p2E^X7Gbj&)J$@<0=!+(27Ck>GPCK3o50^Ph-;txPf=uHHeNcvT$W9ig(=Mx#jyotqxwb?>i-1EQ zi>Xx)mlj?>YS2H^7H7PrwkXc80cOxZDkC^sYS* zFAZ7ki=R~enpycG{$dP<6uEo#SwB_pZ`5_zXwD9q*hg7j>1rF)BWF+^cBnwNnj2|3 z^oal*Oc@WJlTJ`En>B^B`MkF@N@cqSv&n#n%v6?G`?*#HO{=IxNtQ?|ifq!!o7}1# z)|v+t281HHWtHWSkH!CvT>w0uSRU0JARza#4BXzdN5CH=y*l5mEQahl(q3T zHn~c~FXRt8B>2N+x%Kwbd@Wbs-RtR-M97j|_de;+b##6k9o|Uky*zG>>&&W~@;kfH zF21sOdh?nxo!GEF54bPhKAoet6!N`!o7-y_=<&aUJ6=N)5%Eb79K{x9?PT_Q%zGj_bs`IiLdni<#rODUh*0Q#|)TXJur%&rLRieso*NT&`zOYH# zaa&jYQ{g@CxV6z86|f`4^OoIM>v>RZkbSh315G2f6+gdJJJwz&H?0wJ z9sEgZU0vU?wE0tsy{?RR1Ch>mKPSCsS_kk~yWhjSLvCN;-}-m1INlRByEVHn8g?&m z2-!K;-sW66xywN>T*sW#(N?lQy!LX`Wh(|vh@av-ylbZ!xm#MheJ0<^OVwYNZEN*! 
za$KOFcb?Rb|9tj(ANgI9#(nH9mf{cTdf~NRuyb5i<~#JYWS_UKV?zs zY4O|U0C=7EN1^;%^3$>u~P@V9>Dz-|yh9x1X<2 zcu@x(75g;m$v+D8OaIBA*8l!PBGV6o0M*9TYdy;QOW|V}ZP#)~rm+xumP2PIMnt#z zkrL!QZBg6yAAM_f!D8@fwWXw=HcPdYJF`h9)8)h7-qs+xr2wuV_8H1?Pw z+9HMl!tJ7kdaWh_GjI^9RJ##fkyY?FTGo_8#dYhHQaXKrYaO*&FbcOg(N+;d12!qX z+U?B^rw`4mGuF{`a=5ZvsRYT?mBt>88m%Ir*or=x-pCd<_>UzIZfc#7wzV?Es2ey7 zl5#tQ>JKdhwAaMX-SBv!ev0%}TJRn%9ClcQ*3;jrPI-TS#o?cLY=TyU!98;8FQJ-P zW=ukP@=Xh`OBL@xf~gXuL{Z0;!Jnn&)cnor~q=zwf>c+rSR`I7yW!7OO~< z++%|3*`!g39FjN(aig!SFZKn4JF5p(SPfhZ)~q5Y`{8VXXuPCSr$q(n4SpMLo@Yv_ zL@R!y{*sb<;69B*m{wJgII1G8GJZR7aHYG$#t?54te9~T81rcoiU0Uz7>OTW^{}oL z55#=N1y1_++5ZpUQuDh$`$uaoqqB76)lp!0R(uAnrO?)F9=nwNKXQ&xA(h|FEt?f8 zVw^ull`I9h_-#~9ngy)$idnE%O!TPF3SoXRRf+~A7ZD`dr6!ta5<=+}f~ZvFx zk1QP*?y#$~6@&S-GqZ8Msba#5sL#b|S-XOWC#BKumt+ZJehYRhLaNIW}!HOq*DI`@#ecO=wg~%;iw8e>an@XMy z4AkIG%Ve3=5UWv>aj?UVL72hFO{1N4X^IorUE#T5Q_&sjv;M{AtCZ>*bzEs2i%Wr2 z#GEaq$ywy-(@KfbSeSKzfOS?6{kki210mlhGvu^LT=ZSod-#P}j+(~cW(r!*A`B{7 z8idLzL=B^&(g>&8pJIAgUUx3jGCcU3M*aS@ZOJmz;uT4qsX^547N8pGdeo?Vc1ueiEXyLlrnXo7N)Z@#E3Wn2<#vk!9UDzy!p54YJ+`*1^i`;mJMUS{Z?J` z+Ag5hX)&M{lA(8{v6)n0>5A`j1Fl8WyAZsXk|CX!vh%`lgI1zCcp$E({?qKNN8#fk zSgz&uNm)kUJH6-c^9661-?`k^RGhln$@Kfpe$+9bZMP8M?0pT;>jJu;oTS)0EVt4? zWn%-~TF>J=%ql;JrtaoV@7+A6tZRJ7oCNCb6?V5~G|!n^7;4fs3lg}laysho=RHn) zwzjO3Dz`k>UpJ@MU+66=B`}V6b`MS)Bk<+DZ?{GM(qFq{);RQC+xdCs-{d$RkUxER zRH|NizZHSc^t|RpwUGO_GOTYI4=$&~oOC-(XGPh)U3RetZe$aFJf6wTlryZIb(uU6 zwOkEMZ8tJ*eyqM<5w`5~*tRz3?E+rkw$r=67QY(to<>uzO^>r_dzz+)%{jYz4Nh*I zzv?CylU}`ZQ?zeI|3<41Os;h^-0ZYXe9hbz+Sc;e&6~+QKfNTW@2&7WBwT#WkKlH9 zyB}3e*7$Y@(lzfL5pMVXE0AIE-ix)a(YKoX7+1he&1!P6ZGIftQ{S!IRqd6!=p*#n zqOkYxitGFr+KcD1aIozRxwW@R;B_l3p^32!>^d;Ju5x`j>rR&UwG2~D@wQn#SM$3< zy54d>5>wZE*sk8yEc7}EWE5}Q^>wK|&s}#6*-NH$yXyJQ-M>Vw_i6z1KaY7HKmA;m zj}AY4pLM)h?WVPB*=Key=2Qt@)-`+OcUe1(i^1E`?7J;LwbeEeG+iG%i%4sFjdD$= zxB=!W^u(g)#3m@1oj{a>bECc(3s>Mi>-VgEcE~4J! 
zKK-MBK8aKE{$m=yiiRI^w~SsD_~g>pS$HwL2rLoPK*}(Tr&=G4l;=WB+O0FAt5f=a zE90g##VQ{yO9fUpC$E`Kv82(B+Dr$YdGK&o$u)V*4Fm`rU^yvPl9VT$p!;ech_Fll zlr1PC2QSWRiRZKS;`#>qg%cZ>t37(ubH|<7*~Tg?tMEl-6(%x?i@4*o)k7jrAEL}hRKv!Oy3^a zuHe`2_6Y0F?K7q*C)Y|wC%rzCk+O*5$umI|rvKS~h+q4{FI6`4`Z%#(HHO{Q90 zd&x=Y-8g0={6A*yQcQ4yf_T_Tg;t1aYlJzDR2Nk<41<{k42vO^^(=i>iZDIN16*=PMr|`3-ifllk$rXKiWvIQsXARK$Hd2TYv*hu=}*5yoWP# zfXnVsYUex>t^U^Z2??+XZkHHT&XxNO?m5Z407NxzeQf(*e8*$8g%G)ubNo$GF5Oy`rIOe zR4T^N5kos92RUurY%rCne#e!ciln43!HM~@*pW1+Ox^p%W-pNl9EcdkT@0;vK$5*% zMsU(>0xUJ}}4K+Jz25OcYViVQdb=(8RH=7)!NofH{Tg z_lZr1vyzBrqJ(MFOv+R0w@!|N4_F|l>rBcsCFzZyA(3>G{$f`69j==NVH9|X6QE6c z_|B zyD(#+NSSu^pkcn{hB)z2R_JUb22bEuXNEl$cRCy$7*k}uP63#R@zJSV5KW9xM`ZBO z5VMoY{8QBy5u}&^afDc6{Slc+0R9re@}Y)NSV7=uAIQvVT^*~hI2OuXh6(W~aY&Ge zjA0lWEL~C!`>hS@>a42)owkikfagpUS*`P$s*Wu=R>^Xj#c9{vzQ;3~XVH zb8f##XgGEYm0y?gIW?0#{CD$evvW5!6}LgQ%kxY`fv31>=Mq)ipy|lVUV}EFFfOQ| zldSxI&9cl#zWWCMdr*AQ8o+WN@Mf+s5m*1*$ z^l9U%>iwH4G`P_njQPZs$(vK2Eo`^?_B61Y+kH35>3gj*s|SMTv{cbpw`=o8d8rx zQ+F7B;3wq4p%!KJ%Q;f{K82-O_*5Bi~0Kq>&W9gC6-@vx`)c+-T!nXF)CJB&T?Dx$1T>Cf@ zVn4-m7W%5b+tI%*bJ;KjMG0{K^14P^A0OPQEugP>ktj{x(QSIymAD$U<-J}@_UAvR z_CM0Le>Lnny9(1h;b&ak`Fi>R*Ber*o5ET{{rG|N!vSX-<83f5<}?kx_XkE;0k6&@Po1ac+x^P1eB;xO z-KIp&#+5tL{20QdjpvTix7B~2d-b7+;X~zRG}${1)OQB9`a6ChfzC_;^~FALzmiIp zH7EfmfKtZxui%?{w$DAxMxgdb?MLa|^nETQ70brMf~txN&UZ%q<2xg+TDu-;XELD( zMSUFRiDMutQw-H+q}sjbF`!~HiIOH+b)1p4|0^EVx<)XZFXmCyv1o$0N=spb=A^}l>Z58Aq_tZ- zHa6};41#*8p#Vdrb5aUkcnxWHnC`OqPrYESZ$L#tp>SK6UIn&Bfuh4H#>JLWU2xz} znrg8;Mwt@Mc%iF$zpv&zM|JuE}V4DO6+ z6%lL^L{PR&(GT)-f2C;f^=_tkTshMD+SLxFMk{lzwAm6FSc*1yC<^?!TVj>qbqFO; z>d5Oiaen%6m1!`V=y~C!?6U1~gJPQ>a4hta_zU^QCK))vH?ODaX(Yv6>G>tswu;Rv zp~56pL9jOL&7#FfOW6$!kD|KsBUY9cY*sK33Qnhfpty)0tdsA{!qzM^rj&)h^`rBL z(rifS8xB^Nt2k`T(DM$Qn(GwnCx;pAsbI!aC`b!*gD(A&CEk^|sd+q?VMI_XWJ1X7@9QrQzT4aI2Abj&G{J}+>k>j(FLcc7@Zqv$U5Vij1ka!&eK9w0;T7sNP zpJ=VIA!^U@PiuhC+OB)Yf?BFe#nMQSNVUn1`S`d z$;5JHJOgZy77fBIj7wwW%};VeGa9n(&*iYHPGMTUn&g@nrSjP_uB_EBXQokXwCsJ8 
zEkLnk(PH#xq>qV_0my;nWrKkU2tdoT^4s*gW=s0*vdBhJNE>zQ~Gr;6)}7A zjwFJyk?-zWCdM;HJym`bDupWcPGnuNd1Kx80G3#kV`ZH8D)Qo&#KIC1(j z)a7qV{1k68XxeDh)zBbZv06S{xMah8c!-zCH5rj;{A2zl%fMKbwlp2CPx;Qw#$jLT zww{`VR8);{hL&qZ0$&NLP3P7Rr92SMA%-kdlwC0=F-_##KSA?vg7iyh>oC`7BBRxi z>l_GZw+|Rxr$#bt)p<%s^l7YtLt_L#KZ$k=Zz6Q}C%Y3DnM(#ytcdN9WgCusAn*PT zaUBedt3WEAyRfLvhWkY3dn{$;fh^d(T7+w6lq{dqWgaFeDKzk^EGT$p9m^!M6i`CD z3`CQ9EKzGe;u&&p81TH7LZ(PO1WF;vyCp8N%bd{)EzWBA)g)xs=VHI7|7S!15wS$( zzHQ~3|FM;aif4~|{D4w{-~EDnE;OG%KA=7+f&Hl}U)O1v_XvIK z=1QMky(CWKGUX;##(#zP?P1ZqxGRiym*mVldkr`o<&Eg~xhbJ9z#Ak#Sa|Du0%*J! zwp=YPqkZl@-Mkp^bvLQSufg0}_VH`j*|_GvyMgW8cB^sHGNkHtS(f09xV8#QUfJZ} z`@6kzeBZUzasC$o^jHCV?z%VAm)`;XiwR$F!Ek-u0>iQPi|6oo8M0Q-TkI`QlTyIt z00jWJ+=e=5{BpRr&1r1vp8xv*o=Q`c>-pE=VSn;^EHBP|GIh&+F!EWYTP$5uU9awZ z{Xj0YdoSV}PGPtU-eQ{t;$mkie>c_`*A0Sae{&;oFo>~M+2pnvzVV9D@zJ-vg>q?) zwkmnI&G~sdayW4m_r2C8?RsA!o^18beD-!<42g})Dczk(zaFoT`qgba+uJ$+V|CW& ze^@`a>-`8%@}}IeNLbaqnQMH%eyrwQB}r+2Zqu~aOU(wH1aux3j#4^p`k&OsAh`>e zOdquJHFqBmoUaO4YZDgqW^eoKklsIS+BleeeZh%0re?I>fg|ZPZZ}iXLpQP3+_v}H z)v>L6J;%ln@R|LFz7HL}yj>{3ba&L(x~ls~HZO^y?HU*C-Bt$fl>GfvXZna$!^XfTR9OSdlc%DDGx@EiW8%me}UXEDgP1edYQf_RNPCjT;RmOe*E5QZy0BR^Sz#5ta5JHt|Uy{ zvL+qhio3A?GW)Pe2r=wYmBK8~D7X6_h?tu3lN?qxNE|;7+N+AlX*;D|MN1@vWBl=6 zX|#!=h<^`lx}z2frY@PXd?C-&vny6LAX-1&LU@n}t_W;2)B>@(0IwCct&|K3I~azJ zxkA}jmmo={xZlb__CEGkr1Y>7NfS66^r8~Axoe|Uhf$vJ1znZ_ML??CC` z8o4z$u{y5Vc{H_#3zr2IiH_r>M+>1`fb=N2Vx1_&bde_g5iY*BO4=G3%{W!s5M;`t z#G29)v<#6(rL-QkawY3_VEV;lM#z}*hM>@(ZCd=4>xlYcp5*^KLIv9%5P3zBJFrfgc?a)`Kgzd1rZ1oPE4ou z2wVhaw!H~brI6bu=6n=evLx8a69yP@!hq6;yn2EqP}`}OdQu7YzYBgQGdH;O=-e=hChj|DW1^4|3j>ego*yWBjF-_G%T;PT z*!ufQ@W~9uXr1iPVWg!i6mwuHa&G$tI`QunN@;A#LJ)@&Kl7bU>%-xZ9pT;B=&U#( zhilZU*q9?$A|JVwu)XQXx=pp-r$>MP5)Ar+>cvW{i>h z>C8VCk-%iL)}H1XCCaXR8rNoK`DXLj@oH0umh8=D+rlDEGyYvFGCA%49#^Mv0!-`1C_D*KEQV{cDi=)`fyu9a zb=uvpFdk*a8nH>i%b4o8SsTls(O`yNXvI&ZW>HP1Qk~4kQHaO)8vyxiNo;mb9NYj; zm!W_vOjMzw(Ok>%0OykR5*-MCL+_ez7?F}5-VlNkKfHu_ia8yDWRcHLJj 
zFGe}+lqcpzAyh$6U&=L7gq4xxCv||P2_}4&Byi4zy$w%9%1JkG#<~e9>H|HRzhq~H zo^G?@lseY$(Hv1SstQeDV)dge9#y!)%9KTK>DT2>U7lHnhEPN+lraKG$Fc#+}a%`@+I zhs_86@@m%d19DqvB0hLbfrnaAP>7FwX-k$0sX?w^-6}#&nMh=fG8DYFx>zMRlcM!k zVdexy01FuF#9hZuOLrjZzz+>k~$jUTpb42?z5mlJdm&Ct~eD~$>=B0`|~ zZH)o8^vI)cOBsO--zqbY&~HsfeKsrJI96^+9<_&T#F=A_L#RlM?`ec zaggzbz<^R29c7ZXUNib1L9IG3d)Zn0dj5h^m*~U0VBw`5R4_6L5L%cPIZ~LX$r~4tv~9 zgNv(WYQ7sYD|24MA7+lVpZqW&k@WqiM`&B!*7p3PFf#sivbLasIj?@y^xLt1zaf18I}S9^hmSN`62QV%5^Pbamfx#Hf&cQ1*o zcc6?|<>PYARGg&+GmI?yGIqQsU!o1PbXL zD>9)R}{V(19g!-}pa^mHr1A8N1+&?7BS#fS- z?g>>4sw^@(Cs+agJ*e85<8lMk&wTsqC7)8d1F-mN;bIw3QkKojy>dxQqo01BzRpFg-BK5}rpR z2uysqB~kb(hl1#mFdn2-=|MxM z@N$raNo%eGm7MG{^$)xE{MUnj@5~A$^{EP)Dg;u$>=z< zal(+%^2a;Ay5TNPqR5|RP^+8f*mEtOJ9?8dQP2zFVyCBMnn=rSIgnR8m9<09@p z-EETN415&U`-j0Bo|zawaeuI|-jb>8ca={1tc1p<9mKbhomgHWW?~8_i&4Hp#ci?j zkrSl_uYT2r4-2WJSzu*qm>_Ccuf(919!qwP9Ca_3bIy8@cjWE zzs?%bbNWB$4s!!3Q=7SBeul$KgP8mw8*QUd-F$UZo0AsdXh3J96|!Rb7gxkwgE$lp zSCNfuj@lMez@!*P293Sc#Wh8KCg{CSduf-=6xqz9Tz!~aGm zCP&l6gV$g?C*|!|u~+Q5SzeO$8wuJ4X7sK{2?ob(ItQMX!Su07%KE2DrcO1_8A2Lz z#ZT%*Fc`vF45~zSahSO2wQM7PV`RaodvR57jfzyM#&gL_7i5aam$qe^XuNWq!s3xM zmj|xx0!w4~$|W{)EJ`X5gFno%dna#5 znEox_A+)!CP~e281vLTmyi1#-Ma;RQkEz!#teouS&ofJ<=*CDv_5`WIVig*gJgT2y z0PJDa_9PBtK9#z(3*JkUo{YqGH4bAfXtiQ~%n72Awrn+eiSY_8IWZV2qNW~DwqI=J zqL(JD4a&M4xuV%7ghhpQVVkcMY>~K5c&U_4hbNWD$-#Unww@+xjp(IwtmENOK4f*` z)3G%!*|MdYGbj&&kw!CE?n8K*C6iR!tgOWm<_7$Ye9~z@L(Dt1IFn*2qBH-!fn2$~ zW^Li1(s0%M5bEH;7c*feG(N!jjp@22Ql&$0;NdW2-OaVE5FO4(#SDhnlHssy0pd3o zgph>=lOb$IrdN}ylq5T66{NCG3HK=rni~yk1La(ReVlHX^Pd6a1Rp{6k$T8Y{{raC z`KGNc9je3OIv`d?rO-FH`mv#zx zv6uYjDP7dg`v^Z9d>$J+E4+ z7}w>w8izsPx4$KG#ZT(-)c+$4xKOS$WAAt&kgE5ww&(8!EQ%rIZb_K1)A$(d25bY~ zRjzDI4{yA`{v{9GmhLv}$!EWWn4*hnIQGMBUO8@7`gd*4oX-aX^*8F=IS z&m*2+dd!%vfBw$qWS)T#;B!CSKdQWNUUS@iVkquA*{QG90zQ1xpMUh&zok&F(r0J% z)xGu}#v_en_IiKwl(}iIn%;s#u5E;Jn-um!N%i@z;0@lR|78?s{x$u-nS^9&FF3(R<*wB9q)(U>#JtTeq9qWwE}M^ zxC8>Pb>9}Vi~*3-#Ow=5v%hQrnVWRT(Eh#Ip1q7yp8SQDMtt4>y8qsHE&c94 
zN^uqZDY|Thx&|0)fEG~)0FKb$MTk+Sa;j@~SrkYOuCo}&WK+7J{Lbb?j32_y5j3v$ z1^?9SH7w=ObbjGe&UtZFJrvj^$lhHt^L9t-jiurR9HC2Maig_;=OuLbrZqO#i7^44iE4u6`(K)TiPIn|33V3mq2ln%-A=c}+UU#N|**gnh!|jpIvU#M3MzB??bc(0)R49ZQJ%hA$pt#aofK_9G~@$LI04i#KRSC{p)q z{FJV?t0XUSUU#efJ1oyxi^iv3(>P5mfXthsDLppb2eNkB8?X7RH9{@8UxGSE5WQ(b zZW3l%)*xQ3_F>s#i5e$TRQ`;Frse%YQg}*g5&x8)1>68%^u_6Gu(+{9E$_2Nx+KW~ zZBR)m(vDYd>D=|Zjk>T4g04Zdm~Koo7iLo}DXnPRO$j%qNUH!b+8V5sLd;+Cm=&MZ znA>l+mKR5dV13{rumb8PKw-tzwTwk552D8uE+(Q-6vsNCBnB#A*=EjBh|MG4V3k|~ zC8>$BB^@+^ywS{=57x6>1R=;wFMj~wNOe{Iq-GKKmLEErtbY=yE~XbSc&yj0&_x=w^RzV>o#0!N!CLX zj6+Frt?u>IC!Q1~a+-WOYlldc@L}0m&819wYLde=reww)vHK`%;wB8o+;B*%;u0*` z_b^3Rq0xrCz9Wv;)>kl>A;8nkPg zu%mMdM^bXTyotJ4QyX#}!)oFk$2(OiP}sVnKA@^{uM(CiVa^3HCp5iCo2^v_H>qO} zrmG>hhWWCrk3q6o7o8uMNs*Pakp4m*2SRcTUjVP>`cUG8ho zu?`&aPb>$v197*{TcZQdRB0ts%VT+)U0};mbr+61b;XsTq%g6E(oOV0f?a5>3eh&i z;}a8M>zooWU~nWm7TM+F!WZT+QH`U1GYQO^H|7YJa!V12#<*4Q9=ybAT0ejZS9@fr zP7N;?nZ|5*?T&+H*-F@U%^f#EOKnK0!qY6;hoH;oFjhW^bdQ;4a!j38C9qlY&67#X zwNVySOLwpu(oKV*W}KjVwF`tIQ`6@U5m^PzhernLAB8}A|hQwNHWAFCWp zX8*HOQB(Qtm`Nq@gG)Qwt0A_uU#hyi3BO<3#Ve?ypNSkHt&BtKECpJ zTRd=$<)8OGF;VllXsWJN-tm3bc4v4j^{my|-a6~(cGL20q~~mB-ZEd|9v(kmjXZum zaV6l|-aZ_I^Xq=ZA5%LX!1SZ0|J=7!Cz`Z?^>R(ht(t||jbr@mC)8FlJW2NJwA?S#e)0uItABM}Mz+=lPp!YSH_mPv&bN}i zOt0FtA3kKt>jroFl@8E1rfNTA6x7~V6EgfZ@bf>Z;S6HG_IM6xt?|D;-Nm0GDcyEG z+q%5sy$^y~(YQ|eH}!pji|06*^-YjL+1&4)bZsM!mH+fyxdKm4S&N}5D#v+b`BFY5n>DI{|8 zIWJsDU{pJvziC&YoP6E%X{YW!TqpxJA4oq>MdbP3H&Va4CQ&G}yFTon_#K|Zaw%`n z)cqWLoNl_V0TZ95neF#Tz0M)8=XB2t^%E%S+kR5TLIAe*hn!bje9!j{>#O>G7zKVh z!cW;%?*sdLVB#v!b_Cd)@x9lMn(~@mI&)B_8URuDA!(QvL{*&TFrRb%J-=o-=luoN z!?X0PFj28w9Y0I!xxNmt=htWsQT6beMSKIuOVb-cFzXKMsEwL}M}n5*et=V7B=d$3 zDAB{`^9Ykunu+Vp#7^=rCt5GcMk%ob(I}GAArO(4{R(jwSsFi6Dk!;;^CfE9H=1g- zl9Y*frwd2cqUP;J&6YfdD%6Uxbmlu-4QpC)#m_s!gsWowscc#wtz1??>*lG0aZ#ja z`M4RskcV5oFS*1_$y=3|Q~1o}%tj_-5+ND=S_gytsMs@ZR;RN;zmfE3rM2IVL*e*$ zMV56bHZgUu&Qj*FyLiD7m#G2+3;Y`RCsp7azm*brNx2(xpdzt8-8wo4EqqwaAC0E4 
zwk;xMj6D}*k-3M4WfW66tQA#lg1~qzOC>bQ&FmboKJvwn#797U@Hv{6ScSNP`IK~s zQ+BjEg9hkuM>Gaa10M3s92I-?NZo{FvkoaGx>wuJ(hfsxr~yY2><3DlR*g%Hq*Ja+ zp*$8}RPtt~hJTLOaJn#xNs78x<`6ZNDYR~fKYpyB)yHP%`oXcNVpvPjWlq7d%ZOH< zBBPVFZIsKM33nHrp`5EHIwf$P8WJsM{#=39$cDCAIf8V>!~{iP6`Dy_ET}Q0QN@F2 z(NJo1@hmHXC&74yA*R*>5R;x7)k7J&Wh)C~FQOo>HoLK^LP|TbGNCyxg1rw4>n&8= zq7E~In zP{5!qW>f{<*S__-YDZ!si^1AG)-bg1Z{-uXIi;U(qLlJ;(V151~Sjgg>)rB3#$N25h4X<;Xs@sxsL5K z^Bd*gX#l_CY0;Y?6#alFb0-kKQ^^v&=reqivZnUwmeJ&i9KgOfK zq)`^H>O|(;`1Y)&P?f=Jn9F#(ap)>Agd1lxBCwc$q?)EQCbwXap$hf{uYBWbCE(F? z@L{YMsi9(->nCEmh5m%F9&6ap>V)C{5DCKG7Z1*RHzv*7GOL}#@iZkWX)wqtcaQx2 z*8458gdZosI(NdqvC8WEeU>69-63~*8 z-uP!A`ILgt-ATXYEeucD`@Sz&FZELXo~GzyK;wY;dcWed-|@Njoh6-ImEd`Po@od2 ze(u8lG&+VBt5B09xU4VD7?x)E`_<4I`j+T_mcG$e{9RL|8;1pVPK=BpPb zGqA{PymgPV9F!YMLUqPU_@ib}SWp{+1(VFNPrkDuiC)y}cO<>)GH_)!(aObpJx8nJ`l;jPP|5qs z_hFcqFXuGN@zRp^dFSIxhH&@koRG11qEOrZDeI+Q>vS0th7gWX5BM3(xam9^lCgv@ zarZ%*Y2VG`W_EH!ujlPPPOB#1w}Zq99;;WZ?A@(Em)P|>zI5^Ta_V@e>biMs73p)D zQ2%DK(Y_*?f4{M2?EOsgZw4-@`FbkPe62s-H|ZkPT((^DuQIk8sdm_%dQ#FiUKD@lTCdS2 zvz>=q6!5J;CwpHCcS^MJ8U|4R`fcd8>b<=C-c~kjUaA(^rF#!ucG5jsFucCgbB3)l z=6)$#1pf^igkrQ}%FK2j?uRnB=lkc*`zO}Jyz>ztz`WW4OpV&{j(QVl9e5ljY@N;Y z9_I-A-Abt1=~{Uwb2Dge)3S*emE}6Dq(F3X?R)^^UhOJtT3p&r+JccAVK0io;qNj* z`H*1W<+|iKsRRebyX$j5{9UJV(r%h%k&Q6B4eohf{Jz5PBWGN$@B}zZzTS1ciF42P zmG`a9M)b|=_(ovSt7#&6PvHK-?e;w;z?}BF8#(uHImrNcfkL~L(cceM-d1FOv48o) zz4uOE0Pka>zcI!}n3iiv*J;2s5l<4M_5%1>;P6H51)!aA3s`!aeNPw{h~6TQo&%-x zl=kB>_buo}VO*#yIz#GclSvMlZ60FbB7BhLj>r(X!UpU6Qbr{CX!dd2FG?5YA(sw} zb0P9YJcFXl@>}vK4hiWE`3>|PR$rpRGmYx=;R18zKU9x!+!Lu`#iD*$xI717C-TuQ z!nLU+NCc`B2qsu9mlUCFr4gOH<0yQ6ftN+%R1ps@4&Yj#$ovY3v~M*cl<*GRcU~HCm}3)Zcti8R7<5;mbr^R>JT>@ zNw-Sa{Q)H5+dc?usAPr;s<`djz!EM!c}RPRs3ugA83hXRI#G4M?M}9Q?U<_%DD4q}6%ujYqRE?RPAnv~BZ&KD7xg3SBeTXh zv1z7IhiW~0_z?6{ewl!cbQ&5rss44$G=>&Mb)N;8V+`@xGzwCnbYd;Fk)7a1FvR`0 z3em#~1-&LBzx!La-!OjN7f*)lY5_Itz7K=n6zqhafC*NH1gIpAEYKhW0guedmWRkP zC%;WDqO*l?t>dxSh@rdyRJ5dp$kFs-R%t|0D%ptsPGo*3?Fp2@lCX{y+9pABNO-C2IDQ1 
zs$-x8$`E|k6pb|G+*s4eL>|aRr9D)5e>#j3Ekat04CkfOqgkSeP=Scyc$pk_!=x&Q zg8rdaV;^8A_nR6Ki>DKcCOdHwW`wDXq$A^s&4+L>I$|9L+p3il5%?t>%s1BVNVis^ zG{WDXO$J`VXR)bTy+%0?V#SIDh(1Try1y$&&Kx1C)(xxg5T+H!gz%zKBXu3cGr9x1 z0b6@(ftq<=_FZR3ci`dEXNuIx==kcAN4&weWrM;;0}cV-N)~#suhg?$15R3@AA7DV z+X^k4U<`5PBJTK;0>0NAX`(>#_O$Eg$Yt!I$2^4WkAmZ-C4zh$r3GAGk$;e{!f1R0ZWLoua-4p$vM~Z37N(J0)97ZMe`~2#BoETPa!PqQ@h|36NE{{(L#KCA!BdEOm+=>qb( zjfG_T!F_}kF#i-mNqhMgR$wr2ZWjzFRMLpu|DA%?dIY4}KTe?aZu?$M0_Y2^=^O`{ z4;KBMrpTYWoEK|3Wciuile^V>5AtJsuOOkWJhp=+wsCgw1zx5uLc(Zm+wLnRSkBc8 zFA{URK7abZSmsteGBBTG0b4Q&UX$A&gHyMf2t39M=Wt}Y`QQIoJTBS0H;uPnBRE%0 z>dR5NxBlIv)ajt=khL1%Hm}j|)7-3D8TV=W8ZUC&cY4s?n-O0eHj~ePz1^KriMS1r z3T5xtbRa+LIOT*{(#q$zeo*7-5=Fjd`wVccBWDQg!{%KYSGJeia-TKxe~9BcU2Z1? zx&hvf&T8Xy-iK0LmfTV=>o>CjeE&j&Q`&(&yW5F;XG?=KAKO`^u{zEx_=L7jQ@Ycs z{_M|}mkgP{%BSWEH671gas)bid6$7uSKI$~)RD%n-Ie4)6;Q9%uHVO6h7YcCI+t0N zxi?f(b+h#!4pRI_7rm_)E-LMHT*W-06kf-@v~$(4E?U%U9$zMEzu%1(<_G&1F!R0F z@a5#(-|Pd3i~ZfvNhG{+?!S8GKb6noNWn5myhw)hb@p{1@(%RD{DhiBhcgaAFAcL{ zC4*nJRQ^yQ zK=8$+PBGN2F_VU_;c#kLPU?cx1@$tHzR@jMI2+XCVa`IQ9`K*Hw~Upm>v?@-)vU zR-_xH_49Mal{i z6^hw9m}VRycc;ucofNTtH?O?`}GaZDblc>`u?TMe#-sPzV$Kfk6{ALwW+U26(gO=V~)2q!F6pmSROIenD!J3 z3{aw~aS&H?4Lk4(Udpb}z3N97YHfGa$4~LG6>jbG;YA6zD~EhQl`4#75zU|r%2u15 zS^JlVbu6h76kkJ~#dTkq3!Dtg4n|K)Hy1-vE7(OojsTQ?qi}+YR5wI09o< zum)jy-$N3+DAQe+@tme+fDF1#!B`BeU#V^5VsKizeQR#2VH=~AvL03&K27zLm`11> zELy`gVhqA5IO0NOH^4~)s+iTF@YtP|JXShtTbdCmF&pQAlJbB?(9=g)qC--omI$(9 z-7M2_)Sz82rQ?Tn{O?7?vp_7pK-qRZ^O92XSx(+UutOPwbZ02KzfYsZJ%Gf;C-W~- z38yoe&(e={paWgfxvaiA(Xykc>6bXbvrORgUB;L>DPoN%*flIhFVmlM55=pRm4eCXfHV{nB|tJ|OksJ~-rz(tX00iLUShc7!41Z}a+6^RRP(ktt*eoDeg%eYksOGO>-IPt$r&mUTS_}4> zg^-Jr?a~YX88NGd_=H;qo|!OWk^Q3hS-r+ojge4Q)H`R3hzd@{J)xFKX1#0;t$Owze3RZN%k4EH1hR+~{HHS1u`(Mbd%t7=XmV zIxypCcdN_ilN5@q&2yi?FXTbVDMV0joUZM72J`B%2Ui_AZ|i+$szae>U8q4#-`}ca zPe9_z&9;5qD=POc3)3tHbHh8%+mF@0CM+n&-{98&-HyJ{zQgvK14)4+d#ipIzPZ}tuXC;N5-Z4_TeC+G9Psdaueh`M20X38n#DYunRNrK z^Z5IiSA2{-1G3oMJydo4lG|0*KLaSRd%Ko7wg?86F_%xW+nZgM>hd~H-+LG<3A)Ed 
z1iuz5s<;FhtdY&M}KOaO&-}K@GJpsI6}E zBxiT)vMsOMsIF)IA*(H}8?bG-I9fv4pIX>-cy_NdLJ;J*yvX5HEe}zaXG# z@eIRx`FygAM*`TNRoE*t&*0(p4DD1V+j9X<5ePeP_ZI~{>~bWYcaI}SMis6* z6YO@H?g&@Bp!H5)>N2*J87o(FoLqlbJ58Gz?0o^#UV(K-dH$6^T)qQA(48@lW&iGT zWc;>|LH>CiBPm|l;8^gojfGS_l7+?_KHC^uHsiB|IF6q3YqnA7O6C(PmjF!NEK1iX z^9V5ohE-h?Tj_P?v(C`}1BY|sF2}Ivdz>;V#lx9Wh8P7EI+#{U*j5=4S)*(kdyJBM zZ}nPDK5^B4yfNUOKhX61y8K^P^rOAA6XaQzjZdiWiLw&%10MfMX%p0HSJ}Z|Ob`gn z1dnhd=n%(P^Uib9%;!W=b3 zDUnJgiLc;08P{)A=xH6t-qi3()d}zh;Z6;Nadkb5W2aw&Iu=%*yA^>~L@IXP{LRa> zlqJb3ge6{F(5Ibb7GJ^ZXaflg78r*OxfhG2vgnkW%g~TC1C7YkL>@xuAIf$=-ER{W zPuW8=;%m8kzt1^TOp$pOVDZY&gFZ|bx6~yB`=#EkQ}3K*vI%x8moM2w2i zh4k-gmOL3Y7^1_&i9(>1oA@G(n#p}0g8+d1;3!cnG^da2E$#xfVz2B1buo|jdko6~ z8j)<_CVP_533<=8;oQqU+qiULPcV~!pguH%BjGLwm9K=B0H}0+w zcmxOn36Z9o5C&>&tgHz`Llx&>6q$SMu58LiCpc{LQ-YlMb^(*-h=z;h7MJ{%Z__3s zsMg8s>-27?bbJk2Be|>O{5sZM^3>;=5E^Km8A_@g#!l6o+w#kzn`b7qtkTbm@c*ie zXsPZXLM88+Ib@3w{>ZXSNjAOXUG1M!F)e}VRC8%lv*&0vAX8lhSaYiC42d-BLk!j; zo}bD0LRE|urr{n!{?TAXz{4@$6c@NhjUXBM4O6Jwd}wI){)rVD(WF1X8s$lIVj9>i zqrGgzDeP)(I|XMGR}O1X^emCxw>w$?;=Z@cibKR!vx1ZrBc1l0LQ~>O&c27ms&E7ipKur)~Wr|})lNwFB^;UYXBFyR6~SSX(XB-7 zP%_}avrbZF)Xp#Q)1}z*)D9s4I-rIgJ2oF=%w)hH*S6)dP)NFyj#lFP&r}M796;#bq)0Tb1T~A{}h0 zlQ6TKggivp)9X&YLG(8i*|E4@N!81SPg(6B!xo%BzpBoYf5Ffx7(<{v5lvl{wrk@^ zP83-TN`Bvm1f`Km3GmK{fg?3a=iANyAg2uDAC1j%<5yu}^HTg7S-((;zBn@B5Pz8^ zwD1>FAH|i|n42Ium?5L2hi$x(Alm|==D8mBBO`MWbIq|v38G8_1re8ieoq)mjXoP9 zFy17SPaV}9%~CwU?EemcAi;yiY+uZi;IQo1EGLVA0r27Ot}N%{rVc2~1RGf9A77^k z3>w%SeJA`b?tmpxQMU}da&dncVc35B*xZg5uxq`MUCmkoNyTO0U#Xoxv9Iv_TP`!V?-_H2`#Q!vE@ZzYPOWUgdK!CD$+jad5H-xa;Zl5!yf1{hx@%YjvhaqUWiTNz(lu&XF*R8>!fNG zULLXM&-D(Q?KRM%ze& zHX%XBP8>n|Z4qXXZ4397lC{CJn_JJpx6imTJ-4mJ(TejNN`k#hSHnu@cNu%THo%d0 zWQMn(wrdJuuftz3bHTPp9J{^lE<&wWQ$I#P3q8PPw#c3Te#hVd*w+Qby?X=LgHpgi z6n!ZmOgyX=K;CiL)&?*q^Jc0146&IS*Qf>tg1v#5e2CqicS6Kmf@=rB*rP6;=2zSx z3!F00_)m>u>liT({8KQ;%7u`46wNCY^E@Q-4u{N-vx#YfU7YaR?NzLM;6ai=QEF;?K6#idxUsnH9Y5ICKrzfT32@5mo(23x$J) 
zsx^d5_JpBS-oZdB8$stD(LobVKyhbIVxo#{ImThK_97|t;9`(ds{}`tyz{<@hj?Rf zez1it08(c_o@v}qI4`YNy z$qo@d8^anYg(8Z@&GG~Z36{KxhCfNyO!S3d(5l495Q+1&YEjg&4b>bu3+VDfZ=DIL zKi1K!MEf$8b)1M(;estCM8rqw!RRjX#g+{F=}_`d(Q9J=zS8pyFl~!dP(69FilZ*) zn+>tBOAnn@ny})-59!g^HxpG|rBX@?5L+?zAJG~IF?@(Y5h&oV$)qT=+%V;2tINR}=H~eKvU)XuMRTEp()sJNMK+bKl=QFOa>VIX=&20# z+-)jKrJd@`Ly#lM&{8YCu+yS`{49DXUo4an8YiMHEQw28EZad;v)>}^>ilYX?`r_X zZT|k!3nxz&Z{%;%ebxFx0&G`-2n<<+d2^>{>l>gDqR(s2o%=50Aup=u6dJ#9HuM`pF!3|Ch0U{UCYV@Zo&hB@>@ zR}DF_5*_s>n<3f+znFBVe-t7*s#Dljgt#av-y_IOJxXBv>RLBj5*Z{cqinKuX3mO& z+Ea)GA*`($z6GHrCx&EFrH5C=V^e0KfOoN}hK3r*+-7EC>1eq^2RCFRP?P^HWS+N6 z{4(*%2IG~Yn&w8!CHldz8w0h|{{)W|Ia;u*D$IualD{8ZQ7pZU_j9~`)dsFS%V}fh z=a6yG)RJ5#K`N^hoRbz8dBYn?rRf7+aZ(8tf?B?~CW7*x-TNaL*mhYOa19TF(2m*n zz9UmaK;t{%zTiinT>3ob60jKO!SIx}OEEzyfN}GpObemN#_lIEbE-@UZOQyFA!m>F z;Q1eVT!@zW^lDaHO0aPJ0u~0Y9{p0~Yt4L|zOBp0xspwegq2V!xDTT|Q|{ zG{sW}fdlIj>o5NQGamfy^SMHOXuqJcw16KJqbHzHP4*psK)HP&a4zCU0#U=;=E-Lq zAm}p(NW}C>e@lo)A!XzT$9sSAI*VEwMh4$zE}F&GQAa&mmHR z=8WGrZQQTWFNy^=0ILo_Y2bWj*x)s*j3zN?Z)26&E-Q6ru*jppPZ8!QyRFZ z1b6!_xwqTymUebAK;_tnOiumM=w;puy^sG<$gzOqN-8aWHN9A!>sr`D^kp7p)GLU} z2h-U0E;s_kk8HOnWR~PP&u-dR-v=R}c|E_~I(N7lZ0Hym-PO4JTtv(tDA=Fn`VH8h z?{@k3?RN3jqW#@+-2OFFg6VY{-BdSa#c3-$-Ez(Cv#xPcZIw7#*E?p+2|UxNd-VG} zIc{>l0rqRz<9U1-ujVE19#tN^vAaFXx1SGUMq>7Qe<8G;baVQxY?)c!3YLcfZ=<%y z@^nAKc9PaY+MMd_eMbj6Lfk;YJaCL43&#_Q9gS6A|0K?UlapNELp_-L{1=Y*1D+T5 z+V#tF9Re<=iX3(7TJ{$WU;^I*rT3S~RZEmJf!4n0SI%D37x`+I@4-XVm&+HG&++RQ zu(;Kat`?16ng5id>}9;t-R5b9o_C0{XG7O5qNjHKIHwO(?cogMyaz3hvLk@I!>^Q| zP>0&$wO{0Y`2hN7LeqUpwANfjK8m~LuM-dm`-1rVG)fj41w75WL(rbQE_X`aSqnxb z>p<7>dzXHG=r1Y=Ay_aaG3Tvt*@>5ig7d(h$Z15O^=of^5h?E?v?Up&b{JJw)?~tl zpjak4()govZ(OxmBvAR;?RF4%tO7mlsi1{09B4W<@R)0Dh zTNt@ehzv<9Gl;N};9pURNkRUgTKvYJL_HRnS$0~; zFoh>vhOYV?Rz<>r;YSt39C+w5@iN=E^pCsZoAg9!%;<=`nzirzD6}Dl%bbwxAMrNv{xXZEVC)wx-DK=Hs%ft zK@-x97iLH-8yYx!C95i!3?Re&WUg~TG0R{sLDN}cniHq1E@+hYeAhN|lm0uYZu60D zX&GXr?ZS`p{Ay=BH}jV~b~-YEwP6o!PwAZr4~L&CC+Bdfy~sa@UDN`AV^j@7V7WKf 
z>CZ%zNuZ8(_^uXED;|WvpXMM09ye-;pRL4)mI41+5(&f1kW5vXX#MWzzSQ(%q(u66 z?v*BfGW+t`Kyg9D)skH1KC59{sx`&^# zD}tO@ww=*dT1jtACBCN8R)Xp;p>l{$dT%Ub=m>DO>t$R|Inr@E>`1P74JIkMN4V)V zb(b=MKb;Bl_MPc;mJe+jix6-W6k;mn)-n1O3zA^Pv&T6$X*3?8C1bH>$i+0P)>1Sy zhw$sRnUZC*$A;F4H3>2KsqBeEQdFM5`0y@p;4!}q9(wvvDeRWDOhLDN22h(VVH^}$ zU}z*Fj&|Ut8=(K92KXDon~WncKiT0 zRf@bobeO`Ga9Taq8Il!)kT%4S19hw^o?>XYd(r+ zK8Ut?q#$RkYqQiWSK;9M?t_hUf}%>28sGYRIdr{&ZSPfcEGt#$tr^eF1?}FnN&R0- z=-i%A4M|l_gC@R)cQc12m_q@Ku+*yPdiJ8kVRsx%>(a}ZV=1d+yp#fB6Lub{ zSFI{$7m8|O3cx|Rjt%!atc!P%i?Bvigh`DVO z&VbJ`(X$`3shBkm!+pE{iatE74 zbvMs|d&;ezg_{+{R_(9)py&IQ&C|fRD~S#HZ8soAUdQDm=fJ4aS+yZi_z8V~+=r%Iag_JeIJgcg~}s$-nmy zvELhMkoL-L4*X_2uiLr<)sCnMFfhya5vG6k+BOPx0(3cDkk|%{U76J|r=ckH3f}c# zYOGrk+t)1@m2vjEy4{^?#CCm>eC!>)eC&vgEV_@MUhKFCrf2=K11E5rYJ6P$p#Lgv zQuMGC_4DcPRBQl(y#hv9x+cZz#QILVJPtzP+;Vi?2La!nj(fVGPT#A19dg?my2;uP zVf*;*f@w88E&2v|+Uy$sfGVT&Ql5Q$cVt%WoQj6Q3H1VdeBO83uKkud`e-h%Y;zvsn+j(r+==adhxy&+(A{fZ0RmIjpCgp9H{6FaG38!QOGkb^*9x=KDXEuqNq`a9 zgPUDnzk>ED-NU_-MDILDu|uEsBfG~$s4bU4Daw4owYL?_fddU6AgC%fE%vC_9eF;y z&i5*18OcXz%S$!a`4$<lf1bOW z{&S$;EgI-gdXRTVID*q~>0S#k&%B*J!Et==2=H|U-U*xtF3yhMZ-Wal$28l~@#K zTIE&UvJpOpyTv?~BSM_(4(6j5{Sbn-KtsWSiE6xbk%(7(Zf^epWixB-vaP#F&eEV5 z`Dhe?A|Bbs23z^Zl1a6bhtK8kCsrn6NbnJ!8qLEtSR%2NiSuE&5~rZs!<>U^OeZ_> z`W3={bCSYil}|^KTY+|q_<>b}=J&u)stEt-FaKoS4Ad$LG!A8-EIW4@h;lXRPESL+ z!_e(ceaJS@m5E(24zrr$DLw7GONf=4w;!CSR8f=E_R*?HKN z*^Gup3+KW_LSg8OtYAI)_?vMer6bl2Y0c5c_=zydtkAnI=Y9M16LGXT;xq~|)=+Uw zHi=d64kFYl>@~7b+o%e1h~>33bImhNc5S(1vZ0b$Nb87AtPXnDEJ&ACP3~e9_nTp6 zLYx$~gv9E_v6(vwZ)9ohVGxD5b{hIVs8P zDgZ-lL4Lx_bQZ3N)TrCJsVpjJfZ%i-0HGt_mk8!T5l7yh@Xw8^25SGlc!IM6?ZtHk zW8jULLmsFXK7D*o#Jvc9tpcQG83O%WbaO|?_J9NW03gWS-OOKyD*B6Po$**}GYr+# z4Y~_q2H&W|Y3U4|(nf7$oYc_UUsj|pbGgs)Lt^&I5OE(;p=atP)%j^^zYIq@>VV#`tdVXwN{>-JM!7TI zhzSh0X#|6!VTkH9qE$wx!f)l7sa9jSfkXyACsJ#9ah{EAvBn11BGAWpmAg1ikAzaij5W_JLkZRI<@2ZlHmy+K$4gMe zmT)Bvqs%(F&=Mng8Xmh9;53W=VC0-mXmdRmn`ScY`OoNHoN?|!*T2>R| 
zOH@@y4s5&0*5Q2W)a4n0tmNXtse@*?w+@}4&=_=`62-hn7K1{&Cyo51Dh4TrXOC6T62BJ3EiX(oE8e<=)FEYS9Q(k z-m7>|u6(9BXs_SC-Hs|_0^L@fd;O2#W~z_O@%f;3kLGTCA4hq+a-H-&4!Teq?~%Xg z`o?<3bp2j~sxE!@9{So33*vJ9o`UphUkLMBCSg|ddY|s%X8Zu8#fck7Oy)%fK!>{= z`6<5VVZE%I&q-5^LBzGss|)!JizK*iL7Vzy-;+S@`?tqTXS*K$o*mPa-Kj3`j$PMQ zo)fRzVz|aWkF$gqd7hIsT#X&B_jL)GUeufR^HS>1Mqdp<`W&BqiXHv}gPfW?*X6zq z|5Ux>_8|+i9k>^R-c6xR7Ut0iEghgqUP(0XF}~CB7B9*+?X}?ImiJCkmwllg>&uq2 zo5>3Kj3yB2gW(yKLvt^&M4?ID?{1L4&DZtqDbM?MsH|4N=gTz~f5&B?29w}*69MS3 zp-;QB<^S)F7HE7%-YU4Y?XkyQHvMPD|MqNp4awTO_iN!7{_mn8)U>_^G5^=4@hJ7U zKBJPfQ~}K{w{B|;p38%QrnX^91DER*Z@SLAO4@EM;8kfCz)0i9n>HJ`qvqXHlKuIp zpq>qC3MtyT?$Ybs5n1~f!)vH%16bDC3qa}7^WPkk?|OW+ga8k6o{jrFyl10^QESuU zwR8kQs+Z=K)~xP6k95J_Vtj8NK(^a;hPS{y0Q>U{N$_R$6=;7A44qyAes+z5il4|A zESr110ZGO=1%nfdaqr(>XAh%3!+_UsaeQ(faxR&-6o=#ASAl=w{s~soOnlYvv3D`A zSsd+IK@m+`ZH~VoD8qr`dYy|oHdHRXGzbv9LP4k4QZ@2&s5p;XM*U#vkfwGlu4XZQ zgGu?lQ06H)I_Ff|gMJfdY6uL4X>_hN8EcMeP=s3C@K7PM(4=T7m}wUB%2|LaHf7~g z!X|zxy^vGW9U12#xOKIIY^mOUwRWKazQP(qF*WqHs3o{LUM2V4f!TKWVud2AmtH0_ zCAiy~Qb0j)y4B`G&04(lXfc2I1SvW`8m$*8nu=Cu$nmNEG=7$7D{14AolRy;bM6SL zm07YzCBsj&OC>Q%+Qz@^GA=0-mar9JnMOo3nyV5xFjBtsSjt=^Q+2%9V(gjKmErKQ z8&+HyuR77b{znZihRC8uUQ z)%)n}NTo^I%5X0E#uT3sX*c9nXbg!p$}H>*t@yNoRKBI@X_;^RQ^v3>^y4nr5(^mo z{azKiyme*T(sRb7ApIGcFxiZyYemY?LL)r8aoxI95J^q(MzevX(i;kr0$cM+ELP@? 
zvF&zckzafhGh&5je|_lEI+{CvL){b z{I`RDCQe8aRDvW`>Cofx-KyK4RMpNB6&uf!ROyTaK3(7YN`Q?}iqAJ9)yD`p9iX1O z8<3al?|+b&RqGoNnU_G-zNjW!2@1snp^D`H#qqQCdP=P}m_koltWxe`F`)pkvhR@$o8ec5Bg_V3I^nEtPpSlW^P-&=WZB}O zH}S!`KlvSG?ee7SuoI>VYGkIm#w0f?r~4qiJZelsF+7+!Ang%ajHR zWOgGyXjyXreGGVjQ`R%zRURGC}m1ONVJtaSy zocpi1(duuwj)J&cRdn*tcwA2}67wvy0JJ2Vv3*s&B7qB_*g zC`&ml_&)2uiG=t%7V2OSDpnY4(th0z&H=t{N#)uZfrKj71FpINNxU@glxRik*PzXG zMY4Jp(k)HZ5t=dODYr(phGrg3ou_c>f=k2c#6ER{-jyO?MH8T%PjO%|hvy25A4$kT z?J(!KU`oL_EL)(eZXth$oF8KJER@P#v3w`)JL8n?kof)G6ul@xSp08vSH;f> z5g1OeKpF`5uggb)Z)wstjn^yf$oQuaW_TGXJZj44%LJOjCV8d-j*R6(JoCNpD)Yb0lK&7a3R_Cke6crU2p ztXY$WTK^$K1uj;H_90yxLTftLD$;HNzet}^UW8xF2!AZ-L2i)VP>4;N`G3bd&>uuH z`_h8c$zM0P*m*B`zN@|EZy+-Hdyf9c-ydIUpHLqh??~)9Q)uGEYak1j%D;bdo@f6s z&XQVMM=|nbWS5eGi{hXxi}FX8f@T8J{K>o&6POcCWd& z+S@(mNWX^s=Gs5Y!gAAj{b#JQdYx89bao-OyaqYm#qV}FzwR=c)D7NV>HY6dUV>j@ zdtFl2c?12Q?M4~2KZ4n2=p3i?X&Em|{Cv;my#-v}!C&a#KBou3 z6|9^wfNUww&YL2kFdFUq1*RFxJewv|^+;P)t6YuNQY&0oNS2mz7Tl@UWVsC_D{nlO3 z6EJ|(w&OK~wDvx)kqhz@+g;C(TY{+Nw*f=mneBXCoU4T|=G2W#woZqGyVJzdkF1l# zn_R6iX?MH6OLW{mANRYnA|yVS*%1S;>}{X7PxZ8Jk1rUB)J4^^EoTB*e|Ww&^o~Xi zZ6|888jWNGnOQrZ$=or2m&?pDrmz_)zK>hNar|8Vhk?abkNf`XY~NT~q5V5t1A&(( zPROk8KhLXruRP9YO*cIDZce}pmf1Q7XDfw^tKHNR_SMac6Tw}hrXr{8xXr#DmzyZR z`j4FLo;!(%w)4qpo|El6q=UR3w<&M$9HM3358}M5ky1u?5cKwqaF%JHiwMNIs@lD?A+A832=)#zJHZYLO{I1gRX7hu=UVyId<3BL_ zOn3o4+p0eW?4+FFa4^fXL|-G2DsLBf!h0@w`uHaMU~8U8 z%TNzQ!zc!X5g;>QgdGK@Glq9tA_PVoqi`K(xF#|47agAd(wkeTR+ljw!l)Z|@$(uA z`^k5xjlw$B?pqg*`GBA&*``e|z7$~jt{CE>8#!RrG;M`EK|L+7ppfp6hx^Zr^IW=@ zu{a1Onkyq)z^Fu67Mh(UkIoYIhg87&tu0z5v1-qD#XWlm>=Cil`D!O@venB+M5}~L zmp<6M57~TMk|ix+tn;7wI*oiLlR}by4pG_&glXL-Euk15ykY4Qs|J34kTXSu4cVA( z5$gz^6YnD^7!f1Mhok1`F9D&79@-T6l`7`t^JI)2ZFq$U2X(7>IrAxr?oI<?#;6_ob;m85ZwffN^A)x z+eol!pQ4G-78AKTnHWD<>Ujzzu}^3dXkFr_Qh^_#g>nh14Oz6Yr$#%Y9RjOq%00Tf zFXW+@VU>mEo#?@#ia~gP$ji1`Sqr~?yyr8YZEkmmT5-+GNt#Xn1i%dM#NAr^*<+!duicx!`_?D}Y8lr0gdHmAxtIhKDOsLqBh3#e6bZSR2& zuBA`*A>nfn)-EGtFPNB3-_`+G->=_hzw6ln7X6bU)`1dMUcLm@6u28d!jnr;GvtF1 
zAQWTKut&OT6O!b3Drm8b(2|5l%Gpf+QhXn$L^%jVOM%iJ$<0l4qCCYFlCL$x&Z#7# zr}&G6wK9!9dPy~R^bPj`y*^EGg0$ry?lqq2dq*46*j|j|N9_u()%&L{q#Oc}m!Jv1HV5l3e3U zMB_*f%{n;Dy|IWbXD-5uDMn!tCdl_tF>DJpV@zkW_TboJKAC0A7)CV6G#gBFkYP9y zRgnsS6M!IghI4N<017bWe>@w*_?Y*2`0ykM)Dz_T=RBig3R7`ltXsKAzm%nA#05m5 zU_A&FQO6PQt7&>(BPlY`!BtDy`_`YiEUJxj*e*X(shT6(cT#BM-|y^V`cqQA@jJrk z)t`6ZTGx%oScJ3VYqO%LmRFrtr&hH-v|KCMWGcB~L>49;3>Vpg9uXnMklVpbJ`Wyl{k73* zS}W6h5I#gKRTgGwF&LxLtYG;q=#=Zs(FdG-ojFko7oAH<0%hE#N1KkbiC9TA=|1^E zmV5TU1GooiOx5b}h6FGN66aSu^$`~OF8VY0y=RB?`zvCFNy29OyyJrq9SRtT3G#k5 zyb(gflJvy^vw^1_i)OXMs+qX3|Hvawm3$qwhCpl8W2WaH8#U_cCX_96oP73zd^rNl2@Iq1!J)H z7CYDaV)OM}%gAUW7BeZ3hd!0ge!HN)v@j7br|a32CPo*dbmxCyiQ9q zJ(2G_+L}IYUUl#5%x_zJtikxQDB4Z$({kHZXe&10viQ2~O^f5Pu9{H+6cO(9&A*=( zRWNe=&3zBc%FAZ2^EkPi#T^+5iW;@PfgL5a&U-hl(|@ww@7P2%Wz;o}b#`EuC1)8$g0pv`pgeqQLfScKk#i|zzn-pZH6c1WH_V4O!K8f?_#HjdxG-Sfux)}EV;t>WlP5VqwlQ(4)K>&r zlsE|yLCnH)u)O~SyA{&4@v4$XHt7xT lT0=W=97HWhpcwi*cd@ZtLe;xB1L9|CA ze9SszDVmPbf}9i)KI!+7-w!tQSegklklh)=V}A3e$6q`38*n(+_1Q*>{UNtEd=+1A zKx89rw8>Pq!YFBOLmTXf#6&R*W@#+hRJ%55p90lp6swMOY^Gn8hN_e6!d0=DE%F>$ zGGO%JwsVNJs9(}c%ceBd77kb~+9UE-RH~*>FSH@z?w3@)^UWnDo#_rZP8@lZbIsM3 z!i2v`%fFSe8mh%8Yi66BsvK?jJD`BqNkjVYl&m=s~>K0YW z*5vO2g$J$j+z#NlA#W^DY5mVcrM`r~x0QE$j%>m`73&CtkJ;C;6G1q(|M7iU0P~JP zF(2GyzuyD+n+qG)X5sslG_OQ_8z*B-V`-QZ$Da%Pi>FMOQsLvRT92@*NNen9Agxs^ z&rE&vnN0it>cq=>K<}ud2HT#UHS2>k$QK16?URn$8?>%Y5yGu<`y#Uck}3&JGr=*D zD${lG`}y;W0?eRXH>kVu{?Vj1uVH1XlLVDEvQ^cyY~nS=e>2stAu3P@-<~CBSvy3h zR3n8~?u1}t6^DqK`eyl8yLXF(yD{y#1T4KU2`iZjkxMc9Y`m1u#l{*BQ?xvaH{UK? 
ziO|?ckpU_AOq*`@;YofAOOz~!!eVPCKvkM0$+I~@0*6giWI*a$l6bmm6jGB{;Ju2Z zJv6$Dtli@`RuecF6x+SnuRbkcjhy?*heGzJ{Y4+S6cv&x-bjiweViOGxX-=D-}ZED zq{P3P9L}&9_M7C8OYAkJE;6zu=?_!wi%aDN_8PGAl^gM3E6iMk?%7I3zw1T8W2|c; z=Ows?Vnid((Enu~p87%7Oi*YULj4e9TZDu3E#kW6N*ha?W)npH5}2usf5>~i217?`p;k(A%D5ax6V?Bg z+mv5rh4sH<8DJg6jAlUf1(mA}{2<=o{5q+1ag6~Xt7N(;3~b224JglZ@Kg{@zK~1) z_wdVIo^v2VtJg=9>n`=S$0_}X3nK69zu$y!e=i8Hx85@yHy~Dv?0 zor6RB-#T7r!Gx}wiAvAQq!vMlE7l!Bs&}#jhCC8NPnWZpC`P0guiKO$d%7O))f~ni z!C-&?g)XF;#cmgQo*_X$gQw;{cY|qyV?T zFAe^Z&pX4sKH%M$4R8*7LD_ugYlkE*M@#GQryV;q@bi;3wKqh-aB)_BA93BfPffi} z09dAhv`Wj^(=uFfTmAH`YvM8RrLpU=M#xx0;CxbxdFi@V!RpWK@hI(Zr=V|s#Tl3D zzCdCC*5_sT@=>ZcoA+S$v;)#$h13ByRX>4-8-4qNL&RmQz{9*nOe0`I;dpRezlf0z zp1(WjB>eLCiv|QmUL7Cet>v$kf)>LQAOZCBiG(9>vs5dgbU7`iPyb=bcbvy*Xt8WZ zrSh?5lby-_cGXn26}kEl3|4Fg+5;o6aILTMeq!vgA**E{Ej+|da;#HKI`LoJzU6JU zn0C#)x@9JJy{n5jPqo2F+m6gh3rQKZGvZ_$H729=%L(G+_a;0f$|Dp)1$?HDwD2&2 zl0REy62(mN8xoFCSx{+Jnl&l|WVd2;8f(U@U8oqBJ({7&Uw3o9ooG*@Xvba-2AX{75d?8VHb0qM?TG3N!-Cw%4IpWJrxf z)OPQZ-!dZ_Iw%r2P9aaNS3clKmpoPk6IPu(L}!r-#IG3C4)P1SPyYE&T=&}h8i*S0 zOl=^KWXMHch?2+rM73GuQ@z1}Y_@@3rPxydyT?SXid~Ii!ZdY;s^7GUPm132UD82< zk-Y0;W&w-3E>E3bZ+T3VJIO;~tF&8d275EZ% zwO~hMQRbg{(Xf(rK18n$DvMU5pGhJI16cT8Ph4g0l4#b>`QiPVeaczcdox4~l;=XN zOaH2t5hvUsDkZfr^cs0U0q5>(-Au!LFc==yWK=QIJ2#-s(V`j~cM6y>2`l6>nhpdH za-Pz;l;IpxWqKIvbhMR{)`x!=V3UYlJ*eU{kFW_uNjp4nf|OTZ{tM7!tr9703W`Ei zDRkr8KBUJNPUJsx#4|NKxnT{(OGm+5!A)iABTLZXkVd6es>$nr)Wwnq?;E!?rqY6E z3P;mGv#72U=_R>p2x(e1sZ$g`|s#f*rQ5W8b(jGGpFk!vtKA#7HLt_Pn*hNxG7 zALdtT+i8>1Tt!UtWyYtI?U_v|r8*d~v*!J=)web4a4A4EzT;X)dPJrb^W%$+?l|YF z`lhy4^rKX58I`*`XyxKAfmApdISi^co{&UqW0bmK!R$g(&vt-#X8+6sGARDLs&kkq zIUJK#lCp2j%~3_cB@e>fMRGr$jK+jV8ZuLDMVnTSg!hool01z`e58(V;i7Dt%5ylh zAtF^9emlA}LZ%^*^P=x72l#ojJ`}sGS%wjO4 ze?<7WOw99DNPo43PN?y0#d5=9v)n0_8I11B5y38^>?D4A zIYQsbwq>!fdj1)&Fae7QvK=wOP`VIkAc7j@&0VhUEf+lpGnl`hs@V^5H zjxefdRPab>V)bG;od0&z4kN`n+KL9~{L{b4*fBfs- z?ZePgcdn*w$5#2=<}ozvn2g841<0$eX*qKh*Ni)M{Xd@vBnTX5Qsc@}w*z0TM$#rv 
z@Id<7jZ~R!Jil82Y?pq+2fclYe5U89057OiLG8VD)5Q%omk%bd$>XhFtgn-xyOU$J z`<(kSxyViLqD4#Q)m;w={jx!y_KIX@@OlJA>7&K(OlVPZ5^Rl`@iB@sb0U-5cSzFb zH)po~qTlJ>#k$)E1T608Jx!YO$cTm!dJN--0na{PICx&l$MXCi*1ccEI9>=mkHpQ! zSsP|w0Tnue4%@Rx9~ zfw@ZSVYr<@nd$|pZc!WOZCV}MH81BU6#{&4q-Wrog@1oTi^PqfXVp>OH9_a{1?D4T zm(8d+;X{1mFLS zs>Pu9>J)I-2`3qgCwr<3gsWC?i9l3!a%|i~`n)tRQl(J@p)?Y-fd_7lg8xO-Ikwjs zbz8WxZ6{4*+qP{rb{ZRv%^f?9ZQHh;H0EyX?307*ykF)oc&=xzHP#sS7~$ADMWN`i zFuw)N8lqC24wHq5`Ztjq^Ho|QwJm!H*FgTS zT15`Vu(JrtK~xSr3?dB5rafJ5^0;dlH6Nhd6hiz0UVIYz_W;<+mH8_r3`~Z+Du9hg z%fz*R)+1_}Q6nZc9BiG|@!)qwKkLPkc8T_r-nuVuaI!%MWZU$Z%BDW}lw_!H*g2=< zPlQx<*2HAEKNKDu(F!{FCQqZ&i6h@jl4y`8dxlU<6l$5UtVxq#uy@$_y8T&8koJ0z zEp6AKxd{1`SFuBv>eQB^$)d~<+AaFcE(mift-F(jLgd^U96G)kk4^zkgvv9QhwApf zG1S!n=p?ZMMZLX>$LcA%=_bee7K4jOTbk^`tChD6d*>vwf3sTAt&e7rk@it0PUupq z-B$3l)09!b&B&z(u7o?W3?^e4$}|G>*e;>Ptdhr74U91nI0o%e>HmtMlCFfBMeN~W zN`xAsps*JoQWQE>*I*j(Ez#DSnDdH5 zyO}euY!5REg{c_sr+_A*hK;}u6$wdcg#XUFWwr3~g1v4LqgYZ5-KJ`e^o?MIRwO>m z07K1jNnBO7U~>-vS0Xl9wqb}yUaa3`L%A7Txro8AA4d03izs006!M@6rl?ynxsb4y zt>*E~xU2#HWVw9rYpoIxlDWCsfbwcTs9tZr#AhU~fV;de?U@QN>o#SWe5i_{=3QDSNuIjAYr+ZkGFgCRF&8Ik%@D?*b}5pVz-*Kf~A1Fl(J zbilx3`xGQkbiYyUi31ku{qsp#<%XtCCNeX=h)1miRR+-&V|s{wndu-HY;CNfxPVYR zww~AZx0#UE>|Z2GnB~zF%B%(#h*m~#9mH5O&#fmaCuAZ%Z4ptmroPNNj7gu@xr$>O zUX0)*sGr{oyjm+3O;(d%Sg=swha>2t&x$apovQ$)9S@2WKxAi51K00PMPWTV&FZp> zIgS&e*hSDh&8<>82@&2rV{+i6#jAOV1r&A?j|wl zn^-tWgTU9oTPudbB*oVuPb#llu~_hQGgPWSv!CqPOed+S*-%;FyuaRVmpYR0WH z-sYx?>t-iB#&*WIQKnohZ7b~xSjmc0zS~woBs^m&EEf$UKq$?&obW37|M3ar#1$J4 zT?m-_UjcY9z(Kd(btMtx1?m^^T)=?^r|1a=C4lyXPDS^GxWx-lMH8N%DnRbX8W;8r z;x?t7xkmecH|r5RP(Az()al%yU0!eRa$g3qlmfh-8$D)H6!lzVVGOxV9zWBneEaPo zusck4&KHbH4BLmJm0aUbHA%G1chc%J`e~mGJ+}x}1Aa@{=5FS^HA3Vv0-H8Q;->{) zuLTshF8Lkj{hm7AF>Vq~-M7px#9uZR4#KlNUf@t7ue*YO`5sb9UDpk*aAmuU0a3PI z7a98T9u3ok9DBV-xOuKL_EINXzXD0I!vZL6he?f}j@O@~Ouh3+C~R~BEZ#tz=NPs4P;70orTyx`QHyLtkefA}_!HKpB+H@1&a8h_6f9DIs-Pm%>Z-aYF- z{nDz~&rM?GpO5apZmgg>P~Wa92q`ZLBqaWZ^G=mp*JyAir3FGt!b3{@!%B%Wu`2+Q z`uw`I-Uxc 
zQ{=(3wM;&-aV|{VwisjC)Ig&TPo+nMK~2+}Rrt{@D`;*9O+J#s{c}TvnABxc(Gu1; z$qE&&EdN)hA9G{A6oxO|qeIui$J3OY-ixnccQ3z0Ump<%TW%a|7UVkV|a}egNe#?JPO?fpxLlheSG&3br~rdGt%y#BpYNWNBk7{qbhab!Nk~( z5|EP}#eSEVRqF*uo4c@BPq@q!gSJ^|dbIR&tYN)kdX>%4iCH$mlS8V+DSz4#%5Cc* zBTn^^#^{_trWrjo9drGWHc~esBk2gOAa5rp-|_v`6)=S z!}=eXzx|VGs5^ibF@&(|3_8I+fhi0;5Q)by@}(=}0E*a<7w7iSW96)xa3~}u(P|5r z(?@G;qQ0cO3w${I8gGuFzAgWiSd^;l8CsU^_`zXzKE=(eDo%J&B9Rp0m@-!~_>DqX z)ORNmVvmd5JZA6pZ>2m@h>@<|R$6yRqUs7fILiR1^gUE*t~+gkRr;l?CPnG5Mh&=E zVfbI8yn$t!=i?1pi&5?VR?GsAZ_g-qmLL_-Ou%0|<)xC_0RO4aM$*A)5K!ng=n_PJ z#H>m!wWD1PZf|Di+FutM#SNf24;H1uzd-!4j#qUa$WcI>f=V!HDpC-ZJSf`mt0e1- zc+UNuA;ygxX^cWN9~Qeh)VmeZN1>1hc^!W_e?U^a)vGuSyqc6AU2M=8zFV{htM+#Y zxAKUD#pR(lSc0tE;HOo7V9n4lZDAKQnP++06?VFMbAd*`OeqWT7uzk>wX=@?SNsff;MKglEQ{>^@s?rsE7b~~R^^atFN@E*=LSx*6 z->^bNZ{DvPd1d%EaZWK^jYDhQD<8ye4C%>AVJ$z5nJzwoIqhAkMslt>YRoJvIiibk z<>*=)fp^oTbrjWyivI&Z(-s5^xl`MGXCds(!h#)tUqBK$(HFE>-IRGf87!ikiq;}M zdh5hbJ>byT*9?!!>{Z+Us?1>znVdYX#)(@=^(J0g$l2tIO!o5!Ez(3PA_|tX)uw+b z=`D*$^>PU30_80drWHqKwFtT1VT?-gMmQA&Dwa5hQWeil!zCQLkIgj2nnzW6n>FptnB*jqOW0drwB zX!idf_W=$4xUvk%pKQ&bCzOSrGodk=Jfd#YXOyr6YD8n$ccS-jUEGgwQWnI)`mZB& z_?7crjl?C^@my5U~1*3apM6UH^&NM4H5=r~T|7qq+n%`076>%s9B z1m^*7yuSY>LZ!5=pyT+0W%ui?&8dtF@pO;dgSQmuCNefp|09|W==pIti7e!^oKwY> zC-A(H26Ej?^kC4;^V)<Vq3}(xOP(*YTx96N7aEE z%A3#AWQ*7B13Q<~aUJ$NI+A`OlxThQIDVgG+bo zW(er+?DnVGb{Op2fM?}W4|qNTN_WAB!2ul?ad~;NK3vte&m|u?TwMnVn@ZgQlkaDv zoG1F5+HMl}pWSWt0ierlwSAwb-kSoqXfAbR!;gmxp?3FLtsVXIjG3&b<)_{KK(1E% z;wM4i+Pwf5|INQ;`|h5_Bd%#*uSS75A;Ru=kMldDtHs>U`$ixBk4QTyg5Oyni(&EG z1FAfco$ZH2z3aq*LulKA4IiyK9LXo4r@f<>$HdxL|K{OJ6qrfD&O43;ooJHovjR4g z#rch4Ah7+W#O(RYZk6{y0x4ed2zo(j4j2w#RmH4*KfMk3$)buHNh8H77QDM1(BlTm zBPj$41I8JsTh_--y+uAo4N*Zf?SbMh_L7Bl%4Ma4sHfJ}gjCTrJC&4nn2or#3`_UA zEpQZlX7u*U_(<&ZYu}Gomvr5g=~0}xzbwez^2q7*X%O%5f*EN)qVjiY$#iOx;`zF9 zqnfA{Pk9pc%lA?onqf?XY0UyHqA054z&Cgc54uya_t8+}rLdYV!ZcvxJSM#f6rl|W z(_&K%ADmV6ucg%!XwRKWJ`i&utxf`d?+^G ziS#8Yd)^y4EqMU4*!>Ot2rg7Lx3(ZSQ!aW?yT2bGi+@8#pBH&!ihyg0x|0InsXs7L 
z1AC}2knk(n1f=oJOvFVEvSc;(VTnpQ59-^KucOtIDVPyEqnuUB;+L&=X0FV6+8EI5UOAdiRm zQ=6_NvnN9w|L@ZTXnbb&1$P<5I8<`~t*W_n1r2mAv==`cfNj=gO~;=o61& zk{Cyu`^DAZ24l^k`!i|~p}=4Q$^?AW^Z>{sH4yUJvlJY!lac&p8y zCP*rpK3UJ4?+Z3G0wJ|lJ22oEmaE#MtEM#(cz<98(Smk)kv4 zD54x`4Pdm#RQl6OWSU-c%WAg~&6q)XLsa@h9AxK|52y=rR$JswEEo6Cw`l$YPh#N%8_8El<;Z! z+Ko+6V;a3RH44?`?h+Ct%Ec$CthV9Hc+>42tMNByQZU4K%K|I8(=HO9RKoR>NO`x9Lo^2}nWk0} z2wS#xG9{!`UQ^mYs`#pfYmksvoD!kK_4(I77)2g5WO#idok z(=JrGI-++TvWDoAUL@*Hzjq3$w9HqOLK{)-mycukp;j5g9we`{)1QoQhXICLL1-b> z5!JdCI3Q!rhm)Y#u`ZrcUQ|HCoC#j|f8#aaPe1M>@Hh{&9)NmD@&Q9pvI6o?fWGd1 zX50IW-o9-Hz0-Sbp2^kTB7t~5V2&_w#T?-&Ldvz4o3wr2xYrk;NeYsQ&=7$U9Cvt(<6+Rrtx$*FW~J&qPjQ=rb}=f0-Y)%`PqkbqNgFuvT!jevXg6EK5g z;|_4{oHzXFX|f&;YNp<;X)@*@!FHng0zBz8s71}a!QSu2HY5*@1} z`y5=l^@Iq%KU}YFJ?@uB6Jc!nbjDhq69~C|V{S9m3OH!aQXVlT;IygF!Hf#6R zNYUE0BOJ;RJe-s7 z1UXZSh%Ckd0!nJ2$gf3CF6>s)_Z{G6MJ;i!Z6YrHx9i174D`t1{=>y^t?GB7nYiVr zv-%PE6(+*(bR4lqCemaJt2~-C$xmM$7T!3D<3%z#(2Ebh7~h}3h-v<*K)@*4=-l}` z6*zhm6{W}&i&{#41y`00oNY8ME_}d#7Cm5!PBIDt^j>81N0~-Ox%%L@o7-(P6ciX` zEqT%gCp8;8e}<;1>H@I>a`9){Af^PeEA-uJYK-c9O)8}ldqyqo`4^D$%=P<6?8WqF zvow;-EXcos=Dq!=LK-92i0rPy9O^nW(KZVq)W6~}87)2uIDEdre4YfSVoD0z9Djyw zxzKX#bfVNkL0yakR7y)#q$cg=7n=;TSCIt_6F1V_ai7GRAI+E(arlVKa!D3~NF0WydSh5m8KRSmYV>#_*U=v`=g5A}VRSzYXBU<%D5Zkrkv z$1AE5B~sA}id5vC7c4(&5)ahpBDG7bysy5LJpy7>T4d~mHXdgDZuFt}82MI?m~!pI z)dfto!AzuCV^)UF4YXJBVXeDji&~PAer>YjBeGsd zWKqveeUV!O^hKn@0(3;u-*b^*oA;GrWpmLW+?L7vSk6xLibdO14tc*ELg8c#i;i2P z3t;O(=_0F3de%ylEqI0{e`&!HB~{7E2!_4+@Ss)H`)$DIXKobQL^X?SM%B2yn_z;h)qriuY*7#Ow$(~{@V_dGb6E@Xh>Biv-rOO z?Zo!{%~E^tP-f{{fifA`GwH}--}DJn0W#~>O8u>~%qq_&T11Oa}eJIWh)62ky8Z4rw8g6ygred)bVvqC64aJk9h#+dAr3q=UA z6FQ#y42N%syXTZ=XevSLhUykzfN_OSNwV!o8n3bQtb-oFkO9EVPE}*GhGh3Hf5~2WU*{_ z@rYP7@TS^CMf1z_33EplA8S1Y)@G=T3_hMb+JR7M#*20+E0QQCw(8n_U3b`DLBcfp zdX%iAh+O%hTVjV|sxjZfX5M>I{EfM!u9{vNIrdu%=@KtR^M@LC5Y3p2ck7@DAoFTURSL1HUWEHQyN#htyZAZu3y$~AL5ms zC-`1BxN<*l^SQX*ZH|GhyFOjlqsP@*zOH>~KwoP+x4ERW8bcw6(GQESmg>D+oQf?; 
z9G+S`2&OmS49M&6mF24E?#sGUmho+HW$(Yo+qAY3mz=@f>=(_ZVFaK?T<=@q2V-96 zi1qu{wn=FO43qO)?aZ6KMW`jyn|>O!twZ+`fX}~eTtjMy$Fh(rp#C~ok6|IJb-i)* z>Uj^46~5}g0!&U3+zJTptj%$n6x*YHZ~8#V=#hDk(77NcFzCFY1loCiKA?1OXag%7 zIor;=u-S@W%4D+RIsIThV2Np9=M$Kpv&)APhw^|Ifp*KzTt9^KaGmwG@_0}At# z`bQSTO^0QXSHsh|85UBW^e-I0ohj^DIM}V1y$h>tE!5x63 zMb+dBOWd4rbr!ZglVS&tE#}7MsW$jqcwDKw8~nbsb6%rTtWLv}VAm2$m`qp`*#$x` zPZaYCW1`_R2PB&!UVGYItt@ucS-Nqj?Pxs}_cgFEw>IE#1SJ?(w=qxO5;GZ;gxHve zZBk}6hH@6sVHK;*^R*c?wp#I@(~}9=;7cmV5_q_8_K?1D3@tI}{2@)E%MHz<(~rVM zs<7}PdwZE%s?I$85^0OF7*}G$@G>P0P;eM3vJV1%MES2zlOUOxIa>A?;#z1L3fWF^ zWU<(;L)c|b*;G@gS#v!J3)Zj(v#AMub@wey=wy`{ZAd@}QD5Y_6=5v~lqKN`Ipelf zQG2>-E0kc`tr_|S6`)O@Db=h!^hKca*vwq~^kk&VU<~W)q(_Q>!4@Hr>WxQn53Rqq z=!SzZtV-Q!!ykzvEr+jKQ52*-bzd>EJ-0jq+CW zXOMQeHG$%`Lb+cNRW6FuWFk5xN3AhPXXGBK;QQUS({Th$*IR^n(k~V zwPt>PMiYl}yg431i>fMeG;2dI4|(upS=o{r6JDrOU5N_q=vKFa0^r0}UD zlE4n!zr^fh5k}zxU7>$6JO}p`6dB5rcC67(HdYU)+|ZkV7d19EhXnjoJjtY?)NkdA zJb!pHlGwAHWtjxv!i@_sY4^F)0SZ=%q0w)M>fT<%FTRJj}h~h^w`VJc)m?( zC8&5SpRG^#ql< ztmz03W$jSW<&l9$lIC(n7&)$J&K!&P^STf=IKeIBh^&MDtJn4QtbwH+{zU{3%JpD@ z6;1yz%@sO;t1m)si3lK_Po?9Fcaq|q{9cbw6pVTFf4la`_whauI%JD@DR0Bz>jT9} z{FocQ=C}S7VHNUx!lCKu<16BT#0nc6irb&E_Q-%>O?k74YF(lj0x`}B9F6ZrRa8H@ zkRF3ncEi3kMpGDvX)43ThBjCy@@qD9WQW#?7fe9aZH|fOsAS@8LKOnj#p;)-uxLm~ zp)mlkY2W@(mOeppjzKec=IgXYG*AY;>DC6mKj`U{&qDiX~&qDkJ*rkTMr)i`_K;Og_u-toS>ekI?2r$`lhL@ZF8H7%6=uS%$oRb^uAR$8g|~98Tz|5X9?== zcVPgZJ>Hbsp*{~ydIKh@vUY|1b^tzxF3&Ga)$Q1wz}rbg# zF>;yCN{fH;I-0L+V4KzR%~H7j8z8cBEZ9Bip4a33#)!j^cei+z=FyMRG5vZZIgt}j zh(b2H)3e`n#OQhVhu|7U%Zpg|UEuvDwx<1jS<5B-`hV8%BMD~S2Ixd+>C2(U0s$H5 z@B2wEVMpC!EpF5J&*LfY*Ox=a^qxeXJ_0cMaw4X$40^e~TN!U^=5LTL&{ak3*`TL% zi~{2yCSjEfAMi|98?yK#wN@Ud{#_oNslvGu4?9C~rg*pqLT+ks(6afKLthL-F2I7j2bp8@l)2z`te3|MJQdYp(YBs%4^ zlR89{Q@94%%(Ww<>6h*d5tu%@){qCr|x)NEs*q)OFxrwe5b4Iu8Rq6sY ziz8x!q$xKwb+<^~=@MS;5=|!@T%}mh9}I@voUXr|TU6_?tP^c{wn?fQ6CHj`0~lpn zn$g^IXIiLY%vPT~|)c6FTT zXV}yZ{Z65k3)qB3S;CbSo4|2Qr?xT`qCW~SsFW=9x|Z(oIlC 
zQ=6DNwAMD7kO;zm^v5j-f)vW!P4Wu~p(;X_6J8Bc8u*B_ATH2XIK{wciey&7=?)Ip z-15i_uDUVsB(@_^FkU3F05hDdUCmA4zOzVN5Z$g z^<;t#jbwx1jO2?0V=|DIWFTcQb-j!+Lt9V?#?znu-l>*zfkFejp=&luas_Iiccx!8 zT6hkh$3kB@0)^jpgq7SB3E|%;uu>T|D*$F4d2@OS)jEO7va>NaacTs@AH)u8-qOni zk!I*BZM%HMNKefe-(tZn3~o2HGX8Sm7zFm)Lx=wd+M=a)*o;{=>bbq z^l^a5)%pwy*bK{P`QE){aRQrQ-pMJ(x`UaV6-dyk>j>g1dEzZI2`HI^RS8W_!E(%w z>x41j0Cd_*Wlo6La$~`;7K17X^^L1ky|EQ}6m>a{1nL55Mm`(St4HMq4D`b$f?yHz z7-;x42Cc@UvW*E{uu4;Wm_=86^urwKCD&{e$rNuUi{vctPEI>*=+%F$-mP?8FESCf zSbFe_srMN&%rtH zpP>qlpTJR50Lm8)tjvDZ)vpSNw)?qkyx0sW4QBig^zVD_G!hXOj+ItXp;-zz-V~h9 zZCPna(vZ{(8k!_1X(v8qWLga=d5#J9QF>hC`!xiB{ZH0u1*?Wxwbc1iv-%Ah$*^gZ z%-6$?M%<7lo?Z;hGL_y-iJ$XP!GSi+?L8_rNrufUs9@Ue2i78qwjc0}9|4!!9&HCp z&CFk|VNJqe_+gwO=!4n@tjxdd#wCUu4k_shv{M;$8tim5>lJ`vzm>ywjH$(dex!ZM zqHq-VhUmPA0;uP7-O#C36Y% z$wzKvI9|=(Ee?E7By?5jb~c$G(~Ls*0LjK^UY$y?m~i!mzkM7t+5C6kwK055x#KX? zRrwfnEhtt3332WEv3T^V;J}Fh5rI_Y---7lqHxvj*(8MiGeCC`Bg~%l_j%>7Lc4Ol z%KAuJs5cDnFouL5FjN@aoG-Y~9yfUqzxEWp&0YYdyT|&1Fm1Mt zXaNHxydyhQHSBqzzzv30_c@)q;p!|x*I~*hV9Qt0L+4=k7U-Gj1}bm&9^>^gkLaYQ zl~;i1ecE_&8DaI=B+|ac$1RV+2xTS9Ye40Mzjf2TlHc`XCFlI%sJrHK@Am|RQFhyj z9t`o*Tn55ty3e)ck(X4gq3_G;({|@5e(A3FXwB1HCD3chCa=bIFEpN^?WR^ru!*SL zwdrXlO6Z;K@@Cn=r?C~J%GC6j6`*>n^?_59>7UV6?Yj29P=erbr`Sv$uy*EmVYQolYNt?hIw{u@Q-?r@{nk>BIv5NX-wHnZjMdOmA6 zTKjsRvYGl@Xq^vt)#&BxCBE50r|{$Cx_vW{jnn_WWf{nAp9XN?*^5Tt{6*MxQ*hF8 zF$^T!_M!TB`KF~`cXk|LB6I`&H*evJ8+66u$#9 z(_;GAQ;LQ`wwU!Z*eq)p#4EJtBK(upj7&`8r}i(`7W~vJrFy0NiD+-wAkOmPHRaZm5LqOYQO{~Wz$Z~GOGT`R6g3IuUvu%c^ zUX0A8I9iC-uH~)b`Z83DNi7Q?bo!CP>$B^7LA0eYyXAB^@LbiLt2bcK{XV9e(|ZIW zX#=6~yM3O7M}57k6sZ}1HS5u03)FbaU zCon3OKnP$Y|J9*3h4+&s5f!Kj`X)|K6#h3fOiIt2kP*2L+kv+tql7!CdcPp{m^7C~ z){vYLxkDpf{(xHDMYsLDPeoq{4$Mz^>hO617g3g@F#*Q*3`|$?MXZ!@&{P1-sYDEy ze&^=kJ4~vHd%1X~c|;~61tNUAIQprn{4Z`RHY5WH-VjLh0hJtF9INJ`N&l$DD8HGo zX}e7uH4S|h2%&8p0+U94!VJV&jqpBgTv>B@I*P+=oO42UMpr_=G0{Tp<`BF@_BgH1 zTn*#-BFI+P7UW>#JUE&H+9%h^Nr3RulHTrofQ`Iya*d`!ea`!BPNCc4ME<(-HVgt; 
z7MCv#LyB4w>q`4qb13a$rLsRet*+Vkl%OuK-auc$B2b;p$JA(RYz{+9{9l#}^3N51C=Btp=Gd!o3%#tf) z+jV>Yuu5A|-I*Gd-9!bZ;1dbK(%EbLk}Zi+C;!GeB#i~0gsvC0tRYc2KwXzjpxU0k zbtyZjiyzt!ZgeF+$Y>zraoM%ODBJd(wJysc7(2oER&k0#bceAO#!rn7?M4wvtT!4I zVU)T?7zs)?;nQi4kiWwF+z#0L$}`X}xZa_F>am9dRFPJ3y!{&N!D6Km2ttR<{P9>D z96AeGx5a6#h?By9hB1+re_y5dfuI7Wxlx}6(*GT%u*!ZiC%Y{l7Z&}OD=cf>xQn|d zS-G@4pc-!@siSg5-dzYpn96^|;FMm3$oknK0@GtECK`}U=T z=+i1p(ZCTEN~M;nj}17{Du!zh z0*5?{vg3Bl6CfoKlR!>+Lh0MXxQi%Vp{#(>AJ+1q1mH-Y`)nUGWK`EaYBl9SwRokC znAi`UXr2!{{)rzv%t_gvtM@V(W8>q-O2OKt_OJ>enyOgwXe<@lHH#K>rlS?QsnvBd zM0ly;%c8xhDjfLa2i>e$vvSQP;P-ciMi_jK>p!pPBV*aH{#0|M{0{bhk(^VEWy>Xw zgBR#gA8&4psBI5EHMO7k?QTt@-GiE^*3pfaF42xg;4ZC+Hcl8H)1j-vXRzN_DU3uLg^&c1xUG=dD+i-j-;O&pkYseyshePl<2^ z&@jxT2k7+^>(XJNYSo9t=zi*^_18-&6SDqI;H0M5(9; z-Sj2b^wL2V@!K&H0`}gCq8_L**kR*6=K!c{z5NvoGp#$uK{=7-GHTuiYAF~*R05}T zKRc8x#5!T}=sC8F0B?+H{FZ9|cLsvtHGDplf(O4(w76gIjGAUWtA$LTzNjSml{tP3 zqX=A`5mgQySN*Ni-p3sidIP*3Ogu5wZVrTqie7tHM2_Z#i&wm~xdk;;R=(+FW zvxs_xN3mt!x}UZF1^fSFfg!nB*Fi{<+BMwR_uY#$PXk4FGI)-4us!;U?*MPJQvI(B z)OI~i>~FZKFBf|b9tXk-(s@oYFH*C5z5L7Xp4@-=T&!LYdhZ}x>N|-mZoc-k&Tc-% zT+PPhb|iY^zx@r+R+jJ0c(o^z$W2pj{pUZ6sPBq@bPr`b)ldb&+m5BwoE!QZo4!mKe7q*ViS z(5mi%a7a{n$h?z12ELANVK`l;R({mF=896icNu;vzx)C-PW)d6&GB|D_*(aD{=NDh zT@ummhynDT{>b#o#7N~uc=wevJS@PCBjgbz@yso!!L@STX>23(7_)zGHtV8!{#QI4 zCH35l3V|SV7y@tBf;Jz$(udv(vMkqXyhP0$O65Qu5F#TNzg&QrO6jF;k7WLhNQ7~6 zNz^P|Oo}iYI#jpU#5^7RJUxzYNLl8R!#K<3Jurcw&~ptM1^_(O@r~h5h5>^UDh-eV zp(W*VR8_X4%X8eh&fPTWlP9Rh6W*}eN%qiqDt10C9`!>o}XkH;M%U6u$e)KUZ>;nJGFuPdxP0G zb=e~ax$)a^WhKfkv%us|nZb}ve+rUc6eIlDzgS|w3pM;ppE-0676}G~VHH%QRrRI8 zz~&=X*a7H&u(bWg$U#HHdVmbBH-jQhVC0-i^woE6e38DwU|s)CGf}Zr?oXs~4!))K z#+g79R_tk^jJasV(Ek`kthwwM@l_$04*lROUQ7=Ql&e;z-it-G9b=xCP1Im391fb8 zYy53jvzqprJ5h#J3)YWkS_aLi{>Jz@=$By!O(QeiYAvx1AO#C`(WG@jWt>AU`{@ju~bzw zSV7Xp7k5~{Rz^%XnX=uJQ!GCRR0dkXVIBEev`1fywjpW2<1ugi;&b^N8OE-oi_kx0Q*&jJqDFxX>i#Jglgsj6w`>To1r2T1t zf4F7OkUS>dCZ_t>MfJ2DPCZ$`8*BifY%_92-7wftVtv7w8&pxBgzA*^3PG%UIBA>Y 
zN&jbD86om~{E)0rBiK^`{^n&md@{K4)2N2UOM{o93j%TFp3?}lu#`ue#}`f@%ir) z(D&2z77E%g>-E>^*AnKABx4TQoBO)gT57Jb3)H%v*lP89z&wsEvk`l~ph&rq6xHf; zH+m=3y^nJdyD#G_?Ld*RKflLfC_1c>)Ht6sS>|TCKQP>TUm$CCd|vyw8#%2QdOzl` z*2iDdPL0|AO`U(-Sq{Hq@$k>?-XC1H?9vu^!Mc2nPAgl?viIxD)+-ITd21(uvwc4= zQu-<+*FJl#ylzwO*lX(s)m<^9ZEEGVj8ZA>q%+O(74y91YPGK0k4~=8gC6(N;sqq- zW`x{cZZuX2Uv60Gay+gSggy?_ZH`aqjQqB)h?PhxfW6~1 zdR?A|M`7y(@7E>|sAiFP#T(>zI40)|gO#njFMs&lUymjbNP->w7q_mis|`1w(&zb4 zJ05C59&fY8LOSNV)yR4$AwEinY3~o%s}5~805*5`T6kCS_JePU_g%_z@nJXPs( z&%SL)%_Y*ueZ!>pgeleEKceeXk4=c%^|O5Q5;RpF@Nzbrmi0EnR_mX*ec5K2=l#A+ z#kH~8E79M&@fusqG?rs6rp4cRhJ|M;^L<cbhh=$aRd2o!fFO>rvlmQR}`N?y+4r zdDWQn=KVzCal!zcX;bS0o*`)(`KK5N+0E$r%uKN5IcTHU-7egW=H85VrtPvn4G(s2 za}6MSTfcJ5WGKv{?H3YyCABhPf>W~$I6qs^cz`{KGpmXEB!G5M zw=yL3#n?Li7ea|L6tw|3=U?en;5| zFp6-JB38WG=tpky8!ZGhZYkwVWtkH$Y>F{1q4m5e1)kqW7YLkf4UdwO#`UC4jx4iBGS~BYlk9qnsQW5{{_X9U?Pt zKakL=Nw+=WI^RK8Zyxf?!?anw65$Ji&P{WSsa>MKY=tE(&pg4uE~jO`9Si72iw?1a zv%oYQuP>l(>S$rFN*6O$Px97n1$!<4$b~G-*|kJvBf4ja&raz8R8Esfb(MbC7i>Qi ze$P60o50-X^;B04abmTQ4C`xg!pdhU9psT{qL)vd+|age03ej7f;umHV@>VFayN+I zJ3*vh8A6?+vtyxms$S}k07#sxc+anLNo+7hx@2B^SOz@R4hMoLo6Q47)ZfJE#mls4 z+y|nSGil+DmLY8n^2bTR%Hv|B@vVQL5vji6QZ;tB{XSG(Nn;9_uh3NBpx06NjDGR*N zsUFyu$5v&QtXPYDrQVFIH{P|;!~b%^vw+8Z8`e{)PH%-#p3@k0 z{iV(D9QVC_+_*O?c;(0RdeJ2%D|R>~W;1k5nA5=J=&1GZXa9MxjygyV6bS&$zWxfT zvax0xDU?VlZurNYGDvGSOalgKhVq@QUwu%dWL^d@-9EG#`a6Pat!CvAty@o^4tqpN zWi0=~BUZe#kz+w9mj&YAPg zJm35?H+8))_I}o`Rjb~Lz^to*50_&TU-?R~gf=Yy?Ie_)(EP(DqH4g0P4rhuvS#u6 zf?^vad)5)_Q3Hywp@{+&TjKE;&}v_c&sQgQz(f+zTvXd@4)-EkJmXtlENP)$_ly3W6-weH!lxL_or# z5h;*@5i<8t+aY1rG_Q^PRs3u%-@gj0F#D$=7X>?~?>^3=_B0A9Kuh9eN# zwqT6^MaWsyET*WhU93qk`kU(5V=8Za^YF*4b%$9A*MGX%k3tzC&c zK=?-h;@X1MhyL?0Ir8B7Mi{>K?8tNbQSs!euiJwF{!f>W?Dh+tQCAiLzxO7zo6U1I zaqs3kkYy~V{&@7VmlQck@AYy#>RT7qcn|+k-94EogC5X5)E_X-=NBJFFhSb2YOoBybZR>XYLxD3=|^y?^krjLOBSo8r&t)8K<%YZAfaa|_^q#-lfzP2gylUMx?`Sz`gwPo)IdNScU)rl|;)9d}3iMx31oODL^1!13 z3jytpmlFwhzr#Y%6Mx?GaBTl-U#A%xT;%Yy156inzo^mJwPyOx5v+b)&!j1=^|}Kw 
zC#U>vZZ||$A9MW&!3cq0OfJaRwQge!$G=4aX87h2U+D3>UJgH>j;mfvJz6&|7e-6{ zPJ4ZKCr5#@TUQ=5(-*T0vvf0=EeFcA?=M#@ng{*xX}T}9|It+=kgfti!-`KDfCy5k z?*Sgb<=yyF;HMt+Loq&u=0NKWFbTK;5D*Xt_75fgI2uJyZcP_^%DpdmjZ;$)C!-S1 zX0{*WQjdi&cSxStv+@o}=$Z1-F3zRbcxFQ&pqRg_-2lLe$1I z#}=Es9%n-ltOycZUdCm>w6%&>UuK%`e_uA{+a^lIZWoH7rp{`?t@b22b2~UP=hKvldhuZo$u|Dc#~+sSOcur_te-prcRSuV7Q!(GX6S~ zyc?;yWCyRSddM*xvajvWF#0DL#H51^a43mp&h*)R*F(?-46Tn3~ zr05lA#B|UBWzQ;I)-YxJ?~kGGa+O;6nT3~;oXQInLY0;)m=|ptL>kc3vdIwj-z{iZ zHE<2ZY*bU`BbBaDJUe&L42hSk!@(;o#PHpJbdK@l=U_^Sg%l_iBvHa^QB7;I(UzD| zGaJlOKe^3y-$X$YxEZRWKLB1|k|q2^i+$gsrL2VH4P@CWX)-Gaqr7#D?4Nf6~``hw|ijXp7ODFDs>2a`i&SKeMBj9A~N~TCj zTB&!b_l!h$YR@^jBElVI5~q#uhr53WHuGk{gyZi+hT_6Ca`D4D}wmSN{Fm_YYfMEAM=>+V%DN4N>!xahcx7B>?glqD*h95~k z+ALDYC9h4}Bk5lndAG_CFJ8;Eon7OZ;OW){$L$fqo%A9kV5UsL_uhWDNJlD|p-!u_ z%C3o2CE=H>cg1qQ=V8NruI2gQPp(6`qF9ob`XWvM_nS` zvSGhuS?ay5T)_oh7>^xBn8RQ)Y`?WiBeYwNm1#B(L))A*y_)FFt~WMZ6=GG^Ok5|{ zoJ;p7@4UGZJdNCioN@A@8J$d)kSHR}+L?Yi^a@0x1#=&>QLQ;I3d3jp$qg$bO?hvn zQ1kD~JQlWrJ_1AhNPRr1q|Op9>VJxV@;A^K70vfqRbbc+dC$H8hh6i<^*!>n0Hoya zU-CbR-|c3Adr^fzvhP0=1etT5dyKy1i+E0~*}l?$3$FXfGP zpPMIz?h`=NtT!cTRolP;W`|xr%LubLREwW>%2kgrk<% zi@ftoY$b?eH3!%j)n;}w1^8TM&<~Bv_KS8s%S}vuEM=HIDVW{?xJt{%+5;^L^ox z0D_R3F<;L;z|+Ew_hF7)zm3WZBFE#K7Tx_pja8opzjX?REo(xZ9{^U$;82HFxYa*2 z-Td2r*Wv9abf>{Kdfik{(Ej4yi!dBJcaoQx!KqpXDYLs3&u2E9tL*JpL)TKXL0EjG zyzTk^6dubI5BBeid^Eak+cQMIbu=Fn|0u8O@2qQeTkkLh`1ZGB_^l@-{dC*89+_?LkRZipW{b)!FaD4h3F->n^f_VR!Ta4sw zaY4!6>ymV2P0_kbM8yBOFROZOu&c%eJ;6XQRpuPhWoeNje^(Nwq55% zV(17z%A&`%ZSX&evcIg8gFvvIAYv#P+acAtu*jdRf3$Wk@f>NnWJz3A5Eg>fOGDJW z%YUZjbU95oiNXo;{%U;9TMPM+TqiS*K!RCdgz-33M?&sCtkVrdM=8>dsgs7bLxB$c z^xVTzOt@x86~g+4sy8~zhK>YR=q*CPen%{A<0|{06PPskYRY@eu|{~=WUS}Vcc=?j zD@o^d$--N4sH+U)h;f$=nUt~*Ri9E7F>L-bG!d72oJ#mAU%W!SNW>}6qXVK6P1-r; zUM`?P8d3`h4;s;t*Ek+!Z>8YTfHI z&w6zhB3pB{Zto4W5dQf;fcAhSg7lzdAvC>AV`#pN8fejoB?-C#s_%B~yND_{!cT=Q zrCxLzt>Wo59CnJ(EHMj)MQPtOtNV|}3l-cs$Id_8awp0HOEG?h$^D{;U4Dwhb}`0a zAyIPU$cjFPE^JM~r92t6BUQ_c4wh#))>tdRbkHQTc+7t8Gt{wFk8bshDrdWc!x*hB 
zVj4#gT9aCcH*fANbYJP$W1KGeok)V>CS0e|kcS!*$?dFLBa})|$ff!x)XB7P8*_p6 zl1YdpLbj!3(n){NFfiZSUu)rKUOa7SMOSD{zklFk3Mw>=EUg6%CM*(4tum@ep&r7N z)6cV!Fh=yg%*EMoItKj|2{BA(u-<{v0aa}kmKF}yCZ?08Upj0-bTNdmQ_(bdv+*X zw|=fOw>a;~kdG$hao->9`aPj$gXwjB%8>09Y!M&RZ(w@07&qrV7ij_i5m#S;h0=L1 z8%8_0XNoW%3F5w3Tb?)$+aFe~1S(ZW(%o8DmABYLd?e+1cZ67;aqE&&#$aKq!=Y(+ z330gNcrb6+lEPy#56!WtX>smz(){JiMbi1`B>z@}dB`Coguk;71HUxp$DjjO7eQ;v znpdnvYgT=u5S*8&T#BKl685ER!Kr?@+BX^W9;SU1bWaW$Hl9&?{oEQoFlSz|YjQiJeK$t20N2d> z>ngFitp-10XASOK9j^R=Q);C-shWK7zRv?&7VJN%)4J~0**8hT?7XKs7WF^rBC4B# zQ#vgI7m<1ZU$&R)Di;OM$1k1SjGjj#cJIBdS)YWRj^pc%o9B+_$kpo|BJNx5GYpSo zrA3RsZud8v0e(y_UJY@Ctq=YdmyK6!W9>52QiLJ0AH#u-0&RrE$Xip6(2FNKEWO=` zrL}jb!AAQa2-qh?ukYa+DKf9Pw^?bNKDWbDJACPpv_sW?w$E)u08Vv-zt7WA?u{%K z5toIXOVl#`d_TdXTpa(ToSvZ9EhUFQ-Rg`7k@MGAZ7*Q!>wW$LfJuNdThntS)vI;8 zgUfN*aBktE?|rOq_D_TezkOjnYfr|%>um+Ji|uER{K9J#rX~*%dwJ4RMsIjzxv2K| zDs}*NVW+HaTfE8b@NMv4CX7M}ZQ7N({rzR{_c+P0;=y$}789rYuAJd5r*|LA8O(R<23c0l;(DI$|H@Q93^dWiZk?w5C+f5kKnxD30Lp^c zxcd7Bce%=gc_BnOKm@4C*n3yRX&vRqtFIHA51=b3)jTLDJTCr_)O>#Uz)%5X#ViIY znDG*}W*#{SijmH-cCs2uY9rE>;L3aOPF3iWt&kRhZ@9xdr>wMTRSli{nsPy4%Kw8% zt-+em>c~M~5^oUut8EqG^e(%hXdIXDA3UsP9CTLQqV?3oPeOm`$QqmG2vqM2R9jdG zR!F>!@_F!IJ}NXAG}@E(h<`Jey7y)Q6}303_v{_W>g`aK9Aniw#kVTL?Mk(Wlv`?2 zMvlrJ*@3hg)h@)W0{MNjDW^&*Pek7t9?BJ=bxtYTnnNtoE>#3A zC|($@QX=|7y*|MfhrDPTHYzMmHp>bSDcUiS_@8zy&oV62215&o2++(yrq>+pB5k{UO)v`(aJBWQ{OG(wJ zSUHi0equI2{P#vJ6Z5F=O`E9}F&PP?9!iidP;9>GV0t5-+N&;OnwYEdLGLpx*0249 z$PtuyDlUqvSJ?~>cpMCF2U)^}hDQKIAvGRM0qcBA_Y=)hg5}50W!oNz8bj*wde~qgmxo$vYA+>x>y1thwj*yN!NQyV-o_f6Krp zMeP>fv`5tbi+E!CEp*nqD1c-12yyRY{FZhi2YkY;(9C@lS$;n9}E&aqSi+qfE%a~v_B|dVqIio-G_|vd9 z_p9GZ{Y#lhTBZm7_z?U$^bI>J35En7jm{e~bffKfUsJOhH%IhTN>CWLk!jU196al$ zAysA4M1PwsJ$)KQnTj5bcLV46YKkm{5>KzQjzJ?v#7a{gZ999s9qJV^872h#P zJtP5IXIV~W4sH&M>S$|N_HyGwTeL`vWN&^;Q*1~_N{*VX7Z<(O zGmj2UmYo|(ZlXuUzhy@%RHT?I-Lbs!K_Q7!<>U+*1>arKS!tUV$=~r2T@QY(RBVut zK|7Z??4{sy4s)pZviwiM0BZDMi_@n9g5|D&enfX_z;(Mc?~AY(B5YwH{9wlLS4@Bi 
zpb;pz2eOkH!G$?RiT6D2b5-Q^KFSx?7iTh?x2mSqGau&uUEl|t63O$OG#X4pTm#m} zhbzwja9glpH;!i;HVkj4xziA7TDNlxy#T+fU^?i<)K|xTOqZoF_-&lZPd7gco8z`) z_s!hK%WNo`FR#@&f0zBst=P-*QHPcXuZvk7Mu*LZSe<}SjbOYq?}loCnBUhzEcKV~ z(M9e1<=CVEXr`y<`LgZJG@T1wO>rggIIHiT0bg^F#%)CYSf~0(!TJ|CY(MGee%)!K zzLT}AxXLH9{dEl0NVIFR`R{eD!4D7vLsUN|o zjXMS|0x`KR7Egf;^xZN1URN9j+iycJQ{8c#4j&TF0WOt;yF6~q-7PZ1&t3;xlnJZs zH@aQ@mwFD|csjs`QX)V4*KJB2TmPr}Q~%nTw`Ju{UX}|KyGBZm(%rAq0?XqG$va$m z6@Q;yf@2Jqx=wq|Q+{^fPVN%>ZacSXFy}t zOGf+P?JS<&hmAw^IpJ)r$4XO7MsUlPug5s=dnulPd$JpzadudBot3D0%ZKaf=TU#! z-`d%uIM3%0h?>(KkA>!eD!G~;k4Gl(fd3PGT3dR{C87qc4p|{Yd!FD$qS1{2NK?tk z3>qi{jz@Mk0)}cYfGW~}*H220c4YKy2EQ}G7_lcJ6Qvnok&hU?8r@JfZQ}45I~BM- z^1_qtusW)!tjpk3x;^`xYdiJo>l86=6QxX^@hohjBTpRCq;h#G$%tRopi!`~rpW;H z@8Je}yQLOA`~%jDrt zWCUx(RMc4(C1sD(brmfQ6QYH@sUnhjqpF7@l{=}`a1A@cl0_J^5-4BP)Q2FG!g#pT z;W+ackoSvnEu;Qw2#LbrQ4Y!T!Ciy8Jp6$E4mhBy9pqd~y|1S`CHBioQr( zvY0n$+eL0h%OUS-CNzp8VM9@2>X5wj^kSI8bQZ=@9A%;dPJ5E|@o75?Jlx!)=I_jz z_G4`j%t>Kj?Ky)3!jsMW(-b*BAyaC}-ptpOlF-x4Y;_M4L_0kYT0I>YB zP%6m+-V!;1{Nuy#e;!iok!9V!(Px}9xzbq^dwVQhr-0ZhLndDcJC#`PT-#4h{Y2qH z)njH3fvBkUk{W|12{_QsqGYMn1fUa z5!@Q-;T&_RI5CxJt;Lo~@j;mmFd;Xzc6uBWmm=(l8s;~YWn8Su<_6W4jastA;lBR) zAM-*a%gScGEY3c}X_1t^-5MufKLkS~d1g?3i(D^6-B4Txeu2VC5md=q%(Skwjn*18 z%N0D2bLvbZakOk2xZL`G90$PzHGcp2d;gtFxam6J5oiT>cA7N+_J&5rZX(9))K__6)x#YyP9mdRuZ1f& zk+tXoonQA|lzaF03u%+K#kPqaWZ%Kg_yzN@USR;uxojnzfF_~W%hsSwOwFWRxlFfV zj+o0k?e1GOQYqIl$pO`sit(1WgO$lALCp6jE+GU$QY68HMp%Hf_-&_+|6ZqvG+2&y z40)(z<1B1i)PZ?hbvvDaRL&A|KpBsKIi_e73H59T?3cNWky0(EQlYX(4xzrBx;7I@ zVLzhQh}Xn7cv6jD!%^M*Bjj3QkCbsDf9{KfiZ{)XJpz|h(enO3{#Pym;~#QN8DPda z@V5IuX=8jYr)!YHk_9UKftL*09RT&b`9NY~1QEj^S;5`m07CG))|qJ#yHf0lfP)`+ zZWpZqXfu1fU4QA{*gO(&cx`vR(dOapJ>uyspGb_mxt)Si;5DAjUgdEsEs_h9*y1jGLY(bhkRm&5C4GAq9HJkU+ZYv=#3 zOe^C%_vgW`!>guw3MqR?V(G3c5cUD~zFKF;ef>e--}^WkFOA{aZ>+g?yZLecnrYMZ z@7JyG(V9nE&qLrUep$ESx{H8Jcaw*!-2Q_Z1O1VJ--eH>?nR8nDxd#26t>$!&Bu(V z#oLK}hsUPLNiVa@A|k!E*9d#JjeM>}EVm0grxoDOHdok9*JnnqCFRX|b6TkWHYe|I 
zZ!em=MUED~@b>q9QouIAWua5ZyLMj4&|}>(!>d+qvj|M|#Q+4;-q1SvYc{0<>{@uZ z@ubAlA$U7WU6mUI+TGD1w&~$3GiDf@AIQ#3pzES_hp#4m3Kd8abwaIsS z-!6e4`suv7ViQ3lkj0Os{qo7Ohn33X9iibZW5?*xy~WV7apW=UGl6(OISbFQdHuLF zzuD!#o*3#l4z=@mCZXPPOTQtMR5e?a{8ozx7_m zb~-bzZ}NQK%NymBl`HV@J6HF9!~Ev@>(=fGA|AN~`x!V;>vVVk;$-l$o-_>U&CXh0 zF+!_J{dyhYn zIa7eWajzPmr5CXx0KAoks9Iq3eJbMd=#*yO|ndMb@;1??yjzj>6BSkJzrbbbOi@XVWEfXRo8K-;ZrH!M1 z+@RNW*v@^=f6lC7==W{RO$C!82v@CAKqwM5!bdjF-mzCsCiKXe!|Ve;9ab?xQSR=T zLjORoWNNSP$Nd>5ovat3iaJ*rw3=WeqF;mYQ_Ow@BK}C2vm&sXtbAkKXoAR49dE&7^*MRmriZWv)r}aq$mtgm1c6j ztu2u9LpR;b+p(*tJO?`F&=sZ3gsG*p6)$~xN?trW+ge(;l1M=nRoyoP(R;?yRtt8q zK|DDcx(;R}em^f0J>7T?8P^qj?pN!>_NRsOnY0qSX2htpH5HGwhL2|7g~-(Re03qR zMe*^-ckQ6TQ^GjadF9nojK*K#G0N()oxdkB!W@UIUFxYLp0Nj(C0!2VoO2M?=;5g< zj>yc^9Mnl`4JM?S5DWgqba1z){!Ncg!-WtG*=xzDrXeY}m@G-_I}4wdi6v#t*Hmm` zG2eZJinC~HVI~%mo_k1f_7Qa3&*mzLwnwY;IY+6r2G^pdP$a_NjMTjYCB@$Ln=uQ& zXbClLX?1F0ETxs@y3?xJGSpK&g5zb}CcZI#|EdunbWL`Jl8*3$tnpZER|mhJ;1t2O zs#>dst*Mf*hnZZ^qPvPn>4|%h2sKh*Y$Ab&M9MH@tr-l-O96$Ilx!`bq~AJU70xGF zi1J?*s8%SP^7)(fUO9k91^;)uN2>@RaP%`)2bP`B`rGlZ)t9YkU6Msis=4XNb(qfS zeH6OT=^y27)9#2;##D}p4~o)s)}h=o&(h*@u327*c86dbT<47Hy~aoQ&1lCT4OK@v zmc{AnN-ZV0q-4;Ti-D9upaaxVYzi?i(Dl+oW-8%}3%G282VA9wL&J}Pr!ARHt9G&0 zjJnZ#DAwvmgtRfdLbR_<#1~>+2%|qbRQD08OO^{03?J->xh7PW*$c)ZOQ56|ZA+AE zpwdvZil8f&QZC6fV-}{tEhjZgm)KzfqujakQ_h!tp1ipr&^uyvEr)H{WRgD+R;;p~ z3TzdW6;!5Gr7aVcGp!+HCdnD~YutyucYiu*%m%L)%@Z#35DGu0IC6#t}2_ zE&;=Y0oMZHa!{au;nO>gG`Ek9XFi;4`$#6$WF9_+o8(Co%aGs6D}n?0abyr37e$RZ z(%i*J(qg}jY=mr*b7c9vh9)`+HcTUvB51x*kSI5eX0Rq(i%@7-HCf39D~X{RzY?d2 z-RbIDgjoM@gcqM9>$m37IUlNAC`%Mqidw};+mFnrRdvn~p1xY@+Ub*7_AXnoQ*SQ{ z);u*Gr;l^Q&l55Dh8C^E;ziXD=T0vTL+X*2tSnFeL!?u*Sx?Q4t&A-*cAy!%Ln*vD zG883bk0J>+W?VoqmNDqOMTAXDs?)T-kX%Ktk~Ho|P4+lf;CP9P)64`mMOh%lf>f0G zPqf2IBfR@XK0-%~s*Q6Vwb+FP_uuij+xav&)r^J*%khZJIJnm*6J_#p%{Ljwf2ofD zTY$yifFGN{&s9LMp}`%IBgkm>fpyF+CWLv>xrekro=oI-i8n84z@Y$ndOyJNFO z_r>eA>zB&i5?ZG>iAn>{5bK)MGry}1 zlUcsYeXq-B7}+pD+r`Y#+mYXD+k4X&>Fsnd(TBk0HcZoh7OwX~Vo&W(yG{BUDi9Hf 
zwOYt3Wl~MKlAV%lCmU=hQ*Fcag-^T5P|oK>2Iee&<)eAubR!c8JN$czzr9Bt@R9Y5 z|2NBLv)%3z)$MC%MRfJxl}krY5BR*tit9O_7KmoBBj{XHqnydc(9!n^AoXfQeC9Is zGqHMp6aap1q1EJcPY5@MPMy5?FRz=X4eM`PeZag=VyTTgo7l4gi#cu>H$9zLes)O@&wQ^DDp-Cd z&AGYG^QbVkbvw2C0S619Hu~cA(|^*vHP`=}O3!xhV~ND9_ha^QEe!<&E!p3kk3LX* zdegr5;$x-}CihL+YPG_9A@+sPY4VGRo}=SEi4BQ&zRhzQE0zB!ly4`1l*w;+Ik!!p z@1{-RTF159LxIzGBiqfRJ-=7z?huAS^K=1c(@mqxmgIe?8jJ5@hM-mVvkYJ+QNwl8 z&4;{eU}XQvXTSsKh7hRgb)LuVJ9qlGWk$dA{)Cpw{ZjfttGf355(XTt-FPmWfq8^Ce0idtr29&_>ITqMc{hCE)2DFlSusS$3yzF98exRSD zk8N-)0~O&-6KRg2JQKJ2jrAiaBDT9YOw*tizNqULd-?L(br=q`PCN%P-67)KbtDjFh^-PJsQv zU!?8q$~)(as!H+gkL1FfXA2QmwXJB+6D$$#L5qX6f?1IWwhbCb3ue@jRxUU4`BnO@ zCV2P*drQeTD=f>-W$X<$1Q+?un(BgyP1b0_q%7C{j4V?1D?1(6Q`%=uvAnNxLb)F5 z@ZFgjMyvfBWini~I>Y5)I8KrbE7e`znU?PqUJJ8hXJ#!XuZN_DRta-eYIB1_7@Hgh zm^K57ZLiQ%wQ5I^yRK{*qY%O)s zop@(RyI%2f&`p+D#S^lKPAbD{v}pg}87b3c+y`5<73_##=I++i z-ydRfNL7QP2`ghJ(-V*``9Q}!{^HG{3bBhpV4-VWvuoKBCO3!`t3f#Q8%2Zdfm-}p zP=v=r)fuF28|L`c8;cTrS*KKf7$h16|MZOjjX9+yWN8zJJh~Mgl6xR9XoG$)nS&xx zXk@;@9mV7A#!z6X>j^OT*?9{$QgL^SH*gWKg}bk*;9K~m2!DvX|0&OAu#U_sVALXi zWXzs{fGb7_vQtELu~J{vJc=inSWCQJm>& zW06@bO?hau5W0+Wh63Bs(I|B6ZA0JTwu)d5+Ot6*SWP7!93eZEg}iwjD$B_*aSS1i zNcz#m~xKYNK~=7Ddygy+U@KnNt&_aF}U~|MX26^ zaMVUfGNe?)W?)*1r%K3A5zsiQXv6t`tnhV~oJDAcQz@MKf(l&|Y1u|n$}$*PGebMD z4KOR6?aESgzQzeW&stO=I+=$H2?fq?4KWY5L#`W-L``w@c{7GdCh*PA&gWK467bDn zq&r5?^p?%QX<<|^LcbL*s?opOq(dbs0kQ^YpU98Ya3pZx(XXax&c5}Omz>y;^A$%E zqv%n{Q9%kRI+@;f5aT)rRzmXrWDF|85)Bz_s>+Z-2&03`FCI_n#2!{{&Zfb- z)NBw+3FJ(P_EO_L-XmR2Q6ALhT4Bli5kWpxWz%AuE#a2eXJffNmeG()_3=ODO@ZJ+ zeHLrzoyfKVZ~}v4Pz!9g!@CF!2>3#d7JNPYB}v{R1|&lG413QV3Q`0H2XgYi5k>l@ zz32LIXxfh?E$(hPY*V(Tznx+3U`X_a_x|YidKl5!iscvIZn@5k<3Q59p%du5$-LV3 z_@&$6fbFS9C1MA&s8kyUg5`SEqOM=9`S`n3&amwJo)jZ&IxL%F<%xpcp9>td7*DvW|l@hgIf4a^1S*~ye zdmJ~dZW#00HTr1)P46yx+T453yM1(DOLup?F1NGz-zRf>l(_6S9)_S1tuh9x;#xRQ zx=*qiYdQ{)ZL0lsz1H0@*{)R-^l!SgI=frX>wDK49~Wg-cJ^{6ec&Y~30^nt7-mO1 zX+R*qQUPIJVHs@AP4VmL>4^ zAf~SON_fJAZCKM)diVSn20xaeYvB)3)ys9uN>yd;*2~!p>`SXfUia6t4lur-Num2= 
z;2s%MYyXnEuiNN2!p~$@eGU!=a6M{#?rUpXwmuE5sIxLSY&*a_QDtOo<`Io}l^YsA|bP$U_g^OD>zeaxMw`CA~EI}&(# zy{bHVr%O|^fC58PLXu6we~gol|JP+j?edBXSd)>Rlh|M5l}NDzzgH8 z)S)a)p{A7zwpIm8vaCz9nvS36jycsXBQD!gU9*O1$*lb9m*f5vnvMx8=Mv_n-avfQ z9qU}K8W-MHjTk@R4AsaA)s#B#@Dz^FHr0?933nK6DuI*0V7Q0$T&r5{K$$tJ00(bl z>q0Sut>ef34F$t0mA?TYw@rQgecwu8z+#0RpoE#*enJ@{Dzv$VjYnsC86O zuVB7wHy^er94VS)MMHs&f_c2AN?ng_H= zJsN$Z4iq^v>CKZ~U*IIFBo8;`wE?jdhAr76k-JZpE`gcd4#{>xUE?!VK0!=e~UCVp%>qW$Bpu?X2+$+QK< zzvwZCf67YyUb8t~(k59h)1XWs6|)$3Em2~Jqtp8C8zPEpN>Re4Cr&Pj-;diPQS_Zn zM^4DoP||t`{5##T^4y&JTDBqO2x%k>Y43ItZB-3p%I`kT3eCP0^$D_1p(q?gWj)o3 zMc3*?dvsh<^jjXarv4>x9S+4Jfn>Q(rbL$AYJkO#wsAV36J;|kbAjW>N5G2qe%h13 zAd$h>tgjqL088H6I#5nfwSrGp{alK`@n6|`;u+EpJdepHRm&8;9?Q5yWpSD)5fv18 z=?PMk3M!EjE?74H1V^Z5~;6-^fYv4ta5WjlTFp!deOO4 zbk@41<4Eq*#YTUAz9Qxw#=%FNsv@CKYGMkSGw-RANpGQAj6?Sc`vS$JhAV7UlA~0@ zpewKk30F1o#&cqH%7+kEQ@zJGX}EM^TyzrKMTS(apLXn6`J z$8&=B@Q^k^C;?CORctz-4~s>;%i8r`c?J@nrSDvd3neq7_B_B@xa3~$NnlUoN#G$i z#=!t6@QeMKvDu`6`q7;>D-uC4_fi#_Kp0sZVg&SaBNt3yc_TT_}f(IE8&NBc9x6&Y(~Xah+`l>-s^? zH`ur%rLI^(k)Ac^xhWNLFG=N2zJu!e~|go8k1tE6#X)1pq2>QNJGu9T%((w= zc|#^di6qCA1ooGL4ugc>xdFWZQwnj~V4svwiav`ofhNJ%EibG`f%1yO@JOLAL*%9^M_+O+9-jOzSe> z27`Gc0Vdb&i7{YWVLCn7mepnD@1h6)mBoeXGY@b%2f6cjIqAk?cX5T+O95~eht=!& z{@lrEgYUYkV6G&S^I&t_V&?8m`BLz;VuVb8zu7(~mD}sR%87# zd3M9~_Pvql>TReQruzEYX)a5r+CaCQZj0?Dl`EIroy+$fPwOl6WF@lY#`bPlx|HpG zDJqR%dhjEQQF4&QzATA@Z0(reGxiE=>wC1Nd6%i-b@oDFZi z*~QkZ|NV%Mfu+yOb-PQW8@uPzA^B>q*K)z)8=47&smIzy;KeW&kpi9b9@GeTmbgR_ zmXFg{F_P(D{l~wBXhhpSCSQB+bR4^B{0_iIcAm5S1*?m#hk>XY!rmRsG|n43_a>eP zBQLJE0rdL~EIGpuH2;1j34_j25f30>*n)6t|FqeD{o+!>-|25J;V_tP^8=4>eGI+! 
zYp4NC=-?L34ewb@Bfqa>KDpP^)@IGR>2y!g-yN&Rt-)-^1;lC& z!p&=3`{EC70j~S#?OdO)A<7+HiH+?K=o9gKh&AkZAx-@5~}pauXL4?ymj=FD*!(Kf)r#ObncU@fS) z3&J0iJ}>>~{lfl&!N|mUW#Ah*X$2}gY*IFd2-llH-DTPrGUAIc;nq$FmaqJ@R48f6 zQ;R!FrVv5w1CKuR<)daaAuD?_owRft^c6U{^{h{x5j5`;7iQX-<7Hw6lTkEe;3Etq z9e!~YiE=YrM+!rfmd$H3m{7a}lb@do7aT4VnAuk>MpJ87kH7iR+(j|VrISGFVYTXO|M`j0kwM9UQ06pIJ8 zSO*GMGIeZegw63m!gXeLHUNCs#K2`@$eC9>feMZgD@!X zzw)Y-#6|G;X$ftXI>eDj^)yo(>6FG}8#qQ!LLh0=J3d6JE_bSrJt^9mON~PIEbPk z##u2O<{?lj`x9j2KAq7q^{T*)^olm*#8mBeW^8`(5o)#7#OIV%^#_iqM(I`{JgLax zeQz+PGjP;hC2E?|Ea*SgAH9r*OZkDCw0UK_7Bv*Y)mL7}y`rl=>j6ct5{N3^Tzf0B z1-aLNfH`el&J+PnPJQ*9uM`+ap`cqPR_s(PK<$3zPE+Hl8$=hV{@vlG32X zHuX(a#bGcJZPufW(fl_cUaFHS7;^NpjJfYal!oiJ@{Bv*J6c-M%{u%puz=*5Oe?mT zpblg@=IAG%BQ7zbn9vOf`_h%DTzcFQ+3SZBECgT~qbV@gazeyPvm8hqRjH5Gd?W`BQs7l@=X;RJOm7 z5{qY@BFxy-INchFr0=`}PIEH#CsU;oEC?2Bw0mN_79Mu$xOPuBZ3(a2|;XzDvc ziXbHX^-|%VG!4!U@GQpBF9Xfp>2{-*$Yp+k)4f=&fgzKHzO@7RFt z_7P8U{Aas20^i|&Mwo(sQvr?V^PuJf7$JkvP{K=kqJX-M>ljblJ1Fcdm?Gf+B2=#R zbJqM`o?v)#Og6nwT}Tb~RIl5x$L8SlrxxPL@{pmOPwg z<_7dkxMb1x%A959@N1sja-dG{4NTDV^7zg+dc6BKuD0-Anl?OMBaWg*VCeI|jEEU@ zTBdznJ~yuBYIXmsTWw6sCe!5TW^*ZhIxfi7zXe=nJj`hRYv%ZCP)17Yx3_QO|DN3h z;NjUWKRKrF8nl=s06xn1b^vDNc5J$OYF{lbdT=tm{EL}- z+Oyc29){r1@wphD!!y`)$N->e^wt5&ORK(wEVdm7KW5iueJl!Ne(Pc01G~;EK6ZF~ zHXIjo_^IY@B4oO>1Fk-vbM3G;F8gq{-H5&(x5;;XPlK~^cixgP2))jpQd)Y8*4AF` z79GZVvw10B2A)eDS{4%Zr=nJL@2VEv{Wor1Qm)CoG@`dl(^}S$Ip6lKE_)YDw znm*@k&H3aSZU-2B-AF{#cvblhW5{yi(0I_m+C7EyqF`W>+v)2Z1_7epSDRge&Qb?7 z0*MW7fWagxcfc@gU?gy;-nvRc&SI7+3w(2uSrBi+3*! 
zgiO__$+8y6)CO@hr!Y*1v+371wmqW`+eJD2+pxb2|BI<}?9MdYmUV1(Y}>YN+crA3 zI<~Fu*tTukw(aCSS!bNR_W5%Ef@eH)%&MAoO=w}s_a(q2UAx!%z(tX*jan;LgILUO zr%zs#PD`YCHK&x-6?EbjS&=f@aOFtD24oWq$d^Fl*vXMLJdz6FBaxV;U%tSYFZ37r zQ1>OHm?%C$h|w-n#~5wgQj1Rn_o`Ma9s<=4N_ZKxBtbjCO7oIS0B5gI3H5+%uMHY|kOgokual$TfF-vjHJ?^5BgA)jg*8U*hW&ULf3^^aA6J|W!zeUjS#%T zR-af>jx{%?q^3E-WSbpVCYvKdhGTD$JZ2ZE7%Dy?sDtHX2Ub%@wQfA84_hwy^&4qW z5ib^PLl2{Z+KvLnA>{TqWlU1z*6&q$W%u6(Opl+V5Vd|;5e2dR1I0Y0Np+ok=$>kH z>0Dz95PCG1HjF!gkEvoqPuw){YMtpva83PBV2#U40s1xBr|DRfB6VbSND4>qV?OmY zbw-dP7mXM-=*lE$5vp7(a%I}hsnWYbWed{S>C8YC>S&515coFQcrp%PRYZ|+WSoDa zcFMjfKFk1lt2-f@yh2&)$pD`tfr1~Oesaa-fdgPQ9R~QFLwHqJ6kQtF8}16ytUI05 zJT!`|wm_XwIpi3Z`Y|?IiQ%YFx3Kvm`PK)JH9f9U4fE0sW|6H&TO5E3E^;rE?mk`0 zk}164oT;0u;z^NeNow4;pKy#6dCWJN!eWtX;a)86*MmuWtTQwYz?5M_0mY)3TuP|T zN1Uj&?=Y$r|x3Yh-35%vCD#P7=u)$YcAKqoD~k(mQE#Qma9YpSqlp0v{TsL9;+v zp%@Pg6mBvWh9ug@6~e?dj#Z~aLrAr)DVx==?vBcZK*@K!DfX@;l)ayv7AYjtdDVRf4+A7!d!9M8m6&H@D zJ%O3E&IX8z6R(+DT9P})=#Trl)1=ZqT_bK{6|z2B4!+LmzDu|C3yerka7A_~mMg_v zOI0F0wKOcI%j+cO*{fJjaG+;_7LBEGs&(uqY6V-L53j7dFMrbC_cr~}JE&~Qvc_Im zIMRQ@ZS>SYs!R>lxCMr&F0o{0X18um!|Y?AH}qSO6SQB#LHRv@qx>`|Nwu!fdm z$Bp9#EmCs%@3#*2Ezkv+eh|q+=f7zTUA`TnLpZee&JlB8J;*=YO8)Tqzcs$Zwwect zZR@xtyhQBnjY*7H+&sa>=`vn?X5o9iy>RrUO?R^h9B{Z@ET!f4I6v#lY}Px86t_`Z?b zI5do8>Hw}whgibq6cj(-!?Ii7u1YFfU)h)YUbgO|9%M%N+)rIswinp(JD$qu5Y~V; zv<18)Om5aLFds-;?z3#-I5;*v%e-^7?AG$^)Uahj;GONv0PfSDE+G^gUi;@^>ZNv6 z$2E`ooaVz3VfK%s3D(EyPcM9nt)5|su{&RjlSG?D4A2z#zp1tKH=x*kJ^0KnE-n>L zKQMT{^D|cT8!xOD4#tZ|y=|InWFHDx5ZfM~)>>P)E_p;@eXRBF?#$9i5n8`q9PC}j z*=;sa1mdrLz73%fWm%;ymVcza))$Cp-zcV%HJOBB?N(x9%#QU87`D#>9+Yx{sgBKvtGc z?IqG{b}C$*N7XdBD3^+3u`Ai2T)-6}%ZI^D?4qVFv9VLnKbH*Z{S7+WL`DHwJRT8z z6pW1c6CuW0-d8PVDMfq85iQ8HS{^Q7O@x+KZCj$9^sZ<{K3TVA%DDI|_IDGf9G-45 zn)$|^n=-b{9)B7pUs*&(s!5^|M2ZCh3b!Q6&czhQx;PQ@RD#Z2ob&L(r0Um>kypw~QIhKLR}AgN zC-Q(3Zd5GVh$>CBda{y0y#*uHR zl*ClCV2gE24jCc3vH7LtYD^t^$pmVi>=_GkG4kq50mr@*pSNEN3r)CYg$HB%jM0_}(nW;9Lqi?{5gOsbJ^a_=Ufq8a zO-D|LeDQ%m%ZO7X)X{O{4|JPn%3XM=0o( 
zL=82jV2=i67l>55s+@JC*?IYPkjv+p@!uZ8U)pyHN!y#OU#FYXa_x<#5iEQ$ha6-jj_0dde6+akL_rFdz(;f z4ZMT({Y}J0(?f8O6yA_&4To0D@#qSDvVN=8CN$o{4_kZ<3=Ynb#}yuQt72kYuq+=v zQ)j@s*hq$cOHE3K5cQ>$HY5jA{yRrVlOn2odctx5qsB@?PN3rK%P1G8r}E6pMCmEj zreI#_H&f|8r%HB{R6BBpDrCV#II*ga9>oJr@;6j9QL<4{C_E@ZLpZsPItn?=1Cz;& zPi2|qzt2M+4l>1B2<8^1wIz zy7+ePtsW7>IrO``tW?|4S2X?z|)Z1~nM4m)e)wyp9H5~T9JhkU4?P8ZFz{?uV2)GF|PHf8v4o@WQ* z@Oh0)>g8!Y6h1=eus(m3J$Bxn!n@nwGT-Mm%v%stq6+M;54?hq-I1KjP=eml1#Z9v$4*ZV~ zc{k2~5j3VC(f>JgX2{Xj4T|l$_N*OfJ$Txv?-wO4$D3EWP5zv1v-(~fq?YEbb3fcy zyh5N!HBPh3!k z*=lH7F1g0a(ml`!d+D|2w%M26HNsY}zK#vi`yX)GR2|KD{&s65xqdnMHor!jXi`vN zfKAS$`}%15bAkA6^J#GV?4K105SaW4nM*{(I9>jV$P=Gc^FphXaAF;luX4L~2=tBx@KIm_Yq)mxO!>_S^QpQXj)6;n0Nn zOV07TF-J~(IC3qMHdV^v2R+6uhZO6#(0NtoyXINS(_|h zso`_zl9;T>o#sM6UAdRua#ZMcu>lYovmi?+xLePjwNrB7a(yV3Rz~u5c@Ca2w^CaY z#F8U(td=2JRN;7iq_bi*f?%XmPkBtsB*Wd9OyD63>x_P&-gO~McpG@;`vvh+Sk$#D zNh$TGLn4a$9Q@N4YsYeI2jU~J6{6q$(-EQS(^9A~gDD%pxh3Hq zC3zR4+GyiXDqBP*7K7CrMsnWFu0(e6g7wPO@fF})IUp)*_?EY#=N)ef;&8nIY4hUJ z@e|6?@^5FNbFzPfx`S1fLpNnIjOK2N6%i{Tbu+NRh323|S@251)UJTgaD|98YgXW- zRM;5R#JotrWskVwwI<-^tr}CRNnw6dovD}tvyJ?29)(gQhrG*GoKCk2xIlv-x_M+{ zpiVN>xQr?9uMNRE6Beg|KT0-44Ku{f;_bv#7?2vsXQ5_-7=c-=U~M2rki?V@SFEor z<_u-Dc~WMdR-5JBWWA7921XGc5u3w={5KF<=+xDnK93zwcjjS++4NCI8xU%^ZBcHx z&W^@Pv}ocxgwNq*iG3F5CFKy_)SJ9*v0!gj$0T}t{NpRAK9xQ7btogL~Jb1`^%e4QV@E`n10}M15K#WSgX5#NSS=7?ZzsQhZz)U* zc}9{2}3QM2lHFI?V5E1%PC#HX(W1s#HzR3-Ud zurg{siDYdmAjoJ8f3V@OwHH+~rVljzUpb7#N-uBjxl0ahLXB!WULjuGQ$2W>-5PD0 z6)^sxquvU|gE~8S(yxWX%zs8{kjxtM4{gb$Bg2VgE{iVUVsIQ9#LQLgFij6@_}L?o zTlBN^S_eS32oKMc=fRQlE8N(H@HzHG;4eddn!B1ixGBDJNVd$eY0>7iQw8^wq}1|p z9i}gnlq!wh)diP6C6@Z{ngIdQ82L zLWAZ~luP$pvMCJkc!mAg;2bc-u{Rxhsi5cD+*6ADHl<3Nl`DKp;!VgDZ|^FLVwn&2kXy1OjA3Sne1qH!>U05q=+*02--hIAxy`fp`1l=mbYjn< zvO(gv>&Jrew)>X0r?A5BJu;7MkxMU|=N;=kvYcjH_e{{-{kUXt{fw{swAqs8<$b~D zuKV6OmCIkQyMA_+L%-n@L9@(I*O6N{GF{Sr`&#r#l{b}f_hEvs?Qq1}w*BDesdjw^ zKl@R<)BV=p?y|VxZIMUQ`FmyBCcERk{&NUtrpkfytKdSt=W41ex5Milp<%p(?b_pe 
ziR4hAyB4wIT*SGh^hObp!}~mN4Tq*^<7`KF-N5ddZlbCo!|%?l#vaw#K;T;H+T(Z$ zlz=a&>nxc><*7-YQNYh(80UGj=;Fem?X_*V#^3w$x_haS`EOHls}@4JGtUGQl&1^doR={p^sh8Oyr6W{0C z-WorBwd8@=iyV%Zy5q0^Syq4Uv*Q1QiU9AU`;u4zP!Ju_y~;pZAIw^p^pSD$!TplwNtEKLBPdhZH=IJj(nD>`7DQ2yO-vn~T+=Nngvt&q zwezf+&cDVk^d7s?lj6*V#t)@VBpYdqKr1Yv*DZtDAb}$L?vjV(6ZMf1J&=`9T<8zn zaT>4NeY$btuwD6Qn32HQ!K(!k+t~`qDR4PsR+8D3BY>AM=W9M3m9L+2gxIFt&UKYd zN5Y|6yqQ#h?+TA_inK-He7GeN^+}>Kod{x{WRwt#n}7%_+DnZ*>Ga1*X){F#t2eF} zlbArr4bz{sQ}YOZx+#|MheGR1HR(#VD$#k)+O;YdRfIs1=AWM3AM$kdWB$Yvtu&0K zAHx@PCgXZ_GvQw3u1qhGfs@TU@>IsF;+vBs!)1c1<3~QlgPg%pf}EM!U9wXSSicM# zwM|fHc?(MYt|B|)9TYxToBdmmo-vXkS|Qzj2g5$jCT>rnG5ZjsET40Da|Tq-c8Q!f zy=2yITv&ea9zVXsTwi_&u%Gj{kgjaDq`s%ZqKO_#P^ausYH1-H(ruQ6RX}>lH|)=F9Tp5TQTg%t|JRLu1dM@OMx&A^%(DjA3s!Jxoxu1=*|w>| zxRP-%Bq<3^d1gfFNt!MR`y;dLCaYkX56HHx!Hhd;g6g>nKHicmK6ZTZnv++=01=0{ z@Scf_a}z)y;kbwVsmfx#C`r-JJr%cAW2JI29BW@ylUpE;HXVi_C18jfkzJluvJ*v8 z!bhf-wF)TieI_*DSVK0wHB(^PkI=M~G^vau|3$nfF_kNG;xvzGsfNaIbR5#2YUwg0 zsovovtiCoIwduqapeQrdv>}Pv7?qzL5d@xDf`z*pCuC1?Jy@`}yI3)a*!lqwCbo>iSvEo2|ObG{ra;PA;hae4d^r~jo3 zu(7l9Bb{Bl4H?S7jsBd`t~ieQH29#?toXsO*y4G%e*9jjG<{sZ8CYeD3*l$2*E4!@7Xba zNg?F~i&0@Aya#bl4JgiNz|=A3;5?>dYEo8+ZNX^M8HzHZ$u#IzOfEL+#@levBxy{kU`&4iRC#i2N8iisQ3N|(n6{cORdVx7> zO14s&)826rKT6or0mCaBJ0ufVWT+OctEM5bDu z3_#@MO)}%|3`Wi$WPSKMIPdK~A$5?xD8P**k%J6xe?(t!0zKES*P=%Ph`kt!%Es3- z2AzuR$A+Air5!HsJjj}wO~2`bl?aXQ#?3cKT)&Zg9d3(VN zyJ!1_8Qubwjm!L~(>x0I@BQkkKP3KU?74c!?II%B@wWA&p7}KeQR%&ku>&m^VISZ`=E|E({+R zfalEjSrjDw`vURLigluP%CNeiuhHUj;>FWEM6-f_f0k-EK#0kEQf1t`1 z)%O?PI|RCZrvoq3865}Nc+Z`eOE}S|S78WVM;aacOYPQXmsBou8tmH_WkC+rzUJ9o z3BN}g?Mn3ANnNI61={j`ha1x9_`RFXV`_GMdjsbf{NMIw^b?P0q{lSew4YANWMp); zcs8+dU7e4^M>;J;MiI$Nu(avewNaopeXHvK;X z8J1`IFubi-o=y+^dp3WL>=Z0J7W4EUsfM?o13R|C<@rsAU}xT4p0cWO((Jpwa%EZo zHlKi(cLflkl5_uWxu2Xs7FY)k6@$V| z!O$u{TnQ|HzQ&P9r6i-o;Ofv={;_Ta5{r2UTPv&})FQb3vTjLaIBc`!LtKVLCyQo6 zk42+v;)JqUGp!3%GOyNzooJ`X2;2#o5QLZ?2v+(B9tk&wNf2`6ruyq&=4FDLQVF(@ zL}7?HJ*F{mt`V`PW=WK6H?t=fD}j1BoZ<^Li3nUgK68FmJ(HzJ{YWgdA1a9~0`52) 
z=9Czo+^MV)0RzN*5M~<>@!4uxhZb4t-kviRZlYK% zCeG^(mCiYhD18!-riP>Et>n9ruyTgMdSe06DCOL=0&sLdk1$z_4KqZ%nWZF;Jp5N_ zRo9gx<@b*Ikr>7ulPqLh@v9U=$&w{()d>)s^jZ=V0{&VSfLs3!EmNW%LJYn0(3~n2 zTi9DLS2=T5Em&2-M0d%i-Mo(8gQ6;QDn8(8XIIS^1rM-+HbITOz^lQ%h`k6uEr8<+ z1@#N~Fy-r0t%s+#Jr-6aeW%_K;bF}fh>qSm@Z!}=10j?hQX{il6bm%b3_Ew7P?J#G z2x%o&hVK6*fmgeWj-phi$_g)1mco{2YZVzxO|KgJ7h)F%U!6d-y>Ir2KEbMRKLJBz zQE1t@j#W(AD{6SamR;XUvsNDpQ}TRRsEmcVlGH#sf&Xtxva~O)vw3{drE1HWDG`Gp z%Z}L=Qr3xp@7ay8ExaRlh682Y=ZrST=e&RKe;wD1yl(+sX*ZL$T)}_*hJ$KMhM0Yc z<1Wpj)W5`=g-TEk6%EYmxhC%`M4RWU>!ng3ML4xmqdBQfXk);{QPl|rmyts!ueBWLpenBCFgS2|~sGGX2s0r&x>y zhWFyp5f59TG-dUts(f5i&0%(Tt5g>ax0F+Gfi)UM80FzXJ4-B@+0NS0u#iwWLq?iy z+SH|Cdn|=EXGxQ-ER4W{gszCm|!5?$RkW~+M2MSfYeFtr!Mcm*Rixp7|RxYjDd(|{4XgUMM|MpEKpy4ItW#cGOY?}J{md1_GZps^_ z!rqwQ|4KY+zDc3k-ejWMYegyV^XyKQ>8;ky|p$ z*|ii$EZk*7)I!DPG(FGPS4UjC(ekekf!B3xi)<{NJ+sH7F!wtIHMb4#poJNb6`rq4 zwHy7{&5G%gnj>?5_Ye4soV#9V=`lE)!%$ZW5n3GW@gWIxYOtPQ^QulXA1~#ZIk} z(NKzet7lo!-HZcjbNLovB5nq7&@|EGJ#e$CgWu_Ypp|lD-)gs!mrSqa#!{j3_VuqK zuWrUQPPc8&dqEy!Jx`#1Ba)`t{UAE$>L5+uLwhgXjG+7E4KT9p9l)cI1^^I3VG1@Q zdXw;iS!Uve#*- zhXOoRzY%t6;(WwjeShf1C)pR=Cyf+x{A~hVH!GeyHyu6426xx66oxdkE0@q6y6;ys zZ@c@T7`XbLa~@}D98a-SH}2Cg{pX1A2-`C{&MzAVo!$hO2^K?YB-sMH_FFpFYJfL~ z9M@?fp6!>(KP>(at5~BP_*y>toej0qzmEUpjndF|jSu6{y}lWRVS8`BKUB5oTUS8h zuis{xoMfA?VH{xOb@#LPO)zXVY_m*!{~n;&3$kzfoK3pHpEkHSm2>yG@*YQDkCOTH z*kZ%?AMknHXwmH%{4DA2HZkhFz%zW>?KuVj>c1hsO93;L-wzKF{$T*PNXehkkpS4* zTy}N{BR|@HE-?l+`q2&gwC-wYiB6v%=XJ1%Yfc zods|JMz_qV_n--TApy<~_|ymBx>XLi1M9;t*fINk!4Oe6Xey-p$;3+WXaIN$w7^BceF)>C~+D9=?b%~lmf9RtlV+&BQx(v!rCbhdp zLx52xD}$6m2#R6Uixm`@CQ!1-N(=V##sFb@s}FJ6{*rYpExD(Y?05o)0%r^aKLn_& zV}~D1#ixHT^|d(s=2Q~-Zu67ud@52CFW9dQS`%{I1?{3k#K!oVQ76bTwGX;KFSELh3&Kx@OE-mQ=qfgCf}Am`gfqP4)UMu53<+iB{Sluc-jfE! 
zV@$H{2xk)+o3L0HniNhl2Q{Q#NdJ{_Mrpfp6;aq>&RtGqsd2spu03Y%WTx^5TZ!F@ z#(a4sx>;Y?@^`Y(0p`i=9$31v&q})V8?ySRBA{R#_fhH-5)cmn^j~&iO!c5eP=FdBL@{uNwz64k%}n^uq!*Wg)JfytxuAb zJ9l{pIjCJ=q`+(fo|o`sR$@M?PDmry-eNBh4uL(@=81|=w$U)|b@-cTv6@=Zuj(93 zTF8YvH&Vq3ZoRh|bHrpR$A#IRR--KjBK&Au~N=-;Z|_Ux>^0*}U5S zS4uP*b+g*_+-@LiRmo~R9Xy-<47X_J9cT)qK+BL7HrhOJj+XIV0FyB^$w2a()!Nl`tmG#0O+*3PGfD}294KTUGL=rTP`yO25&B|Cjyloec(OoPtV_Z z&HNkPPmvpq63(A$6dBid8k^+RZT|0fA`OtZ-on?JBj`L%4P;9nHD0#Sv~F)K4%zFS zhOzY7FVmnr*-T-+M}zNjH`@T%z5K0~9==YW42ngXz`yQ)&H>M5OFN3stHuu$FUj2{ zo9e9q1qy&s*Grl~vCA|OMYqd`y~7S{&gUR=3D)70!Png9hI}G=XZuy%@^Xv!ofuDc z-M!pAwSez+T$Y3L1V87;evO;IvCEp=XM#k}-IC1Y%}>SHpVNzi6Le^6M$jZRbSL zwPHX8Be&x^!tuGA=dh)w$F-^=60_dIX2v1tqto@tzN+J7=bN%2Qpqo%gKE|DYvp*& z!3?tEG5esWVR~T1kHmY6`=qmFtqOK}`>3VlviSr-f=>Uj+LJ1mhh0J2&CI%G>%{J5 zfo-Y9ZTo(TRc7ab$k|i*E|o-Yxos)uAOsyp5=hs*`DwytQvGW)&vz^ zRe#!i0~jv+!{cuASiz=_0W&1uc;7+TDvbhP^LKe57Zl7Lv&nr5{?^|ruRjBK{Ab|4 zN(JhzCNIu|tLvzKA21|-hglUOafVqYVJnRMrUG6M-nPim<5&ro>ZQV!4*utKDG->NQtPD_%L4xk&b|AWS4|0oVZ63s@mG6W45!NzSJ zo5Q{o5@NlR99(^p-!vw8K3C+^j&EAd9rJ26NM!+JRoWQeZ>a2yDobSZJefl9abAks zgkwa*%0fAR&ACRIRjO&FnxpPKRX^rJoRh^$m`HC9OqmwPU+^79*Y5??OkF)$Z&Z@g zhgM=2B_>_()F!ANabbQJfF?(EWWDX%4Mkg&zofI?|VKEn{VAp z+(%^LiKH#q{X%RKSWGM5?N$F@UHX=y`h=V3&+l41X(l>&C4Pu;lhHEn$;IAYA@QV+ z_9bZewWKv;%fKmMzFl4f=#q#ZDZT_7qIeDkdz__+Tbul%4FovZta~=T-PeGiJUpi4 z+^An`*${}Dc|xlRW|cM|Lb4(#bJY%0u7m6PSx3LBM)S%=tvpb$n}<=PGWd~NsEDD~ zr$UakTzFU*LuM6RfgQ4c?HYPzl3(E7(9xk8RG@rwJEKf&=fEal#w;@rZBhz#~hb&Ey5!O zN17s8>?%e)l-T2E$hq2n?#`G4Wu&+UwqHwjrlKkbUI~MJxZ;bjMeVAhxB__Wu75Wr zB?^Q~D#%1Aik!k3gNJ3=z~A8YtHAapgUAE*#DLj*rytg$ThT>64Bs7lGiI z4$65g;D0wz-MSH-Bbfe^Yo5Xs1zS=ui?5?1p&C77k;Nk)O!%R2KqRMJyk$mUs1jzE zqXeNq?R?JyB#KSlUZp-MKH~wjgS-S2{;Ov@<{iG7bM^rT=mpx;Wi*SkaWMG_kDx)L zv0g4C!YTv5SCPD|n!+*W*>#dCWx*rv4cnJ3X);*Z!Ktv267R!po774c6oTQ>R_A zRmxg2xyDvonbe&ne+B-d9-`hD^fGJBRs9E?O>|FcEH8x#=289E{LVa@#}Tsf370v( z3_0hCEcNljEhK~M%NVF(c{L^HXVFeEA3bkP&{X>q;LMLO$a~?wWIuwu_iMAfzX_p| 
z_R~GCeJLaiKF%(ZacPvpBDY~iCW1x2zjGPul`mv*F}G+4NUnvoc$TcydWp>D?3}Te z*qwR8)0}ID_9Wwow;|gi^24A_M8DdbR~;Tthe#wQq{+hS|oxcoC+k-$=hsW9dJ zVZKFtf4w1!^8Sp|XI%4QuL;P><9F)KM*Cj) zJjn!~(Pe`8)OhCHtMaZEL;MuS`%Z>*3;TsmyPOq$54M>zjZzJ21>Us|^9R!k z5_K6JMVa$8I-PHi&;Va(N}xj!##U4ArHo*Ex#f@LIo!hps$OMu$6h}3aPGV?>r=na(;60g^xJGh`gL0sPWj*OQFYMf`C02=#yQit1$} zYX2IKp8id`(3&unzKo--EM$kmfK>6OYcPi=n1JC8TjnnvqL`ElMl2D+2v1=u@Kxln z$;zdh3a?bP;ImQo9 z&wF1l@F0xDW|I-CSIK_QC2W;M8UIX&a(Gcm9K?4{+I5E(BQdPthz~`%aPuMGjf-b>zo3YG%>J|-fDvA(H(wOBsuxGkzvbegw>~S@ zM9WTwQx~eA*5gK=XzEi|AZb#pugU9I4++-GMt8bP?RO7IXA-*BfH+)mv z}*#K3Jp!Sagu8La^3DOpkeVllsx)_2P<zE} z0u7fIsb7=zd0NjbIQ|5T&jbX3=bAUfKfb{L!LzmRos(a)-7=eyS05=hKg!ESElu}l z?fb89=l+w(|CD?hVG2uu4b--sJ^gb9{82de;RU>X+&M5t8WIc%bogI~2|Tzv!h{jp zUiX;te(cn5WX>?OnwwoMVRS!S;@uGNeU3+22-L1GZ{R-c2f1(Ye7(sNbzPg?*lHKz z3w%|ny=dQ#gtd+=r&Abkom|A>{=SLXb=`p0uy3pUnSew4x63n|69j;%q?5az9fdCA zscWl>>$V{|jS!hj&#!FwNj(kT=j~1M8h)n*XN&E+jg^+K;hHp0i-V@T@tUUjIS!>7 zT1)`>jID219&U!`$>6v%#|{5Y?4n`H3%$No9oaN@wexVZ^G_OK?i)csXW{F+t7Ypd0p3#7&7?&zQwTb@fnlp7TKmgSvxq^|N5BlzsDGE;A`9xV9KQf z^m}we+kIML&Wz0E(Cu&(Lkdwte&0KknBkuSYN6?;z8Ch`RT226|Q@7Tun z2awet+Yu`vS^Rlj=Ry4|HR}b9Pf9yJ=Pys^3i>|?7sr=8)$P}V2nzwXruJsLQ8|O9}zCg79~cXWD0W^TPC>|Kxav)%v6^j-FmD{+Zx? 
zEMf%ADz|M;#a~8!7Cs;VA@f)ux(4#FNz_IZGieGKnvxVk-B-Rxhn<6cVfO4-G)nX0 z#@DohdO2>&jDX4slxqe-Ny9UI8y!anA}vQAA(7<}XbHfZ1+NTbebi_-g2lg#8pqV4 zm=Fap(^ExrLfXTGPUP9(#n?E7VPRHpda>Fa}evAI^kOSbHR$ zaUV7(k%buF*>?~A*Tym6vQeu>@bzHpH0oCJmvMnk%U3~U`cK+Wk#6z1DVFrfn(@hb z5a9aL)-ExQ9Y^igeJTtZW4DED@=;)1XHBw7&h3KiHg8BJ>>tE9M;-Bu#XJ#8j5w}Q z#G*a%=v%3Q+U4?Wx=UgC89S3GY;d@T>r362LQI6pP0}MPBgN7dyk*R1?vXjVb-{ro zEcS{-s{K$yLnEnN2Qa0@DX1RJo@p*a*~5RLXAQ ze+^2bD#3p0u`bbmDoNpgR$cI;)&pv^=$oQ(U`pV(_6gWp;UQ6hLYp?ntzSpSnhR zMT6UtXbo3>Y&65Mnl8Sa`*?&=DO;qWuv+UuSu7W#&(5iZcXU-yLRbmn%FM{o3(9Vp zRHsA|&Cc_M7keh)hZ*|rn#+OREK=O*xUR@?*CVZ_V9fl=UPV56GN;y?lxZWBXa})) zg_v>`V`RiBdGy)BP%wOXmh6Fwdr|r&zgFKGS)Kik>U9d%dPyyI>r^e->MAu*^}@U_63Zsas(fJd<>oN?+x8$%jhuuS?Tp-=lo0sNjf!sT4S zD!4XuK4l0TwLeXt2mFY+h zby2&0wwt&`S!u%$FB$8O)}2G;^gku!k!Rb>#>>_)6pSH3R#KxPF^`hU&Yz9yvtGtB zQlDeJQaVQTqTv4KwA9E%X377kGWUX8FBIP^7#~#3&ZlDs$`5k^58SsUNLc-4tr0I= ze15d(#9^XZDumvo*aGa`o>8c+=TXQ8aakJzcmI}f!%oQv#LY@HXC=1K)Kjb#oZDKZ zAla}c0Jso~d3nmup89}&66h_-eK`J2l5zb2S3w6ROyzRikPVC#&{8`*iNEEElOAyULBi`tW3Ke*A~!s4;EnNV|L> zI*NT0WkPn9X+6lW7;08e6dbCUjFl}L!H4}yy)JaU zPgWw%q8SP#*>@2K1FBsR69VX^m_1!i?n!v*gl4}MF3u@iT?IR}+J>7qVf7zN128G+ zaJ?IF2yUP7|KaKzgDZiWZ6})8_QVq#6Wg|J+qN;WZQHhOPOKAK=jD6v-gm2R?W+FK zKX-Li*Xr)I)`JAK%;AQzf~6pTZv{B0QdR1?LyNFhu`Edor{_*Z2FeL`L{Skfgjt7e zZrQ_M9QJ%k55|RyZc%#5B5@MLH38Pm*%Ya1?&N>+BM4L~`6d33L;}(cbfg;Pijaga z7Rc2`(qdJ^38HGwz1-HtxIfoK{l)KKjUt12uRfP z<2yNuoJL9+_(AiQ>-6kwM(fWhCJ<9X`0 znElv`&-Yt+xy?k}xEFuQ+m|i9?f{H`#HD_|Np>ejKVI=1zMjN-oX>UoGPdV*JQTRJ ztltjs^|S&@c6sjigm!sv#>i4M0dD;SnBI?R6RiR0^j`NpBr#|C%`PpQoU7_^Q3XI|pPi z#9wOE>v*+W%k{EebS;oRJ1boR{__8*zu&dggVceR;#Xd^b zbB?bTzH#8hMiA_+kW*ElL;VSXdk@O1Swvlnj@;{eytw^cu3t{G@vWwmlj1yiEgOxY zNkzu$Sw&=seP#JWQP`7#jud+fOVL8Y*%EuMnHXD%0}J^qor&!)Y!?fG@N&2{Q_wGb zgb(ZGzgfy`Cy!eEK2@b;}WbuQdIsN?eFUbAt8%o9vhnDkH9djP}yXm-|UZHuNcB_7OR(5DW7A>8;NUInl zio+^VMHB^x<5?nAVK1r#GKP-IdlVQ8Jt2+RRB|hb?Y}|cSzIvRB3!6@?hq0wV`$sj zFQFR7;F( z5P}A&H;5oar0gVqm{Wy6%dyBJ%Mg^JsH^A3!dtZ?3H5|!Mm|mhuE~Z%fWyC{^+Fb< 
zpN&xHGGLa%C5{I5`O!-L2m_QoOxQ=FJSphLJ0Ob)T-n|jz}zjtpH1?tH*S<{n9bEA z6h&)5EkHltg7!S1)Um@gU_zW?v){=@bd2+G&ZjRDeCw&^{K|q?ANE90hR^h|lAEIE(3`={p>utBC@ zF4+nqF{52Hr;9Kip=lt#v{k1n3iH@TJ4TCYkTTZYc%#-aAew?#MI^P;WlEs`6%hNS zWxx}TC;rGNdqPP9wh|nUzbBs3*QL!&Xbh?2q50JAm9z$negXGTI9++Dva2B%3(SbFf5E`b7YuL_Dr|v`CwB@a$5($6Aq-w{d5^dP*SW-&0U| zI!TpAKIkx#;MfV$GBpRdh^bH-6)z2sjEUwZZj_;< z%Zy;a%G74GHY4Q9QG{ahB;BFf@KzgJAT%u91s zYL+NZQ-xWY^K=oO#w_3gHnS7l9q^m);2|B8??s$ZCF{q^P&OYlOFc^A$az{S-y92v(8=M*IZ`(QIFe3KVM^fa;lf- z{rhU{)1TrMt4jin0-j;op~jSq=}EdVTv`+*e)_QP*(WC12zw*~-*-uxMMXn)STp9`l{u ztOU{jxjvI+-Z*5ZCTtzJ`rz5zehM?8QwN09@;X7(?=Vr!?%uNR&dKrJ9Np!4ykxaJ zY+>&-zkglb;J0dCcC%`a4Y^18fGqcPj*`CQ%cPWD=oY{nRyBya*i z_qxBea&g-q(yiv)bdRRIf3@ItH4KSVe(Y~_+Y%DE4=mi>cCxO;?C_Ys9pYRuaf$S{ zC%(Pi?apZ5o?B_vx}H(CQ(N8BX~b9? z%2A_99HQ0sa@NCigm|0%ay*jvjJ!eDR!~pv!9$AACg%CVlnSj1da7ocR3}a!EjtJz z88mRZ7Di}cMb^Lw5XlqjBi}?PCKrwiE|-QXQO(L|4HMg~f?p^HQh8Uzsw~-p>fMWb z4;9P_n!E<9_FOY{KM-O!g_5y{Fqrx-!0L5c^SyD)5j$`KEhzaW6qkPjLYKYCmOdT1 zaL)@4m+C9D6zfBEA*jqpCsZ!vr`0I{Jjhv}J0RofzJ@Wa`x|AW4AVkgoN~(?uQvYU5v<-yy=&C$K z|JxL4BTLW!sXStDN@vu8mg)RWp3G{e@}`-nhKn}NKg-!bN2IN4Icc)26i}{Z zT*VN@AISLCRsBr{LGlt$eUyFDG#m_~SYS_vB85yE3+jtdvAV>e5FKDM!;&;$gyMh$XYyMdl(# zn!B_OaKL}6vQcJ?Q-_3BBBK0~Dm+%litP`jd{?j}c9R@06ZXUS8l<_z7M_T?o+bl~E{>X|H^p{gDG^3T-i#uuPaf%sH z2e2uMi2*19$BX#g3^>eX0cOk$O4CQ3lIZ3E;beT|h;tQ!Buiy( zMWaF6Z^Ta&2-|J2dd1ch08cDIEFQ{y1}2mbtKqm?10@oh+W~;Focb7N;*L=YfTdLI zz*psRXDzm}W-P`g4sk7aHi&$Dk5@SA{GAs!7&sfH!@l?x4-98g`z(63n+y9e`?v9; z{*{>N>-_D#a|j9k!F+;@U$l2Z87e(k?d&rJkz>M$-pqSHB&$l8idU4;R5%j8=+3ZN zuI%5!eQWi|GI~thy=|(jRb?*Bg+-hc{Y$)LmvCG;^y*PK@b<+Z?gHC+ZGeibf)cl5 zTGD@`H98>GvQlSwWZSlQ!v+(cReZBBBA}3UEIlozD(zT7xZ?Z~#jtQW9S2v4JWB_v zG6{Z+R{CeixiIkpNFqGoe2R@mJwX-9k%%PURFsaHl7-8Hm_!O2jR7)3CJIxYtYDKM ztpcpQ416WDBkAmA(D5&Aar_3yL^LBp(?X6|QkY98(Gpfg1#~_YV>*sXMNwPN?~=Zi zsZX7s;WQ`F(T+mrt=QN&C#(TwiK0>!Ys!=3oOF^L3GDxC&;CJ(fJL%LPYMh$d-ux~ z^G*U@`p!JH)BgYxEnsDh*#CV&`+)o+z9ambXYcqAt!;L|&$lPCc?NRT#`UZtdqe5H 
zwrBYzP^@IrwsFrt@!9?A{o>2B9kAo;*w0+8#pbj1c}v8nYw2+C(Y&kS!+9p*wbk*= z%#P;vQSLEoGFq(ma#q~?zNi$J)ASiMK?iB#sCqqN>fP7HCAB*1XL%;IJ4@Lso3raT z)!ij?)|pA`ei4(3$#szR+yW=(LpyxkG0qwFX`lTW*Jg!M)v*;7^NFx|mN(&|_ZWma z!+ly1cDpUN)9#MN=lK9w#eZxO{Vb3nwCsL*Timn(I-bA%3BpD2x_j@m{<;JUTfgAu z_~YmO?1jnKJ1A2bW~Ep6`WU6Q%k4eAb?tUF^$FtZH|+O0B9jwH*L6^QH-BRL^3*U| zn%iwZ%=P>7;v#+$!0onk4|D($UJtnB>fRda-(LIFO=4VUIRQB7$DC#vb-x}x39_@? zit0Z+xV{XpOt1BrwD-p^5Ok0C8+q5xKAKy5{r}jNU-Ja?dfpqocQuS$jI{T9KIY}t zwq-x;QFoKAW#{sIj{hNe*>2YBxJ2-Lx2cX{>$>ZD)w9^j!+7!p7>;WyI;Z+z`F)IQ zt!O%ZS-CCmtUnE~*zbfibGdO}4Q)SbJypZGA{ql4SG_j3(YtO>XQkM)o|T?Yy!3iL z_qK|AU2B}5W@G=V2JHxE+u_@<(O>%>fF0jZyi&(;`)}w{Wc(z!pCXYploI(uVsuA2Up-hVckqt51;9R(nMZlP4Fn((W8aL znyEID`@uwz3fTcF;Prjf`3rgLAShh}EFbCAd(bokO+MRz1rrA}wD&A7+bog^Tg8&(fAKVJi?ZoWoIeJiN^|Fd6nx)cPhDK!aLRTw>CCjEZVn+dqA;I4 z^~wc~7t+MZW5xxb*nUO5_}A3A+LPK^1{uqK!kIyligL@CTaFgikjW4oWJ=u@gn6(; z2&*_He%30nV<%BXqgB+WVpMXOA6I2uec%VOEeuBa%CE>!$#T`!oxlUxtjOFXAr$x;?2|m;WRV~9BlpKo%p712DMwx zp*pT(9^y=b*8WIiO@zZou@GxMe78lP>`Ey9#yyEMrXBHrk!b_3*5rEhCPHkjbDG*l z;53u)osNuJcU-h)g3o^hzumj#aaX{>lI4X!rg(#Yhfn#BK;2ha$_D%tYUljWdjc9z zZKLUB1IT>G{CMkAUm*V9Fu*BXyw_xm<0fj zBOMP2WMZ8n*DO}9mKqm!#&)J+cdX+ex~Nv&#%@rD1wCht#fe&nIVdR=s32+)p|^xP zYsdg3h?gr^jtrG$H#vsj<=Sn0Q?w_WOqV8fD(o0^wLtI6s}4`R7wMrn$0?gFe&KMg zp1#eMP00S#S5xi$z40sjO}=E%LMEJMQ=k*Y5GCEA;sR6>tyzRy$F?ODnEAy=+tC{j zEE)sO14}g?6@Nt94{=QTV-H6`v6%dM$g@*jZ@VnF?#{4m9j$^(k3oru=1!gTWUSh^ zz@>?kN)HS=BFkfqzER-X&aX@=i1C?C^2E88)|6C>K8G{nU~N^xdZ=`ftHvtJ8e*-~ z{8u#77vgm0TMkQlhNAH-2yZfBsdcaIGX$4kaxj+^MZsGx9-Ru~)t#VmiSsY12{gu1 zm5HQ%hu|JVr!JsL1GgE+H@cXK$fnt=PyyY>1=lzittZbR$*AC*V03~bM zLcwNURzTb|O(GqCe+xo;Pzu>Yh$8Ri;6eDIpbD~KQLx*(Zy}h`!<58ntOOXDW;ZD$ z<}HCp>%5_Ap$B{(1CK>=;Fj_wtEe%P3wdLeS<2&7LypD@^Q5P##;o;+Pajr*H_tq{NYStQS$#(?4{k*m+;nyBsWW0X#fW9Cu6gLN{skLkd1n|((q-g>*U zjn4e*HV;%5Km?G%b z?!GH7tj*HvKHN0pZlC`!@pDhV|FWZx*PB#sBHU$wQpFQQ)ONbg;p%p}`a5m1D*?Qk zfhFvCDlYtZK;`S1>;=QGexE+3o#gu>cY1NtUC>+i9?uMoxJ_*vUumgT+n-vBzw=G|jp4HMHFc~6V6qYL+;+bcavQYY!M+%b 
zdK^90{&51kFm#?dpBjYhX?lv%;&};@aeGGm;~6$d$oqPRo5AH+yXA9s9Oq}hL$X6= z)!lGGrsnhBZY`o)+qGqiXbVPoS@li_tqt7!$LDqZF+X|rM~%DjKof9H0Nd+(UGg-) zTh!CCzuC)uag+Ob7~&>qX5+SNL!aQ<=I!yX;vhb`hVyw3v2FBT3(sp_K|f%f?7485 zea&FCJ#JxB)JXi5QdA}AEhxOtx_3k3N>^COOFnR`aO}cqoorzs$XszgaFYud2 z^ABaXC?B*^CTWHE!tYRI9%xLVJw4I%89K8Ef}utGV>n$Qg|;xAz)l$OkAs-A(6Vr= z{NWckiMXq&7NnJJ@p7pT&!j)qx@{DC%_>n<&Y__WMxNNTFwWmqKM3oaZvaP2JZ0)zk z!Uk-odn32Y#v()Q$rfc=jF7dW*@P{L68qcySg{u%2RaF2`B)PqsphzuchbyC5RvvB zqF3FxNtqri<6Dc&Zsd+dE%Cw@ePt9C65>p}cqnl7tpCS3Nq5O)kayG*9@W5S{ifC5 z7+cwN$~e=HNQlr7zxjbgi*wYmCligcC#)p8p*3OW1CamX0-Rnlz%Zo)vhgn}FCw&q;$4ZGg~-=fGqUt}`BDHJtLUg;3$ zbVRp<)J47w;xy_4L)xL#IT|(Fp)z)c#=fJgB0?D*r=@bDqyJ-@=<4s3tx$k;D1V35 zP+~_hk_(;M9>uTS%I|Uut&m58V|e*o*7|i={BfNew2?+Y)KvkEqn&NKnVWY!)u%qE{=&rx^iZt3 z=r1cgQWPg`h1O4WXDSb04uz}~ZX`(|)_xq0-2Cbe?(j#L}xY{;a(7sNR zcEt3zC1N1^N$)2Z@O3vGn9>Zxn4wZ(d)U0qJMa)wvRYkE!k@&*mUuRu1X zxLEtJEnqFA7$Z-@k~k1rPQ)pQgvJEz4ytd!hHf#3T;TPW$Hd0m-Erz72qAsPd zHWP%WvMVRb0nXwBmQA3!1~QE^C;84EOppMo%Mw<}9c3`}p8re~Nm;zJM`P$}IG$QS zCQjnR)`&C@8_R-AY34PWle}nPovWIdx!I2a!@vOp+*x#-LFheco))kT)Zck&Z2z8u z+l*wmF7p&<&WxPr_94Foe0k`R-Zdj2&_QTOeIN|6TUPX^DdGK-0@YwIe~k|#T-GI; z29Z!FN|Z1Wa|Q)SJyoP^%6p<$^4`maSMTAdjob?`hfx-qa#X@*n20o1nWvynHxy{7 zKKT98kLK@<|A5Q}0DTB<6~3ItMcuZZAigQpp@IwoG)c1`QeQ#7-^bw*#H0}eFJ>7) zR|Thb6}fIq57W3^cEmQad^t+sxU)^K&J&4#P?M{Ruvxx^6LG+hu3-o+iofp#J$eVp8nWb#s4aa;xkE zVf%WF%hz>C)QivIkmp+d+EOQ^Zfl;2lLutdf7_%pS9Dd&?K$vAY!WqeD4>>{th)} zYRlG9e(5YbJM_@o1fMvdYkgmeKuP1PRIB!50%pE72e|!j?%=bL{^PMxuB&rncprnW zYq8@JXml;xM^HL39DoQ16)cnFlV}o8CZ5=2fg+kxB$2^3y;5>Eu)$`N=q!=Z3?B|Q zhEU+&2h}jnfC-{uf-DkmBL5_Vk)UH7?}N*q;wN_GiQbm#@I}1!p6$_-&a0Q}ddEs} zJ^rWnn&n4_Wtsjq4rse2-;r zf}GuwDQSc&3exGQgOGpm50UC1)i({-VdOUaPKAGDkb@2= zk?yFu$ZO|j!oz@lLvs7n9cQifrKL@9?u#zDC&IzHuenla7tN1I{e}8yUZ(A@GBq zAiNnA8yCvW-<$;bOltJdVB=KCBLymm6`>Iei?SsAAG#?pP&>FO!rZ3I*3Ew|7s%Fs zBTfH?2y!s)Lt8;T&6Kheb>pK9}Odi21P=)pFH6+CYU7>mZbTuS->M9 znhi=Zzi2Bc{W~3Vx&S4meg{fXSm@!8{1MdbK_QAjW|;vpIr!Y4R)XIe$`pqKbvplw 
z3`kj1uj)(Tp>}IoIV7!@v)PC(@QUi&mTjPI-ST7&h(*-2a zk~BI1xyP9B4TePmR^gvO1bzQA6CeX`P;E1PZb70 zbXGVPFCz%-efDd7H*mdS9QyLJn!a(m;G1OH`X~j4Pbvb%@bZ3(mI&f0|0qbZ4cxXh zIhF1F6PxB^E#9isgtI4&#g)w_hM@&AEo1~=5NsJOcfe1+OIxW)yeNRb3*wB+5^UUE z21hb`wSg7#=uLmY%UL3eIfX1LwFVsajs-5TA#zJy&z(Qh*i`^KhSN$QqXL| zu-ZxloKJqAG{GDNPo>s4PdPzNsPss#!y^$Y%onDj zV$axxu`0zuuyK%c+Ul@nCkFsca$uhVl?KtEO*_jO(z<;Y%>-%Ixh#0^|h5W+h*P zr3<{5d~w~?MLkJ)fPfAsEc#&rQNWMI9vSnXzB>0M-bPEzmV{u~SZZZphg&2btLD*>Fa z^LTeRs(uWR-yLFgHDb8$UAi<0A;J`{ZXD>SwgbsLo(?W_1$7@{d~$m~^I~j2#s$L2 zXMGmm5xng?v&6In98 zcC%djQ;WG<2U)Z&-2493Pg;-g7Sl48Kuh2{FYq0;y1RWnCM>qY>Cpz&tTRsM@iO4z z>t9aw@z52}7##vVC^uC4F^cThk_d$--xXslT;OH}! zhm{imVzdm8_$y7Vw~)7E5%C1jKG@p)h)P}E`Hb;ZabMJq;PQaH`^Njq;&%Jq-_ht> zL*R(kv9cKidCg%mi0bRUYE;|xHY%0-P3M}<HENUTcOB9w`vRKgtv_Ci@Ud9+ty_-oK2DxlvFo{KXfjV;shzp~ z+K@}&!TbWq?s-^!0opwg9+EuyNzD!cmdz7ty?hQ@#F_g=-aNw(67@objq{F+!aa#rtwUADbj|PHCxEl$H`xso`f!0QrMzPlD}9Q>lqBHED^dV zO;+llu8M3-fhesB24soABv8{tdk#e*U}Zc>_hzl_TG%p?(OmczyEJpUxHI}62!8hD zni0$~Sq_#1N%4rh2l9Ns>)g0M2Zo{nLJU~9!ALs4c(gHA1LL+F64=}=esc_C&D`nF=s)?mseqRZKXs!@Ba)o6_=^NyUk&<&O{`Fq4GY)=gL&cI3mm!rUB@GLc-!EYrimv5XxA z7cDYF9&zTU=Y*!G5IZK1_#SdUOCQ{bTrY!YNpm!$KB9n!1>dzrvuOWq1f`Mk#`mhO z=8*ZX@a|#5ILTqcH6%E_LQ03^XJ_`9^-Eyc#%zGNGsSRj+3;bVwtKuIip1?YxJ3N-`EhOj}VhL+jLWu2`46{p&oUa zFU#rihKNFNga5kJiwmV=XpC`abqP@p%3X>?+h;)veXs$jP;=UalFDK^g=pd&b&F`- zk_mkI1ZF6RDkzHgoLELit-p;{9T#ANK@VH2$+$EVo4wYVM3Ej&Vn~`FwO-dwwH=N+ zDx0Yy{Y-O5!VCnoH6#{$EpYv<&rdkumUqTak?>` z9rR6kEZ*p)3uj}@&5sntI0}WGf=7S^r_-tyaKc!`g5jx5bB+=Fgo^UcC_ zvgHgKgw6_;3D@BGb+Dut)1)h+Rno*QQNI=>T(lhHFUcBSE3(AZP^-tW_6t-;TD~@i z$FRXN81w!o0Gr_j>L1J&{7hGXyva`nKo7TTp!z@NJw9QkWWmz7Ik`Q)vu`2pm+y=O zl*l4@g6PfBZSDy>r)7aIaPWGkd*8+^yZwE5bE?B|xUlx~X!ynBUUu{4Ar-T>eJ|VT z>Elt!-Q(h(UB1`pl)Z*$zpYencTeY`=0@#uV5l{8YNaukD!a6cLR}64f$ODC&6m&P z^YxnNy=#KkZJ#KUo_pQH9bi8#6+`G_VH5#8I)t_WO0nBmPmWAH6X4N%I>#)gQ`fZ9 zH=hFVdy{y+1v+dNu63Lr%I&Tl*3+r|sCRdc0FSd=E}2d}7PQ=#2|DA|gzm@Ba#gR( zgDqPpSs|79uM1a*Gwex#ou9rSx754C!>PRQ$ug?EPh7@R+P)e%TW2MS0nC0r!`07U 
z#}j-2zl;9W-M8XxjH-@>)>&Lr9&a+NWF*Klfum zEx=pcE;AK@GP`3G#H_Xrs7ldwKR9f+Teog&c3Jn*f3MqlaVHhWIq5s^@e*ky@0#j>>+;HM zkL$U)jGAd21*~|y!hY|Y8$KoDavYBexx9BfZW7+RFI-=5D`p8BPCyW!5WP9O&uWr$ z={YYZGU>SY#7<^6eNOmvzD_-?dK(72HYDY3Z^7PCqgLDYRxjvZ@3Q5%pNCy`I)8z9 zO6@e;a&~qe9EV+X9T2=<_ntozI1I!B4eY!gxx5;w;yzfvfL@;z&}6_UU?1}HwOgbsFK8fa;$ z42zsf-BKRRVJ1uUvJ^HL3~4(JbJ@{|2{~mPLlaI?+rKv6^G-m^bTsWG*&y_gN0H9V zAyP|$8Vb+Pv3nRA7bG%jBkAV7?Q3RiNokr9!bf_Fn+tC#3^LQO26Q4pRl zF_o7#&rspH3L7NG1H&GsDdKQ7SL>Eu2;KT4`;GNjp+nmPn} z=X{!Jg#O1P`MaDFuo_PmdC~u(>&xR%{Z@;|^WBdCkmsJ9ke;W4J150=1SP zfZ4#xhl7t-dvu*}K=U4RD5tUcA@Cz^)5Q8vE_?%ucHbv=X~VQ-d$Op}R;PuCSE;hy zJ+Ux)piT-yQOb>9+6yl#IL3e@5QJFgypnsz?$6NgnODVLHGAo>L52n0;ifdGKZt(M7;FFLMrJ+1-6IlHk05oS&(Ub)W zL}y95`U7p9+To5swe!hr81=uSCHB7h$o*V3$r{|#ay{(G^=lr8xy@U)o3 z$v-Gaf~YB*W8aYOz>5Dj`v8lOdCVEv6)8zO(lfP$G^=-~B9>|thlon0q=a2$u_gIF zrS8Z(nFLt}bi#acaMq8K?x`c;B2iW=Mggnu{XRKv3b|F<=|h1+uSx8EaT|I>OWtdX zsDDPLRJ*Q&`aRWjC?C8eZHH4}#ZR59p0_Vayx`nnLyk`27*X~l+t4_T;NA4Tk9)6q$gZ62wmAtprf(;6@G5q@`b3nO@i^&8RMmKIp|AEi!R_6= zEqmPQc39rGk&`UVdQz>8!oLsMe!rL1(Q>yK98!?Odsg2U<5MGfEvn`7i?924J5YP| z?I*b91VmNqi>vN>(Yc4E=vJzv$=h9k_N4X;!;Q=IdC7kUHr)f1KC&a4>Du6Q^s{a^ zoG5fYm+W$oDmr-{w<+8_vA@RE=(ud&-<>eI-SqsHC;p7~I+$D?8TH-`v8}wjGoa+Z}YhBGX-8YfUlU66~ z6tXpN?0S_;b86o2TdP-YPEm6~bnZ99c0^je+re^~oxtjW*2B@+db{njrNr7@yH2B( zY`39%K=uysZBwq-^DvGe@SDTEz0u3*@m%T){Dh6|vAn{Vjnm`#t$uq(X6O4JYiH|p z6|ve4qtmh3^31-|ZpraF4ah|7Z8+z8Wu|Aa-L*0KQ+`=@hP$UleeE$L(*1&4n_UMm zh|6uK&hZH2@x3D0<+|>+Lfmrw0`!B(T^ZQ=9`M#q^Bh#j+>+$@xv!wE>U^F;%XK>r zawZE2xH%wn?d?tXW`X*)zaQDo1!GSAabIp^^RmqiqW7(^pUqDtjI_~O1I({P`K{G@ z^%MGjOh1P&(xs&0ef|d<&j1DZ2K-F#`1q2aww}jK@GdHQYPum_lF=8yVPHyzpdzKQDyKAGIF zZnsWu>wJ;ez&dU+noOsR*MOgO+SaU#hOI*%gOR0L&mqnV!kj%2Qnx7ebJ)4lxa<*x zzF1mag%k%{Fi|#TauB=9qEOng>QTP~!Oge`mQ7+y%^?}*2T2Ixus2n1;%_cQqiO}P z7ETHETw%%{Ig@Q)M^3)WKLR1;{Ggn%85?zqw1zm9M}jTY(f(zUtN7b2TE-!)Rk!{& z%@o!>KkHSz=L#$HbL>TjT_un!9Ide6I@1*u=CiWMafGrdKB2@RQ<}ZM202kRC(u5m 
z^*K<=VjICo23z*#4z%#2DbekfXxow{iLKTm1Ef4tQXyFB=*Fg|}z>#XfCW_@MIl+Mk=PbFHQp!QyFp$dHzmK#@3IdXj z`~yW->5lxETzsg}VP0$@f;{bqPh&FKur_7cxgy_~A|<&>kqv2ozwY8 zm}R-!7{M(yv0@Z~=kMOzR!qe9_Kq~kQi^P2s&NAb#P<98FiZdM?mMoLeK(YiR#^d= zCMtJu7&x8oW5%yuA#ckH^QVF$bWpH!p2`7+(c(tGlBhF@;kJ^OlTQ4!P8IIFK$mU7 zU&aL`Xxtd*u%H0jEWU((@zFZwa12dRf7J5y6o=DzVq5`NXal=tKH;wF;Px$ewXa75 z?8Ub>+rHrMu2izz)=*46 zLeiUwr()5CFqnXgl&Dr2jasmC~Gpcmf)5dP9qhZ zbbc0Ws>n?&E7N>E=M8}3qG(|7j(uhtBISzy#w;;qnOV7S0!A0NQfs_$%yXXU%vop| z>km%fvLS%`-1XPVmz_;O%r`W?BYcT7R5)~eN5oGgzWH`Ne~$ASq_pRfm4<|*qYXzM zQ6jTo0EdILIZA7THpKSSr*{60=I|$82ZsU>8x_Iht#}qyQmRQCTj@~E_-7pafQ^YK zq53m<$*;}hz2LDgUZyU@@O)M${qKj$m@Pl1mYroF8&G% zYU{*{QQjKeLAv73e8C-3&7F6~<%r8)OU8yvi(&`$nlk7vw8c8BH8M;JN27dtLD9eq zr*Mj8ksle9pezU6%rngY6@Z<%frc+;bAAhRQ`dfeRDi*+#NLOD#{cx)Kxonk+0H?V za$wN+`;`jpa6AIiXfs{6fkk(##gcrsUoFF~taaL1zfa&G5-{-f&IYQb zUi!%a^J}-?|F%luXj8X88d%wJKA+{bemVDfy6yCizh>?~^Of+rUKIK6Rl4n{ZBRQ5 zK25RjxTjO)bU(qAI-b_|{yDo_UJ_dAToku?&i1kWjRjf{Z~oAdsN;U*X7i` zT*LEGO5vu)ZBz)qN&x5>5YRufg7x(}$bvXY(Y-&pY}PPPFWYam4s}-vRy!W%JLP%~i`*i(c7feF zevb*emmh(Q6i&vE{ac~>7dNTJ=rx?dy~exK$JHu5CobO8u*oxDquWmX`LGwyn9o{{ zYs0X59eq59bz~ojU){I>-)*Wwt4Pgf(3R8u|oo7hrb-&G>|+LmSN-Cm!g9fE8pgv`xePM7no zAe?8*S9;2*98|)9;99w!TOW^MV7On0-WfYZjbA_8cJBz#uMt?Z06gWpk^TTWZ}1)P zNiy0z@tHam%+>(;7cI!C7GS8Nn6B(xzZ5hH3TY{6!AR1AsVo_HPQoS4s7JAgA|92 z-W>a9%qC@NlN=wf+R8v7vda*Q>lQ^TDT(O#ZNcwc+qxDxE z)Dysy*L%`}McS9s7r4Tm)}R+LsKHwb*-R;M~E2d>Bfy zOy(c4Xqn(!j^!O3J0kdZKz%pfMD&DUt7h6>^z?Smf@JH$HVS4(t_$QON^<+`yMIW< z7YL&FqRpnqKS$)1C`d?i(Wc?{WMHIS8OqF5WUrt_;)23>N>lo9QMm=?hGEQOqa2ba zj0XP?QQs6D3D_n*v6GqDb|#wGwmq?J+nCt4ZQHhO+eY{1`*-)>o4V}N7u}~$)l+X( zyJ29kRfdds$|@pOi?L7W zagwO>(W`IT4Tg0t6Nh0oBpqH@U=IPGklDw#L08T)LlqjdSaE0si^}+`zk8Bk-NW3g zMZN;}6TKOeF_0)JpLo{3EMUn$Z%|FUV(r+jE*chrLL?M3Ly9&AXq0m7^;??-Ku@G9 zTkWG;^iq{snW%iD4RY5|g3KXo2qan(+wWJmTY(S<|KK10QuL6~=Qot6a`RMvOl0IdhE z?d|GPetKgJ`i)yij=@@|%~o6l@KKmZ%$1sHm~H-<2nkz0u%jY|<;yG$3G0Lm%H8Vy zo@5L-h>vFSaN;=d1;eCl^&jZU{9HT{d#iQ7Q_b4Zp}%WfBmBf`b=ZucRMX#jebYfV 
zKG=a{KD&Gl(#R7xe9U8DqKm z2KQFv*|01OAy6mGmAG;Yg)d7l%X4aGZ;Lf_EDhBu{a%!cDD zJyG!66T)!AEyIjdADJyF$D&G$;=+;0RV;@%Fb-P?_6>w*|5EWJ zR+RgmU&D$ttJY4w&)Y^VcS~g!EiC%E<wf|0|1E&;(jE!iOulXw%m|(dY!?7a-=v!cNaGFIU8J}r*eCd;c*D9S zaPlCPPv=(}ynmhf91<&P?x^rMVw%}`9H}VFx&~fP{nK`MKksp~Lu`ND#2BXM>DXmM z`eN|Ta9o$@5JtN6q;5Nb9LNEl&kG!^3*0~MbT-VK{S&*fQhhbJ3tMj2MUm`6!>|S- z++QcPXIRxg#Kl~m;c>Y2cDur@c#D*6;$&*_ z0GcModwB{z<{wUM9JaXidV-M}r~evS9-OQBd^RU8eyzht))tlg&yeVFDj;XG7J zztDSL-g9*HGzeV$yHBr(Vs+Qy@I5M#^E?W-R0G~)h&4pF-wduazovZ5u$4LA_?pm| zTq7kC@O)KmtZW@lU;u2c*knCnKXqEihmdUV*I6!Ri$q4~H_gU8hAR)`w7%+{{cWw9 zw`#V#J|^A8rhM$->3QSl|8~86#*4toc@1>fk}(568DoC+d{2d$RI$=)Xz|(3;H+pp zxVtoo*{p}QpM5LJH4C+q0CqCK2NIwuz|p-j~=3LuNheVJo73SNN3o0VgqCo&)j~9 zNM`tTpz}HQbwY9h^uqt5Ae;9E{3aGqNnY~x_>NmW8MO0%m@&~O{@%F7`NJRil#CUj z-4?t!tI&6qA2Q#!Q9ul)N;?(lol`&JL8PSOkb58uT9I0Lk^C979~!G4#*gay9SBjL zkE+Kr-HRiO)$f`gbHFoCB`ou3z->AtU$TlU$SXy(nvp^BkSQ*<#4GA!f$5Dj%uKHE zrjei1*baR6kyxTFls1elfI29a`HnFE#^5SIWU`27>B_uc@PWLuxQq=0#VkeBv)NDi zSw35rz!81cXkqnZPg2h`E|EVfk6{aunRKDZ!Ajy5GQW6fELq1~<-*)h9^Q`*7em}p zzKUZ@2TsMP>Nu|`RVocd$@aNYpI)N&$U<8Hnk7PoEa^gGiaic|g4jq(8xNFp);XmC zAlF3rWD$TVcM|L$UbJ7AbyWwB%3kp224d^{k$nqYLTv%uT$=tlRaI@CP8o^qrRSJP%jvRH&8*3f@yM7olQZU^tL3kfAy z{<1(^BwWcjm^?Mc#gu3UEjfQ;HBz~}SpL0-3G@=-vZOlLmhqPWM2Svj80KY|UCSxu@qiduXujRM#7{x5<;c0XP3z(H^)Maa{K z{^^n@{?t}Ji7vpjP={8mO9Q@r{~FWCd}2uar5#%Jw|X;8o#~VNW2PRS&G(yizv)(q z(#Yye`?nkz?opFEul_|_r=XK%cAV{Pu)iLNi2uQ%Jx;}*Ht*D~HjFgR&xsbHT3G#Sx6q>bBSfL_r0im}bqNj!#KP90LXK`!trd9sL(i}F8q*`rN&^&#NSxG1~5jx$_4|a7N>DoNbA~YrGD5U>Ff=XJhjZ zZh?FEd$ob1!eG*M3m|5vD+ifFal!IY6N*)3eOe^gZuuC--pjeWzqD zH_(I+8n1ER`TNeUSuC%;e%NW%`h^;`NXnCseAX~c5Kkn`zzTgGZ&0(myyet z?Kwl%a5B?j7uE)Z+@ZYjohakl=E!{7kHFC`t>pgLC%Zaf)oR>ctLb!aEb;c8d%6%k ze!7@+|7eer9gfLhF;M&5%BbLezD-M$y6KYmp!1r#D7vY3v&sWLcrTMydpkGGbDm^1 z?`C_WSJ@BI^tDfcyevUnTsBQKaP`p?`nsNgjlWa{=5*k5;8gNHysi*TdK>R7Y-=&*cB(t5hJ%BaZVAbB|Zx@xi*;)>R zl43dCFBGi+ATAKt^!WgD?;HDF`^$X5_kA?UIWA2oib%Nj)y{lO^P*kQ|F*_XXAW^y zl!Ft^;tcx~_2Q;;FsQ+hGIkh6L!)Wj?77k 
z5Z?3xOhgum5%aWxBB?hO1F4UxgQN_8)buLVby@lbawr%8MLk&R)7(J~^Vx1&@ zMej!cMwl(HBz7L@9|w;UjwnS;h}U&p$4!|sCj$xSh+~>7pPa3x4o3`9tXVl4PO{m? zDC%ceGj}E$b!mVPr7BR49Xq-tEp##%bT~bZEtj5s=Kp?P8lPZ$^rQjLTyQ3#BtDKW z$CW5K?yK(g`GA|4ryQ@-&i)od1DSS8PXoEIvgDV%I<0y@r+`44?9Vb}Czv1W4?`mi zhAe$37AR@<$GkoDF#=5H#x$eU$XS3!0a{C|iM*F#Pt=@+d}cp%ZHR~H>^N)rLvB_X1W?>}x|D{n9Z|T>{(hQF;gHv;E9j$#> zpCRihzjxe@&$VWyjeWgMIOuAL@-F*)|Fw{J>k(N9R^=?z`!7d-o&GMpx8P&~9|qIN za^ix)>zBz+N{eHw$5OV~1+k`n!d*EM6&@Q^R8SaFq!u)k4>&I=YL1Hja3LNCvl<7OOQstwD@DnhaDbJ9_)q`bRR!c5`PJsoYVer`N<}oD^!&k4Bf<}OsHhb`PwT> zT&_|nC_x&B`KCZWhQz?P@_U!1JD|#^yj#9ra;ZG**rvDFs!Oc!jpG>L1K!g7T zg(N@h05f5l%zT%8IUWF{bje?TvBmf#07!`5=nua03-qL6zb2BtJE5!lrjb&6JnsVj zWqZGr06w5DTbG_bY*u^TUTiacZ2^&dymg093ppI8OG?q3U+zAx4mmknbpS;9yHc?u z8CI^ZXFQ$l({#fzHJ}@T#MKke`{>;C4YBJca8|ozd(@hWp8M_jM#qh{W4-9f@PwfL zWiO%WuxVQc&#W@%V?V#7`*y$oaQa{)r{fc2^JbgxOW`eab6W~>#cOXBLadFC!=(!O2VlkX(+1%E5X1W%4p+U1-@Y$r%eeD#ZhiRF zqw!ERT<*Eke0R6^JZ#cHvfG-o^Zq4Mvn}dP^YUP6;?JjJH=$B--iv-QHBQ2NgMq+m`^j)8?g z_DEiQQTTk{_>9F1JtgMSeGn(ofh2Q>^@qShDTF~a*i~`r!FY4>5kFK%lVsO_)Hp1j z2cvkwKANY>ZXoVXnnB`h-5{(7AIGSZ z$7D+Rm5YoBAIl|&WXF^ISz|4qLPf$AH=#BJ>1_N7x5G-$4wY>l$qjQee_VvGvwRvY z1sl;~IHzUL>J_z${!<9FG{~B46}^`fpho*uWamFYLyCB2$yS0RvRk><_I64*~>Vmmvb{r`P z$;$MA3x}X+VX_{l9t)Vk)?nxaB3BgAO=G6RL`k-WAh`1 zgmkQ&Xn}p0xDv1eL&hEXt9i519X2n7vOa)_UOTv_X~Y34|_zEz1bNOdyIc;NCac zy!9;ugmwa8+lE@gkVdS}PwK}Ck3puqxipw}_Cn*%m{SDxW>ToRgt@5XP?1C)gjo}O zP^+ANB`WNhvB^aRP|Ii)~soxDPtB#tEMP$IG-0Yt?y9tj-;?HSgrK#D9 zFtijg+!X9NFDUs$BZRm(oq5Z737>$}{FqSnHZWJ27Ir)@92Y86rsLUAOIngz!5UB@ zLuDpy;u7;O2gF`RNn9rZ{F+3eiuf#1OX=U_BLXT>8lp*)iyS4HcPPr;Ijjs5AyPSM9;w&mD0zr9)6aq|?1$<5OPj+YtV!2}GHI~$P!(7RU6`ij zDmOF=+OB3Is=|O1hFh@gkh*J>k;mDTiJ{@h8p#jzLkrFM_yinB5kVjS0YPR_Jkw}W zvlNB>otNNZ3yue*jp49k74<9U+fRd+L!Z z@Lu(;<^mkK0=|#wA)%;2WO>T(D6dGLNPvWQ_*Xejj;kqXPVY``faC3q&HLW|6s^&X z>rD5{>cr_>Ae^iBXNl&u<0iuJ(F5YznZZ}+7|e+_ummSfWv9(?X%nS}2N3D${#94? 
z{V1&8yQH%IBy&p5SESXmRJZk_9|fQLAq?+P?5YDJt8=HAE$eY(Dmy)c6Ooag-K*o8 z$@a^x>V?kN@9+IqMD@Z!)ruRN^DbErhwD}secR{nn?BbaPsbbQn=YF%;tig|=i|$X zWeu2?6TTLF^==2({g9g~y9qUVjhnZf?f&hi*Rl5~3O2_ko}P8U{yvw_T_AxC=S4Y2 z03Nk1!RNc`#iw~hlI)o7Ym#^Nra?sqQje4d1n zt=-j}V5kj@XxqNRfydunX+N9B$$8siYyd6+nAEntK5HNM@vh-w5dB1^00j8Uiu1?HfcN{S zaXwF@5_-93?*wfi65OWH@r|$g%VL48=WCagZg#`QWt*Kv$r8QxN%eDDRhMUAl`c0u z_w}-EPg5T+-`c}5o+|L&edLtl=A+nc`qFf{V{i6kKIW?Xq|$bUO;8bM#+~is>$`Kb z+H<+OM|_IYQF~Lp^9Bv0=4*BDp$4#6tmWY2t2mRU@h5bEuJT61?M^1ghw?8l$* z4KI4Az!d$3FX0Uwddi{ikdf#M^O#OpyBAf3n7!Brzr0tOfd40rueP^ zM$A5~mBN`aLUM8|WWScBDU>?{TQS=#06~n zOocwOl6Uy1ObgmirD@2?(8h^7)K&abXs@_8D^2r<36dZKSO5~7QMgH@D?!N$ zEtJ%{v7$Y>5O)oQrdM@EUON4Q5-mM5iN^sDj|skHyxC0;94OyDOP zgb5{(@KR0ADjlitBB$p1l2)LIGSP9qFHfE!Mj*A08GCk%mr(@EOnN8#fw9nVavru z(afNd+u8n0;*Z6?uyS~LGod6*RV9W)cmAwk1toiveODo8bt(=L^1QH$*^f)?2 zMZDq!Oe}Pc)A-^~U+oe=&*#a*JMdA{L@09`Un~C0)V?^Q=VN9+6PWze5sfp1IT!w;z?_O~TMVuF64}JwVf{tl)9HCKkopjnW$pY$D ztSXzyj7CwJzwC!giK@(*gCu?gRnzsJ`@~qY5*|Ita_HoD(UmdIk#H1^YF@XlImN3M zta$8Fc%G3WLdMCcRdOyk_TraK7oL%{;)QIh5-wy3e+eUIOwo#stQTC+>5(WNUi5Dd?r8ZoOuEhz0V{{2qII+98Qo>^ro{ZRJ-peTLWPB^ zgZA=c`7?tEc5A96skI?IIwhil(D&wu1(=+&g-Ir9oRJ`5(soHvw;8!fC#Ic%!8xQW z3B3wc*rKr8w83Da!!C~=KqK;Dj_js{BH|TeRs+haR1d9oc^q7X~;~z~{HE0Sv z?V3{~px-5eiQL!+vIIx7^>fQ(_2Ne9wd+xqxMgB*_HtEGN870t(3Qh93yVxLJpTv4 z53phJSIuwra?;~Xd#4U`_lf{q?|=e{2%(9f!wGwWfW14SKq7^p!C$a~-Qhr7Gy++A znW_ZcFfa4vt;-m-j*r0?R$arDC{mR%o6iK^&pWD>&9<9KEKP`qx~lE>rYaLP zWqdDiQ%yc|>4SJunTQynWk^r%S1ycV5*Ra}a1Ja5-Ao_#E*so8v9_xw8N zb-GekjdSqmo>tu6>Wm-cRBn0>`kY@f+D_b-r9LL-c-_uJ?vP$^r+1w9PE+0x2Gnu7 zUhlftGQIE3KWd))q9)Qcubl2=HG95po^!TTvs*Twa}t+LknmtivbeJ!aK8>6#V$Xj zuda)1EBM?GNf2JvJh$2Pw#{#<>ZYRzfVFjIZ{CO;g|0gst4M0!8!dcv_Zax}U9DGh z7X*y92S{=wVlO+bHw$9wEnt@87r4k@H(y?B4@f;8ZAvvwCP4d)w(a>d zr0u^zzbA{BY3*~dne3)#pOH}lE4S6=65TQL*{}??XborJ)^*@Y+8y`Too)Gc6w?V( z0qu16ZPA=-PC7)!$c=-H_?G9`K?+&r$@5yy&UGE0&)2odj^@GkWXy~Y;8U09{jxHK 
zquKVl$1|GGB?&=Ev-@>{#^T?B+NZ$uUXO1dRro#b-@nf`B*{)UhcKK+4zi;9qDIZQ5}U=H^FVcKuyYQJ2L1N0w@6-B(G-DB1}~QwoTx?Nqx_hP%aZ)dQtj`|Kh>}m&!i}t zpmQ4Ip->WAT{6(B*+-GfWbQH)0+S>PCJ&ZcstCt1?iYARh?I3Bxm9X(J+K8XY@mYvwL^5Rh*ip2RU9Y-r= zMMEm)dvhzTC!(c!&?Yj3Gy^uq!htZ+MJqATpv((z7GT~7Lh*XiDX!EUm0@O7#$o9G zgH!C?Qn`VVM|40OWeSUzbfxm9LiM_l8N-q!HX+nJtb7FvB&^z%r;M?I@ECajoQmQ& z!>v(NtUMa{6AC%SrOH z|-6kBF{<kAnr-(5GT4^rfmEYK$D(~ zk=_YzfMCUg*LLlI6I%cnojai6@50p1*N8eiaIEZS-$gEhlF$zUZ)G^8EJQwgtgIX3 z-*{)WU71=b2OvygT#%`YW!Ld zsvrZdI5JH!Kw_zOS-r1}*lcON6y2jzeK?M12ykEe~a>JDw+$7yRDFqQ`O1 zG@BRJ8G)C-FVJt13~3Z~l!zmbUs5DW=~q_8Bx?_@n;_h>`{SR`ly}U~YsRh0467!Z zKbS9Ssyq?3UKM{zIx*0#=i%dQRkut@1;H)2eE->Nn-mY=x0VXd)y|8DB^*HM8^|m( zMb06)P>PWP-$O8?+nI8`w-B_=)9X@3iLzK2v(Srx9sr$J)r(YFN9ZCz?C7o479nZY zsVVGF++0fkYkYo9xun=fdOAo(yoD{XTbukd;H*8@{CE0r{{Mi+pKl^P{3g=VN5Ia? zubjJ_3zKfvlTzDlU+B<&BHRJ0eW_QZd%5qnJh;z){Q96E5~)9W!hxT3UFfd!JR|cF z=uOOFdk86Q5c;~|>Qa*m7o65p1^ z`Tl97?Rbud&VMz&AM2j1Rhcd;J~Mten(z8cYUdNSp8W$8K6b+>x9UYV_^p$9z9BZF zm9Gc$9yMyoZ-;yD)GK5@JzO1I#Vb3_3mqjqwbxkazWXW|m8MSJzR`N66rBX^6V^v5 zVPh@c`1uzoPtj(ZdQ{lRtHkSijb;i+#0w8nQA%3hIui(9n z(s&a5c}elW6Hb0+J^H`%9MSarVv}BU>-`Qwx zU2oYTstCOBwsODtH<hIzaoRV6Z^n0ADjS#@SBV{WXjWU99&y39 zzyCV3dQt#w-X_A7|B%qg2r~MM>uIhK6O@d_3l}aRbP=XVvWa71B60B-?$I#5+GP@2 zUu8+f>f!>ghNz{_zv^anjW`gRG`kS5WZJgqaa1KyMor{+$+{@gPovDfKOm}??(@A- zjTXTVTBA#UOgMor34o)D`9yQMSQX zKri3?Who66VEHXryj<%9itd>VM|$2?bIModqtnPd^eK1tTie9Me=q6|hzx%5ke)1h)mP zVi)dN1MQ-DL1+g4mOXTaF@lB~-y?9*NE7RAN*7n?HKha{nzV#@uC7*{83*Hhe{$av z8alo#!lT#E)Gz-zk;x6(8;aTQnKtjEHpsJY1CJj$U8Ho`H`p!_c|*?p%M4gb^I+)ui^Z0Hm_^-HWFl*3CDou%8<>6Ejgf_g!1&OVA7dHu zMt~A|L~(4HI&qC_K(0uJwaOj+$LToTC6_1fQ(%$Ds7nWx8uG|gPivLj)!hO`!;3Hdpe z%;nUUQeh$15PsX^5s)cUdJr;{%d-x`6Edw_lP_^Tpl~8Yzgl>dgVqbxs+B6?n!iX< zxHbv%JBbWhfB$TdlzPBa$Tk8?axh=ZcF8tBN&Elsri;cP`fVKm)2@MEO@pRirVml0 z9o-NBApuIkc!p4K7@z=f%=gyT9~eu>`vhSCey8$jdPBnX8VT0&C1oEdqr3|^NnJUO z$sWJP8bUgvZ}*vQd+-cg`L#P^+wHu}Ihb=y%jX&KqVsk~&8KVl9GQi9{pA*gN5A73 
z+~K1gWcs!LG^P9bCDXF$dDm{rvYif8etZm;;`4sI!ud36$*FAYd1_EUT*}xSreI6` z+BmwbqTe(ZeN(H*>{)p30C-ik02@&m4)&&=wcLA(T=|?LdNywx#C#p57&W0P9PA#h z3Fy3+um*_kQr^jCo0!yi50;iptQwbdeBVcQ#Ngar76y?DE1FC3Tv{-G0!U1OR@OHs zA6fP@B*)pCIyJK*Dod8uJ15hR-I2tTzIdKFo5TZ&DQ{j zA?JVAT1>ngmN_z8H=i9}rfp61JbSVKPO{n$I)`bXs(nv7I|9M~_UylH#A|Aub*K>l z^}%iK=g+}C&&zsn3vJk+Y9Zvd460z!TG&B5&iY7Rc(3J5@!J-&*{17Wc-*JI=n;~u zee4)4@Vd?rZ}|MW_pILb$s=@9@5VYEYhCc zyk>c3{pH?xTh_*I&v|^_Hp~6f@G>FyrCx_4ejg zK*6_8y;VsdoD7KwX%ck_NP^=3bA3!xU=%M|A-;^PwL~9pmr(7gTr8i+WxaMLrGRe< zFF12e8m}Tw6%uqTS7Lbz#?p->@K4+{r*)uPAu`fv#Q0FnpR= zl6jVlk*_`6MeK9PpdrpeIzz1o}qq;AKQJJCHKwbi2=VR8LR&}NWzqp$VffnXJHzq-=GkZ_f*DHxSHI)m02 zle^8Sc^uDOK>7^&1*{ zYgxPZ1j>eoZrwC%r#;-w^o+ z@VJ1z=T>IX)lVqcuB=B}e^3}kv_2Yk^&7WNK3yJRjwiA3(X?dNTuD@N%u%gN?l`5 zhCB1AkynCgU&FQcQ5xxwnfOb-2&S#i7NB^<0#J-Prbz%zYLP~rUnv52Gx^IZ8I!;B z?-*2+6@e8$C+?^_@fJe>;ehGIFF~Rt=xbpmb=#mk`G4qEn)#9lxmOTdu#`qky~BoSh+m%tqaSxbCs2u$4fc+E?@3e>`PC6oJNNr%a)v zQeb|#v>A#eDHD%UEEWfx3TRJNP|@&nx0N;G4D}krfMO*%6inuBLJ*>6#44GS1gZ<0 z#q7bLzfn73kL9b)bgMumF#cmxO;+NPGd@i**+#qJ=3f_+v1 zLkAb_0HDA;uJ3rgv@~0L*`DdwKgJ+072BqB4~xIF`UmCJUiv=8B_`zjGDcx(Xi-_53kx+!M&K$t{@g4R$*ew9X8BhqEHI6gb6qza2(x;G zj9pQrWc353ptA6BD2S$BNOU~1cdoZeDNwayU(BJq)LE!&aXyIqI-mV;@Xya>Yo1fK zK7D-UlH`Y`QnVvZV{3+An#L9es+KCg(#e~RYA4=29A-FM%Bh!4PPJRem<5_Yz*|wB zVo3`yu+mW<0vU^C9;TRgr2h{_fb@EigWXAhK)D;BH{Q23Jl12Uf0FS+fZRs~T_6to zh5W5$alW7^7(;V^hJR869Pg1>+paviodjK{I}ea}_W$TTdCz!#)IU7ucuxyC+I*eX ziveoCvR=Yy@a)(0Gp4a^ceHqY_S0`@9UfJzrz4+pLR}Y_~GSf42m? 
zoWg#OB|mwH>9)h)3kwT!8M(L*trggPRbynjEN;01+^@SD#vKU&Zu5L%5+Vohz89igO8`6IAGn!!725`pn49{2YqsASFHx7}E%g+i@85d% zK@CLB%{DM<=2h>5?;7y>T#~)`O=>4TKX(AFjzqu$V>#WY)D+X}_c8s$Fikl6oBQ() zq?sqn8a{S*Gk$kK+|ib$&C~)`$L?33J^oG_dt~ zy=Lp_GJJ2G0+rW7%kxd{dDR<83r&wrm!XB`;M@K{kEnHUk}|ntK10EG%1`rA!`%Qc z-x*8|1BL9m<+S#G{wJr?JN+fsW87tdtYQeK(g6hj06${Xov$A=gsj>geM*pzSn8N+C{Lte`&SSZ(aj($Nsp~*26Q`Zn5`$b!F262Fk1ey_D{1USl@nGZNbi z-;k&|v570_h=(BGkG@VEKY+?9+`u}+F?$jTX9aZ?^cCO6p<9CClh=2`18^O_leYn* zb#T(LioT~zsFb73seU?H)dcI6pZBfl3CcyOQJ(G0|f}`gRN;N_XqB1AP zSoNF{=yM1sHG0D=N|F+ED^CCN!8m5A z-vSAz+wN0N6GTxCvp#Q~r*Dn2N`&6ks5>ET?~EY3T(!CoWghj{SV;V78lOV#tXRXq z8wnP$BeQ})1vOE>Rqqs9ve~Y(cgRaJ(m%NSE^3waI0`Bi z4$5#QK3Y;gIy)+hU7$bI>ZCh$oB51ic^Z1M3 zl4%CI_)7Qk&AeskoWYGy#3Tx~{@mjMEX~G`3zEuLa)sqec&Zs>4f0CbvzKpgl0p_? zO}xm669L*|%RlN?PZ5Y&HErwz$~;LAS#RyJ>n@3dC)PySr1f|e_4lKD7qO=jIrA^P zV4nWM;e|>woBZfP4VNFkDkWyM`GaOieW9#Qra3y2z{wfWN4-GJVqGn@{P5-! zLUU*#LQlJb!@B@QSoF85MY)O4b`(6&)KZ_Mv!_vT-IupDry(&b%AxG zpL$p$%>s!;m_}h5IPz5W8LEnWXo!7rLX|}*BoiO1QKF2LO(N#fU|1Bh4D%Y3T@T$N zr6fOWLbJb!UO2r&9BN@7(KfgSSWVp1EVZ=BQ8`!=&VJzxDQOF%8NyPw>TtNa?JCO# z81iIuZ5Vk-?4?vlu!j$SJqN6r5T(^HkJ=>(Bov%@kpOBPgBsCpdzp~p3cd=c))cE} zZLo4(h`}LuEl1L>%AW|#ED!LD? 
z?Qxk?Ez@|1a%>4?89W)dF$WD}KkRZg{%FSs*+5434rAs&61YK2)ZB{}fzr`p$O1BO zos=?>)_XmO*qnhfQ($M(#na(Mg*K{fI<})2QgpGEu+F8+mmh8ZD8ohVAPY`qqNYdds8gAzBaZd+r<6Dt6>ou#6DJdJ?}`?5I&6Y<&Q4muW9Yh0Z>@7RsrNcv0d^p)wms?u zE^HoO!zpSz?jo<%5Hy4v|Hafdzf}Tu?aqV=lcvdTvTZjt*)}FjJ56>?Hg~pd+qP|M zXV-3@-s?Tz`OYuvFLjl#>8$o+bH6 zl=(O!SoN;$$=kf`(Octi+5V3{X-UX!;KqijyljHd8a#d`3=^G?>orKd|$!p(zy zReS3SA*x=(rMCy@Zr+`Xpx(ow;Jc94Q4Q+XOYm;I$(;Mqz1&pF>tUjX4Y>WU+3Tp6 zJWtyCtxHzB&#E1t7o_|9q`+N{9!iFn*=2^yREyU`-J`D8LNu!P-9o{I4&ZXob}2o* zY5Sc`|FzGhxFF^^ny{Bh+5KQsC|#1UrU$IE7;C`q^USJK*#@v}ac%SWaq2c3>)^c& z>Vtd$$wm-gp`v%V)Jcee#2ekaN(IKs8@dL>f3y@njOAiA)f@O$}E9*BW-W`gVoTfkk|?AU6%CLp8E z29Ov+Z&n@u&>5#4wNZFci)fmbk3@3ge1YNTh{2OBS*2S2zD_h4gC;W%W|Z_uoC;?pTcR$)kT zJ_M!zE_KJWamMpaMw~`h3tAwr2v=MjImq}1gQf@7*&y*9{3*xy-KgvmHo%SzpAeA5VLU_~8@M`8Xbj!UZ8{fN5(tQtts&TwVUEuL z;-rD-;<8XqIE}tYX){m`0qGa7=MtBYW1Y1nRN6TdXIW!h0KoD!`Xofm6=)SsTW%4> z>Y)}Z1uRM{ZGu^H`7S! zLSIsEF#k7y#TG}NG`mATcvf$AlxwD%@T4Z}I|pwXoyB)f7|E0gxVPq5awxW0VEW?N zKd0Fz+IQgl-FVeD@e8CHQ#nA!K=>S@wH7E-4xyiPymf(SrN0aLRopuq6i%4E2p1}T zFSq%0Es!dO^>davC0Y7U{n~c$NGSgRg0%YR;nkIOMD=9Hx;on=SkPP1nJi-PHx#d^m7 z)fdfn`wKrptyLh966e5#O^ett-#H2WpncFH4mR!u#(cO&{Lg!F=09CbJaQG@uQ~wJ zKk9CLq6F!3Kt^)5ROEzaGq~($jHIl6*86&Vac4@rF%?v-;pvzOf{}+c6@;vT2>_E` zvdtFT1pnOl{|rdZ=ilVl40pr?Fh!4$&Zwu4N4GpM<@v$R{xk9;QQ9ASLcO-WBSsg2 zcLc~6{YU!ba@E=8_C`fFF>$5wrOd|ldA3c!bNc~5{i!=~sPgaPrAE8m5oRW@=hoM( zyysq>F219MyYQyCW16f0^Y*`+k8DD}^)(^Q9Y+Tz!wpMj#tv>G~zp*p#XG^2e zr-<%;UCoDYd3o-THCcc6rfLYSf2bmIb*SPZdYi$2WOQ{l1$0bYs5Ba*+P2GJHqpPm z1y~F5j_B-TKyKDw6<tLF8WF^zOMN+L53ZYBQGpF zJx}-_`YtPcY*=gh(&w&;i6Y;hdv5z07+V^fZoP#GHXo<`6x2V!c($bujh#&I@stjw z#0{q%qZ_TH^$MG(8&t@XKkm_mK$RT*Iz;PkCffYqLF;Jhth`J6#U(noto&-Gq9?K{ z-Bif&)$|hd_k6OBlDNWM)HA(wB*eTlb5g?WNue0IJX5$&E!K z52EF@>zO*+wHkQB<~fENI1Qpsm*%UgX9)fSF+8LkBAW$yZs_mY6#^M?GBDWP3oXxY zRS#EJ<9vlo1+Du$W=(-0b>trnP`pq-1~{o1J0Z#8dqS|~CzLNVKmUQPeyp7}eaa#e zOOE?#N}w`9ErlaaKTj}-e$2^zD4O*f9Hx&3uWODMD*9tgw)UXJV7`XmPcHH7`@gB0 z26?Nyk>Sbe70$DM`J(*!W&o4*3bUEEBKi&TxYe=t^r@(6wN@{U-a~xzbPi1~l%vK7 
z{Khp5_6l=FoCxCOm37iQ9GDfLl*?t2-)xnL=VWLB@YTX#ZXSEsZN`TEOnXO&gd;L6 zHu^0{7-d~r#VH7Z0pQHD%rXN-(HH~uasKzB|5m*)e+6xl$We_p=U01UoQRY|8;#K? zDz!`kHjG0eC15=;n#C%oCwXbJir8B0gU(7R%D>?m&IEU>izJ@L9b3A8dkaUfq=>e(a@}3U zz)CLABm?>Bm+gVFqfrXs4a^+nDo&-5iXaj7qPal+EwggYzCmTv*%2=Oh@WfelqXgm zpQyb{l;YQ86Pe=l^~OpvTQLwjF14zi@$h1PKb{xNB)ddU;)K4?c+kYQn z^A&YF@BKY&yZYNJ8AgUOLWg#M2jj%2oF6@&qj@F}zi-0Q~(VXFPBib7Ra z-i)%z4Ds~gQSlOcp$zE4g8M@Qy)a{^PD6!X@iGq3rwxar#CEzWcaznJZMosI^g=4YOuao5@Gi?~m7>!3YaV zsc)02sm$$&8^=tc_nqT}*$#@_5z$@1+u!>5@@o&VpHZKk(W76 zA%vH%)weegC*1prH(sbc5vI1*BN5!+vkory(~ z&uHy%c2?}AkFn`~aEHYS(rN^yg3>eoB_GM=mNkiYgOY1V-9|sUSrX|Fb&6q}tHaV% zDL;wt>>mWm4AKs zLfakfpb8j2^Cfj`YYbml@ugud{<>o&c)mZ!pjL1HU63cFR=P`slP|-jt+KurVO=5q zTm-kf#dnTj4=D+RTfNWmCQGX%gQJVY5hx;J^9!(rl19OjB_HG#Dre6rk(7<0FHK9S zN}%!2`TUiv;-uBM16r-mop-WsbiPbR6`4(%2i}*wgimjm&01*g;eQ6C=VS3cSKNK5 z%l^yk9?iPcGez$ZOPgQ1=zNNk5URETfu6rOtb+RdH=iW=K<#{tS$0qMZ3N(TfPz`nO5dG^ zw$EgcF?caN>Aj(P^t*?F<6h)#rTfE7+LZnn&uNK)6<8OPD(<1q$s6kaevB^|R{5Be zb>b=1Vd#3Birvvf*?g!o1OkWH-OH zPbs8x**?rEG}@c%x7-VIUAnJyt@*SDuPenFv>qbuCYNb~LIN-QxW+xjJWbjpP$VbU zwtK-J;C1-Y<@MXwx}=4dJt6*OH_{)RP)WStc*M25nIpKSzK*9$%IpUS#6#hTUHM13ocf-$75+@I!LIRj=kY$>E0)LRK#B5w|9a2 z{{fcIh5F4Wef$e=AxqyOVGyLjzcCJp%n-Xi1%;a=0@&ChEDwWKpZ$-uJEy(-CQ>QG9)^nZgpKL>4#!6T%UP`<0Z#QPDAeG?z-}ov{D(N6+HuSXG5a0Rp zm=?e$S6dK^aq{r!O+hGUZkeJQ$26mgvkK|x=S;O*J-zN-Z@w%Sx?y$j!$hYJtWJvdN*Lq+|fFp8!Xk#M7spR^gHU&b!=)TQF7d(TLP!nTV>me|^ai z?iLr@Q#T^BP?e$^YmqOb&H+nnrMXm|EuSWza~;vTcz&n=rLQ)z2xZ@8Xd z%0j-`n4GWd5*;@0N-?k>Q|k|=Wx!``btB2M5~8?@6aD#KM5LIdJ8!3dt-93M3%ps* zVxfdUqb~piA{`eR4dJ+xQoyNVx0zOFx~w}T`ePaz!m2fsN*bP|(X2~p2;byQg)$SP zmZQ}wm{C<4wT?TY$gp!-Nur^)2;kOt@k6aLJz{2oRYPFH^g6Tpu^x%?Hjr5?cV6 zcf49x{IYF=dHDbbc8|3DYc&S?Ckf@kYEnsrNT~$N7Nl-*$eRqKWaOQmpv4Qqpb8YE z$nL4mB>yKp5MWBV^|ddqPXk#_Lgur7L4-0H_5l!7E|lEbj7cG3LF4r&n9!CS5#Vv$ zOS%GB$wvu+mHF|j@PfX4be?@;iHP3tFP`O8*Jr`V1^6$aba>jsus_ic=O{&% zy5kpAPm$nNx2^JfO4ui|2e?5lsXtJIer@;Ub=y-C)>f%+(ljS~cs>N*BDageb zS)j^ZK1URux&*)u;>dg 
zyS*uSKBWd^fQF)ev3#c@MC0kPZIX5Eccayb?mb-|kx@kJ)vi_k@LcaGMufeJvT_)5 z%S<@U3J1~;yAm;Wt8o1ah*1Y9OQ{YsYDV`1P%B*gVDj4B3Idk0yVj z=1Karp{ZL`=I*-FQ~6sF`(-J~hfP;-3RDA1DO{nErE}A1$Ix|^rwI@n`7W}vrrkS~ zW+O$b<39D@;H356v*ZnSt83=-j1EJUb=a!IuUD^ z)XY^GA4(g%w&!lP_`D9FZQPHZ`6^Ml_#Mwc=35Vw=Pm~NXLoM+L}?J2>jl1MT#x-M z{ERlnhYtf#3l+V~x^l37^T>sUf3)YUo&M_|*Pcy>GKmd*FNp8+$=15ohSN&)#YW7) zhj}_wCM6+}N6{-|<1to4f%1wjsnc*v{40~|W08=2`NLe+SQ;(<7Qah{5XfOo%Y(w( z!^UF+j;ZbXE`hkK(|$dVFXL$}a*^LUn94b|X2TXs)4`?FEE@U-$~63v=sGa2vth zB*l6w@p*mELsthyrrVWSQm1z}=Y5|1F~|wLdEsZuwER5YMbL1ghx(TNG&<_j{uJvJ zoF>>ch^wP}w&elo_-fPgp21ck_n`g!K=O9sJ_RkoXwZ36a<;q64^DsmFXAjBboADA z@@{J&^MN?CmHf$Ak8^%sgEZk%v7DQnqTculzN*0)oe#4D8o^6vC zoPoW$k=7ar)TyD#nC5=-b!bw@N9G{9perlTmi!s5N-D4?;hoil+M!KzJXdZTHFFrw zr%KUPlu1@>8vTQ|Z89q;?o3wzBaN)skj(6^tNy!n#5*#~(zEdL)xBa%vPP;aL3;6? zosLy=nO zPMWtY>iV<1MNm8*Jo7YG3#4z;>mQGNMtGk&4MNB!pVcu*_i61hZ6p0koYhzyLk$L( zmQ7q*x#%$(Z-72FRKTXuN2Y#`i>QwDF@qyKJw^RgT7ZuYlxGq$7tBRQ-P9!i)c7*l z%8kcc=2rVr0<2oU2ZBN0ixkp;@Z?|2+1|LIoI%*gzc+?sBnahajkCk>cy7QWH`NiO zbTP^Kufi(CJX=#f$?z4yeBC+qrlR;(6q&h3h)T6aIbT&kiiQS3%h zZ@Z8ND&D!##t9TBI!=0VQ>EIK>tomTV?@sl4(af{bYZ89{qu;he2&*@hDEEEF3YZ& zCl^_#*qAyrlV!b2A2j`lY_Yvi?RgrbWj; zC{MQA=bB*n`WJ|XKF_$CMEnNEtDjxF3g~DA{Avj1?2LwxLuw)TPpG7eRk7F0s^BSw z6(1~<*5@_|y(A>dk&kWI(07;@X8UiS?h5v6zU4gfqL_*C@(tXz7!QjviQtgOz-e** zw!MVvvVEJD{IVXU!MEg?8g?cX5R_X{1&o{DxZ^A)&oNNUIelc&bjS&ah!_=7%_U9h zm%^E|pDo6P&Z)UKid(iEHHwaU2oP?d!#vQJK*ss`n5tN@Aon_+eEDPH8)32Ac-fN{ zGsmz>EV?OS*11;VP>f+-5(pE2U-A=s-siz$QG}6$>sFDUPy2qtij0#eGI;c=>@yP~ zB5}5;#y^NCJCuTA(f4#Kw+QGekmlq+;S}e56JOR-0gPESP5(m}Wg3wCd@`epemAIF zr+6Rwk0B|Z92j*w+r5XyM=7wALS;0ZwLO%!Jxg0<7CJu8U7cy3tyV}%NGGHP7Hu2B7^8#_uufi zndoozQy~GX@l-uu=`^$9?zQzNj#t3tEO>a0x|VAlifV{K+_QG<5S~cHE>$=IRXu12sS4`Bdkez1CAB?4K8Ql8$y$1BueeM@g6*}%4p}Cf82-DeK1L+cdo)`B7 zU71`SXO{9eUx2`t>-k@fxT#qlkB41eso;%!e133RAF;dXA(?GlAU0}dM-Sp@;t|6P z`0h$$tid27sdaCs3vcRSx)EZ+uk*Ix%IU}X#5i~>*XpoaAhdSfv51>SShs8)E*L53 
zvME7Kpv>puZwKh$Lw&lpvGj7ATdb6Fyojr;Wp(NUqSu_|T3oDL`}pQ8+~wQl6@$Lw|D=7g5c9;`reYZ(TezG z$Mg8#1xz76w;HcQ&{cooi``u1>%#j{g`fW2>3JDfJA~jN6Whk^Jbo)$-vk8$u6+DR zcaIvIfp%-GU$6DiJiKs7@^;_3yn2Diyg?psrn>4O`0NW15F9Q%m^>H@(nBTjFQHi!DucYVlVIjH z+}se?`N#+P^>qo|H_j0pgaB(L7VaZJnyJp%D$Rs z-9QCVpB9w_nq+a@N@qSry^Qthn4i8QZer3R!ux*ATfTn-t>J(_OCa~m6f_7tQ5K`#`d`Q+C+yX@mFOhhsdJ-rN$&$BqKK6tIn8o)cI9G+2jhy=Pu5W28Mk&Wl6BV zi}peBvqza8L?xTS+Dw=CtEe~nQ=B2sTQvD4_crXJeV5u(FD}IGhcT*8ES1@dhXW#b zhlrbI`we~hGe`uqS@p+<&9jMe-0CCMB`7F%L}UmmRIK_|fHT5f^DjGGoPdj_Y~_yx zLVb+Wr_C&W3!YRv{}EWV>^dJk&o`ObR6|5|E+4y_tRx&wNR$oJUFcfeTq%R~r(IFC;~ zoIylu+|THj`~$DRkFU=Be4{AEX4Ya@t+#DBH5*|Dwx)3;s%8SA*})-5`P6|9p^iGj zaFq)xdzuBD$MxyblGJ*Y^R)9Oh3XVTK`ZwjcDD0ZlIaOLVdlq;(G+sX-SPU9QY2BD zlV2%Vu#OwlKdS2Z$;wLq3_!(9m`tm4q~R`sb>)V|Y@ktaQR#SpFFA_AR09&w*YDO~ zb-5%P3E||pWSdQEH*io5IfhV>Dd|YO$O~?i5-t1*mr&!pX)8RUh~{fPD@u|9{GuIg z?cFsoR7gKA5!Bb6!>Y&Va0r@yo#>a@B7o0(t00cWR_7!BW1cRX?sUl^-D?jv`S`;u z>(B4j{<3L^+e?%zBXT^x#I}*~o-GoO@Qf=(q4C>rokYPwg@!6THCpIwF)@_|0_x${ z0;{L6_ROVEpVlb@J;NryYv&2m*(4Ir$63dP%`z0ORcfJEJol4~y4yq**Y>%W(6ot^ zz=@Jvu>Pc6gGDqIfrYD(TD~yW#N204J`k-yc~w`Lwp{0DJ3!*Jvl4L5zpGh)U{F2Q>7qFX{*>m&GK-_Wy<{o{f9rdp(B?Y72I=e%sM zdPMn?(qO%)#PsPePwrj#VJ34+sCAi^Kruwh*H{(;3QH52pm5nrY;Dde`!ATHE31E5 zkugNSg&?xBv{SJPPHBxyq13?G3yL))p$S5Bh`8Ku(%}n_DrGhpWdh079Q%?-=CNhINq;^M|YH>Y-7SAK2sygZR`c~%+WdyX8FfB*CFD|pGJ_=iNl8Ge`h^O)YDVIF-xL0wHP zc+~kY`yh$m^!v%f&&jSUbJUHRt48eiomjYNkL^Wp)ecn&Q=>+Nqt~ba~SFcOF z&dl{2)))psvvO0=T^?SBnVu_!uaavvldE-$?M9OaW1DqzW=Hfcmw?y{qUZ4O4VRJr*V@c>O*ClRjgXghnj@b2P)v2*}Vbu+sCzF z&fw`!3LTf=d1pUQ-KdN~W8V-L|NFVcV^>-F&C~T|z?zjH)j)>I<|`;|)3W^U%eqYE zSmqvo%Y|8P%?3z^Nf3I=sAOosLnm9?DvJH8`BBz3WJh31v~gzTDdFR-CW=Esd#jo+zDjeMN=j`q7)Cc`)f1NC44y`0cr~4%fs)OWS2%-HL>6DuCw_#zGwm4oj99c!Yjr!jb zaVZMS$R-}ti`j@|e3xLBrYZ~`dmMj;F~UaL@_EBDSE=z5Wnq`P_{#o&spnC2R&tF& zP~-U}=tQnIMS~cg$c|R<^K~I&q4y!-tBNU!txv_hoK`u6jd7`o)%@7Q%N2mmJ>!KM zyq_mI3B>_Ymg`k{73@LS2zX(UtQFZBHhqef@shZcAtR);C}YrdeK!b%$1oXa7z_DI 
z3PDgKL&~9XoEXcl=}Rg9a&@Ho{-(CV2naQE5FtZKSI?+~hhyaW!4~icK1hovmU`Q!O+BRy7!eU51 z1NZf0@-ZD`6Lw;{+Y^oERX~o*^wiRXTq*89&XM%IW0;)RvI82Gr8r3))!@|Gz=fR7 zzDoTyor^UU@l&K5C?|ilbN;{*6zyxP|H5&|WRVB{Dr1&^6kbv$WSg4SH=GfvUBfdO z6ZSo)Bbyj2s0oWIjYvH-HtwisaT6`GXW;vDuu3LLv~UoowCFIYiNuP?dS1psIkF(j z@JSnKks&P;ZZ%&=jL%J%Y&1Lhe%Lb;l_9)TOXT-^r8vKd$+)xC4I*}An6Qf;kpisE z0_-1C0%!@&qHhey7yEN@iUs`BkgN;H&wN6)G;Nu;(sww>$pVCa`a=o_tsMj2iZ8@> zx^WzujQ&)B003~Zge>JIA8!xX@Jh>9vPyjGt6iytO~IH<5QA~hrXK#HzojD0P;%lJ zYEKfs)((Z%Y9528gg&;-%yv2?Ijs=jHf&~8LwtnpRBMwTC|MF0GB5Q#sK3Yxm@{Cc zazTkiNCd?&odsiYdwD#}V!dyO=lv5bAKSIJ~ezO`f`W7Cy#XkkHn z?mbDXbc3&SjUp~GnZ=*bP_C$ z20=c7D&-~Qe6C-awR=vL3plMmEQrcfb(X(PIaJ~F$n5&Ud z(P@=?o{ERa{@(%F@!iIF%ey0X1b{DtaXt`%HBQZ%#J8zeRHz}PWIvMlCzN++NFF46 zI=b5jEufbahvG1+yX!)TYQyp6wJXJG0{qbyf!sO8W)9x*3*O>=Kxz9+;$3|+{H@Hk zs`hzkHoB_@<*yV(-fE7@7i8cGYDL@1ecM#;;`bQxILvr?wi^w)aeEYM*zMpW6k~c{ zzG&MzAYi%6j%MOb^?J=MD02vUwdx!p#Afhboor%sn7@s#bhP1eIE!>Bx_mc3e@?;f zbb1V%N`IX0>A6I_Q6CDcQVM>zpKRZF*gOoxZ}I}2&cB=~)5#0jrg2E`mf~j~Os)Hz zSvaWcm3OX$XH9KPQtLGwEesJ5Tf?`z9SmtOxK%tan_=hM8UQ~C_S-*C`G*~rQgbfS zom6_&U2JT28#|&$SG!r}wq4aA6=e$r=H@|lbjQtQO>R*3#G?Ck!-x7!7cvXFKpCoH zb^#%W(RnqG)l5?aGqz4#%oSdKoK|%0POFT0TSO?JhwWhE<)b95&Zp^>OD6j<%W%TC z)1p^{1#q9tly&E@@=`_3nsv!U$@fg>hYg?Sfy?!27oVoRjHF1LwZjNY{F=TjwM!4f zr&mISm*+-X+uL*T33DsU3~^hZuvey&?SGTmU9+i z7#;to%;qWo3tle#vu{K5F}P(}k3BqR#GPVlnJ$kq5{^q==Ow*2XZmjI-c?pUcbQ{E z&NTv$lINs%r99ykUR#m#arm(3S!V5bXm59PM;Usll@qGwl{{zRADZ>&3v@Wadg!a& zvZN{(hUx;3QDdh4LxK0@uY6UWr`}b1v-rI zQ;izX7q%iTtq+^KCq<8IYDX9R#kdSLF_yFPn@CwH_HM?rDT`4b3RI(XpAu@XN&4ko zbNOd>O}FJT8IHOzKf*2zY#e2oNFa^l^hL^vaawY|j4RQ7ynNDRVi_*=#A3etcR;gA zqLKY``5^1UB8>MYkI_g2;e?A%&{dikLesCa} zjNe=!UCE6`maRfCxPHwIXZm`8@#{KKi+qeoFd|8UA9LPMo<7|``U@v+>Fi>dG&)vX z3A06Etuuj~2K>LV!1k|;A`Z;Q)SiO-Xr(bVmNp7hfU9urbgij`6(@tGNXd3L^+0+6!pgEE|`cq<(bq$>i^P%M(V71!?zulZy3>TvBTY`BVcqd z9aL*BP57~f9*G(UEUFPrb4<1oj<+blmC79zqpy&L^nrcite_uy{{R@Ssm_JIvTnR> zd?56YCfSOtJe+iVin3413M9wb3ki6Mi&ubr%20I$-$2^v{?Ke|shn&awF2s!=lq1J 
zvu}cLGVB%%m9K7XMg#_!*?V%mNEDTpW&lf~|q#~JFKL!wE^8`g^v z;u3sKziUW7M?ew!MMe12oIGjD$i(1%5K$A_a30INM%qR>ELI3V!u{K-^<^#pTul^M$}mvJYBe8-tAwg}H3 zC&7$j%D5rOG6aM!H&4lC+N4IrOVJrK_p;r+IL6EsT5?c68a*;hYPV$qcAfhL_qT)- z9S{lFBvA%WYp`&geUapVE|%8+>>!3erUuyn`@Hw~yqmv3Oe(a|hay1Z!=&^7vre|= zw#?96;dd#UnQUS!i4|zF2|y|x(e05x48hR7`uZbN4BctLu|xTLDU~shWaM-hr)i6NT=F?jA+omOy}(~>$7P|O0d*nMVdDtwG6VJvl!de6g(|kuakVFn+!|PTD{+VbFYPhpJ&LYr6b@KPQWknzL%S`h zkrJbtsuGhJ0vxb!lK;18)^WShF;!y@ z#n5Tjl_@!+84Rrd9pEZFczIHxkMNS!|Dcx!kHqgmLa9O@shVgQImO%vUT_c*?}+#B zMT(9$#6P;CA?IC_f7tU=(TjhEeUP`GU)XA3ixN8MITGg-5-pp(AQHM7Ww!XecrP+d7iRmrVJcApirk) z4>Q%cg!WY2=2qZ3)x)hF_qNTPz$-@r9FH?(v6D_*M2Ft*;}%DZob+1`SIDas(ZD&K zrgi?Z+Cy#I_Ul_d6dwFmm$v~-eEp6-KDs@wDwi>@$8+ad>kPX6m$Wfmmzl~X0YPrV zA)ZU}rcKK!wg+8+-ScKg10AbO+hcm|VQu)v%V1xYzJ7I+fgb82PuUmi{tK_=sB6vV z8NS7o7BEM!mBV|3x9h}W74h?CL7U}?r4UW$?Q{FtDr$Y50=Nwfr_1JYpe4cRy$m-b zwzL-gcAbn_$&tnLQULcV!%s%+qJMaMpS66`EhOj*{dQetb^oSL)$TnT`*s^`5Ldg{ zZWnvsci#h7)p|22B*0rlXbrV7MI8U~R@ZkS3#y-F?RLH`T%eBTeVGjQALG*h0bRL# z0&F{YY%yyB60g0@OKhz<-QHio6ES&uf-w!=pGAG5H5sd&g-&ZLc8t%e^K9C7;yWhA z%!Ow3Q`dJMP$BhCt>)Is>{D&VD=8hXmnp9|QVQ?q3o6l)HZN!6wy_*j0wxdayVI8X zUzR-1I|ys1oYlP_3Qz6N&!(!>vR=cvh?-5#(zci?-Hf!AAL#{zv^{l5y&v_>HyqZ- z%o&|WX^u40DjGD#J8SJ;w{{`X)euy6Oo&g&e=O6ovYXL9W4rs&OFq3LN0K|}Gj9`a zoo$f%_ogS*9}W46H1#Yzx!ChQ0kEYIUpSf}3)HV>lVlBXiEvN3Rky%2sR9&e+C3#q z0!Os0(G|rwO!!!7)v_=Kd};A{QQ{nrusF%ZIoi2cMMSkBazk|JHrC^ztJd!&A4!td zbV|~L%_hbq1MYr6$!uAjb1jis&`&KRlVN{-T^g0-2`#kEacJKuGyvgGTDLy=sIfh< zWn1%m=TeI#HAc~W-Bq&)Z;HN_AP$0AO{KYk^N{aDDemkX~ML%K5Hp+k8bzkh(gzb$M&=VlLQE@Qd<>mB<@Y?jR`9*(9(e@4aOGEdt>&$y@ zb{5C~1srlcZuqY>Rh|5<_4C49wNV^B+yjXkg=F2RDRUEFMC6%p-+|=^(~TbcbALBM zlrBouolHdHl^`IbQz;xExVs->6ImAET6m7yVv-p=&OOPVuP-!Dm?7W9kew=N{731| z(ikf2{sR}ZUQ!8kH!*+x-J(HI41?GIl+0O7my!7?Ellk*GX{FO&?3G3?QcRL0Wwaqk`s=c8f^}4K0%7GVciepU^!u%@9IX$ zz*jI{mKr*A!7(>Y5m;y)LY0CW(J&Jad7JPdhZG$NeP#d8D%JkFD`d>Mix)d%GymBj zz;ZKtXLO{P9f0+;s!0D(XM=z0o)?wglLv^2FxS&yO%v3zMGn!=aO^RXsO8S%7Ut+C zGT}YpTt73Ph{NsH$|FK2;*Sz?Hl1ufhP 
z2T@8?7?{Xt%x#i*xkJ+PaSFhwn96sMad*+F$>_$4tx@W zpBJ^7CQvPVE7p>F!~@F~TPj+qZ4P~A<%W4GEzl;T5K49pygD9|q4 zqSyH}6w0zt9>`GvzPy0kM&Ap4oreqsz)vbIOWLs2u*5B#i8r3VPJTEqkcBH(Pdw#| zM?0b>j62lxRP)2)4GuBLcfT1=gQSDX`9M}Hy)ZGAm^Cs=O$!x*~6IQ*E@ zl~p9ij`7qCYW%dYwBT1o7Pg94AF?Dyo?U5$1%VoEfN^d5phqLwe5rgJZ;SkAMEq4v zebAmVUJe3mMT5t^svd~D#!wen9XE|PgiiL2xY=J;8}|iKi#5lSc8>UkU$jtF*hW#T zj6qQiNQ1_laenPd5gk@jKVb%{Mw$Z_RrkFDX~_4I(9^Bi$4>W+%K<7JBL7QhtBl|J zn2>M>zEgwYva}(uq=QS~A-=x{*pSEW# z?P&HZvCu=WhIh-v+K_ea2rHQ4+5e&&HQB8YYR8}=>#7uA7rO1q}mQ@D)wdbw|=53;HSHPzhb3tG` z0Hx;ndXbl_^Qm@ebH8HItj)7!>f8wg+-UlZum4b#2Pt|x>OH_peUN*H&ToR;Q;izY zZLz$8-?IpOu-iN>nJ*J&>WGD$yRnD(okzLY0w&e z0S%1$4--v-&8H=nwrw4sFT2(VZ&ChMaX;3`qzd^w7CP_tedVlUa}??v7jLVw>pqT5 zlF8_(bS-1u`=_VjE@a2`Ja*DFbttH_-!d2d!;F#-oBn!d<5jRMI%-(x?xb*Ov*t{> z=`D3w!2Jx4Ds#bdV%6pBr?*E+?MUV0`c;v|>8ip-tQG|XOKtrRL~B{%NIHX}srg?^ zwZ~?he^ZuQY3Gslo?c$`CeyoT2FGQ~&f6{i@n4{)jd zXfA$ygw0>Qu_JS!USTapw-T*BzJA~I1j)K5#_273@Oedz{K%}9P6#pfwtwvspM4XU z=0;A?j)XLlK5l`jUML|_?{{w!hzE=0TQ(fIQp#=F?_>-ikSpmroyFQWVa~YX7=6JXJ(Yu5`(e0M-nN=mxlBYkDNUnM&71^A-k{pw z>~%9dKyYQNQ)l@SX|kk$iL+Av3rLyI#3M@i+)}J@`2LJ+-X+Ws7d3pccx2ixni7{5 zHDYwZ-4H_uY)mFw$cLA3@dad9e(P_K{GB1A$S`^vJt`aDRK(t6K?*QOdqux4t?FQ< z@|m&!}pJZm!-Y z@{?Y!*AhIs{6u)!g<_B6+|)N!zkNskKd2cjqIs_KMhw>F4(&zN$;0N$wX3_(^U>s( z|8RWn1i(d01%V=k|9I>=KRf*VEM84-U2huFm!iqUGirR|7&TE~*rjG(P9p0z;heis z#><(6$Y7{y+Y=YY8SEWP!aoo#_) z(`e-qeWEiAGAgY(*&#p;Xqd>ydT4(%@~C`1?kNqdOe5`z+wA6fmT1T>?BJ|3jCDod z)m$mX=ku!NVpOAG;~pSYh0uU13ad#TCb3vHqHK#we4lkgX#Sf2p#KjcR?p^>@u_vg zuly(Y>G{tBO*en{pJ)O6N05^t+l6u?NCV(bFoGIZu{2J|Juh4GBM33eu@TW4F)^}& zrJ#zfaw!z6q{6yt=Ok7!F_bhjL`B4;rURhb*h%X2o2*$%sBg6bwCR6jW8t zMX{7-7YDW*QAyLN>jNSkW%Fp{te2(F~r zWvc0_h>o!sJJ8!&GKYXtN>X`6^pjmt?sWkd zrN;tEs^dtCM-9m_aD0GNmAY96Q;AVVNI?QW$XhYUMtRm%Dv{Qcg{Bl`iTnTsVhT@o zi(EQ~=k%1PiSfE+lDt#*V-XV$k{!gz)@y|76jKeVQ%TYtYk(z7W1o_c$sC!l0A;g= z^z4k#uv?ak#^XYmjMYM(j3Wrj_)|nPMKn`HGetC0L^DM+Q{#IN1gEecrT-99>wiDQ z_`3fbcilr*{RsSrBI4-efuz2R|6u>*Kgf^3e=r1&6F7!L)c5h9Iom9^$$rdBhs=tf 
zzSv9hs&kW19{0f#e_D0;;%UZ=PhY=&C;Z&c<{F=|iZ+`0>GMCk|D^N5qaHe7|0~8D zBsSDmCZdP_`1zcZ8|%)wYTm}n>~!J#*Q|ZY6EDp^KFa6LEk1weA4uetO<%k3s^4+@ zUWd$j=gHIl@ZM4j>1SX5>)lW6ul-7V;jQ0IWwyQj`eSnH*{R3(n!D+ed)@u%x~JVi zoU*}s2TIG|@Swj6YdqT;F8}7t_0~9STKA?CKfyNM`RZe?-4d)UwfY-Jof}-d$OE%~ zb;cjBpMLX7`Hyad8_O-f;r4GHb(5$)>TbPf{Gur_6ebQBX z&fSOQDo2m^XmCfIzx;*l8m0F?UvJjBt8M<~Iph|Jtv_Wyd*Xu?M{A#d;c9O`b(Xgk z_UJ#!VAI^MfvxCyLXvceQp1t|iPn>_k zTm1hI*Z)9Yum2&Y;{Oja{uTeR;~*Y=OUC>o_8*0l@JY6aNYMiH|B=6`|Ibg-e{gxe z{c!XoTV7!Q$t{TgAe0nj?W)htd zHAx)DeciF5Zpy56VMk3faa7iaZ7oWJbfpRqUb71k?Ob6%k&$c)sE)zK0%nzC^r%M0 z@{wXEa&D6}>`YcDb>KpA$f_FMlT%y;Q}8wr#|BJQEw&I>Db+?$EJB-Hf>j*{cIkdY z^OLF)^*t|Fbi-n$F)G-lJU>>YA~Fo)nPH>@C~R{1kZ{zprE;E3Ny3;Q89iGmAf}KN zsEnW#J1MG`E05T0+YdV#+8o$1TuhK=7Axd|NEXxr*{5?clvOY%$GW3-TEsF6LgWLZ zW2i{rJeUz zmx;RGce2fqTSVjn3%ZihH$b^+z|4@WOUY~(%%+u*05sE>C5kDr>WFl`R3jN!&6b`JEga#xD%?V;L|-AIA&_n-yKx~`@Z)Y2W{M+{pp1IG z??F(*Y(!x<2k_HiLoL;5!Ul7{&qIm!lYMrec*~)M0U>Ud6`k z%D5BDbgVLAX-vr<)QqA9*}h)~bu~67?5JBG_i_lTi@XUm&2mHUj`(gdlK>fJWLGk&*8O2cwfHj0f{#xe|{*J_HTfx)K-j6sKHEYq65gBvQ50niJ3 zjb6ZjO{3z7k|c>5PNpcW#WP(?1W`GUl@k_9gN1gflrLARUCcIX4JE8p!BQac0)Vi+ zWZ2*e3jY84|1c64|2F>_epUY?7U-5cnNfihCe$kPuk)fjt~fGO?IwGZsWr-U#ZE0X znPQ#%uo~j63Ics&oCf~#ye6GUqO!TZ*(L);)W#!ISFvV1>rdv^E+`J+ZcUPuQI5-u zp+dSc!d-s^;Z6>A(m=XZ@8<&-iHa)kHL6uCpQ<#|&A8%#okEV!$tl!^+xVcs^oEr* z*#yfy%>j8r|1`HP}WQnSA zoLwt!=K3GaomRk3Jm%;t7PD^N_m3-S*RC0R=7xQ2Y4!K^f%p6{zv>MOUH|3d=9b31 z-){@ueYbwnp~vnw?R4kM;dvVzwaq#g>~+dMNB#b1*{9$1mu~EI`|CyfltotK7YdR9E3jm#bw8^^cKH3`wDhE@0xda1pMDz3EwsMN^$4yYFF;o*?!B{^_f>c zGv3bL=u`K@Pagej)6UUXoV)t;GvC_e@#|(SbKuL@zWmW?&UyZ$XI_5qDu2BDCGs6@ zIODEMrLBUiewAA2whOih*Lv}Q=PrGO`+UW-F1`A?f4Bcw`eu7Rec9ok%s6h>-A_Jm zDXn$}amH!seO}-FA>hwD-1O{oug_Rvzg-Dxxm_>4j-E5^n1yexEOJQl-a}_>ck?@| zAH3_3M(?ZbEX{iKqc5(7e)ZydbD7)@>m1VV?zz)h9Evw;8Ppx|TEw5CjU$oWg?;Lr-N!z@C!aMI)il^`A9(3-X!<~iW z3)dZZ$+X+%y*s?^lUt%C&O0nz;jllPxHSFe)3@p^_0q{tufB5e&gu6*v;UbNal5Vl z^q(LbyN%CX`kU#qk2`C_r4P%Vx6zUI2@9=0XVa&z34eC$i>vgnzbtD!a>z2sV|U(p 
z>1X;yNQ{N8O5;iAHg~>$+5t2jU459H?~$ zE7~}1j$O|dMnx*5&1$xn6tR}eJKYonwH$X;5ao7g)4By#GX*h9l62Y90IQ%iidC3^ ztdyh`B}uUSNeZ21O2yO&GKbxC4`nd6pJ_LlOolM(V@>QAyM@A_TZ1Y^jsQBPc!Me! z>7mY>id?U&Zb>S#u7=XNcs@Vy+ZoTFq?;iFtBrmvZutXSVf1WQmU*w~mu#Srq{;y@ z7>MJ-KsM}ZQN}2;qmpH`jb|7%6@=Y(bCgixWsz@2gBnM{3??xM4P72INS$gjCfE+h)~ls__aCwWY!L z^PjX9i4sibt7SB%#4tZhibV*l8vV?WCwsMSj@6N}9T#dwk8^NHW&&H-DF+DWMLo5wb_fPyts|8tjTa^~g%Ts8fq#5#v<)mCmqQX6hq`WL0cf zwmSvD4PX>+wLv;>B_yjCD3%QlOT+K8u1LrR$5>|Hrw?ud%$&7kkEy~k*S|~}CCRZ}e^r)rv2SJpmvc66gbYl#U z(`2z+qsNW}Ykf$J%MtrWHGvb3v?S zqgsY77D1Vb`d}$gQ^9VWR!H8Bp3y;YG4;6hzLBDjb*B?n{dsV zTFa)gc`wQgt*DE@z7%7e7=Y^~tm|j9g!@(hA89PH(6{+d`78gKf5ExAxDR}Nzqj1C z#$%ec2*-uQSct~$Vksy=Y#*RA8I{R4V6P#Lk||5kvc(Y1R!d&JT;lPz7RND)g&0pI z6)HDEeLIz{i*UUiYvf7VQMAcKSAy$W(jn^%sKwfus4tqu3YqRC44X{r^%|Ws48F%u zt!OYvq|%n*isi{U6~J5&rpz9Ii=|f3ulB@9;OwgB69UmIx5QyG5bRjJBxET{X1Ht~ zaWNTHnL()uV`?0$xn)L>l3p1Y+Oi$8HpOQXO;%?>H60B?UaIw)wU~f+z)FF#oBhEs zY71(tIV{EOA?`6uJHzGE;E2fqOij-fJ0YFN1imYPuHI)Qi3$j~+@Z8?Kv#?DIGe3= z>H0V}w0aP4=!piM(7mJ}bLq)E6&Jsc$4@!Wl=DnE&y@2_InR{y{O=zKP7yyU|AC>u z`VTU-{`W(SulvsnH_QS5^ZtV)I6=TLg5cl5e~5qbAM{7yKa)4=XdH{j3FQ0u&xy%} zKiKVbaNd3!K7Yuat-WVlJ>%ENCR<)VT;zxs?|j0awRY*C!C_YF;i`%bKqqv%%+!pYrT}yS%=5h_7AC-M#(o@bY`i z={8OtS`GSqWZUfS+m{X=Ql+y$`t;Jb_ulT1lV4rkyt&tg7tg)@px@Gm zKJ?fs*Iz&D%AN0o&v|U~T|RE#bm}7q)zAL?vl-=Ch4oe(Jn+=ZA5~smq4C&H{dQX7nrl8DU$XMN>;AC& zPS2jX#}{uApD%ycRiy(z+jrZ&Q1iGmub9CuamA@uXAZw=iFa3u@0i+S*W({qJ-*HC z;`TG%>F#;T6*u0w*t0VStDOH%l$rCh2cFpVcg`sre+I3^pSSVawI{Y19kgp|^PeAZ z$<{}Xw_EA+J^uXWLVDqsdmmZ<D=xL|a>t+Z-gR@M?h^55r7aIyCV$V&V;1f%v+M=0u7CMrXLXZn9Cq6W zcQG$M_2TIlJqFzc?ftj-{~z`r?Cbl#P1S$?FymkGA6RtK$)8;P4=fdOxYVkmQlu?F z{m(b{|B-)s{-cF*!9XT?dN?_+1@#|eLHvhJgu|eTXGtm7L`xzC0^PxgAwUZ(!WvDP z>3Fpdk0UT8$L*j=jAS-8v{GqTR7gC+av8Q zNoiedrX@u8$$Y-iA$o~ETn*%*Y?Gp^W%+JOYY5Dcnj~Ys(}=NYjw}Ko&y(G;36XjX zi(s%}3}D6fidLslrVBBNA$2y52uzR<5ns=a*hzjG!Y~&RdA`D8X&O+wa+xT{R0@Kv z5+y=|_OKD~0+VRTegvU8BF`axSPeX)#3Dlo_6aB6$mEoqW%(@-8vs%_9eh9kq4U1k 
zEO#^Q>cD5xDLI$zcMZGKva&vzgPWG2cWQx@B8s_|)lyQXO2>+}+)IqD|Bt=*fOed^ z`nM^8fJi6_q4zQrL#$q?ktNxdRV>MJk*Jns$+lc%%eE}hTVQ~|gwQ*oLtyA7fdC

o6C)55Q67b)TW**`DcZdn+Gg3 zqw6@6yI+BFU%Vbol~>m7BE4&RyzyLAaLaVNA1WMgwJp(g%UrX+`y#XuNTGAvZAG=y z?r+^yAaIy$Lf$`k-(ZPYzY#>QJ<0Fla9=#{O^lY4?39iP1q0$&9x>XH>Iqh`Gdx}m ze7x^Vc%`+zhNq;f01kI6+zwYS4NnPOUux}N*2xwG+`8R>YS)qMDR+Z;-iV9u8h}R$ zg2v~ut`xv|JXt`o3dHQNADN4%$0Z4X@AgdR%AwaM!+m07-@C@I-R$sH1fgqg-8>)A z^_sto-x=Rytux9 zxx^v$emu3H!1d4P*u8>TKQG!&ruTZGhrttXZ|^h2Ar zT+v9@JPA>#U=Zm*tW~*=?L^*SpkxT8dLYLjPLhSK_c=qDPMRuIQ#y|j6PHn58l1W^ zD?ye^i~?JYMEh9SjHNuaPHb2#f@Zz(i!i60q;gA0!HqLqI1>77umZ2FRcw+V)kxQ{ z6%_V(2Ve4ut73!$jE<9P|1&rCDrqP-yKcxZK-F-ka8r+|w?Qa|eqpUsKPAguatH!7 zh{2N^xGTz+PLuCQbFy0~mPbNy=pJaoLKvT&ARi>Gdt1Zt&#O+oYB4+%3dNDaxHZb4 zly(VD;a}d{7Ge5?vZw5+{vzTTg(58VDW!^^Y!!GBvZiVAuZaFd@&1EzW4@qY;Iwz@ zocM`kcz-OHM>yjEkq1$qkq;MC}4Yr_sj) zEv%bz`_t|h6d0yV3T`Z$I5frx6UA&fg*84`GgbIj6i=Z@BZ$bH(7qo~Tw8&JmA(j9v+qmzfYa0vm3E4bna4l|qXnaDri3rSrmff(3h)0@Qt(!1@3)Li0RI}O2l|B)>#NfGH z48=+06>|=9cxSE1it$jZPkN`8A`crHys-(|I4j1<+Kez^wXcEo! z+|JljxC{wz@ zt56j$nPHf}FDO^bwVc~R#$PvTZ*FSyvQhsihLi!tqdQMa2tKU-i^(bQ({{+I3>Z=k$9w1A=C*@K^bD_Nb?38RZ$H@G+Hhp7|^bLa+A*r!j za1zS)Y6^|W<71Ur$r6%w82v4r`V)S*{nN0eXnMp}$Dv%cL{EcN6>p4_Q|gzS#5=yX zo#&|dmppDOTuuVtPlK9f`k1*Q_XpbaVH}^_U90iCWD7~pkV1C=kMk0FNTon{Id@MM z5k{?i)>l4=Ei?vqNB^>GTGc#CkOYRg zcMoV3fU05nkK~Ziz372+*AF1^49G5)vQ!M`tK%Z|Jdh}a{mY+ZN*&ckU z15T{%boua5136w0Kz4r%_Win(I_r)F?f^yudwdXohvxnI7BZS|vq4>7o(mkec!!sw z*Y8`LH134lu3Iy!TV3fL&L;a%Ja`<2%!l!l0Kh>9y=U3@che`m`ea@cqu0&*r%eNq z{R!@AwWoUQ({ z%%+aZsQ4=NuUmg%hYGJPkB>n$m8+UQILfE3OPl^67Ix!Q;~Q-Td_Ph<>~EWnurz(eUzl%t6ttvM`(HYE?^leUtmK$pq7Q zi)s0LUPIafR+-lcxN2g9T~X72kiiyTfB16yHh=u#`FW9b$a`AJ*Y--`!B_hVRjk!; zN#gI->_hTiOcywhp|S7FyUq8#_{Hhzp9}Tw)K=r0_?bJ8%*5dhTgcO+-qyUMyv91fA*?(xpvwOipF@- z;^5iwoI06LF2RTf+FqbdLM$mNckPCxT37>YVx>IOybbd!qmy?;zEi-K9}(`CFL)f< z9goW|K%1xRh2%FNY3}Jq_O;;$%hx`bg})Z2v%za$3)&Q= zhxgu286)iSruoWFeznzaLPa)>?VHlj(TDEsYZeI|=zkXKV^LRJ+ZY?}5)wdyCmpHO z3{n$9)Kk+Wk3RpvmI{N&nB3$^`I3;+#Y2tX7!6$cvLf#H##|JGR)rYd5*GZS>ID~z zobnG8s1q{-?L`-!6p%e*HB2rc+!5`oe@rV&Z*8(TCF=n@A8D=tCXuf_zRi$2R>&b5 
zj!06fhlf#rm-r&p!q4L>617A+igswz*60jleBQbp2Lre zIBJQpL2&;1l`kJWNj|6ANyRR=ebjcSSRRWu7f`H7J5!9?L1Mz&!+w%Wfa2^=qN<%s zT`8tITO-GWVHBQ)<`Fhf>{yCj7Wk%nAu3*)jwSEb$0qW(nrH8O_<~`P;-vsIceW(( zutd@swiIO?>sE6^cF>WI894?E+q?(qDL)kwC+v<&QKU^A8;X%W8IUjrp&8ucvG0^ue8p11caGG# zWcID%AVU3qIwR+YRSx<03OcNR3J*8FAL4S-AM17b=jVkR1q5wJBQlLQktbT#{yf?E zfyHE3P>90TWn^gKt0)+LMk>xO`{XvF3kK${4$77HeKpAJS=GMx_QmHD}Ft|*YwVCIil zhsJJ%FjElRPzOFU0sc3%LS0_iHhd28as?}mO&xTtKZyO>Hm69!FgU`l(&P}8efxwg zCkJm&d$A<6fC{u#V06S0#mgI$bS_aY8|PGrZzz`G{^upUTw0(g^w9{!IR9RBmN{Uv{Wm{i8W&H_pYa6J7U*X5C z^Kd71+V+-Y@I5>0Y!3Zj%8XFfKkd64qkXCzr?ay+?nYpgb%2F^;WS%ynjXWB9j#{8 z9&VktH<|J0^Wm8+2K67iEEsA7>cZ+?g^x*i6;1QS61a11A!+^HW!If^6c)IT7qHHu zM#ga%g3q5PfftJ`!wg&c+d%td^RL@CtK}7s{liMo;|qX!Rg(LhCa1uW*85BSJ^iK4 zZSXL`8gLD2nDxsO?5Uh2n%AH-*ymAlcI9e+0b)wSMf>w8J)Dnwqlq;+qjitvk|TQM zAZDD8=VdE+`>U5d`Mx>hd90{uie z>K(&SJypXk$9GHTT&7gAs^v229l;Gj^;JN4wm!WHI{bz~tx~m`b+}bYGgr9PLfgj$ zo%aE(ikEf2={1G(+Q)L^-r+d@*SpF}W}zH)r_fnde{4F2mvv_H3(1lYJP#(|VWi#r z&E29fUc1fUurkU0zHbz?I-6(zjO@rsWs~ZS#akNazn2-Q#QeF<@SR_Zp5FeXdD(<$ z?tF-o;a<s@)0KW!Kf7{1N zK3%>*&sHD;>m_h|^d+0UA^sK2ENISWbtY;~ze~2tTMJ0woVzg-rp|=k@G8|B9)syH zvp`-&Kl6l<{`=A5d-A)@Pce1zx1o7Fb|@1Y(yBfw=GMn`;nx$dHEm(%NSS~Ed6B(O zYgw2uXAn4K7^0oePok{CH_JlStLfxK_h~a2Xac*1W59S_0?7hWulx=x>!VYKF_qI7 z=ug%|DA)il1$Wc^i%Mfj%XEE+pDu%Fg6irfRj=ot-Tez5?)`jjE|D-Ho9WhZe)blB*^~T_M)b!#?R*VDO(T??^uMk=i zHl<$0IF~MS$(lorsUj@nehAZno%>DNTa-Lqpi3<+fT+XQsh3jj@S#z;pHp%Opwr!RhvQgwvJb6I7i9%yv|y!kVn)=D$A!xSVIIL!R=!-* zJy>P)kw+J*QFWAx9ojFMANolaZgg9BAZ!f}!%s$wF%Y(HWw@pr$Ew7hC}unvB}m0@ zuemI1*f**l%@hDVYY7f!{tKiGpc|{KA|1@hsVmYFjdli^cq&kpWwF0%j~s7Xzgo|Y zcvMn~uIKR?_g8w5NlpA&DFFN+OqvRG4mXNfF`rfdDZ$(`eIxtzI576jWtVL`k<;j{ z%D-P+Ln9J!ZIV3rOoc50 z#ty`J4Z#8-2?~YogVrRuQmSZ%sw(;}$i&oChvh=c)`h4=YM}1^JrwFtyqFXU`MKjO z-V!Eub;!DnmQ4q4d}p@#O-Tc3jTZ%RKN|(tGGhjrr##BYB8YM>z+3H!W*yI@Yh&~S zh~>;ier{Xere+P;bFHG!gH`{NR`<cfniDqQ+5lp z$NbKwm-PN|$XcJ&2dThvRIcE1w;`GXt`cfNCvQDbP1IY(^rHqXHzG<}lD83)3@u%q|*Dd0*Jo`ZA2*{T2ui`e@z^3Ie< 
zY>Z4N_lpBH$ET~vxm=yBiWP&WcFBXH!BoR=ykTvo9A_Z;`lA?*;}qpm^ucV1up;-c z2ZUIIgpK+h3xUBA(}Q^VTBG50Bs1{w;|1%MM4O{XpcG&Y%#Y>+35D33Xu^)%7PgGW z$$th!lRnAm(wtife5)oR$(6=(PppN*&`c=dDGKeIwFqm?-cy^h{||sL24APIeJMbH zscfJZ#s2s!zyaj*seRnLiB4pC(^MI}LWgCuB#kCiFS8Z<}`Boe$=~Yx6&r{z6sx=+M9Y=`5E9y?k z(tku}DY_5k8Zf_m-DT^J)6+`tSJy&pOYLjxXlNS z7aUJ^KI|VZsY!PjkU!opXN`2XUFOkPeIEF-RIfMPjTQ&;TCd)PI#l^QW~u?WeXZzP zUwcoc^$US0ATPQ zUojR0A2T1TcRsi@&A^jcl>73HTHc3X2lkcyuhF|w7z@C7rI*CpgpQB1{0F;(!xl=%V9zGs1FyX5LrUt zq9K(0-!y+!;Vz0Tyi@5&dF)q|T3HjOjaCsW#M~2R*HMe5i~35TVOgZQr_|}Q(6PEg zN6--I9tZfRanNY;ak=CmRw=6#vMz2a8(_~{`PM_mFYOc=QbY2aeO1F^=?yXN1*&F( zksb5C4Fky}EB{173xv=XSSjcLSonfJ6{PxVLu;qMIq4(cls7GZ)Azgz3}143RphIu zF09m>8~mPvJSv9846yfr_e$-Ekvh-f7&=ejH+7PyBfkKgS6kUT1sS3FbLDo4O z3&NbLRPOO0$6s;%pd|~g(Qmh=CX+IPIn%Q(w`|pzHa(Ekq5z}_73H!h#pO_w2@bW- zkDNs{6k4~V_#m=vWAxRuVu?5}?}60|^3mL~N^x?`vQ%CILmX=AvMfI?;Qeo@+T{=E z3&+-uu{qZL<9c!4z6I)tVhCHhy&U&Wxr)aysP6Lmr2&u+@x4ENc1(20%MO*-UZ*<5xI%ezI5L-4=|3ui&fYsCr4JAsW8lWMIyMP+V;yqDIckYMh6s=XtRjJX=mf){;GMkA_5aCNyC7x&pDn{ak zEC><+bAY@-)BL901WsyDp28p!Su@z{MHEjT5eJGz|C=Yakr)Fto=6S844b=x%_yYg z;a#gzr37urGfzPpMgTu&(XuIVnxoFGYh4swNk!4!F~cMU38I-87pYFLc+Z4fdzQ+7 zt!2MFaO;n=c#T5uye$L7%cy7XIDC#Cf;fjLC=wzH5hSAgxjl})e@%k#S(uQ5bEo<^ zm?6uxxG+?f`zox8L?j7*Plme^q=f(8vBcx?DzUfX|PqH*xFZrFjfhrh}8{| zI_UG)NoeP9_;&9rOYH4PtBmA1eZjRxV&3np2cGuftNiT#!oAa zVrkPH{$rZP|3U|<*}4wB_lW5Dzyr^fRpAL+p0sbTK_+3RMEZ`$yf{c$jbK*?vH7wMto z&*Mi4>Ga#{=WN9|NvX-W>Gk7}=&$(i&Q9O&pXRSTV30v02hDfc{z>YNYG3^mC#-Y45K6Y%=!S>PIh=@V}p%CfQr`5^1tqZVM(N z{Fhcs+=tGhC&UhHX6ZZl1p!{Sv^QJHN!uScZ%oJ4_os;y@qlE47IaSgQ-mznquu^( zFQe%A?VMu2OYR0pS8X{^`R`M@8pM&aL#_2!s-Pdenbaq@s-M*Wf9X{jZj}LykvsP(5 zf8Kg&sdUPxXuq7atsZN6t9q}}MJX(KnVw<4VX5%CTzIQwzR4SPk4*+^W4v2^CUPvZ zG`U9?iR<_*c{(*}6nVXTXLT9w?sjdaIbXx7ZGip05INjem-rup`}0>H`xhF^ue#O) z+RnfaxMv6nvbWxSE-m8vy$J=6hxD(TSF>n7r`{xu?B)k{0(xgvKj1}?Q3vm7 zb<*l>k^i!0sMbW=3E&bCj<42s))D^XdDBLgwDJ7v5HQVQ>CI?T{+ZnY%y$!+&@ci$ z`{c;xHD4N57%j~LE=4pZt$mbZM9(j)UGKUuq|B;+94t^R_(v}TTjE%LUoRZYH*Y%J 
zr-NRF$s6;29)-Jf7RCK;c${*Azym7ftvS@}XTRDnnskGQoBTUkg23zAQkP)()U`Y% z(av-exEt@@h~+u2+rQ>K$Q++qp=#c+kKX39qW0Lv@xWsvXh9i`gkOJOtd8n$JMLwW z?tVPjwC>ocVB=fcPtBiS=3?-v6EutN&)NE7=pf8!TK8v(&g?o|rm1)@e$Szc^XLSQ zBByV-m_H|RtMITtrx#z9c)Bi@KJy7*z3fe0Z`O|wyKH$c&QV-FosjDcOl#Xmetu;E zeRkh$2A&^)zU247X(V72P}d&+`s3|Ggi=Fp*G6aJXb7<7)7AW?@w9vl7?h>N@DHV8 zC7yw~006xCxR~(p&?hr~a^h8Gh@md1oNLOP zkT59uz9C)X1RJtWbe5XXycrX^fpHwsM5$q4P3=JSRuF>3R4x#1I-0t_$yUuV+Uq;e zpU`Q==>q8@D5W3^lMAEXJI`tP0gK6(?W|-9ww71rHa# zC`!G!77g5?CnX$;Y8%?Qf^e7gs2M6KiXn#Cvy@57Sgmy@n5uzTfP_-l-l&#Cgfk?y zhLlLdY=W1%gF(%Oe*x!QkQqh%9_w0hr+2YP!X#4fuxO3)uY)RogUldJJ;4U^h=SWc zmLm!C49KV=j`FDU&HEoAHa_c5`BSly;y3o@j63>*?c%R|Fo@nvpi8qc&q{P5&)l@D zRB}uY#V-gzt1!4#AFJ8GRmciCf~S^ zH*9t=>=h=gg++h_i3sL7{R>*HNg@(aEZKA5R6xk%FjqN(4h=aG zTf!m&s?N&{xcTY|YA@ebU5RH|#?@w`D0y^F*&K=Fnh3G*elz`Q+-IL5_!!+*yMvYiI#ok5qW6Cj!1& zsbuy5HxfS~hz{;Zr0+p!)RCP%3m>|^WV&;Jcs-P2T$oNBfBNIc&KjbIQl3?8? z#n)gU?49L%@JI0*0+1?Q@r&Xef%_}#%?4%;K{TS=>YwQ1n(10qQm7$rzAMZT3$h&D zQjfbr$w-NCJuS>wrl;1#@Yo??>Oh0BR)yhjx#Ld3B~Zz%-BCisNO45?HEUTv{r zPMZ{_%L)5c_o?M)Sj}jkU2ElpC{dZIK*Ak3hmWBYq(I%BQVcMO3Cb7sHiKB>rk-Ff zW*FU}HK+Mo)j5A+r-mW6oJx|T>?_)&h{OH%pgl0%jMB_OBRDWm&^pQ=agHAuY1ID( zS01U}v@z5{J{n6n1eXv8e@bP#2PBwRS`1+x^xSMH(cA)K?OXt**|N>}F{_MJ-9(XT zGUrDAzwl)P7O{ULa0-Zj-1bg-i30L48g&ot!T17qpkVz)5y`#3$Btm~frz9~zL-#c zfI*)vE^`~unCz9ujfc!?&4=4F3f@L#Hr3nPF`{rQ_YtLY8%+;~Fy)r#*FL!A70QRb z(23D>Z?6~Q*W#tnZO_5ZrOia&##60fdMBA;$9ds_;&~2$eke+px>qM?QUk=`WRoeL z>!;aA?D!8FUawEM^{KV9yky_X?0-?)=N-W=T3*{CO!`8OSdDGlwr$%+V;hZ=#mt*T)4t$o->tTQpi`F8zm zpy|ooPJl-@LGKBEqX83-@2b%3>+N{&4BoR|bfgiC!4y-Fo5Rl5Zd#dd4jUU&ZtD@( z-<*-f$hTboSDBoGp7YcVz`M=~FE)x~PQc4>h82QCYX-J zhQhVN=EwUs6VGu-4k#al-SsI%0cknwGquzk>YVB>p!LAg?5z&To9pM<*PE9mOm0c^!2w)v$ zI%*4yWEBtNujRM`TMw8N5nh@|(_+>Xq_vd2rC$ka!+g|L-C)^@>Z+cOO9UY}eCE|8 z$xZi;btyzhciZ{NL@goSnzC3TWXPO@o)YJe6$fK(rp2nf+nln&Hf-A6S&p6~KPeR6 z-PdgIZlHO73riKbnzVDP0zWv4xMtN)|+a?SkBj0Be 
z$)+#klLfPkg_dQmxl&`EPTkHhX}KG6#kJk2INS)#vq#<&6dZ{3C`_qF`!SN9P7sd3r~NJJ?6M~@3q`A0Vd|;cTL!o4kM~}MJ($m%zKPCkas1^ zcT7C8HXDyULqh_p3R+955#P$SS@NMW1>Ik4^fv<3@~%Hh?=#eL!!z7_}1&2gq)(wnt8zAQ9SXb$DdNrzedbrE4or<@bm7l>>G(vAeoK-mJ# zR~g#avUhI;jhiHz$#p~upTOKlIu=D^?F!K>4^BwluEl)v`_{!uf!=bxS^0bxejD6``&4 zwd`>~oUBMChizL`+N2g;TEf$=?&MhgRx3(|jEz&GYYeZ$0GDa%Pv(AWN<+u-(`7>Q zR$Extk`hQ$8>sCxQE2_)^aP5=UA6_nsQwLFz1`b=r+R&OnT0^&`f|s)fxkyK!!wZ0 z$MM;GulOF*gHqOkymaa(qs5Mv?@+BydH9eWhC4zhs&se6D`t+cE-j)a!Lw>z68F>K z53M9X4lFR_2OCBK%Xio{_^CiP85_)U38){9xdNIc+zzzUB1H8q&VMM`EC{BsDv{++ zXoMm&dR=0sdNuILk`$#(bxxast{FbkTKWF&%6B8pUJB z0S0q+P{9X?--E3^F&i3~-~yQ9-(+-Ri(gW(PyVTMzMC&27-P9SJebxD{< zbJ)wMfS5zMWhqW)H0Qa-z5tm~!tA~(@!xC5P zYy3A2PgDNp=t#Peu46^hn0-Z&!nOt}qdJdN3H7o`u!3^kermFdbYfV9uV0$YK4^lkc!}v+wi0Q!7zV zk8tGkjx24o3$+G%ICxcaSKFq){eFDs$mXXtP-pZ|VP$n1$9 z{OV=Kf~Fg!d{xQe_#Fl5(686~NMbXf#5y9AN2PhxXW;gTYW_X8}hcepxyOqpUD|rpr4Yw_ep@Q$4RJM zTaTSLck9M>;*_rHnnkgg;qF>afU-c3+hpr*&vPy|Cv&-ALeCRz_t=9P(eCGdrl%1$ z?@*81D*npmqnCO&r<;G|zqvnjC9{Fi@z>lQ(pSE3aW8CK+yB0Ftc7$xqs#m98*$So zyw>i`Ogx(-Xz|_P%W?i_>t>kmx?-^s%hqv`N_^QgNGIS~UHrZKa&Kf^09h`GGmyva zqG)t`w%>Em_3Z6r_G2#H&+jFlR!|MjA-{k|&lCjhGIwRoX+1qxO z(1T(%|HtoGMY;C=^^c3x>wpL5eYrcPgL8lo<;;$H_vPnelo@dtM$nr3C4kF-=W!`p zs~-JgBB;~Cz4!J!;AusW+h-DKw!miw(fV%tnj4cqcJZPN{P&-wf8QeITgup_fa*YC1N*=kNWpQPj*~#bC;1iM1MMnFVhQ%IybxM5!Sw(*VwwrWf2tS0~Zo^lD3jKLd5P-a@ zIMri`PX#wmFG~Ag8aBN``FL)So5w{k2H{-j<;w)ujo9fUc(GK(nlq2@NmOAKAw6;O z2S;r@eKE`b3nr-gGtE|I&=Cm3T+tNBr!o@dlmntBM03~-8w^iZ-8DN8FM$ykF#F|% zMMuMn2vBer&seCD#~!@Z<{GM4lOcmON=vIFleVvT3e(<{mg6*UexP1TIYy1j*5R}E zrq!8!@U3jDl%&pyezN-^k}~oN7AHPL&nypF$=ho>=}N808ZN7x8SvZo+X!dyxQA;L zsSfLymmX%wakRBESgh5iKuu0$Qvg*x__rUT zcdSOG)y#lZ1PX?_8{^{i!-HetP&RF$3QtKo_R$~oS4AG0l-E3X2!0#*K)t2+Kq^cyfa z7`TD>5&IwZE4*fCfKAm|_MA?YWvbUN{qP%uVl8-tRB3eHv38~Y)uF{^n2%5gkS1Qv z5|a~*w(LjrZ8A_W&Xsoo+f<+~eN5Ill^PvaEb>enD)BdajO&NxH@j4Q8Ov69xdqV} z*a&cCm;j|%X^S}=;b*YuM7%Cw;x7>J)ycH12oNKbWD4qDK?EHO9U6UMKj;1kx-@%F~>+6 
z(bR`27^!F!`4_<|q?hs3)5)WuR?rbjYu012=+{g_e7&}e7aK}D>;9&Q?c(b3*o8g7 zH=2}=o5NAg%e9aMUmh?r$ppl@yz&?_-bW~|(Llu*?w@_%9UXEkTCBtxQe|Pcl}sgg zFe|*qi?-L0A&J?Bc^B`|{yVQcePcW|JLnVb1ob(G$x{+e(;A)FM)!Mzr8q3IZB&2M zruiPFs{#UlA4KlnLV1`)yMr$`I{qCLt)n$?v_nQ&e7zEE3ulZ=;khSo#b(&pM# zfcB=W+*9rm$>O62AO7;k91`J#&495mpG5*`q!I^Q$Apx<#t`ihT8i}2w5*?-GU3Xh zX@$`?9kWuh#pT+j$rQ`qv%U>7mLDbeol1RFz&%y-TX{69?5Z@6OWGei6d9d#ndUi` zP&Qhl$Nv8kmU)+xAa(XGXQ_gIPDXE(dE>uaf2 z=dqSO1>PP6_1kI}^e3Wv`@{NtMK5E=cj6sOQ1I;iA<N*p)0Ygzx!{-+JjOb|7Fv3nS=WfZ@-+Dr@meNhhoqH zQoxC6$5rmKR!XB4=s8lOZSAdUR%t_oQLrQ5{}{4#w!LAdPcyfRq9Lr~u5rd%5o_%u zip)yL5?EgA0)(cr?;T#&>uG$Ey;JH?@q56jA|>uUwgB0HaGkn_e@q76O@C)H@>o?n zxP0dDk_X*KOo*J=<9_(OBFENsyQC z@$-XiXDHBZR%NDdvF@fVz|}99UDLt-;8krBJTkzbba=+&Yl>9M%r6Lit2p3=X!AW!XelDcs7VpE!ULUbEU zy){N~Wnx&9mr??9#a=14#?hKkRIz^4 z55r&j2pdcNGj=A<)206akvhYnutc0NZcnON;m(Jt<-qFUvUPe$Q5g5OuXI;{=^!;& zam?lc+3q`)+xqt*KW=JB6+2)&t;pW8j-;k=z(jtY)loyTF zZM^VB$XhWwBHF{^%8>SwR9?Xm+DTbkmVa-^tEA0~OlW5kCGdrJ{QNe8vz!dxWSA@v zca6fWHFsm0S7YoTNB{W+)4`B4M&Z-v!FGu)X(;%!zdaY%Mj=<-5}AW3LBlu7Pn0pZLvSh>x|=Aa#d{!-T2)XP??h- zqJ87&xlsR5Y>RZw@B6du*72C)vfFZuoGq$s`A}#!(_2e@Kv@*LVxZMNLGZ*iyx^VH^YLyX*@1Lh=JXZhqO~q56lb) z?@a{)^=(lR+1|OA<5EqFWa7FhMnV9(64uC9!aIhWPwG`3rTp0}6CiDo$d5W<&w7FXZ9n{i@ zudNYs%F59msYCGKe;(#y&xaD`6gq!LVg6KXljZQ}i!X!vJ;#vcjB8rVug5~*xo2i> zY3fe)Dh`+`bZ|LKiz)I4Di`c4@ZR`q2Al*NBLWBUDf1Sj*nZXZ z2y8d8?W`8^bw&UxMb_1O;yy{ajR^E=U%Ikd|avc-}% z-alfcX13im-8Z?|tFNc)7K(YVf5NHyRJb2La6_xV@F9P$+XT(lKd$;F_%X%lns?}~ z{QhS6ZMB_qmOk1{*8STz^5o-tTRUVc%X1HM-EL-7p0!WfIne8GIDEUHv}9_X%G$Q(F#{G_?imv|7&rO#BRR$DF2Xx>_<%GI|}Bx7I=cn_Ux}P%?Rw_o~7Y))dW0V=`yif1+>lf ztXG%L1o3TA!1a<{iWojl7oZ+CT0QD9@f`l`)y!_%oiz6anLP>$;%=@m2|k;E4tE0s zy#I|%>g9Rp9e#MsZh!70nEc!(z1Vr!KrW_1VeEZ;$Dja>c%cX$y(qk11ig+?){mCA zTnoH?C3w;C`@_li_P(UX+H-s8eMBw1dENJ5->+xp_YQ9Zwm~Cj{TECa{(%jC|L$$v zu9(z~{NAo#K$#E3QNjHeLSyEiAfEq3Q)t#290Ym11?`ExI3b6?W8Ae9UkmMSf=*UX zg`|JZg!*(5!nwPOe3Unld=BB8NQ?i0)zUM-^bmlB1>!&ep&7K;HsZMCGqthKvYmwp zZO?o|zoeCF?O)@P9C>+5Nmwm;IX88q?)0Zm(O 
zM?FMpvg)xO$TVdqJcPo^0nNLh7qWrt~2OQlmd6)O|s6UFi7Rif=cQwBqffgSC0 zEr%F|$_Mlq%XO$jQR~t6Zp&J`qe+$mtS*5*z(U_JgknEhvI#1#fBHmgckAy}mYV!s zrPX+84yo~9Vvp6WV>kR2IYf~(64lmCt20o)U@WV``R5kpT&*(%q~qy&W-4;cJ3`Ij z@2HSV#fPZJhO_?67$PHg+avq=h(5A+SO+( zf2<3!lzRtH0Kg_0It{|g47_mg_-68TqB)&X;9N*?B6+ri8uFsE4p?j64*+mfWEua! z!S6uDMswb_8C(nln{YuyKgI^Puh1k{ChYK!aY=_e7nXC)<&Y)VBN+X~#n71em}t{+ zYlL}sX0_;JgUAYZ#y+KGvIp8=PM>lldawEx0eekf$%X@8z54RXS{$VFHsvW4bT{te z?DA*@#tUoBcWy>jMDp145&v3t)o0r|`Bv9&{2Ika{BamI&;Spq7z%K#*;w89D6cJQ zgBxFpa+E*Y`bqV${*nhUhx%wKY6_EP2+(LPz!Ym0Gww*#@MMc|-(;`@jPg?U1n-py z@ey-zj%Ow zIb+%I^FiS(u3r9d8jWf*EwpJ74C9GNTj$bZ3GuO#ZWWP+*rHHsZ-TSJ-!wyA`qODH z?AUlOq~KBNBvueku;0ptsIdrUw0IF|tk0OiMRj`PJK|_hzSWd#reL5X=7P}>F=k~H zjT`i2Fo5Of-kAL?J$Y!eTX4X7aN)_9S*h0n}lyQHr5p=J8F|H5iin!Hvv+^>d3bEMocYVkr&Z=9kQ z%CMgv<qB0c%`?qz2`wI-zut zi9BHw@!n;hb#h7NNt$oq(YwVjK`^qKs7g@N;jIS5me1rg(oq#NS zDWWuH08u(L3S4n-36JqdN1gI?X02wuI^!~YoGD#n6y=m784LiRPF`jZtpw~*2XLn0 zL{>@LnFgy$pedu7o8!U}Ij9|$VYP`?amyFy>LkABhI}`nTmZaCYHD0KO1mS${$QnuonU zP6+y2QU8KS`wSo?Wm1B__OE-Op`eEU>Bc|zqs>U83J!!&G){g@*1JELTDg_4=i!%J zVDmXvVk?O@Fx!+}oY z2v4SsYI_fGuQ@frG3xERc6DbN47L5oL%VVU>)cNaU;p@KroQcfa+Z*+zyO%59on5} zn;w_5T;Au0ZcaG6oWPz$AWFq%x>CXJ{xE$v=y|YRNPoY+wUWw@E3fyGzWWZi|Hj|6 z=}}+*0o5}U&&FhU6JxeRwX*)IwEBdyl?D*%uwGsy220@W=z62j(s!BTi4A(cCwxPV zm5B@p82xh*@c9+U$guk69u#yP`P5<6sn)g=Kz1G{#kF4EEgn!h%9$uHF`t)iU}Se^ zclp#UMBI2N5<95m)i3=WMU1Iqf7GHNr|}kXkJZ`v&lSMld!(Svm{aHS-Xy^?bQI06pm7mgBHkDA)JUw0oxKbF3LzcI&;IV|z$z)R6x*svB9y zZUfk!pV53el%RVRuJk=;dCer8!gJ&1pUxJR-(~UgF|1bY^Ev~ce(P?H(mY1O^Ly#p z=}otz=gP~IW57z<>E{}rbYLV!0e+9?`T>2QP%A`}Co{bqU^Bu|D5?-t~S2Ree2TfuPfr<*F7o*%@KG#;`Fyw8C@bEEi)=#c|9*730zfHN-?T4Yli2S^9$!yyR(b zmjbt%(GEvs$}&s1rWJyTHfH+-Rxp}V<-}$6P9gV?-+6>%9Gg%VrZR9p>L!!AcFPXj zr(0wrPR+9lWuERG-Aru>hxI(njUo1|^_9}k%98MK)O(|B3ENYUNOM?{RqDqq$RUvx zs)*EdP-RFUX<~B(?9))EikMuj*`>xyqFo^$f&cl&lB$3z z+O`fb4ti&wg1YdwEGp2_-Cp5qqY@|wPI;cq<(oypjlDLjdTm-2#`psQ_a%4%F zt&}AX&vkFOH{BktSnxb^Qi4^?Rz2f1m>$>TjehQeWcwHX1^G7p71~G7OgRQgbm-Sz 
zlFg7-PsmnuR2acfwpsfeu`*KA#75M1?J0G5xwrA$d25AB6}7rYWH>iZ6q~G=IR;^w z0l}PX4qWpM^LDG5u2QX?h&?xR3K2rvrhaI>WfL8jOJ+Pa-Y4t<@}Lw2^XbBe(r_0XI&ckY8gHtDg}$L9eqR_n`gs1hs0>zZH{^WYs$j zm_oFT3|3+LfgbXj1YNkl@QjM4_0baD7Z^{bz`l23uG*IaT|)0pdoamqmE)tqv9yK; zOjSKa%a#+`F>dfuCy~fI)|AQ_8uOiSobxO7eD?|oiH>9ga|mO37&TVn*&Ql$NYqYZ zJx$aZHN|$>a$Ekm-{Tb>wRp?X`~6bqq&+k59Q+4Q#Z0<98*1pzC*fN?S$0bQr6z%2|- zG*Ltc$0Oo)6S1I7T|u~Kwo_7W81{N$CCkdN1BW~BZxFmRD!tuedemJgwqi+!%jp*f|oO`tYpI?l?HP@x#2X=>V;1Cg_zG!BbQ zCvLyz`~i&(zQ=5WP_d#!+N16MN|8?E;{7#w`2lkv(Mak6&z`1%)unWx05}#NZ{c2U zpHi&g08IZ-mWCIj=0lzjBX3j*T5~d%&KNY-PJ(uA)|AsWAk!L^mnqUG!zJ$S#i>f; zMq zct&ab8Z^UEjzP(!{8PFq2vF?2FSSbun-%bXEvO50>SfXtKdJQ|!2UvlFMe@j9;5j? zfimp3u9k-l6#OUQcFPIlitr(6uar={PnoGxEtC`)IS_aHSG3oc=%B%Q8Uc$mBYrQf#P#nnZ<`T zv=ps38wAbY5O{ca#gqAP((ipdi7)8AvgK*W+Szo8?!qdDJ=UDX@RK z)rn7>C*ZcsgnjYX_YeN~WI>Sr^vCBA9X8)_T-H}c#tw@UQ0qK0BSY_aXGef|+0frC z3*|c!u@0dB<5&V)D%;7Z|E1Ti@0_3;%4JW`%pG`eI#GKacv@{Y(|4NpEHRtr6bSL6 z^oG*3QoiN0qrjG-Gtzml0^E*0G6>z;%A2OiL~!%9QviL0{tc(<_ut64Q3wPLXaUIf zkmZ^ZKVItHS}gL%yqyANF8!xCwCuhAIc5@ovIN=s0*`kdu={gtMeoI-Tcrdp@BMv>xO%3pA2UZW zgFAMKE1jQV0&QI{!8&)2wa4dP^{sdB6uUi^nI61=srAD`z^DIT)hujA9lHmm*Rh42 zjmoFh_hTi!X|5Uehgqil>Cc%g(c0FxYvA*H|GNMPH24V_H2YaF{!t(#_s;jpwm`1& z@$jNlR5R$)j0~Ji|F#DDPvZ@Y|Gc}rCjP9Y@$vcjA!U&CAv7gj=0Q1U%)K1_Pyz*k z3R!d^(YLE0GGth$39rh}FHiGfBGm*Vl9CxQUUky)s#=Us*I*%ob$~TGl3gb){9x(> zg{UU5L}I4UUCT_XDVtTQohyGc)Us96FfC#kCye#$LNnc5QT{l^b?9o`a|*A}W}_^& z7xrJHBMy&h5zmq=JiqcGI9$2jc0M5@!=wlqI}+8MiANehKTz2Hbs7p80I%V*HQZF{ zNCm#P-c*Qb(2HL>Y*|qxQ=!8~Rz`RzQ%XfKIgXk4w{z~-c;X~02Jy0}OvPh}cdkQ= zdcYK&m#JNlu?P_<}hV{|8Wh^oWhp{sZaT-0Ud!xN%aE?y576t>srA1_& zV4W9O)5-hNrw{|Xp{|T|kIC?U z-LEW){}H@j5l`Nu)!dp*rodaUG^GbpWtvW`CO)G5!mvhqIrDMXg{H&SgkqVzbxa4&(N0)#qy!oukscm$D;5p=5N$2%0S~SUru;t^C?J#b`v&Rf{3)GQ*5ZqeL6Wi9V4+|C1^~b#c@q zU;lk*h^Qz@+Q|CER#VfFN_j9zqL68g+bqn!Ac_O}g~-a{K~wM>(ve;VY- zbqe_`$37me7hB6Fv_hNGfy(dTSPR%w>S5FsJkuZ5pF=^nKF5(?RH5XcXQh0_guoWi z+#xaJ#bfWKpY8kHHE$~c>k@Q 
zqY8MMW!|U6JuD3THPNARk(7&5f(9@Fy2qys8**52sF_7HnUEHn)u}s?gGEd_J85l%|DKbl%5tHENZDo!kGC*|q=3g->s$AuG91&`?DwMc zrfBokI#6FL6WuTojzPukNY*ykt~YKmJ_m!CM`y($#fLJ>>c8bv4s!Hn_&+}5UC^h_ zLHFlfgnQNfId(;PG#++;!0BMW&X2;HVovzsI8H@hz8TXH#je zr_trZaPm9RBC_lJn-ah4&SbqKxsWoS!zfQdksG7HX)@oAHa5wagjEz(E@7*eperA6 z5X1A$xVl<)k%{~GA5RXz6S{qd|M5&9HZrpB;igo|tswW~bQ-w6EoHdXz1mgk{4rF2 z-FEosm(LHX-Rp{1#r~V{@n~^70^~F_>_2JSol^p42sYnM-Mz(oQSZ2J7q4#JP2kG) z)aOPJWb~hxD9i*nWbG4Q`x{q!l=(A%)MWtzpxN6%i=*fGnM4MB9(qor*o)Oi&Da6Y zr>e68EvIfz7R_|qytxUptzQYq&8vLneLfd-{Q|eYyHVCn!mHZ?R1`A1s|hmnO()W0 z2l(0qeJn#u*De*i{dcYEgUp{F^CqX?wAU`C-tu>^JArdAc5*Mbhi;zwp7j>j!jg)RUb}4 z-=h=qdQbtzqrjs6YYv}gcJr;|R=$-{<9n<_r z=QeM984qb)_QNdKh`dLwZcMCR`VA_jh0qAn|xEk*Y? zBQSxlA+Jh)BJY5q1x-|@2*H!GGuCYz@Sfs9gE6JE@HX`%v@*<4oqD#@tXwV@IoQ#! z_^||aJcQ_lhUEkdLZ19~9~hY?Nt%evTVY>yyd`HPkpX|kB#E6{Z@q{V2{EQ07BDt$ zKxo3DjhL-ayG~t--_Kvk03r+c_Ndrc3|T#dpvA zQpyONCZ!{I(Q0NEi8MYM!b#^wL@Z+EEX1D>jOtccb;{Ulp1LR)+2x3Uwvt#e-YoH3 zd(BvFMr8&C)Xvx%C;RU=ok56+_2}+ah3{RRs#JnA zhx#g2y2yVufvjb!WJ5UjWJM+`<4w>UgAJr(WZSo;m%0aP!k?p4#Mev3sPI9PF&$u+)G3nqZKE6Fnh)EaKP$X|cm8!I%b|j64mT}XhD!>F6v|5HY zUA3i_Cu<_WEM7va{|=oeJ0gAjURdp-Q@MRksmD-I#woKxV4@kCK&hw_BEnl69K2vmYc>?NLu3L;FzsdDMS(t#y)6tl% zqT6ONCR?zdA^Dfh)lu8(L|f3t_o)e=#*itux+1vfe~*F};3VxJPj+2O5fx2NkM($c z@K>~2kmLp5ul2`~{GIs=N4U19e3+2zJhOuun@bWx(oEQzwDN0FIrRez_Yf*MW5cy9 zBXXG=?>chYUsfvu3qIO^=h!ZaWCNqvzb%RELPo#NYKXn?cwKZd+17U^O@t>e>CzXY zc6buez}Cv;cfJFjqnm5&Y{`fG#{ZUgY?!#iqyIGEiy$F6e?SnCeq`t0&o4u=G_!~> zNlf8U;y>cspfAOX`iv4ihy(qT{5|!&|HHEww|u&Gri$ou{|gYNiNfbNJ?~fDJ$16u z+xho>^P2BC3z^?4a&@_tNS~p@dc5~nq+|a}gu*I43S+?Y8Bc3gJ7LgaEAT?|uj0#5 zyU~{fKHfZ4YuMzi|6*zt2nyV$Vsqua4PKQ4HG4tP+s*y)Oo<9c$IVNErw+5VKG2UW zfhSq`+b&upC&4^Q;{JCa->?YsBq5ikW_3+4FQH+l7Zfztsw zrKOHvHYBkOpEqF6F_HVt(pLAA`x9-u*5*)-nJl>14QF#;D(`{^QM79#2Qj;?z3(g; z(SO8l^Yrh@+P>b#!Ojz6xj@%7@B;fDSpRvAdj7zpM&QUy|6Z`gJ4Qiv>lg;{QJH8;2iw2&(Z%4p-rdpe#9i$Zxh?C0o!BdA6?zSWqW!*N=Tfz_Wi%j7ZpV8cMX2Y?Q`k0m;yd83L9Wu zL~cBAo=uGeP1-gJtA0}+NwB5Zt$i0VrWi>fPn9k%0l%Hb|5 
zs07Q!1>QFqh7SSqd(=I7u2C~5Jo_?O?|czaJ}N(*P`QgiFS37)_Jn8+{@w1MU{dvu zzDva{YrCu4n<&1Hyv$n7fGUITo)h^pvTOopDiHhz7-&H**x{g4X(2j}BFgNGl2KhT z0!VSMrQ&j@&6{e%Fk!w7bp=n~Z?shKmu*Qs_7oJr&NvNtdg@ zu{x&n0U5xiRz z5iv04D!Nlj*p}5gd*!$$jR_tXCVtueaEjXP0j^~2u!ks}wN+g!uYzsj00b5fcnJ`=qhW;KX(dRB zzhy;1cX>m+xV}eDW+H;CyvlZ|+PU-MNgiRf7*3Vhj{xwnnBuLNyXf2j<1I$kUad80 zc%E#ij(9b{t{=d+CpJ4XHf|{Du@09Z)Y0t7cz`Ih+GUn@t%9n>x=l_Us40qP+Su9d z<0& znR)V!!;GuE^9v1Q^O;Cab$U(=ef4Ccy76>p-33kpT0pJZ(2|X=L``=)B6L z@S=49RmZM;%O>-hqj6eb96JKD#z+ghDw8-6Gx_pmyQwmh+V9tjY5RoihxqA8sW`C< zo%HV?#jL4Ol#TlLDUMY#l&K0Nq?M#o5BRAO^i<4(BEFoJ5pen8+j#R=GLVEf@Chk3 zYjF|Zt($pz59dfUu;1%)BGgEN@8VFIGe*+Jm7ZsXr`8HqLACF2AQ~Q<8-%-pGtpP8 z&pV@!z2G26*mmlVy*Sb|DE=BT_-yUef9|Oc!18_tZEdV68=&*c=6aNC<8rX1;cP0dX?}2?ikq-zTCq6I&A5iq zcc#`Yb4_yYA9}1V$wF(PfoCJ}#$%Fl0aU4}n)u1Fp6eF>E?ikFx8>ZJ)5l6%X=D8{ z4X1O9{w)~&UUKvgXd(sMMMC09(p2OsUIM4cl6*D3vPPauv`Hk!BG}^4Uvq$mmYpID zv!fl21CwxD$?AlZEXo_74%VH!2SD3Ca#ao=r(6xdFgW62JR1^Ik)!t8j)ngV6;KY=a#eN%9 z4%vdzMbSSo^KaU)x+?(fd?HDzpnhV0t^=zDKh9)?t>L9y+*3ixHw3L02zrF~UAI%o z#E#yZPe$Y4Is31%+?snG1>)atT%8m@o8D>)`doUz=|BETbuZ6sav9#0oB5VT1||DC z_6qr1A^W%a8XL9*a{Aqs^S1ALoKwWhJ?Vq?5%IPK>^^0EaBlSQ8e~DQ^PdP8s z#ZMhq@sK+{Vrv)KZiA~cJfH8IC;Tt-`Q1bf>!WL~C-r?`>(-$hj~jo5t%|8KdG{YY zX89j$xK=w#D5q#=dLu?G^V|o(_3|I(d;0n=Ja#8E-Ey2fx4uc;GWmnH=!7;v&*?K_ ztNaqL1_V^IJ*|zgoSk9YU!i_h4tK|#S1Z*_k5j%*&eQ8Tmn_%Ao3lPQ0qzAn_<0`x zQtSi*0F-=xKc2H<9U8jO3oQGdUIB4ddd@jPru;cUQ{J4=T<<^PPMS{@16K)o9y8k= z)P>F)P84gl8Lu0*7BAA71U(n6uTKizN>_Vq0E?HATAPCvMnTh;L#3XZ9_57BFVoin zGCf1qI2=JgJ(b2=Q5U3 zUi-BK6};cB$6>KlK|5tEe@A!UBr-ms%hvX4ed{3U44u+nziCy!tCY2XO{)Ard%)C4 zHRHoAKj5pLyP4vhu-oO=Rg= zr=xn;6XO#m+=ZZf? 
zn@m0U7#ar>b`T2SX12MD+W;<+Pe8TnC@%J`F^8x;l2pqFDDusx>GV)wW~ zEPZG=U4^>1$nO^-v1cija>})v;P@kF#2HIx{d?AXg9IAppBo^gWE-yReA&apMNA3g zzhMY=@)?Gn)vx!$i#-|)pHFrJcQ&7DPdOiY`_U!eKXcpef*3?42#Cy7$kgbTwmn6V zjTsdoaH*Hw&{%7i<~risr&Y++kOsMJi3c#*6rZ%>8 z*&qYi2cXVG>5#@d9pRSHeZ{8ZCcHI7{;^`Oj4E=})7*!RU}}+eLk4wGQqfo>#itcH zW?Muy{hR~$;n1+7z>24nQ|ZFxhGYEFTwGd+yhN*17faj{JheC4a?X~XTPr5j(cRz5 z$~~J4ArJwJIc2IgOxcVT=%xPp{_l2<6J>Ik%?;cyv*}R2?=BQSRc&ynHP0OZN)i-V z)_<%?tHeIp10HR0Y%5sd9_b3DFsq?3J@O`u7lNyYLP+C$vg1;8m9FfBi_By?4oN&o z!BgXGvv4hP%S@bMU!viej!$V*>`=u_1}2cTIoUdY7{I33s^qLy#lz7jL4|J!+iEB? zprW$~+L{ioS+vUHi%CzavCNm{uv?V!rR(cQcJ!s;`dC=*J3puox1f_1?tT}OWJX9i z_23;=u4+Bo3X6>NX`!`4s$*9)9#`R;QA!c({&Q3zD^Wb^Q^y?h`^*={E!e)S+dlsR zvWR7(U1AJ*EN)HMk0p#|e83{EtIW?E##Q$$_f#PQ=xHemZ?R_c9kn&f1|mzdORy3@ zOZDhSlyu3^u=FSEMnU+Uq2x=DbNz^B#RyyJpZ*N+uYaUq<_ELUxS09v2Kwl%UUZ*RwJgv*tYXB+aNuR0m~pnZ&NU5KQgP#SH#9mY37*lqJT9qSoS!2P?AeRx=sbvDpk-* zPOV=Y=NUOOCV5_Olhfq~4Mrjm4;u}%X_m6;-`p%Xy;siXxLKz5*AijYo<0oFxV^BY z8}O-~Zu#kbrv_P?Q5QmpQZP-!Wz^82v6az6Yr4=r@!7zqoi;@bZ7jBhZca*< zS~VYn>j_dAbQ>a79yVJ;%+~QPqi5*^YFE;L->0Ff47nbO8kPx`;9gniC?R8qNFqDw z)e*ws1b&bjnG%>VqAX6-yJoM7W;xT%CK`j#u!-7)NytHl&jvUuK2j4ad?Q+5()XbLy=x5I3)(JYXBML`$>foiECIkMXb zmmspXRckwi!XOij-OBvACr=zo6u=YzTnUS8_n?+|yMzStFKJaL$` z<5{G9f{$Eo*H`zx?xhEb-r4(IeC!#^JXFWjclU56 z$YQ?;)?8-Zyt|jXG+leFeft5ou5#}6ryp^Ge#mM|?6MEfeW$juy5#r11)+E8hb+Ct z((i3~^gE~C{pXXGxVv=ylXnPzy86LKPWv$Gz_<*s~U%N?-APQ81-M}Kn5fw%6K-uD-4oc;WDbI}i1Ic9I_)opUQH}|;V z7l)pA2$d?$F}{2ED*tZ%&lU$B``9kuKKy|t@2CuZ_vCwT|MYZWmi*K+t@xdT_wOfu zx8x?~9@_K#bvvyTUh|t}*Is=m@%GDrSC(D3w1(Au_QO-YyU#Dzs&25wzK0*aM0B=r z2)+G%NBl^9^NCkCSnI0Y_74s}@chI&TmEqMqp!T@xZlmO_t^9?`UeLrMsIuiR{P#S zC62wu(SNjHlRcBo$GhCKr#r(fciQruU4IZS?z;&kE7S$;yZ^n*ZGk?|Ie=%e*VV%lOF%s^9L+{&L;bAcVEBYUL1z_x$iuB z{BQXoyzj<)J^Vf5<#Qi;>ZiqDy+3P*pY%3?e=Xd9(Os1d*2~cAFa6Rb<})80@i+hf zAJ+e%pXNU^{{O47e?|Wznkf~FziIj(Oq%8c)2|_Mn(%!={SN|&pV|NIo2dUmB*(x+ zXJLU-Ttxj(Of8E3M{u=7*eRrZv*`3mg)IXWgYzs}69>bV$oUaWL!1K=w8{BYuI9B& 
zjc^i4wp=Ubhh`%~lxnpm54I_G(5N&5O*R3<=@Wj*hJsuMWqWl9FJ&ra)uoxNg$((0 zzE!PLS`y}~#SEtjt^uPVY9{2q*{T-%9*Y7dIs&XLQ-FXNPPB(^7%1;iZU94>Ynw zm>{DOozSvqMQl!BBKErVI4k=TpDBuJdsKyiO07ht$FS!!ERC~VHH}%ZNRx>%ih@F+ z(+n#8)F_V@%5pVH_oHN`RzO3V>bnl(2SJ1YEvxe-=l|rQY0g+I2(;TPl`2j*U!q2X zqA0n3Mh-F0U|Si~Hld_fhJ>;&rI?}6mPxk4WW#kwFDI)I?Z-_$&^wvb2Y$(5(bBsMmZtEa&6NbX*R-( zeF|^Zp-4=*f?%i9zMqJ@lAS9Ds+DYY130B-i-f4wdOE-lQ8Zt!<6tshW0|xVm@=L& zFzg`ihyv*fp;W?}!@f5tF>;E|3@dn@XtM&`B~wsnR|h~H%7T{S*T7;Y>`ym)Z_q;| zA`WU3nX4GXYO0nLCDmyt?GdQD1&B(cNw>fYd7*@qGj0Gh(+P%WnqtntD}g`Kw9wHdE3 zrJYp3l_<5I3Q1;IqY^m@*K4Kjz$MF$D0{k{jSA#=l*$QsHKALbp3vh%uMGmBNc2Fh zOb*CgM+-?WPxsL_F)~^NnF{k@7ix?rSx7=MMGs2W$RL~L+GLxB_;yfkq$(vKfvYju zXvP_6K+RyH6qGSu>ZTnjD`Svs=+VeD;hr)fkV+QDDk2&IhGk0T zB#u=1zxux!B4>P_{)hQQ|D!Mz{)P2FnfTNF-#%eSz&{TJ`YfG~f-BjkYXpTPXwXF~ zpGHv{%vjZ$KJWpy(N$3acH(Z2PqWoQjDTafX8TI9DpBSzs`k>QUaQrDhXhSjRo=o$ zG9eH`s!j%8MKOR%1xy--+p4PVOoB^ja<<#2ds#g{DUZvkxX{Wgs$NY+I_HQLj08)A zVU#Q}AWAu@vYie6i<@EB#h7LQ9BI^Hq|maT3a!C2efFphC1brzxdaJOy=# zf*EI-R#9jT+P+HzdCSEpNRM%+5;S~Ei+UrJ7&-aEcv813?F`qFDkDCnhxJUY+K$OQ zgvX_7Ph@4X+%3fw0PN>d+MqrStRp+aOwwbCu^Kpz3B^LP*>_psyGIK|ba`Gy0#e#6Hb`?4t`O|Ht_c zI$aC+^sDL17vMk8*OC9=1WZhqH29_Zzy0dUwNBxGzvl;gb(VQ%Pj;n0F7d+e?p|l{ zH(z`FpnJ_zT8CfIxbyDY&(P=IvDh__D;tJ8`*)J-pS$e}7e2e*oZq|OU!I+H(ax)# zTNHQR;)An~*y+^Q=Dv9cc;ha|bZ+}j_wu9c?_d6#7q0yMss|r`{F(3y47DS3*xuJa zb=%|ny}|Ck-uqX4Z=0(hIjMZhABfWrSGveinrL`!0iMIS6Kyt06P-d<_(%WC(lXE&~2 z<~KXsboKC&Xx?9z++sKS)UyvfR#!_ipFUyT02w;kFHtmzI>?I(VC{9@r83ef}C_nT-zIqTgC!&MQyezsC4Q zYxc&kN%oSPM(+EsKl%L+@7YV~{%}KN>udG5Z?`|ZD%sfO(9A}wfT`t9e(Hg3Ruz8S z?ZVC0-ZzhT-Q{QBef&`2p?m&t(0yxOxk1kQaLZZt*)4zXLlzLd&bG%tGHc_@_ca!1 z&`JHrn=5W|$s;dYd(1hfvQ2*7z23-}TzW@&tGBe^iKB~4yp~?`z-3msSX%$qclWGj z58Ytf`wsFyI`|Y`T5uhD--08Kn!VP>>pu0|T6Z5UUb(>~;otoK*KhvMjQ{^?>|fzO zdP4JsZ`%AHbu2nHOfG4l#E9@0=Rcp>|E={+<3AEZfl_QNycXl>$D;C|FP^|o^Vf6? 
z*1@qsIc7z#q&pJ{0IO{&iu{~6hAhu7)I3B|D&=e_kuK8mx@wHb5QezT2==lv6=VH+ zH_K7_P_86fY7aL75mqdTGm2wAB>6Ixj76ahV@M*cl!|cLu}dJMwfcMobE;fIfHRFE z9Uxetfr@6C(l`-_niHfuuBW?bqO2!lKC7hgxYNVNGE(%_UY^M13=~fYaZ$;|mRvGL zHK8==mYN|Nf;(Y=P;Bs`pDoMnfl}%B(Xydgh$hBmN(l2!q*t~JNIo!-VYlfkwjH<; z+DXuk)yH1W&T z@;$#h=%&j(mc}|&3t;uW_2u{vWs2Rp6Ae_bXBE25Dpg8#UD4}d`Y^AsC0*b;^+ZZ) z53^DN)Z$XNfs{MrqCVEKW?9Vv{FtYqlFZgMF4IvGURc1eNFVX}_Mq%#l}XF3%> z6p@s|vK0eT3skbiafFc@7OMjupxs2#?-UbN8fy^c3PvPaM%QbpWwKWcTM1<{nYs#0 zMXi2fXyz&`St0v+GcF-yA}gUG2IL#yNUz4sAUmR*NvEO7R@sgzh^-f*WD;|XvL1~P zIDjX$iW|`p=<(txi5caF5T#QA132wk*XZJPH=h>za!{)k2i3BH^Tqt6tl18Na;0+1 zXhYnXYP0@Cv&m9qOy9_DjA5t(=|Gy~f=Y(Ulyh>5K)TbXOFZk;!T;s?KdQz^1TxeA z?Gyg zXA4kdWdsN2+eWVd2H+$v2E<^5yJoGH&bNA*Gz*}5B>7G%(x@JutE5q((JSJ0lgBWL z_rpr$lN=s+eLDovcti<3npAq3DBHvm1F$}DFo14m1Dq!6j#%(|PEbQzp(?w0l14Et zDTSq`m2YMSNvzCSR%IGFVI~m~gS1`giNkWMLITv->#~kd708CK29+vN=u@qt454w= z33c7B2yC+ir(>^~8?ec7i>Ro4B8#|aTH|?FZvhQZz>2WkNY%)H_xvA+8Z6{LN%H@H z{*NuyC!Jy~)4_NotRx+`*c61ZQiww#vhq|VPQ^LOR)R3(aoUC$Am?&X#upW_oE(#E z7gU-F(yu~By-cH{HfWUvwxePiJ1OZ!)*JNUa6s|-9ILC7M22a@K*e?np3WH6R&oG)=hPbky9WXI3G;4@ASMCnrNb-7gmd zJ~a&CoII|Tlbu=~#X-ARBifb-Yn>8O?Q=C4^}nye zKFxm)+ABKtKhJ+4ki<~}#IY|h|A&D8iT|X&2K)y?P#A>C6bgSC{&V%!m+gPYMZ=eu zIriGE51(^)1#545@L}t$y2b(P+<&>a?8&cZw?65+^qa& zZ(MHeBeuq$d2`qMpW5Zo{>%EsOwj$let++p57t%Rz4kXx?|60XIsUXCKYaN0cbt5k zmAU)e)$1SJr{N#q`R6YD)^@MmeyPV*-o0Y8t$+T==5vp}>*d~IXa8l^T2Ed6&bw~? 
zxV!Rm`~!cs&05v^HmkZT?2VlKt=~!q{^h4Dzf|?Mp8diddvEvV=)>8>&G7HnQ**DJ z4&8Xv@!#M3x3{jh2YT{?n|@^7amya3lM8nE$bH|w_Z;x3U+;h7>=Wu2U2;TqlP!*1 z8Cmv#*XM=!Y6re}#?3Dr^Vp8TcedU4-_3vW%nO%aGwbNugS)?d!_O{2)>=Zo@~m}V z-~a6A-dG*k^%!|C^UyQ*DK1z3@PXkh?d8{g^4lkMb)|kAuv_mpe5l;61sKjYf2ctm^cRTrP% z{q|P(%s%J#IrH{j`ez57wC#2e>e=I0o?SlX^4k{6kFWjH7VeI-=Rd?&-k9to-}mbk zeznY_!E1YA^xfp%+x@9Hd*_v|I(D1CocY$R2QTy7=!MG*8|*df_9ve|@v+_t>B?J26{Kxq${?qy9 z@gH_9GX^Nd6g<5Ki^_laMd3emS|S=DJw($rJ-`Yj2VmLI0xNog_ZSmWLTn&7j2KH% z-4+{zJd07o0-S3Z#a_lsb_-!c7Hg*2tBBoZC!cAQ+d$M-s8OU3#_pt%q6{T%N>M?K zQ;Oz{!Dh1|>EpJV$zsV;nP{4WJTtM}afj?r<8THQBLiR@*d7Obtqs#C)db6eGXY0l zLh16Qv^8v_y+pUuKt8e$G2f=*DKq^oJE8RSMKuvr0GLuHzuawBt8B#ja`g0d{) z;v)=Y(s8>dyDcz}`GaIVQ%H(Aywo3NM%5Bc`@s$;tZ(<;0VNhN&ZvMvq8&GXi%b% zHw>X@hSDEUVVJa99o$ko2>=;)GeZ_sph8;> zV8ySoFllJP|ML7FweDy=W`_TKlljl0gqy$fA7@eck1Y8qkh9ZX5vXXxPJ1vSvk=^B z&_y1L(i)GuMA2(B3pT6PsB+D6Dtxsn*?75_9FKZLJV|yVg2W3QWDF!6Ro1zbFF+Hn zoPbDFY@zZ*XH=SMc0e-i4s(@6BM}wY$ruVctccg~NxCv*aui*cvjQ;T(+LVLLDP3v zs!2xfnQ>I8w{od~V64Wdm>PRkd87q;m|)-r?B*u~O?&Q$YGtvQ;QN5<`(YrH>73&8 zxR^rA%|af{RsE-58%U3FBHI5TKf8am=JM(|68XEv*sWmJoTv`zOd0YyT{R%@V(>opNY#AHld0%Js5f!u((}knR zd8pnaZ8@DwLB8p@qfQSXvYA4LKpUP3RaiwbG;|IM8Lohsmg;3Eq}PSpgNPAH zw9y(0OoARr1+I)~MF;4xu3uHdTzP^PB~KB+lC5{DcB$9ahm=Z6R@YG)-P%y8CbA&a z_OWq5N@?6-q>@b*5-L#R^-MAWHC#32GESytNW2Guk(WhEG_LBL-3$wi>v3^YYPR}a zQ}(fF1p3JVolyE>fdIlnmgfah z-n94b)0Z!|#V=QQ=m36$AG~_eZF_mEjJKJ;+6&vQzQXhC-TQEMlXp(J{?&B013mqi zd(n&6Kefrvp6i^s$I-_=^wNpnf6Tt`H?z*e=IsK%N!(A^v{D z#i8qVdv)n$AFKW(NB$hG-+kHWsQhDp-u5kX%R5gzYU7_i>+kn!d-DaiF8yfk;?p-i zN?h~$E4*dk)$Wj&A%1ZGE75w_t^4ohKl{AM9CKUd!!7XE^3?}dQid-cJn#Pd4*ckV z;&A)i>!-E1T>ZnF_FHV;`Var+yc;Lp{`cSZz`5toSu=nADto_r+MaLT_V8}_PaO_X z;un*f*3N%?<$LB;7aaGOqwlPpbKz6JxcN$Y^PASX@RmO?(JTA>=zLFGDtF$7>&+8N z$#=iCTBr3ro4)Gl?Y6l?z38OZ=Aqy7e^p-G=^e1acei`~H|w_6-G8mcPR;Fc(iR^M zX4mmQVC#zS%zB)F-~1D_=0*G7vCrkyJy-tZx5NGSx$S88qrnaHPx##mr*z+4>ufCj z?!DqwdfR!s^cROM z&;FbL|N8ZRo8kXojr}Y9r;o{U>vM{eUtj*SaQ00k#uO+sEcV6uPyGK1|3M^1LnX&X 
zMQ4%ukGLrOr{9zfhD^~)ZIl(7@hAdv{eqIO(M?UxcGyPT%|Wh$M^;r0G*FwS55=%y zvK5ZEr6FTrQHw}aGk%oq!FH{ZgmN)Jb-7W;YdSWWRO>^3n!KfgLN`lM+PK<^3{|UQ z5jYXsIWAY0t+ddVf)Z587ihHZ)*I~+P|{R6-)lRP&|-b29#?{dB_?|ly_1vLW+TxkRVQ%eeuNFRKl+o$(uO z*za2*>Y}LBVL4%Cdpyn?d7X}vR;vr(hKQw$La3)$ zpF{1OUGl6T@-)2{2XdEo8Md6ZaK)t1hSSxG^<>E#O-8)n=js|<@Mxf3LkSHU(TQ4} zbUi4YGAm z8*@R|6|W-!kT=9$4f|3?hQ3G_eC ze^C6>{onAJ`rlV!;G89&1m`Sq)8F~e{h3!1|9SocqZmwra0-LJ0RKV%k^jKp*Ma|F zIGjr1C`f)8{&Uck8?W*5j+@&UM#Wj3?XT7jTxZ^0C*63`^ZTxL-Mi>n!>8fX>*fB= z7sHzak1U0rwD$Q6oNF$WfA#y~d2c@9)Q;CGM|~h~(@nqh?c;7(uok^Tu;=sZj4pXN z{_w)wb$-RXK+WQ{09QD znf`D8A^TVO&-7aH{x?qlGfn11REpI|bnGv#|B*gx{*ROX=J6jMluA50&AGAZ>!R`> zby4_F*MPjVHKr}x(TKRBlR%&7P@G^-3d2Hg!i?pJ>o@rh9%C%yOMV<=jV#F~br?;s zUS5&<#8B)o!^FWYMO$Rl3vRmloLfgnn8P#ou&1Aak=qYtDfzsKMVn}(s zNF@DAM9^Y@w?Mo^r&>(IX#;Us>M()c=@?+WXqdu~ONZHXujHu}ILHn=ow}nIbAA|Q z5XVo}x@Li$Sc787GTgWn8V!I)VW9;TdrDgN=piUYGVOxpzF;uia74oHpynDyDoA#S zVT89@!xCQtOLdWGHi}f#q&&b8Xi>mQw5a6UW}F)tEaEa1vgKQD!ZB-R1J~EH0FZSNm9au<>;xLDPWlp^t7g-DT@5B_B@0F4 z4wz8YRDCq=*BWkAqeH1WX*YcnEjlPB_<-+c`tbmgQ$sk}!!1ni;=L}7>ol#qgeb+y zv}@NV-E^-mS#-}A%C4R%)4Az(kW9T+P=KzHp16gum)CUJ(|UCpBD>Y_%gp~_z=fI* zfA9}3b`pB!&J6$g8~@?Q-#q@aNa5zc_>Z(G^M7&)gcmC{q*Y1-J-DrO*ajCz$%ad} zbh4nO>wPoN3W*Fj3Py&SWb(~KBgY3Rl*l*vdb89ddB$yGWt-54KpqURTD#dwwCjfF zSX95zvU9AOXvJ{gjq!dJR%|7Y=F6%uASwyJJj5bNjXfn3!((+g1V%k*pt^s3nr zl4c1c-Ig*9K5g4hv!Qo2rPj|Bh)LQov_i?mCDf@oR=jH~czhibN^savn(mHaqPwA`qLD@wak?uU+&GW1E*=IO{t z33Y@Qu(~?{2$y83=^`Cvk$lLPrKI6eaxr7Hyop#Eq-h~yGJL`2M*|m^N_nu(qO7sUWFaPzFrXSLj6h`K4@VkU>qNR;FZ6t0rjT}< z8(1PdG-?6`upK8ylh!cIG-RS*=&4Z0YO*oxnx(WxDAetFOGlOVm5X}stnL#u&_T>%6 z3G8dhe`e}`Ux|H+|J=DadF;jidH#bya0+{0D*26p0Zy0eu<% zbJ8AbhTE}wzqj~rf4^$x^|_tdXTG;hXZ|0aKl-rC*Vtw7lPj2W-K+QAW{tNVwA9mXzF?WB;SaXn^Saeu`OPiw7T!5>?PY&= z`b`I6-~Q;_(OKu+FgRfQLo4ow&!U41FIi^1M{vTs2cEd@EBb+J?QzDR*1nFr`tto= z{`K#h=acV0wC5FTvo;vcsxSNVur?exX5#aH=Yx5B(1 zE%)8U@4jgJ;_k;@x5<@nzqkD0)m5JO0kq(lx4egrvUc(hxpIGGXQ@zpd3@~)YtP@} z=)(06t+q0;(vP=%bNNTj*IIj=eC7R*HIH6GJ7Dgt=$IqhzrNu7WzIeMn3aOpesTUa 
zKk-+;8+`M@N1n~!aP?-ZFQKos>UJBfc8>Vw%XiERdMh6L+-BQ6x6vQ=YAv|;j<=p$ z?^m&=%u|Lo(%*JS=d0X>5Z9o zveoxWV?g3EU5iXgQN5=Jcr($7Bq}b{q#|iF(M&N}E!J7Ys^qz7JpI2NS&lW<3tJ}A zQpONFrhx*E`bn(7Rp6qD4h2dc)i|-(OO;WLa!d=t%OnhIlvZdYcmzYKrkkglU*_)gQc z4RJJsiR8#aEOWY$P$@U;HsMJVt+#{}Xh29~LgJZlx*wcySdIpogM&j8q46>&VpuxJ z^{cJ?s8mImR>)VFX}(&rLbjE}Dp3Q^j@v;VTvhXEBdV)C*Cs znQH4r6`o)*F6WJcLc$|ZHoc0hI=wV7Voc2=t4suk9xG=lTPYS?(il2Q-s-4Ly`Vax zMd4we3sVV@n1DK?dTxVi^PxXvc?n2YYPoE-kZ~$VfxszDu>v}o!N(}vAPrG(@bn<< z5D1;1doDHgueH7|_j_rq3zz)9-kt!k*9>&8VNK8M6a7zGWXR9sKfx#ZpInJ@ylF%Q zvM67-7Orz$8d*IFtaZ8mG_=M-H`l3Wry;gi2x=3|v0(5s{WS2``$`Rma@=x|Rveee zTs{+ZO*<4gjTa~U5UM2NsBao_zTD-TLRT)qBi-iPSf@#)@&Gt6CebP!tz5y_Ak8?H0+y)`*!NBB>%)gC~Qu2k;9N6}lA2GBa*A!I zoF-}aP|1R=sMgG@VaXjgyOVKmAd8GDc!@62OPf%tm|+`(EKrjgdcPZWayi`{QT0|b z?K05BulqHA1|H48qZxQK1CM6l(F{DAvBmyc|HHqI{AZ^B&sSrg=09sZyzKaEz<)3V zOJO96;9r3M;9p1ngX75bOh6p_GW_ReOgbWX;)&N*Hs)S%cKgsPo;qW*-_8Z{XFeN= z$g%g{@y3<+&!SUD8E>z2A9>c}hhF&8$@M?^;evbTAHC(3Pp!Rj6fxgl90rfyW&Tyl zqt`xhPinVUXT$f!7ajhO&qEh(b?`?oZg9;T;8F5V@4W7u^AB{uU;fcnW_|n3 z-~9>S@X}e0?{#a-efwvBTyc-hH(hzvLqGbxbYcGd^kr|Ja`Db51Pl4wS46Z>!%LB@74P@+3EVlUIH%Ju{Y<`ffk7F(+@5P78j8}U-B1bw_7h< zaq+qEF05Dc?BQ={?R0mRs<%jpx1aqs^Au`h?{2 z|4aO5)QMtI+TR*oY z@k(lC{LqtTU-;v_o%Mm6PdR<->(5PWw#UBGv$xkuD@fmJ&pqeZUz~Wy!KWP)p0VEb z-%$XX}ri_pVAjcC5Q3vo^Vrx%2Lm?|gOm=C!$lXZ`NzU(Wva z+25w0*!EA+V#zyBg!Z02?*}KZ`IGIRUj5>pej|6xvu8eh<8yoMx!z%GZ)DHDmj*8gCi(f@5` z{?Aup{{sIhu&&`d-#GpgOAL$2B@tOzXZzy(=d)RIV{&o^1YIeHf$3_ILRF_V@6Fjl)jzRd0aMyAv*HZ_K-73 zsnqP)Nt$(8)9}e8piL9AiEm_UUV(MmZF&ri6ZW83nnX<%M1$!{?F6}L>XsJZ7FbNT z;=G^hpk@JM6n`KzN`Mg z3^TIF8iRHUHG6du6D`0Q5dzF-(0I}+=s4E)3o+JFviXDv_98zoSrFSZ`o<(1PH!OD z7}qT@+iH%}siZ~p1HA(9m`qd6ve2nGBad~dUX6s^I+UFxN^IK9bW29IP|7qp6Yh~F z;zzZ%m8ywEGtQ;)>4Rf|cI1!0n*XFnM8*!iIH7yWh^chp3Pd;ATIi({HBuGueB7e* z9e%*`9Rr?>LB=UYg#j0L#vKcTjW5hVCinV8r6kBuo7sLr?y=39pCe>?xm3>8GLH$oy z`@0a!z~dq`Q~&c9{~3St{AZz-o4@(b!u0JTZBC7RL0$|FCVw7?`*M#A~qjFM} z&s$1BGySN$<^)L zc;Z)Lj84d5l&+H{NVED`txFeD5SgtoY?sTo?S|qGGBJXh79b5qe4Z9)VL?Tt<4|Ls 
z>4A)q$SLJoXJ~_doiGbLN3n4$CAq0twBc@sf3w~ zT(+MbgLH3P>NUDP9AyS7o~6>YVk%W3Mud?cCUPA}YocYk)d&G9S58G3*%AKgKjKhi zpfB>D+F$%(vp_FV`F-VmeHqRvf^IAvLC{{;1E52^xmF znQE&JiKc*0Bc$lJBq=#=xk`f^b6CN^(2PT6PB*D#CFkC%SADhLy{`kz%vmrLP$;;hCR!h@Z;em z&KtOu!K!^dipKq3$|8Ba6f;91sfr-sK;yKBr}#=%BU~MyE_)3C^{aLc6h+6Le%7zl zL$V&F`li-w#YHdEXDkqdlo2&-HHUe(Ean{@Mk$mlWovkI(vKCu8+8V0BBd$$EGIi7 zJ;^GORLZ3gGpchTipw~bs*mulkdJtKiO`VRerbi;dfkeTW!^)HhuDUYu??cZ353yE;YbE&fE3r z+!I%_yDyPkv3%9XZy!1T{0%az+2mPgto@+%P_)%UZ*Dx?=Y{Kb$Sw20$Iq>JuRed{ zRowdzl3#(AyW(i#k4qeB?(_I2%QODm9Zy}nvF9I<9e?%C6^ASa7KZm+;%zKGuI>Hl zFT0PggMZ)s^+`(}@!Tt&{SNuzW@{|7g?Do1?ep)puU)~|-Cb%+ev{?V)lWY8qc+{& zVfkGic=)n&P__8>KK_l*Iv*^3X`*@G^~Cv&SI@lo7iBwp;T}g^y8Iu1v+oXNcRlog z<b$dVa$X(|yf6(q3`6Bm(EwhC^&)AT9%KT*e^-nBc#XPy#vcLb%;mba> zM(OqU9+|W2evjN&fBwVuk6V{`>Vk{TEiGGJI{ES)OIM_m;DdJj^^4wtjSIGT>%8rv zkK(J}+hN7#`X6=W*OzL?dHA%mKVE@8@BH^)-SCO`cF`|7W}i)#K5MhWvTNM1pM25^ zOYfTBb-z=BLtfwL)BEqc>a@zY*4XlcH|hKi`3Ha9UghlXcW*lMN8F|3+fQCGagJ^X zM_sw(X-7e|E!LbfU>d(V_CBd{jq|~3%+>eavBkHZy=K<$*EsajW508JwDWeq6=qFN zxNv!8{W<%su=t(xpTGUZKmOwArH^^~;E%s}{(lz#|I7Y^eg6D6Vy6D*YZ?EJ|A;Bk zOMgK!ya@YGf#osLHIQinh<$ng`DguqT;ZGNKk{gS|4c6*7GrZ^{l{Dw|EZfft2cH% zIb+yCifa-;hslhFu!lM=+l64?rwW}^M*?fZVKSldlhhy2}*(jNeHI8k!j+@;e1JCHe+ZEXCDvs3+xaV`!VT zQnx26nNcPHB3%S@5w|ToWzc!DT7qqoa7~2#C?=#g-pd6 zCv?a(rZ;-390Mt^X?;cik<0>@Cmcm>pebl%4Z#6TXRFy<9wGBR21NRJB~gqA6$~!K zIkr^@>|E$&-D$STWDy;x3^gJuf(198pTW4x83_%4}O zO*7FEO0nPT>yfE55ZTiJxQH3P*N0NzAlr*-<6ek`#l$#O)bL(Z8nuI3t}$>7*R*RE zT!f(x7^)gmD7KLy@AfBSz!S2e>Ew}mtHcXquc7;0zLMu99MKvKgH-xvs#b5vR9)-H zh@5W`Ndq!V7=_h@nw(%d0I0KF!eZ%aq0__JMzc$^P^?9crbm`I{f&)DT^~;vrLDC} z5Nr*)jzbjDm8G1trT&LaF6j9Z7XB{8@`NyO zX7(Gu$^Nr2%gx{XXJPvP@bNg`Xhk07k&Y{- zhHAy1GNDa zrxeS@QNJ^s(9bKCKs9}pL4|BeaS9}zh2KFjjmy$Wd?#Mlm>iK-ECp0dQMKxpU z)mCeiNY>T*WYl;2rG%2g3Z+C54?8qetK(`GXjH`%(XqHxaWL>8u!2+v)iKEGc!B10 z)#WSf7l6k7MoDp5v; zZ3>L5csuP56g=ov(vm^-%%RsvCh+bwjxb`GAS}C4W%K>GngDVV54F*5*iba9$vavs zU?kpANfil6^sF#HgWC(ULtE=;6oP}EX=Ic!WabO{X;g{G3L`ZM%1Lq9Y0GebW!^fN<0 
zGvi+kBuS8qr2il@`+r}@_`Lt@e9N~FTLkTrj z*t4ITs~@z>Syz5??7e$&7hl>Jx8L%(J9EDutpC8yhaP#-weMcJ=4SKW8l8FaaOb71 zt;DWPXyKnB|E3B~hD}UG{ zcW(EdP4BySz3qR!_(fM<^yu!}+_TbyKOMlApLAU3jcaD;hT+H-dbk&wI2U; zt+}t?b?m`#KHO#N5BGYMO8jE}CW8$hy*vM%w%za&*FRUK*)7)k?r)ym?)ew+dxXu; zo5igBM)J8mPhaZC!FBFxhn>6jb`Q+G?UJ(}e`)et<#+HhBBCFr(uQY+n&`{k2V`x)-=pWk}O`TrsR+4}Gk!FBd~$QP~~Yd<)? z`kiyv_~Tt;?U!5I*R6ls(l4*_;O<=W!FOZu zfzxg|U<3Pg&t3Dkz5A~`|96*u&tLTsWuDV|wej2Qf1%4c}UJxlhhOuY(Wxsi9oezd8#stKYJ|zW%jKe{|uT<1^Xs{p$C`ncRM- zps%gDSV=qZgnQOMe~*K(b&eS9eCcP)EOm@KhdX;6_qTsE ztnKvY$UWXTa5nehuBi9+G3Uin{_^r+@imLTw#u{bT=|o^mu>Xsp{H-S{~IS9^Fa2I z&7{3HxoVX;$6Zz`fARePEdKwO&woQ^>VN)Q|@K5{yd=vc#5w!(pzZugkc%l3MG#BRlw`zszlv*xBCTU?vgq#ZC>WCe-mso1t{+o)7*+ctOh&3SRpm+=EuTXT*! z$LPI3F6=efB(NpY$(5R2pomoh#+PKqodY9*F^56ePrQB*m_|eq>}4yb@XEbl#}ld9 zbwB-K#qbIfnmZJxt17MR;%GE*pE#ni+jBP+Io_94T9ALJ#oV)iAfD5RT^xww%yAbO zog0W3r6~0E>o{=UHjPMAsVk;+io(~5RxTIiSQF}MGHB#!fmi$hF9;bn&4Y|uV>yqg zY23#~OLs}42Gf;B`Lh+aM8-=DTW|mdl^L{)0Pc=zRBb@ zQxDRu)22hBiHj1pYQfgSsAfm(FWPqFuMitko6Z_dTy^S^mJ$T;S>Kjd3;;C5*c-p> zK;UBeU`e22kT&n+yI5HvnHOmSKGi>wvaq5l=X^F9p;CLEtq~SWE7(w6q{AkQ`64>- zvD!!64ifVInrfrCuEw7T(57vI)j!@%Xeao(bL0+Hk4lSaf*rKbq1?YQt)L(-5pjbw z0hg?5P{llIE*JGIW=#z_E5wy@p_{Y#s02+6UTVwgsN5&&7}*qO?ua!huEeEO%vK8T zQh2r-jD=B^Cb#WJVoB0{hR0)}2^2_0?tMyj-e{Ui*a(gq#xgS@BqdtEU{87Lj~YBX zs&>V82U1O(OvM(uij_mMMi8K-7pRI>6v}ZAs!ZVmaaGdPgTZh#;wk0!gl#~M%JvY) zK22zqEv5rLqJVO}USCa0lT+WnSv~W2K(`#o zg)}Ql#}AO5lB3M|+{M zTj`l5^8T|@N=gkHqnr;_>z=?CRCOYqwv}mQZugO9xXqAsXe=qWKX14O2)4?MYBVq+n(=Z={aM zie+T8NYVqqc-k)e*D zSVimDP+b%$sGYW0ek-S=EdIBAX(EzKD}A@xf0sbN|GabAw6Fed2J8elVFwu_kP$!1 zz9Ky#eFZaueFc+AM~Ee1Bl=+gI~-Of>pu6~uwLT$*m}Mis7f@S3AgL-Zewq{Z5+O0 z;k#QOf|uDYwspFVdwALi8gGvJ`W)Gwno}^DgnaPs7LzowxU#yYi)0z6{nG?}njEj{ z|H9p{*6A`TEYDD*c;sSjdY#|2@i+@vTR13LTeSjW}*!15)xDhyW>w{TIFd z48H4iTmhajSEwu3jT?W$d)f!Sj!R|r)p}^!Zmd@>{dDiajfVLAf336%@w-yFFFYZ# zBXtJ!iFUiicEs@ux4+L`G=2a+S3c+HsvBOc({4P4?QI8zzGAlw1NI(Ao;|Pb-ZuVi zHQdb|DK@9A9XkW^PjUhA-7lg?9|9lAM0WQ*Z(}l{4+RUyLL3IRSnta_{0y~k%X3Uq 
zJ!e9PLOD;-9<`Y*1F4pYy47yS2_G|l77Z=Bj*pGAhvj)+@9CTKW0$?F4wo_k-p@XY z$4tDg5B7OGegMnXZL{s$YX%IPXBnchx*m3)6(5yzdq=j52xibBEgP#0=}NkCqjEuIy$>vffEX=+Yo`1>J&r!sr4(# zzApcT$?LU-hQQwIi!q|?&Lyp9fc%S94roowOi9($x=rX>43bbSVDEEng~9#)^yvOZ z@Luul$=>dy=HSKGwXEl3h42)gr|XfdcYgh$KtPqr;dwDd7h${IujOiG^I~>Gb3<k<97)eY!5NVVgA*+bD5rg}5ebsKd8w7diM=>bK3rvr?v zjz4GW%)ev0RmT?o-QszC;i=8a)MMkpk5hi#e?5HnT&W#?AdNf|hkzgBA*4?w{Dsg} z=v|)4+#r3|D%)A_l!8bP2*QLnjiY8c`JX^7GtF$9Jf}1FkeB?{DoYXqg_s;Y8P}hA z3W4N!W2P3-Lw}+-PnTaYIsFjFd5@$2KG`(nf&VNjXr<)&IdRy4o-pX$BT-NSyQL;x zbAXul+u5}NUn>-D7-gx_N=%$MFi5Fs=f{UV#C3W4xDQS?`9(@Dw@hJ+G6_zaIY!7M zrTU6Vl*NARz@muqzGrVdnl=WpQ%k`}G%C6^uMo9Z$2~JRO^bAf8k(BRs+_77XiN!< z(4sONi&_0~L5P^GMOS8>1Qe(%OHQ(vMtsY!n#n}pw)pVB(v;e%31Lgl8wb}`a{I2e z^M5*T%hP_2l*@+pB-bo}W)>m;PTt+qd?3Q5r=?hm7$nuHji`UxR2BSgirfnra1798$7fOx_INl6NAffeb_C z>l=~FN7N7|+J?`ambllLr@T;Yhp%HH_=Rs7Y@r=1>pVjb+_1JHq8V30(gNbtXpk<5 z55{;hm0f{B(}UbpayX8_v1;HE_O_H=Yov_UJgSN`(eiyRM88&}Qsl*wMBmje_0o9C zBmD+$X@`npk>mj@g%-=f602{~fD`z@5i{p+KhqG-5Q&JzsD21pu|F)dC0UVY@f`}B zM-AP_m<$S+tHJT(ZAGc7kK|i%n<|{5@32c5QV`*$RtnWk^vHMMP5eKwU_dX^c7?Ey0h6fu-j9$Bsvj6il3l zF9|shuKUElncNr@eLG8>f!nmsoK;}Ot6l3vNai`=%*G%sVwU_nb8U9bKzX#NZyAWZ zu<;i4IriOm%}l+$#e)M>fKALN10^}IMyp<6aiki|Zc=s4|Ij*BYJ7Kgv==PI2 z7KbMT=P(E*^eT);>0yGzESllPu?up=fp`70QG!Gd-9#4j=&o;K5_HUdq(}KqEJeD@ z=_|#s@)~B5js;V{v^CK%CP|=_p~kXVl>V+I$}8OaXNrcnDpKNh3hGE1RZnV!1i zk5CNbbN{PMfz$dMCSdlyG1L4iw*&j57QCIo246ULSsY%EA7xa-IC{^#>G#`NCvhB) z1GT(UG?5HCYkzPMasF34X?9^&1fK~CJ;+n?WwN|K>d0X6zhYCEwsy6=sC#lL>Kb=@ z(DWnRcxL7|x#^%Wf6)jZjLoWf0n_{jd*O=2fBl*ga&t4I_*&5gbI}j~xM%)b{=E`` zOMe+M0pC`>g7@nJYw!J5(se< zY=uPK{+;mUk7z{=;K|p6&}0B+HvY@oeco2z^W>OPcJ}rfM8ilQd#+~d_Q9EDu3$SL z${usaWr9rcZ74M@`;N?M=CnVFHax)foGR|8?2j}a`w8d(rx^k!0*}I;Rp}Xl_7{a1 z_-T&mKt`e6Pyp4~R)d-6;?!Wv{9chJmM&Gmu2+|VlR?-f5dF;m%PW31YAnsKaarD+FPM#4OK?mYhUw%tVc>GZX{v@|Y6_%)_DZO|#; z_~#RnjX0ngU2@8Hf*&ab<$J@(+uQr!o;g&V}d z{N?koVEc1-?jC}{>D{Q+v8}@hdz~_0PhZEOF3skh_RsZ)RDRb3%}@Pf2`-X!zlR4V 
z{8{g>(i|cmK;?&!*WKR5P9J~u>DRO3EmbP_Q}g3#@Hb!EZo~ihJ3}Ok;Q1d)mSgJ! z{jWHJ2qdKGID-u%A8dh+7cv-K?+=O{Ui-4Gl^uM)S)QXi-9>xD&0kG!9-0nRhW_Uk zk8Mn!PIt2lsBP*ist)J}+Z%1CEBF!Lu1TfobCThQq;sCj!~z831A#a9 zGkwo_X7?^nLbuVt0EPoYioPUB=y?d>gHs{1Dw3V&r}#-x$imFD-vf9SoNTdwQJ^VY;pS6C2>n^->&KEj$kSw7VB5JcIc>_9DJUB zO2Hg~KDd}Teu)q`Np6WxwKCxg=D5t(1$W_K-27vnP@4H!td`_RX^>g|*~YK1k|oF; z7^%75abeG~{mNjSk~Ou-cDl-0>KB}yLv4wK3q7d!2QGD0ofi6m(v?6vxA)M@Xs|-v zAo5g6cpaDb))0*JXHRdMXUjC2NStys?QFq{v?uo(et^Wnu;%x9bm@Pf`F83XoFT|# zVe3$yLFQRzcAR}!cXB8rU^P{B=!p*ybMh6-VDtxFK%sJ-Z-z_=kF;J(`!fWqG_#qw zD5<(f^oM^hXu)glAxNVz)J8^NNL$2U+|wNfLDUA%OS>F;Qx!%j;4&jjcUEvg;o#3m zvvAX(Kg-!^%gIIAo{{a}$x^T)3)>&N!gI&f4S zI?b{@+SEBy5{vY5H73Wg%kS$~x1j()Ej;z;@lqNAZznG~*DW*xzX>SBP#hQGP@q$D*I zXWe>->d4d}4O?5RI;@7_92GPC7ns6I?wRSJVYU9toh~9*=a+=IwTYb zu?ce~Po-7k&8TqiNk>YXeg+BXZ!nf5F*G%3yOx~MZJ*?Lr(KvvxP zrcJNhzkR{rCZq_4$QMpiOSbUY$i;wkk-7Qc#v)Wk7tuZOt`T7MMgr(z>gIOBS8xqu z;O_oy?+5vb{VC~N^T>(PCZiAxJVVh$7VfG}G$P zylZyWut>iaVssLZ-aNgTXc*P$uxK&Vl4Lp>suyLhd@BzvQ{1~CcT;dTls3SMVA0mt zWfRFuLL2Kyartey@<|WF=VuS?XItvs+w2&L<6y7Mnh~REeoli+L>L`*fJOZU2BgOn z%(-HIJupwQ1G~r4b87WX;OrU~*5KH)jK_{y3npUtyc|0XPUZ`xUYerEU)iT9QOPpD zgoZ8gkcm6F?bxzWh9i*RIaVCwmFv1M4 z;Z`WbhZf#rmW6=P7V&K6LitCzDuK$Y2lpT^NZ48t7=~ijN3J9edY{86fq|YT_I}l# zQjgG<0CEaSVL24WgTIQAt0Izd!N;&AkzycLdjCi8>|WH2nVy^`3Y5xiQ*xCUm%RtV zK;-im8Eo{rv-i&mOI)}|MtpZ?7QHGwho&eO&yw1ej>~%FCK3#UECV6D1>S;3c)j&< zEEzH)Tj}3SM{vJr6rTCS$%9Y2X&taEFD*y?E&f|Zcj6$sPNGZziq00m8(W;bIv`J( z+tZIIVE~e}3VNgx_H*4ufRq(VHBedvCVCJe;Zp_>@XU~LqW}4dkp=aFKJ#s)ric?f zd!iuH0rLTtN9FoCbZn*aIy_x`FKl}_ZUmppPnIF3wa<R=(|cXHfKeK%pgN-02{c(Cu_te4Q{LUU zSKPJh*JPica9>gcsy_21bk$)I0{7zx>OV`8@|ULaeYlO zzyO9MWj<*m z=iYBV!i8L-ye8<+ecFQR>WcJcZd5w&H|=)}NxjZXsrLE494^Y*R@?6nd9ebzrv@f_ z0CO^RQ!bi)OLmbsqdo;PD@q#mfc)n4|1RJ_eJNtb2*kCT(H^I$3_{@t^(fW~P= z-E`;U+a^b!!=oJk=b9lQ!4{vj1|odXVlJQ4h7SdUbEUVi2X~o7ON;FQn=hhN!Sm5s z0pP(!T;Eai{Y+YKg)Q$W=ZVmTko${UR~_HYoT8#GKo`q8t>(E*^4Ni#z-#syOVDLt zH2nXL^qGPH|M5}urrzBw0$qJ@LwpCIjtX^w;Ih>)iaYy-qrl0q&48x30Pn92u7)pY 
zx_W!PXfHjJqtL2vRo&y@BG757aqL!H_m2O z>|14c8$dYJeCld>opSMcYzj6wb1G0Tgw;Ti_SsvUxEjf6BC9l3&=3WG>UnalF`LpC z5o+U&RJF+_NevXg)%Yjbs!my zFPw8|>``KMy0lWuA3QWQC8bMDEHq?rvV))kTiR7!DHT_e>Zz7oYU!*f#G$ZHxd06tEJP$qoSU&W9C!@7M zcAJf3XQ9v#RPM>AHER(?6*@5P_JA!}?*IBJ`{rtk&(1;{=AEy8Dh^`6=xyaQe%P+V zYUqH6!$g)0jqr`5fTu)FP^M8>_;LtU2v@OdPwEu&AcsTxJEZdipV^BzNw~|Hg^fl| zkI<2ecA`1~bxhJQQ3a@wT1ILHz$K}|ue6;Gh*$|`nx#xnDn z7F#d+<#Uk>z=^0=@Et;HkImvQI#Wq8S4XSs;Di~|l5&hxa%Abbnx&C;O9-lEPsf?21s5>}jw$^iVS!+ku(f@u# zHg4r7f{B^sbA~a9#ZCqE0cWUJ^pt=}uR_m2X^e%1EQU*^$bXqm0r|1#9sWJw!U@yl zz7;m+yyB`dWD~LH8d0uFFRW9n8CTFe5y|AWdLgH|8`MjeVv$#9v4fGuKcZz2XKR~s z{%~3NEXjGWR!-JP?=aJ0C>CZ3(Es*gg7{;?=&DtzM`tB5CSQ(Ryh7u}AMs8Y3}Q89 zujzxUlYC{z!0~e_0i_~F#-9B=?V`O@yBE!arQS;3tUhfjcNixj7ThtyUY5eCbJ%U&V>AgG^;-;rx_}F zIM*3_x&Oc50Bwk+Q4PqyaffTb58lxezzKVFg=&3-8G1Jm06`Jd$6b{tLNg+E*m z=X&k#Zd`Y$ZUC)}CR6<1?|VJAJ>GeB*$3hTyLH}YU-uaM1pU{%W`sJr5txPqd)4o; zbZb2yiE_J*u6u5J4+LKxanN2T9yS*pm>2^_jXi35*E2SN%i9+NPjOzCS2veW(N@OH-H@$1ovJs6YA^3SYe10N;88+6p$CY__; z*Y+9HB|M|ca3hyf8`0yL>IUF31iI~Wj&`H;M9&H(jqu^ptt=0?ic3{pzk|{A^{rqV zTc~mn&>P!yT606({LH0eQ_OMwtS2 zlmDG$jMve3_Lp#${_88_bsiKS&@S$CZrvWb=h@0{TMw)UiZ5(?nU(ZwTGj*_-2Eu9*M?t;}PUd3N|*i=pq4zM;l6 zhSa~_@vV`l5JoCwM6?d$>c7aMHxd_z&>4)W@7iOYhni=K)x@$(!`4)2$GuEbG|7^! 
z)E_K3;jHDMK?}}fZJo=sBF<%)3_}tEbEy}gSSkDMY~!mus`8CHDO3ikFjbJNjq-n; z>6q<%DltlQ|3D9FB#*r-Pn{yq{yUC+oN15p@;71*2Av)JeWF}_3H6!%iS?rJG7%tV zId}#uSVA76MuoJv(GID2FI|9SUg#WrHJ@;-rbEexE!EMhO-m~s^fy*yUC{&FCwXQr zCG4j3GMkQqyGj!TCbHZuqf(RO9A6T4))TqHoAKI-te0g`X-1gRG(=u93FMp{n`>(V zeGJt^W8>RtFGI=>5`%ZG`H*La#ib)ryOK1&z`o#M*<3k^-Hl5eM)4$tXH&E{%n&^w zQ=-I_0aeYbqLw9iSi7RZ4TgP$H%pA|JQp#`7aR+Htip)?R5^5BzBph~DQ;P$+@yiv zQ(lEY6-0T0Mj>bhjl3!OA&nb9rq;I5%DeuEHS9)fBwNYZ@5)>Cg40>;B`Rq`%TYZo zt{{W-K)ra1GMB$CDqpt5ijfKBn`UXuW#i<^W&6xVQxHGgBepqokvjRT=J%T%SD!8K z>>V7EYr}ep6?tN!KF4k`6M+QU=|Kh3`lCdoXQpJ%IdB49A_qd(##9ArfgV3fC73;3 zaUiE*Mw>#mrX7)|))~f;oUS__e0~9z6UR+-JP(Ta2Nc>HJE7!$KqpYq%t_tYV&RVI z3*7I&lJRU{D*RonX0z@OIgrj-^1S+An$s>JnuXrdEr$EECi9{l-VIh&ekJi_a|JYy zRnNZ>TpVaLZGBwf!Yc|uxfuEr)<9%93EEC=tC1h8^akx>niImvkC4yc@N3E=ej;|l zdZ}bYcM%dT#e<@(b))7xLx5kEUM$yFYGjeCdesnE@)xV^yG5t+aVSwyCP+0Jp-jg{ zK62w(RX8)vwd!@rvrE8?uJeFYsG*EYnCXtm`u6lEN+Y`Lu1;#JZ_OyXcdp8}{Xxay zHsDzLA&gVX7eDKM=Ki-d$_lUCC{V|?f+37+ahn=dK+`^!uf!@DjetQ_HkMJ83@Y`67W6~PzprSbWc}M#4sI7W3O4U zn~lbSzLMw^exAZ6`{PW(XCqyNkPNv9w%A6GeSeieQ^uCDSdP{yHA3sb-+qo@(`vxv zzV69vb1RNmN1k9UEMA4l&sZACkdgK~VPoMB?Tlzc4wCZ-l_yX39~ZTIWRgEHXh_4SM~etMnC?VtF;HKP}uWs=|U_}dNvBMvn#21 zyU7xG?bh#O&Pl9bm!5Mc&O>EaS^N?K-RC?jck|GDT6h`_Nv>*1)om%HMo9r{q|%Zx zAcfQG(B>$>q0byB{BHrKfJ-Nilb#9vN1!(OEl}(B-n`)ZdI5z0c0wOa5IejC&0Kcz}0nA2wRqkdix%oAFeodg8YGp(?mT%R}V$D7F&RU zf)fpQ?=tU$@T;pCsyabH(LQ(@ezJhgwfNFX*N5BA`gy8}N#0GZU|I73URHD78`9g1 z{^S&oZ4^@LyAi`d%i4Vfo_@n+_g6PrSSeIV=0lRB!^a(FM%O}HkI&PBqqpp4>bX$! 
zbja=uR_;QryY@bz>Zw{H8>{_d2*-|{j*Hq0-g z12AlxI_8pf*=B!}e>HtNu}884++Ft}+_W89zP_o|?|VuD$LtCydmKx1_`J>u9g3&e zuG3@4X`6l!`kcbu0kAkV5{k2myu0a!D@nSCJXH^rJXKI0YW79B7az+8_J z{Vf|(owf4J%!?IUer*H)PM9SE&OX2E{`mZ6T5MaGUQ_M^HOV8(s6mNg)al`@3vul!S<7q6GJ|k6Tsvx$3)N_uS0yx~+5516uwXafY8Q>V21kn` zitrzrqwUgKlp-S~5o2^Xplx8OhPiyk8?};|g z1iXw9BDgTka^Ls7ifw15QjkvU2tpnueTiC?m9EvgN-vb8LSq*~^2d;|q?Ed<8nlf^ zaHeY97}@BwQ#<%$mJ~O;^OiTwFgVjK)Xx^Z2GN#F#J{D%8ni!~CSj$$P*+KEcKe&9 zn~8fZxc~*C;v6vbVHSPps3oyul&kJPY!~b?xxyEAQ75!E_UG-2E=kh$D=qTjg7?pg z!PdJi3e@Cyc{w0vd1>0Ue3axOmE4rBASjXvDF620$~T`Dh;gEa&$t0TVblej3r$Ec zq_9tt6O9`Xpz<}e9Vgu)4gV?!O>!JJP-_fc-qp}r`R3b!PaCmx*tnXD|HMuZ2G!q_+6 z(ZhWD<>N^Srm2@jsk)#=| zRR9tWj9d4gq!JNB6LS1LT<^_6FgI6)0y?2uWjfcrao|v63RDtx>^})r$^{*84O>p|SX`kLb!Kd1594*~^^dX;h4A}A&ax95Ed#%^QQTfKuuB%8oSL7$G-V!%@5 zgkmPkmJ&qMQ*VWFkmDNLC!2LGVE7Ei6uP>x-**T76S*En`wds{8pF;}u8mu5v!`X* zkS*ntb8I!f`k8*-eC}=;)L?IxP85cb9V4FkhgHO1EWJ=&5=3-*De)V6lhk5YK}H3* z*F2x$Jm6=W{&v6pzw!Xw6iy`XlzRU^Gvf>FyobDS4fN-L0F>KrM~4zb@WkP_@5)vA zktirc3U#o)&h=|U9t#BNo8NHw&D1Uu>b(3MOWo|ey+qW_Zcb@p^m@NUo6{Z;A6e3v z33#21yY_Ub@Z%gGIEEhJj5N9BQ5u7^jc5RIs4QK@R>7AXaAbp^l_9Yt-y2t7-{ne)Oeq= z@8f&bEMuO$R*gnVVd}o@SricByMkHUobf-@?K{8mn39&<_Tu+DsSWPZ+`23R_ivUo z-ziDlxQ_kYe{9-K)6{>9Zh7&upW@?u2)o$i^l2bt^m?s1cg$;1sJ3?-`W5c)9QV2y z8$OE!R9ZWV`0)ke*z;;-`&!`Wr`zSeF@!m(*Mi#l%8-`rL)CgzlLid`w5&oOV&tQG z+S05Z;z|cB#H1lt#W{Yyg0GN1+<3nZSGji?A&G2S#_;qp-1xoIKIw1w8*VswoLIUX z?{vKIALLRT6J(JBCP(aT90l*#F3$k9y}b1butQkI=_kbW zz6ZB8wOF1{O!|3hK>rIL~|PCc!o)Fhen1;)(j;POR$h_ zXcz(!99{@8k`Pql#R5nXD^OGsE0W~?hmf%;StEz^c*!uI83WtDyp{w^YwI67?=K!- zJ+@kdj;x#ngVvyC_~bnn}eIjAgBw0+h}x+P_4$}6c52-reIR) zGDaaHgm$tbie%+Bi_8nIbj+1GsqyeZV9C4dIN@xUYF3!0ILEA=)JU`xls6hfsc`5j z5)ol*gwXIj<)AS->2vHl2y0gnfO&4bVeqD_cu%dc^aR~DC9;i@Nl{+NH+fj5EU(|{ zY{=Q{s#;lr+GJ<1BPz9Z4Kclj;Z%vfvuD&X2X1M4GSgWv{YrnG@+BUdoRB+ zIs5yvfyJiEDkX=r%IlDunDE>a!fwBkC8{NqLAPRcVZx0P7z0zyF`*J`Dk|0N)-oy` zo*RE*QLn#AuZ0IE&o44_#Y<~gdqx^_6nPU=o=B|C!b7?tNGsPaFWD}qXA{>*7cDU` 
z=ZfNy%(|8s^j1BJhtE?lFE=LOXn^O)s=fM~m){zds(ZBCV4^NctggTf54-=hk&de# zui|(^KpqhwBb~6w1Y>z${3w4APuahyj&U zR>|CE&flng&~Kwu)32Oi!K8MLYTdahqZBK>L2cMnH4>Z<(GaMXY`y$3@2`L$w`_+| z#^V`-36eb3Bxw7aPz__XfV)BBirj#}H{&})rS>d5<~t=cWNj*+?dzce*l#EV)Gj_d zcKlZSq64MV{To2M$Sl4`1bPTbPwb^mxhXct#o4*U9RA7GyDIpD0$r&vbP@sV zSXJl6Ow>tIB#Bz3lQG`E$+Rbqg+qB=`_!>?J4^trNR-hNIXgBJARSvc6&yz$g5n(gGVbU>{iM{fbsNCz^$5w z$x!NArU%xhLZe?z7+Zp{y6!QmJYjHMmE;}Sy(T5im?pOVAq2^dr?$RzU z(L$NC=v`N!bjB8yX$Av7pu|ukm!=BNhi?U=rAj$73wNlOC`}^d(cr+fYK%j`C&VpI zjt+d|mX~G~u`*SmhG3s9RT&ZKqB)8HRsxMj&|8>+IKJmXJUQ0xNqP|UHa#;!qt?51 zFB}{qV*-U}OA8s)%J2zL^F}f(@EFh*kxDM0Ovi^Hlhm-I77Wa%tT6vyA*~%(;E=gz=iR^Xl(Dxt!x@@G0)u{}y0&7&3aR);khU)7Oi7^UOO^_Y-Q| z=LsNOLBt5g)xOk)JdusiapCoit>*#pB#k$j1dN`@Q{BI-_JVK~=rnUs7`5~MR5fdu51uFW5U>g@w5hirBIM|P zqM&Pib8w;GYLIxoqqu$dA=GZEp34WO%NmckZ4_f0dn75F{b|3S+q2wx*Flilb=jH~ z;4ygoz`1t7l(Byg-Ew^eINlyxPFeP0^Lw!#!blcq1C8r$|H%4_HZi5KaR$I@^LE1! z^S=emUmEu93Epol#C={_pBezXW*9Oy8a=r>Pf8AHUB3c%yBzhkZ}J3ueCOr2D5e29 zz7s6aTYhUF8!$ToUlLZ==8K??eKC6eyLTtq?^7{|oo)+A1xE=&)4IR*4!+k%K%!?N zFn}FkCK~8Vab!f}Xl4qAy`6oua`~IC7hM=4uq!VM-`y0ttLIDYdQCd!BYY<}LHiDUtg1Vp+ zGzz!EM)Pm;e6@}!rk&^k zI0SN5dTaGVu&Ii=H0En27DCFRO9*cZUj)gc#)82AQyXHbVNrmsE2|XvHLI%QU`!25 zF*FK=$+h^ZQ5))hka?V%PiRnB<0*n{)PfxgSHvHmFr?5DXdbH5iP}z(u#8d_#x;5V zD4_|#m6|Wngz9C_O{Deb5#(fngvRWZF#-1V41ov)Ee|Uic3ABZ%=CHRxW{%toSkqS zaBQ|eAB-KREPFxA8STxSvSgFFP#Ya=fC^ttA|5WRF!)FrTjmqCdQN%XW0Da44l7e! 
zC5=%`-WwCQSr}!E7~v|wkihWQeQFt2ASyx$vu-6Yq{1Rf>hHjA!UEl`P3L-f*mFSE z?iU+yf>G-sZt&aIg=3@S@b7h|>?_z8@M)P)ngzTkvR0l3qG)Bj(4mna81V+?zKm@NMf(I9f2sAJByOrue>78pPQQfUaqJ=py-~RJ_ON7)|+I1 zKxe5q$@=qLtkw+gMPYJ}y3Vpx>=2~UM6aQ$9HZHxM}vXnrW$EVo`RuXPz_RB$MCc!ZDUDGRETaCiOY8&4COr0r{DD8U@tA%#vxzo|P|w65C^8)& zX(Kwlo5@a!tQGz%ZP>%)=jJ;@uYwz74-9-uQy8pZa*1{#jAK7Fe!9?_59pv6QL!*m z`6SB$(}1rgyj{pZ;}k`Jq-?{P_#;tq?h;O&M!4u?h%Tl`I7TxvcIdV zpWQC^u&do5X;5q9UOlb{s&*}I=GCvZkTftkC|C9T(S}r0Q%*~gUzn4kJR`*>njll< z+Qva5>PrQuyld7X4QLTTTN^L}B0z z@d1{{pEq@-e#-&>sNy!AS#F6?#gSnsna|;0k$Sn`k>pijejd!GRRTLs&x31nIM=V{ zYl!}Cxx6hHT|xI91$6J=w&4T!BaxyFf(<{nP=y4IGCpzoc3kQlFWc74ksLiI6&!E8 zC$n3K`Vwz+?lxoE`i|m%5OrJ(X1NP~dYzPH1$4)DyYM~Lg6jK^)lkvD?H>E=G-G&w z$euXzfYSW z0$9!1Gy3go{wwyJ$Y>M1y=9xZqS6?2d{hv6Y#(%ak)J&t*ji|QNfWrcQ@`m5=w7&w zGwcPvdju$Tn9SHOdtXDsXrCAV(?VF1*ZDG_e~1*ca~;6*>}Oxo@fV)y%Iz>V<#NdJYk%v4v-d1m z)}!|_@b-lH;l_X8js$8FcX?33o_`2h9Mcw;Pe-tjpd4p#>!WcbE6p6Ynx z32dmdYhTdL;W}pU{R}__0*AhWr!Rrec{adEAi6Lqe86_l@cxxhVy^gMazrE=6mb6= z%y$CxB>-5y_ck@8@5i43v6cd&#VdfnCZ&wDN}RPFkNA{oazW@t3)=m|^NNFTCt8?0 zQ_zbGjAMB_%;+^opB(J<62jO6p|$IHrs6C5S#+{1-rcd=!u<02aH+J%sD4hIY`9l0 zGgTP;Tt*&=IMw5$*2SS$@Y3L)#=MQRbDN8Fe46Sv561zYrX>_UsYDgQO)7V^IQ(hR zkLgxl{@8Dj;6@88SXwwxzhYuTY^a3YqLlHw#9O}-hlWz$q(lQkxb{?%hs5&Dm2pQ7 z(j*FFGDbmCt~Hx6Wv*Fej^Jf*l(^PpLL(Q7V1$@J^zVzavrn=e*pRCNKG&ymZ|b;| zaiXcuA2}Jf4)TZxcRn2XXlJ-E{M>6Yl40V~5MvxL*oj|6HtA<}D5n~eHQ&A2ZauD` z6egAmRCk}ODdC4P#VBy!BA|V zqDs^?Ee@SA{}y62k%dEHCaD)8bkbzbxEANnIsVnqmZq5UZDF%sCMB>h`(uSrY!!}+ z=u(_byN3fg9a(4>vp~GR@8*?AK#D=Yg|agqLgA17oCNbX6K0+YdXtK|GBOT2dGnVImF$`*QbpMVUM8K(NC!EbDNHx;#Y3NT_ zS;0GhZ&7FujlV>R)baEi2f7sdX4b{H9GpGq*I5nmOQq6xu{-x$&Eu+jwpF{s($DY^ zn;?b3?b1T9jH1WDPRI=!dx_Owk*Cv;dxwQ2_-7sEdpDfRJu)-J*g2mzE%4MHchW-I zX2@6~5I^N}%#m^lFg^!mW`t~r!sL+K@RJ>VP|(3Ig$Lz{Ks2eJHNKr?g_PI~+8t1^ z1iqg_fIn7iHiKE1=>U&}GRN8AtAGVUPkE4%{0xo2V#;W>svo*b>_XMWV+;i`Z6GfX zqn|*x+~x@#z-$Zem2%3{!h-Z7dGr4;b&lP2#$C5>8#j#_J8A63&Ti1yw#~-Qj-4ir zZQHhO+qSj$KDnRgjB}qi>l0jK%xlg6T)%1CrK@@x;GpB+6#L`TSB^TvXaek2^*U3B 
zg?y4|f>}gr>LSC>bWhgqicj0rD?}sLY%zT&lCu}l-dNJvczS8OW;=hwSeVXHKdT}+uXTJ7JfpPWJfq0SQwz$IM*(pmE%%q6oZOBMJNQS~ zY6BBcwxGpPtD!Z&vn9ur_Yrr^y21D=G!FS{YZn|>a*IF-u>v| zw7si?n5iqzYsLcjzMrKl#I?;k)4ub$g5ogK`F@q+v}0{?{e6FObH)m3ySz*nBx5tc zzCPoArR~^fu_cP^VQlo3hwkO{w5yX(dZQ!Pb+C>T^q7Nv2zzDjY09bo*27J8kX3!P zdW}*tL~V4XLi7rLaXoJ$1id3$X?y-|nO<4fs}?czW)(jrTSrQ(|-1 zuwEWJud7iFEj;`R@XS2|*b|5!)fm~LH z&LIjSF(j)W0;z_O^qYaqOd(TM`5-#*9_&6F>2vD~3L{5FO?s&`Ixq3d|7vjahi!Oc zpukxOoDWMMWh{lLN9+Pzj#ssfQu!B86P&d1u>BM)Fkswr*=q^KZ&;jYjdJAiZH?Vy ze&BUzI#1{P{yq1t->H-|^+IgJ7$ApW+xvI4Li3{_sf2Pvn5S@w@zkl-Zsi|`I7L8B zuGS0}e?MX0(bok=#{LE``UZPGN>Q3kYp3mZaeW<~~Cy5>nL&oxMzZ!Ekk+^XQ zeaYp*^JhU0uk+N@gNE(iIpBNUhUnnMJ~J^Z&Ujdzud0X@^b9e2*msM=TbuZvkh%8M zR3A~xjvO^HMd7LCaBYfFbb5Z~k<5A4aY_phkycf_qR$muj$QjN0PeUllQbLpGL^i4 zQGW;1H8^mXh_TUWW@vMRIFd?Ck#u)61iwYS8n0HDw%a(ACX%{m4@PhcR&~2f(ycb+ zUq<)Q#!jlIi_IFc#C0cpw?U_H_m{p7`$^;3$hM!4rj7$0zH#sPi%Rf~V+Jp$RwF6Y zZ96S=+fPI&EVWn=UtEa}BTQN9_^Eb+@+@W_zNihsOTCIp%TONP&rk<(pG~}*4Eb?& zF}Y8LLE(pof7+5a11{$Ri_YoMwyAwA)*wG_KB*8j7P>@zGKL2m!f}1fe#t-DA2_-v z1yTWMlrg$LxUCaJvw4+C>2{*W64e9SKVJV-6}jz;u~|sRjj2NrsP*OPlyA<}6<_|P zjebwaJg~Ib9ZP5GDZom9VR86ijIFxWUW}I$`O^;hsn&6k}jWZi>$xq)ve4z!;a-t%$Jn<_7d_b`4iTHgzH%vZ77lBmG_>Hf${()awX zp5XOOLklyex*#K{L}{hgQcH8;-qTcAHZ>^v?CNZ}jwMOS9S%3~h3<%tMeaZ$?^kh{ zNELK ze_UnX^!xMbWJpz~DySF)1kaZ$;MDo|AKOM%TRJ#DRh?Va=9py5`;q_J<`xDyuR#ECU`+w;L=ek}HcchS;ARY0hZ1WK~pD zHf4gB$xm{}Br6=)L4oUZ3eq(|Rf#5<& zQVY$~e`SBj@BWAUK4d)+6MVSUed0JlT^}AIjL_hm-|6pq87M=@TrnG z^Sqo(EE&|@q-#S2+(Z-W`g7;dwS0Lk^|vQ;mF@NSPRv}jodT!zzb((JQTBC9HM{$r zH!bUHX^2{gSMwP|fY=o`JY)OqV;rxx&#D4ldvRpHr|!DT5W5TAq~;O`w&SEBfctEd zOWk&AO>^q%x^32#vCZ>{L5|-O(pL8d`r~%hvFO38-BQ7p>fMdd)%LKn8RaQeb@>Jk zr{Z^+f0H_IpJ8mfP~`@__MWd0zaMw*O#!SL%pN-h1Uo{N5UV^%ZQiC43w&G}0aqi9ksI$#$aXGP%!A z7Q)T8p2ymlmVW|U8+XpCh+{H9J&8}9KG(t<-i~KTJC2!n9qg_JtTV1zOO?ylKhGA< zw)8|-!aaNv8V>oKpJm0g-!_I&JnkZQ2gGy$c0atXmyJ+tJoin% z>SAllxQSO! 
zr4VJT0pPqu!`6{lSU0^YG%+*YFKLVBnUG$D{I-SSe+`HtZ2?MOH>Jp8Qa`gZ4SKPW zVw0-x4W^)0M3J(PiRvua{MqpNO2TsDzwB$pEz;x29LmNObJ9k>{QKlyKiQEW_Yi*r zArzwn+ITt~m25U!iS1aGW{eV_4^?%VB!g`fSsCsC_9A-OcmV_5p1=GkAzLkf#|Oq% z-d`_-oF(>6lbxYKzvSobfoPPF;3qm|QTb)Np6C03Q@TAYEcLnNf_VuMr~zVWuXOD94m3DEK*ifAwiT9~Mk+wc+5@5_s4(!BIF{+ZHEVkUAA zQbA6MzW(<=r__Ti45g&$d&Z6OC}HARY(Qf#D0#3!%1qqlxH)vDlp=NiND1@*MQc}b z1}4alDVM?!4TucEK8Qf!e>+GoWg{*9Y;lnZhqHil2EU5)W0=LLp5K`VjGq0|@>`or zjHy_MLLH0uu7yAH*=qK}O_{#B-NUONdt;rq^(VFv5*^EjS#D88o!EP5UOm(p+q6%P zmcmxIzgcjUbXoXIgjuA^P6Sef$ZTdSQB?=3Pl@!=7!#6XuA%+XGW*i%b-qhy1g>eU zer0Y-ej0L#yYBm$_=nfLl)^|}BA~%P3hA1bQ_#=0Sc)T9O1Ox-H#}5RK1IYz-p_$g zco&8aQ0l4QbCO`ViLW5fkIq3kLK%(~_LYvJ_2k<$4pxuyPxJtSrQz-loUi(J|B<}Z0Z~v7NEn?`xtiR(%;a)cV_HWtB zJZ^j}g27=c#i$FVjITW`BgIw6`Tj7_gWd6)q~W9-F(-WRD4*%}6AXr@!yGt%=U`$e z=m;^^T)(f)G#58*XNEi|Izhx(8K z_Fq;RpI7?+Zevv5$7N|_P1!D<>QIUJNBlfKbzIh;YXj`U7d!$ae=!BfR%w)^l&uEI z`SahJCzsqA(?q6?<+CD#Zb?MywA-jslNA+|+**$R7JrFyuCf<)5@IjSCk9U-8fAlMTm;Rmp(iGHbIrR)GyT{g=--IG{c24 zC$0T}SE!6QE;18s5*j*!!F0Vc>Wdv>1ON9SSv;7m`s=X{)Kv~Fv$*q4@K$tQu#vDg zXOePFW>Q5q1MlPj4h9Z0!83(MDaKlchLMj=kTm_`1_|el zd{gD5{>(S5iT^i1(dO`i3K0d6@p6ba#YG+XF79D#7Yho~BM~lQPw?{N2qGVm2Z^B$ zRDccxmfQhlOLZGpQZEd=h}&4>t%1+|hr73Qp-;Na?}%spZRCOYs$BXZ?uPI359a`z zw@0h8zgvK7F+iKlkSbGB7XbT_^B^owRbt;G8g#SANjKIBTww+9o&^j6be+#^uKb^P z-=u999FGpOsBto+mKlnVq5+TX8S$bY7eMW|>1N1blCDfIi*mq*8y4cuZ@x(&`-=tF zw>^d{di#jv<@=tOrOHL&rswSf&koEcx3dTCr%Ujqr`=ZKp{-+?aN*?<%GtQ1g?%>x=#wF|PUKs56`&q;)pPL@y z#*b1FCbP7PN8mvvpt5s|62E<+{bBKVb*YKhGkWxR8xh>RSUNPN2V6S@1}??AT+YSz`G9@aB!W*cNx84rlunrAT;H(TeI@7C^bT6Y77N@*Je=Qu>HPv5r( z^fK>uvyLVid^|&hU381QA5d2MqFa}_uR7wsipd>LL5_naQ96acN9$q{8g?FNgS0#x zKn=v>FCaoO2H+^}q&u*|$XlN`9C+u|lm<`=UQf z*NI=v^SLjo6Lh(FA4uq++g+}E!BNASXvO~A2bDj z2jX$YN>;JAATr?fJ7DKuFqBjrjAu9Q^}RPkDP;abbny%m2t$$;edz?lO>YH!;o^0^ z=$OY~@d)Lz*Y{Yf2*MXpJnZWlADK`w3=L*SE>!azI;5Wc?B$9q)Togt;`t3*?RX-& zwlf$$bBCAr>q4emR+a89eMrzd&@3-!+3A%p@>{&cQ9TGgUZ_b|iQ?aJ+JMXVX+vJB 
z04FH|H1gdx!7jY{NQ^)%BpJFTw^Dx={XvI`a#^)g-PyQY2RZXoks5!FUy<2IG=aE`OA@->PLJ{|L)g?m6e8>E$ z*^U*3%*KDks~8x-otb{o{VfQe^D3)L5;77?l^7@Np)P%5ifsAFT(sZh#N?p{T(ttBs{7lRA9RXeS%SemdK%iwR<1FlYAhU$@G&swp>MV*(o%^ z9Q!jWtkt6yMn+E*PYN|wa_2gsva@nYg!$H=cOokVT%Al8)DmWnYl~OOr%32T{C%+& zRV!mC|9?<>#l3rd!y~JCF{zsk$vF0SV_0NV68ZS`i@po=dW9qoyLTl5Xev%q^BCO4 zgJI;;HFpK)Tp8yn`Fe)ec#K74Q|80gp40vAzm-;LHI2xt_Q=ROf0=HeEzc_T>;Ix= z%ZTFE@5W~Dn4_s?!FCz)V*ORUFE5o0Vu=%)C^eJXv-FcOgTi9OOxA7sq)ICk^MjXL zrK-CHp&PrF2;-1TQsG>{f?R)K-U#811stb=YM9rBQsccOr;oT|cn4gn-PQw{<&619 zR6yugo$mC&WK18sZ;LUtI84Z%C9*Fb^pEaN^?w+B(bmN_Z1UAd=mB4p0_zCJ$WOVK z*lHbenLOs~ZMfVTO<5&2t)lQ;I1s6S93m_v3JZIC_!4gKXKaD}(1=^ocM zfz`7*pe=KpS7DD&0Kd?@G2(0$sUz>3&N?lhnG(vZ7Qg&m^UOb;m^-KjmVLEjGuftW zf_#Zkii_J%gAR{ev_TyKrrh5GlRL3MSI{VLq2{28*dK6gyR7vha2|(-=|2z^ z|4aI77H}Q)vTF_HFY}(Zi@vx!O;iz_2~Q#>QFVCW8XIBW@PL~y742T>%*4TcZV3Z5 zs5}aR<@8Xdh=pFYmhxa$6+cm&KMN20TV=YH@Gq&tG6R6%_aJKn7NW#6F|EYk-zHpP)SZH>o0fIi`JY@5ypP}R18PKR0`>@BHy}{^*nu$4Q)O#{*(WZx% zGUbYn1)^jL;l=gSmgX^(Q4YxK9F9Jx3Q zG8VD@>n|<(@(s;SoIN?goDu<)r*ekm-TR-(3s`;ih&U@O%S%(!;|A)9^LIp7WcK1y zm7|0R59VO1%mu&C$CbNuz?f;v-fPFg!XX8Y7ZZG%#DJOj{{du>^N&bY$44ZK!cE9oXWZ_^)oiUd4fBcb;C zwnAk+TG~$bMj7SSxI*e;CB10cUeNUfZQvd#~gjhHv*;(iGwNwtnCPjBLGH zgRAfncILd#aMaa38xWMzy4AAM<>_iUKs$OrJao5GuUlXxZnJkXyqZx`jR$${RL-a7 z^ZJ;csFl%OEU8;I#Jh~ytV4ZZP-`#$&Cd}-elmB4x;<_<`&{2-g*@Sg@UyOZgF68) zlc1*0oQQIaH+OsYX_W%+A1}YFQ(9Xi74@dqGmc_}&+F%PjIlmG2ent_&dYOESFI4A zpzTZ)J?^~5)$^sLHc;y(mQ0P;!-<(YHfXozfvzd@dauntFU!5)i3C#1dK5mv2wc&# z%G%fj`mFI2Zvjd=4t=~%N`UKl9rA0>Yf|GIZO%J6XOay@m8-X6Tb?FM4M~Y|{I5An z#O{A7!cpvitHD5PhOU9yC2Kl@ha3L4$^>fNI?$Ef`$_O+h#b1qRrSuI))p0$>wN$U z_~2gUQv0bPFjzmXjrX}8$?G`SG-i} zttqBdZv18xixuY*+}f7yldY%2G!OV9mg$kG58c#V7wWGD*h760tvO`NKn@wW7#SX` zB7voq%OJL{?fO(zvRNZ*zWWD}L?_`^-jk5-{^Uni>flik%1J|W4*6a@G`K|aI>8!6 z*`FG+lSt|&Lg;b&hIy$0k3$QRN)N42|L_DqrO6`ARwrj6Be0A<%~+48$}ivzsKj9W zki=C}0{xo(C2{uez-RQlNoCktC{9`ut6FsOb1Rzmy92mS<9FssECRp9H%U-_Mt<{5 zGbJLA*gfeYY#aMpA64sia)u}&ZSVKx5wkyp^J6ccFVKAz{a#gnASS(yOgcR~Cy%mu 
zTjw`t4&XYMAG;pM7E!W|(jw*NXesd(q%*h_hbCH3DSp8b7d-g6)w|lFX@e29?4%u4 zrap1W>}H-5Y2l zvrn+9&qE{2FvW{Y**%ONep%e!3;*Asz~yjr?9z9_kXi{TxZ2ZXrrm-ci0BETq{tPq z2~|=sg+iLPHNI*R6G%eEa~2o~)MxmC^2W}MeW8>g?5jaOUt{*NgOPIm&s$s=anV%5 z^jmI#X-#0dx2^$2yg<|UqqB2B1k1+z1Q6@wJxiP4nkT_)Fwsx9Vqe5B(+sywbq5~_ zxw5gvAR*W*gxV@*Se@+)8D>BzCCoTp3WCZLD+OjlgJfPThP>~6X+}*_>fb#NXgHoi z&RPB-dW4P~g;ZTRN>mLZ=rq-AA(NW9-}rmeA#E5E-!r~2!60WdM~)Z9veW*(%@F;0 z?TsVy!&x~PA4^9%=Tf99(gCsYabIyZ@G^>R^c!pazvCGfg(EB9@dNs#seD4I-Q~gi zy`r!1W;cxS1!K-d3BC<@7b9ex*a`Kz#l3DlFbQF}mM&eX#pJKQL}nL6X!M-X*X!%p zqoCD^-75S(CtA)m&nsi_XzA~o7S5k@wUnwNHq0as$Q0o}pz&?=fBMH{k)lc|{Loxw z32CB4r@tnSdA)i9-f^cVi*Ds)*@uN`hsSa^*^Ln?!FJT=7qGF2VGQN+f4NO$VLW>2 zu4Tv@&5d(fH}z~UblI_|-S3EBALkS*4_)+VR+Wxv*1Mfhblg7u`1c$x`O+QDL!or2 z_1DUbDqbFECH{Ma!|K_iHpeN2qkehxh9Zhx!o9%^s~cnQt?AU>X`JA=G}|XaR@vDR zC-zM-!7l8zbWHu0!F z*pwvW38IGJlS`A7aVJ`hb2o9eePST){6#|KWSy z5SyDqnyT^z;TS>CPTPu2-lqUwN9-;iP7p4Hdynn_9eU^|UVudCpn;{98>@Mo+_Uk< z)KeBD35fbFV0!9$s#EXbU=JRthbvfqy72?uFuC@KUw0{B2+AwyDKvg+o#61eT(Kj1 zz219kzn={n#T~5Sy-Z)RJV~ofvNUV2dm9|O0x8_T4wRKk4m9yynirMxyMu!_61i?> zjwUgY!8@kWmn>#U#P1$&d%)L>fcP^>l&5ZQN#gbDo1i<@Hm53fWKli7?ZvD0=dxMN zC=+BpQ0Pbr-8#qm)fAQXOD^bUdqZid!?++~h!~=csj6Fdv+;s&3cTK7-9ZT8jMjL} zj7Wm{>v1CToT9R&p}KmXN5x?hz{|9%f4QAv)5+;sqQ~!c^lo;kaQ>3u0P&Qwg~ShU zBqvi5c5HU63H-U@)O&t(Nz-edbJ^?wY}pUV5PQB=$I1DmP1(4OdSWxSXc~aiBHNZ0 z)h_7u{_HePxkSJ9ySaq8fZ+C4cF^}$zNR{FWA&ZtHyaIEsL^dq>My(EW$fq=IXH7& zAonfm=d5*3c-m*Q06Yoa=Nymp5E;gFng$2QQNlgP&xoI_FYe>ce(#6DajdaCj2ggg zP;V?i4ncPiFL62EcGqd0kNx!d!}#9HwSb{r?>x*j}0r`+mUM+YM{;YVHdSjWHin_}Wb#~QOOBBb0h9!J$`vDs{FTWee(lg}a(*(Cb^oPwJ zfdRw+>sKdk48_N zJ$BQ41bo9dem48hlMNt^lY-2)E)C4-Uk(qRFs0cvIIHCOaV$)1E8$|nsAM4kTC;f zDX6sj^zTSu;**n{sFp@QZ4@<$SyO;ll?HWG8+ZH1?UfgM1jegRhB+oRnGBa^Kt3;< zMsEl+ejD}Q$6-rjhtE_Y2=!Z^&IL&{zNtN;uhc}KKFoGsAs3yve6Ed8#zjI8g0OkFjAR^E3cN}eBcEd|oUrD@WsUjrNcMb6)}>r?PWU-i!sYcxqXw&q zl|8d@$*m@)v!x5n7ab?UvBR@j$=d|gEoM9h(Du0u%^?@Cj#5QL17-BNRm~I;v8W*S zEu^^Kwd+4YEokzgrIM5zyLA?;X9@Alm7W*h@}9I*>OY_^wTg6f%st!d3If(-6&qHU?RPX+!-i<% 
zecSMO^tE)8ep{mbq&B&`ke_N|*SxeOml^PBVBQW!K7NW#QLlO!wZ!=@Q>^|6slqN? zo!Oil%d+vO06LX$_DRtQ3tGZXx>{;Ij!@A1w-Qx+`1I`52caP}N&$@iU6G@mW$HRC z#o?tEKHLRuZrhOWKS%y4K&6LLh@JT2iZNR%TKzC}tLYt0_;oCX;2j8a5iYvmrAPVW0Q#d)lqz=trx*W|m#}oAc@49I1NIAU?luQ{s3{`pI6lv}#8(NFGPeL_ zF*(+kLEnoI>5Abb%BWz3xqp)89zU-m286~UxH+I-C4c{(HHxRv7w%fi8x}1|Xy8eh z{Ppe5-zrcdM}|FRx_fRWbkyj=p<=i(xqFI@J2!3WOH`uKEBdCD8hWe*!h`6DkVyn_ zW37xtxjkV+eoG1cSwkyq+2M@`y9_%zD6DKck6IX?D?8VIfXz`n`QMF5E(yGCX4I`8 zvWkZ$5n{ijc;fGx)))B+U&Hj88HYU5>1n6GTD+*u@;+%+xGgHN_ntRF@C|) z*MfGhji{r=_`!w|7p908GnyIl_)z(nAE%Taz_!SIj8ACMIU-@%$#Q-4k-rP(g?j0q zmex*8Eras8E|^P3juI~STXKe>Q}UC~S){*0lLe!#h_D##KAb48y}#A?%2Bl_ey)|` zE^gQF;tV8WGjXr^epP3h4vWb zI6?vuCER2x=7{t>jB+gI4%TYNUR;E62b2VPC*7Za>V7Fu#Z$OdFkBvI7h%dOZFA3o zJERq&@V96oPK~nH!@=^{GwhOk)$OXFC<|OQwe+roQdVaVL*d~c`Sm6M=nqCR>Nf|6 z!qXaPGa-qIhSRt+uRHeSBYzc&#Z)ffLYwolE`$n#=E&M34Ht;G=5kgU0Wviwb-` zs(aB8Q{GW4Q2RJJ+MKMq0!~)x_8w;X=5l@;-Nv0zd89D4xozYK;IlW5J z*)et9Uyn}1bv4VRH;kij^1BCwTy>sL6B9+-c~6(`aWv}!_Zuf0wD^!D8ooooZMSTIa4ya|3`1cKr8;9ewAE3xnrbvhJD3@T$w|0Oui@vd;YVq<45dPTiO1 zhQ!rskNev|FOGU)n^=7{IW0mZVmz%r9iE_|j#?AT5m8~P) z&vpxlUL?}220gcQz+iB}3mf@!ql3zC#7~z7Mq*=y@d`3fIX8sp+x7uB>^n zSW9ob5-!ql-{z^idh018-nhN?aRgT%xDQo0N_(paly9~~=<mF~eD5ZdvlC2jezNV)4X;8%)&V1uV|qp)wjYEIMLu#YVv-nIuiON zhk|p6!IeNZVNvD4&K*1haz`K*kFh?qf}PV^to2Bu_CBScxHY?0BEt%8qsUc9le`cD zJG78YaZYef(=_QlmgI2<_^RE@O9LULDLLl1`_-lMRXJ~+X+;^`S^A!%kLy)MYBtX{ zVv1MGm#7f~Qxfdw_3W{>JZaDQgK!PR--^Cr5969vrhDpmCau53FbD>sy`oZPp_=mX zZIFrMQwooB`U<1IToiMB@|FDV!iyBY6em$CZymCqjhj7JngsJ_DV$bV3?_N_k-pAI zv@sQ1EWxXdgoC_8cFCPx?oiTU1TQqocJ4C&Hi3EJoOJI||3@GOC#A=nge~xVuyTm1ONlR5Ci6zsMk0;H!A5SQ^^YT$KokGue@iDM9YBoj?xY0oJP7hN|7+xI+dce z6lv0*d}x)4V!siH;pY@#%_?~I@rv=69DP#RY3gT+6F`iy{ynwpU#TbrscTz{_hCy-52R7 z=@SE%dxG?kwJ}a+;`?Mm0)S7qKrG9am$uIg(x9eXvfQt^1@3tnLToOIiKzvf)l{Z| zqwqA;UL%>fYCjQFSSJE4djqYmZ{}@GYSx{Ue{ywj(UKuZvPLdn=BJw`*qWX-C?x$0 zMM$^s_XrTB#+mM@C7by(C3x*-`Rx_nXh6hOTYu1KmYj^!79~7^CSmpq;R!2y(q}js zL<5l)dZWx4W7L_LeB_{ePnMY{^MvqJ*cD5deB;wd#ixkMbT{0VBwFs|e@wL&0aQ>v 
zJjocbb~T9tvpj&vqlC?poF=R8;Vo_0$lwA2CAX#XIuy4Fi`6& zqsUq*-TTJi{w5I|Iiy%LTrWNUG}cl&_t&XjQP`jc|M829 z=0DM2?0vsV+`c`=e)bRYrh$8e=fU%6vClDFO{kBji-R2rOA$5eZ5UtwNiG$X%TNt7VP)#R_fu;Y)A6qsBMlGOh@AcTIXZ0{BKSt}nN z21VyF0N>U=^kw1=<%<$Va1X0o?+1S6nHU5Y)CmI)(1%A*f)*sv8vx3#yOkjAG_CMb zB>{nD#}$Z+U~+VAU7npAGZZa*;6cFB*Dl_JdNG$R3GIDB=ZOgz==Rt1C*b>x;3{EP z=db3=7FL#HhEQbOalc!D7erR459f zH|!c6i7IR2@?PqYd(LniKYMm2)^@zReXe*ttpfg8;E6teJl18>aU15}-R(0f1ZX@o z8wFAkt?YL~L8QT?uXm?RTfqAtDqK^$QIpmt@7{##q&9)~Lpq(yN*ZWD zC)(y^E@89e{wneEc_gJu&y?tWM5jr>b3QTJ3sRexmh0l$7(twYva1SVQ6SIN8X2 znNwP`>+Cz5(sf)WD#71>4ZGveIOyP2dym(*qAF;%;_xz!_g`eX_Rw>Kr$*(qI|8)N zw|AXZZ9?v!5WAY4i)LEYHaYFKmNtRGZSYc9pLk_!-WbpywH@x!E1V#Zyf|S^+Hdgu^y+Znbu+}XYtJn7{cUnV;`6$3;uXYlL zZAXCj@dM52cjbZ<&zfrR-N924>)My6 z8&|9L3vY(8p1n)isV6WyR<92nzbg&n{_;FIU$WpK?K|Hvwe%JyG_U zB3`1=QOW8^wOct*K-$J%XZLqR{Cc9?@cI{jqp@MR5e34zOE!-LNop9gVa#aojj!dM z3$!>G8d-QKvBiOM;uB%Nn*X4@>$k}=HG3^#sC)q$vCH}`L{R~}28S5V<08B~3r=6< zan+y9rBS7ylhM|Yq=V1$8UtkqXuj1t4?Ga+T0NvWi9Kq6x{M;-D&dHCYK+;9w=Tjo zJe+4)v*6{edt6n>suaviSrRWzYz`cYt2K*Uh}HDpu9c^X^J1DyNw&brKsDfpLD`OiEXtY!I*Sa7dD2FTr+mp* zB*BXY>gv-bi8f6$1@+K3$PO65ZrWS_ikNH&u_HvBd?L2L-MGsN(zFF%0uYrTGI)qY zdyBW?(UKbdpA6?qSI(LqmI)SvUpPeO<8QJnX#KXJh8`>$;@N1Opw69R4Yft6+_eLK zE&t0kPi88-Emz2VR-loel@*pTmJ?LSTZN*CJGhP%nDmsl*7VAm`<~+yPsx=e zBM0itO-zW#*)fj8Oja!04PhnI8#neK7y66N=VwM~SDpPdB7&TIm_?@(K^SXK*rYt}$pq>_lvGwWK*4nxiM7F{Xr%=C zhX4|fJA27Wi4dJo9SizjWug;wWmd*rsLU)`+V*^7!TG2C;(=!MjRYtCbf(i%KpPMcTmoL}y@%KrF|_N}KCt|f&Cpb|{kE@KT4W)e%{EqP zh4c;QbTlzi8P2rpCtG!4h$Nc%9zxo|z9{E>?q=Y;gCT2#feC|{#(93)E`LPg&{yH! 
zFo3z)Egt3ZfkLL$-}ubAhuHc}8EQ1#0^vODIt9X_VbMC4Lmu(qNUQgsDo>++o5N== zSib@UqeCkSrE7!}#?S)3aNb>@&2sFQ%HJ5s#LXqMebMB$6~fT4-z|&D@b{vp$HjBj8Q4bL&O#(RV% z36y&?EgO+nPj=(#Ih!b-c6lAJ%>5Sp;^F9P8g7vj`x)Qz8z(JHCfrwzjwD)X(+smk z_x}#C8l2GdaMLU>^gl{V_Mx=5dl7t(4A;bX1Nx~X;;$dQo40acC?MiH+;7w`6sF+* z&Tz=N&y&H~#{Gve{XT*mLfrg_cVomv2;4H9%!xRQNcS3PcGnWBwmd#lI*A10`ok4 z>8>wTa%)TAiwCuF2EP6(236H8pmqBz>=00uHskKrWVr?CRt6jr9wYL&`i!0Bx?AOJ z6rsXuCCQZTU}xI3w2%dSzhlViFmIo?N$a{kC*|GvbMiU`fTh1`=a&S$epK_gzNUHq zsA#w&Y`Co}Qauvz-g0=t@3Q~f?s4Cpcw6JSDc)tj%tZIma{Y3XzM7_G?X%5erSlq6 z(FB?kJmZUebOCKpreQpSgL*GKZ=>j-vaFx>qAT5Ow_3(#290h;U8h>OTF17We{Pl` zcRHIvs?6#u1Odj7o|2S->q!s-g05+Stba>jen@+a!B2Ts&t-wX)4MPF7 z@{(FE70m)%@2~F<#W;!TcJ)M)>^dRD*c#RpXM;LVmlbXojbdG{7FQ29s%w{%Cu>BZ zfIq^nPxz`jr*k@^X27fXCN=xiCQN-$GC}OFi~%r2Y~t@j6s+w=s5I<`i|6RM|&7%yX|B z;hrYOfub2#fJaB6hcL9BAtzKr2eU& zFVR5#ovzXRokphdmsh(eGmmd0c`@*dBsLPJg}8B&a$%lkfXl)=7x6ZkHJgQTpGCN{ z&JNup1dViyeY;<{V0sceg$TyT#(&RBgxLxTG+NKK@8Fy@abIVvPR1r!0!MU|7#?8Z zLb9)v`0o>Us0d*tb#B~_av2)OtO=d|z>X#kvy)Yf-Y+VXDTH_1b?84)IQhIVgL(5T zIzhZNg>onxC&gDIeU%q3cbLV?e}DPlIWFK;{t@1Q$&n!XDY#yV=_r&;{fodkd@z4F zyFQDiD7ju(b^f~&eE~D!H9m|e>VcsaQNKg(>vCw0mUNG68TD=|xy~78WF({ezj+I3 z?I}WbrQ2p$3xve1Z>SZR;y&Zu7)aJfl$t99U7lpFV)Wu;Wd0tAC5EC>DgVz|a@tox)((Bw*rsY|ihy2H+2jS8b8bY^xcoJ_ilhS1VbdAQ6~Cx$1Rvem9Iafyn z{fQVjjr&AwiZWW*UnP~*UPVWyrs#G41wYXS)`ulUX;L@PA^YS@Xf^E(gDbE5+QJr*dAxm5dvRn#H;(}#5vMZErU^jO)(f&OV z%~G>rgK$5dg27uaJPxOUrD;FahAjGhxckuJZOLKsH9YJndyB6lCSscEEO;Kxe-p#; z6SK=_%kU%yg!69-6@sBGGLf^+y?1N`Qs3)2We(7QiFT$hrvDur;E-SNcp%l+DQif` z|17#_knw}9c1Sj~$nN|&_J1&=_iM)hj6g-M-*I|0kfTGeMH~H#nc+&rh3E2JQ(3ZO z<1>7_ca|f7*Xk1GlV(?pA%NfWk|@p2XGy0CnQ49deC%=S4V0DT1$^@#v*q3!AL9T5 z4|q9RJQ6ODxo=O3F568U#x9=+vTPk^!o;LD^@?Tex{MCI-jZhzIDJNo7Cl=WjzZcl zU%}UY0hc=Gsee0iZjYKQoyX#oE z%q}n-NJUNkrF5!M=Zw(iDGmE=qGUdG(z~kMbN=m}NDIS`#F6R!I_b@;{x0Doim>^b zfA@OF*uF!4^1Km!O7D95m-n*ic7n>rbzt^{EOXVvZJyw^sxGS2hMOiWTD=@KCkN)9iwBM zFn4*y=zgV9G{t*YDs6F6hgih;Ht+G43FdbjGq^hh+-ER8x_BOt!7>du`Hc~Fk+v>k 
z5@&hsP?hQ3uQ(31m1QPx?w==3c|G|WX>O;$dBSzHoPP!I0QjGHZXy>l0h7ze>2WFd zGE`s91YUOPq$-|YQGEQn?0X}$TF1(pMz2(xAC72(D;$dt4B>zP z`(6OY{|Eg*0>7;Pd{go7_)pvG5X1rwC%?V^lgw=V5Xok-(#)Rq%ll9Aul$Gm?)i_1 z%v>s5V&;FXEv)~D3*kRZ&|sllGr|-HZFVR&8K%nBP-cBAfXA>|4M`hf3o|>z-iYB% zfe=PU1Ml-gv0NR6>1NKEvJUQ5JQ8IwZd8aokxPxBS{zgyPU|)cM9yILxR4<8&2d1~e^&P_Y$L9-2~yg3ZuSK~`v2K)M{wWmwsiTfJf^ zI)v;qI5e~EY;a17T%_ag1cAZB6gUbmdoodc(xWAhJ2+1HX2~EgNM`=_58%(xR zi_5KE!DE>|sR-iKACN_9TAG408{K-=0XRccGDbxuJT1wj##748RWd=uI!1Y*Ta_9= z4v<1SwIBRBS?twQ5hojPH3ei)n)`gjD z)g)R~qv;xo%#Ey}#Hudb9Rx61Zpog5gGIOmvXil-;5ms+b$Xeih{7{N1B8PTI`gK@ zVM5Kb(PFVhqJn^wYnoc;Vq61=P8hh=zz;a8Hp(NEBmikUMfeCu^mveKW8*PmTVN~G z3kFUp7a_wg&ygZm#QSU}H0((QGc~x{ma!nPrfAPIn^d8fDkGZADivcu)C8B7(Hd#C zGCKQJ@_*R*Q*1Q&hbgvYl^u9C|L1f6nSS^DXQ7sxzxz+J5dKpzLf`R;(Wp^Pg(b2N zn$iR{a)p^qG}QwPXJ%APEU{b2hyD6M0YH-pD%IhLg$h^@x_JQT1wkg=P<&czrud=b z0Oi=x>N;Y>6B5z}#jH_JQwoXUql7F*B_UfP@P^d18#QW7P3dgZ$iPhplp3;_PE7$Y zr?>qE;?pg#6?E}%+T$F)Hq0Yty;mr^N*?i~W&s{@MVpJYMl_IP#F)m4)FOhGks=JG z-R4SVwl?);KG6&po!QAD3BeU`a70m{TrlERci^|j6hIKdpdogzH1 zhG-dVTy4-ZcW>P2GazRT2hBvM63Xh78U?vNv%H$JOE|3vi71$0he(K{6S7h-i>b8I zDVGaMGjhex^M7QKOE1WO=+FH}veVE4{73HcwY2$V%eti&RM%~OzRv&^d>|V7Y^-E? 
zuQq`u(?J~SXtQ@e2qACkdZ(i2gRG4d>s2V#$R!~ODfv-9&?0M+h3W+Y^QuFoS}PVjO6U~0sb1&= ztv<$w_^7B&L${kCw(hItUZGk|mFrG-jLQi!%sLuI`sJJgIvxuaHGG&(3Pf9;`ks*P zOWw3=X1iioaebYVL3NyU45!sgDW1{O*=n{ltO3n#*ey|AEsGEcpv#gR#6Vk+0Y@6K zNjb({R?Gk-T7f}{4Lq*M+E_0(D@dnrWLs1u zAmWh0`-(N2?lbE}vtBgoMYCQs>qY;^0wHMZ+vqgukZ-M_{D23oCMA76|@t=ctT;)}eUp_t^`r+zpjXu4KKRigdWw%Tn za!Gs9>rPz-J%QMTI4Qa?>^`^TDQhY3E%Bhc#&Xgk-WuqS|J=@R^X>sVKlIo`@tKPI zeu=)w4&zfZt-1LNwmIgCgOJIoV1m<`5D{aqE4qT9a?z?*z@Rl zD_ye3K9?QQy72WK&TMV+-UTZ@oV_-MAGyRz=PY^tY1z-tX`^Ked(p%_D8IHWWIJZGyHkw=A)M1e3ksczKbz_0V??>%vWHa*Mz z^A0OMDXg`%@|Pv9eiK~x*Nbg%@8rfu{tE2TGaK0>cm2!H4*KKL<%d?dertR2Gp=n9 zn9Y8*-+AxN+wlqF!E}Q;;>6$w($5OOBi0Sq?LE41k@|(NesJXd!I4YinKRznde2oh z8SeXhb?!l{UrB#Gm?|rA8jwQSD<@^6g|Em8_B7FD!r!xKT&-wQtNiVGbR2C-xr`2o( zE@{Ax>9B1<)fSSddsDnmEN6|zaLW|HXv<_hhxsnQ_8*=e26XwrbTdNY%bq1PnbfiuNH zpfkoKLvZN0YkN)#9E;g}GLhVjP-w)OuNJ6w4forW%d>nsHM$)| zrgXUj)V+40p;XKih$ZDrlAoq4RyFN_^&AM+G%;>L4J%iwi(@feXi+UkGZPx@E0vxK zw&JwR%2rw*yCYpl`E7Cf)%=HR8%cR6Hv2P=U#nA`s&&zJLS$4dG!oNpX9EEA*|b(} zjJ>#`10z*NV>zt%yS0&E&us8PCE!ED$+?3{C_3q;EHMK;Y%;FTBQr0hZrS64-0BjH zn;m6fqtYphQi6sU#t&SO8f&RE++o5H1I4l3P=6{mdN9`Z#3N)M_wtcRt<5sP}r zake4Dc&!x2cC}s0cC*7t5s^uQ^58*r5R_A16;IntAQ4m1R~wmH33Rj}@8%hQI)zLP zu^YMUBuB*VU|NWKRWUHiRjmO6Ny~`}652~49@892AzTc7r&$*|J;AlBD0|WKYx23=KGJp zq29jJS z_ND`quNI|Ana?4^RE5`g3xVqzfJc3mRz?&j#l3t7X?98jIiC7hIXgy*UJC|uKqswK z8Ua8APA?BT*%4IBq?mF$&9%&4fhluhl!oBG#KidyXy$sRWvSh$s=Fg1nv@foYE>An zLCb6=X}9w>lBN`*pQ;5-4T1&8FAed2WrC=9v5(??Bbs?YZC?z-dJmnpD$=Y23{jqQvWe!Z8MnIx-K4WolgQzn^po>}Lab)H%0nRT97=b4TF z4uqibZ>9gt{{HvZ5?}P6>*2!n-va-kAdH4_8bQ8<|KR`RKj^o>e{hH-Q5YvE`m6ZQ zQFqB#JiAKgsH=YO|5R<9-#!15^``4RxWN@~t+VDkmbdv%FWkG*De5KXk}q!g+4t`L z1$`5{@^j-;*YKTcKJ7de&t^w zt^8Oi`sul=jf#u!zR{(7yt%{T&8L~%8mq1nE_K8n&kWwUW+QpS_bz|&qoYq)^rPh_ zul6=svuYlFQ=$at2}YeC!4+f@%pRz zEB|TE`YZm%XsOsT&%HN!epP+ZYaYAi%rU*gYa8E{tFFw>TjZ{tf4|%Pr|+=zW-lE2 z!>sz#Pu}=cb+0~AS%2Bu8V~)~C0D)u*z>FHamUBMoNJu+r`E;?uJmVkiA_JeW_xMw z8t=xpzq#pKE1i1UmB|)wTgTjX(j4G4a&7YIC!bvAGww&XAO6B=;!+!Jv+QddeX#6x 
zkFKy>jXvO_c^@6P*`F4D@;&~7R~!9D*5CP{BbPt)v*6Cfh3D_y=kRq71LyAe((!|> zuG_u5*EUNO&icdLcV7gzJ}crDJpTVS|9`{v-$>%0{Rf6-`~Q3`@$dMLZ`LZs?_B;5 zB-u0XknJ=!vo}S)y#M^m{y*PE|G`A2f{V2}F53LU`cHjf{AbcoC5o6*3~!*R7W00B=H>U0PiO}dz} z3k)T&r3|bZAre9Zr(5r}vfZgLZH)3GJ!ewdIKbo#I;c3VrM0IDt(llW2QlZD0Wp{I z2hEucnm-AnQlmFUI~>{q`c%iU#xwUQ$_QQ+1;$!TWMvocr}eDO*fiRnq5*+)M@7Aw zV#KC{XfSOVI2Kp!8swHJ&jdzf)6+phEo8dmJ}JWusbZngBrky^x=pgF0ev^DSc4$22-LL7K;P0* z9E#vy&42h&!umsaQqqii0yhjB;8ibBI(j4SDScnh>Sll`a+SqBQ?1MWp;b|EGSCZJ zC+yYal;*o=Gp$kSm^QIOd%#28yfntTg$!qynb9Pq1+|Qsz1Aoan>mtk1>Dv7oNH8E zr&k|Gsm`DtYldfLR0kW?47}mv6crLBK_zn7Am9SKf|wM9f-oUMIfEaKm2^ciYiU_- zCFQi4>eNhQZ0dD(pcN^&S<@lEQjyU@m9K)7HNxz~PDd1&H|qUDL!cv@3w+)hkVzd6 z%OV=5ghr*4Zl;5FT8;HdvkIxPL+bf7ZGvh!?AzoJ8Obrp`5i%UaXqNio2bNlii31# z#<=9BhBAs*n_b$;!KTX+*-GXc@jbgP+aC$9o$~rmWLL3~MWH2AcPk3<{FdvYW>Nt#lJ5X&ViXV3y(vYEEzkNoj8 zp0;8u-=DTIuQm{of`^W}sXAU8$JuICXt1Bxf1^dlUy%Q}pZm}J6rTnA4>P~dj|HXY z_xS z>5bFVdaWFYUJ>Q9e{w!S6OiEAsFZ5 zxFjffx{HijBe;d8e4#%zhb36*`ozo|g=V7#(h3b^x|6;x40Y9;&=ELxZ6N1WYXVS> z`9`la-=`*SM~7uOR?b>he`n{`@3x2=oy2|0#9DW{cJTaN;Uhcm2 ziNEqDcdy<5{$JF+c3bS7#`Df|JKnLlp+DrGboyJnao;n}{`knrmf8(hpYyzMceuf3 z={q+j9{BM&AIk9oO9|U-7_5nx|M*`gzw{3KN$Ijx&To=CSi4gPZ9V6r&vtnC)zV{c z9$${1-SeJpkM3Qt$cCq{y2J<19e1z_9d_R0?(otF_Wb!7TinzB?9LZ|_@lFPgk)WM z`XBeTuDd(6$R4kqci#FN-+RM-$4cSuC$~3UWXA^|+2;7|yc>=__^AHbf4XJ4?O%fN z@1OGKP0QWq+%#89eRTR(m)1Y*X8%L}1AW|i;3s>%wUqnuPV41eqW9+*ySYf^4g1suXVNi=t-+spu0W$hYxnWaP42dy<=+QT|ZiW z!{?8BY5VQo+5Y{%9(ThDzgidm(G`o%-TU|xx83>4hlCY_#%HG-ecRRhuJ(BL&_hPW zEl=C>J#%aPkf$!#?bz4Qow4e4-U}BT@$?RhU%u^+_CM!T;jz`$!J(a>eP=`S!XqwT zbBV>5zSSU0cjwY?i1-Shy!lD}(W~x#c=3ad-fhlFPwJ;T8=Uv)#aq^Q-Q>;o=&qf& zJ?3}47kyVh^WD?dys^Ce0gwG?+k?(qufF!4m%ps+q3m(Y26xlPMcaLH$no!8b7K0V z3(IF7v-^U_|KH~SZ#e%4N55GAZ8rbsYl(lye-MZX(%(7%fyG2iO11g>(*E?z`_I4Z z|08|({HG3;Y8omf>50fx7S?~1h4G(}P=v-L&_>&6rE75GBvm7)oK{Tax+f-uEZ%3! zO`%tbt#q6h$83n9=V@BrM4e>9<7TCi zyB? 
ziV;P-A&jI(v)8aN#o%Y2D!&M}GUzxnaXE{O`o%(n)FPo(&O52rGz)$;|H)W}?H0>P zxvQ92wObR!0X@nVr&53#%DA18r`0+;h7xoD06@rc8Ny-1k=80%orns;RC?4k{?A3j;kZIwAu~lR;y;`8EaiJvP6jkjEqDkmL1)UsXet_mG6u@<2G$q@>2sOci z0r6DZ3%jFn))$MY>95vE+I!J|?anP@h zGjXFoRQx7Wl*&bjo2Pny5CX%yA1t%pQiwVpfqEd|OaH3dNRMX^QACa0J3DY~C4cck6 zS2Xh}q(Ugh2x}ALXqc}1*}mDES|xSnj!`(&^h$ONHE7akTO^OdU9y*tkxDXA@JhMb z#vQ+%5+~AFA|bz0^+BUPVBv`y4b)C0(uGbJ4?Qx==E_19Ee>1Nc4OwRQ^m)EvENSy zMbgaYQ>CKnB}xeUK8+f!{*WMmu3ax=sBSZokifR99+%Urg~$n=wAxnV3RDx^8l?bs zZe-C&N>spfB$jk=z!Qm_4)~~QwmBI#+>)sGn%((@N%aoiEo)dC3kG8?T>|oGJ`R0)bNG~cnL5nDr(gc za;;1q^L??*7ps0h&+zp^iV%_s+X^kEkZz;hj2yW|Vhq(#11mDrh=}-}CJqvEfTYo& z=O^isM;k-bHUuPUag|Ilh0tR)7dd*Iv^qhFFXl|USWmZTdpuyNsX%qR0ofLj98+sl zh!I5^(wJyaWRnX8*{J~26i*nY3oBdf!XCY_!&g=d85R z^50vxck=Jo8gIJ!HiMJqZ93TNqSw~^?V7#wd*zF_Ugq8P`j4FT$*1zI+ijnjd(o!5 z%{l4A12;b5?ex)CYIed2;E;j@|m2)wVe6f#ALye)IO6m9|{wxjnYljE!%z4g#LKm-*Q)=DWmm?{0Ay z5G=j)n)6nNRu*3U@hyKjfb`tmN1OFJd%Su0&iD70J^01fK6R2m?fuxIOQql43fWn0 zpK{sG_guC9xpzNw=z52vdtdk;@}KO%ZF#S!Yxk`2wDtJyd%tq&(hs!uv#N{U@yj3V zexP&sb(buD_c6ndw_R?r{pN5RE`HvfXPb57MvXL*V`AKfJs7(63&)`f)d7E;IhgBWoKkdp|$Q-}~fWo&D^w z7jIj9X?f+C>h0Iuc+amkKd`(0soVaseckUKTko*7%*T#>_QIQ1{Pd+~FK1p_{({@q zzJ2ZYcRHc5$G%tm$h~F#clOx$#rFr--}yvig(t=b-SoRnUVm|)7mv9=pfbOHs1QDN z+?$`RT)eM;?x(BVvmCbZHs=?)>qpo8dG}Ai1D4%q&S_UIy6=a_U%Kw=?=JJ)YTUaA z7>nJp;PL;r`TraCALL*3|G{SG|F0wd9sdEsPA6PIaiVXr|CDO!iNuJBn55w^??3;t z|4;S1=ReBKWm@RWJ{Bo43tj(BTNwXQ(%n37_;x{1+5%6jcnT>6)rJtKu_0Zeb+1^f zVB@H(wfG2btJ7Ll?1N6&9N2QpRYtX`B2qn@A7rr(-)T6mQb+;K5&||GQ+3cC*Gjl< zF-=|@=xHq}M;f2S3{InzzGDG?CCj0MLD?8XeIng&cR9+g_kq+jYg1mtG^}y}YUwII zb0xmc_G6OD_z*|sMS*Ti+Z8wvH7YLUqckpdx^_0uupH9|Gwsv>8XMI{ZrpckR*v!} zWv5=Pwc(>rrC$Uct6$R)4;!krX=HXlT!fuWo*UP)3 zc1DF!JTv>S7z7p50cbTuTi_UpuO=hijr#&6Qx%~D!ur@NWbGU~4e&tj#at?ys*`$; zQL-h<$Ws9eu%k57Qof4+Warm^i%S16#ZnMkRcHO@yX-#;v)ugMe-^6$PkrWYX6p^5 z-%NR`)3!zs=IKRGX^sS{7mP9_)5;UIdTF3|mEnL&D5Hs6?w=c0DCPK@aulN5ZbH(?rJlYQk|zWD7Z9oG*`)xTWRdaLA>yECuR8x-c2^1AgY;N|d8z$tlEDC9Xaw 
za}#VR@vw&g?XEVigZQ{18djepV@z=f7i)Buyd+M9wc@_wW19$@?mAJ+aAlyB~4wL9e`@9FseAu7tml z-sSQQj@y0J;eMkFE+qQvV0)0kz8B!@lZ(Io!&O%h-+w#Tx@nHH&Q;ih;Fi=Hr#$2Q zX2-Sui`)LT{jwKT|Fq*`d;h7h{CMAB-xs!BCbiAA+ittw#m*rQ&-s<}t8KCmuP!gM z{_3qq-49+qV9%46ef{CpYOk!a|3{lWy5X-k+hqfvJPEk@vsdQ){*l)6_n13e*=Z|~b5dG4ca+@IaA*7w=-t~#*7ZNSUFf9b$g z_9QPj{ukG1S8Ybzu>8+T^0w$sXPvRwy!Mjk-@ER)zq$U6Y^Qd2eaFLyBZ|8;?DDcN zdM_POSi8K}hL2w=UDDd({%7FKnZY_6N6)?gy`@@z`H8j6+njvtt?OP*(mVBczx8eP zj#XEc@4fGeU3R3q7ha8gcFBi<_lG$v)>F)>XT*P8^bgDaqS@L0KI&)P=)4aG!`x=4 zbx%0#_?;hE^T(^0^#hORwtq0*;Njb^o%iO`d$03I`3LlJFK>VUyvH|qXbo%UO806nzmHv8^pfM?&m5_yoZ^c?e~O&%FF|L6Wc)Hm%v|FZtu?EL?= z#J}M`^&G_+qwk#mAb&fIo7v>mwB$?sPw8Lw|M@QZ4=g2pT(tYBm@IVukF_xV!$jpq zni%IXSsq%6RH9Se#;6KIZLcO0atDP=0?$;jaeY#kDkj0HgI-$T)tXI%o>WGUZnio>@&bVTV(M5-1QRQJR2gj_Xvyygl<>Nlw+lem)qCglKBE$LY*8?V%k~ zst}5xSvAW+V+hbG2+O<0GduUp4>VA?Za=fP0YM9T|tpP2y zhS|=TZ$b!C76O2SGQzlLyO15^b&jtLLqcY-K{GiRNE08^vy#%GOX=!h7+G~w^L&-p zt5P{FDX#72oDN_)<58j!(M@t(PDe>x>pPI%%Kw}7->R9gT1_sX#oB*Y9`R%T1Ag=P z&q8fCf8{^o!u0>)YvZh;+QYJL0eN!F2XT+>@k+VqNk)PVq_zvD<6NX#+#o2Sy^w1ok?g?%&`6-5&^N3I&lgp_)Ay3DH|m#crr_D-wAT^3eKKr` z4Ly<7*=D!ZH(MziHT`6vi^v1Y0t!An%**LquTsfN5DWTtO*BSk(AJ__sHhBAPqL0JEl^a@5?V0X zw2haY1eGZV!i@gg4C|R;Ju|FlhV{&_o*DbA!8l2NE%^^VlmGiF?6drb5f5_y^ZX|T z!32mxI81&4{zLu)|G~Zn{3ivY2!>5h;!E}aIZBu_dNZ^2-D`voud?-qOIa)4b>D&f zTECk6;-6k9twO&0!&Bdwv&;?~;&--h&z|++%^zL&SapdX?zP-~i(l}PasRr;UI#Z$ zd-RYc*0}$szu3q9c+Cy|0DSAR%E=!cqrn>sEARb_-PYJZx%BnTo`TQW?xfaXI_xAqzf%FFQBKutX_P)0-d9%Kl^kxjdefHoQ`sLO#Pt|UE`L3rfJQ4ZsCCkmb zJ3jMcZ_^~yfVKCkWg=k;?Z@Bio5USDUO zyBECvKk@%xC;d106aF((|M`{Jzrue?xru9i3DUyFb?~Z04i7oAQ4MxyVs2j$&khqZ_HX^C=fNQ zHJveL1ysbgSEidolhmR4(J(e3QeaFMWE?g5EDcWpEY;^zDxI&Wc-^U_GjU56>$=;@ zQVh?*F5Ie&MzEhnS~~A{N2TcQXu2^c%PS?dsNtz#EBA_u!BJ7CE15^QGQkqihT4rOAaO-%4xHMd) zlIb24w0jf|IUT78wIUm0Ay&`#zv*6PZFaH z(HE*t7nzJlvRz3vTisenEFkxj91anqL`RN` zI4DFG(+2ysa;6TZ$`wx0yk0p@Cks%DZ*)siC!}bnXT)M?4dnqujDch)5e$Q#C^lh# zpus9ly2$iy@!zcfR^{v2f;3bA^G)VI3$xw)jsGl6|DSv^;t+UDa5)tKm2!+)9F&y@j_f#6a;CqnXc 
zbq-9j#2PiXR~tfN*hX=UcHnNM183r-HBPc+h^`u3x29*CQ7VNH*jNT2#c@2m&XDbx z>skE-oljfEmKt#BRxubunFhm?k|)A?Qg>Q7F|wNwRv4vGP^6=DSfhY(ZcKH3N8ZjeeQse)5gpr|(na7!PQ+%8=l45MVy_9Z+Y&`Kc{8bqz= z#YPnSLQl46Two@(p;N{drK*Yc!PF)_?0T0OMZAMvSn70+8zubxLC zKFygqKRdFsnwimbCJRpTMklKh8mlS^8;@iU2xef>3@n;~MKiEy1{Tf0qW^yz{C}?g z_Rskbj$!}Ee^6*f|K}?)aQ0#sfU_4p>Qnx+&4$>E2krD3{&VVAicesKOwGqQSc)Ks z&7pO{?|p(#R{LE3^S{;KrW5CL=+7Qs`Psu{ia_8LjBox=5zpDTjNW-@^|=o}w$Gx6 zj-Ofb+rK#C_E)ZY<;Qtu&AaAeiyv#$gv>=pW7OpbopRz?XYK62v&RncuGS{h-lBZg zu8-ThY%qA^w@W>K>4k^hvF2S*Zxoz%wmfH_bMYN_VNY0Z?W#z36gnu{EDBEqTrjhoLvEQdvyg_4xa?KVa$PF|+5E z4te9W{qI=q(mC&3aJanxM|-`r+NFEVyQ@2R7T@BdL)LzJx68KJ>n~3e{8S+gW;2W;uFNP61c)YAfC^`I0s&L^_KkG=be7_s%xJ?lpZ>4 z_^o9gEPSy4zPHX<_q?Njd(?B)O^!eM8sfV5Hd^`OyN~Z3x!&=2?7idqAD*(Km*4f_ zt7dQ3zl!|j7EiwL)V=3#5tjCv^VS-d9$&a`m0*u=A9?Q~C-3Sl{UJ1OtHtUOb>DYx z`e5U;ZoQPf*VrNX9QX3uuYIuHBIob@$EBXQ^UzmX!@0#3X1%`cz)ZO-o^|FqFI@K6 zy$o~DZt^zQTzK}5PfM#lfnGRkuPxS{^Xyft{ds%o^-GSr;TLp|m}2<@ORjN?)yPbmzt=9eVb;*S-DG z{f}KQ>~h3!uDt9!xn;{M{U5A<`2Sq}?F;Z92>u8D1E-*w`k$}F{#h&=f6RY!|2vko zIaD##1tcfkuWKypz@kh|c$=CC6AGKgZw61dKaJnYpU;09A@JGQm4_A-yY|w58~dk2 z2maNue>!yFUmg3WLkFf~M|gR9qb^qwG2KR|V{h>^`03cy$~081X@yZuE&J00x%rGR z{q9=Ou&8*x9ue@x8&b47ZKB@nzzW(7>sI90URe-npwOt+6i$n@`M{cTX6r$XPSHH(!zpdV=wQ|j z>xBZ}uEKuIcxZQ!V8LoN9^u1D$fZXhT9xaCac#uQ5+KVy92XjOv#JSs&F^Puw;|L) z&VjmIWn6aUWSw^^n#9|RIHBYohh$UvV%I=gS|P8eG+^kdDXCAOWv(}|kZw~4 zQUyG(l^X-NVvQ=(NeMSu6fUct>{lp9>T+D7(DmCwpDrV#QgJ{e6BeAzQ)yJM^$@AS z1C2o|sg~1FRGOg1gwjn+OAoxH-0^%yQ_2iOQ&!#})L>YfxJ|f8PHbGfvvc#RIH%R$uS?Z389y(2;HRC z>;i7A7tAg>ba||pvMYQT)i_zzNMYnu`Xh#!VB++gy+M28bck$&ZROPn^oAH+$}$<% zO-+X|i0zaKRZmzxst`}-me~pPZVL`dtrVs7y{cD< zEQ~-#1EC?}ak=4E(iU6>VxD*5oE^gbd|w{stx=iib?}(YRv}-Bf_$rqCCYfIT}Vwo z8TPRl%lN8H*Fj1qC^i!Ts94mMLRC+@dNr>U^mr%F5pGXOK)^>h^q z>$&Qcvr)EHY}^R7zdC z4|Qp(+&0jpn@KeKX${U*)QmHRj2wVAAHqW97&v>eN5R>P-uzeo zlez1rgUrwHpC5j;1O-EaWYZGzr4S(C+?5TCuJmjd?pE_X2SsQHI_<4HYE6&+y)035r z_V~#*2R?oVw%1U*Kg|5(rRMn$9v#&aKeCSB_khixzC+pJEc9J(xa3~#KX0+!X6G%w 
z|6#ADuDqf1i11Q#m%FP!dHulsHb0tQCx79d;ckmP^UIH3zW(+_*1G3ipJY=s=0MHKLcK-l?w)&*T zXA^Lv*&B?S!_n3~quXqFz2RtJSiRA3>w0rEoem>+xS+D1Wl!lJ^3;CU|Mt;aP;dET zc3mA=6n-o^9((A{tKLhp%Rl|nS>IdyksqG6GPhO#{)aYrX#4bGC+3$vc-Cb5E6Z~) zd1~G>53L9-*1PS3Yk^^4i3Zt_(9k@~D}A8}E(@HTuM z|Lk#(AHNNB(3$n^E|5=qakt~2zVo}=UH$%C_4SSJKli@NmRT}&+zwa$^4630{pgD0 zUp(O1yLLVP$=Oe>Hd*GyKV7j2a&ma?w=Y?Bm+CI(CGsmayd~D$BYpRy#g~tb&PS}{ z-J4eFsR!Kf^dF^pFK*uX0_*={|Nnmsfc_Q!Go%0c)!0AfKl2+B4E}d>icvPi29t0B z;zZr_*D}}@WC;@FYQ)<*D%kq`2eRut?R*;GRTjv9cpBBxat4_Ou%R%aVj(SsJmk%P z5B=MFnMllfVY>!K%!Dd@a#p%bxrz+%Wj@S&QV^6+Q+`@kBY%EnO}*=O_;NnXP#=HB zrYV=NBYe9IXTj-fluc8W`3C}M%HtUjbIn|BXlU(rMa68s0*2ft4IRZ=7 z{UnN&t$MMLcZc*yqRX-@PN$9NFqmA07#a4OH7#3`nyoa{98AWJ?vz451B69~L;?+$ zx+F!KK^5kSVty!~SfNlOqk1PjfV$&wJkT(s*hw+AFev$~UUg`!G|sV72nb-aCzokK zXWMEtO4q6~o^VIL;^0A}KIqYCp`A(5gjgRaAV~|;D`8Q3Q>>2iJryqHEr1?yK~$)U zoqjvl>Bo~S#S$);_eI%6?NnhR;1Q8AB4`j3C?8rCSE@r54&<|goU8bp3{3Auis`t_ z)YXdGz^v(DZD%;LaV|-9s_CAB>Wa?CQlsd|R5Q=$nnQMTxUHDkc2-LUMIakaFPcQr zUNoIhGFAHI;q#A!*$gdH>G>?^A5#xZ_(|$vy2Mmq8cpk^e%3ChVOJ14l9^E|m1I?g zdQrkFW|ej>C*|ch)hu}Z22#Si^XFTwRnC#!GE7WBAeU~?xpA%DG8iV|v^6Wna3>Y; zrCzbfaCFRtCWi64OVxwySa2J7N7vQ3q$ft*0iDd0fiN%DvWBNLtESu|l13)w#?ye^ z!ii={EagW2aew}5~>rb zobKgCf+GgQmZH~KIZ;Nex|=A}dq}gww0kx$g(g=Q@?)Uq5ME)3kY=qQTB%;MJ23`d zhX2^}`49JZ?se=@9e5^}_;KEF>a!Ny`zQUi%q1@DR`XZ>voLPfsS(yh1|fr<)B(C! 
z&!G@Efjf*!jlBX>5pbrI35HQb1yPkuaTbC4t#01PjjMix@>>&lq*cOh$5FM)*aOnZ zL2QXJTPHXyYzJY#XB5Mx?GO=(k#Ms)%xGZ{S5w)LV<$DIg9L*zJBf;DVT5UpnFTCJ zF|xflSrN$qr$AW0w#oL(*_0<%L#Qd>y6(7HFf9*@j)cM`p&o@SuVqIx-R+kZ_ubIy4l$beE~s%^D*%3AWqdMj?wBV9`>CJrpy;cDrAX($0iV z`c4OE7-mvb;jWYbZ9e5xoxCex7M$*-+Y(VB2s7F3dNkar*=ScD`&r4Mhk*nty;8Q} zw9x_(RHB-UC$)j}KW-MBUMqV6ZZ_TcIH$x0o$9j;&v+D- zP9{T&nh%QpkrRFDvw_b#ZED<+Nm&@BViIDz@o?aDnUZgW1G_2^oRBfHO`XZo-L9!5 zxE@gUv}V#xVDX8WHu1Xs?>&@GOjVDRF1{*wr%#>U_#Bvj9u=w+horv zyK)~;GfKBU&gES+a5LjX3mg}{DpBY%eY?>vSwX)-SK0Ig)VP0Kr5u&LD~+Jc7n4~CJkeT z(G64}CJ9Y+DBM(?L=tKQbPG+8Z6h~m5Ph^D^6g~8tJd9-+RSI-C{gO#c9f>@*kqd_ zu1^R+#?U(0&ahq%83zNnJt=fjBS$N7Mvvu`WFAMHU<8Mg8U8cFe`fg44F8$oKQsL2 zzuD$z&%ciPZ`e%!?<=v->c5%q+rO-VHkwsIQUQX-=;J8>!|-mfCNmEFoAs; z{kPfh+t1(livKgW(C~KI^Q2{Odtvj(^7lTq@ALbdoH`S|^e-oz|J=z(-u~Qgt^<=N zJ+oSF*IO39+l=7ulc($)_?xgd2>wtaMFrI!@nfG3W9uIkatz$2_7U-_H?78?kzx^}t<_b6L zc~kb%ALRGA$mK5)c)+O6Zyy1zWiBs$&2^+2r^K7n^(ayW=W!5&DyJcG+sr#omAT!VeDF^Oapz zSbOokf0ljip>r3>T=CZ9>mTy?!MmJ~9dW=D=*`@ZHy|I~TK~POci%Z=J+u0u!d<=2 z_^PWuSo$Dj?|J9nvi}nEuvMQWM_~|bw%PC3JHCD2kN5cH^~ zKP`9Icdox@&iD2_XOkuEofo|RKk@(nVf{DwANdagVl(=mUy1!I`fr+q4;tUN{y&J2 zrb5A%&}poSeKGyF`RwC!`~Q3s_1|D&QiXU~f(4se82vY7{%^1_52tJ8`ZQ!_TL~5_ zw`oFa0|CT{Vzr|ryFSiHMnlf(mEu^=49il%C($nJjtiqs2COw2wrUt+J>P6jl%b{6 zKycJc*8nY3M2T*Sp$gWLYR(V~watH#r0knu2U7wKNXt zbhR?_VZeb$_9#HvnB@_68k|9OFx@qXoREw=HNr?id{W0y(vK&gVaoM(>|4~pOKK8R zGdQ$A1k!Mq7{s)a$9r*mLJrMbIpc|v3Oktur(xwLIOG$4a$PG>xzy@0`-%3w?otex%Pr92<&ojRJa1xRbPvQ#J6f%|$v4V7N#6>><7 zHEV1EQ~|eIn0z_?H>8V&>_YL$^#klJ3oV`76!&4Ixh zQg>W!C?-?w3RoCJ|x z&gs`nM#!$7IExX%b^H^EI z%|k2O zs!hKI%4(?r^;=#@aey$?2Mw5nE!%JkQ}^c*^=YIZeyJLu`G`Fb|IWqATwI`M`u}{Y z|F*!A%dfBg+d^$Oe`7!k)Bh)5q>>WWt43u6aBL8g94mHpq33`+krhzWlX~NNVN&rc z1pz{M;}B4=vCJltvaMJqzvgQZbuu4RfPZi|o*LGw@pd zbl9v9%PQ}wWvCd-3a+JerI8^ki7+!j;!x_?K(f!1ezn8;XxQw|nr!8K-Khf=a+Cyfwt&e1Z4Ubh9iBT7_hB40ISsivnl588ipYGN*`1TO)dmK2Uj- zuOMo=O6rOZX&E}o7>3{J!myDDOkIc!5Nx<5z!uX8mDB4&FXqOOP>BY(IvJ09XfMoL zFsyqfl;r~Oy_uR 
z9OppWYyxC07UO_d4>RBiA`+J@n$aKVSTKe$!jm zIbr<`waz^cdnG?nA?95+IcVdRgbQ{*D$_gsSPj49vefY6{=7$LN6((K_p(>;C;aC1 z`4o&A*0ndW*B-lTc8}ZDMK@|ZdeTuFpSS65 zsiQu8hd6YZ>r%Hob=i?8EV{<}YaDmgl^dS;ME<2Y?(TOU`r5pm{!RSn+s`b0;F{p> zADn$}|0P0u>Z5JuZu{KK0&X&*qj5p zXKsG*Nx$Cd6=#-?P|uNs-1rl7`3cy6L~3n zY?2BPtl0**)^JcH*ojRkYB4FBKGM~ibft(GLkf=5k-!gXX+s6eR^UYznrKW^--0c& zTgwskMg|6Qgcx=5bu`iRlwwhgsu+&rRbJ4C>ZoH6s34!=Q#g_CQ!Ol~b~38zXNrSH zUF0y9XPOBhM#*%0%=dJcKq=NQHYVx3*Js?CGtO4JVAV|verT4(RD>3h8c!KqPH4AD z*^L?yQuRAPvgMIMfa@Nuj8v%Nb%&;iR=R1s7LI*_JOzE<(a%#iD* z87>aFZof|@VZT#sxlni&oyI_x^J<{lS zZPKX^jd4ZvHJWI33;^|ObTdI~?$~Pe-M}J}*~%CkI#@97)>wE1VN4Z?ixWh)(Eh+7 zAlnGg-k2IedB0mzCcrd$CH)-VEt+tnXNr8#!Bu)peVIHWKA-=L{+|Cd$a3_#y+8iz z@`xYvANZTce->)H`5XUPnEpQn2Tk2=sj2oekhn-X5PLebX?j1~DQ0AutvQ%Af3!wOE>_gdvts>TuZiN@t~ zLPz9So$40D>F!j;@gUQ7*sO-MFe8hkyqaqF0liL23Y8JlC0Gc%EQfbe)0s4)NNgli zb-FY*vZctVj%_a2u5g5fL<14#FKIK1| zG$ne|>k7=*dlM*XzTR8=W4*Tp_+l!XaQtGW*l$`#g zjwa|~(vT@WS=9Y1-7nV19n!^3wbqbGQ_HJpr5b10vQzacZ6!kcAqR+ds}U53NGeV{ z;~|yN`XxUZbYU$Rr&=zll?TlZ5+yUXHtt)D-hkzdR}rfnw}g$$Q56E>xYO+np)^tJ z#FEvCOGIh9wJ8Gv8zw6bnJeo}mKL*YLMSxlycW4*vo%at(lw)4V)|_p@UjUnHOk{< zs2@&vD&MkT&&vljC`<}Uo8k&`SS8D`lc_>ALyM}!eBIE*1WY!&rE#c(K)Rq!PY>qx zo~bt`gsEp$vRtG?Au$*PL?c!v9oXy{6V^%uScOe_QmHOCSZo+;W~hNPNM{D=%pjc^ zq%(tbW{}Q|{WF78ApEuDKdG7g-&bLu(^Wb+^ zc=n^{{j2ide(%E@-#hK+%g;Jxxd(2$;KB!2ed4$q?|JGN;H=|L-Go|8d})_enU3ZpXhJ+ z{=J9Iy70IaPk21BD#{*o+0~h4xbI!p^PXP&+x1`VfA6vUfy)h-yWro%e>{6Bevd1y zt*-mUde$z#c!J$;vnv6ExvR77G5g+L*yrRQ-0_FfT5s+1qo*Ib@z=$%zQ$m)QpB#d z%Q6VGPidLo92uUq(gn-BdZRk;z*8Pc|G{{Fyz7P6obl%~m;U9eYaDsrfu}!pT=SJ5 z{^-gQf_w9*qBudH0P3o-eA^7~rHEarDDCXMs;{zSwm?-Fen2Cthm4vCJ~xT7TuEH$N=@FuDEeJI^~1yXKCS zPKOTP>`&^oH!M$df4jAG-;&F(wr6Kl;7jr!5(;=tB~k?}r&p00R*w+^qhh3j7Y0t!r0ZFxLb^>1^JRmubb}xQpG$F( z%Xt_^1C`DwISi>GGbr}Ed81rw(&n0D93jXWij-KOZn{T7zQD+JiDsTMDAMxmPQ z!6*ZID1Z>1yw5dM$08z~D-l|f6L~q^&je}_q)P>q&SwgeYoj=r;stQT50kW2Bomm) zf`tK|0o01wO><2mDd?$oyE`66Ue&N+HtUztdfiFezQ`wi5*=yfQ5VLTPdbCo(y4tpgU 
zYIr>w2Efo`nY!jroyLS~BlMV{+Ud%dNjhfIA8WuFf9GO*1I!xD)c<^w`Om^^H-Fv*n2~4mo*hj}>!sl$PB(UkE6$bsXkZfdz zM7`88^VOQ)D`t}7aJo}YmwdK_Fs9B$URE&@wWu98yBOaASv#n>^@2w?>!ZP_-;*&H zZZ!r36OMygN=#HsHdg{Py5(1ynCj~s&ULt|)UUH*jfEO=-qD(tU2~FJ+esARnncp6 zBtHyrwJp}5iZj6bQlAGHd0;0I+NgNOfb2vbnF^^?u~ey=#k!LfN~3<>rb(8qlyOW; zL!~qq(b*(|kFX>^Dv}}K)LPU)9;l*N{j~n4#Am<-@gMxJ^*<9T`W*hlbn-IQYImTq zu0pO3lj8kNXfM`!#CpD`jmuVk z9M04L%>bhrU^D}aW`NNQF#7K^I0YhKNB)C@Gx@)-!amD??i7|d@;}diNCd{g)by43 z0{jR0I`SV3BoG2dQS{63pC_K%X`4gVdoFgzn^<7xxfQ`b^_CFYx9_%S^{Sn&%o%HM zv&Y58vPZ4H*16rPvf>91j@O^}+^(ZZ@$Dtg-uQsk9>4F6xmO-J+Ku?#M@xOU41D2F za=8uWnn&EU-RmcxId_vAfBK@k67k?h7hM*fx>`ef_4K`0=ePafO7Q+gN4q}r^!;=8 z`Q1|Z z<|+*Eox>IzZ@bh=_C~wUy7W%_XLsLr!)-@AywlRklGhaWXde317`%-^VvaZvj00C;V?e-rROwe_Rb3QQQybkTIIL*{cPVyE*uZj{G4~@5L=Fatv|m$vg0Z7YY+TrasBYt zw-;@=zcGLJ-dg$BUwrbYd*TzfJm%Glp5qgTKh8dX&CaddQuRn&~ z%zXI@~j>sHDOb`Fd;m%1jHtu1+)ZC`Nt^^4W7yYb$}Zws%# z@ds-5aZZfwar;3V-=jQvmi!z39{9}#um4Z{|9`mtC-qtWlY(aa|5suE3jYZZY7i~p z;qH4r!@Qd1rmWFvs=5ta9RMu$S)BYx*p8fNu-1M zcoM4TlvWi2Y{ZNj)8MMo9x=tXOxDURsjm2--OHz16H)0al212^774dKk}Wu0#VzoP zUC8&!My?unfI`VY1F5F7wM0}TvuVl9Yh?$tnwe%<$PmTYD}cNRXY5LvFb8JCY*KO* z>wXQdtq{ z`9zh;75N4`09qL${pI)%V>ZXN1_jepN$X^$(IAu`5M;GLP?7*zf>mZ)y`n)IkYCK? 
za@B6HF_AMGPbt|r>6%5r*7%HT%6O$2G@+4ekk~j(HfmULpfSx(J3$poMTuvMI2f3% zKt$OV-mX`8)Z&SeN1HJ~^@U=u7gqC9wm)%(M8j}uGB`5Z9e+?CG3iXAENMQ#Cb94GIozFtQ3Zq7vKb z5HjkxTrbxiG@?+}cyW3t!0DIU3DI+HFi{liqXbUWnpjWqDT|}VRFxqVyBF6eEv43E zsvMe4)<7^KD50Gslx~nJAdF&Rf@U%}%q#tRVt^#FyzdXcOb#(QKZiK3{GE#((=24n z@Sjil5Ax09KMS?p{Eh!i7DoS#Pc-tmV64+2fF|^WALbh!-{tx^6;*33zTy|)5bKyw zNLb#@*^{wB5=&NdRyJK6N3H(U z;lqhTY5;YOiu76oZyC`Jv;0$B}@TNct|N2o>TrGQpQnI~-t#LLNM zf=OafZZc5x9wdsatPs7LF#X1Ezpsy4&3Y$~0SY2FGed>VW=x?ErkpgzNX1^G*@`tx zV$~sBp@~9$lFkN^VSz5(>gQB5E0@p(sm3ES5Ha(U6(6^I{$yjyrO|Crb?@;=rm#_D4{z1L1^7b=6i?bLyys zrG{nM@HlYdhX~7#bbUktG6Kfs3>{}`Sty4LlWGb{8SNR)GsAgiIL{2{nc+M$oM*;9 zH8=&LUrYWolmGil?6dr5-m2F=@HOB+1c{#qE^vlx8JDQ|8r{skn~ zeRtMX)K`yF9=p=}>kjVP>4_Wf*l5WU zp6IMy*lCZSF2CHS7l2Q8_I>cgHU7BBnQPv&eddL-{nBB78Q!tnuDJ(JTYp3G^h*zY zY`0m^_wi-7D7UCZ-*eae?W^lvmDt+7b@opfbIp^NT>0O`f3ouy-{#)(&fEO%6(jT9 znJX-_+C58O6dq+_Ydv`9miv9Q`+KvmX^!UoG<(s(a~_{{_R<$^Fz19I+4~u=(s~Cz zc02Ik>JL15<(@}ed*brSX|FuncwLtgFQ61{ck z3Tx-E&LL$hxZ&O>mwI&ndBg^LW%s}O(GAYt;*>3~yZVf?u37Rgt1tfE$BJNS7QGP|3MYH5P#$9e=uQE zg?W1#m!^5-3-cf0bNl~%6ZsD+%F=Y~4NQJ(gxeH{u|I4==;n<}yjN zr>p+Yl2L{r0+(^wyFjzrG$12w(zI!lCTX+EY?7vF+9qj|Hffk%MTW?{iXaFVFMA{7 z3W#iEBSS&9Y;Yi;Z2bSOJU%`OJaUCU!t42+*Q>AISAVx{+Me(E=A3sv=al-a8aZ6b zFAimZ)6tGm2_{@t8nZg%=z`EUrg7JS>yc#^y)nU&HIg*ba%`g`(?CkYYLA3za~Pz+ zF~@x}{zKNB4w#E14D?EIJ3sZyeHv$A!O1FxmJ4@ny97EEA^KCe!WWP(;g2Dy)k5{r zfKa$f%7iL{NtZ2PL)+^L5{C@`COWH2{$|J zj^xA_Q~9jO#rdEelH<)9AT1O z*bIzzN^=@*kEyqsSf=WUX|O1QImR4R5c}p+BV0_B<#YO;#6vm(z02k zkV%0OQZnvg5-{YT8HdN4QK4I4by8pkUZp=}@~C4@)1g7B9vS6X3PRd~EltLuRT++> zkx4Z(scyGD?iGMO)K&_vsUiSx7qJ@hNotGf#UXY~{X>X_1g_kk?f>>g=08ia-TXKI zVV7k7Ppw?V8Z1Xn?I1;3X5^N{c4-Wjuqspax_wZo7@Z=FRYg{zz=4o$xBwvLLgo77^hui9?CGwHC|LDiS*gDx>h__B#KyqW*haDaipR09H} zI+PtvidCE8d8g4UV{8hC25KhXA5_L>Hc^o7kTf-7q@aC9VilmJ5M!$@SVKuSW|l27 zG`wPw3ffT2xsZuseK>_>A*GCXL6_tC)_`hoV^kiBnG%91ks*#pT9hjn`>jD*q0=Qf z2Ubnaf(8U*=4GUo?N(D9#O7&{V44HGSRanL(a__;hORQkKy71ekWRN-JffDH9S`g2 
zB{r>&c^L*<2;ao(s#Qxh?TI;5Lme9ZcmKB>Lv%li{|x@df66wle>ndk7SI0a0*fEY zr18Jb{`p9W4>HQ8)JdYU>Bgw2yQP7Xw^a#d+r8=tE|yCHFH2nC`KJg(UTgRgbIYyQ&DO;iq2OduVy-62E8FSV*8dFWw4dMq&g|KIfGb%b(hb1u??3z%Uac*MmR}7c8)8MQ)~FACmpD zONUIrkU+bQJri{d?NkWW?ffmuol=U@*C1*80v+QS<{minTS@tu_erD|-3_^kI=aT*oKL7dI;|Co2 zt^K~Y$u4J}dUEfv&F*dWoTIw?g_qiGaz62$8+W0->x)OOdgss9zy9id7Jl;=um8n5 z`UiKC`~7~^70@fadvAQiJ!XOOB_O!AzsYmj&wl!?KONrw(xtl|)vjJ$*}t~g-p`6T z@+jl7?=JP-O_w?EtkNpS6|&olS1-Hg8hv-pjX$~g!DZgz@B8CZ$yHzHc=X!&Z@zxX zde9>$?-c#$yjxE~?KLjgGC1THE4Xj%-h6H8HD9c)e#NTWJaY8TJ5Kg^<-k9zwsrcj zeIB}D#iif6rMA*x!xxU+;D$NvM-PJ6eDq7yF&mxu+KS&G=AM7}Fa*is1vjade8KAR z4d1+ES^xF-I@eTJzPLvSKe}kkt#A6Y`oDb%T;mFFt0}zSd&ySXrsn1RNtd2I-MG8d zVRt|A=LHwasruvk^XO3F! zsvn#H{_u}4tg+y1J_SC0#A^4Te|qMojaRxev(0ZO$3Ok>>c^e1=F$%|UO8^{7vKKF zv+M119Qx>SCxol~<@=kiyxf{^owx24Hzji>Ti(3Y3m09u%R1P)U;X-W+Zw`AdvHkM zg6qGr)_Bf&N4&DsN!f+HIV-d}mz}m~-!1N1Nx1))zggI-0 zt9x&M=1FgdAHDwHkN^MS{%^>v{^vhs{|^7j^m%gn5y|i8mj9^H;yL2=riieF7=L{J z^P%&9tS=n@vGJr%;4|L^nXNY~OUi%5CE-8eNa}kbK;>(FCZzpgKIPiOaw%UJMdLmJ zR0Q4`xAh_m5xI0vuF+F(s(CidD5aUaNWntZ2azU*;wF_J04LB!G1dm zk+xgo1~@etFrlu&pgai5A`A;{t0SXo%i+8xRui&=AX}3g^oXK{jZ}-qY9kD;xh;Z2 zd=2bEoac4(8Lc*mHwhV7*(HdO?O8Mk#R2wgRZzXcQD( zXe^$b4MPUroRXqHtoNiEQHaPWszY77U92d4q1sRQN^vr*Yh*@fio;YG(WOtue+pCF zH<&!`$92#vqvP5Lt<=bj?=Wz7#z}@oahQWL6^i95R0ahArzhe*X%r^5+AB8YRIldN zWVT#Xie%lI1g2G?3&jEE3<1TjadH9bCxDN$Rb0~xlbjQjgr3%i1|aKBh2D7VqyPZ} z4FV~4z&c&Qt0gGwFgZVDle9c2SV}ExVsK?tXt7hiG^uMPNZ=5Ma=>Z3=oYv_J(Vvz z)jXa-VKr_{3{#FWy{0s?cWHp4u~^SxX}QPv=(I)~(m1Vg2}nCVtjU%eE}I?N<5ZfE z*`}*28rN;tD6lwgw41GI&Vxs#@QD7Jp;D!}I)@5Vd8--(GdH7jGMaKOnc)NKv@!O z7lk-Zm&dh$E3*nCODVL;mn(T~S{3?E#p-Z%5N+XU!5L9AFH4QGy)bK5yH%LidNigD z%VPnV3G`*iu*1A*X24XfNKqkgr-!!74EwoeFt8CP;f6>IwFj-K*dNx%CMM1~mW}KdGO{N|v=ksNtt2C)WOUx>Mx|)W?BI$!U1S`0`yurn0 zmLT*@gix7-O%+Km6U<^Bs0-9q6Z8jxKqb6<(^fW`qe-j znltBdwkTII&Fc82OwR6P%YIXh+JolI3z?>_#Z*esK)M;toL{IY8YL)MNk$o~!{^5^ zOE%JR0Ps~!F(IsC0k#JaEteRfX}Ak}lTvv&#F{BNHUbWss>KYO5qgD8ZW;$oF&Ik| 
z5{_I`DfCoZk^LT3)Y4s`7Y#L&_oO~Q=(3qc+N{jP=mbUjxggh?;wltoTo5TYdT}nc z1~n*?rFz2#%heHq9%yx0C@?Wt?G##4Cz*KlNa2B0VN~Ecn5|c`0$u0IieqK8feDFG zzR^|c#R25gwdS;LhLL2D3JSH z@}JrH-=B$nkpFDw(>MI*`40#zWnw?R3*m-+N`16Ru*SUyrUqcL5Gs z>xq5WeeWn*HF8$@jyD$CAs@HTbRS%ti)T(oPXu6`D<-{EZXEblIBj#;5wr zopk80=G=GkM$g=F=M6U}`MtjTVB;wM+}~dM>V^kJ$ql#df9Z}748Hbiec#)*z5RES zqfW1GT-G}Y3mFCPD46F$o}`!mTL z9({cN^P%&9zJUCPjF@IWJM)=l4ta_7KkAb3A5u!hE~Mu=tj_i^-m9g`Tv=1q^vD>} zOx^@b36l&B&GSIg|^lTv}CXPy!G6DH0U36Du9jYg(G10Bg5k!T~&CpC!C^Xvf07iBLsuCb*UH79LS z>2@Zg4onn1wk9>yikz>u%Y{O*o0D^aRK|sw=PNBw9Om1R=CN^Jz_P_cYVp+ePs)E> zvkSKxpe(}R(FE-zr7GX=^l~H7=yMU4Gt<+?Wa?%oPRgo< z3DC{Kun0DoxH@v&64h6z;!qg630#_%$J0P=^{sMFsZ@a;k5Gn@5dx9zlAfsN)Ku2f zSSCG021BMJBT_A>hlw2NpM?Ju7uO6Y#eWE~C34WRXZg<;ng1-wcJp`svn2C>D&0bu zbs8ftOj24KgV+d6%TqfW4O%tDRnxMNR{^aN)EY3<)NQSn54;3x#O>lJsZnEynixX6 zjL0$9Oi~lYFW6YX_%H`ca;us3tfU~vk%xt6Pl4cR8 zr)}J=K(Ia$x^M_?o85x5M@e3tFJOB>z7+T$iPOj0V|>eaL+UlR&Jl9L%OiBZg_jZQ*2*~)|~1a@DgyPn(YCJ|*1Y+I=~aGj9i z7EC(DbgGw@tHxj&RroGynP6{{pHMjyNqUBz=2Vi_!#YbDAypsrat10il1kCbjxY3)P((;{)eR*QvWFZ5AZksv)DI2l>bo42lYSyTR*teKXV>47_(#) zz)BEzAq(MaR*2O{DokS$-6?o{)*TY*Rt~0cG~1?aHf70OW@PYa-0&c>m=i`VN-N+n zZ4H>osB1AOVFj(OT(*ZoM;r2Sv(=>0K^e~`%n*uPJp~|Kt7(&hITVa~uSU}V%+{qO zVk8`FQ#bl)_eNR}muGy=sSZX^qnPVx%#h3EG^Ud(8`*xd6@*o#HwLq=ZUZF* zYW7QB-}4-otXq5)hJ0HpqSYP(a*bMK2-}`ZIgK@$g!^ZNErd z_mt<{r{?dn)Jx_Or*68;&EMK}kKe33=Sy3%KlRq$?!D4&Kip==t=`;m$7i1C{`jDK zMev!^3mcsCz2m_*m!6k;>e|r0wSDw<`mS$ny8K&Deez3FbpFY_B`rH6kGqsv}-?%8kg^#gX~@xu<>`?Z_EOD6CR2gceZzdmB#vWKqn zEcE!bmp}c~{Oh;8`LJCtSa9)U-+TR~OWt{K<@fI2@#~ed=T-OIVwLC?<+aPtb%Xt` zzkJT-rSv+dOfS84zm%}fwSV}r|LB)472aOqkB6OlYN5N%x5X!3+Nb>eKOJ!lv+{KL z>r7*frw-VwZ~^ecT~D~~$xn&@d^LG*+p`W}zS7!g*(Z0$kJty<`=oa^_}z`?p1D5t z%9XoZz4KGv55V=m0WEm=7dInYowfh@yPWo=RVvAb50uu~`sSUkKsNI3z0W%v-RdN} zeDT*$%6{kCGsNph$Z3aYr>N^q=B@Z*|CNLHI$(O*qbtPtZd)!YT`pbl?8&?5Z|Xn) z>V@fxpgSJ@@|G8#@T_{Rvo*ZRTQ@wv*$=*a#8H*i$>%5bb*z8rQEI*>@3Yq-b1HZK zWX*FkPhqFreNFYUldG$~+dcW~7rnUJ&e}3hqNfGlJ7AyFcH4TMI{)7Es@H=*qprMb 
z4t&*K8!p)4Yg_$k>lb&9$tQs`4!tPbU1h88T`OJl@Jnlu+1oB`Z@%KStFL1I`lHwX z`|QZk%k0T%_HuA~sjFSh(_D@@C(*6jL$$=cqSNTbj|98p>; zW_$y{H49V8QE!+p_4}DBDrKw^OEsu+Vy5a5*6Ag*6a}W(P!yvXS-h9{u;6k@yOy&i zlA;rGP-#_iRbCAwtLy`5VNxo0{U$mdqN!5R1t6(fSNQ^(2{ZOVoNE3zF`bmb<%X5vC+qS zO|nW>@G4G|s9q>G3mV={(^6(K^L42L+)MTNc=8G7|Fl35%#kXWsp@GlW8mYls;G?` zZDbHK$rJ;})!SiQ&2-s`%k}zYUpHjEH-g5v&2^;Ifa-9dpI}iGPIU-m)EggGyc@2gIrYWS(DUAY1UexXlA5#Ev^hKBpNiPSRRUv zoH2~eez(|mj5-a>cngjKUM*H#lftTb6X-F`*sP}XC>NJ)Lj*>S(gMA76%spc8#U8S zv)gZ*GFEp>x?v8YI1Gv=rt)GrkZY3elq_&s9QIN}wGSDSq>eG&+|XA#d+cCrxJFc^(T#b|)8lY9$=#-R3)4~6m z)cza&-y}9{k34&}miS-%C;P?YKTEXT{GIHv;p%`sS6_v5IvB;t+wPMvlD?ll|&<@nj z*mXP_%n>;QAtG%!?N0J7q8V#e&}*rBHIGvs&9+8DuNCB}N|mptRHt5!$)ZQ0iRy4Q zQnlH#XeB&LAvL)i(z!gTH5_(QwsZMxpQM>uyP#wGIC9$N0B`6igH&otKpTB=GE@|p zax+pf%}+X0S{8h&Qh>`D$_O01-xGjI)gq@6IxtvwQce?4(esFuHS;!JJ)n9)%)&V; ztky+yFpY=J@<_JZGf~#YT6LkUDD{%w8-V#-kmF=gsano30=p$KHNnd*Fo9_yU_QHec*>FqagRFI?ySNZD6cKu<8sZ#SCnT&5Trn^;(N`M=hGop=O2S z4SE0~R#?zcdRULLfez3q9n6Z>RL@kyjKc-l9!)l&mOkj!yOz{xvzlE8p|qZ(5xuO zs1TPb@Gxi^;lP(6z17X9h-Mo1(oG;z)KGGDS?qMBS~{IH$G*$I<`fKacz;2V)=vVEIop|L3G9uUP)5 zwU%D}@mKHKX}x=YT$y*^tz^^L=)ODbhs7rzNOpTUy!5uluJ2v>>elD2n_QFZe$F@d ze7$nijn}s4ok;$2-jDo;Zdm;nbH23qE1N!a^!mI1G~DC34Wjn*+Z^|;8xGoqOFf+V z(zASW>!N4B{_A_*z12SC7mvJh*DEJ4{fKdSbkjqPcULx`J)*lBm$rH*taJSQOF`T$ zT(i(8{7cq3e~;7G+LGJ)oqv*d`VaQVg_k`5{qU-bSJ>#gH{N}}-ne$&5nmf@ z``WSJJpPyd=8y4*_J4B!^U5RAR}a*Co4lxRwlx;u_rJH!MVGB~Q02^b9(;D`>1)rg ze0t%}_cbStuCdnz=j0x{@k-%{M;F|7c;TCPs*j9rkjcsSgHXGZvvty&N zlg75K#!edBwz+T4xaW>@zpP*IzGFUXt_dC5BxK!e0jndZaSpxi@Yc3mTDp#%n@#I2 z51$iXx98&rkl#D#`y(*(0F)c?!TUZO{EW>6G zO5}r#6NK5}4l0$y_fvzg^2z(>Pz61$xYu~0(eB{I#Nz9dHRb|YDvDD6T|}*{mAT0p zPA!uvo0PZDAV8F|sw|O$>QAv{O#3ogF>Jw;l#Ci{vY)X|v~qPNDi_u4AjR*Sav@O> zw6og1{D$a^`uMi%hN6+@P+&0)rH#q zi81?-zv9ZfWr9UYNSrY6YsPuzQXTMXj5N9Hh#;4{ z6%X{DRI=to_j>*P=E1K&=To$FtET$fzele?z!Ae#hdi*bs!(`_+K1&+L_zw1X4_x@E|0_^dn$T?Xb|zkP_`MD9r9;-DIk=fdaiPyl}?E|4Q?zvFjku| z5yJ(23_Xu64dTXvrJQqIGUGvb)Do4e56NIH3%Bp5m27B|Z5aN5tFvl(5j>(+CC(a{ 
zXue?2>}794>@=NRH6YOx8mgJX=+NQUxHnHC(aDTxzU&`Xuqa0gbR+~RO}QbOq`P$Z zrN|-^wrlw8dP-cO2-+l%gpfTO2^x55Pt;^JZJUNkjwEa>^6LFWHYSog>U`2Lqh=E| z7qR)VV185?`kccc!H8pKzGzgO$z!bv$<ma$gESnZ)ZT)w~&jAU2zRw2HwMpPz?rXvXs4Obq25F=YbCp^; zRL$NXb$&3%ypTQ61wzq=vcOT()T7Exe4Jmv4x@2wAJ?RGqq8389`^{8G9e<4n~$8MRy6ER z9)nP-G7>6sqJCz3>-m5Ly|}#gSi)E0z_U7L)haD4{8f(ME|e!wQ2PoqugOQEQ2+ay zghEber=rM(=|t8v8A9Iu?>FD#L%HYjqRrN0TrLSFSBJ41A2U zRy;z*g}8N=QiK^bFH=LCSG94`k9y@suPSVo<^Xy3O8gfixv)^&Oe-muz|`CGe=!S> zu%&Yuzc{3AcnXi_sIG977~;;pEn?Dyu7>h@c^~TdCnn_YvBSS7*%Ss!`B|j;kRyp% zgqk7orMhqt{5uERfiW@sXZ7G+H$U9j{zIj?;LfmxZLf~Z>M-mC$x6>^8C#?R9gfbV zAq7Re(9B4Q4!gco8xM;leG2KkIGAb@KQOra&;EEYmw!4JQdz;N4X8y^o$Y^oF$e}x z82sFM6lit?1X4T-eL63W@-BX5gTp{GA&!{!tq<=2mH{`!*Ur5_1K1qyK)Q?|fiJfB zH3q3_EoT*5->Yiujxq=MBE6QarSs6GYX^8p?@;J5B|jd#QQ3k@**eK;8>1k2R|Hfv zoMJ8EIqSW#Hk`jB>7hNg?FA2uGPfLE?8#{a5cwK(1aWklX7X#KdEZNUFY5iOb9ykP z{M?SL5pX_QC^>f@CPIk;y50xzk{;RT(}nT*f?Q6l?cMa2uWnCic=c}g2%0~4T)wjF zTV3MJk=3-{rhHv!+i}(*?fl-?x4yT`R=r(02tM7s*U0PLJ>qP=OeU}FmrKy%md zU3CpV>eXJPL^ZEFublPtY|7oCfcBnnvP@o4>|V-s#oV|h%Jq7tR}~o7pWm@K#ey8CK2N%%ZQTOv$O^fD*)@!kIE_udQ z_xmsFOX66H8XAS}o9%Z`Bd-GqcOKA&K10ta!d7~ZCK0#c!N8N>{ZN>n&txs=UuuU! 
zwo}*jb3}=)YGp9sW!&4T#_J;v8&my$GYKbKYmP{e2za_$v);L?(87_UnG{_!s{2;& zaN>^gIj&VxeM;|rT*R2`ebmI8Km9M&)BRyfux)+*is+^ZCpF#J&g(B4ZFe2)s>L`| z53e%tXr;;onM;g{IQ9GWOnt|u1MC!NtlYFTCZdA)ZSv&I+tqhLtf%_`?EQ!!ad`4= z$j{pEqj#;@OMS~Y$YC=T;Puf%3<3Z@wq{md?Ef#q($~R1{|8}XUlh6`6jp)*mdR&9 z{{SYRC^AXi9`9l4QbuoRYnaB1dPbk~`uU&sMa^1SfnHgV%PyOH&eX-=rqVY?T~Vr# z{jk5ySa{kp#C(Jh46EcLiAlDB8O_by9;t=OpiS58`- zhE_sy;zTGGi8$#vjL*3z1&@KTM|IlXmVfyTJ-);l@@GuG4W&|p5T{zTwvae+A0+m$ z_*dvT6kuD%gE2i6s&08P>?QqQ2`haHSsce|tUMlflOZI2**`d|z(bY%Dq6WJ(SP+w z6nKV$1eTnc?aJ}>PzHt3J`J=W_)FBz*DsKF;HQ0^9*3$^QIaOfG+h)$w7)`)bKkZ#YbOlM;Dm5vV zsEV%!S)Fh~V#qdjGnoJ<;utsfkB@GiCUz!NS;l4w;~P!(ESykbkWCu-sr*dR8x%DW zk}{FrXgLND-qJ5lF!&Md5jPzNaPesm$s@-viUo&=wT)IPgN%wczBa~xgw)?j#OSjj*gavq*v1;@rj%)MwBuIZ3;4Lb1tG=L22e0pDdVk~Fh_ zp>mlHm#>ecVk)`P1nUuYAUQLcP5dPLB^vGML@|oMKv-KJVVY@6WcUp(RunZ@S-mOB zxXMgcq0%NSbA);54GYug&8331%74<*Mg~5G>^;H$o~&_q)oPk>p+c!LI$V~tgn}=D zb4(}}J3yfUv<5f@rj&v*)yTG;6vFXUN;O8gg4Hf(R=k?x*f&TDdEl?mHX9WswL8lt z*%@V9#?T~4LKftFJLLnHANn~^jPOSj)9lhiH%3}# zsCffZ-n1%*3k!;P%H0JP=BD`sBgKFTekZnK!;PB|I^$AWc9CT~J$_J$jpR|vmn6o? zcukVr*FO(op-!8@Swm7sNyV ztw^h!*)GM#&xBL5H-Ie*TzHv0Kaa&M8r*+Kl5(;*a|1iw14CJ)6nzs{8C9LE-46i? 
zvQM5lc6{5{8Yp1$~YjF;2T$5rBO041>a`P&#NH|)3&*th&+j_sk| z(5t;fSAi^$KL`>e2n#_%+zWW~I}FQ(Qp6oM;x@?yj(SY>*u~tTTp!uBC4x3~@J4Q) z0ItVl3YQPH{zw}PDZgODRPsjd40EaJCW~OBm2&=FOtTJ~~n+j@Kv24L|gRFlh z)X3s=pQ6qLStuOE@{Vk6y(AN)0?%F`ak3!*ICQP=uIGPTyXz;Q0rRQ)R@v@2n`mr$ ztH$pi8(ZryNoVrhF1bNl=6oFxydaFdl~3QH2J+gMPPqYj)XVM0Fv1Pjz#03eET(0l zvtZUsROG<8eu1se`F+yY*b1vPJD>3k+GEDb?osA7)=On)M!h>;^DP(q+KY>@p6j5P zOAjV)dhemruNd+#g$dAo&|aVGp<`VCWuKZ?_wM;2EUBh4Tp{@C&rY4B-E!14`&bMJ(xQ8m55-y1{OdHup=h*@7Wj~c)ZBfaj)TG==f3RJqM`@k1kk-4w?F4S z`Wz=#^qSrq##-DRd-{;)&1$_LOKcfMS@PYRB-Hb5uV1vbuDU+QaAy!ynDmK$04;qP zig7^iXP@@4&kFA_!m}$cfG_;65Or^F{Sl)NB95^8H5SV*^Z9jOx@nVjS)o9g-2a1S z&1g4vw}ep7UOWTRc3OId{lu954xW!Hhn^#)N5;`tLf0o@GphTJd;2sz(yHfFV22PM z1t;GFRJFn&mYl>SV?uioKrKgYl_+&Or>CG@bueHSCMUh=`K*%Nh7=D!WB zH#$H)gdH%L>wSpL%mLRh@5kp%mHmX0Xeixl(D~eMESK_X>ve5} zyCMTsNG1>CfV!5eKAQ~KYb$~fe^13ojvrWPGCag9S>}FoXwI6Kzqe8udq~B$m{INctv7K$l`pjVp8>_HSR;<3!vH zLx6B)biCrB6*BGLd#+5^^lz}w>gpDAt-@RbtrZH{%D-<}0?DX}w547j5Ywx?>G`*- zQjFDL|A_XR>D|mZCexNkV)x3$^b?Bd1P*fxCLfcjlEiZQL8#JJ9zO<-?y*=; zf6SRMZzH?dS{?e1BC&B(@T`Dz_0ei9__CsnD0VnyTG44t=N!PN=dgztX0^NiHaOfv zQE!qLfe{sz2-0z*62D3%bm*okDpg-k8PZdVAxPNtC;6#DcmU_ccMWY5*J9&RI_7}( z$7IL?6Su&e9D9P+K}p72;7D2ro<@yo_AWuP42#txHj20YYPxbzubmNBr$aSntZ0=g zhRPCG6m>IB+OAuvjM>$1w^j73`I6g+Zrrg*|Dvo#rjo6V26bWbzRQ$E588^zbyXT>KN&F8o z`~0oTRoA{_dXDCOPXQ;@o-2pOMJR$rp)Z9|*oDjMr3s6aV<9RTBVQ&aC7-jVj6P$} zeD9S-z!dm-7dTf>k@8ysaeXSWaVeu24&wXJAhhPs7`icMNam=bvFu9YxLNr_dqX#T zF|{|cej6c>HGkdufhY8|D^822%*S0;Zd}5p;%Ki1Itir%U*K=@Dlsqv^6H2(d4@=y zDrIJ}zWVH+hVwRY#aw4Uu}Vo{ve+pW?2Jp(GnlU1DNHGiQzck29HW2n^DRNB)RiKj z<%uQjrGgDyV>!xd|G4D%MXCh1&ID~^^RGd7F|y>RIbLC?896h0saHrLYIUa3T-R)& z2l`oYtNlGMR3K{iLbH^VybAk^&PjnzLe^+j|8Olt)oFL8C zEM$#xF^iv~n@ewsGmok`%9Z#~aQiwjeqFgA08ipD(E>29x$n`&`?t7RA4{*qsLy;~ zW}0vQx0=vq6)&-)vG8RI-QfM z6RGTqO}>vOpdKteU*Q#l_cM$0lNPf_P?wp*W?(kn&AI*6=Xx6s(aUc3aFyoPZg$k6 zx*ONW%ym3xYCpC#3O=WwrI%R!YYookO;cA-J(SOLF+lgJ+n0m4XL*d!_dt!(h4!i2 z<=UFpmO1x*USL3k!PCC4?=S-<$Nkz+JF9K;2h2Z?)t6)UZdMR2pyyzXepk%oAxu8I 
zXCZltV6kJ%&)M+obfNoY-M8biXLvF!tA0fxSHRo&w%L5k<1tT+cI)nMV(;|T@>983 z>eiOl!>61KEraXL6|wE-OB!z_f_>Zjb3~VlUHn6%!+`0OwDpE7=(dOZfXjSAgXkma z9w4#VIORyYRI*0gwV`p;?e-Z_qC9=!w53UD*AF!tVXY5bk5Q-ryL6nWIeb4@E2;4w zi+N+qQJWq-vW?aEJucE0kZHAix##_tG8d`6?)kn6d}sYQ2&u>!zjBH3U)UHC88-@4)Kkh|S4Ijen7SNY`|HN32bH5j{J9*yHNJ31q- z9Ji1qD&I%)-mV%Q?#8=;c)l@f8z%>6b^u_=a|aAI&FiE-`xW=qMxuTfrI&_)`^#>W zx#dz8KKWDS6j7;F2fx#uYZxI?7ytW()Vg;nu&6`5ru*|w;j&|pMjvn=7>4t`!C=AD znZfgBn|G%|{`oOA&Ks%Ka>2YS6^614g0JlpiZ+I!ZFl)nq6YM|2Lk>ALHas;D!8S9 zd?+5Tj)BG4Y4(0QuRY{+Kl&^AovqyfcAyrnK_3fH3uFE#O!^BIv$cDJEGa|YXGsKO z#HU2iV9u~gC}763InUxKVrx3OK1cfs5;r5aPD?rJb5JW@-vBS}TLQMGc-m0h%t<2Q21^7%i< z0D?#pV+xRUqmV!BWX?WEZ&IRQah5J0e`YX}%dZP2baql0>HWX(l!eY}vP9us*zqPb zlGWyYf|&PYbtmTNOT-pjndk@5JQwiEhI1w?242kQ(Xy+Ltmsz?VCEBw>5c-nEvu4= zC!CP!f2m2Wag4ATtn^&}7L72hOx+v)!0boE)r_!?m*y{l&dO$w)Ug}Nd*<8luQD3o zFqXrUkn6zO@oV4Zimy1CS7nr3%asKMb*O5N%8iH@Ss}xdbtzxZ80itqJ8^xNUJt(< ze9)^}p*CE`oYM{g!zjfS>EqHSCc#b0@0^vShOu-Hr>ruIWd-X*$V=d0`<}Si^_8b^ zM@M|dVtRw6Pjo~PZ0K6ZWTi@hYxYWA&Q_+nTd5zv?_~XZABld zqB3CVr!h%tiYc?5^9iCs0eR2xxUG~NxCMB!h|NEdGk^V9h#WAe!WbX)uUD+bhr%AQ zuuUm5*(I6qIjE|CPyYdMgQEcY4?VwyHkNr7iJgtC8|na~x-znK7zzIdZ)|%o0H{^&3^}Lpcz9EE$iwM2 z`0m3h)5MWOwNc3vvQl}20cFMvvX8IowBK$CGs52J;o;cYmjYC9<&G!9=99JY5BmNPNvsr{Eo2v4Ox+AweM-N-ySRS%y)%YBkNL9B6>W zc(4;fIX1)-x^ygJ z+RG8d#N&EG=%*#=EQ3#kKjD%BsO}|5IH{q0%uw@BI7ouoOn4`)%KcMgz~G$xk+5gz zQWO+%g&XuH*tOc{Y`A5AK@F<`7b0nDWAO^74mgi}k zk1N(Xl-pdu`|8HwSFQ;vEVv?A5Yx8tHSu-sGs^v!4hc;+yyK zs{NFAMEIx&+MKuJKMnjU#RZXf?2JE%=&j!5>pm9Bza_JQxUIXQzJk4u!m8I#7ZY=J z-VOjo_MYBHP;oWB_blG;+vZW9t!Dx)I@u!~R$*R%6#+ftm((lJ#~Q)M?Q;kKV4r&N zS!;eB#meAgp80TkRO7sxh>+U`T0tPz-m6MBYL);zSiocyXt3j7`3SD)#kSMuLx8v5x3c4?8*}T7u+lriQ{zMYnnZ)>^?I*Ph;AP-sT1m*VZYnY*|V>w5r;(Yj01%H+$Y94FwGPWZOvX;Eexx1!>4VQ}YjEPHbP z{*d}{Q_hafAJ6Dp<$i57KU>5|h}GG(s1!5jhLYVV*siqha-f~d>#}0%#|!j#nZl9B zN?vWCymXjonHrxdOI%oBxRyD)YC-~@c6(QcbQ=+ZHcvJD?0aaVhimjYTF-boY&(zD z_v0AX+xWYnr37xSvs!?6x3OKDP+f>O?QcUeL7G=9+HtJ5?G*F-sMDX#Y 
z8e-)%azx(LUr)1;dYK+purR+}aU#U-IQ|KZ*-l<8MX-|vlIY8wmB1^+|)F~37!Um^ERkMEhH4Tk7W~z|5 ziOo0s+5$p&P)EW=Sec?E*s21>^o~P`5WSs2Ir&BqU7A}Gq6~96Y<#kN5%I400@1lKZw^W) z_7z@YM$?L__sbz98f#?8s_D)ejE)r%xlp$LGs3D1E=FbM51?3()v-ZjTz1!ki`vap z`!xSTK93XaqI$Crs%M2<5b_0hzTy6F-(-c$PctKQvxosAAJuRULCnpJC4HhWwM;ra zW8!Bbi|9jR*1*!5&LuO-N+D`!yC zUDgJ_RL=Sm|I!Edlk032VEn+GpWrST4+4XG<2x90;6%zKa2dLAj>N<>(16YSVYW3$ zM6o&ZMuuq>Y-16zs9#5C7pwRbc~H-EG2Aq}0)sVU&a(tL&DO>!5O?P&BRxJj#g%PM zoqnd$nu7M*3xztt2s;bHr5VA_q>A@T*K$+-&b)NN>NKf5*0$=69}@VRPuClnND_yy^};S$=)gYxv&n*m$4x> zW~*5ULRak28Nw+XNN7!|v60{fZNK5oM2S!9C2OWyp$2KwdVkWooM!h^vF&)FvP3eE zIk@)upIOarOZCn0xZ&>$lCyn85Ct+}y6Ses#EZ;+zsVMYI$k0r{~egXd9h^bExyOD zSa}m;dPBU^MV9i_J{a<=@l-nf#rJQ|tHSNgU2c(<-RGCvS_Kq?Q@mpI8+kklTrpN> z1e?}Jq;m2WNT}}LBAcwF` zrNSiFV#3!fUI@m;aH7zS!Y-Os#q^EJjCvDLP)#aKzg>*B9Gk1GWG!XRhGtp1y6gRm zAEDcr*8K5J6vp;D_5--CIB$EJC_9Tr%wL<5({xEx@7M#{=+z8qjQsgr(ZxbsK{&;R zH!|O}Ub$=xqrX4VtuMM!~(5@;*Gu z@ip;=$=?)8W!Q8MM$xoY9GnmD>EjJr8e>|Whqo91#uQTx$c0W# z2&0luX%3HB(TD2Q#?u=KoXj{fB@qkV5C&wulOhR&7GJ-u#X^=sEu%^nvzh)O`l&YV z8z*A^B3o9aff1gqiJ^fPqT8TG=ctGzF~ppS-JVpurXn7o1=Xetww?Zm%1|I|N#Y+S zW6}|}i*U>F>qrv9FD%QZFx7N1XibXDg{;zPBq6I(X1A`eAZ7q{OhDPR*PqSkk|cHV zHDBM#v7Ax&-JB}(&d}*vPpKta?m3Iaa@E&nvPnd9RpSdYp&;|^Z`a=GJAV>r`)nt0 z($EbFm7okB-1_pV&9L{eW*Co_MeEphndQ5^7V4Tm2Yq26C7g?h#)tb z5$L+4@ziq%! zY)|;P(8aqSaAtdC`#L8!T-E(Zj0||$oL6|ic)GxT~p)rcX3w! 
zePhH_o9nplLq^ZXFLjZKz^3P;cqxvd+bd=~KFII-czV6&ykY*4lW=MB-Dsz+!b-3H zr7LXxsbK{l$L3}myn|NLE6Ul%w(m5RrDpy0$ZrROG7?6odth%=JBpLzO_hRi>)PORWC4)KdGDu7u#L22Lw@w^TzCEk2*vk22pzU#Z5uDluTsuS=y}HTaUb4po!4%}STAe% zxu)L6+@qBo`DO6ua9LDB;B|u2L|jR;b+vLV2%V6d&s7?bc7tZo|y=pF*~p^}Orem-iBf zCpMM{FWSUv6&iQ?A?+^gk-0hfz5mi*CQN^KnM*%inuZ2Y@2pvBU%jnD(h^?piz|G; zUlb|38<>pIRd~KFkf`$OgYtF&AZ9gWv2tjB2nF$ZJ(0ydKVVz|Kp=DwVD}F2+;dIr zBk&2t-P^j()ylz=IDBI(`4#&ifxj9t5?*Sd`WxjEFaW{^_5Bq8yJ;=?1HY)~A$M-> zIZohuuFa+v%d||^fRhb3JRyIza^E_XZ{m7GC=Waawwv{oZN<>!*BU=s~sOeaZX} z%?#m~5e36`W!7~g5^0xB=ySt0YFHg9jLIQJRu-!P>iK4E3N0tP2v*?no>@gH?O=ba z;t7X#dLDl-TPg`bQ=LUC%Qo@=w*DUv;2+b#(je4&K`Ngra(Ry*_-9Cl;)OyLk;3yn zi!%HQxPb-WmrZJB$_GByV66>Q{f3u zri!eT6wpS?(9`HeDZJ_rAUBLcohZaTGnO$`?GQg==WLgJ7fa@p+j#r?eUxIf(V}BF zvI6;!8eXY@G&Ko`wP{XYzEkx-Ia(B6y(Whr(^sU82=D&r7+sJvj z_0PEY&8U`GNGnQC;5gyxV4RT;DeRkJK+hSfoa70q;x#OgM)t4hxH8=x2UY|d$|zfH zG%8@X;xQOhn;a?S@zTXCGy(|7g6dV%iu^-kX3SR7erz=3Ekwq!l(X8nrB8tzu0obi zwlKV*t)v^CEbAVD*4o#`X8@Uo_4i3&sLVV_;;dH0<8+Q2zPHeFcD_%~3_Ho0yWPAo zN_b*&h2bttm<;lH2+&>G4;z)0XDO~0S|4ALnjnl|Q*32~DIh&`aZ<{;YB1X%kj0^S ziX983<{pGHEmDTQQ^~#UX(_n51mcb!VxDmYE9?h@kCfnbtitdi86|5rtVB{5i9ltD zEvh-K=L8b^sAg&jITxN3Fce_8c4AHL*7-Xls@gh=s~(TLfI%1($zqpFcKai9j~c(r zLRqD^)&Guw@#(T!px`11uQJj`2uYbr9ZtVZdPEA{k6Mx1xSXC0LDXkm=3B=FO~2&k zjL2_I1IK_5#I9-M3=JSA=dDtIP!;zK06SqGeqvc#`de~dy=Wf0@gNBd>=&0VzUz0) z=7VBr-a<9Q;A(j}pxis9c%jN}VgjDj8NB9lbHC*!pr-+?2VQmHz3h5uQ1#AdzmC}&s)W*|RZ!e*M+i`zZeJQ(5&%S`{z~|^XCfidcNE1LE;L)C0&3Tvd8ua{tlx{^bzK-m?3;9KoZFAU($0t9m;7Nm}0dY zVC26qbH7@?d%()kxh5)?Y)I2;Bc3}7DCCuE33E1b#bEL>o`cP?^Ud!jr)F=nMRk4gBlvfaV!MN_r zylV4!9t&0I@|C_mw`?0%(0n*r>uTG8dminu$I|oKP00j+jz8S}0)VIGRZgi%c3ZY_ z?u(u6-r%h}*^8_T8|50=4ol#!tKFPfl`tB7H#U4DAQNQ^}SO317(h{KSxu6C>diU=#b9AlQR4*y*XjsPq%3cQLkzRl&HoL#m*$7t~4Y&Jin zB1l}-Ucc&R*WYZOI=2u$+^?ns-fhA-uc54$>O?|mHy-A60bC~IOF-Y9zC)ZXzB}v8 zi`}l)8*FP|ugt59&c!JG^}~-Nkp3=6;v4|N0D%qx`<);l)!x<(u^yE9)bJG0VAkX6 zT;@l%%-1mlI0rlc%neTiY07NERnp6P>+=|@K;bfb0K2+K2@^OeuSs}9)jinbp~S2! 
z_e`Pn@;LGad?AnTq*|sr&J7t@1*R0Nq!?v{spXNXd--i0?)*~{ol+Lm3zjIj^K_Zg zjhBzq(9LJFI*&$h_4C>Ac(Q$`>1ZqiY|-`(er?RsF2#XtViGBYQBrTN?8IR5!|5sH zcCu)?)-x4>9#pPs7-bsP$#ATqU(9uxj9=AuQqMs(Tc^o`Xr*MyaTp@1X=sZ zL%LFvz9~75CDvPF{gQ$j%Kh+p;YuZ0mNu!9*1|=z*{<8#y(9B{HB?YrOZ zVMURHZc0U?b{ejnlgNl^sj`>~;^=|XMz{5Kr%iN;vj+G9Z(APE^+k05bQX(0sh%0$ zH0ammde!Qr&#Ygmt#ml zW*n|e`IDOAF&)P6^kS;=H%^Qs-hZoBjVWCpoHet}hmmF@q@;7kbLTzjoD;HJb-vIp|HbCV9I1!7b+7#p<)BFMK z3H&WzlqE5pGy|eu57c$)enK~n(O;H$-&-AL(pr(09<46$3#n;CY=I$D zu(YbE?PHjGe_&@U0R$Z3wGdWGC8}#|?5>4@2zRZ}XTdVoiI0CUPc5xNH4`gwjg>N0 z-)F4%KTsK_#(MuK6zXgayK+~?{jTM)qo!huW|hlNxhqr;$!#JFOhc3rrNrSS?D}O9 zbYcR3=G#JUs?8yo7J+Y>W?UX@Q=Hfx&-7<{+y#e%M++i9Z=52FJ40TFcT|gJGbhDB zz(S%>9}y{P3<6PKJi!W9g_WIRVy<$w`e;vpu>w+0F45(DC4{6T`F5kbhN^&tHmFI;Dy{UiZR^JgUaCskqO> zhm_6CK`o&E?w(Zv@V^22fc#--({@j6;s?4Kzy+NH)Gi)RzEJjCa4)JD`Y{YQDCi>y zWH258LS>5We1iF=g$?4iIG9*ME?0{ac+I%74tp~Pw2Uvb@IPA`h3vIVn0_w5e8xUK zpscWiY}Zzu2VJZAZpx6LH9^H{u>sY(+}>OC`YG!7w=&D@sbK2@*4YAWpQ}wk_f>g& zowo3G=GEKzxbY8_0HhSUb>|utq9ukEP%kZt0`PnbS?38)f zzT@Pp%XV7t?8zGBQ^U#8pTNm{+a0BmlFQ?Brc%@N#22}7c7%eo#q<2)zCu1pK8;fS zx?y!2lga3FsF2aV@|jBLI~k?_%%9dN2D}k>jVWkVo4TlOF1{WdhjZaS>L#=YJf)9Y z#jsDk-v}LDJnc)T5_exWPM^15Jzdh)Ld8!>d|ucb@x_p>}om&1;eVM$?HUXV2|6)I0u~nflEL zXZQVh)#b}*P%h&JmRajo6>IBJ)|CjYuahxI)v;$FmN#a_G&}cmdvNdfCpE2#@%}ES z+lG_E)$(B9r@3z3s$Q;jmDhsxQ$^~>N&Z8-{(S7%dEJS{W#fMZ`< zKiXnf%h$7m{G2%xxI0#X@*3Om{5#Rj>n22QQmls0P2TY-b1lp)$Hk9m!|^I+*s;d% zDMW>1wQp#!D@U(>{xVLdTjEY0^lNv2i{CG(bLwpx)bke<*ZN7o0{lEGzz4;Ga2Zl6 zIu(RFzQ4syO!yj`%IdK2%)mSnpXh(}(c!)-7+Qy?_5CM z6J9aFP__k&35d_D#QqAYv$#x6Jmn{cm7H*f`IjV*zhI{32BRl8L7uq&7o%UAN)yr| z1Lsb8wW%0-=C29Hx$CeW;+zq1k#0{?MKY@E#~5kx@2O`OFqjLo+&>8Ur;e6@9TB=8 zcU+tdKioFJuGcYJG6fcGusfh!6w9Va*@ef7=s53Ge#;k1n{&mZ#g?hw`IHeI@K#T7 zr)iIC-1wMS_i|aPu9An3v{scTEtRyEKagllHsQ0dVcU59vqXpP zVJh1;gU(vJIt(xrZ!Gn}X4uzSS#~-l)Nq6gB?~GHT>g|#dR$$#8N9+%Cssnu{XrDf;6o<4XA_i9i7E2X&1ME?}i3%q^(G2Y|xvg?z&lLSp zQZCSmkB-TO8;;(R@87DRu-tY4cWPuw6|w>jZawGT+e5&Rl$s*7CoJxp1+&!hVymU* z;YML 
zRG|(Z6$Ho2$;*RlB~~<3;@^!)Y4CT~Et7?!d|uSsph+SrWe~Xk^!SePawS~JV;9%? z^y3kv?Hx+24bsdwI0U{+Xk~l?(D&vf^{gK&5NA%CN`xrt4d8dzII83F8T7;`Ar`Rr z3)k~JIj0LeTPT>s8E}qvS+t^l;t}oNH>=&U!p&HyLyIR9Vn^*%E}&Xp^aWcWQ*F(Q zujKCz$Er?Y`3i9uZm_j0GUdo;f39n95FPv_S*wDKJVk84B}I(-vvQWg2TmJnP=0C# zC#MRlXz2-SI`|7o`ub)B9m#1o&`6Qt1cKR$Ga55Z35ks@jG1#1-?NlJL$10vnuP&( z8%c#e(wJkC_n=v&u|P5-oQ7T-DJuWnsniO-G8HUxcL1JFHL{ed0Y0*TJYGbSFk#k+ znN~f^uH{@zdR+v8?03RMSq^dXmp+3@s$q*rl^5*Tm7Zx&)Y9aOPNs^#+nffje=+ev zqYo)7z(c)S;BD^b++q;qCl)rd=1A-g1iXk<7@9a+^8PQ}@s5!ha~Tob;z^${bWgUZ zn3c62?jb>aiWUyWIujHAgg@& z-ir^wgu+f$5H6xgJIA8iqi4qUETnfQsfWny$W;4CE_Ud6(`sNiehKh;pqWA8Abyia}5$VTE8e|Cd2~Ar2f(`O8NQr81Q#JDuxU;gfR;A-FM{3@9mC! zY7xa@w3&|b2@5=N6eOp-4?8lc#iXHr{Tp%Um3KqN6Kbrsd7_<-r zZcd3ZE3a9)kzF6Jmufb>=dAa~!*qM*$m4*oNel8lpj8R=I(5&N*O=MV*q+_z`I=7F zQ{B&nmhRPV5apKVYiDk?d)TX-dq@=W+u!2cQk(b3`}2N=9&pB<*Z7Vr52x8dUIEk( z_;FkPmj_J!y`{w*01s$hJDY{4<@WG2$~;Q`Q(*zWj z14C;_Wq94s=LCQ@a93oo|<}hf7y04kaIM_TLo&?~mGB)IP2cA8xOejd`TD zwP=wxcej>NdaV!p)2sjEmG=Q}DBM>d;<0D<_Yx_r_?_X)cNEg%l_#q|az%MDKnKuE z>IbkfE)OJ#Ua*_+V~QWr+47^L9`keH3r*)SkIw3jY^sXjnwb>Bx}AD1N2t z)cuT`aGHZ2uiOr&px}0rKl9e?A-yBvo;$Ge)T({0BSKc51`GU(7Qs|JHNdtr5^FBK z(fReWmnyr?r%a_NUhg}sXEpb%Wkqpnrnq})pm4hC ztOBomjq~*Prjg)ECT3qXPqUViBZClT)ImNPjatXLNWD>qDmkSV`+#-isk;XWrK=j_ z)~VbJI(R@;{KEE_7lp#%jnZ-<0y{&^>WNOmrX324XZm4S!uFDl0Nv9VB$`T#=3B7HEJ=uR$+yYsLfz6F zr@abV;Q85Nui5rsCkf_3n=eyMKgeip{9%DVxsQpy)R5B6>hld6Nt&Jo6n?^kv|3b}KV|lH zDxV7chvpb7I@JZQHhO+dAh=?%Z$gnwdYf_FDVzUi*Eko~NoVIIX3;WC+ty{4uobH4VZ? 
z|HSldIA+8qF69(O+?wVXZm3rhqvj2M6Br-%7*Q+xwd;hU@I>nWEmACi|v+Tn$1C`FsD#cHdON3_%=rslehCQ271l zG#pvxYGUxD%OJvDzNoafm4f11$5C{Fps{d^(O&{6jE+=2#z4J*TzXzC2(l}v;5^c_ zVQl!a5)sy~Ym~B3O4BEfJS}U=w#7&;q;~o9)nj*SaLZq@Eiv~HJP5Yy+&`fSa_A&SCzNu^w+(k{Ro5<-shIxTjQ~Q<0)GEc zpA$|wMqVA{|4&~2CfGOdDKD@5A9*=y4J7iE|4fM5 zXNpH^h7S4y68i85?|c&982V5mC@A@rx|eD3z~ZjQF}A1evmDyC{<7kZ+Nsxbe6RJS z1Da#xQHPV+Hmc6Xo!)&J*SiXfDeimg*F(uHp2J*FT(-6MZiHN1?#Jd`D_dpF?e((9 z?FmdQ@bJ*s%|`g{ah8?7l^EIcAyOt_EfZYuXMBJ=r|3?pG}j1ZVTz zhypY>%mB%Nz23p%?KJS!P^UlgQ2i(oYiyYJVQkN! zyW=K_q+GLe&-Kwl)yt0LY6~=;92Oomn$bS@q@%W*!Q<@l!t^pfoZ0xg-V6fuvdOqz z1{nlh-paH?qS zPWAjgT79@-lI?XeMpyq#;0dZvl}2)PJ(uiy7&dK|WOMZjCcgGi&Fu0r`3UFB?07*7 zj<~&=xQeZ}p-Yh&E7oKtRpBym-4!X;KL%XKIc=@I42O4l9H4c7 z00UEQZv1A|HF%s_mS0}|>Omj*dkh*8tu#?<=ey-N%Ye%5t`}b$!sZf}qj;TljkVLL zb^u_*D1G?cg^kB09xWuFuoF$^;9oftTVnOgV-UOxw?#947U1Di*av@rB|mhK&buey z!NH6md@#10z_54rSRA^)jWTZ|O>VIdp8T_j&r( zG9LqaDB=AbgOV*GeN%N)A#`05+!x9vA9E7+naQ~1!n*u+(J&C;F3>aD8KxLAY_E9C z?Tyis$IE049phwK>ac#TA=uVZ9x+)qlUdl8ufvUdazC%Q*=o+~@y-+W=PbttZK77e z=gV-Up~FL3KqX}e3LzUesv(Lovg`CmsKLiq$X8KlGzoCMw#Z6L#O>y93VvHCr$9db z#?c}b4vls#9W<#w$3|r)a<%ZKWJ}tNh@dQ!k%71lA}(R~8_pZeYCINyJYJI*?z&u19?)e9>|_t_V&2McA|Kiu;UmE^GX5(zT?RupW?;^>{> zWT;L_@+$7PRh{-@>WivHRV)$Hu`(J$ru+_(k+G-?!^m*vRDf*kwQ?I) zfPPc=*Ero;NdhlV_JFc${J6){C4<6I)F*b@l)zw4^LO!$6IPjHO+_xW6C3Klza$Bs ziHN?2wevHYvhmow<;keISe=T8_U|YT+&(oQ>O=mC3O=C}baOyM7y=Ht^T({NdCC15;21>+0M{)2as_VlTgh&==Ruz8_;myBA!z66$|u^dyP z!jS5oXOXp1Uy~LH$sOT8S(OhN<+8{|nS<7iYp3rjxyK?J zYgxj=h~yto)_qp(E7m3#cjpdd|fmulY%p zZcGSH>e@C1SACD6^95#3MhiIyanruc*oK%$9@Vfn@zuTA^jqF!felN*jiB@`)L~(6 zg* z=I0F<3DAQ!U=8T~R+|1rd`K>=P)2n!wqb*CsU=7jy}eK-@2nns^hDW2konzd^FrD& z)cP zQ5?=Fr%boPFG+zE8z#&dw)Z1`i8M~h0?!lVG?cOC3DY4NGuMH$273B4gMb38ArsCozxiy_>AQF_Eh=diXjNizw#mjQVy)otJ!e)>$7ePF=qYb zu~mwcPF_VQ#FtXWS?))rpCuCifn#tFzgUVUEzqP3H2wKYTLpMG@V!3R@9_PE7DD%( zBRu#(ZsmSM7N18KH(;-&207e>hqHRSJQTPY|LJasT!vPcT_9M$N-+CQ*mWfT1kd+F zqr3fet9h!7gUs_y)y2|r%X!}`3%t8tZT)(gxb-gtXkLF@-AO}D@Jey_R_U^Ro3^}^ 
zg9(tgxO8#fUjsh7y0z>lN41^A1Us)B`CKM5zB`r)==QYAkXtv=qFzNjjU#H7~>#AzhtgGxl<}>h))kbKh1v^_SHAF4ainZqM%p$X!4j zz=9svr$cEIt8SHKPkG;o*4yPgxa;+U6>xFY(O;kb@p|%UQ}Wsf>$zRde27nLS$mz~ z!~$DKzO%mW5vu3_W~ai_w~c(33X>6=)=#5V)6c!mzI+@c6S}>Qk9b#ZG`;vWPOaD- z10R6h&BGu*?$aB{?%qw;wW0T{8r^c};a#$>hbM?;(C)nkn|-v`ec$Qg^o8A(DnP-_ zNXRnTpKax3U6$kaaQmzhu(B-c{f_YP2-8{~63@ErbosX%;VLHU{JJ>?up4db4LGdz zLVlf(U+;tsBtDXL!Ak-?l-~VDzP`VjcIK#k>icgY`LG(a?g`FDHu>NJ?Xx9>J=Kye|e$Vr&g^;IjU%#>A$ZhglqSjvjU*Q_k%8zhsHRk-W0)1*k$ES2J5`brVe?(EGt{*QG(0znL?Kz9e%Ge4c^7tJrJTn1q>#mu1(;`vdecKo>DPzqN?JB+hsido81Py2;xRB1en8huoy>yUemyFL?^ zdo;_6X$*kPyy~;(B}B}`g&F##YLg>_ZQP_%Qo&Sc^^D?yAfKDlkz#>1`Sa2Q8x^Wr z_5^*JA|I*j1Co^{DGZ8u<}II(9~qRFW>NuRI+Vxbip~``QRF$c&G1~FT&37Ec>Dat5hii^f2v!#;Pfj0PGApwI-5?ozGjxaLpR7 zv%5%pm=`gaYPtpFMSy**ZjM8ER>3>=|20#thAw-PJdt7--JvhB)IcojekY(|26yqL7+@_Y2KBy z?zl|d&tEw=HAIvm{V#aO{gsmu5m&fwpLAT{Cc3`5VNii z9JLKQcvO%3^JTHZI0#X#9zB<7z^-Q0`RFVBIK~l?RCx}mK~wHZA%g#cW#GxH_KYEw zL#{?JNtufDU$~#g4kGY^i%rFcA`>e`Z}{~(fll%Gi~IK98-rLOkrQ)xXds~%2Zu~GRpY-+@fG3hK{!oiw;&6pTlk^`J_TrynO zTRoHE53MclM`6MJVkbnzT#mj#&YN48!6t3|@@INzb0kBfJ*;&}_h(TTUBg`)+LD^I z($K;8apcvSBO)|X_=6dSj8T;%Z|#?nvuJx{f`}j<$o9|F|LY1Fm3L@k1pr5gkJ{f9~{b0N;wBEKbQH-K= zIRd3aoFc+`6|kN39%k6&Q2TITH!#<5eqSVC8_Hqt?=0!>MHN?cDpQ&+ww6k6D}f$= z)hy;I_rSz0<0W*WiWysc_+mO>TyhjFQl3i5A$ifO?L8za?$C^+HkgmlVr16-Z$u~@m9t@aT3%w9GK#$`I|rOy;_|wkZ0T%uyw6!219mY+$ObcwgU{E4>$A0OYqneu zPD!XdB__9>r1mm}NvEA5#!&va2%uD&d!m8MrFvl8vsvRe*D~3U7)GU(;RpYv01N-GPkjxr1S+;ED^=^2qqwNV+4Lv6O_xoBKTsXS78_D)}`*o># z8VJg*oV>bs@pQU})Cv1`UMTzVCh9>51l@z_ZUGz>VAlVr!!Uc5;`{r@e08_l-bvDh zdeFcg5HWZh#5egV-KB(%lsLGV8C=y-NuKi^&ArGPjQ9&|Ar3n&z&FAvLDXg9an`QKc|m@eyZPsV_~taXmvcjl+C{9MN2HwO{PZoT2CH zM{!0u6h|SQaAFpf-9ye<9J_MEIC`QfbmXM%ei~kDg`BZ+D{2`~_uy}e!6OQhRZrE| z2#fh&l&|&LPW0$41QdsZGQNJ|+q?4fk>!ChcJ$BOwiJJ6iH^h#@XRB}>LTM(hIa4? 
zzAx%av=ak@UKB}%bph%>m&zf`!u^TVhoJN}?)+Ovg`(?>TT?3E5#i1bN)VVcmx6fc zp}sL$=1_bOH@+ZH$x3~!MN}1(ulr}J@7Vrxer&luo^*1*A^~B?tert|1dr-F-r`^6HL=0(NRU79 zg7HcUrThh}NLC`nd;O#d%bBr96;8`wu+p3cuEHJ)<`{+jMqK^+M;$Db*vle;b>AZD znPVHg{t!HRh7!mBiocC%NG#aXtSC1Z!TI*hJibe>AZQaR7>xnj$Q{mziFv$%%Zh(7 z_qHZWxu{biOd#)1gYjjMAAL~o34Z%eADXn3gJEl2+?2!us?y80kqGjC0Vgq{W|$|R ztq1bwh@@793>FO%v;tIbO5>E?G+$zG#pZrSSh9B}z>-NNiNGx;#f;~?{1{C4EUtve z;O$w<5}5wy8-3ziggHlU72dUR=3)`Xfl{MC)MU&lC2!rWn&4?bOFv8UBho~UX3>W43rG8@v#*xQx zd`hz?=<1SF5+>2)Og&0l*mW^?=G4;^A2A7|Mqxn?97R0#s~b6@345!i^m@65^~TkZ z?`2liN$}_P84s82gv%pY^3oX${fCaYJ(*jkVd&UVyM8mMEcCw*?;56GEBqD2>=sBx znu3rHx-0^`w^I%oI7%=BVAtahqjpNajC7miE@E>C!}!beCMp&Gi=$G|`4N7LKq&dW z^rzN9C=89D=!irkY68D}jbgjdh;|618Kj@7q+mIQy}mMO77u{j^#9!{{uF&5K1JVy z{}z2m0at49Tn5?ETL9CaSsqM3z6bOAfM>uvd{H&2|AHUc4dsq9U5or*|+(0TbA}?VhMY1ovg}x zF1l%5nBy59&_MVPux)~+*$m2p5j@{?-^qVZ#3X3wuYdP~?mT^x+~QH{xNT5e_sEF9 z_}dMt_gd0&Deu(QDcMHsdRil)(z@-J%+mR=&a0{$KV7fg{#*dQQy2A#e$Eoo_SS!A ztKLTMGWYGxc>*=)~% zX034_yWK$OTMqj!O%uvp4co@U62mw9?J42au1`#c-~^{8F4Oo;q}8h}d~06w#l$X; zc_WKA9nHh5cD08nu4_JzLU`xSa)~mG6m3JcipAysyjz^>AVaT0@zLk^69u* zp3YP{Pr1nwG@tcpEeS3gT(90OC*!}aNmm-MzC9eJcYEOc#;G=vwGDC7S-Ee?CUhUr zgE^Sa;%=&L*k+yfry`-#dT-a!Ipww7eq4Kv{`(HNUT@teh-{}ijObU@jsArd(#^4E z<-OPOSmma_n{_f|Lc+ye5Bo6^eLc-3N_Zn^b_}W0dQoQq)~)pXhp)}p3aD0g**qNG zD@wm=9W6WeJZ=nU6)4=Yo~{n6tl4i9t?U{;Uk94)FXFcH8DplB98(>jOzTncIgz`# zA5YLk8LGNUxjihzBg^U7R_ly&;aX-kF4ARrfeLr3f^F|}|JqbK4Z7*@J~fTAc3A^? z7Ob`bATS9C&;WvrAK`nS_5@BN8-3t{6sKQN-s!^Qsh2_iK)yb4DhD?W6N-=jVydU! zA0NZsbd6bIB4(7>tA&q*9%diI#!|+NeTPud29p&>!ajODg$Gz|@%j!$1rm@CFy`T9 ztwHRks|XaFD$!@75=#l>45j^Q={5oC8}>t;o<7TDu=Jr`4Rqm1XTPH+r6nd~ds@-| z^*X{7#5*HBGI&p5IBfp&HC2IkvZf!}`C}uNDb;Q>%8%8o-jssGzdcK1qU1xi*n*Y& zbF0{_h5y@|?awBX^(n-ep6{e3RgJchgtg9LNNNO=5dExI1p=r7tO~Z4Wc+AibYo4! 
z9^xKpWTbHwQ9;J@MCOnkrO21^I1c-$>nQ=$_^GMbF{+Q2?L5?X(CdT!HPtl{vlJ_M z3cJ*9w4zaDIm^n2dzu9Q=r7Q*%Ja6z9HDa;onFORznIr`L>vQFNVzTf3D}KdOOy?d zi?oFc?99Hk56YBbUC8x2;oxJJspne^)ck7>VLvgRfyh4pr3n*5$}VhQ7~=S2l)x0N zGEw4$KJvTWzrQ_EOc`S0fmdU^iA{T1tj=w(#{E%69ZDw3+@fC+BQmcK4h2*Q+4Uj@ zbvMo74i-`l#a$T{EWS$a1Qbsm=GL2w45HT_v#v>yY7AH^9CE?V$T6hbrIKvr-#O zB3X?q{VY{fYcd?SN9lYfkT~glW_{Qa7pxYl{+-MBCfCKadwYkPa?S8Nx`*$1qK(O7 zQ*BwbX?k_|_@m+34hJ$KEzEk6dwI+yRlo-+jh34lgT*xA6k;^y=Zd#CH4*u-T`HbQ zO`r-}&;)<}9kU?juztSG3ckAGsxLNsU`XBW$0u#CFh|kvOeD=H zm?@4FVN|PGWFRH`!&#CfUAjx5!Vx_@`AeKK6$+RBQ9fO^)<@${J8a_;y|S+ZBvX3j zAF%}5;*$;2l(Ksn9AbOl#Jp4#GNoZV+DUb0iG)*};&?fEEC{?Yct{!nObrgMStj}p zIc6#Ex$~!CytGT0wv|eMdJZ3PJIyA^t~5;X>`CD)?#H3%7}}Vh<%KO`sY$O+K(^47 zv#I+V!nXTHu%SWQ5z{UkFqp-yR-ZY&sW$)vBb+jbar#9Ho)m%^vQtAcd1v7liX6&M zinf2k@%R>$F?To{@>Db}M{+{BTVF(l`9@X44)|>;5n{<6zB}{hFiOcjG+F(QniI-E zC)Yzc^Z6N!zNo1^@soC51i^!R2)4$5U76bKdw*?`7?ZY+{a=EwP*n>d5mL%A<)OX- z&+|Zf4TA?Mj63)HHE%M2YW92yN{h^Cp{5<|u2hBJCL zmRVhv?O@zf=DZb-G8XLpj9myRG;1a-`;sdUJJqA1zLcM!{1&Xi1AU&Lx;XYYE4{FEpWl+7D`%z?J zW!Ekr87Rl|s{y%8?$3Z6s3@B+Kse2PDqgkIbs!9g@B=cR{AKdah6^;4EZg(PPYzw` zH}1zZ%NFNw7hpd_dX$dNm9o1pvD`a`>$K6|INMY2bXP027;dO~2%da~Dq736o0i8J z%xc2}%zGPTjAvWsvdYyq%Cu;HS3Db-=cR%?Nhh0;*6yv&@}v(7zC^m=x`yNZ`3 zuk0Qsj@BvGcAu%3sx`53{CF(B1SEPqE-^i(tEf8^!Vq$vuHjl^AiLj95`zo88?KVa zbxYw@!TV_4|Dv!v+IJ7bD{6bZC1vU|g^cl7&M)Xb>l|xlf|_l5IxYbZV*;U<=N0!M>U2{eRr3Ugbt7wjFSVRsK!)Lo3PW@@G_FjW6 zM|`-Z2YuRp!8V^C^fcJF%MFCg?gg4go&z-xUK?5qq=CTHGRz}27}8Ehb`I{rKzUkk zBWd5mf1d^RIPok8z22C~(V z1@b;K+p}%Ew8F(!WGMOux_WR?I^xy}X+RW9CX((QjZt1dN7>iFSYhICj#44uJ z`TB)n9t`m7gjrx!#SYQ-SMhbGwTL9WU+aiPSp{O4vk?p|qviYd|0cg!(NCb8I~AWI zjEZxGhqh|+1m=o3F9eoU6)*egb;Uj0iFfHpG;EmHXFfY%Ga@@lYIVt9eJv}mtCKq4 zY?Egc>YBGm#m1MHuq*RhRi6(t7o5cXJs7nRh-Td#KSkQFhbZ+Omg%?p)t6sTKcoy3 z<$B&%wevB1(Wwzjgmuv8+zJqIF!~pSf);uT{$SnT&S13IMVVr*lm4MBp!njbH-kUO z!Y%zLUawu{7n7+Rf-(adX{)&+?hiLsHQDC=EW~fnU4_x~1Qf9S@_eQya>57@R?Lq@ z6wLe4#heKuSY2zLALDyT2Fz)h?HsSq8Yrc+sv0PYd?t{Ej479mP~!C`U*%av^~gkF 
zO{)`6u!e}cxCGa#atqk&jo5ycsfqdFH{@cWHVW_@k<6ArbZMR~{z#kmkZzR@#kqDs zAuOQKdK4w;RG2jWSzCQB%y8KzLZ?%x1T{RVX&eH(8o_-5d76<}nV29#O7%<~SwK;* zA{9xBXcn+|{s+-PbDK>=UZ787v?BA*D`V^fe6E^{M4g}`CI5kBj-TqkcHQx&Bd${s zy0~=$|0nE%OtF4bOgl-z@9m}){(o_5QPX^p-V2p*Fr;{BAYt3mWf=OcaSU<2iwX9{ ziIgWw6R7N4l%+(;H~aA1G)tDmEPbGq8Z~|Acq*#)rTXN`>2+UtIg?yDH^*KPL+l== ze!LO1@?C5IL3*z?eNzp!85W)OX+!TmOCe`ck#<ToG)En}|aZ;S7d=kHTX@q}oP$Ap1Q?j(?soJDf3eqOQHIXanuPigW zuKa|69sgQrPbz(qzp`^~#qBsZ2x0E?k0=k71k(z85D#q*5n*sAF65U}A@*Hl6FbJS zTP^k%t#YvlJou;v1irCF1?;v1Us&&y^dI}eql&I*$L6m7mg*eg6A0hQNCk6$&51eX z=)Hz~;ZK=ev=g9pR_7_?tvU`zRHi8M*z=J?3y2?EY7~g0Qt^=Qo-6AUh`+bLy=b06V6%KRp%El(EOJTL+iWHM>bZ^U8 zGPkCg2<3Mnl9DFOMWX~`7z@}JOj1qM0dhOkn{o$G)6G7XXL%59X@P&x6alcBiu$Of zme>|D(&bm%PaYM@3}L#1Bfd`?3fA;2DY(tPHpm-Nzssfn{?5lff>Od8_V39?SC5w{ zK4pl{P&ZDM|6AaN7v$rv28l1}63@PJDXitPfaj|g_45e#Z=V?JT4|3DocjbOF2kZM z=H08`-hdWyPmwnC#uK&AvQ)yMq$R2B4_5ip!VDx9a{g0cma2S8HACof;$qQwshWcv3knI2gat}m)vmvC&cwP=aDG`h_Dt2NNUOyVvK#VA6*w{c$<1B){gZ&iqeup3 z|E&c9K52NsKh{EBAdBLwCEsQ)f(`jgY7v)kTEK!#Ec7I+x~4ouIE&CBMm^V3yFL{; zw0+dstPG;fm~dInqIehVi$Pdf>28Q`z*vY&CzSBImCAW5wA0S3X6`0iJ#_lT3PmNa zmEb%n^Z&rZ_1e)@7Wn5qpyu==o3Ox(2^_3`jlBNx{SH76H}nfmq)Q0cT$*)HJOR$7 zM-325A?lI^O@~@u3tN@$Z_h_>o$W>Qa$oy)PPrfMPudXe?AAw~6FfElbFCjO*Rbs9 zx%$lh*r^Q!mS~wY$at9M@;#_-ywx)$({;fs5v<#FFNT|7ZEL#LoikY&O5e3&D7I@k z56$mbrC)cf3MM#!@~JE}-H%1)t3gk{%rnuRUOzI+R_*yvM2Ul%8YcJe&A^`a`UHinsT4@yYM>_ebq~+cv$)J#ar7DRZ){aRl19xkuPRrxR=AlCV1kcdjl{mIIM=ON%_ZxY#;u-h5*NHysev!Xw) zW7Vu7=z-;IH6o}A!g7&EXK2pPFo z>4+>D>_1uoHCBNwSsUdw{E-d&%gX}ToUIQ+PFQvon_E+a-+ZkEAI;szg8PetAq9#= zE3)D1{Z$g_zG`~>`@2IKrQ!&0F8eF}B=;8TIDTJcdyyZr(V!|Vv;dX;G0r4?3yO8p zQRCFsiW6h@C$wRaimkgjx5NV}@k#_ds|axvR|VU!-*s9jtLihHy!6lIxTfXogWoJ; zZ-Y5n&Zd-f4?WcUvWzqhzG$W_%;O5fhH+X$rO^h+3)$dC>wQo+uASp*Ydh4%MnAoxQNWeJ`ond&aL4H*mGK{SgZ4Mf3 z4aPrMx6NgXu?%ui;=h(myiNwkTRj&1S)ekpU9ocONcHIu`BuF=CRRCF_^V~^B=XE4 z?RXZC?Ns9T25mUz!btHRb5mmC#IY{XT-n^VZ;-Wwv<{wZ^bg>a?N$QdEa?> zZi%=tBMRpna}1nx_I&2|l+2t_O1y<~ue7VNvykf4d{jB9$TGG3k;ZQVRaCpywcJrN 
zxtmuEu-ZAZm_z*nDSdyXzGfOa{9I%jtQD@YED~_|eu)TCB%^LCgxPLh1j*smg-ZqJ zt5@Y8m~SX({YXT8AxA-G0CkEfnz)AXCosQDfc}t3n{0@m;ws6%g};?3+iw_JKqW^- zVnmdd*jYU29<^Y_>S?Z#C zI=%@vbtcM;-K>DEkj?9+HO-N`Jsf`1d#t52UZrm$nZXbIuQ(=1kDeHWQa#n@-5d(; z%++r;t=0Dc^yJ)b15otZL8BYtIpoB-X0}cF^HJfRupc?=8*~xxg9AifvyxAuqKa>w zlM-n#!tlT<`t*u^Rh;EGF;`FDZ&gd<0b@2aoWQQU1FPP@mhDCN=4m(ZQb;}$`Xldq z1L4xtSvURG%hFt>q2WbshwPKRp(p}Mz$UWypbHnVOjxl?pEbeL0wQdPR0R8MDfC#FQ0q6O4fE8ct*B=hBBt7fu;o%>MysSSBFH(rLw}5p zzHZCfcRsb~;30D13H^|tTACBjK5_SFO?}iNXS!0_PeU=vXen0tu#B^CF5v$X*J5T= zs6HN>ZYXz?CX_BIo5Rc4bU~|O{lJ))Jn1Sl;Zm3H4M~v1d9p#H=59$@C{BP0k)Boc z%o-^)&(8cG0L!wa_~a7igLmeS0pMSk=^(`om)A_tAxOxFK1vr|M*hX+hVbP2Blu(a zeR?4<=DRNndl-Na%rUX;aa5>Ez*hUry`Lvpa%9DZ^1?*;@p?o2G&`z8>pW`nHYN?e z)!6RZpPQxI8(r+ZCuJVLAT9p?=R*0)`+4<^#SS?Y}@sASmzcX726O#!wMu6<1w zmK1Qud_I{qM_9=fcIk~nCb(6Cv|<_F=SC;e+E=+eCY3~&vD;3gM$2mUj&Edyk zJ3>i)bA0W$e)Te8W2)S>{mRu-*D@Tg ztK{9=u((|a8L#90Q=Z2|;m>YQMWEnUAgktU;<3wcbIZx(^keaM4@ewTe`5Zg;WVz; z4Y&`0e&y^)zj<}t9rZ8Ia_A$Xqjl?T)S&afvU{m=yYDrS;n91lb|F=1@$?;6$?8mZ zo-FL*;m%`vm-n!$;yjMuS<$Jg8{DHp z8N_OK@dmD8<^B1hdd+DNomyUjt`MAQ|2lMx|5Ed|n$%1!H?ySeezY3QHCs&;5HP1E$iGC)edRR|sb*JB+5-*n6pKf9CT=l~PNx@?# z(Sh~J$h?4etmRbaoAF1y12fC5eQ@~;nC^-2CH-;R)|3+j{&7ioONilz;jaD4$EN}= zjrt?qXPA^OR>cdt0^L_WZm02afK$_p4kYBXnQBX`UmvrtyR0+So5Fa+Yk~`z4GPGY z#L1|0_?0#M`eV)8S%?y#XSSh&s5pC}b%vd^FgH8tVSeMgTxBk95%%Ovhu%A_Ni4lU74IPj~W9reBu4YVG&0 z8Y>r0{v-nftSJ=K@30{L6hk%d1-A801hJXNBvoHGbsM8HsqFKj3DixjgryYZMfDZf zJxk>|h(?A}3=6NckwcnE-)}8!q-2WSx_$*7DszF~p(SAGN!O$UMd5RkAA2mvNpOAT z7E3*2q04e7z4^c>f;D^YUQ~PVh-?BgP4s1=YMU2`3vH=?!+U2K3#}E=8|)aak0xhb z7bwaN!Y>gm=|p_Q%uv+S*-%$=a&}0HQvNcuXW6>T!HcX5s7=PRR1*evh$>(FlR7_) zTK5^f`q@8Rh-CKF9>;=IuemZh=o{fL>4}opGW_U(n6I0jMkT!s={}|Qv{fr7^tOBY z-TY2xPFZjP+EdHEsHyvEor0rsGUQL4P@D`-6VQq5k#@7+`-_s6JF-iUCFLWq__J6YTLPW&Drg-K5@34S2;_)yune;3!`k9L zE37ush^8$A3%3w(Y9gcL&-p5;PC~gsW&WDu!xHTL(JUS*cf)a5&mQq_0phVnl;JW^ zsXO73Q7BT-C1>P9D?x?EElDB#C2MHP^z#D>-t%@ooc|V12Iw{HIGr}kefCxIt%y9O 
z18^ez%T%1Dmiz@2OY3a;nsUr}%cKHOi&k%coH-fUl@U9|TeZdg4$PYy6%8uu_3Rvr z_?=uW1C2zJEq&rvV=OZkU*n&U@q6tqMGl4mu@Wm>@wRlp_<~i1MFfAIwCLyrHfd6^ zBsicyEMr7pGmmD~THzu-(FX;gRY@*nYhfKmjdLmbl>te~A|4;ip{7QYA}6ssNjXI zR4?=|V>s^utU}8K8IQEYO7ZWRq303>EG@KVj>EoX4+o){zc6r^(*)G%5@L~r_1q*! zS|L%sRLU@0_j_+uKcM5mMayho3>JqEa6Cp@dTqA^WcxE=;$-;A0MZW!F*k> zNCv}bCM+%-x<}*TnvDoI#o1u@e)y-Y*B}FD#psv*%4#f`*PW?tt*Z&nvoqqQ&*8}$ zq>WM4R@pFq{euvf<=tCY@qIm@z9-59kKsNXx_Q<0RfC}8bjf1M>-^cqv&Pb+Schi# z;@wQYvOiISEcn{F$GDh^&f2`$d4c)9pdDH5sfmhD6)X-i=y2VvPFl4%9+hA39X}aa zUs0J(x5x&BAmPuJ@SE_A>$vr~o*r+lS{^DtYZxEnUv+`x;W@9b+Knj&jOfTZPS|XC zlKfcLbV<&}3_gA4lFgR(yM+LmDq(7unO9uP#=gc#x~h(kT4I?_=fVTKWy@M11Y5Nx z_u<*!C@l`~97!>)%TUvJb?4gzRvlrs^F-tM<=^vT9>CdIp#OB{8^Ys`Z}z6A$j`&b z`n~-|tSk-A?nNXr@NEYNIG5(V&&C9=vB!$)GPSeXtA|RK_D#}#ovqo^V4j2)XX+d6 z=EoXKRq969N8XukB_gIPD0(-`g>aq+uncTBAq3yQW3D(=kh(io9mg~;dqQB~ri#?`GaF2~A z%tb&Cgr?_{lf1n^Q9Z+|TF6-qqn5972fnw;M3ifGCFUzs8h2(}xiI9gd=E+!6xsLP z?vFv@L$7HndgAYpS9vKQzf*yW4>IBzBQMbW#RT1^G>S%QuBzNlkTAsmZJ!($HwqXr zSHZ?&J2w$ZZdHUQiuBb#YQu2z3JYE$vivcKlwjiy+Qpu zwzZJEf4zm3+g}lsQ3FC3BGuJOW@(q><1MSB6)I#|VZULf&kE<@1R7FI-Zt!Euw#Gm z$J@tB zcq63H(OLF&vEnrQLXx^iOA>i`(Ll=z3FSFc3BfsHGVA2CU4cwzs~`4cS*6AN!jpbJ zl?nHyVWFX#<;Q`qnrV2s0(tTc>>O%!67gYT`!t-fzdil+@S*bd#mQ(3g7%p&m9;t` z91**{4US z4(>aK28;-eypO?}%DQd8*s(hrQfZ1I7YijxhOe(wnYSQ&vd?^qWK&|zs!NP z#Y&k8iPe`D?7Deo{ytNn3rJRGuk8Mg@Wuk1y3W?s4z6jqVQbt2!C-v>*ziq?C&Xzc zNIIfnM;gY22!7?xQLi}(!2A{r!JDi8C|+p9(eI8&2GJT%&dg8jd?@0)!zA3ip&|%N zR}^f@^>Y!bDoy{c)RU83;5&Nz&*8g6`ojU5a%3XKO{^csm~ujKu+`BL)ad?)HHxMT zN}ZJ=Ib@GR`4JjVYpD{{oB`I)!qWogi#Y$z8&elTFy8oOCXvkJwVUQ~9Y)7~gx5G@ zBafN3B^=x-@>EtN%%UR8Mj%v35Z6#Qw1*W6F!w)2g#C8qk1u_k(Z?*4Bc4pA51~3Y z6FNROri|)!G+4n&xYhqnpk%f-^t%{m08UYiDl9gH9nbuf-;fiUx~V9L2w%^Xg+omJ zWu}CFFoN{EKZFsoqJ;UHchRNE|G@EfOD|N!2RYE>?IZY8d!7d%b>8)FgU^8`W$-cd zGDPGL_#ZH@T;N=9C=g`s%mN+E=(Q@?>RGfE`+N+Gz;+(@Xi~Jx>qSQL;?59A>~d;h z&F(R?W&6H(JmGEGzMPbeVyVgNUC&hI?pf+0v*j@;D!aCK|NNPEsMF~LB$+J)zf7=_ zAs}tIl|K^@YC5mowi~eF0R}OzHK~(LcqVAQ-Q3o-VC@Qo@2J>0g(QjFHkQs| 
z`m%t|6I|lHG6wUY-C-73&dLQ?{wRE2P0vOJG%d-HZ8x8w6w|ei9~>59wmf$&^Fb1B zfP4OSb35ESRDXId(#{DQ-brRJnz8SX(C9>(Gz2Ds3x?b+qea4 zv~}AnL-lt36(cT4d%gAk&|I?8X^NLi%l^~3clUx@jjy=+ta<+8!Rw~mpBcT>dv4wK zvD+zpQRpwROiiuXJ}h1h#^KwGy;yUBZ?>yiOeQuj%Q}ay6_jc|% zZpQ=9c~sA>qrqIov>a???rkGurcw`XeXPZ0>hOB3b6r_noE6j7QT;EX&au4?XzkWv zlQc<_rm=0?D{5@pwwae&%Wb|*8xSxauiR69Y{Hv$}-dZ62l(@>S`8Jk|0{eb5hp2xC{ zSk+fgXMX&)9$(XNwQkwP*J{r1kP1Gism}Z3&&By{eoa=7gU>sBklp|YSPMelssM>f zAA#NpzeI1gX?5BF(D4PZ*UDl104% zKSHkEhzE#oZsa3B6Re1p#!zxZ&{9~dOygU1S4a0NT4g9vLAY{DBoTcSX2I3y3@tzJ7S zC}*&3%)nB*AFNSXjz%_YyA#G7>rmq?qUxNbz#=o+-^UaomuAzE8JgHsvXBB7Vevjs zV!S#~>aqm|QSReGiUm%~<{i}tHhumQiaIMqtY(5@B7`5W>RWEqkUzhmj!uNpbHx9FZH0< zh?OFUQ_TGW3Io%>Cu8Au#wEm>qX>kBl!EubP}W2XEqVv zG=wpI+xPD_Fy_vSS9|6z4Gl;u$ND!nB2vcbyVZeaYFQRdyTO!j! zKp8+_&*+cL%5nO&D$PlR&QZq|bR)1S6+@)}&#Hv)3CvM(p3qINH86)QZ*MKdTzktR70xk?^7keuh{e24Jd zLGMjYZj|*<1yp(82r{Q9@i7CXo{9s%P((UNKc3(G?eCP3sw$?j<)u!&37Qp2tJR}W znZy1J#0#xJn|e&~3C{nIGF0F3kn zW?7a!iR`6UvSM_hFcjhMo`9-##|3v#lJhJg zl8ugmVw7|0tWm%JJ3w-5DSu`N3PIA@pzDAJyVt1!nhTfDm>wW(q=*Dc@AlO;;5cRm zNC`!ukCO2Q_2~fOI*x00<+}JIx7#T@s?qqtzD`qCpL;*fw`-O?(u!EU>~pX*>FIM2 zug7^b+pNg}8$;mk^)`Cv>b^UrrPFj{wXscmpUOi2+-I<$WA=H}H=-t$2#t zyA+FIW1SC_GVnCs!vT6c=`+Oxy&cKwJ!j}-?3q?M&tD|#bZ;2$LE-yEdr%gg&TtJ zveWznPqpKDZ^(z^2o1pJA`da@oobMHrSg@jaJ;6fe)=~Lp_$o6JGB?G!SUuGr(8sf4+YIV?1XQYGG_= zuf6~lYR_*|aOHfK7ZPUN9tmEwra&)LuSmpJh>TP0MOgqq_hZRbI&$SQt`Su;p`duS?fhuC>O=V~WgU;X>9I3!UKUOBGqz-)N$b7_sn9)hWs@DM zMa42Z9azC$kI~#imDF0PCQo^Q|1Y%Aw#3P$a0f;zG37F(!YFrQqn0ux%u@4~2M80k zg{pBR1A&6R;WHvWk@4xM1Xf80k!GqR<>;Y)V{8UCxb}fj^3sNYzsRyhn_m3oD3qu6 zrV5tEG+=*ExfQFUg1yZZR|IL`exM4^(JB8t6<@xRDB(JZm5q~>&~H=088F{;s6Xbk zHDHE2^WkdLIf*)kAKxaI z5pAMkT1iV7u^8AnaR?DjBJW~tuYdg=Gg4SwL`KJ55EJJ8PSY`OClut`mKXQ+nV1kK zsiL3Y89t|(6%+0k329y`A5%~}ZQbti!va;@?-z38I_rjEMiuP#^3SywQm!9=)wwAY zJAN2DIUy_|$|W(@fckbP}V$RjhxR3qywZs5?CCGuCmVDC0y2 zedoTNMK*N$s5>M7h5~W#RK{_N(20Ddk6-XuSO8bQa{6UD-|L-rlYNr+%hHv#&O3ij 
z$$eoc&Dvh;4IlUV33{h%!lU0$BT9%xY<7f6jXX3>iR8cZG}mkh_|&6nd&p!CJhy{;Tt#&qcA)s8n{ep;suGx-pp5O23D5r>`Lpki>>U8EomE z<(OGu(b@m#j`U9_JJWot&xcRQKB(|**dU{=USLi40|CPO&u64adB(79%t&tn&`NTL z&DhgZ=YGEyI;rb!^ulDfZv)nCblvLV885FD2*%AaE5pNm>7$dl{$J**!y0a-%iYkc z-MP=;B+o?0J|(5^O`>@sL&&t36z}J)4{!6##mfHGB#--6;bsO|F`(&eZ|P$!eF;$i zy4LPTkm)q#WmRBCk(4fjCqrt>y??Is1;cc@AB~y>NZ@vL-DFyIwGNMdVvK=_Ww{LC zo_=0`T=I)Cc-&#x(Kh0V)n5U8Y}h<^Ryvc;=>bQfM_C;XVUXC#owcXo&E$aYx6yVC zjmLxs-_GfXYJAYVW1ks*_hsw#J!D=CK$~$}*L{2XVe)nFqPvqf(<`do>8Sq#0@Rag zR#m@O&k^q>|7M$(?edYv;M-toIfV##rg)i>GJ_h|O2|7Aq-TEc#sHpe47z*Jdxc?oJFmMh zKhkC3BO0wd`oa0^TG!Dm-%`!YzdbCb_m^YMEo9E}t=nilYsEK02R*Y@>7VY=B3^X5 z&j&hz1JXiFNd1MCYu3a3(I<&mH70`x2qGfTsVQeu^Ko4%_QB(~Y4^{$qwbIYt9TW(Bl5DfKbpe|PNwHEh+A=QH$INmCP6bPUvlJHNl%it z9fiF8_5C%5AMgSY9HBKWaHcPplt4_RfCfYTw$Op^=PoC83~nVvUD|G2t08;ZAp?zQ z5o_0&C#&Oki#O$HP&qrKF<LMMD1S}T*0VN&K+c%NsN39mOvVxyrpEWU2#yc=^A|)#E4<75(-uG99vOUxEtyW?(#<2Xh2lh9L1?< zyu8Ckv%+8rNjPldF#1Xbx)bk=T-k;)lszY}eA#o0in%iaW%V0rYVqyBbW)n2wxI-r zqEnNfdeQo%Lrwzia}e$hcfhc?*ouM|0-_gj7?P!2KKq$RVyq zWtJZ6DBL2)=Rc^_-mS+6JTJHar4{f+GHB1{=-%0=uQIf4B_P@UwlQYhj zKh}Wjm{YqWp*Ri1G2ydN6U^ht*Dw6qTc4-V@*gcZgbWmMgu*5a&bjR@U7*RR6#cf} zbduA{v8FMPeE$uT;3R$(40lztyVux-Oe)=)fCK!SL%uBi*^_$;5(=vVRRL?k zbLacf+G#gpDigWfm&K9{I?n(9A~!Yr4hS_qD5>A`rh_z`dO@9V*|s4~rKL(uwslKh zSQ8%+Q8Hd6#tc}9ryQZkWsW8#FUtPzJvUb9dB{j}Iz0>?m_li9&o@#6JEP)hZ?*0i z8zw}yR*9PwNHK!CWo4ZEQ$3@tr0!QDjYum^PiZ7xe@oh~Uv6eIOzDsKfVqriYvmBv zbJo$i=?IO^LG{>Nlmcl^nS!E6lcbv8K}01&(SpbOC80r z9+>@>u(TkSSWbn@b83IvSHSV37$dO7pOvl%b}Ks1WQat!ne@cJjSgc)@Jf8@EdiZQ zHnl+#e?g$H6+9|`Sag-(^^(4tFo*RrVrN%Y<&_^;WGIdc))e8Bl(M6F*a!7^e`Kfw zz}1<NwSH$VW4W4Tt@9e{)Bvl#AnlYc@NjH%)CXZOCx@u28@dSB?9WIm*v8O)P1PJaqlH0NR@F&Mzd>dhvG8`O8{7P3s z!D4BWF^Z7X#vOV{Q@VtU|Fl#{6e+4u70Euu^k9iv;H;{QNG#>b=dX%IW1&^w7_nCe zH|EORoz6JM@cG56+&Us@kViXk(qs`rSH+=B)y$kZ%VNVfxA?yUG>Ay9|1Nd{n0xw9 zit27PSStIPAPBFH9oWvuGfZqrDEp?N&`TbA>9;7oMLR-@hYMz~7ddNMyml;GU=s$31} zs?(?s@amQj-Imbl``dg8W@&1i^C+4vo6&de^&0!IN$Odyy2Vh&>3~BwwQ;ELRS4s% z$oZVYW)74SbKPv 
zVedB1KIMEg)*rSP{nj>|p2N<3xPABg59nKL zowsQGxXgOf=h3P*i=ISiw8$~I56}A-%k^5u`Y_BeyevWvtj9RE(2_FkO-kKIPDLp4ri5Tw`I+%<%9@blmx} zl70i|Oy|*eu4Hp8>3GmRiqMU#LKJB% zW{7mb*Ly+^5%I#u`GteA5ja#N$uxVqv(Yp@8+6Y6aCWntkW(3fxM-$O?=?lS=)*zn zbCj3!KoES4QzuY>Qnm^JGdT$o6#S}PkfBkjj(O10-FLP=ezakg2yh6Q(P`vjPlZbN zYgcW}9wrs@fMOt{qgIOrLm}SqB|u@3rY>WLL1lBUPtoaXi#$6DHI6>o1ZPYX<+8Y5Qs{Tz=q-crUWUYeCdkacSHB)lgpju&~DXfOHMOVgY zTT{cBwjZSC(-5VdJhoc6ku09`9zC zQ;>aN1CDDEP3|b;iB>@1q}WLlGKXMK#X*3j!Jno290??t_{Tqe<=U+RjX5=EaPdMy zQG9SCuBk#P7@7!5m%quukGv3yjOdBLYfy4VM1;)S0z4C@3prt5{gxTAr~6O7*%vMu z_X$N2HkO?)dXN;J4p_5?u$ug%kGp4t%b}iCH5v_p)xmL|mG3NUw7>UynQC4DLNXQO z%3hIuCVZIr{wFAv0U`;W*8dyW-lPIHEG;sR+_1PK$@v7Tbt9OLRyxZ2;}=M-Nr)_I zo{Oj-xR9(eMZx zJDOy~QuP@NC?vt-3GtW={e4tXoPQMOoTW=rEEB~<+QsBkG!GSRd9hhxi~dT^#n&3G z3YP0iMy>v&n5W3))`zB)j?qs;;u83_HlU!L0I!)(fS9U~sXV>x-_e56ASSMrvTq)O zyC|A;;cDJLc2A+%BpCb*W@XHb2nDW9GuK4zRLzqeA!5s!w*^5SLoCnL-xb&)o6jv{}r;wzQhid(!@5+ z`c%f!ea3k#vQ9})V^K-Tp+WwOl?-zh6Zpy|kMB=P0UdBlG%J#76-qhB>1?pqwX}y# z9p2iC@N^+31!Et(P}oo5_O5>yUMKty;JVoFsf2#j=W~)2|11NPQcVk7E~rC5Ny?xl zdf{;p%tOq&x&}68oq$z)-na2uodlsDX?*5 z8HY*e{Fy-znkZW5qD|||`|ki%ull<@G8BTgoz8%IB5x@m-kS4FDGQJLj=|68=xRLA?MH@;_cEU;x;(@wEtafA|$kKC7b1 zrI6FSI+4m=14dx1^8lOs7M3H#AImWE0h`YAw>RhU-f^U0OQtU38b)w+;21 zrdx$bdbfJ}04c;htHt)l`hgP96{*yPrC>G9ivqpw*YOiztKHn~-NC7`aQ>p_`U~O{`b+HoprKw9hcvv{2hx-Yn6fgogdMJ?Kf7{I{a5K%^gqJuClfl z*_mYTToGNYoLPc;?jO@9WHI=@11C6LZF7$lxTd%q&q3El=YzM9PubTpAMc&agXD`V zRt$3<7463y!!q~_E)JjoSsjDDGmJNb``2boRb}_FugGpD>mu;Ox%7U>DS7Q_0e~(S95}Ituc-aE*WZkRt#Q41yT8KJA>2K;BFj z**Dn@!DhqN>o0&2TD1sL6-W~m?a+@c{*!lt#Fx{T7)+^#_&5t2>bZ@eFQkgWdkFN2 zEEbljMHSXp=z7@Jsk7kMc{IpQF%CtrFc54If zN0cg&gPHG$Oosf>E&AC-W0cAwztQl}2c_2qi!!DyWol{{F#m~4-6QgEe>-qw(Xr|~ z5yTB)A4yW+6XIlq5%|e-DAaPwlQ6)UWabqRuHNXxv^h)GdP>n6OojAjyp-MPYBc6iG&q3I6<11_+vXM)d%R(jzA$ z4S#HrXt8iaWf=)0Yv~zi@IRuz^2~-H=n5KE7z_lZr0zIT>#8*Ci>U+m9NBG#Wii#n z=R>}AhL+@8B1zag7_JyYK>UnKT9zzcp-9x8w0qlloEMLQ|6#fdy>)97&mk!ZUp*|| zX*FvidtjxV7&)z&R3fWn4c@cu+MU{howU>L7(H+0N=3A=IbDa%Z_wa`=a2BP2*v`% 
zp!x-SdonN5#6MwHL;jtp2u5V%{5_~iTVmMtyU75fYlwF6yV?~v6I=*UHo-+RLU%%uV*7tsq5IHRc z;nHSHjZ%KtRU?=6M6N)N%5RC#Y5HrH=Hd+5Wy7|96>28Jf$_?smx`(H^V4;OjFv+d zVm~k$<3+K5>hy+d5|oW(>S9A!YrvkN+BWez#w7YKK?@n& zvMisAvRB_ijHyCnoh|Q{LC;pt0DAs9Eh%XlZ?@#o3Rnlei@AmcKz$#I(MEl*u z)wns9XK%x42t7P7W4SA2a>{_YZ(Ec3M6=K^y`*G^g`rIL3L|?;+6->aZG2}a`HD8u zE6#E39Yq9bDkMt~n4v}|mjy@8{;b){b$G1bT6oOGxmlXDT&d97Fjp5mrT>O`$CjjI zmafX~$V^Qb;-^RWsZuNjcwr7WX-FyDSHT)Y5cYbBl66%+=fT>JHX@^9zX?PrA(49K(KHFr#XVE@O zUb?KA^^3{OA?Vl<{YX!CU;ysqRW@ywXY$DiO!;J3d_Tf(T4j$QJjTD1d%t_~HKrp0 zULSWxWZgSIq_x9S9P?ycKTf)R`lbWeu3ywX#C$$FANdGB@D4L6o_-oUe}zHP*AgW4ugp$9!qR zNtJLPr@L4u;75PlP1sgcl6Mnbu?aUqb<|%4(BOwNEl~XjNjptXKmlL zmEH5``Qyh9Fk9CxfJNCmB&wqj3HZ|ZpQ{vD4H7Unt@=FLn*W3YF}YL3CvDgc$i(;;YP56!u0=N@c}76c+b{43oPdY@Pfq?{bUziXRj&_h9sO0D|AMUq30 z$BXOLy|t#~p4SQmWZ4W0>(u1Z9$#N5#7Yi|un;nmZYH)97_k^=vprX={}C2 zIH33oAF0MKIShxa_=J_!Ot~IUw^Zhwsmx?n}z zqt1r*bA%hYxt{66sDv4FE#w+|o=LE#6u9bEIBZVRl&x)vcY~e`fUH~LUrlIqvXF_7 zHK3PwiYYmWl`=njS;>b;#$V8XwVLaZ`wbG;&p#h~69$mJPf&3+B>MIb-loU}*qEmk zdi_&}Ih}6#vF2@jWY1z&q=bGVR#MR0*W1&boHJn=X3 z2=Ye;5^SJ)WkX4BRPjaKPbbz*)3ij1{CTyZ7grxi7fX{o?%_AcUORdAA(cVLzLL{6 z@<^ zV5bTYdj6rE5vg6e9Q6D)zb>ma&{!*ylWn$vtW|SJFbc#lgm=a71r+w*0+-r$)E0s0 zrfo04PZEal7XZWp7#+FrXbKE$BqH*l2rX|p#EjME|FX|=h&TH#Q|N!7x)G@pM~tM z8gG_cE2q^vFLscW9i{0Qt}1EG451w}uc%m+ciXG(=2D|sNc})A-TSLJAs2>t{olrY z&BE`AhUr^~3gv-9Q38B~x(;3(uMG{cvM&Zrf$Hf#s2UXNC;pP%1k$=70gcQRoKIbz z>3x`u^1#1Se5iq564a&ZT)CB8$u(Nlb8gYonBjf0nmq)Nv|~xG)#Hkt%duX_78@3J zXlIpzZgX};M+qU@khe0@Lg&vX4IwUq>g9Q%5~V8%H28XC7HT@SuGxg^WHN9X46$b* z^4ARrsmfjjQ!Qo7gR(|U+x(-UL*s(|1(?@uwIf-eQ=n?x&-VvH!52_4n`0%+=0z2n zl}jA__oj8NR)13)%moMFp0US9BJg|^h$yZ|r=Ysj&com~q{tfQ?H#gox>Gk@p!Ox6 z5-wSbFwT~^h8L{K!iWBA@U(7YC;ZzMl`qVS^-Y2e3564Eu(L;^0UO+9!#y-^?oWZ! 
z0I3n_1S%bmXp>N6ZUtb14YoN?BSD7-MI-D+THd+5^c{C+{O9Cw^)38Mi z(7GHUsC1P$30<;VD%#VzYl6>(tL?zQEM|CJFw+>{6j`=Hpbhyt9in5$5V8Uh_rt1|KWSs z*>V0xq2oQGd929oIA{7~!XMcQzjP=M)dJZ96=+P7Nw>E>rR_;$wU z{LkQtoqkzJo$W63jAPArh>d>bDhH_YF_n6x*SKraedd&0(Xk%1D~eRv`2Kly^N+vU z_-ggMgiUV6JpDw)OV2x3M2UxNI4Gvw`LvG3`(q8z3aaH$?Rbdp`@Eemjdj>eFQJ@zmA23EoS2I-L@0hx^FkysbIW?`JCT{h*WRt zuN{GoW1AmsCV7q%<}`=0IJt;Z?&;=RLdiZmTQyaq3yFHK3+cjw|DR> zgT5i^xwQSZQx{KO=qg29?ohLILymV`DAVkRNSP~jnA{FVR3QRONjP2MJSotOCMD4} zWK>e0xETg3ZQ{$1WnJwHHmPAo%Bu@|A(ozQip67XprTL|S_ivl4VVR=M^H{2R~{Ot zeLG7aKY_3%I@cFsL@ncp^H<3xca_LO-C4)Hfggy=n2>I-{Rt zlNuXyW!PCfG8Ov29|Gj*fn)dBD&v=rt0)Jr`k6SA!il0-X4a4W{?<3bzTb}{SL(m} zCs?|Ec$#ITI`TPiT7R$4SS$)@E7IU)Ld>bc6V;YIRZ*&BUmH=^m56&so-6`ioWvjz z&)P4yW}<@r!4p}^Ou3z*eA(QdP)Hi7M48T&m10jjhuJrO`PEL;+iNEF*OS5hLlTO!;ji*hn%dFf}v*`zeDG%3CKv zBKMeuZhbV*KY=WAT$!0)?gOb)f2um{#f?Z6PKf(C0r{=lYUbvvYY_PGZkGFHPQOh3 z`!c7+ZDLQ!=PTsExP)y}795OXooDT9v&ME#z}fZZS|L=4&yclEBv?Y~{M33-3S?6p znS{5)*va-3b3%=O*su9-vfYb6Xr1@-dZ5-<_v%Uu(U(v<<%)-LL;FTQze zPQ+{+-Tnp&Ok=T@)l$M0t;sTy6%8b+kldX5pfa+ zL-Al*wJT-WQ{w!sKHpN<3hmAltQZZ+AlH=4ph5yHN-T&<|8P`HW5s!X- z`b2-`dBH3s*U;%wy*L$#mX2c@Vv!RYz)7DKM)d!U`|g@v&Rf6)0MrR0Oa*PUw50Jqt6siTTlHrGrbu1olXUz`EE{S^^}sn*{%pfoYG--P)!9^yY> zUgX{(83dAJZl)&n?hhEAPhg{eA-9bH?RYuX4LZB0@0Nsk>|x zZn`^0k+HL9VOQM>wLsJ@f>Rt`^53Kv6SSnXPi$N-guGXcbplTfg&aKJxRxqhM|qxu zUX-}ovw{8m>Dld94_X!V26r82u31l+3tbQUy~isvk3lf&fauLuNz&BHJnN0;~3#bpV+?+_mX9B{U!3F zznoF_@$y^otK<&T_9;CMZf zT{G;{qOO^)>q+^V_TxII_IsM! 
zL?EJK`=M&9Zp~Y=j?34J69fB)IA6SX?(tX`Cv6MZ%C|P zFY}-V5PfeHMhBPAefCxcejOQpCUv$dNEk@761~2V66MftOiIvsh7R5Je|VQU%z1G~Mk(PcRY*a5>c%AtQa-QNf~KDKGn@j$ZtN zBv>LI54k#>-wUBp+mS_+6fwv9vQ&*`UPqxBdYoYJEyE`gGp&NwosdxMl^EL86R`9(xI5k=wy!buDn`BzK)wmYnc?qU+f4+@guxSZ0J#mF&GK-zil~q2CtkJMILEIAK zZ;35yd%|HzGF3RjG7f`!Xx+W#(!3cGtCX!&BIq3(HKKKQ2tEG}}Oq(xTGc# zA!EfwBU^{Rx*<)J^s95R83ZoO3GY-I>#l3%A1MnI3l)}tY1nkn><26NS@y6pom%J0 zOo_7x#{lyE!{ICGG|E9)wm;wNNaXO11)P-|r6y`fYU)%k_Y4(n%lbzDOvrHhsTjp0 zq7L4UFf*v&@@@UQ*{PZ9UHh|{#BJ0iRL~X~>i|hrxk}2qyAnLg=GlO>W17LCj(!pD zD`kr?D;`6M!6bVnfA5EO>|_*48mELa8f6e{*c1^7!Drr^qcvNi_gd!u9Z3(zf zcKon6C{Bwxr_e}YT(h}#WREZ3c~pksRdOj(C;SO$?;7E>~nx@mzhrsmD>)a&9!@fv#{xM{yCSkjX)oMh6lJ;%Z1j5#K?bBQ zr%Vj2e+Bb(Lkb+KC{@NaknibMZ0dZV#fm0}tDD~iyARg(Og-4;0;Jm__wNn!^^z6Q zP)~n33j3|TG>k7AjtG8y7eX-qDWQq2*2r3{NI&5_TZ4?=>D|U8==aBJ8G#dFH*4Q0 zk$&@1^@3|F^)Bz>`R`nu~{PQ)u`s1@$0l3>Ei`h zq58I%`7U*4_rBZNobB+Dnbdd%=QbzyW3y}TNR0?-(_z5xi6Hh|k%yMov=ouU*Zzfu z{&zAzs0Ar7#BwV_7jW1J6TSR_bhiHCuKV(lzSSD~yy+oV-E^WOh9B{9^K6HUPO$F# zmY2vL5lJ_-aZ@xx@{q{xd#Gl1)&5ZWDn*g;gzoZsBR1tWsZ&||s>I`P7h_t^(K+q? 
zdAb37RtIHtR`RHJ%&$IZlTC{g3X;ZOGRv-tkUOil)7~ z$^B~D>q+yZH=?U`=8O2&b`-o+UB5Y})^+1!GJ*8P+oWGZ%Erfd@sJCTc|TYy=Wp-D z{zroioNTk=`)-_Ef567BaXItEu(E$NclAyh90HtW_fvKEXjhwRrGKi_%k*AuU0`ve zMVSt!ncQk>41JBzruX^Wy(9P>RGBRgbr{>5>S*mxopozEc zoosm!3kInB%W{|pVMdB10?5EWQIG#sY*L3HLqH6L3diaSV^RNOY& zg2|VgDKTswldDmvl7B1}vuS*XZxeI(S5L}qo7$k1%y+k&jFEiE&e=2A6>pD{sLDE_ zSQ8gkB7~sYy0D%$={6}gLS9kS+SMF#?AW2a&7*SANbb1^O0FMrqo(8EN**>+0gYyr z5~)-9am0>DW-PIVXgX*Q`lV2BQVcifs)ax?`PoYFqD&Jd{UH6maLTU@IHcpU;;H`A`HZ z?HT9>4sov8{>`jgJ%E#{CdB)`cZ!yVTkwxpB)Uvf0wM$Us}s1E4@(-ePrewnQ6F5h zIn)z}zQHU`KrooAJCPi5@vj1gk%3fXktW%sCwOkY4BxBRJ>MoL1$n+@9b4|) z)x3eHfGYjN{q%b&{;0UU0jGnaV}{&OsWiN(sZP|;khb7eGK6&Gi>C-gjb78lJ8{2kc+sVw$ zd%yRt@BZ1p&sl5M?DOnLGE3*LX0*cYn$uFo*yvQXn**{-@++BG1wT1`h^Sg6w4~?k zYmeh&m})HN=yDJ}Wjj(UV44Qq9ZEIm$LP|DC^Wm)%#xKvAn|U)k&;4-Ou?1wEoS6Q zJuzSAfB?;SWd3U42&fEbE|fk)xeS^e+nIiPrIUCE(=7`eN~X}i&`_n6aLQf}HaQ&) zG-(NnanLhFW%yHJSy2$&l2CnW+WtL7$myF)BV;inBr=_|=8zo?~!1KgHr=G!vGKWWUiku<|7{ij>*MtKz9S*zppCF{r50)}EV$X;iH$ZGuED5oMF^ z$Y(CiU78^}NIR-DMireyxk$0zN_1-RM3F^GeK2w#jli&IOG;r3WTS1FC@?lAV#JNo zavyM*1oDfFcHNy79%%E96iOKORB*$$zeBAU%PRMK`X3q;nDB8ep+; zkz0tyDn<<{6I#($EIlh@6x8&~>m{sps4ZukO$m!Yj_&R*Vw6ecK9x2k2Zq{h+9e;I zc^~0hOb7hGQRA~{fFID41caQa2Kk^}?gJZ3?{}xauKi;_CBMTsFeSbs0wH~HK4Ho8 z=;8yuV={f-1Mi7A-5#@DPe4*_rpN3ldiyUE@&bA^wc2ff*ZUPO$NQC~&)H{Ao7|Se z{`>i;Y5*UfC|AnOcoUYzBt8I5RmlKTXZle2BjPFnM=9jOHy4Tz% zFX;GL^0#g>>I6uAnLC&0jLPK2u&J{F|3P&o7+n+bf`ZYJpE6-nkFp_!v`e>!{(c*}!A1juEO(!+mzI z?{UttU;O9Mb*rbp*Sq>PpljZRQP=6@lJ?)Fi^3}hOz%fuerwh30z2~B=dfQqhz`T0 zM%R49E%kM58^GHw>>2OU$`ffv_i64L(X8OeCE7kDqTk zuOokssPSZI+=co~GZOf`#WY`4Zs@UqW~ccw)4U-W?Xd|QruSNP9Nt_tKk|3B>PwtX zmdvj<$Xm9qhRoeO9$)2ler(vRHs?N?CFc)0T4 z+_-qTDC|6sdSJ_oW7{=}UgvZk^|nkz_Im$I5X<2M1&S~;+$h;@8$_-# ztz|E|3vr)I(=8o=*$Dlnnsh*UB*m1J8un6Nd{Hc1;a^U1<$9~xLh9<pV*AScBysS+ssB**6)kXlu-k zh7N~g4Eql!jvn6=iQ|QGSr#E>mZ#3C)Rg-lxq~53@NY%DL9(!7+K)(e#lm5&btvP( zA1Wa{BIKtyOT$B{R4b3;m!DESDCPg_%dfck%XO%ttwLAO#!p}lZEeyjJDta}YX5Ug 
zm_D=mzyiX}%U1(RHpq&Ts$z&U({n7;iM%GGI@P*?hY6}&R91Mg%2h-~Y|rxKMTxiX z4R>3?P-&JXwYd(tEhUu-F(J*YCQqto%Mw}`oWQKqRF$y#XXpO&U(B8GlDafI#RJji zzm8Tmv9hU>P0EdsvftX%&Yv3OsL$bo<9~Y!MLzaLTAD#?Tdn2OkTbE+r1WW`&JVXJ zVyZ~&mtFmV(L}q3Xrb(M=$XgnuA;3|Qu&4}=5piltG||v-+K>M( z_n`7v0O2b!d+LjG2XTH0E?zq-Oka5Wl5T%yI6Ha!%kk8hIe6AoctBGCR;th31;0pQ zQf$vJDO<_cp9*z%d_o3P{VMCX$)7V|;pI08EUID>+xE+94@O4R#3U{ z@$x}sC`?MU4dLM5v6!&F*^(iPh}pUZ4AQU&RTc|o$+o>h6%{8WIxVu zmlq>M$iF-9`vDXj?dBoflF@$Hq-1n!7ri?S8&bGIdcta#;5l+br~!0?A~oEB%=0THgyF>B*7I=_ z9hPYhjM>#ICUe#|S`J&r3o7Jbfj_S$5@xwlrd7E!s? z^an7qWfI&voY$uiCf5Sv9(;v&Dw+KWyKrsh2va_ADr}INhpY5goN%&(d|PqLNE_j@ z=X-0W!>?lXj%+(-%72h3e=LGk1bgKRFxW=#ye+4Fk1ovrchr39201_hmETZUT7l1E zO>yrt?a$p#m#KYz4OECTZ%}udAFx1JkkEg$ZT+a>XizP?V1<6$e)67fF`22rsk?_L zT0)Q8j8zLD=jo@s6rgD}^PZ^3ARCKu$9c=zb;G-H2e?~v&BzT{$kne03V}70)Qx_^ zJRGTX`?b4lZ~9$k6Uw;qUeu|sPv`H@-JuY;KXR*YOB0#ePF*vnffiIB?_;g_z58;J zxjn|Vr>?7|N_H6I#eRs_xr(l;29&$&cp) zb~VQ(+5Hd2?b7EKM%a0Ld|K6wXpiWI@h&&p4%^Pl7R9==x61oR*AnUT+$YLBc5gAj z!K2|Ixt0Lss@3!};(iGM1-R`+iQn_0+38)`InR39xx#gD0m$(>>gI8d^K)qrs_nHp zA5+!`)gaOLf8M0!L+f^4bG#X%Efu82>eum0yUA$`_ zZ8ku!=?+%`lg?TG)<|4!*I>jue%(RMGk?5|`ufAtz>4OMZa&lX$n&KKFe9$lb1?Q5 zx$6Lhh%1lj`o>fppmR5IsyTWn5S*1fI=S%7-!|`KZw$mb6+ubslF4@7`qBNBe5&UA zaDwgDi`sFwFaip@1%27GQMkWw$F&tG8uWl?=6ADnPeeT?Vq_$!JQB;_333L0g&9YS zVw*<*9G)=0ulq$J{00Rz8IX+>uR0X6o(MN~!XsYB+p?96+qlAH`{UeN1dK(O8YU%E z!VSL^FE&Lwiys2X1a_^v1niPF9Q5kBCHs#`Ex-;&7W2&B5~>2HD$+>@&VE?#%2p~- zvLTBYZ|yTriw-yn{|sTWLX1?D%P!hl`=g4vWdXsjaJM%71KDF7mu8rW-Rl)`GpC|v znecSLIjpH%R+;U6%}S$mZ2RJk&nXRI$+EHfZi~e~p2pmatkUlJ-GW-(&^hfJ#gIFf zC`-2%vQq`Q-Oss!P+o?I2-o=QisTagl_r(aX?y$cKQJ?zHHH>8^LXGRgY>$0`^yj! 
zs?o0wQQ2hNXerp)Z@fv8SQp%r=0*}WZ%NAIh;inn{Na}*{rEw98eEBq!M^#Zebrr9 z=zp2y(h3XoD|k%uYuP@dH!G64WAtPZCc$j9GL9*zhZxVg9hJbFw0dM?ynIxT+l2y@ ztRg9Pg?|^YLRO{kty++=y))bT--*JX25`(*d$*G|c$=JbDBcD@u-=jtQoLi~e=B*6 zHHL!RMz5HiZGuA^%cSp)4oc<_9<+tc?}T4{`cYfN(G{A>fNX0}5xh9-TI$}h&4?Uf zNdD8*QrUP&=|nTp5R#b-nP&GZ034B)a{~OkDw-P?eZKg73KA5PG_yvYvdgl8Q;``u zb<6R-E7x#Df)b}oH10v8N#)DO+|$`*Tfd31!w;KxcTql= ze4pL0N@d^_g%zG9oDOkNJ*P~8E>2j(m`qmf*im8X(%PrT{|&QN6`qVKlqu)JCfioX zgivQxza8b`_#J+rVBzUbY8y*KCH1l(5H`ER25tae_d$C}t9c;@#ts_&>&5;mSfz}p z81)gHlP@P&SG<0m^GqUSpTD@T5#Iv=X<;*gIX|=PBcjjaUS1Tqml4PSex#`NezLie zEwj}L?3i+V__aAY*$B;_rLmpi7M_+nfT+U2i)JkAKZNaHcj1j7LaHa9G+WnhTy?Pe zlKumHMngO%wJ0TU+!!x^QhOIi#p`9v&XwVFzEXkVZliXCWQuPI?1G$3Cd2`TcDNMf z=vsdod^jq9q&t-L8;CK2!Cx*Kdve*8c4pwp4<)2Av=l6}Vbw{~OCX0yG1<%q9YGaE z;%AD8`*dv%;Hs{uQwt}u3m$%QB`!rjIdi;^N>(`)iw~G2c)M|tjI`zM-xv4S*}W>d zRUw+k2g=_;bCs0oK%?9^VE0YraN(AQKUho>D-lb$tcqiuG5sql6( z7PR2!c_A-DwZn6ba%|Urv~tb;95Vjv!@)nnTF3cFW)4z2+y0!rq+u?91N6|fBu(N1 zqVj#v{ix6Dz562$Cjx5T+(hWW)ygM z*s$}q*&f&C>z#V!M4;_f2mzwCwx`~~=CX8IcO&Iij9vb&EmHS(U(oNv2IaktdI7rA zxXp6EATOdcW6SoIMNIdfsO!#$2eFma%OO?;-l1xf8IOF|Ij^g&E8M;Mo!p)}&`tMJ z#tg$5fBjZJrT2a|th%mQ{Pa-jG*6e)9>$~BXKKzm4QT2u>Upq}&tt1YHcO*(;AGED zp9v6=%Au;(@t(AyN2S{_?39_a=;OTBt;gr66#I6{GOE8VP$Ns&daM^^sUXmrTKZ|& z8pM$BXPd`*lehULVG?y&UzZdz9OCf3|BiZO@lOF!UJQxET1XSP zQO?$6Wtw2xD|LD~I32g-msRTzS*`F5SCnfbJ8roV&DEO6099ztxuUk zSu2I|zjUOOpGdrkxe&SvX2jiW7V0EI^tYTz@05`s`J4M6rtB(%~JeQmk<05 zFKmCyjr)N8ID4HDmgDrh&o%k_O>y7+A$zj42AlPmzX`>pw_+BU2rF`BjqX>1P^WB2 zERssQNj@8u5vB~x(_ua>MvX3~WJWG|wVF!y5u}OFTc|uuZ?Qi90~*-&f#H_dje-c3 zwFnK~w*Dy?4vtkhuS%!gVyc~TKvF?JmO#FiLcc*HI4T$_57+(dDPk^+5Fq$>R^|tH zz%20taz0cJC9j>G@Te(793rDRh>OYTC@Y>_+uG~$x~h4|TXE{i$(dD^+WfC82MX=5 z{Rt)-__P|6Ohvpd%tJuaMG7swsuW66F!>!c%ZjBDT#&SsQeC09fGuLZc!v=x@^8$9 z4ApcvUc&W|ggG+LzhqlK7j4!p$aJd$$hhMfh57L^45Vv_56xy-kz$8U;buaL&|}^; zN~pCBcqGf0O1?+0^D(knG%zIksZQIW&3SR+)2mcB)LKNbxM)=T zp;SdQt+>hu1-lcP4tZ-%U^b*Ow(5>Z33=)W#ASwDd^;A!Lv%V*)GXAo2+re3{Xl?*fgi$hft4x@MVeX 
zGa0TRwF_Kj3MWpV#~+zm2XzQ12uh8azlk)Kc`22Y!38e~8rRLrhly9l%Cl^_<`;O*+PKiU>@M+UhGtR&>N|2Utb=f@Iklco@Ad^w!_O|5K4qH3L#M*TIK^hdA z2)+T|{>Kpu$s{sSiH%JHG1g2X=ZAu_=JtU@d8lk@gY`7mO!SxT;{T10W8@zS#8E|{ zJl1zV{gIa{P**U0_f+qWpFNzE5H%+89^K~!9x3u>BsTt?~CMb z@7Evaw79ih?C1Rwmm-W+y79eN15un?+ybpF@2+5WHM0CYD3LvdQNlqt?!U- z^Q2&Mfc7?v^*e61a%Vh!CXjYAFY5PYR*2e{;6IF>d`I1j?ML|ZwLvp?+t!~|o{PzG zIXB%BzFmLs27j>$kga z@2w3?ue!_}x_$0(6EQwk?C{vW64A4QQm>4#KU>-XeyP~lI~RcnD>d)!O)YnYUbQYG z`JEqTVH5HIZ#qBVJxJ<9|KY87Y7ykkx37Oo)WkuSJoCEuAhzl!T^0J>7M6M}W*6aI z;g%=|^!xMZHIAbjMVM;vn?}Oxe|Nihj92~fp|KVT?Sg==f+UXaNR`8s7=$Q?h$Ql= z%5cGkID_uxJJv#28*?@D_i#j*f$;JcVtQ8O02s_S@7z-ec)Mr>OKP^v-Px0($nIIj zHQ`lgCw}p7Jtk-*TxWRh$omb6LTZ4qz=S)EwCE^lN)sEly&?jNRM9oADi=q?joQVS ztZeDx0|~0Y*-q-n$AP1Dd|5Z1nhL(SP99Y(U|dQ zXx2;lsaC(1#7U{y!-^v|F)I^o7}mf;(-E2RkF;GQ#gaog$5BOvL;K!RFF;2z9`g5R z^16*3TWX3<>yvG}h*th=Q_r5tnWvT?b;`)vB&2K`q>z6zkgw1`;j)sLSmJG-5aqAT z(Qt&Jso8yi_~TSUIwjwQFez5edUsB>*1Gnim%dzirpor!D%Fo6e;PVd^kwX0uMabj zsBQ6t)kReD!HEs6xhhWBSq2J}iOVIDm3hh#4B8jz9vs#Y7a+gOU}=feF^i+S@Sz-` zNfEh7RV01W@E*-yBiX3^cIg{@_b4wx--nK4ir;SheK3H_hh*Mh7}_S_dclz! zCTioi%Z9+$#I}>PEzf08#e1(1eYUFE6MF9$u#stE%I{sl!EhS1$BrPg+@O+iLFq}2 z@?+3a#}Q`1d%XqAWmiiXbus_cC`r}`t8RcLK%dY)25yqUK!RKI4YBYfs5u`QVH47p;-AKI)!sjMK^~ZT}tkzNNQR2(qiLqve9FZcZI@h)(1rv>OR&bTst}@*7Voku$I)q{5Ujvkh<=V4G z@mv*KGWqJuy^}w8Y^>_~{J{R@KKV_gu+a!TJMu{hk}U+TAyO7%k(M9l(PToCNe1$? 
zI}eo%d+N@RD0L9Y2u|BmWNlqKm?~uTC0dc_g0uXXA5mrhH|UArXu%pNOJ>$cj}sW9 zG<85X+x&)Omk@6c+v;?v*P&RR>PVAd#~v=)6ZgZhQ@KncohAwAwB$>a52fKz5Xi2X zFO`TE@iW8<>;W;ARfVv>GEY%v09^(`yfBHW1WjH#%IKT?dRv)kKuyfjTQ=I#d4Eq8 zl5sucqlrZ0i5|4cw}d~o@&HY}Slp>G|CKO!x@apcu|ntKIPGY?Z@ZY|vW2zZIm*b& z8UwIV2|DoQ?t-46V!F6&lA}G{2G75Vqbbr0A^F>6T$O0+ZK$%_WEGoLnGbvZe`6Sg z&y*vKEd@&d1=_R5`HGhaOIhiP+Q;~&Wt&w`zoVEX*m z=FE9yay;oK;&a^l^was*7Psx`(P=E7 z2&l<&*dTV(MK<5?qJPici0kspT-esSeY%g;R%mb_Smwfwp|n{eaoO9t50xU9=$LqZ*NJ^P;ei2)bhr`w5U^xscJ`kU3>8F~kG4IW1C znhVp(?N(2xH#k$=avDF=YXNQ>b_n%Jp`5UD z>7Mmh8?PCVIJ|n-Bs@>!vPYasH=X)okFg0?yX;e0-UGZ=INY?(nu1bR>zY>W%Ntwu zd}ezuS0(&9NE+6|o*6*r#Zjp>ZRZKccF=?#JFR6`6a&-6-Cg#>%O7h|JB0jgL;V|k zK2LEg8iz?dgqr`}te4vwA3u^CIr#r^YCqKedj1UJYG$yt~z| z#;<)UyaaUnB;~b3qFKKqRXm+Y;ctH4Z2cREEjpUk=Cu6-8DBemDJwu5lK% z0>T9Cy$bAzf&!#j1bjY`+J10;U-nB1xh1NITH@2OYlk9)cJN!2RUu87eCP+dXC>nB zK#ufDGEaWDJWh5PXiaZ`Nx=gvFZuS#_3Pr8T1I37lCYSGG^oLbF@9noq)r5;+_mS# zbv3}$RJ`hx*^$XE&T`}lpD-Cu`CBm;YS6HW38I$iLX=0V=5@;D_CxO6k;Q6dQM@~w za=x%&?ARY7O%j?I7TI3RV=YTbOt>$gvyp5+e?|L|R{$&3p^aNQVq_HkMxa6uKSpu> zoL)bV)+y;R85^U;JlmKyLM~D;I(S*NeNgrTl{+KI;Bi=^F2R%DN-!eSqKSmaVoyz7 z)HK~X!dTsZ)xGalMBA3xwRhwn*aG#7*2uJ!4yk538|$|Td({}KQ*WaL%uU8)0h?a7 zri73xJ`!z9E=rkG<#O`GgaPCj!cyeQMBgpu=9Y5|!FrWDC3S{_;jBPcr#}nP=#br^ zMMl4VLmOmL?f)_TTNSZ1;`#?4<+lj`C>)M5T@XgYp4@QDqHww0Jesv>Wqjj5EmFh6 zyfHI^`j{apvh;s>b{=WgCmieXiQ_{)Qlp_YDCoqDJlbRgjA_OD z0?}R3aTJm=t8D~|P6g?fO#;6x2OTL>irID8q~EnUrGco@%Wc90l#Q0DhEP%fC6m$O zIsQ`$&r3T&iSM~IG2Yo`YgJX4+6L+8(OQpY{Q=posWmu!!7J`k7vt&RE21=d1d*Lq zI5EXK!gv!mKev{uzr(c;86jii?gt!yXCI)89>+X1+u)sJPyk&nhzX<*Y~U7i%vYoo zrq}00MMH7#EqW?Y-E>$T{{}mUasT?X98yynUm23RAa~M>Bj?uLVR#d(nEj#FXpCv# zz#T%RRGMOd#&X&qpD#P;Q%W%bg<~3@rSdn#{U4+<;&&Rg&csNGj-N5A;0}rf_>lzj z?3AjchfC;PJK)|K%(Q7Ys!x9Jc%WCSx86rfETv|lsOcaa=D6lvtJo{#4kM#CGj1a} zVVcykJPWnkaI}(mtwt?5&7eUkR~;PLREaKGh45kLn6JcRTG;_l^70A`)B;740#q*x z!$ZVvQW15Wf4^vs*+U7C1Gz1cC7Hc{xWada7%jzGl)kjZbA%!m?6G z%z2E4wFe0PgUvB$}T)AI&Y$xs1*>#qryc8 
zycvwTf;azt@)QgW|C7Vw1B-^Eg&;&OP@p)3TI^}9IKoP|ieqa1Nn!fKzhvscFSEV? zhc@HC1LP0BPi+(bkedz^(4Y81uVk%2gLl7P5UOG%)NdwH-*_Nk^$WeWe4*F)KvXDl zDU!!8^ctL*HI1;NdlrTc3}O|KKgtD8U8~XPbexyN_V|nt97r9_0hp_UmL1~wmAOrF z&+WM3vV01C_Zf4vk0Z~wHxt}BIoqGcB~p4HZekcd;a&e`c+sZ|SeA0S0=Eozx;=wb znVlMr#IAGiCjmV^_ZQhb*wx@|9e*rYRzx0`Yjg#i6e)QOK9?94NX zO^EB4ED3~(>aPHh7Ks2J3QCUcW896a_rl{`{?ljJ>W&Qeq4cR3H67lz3zqv2*jf+U zLJxEP`?)a2t+q30?JZtF@s%3hR_|DCs!b(r&)vB3DEOSbfcC~~n}@78mL zx%mo*Glo-9BL{6w*WeImcISq}G{!Xuh~3)b@`MuWd(X4@df+fHfh}O0{ua*@7uyD? z+?-nW9Qe$$P5r#Z-DvLRJKr5b*|txqzkcqH+4fR+TjncXLPpAQFRZ&&@O|DoDJk7P zAx+$B6@_)V7%Yyh+H`pv19y7My7oQJ&?kHL3x7Rr_WB~xUq-k3aeZD@HyfO`3w@uI z4(p9Mdhd5Bzk{Zg0XQ9eY)kvY6&1>tOGJ4NrrKkSs%})!S_dILOy36gt3{dL|v)OqUckAQdu`VI7 ziDL12>h(74*XFzO*(74etKaQV+bjTj1(5+6JwJEs-6?>61pmRWdb2S5Gg21Vh9K%O zWUZvqYb|3m;6LC!$_z-U*8|8p)ml1MiF$7+rFQ}Z#Dv`Dew(vOMKJ4;37!M{6SnJ2 z(r+lh={z;t+-6fofwR8wDy(tdsy(Vva9-|MUd!38HSLV5e2&Nt0h1Aw0vk^t13-oE z+Nn;F3~{bti`^sr3z?n)xu5|SwB%ZSbZ6SvAPjCf>wzZ6P5F)l~%1F zbAJNIPE>k1{2OiBF9VM#9HYcgoL_A`XF@uhxq-S>sHkWw)61S?Kdo2YX{jcZFo#Z| z(sBk{xJsP*L?vMzrp0&Bj**-p3f8jlAEqK^D`VhFzNbp}D3Mjj74P=>&@#xG|7N^H z&(J8w6_PJ+r%A$M;Vam*j>FlYeK*O%*+rULN}%{16p7QFBf)1=lnUcBk0a#KF8$*D zODTkMHuXN&2I@z--aP6a6QJB|$g&v?OMc(dkIC}1D!6$>C4c$Pxva(%&UcnQ{}PR{ zSQ;auxN?Vr$rf-i*$PQDYYnNoeLU2we8_h0&jc{qw3fB%^ZbJcxhjn0NO@A@JhX*$ zS*Vo=o}5IgVqVc{1y7~+f5{q~PjoyC+9D|FgYxlt?^i|nrO-3dB*p{??rFF0!AxTu zlKcp*g6z3@4!D33CYj7{yU7;1&F367h7^AYjbfG5V}wInqG8hKz!>=YcpS`~ z#f{bHY}w=Ud9$n|jS?)3qnwpO4`Cjv-})9 zKjpqeqT@hAMataOZI^PrD@G)g;y6qk+oin%m6$bHF=ef>eo(y6{H5dcd&~{_1(L|i zkC!lnbY+n|=peTgK8%FZKJMxa0lN9xf?20{<5uk21NTD23{M%wGz03a z*>#z!jS%=PlT<4)qck&=2=EDI3o&4cp+Yg#^O2H4^=y4IsvQIDqr&lZ3*XYM4~LmI zo)s%~2#aJic+xZ4iV{^|5Z0rY?FGSNv?}IS0wGMx3W9HhCr{g%B$p+~L#N^o3DHk9 z>r)lfElO3X9&kD6A2*QH2UbOuFK$orB;|MR5F_na&ST&PWJeY@B~}vB=47?2`E?{C zPUU50V&?7pzlv_WvM`+lp@g(}l-TV#RGZGZ$l=SuGLpC$ey7~pSf4B}lm*S#9lJGw zUCe9tGp$pshop^`BFOj3Qrnxp#g=b_A@ppSyjy8YuX)Q84Ak$OH-}}Vj!7%lFP&1c 
ze(soMnGbvXcN`12_ql)5$NYqaHGcy2#NKLxEV~*PgrfXGsBlol_7@0`egmLszZHQPvsZk<&rqkpzW@hKT zMzygos#ojjAZ&+sFWLhe_8RXi#;)rU>MeSLfoH$tFQN9f#|wsf4;$!k$_!-IyFblsHOA`ZW#9O@1nI|qoMr6> ziu{1}-fhMXozQno?FhXoU0eUW?rFZXj?uk)-T8d@dz{i`ky#lB*vj8-dTjQRbgEl; zi8(x9UZ-@r`4~{xbl8H_@AgSvI{J7hN8$Xvy#3Q>6}nURsfXoxgviW|DC>nE@|QZ1 zo7Wis-u6I}Cf;*uJCf$*pv2YNn$gmTK-c+Qp`Wv|5Af`ovHJyibSA!VZ)I826aX)v z{ob#@fC#dV(C-2@PHx5VdMUc>v?6!AI)9G5?{q9rta8Lmapr)|eBSilr*ocf^~w?A zRPuJ{-#=u`w`J_`rcb+i{u*_5&$?ef=*F!YmD=vCf#RMHY3WN4DzyG4y%-bsxT$dmt)m+jTTX0%E`QS|aQVe3Ku1tHTtt z!pS(AH^`F2%}O{GFU;Q(C!x;s0zWFe`XQ1zOmK+6BM3nMuB z!=HN$44Q4PZC|J!fJ)D`5z4&z6Lv~At1*EI9Y-V!&*6!UM?|7sNFteMiW@^rqcudu z#%(ZDvIjukkzA&iRidK{8*J77( z*4z_1tGYmjjtH>|w?yDiA8Zt*VwO}=nY|i9K1bnYJZ6wB|E=;4e-I+8oXLXQ94F=8lpjN!N%#T7+Tx9lINAz#P6#S$RDX=bf6 zFj+-nR^TkkW42tPd?Tsa$UA<7>kyFfbB`(glERVhXw9FP=P@#3F5~YIY1ojn87@+D z{>(`?F(mZxXqI!pm1z2QtMe>%`RQUCLH)iVx9p323zHBG`P6MN$%bsCMmDX32yZUk zKu4OTNP*c=l2-Ey%vi@v`?!JsgNhqEiX|RZsa6CF6HJj%`vI(qIh2YJUMytgs1y2H zY#VbxG_F`%j_CpJ;$cMK2APk3VX&5pTyv3hIy(kVe5KYe#>@#R;{xzAwS?I5z=B)U zFm^utWUXI(ldrxVdz1^dGqBRa0W;Vmo>O$r?G+h6qeuogy_&+`bKew{B;Rw71x8DO ztl7zl{E)zIkfPA{y~pK14}DsBt!|PsmtTO6#o-XU>7~X6@>ccRX1Hc;rWXYcQYV{2 zT<*ubot8|DI^tv&O zU}eR0IFB|8Gq55IWWsT`yOvo}QJVE^r~75h+-s` zHDp4vS(KPb!y95?Vjy%o)=5s$$ojj&IxE6lnjF4MJ4dRPBwd@cO{vIH`W$$03 zd`oQZ%033wunFd~cwcP5S?v;}r_2R(h-J2hb`E)6SHT6^1$ZxXy%q>&^ls1G>)X3k z8GIkId6u<2hmIPatKE)!&L?|ZQl3&=$2{B~V^?F5I1^L1UUIhlZYq6d+5q*H-!d=V z7&@#jU(~1dTRU%mA9oG&Hyq(u^Cq=hx$l};oWE{{5b67_&A00Ky~4iZzwy4Ue)uSC z>w~tn;{Z)p-EM@yg+c~jjP8PpVl{U%r@1+EfcGxpO1%sc@{AgHGE%@KQEvML7wzVC z#Qq(~Wxl4=8xXXf2tcXPJltm8*2#A}c}C#}oKJu6{iVM~4SEP&CGWMQ4yqmXbNyw) zg_G_1QaPc^l4iZ*^x8b}k?#G_-OQ=~Rcpl9byPCY=B1_!%wlbDDq>9*?dN)KEw!oZ zkL+Jc1sOGy>brB=RCBzyKel>0cCV%OmN2~c8Fl*9Ik(yT*nG&&?ed*KsnIaH0ycWV zUfT~N?1ohGxsKhJPOW>zysrp64Y2!ughlBIa`OJ$-+A_H1ByuGxV@ikYyeU(gRZt- zVJ9xja-Gq;-Xv*LwL*+m)2PoYo6M`+*)_(i62lQ#E+Gyu8n=nzT07 zMX6lEUB2lku^uzrT%pTdMVqu|56T$c29QA0q)#4L{@(H!P8B=&L|!2!{e{ 
z@+Ltf&>gtPG1`Wl%nZ1Rdqs=*9R}PNo}`Mnh5TBKDBM1ZjbMQY>t@+;o@9LEF*Fu4 z7ZxV`Nef2x9CYeD#iBY^-)yNbTYMPwsYgv!tXqA8>mlg%tK+ySY9wvge?JM+)inFh zT64Y=XWRqd~6}5%GYF9-NykoD3}JV@R47s>j3; zQQ^E71jlW*&O+t#z`Brz?>ZUOpZ2@!N~{{33Z>p~7bvw9GT$WOn_{elQ+2T^!GQ>x z|8d0~^Mkff(T5AHs?PkUAoR`Mm_xy3-0y&b$e-2`OGgjIV1;%RcHi>R3&ko2Ct3{D zmf~6D1G1}xni5Idp(!PbYm_iBmrf~E;E^>ZaKx(_087-P({ya0In1O2LxAWCxS8WoqOG1O<*^kJoP~hcWXx^hAR&zhAtD4etbN zsFsAi;(%Tk{gnT^k$XQ&o4!^u<^hBX)o!HK5PUXdfoG5M;|+4!AkEDx!0GVYpDGc_ z&eRIm?mC#I{4&chZhdk1;Uj7cD>Iv}JiI!3DtJsp+N>yT{4FCd;>tgfdZK5%zfxG- zm&z+I!8c>#kuQ)h8f@f$k`AyaCRe-B@%Po~u=Y14y3YMuGYl(JGDrfD-?ux~s+&>w zS{FgdHDj{EeXwtHo~1C^K~lHSuFWN>~#^dLcNC<_?!s@{1M`>1!gEW%BrZDuY95QRJt;oXi+X-`-zK| zYKd-EL_CK04{g923&82a-|%*^En(aRajL zy4e_a2O@JzwcY!|>>K_%LUSds%Th~1v(Gh!qaGEjsS+#Bf7`kPlku{%FzA<^n??LF z_0?eUKjYJn*??D!Apyv`06PBSb02dXUowmQIzgyEp%UPr{&L+xe}sMTfQW&gKoNgx z#L#d|2x9$VzoS~;Np=}we>e6^&|sHe(=~f~e-{Gx_#3uP{mYiy@}haGWWf$aHP-Lm zjx&nA11wJcTWkfJ+djvml=4o6*9E7Uu5iM(C%WrwxtMk6i9$a?&-^&Dq-%%!9N)dj z9EW+l`?mIL&_Oenp7!2~dS|6TL%x9Z`Az&qEYIFx1|`4asnYdT;>&VGCVt1f)!p1g z>4C>zv&P)6p0;s@xJX#5!MRe>BQ&{m=C6W?uy?p3MyzIWG#SUUSM@Dxj7 z`-$W8?5q>_D;wi!{{EPtd7#SlNC=PUc2VwdpD2)M>!WbLhXk~@y#2IZjQtDfu=0KHb|z)O*ge7oJwHtE``TUIv8hKN|2Z z>NcbN+&>B`cQQd8J_|jqRbID9+TQUdn;+bVJs&?jABbcLdH+! 
zS2dymrt*XkTVJpNoBzYqImX8saN9nOZM3nSCXGF@ZQFJlPSdDy8r!yQ+cq29nz=dm zy!V{@WzUEC`ut|k+Rs}5MTFzmX@SjG#7rqrg=}je0~KoAW%WSHOSe~w8tZt(drcZM zYywFadqYVNv9Hr60gJu-hqAq-CWX+$*=U4M8@R%F7$MOPVZNTKQ5zqZCN@a5n+qR; zOGK4HZ}0bM(qLqf4qeRSQ>o{vxl;K(K3GNV6kDtbPov8CXk%e?U*}wfi}j;&oPTC| z4ZGt0W#OJGRw}*fU<@6$kX2(H{~^Cix=q}!Ctka>I{B3@D%!pwTIk@nEi4b36{mz< z6<)%fceRRQ!ne9DCU^-U_fRId14$-6?9MN2O+5(e#xAYV=R4~3se$t=@TqQJAk+#n zw&}z_P3s#=m~?dUXU2UwL2rK59OqhUx=DBXt;8~Q*au=5gD)M_#z{7*L~WKh?AcD( zt(%ez^S+!MGU%g%1k1IInRi4ZwsnC9*-&e@wEfDWZfck~K7E`cJYBGy zq`$G-l?k6)dvh}APe_yC-Ku9Nq6#I97JRtlCT4tDX5*Mp?2NECxvhO#x%h1mbcNh9t=q{#PBqqiN{*+9V0wC0)=Sz6 z`3Q8tALYh0ysue*hfL-h|3GJyYK#w*Bs_rDfyefDIN2Nt#Z8Erpd(yc+c=2Y#)N{{2IK3pXlphb(#`$VH!0_>yL6po8x|(xa~^2w ze)_EmbMi9X!Elu+r3Z=RU-Slivr~-&29=zo61)(o6^J`xS|Lfb-kvkqz0N3V+&Cxj z9-SXr!8kIefL&+@WVN+`Pws|6id$@6n)cVwULl?tj_fO`yuLWGI7IAhh+wr!^%G0?WjGok6Clzwyx*m`);!V5UzcH zJ^8}xAXV32sgr=-@IArYyq0jX(69tYWrQx zl>gHS=KKa|xKa6|t?%Hr_*9p%eSB_&=?NO>dk{;r4X+`0`84hxdB)lCcI}Cp3OHM0 zaqYYhyRk!ac=H^pAEX(oM|l3|~(BswVW+& zPdhqZ)XTj6CBiyuz0+**d-2@fxa#4nV%Eg#x(nGCGP3lh@fdWF`fDgfcLzSrAA8_<7c z>*@Uo?d7KZ-`J3c;(1ag@Rn+L)AL215A3m|sB%U0^Am8gOz5(@es=j2P8*D|1u)I` zgAF}@&U)m&zDKMk?h>|sf+~}}Xxp0A6qx9!mpwz`2Lr>vV8@pu-~$Q#n;n=7Ju?ja z>BQf5S+(j#D@KzAQzR3ar)lf;0IuFiJpN9YN7Vgck{I#IXlbQCfSolX#9ytT7cyss8Q*1ZLfS1wvqerbbHmr1mMsqQiu9==DC>*^2 z@P#a^kiSV8sS~Dd?zAmQX*ZDlA$i(ddkja1uD7Cxko&`Nq&A^phk(kejG2Y>^z_@J z^ja+|Hc)nt59-&%9A1sG$l8f9@X1{6`|X9Smdb9{VJ2f1bSv z)hI%7vWc%t>hGR_%b&f|xXm`|#oFoq`PRe?GT=MnYyL@K(H6r8kSh<~ruXREr*mAs zl#HyTv`v9G-X%u8PDYSJ0?Rm*WT#)GyHtfoszmH##3RJIajZBc6945wL6k$gio!Tr zC43G03&-twiKHcUtF%nRyou9hHh4YgTIoYKL}|0+lsxTeJfm^aNN`^`%!E zc5K3B3vsb(RweTd;YxpuSOyaj$eA#0yldPo1oCA^V zAHgcA!o!y-g*Mgx{+r+ty5yb}!K3#bgRYH4fhIvN5wPm}E?bpWWFD?x!}IdQha`7B zI@Nc7Rv^Z=_<*lYVdYx0s)(DQ5^8^lDBZdi1A}poJxsOOA&RX=aAEx6lAwU=7hbJo z!@5~5RghY9w*MQ07Nuj{MkL*~M+#N0u48?Hv8Rz%@r#Ot7p5B|=OLvmEu9DH%rpb9 z_Sg@(R%4p`ugY^W%l0QQWHSh+eS@u$TKLNHY~{xy-sj~X9T5mh^%2Fn2^V6~`+J2h 
z!FzSk5>N=snfD=HQOX4KFaT)}<*tmzh`8Y)=t8c%oW&D0qB`ileKl|NxP8I>+Sio8 z(Ks<=ZaxJwGZfax9FK?;|RbK-6|`3;u+u znr-^CZsIa1K)jg3D6@W0O3fh~oBdMDH81x02+A8I)F={AamEpXP-;Oo;x!9v0eGnF zk}gvyE!6om^nOE^9m~|CESB^m9>kw z8H(H(a|!@))*vUakCmwuC}FwFKDZc_p7`hSPdw!5rL)0PL;EflDU*W0h5(e^FO zDYupvod^w!$)h@p<3)4{o{CfI7fTwu^6Q(VC?|OIn_wY=98;p+gu^~ESjK6AtE>}g zd1NzxN9)uCjbW&zn7EH;)Y~*%2tdxFid|A^2)Qi@yjuQQ=QZ5TIJ+=-YCh*51 z)&GibyE79I(^lA|*HTW?{ zJD2wTPhmV;BwIiC|2OvQO?xk2^0dH#|CNMc+OK~AaDm?Cyf8|@z0OX;IOrnpR}TRA z7TP6nEDJIQDI%~G5o)&Qg2`F-)j{>llCI^+hWBsaBfXz%^0wbQVa?nfz{arQ0mk;T z#QFs7@?ldTNynA@%>FUqu)}uR+ccgpnfp)M>4&Lj_vs=}AX`i|2sB|%Pap_hY8>{z zkN$qujOMm*Ah18R>AAKyy67m7p?m0A-PJWF-S|3vW$-!(mHqZozD^Lulb&%sl;~RN zs-Z)&{kqw_Hhc+YWfcKrbPkA?zYPn3c8s~b&r}te$j<8|PtS+mWV3xHMiu?U9{|Jp z{65n>&C~urw%($&dkx^SJ2oBB0H9dI4mJL>Ee=e;$93fZb+@|)@4pLtpA$yw%$tb* z)sgyTCjXTpOTbm9&%xWM?o{>dddI`3-`(#L6cvbbMAEc?TMWq;4hL}k?X$}13BHL* zcZ~l~Fn(zV0v~#hzSmxqMr1eUdTnj)<&GPA?Wk;bzJzOXzjZKFckX`ktB;=^)uXZZ zHT45;y-&svcY>C19|aF8^b;-yGTS9Loi+r^Girj@+6=a;pR+_F>Q7h7)jdje4L`x@ zaL^=%PFI23KyXg~K}W+$sxYXPhroWJK6^>A^SBA%;C+N3nb~qh^;FsL^yO@Witz>{ zji(1XgNp7p?`U$_C-4Egq{jR^;`(_0-OQ{v2>S2i{%4KI%hfZ$6*Rpp07`t#4#Q^{ zJ9?SU(*c{pifao)>;95;p?LrO05B4H4*l5f3VQ&Q!l*Uopq7lJA!&kD%}Rqyz{W^Y z)YoHlgup^(XLMUMRpNvb`J9Zc=>$u z?!U@J&h{3Wy#)5X6x=7*1=l-`Pa2|F8NYTPsv#)5m2dYfh!GQ6oQ^({TCs)WeSJYj zD=lQjb*uH@iWS!kMO@{z@@b9Kr^%>GK|UMHDb_5-URRH6NKd)nF;khfL#*XVhM}vU zRF{f##GBD*68R~Duph!*6%Z@7$RqinPj*^|x+NOlv5QbCBBIP|r8=H&a0agN+@6hA zUEX^pLl1}VOb)^=`| z^W%QT=eU!m2jWG)OS|L!_E&R?9PVLfJ2*|-bMxE!9FOFYZ^zT6%}&b&+smukh`LMa zs1oWOh}5n)NT!qNP$#y3CR%sSgfB6o5PkHoFD>$~oS9M?Vr`Uo5zVZ&+6u18#|G@? 
z@RsGV7~aY(Ma!~WJlvr$ZCl(n-|rU_V==acBXaw4&8X!jSaGV!-{1zBA zeG6O&%Ec1|AG!Xy2ONMByqfvPpuf(ZDq)xj9a`JW5#0-s;`9EQc|wtGrjD8#!9Dyg zjUJ{tXqQOaX7G)Yg=W!gEK)<(Cm=4=M~4p3*N{TeSFjAbR)HLcgH{m~?7PhAy2G9A zNFOf(Se#VMWK4`I5@#5zhf*Zb6!QsU_s&Q^2b#Jy=}h=TZ~nGDWKkh-B#j1qA^a+u*Z2Ab;J@%e`vhCp+MUb7*!4 zhz_mGdG0yu-m&VnzH>Q0w9^I5)017@;`$Q5oaR}yK)C7Dp;t=eGna03wev9Ay;=9K zse4n%`{~v^>1A}o_A^$w1>W39FE_D{$i&?Sc3y4QE7!Nqp(LNb-_orYady3Dz6Zu% z(8OXJf`-QN9Gc#+C~Cb{|30%a8?5qM^mDmR8)TkiUUn}pUDxt`rr9tVINQgGV%vb( zw*=ZBYbb%`$9z`+yOYUXq}@+Y)u!`FFE|!_?zu>C(JM0*GT1)VvX*n@^*WpRkLY;H zSeKv+ow<3p)!1rYY)CROu71SHn3(kp4YtOIo`P= z(cf-8pOFWQU4fSTUi6cvdX}#`_H{fnTGf2$oHs2m1)hIJ5xYe5-UpyCXTHtqJ;vI; zw!VSemQcI-YE{vm`1N&9Ho1x-vL8mTqMv&^+B>tEKZeJMJDtTSK+iG+nBwzmtIhwSPuugul<$8ft|mN%&`h%_|^{8yoHq`-4-qLUgm zar^ZP&IW9iG_`f_wXvE!jfwd}WjbPV4x-ap@5+Hktbg;&1fDi>t!ZbF+L-JGYPE)h zvMJ$6FNij&w8~FIF9=M<5iU$P5#$$wP4f-c&jbOiES{g%Mb@PAt&&K zrD&WL${d>x6e7{qO(_YQqY(|uH~p#0wnf9?{J&)d}O zWfLHmix;jZRX8iH(;&j4*BgbWDv6@SCQK1Q!IG$nomVvzX-@Z54YXbLZ_AY*FMKV5 z&Y?)hWsQ;!jlFhDVq1`Df|7xc{FfN6LFl6DqgFfr1)w04&u?DW68Y8u4QJg!q??xk z*#^03H0LXSDpTsBLv12=lCVN-xtxHjMO(xc#QKAABfx#YJQ7qQK;^yfk$ggyV{*fm zj4^O-#rg{eXOz>-8_`8A+vVKI_+9daebA-seH=UD*iAco^2_T4@cQaA8aDF@xd&_K zygD|v=~;YuQ;|S+E$jPHEYP+H?LJ@}gD8%_(J6@y$$xW1T2C`Rs=DuB1Iv zryv(a`vFfh$?w3^)ANZoh56w^I3$LVR92dsW@{d+H+jBavZHqT7h^><9f1IP!G*8i zWZ|=xsj=6K|Uc#dGH+@>^D1V_GfdT3}Ow#L;XjS5y| z{VlDWC{cq(LAw?U1iYlYx1I1TPth7$yp|nu9QAaI!jLF6FRFy~hS++CHB73AUaV3K zDUX;K28Sa2Yr z;P%*M@y3m0zhNW7kd|3^|LCPlxibWbj;`*EzZXBHf)`pEI%hy^u7Q42KpmvDPly>g zBWq2HS!J#Pp;<7#K>0hZLthfF=`M@EWPtdUg@te@+71} zm$Fl&j13G`=cT;Emfp2QMEEza2GiA55mwX-gi!OlCiEtiQdsoJwXe1~wjpv<3R(4q zYFm;j2AdA`P&8F$<0)fu-kB2JgfR3NaKdD#V>09Y>gzNz7Fa2ELRt5!C&gXSWf(L$*D#oTw9ZJ>LY8=)4FmxzCyoxnHteW3$Q&dC%*WRZ*aoSkJP| zQCF#x!_kI7^zZ^|$dS&O$xrMs3Z7!boiv&K-{HxMjw#ypxqK)8@ABmVdzmffUkZTJ zpGctdoCt@N2wxFFfuBatoX=X1YZB;Q_@Lj`KXY$^Q}?IUov)W0Z8a-wH-?_;1t~g# z?H1w^ZN{b9K(}Wa63y?43f_2L%tekqZx$>cogB<-HY`VrToFM1n-tf77L!lS8%F8r zGSvkJ*m%H$>MQ7U! 
z*X^}C6T2%mZ(t{qf!k!i#^&8V%03DzQP~=?rEE;~pUkG4rKiloS084s?Dw10alj>G z{aX`B;Afk*&z$oS%RuiKhL{t; zTc=r@p@h!kUjhxo{-4(Sc#0r-o6GqtlDht5Ok?@GM4l&smR?m)R+2mB3}}I$Cvn3> zz~y{LW*%^?-(WFV6y(}?o3D?iXA&`A&G2Eg$Y!fa1nyaMC2qYPeli4!J>{`YD_s_G zt(Joy2ls8S?>q&(?#8EDA1lXSca#~bzI8R9+Il|xW9}Y7>Fzu)d5t-rPwg(?1YZn| z>pcw+qh&m~S#*oyeXI(`XI2zWojW=%8v4CWBKa>Oc+fa>`;`x7@!)mcAM|}$zAVXl z3mi>KCVraTMzcedB*N%m`!E}IcU-UVGy7F7N2s;&PXxH$xxS<-84A#S4-GDC-hP;) zsNV2gWQfwQ65Q#Gm}<9OW&>tbXZ`5NUl%xjtIifUnpg*4@2R$^+3-7KyS|s}f?qp| zJ$#Td-eyDJNE+S|i>1r!6{}u%>ZjX)x{eW{Y{?U=7yJ5EJnkerWl+Q$&d+ZzhJqmQ z4=}L*1#p0O4^Eu~zw7L6Uz5a}x}?SX9=%KM;;&5LVlp{RKpud9X5VFt{hQks0Amaz zYK9=SC1JZ+2!BZG#lDk#*9ZwpwqCqw`G(8O1J~2wF=VY)nGkD{nc^AcE$faCZ@`A` zz?d%DK#*>|GKxB9W+~K0)r*ra%}L&df<}~_3-R^9g43#snJclYJeH!K$L{v`)v*I} zVevP$a{LvD{EhH^Gh;(y3m3c8tX0ldWXUE9fG*rf!ASFrjAW`(WkWgnZ-qU zYBg2@&-*1KQts@;m)?ZhO(=(`+(=n%yo8*t=)j8+{SdZ4_>N>~5?|HwD^*95q6l5T z%CQ>zPdDC5bd9q0U*r|U&G7Q+Ebs7kuU{w{(#*<}Ed^HSOoXUeMr^vV+6}Bv6%c)k zhji%oOA*w*!J9^n%CV)HJ<|G?#dWUyKr|eMmhYFds2c>N*|>{(7>!zY%IH_j zkd)ttisaBPGOYiWB}F<{8^-PDPj0C2{Bi!dM@^i2mXQpW6^CE{?YA@{G9oa4WsPdHcedD5-iu8lqmhuWdSV5$^zVN8nLaVW!PHS%d^} zhOSX~!M6YI#2ASK;24vBK-9$7P(_Y(<^5fR=@*&EcQG>hI)#>g zP69=pPU52A1l(ucXZ=i?HIRb=07a% zzkE3rT%anbaMU@;)(ZQS5Wk^2XN0j(%hs}4alv=$^z|qGnUj&yGE26;!Q%Y2mTL38 z;L8+&)J2+U*%I&p{B7j-ojFMLWdi8N%*5OPh9AW{05eJfNDD`XA(lBG{6*t}b%L3` z`kLbJBW@q>t7b9{xGUTp)Xo}lkN?&+z@g{!V78}VVz8dGTCPxqWeK*fRvkJZ!*79d z#BK^DR}F#ZF;}>w&Dga}dXdW-?qNM{@|I&Qq!r6AmO(ot(wiBK!~QMk#cC0F$-=HK`d@csm`NsF;W&BKETdp^topq!al@ zJ~dr@L1)iF2(B`-qQ0XNDvQ0?yizx@lQY4%Rc0Gsm_*j}54+L~NSjCp&#z&cCH^I) zP+^(wS=vXb|1(~;ap1#pw`IVoAE2jY%`b>)v(d&kTTw?5e4{9Sm_FO<9yenS||I6F!N4%vV(7mKV z3JBE2RqT8}E)Oyg1ht{%+^u#Kd)T>lvjN`w{d5m6y)Kd{vXZ$vpB@c6x^EW=3^V-? 
zI|%59w=tNzw*D0pS2OutSBC;w{~4wjT;d&BqNM}-zbWD!={>*aR~vMl?&?;&bVl^t zHN0-cbk%POpH=#g;1;@Hf@c4DJomgsk#yc}I4Z6kg=;==Nz!+32l_@Hec0s+lDbv(i(;b>CQ3BB2znqDDz1uvS1T)S7!X7v3Z+wYorK&KqdYv4Xp z&|_0u@5V01-lC+_^AAr{&z84R5<^mf8pNB&Tau3Vsd-sxOT9ai+w3iYcDUxP=uPKA z9fn%npKlZG&DB%uWS_u4fA2{KuF4dE`3=RTp&96;*M3^{?jO+Q+!$_a`NSfbJCJ{8 z2+)AGZvCP;<^Qv|zHRvZ`9c=J`y8@HK~u1$1N%^>OVs$TVp}?11!i-vxp;c|cp)Po zY@Jhh$^sst0_SC~Bhocc^Zf5uh*IA?%>cgs_468~8$Z3?pUGuFVQfo^RfaFW=f+Rn ztEU6f0Q$V0=ZBh(XN)fU`nL7V{P5du7f9`0Ugt?qz=3U_r%$JNZC^e^)kCv5)P2^| zJI8!Fux{3-J>xdCzxq$o&q~k+o2x(X$ELk&-PvX5K7}sOY2=XR(zUkzaOy~}>5}!# zvu{I#Cd+A7w0dz${~PzS_v6V6-p4d3(0?CvC;qT)aR=y5diH#$;kryrd-eQ$=?rr@ zAF`3nY2lPpeF+!^<9@bhZx)YbccDxhDuMsvQGz9RiX!o-jSRSQwa{+Kc3u$&Jr*2# zWHvK!ZW8Udf>Sn?GHRGiR~}uH0^qz`8MIYf2F>vg3yj{JS_|ZOL-Zx?gbFX@hLq>) zWGU9N5Ode;%}>(O)r1?CV{YTq^owhi2TP7RLJlOz));WKxQ>M4rS5cFu^}2aO`0k0 zLe%8zX-A~u2`^uC2=Yf4-2N#XmzcX3oS_uQg`6RzhDcAv*~zBw(4tBIL76yj+pN+~ z9eLrj_=7Kb<2_oockzgwa3%+YZsk4mSnyDo8WmtKeSok!U$xuZ z$NJ=a@bU}ZkGs1b%qM0+Esv+^|HX<=eH5($RQ*hK*22dkvdBOTWkVa(%M1$0*m=U6 z0&>fnhPf*Nu`98+D>)&Y>$0GjS7MCd8C&b>N{%T=^2?^n#iV zF_+`GNHdwT7*@3^G9qY=Q96>XV%9VfU9SvF^7UQHaS`8&siN^`y9Fm^nYQ&pgi8}o z)t5ztq^ZZug46`US$tY$03*tp^DM%Pw_#nnT(}gOnm)%|k_1OWFSi2hqZ=2PkBHLgZ#KNPKnAka@8**Q%Jxo}sftk(7LCge|0Hf3zIZ7G z+M<*1{5w^}i>D($U+YL24g8s}LOh>oP>akvs8$Y;N|qJXd1RrrNj{^hKr|d3-2bpGrz}Fh_z4RJJ}dS`cKd+pg~lfVA2iyr zua4e-g(GL&5|L-zsI?Rt<&vnVYZfTmGG7~lUJQta(!N?KlmBGLR1I`) zH2fOVr)TAPN0|tx^k?+hMgd=r9S^oOOxfI%~10(8ShNf;{Z?|wm*GFwz#HD04o z%J;Nox^Lm}!n1OCJHx4z91;bX15fE5GGFc{-O5!RXfijx(jW+qxs!Pdg`A1^=kBqZPqlCLb>1*=sd_UxrS*y(V^4!Cy+jwV?C@&LQ3}ZISSJ+`w24 z-?182w&YpaBNW5x;#MaJe5}FSKeSUw6wEm7FoRb}%Dq*JIt{4^GzPVhVWu!78tL*Z z=HJNp$>xN_6XK77@SH{FzMxne#jal;A>9?*$MyPe!9%iN098;-GHTyk9L(=k^+NYa; z-nq2jTmJ_!qzW!`?9W2A3%5VtM;8jH9cUB`iT=oU;g&h{Svd9CjQBDj(AXe;duidc z|7-0!Kv}x_>R7+PCM)otaR($t$L#->mcYL_ZECK6njR-8I*P8y@lq8@_ZYBmr$_KT!2gd~CHZ zs1&#Epnr8ee@Jd`bNOBro?i}Cf$j$O)BiI2#zKKx<{VdDywi&X^>za;brkh6!G7^X 
zm-@efFKt95!2QBNE)y=Frw|Sg-N(!r4^4^TcavuI?`@`yaFJJ6z+RniQyp)4qSy7r zE9R>>mwtVAABQwe9{1v7xO|n(5(ghArQ7zLzER$wx{1AY&#Uzwy_=O}YDc|il3SAd zD4%V6Tm_%Y9(n)GD8Ulqr{AE_dD~8#jMp9gW_?i4cJ&8Y$F@9PHV^mxEr-F-RHxNy zvnCH~URCM4OKW^B5y_h4C;IbkbhgR#UxDLC2*I0oBwqABw+%a^H4}@t3%~}L8xpEYaa`fJh967i4!<5D zP^guBzEXEOjB>g&(0Yk5TgFr31sj?8sIXZ;Z(@g$&f3>a?|#@EAj-jE(sRcBfD?xx zNi<(DRK`*@CaOSmZeK2~kx=BK&d3gZt1JVYa-^|*Ig8R-ut%ho zi)_(4*X5ZgCV&z>4dz#IeYYqhwxsvcCgg*Xu_sWqKTb23_t2klhqLSMxmFS{k#ZMe zBP~mBnPk--v3>cQAb#6gR~`8&NjU>eNbgVGnDtQ}vO*HHxaZt-g?gwhaQv(?qRNFV z^h`HSYWAr-SnnosbP!cXSPURViP{S3{H)jPW8-nAPWT@xBNZjEaGU?CCFX%h((djwDwz}lAb1ZwW`-qs&s&x=(XUAdz-Dn9?1;C z@d{RF$br$iY0zcj6f)I{KHn>_OMq+R;@qr=4dri(yz$^=j>M5?N=~cnO<+vtNt}AX zX1r{oFW`n?eNgt`WwJbXiDyE2!*EFGYvFa3wiI;mjXWxio>O77N}(xpLm)xxB~wKr zu#1e+W5xDGJ=P3?!lHJ?U1on3s9Tif&DSUjkH=@N)LB}oa@V!rW=P=GU$#K`Y$Mn*=*OnwvNXN=e>`|D=@%^f_BKb_5NFgxOd+FK*^r_me2O}M+ds$4T-LEgXwG(dec{Ql`M>pKCG8^+q0P zGI(b$n3zCF6`;k0H|FIJ3V(MyQLdaJ+G%vrE_>uPZy1fhNVZ>n)ygHC-WSj-p)7S% zE+~^}&Uf?aQG<}QE-P`mP(U$e(3?vw%iXu>2wF7TuCv`oU8#`Ovq>{w8%#>UW@Keg zpB?Cl7u>*yoLIpsZ_`THpWxB}Ul_h00aU@0zg@ikikS}$^y-MxE2h$pKI*;@4R#9t0YMH zRXdxJ&88QB#-Gg^vUFzhMU`8hg^Z*!0ecKj;`0v&0ZO@q*9j*juebbQN@~Cw1E!TI zdZ9uwIlHY(YnB{?IjN~`QBi%)Vf%%QGOfbALFxXwjZ~aVH?yX1y8xSg^Ekp(DKxv# zX_QGja-j;WLFF+01|%}AS%kg+!VIoVqh1YeDa&v zzOUs+8_4?RU3#D1?Ks}H$JkC}DrWgCk{@lM2|83iZhT+AXx#`$IU@X{_I(rW6Edkt z)cQgF0{Hn9b{b`_Z&TR~QVsmxnKZDavjmlK< zb6kB>Q?ScoDoJ*H#+WO=tws1FzcIV}L=o`5db+Cq4{R~awe|8WdK!SVQt1Jjt*^Wa z^Ref70D3tY2XAVIG~Y~4rSUjCKa;m-7=xa7WaB(F*4*1ambC%yPm=M0pWkFyG7#t` z0q;&fdKNi9n>9M#mIwXa7T@FXcENG}hkq9zGtUIT2bE)|XO+Pyww{7M3m=CsT>t#% z{w=z@Ty3muyG~MUygjYMyb=@>IZvZKy`a4)zHz&U_PxPn{O0$(`Vuu3L*nb~wEp1v zxr@*EIj=G;d7JHOZkhJgqt~yR#7&z&3hp;d(I&M)Gxk$+sKDFhX0?4y2Y%1^JJmDL zF5HJ^q9>Q&+n*S;?bq7D7!aTP!?jOIq%ZoV@F;wJQ}w-=gPpedm~$+ zAuHqQe5mtdx#cAa=~BQw>Uis-FXmr$*B+Ict@eQmIL5Y{zip~z_khVm$2n{;P!vty zgzdBw>T}EE@o^?U#Zz2@p|m%q%J@CDZzW^Vx;8<(CJ)PXr|WIOIM39yeFISTO! 
z*VEn@0cTMBBC6P+w#r2C*LqK!t&XAkZkQ;?InLiT<3Vwv4uu;%_gWfbd@Lc(e zGl$NQ{8RdZ12!1(NBuZKt~SQ0g>9iVwh}&hAmn=Z*e}dur|!5Pr{sepe+mKvI|3sa zWR@WKPTG2pD>1mHSTIR~RctEiozXm42wX(d6Bk=fpw4S9hhBQ{8??wq%@L`bPE+;= zst?@j7qMPc%>KQT6KRe)>rDRJ<3?Au;%0n$>nk|Le*HDZc^!P0-Jl)jQWyO|(@G}e z(e4(ZE+MzV+_0-sxRg?-?03A^>Z{3limy?60LP(u>`{Kw@#+77oS9jb=!w3~OsU2h z&Z_iU4L2aZ4#{2qkuF(l41rwPP8t73l!QQ`AY{~w3PzWUV#uKI!uRi+RU9dVm`U*nG8}Yu!n`JGj!+lAr;%V}(P=_`{D?KuA6R+JdWeC0Ogkn{ZedqH~6K4*e8 z#n>|AcX|}k-~Jp8HII=vyb{xH+qnG(5$xjq)L>cnMrs9|&0ln8f%I86wNAMM^bo7q zh}x5wr!9T(QzI@gkQw*$q;X;BbkdOx{W7g~ZPtM;+&fl&6A_r>*nwme=+JPYLSy3M zs2<)XB7UY1+aM0GrSNIDyNocTmK4)vv#Eqaus-5sdmua~g9vjdPOA6Xby?Mhjk}0W zfH=*((V%qc60tgss%lv}~d{FIWu6=X3YARXA)KG^;@&Gxxcxg^b z0(GX`LcK^gcN9lyEYm>XeNS0CgdlN2t1=++g$&K6(<1K7y#jvdZ1p6e8Ll;9J*mUZ z(D7*>`%9XKXU5bbH}vGJ0B&9nM2@giidJl@21CW{NG$nm)2pCukb<^(Nt%SaFn?N^ zSuYyCl}K@c^WHHdjIy7XR-`UDsYn!eU7oQ_kd7A{3wv%=lCo50!$oTOXkPrE9u&x! zh*IY@EED>vz95Md-_ok3qWG>akwMOUMeq2gD$?WloE0|}cN4tR|2x2CLQ;{>oUha8 zPu<;FpX-#c=I}Y@Q=}T9hhd^i^cxm}2yV9D;a+f`(O^}%qfJ->zDI)3`DlSGnwv)< zB;C(_*3WQv-QA}&SDTHurro@|i44(N-XuPa@i8kO$xHRR%#S-%cvpAvIE|N=Kplr# z+bx|agO^C0Z2gZzxa_Un`|R@$M!?2}&}p12%~(I4pntCKUi<MS17;qvHI=m;Jv=-bG1%a4I9M>wB5n^Ts9t_S$2Nhzk31Nb~jv; zT!tF4o`AGET{Zi%2kDFPyRNM$9v4+PS#|I3>uN`OGhU8UcQH)q0>FNvs#V(?c@pod z8GX37?v6qFvux1qs>`YO!ER!*&fBjYI8P#v-D5aOL|N#&QPenZIFS-Rp>n)B7mQhk2t9aF=vBjRw}zkum%z_BnUCE9WxE za{z7!+&M51&=>;+uO!c=;0z8fGpd|c)8#fnCJC}0Zb#F8t6iQp zuv~PV_TRg&e>(WjcD49`qy9VnHf{GQU8z1rt23l9MppsPOY;g4+wY$+7e+12DOmNn z4+LoaG^beYi;z>W7Vp+|^*n6bAngG#6B6s)$_8uY+PEC(yn62Bhf3kxxehhWrN_vl z+?Ea)q=hAl?PlE2x$+ylGjh||bgT5{Z34|ugC2Uqbo{jjFme=)9)!-GiG;@!7u1%P zwDUsRZ018aO2-ahISdD}(&?xZdj8qSj1M4pEc_PFQY%KEfTU)-;Muoe1AH@5?u}rW ztV$?@Rf=BZL;rr;mff$!D84lCeX~+>^$Rg&IM3ZlZEj-Xsdf(MNWaHk%)Nw`BUNs0 zZ!A&sJiqPnLF`%Xz69mL@V*Yd+{D}n#AsIe$Up(9vraT=kvVDgA-?KHK|wgh4>rE3 zrqM?3ZVoksRy2IGlu>LJZbeip?iz~pA{R(_X@%xk0_ZT#Id`Mu1YV>gKx+U?qN_wNtDU=j9T}DM4X$Od4Aypaf66@WE z)a{#bcI{J`do{^LV-_RzdQA2W-_l5RU(Q9DVdE~FhCX3E;dIl5JXO0QsD{Px5Hp@t 
zg$149A^b0rED3U?8N3Taf`Ico^SbZYAI`-gJ1K_gN?wK&iMAMOw?vSaUvvx!Q_E7t zeXP3RA~e41;`jJ(GXBtKvqfKYS-INvS1LdlA8_qhDkM`#5KS0Dq+p6>>B(m+N;D25 zr4o-+5AI;Jw<4=&84fH}JnI$*>wqh%$O~6NfNg8AcI@FNcDSDO14u~*0~_d}!EE$v z27eZ|Sn`X7ro5iSiF094v`S$`8n;va)lGaj=VxPiR+`D7wWcgDqOQ~X-#P?m9!xzPwC09kviz+KazA?`DchjO>rTUHTN-iP~#?v}|vUpA+6Lo}K z$ySVY^_#21rWKpbi04U<0v&Rce7-Q2Z9SV~Dm9ydZixlMqR5XSFUDmhCV(Lg0?cXL zuQBC->;g+%0kI-z`%^XVl|Llr6No9o`^eJ8cYibUEOAMbYe&k`iCJM4`e~D#5Cz1) z3JGE5_QlfbJWl}4T>g20Fu}%c*)NKm#%aRd_g>rcm47-;zik?YSlJ|ynyL< zNAnzgDGK9=i9Zh~Bb+0-JjC?z8YvdqDwlEC|H@kfa?R{&2Oj%Ufpt{4wc!Csr3!Gw zQ<2C6Zu$4_Q?oN21+u@uc5MN+T^=Uv5<$k*19s$ z4r*2)k4+}eUL>RsojeKIgFK98)2@1{%45qLjH*$1{L1q`Tb$I+xKaBA%P={ZlZt<* z2&a+tIGN_gxP{e@$3l`i3+2Qc4JV}wlRW3U4!OKp5UbW9xv(i4?zZTB zMS72r9ekdK>;EC@92@I^x^3Myw%yoHW2dog+iL9W*tTspwryLDZENqFd+?qw<1frL z=NM}|C-CX{+AxI?#OxCs4c;vOCwQQquMzyA_J+jk1$=fHJpMdxl(p+R(EcaD88FS8 zsZ8~N@l{*G{)XhQ!~zg9aQ`|I_oET~TuKys`u;Y*5lf#9*mPO*sqMN>e|VlaudUYY z{&bkwzE9NM=UWbV3XZLmt!;Cz#c$!Q`!led_{hH5-FBx-iJm&5ueV!|kJM%!YB)&-?1(a(l0z(J)p& zv~&H=klf*VjRyF;F(IJ;*vbKLTS8zoMS8j1M6l;?eg3#xd!Bv#OF4LN$N#6=yr%6v z`73q&v*Dy|=BoXH@{E2&;O|nMHiL&<{i{-C)oonQsVgnLkM-)BTLV+;jztR_@U-R&j9u zZQu46&-u8+;3((ddy9Iwk9OPK@;OSQ<>&+|91iUOeHsrPkhE!i?AIufbRYUiT?KA3 zdODy4Chg)oj{O?|-t(a?m%gIAj|-DRu3j_PYI@q@9WVBT3_`xIFQAbR5W+F&U&9w> zLgj-8xKLR}1I(TP`J1u(Bmy2*F%!Q`Sp8MdamR_k-;1%E$r3lSfeE@Y5G!U8aO1CS zu~Da_LC!kGe47&Pzl`>Dce@4pzG02CIN61P3JSffq9wmadLy${;dFoYkO)CBC_z}s zvqo)ssDTK9q)0I&rgjAGs}`xR&}bwJp=;qU%M)%hr6N6>Ox5)$B^bW+QI_Cx@3_n&znqt1-M3?><6zGk(EG8=)F-*28cuY18x{W&Nq~%)K-|V?c zK4Of-vV@G!TDns){_R}BZRom{#qgaYF2gj%8A|F_ZqRzCtc{MP^CCB9w2Z@#u-b&t zb7IvO$nE;QR!fc*E07VtlBSp;+~xx_EPBL*3sulP;x0J9Yya(Hg+~bgo713d*G6kb zS=efDE}Ml~5T#{>%nHL9Udm_!L{gM(AkCzx2V-lVKp>mOXq9v&$|O^jY9Vt@iW;}b zG3FtGmKx|~4%4zM>cu5FH;(@PQRTmuQ=Q`CGY5ep7&>)`5OkDi^QS8-#sKb4j5D>Sti!jE0aIgIM(HjSnZsc{ z03cgKOW)&*j;oAIA+Ke&AK?nKujjyVMDyW3s`_*({2%@Yx_|B zrc#^(3R@rlo*520S_w5gs^?Ic)HlQm=%qpHr&s@9icGeg4D%M?%C^%C&1?#fk6IPw 
zMDB5=Qz=s}r2&J=YdJ$Csx10LCBGXkEB>$(@p>qTz0sgH-LmIAV^M%8-%rtbfGgC^ z%6}A&q{BWz%ddN&``pv7NIRxQ+iU4pf(Jw>3LOlueyAD^4!&u1$SS6Ut7o8mB_fmT zpb>6_{cFTbOl?6|`)3XKdP>3m$1DCFFIpaU-KkkHKu2wooFwl76n2 zKg3BcQ(^W-h_YxhV5x~m2>78=(3DVm=lkuNs41H+yKW9Qf~mB+x^P>xblm;6`IY@$ z-(I@dN^Z$1e%-DGA;r!h-9dR5lD>P8<*(w^ne*&PUQ>us@`R}$?3yJlMp4K5Ny7)B z_R)xb3Mlb?62QthKn&9XDaMZ7vz zbJwuK>YAdHvgCS?JgdWzH_AG4kpNPGNv8AW>kpz##RXib<=9W1ghpsA;t5E&Z7m zTIh-AXr62YNq*n8`M! zy(%tj%4`H#lNJ5F8H{V6%A(-|y-r4!`e+I`S4{|4H8k-Yu4G2?kV;Dsr>16J_cNCDF-nlGq>UkdBw6)WJPceV? zx!YPv4cJ?W^}Rn*)qk}V-?EO)J)0qb2AL+8w)4znJ3V2T>px6fx~+Yh)9QYXE_dJ` z*#nil#@HA^4OxY4D;%39fDcQDD+bEPTnY+8c}DFY?WSF&`rQV5wYa$*a^7aPFQfY@ zA2$)l_@29wbGaQWpTJ&mIel$r`JIEyrkGA7t;^wR#>*4No}1ZPMDL4D!m7u2?IN!; zyo=|}5bd?dk{9uowu{?aO|P&H+fGuK<-_x=r_$_}oqMIDM>OEz?Zo!mR|=}5mha-| z9;oE~1*gi%>e=1T{M6L&8WY~>F;wU{-L;LG(0jajX+$b|Pvu6yyL4Q*i4sN9y{MX6 z@jQzuwF6FND?7ICAl&OQHK^^Xw!Le2Kqm5r(}b7+pY3F)HT-E0rztQFwh%A9j=2QsPG)lg zoT*@6;NXFI?M3(JCQp_$hhBxt1($f4cmYz+pWV7=IuBzz;P;(@D)VDR*nZeI-5&m{ zB;^S8gIeC&7Ld{rv-QW@%7)rZkGhsm&!gJ0(|NPK?rCFgmeXxk<{%dX9W7z0U$o2lQA?{n`c z4EheAeKQKjeflS)Y`vg~hBv(SM5bJ0KC4knY=}_dn&FD>;)I@S)&VYbF9vasA;5vo zL|8aj4?pS%P@x_P2skJ>`~7UwbBSzFqY$N8lnl*H)owOKR66Cj%t-FgBBefP$@&9L zWD<%q3M{#ihq~BGX)?jtG)g_h+f(6~9B&}el3zj{p8kTuP*Fj*y(V(Ou_nGS3%nkh zR9A*`3mjdxs^t&vh-ke=1KQe&Gc*VM)UOapdRWH{)AWV{Pb`_Y6lK-LRt1TR#{D$S zWd@}}W(65}^3{1Rx<7XmnKi+NWv7qMY(rzs_>@ChQyGZ2;UXS)tdw4Doe@XUUECbM zFHlqL5Wmq=K44A*II*uZ$;!|n#v|`E#-bp}D@4$t_;#A}A5@4R)shEcWwY4M77_wp zoN2BL4W?xwO_0BB{bZp^rf4J=`fjMw>%DlH0AD+bHiT(wiH`AtY07EYU2Co7kpPct zTdYNAB-OG&Inf0@dQjL8ZduP_A1>XhQHHP^MR?5SjT=PAR&31&q4eeoDFkHz3n>mW zdZR?iL0zoNyQlqYHorDT^U+o&t|9Fq~V3dyi;)ehu+NGjVn zwpNpSH^*bfCw2kbZ_BnW_F?10^4};q!T1*F0s+Tg_ToeKkKQhD}OjV!*9atq+ zxT|IvRJfUjN?d9Jz(na(sa2E?1B^$t5+gf)DlJYNe!;_@7Fa+p`tP8qOlY$i0xaJn zfwBLYzKkG6%p#Edba_I-p1cS*(v2h7bF@E?r8;%;Y`@>3bys)zupm2qehmo5Spl2|6*W)Lda!IKSm|@ywDzyGeX}YZ2g(gy@xrGjp%>8kXOwrPmRyzml zPGFS^7L$t4%(k2>vj~hgbEBR*1=HXXXkZ$}XwU+FZNOajrk?=p2NqB~7scB+aDZH2 
zZ}}2#I2USq?HkZSM6;a|-!E|K4H&gFwdD{JnaV6T|+IbTHB(P~axly_Qb~rIv{$ zwq_fw)WYi}vI`}anMJm^PlD+`enj~BjmDD~R5`7dUGRZx2KZgLa9$vQ2wq-3&|fA{ z1cGLs+iF;9p1+_G_L;}No&r7FGh6*!D6l6wG&~eqfkqXSZeb!2Wv_w6wcx6Fa^x`C z<-NFYOBv1;S|MB=YSR?pqYwD_Gw$&HG<&Q!&D<)?3pq)js20NuW8i0=d^s;-(Av1` z%qlp2%1!mjzlYR}7R9EHc;`k9 z%LVRPqqRu|n?%@m@Rr1Iqrvng7+8mRn5CKjM~(%Yza~3?`V%U94fIYjJo0(m6x#8T z+6%Av`XqlK{2}xwqloIk=@GQX;r>Lh#ed{Y;cFIqm2F}ed9TlNGP4gh zOPk|km@QxzN|3%~x`mJAu^*AR45@oEj@7+AIQY2JUL)_? zR@{r|h_pTx_$gdfFp;H@?;5l~gx|;AdGADj|Jt2^} zPZA>Kz+K$WW4@E=eXhrkI7Ua`mBtK2t2(6*>s#3~u6hT;aiCBk@FEzC61DyvnNsj$J<&vPcozhcoecJuf>EK%J0)(cJgIlr;SAO%(q%ejVh=l+xx{53GzT#fr;eV>8nY}1W!?d*7?=aa=U8)5p)tUYzB<-K-! za%aZ~BnrI$1R^5obWg?RY(6SlJzFzsxle)3k_)U}9y-Y$e%fdavS!M_R#ZAR=XVT{wq!mz+*5IuHoyYHN2NgKAL;ccYJI{rmWpXp|!M{=4y8%Za06T&g6a^9j?^;eU?LdY~~H* zmVA49^V+W4#y=G(z;L=huc6s)TEhJ5Gi}`oeq}k<_038nP0XA*+M`|_h zOFU)*T5_Mxu{eAWItdvy+dQuQ|0td%EG-dUw)IaqZMT=7bZOS$H}v;q+UnT!d?Y#d zl?%*dvy8M^Bu29c*z`CqzbKH)3FH(=1Yzw1!f@Jg1?1rZK|01cqt z!I96?or4( zi;3rni4+St=M>Rqjh(Fa-($TE#HgWdY2{5y8j*{?EMQwUP)GBIxFrLh!vwy~%Ulk`*Z5`DzM zVem>L;hq_+i?~!={1sMD*@98p#Gkz+813k^x8H=2Dyb{KdBbl#J|}EkbG=&Oy`3vUFx$oCNMH zgau9bpxc;;2uto=^F+BA`+!&eN;WCMFK`&0O_N_fl-bL8k>2EUqr}-=(qid^WZJ-n zX>x;#ZLeyg9r+2G0dcB5%`1x1VBlDhhSGrJYL1N4Vr!<|LxXd;VkQAX1_T|1^<#;Z z0U}<(Yr$}c(GFXsEq5YaUZ7612`wsqlLZsaAxsaL1#i;N2;Wrbvjt03)j+WgTCb<$ zyIj%tFw!S`Av&{``7Qak3lLzFe@}fGfN9?LS_z_)0}%#W*C9BtW?RD>s8R-tg(DWO zmnAs)jA6i&&W*l8Tg$^L%~rBYqw$KSeyHUk_5a|t5M@sa>AfP-^&k8Jp9Cc*_59Ji ze%(C6Y-bXREMPXopCPGjNGzvy(wa00V>3zF>y1xwrq~lexlv|a^jH)~>n9znboYR3 z`()6jAf_V~jaD2kj(F#i5uH?zCnqIbWI{544R_;+=^_E&2rqe*$3EB3^bIWob+N|3 zB!gXp0x2Uu<;oM0A~B6WI(+YeV}K>dP6hJUz(hr$vsXlj3k$5_bBGi+7#pT_yRizj zm5vjcU=ifOlz2ERIA2HT6%sxnGbq~f&*!cQtkpTv<7f3GP%n`eA_P3QA zPIvwn0-qi>?!g2>(}^1|MXTPxL~#0&T#zG3N2KIc0xK`9p5N(bn!@(GQax!$Cf;&#FM<-|cT&Brlpw^Ngas zrNnf)lxGMU@n&cB3Mc{rrR3(BQdp@rENX>zFfe=;3;EQQ)^PVXGI}}2VG@7%s1(J8 zG42X!ADa{8kWIXmtbp077hM`fyg#ob@}{_$4BURH(7(OfHQo>^R_RF)>aLiBzXzbH 
zZCQo+)I_L9MDQ64uspH+NA7cZkWoQ9N4bCt0V<%t7qGAwke5CK01$&^G#vQMX4Qg# zq@cBwcL%&Q?@55%htMl{-!EJeYFK}mwACMagj&zS{F?iTpHLvek3a)#5#K1l(@Q@g ze}DmUL_BN#kN|5=TWTkO=MNsMc`Whm6Cs}c7H}JJrV6-uvUmMqwm-1K#<=#?bTERj zc08kQuG@+D+8>fCxBm1F)$zKN zb<~gh<>M0bApLX3-6yiN$29!gT@&7sKDfX~#d6aV4f#xK7%E58 zlU||Y!RcO1#ryonX8e6T{u@Vo`2j^{R?B8O_@4`e(w_DOhK=Xtc85eLdF5_%yZeJp zmLo#fQMX#3Mm=AX3n!9<>& zoUOCaB5x3I%h>)*zp<|_)ZTN3Vka(!^YIyvux=~hn&0F2>A2H<4Or@H!OJ7G0m{C$ z`OLqyfwko|ANY$B)X-(sqIm5gc%qKa2yeE6yZhh>z4dQl)x2rT^`*Ew7?;0mNNzt^ zK-v&fNk|0>h5Se zUx>XjZI>qeJN9_mP=?Z0(V}%cd@t|yp!xLSBERikKcs!H*B0jSoW3~2;rUSDc!yNE zK0a4!>!zK?>>ns$Kqcbl+}!R8j~pfb)-;zV@LkJ38jIcCRhVGb_83 z@7&L>h};)92rVTw+wL7ROdx?U5UAthKK2vpvlZ0)#b)b{yNyNN8Y@65eFxnSoD%O~ zHZ+1Pfr)QQ6zxiiLkCHm@saGECk8o|j_PQM*|7;7{iQEo-TnI{wh@l}iMcG8PM z4jHfiywcJ4BiK|L*@6N~Kw>%()O78{L}L#knEkquUoZ24W;oMMddxhBE8*_3QVrSa z+n*18(U=KCQknthx>#1|B?1~Miob1Ai99j_C#bzhFsCFOx#u48S^2%w3PuI5{>-Jb zG}UjHr<8KAetl5v2YDlc6H|L%FjYJNY?Txz3$7bnuL2QhOU=g|T$#h?NujS^e~QBk z8Tg@-g}~IqN*TAwRqsULd+D69h2|(ehUwHUn`kAEi@36AppGqXnD!`J#S$Aa`}}_O zpZqqf@YAfx2J6A4M5kU@JN@_P-00~onroJ0rHOvPVdwtiDQ9W|&IBq<%?b&uOWIf_ z1m^d@W@D)n@v!0L4#ZOGkNLmZ;_m$J@&C$TlP$ZIaXLq8oy2J5e@AoVK3lKf35N2- zak9)SAjZcYfc>#n?NR(o`^qvxRtN>wi`~r7+di!PWYl;lXag+t3ZfsBtxarcjc7iHo-* z5zEC7Pm1y+MJ0{JpGAc8s8t7W?WfQ9GDP*{+e3--t-Z%(f3WAnjh4^8-Sonv`Zn<8 z+yvnT)8nF>MC50j#2=EHe@8uqYs2n<@M1uu))V5wT)lQ*j6Dy?|C{YPT_~ zcH|qvV-tq1h~Y=Pq?ig?Sg92~h5yO1fIpms?*5iiAz_XmVj1Mppl2)ft$fHTBtI`e zLcze+0KHYkPvu-Ef9y~>!mva(e6LuH>#vX3w|R(;)6@{LfuTQt;ao?^4Y*IWV73;A zS{EXC8I$oyPZg!HGdCr6_pXZY23?d;l+)D4u}QhY@i52DEB#R=40Ohx{i={(5N(=0 zN&A-hD5&EQ&YV_}Kz(cWA3H%SX0#`REbn227dTSXkgqE5l0MYWC|GXgucN;IhF}`H zSXG^iVMw1gNQo>HSqbvYOmTVkqKfaz5n0a$*?*Az>)|ymUS25WL+rwY(dmP{c%p|Lb)AS;J;g*p56{L0qhMo$+E zku8t(qx6>rVI~q~QtwxvGH(DkJp6btgab>Qh~bu)_hv;-ZWh3}lyB(<+m(p)!*nl*eosYEteO3ljLBX{+c@|r7=YIJz{EC+MNSvKq9cC2Ppqi$A*h#%U$1Ll zISWng$|F1t;cw#!jpv;jR7qZFBEegQ#n~_Urn$5DL!g#jt8?z8ICQ8k)A}BxH6NF& zdb6J>g8<2*2o9S>J84d7>&L!jWW6~-c2f-z^=ie!;?mr2c$`f9gMS%r&n-moXTesjoH&h8K_ 
zok>+Ay_z@wj1#q=enufW22Rog@<6eby1?h_FvM41H8A^g`XPEdh&3uW>DdZ zjd7E=CV?DDI7k_{dH*M%q&kb|j|o-KeLe`8<+GD<@`VRN8b}Ysl%N97!M(;y>~5YHt3hvABy zubYdtEsRf7HDUL2fNitpi|0L_JRczYp}Lx(YKE5X<7usD!yJlf^)Z+>p_K09h{w8U zo3i7%`U10s+w)QLbgHLr+%dfCiSN&bEr-9acW8fZ`{1cGLESX|^EQ%KkAPp!hixfO6uJB*whG#vQPMLg%Lhci>Ptk3nPN)Ifl{60IH*X!c? zO@S@*GaTJOi$f`wQmp4eb)K~DkKhk$M!pu3hDkl`=`Xs7HAuH-t<^sE9Z7$8*$ol6 zJ7iw_a)f%{(xE`X(Yns%J@d@2L#1=Hl#&5>%BFiC4AI~DC@ZxSU=U<*|LyUUQ(f=r zYyfux>f>FUfrl_~nb-ZHH&7eDI_AN;=7i=7&DXATZB%O|{1igAqdmJ@}>4&Kw z0u_*l$kiBiIyG~)(Mv{RGruu*?rpOaGE@Z{3rw2ww777_zc&e$>SY$GZsYwj9m36Fo>&myVZ@67ypoG{<3n4)1w#lhj87p;} zQiWTc&oaFnND`d(3$En+l&V}=F}x|$>|pe!EWa_TAX|y{hko97;o2+=~`pDLZFRHb<+91-MUa%A3PhF-B$adSEv!As$1~I%tgj!GD!&M7L`72q6}_mIoO#*e(SzA+fe^$)RK) zod^5TxYO|D$+T_Be<9O$kY z#?`<^DfgR*ZlDhwxV0fAAj6e$d)rQ!qns@}z{90gnPWc>f+sg}h_#kApxpn#%q-(t z-yp_=tG}+@ungtpc<-=x+Qn59v+#5@~lR#GuEVL5M&TS{%}--wT9@wP~TMbVhDU7Da@?;ike(k}|*-Z#luxH0YC! z*L8e{5~YRn-}4G1T!^V9MZ@DO_jh`20zNk0daV9oEWfIi#=i2hyU{h*f< zAVOg?%8R3EbZMVk3By#TZh@ZMl{TwLN(N&DW2uJR5;00uqw%rWG^8zqZ?~DIGOp4e zzrl@e^runu>w_uv(_phZezRqj8<*ry=@mkmj2DX7WwK2o6bTfnShG*BI1~-HV^plM z(4CbHXUkhVg%o3tKatkjBxH5BuWFc{9o4qW?60tM=s(wm4;)G3qPq)EV6k~XZe2O? 
z^PC~Wv;67jVcdRq0B`a}nyAIcgWGa0)hi2am}XOwp=bWD=|v@`viM9X^1RfxG8_hn z_%h9%%|B!HLG@&IOC%oPNp4cT$l?$85)BK;P_sY(D?oXKput_nV$kFR2q^UB2biB% z5=aAJK0<{slV=p5KX5*vfXr`5(J1J0$k?wQAIBFBpBo&!pVM4}xw(9gYYVRYH>-Gv zJ+~&nkGAr6HJ(Jitj#NR0GD&*O?zrqusq1!OYG%oTD>S`^?oW-z86vZd4$7x2n~w@ z?v*s=EynSHyX6Sc!+Pu~qjuA&&u62%!OlLrDaF^Me1E6iF?g4@^n%NJOFVVUcDwU7 z0;`6f?)v_t{a6q1;@K80-^K27XBlf}+yxkyA1uu`CIB1^XS?w^3?C_+G6kGaNiQBpOph)c&y~e%T}(kApWXcLPip{8%N28^p5rK|*|?V!ri^*VXJNpyNu>Q;d`BbGtp!vAXBn_?~g= zeQ{wXNl(A9b6t$L+dyr;+gEQR|;>_kNhf!E0RM_8x-}&;G0AmY!_qdlCkwHSZ828-+>a;R*H0-l%-n_UvoX_p)ygzuvlCd_UcR67X@{r=Py($s~A8eYY1Vxd}Yt z)(){Jtl!f0i`HrW;HD+?dcG+1G3yb})p*Lo+g7&&ZoOLDmp)aDd(gSX%Bn z$2sdenz2!3H48o&j)EtENs0x2PGrLLdoT&nsjQNuW7IBplJD z4ouaY&N_8qwaC`_th>-GkqK{ECK{ir1(7Gp&ALYUFv}&$>T=ozxJ`WFZ~I@lBY;+< zH;~`g@MZBw(_jJKt3KrpeRYbR2}C*pGiR{{Pb=nI@*#VR#1V+8A5d5ibm$Gxsp(_j z1_IKtxxvx|$;B)4eCoIt>8c~nJcMgGh~!$B)3M{sHdvGDd$7+@IoIa``+ zO!@MWQo@Bt=v;;+WhraPEy*V*Dg~yJ#KDEmw;prVs7U>grHkw%hj8=qh?^^e&7NN3 z&dH6eA99A+XAzDKKg-j&P@`8O*sXqg7BDp;b_GKO{#fJ;Os(UJC+=Beg{&pE1tNz;KuM4G8B0hR;8i`=W#3`S^UR? 
z|8nDj!jM9Hqp9-%vnSBknbZM9UFCYe0rCYAEB-7sjOq=W`6n>C^NIu{zad1WM1d`o zcyoH4q2G$k{inC}v~}K`z|d~`Ze|&{u|28dHgoBAc;)>s%6jkKe!=(Ugw!7Yqk%Nl z9eAF4=`-T8>GH2Zc$`y_Wblm50tTu;8YWlL@Qxa$#i z<>STk!{77*1Mg6sam}h@Kz~?$Nv~}4>FqIF6;bQ4U;NnDXDYHq6{*#wJaKB!&3}xY zV57WLYX#ezC%6OV|BWrI&SfoqBL-5d(s{}XHLJC`)It+Rx)hP zf2=QDRV7ZD_3Ike!lk@lxzzfA>D^QYCyKl2U#*ndIE;1w+ZwTRNpII#k>7CxvhA$I zXuB2$K2Lrc_Q?ThZeRBH8vaqh^(PX9a%}AfT{3odb{sIQ?7U*DbQz9pI09jx=`uNw zw*sfR?I#AMk3oAu$!a|>;TWmghqKl>Y0pqT4N#1t)9dfWU9lVPD=sN-!^GygACv!L zpyYe*vuHqR{O@zY$2BV{NII^e9>d{naC2R?-30Gja+Nkci(owZ?A9X-M+iMn!ndQ3 zdf!vEVtiaxuWkOs%Idoj0u@k&Q~Z?S(lfy#O0BhktOu)ikDm+UgY znHmRO;2COQ?2<4rv^fk`Qe3zn4pDvyp=pK(P|EtoWdb36oB9sP<^mPRa436)sMB4) zhe;)NWpG~wBq|28I@-7lE^$UHbAnf!B!KHIa1SXeu)($|Rz%?GgpH$lE=ooPgTtZW zB4fs52Qq~k-gVONA(blFh0&CTI2Uo#${n%p{kwR!Zd+U)C%B6cAsoiWaJqPbC48rO)&%6R#+M-i2!7nxMVEU7rmCYap5 zcj`R;S+p-Jew9M6QobEVZY*{`VmP*R%{5-ULBs%J%%O=cdET2beE=LCp9PHA-q1=t zP63L}WI{~~vOZjkMDjfbd*1}RmA_ygVojoXPOnQJ(xJmxP?fupCV$7OE{e^>lN6$) zzjeTDvs-4pH!o=J$A;mU$P6n95`KR0ZeAp1>B=1u1$Bk8S)mqY(N<$3^np-CHj`=5 zcvw)fRFs%Mgp86c7izmw&tmGUGh7u0xGcdCM!vp1R#?hV6t{r}$*kqa+^M(1N}{tQ zd|oH}l;;px^f%JMYm+>g(%GwX(vcL8YW<~5Tc$)RWGl+_2vibfJ9k@Nx|9PHUb9R- zdzlnR7om|llM=`;kbu}elkAj`P68UKX8x4owf+{Uw1jCf2$+QYp4(*q;t%T8=L2b0 z9Uj#J7xdskW0qDBN-87q^L`vQgM9U3OB*f-^j11z4c_GC^LiJ5eP5AC`Ra>+z~NaHr>=ni>@9b5LyMrlwOjg)ZDUkHII&E zUvECO{b1+f!b<<%HitSb8&`jVeE4_^W-7{87-n{j78@G7RN8Q12QspgjFnST*PRpP zx+tXnURoz+B?~;mAInOtGi3h2vVvgpx(((4lR8+fgi|G}il6AnBBaTvXQ649nTKMF zk%?W-V$hcrTO>3Z{*HIkVdp=d{?MHS)6Gpd!gSfE+^ZZw^Uqzg*ft{?33n`}BO|XX zlDdXTh-j$7w(%|p#h)6n5VX*Kqb`6R5W>E40k*t@8q@noK#~d|5K!Q?EEknlP|Wbs z1fAy~ND`5&I^$CA1|`i@X6j5U+0dtV)gnj!%+${^ekwo3AA)*GeXGQ%Ld70AIm9q5 zU#T=ZYkG{cv@U32f~VXS@tJoNwfE-jN@;CQ87OH-303uW1Ga>!G;W|2e&2pXx7`wqHknhZ?&VLzUFAvV707W8Fm^kTu9w8~g!XKb0= zkiIhhDmi^vqmm-?VNbKF{}o^$l+fPE*O(nm|LkEj^4~ptlgJ)J^fA5Q3iMxzH0CAWxhOFa$NYVy&!O`c%M)r zK_7Pk*Bxpv+gO8YT#o1i33aE==+@THNU_;Wq9x0vL39PJYnc>!^d(A{pdj0rn z)NZBiuG=@=TAQhLeoA}?-WQVt%XhvfnyPV0w&CrZLp}Z8c#yri46f|z9N6t? 
zlX=Anp(Nb4Jl53a^a$OrWX}NY=(4OLZNky{v1vX7ob$x88-%s|8 z0-E)|?A!^wu9XY?m(X*4uZugrt4_PNsVbKz-Isnn^+_Jnr;9E(i7u~2Ys&5P%BqeY z@5v`DUAF}*+KcPX=FC*@TVTUZ+iw4+Pi9^$Vaq(h#OpTjI;Zn-_fh#-;{2nSa{KQT z_4Ra)4{+i-+v6xQQ}Ogp2)KEj!viXJY8{Rxu;Rh782~c_$m9aue_fiR zKq{Hg?7&8#fWF>WWoOeBb%`+-IdC9k6Y!Y(0*V0rQ>x>SH^ReI-us%et(?F>7Cs#; zQN0Mr;F6>UC%=A%Gp;G)zePXe9${1Cr9h%)y>*92XS`%_=R0VsKXl z0TlgO+7v!bH9yc*6C2hvZe%)g9>8iuBMialciUuQWrs}v8e0E=T}}$wT}V%uaapyg zrhZy2A)vI;4Ev7ZntY|e@@n)=w*GKA4i96)vjNvjt}H5|lPF0fbtREcy5a#UL)9Qe zZDi^;*r6bOH<9^U`IpCfE75*@0(t&A#GVtvtW~*laon+l{X_Y)W>eI2tv#-Sm3bjm z$bO>H4t>ct2!5E?z$-c8sz9t`&W4ivX{Ca$M=xfG8wiVrxYEsww}4Fgw7@_k<}FXSoP65 zXs1H6L8q}UTmmL=?n#5|S&+_n3}i2lb-4|r*avkciO^b!dVwVO<(<>}i6Vt#c)0l5 z*hy@0iiG8^>uY89sc&+%=`eoIqLye&;3C3Ni!(v5uJtowVR{wvgJha2d9b;aPsz7M z>a~lsrp0{`F69yq<%Scp9u-QEA^5E_Wdw-`$##O+a}I*ZlxrD<*onAPmVqDN=5fgg zZVsI9%6PR4AhS^2*8cQnLTE{X?XRXZ=}cXxP!j~4vnucYZrHRtU=9&aiC`6JZWp#p z2*NIf+dwOvVBwEK(4Ml2+~*1WMzsnCDUU4dxO$>l0v-c7U}Td5TsrPaH|EiPPePpl zRdo&4R)OfI9q-ja;aCHJdJ)LOi+%}9SHEsyAw&BU_n^ySZNnO-d0lS!)_Jmh?pJSz zL9RF))rG^VEvg52|8Xerxqu|pR3)dO(@BXp*%WAqkjua244HDv+79zL;J$Q7meJId zS_9uL{FfB+HC7jexTO2i9hZ)`vc@X&RH43V=n70oXdYXgJy_3fm?+J-Wr)L6R2@An z)=z(lLB=PLDAB6t3yp^91UBOtE~iPbp+Y5{u4AdZp=!(=w^ap4k$->i!rdsmFyT%o z_AVe;m1NjC8nMefWC_x2BN%_PEV;(I)$fX#M8qoAf|_*lOKIG-4qku8 z<%0>sd4-7Wp%sF*=V^jF| zj&q!J%c&%pU?57F&0evc^_#T6$Yv=7LV_hNY$~3}Iid?nyH{*9IYJV?=l@XuV$XbA za-WqlA3wE0fzPm5Q&#qk7lI5#&X50fN^9ihmpr*gb?w&S35nCZPbFf+YUw7PZ@Vn! z*GpwX$!AEBtfXRbquKgRJ6Wx}gcdVx>0L#EMrb-s%Ch}81}wUw$);Q&T}GjhkZNK9 zY_Ed}1+P&3`5SW9sJAs_q}gAK|Huhw`M1Q+cjmX5$>W}$w686;?Pxa8>uZb6SNuU@ z__J7G;?;ijYm0sT+G24F6@yAF!`^s-PWQI<_8X}=4`{0akyTTe688-JrzZ%h{D$Gh zshw{a2fyzARRdhF1@X3qZ9NW4(A^#Gk}LJ<36GwDTP*(&DQn8M-6rIph_>5w_(3Ji zx7nFh%5BDg$9??PeZsY)aaoR!BV)$R@K1}b$S7LSKOg(txxR^97T(G1XI-zRb3)mx z*FR7mo+HY>ODo5EE;ER07%e=8ht`PQx6_BcEmvzdM-7;~f|R}nwZ2JrcYz!=z)|aL zV+NhGwoQU*%S8HG@4Fc%f{jD0wOsv2CFkemK}UhDKU4PS*93RtOKy72@XYp+9#~g~ zUAtZG@1&tEPe%u(zL7n*^H=hjUV2Lxj812rJc*Q5KD!rea@~KvFb}%ES9nt`@|$;? 
zq|ZE0&ma=e9AW!G{!KT}il<%6yDz{!o zIq)8l*R9b0vhnkyDL`?N)7AX3>%L`rKl6~W}TEvelh=jtgh{;6FQ!fwp;ana*fpmE{A+EB@w|((pREY3IF=K+Ff;M3#_Ho zaN9SWs}1x3R`bspcpc9hT)mNb5mW59ZRZmQh`e1HIKP>=U<&(s6x)o55? zU!breM6TQMQ6O#6jHG-kUBdRU;XU>t{1Z@Bn*(y*JH3vL7*gV$(#Bc=EDoK562V}& z<8x06!^i)MA>e@#Y*`|aGkrM}#R-dMufBbDGG%5$lBZl+sOvd+%W))>`xc_LkQid; zv~_dSvC?e@5+*p`&?61qP-BMHgQk`0L?fbw7!XLP$11F%U1^dN@*)nfpma!fmru8U zi_9j(+c%HpaNrzC`6ZPj(>IX0{yzYfKx)6nS%zj!FG{H0n5%P=K`J#V4WYd{XbrVq z)y(9C5^BVdBbM1DBYJR^62v}`7OYk@uAnKn-JvwSOl#Q@E;$oSXVl|Q-wb}KPq~e!>T0(AqKL1H)u~xM@P3@RIUSQ3@98VBLNVucsSV{A8 z#*D{#p~->$Qrh)Gp-`LV@dibDxSVxaAqRM#jzTWQ5j5p$WjtLIjz9GvD>RWLnR5 zx|mQKG^E@xHQ~FS1lHYAJCWvdiD50nY93IMt5T2>AfkZ{;;<=$gHcJGfSMBZu#r{f z$gYOVQa?9}6(Oi6*&>#f3RSU1B_hAC77~D%fc$D!rTb!TdY6i;(R_jLRXQ&?4edBZ=osBvqccPQtSxO2UT%Q)vNabL3iMl4o^9=E63lCW!K+^Z(6L|C#gO zI(&8F&iKzq{)2q={AaP2oB#G7X>t1hWHUw`iE~DWC;=%<#qDtt8@EwSP^@lJ@Cg?N z18z`adU4w@IRPn30`8<3(kf>Ql#TaDhsD#3O$!`N0&Xv_g@QpbS(LW|hbs)nsUk-O zHk0u)Mpw0+fsHT)ajfSxqvTk1vD>cK2R%|w%42U_0McCOdu&j(QjVD^^izqV6LsoQ zt=#j&Fe>GExWp%%qS|sDIW;hntwy^OC1|~y>2ke>Uj>>if9SRAx|WT=iRBZXEb&za zq%t5>RMJ&n$?8QIi%2F8N*y%EH*x{m4c#1sXFZD|RRGH=S&xmJ(R3Xal3cxC>6KIz zE{!uRMCp;5jPi04;gN}&bP38xlU+;dv=KU6NLG41H~~yJh#y6GHFAUh?epLMw*F_a z&VOqQiE^uKX~SGNg7i2p4uz^WWH4Vz69A^>(3D=UPSO@Wy`cQqk|!bA7?EHe>+@x# zV|Be6F4xYA} zOZEE#ghtal6fieOr=(H84YOs78`@b!ssIVa^a<4s&^{biNnUU&BMu2-qRWq|Nbh&M zEU$L*IYBdP^>9GwtV5V#5<<iSNO z?6|omooZ-yU6*4fBS28M8fzXIxf0vefoY_L^m4CBcwMzl6@oG?G$LpmONju}T1cwe zNlq_{7zJx=KHn}PLrNU;QVPt>oc}h%JTuHQ!#p$0Gs8UpAp;?C{NL_BI5y)y|E2-W zS@J1p&ew1MtN%Rp>gxS3f&Wl63}F~TL!ZHa@W1mP>fi4_Gz3v322&W0d>;QfbKe)l zJKtpvTq}R*DbKID)!gUbSrOm1e)S8JT>s2Uz*i3}&e~+(HK~^lC?5a(;8pB8@)~S* zbY896J$ilR?lYD~_j`KtE9V{JT0fZ;?Dv~>zgIqRwJY^*a?i<@owr^2PlxAv?M8}U z|1V3f|NddS{blXn+>fU-qrX&VFMDc8_!RywU-m`p#;P92z{oto$|f z))h~L?+ET*V(?D2y5`ru^-kxTxgYKP&~K0a3-R=|^Yg#kHR+8{SmpJf5bMv*pTGXB zXv<62S^v=$sb=%}Z~b)7>+f~<{f+g;9zVP2_P6Ihcro~dfBLUag06YH`{tX;f2Uz@@O&M+-hlfjT>| z*B<`H!`4#tU5zE&J9d#)SYy+TzxJ%-MBoF@WzN~Qa`VAk-m&ej$2?rW@vbM9U+=6P 
zS6TLi4bD8W^UStS?Vft>CE>}_f4%OCkKNYDH?wa(C45JFZwKZlYaA~wxyqZ?V=uk; z+#LG(N1lCZhnwDNZa&*OzxJK%)8}n>+mnBJHmw&;`&c%aq55S4O(f| znpqQd5W}vFhCl_0uu|R*YqqE6oTwkS`?a8x7*%aB(+8t`i>No*j$z|oS<1jAIZmSlH?qCn9BTU3hI^TjL@tNkwRvH6KmFJ+u`tVg=ui@HpnF8WxzDrh#2=U)6{1AJ;HFu=SSuKKtJ;xW z88vf73N>3b6LL#H9v#4+^ZYj|rn3qJw@`!iY&WJytxCVxp<}l%YdwO3iBwb>f?n9s zC@RpHfVJeNit=F?wdkY@w1i0_-K8zgt(N6phRtQzw2;DK1sjwc*Q!g+a*8%-nW-C{ zJWGxRtC8(MEw&c1lTI?=fT1%iPbjq#AyfuZinVb`5&FrXm=z$Q<;9s-}^sXFAiTp_!xfvdp>a^rh+) zO`92!q$R>(A~YLrFEvq!08oNKKixn;xSvO%e2p@iaG1$AL!(w#=$s`mQfrj;Yl6W_ z{YglR0y`;}3jGQPRpPwF4uDE25=#-mdk)h?Js1K5LZND(=lr)6wCKz)fABXUHbw`X zXvTj&@*ni8=Rb?J-2Byl7OVe{Qyj9@e4iN+fG_mwSW7o+Ior&N)v8f)!EMtzn zT5=Evy0<7`V#&uD$&Gq;&^6P&zCw1WVJ+P%;6Sf9s2PD2@pS?!WfVvp_uXzj-<7)) zs?r_xQJ)zOIg={#RITO@(@h}>2AvRdQ&_Cl%{q{-)TqLQjm%7aoHLbbt|%lm-w0VA z6N@FVDN?Xi%u{3?GOC)Gaw=5MBe<{}Ocy(;Ci{S(3tDNEku(|lFaHr2t=*q?{@cf9 zC-4!`bl6ru>PJZkYZM_Z%Y%9{Csm?|O*GY1*laK<{2w7|4Yq_Iw1@+ZxSE)`R9j+dB0S}FINTs}|dh{+(~I-~*c zrd6VGkL|iys1gXn}Zln_E4Fkp2{bTxNX%W?@2EUQ?u++^Mr#8<>3v;5~0#hguaGCX2~z zYlx?U99uvVMGGr}qp24!NU1a^CZm2=wL~JKf~o9)5KvWMt3j}f%YGh`vU)Ye902= z*ngb=kRXDi5P=b?)YsrY_;->2V8qluCQ=CbP594ACqBLC#rxh*%sKoJW$F4WICagI zA8);Ilnpj^k2TS`onv*ANy#LIaez;t$Fp$$6oa6T6;A%TVW^X zwL6OZ5_^{(xbBwYmKhz?WX{Uh z++z<{^Un_F*B0ORm0K@4dfkV&+ISiCF6fRsjymc{Wv!!MKIawVuCuS+>#<;^^Q8@M z%byNiegU}ApP$=3H*fxhPw%wt)7#%XUTerp|EHRJ<|1o6Sjc?x$}^W- zx%oMF@3ix+%is5t7yj~Z~hOB-ZMu~ z#T~enw?1+QunmEStbNnL%8AVI*)wVzHIKjh@!I0^4!P#z^Y7S^Tl5d=qi>#m&3pL6 zWZU18d*FtX{LZsfVLbKf`qyuE?0!%G{O#YJwCPjH?N+)w1Cu{pSI(S$%AB>fx&wOZ$Pa!qydd|6T0Y}X!0OUAzZKux`K59W!<%RHjg~>bmOio_BmeJ^_XMkKJdqR%UxO;p0ND~M=RVu zzh5M=%41I)bM?XfKX10mN!I}LezaNR^iTGr&_5PuY}&oE@nhi8^~-B_T3a{1?EHV` z|Nq1NKj0Vpf2QYuemnNB@Sj9gh6mrb{-1WlyF4ngIZRaf$=ByUU#kDp`rh#$m6`}s z%M{r%DomOS%YSMM!+!{>t9y-ZFPEH3h_j*G1~Rp{k#&c5vYE+o)uGF0d?wHOlUBcm z4LzS^>3#}FYJw$}LtlYwuI@y+3N+@PX!?N3q zEI1Z?VuBEPwNV%+CX;4|VmMAIvrJ2)!itt1jeuwvjaw;YI1w^^T*yPcAgS;{b13%) zvXn*&gI;}N6!?KysW+Xdg&~OR=eWKdaK2Da=S+ZBVP+EYrH&~EH4l!+n%*_gNw*3z 
zY_IDihNNQ;f_gtGWdjIG+T%$);WA`g4^=6Z=#2r!91YBzB`VcgsCBZ|py)KZVh>dW z6-)Q29ycM(kCk6WqJ#y)P+MWClNizgv*%`FsS+Zc!Km2k;-&CwWu1K zA(!MuIFi)NDBZ)LyaA)B0SoDY&9jj<(i$q8at4~1XShNKP=aJeX{XU1jbv*Y*~^w) zXH;url?fxI$5^}7MUu6#!t^JyX6xzVSgLcnJ><)BsL&Lt0PUFUbTzd$^fe-=jnC#QmmTrLhQPymEf zmNx_1(YdIK5_w8w$rfKnARQ(hyo&QVs8;7#tlibdyuu|wFZRYoO~EV0DrQN^J`kkS zogUlIQr)!aj=hj+q|$9gX3VO~bEViCDZ$9X1%gIuBG)89&M0}#06__u=g8tf0`x*t zgDV`~wqzDJGlVABVQq}Yv=Ad&m2koUYW2&*o=iK1RLaXuB}aZg$)`qSA_S|=8j#Fm zeQsP)i#ZQtdiemSePiPInF%RY@>aukM+O|Ij>3d=>v0e%}9+S1GqQ6;XjKnltnT`@ABAdRG9OopgUHv`&hhyk}&m zLTpzVHe<}yVem`+H1O&7%8Cs$s8~6_O(M-CH{=ruq09!OvST3`D%;PETBC|q=f$Fv z@~A>KNJ)~ySH)zy1Wal{xl<}MlKMzVlO>l8>f_jKR_P#_uX=a|6*B5T)j0<>Fb0Bk zCRxGpLY^25(HzC~5`eD?jkX&n=@u!rr3pO{hEOUWx49^3;ZorCL5yq$M7uH3NQ-yk zVI8A$6+xzmw$!nQS%5B#QtTjwW=ga>2KC4ktOki8`DCS+%1i~|x@htyCqq%q4+gzt zZ>05AjmF2Lz5z|AD9Lf8U0Ek^dwfxbOAn(T461N1~t-1H?Q!ZM2wIk$b554@>)F#jW=CSZy>%}(? zJGMKITKrcBEVf<}`>lNiyZ4IoKRNG?yKddRItVssJK#+puYf!PZ)VK;9pY1m|8>Tk zr~bUmZO9TcPJ8b9tFB$-r4%E5$*l~yDsdukBeX&Pxoq6dDOg{4kf4_aV+~hCk-c);a-j4rP{&UyC+|rjXGYhSr zN?dd3?^eT>@Q(lBvdJcQ*|X+-Vh-HYpb%H+MT9e2L9nlfDD zf#T-rQn^;55UmfQH+ zThG4uJ$$R|yDzFYEb_of*~akNUs^v|qVxPp{hxci#oiq4{l^U{^uar~xw-h1%RKP* zA{U;v=$77f7oPsW3<6m+e(0Inp8$ z=2N@;@s6_=|9Hv6AA7(0W#|7h|NkHE|G~aw{@b+v&$nX#0{>~|3fY17{o_9(+n&lx z+t5^A`cDP9|Hgm5RR8CD$bY!0WpbdX=B5(f+QRam=EBT>Yh^VuQR!t9l2Yl1CZ+;r zz?+&^=ZKiEchqq|Iq*tRJvKZiQ+F{u-}b>=9Sl^Qw{muwt7RLskt!-0Ra8a(;7pY2uwJ9+Xm&mi$|X;OC}J#1;~}2b8hEo>g+a5==P26- zf@-S;Y9V7yIvI#*Xd{l3x>zhiT_*!K(~uA`g+`sv2>F~1WjF;(atS-GDkZX+qsGNP z5Dc8`H{(Ba0dHi`xY5qJPNq)7AH{! zp;MRIM9ygfG!LaH(C+$XzmRBHuq;*iI*BTT!X-z34_C&$vZE$??X(HeVm}-Xy(FEG zt7^q+yD8QMYDFJMv2xLI%|XB3Q0si9N?T|R?AAx+sZT0zP_16aNJriPMCGv?jM#o! 
z3Mw@&6DqJ50~yvF3+4zXd!vyx@YSk@_T(D+P3nrN1vUSm@eeLGBfup76)yIFS6%UY z%YPOo-29FIER6n-pf_tFgi1a(21-ymtd<9=lPRVguR?H=fEi5}LEt`=5Eve2ATUhm zWQ8xI&74uJS~;&4qNG$C;cUel0rg~|q>9y1x|xp+w>ypnYEbC6Dil`3dvWZwy*#0o zJc8)Z5hIEe5+xW}Rx_B1#ZE030YkN9cB*4GER>nu<+W8kAXBhniGD8?@*^ zQqj=KM|CbPj0wl5>4fWRhHR4o(7~D_1X^|#vl^c16Oh-zI~`If^aZj!v>c}8F%Y7r z#VD_|;fP6y=+NwB3sO5Qc3QRuAZ(ov^qw$`gGL`yDimAiazQ61F;s?!eN#1ku9A_h zL=sV>Oh|QVRzXc8&?qYxc)g|ppgF3vbH%LI;6CsF33&$mD*n^>oc}D?a6OrbfG^H_ zlfTj*Q)wtsm(3zl6&U3rQYfd!F=~Z}rB)ay&E@E8SK( z=WuMQV+~3K?&S4iAFgYaprdzc=#T;6L|luhd@nB~Z4XrjIWNN{o0BF8OJ${F5qaFs zC&3n0mWmbH&YBjJDTZim9MnpAv0AJEOc289?4StO&9T!%t9*w{B0^D8po3S3aw28nOf|8wQBXFhrCYX_XR z!p6z{_qh7f)<+w+=ZsE%cd?_+`f+py2kpEbw9%5cU2szOQDL!dA3fpc2R&HYyt(1) zk2@?-&yI#BQKDiT+UnMz-NBnzjyK79;*1qp1wuFd~%H^k34amT^g4? zyX)(hEdAtT2j8&i+uQH>@}4tZ*!HHMSGW1mhdS`oW!Z=J+Ww?7uYLE;KRkZ_k}n

mTfO*WT;=gtcz(thj9Vr!URD_~tG5IDCT}thuiaK3>_uw|cOA zyz$nv#r|snr)*16qDo^K%$kSI z+TMK7+~n?!Z{nQOAK2~1`S#5>-e>%@b5>)`BYu$G=88klzI>l`t3R8$-cm~}@`<^L z?aV&n?GMZAZ`?!PlW)58^oyP;o%6=;`mb+2cjw#o{ncyd?7Q(}zrS&*{eev{*m{k` zjd|j;GtF}T*5cOBOu$<^&+e(*f7x5(!gPYbYS-*7j(*<;@GD1*hQqeA9{c(;XYPqqXa7toVExzEG`HC4k+sc5-@kUJ zPpZ9lZeR7w&i`lr|3A!s&@Y+)Hr@a8t=PZ9e`JO&eDCJJwa5IV42rBhl>nCGug!nN zFV+9?zK8q=64>@s0?bY2>g|Q)KlZ}(|Csf1gApOIMOMtD?fN=U?B8Vw{Lji$1=k`5<~VhnJ;*Xhf?k**tL z$_W^b3w=h=g-)YF*IJomnpURLX|mHDNQPsj<7AT2ZF}5Eur17v4IYq3lJU*>PgaWS za(d!7nhh7J5=0M6sxrr6I97Ga)v`*YM2T+_grl&WJECUQ4BLfEu<4 zyovggzQxrs#;@C9Q1(j2Xc)BZc8{a&Ch837iY4(G)2*jsj+m5eQ5jC1pBl!d0U44T zO^FZ#0jB!C#G`}Cf&#Bt^}14Abd412A|7AW%K4g6i3)IS083eO*vz;Ij3pfykcmlD zjT>O4L8dUhEo7=_hG^uzNxczYQ1cJOe{iuvj&tL$aIycp>W!cBAME?be-Ud`>9ZF5vSiQ)FsF5SnV;NC*_IsLEtwqKPoX{I<9Nnf+L_<`%E5kyf?4~PBjsZkBn`;=B9hJ(T^PeHl^uCJ!RR5d*u$0)7qtEnz1d3Xq|6_lu z|MOMsC+9^ZF~Kk_$$My4k~D-i>ZA*F#d6DFGeS6YuyU5Ib~^fk-x_crgj6B}dQ897 znUo2>fEM$JLw9R>#Vadxz8McE9ahf*vP6zscxWfmiAq!H!o3^_#W8G9gDlRZ+isoA z#)DoeN>Mgebh80x@HxDrYP1GB#as!ZMNUhFVGNOBp*FSVT{N$f7YcJxL8q zEd+1qo{}b29&F_7v{UKJM864A**;DI5$lgdN^ZkBDuHK+A=^!s+tk3d!+tqE*2mSr zs7l#7+NzR;ZVIpKj#rNO6vxDxmze}KP{D>7zm+ZH)R-rm)#OrxJ^^fQfqrqRzd`uX2sa0(;8ll*7; z`tNVWzQ}(%M=ZMPf1dxq5H|HUMW&Fi!GFkqFICbpi5BLwNn|oXDa##^LqO#TY*Fq~^`+|RCXVZN>{rO*BzVTXlR?_x3pQ;*$>% zIx|l>VT-q(7(8?PMZk4c+)Th*oW1s{%dGy%QiW9xpMUh#E1X>t&P%Nc(^u!_9I?fs?}E>sy4AxwANbJ@i#>BDh4c6C zbkzFCRm1)A7yaevA6$O*D!*Q#d(L$mJb&rGmH%wb-SeX}KG^NfmFKkYSe==n&YF37 z0*?0m(I(qHk-Yx$SD)A^MJ}D#brtT4JLk??wRhC~ANWUJFmvV|t6X;UVn5#Yj74vK zJI*~>Z5+DA3zu$CIn#OTqn|x^(^>Z2GgsSq$2a4_|Lax3kDuI@P}RGZ`{2Z@cRg$F9dBRt%>1kFt*!I?Is4xKXr4f|U3b}q zxNy60%Tq6U?%>`-j?-b_b*MdW!}ojt)Q9FCKmXK4TDw14dHV51?=>^~pK{v)Z_N## zJN=YnXSdgT;o?Ky+2f}5PFV5kPpr$fxcI^4c3=l?VR{~waBQWgwQ^0b z)#-;~!yaQLw-}~UOhN60=_)hyVjV2YZZ;(Kh*J!AP-2Ud2xEhu186Ebwd{5`z(!fh zOLuyl<0gfUEO4>X@kpH4D>)Z*c&U-gD;XkClVc?xF6pER7RocSuvEspMSo8ctsIChfjSHL{A`%C_A?QO>0`qn4%sRL)fR zz{u5e>7L`tgJHAIMyW)QZl&yE8!xw{h=OdYqX{KGZNU;L=wqq9V1k^aS9(MiFqsJ^ 
zO+t#86iWjsm&!SH(^iL7KMlp1ypIIKs8kHAPEZ*`U_nVMslXo$D;14S@CrO6fFW#E z6H#Ym)LPwo3hm^5EzE>iLkl?vr^=azNq0JCMl7)@*o~v1%?`)BRPRms517fyRlw0m zqB!tXvzBg)j-FT8PB~pQ9St5?34Ll;Ktd20)pow+HMu?vchVd)=SY(*H+iRu2I?=$~dm~itq{l!sGH$#p>2RW`RGoD285*G&$6e^^hkmYzJDOrP_k(AVQ+OCY#7=^^{$V=rpVWcEMqmVC7CT=CiShkacx_+YD9{0W0 zfH$gegxe6%sr8&1ULN+73&PAej!NQKvcnERih4s06FOUfG_)cYO1Ra<$MVE*7<_<_ z#+g72n@j)@kj-~lrtTX#87!hDcR~z0BU@DIj9+lZhUqBdd>LtAZP4>^#kP{jKoFUF z&oI(fdn(ilAY4gDsPA-ou$`B+Nl)pjDK*zpv_h68gnYoUh@EG-B#O~xs+%#2ZEsi< zymq^ZHLD>&`ZeFFD|WH`x&DtJ@Z9jL_z(Iy|C!pAVXp*!k^e00Jh(5fT4puNu!6BH zNemb!1=(_1y=F_!j8Mkr?KtBWv;905l`3TuXmdUT$qa1bo;VsBW}{UPJ+}=}gExaK}QTGt!y;48~Vavi121O_6)uQ zSI`_}4eO*;a_NFpWL@4S@?E9b7joqRZgjJ4z)MD%q*t(1I}~eaUdIRHPLhIzbd8k< zRd4EdQv{|nQrXr^ASs%l-78aiR`;dms6DEsvOwG%ba=5Au!WkJ527d}Qmo*Q(L#W+ z(x4V~JY6lf;i#`Nq>6@a599GkK2DJ|$!9dZ2sj{ZM^+403yEeHE@j0c=amA1&C_V9 zhc(SclBQGrY!(?#&x4zWMbofo8Wv5%qG?$4ztiB<|8x1Df6jjp>Td-zq+VF_gr}Pg{AA)F#ln;5wh-lhwbR|NOoD4~(K< z>I?Yi=imDBQzQz*5Qt-&{8Pqr#zFT~?l!mXa_`-Jw|-iwIsb>3t^Qm4rtSlCkq1BA z_neFOdFr8M*Z<3YFP7FaPh0)N-RE{66dvAW&K)o7hj#C~cfE7g-Sy(-$B*B8=sjya zvf--k^75K`r17QOWcGS6%_ z>&R^m+MD_4a_1ML10O5g@#;|7^bLI0ZJVsQ>}=*pddrhPI_hk0hr{04__nndpS8t< zXWo_k=!}`?W?$R``BTQ7wbDixUa`jQo9|ZIcTerIk@EC9H$VT!S9ZB=g$*Y6t$*%k zjAuJ=oBzRhHvf$AYy@tw*Ls0D47TVtI%c!i9R_~G=?23sbTgRR4uLoP6s3I$@S&Jw zwC|nQZS?Fm^-b{j&gxE&J+#?@FMoXFj=%cNOK$+nfbK8XKj6{}mSx{~#5v(!@VsL; zdH%&-R$sHKWrw5PX_mF2!_Ufo1cOI_2v0{?X`04q1pG(+wHQO?wUDs=_mj4 z{wm9@y7gPXI`~)TKEV#JPriE&xBPDOHLt#O)20X1&;E;f$l|Zu_`+%z?taKq{Qm6+ zmfyHOkDT|>6L;)=*>=&7_Bn|T4tw;Z%kRB&(|yWsJ^S8!^Zt|>elkd&JmZYHcbHEc ze$R=Qud)0Fw;hJ}NI0|kug`OrUiG=RmpkU*^w&85pZfp*xA^C4=>Onf;6ETf?f<_G z`)5gRyx`(=|L-qO4>E%ZfyrORf7tJ2k}Ie(Ca^prvTcZWsRfCh&eQGB6T8w^@E>?; z1!$F3Ib!NtOsM>4tE#D#r>Ow1@DcYJ5X!Ms zpRHBK{RL!2?|3a<$weIX>2q0@@^~HLZ3Rw)Q-8;4mMSfHA%LcOJOg5$k*Nr!3GP z!;GZR1{w4RiUZ_C$PY<@(4uT#iStNzEP=<6^#? 
zauTRj=%;xmJFWl|(GCcEG;nQffaRyoiQ|K{EM7wEG!==VgYir_Li@coi+ZhbIWIRU zoR(F*VA-mN5)hy_M7BZ?;&Q1SWzza!05R1*qPt#>G8J3k`ivlCB`cAhNO+1)vJDy% z{RS4ANFkwj9R~=asV_~Y=-zm0L#dSXS@H4HB$lI9id|5g{GTNUCi<-8F!g^jAc|I> zADdxQt|lcWb}YQ@wUyY`dTe$W;q6*s#3w2#P)=i%pbv0Q8f0b6V2ZgiRIV~ZK-b|O zlXgX$$SGxOgqu{t0LKcK6?=uqDquuj3u7`E@@Q9gi|GKgnm%6=Y?mN~Fqg>z!}Op* zN6fh940K&V9KXj)z7i-*)6q!a$vhO?p-z)?!cr@URKD zdJY5C3PGooEf+I=zC6&oQ30!=g`%2ESgCx)wwmQ2Z{|?e>6FW1H8Uhiy-7pY20)M1 z?IF?dBY&J#YgG-)wR>ZxQJ?g2eiYQE_DVlp$)&1TD?le{xuDsC(J*C`Ov&X@TQ2~K zAyyCN4u;bcLhI&gy2>ZM0sEmBxYtqQAKYut@ml%m-k(qFg#t?>eVMER5 z><3;bH(Sy8%tRmdYa{~<8V=P>eA|48HL#|MU6uFj72`-jt z(uFJ@kUW~k2T_mh^8klw=}f7_PWeJeG8EtHxK$!o9~Jy))UqmIK0(NkjL|Au9o7d- z+-d5dkg$4UzC!VXfdfPXh8`ulP+R^lHw(5SW%3nnmi=^V8(CWpcxGg?EL8wnkqs_D zKgq<@O=0Rgrv_Pum8b5oNp$L#r(lMGHMCZNB0WwgIz|*|s%BG=fHXn8^cVQ?J(&3hD$n4a-7=!-!CD+7aZ8 zoH1W-w1-(N=&>CHZdiOu2V<+|!YtQtX(H=cZ5t3;6PfH5^R!k((LSOkXsT`vyLBC- zyK_P!KNm(#tjfw7zFyxRFIC=c&)!E3*N^q%7C)jJ;`*~|7@>iypw$G>&rQ>CT1e8=5w4dj@UuX|;# zcheppA57o(gY{a@?#hHx17Dk ztKrV;t#tDX`@MCu@aBQaRhPc$zWLhBSJ&C*hY+*#M#rzU^5Od~Hur=VUi|T;r>`=1 zQrvw1{g1DIApTqXf0oyOcf*P1ZFPC}e&_D{_~WNtxXWJX?emUba=T+*jov=meNYZI zrid%VSJxaCe=ukLJ6^eLrEQk@A^ZLX=lx~zl@9yx-Q`YPbDQNhUHvIonfV^InAX4e zgiGJ(#6Ky{++mO3VbEWHd*EYl&%6DQ^C7-^2hYQOOAn&Qq-7$a1Kh6GdOZukQZ+zmtL)U4(PTY9?K6|eE)b%@8?|FNf zIln#()XxR>yzt>$kBpCeW6Mo@@80^ZdtGvy)zk5Er@y_|U*vmFTw;mI6$gFU`TxxS z|A*(lrM{&92b}i*--i7w{XZ7kz=W?zc)z>-Ke51;F_EpsyxYXSX8#Wi@Lx9n?R(k( z1M?~m32ZGAS$QG*e_U!|`hUDCOANE9QsewModm}aK&lCuBNIlYObRfaOG!vME>6%v zs+T9UzHQWmLP^bZ+zRalbtOdYu~XwSDBgE_$$%)1fMC*2Ktl-;79+e=Qts3KeF`7j3sMLlmvJ`2=0DIjTrL2&9OKvZ&lJWy~P(Phd_ zR(KAQk>>E5Tt}W*p#L)}{DX@%JQy5I*A)M&|A&jdfBioT6>k2TWF-)kjAu20q#A{$9ny}*FkumZ#0 z1OTg4(a6y7une~o-9)}$>lXQPqSEvmIb6c(!Z1CRcFFZr4i3hi)h~}(t(j+1Ras%- zp6dgnT9WG}ayT0?BpS)QG)(1^ai`Uta_Mb2ugFxZoe)@UBIZm#qKmvG3ToJD>m8-# z^>qno(wRzJG81}KH{o8EaikR3#qvnj?w0I?W@)L+u!WS>Tq#0{ahNSh6@t`A1u*a2YP>C!;7^X5x^j#FzSi&#oh=|gVYz9hKqfBU%%y_KwR7Ez8gyD5Ydedu} 
z^$`cSrMlH4n^_I~Z~dRt)OP-={-4h0{Xf|WW%QKcm&|`#7(Jj2IP`i0c9c<= zMk^{+bLqht(}{Xo1Us@m;%a?W@%@RHnGBdxqo>MoCMMFRsWdx$!qFhWiGz$RgejC1 z8)3GtR&#aRw>Y?Og>=8s(FhbBRWQ;_G?m_v1v$yK+HQlec+ROMx)mLu>Zux4&r@9A zHgS0^(of=SR2fbN6YR zb@W9yqV~Vk*m0$2mQ*&(Z2rRRpIx20xwg}Fe`>t2#$MrG)fawo)YDK0-}?O}?w@fc zuxRi8IOpg;U3CBM;qyoQ^q}RhcwoyV_kRdG?zr`r*mB2J zwog`154QWa@}G_HOY8S+JpT_r5x1<{r~dBp^TJz;=M^7b1-oaZ-Jf3h$m{nae(}Qj z8$EfMbk?s{8*z91_=iWAp`~~F$r3BR|HEHaPgR#}H_kXycs3Pmdg+pww%ujBZ>T=D z+PbH%z3iObU)uN=?sEssf9vj3GyL&S?RyCK=bJxSX{*J4_j2|9(@#I@nBVSZ3}0Sj zFkHU=@L_)f*MENA^NXMV1FpS=u=2W>5>NkVC+W#Q7(YAZJm}naFZk<2AMbg{?R&g- z=xf6u%V)o3nj7|3c%vKaOX$a=S0(Zg|5I^S0h%v+GW|guQ2< z89V15U1P`YiQ3EWAN1s*CoH|*IoDGk&Ai~Q$DXMD)!*&Dd(S-KhLg8`^~=uxXa4^? zsQ&{^`~Ppl{uTb?kv__Q;X>u_JpU0@3Y*GXBayWig8%&gGXIUATIPSXF{ukX|IPjS ziSAUMTUG2)I5NmyNzAqCK{W@|UDs3Fg~^D43%Qsks&RrSxi$zYsYJCq;p_niOGTL; zHSlCZL#=k)QiB?dr$mHJ5@ijTM3VxYauBu+Ych*yc!GCXr#-0DyR@NYz)Hew=!Vx$ zriG?P)FVf9;!KGqt#+Z2$3g_q^C{5CaJC0d25$FSOp`7fa!$1}jH6mUt@U)T0Xb~X z%oDW8HnO8}6lm4N#0emW3d=y2vKVM8KLf{O3^NO031sWN0UZccfo>zd zp{C#g!89z#hmne%^6-q3>6tJOVpN#-fQcz}!{KO>mf(EdLTgaEfxBQciOG7T87hKV z1}07Lgw)U{{xIKf;37U@@T}!Da*e{60|qs&6i5w!_;Nr!?<-6CEyOKe&qIzgk#TR?Bn8x$n1*ud4Qhonhf0>=gf4X`!@NhxjY z)FMVqm6KM*BqiA_7y7+nFp=VJj~r8Jb^^q;bWRc**(f?EyNHF8dbD_xJI9l`h2Grp*Q~V&! 
z4;7Q=ia%K-GihIf74)Uby{cQv30b+XpP_uju!dtK1#!{8ko_xrAo+=S1$VjV&B$cE zma{UWXPPl^s6cJ;Uq70p3EEKOaQkv38cXp|U|H@wXI_-JNn_t(k~Ea9ly32mlGXf} zR3?@xN#{lcg`MHKANTNXUoUiCAj+9rbB(&EmR|xTZ zU&gD`-P;r9C4KgC`3yHGQJQ8uO%vyzFSQ_ekS)lzdb5BjaeU?-{XD1v`_evs`ar+I zAK?E-z*azwA*6`$M)2vV&2UQ`khwOF7J%`emfCdzuVKLFzn{jsyma~*7Oi-fb*6s# z-d)>|LP(s_>b5w!&A$EDXJM?wxBk$|1K4moe3?EV&*}Qa=h?q)-?6X7n**dherWL} zX}N2!+48=%1fNRPFtB5Kf9&WyroW*puvTn+pgn=iE9~1x&h9!_-{0<99JYjNxB>A4 zQ6I`*eASMU)Bp{lhtX-Fo6U)&kFZ(8r+;4u1>#;W1oI< zOrMmQ34`=I{G)3Ni*H=Q*(*nr2Cf?1cZJ`HbaoSVSZywWr}Zs@O}=lz_+ja7CStye zoB-e?y@DfU)yH8ctPdsleXKvt%-(N|+c$QiOs9P%K_-D%(0_w}$ZT~!4zWcWoMgO65Bi<6<+5};Y|sBz8v4Zjf{F^dZ8Lb9Hsv(f^VRAd+rS5k=`w@qp$yu<{;<9#ya4A^s9$5$cvJ%?QCsh>}un73ONorc%#!ESbu1D*5&b@HeBU2 z6YO&lqua4C3S6F4u1W~Y8Q;ptCUfnu;!J= zQodkmlNH^=T$E~Bvt2}3w$A3N_9nbor>FMFN8$}Ve6icL#ULlAyl0VDr+xj~Kl)*R zE=%wWsd*wIc`+^m6HafQlq`BOEVOgf3a+^aO1WFaD&M#B8HLu2&wH zET!&C97@sO<0l&aNc?mVvBF&$J?6vor_hJ%u2#Uq>_m!dWe zY-|a?S+egojFjmE*z`|gZ4f5~U-WStcE#t4cTZThcvAmFUR(DDm$k?u?YpCz=apEcpmGABKtb zHKq&I^|1Z=MkP<+NDg;nyK|NhnE9I#3A<8! 
zL}{37-GufHTAZky#aYU_O+~exT!iX0YQ{dA5U*@~sLUS}6E$E!OkPtwt2z*8h8fE~(h8_x^ z&sAO`VcER4J8tfSL4!WyCN9iZ8ThhO+RFil^l803BpO*qu-L}KZJi*x@Y5_2e`lXc z&f6Ww%1e&i9yS;bR|%cT+9c6^;v0=|8Jl*BcfBT|VHZqCE^+-5oQ?6%AHpp5-1;MV z<|xhwYrl=#t0R_dR7Ie5k&EfN_|-)mu!>4jriJ4NU~_5vWxYnoqNyy0%tDSQkS4=cT{@XiGt+wssDFoV^MHrU4-SS3y-B%YI3VzC}zSGJ>X`RP9Wf zR!?t+iuM{qj>>0Axk!KQdVdWub!3jJYS~D>#GQJpyZ05@iuU(o(U`3ZMIqBuC6h(L zPf$XNQN0bSu3{yIyAC;e3ouzCGqdy$2bZgI#&?g?PFYyw4u`x`Uu|+9RZnmERL9ay`|iE?dvseRN7Pn4Y1PN9(pzoRaNc4g zF0!%rFU*RUOmSZ0Sr5r!)uxyChy1u|@{`&3xo9>EP5#|foY;|G+y+rZksQFEwfUl| z-!CpEV1z?j_Kn?ibtXZG*pkH1VGd0MNZk6J_STYY4sWR>M@}^do{i18YnRGs z+He*LXY&7-j~rXLm^=d+aIeKJz(D-15ZvjPllXr6L7ArQ=`D{jB&hJgd7twR`$F)n zfYGm9<_goxVlV)R@v-i*nD$lK@(!)S1r~SrpLcw6o!swZi8*OSSKGYX-bb6HshRH& zbvo7FC%H!oDa{q>phyXQ!PgU&Kyv?}YS%4?x}zywv*7hZ#^wuR2mO;-H~+^ag1yrS zUcUAr@l87-1IL#)0JqPhh>uyeBCOAG#b)hZ|MYj~lSc=T=L7w8>-pqjjo?!up+B%6zeT^L=3!}V?Lk2dmdgT|=wyTN>#r!5-`CJgh4UcR+1YX1??^Aqh4BI~_04DcZmZ(rwIBm@Z?y+5cm}gqf;n73>#1`fY_Qbw zYu7BNJs5RhXfTd7`6LzH*B=}%I0=y6<^z}YR7!o_xK}O#8>oVfa0dbH5d1Uq;>32x z2T|-wBDveNP2!vS+WoH&-h5OXY2wGM9Aoj+R2icd!Bz&pC@wyYd6SJ~y|nCpD7khM z;?9Rqw~+jb>#Nps3{Vdl8+ahoI&zf1@TN+k%eT)_3MEiqP*b=x5>Krp|0|xT5~@o< ze(ajvFN%gXFI+Ov8EzcHS|YivRE4Yx^d*qF-iF;6`{J7De3=b*lvxq~)2HM6H4^L&Gxcpca=+*B zeN}6L3YMXow+WsyAA!OUrlQezwwdqQI9;=3iw2=`w1d zTWk`Bzl?QBBE#EnJ%LPOcMm$@onU*9*rLZ;3ucLxzwTXO7B{KNM{XIxW5de$sz~+P^|jxeli4!CHODn3@Km60uSAM5oH3#k(d47 z#x$-$=pZ_aAGC_?7ugmNj%A7c;pVsssQk#x8Gf0^M}4k>7i_QT#EIl`uy6A%vN;U9 zXO&3#oxjD%c9ES2MfaO2z9gOebsn6WN&F^Ss@pbu)f{$%%OmkVe+n!rq!^ieo*o8a z`rW--#204(-xNCGKq?47*{4VPg?eFWlGp;gq4G`;Hrpw0KaBFk3^j>|zD}JrnS6qs z7R#EHvb6=tQ5CwuPYr+d-}zITUDc4^Q3D}z=IB_~lu9)fDuz;x&WX6fz~>wROvMxugGd4!>wucdItE}@y?r>B*VhOyIF;+ZlP}71}~ohKl(vAVr5|UAl+YT>6+?z z3o5-m$4g3u#FV7*4=kSf$8hxBX_@lM*rlXoHslpJ9x!R;x+4MdT(Wp3Y_dYX8c0nW z&C|jt%=6F+Vd#t0DNS08A`y0xM3Z1_Je6Vy`^70`t)tV~MLXT+nh8x5pX$5e*a%NL zHBY}*9f~$kcVIZC{ZU_(geNm*UaneEr_OLtV;)u&p~8&dr>>#B$UGgJ4T8^O=~2Ni z&KNsVVKGxVWg2;Wi|Xg}6>0e1wJ>QZaNKATMsYtgwaTWkfV`UH85UWg$a{qP+gpSN 
zMWi~0G>FG`e^^-#zQd|0aDK>e6A z@vuDTo9R53{2#q~u01~1Dc1ih^B@@!N4gic`<%2p;_l2xc(9jgv|NnfzRf?uG+B%x zR=lK_Z=l3?O0Ws!SUD{CJoL|Fd%A1tSOe##!D1yj}ZLO;ioqs^kZ`Z+lG(I{&N3oo@RV zc!ZLkN_ZAY{91*4c<%ZU2n*A)<-KrH!O%5NfBk&;;?q6JX3d+}5SMibbf4#r-X^*Y zq033;%TLm}nZtJXwP>8RzpH>1n!a$^X1TJG*hpQ^|5%psfYjmr4w%J^BqlKcl^~A; zK$osSfZu{rF<>ajj}e z>D%EJ1pF#{)w7tBMd!79N?WYJcRX^?ys;bpx&|vSXjWJRa2cX@Ag=3es?ZJI?0TA? zMSkVMe#5bSyO@H==6@PYT{rH$TP5^;OWG${H}F0Xa;ZSQXdZ0m%<8=8owHWRtexL& zA=Clw1e!I`G8i;>9vUmyvA?e?ymD?&Y@RTPYv&7|D=SlyHm!U~P zQ!(t5JNs6c>dkflCGvCr-54Z7IZ?b_Eh$pIPAf^H-ovCX1Vvm?gtjS1HkSC?NUb`X zO*z=fErI=-fjQ{A`b~p+Uf>sczPvxkkQC$2lfCfuRVDwF(a3MY4}@P%zVAc&6_(}x zoKu@5mVmAyJt)@d;VwqT`T3m+Ht*j-Loh{t;GlFoDRybiJh|9FR#{otuu|jswyhA_N#ZzmEG*YY5h!}y-I~hX zZy$nkY$?!KYDvpR#+6ITUc$k`< zBe9j6X2`==>@{k?aY}`eWO%^!z)7kcU(3N<8RxF!&;+cR^^M`Kg71vvx34}#!X}mR z%Xsz#w@txXNhgPbAE7!)cYrY*C=?j6*an+lCI48B`sgSI(|QFEu((48GlJ)v7?=*-*qf zuAn_2!)>`zy)c`Ag-qc4w9>-jknyy_Qjalu=^g%0v+E}1{wobjqATe}n0j)HxteEu z&E$E*A!J>V6gk!rksm0FXO<+}Hc3NxDU4C{xw0h5t!FV5$}C}dT$HPd+Dyu z-$q09>U2f+e@}6YqR&?0EB%!;RA5ewNirSszYK4VC6ZDMCFl zby}@?6>Pe176lwpzex;P28AKVu(|(u2-kAJzZ!ch))AUx6`#%orC&=|kDowsJDN7D z5aA@5Q|>KSIb}{@TT;L;obpFKRaF<(nN3VJKk#WTl;Ca#_~@s7Lo(5z3*8Mvi_cvh z*!i{)Ad)A+=A9J92~`fizvsKwoUckBZL+EyFXU<;BwCQbnZ0_&y7!9}h3$WfozZ8v zeQ5gcZkzNd1(w9gptTE&dwadZ&xm$pi}r-uI7Sp-Af_^PD?`y7`Uc&N=p$53f48R0H=q zWY7lp@z1cgtpY}S;J|?L-w*p-LLHXG43F%tjh8DBHZSYTmej3D1F^ncPS^BGX_>9_ z^pk_Py3XqfZt$bR(zfYC$>X-y)+?@q8>I8BO3BCLah8JTlZHgiIKTJD;lkpwZpTeq zGBV~?R;cUcSQ9ZLR`#dMq_A(DI-LJB(bJfA$=3TunZ(rUGaIk&W9)Eduw7eh;{frN z_qjs@s=(gHO?*d@#+unS>La&~u3y!r!SN=PT@&~nv1N02x`dfin6R>I%S@y4(H11+CjBUXF#}?wrMDiV=NH18xZ)&lm8$5nS zwC-8L&X8##poVsd;T`Q7SqJK0h1e+&ZNCgz-BiA*bM2s9a86g$7~<+;Hm0nYwGduz z8NdHGh{b+G4e@sdPe*}$sV@v}h{aRJuK$B$Cx&bX=qElo_v5>_>5^=4|0m!mL2)uS z^G1aWV#jR*>G&x*LxzmF+ZSD}7mGl^j~?2E;;GeCJp(yLp~R-$=|hSWBh3+dSr zu3IPg7yYH^g)N_)+`&6zE-T8M*VtJ&k3vkQry!5y_wtHLHfBN0-A}RQP{sU0Rb8(1iG}W$`Mkm$`dcr zWSM+6*em3u!YcB+nsRb%5yVrAVwYA7!L*M@W}=^z9yJ+BpLNlNN%~d 
zrc`k2LXY8-l$}IN{Z2tj`Ermg8S7^I&wKwKQ?+cZOzw-Ep-(W3gi9{UTvaCB1A-f) znpiaqaY}+U5!Twf z6;V58-6D!+ON|AorRFZ<61Haankvm~{aMWLkOEXv$Z7d2A#wXAs`+Et1tXvh>@}K4 zKw&nCvA8;GQ@|$m0&fAqsQT%jfc-bB3FoMji1~Fm^9b@ET2+N3qI1iCnKGag4}=(P z2Li1sC8Js)jpCVb_C>q1%3qz?f742#5)4`~o}WWt^%{)*padPhO#hVQ1U%)4eIB|b&e<I;TfP2boY_CWxR}3xl{UlEdR>5#c3m5=i}4gmx0g9 z@z_=T$1$~>Q;-~Yb%m+%ae6U&S6InhQP=5rT;vH`X*GK zg3{4XquElWKV0B z2@{6GI7hP7iT_`0roKvZGt(qQ*AR&TZ}!;5i3nLr-;K*WfAf)jE&k-PHEdOcKkge> z*KjJkZ(GBld5gQj>Fb=z>pF0lDF-kN6zCeso^Rr6WMI{k5@7nyq5b)Z8NF!#c}TXp zn!i;pJm^1RRLD7>pMoTPwlc^K)8B~Ji9jqlW`-nFNk2>d(P9)5uaD0q#U@xfZYk>e z!x|DNvCCb;zOhd}wWcYkR6T^MxcIMr04hs4;X1-UiIc*O$b{a~v!8o6zenI>VDcdd z+(_jm{{`C8<{a=c6tKeU(oiN85b;-=7iaZLVlvTwX;p{&kj>xzEe_B2w=^3EH*}RR zT*I(<)=smSLvgHD8~H5nYpi$^OTtrcaiQ~rtVXyHtfAp>a$zA~oTRAYsIe-=={IbY zU-WAIES3OWce%_VoxPJ|Dg`9cvKwigqAvMRH3}jigG z7;?zcnZ^Kh1Z#qXZIxHyaYI`7jp$o}WJzW*UpyvmBt<%YXdmg=GFwh4aaKdN|6lHb zbtGINe)J!(X`^62{EI|TfhCaVq~eL#_Vsrj;#=?0HSu}QJLL=eH8E1}-27#xEa`t} zX0(QNfsSXfBfk47BSHSty!3e9C+1h&*dH>RPls79K=8E`(2)W798IdR=EiD*>%3I1 zA#jW1xo5r3;1inReKxr9c=ql3_!IN6I9>`k-|%W|+*O9=+I9QAN(uTbyb4WsI3<>h z>tGS|#+6l|rpfYWd(L!wf^aYpVeo-?>d^Aw z*V^)ETiG^wiImqdX`rn3Kh*P_=k+vQ+D!e6yX_6KKU+lTdCIsO+x9a~K1aL~_~`Hb z`c%`=Hx}DKeJ^8@33C^+NRoN=YU_QE4wE68Tno1xPNvFB$E*4|PEJyyuQ~A8Cj!E7mOOcLU9+(@U2;yJ;4O zcFm73&$CC0@`|!KtATWMxZF>{D{k3&=khbe#zwJ#sbhBk3S_bIa z=XLYmQd1FrHr4g7Tu%PY>TX7D`MvQ5tn?0!_<+qS13#)Y0R{o5U6S$LUZDQvq_9Zp zB-ZuWqo*7NesIa_N)^8JhTtV4S@VK5lIt__ z?*Cb$rlKPKH)f7&c9w12nD&)Pn%T{Q?v+KY=2doD#%h90M`b`=Q%z0gcK%DSq_;ln z7=$c76}O&b42@&duSKehG21@;7M3FGUYeu^P2!qg?(8;3E25|62RxjTEd?ls?&--G zhvUVnhDpt-#u&k_bz4lBY5}tGMDrRCw^Wf|?PMl3D}+=!{3vQo+E)s})@{|K9~a^@`bzp$<=Hl}p~ILr z)9tf3%H)D=t=r#g&zh3(_CTWq3zt!J9YG*O5pigb= ze!}m2O2;#Gng^k46~odO@dnJxM%b)-)y3a-wVjJk*NKQ^XB>$(7es^ zR>=ZmXkaf-U?+g+qsu$bQh>ol6bZiYegNDOTN{OCA%RE+)C)K^-y1Wpz-??hoJ#;4 zv-Xz`Fx}XTV5P#@VyiN8E#JSxa{6r5c17Ghm*P<=C2`!yU?Fz;BucsJNqjTWD!5E3 z6z|H*6}1BP?`-aK=IC9UF34Z5o?ho$la9RP#<2L?sgU^bpI}8Ceqel0fgis7G8b(- 
z>P~4CsUhr`sVZ*AOR2WVB9ZzBf)aHUM^o{*JSsxFW(ebTpcHmcS8FOJ$iKaY$=8Q! zLAZ4L;aZya(VGlL#~580^TPFuE51w(j?NHtvrSP1)8mH|4|3X9AiwHp2t_D~PHDm@ z`llIDRSLV(h9NZG68Q+lh)Y3iI`|08;r8eF5Yjtped zW^X_xZ<&|gOxT?8UlSxII%q!56Yj>8nYS!|RNE57Xx%(Q*IePj^A=j1JoW~582sHY z;zkgpNw*9NoFpxXgfw_4gj_2G7ODxbyt1<~uWAJwgCQryRP)9StfnHIW4Y4GVhdm&-bk~ONSU2r`N&ULtoCYP$ct+Mbx1G zN@7xM(4Ly1Q%}>>>d2b%>CQ(oQ97?rW=VUH_!ihG-kCVgauA@8GH%2uIJ?W`$d73B zM_PyBB`&Byy`J3Bx9Wmfm=Pg8qBzyLjDa&fsa!HSilVKZDjf0z=KoSP{_6?cLJ(l` zy!;uw{JHRz{#^JDoTJeCBEQ4R^y8E9XCVlNex9gGfTc(k2?CX+-XougU(LEnkMlJm-IPeAw#xHeMSSmQLH0NkwEg)+%ypJ( zk@fsqc4mKljZ9g6KO-*jxeFBBs++721-6gAJdtf|PwCbE>)Hd|+cVO2T}M5Q=kV2S zech6O+j{Q_ysY4z-(Caf(PuCH8`m!B^m}N#;c4r0Sugo;;CES}mjRvp>0bwGJ8img z_?^^ZVmTOh-CUr$bMGdM@-(ffzw!!Ji5<<()_VYIoDK*Gtv_}`j)jX3+rb-?{yFEd6x8kNDT%b zaqdfe(`$DUpZ?s{&s~Un20zU;&M!Ky%u6c0uOhd%{uN?Absk(h5I@dk0DP^(1E)UD zU=|otz*?6d=qVll2F@PO26TuXiyIFrQ`g=uX8gQAY$_Be{697W)jvZvjySZwxF6a+ z1^Me*ExS~=7zi}~(S4uVfNjo7<#&C|c7f@*Y`$ZWAZ{9SD%)Jrd2hZVYd_iqJqjFc zc2n!R-8eL*VWu)JT&;f2#WgM6Zq?4?8^<@gmq}(EU-Y{!qMtar%_7@YJg&TM zYwiPhFTWALCf%3VOl_Oo8Eip3EpeUweml~CzK5Xg@~NvmqTiWa>_7kl?w(Cx9po^B&(dFbHr(2K|@)FeeNs22X>5hp?w zCdv`!XO<%kaFn$u(acMwVrx3y637ph#fUDH$i1aW)7kXa+ILVR}ho;#26cTL~(gOhEK@G6kXW*MO9iV zX#?fdNWFxuR5?)}y+lqIs>&B9dRSO6ZMnBHe=tAK9DeC5);iV9VzDh6lu^E+U0-ii z<93iQQz9-m9q;d-q=dnqkjW7!{7x{FSTP5V#d;#tyuap_h%T^8h$G%0rl~<<@M`gtZHN$4~Yj#U8jvQ)$!A-Uks2b46fgEG(YpjL{UcM zyJiTEi+;*zdR4E6P-f9ot$B;m$u^S&)@EbSd&2P=vq=BgY)#$`^~QwLl~z_EpOkJ- z9?+cchtZc;^o*&!X)FyX6X%xLG0srIp2v^VU$QNV=SirMz*BKEWBxiasJ<0CQk{B~ zu}Y+|I1K*@3F(FHBps>A$_w?Tdas$Rg~=+9`Od8&GnWzmEH8E?EkVs-s1RFI2oa&0Z@E_biE!rfScI`D3{v=~Q2TE3qNWm*;Rw zZ&KO4iAw#dHGhkIMr~s{614iHqV3XBEGG6*1s{ozGd@Ez*f!rc0XQe`#Q3Ak$^Lmt z`w*1TU(J@?;?NeIhh|1#s4zLjVPZ*ES#qd~Cus06Hf0%_`*f4@NsKEc+!zP%fx^SNLk*JCWq5iLBXdA8boH9&O`S z%kicDlx?Ww>}#SLog`U^o0n$6DvZA3*-RWhV$@d&{@CB&&>4+5YH*{rT;GdV(aHwQ zmA`#~!22sK)DywBI)*!pTppJb70rhzoR&-F4js=C87}m@Xw&&G85$8!?I@}|g)|Ze;{~mzm49hYx$6A1XSkDF(ah_S{ 
zp$Bz|mQ%hqc106pb}W*J6O6Zp3^|Lnp{jJ7EPQT5uc8}&XwSYOo;RIJ)7;m=;}E0% z1RCw7AG@amr^r3ERw*ROs!0Lj@`W4=v+Z0PRghJtIauj2%zhD{jsjSLhP2HXd&e`# zZ@wY!Nz!(?xuxZ}H24NIXlbRfF4A6cc1bei%`i!~@+w5=F_mOHjfnEk-f9}u4U#V@ zNMb>u4-e--eMTi@V*KoB$E1pxGi1!{GtExw_mP%81I{h6Kq z6r}=ga~76+0FGEvMJjMGLZ8@oN|XC(XgW1V?Aw4&4L|7i^rU~v;5D5y7T}`q_vF+9 zs0B~$8E5G|F>a^3)UiTZpC;C9V>HV1?Ow>79v~X{n{L^}f)9Mww_iabcYwM@65OoD zX@v1C@M%ifg@T%aNZAAq05r8{@dR#M3Vf^df2jT zg-Y1osGQzj0qaa|zI+@k`oGBAb(9=_cfVYn325`-=X@$32iNZed@TCJb{wv*BQRz< zJ`&Y@Ywt}^hPS9*`#2S(K*{h>^?vU=|33WYZP8KkalG2nqItH|m15uqdgziXbg-%b z+aBTiNZ7xWAWl5|*17WjK%HHutZ97m+I{W01!U+{b$Xqq>GZ)?HK9Hg6v?lhT&R6+ ze@zTr%33y25mLJvVNd85H=hglJh!i-#Pud5w2n4%N-cD`Ei6*E9-0&^5gw$*1R*eYO2|G^rB$1;CHsvE6nZ zG>O1iIJN$C%-)2#L|^!-u;Ng-E%u18%+0K;Y`qbpFkzCy>r{4S2RyNMIo`z8owoNp z-ePnB4U?(TZn`|y1SEUBTXn7+25#$85{&aV?j*`$Mzdm^Vk%-S@JOk0Q3ve z2P};G?7UVAp{O z7!7>0auuqv;d-sL&QHJPd((-?vlgDi0TPS=8&rXFXG#_T8R6jn>bJwH0o`x-h#NIE zU^-o&5Z{abKECUtM`F-t!~G8op3mNb#W@%O_4%IWzsA;49f3^|F8p(90@>St%pj9| zgWT|37{OWh%f#5TB~V#s8 z_l2s}?r_r6sEstlp+p)=3*A!!?w#P+9E}tg^>##aj29=kXk1C_SY)?#63+c=(63^c zR0u!G84Mlxi#aqWn@dMsb=?F;)ih_fD4}<_=5?k)?lAU{qV|y4rsC8pret@6kx}e# z(O={(Wpkp;44)0&GLzfP@eVXs=q2%;8^wI@@sxw597FIa|NgiTm(tka2x zbqNVmSR5Uo8^cC0m@-btH|bX4vv7)2!_C|Es^pvlWq(eXGx1cb`DszgY_c2_%W{7! 
zBoxJ?JX0eG{q4-4^Hf+Vi_2nMy%rLtsO;RD5WU)+$?RqlRD7Wn0xR~joNYJ_QeJ(( zHJWk)Ax!xK0`^|HDDybsdo%gZq`7>Rz?h86<@VD2S#rPz4bIn&%tvdn{2xN)h)#;a z)+-RoI|J(UX@*~#7@MH&Ufnre`1Q>()0a+6L#rLgG09h}wCpv6U!?N4Ik_lNe9N*; z_Jbr<)HjDuJFg)2xj4%^lnBR!XnrD7!iWVc2S5J=sp$W`Lwx|i)opgGj8E;O0ee9W zlJk>*S5)BV8}*r#QRvPQo{{tim#Zu4A2j^*Nz!LzCJlMJFvLWKNLJ90+i+8+sa7hiRjq^QA9f1F)s4cd z21SwFiEIR+>cRW;=orM%2U#AD-~Kh&DuE=t(j$Br@omt-tN6}XtNxQ;lOZJ*NjrYD zsdbZR;%%KG1i%>&`i9p_E@HnxD2{OkCgo5T{FEk_j7Y;P3o4-&-Ck6&8>W;nr-v`= zio$>kr$WWg`r;hmPE$1EAN3f-9G7D{gsdXtkqfQ_iHOK^!FiO2 zY0x|bsO`r_{!$>6z(Bq|T_kiEoCwKg5n0IvbX$NGC%>TKnNuC-cS8Ttr&8o#po0pnbV&C+Z9!=Zg{AO7UYfTft0r5Z*#DG!U;znN%8T}^ zf;9#B$*l1cZ^#8FU%r2;m|+z9xFUWWA6@562)>{`vR~)0MVbCHWr3#zhJkh8dOkFA z0u5XqvL(jP4m37z3h4UnkDSIjSnqA=Q)+02G6h4H5>Q)XSBez*D}~x|JSMQg_IoIpv)HB zhNjwi-ep+WM+ff5O|3FofS0uu>}6PyIuDBftNY!sOaV}{{La1xl&FWQx!$4E@o{>{ zkw^@@i$qRkw#a(wc)0wyFuQXu;sj*-e>gsGy%B2z3Rv5(HvHxj1Sz(jlMk+(go8S0Udwa{ht|QHvN^~HuBU(Eb&Qou3$0zNV-mexyJN!po?)#Cm zE0TJdtl-$k7ozL8jM~C9=^9Q7JblySmB4Db_rX+um`f_gNvoXL74vj;FpCvKzBGOF_h8YF!P23ps!-Jo}qv^VP2)f1pu=vB+ENV8_qt52YW*0)(xLZM_amo*Zq zw+~p;*KI)x!yDrdZGJB=wxVxag5t`4!ym4d|pY3*vXXK zgut_zPIVzAX~`L;;;v17)8k)ZR^#pMeLvMm@fVh$J{;(^~pJ;Q8c{|$PesAqH zchoOf>ndF!A@r&!`CEU4U_z|ifuwEikwG0l^8ra3Ich}Q!|I(UHa>`_@;&*ds%S#V zcUBHcg58ikVL@{OyD1_bSIV#INO=p7%+VB02?hgHL1Uc1H^QKJx&0~?{$(l>d2k!- zRKzXWvdI)M^HH}HrOUIQ>6Qeas_RPC+GpC`iF!yLIm&xtDA@RPH052-)H5Et-r@Ld71`tR_dOUTuY00DpEL5{6QmrTUv=#-F^7FE%N^_Q^SO!%!sVRoj3{f1n#QC~!I5e%A(w28)+{>4Y88BsEyjGM@77(!d7 zB~VH)3Skuvgwft%&dAll|Ew=)7j1V8{VC!-!DbV)@hF)t)tlTpu31&60u|kd=KNc} zCmD`sp-sNTv`--T5Z1Rx;ki*YT6wn6ibbr39iNiGv7Glp`ytK-1=h1$!R#4^<^lhg zFhW1%qHIfh*d;f?=C{E;A*1Gc*6UASI(UntJxVC z$8%{SCikd6ho}VV#eaXv2<1)Yr#W-4<6n#66?+#h**{9R3tASulF5*lCBUbfKe;WfEM&rFoc!o6qjg#K7Q&^1aeE8DsI@&yn_$XuP2~hr+=yKK zJTn=88GRWD;aO^QE-)vRmO52yuM#pXFx!roez5N&;7U~06+%!WkH0i?Q^j-N&|Rs` z_Z=N*xBUZCiGP&ll>L7NyouZk2Breuaz0??KL38XX+SVYnV@kx0af^o&go+qbO-es z^K|uoLiv6)z?iHMr-~53GK!S+N2QE@2RZjaU^kInU=skcdEq2W3!2OMm$M1HAD2MG 
zlIfGeTfGIaWtSWYfa)VR>zAB4zt`Ot6sT}^UTH)Ehb~)pY^C+@_!x`6E@%2A5gJ$# zxr5*d^%UM})cO(O-H2XJWbX$yqlEp%O#3UGVJfaO40F>Hb{)ql2iYDi@eNacCtZ0Mlf z;$`$l%={QhXVmjPl}gTFP#gzjFIemie@Mvu)z=<*r$ z_n_ZgmEtYFdlhK8YBD$|gypms?EV+uHcX+>{d7IX8_QQW$e<8Tj6aPs;|@0E(*cTKy}%ncGaz)A`fqIlnZ3Lht?hVNm}JV3M}jEX+Q418f22EbnHD` zWqI}+;}Qc-)+zwkcicNLGTR=ld|=48n8~RP&pS831pSP=u)~@il*6*fVdm8wkXO>* zD@Iob^uSx~dsn#0uwl1Hdk@RG-PL;0ISgib+SkzMs`qOBL*zMP*1_j%*Sf;bTkZ4L zb#!w)m$0UGtbL%6>f6(Cr)L|fep{C4Aw#oN)=KOghhFWbcxtxeuyGpyWAY*K^*{b? z?f0B6{bduXm6Y zs_y9mnx3_*?toy!HL(ABpBYGjeJg1m{DJPWKKf4Vk;=g<2&k%y2$)>OZ38?KL;{{H z5Q#SbCDo?!{d0->Pu?@w0Q5rq0Xrn%1wuud8~`&Gd??tgTJ8{+bi4z!#$)c{2P79h z8Ez6_ij7vay3|b*&%lsq1Zm{4>ql|@DroqO^M>^uHcMYfnZgE(M=u9PS61|!7QE-0 z{&UyHKnD}pKNS?NLC4GxB}>L2~n+X4K^rn85NFA+bGkrk>H*4BSeyE$g ziq5;)ioMtTKdR2LJriha(y`5sZQD-Awr#sRwr$%spEw=ccE|3R&*aRUnfID6>o2Tb zwQAq>T%a|DC6pLb_CPrGydGEMeVQOj=hypbb)OYre$Rbv`FN z9C@Ar$0W(jK0nVZJ(41L>3%*PgD8QRI0m3#CwkSU*Oh`(ALo>IgBVMkmRO`vu^)Ue zqdklc%fw2aA zg%ZlqUxaUKquIjVm7}3NOJ=&szPbJ+{L3xgeuY;?P^|(g>=>6M4Km6mp-7IZ3}$3e z%roI;qJ}_%b4rwlF7j2r9(DsEutQ7%PMvF-@w%}6%ivwjbn&`1hM=WG5?A2>97z7r7RRnk!7`TpH;zP zBW%+;jvFXttg!Q#JypQ=Hxvvt3DIgw=h1~8tavV11`*u@ZVP3E+Eo;aA+moe%ntLn zKa9&>LM>NQntH7JaE4WEi%_AL0J2S4l!RbD6t$3$$TGeRnzKrn)(@marTbtZ|1tJYUxwm&u2MV}4y2d`)d8N+YF2=7TKn5lKC!uPO5Mej*L58qz3 znGQ$U@sfIzg=htB>R24JocOZBio?&_h*LL`e!R)1ZLVZB0k=y~yv)p!CrFjhy+O6Y z{P*x%To|>G*|phlYmqqex!D$?f3}&ldP|kZrtc!y6jP#&KUX9O8MRH3`>T6o8cqHk z`3VsH{29HxFOwg3uixc(JgA{X(G}~`MbwH$F=i`Sc%;5<%tC?cTUSt4!>UvzcZ#4Y z+9j>>1BVP;nz&I5^SyS5+_2_v2_;^Mw;RJe(Gx5svN<9QcqPJ5Xksm^$;cnX>YgE+ z8Z3%YI8hUTR#G-Z7NnHN12pyOs$p?jOqDY`n}yI;w_crUj59SYQntm(zfg~aD0B`w z>e~iArN}bBnMwBRgeGTdNKej=;x-a921|u~$PCOiV*-lWP5f8#})1Qh2Q&&!rgh+8=6rjA_ zO!lA?$Xa)WC0>sn`&E%pt2?W3q(6^6E%GVeGPi622hqdVGDKqseOKG z%Tgqa@0MKm*Ocox+qg&D5$7Z00f%OX~@pb==9{I zOu(9Ok~J{;n8OBOQXVs6Sml-mjcLW4xH;T5%EWmtR^rSnN{z~8qEbq;*hwz6zAP7+-#uI$f9$y-SW1cml{LMuM5;x;tG^W!NN_58VD+v4i2bGo z>6Fgo7|Ejli}x_K7(UB7Lw`8+KV!u5aB=hgXX6)iel74-=b-sfsJ_naPaN>|jR;MV 
z3?u50`QPp;5M{1N3n+$yp-{Fsr5SbJlhFdOzclKeJs4D1*gy~30f{Pg;)}O9X`_@1KK79 zymvEuof;+cyM85~&b;5ed~TVZ=)0_>dS}K1kNe#nc9VQ8q6svGeB%j%@|ggOd9&MY zQ|rI-=e9n_((c}64Y4$WrVQ0q*XO_XNrZilB^|dvr)KyZTY0^AnEbqMS;av&Jl*U+ z9BY9%yS`6(Q;|$t?XUKqx(dG6g<^59>#jn(c4vr!Ilx=2VO6Hz57^kIySxm24?bS$ zrgyLHeP1K{H@*#5U+KM%6Px9^PQ&M#{tbTso4)xzjzDZCp{MOwq-{}#9r7LL4|8nb z*(;x)Z@=oF(cRqknNQcRmg8C~hK}>HkD!}XMn9VM5&o|RMM7R1AYOev!~L;#`4-@x za_jw%ZxT%Etv6?l&RI1-ULiut@Wr|Lkr0Uzd11c3h2!05e?{Pnl| zdWx^qw|w>y<}YkLCC08tp^ThIW10&&OQgWL^ctWD=$Y$#-}-L%8xeFOA`62≧G- z&>CQ-1yhl$v-esvu)|vE$LzHP6 zD<(1kMXOrcT3m6XFKQ`&lRSE^F&3zJ`y?A;JKJ!l0mv}pJ|?Y1pTmJMQnPX&agvD) z$?cAmi%ianJrb)P8+o~!(Bc_0;~E%qA7!+gtaaOO8hN~q-F7&4)X2?6L1b;4K1p%4 zw)xwOHm>sv(#|pK8F#`Du(tAnl`iD>zI@K$wGD{X@htU zP-RmiFBvLfwO7DBP{+%Xu#3V(!3Ku_qFRS3^BP_)z~3z8aEomdqu zBrzG{Jdx^-zNcx1EEncrXtoivmd_NV;{b3-Ph7YQpPG^%*(gvNRzCXDVo&H)X8e>8 zDOJ#_%n}qAU6_DmC}moyU^O4s?jasZ+FG78KDA&jUVf#+eK))U@1L>DM?tg*nWPCXmS!k-yk!86?b&Dm4wA3F2+nyh+}mO>J>u$ERz;9fIs#)DK& zHb85!y+s*f5)i znEm2S697~5z6v;dwWug{ZInN3;yVz5L`*7zMf&5QZBOIb4=g!U@ZHCAfPdB7vXmh7QQCeFOlB;Sp->7*8N2y+AKV7`EOfvFc%T5tOmpB^d5 zL6-0VoCVSZKbB<1oOf1UBq-Zvjju1FMjMO#SoSJYM^Pi&KGcJD(#v{$FsRg@qgiC- z*RfW|TZFC2G@fxKMToR(L3Qxl6vBxsT)VoOWf}JT`cH zJbX66;&&U=$^W>Fr>p7xv+$Q{N`4SFRI};0`sjVJkK8fV-|sXhyak?6=pLZ?tgvC~ zbvRqkZ9(u*x9ZPJ)A#mv+hn1v=iqf3yk|YgvsW+J*_+UN7_Mlip#^X=w5X&L;{Nyc zZm@mSf8~HO)3b>N3=@ztHudrxJ)W)ndi5%-)%-MC*wggG1`A*k2+q|%_ydK;?(=>+yhrX z`c9{TnbSZ+#Si$eMKkii3qJ$!x1XE-7(m1@T%B;!<`xK;-{EUb9BYAoo8!2`AOZscoss?T*QX`aa@ z%49n4RnFk0TC`drb(AxyBo#{X@}TCH9Fy!2Ar-jVXF>NQ*ML2pL)4PTcPwk{ zt;HPOnzHP&;XGsGT7`j;kQ z8O6>t$NV>a>f}bU;QFPBb=QwyAxI{_K8kn=Ij9k(5(!)neh$$)u8Z&VLuL+Kpf1C| zAkpA>m>)Aa^15i8X)M49sWw*g_FLuZH-_J`@xyUo{7WRD8iIY*-*bpmF6 z!EmC{GiA=4gQR$?9zFS`l$fWj#Xiyn&C<`zK)n$#z;@7t9Vj?Lya+sGTP`cWs-8?D zSq*i#8nG*T;M9vMooM-!H;-1Q1e40xfxBvzZpb1NcFY($z$(9=IOyj;!HHF8 z%Y;fSRkz&x3O6iwANFGz)bv?pAJX688-M#nw(ky9P6rnXFyLjj=?il^dl-kt(ZZ6Nni;969?4RIt>7 z8U2Vb=t0YV$>{AC3^E75agvR=yOiD?ds(UrtC(4qi_t3ekiy0cDE+WjsD~VJ8VT!S 
z=CtG1A7!j7>_HeA4v{Q7KtX5*f$VdK9NJUa12<&sCswkxvN^m3XoCTSjc~ov%rBNrydC8(<0wZ!pdbOQL|0!pD#6OF8YHXp4) zEq0fPeZPy{NSvKS_W8=z2t(ZoT2MV|7K*Ak#5;l^Yikk+Q$MLgEqEC9zZ2^*SynQm z2No1{V8dh8dm|VpE*NV!%l&TnOB-i(nC)TcJcwZtyO?}E8tG#A+$_3ILKp54-20ma zQvJ>vAW@`T0|iPRtgV;7BWO8VuVZ5Mden#k8kNIEtxp+;u?D1Q_98PGOYC;)Ynk*p z_1L&yEeJ6+7W{uhyedoGz00K1*)qMpeV>bQdaP-a`TrTfi0{3sP5v34@xS+K^H=jw zPWrVL#7B6*ID4Qm_Y=i8JB$kWY6sp?zv(}h$q}Gp9U*>KuLg8Ie)J}A8;iDo6!do* zRrTh~=l#fPjoW;G3Qk>h@V8vZ;d>7KVjXn>47ZjBFEPz}x8C>TTiiu|vR(60`Bt@G zSH0gfc%3{`F?K%7kDblLJNjLoqNf9`G7%H@&OX!gO_ngBFPqRJtoe-I+@TuOa6@L&Jfe$qb7)lKg(Eq2_F;OE`} zwzwbHH0d+{$|r5W^RmB)y#UNm^fQIXYUm$~AsVdRZsU3MI0&ac_1$l933+~PhdVgX zXFM-?T_&ICyPaj~?t12Xs6XzW3x(F+2wgR$(!C=S`hG)AyptcoE^+y;?xUY3$0S}D z18y&Os6M2=p5Fgi`}?*1>VI>bKFM1v?OV{8{~{8awClcl(-m8UouY{2Yl^z*UN@2L{%UTmL^gPL z+SyMR^aZjEcW$O20X~k|{60VV+PV*V$A6|`Bh_B3bvq2?z{_qdVheUG*XLE(^^KMR za2hyZSQN)^EM|WD-Zyiu?{j@Om##xK=XFm1(tnGL z;o$MU^|-U#_20{!#D)Iw#O@Ij@C5_B{wAU`^!)ETiW$VAn zb?bvDLfG;=I|^#3>AR?NaJW zj4ddtNag!YCGcT6Lheu(%6O2LJEpfSjQ?0IvkH^HKDkej=#40 z;P5!wj?W}<fFSe1qt0 z0+(yDG~fY!$Iva$4?*b&(v}G{strMthn0 zJK`*_Q5TsZ3G&!>HEZR>{c}bCH1CN*ogvHzxx@NlA;YGf3*tlQkvtzd;NlmyjoI*} zmG}`19r7HCR{rx)C$QUm<(wcBtY5^u3Mdnd$ z2Ps=N>7&go+#VUAbZGj2@XJGBAQrw$j@)`{{$jdDQ6tv#*Z@SAhG3x0pxUF7$cafm?HJ%IiOU3`J~|&!2z~y0Bt_A zxqxurcFiJDfb!|OJ$(#@PQNeiX^}WnbPApN(u}G`{NX(rzfi!}^u2$UXdnN5$&>;7 zmm%==fY2$r=KqLQ;2qYWKZe8QnbW9k7le^KEfR8U({LEK0z?hFRC>w}y8*=5;gp<& zK-*eB!JyU&BMi-&vg(Hb>eVYJL43^0rImHF>=Bx20?1Tc|a3h%$DOg zns|bQ;H>L9);g17vGZIzU0~9SiiI4EZvmQAk4$7mdq_7Y%V-q;F(tUKu!S%>1Euzl zqEQ=<^W?Mn0JvP8a(*|s+JQf!F@+>-!$@ZXt1H zOiY*1)jF8?dVGc$--ey#Xz;g=U%%wwF3CWU9I}M+tdi+phUF)p3>T3 zS!WeVn3cw$n4)F8s;MYZN)IuO9KKCK_XI+nUFo4H-nmhk62pR``;JVxsjQukp3q_~4x+L3|ftQBB9L+g$ z%v(@$jH|g7+QSYjGk`{gDz7Ez=*iVQHcKyUf=B5&D+4^lXZ_0j+@| zmMdTgL)Q3#y>dV0b9S z@m#)JT8@vq+in5gL%O?uZ+x5kGlUZxj(U%i>T$sNvhwbKgYh2Qk2~h^gddHVwU`*~ 
zL2;Yh9rxe+bS5adw`bge%D^?lke};yPje~mKi5{CMXk&fjZfQkSt7-}!x~(>2}zt#JXG@%~HyOxR_MHBF#`2M?flGA$o?T}$74SDM0?&-*2@0!R%KibI;$fr-9nypO#tDoS7A@Ojl5-xejPi_l8G!2MUsm)u_mQu3$}49^?^BvI#9W zdqiktATv%aUQDc=Y9nu=nnG7l`nB5z10qC8LDp(xVaZPdu9KK#om$nnG6xCj#v>Ql zivpkgD16;>IZ=%>c{s{Mb=#zCl5LBXY`VauKJ)E5ofT(b<&`bxXL zA*TYRh+rLyjhOX?Kh%m@r1O)oXVRL&yx`)oAlw-h%UO%H98@%MbpVp2#XZqk@-S!I z#ta{xvLmyMBWH%Z*SrFq-0++-o=2Q<N3#mxhj!@6AK~^yHTT9dN&|Q*J`CH0c2pY-H zTi_a(&>LLIZPWg+O*PJ}O$k>4XgyHNi6GF>CJr0Bha7?WYavh!kCLR@ov6}45IyP$ zthA@-jW|u{ZyHNlC*#GIcMFB-}>BjA}vE=STF-b zlK&+-OE$xS3L!4o=VVC3$gP_7q-E4k+o4X^v6fbg0)kRTp^6o^RT>kp1~As|vqHUa z8WI?J`o|gtH5h7`i{52cBs_PRkP#|(e~h-JP!<y6~?E>TJz!xryQ)hwa>>EL5xr(o_rf zz+D2XJ8}YJBrG_0%XE&63(=e(S|}c4dPm!n~P z5`#K}1-7wiNZ9`azQwaAWiVX=H9oU}K3#iWIIN&eX<7|*b-LAajrwxPS5Z%)uiRvm z;0$U$>UkcUcjUJp8K7QYbEgQK2sv#%2OuJ4X;*Pngk)GM4cj%?tYsXK(lVjVb(LJQ z5sK9kNoSid2c(2Y8laX&ki>K}xL|+MFPh$TyR%I0?#AFyF-{>jTng#!xH#dE>ykLauC-J5xo{XYZv8i)eXCiOOZ`4L`EA$TDa4(%xLn*U7n zLqv&NzD)W-_67M#@k@*W>M}B5NyxYr_VWje14l0I}Oy-C;jYo?!WmijNSsYbzHW{2Y3o`1Z(&% zi$Oawy!S6k3IVqi;II9jyK8Oc3+LeTYaGppb|frzu;X*u#rcW80e9g-4j}K_E;EK6 zKr!RjX{JqZL7bmZl6`{ycZWmG3fp$KZXR3*e@=uRSc&@lMg=wnSMyZg)jL#Q&)}J= zuf7}~^L@IP4bn;I7<_{}7n{nd$_0OOyKYtW34I9MBE6)_{_0rpao;9W=(H<0g7p-+ z!g_`78MuOO2yHj?{K@y2v*f@v?R%fI72F<|v+aofBq+9XlF0P}@b`U78$Q>Ky*W|A z+u~ySHNp@r@cD_H^!)20UwZd>Fp?=I&5r5oNgi+=HqG(Wc*ZJ4> zJs?-{ns*yGlY4VbRMQJeI)UeVb7D#FeRosR;rU0=zvUWpl)!0t<>p#GRRi!G&NX9r zHN2ee`yQy?{`yks34P7t&-B!)YKT3A{vssgx|`VN@4DF|c=HOh{Q@Gd0t=eI?(?I* zQ6)J+DUf}}_x@#>;(2Lh|CS^z{o;JBfr&!Dz7%i2O=AyI&jl?`e64XA_zR(p!I${K z!l96nVP%fNP-*&55ROV{#J2qx(L$Ow%GPV{J;+FbmFm?sU>FF<0U?da7;Va%1kw8G1rB$t#_DQff~eMjbWfY#tia zA(fE*n5bgwEO>(64RBninCH2iC=Fa~I_SY8_DnU|+^{qUl1GR7VotG8@up!v4=aT8 z?rmi8CgkL+n5@Y;=|reE{+j?Xne0~QK-~Rx^mg(qmQ`LQFYk`0h#2+ z(XA#{r^TG)I_O|5L(YU&Xx5L_uZn4_h(m~Q1;?ahREzRC8V7QKF53P!T%`9u9ast# zB^M}eM42+nI_Nm@KO+`7XdJb;_wG$8jGS6ls1;gabCN%FT4(VDs$?JM_xq!ue@qWy z))hu@6S06tl3fs9s4Qb>E{&R@&ow0y<4KVrHAO8`%2ui&$54@FOtrr)ev7a_30j1y 
zDxrzmGm$ug{m|TKED~i(no7UeAxhSMIQ76_$@7`AHxi>eiIvV(O-4u|6j`xfa)Z%6 zu`b@hsPePclB7zn#;c2pCaHM!gCF@}j#FXO7bOiXx%qC0=xRF`WO$(2P#(tw)p1y3 z&=i{wfLjL09pVyIX=z=H=Pe6ofn+h10H!EgVr^7bO;Ii_t%a94D z8Zarw5Q8CW4>tIzfF6th70dgXgYEg*@6_CuV-E(IG=YOvKld~8a6C!04H2A0)g5c0 zVTzha@m;JbEbusCHB`_ZT_7D7?Fv8jR{=|Px{=XdY*F2ENLedz6=;7fYu-ENU(xp( ze`#L8bems9hnu;QZhrygqioo&c;SmnOr;iO>VYN)_cr!1JG*bOJ)C(ye zBxZH&pfgaebI2pk&f37&&NG#8cVdC(8~?>8CoY~lRl?$8@wIHE91H)rFy)tfXTNsH z2AVMa>u9iIG04`p$RYYwB9jQoq>RHUAqTB1B)D4IAqGx8{ype>`a(1kwG7ydk-UjUv8!L)o|YQa>=r4wPI zd@zBXFFmFT{(Fsx$O8WL_q~ew9Ur*u*X=hFvGGWNQ}5WDnve0nQ}gk3eWFjFS6RBf zzdrmPT!lhI+tXfndhUDa?7a}|+Gg-U%6;?e)cp|f9GOJE!^hU)^Hj>u_)iD(iaCBa zphHLLFY62Wdd;TBx$)y-8uLU5!KV|Z?Rwsm(QP-mzR9-%o#}Hz*9jEuJPN@*t+@tQ zF;uI)I~M7l=a*C~I`J^$9R(ata)rU8chs(iNC z4nxho+5V@`yF9*ueDOu?dS6RDes708NPr_$_S_w_>To1q+qW$`MG(b)-M(fHYC8z~ zE?DP#TgxwJQ`=I_9n&!kOK$||Ac;JQ%68oDhOGq77r$XS1F{AjfpKoEr#rZ z(Cks7CFu0_LvCejIr<+j8z`-JkIp%2-i3=7*3V^a2 zWkMWuLR)1+gra;=>6D1CGOMf(sS7y;6VveC;tp=0=yc#v@l(dh&MYazY6?{#gVGT( zIqC@vef8A67zp8Q)}p)06Pj64G1jUI3B|RUkI*=Vu0f*c5$!c!$6w8r_#{nFkM7rE zJH13{f+I*u5q8;tt!m38e05Q&aO2s#Q>@0lJA5=kX#sw-oe|Fu*BI` z0tTy1@EolY92l+NW7CF>bSM6q)!G#^^lxFdRVRxueqvHIz3;(ZdTH= ziy;SYrGk3`I~s^%M%H${i%*p>EGI`*5krLHKPzwq7ffh%E-FUXspfY1&0| zC!QYX;kd0?D8Tdwt6%?dczT!d`Y@z7Yn!FY)! 
zMWb^fZuGQVhG**J-!*{~nW{7pw!;^x9-gOYTd_m+)CrQ4XCG6_C*H*2x~ELIgES!p znit6gxL1cK7IL4F(_70CE6K;0FigfL!&RSsd*RKdR=-0geflz8ew0&o8h1rLfYeKu zwJc24Taj$fZLFhBoZJ>@BZ;(}Z#?qqBtt<~L#uzUj=6NnN0GlY-O%bem5HiGpv?G= zNoz_QSc{E>&K_vvd9>Nx%$qCr|IcmykMDfg2Sx(pllYLo{)%iU>$BpYXYlw&hYboG za1Qx1p80tDea1D!_zagj6!$uA^(}qNzwZIe7T4=@cD~LSmT%|^_S|sR-#jdA9Sc-{ zxGWb#ZO&cPeH@d8*R`zlX49`p$+bz+j`p;y&vbHd^*XRwhqD#N*7vn|SowvrauB^Z z-^Uc+`1y2_F};eQ3f+zh=^Z8t#C?qGRtvB^b2$>W{B@lmbQS8|Uw~iPv3Vt8*aqBZ zT^X00_We35i}sH1>w9JLb9v+Z6fofajdMFQGYY6{*fAU0p8edX zTi4Cx=(DV8+B6+u;}dKxDe^msq&UhAIGiy&YwDDx_q=4A<^MGs#-;ClH9fI{&Cu~4 zcl_v>-!XH8^ws`0n|Ou2(|vF?imUqEaU%3~IeX`@%KzhZ0!n$`U-!70LXnSoR|HHff<3fJ*?KJ5k zEguNsKXHYftI~NeH!vdGI#c-E0RtS!KhBG)rn-iR(RKW;;~;8|55o4RhZ-ll=gQyV z{#-H9Bq%!)((wu zKjK4%{yS-SMoFIr1?3xYICWVOayBe6AWAKx5t#w+o3})1Ld#G-UZzqEk$)EdVIr04 z+yPg0rDn2@pS;fvGKed`f^Xh2QewSHeD$uLkxHpXR~SqSt5E9zNwf5z#AIsF6Bc4^ znxeu7p%=12P$XL#$bT(L1KG3lN`NwV33RSszd4}_me4EC6#7XrUHN-GUXDDtp;Iiu^*zffFKZCh- zb>KfgISam@(v`f7ov2Yv4YMg*WQ1*Qp zZ9*bm0VTy|yG4_*rh0_WsVQFJX64Q_w(1^G5~vU&S_Vd10I^7rvr?&)*3a|Wv|eHAZEzD41r@rJ1sUHuf((L&Ptv?o|S<|?j=8tZBuh5)W&@H zgDxGIA1}m2vqD5=Y>lj7UJp?sFgkxOk#M+m*^^2m?uf{jI=(dd&C11>e0l<0+I|X zY*v`~ibNg(>%4~*KPBb9DLBnao720Wmj4mF(V`-f5nzWe!YMb!VEhTn@6y#lJwP%i0?y$e`y|#6SLMbcu^i?8VxfC4+|ySe1$2sdjn7h*fm##^$GY? 
zr%v1FyAy9_{$8b&Q2|*urtDtHsmTOA4gixq$uIQ>c|pyY9ZR z1cQ#)gFU(qK{wgz(40TuWv!+#3?{hz@3CQ4;UZQ)DF@ zpcG)`G)!A@5*F2%%t%s&)>^rir>8gZFRgqhryKhK?gkdfaRjS6ndcngV?rAC-+S7^ z*_D^6joF&d|2ynH`h;PEv|2vGU#fv6mN&rOxR)3pe=EY{6fV#cD1wSXL37$Sa`Mss zCH9dF?2irr7W{x6_z{e_B_(m&d^<|qGF`AWxVaE`N+wkr7Y^{UzHI!zg0 z#b@v~!>cRz)iSa@uRLv=q(2LII~-aajI+)29U%gd$D-Fa6!=N>~dmSN|C0)*nK)&%Gh~V6Q54&c*4+gh&n#I((_p&_H1BZ zj=a;mC&?se3{>_x4_}7&f6VItOzHp-9g`&!Z!*kYdfZ>HYU%M}{?D^4?zq;o}Cnf^FAL_mOOb8GT!L z^RLx?hA)lpfPDT|paJo~kJAy!7|tH={L#8^o`4v3-!ovc25_NL&A!tk<^3SJ@+9jw z+hacYiYFNk7%^#0Zr^n9yGwU=bGsNy9W2(={ql9cN=+-|>bri$xC-Jk=v>vluX|hc zI@tgi5chtW0o{fKZR20CI~SRHLSJBfAL8E`9ycWm!m)(gsO;$k^EzR9+=d-0yJLF3 zkO_61a@}UNg?Lf`PH`UdVXlH*uDj9yV>Fk{&%Vvtea^0;eaEOu{y4L|1p#wDAbtOdO~FZhh-bvObtfa3Q)$ z_S4vNDK}2&;*30k>~NCHTPW9Q?{I0j<6|i)c<8K*sGOUci)~vo2kuhkI6IIfC7T2x z9z5u%qR4FF@@1!^h0Bz=j8j-0=gj!t7UkfSy?T;+a-j}?mHG9T-_(kUe;7cth&6F# zP1W2RH*5c*WecZ7Gu19dj{(#Ty&ma^qW>oP{>+OQo?3=sU&#~tFkz-7SJ}%41?Fl6 zUn<(R_SRyHcqs!_wy9boztKS2Y$SjQSt)gX5;d)NDJPx}p{gNFwFqm*3S;&!U>yn1 zuo0MT*KCtl4ejyA-5s;OZILVnXYsLVvvK~qCEw=0RHwX!^y(^d72f)YtJFZ!OEE~Xo z$kj?gYw8RY&AZY~*U&E4AW(-{Og9+MNiJvnat@w~ z0?oNnv(X3*GcFVhDnl%hjXP_dn?Sh`$qivy4*|`TmN1IcgD*@vU&5 z4it={1?Ol$1E^?5lR(MsN0>limR-2WYco?6eM3)-*G>wQYB720f|RYmRnwHIbm+2a_q z_{>A`(wP`1z8^GmNNdpOn_ctQ#^s<;m|%5CWsKZUOM#qMs4n@lhEz#@7k^NXlj5*5 z$jI8cV5)mIi&NYMb)(|7Ol$xnFMJH<$N!gJrpNl6MG7Gv`?=tMyZ+u+PxgJ?twiU; zV*>jUBcTpTwtkp=@FxR~`zQSD_h}PHbml+sO_ln%K5&Ta#pB+qUgwV%xTD?S1n<=hQv7?n}R{$5pGkR(JotuLbd; zmm=rmuKIeD4axh6-K@>TOz|U($k(k!*jC`K`5x5yDx8w-Gg|k8BF^7(8Q1a|Z6y1# z;!fV}2t>5g<<{121AT@l#=F4nE8c-zC(Bi)YKo&bmK z4X0+*hxlwgjxS>pK`N7br&^yxPgf9Y4rkWruI4}g;#&I8NP!7g8aBzBuw!9JHPfvp z5@U_lZ;)5adYR`1Z$bT{6r_T6@i!*U`wsp`H)IP623g;H^nwHpg(kDv1A zRt|E{-BD6T1s`a{p`t4q|0CkQg=hDPTvju{bN3&qtki}+yx*!zLY1FUWc7Mho5}NI z3)fw8L$c>vVid^v_qEhx&V)k*zz<{#+%R)1`?R?fcuLVhLRDPOe1AuZ{*b*)nplF4 zM&hX?$Z;Qvn`1=MYH9dz^YdLFn!ap8{3tOSma=wfbVz)iGOQW3+X61l_nMAxucdlz z-I+NaclzE(UkcP66Esix!~kzbg=tc%9}m78xq!|Yx$nZCy55(GR=pegJcibE8+^{E 
z4b{9C=-IGo@t@IGu)Skd0A7v? z4p>`61PVNRR?dU)Z_fe)(-NjS_O33cnANUyysv4n0NzEnOH!lo+d4z9jllotE|A`l zKB(V&CSO2mb3gAaOsD7Sa)9v;%a!-nYTmRz5SQ}!X5ADzY}DQSlONIYg8p4FAiTE^(};e`(gs5f(oly?c5B7NACmclavu_WV&Q{p{`Lh!GbANgs3>ImO|yTjY}t3orMPR?*^!HX z?E)4aP|*k2API^V>dZw)L~a)XGY>Cydu!{9qZd&1YwLcsrCE1X$i&pd4DngYFba3) zVesNx;}J`zv8W~sDI)L?6pXs?=+yA`jwKlY_FKR0I16)84#)z`BAKZOLY%+lv+Q8q z5_#^X_b`Hl{~jtPlrlAFzsNl0h~n4+hy4z|+`*)tP#8yEgMX*NMSHY^S`7za*IIQ` z=1u#Im65Fy2uyKPhmf`IFVj`7h_TU&snlsw_$n7oV}*z?@TJKEBxK0mNo;t3tKOac zwnTlBHc&67k$~b%QkG>TSCojI#j}99HJUg7qr(JHM3q)^wo&5%Lr+gFz@Oih^z5cu zqAXR!{!w<7%l81su3)ZU$||hFZAc95Oj{_Woj`!2Qi% zGJ0OKb^K*=?wUkmUafD45hLB+nP5Y9nFoR4=t_Zf{FzM6Re;Zj&FQb571zbG&})D5 zMco#4z0r6T7#RkVvMe01eul;fq=D`=-uu4gXg*V(-(XbmTDBMpWE)eI!pXi=>K$~( z@rRSBpNFtl9o9R8{{YjvBIWyzB-IMuA7-ulg!(%I?;U)dvmrJUZ-!}sBOh40Tx2Xl zHT>;_0;mE?ZH5TML7IsnL#vTBO&N|H(#>Oe!-s2dKV5U3*W`$GXDLEze^U3G zkEDF}pi=vm;wU$9}XkD93zSvr6>Z9U11jeY$MX z4A@RlH;hBXrnKn!A^}HTOwn#F+{+oAe zEy-%0(!WI0&0q!j(0AU6y-Jv!t`0j^q1iR`^q}2@uAajUXV>pLJ$OMsrEpQbDxZD7 z4V+KrJ8i%GbAHCCeC6}I=bBSI+w)#)+wZgs!xenGYlKH_A)*2oUN_5(U~sdPzO9e8 zg5kMqHZ5lf^dH`K|L3;p2Z+`J6b+*KhQjsLW{Ko4)c-CR{0z$roW2&w(F9Tc=jZu* zA`VJcHVYNY-WO-PfeM&_fyXUTjli}MSP(#q4Q3!TNwX$aZ#q|&vhGlNh+?>x66xD+ zWI{!u_jOwHr3@*T6&ceIC-UgmCK|tW_0i6LVUD$FLc6pspMP+uAz;g5gPIdwr0A$; zyY-p>jetskVsVN&9i*yPTK-w5q3;kUJcC-v#^sN>=3K2^-fHawBN<;P9!bdBjniQX zm{6Dj11HT#!f+2cq9bf{n4p*FcSaxcUWaf0Ni2QL*H(M3^qRiU){aw7z?47vjNEp> zZfx|AD=3UE#d8x5tLRNR9txmB8rL`A7=*n4B}xeWg=XU@N>xeyiXw?=T%9T6Rpm>7 z!D6~W6dV4dPMQ)HhRhMAFG*u@M<-Sm-D|K;{#>N3kqq6v5xHGDye`1spXF1Ccy|I)A(k%=KlIgc za4E9Y+-pbBa<`FoN$IsXi=8|}R%z5XDUv;^^wDv#+74ncoXP>Bru>O+T)xR#)|}%v zMI26^PT5*~Se#VLSg?qn=R13r;}}Lt4OwFCs?f} zTCA7OM6b|5m@q9vu&N9-?~CcjQYa%VfV0_lBxE8h6qIW?`3GdqdG0sHm$JRr##uv0 zIrp*k{02^!T!Ks`XIdeqE|q>JL*n>jeW@harB8gE`ETsvTzdcgtOJe(v=l-i0) z0|LX8-pv0oPYjSYPb0xqb{`l&W?awRISQ9$DC3k=zGtF{zlzvLHkk({XqEp@(Uc*@ z+UxQ!8|&MO#8La1yT89q*~SD@S)hg_3Sktc2Oh(F-g-ZG#`o{@h(euUf05Bz#6KTa zRDKA^X_0W(qUoTWi$ZV(B0TB`u+zA}hr!QYQ3s)x^mt 
zx|Go+2Wx9DDg}ARVyz3)d>i0{E}ko_d}UHupn=Qhu7#&TWjK06J`1GSOnaJyT}b$A zOPZ3hP&}2-6waz1!C4*$ol8$Wi^H5yiqu@PEly?@8L!{NUp}uHG0`|suY*vruh^Z4 z^RPcANMtWep5RDssgAcyDVodrCkc-AGfD)5wjmd-OJOez z@)TJ}`@PnuvEB9sy$+UK_NZWiFz6XS$4IGBEKF2p4eP|dvo5h30sfzIxeo=}mIJ*m z1A}sNZgSEdduoaU-WhI@Td((eURV5@kFZ!%+Aq+6PG@RkluY4)@R!h`dFY+ojr^@w z;@q0u^sL3?W_x|#{Qsi|M<7C=#+@$>oL9CA;9$9=wY|P zISah&b@KzxG_Ujjoaneig623D@v3gx*Oc2p$+}_Tl)BQB_qsbG+Hgy5TaV+d@|0i% zTtB?Ky^McleU8F9&Q0%wo-sRLD>`ULzLsTT&Aetgcqa=-Qdtd$V-Ct~rpN4m7q_;F zc-|HPYMpLHRoyDw)>(tDzD84ww(a)sKB?zkqXJz|T|SB!OmB-?_t_0dud_o=G42nU zTCSUilO4EjoPLfO7kqDbS5CFOnEQQt(@k}(z7Ie*L{Gchk{oB%;Oy4d#vr%0kNl$N zwO!Gx4Fm@Fhr1Hu+}pTYYb4uuxuJ$d@u3Fl*4u78Px|F|gYALo5v$8z=OJ*RGuM@Es^A<>E>XaVJ`oq=p=ubuwE#@N|p`JKJP zdz)=Za`M}MHd$%iTnN<+jmp-psK(fk zc5Mk1~*4kMgE@%x#Z{yeNhbV9Sb? zYFgKs=oLI?r!A> zcLnDCSZ_fU<{-;GJo=CQhg%SE-#La7r<~S18N{SF9#*3~2Od_3Tt_yPK942E@g=1+t`YhzXv( zY&NA9J1-vmH(IyR?Nh6RKFAmrNqdp^V>SGBLrPYHJR0yztPhB0Y6-gqU^#A_hv?YR0kB_nji|^K8JT!p?7mtn_t2{;a z=F^9M5@!@OUxX5bZNgGro?zR=W1jjW7QUD${Z|q6?n5ArLU0TwkwE53{VD1oop$EO zu?Y;%i#d+r+MqWv>=Nn9Z>&DJL*=v|Dh^g*K(L9o1m`4-G5Zay&`nFv{1T;9fdi4e z37Nu)LL!X3U*j}n{^$WDvQx(W{LmhvRvUB)35LbwB44jApHyBliWUMejibVg!kJr0 z?+Rdv9(eFyjL_GFp2375|2`)l`UMAs6wiJ2MzT;TCr!<7|Gg1PTUHJDqDnja- zitDiHM`}kE_#}^k8)C=wLl)2!`H}{3e2EBatH6fdRoz%j+Y~e`U>xEI--h%RN09E` z8iVrTqVm57vPWn`BTIhbPH;X*mJz;{&p;LxFV!9VhVr6N#zso8#YYPL)iR^sMdGY}gOx$?!eEQ-R= zZI;Zn?=G^``uZURYi}ZBuDDIp54YHfliF2VI2waL z5)6oE2g@tBWCxV4Z8A<}Av@S?Pv6q3ngnLiZimf8(h zWJF%oO{~ZW);+|-;Ug#Jxg)N3OMf=u{u0YZkMhh)0V9Wl`-BmP9|OTQ#NwUgV3@9+ zg`P*?NJ)hMu%;&?+#z!GzN@5EEcih`2N7-uH%5|;E51j9g zg*eA?Pz;v1Zh+tpP9a~ejI3QL3n}Hnyp2w^jdr3zinZxpypB^ZvZbAxS*TUUdKkuD zxrz>vuTPR}u1()sm{VwyBE#(~>?4DSH%pU{iAESW0t<}wVqi#TP&h2jPJn56%^Yu~ zA2U~j>-UVBEJQBCRtps&DLglx4AT@f{rv-+2&o(v`a3QMzLjt#>VbK^k&F6dS;MRL z=LlS+Fah;qJeUeLQhzsJ)Y{*HFxaXUd?Y5a zINVT$wkt~ULrl8}$-Ige8quR(hOS5^%8U*vv!!8)gmt0gb~x~biJs??~5}uIF+CWfZRx5rT@HJZ%dNvdVLvw>amKM zRISo!xV#*vcSY*{2AHxy0(!c@-S>2TYKO1+nZa? 
za+}jbdU@*n?CDxYl&bN5L5-mAxH~+yX_|cJC3xQ(de(U_5M}^QWt{hNn@tb;IgBc_ zT=Yz#oU}I`KYPBf_c!3R@Lyl2ci*)P`<1;4SS1s#ex~mMTz4l(b3C;+EK06z?B~v= zv%0FEUOsgEr0KkZI_D4Z3_QLr81_`gdVYgWf;YvcK_9tNwyS3w+jiS4e>~wmJo?d& zrX(1|REv^JI-40YjbE=~&9qRom#7+}1D4#pQCvj5mWm z&f{gS>nf+=@cQ65$L}CqK-ZBPl+nMu@d(ZNb6L-0r_72xMP6yn79V4~ah;Tb>$-S- z%QMv1dMo2Z%CEz@J_giZvNSk{*RVZ1&HO-Q)nu0*!qI%a>s}B@n zmo_p92xhfKi=MZykS!@!7oHg^SR1G%2xfAS%-;;jHeDU{r(RW0vw;{rg%lZCqlgc6 z)DAFj(4?5(V=+{51Sm$s%F+KW@N7b>l@%S;YMg)U;M*@~-E#_)<%VY?FNZbYT4I@v z4Eu|mF)mTyEiO%>xD?R;Q8-BfC{WxvTw@~JOpbE-=UfzT;}VamSKR>yfMos2Ej{*F znE}r#hDsi3O2j#D5@L@^&z-_Fia12wdO*o)5+mg**qF?QL$Xb4%+3c@4x96C_$q+o zWX(C&b^%uB&3z^wi-Ii4L1gA#R-j1U$cJ-89nP^KYqVl(IuzB6j_K826>a5Mod#A} zI>~bCOe-WaROL*YG5kQnKMI}ZNWJa62PIWI{R~p-rwA>WQl%)TvyRH?t`+wba3# zi?A50xP1YIV+He=zRDKL#+9#uk!m|mJ>%W7Z^glwYn_JcAwgbp=)kw|!e$Y*R%Flt zM=UfQO!M}a(8Zo&wgPcH32Xol5VEt1jmXo*5=VCu3o@d#GuR8Px z-Cq^IlzVg$10{ZK6GgG|`Fl_5Tl_gFb+I`M-&^eO=d~v9NAVGeZqEKcaL&Zf?K=}v z_KUlX+ygKh@QD?C8MuiRQpgGfLxljvw^{wlg$0J|QWhOaFLkM-T;@dieS$=u>d{bz6p8cl+lpEE^8_m{ zkd=QScOg_H6x6GXurg^@;gwEdXw6uR`X9pTF{yw31VgC!hZsthTGb&U>yMxjrjaDS zTgxtjioX+w0}oEF>0E(Z)i==!p8h3PX&FYdDWIwH8TC=y%V>C4hY z0H(=O8p?AMaD5sft7{QkJvLh}^^Y8~R1^%?Aaqd-R+RYb9Z$Get$xWEl=QX> zb99QqU*)_w_VhLJ=9mz5QgFY%+@0b@1Fgw55r-RO1#O--=+3>F=4wv$kgf9`^(eIS zF_N>x`}Oj75S>+`GA`IJs-yv4-*pp(nzjwYppjapP-HZrw*0vyG6)f}YV7+a z{3{S@(14R50A{V>pR`pa%F{v#Xi$b$OD}QmG2M_VMZ`XIMXJhLCmt$YsCMuJW45UN)dy;?y%(1WbQH zT5I0)soj8dE}@SlZpv0+&{vJ8Ukfwm%R$Bt{-p2WOg|X9`uNRq<+KS{Jpd0UW&izp)0+!cP8Eu0=R?`A4me2WBh3k4x z$EW#~gVdy^+u^P&-X!mxSxRsgMDwlOy7_HYcE%@R?QR-nmir08GF^kJ^D{s|$8($4 z_icn1N&B%Pw7ShbB?s`?AYAXnNcCw`r9Z4f1R%W~$kNjFdK+u8Ezsk5|95_*eKX;> z9)XqJ^}s%>I?-?YA{?}KvOI>SCE&Auw@>bRkr&{a$?Z z&{fm*dA}zsVyS08v0>dxr!}GdF@jbw3?se6xAq0e)eGzO(gF*_!SfWkt2IpMx5S;{ z`n2tyru5>K&r2!s_pmhsiKoErthzsx=-Tdo1F-pqD^8q)s@@?qg&}6H7 ze-p1+YaG#Od;KaAi}2l+{(1cjxZJyLV^IaW5?bp9`pCy()HteJ-3A#Q*S3H%1@b)l zKQK%|AFAekM0OgV@#ZN(YHwRx4LhSYP3tub^ld!%fNJk48!Nh|oo;fD_1wn2#c}(X 
zMx`u`?X~LiEC=OXev9+}X|Q^qIXEDYh$ls7;B&jU#!2BrTvmD|MB?AkAHyB@zn)-P`WPjeah7*8 z|5o#|2ZF^YE0aGI)IvY3Hzi40FEHLDb)@~_LVI-v=ovCqE>gg167V8~l*WdO zWWg_^ht&VEd&RO##~8_}RWh73hAI#uG5u6|c!#YaoI@#(98hj3i4FYWUe%a~qds;G z>srryfoEVE+sj=>R({KN_v7v{eW{wHt6K=~FgY{Cg9>69mmkldj6YIXPzbAIl7BC$ z2si0^38F^Rbm(v1?PlqoBdSUo*|4Xd0dnaGa8;73|6sjM)u~PIRF=O-P>a#Qvj|KGMT?Kb!(sm>d^H62 zlb*6D7ZdSJ{3f!^*Dp8?q$P)c;BSRx)qKB-{bv=4qUTsHhV*i!c!t9A`@r zz%a$m*F8=Gsd(0iq396LbWu`o$T7-!BC^x$v39s1$$0r)hAw9;%7ixtO7-L+#8sFz zK)R*!#{~W#LtRJDbJYl1G@rTR_T*U`W=*auwEd6VAMbgrSv}z#i>4I8#aoS`Vu6oh zmlVW;I8K6;G}JC6?_I|6_>dME_B|JG0?jjx>8#_yU&5&mgoppyj$a8xG=efBqQ~de zRj}d(OQ!Ty2C(!oDmw^z_9(G+X?P}o94q6ID$97F73th6eL@bVqfLqQ%1&9lOQMBk zTJorYNhW}6Teg#zDc`@SV&aH+E)R^GCzMK`{Y^)DSLhIrPS7b|D{JN1FfJr3E#a1| z(OQrX1|#{2@FvP(%%>z))|!dGc=IP7No>`+dqEMdp9bIG6HBeCQj|t?eZmwwTm~L| zZ3Lc=5G**H4r-8(_7<0mq>}cJL55fm#?XtP{h9(UD!9&Vt#nQvsyj4$ zDwSO^AD9Y@EDz@tI|iW}w5!`22g=CbvhUv{@${Rj5$iBn<-uoA*9$V|f^JnSj=9k* z#12arFTvTH`kIG6%elHZx)0t2K&_y4l0^{n_$2J+feb2ntS=4wMd{}s{y$nan;g{6 z%9hajUcLK16)e#KQ^e&)D%+g%aAA-%D&}j5=W3UVa#gZ#`WyBYFy?7E9or$pI_RvP z-t#V_8~*1@&V16}2znHzR{`Sa7+Z}>1T0b*`e|2r3I+sdBeOp-{&0kt3rDR($;`uL*xAd5g3ABA2!0gN;O?5KpijD`!%<^~#E%yN ziYa9R`4Uv2lV=bj{1boo6*18}0myVDd8K9b<=xaBkxA-N^T5Wdagt_CLr0MJRZof` zhzQWx1oT4T8LTU?iOqyI3p}j(s*mtQONHVHbI95_033AfM9qrn)kq~MP(`MxW+5K` zTY$WHk!Ux|b6*~=uaSMe&zxU%TH@5p^gB|BK4h!C1MWLM5CW6{D(r>=1{J~J|5At) z{L)}%Dz&|vpFfM+Iv)c#vs$1Xmn#pqzaJsKlG^FQ1-?st^tPGlhsM8+H9Uw#Tz6bJ zj_duYV!bYMIs*MpzW4jMrytgVCaR4APAM&S`mV5YW;Z@a*+ESa$sQukf;xw6YkFGa zlwD)^0jzogPfe40oy2~=`}tKhYfl$?HjO(-yq6zX56}00yw`t%u5%h5N7d-Lf%l_U z{OsCqm7GhSklW3!^ZaXr>*oIo>>WYwz-Z5sBakoY_M8u0F( z`5LymIJN7Z+L4rc*3VN~Uh$B&dW?YNHIsn%nDMP7@9RRd9Ighhb*(S^rS)~P*M$}4 z$Kz+pa#{@k?Gw3T=DHA(W%@nkDkBTa9YrBvcpd#=Y_$oGa<{Ds?q zySa@JJ9kCmGn)#BX6%|J-9wnpiuci<-WiRUzL}D&xd7d^OXT<5zLsdaAG=2-Y{1)Y z90iQwv}m`_Ui&?yYz|p3<`8&4pPe)4T{5_jf49q&*i`rMS|Zrqc3&U9R|C|K`>ch? 
zb*p#yP7^%w?%u9B+F3s>lW&3U_jwr}4e!VHlL(eP$VNG@t69uIr{+T6_t6kP9bB%n z8+bm(2*!z=uE%cnDYd2#n`JiNCQ2SbF?%4t)~^=&X$<^QvI6}uF1K%qu19gSAVNP#>&ptfUzEqvRddR7;Q5VKA%_I~`rO@r^a-@M&2H2C$Ed4O?y)+xrY+;TV zwe3yPw*E@M-b%-oJAu)W&C~&Q4f6FA{&VRHS7EN%}j*`i1)XWe>&2H81hw$t>7VAa6^8@s03{9cn9{MqP+SZfEb3K4q_puhKVEIVpr$s8WcPg#Fj5LvG`Md|!Z) zdca01^tTSo9i~)v{o=MXlK1h4(Y;O!pLwo@9E#^4}$U2ttI`%ch8wNu7er2lT zLcTK9a%NvM5ywtKkL&^s0>MfYwBp6R0nH#rN!?V_-gy56m@KhF`tx)pxVs%;aYZeVU*&{Gy&xHn=BY3hND?iFj+83Kx+AY7} z<$Bg3Yq?lPW%4uL0i-th+-G1i<%~}han{G9JVP99d8!c`xYeuXo|RnT>agJOaJz_y zq6iv`p^@mRFkI$Xofcq+lsbYGn|JCkhs{?pZD1w6BX)yK88%NO?Hd75Ll5&1ZMub1tw#yrSDWB?|DK7R zkrioFtkB6&pQe}}mi%MRf;YRm-GWCzaKRrQn;#;PMS1ijs@{3%CQLcEt&=jD7NSmb zOi6)zQza}Umh9XHlZNTryz_}ciXDtRLEq?K)ml{f@Uy}d+~y*S>F~1PD@u(qF5*$w z8c`;QgfJeQtYZWX!323I$6V#b!rd#fvgUA?x$$p>0+<#;c)v|-7g#b}IUiOkE7dYQ z1tWt3wrmm4jM&%}-sc^f#SnYT6ZO-D0L~^&DTt=O%|e|2pR(3t$s|jxCk0Ad1s&5` zo@7ad!u=d1e)6HEJ3g$U{m_{r*CHPX9&Uc!PIYdZ{l zW87@MJWs*rO>4P7IpJOMym)ova6|gZ3Gehb$sxcwl+$A(q`ItN@w@S;X z&eDFk>Jz{8-FQh8csXLQ;;+9IeZgB+>$?3&AoMu{GrXVl<#JmTGueulG5_N0WT%IjGL09-_|qNradKj;86r7KC@X^m0tr8 zVUbmiXYcF=YY-u4^CarATN$+azEOgi({LKUxu4Q4>9_N66Ssb~RqqW7dXDG4ZUC89 z#JU}E_;?2;F)|XV2|SqlHGs9h`%_ML8Rh6aWJPzGlsrGRnF-uQ-DaIYx#e^p>9=h1 zxN){L`Fh0O4+|?GY#S^?`*rQ{+?#fJ?e0o-S16nSzU&o47h`+yx?0b@T~})_=~=#? zV@oyZi({r0)_%ilUOGLgj{|z1cz~Nw2L8@nH#GvMB?3;%-DgG(hk}udxVJvf>C00Fk%IRH#Q98WZ!65ce`VW2PG36fb4i%}8g zQje|(2nB1@FaBGy5Sq7jf^Pk?Jh4BSV3`j2V!GUIwchhWZ0TYLhS^(2h%qgdTj6Le z7RJ}5Qi>2$ZoX*)YE-2GU;1BWHRo@RkYnsEY$wUAhmvip*thNC92E5Y)I$lX^(s*n zJGHp}9tzeXrXHEXVj>;xr*rh8oQZMNvYC3q18^%}fdA zfhIM}6U+qNf1D%aS8!E@lZ+$kB|RW(Z_-FNurtUolkURB`ZZO>e?b`=YV^(%xGG;S z#i>HgI;dPe21^Gj+1FwcBM2CYGr;At2+$O8l~BG*>M;8-i&y*}utJebg;I&jO~pjr zZw*_4Xx5;*J8Va7`C==Q4G_b*5@GK#ynX*HnQ9Bdt~hm|)KnMnl3oaJyUWcIU4c3! 
zDWz7G;2&qF@X?SI>zDqHbJP`HSVTG|g?TSHiwTz&lB6FFcW9-omz!ZxFjGFS)0jDG zrrsc^M%U=i5jG=x)>yPi9z1=+UPF2qs3{ELiGE62y(|k4EBxDx)|Epq{~Q6k3i}hX zSc@-7YL6xxcBlwex5B`bMq|@N0k{AdlUx3BC3TWi~I;t(aKUJ<&E`zGLOMA8`O; zf?xjd*(dsCooZ7kKs$KXV>Nq=cPU%Y)m9&vnk&;6KU1KK4>>*eo&TT2#Na($z#Hyt{@xeL(G`^qwk(R_rQ%ps$0yX}uB$d7n@Ue)oJ~cNs8tj=M|D%wFV+YY_Ze_y#){(e{0x{g z;ZlNx>hl9<(P`eUUrL;kWxAvR+^~O{3uuzQMO=oVsL{lyD#GhpYzUeQF2f|ISTYy{ z5gmijMKC|;Kz%?;5M}W{xm%+4EP9_OUAvs-MZ6mgudc^HL)*8$xnLF!lK8sH73N5N6#eL)t+S-(vfSn|znZR30m(}h zQDP9bv_G`qB=G6}e8%fR{qfAEeQ`imkjUc(ClG!dbqHjLT4XXaak3wW0eF>iobx4D zxlphDc)-*~Q7#-e{Pfm^B1RcIyqB$0M2!qoKz%%2Oh1hvsD{BH8)(ct-4rv*J-(?e zV!br{mQu@{&blJWrYaL43f8%aMw`{RHpmm6PW=d(Z`e@8mQ%{EX*=MiUufQ9-Wfgv znN@4*=x^F<4i))7<)o*kk1Os?^KDxC^SY++%R-&4epi?y@|C3SWBx*?{xT1|ugbykwyx$)^1)=v7hzHVrBKMQ+50{JMr{xFS|ioH9$InTjej<8t6VoU~SvG$ZUIp z^4S+&ht&O|W(NBF^6mVyr>QUabsK~k{{?RRj+ewyI2np+#piPpo2<{Jrt2*7(UtPFVy@yhIi-rXj>Lbzrg$tjpfr1RVFm02@>!(p zDKO%{tv@8!2yE~lzw9%5-oCFh(C4`H?a}JAui#AQyuEl%a6bc$x2(c%i{6l$pENyJHUo%?xTgvWVy=cEQImnXx(YT?m;KcpnJWJk4rUSj$hHHeY)$6h2oj(+iCb1vDIsGa3JAH+oq<12+cM9evTY^dad0h z@pUIUMW=N`vEur1DQ(;HxQLw5$6y)ad2KM-DXo8h{HUwDys!FY#B-RzZHXJ}y6y#H zt*?d1N{_k1^->nWf%dSq>DtfZw!-hVSHAmxqlr_;sLv?ox@$DZPGG;L>9$`ESlYBI zH?tw>B-?rLH#E7;=29(#`mz!&C1QE9$Z=X?gCA|2 zsaPw)3w#%VhQNf!)?Mc-UB`h_=BiSL_#|bq@l-`m`F%PHMYd(}1X!QHP^3<%1xd>4 znccohVee3R#DXmIg1Da~6l>YsS8N?&rrhNgCel)v;?!7jEerTsY~Cxgh3SSxw*gDI zt9k4J<;ADt@!uQQWO+!$gxP7iDN-w4e{3*5Pm*a*Aw2{zfd*?*6Y^i?d zcch2O`y5f+|KzR;|C77A3qV`sk^N2&;aIo?2l#2CEQynRbW@yjutHNoUb1W>gdczD z`}6ylibyz0jLjmIwLi%!?#KXI&cPcg-VB>oIReioA0x9^KB|=t?MVJ*rLNm!@npW} z>WIo|wXKO&$c7@qw?w?i`RJwq^CMOW@ZW1e%xt(0^B!37h3)43cY7=ZLSnS?8KxUM z{akVVZ;QynRH-=dwaY}}imrR1Ml&>t*tumMUYGX+>Tg0W!a}>%K%&h{51iyZ2 zItQGP#kOZOCCEmAp%+bH=?qsk&5Lm>}Hohwxk+p<(cVhu)Bh z3qerPOGOWU?_ZgK2uTm#2tO@awdbF$N04i6IXf@^mFd+Oh^`auD`u9H%Vke zIZLSj?vsok_Kk$)+gy@DHfy~1w#}SII8%nO)Zv8?Po71QG{P=Pm8O1&SO|N=+khLB zI1Snej6zy8_mg%$MC5q^*Y67VfC-9DThBc71E${XG5*^@oZ7qlEm!4-q8v6{W7N2>>C(1Qsi*TmIDld16iczh-$HnaJ 
zex1SBPa(PMr+>CRd{>d4jzFvRuE!aSmh9nY!tKZS1lhW#&!v^SD~;<97WwCG&&8G= zE8RP`#?8&G?aBiBr}}X>uOn#fz&PwC=xbTp%ASr5<=T6BJfK?_GaNhWFD_kSyl5LxJ+H*kv0t-Q%XAXk`=WvpJYCy%Xx#d5>a}91pMOZjnXBSeejJ5W zESGn&zPG3y%eB6>4lSPvP#>JhsI9;DCPa(tcDbA{E_)dfitTh%`P~{3X@d-W%FK>( zwgFy*z#AZ5=ySlO6_P<@)8)>4$Auix+XRarA9YtBPw+ahaS_7Jrs;iZIm_n_@p{v9 za(*{+;^X~zbKvsvY%#^}dg#$F$D33A_0swB6oTJ%SoktCA)3!;TU_>%&TpMzv}ENO z=(#$L6b}7@cwmr%Z(Gwen}s*6*VBHsuaNiL%dr0GNO-BYxLVNISi51+(!&0JN$~u3 zo4L(^d!6ppG5$HFb%8xmfTgwn0MSy~?YlI25-`NuH&!FNv#d7`K7KX%d)#7SPR+z` z9oea(#yhh6apUC0)%iu{p$$NFzjV=JYje@G@vOS2DjX02yz|%xCA@&HpK_+NK|#}* zU-Yp?zdk=)@KgfRZl}lX`1!%DK;gDwOQC=-%ar%ktH9!QHi)e_W&Ib(wJf`}7O12R z12VuVRDo>RRLxs2bY_?@^e;3?BlzWlhro>67DPcXEQ4y-N1m5F6-X#4o+lsgWz?BE zf>6RJb!H!%l+a-w_#+T;4(g0+*>Y^)0U(z^MSE&v6Ay3A*UO|PgV?LaA2Opv9hF^lu^ z#GyQ`e3bgGRgf`SK!tK#n6&?4sE{e&lvdS@+|r4nq%BrrEcH@pX-;X$YN5m#sVp;^ zaR9P-nvjwkx~2ujo`fNj&g{HD_bm%|L54(|43w4Z0^9$g>KxlEjk+xzR4Ns#V%xTz zRBW3S+qP}nwrxAvvCWE|-FZ)+?mqox{(yZw*Pd&QHO4*UBJ4UNl}(n9-M2!& z+?;Fu(BZ+Z;QW?ogUS-Z#6NCSRl!__$?S{@`e8a@rrKfC!;D1M|6&9qk;P= z$jrm2xaKGB6k9(JtsLM`zq%-b2OPriRkVckU{}QoPmhER*9+a*_q}1s+j;;Te=;{K2f){wYx~XolNr;`#IR zm(fJRpO~wM1ZUAuOFF{AqdXaVcVgJ8y2(g_0#q&BZf?`NKDX7gW=&zG#h;iKS!d*K z3FcH=epe4r{A1)DCUH1e^5xr96=}6elBkAe=L9gznv@aOR048yVj-(kv8+7+xQS%b z;)8aT+P>HJCv}_*SlLG$z{Sy9z5O?+Bf{m$^Tib_p2-Kd&xx=^OBU4*&Xz-x;sBD6ed?Z<8{>4bv zsnTAR3L_jStzOPIaG(G$yGBc5HxZ>YTk39AWDccKHi5*DH_QRLT8Z7^`}?8iKWVlQv~il zjqmy}L%Uinppru@RJqa|quB!AAC+F1`?JExlvsK?C{Lah)HTelss?h|egubo0rHof`>8q_=>)=s-OaU>Urd}1_P>pn4UM)tY}niUm7LVFJNNrAf5&X`dT+5y zbDZ|EdikCvlxBOzbvJ`@eJ)4%vsy2SQZX++t-4cB=zz^{v*YS_*Q~YCE^CIPkVAU0 zPwIz8r(f1J8fSjr{UDp31Y0~F&6Urc!yN(byD_#l%WqkwRcL%!i(?Rs>(wcqaGYFs8Ug1uB z%jjC?xPCe$w#t2XZxp}xW-_=rb775zEqGl-FgD$uh_89;x!$dkRIo%Ha%oqpE2fhTN+6sD!^(JI>vF z@XefE4ZZttO0VjHAGyA2?`j|7C#Q<<+^N9C36Eh8 ztvP~WOPQYky?1v+f$2S86BJq$vh71mqo&No9~)3dR^{^&@Y%oaQMKsngHjm1@UKHyP~hE?p{QS>@)GDWO02w! 
zUc5r)Lep3+VzQh@Rahde9?3}lC~ld;<1T3y6P+bjOV;3{F|+W|VGa5(gF(}*Kq{fu znvkwZ=2taxj_&ZS?_GAG6 zF_i5mOsEFi$Fo~vx-ysxkU~Y?!-))Vj`Uf^mAAN!l>hy~2&s6bnI(AvM<$_o^nihZ zK-OH7$?C3S;Hghlm@inJ9&#@<$Si14fb16A0%{a(?q-f4pu>zUXXGHcNM~AkZRtChbG$sE=MAz zF^FbF{rE3iXpXVM1}!6VV-G1xcZJa9x29wmvI9b;a==9~B36o29cvH;gDB@Y;w2|- z~SEXp-R(|n&}fd|0Dik=LtUy>(;k| zjduKjuOK@Yel1X5fZ10?P7rO)*`2d#;pZde$_1Va-!Pm&#Ii&XY1!022qLN& zon-dtvK(n;?HEdyU{Lv)T>?vXGH`L^e@qIIRrcxq2?jX=5;b%W`73Sy6CGF4C=gw9 z4@dS)=Jwwid)2O6Qm4<8>V6hmh*|ToV_8N=)w@UNW9oLRF{Ou$F|UbNBsr* z1($}>81-%0H;m0Gm@7j0=_Sj=kd(w`5>QjcH!x*0H0^qVWr&3Hq&Gu)IZ`3ms`@q6 zF*tY3!?h8&s3-|hdMw7>FmGo9Pa3Sxoi|%n6Ra7&9pBT3(yzow$~(u;zw72-YrbEj z9(H~F=t1v9GzA+KBMFaQ8C7`%<74s?3X@JP;OfcH%G&<|pxp(Liv9cHIO*e$8+&jmZD69o?em@#zXeZPcN#K?;B7lkh4WMIj-U|jD}Yo-F* zp^xN%768p7>B;_2zA7qSG?MQ4;}j`fON>XIy!?%Ja$=3gV zlJneNw|;$o36n|Cgp)JEz9WAH`eJ|oyupmfg!#3~z$@hARJDKUGHRx+fY}|h?W|FB zz5Tn5Q#DPsYnPYxXMcL$&I+fo`LxDQ(U(rg>;pQty&2vUzFO}(&X<`AS9U=EgqF?2 zE#q6|&4pC8<8^fT$#wM%-^2FnH>os`L?rj#s!NZ#3h%w>`S43C`%w?yq$pEu&BfK| z^>6DO+S=ynzzG1*$=F!z68{O~QCqpvZhsfq%j5L`eg}QUv3|Jy-r99E2$!m-!sk=@ zNuT}P?G5m?xZ>B=fK#O2>DYoK*KzSW>aCIaI**OzY5a7@)^&JlhIo5I-3g3QZt=X_ zy3AS}S7P_!?|fz);l!tF9+2d|^mz}@{KE9yJ2x3`$#}q*X}KWpm0r|>WlxD2PU+hH z#%p#xU7_QDes5hlABPsQk6X2y>5Xc;M;$pGk0Z;`Ai&i2zZi1(jrW4&m^G)~lbvm! z&igXU8Q@ua=CAIX+#GMGTF96l{rTvZ;+@iKUJ$VUf+uWYY#cTCo1=`>%ZD<=UDS(h5XlEPwTC2sa5SK5(_bvJzhZTziWq|Qrc`6 zpX`I(HeEB*ISg)gqpkRXF*>clThe>i4wKw9alFSj1@UPg@>6juvKJ#_Z?Y1fxWs5j6^9hWZ?@ohw2ul>t! 
zT3ySg(=B9eJB~)fK6T}F*p~0Wre!)QJg2qB?h<}(o6d4(D@hKBYMS@{W7N+8q@Z8}93ZlwkQsRYD&@>~y^5=Sf#eQzx=c-nrQQ5Pp##O0l zr~~WKO1?6gP78@wDNSJD4cMVk(fw`}HbOU2PF_i)7b}c^ArqC8g+#zMTL?jjRBFy( zd4kuj{DxfX5f3VN(+>s(&{Fj?fW5tf5y?}gEZOV*k=4}69Qk*wPjZj;Bi7;z5%sms zR8b!S4w3>Zse8)p4~saW+5mKg>Q5|&bH8~8WmuLd4}CT>A!l@Kqd1#mf!H6+EV&~G zx}CXX>gxZU5E@GPQo*qOCZxuxXNV&Jc$#fr#Jx0*z*+Rb%LdW zc8*im3lm?n#kLfSQ0)PzUDy==O^mpZtMhLdcg*ifD#hAIldgp`)cyDYp|=N9O2ZJ6 zbx|C)*ijN)e6Dbjb`C$%az^7(6~?WjaIg|05G)UwnJ0&eby}mmvD6JFeHTkq2)scI0^=dXl%O1w+c1=QRB9`PAdylmvdlmX z=Ak5ox=_2?Wz)zOfNfN?&#G0-uwmwMX2#4RC><#Q>Q4DHhqM69S>2BTPNUmDd8dBKasm!b_?l#yf_z@ypWY=7G8%%Qxl_8Dt_)(z92N} z&)SWB2#3)EU|#gefG0{o37_Zh`iqkPs=vqrCice_$%wHmqk%9YjwaJkAZFLe0iZB! zPlzh~E=Y;Mp%bN%nB+HDspBFS3dQK{NKCNycondu>#&qA0U+_>O!v39sllJAiMQB|ACCWd5X7@Lc=hCC^weI;Q0 z@0quP5ByUlpvD|KAHa9v_V2y#SLuKDEw>z$TI5?<{v=PW+wzCVm;=!-cT)Ob`I42x ztggA-ZPQ;egg1AX3ZQqmCAy^0-Bx%9@dRJuGwy{$NKA6cccXHtFymlA%!{ZmoF{4rt_r ziUrs$!`0o)PoZdQmLnHz_zcu? ztVhRmL&e5^uhE$PyejFx6Q&TDOthfKKbY4n$i?A8ncMpHH|In2yJzh&p)&rbaE*EL zieU3g7V&>va%X3APQ9={LPdW47)dm~lX^k8{qA@Cc>jb9*)@g^4I>HgK?QQ&<~^&{ z^a!h4UXkxyTU~G3F9n8f^Lkd3KSQ|41Fgu@rPMaPW=P+wJ6`wMvss@bo^y1LL!Nzs zCtEh{XM=+-o8?nCO>aio#95UuQutc0Lyz#?&eI5d8IFsbC$>%78@}y68;LuUUN~32 zLq<6*UzF!Reb?^F5q!_|Ps-%78qfA@XEh(@pYY-NpRco%lY4qQFvxGtcN{M|ki8}> zJ#YR!LD}NN!O7HA-+(4e38OHZ%tI@uHU$)h~3pS#s(P_G=m+Jxc4|~?i z#Y4IRU!Ls8H%QOIm+QdMdzF{sXvuB0yT-qDWp-PA>fTjye$PRPk2mwo>oxDU%j(P< z8x@vs>~+Hd9D8+6+LkvJL#|$mOs~@lA3vYm%RH&v76&zZI`AO2-Z6#-zu~j{Z%@l8 z9krh0q&dE>{iHsf?~AZju2PrjP!D4G{q#&qF_ZV>xY5!TdbER^*AeLJe}rDU&qkfoI!U)qb|HR2&t!Ol`!QdM zP5R7`%5U21n#-}iZhBCCjLEOzyQzLM@dkbWoYuV29EyEGmjOJox3#)^X&zvEVn(af z1EKRdLdbE`1rLY36aU0;X?R9X!i`c*$N~6w2IZm(SZDDpF1rP0df7pAItDp4w zmKB?2_-#LYk%7I=k2|J!zCHO*wJ))ml0UZ5tz>;7KgCVTja%maPzCR&&H@$qpFeVM z3V?YLfHY~qX}zXA+KMk0Od?PTZZAy*v0E8~vM}L~h5(z+gi?TU*rvcFdwo?3QN!cg zSak`GC|qWkh|H7=th3-0jyg_SIa4rMCNv7s1jC-$($4~)~!PVatjlEeNs&N*^I4gMDr$bLMAK! 
z^qQoxHKYYquvqvC|8wCp^}dG1;k1oNM-)Hz&hv~A|J+WX&*gxzICDf+lGXaVaWv;uIYWKP3aw7!vm?jv6 z!)aU`*~af-Y(Ks0#9p?Pb1>z0Tsq^9rdeQ6h8SeqMQ2S>NbNwL$b~_u_o|sB5EfuH zMw;J>mZyqCQ7n-W6%oemSjjT!5T8KIjfv)ODUAIdJ2k&gLxG0r^F~l(B~0pzQ@?SV z4a21au!P2G!c`9p8o^rMf^`>E3tEsy_S$m4VavajWGf4Hu8o%vXGS78yrFush#aq&siUnIFn6CB&1e{yo7ifJCWe1}s|4Is?36xW?mLI)! zX;`(W&y2OqD^nU&p7$jd5-6lvPWd_NknG9)q?Da|LsFQVk1$?ds?$3DDWFMm8=zfl z_A6Uhdpm5juz^L=d+TurizlXCPu}pJ-;(~8`+^^adFw+DsDOU{k-IP#M%v3$Kp`N3 zuG~|?jd;uwm0@OgpjaD4YN7$p*@Ctk6r?_GRZnO-bj%RAhDidAyF5$2k*5_W2EU7e zsgorw{&z^$R~fCWM^9niqkEgOn5+2*b-?39AGMJ)RfXW?s&t$wdTsIQu`ySQLHG}$ zKSB~RNf)f}xJ|+E>EmIya|uF}3Kq+sR2VB$#=QQk9o8bCxd&?{;wD@+iSZ5NRsg95xO5#So~`yW36_8O2Ewk&sKrq4~Wj-52FlIeFwwJd;3% zJTzuFPak5?DC>$PAV^RPX2L?4;|UAq)%I-^e-L6SL%N%bB$dnm`zb9fU4Sx(tl<5l z?5u`=Y+QAY-Y5HUho|CO>J-@btpctHnqUi1xo4wfe0N%vVng6Ld&3gWu~5G1aN`;+ zJ4n&ZbAiP)igag8rzKaY85c#(n@;hi6SL--DV3#{4|W{2UvUf)z{)lj=uSqD6nhDs zL@AnV(w8h@l*2P5nT9FUz@upji9##>G%6Q>P==9j%oPgI?Xi?9I^sMqsOE#~6mC*e zHR?Gn)TcssFVdN`2p1u$Ax%Rra(`7u&x(O0*bjlIPs2$)tebx#ofW;5^kZ*yW9 z8vUXvaX+qrduxG9n~taE)`cekQIIBfv|0xvKuTxaNEiCvQxSX!GBLH}n^~WOd6E9# zBmD^ht{>`7>y&?W>bbW!{YeAZ?gO=-;M)o8laC;%CkaCQm--L?`=ZMKLsDNJdgQit zpTAe*{@h!)JLqIqV#n!OX#hzrdn)^D{WR%nV3MD0h8NhKth#fIw^#U_+x?NGzqMn* zJth?$EFQDz@_tXR`_#VC%J*1(JuAy8(RuXmNRKkN^+swmw|ztP94po;txK=hJC+n} z?Q;3qM#FVxG!2_^MqqHkwZ5Vs5vzVRkH=w64oFt6I1C=e4*k zPQzcz#FfWTC4!|jj9 zT!@wWUj7R;dfxWandC`2$V7fls9w{_R)E)i1v$RAaV~qW>bD0v?>*-j&~dk#>8t)V zNsqSH^`3fw$6 zH8?Hop=PVPeIBJ|8m+gKW7XICWqOu62$aQ42OZn5Kf9LWMUy)ZCsHKPRQ1 zpC96#Xq)`T^Zk3Ube7%R%I7;Dc&!EOGphO6eSN5zC9UD!-xj?|rRsHy2M*$AlvCI4 z9Odxy^d5$!UUfJ)Zf*4P3oS3MNdfeL+5DGXvbK@A{A`$2uDX{x5hces{}w&bJs+=5 zSJ!Rn)$evW9a}kEXQb?wq%w74eQU2q^r5ocU;`1hec2DhRLf#b< zjrw5#mH#e_7fFcVB2A39x=gVDR$+kpV+5|T$6Sm|gkuOqw2Kif%*9pFge31=8JlQQ znK>*QSI&x!SszB7Pw%c;fljT01+qbx^hbY-R!Ls6U=!Djk)2l2kR3>*3?|sR%Ji(E z1*G7qjSi`$P()0=5Uw>!^O<6aP%@XS!B$Lj0G$TLUYIxM= z@`tz+xZbUBMuK9s4U&|nGF8=4zDP-=Cd!y(g1c+lcfoS#Djj-1m+YTJm-XndIZ2IA 
z7C(QNC<`9sTd`tl<4c3aWGhGMAE+8U1z^e5t0q5iZ^5_I@>JO4JS_4j(?V?6XzcnF z1SCcZb+L%Wlt&rUaE5mW+tkeGlaQS%COC?cjEN*33k@?QDLPgn=8-qVs^Y-Jp?(#2 z2*lhks2V?i_$N>OHX+pzpfX)Wi?(rLihvBv%ei!v9ohijeq!dpaEFrq&Oxwb!Fv{> zgF=Wz>R2t98_$g~rk91Qy?=t`G-!W=xG?6ie$V+huFs;_Q$I{#67{A8Ng^Rot#e;crJ-)7OT>3u9e|L*;tt1PjMk(Qdo z9NGam84k%3<2>~U9Bbwzltlpa7@G?Hqk~abVfjy3b|zL{b~4Eyq5}pCt`@^+CR(hl zq~Qz@zXtk5w7@8qoB$8xf=Ji57z3!tyz){pIze}@4m~m4W)MeF6*mvWTuThK0!Pjj z@~kof1rj`crn zqN!`Uj)R3jTu>#gwh0@TYgWm{D8cDHy9j$FOS>RJ`W4Qq>hI<)ft^APls;6)W@@S6 zjF9ATS8ODla0H>pwCn%q&CHqI%+2B6$|_LYK^t zArFPUJC!bF18f(u!eplTtO z^<>kMUD<$ua)frfvL-6lMJzv2mNNy_qTgJJ{vc;L8q>qNVH8Q%7r}4Rx^w@ZL=4ID z1L!-$59|bz%+DSI1-`$woj-w38Xrhzxx+RuOTH~Kwk?wH`?D|KTa+S~fC9RdfP%9- zURY6U09)w7cYxf|s|Wbu`X#7H8TJADP34T%;|mcY5fnh|I0E{N$hpoo((mkzJtAn` z{klecItA!{?uO~8W%HjL%HVMx7AGczZab_{($}bHz7Axr)OJ7aQuV6C_IxFKhX88r z7H*pZ(LL`=RPbQ=*V{YB0v#``30@9VHYzW6{w;7r;yb+MOMN#;>CR55eI2i9oKVka zZtyzZI}UiRG-LC7ZG%T{dLKM(SUH>%j~>pvn@vj^WNX!QNwt6UL_+%VUe_s+`F5Nk znBApC9_!=J*J{_VRfbM?*LA(se_c~=zl=0|RaxdjAC@V4*=FkTc3cx*xWHSw#Ct>AoAA3gw-6bs(AeQ*Ta zhsMV1EY}gP74PN8P}giWweF8<@JdMj`aQyh?X{hU!r{E!Y0kqsl`p%I;a1!Fos?OR zUU$2hin>RTu1)btE4P&j?3-3&p_grQOP;ppgj7rf-l3^4f$J>CMJY8~#|GES>DJB9 znEUle>Sw$z(#HvG0PX#ZoXy5Q>U&GR$JMOM&OdbSD)ztiGt7b3cw2=|yTSN7^(W4g zxbd7%CF3%+x^`z(8*1iV&$_Qor`_W0Z5r)Vx@Td_tB|Vke}Oi^{9C=3jkC3sm6QAq z07vnz-lI--UDvgaRAse~{x$k3F&7)0o`qn98+Cr~`9^%)ueTKwKxhVlk5B7$_o-3! 
z%WjsQ@e7Cs1n%6;0gB~g)YRzh_)halj5SNwoJZOF5UhE{Xcvs4~TLmt=)u0(Q^uHr9_&_Xk}vcf9mHq zvGzvE2x8GxET)E%Z-*6B5Ea(HK}c((+T;ZO7?;y&QAT&d7#FXYcS`Ew*e~sT$>^82 zC`wU9^9%?t?u_zCox$Y%$}1NzAZW5Kt@Li(G&?0-QgSjQ@f~2tOc}RqWV}Pn|GAxl|9$lKc@8yslF(7=^AK+c8Ic}C-e1;-} z-k9;VvjeVBG(2l1<_P@D9Fd3i!MzyAzm^t}{5#f#ENyz=F?<=&uZ($0^1-A`3;{W4 zC=;+mlneikR8v68dZHxUO3mr*=)sGW`3szJwtjqH1Q*+``5*?nDGii^n#~PwBG^Kk zrP+hoXoFIY%91n~3!(#&19RsrjS?-iTiSCVfGP4gTRYN0S-!wt0^+xeGVQH$x~-{# za&FDoJYg1+kh<`l7ZAgMV3j@6ftyNm^>EIhJ;#R*s8UQFFG;#uMSyiX6QlWANQvmVGUX1Mx0;g5lI-$xYo#;`GPdf{HdIZ|Q#hp zf-ZPuAfoQte4E_t>g>+b&qkVHpZw3dor%wZ;A{)NW_%}ufy*D5ax6)M}GCG(*P(<-x`VJ&HGlC7a^I(xo}e5JkIX;N_GKS=&!zKQd@BtYL0n=SH+ZCK!C; zfB%7A+Tyc@V_83>R@@!Zp0PH-^yFb1kyMLo)-Ft`4L(W<3SB19hzd#LB+Ntvk%^$3 zI(tKvmpb<7?$8l)UNB?4W1(BOZa}8Q<9>?B=2M>NQ{>l2p@UsyZ4>Jd3ZEGkAcFsg zmS`(hb$nullteDwptcgB&2@g>r3og8)zx@Ru~V99k*8A>JBBzUpZepb>5@u7y|I9K~KTx5U5-jgJTF1e}iaK zYb%u-qEW^=F{+1Xy4LG#tz~8wKLCpbv*6|DTXs(-$M0A{&H#-f{~IQNI6{#k$N-U8 zg|fd;vxB2dhI`F77SPB4)2f6HX3G%e>Q-XI%!MfINxpN+C2jSVfvC{3Cy)`**cC@e zsluw;0;HG_S>lszb>*G3@ye8|B=;(Kk=tLpg2yxznTRXBV%((RiUL4wvuZ zI<1RJv&#!2vhkXaf(55EQHRUDR=I#XZ)3^Ze!5e&J zqRqM8EmQqj(4tW-c=W5DqDlSdy$HQbRA_dG3Bu}l8)YJ{w7n-@N~};Bpb{EUXNg4I z>Qr4Mg)9TMtb_T|q)~?(r=1ga_En{4|3q7We!3@V>cOlr-%`78ZYSXpEtzR-$!Ck_=~RH--xq%pMA7+ zo=!4lbx7ae7hSr2Z;s&GY$JE)rmpzCZ!3(hIq#3}V^-e_wpLM}u4)u^>^7KVI!Pbz z^o}<0iiN+3T1-`LxTu5oIS6xJ!lY^h9%WyOi-1O+MFWbdQD2fL?8K<9<%`KuAy5 zIn&ago64gUp<4l_a$EHws&(W08mfhpp7nYByj6(cvwNx&g9ie+(=2#4es!bgybb=I zb~1<{@u{X;n!5$JmF9JDNXw>xw{1BMezShDj2#7OXhI4v^y zKH1j#HpJr503%O4Z$9$u?@_5q`TkqDKLHB7NPo847JX8`^4De29)BB8dzxSQje?6u zsH6nfRwcd1zv-~@e63$v@13c@L7Akp3<@oI!(g4&H(Lk`gBhUxeaL#KX4XZxiHGqz z908r_yGDM3pYS@SoB+Jlo(+<-*fvFK=)@1+74DMjL!Q+cEPsWi#=!L-({7x6)Pq%U z$EBZr6R8S}1eYWssNo_dGAHMOx*ZD{(qz*v8-LxitP(ROOX4Ib34}fNNs+BcxAfJa zMP&pmBPh^|xiDePlMr*A|13nE*)(T7F+Q3 zzZF4=kQEnemmZgrFM1-kP^6td+|L^z2?OWSDLxiA-j`$`B4Lk19Yj*NeN)Pf-jcgp#__O&O~TkRd(fa4b9C!_!Xh(bS6~FCfdv z`3bkC3{|Nvkgu!45-z@c-iA!>K-?ia`p3AyVC59+u_!==o8ZZ~G 
z%_$XOx`a(`P9Wl>*bn(6c~DAt7fZY7gSQbpni1syqFbTHoPMfHX@^{{eEQz1b>u zL_cL(yZ!F;+YG{3O_($$uvso4 zL=~9=S`8>CMgj^ek&^vHqJwo=hk+2igNXf5#Y7Wiq|vfmr`sa&;*(v{u>JB==y+HtlKHmNfNnU$A^7drL8rdPux}*7*^!ny4Xq0E@0g zA8l~y!8zhCXR%3sGn3%_G$;u-O6hb<1w=j$rVg?ghBSJ#5Z>{Te9atbiPAunYPLj} zcFzz>;seH z$&gb&dIaYW>gZR{jZ~1j6!Zt24C9FKAJ?Q2Ima|2=$dgzb>ORKKHK-->Ctmf2EM`pBX{LPWcRW+GvWFg%AJZ; zn(co5QK~xDC44ftx5hoY=6f#&JQDV8p4sw!Bk(?aQse)exW7(jPhTjw!-WK`)uy2R zIyKy@mdflNQFWXtqUXKuzA&{;)iX9x&^v!rB3t{moJ+~(@iV4r*}lJY^x|o3IERX} ze?S>nv~G6K*a7a^)wXpP0PEJdx$o~fZLg4Di9>{~JofL*@3_v!?t{_V*UhwO+~--< z*Bf4$I(naWTJ9$&!;>-VZ+FqNrmHi>ua6mxlaaGP&Cip|_Z+VCGipFDoA-%*=uNNL zFjo@CA>(&{7VVn*jgI3&Fu!(ab<)bFR4e*)X0MOs&U=c-WxbATdh>#5pxWRt-UQyU zZRdC)yGeWRrR!ZM_qNA_UaZ@G9=_Gv@q(on0*US9)jNi&!krwSR|@ND`+KG9rN~X# z^Nil{=aFpr*Mt5$>DLGM2m6R?%@XImnWITv1AOPNwxe7MHhvC;mE=zD8+*F|;e8NTmL zH@Pe?`{PP8_w0MuEl}bE$o`ISmwxY?_Z^xxUGLrJ4`-Ca+~Ea|qcxpzIraN*(jHE} z&z^j1g>-LnR2M2=vtX|IpC^;_7L?H@Vww&dXD8KT@ylHW1Abew?1v%&E4X|x=rDyK zQ^&)|nWP%%(g0!|3q&fK21=3|q%tX%E0IBrMpib0pDFsV7k*ag6wCj!lQ8!=L) z2~A)CQk3{Mp0(6O!UIJsM&rF0a#dtlEkf?-r#}(rGF7%>tm6={FtzQh;uh<(#juSf~38dJ`=Y*7_U*I=HUA8Ngp%Y1Qdw zQQv_Zq7DuG@x%QoftiU%qQf@H1?yt>0!ai#8N8a6D-u*#EjOz8vL!3mQ#I7)Yxtov%@iBR6xA}nIxY)p!pL;Eq%xE^gJf=#DRy$z257`UwxiW# z7UT@4sdUoOSO$eM%t8Gq5>DhQjW_@`niZ&P9#;h!g>bN8S@>AC72THg3docbQP*+0 z3DxmrK3HdXko@D6Vg@?NuL5-ieE0-^aX3%i7|B9=fJjA7b%}#0oY*8U%aI=Y?epk=}Rg^I#jNuIg(q6rkftCES}!e z1E8OfqhQm7<`4cQ2?#qSRFPXWjUe$E5b|cZT9ZpmLR2bS9sOY>c1aR!sqw=q7;UN% zaI4ArDGXwbHVIW$$yu?8s!}`t?!NFq91m;7*$?MfYgd?kYkiCC`3ox^q$f@2HI z%fTlV`cd}N$V7XlRWXRfffSJvz+J|R+w*Ee$>jYT@7=wwO#gQxZ4!0Bdd5%+IQ+Sn z_Fu8-GdNOx(llkCeV1fis+f8~#KLMTdKEJa&DKK)aFr^S5u#CUMGlIiJmbu$3F7js zd2O(k&Zxg&A~bM3*)>eW-+r@kDs5oo2l-<;P}=i|K|jy;3EzUGNTjnRZzr{3Fe5j( z3VtVBw%NXfxY^o(>*(#ZhgGl}3+xjiGoD5z&?NAHf?Ex%#LIA%LT*)piuDr-(zfYR zDEx1?6FpN0N8BP&exMzz3Z#Ze&i2*;3eHlWZ0TXK6FW}J2CX35OH?IAvqO%`sudM0 ztU(1F>4(({9_TVgLa8muS|Can4cnd~9dF7sheZU{#B!KyL%dLFp>(D|a930d=FmfC zQj(gcSNZDM2}52#!ka1ipr%3Z$|)ihF4ga?e#`Vo9CaH+shYl$2Ng)Wx=MBT! 
zGw!6{`9_jb`kZ~l`?5sbST6BSf#(4wlL;J5${i`$i71kM3)v9Ck4#5-*aLL33#c)U zKc&fJb2WPT3ruZDFQFYbl7NZxRJn0x%yCy-@YD-aZRKI*l>+ z|Awz|<~AY0f1GKrU(f6d-|f^F{L4zf&#yod^enJs61&T9Z`xh#S7J~P#8+SugV%bY z0nMYz$4P1D<-fUZ%bW$D+a9><&9C-C#XERFuGhUMd5_D7W2Mv~H9+TKrrtF)HT$J# z5xB+69bVfj+tvH}dawFg_$Rw}JW$*kp=VL+$ZGiTHdSqPe_lhJuiLOzbyL6ox(YIP zjZ+H0Z4XWAx_+8|XZ1-gQyFjV(d_Q(zEP^z9%qQpc_tE4*U{#yq_}v~!Lo-#{U})W zWrH;&bX$#rpY5Wm@@Z`{(^>g(3BQ{WvdN@#CvD^DwsoZDew%a-rKW2)t;BAF zfbX(#_FXokbtH5PG`i_2#4W7}_6N_8*!DbC@vF8G^oys}NU@fnOQ6L@jx$l2RB2G5 zK=Huf%7j4#-FWXebxk=Tsl6# zRyRIRj`DggD57_DSR5IihTYe8I1bA#uAuq0xqR3@<~jq!w%zxZPM);hmCfo+S|Ps7 zkXnuXSv$0}c`VvDc%bN?4;?pq0Q?`@Hd5B^pCKFc?z|E`_h*v1XlRi&eEP1A^GdU$ zHCxxap*CAKi_w!WEso#S7M~Z8pLjfH@fWIQ+1(e6u30Y!xJqwIqu$XDTl7eQ}u{ju7m&`W|ruoenuUvhW8sFA%HY& zmy<*G2e`~Tw5BsvMEB(nnYL>oiRp*mY2+S6e|wg%q6S(F=NnP-qKly+;=tCgdf*Bk z!%NT_ghhzoBto%TLIUOc%%ttFoC2P>n!PgYG>Vm`Qc0-!ZO~OpM%y*voKQei*#k^* z+|4)Vs4GkPsDZi7Vuxd~Ft z49Ags)DEA|Su89*_kY(JUbJ&ln@Nu_8=Nf2pE55Q|^g@?6AqSp?5)%-ekL zgM3nym9C6IxZ>bgunwC-q*kLTP3W}680vz3z?fL}lnxuQ;}@!Bhpd}K@Y#}>X}&3% zpK&%m>T5y~LYi)Mkin4+)l~_%BK7otx^UI$Cn%Nkkt<%psKbW8K~!Ucjx-$IWotF$ zAjrX5<(e&I$)peyQp61cfoq1%nnRs@!b3^g0h2Pz^Fn-*!Mt0g)^qkDM#(A(x=C`; zAR@E(-!C(=5+PC^$*E6^?; zyfs|hKh_OtiRicH+f*++hVmkpMHDMUht^TpDg2d3nebw}8uHj;3FTD8byjKlt(xTm zRj%^uSButxF+d`XVDfk7ykDb`0Nvr+mO^Dvae;^cWes0`rM##enU^Xcd5lS{8iyC} z*g+!kUI-bpEr`zes3PGMASKHO>V(W1Z@gw|!gL0R0AG&y)R#YIZH=NZZC0=?7R;Zs zO&035MJksl*z5TI2+2Z=6}Al=SQs8rA*(0+V7*>pfKYB|pB-QP)$|{wVx^TZXZ&@; z5=o#RYSaEb61D`p_fo<{nPq@UVh*AS)Svj_RBC@*I}A%R;vWr*o-e@LR*f1Og3yzc z=W2_XNn65>E_L&mKx8m1GV(Swof#fXEcO`*5L)g{MEy6*5!6nh|7@NSE8x-t9JU0> zs){_?%%g;-V%O1FKu)t1K@}n~qJN47)3kgN@mR@;uvMeJ&@GO3Dd>U|Cs{O4u!$E! 
zaEl$aVp3(#hn(SU^1qmR%dWV>ZD~7!-~oaK zf(LhZYuw%4-QA(l;O_43ZowUbyC=B2Lw7&yGxmGV`(^%uHCByz-8HK^xo6pM=nS!eyHyjr>H#ac?qh{ zM(;<3Hu7BOJ!SIV&S4Kv-j|P$ANzJ`qvFL)O1g?ClSCMIhF; zEMuC0dkJUVnoU9xv46)A!{#)XcZ}Cy%9GdWz>|Bo&$a;edHdRfg{Te@##wh3$C_~t ze{S-hgZ;EvEjKoCE`pNFgeR08+fC$KUMK0uw~ppnw;0|IWd6^a4vBh{%zska43U%rQvn*XU|^1 zyceTw!;sc@dd9+dLllnB`w!Yt4JW1N?iP8Tz)6dW2JbWJeg?9I@}kROpobkeYRB%y z2~}m8$7~JDUHkr+zf}uv`|io3oOSA-RM*D^*2ezSY3~v+)ywlyX5){(hwqb}gTuo_ z)V5L~wXz4PZQ4QEeQ$94F@-Bq5~?kNN4oQE|Jl=EBN zXxOu3fB8A9SNlxRu*UDq!&qMuSI6R z{hQ|AXq0i3=iIi&CCAfO*Qd0awKn>@%MrM2&uWj|(X;a-g6Dr7#xT!o;&Fs8kK-N$ zkGh+yd(UPb>y{_jE4@#r2Itk;UduvYN{j59S+h_8_+23fV0$x1D^qhucb7Ij{AQ8& zdQh=4H@OLV%d@|o{*l!KJfUH&U8}2~zOcYx{jPOi3(fd`etw4G(E`9BNFti?d@9(# zs#>mTdX))X>f-c=1bR$^Djy(i&k%wgNdJe(UY|Te?4p6gKxsM{)ZS9Axu;d2Xr|E1 z%vIlP49s=jGcXEb7&J&sq9^{Pvnd}u$QTaUCy(qyv|A5i6^_DFhYiq(&<@`eU$1B& z@yeWWog9B>s#}Sfo+V6{2FTLkYr({2| ztE#_&L{KQ9;HTCfi!AOmZqy|&@BCuKg|HDpx5fO-B}Lv;V&oK`kSvPzZRDG<`5AXI zjqf=O3hdj7Q9(*5k~E1bs~a5BLH;n3)R@(5g;Y4Sl}he}G2(?h z8S0&JSy=Q2H9svIv<=fNZ-I$>g|%)9x^Z`I^9y1ES&>v&jd`iFJPPJ3wPCfYRS_l1 zwffdK{t83P8l#5!nl#^aTINbFYBCIM{sb$E15@3pS8fYSYIOz`L)l~_y6@##VkSS& zdd=p%SCO6_n;ii-?gi_a{tGvuwWEEwTRU9Iq` znua(;L5;`g=SqYw&+W#Grq!V^popq|>w=aUuAkfK)T|~W;V%Qmi)fdMVR-}3#2iOJ z%AK8RzBT^X^`LeB2{gsZvSBH*+qW;a=%?v6&&rGw7`5pwKXWS(^vo>}B(zjGGf82o z%Ig^;OlKoPtP?8AN&nmx*w&eb6V&P%j)bC9y&m9Km+`e{Tc($Y_g{KVFiCFEQy0kv zI0Zei^jvC&u*@|M`!Cr2%icD?fsFeR8V3WvHt>!2zq^9kh#DbuWA1kzkO=G{AUug^ zAs^ouo?sfqf=S8F^q1UmN<`}JOI62r*Db>cH4-+|GBcp zQ*pi_w+LEZVYhbuXu%=NqBUj<_VQCBa-=28O~$OTGWtq{`}kOkqOCau&bpf( z@F9+(Xv~37+ZV1b1YZ!rP2j9)i{QGuymxG{iu?Sc@Ead$R@mFox}%+x(!98f zY>$JTgtOOq`6ZkuxD@uT1%1LSDv2=6d|Zf2x`oD&+8Kr`uXR^lf+aD73D8GEU1Meg ze`RdTGi@djs*F&MRwA(c^T4*sYB^?TRWj>EoYQek+vRWPrsl(x`_Q8d{Msq1^_S4S z?&7gNp=|iCHMWbNO*^?Zo9|?KXZ}0huLzlh3jZUuW&f4hHGZ$pTPVk+2vY8=X0 zhrfX1r#T=K{>a?oV)Dm#%6&h=%CJM#y__q<(0M)$%xKuRT z-&W-5dY`;75_%sZWzoIOq7dc1EF*)xM!SE|Cvt0^0RSevOpXqG%YI}K_=#kV}^(IMdW)d}g20Aykfu)_sh-Q#rdS@x0uy8q|-7%|sq)At;$Hy89?M^W{D 
z(BE}5@rKWLl{*D|pmCp*I%#RD+YIV$giJ;ClurAF^E)pmcw9uzY@X0KnBN?pmTC+(ccv6pa_q*I1I;bnGV}s$qGFgbg$ho+B>fQMl!JLVbcCc#|D^bNQad%x~xxI z?C2YuZI0F&_%H3BFh^c=9)y-f41!W~ZCx&x$qzEC5}(fBhwu-QV>}El%3A*Pwn1iO zx=&Z1Qm0MiKh&XA?m;?QVC6qTXwz(eXH}tpV1J4$pe|-QUdYeGd!t?6ofX^&IfA zI*aZ&fBT;}U+s^kLO*WvH7r@fl=0&bg8mvgr!K?97fGw;6#JgFWK6@rN|ZE8YT^r=Kw?sM}Zh*fLenb$s3S zCJ`;U^}v@k3p{_%5rPBMSpBPfGjqD0nBHS%RwAAIs%6N|F2v&;aGdrE5gb2x1MEyZ zYrL0j2V{bXHbHsm9z0A}iV1?8yAJ1o0gVSpL=%7y@-Hdq{-uBnP66a61SnE`&zWHlJD`kA#j!dimng$B%_x8x$9E$7^3FrQ6pL^ATz(iXD zkHXv(37AYf75Pd61vv30&a{@)!9%hnY)IcA6SYzavA`dBZCAn(9_0BiMW`-*-bY(n3dQ+n#S< zF3-k{!7QzpXLLYNO_(TKoec{U3&1Do9+)kBjXpG^+)~%Q44_CJL-LbOs+T5q>|{}v z>>6bCUauO;kzL9ck04ZIbjcKB50tIok$%cZ&c$ipTVDK9@au$7ml1WAPVM5~cqc;Y z*)cq3c6Dl$Z#Fi2$^2*D{jsW+rRgt!UxaGZ4V`2sir=k8oIhNNV;NJb#E;MT80_s4 zTL_^D;XkA^;3wFti5ApYg7Vq^VPpn6quf#$a8AqK#TyrcW9X4 zpFHW@j=(gXy zZ9OCE=iD2W+7fUp)SGk^go<;?glmUZ-gL#G?3AZCK6lP4D6(Wa;t_D>HRJOHnqra! z3p=sym^wFJ`KUSJORg!!$i4g!A;fZK&ZUu3biwpdM5}KOS|p+hS*w-vOI7^yf-m;Z zL}@%F^l&v*yf_gpSzD_DEe#NJ$zP_(y>u4iY2Ms zv2;**dh9^kLN6cHzo+@p820JNE7q1k3k{_=w@+{#4Xvn}i?>P}}#s3*Q__ zy}`2rb?I2>6HzA3Cv`�e>%{~Bj5WMBa}aMg0p{|JQn`=fkjxxGM^q-XN8fLh;u z{&Ir2mDAs#L0jYGgGhe?L44o%>2jQz$-~4fabT-Fz25;;76<%E}_$!PpeGh1(QlG;lHz?JAY3IE+iQPz7X@ z<5U}z)<)Zy669S{(dc5Ee`s-z9`8UwD&*qoY2>9GTkbS+Hh!zh=f+dZ)k;Nr(opbu z^78e>nU1+4oYy=IN%^MoL9J_K9l0Vpppdo6u0~2sC(YI~D`Yx$blKV?6k@eI&rh8H z8q;Sh@=s9pIu{9lIrT1C+9WgFyRkvXX$x)995{8PBvrP!2C^qPD~!&U(rIs<&Zr#|2qS)y)M1Glhy5ASJ9!}7Xg*uBn=@97|o zq022I<*kmMg#XslVwpD>H6_l$pj2zirCaxGS`PSj;@+!}(=r}8a@T=6v)bYKa;p<3 zpUR3Tb(?sxwe?u5X`LW=W6WA1^d+keSU;}4*?ep@aqdVsUUCRX6@?-YP} z>dQCq_4dB~6}>Y=NTQkHBlzI~Rqv<&#myG56;-hfb7TWYmLzFcI{E%FuF? 
z(0y0iSyg4nc6IM2!RWu-5xZ_NeuVsQ-2kAo_&`+ic>WjKuY%G+KwTE3IAF@$n9$Q)#7#fSDW*J!r|7#KbI2z%XH~%dxN|9VUOo?g_&;mRgAV;&$pzy z8qev2v~2D(N(VsGL}i+9BZv2m(0gKBP4D1RFK>6(VrUZ)DaVhPmGkbd!8PmCzaKu3 zsSRUr-OUz{OgK@)U5_;gLJtOxKJ5JckLoV{M|Gzv3UDER-zCC-NG4CH)V&;Mz0G`R z?u*dt%#k0k6kQYXkicFDB%z-V2AHoQC7GsW{r%xuUTS9;;z;#%`4nCy!6oK*%0xev zh)9U;l9vF%uHh&JE^)9qCR2&~Ey2cPlpURkd&$5eFNIz{N#8PYPArnDS^*_a*+F?B z%XP+keg<=rb$dmt4C9J6&($Ii4SnlSt;VB&oqB9wEW~k-^{lkxWJv7JN;Jv5VpCPP2|cG z-^X!Qs7Pg@{8FlHJ>u0|>NK)w{^<}mR?q@{xcSc`-owZL0LO0WhZz$iEJ+$ikU$d2 z#0%K~rLcM&GnIC_0DAQEOHQ2Rd)T+CWog+18{u zf#6&+akdE?9-A9yfLh77s^%4Zswrg!gsio(m<-)YOpQeP!t^6zK!H<|uQIdDxNps5 z_@}L!CBg4<_tyM8r@_knaI6GB2*%=P)kkY{SI{=``s6obWm%+-CZ=Km$_dgo)x*m!y%mm~=fW=PoTjp8AK~vh82g9OSQWilDKIT;*Jd#70zc&-&U#n?~t`tG(xa^ZD z-JoeoAa?=w&-iPNA0|$2zg(io)Yy}YRnQB-U@9Moc73iC4$!KNFx}WP`YBS@^`mh5 zZLa>jU&W{m#ez}<)hJB9Fq}qw^i=j+_)ihuQD|vDK4TVp#^tXNDxJ{@nKP*^3CA$K)7c!1^h*>U`0XbPK2s;2xL%(IzY!@e!lUq@oTLyYD{E zfSGg3w5FCVDt#(Sk@V1S&O=lA8FzhrTai{f-sBTWObAS!3Ql3em6PGOE?fHOiwbsF zqgCRp@kcnbI)Mk7ne^5Ox{#{eOy?7$ieg@WqQlX?d@C};`3k1SvhTxlhO5vnm_-!d z+N5oMYL=KbPaA_s)N)4(t>`lUcf1Orq!ZsMpPTyq^5% zec3CV9ObnOwsq0_JksRz?zB{P#Z0(yS3NG5MfgxP!S93L-VL?sGXffk#53@}o@lxR z-aZzkZ5pj@8Tg(J6FhzY`{Qi;aql#bD18gEx^)zz$B^qb^@x}KOSZP>Y%)HJmv8Fo<`LcVqT|~DsT7HXOQb}mSM8HUp8vr%G~w< z>!HVdwkNmdCcty>khb%3wx<2iICzwO&Bgz81314f!>Z#k0qsWAIke8dJpF!%cWQXq zWHf-Zz0Mr=`dBQKY519qzS!&l_9CO=cJ`ZHJhEEWn>MC&T}$*7x-N4q37!jkeIHei z5TEvQ61rRc<^8<7^aw{UeL>;FF{lhEPusw83wvJw2&BAD37ws;Q!w14LeHE&dRVT# zp7X|eoP5`A`CG2OgL*>tQ>+2c`L&&f0HpO*;&|hBL`T=}e$uBnl{;T&?F)l_(^^xU zzHfv7NGZ{|`%M8Y!#2?Q;f%=7qNV$i0C3sus4xz=9GK*M-fBAI=YjKjw20C<1o1xP zaPBR&>78?bTzSVq%wEFm`K`gzGB{72=haI(LGP z+F1T`ip{S@A6p4r1Q#VC)lb?j+PYRhc&F(wrIwM?>Th!v&>Oo%L5Ruu?3V%=|W{TKZUy z9PLL?Cg<6&uW+)hSD!kTRU3;OL#`yn>{Kns_5}8xc&)oMFTRbV!T(dX5$0B3QwXW# zl(py#%*K)^`fl3MPD~Lfm4b*p4Yd5N|0AhZ?Xgn}GuVwvOZ^U#KD7#c?uy}6D*g>zW z@$?2PUB9gt*To9^?$kLkb{!=+4FinID`C`sshsg+Wkkb7MWLs!FWn8>8Ubv`&OnV_V=s_-!AQAqa;3mP1sU47o&@1G+Jb3(<(61lZiriz9nd{{$Ltj&_x+>F&Xu=m( 
z7ECgs-U3$a%hy%e)9RG|-6>hA%g_(so6IQ&iC1?4EoJzqJ$J88r>4-=D>F`oA zY#ptqPq*4z<(N&i8mO6~=j9Ye)N(m!RHPbL$#h{btLK{ceex`v)1~Bo$q~WA3Ky!Z z>SY#IKhcgSG==GgGabo0`DjAPhKk7WQ9`}9TO(MIzcz(l#@li%hVYcTc%~|hAy=te zjs8Bv=wX)_?kp*EH3?xc z_|8*CVD;(EiGv=jvWCmlyTzWh`QiFp%d~FZezF~odO{^*D22)ush~A)EJ>HR4>F2+ z70iFSur6dI%}@Vn+mSJMccUoU`LU79xoq0FQO*aj_gj#orPGcJPi zEUF*EfZYxiSXX_Sy*W;o2wPiA)oZkMP6vbQHemw&x(Uq{Sx5WZtJT=L>gIV`~En9@i z(#_7X^&Hi**?CQ>dTfZ>vJG7TKd)MKG#!1Tq<_l)qUMEz|JV%M2o=;Z@PKLuPP zUYz{vzg*QeXFZSKS_bV8ZjO#_V^+6M@rTht#{Qf+Xs|pQ316+6Om{i)nJ{raJgf8O z@^+q=cg4z1@nzW=c)Wm)zE1=F)6%?)pdWkpz8zK58lPH62X zFuk3-O8ivSk^F7$H}?;<+R1?0=Qn~l&6}N5!2CL=-G$zxsfEYII_gXmcCQ%(+8V&? z5L)vcx5(}Ll`Q(3?-z}@-WzP6ZdV^O$dkMA_P02nV%EFivfAxCLWo42 z+iyyRO>nH~E-VSklME;o;ffwXDw6P@$*(04c5{c5Lf0ioGNyFa6<- zeOg^3bFJ0hzzyMabI0w`=e{J3aroESWpk&;dg6xMeATi5pNEB|)gHT#!OZ)axQ9Wj zq;=BFrOwC8?tk#|Q$2XY6*TiIb>>Os<&tO0c@4wvL0eAyfo7K1f|*L#a+y2 zLIuS}Tl(4=@M5Ftw_8$#%!;w9czg2UCc-80#JKLb`TgcQ2a$xa7U)I|b;>ynBc~ns z0+(9kKO?JJlgJNvvdO8bY!!bq{lN8Qj~6%TSZCTG?hBV)uqNMgG9Y-EkloBo7R5J( zhCc`jT+i`-ttBu`(EY3t(ojyZ*`V(F%&}IMh*)w6LyTlxELmnqa)w)x$QbL?J%J-z zP~nOB&qccsnKQ*+Mf#0_f(E&Ey*QtWOp7lz;xYUfy67_*eKy3=T%(`Po6+4Q};%H`=ONI{hpY#LbAo)LM09^Q*?rYInAY&{GEu1xID|z ziZsffZOn}DXxjaj-JA;tmgwoIwFOi}(Z%%7evz=-X0qj-uz&8#B&G4BA?IA9;-`tj zNO9J`(Bg}ru=-86zb~&VLVIyZhCdN_URbS6OB@@fqztDXZ1h!7Z$V~XSInGW7jGY= zy+pF!{&-aj;jqVry=5N)1J69K0q>OHe=jpocK<1=fH{Gvgqs4%Xh5Pa)=nOgUd2(O zgT7cJ)HK4;PFizKNneHX!K;TGW%D{zRT-+5s2=cL?R zQB7{8c0yH%Gfs(xizrrK?lnWdP|#q$s8^t>vkvN71*MzH7Is7|j{Y+iG>ytfuBT6% z8g*P{>@Q(EGJXE!G*w`kxu#wR$I+Bc9rO~2@kM)k!Kr$-Oh(0_qPEYQA31Z7txsKq zVn$s8RQZ&%1av9?cLYw71f@OfSl48hu&B45=5wUTIopcd;8ttG`0|~lZS}CgHU(y( zoq9zeu;yfzlSc@f^Wg{Q>noqqdst60%Q%rvR7EO^CP}-ACdX%L!>kjgO%CL1q(Y;9 zT})KTm@Q36G0wtDKWsl%60IrIOTFk5Fw|&{lr#o+0r~o8_Ksi zvsC6^gZh<0?15#=JcUr|BEXT0#(sXwSJ?(vHW4byTbkwcZ+v57_%M`TqRdjT>4vi_ zvMF3-stw%w>X@ZFB8O0`K@kE|RKK4As#^k0#`yGVx@Z03S=@#!)Zu5Yj9nTtIaNeW zOx`am!Osy?(eutm(NgLht@Be(>2(`W{9|c@lA~RN2)P>Xv9b!+R;L-Ix&JpH(9jfP 
zi%+w_Yg6af_p1#YgO6$+*>=c(d{V*J6;=V{y@8P84|F{HfsX$&u{~@VMTdMi{Vsd= z$V|JRcCtR2dnZ$Nbj-jbj6_{4aEzdXRy_4F`}fZF!OTDW8$@rDH=sOy*J<%2lf(0y z_lAA#U<1PUJwH@>{)%2%xb^HP^$k9!qn26qJUZru*AOj}5$S`x-`_qp0i7@8y6kW6 z!k8s@E*@7Vq9Rf_39D=U!J9=I^1a+HJxy=iDLZ=phd<(aocfWUBkwqX|4yqIwom#~ zTc*{rdT*mheJ1st+1g*x;%Z*x3sub}yj?sU*4^(K;PF!MY$jRs zdcBa}-Iux7F^udqia%n5P2fsrz&E50TRxLHz1_Xa+N>&I+Z{Xip0kje=?-JZv0PRa z#@>0z`7&$m>jk*3w*!Q`Vhr8x4!B03=l)2JK-XTJg#PpXCK3nmc#4*2pW*d*pye_5VSd6RPX{`41K!7N zM`K_&cvz-Y_bmq*%mf^_%j5BH10A*uJTd&Gvm0r^fDcE#*;KMrd6KmH@1*?hQ` zpVXaiAY7FLIM?lrMm<7&#{>Xp(*)VvI@~Q?`_WV7tj)t$tC&6J>>}Q;l?sm}v6}$5 z)hvzQdEQtjZmm6b5ShG)T)%B3FTzdl0$mcN9 zs%({2+bXl#?bmmeqo%K&H{u&p2mbyoPOk0Be$(R$beZ0xf zpnez$gpB{r;3XoVx8#FO7{Vdx%$%q39Ml?8P`0h`U*UOWCF=*FFcXt=T=qme4`%&_ z%GdNtCp4kE@hi6T7Z^OlGjU?0oi-IF?9GxF#I;a|G5e%{Xoh)U)_zs{qJS>7>RKX6 zB!+|cwMkpwVX%Ua!l=6eDpFNXq*;D`UQ-;s*@&bfx$Jh%*&?1pWX)Q#I8N#Dp7%mU z<|cuUI4P|ZT29!n`rKd@_mCCp%%%A6L657Y%#swwoBM&4%;t0Uur%84>edTePMJU7 zc_P^;!tKn+(P!2wznG)%FY=kuew=Nn^ZI7g6eF26F4eXR_CJ2V1*4wvKx?tOw(v@G zA?UEMwkFi7CcmnF7neI|v{kz2-ZrK%9i@2H9FCqDw&SRJ2_3 zEexTK$>*vrd1hTNTi`>-qdWATgUJc}4MJ6VtX(?{9WBQ@j2ig%7B@ku~ZBBr~ge5NWJ zo$D|Y(uw)(5A^b1hm@ZwS##X+P3&q5@YGm1EE^HeyxDJ0`6orR3wtu(TvXys^U~Mfr=U< zg>vpw<*Sy-u^LSf!yY+7CFKBS3a5{C@~DJ&3s*HOL+ZSsj^IfoybZSy49=4;t)eq_KMrwHN;&Vql?k`f^!yb*;H?#_I+QK4`>8hZI6a!5NUW=JT)HxS+D&^SHicTT6kX*7uj5vmjn$giXs;W6!_hkbJd z%xExGnsB;6CC3H!i=qhPz7JC(Yy6aV{-y%6Cq*-mwtGbMHnL~<k%GFN^`a%oR zf`y`EH}zEi=S3f{;!G^BKhXLoRWxD?b#A^sD##ZOr z^Lse=b5Jn=je8s2q(%7v#UHsZ4@Tp{iU9&G{XI?CKCksP{{EotOKn~Tk7<}Xy3RkZ zT>!kE-A4!DK%Ubs-HG~U_fZXYn!tNnPVXgLw%@bGPFM;>SRaJf?YM}<^L_o1!R0=I{N z*V1d8T`1(BDQ5=fWTeMqs_QI8@2J-6z@CWlFwg&#dRd#&zgQNqCMnly^ve;2(8n5}6pt1G8>N8>zkGphe^3aj(^XgQ45;re>C zDkX`s=WR2Xs1~yMVL!g!5dd8$*4487ersn9fd=bBUhFt$crPj`uLLY#u#=JFwo4l= zp99^>E*l-3&qcH5N=Luv4!$#;}jn_YHJJjhO_s2IC0SH+zXyO z#Esi|Y6f!f!h!X`$Gi?c676=6TR>%ffw`UYc6wc?~?C5eXXzOlIHI4^7k3T+XbjIH#oN}G_IDPuWPV$pzch{sSLn) zOWm^4so=_>OZxJ9`nDZebGKTdfNj8Uc=b2mCV)H;Tt{?$)pvB^ynJZT@}Ib`-mr(A 
z(lekx?ViCk5w8Y;m4Qa~@!J`oo_IXrZ+Zf;6~s>DviIY0_7PI?e*In+=({Z;;s_=U z)mMa^(1k-3NwWwBtk4#b$#CLj2_!%4H?tvqvsX?LxrMYe7uT(<=3VAF`<(|Nyf`je z9PWQxOB>6@P>l86ZS+-KX;gH&KZ)AWO2f8LC|TU$NNEkgN9i3HMc5mt6VtV zA4+w<9g~gaJpe~WvSs{-yXwUvBEF%AkrfS=Lkdj?ESie?j4W4VCJS$fK3%;TUoBj0 z1QoZ-pI~IG)s;@i>9asHcsQ)AW!8YKX)MG-v!!E2nX?4l%Geiiq}Eewi3`_8wo|wD zg!n7gTk&s)B7(Q{L4~G!c2d5o@xMGyKhNeT;sA?n%`_QvNRNTbJ zVi_A=fxlTooJDIa@+A+E%C}=4<+_kFAswClyAE9dHzpVSjWM=#TLBGysW{Gp9O6=P zDICGXq;o_k3<$}nWDJ$|h1r*VRaUhi*L+ksW?}~FrT0iIm+47_N4q!#D zc61?A=AH5%iDr<;PzV|D|IdaU6{-1|mNE_0J{!RBOVmDw@z2&aLMc07jg5#Bd88|^ zJ#sf1{Cl4Wp+Ei6ua+}juZ%J2EEB+5qdDMJ4_|y&K;i5eXN_%$1-+D+h!u&PYk4^0 z8))im|?8L2@WMrp6AVd@O3%d#a7vM0PZ1 zZ51728B7G}i`IRL5Q=d06I1qv?UQ6Ibt#lJQ<_ilxN?|c$o6A3(j<0=VW#Uvy1mLu zuk(E_YqyrCDkHzP$KufPF%R^E;*Z3F2#$x z*F}cF|Mf_s7Bf7r<%U8-O2!ZB$5o;ajRQ57K1}6fafj;4Bp5eGQg^7*NYT()-#5MR zu%;W5=R>v8rlwKyrleYvTd(PM7+DSqDG>#TSdbW+mKd&C>6fSp*i!tUwRRU5UTW0B z8>Iiq3?=OsFXd>mBy0`caFz9751h3_{!;oqEjtrK(w$)PpCJ!oe*DDuM6nX&7dE!j z7_xd61k%2vn}Wc*VQrl;HtpbCt!N5Y#3rs<`T7f8C)IwhwtxVbE~uZO=1VrQ>|4c- zCSQWB^J72N|8l`yQK$4$ikM6uk$rmk|2Xjf5aACP3?}LY-R-=g#u`D+0aSc`kRzQR z<9SP2ZQJ1{F*X33ewaaBLugBCB=MJ%e zOjdbzcVa4pG{^ z%tzzl>F{O7KSEki=x;|q2ct6JSmLD;`X6tXa6X!EzioJ|{C+M15I`2iW_*9s$DAqp z?if!J3SQ%!1SmQEyaaI?t-|%na$=@-%ZT{to|K-@LDRr~Lua)oV*@VIOZaV{8?`}1E z@Y2`y&f@ov3=vMiY317^@Wx!=x9enM^O!iL!Fv{E?%Nck?==iE>Hv9v0<*T5el&I) zLj5Y+gS0V&yEfThQ6Vo7R7!q{X-?)Bn@dRh&dO#>FuXD}SVsl+?hcweMIp;z-zKH* zk%;wEPj=Pq?8-qU|LfHZc(@1}a@qvEIqv&7$rk7%pqv)JQ4z)<{|uI)Y*s|p?4Cs* zPoy8GNj2?&hgwY~*GZ(u9&gP?rgxQ;gzs+qL_{C5EsWZYVIA;|xZszdrgmdsZ{TEF z)~6>E5r%`qKX>Q3e$#7vCR(gl&pA689^fS#$n|{SQ=MO>(1ee!S~bZ>^@l0!`}O+d z2pxM1jj?IU!}fU~RG^AEU;~$Z-Su|+st7vITS)nbvTmnzoR)N2c=QGaW%bxs<-X!` zvkkXU*HLHQQ912GmXxnOTX=EW;U&j8DA5Y@+@qz1mDt=Jh(vLig=8c!dgrhWbFlkN zPol^{G8N}Z;=1R|A65%}KN4=~|`5KYumN zl;r=sN28l}=%Qr*RiPc<3^m1GHFvdmX*ttMQU+T>Dq;NS7Xe#I*K9KjHTxh*2F(`? 
z;-Xy`bFyV&I>kjxcodm-4I6g~0*)ngy-GC^zRE<7m`oNWD`TQp+e8}>0WDq;monLNJC62sFH1E(tN$5I=9${XQ&xeT#dAZ zNNF{tzavLikOwcKYX3~Yhk=~LtVn`)Ix9pGYu_&)828$~q=JaNlH#O=mnyj5R0q)4q?S!=GVzULU;l8dYb-fY|lHpWO5l9sVThYW{yP z;ZQifmD!Jr`zhPSE)Y;IWFU8=t6M>Fa}J`DGN@35nXWoW4n4EdBkx{?t{f8$R&7VK zUT)6+h2Yo+GoH==EtF&L3v-zw`S!MI@3tXNVE;>T5el<}dbYIa9)1ynJ|@VPg5%YG z{rq1O^QsJ`ICarK)e%<7mN*ooe<8S>Rvi)=F|B;dumMYK!+;E~<$)J$fr)dPY6OkrpUG4OVqR_?k?SgEIn zo^<)+Lq>^+l1yeasJI!*Ez)x6F6F!+?S+`ilIPO)Mt28%9Qth?#d_2W(8R6 z$kit>VB1s45c#a}h7Kik4AC0>lntk-@4TyhwW-@kY66PYrg*WLDkdZgg>QfJ=d0Xc zD???IITn{Npcna*pgI((LL0JOBOpZdL(W7+2Z%8=`00yXam^vk;>czJ%iBG+Getu66Ul}nXRZpPUo^Qc7 z8tDF3o*ZJ08M(I&?}|)HIUwLRkv>o_23$+q!2{FCVp2L6bY??*5vaW1YJaJDn#MSZ7>z zHEyVY{fe#M4njj)T^Hl14M@{U(pjnE68T|6WMcO8@|_Y z2a-WU5lkAvH$$Y>Ekqx~=c-|Yo?L$CP?<{s{-?Gy{mom%+q4yk|6mjc(0V)Lh$QMH zOaJ-3=TYFHsg9;Ss_y;hrcpxAWzoUE8{2E}_j992FZe#`?856!Um*(*>^S^xK$I!5 zyq5;#1#G_+FK0>|->iE@0)zu;CK9$dn!nOru-Nzn2wHqiKXdk^% z>Z8~@?OM0+PWd>v)@iglD4b< z-PgQN!hy|F%%)(Fdi)cTYV|UDOt*9Y1=i8K55UYWzY-=ggW^k>vTHX9XF?gBLx^nft)Qe(9u=lpWD!@ns)8i zl4Zi9hZV=hhpn3(UNxtO<%iMCzMNj~quLsj_qj-)?cX!ZRXHSl^^aml;L9-+ecxuE z={yczv$aW&RZ!Rhl09UprteOs$MFs(3y}71yfK_+OLW&nTEH6XmBkD;ChEFNywZ0* z;3#{H17q$%K+h21j{xu}2rw%#4aoq7bv#47njv$*ZCZJ@=bb1FG2cKdtt|zv?7~5R zYF3jHOL^7hA=5bVMXg(&N!T-%JzzRAZr(9~C0KoxB!xKUsdIj&Ri|PuGpwwz4lURR<4WA60 zGeLqL!E{hlToRoO-WC71zS)B8&kcRkT7%ldZZRx}S*M93g!wWFZ~P22Xr_?S4)W%X)^vbd_MVF z>eW9WZ#Km6(boxYQy@k?;*+PIT&KG$nZbN@@@_8M*(FSVYGH;SFj|I{*oZ0Um_%muE*ac*wk5>46nA6oaVa>{>=PVulKhspko&6&nIZi^J@P#$*| z94$6v-IX9!%(qksl`d7ERc7y0L)nl+t&vY5`R-FpRw$SCiC~V1i(larlp@o6rXq%q zD0C|Zothx8Gp{O3vx-&I7lEMak3NHfe98qBb@>$OOgJ?a$$$t&cz4YJ8#ON-MX`_! 
z)7OsHy)u5_|0C+0|LY8!Zr?O^8arvz*tTsnwr$(C)7Z|A&BnHE+uYeF&pGe&o?qrK zxbM%*tZU78g)_#c3Drw9@K0h{Qf^l@lS1Y|6m1W#B>XPdV8LZ(5_HY{7d&b_FPv!g zH$%Op_(Hwe7<@FPUktu_#HaEH84uftq^gzxE3fd<-{gU_9TXWcFz>%uFxR0NWS-Wu}oR#s~-3n za3rl%I&kO7cwxn=a{SM>vJ@VpHwRJi+toRM3ilnnGH}pRRp<^tcDb6KY*Y-JY;mS5 z@hnP4c;i83ornmNgxd-T*HAnUGvEX>1&^CbBak~&o6#lX$EXP2kZdOrlOHl#Vau%T zt1}sjLbaLc*K5jIU2B-d8mPE+lN(v@HRASyk-PD&hz&&wYm`M|8Qp3u$ zR@jj#k$*hlkbFgptw$&b3TgXp%jvRVHfTQQ=pY9WkVzkoL5WiOBM|WK6onS zP<_$_qf;7fi{Z@5H}HMaVT#>Rt|q}9EHgFAaegw)C}Rf~@;9AI`?q}y(TMD)FrrWm z6nwmSd6^6Qb~KRs$j_rL9l>RSaTN0uyNL)$2^2o+}b+Yf|L04zz_V*5){Piuc9 zl1*y!WKYy@qYlL2dQ4uLjrpHzX?HVTrIwhKe+_DiZs6R%Gw0)#6I~m!Rg*eJh?SdF zOxKNCx0+CVxE$k?r3;L70={*^$XC3?$G}A|^_L1e9kdM-5nESpCn{3z|B?tRy?~v& zKF16#=A_T^KLyl#*|m62ZvbRR_;PjMw>8Es`Hh2Kjt;wD-s~U(NgyN>VD7#MubGcK zeifjnSptDvKOp<}AmV5thQK$P$L%SuC*RN67Bbm1PX7Xhd4ZGqnQE0R3uLkIUH6U`qkb8n{xGrI=OrN5;k(Pyu}|rFyesuz`4w$jPcEfhsOgQ>LuUzu@HIr zRIb(T(DkVI^?NUCmqkDy)6)IBU)aa35p-40gB!Bnr3a?rwoVPTZpTi<#bOLUUDLbP zdQ9HrlsBb^S;Y1B`}trCXRY&Eci7N<*7}tDB*(#uPB$mdfy(%M%3I(hVKQ%A4bP_? 
z095h|+2%9zTG6?udDn8!2^q87C))kJQu|9%=>EC20GhvsfscPRSQ$+vEnmEe^XOaTt{kR3_Pe@2O%V~McE6L;hrQagF>6YLnj41P zT3*ka*h`yvJi5B%yI;edt~-G{?9W8Sotr(kBi&w~Cw-Hu+h*72EnWyO=g5)EydT5- zoi``Qp!0x9x&fwb;hd1-o{oguAZ z@yBHk_tG@b0lxbx-v+wwZG?uiJT0?;v}Un_pg= z{^ncpbdJ%-r=iw8QhSfzWigg&i?8*v{k7HdibwhTHQlEDc`6b6Cx19d&l<=c?$5u+ z&%uNR;*Wc(`HHyIj zrGV@YUCa84zMQ=5$yPC*axKF?WeVi>SlIABc)f|1@Z-&0rrTv<7T!FJWcw6VjOk!( z{_D7$CsHDRr5Cy8t2tz|EJ!j(2OepZ`g!xVs(V*s@rWS}nf{4sdMzZ5b|!$W%Jep~ zD#`zGb}-!GG4Jh1=dAZoFJwM7e^T}TjRy`Mjx)yiyIDm5(nR5L#Z&YuCI44)c_0O_;|>Dz4bkJ zG!&lxT3V|M+9Y*~8&T83e$bUm$Wma*+K^a*W6BHW)_rOfD=kXJSgxNobHp7pARo_j zUF>Q0WD@<5*pUo9N6u(kfRO7%fzknkTQ_VFjHfE8_!d-jCb2qRQ7+b$Zo~N^fnN@( zdvzoAbDEW^t$rsV=YoA*Oh3StxhAl4n*|C%)NNg-)lXbt=ruJ0ZMc>E~^7~NY23(@+zxzhk`hTv|GHnaB zbJxx%S*-Rjvms<{8#I-)EWJu(2?|w9r&yiNauCwIlw{u;5}0I3hg;^PBF9C|BhHYR zNZH2S@Lr{gsU7o<@N}Z!#)DCo4H_@(Q!hMNllSj1M)ts%(f^=rpXOVn#!8E#NQWtO z@O;u(MNryd8t#Aa2dk%#nAOS?KY^;62Ajd_pXpVr;n~?jh+CzZ6~fb7n`8un7&LF43>uB&UYFv>|iW zb}5kaQUOii!pu&*9$b=Q;2AfTT@FfpqMOiomf33Ol)cK-uMo_06<4GPd{gP#$)Oh+ zfL;He4SLG4Uk3bb5GPDM*7s+*6ZlWc>{nADPrv9&{VpJJutfC3<48hTa!qmdJ zMB8W1CRhqE5Qe{JQgwsljYLpF;v7rul4L7f6>AEelfZ=R3XaW2#Cu{rH%1F&dyN1r18L`=1s*cuvN0D`>ZrNr8GfSY37iCas1W z2AR{j+5fxGGQNMw@M9&hjtQUGgZO2;4v$5KzMTbT12Z?UIPIFn^UMMi1FlVI@bz>-E~=Pa#5!!6UrN{KiS zE0rjNImjyo+AiFsDga9s{EL*b^B&W=Uv9AT^#5P1Kw3ePC~rz{(;Hurchc`=phlvu zyJ-3VP&|Z;AVg$9Zl7NseLiR+2SZe!BgBsk#HrtJ)2s#Bqm9+`1j4iFxWl+fVtDFj zKkf_167U*>_iXoP5qeckGgNY$Wjo)>W%Ihao2^4nv*=9$U;KT#K?iK_`-L7odfu(~ zXJ;a&5NIK=x}M`+;RY_W{

K-g(cbyyd*%koTE~!G5c}2U z+wXUU%d8#@LT^{F_l*?jEr^Y6AD2lz>$@4IBiH_U-_1$_kC1jCRCyQM$YXW8Z(GZD z>w%Y5sZ|U8pOwd1T;S8Zx485$ zr(2nwMv=Q;udaeASn~kP(2?PC-c1IPq;$qouq6U@es3xRZ$5X+=+^2 zBEwuM;UfNQq-r8KOEx8@qi#7K_yB{eIAuxSzPTVCDxfv1qSa^BZsN%6H+%88x8_Mx zq)<=bF-|-0_l|7S8K#Oui?uW=O(^p|_aAYT>4uV|2Pw)Y$WV~6Qx#=eR#eL1EDbcf z_D%Nsk|J@Zo#6IlVgoF$^g;-jd!U(HN{Z_a2p> zC9C)>a1KE~YEA#))Y>q)s?w@tLB-n)L*&R{=Sy%14~BgREsd|Jkm%7Eb{Q}U)~Zei zcJgHs-T=|d>bwj0RB%G5N>M1rO~8VjUZ#)u@#Ru;f z*-FM;6P;SF3;x&RbLy|ZbO+{8DcgqDI zof6om{H=jqUEp#l0rg-yMbro82bC0+F1Nm5*c$FxmnF)^2$afULc77SfH|{UqF6ur zfmjgZKfsKbWlhBjcGW>$DY^>^p2`Ix{g|S(X4e)k;>vlwWvpXQ*M%)qwNfM%p$ynv!=^ z-9;l5I!K_5DBfNhG38htbE2RGjf~SN!BNq|71iG>E-D*j z178Yr8w3nW%ovVt=Bd)Ec;`%#$$2kf${6Q^5>2dIl-dQ!k~vqnqynxBslTwyt(qm@ ztG?3U)0@RdX#SP?=$<#h8I@*8Xh7LeO16)ie^BI-kP8S;40IQnkZV>W2&PsZDA=oy zEQsku0%m|KQqR`kWmD!IN<9)$PYQC{3S-a(AdPNih`C_0FF#selu z3j14E;W4Z|%a|k^DJ#hsiH9FBfRdt49@I%<(l=Y~ljV7!VShD~5k7e~w@w!GUU*qHQz(<9g6P!MSar!T+tg=Q; zB(BqbOmvo6CCCE^4+UBlw26OjA>rl8h;Rtt4<`3k6m|B0G9(_Et=*R+|zkEO>!a!c^WVAuvL%BZFj5S%Ib!t;u-bR&%=M$ z+AYhs)I-v=u4mwB8$Rz&;{**r!c3q=4~Fe$p?iPCajsET67#jLCMCYdmSHLW0@O0E z%*UEtoQKPx3Nqj1%aHBJvb>KQz16d{uQyi87_iy%&4{Dnb}Ic|uG6o4bNcl#<=WQu zh@D$2cg(K)6=_=6!`JoYfH_8sZo@lWhl`yCdpT#_udW!$jGgDfd$;6JK4j}{RA-C| zk8b5=b(1Zbjl-{yAm>33c$(|`ynwV`-FU=ZQ`7M%Ifiqc^TOb{lkH`@%4fH`P5i)u z-)5gVsiyI)iLVV(j=hSUy^N zHl60cMhK|sI+kLex8~IkMc9CQm|@l0dcL0cU+E~>Sj&D_9|UUd>)Zz~F}g2P5}f3k zwQB*;ebd05G1;#nrsEb@oBYd)KPUi?h(e<$Q!8dHJfJVu<(WlKfU2_4Ta{balWOa#_t++E!67xp0K=4 z$JaS+kO^>GCRonxxPrTv^LY;#>~X=(YQNa%@MCDdj}E)id}Z(0(&YOJMQ7VGdL{C? 
zzSDpBL%ecFFHZ-0dTwqrkiMJ3a>MCD!E3tqc;)y8s2!FpwrX)oYB*M zo>)6pStr->^O@1yO}S@ZwHXh&@9O!y*dGEx--6(uh+d4IKohT^7*e5VAj-!NzcA3**w|<$jGaUHT)37lGEW1r+lvK)2&D=BxrdiQa*~lbEpXHJ5 zU_V;OIa;{UIN#ICquQ@b@0LptmOcJ1b0#xV9C`P`}AV)V&w8TOcuVJTTHzB5o zHy{hDCrpmcUn)~t^#75;rB1NqjF$u{Wajs7im6JudTDx32}L90NQ7n;5I&K7{z`^G z@wjDwfFLYH(D0+Y&{^%W0-vu+-M8&`k-HggVgDXQuGE|Lurr>6d`!P2Kb^-Ej4Y`I zF+=zX^P7AJe?;aV772)Dq(j|4_s%UfZXPxp@aCWdJZ<=F7V)`Ps#2nX=v%3CbI1!uXWj;HAYEA(9XQoU`11YYBardrAOx_gIDd%NHi$QxaTy_km5Arv8hEBaM2SQjgsA%lBNtNr-p=Iqq@M7cc^-ugm5Q8&C zAD%4YtAI2DK$jrq$XMajC_>?ytdvwy3iYf1z~W9%NW^8gREQX1I}n_VuuK>}4ig!- z2u{sp%{CNqLySLtoRQ>@Zs7Arq6+N)M@BtL^cF|sv`c;o66AXzN-y4*zvRD2R@G*Q z%V@J+7?J&69t6qu?pFq8R%~fstV2wK(-N=v>$%caCcG**ZCn4X+VUiY<_x@_QUIan?}q>0 ze$C*LvZ+*+;`t)q{<)N)8Y>wysMwgs`bAOoM#77qu4G%a>sYb1OCoYVA!!rcclfO@ zk`+xtZ0@2t?)(okt;?c!x{C;AaJB||L^LH=lR_28SELHW=@jEM{{6)NmJc(wzYq!Z zDWHEl@1H>iPUn8P;$NGuHY*+d>)<;wWG@3;5;l|{97yo%7A^d17gnI)fS+TK@&EdU zW4X-w7xRywdq4^OzCkul52*AAc30Q+lO6O#w3{V0KJIqp&dVfpx(?|c9f10c20WZI zcxXVEr01*Ab=PkFEY3T=%UXq9OKKOz+LF63`I#G(dDG}nX6Hh8n>xpu*!xqxz8~tjwJ|pd$&Z-26?Od33BYi#yC_%Yn|Wy@UL>~vh(7* zoh`_rf2#NEy72`!<|5D}r_JW|qc2EKD@^<2>&QC_M5TVEaFPZeyLP&PC%5jqO^%ew z!>s4&)pK|ZJV<$si=|t6J1!(gxG9~kpLDDCectu496m~YdcxG*bhtgYiz3>14N0=~ zs`Q@U3gXToxafMosHq+1GoAc8&~9q3z_8uCz4&AfOJ=`zB)|Ht`#A7g10DCIC&itn z%H9feYgyWEwG{I66MvrrEOFdV1R=ZkYiVp<6+3+&U1RP%Lca-2apRNWa{auNzIYs= z{l~Z!v&miA2M3>uf8EA=KQ}xm40=rX>;Qp*Zm2<6sva^3|R?~ztqyByeD{^Bh~Y^ zo_TA%1qptD0)fXyQ=s1Cz5myBPmR_XK8o)Bx;sA$>v0RvEo3O!cI2=5=i}~)-oM)M zr^u7(Ys;~al%l#aC;@BG&l+v=xz1w25(cOcJc{yHU9(@2lyhO&KpD}ziD>-N8FE%h zq-2*3qiNa3wEZVVtRMk3io3?d)D_N>O^0G-;FFYqEK&5NV=|uG4gTf2#CExq{wnJ@ zV#{BD$wa5WGWsg*`@YnHo$doatxvETYc*h4`fUIC^GAC7sZ%sTjwHjhfA^4xjZjfX ze1oEQN$$RQ6k4Z|2RtxnQR5V(J#nf2bmk6GL_)UkKO*l}MYfg08?39r?NvVI(k~B= z`Yz;L!8>&J*EczNHV<+LE{)#e4;ss;#&&t;DtZvPznNLQh+BT=Nrk>s7Co8VjGdry z1K)W!T8ZxcpFuf=G!qT5LOF7(Tc#0WR}6U*ff&HpHw?!4uZ{PE_}m}7CN4PLqIdw$ zL(_cLW5^nrd}#%{((v!irlnxbqAWh`K8A+c-@0I!NIOcw5ilc9?8d&S+Ppkd)F|{6 
z6&$teSy=_LfhS@@xPl~^CJGp;;5AdN?`n^8IAhgOETelk=-9{(M#==D`enzDjJd^J z-fOeaDdHM5eG6uA%CKN2HdelHXy8m49+KKgSdBhIq$cCy<}qpFKF z+$wg#acf3cz|O5m9diHBC}phM_}Q!5!mJb>t)1@}5nFoRZUG)UDo4JGN~MlCKRxe( zoG_MDWoEkH2&gTxZsEkHU1?InfQ5>+p!ls!x0pA<5n~Qn7!NJx0dYLr%7T#p9Vc$V zmZzXX<%aon+Uq>LaDqR0Wh$8j&*?l|&jh5A{GYDNtb-1MMXL^rU99~L1{jI*u}eIS zHD%NaRq7)S#ip%Ny>HUibWP#|dla$MOo47o6)DNae)8tODkVcFD+lift4fSH5eqmn zm&6)I)UF%xJ~%Wi89gJx#t%`njDM`^K8@1vDnO2AlzoCvQEFOM7W8?-rHEH1pU)bV zHn53*Vn~){|7p+VuiU{L6~W1-lC{88mzh`!zGWUuB2GKl)_i~jfnfT;r{Bn%`|k~? z$W*Ls%aiKJikF=68w2@mpJl@-N_D51Or6Q=Nuv1_gM=zGhbu(0h1Vvv_}2^*C#9A| znzv9U0<%x~eiALhQiQuqgUotZi3|#xB?i4xkcP7LdAi}wnWv3}YY_T*05M8qJ-Dri zix%c{J}8`N`Qsp*W%*5Mh3TmA zck-!1hn?RvhAXLhM<-Q*VsU`A8y4G?KIm_wihNp$Gymq@00TjY$IONt9N;@M%m8nQ_kOP)c+(U!Xcu|v&;_EkgAPu=87OCXL2^m?sl`RY3JX!u4;%*m?{#*{*V z_hf>qCW!r-1$1n)7DE4WH1H)HOxR{ASqToLc~R33-Wl|;Gh!=~j;v1*149J^)YDJd zj+zwC}+jIwlr)_o(wz_Pi-MAsIynQm;w(mA> z*F5cvN&{HC>bw>ltO&h-_Y9Kxbz1c!<{jp~H8{^29Dh284KMRJ?`BLWat}i8Lq7E> zUZNU$kIKStcY6NRX{~l%@wq4TBxv1xp{9K44&iniIyY`JD|CzQ$!YR9lX;z?o%Zq0 zG_qAg_C2z-cqH0>Z79x5Q`33NUnDonwQqcG0P1O7Fz8p_u9<;$&)(TuOdruSmV}x@Xlv52{(YtrT7=XkITXq z&-+JU8fb0Za2HWOhBa09>22}z2o%h()#Y1xzQl82S3Vw!ci7Wh>;4XZtVavd0v_*O zT|a4G^o(4aXM!v?u|98-CYudn%dgzVnT~zuy>hmXX|Fl%+b_R(#;ac@;_T>0s1evVKfS`PmPFXjvYVHa$Pmv+g&cN zlg35N2pot&Ez)1m@GY$Q2=@MgQi#4TagbuJDZ+^ zALQNkpu@~0KdLU3_NKct`YT!>)$;^zP1V!Ka101}4}^8WKOlbI^TX-=KdMX33o^}k zFF6MJ+ua*-iOi`6(wSl8a6s;wUveBT=(zHPziezSZwzjR21`%*3#>BerzBbmf7tsG zpMxDpfE9%N+H08d{Qy@^znmY-%U!PZu?RE z=Q7z#7Ic7x|4$ALM(KPVH1}0{H6seTIeY2JVoCI4%F@VPRmqDb%|>C!M?Q3As6Uf; z02-MnGMu6So>S^Ju0-5K->GFO7cSxaYH<~yMSh=gXc;Cp;%v)q)+)`6Zsq!^a|2gq zv&EV?HSEDR(TWr048rxF@mu<-HCR7uRYzV7TeKp_v{n1U;54F}Sfcwy6cjv(gL+rX zPFqT`D~m~B!nqsuUGJ!ZU`V>TMbAx)sBZSq=@A*2z?d_vGA^6(V~qKe_BFZ4WZIjk zOf_Z6l4g{^?cv$pS3k(nN-C|ZGbjyBQOh0^@ScV-xHoYe9QwXud7I|TU5LjNH-r#R z*E~Zfjyb`HDs?w-4H*ALPAV@@14gWwsF-FUa%W?5ABa#ha=VtQ zKH^j`ny@-lITj;aV3B{@BOm;y1lO;LB*^K+AVaO-^hBI76vD#9G*teZ8GB*;P_u_8 
zIy5=7xCE_v%S_C$PLuFNfXemGdcLHPiLJ_PO{sw+*30@E* z27cV$03u7Y0BanRx}hJK@fDA6?F6Qb_SkNd%CtXfl}Zfm@U8(Rnh0goD_Ad=sK+iy0T!eW4KMPaT`1h6K;iK0H|_Nt zE$NRLzxbLQ5Y3$Pm;I`cX6%)}&-!6UQVIGLX@=T^R>CG#$+y^ct=~O9(WD_aHPnNx z#DT#qh^7y+A60x25U^IYaN^7>R{ZmXq=`vGC;*`V!Xn2xrh4-9%|8)*@nEE6%XV=V z+XZgE&YE3`g#O>AMX80qe*U+F4}AtwWxwPkg1o+gbkh}U+4AZb<05DCevgf-j_8zL znNq71SP)feUmT&hPwB z2A#V59S$3ozYeX*)G|^vZK~zl46D@|xgGpi-YNeH^o<3s5xEfG2!l??IiHixdQ$iv zatnq>zJ5$og40~!anE@#7)Tq%R`INNvEdg4v5Z_fntPC?BucM+P@)}~T>2t_7#ge0 z(2n6dBLhI@uP)^`*0#mV-uMLSKcu|UJW*GY2waq%!Hx z2&k!+VBO#Xsn2N{ zm&f*p9$CL_b{5KLNrtF!5np9l*gyK-BYi?Ny=kd)`E2*KJL$+bN~yYq)ZF-);ltoNKqWx9z77>&>m1g*}4I zKOf_H7cQqeEGzMHR^D>Lnz>E3v39|aZp-a>IEID$L(jbp8tY!@monO?$ zVxd#EL+ueKISpb9A@6Ged+dfm*DG>fzw#~3Lj^mbZUyk{`HQ*Ia1FPONAI#2^yx4| zxFMP@Ew`A9oP%|^IPflAn$>hO%4C1n`G>I6WYUTqc-}cqxcRz1gZOE&O?BP)DL75z z@jy?%ZV*+ukelr|@g=o7G!t95M%A6J!PC1RbUc5YZLqs)-aetRhc3=L)qFa>y141C zuU}qp%lqxslJt1=3ewBlfnH}TbKGX-#B*4x5>Ws+*p77 zEJu5S5}oB&+HLtBesL?^JIxEaK_cgQ)vT#s?TS*{-gE;{BT06CS~Si>fU(^_ zJvCaf3{GQI8{<3<7G!(UBYRxu{}Hki-;u}<|LB&2*O^Cp?UdEsv{+W6Qq@!Z+YK=1WkGJg4V>Sgh2fAdOPR1l`+|%Z?jR=Wrgl1jZko zO}T7_R7sm~> z4X^T3j$;|Kwr-BvrHn;l3i22yJl7$0JOxyM*2M{FluTMS2xW@H)$W4k8wS*0GdV@n zr|9vcLf8~6!X2yQcOlN*m>Sh24`Fl@4VRu&Lu*QffPyV$}Tvqz9m*-#d=G`Zw zs0BUeOHSRVBOjkoVJQ|(D0-^Q^g;8Pu9%WjhP0JU>Mk}< z^$|%lM6)i1x)jO)-oPa`YxLGn9D*qI%i-^ za#jw<>jv=`(|`PgPY3KyQ;}6R#&w6o#>AO%a;}hz$2Z6fe;w zR5D=!UahL^=v^_!jgJhT-8f6$piZjy@U`?-WC45=LA6A0@&U!SUz&5h5$}mv1j?!@FC&CwIwB%1q&dHDW41t zwg!v2ZLe%;e5~AakoL9KU>Ljz+f@tJeB3Bqnb?0^$fZh79s}(*NNSdS(s>>8aMxNc zGc-l8NnXX0w=MjfSnm>Ru$^#WAVB-ZW!@HkJ|7{EOapZ;eD1yz9lYfwe;tR#yYLK4 z8X(wXC*x_{uPiOx%o6Hg$aXvkTx*>Rc`@y%c~6GTli@`uK)1XV=~$a+j3N|Qt&+rB zOq%-k6FoEx?$tsi?`OZ zUvJ3$Ow>BwqrK1X)Lp)A$I08ab*z+C{9E_84b#@(?0g;m8}I&U&o4`xVR{FIz&EO~ zpJx1ir~TwTlsvW1Mpo6YbIk{6MK1q#*@-+}&eHVU`yFO9uC%l+E8;*_oOK=#D%Bikq6!)dy zDzZ%7`w8JP4d!Lf+^aOF8R#VMQO$O)=GWZX;WkYBxIF%J}hbj`m7*Zb1#tgfrDi!=G%V+JPse&M=1xvWAaB+!FOB ztEzRswdj;J5=qAsJB+o0zrwMFu34SG2V)9dcR|9S2wmG-1fU6p-Mj{m^Rt6>+Y|o` 
z%jC7XJZyT_ee$HWI`T0i1ewZtx*Tsdf6fl2b$RZy_Vx2~n;*`*>$^X$#bvu5n5gl# zTwuL|N^kvo&p~1n10cJ>ZYa=gy=j2e@HXcs306v7mgS`M+2^jnRnJ{6eHLin@A+lA zvpAJZsg8BBWAgQofAMvf-=jlTJ;hN$qOqer&zXWa9M!ob?ce*)%47# z9Y7VI4o8)gla12IMPC$n%A0reJHJ#5hhnJ9VL_@vXYfxepY5!CUlM?=^Jh#!?Wxozgz%K2*=qRlMO24 zcQr)PGOZEps7KK2BCK%Xv>2H&KDJCCe%$BaL z2M} zk7)TX0G%2u?>vijHIBWhCIPZ+mlEw^bmwU^ntD>47C}D}lLZpCON8n=#YmDv*Hi-L zCQA~XOoN6>g3DiWtx?;OsegS6M;N%cjjduL#`#Q&%e z8;L}Nl2BEtpk3nCa*SlhG^L+qDz1`b630^RT`=Mfk`@n)90}CrDJ%wgDSSIxs;cK2 zF6$S!V`ch)XiI6=c1PIjT^NFD^94pP`*&OSS!Up`9K06Qz zSW^ZpI186vvulZNpgI@N7<*H)NGwBBL-vhg*7?#>yaMS|#TB({!e#kqrNIih$R5sb zDL7F&q)dI&79wL5{y$d6K^cGDL=~f$ zP_$T>vA;b=KRlGs!$Qmntn2f0V;9O%BfD()YQ-ifa|HG>NTuMcsQ%_TPMZ%XNDZu& z4WvzXMkJP9F&VS4(4@pr4R=@Qt&jO#(fq5DfiC_A=W%`#V+g+5Ny=HM(b_j{VE zPy1E({+6JL|1c{7O}7~49`lFnWBNFOeG$L~4YA>TNP)<8#CJrA8DHVwXLysKHqWUV zOJv~fnJmA>c8~Bo*1FG&y7LoI<*NI!rm}{76Fv+my{LlO{tf?t+^c1I#S5fz&tCf3 zc^>Np{3v(vZJbk--gvmNG0To5n$P`s*kq-7Tx1qLxNBllclVf3w_4gs+$ZX?TE?gm zYTi2PYpQ13*E#lfENU0Iic6PH-30aBX{Pl&A$44eUS9;KTUon5+~CGQXL@xvOh-cN zcu(&wfVZ_=zxEq#8u`w6UiM;Kdq1@5={*O5S6|YB2Dq*Gnye5v-9uOdL&%@rw62{g z^gxR)&lmPnnEPN3X187Ugc<8!9JX7#Wr}Xkc#jdHD_`eQJl(a+vCU_~3(Di&v^-HY z-izi*RY(zX}L#n97@wCsY zKArc{8rOb7{%-GUv$(a;t-vXQy36^N316eQ;UxYKUy~&{Eh6_5v9ubWKE;Z6hSxLB zMZ{PhpN`{LZN|r$YyMXLUK^(&`4$}*U&ldtU$=*1w+pvpWK}r7=doS>)$`VnH$T4D z?@ex#Df0BUQE94J`9z$#=s9;pqx=qYRi)L>%*z`ti|`H0E&JrAyb^qmJMCWlz=y1H zUu(U$zFzFt8%c8DE#P_U^K`ss)46{Yucu>r44#*TaJ&14h+h{N`wU{?a=7w}_n>@F zZJ($w<>5bn2sv1dvEsV!z7xpXxa*A?QH;B6J1-P(q(1?4&F=&^If}<1zdlmET(%JV zb&sviu3tHVqCPVSp!{i;LO&LU-^aeWfSzegh0 zrB*U-^3BObR)utZTB5%eC}^$i^#`4~lEjo3X~nJ01s00Wy2i}aNkY||4TZD;E9Z5F zIxsS|L1Bn>6^SMr4tYi2o9-2>>;q5{&I@z4!+iP}18nCo>vq*IBhn4J4yeoi+P(f= zn2b?xkq&{)X-e!)y-1FMI3;VCFFPTINwryTLUGowgO1N*#6AO5`KJ{?A*l|iZZ@b} zW|0)s!qQxBF0df%DK3J{~mS0 zYGCk{caq?aqbQ42VJb2fl*deGM?6d_|40b_oHs3sQ2mxTNOL#&B5y0PYaTR@_{HY9 zO{gM9^JHR#0{CWE9|hT>RAlk=zKb&CD$c^%XvGxdLU=6D8dP0=LtQvjv3=u?E^A!- zmhFmkiHs^UZ!}C=T%{_Z6p#_fWeQ7?n8;%%DU2;--%+U?>Wuzf*o}qGHL9GAmKz-{ 
z$%uckQR(*vw#*$vWyD(e6dQt`DfQ*AlyW5EEyKIifuFJ~lg)q7{?!zAmF%GVG!47p zrfZ@#<(1$BYGn4Aj6!svsxp&Mf~ED%ss9w#B}=5rw1}l{<0xdHi=T*h_pOR}ppaop zl$jM4ki}Og&Zf0zSQMv5w_qy^B$Hd)|3TMc-lavDq>5hu6IRU=QNK#Yy8YL)MWfOU zqtH#ehJ-^U=-|^XN0|ZjM27a3`7_ApYe@6{;(;IX-!p^6QO@dv1UJF1!5N|R#W3Z{ zL>MfGA9F;K$HSB9_fcVR1F)B=aRg(0YH20RaeIR$4fcdY$%gPtg~>@Uu??c*BPuL- zLn;Z%$B)QiqBv3aT}aT2hQ-K?hV51C1P?KT&asKE#i^QkTQUTLb2MI;dM2q z;^nTD7OTjl#gY+~hmfsGKS~e_OBG@Li8Qt{LPUnQ_z#r?1+a9s!T`Ci^3S40uu)ZP zvxH$(Oocr2{g(O@g zx+duC)6TEo?~@a_9Sq0#y)h8;XqUKhmNuuF!B{a69!KIainM(}pIpa2i#8KB9f#%d zs`V;a(n(0J0H4$zY70h;ap$4QvG8vd3xeog(g4hKi3>ZyXmM?vH0A8qCgW=mOCQpk%^1fxNq!Op9$nIa+Ug!a+ThcfWzzseQ) zM~;m%IEjxHyM;nbMHTu(qAOesa>xBY5nZI*nwPuE?SWsq}(4Ky?n!hj-|6sv-DEs}>xY1B0qzcDi27x9cK$N-G913&tUjayq zZPIxZG7ZyHg_3|-xFNzc|e;6tRh2h;KN;nQ{$ zqwi|9n~=mFW~sK-xcSRzdfTU8kB>-P{_z;U-pu|4ad)~IxEVE`^Jo1KwKMRS6LP25 zV=hnI;uLa@yGY~mV=;jo_f74>pPB<_->2qd9^U^$)HwxL7H(a;W83MlqmI+DcRIFh z+ji11I<{@w?if3^ZCm@#Ie*o6Zq~)Bb@|pBHOKqRF?@~ILjN)MOrBCd#3!KO*}0!a z91*!**T5Gf)o?ykd+Fu^hKMwLqEZI;WHsLkxGJO<+kAq@Z4XL$0P7!{As?4#&uRHD z@arG@+p|h`biUhUTDEt>B`u>!D4UErwZM2DzpJ-J(Pb+t-Y7<|%~!81`vo~&Z^1Rc z4gU6N(X_pFrxzI@?Nu|VKjy-Fu`Q+QG~hVmqoVkUmiu>ltfQimqY4C=~X6gzSrG)0^`efsa`jTPhqCx=!7L}50L8gjJ74W$yVy4^xev5}TC)OE31qr&Of)i#a5A&Atijc6F-xgs@gL6mqfinqxZqa4%M zFR3^$IQ`?aKA;Ycc8D|`_kd=<)j&jZOrk-?VjE+}%_~|RAW*qdSSU@0k&4Im_m^O$ zh15Z0@op**T`&az3N2S^56&9>=ZJ)p-ejaslW$4acRPv-s|CZsQx@lBS^kvNqLPG7 zah!vafn&+6)=&4g?T|`|$#f_BS*Yj{naOD(M?pSybTDncez9i;Sn9|(XnNV(fw1We zMT8I=qUe!mgQ)`Ue@x&l*eFJzQ_jdo%I652srE;t?jq8_FTet2QcHENC>rs>OkoA_ z)|jA#PkM>wi-)}pPC;C%@$hvC=5ou5b(yC~y=b~gIzkRs%;sJWL8lMK%{j+vCXMVq z=_xYc9^LcSs+n<+A{xfZ)>zaoukW9n3w@;F#N`R;e3eV@vdaPwXxJ!Po?OTJ>G2mW z)4lROxxb-MCn$uXzPs~_1qc=|^`8dlRYo>%G|*d-k3MXg)49LYj!pY2#B;K<;h9H(!^N>8)Xu+`-eK^mOo}DEq=EsUOx-xRO8$HGHB*$l8iYi>IBa$!}US7dx+JPO-?s( z?3dE)6F&{Oz*;rZ0v8~PSVd|z4dl&Jn=A02oWB?nkifY&q(Z#)5wclWHmHcTbjQx#zjk5RBwO#8 z)`T==tw!KCZ?3-y 
zb#@YSTY}%BmMNo_8;?;7o|2Hu=CsHls>yt~dF+tO5jyeYE8yK1LIdYXiGWqoyRQq7?6CiJsGsDTo(nj|kM%t~J^&F6RTN2NwM8s1;yDyCpBs_^c%+BRT* z>xS6;>kVv}(TFqBKaNw7Yd=hzP_-wz-VOH-5N7MK^K-(Y$Jgg%4`tb~A##h`1LLzF zpzD46qQ>B|^dnL)j{wx!fc&w|2%v+Dp=-I1U+Vh2PfOA5{^7AxNf^yz)^G<8({(@1 ztwnslUdD6vXS4Zr4fL_!MN23-UeTD7p!+gfrwxi&l&Yv{*m_N=ecPaS-n{gEJ_1}i z)cMX-Xni`b>=RH!eVShtP4yH|roTA3c|FVq*L3F>X1&dxSHyUOMva(PB~Bl+hV`_p zyE2|OPx26K-H(K+x$)bMuGJ_}o!c5IgsYW5)IH9KI_cR;!;lL+zrkX>m^@4$ z6{Z}|Q{6cK^3~C8@^`@QW;c+irMms)M+duJH9!UPs#}-GDkj5^YSVWBONyV}12j>k z`nk+`J5S-*z|L6~JkqkR(|r)2?Gx&?7*NB-017o@_j_H`u_L>5KUjH-*6LU~J-qBO zP`asoLMhViXa=~wP-R~bc`SmxMCpPCXtv&%%n6q?KDTMpW9aUOU=p_O7&m%`G6D2` zy?(l`A9~#`d)z#guh%)zURIZ$DK*|t7cC;86xlC7Kp@snkk<=JkRi)!j$eWg;pd)6 z(cv{u2`FuZ+EbSvEm4X7xZ*D7OJVOe_5rE5au}-?-Si&!@3%RN@7FofLrkYd+Hgd2 zMlY&d^ha%Ov{T){GL*MY#oq?d_|l$QdpX;SPWGwIuRO z-FlttCc#C+@o=0roWbBu=TLCs&>T3a8-=XnEl30z2nx-~2vrP6XCAusS)scvoYEY{ z=-DMo_`1SEHaPATdsh52i6lupehtA=;zASR8_Sn+Oy~(&EDjvfDc&ISm%``JB~rmL5Tj7M0_5QM(S0 z&P>n1yl57r^v3=WjTZAyPhJuIb-BcwbgpimdzhGNo!l+4ftoYy7jnB5r0#|rm&u{T z@s50#^YYcWG3Iw@_8B7|6U(_Fa{B=}J-(eNIWyNKF8jQooFy7hPo9%ny3wjSfmBR7 zMT4!C8$Te56ivI9brN2wg1|=ApBl|+0S-3FdPgxoNm1#Hf0)p1vRKYUh?X!imtQ^e zQ&qf((1J-NY?Z7A^^wgfK0IAU{wyPV5S%c$$VvJ;F(xwv^#s(f{b5mJ>5w$n5tJK5 zG5O9)CinWe6An>D-F-pK??TR9utVt#i(tG}O2Mp)m@wgJhVx?fN_gy4f;`ixAx`Fu zEO`a>{>Kz6bho&xRqAl1hvoV(6HX@H))4R%q6F$+Bx`y0wsy18NAXr;($zYzoWl%N3g7x zA+545aYH{V-{c_L&oSgBGKlINQ_O%Xa&%@Jl}6~iCr4@4-CNGsZ5a2K!UyyP(s2Z` zFK3?=ecw}>Yn+P8+$r8BvA0yTC7gx*IEA7`%OF)=?5!0tG0~M;Jk6N!l*$Lz zBBNlIT+vCt?V>QeIRBStIzy><3qPK6$%=Ox# zTDIvV0!;h(x%u)^!9MviDQP)w8FR(?(35N?+hBFdtc$X=SUap8yV(dQ=$#3YOuQhL zKzmcvDa8I4lwYYqp9{}N#CODyZ(g5)=wE+8yTM*QY#+#Vqqy(3{g5Fxw2Z!*bmqOpOWqn#ID^mTvv!>hXvT`xX?jmRP07J*``HSKo)6wS(wUz#Q@Bsl7*N zFtOh2&fQe17x6pU;fvNK9MHb`_1G;Xwg#hPfXA9+9I%~7+}+0M`ge`;QisBA*<>Ud zg}4ByX_Pj2MS{F>$LBVBk=#|zPwO*@+>z5c^quyCIJ53XmuKC4g?PPt2j1?6_NsLy zQmV&g5e)D(!6DS}-qpo$@V<;zMEiM1MYP;E;cR$c)5z)8M|n(QHS7&f!Ns`WJeB3l 
zSIA{KgP`{vsQ_IU8>2Q`p86M)R%Yw=^Dw}91n(mpAchtH`*{}+Ve<|4RkhO-yBcxp zwVj>D)5AYcw@vFq9G{E4tf_852k=eH+d6TO-v-h zrZdg&WIAPY^8I{1yYtlxYcClI8%@>SeCfhY^GfC-&day?Mo!J$Zm-}- z_hx?d>56ts?A`E=Wz*{*v&71Zm&NVQYN^$w0rVq9+jo*|gl&9_=RRZ(;LFvts&P%R zb_d|2h+8uQEdXEb>uR<^e&HaH=KEdKYtNr&>30zOIkCyV1dqYdPY{DF@{8nL*dAjB zC_$5i#js30UA&By{A+A>X1arSbcwU@Nrtl2>-QU)!^%xk{uL$NupWmwH;1Dz^kXUQ ziQ~S;Pb$Wwn#Iv_J2mQLy`-WX+d_{KJf9|dHU~VP{C{|2TRiAl1&q5~5(2Qxoq_7>VEjFvuYop_1eo0s*?s z$5*OMq8LH+o?a}LqoaW(@uV<+4U|cERKGorD{LB?D_YKBP{QPzMmc&&ElYVwR>yDM4z54`mzw~%>t%NJ9vRGpMSfM6waBoT6h7}k;z-tSW zY5if4_XjpV$|17gH*1cyy++Ls4Vx+3fRhp8x+L~ZTgrB$s_+TNSh#Eb$5liKZqKxwm zJp@+5(P@SaqpOG7A$FWyG2Ld}R$DsqDttbS?`mOC?(zqry%(-3T^3`)nHfq5)Zm5z~@ z(z>Rfrr8F~b&HuRVkDff&etfA1XBJ0%KX^lzJ#(2O!<)D&|*)U;bdV*{r2nXQ^CBL zC3{m|r2X3B=7tf^E}eR|?CY5H)X3Eq$em#*;RyYyWnHs#+k5EN=k>t1h>68=M?6>N-_zSIaDRg1c1$I~EDv8sOQZ>abe`h3S} zG$cD+Ls>;6;gCs&k^k>a(<~KIW`I!g1hu@PNw63K)_jvhu`GKM@1R@8!-7HjFK6cn z%Irn7zmX?TCEKJhHT%K|<(BaXDzi%=%G~cREudM4e`)QudHO|$XMQ@ck96bWFhM&( zD*865b^7OY{&}<#8HXCSICLRJG~-bNwuRSbEm1!mGVX&e>BzK7wb?L{s)RH7)<8y4 zrM5F=yA8RIwK$9{QpmWlAa%P(q>B_Jb&N;z;bI0Ir2N3o5pHKuA~bw)oD8N7lNL6}MzKRIOeGa}Y>A+>6yKles91RX045W~mG7P1n zekuixLb9l3+7NEEgvE9(cDfHrL3`A18mc2Nk|gmy!7>p`{Nw9{{IUZN{v|ps3qoAA z{@=0kFqx&|SU!dd`SK^uMIpM4;Cu`DdEwD1O71w#3SAX{%e_0ahjygP41`1{wAgY} zMxsOGEKS;9%A}But7w;gRTSNv(6Hy1w zT8#j-z6)n9&gfsO zqUapMS@y<9^~v00A%X47y&JC8=SQKp(?^qzOxEC~zg-laiv|UidtVaOLL>(iY8Gg_1r|Ryt2#0!l%BruTrY2p?UL(+iT;<>S>7hy*t*mQx~r8n6fw z*#6HKXy}8ekcHjhpGPE5(I$Q!SM3jjPyDwla4cl!YrVw}e{9|`7< z{&um>fpFq02ReGf9<~OVgFUxh(=bWoX~q7@M*T24r}Oo0 z0fpzv^TC>eKxt|H`6g~$ze1whX&{Ds+-_OjXS9Ps>wx@rx22}li2cGGr2HY*YH~lN zqjpJl$!qp8;OiRw;cU{fbfsasu)yGv&~tw-GzGX`3Y3c#QQNas=l#{`YIA-q#*ykJ z|2$J|w|ssW)7cJ^7&{3z8b_cwyZv=$+h(4wzO%~)AbR(Ha)}%KeBQn6YPmYZ?%vK1 z4nXp4J@gFM0xX+8Ipu(Cb~)s-9kwl&coE6VWU#sPA9;>89JY7106s5b(c086&MqC; zUK5PSWnVb(#tNcUM3-^)RMWaQr_3bv(6|hiMOix z^AS08K%*}271`<+vjpMcq#i4>a$R*38g7W#9-qY+x3omQgI8`JGx--8?Rd7fr{#Sj 
zhtLRsx87Z?6&|0~MbRhk=j%^1BJZ)e)&KHmpsjTf(hy+S?;7vpi__2(1F@j?M?Yqr zfv}~hJ;{eCf0Sh2sLg}^g54mz^*C(teZ;_qQ==vE!elXc@jn1WJbmv0^y=A#_`>Q& z1*@qc3HY%i`tI-(h-I<%Ww^%F>5jDOcKzhHC;X=~_pOypKmHVsr=gjb{$bpA!jd-b zx~UbFf%ot?iOUTxsUZ22^vZ-DJuVGB;bHBk=+I_7@MrrQ3;II$$f0Ccb=i>(mTg6$ zVNsCwtgWH|9{2zxOmu-Ky`o9jF{YU2hJ@M3GJJhiDOn_$>p3geWUO{5LcC$g)rv-e zVW1_0^fLo0zA7n?qmVKObr5xd=0+15z3LqWZ_-mFf%2q_KyWNy*7QrVh^FO=>KnmA zd9bR9JS}+gaSHT@LjsYEC>Q!gjAR+tcV%6U}+j{&acv1Byp;D(7H0BZB13v>9xE7@4b#5%oFAlb5npu5JCcNe#7yCa9cL}yess3UGV5*6)8?FO( zqf9H8_cMi16x29|lgQfNSV`wO{8SW8gF~Nr157_(V(G_yd5v! zfL&8XjM}1=tc3-lF3?kD5z4YN8UMw;R_~c_r#KfGnxf z%LtJeg%CfbV{08HlTsYm#2;4pQ_Rr8j5#$js#-K{aOnE~LMn=rx*E3dyMD*&3sNvE zt)CPHWPg*758q(uTh^f{3K2(jDfgU@?_Fe_P7~$-?b@!aP>WO`8R%QTELf2j2XyA7 zj#3MN9D?{Yis)ohCgrk$#>1BtOU82&IM-2zbd;pY2(|>TN|ALsFD_wIG#iX)FkVS8 z>o`^NuqzMUZa}_>kNhhYHUgSMgk?#BrSr%U3dh=ndG8MgpNqeDTwxTe81UXZ<2MhB zxf%4uL~a&d<6Vv!6Wqr*lz?6&Xks4JjrGP0@;E9$@B>{P0e(vEFtK;(Y}fSq<@W3W zuD`C=wIBdahH6wf%~2_jNKpAhQ}SXNR-6b@!+eH~g$R1shxV z-;xG=UlxaOvb)9HXNx*aP&_|&ovea&s&kyAJ!ih$Xeq|_iQSIur|3F2dtyPtW@YD~ zuLP?{bSZ87>zk!+?DOu2@s}*wo@3m*W)9+y(SdY_wci{-FrxGLo@KiN9amnQPT$4y zipHx26u?g3mCtnpN_LLVEEi8k)@k1xJT1sJfrF?4Tk7aC%VqV?4TG8O&B)Z*#f_PD zWLHbuvHa1WEnsu7)z-RO4l%wI=ylrYbg9d6K8x1c>s>Iz&f&5ehWN}drmKssYrx`) zzk6_<7(Io+?XZ5+?!k;>)t7KDBE|n0^0fHQ4DfW$*M|SPUG?NH#@d|!*N+C&_R=rY z3@}#izGK@7V98?3c@^iWdnwr>NOj+RY06$Z&ed2-CSKo}ZzCqEKL|haZJg(xY??mu zwZ8}ZN(Fm(xupJXJ(5)?_!8B@?&n%UJN~vYZ)>Z~bI>-~vay@K8_amwwN$^gb*Q?3 zi4>}RmBkWlmAs{n6pGT-3Es7yys}X(?AQA0NqgBjU$laysuRM0kx%9Oq<2-spY8L^ zT;bEWnYAGIX}?IO@H8^F=!50?I*7rb{Sp}H#(6!PRNb-v8I$bubkx&n=zcO8sfz4% z^Wu}z_8dL8IIj0TGkTQcrM#m%-}clyo~?djVzcLTbbe!Q(voUH|1|TlD`sWu`B5MG zE5@dI5ThfLqxJg52Dk~t*4r=%#n4?lSy)($oyRzzG|v{Lb+u|aC0WHm`R(zIo=B8fxY&mvLm-%aHxF7 z_gcq6RxO`KU>~c$nRQ~e@qoOjyXAC=jYA@HRa-gHLEzu`>-=pRi|%YQLws;O(1NAuB@4qeRF#!m}> zKUAp|H=e}*b&NoSs7%#ts-=xLVXDaqL}seZQzTMBTMbqxOeI6OB+2Dsn#fPG#R?>c z4ycMx8f+b3VB3hMbTl9>-Xyg zp8DVldthW_NRvS#TksFwB;N#^&W+!|xAqs5!zq>iFwa^$Fe@*+hiM8%oG|&WNd?v` 
zWJ+r$F)I>5>U^z1ul`1hibsxRgt5#t!T$_0(+rzCKnE+*%u;}=nIk%K8yo!h?~u03 zyNh+-a1eJ4E@5ms(0ram6iybR9CvvjskbV$XnEHduc_;`HFESra@GY?eLuvJ$(C(S z!3%w*O@gnWxTu=SlxgEybif%(-wJY4fS#Z0(LR*ULcBaMh5SBa9yQ_4GA!?rgA|)c zU&x_2Hp7GI(sLmqR>@WdjlnkK=Oln!gMIgOBm zZz<^o^RT7K@wb#~6r#wnN+!g{4HGdGes1zjP!&GKFC+HTFpWEmmBuymfjZ(mq3W$O zWCPaZ49?(dbFl&+uqzQ}z7a{d;t*DQ+}sQUwJ>{Ue^qA3{6wT#BI#7cj-(qc_)PO; ztnMFCjkSj5-avc2!cd9;$)rqA(SM{9-^_W^T;rMwc8sO*!-hIY*9oMU^9rG{%SpQB zU91jDPjW|nQ51w*zaKCW)Io9dzN#ipeEYDJwb`ars2rJe?uQ=`CyH7KNRuO{kN)>s zHbqWEA)z_gE@Ts%+6|Yli67^yN$lLNVvqQ5K*5Li*gW6VcM%kYt`x|)2gm|G19>Oz zg5RmIKrYQdHM|Q5Oluxf?R5&;;(6=E+bRhywbsHlSf+^KAubpBK;{Dpj<~ZBi`A+M zSGXi5oMHS61EkP9e^lWUrgF#=8az@X2|GCIN+1<8ZqC75wAd=Yni@NvOrzVKpqse-Z~PX zNJ-VF-&B@3Kr(zt11BE;{!K6k3T*xbswSc#x8)m zPAO4#tv3;FA2^RpFL@Qn{uf0`Ir_Z=+OExjpCTbvcdf zFKyLMh&R&n_OCO$Kwb}hdqZ7IRqk#NtHU+V1ESw^oS!UO&V7bap0s}UY%sudL|*U@ zCq8N2x`IZ@vb#KBA>PlQAl#46?A~_(Ng!*t(JU$)l-0w(QfkW4ekU)3 z94i;)<9h362byN153;LwJ4)DGhAW{nQH!@JEVMkI_YCF-I+k+8DP7l+W@2Ev#9l9z z=e96~If+kQ9~(kdYPzqRzG{3OTP)9%%TD^1m(Q&`;fr>}-U~fv=`vU1ge~`{SH!-L zhDmGKSs#zCU1o0j?AZ_3kqI4JRrGDQK5Ln7_;<^+<2jCwR$_j8Ziu%7aok>8Z77T` zZw8YKL>p(q6w43cO3eVec(>nc<1=h_2Z{@YYeQsz#?_2TF?IdAd4dF;D!pyd%yjw#XHFDj`-Q{hIn7;1LYS6s0Zl{|Gi{z$9w#}{?qOYb&FFv z6qlXZX61A+E+eINd0=PGzDn#>KILCbxN{?Sv9LZ6=+{#+d6s*Sv=;h9laK9A+3*L zj?!q_G$qH1DYpUvM&)Gqi~1%D5na=CnL4TepZFhAW}$#0+u|i9F$)U;(&XTDk;VSV zZ?e7m+m;e&JJYsxx`c~u&@3ZIN!6FXi6k%_XSN;lIsZgBqBmFNr_Fqz<*7U;&IX2q zGo37+ZpniJNzHjLYkwyg#+f3Qn~XUI12u%HS?^pB4rl^*{1qe9uvZ%-YI*RRZg^ps zZ37<6yCL=!;jCf{d>~aO;gD0_IF}^{ExHEES*I39LS|^EmA9_2ZZsDv0|%h93rW=k z*QGUCUeK8Y*EKg>-D8L-K9m)fB2+h;C?Vsn{0*aRNbBU*}d-SK(FVD0VTzVf{qM@UrEXWmtsHPTIoy*toP8Vx}WYvxWI-= z{%frfd5YV+Kkix)i>>8tr}(dJF^r|tv+F^|GBVtQlzrk|Caj1r>%AV$3Z&6A_rYTz`~e3x*KKO_BZELaH=GoW(>F_rJ;kj(ZYG$a;<$imx`NC|NW zY^Le{>FS{rdFI2hd6EgR-5OWxwEPn`Nc;tz&>pYPN^gLgP%iQS3#9nxVWctOTM*z_ zl(|BTLhBF->+atFkALbLd!I!d)4aO5B0BRrN49D$fMkynnWFh$~&7;Mft3&Jcwmw;73u7i;|ue<*hAKGRuB zTB{BQf@R4P5*0YBH1eiX%mF{45w#rRKkF1W`Ly+xv)GmVgKvTi0?0zA&SwV 
z%pa|`j$wQTSgX~+&hW$#s>%5#o{$yiX0OC(I7(9~H^d;8PZlKeL!7%D%q&nxx4qt& zFWpR}zpR&MC)3ahC0$ZH8&JQ3ZLq?Mt+TWRp%t@%ta|369x2-{bU~0<($j|BF3ND^ z`Y)4)__tb8TC%kt@Q47+c>>mS`DjI8bOBo5EwaRs`zT#9mS65;Wn6VVE?k`jHD#JL zcJ%{3o&JET1Udm7QK5;dn6ZJmy--boig-IU&Wv#xxiNw?DgJ$yEfn)X7@TEg^?gU< zY`G>Kf;i%0?3vMuC9>3kF_ui|V4`5^Tow4)pWr`e!6$HW;>Nf5#Xp1b#}{6Om_rjO z9iia1(~)4=IPFq8=w=qhlFEm1?Zd)4rJxc4A%s&jXNpu>rE2(aRc4NwAtHar>~T#Z z2oonLB(O#_0&K#@oJ(S+efDqC|@RY zHfaA+!+Z|PA0&TwjPkPZjB@)Wy*gjgiyTibi-w8pi}C4X)j9LQb@tF=%k>h`k+Oc! z7IPa4dNJczZ(Q1;-E3ORmLfvqdm4-A>Gmt)f&mTb-IoROr_$56+_6#ZRdi?h>YLb9 zgGXp(WpUmQuIbTQx2$$^Os+JvjV6_R?(Ui_ZPN4%>vZi%e$R56yLqaf<+p4BAYXbI zf0#|Jx}coCzu9>yoTTKmoo-+RT(mqd^S!KcxM@0^X%VdzwH(Q$05&`QXivPHFHpSp zZ`iO|oTOU8q$1hnR`Kv=088%;b$8)F| zdj_7GR}TAEzVp3ja0EPn%HEH{_5kWuUmk$z{aZr|;Hqw8>22losN3ma?gRkj2L(?V zS#7zz(lTD9YVQWREo4xQR4`t-o&@&p^?);IOKt1~j1KX1q38wMcjJG*Ya z%UYlJTvi+LOhGz+n{BV<9hX?L>y{E9Z98JYSt+Y0l_he%PNcid8FK9gT+hcW-8~y; zPM`Kq|8t`Uzuaik!yX@=N0;XqMg6ljMhRaW?N0~^2P`Z;{5YkBmud%#M;U9>8%x!%n}GM# z8*3!1=op9Vg2N$pVd(o$^W+6%djh{vLkJOu$dgi% zMPHa`&Gvj;0YRT@d$B6`lhAPHSmE*MmIwiB=pt!E`%9I+at%^Q7eQFJ3%e! 
z77PHoUn+T3i;+U&E%k)LyH*mp=i4IiM50jRN1gCXLPqY#hZzf&{X{#(I^!cRvXCfe zdzEXqLYOpKWi2Q&w<^xeFrGneb&*CA$il$1r_DvA45|AmQgme)UB_|_SNoW?t$N$le9x|01 z?Uicft$NJGM2`N_Dr2WH?`t$cf_21P8a4Zg+YoE1h+r5E5uRVP`vR_u{F5T3JQ}=E zhbeT<_!n2X$@ilE`*#{-4fT>rVPq1owB4h7;_~oghaN!n(@uWBd4WHLl#D|dTp)q$ znYg@LXyJfzd+?#YXQMc372@3>WQaN(&~E-)YtE$?Vb8f*$a|_{NuOb*s3?euwK-qI|m4u^G)-C}!kfaJ06luB!^-5P%Yalg5s~J*l%2%T3!n~lcQ4gIP zbpm<1qLV}56v#067u{8R2g+bJa!kWSStT3{8uOrZsx3TDi{@7WrXfzoibec{fD7?F znx1V_7k}DgL9-euUYYU_9v#_UZ^!uqSc9onk<|=Q@GX`q2s~ zN~iI#$9&htvlXejfa9u0SgQ$ORO>2S>?QU`zJkG`L?RMreq zp+fBziNn%W@uU(ZW-h(mmTqI=dAlA)Oc+e6-3WEzio#3W=vtHcp2bkg33$tpYe~{8 z=SiXB40#SKqUz0JLxnVJeCSmN%95ucP)HSr(}Lf}L!oW&sh|(9g$hoF*oS#vwz>?=T1iARnV#8A&(TBkfO&U zX39ni9y_cw%bor6Hvuo^faUCo6$;h&Ee+}1x|C~GuFH)39Wm-eo;)lK32se*cRWA6 zcn{Cq^$hb>#;*C8iefZv`v=NwB%d^eTpYy?J8`vkzU;5D-voy8uRlYU95Bzq4E+UY z`JX-@4i)`Mxf|k$j}gC!UumDhAdPukbB9-OFiR zWkmJUpLLvW0uA@dn6N;X`e4F$3gX}ob1zjM!ox5YjOiS&a7qJQF?$~wW&WP+l(-DH z;(`*@HxbG5k!LpXvsD#Q;>ZA%sD5T?4GhYiH4WhWYw5%$r>k?|+3j;==Et zM(m9o-Q-j}dRtxO5Hy0~5H8!d7`y9NI@Wr;)+XzFNS?0K?+&wBH9kVNlu=fuowmOEb^QYYR^I z!*kRU;nTJk&ZhU~MrgGcj6ESp^Hh2F5`y@-*UzM4GY^HxecZtgsA2Q61?2X6!tr|< znFFlZdY>W#b84>?QnI@b%4-O{{zZS;zwIcR=*?dvIem`z3Ct1bb~RFN^&zTgi}z-E zX^U&0v4YQGHHYd0>C<~?PHNNfw7O=h%l>UU`8yFj=i5RsaNUBB=_P7mir881SoU56OEP2H>3gg2fbIUUcrJQO%5WR1P& zmzJqXo4d6ogpQn!QTlOm6xnX`sh*c>&&Cx4IY7_l_Yz+EY}c2^`OV#;@lMCzu8+S% zKRq&BVzO~Z|9$md6IlWEzSP27!aatC-CO2k)UBG9&*?pKv1>0S#xJJrvEzx}ssH=y zehQVf$K?CCFVE5UyOzv`_a>`EJ$}=oKBc3a4~ZpE=nV*P4w$BTM&bOLum9d$JENW%N$(UR*Q4!Jmn?_wC_0sc?TQbMyo>L&*(S`B$=0e?!~ zj<-fIhRNWsZ!BviAsSs1;yyeT^Lx6%=SMze7yFapzeTkxbpEdIpjH|Z=4pp6dxp>7 zJ8q)W!kHHeBIR<}S}gp`s1fuWlDt+di44TZODysj4zz|(ldfEcCH$>xHXT&1(#hPI zuF7aE*%zzEO@U{Q={08zBsJk?Dy=uvie8hJ&HR}#PjyLB1gB^wm@;0b+q~?MSWiFO zxS*IT?dK20mJ$sXgI~nbrfcO{VahxSONe>ZAg^wc=Dlud)vjRI0l9IL2{t3kNvd`d z)9ShZR%PJ-WK9J=|7{oWm7t5|M4~2Rw@a=WH#q~FqS{_eS!lt(Baw#N_r-#LXCI_V zzQtrhY#4aICzDoX5sEB*71(yv@nBY54bUV=86h3z+4C$Cc|u(Ky(bz+pru{C;Fd~S 
z;ibx9^TIHhL`4|Rfy-)r_-#22HQ1UYp-sDh6%&hU>;_kp(w)tw*SvW`DX8F~1Fpuv zbXJ6l)dF!$CSKg@Z?I*<28?6*%y;8ijoP4s&IknKB!gG_>AzCZftaNc!*Id_!^WoI zyS!lWvh8Pa7|pZ0GBX_9Hod1LWeSw}cN4g7q1nJf`<3{g^0t2!4VDzYV($jcq9NPdp1qN(QLMk@BLG(mU<4QaY-se$ig> zcNg9>4Iy0d*VfX&wI54PV>-?x526XbE1kG;W0Z5(NB**T#!}2ld-%r zZ$#3mV05`8!n@mGNLEW9d}5@cT1_$dk<~NELil9Ve;(&W^!JHG`gI)WTCn-U;sLNN z_StZ}{wxeK*o#>Lz019Q1&f~ZCYNlh_eGFUZb|e`TI;iF#wXmvk>AoZZ!gPWNfgdO zfIYq$2I~LGBuIhIjI_YU?Bi-=FIF_|{^m(BWMv{rx|lN`7eWeU(XCF;j1AkTP0_#J zx*a;n&JfY-TucE^scwN)t0;%P46S-RuByLaurkIGSGWt`jECb$2zdNLnVD}iY=1to zz-N~*hXJ6yH!CZCW}Qeh`Ja$v|Dm+fm;V{xq&kDBF)bzN9iKw5HUH|H*sCP#XU?s- zHQcK!x)3S=E_+YOfZX@fMAR~;+>#}YKhMdzErYvfyvli*#t7<*RF5)EiNicZ>@8j_a1;$r|@Zq(M7GdYj>B`%D ziK1+dacTSNV;4S(Czo+T0&1AQ-mlii^de)!O^`q@se?hd*p>Pd^?A#3ibZSOdg zVfEtkXtd2q{JiRIE4^p;kg>5wdh0dx{si!P`9hWDIA-zY)6pgN){MaDcOGrieX|RF zs*zDita`;*X~S^dlk`CwoyG0dq?XftHS`4irM-zc+@}!``X)ICIldoI+&BNaTV3z# zH;O_>-YibigbsOCF0NWu);Y?1E+%8_+MBuuo(c4$usa6NgTI3wesOdx6{GO>EICpg z4!iY6nE_i;CJ5aB9cNwr9{zanCmsa6Ke`i~1) zv~T}eOubt1xy)K!ZMD4RofrXi0=X|2liWCX4_oP@+qWMNHoKAM7VY&2VYJpeoNwix z_*)MLo)*+z4?L*&o;DYcItQzp2=A^}PI6jMN#+PN;N1#6zH(%}+a)2Y}wxv)lXdL@&ju)e;CM*&G7RiQ5OZ*S=+*RDn08p~yA-8!SKy+l#$f;oc2*t(+HFaxb_F&9_FCfl*jNLoip> z#>ZTEqD(`YVPG3Zj*hf(s2Jr6e^=!?f3&YW#e#%Nl3@z|AhqI7Ks#VMOye#*%p5F; zkUnido=6bGVNNWS8NN5{A1}kca2#BxSs_Bf7#LtEBz;;W_D1MB0MXD z{+6h+?2hbigvU*|K1fbshC)$A#_}aiU(mqTGiUd=6ZZZ;roJh>vZ!0OJ5I;8la6iM zwr$(&uw&b{)p5tRxzn-jWM|*}_ndp~c^MDud48*A)u>rD2Dfy4pKs@}hJBnOoJ{o; ztZwFx1-*Ppnl1aJ;R5_LD491-@mW<= zduf;Jm*_7BGPAAX){-nMO&!QMTsUbHEjpv|k-0MJWpuMY`{dBmRYG7Utk_Hj-@`70 zjD+|r*f*GIXr*YSFrW)kF{IQhLnL%R`cW*r@*Nb9vmlW#>5db zH7jYrw9T^i1xD=?$o5yRVhx-I7Lv$E0_z+l_z@SRe2D@lE*TG+|tyx&v@y&od)ijCfa1ueeqBAY&;a8Tfr9@F0S!w|1 zXh&ld^CcHj`44W?`=0JN;S=JAmYP}A&IOx<;f8Wc7qZ2nDl74m$6sPLLGfMot=Tlr z!o<8GZR8|ve|dd6LX%Rq9La_u=}4oTMusnQPV^AxvSEiDrW$O|Z`dq|^3PlJplVN8_n5Ju#=`$KqCiG$5YZUH zMwd=wUT-@Q8$8Ue{Z{X+(Om6xDpx#$8RA2&eDFat>xmkvz(WW#Ojr-brzR8;nxp)4 
z0ILI}8~=dys+jab^c;8&DU8%GX-dn=v`@NxUN~+6%hvA@G8b`5TCvnbUm_r6#LX>l zUznn`_(&omjH5orw&2!W6)%tXn?-@M#zenX2|wN_f3d*^9x9epYa*@-w-)nO4^T)z zL&pv!zg9u1qS3KbA=0WxQI0N#_)S_(0a-vbTKoqFoI1*=7>i44QuylhDPDb-U2^@g z`SL`w$5z2&iEOAS9d#;{S0mMpP!@!F>-sguh5{TZ90#;7S%fr(qzH3ryi>K<@414D zQZ4~*I~ytj;wH|oJVj!UNoB;gUu+vRM=vOXIlW4Shd#=6VDDh*kJ}~Wv05#9a-;SO zmBnNWD9y+Vh}6A+N|g?yg4XaDFgNH}9kru3be5 zyafhQ@9%%!N9%gueE}#o)E<{y!Ppn0z4&6ZVm}m$A%2$%#DnnP2YmWE3H+a3J^7@k=KV2I_uPkW*MHmA{|sh)y({)? zvi&qC;k6u}{2&r&oh7U`@Sh-abm&@K%=CW>w7K546m&k2xa%ox_V9bGf>c~xg9h`O z+;@o(peBL?9zr)`!B2R8?Jh6WuQ!ew4eJy9b@e<4%R`Ri|J;1;D7zvae6YW`2RgkO ze|TK8gt2D%3MA`zo&1`d?)-%I?Mnw3Z$}gL9{n5GoM7>-4Z3iBd~R2$B^R#;^!x+I zOHtfDt#489-A!yo+B{Kzu|J1<%glY%x7@e%tHH5HJe~p``_+>M>Dz4g$Mg4Z zMDaW>igxV4QOBOA_lN$snMYs&C1%4tr{Mm8zsBZ%;@)&h!yWJ3uxy?&;4zyw&DWTr zDFo%;wSd13w7(^q$0s-aRq8vy@H*H(PXF?ybf&wuX98~Z_~rBjf5 zPx$%Ewf`|cnBHzMN%YF*`!YY9pK991H=R+c#;EhY2Iuv!%sv3r6*gv(Ey$FA095S! z6pR5G_5%SHZ+-sM`(K#=`NjW+R_i_~DKwgPix|yi-8eojKJO!efxU5`;EZo9o!G9w zwGzMTGgH3cl-+n^S%p$fhQ3-e!(t*R@kypNw1g(P47a(MR3oNK+%WOy+5?%PAS6bi zST!uP8tIr=-bJW&&siwR!qvRUL=75W5D)vP1BTl`E9IIJvj5zbrEng#aY+cPhC-F4 z^G~|*gp0DfOt9Dk+J(^AORmM+%p)d*1Ug;&uYi-5L3gYlRHHZ-_o^MwR^Cy1Nw|g!g_a8o8v>rlv*FI?CBh zH8fe)^4(A>v441mblni-%XrXQcK)G~3#E*n&K?VTCpbVm8;0K)B-gtY#i&oXHOk4{ z3-y)0HWYG;1-00y^(_uD#Z?{NMQTJ5wKwveVKXaDKiMM4PCSUC(Q5wrPP7tLOfqQ3 zg5#652b*%D#FfUe_N(BgK?4S#_o7j$%M{A!*KEi)Jy`JA2U5*37>hFd7p~D^!h-@m zN+%_*RQ8FmrfE(Z9WirVo7!I`Nq&gND%@3Dwh_p?cWD_?8HboDWstQem1|ttqZcmp zmLEq^YBnmNQ4hsdtr+w>nJz8zHNME^yZ&OdXYpLGp3XszmVb8}LkJ z^Z{{3RN$PHBfo>{9*6s0ksiLTX~S6#Ukcur9zvNfmV`h5Oq&36qp(T~k&u*a1lt~V zKaDR{a!&6#1)JQhYA(jcE<~PApCwfwtt6t35izs)Q^K~VahO<$N0+X$R0l$LdhX&_ zja*yWOvj_@yi=N!hTDIDHVM;ob6SfogaDBmsaU2diGo;DLe?F(Vp9qAxCt=_g10Qe z0c)uc)_wh_NvBjG?#l@B1Z>i5GLADm?Yf<$T&%m#Qly(z!O0=IkmtK`R5Y(XOyLPb zo}KcW+nHLoFoJor9ewJ!hw5RAYGtZfH>-kL1&u9Fv7G=-)FLsR;x{`wgrr(6>*J2B z68B_SZJ4cY0g?@i0FhmYErgV+!e7j%X5BIKKM>$h5OBuHqs0**M1@e$>8~+=aPPrw 
zgD#0aj-%H>)1g90A*069$CBg5GFR$om35dcK_1(WyV4s{zbUe%At2c_E^tY)e-{jOB(W%OzXIPuTOtRC_L7Jicj<%<&8=<1~IB@XKkuryVu__4u zg68skS0kpZm!#uljkbRIDuiAc4P3j9qkbQ1X&MzAswC>4O6R6+lumswR2k z6j2HT1!K}*$8~WQDfMR(;c~4MdN?~l>Iv7dZUf){7KvFk9zdWVSQwDZ+w9bHU*CU- z>g#l2>+us9F*Q3;uF!TqK!5y!v^c z#@E{OFrcfN$*(Az*FKqf&A|0s$Sv6OxjlWYeX4S`w%Ki|cu{Ml+C{X$<$F!rt_>nI zT5VpNT=DhUu64v*9?#mmz zAGvGtj4i%j|M|zr(OdM;EPBoDwEnTPN*HL-F#7zgeXVOt@Z-v9Q86x{!5x@P3p{)q zJnk*5_dJMPdffWKYp}C+YYClWnCY%`yr3Ba+q-J?G|Whtw0w(=YHU zmLOAqZ+bsZz^^Byz4P?teRlhswq+#$cIMMCtAz-R8Zr3Bw>);D|-Mzs3 zlAb}w{XT&AtGh{j=l%grj&+v6r`vd)z|Ucg>$Agu8f%GjvR&IP$4Cl(4zZ8Ha zi!-pihwF1cGE$=-E-GPJ(wjPVUPy#CCR$3+{--H?jOh;` z`WZFJ=Aj>|-n$rkhDW4M=^~52EC(0dfQ*G@pLv<&RI6bzS8T&Q2VzH!)q{gvPK*ZY zZrG<|0s}ZNG~A^nn!+2SHnDfZWxL{CVA)p6vGR+Vxe$Z9&`hnPj@CM*AAy&mgA9Gp zMn-j0DQ<Dw=I>LGrZAD;4kDq(#vhc34%K zL(yG=T(x-3ZYqAGqs54IQmS%WzJo9%9(+Na?ll-fm%Qq}$#UsAn?Ak|ECtbfmXP;) zitRC^j&ot?^0+%2ceW)x8uef8s^mhqUS<2NVi(MWa?RfWkFz#4{L&3`Q{1~vH6|CF zzGQ8+05P|Fb>p`a;aYx~s#XTD?U>|U(@g)xo_>k~d z1p;q98z3y}ATU`c%t%fjk%QaFEzb(A z>*YunsHtD1p9^DP3{+?_{&C=NuqoMJzRQHz(_OqVZyhSrg8g2}*)Gk0RF5?Vvyt|jfLq4CP734@(-Tp*JQLn66Bg#9fPSMJ+L462x*EH3j|Sr64L zirnl-PDP^8xLWQ=luqF(3QD#`h4V0cYoU2?;r67d7@oAL3FOU3!1sl+YnF5;>PUos zKgrRWU;T?>vT^$9<{35vWTOn}N?qW~$ErAbCrgVWfn&*s5^!UlvicLl(96z`(OX~W zdLD>r3*tnh=gC!a80{@eMAw=s39&)RLf0C1qBYC4VnX4!j=>de8Ti-ZLSV(j!QGOW zm7SQ(#BZG_KRib;U}+o@g73$pJx>vx(*i$tjg;}7q|qt2zLDh02y-)MM%B$$3Z5qO z^a4BHx;_|lNJGkf!DzQ#-vCk4o@ollTGDZVE^jW@*v>k#f+C)sKZ^+m1G>|N(N4QG zZP(4LLZAvqWD9>cN$jS$X8D|4tyKHls6pHbkMbJl*?3jsLfmK?fldNVr2L3va+IKoUzJ`W0W0!~4o=(goci~8j2D4NGLDO_ z-j9HuTmSYQzYgZ})k((NzZzJ*9a~8gWq6LpeF0@3D@UVS-4BDuJH3QG7qt-rZ~K;t zfX_SAr=~i-<4D~!9`EDxJ|z$}LGQ*{HQ&>Pp1tkm=7MQ6(YCF}qY+E7K@Jz|X|D%> zjLQ8vk2l|S$diHh=#W1s-?S&6;jzE2E9a?aQnTZrG=ImZU-9_J5xu$Co`}DxMVa4O ztA7*NdQ7-|rW?QWTJXK=5$#kzo@+N9uzfO-Y|wG@y1FB%T0Q%^|9)Zvr^sc?X{GLp z<-PoIr)a+Or^-#w9=JQfuc_MCu}z&Vz%|zWm7-BV0J@R$TKdsd=d{CuwNq`~AK;t1 zqGLZ3|5Xcea9F7g@V&vld6`^oL%pWA_qqBgHBhjc&F_9a$R+Cb+X@GOjE=qW?48y( 
zE%m#m9W_Xc-vfGwa|dOgYquXi2W=fZ{Cl-Ii2ww;*DI!$CiMXDyhTk;;p8pG5 z1J?p~71u!aWuN!5IG{LC!4J%sUXS-a5)%qII5*79pI)FQlIOtJ_=o={u(EFKIlcH^ zS;>rbAnfRUL3FECFPhadrxvwIwnB2Dr2`Z8Xwl3Hiu*!2WVMPm45w}8MqCrzFt&*C(S!YrruqQG@j zPMN4Q{zs?pbl6yn_|XQ3JemF1AqD|0xC=Y$x$UoV-4A;1i*Mtsw z2ntb1w#7DrD{~U@k`XBS;0R0-wxw26 z%cEAZuuvaCqjyk2rrf`mA=z$TM;e9MOZ@{-U_!{i`GiuH;mH2 z%vuT(CK^PA+zFp5s;MP}xhSW|rhSq8%eX@IvW)rwDr#be#%-k>EU}JVfSnJq;{w47 zHBE>g1SFU)p0lVbF zSuK?C%g_9)bnRz8F`JP-aOJOMgThR#)GzD8Yo5B5gbVchMO@fcT5wVaH*;3^E~5=! zR}tlmog38;=-08pGRwoY=^)UBpjn3KpVKW4{_FESEq5`e#50BRjXy^B{`8!=F1ZT@ z1cm$AB&e(R4zx_?L20d*T~PM2)M^muE_h?SSHG}LN!j`Y+%2ju^uQ?7c$mMw7mO67fAdi-&hZRy%8-`D{ z<8kg}{i_O@F0vVyZHwM~Y3!Uu;T2*sQ5K>wJo(I`{L@CqzN*p_NBMTwrx88_UJb^C zFZHSg>WqAu0E?#m$sK0p~~M?5du z(F$128=if!ZgCo2ztR!(-3z*0q1N-c*`b7(%yWUwugHIt+i!aWyw4LkRCGU#DEWN0 zp)pitSk`*Ki(X^Km&EIOMMzA^+q)mN?TTyWJAMB>t=n*gxd}Wg%fFEXpo|K>zM9H@ zxp5Ud=}eIVlTV|n>i`?Cx|(TWVzwWnL=`~CI;Tmy*EQZi-=J$lm)$m6T0q~wo`Kx< zS1g9+NmX9Gu5nDo+9e$z@VGD8&}mZTe7oz6ojjo8jIajS-SUKswH;jRL8DExf5XIu(Q1FaCm*E9k%kNuo_bye>a=^t+#XWn-L`foPy41vJN z&F$Xf9+=)`uaF*)+wx{ad*JJ_Wd0UM;9UHYQDZnSh6M1Wk=#%D}FjDUiYbk z8^E`}E=%ZmB%tMW8~uTHy!~<~YUO_pjk!{}p#B``S^r1jsIu>KM4;up^vN+O=~g)JmHGiP21);9nKnRzRKsz7`RRR z*LD_E11kBuBnSGk@Vsz-l;@wOZf=$PaRaN*1s6+Zgv!0G$Vb*^cR-SFL!W{htFwVM zQdL?f5x_vquFp{&e2_Kg21Uu-1EixGdoj8?c#P685M>GfNk^Sr_wwe$2pxt_P~_a7 z`|JT)!dQ-jK(mx3xGW`uBm;SmIMwEfHBC%~Y^uXG=||<&i~ex|h>*$9n(lPOWskm-!C`=>+o~Yqw=LlgQ72u($mzgF z8S?;Y)H3bD6kn4!HVpFH*>{ zxmbJPVUKo@w z(nz*f@C~l8WPYs%H=J=Xx@`$)+`vKQtDQN?HZAP0x!Q{2@9I?bQ~VC7t%fSF%&^hH zevTEGxA3J?{-@rj9RH4=BGgzlc8($y%VT38WLm7@oRwJuyOhdsVCB~2=&3eSbKuob zuf&lv9{;CoXn6=eSr!H}DGdfg>`kqLf^tx%Eo&khs>B2t93Iz)43A@C+Xb5b=lwp7 zK0*!6LEBgN0(&>Cx)P%{)jW4$^?s)*uXd9KCnV!MXU*0FKKQPUqP!|@F|!At;z_41 z(JV^^R>sb+TD<`DTbGH|Q#4 zxu>Uqn_3*#?{-6)SUzl`wLdNJI}R?BI66@pvM3d~R8;I7b5y-WKt-(hCm0VO&8Zo6 zVk;Spr9_nOkbg~H!Q=cGe3gfO2u1rz@Z3X>hHEPRW-uDTbWP(n1O~OeAv6uDT1}-J z99}$>xUh1#I&3uapTYH?8P!Q*IQdZMjZC)@5-E}L9cqba&S8eU(J7im_!A`HO+O44Ndoe?cwWTbAp1h+1lFYDW9gJ*1fH!9!&< 
zFcJkSor^JzC3Er-P%{XqjVI65wP4xI6iFrs;u>1ZdyA!^a0N|yGLJ&bqULR82irUf zvQBkKD8=Ehyc+d$U2-sMKuOK&YIs_e03;IThwvytc`4=pu%a!nzmna41zb*BSGuh?Lxr6tO~5 zPVbwRq`JB&QPk-;AX@*G+kEaXNvq$Jp^1;G6~bR|PRX1T|9+B+>}3*L^hXC*%DjUl zc@WdKv@pN`dpXHVI>LtH3jsq(Mt5aC&{Ap6#Z0}Ka=x)Bj{o60OMQ`}IvzFA zAXHx8NwAAx6&GbSVgr}>@9_W{4uX9Fv4cKrLDGd^mz%Mv&o7J0w`ct`5+?wK7MBJDiK_FHInC%w!QX_Ra59gTqR1Ux9o8eAq^TqFAJ z|7`T!wz;R3>~R?sqSs@nZ#v$h)VP4pf~zQfAokIv)iP5_AFulG%v}hu^y!b}sTA z_#9WjsP5m+RtKu}ngRLNwD+~9j`}ZXg(cGlPbeoTf<0nIs|7XM-lxA!-FY9G0=OEN zY&D4jt_(RgFAttjTc0)IIC-qiU6L0V${Bh-!(Z@H(-}6C)?L#*3He{ftJ8UX|FNGN z&TYQD5?pN^q9XYlh4ESf-48!m53l(e$lO17H35BEeZHU6>-%kQb6y@0?I6ni^)u1^ zb%-r107Cei(Vy1ErpLB(_;BG#xA2f!b$>2?f^c9zfa((MuVrbh?+pfT+?D_J1KgG0 zac>0HmCq7c{53^i>wLBCh0`|X=uY5;!a}Q~W7nu^x?nd*Wq%-GAF}e^W7Dr5FFkHm z;9t{VeYWonnx*Vt==-$`+3P$ykOshd@=QT7P||EQ%XiV*v7YO?X3C-A`N=`n&hMDm z%XIPlvjN9_zw`+Vndd!jc1k7a&l~c0DA>*Rg})YZy7JeRwix(dYKm z^RG#k@~5k2=+5|Tk)xM)d$FS6ekM^M8r9bG)pl2|H_*V9}&U?`E~*v(l4uMevgIxz_9BJ+MW#x$A4fbA{FG- zf7b37nAiL<{Os`AycsWGbU5n-1krzj`VRAF=Rn8%U+&2m(3eZW@UUjSXn0)c&5`?@ z$x>a?X>ai(;#20R#-tP%j-LYE6h~W(YmrYLgX+APul9rb6HPw<`$7Tj`Vt#b?oMWm zm`)xHyXX9MLLZ2MHxZkYEo+w?E%_s2R;Drmr~`>CBa#6`4&};vuqqX}#T<{adF~R4 zglj$ke5MtT_ZE~v6hpA?J^)}vlMls_Ae2gI&4gO&8>fY;Cwr%LgyN5UoZb+COnwE-)PPImnUv*`nP3)Nh7{I}DY8d!6B6=NN zm2>uL^?ZRjHpA3O5RiYD>ui4~9oY93E^$!QXBqPmpsM+K9H*DBup?3_`dg+pGK_Aw zfp57IK_3M#ZQUSC_Ia+?BwbFPj)oZj37K^rVZ=P|$SW==87hiA;_;Uf#P-kl#9$aD zV=>kejaBnWPs-ZvWp`FS+PnQ;DaBopB5}2sAtn?U_D*ow$~6oXegjUfhU#%YVwa%U zkWMb?AD4}CzElpcA)$+B5?-^COE9;*ETYeH_%!#Xr8&+K5Mrn(jCdCu<9hyL<|C-^pw*o7)b^#T(7gVFqt=l7@?;?k-wpL+Wprdrz{&at+X~| zmj(0{%5z;kZnO-8`lW{S%L6*qTPntU*$aH#S`15T233g1E_>gCY|^UQ?u&mFzRJ&g zWLS`H3ah5tv7ktrmqIqS8gR-DoKl^Ta2ebJ--HtXkZ-WpXqj^d?PuxNiYiOn`grXc zBPBxNTHz9G%)zt?v3i&7o{T5ZhEX)&-t7Lpn?}9r5^LAkPbPulGOIp7G@&x>0!sWu zcO?kL)|KuW5!<#Ch>rYMQplNkj%|@wT@k+4hlD-d}W@;MB2e8Z~eW<@rf9pK$t=O`K~NLd4727LK~=?Shv zD9dZj!ueJy?6%3?$u7vUY*vS(wCpjJjn;ck zX+M`r4RI5q3^p5Qt?0bvG*INRjgCiB8>G+6IZpX@i7n#Zri(L_rRQv)Lfy!RmqwY% 
z$7T`k4h>^nooGbC_(3%#BDGc^NHJvr^5AOCQJ#QVWVKMvCMv+gCGN1wZ-;ngeE;|W zKWu3d{}swA1XV|}$Qw$dOHjFp=kLQbOO+$$qgMl|tw49*%km_o^t~!6K3JhR&pO^@ zbXKE(%}(vyxJW(tA*UZt1Xm^qk`#MmWz9ZCbd*!ndQaQh_4mW5|92)G2}rjb8yV+T zX1*IIR%<5%ig0}$J1_7*a>6nA@}28>Hn&4enpQvWu{S0pm`e6{hrVU}%kYSV`RX}X zm-_hzITo_atU?#*6#s*UDjk{jmo{U{JN^768ix)+>3GU2G3sDSdikPIpUQruNc@lp zd1AE7GM`wrh+w4IA}r0r&tJ*$qP2p;YD4#a&cuCi6+eCq^}N?na2&%0*QVcp9iWCLx@29 zDmVVPUjpU$(7*jXjn{7*I?I%-6eRew4NS-9ag1%&eEs~@-mC~TUXN~jy$s%*4Y3E-qOaDNt<9qC$_w#(hnX|zoayr+q#$P(O zcY5G-nYCh+vE2f_%vwF~NOJl|?i4x=2e-~_HP3zi!&Kz=U5T45wE%G0ZZ5|8oGAJ#QLBAl#5?q5mAXQaH%I)r90G89bL_6+&pV6Towc`QWZ2rsN;hxuxW1DBUfjg3z zdOmyc4*m~m^4C2^)uN6*e$S6-KA@y+MIB{r=gATIEm_W;fYs(nK`*J@oxADx)OHS^ zi>n@ug>(auyf6E0(qe0bCE&x$-!ZGp{cxERID&Njhc**Dl9o{L6|NSf?Vxy@LAJAb zz2~pdk>B;uYx$Y-etDw#rjzD^)w`#9X}g2@SnHtm#@GX>^OzQR+P>L5mwW1U0g-r) zdS}~B?c9%;Rhj()$C`(m$=DDRejW-ZnmJyBxQp>c{kTKlbJEK)0V?+35GytH2wquAtpu z%k*`hYX0MZdq!6WozvW{t1j&0Ld1{NtzfTr<))_x?_)#NfUBGLfow#-2Rx)#MS-qO zu=Cy?<+JW&1K>7nE7_C2L*F#1zxT;$=^Cp*1;BML9u1B|J&^BtFUVl;kiTw4;TvUZ z&sP)YqIU?|@y^{utnM}9EU(KWui)t$i0Km)@f;{BXaEW^X1xVXVuKWbiv4c$yZ>>6 zW0*2vV$x4M9?WilD8WJ%zczg5S|C<=lQ3%$S|OAA&WuMvewVMOs(-9f5>>RYj0eE< zNoY_L5^&u$ElEZSS@gK`owkUz4?Dyt@{gB7^>I9)Q}tlOn@kOyWZf%k)9hBa+*?jOUAZ;}lkAVhJV}czBLIBs8$F@Zzr)L(;D%>%|yv zRAT16Y)MQ_?W|BR*1B>NwRl9j^seMe35>DC^LL6{>>e%x{n0xZ%aJkXtIIS`*TQ6zQ2t zvoUlN^EL5F&{tEj9!yoo4GDfKb)gsFe}A0$b0XU?qGnaq6o!6Hy}R z!V3A$0CC1N6@&^pmhe?_;%0p+a4l!OJO#PN*;sU>8>?_d@PO^K+eGt_OAG2qOVVoI zT<A}aH@#Z!jwFK)J4tWHX2^4SEj zRnG&MhO*%})anz|G7d36YU6As`AS>@*ax5$deX^66{U3jG>97gpp2%!JI8{(>fsnakU1=<`^e+QKFvw_I_-bag*nLvelR_8^uTrH+$w#Uxc^!i(G!m?e zQi#Rmr;M+)wsEzUl*?#U>5t&V#4;y@Ll=7J@X1&{JtuDT+yS!MjR_X>cB)A-blYOK ze=G~+btRXibM**YB=w0GOkoO^2KHn&=E*H&ii-@nsd5?)7?i+@LUm}V(90y*_}ivm+YgCKs8B>r5c_zcK6S&sWL z&<61V;0vyvRkcBHR#hyuFz%v)_me3n2^vUDw^-UKcfwCmeTK4dwa`!;%bgXLWkDnn zU6@Oh>=btPtz|J`QcV>cjp#24`PHgQq2rT$i~bNX^T>}^3j$dz32^VNU~`UH={zOm zC5uwP35tjQLAh7yDm@hZqRmj;=8{B5$~ruAUkGjtk1-r(F3zoix-uACUD^4gT)AU< 
zWADEBNhsJZEcIL1S2#YN-xgHn#!%`Rb@K4QugpsDx^Vix-NJ?`YGacy%FxUvB`A@8 z{O8X))69S6upVIQl0{aD$YMKVAK*|EtKJ^76xcCJ=4{x8MS3<4s3Og&6d;ieOPhds zg##ka8%?{Jt3fooW_nCsg!T_K6wMXy)NXCub94~XBL8myX9<~LMFCP@FTAcn{uulB zpQ?fu*BE^sAYmc&e&XP)*BjXvqzCy2B0GzjVlJ7W=siJ7iwG$wErn#m#C+?Nv_!1{M2YQ7TC+UreSCQ_4??rXc@22aD>auv*4e=;gxs7 zcRU6y+i7Tq_vG$>ve(}!^_r(u;`s)MI!8wGD~RwX89q1Z0eqD$R|rJW@r0fWG+6X) zLkdsV4+FsH>$e??VGMgI>wD;@i;kw=ig=fv5?vqj_Gcjp97vJ2=b@9t{yRv zvfrz_@;mQ8I2HPC8?SQOkAEvVH1fU=tUp;?e?HV>0YKvh(fkeldz;95hx1-r+K;{A zEgwx-TQIq=Kv@Q5!Qs)aJYaM!W8ZC5`(*aUCSUW=C=zKzP0J?3$b_Pu>RaJwGLfMx zh%!R&H~sBE(je!o(otW)UI6s=^D+IZzIU`eq8{ie#PdX;eQO2!5_!vaX>ZiuV^x30 z^V3K59@QaN*8%@B)4x{`^taj|>pohQlVfi+JfHvh?&?00h{5;0sobDzbK3J$?xW}t z)c&QTy(2}sVVk~Sv~|f z>gIugx7l>T_8ENLE>TXD`Ao@-<0*mJAdw$K2qb9guf_!5z`~X!zmpni)3M&?x`;`K zeB-62TKp0Gw4lUdkp%x2our+jn*OJnd(oc)b}mjxoVx0GTmJdeaS4@KcU&q1V>5Et zZaSGC&dzhS4=r|`DTrp0tO&)Kluabxs#Uo$%+*JJnp;qDiyh43vyb#-JiD)%(|^xS zAS2Nql#rukZm^ch)Y605Gz!o;S3cCM93R!FqA7Q!PgE*rci4h`*-4Y zgFuzR*Ae2v)v(dFnxHVQRZ~PZ*Glmsv@^|3K|n0ZNbR3N#>S?ZhEXzCFC{YiK-<2iH{ZAeTh%mM|v6WIDi?sM-JM00yJN!Rsg%%h}Vg zfeX{%b{24+HLV$q27S}y%EYf0pE$|hP^$a^-Uc{)^%)dPQfpirl$0k|R6&Pbs?3w% z0pgdrOS-q}(#nxf%(gStVJhG*@~xZ6t&qCfL028q1Z;}adQ@RUi7*;Z>a^CkvJ#A5 zjvE=YVGakngg}0(ev~8Y+GZ*p8kT5%0^GZ90$*qQy7gbaOrT+#4xj%7zu-5Ph_jr{ z_y^9kY@%B;HpyM6z4rk6S!nhugy{J{}HLtH5Gm@?ry5zAUG^HBz|{r|ME4M&#V6<<>(LUOXfF5!oy<=$ehIpdzx)=^JIp z^nSaXQPmX~hq+!{vv9hiJE4VY1UL@(_nx20xhW6W);6b^p3biUR>S5}lmEb1Di7%; zbC(WxrZ{EQzpo&}a?{6wCIflEEP=G3ao~1f)%aAZmKn%cFkkF}@v=M%U1)Kp30#u= zPZ=ex3AS0SGi7R}S#~W-{unaH3C5Xm`J!;AISe)8EtR#*c9GKM<5nC#*t7>CqBEcU zu(0;n96?Ro@RC#Ag_R|_ z5^WaXKanV*uACv;^NMs~e+D%)p?PSZ?z2i}gh&0u<6)-lkkp7-wE#!K1zA`0OO z04h`U&^jt}P3v)+Waa3v3GlBsReN?3KaC_YyWHL+7S%63O|62_n#v0T)n>PyUS};oayl*XtaIW z-S)_>^SY@z=D%O0SMX`y+^=812$s#KRnvSwi1iNy?FeAe7CMjlQWEm{dqo`2>M8VG z&jYyjb3w(QtjA5$iY>5S8*6Tx*;B1Z%Z}NL)_%twri|Xtx3!FuQ(cy?wKE&BJ9i`5 zDlfPwu~#{&TS}VpvO>HpP!TE?nT7obP7F4MetwMq#;?{ z`yz(sLLu-(fcCO|z&jrBH1p7VAK$zBoTD4Zu+wDAG1Oxf)`XgWIsxUNM7 
zrA+D13;YO;&k7VdHnHCcm(=le=wjsIo7e=~HtkW>@RJV&MX!JWd!W@V5Om%&=(Y1d z_?t^7M+0d46ckZYkkgW4Nl35)lNV+P(9g- z7ntpyVyko@CQKY+Y<+tOC`J$y({oH=c2-vfyQV(+U=zGf?>OazG|@2 zCdtb6{(H&CXH~`qP}XZ%`1`T-jX+*!TEV`?=9l)P*!HDVs(~sIGt@5)cUbwR7>g(BxlLfU zrcteITqQ9d31%vF40zFNAj!;E??Veq{QDHqpFw=Amf#doEOFZlzY^z@vPAP$*tRFW z*)1k{lZ5XlYI?GaDd7iEL#y1%bmbDP-X$yOl~@1%5dlvgd>FS}`Rz__3G-*Hn|e-} z`{L6NIkMTKZ~|(L7u3s+0GixGUV19Zb|0PWGUYa#DY{u5`xG3xX#P-}AXE-vxJQ`~ z%8e{DYcTT;d@24$|+yeu|a?5*Bae`-{J6KddFkQ{DNWmG%t zWMN{GbAk2LW4?%!#K=;KGg4K?RI0{YsWZ--ZNDX#9?3nW(m@AR(or>X*M6w}wvR*m zp4VgfV*m7i+3wc?3%kvasW)fJy#<*E%H;6u>r&RV3pyPnC zY20c}!c@RJ{ZFkX-lV%OIED9=?2_wxv67hlwE+L?*;n4)JVC9PPE`s4rg7V1R5MuY z2J0-?X_&ZlSQZ;aeCfv@{nRO9wU0XMSXB}m5tmx3wMY>}-F>~xnIU-dA5{jhld4ci zZ0YI*-B>3Ve+u9r*MvKac}jjot`Yy0;TT@N39ywhjZM5TM-4k9(52eEg}0+LEw1{yP&sHFeR^{42MFOlta_T>6=(ahRE z5okFdH3q!a>tDh$R&L&`Gh-E{9V>k zRazI_MQjmUzRL(=?68g-d&xcnaWr_>*kpwQH*RI@uluBRiVPEX#X=KDC3};FJdK7F z2?dH;52C5Z4#cEKro&C0s1FJU42qAIbVYzUO=0(vJ875RsC6p^JTs&{x>!EAjdv87 z>hjMtMj4a*n+NN^-llU;ay)jJrzoX5nO9CZ4x8WrSej;FkVT^vX7qoLlTB_TREgfi zPtmCz&^yh@{~_ue|Lg3dFWsO?qsDF;+fJj?#G)u?f5h93B~?eI5*N6@Gl26g3V<%XHw&$URGOt3z9 zU2x^#1+}iHc1BTqGldZFycf19pr&b@!&y-e5O7+~O6C z&|L3yx#T^EJR1o@9uZYu%Dx-yQ! 
z9~p+(xc6KU10WfXj;)Q=E!8f2oq(<9O+r^a>rKM)@*4o)n3-9irwe+^=ecNoyH>_i z7n>%~Ovi`JHRkNka9Q=AM)9c*1nk zbv+#-KkhVcTW8?D9>{?>j8n>Q8pP_mSHFqBABWT5B-nL2g~2y(IYH=`SI;|DU#cDG zD_RFokLXc1eb+F3Kj%V=x%acbC^yUWJk5dF zpAIiCf>dJ|GVe`~JLMDG)z|&@v!>j$bUhbsa(KLAb=@=uHSQj5?0mtn_-$;%M7QsW z?iYH6l&84W=&|Drw@60`o7XERn|nsYOx>=)wU2rG>wFj&;P&r)n|QX{O@y>>+W?fG z`)RnU-{Ty0kN~&x*i&Zn3m5m46$3Z{Rd4mxOWU^blDJ7QuaM}bPhNg?P}gRW?`rjM z6Ty9FYT?rAx@F^uUcUhh!GUxiy%F!-gW1<1m*xL$vaftaIqY%)0oeVP6%FHljn~2X zdO#$*M*J@9av&zVbqpksbN4I;XK-u{%g3QuJlBoKysM^vCC>e-iYx~8jx(8xRGnUY zykX*vX0uRUNQB{Y>lWI8B>inkW-&4+I{df(DH%cqc#}=vY0F}2S~)jOH*+mXOtM!~ zy_-3@1z`fbP*@&+!n%28|9}Z7AlvZ>oc}7wHiX^ZIn63XmYhX-zo1AZ*NEE@rPKmw zKy2f-Xkdy{_L(-*QcW}}0ntjqkj;QkrAX&o8Cz>Qg2)f;&u=d`BrPW?_nzP7^#xHg#rBR0fAkA$$cm% zTuR$`om{O4f?{x46G$hId6<{z97LI=bPN1{6E1$~EvCRO7MHTkEfQl~*W-YUYVfz^ zz9|PkJq%5V)UCIca*w5BOtSy{Ea6>;Do01*Pj`v-F$TAdKXu$hm`A}YrlFvPV;Ybo zFwmNh(6<(!n}B3IgLA*-YyLS)lGUc2E1LOD)}VN{J2x|-^i%cJg)m&XN|W&iB?mB> z)PISjbWQN0zU3N$WixmJIpVHS>&v<;Cb@7)dLsLvP@9?3Ce2?m(u&Wv(nSjkGinN& z*V3FaSyCpLh(mH5X9*}!*lk%=+?8vJ|F{D&0GH~!a+QB>(xCsX8V8EmU{u|dI<)n= zQaOCIjB(-aos~^zJ2DKy1ehxnixs*Ps+&czQo@Z@c&Bw^rvZaa4LV(6Yv2V*$~=kj z#^kJf8I_%S(QxvSm_$u12rbi>T8FC~A!|RQ-Fg9k@VH;i$9KiB;Chb=k;Liq`{Npc zVR^}8eWau(UAt&%SMvNwgS2KeK0H`@L>T?0aDadin<5uY+mfC6HWzxhU^hO%tN~wP zs6IirB2mz0jvbFTb`0yG`j%sfB_nkV$`xkh+Zy~7sHzO}6#qTc* zbb|wy;kOcw1yL(Ru3@|^ziDSi%S|b(>7y7F(xa0Jt1wd<(vsGyxi0Q%Gy{fc*)3!v zllMr8O5&2)^Gj+-07*qiEY?W`q82QlB%p235?75S$O#OE(1u0GA5+092%f%Uf8g?% z({rbtSd9ERof(9Rz9{6=DOa1G^BDFeM*=D9a8MGz>XtpN9~K-rkhgsm0r?6fai1w= zlZF9X-7w^cp&BWi`cv zv#hT((nA*LjW3t01-Y8XX)f9SQ$RVKA9C9r0S*ePe}Z)Vx%Ggw?wieV_xKsWhAKt{ z=P`dU5#P-qy*+mRkRF;}Bs@||kqeOHjd`_>N&gn`DT(^;xk-ffZI=(##nri0;pXNF{Jvq&s z`}uBY%YjRF#B;714zilPzu4*#S8A`k-z4e#y54iTP5U5rcz+~ab#}CzN70 zybojbyE_#D4_@3Cpl3xV{c^_6C0#!~<3jO`J;xLVKQb@3-^XUx3v!l3o**-_$Fa9s zU!dL93zUN1#}RV|fAbpq&@k#Iq?~%kLOrW_HcwqX?E1UozSz?{SBBNwqsv5_{h+R` z_9Ng7aQ^Lfx2oN)VN@6(S|BXv@su@&LI?q8rA)U;yL&1%=5#wbnM8O^7iOXo3xK_} 
zz3sQ@@6}tKu5w~qt)o9;IG@+X1yq%*qO*MstB<3X?F6lg3uA~H<=5=`W#!ZSCg8)e zJO>G`FDXOW+RrNmE&&BL!K>hT_d7wCV+EXHIb;IPGyfP}kPyg84cRu}j z!34p_J9Tci?rXa=Kf91=n;^q{3Ya^c?-?5HOZ`O#VyMW(Ey3a?KW~*jzWJC*F zZErWSS5|&1jZ-@*4|VrBU63}9M)EDc)4@(@`0I7;-L*)vi&LxZ=dHgzR>K9T6zU!4 z0n`yc__BOXHmsg~#%_QYBT;o;(_g>)?p`r#LHr^i+dVIK_3ztV@&6$^ z&E+Tk7BlxU&H>85ns5$!MUWf~x*8yf-6fD%8Nb)J;G3O3wT;5V8CAAbFAtq zi6o`GBFv-%dACHNr7#)BYww*U3DM%qKe)-`Uv;L< zRCH{FG5t#9Mw~wtP|4CO-6OBt@`ujN zhP#%3SNVW~OiuO0D(|C-Nq4N9hkjyRxcQgbb0Bfi`)OmqQ3YPLHrG^LCguWlT_%Us9Z-*@l?`XY(M~`$8mL59SAnWZ<)^W4;9`fbSo0~u z+SjOLZ3~rzk+Pc32a?a0Y}YaMrgWL^t3g~^$?;6quT}|v zw4~_NRAS_ynhnZ{s|gHb|K3EI0R9g~D*QJk-{8DoN(+!J3jV?EYUCXOK5p z$T)=185*o1AvvCOmgP!BMj<*;%tkP~NKJ%!#r4uiLqx5dXhd-j(EW%|jppD@>lAqA zhLnnL3qmwYE|0q3iaS`|{r=3-s3#+Fq_LDbP%WGA;{R3Xvk)bLu}{PlFW|<0g^Hng z!E0ooo3zsCEVPvQdAd6>Co_X2h32X_f&(jreQAtPxhv$WXNtKaVVlpV=smXsXa{oPzDrHXo^qGqY&Q*NSoU!lx z1taMx3M+DH+cqceB8<8x6a>W?E+d6$ZbEIrby@JU^B+ehj#xuabtQP6WS{Yd*#8Z% z12gc>SMG{oPpIz`Q^GUHnz$QM5IyN1)r$AhWSTK;jcsKSf_dXio_y)n%fz6Xrzv>Q#TO+Sx%oI(dmm_q=6`-1ew}|KZYH zSE(6evUMz*d&J~=hqNZP`>Bos# zuL*Ym6kh`|4nSG?*fA9R{vi(L`V}07L%QxmfpFY29S zb1vL=j!}>2yItHW%66N9+e#aD?Xs1??=9(Kw%%5aVXk|9giD^LS<$GVeW|dN*teY# zn6H}mCH2=^cMoHg-R&>9%|r=p0)o%z=XXwSJf=^=uGWg}SKE*H|ULJqUc6a_sHcrS56oxR?Wxb6>I@%$`2 z;NzS9bCeCD2w62xnLLvXm1VYuD7ri%Q#tmFMyO%O@!GyeX7 zAns2OaZJj0vjhnEoL|v1f8e@&%9GUAUlPs;#~yRCY6ft+Q3c)KmSp29J37T@@bU5U5%ZHWDo z?v_5#z;4>7RX%3Z>wMhzwaZw~af8~AG~3TE%zV|j`an?6BSbh{+G=uE88@kF9`1J>mSx&jUPbXO}MEss0ov5To%D{=2}f>W52nm|y$b89>*g zojrTyHVmHF<7OO zwTQ953f24p^RnE^H2I}!!|6YDtW_HnB~X9O60+K;S0@rkHfK$mC;E$H+Huq(hjJk> zrPfg@QoA(bvT&-5Ln)30X}|qEb8(O()ozLXnl4r1Ry&|RYcW@uUqI|sQ+-wzh7(eC zfMrOP`o+S_f5FQhWOb zd5z~PcjH}2mK@?cDUZZwm`vwSGo?w|n7U)7vJpQ$eU&O6%Xs0fVCZG6M9TM~Xua1; z95zZO38Cc7-4DM0<6V{hJT!8-7-fWaL%QnEq(3qfZ*NnndJ{3pXg&eI0}J=EVButHLZE}IU>!ta z94pxxpE7(IKOZYmuXr>l^ZUdFj&>yH6xdHL@^1r;PU;w$!m(2}*p(0zLYkR<#2#GrT({-mdrwgqtf zzH=@zz_VRLg0rJJ~QZFj%_*rC%PSn-H^{a|ADv~0>|mn2v~<4 
zuU`O=>Nnr|{cy@4u~LN=Wvj+Wn~8FVBn^?h=8gTuFn~zu_>*wW8j}%=H174bbYri- zpT==;;OI=E`F7&jAp)T`!-2yUZM@qho>+q(R#(&!z2p!4hB`gOl6hYz)}jDMkS%y>0J%qz(kdvYA?)r%q*D{n@N7{xg_0YGhAz@ zog<*$e7VS1&faxRu^VK^H6cfa!vgE}t;NN(eT2;SwX^Q`1jw7&SvRm=C%5DfS=`uo zf&L8ChK`@+ou3>foWNzgNIYm6X0wMAQZyHmn|-Mmk~vp4Xe`ZiX6U2xyg#3Q1QyMtBau5-JJWziDg29ofX#_qxc~r0XTT`Oad59Qca{ z2(}bBW;nYOzO0d=^%@-iuRL6SV?o&ekkSCN|Gfs~1iqh>Dg@}g0$))B;|Br(Bg_eq zAV17^_~I{L$PLjxOqCxFjyWw?!t0%m=h@H=M-Mh~(;yTYqfuc6Hr=@_p1%`mvzn);+ik*XKG< zxS9AmUh^U(_GaQXW20sqUH+;?=Jw^)&*?d9O>=&J#;S=2`Q@;dy7Hc)bMWhUcl}#L ze;DdHb28uo$lgri+fmqd2epj(T3J8waYRK`;`Foz;;ydrIS)wzxV-$8h8*zRQXa>s zf@hot!zO~5bpO$GzFc@cRp{$KPMBT$gmXO!+TdRt%})t9e*B(!`nF0Gy3Jd?#wi+l zk+`q@?&gxXZU+9Cbx&6|t$?14t?azVHqI{+{tV&o$M*dwx7+BFNP8j%<|L%}ncSQT zs$T%hqiyvaZ$ZUxcMQkz>Qymy*WUI^tle)Q)nlEux3I8{+u1h(x%17=BM0g2+cDzE zS~iW#4&7uy;Gqv!xAD~0wyswKvCZ>sO!P9rAnMlpJmZULF;BazTE~ZXRt4`WsDF2@ z0X&pOeXj9bPViy^%~X{mb!)sHUS7Kc4}beAc|L}60!pO`T~nZL4&Vh`L+$|@MwG8@ zE^Fd*xYy!2O%LehCN;RRg3h-@-H`fQ<|e_H%L`+50msdzjg3w!@eNQh{JA_9^|ap% z|4R_+_IWC-(uv8>J10MAm|5rSSi0kVBB+-f z*!g{e=p7T-p0fGW;^c;@I}6BYd+~P~Y4!Ra9fe!^-#VHU<=5{Qiti|c)8+DUC;i6u zsDg(zgQ%?^{+9D`)KBj8(NduIAeK`id0I^HLqdQ#M}5!J!NVfOvE1nWFs5DgxrG=1 zBv26OIoO48_e8~V2U05(RDJ%Sf5mgA`cd}n1aay!8)-(Mo+KYjTB^Cnk;aKOV)~fr zm{H?CHCGb++)v+Mwv1Imq$MQ>WnLN11-HEoCOqfo8R*gjsC*6?Sa(duiOfp#v8*qc-0CVx-mHPj zQw5t^91ue&_0(1|wDAJ?I%SdF(-}L0M#rZ3poqWzXYW$}##jsS;wWmFnp*{Y2lxdt z_Y)F?3rdX0eWhtu!yzMB45XEMT$8t$Rp+N<%a^7|5sG-XKjkt<5ZR(K*kecYWSDGb z{&LLq1!j&7c4?a4p=H|`;(hrun>h9pQ}g^WE&HlpXNdWWPM*X+U+4i09%oWsWzmqB zAqV9@0q3Q+B@5L{=KZC-fk;uBf{tVew6LZ#Cm0E~X_+zsEFyW|clH+5l+x4U84G5D zX!>Ro{~Q;SxtyU8HtCu1QB0@YWQxGS@z0qwRNb~(u8GRh8(8N1k;ThL9;_e2o3uAp`%@rV@ke|Lam& z1w|0(%@h^N@>__UQi~&DwNWgaDig90k=AM~&-xn%*s#;iaG$x55-vWSyP%m<$mJ>~ zm_)g&$RerG%@hi$&xlbDIyzyNkT*rIm4vSN80~QCu3R)mICRSXgr0Gxvk|5vsN48j z4)@_xB&RMa8N|R~QxcP0wMZR|8E93;^4purHV*WeC?SZzeJaZ@$`dv%7l|XU{$7N@ 
zWtXq>aZq^RD>drWA}Qyk20w;eVcF;9f)lERUzs$8BU^dgYSXr6Y5o<ai>8Nhz@F@JR|kLXw%dw;U!d-KuEEAC5rx&Tj(!$ms?>_o?WtP3qsNl>c7L0{F7;S^>W#`)I#i_mzu@@pcTCd;Mk z)bTSL`(>@I1%uhbFa14=5oVnGRwn*R6fHyIfS2^Y5lSJxD*mwGgWxdEkA=b%kY-XgsO1s(xA`Tz~R+VbEOW!8Y0Zf@+w2$fkq93cN$(F zc%j@fI?Ufv2gajT@(OdmNIi`V^`_CqfZiH)-Y8d84v78tuss99iD)!78E0RyYAZTj7iTr_BO8aSboj|O$`qd|T9Xi%|wzoe3c ze@2jjbU`w2tlgg<&a`v*d^UH7hMAMP^PG2$kF6h06klWQwCpM)*-wdVyY2_&bb;{VUESwW)vipQ zFKzd6mnqiWMpWATPCW#r`}4<}I=ZJ@NmDIX&raV3jLO+T@E~=!;k0>MAB#!CYry^3 zax$+mnDEN@LA3kzUB0=~<&<3SeUU&O;5Ftc&M-~M4HNR488F*%u?nQHO6uI!+V9Od z+TQj6T0QZeh_!Z&3#xZ?y+oRM+xG!u+t!RDyZf4LTi!N_nmkP!O%EIRs(24-&Yi}u z9iBo8^}Af;uP!nG=CNvE^ZUy!r0q79jfXhUCT{+!-FoghvHGhiPYlq#z~oZmk_VyW`V8 z?AKeVx4U-tuNl0?Oex=2_l(W~Y2|h20=RVOkCn2gGTQ9_W z$8A^du|H?CZ8E62qicTQNP) zucr`qTwZb?9dCOc8pAK>{aDtXc-~!%w6oJk(N);CUcYDZGEAx;V%~HF?WDpyZEo>7 zj{@)MRVq}ET-|<{98Sv9Z#T~3RzkW5A=S%%B+%dvh(Y}=q#W;K;)(_TkNX9eo4UIf z%{p!4EYpK*IRQk&38YqeV2SpV&66VV_hEU4i%H++S@j>)y&~1wz7j(xsHl5N* zXr;=~uuu~oZ-OFB?5L5n!b38%8^!b=bV~S7DAdCBM0u=@v_QR$%^T)?D&y1uEV~685)92 z+qI>D-qEvn`CA3T{{OW%mH=}DK`x={&4 z9PHyzg?g660iu~IIJ_qR;$)M>5O?34Oe?&=!txA3xJa=y`F!8jg#5MKJN?jMphQTN zGZsagwi9|jG8Mwk&gw2~La^GAFDBMr;JDN*Kip_7Pa@ljjSWpzxa#6&ao*0E!=0S zmFS_O*h=F&T-otqHgbx)QBjXG4Fi}#4sNC~#c8Bl14tf4nK9u-CeW^WFpdaJCapZ$ zBdgf|_FEDC@skpvWo}>%X(<_K95@YkxdP)!vXX9?EKR6+5!@!6yBLO2(WOoEf>*2q z(pqtT`UcMBN2EYIVq;!4-1*ASzeseS)+I2JhQ;ffA%-HsbJ`ZrdBczP>$>t3217+J z#4Ea~RESLqYJXBbiaR+-YMGxlP=tzt%Bv1pt*D`ChMz~e0>ML6AU3HfVW+3o;OXX7 zKOEC`P#A>a1DT_giITqAk$m}yw%DMTvunPC>L)8OEb5>8KVbUf3Q- zT(~~Vh0m53{=($3Y zp5;Fh?>$2Q44EW5%=e)w*#xGIohBBmyNE`8VNRB395PTz(Y$9go-6p~k7Q8zN zltigl?L@~_Fqd(Q`?K(6BvY$bmomxKi5!PL-?WRt+!eO(k}5oGm5Y3Vb|xsWe!naPZj_$i9%p3{XH2I@BUSxv)k zHq=%><|Xx#tQYSW958c09eo}sDl#Akc}jdN+K2DR&cEoZ`R0NP^8gh#m&ly&$ zHFs9i1i{zOis4T$r=i7To>8_rIk@OB zC|;6#aW();JQyMs&$MoXOfQwI9~Tvv$gZSWl22yMlofesx{=*P37>VCq1l!8{|gbM z8Y+PW6#bC13P#l*eeQrn4PMSxZ~L*tj6)45gfK{&B!Jsh z-k=S5Z8zVhS@gXtKhEiFbU 
z*wyoQ^V+XZ;r`0qcA7_D`ozTh8kF(qDZv*8xbFjg*Ij?RAvwJWOUY~7;XMFU-v{L{ZCqsa z&Dmi(9Y^W6*jwE9c;#rHzAImKdjrn_of|)Z%)?#v*zkIdY;PHRK2)-})ZQ$^?XP8sF8&zm_LwUfQK)yaC^x2TUT=7ZC=0N1HK zLV?CBsi!W_p3+n%|9>X1`c7a}t_;Y%OZ10BobJ2+yW0f}lMF8_BhgSY!IjT^2}ol82u%b(g5(A0 zsM*6ddjrFCG&CTrA2#uw+R{TJTvjD=AtIEAv!w}^YEuX|S!od=`)ixH)yOBHYP*;$ ziXL{6Edf^Ilz+at+z56H$3nao#RZBM=MdxT>B0m#f@7s`=+0U&Ym`bOUD(D?3A8#= zR3Edzr=48%qz3C*+9ZLc*>Ue`!SAUBeaGp>VzR9;iT)E(#Q>u+k?z&mdf7hKL#e2k zi*(fzQrm=|&VmAX%jL+FxN8Iy3)=tGewC#5McdNp_nUPYjTA;!q~6*SOH$yozJx-> zI8ub+{y{36KvS;Cu+co3;1JFdt5+%J)W&^Ihbf_@s-)q~5e?d!m^bnHwabTsAVjC! zED&QhZ=eDZgIp3Bs0l!~S+G@}>)==xN#tz>=yr{jmA?Z$~5-riCTqd>9RpvQg zscN1X*rt^8Gr%@~&0N@}IXl^>`vp?-^nE8rc^S;r86J$`S)GSpLs1S5MIoJ>VKN@i zFb*5|d%TWP+VL-gG@54?#RG=rN#`<}P}nEZ2OLj-G|$l<6aRo4kDdLaoKM^`Bb5D} zW&+cR!^bPhO;37W)xekLWOU7!;CKg>l~8moSgDVY|XxLI`Ok)@%X z0C@%4gZxJ=i&(yqI%@6`x=Ru-g`%GBUu4*7B$cjg!)`al|Ngg}BDz%CZhx>#JkF$%SGVW;J=pfq3 zd5?3%B5Q-zFglaU(Sr+ zD&dg;Ma9otV8))SU+my=5V~a`36LmAIF783D45*E@h&CB1*WT_Y905~N6Wx0T-BtG zVVL23rR9(V;nO3g@rD)r08i-LZVSA&WHi?OXQZgouZuFch#i@52=$^VL@{FzCRG&h za=+x|;I$5OVbMex#D9{Pl;0x&hBE%dQ0^u3)DEq}vRZ13v1iIT^3mn)fBVY~GF7(n zuqSf(CI7qL2J7eF>~%s`UEOJRsZBHbUrV3f@vMb85A(%=lQv6VC;uZ)9oH7q2K`D)KODp@XqP%Ie^7IzYObVpZpADsD zoW$7wOK~(TtJeVK5?5k&UnrSqBBfPtmFnYqahgPvavN_;w7~XFRE;lf&Y3tsE6W!l zYYO6c(TLf25G;d0KBtfAU(W ztXRJjnD6x18QZQi}*pcwa*J-hEMhi6nK5HWQ%@feM*OH;1 z>GIFy&Gym@RsW*J&CTnvYTXxfx2N9e4Xl0WvI?>Cc^+U(dAlm%bMZ#WOAr)m1HK+- zc`jTKP3s&b&dUqDRggajAM4ycz$_3`H#2KOZazYtD;kEX#u*)>8h5k0b>ekB3(0Se zRF|jdx>}zE&2*f^z{vu!!~l#=NSyCvP+0ffr>FNZBc~K}d7*qJw4U&xHn!V!TEK4eWy(`K3oLpLQHDT> zj{rBgCw`_6Iosjy^l!sO;fhb%!+s>a7{+>PxfV1pi$Fl(hsxjE900<56ci+F<&0O3 z0`G{uem%#UI?dD|8tDjN8ZfDU4Vb_ixbq$A(`7c@ai~3^9(A5fYOMHG&QtMt+wnL4 zM{(R>oQc^>y$S(CI6|naMUs^$`V2Kk`xsxBj7vS1)Cc;SuA|&alX-ehc48#Op=mE9 zW?v@IRFEO|H+Pskf$wy1s`(rYR1GWaCXE$G0fWfsXbFj@q^N{T1;0}KUvMzndgUxd zU%RBce=-Jw!X(wK>5rQ;47_t8Y`l+)&IiM^l&YpB-Lr2&Ndf#;3%>SGGaa@1si2%!`0yzr;g|Sre?NJ%3dFgtX;pe 
zmyqWqsI>RAJ|UO;nlyw`k~Ow4wn{ZKE?eBYTn@oG9{43E(?lmgI*+`+hAichBKF~IwdFe(x^H~Bhep%c9(nFK6=I=WJ9g}Op>?^Ocz&+rh-(!p zwFJv%HC#~JnXyCQHx~TKN{LL}nK(V^%eC){6V4Jp15b^Z&&gM%3I)vPmDOj|_P%YP z{4(Wt_^dw6cbPXzdTR7rgT_rdj&#-&CD<{2jqx)Bszww&&T1l{hJ%9v`5aUmwl1i@ zxSlFa_w~GBZBr`|(c1)%A|%Edc^A4Z+Z@Qgo<|K znh2*ReTYQ8smFV*V$h*T-33*P3L%_kB@O1}FS6XtQ>~E!TGVfM6emmbE{<_uq#c-^ zwudS|l%wF-N^r<;88UoY^FEWk3&^?6d0rp(!!d6M5kfTMz%?a`2Dp-qxgO5JlnWGt5 zr^(({Mlkj5EBULVn0+%FGhYsHN{Cv+9V1wl%7`v0NR$dmpNY)!ttDAA$@_QOQy`)s z)-LkYP&;xsY*V62^wKNwZRz~0RXjSGoK7V+&Lz|Ax86_zbHf1&hBk7fiImmQ&o{bs zs1}1bWpoIwrKmdu%eDJ&ET@627u@YkvW*j_J+k4}tn;gwkn*az@W`)Wdn>45l(3#X4@&^(l9~Ugvjm>or;D0=mg$ zk-U%}X#dKZkpW#lj4vlk26TU~kq6RLa5L3vYu)Ir# zH}^?Ec3}*3PWAA+ZGz;iWp7{+Slt4ua8#lwU1}I7{UH^Zr%iG4EcHjl)2(GQ4J|V9 z;VL?pg*#QUn3f^O>C^AQGj!~s?4Jxs1=9IKO!Q%%;^!*LG)yXgs&Yo$qf})2qs0bj4$ zS0+C`$IBLRCjO_z>D!!yZbfhCe46;cnFS6Rs9DBblpdhqAa%JPD@5`g@C+}8c5;8X z?Ft!UCZ@bSeHF%Q7zF(07x!2fyzks}9nC@Q1g*pnS5opP=j>Ozf_B>KzvipEGx0~S z+bt*QBQF+LZ|?WGJ^CQKKeqyxpBLMpH~IG;2LZlkiB_QPZ7#3V{*>+4sMqZq@Y`5y z?CZYx+WY#K$#ztCUtq@9w_cw;xUq}qJJfI8FH_Uh3Fm_1HtTj0?OV@7t{IhIyx+Fk z#>fT}s@ji(yv$O-?h}lB^#UiA3EAtQ%3EgbVt%+Sr%ld`8@~MB>KHHQdJkrOJ#SVg zpt4g{tAP7s?mIJaB{KiRzRQvT_1o$wJo@z8;fZ^*F|(jobP6W3fa{YT7mr6s(oWbz z29u}d)BLn6aV95{w)J!~_sK=lhR@UbRLkv-3qWf(s4&r^nHhLCogMDh@%n;0{hWAv z@ddm?j5ocM!^A4ZJI^#<0X3AI>AhQ{M-ZYXS3Ay zTJ1T(N!ac1QgLRZ4StZ4-adPNnzI8xo<2=&z)-{Cb{W}>LkI+P1X^y2>rvHaH6u{f ze!M$B`Y$hAV{LC-hcY&cF_SL7H@}@U8q00FEmNv}v$NT53<90hZUewIfXvRh{*81q zX2*BI?k#IcrS|tj{jSzo^hy0p_jtnxE`G>Sf6f{IO`j3!w}*Ft-OGWUp9+szAz+V3dMO>Wa8M;r!C&+^nV>GjH^pAo=oKgDG>dDO63-3^Q; zTGoDtvmtuV8&9=j0*%+bLVz!mOjF~pc0Tj{@LPT>NLgDQHfnnJe_UGkpSOt}_n%+t zt2}P1QYpnd(dr#3&-ch3TfEly$h}~IG3Bd2 zm9nz&`Ct$tvSK4d@$7nSy$#283k=Cg;WKlb?@$magXF8F5=!+{;hqtR>vEv;z6k^I zWwRcR6RScJK04FN!CFDGy|r3G)95#WXpx#4P|C9+GFXiwa92;-jiVF> z!-)ihfxWG?xyj4;97Y`56Kq+mXRDfBy`qJ^BoT`4QektUdl_0^aIAvmHIrn>L>I+4 zG8{@AD2gnx4d%u;5d|0%q+Q1d3PQX;t3`Mcs5cuAx zNdJQ*Jzr_EZ1gABIC6BZJZGPCDHbM%&`$hPR|vflU?60eY518=qqvoRF6T8;_9^`KCLjGO?nR(B~Z= 
zX+x=~AnLhsSeP5B=1$o1nHQaTQyd|U>h)VI9R-X1NK=7MFhx|8vo2^etv1g1Bul7E zUFKXyJ6Xr0cqdI@Sg(n3%BNL76qe;3st_-Nafr|Q_XJD35o=Qhr$9+A^6yyzELJp~ zDH*w~gk|YO&$RNXVK8jTdTLAI0IWr=2uad9zN)#fFY6v-e(K~I%ZYTQ@839a(cFke zPQoKP9H|x|obe$Tzsvy5e*vg*p%E(Zutm=-^hi+1vlgVxE0ZlT6x8p(MpZ@7;XTP~ zI0oRqb34W#jV#?g4_KBjwp9(MDSBYw8Mh0Lx%70+=AQp<9AYJ6k$F<#O0!vkfrD3Q zkXKasA#YN@Xgx#Cj~Uqw_qr=M3%2(=))TknAOfX*+k5lgU1;=eeGJp2aSBIjTl60C z-TUlNKOa;bFQ>Jt!1(xSdCYz+SJz~$kt@M)zK-#?W^oK>y-L>=a--DD1&)Pu5*_DY zkhU}Jw1<5PE*UmKF(Nwr!#x&X*`gN=VHCZLM)_GH`>jMnQsobjJK1bzI&q-q;PfxX zFF~}Fb>%!C2a_%A7mMc@22XI#@+P``lWd70T&HClebDwM{S5RtG&4JB!cqrP97wTG@_O6r`oI)oI!(9sMla}TU8z+$sIs7X_bR;B0O z8Nn=LRbiEC36-g9gl8VG{45{AE}oEHFtf!W2suk>)l_?>Na4}<8ey;bkwtv3{gg_= z+3g}9n7-Y1EX^sHlkm);kzEX@NirFJpOYq1g$BprLyRxC64lp)*g z;gkJ2`9DodddJGSN4&T)U|bOoi@|5s9~~PUTG>Xj&w;Zaw$%oXlTQ^@F-4F?+G^@z zokwo^qiQXK1H#zk8HjBvk?^0Y8=@m~0?F^O@!yvHZDlRtyJ};OLXM(TDba=gjD}qR zTFOt=n}e`z%CSifTW;Yad3e?<)T!37(z4d6;&*cGnah|^z3vs2%PqCMnc1J&8cjV{ zq>OoU8|N?#S3b<^i9rRb!9XTMbGmrjZ zaCR*Mw}PoZgM+~Ens^TY4McIpJxqUK^|_y^z}qtcAIh|E9aOjDdspPOGGw;)VG@x1 ze!Lu;{c`JLmDzGK8BO1I{BD@C);`NDcg>Kcebt&#I-9g!)!p{-R!Is_ZamdRH^VvO@``yS> zg8YTo1tzV7-Clb0=^=5}jX2}2lx6)E7=ds#_a<^TZ+yE>rlUXhA3O8^CFWdtom`azdm3#8U8a}0HTH_HukS`E zhc8?9RT6C_Z5_>*Zw`it(yR+X2`)*UC8z0 zm`~EUwtSY;lC+&Z{LnSn1k@aC^WFQ&Um$kVb9(- zzeWv{VeS3ITLnYZ`G6{PwY;v|*x9mNHGRP<^1bD4R2ZI*$w}6}*OeF-N58;F<1Wy{ zEYll&I9yu3&B*M<=kqLW#o%Pv{V;Q0f7QOrW?$)H1wl*QaGbcdZMj^*oTBem8BuzQ znR;7&TGqU{7&fyryQuw8bZ`me=6&PIY})gQgz{;kec0}?xAy`h`5vESi3)MOofjPY z2E3q$7i=4toi&cV`gnNGQ3JYmPx`x@Hoc}FUQ?#ly_;cTceIj>yUpMI&LEKf7vhuq zH~5TO$bXi@OO9f-U{klt3vp_*hDO|Rv*}2lz9Iw@<_&kruiX3f0kFogrM45FnE_Y- z27TsdWclj>u-E`FSo^#F>sO!AVh?m82fYGM0xkjC7F8&;veluJnr6Hrx8`l65cPKi zL=F@SR!)>Y4emK!(WXsV%qon1sYV1W_$)>B3N%y9VyV)qid_eKTHHR?A4H>3N-{~G z-DPBR=)TrAEmj{0$YRN;NIO(bvWk5+DBxed_i?94^`s^iE$t{sy!2(gY^e3eACFPC zorTu04a}rKB>J~X(^`cLOfv2KZ2*KeD2@>7&Sp~1{BlgrFY=j<(QP15TG?Ubp+~P; zt@OWeiSG^JZRzt)B$;_mEs9IzEHGD zD%pvy2;Wp`SQ)mZYS$%v$uNe*Bq{kdAR`Ez3)XzKH{lvIYSl`8 
z*fYOQe+f1{KX*7z|DB8Ny9Oo9^#A!x{{w#e^gj!<-TaLKElB;hqMjU9r%RYMGC*YN zMPnk0?KEuo`2rc`iwK;zgE4N&xMA=Hs2g_6k;cU+_DO~|dU?GB23?|GNEI2e4!HSY z2}*UfQV&9l&3sF>s?M<08#mN^-OHnOs|`_^1l$j$HaF(0QZ88-rU!Jv5M(>{8wr3A zrBYFWIJ{dM;We}`l*5GEu>4Xljhwt9y(Ot3v>k zvh{ooD(FSNSQbTlY>8zPAG7&VcGxB@jP2E`Ijdk1X|9V|4M-o_Jx^;?v(>g?Dv|(X zDz&0o(8g_93vvlA8LKgx#L-l3I{p^tusTz&Dt?G?__#UFK~&Q(6^4;)l?*(J(`5r7 z3Um%hR`U78f9ZenJlp&-{SWw={%8K&`0Dx}hAR96EBdcx4*a9`Cr_}P9tw4QG?_@g z*^sNGP`8t*s;R_E$8(Enr3cc}mCyy-rFI_z8j(5nJ5J1SanVvSd(ar=GF-!g`H@c8 zSX|YdxSPoL3wqE}#0HF{W%mcoJ5JF6w7h zyGd1oN?e5tM3jZmFgj46a4z+Dxya z4h14XH)_1w5eNM)fe6s3)RB}@Lxcvffp*8b44|E=R%}y=M#C62U@g=%WI6_IQti_d zV>-{XEio;$h;b=FRcodurYE#V4H{Gxw*$jsGk|HreOnwy#f}ytVit^TiLVK*hRfw7 z)n^^C!*ez@qy3rTJu|##hWE_yo*CZrf7f6l1uc~P2cOCReG~S1{`2PM8}Iy|=RY`{ zLP!w(qx#`;6FG5kuV7%B=L3l&lUS!vE^;jBFA&>$v$(L*?an(6_=fp zc$_`?)miWT=G=EKy!npi<@cO=<@cA_DYfzCPh7hECWoJt+<5kD^mUtF;9pHGm>OZAh-?uh)>yRUM1cB5I++)WnW zu&^?}%L+$&#!c&ObjSW{|6acayZE8Zo-lIm#)bE9+REPGkGnsxOkm&SzE53}e*WR| z8q3@__sJ{Pd`;i`u#J|o|G4ia-(Qs2b=S+*TDx<{Waqh?pRi@_z6aMmYoq2oki6{j z!!BH8Wk0^-=8vA8z3;yFF23(sKYs1?chC=ZX>Y&CGC#nw_a1WgUzB?fxN7ZH^mOK^ zBUWDP&;M5bv*XRN2PEz92M{yhIGdDgqiPmYs+ zb9_&wmOAkS?V!z9{`JGBpDCS!p7qLJ+ocZMamDLaS@rmHj@n=@zX*L52;N9OJ6Qky z$`8?B$?NXvF2-!j=x@Am+nXzA%9p+L%T=y>UiyEko7qdUQW}{n?8!yn!8}CFHIcn*bM#!}*J$C+2 zzXz>B&APO8&6#W6zs+xNUF|1nmAw81>m}r-E95I5|L&|+e)`UX?g_uys59@J;yJ_o zJx}a^{>DGa-&kPBN-d zp)Efn<{A+Wf>p6(C9R==*(w^j?E#>AZgs3Ey4hE&R)+vH)6+pHqPcRm2Ad>Nt`hBW zTPrqkE0qFq(Vq3w?vLWUm} ze7vM5cr$O01{GZ`Q<`ToR=u7WG>Nndw}AeT8h$5l0_1u+WKU+Z=hL9Rvp(15{Kr<#rEsOABFwvSnM5s#s4V;Hyiz(DwJG0)eO zyjoUE!%VZ6cT-q;jL3eGhFZbUsZQvY&`?l%NRd?_TLZavH&f!f6VWUT;YztN3erk2 zNa6#=geDc=nD`?lKj=q7O{=>Vk#{kLXkh__`kh(}AiAh+Wh%}nFAkJ?4Q?X|t=k}i zwqynrXr6A>FuCIQrW2*=IyhO13x2ZFaVFb6r2bnzB+3?vG{@~KFzLr>-2>}w z1b5N_-)5BIP$IYnQE9Z=nG%&6M=i<8j9__CrQ3#)%7kRy99HQ`b<|5XD4-Hn{CX+O zq#-wqx?a)Xhh(7)RtR&F>bIM2gV4QxhifCrOx%P*5`l7NmuN(Cu~g8JF$AOtL|`Qm z844+?*t7e=7{vIn!%3}NBb(6isA*MVE;mqnz1W-N@;2Y65}Y0M&5FQcwK~8?Y&AxU 
zLec8iQGGnY9gwb$rI@QS)A#T2n3=;h9jCc=ODPaIhv=25+a@B?9kvrN>jCi4uhkW$ zo)*1`wR2vIv%RL}f`*u-3x$H3%(X;S9p=(Vx8f;DD5*~9eiY+XLl~92i5wug5p25Y zu~h;;<39tQGrz3=PxUkYBU?28mHE$nvCx-kg@Au57W!}c0a@WB3+TD1j0|97n9cM# zjCaa@+)EVAIFZ*P9pegO3KB}5oF-^fHlh-zgm{l-1+c5cisy)Rpc=thGa%}%PO?4h zbupC(Pl?uCf!=V?33wsAMaLOhvtwwW5U`GCx!!?J^>LtxPFx0q(5C&`Lm z&-DAfGMAJQ6&g3{Xsp!@r2_S=p2~t5F4yX0<%U~JjflSBJ3eY884Vcv`4OHo>{P8v zl#&T^EY8598CWy}i)LWa3@n;~MgOY|CQ|Ui$bYbz`aj=@eUAUUw9=;<2v27=2&2f?;XjwZua(w!w|n8X%+X6Pmwx;QH|=u9Ew}&f9e|m& z<$kw(`0y5z@trHT`>xn|@ThHn_PzI>KkCZh{IOB-tw-+$?qT1utB;)vCK5b@=sHUj;ug+;~M})-l(vDQuZMTZJBc zH7u|A-9PTP+;XMvb|?OIgDpGBm-qPi_)R9^RU1EX-X4whZ+zSI`%gU%T)dWXqko9; z^yWLB;_kHP@`t{?!&bGQ&3${R+Np0p^YJ~$4K}atx7*EId}qmPZa7ihbWSb&(fJ2% zv*P{-TwBZh{F*~|z9f0wpWN5yY`f$354rlhpIlU5x%$H;Pk4{1U$Wxq+usHss@;3d zL;qI(v%Rzb`m-*+_qsV3jIMjDcH-W1Zr$pHBcD3{hvw^xlDj&;|HD4{4-{=hly3nJ)CD&i&+*6WQmsfi9n!yIIh!@SfbKN_J zzdih-v(M=6_Vl5n{nnp*(xS^Parq{T=9jzfp+_#t{u%t;<@;}-z=J35edI4MUAf|2 zJ@~-RWfwd#`1r|>H*TF1_C@ReQ~&=T=0C{i`~P4w z{Qn!Ve}VtF6kgK4wEo+|%YOv9iF~4iVW-G8 zT2`p?4FUl(JUVVkKmn=gjN+$~q}c0qBVV<9?Q*`1)@9gk*Fq@KDbbwP=VU3t8EK29 zh6W}JtP&7CtBNv7K!Wj<$$>`6m<-igRaElH6y2L-nY5YFBgv`ilG;yA2(T|H1D_E( zQmA)1DC=s;Iy!19K%X8Jd%QewiVYQ4$`ia+wvd^SX+-g`up1Q& zqA87>N^LSyi%t-<0|4|49&UGsp{0`qR&HXwNg#P>ZGwSm32GZMgqBALiGjZ7CB_4& z>5MyN7nI1p?uNGG19ZAAL3o2SNV?bYT|dEiVb{q8s#Fd7TEhx>m5NGTzUXwEaEp_=Q~BUxuF9UD^zLKd)cfn^Lm*P;!l7OP1!%}|OdjM=iAA2kq&cc5HN`$2(paE=2G+yo#itdDD*W|71u?b^UenhB%D>Jx*xNRP=qnP<5V1=Z4j zP6ZR%OsShdxlGFKamA+W#)O$~z(Ju{Hr0#{fb_6{Vi+E=bXyXJii4#}-A=6%CR=?a zlNZ}1xaO;<;L}{lbc7V=>F$WG6(y94RI^zEYAxE+;R;u@l4Y`+^9o)t@T*e~MVHhY)Y|_=-F){tnE17f^NF_%>)rA}{ z2~i2RTpBpN794RDSpiiZL`!IF6bIg5Qe%4ASTC|-#c0FzPDR%U#jO|~&@WnA!jCd)PRj#im;OIp^Y%2s;Pt^#$do~N*w zhsV-5_Pbos@Tyg!rx4?U5DvRN1;(1Ku8E7H$p&mXqZz$aVu1F;aO{*2kppnoC(%5Ghr>QS`WaL5)UrD?=8XSm(s7g-B|y=)|QY)9DA0O(w$`P0$SHnZZ0Wm}ds_ z%wV4XBR0Rn)3WkN@-hhd>AtCE)2E_!an1>L2(IwlMG?42DzF zYeLAc!+&ni6F)fiobxwX?68lK)@sjKhX7~%l~{Yf(@)=PR^f+l?YG~DyTupnalrN8 
zThyJbGOw}sBIaU0Z(OD|4u*1z=1(0g>Hqeo=kBk-sr;JQ>gzpW-hSG-7ye;|xz}#A z<~kc`vtKC4xDKVD<;wazHt^gdkHGDlx%kJ6ym<6Sl_izMAX zt3JEs?{@!S-u)kLF1=C>R?oJ2TM@g?UGARlPHQfC$%>maetF`S7huu-hun5K_S^}n z8?F(g32?^p+c)3ZwGF*+d^C7t*5%Nt=kA0@81SM`{+ zHv4$!K(AToqvADHp$nPed49#j<{=C_Q351dp)>4^1v0>|7`uM&m!+%oZRTp z3;+E3?9*00{H48*KY`o!i`M_A{(s@C|Ax=_|8Kiz$qt5X9zHa7!I{UDT_DI zp=8vkR6Z<%Oi3NOi%Y~eTnwJW)(;+ZrfFyXiI?@byn9QZ&Q3gOw!qD7Gb&w-5 zGG*(M=2R=Gd<_X)q}?XHDk6G0XV}jV3Z?e^l$eyPPHMI0IFFc#m}>(~xDrILU`<9u zHST3PCY|mVplZkLB_~K9!}UPdtODHZnbTktY||a142Oi3#W)6SryUIF6?xci)})x@ zhtoN#cTL1}0y*0#Qz~8PaNS9>j}pyfa?nUrvsfwc*b0s&#!wlj6>O{n?Sug5i%Hhz zOGQrt5sT`3y+)##Z23e-^>s|c5_YLrX`y|c^0EpvG)A4ss3kicJ>3#Y010{4*VO+M zpm9&g_Il+WMk?)gtOUrQlJ1ma6G6Q}TMY{(%go`;z^V1sAehFEp6++*a06{AkOw&Z zKI`M)D3$PR(V2{e1ebArUNiV)nrf(6)F6gooS>l|MNLoe38kpQijZMzoeV6?Wdo=s zvQ&fZ8mitA#|TMubDUViOqRh=Y1j`6C8l91eG>F=so)}_oKw?X!}GdWQde#(&^%AOBgP?dEU%CteW!PtkRp ziP8~l3a~4jRFQghgfj{jTCBDqu)~K)rKPtku_6M`C^gauX8|3^IU63`->_ z&+5B+8xZJbyTwv1hlSe)sj+b}N{S7FrfQa%N6UOpC{!!~wbO-hFUe|BUY9GGVc2LT zyXBy241iQPhSNCi3guLkHPfj=)6l?X6G75lxItwrNNG?E5GNDl3hi!N<`ZBZ$}3tJ zlsplO1q&EY{cx@u8)3G6;ZqbxO9LmS7 zfs=I8opBCe;$)h}Kr~t7|EKG}S=3-Y|49=6ef>9=6T?v?k9!kIOHQ0h0QC$w=c&a4 zs*8~lwc3z27R(UQ!XnQ)7QkwDKch7!hF{chj)2FRnwU$5nvp}XP?y0q9jOQvTcF{*ikGHK z7%#QKC~lRcwAGAAP*gp?I|5W+Xk^GbTIzI2rO^?HWIa~v$r9t{NVi+735+VohBGP* znmnYoyP|{kP{f5TM8iY~#eqtN7`ybKCgt%cJxLAw{O(HXBEaXNAGKJZ_D|Gnj(S^cB!*S!3+KN2fCVh;Mr z?0cc_UhP55(hnW*=5J2e=e^*DbM}y4Tf)2W+?NhKZi_7rFP`!G;;aAR^5hzu?Qrm6 zPcL^&xXSBw>u0C$zQQw$&3$tH{g*!=I)B^u9w2W0&YypCzqrEelb?U%#+9!~tuF*G z{9F0Y5_c}~&Kve$PMI_7oGowXl+jWb`_JvY<4fbi=!5RM_oVG!{@#Q9@~Q2f-tFMs zcfa+#V@}kbBi6ZX&0-W@q?30(wy=vSP4rvV$4`Egx_Q4H4#UoV{n!uQ+3UL9PxZ6mJ?9>J>zsb#`|GV!x$gsP$%%OI zX&a&9cG;8s)a=x$%k22t8fU-#_Q|_FcjC6pcURxGu+&+{ud>ziH||V4RXB${=(c-* zf!;Is)bsy(%AGsx!0z$n@~=I)!d!6CC3kx4w1+P+dsmZZKKsn_dx`6gC{L2 zz5ML;FLtx*{OEOggGXPRvkEi-wQ`fuor|NkcJ zU*SJ8nuE&Uy8b^%iOHn|SxgBri+pANBYa{1pVqgJ|Jb1*^DrOhrhmi*P?fxhW+jcK;ZO{3bm}GLCrAj$f<|g^7;doZ6?qzb_AT?%Ntx+z? 
zHTYy9u1wOB3^fxd2y`XePE~lN#y3NzH$r1EN}G5IEOqoq_BB)}xB3BwCaEAQC#&sp zp&n*Iq!u)F(`%_t8)*BwO;WCtZkOwFp-N~{*e1MAUachkI*XAW9r4w+P88}@&u+R| zJ3;r8c{*E5b>vQGhyl8UkGrGDMTsV3I|#;>p9}r!lI21!kgTth*)FxSz zC}mk0CBzYzAv7Oq*6IO&XyIXoOG7t+vfECB@L1 zLPIUl=}xJZK#gQkD7EYOz=ajjaE6X426cxWFuXwOat=?NFaiq z*1FcD8c;$e>S1&Y676KQQ5PUmxx{ZX z|5=dj=D+xlups?^a#k0&F{e>&D?q;7!zHyiNcO=ZCJwMftK|v8xG*k9bvH;PYW;dD zD(6bQuH8}8pvZLSK!Tbw*Qx7DF(d(e#4u(*rpv=|PYtVXtn|rjZjiz_IYXskefoZO zmPqDutz4H?hnAi;sx2^S7kdmrhm|fsHGJs>ofasp-6f`B11Uh}ZCZ^cfw9-)`IV=$6a*&ZIqCbS4Nl2KL z>Bow>9+*_~cpNKbbd*VltVPyDuWD>>)}0+~yJLXS_SYgz^i+T~n5-4sE(KsCr5!)idT zZ3>Ltu+XS)R@-d4E7n7yoK*dhImBYIo==fkI>dsA$kdJDC|y(r8g56qQHp7H5W5fX z^-I z4aYrDd8S(g>!W?wt|qFl?vK1E-?#p6FL=UzLM^0RGsdi_!Q3~+(ad{@85O~Q~cmJTmJf|z@0ZA-`wN+%9?Mk!~L3n`1y;;wR(3Q`tru-9r)|} z4!iW{8~*<1Ki}b}>(FceVfWsaXRY4e!rpo7@2s`Tlc-0Zy!u-Y|9RIR#*cse+E2OV z-#_J&=T?7NBKO+u(sMRy&)pY3@rvy)eRVSydSo3G{?#LIT)VAu3DdgI{G#>$ssCU2 z>c7qO|M_O@U*SJ`t0Pcf^5yh}m;aywLm|9n$Gp{qzB>Q;!u~(sM*af{77GbX4iRK? zLHUoeApED%w?omYbiy=;j*wiD20G)|qiS`u*M?iU0#CW=u?pHHt>qDF*(&&9X5_Sb zX{(Xx57TI@)UpLx7lt-b8VNe3KI@LG11pu1vN#2}^Eq4SLZ@_9`kSD~_BcVH-= zs{|BE>P-yCE4B{vv^hvj@|_+cnm|4)C3QWHd-iye777xdlfuC1YQ8jJl#!JYiYnfT z$mullXudU&QfV?dK4tkus}5NteyzM zvWd&g7y)Z?Qp~DJu;0^*mgWhzR|G&Y+3~GrZ9paAJc{+96lSQR1d<7LIvXt&!lSRq+TIolSn4nXy|2plq!eiZc-Zx zhS`Bpm0+MKNaS)loc7pB8Zs-P(UkM~T8je#7Oz*cMq)@S2-+Uihiw-X36On^Lz?#O)>;IX%DhJK1=np)G*cIVfu`lP3%-Nq7H0_TD?(aq{T@riCI{2%(o{si8PQU6u$< zmSnl8SeD#GwPjn9tzyfvEsMUP*FXq?B=p{UCxi}xEG+~GC1L43K!6bH&kGO9lK^kn zkcaZ-%pb?sbuHz@9WIKca!JYeQxaTEkI@KFI$EtAczwEs+cuwN-BG2WiN=4p|C^@^RW~`K z|M{5zpx-?HvrysY@BC+B=KtgqR7IZNq1+$W9LUE-E8{(OSSXFzoK)(0tlBQo zHL8({S;I2mq-8hCeBcLkJF22h(iu15z!Ulnpell1Ld^D2lg{w`(9O9FouN6s>GgGs z>*Tc}ovW6*TnHxdK`S2&id-^T59BUG8deP+0_B=c(WaLzmBs(-{%`-N|5>R1Z%sIk zT1tkO6>NkkW4bU-sPdqap)m;qoPm*S3_IhZlu7m=B{%BG`6xZy)cB0F{2Xp#fG)luvYs)0?G8Umv-lz>eqpvz#M&l)^bROy<_2PjfP^fIPe-D(k2 z&|HEGt!^Wg$u#l4&he$BIfHp-FwYF;nZZ0Wm}ds_{C5~aqQuvd|6nuqzc0f+$$w70 
zEeCz&{0D>3B#e^;MZ%wh{}BJgf5@+%|6maQ;nqem^o#JHdl#*ryu|EH_uiq`Y6MGe zariUOHqNA;T}(LP)dPQWf^;dwFIo`2!A>(;-2g{?Q+ z_KMq|67{{82QU6Hw#PlYUUc@q#edHE_9BaZ8vnu2L!R2{*Bcvqta4ZBMeV|~j@>!y z&L?)6_t@>TuGoHb^y7oKA6xB-r#ox?V5iNl1UB3TdUcacmna?ZqaUua?0dWI@knE( zEq{FGuii$$O8w85Nb#}1Ju1+*|I|;5KU|~o(q#wN_?Mr`vGX#u6}FgV+yfE*8qPhJuKmUe7r;LR>T|&M za(AwMowv$1^WY`tFS1ttmG#y>`3!pg8pp1@{Li*JXx2}^^KjI^{Cfw7hZB2tpZxth zsRu!F?LF!TU;oQY_1D6$va@F&ZES(AfxS=WZdmLd=BcfZd4A~)H+{5x{N$O=3;k7} zXV2NW@M-7&Bme)^@*fz&XZpW=MfUITAJ1m0sZaYy)UPxDQO2T{jU>%LWVZG%2Xg2E>#SxA?Sg@N z-4d*n6;2(GI$+ClEF2NjngW?YY;bib3sH1rR&3WUvfXY_~WE~)vHT+&7-RUTN zG3)c0wmK*!GnQkgbVEx)O%u`GX1SSR^iVKlX zXfzcMEGfx?i}G?z`AGtq3@C62W;$-UVoVo}0e;URn41M3anYK$+At z&2d79>?%3nEQ=W`5>~}UuHTm>Eldye4(?0hfQBhpCp;Qryw9M2g1PCqCrDufY23U zqFZQErHE|?5UkkUWQYDD{ohzoowlp3yvkM{4qD66P!-&*hq@c})QnRF5e6KcNBq?|e-$8C(a_(TF^yLF=3NXw$!DJXuHpkRuJ*uI+Q)5Bb{ zFkl2R(j~UfTbUBj>r|p9io~3(I+0B_wZ3MA0j>4o4%o5tFj_^kx*{;1H*q;3$o7p~ zEEUvI(Bi>CcD@iyAZz3%A_}5A z>M-j0aI27?_;63vGwQIyb96VaXXGa16ojrPm^zTR6IE|e$mGKW5*Rr$u5?RfIHl zbnvi3(FtMDR=@W$jt5Xy(M%X0Pa;;8^%PaM?6*y5NmbjLr z_R@4+jxaeK#Yh(s>UKQ9s2mL?QwZHnJGCg`lv^?YdY;2#;n*EAZ9P;o`J@CU`zqTQ z_N;olTbHet;R}^UR#FyBrGhMPR5Qz7x16n1V6fl-9zt7{auG|7Gqfo2nG6$%4JR|` z)tE{=)3$8}(aa#48ALOKXl4-2jD2xKNHqDi%Y+dh;(|1O7w8Q$vX) z{yF$h@}Kw*^)=u>Fq}+M1c5BLfq$R>Tzy84dwZ1~-#dNh<4zdlYX=|mz_a08=%Hxi zb$@@xNqZcd+F;IRN1S>~_T)$99QgXGoe`}vech@#tOgPexu0C`a#3d85B~K24G-ebCBw!6H=Mu6 zL9Z_|dXqer+4i^0P0PGvH_pMO6>(vcA z^^4-}f0X}hec5$)%-->eJ5Ji*jkoT5Y_ng@JK~m8wx9Fnu0J^a7cYM2f(_@^uetE0 zZuX_8F3Z**Dcqg7?&j!@HLiX3=(o=P-bJTx^?d)98@63__xRN7-ow{B2z_{|wU&Ko z?&-Z7u;l=N(F1q?{_fE7& zUw?^JU!jk0eel5s=|kqMv+@-euYO#9NnydqKVFzPIQjou|&8H~X(E?e);Um-5kBH{f&kzw(y1 zZ#$vA;+l&uKiQ^n`BnM7Pg#Ha6HZF)lG$Rn7nWaRub&*b=~>iDkKOob=l>)B{}t4oV3_NnuKzKQ$?nK8pUhEQa0--e=XiznprYvg$w`YZT6xUr;676^8XcA$)yfpCqi9s) z(qpX}Cp|9{C7PIEP|d0|N(Fd<^z=ZBdSk$8wNgIWYt6n8f2d$;@tpw9*ms@gL4V$RMqWL7ywrlm2p!NnJIf%=#jAqkfGQmx9u{rJ= zBBXZU=_dpGb~)^H_?pSsm9mj6Rq6tr)gy)i2y@VGA#so}t#TF=y<$RYdn1GFDC3e? 
zPBZ?Zk-t6V1N9D^gkcg z^oRC8xY&R&z0Yc~`QKHP{KoR1g$Xx*=RXTG|0i3rpg!f=aH|E7c&n+VMKwud2$h35 z-i^~KBErXRHc{z8EwAtDT21hWx#Fmo>8G4lXn?To6}+Gj1iA$fZlUS*+7+7a=sj0X zb`WKNDnljHh`4DOKx%5rE+W<>VRbuXUh_TEiHhY;nILSL$}Zmb@igKGMXQ?abvt3DL)#S~$$DMAD*NT0f|toj z(wCZ?*#(VEL&&r%)n?zpxCp`}*GH@4v7(8p3Gm=NF^Pk!3=r{F`L4f zDx+6>;~Jf3%7UJ8MWHrmWd*a7g3_J3i5G=tz0C$ziN=aStuv6)faHt`RPh^$^xyP9 zDUl^Vi~kHh*8k)*y5mnHDv-gl&BlU#UXex(Pl60L-J6EiSa5SrGcygbUU6Vd@J<7P zKGjbHAAYV3TwzotpH;XV&yPyg2%QkBZ*>A*O-!hP<{2G?YFCr8DeyIr67kNsPjZp1 z3@HGm(jlS~8tpG-Hc=SpOrxmi&j9 zssDW$_DTNp;yb|IUp@bUaSWp|*5!GFlFBmW^N3`dA0M1B$ebMZ3Ky?NB4bn)zWnT$Dq$t|xvy*Dv8rV z#+~QBf5J&?R|>EEb(8ctD_``jb>X>l{SC{Dtvze=Z8Yn>_4Yg9g{7dzK_~7xf0by1 zMR!en@cR{3+hB>kpL2h-%S#*lNBPgTtF7|Rtskt|nRE5h54@Pg*o)AMR~9yV>4?*| z`QGUVo$-hHn?LlEQ_5@1ed%iTw)1ZL^_r!_-du98EiYL6H#^_=*bZ}+J^z~Ht{A^^ z`L{2-Y~>#u_EdU}Ym~(neR%#~*<0o`HhXUSIreLpzwqK|7bMbyb#7SqiKm~u=$IYP zKKWUqQM_o+c;9Dd-d=QySQxnYSI7vy@0_7qBi=+c1HlRa$E(;}jZ4;4}Ynl@u=*09i4S-VL! zlt~9kLLQA5Wvbe8_*R0Enjx7R^jJ&w3QdtoY6=xNI#L)wBeqco>LVsqqVtOF@O*8U zX@J#OD@-OrKBRPr?ODY{GU1YR1M9gCCc(9!UamkbIWbXkK{)6NfG(pAJ~e$(7!(|C zl9BtkD)^NuqoG5vSwrZiE?OMY%}A*X4wr|d+=5ej6VCS0@yPYFO`xdgMX1)T4O(qB zrMJuy4plfDPiuluERvKvl#PB(o|IL*0mE%alGAn1VL3%dupW`l^#Q6NjlLNFVN0&k z$%$&&GBrq>o`-;8RfDk$dfYZp(gf{9vWQUWUT=^oCn^wPvlEh%QXLYb;6w!QWEJXB zT29B73G?B+Sw@1r-=d)><&pOlahQK*{Vdh-ejV#|gYi2BQ|>bsfmj z_Q+GS6);E)&)N!y{5mx~QrWGa6W z^M7)(MA)9$NHu*R7ht6%GvxXuINQ~8p`1^7c9{!7$?iD;=+NmpWD|X^meG7M$Sbbs zNabualp-y#P&5nB{HQaobgcHE>8Luw!bQJb8nBhBToN(ev`BsuigY=HH2I8J(MT}e z8&~XZPk}+Z5_c(}W18ip1T~{1T_ts8oTW^ASnc${JgdmTunpBoS}jcfxX=;^OamvA zNw?bzxDz$l$e|6PmV^yo zZ6On-o=EfX2+Sfto-SbZsybl`<)&L7ctkZxh1F4|oeS9lI7p^Ri;?SzBoc&lGKiWZ z(gJfPL`=*)%CqbUAi9Y_!}MGN?tZNQ8Ho(^S^TH|G5=Yx;e3T01E1{orhKM9rc>T1 z%lU06=QYFJh(kmO0^%$)Rx^q|)&k0*yIo;S;h@0VdK{Jn zN2yCprk|!9Ps><29{@2MPlRk^>~y@T=d>gv#w={aRGP3B>6J=NZsnX_7ixi$rG>Pn zv}%SEQJm5idOf5l0YN9qBV9DF4w@QA$^qq3MwX;Aqe4e=R6=g}Qk@-{av92s&3wDl zjXU)T-YGy}gO_!<0PtbtM}*od+17~56RyvDsYXt2@hPx1U1Kjcp?a$b4X5F<&>Ql4 
zz9#olW~*Zj%|sVZkbslvK*e&Rnn5dSyR1W=*acG~!^l-@2`y~9^+|sm>RuM@rbnYj z4P&Z=Ww%p-!ID8CqZvT!|GVHg!+B;n&kX08;XE^(XNL3q*Be5j)Yp>#BxmY>Uxs~x z|2#Wum33eF8t@;ALSO_T3Fve1AL<|Y4+cSB1O9^`C<;Raj(#Ei&oOJSdEs7}rB-ju zdid54cE0n*++A-x@u#DoUH@}}ncFQA9 zUi~2|d-FZF{`k^$9ucm1&p&hHyKa7j%&a^_ol|h7Vb^Wrbj*%z+qT`YZQJSC=-9Sx zbZpzU-PyrD`F@?7r)uBts!{75Yt3nKk2bf-kZ#a^@$ni=SoZq0ohZ0|7MtR*#ouz9 zXU}_Lex4y=7roQ4jH{UEr)dt(ZBhGrgWY#ZxIy1B(5p!2@uY`jclWj6!T%Ees^D+4 zjmFV^({E;xvbk%XPHL-ICh0s)C-T+)=2# zs(p*|_`u=3?HN2gS?+tEJo`Ef9W>wuB0YWh?RehI-m!ZSIsyp~{mk)OJ|nwOnjCh3 zUAyjzTV6ZLiUfTtkhgd>8#XDcUcN~k;d=A!XrGe?<~@8e?i#xuRib@;f}N-LkMSoj zhjB9591(3^w;={=yn>+ouL`~?{s8R0x0|?)ZdsMdTkmW7@EhQO!X4DK#~2Bv1p9vRz8lF#ezxg3 zDomAZ;SKwhQjw-;GSf=rpYRBDZZzu!1K~x=_)xa3x)IPglZZe3elxq*WX!?Q4pJ9+4Cxyq-D$6Xhap~*b~cR2ac#O`16w0<5>7FxS`)Y z9)lZea5Cd(+- zX%OA0+-f*ZXy_YFna2fl!q3_&ca!TMrhA>DYg4Ua`upDP&`Y+^X{e4W;~R8rf!0)t zBSnbl&FmeAW+Dn4rELh(`n|tJrZJL8S)7=!TSu*Dm2-?zKy+DeFbkPtmi_5rN-yjZ zoZ)meNa?#+tq`v<;$rtpL0^6ui7_V+LlZ|P5$R8wMR&b)iu@M%0ATgwhd{nb70cKk{bIcp;gcn+D!97OUyoKFi0N{zMU!f7`2j|Ml+QXB)A5{Xt9Na z*O8iGofS%xuu+*n<{3XW{;k!vTspcXdD**N1&D3(uxsU%z4 zBOCh+yK(N?5tl$=*k{{BH&`ux(bXjJ3h+0#E(n#9$h=&1Zy`7fqD;oY z_B+lmR%Gn&1V6=RhmY_QGXv}ZHlSqTIpkx&6w)cs7vtRsYKv%o6>4GZvfP&uk9mA9 z=0Zr8AuEzY;D?gBEiO2&8P7t! 
z6TctDf4f1L(y7^$>!G$g#ReH=+tVJ+%~A|sAQ!_HY8`4CoGls_l9SR?@dirfM!k22 zqXce(dv}gv^9wsHQIKSKB>2nUQ}qo+SVD@!ITxs@lBkg$fvRxg9_Gp-eH5W?fQCRgAQ2W+QQlv{F5mM> zN#-E2GFeiN&$O7+G|F8MY>$}*cdz;FHbFom^lMBotzxpm)>@~w!58PP!Tsa&ihf!L z;M_-jJypPZRL$lwF2~R7uU*^a)@?U%%p)MQwi(K2H;;ku5)q&J7QfA*>tl5_m2>UA zdPmw~>69b(SHSYF+jCO({5quoxA*It^wafb?dJ~RYQRVKcAQ_*BZ}9ql?quTkQnX!H4E`L;lvT%f;mJC(wKAtF3nM>q+v~j=xuFhnDVHQ8<`{8!csR7dr*M8=7E7w=ro23r^a-Q>*uu(x;Q&)01_NNjrHwaq$I(wfn>Xkia%d;C=7=-BsonXGLa z5uQJsbZ}f4WSlpWUy3dk@PVdPuqfT{!_u zP@mVU0@T2lKhKn~;eyR)pHK05S^=kJidzLO%awiWH+PR5{M0S0y@%t}JE+hf_hAS# z>%c~fw2gPq+e91A?JylEaiDj?`x=r%_mxXF5a|;Lr2l$L`+yFeS3C>I|4y?_GX~O- z=F(9qKmohBu+6EUtt#?{1J>%yB1zz1_Ol_e;TT( zAI@2&@}?SllQhVX4SWUN8U+9eFvqO|Y%i3ChFouo)Rx&csBM00qK|G#3QF zS;CFU47$-Zq~p6hg$qvBHCdwzCrYPLM zzb@ZJP3Tqv|53JZ;5%M7Z@nPH=KUNp$`b<8Htj9JpkN%TG2q>zRz0@XPKfJ>0c*vl zmAWWhdDU19md>YvK`!OSO)ja~Va`c-Z{L(x0^h7{RsjJ)o6fw~DZ;ScBqe~Z1uOD{ zZF7E8q5Z>@%^76zfi`Z}R7~RQG{a#+?$7cP>xr&33F*GNH8cvzBh`Sc=WrBS2 z!4x*~6P0r?NHKT5kT7$VIdNg)$rmA*1ei+>trTmIC@fY9&!$pwdFonb_wndo*I{ZL zJo38?EwZo%P+Sn`+QWZtu=_!#jt$Y1s=YA_qIzvqmHji}4*o0=NXSdA=yYUSDbmoJ zfk?}YH>ojjgGC*lhnLP#3uf9=#WMJ+`hGAS9;@I?Gf*jfx%dTP2dL)d|15<{e!x~H z$w^4-B49iWHcujek8M|7&>bILRNb{QlE(|cMN9g{bl*L|u%}x{W-t(199Hc3y%v8T9rlkFKB6oPBuyyMpx_(DD}4auP`r;-?lYfZul?m5cjyHZ~5g}X9ZtgauPqh1iq2!#119;sWPuF3C# z_Cp)posa_sLF|`*jC1eu`uU$3N5KA`gP_%kY0CfsItB&3%Oloxr1us&E(Y83xAadT zxI=SE^#(z(it|IqT8L(~PS%KP2$D0>LKVp%bDqNGTJ30?NcF-*s|&PJu+->>`h10I zbginQVdoxo{1nO9`T{2q@Hd`sDPllwRI-SnR4gm6t>2X#P1P%hg@`>Vv2G{Xqj|>G zV=it+qm)CtNWbNh2n&5j+Lu8<6zim$0#+7AzxP;i^<-;Pm|VL@3=`_Bomy6)M8`^E z`K*eTe4kqBDF)iMK*uDtKA0HD0%yu4GjLufu3W=Wv>p`-wVpawXEKD?0G_6d?fwL?UCWiv-c4X|`e7tIbTmebZJ5nS;Z>5Leq<3& z5kXF_uikaDdC#Z@jF&wG2glM$rAltlRswIOG|NV~-R?n|u6?0g`Bdc3jRi=U8pa1j zgnVCA1w>NC-U=Iq$JhPbUaLO6h&MYlJBBWN!9aYDz#X-|pauLq8QSSD-8K|*?4PXB zk?O@6!F0#57X&OQSXqN;u3D3$KYw4D=n9nq_#N{NJ8V@PgQAv0rf!5Lk(jCYu}GjG zVS>d7t24U`D~}BME|9`VnN;-H9YEx5LPDFhEeFbV7aJ8Aa(VWoD+Lb#gCR*TNo0A1 
zWEp^nbHsCN=3EH-SctB2H18U3*%>ed8dPr+n>C!0{Yw59W3@R{)pg6tki2X>V&6rZ`NSN;c?_6{`T8O3*aR74s(}OM9Shxpv7-@k6^Q@`qG*APmx#vlsJCnW?7M#~i{@-D?waeoEl zVX~vLCR>HEOe>XQPq2w*m{Tosu3@Oo_Qe4ReI||ygC2vPFX(OWOW9t;uHA>!`Hh)^zV+^{zF!r;!{|?j-GB4oj9xb}>!iS;(e_RMFu_fI zzxa*rqE&w}0g|TY4V_(^Y+%(;sw~-SfKx|P0AKIz7VbtF-gllU;9Wp!+pWrJ;WIi? zvik0Xn-@Re3pb$K0>;MgTh|LPz3WV7(q;n}J05pB_Zv2-ad-T4Zh+>^epMe5uVCKw z$5Cwp0VLh?W{S2uJjU)O}ql&}y|^I$q3ut^sM&-H(V| zUoAPg+t)Ya+HZul5>qY#Yh4dMHhrD|ZN@8Hy}Pv27j1Rj%P9U4?uV|lT%YyC zQ~WQ&WuR@cwsX(q?C$;5Ccaw-p~KOQ&-H-?p`(t?IeuJ#eJDEz-{W5ohH|~`SC-R{ zCnQGrzNS3?;i&s-jh@D*bx8!yb)$x1MBT@hvRBW~6w630Ov0BD$HVXsqM8~1j;AikNuQktiPx>NWW8BI z>`yq?iJy$eY1{#$SJbn&&O)HOUaRaJRaZuw9NZTgSv?Y1IMajH`Z+4U*%7JAmixkK+J8WkEFhoD)Jf&LIES_NoON+y7aZ`#B2~7FY+y z{x$yqrWpalzD8%8BfQUX%f63&isXNds$P`(d zqfMNX8`)VStxQQJn^b`i`<1vRxX}b62RVpF&izfKj;)N6n`I+KG-<;9 z8R5cl@J_EYOu%=;!zA8SU0?9-@wYIN)dY8B!C(uFQkQfW61cSFQJDi<2H z`$^33eA@e?vy17oG&b_@Eu1YyjwKIMQa0e0>8>+JMea~R=BtW~V}57HlgpZH4oagQ zk9x_hqG74lyQFlY=^*AMX!24}Mb4t3n^6{-oBd8uO&$;&AjF zk4k%F2@V<4$OZzmI7Y(D zFY81iSW&P#nOf?nmMfwIPndiB;>uK(q)5`|DpR_ccX)LaC{6nVHx?A@jb!enGC~s> zVqw~C_-v7tN1yc2_@Y8gy;W1`#$lfvj~GQ|^`JMg~AEM2iO!mATGfgvhrtjD0W z*6+_TD@r}q<7Y$mGdQcqJQfL3JVG%>fw|~mfOh1fB#BPmxHmj1?X9yPPhb(zo#I*SMj*K>I2biy%Yb+*vHA4UIY`_jd)>EKuPad zx_i!IsYb_^XVA16Yd9O0ry0xRLMA53VZ2y_Q!%3G8swmN^+cs9Vo-rvp|F*6%jeF( z6gg3@y6ZsdVM!`wMM>ir^?VfnX8V0^fE82}v9FrLo+Yj9NOP`Sl_yu0Al)%7gXXm$ zywz#}^=7Z$Z$h)ms%k|w!CkMnDg-5E_V2`yO=LP7`3Sz@*Q{je5Cw(N4o1*#8P`~u zXof*5hiHTZJIAqd2MkZ%#Lt4UR}yOgfoW!L60XNTC#|P)RJ1*DIcqs2c2&YkaXp)i zSSVDAeWeT(xM{;|>=@QyCv&D5_>s3dwveH{|HycA0MM8ETh=#ie{Wd6EI$&WQ(#O1 zrH$84_XO_*?+O3e{0&gT3s1y~=^tkt2(U-xu*PrxBzPzMRx4q-8)xs#&ja2FQ7xCLROUDo^ zqr+2p9*qY>pl;jcC+CjDw#&K8t^Jap=fi}%2Y=&K=cC1S_i?}Cl;3ktR^{!kkDhh- znMoVFIF8157QQ_U5Sye6ePCL-PuLHHi|5gy+?7Hh%|&@T1-3#KR${P1$WWydK{G*WY5)BEe*53y^wx zvrhBu`Gu5q^8jd)wQ~jzZ|(`Mojs_<6$g0k79}^0b_0f^>HOvmX0`x(dW%)ScE6Vg zpPY}cEEh!Gd%Dvg!aLlV4Y6K}l}%aO;2bdh@M_1BDm_xVl@DZQ7cUQWB_*{n1^_rf*LdZ%UYu591u3!j^0zdw0u+t=N^H@3eY 
zceXEE#cwt)lfyat_P#LFd`%V1YCRUL(ykGEy}f}jHZQrGS^@1R8e=DU?q7lrKm#XW z+fmsRFwo+^Sd0jyKFK&Z!sP^7kl4UBgB(g_K6t(N3I8vNzqP7lOz}+kV}Mem+V?u0 z?^lR>=B#>hp$Zkmz#1u@pp+DZ67I4Dl^KA3o6UFHs+4?;^$*@+ov|UL%v07h+ae<| zxsvUxjfetEluCF>TF_eYtLOHxOBvkMN z%5LEV*sn`-9%j>hea#&695m!hIgrlqcxTaog~zC2f{{2?_1RKlunn&$xFPU|Hd6xO34F?z^K zXVXMAh(9jMJsK37u3a*FOlPjN&9H1Toh3#1MbXQV{v1?gkTjT%2sAm#BKC9GEYHm( z=+-?Xw%Xi*^^3r3(sg69N{UMJCBIOg* zE?4C3wMMD{M;M|kdl?&Y5lC|KCyixW>MDzVuV+ejiz^)U4bGve}c zOPiH}$u-taL5SfHg&i?;>h~c_H#}JEwGbG~5OZREXE@r}8qn9a!uj(~Y};tQIu!}F zSIM8=Rcg2Kq^^mTPe1VM083RR%kcyy4@vlGNYiZFV3etM4%{^c+Zm6s}*CZoM3hoS;N9Fc2Z59V5I@ zZWa!@W#+S^2`(GTY!_0hHN7SS&M09rlDj6-R8z*yJA;Hz$%=47@cW)fje%W8lldon zIDR4tYK5zJvTKl#YOwo=d)V__lXpi@xHYNv;BcPeDfj@{a2StG%WDlRwH$khX130SfsTbU$v-CNEjZG-XrF-H)xIfe|;nA8ZA z+=-E&Ftwx&5N$dmQeoAl;>q>i4ht=pnSaj7|4=EQn+#Z6Y*AfJ9{b~#BcoBPT|PLT zI(+UXE?$3VeT;sl15J%P&oQC%7Jzm}C!oi%WOFdh0-6;3ok})l(+#QeOWvN5hGW&l zD=59gh`wQRrQJrUHSC|RZ0?QBtP03)c=$S^C1A<6Y$#Mes|sIHCM`SNy;NT>oYA|I z_@dgui_;014HIdx{!qiD#@A1@YxhHJltGv#B>avMXq|MLSWQH8330V#JukVxC(^Of zfFgG%tD<6T{e>`9-*s=JRxxCZ!12U{G`(~UnqE-jz_&AUvdzJ2ruZxav`9;ra?d6 zSc)p>SB5t>oeB(Vaj-}sE{l0rs=a(8&meT~3L_Y4&EOhLH#@}zGhIl+pkKjP_J4W$ zDaTyw8P@-j_rP0tV&)^8@c{F0V;|+02)y#xd*%GPcte5`C6oID0TY1uovwlg6z+xk zfEFDiQ~2}aKJ?#g2DI+S-4Ir9qsnK)j(sHW#DKC6Azz)xammy$?UqQj$5x4AZ|fV< zji#;R$FMD+duoC6gL#?+*W};UD5w0^Tali_RqelG=Y73*PG<`Sm#3zVr{h(mS?$jc za+}SZ6||B(yPkDW9Zp8=I_}Fm=#}=Hai2In^OE55Wd?5Bb1rtjFrVu*jlQoU^0+L{ zozI4^i9>ouz~$YH!kdppZPylD8Qnv)pnlU1^H_(+wji*TQa|Ii?o|l+gsVzZC_vH z$BDwLf!Dw+BX;O0aDlJowMXYx@ZwD?+zzew&n1m)2VE~>-^Nf zkD})jyw3RX@t|QBaBt(1x9-$I^f^^Ke_X@~4kGiUI(R)~ z7ZIH0wmryh^5{f8y(%u@aMteVBV1-TK2M&&_1oRkY;FPf2&?%Ow@>B>B`-gYc`vti z{46OiqSjMN0-XEt>*|6pCL)(*l%7KHlCGPZ$3w-eipil**b;ORdP6c3ypJ`t{HZAh`8>OH}!DMRh&g(_1zag-LY&dy^- zWFf;^FUxP;=?&5aF#nO(=QZ1TC9BC;wWQId=L7}~M2R;m%hrW?)$qzGDzzS$|E(`E zH)2+D$)Cr#b7x$P~tNvLdc}ZBXGMMTMAvq_PtiZ5No93&b%< ztB*@XbADkvEhDL68Jg}TeCjchF4r2iZ(^R#{3fT5va!e!H_tgm^tyJL4d%H$Kir+} 
z1KbQy8fhB+lsiZ?nw?@Z<98r8Udv$a$~adr*luW7WC85TlfVKkHjW4yT6XD}t`v3g z-vo@m>n&?F??YU1(aQL=F0rbU&z1I#Wu_*^#qT^xVh!*lOkq@aqP}dX-o=BoaRe~B zzeaz%7Kk%@4_x7}7;!Q;O>)LCoEF2WOy)IP_0CmWV>3_V980ht;EFb8QLq}Tv=|1c zJbnk(ncNEGzJiE43}PuUDp36)uUb!}*J&hIwv%o(oou!3h(auAoAW_} z_>rR|avL%SRzS8i_dX|r`-2ZWEh{UedsK)ZaI0xGGlTVex0GjP2l%p+_X-3zB0NYW z$iphgwJT*YO0&aV$8kV&8y`YwjzVd5u*^W=Qp%E#pMGWDpnji@5XPwpF|h)f4y*r5 zq%x#s_(yh`Rj*bBX0nFB@+oYfys`w649$@kXG!RGF+9kd={`JLM>3<@{wOdv>ELQS zpO6I=Uj$#6iAO7K1vva1z|%Sh9_ncxaNqY~@$vbX_m*k@bs-r0c1MU(`lgNl-Rw!G zWTaOnY324y#zjDxIE1x z>vv3>AzzMy(SCk(!lFj4K&^?Mb@JSXDSyqdJO$Yhs@}_WVN6AA=e3osP*At_^;?S4 zEoi}P*#rVC%9VS`*1g;`oeC317#J}J3~Tkz7$_7E7or11H0r`4XVWrT(_f$isfqTW zxFC&08^PIs_kwm_B=wom``cxuDMZtk36$k6X2oynC36*Gwy=!BLg*d3Gc&5NTF;0D9*rCMcA;H-Ba zbE#!Da~rUQ#RZmbQa3{Jh%(I&L08kUjp}>RU6QBGu0Xhyj}GFgO!1P<**z(#rIC!m z6g3lKM65mYBpTC}D`6`q|G=QGt#PX=5UXKHnD=g2p7bkH;uGa(U1I&e z=drJd7(L9N^3%c`c&lRtJQM8Wvf=o^zauo>fOgEzFR$AZJoA_jpb8Nph6wLf{%Ui< zw(GTyerG# z&sMz~Wm`)=_-t_6o()tRu$rkws>u$Ss{YdC&duj9Mw7zyd5=jjRe zR3KpeaCJL6$8%F6yzcQ-+`#_p<_dvht#s_>DY^qU=Pd!y^s9B#yhLO4hwF3rY>odQ zvkMQdre*y(w2iGl)5FNmS3kDZzMK5XT8Z7wYta4Lw6Bt{U)qNap+Q5In;Q07qS;Lw z6^{g6d$pf!uL>XQMX}KFUjH)sHz^sN-=PU52{}&$?wSs^ivfW1)7suI6_0A*zc|c% z$vo!MYfJ^bkJ0$r*S|1TjIUoUU!_C+n|pb-Z<4fL4Ne0s7Pn5b6;1KubrM_mTen-A z{;yYBoAb1}ozwD)_P+GKlYX)vrcDQCqd9TCa9bT;4jwbtj`fXChrH9&bnds>oHuTo zfaT-56AhkA%C2o!CZB%@r!*dZPvec@SI$!@L>9U|Aa6%0qunnu#@*o%HQxKufM{9) z_jT;s8uu@bzHYXLqtF4kkw0mCeXqtIJI#Z7oCfZDkhFPiGo^jqr;%-G+#bH?O_M5Z z1-wpOV;;wEi^J@#rTPY^v7$3?jrTyW4?Z)0RzS(0Wk@Tx|7VJa~w4|C)e|BM@nIZ<7Kl88ctq zSr=knBT}8%bcqqOh8K_{BS@6@Go{4B?3&eW1<82?w!m@t`9@z-u(hy68L3j}f^jKh zZ+d}S^9LN*=cn}8h{A>0`C;448PzWE2v{7c+!eY(3?_l;Q~I3{P`qEr?W9nmNp%z< zIMjhO;_?yZB31V(aZ($Vs*^EUc>6!4`_44<2CaUy?>+Gq|FMi!0#TjZWdq{k#4i$W zM|SzjG>>Pm$&FbFwi>fx$8dWR=uo_;{Y@|`k52{Ly zOHv|i(WDT2qJbf17@Flbjne>|xKTUTQm8r1ug6&%5I>7gi{8?#K7b-0;TNgX`Pww* z13x#I6l9`J%ExbFD-G6uf}l{y$%Vx~2wq8@8|rYa3-~_tW!o2n_~U)BYXKqpfa|>A!-wB-Gr#fkkhWGedNavMoGNbfwL(ctA6bp%35W=Coy( 
znDnP$UImwE%T{UZEXjNK3-Gr4RR;X9dFYGuLPj&>&`?9bpQMQFtu&yd!x@pP+L zVqu*Tlam@wtN?4YAC#keZ7|oe8Rlf zwf@+PW&@6gXDEEo$cU;_fSx$6tMMAfp-dr1$dXvPnH6uaMr>thNcM?VflkJr83Ww2 zsI_SdUpLntm1Z_bO{Uu2oftAxM`UT5_!v_7F^Mg)eMRu;K0!^g)u_h16tv0)O!pS# zxk!&}LS*3OI)*lM<+k%i90JqoAgXwuDG5-io+rXhWZ1#pq_5zaE1)0lHR0#!3a>{6@ck1yJZUkFS^8l78?9@*Z%BY|*y829 zSc1v=!)hAr2Kf7oxXn}8Xb17YV0jGAhbMEnd*CQtl*CuuRcPRy*3+snXU)A>S^XzMhlmb2qp07oh zZ<`JeH~2`{ zbzOi|O}gWIk90yoi>}XI>e$cvdgW#iuIJmM)eZ5Iv%T2B8hqswsE zGsVj=-ry==?Bp>)5wY+7$fGU5t^XKN+uijwlD9X5$9HG_nviT&-|aBoeH~8k%tBGm zL;Uii$>3e~`Mm9>N215}owhLc^mAn6ZMMZgz~{pupyybiYzK8nQqb4^hSH&~apTQm z`=rNn>rp4SFBqQR`6f(O43oe9az=8h%d?6cW9RcuewDl0_o_p($3yygM!ZgcYonsx zirVXg)P;s|$EShM=Xg3TYf-P$Z?$1nn06L$?2Yyu!-xya8wK7PezpCl%0=d#=Zlr@ z82s4hRIq-kw9H1yjZJUO?-?LC@jZGd_Xd0w#S4B40bGruX|!FwNt;6mJdeFMPNE$a zix2bu$WI0#(a9B4n@ziNEl?bkQ^~B&bR9z3x)S;W%Z1_PUdM_KU64xcI%gj(^Xeyp zZ}wyE&Z-^esmXBL3d?%1EYvZ*B>~;$8T#Cmq2k}q2-{R|E_a7P=>460Hl6W$F5~@rLp_@3nZ#@e<2*jwB;A%IKqhIk}F%X^+K|g z7oan_%H*${U6io@Sua{6J)=f0Qy!NpPj@veRWD$imYKG0P#{|tyHr@m znjD&oKVMig_D={kSex}_0E>-FgI-vK^W^Rkg=I7=cu_xi=BHm49KD3r=~vxsyssK^ z0*L|UOje4W{0s<)g~)c$f0amJrD^FToKocrBs$io5&rc%MgaJf52LRW?U2|fgiVM3 zrpF9x+hJp7Zf_L-d>%9<1LNmH!+rx>L-JCb(D4hRpwtD0SoYS9?(D%^pZgg!oSYbY z=U90Gzw8fMSqw!AaZBP%4iUwZ)^^F9SZN_4Uv?C!HlUIf`?u~;!2#V_49)80SM9G# zjDN}+X?XPWwo2Kf_u788k5>61RPw`wX{E0?gk)r-IRsBxjRPs2;KtQu;fLAjkvNSC z!o^4MS>;IsL2^~HmEtlph?Rim6vfTt;d^pUPYqnUtp!AJ? zu^KE+2fW9#2tEf4Vc<$~(*z?%37HT*q6%QO!%oEvFjy#tFxbDs_FICSHYg_y>2Nn! 
zhwbEZ3R&VkRzN}C6KGmmtA?eU{$43Zcnp+Uq^}+hWV&vq*>(!cabL}c+uzqr`eWWG zyK1wj6O5LDll5m%OsXoE^+}x05_H|Eg(HyV8eS6%A;mOldbuEM^Z49bn}pZd{puC3 zCX>d!T86@i&3T&ViVYBxWe88l)Ig(D8y1A7XiW!=MmPp@*N)oWJoQNu=x@FvR13}>CZZu3nKN>axFCA|)LvwzwNQ80%si1&`Y6m}=+3U%qBfWrl?Rn&KXfQ znvZv{dR^Q!iA=>On+gnM^T0*v!FO5G%bsdQ^#up0Ifb?oWDm^d^pHrxUWQ)iOqe24Hph_5L<2!Z?tt+;;$+54tT}LJ8$!BXi2(3_#2ssH( z2U)0uwJNoOio0c{O5FW;>c3@?O80imE_C%@+B` zpg-X5wh*W^)J**2EB3=8&!jMo!Oxw0zXRNTGeFw;C459{_VeE3eTD|F2g95Db&St< zhVn6ppOg3IlfD^=<&bwG{I+`sNk6^q(f+pDZ}C#6w)v&zJ>q7giJ||CiokzZBDzo8 z;KXU<>zZ)SBcNr#fZ&N!)BJip{w9di)Ka5e;Jn&@ARKkuT52Hnvda|guOe%oL9b`@4`SuMTYLB5z3Xc zHOKi_kGE%=E23VXGdR9(^#1L z9M4{_{a@0h*{)WkwkreE>!;@}uKNabUdgu0WTl0E-~Cn7iygo3!S-qH+bA@Wfaj{) z4ZzTM3q}_IQ{U?{EgrC4l_mH%UgV+s$N(IV$JA5ZG&&t27=pC)+fvcx}nv%q$o=$(Ac8NqbNFZ`*}!0)m!M2 zXaUJGk(IDZyu+oYDDvjNJqz^2>TS<(;`CfhB4E%OHK?q)ehoL0RQ%%NFHRKJuI8{^ zrO!~#{N)BR`1Zt92-ZN&q`+|pBQPu??ZxC;^+IK)5<-mF^wupSt*wLtS+QcBTGac~ zLMaCO=OAB#Z0B|*_Pt5V?U&S{oNijaz}a?X*BsetGP314FnGwM1q%U|!@ zom&_N_A?4l5@NqafS}SUxfxin7VPcawW{CTWl${(17&ARbI@@a?P&Y%-+EJ_4Z9i* z{AHGlr_%IBN~B_YII1YmLQ^sd3REQH*}sY2&`VMxW(9os>TuhQsO}L`Q$M5W9rN8( z)k7aMY#Yo@hkX?(g^5cy&UGu>YELr)Do(d|N>9Uwgi^B1smdMm$ueF~an2TuPB%Wn}~3Y!w6cfbtQc`RaJn-#-Te z4sHv8Q?ss*8sG2$2&%9oSyv(~)Y$wjr_;bsyD0yZBQAjNfH@q%ZeqQ72^a z(nWwmt$eBxQ!u%(rfVE-oP?Q@x_SaB3afcG`nUVm28(8`WlqDK#rH1)uOqpctOexb-A)HBbPUl&E!)_onz13Y5axK4UsZ zVd^{e`w~z9&vTGc2=BrkCO*DcYy)M|U@XBQUv4=#uld2_Z*U96%&I(6fd`>L`2ePu zD`83#kL?GGwW^#_M8ZC0C7KsiiDq>dAIh&ZWTG=Za1Am*{9(!coY+_ZFUV&0Rt0KPfVUcPKDN~mGb8G)gM z1uvPNxW<%q5=5`js-wOim4Wk`y+6dYDHe-0TYJxvy4-$C4(@6wNdEK#47JL5gOM5{r<#!)mvsKKTI77UfTj3LX{jG2ZLfX10THu5egxgs9S9D6Pqr`L6b1`tO3p9Ee3bvN=u6vYXL%cn zS6D0e{wtirzf-oe?OlKnh+Cc~*f8rbeQA9Hb2(e9_tM3C}qlfWPQE#)BeSQu+GJNuf|{XFfP1_k-vA}Z?+b*&U<2{Z{(Q&w(q&5 zS$3;)Q(tq)0FVE& zGy#l4+qxg7BBgNdJRjo5`5hN+D*B4)nAh=hZoQp*Ib;a(9!#+7x1;L4QTz0HxEq8B z+GgdX@e2ALuO|s?{ToA=-3E3y=?gqlX4Uz9%s-)W78f1o0u~+b)$F&wuAecyjr(}x zHXoz@hqp~Y(5av8g+;X=IAQ&;VGJo!kKGDGQ^54is{~l;fzS2PF 
zNyW1qfXt_(0T1HeSK91aG*&D(QO6*b@%su@%vh=K_$bs0=`vVql4eZ=89fqpwW$!b z$*6EEu4)lP;;lA1rIkmlpMga1mBIcJ5Me2NV#(Ik$@FejT1(|A1srrJ5s;{ZiMDLo z-}RtY>7*3%ZbC@3`7KN@{JhF-fMa+}79mjvb|=~Kg)gG<#_8$_4I-pVqIKj7d6wAB zisW=(rI|J_0&6V9N-c@frJusxmGLNzNZ|Yx;Otq5q%w{=Vc#d@C=AFEL_zQP1NyhXE)V{pUKzCyKIpiwe0?kwQ ziZvxtnfQTO*ora!XPZECs{^|BtD249+Z2w)VuC*tTuknb@|SOl)gn+n(5VGO=x& zZ|vl~Id$v1=lj$Dch#=lySvwVmbPzOhMej@TT0Ynt-e~aCKqS$_iBj**M(1%l*)ad zo<(tE_x0^o|IYUYFgxGKk`NWL%mY^yIv zertslQ_&U7P6L=z@}Yg2bJb;GyQ|Ng!F^FOO{n5h8xZqDel#1EX%}YW(y;Jo+->^`5Qiw;4)vi^3oaMw z{*wEU{9rp-vHZ3gi;5?C`40Q{+z_6=p9tQwZ+$HJA6I@Uye?cCj3pwd{P-1`tp-rH zR?fmnj3Em<0@omoLYHI<7mH9C!(*nt(dF4_kYI;4a zH9e4Cuv#4ZdIlCi)T42l3P1jtw-#L4fE z)XV(8y^#edg}loNW00Jzr%*P#GpVXL6p{Am)Bry^B-yamVxOT$Ym|k?Vzl7Q>;zWJ z@oCtjmeCOpoXewZO$YKY`Ea{KJ7^c8QP2%xj6d_J?ZOM?L`hY+-L?wM@F^3mS-~h% z!HyaxCMyrbWT6M8Tc+y}T2G7mCCHCgER3!+9EOVcv_rF3Qt`yMY}*sz4d@qk(+;S? zEPzld!sT%2Opg0tA{-plF_~r&{t?(5btz+M5<|5d^Yq6T5qXSxQXeKr>}o8Cg>B6y zUz_N6Q8oO~q5^nwYmE6v6sv-D=~m~THA&2LV-S$CyeE-EJj@MqcxuGs$C{I*(K!ec zEs;NsC_!u@g2r}}E&!55bBdN0MLZ7F@ zZ%N=jw$rO~3d6@?85FbYzTYV?Tl(sAQ)_^P{S)g-`R3D3ko#^n%R37(wqoL*Kv96_ zRW=PYgVchtd&=Z0jk6w*0PyZ}squXqAheUzZ$4FPee`$Ut)HNCbUw{#IeN9JPHX!@ zd~ya5?rnMA1-lEjecn4y8Q{B(E2R~3Zuy#|eobXZ5$13LENX#g9b3zr&TD%`l|LW! 
z0sQr61rT+kO9)?Q9Wy>onm#vOzRTNY%b<+gZnqcD8}7aC|2n-t{E!7ix3ztg zoh*g>IX@O`Tz0N00O{!5w^3$%n#>*c`Zoy?06bT#cHb1SfB3hP`ek%0GJ{acpf=+|{QCT{qlv^z`3I6Rblkg7uCkZAR z;~UfLL%g5Ct2RqaN7aRTzB>-7ye|o%l9ifA~e1j^hO zRL-477;o$Dg6WsdV!Hri!=JsLzpbtsf*Ia^7qkjJXQ)t=>96;CU%g8c!y~;j8jNu~ z1ONAi%lVGTlLWllS?Y-e{;4*ne(mN322<5@sk6Pa!oHq=-IqN2_r!e#`*t8_EZAz= zPr83`di#BpiJnmZJV$NTjdOpKBZDAwM#~a@*XEklZOoQ_0w--Kv9_CJuK$5MCCf7~ zZ)QLn&#<+8AHvD>&}9=Kix6tf9|Zz~PrHO%H%?~89z}rK3bPieKdG+G261M`E%Ii< zY9(F{2|16GM>#yi`mH%N_hwW!k)VJg!1GnYsN>sB?V)T5A1+!U$yOPxtzw-d&Dq*JvE81l?1mBn{0>Z!?xS%~(L|>}C3u(P3E2&$05Z$magq=et zD+#@4)3P@K!6F)aRFPMk?m{TvRA}A1f*xR--uJy+h6d%N>qwRx&uJsV`HAKnrbSY2 zIxJCAt@M^|^@?K`R4qcQfO15mcb>+=5*SOL$?5@guri$m)F*8%_hbZ}-RG0GKdE4cmu6B!Oi)7Ft zotChwliDdFLJoK=@*O9TcBCdn(i*#V%)b-0_>&7TcCCInaJfZv$ha;^HyT*U`}8Ml zsA?0MQi~7VqtILwR0~hp8YG4m3tAp^r|O6u8STXTwL&^9vMIow0Uqk}Yvt`Bc zdRb}|YX(-Sl71sWL$Ik6-5@k(ZsGT8zve0lImo?+pvBWx9l4rt43Jznv2actN4MnV zQ}9D>G|gE%8k44MP{~wQJr+G{cgd?{LJx7(3j|ul;=faL6ADJV@Q-BDESGQrACwb;qNS_(=vpTlwKi{_o-lI~D5U@MK3U zjRlyrF$!?;u_vYMYid;?jA-3R2pF+4d}yf-HtHoNUKRLZY}<9jcC=$jr3&oE1gbdt zws_`3qH;9JX8jiP&K~|`3JQbkmcY7j_(!sHm%fA*tn~!0D)~#1S$NCs2{;nt!lw+f zUoOIG#5_GJOZ8r6k+S@0F zHyQnkYn-MMrl2TIYM`JWs}|Rq`#zNHzz8Kw5iJA+_u2UbsC{EXYl3x^!n}OrZYFPw z$2xyw6sj>-RIpC64)XoC06TF+j27MJ{mlh{pVdwN4|#V(Wr8n&=R7OPKxn)Y!%Nz4 zgtz-wus_sCIN2Cks2tG!FzaPTfzbf?U=gzrrT6mLKDb#hL9hS$NP^h&vT1OGj^@tOIyI+nOUH^4kJJ{q3(C5uZ-YDRZB8%dZ<1y4JWa`CiwPPA0Y9 zpS=gm-;8A_(ss-%E03L=Q7dabZeu97n%7ENFMZP6)=UWbSS^b5k`Hux4Uo9d4S;(| z&mU(Fj6DwT@GIR_y=P8@`nwJk*)Pl13fJzo$E#+56-F)*-3HDbei-qCj|bFQkqbzX3`e!_edFr-hJ*f`Tcc+$#s{6 zU<6&$AvwhTj$;YuIPMq3+rW~YtM)yU6L@!?-^=m?#O=K9nXQX{ow_q$`CYS7wBOm4 zqWZ5;hACRK*IoU}?)<;U6SlsedbcG@WBny^1b1fm(plv58*BP`=Djyqo9B}Aw7WM- z?yWW}^An(D-5HZxvDrR9aNojxu$X0_JhQd+vDK4>^vIj))#vrt&fh^BBk%tdqrEpk z$+`A{^B!HsXuD<1*YrX;!uVc^&#-9?Nb-~MS$hHUeF3vRp@_e>{SBcrBY-;+-`Cxu zz_ui7pPdh=6x_1}yr|!??2-m+{!Rwkz_N$WdqP|#Hm^6CVNpu#~ut3*)lz 
zjk3gozY&@bu*GQEqcB3meZy+3O3;oA8xw&nEnqfv-}Mj*vD{Fl=NL?xuc;`GTB9TD96#-)>-Z;nT|AObnZG-!?uH~K!W7FUIh)CPC6j9kUHU9qRLV{= zmmyM>It|j38~jk1K?Whphm-l=R4L~1$Wh&A2cc_p`|}^+VTrM zBH4WCO3E`I%ADygtK{cTA$r!c=RwB}`^6iW1yx=<=fytUU)#T}OE^-Jct}^+B|U1Z zxm=7+Ls0{pJm6>cONhe71LEzuQV|Z$`jAle;wf;fdN<~kjd#Z>axF8RI#b||)CGp* z9#oB2$GsV}X1Hv=B!@GD6CD!t%>pRBgsF8zT$=K- zCGLJ!9(EiG{kr%hj>Y_)>1HfNSygYsk`PArxcu<*rmBoN46t~UZQ9o%7c}niBgs+i zX|pGt07^Vq#5#;CWKGvxG!mw3V_yqg=VCIEFKD2& zF!t?&6~!Ee2p;ak9EzT)(<=ft`9iR|)MP%(0IDh@?MX#YV4)SU28VJ8Co-vSJU zFQ_~G)+Uc;eD*q&d=>#^DOy#(KEFi!(SC}OMf#@P3y$^P6Yl?K{*6Qi7gL($yvw^V zIJfs3Ux&qq0r;yIQf59rww>cqYhHJUKRy9?Og=9a zNBR~p=Y@!T!jpF`rt1DfTt}t8EuHTjI_{g^%c#MmD_pygT9mfTo?LbgFY6eL0;_u1 zo2H*p4E%z(k*qV^E^#gQeYK2jN0F3BJ~drX&a}?c6M~3&d*4!~{F|?k?si|^H+2R7Y+hhLA%0WlM?u>Q!w4lo>yx!EFiVA@)2Aqff|jv) zJtyt5Eva!^Uo29KNZ%@|WTM^Iz4xetoU`*?#HG30{766HiSJ@&MYrLUz4u%{y!vjt zpb^mKx>4C;C#)gpj<=Y_%YAiy5Aa^3!}C~_2Py-#j>ebzFGEwdb{N3k?dy)K;CI$O z{sgPK6$x%N$-Z{w89ZM!a`-q8(yI4b-^VHV{_dt9RNvIOxZ0}Gx9fJ^sY6I`e;FbL z=sJzz&TA_q+UPaxLM)}Y>AElXj0iMd_^qpN=NwT^+vqx8Rykk$0?sibQ>qd9_K%`k z3jFR=?N?~sc)?-a7#wD2Xx$q?&NW;`luWgUMOT0O_4ZoJFd)^rsds_NY+j; zF8N-;yr$|oUsU&uCm3*i3C00|`at0V#xWpA67XKf%3#F5!Vn(5*ZstwDPxIJnv_4I zM)+jVzo+Rd?(y5k@%G?!^&PSO_UMxbw3?0s!VTr?TB7ndrrXK$F*5(SvEF2eEumRO zl;c~27_??Uk|7PnCEIF%eJc<>DTZB6tLC7|x`IDd^Rww)eJti;Udtn7MZYom z>UheU#9G_aMsx56j=LY~luGv3l6@~I@zmKs<`ET^O>DCvIOm%tH+))$)eqK@sR!t@ z03Qpk)IYNa&B=X6Q*J#;a%h_s!d{k8^s6l92;M2s_D^EkXdBwDEMtcSrm&;Wv{agv z=u>VR&?cxWVPf6MXvGgx zAK`Ngk8D&2PTcuFw@D9(mn)WpnF(D`rMMzRK?s7iq+9-l1>KXjnDFu^=UZnKI~2fU z#A9K7BPlg5BqCSv#Qi!&$tIFyQ)yzrD$UzCzPa;lD%EDuFeSo0s+1A-_GIujD1|Y1 zKd#^Xyp%yhQRWHLWVJ;5r9h&|r}jf}jFV{(Iud`MJND)oP3hvWv4$p!ad+{TFK#f? 
zfv_mBW)GhCEQQr+iz?NdC(1T2xfB_`fke%+L~G-0r$~HiPb*CY#tmAH&7p=Z{1}Y= z0k_1UAGzm9&VI$IT0`3$w&pYSPo%=+gp>kCQ9g`Pf74bPd}Vw{6m5Y(n2N zuq2%v4}J@8{Df6NSwjZN6|C`A=4dpoNzY7~FiNnF9`PR57OXY=-W*x!Gxt-z|ct)fV4){UD$moH+qGM{i$ zSiq#Tb0*E%g5;b7vcCD0T-NCbJ6CbelOeV9k3qa*%B~VLsX}o;G+almHWDU?{^Lc(g_F2U`&9|w->4?hhEfwe(G5w7!*T+i3$M&H2|*KOq!l!k+5c8pKrmu%ADA*` z^#scv0;IDkGDm-$k@L!hxY#t?mWybt{(5-G)|QL02HPHgX3uq-H}9D2#8_oIFfvZ2 za#l_j_XrpxiCw|f;N3bCa%64WAlqzXZDRfZ1 zg)Gjz6y5sR>|V(FKVD_`n+f*>GWO55GhV2?I3Lw>x)ppGQpxn0`(>JuVW-l4wUg3xi{GvfKxgoF2V)}5i#YozgQ zYbM6R#&V*UHFrvYGdCt5{zhYbhD7erqA z+oUYSDZJJ#z|QB3f+Sk(>LvAC+_Nr+MH;!j&sz6Uhah3^KC7ViZt!4mH$zWFhuxl& zv^Jmrm~ePc=auhnWK?Zab>iw_Un_^7^^?(?s7$uo_TfKHk>cf^-^on4UaP);h*v~TIh1&=u;9-bo`&4+!-|s6;2heLp;?l3Lj9p z`XJ_Y+HVWe2&CktlzD0oVZ3=?xKAtoGI7qj7OJiJ%%}_VCmLqf-;k^y?L=|&dBO3c z^Tal(BYR~H%61UBx=4~%Z;gPTboircsx_EM2$^5p$C@24XQ&|59i*&C1YBL{YSCWZ zn!~tG$T(&KCs}k8Xp1y6!g>5w%q3c85G^_&hZtpui>hexxOtzK3wb((V=?A*?^CxA z%9}HcDyiI5SUw%Cs`P1@DR&PMr59?=FMnVKB1~knFMWg~_%$;=SKr+-30Zwd->E@__{6aSXHmkG+6ph=K6m zcACs6>8xiMA!77WZ+J{q7q9k3Ds{tJ5LThSE{lKT#Ly6=>&C6kS0=%u(HqWkW`keDqi*RA5Q6NkN}o$GH2vqx;pej#?M_`M?~p;{Kdk(UfiwcQYng00^OjEwQ)9h5!iExg03z9N zte*k+bi7pR8)_Us2Q|SZ{A^C^ST2y&v?nk}xMyk#JhrXBBOqD}JPa*Ra!=hMdh^R@ zT3~R1#MO4qYkR`x1bz%z!gR-f|SbG4i%mC|B^VTuThFih9)HY!7VGT zS)<7irQJ_5thNr9!)PSf4j~!De2=)7G6C)4*z&!gzz0r+EFU^wh3k>Ufn&Orzh-@d zNKwr<5Xw}HYA0ePnRcadv;gf+s3Jb`__)5acYk%4jNsu~JYp5KV;5(Nvjf~iT*9Cd z8n$C}T#HhpV00S*sE3aN~6@yYevTb07s~RXvo3e|`XssVnLckfRQtof%XN*(^Tan{PCNUwl zTCw4nKW+-q7vxI*#sY21%t&Bsgtj4=L zE1&y?*srSreV%EvM@>kT*1*L#4aqT=!I{qXGT+90UkH@^UHdkr53Z_7Uahs|7j`Gz zftGRRD4l>?VPQBFRJ^Qwpv;5lRsK^xsOsQBsuyr1`8SIiDua5Vf+nEIg-wCfv3I^2 zWm?gGyvhWTU;8-qw*2#_sE37pCqTQY%22`{fSlLWsH;*V>OUm;xV+K`!0g2(Bp$R4!<1o(Oxj zJC^@;!ct6qKa;TYXO1hM-|=u9Xbn2D8btVAQy^2f;Vic0Ru!RJ*N@X@C|8OFJd;5Y zKQY|xs^>|sng15xK>hB6kJ2Qt-{L!FG4;0gRj>^2Yx^lm=nF9-0a^-)>`CwhXm}>h z1Psq?AF;r&g(K~e{hDdM5WFkO!@Iwm$kO+H6R1S5bEs`P0H~)C7)bJ&q#0xCU$g;s zd~Vz4AvmjNc}$POyX7=`E_C9m-REx!OOIt4fUm(DOT8D}z-5jVJ&#W%?@NQK>#W|I 
z#!VK+>ja9|jO&|RekIwzCbynP$!NCC!(e_IhDPOj+Ke4Xdh5GiGOiU7 zPT;G;`+be-Tuk=+X>K@`B-H@h+X40O*_*ycXiq;L8xHKHw%W%dFC04g_5VQSU4COj z-T{tJ9IcG?U++2GJ9_6yQ}CaMk26BgI!;ZKSvvr%YY;&no7RO|SODMoTyyXIcQ}WE zQ~#QKmo1>~z)JAk3;!*@vR2D0d{24yv$NM_9wLVqL2K_r<$7mm^N7WHiS<~}XRE(= zD}>{{vgY&hwT$p%mU4toIdf1zW0__nTjjVe&7LK;*^T?N>A;(?OYGw{T0uZ}?+-bn z*KwUfn%?{7MlSzFx7^onfD@FU$KjlU{nx2*9<+r&(`c! zVAql~?WWsmgT?1wovT1sedFavx1amhnxN0`P(as9a5aLjeOdb%zWyP?rfEviiWUeq z@D=mmUcc8r-bJm%}v|=ZNH1NrNc8XC9X$~Sia+>P0+7n(mqZrE;h~c ze(A!$j!hWo!|Mq4++f+B!zp<3VW&W^Ia9lFTuEum@jN_}3G|Nv0{7k=RxJ*JLXEe; z3oM}gR~%HV#OBGR5$4_p;ZVHAlYOYB)ZrQCH|y-jE9*tCFY3L&d5=G>k`}De+Pugy z5bI&!5U4u)*Tjtn$s~#>xepBYG_<4Ibyqv%v2HY_q5wG+%{w6O-AQ7h!?Sv|9$cg@ zMAe>V@2`AoH=nZABVXHmyyOv001Fq(WV(7M4;e|F$>Us8-)`96YKIbbBTtl=R`PM1 zYMeV)Jqa3FZ*HdiM!~=vb7ln?(-Qft7e;My11ePQK7?X*5!SlgAms2Z^_=`=G>))h znQpAJJe@g&DHV3gGF6IviMH;KzQS+}7+ETAm{QKhhmf#wt4Y^yRS*jfMwVZ7{GhXb z4e#_fo!LUPNZ?y~MeX*&V5~wBk69&69VCG-eMRM4g#gnXu{N{#GqJ)&xH)xym}F;I zw{1DJ4{v&yk1Rvta`(5HGzLDzA1Bt{!L)JU*j(~;(J!`?dq~X83f{@3w?I=*mxZ&R zFr4!tewZ*x`j>M#UMar~t$C2nGX}a2O#=u@z*_W89?*Q(jV*q3m)8md)DOJ%>GWe1O1IcttlagPe@GZ-! zY6A&)s9Q?NhwX9za_KYz{I;}|HP$c=C+cifELmYnkdmrLLoPB3k%17-S!N_P_P^=J z^uO~rnZ9#Yl`(E=f7*V6daHpkT61qv|0$Yhvlb3@Gv8HfJ{OyI=2OH?@=4m=lUDdW zDPKJMil8==lxY&-!+h;hluPHf$}x3}O^AEcmpy0XD1#$sl&8|E2v$ea1N)dyj87Cp z0DAi~_vWoW5ZfLM= zr8#Ke3`83~|AZ=;fTxltR?WfJ>jcuMO-k~3CP&W&Vy5k5ro-#YFzQPAdW~BrU3Azwu`E$GKcw zEz+8LMgKZA21N)4ET$b2XL$82Ij@(TnPeN~FSH2cW@b&-(wIJ*mqEybcNIOd0M*vB z_${=^Q6sY|HrXZV=hI=a>qixjY$A#Fl$FYs#B?};C*36MQ%klSPs@y#=F&kE`h2mO zy!WrsPx3bPKU~9l`lo+bLWo-9OBD+1Nx|TZazT=}&d_v_CbX=X5^u2o`m} zYrx(5F}Gzgk~5i=R=~L9bp&>Wzw8CE=G#kOfjIg>(`nmq3lfF@vZ|p2yb3Id)fFzx z8cB2}@IAT_oPOWJ_V#`63@)i@FQepC*LtP0tiNd4c^qQ*YXF}4w?AA#Ve+2tK3lH? 
zlDlhN>NE%wPxwDKPB^^IlSy0O=hnjUAFT*Hjds*Fk01Uz=V|-LjR>xJZ4b`%e>@Xz zxy9FYb92^u&*G2dwmE!`#&N6x8g4T_^+NW~Zuiq{eFmWrd;B-Mj#@KE&{qWgufnIj zZU>zi^lm?8-1MkDohfz3@$NctuU}r@Hta079H(RB1c0YAE87PelV!NQw=Xfcg!j97 z>RX;yBMw?ui~WRtP48x9^f7tvE7_>g=aHwrv^i5%jf&u($xxfx3)5U|+UionYdn23;J%bYbbyifVonlDa@JTM;68Ta!RJh*C9Oo+jZp5<%1Eabnw1~h6Hbz~#bgHU!3Dhp1xkIsb z7S1RYhbq{t7!M)ZiZO1U8w_KTfErwiItit(AED|269{Qc2~q%Ds)nE_sqc@*4(R5i-D8N)Z?O*Z>*U|tnGB~i;hMi=2b zD3CR$P#(O1$D)y&Af8gPGR7#5!cPgm#`iQHPHO0zt5nl_xn=hJNk!mD# z7|n4!XzLsfeur#Ro?NC-s6*FMoGMFcm}WEuR#`*l?e!s^Mq_vjGV-=iuU`_G+7kl{ zvP3%=z{X2p-A4}VFl*KU0*#hF{E1QDMz`_CF&JtfYEAz+8O;LtDB4dYg z>H4n+_c`1Pjp%6$GHk+MFd{Z+YFN8gJ6IQ(k_T|GA;|ZXXW-BE=)I}8nQ!ID>+$Q1 z2tB9&b6#jUFqO6>K7nXsAsUJeI`)@ijNj#4BFMAzlbDTrMnBnB^<0V&N460f(dr-4 zVcXjIGZ*Q4);$SNt^nrFt$_J}6U`yN`hSQjt`uYJFu9X4{Zj5CK?~V7$Dq@s5P9Ru#DW~od!6p_Sp*I9L!gcfl`!{Nx>{t9Tb-IQ<1duj3+ z^%qBYfgGs%%x(#c*+1$hMr4 zVpQSi#mP9$V*-24UP?Xaje&FHXaQ~UI7BhVI9BeN1ATTY4IOH?!qjnR2b$#tTCIzH zkL9pO3(RE2{8egK0hUm)?doC~865F6!mQ7s!;i#9NGRk{O0P!D)u~95t%F@k@uCbP zvJcGLslUqjRsUE;N+woWriz6}4dBf-g{=h|uh2LyB(wi>GiCY%+LCw=9sO7BDv~yV zi;7c4STei9igUy=l@non^Y2yzjIf<~eK=FwkK+luXti60N+%IkvS7E>L+PSy>~H7| zVAOM+Q;5TAN_mFvaq|Dl#||!2M1Rz`Svwc#OMhVSdD8rfDfmeEOh^Y`qJ%aw3US5? zECTic4+RguTQ0`tC{|bjnUpU!ko)WgcUkMn=!SWj7i8;~w)r$gXLbEM$FUqDAocU* zj>AuW85L1_$MkByU4wZ1l2dH#T1om7t6 zI(71Jo1PDt=hL!qf2RWz0D;%cbg!TD%%*jjAFcCj7v-}K#FvZ5m04`v^H=B0`{D8d zhtOL$l{I#T)6?%ifQdX#=dq&B|2UTt{pji9FB4 zFx)uI{rbzK*e}VblujnU8UA&}P!gk}ERhs4ui>iA8?%#5jgDbx) zUgnOU3993s7q2@!2A2rnZmkT=j?~laks*~LhSp&%9OKCT= z1sWW!wRvCHi1oOsoo}(1U9N5(`xYBDOK*Eni1<#EqW(RPPWK-&CtJM$oB0~Tyt``U zwsTYY$r?7`t43(l>c?Jdt>;>G;~>Wanq);Uv! 
zZs4m3=Pt;}u6{pq6!V$zx$&dyGv=N!IQR8$Xw!bG;!qvNvj4x(Tf&X|fy6!ZRpDub zx1)G)PAz2{0%wr;S)Km>|U>) z!MRw5sjdbyJ3c5tIUARnbfkRxgDn^X=Kw!9~i2+iNOycwHi?eexzB5RO|~gFi&g{PjeiCb^GT3Ot!4VXd6@; z&e2t7I4HH+{}!wh3I6~&3^!`otlCg9j)w||WD$Z*q7cRn!9XM?mQe8;a94sITUN1K zR_uR5v$H;^*qeVuV*y#U?H~?OB8IgxE>FZ|`j!~zk(S&aqTx98}avM=Z(b28f{pTWCCb!Zk zBg>Q?jg=8kVaXQZf-xKM5Z?%wEqvsGvIHZ6kejGZ$zI@PG-s?RF>INQXsN!a6*P*t z1(%`>Nk%KttnO?c3L@REK3T-#aPEs+iDbA~gA<};=XKD)jAL{J?ylJL&+T^a$I|*u zNGt`x6(zR)CeoWo4A{TK(WC@=r<$>ocSprmx09uI-?=Ym}-hR-+aWjB_F6v zauy+`MImYeSID;IFoKW=Km7jgzN$=I*boh+O)S0q*q!EM1J8`d_$1rF-*Iq+XlsbU zvJe|3I4&A@+a9L#4T9OTXZUQtoR`L%fvT}#(Sk_>4XT{3qVs63_Ob`auh{Q7r5=pWI zBB9cV(~BNa7N6$SVXShA;Pw9^ab>m2wAplW7EOONIS+{0COm?U{u3vQlRZlqs#9bM zLxX~QPgIS2RE;dqF0!RfnZj}Xg}XdY-W!J~QNIdem^%7g-ypg7k z<@O0x?)glz+9^nG(8K-uMYt6;v-SBE*WqyOd;_*uzs$3+WbhKtdpXYissrc-R%gkh zU$3qz*xj2ltzXt(R|3!!I*l9Sb{te^y7pTR)PZa?1TcB7|9Cer8QCzsft=0^Ej9ix zbJcn2@3#Q=^}SY`8H0;p*W)}`Lqb7dR(PsrMcdA`oh`NJ%n0_$75|FCafktngWp{+ zV6&UxZM5WGpyz7K?7o%Uf&XJ}d+0n^!NKD=@7RD3t4&Z3;LgdP-F?an)%$fdw8LwE zvY_7n{1h~6E`Z@y&e&??xw0WYR{hwxbl(Rn>Ak|}zoIlVS=95H@}>atWhA3>^12eY zbyL^w4(NE7wjlVe2S^+5x>`c*aenxU+TswT&w2l9Pusbf-%=3pTJoHHUiN`r`@}d- z1oV7eRwH5{>^O9dYd`DR*LH%7@bd!w4!|LS{rY7Z4(q2w-Gc3Kx^usCyN;6$YFzij zZu!oai(tIBUg+I&yD#K(Smc}sltZ&>g(&%;-O?Nkyzrzd+}wIj;6UTa=< zyOSM=e3qEBwlfD$Ypr}HZ)5q_G!7a0zfS0+`Nv@a8n)~NuML{kBhIC+hrB;*cMNiu zeD_ns)wRFmtwNnlbA2D20Q%~mRj)e^HAA;0p5>JP>>SGMUDA;m%(gH5A<_ zquFq&?rS7$^LvIk^p674y%_Gwp=dEyFq2ECA3c| ztHju_O4bKV%_?Yqs*auf3}V#q^1!Kh*s`j0;J6_5QbxLk;den!9A@Jp1Q*Y@^kU~t zRZ_mNFtsU+YRErta*!o%z&a3X!8yOGTQFKJL{&Y-QHz2plu^*@{K4xxqX^F8kvW2*L1BZWQ8z(kHGsAej6Ga-)V}l0%_d> znJ(760l;=^VUD%_tEejL*tY`JutWf<$*We@(X9>@GG{bjXgV}IFU+IbQIL{IUt?rp zEYzY@MJmtLIDwSor0sC>d+}GZY+eAfrhJt;5fAfl@rXzug9LSIXp_s`X z7MK@2u^{_{5*SYCR`$W_r!p8z#guGvoRyhKiCt|GRdU`M6Fv0&8fXM6_zLGn>Z~m*`Z&C4UHKoq_JXm`(vx8bvXu0Q zj0uPr4@EJM3?j9Nl=o&S#qfz=nsmzYoFe#=w8>ZHd=I?Y;u^>d6X{F8(jWR`$I=Rm zZOU{ya7wZB4eV&tjN@1S7GqMRtE;$nPQID6WcH)8g$~mgm`o}sSud3bh|D{ZhJ-Px 
zPNZuhFGhOigOpebGlpyt+x{XlP2$j+$}DDcE+C4YK*I^fStSGG&TV3wnC%xyRl8$T z7y4&JvvUR^w2BJKaFjf8^{}D_yvn=t$0+^6O{;YAa@{1Pj!ww%teZVwqc-IBMK+u3 zQaemxqIUrw!9o4DTYL7TrpPAHOA=XX;Yl^c&|Ie6$@kxhEiH@S-IkxlgEpxuaEzbU zX&;y&;x}J5#HWf|ECx99tQYitdSz6eAq8=Es#!3AHI0 zhm?_0`!op)Akr8=?tCpeoMp)uSc4Lle8=e`>by#E3tX61wwFFeIO0|tL30TrVHfI?V&je*i8 zuswaf0Kt*o#vzzl+TQlJDLZKgVF!b{9aM)IEuXRyLcg{5D8H$anJ=%GuZ(-Y-v43h zod4^LpKaeXX^f_6Y}>Y)G`5|_wy}f8w$<3SZSL5%t(|>y?)RR1&M)&9d|uByYi7-Q zs~pTot8KmK#IMi&1%hS*7x&c)90@t?Coolx=pV=!CP9F zK-nfOS1?*~;0Kr4%3Hy>z9F^Vt7lZogjlafR^F zB#5u@WZSuwwe`c#3Er+?SAuZ$=!2h z0o&^~qZr`&?mk^EZ(Rwo{%I#%0P1Z%y`@~-=7$i>)%Z-U-C`0FynQOvxQt8Zfi{4a z`kL{UQw->vFTiH9KIT}^+3oNYH>KtDUeMNae{8GGFpKh$priXu7&Eiu)TKvi8lHEm zJxkXrgZC+bQ}?BkK8E)-K$}s!=x>Mfb>0jv7jt94H0x!VIYC#_HnTHDIco74Y!e;R{O22p#^kPGCdbH3$HYkN}31r8I&=_?LIu zq}aW};pd&@I;zHGJE}W#u)5%>n~&4_OCd^;aNsVH#ALjPH$ck8)wG_EMFggtI-kkU za>aCG;`qzg*8-6Y4}bY3Dcz(D5vCxK*%87qW&sSM@EUD{VA(cESS}wIK_; z^k?F%FV3r(S_ieMRvAoz79!2Sk|?M}YhxB3?YhpN83U%NMXaQSJt~^&Nv{Xc*ibhU zwW3QUTT`gv1 zqBcpL$2<8z*Nvbc5=i_4kwAYkMTN}VKCo)iSh0jFk~4Z^qFhl}7erxQW-K&Yky?%{ zruqXIYSg^!*a(%F8Js$pAj}Bq)}qsR^3%y9?#6`lXvBvtsH9M#CPVAzBMuI8b}KwE zJItifax7GI{2o`xJWo|~tamSsx;o>*S{@hucixiXFSt3OqAlE|)8%>RVcRzS+W

ze(fq$bsA6^M^+-!7rO`w{|6UlWun&1q5c}|QquUbXcDM>=h%^(Q=+})2Bncg6}C}0 zwJvEo`@u)7d0~hWWM&35dAu;X{nyPJ-HQmx)?1U)?%IKX%$RG!({7}Cqm*=CvSI-C-_2etnVI-nirdts))8^)bqod9g@d?<_1+4hl6F;8A^(7h}=SNf7dYo zJeA=*2o+Ny$TzXpqsi`xz9@s%h^H{X4raQwFTl-$o6 zbjr%jpK9AmQ|HCG0fNUYuxs!g0}@^&vDE5VWQ#%YGV;5YY+p=jv&ES!^32$3a^Xt~TSuYZ2?kHT3 z+MsvkoGm9!T5gfio>t*?>rLtu%SzL3AnGV(sow%p7XBB4Rrq=rQB@ad9fsk$@U#W-c!Y)@kuZ?UB~o!AL2NTwX~Mo1Gb0(>_KAUIHq|Ls zMB&;hy;|Q+qA9pGMv2Q5CJW)BQmEQku01UT;w%?r;BKjNbLeljMu=^-LN98NM1P6Z;vK%;)p={s7_%?l zwfx1VRO^!;EnB~(<(_7~C0!8hRH+@OW?08k@QsJ6(d?1PHEmyUx3(IXpM=$2wrFNu zks7v1(azLRf7Vj6<&13zC4o1VcX1hO$W&wL34ef7`+3a)TeERWw>5D)`9J0S8Sp7> zYd)oI&3~kAIr!ZB=K$T;4^c%ZVUeG&Vz+=Az&#;V=cm*~>>rsZrp#kZ0^fZm`AxQV z*H6E6bM1t(Hut&$_Vx%foo9UuhbJdJkH=!VZ$JykZFgxAG0VI24-DPD&6RWV-5u*v zFO9ZWwmzrQ7oG3T3|uF`s2IM3Igs?GC?{r0mz{$Po&U7AyGWH-f_55#hzd zIe+=(d-0X++YM?=cIP@biVt9T3uKsZw)pm(c0(OQ_c6RipsDV89@{AJ>xfT$(H1zx zedpuyB#2;#R}b8qrtg}@OSw!G^!s1}%ld8|xvu)|9dAA=y{_|~ruaG@}<74Yp{LTAo?GYTzwn53*?0iDG1^uVVeMuwB!+|)XS+V>ALgP}39Ad7QS9(1A4q)@O2Onrt?^d=M``m4381)d_h5Z%+~p6q^r@fylj>W<-Nl5oznz# zSf1I3(T)h})~wyQF+OHJ^1$G+95s!9M0PNDUC`YuwG;SP0s1Z(D?10-DHrl6-^{Ar zfJsX#1g$UsS-}Fhz%XeKIpF!vd2#X2H|z`CBS8clhvB;MUMUg4&4=Ka*(3Oc;uWO` z2ZQAldIbmai7)D`Y1ZekA=ynQ3jss%6yj zddpdXlR$-}xE@VJrg_76?FN!Ov`CpX3kt3rH;7Uyc?2wu^j1QCtf}9895(yh0gLT6 zS;x&1?9$rMtP0nmk)&koQ-|ldnXX=o1;S{tTi@V?8+Fko+ISpvyZ)G2Dx8m3iZ4iL z)hIAgB)MXS5i?R98#7l$mMf}G{bO3lRI}(}VkPy1;A|K{goRcPzOiyCh4$oI-Sx!c zg4G#jc+HIAR;9ZC9uV?L#)2fzmsGLve=_Ln|$hqVx#VjV|n`I z)RhoZtFPq){Dt2=#r+%;V9OE*#o-Zt$*A5M(nkNYou@HZ?xB^X(5trC7Y$%!f5jGI z-G-=0`O{SO6s{0dX~45oTX(H7&DI;9imP_vOY0|$h-_)f0Ml?MFi0#$6IdIhm|p$4 zG#`=o;>eVyA{d%nEzx%S8DP1n$YV~+N?64Ipsk{9k)|LXUMxhBvG~wo%#3&Y0B)tIG!}z;g@`OU%6wBtgbMCSCxrP1wqxHBuz6KnoR(JXVwn+i0X*|U=_0Mtgt&KVjDz712v@}scNek> z_uQ@cdGmF`R5(lRpuDp-r8KnFtYm>qm3EqyOD>B}HF-WmrmDzv8M^^Ex-a1iWf!y# z(A1bxH9ShnS%29KjZ6^+7Y&fAVon1^+`cyEF@^L0CQvD^?BL4mlZbU4x_~o)&ibi1 zio9A>ws@|{{%D2~GBI!Zo4j>PydJ1Rv=mXxr!eM20n1#bDxEYZ_lf;%L`M19lQ=K~ 
zUmSlF4;Tl}9?*e2K14y2fS)OHfN1cs&1`NKqt+tQb4Qyk!mUqw>~ChhoMv3xuh{02 za_G44^KqUkyj93i0x}DzLTX7Rx|oU?1vqIR6M%r!i#Rc|I^I%LegvW)j>?~ z#in*?@Rkc18&s?>X&sc){^ppdb;Pv%+r|wM9UXe;SRh&S&&qgnaAweQ<^(4#!&)_~ zo-OQ&Y@_ub+3YHev~XM(9={;$-1+Nv5nvy8P37r9c;x~+4GK27GHwx-MJQJ!OVsxg z!9|Ou;8-5PlfUeYgvsvt$jhGjTtXDAD7Z-6(M1|1GQ~>tF{;Hl@k#_a60v?8z`SVP2BKZ7Y<|pP)^V6fofec9SO7MDuMuLbc9DoY$ z#S{Y*e@7IB8`O&HYThduM4EqSA>K%a}M4;s}8oCZJvxr5qZ1e}|nkoDfj0_8HE zo&{3Sk#o8)C{{YJboMx5m<7G9+qT{lR>$C{FS|^#H9?p8fR287KD*Y>h8rxXr`h_E zy6bY4-E~RLJA<7AM!&yFTQlMCISg6SdEPT}+t91eZA@{u+Y^22nqJ*rq$jKv;J#|7 zwY#oq-0_a(J1Mgx^x1ORb6Srn%a8Gf)U`l&VPH-L|(HwSR>HG zd6&%KJuO{pHevMHD-rNtRuk5`eb}7)inrE^8+J*pY#n#$Q4XpUG}X-yD0J)E`IYtOst?Up+L3qFjRK-xxbO?khQ?pVn?J za;)3WFueF3Zk2z-;W``%0#B-t1-CX|gEw;iGf)N-KIYt;J)^MUg1e({uAb%V2g)Yx zbU@9eeaQ+d$9*)~q1`QDZ#6I>>D}ZVA*xb*TBloGF3gO`o4kwRr+hJP9D8Ps0lO|X zP-|8|h?H-nGtn0o{5nar4zV4X)X~F@YqTYC`ZI}*i|>Mms=-vhVzib|lincDH{Qu6snJ-P zA#YhJ%r9tl;z?bKRNuK9t=f`iZoIHX3MX{%`%~d;qDyM5RyzcOij@OWD9K^Qqq3wB zpz;hd$G_I;+f&i_8@TQ}m&5Z_-7w{~Kg6L0n6g^GIF#;ZPpm1SJBW9N!n(`j z=84v9{zLtuR&qW5f)Ypyd!b-NTSZbTys_8;!4ZW@ozj0tU66_|rLZcK2Z#KCqrw>2 zl24O=Dq5Oj5vfs%q7aTJBaN>{Z{J_1Wp#KHJ%(IooS6g_`oo3Tg5oRjaN@ppszP{! 
zTKA8*CW7TKqbE|#l2#&7b#Y*CjqvrKUtZYL!%#8IJ|saNNjfN3!+3)=q~%KV8FVT` zXJxs+9Mex_Sg6J!9Ae2viAJgHn}gYeu_~jb+OS>M3ZRfr&1);Mi4dAiR%wSM%K9SN zJB$s(pmDHrGNfn>t{vHjVTDTz3f{7!X(gnxM_sRr(g}G@^7y)+Y&05CI7OeK;#2r4)DknKyS0MHy<&Juv1XNLRW)V|XWOGAD*Ua+?3+ z8xn79nMR&UrNN$J(kXD)nTm5RNG6_E-Cqvn$e6V>iKrq&zL!{bWxwGd1&1_-1itC( znrGr~4a)4+(=>|G1EXndRkRCB`F)f6p{t#WEHr7Ynor z8#6I)!AI|yBg?5Xrx8q(a+t%w8n5bT!2R%+}e07rK5+;&Nc#vZFv6t@Z>^Rd7yXEQtU+eVHd>l8^}>T1uIwN(V{o zv`qe8W#DB58h0Y5nj$yN&1sxzZE*B84(DZ$zh3+a%pP+Q%lYYGF{AWjlc~L}$3xbQ ztO%(#I6moLcxgIRk1-QsBXP`Kznbkl^xb!{;+Z1q+2meXZ&7OKe*$DXi!Bo?BNL=S zsLKxJEI;y>zrJb08jLHC%#SM>%X^Y-VhtG^pgyu$M&C{3QpADuY8TMyGOevHe1)PE z<15-s!~U7nE7-pN%=Ozh{;u-s%brqN-Vwe(zAFTk)G!ysW9SQ;xA_xIStqDklYxX> zw>ZqkkK-r(q$5cPXddBy^icznhWTeLDz_|(h z^nVS8dQAu=ZV#1b5B19O;j|UpH*7`ddHO@X zqi$MU{h}#*cI7-X%I^-D>p7lM|5<|T<)3!a(#qk1-8;F)M}am$n|&dOP{XutYSpiV z;B|T1{w|js<@I@Pa}GE-D*M>_;_Y+yfZTZi%n|{Y!W{86o@trsw|&T8R_VROcR#6u zVtjk)-fn}2H=EXhA^NvFIZbcINhv6Hw(sk{?OAQ-)7fX|Z=g;$LoTgSqbaa+a8y%w%$%?LoTl0kPt|&S1rsg$1W^#9EM5d_22hZM?dTi z(xW;%7=Lf|EE#uRV&l}3ke9U0^;!9uk529A@7gBBO`#ISNLeTBSgZY}vw0lx` z8Dmc83G*n=1wIf4ptN?EFIdg}RGHGuzrlUhM#-rKE_!<3aMjrhJky_)=?Ub}eVvxS ztUs~yefkjQdSf(gdE^Z|Z#(j=> zn>Kp@GuLhLf#WE{wbN;;T5^%s`(9%jnLdovlNxdtye@|=Mv6^f_UiAq9RVt*;ot&)SndUH%c_Z_LIJo%vms8^a|zA8-6q73Lg)W z;-~ukqZ%{s^$T`E5%OBEql!iNPNT7wL{E*mD{7Gib3T`;V@oAFb<@{-suI;v$3G~^ zr={;)Na8PW=?ry9DYPNkv$1P9v!;2jrpv!w#wZUEHPV&Bwxm!H0v(#ZluW8*xL6cw zPM2L89Gc}EK3mcZ7xF-6IG!ksH1JyHX)CT*kUk@^XHde&Yh1U$mNVJXAV6(!+>_q{ z=4yqNqqX7SBQcH7W8)p&MKL2v%h<5kr8Id(p_J?4ObzQ6lWRx(>w*N7FL5>GmMn$l z`xD>*>dlvVx1eh5;D;k$^ChtmXvi z=Wbdv)o@E%NDks?nCn&{+tu)R!+Az&j6)EmToY_n(tk2GzQdy*^2(L!lKt^7my!1H z+x6T#ZNP0y5M8uhWo|7ej%nXw=y5FY%Yus#P z(Nj!C_s#4J`sKe^5Pq~m1*PnE4;D!Ek(Eud?~?CcU@PZn$}dy%;?%wyYSZiu(V>r;wzE zN5Rb)vVf>$;x33$90QZ*Cet-HN>{9rUGMDk`(j!gJFRe{D+(!n+u%9TrLH37>hz6DLP?IO?mhh50e8Hisj zCc5>N8U?%@+N}N# zMMU8j6!Omtj%~B?3GAt-d~eX7n*$XgJ+wQ|WBg%TLoE;ZWEPR~SU4fk1w#`{ zmM)??orlU`{Q}Omob*wvc`8P!v~(%%uni~wRlzVtr#54Cr7rrbM{>N&PR@-NaFVEr 
z_cf}+%%MO#7Seep9`}V#1Ou3!N512^{0rflEp*OV>SxHeKwQQ5p8G&Qd`TTCL!B;} z{x53u5|fU{v{?aoZP9U+8PWRL|2wSgGqwyn2azkNuuJm;60k4GdIkRQ94ZDKEk#|? zJtAEbB8n+7v1KuTHhZP5UtnS-B1A*7m%{g>`%C%hHoY|cOT6ok>#6ZAuI|>k8>@dIHb(d@}u76Y0)5@XxzHWFs z=&-)K>WKBbk@(AJ?46)ec#x;q!Fikvv319c!^t0JpFzxAENt%^NIIh z1KlmPqhYmEJEOfO#oD>OLBM(T%q^2?>G^>kv)gCry|L`0cz2>`V zH~2dhonVl0X84HFPSBpI16b>Z8SP~Y4CFXHp0>z4@fHLZ$GbGM&&KGB^|pZi$Zrb|z8n}0kJwA5+y zz_+~6KI9Y*oY_jEon5`p{rHR@y)l{wZ|@Yph^`M=rP#c*FUipmGy*{hDbmNICPqIooC-I;F7P| ziRY#3X%)}r2}RKRsO_GmmtoemkygFKYFru=vE*%Dw}&o&p<$=1zmlsaP|we0w#RyC zefRt%u>6`XM&N#u9d$A;&+l_`M6mgCP6>V#HGZ1S5(-&xF8M+g z4xZfsiS0(?K*A^`@eXuz(Fta2K2 z$q9J{`9MIVaJXVTL<71qg#P?*G3C4m9tPp4Pa>104gaqRow-{nA3*3l!XLCj1ONUg z)0y4t=ose>k?&FVxhBeb0?d(j`NnOs?l$gz&GAZgVgWX=6%Q4NlgT1>+oLa9Wen*e zC?t`N#+;~<(XfH`EC{b!E=@}mg77AlGv@ggc9NVcM0*tM&U~ba%7v{eR=kk>mPO_t z`hC2gJ)TV3x|^jm6iGqRvDCmbi%TK8^p_rPIFU39JN1$z`mO-9c3dvz57`(TkTVykK$@m?lk8J zzvl6k&x7>=K%ZR>m~Q^!u=~BZh3V6wAn_%fCgEn_i_o&IXoj9kejurin8kfU>T1@{ zEJyqROB3B~AG%TGI40fQ-pvx5wD@#Z9Q<1B#Y7QinlCSw6MqY%6Z-pag(6y8Lfsd> zFN}y+Jgsivsmi1_F<)|werV9$l&| zQ=dn$mPpjPPz>ero+Re^cZnbqF+?&O@6wt{_~NcCUoJ$$85f>LLOK9V;+dM03v(H2 z?k1T(g4;5OwkrhuPT9ws1s5ivQQIfiUr_|-flCu3hC_uFmx;?kp_39R8>mD)=FH+b zkdc~5ySAW&%0T*e#gcLdN*~Trl25Y+S|f$`(&ih&asJpSKcF*ZO zWXfk(&?KWsUX7l};XbM$m zD-}_zCeN>Sz6qg~ViD!tVB+syx|TC5`?%0gt_}9n@5i@n5;wAfM{*(ov>XsktpA_D z{C`=@_uvOVWvrK|dqQ_p@YNYs&SQ>Q_I~v1^cxDiD3p{4>@QykFfn)(ux;lD&ZUan zbB7%A zdRc_!@YTie#GF+E9G{mhx&=Wy^#mD>^)R5_re=WjcJ))IpF32x%Y~`>x%c`an#m-u z*Q-yrz;)-Afb^BqR{7oH3#gjFV-H4}@n5C@z)Q++2|vqmRnyD1Gs-q!~K(bfdso9jQC zPHCDC`q!f-y?`M0rS9u>uiLeW4G<`#$#&h*)}x(wvE}*pQvFm=P;0o$Yif$prhQMf zIH&HmaPkoNLce5A;C!P*smyuZ{BDzC;CPX#oZ|ixcSZPo$hag`)$Z+1o$kC!m;Pkn^rZ)vE4a+@W7It@9 zjvt`(0o>NbXbI|eq=zeNM=d&WV>Di|v-CdpjUUvjD{dps@*cIz^?nH?b=`3fb`?7I z95!!uewc3bPrKjpN)t36%#L^7J%<&Vm@z)(KF-|A@0{^s>S5U2EZmuhQnh1}AwPHul0bMD447N)hpgu`HP4Y()A;bU#$<^NqD1<1A<1J>SQermwK zl`sd&80xPB1j@lNnQxCT^4#e~+uLj*QQuZHHNXxSW#H-W`Mq(UexDa%by{~G1%lFA 
zP9`Yb`Eb2CvwRw5$)8f5?c3>pw{WEbzgjEgTL#E)i_c*IXMY{LIigux11rn8z65(z z9B?$$&Gpcl#9S1WO+v2(KpX$!oPkQ5lKoc!`@l*~MgN3bh`~xQ+@wfF!8S{Z7X@8Y z1Q~A}en^vNl1zldz=7}*J{<5sr(IP1!d57!4^1|285%;OHfgp1UA7&hw0IsPjwt(8 zmB(h0Wb4W=^GjkncvAT5dqF~tcYuw-KZ zib}PBq0eA4d8fRw1qRnT*#eilg`4?Ka$;PmH#hA5G>wj6{s2zg#L8MXh@02uCNO}n z0`jM#jW;(~@@;m6TAByqpQKDZ4fMKYp_XMyaDvvN3~9~2q-xo!eHIN56<3j1u1e~Z zbo}z;nEe+n#m=1&k3X?tHojO+n*9hk&M2h|yer~18hIf~pzRfLxm&=*N}2qO@3uFjBjR*=0= zdADs&99O6RF@lqcPgxPHo2wl4OXYgVvaOHoM{*SNg-FzhZ~%ksFZMKoc?UAhDu48G z3^Es-5OceE>aX1CC^YaJJuDQ^V&N5t=FRgs!p?CN$5`?yd}u7vJ{>y#<9|0yp?($a z{Tzu7D3cCBL@}qrPlDf(aGLd`OruX!?x=Qt|NM?k1f<7E-Vlmd|D1v5-4opU1J*2A zo80emll-W_5DtPiHy+J}Q}>dp zhJb51RT&5M;KuUv7LB3eepx6ht8L2q!BojaK#UY*o&s&l!w>zS^&RuYd9*6EhO5GC zJS;ngvP{ffh6)-k|Kgr&5Xryx&;5ZdX#=Y!alR@4Mw!W|dn}qyk@95GD(bF!yu-($ud!zR){@nz95DU+a{oj)o_sxASOe3*t#AQkf? zTq(Q=*?2l_a|G%ee$1GnCE|V)LWqRP@Je9TGErwFN5KNz+|#e3-ALH9ZzPgvt(GJN z#tXjVkfWAWBgr(Rv`NPgKa!eQ=*Y%3>FMhwAq=-)?}NE%IPUm)Dre2ZgU5wx_g9Uu zDV_Edu?tn%cW9aft8SwHlwE~7@>K02m5(DCcI(G>{G!VvN^{H5j6F%BaBoMvkL2h} z2}3?0e>?CjJm6?GF3o&6HL_N6Zj%tL6au!)2b;crOfXF&-u-t0&p{M_r)zF#dNmt!~RWPzty1l6VkLv@U+=-35Ut=dz5~WVngS}dikRLf_--(8em(gEswR)H7y?h3W9rle3S=2Jho#>TT0XW zfF_T0J;8S|mrWCcSLc8Q0bD{y zv$uZ8$4+nv(v{f}(IxJ|;_L|Pk=@5o7p`98LhqSoJA*Al{nN+r$38*@IA#|N*8cdf z_w9Z9-h6VE_6&B31SIW?BXCf5g1fl6$1plQ3w$?U?9Mq^M$r#w=tdTVYB2G}_K1K3 za%kp92?JHP+#itg)n9CCSVCmbmJEa`?c(S|NVfE^neVR%_xeb-P7De7TS(v-g2{+-hxGH$8+_r40Di3SKWW&)M!I~{9o z#@u_z#H^+;>)3Zv*dWj)BfKr_*0Ie$tkrqQb_SGZleHgD0)McMn4X*$cf`DP*ypiwh##uuj*kq-3}zb~I6hEL*w55TWWWgE7UO z#Xn56L86sQ=W9#6KFLv6R`Js5BuZ54@zP9qgY854EMJJ&q6{}=PY{Ajm*vy=Y zovRXb!6zk3at;^?@Z-P~xF4zE6Uk=}u?jQrU*acBq9ju|+P-0qm9(uz(|80=7ep@8 z!eSY5+-^{jD~VW_<9BN^km^;0xcpr}q&kSv5JD-E*Gl{Mw&N@^s&cY7IUEzO5uHr! 
z+IzS!XvfXeJFJZi9Nzg7JY=&$pA0WmyE{uxa1}{mZ1sb(;jchXNXvxSC{d~Upq`t- z?8R4h`wbGD7Wd?V2QsR!3{&Iy!uAyF#(!$;10&F-&3he4B~vKTfOtqD;tS+Mva5yp zrUZ?vfAz2*ya$M_B#VI%yUtd9kCM2Vf3b&o^bhzo zF1Ruy|Awqkoub0XPG_>fw2za3g%MFFwG``AQuIhP)o%GxWO<;FM&@L=oW@|UE}!W6 zhpA-YZ9*Y^K$vAgnt|&BND?gSj(%>;op}Pf zoAupcYY51(50mN!LP#*27pnVag`=mfeJFn%(=Xx%ufX3F2@qmFzC^`gZG+0PiFg^h zK+F4%+hs+zLIIU8O-j}*d!Ad9G@3RzwK~M2{gSi{QN#k`?{Zkb_+v8*;D3eqlb}yK z$tKYlm(-*lz$6BKjW=Z%N0*qJHRJ%gI@PGbu{1I#+`@zTI3p8V*I?PM-Wc?~x8 zP_5#b?R4c;tfec1$`w&53zuVobaB8pB2O6KNixj?j_m~2RLl)(DfDrzV5E!Ys~Hs$ zD=MCw=8W{L6wTquV_T;$lo-4N*1rUZp-jvolFi9{>B)VgLNTMbNip35)P8I zY741BHfa$SJbsZWo%v9}|CEpB$ZzdOTLZ6z-bEirR@gaZU=N3z@d<2MkPi*n=P$vOjDv+IC7QxYckgWmj6w`|Lz)njfOWto}@058CJ9!YW3`@#B4q zvGHL2F1u2rdO}mU&FLDr1%59;L3uyXTEaN$aGgsV7ht$>ct;m5*m&4Cq;;LvCiDg0 za^qgv-_QUmJ3AH(rEl%r<-4!Ptq4}S9OsdLZ@o6NQ=&9Hv1ZTd#=c5|?$`RHmF2YI#0<@w%L zYzkIgdylEE?w(4Zy_n@CsR!!GXOXo=RQrBy>(k7?d`zMA^`4$(v}JlapMCoBk%&2+ z1=t*%_Hk!zK1JE`CVM#iLK3Zg`r7J76?5S*8e%2T{)6tk{Z5qA#&sKG@1m*uxGX8B z<&d@#oJO}%s^jxed$;Sw(0S7ZdbqTCLT=*IR$5=123Ss`FvQz?fSWltPuXtL`g5|4 zV*n;|+AhGPT{q55J}$dGt1w<=m^Clr^689v2l$LEu`3;}_m2rN+ z_$!P~`)TJ+ML%QPVO`n%2rstj1$sn9e~UG-wci}lP#E&mnFVs-;)OVQTuWIJl-y+ z(^FNz)kElA6+qW#!{@9ZWm>B0{n2XavPSRi;y;rGI~{ON+G|d=#XIkVAl#T;_*T~| z;p~*izf7@T?eIRmuY_3N1@7LP?TkRv0asq0r3mpWw<3$+<@vsO@O98HLEK2624)eQ zOExzMC7=0pSpMaczfsYW`Tr9AAdAN0!}d$!=tQCluv<8mcE@e%W3HX+nEYJ4bNI zFA5rCR*3l?k^Gsm!dVTAB<~SP5;7B$wjX;OXr00?LeiGLsp1y-LoB{lbN8~GR3xHk z)-p#eLu+4bH4HgyuOAvHQ8g6GmTuJusnap$=z3y*A%=+73rdQE^a>NNB=_Q>RyFc- zq9{W*M$S|XWKx)UGz*=Qx=N|1mZc677A(0_yXJ{>*UF9eM4Zw^gn^M&P$`b&-&KSS z&5v(pXkC<(@Px1)`clrpkXFt#z2*KqG9I4!N3k<4<}Lq>DcTG4EI4Z8B^t%Te@^5n z9KVKZn2)C6>9_`n%Q1Y7%1jsLF-N7zQ}Xy*bQ_BAP#HYL@oE`BM?*ptH;O!HoSG=K zr`D|Un@PZC9NUU(-Wf zTS@pRs&g}R8t9|~2h;Py!uGO}My;^lA&M+nMYfH*LSc_((=NaVL*`zqB5TP2abEnz zTfEGq-d6kT%d(6+`7e8Ds2S{kmOR`8i7ZoQPC&*mWTtLh%@sWIsX9W1|+S@(Db7;FsLQ4T6-61>Y1ldiGINi7EoI3%Q}I zRM!wOsf1jjYgs$}F)I2zB4F285WjTO<2wWjD!^oaLE~ 
z0vpg`E7;Q~{RJ6@(W&$e>d89?WuFlx{X7CE*z1H4PDmer6_H23mA!#wx|hCjB+7uM zL4Yxcjq7l@*1$s^kKXGCWPHTD_YwGZjbx(Sx#%zr~xg%oX2 z6uW_F+BpSYM{4KCaS*F;uFzNjN6oQh6QocT?dFue)=Fb2spicn!$4hnm?WY(N|C1g z#IJ#T?loW&9v@-CL5a_o!SqLy?S^WN%3Y5&rYt1S7Ny$ay4 z%KY|m1cDJ&`W_HyPV?~X9p;r1EZhb05om}2pK1?9(X9f`*}}u_ejBo0==Pl`vEtIU zVFwpY@qEm6e~Vt(emosZsa&MbykFC7eM;7JXdIHQzhp_-FpKap)km!W>;Czmx!o1q zGzH$-y1%DI9O8l0E-STn1;H;p$D2zZ@470PP9bgU{J8X;gH|Ijm5V&(vxM`D+Mx3* zyRRD_FZuGx0$lb?=}RucfK6N+*o)8 zykESPm$vh{oI_7{H19z?H(~NTT{tIq0-^6>UTz+=LB}P1J0a%|vIo=6N+Gb?{Pz2s zl;D#tq$WY9V&yKk5tMc(*DafmBnZczHm7RAOR@Fvoc9&Y2>!Q`@eE@DD-Zw=-0c7Y z2>qe>0DPu#UK28sHb^zv>4FI*Vv{WDeh2La_!8ZKw*RG~*I$rD|PMd?;UI$TFi9+SuLr$}~kRX`&N$)ZPr z%8zu($^*(bZUL!VYy3Fub`iH39k(x7I`i1bIOh^JDK=QR(d5%sdy4~Mq}}^g(UEy% z5f6OK}V^QJ3_$ewX72JY9o30Wu>F&Aai9Tba zP^~=r5wXx*--CnCUw=WmNEKB!;j-uIhJ-3f+8(}f{c`f{?UBuapAm{|)3f?|E0cWM zAG~DT!Jq=0)P?qQM*QEXScB>m3o-0>ht6@A+5k3< z8Sfn@61c+t94(1bwHE2cWkBC_>DwF_MW=?$>)s!PV=+~h+M3q=u7^Ew)fgHj5iO%_ z6JLq!vn|oD@y(}}%UWK=cin-xUHKu#iIg%W5TBI$J9>->jhv@jzT4-(3~U~4zNt{{ z;PN{~HF*@*~g+&}W{}1CVl8g2b z^ljlDLndgml&@E|n<@7d*^m>A|8t+5r+hzq82nnqV@{NyWm-iiiUS4}3Z9n!HLV-# zq_8>16~5}H7FtMD4ob_Rkjf;E=hk;;6t|r7V3?n@jXL9SZi84utm({jG@{o?-r@61 zhX(kSzU>f`3xO&4MXITr%qtW%-(=63&C^v=JP`gOoA>1t;x54AejqI~7$@tNFS_h1 z!@I+BhOZENB&8Q(q+qYQ$Le(PR{mNffXIJMT$KZ3z=ZF$o6Z>qcz2(mLSVKX_*yW> zAHnfyv@9phC+F1?#gWealKZ_8OB8w zZIk9$9fvD{EedO6f~CtLBgLI8wl!gN;F+}ZRqb0q$f}d9pxl!iPGH;j+P6iE{Af+_ z;;3lR^Gal{4gT(9@WUuJS?QmOeN{u{p@<4fFS9g{hAtYeUK*>jZaeSxD6y`pHjTb? 
z+E=(&yUd@;B=%#QR3|XIz{%yngigkkzsItPy8~>`g$FDc4DkmV@D+$XfmogN`u0m0 zsO7_b+_;ZXlv$ahwiqxvQF1OSdz95{O_6TMQ^wbB4E%&8U6oTPlHc)IZOU#WX@bva zhp=lf!fE8Ky5u;cp5V(N2LAs7uK*OTu%TTkknq2Xtew#g(rTG3`8g& z`U<;#E%-cLgc&qtmPyZhCpi;MKhdiN0w zLG7#4ONX}m*Q>oAHHfnPOfjQ&o~lRk|1 z9c(YW^}W+qQ}X?$1^Mpk-oWkQ{LN2`>;2!a&~_aYVVVX$=l3PMeeQ!<)3!VO#(6{$ zE%{sb$;&5>t`j(U5ea;^KXJItyUK{Jf9rbP++Y9$%iG^toDQpf^xD1a7uwpr_SbFG z1x9@>ZqbG$4L~vg%lVi5A^41|UzY}xX~CxcS_?@f>D`R}zP-POM+!P^R0Mrra_}bd z6RurO-!xrbwtf%kUkKYef9ygVO*UH=(0CvVKD{CUSv`GY)IAJTIKJF{m24+F?gmX`9|%n;M?sy4S&mM8CJC&v$cyr$heE=LvHK+b!3mx+jjk zKK%@Yku%FgeS_Vn*MQZ&y2qjQx97Im=T+VPf3L&S&jLE1GY&BXz={Ryo`8UV6`FZ? zmV!>_lPys(hfj+==acl$+mp9^w$o!r47ay@9TWf3@`$=N1Z)lgw>l=P#{X8B6n1nB z?gQBr&;|8Q=FnDkL8-rFwQrISpZ(d|1}`5nZD-c@+j(y`?nYAbfe&7m!Ub(W!FbT_ z08nu6t8R;DwEs|$0@<->xBHz)Dz?H4pRO=C52>#cv2N=ntFS|X6;x#}zCp-8Ht^mxJ~!a{dvv)GGx z{z>xN4gaN=wDGIqwTK`}4NroKgrXJ)Yukj*chzZ4 zO`FYfTn&v%2E|t25n`tTM!qPy83iU0^4KX>_InC@mA?D$eGr|tRJ4eTXM$?C811ck zky(gCU^J}aQfT!Pz@m8wtk`f$+dipn%j1twbz#V>S^X|$?KuxMEt&nFQrGSI&}j?q z#w`dk)m7Bq4bNaw{-kT)t}cBENH zUTMl47m)5{$?M2ec?#g6@%)6a16HPOZXfeA=YhP&lNI67&Ne zL&wdpp4t)>hQ_fA`m$AduRSaK3Me^Tzv4`*qo?rAcD;2|{2n%&Bed|EbN&+96lHvr zjqq>pPsPSr%VkKCGqh6Pmp0JGL748eXIo z6L~JYqGrP7)?_5$Wy8datUrsaFeT}Uy?+?eOK`+0vRX%4*xUpwg3%SZHn?B2m);j1OtTG(|l7^RU{FL71nTY~t}}__w-l*#? 
zkVvQ{#>=zplkN^+v}&P8tVaFGbw|BA>P0xviBL<^UJ}ulPrm)?io{UsjxRatWr?Hj zWK#?jeKY3Y zzY7;rndP`q=>8!|%WzAalFGMedoTQ3QO<;#NTL)Qtumw(zATLRl-kEUu`zC@*-|%- zEq2u!=+kVYaLA@u6e(ATd<{FoqI&yEhTTFt{zC~T{hPEMx?dtycRQwyi;gNq-MG}a z2KOoJ@$Ve08g`k>|JA(zNB#c1#dm_2{KBgt(^nurg2P3isi5z}I>-w&SkXUs?iLiq zv?utNb3VWcHG9S`Q>Z@{l-tC9my#FNv*Y!A!>N!-51PsO#n^OfEo5E;Iji+Ht=c$N zT(J9cc?tLKwI5sOxZg|hOC{{KVGF;`XTVjr|F(W^!|ugZgYW5T%UMt)czN02{N6CP zM;AI55Ms%+^$_;9FgdB|aKV3n_N8_<&FW~j|9N5Jxy^kDHDBo@d6|&!@n^m@GrnFl zF!V^OS@nD5%<%<27dxwew!F2pe5dLUViTH%|t961Go$0(efp%--e& zyPulpfK|QErLqLR7hYXHkNJNnA^Y-p?I^%=FW#HRr^#pY7dzjD2N-$)E}Nvm@p#OR zz^f)_f8+F(p)RKZy9u`4GK%Hk)mE1yZpK#o1nKgS>*Uf&fA=O~($lAeE>Yv_pe|A8 zR#8Kd;>_Z$p#1>9+eP~zkI#OzhafSk4 zM~0U|ulRA}f3qB$9=7aUdmk0GZj~<)Z5_OCJ+}m|!%VY8J8kzmlgTjv=NeaoRgLba z)&jj&kj8@nm;caAO^9g9wvWQ@OFEX}X8Uh>_n~9tx7sI=^Ct+U02FTW<$3(lrQ2cy z#sbi-xJdilzw~CbZl^(uTw+U*x#&&*hvKI;kj(GnQ!+@*M_AQ`0MpLzE2C2j8??`7 zYgOSr`18#bkhJg@%)31F$y|e~XVG%u&*xU?Xmy>5=w7qKHe;6(Loi0wqN4koN5{8^ zAcLBiA`DWgx{}+7NNE#{udB z5uRRWHM0p55$d>y@t=i1hJQvme3=8mDwR# zjt`H~ICbLX4<7mF?q_m^J!`a=mcRuzBQrhMGP7yAxu?uFJ!G~!WlH_Hk>Ie{7M}8Q zGHH1aT~Fy*;^6NbRd9KDu>iZc;~>OT=rrfBL<$Jx4?Y4T?OrykEYr{fydOKp|16p# zEWC7QZ78D?;!5?1DzyyHDdI>YI)dm~gt{>*uCu~P+eZmncO80)<&db^<}=(1*m_$f z(2kgIka>n&*70+R~RDKPVbG6wq~W`VPJP4g%z?K>v7-w7Qp-o>P1 z*wgOB91?$KJpWdHH7IdxR9nQsG0rQr$Ox_2hvfo8Nh?<%St*KT)LLlUt2pO@Aj#QW{jJ!WO2>Mb@eO!BZy=#fwrCkm3@-{H`01U#aqQt`2ULMk30l z-DhnMXTD4?C%sd~W=YP)D1j7;exB$VaVKkFn9 zUAZQIG`E}Ms~Y;~)L6D!4WYcI=1Ax~O~RuhNX`A{^?C>x9%LIt_@i)9h8$O-rV6%h z$*~MsZB|pX##0bA3M%7hXsMpM&0%+@OjI5`4{>Skf}FEy8u<6J>k)Pciu+~7nSh6H zC$4~syC{$oz5116fo9V8)8jrQTVz?3%ERyVNRDv#d(#u1ZL6J(5zHFt|GGdsQn3RTOrr!QYRIC_W+uS8$Q=-CAok_yjCy$bg zT1>g=E{S#DO_5EdHHI#APw=9fRY`P+y|LO%wwqaul}3~2y6_OH808W4$_&gF;`vnK z%>Rw4S4~KT{WH#m0E>6QuL7M#pzE34-Z|(u=sU553A4y|!=q2m$AYhj9q3mS@CqZu zQDbz_*Io6Lw(N~Gz1KliKsY1DLr&!-f%j0HV5k4Q?yg&hXH>do&%a9h02;klBXHgO zlaF-mt&iz%WB#|jbXeQ&YJ002mjnI!ua|U|j=dkBX;uF&xCJ+X8@czFC4qS9`sa@w 
z0>4ka0jcg8)_G1>C#Siua~>5$py4>z72Vqix|e4kZoi?)+bh6o!7VVO43qz$l8mrl zN5Evp4p@A8tMhR+=D6+K_sE-R&Q-Sv7Q#GDisCSuIcr1|*mdbpo~(#077jP_rSAd2qqBKq-?q-m8Ka8-MXC3tXtOxXE!GPyYG*SYd- z3Fnvo-JdUl9awV_aXVu}5U@&uQs*&coFVW)`|ficc*?}@G(8mXewMKN`Gss3d0%XL zmHe)-Z0w)dEQxwP<2423>jTCQux7OV;;1??R=PbxuFRvRR8S=F9Jp_-yZu=zoE7cl}6}jQogKRbdA;DL?%Y zISy_^)~B1)?}QV$yq5ffq@dl}bnH0W^-S~L=O@s48g;9u_S5@yNwh)lKM{2Lu5t9D&B;b&;mfNgksCVU>d zRj2p?CvO>Qj;k89H|@)$83Ld^f`(eZQ_DI~!XYT28)*5ZXav~&=bZXSBLs*$0?jW3 zP(iI4GytDzlrhM3C3x^f!BqWc2cw9s2SMoy4SN>N2GB9Zf|SVTg*Lh89b{SZrkV*8 z>ujYaVILX)%(1TGLo*OPZzO?}M(NRaLU5+${-s)rbo^>nup3kBzs%v8)yTfjL{bsr z!f~fb6~oqZK*qOKJA2_JES6j^iiwBp!$mx3{2?3W%O3%+lUl(}nUsLutMaoEUfdm= ziUg@Pom7T`nM9r7kGZnI-*zhTIfsZU>ru%k$kk>MLVJ_(TEwRmITXCrH<>GD6Vhog zBwi|S0}8P&l4W_WEcyiMQk~Z2a-BcbMO(>@-X&D~Rve8s)576^W8fDQ(J7TF=RHPOq?&h&!6!X8(;sX>yh`n)B@JE|2tN8rzfUf? zfsL`SXlb0C=>p7bHkF!z^>W;k=9WLj5jAJYbiPzOT8{FcR0uPoEz@?l-MW>snI*$3 zJ~~V~gNUl;lDWf=DqiZ`dpjp42nIi06PIR$hNfwy;NGrdF9qLb6cJgXoD4qGjMJ#l zq`g2QgKi!wC29``oU6u@>&ii=W=X>@^~(WJdJ0cW7d|7t+Xk{^WZo4xwt(oT{&R9A zsh0^99I?n}W>|M&hjjXQ67H@oOU370Xl&;g;4a->z|Wa&8>gR7M5@tj4hgz7wxhQS z5r(+w_>Pv|gFB8xhKcRbQqCGKy&2Z+E`pOlQKN9^EjQn~$}y45jckl%(U@9;z_{H& z3VXaHl}G)=HHq3tlGx%K9kl7tX3G&_#-UuJVM19?;T#gfYqBs|!GqHyG#;s(yf2q$ zFRc)O`W898UYt3?FJxt&<0e8mq)>Z8JlAgRgFMV*Fz53t;7(|`b?|I zRL$XNxs!K}Wd>giOwvP$y=y>%$DVzE-DA5+q=7;O>Lp;U2gPcv%2jz_39MN3tQQ5l zk-TOBT05OVH{FbV5>vg|e7)IDHhl}K=$p$qzZ+~~=#I~AFPir)J4q@SN$9}Cz~Koc z;tOk#;{aBOut#)?&tk&TdyT6qFT8Eo65S{CVaBSf>hWC`zc<;lD} z$tvT~q8#{&sunUTZ8QGS1`@t_s;~ZAck3^#qqr+etc%iiMH}ViDq=zqmpwKmt5v16v9|gZGLF2&mV2%MDZ5yx0~b@EQF?F`An#uP_K}54P2+wEo^`)?}vVj$OWLsw;qS?cgUl@Yw(k2d6ccwiKFN- zdiXoe^~0C+UvG^-$rs z{mj**W(pWJY01~0?lVfcm-*6;hN%`G4BuZBQ23L(p0@?e}}tu8t$ zqoHyp;In@Hv=xS9a_4OnV0r8QRC|&WXSk5|FvI0b^i)SyM!)vkk6fXj8oT3kcNgw3a*C*EL!+j@V@X6|1QXm2Nf>xZ40gW9hDi0Vu)Fe=4i zPlA(?h0n8Mv3+NV_j`EqWJp17??1y6!;6b=fRgy$y+_4a-^Z54oA=i=#g4wZt_4V# z@>8r;-}ejhwa?4_o83e--jD091rJ%B^@KvP6W$yQXHU1da0|NYGfshY2>=cz#T25_VPek?xpOV%;xRn-Q 
zM#-<$#ES*MeLWV6(p-uICF7t>giK8JMB?1W+>@j1$Rt?=43ox`?Df*ke76vvOv0?l zArfuT-&hysg7~JQ87$~g+q7Wzb*PW24vi-#U58ZKYb#`xc~LIa0$W6V5G&rz8=zbP zN5r?8Kc_$D!Kg1Wf*nYolGBIkI#umxn&zSoGCPb!YA{qBplOkYxP)1?;5`5?Z3|eX z0u5$e&wpRgScRydiq6)x)a2Fd5{*^!oQN;&_%qsRrJ?r8v|F6Ef?LkbvSZf~MWn(w z&Nd)q<6nQ^Lz*Cjv!A{j0df2=g!P!=#i~gQuXqu z2oZgL-GP0F?Lug>pRBA?Z;16T8)Rh$_a6AvWN;;LdBn=vMYKS&e(7SZy_)4}Le;Hz$S$!fIt;kFP3jHg|2gqe$rn~Xn{xl@`EdzY)7%VJ~5 zMKgs8zk?3sfRPf>Fm(42Rqzr_@WQu(Tr&1FRp5omS*~6ec_J^8j38&IvUZpKu65X{t z_Sg)G(IQ)qcb8%UF>lfVo%(KZVfh)^JtWjv; ztSm8ywD|~A2$?-E=95}3uTZMj>}uB1P#LjXdrA{SJ`2`55-s5)Sm~Prk-W*hx&s$K z76ML~XY~M7XaRm-8y>+ZV-=x6q0EC*>S}O@Z4!#(2Lo zm=`m-p0dVF=4x55X?Gt31>4Qd!fZ{10xd9ejwsosX(m&i4&%ZDN#)@}sOA7(HWq*A z0H0}_T126+t+Y~i1^wG2czorV1eMBYV~ty?fB8}6vUkJ)l>+(k7L*)@lVQblyEJ8( zv!7L}u6_Tsk-x}!=|qXi52@iuZXB{QVcGF8l~}sBbnF?f+1Q7v{~NI&eC8lyK`~I) zIp`lCw&8u2q2Wyz@BxSbOX3ER?s47`UHu0?gMZ=YkVV1o`R^KUf-v->22MNrzV2c2 z7Iht#&vP}PpY7>-k9meKzvlft4)tRQoZo#vqd$7Rw;UyX81Ft#nr8bE_Gaw2gd0F7 zi|$OF`v(Q}oggo&j+O8E*r4bALQ(!({ROggZLb6r%`%vT`iB8?M}MIKC>yZ%0E+1yW*LC0}o_kHq=dRq|JNWG`pO>kI z9mCJq6c4Z4r9}h1y~a_T$^N^eo{ycUlnzBLqr-^we7{5M)q;SXdMrM`Rz-n9!1ke| zL9^IfuKkSw8FWDZgXGGmq=#UiO9+FaVbZOgYgTN!Bi~2isGqpo>5#|PHUG;>;`aOV zFV0JY-aWGd$%Zw%T}~$NP>Ek3nY_omPX)3Dlh-Z>#t~a?*B3cEfUQ~z6wkXgA3^j< zn5Kj+pDQl}JK)@+p#FYR1usIr&))kBqw~@D=8^_*uXXnn?0zbyfXlLmV3v;mz5M}4 z+2`Mvsp<{yc|Zc?27{n?$MSCQVHPxQk_Cu3dCypgaRlr&a2kTPOm6|Q?p3`SyN}8G zDY|-~hqM6yNAViKMd^WINbildnD+4~yT*>=q&UxI{*T^4#@{!z0dH5DEv+edimZLT zv+)|*@ggQ+R>!|farN7J+FZv_iRx)y#cyY&r#w0_`xQ~VTLeDugSQ;2AK-nbOq}|* z<%(SgUlFl4Af^LQ|7Jkn0tg1e@&NS03d8{65O@83%RWIDGy?rtKBv;{Kzd+&n!fCZ zbG-(ce!hN=;rR8DRPhiOWLbi$W@11_BP&V`gT0i8i5r#bG7xZU6xCsNk`8KT_`+B; zcE#*)^=M9c5GrCOzve`m6-ZH9Tn03Tb!@j#kEAK-hg%b!hLD+AADr9=;Bv7jm2)-5 z`*x-g?bAy`%YQOjg>v(QxMItu<$48fboW9DHyMgebmeOH8=(rbGD$I>42a~|%5#WG zcQe>23kt|}Y6(e7bAPUJVK;FRs#^0AlX@J`NxOLam$$^Mum-KcyM+COAu*6-Jeibd z5u7mAGeVJH#YX&q#E_Kc4zbbj*+PTjC)-cYpKfo)-*J}`w*%AG9~l-lB^@SKq`}oC z{Xmq;;2{qB7{WD=*Woe5={{H1uD|eZUcentDKmBvZ@LB12DBvSl9{uXA 
zGA~F+6lP$>5q+w(>tR?O@m&fzYdrlt>EkCR_!}i=|-8iAw8E;5$R!UX5lh}*>qj;3ZW(4UQ#7GXy1g{ zjy51v9gGz=T(HJ{S5mysvP45(tctWm4bq%VbkqKt%e^VXrL6+ad}4bvnIExw?PD|k zGCox`A*Q%U`_M>qq_S`(mGl^jU7NACO1YU7zVMG|hmrM_QiH##=*d!KrC@6MO)^#b zk;W~{9taC6Zp^}X%Z@D_nVD!NFkJz#P0HyO^I5$kL@l7HNwZ(jb} zi9+zX>teGD_eLgI`lL3BlF&kTB9dVA$T0H|I&>-z?>%n~_T}SNVI6E%la}w9?u1Cx z)XQKz9+B!jCZg?AM)*z7QtEaSt1%E;gH-P9H!450U};Tx=Ph%?OD7Il^sb#5anmo# zvQHpM>O5jYVX~(Amg+IM8yRVj6*ywzYne0uzUAJGkR>oYdnz4Xlv&U}p?!I)WlTJ_ zilbST@J5up@Y_`Lk>k!e^lYNTvPD?okF$}AhjoMYV|{8fnVu+`ZafBUAVYE@kF7lk zz$0h|?g)a6*74QfSV0kEudxsAz(c=t!CKknlN-S-?%n`=ry0?4s3))6f`%3%Lfq^? zTNImaD~++-Ou5X))Q%qVs+G zHSQ`Zg}*i;jJ#HHj2PlkXhDSHKhfe9urQS6Ow_u~>4KzO{7e3@F>DAi1QS91p0BqA zbEmepH&=^bD}mrobyBf+-&US?jvz!#t00o`%+`#y0@KLOT&*~M^o)%5REm-fI$Umn zWtJ&_JW+Bhi6^1#j!Q(8OthrDe}uy62&4bOl7$QbFTD1BL%6>Nul;OAXWUm=T9aSU z8oU~xoCI?G%^1OEqJ)oZdTllqF!g^U7Q|x&F%*ypg#3?uOmtWSe0Zj%iwgh)h9tv+ z@6(*+Jc0%TB7vg8E`1Zb9A8$_dnpt>SzPngjv!{W6qo*YV5e{4m3p!MP0yHPGkMxg&wQwZ{XSqeCmuchGdU z>&LvOEwF!Q$FTI@p99Id*1*n{wu~)*{5$`i{>ST0#-2Otm%7fCDn~**hR<=8oL-;d z264-@+ogc^i`@2kBtf4yId7MBcS)wK-P^Pn!R@yuBmw{Za{zLWzf{%lS0vaK9je0#(vu?(0uY~ZrhHI(j8D&;1kYs zwRr8bSK>~h{m&ZfM`@Oag(>&<05D)9^iEMQTHn)9bCWGI7 z19Po-683i6OBZl#%c18s_rB<#;oxsiqjx#|pb<8qm_oNIck(qO2HlbUKxp@1%N-nnCXq5n=8fuA73)FF?*bh4j=FLXjHxqW`<|;

O0U#SJ-SRxp;s7O_fFY*UKg<%>75;%y6f>+;{5bTLSSj?A#zr?|3$NS7JTeMV-2;bBtp09t=Kn8aWu}|KcY@JJETsQm|`9?m#iz;XvlDwKn>Yhqn|Xd_pOhF z5Kl6*JH8(h<=}#m9iwg)McbPh;nhhiggepiuLV<6&DmAtsl>!%c6PDyy46UDW}MZ= zs3qMu^62mQluClx*mcL#kE{12H((oQDf^6kGLw^L&z3v?CNVt@Gi5$^uFA6ryVJ1)Lr2G~!r=eja1&5zjm_8KVIrC|w9cn$4!%3ybX=mAW&= zvfPlF;Grk*JBA)JWVadvST&cO+YsT#k`O|Roq$cN=QK{6k9|Lq{3kP2St9ZcB9$;X z#&MsCDP!`WzPC}638U;$pfW{zkujl$B=h`H*kI!(os<+f{RnAg0y@w7Us^PGa@ksD zWvNM;zeyU5>|!%`vAqse-}cy1aE{?mgb0PAimpPSuc5_%pfxq+TEo}Q;X^z8K*Wx| zhHhnohaNs7UB^Ha8CfiWl}Z&)qI55jvi))XCmNk2CNv-P1#?|opFbtH1Vgo$E0epj zJ`0!tFu=RFSw4Brukui@a}Zf-7rd7FJ$WUhS!Ej)p~gx`Y*dhTFM;v+U#e06Xa%aI zXbYRlNvbrv4VzLoo_gaiEuTz*%!!v^VYNr7>AX$6V@>^!ub+s|w;*v|bB5ipv({6^ zgu;@)b;r+@i4E|Bx@@t~4gU3=-M zE?9+tCVBknhn189nOQ2On?gE|1zC>VW}KB7MBYFZv;bqr1@bvJN0P%EC7}hi375-Q z>cO1pPXv#u;Nb7_LwI6Rx)dW?lpp6Fl~U^@iSw%MSyJ=vMb+v&b-ukCX9G`0Yl@c! zaN)dN*pHIs8RlfWHSMF)JZB4-3RT8QvQ(Snh=H4hYgY1G^`8Y#yYvE^KwOaYY2Rak zid>TGQ^C3T!z}P&cjYT6tc!SS)i{aHD=c`TRC^aOr%pOqX1H5hMlMi>2*GBDn8aD4 zo55`Fr&>$N@9GPj%E(7(C`JoAgB$HCw;G!J@_Ff@H?Db$VGqb#W&rpcm3l!{ypIR6 zNVHeU!LMGPnymFAjfTox3}dbZ`Ef{`6_F%~x%QPKYzZ6oYs!t{o(-@_sy9sCc8s~? 
z%>#0U$J}%?%?JnNpH2S$nG9wamU<_=CbXIV+G#MxmP*4y-SU?4ShQ~;xZ_80DCOeu z5|^tv5%lS%;+bh@Q~Aml*>ffo-+P!xe9N%^?#|*^icTi60y(G z6Y#iGfEweNEpUT+A1FxZd4rmu|Lvyzl&b6$^K;vI)~^sBBxK#9u9>kK%jD%+rW!#< z)G|fz$1{PB!y8ec-)CwM`eW_s#K(PT{^%Oq>!=!mzuRn=E{v(QSJgqmg>DU#>1a%%C>^EZ-Gu{?$;w$TCzekGonL3S^ z_nF=U#tD7?saEWg;`h7@41Qfy_$`x7G3|1-G<}XFr2ckAkOdx;RWM=V_1uEa5U}`L zig`EnZ-&)>bsYmlnFP;sp9y;${IWfweYjdqzS=tk`yRg_Z=GSp$TjEhWy6Eq5y36{ zmNt%!d!$dN{HD5=YG~V^);Q#je_qaXD8`03&-}>gw z8$C`%6!0-R%jgeSx9^m1(OlL2Mc{mdyy>**C8+P!B{~I3@$`hTiUR815k-OYQ6Dbx z(8=uJ#j8K%f0?S8V_{+_?uQ^x|2PVd_tm;TPw@~unah*8WXx`=Qf%GZLOM&^ecHUnJqS^1oARqj!#*%>%y%N zm}&?D%R;?s$P3|U#XHs>c&MpT8rUiBRn=Njl-pv|@b;^z-u89kEDRLjV%j7r4s*-s znH6K(8ptayGBCK>XjN`mdsS{sX6o*UYD*BQjA;1v z>2-GNr_R48bvbg_Yy5jp$wQ-bj-WB?TYopMia!kT9fd0(gaXu-|6Q#>oi(1bD*jZ3 z>&{P8%`@A&WasLebAJGsP_i?|s$x77;G0497x~2fKt`l@d%gaQ z7!Nw8OiA%6URbdTA^&g^3KEraM5o!wP5mnMOr(kasoNGbauQoS5ez9-t(CYW=>&nD zPSdAT*m6;59MVfX6F#yuTxoegy_&*+$y5et&HeXk(z7p%-O!Z1$mog@ip$L1|6McC zzdx?5t2uAg$OKduLA)CqAj_B@!3Gzzm1ZSKV|k+h*@kBc zLCH%?uwj40U?(}nQ1`W1DU< zL53yGuGf8JHOh>+s=bX{a(gC3l57+uoP(;-W|%3pdbzI>-)t1k=rtSZ zo6>95BWiIZ!NG(_qSL3<T-I*&@-PZehz;7v;DMO;$9MoFdl*#c{E#hp3>5 z1#-jJ?UniVq6~`{rJaaGi9`cRb#UTcAfaU_MeY{=?J$j5j@T`=bCI;3|J z;E5-mNs=ekPy-hb@c{L3NHqQ`69}l%Sx{LLu36tz-~rtSDhzzdPNXh6?A^C)%F;BL z>!G2U5=xU=`a;xbT{;yk>GS2$7b6zM3{OA1bI!8YyG_{P8V&G}MXAK)Sidz1+^E+{Qcna15laa36gE!4CSHRRMgJ9})Q6J~sw>|rd#9;lxw2BZWmZS_0jc)_}f zsbAf02g&nu$ufRg>bS~5vaBw_Acf!X8BDksi$!4 zBgOO=OH3Q9QO}PR)z!X_olyyH*!ZEWZ#`;4*i~({t`_$QNd)^YFuKrUWkS^STM#9e zO5`yuRvT?N!P68;s?*a>W~D^_q>Bcpd~^GY#io>XvMXu%l3?LRt=D=T~Qqa^V@a2W|OV!;Zd^!^m z1Ot&2p@*k@hw_8`uZ+&ffPRn>ajYT=>>%^m*XE_b6KsF^^Oq=S1li!~Q=2pPmsgnf zQ{2OhY#$E3&%aN{y#5)_m=>7*W+|`hnt1L*GEkOl@bOpgpq|UNrR6Qmjt8qVh!){M z7vx^Eo9q2K*z=>G*Q@nZhm+n_#yDzzVa&hzsAx~pC*AGia1@7U@8m(>#A zQ|f!`Ma0L;02U?d223+x}`+VOj5mz-Z*7?>hniVi2&zR`a_D0RM&-pj&_K ze^Hl#HkeID_Nf3kt=KTB=-uwM%`i9Ie%%^vDR|GA*4d9teU0kf6X5(j4_gFgd*2EM z)B9x; 
zdK(0A0`|Hge;M4zFVH;bzgV3lg&1H~tOQM_VuZZ*fuK`yA`Aag4Ij*RYg-gGh=!^|El&AxtDpkdaj#Z z4Eg(ISnTgxT`o*Y3Op{fBRKj$B6kXabSmtdCec<6TDI3W@$bj-ZaOPm=gDjNdQVl~ zV(1hB?@hm2J2DI(eV)C83SAepLNg=8+MxYhL0Pt-0-_So)OuoQSSLTfnuP(Nf*%E#GCx77 zj>%O%fYPJ~T}KYqyDtm<&3mF$D?X=l*&ZFbuCFXIOAn9I)UBJ5<)O}*nxiOLp^FlZ zLoF9dQa)BDRm&D?$wi?~BL+c%hZny!wkcl-(ik1OJUkw+4>|5fOku6d@+`8mzt-_l zsj9TX`;jL^S231^5LyXLQdZNpa9|rA9G;4fc{Yx*y2({IR1o{JN}nX6Bq3B=bE|SI z!%hRaRH7-RZ$HamAnJCcBp^{TEb8#9VlZ%48$G==Mhn>^^nCCSz9>coR$`3j5!gIk z9_Cm|7E2O_L@;+Fcn@kI<_t|%sofEU#;_T#eM=RpF*d#q^R@#zc_}gfo!uXzXVjFb zfkY_f<5viI^-DOkzbktu9ghWs5y+6qbW(4D*XwWHre&Rs5zL8UkMPmju_|&}aX-b0 zG}Suo#JiHXE;ay-a?#P*&^E{>D-x#Wk*LnmZZyHuZ|I718r^cK4-><6=-<1dd{7-! zJXpmjaA_#jmznnT@uZjR3)#-dG%BJup||m%RTRjOoQ6{~!})J6b2pMz|3Ntphrk=3 zLlYXcF(b&3;YxnhGNs!<8OfrSXVfO?%0AbOdLG!miy^Cu&YxFYUIYf}&NXJkwH*~+ z{8A6Ie`%?zw9de7^Josru^u?FFWDb<3JXdR+mSTsGLVW({Bh%woO8cN&B7{HLWqi+ zH<@gweXYqRvG_7z%>G9&4{FXc`O#BBN(j(MhM}Scf6#q6|4R?VV7AW3{h5tE`IVdz zC8+boDW9L*0@;`V0rwiNYQ#Du$wXj7N$jxI)7Veg31zC&-Q#%W8WLx}SFSjXr|Hor zC1eQT&$l{%3M1s^SVFHuY1gE?EW7bSu=Z_@O!>+?Ef`tPl@t#)^4zR?He8;qF&EhX zEh|ztN->yTaayZ38d9(&Z(&W=9L_BzaE+NDSdTzNKLP*k7h-Q>Zk2!qL*u5>djUEElrrkw%MSbttmB1 zye&8UnmdV){xHu0fhEODR9V#~;i7Vyg%V;Y*p8j5j*qde|7+DUVoco?kl*dD1k{Xd zf0x3nMl*nofonoDzmSSG8_R>b%5eLqZRv#3l!6;3MR@6=L2PE$V4W!C?Uth)qAN?<`oz()aqD$IW*VBm{exit^; zVR(h=T!rBL`e)H??s3TR{znINJ$RX*Vvasw4ln#Jhk7(Rx3QOP_-|as^`!u$14NSe z4hw(>UETK*`A3I3B}#(^Xcxo7B^JTHYM8+;u#b!~l4Z~Ru_GWgjAuGiEX9tN(T z4Gw2p9&Qaiu0`mSrZ#r2?ag|JC66`=Dn(7wy*Bv2(p{~mdai}>z^8ylQy<(Hnwd$lQgz%+jbh;wv&nN%$z*ebKduSS)b zdC>cz#%0jI60=V5>geUxuukJ^wOVy9I7q{NICg#J7kyJl*Ay;Zw)g%xjqg_WThtNv z)oa64=lvcnvPUVvujRCSiU?GH<|y9TvOSw&XRP-`rLw)Z@1zPbEo!zsrt2)zc(UjA zaYTNb=j?@2A^4?`sh~Aux2T$E)b*EymPw&7P+43zF~HSAwqGA9+rGO-}%lw(Q+7b=b; zXDT_O^9$%|{75h1yQxjhHR>HTuJ5o^=F0Qn6{`0Ao0&euRMNY@ss#jcAj9L>Omx_Y zD6j1U^H%imDW=T??HEcfBa2eji}`%=fPHFzKxdpI$MY{W?nHM0x9abfQ{Z`|rx!Za z4RM*-{+}Kjgsw><5M{2yU)bFhtLK8c_0Cjvt+RmOuuYNQ!?)*LZi6hJ@}{VQhZgUL%d*8i-3ZlOaOK+<(-IDMSA0b>3uK%i%dPwyHBS?V 
z-`FIu{daBtWKJMtVkRm*6HKr4dEDM_SJ;MC4dCkNh!<|p~eCZdF+{L0UxY8E$ z^;(;r%{mC@=m>}CD|Su7lcl$Q8WO(++ne~9(>m68-n7k3&AfiaWc-WiD5H>T9yI+eg{*p5pdHq?Z>P{JD_OoP zsR$i%0zU^E36rJu%lRbc!n}Ka9He81a*7b_IIa@YS~X>({8Xod?l9HKlsU!Lz>P)8 z#?{nG*K)@y8e;QkWt~&Jv_oy z-*3ifCYQ#puY210A)LmZ5av#!50PHtHGd^TA&x#+g2qx&FbT{&2kpxSG)IOb;3h$u zPkJz>Ms_2-_G;(*;^n=mmXtH;s;9mEb3f2J9yYPV?n`=sS;IWMZ)q{uShLnNOm z2vrC^@H)=?R%2bXF(`nJ&vs4~`c}hoYO9uoek$RbDVP<~TrO{{&9)n^%Pqs?ExrcTbKfj#1B6!fZegRi3p-?iv<LsJ!~zx7zd3Um zeOh%h*oLY|`OgT5TJZ+Puwf_YERmNK!vlpu7Ggt+R<*d&Utw@@qGu?0y0YoWAZSQs zu*X=+OBF;k`TG9_ASq`?9_ntK$n>HPHH{0BET%#f;V7j4e|bfT;p{l(A9yFSK6>iu zNx4~k&&i5iQu{c5n*yi#mWw-JOU7NZpMV1b{_~?uXoo<7xP_Kca9iugInEOipvL9Z z@Jjdo@^zTko(?c5L|fT-gIlvO^`Zm5kpB8|LRvR8i9%RmSkM&cL|m}tJSDs&Ca>n! zy}PP;#{Np-mfWw=;!?B^c0BgP(_vmS2d-)b?!T;`)HLfnG+(bGXAE-Lx= zWh^r!hi$Dm3!6SH(*Z2X^gv8^3tr;eb>>(4n(2TgV9fU0S%{fk!{%TN+jT~qxSRLc z^DBVoR_-RbN$$=5vB7x}{N+85pyPv~ zp1$id(WOPd$-8{^yK6$LXJv0EB)=iaYsgI7gvaaC?*I;0uh{ZxZ&}yfucci29GLFU=k1doBx-k-xC>Ty{%8cG45BTe&^aWjVbH<7K&BdBJpZc8BN~bPti!5`A%# z+c;&<@+r-+a~U#Z&rvY{*j=X7bKc#q1|RIalfRRu@U|aPWN5c-%zCNN@mjZh7q$9*A7EU`^+=7uOGZx#=}5y?edi6pk|y{klH(qSrM_ctG;8h`F1dN{Vs!al6mT z>S|irI;UR{DtTOfwnnrbZU8tgznrXi*Hq9RhD5#{F4Jh; zy)8dPBIGX=2NkgfZ;^4TeWjaba~7)Jmv6Tc*VRR<=V%3w{SokNM0sKQnsWA_} z#l{uu*_#j46cp!JMJQD&k2s|T?#(zscGl2Dh~KlRI}p=RmaLGcs)wcP6_J$L(5|nI z*sKKfhJVXbl|7)zoMu1aAE)RN9$$+OMV+d@_1fQ`w~T{FpM=SczN(^J+#=54$fh{x zv&JNf$yS&LrR9yQ>IaM*eTUnF60@eX_i7JMIMf}(NhX6CDUi*t@)JaJ&~jA#iUWur zN035DCsg#Qonqc>Y0ZRLki5(8ZyFsQ9A=;2ZrtRDsE`HRkY(u&&);_4bI0BEI6d&wRK&H^o5OicB9$WNUnsf3EU%=Q#DI>cZ2+6KNVnWZl z&|nmMV82F?0Yu-DXXO|cDlerHEnO^ye?f=$Dpp$N1_oxB`a2skSd%d*u}zd3dMK6= z(?W8SASCH4P}{X8GDy8$)&h%zvs9^VnOxb?zV}NZn9ef>Lq&PRC1-}u84~B|6gd5y zhC#jb9{vCbshFaT$$YfX-vPQ^xvya|z|3~@liP^qx~DydlxaT>P+DYz{f6CtZ>SRY zH_@)X&IqC5v{|t;{YYo!ls$Oeue(4WOQBq%&llmJ7*~-Qla)5RuLSg7SkGXu^?T{zEFWJ*J@mnn!$jSER8IC8C3CfZULX| z7`3jPmUmth7o3*s*AkN#!yeAEVVyL)2dd7Enj%r3{1i=7RW`VQNPn`XKgh&X2tONy 
znEmcl42kc*>1&9Fz)~A)mTs1N0>#KoxJ%D*i1Tj^O?S}W85aj5{cRt=U4OUVcSLm=K>^#-~!(7 z$jJ;8+6Yxv4tKWU^QEX7G1)s?2+aGFPIimtG;s(+v zJarRy1p{fD-(jC0L6O$AXPOCh&e;oC_x^7QL|(ICocZ|PXV5Z`!zzt|BHzx+6k%6S(+(d}>ySp5t*O|Qvn zI5{N(O@bHc0JWH0CmYO<9A-hg6n2C3^sl2iZK7s5XVPl;9-!5?ZSTy_$pLLQlQ*cU zz_)1#6_1~bIHi5Z?@m>V>t?{DAtr)t>phzE0?SNIt<_?Zxl)=Aho@^ZewDOYSHB9+ z-FS7%hyKE4-B2EEv)Ivmn4;i2cB z0*8BA%rzT6!~67EzC-&RwzY(fhrTfcJ%e`DoMsRkXf1xGX>U9|N9GC4m!3}({N3J3 zu2zOA$8H|?u}^^d9n#$>FPo&*gZ-SZFhR($Z(&}Y-N%wxrghuAXoM~IMQ#6_>@GUS z!eI#8ZsF-CecuBw?}q7Kp3|&|8s#3!L+D~?Vy;~7RNmL=tzBm;YIJMA@1(fdKbpH%R}aPSLUd^sY0_$ihdVvNL- ziv5r#m1ZGvGvWE3f@g5)0&L#1vnB#|U2AKG*wyL|Ciuswh=Gqb?7m8A)^Rb95>CuX&hhu(pWRjJ0 z7qhTf^)zVE1N#oS5sAqa;_BZYt%PXBOuUG-Bv_Lx7>)&9Sp~nKaV^@$$W*MtGEre7 zlxI&oF#oBph_~QFi?gQ8Ga^288VMb=hc}8e{YE38K@)K-9W?`$_{Z3r8!RbYguhif zGH>>PdJoNv3vsBL)xI*->=0qwR2JLI1xhuwB2yjr2+psU`a>kkWtq1s@kO`&a!1vY z#Twm#wW5#`Hm*1}4mT2gpwXpv4L{O_GOb{2q?fusR`dxN``ZM!-+b4fh1y<@9&($!h07M8C=R=Nb zAGP0{gT+U}8jTWzbm|rUM}-vPa=11}l4O_UO078PzZ8EuInSO)q6T?JlhS?}MP-$J zfO6g_Aa5fv@I1Ls6+}bvLc_|3b1kbtqD2pvJjDG);(sc4tHM}7Rz8nc!2yIMw-I5H zsFeeT(}$kNo+;Unm-&8{*gmerxo)}v(A66A`vzdAe66mNe zH5}i(s(zIBq7)2M39j}Z5W|of^$CRvu|%!a>aiGhnuUj^H;K~q@h0pCia?EGi3gxF z>^Nw^_wm>6#+Yv8CF!#vb368(;PACSarTQ&a3VPuN&~@$U$3wHk>YovP;wT=#M=)z zg~Jo1Z*RV4hB61JSlH?@qI=D~Fk(A}UA7$x5x-b26TfcnG38N~{Po3*afGDe5&?m0 z-H3Xl6PEXS4g9}~ga}{?$)3QKvJ?B+j5Zr%jMtk;CJrQ5MYb;t0ni(&6r>E~9C+mG{(D;_z>1BH9el)ewMmP83e1GRA7Y8%s!7js& zQX3c4Gy1|0-T>R|9)TI+R*3#7&l)7yFSJBq!kQ*3Qp2?ut2v?+Pw$sOGneI(S1IFC z`V&LAHIyR{xsH9_H1uj}mMTk|wpovH!XXQ96p}1co2^Aj;2)cmBnay>W-KSDWXZFV zf2rgAK^wwCSDZ(MSzs78NUl=b*_;|PREknaHW%3Hnfo(4jxJcCSxPSOCmH*&tXb*j zQ^lkxP!3QirOW6~%0`n!k(YbbaA$C4fr2vPS}i~LwMBpWf}Y@JoNoE^ptL_eNZ9CLfi#jyuOBcoI19i|C;5?@J1csV0|RKBrAX<#IrnGR?H0ej z2HMs5h`MEY<-G29(`MmlKhJO4o?kX^7fg4C+2U5G`yL-`JNwdfKiw(u`}B6a+?)Ac z7jTRawN81!H@Cfv4JQy)6L;6odfJ%`P}*%*h7ss#lB?t)`$Bp>Dj5j1rJmKIKh-9I-wtzqr>j*E_YQ;RcSZ6 zXV#UITNf~I-3^<;2bCrGLQFt z=JRaYRh94Kq{>Me*6}3QO@MUG>uy&@7IkOSEv44B{kd_x_H7W6&F%FhO3T!=+4<{4 
z4%1l{`_+~P(X`L$tVf34wKFi!ZUJ!eJlw{L9MsiEn<4bvjz^Geyj`_i zt+z*4`Lb5E;^1{z$J;u3;76IF6{~TzyZ5U0TjOmsX?*KZ_#eO}rz&hMaz9xxMdz%t zKWh6I;Gn?C)V6V8G(-2NcROetBxQG=paouJ&Gx-=HrYB#sqt3#VrThesq6>UA$LAK z;^A?=S8M4ZY&gwWsL?+xoXPXIpISB~5jnX`rafSG-pz(- zO7Z@?uiZAWJ4v1S@FJ`%Mp3LLnX&sddRFF)lh0m8vD7)=xu z4RZ_gHuRO?YxsTsR=7pj#vCeOzi*yJzY%eSd1kR!BY$eBHHiw15#3l+nkOL8oRy>K zu+E?+VV>YCUJFm73d*-mygLVBX~tlF{9->L(>b9!L-P<~yD|hr(J1xOaoa9BL~7#! zVN>y8ohkUFUWvyac?XeumNcan#Ze}|0=|Tribvy-#}Cbiu0WQQ+m>V$u12GaHF*!H zUoQC5A)G>nh+=BvtG%}W&1E$zRVkIqF+cdSQJN~6=GVk@DDq=KE|Vo|LQ+xlG2usC z&C)KU;&=h8mBN^(hP;~=Y@T^2jwm9RcXK4fULhak+u_uAWer2?F-oOX9Lk=}$%HWO5uvUlL@DX5T4k;hWAGs1$>~S#U`e20?k~ zKRU3k-d)Egc95k5i#q};ZD^5VXb+KA{KUhCRs`x+g8kx^`isi-k?uApI7;^X2@e{e z@+;5Ec%k`$XD~<&DitkcP8uJ7~^2}Qr za?#yWTCNj?x5iVo@HT{yS#gc)I~PbiQEk&|81wv)!G`=MXqIm}VyGB?Bf_;?r_sfd z{Ck7OuQF~j5TkVMZ2Y&%GB=WLz2irDzmv9y!X(?@W|aqjT()GP92KN}sfnAUi7!8CaQ@B53oI7lWDA(2 zSLJ;drADmri;$2JM5$(=Vor@r$0k(I*0SHjN5c?6qC1hw9L$FZP`%~Z35NBrz{U7` z1{;kk;Mkntmf(YXC$2^IXELzW=^fzVHqwOe*7Z0t<7U2G~N@YP&Noj*%pMW@joPiQZ z`QYm_$9m}6^W)54;T)TPSCE$}2JIl(0;;!#Bz;&LB@2qJT)mrX&RaimkSNz=l-fo(ZpIWWGXS-T-4G^5@+}E^gX&pH+yhBMRqQ9e z`riogy;usgQ*7pb$hC3|E_^SHf(bkvI?~r%q9_BLlLUuD!o-i0p{)rqvNvOTNaTWa>-PfNj!t`=DlSXBYp`gWY|=|zc?)1`VKO*8)~=)id^R~^0hP{{`+ovn5wL*M`t=c# z*$sZO8Nm8D9=fAH?Dhf+GNuYpp_9hd?DDVhe}-1me**>VQ3*05ME;1_;}_p(>UqBY z%c{%oy9nwg`UFhIudG{{C-}%~okd?X%VxgZ{|SjqUfrGOsLANLc$?D+tTYeED2)ayIz_MgLlMeJVFycjC0_p+TBLk?f9(H zs&p4)enfLQl=XBmuyf!FMsL|q-c9N0=D=*kY%6p|>kbBIUu->H+v%oveRSd>wO_ts zT$yYGPG$~ObstI#Q+9f#J?0X*bE_v?)P{aP}@kaN?6*8A0OH7*6Vg-Fq zfF0}8exK4EJ@4I9M>gPXe|FYM^?h&`fVUa=yJvZ@Z}mvE#s|8J!Rcl6FvYeZF@~q7 zUtWIWbrQ#IDzolh&aLuwpm@5s|eaO=* z$AeiOd|h5d)Ve#p`3j#R*Q|4j{9pxWn>H24x2|?PjI=SE?RaEgiSE8mI+i;)t#l|C ztNgujl>KfV-Qzy}An$#Ea#a6#<7Vf1)^;=C-xe^OCAzxk>se zo>_Z9z^{31__*2BoKhDBb{^J?6p!9^Jfp3K(BrX8I+Z3GGOLE!ZUSY{N2^v7$aR8x zhuxCxd?xrz|1GA_y_g(>x9`AiXZ+ajgD?CG_n)azo!DOj6HC!Zm6+dtAsfV_6@- zLnf^<&p4PH>o1yJK`Pk2cKO$k4~D$eAQ0QQGC*}?_k@A{@0!gFt$zGCTTvwFmL4| 
zX_G7ia_#{H{X|JhCRTQtJ2|F{bJHe7O@T|!kTkwHDCw%dfUEii=PNUg$#@jf)MrHI z;#d&rztnO?ms&zC8#86g09(D(oqk2O^QX#A^+OAesMzXplVMJ+X$D|o<-F9?{qJS@ z7~vM4a}EJWns9=ScstbvSjrM&r`R**4-z>G?;t6CmZ4UkfeW>7z}*!!S|0hvUdDBm zZ|M;!hyf76gEG@Qp;SXS;uX$wq7jVZWBD862Lsb$l~GxrCA!PA;IH@BI`DRT%ySy} zy5K4Y{AqWtC&JXC92r4Sy@OekjqJt$L$k(bn}<_{4RPKk@mrrD2l`|mg%kt zcZ-GwKa1I6C22(Jt3#_LaT2p|l{JN|pNM9ef2o@o$Epi)KKzgZy5+tU`L&KLE+sjs zF_(Hk?$CqolB)IZuO;Pa*pyD8Vl?@X#!9L^EU@|INCE!q^rft|T#Z>|TF@|Pzl1qo zzR;giL&sZHDKgs7kQ&H{Ca07iG{r67`w^QTGLFO{RHw?gA3BhW@0atAjJ-6kPaJ!) z7|e~L(k$-KtQaRU76Ks`MiPWe2x^TApcDIS{o~sru^;)Ka^e#I^^}9P9-P3ltA)*> zpa8ZP!+a#~i#$QSSv;g?>v@IZl}mqW!b492Ju8HcwbGa|e}?il6#gF!RmL$QOn5E1 z!~rA1OjxDukO2gt&iK%!Zc5$_)LKgLmhF~>C^|(fD2N>fQL-71U1}ku_@}0Y#cGES zKUijyi!mcaM+_P?R!q{rjQpw2v5ea29f@d`k!3(zX4c$d8y3kwBfF=Hk*DyHLM2aB zlR`|dNLu@&r1&1ki~~>6yBI<6tz`x^i!l!=#t(6daP3v$V936PQwnGkNZrbs&!7UF z_n7-}`jKe-gNy&W$y_dMF4vNZ0(BS8P|Mn4VL=p|*Z+S4#`)}x zyVYNjS$)7)>!I|o(|1c7KA2G8JnYC~hj22#CZ^Spcp7Oe4 z+}d0_775!73$UW&#-FM?E}90Q8uq6!b26Wf-3sLC^}LFXb39IdS)^o)<#cnswcUy{ zFY(&l-`Y9#bllv$FatC^j0&<`w~ShMpd0R^UZ*+xhcDNytL|)dO(Izz)6VEq8~&lL zZ+DMhV3ET&3B#FfJ65{y;=S}}yFBq8AFXNW@@>3L9TRGOnI0u{opVUJa30-V?|Od@ zv)Xjk`2fAqYx^w0O<`OcF^5}a`c6#)0P{e47c<|?&EpU?y~iEdr<^<7`(etx@yCDs zr-UfRbbM#;HcRffac<^xE`fCmIa#zVd{-%eXZQ6M)kOA>B>SUBE!!styfxr#%Hzs? 
z9r;tIThQdzxZY#QD1lwkGI5HINwVWn)e7$VhO_2X9gidwvQhOpY4lcgn=exRI4V?bLTrNG znYmID#gpQ;&8JNnV&ACmaT8qgVJK)xh<=z0mL0-XiLh;pA9RaQWEAl!Od5+9luks8 zEQVOn;81wXpVVb4o?CrbCSjwLtK-Ym3RyR`S6RlM8Q<-vuNYAzS4ZJN2)Lpe6fD#Z ziIrtdTc|jPHo;~x><}ONn-992MXp)@^UuL~KKf!cd!Ng8-{qSy6D4A&41+7oBDoZ0 z&_B9VZvM|YP_v^_9IB_hjc#y{CkTD4bbzeBec!mvIwEDhPW=SQx-%I$?t84Lzd8$e zcZ4gRUe&uPYCy6_fK5{){2<|jE2cTaHA;datgPh=TBN7GMex{|NwZ3nQq|1BjpPnw z8gW>LeKXU6OQ?yV_D?ULwED?JG%HNu)=ov6yQM&RnGZh#o>ic`2>0Z}sZq!Izh)?C zwndW=cidZ?8Nvd8G)fu=jo-pwxm0o)W`obO^VE$R?A8S9Ssf^HFV&o0B@(YiqJR4R z<=01vmM9kv!bSvohb+A*qZFHzG65eVEGn{wBXIGk`%0@G(gO_BgiEz6F~cEq#@2q$ z>~M3+R<0c8Zy;6~7AWKj$v@bH?tI87Soi)59P#wUu+&m6&$~;~#Ld=7{@ z!I}hn)L%0~CzYCI(zQ4!4{=##5*O&%L#tl~K2sYjDe#c^6WfJ{80UEzk;x%fu}i!= zcIKF@B}M&kxi#i+9lA-8Wf;UYpnj^EH9}aZhIvztkEWS2Nd3^|5^LC;E7c>U9h@4# z72*vyE9OHIfSW`>aD5XiEp2iPt`uNcWh;tb-~W{fH<}l)3@4FF_6Jg}R4YBE&OcRB ziYbQ(PJ#qVq{)$6uHq<{k&2aqCDTT$iDvmXMIy*gVJ#ctlpv@!6b?Qr-LvZOb!9+m zN4I@z+;aySl1Ess@y^IZsN?=@J{VhhD9*+siAXeDAJdsGQ3gCZk z^1+8!?pnMat%6hqgW5Y@zh8(U^W|*Ru}z0S%Y$aNJU|oaZ{h9;7QAoU8t~o&BaQ51 zZH9_dkcpdYM2;p7XTds`l?~&kk|3$fNGaWSS&Z4#^iwP}la_cZa_GF_e=DiLdQ}`; zsRDIaybmEtSw?b%(_J}CVlkE_!tXBlW9Z*Gip$9Y4|nrcl1F+II-J|MF*_zj`efB8 z$|{$zq^qxl^1oMXT5}4D2}m_NaxGl#$R$!yq{iNdw4ns;`_CoS(P^Kpy`T=p<>^|X zXBu?b))h)A*C(zC4Zs?p3NY|Oo3D8kXPN!4fEu8Rs0|(NiQuyT+Xlaz{eu$++kmgO z01S{O-|i8cag^KY841v1n;Fm0~U6qV2mzM@wW7G!t1;Hj%K&c*Z>4p6(x6^h8<69#&De<%$Xi%H~wQ~r-I@0d6Hfpt-!$> zz^cBV+A8U;b$P7qkONUkUQL2b`iZV?2db@d+;4wb!Jid$*z$S}!^`=&+T49Ps(jD$1j=Vdwwgf z=QFI6Qw@IIeWLRzOz8xK5oE+{bUut$=rvAw=AbXVKX00V7&OYbz50i5R@ZepCm&Ki zkqBC+T9jZ4yKKT~o`aX1ftvT%jeC@J`=f7A&8(JZ?#ASloJ>JG*7= zTy(vvX7?Y+dlbPM7v*osv^t%%aXQCp)836LM>j>$8X=x1oKhNYgY3x~7G93P0QUEf zcX->^$?iL_doMx9wC9Z8i3+x1iNnS_j{RJR!oF` zx9nB)d(?DuUFENfr3HY_S_5)8+gsqfkE^7sUAuhlY0k7i*2q%T02kv^;GSdf)e7L6 zegd5KdiY;&`Z~wA4{P>aZJ|D*20ZXbI*W#NvJ6-5z@-pzuPE>m^dd+{Fy%dR64d#0(RrD2WNRajj3Q5td*7EYE3*Z z!Y`G=(s;ue1hXPZ-uk)MAHqt8p_I&0xTS6t^)rmJp2iX08O&m?U#(3N)0bUOAXQ4S 
z1|vs~W&`8CxYP=K??UGtsFw%?))!q1LiEDcDE^!$@7R>G%tjcxU@Xe`j+-18h;}fd ze$G$}i%M!}h){^cgi=?ZH;&JTAZ6Y?1H&c7eKnjg*81lMLbD<|19$o}XVl&Vt}$7k zFUyILg^kPsP40+^rgQg(O&nk5KwV_~=jG6o)28ShQ8T^gsBXw3>G}n57JBL3K-v$c zOSQ;|meii(L2xAB3}aU_OzHJkW%2rprU3Pyh{txSSnQ$r?WjhBd8)=*U3JMt>*#ST zV7#_u-`Ij#?5WI}uYVl_hV#il=tCLFJcWx@`8}I9`i=p#p{OPHc(cS^`&f};W(&$B z@Wh=YOSKACCyxeO{*U0e9SrHDbc&Np+pnWo%N_+Q2p$!junCc|NH`-k`=BZ8`?>GQ zc2ATB$qf0049RD5KMj_+H_Un9U{*xVpQVBt;TejYAc$dH3f0*3`Qe7^t&wi^hbCR0 z4cJbH)T8d&_p4bSb}{pcGjQ?*Rf)qx^`>6Cf>j*T^)YuIApeN1qbGb39KB4@D2HTs z4Er3jO_=fah_!w0&a8zi9RfjipU&&^+c7_U)5d#00MimA&wEQIGq!}P)Ct&j-uf&LdD1%n^zvO2=~Ehk+wkg2%1g}YcTW`Suj2=Vu@rr#BsCKqe; zWMAuS37msJqvL7rKD4k;Y-I^;zgUGS6HVwDZ~Pf+7+r!r3hoo6LWnc$1k~?N)@EF6 zoX7h zOOUM5H?r0bhEtA_(e# zRXq8VZOy8U=7>UF6E{d#@J(qvA!Gb+?&>J1L<3ZbRcU5*%8bKkSrR<%)IG(QWG1*1 z4rShJz-y06k@H){JLO#)_+THp;RMuA;V9s=;K%>w^)w)o#n^C*Hn_ePHa4duO#Iz#_;x}8%d1~%!1@ozGbbD-R(%3m*&+T^jme#P`&>v) zo=kb!I7>Be4ygk|A^P5yZ_~nsfpS3br%J^h)RetKk&FWsMOl7E9$CM{fi^D$4MBf^ z3#WLSHvGa~sW28q&zMZShv?69!Q%7)6?p3MKTTQZ#*6@b5gu(6&(oF30+MOuGc-?a zdG-$7;;+pCOd7xXzKn5>1|Oa}=Nh0I36d6X_y1FlutP|gG=-03>>Q;ADu)aW8C#}a zaudJ}t!uKAKa>uze8|jC|DOPSb6G^`l0nS8;9adS`q!BHImTn}Cs2S9f^h!#8=RbX zz(>eC7FZAq3j7Z^O$duWj5P?D`t!(pRbaFX)^OfaH4AJ|G!@RZbF8J3MJa0o6%;vtAZgZ}Y>ooL`0^S+@eZ(;gDXo2E zb2DR+!S@oR01sc6hIm(=mLEqa~<6r%aOvaroMWbvS^YZ@A%W#kaCoe|@Gd zAumf1Imi8dcV*d6+RV|mdz*M1@9w^@@%4J%3g8rn!=iut=?k`jF^%yCMfq%2Jj(-1 zuGV&Y5B@9zqzLYhKiy|fjCZxe0=ZVz-%}Zt*UJP}Lwb56lv-z-4bwv#1vlNuJpf6@ z4WBGp_6;%c>g5*w6wl30!65-*_xa1=l{+XN@dT&hqR#6IxQP5bDtPj6Fby~c*Vi7g zpYn@e+Ji1WV%WAXqbYBi=njs-%LYA$rQ?aL^UFGnR*fGpM4QR)cmkOp<0V(?SO1BDeG;#i|M7C`vRTD6xq4jgmo&=8r|`L-M}_3P3~dZ>-?{0^a`~oJ1i_1&h09NC z$8O(dW?`P6*>JXdFL5KUdg+4aLVDroGhf%)A6SXB`8%cy#8F--qtzd})TX$0PA-m6 z%dqq$t)8~QB`(RIE7sOkIds-_qmB(n`1h`3{Ez-cxWLu%Eawpr@=tDlmVLFWsdG@` zIG^YAl#~4GQ5k28w)bR0ip&JwSViUzPkHvzPWSmc*b4-Xe(TAbe*<(^JiEP%+cKx$ ze%uiir3w^VDr!?p-F$k_|EasE-2hO5To;Iqrm3~;DYvc`Wb~gr$mZ&Pg`mNGia&{e 
zyuS$~l2~zS2CC(A0Q-XZR47aC>gEWW{#4JOjRB2Q`@}_)NOpUBPdYb<($1O7mw+Fze3 z_AX5KOQ5}+VhIgFQ@Ze&?bzu)XL3-wdp;ynus?lZJ~x{D+h|D<5rtrEf(2 zkPh8%NQex*ffxSKI0Q9yWY+7tSqhITRhn6s48LB?Epz3!+M@km@Rp*sGdnPX7=wKV zN@(83B4jVYDKKmOOy57TipIEue|0RcedMdsNLyeni;2Yo6a76s?UYL?Ws4@$I44tl z>J)L5#fo(EWla5QrH5TOO-9w@M;ELtq|4s;f)GA&PIx;?MIIS81wve81>T|SX*4Ro zPq6vXQOh&RjUm64KEY5hIuk^h;C@(^W2pW36PvM-D<|dXG&hiEz?4xf`s|LnkBXjD z=*eo{>?6sn5{XX+Vf}Y))lkPo_D>w7?stmXngfNBQdLie*?q;J3Dlo+tRV^3l)Wc% zj5!iom+FCiVzDT1U$Eqcf>|z*IR8@99+FL_=oBuffGnVDFp{ zGlS#|!1Hw91b7tjpQJK2o_bw6GzcZhD2B#&7zr|x=0BPoT6f|kYP6?ICkbaB7zZC; z80br?=+HS;BrO)D5OdBNM91ZfsGGGS;OeTFT$pm;3lwX(6wR~eY0iH@2||5oLlq-2 zCZ9(gW#g)*?*Akc6e#A&x~0PYZE{!K5t8WJMxl(m{f7)RxA3 z*sCQ(#n3687u*JlihT7NhL*2-8HH7!#Ee*tcmIL{YFyDL+s9m z_Qw$W(2)Ij=dsnYG1L|Y@01`ES=|#qb!&_L>WIPzh<4aTh(`k391y8 zq^=!%ajzS~$=>!KSbTo`9LEFmOa1IVN4@*m>z4Cs%f0k}l+zjV9!VXC6&b7Rm(3gPpV-Wur?IUH9!EuR;mb6j_D#lhI;Mr& zXfk0WM^^`QvEReh&A95m9b@b6{18P%thQ6Mc(Xf5>*@C4SrtK~t>=3b`CvLdxOqQ1 ze2IMNx-Mv6m# zlXoQ@or6yotxeF!|tI>&TV@b5AnDWKP&nM0kT*pPOmeq7^x=hUI!BMX{qA=*9( zv=mqPx4?3(t0$lq*LBLjW^RIqFSgsRQC|HowCB1Y*_Yx)-#HCXr(R9>;~bCYTte3z z(lY2F6fv6ruo!FlefRHF2@G-8zTFGj{M*Qe<%bcBzWX4?3)}TfC)U^JPYC&z*&C@H z*Co{BxpXt&reu24<(RE+?C$D)C#gY?`(-6#D=mY-B-+r|+qS;;HR6s4uT#$E=2=XO zn!W2~<9E<M^-%BIgM1kjl+#HsBXA;LM2j=xJG-Wa!%yGEsoJ}k#+#+pyvRE@eH-T(l z|1>0)2bjih604c`aD+Z!L$Xq&g{xO=1~nlpL&w{EE2qVbd0e)kM!?d729DV4VQwv^r~nkSm``M=ijd*O+h)jMYF~V35ph-ck~6atc7fex zQ9|e`ko1yhtTn^V>#nE}cZ*`@xrAvyCXDAJXaj=htAA>LF*anruFM{49QT-GGln11 zpS2kFHTZkn0GV0+s3}?7j~%|bxEc8GAp>V*H=$YSCb07yA}BcjtM_1tM5923hG^n9 zSaa(i_$e@hB91cSnw)fKj{~(q4t|sw5T)d|j|}sLYc@$K5PE+9!_+qhR~EHPPi$-A znb@{9u_v}|8xz~MZQ~>p+qSKVea@G+?)~n)RlEAf{<*96>gx6M)6K6{FA<_r!FpUR zKs8!X(deu6LHVp1NoWqF9>QA_GAXl%@VgegeV+MJw;iuxU)Rka#6*i$MRq7eer^UA z1JKdxMrsK0@OgLmCAk-i7@xJ8XU;6!h!Z{u*MTV{>Zy^Aa7Nai9Rfc@Gp2;s-pZk= zEF_&&yQPy#3QNnT&~KU%ajcNpy1BCtg_@BlRaw9_yXf9KEz=N0Sooce5SPyf#eBb& zV<;#=R-!{`^2NVJ=iWLM=OWMb&?K`K4@4cgU?r2TMVAzk6at7U@m~K*al~77u+Dws 
z%ZbQR6LqBYO@aBDLQR8|u|nE%t<1w^g_Y&dVwJvD%WBm5ijMJMOT;er>*mOF#Z^lP zwPVO9Q$1MT&H!IGt7c`N<@}+hc`|L`OnCXyifZM&n3o{;mmEjs20umG6g)@nRMr!! zq?bxwBsk&CT;96^nJJ$Bk>J}2@V5eD}F2%+Xs0a)EY$J`hG*?a7U&8=+k$}Wzy zc(W!*c~l4&BC^VvsY;)(Vo2qn7a0V}h8&4F2p&QrSD+abS3^}% zrtGAd^M5VRmM5=q@X4j8L-YRiXYc+y;y!c!3;-MUqpoLS^da2P{_lquFDRdkz@RUe zmFPa3l)?AgHH4Sv&yyAVq_F9pdo}3Ildxxi2YsvW&18eeVeXB9;QPvBM_l$p6tQlj z61nT4o9a=Kb)60UXM~^Y-9ZlL78+hx)}}AW=jlKp3;)vZD(u3?>w*#4N#FmXPeHxY z;1P%84Wf$QLG_(+gP`?YstTCkN$&NWng#TNZX1dIO#LpA3PabI3_3TKWFt9#T8%!H_<#ll1JrH`=sPTNZXZ?QO_WRa4^d)RJa=aY= z1W;HE0nx|QU zx!jbu{Z6x8&({qDM1tDqfLEAOl_Q~MVF#{-ydu0i^`*3_R)*m;= zG{=9iAdWG-0OH@<7~>V-IZlt)%JXi1Tkn2`U*0?aUiqEEZfbMl1h0*-ccr>)*nNtM zuLXpCLoJcx{NxXKbMxr4(r(Q=GV4AA*#iD+s*5uKv>*I$+jE}c=|e=Fg?#h(_Zbxc z^aQS7$}p47X2|DUJ<>nj(60nM}d*tNsW^as#r1fP4BI zZi$iUf=LQ{33LsOXn9tAaRCw47;}h9D8a>`qs+o+h5xBl5SbFE*AIrQE1z)E^a6@N z6Fg@wm8?b4uAQSThCK_1Qax(7U!yY0Xj`_Z=f%oPVq_=ZV@wt6hhz?75RK?iV*Fjv z`Jh650j5T>lx9?5ZnhAVZgQ&Bff;LH7vDePA{lqsse9h`BgJ@3tyP~zf@zYPJ0_$+ z%?VL8lwx<)bi2F_lBp^N`d5EE?Lhlk3|%gsv9Um1zkD+E!ct;7BhSxVnE>+gA1Ove zxbKkCRP6a0&bUaI*0|&Mg&H{cui51z|B6+G9f@xLVoyH;$j(bIf}vtu7D(oh=M$p} zR|4Q=u^Hxk};p&$q`t!gSw(jxQF4r(^B*vG!$VMSw&D1;*qbTTdUIAb$(8hAu$33;Sc0MXrjEzKpEbEFQHe~`j35E%3=cxW3HZvePWSXL-H30hBtl`dgsyd&qO!YdUr8ln-K zFl>pSJBLLZ2sMa{^$HbIg}EI~P@5Xb+ob=GH~%XTwvg!9Z^9H>lkDhU37RaLYUr6@ z&1L7SN>r%XtHvgEr;useAm&4fsg*pj!v zH)Pb7`1rq-zpU4U*$dyDuzh1nhqjMfg?e>AyLTNKhO_Dl6#a$^t~56WjW3_UfNeY2cIkY8`l&TeP(4gPLn)YhR-(+NDkM)k)+I2P17=S2KYA5 zgUEf`jUJkR@0V=P#bs9`g9FdLmCut0BRjXl*Y;C(Hcqb?VbxFD*%B{Pg9}Xxe^5W~ zs_0mZW0ErP8G!fWf*an`YrMcm1ZwzlcmWKL__5yY}J&?^Jk%A;(o!7G_uiInf zT%p%vLoTbPX*tpTqsCS5tq(tr>*=%1EZx4Q{h9f$ikE;>&@SgT$ku*SV}3^CUw+Hp z&lSS%ap?)UrBfWn22~i~t^=q&hq31v`LH9b!5s&7+DY&e@bo~-d!3_yvc{Wh@AvNx zNjvxP!W@O~p|T8NB(J0CbrIQ_gLaG4`eMAvTff%sRn4=cNgu%N>HvC#Q25wzg4t=` znP#lvh^x-KgJiq-uc7TwEokFw@@h~0AH#A`%FhqLJ+X>i3tS16Z!3z~&ySNYKJ_8~ zgh|r`HW^{7Yxo&{mI0W6qRnh&BYTOoDVG&IM*ZOYfZ2j!v;^miq}mxZEE0xf)@tH% 
zzYUv4?qWKouZSWQc`W*t02-uqcb5n!!UClcTv+HqKdjc@@Y1o`N2^gt%(GS*=O#>4 z^FQekwFsm-Y^5vbhJoflh@ zeT$(|%ObI@AY7h~r|u3Yv%X_Os_NEVfGu0GP0p#%qMJx@;!Cwc*3S9y=RsgAf3lNS zX&|40-K95P=sZG<^zRF-ymYNrr5eUoGjtij3bI@gT=5oolLc@9*H$J~D(#n~yP(Hoa4FCoW)HaY6iWB45jHAEJZAtFSYV zzjCZst7nxZ4e+3TP^QzY9`BJwx5C0;70sh@k!u{m!$O>1iRO!EtW>E~L_HIev5wAA z@&0=k|AU>xWS*m2YS7)9&-jsv^uqb$$HHxq7>=qJJDsU`hK3YGHsqS0f`x*ZC^Cup zzNjWcD0fUOX_2)^O?N6}j)O_yP&@$^LI?6mItBF}v#jK=p)qhf{HJqv`*iCD$MUx! zW>sSG+}AG}#V`D1d&knI1KDq}e%ONod;Nh;iW5_UALfR~pnr{*rinFXYQh0z$tk?b z1A!Q-Qg$lhX!51bc8%>>NaLQ+7ml34x+v+fI;L_kButToX z3xfDP`_|G0P$A^KBqom3HxJfCa6AxKZB?GtIK(0Y{IWUJ zt3cb@Y~w$y>VKDKUkcLh7d{ovG2-KGK57(te7Rl>L5QY++i?D#Fa+PsTx(D?ZLtWc zY%D#65F7Y@Al0%^6GC)(_}54xmnXENd7ZQjd%^(ocrH1is`XN<@)xI&Abb`QDKg#^ z=3g@}x!Pd&p~df{umX&v2i=e{$2iHiAinP_V zOAJsP5E6mQ`5T-%3lT`R_zhz`c$+s^;uH`Jhbr>U_s_!V100y97N?@0tBsy`gq1(VTvj{sd#Q3Kqs^72p-PC_YLLMvR@PnSDogS|e-LJf^g1kvDdR4RB7pm$6^?lBx zZ?ao%Q0nAW?YmBcVC>T$`ytYrTRZ+S$^ds^D?P5|Wlt&wyPYF^U&%9j^-b?jwtY}} zyl@R)Th!b4YujqK_Tmt(caCag<^Xn@k8jqkpS!vLN;|x-SbPq?qN95|AHCxEwO^>c zflYBB+3c?MON1HVfzgNre&ZS|3ZGky=JVCqwE*^$pHIpbMd2PR=b2IOW^WD4YI+WJ_pGf_LGtL`KBK{5= z5ueAkJ+a_HJHpCK-(FYlXTz-z%I4WuP-s_Nj5&fs69fk?2lT*ISBren_62gN@YFRj z%tltso(m5mpid(C33s>YBjO&!={+cZbuw z?}mPt+-sn*owr2;v7Fl(?tPjrysjyL68N@3pP91ueC>Ju*tYE(*Ku@oqFU*G`TO;D zXolSGj>FS9k5%2MR@=)@6{L7E#{g{hYOG9)nAMRXQ8p0& zj;@B$ha{lDTN!?kPo^B%O1!Ehjag#8PwL6IXRM*3+YFxXWiIJlwm>Vjz-t5o|Lq|V z3JHv?40fy`it6&g34ws@%#I6?JUo&{EyZ^lgMCe&ag?Y{tB_}rnP>Ip?~gKXN%2`> zMz-mH&6x1ee^aKl7Wb6d`Dr+n#Wh9JFTP|KyiDqdIO~LN8ehwDWr*QS z`NUi-YUAZ1iWFXp{;J<-*{jv6I~n)lE!|S8Np<0++XE9Z&%{ryG0-rBm^}Q2)c`Ll z=6qT|F@}VKx7zuKa!HSubn(+;(!9Tq&Cyh%@^Xb$OaQ{=Zir-#I(DzXTmge+o=vJF z%-~hNfO{GzJ@XK$Qd12ZDypuFTgK4}5Shi2m{NQ!DOLeahCNLjW9GHzB7$Y{crY~* z=cE`*J$u+!y|wBhSxRsJCXi;AfvIiDpvNVgQW zzH>}p=zx!*9YEuVSl6vtDJIp9!wg7f=204o&&`1>+E0IYtSs7{D&PDaS-1SExg;#a8bdO zgf7jJSVi)(85_EBj9&yXYUjb57tA-9#;K7pM@CKZM86!wcgIM$&HVY<^@sd3Q)@W+ zid0@L@+mB@|!=Kk8V|$Dr0k82YR~Wt&K*T#!~4t64eFoTf~nrG`}o#If+LvaHANes#|F 
z{UC3m&DTWUDHr2#a8pXx~9EQk&TS9ccA zUsX?*cKnS|ssAe08p~(A7hU|$@w(X#j>exu&4N^AJgO1yf*L0Y)^A{=Sup4x(>|aP z%by$*y^~Sy5&utU*`ZL0bSetfoW-!L=KC1kJc12R*6&cuj@oGYADlE9o+XsHNg%`~ z2YY2>LCVRyp}1D?AvL{(_VULgt>?wk`=IM6A!+Hy(l}WPN;djA2O6lf*)t4T*#a(> zGL*NET>)KwNPOsg28~fji$4+*t}F<&mK+c$lldt{yb&}B&L-Mb4fOTfIXxXvSqRj; z`VLE0a;jmbe1Rk1G$I#lS$F=bcFJEs>OUdG6PjrYK$cdp!Mdw7u=^$iPI%ZdT8Ef2 zv8s626sTF5R_V1N%i^@!kv&3A@-R;{zWYZN=)mPyb%9s7D296qRrp&q35_DpZ>F{3wqQ z*JUJ2v?U`>ljB_cfX*k0U!$ke5wV425I~1=SH3uvjd3)opCiZW`1-ST9g-SiDHB|f znws;~7hsln)b`gYATgtir2|Xr#9@yT7h}zR%!l30{s(|Ku_0Y2JA-e;KBd4DTHG%S zwx{#iMK9P%FB%o%9_F9EMUW0i^bbe{6yytW{xxwgG)V4e+MieiT}ot~e46GQ}95}!8!PoV^E|~k-g+H^r-TBk= zP_D`Sw_Sss{~0IBI<<)w^#jq(hY-YPW>FO zH^^!LLXUT0+jWOh-`Dx-lY>{u$A0Kp-{)0LFsS#l6X?_@CUrI2gzdv*zg!!p(c5i4CC_(F6IB)8XnY~y*KHQxPeF}Lfzs%aw|^GxcsYXo(koIG`Sb)+p@6J_l4?iuHo+xp3!$9~#f1KgH- zy0%`T+2d@ldR^{c`u5F1+86%i4-IXv62vu(ewfR?HfhB4wujpqw`0VCvrly`X?FI0 z%NS{bOrS1vpwR>Zo^hwPJJ2tt6=B=auy{!O5K$sgAi+yLOReQTn6cQ|&dKHJCA@u$F^*|V?;u$_r&BIj{ zD5D1k8HN@LE|I`}?%W?URWJE1Pe(Jh92K4yqct5{Qwj#&XxTdE9QL%H9Crk-b9Sb| z0A9Asvv&yvAFgT6d@@y#>R~@;$`zuMOe3vyp||pA@JBI*udS#DtYXcH_3ZT_ z2#@TRLObNhK^{Thb)#Stw9+KT))WS#k?vU2_dmPuA!M9S-$t2~W8_0?%_SEm)ikBf z#?2}WCBzMN#9U$Jj(8bP+$P9riBD55#o||K&{gk-LOG7#H2$G^n z&2|$i7+_1(EUa_(0x+F>`TPm9)Sjs_);XMm-ob;#t+=@_QGsStVvm3jt4fu#giKT} za_kr}iGn?YB5bwtbghc(UlMVa-7u`c=>H6Gwxq2twKC%-M!#hmA7+MCR93L(Adocm zuCHDg<4`@nT_ZUgbkGW*5Od$$RS~Xex@y!QLS!|Co(iyoA!=i0-ind@fu?%eIXfuD z$oiCpftKvqlR$O+GuC;XXq2pZ^kEHhhcMYogp^9@5vdk8Y;CV1jB2|wEufGP|(4KD<#9WU*X(eU?-rb;ZZQEdGli{0Q=~p%|+%?mCC|^ z>qme~_ucGNgHmBcSruWMp>;^@qVyO9r*TPwRA-X3w|ofVZ_%a8i=+tZ3d}jH5!^(a zbZJCIFVAS6R$Ro-p9$45iF?QCY-b#vBCJ%u)uQk$T`9K%ZdTZdj@rRX-;Ww# zPAq<0NlB$=HAnQ^cnt-wx{2Y(u|#fNkR**>rk<7CYWVO_H*d)|6j1SHv6MrvGwu$l z0EEDb1ahR+ZOwVuVTs)kTsP^=DZXbK|3b79;jdwv&7#t^=S|d2%y!(uBfCdV0M|`Z zWKl#r9qqZ_xuX>>1^Jca@#l^8 z_+nbLbuvHKCL*_t^4)DE8m6A&CptFCRFmO_!cbHr8s>X`LZfXH#D1`pKfwjrAQYY9 z>qc6up%ed5Wx6WUf-0p^+bjm}w1_qjjZg^(lcu;n&rFbTrKxGXGlnv`$YDtZCv3V( 
zifM-^5EiBt+JwD2k{jhP89m9=S-w$#=SVaOv}DRBF)8kIajlkS(4*oRXik+rbsKfv zkQPixqv1%Pc1JB*t4Xm=3ivK3Dn+9E&!&V$8vM4LJsPTel{RY3%ut0=g-nWb2_1KT zE457XY4!GJ4ih3#L}iQ!&4nAyBi_}$unr}g2GnJwt?;2_NtLAT$`B;y0?2$g(2T(1 zzX9lululM)|DR5;&u4WOfg`~>yLL_UzLgt6GRS>0ICQEPs1KMoO3C1 z@E?%Ck~dI!*~igfkX_GHpZAGCFQJ#rksL2zyTV?uo-+8hPs7}u zqX_cM)$y4*K0e+pAnb3d)=eU-`98F7pV9KomqXxGGq0UIPt<&LWr5zV|8&&~+;E2J z0o74T{wAD7 z1B2DpVe0dmGGU7|v$5YU_pAdt+tGc!=$&kwVWc2lH%voW@iWepwvp@E_*D4;Yag^)k0o% zqjeqU(9&^S#Gu$~fEdlIJub##Z1sV+*(W!E`_?uh9>ZVQUzb*SADyMW9RoR zCy}EwR^*=jz?w>+-rAM=_S)9-&^o{RX8m2rSNVp7y^X`&&GLrtO;K8}`^gO*@Wq!g zbFp2S*KQeIT^GaQ;<9B?#u-@!{-dHy-)~=StE?@rYj?%Jdw0l{^DEU^UcIO7sQ{*$ zRc{YC`O2B&vratiYZ#J6)SW26!)3lRGVS4h;*8RH97<}3-OA(NU|pwSRrM95VraF1 zVC4>8RoAeP#8}JsytM+;g%U~0g)idoR~O~8{0VaW0C|1FknAeF&wM3vOAq(%3X&q* zBXk*oQ0;z>f%a&J!A3wNqAP4jLw)9hlT)+#asCao0lojIl~@+88Zq*27p7)#P% z4D2NYQL`qLy#FWztd{|eh|r~f)x>pMV>!`VHZ2a-im;iRN%hX!V;3*t<&bTav$eo} zbz5?}Fa`#+AWu34?Bq3%8?c%Ei|kKA3Y$TMUlOR`(kl`vvniWbW?r;#3C=DltU!-; zol_*7vn}7j^}y)Rxii2P&p(*~Bj7av*lVys}(*A+g&QFxumQ*he!SFjR7ZCWD4IlfrpTzNI;N}Y zHdt~YOQ0o%kL1IT8xZn_3<%Mrwf*3t?9A=6fE*T1+f+` zacrk^gRV9%1*00jDA)f#l$#weZ?vP(P6wS_sFpQ3;McQavGn^_nc5^-$$Wd>gyo|& z2?LpQwoJR9WP77e;E1MRK}0<{C2=btQU5tmJU>>aX_{sS0GFjD#PulT^BhBs|h9zDcQn(MX#` zArCY{&Nqyg+aARWag0hrwG)Ng7B5jnW5?NlI;2C2kRWOary1QZDlX7YJ;c-ff*7wE z=BV6bD&;Qhr=n&<3%?AI!@{cgP1wAFePDVSs<8BJEBQN^1SAtQXu+S%h$lyI#Q$`f z5=c7SykrcW_e9*9IISAvw!xMztU4mDD*C?pB3sr({Vg`+jVq4>z{Oym9k_7?BU-Y8 z*-j8T&R=-yLD(C>A-%*U>*>mUz_#E~mnJnrPVu!j2ODsQojAP5LIzpBIy7uzZ({0* zswS=|utZEUIT9fpN^j4pe3a5oeCK87fMUpNH#!AuyvQh$$Ctku2VEvKLs&YoAc z*M814p2t~jdkxbGS6Oq2cVHfYO3!gSDKVeIo83ELAywdC3eNO4;1#u_e@DKZ8L)hi zHfCP?w3}FV-J0=CtYjx?)xBb)qL6|=F{YM>AFf4@OZz_>v^@agmUFi`_pdmetOG2>c;+c5#pZX*V!Ta#E(6*x$F&;cAM=n{12;v zosZLJ96R8$v$o)_k3G4`z#`tLQPfuVi+%0R&9$lY@^6qDXe=i`2QaIyDB3<;Z;hY09gcx23*NyWo^bCAI*Kpnm)p=H*!Xp5}SKF16>9C!22HuQT+9 z_PYJSK2^i2jeNT&aLDY&3n(h1_qNU;qnF%^F` 
zu!{XK^f~gnvoBcQ`0td5gHT~7>epl5L*YxD84GL>l4xb#G&3xxEV$&O(XZ$1=>3}X9C5IOyL42mQ*z$T$9*Adg@g>ZJTFApuE%pfW78Ry* zB*+Ao7MDyCz72e5`q~}Dzo;&sO0`sEp-K^Azr9Kdq@AE?&KKA!X-~e%Su`e7xvoWL z1k(C2632u(W)MKPz^$FCvSJ69&?IWmbWHhyyKHF1yLr`km1bW2SwsB;woNneM`qQw zgP5jr?Ev48I|E}W_b~WKSXnU>j&miJ70>P&H#v<`p2m`Ao2s>V&I8dj5O1lp-K0^~ zy&qDxB&3+FIFz26NRmJJa%o@|{Q~e;A;5-Y4p(m7V?xaP(`1naF>yHtR?%}4Y#DXe zK{bwq?ce4Zp_o);s@8rP&QAtVT-PXmU3hi=u>OGRlw$IsbG zC=0=$u3V~=zbxjSPD*i~WEF}*^?A}oiyCgPZdxRn*Hkr)aI&xkvJ<wGt&1bsKc;-tqh|2V<;n%DaRngmyMVuNZea6 zD=TxO%6T&>Qe-mc4Pi*(<{7BaC)K!YY!#;2$_1;8HN6@tB=XvANu~+;B{Q%P`Wgzh z#ctlXNQj>*31M5E9OBKndb#QS@a|(9L=54AI5(R%=Ht8a923Th`)g;nIvf=|5PfSi z?S?8yh^$U6H*h0ai(zlbUrC@WO)^eN*fHIs#bkY+Qp zLs=$akDh^cuRe?o$8kn38m6)J1SAZst0b-G z*)HK&hUwRcFNSFhPhr2bS_8a#my|k>Dg(u8SLa}$!SF4%FO^ZJLefRKw#4Uc7W_8w zf;d#t#7O}Wfx1(6&h?a(Q9^{6I-;^0ieK?JZ69u;WB0ZH-NSvD5MVY&jbf2fjjEV0#||uZ94(I zexL#-r_S>PCg?BD74C@uilSnQ^fSTw;(|Ixdv^ghz7DJRVLQjyjw^qv1awgRj6g`& zJujWai2fbNr2@>)85_@8k3OQ-08L2-j~UR~+|-tSj2r(|c*_c;pWArg3`K6|-uQdl zvYXc3o%eAT{-&SG-hjT&#waxJq-HhX;S8aWa@!@94&Xd?d4%v_9%}ertWVaoi`Z`*3=?qt*4B?U?}p)8@8E2>3zv z_V+stF*^+HH?|B7o9n%gDEzyD5KlX265fIz3vw%fn@_nJqMM!dkLN?MI)&zU`_8A< zwJCfQEP3D8vM;j?--Ekn0O%vvxoyj|?GkFD&V4wcEX1A2ldfqE zrU^T{ej@CIu=}mGZmLmW^Qsz%N1OBPW_7_H`!=L=gIn6<*F4m55e9NRp&@P;JXx-u zsoip8=`Q*J)Bt~Mx1DDxEWX_P-G0?q4Pn1dch&khNjq{T`n%m?&|b=khgJJej>jRo zXZTNP!q~g~19JzRok2C_i*zr~XYDirm9BXsQ2aZsUz|=TosZ=>+_jD<(|B$deRKT} z&u!h_LOfm)yYgK7o=+rk0F6SoJ3MM!%A275tt6bBsa~h?&^O&x^DPkZ2&it&e|M%F zlyL@nN{RL#^0%_EI`mr}9^_p2XByLdkyt~(ce38a`AYO``WSh8dY$PH3NKC5viRln z6HpE$rH=$Xa4Tn!Y00TvU`(az*MN&<1#G+wmfmY}D&@>BmtSjLb&|qQ-(1j?{2U`%(CDt%w0T%5920e+5S30HSevzUI4Krsymze$%8QiusH8YR zxj3wdIqa8{p!UQnM4%W=&R>%-1D2pLD1+!>Mb%U0pGgd2=`@M_+ZdV~EvWPvRB07b zoD2_`zTYo8b<;v2luqTpXC6{>qrtFu!~T_od;Q{FD`~JKkEy%@GD@`Dut} z31g#UR(v!fB6YuO_aVO4rRX;H@sq@{9$*H!@V>yB?~$o65_0w94@ycwn+1dC+|+{#tUYITK|RHA;2cLO6tT 
zr=X*gcmg)D|AuBSZIF{FWG2(T;jOBX^M*IJ6bx!m1^qxasfQkSeJdWHnu~wP8R;8%J@ik~#OwJH@2HrVxR>mZ?RxvB?5pyQYNteNlVQmp;aqErp2LQED<2qROdvfhKrbBmGh*P z%b_-6GHw(6wOtW0@S{9DMJejryf66es|YC#H0+w?-D9wwwni8eHEV(;WwsJv!QK#J z&SHvb2JwFKf8b+>fJv%whYlnxa7PTDxdwWt87})gDWly6POe-F4)$w;p<^QZCcF_p zC^Gf?(F9+umB#zEqmJjhWUhA6s5BM!jRl}mBY5vb` zUwOYis107eftr79<4Q2s0{AX=n$LGrS6%+y8~6{N53YZI+uz+Q3`mmfwdcV9q1#;8@|%_^V<7g-Cgap?@m(U z^uCO6#icPTSfIz;BAwd;9%b z;ERLT3LWJ%H=Js+YITp^wup2Na!Bha8f4Ps{9Xny(mWq>%TO|Mcz$-!U~5_!jP zf#&a5a-5GavTA*ocN2+;ec#N|h;N0TVHAXiRoyiN0g)v;o-vplYhE6IhZe^Y-&Tuc za`o4L2B2Wrt-IPCj|*n!=p9|h%%fy~j_RlKJ%E=yZJ9s&9|T4e5Qv@9Ma?eu~2pS$fR~XYD zw@eweZqFCu!9BKVCN|yr4rX#cmI24LI~|uOQDN3!c6g_Ex1kt$ z&Bu5D^SFBOnD+w~2iIP<9EvWWpIABPQS%uzatpG4B8CMugC<`<>MUQ9 z*U>AS;p-ffpvF{MqZW4x9PX(HjpnU^%06rE^U`yBg7?K@bv0<{oIc}Pser#H$(jIO zlC(cC)W8W(UUY;8k^1<+Q-8mwpt6@JMn{Qi#IGhO%R$EYgiy zoKYwjI52TP1v1s61}(nx;ag^y@Dy|y1 zT3MBPvrmE%`~n;PMV5Xe2xXwm={533*60t@uG>Ocgx=B-75~11jpb8R zSqdW&brMY?%sVV8;lKt3l4R6)^ld6(Qo3>MPs{Z>oS0lTB01$2u}$2=V3i%tJ6Db^ zY!<6x#PtIwG}>?<=~1vhij@IArokM%4r&uCjp!62mDh5iQ?;3n_k0?er8C?d>A;nT z%wMIYEyLKtQVFCc^xX*UXzEfFUqPx9F9wM2U6rS%?+#=SFh#|b;l^?HSUd||#_`{| zW9T-dZ-rIANg?63T{%iag{NjnqCJ&okCCqD6Z0;-&L};k-Q|V6haW5o2Cu43S>dz3 zhwqqyG?R~xdp{)fih+VgJV|@!x#of2_$itk{dB0sAWJtsrJ&_S|MbZegFQ`nDj+f2 zXslQz{8IH+s*r0nkgQk$j1sOMh?Vexdxhu7#uX_q!LByz zbp$z`p~SX&+jc@p$jsTLOW@P2gjJ-;6jRblx-xHVVO3|h!Wv;wiNlkj(V1AC$3o)OfTDFj6cyUzWgOb$oaps=*9|lO1i?gR4 zRPWNtZyAW-PnVG|Xmx)-W{dpM^a(3#gvac?=0~2@>a5!GQ%S0}Ks5^BxHQ3ZX4Xig zwi+?e#?l=U!e#I@!Es4Zjd_|14XroIL&QQ&Hi^u6i`zw2UwRboN*Z&Bn`qj&JeZO# z>;A{`Q>sZH30s7U%T#ZHnS_<0juzG=Jsmmxr%Ji+9AA5p}lk8nCbnTFBIu8;Ji`4`U5w&2~R2sjoevakd#PFUUAuT=>; zcO>}YNTvS2pMN0`k$=Kh3*ZI#6=+MXfQu{R8!Sh5cZ#bzbYMDrP6@e$)*=tL8^#PW z>0`of&3iqb1z&*I_({t@p~k?Ql#Izp`3H=#9J_|TDp{UZ%58irBi1pyG#~c+UjW`9 zr;{~&T{r(_efQTNdT9pfJPoQb`apcZNJzn!NG8631A}}qKEnp3Fv%Ji-GLjoI0SQ4 zm?)n1?!5gBT|h*mA(S}2{l6Rf>#qf-5+|4SdjDu2881|yHwv+6z%k{JD6Hc)VM{PAvgZ!hxRPKZI5m#Baq%{5Soi|aF`z)MMY 
ziQ{|b*p}Mozrv9^|CVt%JD;nR6~T`^vt{`SyMGtDZ!)Qq@5rB;_rRzC?a&?Ww^Pv|f_31?HXyq3`Fgp)z2~t@ z@9qEb^o{LthHJD<(x|c3*luh$wr$&1n>4m<+qP}n#>CFd$v$VF{bl`vnRi{!x)%z~ z6ARo{Jub8v{%z0j$(!naHsjZ_UF+VzS9G#k{OVOMhF&zyh&jZ-Exsp=(~>w%j)xvOW^u zPQ+Ivm(2*}c0Lb(K<9XEd>jrn*d56wF|KW9Kd$a^7>c83^SQOj#`kpJg{O$mgomi5 zXqv5*=y`pjzx{F5zt*wedb%fPrq#IU=6_yN4HuARoL> z=;XB^Ku`pYjj!ToNh=i)t$;n@Nyez({7@(()1$YRmPOO!=Zj|_;xIM+Z2XkaNS`x| zs35!U&$vXiiD)6RGogUz)nb_CLW;z@Bp*~61Oved@8w?$)#eRbLgfad9=gV_n8^(6 z8&>-DnU=!E%bIZyXJTdZD}vMt=cy@#@BOv%>|H3x(y%yj+JQD>>Q21eHtG?<^XT)X zTIRv<>NHB6n5l*QOurCtxCW8yAN(+wlo*VP;vC^dxqO)iIFzmkwj|$lMQB~}tupVd z%0oBQ4s*pKhL_59X}FAFt*|szLJG`S3`yRI0E;L@CDf09=|bNMndts@Do(c=b1qN^ zd628m$PUwMoV|E*u(1=b<6pGkO#7Z1>BF(Nz|Av}-R8pGc&{rnzz^*y^3lL9r1MHYkL z?1#A4nN^vs7eee5LIOoGyOvQ{E~PONfc#Snvi?Gra_c-Poj3_v=~HY@yv{4#I?tku ztqik#?6$RXA2KrHhgUQWV$qKRNbKRJiqs^y2rv~XMc&j9)2<2JUe13B(JH6J^i%>i z1J#LB5AQm8_%T(>rD#u)O4Lz%OXU}uBt}b62t9wI=KCcoU8U3(Prf#zVjlmQlkwL7 zHEl5chjVlL+Y&*ieMe$_OOTnmmPytC&Gqk`kb=m7R0rR86uO-T=sZN^AQMt2G|M@` zbiYa?Q4UM8%!icQoXdV>ydNNBBX8JB^r=kHQy9qST5q3Y*&oxk?X?3$Ck4u((gTa~6)L0laU8xJ+=l}i2?25ANMtr7p1?$Ixu9@ISQYLEx@s@FA!rEH)o zu~c8lxcJwwU=3+dA_AWmRT9o_v0QaVVO?%!CfQ1?PO9xU9isSePX$0zy=}KR3bkIj z@z2ua2QNGY$-&0-q2{?eUB5^d)p2UIui)R#PbIqS#xDUoLjt`#i8Dnelt5aeZ55G7 zmURI;@li{#&t}|B`B*soebE0ce)g^Nen%?jMZV9lknvJrA?#rWc&~rb2L|#X+RV>{ z7T2~yAu21L7!7jCt1iY1RHHOB2nxrw0wbiUqS8OSqhNpyI!icN7|7H4v4M)qCbc<; zw?AaY2PKA9d{&fYQ_O6j$<>&s#mtsZwAk3uT~s1gkXV2TsYzgtc9hEkzh=}`jb4n# zid@00di>X=TIt!BD+b{Q%2wSC)2f;b&1s-j_&ALlV_K%50UNAofDbI5Xdyx{`_4RN zAefR-T_gmR$?u|YF4Yzu$S(CC_kQGz9A3Mj zIAr~XmYk>G7LagUGvFh2jFiyZGC7SjtB00*og`;gvYdwRLK5h=MxCg_gyBJEZj)H_iM`Hj_@3BS72eHR{=&y;(X#|hIq`}Z`1G4b;wH+{hl#l zgOECYM91mef72VabM3Cn)NV4f`Dwex20#EzpQ0QF=y@8xj4bVVx-8upY%P9l^>JP3 zI0EvVQ74h?HelBtzlyKw22`cHUjym=x{kfyb0Di7o%y?1Bo_k4;o9fA%d%aUn zosY9uC(r_4`D^{HwjyrNPJ!no$Qpf4Yta05$j-0#JG^C(h;J02lBs>KcO=;Z9@n8F z+hOl1hWBPywM*CEONl*J4RdDODWig8-KGJOF^RqFQtNCKt-3d@i6_N*5wQf|y(Kcy 
z^YC)illi{=Rn-=g?e)^Lk;7>vSU`2v+4ekllndkoz)YZaesJ96&gF;a)AJ-Wv%z80xFFVdy_HsE9v(<4RIZ^3(*8Wb|H0RLAC49uF4e)8li(ZbR%Ga~%+-z=AJB2I0W6V41HfbriPX8kU?Ah}RqMp^ zqV&nJNB*3tFr#I#cgzJ@7&3mkMUr+fm$q27bc1M)!+5N(Y@!+<_qkgY-6W|@tj z$5M^O4G|xyJ$svM-x7Uvqt!a1kaAQwei=@$0v;X*(OHmT&O(DX2}kA9#p$Q`Kw=JF zGMwth8H?~1ZmJX=NnUO=Dlv5=P7TXH6d0j4H}KPxHakKJ9#65@(ccXVIerg6I$)#| zS6$-ZbczM)y}sv^5lM)vla?Mg?4L*;Bd-5S&-$}nvDsQYqP@y zO2Jo<7l$EwiN#$Q#0w#p#>Ht4SN>bV%Z-!&=XLhSECR(S9bp*$I)}0)EbRzah8K-t!|^v- znY;Dih2?}KL1!z#OmHcHqA`QW8fL*jilw*|2j|a44sfdn=cc;r4IMLi$5bP248D5F z&dL{SVy6^p#YQ@!(WLJe3BGJj=VPOI7wL&-i1MwMLdR8^9W9hV`4y2?kBdtoI$H1- zJFz~}&iTBROZa9R#_kaAFY{&LC~shT^onILJi!qD@}W~vP){l+xD_!Iv5}QwP0Jq( zw{?$M_56Abz+RhWVZ{S2X>nO7#&=1N1i7LZxTNZmVw`eT9GA$}wN%u^!$p&3df+N@^Y;=`nds+V zv@5z#n{y&?NeL{dX9Wg*iiZm5g6_vW9eM=_VV*UoNy#7;X;oFX)b9#@9FN9lMEzu) zOdlYN&8vd}-;kuLc8xc~vH39;To}{v@0!9mgP~UC4?9|Qj5bgS^u-(=#uFB#eq!pUfCMIpF1~R`e>YLSVlZvHhsIDG%HRg0WnJrRzhreTl z4kk2TehVimziO^34(oq7P>_tc$)`;^FyOu?*+Hz$%}q7@QB*3%XI=`?71FFl1BWG^ zFZV}?2s~DrD2QJaNkac?MVmprqrcS}=6i~v7AU6cJ=!~~5^rRNK*$8pCH^Jw7`Di+ zM^ad>H_C#;$Y!w1Zd5i~DhZm{BT9ca8AIm#a~YK@6BlK(7GQ%MOMlZ5b9zwF3)l-q zBIus^d_C!$_U)0APd{#tzqr3XaW+-JX}GUjyHvjw8y`cIs`BeT+W-7DF!dCeVVbRZ zoc3P;k%A?V)d{{Kac6+ux%XLs_isl2+ZJ(><6L`=psj1;+1z~W zZNOKrzAY!UeC{!o-Q&7gTb^fg0Lt;5K}i1ICu;)hj&1iV<89BcHwhs=FW>#qK5gpz zaO8a(&xB%ZyT;@E#|fKmRVPXqTK|#jb>E*3>3e!%+{wc|?z|Y>13>2^G&ur(&yN7j z>!K+C)*+;APYErvI#W>XDH!FHrwiq6B3}rjCID8wx+IhTWanI9r~Tr#sFrkDTh?oL z?wB-&z~#1Ty8KiU$)@p6sX~`=r{&X?=ljk?;6_*d_%Y*V*JRmCeT7ZiGWky0LWk21 zR)TU)&%yH@2FJ(0PMc5tE z|B)Z`YKsJG2nuef{yaj{zC^j+=6R6#m=$$@8$y{bFTh{kcKAdXD1j?k4(?KD^$a^5 zb;Z=bUKOD0JYq8e2AdNha${_gLN_V>b1D)+@ z{4e4Rl-95Bn)Ell0`Xox1>B=SE-8pQW(#zZaVn6?dL?+@EzMXq`SB+2?DtXfH`!8MPF~uf$xA)}GsQP!Wcq zJa8$KHp76WD7r)wn{FIF{guSnWoT_Y7(vVL|I34+t%!4oLDN##b!(5ouG*(qKSvtNeU_1 zqKFluhT-^r%AP}I#4vxSHi));K2Q2nIwY4c=q#0_ppZmVq!BO>3svj#RphNhh=XjC zW!O+O52G3z9@(_cX}a#;xrDz%!~OXq!OaGaXjXLc zPf_^lZ>vR^Y$|yrk&TZN#Q zoxBt2cis!NHs?}co^P8(cQFNr9TABr|NcNWflVG4>XluLU?%37%f@1|H=?R=j 
zJv6wopXjr+Z&jolpxO)0mbvSSH%G7YwKukiYqAv?67Q(@?9#ep(L_~AzN7+|Fu{wg zsFOu6bTqztRE*e%^D6f*BZ{c8f?`h!QO`Y7OHn>1*iuLYygtm7$0EzV{~!IVLpMw- zXL!R=VKGk^x7p!~4Y@A!LS#vyH(3ov;d$+EsPAKIx<5&9^(c3yl{K5zFGIa%29?-) zRVMJkWlaaKO%`Qvw=kC`j;UVTm?2yRyopmN zzQfDBK6r{Eu&;GyDs}}phNf{QRBkyDsQ?v8)m5hAlyHZ5Gt`z-lJNXNF_a9PyEG@+ zgWr)qY1wIucYp5I?yc^Qrgi-L%PfHjJ@<=klp|lS3!|ulEb-7x3?pC8qiB6`VW|x2 zIH}%rY3Wz$A*u0qlXoahIeFnO?L!#M`BkE#rFONP>JsTbR(cu>=YO$g9f$#@;2Pw0#(kT3qNCTOkD>9Yak3Hqz}LrfvQfA)({4+BmGe&Y_Ipp(?q>zlTbkNsQYq5}Yie@j1p2VFydrhu-;eeixBX5C$|cH)rwU)O1V z^Uf8_h#k*aDevsZ-YquYl&+R?@WXk$O=;ccL6Vsd?yeba%I8S|!nV^}Z66mTtZ^A=I+3iFw+1-MU9w-)U9qF$CZ(dl*zaVnm?U=TL4u_K%^`58u&uqO@d8BGrf0vcy5};q! z{txJ$hH>(Yk6rCr=SK<-d#|}AET;aw)1qx)#mAdD{$uacaVS66#Z$?Sj&*fr4uQAT zS@iHz8F|cyh|b@lG`l-JpQt=S2b#`@@rcZxQ`!#D!+OK@_Z&XIr6v6} z)~4mOmStyJzLw!RdHTjfFAn*Xms8jdNAdeKaS9e;ozpDMf%KJh#yWEl?iY8HX7w%*nbJzWW2GW7#`z0OFQe>Og? zbg>GBo3dc3vp<&W?;un6_DY0Csg{ePOQzwfaM9nT(~VG0ih?ohfs8xW<`K^x@Y>Bm z=Q=V~hmXHGBzT$~;<96*RNmDTQheNj!vLPc=HfEDEum$Jg?A1W(CT_)cpEmwHg_<3sMH_I~%ip{BC^$>Kvk3~) z7U1mmX?!V3O`{WLxK5luO1(y*0*%~Ls|Qr#{z7u8HXXQe$H4bz&avE!bn&Vxw-No6 z$0bIFjn$6A;ef+*7Fv;&qG6`*Yc*&tFNKZBR2U2tPR^f@q7Z*xh-ZsUSLLg|Z3diK z#eZ{2wsW}*oqsVJCiM+dpr2&zz09?}GZhZwc0r48&r+$usX$+$l!8h=XLVLYmZYDI z)6CVse1{E3q(}yjAEPSyfvE9Yw`-U@dZ1KydN|k3%Lx{!Fcrf^7>8}M`Ofj|AAvnZmt_8VQUfHF>-Ge)=(l8m?g%~ooIL2&>mbWRD7n|?&ha}JrGqZ9L;UAfO?Jy%VNQ* zAgnNkP;{*UjlK~NUW#mPv&o`pK8PVj09S^&Xb!Vv;X<@ow?!TE-9w;UHN;k5M$Cv{ zaY^vtbaD_%Vmwg?9Y8fzX`l2Wyx&ZFg*q20)g)BtO3y+oYZh#;2kt8$$Cq#50Z;8J z@f)*EhDS3Umdu2ki=gvVrz|OtRl%QBNQ@&#Xh}j{nsU-(If&}pp@4sXfM29VU-hx&Ewj85LJ$?&TDTxs z6W##R81vSNw`0e%Y-Xc6zFwqZTf#fSa1sTW5yKDZ7o`41{)m=TM__;V6X6%l-+v}Z_ z9W-}er^)vdc^`OgT)G%H&b&e|J`B}#-{s@mm;yv;R~N2wblzu?vQ0Y4^j@PHN_A7X zK7N9hpV%uE!*(_SY=9#^mP^{5?$f*dAjae#=a;VM8s}|TXnLUOYsbOvY2R9o+n0OFOh_H?$E%Tb zfzF$bQ~BMEuL$h)_p8?2TcDA2(aHr#Q|mVE*0My;;nC=s@4@~t=Mj^j%IEx!kw42K zMI@nQ#`~>bok7>NZD?jL@G=Ln1GdfgT{ekN&c~xbx9Eg_n!jZoR=V@9ci6p(d5CQMJaY2|0Bj2irF-zzg7x`&fKJL@V(Y1fu% 
zDD!RS*+AN#PD5z+SpqF?GpH$`Q*TC{jco5B;}oR{-L9|JA2;jEo^49yosVs~6@iC~ zm^%f#77m7OGl+7JUekT(GxrKi&G>n?mSXcdX1%$#9*@N9I(57Y3s_Yr%m?WD8yB5W0Vz{}hF#0$+S$I- zj08N!HEk*UChIvq5y}HQ3eWhUs~J2{&NK+l0MxPu%+Z(rpaqg5XgA(X-4l9l139eF zl2j2t?|}DTwCY3p37xQ%cAtA*dwP0*A<*@DOIVsFc|_YJn041@QYqsjh-*5`mM>*C zTDhHGEPVx)j7rwQiStI5;{e$M)?ib$Ht7lcgP#lG3jb={7)b8rJ{w9yMWm|pdm_x1 zKkViwU$Rt^PwC;XNzcyTVdXaT?{T*1IP{byi40iCq>-YK`P-$74d}eHzjAjH;0uZ& zO{1DILx`b=d>qQmAGysOO2n%l8;*rWrkROEf*%Ns{JMTcW#om=53l>yS%KU3s2wu2BBYRY86W;WatPG zFy_-#^Pxpd3u&*pu}&3>l@D~EJDVVS8YQC2$+sDfHUHxiw|jR`TF$3G=a(JbMu#K= z^BZow216bMB2D9F!p*cXel#<{7oCNPZbpHl0(%e|F0%5rL7( z#l*RBdsb)pB4|@`_DXw^@P*Br@M){MGImtIRAQ%o>`=wvq(qe`fe|kU$>c3G-5QZc zh!>F{YfCW`%`a8XhXu)aWsbe35s;uah!p6ZF{=bby$_I?ji|*e1o$*BN%d_pA6M{Z zK}t7)8ywMW*J>wy!VX&r30-68LNYEdhE^PhpLxYcjIidb$mn0PiR5FP1Ya2{Q)B#6 zx?xJ3`3Ac;XY6bcM>fw=K00e#M~<04|3*}y%u4G$6*fZ_%eZ?~X<}Tdu^6G%2d|m_ zo0sq!!r@1avRRMuN;zoba|c)lH1B@vX*$wM96!ZT#^of~$c(HlCk#lO?Z3qogl(l` zy(h@DLW0BQ`>u@E1a&+lY>$n6K%hO+a8(-A`kP+e(9wF8QRaMUI+bK=c#^v`2Fyn` z0b}fFLNsE!-ll|i2rl&c4Lm`83_gR_(niJVUammVth^h>>IY82S{mh#qUj|=ZUiC- zDLQrA?Q3(RylSs1A39HFx??=@f2kC*l}6`R(Nh&lxWr=o6;C1PSDdfdRm#cSw%=4z zg8tbN+J|_lf3FiRl26xYsraD-iJ-05kO&|myB5TlQGavI`RSJLwwS=}S@x5ICJ2$p z(>3XemFG&ya*AnQuF7c^fKY9O}B_zZaCH`RfXc$@Xd*KX1f%!}Ff(a_Poz$gsKiQ)N z*Gvv`lF6}taTC@2eB7R*3(_cWxZt;EWk6Qb zcGNswJ5!Ut^qHb@hkx!Y-*J^YtuN5s0qw%PDj%#db$xz)2i0fa4UCb#`Ot>;0qMs^N;j6TVl$!`M`g+>F?zTSjP6>SKbO?N~_p9CMat3GzXuq{BH2e50 zr7(K9hZJA|4{tWM1w5p$s?GJi)8y3rKLf;k^V3KIsQO#(BGSx2Y=~-hA(QSzZIajO7I*TQvljWtfOEF@$0<=93KAB zBf@Hm*UI|pj7mM7{Mag+-iX~mZ|LfwKcvy$6j6rqmxUO7YZ$4;jdaT_Rp?N4eX{*Zi7vDod9TX zFJQ_3zD(Tn@j9O2lsBij*Mk`~<7G-2eya*#va!gLD~jeaBIiTlKguA&H+wD zsMVJ%rsN*y<}}l=fD}}b1zpNxWz>x=wT8?Pak5`w_R~b_`1xcMCrjQBJa?GbFPiiU z`0s^T;IxYFc4ojvOxtFBwkP$`luXRF0nYe)jAPX3KV_uXq&C2}zQO6Vg-umXTxqR2 zP?1rcC1y*sX@whI1kZ&otYOY6gx2#b?EkJX=EA?YUx-s#DY4a$m8M#Ze>IGS5>w67 z&p?b!a}BPHlCE2iN~gEd5(-Om&pW(NQX4Nf^G@AxC`ZBBgXKSENiQnIr?p9{VA^#L 
zmg!OrqK)QN$*LA5Um&rAwNfnj(f3Uz&d1rrDjS!Q?H|m;w2O)%t!cs4$SO?OI{5CQ zq)cC_f~>V!7elHen`#KF;VkykXW{JOTYluNT^h`~o>t}YnUQP$fkTUyp?I`V5tQJ- z1v9vLgDLd0ln`}AN`&dGOiFk{{laeOKVmc;_z=sj#>X-%QNxjQ_Yk{|^4_yi7#=~t z?Z*O>dOcoep|Z63lChBF!E}g|e)sk6y2ik}&|0YI z)LJ~1lMgXS1gIlPJ9I=dtH@w}Ul67JMU2Y(o4hJAF|YRlCigB(+8I)cHs z6yLvfk!UKteW%k}BwH&z+WDq-3tc zH1UTiR&#wC(m24L^P01-{WnPf8kMs21M1mgi5pH}LcnYzjADG4&mShfCNlO;w*e~$ z3y9Mu9v2i+UoD$QD4QNUWX;%d<81!yTno-eW*gE|bjfly5*o9KI^rg?lR_7?09x0X zM%8cQ#dtUgh!LMg1smVqb!}2pr-)S3SpyVYZCwR3>>8$?;2sUQL)*#8BOn*j47ukK zro=k_=*VQO=f;hYuN@kfQ@BbNW#Af)*QO+e8{wQK7UjuMYG!kku+^7B9>g&VJJaz; zrE2+_{Su1PJn*35d%a-g!JpQd*Z(zj{LpiVxE4K++2CMKaQ02Vv1BHNILj5Oul#Jg^#8|@qN!N zO%5xz;e~b1#np+7M~v(_lQ!PM1nkReE$P?hBvSE%n|%W zOarf|s8ur=*A8V)r&-pKEb&Z4VrjP|b0DRJ0&7T}u1=pAAQA!KLU1YgTf0&R{PcY5HVHL%*oa}an}yd(r^9JntI*5NBPnB$C7{%!N`WzC>y4G|b03PrZ+2upB*?yM#;OkZSLnP3UV)ult2)?KbZdO)S1o?uQWw`PSWJ znTsml6wmWl0Ds5l_Uk;{&bsq~c(Wv->)?LGhe?j8pYzkhCDKZdD|vCxX_Gp`#HQoj zODFBh=HvePLXYkluR+8FW}5fgHZH|>eMH^PLQJ;v^adfwCXQ#cDDFz2?I^e7TGPGi zeMZA>?y-g6z77xRWp0nK%ZJ3PgYP8Qd|T^y765u(mPK5DsMOwm+dZ_d-gXo?)HZ$8 zv%i*{(KnGg9hqR=**B# zYv)ySwa@J%{|`?8Ua=bc+G8nu`p+@B7XA0b{)+4K>(;rx#RYo;zeVM7unPi*zBXv@ z;gcxP*DNN;<`e0kQO<47f7Ao{586ioSv{vQ#=9KIW}rDu83_qj)^C+I#tjex#Nf;o zC>eCT1PV<(WHra^ep4yVxYq;~m>rh@M;y52vc}A|>QnneG(y1d@?yy(QjRZ>B`tB2 z<_~53dpUze6O2^QCLMIH&3S8JijDp{`Uu;Yy_Wy{K`M6EuYiEO;Xmer<@XBWqq>X1<&5O>CP=BnM z5--fS$y41fijRp~`y(YdM%I;M_N|J!ehyhS+boYdQ6)n3SGtcZ#9E9y(GHD7OKI}U%2+}AVE za7piKIZhk0IavC?tu*K0H7I&-$BcVtFQsV%`oyJo)#~+eibkxZ7ce^nZJ6JXI>h1c zM#6(!3341(47p5IUg%Pq{4kN2yrzxdvMIgYI|FSxyMYB-LAG3KuotXZT6OaZKgHnY zo0_Gb(=}@J7tI-t?COZ3l%V>U?5q?Zh}q^Z+JAk6?i^o~3No|OD*o-y%>05L)L_Sj zvF90=OkrYtyy_%a9Yti|pS}!b7>i#PuPSDokR`*`t|LDxwY@^4yR3#@a#UEp#(gj( zvW5`~o3@AM#%Tp6RJ=`3>_@>~+rAY40r#3YJ4=Qvp`O{ic0IiL>vQFe(2?r6lW`p+{;vIrBw}u2f9(7z{Wf#8is@mmY35OJ(j z9=l$VI)X1!p+H7m%$i8p1o}zvp@F{M(%sU4m;6$%M$ZhD7zc-7mC#vH`}u2or>Ixt z=QbfrIw?|<*q0i^qab8>i~}{e>vH&<7pw%8k1KupG>f+;N6V0ECkHuU5O(pm%Pp70 
z7+!Upf&5(2=p_A27<*+{m%UP^&dV(Sd!`CFDhs%8Lu@3J%KEUiM$xbFJ#Oo!e?%4; zs*TF*brk5Yfz^=-TX!m1>Gg%^FDQCNWWK4;rKoxsqVDP7B1L;9_(PQ6Yk2<^2V~DK zWoHE(b_bmpgU%&Kwug73@_Kn*2Q3^_HIQ8=t zEcuN`UAG8rfS+U7l$wj2hfhyRwwI><#kjJ+-znnrFvhpd9PE`O$lmKsum=!1-OxezR#l zxL1i5u)mq8ncRBgog&~e{G-JrjD=zK3{BZLZb9mPEnH*Ucpbt+Kv4O#JW_FuO&H&0 z4N%@>L)1K)yCCE}{qmY=w)#y^3Fw_zeZ~eoU*X?<_)2fJUuCJ&->)WgL?#10!^*1s zHtLj5dlP21&6iv`#GZPnaW);RU)no2;LIx@Tv{)@N~$||j8cxLSD)n=eD*iHx!<<9 zTdv592BxpZ@}`LiKmB$nD^>lLIH9`l*H-kqh2qbhj)!C9_0PSIiVrx}t_dCtK9?@s zE-E3m9+*00K;>n)wL!|r~jvWFzbusfNNIHf9Q8oRG@M&nQp1BW`>jqf2`{f|{ zO=Epc3c;03?-y=HJ~sCu!s-tXw}L5kUW=@toY#fFw5_xP{!1QF(lMS+Nht!{UH1;& zC!~lpgwF|m5s|)qRXq0Y{gPQ2i|(6}>z!63JNAut;+JnJj0xOeSIhkNAO74RP{?~v zUrrS$?F#hzIQV5EN6cxc-)RNfTh1wdMT&$DU+;3hcz4+U{zE*C%LYHW_#VELqX&3@ zq~604u_KH}&4s#cDc=Of5j$@AO&(6RuSju@g(W?ULbL_-L{&(%>38C*Bosb!Qn&hV zo~qtC>soa9Q<_N<s|i4 z^+?#B8`-*#h-PIIQ)ZbyMo#hyJoBH_kBS&>IY@{40#*|%CTOH|Q#amJVerv*RanwE z3G8JHuHw5eG|WlsI7Tw@|6!~!eGLL$y$1L@vyOjN9mPq#Y! zMjnicqo6{43#Z^LLRaP{p+P*`IZ<3rY4%OO1_KDYl4;l_$%+CwVMszmnEKeeiuA0; zrSjD(b7{7XgbpsV#T4&_;+5~-9&V+Pf%T)&J3P8j$t@VexA8zncda_OlmtkmP?4IIMi z0PV@+B>m$+yZ-ltj_F}vEuK#7B|u;M9L9zwq#IF4;cSCg2wdC5E1U3X_zE`d^M{XF z{5&nmx(km!TqQAAqi-r~C4Cr;(Sp=fT;b(RB@_<7n9{v8*=^*c#;W#87hoPGy}x=G z3e?E&&P9R)^Mcb?#6)wisZ;kK3&Sbrxfi6Zt6FJLLKQ2Y5d`)mAuYM(z(%wTHEd`O zFmbJtPh?oi3^(P>d1z+Okkfty-lkb5T`Acj_buMeiWp>x3kC0M_D4C9BwK}8`AX#D zdrOrksL_}PP6^XMF7Wl9B0#tAu$C3}p-n zm+Xo(e*Je5vRA0+nZQZ}_GX1F(1uh(+~TFW%FtxjU0?$bg!Ql=7lkzkxcM*$HI~+@ ze9ihSFeCp9ryzq~GDyZypvdGC==DEWbLXjn7~i{`XF_->WlQ*sHis|D?FAhQjDqh9 zV8bh;#{i)pn-DljX$J zc>J>4_U^XqXIpWi_tXDl+R@s!D9dpG(wy%!+tR*qeeH}^Pu~$F+TyLOxp#Ud)m_Dz|P&iMw z>ITU0F)+oi0qO-W-{lcU-5#0I>vj9fWxdFf0l4W;FF0YW+3Y&}if>JqRz58*%yfF} zV$goPly4+^C4LOwhuHtc*CHjOUeR&?JEk+MCUZn4z60EI{LWIP&oR}0S_ALm^c zJARKyBd^*7U>_>p7x~(Lj$2I1uZx$!lj7#nYCquLGM?ZXd(Q)*mY5x#J@b>#{n;fX zjqz=ho&x{6g&FqGAs}9syO&iAMw)m_r{}aSQvb%}nr+CDd>i1edy_sv%chzDsK{IG zWh1EP{iU6uIH%|FZi#(Xv!cpvN!)+?tlV{a^@56}$*7}cbO6cPyvr%Eg$YBy 
z>nVx@;NDkETa#ay`Y9&P`>1yk01%k%xGaus3^t+{uxB?oJSmXixkfuhsP!o>}*7#P26}8fjPT zwaHT|(#GFL?&P-BE*2${e=`ikSm;#^iB?1)Mi8voKVw*=iU^IA7Hc>w?26Wp*Ma4= ze}?Z6W_W&s8WP4z*R0EkGYBdQhdi>XH!!ScN;~{5Y{zk6*&v~LoSGwN1+yGAsP&^v z!(>dh6Ws#B1?jFQ9ps>}d?lYJ47T_QpJb}ZjqDj_PvI+UySI-GI~M-yK1aR*cY$$v z9$BlFq|OFMk+5JLwKr-!w=%5^-6IQm38m zB?Wb*>iO|q5xmi|q+lg20|6UV#&DgC-!9oNX4Am*NduBNcOUX4x;O-}5>xOHNl5x$ zMa2t!#%{tF?bsFLZkf zj+3BhOQ{#HcmEGl-~3Q{+-@7DnkJhQCfl|r+qP@6YvN?vwr$(CZEIJ%eS6P6=brn^ z`V02{uFra&^{ge^cL6rl`;DtsD?xDJ_!57TBQ&%$!60}JeH!i|VRDkqK6gvXffbkS z2fPrDtt0`e77b4*v<+@9QO7udt|;IAXcf-L{us-~{9e^Dw9JER(BbHdfpeu`j%^U{ zGA;!koI1X)s5u|@1cV7JWxtoir|=Thz;Y>1Kk=pXm6V0EH`aSd(Lkdu{EW6RoPCBP z(N;}2C6^DDE67&f4={b%I zWaCzf9xn7-Bnnyn0pdHJ>Ub_*0C*TnO1*JP5g`I#+B3FsPaL_iHn}i@ zm&(CIDjskrcU82*&Xuwg3i|*L6)4aMsZc142Hwo(v6!Y z_%0#spZSZlErNm#Ws3rf{h0Gm>stc>gk!zJWP3tWz=l>&h$>s+b?g?+~KUrct_*eXn zQLaB8{WIFs+>1BERmCmkR-K8{urXRp>V&_HyE403SxWs5ud)KG7z$X$A+t)HD0DX670OL+ z_?I+J6puq_F`rkQ$oLz-;f!W;I?}n>^t#8wU8NHmRXXP zdErzA&bURv9~?F8XL6WnsDBuH@Nj^CF7Az}PK&m}Qy&4;=JBkW-oXKN4E7gI-() zzpRmf5)NDju&>(AHFs=F>L306JLnr6J_ zEu?M0!`+dp+q>$H{#~z6>CU~ij5@9_s31%G0uL#>W7yV9-@QLQM+cgJgiofr?qRZL z8)M3@ZD8!?^Ue-9G!>)qO<*r}XhrK~_Mm3NBkL$;+oxx0tYD_|(O(YRLa9rz;c zQ(F$S1#PFicw~DSjx{|9XdDJbA>X;3np%I|^s>J}TgRyDURLouyGwK(%A0TZ0NSK= zGjT6@SDAXce1?ModghSU(>Pu?&l7ZNt6n!gpC8kD3^i|)auPjih%4>@AzP09wP+U z_Zt-RcTfTnc6vTd7}2%aJmfGZHM%0NPxa;>u3L03`sXp`4DW~G=4~)~9gBS@!0V=P z=P8Q?LV|F+*{PHt6Ml_`Kd9+&^cvuNo6}O#}7WDl7M{uSN|Eg?5WkUxQTR+Y#ygIKRCYR*brG@Y_TT8fZLkQr)* zL$gRBZ6^NG#hrTu8Oa7=G4i`$A9R~$ga^|N>bA+1F!_(y8l ztU+J2J9&{ql^W?lTf7M~^{gc6Nd*8Yh6;@-G|E4Pys+||TxzYDwP$z_BToqapHWL1 zB&7eCmWuj?VQlbGZ?iyhy0{_jIXNS?m`L3BKfKm=xU1y9`%nwzWIW=ti^=l7#+|xV z1xPSd@T4JeVKJm#;f0zN_6n-F2jC4xcyeKXrAca4Zy~<9h2*MQdL&%8a{L|ri}oea zy=yiq7b}dU&QvoX=ZvJ4XBeF1xWR^_h!dm2^J2I(f*o~Ng}*Gl_1GwG(2#!L`Z+Vs zoQh!8)UPO|oF$%{T*H?rd}mp{$KVTSd1tFsU| zy2nrOR!VBZ_06HQNW!U|EVK>+{^3$TVyfe`@fw^Q;g~We{wm z;gDIfG-23HC|J?yDMRQ}XShd2@9$K&2TYw&?ZL_qB`fXG4PyZrpxs|vfM1|9(3GDB 
z#lnX-D37II;0Eqd>{;Yx9yWKcIMa|^c-lM(^AO_$S_xib#^4r}MX1$^nk|GRwGTgq zv||=INEwPu^wO+pHuZNx9sFPF%#=CF(iGgI*&9kzGf_98C@WZW)wwk1>WKlU(5XB_ z5*fpEp@vy(eA5XncDdo=FtEZAoCU>gxN=KX+5q94yGR+0MP0>27eBBN+aXrzgi7)t z4Y`Me{#=%9_IcYB40mV~qg-3`F&(4@IHBL@tlfl)+`4DK_*&IXp`Wz43l4PbdvSEF zIEg77c&Mf`HJdTip{3ejE3juT(Vg+J{;aCtljJob*UuNI>6Ek^^rPQ0->}fG&85}F zwfr%T>}{WVJeB1CJ;uy!QS#TJW=P_)5wba|@|VW4Xj)T_=KKE#Q6K_F$vn8PXs`xA zPYubJNzG5kE^H+FW9A(x+6X;h9~s`~i)6pbC}zJ7ns5Jebp6*gvmNuFJSKNK;4Wf3e7KzkAg^J4P%scs-+`0MWD&wn6g1Kt-1I5|;tecX|Ji)ugAyn3Z= zd<^#~zplJq)<@ty359^edz$Yat7(I|9-xMd{eA57`i4-~-@|QcYDSBr z>5NBU^J0!Kr3ZLs)p^BrGXZmz=ni{MP%r&B1(-SLn>y#lqhomqr5LSnT;W%uyK3q0 z;OXvW^#cdkG2g9Pr7WmteFVQD)sJb97Ihp5=ve9Jal-jr9v8%HJFGpf@9Z(iZ#k|! zwRBa|b=;i4bbC!Y%_hU>f}Z1-HohX_TGWFoFele;ZxQxa^trA>uTqYdyR1{zXI2C( zB5V=g!`e=)R(QQ`qy%4zF_eR8gbw!Bs!pDHYzlI=yyx_nCv4ht)q#7OB|UYQWfLEc zD-=Nk(>VOfNICw`l41Og_04{rU#o%WIXmdS|pr}HOjOV=|HZpZyR zVHou94kY0HscmHjn(-?K;(fB@o0b!JUwyz}Rx;CSMOn_5^yjSk4a!%7NPK`FB|pN$ z`B2iVXf-bP-{d_UKFnoaY{(~>NHwUi+cTfRD-epIMr2z9tN8~V zu;SNouX!hvJ`u6uMskrk4tWL`*9!e(M>gf1(iHq5iz@VUM*d{kyZNghA}u*54uyoL z88?fTnciiVpET-7t=j5PsWjve1{e*MQ3Y`>zAmCT&Q) z(l}D(sq%y3?@rkm4C`;|<_|IWWm78R-g5mafF*WM6H$gTWA{NXpNabjW2#a9u0(JcC)m(9E%7 zPa&bOb*Qojk7>UH%qxIKqt(aG2Spr4__Pc#C*}j@;|(xlB+K!ik!;;L$T?#veDBtw z2Ts9)xGEhydVyPg?1#zeVxCgRipYAQW_XBiciI?wv_pbF*&L7c@a!`U-!6wCFix zvMyM(R*4~&;yUNs5#Cbi@GV9-1y-=GSC-t)?OPdI2rV=4+fs1lcd7eI>*%LtR%ivW zZEJAq`0<3b#Dh5aLKs&kUi$QUn~efa(Ll_tYfjOoxTgjwa_Tq{@~RWzcB2yLR@i@{ zUJ6ju>E&};Vd-+ZVnM_dzWt$AQ|CmF!)xcQ=TUrLx*VVS$6Bg`DeuNZKJScZaOpDf zS~Kh^>*!;UN-)Bw>t_bB$))@qVfy>1pA=g7hbSn`HQnzy2Xx2FxtoI&^v+5<9*PEW zQli+*pslg-+bJmAGg%vA7PfliH$Cy4Wlfn=@|dVNk8TCVA2Di*bTZTuXoN|dTT^w( z17^9E49y;WdNNJ2yaPUDgU2A{y9nBJ0?x}(>w0jdF_O*FtH}G>@0f>D@`GozA+xDF zG8uYZ(qz(6xddb#VWPzp5PuAoi^4Z16{UXhT`iyoqPcDcf8?cB$BImhsZzVZ)4YDG zz*X{BfIb5+c5!mS9CsKihI6KpA4h{6BRD0l!pi&j{uRW-LOoknM|%r7O~V*OzBDIP zqdFUqCs4a!v2kZoOj(dtj<|andbX_MsL%p2+hR>Jn9&#zq+5Yz$zuE`WGUj|yQr5= 
zOWaBwlbUsaSp>(JB%QGmiyEu3*#80uWX~v+uP^yEAq2fEt&afBFMMWt&IN7+7Cev! z6j3SoCjj=R0sy2pj9Wr{VMYjYLwo@5=fi2tiGb$`p8*TZPLIy@$xf?l!-sv$XU$W$ z)9d|{{*}NBvULp{=xx-+i=b=%rv&gcB!Yv~&pE~skaSV)GTtE}u*6^GGV=5<>wAvN zHuw9drtewrEndmA-%+Ra@%CNRNM%WAk*g;t1u65LcOmV4-tC&}GUNT=lWB*`hU`xP z%d)pf>!*D1KYDGqF?H81%jxKgm2Ti|2441b<-T3&+nys#=XH!e|7~d!p`BUx%fvR4 zR9gYV=GCH?Z^x0eo6bG3NYCnHrSE``u)6!Dp~3fM-j2ELxl7>fT2|Wo1>A2NZ(~MF zq78U9v8+??v3=%NNyhIL^N@16cB8xG`($YG&bG}7vEzKZeF-#w>fHGJ^Bgw>)e0P; zX%<)Syc-S{I1FT1^gI5_q6cQYrcrC8cO9{r_q;Wb`093C$8;2>pP+gP+#d_cuU3Ml zlB60q+~0mZH?7QQpJxY7_YwG}Xr2vGWZ;z$tX_ZZcRft^-p5g}XnFjiBINw4yw*8t z^p61x)m}ysTnMk1y4zmYwNb&r8GhzzZVbNXaRwtSi0ikjd^fFbVR$`F_x2}DEj&&f zTIaz+T=$^%y%@x==@y+ipW{TDHT}aRT7x{#1JD}L`(Rhv4|Q;2MgYJt$;Pnt@K*j- z5hGXKp(AiMhkje7?w44~_k!6aW?e!j!L$8t{aD0uaJ3BB6T;hUJs_S*mG?dw-kIzf z+VBQE9e0Dahd74uvOAO?o&Q`z!SwjvrX%~Vn)S4O5_v7ha;Ap9xN$zW_}YAV{pVdyUNRcdTLWmrwu2#Sd(cIcKKSs-h}3CU5wd zD}IYZcZ6tiFiO4sM+7EyMa#3<aK+h zTy5I7xRI!`g1$$=(@nT$#s~Qewp*nr7_S>)Hg zc`O~`@rA1&&WXE3gm7F1$EW znjK9gELApWz4hB1dJaOni~#K(saN&|% zbEy40quSg9fsV#QUgc@KHQE&#H3SKz=f-(A>;l60=gnxl_}m&J@>O!;ewSn)gr?-p zKDId=*9ZZTN9uV|riwCs5sU}9op5>eUfS+{4}6|zBx!U^X&NMvw`!;?+23_Hqu3_HmQH!9_B_-?Oar&VpAyQ z#DR?(RGC%#`b?Y#Wx4Ux%D*;G#D$AAVUDsv5l7E3&*;VV&2ks10LU#EpBS zDWiofQcPX2*-j&RMeLO++_pmJM35wOh+_37fau}ZqD;I)>P9#SC`k5s%Tc;NI#uXg zhSu}ft&R>vuir6S&}0_~(?*GC%;|cfnD}*O;B>TqT#=R?%Zl89|B*vRb=isxjb;xr zVP-32f+dwGS`EQgi*dd-Lhcz#+%rLR=VY4aHy~&t--xCT7(NY`={I z9e!)RvwZjKjrlNF+<6rR?U57ifF1<0U|>EP9umE_^59gXYGKj(-E&E~V+$qfXYFDl zM{&qpN@p4IB)fU(iM4P=|6b0@KWq+;59m>4|FL2|L5-l^DgDKp-n*<2CT=%2getRf zfq6@x#qhn8as+mgdIk3H4G_ zerKwOrS7H{sV7mTl0U4J2 z{t@0=p9FZ^rdkejh3JB zKHeD<&7;5USga zV`NVW1-f3Uu&(Ql8%Xgc+YkC^GHB@2^yGEjw(GET9VvWDI%~sR34p3c8;+gt2*Fco z-1WX^Ypb|7K-_)ry1Mtxm7W%-r}q`U#z*lTzLz4jYwiaox6k46nqimQrpt|gS3N7w zNW5OpUgys*{2!mv+t3{RcdzA0qblc7gXyDjQ*+h3?fRvl&B&}3U7&@B$Za+7rR!2sldDttH%I^kDhGEO? 
zc5Q>-X9)_2L@ zN6quZSKQ3`R}M+cblX|e*6U8C>$%*8zS9kv^-kwtXNzCU4T9x$E}XB=8i^BbNoSqR zMYf2W?tSW7tkeDa$Rw@~-%ZfQ^QzDF{MJ~^*+=JqzPl%a;Mn!UaD0*KcnSXF$&DRg zkwJg`%72Yv>v`oWn(qK9hxJn+5~Sbvuw(WClC}gzgA%<9h5e))?rW++L;I{pcKw&0;c8p|Ckb#Rs2>&xsoN>$ivv38hPmt2{HxxEB*Qx)&Hufd;d)y5E0uT)kQR z&R3*EcgIZp(awKW=0C?!cIDWj)X3^Fh`MEFlxyleG{F@sws0!CKhVB_(MtW71@!^& z@h<^K$#6_&PLvW9 z#BDKT;(-v)7M>|upjuDBp+Oq!N9i;)Y)3+swUO~@6MUxxneC1kpA<=a?BWQkve}Ua zbor0b3t*lKY{J!XZRMFxfh3wuPLc8%e?eXUU(|{P;;qvS$Uy%mtLC^%H*&7Uy;@4? zeXy^tjlKP^Dnw~&Edq>2As?AXCEoJ^|08y40HShi9sG&lbZuPqc_s>}HbmM=NT~6> z_cxPFA?yB4h@-khXBy=2kG7@BHd`f4$3AWcJ!B1>d9dO*5J|&!cpf zaYhB#Xcm0lupqoty-nRbqW4g+te;bc0QkWIzMk^hBdhjc{22oOi5tVd$nbI z5aeR&T`m_rw+Pl)tVz&l`6{@qNkE-@b+YvMl-#D&V4y?H=vpLBu6VEPA@fZKf;XeE z3L18bgk2$dEVNmacb=X>FLvD+gj)Xx$_6b0x!I)bE)#?{BQefX?kGS(80o4wJA{ma z3VbRzlO>-#=sdR|=4z2BFJFc~_*g47a{1zL5C%ut&5^8<8x!wm;PsqNG1A77uRtLl z32G^sLqI)_?e9biJGw&*y5Pj~`YgrX?u4tQdeb3Ua;nVZAKse`c^;AUTmdRp%ujay zVHsd@q&gLeq4yy`v22i;;`T3)Br50tV4pUp0drqP3U#cR-2@AbVAwVDU5jmlAaBVm zh9Q|Jm~!Q4)q5wRG(a+c2_HOTAw?K}V%AzK6Uv4}RaA%TCnc}&tsZ!@Q;~0kU5BYA zTR{B^-f%IwP*dCn+?8XcDjzwDRJAGBo8HI^8lmj2quxD z;ur~IG!gM2dCATx3ZKHTU=#WXhjNm`U594fM}M1^V8r0c#K4SBHl@f`CE+jwTyGqb zCG|dMeuF>0`x8Rl8C6bbCDJCnM3G*V)4KXPZa?}rmESx+g z^Hbu`F5wv#;YKR>qgNa}_tG{B>x(c$qsfh?4#Vc|lrb)7M$(_@5sSXt+8=+k;9R8D zW&aOYf@Tc@27BT^1E>F+R2K$Qx_7@=)#Qi7cVyA9nO%X`FID^erD`EWm9hPEi5@*Z zPHqKs8V~4UoK{_X4aprRi#t^=_3o!a zq8Ei9(@Dy5oY$#O#~CU5JN(vt6B{*-!?x;`pviO|ThHBg*{k;$dmqr6t=R}*Sh8fh zm8y}|ndm9PWgiADp~o)Am$?N)d>z$qR zBMKd}(uR!_}9ht=0p@IN>o!%RGggsPP^i*v8pCJ9dYVU5)@{}@VwUr5w{b_I@s|bJf{)v8 zm5x7LGOQE%zxSBdnxyz4I&7BC&aFa~3LZmM4Z3LMP;F4?m)fULkh$CgN{diR^~WBS zyd`bewfjPENlJ`e#{Wzd;b_7^2Eo_ilB9RZiDSg}yMslKn)Hwo3-Xt68$k#!H1{U8 zNfl+_nE{J8ro_{%v~dPpIDao|OwwCI>?8lOVn+FgAXO=W(Uh*v2wt3rkpRn2MGl`9 z!Ar7ciy$jeT>2~Nv~DVO826ig9dwsxRA_7HJ_|(Z1!KV6A3(gU+yXtPU7tv~$=w{~ zEL{WVG)b2tl)9}wFSfHKfAN}4vQj-IiTN88)fpQ}H;s6RxRx(JBxID`iPJSG&(WyT zw6bt~!eV7OZFKQ!tha6n)}m0#giRhrctn=+XC=G?Dw7NxY}AAsJ|i}#Rt8LLz{+%D zmKcxCZmp_YCTrr-#@Xt} 
zQeE)qq9AlsQ85Kf$iOlnI*GR6^$XQSYB&@fCuX9Kq=fa3-}5!kCO5HXE{rKHfVU0{ z7I|=S|Fnq7dV;e^lBP->Im)n4oNbe6Fg11WA`V~%YKsl7c_M_qq2p_9b z6e^L?h~mGbLdy}zpM6+d$5e4o5O{)KA8tjJgTWWFM4qhZ>`XlOuU#YFu>zrj1uTHH zLe!4O)QfxFu3a2Y`G;LwV)CI5KW(s&W9A~;EMfm6Sk<^c34B6V6b7QmVyKY?tQSTi(mzR;!s63q^dg-o*G~-!B^&nHuFWEM~JBtOX0{{*y=XAH%~u_Y+ciX;_jSmN>XA^ z>$Ix1^Qr==MJ!CDjXOP;FOSL#QOXZy{VP0G?=nctaBJ_;HmbA*6{v$S*dWh-%%iuH zxupI{r&~evLa;-3*Q1kl_#ubUPLHbO7*u$Hs~%d<`V)Qr<8h>ndDmfTRz(7W-t@O} zbwtv7sSXAY_*}*5y@uMwlCSJEapZbPnUORToVTYEQRbQa&!Ot@d*ax-gaLZ%$13)| zRyi)dtelE1tLphM10jfX;|>v_WO=b&IA!Cc+c{Rbf@}A7%3=}Njf*93Njb4f?{rH zza6}P>$ewhI2^d)cYpNvn(ldPzU-^ne4(@3dwAb*IpNRfdC-55_dS!B7I@rARR8>nQk0=hHI38}NQSFxrpB{nbm| zV1l6I50rS8*Nc{wZu|AL&q^l~#XXGAgH(*?rQ5|-^E~uJfrRhpW#@D99=G{O)L_)H zeFR>Ws;YeZ?f5ok2fy!izmr^2iuRj=9Rl0uG*`u?ses3HsORqVLL&1+hKKr9+n;9! z+!{VrE!RD(C;N;H{m)|b`K%q4yOuU<_#!F-m_+Bt?7p1ZnB40~OtN8%KM=L=<5 z?x3#N?z4F|SC74R`<`|XM%5sL@5>`%1>w}^*~tliX%8#ES&IQ;PWugT#6FUs=X>{} z-u(}kBTa#9w`bMeI-pZt^pRI`pV(5aa(Pg&mO z@4h7KVz=+-g8#RPkgtjg5aaXLuGZXP+Hb;5xU1B0%!Jp6t$LdRoIXpXK9eX-fq;p0 zmY~e==Y=_bF&Dctwsg>GsR3t~6?-@>WRn*fv}D3MHiKFG_9I|lFyr@fE~@6ZnRHObt}_=bV0})rZ0(Vu6jkg~J;Y*2Nk^Z(1{?Jzced_z&IOM zB?WqcI5pieyvE@_gTC^|e+F9RCeYZ*qbmj$3f4qd%xfgEg5prv^B*?0`17Q(;ofGs zhla%pD)Dzj|ICQE4BKiG{i!`QGq>gb-2=mq)v;5ht*X(`e{tm)q?+L3pO8WIj@M5t zEtJnO)E_Cx0u~H^N9Cz>DZqREVhN*aRSu~0WXdUs^!&jz*IFSmAmfwy;>i3HvYP!- zh*i|PAnM(bBgOI&xkdX7OSn^Z#S^V^!D4C3xuASS3VGv5Txe@bxc4fv7)4Ki3UWATS@)^_nd>AK6 zc^3;d>CS9;q=kN7rub_vAAgR96riI8kE)Y2mq?tCZZQ3jYS+Cc7LGd?n)b*!gdJw0 zMKVs(8{tK#B+m#CCWL>IVo9ouI?WButDI=7*WA@fM&|o9e}83^gr8QX7Nh>d*!8qT zr#hq1zmx^REva?w4-XrzY=(1>_AM^H=2;SVprzShuQAP3C~Jkv#ZOhEe^O0X)WA>V z7(o{!R6(ix1AcsR9+~N)+3JP#-?4ZiaS`y9TH4L)^$Qa7#H;xk^(T}^!a73aVp3I} zj#c_22DvrO-(agr;;D)J^#tLxis3MEqdWx$0OH1l&0O8)Y^z#r)$j%Un5$fAvgSd^ z6{l7Y+M8>U)E5Jsx~$5SO)xEur7-*Ty;>BIS2h$qQ=nfzQx z>;ioee!V<_DloD3NADR~WxR0xmZ6+%OV%RmUnFrTdHANpP;?jKl!yA*wW$(3pUy;S znfH)?M$d%>sIKK?bKJXeoam*&KQ@xkJ-`qjq}bEc#tGJpUkNfzY`>+;C9zDi9Ps`x 
zfZXt8Vh`2l{ch8qdKe0PHvN1(4^W*xA3jCoc!YnD6Qcv*KSe$hK)d?jAYv43XyU}) zyRUKZ2x3h8L+3x&&D_UHS&pc@2F=H%muj3H&$-u+EnlVfn>YI^2d<9WSBe!a^C}4{ zm+R(z*L&d69)`Uc@jD(vW~qJcT1bQVCgl5dLlL0MeL%ehn}2nCzVqhaSKrZ_=89_g z3!O)Ac$bHpZSx7-#m};%w;?b2{qq=Yx18tky!UM2tpC?dQz-DW!l7}VpTX(<+??M@ z?jo^bbhvJ&v*oGgn(ID3DLM|x%e+b-NbBttv830!H$#EtZ~n`^wcfdt`KIY=Wfic$ zTWC$_?((O9-kzQ>MMtB{G-|1u%X6*hGZkIV@67q3yrOi6&-dQ-O6DNuAINzlL2rBi z9HCaa#{DeWXQfBZ$9HAQO&c)Xk_t7^!z9pccvJNZ6b4fC+#OROU&^0*O<{~oKMz(; zX`X*x9sbkr{)DN4-=^AD?Xdxny1p3s43=FFD2+T9xfYucD4m* zw*PQB-HUAK)juUj+x48C;X9nLSlf^Dfeu;VxKFMfgj$u(@*W}y@oDVaT=r*Skb0)q z&$e2AT-pivShV@RY^xSj*?BljJ+wWyh#3{ZH`5oAh7Q<8t1p1w27ZD%cNpk*+^4eK ztW|oN)?j-&$9d0ybZ%=8p$#pon_C{&VJrP9$t~PgDJL%<%aSjRF+I6Et8UBC>V#f1 zT=G9VK~gc7zW00+dSo-^&PEZ@DL7q6I_t_>yoksS?J_hC2&CBL=f zpp=-^!zELBKfrB-x!->=E9f5(<}>JFXE*H?WcnX=eY0(f{a9ZDNn)fqo)6$Ry{*mo z(fAqxb87NHUqK7#f_?SIiYQ;Z*UPWn>#qg)2-<+SSRHFz;R0x)B?zqO0N6O;$9i7p z_p)ReFK;H6afu?y7JL~2qCZB($|}LuOi4_A(5X?Z5DePZbnEmGGR$f+8f`iHF}MXHRQjJ*%VAWDoRBGq`>*|y6+ zzwEOXVknQ1F(WYpVR$q*3G6+$>KkUH`OjgC!VO2Uc#AfjscDw$zw&2I+K0b`|T?-+s|j(yk1KbFVG=JNRyXcz+JysU|R- z91zU27qOF8T!wN)`i>s2nkd^XA!DN`YxOSRj<}445SKUQ3QYaU=<+Ozp#W!L;Er-& zS**~TLDP=aG(j6EMk5cQBhSLiuw^mC7}A=aK5|-%OUcpjtS?UR*d85>3eQU87bTvE zd`Ob)mm?o9J4#(8@z8-631|g$r52XHbIez;#Jf;|>>UM=QqY#yTGH7CSXD2BUS; ziZ$%ZLmx8RQLVF3Du7PY6Q&eHwRX==g>hVnO0%1HL@{dvuHr(P8CPuSfkwf(F0}G$-%N;#wS~K^l9l`klMxy>)#tO5 zW;MVV*cuc|cCKcX8rb@rbghEKQI__&=kp61X{!;{#?252rAqOT(}-+298rV+r7PtD z_>;gNb%rpr%;Mo3`Th;1g$`6Gsnky#&z^D!1=RE_t`!}~Oq7cy4vn>awF0{4Un3uk z@U582#XB{dK zS}N=Qz@Cz-Uz^s!X8cxiEJpxATLK+^XX-J#3gJQDBQt>vVJF=WFCL%$QNHcJ-mba- zfdF&|Lpkb2q-#-E)*V*5^gQXTP;Hzp>lU!t021v%cX5I@%Q2Wba$~Dg``Z z=XzUu!ty=XeoYI0px=6qY)J83oe2Zy?Tx7_uVS9PoTwoB2*XXm3n2)V~$Q*4E{^N!5> zCchJKuyO4@@%)0?@>9_RPakkhcsa-W)`k>juKMT5?^m`wSms(qx7TPz2LZYMENyLv=geXMX)5yHb=Pi-n}Cy< z*^4%!mv_=&9?eeBhuZK&D8H{>qL5kK+vCW&P!G&#G6}8V4E&(DFc)u>Cx|MQ;6?L*B;Y74cmF z&>Q$Nt!1_rD3|3lMDE4FxjzyWMMz-(pyX^hyhyN~=QA3UTOj{SuCfNOy|LHyQsUr! 
z137=e=PH`@IcMhA`PzE$nDSY_fOkWuqrLVg2fFh_Iff2J`h?DHR_ot|TMhKIOQ#P3 z2?5G8@7+8WZcI&2|8Y##TMy&s9>@g3u9)MG#WzLM~}IK>Qbq=@x_ zi9?bn73qg^Xxzntp=uVCk2CYZziBRiQbWfb$R{BOBTPLml(UBuWmQM z0&SSjEicgNvOm)G);@6@m3;Bn#JZ~m3iso5o6RGAVEIu;W1+C`F&IA^qvS>xk6p&9 z(}EB6^%81~YpTcx-ke4%tYoP0P$J3`87y)S38vkG41h8+=+Zel3cG_AVpmUM*Cx z&OJpk4?7@nEn$L%E20t_O$)uvgCadwQ&mFGN^T8>!o^ZwE#cyGJarT-nN7f{xPf28QN>DTvP2#!6DL(P}oO|W|zTdEk%i=b4HDNCRKfGGOEG_Hw_$k z4-C(Hp;PVaE#y;-V@1gY5D>Fbm#2=ePuG%OjLG~%3=!#wpvGj4YY-+sRfAUqcWlMm zE#g+5aI3GQF@CBfIkPE(Li^2Q7nMObl*sK~vXj8eT4^qY7Q7gNO(v>H|1H80E7U5Q zP@DJrnkBz7HP%>YkhN`fUR1_lp}}&HlEhI5xk+Qg6S2Y+ zW&&S7gwxc%P2J&=7JVEF zoOjC<7#&jzDr10(^fYpGC9-6T5fk#3oFt;OPWPG=F?wpQ71L%Mh8a<8t6~g~Rzlez zx3mX+YypX%LTCqD9U`F0`!Ds{Dr?=}8WL=FY$VSn^z&DjNg;&=p<(cTZOcr>`%MEy zmrPff&`AFj)HtDSR&P5M4hW526&Uz(qwVsOz-Y$9;d-J%DDtYKphA1GVD7bti)JQ* zIe<3;Wh2YrEKY#Z*3o94Cd*zBZ} z48{Zaxwk@!S&>`aiAUc!qWThiwGA?iDste{gdOJ(7N(}@1aXa5f{!v{Wd-UVOcDrh@K!L3v$H*dJbV3 z3E-;|+hWn14%TO%3stYsz*j(^MPpPh!_jSl%fxLc_!>*C(5|-kWzLar1hdlkJ02$#D^sLM1#1QM zocBz`rEs+0${f|Xbyt`(ekV*m&Rv?`IEBAN$dzC>F{Yk=V1!GFMb1>JQXozmMl4KW z>q@%^IrIX7Bu$?1tB}e$oiziEBDF3D=RNKJ0YG5G0QEy3CfBbG1OsRVO)i1}j<~Hm z^GIJW1DAs@6aPDDSARX>LymH{j*yUI0O@!1J|^TW1lw=E?;;@06XlN+LNH1wAMf{> z6nH^ODdBI3`=oMzLAZbAAhk||PkMSbUCp}$E{69{@0AICK&Cz?swo!yZvE?cJ5C2t z6$kIUJU3T+Vgg962%y8O`&dVc&TY->;X$)~w`bT^b= zP2SqR>vr@4i=Ye8=i&Y)?+=l1-U63bW1B3=< z3)~~fnd+5&+2FK++G7WL)-3&b7dl;;^2N3>ZtS;o`<}HMSf!G)E4Hku&3k|NPNV<1 zzww?eKaKU}h?|O^J(A}Wq0?|oiXh;A{S0Jpm2kJH>9{$X{)_0>)%=F|kGF(BIO`Qy zqRw->H}>>@nEJ-<%)&O=q?2@P+qRu_Y}@GAHafO#+crA(6Pq2|#&a?=Yu-6u>KE*_ zu3c4kRdpHQ0B@=xR`BkujHvZp2(%|Mi*jcQC9k1PCsXp$u00QX(}vbJr|qCt&T3uJ zydNElbo>zOoDQTY?b)KL`JTfyp0~Dt8w6VTKWF(V>@+@8`14=X2yU+o8yFsK zzrA$%cU(_*`MFoN?}UujcwD@$e2Y+#?pPAFUe|4$TOL(Oy`F>TuMlZ^Jwx0d-b(H{M7&wa``gZtU* ziOC(`HU1b4#EHR|&9KpcM!Sp71}k|5Pvv2IXZKn0gY* z2N!pHQI-Q7@gYamQ&Lh96Auv$4UCj#XP3Kz3uqOTzB*8NBn*&0jUHgAJYYhhT+}p~ zXn^X7>P>xnUs-KWca+G%!78Ivy&9~lq)Ap$0ue$HzX-z(^a#aaQllrJTi5#ikX=i3 
zOPcz&>#Y^)1P+GGgOUwe1{}c-O~mX$`lV7E|5K@Kd?~PV`*aM)3Yvv$!oS_OtiQOV z@vmt=qP}WrN+yMHOfFdK!KuIM1Qd}bjcPVU%ffqJc+#0<@}-9tbqyk;3KB~`Dt#rd zp#^$Zt(<{H=0WNq@C(i(_efCvI^q-P5|EGKE4Vf8PXxbJAE}<9_{#(mWAxK7k$C-= z1XUn5VnKc2@HzZ|u@o+f4tco@I#sDWjn8CV%)RW)RY#7%pbUX177DHt=okVHPY{?k z2d%eeh9hKDD@Tk{l8r}7s6rJfajY$G99yx=+L=PARV3D8M5;-mo5X^5vY4|U6I+0K zl?cTTgLBFy6PqQrCgJebco-}3gOr61lMFc8q`` z=$}b{1B@|4|As#RXT=o!oTg|Ar>q~*qG+Y6Q<)_|eBL*Tcs=Yj4n6=2ex+g~{F4>#=RxPfcn^)^ z?9{awA*X_HjkFC{f#yr3IIO+m%qY;uVT+GcKaX8k3tuelAfCN|hYS6awGT4&Q#eB=rXAS`r_I(+)V=g1*;?_bIv(x|RTWn z_pH~N{=qpTN=&H#-hEeTP#a`i+rl`U%dlsg zWZB762bx?$j_t2|m$P~)l3}810U-=)ibbw-l>%uKdxt$pe>OdPUs+-XW1~I`!=NoC zxL6M!1!5aHnQTIN%Hvf#&7##Ku939Xm^tp6^7o}2TVo{(~Q@Dohp!7_5I1xJcC#_FP#`h}sH0hO7>Y5_O;DW^$2CYhs^?1C%vvLcDt z{cSyDn~ywdi14BEOcYfXsHk_+LNfMroy6)6FQny%rh>29 ze=RijNS73R2S%eGv>Vv*<{1A3x}j6|vjFMH)Hj+-(dbhtQXh+WEkb zL70_fNfDBin@)R`amL`8a)X&ua2Ma~NKIhSeO5VCgvmMfgmxy1u7JO<1qOFY8^!j( zpyiThg|G3!HG33)>o6peuQlqDsr=MwB*R=wrPoS@DtJcmf`#jO##x^YCBQPY7z7c4 zMG~$nxX)yDzv6Q?+?Ju>Lz;QLW_(Q^N`2CwUl+V?iKY5nYA$&dh+2;Zmm*%UyZGFEwalx;I!k8daF{iSghBuxcT79b>0cvT4 zdOdf)o=I(=4@1ZaHf!Bi!`iwI@dYEdABNljgn6Khw}7?d<|Ies_p;NjxfGaV{K6}j zclz_G9GO~96@#-aMh?M5@2h=Yh4u5^mGh7z=c5vT-_Mq5hTh{2IfVA(y`)9l26RFm zWv#CxYxUK=c!}w@+FbVuCjT zuL0yFg#8(<+r}>WyvCuG$(ND8{-KCHXDJ#OQ>nQP1iV*>g4UmHhYGqzKwI;+wp>RW zyE@dF?C&di!J*J|GvK{TQI+E{pLqS#*={3!`z0B5hCio;ljrp8x4gG`)iI?llMapE z=Lh5?KZn;LvJGJ8(%r~p(%o$4bZSVv~~B+IoIWVg>513y9sIo_m4Hk%3p;W$aZ_7ZByU^$d9APFMf@y9^%V{LQ{y z)6ln}qF_Im;l=WMqOL8D@Df-A{CVC-ELH5? 
z`Qn)#FY00dcuwK1S?(#T16>js?AZ&$Q<7$N5(ZA@oD&z)oVD;~91ngW?I@8TpoP3P#IO^KwMAl+Tcb07JFi>HRgQe zYTgtVu9JSNnsZ5 zFE2OMqa|Ge2#=nv%3?9<`3Q_N4>AN53Vr(TmYtb+&*mL4h>Y0=g5-TV;}2+Sa)c=D zM`2QQ@n)9A*dO`y1ySn27}}-vaz-`hSQttsEs~_pIEl;Lrl7e}W3XHHxHl{fR7l6d*=iOod;I4cLX~OCnko;|3e@SGXv8>kHOIY-?N{ z>fIAO>nrH%d9#OoY=12SrI!Wf!Qm>4^yn>koBm;FZThiJt@AC8sm~7~jSv5eAmPP& zFxG35#bn{1%7+6aFOc99wHs-4?x&0F%WBt}Zc*ivvtGJPr`?*+<$Ia7tbst16(d+f zkS;HD(-cCWL(3vV7bw$>ISH|hvt4z?$BBl*eX~Lq~4Ai zg9BI3+>+-XGGx&<@ys(<%s6cjtDHc!>@;^(hMrEKMJL*(X<#9TV^V#W_~bN@Gy)#A zn^r%?z1fpfP%s*Qat;~8DuFT4uc}Ns=!jV;h};Kg+j+k|6R_pR>;T0@6kY(uT67k5Q+g**e#MXip2?d zghyvC-2n)8T~QGYe)=4revOenomM@oX7&KqMgS@Ec;TuMOiUq!sfimGvi#wC$amur zIZjW3wmEUXOpz~@!f@xE$KN@1u}Ku51KYI_} zI+|BfAVWZK`sl}~qcNMX1*j}oFf9)zz_S>bEK1T*E0whFGev*SMHXuUq_%u=Er$zh zc+lacUx^YqSV1-^-%jNf?3*mxb=;Gf!O(Pir2j@o>d6oAB{4{W%8!5-vqW>UZQdI- zuAEEt#3H&n`~-Dc$~1G5ZN*eYjV*|ZA=rZQ$*fgigUQzuro1?w4L6H=Fl)cu5HPyCn{a@5EH*0LS`ml-{$o8r2GG&a{4A3rUpvEzfdcigkirub}1%f*x1JjCo)xD#yBR=RC(d+?Mk;dOB9? zUURIu{O0SfoZVFRoR6fa{Emmm&wai(cOhwfzz1$f``dNt4))k~d412%wXTnu)kBE; zi?mdqYvTQZX_DzvmAIUx4LVsDwiA<=;(2akDuS+@h1B?xgFDzN5S5kcK*I3&Nmm>>nqIXjgLC(FQW=DLLVdN z$LURuEJBvYR7mxm*M*oa|6wu9DnMaXj?yrVxj*IB+ppKFjt%*aYtx*qnas=`%XR$z z-v$bP7Fo2Fj0zhU?vntZ+o_xRdDL-D!{Wt)CzHjEfQk0aAHJR zrB>mR*znuJkcUOrsk;~+4_`nu-V_DWb{jpyOLf=`Z>4_5mPB*JmMSmyBkN{JGiRXG zc&YNOV@S3fVg6Mdk9D2_A<528Kt0!$j^mYO4=Cf$#|<|sU1SQA3j=#BSEC-z_EW!n zI_EZ$ zG;X!%v@Zg3zGhLd$ZD6n{E8sfo4V30 z>DF=a(#E71MyX9jCz;)7=Dgsf!CP-CwD=KW!EQl{EURz`;f>@Z z+IW7jK(&U}1A}R%RcVujWUz4FEg6@tKRH68He;1C5k#gGd5GR$%VnlCBhh7rhE^Yq zJ9)B6gsIwX)2BlFE6Af*YtNg047`b-gwukZ1e-5wq0+4q>r~kd^p~FTVoR}R`9!Qd zJ8dcYEP7jrM%XFNLLH)OmQyxIjVW<8v^f&sM0HZQG7YM#eS7Z>hv-NeKK(SXbLYok zEW@}1@Ey-n>4WmqH~bOEJ~V)VAw>BG{7C&YHzME!KIDa*0a42~ZlytEj=(^g8>Oic znDr-AKTUY4VpmMd><@5FnV<@Edj#16L#>vF62Zbe1Vtos#ko6Rf^RF-VFCg~Cvl4# zvSY-9j8|Z{+#=1DdO2L=%7k4i{}ScmlIW>Xyf20?-1$IQ7p)P)bQFOsYICEMr%jHl z>d3URwGU+R$gQM@5?qpw`*Do_E0-}_^iYOuPy)v^8eI^VTBm_$=gw+iXN7SEi6aT- 
ziQ3yLj6}6qp`uwzP0ep&GF$xpd7IYAQfl+lXx+ruG=0JgBM%fpOztSzuP+$~)X30{ zOpH^HJWO&}R&4+^h)VLtri7+IJBx8dwv7YtU;(-;_ZNv0Rcz6X!-rSWSa=In4QMA~ z8u#DJ#@ri3UFPgj>zg)^uy1=;$+lf7l`(lEUJ!WLKCg_cnXL1 z%Vf9>lyZzKv%14}UaeED-2j#bXZZN9lP+V0<{SeR&O}^Y-7*F4xS90X%D9sTTE~yl z*lgnU?~QL2*a4@$Jl6|9-H@X0QPUjVG?WSUk$el1g$do-A0um2FB;~mP!S}NNfe!!y6g+WM5fEv1=xc|O*>6{nu-1Fa^u%~qkS#(93vO^$ z;fC;_?-j8J>jm&qgbF1c2YeU1BRu|))2XarKpYagDso>V9L)-g|=aRy>!*$?#X>9e%%i#5U2^+E3dmaCw z>iNoLm`C>vfLQYEb(39IX9de!!?csleQ#rPyq_`&Sa-hk1!w}Rywl!HP8m0>r*>Yy zZ1-?a-jY}uU!A_BG5y126;fNTq?}tdzq?(`{q!Dsz1o;Br#3j#T_!^?M^4MqxSx_u z?=DMrqWD~|OIGmL#5bWP(?VYX1FX48BQD+_jcZId|8b2q!Vc|fgC z^QggV-RD*Xb*^nMkF&k=WF@{wJ5jAVm7iXvKz8;1CxJHJYdVIU1{gc~_#)DfZG@Pw{SQk$`IaDH_^16};w316GwXyIKo$$r5(OILiQz zI_Ov`n5T?PEJTgS^Nkng%xqwyaF9~%`tgTLzZBDGaz&(4<$#Mq>`;*1CidBZ zBsB38_M8$SON);)! z5fNOfSuBl{VwM~WJPiw_XU**}sIlkB%0zmEf{XkpRz+6gt_v#BAuh~_Xy>NT)z};9 znMfQEM8r+82SSRa{4lmqRY)5(85U$bXs+TvP=)~v>MHR{F>88UXX-Vf>-ZIRyqq|2 zQBuS@*G#XnAVb=N1VvpRFkriW{a>kc@~?J{u5p@*4F+uT3O`&!V20`6T@UOMzBs~UmSp-53?B`e?47V$m%8cO#UB_zzf!3&1K z@9D=S=i`ylBEw&4be&qYt~BU4PSawT0x-}GRi~c9uv=pg&m`rg(eZZ1Em_Q*br;E* zwr^TY8gQH69E}w1+B6xd(boOCwGtC$vlQWxk&1qXv(4x0Ib@4(#FOezz*ggsP*f%u z>#*RY7XD$$n!%B;&ICZUB9Y(>lFh>;{nf32amj?2h1)GWgB6A+=ay5Q59J?w4o6tw zoD7l#h!%*p2{caN#fI#=C}0*Hx?x?D6qzX9gD9=gl2)&!Nx0PJEmn4Jm!OE%MP`H; ziPkZjHQ23q8&)MIHE4$E2QNUkYf zqOkW~$9)O7x!^=xd)7JL?(@AR)A_h*P5N@OeOsi((W15!J$(`)) z{4QhA<=z9UZfVnf(R9CT;2lTlp2cn%R>$E7Y$0c1v~~Mvsk05~G3@3z*S<@idUf}I zEEBm_X2^2CPLy*$=B0)F$BXwe^f<&nNuHn}=duj;K>N1=Ha5U)=k-K7uTT7+y=~C8 zudj28ZCjStz-f!G2LH#2R2v}>N1$l~1NdO+v_Ep0*3+^H+2-f=o|Cpo-P^f~_v?)wnu*}|e;mADS$AL9Vp#nsoRN#ulc`A^w{HMqFGD=sk0JE+ zIUS~48{8;5Tvm3~9C)QEba{<)#|1zxf4RI}bNKiJ0Sa2@g|=pO&cKjibiwq_POsb7 zE{pT-&%eJ7X88QB!!kd;F)sYpn+OTGO&hxg=XJWeTW?Fc`tsgh zTHXiAm#_Vi@wzA1Apw1@4qukEo4~Rv{SP}{gLXT3+p5nMudk9fXz$wBXs5Fe`_vl4 zlfC=eb&GKg27_nA{Z5e-L^A?A-$Wb#h9^IXn&ARm?QGjjyT6BmBF^ zL|P{WgO|s+8ercj(4gZBm&Nhxcm)R-0ffp;ZuFZiH*|c?OPFOFv=JH@9vH|5LifLjr+K1v4m$WG2v7sSK;k$P5u}Qi~QWhy*#fy@hS-Uw3pJqY 
z8?_WNF@}TX93@*&%V8;H)~1N2I+3f>u+1W z4g_v_eP`XZgKYSRb>IVp!?e2Aem4(&3qaOz`WDZ8&^B3ETEtA6vZRMd;6!~Z78#2U z`5N>#)a|Mqp_ z;T_#gkOLLcy0kEsphOT@er5qi#pjvSN^pv@EzDFd>SrrbNZN->rBmXsnZb9TrtSW8 zHe^;pN-+>fMMn?Cr)HtStUcbAJZ2Y2?%T5Jh_OZQM~JRE-3@WI)s}m*Rv&{@)Ba6I z`{f|VI9TDLE=8?Ko+?JgPNfv%<&&M3X^1Jqo!})3z!Z2ozw#S$Yy`U*V(VJEQE%q#;Sy7Z> zLdTYHq`;3G5fd`4GK2}oWhq@o0*iyxggDdSp1S3cBwNO3Q)GcW)GqodSecl3#3Ef* zUh2^lFrIFffnjyff&+=ReyGl#AUYr6m>zS;lgxlC)uACWLaQ>-QkabzB(086=iu0^ zhE6J9G9^hcz!QnROh*HzC^k^H#~vC;PpNh`bl+ivzjWa?9E+O5c2-hw)lYAfx)E90 z^2@S?R4vh>q@!1+Yyq1WgvUq+`BoAX_jBjXJ~{sCix+tMG3c*Kp>ALT#8#;P4mUK^ zKkoh^94wTbnGLG7%}{J49iD6sQB}3;Hv%tqnUfr5ulRVOF`F_5s|3wWuuYaIs6eV- zR#pbzE|M!vxqdwbRgsfHN`u0mq(5+BqkCjUFrvn%*cRsXkPQ#6n0ry;jb_Uks6XTy zb}3n*37H00E2p5*60bC`M8_|=kuQr1z-G-+&`vRC#2J4SMzRYTw<}Pe04WY(f7^1y zJ!cjv2&U)~^H;sL@T;{oAFaxe5t&XEHLEnqQLmDSV39JF$n>Gaj)LkiS{RXx{taw>O4i#}{_E!gHG>>!u=<$bg`;HcqVo>YKpS=oO>GHSMYu-Z$UUJPiCZC=;r76{jE-_c_w<$K=8M-g|N{w{VX;E_yu zJ9uRE*vx#`1Zl-xyPq32MG&K z%T3s_9==RgN$7vPd4F$7fB3R4w|n0hx$XA=l%9JWFRycXgvT$N_J!^_J{lf@&o4mQ zJRq_Ei69vdGSENbHt!`aQT*`5{^~=4h)GEo3PP8zIX>?~@L${m5IJMj9^k+F%R=0j z*`&eIue1J(ls+1mobCZpi2^4{#6^R3^}_I=CL;o#cx~mAEGHhO%3&}eX2?-1VF(J~ zR1WdkDBm!lj)m?q<}{l0Yz`B;)o=PC{txaJiaG^X?0_ZKhlX4yre??l)|>UJs=yX3+22z;flz=| zD50<*S4?6~f4!_{A~75}^;ik-{?;E9@j;SlHTA~BLZ_(!gODYUFlN>trQLGL6-U#a z#w;&ZWqgrsQj`tTO==B`2~TrSZP7ofM>{=)wnYv1nD||!ez{d|uvh~ut zp3QrPIbhroU-8#xWA+Uj_L$dHojx`x!Y7#~7Nt~^R=vnm69(IXg%rEurgdg6Owd?HKdJucd$85GehRs|D@2A z2y?1buT(@61<#DdX=a>QD9-CHQ)M!DDAAs3nku$>QbTI+R8ua}5@94JrpKgOpj!;u zw&51QH=E+>M`OEYGILUM%8XZ5vXAC9sE`@`Q0Rw1Ypai66KH!S@l$zKkXzrNEsCQEnBRE8mtheBRGMeXm>ze}z`{YD4s-D(qK3)#mr$+v z)9lcA!8pVJ-ip_1#bC2@L1%h~xZY?RVrCD`o^u)YVlrl`mMUPJ|IrK^$sS(mLO148T^l`?2;FXXa31Eh3K~ejZ<(mI;2Gzazqkpb0B81%818{{pjs z{ZRqHe5z0(@JOVn13^gpk2go1y7KC3{6;ZVPsh6y2|M3;D^|eTV`3kFgX+^0AXV=; zo88G-!I-1V0`}|qyzg!_>};S{;`JJV(6`2Gs$$k`WY2x8X@|W70POr5y>h+#fRE5~ zG4dk+Zob0X(Q;uelZMdiebuJ=(7Gb%B|3rcb!5;h;5c(_w|1=HpX<0~E^(FBd6~6I 
zhz+{&Ab%xt9AAQKxeNcX2v!C&5rxw=G-A%rI_hI5^0I`u;_f!t-TNHLsmtWKz9X>e zY?<0}#mDHI@BD8?0-2D`cf}x0KqY?0C2a;-1xLpRw=v5gT!^Oi7Uo@6-?d7Oz}GZV z#oyy^)W)?heRYHXy4A3bV3%!1*_#H?F5^Jw_^N(odo-K4`tefA{^T?@;FUi+)=HN0<(+k2F%7eFO4}?|2_hpg29df7BQqK!O`^D$FT=tL$ z`@KAU9x=Z9#H!%Ccc%5O@4|TZHDz95@0`Zb`+gPYKAori=CF@jm*=Qozet=lonzw* zkJnGAsQc6{l4n<+r~5qY2AQCu&*vW00lUoI{g6i9D!4mF&RDDOeNwcsJ(Jh-UJ*C7 z`PhM*>TT6kan88aeP1vLc-dICdVhng^*D@Wz3%;o>h5=ZTca$K>ofA{UHABgO_=9> z8_5&N6=QGEZ7r7m`O>qr^X4Fa7SQ&l=b$dm_n0FUXZJM{vUM+iqU(2^Czu^f_`Z~F z-}bl8D^g&uRY4H=u&46mQQ~&Eb>y`{@c!Q>uRn7&FjQ^`Xkh$7`L#fkM19n@3><|U zDusrQ4mQCydRX`_e|rOl%igse3l6*##n%1x|76nB)C5v9L<6C)sh6uLxp5y@Ra!yYe0>347@KLn>h!H6n1j!&UZlvla9goDptQoe*AyNlan9U;XfDy6 zpCov}^MiP+C>dVV@~`}!7XPT5rhg0J1XS9E?)@+)doo=ABa0*VTe=K+8Lpl55ob`z z9y~l)^nHH{L6zrHyA1v|VTfrYCCZ`&bS}DI&5LA&qbOvVsJ1j~iVLDTOKyfHc5Jyk z!?G2WT2(U3;cFet3WU_IDPp-YV48p}|D867FmV@&A>)(DWrf3c- zUglKLP2mnr;j<;p-XSupLm#vjR7ncNOCHj-_W28)VGt-uA87(H1JW zG*~>Xu#Z&P`qv)=kKFk&>&b%iK4e4IbKl1n_!4&j{P`b? z_Y^p|5}iNz%OyY~pgMCg!X@60i@C}wOfk`^Q(54g+h}s3Y51XDxVfqGN6G`)NwW++ zBZ{GBGR6tQHCu!b!7LrgmPV8kDt390B&jUM+co?sB)KWKk{fGIHxDAP9cX#j}COiu=2pw&DbRu7RTICz*~|1qPo z|1gN8Hfx^1k&cS_$M+LUFHY!9JNKVcf~F-_{NHk%I!&tYcIpJalPqiUSdqHqy@t=O@+U$+!;M0fv*mnl(3a}wy=;b-8hmD36|IQMIc!Y!9hfVE z6rn}2I_O=Ue|0ZcvuaY5rx@G$Y0jWc^Q_>KWxJ4PP;^glHMk{;F5=|R5vU@?5Ui{G z%($&#w;)+N+ThL?l|)L7Ud(dYI#i~j45h*cTM|~G2FJ-R=NL+eb;f7WiylGok;C?C zO}`j^#md~XMwRfQC^rxMUpV&v`^zF+^Z!$p1^twKEtzi!VT7sBgm3fafnl0>pJ5}= z=|oB%2_MIR3yd^^Ci(q;&NJO6#~Nup=5`tCZ_Y69JS&^dtIOUxOEt|pNBr*ZY^@Fl z4rdn&D)0PVhMzSV)DqVnb3aS(4>T6^+s|irTgaXA4E?db9^JkQJDp2EZ)yMTH*I9) zMCmVh-r(-mpGU)TWcf{Oq8@E_4d0h&qY+)%Di6jSPR-#n{{CeUGqYnwCI11a!2oHgj%rhi{;>rT7n{!_HCZk@2sG3h({-sb!K zWEa;K%LSIUlf(Ynd%CsJ%Dc(s1~@^peK%G2l`d~n_|W=_kPTH)=0P-BI5oMuigIgI0pdM4hxcisywcz_Zoc{ zm+0;v{K*!VqzvvK+;?&kTRoR6-?Lb%`T^B^0-jG&D?7Iri%my(IhxNRb?=M!j|%-g zGwmwv)~Cn7O>M8bNq?J9ApaMm-{bcy9^ePdzThn(fWEl1uj5{@V3p4Any4O2`rE)2 zoChAaoeHjUtq@Sw&nfD@djOFFk;enXU8ld(x>qO+{>*@yK~v2{Am~(0uMA43{LE 
zm@SB6&edyeR>Vi8bXt@ZaxWd~Ck5ymM5twmQOkHM&u}{IJw2ptRBjelzce(I1da}_ z$6RtGE5?wi4j92fvsF=6qaHyFON&QZ&9E*!{nIOk^-GY4NMN>KL+;JRtjfPX7=_C( zrd1mutVK4egy^t^N-~tc5A6ov90iC|&n+QJ(hKk=p*8EOe>bq01-_aIS;1#9AaeQ6 z;g)Y{3dFg-*;)NkoR-J2GKQx&KiAa>dnm8rmK6BVFNDq38gS(a9!*mg+QH-C^S5C|iKiHKQ^SxCqs+i?od;ePk!x z(n#T4fnCt{goa|H<#Qoj3OSrl;bIFOc09{_c#R7U7Y`&PxyXDPL)PUc+8ia)4a!?L zk}=W7&t7D(M%Q_HSSs}y;e945caye4EzLTu$hF#?m5IxG@MG_8E~j(lL>RIX^=gW& zVS(cK7=dJ%KUDCqKlaEfMXKf}-E09*vcmLeylTA!Zoz!W&Tlk%k;AJ(7|mxXjf;l+ zqNS+Md_pT>1W0If6OrjDR$ZziDsrVnsFk_DB5McS*Uada!;s?7WXQ8^`(ql-sy?;X z#OMkUaHQa;NPe;LP`QjZ4|_%!)O>C9y#N3zK>96v6IVF%L2+19C3N*{CzY9Yv%%E4 z0MgNHra>~J-2TE=_;$tc;Di8m){P>U8XI;TW)AJD-N(?{)BJhX95)t4{3bTN; zcgfP!fJ(<2yo3jn3^2_f(ddWU@yXfYkiTnjID6!qW1}ezDb%CXW26bws+0Lir05Cb z63Oa>w%~>v)zF6`auNTa@3^_B!7uz=JF{$!-{ne!VwqN#vK#RZk_@8J9HiMRkZ#gd z4RV?~)J=*o?^LIRJvK7TkLs?m)T+&IO*UI(%Vc01TUfj3H{0i!w^PBNL@W#v$3z?# zNVg~qxIp7M6i{yDZHR?(5z{4P6RzS~~!`p*~1I%YPnt4d8AAOEg6>v#=eZzghjd2$mpT41GCU4nw&nD`LGhfnuSw*- zPDIDq`I<-{H=CpCpq26Up?M(jD7!W99$$02Kjtv-IlN&k2oBZVF#6dYKiV1YXqk~7 zr%KUYzINBIZ7RgAUgp>e=Jg#kbINq6ItQ&zHQ8-@=RI!g*yE3QH)Zu3S-nnoi5-Vwzt7MN@d`(rr^7TR3M8S|yLVM@ z`vztiMr*GJrMd5kl9>Q4zWa$+6M<2y&vj5+%t06B_j0oTJE&k4Fxzuu*?N1<^Q=&g zfgsl(flGxSy?uZ6IL@D{hnm^8Vd3PV?#vPJ|EcfrqBDLsHJmJ>AxVOt`(^%)15s5M&68lfJ|D*^ zlM|4Hbk2im|K`sx93DLlY_&R|*Dtn4OXYIj|2&;NJl5KRFv>fQKd%^kUOwh_0f!bi zI=+UB?AB{NXZI*)7!92347XqYLt8oKfXA5F-(Ia@3{)`i=mQcZ6NLe7gt2hn<*w`< z@Lx(X_SH9QMIqw|xgAwSE|}HU1kPcM_=n=vWk}1NBZO^8oOsFs(i(AB|6^p%4*?}C z#f$yGbps;n2TjVS4Nui_umyHn5zE+Y=+2zQnyEK8g^I{M--@#8AEBOnaX4g+<;WOm zY~do%;e2D+$^^@aQu2&M)=X6^4j&^Q(D&E=SP`uu`iNA8aZOf8u38Sh z&9kK)LX%_(hThHc&G+qZ&|SBCDy+H%waPAPEhT63iVlMKXSMli#3ULEK;q@7Lkg=!G zQ4!K=RF(o2#90gn%9BJCiI^&>l5MsthQ6zvIbX06RkS07T1Jbzun=*6{&~ni8>CQ; zA`x!B%Hm6>b}&V&a6hMRm_ZR;wjvw8s!v?8h>MQ$goz^WB3i6KU}mC$2UVsB#g@1` zzg4#+LU?a+0!Nh|+ys%2yBoI1G-T^qw#ZktNbv15iB8wVEG?8PTDn?2P=-}?|mf-FV!C|oAHq0!~?koGHe!)Gb z`&Ly~Y5YbF#+KvaH0doAb*4A_ZcVf6-GC`o_E(%@w;687y~SFxm8ja#+}5B5Ls2s^ 
zJxWliO@D<5E;zbdKh3RMVZgjKvGzu;^6a!Wx{Etf^QMB#{Rxv`KPRyDn5K(=Yxe@E?cpQHee+fp=u2{~Wsv-s_lpf2qM>yWk z`eTfI(od_i78wlBNQ*HV*xrFu?HX=%g^$V}LaM=w1o9s!S@V>i!jO0*5mu@^#YS73 zPCt%)V=PVhnttq~YcC1nz*blNZQsdnI9MSRCwG}>HZlX7KQ<~?V_9s6F-3whA1ZHR z+?X~3+jo9zuy~Qs?@v+l(>g4{%7%_tfYmnFu={wkuT!)Q`b?k92?{v|F(C8&7% z|J}#$K4fTh$n2LE?U$MV*pE5>V?VBOIdV(@zd(Nc<_j(QcpvcG3@w9xfA7|w9qJEq z#x5+lo-ED(b`3mRSWq=$qSIYdHk?%KGJf$(5PpD6(|VEi#_ODdX(!|xBL}L8gBGqd z{V)w;Hqe1R;~8&ovwoML0Pc1XeXj)R!6n`uix;3JbKekJO$#r+!p2Fvpe4X(C$_E4 zyS`zDn60=73;Bu1u(Hyh#u!@_Mb&D>4CuEUh711~xqO zx*2xfL7IqmlMIx7>?ZI?^zK{s$IBEH`(AlZo&X=ScWw-}yNcW9Po=w^!-Sv^g9HlR zjhA>vr%kfP`@_h~hCg19MWnexPS2DN>yQFKUBGb%j!L`Vz{TIR=M8}FD=R732O;RH z0`56asCPNrPo(2gkTJ+}yGqbg>DhB2Ys1iUi5KC`V;D!!5ODhgweLyi?Kt{gdHwXw zfFu@pbB9Ap;&Q7q&Dk}%VOF$TmB8k3*E({cd|!4Ma5#x|M5UC??U#L|TlRJVuAr@R zn^^DolP3`z@b_Ovoi|4JdAx;ZV*E37wd=}yq{7YxeD?)I_vDM*=P#nc)H*}35&5PQ z$r}1pYaAMl`qc8R)OxMKh$ta!1#Pn?C(L(-kxJGQuwevb?t`;uiQfag2KT91`>)u^ z6Ku77fO zj2_Ae4I7Rq?FQTQ>vWljUV?qw6GS+mnE z*apV+s%^QqyRx~u@)my(e;FPF(r}7gL7-HSpe6_$)~MB+)jG5<{hIY@CM+b&cem>p z5G|*OTbjXPN7dI1r33mw62M!xqz+6~LQF&O3|_I{?tw=XPw0$T(INzzz7_geUC`QDX);td6@n5fZ9GPEgsb!o$DqZT zm1u#)w#F297Wp$u5Am+G54*HWUy=1bt;7;=AA8+uYYw&m|!Hvk)qk%Q0j!_p2D0O>KXl{uP*e~gE=_`!!8$Vo;JKDJt-g47~K25w`C6`AG zjjE$KgSkw=TWR@#t3P20aV42kjPV3VRe-p;C`Ym6wjLsE;D4r zW73rlMk`jlVbI2BDB(oBrOvM+E5l1p-0Bw-Y*Z)UD14AkOrQu>GOR;f=>{w1nofn{ zmy4Q=i^rf!SoPM}zG-dfv3&jZ40gBS0Ll8A_Qzq096U+a*p!qpnGo0t!O<0Nz?hvl z8pD1F$7C8loslb+2OsBYyP)u+KHh3kFx;BP1y4w0>@AokDFgSoZEgK9BN zDo8KSzE-xnm_K-6#y;E%cqi$aSP#|$Uk~Jx zmty~%#sXZ(j8mvoAmLjim27NI z^v+n_9^kRg_XM7|hY8^NkmCjHbkyn>XkA{nSU|X3H#7tnymSjE7zIG;9EA_TMdNPJ z)g6R@3s6kn+C^obVMBJ|*8NJ`L+JL_;Htwz&e_}hemCXss^2?Jp`AO`V3y~qA1#{DA;kdi->471uLWF6)tyzmb|pO`hG&rzx!&t=kLf`B zo%#{6CHeU7<7$nDbAwfqSJvJ+k}8M5MGm{%fYl}^-pk^hm$sLgfytwcYTdr)D6G3z z&F6r#p9s8xTbqH1565;rFTVo}a{|r@N2dS0-YOYf|Dip<*Ti@5+IPU)r=3uJgaFP- zm>ypYCQ=^(dq0*eh3-xW7$=?j+P5!XI{E6?r<+JNgDznZpymntXhOk;3f;%r0UeCf 
zf-f!29z*jnS8t61(A{ay8Df_sokdi=i@=2}y&l&~J?Txp*HPq)jEOSRhOPN?N_p^g z$F9rBoBIPfX|9L;e%mS*!erOKzYYa2wvPblgYE2;w1fW~(o}+>|KVTb%!y0E-EZ(LWU6_Nb^mCCGn!&`=62Wy80DR&%W8^*& z1=x027$ld6?v+$k`!(E_^_EbtS+PR8U!f^aP}CKu@xnb|XYol3EbVw_0v7awpfgqJ zs)G1_7R&w1cm&P}Lyx;o0OgxDrpc9x0VFY-&?%kN7ofP^rZUF`2Oy0|%uM|p#wB$8 z%-`<=K7JD1ZzXz}ucr;UB*T@s$A|ITVtzz;swEifpX~zSU8{N&3be%NGK+-yVW`B> zBG&_$akvOR5~1Qy%`w~tWLJNuByz-I2N*5zwP+Tt3m4>NuO=B*JR*)@>9gmKDtw@q z2r*cQ;4~;6dql`lL8CF{M&yoeWHoQs2PBo>Zv>{0yLOmlGVxhPSya+g(9ZLnE}n^w z%PUxTW~sT!g$liI0Jw6oq2hoLBn?WH8uOBVV&_~r){R>9?B+D34p2TN?dt{T%Q>%m ze|~-K7yQai)9kMtpiGsbvLyt?4$;pwqIO8v?FVh}6br7{)4$m8^-8{FBheN$r(NQf zvY1Vg1aL!l#Ss*gO#SS~)qzWxzVH?FKKN+z5!~A~oOyCI60+bt*(&i^x&LetGsZE%fD}3^87G#P0m+gk;l2 zkYdJ&kbeC+|6EMe#H?Kf3$)d&gXF@wqiFRMT#MFeMwyv5C$NbWTRKjrvo3d-*{nN% z;HuX=pH`R!%f|lI4mNp_co4soTjDzn^*TX;eq%{VxB7O!EMLMgmd_YlnmzIoe&Fn0 zyJ{O!19ja3yc~soOl1eWOmI{dZ^I8In)=&QlM$Pk7rLPYRr)6TUlc_LIQl8SN*Az` zg_wEg`~yrisy^VbyKmZV1T5OW7DZq@dd!vN)Tu&K48EEcLGev}iVM_BU;6?;fNQV! zrVpEr=PoGI_%k4MN3ErQa!vy_QP-rFPK_LktRfGyUnlX%6;_{SKHbQk-aX0rEF?Ga zE8$oowU@mu+SkXHo3Di+MVT5ndtFv*?*?M^4i)v2R|gd0PbgI0;idB>_wJ$JFz6BR zl9ITVrPIhU;61G7Wm-5j8k67|MWrLps09%%`LNk7!dYXZ=lHT0WxY~&-Rwo`7o@7Q zzIA4|$k0}y6-a5b8)%=AM`tF8^?wa*C44tLRHMzwk=vzd5IJ#}hO2{!4C3|?=R^Nt zFi_9yw5?(invkNTH6ko?VCH(5ka-I1?~z?;b#_-;x>v?1GBYzd9rzHOMpk~*aZNxI zLaQDn&?b_tXwR25tjoct^KoR0|A42&`#074kNw5M3$Qaas<#{>{j?Z_M4a`K3{kVa z2H~}N!1b2bZ5%JXHoK4#RD!G-&JH{%aPZR3KYl-e6`YG)GOR=!t2d|8;nlen&nR59 z4txA&ASTJL!^}m%9ab)5(x81>c<_<%u(4W;k>|soo2Af`IJgq=2>f<6i|b0EFE(SB zR+*Zazte&nlJoHz`Q#{2(?>P+28+Y7b>&J!b_u?CxqT{e_$-<2)cWizG>WZ@s6|jA zu8hG@Ym{_>hWe~VFAFzs8!$WCD$5}8OwBNZo>_~uXdxs_RA%C_Dhe{D+@M}>#bX!A zWFO9L><`Xa<~R(M)tDa(Q-xVlX*5!b9mCL&`&uOPQP+ap#1EHo%_hN}CVFeaMMZr6 zQ+QL7Nx;EJIOdeo25M4eZs7u&@!@>cgL(VkdAhUg2#ICrFj??LHf;Y5&^83|LFfwj zw(nIL^A!OqhWCOlr|>$n!jZ2dF9JKIyEm--WDGrfPd?M@L4G?yKsbQtvGu}PYSSHkHoHEg-|L6s}GO{oXyn|c-^LKF)C3u7GhvRs+cPlq| za*VbvmbP@)L3lj4+JcK{zx>{uPtBs3$6c?o&`E;?4Q;1ms-}epbc348j0^)Z3>Kd8 
z>I8Qi1%dwReC5tPfy1A?>K>dsH``wtYmQCN?CXugg*mO7kqKlSu19v9cc5G7Jlpq| zeWiJuhwB}9U=weN-S)#3|Lbcg==y=vdKiE|lMehkLo+MY#Dj7s)}ChNdB(kiJQ%X} zFlfwJMWUn_Ig1LBvH`-0M6%va<2(JBg4-54>OnVbwcLShFOGm?*43OYJ-+sysR^33 z*|!YQH=!Sp@Zop8qAOp5FCki*dA$#zFyPAt-uc@+1^Xr-cofSi&*K$~6w}%JYM|{r zrN^o4f<)xJjXCmGyo&b8X6ah` zG_zB`9>eMGkvlyUl^txL^;bkG@0qbCa7R@znRQa+=KS|W)ng0R1LV4wa1vlYfSGA# zTSgMJb~*7H)Oq~P+SQM3VgW zU1S)pLwS_24jwJkNx3E+1~cM{kKa0!pQOw)O$YWkW_JvmC99SiQC2!x)L9kZ3Uy^* zRi%I6c$jP@@T8m4C*xZQ-D`q?-HNi~qLJYd3sx>rvUPz6+vyrHRE;E z4RZ|{;FmFV&2l&E(hnOsC)ZXg!gXBE@qmYq8^oUJ^T#ir}fO)8)sVvxfUAZghf-15Y;7_FE_EeVlExaP4J0^ zUb~eUr|iT^a)SY>h%v^6wN0uG#3f|i#`u~|d&Pnunw%lnbnB$bigan?L5ZoRgsdOf1m4eM-$3#b??L`n=8 zd|yL5BgDse_*+r*D#`?zHQ;TTSvKw$v}rE6&oPbuwzP+3a58BQN6M;-qo&?nkCxDX zYs7SB3{fIbr2#s{)A;8p^AdkR=&0zc$^McgL+5pvl|tT0!!LuLzn#BrU1Bf+LSf9! z7qq`4mZ@$7Ni-zo&#IJd#Sw6PY+nE8ZM~8f#T6>Sw*&f^7B~<387E5)vt&bf?kwpW z8v1OmMWFd}-~()m2?0-7?AdcCDO`)(7b!MfOvduT0e9d@R7;&PU~+IBI0smUg!va% zQum*(1N$71mBN<~@Yc~^Yc?757fX)RUh!Gw-kW#CZN%*>sFN`A7jwi-RR7JHczqW~ z7$W;q9QfB&PJYfm#cKHQ!C2k487HhFG&fQ5z#VfemS&%$Xp9;T9#j*deQ38d-fpeD z%AS&;uhwSkf@^ak5vqn9kbSFhthn% zkb{0S&n~)3QI}IJCZ4!5w`UC7xUK$hp|PwcyIi4l2rLf^L|nRwKydGI=~79BziS`$ zlzwhsB=Vk$PyEXW{(c{!QzxeM1kV^&TifBhGmpIZfqQ~FfkdJ~Az5@$kug(WcE1RU z)HJ);0`eF8WnmYz!7<5$ob>1K6x4QWIjlUqWcM6bUWBl@V*J%7VT-q1e8oaH!rHVl~+D~pfRe{ zldQN%OlhSw&n;$inabNb!$6h1C|)ljIKwe5W}gyV=;r(%xCIK~UgiaLfr4h0K|%Td zk8o&(SY@ChtOVTN1H3VZWUzVV3QCT-UdYcp_%f-lr2Kgq-%7 zij_-0-|I{bJb>M@^hJ+j!hD%X^KfTS<^ul<%zUTwRZQ#aztc}vxhb=JU!`tiRj7+Tt?pt$iGx}yxI1h$bqd>@g_-`$rptluh`?iQ4 z`OtN?U3VeOkMX9WHOHr~+SXHblU=@wt%2)-te4H|L6OI;-Urf6PQsA-B52Obv#TKZ zDcr8ZNEiihU$(Y#)pLd)6n?ZBVE?o7z!JLrLVCS5s5s3m54q0t3u*-qvpThw-kozh z)v6lpMe#dTdn@b!2!44ar%h9qFem7lkTi{;K8ieE<7V`HF?_!;$J@zk2aUx91{6!= zEmO@6FKZD!t`_~lsq1CQyX~4|I$LI3-fZo~gZ30@xhVyKmyqM{+R@R1y_jp<_>|s; zPkZNeq_-;Q`J3`OK>UoG^tqiDOWfFrPV%l>=eiCH#r$316| zq~6(`SJy?P7qjP=o^dcQ;~7)e-wvH&>+8FKyN%=5+fl)t-h#(y+*ZJ|w+ZiF>H@Cd`QFCL8w}S~ 
zJL=Xw;Q#UezwZI>^gn`h={|IY9g_A!TC?Giz0(14`dMsyqOK&6q;oOx5JU(!fBf*? zf%XUriuDFv4V$+HEA$+GtA?sne5-hWs8S7Ur|L4!d^`bBVZp9_2~^`44(pz}#=aMq z`4SPBCaxv^O+pH)IAihk?PE3%AQ^In6v44^!U3DqI5ox$N5gzEwpQWhW8%f zww}(wsxaqCV#l|%*TW}3+6YWcO-pj1mZE0Lb;4h}rlL!pGRc6sQN*qB%(CA23wE(d zWpVXq7NnBGTK@5wc7h|%vh8<8H(`?tl^PS>mU_@?%7H7+5YEtja5o2HIRnE||GK0b zbIYQ&^35}*BP{{*Fu{#SRz`rCWFmdF8jdwNzpRpOtwFyzH6gn%>1Xvt_fH~|n%c}} z7Tk|0RdZ5jM49!} z47tZd!dWyH!l7G|EyFv2FX#Q6R(noWKRUM7LSfE;#0|y^@>+cD3LB&sJ?fIckTvAF~1H|dmRKJp_f8i!1amU~nXOmbp7XA7G183pq zI-5GmUQy-0*{}#ImiuH>0*Ta-Ij1}f3R^YZWGO3q!~)bnLwf!00Wr;+;H_ZX5@`19 zsD+xq=dlZ<*=9o6s0=#cvzA1czBPOr)%~pR7Fz-qRq735yMe7mF^P1_TMemtTsJyh z0-C9|6?|+`Wcj>@=CcP9n=%xKCY$hj_(}u^=ADLhVJ@`T;r>|kruY6`OEc8|ViTSt zvKHzVBRJjPqd$Exkz}lU-0#eyP;pW{UsLe-V=mGAeRe_P6LGA5P4r295)~-Pge`TK z^LuZkmM-&Dr|6ojec0yAP5N)P-{1Q=2@MoCV>wdVmYf0)l6% zZcWx2rsBkz_%RDD#ezSI7~u0urJH<@Ri#$6<_G;M1BVn_!q8bTv;v0>7?Qp(+6&qk zt6?lk42X+2tS1?#6v4A*+_ZBP+;0wkkLY5iX2aU&`mHeJLKa)Vm6uSj+hdHBG=GYD z7@s}*J$`Qg-W-lZnrV;rCY}5q(~)-~E1Jpuptr)uyS<*AFh3#5zGxxzqeS}6Z;I{o z5uyn^(NL^)CG4d%*E#$7=)b9ozz-#|q?GyU@X;Uv^3|5kk3TCEhR*CRs*@O~s)ba! zPB;jPM*=-V*Bykntda-}|1wA>yQ^~-=F0$4{3~rDSP(lXVaq?V^TY3_0&G54PZybs zE_J6`VqtRKPf2BE{S!7gjEI=aVY$up%(p?v`Y(V^h9v%j`oPTg9RL=f(6^S@nU|Rv zFYn41=6^tSB%Po9Utg%f2oPH6K<_7rL_cyFPZU+3Dzq)z@*yuoN!!``xnZS4FLH(1 zFt=kK$eQOf!PboTGhwqt!w!5ot&*{GyUC%Pd;8a9Rb_?5zPs;rErzjx+vLK^(^BZ2M*Q+>SMByu+bx6O>0SUq$5ks*zFa{`Ld#d>CEz zcKXG5Vu7UBK6}TgV=*Dn{Y){zjLZ|liO`#DwB$c=|)FG3Cp%y|Ncz*IYBlOH2trqrNgX3 z7cPMT@A@~`2hL0BWiPu?&*^Eq<_Ip(ZdhF-3?7C?}$nq)%K|vPU%iy%S^g6#r zZ`~0Fv!Z{|V$uol-$K~A&TzooywZ`~}>)!lTtE8}+JtTRz@` z0{=jrR)dVeO%Tp4=*2rf5Di`IL?wMId;vPuK}Q?d)BdW+ek;jmy#fF?pcnsP{|9e? 
z=Vg`Q?;<=aa8~sbPcu`l7@sap!%IJ91XW^$ixDS<`Uk>5J%pHTDwdMeX4P=)K-E@Q zn^EQU!yJHP^H4aKBUiK$&m97 zsfr@k3zo;CN|G=2RaCeys89V{fg65oLHd3!MR{=Yhi^%?B}-=*E2&O?~JRIOk%$}+VGc_@!LJ%mi_X&&+7_!S)(CC!s|^`}_P!_6j* z<-RhXPSWuc_8p2^t)NTO)*p%J$TKd(pK}jn27e+dFB3T8!+rPKObmBp^ zYGJG7p_WJ(TS}Odt1&-9buPIJ@>fWaS3gMRRof|82U3X1e7AyVy2^g%RI7T8Z2w_h=YaNDKImSO}|2*!* zv`*G6MOxR;dizn~bVQ{LZU`^f%4tS%`3OM!ncA}zcN!dhUi0GKG!;=$3_HJGrJ z9ivW>!sm#VW!k5hVTmQu=_!&nw#eCN|9MY|F2!lL@5HGaTPil3CT({WJ^aw61838c z*{Un-M^Q=Ogr3zLGNMw(noK`TYSmAri7Xd2mtTh8`(w2wB3;I;$F(n!3X7g>CHdxA zz|LHIjz;P}eK~>9d5ONAgK?$(y*2&^8MSha%Xx6oMs5-UeBs*3FXM#RPE($biIOgb zi#2GlkB6Z@585%u3KXP0|D^vyAOG}IGbS!9sXm+1mFs#DW&`mqpSh)J?EBOgiG0a2 z0_>j|zodL%Q+^;}nbZS~Inhq^)8SKV z)`L%euuRGWUlPbl?2HZovt^JbXGeb@s7b{pUvt{DgfS-&p;L~aA6B|2GiGZ+JF2MFEi^CKj}zPrc1}6eSN;LgnNngi z9hxNjFQS231Nep)_O>byBH1nBf!Irk6S{ zY1=f6u~?(q3`*FU@WhN_6>o-`59G-e`;pC-n}l2?t45yPmy2;b`PIxVN?UoFM}-WE z9cTqKYMoay%Yl-YBt=XPXgWIA&yHVxeiq|=7|ZZ8jmJ>uSC4$wU*<~m9KmSf+L2$i z>Emk=igKlKrO+O z@7)n}YwI{8TGXA?Y}I`@Y^hy4%D>0sI(~C*FmuXTyfVP)zH0qp8@cG2#r?a-HswWl z!r|c#m;eF_VOiI1bVIte+I;Tx9moD=kditN#+qOLIo8_rS9)DeX|v4@C<#2yvIE}4 z2ac6WS33|tjwsF`iWo!x9pIk6*0$90U0Mwx%v5-``B}v58IsQQ?$rt^0k~R*(MTn| zdV!lEJxc9Yl^mK~S3PjG(wE-w?av)pR`ANx0vE%ymSD+t_irYV3+b9h{D(Q5H#6s` z>wV|08EGu_JH1{DI?5!z$AoP!PJ&Kb)Bs_-9#WyJ#0|^+x!sNP8#AXhX}b}owh)pTTo!?gL`F}+zve``DlAi=GBhyc8)FL# zc+D7EbzYO~R=fJTHgUA$IlJqY5cm|vtkr(KHE`Rd-+4_?MdVCb%hI!*wG#wh1XTAP zoAT!TTi+xm)qgp48`_&@1(!a9%}BRB)?EdSJRgdV>&AdO-TO0)=aEGHk46U>tkaB} z_ve=z86dZb4AU8F&bzlul#Gf^pL>xx%|~G*kw$g9BW~%<>9^BpoDISKrTdu<^MNZ@ zFDK_wde*eTvzJSi_4OGcA8^CnGy=&pIJru9Vj{cGf6@bC>vlzOTc{x5LJHuYuJve> z+jAfnXeZ#P9NdX70}!eyEiIB#3$6=$bSmR|e!Y9h9tEhA3OjmG-v;uK-eZ z>jNnYdIXojk1=p(`bw7G+6?LdSa3;5D&Z-Qz$DBMd3U{$^IUjK z>`3U1MbpG#r+=65rlOV&o$C5hRWfQid?W3xjZr?y$3ASz&g)T^L*offkgqPo<-rV~W&-R?VBm`K^t!Xey# zrby)#NjZ`c6w=SV7+Q?PG~xttl|q(7n$#R{hLShz=e{Z$>9%479t;KFW8g;E%#{!N znZCOcl4Mn^fKaPAZ$Rmeao7T!L}&Y*dkdg;nc*aPDJ&@`#%GwAIhj_qX3ly(3<4tZ 
zSeRT^471Rj@>Ggb3Kl)#1q+Z_J(ILWVJ4Zc3Eud_SxFK~>pZ>inX0f*%uun&fNzhi z)5p|C{vkG*0wa0`^Yf-dJ_G7 zEHLS)U5Zlh<#UewL4bfLyTG|;z)KmV$kX~%{&i+i^2G}Je03Wf93=9^T4fsU#@iB> zPpFjobxr0fRnpM*d>1&w)T-KyiwAGwlfOtN9e zo3nRiEG2QsdWGpEI!lVQKgz3ROvZmIH!rax6SB8_rEd#}3n}ByWTO6H zW5@N2ts`_xPPCmutcC+I9_hkWM7Y1If`P91g#}>B8G%7d7La)D;GBq+q}dCQvO5_? z=v1%OkA1CI+#~kFT;gZeBSP!U!GGRtXK%&`$JM};zQ)y)0R-+m{AO$=Qa!3JhDl9eZhQb}jN=0qDbI zk|Z%BdllZ4Z-DOsc(_l>NJA>gR2Y2s8sK9LZw7Y00+-wM{sF(u_HXsKsC_-BYrN4j z)eU=a3C}Tow_x9lT(AC!AKWjwMpLVnGX|tRH)VLN4;xrU0Ke@8g!Ak3?(AhghZ%30 z>s1n3qE8Mt9O;wZQ8ANVPTqm1OSPM~;O*gY%045Nm?Y5jieq8kI^;@Go%e+t5e|{cn z>l=YAT`+dDscqa$UiG-k5~Uw?f=KFJK)n`78t3C@ zLH_$&PU%X}|M=Z*rv~(#Y8qaLNeweYG`AhD9us__d3v}Tbv>mOJsrDo(~(x)oj?98 zPYcb|_(KDs=}lH765Cz}jCzpMQ|x^#VGwF7ILr0O^RX6kEq9xJ%sBplXa6|sX;tSE z(Q%|JP2~0%0qC;1xl>w309aqO-=rbud3($(?a=bQ5qLK^S6!#!0eZo;Jo~DoH7#TG zepX%qUNLYh8wK8Hu{hVvjHKA|FHwS*E~gcso^w{xwVQX3p^?bJ&Be5^k`Y^{MaTXu zA!`*2AMj;BF?%QGym5bE@#?A}*uyiYZ`%j3YG!x@aft7=k#=w)-SoRZz+ml}briB9 z6{T5bzCW6Vj#hH-xtwh||JxU%-C` zFR&q#zTrQFGjhV27>bdrAJZNv`=pH^f=>{IO?NB5($&B zYp1aziumKwqQ*KUQNbDmWW=%;xo(jQf%c(k$6rvfx&7$5kX-f?5|4FJUfh6f##IblJ z7iZdFP}OCTIvZjd>5`I5grjahlc-+#T%9a-O5S%DONC^^ws( zCfT&Typc2{Z$GX%gIJ!+n)py0Z?cOlxrG z-msf38C@#9*@pyA7lbQhFL1$rMYHWt)kjj9y^}QrDl>1KD%!ZsCgQJF<$Jz%4V3T+Ab$R{ z^_dl^0jjg{rE-Svv8rN8us4+1H;W3wX-aN#U7E`aK8(VP z*W%o2INBZLZc_ZiYI(AM9KUcS!pP9L8sj!F*CNFvq2(LYud+p8UvZlz5SW?D*;|)X zI9YuGQtU_Ylv3O8(XvVA>lXQcuvlLbz~dGZ(X?}gt$<5D%N`?1L5On<(jHC?M79|n zGpXHBHFi(FRIXwAEop=ns$U))RjV^j9%s^H6!VWPjX+uPP}FIj#9}VcLwqr5bV7}1 zQ62VAQWUlpL8pZbQbg)*gxJJoI!J1(bjmgCwxC+z3oSu#wYr4-oywx@tiX;8vJF1o zgmxP>nS}r+4z|$GQyg1Gaxy`*bUL>vu|W?H(!s5d0;5SEgjB<$W|@?}wJ5)hBytSn zJ)^%?Ko4|~p!1NXfA#sS0*s%Zjw76b$3hM*oLm;Q$Yw3FY}On|O9&GsKP4GWkjm#Z z6|oyJi%j89=7*T_lIdq7KhCAT!mT#=EmK9QMc8yKeH?8;h0lCxZzPN5s;)fH`7pJd z>seYA3+^r}LF~je^DipnCVcZP5ewxH(jVZbVX}4{`3~0=zcT*iS6p_EZDqlS^Es=x@$McP60>IBo;^Y9xpKThAtK=*5^V z@-iRA>*OB%bGz{mdC=QH!7+oDzVG==FtU^XqnFmsYLER`TTt5sP1n`iw%^>5Uf%Ec 
zX{a{%9-*Wt!~5hRB^+>md%T&TEO1d?l^1Xve3$@zW(KUY1Hq_%qe8b!mw8$^o&o=I z103Jxayr6$NVogj{g%&bSaq5RYo8xNMx1<(cl-GMp~`zd&7&InzWifU%JG4W%@TBo zG;C07;d<(Vo|ZIwjNQwa#MU*Qm!{G+oq?cPQfW}++4zy2snOT zBWxyFt!cRcEAsqmo3a2cTwOJ9Vujc6^vvrS@q0oY054PVie&e=FYe%{_^z^`1Qb?3 zc!P6Z!OPwwhktQbxIr_QE+=CBS6<$`HNwgpcGp!I*#MD~^Loe$E-Udj`_A(lL3gil zq&iYp!B()-rGS5ncS^=3WP2tLej8o0VV}_ouw~6>I z@_3PYjpz`(tv*#~S)IGAFy5|gTSZYCy>06d8UcGQa}V>jpA)S@8CjkVqY}L8g3KBp zbG*7I2kNSy{w*YQ8waXDdG83{-Q(|f3<{4>u*x3YRV2xqA%SDE^4_1r`Q7b9PA{z0s4&AOEB)-2p(c}>rhUl*cQdx}*J^Find~gubVV!4M)4Se zWQ8Jjt;1xAh6M$e+0XG28Y;=M)F#7ZAX}L-73Jq=$F;PJKrC4}-Gf;R*i3Bs6ai*c z(}{TfDLT(*j2OJA=E{2ksZgYi-d|b_?8WT{7JNvNYuewOxpGrsQjlq}3RU;Nd&KsW zW24b3^zm1s(9vLIre*O(Y}6aYFHj(rp?GcXHyRkQDuMDg>2SNqzAL272MP;gQbm0t zl%?B~Lgbi!{OvAoOB;p_ds<<7e$1zDvuaZN^Nx9SZcx`M7?D`}D;&S0cn~+#1k8RR zV32F8AuM09G{AMSA>;AalOcJJON^nOs5qU6NV)uIKRt(a=}#-|VT_c1fhtX~xx@m2 zyMH}p8DE)7!!Ba{gBZztldIyvnv3Gs3}1G|pZB^-GJn5$_A4j`8dj+~!%e?;8G^X= zKTU)aBqV$(7KmPr5RfU7ovR)y7%%xn#9bSQ_)PF*~0HC5wun50L|(E?fB<3$8w0$1i&%B^!r1q%zq$%Iv~1L1*(aMD-Nc zkt^yd=8gmE`K0osH?fqAc9c2l`@$Wm3YEl}+o=3hV#e4+1;%eYCU^1$mXEiYd9dc= zXbco8KH>})tG1l5ambbp&sUew^m7VFws%RR>l_f%xCw59j>fn`5*GhRp`}pJ^TM7W z37BJ)BhV6jZ%ey~;1+REYRsw$A}n>u3F`O}SyHM@it@Koa(Yqi ztK%2BrMsun46!63l#L>FbX$tO+0-{pjz~%EwDRNF>2@)_ERzC@lnXI&^Y&cxvfK}* zizQiDY5De8>SiboGWRZ@6!X84D`X_|tYlk{5vUArsF~DcU%PRq7WK58Dj3 zDZfzCSd^&R-z@}Vm)jJUqpR7L0KZ9QP7o3^S&l_-$ji8NXq?jTvnOCrNHWb;{F+Bx zswc13CsLAX3EmH`z=^wB39F9^(abSvL>+cyY6oU@=XgFSnn!;6Xm4 z8X?1)elfdETD8oS@DF&X2s96aF%neMbdXz?(f4 z{fF(!TmES0x%F>5k$B6$J}_szsHlO5kVhc-{7p*Pf>RhfLXc7F zT9Nw*>g`U`5f8LgxW1S73{3Z6_nXp@YVfwoSW(dJ#(qP9liz(XUhUTLFfGF^>;D0~ zKtsP+_Z@$Y*`pPGcIQ6>iyvG)b=B8inD^l?jyr3|xpeNBU4L`ok7izK{#*TLwFmc| zcQ`rspgUfeWgG?!_Pg@X<%$-t;)1opJMVtt`yXty^@eYL1aA7~`pYeQ;swa;7iVp~ zQ*h2p=&29??(rL!`NRB6N_u$wjLJzX5!dC|#Q(?MnZP?vPzxUz7Ac#k2!aU6PJw1$ z0Fk6=(xy$Crb*LA5Sk`Un`UX7G;Inf0BLm0|0s;bp$TA{3vMM`@ zUq?Qk&j)-m@E*eV?wQ}*nO|>jZzxBGx1Dn15;=CtLZLD#YJ9*`z;$)TZ?bTLX9W31U 
z*ou=CU)|t=Nu|B&ZI8k~y5q1f{rdK{`NAP9zMk6u)(3xkqBnZ*gjHYrV)Lr&&;0sr zXPrjwnlT=^ueQcHr$ceFLFvZ9SBCpNzRmL|H(&XyceRg`+v;O9{=e9;%N z^VJkF@xfk~tc;Or-Wj>D-XF%@S|x{tO2~3#ztcs>hEo7A$%TNtO?UZhqT98CmC5^( zj!LPaG)5|DIfe=&O>Iq*o+_yITA}IabewdPs7T~!t*t9KHy*QgTGe8S>#~gr<5r6F#3njHv*_9o&`h_Z>99z{U?an_ z?M9DE)pAY7X;am7p@B4+AXlr8+C(j)40l*VK&?sg`A}3;na^;NCKDbaF))w#Q=n8b z26~N5(F3X^dU2buyt-La`V7>?H9Zl>aHt0Y7!I3utIc&i!AqxOzt9TvO|~0a`Fx(r zcu7p8N?p$Qc>E`qk?WGq$`GOykz$soMhVWNHkqb|JuGj?nM}G5si9SIdfcQ}oKQ(0 zt&Yp1v{*G2%1O1bUe%nE;?PJCx2VYO6yo(P-K@J6w+ZS4qvUsWD-36rLAsR*ZZ#5x z@Ad`;B8eGu*h5Dk01{wdfir&Zov`W*J~}cDL02|o1E#S z1!lSKC|lBKMNf%Mpc>{%xqffTX`WT=a)rSN(TbyH4F*e51n0D}?FkjDIN_(&VazBK zu9{9Gu#!aMu_~q-I^~V(q>3p4KuURsH>!y<%Y1d*ALwCGO1iCd#7x!h>`f+w1<54W zw(@S<=^L|qUyqCw7N?PX3magvC1SRwqdC4lsrCN5=f7p@gx#CtKkxD%__N12gO@y(hn)A>=RMiMwmDrCD+Yef?goQ6c(tpPc>&=oMSGjy0* zP}ho`rfucW`p_0DqiP7I9HlnUTK%wJtBK=!zG05brHR>xv5e(Y7+6sl+$nGhT@L9o zfDF6jsKc8T+U#_cLN#wCsZO>sb;G*Q$D~0`ZlQEf&r>huPuPGdn@*TKLcCA*BwTwbu9yY)p+s-BB3{(S+PB27A9-Ft!l3YTB zw%#j9YCkIJc&2N>B_YgZQ_X&_3emOEw4we_&wu+T{`226|E*V-fK*<=Va)3W(+Dpm z<)V}KTo&XQp`cDCP1uOBbWI(XJ=>r1Zj{gDr>JR6AqemAVV$Yhx~cInlQV0+noCLn z)fsmLo(y#t?WapPC>4;RNRk$73UM979MS6+94(wcj8%7;P&4|5m&%jba>BxVQ&!xr z3NLgqhe;z z(NVKmZpQeLsyh^z?C$mcG?vm)+;ejc(uc%;g?B zSK9W4M>|)fpL-6ZRCnEVo>?qQ0=elrxzm4=J%!j~(O}*s-@kAEy!GrepLz7Ldq4N1 zBd;cE`bx`fedHHk{mrB6-gwGF40&_gM@}(DFF*0rmoM7+q4e$aW9Lhsdur`dHW&k& zjl)HYFZ8Ahn(3FW`SyW7J8|ttzx_4MSRUQ`3y&f9o_vnotFN-<;eXs)Iog~o^ScuB z{bRQc#@u17dh>J3yu9{JkN(Qu2YBumThvd#W0fb)`26TJPg`rR#~xbr$R3A2x8*Uf ztEaqv&Yxd?=A2)0ySe9VAinhY=P$bB)mLug|JeP$aQYo*Zi4(dIQbiAUVM4~nE5BJ zd&hq(|M?oQ_0c~)@|16X>F$*l931WY0I}I!i}pYG{G)dbuifT>!%E+~N~%AM-ea8e zz_*XYPd)0`{dS)J{K~Jc0bRHFmMd>3M)qcVELic;_ERsNPk;Zf_Z{}+xucU8%uBEK z)M9rZ^ub5X*Ra91Z|{D;x0blt!Zm)Uue;pc*PmB?c>A3nJpQqV{&xRC^WAw{{UZ2Y zx%BpLw%h278&0p^G1zyT?>_o-#`^A;zm2}~gQs8KNp z+yC>)$VcHn;P6zboi? 
zM^aTkPnHp(X-!-&i+hAIRFRaF9k*;)_6;ykG;;#&j>HU^=^0cEiD}efMu3@-s(DQy za_$raGD~tPPUz-UY0^q`R!zB6f2d6cnyR_FAHp?Q(}J1>0FI9~Y=W6xs&SX(1-$}U zj!+b^A=>0R^>8$(57Pq%o~CTZ8-u1fWpbzmfJw#}SKNNF!j@*&ww>|%aZzweT{BBG z(ow=1sAWvK^a#^|e$D}ysFi{pI`i@P4{i2?mQv(qH!BhpQSKKqqJ?Fme3!`e%gzw6 zr}20)%LJ1iRP5BueiBtfST!wxvf2ca;tISvAg6w>UFxZACc^HoMw_%God=8Tmxl|LP^$#7Q`XK zG@sEEo~J^kBW7bB$JlPe??3^i{boN<47^n>A=6x1 zmKn|Mk!_r;ctp8l*#KE%71GLA4cMODg^~y&L$xO%HtH#y-7!MkCE!{^vchyPlSQRk zb6Ov2ahe!bT6|6o%u>F{cDuC(QAC4jF%|aUQPr!Ks(|9a6R}ki1B0tmphiI>J;-*D zC|^bxU++n*sbO8YLJr2&BH6&$GBS1zD@BGl)?}HCQa0Q9k&|zY zYAx2`fp#;^Fj&)LXOXuDx>U0o*1DY8nWQkf7*gq6OK%VPt_lZ*T&HWcx&nuTJtgCt zgqaIkL%h(22WH^-c`BY+Ua40q=1C&2ut>^Ks$)BhvziV3PtSk*=l-9in*XK?ie8jT zECY7b+;Ci~+i}|z>QOO4%~UHSb1cD3ac&3a3&Tbz!N&0inbdTh_pAy_+6}ogveU ziy#7!9tN~kKkTr5mJ$ZpW|FF=v%_i-rOhJTK*GXM_D6ceyPoCrT(KjPFxqwzj-8A$ z0^?g#Qc8^<)qVDIJ5 z{0IN(Y_`g2p920vfcQ)!Kob2B{0INn{O8b5`UF4#Kv4ojA$-esf7`rOQ?rxW7R0s% zwgvws`Z?%x*eyptethTZd2gD3c>TQLI(v!Ft-Jj06ooPOO(r~mkZyPp2p{OI6oxBW$BqZ7B< zZ@nYFPn~%E4#%yQJIaTzhM%hZat*~e;rK-t|7EIfyZG@nO6wha)^Fjj{(kZ0G<_Vl z_VSCS3m#`Ll5&~PeZ$-nJ^ZoIIQ z3+6%7Zj_e&^<(;XvM*oo)ZPcIeAJ4sZ+@b)$rq?=kZ8G0US7Sq-i3>we&HhYa{FZa zHm1J*73qTY;ME)4z41dA?Qr{(xBakl=q`IaY5aQq7w&bgxc}!z{Py+Ju7EE(`FF>@ z<=u12IKkvK$=d;LvkXbIC2n;nTE9%nnpVrdMf5Ry?sehN*@C|lmvx!IG-MjEYs5TkxGPqE^JxF0q_l}giMfd#rWRO;kmgO3|%F-p2ChPAPR=TO!pao(!?43+DcZ6GP(WeInYpraHF zE^+eN0qqAVsyC^j?(A%{6j9A#jZUVY=9*YJNAobtG{mAa7R-FmR`|;7T3C8q0-W9m z3`Crxj4JD-LXGTv%=vG~%xXb;h!*5DE5-xLY(#!Kop{zz6?+N|k$$F=<79SVNVO7H z=nAtZm70CHtYzE7VyY;(@NgVthiw9%G_eXc0%`+Qwz%@liMEYKR9AF2ZkLj=SMNlX zB8dwK643PlY)whH8>VVlE0>jf<3wxufvgQ1V7m-@r0XZRHGpSnal*E2tR`0)@ThK# zn3&`ex><*3+Dzl@sFZRwe4JoL6Ly@631x(GsZ;aVQhOTb*^*QS$6RMJmX+4T8Are@ zy`=+~&J}<%NHA4yVDc%V*^jfxxJOt>CCBzq-%)uKX#!&lkqg;KE`?2~*bb`sqB|_L za;>CYF6ul-MTEo+@8YRx&xdDRt{*hRB)Km=``y-4Iw(^B)fW$;H-aziQ3Z z4d3NIA6Pg1)bgLD3pfAZKTEU!r%*&mXNxyCVDs(a#AWw!&Nco#W>t1x*nTphpcKSg>;!F zGdRnQnJ7cSA=(hBHk^j25uu6rxa^r}37nQ@R+NH@QrKv=#csCkcmt};QqwS#^e0AA 
zFK6gty$!a_>JSS;5=5J@nZerWA!}O>7YKIWX%dqmq&d zQCRIL9z0fSyjANJd^M8PB#kf=HDC&XGbI4ICgNVzsqBMXNsh85>euVe4qonz6|BtXFc7M?PxA$0Q z>Rm*`*PA({+h=MHSF9y;jpWK^uiK1eiLx6`!|PI!3prw^((d(C71D#MG1e7KPg$Ug z2;*TXUFZ(mgMzFPksFnTKxaWH>dk(1m@-qY650VbgM}Q@|`kNx^kZ zG$}P((sHOWsma7tk;su~+kK&iIE^+WW`ZyrGF4iq6TcV-^)T>#jqKIDq)y6KDoz`H zqee}VO238o4L~UAE@ez$v6BHQBio2ZO$XHaU^^$s$;50Z3Og=(L(;8H8?~%CO64^S zgWd7Ksz(wcvuv2}DXLK#izQvLDah_j^4-2H^GqQL;aHCqf>-k)5Tw&JbAVT!)VPi! z(wLG<+L)*??YP^gNs@(!agV5g_8g*_Lo{=UW)9KJA(}ZvGbbNgAQB`#mHcOJ|Ia5P z@8v)H#83SB-_L(Q7)Br*#31ZL@E_v8@E`Kiz<&@7CT8!10pKI@pBJy$>w+w@b95@( zU1r;(rpE%vl={woPXy2Ww zmS662tspwTpj!`QE#4yZyqoPX57{zIyTEedYQ^*By>ty6sIT zJp2bC{iT!K&w0Oo_O-7T&e%;@dx3S6aQ)hk4L9DQdBpBN-u>P)Hj=JCFJ9w$`_|S4 zr(OQ59gci#aO49|&)ek2Yd(L=i;q396#Qr17Xf$0Ta(9sau9IQR^vZhb>)>`c!C%s z-}(A*&t3ku{9!+uuU~Lp=cP@4Fl0{ArKcZR=_+vft;~~d+wAb?E?9_d^rOwc1@C!y zBp$Z-^aB0^wY2K}8{TlqLx0@?FFdgDr@t)eNq^n(+8ftye{5f6%X?m2hX31N;^q(U zuYGs?H?f*ublJ6s-+%0?%W=kI!@`>+x{bQ}*Vp?Vx_|rmt9LkH-Lrpqqje4#p1aoQ z)is~k zUiPRRzWXuk{~iDTZ|?sA-lzWunDhUignShKW6eBm_cOoMKj29c!~|V8B^MkNOo{@6i(O zSz#HURx;_5T{RPaC?V6aGikP(PQXu#*&Y*X9YF}l&Y&iE1E>w95RaRT5i39>lWR`f z9E2)BI-785q#dY}BG9XiD{={ikuIT04o~OlVPJ;wM0BDt1;&FE>2O?CwPMd4s%2R7 z1&Gh|2!*T@jpCr2#TbbS8ceHRx4H$dqM{rrV7OhRCTi4k49!kW8Y27g_z%+wJ$yRt zL>aHrOHh?H$!;F3It81NV7eowC37GG*-WR}s;ao1U)-Nf259Dv4g3ZP+a`@hyU4X+if3ieV22qpFZeQE809+HekN zl6DVD({kL)hz#xnNsjR<0o|5o&ZSC7wLIei9kA>Ns>$iei$Z@}!`Q z;=z>iG`A`Y#ZiZ@6q+?K_Wg7Xoz|#wz6?(!0l~_2t+zGm3S!+)t2+dSM zyh=18C+VcX5@O+6#=#9Wua|KtltzY{L`a=7wVvxi5!Yp6zFZ|d%@;?r6CcAWOqO-1 zG8}hX6+FdNlTxFI;pOzOH!3@6d`$N!qhkkXHXTJY8fWWPiRHyXWgM7B6gKIk4f?hX z%wleTAXZaSmV!94SDiA#yZt}3zz`qAf5LbBe|Uv*f>}gO<&lDEEYWjKj16A|S{~b< zh1O}w<6Sd93$eZ&wi47aAmDxdbm|?hXMngCcH4EZ0GY#{)|LTEF4QN3x}(!(+j10q z7*X()DrjzY6bVz%&(&}s?h5tPcsglUkaT($%xfLM3T&USJJ=A2Xm9p*1SO&jW#K+t zW~(KC6o|4{Z*dIK3W%{;3S|#Vc{wH>;ciQX#G)XPy|F5bIj;~KtkcA>^q?E#=>+iQ z3^vs}<#gO0bz+8B9jqgvZfi`X%5Ddd5Kc&AiO~rRm@FX%U#Podww0z18Wf+oEPH0JT#951bQ=~HLkyYZK<-g5tCU;W;TUmq^o 
zV$m6u>}{7VN`Ct$%J_f2_6tuwxS+vdHyyn1e*PQm3hUi)z!vHz&#d47?(^Tis<6x+ z^P9IV|JQ?e{>!@ep_|}ubRWN!etg|E?~Z;t|D5U{&bw%{TPkn8_Wf6oHPBmMTIpEf ze*L@)|8(%v=dbbkeYZPo{y_`hx-q+98rtVq3pY(yzxDZh{`#ZV?_PU!-EEp{u4OF+ z|G6^u4^)Q8W6hhnU$ECL*!`AOe!9ZXuT*!u@V1+uIdSESPq{ODrX#JAJ!rKBNA0wS zM85RJdBwwl1N-8)E<3@Rm|GuuDL|duKJVv;{@{j{?wQbQ2}jf>`kkN8)9?Kk-9@Y)9+^2}Fk=*$iGKVrEKwdW*t&4U|}E3NzR zslxTo6V8rLKKt6S$A0f7``!Cq_jN^_K9$GiM`Med@e!yrS zyWjd(KDM_9osE_>b3ka2huC;^PPt(5AA-|_~rU9t#HAKUtW8~1qXi&`+vv(|C{@N(D&g#bN>Gm zk&nWEyhgp{eAec_Et##O0%fK$`@aBvc>eRg`+q)*{AZTn3aH3b5>Z)d{?l8U`EP7r z)5So@Rj`rZ@rZ_`+-fyqkZ!1`vlEVhdN`qaLPb!U8HueF46E3!6LMo}P28YRvj95e zNy?uL3V5-?vrW618c;q_?{OB{MOrMDZ9|-)+j`OoOI@$Y2UV?}o)pI=Jz|_*j5`qt z!0je%x|O`Awd6FK%2JhqETN2uyLCUC8_Hm-(g@2S%QWQ6Cy-O%{j?qd>&v3P^MTn(lKGj?@F$>i04l-Ri}BFNefj z-Uj<ue?*Cz{`5r*C<}BTFOG1QoYXs+bNJA)qn2*A}?Lsx40r-gwU#_&a!ri zX9%#FbeP^iVn!%B4Fp2$rV2bhq_nCpvtdrOu~}XmIupo|BzW9GX@k~jj1;0)twn}z z2`P<<3ZK>Wq1*tIPNSEmQ$fBoDmZXjSMzM9C%I@#s6<@NB4C~JjM5OC(rRVYt;d?g zHB25!dx2Z7q;n!ya~QoLrTA>kFmtG?SlKjOnOS_7Y73cWQ7Ps8Vgn6;X|6z|>sp?Q zvOUUFGt9`4B(~|haY>a2QL15zHEYzd8bhAolPsr!1Zg)vR{syar2i*s{*#M!A}2GL z<3FEe{cDYm|@024cba_M}iNOsGn|nqsW_gyZ=p2!$iAWqTUiMRc^LWw}1jXnnry zxeQvHDokG|;-WWdRnwKRhZ`B)p+8 z79~cIWXlbOXvw~1_u5%NE0431uQU=jH69J%Vv{EGMT79fHm~c0qCnSL>X`H(ZV_4R7QtY=$Q#)^JY4*3NPHW!Q!!xzu5IW%GHk?VooG3njCqNZZ3W>3D^+Bs z9;Wjxtrre6n#vBGZl%vg{W9KCMZAS$DRMYgTAh-@7nP)u%UN2Un3QPDXL~eH3FUFx z;YMn|(xx&>j^#nL)9n*px)~KK0s>SlCFQzhQ7&i3vQjFh2WlxG@tkb8Xw^bp2lQIR zkQG~8M1fAzYP57o9rhu^SI2oVYAEe$D@7sz1`cL==LJ;u1%pn{`Tc}pL+ZD=WV#?;r7o~TV$U8NR3!$tF`C<=$i}Qj&^ut znIj6nJ?4mw4!Wcq>#Ht2=JMlSsJ>m(*64h7;T?~h_I4M)$>}`LzI67%+N*`*cjeu^ zuHEX(8~#bCKepL3CyUszB^qO1OFelfXw8C_`jW&At#?Jc8 ziF@pRDjP3;YuA@=7v2Fq-vqw#UqH_`@9g;54A^AvuSZrGZRJcZg^LdLN?ZI5 zD*V7-dC{qxVck0q5x!w=ozi&+oVXg|Bb&cyv{?!J0=dUbOGylXW*Z>+4q(d++?zvj<5J#qt^(pS5P~j2CTgx93-Wttp+eaA$qBHKfPyop;cY!6sY2vF@Y9 z?zf$dJ#@}#dw(z9>5!w#)BTS9(#Fcqu2}i(TYt0VIX}O2)lK(Z`>8u`cx|5#VgG;k z|Npc2=R@@WVDI5Sz#RYiMC4y3!^x6?G{f?LN`@m|1dZ(Y1Cn8n`BWyuqS6=(iU0~s 
z3l^OgGD`prf$qJV09HSM|0J^`KVl0`N?4My4FsR}~ zP^(M86_hFrYUAFNC!}28Hp7OMl(Zm-dyM6BGA3I@YT%~ZGyRG9O4#h<^=g0$M7IzZ zsY#|fyK7#b9&@b1O5MJyfheT7&52tnh9x!;rbgkRj;>Og@)KEqIg#+ zf?~i36P*_Dng&~rVzz|JfX{|K(u0a-M0Ryn6oy7C-^-;>=O ztx(L8;^coVO=QRKlqO~-#-z+-P_raZ>9zCI)>s~sK_|eCG#g-k&q)&6DQN&40#!Lq zleu;WtTfXj1%kX}*k$tRrk%?2EoD?qJC51I=uFrXWpbp4EYu}k(b0Rb8dW4(#^Ts6I>~+Zo&(w{!A`epnSg4zDt}i6zOakHxI4#JfUd3}sG%r*v4IA{(JQ*YD z7Q}z$#^-h4DG6m8E6V$rO6BTeosH?u|=uvCM#S zy9yOX>2?Jw1_iLFLAG<^gp@RJRzF$ z`%IVm-&kv$xz-P!{l&bFPm< zSVASPgJR?MbiyKbF>=v-gwdSnQc&8#YQ(hNsz+?S$F~TGOVQo9PFtOE1mMvGp7MCm z)TYsM{{Krb4VongKK|ae=mOLSY%)b6- zf1Ubghduifgc)lPc08=1sD&!xM$QEfsQFJy)r^V|`kK)8$l)1v`8p z7dKt8PqPt#W%Xj+FLdh;UnZ!u?hoo^B_kwMUvZ@gpf>3~2d0VqfKsaXsNko{Y@IE1 z0$LRzoi0;7qw5u#C9Fi3^{JN6lPFn=(iqflwkox@1rP%}^y5*2*G6g)7z2Ka5oOgK z8}z7K8{x_rARF~s)1a9sK#?H=R`3B?7gW-7D+$C%l*Xac7Lld7DTLyqp+%?6Y+P;t zd2AYWvwUVu7*)GV0zEDsl9DGQvj+lpjt$MRp*c1*$A;$E&>S23-!4n4=by&@A9Sw% z_ld}R`+x3UA^o|3fBz4JK^U?G|9pu3KQqnw6!!n%B!Q9u^pWSkopqwS*#TYq+UGaC z|L_&=YklRW?TefIBsV(#oSXK{j<(w1 zi*V!bowe9l$vg0hFR}Hz&p2$09XG%A7r(jY1a^%l^9LnbXWhM&t?XZvI>YdojUKuE znXP{E!XAh6r6(?~2;Vv7w!?PWZY_rX{_`uQZr%Qxa~og2dYR%g8y2q_F0<{%Z!Z4v zK|AgEwJmSBd()ePi}$)}y#;q(y3*=b*00!=+4J&49>30g^O#3=p8tpHMdGGsUNa2$ zcp%4kYu&qrUHaqrI+Wf9xbwiJ=>OSqKoTRuyu6Y(>FGbx~KWGn>XL`UK?N7O8MvBeeo~%xgXwZtyNB6?b%-)xBgz& zXOikJi;k}BxV3x8BY(K=Pm7V_2{&qmw~qMy?N9kodH<9Cw4CNGd*GuRys+E)%f!#V zYA?UeDeUCv)qh#udea>?ssEta+4FC!9*5lj{p+um?zrQy?<`pS<3;;k^X+f`<}0t^ zTi)$_hEbaauhgzEXZ>2!DYAD8%3XI@W0;5vGaAZ~; z6_QzaQbe^@BW7x}88;Q#N!KQ6yW-S}SZ3_NNY`c3RU)T22~%+$ze{jUMH-}9PC#PQ zvX*P1L8hIirfR;=P_R%m+i1Go>eZVCxNXtoEEDfzEwo+E!)-TB42#vo7(|MjinI)t z0Sk6PCVNt@V%S4VPS=`9&o)|VjtNTu<`y!84ywv!GBVL58ep!T6y%AZMVX|Os#zjm zmaqwKRFSyb0Vhb-nn+o$&5+E{BO^~L!VsNsU8fkJVv?zYV;n)iwCr_Z+8Qz`+?a?B z2`M(X5|J6=0cdpCA|iDEt zZr{KEhjNPw3JrbM>LM_%gVLk~VL2ONs>57Eg^QfwWCJTUeKgkSFwL1oBlHYNx1*tp zH=8LA8Ebi{)!?kwv_FZn7N%I~0Y%$MDciBTQ@OwrN&pabC)>h35kpI(#-xY!s$7OE zrrju22XbPBXRC%!6tM}Rmy$9t7`b>ard7892ZrtVyk-TJFz_;ceFDgKtDaThVc(c# 
z<$5_)&g4sMz3oJXOaVE;O^=JE$T4lMo*%>*sc=veS1+y$TsGYp6M zaxK$g7*8*`QT6GtJG)Dr;W!KMh~vsg zwO^%FphclfKMaf(-o?oZF3V$>>Psnzg{KN9Vfi40hWMbZ`LxrZFa_NI90BazCv3TF#3=FpHRpKAJqR-|BwD3hAIb@@i>(Y zS_N?l1d=lL?CS^j{_uFQD=9srkcn*@Y0~vdyEy6use#Ul_|%I!p+=0mFrVmh88U1X z1}A|;tC5ml1qYbu~+DcOsPqp9pz<-}@|iJ=V1lxgr@1MQkMRIbR1Tz3*x*Sj*- z!@cp$2Cy34Ry#s3ZdP%=DPdKv$@KFynj1?L*rW_R-{`LzAb zZw}tLRHE;(cX{rTwbAaXuW-9R`e?SA-(;=dZ_8YJ(DhpwtG>KD`Ii&h`(C@**>632 z+?VdZdAr(nYhQNXccNVsboYB-Y|lIPsgQX4C-$wGcSI<{5t!? zg^wP*{-sZgr>y^tuicg`eE!r^y+wyEf8ePP|MHwKT(Zu-%l|NV`CQ;PgKyFB(+^NnR5yT#q}tWzKO^HT7iDF52|S5@6BUNml7 z=g_Ih*Z1DxZ@c%m+p0S6_j^P0cH2Q*m9Y2TdcoTQixIVX3s0VG^u@xaZ*H>d&laKk zUFW5a-R92MSH0q*c)i>kN4rm1Yu@OCb^eVEva`kNod~Z)|rEi|SI(!p!*XK^SW({ zD=4bx%I$<9{l20zt_KR{_bmizIDMXg;Vc8_?{E)yZnU5PI=;y zJGR|_OX&8MbEOOad?o+8Hy`{M_WzFm|2Oadf&TOSH{>1uGspiw5&0O|`^Pl&d|E92?J^mvkWkp5HjEaa;VQKl#htGaz$#1TggGnem&_f`t zb&G+VVhN6u>vbI$g{ ztTk2D6zBQ`U}m903dhR7BzBy5FgBt=%$a$ru|Cs|25jcFj2b%#D?xqE(`x{(7@peETCyBk<6=ACN5MD? z_#B_gma9cF4Bz#e9RdN~VE`=Qm63w#=mtwPjIm?6{{W^gIys_lFj+YshratF-0 zb)V>^axEPFc>E^|vQfK3=1{&eWTveca7zXuFu7{28bw7%R>KaKYm+hNQlm(>1tFH3 zPEK_Ike^myGbOtwYCDsm9^l=CQtVtN3t6(>6nUFYr$-znrqe=PHv*WLwEJ$hQFIF~ z5$CD)M9z40J*E4_nwP29!WP^LBEtnZGGwz27Xk#aUe!#v4u~Y_g(WQ0sN!Ipj}%OZ z$A}8VrOt$jQnhR!CTy&puRC=aNl%A1RO^cbN@J`dp_*W!0bK#c5@=31GaqCpG6J%u zSYn)3D_gXU6dSa%)pWBJnGGisYE^>Oz9FiVP#arK{EEZSk2)f0kzcTcLsIBBxq9J5E_?JzW%8zyzIiZ>FfeS}zj;&d3lDN!?DNnsEVQ zfTamF?h7i);W|1&04iyDTxPU zGpEI&Fd3(7wQ!7Q4NtTu)rzJFlAp3ldb3`EA!}+?Fh42uU8^k($)=hSr;G-KzJj(& zEI&dODNVFB1dVj5Hz*c5*_ubpN>B?0gCOJ)=lQ90uZ#6P3!UYi@9zH*gH0)SMmbNzDLJBBwAf3POH!6I$Z5_j zp$vrBun%Wz)qzkq#+{L-<;qKvs3en}#X^KiV#}>lC{XHJ6<%y$)l!mD3P4#dl`>7D zPLFAe2SBjTv?gMiAi79Cvfy-o2(J0!wO_;@+>{puxZos8>MeL5q7VDC!GNre40nA8c zs8WhD>?oU|bk7;&p#t9PR7}Jn42k!9xcmRCTF$|uIao9Yi{@a_94wlHMgQLlL_+`L z1K>Uq|C#&z_a`Fn;Xg00`|H&n`V{aVf`kEN3C#Hr{0I6J@*f149SV#<$VcA)v+pab zUHR;~(<76|-=djwe}8jA-~6a}-isIAZa@94AFsB`KGOa#+>qbpxraCV+{@qFvU>SpV&PAywG{rMGsx4{_~U5D!W zf)~=gwkBj1>f2ndhY4{Z`|v<2c2vG^n|sZp|@$A 
zw9adVsU)*rS9mKsf;E3BUe&Vi8 zH$9}b_&nrK=RR}%mAO~He$4I{KK_$Cc7Ais-|Y2&*t-vC$EkBs{0uNaH1y7d9_k3N zdZ7d)%d%x##kOS04kfm1%a$cK*^;GDXXw4d(0ebTgwT8MedwK#5JK++c;@nWxi`T7 zGR*(M@b3B6@;U3Awd^HX+TZrxKkskf{Qkx6wHv=J-hI)Dn{0G5;;r6q_-JcdB7^V$ zad_}nyh4%l_WbCbFV`R`k$|}G`EvR~>_1YJ8%t_?EZPkI!~Mtpf5m^W z$s>@yo==@${}JZLe+o5l(9V{SbeO9JSvEfcGMFCo(v+?BkWwejDk@J_2rF>$23ipN z0iVgbxg=?`5~s*Ig%la9;1#-^5>n*rww+1=#jXgKTp>2e5`s~WXHd;EA=jrxAzt$> zhAdRkNKQ55NP?7Y9|f}`RBw;lzN-eQQ6^UaY=wx|tDuUhrti{rKdP7GjZu8y23%4w zS&)l&69^_@a8ni9jgHzMQM#x&fjlmh1bAEkdP2KE6&f|8ZwXL2?6IZ3%B4!#M5D?I zAT${P)hM-7f$QlU7IRyC0x~*%qQF6h1e5u!2-F-sg_WFUS5|5U%QIEm>{+F5)2!93 zOd3m7N>bXj3J_e0rJ7)J@+qgI$tk-IMhTe3Mheg!4i|9$A4bAVT~lx-0hdiCw#|uc z+qP|UV&@AcnrLF%wr$&<*fzh-?pE!;FZaE>s_XW_J%_KGq|JBd0y`ubzvl2&M}8=p zXVMEBo!LOX_MO|RltS_{p0)v0yNV`QBhXZ+4C041LoTX6Wf7?pXCf>ZslM!(pS4kI z`8M3|P^GbR2Vl?a|taVye5D4m(h!Z?eOa_coH?EvTue(|Vu`FKEbfWf= zELNzBG!k2+Duu)Fsfi?q>~*w}eof?s1=#TB9j={7qfV`hXbYs3_zAbU8{=+o&YU)B zMpX%6TY=$0#^54d-c5O~ONH!8sIu`fQjZ}1JIPWd2@ z3afk)e_V{z?1Tjx{=!%-eXv4umV?BREWa+5NiL;ZSaswaOpkhMp>}V0YYgJPGRLSG zgB7!D>Eg?5c!{^$(yxp%Jv_OTA(pf;bOZtItH-dylpr`#7DEhfN^+2xb$afh0IF7Q zMSEARQng#?p?+PRTr2!x9K@!UK_=up*rX+W>q^Q5g zgeudm(wyNH@3YcrUe{#IL~&F1Y=Sb9ohif)Zro`gM@Hlsb}CBzxDPr1D@o4wVq zGrm951NSchpi|Fnj@sa2yVo`EGH`OmUkDbd*MihyP_zsxf^b@ipk;1?stdGSL!Nsi z`Mp?#)wv0^tjq+nsLY)j^6^I!UatKXQJDga(9rMeVQ9WJI_-;Ed5E!cVu@g>h6lnc za?}Eu^2wvOsBzan7>H9I;i(vAY`#h`p3GC!La<^kk1vI)qnH>$%sR#f^=S`G5F*6s zGs&|C>i5`X!sz&aEl^N-A}&N-8z|kSrIpMA~#S|9mK11ttr(#94Kk^^ouX zjoX|bc_^;N4@4$5z?>Yi?n}Xk$|1&&*H0)>>day%*dqS`U@q`TaJ2uQAXgMIx|oTe z`{zvNf@0(r^Yvftl$K}161P_zyN{#u21y1Y!0lU=1FzXc58{y>f}!`N&U4nUMZA&a z7Y{5rEd4|Sj|_zF*7M&O9&_&RR_|?q9lwbo|E5n}R$%JZjq=URbGD(kWu^TLq3ac; z;nhvbl*VrLno;mc0)cb;(3UUjWIkZ;BKP5^1BJ{W7c(OKigm0G4v~Y7&oTedbC6H zcZ@dA`NP1?-1TgYMenuLtyngV&=9k6vX0R_=gx8%<+H>)gYIDP`Fj=A@zTks(7s`< zJA=q+Ka?`NE(F<6`E_a2s)y5q?=!~!V+IZ1&sKe;lZRvEiI@q-QOoB$*{$r<1+Djp zRoz(ny4{A2%#Mlop7;BUtd{ooLCzXM_@&?(hY9*y;kPG!|Bgof{RCr^IG-6GlJ*b8 
z`?CSvX{h6m)87wGVG3v#*B^UlaI;@M(?B@Y&lcdN;ECE7ka}OhP#Spmjd%XB>1i~L1+1ihZ{6b&08`sIM?5v+T~@iup*;S- zbre>)d~{9fM1Iw>!gHszVLo=IJQ1rq{i0YQeICgYw9GlP%jWBn-*&hx5OCB%V)?Md zI%bhk2CUB6{gz?&e=bKnW3U^eRaj58rkJ(SJr`rn^l67FbvM@7@iXizL%SPT!&Zry3G<+tCbd<0G(J_hsBYJ89Z6%zYMiI4{3hPP z!vK=JG|rd`EVK^ZYq#RtKIAvMQ;-o>fr3I^p^)k;nJ^hW6&Wg0ACKFpjkgmuE92vi zS`M#j?u3Sr*pitgM*S%g&7Hq6E~n6~SGd4Ec6X7REFHx|NI^T_YVim5x0m!p8BVCQ zslPbFf;lRWi%N@f`8vtL*7(Q= z8($)uVm%#;z{OPD3UVEG7Sk|-_;5Cv$0cY|d3t<=sB}~f+0QZUxqX2>5AH3Az1I2Z z=fjwa`XVQxA8$g|@Ns;w$^B-*(0?VS7G9glS+#$%?Uu@d#~rK_c(7HvPxv~j;Y%es zN8K#eh9=7n!Ou=5;{4{6X%Ujcq&77G@scYzR|}wtg7{llm>P&M=OtTCJLM}UapoLf)VGN}UspGZj!%)o z7%gcPYTdg|m3%6N!8;sKt_N93VvfG*-=dCPz?{maszbhCe1e}&G~1S}H{tCcdx)G& z9g7wcBTN3nO39w3E^sv0L2?$P6e`74znrNw1vlKREm0y)}-h$Y?Tjkgeo z2;=YMf{!X8na*yxlBITs@(0%%!|ts)!Pj%nW0`)ZxH ztY4bc{7pjRv;Gn6jPLNXDN{GH$y7jdx`es8kC{)6p4*%Mcrc3#G%c%`AwDmv-+kd^ z!eL5$3^|XU-QkB=oa~-^^1RgiP`USs{~0u29YR*%x>TP~+3CP{>b;GxeLdGZFStP9ESbD8y4=U# zH^KDzHJg)LLg{AHg|Te!D09{)fC{h1+}fSuJ2K|=7^~J zs%f#)@otOt`S$q*(>+Poq5_y``D%TRqGU+>d|}m{WD@vpZ1hbTdIGp6piLW+p#kVE zFWTHsBa@zizj7q;ss>UnuR88VG#i0;Z})3g%WVg49a9-z1fJ)tih9rfMNN~&GgmzF zcJ`fqLYqws4H=ac^16qo=hdA+e3Qn_gp^C?#k6Qyf8fKhi(#qn%Q{3wCilvV=QLi| z=}hj-ZK4*DAv_DKd$xcLe%(Q2kNzvhZp(Gf%fWyPC*N04r2kI0=TNLhkA2q5M`4u50HfRtN`IwsS-fbbZ^0@TET2}K_wa9_;n;#8C zdgpu^hn!z~pC_k~d-s4`})nX?e#Xtl~CIKP6q;y`GAa;Y4lrsQ;21ZyqlAW>S%-Uy#yEM1aMqTtTbN(h_g+$4b- zk_n|LCl4~1PXx{aiLnsOl)LmpUUNZh1GQ5kj|xUbKJr=jc5I_B_fh&q8S_KEX=6XP`Yxn5wb8x+RXC8p?4IL*XFR(xWZs$ zE<=WO3PG}Yz}VXo#66M1^c_MXp~rXepFEzve{P@8G2cp?jEma_H&hn6NCTBD zmO>4RwLz))S}0n08!DdR+*%~4>@ZBYJv%xH)*cUkc-{=wB2I+qP7Z@&LZ^vNt6pZl zKx{jI-k;($Ktf&K5 z9LtM7>^|Sr*oN^{3ZdMPAnL)IzGmgh;M6L%R=G(Dc?WD#7khTFb&_c^+0fMQ{$^No zW39HNTiHZqwS7HoRw|yr@)VM>)fPR1($wOj2SIL3Ls9KfXDkZ&esxVrUt%CbU zLT;JptHgZ77(YLhjD8mLN3%hUvjPYhd9+-FaG7wV#+2FXd?|NjRHemKZ%6jLMwdbM zjHCw4?!I1!mWvn3mZF(Gx5~zv0r>&}n9}yYJ#Ue`bWaUNo6uxOuQvR7`VbrH^NAup z#sKbRgzp}cplI<^f94@h1VT&vV7-ix=I8L1TTpR<)(2w?4S31ez#))OTO@EsSHZ; 
zPQI9+D|^pu*(H$hsL66j`W!$cWmfaiCR@p2wF7Y2i=5~j;8{h%*}HycFi?;qM>K_H zlOe02DmX>xG2$LJDs-hEn3;oPoCzS7#&3aE&W^Nw1sMy z98A7>B7JKS@a&hrjtx)NqiV1FnjdApC!$M@6seAmt&ZGz{QD4oH&QtU&YPOIVEEl( zLP1k1uQY&FuY~aj+2Rpx~C7z+>Z^@uE+9D0NJY$@n=M})es*g)srkvMERl| zEZ)P9{t8RG5v-8XA?SW|OnKwE{|w;d_i{C)`m`+nno&gEdCCEs>}$-~0sOkFU^g<{ zq7>`}+=R>lsBkI9#z6lG&I1s)UE2r@x9>^NKpgrk2pTt&v)&SP6?YB-wo+d23c!F~ zeUcl3y#n4!)>jsb%)C2H`?aV2tS1^sfPksg`|+xpIY+vI>9pJF8UsNL?-103!y5kM z>}2=Pc1?oTT>>mYr=59O{G}rffYT>wPMb>z|8>``eg5Zgbj#MSXP@;LO2(!`W)H&m zQwm9jsuz-2c>r`N>R z@#XzAO~Z0bHqYx)SS5~TkE{OYi+FpQrhy&5i}3z^N>0~j@=;S()Ac5BQd~2_esQN% zkm#%7AUMaq?O<*(<6p&6*Us|Ohx5_AOODUskei_2YE{kl=2!m^QAD#7QhN8O`ZZnM z#?7Rt!S?gOa}?Nh&vPR05)@~kHx!Voc0)*LZL}M<7aj?a!cC$agvR(S7Yx#I(6JD z`*C!X#cAcy?Ry{2Zss2{(Xx74cD(=8V3^tbaBWx7ylJ{sgvqV(c6@R3m9}zm&*1vx zR*}hhT{ZFiO4pfP(Fqt8Hl>f~SLgjPg+D=s{ivWUK>^DIh&nJ%v9pRbYo3yNNk|0b_Ql@-%drR1S~6cWn>Bh$~;Xor2Qt$shFxI-9>utx9eycuof*PM zDIVuIg!&(JHRvjImHY)`BW599-O8aXVU&t=r;X|JW zb=%bsEXml~F2t09gq0llt8&T)BB`R=J9^=3C8H`G{?N!7L^z zVQL}V-=L)YyF#sNed4L2F&K&EQWA=k2CLA=KDb$za>uonvQ}3`_^ykzP^l8ewTW@l#Ll3r91-CX98~X8!TABc zJ!-?BmuC@wo47K8-Y0`aKy1Yqhn-KL;^^*@H^__O?)*tsi>XNAEi(X1 zjy(4qmCmrzDve}76|Vd8Bw2P>BT!x_gA#YTF$huG%NA9a(cwy7-^@i;WS*$&To<%05uw;TwG;unr z*n}#OSAMeCldqc`Et^YrA_19u}go-a04uGp(Aa3vl<*Q=cz#1xB<6-X7z?-w?9Lc(ghvnnxt9P8&6Qg>bK#-jHdNqb~R@-O#!e?P8t*)F?IoKpDsV=o|ZKMr-7!ohdezR$w=%BkmnYO)L) z;!%^11YC1XOX6r#?D^EW$&@dCbvGgPp6>LydbfJBfA18c%;5sW@eUu?C{$W(eYb}9 z+Fev75Vd-4N7(Yy5ny$gzuZ8$#76dftir6qh7sL_9T4Qu17+;n!q65ZHC=0VIOmEj z0z0Z*7jcoS4e9((Ml?5@{7l!qbTfT#_**VLx0fe;>lRqf`8!rz-lw>HuJvtgDFr+) z+tMt1xZj^Up0~GMl3H@!ZlYAv{5&S~jgS~+Mp6uqs~;tn^*!kBPQrZj-bOGCaRbut zHg#B?&u>QTXVaYe%KKbeYEKUBbzK~`cO!Ive5+&u#t6&Ey>!FMh1A{l1G>-NDf*ZRv{m24B{C{AgbWJ+-3Rd$uB zR4WUnKD?BlT;gDz8>%wd$7+A`(nYj*&rC`+7-&c{B>%o(S0Z-$(vd>f*I*aJ(Wteh zN4Cn8PqoFQ=AwWcKKdIWJ9DFwZuM4}F%QzZ&rqSM!>D0Y|DoVVB5{c>Uo7ds6g;CG z6xg`# zqMGEF?V@f}^yz6mqY9;ROIfM4CE^D>Sqs*)^z;j8HK;PmMcE{OvRts}69o#9{6uo5 
z9>JGpXHJVri;x=#1#8F$(+j~~D`rtpWWJs3*nLzLCci?cogL`SaErj0f}T;B6<;}h>0gg3t>T9FfpygPizn7 z(1M<$_=$LGp(NvSM71Hs2^!Rb>)(YTigp{X^sH-Ej>9>L81W2uMXX}$kW0(NIUTBB z4DChcYj>llRrhv?obj zJ98;-I{Sv|14q_rRrq>)Q zk6FPz$|N<7Fv-!Lq}J3|k`wz&?FOY1k~s-kzH1L3m)g|H{86DwLQjVd)(GwMLX9Yr zmoH4$K~GLkvmnE?$@0yhJG-SL(@htrDne1Z(=XXmA`MX_q1doWl##F2o`CM+F~DCG z+D6E@D}0^@Cw#^ZL2kgFx8v9dvKy(8mfr)>RF}ebip$-%)Wtqck%bvhYoI65cmV5& zOLTIZd=;OBcjBlWvsjE_C((fB$53R?G)DMlV-$*_H2<+YPQ4Ln9F$()6J6s0r7NPg zqA7nE`LDcx_+&$Nhvs%CP5PJ@kT;UTOyZ);Qu+wMi8f-Srm+h%aS@>#G^f7y{_ z5(!H@PY}zb?j?S}?mG6g1qG+W!GUOH2@;EcpFD{~#o`LgM3VPaX&&=g;dy~e9LL`S z=T%9&9eFkSNcH=Gto#I;zz`XX`1W?~F=z|MNn^2Owi0}+@xbE$43juuDv%UQ2H018 z1oZ#&(hTJ5nloX=`T@*i{u5voPYehE{{7y#FW(!NENC`?G#KSU@@*zbQ(;3q^>wpq z^3kXB<7|qT57q#%ZN38F`?{ou+9EYf5yG{ z7PMGrh4S;=Tk0Tx7$V}oyL*9XBH-{oboyxEzp_(>Y8)!i6sCjYu?XGQoMrJJjv^N)PocW&XQ)qi_$(>|4VPFlJThGs{f}Oz zcSdLN-!UJ$4EbAu1nYj!lVLzMh2!PU=aUV@%|NScpLMXUGjcpE&eRTFmk`El15Uj6 zmqS0OXM)Zn{rl~=C5NV>=FbI|4hN3UKUE6q8eX^86`OabgdX2n>T7t6!=y8g1B@+K zB}snUyqyiZ`5A(Zo!y^?CBTNS*sZAbQ>0G!leLtu^fDqQ8E>B#r0b6k%M9K93Y^JL zysfT_+sG%P&le`Ql_A4-Gs(9sb1 z93Lk+1uM_`S0`!QPrK?o*PC@mVDBHK&0`LR4sRn4|yydI+PVewIgmP zKN^8G_rRG8LGZWhFECNnult0-*xQ`h!?~N3<8SLzfLKNv{LAl?u=g2{E8xBC1Ciby zof*rlIQd4VA&~i7iB0e7#5$+d2&2`y&E1>@Es<|9B8Rd`A{jJ`hYdDg<x-nMIi&EAPw= zcE~{}mxcyE%*z>s)Gj79A4Ac!ZiLX&Fp+?l9z2V1rY1ROm~Fga0ozb6NCAobNu&;^ zwo}&fQ_6($IGkmuRr?BqgpVbp6{{=`1Z!A$c2F$!RG13_Or%>BrL1_tH1y}S1XZ#$ z!kgDJbfJ4Gu2$AVM7X$1CWlSAd=Yxxp>q^+MgjBcIJ~Ylq|&@ey!ClOdjw}KPuA^^ zoa%FL4qL2H(Ixud2F*w3#jAx0 zKIiOVS3Km+71gw_7Hw-5#lvD(I>ut%VZ@xKzA)HINLq(1Nk6YNFOMZYGHQlDIA3^b z+qs%_Lr7#%!J{HqB*ms1eHiH{QGz$6lW`K|qHnuNw5$@uE_1qsic~Hjbw~@svkdmr zl9N)?t8_qbO=_vCd?=Bcyx90wLLMJiKA1o=l4Fgr8Nn+xYB)+)#Tj=LAruF77Q2U5 zDt^YMKnz_?haZ#@)UY|Or^EFG4GDiSNlM)ZSx3uj4XuavFr z-Db>0OE!j5F}ris!*A2%V62OYTZWlv26H^dpnNrexp7o1=hSSqeeVb|a~twrE&cK! 
z({6j3th87|aeg3l=VFA3Q(0Ppf$DbJ@OMsH^JIgfGX z!)y?X4V4k)Fy&Y$R6)dd&?b7xokF){dqOfr{C;O5RJ}jda6=k;s_bi5@y^k1L6U?KJu4kRP)b1+GndOOINdrNlHj*N{5Y z`2W0%F`B$u>mr_izG1LyuT zfRTZ-&`nBjGismzYn3w0elvc!e@BWSWs62*f&hX5^DrfVc}(CUKT$~mg}{qT7#F-L zz+~5jqR(YW7hq#YL%?KhVTg7{$Dx>s%lx>)u?<_$=oL_1cb+{#*m^x5`#{KN9tL32 z%(`OiI@#f5O|Q6Sxpz1lA7n{N>r;)9=mNy#0O~2D#k)AkS;CPnX`||7?16 z<-_!=f0uX1ojyy)Bkp3UN1|;+po_%&J)igUl7X*1r<|bn*kWSY+p(&BmnDawZtocI z_+`NV)=#_4Yg(4jnPfO4_;SSxs5hZBJqI*y>nOU{gjw3%hFu=hx&Mf+x><={!U#{; z>2lWn8r1k4-ck@?)w-TkM2&TNjl_b~J{d72#Bqr?~RJ|?(q|8_|E0}J#SIRw%THeE;dau|JIs>HVqyzzd; zsXIFA-%ZyTwr%nK3}XApS*2+((LD?xrD*{^?g{2v+eO+cGQ@sYm3^O0iYLB~G`1#t;$4ys940z7!#0}&({hvq-8C>pE z9+(*ko7VnsDW9l)w&c+IM*;tGPssSs931qY3zlNb4?8x8$|zfZ1b<3?O@9LZ^zZ?h zdvxA|Wo=F?2C@x-bw?#%8>zt!mCF;)tfyn)v!el+Ov5;gJ0-EW(yq zsGTk4?ZA;3+!Eq%Cn)Tv7W6KJj;zLZ4GFTV=)iw^Ey1aGET_xNi2<1lt6Rv}rx z+4wr_NTno;A+iGnqR0(q)@is(bQtB%@{HUXt!US-6va{@qD5Y~6T!Ga&Q2#YQH*8w zaQuWZnY>xY-aN;Syf|$3Az>;^*=egqd7Zml8Vo79;{sTCcL{WwxNCd$saBkQC%}$(c8XYt;62Fz7 zatTpIWd!%xx!QlyeE9IziQ9mdtX9s#&^OSTGkP%JxiI-xCa*sQ1`Z6h2^;dgEpA{# zr_;h!hqT|ipgv7RtOGRd)4yyklG|#2G&b6~Y|=zVb?nfmNlrL1&$$>nRi<35#WcyG zW)bFBMRge@ZD3!}i{f4d`gsSCe8@yhW>WE+ff)w;Gt34~YI@uQJ|weqJ^|oS%G~^0 z*Gdq%@wkVcu6CAt_6F8NLf0pc`aC4o5U0f;7Ac9un>^K73H%m1f28`2h7j6dw zrhDBWX4jQ{m5A9J5Rf9jkByPd$Saa~4Yo=s+ZvK>nlsTQZK;#1Xik~z8xwPL95tg< z#O+ys!n4&XR9JZ#Ys^Ho3p1B{O!P@5qVXhABb<_i#Y<>CPgIW}@otgGFCJQy2%21E z>d2S8dBLAVy+HP<>OeFHgSfD$^eCtgHJ9+{ zop4fWE_xhrRl0lIYP6)!MUz*cQN1(~uf{pfN;+7J%AK!Hx!)ACh~L83ZG=juD>z^o#aTM=>ip$Rr4wuc9#4(Ge~I|rONen{5iSapAfMPiTDhbr)oAx#~ujt`&^KhzlxoxPnn4vora76bsr;lAUcrWX0)-=b(dIP>-ro-#Idp@# zKPTNHZS!225tow)F3Y5NUbAZo3Y0@0=1b`f&)0k)#v}~k0YMn{oxGvyT+e?|D^pdG z+;^@Hg<{EoriCwU2)3ATuml%Qf1vd0vuXA%y8c%b_qS9x6)v?-0xSBhi}??a4aG3R zp)n|-r<`E9thjCog$H*+?jE9*OyJphNc9#jjsknhOMC`$KT5zMUXxrh>o0&%GW}4* zg6lW0CVT465+f4rTNSBtD6u0IhqF)y;iZMxDc3)5P8)p>GY&djhdMus1Ho!QZ0akk z2v5`HS%D#3N=pTvMNVKfi}kY+8i~0TCtlt5k5_T3<^PRifCe#}2xH=xsN59r6aAJR 
z_-eEt%h_{${7eL!hn!Ak4E_rGB?`;{B7Zxpl(^*Lz{Q0}V;^$(&#?rYk3uQCx~>Fx zn9i3QniE#UcCy}IoXW&&44g{R9Jg;q?~?B}+yuSv8k^uehNS+r;7uixuEP|w(Y5AWzN+bJn# zoMt&a`*kzTyg-_Nf%_|7r<`H#$?L#PP7m&*&nnmvI)AUcCcO6xmUA?yvzbb-fmKVv z4OiFQnd;HfQ6UBOG?;QN)Ok0TA$>B@h)af)h{V=9{41K>q|m_bDK}sg8SM& zu}8H0Q{&Eu>&$r%U$H&MwZLZ(W6?ccPuI;X>9)Sl&JyESVciCiz+TmFe?~abuHdiw?MTTUE@0mv@WtM*iP__3;Pd!f>ZSg6DUZOKEA$pwu`slR zygueUeY@4h$Z7IR-RiIncfn&v!G)$6itge?FePB}kDrPpNN|oNAn>b}M!BYi)j~@p z6<`aPdQ6OAq9>r`y1qr#&`?>kd{`p{>Cl*OiufG8to!h0KnG{#!MDj=y~%9-u8|{X zj`+_%*lkJSR<5gZHf^F)0tLsjK+s<@QN(mOHKER0XXFh_KXd|bz>$_l%F0brO!v#P z*@R{l*b@xOG05+%x~t#^g(@*C(#%l)Cj7+a6sJp)S=Vn%!sE7|8cKMPI$sEB6<6OA z&981>*4)_%>-aH0m{7V^y8JhQdEFitLI*vcZ9z&~&30dajjCm&shDKW3_`<=3-bHX zN`rV0VZ*Sz_tE!P{3Hp;oaure(ZHlvKxpuA;En{Tc~0Di)0}t=S4<^-km`3~Vu|oD zk3Wuy#Pyrj>2;irfOB1|&ZgQjXJ+EF+;YI#<{^QKWyQMibFA4~<})Zqvq;kh9U7CP zkdg#tc5+P|`;cQ!!>?+!=*eM}Yt!?(60>o$HAMGcwe`zS1p{Uc!TtS5+-i_eq`viU`XchAK$+^Ms z^>1L<-EmM}(gkyw)FErO8Fv}PR91=>bBzU9#RTp-;QiBW*P^SFgLl%)GniGEi;Ugh zVqQc}4GM8as7iBbcaTtyBp9I$gsDqV(aGit-(c59^UCdOXw_cYC5G6b?p~P~;zt>5 z{|3mLn(RFkoL>Nix=dzpRn_~jofo9LZ?)s~%;D=$@V)`4Se&~IZ+M}`jvz(;sKB64 zNR_42&l1j;rTdo}W4!|4H2Lcfa8%xUAe z=&H!~-RjD2xjV$W2o#>Y%P@O5pa zUZ{Umitb5T$)asc0!&=fRM6$>wYJ*IM76avp$v1VtQPPz%5vrN9yn_Z<1x!20g&2{ z#P}}CTJOUEbY@V$93b+}ODs0?{_Atj*cvAooCyUA7^NV^6v2zYyHh_?OrRAmil~BF zl!WnxMg_Il#PB>$GS+Fn!Pss1j~_f+Ax*Blg%@#!`}RI!eNt8NrnDim*wGzR@tGz= z-58RKg;@y_XSoLO#!48JVQ5d%tsqfO4a11glL}l*PO%>Aw^a)G<(pRX`bpS%*DyGmJ zrev$+Ztg-u5}q}E@2NxcIAu^Ko+1!YQR`B?qD9G0CZK$D%j5Ju7jCda{z>vsJ#OT}H=mE|{%gZs6;OlMy)t`NI z38Rd!mRXnisgi2j@cpe&pU(F)d&|TbpOe?e*sj}P(U`6y)%&Fa_b%tdoi555+Z?wc z`GseL;}BiK(3>Q<4qx91^8Mql+86Do>xm7(cuTFaop!$8p{dO9=OV}ggwgBL>Yi1#b;B`;l>S>v7 z`TZCY4-0CTxrQx=eiLxofalw~EZbpog!;bO^T9g71Z!SkZIY?(A$k(+2o^4nKfJ>&Luo@bu8GEaQJyHE95Gy_-XtUpY_KJ}P=Nw0ude zg4fQG&bNO>DhyR+Y{hWmtLbFrwTL$fWNspgj%@T_wC@~>m~utf-|dZT;J=-rvbOO5 zkV>)yRZQd@@AjXL!pmA&dHd{BIl6wve>hBWtf}p9@*y&+ewdFNKtt?th~8Dfs&pQ+ z8Y{58e2(>T@U?pLcl2$ZBqb8~+}r~AN*j12b$ILm)`lKj0D_iR`;zu=AGeNE>nG)5 
z$9ldykdfQYGi~ocr^rLaFQaXp>uh&Jbz|&hnskZEP z#_GrJ7NAG6^^ljfab%S{7Tsa{>9^p;%|!*CulqvQ)M0ibaMGa#IKV6DuU_2RbvumM zyQw?>&Gf#7RYG5<-p6}X!&!-^ z@44~t@I{;RbhyB1*S=>7XyXThtpfoEKw!tmz3Ewxe0xCI2T*koz}bt?lRis03bYR3 zmBV}W)P4~F?qZIERu?8y1oNQ9QT7y#e%OeHmX9{~;4ETvj{x$=P>di;C}ziU-R{IF z5?eR57~Ff_h@NVIfr0O|nVJ>uXQHm_Z34~eikx#lfIv>Hkd#p=gXvkqm56p31c4z99JB1_ zB}aB1j|xIuCrc)nr6DDEs0!9LijZntB1B!xfHv614WIgmPCV>zNbHM*S^c3(^h6+_ zLp5ocPCxWa7|O1+foM?%nz)JP<|40OMFkY27+l82hsB2~I+n1Q?67y*%D5^m-N1h1 z?IOma&tCcy*bNyZ1o-&006y=kh3a_vEYp5m=8m@%i`7}3<1mw3EIDsmNHPROlA@>} z&;EuZ@UcnmaA>3Fb)pQz>@bZ_yt``@D>wird2p?U{OMYzdW1}k+R1#3g^s8Mn+xe} zyi?zgi=uR}N=l1Xu0l;&J6>9Pf%s3#?6q{O2}NsvqyRVZu``B^iSkmV>o3$FZ}^O) zVPg7OgDo4gb7g)(NXd|(QHuds1IJ;^8C~S-qd&e|G$oHemoRZ*Fv~72*0P)ff_ali zT-q|(cj2Lus_pwWz4UDN$v!qK3Zaf*l$ei+2 zv77j)_{%sZ;?!qm2ravyluvEe;9;-Cq7JF)WSj~}sePML8BB4ymo5Xl5LKvFA#&S) zeI-)yq)$>LN_<}Li2~q^v~>znL&6e(-kX1;1$i7&Kk-5Tm2y2*{+>?P3s;;kgG_G- zOI}ss=Zy9i*LbM90}sTL{yF25q@%uP8RuEEX0!JrcrlFRA8P&bVZ&jk(%}Zqw$u`w zykSfOzkc;n9g5(TCn+_3I6d?AE4w*3RA`N!OMJH2`U3p=og`b{TX6|J&$TpHXbMBA4Jr{zu5G-8- zWpT(tzEdeaD#-Sn`Gp_4I4qre+*+dLy8uuRW(wOFHm+*i8EKp8C zCfR`D_G{)kQ>QF|vn6mi;f{0Z7hM*?4QW6GZ3=Hjko|~*dks{J&vh2aP<39*7G9~K zSeW7w5=ZpoS&)}2pb*V9J&V9|MP8|X#vpQ&$12Yopte06w3f8)P5a=YD;O#@RTl@3 z(}DTXtB*Ms*|{sJQMTOI_h&gKF(4*gy7?a&WJ+uzb425Ve~(Du3lq*M7)3l;{rq1c zQ+$-(L5zmWM4e_Da%OW`S50$2W?eIW2*MV;dJ+U^E~E`UZkde;VsN?|q!5`5GL#Z@ zG8V{(^mQqz;b@YdyabhExT4#*e|!Z^ALkpgMlBB4f;g!poLWF1eWN&Zwz^YhN*=_h zL*+?9ik+%CawB2xpUp92Ofp`7n{#NsZg7)aCt*ZndFzQ_1OS>c0aKSwuop`C-oDAy z^dF&YJnx42s@eu4A8X4SKfYe~def7YA?ZnxmNA!ugU5COb*)&h#7R)8LHZPbtR}JU zaM2Mbp@Xw_&FCbJn+({&%f%9#dKJ<=6p)%}hEZ=&`s#WVSy$nv= z=0$jhJDoYkR%rfUJv|hc(yBvVdweLYD7=wFDr)1hT6-Kw*cT=a#f*YjN6gUsqYp9WS58jC(sWYM!yz~a0U5XrU%SF5pcVB64DmYvq>wDZR~Ky`fMFPjN? z+GW3Y@NFT-j$-{8nJRT#p$aLVI`gbF#YQ2oo-l~6Dx&OvG4+*QbpYFv5FiBC;7)K0 z?hxGFJ-EB;!QI^n?iSn$?(XjHZs(lG%)9H(e5oJMYp?FTt9DoMCZwK@CgPCFk*Ke? 
zQ5s9>ZOhyOPfd`+jvOrh3nx9hnjT)=Tu0#F&aZ+7BQG8xh5WZY+bAIr3S0q>=+3u0 zz%*E>7cdGY#R~c$Mi2Z=4VC!w4fh`K zfsuwc>vzSM^T1<}SsU&H^J&1{I0?73)#oY$;&kuR(L*-{{+rU#!?fNm&yF6KEl+&3 z?Y4S&o93rV-ixQ-4z0e+kM`SlZ?uA3b(49L)82=OuMf{0e0=VU{69R$AQ#`$d~Y~k zNGm~SN7bop@YupHQP)*&`mI;r@7>!?S91VPCy5m9@{Jpe6S$*eftb`*k%P)9b{?1?@Ehd#lAGVchdHO$RWlVY}UEvf-)6XZYH{ z>FwsEABz-hUfq!fm%Dy1xsP|J26n#zk@!J(Tg)Tdjz3*4@_V@3ClY+$Y3x{5HEbooftQq&b7a`*Aw{C}LXFI?BoXRKR!u!t|Qs(NbF6d$CPQ%}r zbNj#u>|+LGf2l?m{BRI!-@kgLtFB;*F;`!I$QVNb&~M-McJ=tw$&XO+gL^-wPTPXq zS+;n0lj*_?fFf<3!#usCn@F+1`ECu{o-++1(EhaD)!;ecWv$_`x@S`x_|IVVow3Ex zcYc5EKHoGi8!*o4W~=AD#tb{vbKjZp)X-Z=Y*qoBrR?+jRE3b zcBm^k?pcir0>#GNfvtW)B-nUWguMCN=D} zn*7t&bJHr{M~oI?>h-6Op{1ya$N4HK=cR1Lc7P|JnuY02sXi8HvNR!S*p*cKs3RbL zln}@}`Xm?NUQa2a`Ea3~{-=Va!n%H4etIvPLm{g;l$|UyP&fBRgt%#QMfUBisI1vH zNAj6fS_h4=7?O@ag}&I|5JgPD95g*MMHYGJj^|=jAgf;Qb@`QGT%Dg#KF|ht(!scs zaq-8Tp|<0=e3|}qYLW?kscEqZM5mPNy|QM~iC3|Rc&7gHT+J@4@VvYitr8Y#=?t}# zJp04yZ{<;r!LkBJL`^A;>Ub&K-$_8f6CK_M%EcgzVV4b7@uG+WQ;Ps`p><#Nab>9%>;wnUcSYqH|G*6MFZPm~(^f|}k*6~!o z3wK5D%h6pv2ciwQm(m2H@{%sY>gL9xZBL=%*)S&;%VaQ0oSqzyg3++i--~V)WU3P9 z#YeLteKYO>Sf(AXVUP^cK+X&~%C6`&rtfGZn^H30QH?Zhe?x~8w}0AB9-(*ri-Acp zDb5-Ui! zY+I+BO2Mm|EL2KI{z`PoV#QnKHJOgTNV|keU20oZhCG*(J)5uG? 
zWd;(IU6AH?x@YJNyjL}i%Z%@^r|nJ&c<>HTlEHPTC-S3&e{v1Eez&NU7!bo34VB z7{u=(Vi-l?c8RWGo-juh{N-Zi>=0NHhWb`5Kie)~U5M|TkjP*R`7KUNGRv>RiAC!T zzgx{ioF#Q?e7b%kmbcEs>)3ShMh6(W;w11*+zG5&dUM;RDT=z3sheYnl*mDH80YZ&G^pA=rG zp$9$}=OyO9|8hH39P6++m37g1a9O+YcfPik+iFuSt?e0jO{l@=!qo|G{JzA0nrS;1 zmtFsC&xoVf)fuC>w8ajxU93LZQN`v z$9i}zQcZDXdY-@DqkQfQI_r$ow#z_f>F>}KHer3*5CYCxyssMmc)wm*gAQiWkXL;d zQAQsHJmf%cYI6)1dE0H5(0+eon>IPMPd4}9#}AHeL48QW+^W|9n5Q$AKN*;V8Yq;K z*zTjT4V6;9zeoEWxh>#!CPKHohqRc~)+dIa_ZMd7onCT&lZ8}Nx{vK&$)*4<1VU-O05OW2xrns3+JSobcc!Kv@z(0M7^%N^2r zcgOn~N|o!T%vC0*Z|pg^@DVJi3r2cx1*86N=SL4RZk{dsfMY)2I~Pn(o)Ac;{PLqE zSYaJZ1z7~p0Z+c(y(-|VHu9AHY^ZBLWT*i9yuG*>dT3{|HHh*P-FOyf;Ua(WCx`oD zYl@yR8ndYSU3Nxv;#52&VbIO)!a)?r>;@0%uh6eu_BzSFeDlZXiiAv#k3cnOyjStn z2AXj4=uT-&TxJ8g2Z1OK(g~>_nsc{ijI^nUUTpr{ZIY=aLh*_j`N0eA^f?cZ0(z%M zp{Ai|nj52U(q(1Im?VmP!hxiMqvO79Q;mBrp|s7`%`B2Iilfn94O~`yf2vhsPNI3F zhp63H|CHm@pH}{6iqbBclQ!MJOc~W_9`+zyig+oV_GwYDLaaq zvgL@UKQc=PH*RFArEW`bCaWsmg$lyw06(`GuSN zw?H1a&WgqC!iy88JblSl8;;5>D^VYvSL~-jLFJ~9c1su$-niL3be8bifYZ!M9~HE< zYysTNY55J?zk8mg;y!|rV&-!3qjk?JO08S!v6%KcHJMO`csST30;Gz5CurCK91Q76 zFEK^PAa+|vO;(<2RmYKN>MY6KeiyIKI_llJ?9=!7Z%f*nv2xOcDp=1NAfM8tnu0jVdi?{f}c|z*mAJY105K%g?tL zO#k`z<}-DW*ze4w!yYt`EO>df@#QCKci_Lav1tc8QT&{ez!<4O9C)~B!PcGr-20-L zYN^Mu#7SNkq2!~RaEl<@9jq$&E>Tr=|3ShTx|R;xzbnc#=&*%82VZ%BiXQm4S*P%O z)*@?e?0`#%#q0HsQ2~F5Py@yo;QD|33IcoHOP_XW-2Oeom_B1WQY=8ohz?m zW0PY%f}4z^G)0hG#AQdqb2<>iC8=ududzFG8*9GjviAxMNTCVMx5`bt@2{}ds;8b! zsZz?LZA6;EpC%^7R}{)PQV((B%YGZ`;inH02V*`HaWW21$mhBljP#Vn^#`Pxg6 zHiWK{X?E)JEiwQGQo>a z9eY*9L@H?>uh>V@X+)22;;@1~+nu!=PrHuyU(GMOHmt`1&l#heg1VGP*0Y7z3b9FyXV)OPN-ucdOmy`5uw()ci(d&McX5E|p^MA9cN^2?_@Cd}P!j&mS|w1l9I<-zcoix3Ibao^r>hy-n8N zYjv%}&UpnbAKkoO6<^MH?^-so7y`jIE}Ka1+da!i*S2i~@_>)sXMLFP6#Gt>=|0=_ z&03t|dxTBaTwX)(`w3H&cFWa%^^fs}Ugo)sHtalJ&C89!YOnc1_lx>zH97&yO#52! 
z(vUYn-JkXkE9^XvamwNbd0&|q6}kqsU5V+9np)R|t*L5!ez)x|d;z!hfO`oYzWQ+m z;)yApX3zoieY2hb=!rttS_wxF&F& z2osCOn(-Dl)g%B^WbC)nc2e@V)aGJ-F75l8a>Zl&Z{M2uX5{?emG=gd9^jsMSzAKi zv^?jE>-B$U-zYsWas02NCGcl4Vu2kKEU5inKO_t_MVDk{<%7jOMF61tZQklVr}=GV z#)!715>P@D6HFuGgLkmzsWdkBG6RSDEB!L4wfvzj6_wJjS|G*Rg$R8Zw_r;&E6I(i z-dhYlTaj_FJXDh{#>}J$R~z#o)`S95u^g#A#!cd=A|Q0RTvm~|1r?fI!fgi5xqzCs*UPZ%y}ZdW)it%dj8?3l|MlY9WX8b4i66?*Bhi{tGb7ucLA%-4^TO~UitWy8;4jV(?e3wmM_Y7G4I{iG#u3USfid`3gEiZ*3(p~0 zOk<;dM``?3nfiDkMlvPqLU1ivFn{ucI;B60b_p-F`rNl)hL@>BO}t4ZF_bZU$?}G7 z8KF%c8`=6JgT2JQ|4UaP?U*l4RqjK41MP+m_TEIp?7CztU;qGR!>v zRf*`+xp1VGnz(M+$zQ%O%(21QFGZSzBVWSq^xnv)6LAldlCNzw_r(_V%L0f*vZXCB zB{?WJ)^xZ?X@uKL-pZ|^*ixK8R;Eq<*DS8y$wH`!$?>V9Amh7P4jqbT3e*@me-_uK zSLs(jB_Kds)jl6w#0qu=6DM4Avdy#f&%tb6+Pn@X}pFZ>H8+WhZsSOu$oWa2e;H~;YPgJD0NxoB$3R>xHt8vn&# zk(e3Bh5p6)vCOKhnY!a7KJ}sAe*Oz@!J%Z2N8jupsp~jRoCQ|;x$_T$^@FY^mY}r1 z|3Hoz64JkBFS1deOi6$fXR%$v^x@X4v{Sl4@2-xHY~Hbky1-8=X62hxONO zvWxB0u9iPEqGxxRGvUmxlkfWKs5aS;(C|D`lOorhzy&OTMwVitCV?7E!(g--B_MH1 z^5eO|2Zr_)jjJm&KYC%OeaE;+Ej46T9}9+s>E09?GUJorcV1xqFWd_{^!~U5dqe%1 zJ`i*U0=naG9l_j(6-eS>OR$i+Go;Y(FQGRIDqtin0w63oGc>7T@<%kt`Re9&z8m4A zz3F+~x+Me(W&PdHF3-T%*;?E8$f_lLhT z&Rev|bPqfAuGTARx7|Wq$m*XNOS3)J*KVxSY`llMbZWrrFJpS<_H7@q#pJ}@UJkv9 z)_$$VM{zkC6GMN~x?3i(3|5`IP2x6lEr4#TwJu99AceT?H;K|q>umyG!Z1t(XD#OuJ8~fC6aEjU>B6#rqjyv`v6L_hz(XHp`>GT5wPj(H32(%dfTGE zA=XK0U@8=>Luu#av!FUN;qc9HHB&J#N;^j3z1%YZUs%}9bXU2idZqvuqtawIU0&qh z6dWIS_nW&OUKVQw%3EiJI`p|}H6aZ;y&-{HEyO<8b11{^#P4Tz?i(NduupL5R0@ao zf=o5YSDSn7`_|K2T-tUpcALB$-M5_x>K!hhqA~2I$4$mcn7g3IaL&7(hM>pf7;y{l z(VzEVC?}Mfn`&Z#XEnQNsEp?*PF@KghYP*OhVJ{LT6yOHEoB4bB5hLL;%U_7ZU5L2O8EpZ{w|d+v$B zGDm_t7oI`NWO9e1=_A!*HDF4HNbn3FmMAp&ckklFQcPx8Nd;6Rn`6T`(*{`q;-whn zF{m7B){;^WvLm{HeZ~AgYm{e(aK%WPRmAd1KUi38r-;q{m1B<_v}V*+a9cc9MSj(U zfb&nL>>rY=v!1oN$t!RJ^~UB?DpF*5;>c+P^{s@!@|UXE zs>lyBHj%-OwFJ(Q#5>ax;_D_>E{~VYpfh8$;?_W)>CKBk(ikAGDCNm2M&PI{wiY$4 zepnE!VI-W0yo@YRJLs~EcolEi|0PsWZqs#xW?@g3vm_dTXmj!$gRZ&gRprn~Pn`D% 
z9D>J?b}iliw0d8PNL{c&QH8ge5T-9k^YE)+K3b)vkYQwj95dYn`+!6arBREP#}Y67 zC*jDC8x3)K7cITHisLbrGP}G;7Sv{yG0?0L=e_`y%(Cg0Vn!ycHzDG+)yyx1==pO} z%S)0Z7p3xNYg5e?+DteRtSIa2R*HIsyrhwmWy_AW)SoG<{VJl7lFE=gLW}AOr9%hE zxZo2Vp`}ixEqFRn*+~}W4memB9%NyX=1+goj}XFHMOz1NDDog`;2c3vqZ=U&pCHqS zFkpt=n8Xvih9~e7Wzk4sgetc4cz^kU#^&Uq_{c+I*XN03^PYkp4$bc`8$utU#wy-n zg7iM9Y`;_BCN^3rUb0Yq4wE51Ago*_efZmE9(sRxkwDiaG?zAZ)@>H{4-0AWUlI9d zt?y@nekd>zKT<&k%K+=j#y6<}kl;Dutv%>I!aO{x987=acK>On{mD+*~@?vheM%-KlQZ|W+vhsdEAo!Mfp)y!9BcdJfCzoWBQ z{{HGA_KcVk^CZ4@cdX5GT1(`=1(wvHHo&q}Po%~QDNvBIJGN;SSg})0sKAU)OC8v- zT6|HG*^?kInVT}g=&{AjK!Z_um#o(vSVTN@yeTphmczzQcPv!HLy?x%Z0e6CbmQ() zGSu{^SK%W%!(&wIE_<^F9|(fu&U)CT0*d|)8u8Fh3C|uCSvEIWBGIDf{`q@tR0c)B>0YFR7n>mC0#U| zw2|8yVLI>nmp#=rnvZu8dW8skFG-TIk#{1r4@I5e_i|u43 zgX4aub=%%N)6H{$>(J?&vF&ixY3~KOqKc}7@ym90< z@Sz3=ui?Fk*LFilS6+v!s%Jrq_e<1sPY{O80;l$VS(l)wpPTAso5;2&+O`wRuc@Yy z4JDO5&5MsIlr2AC2&+4{OArh%;Bwji;JWoVfBza}*xhwz?B4S_7k4b!!jHS*V)g3Z zLj+#AoaWqV(9pe~tG05tb^aGfOnguc`bVksGSbw;e^v)n=g0N9%{UN#f3)_-?!L)F z+V1xGZqrfkwrnfG}Z_8vo2RP>_zPzt`k12Bc=Jay*&61U$^X|UE8!R zb1aueYGi*bxhzi#cs$1*ZVuDA{g^4428 z`)$Ao#yerfNy{=*=Re=mf|Tdi*=6)0Q$TMuPP-p^ePPga}))wT6K zHw~u9H8zhE9TI}oz(7EHtKYx5-qGYA)V@9lAU6DRlVjceK2`1BT`vwQUViGa&1*vOQrEh> zac1N_xiMh!ov&qE5jboce7$Q)JnvovkDLJz#)dALN+mIwVKi{IN$(DjiH?>g^M+I7`W{lCul&E@L` zZ?_cQm!2cJyYaJhpP@m2MC0$>SH z%V!H14GN+~crT|y|G^w}Ay_PSLtL_^1ifu7y2z$9TapBa;viDIhWg7?x3c9B)qe43 zHymeT1@*YPRoRhY&eRh5)bXWRkJ=#O=w!G9C8?oNHtvrE1n6&qv9RLXS?DPwya;(& z?GdK8Us6VoBXR9#P;(%NR>}D^G|pcWe~tc4SWpfSH)AL|gZ%{obAe+{6)#@7y2Ujv zO+k~hye_34-)ppPXSTwFlmIm@xoC}gz2~P{(Kv^yWA-*kQXfExhB-?zsNN?q+>9?> z8}(!)$>heLiSw8lzJ(L@=u=JZ#3Opzg_v>luDv43E!7igHj5c=L~AB%ek(8?7LSSFn+J0`tLnYFiqc_q%sD(V!<;2Db*ZdbT^`9vZVOMp;j8d4*b`X?TS zU&bjC24)eiL`JGjscB}p%?og#(XjMq58o{L%*s!IA+ka^(quu3xe>Z<&PDb}b28QJ zwp_BV{LFziRAtGgIMhog>_hSrzl{>nkS%lhF9ljdpqt>JxhXnp2Mm@&dVcy8&szMb zbKzQtl>wdTPr9}#4{FliBJ!`yV zfsC>Q?cLvah*7$Z1b;=yW~F_kvjP*M+3;!gMjLmP`AP99r214IXQ?lW{Nc|Y=QFD$ 
zOuDD20tNh4vF#+lwdXyLgV8KGyjUMB@6!b~oZw-=!RO$r^0S%)8sTf29V88l^h-9a zWBW|Nou!4%X;VkLkgsT;98JCT42qLf9p;htK8(PL>v^0g>yo3{ys1Nr#UW^r94ko1i0TzNT z-MWKzfL&cdoM@zcyj%~bS^}E(f{h;CLZxBH_eDGrg*2Xib+L`z5t^e2Xi zVh1Z6=S4O?MuZRo7yjqe}|VC7bFklo=O!8b22U7abz5pw049Ue4f?)wH~v12?Z zseKwD@KSKr1C#+x7c2ni=sY%(ZsGbCSKfzF|)aZ!APz7Gz{5DiNeF`oKOm1ym#lbRMDn{b{ojJmZ%5?}vJrc(v|r zAM`!2y~zEiTG1rtXbNn;5L-pMsjS185}{I>4+}j+A3e`BJ_Tty^7~@A8acrd%-Xk= zMqIhpOiOmes+2u^f~~4OxSRs2AeKSd1WaUiK2?VReM4m?DYY*sO5yRWezoh24<7PX zB+W^LL9Y?QJ3e$+Cc4AzVyo1B?J{kymWoC^LeLGpI1HGFtI!r~lz|HK-@C5%)lh;| zg0jQfcUtq5GRwG6xa`^`@YVII-{(1`|>dTxB2_5B8@E@?&(&mhT1BU53lD^ z{Z-EG4FP}4X)jG+TrzW7~jj%^Vgm>yTcT}8ExOk z(rVM(%^ldDDkM9uJAC&Zhb6OR2_^v-_)P69pq#tMt9NZpi_Ten=^)IgyMgD~O%V8G zLIU)q`eTB)c}o{Ot^vq<1ulCDa$9>mbdQ3aVW3LH?BA9GFp__I&?D<`+OI{up zdl<5-4xKfPvOb%+1?!+g$BEb%Qrg&6?gX@9Wo1<4v$M zNnh&%Gr_AlI@rf~t=sMRf}Sh(=N%tUV=D4n@9}ciAB)yz_c24nsU8l6i>canKG*8o zxmXtaA_Z z@6$b(;Q3E=76pL@kKOy~3mHX<*kj&U!2wvc)Rh! zU&TN|Qm9uKNtyK6X07(AmBb>rB(6L-XFXMio<>ArdHD>cX%#M=%xcxUUvBi54p z2U&Fy&yhn7-ssD=dC^`a5^f<#kaxo3`?(RAN06Fe;}dS#sbXrtWLlPkUq8Zd$M{$C zCJ9t?;Y0ik1389(mJC_ns-Mbct=}sas9i)7OX-bi3z1lf5NxKijw+b{aqvJKSy9tl zT!h2s>!6D32ozH$SN{Zjhs=qM!_t&L-6${uNQk+ zFn{QHDojZPYGHyk9Vs=bULC}8e}(=Zk>(A?sQ&V-OGE;A7mIG)DIGM)x_pEI?k}Nd zNz4+Sh-s?I`Yj8@3h|i1L*n9R&`_`y2T0$Y-bn=HlG?o3LLFsKk9DcPVHO}P;1ujV zpt0hor4*PX{k9}HJqE#u>}RnJ z3`YeQ5iOtMKaZviqJghMbmSIml}f*7#D6qP$=y#$+R+g$)OeF>Oe>`83bze%ke_^8 zesF2$!HvZIGoDZ`j+-DXvxn9wn%enwOM-h|%}PEJDc;bVcDEq)&bEmu&<&9{v>%^b z8Tl5Znf2h0Rr_jOwZG_HmlAt&`jfZny~}ZjCxnes!jU6{-JwkLuz@HMEfR>%VcRZ5 zV?aFm2tfnm|5Lm!z4k41@ia3?3X;hM9f0UYs3ulg_gib@qRql77VmGu(!kFcxC0^N zE760WgTb#ne@u9-(wgKLbimsn@|fZaswF_fr#Op1r7LP`W3Dcn-wE@yg1s^14$ytNS3FU_}mqg-UB|!|6;wlA`A@;J$1{(F|GV0U*d5aBcck3#G zuLr>gX!?Y#t}88gjtoSGaM{FC{B$w=h{#7{Zfc_9BgeFdxoroi@lP%xsQp-+37LN0bq&!ni z8*J7kJB^%KO`EL5JmKCXUY=Nc3(4`p@8C?(U5Jtp5jXw+4vmqBnzcfFls-9RZj4K97^r zY~&QM1^6BO3pM@6jzSVR2%H4|P11_kCIqgm-OxMSqa|jZn;JP zP#C1UFA>FP?_c$AZ{Ag;&F{mU%go?EUw2(I=_qKOAtgnv%!@O173DoHre!pNeCFct 
zPD0P=9j}kBb6fxA_qg}?Etq-hcs$W2>zZ!g>^j{nlE;NUZ|)H3YjW`Qar?d!#_||d zdZKK#JrdV!?7H7S^ZTYb170Q~mM_kB9eqzdHSFEaYVNnTK>gp{^N@KL`I)x0Eo-{Q z#nULW_+3`ruJgR2UXEodhu*FIyq^)6UaYOU9^-V+Kf8eL-RSQ3e?T4GkE^Yo?R$QY z?)m{SP8(51 gKJf?bFhxh*8Kx@X1-JJPl?~1pR!@?w{HNaNKEgGG9>gr+5Ruk;@ z!~F0y0_u*<#h`ZsK2spr=l->DO5i>qr+<8!2YB?4)If#-aB(LSmW7GJcLa3h;Nbwx zp1q^vZ#2B`^r`7of?a`nTe?;&y5Q3dh0OVT78%_O%x=%yW+t}dyvOsQmTBi{uKiPM z_a8(Xr^#Jg=QS@t3i-C9Cv*L-%h)yKI3fV({6>M;`}gI0#Xa%+E>;U<2mfCq%fl#SzV|ugT(C1k5ARuK+@ABl{0ARfDS=(vb<1%{k@p#2&S-!p9s<%Jg_Q>INHY$gfUbB=}v3#sX$ z#7bjCL6@%T^0J)NF@=O5$PWdL7G+69mdB2m2GFZwT)Ncr{1}a&SZ(vG7i9m_HVV5slfgMy?#0^73S72JU8MAn}IZOs1PkB=6tgUQFFaDw@vV&@^lVqVYGg< z1rZ+UL_(R`a>;JiYvpV=-&mQ4=h-=QJ})@M_Ft=(zGuD9+wTg^Qb{S1q#7Y?mb_Id z{fc8cIDg%kn~V^t9vOqERZd#sO6XK0rTgQ;Kkc{rCR*4@_I7~f1S+GwS;FQ znC=KA!7b_r(!nXnBH-H1s7Q7dHOOKW82z<}Jz4oPn#xCnN{&$Wjj)vYLMC{UZRQVa zj_fLm?IXUGhYbay?WP}wQ>c(;3Ri@=RyYExefnzaVk82N1te}Yw#xNvg<9P_Oiz)rI2=cp`u(! zjyoJ(Ovaz*QGvtsS_fi-0C#yV8yBc~ibnTu@kDcqtfTE4;M!B73a-A zw@c{|;eXqW80vm+NFMq#ufVOQcA%Gws_0u`CI$<6$2H{)%$~&i!*+VyFZm>clfZ<; z&yELgI%=OnXBKEYF#xfjo$7Spla1eW24CILDF)r!S4{*p$R&}Ox@nd6X0$yXcb3zs zu}9{*QfTQ%z-5#9w*yG2n;@qz;>7YTah@!}UzLcOT3^e?wIm1bLaxK4g_!%LObP?a z_m68>1GmigwWS%gaYFAxV+cGsE~UT_vqK zmd(SbVk(m+h-(8Kg`;JG;rg|!IPN6L_=!Hl5)L-slEc0?kzmB*uU0+l;37JM&ay7LmJRKrNV@(o zSRFmr^T#Y*AO6<;a)hY?!H+{nV){04rH-yO=y6?88`$0>z})J0N>NtXmqlD$hOq>W=txif0C6*@GzOv|6IOpri$RFmvzkTn)_Av6ZbLPY2|$j8TOV3_WMJZ z(@|&F_Oxz$Z9T5M~>D- zlk4_}h%ws7apNH;|K(#x)_R_T{%xP%wwK#948E2+`lGq{aa(*_d6!`L7 z3))Q=nQm*iox?H*6@Bblmo{wc;PQEPrKPqlZ{A$$m1G%sgBs?fBD(gvi8oNtx4G}a zruFx1Jnr0)->bcQxwk)NrN-+zd~AU|106ZuYYc)shcyO%)@|4PA3@WOKtLl190r8_ z-~_R1fbajWm>Wr=C(`W#1SD#0aI3Llq_U&DJ%H|SL4xrE2i-m(ayg2Up+M6WP# zjXEb(IICsTL^V5kEfC7Yd86*%ej9X-1&f zDMw?=6pBRD3AuLEn4r3nRAX+gfplO9NfJ{2**Or9SxQ=YrUcZj3WMgpdrL8}G zH_12l^o|8P*QMH>b#{2^!bm$4+{OX_ih7tiJn)HfO7 zepSQlkcA-#hA5}O8(7o?XGg>A6JDYMY%lKQFJ}y?5tZ;urZ&lnnjxv^g;*wwUlgP< z#p#8P+Zp)K8qdEHq{fsbQ?IqT4OWP;&*OdnC@;isqSb6D`$ztnC;P+t-LM$@tt?ez 
zv_c+xoN%=6(uZz#%&X3jYn2j>O^Gbe3S~UHZ#kfOrbg{delUqpVs1!&mhm4y3e$@? zRpKm~##4$H8%;em#<;S+@>RZvPAn|EG z8Azq%=8Ec$n0Ba5VSVXxdf&Uui|Ti%n~eW3l%XQ^!9XM{7Pq-S4~EYSU1+;TqP1A} zPj*3uCDaoYh^68>E#XV-$@SkwK)dECYf`j z6+#^|X%~isge>e<`lXT*eFH29@Xq8$1bDw7@g>A%A=M4a)RDF)GS#;d zvc8NhwQ;Ex3t5q03#*9Z9EwdxmPV5Z-f8z&K;&a9hqT#i1=C8EO%thjtu%```M&Z2 z++)%3s8B{ABK7K!wb@)GS8w4*z|O9KVKHn{rzS4OC8=$xgL_H!I^uE0E+1>QdFcIw zLoV*?Ct04TNA{{3+==y4P6b(R_)WBjJ?Z~7!w|_85HJe&Zv7DKFri^)nzQvG^!#k;PrLu z5WBb`?Xo9%I+b@uyq0KHz;o*;OxN#X%oldnpzYveYTmgx1h8h7)RLCMAz+z@px=4T zVUl!>2@rVW@E*y@@^MZIY6)TTJjjJLSdrCnd+Z>Vl_C}}n%MeX?FqU%nyci%%I=zE z_SSQCaoh4*fXQNE3Zq(6*m&veo^sp@naepf7PIPsk>PCSdi_!FV&L?dec|g;JbQ5t zxZ5LK7WnNe7-!$JU+E3R>wLVa!65A*WD;z?>Py1Vcx=(&SU)Nq2Of1@U#E4y1P)zr zYkkDJKJl?R-q@nGJeBhTKeT*@gZysZ6ly>YTShl|Ic~aM`z-YrXts9OdaTwTyFkL_ z_LJL}-g#nfneFFtPA0iUg%l2jXTRpj^0qK!*q09<)=UBo^xboWJ5Vxu?=x0!KM5$Dvn&rKQP0KvL5#ORc%>HNreupKd9g)7XW^wcUmuTb1;S<7=c?9>0pOcK43dF z%`&JIs_oNHPgOtwd@M5tP@XsKo1e#Vjxqon(<6g%m;NRN(5kmrGlrWSNJEICYdA$B z$s<~4v@aLm;FsZ^%K{Ubp+Cyamzib3uI=Pd4wy1Y zHSp&-b*V+L=g z+J9`aou?XP^LQ8JKtz~C7HAs$IF~02#^-MgP^T97dB2Iae}GB(m5RLGtXSm_B4WB! 
zF{Hc2Ptt!ZNB`KylC?cb<%AfQ==Z)!%W7-4SYwlSpET7|N>DkCu-(bQA$}eE0>icV z_3rgWfi%I~R^i*AtkewczHs3gKKhyqTYaW!A`;CVGlis=U509f*Lyxu9R0*5`8g=slqk#%U!s5;MTXAB%6+E@|=2uipQ0ioK_mF z-JNFW_>{!ZyLy?{H4~P2t(FzEGI>#jx8RYO%tPkX@iFBM73o*2X=i6RwlKrU#gw7K zP)r`U-!t~f(y~xY2Y2;)^g*sB;hvcU@zNF3Zn!e1!N%KRheG2AGfy+FdJ4i^S~il^ z`nlB2kZ7_gzP3Baz;uWpUD63PPr3maHy+V=XhZe?q3W!H;t1Pq9fAjUhY;M|Wv~$3 z-61#xcXxMpcXxMpcLD@=XK-c?```7SQ|G3uFQ>Y?=IwW_^{rKLlg>k^q{hS9VPEV+EYV$C8SBMd?sa+G`p4X4 z^>;RKcu&x~nf>2s-}~H&y(ut_Y{MA&;socNs$UtJmX7%enmLTY517rA1+fjFrQkuF zL(TkXeUa@C6R8zFu zp2j?AoodWs?4=7~ac$8uRbB=w4!3DJMIUW7qkc9RS&K5R(wYS0|J)@iT{eS_)25?` zeyogk&eRn!D-M@MMJ(s&%RW*6#WY_^H}CzJw4Um8Nh3<^!OZk|}k1#}NJBQC&TG3O1P{%S{*lESi&?kzuTf zA|^YT65MTp1H zOCa#iq+eC#xx6jXnp2|Bl}o8s`a|xYtQT7I#Sm}yR57pyDNiMd{XtU`*+BOVS##-~EPx|^jq7Dh5&J3D<~-E}O$;ivA>z27gvjvHilJ$2SAoS3hZEXuXOyS`!p29~nuu3$u`q zsk&UeN47y9)3w>C_trk#0EX~)D#+;ra1Y!IH<)K2x9aZt7(ksd-nV|BLL&$b?oSZ| zCF&Jjp*Fx7cvFHLZ#f^v0X%ON`ntU`{8q!#QMEBO6SF<1MuuD$?2hHxV6h2?15Z!F zuImm@U#nOWn{pCm0q1B(lC`7e+{7c-U$fOES3dtvZ}hgp2V~?F3pu}Ea({6J z>?e)v+1?$T-b{|Y-S8Z4D$g$(LEEl^`lq>dp&f6Hj`D>^0$vBF1cc4Ob<5YikHGty zt=AV5af0;oEq4qbS6im@{%gCp3!gpL7J-<>WyjXNo<#6?P2li9073Vn@7)!G+5vHw z{gu1?yOZvYuYGM}4Bu;9a;`@upRXnm)S2Arb2HI?^FCCuoR}kc_l(uL@sNXZ4Di{x z;`+lEe!X+uiPAf?eImI>JI?d>5a4OQNtfGw^o{oQBl1bdKfBI7OIjb-md$Nv`uj2Oz-8Mu?gPAdrK;)~ma^)GC2~UIHha88;rHo_c_>x*OIma_Q8*JurNhj|S4sw!IIXhmPhv?|Ip8 zPd{yU44$UuI9zIbxPBN5zw95cfl1cEzK$RA-#*{D^iMNX2;*Cy#?MUa%I{osxy zEZRN^!*Q{%wh8zBc>mrvfnF7KcbiK)G<-SkG>(y?b@58#Y5zI0>y5kPsu5wyqdP2; zzFrtfj<+e1kY(8aCf`S<*`(y@y7< z1Ht!S^y%5$^}`(!C37T|Fu$XJL?kqP`1~Mo&0G{xTk6d7+mwVzp{-$I4Xig!G?4%K zvl8}Sc!la&6tE{Hajv|fty{*_oP1r&kUCt3pk}$F*lYN+YEWh~fY(4D(=!YrxfGUu zb%Yy+e0nHsc_bJcZKQ19$U~Qey||3b09RGm&`9AHriP2qg^2kY%?HVO7ahaiM9|g` z9-`q38);f@EEuzqXT>6#JrP*ub`d#Fth3x%9jgrCC}0DoHM2$IwF)>=WK^@Jl&*FKsfzy-SRpcBQWsmN-m?-`ejW zAzHFr)ZYLL(T{X<#y#1?EDbI~LxKMO6z(vA956NJE@11hg9hpm})oE~oj5{X!f8)jcBhcfh|EBlmdsbX6+E{{S{CkFWLH;T6{bjlcdzJ_O25*8Uv8 
z>0U3-|6P64!Gj97OZe+i*UUoep+SZ#MRg@}_B^m>D!8k#=!`_^y4B}KWN3o zWCJ8p&3m@#ABuVejc8}eq|t;hD#|3*9J9&+XYdr{OC}4maEk5tFVo+ak=mq;RW+h& zVAN>IoQ$0gQ0h;iM;RD*rk{n<2}T_b$UYp@Y5L&%;j^tfBGq76e{0USk>I*dUHkPE zNL1HRM6o(oZ1>@NDaXKIERBB=5zh5cuS+jx~N(gfYB_N@GqjylGa@I(SpoOJV7ZrNd?fP zWjbgGb1--6WbC~r`S6BGWWvwqy)^(Xz7I0~gqwZ1Vp%}}n zQDp`^EO?%fDJQ7OSJW&r#uFxK;?Z!f_ua;eaGg_7-$UQwB6L!lo+p-$O)`w^(-!v2 z^2xgE`C~>Klj5ipNkxZS5KeJJL+#OwbLu z1G0oi6pD1miAy43<25fPPly!ii3k;s2UUMJ{2s6gEyY%64ud`2SAeI%4jE}`Fc1FY z&+-7~0=*o+!+!n=`p2ce@8FQm_2|1}Zn&nOf2s^F^h9>^kgi@);H-z>Jq+$-In#gi z0j7y?E#3}}=8Lg6;~t-=tUNFzxQ{wxNHE0r@qHjQ_op&k!cV2SM=<8Y`$@lQO~(PF zX?gQgZ|_}yj4$`~$!ZbXl*!|U)n^r~52RL$>&1q)uDkJ(S@lQyHHpAN)3@h0lAWgy zu2yf$P=M}h|3a|j+a250D3=eU+uOVMj872tj?YAJtp2V4LnE7`eDD3i7HrnXGtw%; zIpF;<{XEc>9{8}lgNUQ^cJk62%hn#LFL0cMk+W&=xU$;SaEx?K+_Z4G!zeSO=XS4k z9^snmxco^a_E34BkV{wH*|}>ys>)4H^>vTQc+-{Bsn{9QnNbN9fXJJq+#nsX~}Hatr(gG3$? zmCbM6{mcp--Ma>`sswV&h9`(F=1*I`L%}XcM|wt8t$8a+IbE+|*Tg;RN48t zw^A|IzPWNaZ-0U6lf65(Zd2aspF>sK`Zmu5D7~|J|Mtse1w>}3Uq2f9HWbiv(_HI)8OrrX$@;^5@w}eE{XUQG7vMCMc^sm8vR0NKDgD>usu+#H__F#%o*DyXeJ!9!Q41$F?*5d3Ya75 zixChy_XluXZs^i=)d4qbAyT(o=6d)(9-F9U z`JH#)2W&3fLkV-+_SK5TXBd=8Y=%~d1zrv?h zDAyb28+i5+3}yno$lUwprN7QHiGeif`81c}D9hesHC!}S0{vvX(ZTsCV;U(KhhZ3% zG%*SB5n}_3&$1@)Z%ntDH}LPU88u&$saZm0_7_=j_Az2A#FNE+=V#}7LG(DPcOUih z0Y6wrCP}KLu^Gi~o}*x)e{gh*h3M2r0WVHl5J#S2C|b1>@=p?9Un#fXeqFwM6L_UD$=7 zQ>F-2D1&NVexzP1tcYM*6~-Dk7k1r<$9YywP86Qqf~>?1>oqCISK&qO7TWh&D+OA# z;#iKti4XN3w2@36+3Y6(s^YJes-?UPW2~qn@ZzUA@=kt?11gy=j2MS6Dal9CEkUJG zDhi?j9Y2sQX>^?@bq5k9V6IKOdxoU91m`W}g)pwoiip2r5@Z_&FJE|dsLacv*hs+3 zp^d<0JX$Km=JS(8dxmFNo(6KS|9lbDsN2uxtiZcNldUyw5y=zqARj0P+p_I*ayd?PzynGQvXPY*ivELlJURs zU@4cf1Bh&Jl!(Y<`OhvZi}~aY4*xKPtaeh|o60epR8&?Gl66iWVRkAi4H^ilm4yM=3S0AQXQW zO%JG1jJi%O%*lpPgxOEHYvV&w&qU2@9|)s!ZE*Xo)DjwPSxqY?H9O0ESWo<9A(}O3 z-=HPdInc(ixUZ)8fI8;rnS(}#D--?&%~4#r{=Fk!JxVyG)Zv?pFMc%;iE zjDOc>z^xhFq_VrzR3aGvp&)HsVP~&9t-prS#BJ)5W}%u@GV;g_`BkiU4+T%2N#&fP zctuV&!-0nW@nu&7s}4=I5-M5BM&;(9DI=i^+y9%tRjcuKg*Yj_DYZ~6A6^R!+6b=U 
zQ&<-(`7*0k3Vgecaru|)ibAEYA=Re6q%9#TgEJ##J2Qw*LB!3}^Dw!e(ZESEaoij@s{Ye?fjcw6T1UCNol z!TQM697(ACs%ydTOZ2;nV-9isj>EX7L%Kzfyg@V$zl55SDgN(eD`Y0c-=-ll`3Izo zh7MaWGJyeFB`}DPl~_cR`9!)W+#{G7uHm#kZQ9SiROh>PO1}TNTqKdJl;6AwlFM14 z_%fKaQS$fSI>G*_qcuP&Vx&07q@1i8>4?R@Yb!6omHX(NGl(l3$%>8>BzUJ+rpQ5Z zcrJzZbV5kWeBuh_={IAtnDay!&BgE@B_@R^x(pT13W&tEh0p?ixP#AQi9l(|qM-Pm zp9T{T`Nn1CmlZjf5mDcxN5r>l@770xEFP1vQ!Fdq>!@NAs?d{I>EUHUcv?^Su;mm@ zc~np2s}x0o8g+yXeh$lsi3U2NFMfvJmDs$+Pcmw7zsdQDoT^EzxFO-L;l`hiAr;lS z1-~+DGlt29&f*v}@}cv0Xw4YIU_;@1$HAZ#&n0;ls+8K`>_KhZH-|$QkG2~MFA|o- z89Dm(EH8HO&8u>j-&PP1jn&)QJlmA^ITLjf;2W0 zl0AnJB2mvGIjQT6s$jhq4~Jy`O+%gd3BdxEfo7V0$@$+}asykN8O+nvzZ|^3Y=NGp zcC(*b+(ZsjI1q4}{+i1qCa4E?Jf-WG27_L6F_Yv>^JUPbKJH&hFkd@gNsQskz>@uv zxZ)*NZ&g6R=y-3NbtD6^KB!~*{MV)TOS-&u*D~7KW$)(RXn*v%i?8><%bg~G%4XAM z7)Q?6A}|!&%Or7P7{#U;oD6V-dPmjhcton`oOG`2ZW2(_+OJMd-MMOLC&^Otx()by zu{ZtXWtFUbq}MS6xAOx0ZR2ZwWf*$#TG75x1K75DiA1-}bpc)P#9vnsc8xUbAy`$n z?^Y3!aPu);LtOO8dToWY52Z|UB{#;TJ5S<==6akvbdq}3c0XmKJYM0DY#80IIO^yA zsloBS{`+gstoP&o_hWCK`*9^Kv~7>aG}lbK;qXqDy~!DC{m0;Y_nXcA+BDTUU*>kq zd5|r@{_*en9m{5|=VBF~W2$#(=ShSK*h%LqzqO|Gdbbg!;{}A(vI9Eo#3=-Yc7rPD zYIz>dnQG68n@AnEzmof-F!`G8KtIC2XWe(MzPI?uU&b-icHcc`6N86|QklFuydLjo zv)eXWxVm*jk#m!ddqF^55;ss&B%|kBJS5|#b*ujG^L2o?_5G-tF2U<-AZ(3X&1rq? 
z44A_gsrbL}LV*JC4isv+Vn4V>>GDC-wPzZ_+Y*d0js+YBwM2_sy#LZ36{* zRNI`+yPqLZ1b#o(?q9mN?Yp+-x=g#@yYjwDUH;bw0KtMjHHdWZm;vK_TUrJ7|ME!k=)2$J1q1+D%ns*H9ZIEZnDjno3-W~{6~Ti~>ri{f zh{Y8vqzM)rIL?o^C9!X&^Mhef(xW^b(W~oTTuVqa$_Skuy!aT^N(852r1RM!5fT+y z|3Whqzn!*Nl710g`0dJkVv4#oSy7MP@~5hDOke>!jrsbQv5(H=5!u#F5n*)88F4sw zy#J|1){Pb?*_Urp1hSzC)0XtKvgSbz<-(dEbw@nuOd|a3+bO3N||rnph*{f-#<_M|(IFI_I2Mx(FSIg1BRMNKrl1 zVJGD@Ie&Wv;=n6ZQ}K`QC7aIn)=+hep#TF=0KhV}~ zsX?nogm8*jVNkJ78KL3w)tGK0FR}6k0+0HPTDd+_kV&$^pZzDB@TS&@ft#r4h;{7v zJ(9!gmy%+!8gVo0s*p!L198hh4~FSJucz5-gJWZj0IOH zb4D6(SPUwv%}A4u)+DV4-f1*m=|=fz5B!@b7TnU;Y{p4+wr>qlTaKs_klhU^>Fn1C zIqCEiLA2{pcH*`7f>~4j5^`nIYSM(HUBt)iUmmn%@)P|k64lDdCuGFR0&8-UDPzoV zs&aIY4Y)8k_To#8jOHqZL@WPoNN8Og!yK|tf1#|5qgg{66yr7LTrkGw_s zFE^;l8LHeu)=RoC8yZ~~tKd7cGl-r(>Qq~dlM-sQMy3MRanSR0m(WHr6FVTVPm9Qj zraiO?>WfH)t2LsMR~9XDF3Ys02eZ4SWid}F2#xrS>^jtnQ}AlOF#!SendiPrV6KDD z+r`kJ8;o;b?EZY;i4f4a#kc2Q&Vn&&*U&MG_U2$_ihFbdDZbD;@?_+TrQY51iYIjEJhFOHdDA4}j@I`$TCX+9W zF>mqF+)WJp5L8N2W`yvB?bFA;DfU+)Evm9JYy|5}%utVGV@i0h!5n_mozNy$u^mpQ zUl->oiFWpfx3w>B;dj18t#rj`0dynlW?3q*>cfkhpxa3WC$W{x)|AKLCvXM|dDP2E;nR=5&18?U)JUM(K!;7SHkyk_UivYiwyU1v#?7L*1QcDFrXogepjKh&RZbv<~JY~LCkT`0G>)DXC&fc(yFpQ=MsPb2BN_`pfa zDWLg3jSL58+LSWXE0VY{AyY+%tU$=hJ&xj*<)ty2p2L6i zNw(iFJ%PWesMEG6eceFwiTZBLJwSil!Oz}qx5)*nPh0q9zWsvB*2naU%yvga5@%}1 z!~z7nY16Ve8z;&oaGx!WEcoxXbhfvdF4v#9=S34m$7S}NsKPbZ@m=0wwI3D z=GKFKZW_7xx!zm>AB*a)V{e(dACLFNi$2*wPjA5vPy3!#^-DCh;IlWbYLEL@brKa~ z&{fuz)-eNcdoX(xG_7QY&kTB_+K$slJ9U0xO zp@#^%M|u0K+kTNxh~6~+X-$S@U;i>&ieip4+-N%2;6*h|y3fB0R3$XHz}KT?hY?v` z*jq^})V{2O=!aZ9r}{;Vne61aw!ouLN}o1J^&)A+T6NkTB8O&_zuW(1@dqoSN^oIR z-XYq^vGj);$=>-x-bSpd2Vp}wDiLx}z*ZR?(xMIApF)nBGr_?hy0r2TUZ#k!4Ypj$ z<$auk!szE76lu!+avhZ!sx}g_cW9g|0%!y0KL?v%p=jKULKTwK;%XoKN{Tsu;a{Zx zS+j60k54>%R_gI@9gWpgvtgc%i|EmI%Qs5CDnz`OWzdY`sXz5V2O6VjRL;VEID`r>L6&fwuJKhHb zsnQ~lHRK0F(S(SJk(awjPp6j%uZXKHm94wgh?F`joL6#miXIG#)K*d4heH%{D)W4y zOAzQ>je{qCLc=$!V_B0_d~s6C4jV7glrh^>A)7y4`c}qDO=VcSiad22cGqb{{Qg#RPo`?uMNTrI-eAl4p`OIwbE) 
z6XpH^b*@w2*F}~#%i$tAh~u;qg^R}lWML$yss;R8X1(Rhn2BSw9+G@<=BX2y&=Nud z1v}1&pgt2GdwN*4xad2XIfcdXGBb%Oaynj&HDKFmYXOCZYNQ?ITA7LZxkh#6&?~M4 zrMM10iRko@)kp-1e$H8sxVqOQ&v}w|{x&?|CFU$ojZBq1V|Eb25#c4%go9avu z9*OnWL17G>e4o~nw&|5NGONEE8t77|V2r!#CIu8StAafntRYd(UCKmSFXQk9Ny zzU%BqUc$k*?(ke9j1&>c_KfK7Xw^uf%n~ieer7C`DQ$33&F@3ZR7BoT%TiHuN{i9> z{+%lQr_24MMr@)uWRa*`)HLu$Nj2@oDzg9G-?+lhDP~`>kb) zl>04kKWuRz7ZodviDV>`Cp2)w1KnK#f!9K^G9rd zT=8(;{HPJx?s0PTu&BPOvA@kF_I%z2+GM#NB|c@P^;oMveTv8gTCUkotJ-c;BRE7( z3)Qx@j>i$#dT<{}uCXbeoBBGMZv}sBbn^c?1U#+yn$3iSZ$0{62-zvuKTo)&4qk6G zwarMC5_*gXSm`!yK*&$;+z!3x90K)y+{*7$LR&hRy!81m$a#kWAAx+P4BbL8>TNd1 z>+*n(Lf5^YPb8|g2&I0n{$H# zr~UM<`cB6-cC)RZ_bu(v=JAyQ!0T-i;mL!Y33PON$*A7KDoUpcnhqhr?xGv={9KElU}A$>qgkQ zk+gnFJ^C=bEY`;p^ieztK91e`-A%Tgs=wp-*VnymK38p9jr)8Mq2Z||>^iNNnK(Zd zeP-?9urpQQd|sJ23c1aj?YXc0-qvfe_Yd$`-TmnjA>ukizG8<2yt`Dqsz8f_!pJx1 z+wLG7-P6zl`E;cGFY%79v>POK=w|)0xbi6`3bY*u&cPI4QX*XQUc6{__JaCf$(4AG z|EzHz?7g=7zTU_lS!$EbR=LhF`E+jnue(lR1DbW(oLU1ji3lQq$GJU=puFO%2v)=jmnXldFX~tVIMotYe#pa0K;7b_${nKWMaCcz%czeO(g!0o`Y; zGw42`%-Rwg_Y#8Kk1r5?L+518=_owQ2?L+4qCpi;j7pP+Y|bl(-c77tj&&x}2|+H) z6jX_;*2s$(rb&?~D%5RJ`AiNUAj=Uybuj)TcoQZqZcVM5<0ADSASHVULqD>33`S?N zTqOF(dUI3=t`X4UWC!k4ik6w)Ee?hQ2hTGm#~g>%e{1C3-!w=nwKjnRsCF74N*aW*@$j~ z^LH+QO!E@?H*U(Jss{T#mE=1H6Z$;+(Fu|Oi@;kBzakQV6}PS?x*0o@L_BBXG*L83 za;4Y>DX$~?TN$>M!bR~gJJI(&@>SZF{}~cQm_m-#%OFhswmYoRA9uCF`j6S!_mCAM7xxDfGgRSj!1oErCXGLTcZjIS!dkQ zkpU5aJmEav^@mQN0@^S}hI2&9Bgq!1+N-hOEfF2*TyNs<6Wf?k zZuyn^OcHt=_&2NqTzL$BM*_dBPJt~9!zm|MnlQ!OFNDPZ)DuG37pPpX+>HkXnQrZ- zO;IRC5tc~SZooFz2-+nl#YvU?0!D1NM#UIIVO95`DyCObE?fJ4Eix|M%4jmyl~Vta zV8J~YSI;h5oZir1QDC$_gKpDAA%FnlnyCQ zhqUokC|cQu;(He@Lq*fOWt)DmIf+ivM51%AhWU)9YidOeq^wt)gkNGPCgeLmYZ^={ zWlS%|qJ^@>veFklfx@~A9gledj)5hX$Vj~bkGr&R8LCCfMO{&lToB}&IEs}e<&>*5 zm|YhSvUsIN@$^Ym@&R@gGrApvL#7g%rb89YhOCEnx@AjE=NJq$g+iwPpHq%V|JuvI z9P&e&{C{M+`{1$B=UMG@+mCx&28eg6&sc}D9p}BpGfD&bT`qkDdFgSSKY$F}ZrAdO z&h1hnl1wm%Wsjc~1Y0F!wpqf*^HRtB&b0sB#J 
zKAwZ8PyF+`N5zZCJLkjQE*iU?uru3Nf**TiPc`S^0x>ji!jwE9n)^+PtB_QP(jBQ6v-qg~y>88oW1Ii?41V$WAGQgA67%B$>E z@i`mULZhk#8bBB zam^~%Tcj=DY5FF1KHCvFQ=4<&QytIF6=Xflrl$E=Lr^%_t#TX6MbhlGUybT<$#B4M zTe;cHDSN4^>AHN`<9KX{^4InCKuZTak077pVQLCiPD>3UGrbl#E+P0ls^+b>?iL)) z)NY(CO?@z|yuxdKydUT}d)T_M<^3-~)73V|=V1Zik-qzBB;1S}A#SDJW>3l@^i64b zNp+RM{JL}J4rR8%rTw|y{jVCg;|704y_`=r7-F z-&xmxzKH@{Gy)-?+T`_n$F)2`^ad^)Plv*X=c!lS6(7uY8(Z?*J(D~*)eCN?rLP09 z!KsgjfKd>548-LAvBSy+%+(L`f&m38Knm`Ai8wfn9|CTEiQ-9(PdtEgbHGDj^=A~F z{4;8*6a_{-YtSGgGWZipk`%FV`8^zXhZxu?21Q@5i2r33*xM4V%lk-$31vU2 zN_8uUZ$YbpnRevEPpMpnDJ;oO-wNOiesNP&y2!Wn^fui+#5OVd} zzB%r?ffI-Jt5)l};HR!N&IK=9n>hDiR9*smK&}4a^-guYl6Bj*YLj2hJ8vDfE;e3n zm-E|os$YZbfqz(b%6iioo-+^$k+Ujfd~E53c~fLW1C}}yqg_2N!pA?dTW1B!ZQO98 zFpi$tv~Vk@jY8aJ?>pf)_o0h2QSRT(k!=+*7Of$8S;%?J$_&7Ho60Mv%($Euf_7_k z#uAH6#Wyj2$wWxTaGb>+)*wvQO5@w|qdEAFWJs)Twr1Gs_;B_{G&X#gKR?AX>vqqE z6$gi9ScLx>m{rYn$%&ZACYFh`(1gCgOyNlHr5Vfotws5%x!)3NR-SKY+FZbElwnO*6h&v_z@#>d=VX)}aU(_$=h!SOiVsj_ zI!-7=&ldU+nK*AvE~?@9W2gihL}=U!HH-#LO2D~PQV_-W z9JUv2BZ{$i%WPYG>(=c(x)h=@O6f4X4q@ys zXNxGc?w0jHs6xY7aajRjcgYeA^CSvH7GqYVENMk_H3WA}b{IQ&1um`}W(F5fqK{Wc6clFfVrhB8+Egzhq3BU`!KZDKVZM zox#aQK}nC9W@pvR{S0|x6B}KuuVTyT=VwbZgSnqF$ibUp3v>suL60aneM-MkQ4gSIJcpT){f^s~47ao^ux=3T1w9z%ot z`Q+E1M7+soeCRz_pHt`lZXpZ2p3=XcsE1H7QMUnwtJ9rRnLB{qtlb5;^iZ`RIX^% z>pcwmDa)2KW(;sYq^GXqGHG-}a?jiBs$_b&)ymI}HUk>5=d1PUzopXW00Z^2TweX3 z4z{sS+}_QNqJi>bJ$FS-^Si!Z9@mVLt6jYh%b-VtVu_zx>RxnhSG%qm-bwEXUj0^m zS}sqYvOEld*$9r~i|V>B<0i#BRC0QDz^dbIx2qs3z0Rvl&usV1_O~vs$B)~{(PTNz z@4d_IyJ4cMTZgAaYHw;5Gg4;69%}=lYJ01EPw{lEOc(ZhpNMwQWab}LfnMO%%Fbtw z%~iiOR`+qG_*lnV$|c8jzMn}q!3}tHD0{kH%;@EH_{8|K<({h7GHlx-FzWR$IF&6U>et2vh=P1F(9_H=0LV<%;r+316D)ww@o;_T@P;yUUf+i}==cdpl;^-){9 z&RZ1x&sYU#zV+spf6622pVZGVFKp0Y6zyVY7ZU+k6VtbVP&Kw~O-PUfybIcW&mH+( zRAmCSD+L9>=mVO|!-s(7;avb$i^_QX;6xe!Cz|iGaF%&Lp=L)?RVhy4zRL0w?(l3~ zD8qBgIE`UL z4-!l2d{`0qpl$d#A-_4i1k~?KbEJr<9`I0t@@`#SP;Q3*-jr85J*)9*&pm5vtw}ET z9ep;A-7XEy+f{iED8`$qZVXUzLg6mh)FJsmR3vU5n3c 
zsj@7A^)YuFXG-y34ZJ*<_>{&vMV!kr`309+97iOJDSU{fFsZPOuWncip?FI*V(C!O zzn!Uemk?0 zg`|YyEDb_DN(S6<$&ig- zDiTz4!`m6@TN6zfC$Ja!&5J7)yf;z}M49F>RfY?s+M*ItiY0%ntWvZ=HfO$np>c!r zbL?gzZ!eG0lE~aIk!6Yc6i!GP)rdCaDSwBFM3wOvIUaIS6jYm{VJ!(&uXtd?i~zr( zHapHhmBRBA`gDOd6^sQJeJ4oXJzlY|z&@DwwaDj~d}f1i+;=7LZ2n7XL#of6tdXfvoj$w1#W8>mXg7 z?BEl8_AP``j(1q*>yJ*Ms8`~sG32ZLeQW(3!PAJEaEMPdn7aqH{bh!pG&}xXQSNuU zzY>p1MOdTpFj8725l*aqbK&VMfvjyi9C#r_`?Q1^_GH#&J}cFtMT63!cmyqz-)-AV zV9lno5`In@DdKxlvu2QH<1M8Bze_k6lQ}$ZN8*!oaRly(crF63$=CL5bM^U3Aj%3a zx_tFU1`B_JSn6#3z^DjR^^%0r-iqLM3&bru6sz;kq))Y{8u8x_(1@*VZ*7;Bh1>nL zE5(c!iBF}Fe(R3W&s{^zHa3VGY zRI&Y)U48esz2QT(yK=Ge0;kiZe*6paw!M6RToPb(cg=QH|2^9QRR0|5jdG9eqq)AP z8JYUB*oWFFJ8ziavP?alvxTRF-uLH-#BB{==Y7ih`IR)mq>V#H>92T4?c$nGPsJ_y z_Th5B_tNp7l`Zfpz4IjtkoD0An!NV9ap%kSddBF?c6=OZ?XtVlrb}-{jYZbi0*5&} z`bN#{+>MhkI*#JM)w*H}zDmBn%KG%&(mFon<*+gBJfHGa6V0$9^8?jv>%aNl8SZR- z?>zg&U$~tp^Zji;lnT}NviB}M%SE>(eB5|+0q0Q>cUS~7-0?AiFT$B>TR%qV)IfD> zJD`WnMdkY%cW~H~E&t=2HJI->#Z_D6c8AXjJgC=uw{+i*^wj&%ml^{)uMgdNyLw8` z73^GNTXT3llIqT*EPYf4>vwlEsNkkrmo1j&C`-he|-=9qjj;Z?XJE?2^ie|xQ~;Fkk|#@A@%21p?@+ zd!d18qO0(M)!JYNieXIhVa6Y)pAU1k^a_0c=Yd4U5@-K3&)cKz^s_j0ui$xh%? 
z@I@BF{HdkC!oEH);|6whgivQPes>hV?b}6GZ zvd&zG_yZ8m=79090`+peJwg09z@~BG(Vh=4`4e$*A8xZTN-nTOkduCm&-#n}Z-d@d zI7LuRumQm2q>xxaw({@y>dm&H6vO<<0oC~7irqQe!FqpgsFf0p@3N!|?boFPSNQwuCtC5cdrM06IM@q$?KfEmf!*FUuL)4vk&saHv*3Nz0yE_*I3K09u0bF7Py6 z7xz)iV9;V8JA;&Pxp*ySK~6cn=?n?0YUV{!>4rK_^-elK#c{mgigF%?R1*CcTXm1R znrg(|qN0{MRk)EArcs>%XN18B%0)xYcvO{_wy?R7)Xn!XAZ>w(R-q-%=f+2oXk+rz zS;6!zeh6CB8ngf5A-f2MNHEakJs~T&ND3+gF%(LuTQO>|W4@NwIp>pjpr%Mog;bXn zabwSR!u9<}JQw%Za&hzIdfm3*V9BN>mv(p&Oa(kh1L5%podVMel4~#-jS>DkJ-8p# z38E?)$=w6USnZAo9FEee~&4?e4<3!>>aO)RAOX9l0L_Xpp%Pm!8pddGv%&-2!U@Ddtq$LYq zSyXt+rRx_$OQ>nd5fy|~{H*9a$CUDn&O1lllS3BLeOq?PS@AoR?hrmOqZ}dwq7aYy zzZbA4L?YZ{^h0j?d2esR=h!8@8|ye&y#_#~WN_lAi2-8420LQlewM5+@aDT1&mthl zBO^%pu6x-_5j%ma($T|3b)A%o$^Mn(UViTdz0{tGDNpz7)uY~r5i&BbY6ec|)epzJ zS@GYq&Cvq+s2z*)CSUG75x<6xk^z{}Y1qiU_2=laV~UTa(XIeO(* z=g>~e+Sx76m6jynq=-n#3_I}uFm=xFb;eD%Pm?ybjmA!6+g4+wS+TwK)ygFntVDq@lozm0wZ~c@2fuM1R$ZU> zxtYCvLhXa0vKEmiD|_gtJl8mE103D-!9T)4GGq}4xxloQmZLs{T+oRF`bmiLO zM(Hkm|J>y8v4Fo;)nIemBP=0kc)fPJ>S^^ciqR#~zF%CtiUhta(3hZWo$_P|h#I_^ zms~Uq=c!L_mENvb9crr`H3tx0R&nxp3!QI{*YMxO0J!*oi%BwkIa@|cb<098(YHMfYw*I9?kdWC@2N|hAsb3y`IBB_@2d>6n^V|Z@0oJ{u7C9ZDO@+u&0` zi`&{^B~Q=5D@X|lN8Sx#&{pcjYS3(NT59)aOkJjpmCm%jE4*MrJ&PO8&a8IgNYLm*Bc< zTNcetak_er;>VS?oI1O5K4dC63BnFqJmqpmR3t?GGtLUng!l+cf{|H;Sr|=$HB&Ax zDUZg{oLu=ARSFgpQ53!u(rWlE$n(Q_LtiQcqHWETi{bc0FBYQRa0^x&gX#huwO>it zprTePr7Ci5&|eh+vDawTNe5D%7*_4!tTVIb2Eq~Y zwj<87NT@l9dB9alb*f_8z>Qjdh{eEeMh~f5NWwDzk!}erNB(EYdBw5mkBHo?l+!xN zV6?E9zez;WnFd8mT}0}lQ#phreoBYi$K{`H0;OA97Gu+*Lilc*IOQ2O6bj|8M|bl( zKhdt%HgVEvLewP~72D*D-w1nwlXRvFnMj3P>+6bHg9(2-4=>55KhQ}t&<;Yj8_N_= zsKrYw);;~`6nyPdd9P9hi?k2YZFySMNcWfv zvXQTtq{^3Cgr#nClZdIrsz`>`?fS|C8@2LHuf@3?t%`rp%Y`ab9O=@_k#O_ks%ir$ z!Xl{}=SOjkXTPmHVc-5EaNhiTHeIW}-x7g(0hKh? 
zDjK;%x(zj0*&|m;+H?Puh^0|0U5@p#csIyL{O8+dSbXlftPnxuDTBnHzVC~ugP7nB zj&PBsy}ngWp+yjcXNBp%7gX79_uq(=O+s=G1-fEB%}MV6mV;_<&1)W?EG8hRPT^B+ zq35s{DEdVm-^%w`V%jvnaJ6Z%2s8D=4IqI;v93v2Y5lAk-um z?}0OB6^^!%>Wj4r^PfWMmq`{)h2xicM%Ir|mP0f@*?)?;v-#IXYE_4)>0$3e5T5*Y zCVXTeA$t6vBBj*Oii0&4Xe_lag|6NpZ3s|f7RhhScA%|7OpTJJ!|!vTNoS>C1s4p0 zAI%f1kN%UF{tMh4zUd;Jf7H>kf~*vurS+MyCN)AGTV)hP;a+mRAJoaU|_blAdU1(VV*X$DlH~p4vVJsU^&ujjT_UU-68Yk<~uh~Cgo-c*= zFZcMgc^{#cOe}BV=({tjwL4rb4jbc5w7ur*vxVDLzdprx(6w{~>M(&O&6lKq%V&2s zsd;sE%=L&SuL9rK8#ox=56UaN9=tQ??=M``xB%;2MA@|$=XgNdALsSXg4S;Y&sP;{ z26mi{y7cnRSTc-HNN=MaF;$IoxDo<%M73k_FmdRL_V2agWslp+u`-`o_^j{+2u4YM{rz!9F#p1ykw9!+T_uP1hy5=@sk?5TsH+nlI0AP{oF<87#gU@Pj+V8CrJ?gw4=H@;2`*Yjd&%|!0 zJRIokJRPrHTftbF?rV9t`y$0m=D^cFop zgWK6`PbWKYbsB5^B)Tgl{o-*=pRsbQZv7jFT{lST`a-kAM$chMljFkcLfmbmYg>jf zr$VRWw%v~EQJ|82>vmFvU3>gC`0djf&f*^p>wzv{N zJ>f4uf%_>PM(^4!K)j#l7@|fc`YnT_$Im$mo1o#Z-(w6<8X*JKDJEHSmDnSZmC{EE z8rG;ol`e&+hI%hcF-$I7cszFj<0a~WRN0-sh)bh()t}V7n~BLGEToR zp^1G3-KhxAAPYS?yRQ$;LRV!T{As76Uyy&+P-peJXuesv9TH6weCeK%gR0rV+HfhDtQxscJ=F>;uFNoSxv{=#0fIC! 
z9TeBwY?x;gO1#?70Wd1^b0zQG!v+!!qcSt5^gm zqf{#r&tCj9rAdVL!FqPWM+YkUW&{IYieN>t27-umL>3e?-}I=9(j6B2lH@~2t@b%1rg?rT46SzZwuDRWVWsS(JqW z=@a&Ye@9an-3wndf2UCy<8+~pu#7@Qj?DO7G#IF(s+#njh1fESc#266o$cM*hIxiO zZb!SR&tL%pqr!}A=ueQunNRZ?Y!Xc+xJ^v*pRV{ytIp{1%BgV2p=vT~oh0Yq~Nr%*{Hkq+7cOiPBC6Dbn2d zBx-8p9+QgFyiLNj{9E*DO_@@xF&=$e4iU52d={tWkTVGi16b+|Oqz~y=I%yb*o)&& zj?4n4<8V?Tq^!Y=WF#WcY4cHE>OclR z*T34`TmGjU>x_E-O~6W!7l^et$c-FrLEs7aO7~8Uwn>xQ{72)U%}DN2l_scGl=T;Z zbH7>hwbNLuAQmKK!NQ|x$>55O0Qj)<^2BiCK(L4&s~jpAR2HgwW~`DCFO$DUAh$*1 z417}cxd{1B+Cwg}1>!B-m`zz@Bei%whBB{A(wEM7Bu^CLCD!HW5nj=FaLqr`w}mBV z_UUTI5<{de*t@#LFjyyoc_D`Nwz2~BsnAOFG%$?Aa(~h7VT8p_wAu#T>ScckzB--8pF{QPqIzX;v;U#At% zM9_i1;(aCkKk^?1S~k)7o>N%NHUZ*S-|wy@{2Ksw)vbq*3c9!AbcnzUAeEMN2@Bw6 zr{em$>(Gg3)A7V8Wy!pz=~g_#?!flJAlN~kjIr6xHG1PBaC}RdFa_A2H*3~%&+aYQ z<5vBk&CYRLuH^ZwvP^*AH8`d&tW5#<3vz7Jz1sZc@M&Y}S%k3F`L>BBauzyUW5(Bg zWMgOdWY{>FG-X$-1MBnmaU2owGPX0&q|g0U*dXH+9C7LSjNn!IcL-`AdDyP4casNj zQ*pRo5#!;u-;~n%6oRMQ{*WG_-!tHCKDp}M@l2$0)a9=Wb_KW|Jfo=T?z|9bNWR~w4L=f0K7!5{q_02IAkew{-DqTCP;t*x!adFestJ?$?HyPuYEQAW-@8ak@2`=xy=W4o)4 zS_5MXv}4|;SjM*pwj3pGv%FBD=#|=mg>uaId#{UaC7cT0C62Ry0Z8}t92{EKh)xfG zjmI?wwvjY{H5^^S0h`a+Bt9-FH^(}n#-Fz{+bSJyIwT4fbFLbf7?=2uDC6z>J{bug zpKbJfQnlNbitnSzABLM#+zic(2;E4s$U)`^^7mDH8;GKm*9(45frDS4~ zb56I;f4PAhKvKXNP@u{#3v{v|X+}$}IZdLRp`{A4U8{?uQ+<0H^kbW zHvi5Rofn+W%T)NB>|s8cHuThXv6Y1i)y zYH7*U#<4Tou7QMa_s0N7YIaDmY@DqAkB+t3V{$_JKZ9BSF=WF&G$x95`*DWDdQDv7 z5ZiqD5W_w!Z_${QQs1@Gg#)X(rSDJiF9bl z67b4H_*}CUWN*%-M9ViTXCk`GX}R_S`uqK6YYJqO`H9Id%DHkn(dyo#G;SN&zi;aW zjTheH&wFM|E3j}22S)WYSQeFp>6ap<@ya#jAz>)ld``IiBJ!wlMOK9Bso)bGhtd%( zOXzv*l8fyM@Q)qqVmP@7WqxNe%~nyb)~mzWc+5>GPlm!nW{bD|G?FUcaDq&;3?5xt z(ZIQ7oBV!Yo3j*vUS2ZMZN)~KvRlsQ1#P-3J{9Rcp5+WNfbNt#{qtAeswI8Qt^t^< zf4gE$E0mlYGN9+3^1ItY}oK1~pxg zBL~J-YJPu{x*yZnJeVcRphu_thA(YK1lcq3X1CFo9us%NNX>qRrFDn{dR+l1Z}WpR z3$KoPJ|*-LKLPGt=xN|Ye@xJ*_N7{*B5{&i-lP>(mGsZUB`3oO7+HSZ!N|Md2m6Ud zoEe#wE7gUFdo3_H5aT7`(S<-@&_q3j$!3KFdsYQ3e(zBW>+q0jo+J6%EUK|ZH>ml2 z%B(t8()nx9QjY)3FWQ%?cuo3SdjAN;FPywKU@mS_d~y*V 
zQ=tf?2#U)%`)FNeXbbl17S5i*I5JL{aUktt+9~9zQ7}zaa`O&6+H-J7Ohl0A+c#i7 zL}ByC>0&}_l`&TeH6>$X_lBhe1DQzk-o*Whzqk*R=qy*}FG!Q#7Xs3%)t9syP|Ja(Vv6`e>R%DbOktJUv66N zyEfQhSa*^ffAYG&i>xXyh(@i-Im?+tu`6zI(hQ?sLK{p-REh$%iD^&bN5z`ZEh;{8 z;qXb^K+(RcqHE%Askx(YneOOISFT7=bPuFw4SOi$fjiJn49sn;?Sno<^Q+52_Q3t#eR9b zX>GuF+AxKeX`XY0ElF>Pj}Tv>L{Sy053Y}p4-ODX&o>}MuVlC=GW_?RT+qistUh84 zaQE6)!+5=iaFDUJgUdVs?h^}<*Lbw!m^ZH}M!UsF$0g^t`m^oEckMUdh$2#hb0|DI z7V|44P;GDeZhOisPgQ$A$?zoiYik7K#>ttNy4Kr^0KwDnb~a#px|+A^z2IyP@NwRH zceL%sZ57f6fQs??(e4`M!r^(H&vvyUv~m))yh~boxW)0-^KNw(Tb1JZHdm6o?X(qt z3_RE}#>~aK^mtGDvXZw6pSM-F4aXDobLa$f10^GJ?5avQWSI=3!yOx$Q>+&13yUaB;Tz1Rn4E(19_t6Pj z9oK@D9Bu(kqkI|LJXCGdguT^_HtrYt%S+Rmo@F6ey z*ICaC$#z5^3#K<1!%5}imFa6o$LkZx#OLT^+)cH&wS+*hxEl zS1-jmz+HB8!)X55wFfjsyS05>Bfy{Uda&n2=owu@;9~YNfWl)7IQ!OAgy?B7$m56b zCh)AFX$rika0Ohw@|-P4E%Cpv{17sg?=YDOn0R>t&M zfIxQL_+r-0>z`(Zr#fUZGz7=Ze3IlS%&f`s?i~d)zltc>@1D<&n)zMpV(3yQh$vT3-|IiG4&W#M3ox)Q@JAw6+#FKoc`|AG4IlWN@t&VG}oCU z-vh?lUyMucb%5zgL$6Bc7Xcxy2S#`&uI0FY1ha@!`?(vPVvG}4lkO@V^GsfL*$x8!l@tNo4KaGX(IY_c51 zKQ5O|P~%b7OB!3H*^((1lVnsdBA+aca;Rnz<>9|_HcGwnRU=owD*TqTaN-bQGU_Mc z_EXA+g07@+rOuLzT|5abixu|wrlAh5aRAi}9sRm%#LWP9V#seS;h)455+rgYk~w5f zP3bx@4jshL2Kmb74c-;Y@x_zU1+V_=p_GJ%7E*{3k8uUV0XpU9v>v_$?_ZSDO~}aD zF3*tup`pgrWZr^rY3b@l7f+HTUz2GV@ls1kT~yMF0AxRDOC@;}6- z-W;HAUZ9#dxb9@{sh4DDWY;S zvMPg}q@?dxQ;Y`GUxZ{?Q1sGI0C8f|2A7nT-VN7d1Bj8v`?3a)L9!4 zC{I5;>U)6@l8Gwko>@_p06{~G+sroVn5MIO@Sv58U>LW^s*ZDe5Gb{5y->ZtLr!_R z2AzdQBgjb>EVN0szS+E|VXICA{pp<4jKG|Fv=A2A->7@5>_Td3{^3*nW$DO_HTH8B zw8R?Ffe8^vHOYMWMw}lj0QX-u-fEvnU!5?WHQtv5>wJv9<$!GXICr+QC>3g@coK}l z$(etasGdF*-vJ<~Ys#Gm<@_NtRrml!I zk$KpY{{n{_7+JhyIq#kPf1_v4Y0$2()B}hO^kEK?@}2{jRfB+*;2Y+*P`%z}pGU@^ zRd%;GTR{5*8qjG>eTf8^SSN8uTAf`zBo6}S(~2H z-D@XbkN}KTJ4r?;UA=B`?Nt6=uW;jdS>2R5OR=>dxl5^X8D`i$mFaR%vEP!JF5mi! 
z7n8VjI5r+G=p|U(R44WEe*J;f<=6eL;={AozZB!9W!?7Luz-=WbsF>t)YEys3+X3s z>2~Nv!^-L;sQlRV8)vRDWA_BvgJ$lh^|W+BRRW-^-aLo#jYTydm!=BwmM^%s8?E4n zL&32f$#mRR*Wsi-B27j6JG|TbV0=?fw<_rJGDh#5W(TpZVb`U{!}ena$7`H+>a{nd zC10I)?GGP>ZtGJVRA(#C=dh_&OXh3AVs%e-{YCsqj(#7b=6wl~&@|$XD+rQLoBqS{ zkevMo$Ci0PE9pFuy)3y!5TieU2D_g`QLOnQ+dw&ELpGDqbt$f znNc=%+YXrLy|akx#-racyye!dtB;hbTi!Q7l_?F6O`9Pve(#)59nvU}JKWzxJhj%s z&xn1bY_Ekl_U0`gZTM(L@7CeC`)fdcFQdk*zbV_pKVx9+Rd@~0yGKip)7iy6;>)X^ zn-8db9f{{fA*4H_stQERsplhPkJPa8*)LJ;?$diwLfFNa<00byJ%upyIYFS?XD5BC zqsw&unW%f}>fD2)y59Oei)Gr~d{bm%@xFw>!R{r)!wHGYoz>& z2{EHZQ-B5``7W7fX9mh{-R9Kz%#Pq=<*lqqeSNfL`>Hi+E>c!zRHqzm>G?!^>E}5kcpcWsmrlnma8TR&7{Yk~h*@?nu6b z+TGEqD9SNF0QZI1v}%&cM$X&~bTfeY)x}_Sx`BhPxJi$&RHu^~>8<;xc?$yEvPu)a zdaXC@#tkN|O>+-^#Q{3M-*ak&7$lDQl_Fz-HBvPGS})$k)E~xuuyl{NN-Y(bO=cP8 zX;Tz6%X#M;VBXrid}FLni|Mfo2=_anlQHQMD6EQ zAS3^we=E%~!pEn6R)$B3N3)pu`MG5h+NjH?9HL8VPC-F0YA3HPy0w7Xc@V4&Gbt5& z>0iI0?iYzki8DfgK4PRU%PmCr_7{;}G3al@ppz+Pc~GqOPp-rggQWtU-YLsNY1(Z> z=08~rs9@Eo&BNqSsYTyOjzZ|zvJIm20-6Z?T-VIllC_`_&NiF<`+hM-kJo8WHHl2A zyOqDXJW_m~L$2s#%Y7}^S^D+Q-7OKsDr=R>Mc?QsAjj1}oJfvG7Etp;l^}`1vnUTH zd0dEt-kGc*!BQ2^GfFHtbw?ANGw>Je7sRpdliczjO6or5o9X6 zWGl+AdXeSyzj>$Ro8q*U349dtm@cab{--s*4pjAObzkeg{ysP8wiHBY)x0c)Cutlcm0QD~Ow_$Sd$uve$K$nTcy6FJe-{wPh^yRz7A*R4IGK*SO{EjI1)N2b)?5!LTM$k zu1jHTvYIIUD3kwIiusGWrXP#QiZp7mPzPWL_9k9r>4JO|ni&Y`Svk+quiCC7u1{nc(~#-zzn0so+t| z9Q`sy#$=(({C&sS2yfO<%HZ3SHQn6Di0{o3s(wJQ4*wQ0Kltu{I_j!Udm98U(YRu* zSM>xPO~T`k(?U<4?1#Rb&xw4_EyNu1&{tFZMk7><($~anH+QpV$DWaN%CDsFlFKhV>sLk1!#ZtrM2j?{)KPG(P5%lOnpwlN3tj`yLEfhVn;CtFz{yPZY zXDW=+B>83WgM)B=`gM}1sDhAQr(vA7g%AWJ@7cQWKcCTs-^XAI zyksxxFEVJ@K11oPeCD;^JKnr+tE_JuWIA5COd8KXm|ZqriuJU57fHDBT%OX>_H5O@ z4cX8V#A)r{z~um~E)Vp3nlTgNqC3l5?!9a1-Psz1cAJlpG@oEFI}V#qIu65Urm&!A((&YQrBWy2vvlE8t`1@i;TiN8>=hd++4gk+#aQu=5;cxsvU= ztHP&4$g1Kx`{Bf8Sh!-7NbhOs^D}DO>-Drnjemd0h2LE^{r#h<<8!BzzPimdD&flu ze-79=xF&EpgR=U5OjQ3ulF=PjZJgbxVE?*qp4ENCbq;iREy2R~-rfsSc~>A--?$yQ z)V}cET%CPi-gsOmf?LmVKDI4le!CHSf${<#qQ9MN)opwjM{ha>8N0QbT|?CHI3;-v 
zMQ{Y%cX6m?_3RtRU^ngItuiKbeyxyiw|)WydD;HQT7MK!24^%AuyKgDbN-xuSkiq# zN;ZOf&3qI5J?&AJla-<@=x=V5-s-`|Art>AukAoR;ARp#=#7(^=E&5IMyC0F8 z;N*eo*CuT~!HCfBN(ML!ahzr2Q5k!_dbpIzGm`@ZX5LWuphn$PlilVS){y4i5Wh^Y zZ`yL~`9d^@MfgY z*EI00VArB?c0sjBl3+8P*}H_)JR@Uiq9P!_o8vTE?HfoZWAS9zyosP@VzXEv8?Q7Q zH)@9<(_wu-JOk82NE$&Vd~Gsosrm=7o{OMWQEEymRFDt$redBa>G3|DvrdTGm(fYj z4^xvCtjMu$@`F((l)>h!LZG$qK$g35hBD$I#+{JIljj-m)GHF5A>?mPc@zgM?Q4}E zjjXPXoSNA;%s~e7ve=lzbkbm!FoG3)WzSp8+`=kzDajsf22v>L^*eZ|Fl&~_+vZNj zqnCS%{|OR?d5jPo@pPn)G{TAw%DXTQ3+sy-Q=`VgRs!TkWg+Guk)T#nL9|4_>^t|2 zEFdRFpBd09lR?kinV?CTKm^B8)SU{QQp^wXct-b)yA&ivA7pR$yL2cZ4+*L^sPPSQ zN+%+3h$;q1JACs+jn%!Q7Co;woTej#E54k+O3?&e&Od>K?mS7hUm{V*LE28?pi+=f zkN2ZM#KM=y?u%*q*^;@^FOdWbPOc@`fTAw*k~%4_i>Idhi(Fm&x0GPht|(OojtDX& zq;C3wqj0s&eykExh#^H_zjHZZSvB)_`$~ATPSl*G3ja8A<0_)Px*cg-jY;@7d^@yB z_QiZk@JxWjsrZ4*{lygzoG1F z&9`{hZN?5U4dw$s$0a@%+vv|8iqZ2Xo(KD3I-kh!-1h@jt7k>mXB$5G_KLO!N zZQu`=r706wzZy80(KuJ^`;7<=wGd6lf*|P}!q=+IohfQxImNYliK7%$%sC+O(m79$ z-dic*y+asX+KMUjwYJa%&dqDq? zh4;S86CWJk5S{3M&00;q&8S}s*uw@WYlIVzGM)&$Up&oq1K#Gl;RY5J=JdJ22l^Y> zYY2Fr)1C>ln}A^w1drD5OI}~Z%z_^rEltDft8dU}wWMY?t`sih9|4|PtL@%;E%obDfJ&-bI2UB2&;qy65m$CCcc7hRc-MQdL z%|_E{w|17tLI|a``}rPLkE6W%K5C1e<4jur@{@ZvPrG?YijVu#VTJXU-udn^Ve@mR zEfBMTh_BdTYmCwH`Pv7ltRM~C+}1uXLh^C_r%PMov2M4d@3el+UpI+SlLZ=h-m zn+~2j0T5h6Let?!0HGO!7fZWQw!_S}Q%~yx=nA*s*->J({|kopz^~ypeICvIRD}n+ zd)o^k5VG3@Wam7(zw;b!$s=X{UAC;b=w8S;#zZ2#p4ZF0@EKnf*tnVEvg&%LG;1rl zrk~e%d9@KD!loL@@NCF&en5A|_Rv%M-8 z__VJ%Dc84q>3vTS0KKF~=~)_$S9$*96Ep2PRMWH9v2C$J^7fip1?@~$&8Qx2d^DWb zGCBYOiJ%^bcaSW=o&p5G_;S~WM~b-~SQr#Rknb^-9XHO_+;NY4$D1H1@BsyFkX%WR zH!wk)6DKWR6E1Cwp&axV=y&Cud48Zxu9ib6sVsCCxx*!xP++|D?ecHU$QWOaOn7{j zwLc8|ZYwU~o_!dp^$$cEQ|8*LgV<}+p&zPhQeuo0tgGKTb$$lOK*(2(bIUa=u0llw z!Q!>t=nVSdL-eoL=N{?e{>-kH6xP*l zNj7`Nl40h?OD#`*Pgi(#OONhKOR*Gw1zuim-4K+PC82KArgna~Flq zK*rbI{rZ&W!F~|_g5Ou6nZJvw1)7!k^-Hc5T4c@A(){(qQOwFDj}>f}zu>FQxXA>wUKXtq_Urp| zvHWT+mu}O0Pg+N6)R2?UiD$7RJc=$M?+}~8R3&Abi0QX7DTg@?Sm8c+Y3Rb4?&qAB 
zGHw&5t(Iq&{IzsG|IN_r+ZwW#Xxh>m!#s9xnP9`3W}iO-lF}V1vDn#uc$kcLNjfHP zs~SB*A0IoUkvI_qFYaND_Bwqk9AA&Y*P zKF(P!dujisu!y{JLB;+FGRj4sN9z2H1PcuWtw^aI8}oF?xUlsJFuLrtMu!Nf0$*mO zQe4AAi^xk@TFY55k$0V9-2&A9Q1?1y`%?}75Yr?VjU{%u>hd4H4X;mtUpC4_oYqeBSfD@wRYIWUg62B?nDHOkm=I43=I%((?=)DpABW_9c` zQN`)eiHaxrc`#K(I#9fH3qzZCj0SML?UY9s&!pxZoLf1DXb)5OSp319<9ywW8Q>zA zFgbC4;WWi#(k}8&CCj8ybFc?`*7VL!CL4!}Gg2@4%Ua2bSh{Nca1y~8=}^UXk~L3s zAjs-p;Z>@bHB+vIB`X&TCVZYZiY(Ip$g5^`4uc{m)P#v1Qm*~OeU{|1TU@1S z2xJ1v0o>()(trZ8-KH7J(E%ZW0dP}fQSM!eVPk@8zpJ84in#T*GYu>iWgb~h3i)@G zSk!CEsQ)mPz3#UDoB$rzPuBLIfz_~ABr-p(xkHeFHO*es%^TPu z)`_|xNZ~SUYV3RUknC_OW@%*QqZsbhK`S-*PeqzBGt^wxGB>vJK?#$}u_!e)>5K*I ze}2ZP7e)o0;s^M$QbolM9_-!mj@xvFbicZm4E)XoB#mC=+Sg>K$hpv z>uGY}CZM>5l~EV`BjleFtcW5u5FHpm7X}oG|NdP>^{wFv#C7`8lI-zxr0(;&Y!c$# zv()qcNV&{oK8bO?cDb;QSy?x?C}Q<6gn90X$8B>)yA50qxoQa^x4(R@#JB%{*hI68U3>M-g-9>_Phz~XkoWkc_*CV z2hDht9R;y@Mj>ozpQd`8Ujl|AIoODXvMS1V%@D*_G^Zn}3um|(nEXLbyP%h(w(c&Zy`+~#50_|xU`tmn17X}4+;R8*@C7}@|9WXN|B z{*~A3aBzosKU-Npr2tM2b;#)Vj4kT{KKwhfb#8`syl8E2hZgVU0irtYjV~2=9G*qa z(?s<|x{4n5X%*o$J+-e-6D_H2?0=w9I#PAlJ{dXBKu{Ppto~8h2U7d zrGqC&{U90=3*Vz(x2?hF@2d1#^*i4wt-$Nq`u1rJ9N)WPX z?^O0w1tq`M@VEd21^l`_&-=cf-&I|`HoF6SA6;?ft#na=Y23bn znAHhxW{uj-M{X8Tlsmq4gzL$8l@O%qzb$P1;%|hDAwNRYtz<{26ui%9?SK!+E?mfEBJCNpIa6ZMZvX+DzFWzwIj+a=TGDK z{Uc6G-zu~uQ;_E^!hUTn#T-Co4n@(+6|x}1qbHtm`nFwF!g5tjA3; zoVSU3(&xV5L}N1_ex}7c(H@E(lBYO|HKfKN<}Zj3JGA$z(3`U7pk|cuQaVcj9V*cq zk4ZtIHO*GVWVf@#NnR0DYppurh=Z|_8<|+NB^m#i$87{gbhIW~qD}vn&?t3?_kGx` zBXtx*snsf)k5z^}wG{{9BOTd4N}NH`*gz8Ubd|l18)uxDm~+O2D$jzuWY!)9E8IBP z_E^btO(tRUG_Z~?;O9p)4SSg~ti{+tBRWROqwpdjAW)uCULfCGfR+)xYS<`*|VL8RnJS z9hzy`2ETwk0vg`=t}k4m*B)R$@EF%#=F60ybG%0a-C`DjVnpCRJyA(Xp;Lc`p5{r0 z!vtCrq|@MZ_`7ntpHx&I`EDde-p9+h3~TTOJciZJ+f&lXCcXSs~ z-i5+}uQbxpChSwlE0$PEC%EkIs`@tRbmtV)h{r{rVXDi!!;0TV+Q1gAK`Vw|#`a$3 z>v&8ZG_sxFtr1^|t zqX4JnJ2hDXt7>z_7|>)yi><;!+|na*&3V>RHOf|@EXfRQlX{eZo5vcm30aXc!J>)S zwOFqUSAEB9twFbL{Sxt2c5G${R+kNVd%sce&wCjdqi{V&M7=o<0i5-d1$gei#+|r7 
z;Qd*kQJ}!rTiHDB4YY8%x~@}Pbd|_@;YY`kxO)cG^Y^M0^AB_xioO99ajq6Y?Iza-V~!x9xS9v$ zObTtVoXcOVy`+Ws8fB=L>6htCl?!xQVnIu>Cb`bN($iTm=}y^P$7%m9pcsfed*`r+ zoVH^?j?6~~DD!^eNdj;S4EV_uw%=eH_wgmIzzEPk8DCH?r+6HbP~L#~Lym~rHgIGL zZMe#LRt%u`8cyUCRiooMSY&to_%e<3c32!j-!Tl;+vPQL&cN$_n$tYg!+U++^Otv; zUct_N+?AHm1-O}2#j*7i`S5-rGMw?_*0&0AJA1k&ocFckcTFdWy9Rz|eRyQYbG7Sv zKS0CX)q~(n0|@?nQAPN&D390r&usnjZsdNAF}mF{=lY^buWq7&$oqYDYOBWo-y;$K zXT$T7z9;p2(II;stjf_r6OTC-)+L%r0u#M(B^esQSYuB-`AJAy}W**IH?f$5yz4dp=OMmkrxM4~6J4o}sKFE%0Fel5E>9uRJe=$byHTP%- z>2VUU;i)dWIDTKfo{`q_=*@HKaucMD?sIpKR0BAUYFa>O`RH!|aQ*FpO8&ej=jpt; z`MXmRQ++>9)FZ0huBB2ehUO_Lw9&rv2gtLxo=o@hy8Ndk7KqU7jA!4{8n>!0wpYZ zJ-r`(c+uQ;;bnsED`F<;bpEf#f_}Us-N8I=A58ZH`hRtb`--~!a389(<7<@nC zQE}fMfC+!&LH7FmAe54ZPcAx(2CrBfx^hrxges_N*R+mZS}`|RLcUxd>;~GpJQ|bz zQY&xMqBnVBHW~~|QS`V@y!u~>Xy8CNGMm_;1{uv`Dd(TGdW39J9<0QY+mrh+V&>BLzgYshPgFcmGixy_;_X6z7^MFSzf`SB zv@12}oi?Y_GYg7aqLAj4^g87f!(!_$lA+@?L8TgO=vyc!O>jluYp!@>{TFWSdiz1S zYy<5YYoo-OcueCVYXF|=TrX6vbRAEUZnWo{1}$DZPw1I$^KQFS1i5J_ujY+e)gb6K z6OgH-e`2M_!Lz`Oh8lun3QnohoQ`BgsDEaJY*RqRmIw27W|=ZXoghCPhiIwCwGZ*S z`Z)lfGA;K`AAEiAW?YlPAPZ&a);I6Uky94y%nN&Bu)~hpHRmwoDi3?MpU3)th&spa z$^vC;haEc|tAmbh?zm&yNyoO69kXM*W83c7wr$(lZ_c>qzW2-g0c)(WYE{juXR1=h z6+kvDnpFz^4eGC1NQ`H?0C|pQAVGJ+JMotp9@;~fvz)q%KFrP+jEyS0;e=_7S{O$a zL18)(Mx9ZCYXv(ZGC;Es$tv*nqL&C3Bbpa*wA>b)imMDT{$!UJjZ30oIAW?`%bv$m zh4@j_)wb@xy7H_|zcDD&&b;VWbd$kGrRZ3u?1%P&GW}D;cb3ARjtr`h7VPEnMTi7@ zmd#gYAx3E5@QVJJdQPjHkHGbtLsk?2e3%rh4AGlFp-&*@JuTR%EPGIia8Ndv%#~fY z+{ZVkp;Q~gLVe+Hf+$=yAp2|wNs!`$D8E1_mwF9? 
zvYTGfl0OirkfIH&g>kh3Z0BXT2GH=PBBlEtIJB`<$p{v3JMlj-+f4csb0I2{M@4X} zN&?my_ZFPNsh%8Yw#7^RkkPvJsmfGn$e3R$3id3j4P7X!DphNQqV2Viq)x+-$<1mS zh;Rgm9H5DyRCFyG`=j}3*xOH<#9M`tg9)Y{6`2)FeaYtYI`|==ry!A}FJhfXO8(-g z9J^#jWKGr!O5%i3M^ajLHpFH`z4%cK98%RpxQ9YpkXjh}vz&+;PD_U9v6i|0YKZ^N z8(Ye`BIKY05rS)5(q3V6G`|=&ikeWuWqXiL7Ta`3Vg^+zz-7M{47V^kg*%-IKJowM z1BeS7{9C#JwCywn5{P+r19=#?H%Gtke!#r7M4?C(&d57`!n|RFgp$EPJqi$cB$xry zQ^$Z%!q18Jr`G!<{VLzlcO<>8*UpDcfv>({r{7X#+P_a|u(q{L+){E!2PsfS3 z6b7G`_jL}SkEP?R@|G8f6JPYI`+kx~y8^iiXEOAdOdd#O%%Nd;arD@p^t_h?1cCbk z@c0ti(yR2`7Jgp(E?w5&)-G)S@c=r2nYZuxdY`2o*?@WtQHuPqwAhaPES!XxX~ z+t5&7(8z09an9X>diSTTSLj$3Ckofw;Uq?ieRDNv^a?qSt-t+k@;S!m-s@F=>TP<& z#&Pg!>S@XQ<(PFTU7p_Q-s-a%h07?aUN2rBcuomqyJe8v=^+{dG(~ouNV0lEx#n(XdgpdfU)z61j`TT0tkXSIC+D>jX^lRR&0v|T=R zhdlakAKC|r|>6MVHBXfVDe7yQ*AexNoNKl?Jo+VLP+yj7Kt zH5O6#MFAO(gZ<0s*+nBr&W!nwzV@Ci-H6aRlq5g_& zZ%a^|Kq)9j?fLd4=2qV&(KKUqWzaQl3Pkm_k1n2Jj46hD9O=YZYAoNCpT=YJ*j3t?>df@3};HCc|biYi36^2ow&+z0F;z z#b);Hhy5h=22=?U;GN@@m-G7kUzYtryI|Tv8*~MVV&$uN=$_ zd+c^tEhJh@IUstpkj9wVHtLYB7(ZmOWj5LKPpa&}ESqLwM)WUC9_4KKP(>h4I*Ea@ zn4#!*WeGh}HmEp9>mN1|t(eP)aTe48gTm|^D0zl$^lkoN>_3E_giQQI6cUgd)8P^$ zrFgY*u?S@T1ol!bF?l!b*61~d))CDZ7QRnkWwhoVsggn1n9RR%#GD47r4_Vlk$LjtBO<-Dy@6!`frmb#Zngld z6HnqV>fePQil-S3bLby+zS+C^Iw6val5VLC?k8SS~?y-%92Q z+C3yi9d>3RrNd}Q2rL>7@{%MhuH^7e?PBo9MVhRoH2rG^$j)Yx>uoz&8d;z_*`?Br8LKKM{lQtqh0Z_2*7WcTPnp;n|K zTd)>fQ}#3>(*?^?Gue0FGCM!&GkxB>p%h1Fs8R%@&Amw+=gSHcCHaHXzM&QdTzBT* z&LZPxm`B&!c?lt@q)OqlyIYvl2qi`Y2Xl z?Fg~gz`BjwMa`In`a*N59J1D4F#VQK)bmBvldVV3)0B1+kMqXRqu0Xb@n*tm3ZgB+ zC1JMbMfeb1_vjC;t1y>E-H&4*6yW21nM$vVu>j3?PRFvrLtx$cPs$Kt^Ih{uG{Cf*J`v`p!MYH5O^J>`bRg%=cth~h4;n}DSO5G zPJ8p?uKX9D8$`=13bD6yXd^O>@3_u*yX%9v|&wbl!7R3CyF z-P`#}C|osv)0tQE>RU*L&+{$b+UE6qdiUo*lDtjVdYoH-`JddEm|E$J_l5SAoNV#S z*U$DNo%vRe&YY@8At$u=qxbE2d|*&VtM^HUQKJ`{%T7k6^k#?I6H1QOL&T0IQA%FU znq9(%c+_{IgDX9oE9@%nqst+PTYQv``@4Auj?NiIhRw^f`{wR$fv!n?4!#8bz}I1) z`_ZgHVq~H&!Y#|lz3M@RDw{2HdTl_t#~1@G$g=GU3Ao`fu(f`_Y2NpeL3~?`(!`hI 
zd31br*|f%kV%xMmgP_)RJjfmmcsbXve2Th#_Fs%))H3bk9BN+f);0M&KI?7+)}NmB zjNSIpPT^njzFprRv97SX=~XJZFTy5hBT~3`KYm~THId@$+z(@x={!-VebJTv&el3G zW#{wU->I)_j?-@EF~4%9=lYqjiT1@+Pe61W6nnOl%T(_)cJmnHwav6v)A(->oCE6l zg321erjLPgetp&5T&dFCV`+5|QhW!^PYYr|tg^tz3-JlY8^{~?116!4l-w$7h2rdM z*8H0HjIxlCiYCR38?9b216v7+M&a@yLtT7Ye=%atG+CP@5b3(cqjB};VO(XHC%`NFSvTj;YGT`&iYW18Qv(Fv~2xivcFWO{`Fr-={ zhpf{R$k&fa2-vp_HWZMsiZ)I{4Tv3O4@2=IF^3oD1#dTGnlQ!JRU*cs7$sB>w z6{Xu}vWqy2f~B(}S(jWAm*59f<~`Ib%f>_smJ9qOKqBwe>9JB5FLg-bL?YHA0PO(e zYWIM0wW8G$2w!#A4V32l@@^KF{Po?L%DV?qlgKSl@2KWmfsLW-nl8Rnqb-yyP4e4wfBoT-pCQA)sK!&q0gDqS>|dAX6+` zkE%}KNo^BPhFXfzM9Xnh3%hA_uMAWlor2*hNlZ7GeJQvhMGNCPnr!E14T+4 z=Xtu-I1U-M>>fke!ANqBC>4J5!2A`qB&H5gSULLmx|;2?0aIZ^j#O}^pft?a=kvaA zq%q4?qFx@sbt0%#M3U6mWhb=3s0~MgEakX z7SXeeC)Db%E~J`wE_uzB!dSGSDAF^g=&HfUCRow`C`H2~F)Fo@;%!P0>&MkT_xH%< z)R|1gHIC;HbD7TqIk48s$e~C#OSgEsN<~$iSWAaNB4Lr~@<$qVo4EopC4BGqY_IL8fSFbw+N6>2u3Gs&cDe@i(`YRm(iZ#X? zoI9C12NV;%zk00cIKI|tGXjU+ih*|ZSD%MH*bE+?Z|cOG&++xyK>aPprLFh#=sCGg z%bqIijg~_inYP9c_$`%cUEo9cW*N$7%bMNp7anE#w!G4Ndh*TIZMCU-6NGVIZI@M0 z{XEBsCe;ay+*7YW=2_EqxZjT!K`?_oG+1hQ_pG&-xlg#d^rXyaW$6AmRv&jkxLUc6 zCT8GsOL>`X+tPP!B|8GV&51neTfR>qvwl2S^+i4E#I$&9xjeb+KRvas@n4N>0l20B zhJZb{F`WjKHq$p0$}LZc_xjY0n$O-|-nb`mUIS|9jF+=Y-`&n`-w#?lT{Zz_pF7Wk z*10F0<&Fpck%%n-L^|NAH!D^(XTvE9QmyMcWG?5q$Z^H3dEyIwlG$*Jh43vO;EeP! 
zoYG^1wSGG;Zb{iVI2fa!w1eDgP<&*&%IJGJ`rygCSrd#bKdrrKc|IH=ZP#(nz}pa( zk{j4$vH2Xx`GvtAe`5|_@SuDm`iZ{jgJ zzW+X_^xQX)7-cU{=hpSMjmAOU2O!2}U=8pL1S#Tl1QbYlM*IvsI$588D`5P~F!Ko+ z8P4+3LNax}B)SQE#fL*!BV z<&(!%un#JbWj>mNTO9-y82{^Ht(ZlVm@l)y9~YiZoNMgBXyyyKcv!PkVl~&dygtW4 z#Xu@Z^L5K4oPGbdz*SH<*K7Ufei}2R9T~E48#6wJy)IN);`pbW4`zZ${@DJ5R5T%k znu0j{X4I;b646q8Sjfj~ziF`~Eu86^l)hMEYR$ek2kl*riF}VD*Zep8q+Dt0;3X5k zB4e&S(xf=W%k4A>3*7LvTt~j%D0j-R4#aX3g`UhsFPp6@?8LaS6lxrib5jlIxddu3 z*B~MPAzn#NvEyLNSmWETl}>b%wWYKQO*^wtS9RE2s?b-_5Od@i%hqy-fp3W?$$x~Q zf>hcX+&@K7N?|R;R|?c*XR7q>t?5E*s_2{lDdArB2r;mcTCZ9QI&_hHOfUfyg!s=b zsWot#e8Bu2Leg;f;wCs_Z(ysr%ggyig;#54P(A=pT2 z=@gAt$+uM;m~u{1y}#qrjxXPqp$!*=i^ESKr1jH}y%<7ZR=0R1^+Us85Ig6A4Ws$8*X>aJaHFZy3AL0Qo0;W zW*;pMLu3-fEy-)9@(~Qi;WUV)5i1`UC?)GZ6u5k0VfdOpo4hI3CXe$oymxAVWj#8~>RPt%4HT?+xGXt$1VheRJbsZ5=V-|uYX)IVR(QXcFGh(8SsWFKQO^ds5 zNCofb)wpBSxS~)S#InhFGhFb=m}*VB4SoX0N_l()i?*zlMrovKnq(7CnmAeKawKbC z8v@pcLP<1>P;;n)4Xgrt@e*#+Z8RhTba+C&2F^o7lBKaR#CR#xI9Nc6U&x&+AOd|{lOd%U^(M9 zp+l~*5jh+~kLGQDQtJ0^qAKR!{TR>@8^-Z}m zV553vIB4WP3CudeL3T;AvY0x)q}RP@WA_E>Ixf1}zqKi|4sD%yEFs#^!92sp|L>WT zJ-uanymH<*mt@PxD3*9-Ua4k6c!jpus%1??D%f-z%oQ90X*R7scWo3At~0{}M;_Ey zq0&+rx(bvy{&GPt<6+zm1a94&g!n&5X%|rDjp%uFsj_*h!IYg^oN^HLrYWH`SifX4 z>0N_o4YgkdceNkm@eRpv{xjGz;or8@BQUt%GUKFf?a=xuJ!zY6T|vduJn~w%i@~$ zZ=ff~Q_y_Zp}^@Wj9yoMUS-?8R=1VDXpVrVW83+gw(t{4M!^-A=~@!Ti?jJ{u;gSbO=2v0iO23Ci9`ROoGwZffrF<&EEY3kk6C8FSX*v-%g7-{Zkb{XDHC$2L`r#G1>Pk%vB8nZ%(1+x7I(%-hw(8b@m=@(lV+yo*K@G zY^#jDYc76XWwv^H_x(QphSQh9dZ@2zgp4$RxpHcUNQ*?Z`Wq-mKu;%9L33~aexd&g)oJw(C%246C_0$Eu z<45yg-m`q8=*UJqB}8sq*xIZ5 zKD6j&uSpVOrWWI$xqp5%9Je#TVd8;rxa`4mEZj~E4_kSIjf#DlsKJ7qGAQQ_vUv=g zUac&)dE7(TXIb8W8be_Wl~xi6np7;scIDJt401Va1>zIrk*YEkJgumcc=2BhiqSO5 z>ohpn<*wlA7moLGY^h-meEaoG27W3AEau4Yqp4+cUEku>JdD(-7OH~1YuRyKbP0)< zMh%Cr1xC^g6D%ajbW^XvMdnxkB~}<=jBHCML`%qj`w6)dH@CC%GqrwqxR9^`zxh|0 z=x>Hq_-mG(?@lab^G3yXHI`x!s|-i<*&xhQp2VC*{vS9lB)RO3l%(=<3Mx|SUf!J4 z$hx+%$QpHXIOQ(-#Em?Epr0HsnkG|5oWTt?jLObKgnV3U_2O;))11o>Nd|=GNbhdX 
ziHW_cY~orOlBH4VEG-m{HVzZ3j@U-bZ~AeLhixh?zIz3OO(unU^Ra8G@(ue>XxXXQ zhhPxZuj2lqh)b0nAe*!Cl3QXsC|k=J{NB9_w!(qPVTc`S@%3R6#@r6F+(8X>AfUQ)TMB2I8{@AN3X|O8vH!OPfSyCtwKGHM-Oc7z*xyb90`Yz%W^)y zwWO>GsZ8b63KEBU00}pSStO*c(Xmkdi8Y%RT&5Q6?(c$Segx#B*-2e?@rr%zBxsm; z379boN;EpCF*tUbLhSDUtd|&@0DQH(ub|Y38O5IkMu}j$_%j>MSod6OL|Dp7!Qpdk zKPDY945=FZT&$$VpOk!g^fTOPxXaWr8WC^1upLTJui*uuPfOw#>$yal9e<=2^Auv~ zoKx#rjNe{7LS3qu5Dj-fM)3zDf*pJC`cQ8&Y|>E@;~vU*5NHsa7?7X*O= z67xpGh}lC8kHyU^wdV{bVG$!DpcbQ41O|i<^>FfyiP^xRrPAZBjYt?*I9+3Qsrq1_D-^Cs@Dn><4kV*;mN=1nakD+w*ab0`W`We1c*NdEF(M~av?>%($y*)dsoE>}@ zEuM~t8IL>|ES8=~cpEOsf~#i;2_?1Wwy}+(WCUy^{u8sMvqy z{s1wkckav4{rA6)Zn*2~O3~L^Re@O`bgv=&3+88n9{NXUFB5#P!YS($XvI0_=;)$p zHoMRH{qgqmK1!s0%jfdujl=!0^h2QRb35+==-GQWK|9&Fv~rO=r`PdV zqkN%$&*`>#v~Qy3e%Qi4I6MgC2SpJRcMG%*fsaj@U9MSWxan;j_E2W!=g-OUU4>o? z+*My>x$SADWM*Vn@m@V~5-)7$yg!_HRdlReJase*zx>q)bX_oBdN}3`YTwbM*tso~ zZF$^}i#!oKcp)aogB)+%7CXh(t6MEw9Kkx?zsAs@{>cz|pc$*%rd{*aYf=8<#&cj~ z@&>)Seu}o?9Q)bBQ?=$Yqi)t_W&3($sQi_lY2V8h_x$ob^OZ?k?QG?eY)sBm(vU43 zk;6if*@Y+i`;4QV?jBL|xZoAt(;5Z}*J<$A9a6R3eFA^X>81DjjC@toT_Y!dr@<9A zBVm{G-P~FAIq~}D=Zi=c-}%jWY5UdVW~=^+ani!pjor%qqR*8l#E1D=^(sC9coJE; zHhO@e=KIp$&gdoQdk`AqU5&Et+5h@xjP!v4YDO&R|LmH)tXFmj+ zL6^plTFV{TccW1xh;uJ+}6n-Q;+7E{wc~G8QxTe3DtPk(+9& zWM9k)G=he6mO)2j$AHx5+7IK0@QMTM1z`G@tDF3Dn)}b7`G(SiYX}s0p3u@q7jNz> zob(;bGUcuH1TNwPrt!+6b~}86_PqnE>yqd>UU(zjF56%^y@-zfMCcsmS7G2BhY$j0EXqX`r#H zUGT+y84g>xIIc6I+~5d@MJz;x6q4%FazXzkS9H(4 z@X#sBXfR?c{X1iwx0Bzt1iD=wu1!qP#H<1qJ;&sHwq&Q^udl*DT?I5G^-3+) z-MjpV1YWRky?Htt@~I5H?j?$|Dc1s52b&z?MsocR?grC074jofGEx*-{7im-DWlL6 z6>!#rU{4-uwE)Lx!fkQgI>U~P26kErH}sWXsYQ%4NowCMNLOkySn?HpR^=LE4HNKk z2K_#*orQHKf0kt`g*$E+Bt-u-?i57#=#rq-KoDXjQ5r9zqzfxBv`M}8q>g#i4t_Nt zH;468xn-xCIPu6cRKXLcj=H-rKi^5^WyYw(IHSnpMm$T)<)xU#Qt2(YSxz93br|&+ z=|}pjW82Q48m2gfACsOBE3YIGFn^J&cF76vF2IlZu1HbN`L2c>IlB3moWsPMPO2gG z$|DMbzy!@uV;!OzTbPvPi8Cao5gV-g-G)Tnw0$gBq)wWa;SQV!d{|4E07O2F%S<^B}2J27d440gcet__8A$% zS-KEDO(7Nk5u^2F)Nq-qK&aUkai%D7$P;R##yR#tY{lRuQH{#2jqnHBcgAQ^Vd+Lc 
z0_|bhU;MJ1r>3c=LnkZbbi2=CC?2)Zrh^|2GxLoVY=4T-tO{;!jQ0~V)Q--sE``A7u=7d{*5a?wTp|6oBYqD7_~v{!6)&LDBBL_ ziLpi6OZ&6%*9ouB1w;p3j?i zlGlBZ`l|=6O5Se~*qyQIPt)%1yB3Mq5?}W+S4(Ymr0;S0_p74W0DZORN#;Ik z>L;$lbgx-kb+^R&=Xo`Up6LU?`Um5~>BkbVX3Io>?XgMvQFSB6wrG>@=wG3&j_cBb zzVG1xXO~Mu-9umd2Bc3y>+@7M5T753B-`f%<$xWzt+;vQu(~XzTAlZ%53(khx3XhA z`wA*Ucl!C_D|E0Kxg^T=G27=(ZijO*s@ZqXZSmn?HxOq1p4XwLcj@hNbKGW$&*y>f zs)*h9Q8eM>gP)VGQm1hVt^Lnhc>5GyJK*lNBk2+znBjoU2fRjG`bwx$qXaznIyKuq zPYdv>e>>}Znhy|Jj8?;`D!ED_yYVtd^~Go9(J57-VQacf6{+?MWD_xE>um zbOF4rng@Om^EAHnNWpZ9ofCB2i0<{c`PvT!_Sk7y)ZBlBUbK3DF27tk@#=US2Gdqi zuB@6ASG2#Q$+s`rHmD!2VOP}Jy}^XifsS^s79P)tiC%kd<$cbk$MDy{5w4-%K)Wr3 zoX^`4k;vMXUI)wejXrXiC~H@1-2ylF^h)a89uXhCgxVjZ9(%iFocjNBI|Q`|%=q7m z+q5u0^Pd)1WxgzYpBBAFDC z)Iura!}HyA)vus|hPx$HmQ-Q%ZJ=pAFVaB!BAK9TDDn^5U`sT62oon&lOgs@F&R){ zAgu~FSVqd;08CQa^6#N%#3{!Yx{VNJP1R74<4>F!R>AO3d;cJzL_@NMWyO}|;8*s! zv)GCiLd@bKI4a9zEO?t%eF-?I$od5WweuZ1l#mUA3KV7M%&W7C7%g396PBt~GAR!g z`BC?R-9n;7$Zr>M-(9}zQ~ZN6ByHq7ASgF2m6{S}i#tfOVBA|aP$FAC1UowE!k@F@ zqTnOd6MscmuYW~YV=@tvLgYe8K)@Lua~WvX;pIvu8*A1Xf9VML zx9{4Qs&#bC^Iz%Jyt%=fKTtgpB&l)}f~KuXL`YCQeaw0f4k`Y%Bd-5yeLAecaYBa~=$t?`ZZ?clb_#K?Ns@`ff7(@p)L?#9uI%-E#Z!$hO#!hiT3?F4 zkf9)Ap3AcZJ$5NS(lO`K_+OeY{TI1SCBMQfQ+mj?Ls^O{@Dmek%?S8*Y2_pn?3*r@ zA9R)ro{coDQm7Gd?5CFt$~wa?<*e~W8eg+BsHf9}w<_c!CLGBrN-jz)uq@`dRtw7r zomTN=3FTuu>1K+-)mV%*6`B1hPP?W_d0bof_93IZ2hO;&86$ z4Xe-N42CAu7?bxy;neD-!qZLlXf?K#hW;#1Ly9?*D>YCEWUB8st;-j3I1f={D0E>a z`<;yc@yS(leQ02u2c}W>FxF#kyvi|S{qwogz6NbTQ&BeA;nL6g-VNEQi| zscVr8=n`~V!NSGygheVV3u(VS zV|Livqc{?D6}mP_gPGBZNq>e)f^;!i^~wqxgVBnxG0|=lL-b5%c+QJAEpE&F9`tp!s{+Az9@(*v`0&0U8G>^SEnVv|QtV)5$eup8-lhBB}c*}sRu zMrxKGPRW>+$5Op7|0=d;#leo;b9G~@5mJ%6HJ*w{U-^-PiNMo)Vz^>>So1WkF#G=m^a4rx+1(6!ss4cZECG#wem-Hd{@Y0DKw0+**9RU001P^vpJFiH z{lMrq;TI@j1=uW)Kp_Znj>&h__Z}GUy1}8hDbU6z%&6&)YqIzHJ?zhGW<;SnjbuU2 zPsZFM?DmSrfsCt*j!FF6cC%ng{-RCCmvC&I=4IRE2Yeq;0Ji?>!$#Hn(P>XJ(M32) z)wO}^-56s_RLkMG?CL6u-Ie!A*}?a!jLfDnZgsu1*UcvRN~c1^Xm#$rphm_H@D6AD 
zUNtvsmtHh=8y*+Eg3b)&_QSUFC(ZZCgw1h$x6Hfq+6>?FP>vjZpRr#>?Ni<6`oG=H z+!Fe}mXA-r7u!wpzlh%C*(7_~SJfMo?+rFrx-Yan`98gzyBde4z2)B>(svGG9VI+m z6;5YdPSHPqc-hf;oUH3x*Y339Z!YRQo~Tk*f7}d7ue(l@&A}XY-A-(&&(Gv6Ndwdc zo-MZD-srgYxZgWdmOL+0*RJ-k&smRJo8phha_YrcA6`eReZly(1GPW#@2%UeJCjmY z!F24NxP@#8tQYIs*_*fUVaVE75C${28x0O!VR`l@)_tG$bdJ~ifYj; zRhkt3NBgVARWFN+Ui971vc>N0>&4b@AB)W0Id_}00M6|U-@E0^;w#OEY*kKvo8|)` z=y)oIp}|++X&C{utYQ6tU&!yv-&{jc<8yQj`0#AaC^C6lcGKG^|Lf$%52akqV0D?> zS)1h%!%C9lUS6|({_cfu=X5IaHlbeVdkax>8SGQOp4F-}vWD)Ni)C zHku)~J>NV`)c4@WbU{IP~s`WTwga!dJ)!gdE+_p_3oZ{jy8^^d*a z9J;!XU{LbMQ8)7(`dZ984c7z(IjASUj;-#uxnD^H+8sFTcXLNU?W7Zf+zPG@IS~~E zG?C9e5Lfzn7&6@}O@9C@P+l{gj`3X>Ozd%hAk4YL+r>JgOTUVQz7|ou7sgw;z^QC^ zU-Oz+zd^=gAtLcByu3y&`$bgNAH23u#As|(qEeWpK0He5;L-UocV56fHE%c|%ifS4 zx7euRVssokePx{H0Q82339qt4HUc{iBoN=(?*&c0^a7BJ(0>VfVQ@$$trh&xdi`+?c4cnVl5n6`stIPodV+<_XSb9|xCzbIa1Od&m2k*ihw5N% z0F5L{GeFuQYsWnucc%cs%TVC=eVt^ZAdM9q%h>OY*wUE<@zHgvQdXy zS$ZVYnel|8SQQ|TlZZvZd(X}ufTIGjFz&v$Zv+U?8x|ubU>x@*LTCvF6YgQ23Krc} z3DskboXN5vJolq!FbZqPkBSY)Q2$-ISgGlfn51NkMgg%>P;q^Fpf0rU^mR>#%s*^0-9Up&}Ez$aTXxGH7Lpa)pFyg$0%A)z8A!s;pXw zOx@g_W#U@%yDW1zj#ZG;JP7)+GP$j+|>Uzk)(ZC&+Wc}3F_ zZXbghUype)$Af)Gr76F!5YmK-ugY0GSWybXxn?1%SNJEL zXr=#(%@cwDD_<)BVG5zR6$n>NHnI;>e-sSj!cROFz7KyC0a8pMV7rvQO#A*7gR9>Y zx7js$NL0^f5fo40#Y&GS>tD#*OFAE>uH#H4s zp4G2Za}62MbiqI)B!20kli}edB&`@FMEv~+17Xy|@gPfTRx~mCWkhY&tecvN@9FEq zm0Bv3iV;mv-vqhoW>jILp`=CDI;U~8TclZZmVZepGM1#sjIiNy9KmG~aNzzX)hc4? 
z;u)7mmm07#`6lt@tK{!~%aoe!%-mq=rJIqF%$7x#{*daPQBO#%O_D4fT7@oVjApA@ z3m-LEwEqb`S^^=`PkFatSS?1|vK53B4f_*fYtp#51*b3R2OkCWO2BB8p@kp3sLFto z&&KS%fEpHt?KG6*fv4%Yh>rA23=_fwS;l7&)7UA9i*w(*k({L#bfV-2^%HgEM+%11 zM;eMmF4GxYn}zF@kl@>fz^H`4`m0}1If5Xvp}cLPoh0s);t0p+a< z+Fn~!NhQ0Z#<(h5>)!|Gg4sJ=(@gng+gic-SBD=aP72v)9=8gMqbF$FDG&n?B25<& zRAq7qfhARFbDqs9ziUnn2wq$V;OK^{r5_BzCro5=8gKc_uOjR@Q=TmTxv|duWpG>V zqNiqcz$cg)9dA^ZPHL${JciGpcMBq+!m(%G3aQyd&2-L6KATo#ejG@1;lX2$JwrQG zne@=4NLa*{{#d%)H`=qZS;x4lL5L5{u6Tu(gB?}odKb5fv~8drnWH8%J(3l z9^lv)Mi1fzz$Lnki!)*hu=;4uIoWXzP1zcpTK5>RntGq{veIvUA4?$)|#quD_T5UHEBE36dySJR0CA;^|2PqW&`bBf+4Y!QutGm_rhlZy% z-fp|h&uf&JHp_>zs+YrD;E|p=ap%BBv0bcy(WWacHt11~DAjF9zi23u(%UQnvUy9| z^YXy#^R*8lzPm!j`?l)};5jZ0vo%iixr)bm>sF!F@!mS@>(}B|zG`RhSbWNQ#3=kZ z#ZX=4IOv#B>HXqX<*{AxyZoxN8RIre_9^iw6QphQ={ul|+zGaF9)9=PbWaqz_C}4V;;b0lX|`7PgrYyA0T#L>+b)T)LeRi{#&5(@z!jjfex^eC)2;uO=p$pjg&t$%HC@U61W#hT6n^(qr|46W!++f?Rqk(q!U^rYK4 z!pQ0AnTBw6Rn_$7==8za-TAJp{uOpYIy7|&Tvt1tO^JOY@V@Xb&-A@iy(8+{E2YFs zVPtoENom$U98uaS3~hewr&%ThxL=pTe7+1$IR1;md@Jyp&$06|ZNIw`c#M5O_O@>( zvt4{pPBf3~<{T^X+_fEzWl8|6VQNwtSQdBJKxO>wt*uIY4)jxH%Lc zv#>#>_r`M2H)*)EuyBDSHvT*6J0OYR7arYCf9O3YjlY~&I=t)pmq!144puAd3!vej zxBwE5?>woofbvL`Ux(by`QQCVexseMzbJ2(+y)&j;gKHEoUd?Y!;&;><;{}ojlAG2 z7RIw8WqD-wy#XKMO!@pE>2s8r;))wRC zvY6gurBZUGmdh!;k*6y-Akl4|xRF9v&hXTA?r9pvs8fGf^5k zxS<-ur=^=ej6qj%srf5biaE1jCRsK!yCkBWu1xpcrlFVhNeQ21DMk#O(PUga7)_)m z?j=U0dvN0y)RF{bNFh3p-f!O>fc6)D%E@@J-59F|@c|6o7mn zXWh6U2awYX*$t4bDQ~DPm6FQ-JCoGqzZCK{w#@67WATy7;i=U;aHg!OGha-m721Nn zOBdQs-YF78zgU8*9@XS$%p>)agOS2(EE+f+#-pKOHvVa;ao#v8n@ul44NX^qmZml= zkx0)~VIt)#y+dEaCFjDtl+haYeO2*?7CWz2>e0R5RSd-_SQZQ2e8wy+bwtg`Vf?Ft zTS(>40p##_7*7r9Q%x~KECU>{S_#TCjLo7%*U9kqjl4v$c^w->+1vsWR!DeTnF3+U zR91MhM3i!9H7eDhGIqpuqwOa@czyAgKUPvn&c}bC=S}TQ(OXp zT5_rP@?~(F9-&K-NO#F;LJM;Zn6hn(7bIIBW&_>6Y7|~@F#8%~MoBXCovb{o1Z1(z z{I0J2RZB!}(EyQ>7E*lhNG`U&NDm(B0M?sCaiyP4+kfoE)0M zzsg{OWgdsD9}{D>$au*R0`WMLkI4C!3@nGsJN#b=E?Mwe{4P@2M8lG8@tjM25xe6n 
zNg!8aY!U|ZA1N`ZvAhG{(a~vHG=zOQNQfd!D|kzaUnP&@YS=%RC>KbPmKf1Jr24ki zjQ%Q8hpP5SmZm~($Ow_;K8k`j)_#XFj{%d(3~i7Dpq`$1M;25HUJU;hU?b=a=k=X0 zm#1ESbP10Oa;VMW&}sW|UvFMGo?PRpP77w(jUR*O%$kLxDm+Be#wZb&!+Ao7+&IcA z4I;q^eGtGKagW8i!J1Kqlf7%RyKVa;xL1oMMNQAt%ADpXi>^YO zC2(wJ%``l@7@YBtt4W;xU#ULwgJrv0xFx=a1dU8)gM85T@;~n&d`>3xyFlAqVL~Ly z!LeV5UTM{TL8v4_B$`|ZdpR?}$yZ6sm<2|!lTt`vjpFG+rTW(4iwkm>@h9#Xf#Y&U zdo{2@w^7b>Czv%^<2I{!ds!pH+k=s7J(~abODk;`@Yr#yHH+))-R%fuP}=@$tVP}H zT=T4h?P^h$;rU`p&2-SVZJzx`!X zid-|<{JG?QOnY+GyyO1lYq^#BoH_6F^^hdnah2I}boHKbS3`pq&Ar3-u{sF2dHVAr ztKsEi_!y#Cq(9E-B)s>C9Sv}3?MLXa!E`;@^g3u%)set$9dJc>p9e>9LjN#sWMktr z`@FW%<~T2mjMn^;UCshtNKnzeoMIJ!*zF^;;%0LjS8bn%*{y!+K3D1NlZbm8j-EwF zNx5j$*{x+qwcodVHoHRu&L=CY)^;}|ZPY!1!+?)w1;W~^*4x|W{r9bo$0peI>gy&y z2lTv5$IsXC?9ZJrS=^SLn#Y>XrI)8dQR{{Uw&ga!tLYZ6OEYQ};4Q_Qtql;!%XK^S z>1e}z+Bx3sxsMm&P3QeknSSkHJ>_LLD&0J`$#dPS$;O$_Vw$PB43X6O{I=c=xWen< z@YMD>+|_(>)p?HZ)t<{Zmw}-iXIb_+>Vv(%Z%$oOT?Jle8-4*0f!z+@jofhQ-^735 zh59RgG4*uEQWZ!;Wsb&G-x*Mt)D87@U;DUSrppVwt>5eWJe_Dn)O^c(n=amtro8|% z>1_nmxjWlP-y&Fq1A|rq5TJcr?r| zPgBN7T@}#e(uR$N@%^F4po{vzlfXD5j^JdO#Z%7~X!;bY)b+VL?z#W_FnZGG!xHp#d%Jjj)dexlSoF#ktz|4A9Tq zf9$)Xc3AnC+$iVjy}uDxLDb03iq^cAE-WuC@QdZWlw#tf+DOvoNfo4zhonshuwILF zT#4nO$lD-gA4J$TDG4xVs6ZSn;wJlbmIxseB0RaW=&%-j{0&63M%IY>4(qga>Xb_} zLRdORi5oSFjbu=?M_X^$4M9Oe;&`%wD6t(W0+d(>aE$(T1?V^xYcL}}4bE3nRDu>Y zx~0O)5<{sL-}s1`Y5O1A)ED!La;6vlg|V5}EY?}3C@IcpqKaM#-xU}}J~FI^Vtuyw zqqcit#M6o^SwN|(q|XcJ(&t2+vQzMbz|`!toZ6kN{fcavuQE`S>Xu8HE65nCr#DhL zvjJaxr{Rv0&l*>)n1WuKL6E83;n=H=oH3 z@i7C)ss7)plkb(Ugg4vY3-s3X=EZH={}d_k8h80uSm893=O@)j9nG5+6$WdUY?scB zDkpX(3Kr(p-4|en19uUR<}I)!OeGadV3_MXN_y`2Qc^`DmnM`1`YDZWyhDV&Z2Z_L z{c$XiO?iB}L-148*@eqd^!@32dlTZNs~ zQTz;Yj~Yo8n=@PdoGXwO(Fb_|CF2wl|0hGa2!*v5*q}W9>#fnl7xq(%g=qoPH6`7m zl)25n^~O5^$p5jgkG8ab+QHw8@6AABZQ$?MpTO5>;P^kHFXEH{0+zplM7T>A%!! 
zzZN6DqR}Nr#rc!sQ=4rXWE2dQJNe3-q_a3Q&xMrQK&{`h4^H-F&mNd^%aHvYydViK zWxJ>lzTer2Aq{?`FmVMNiUT_*FtTw1~B}%;2$3NAUN%RE0 zr?ortmCU_ku?Z9w!WhQA{08Vl){56fN?ch>ZteJd#%w`<(+4P2FjE+ZTWQoUi~i}6 zzIiaB1_h}v8?;^#lfc73>Hm&Y?36fJfDzKfV`PQnpWL#;IB3^qJb08UH#FrI!w2EY zAiPMe9&J`9HFj#(%8S=-j7>(Q9>}2p{Ux}j5Z3ZrsGGRpPaEABy7;j&#Sn(@YWIZf3|X5F!{{cFX3uowVb!1O=UzPCkPYMtcRC*A3D zoXTa>!~@s`-*ftds%+leG>=+Vz0FE+rF}faw(1;OoUM81J8o&5^+D2d`6ND^R~F-K z;Kg*ezi3xidH|bcySLOYawVJEpGQDdw~j;IHMyHt@Byzo(A%7cz2!cXe-Qw{mP@v% zf0|eAk7?mgTMpmea%uDXsiiT(<*NEGE|1&gZTDTs>5A^Hde6%n>5I$kUxBrrsF>`K zbpT5su*s_TU9ulpy1aURpC=MRUEUp{v^HXR?gE2(5c;HE${nP^bGeso*|ELZpW)m-p#Y&YaW37A;?|o#;5C- z-6m1e%W5yD7jPF9i^#O&W$4Rxn)^92`wa53`yzZ5^vRs2CBN%CEbh;`X}>CIo4v)* zd9!I*tOMA{E~EQ6t7OaaK4_SfOa`6|mq*WwZhw8@ZfiXrZI1%h z-M8LlZ2&L5x7^o)?FO64(N(tIt5dGpU9YkC)09=Qz(G1-%lys9Q;vD%0aqrxw(Lak7Yc3cz)Noppb}e9neQ{WP znj=ZBf}4C9iY&v&A#5b6kE1_{MGsSc7>BNUahnpqsQ)W~(w?o>auSIW!Y7Ocb3+0m zmorkHn~1#V&#o8i=D2JSOrLB3)(ly3DhT>7YcG>}n8x^stl9L!)JqdA!ra_z?9~o_ zNoi~wLc=DjgfLp-lo27tMjr}Zn;^bnCk?+`7D(d7W9oG5X5(lT2^SDl3YPrFM~z=1hJ;MR%kRML$#DL5`h#YX7m2Hs$XrzQ%19Oheh zU`=>pv>Y|yKPTZ8s@D3w;jC9uRlwvj1&;4u5!UgG4zTvcWb%g=g~~ybkyG^N<_LT# zoZ-M(GNcPLrFa7jG%#e=#c^dh{;ZV~_B&NWiJfAALb5c+MUjurBD-a%k`rA^vg$*c zXoVL3Ot37}4#ajYmGIGq?Ec(04B3lV7V-X|MPs9i zZ~sD2yr4t`b1YK!t+BS#aBmEKT1Tm4XKh)dFUs~aW2XUZBV3m?oL%B5d^m?3xCSK4Y|wXS1s)3meY<`B*JS=#+z9ohc=7m=;{QhD3#sSGCxZ;#tTd#r@2vEP z%4IK1s%>@LLAr(Qgn6GI`}~RV5|1{)ZNu5LNkW3hM9*Umfsv080y0sh8v7BtYY0`k zOAkJUKaB!IKh8;CWWv&|S~t9SpYY;P1BI?dVxvl$3ci0jy#;C}YR-1LBJOv2$cq>> z$DuD*#R>^6z9`KiCa1Ysn&fD!JY}#<>l&YoBG#Y#N0SM*wfIs5yHg(B!7{zjN)?95 zko{btf?_RmGpf-Myt@L6+q~uDdo_5%7X^lF^!c)AFrPtMdKwmZ<`WS~f1F%QC~oS_ zd_rTC<4F-Kbm~>)I?&=IshirLsvn4$9G4DLh-IZ*ribP!SpJn<|Ab7C`8O|S48HmS zLRR{N3(?Q`b?>=AJLuEL(p%Bb;3k;CvQ;y7QkJTu*cuDUY>eztKSl7OkQnw&I7ZTu zxExPus|x+5@LFNerq>K*a!CVb6Wl++zm(Sg)hfi~Iw70~IcM6MOM}$}z=4W8L=k+9 zHE<~HnH2xlSJn}*9)b!YAvrs~nadFT1IYbSC<&`)~kLd247q3XuHp6gardA7wfyA@h_BLRU z>Seu=m?zGc_!k3-i$2bvGmrKB$_Qn!QanZCmZfnUBmUR6*&R+{aL5v5gNaK{h|VAI 
ziU3vN=E>g&0T!In6-yJRN{xlXsa&`dLfDOKi4t`swY4S18;F((Seb2bZt;2*#lfu> zT2wJRN~Z{4*~cOEUQFX`|L*~wLkQ*EsD3YNP6NAQZsmcaRUIjBs5kgO$?BK@Xi2i~ zbl>N7HeheJ7tpr{&i4;glwtNFK!*J?OUmTRqnZ|QKNZ%w`82H4J)|EFeBCOp_TGy# z+{zfPaG`1LUUEC{$c7^8bXqod&9ocw;M8_K^MP)Ef+3?1ERN>AK7-Z8-^Rmrga7>F z^-)-D-Mqbz^?J})4tsK*eC0JLb9h^{KE?ZV8GfziKArewH~zXj4RVB6LtQsoEnAY? z_f);CYxi9%!R5Ktw*5Koe+);ge2==(LCR+?;>%eoD%QcIB?Q^@{|AY`6&kE0U)ayKnuio2=;k zfF+Px0ESx_9l2=svnI$Si*$eY^aK14_?ig?%!jjd-OqmEc~iRjt=4*n5Fgggp-FV> z7Zca?wW4ym?n_-CXYqHM$G&cmZFT!c=`c;}mVsD6^>yd^TysMg;Jxmhr)5)`x7_)t zy8N-gn>K1|^)_m;3OL#PtL;5Vbb7-+e(!GEhlNI0N9{h7P3C1#J-YEb8P~QwMQz`+ zx6WStwR4j!`!Xe%Z0&mSKC+oqRpI*l&em1`(geA2v!ghlUk8cLhxedhe~GNxcDhykB6$6-2)K5% zUAaf-cda8+#%E>gJO~Ep3~8GbM-EuJs0(-)_xf$yvI89_fCziQdcpr5G?fj6Dt<);y$oZM>;a zUrJ@DC&xrz+K0`qBdlR}V00sdypYjvvfxEX(I3Q9SQZFP*i4de!A$A5|4+F_XG9!1 z66FwW#}ho#Owa@ZCuRRlOk+Q#WPg7$m5=p7T@^;t zD|xi0;iCMmLf;%|JC)=0w%{%2)#Bz6KLUJ9zwqpi3Pis!}X- zJO8eQlJF>*lwSl-C{ZxfG8VtHMC6YW_A}y2pZyr3T;~`n7sC{Ksh5j|u$R5Kr7Lh4ls#jHkOlI@R4MeP-oF~y{(cluOQ}Z z;fTuV!BGB`Uj%n6EoJkd2hgza7I3G%HEwL{(@D~RJ6_s|0*)t%7C-t;( zFf8Fwq)A6*L*rjQ#jHi*c^CLZK)zUo^a|IJ0d3;X-cl8_=P^CVjJHkFyrwi%j|FUO zrBbaT*gs{;W({i9=|!msB2rCI5uVPds*qBy7iSdm3i$yW9J_>QCI^kN7DL4Hyv zMsSYWRQ&6QIz$yx#$@CL#4Ki|eA3c<3{ww?JR+PNWT{*dJ)2TPC(VV7CZsV3vgHk% zA{+|#D1-4Jkd_uCbjQ>X58)(uCzM)5^Ptl3%$vlVcpkVVMNwxv3)ty0z6yWmPQJa< z$bszR2_Y^6qx0q%ED{b%W%@X9D2HMra(L?oybt)Lq;<1ohrk>Bx9GXN5!qATLlOS> zgF2fYvPI|j7BBp6&^;x0jcLQP8j-rO0yV3jNm+tv-2RcqJmArq`n3Z?NwKPwvBG{O zszZ?Q63S3rNmO!$W+U(xOwIXI2e%a*rOrx7d`4wI6&Mo67k0hUoX$z&VXbMA2t(07 zu3~Z>oa(`aWsnNsh6+%4m*Mnmsm)EO=t431`iD#=3Jq}+N&lu}%B1n5=4_`MH2dHKZvwq$Cnt!9f-d)0~6$D zotx4(PfkQZ$YG9h+7n(gFiHWUDL5Q=;`+`Y_p9UA5UL~vv9>R%ux4qW(a7UpBJ$?U zCIK|;xt938+@v(9t|R%tE{dXkfxdu9TE_Z-pEk_t*G#Y?^?JSyue}S<>F+1oY)&_Sd6N2n_j_mRGCufO=pNeN4PVrk6m+hpNwFSC7|7GhAw} z>mglyJG$o^jr2p&a6(CZ%FUW*Zrktstkv)(?T1atW)tOKwU1#=m?eoowplX#AiA~c z+JZYKs^xQS*)I?Dy$)@*Ou)WRbfz<@O4~{8#L~F=FppP@({L-GLoYNuFFU*Od84(u 
z!lid^;_2dSd*!YN^;uIAaL|aG?N#<^4d-!u@uB(Zsp{d(dl8%I!u)}bpz&FoS2LZ- z85+IqHf-W}%nfX|209GN*k<~CQAjpLtv?m{A9dgR&t{I*i)Pl0l054;u)e)uCU*hO zag(c>U!M@p0F_c~?4GI0)2*3q_j&!Vx|yDD?{^!L)o0ruktDht8C~!z&#Koa8BPxJ5Uu=R0GwvA~k)i#q$(`gQi!uWRChv~1?<}l7IpE!q! zeBQ37#y#_B+=j1hS)R9B#r($&w;$El<_MQf4}#^LEw35ZEw0tAK;egK2UnXX@|Ou? z-oJJ}ubRu1K3hDN72VHlw|}Q>ZNKDqWnFcc#!P-~T5e?~n`E&AZ{B4*o~|T;H*3=G zx;IBOfVU^<`xNfy&n?03mAmBgs+E_=hwuK;r~Y8imHYs=H+{$}LR_!U6PKe4GMj(D z*cG%QGV9NOTk^JS?;lrl+17W-cYAlzh`iH1U+Ql0nAT>pe=ex@xY}sWtnD5sc6qN> zJ!{vueJZ(jcXn}JrzI|@m|Dx=08Zw+KX4g?HM ziZ48`|4VvT0Xfm5z|>0MYhc9m9&g%D6`m%W6_60gvm`1KI%KHX#7o9*E!ZGoh=2e zF;vD=QJ5W>>H<4-e?YPjSM1~=34n8uJc=@aqm9wPvvttU$PH0!m+0@aYFs=={JL16 zrpHWlG^Ag@`b`y{wg7OYhgwD4d{F%C=UJ2=#~kVD`8@e!z!VE@IaG&6z50 zYjtqu;4cq1XpZI8C}*{sxAKhrD1xoZP`2ben9BtgIK;PSt}1Daj9G%V11I*Ym z;7N&c15+($9Asu`NxpWH2qEfTiA!&K0uB#%okW59g8|-vcR8Od7A{{zJ3pb4S{b>o zK(!KW;kUZ-P+PNKcA;brchJV;EwJSAm_e8G%G7s`?2k;^@8vn-rw)5{@$)wbGXm`BBGH1 z;*Z9(C3f^lE2E__#?hY`C3r#Z77dQTQATM!WWN2ti<8(2e%I?CTK71}Pf0UUa1vx@ z-&%rA(X=84t%4Bp=Nfdvq9HCvx6C+{nE$PCH4`>80HRBsq*bYP(b{M1IP3~q# z51*T=T%tP4hS>)GPrXiu&RHyX@lcDJm`s=&8wo{&nvF)Xf{nc@hZ3AqfNCK@k0>h9 zdLY5^QGq~)iAV&@tV@mJuuN?{gVhdmFa@#SIgdzEu5CEZx9|K_UwnGKiOCsKW!4rk zH;!`FY%-w8I|=8fc|1u82nQ>FI#sYTNjPc>Mciy-QXcxEkG8y%Tt+|wNHYvk$_%{I zMyk4oFc$oUA7VS7Z$e5G>%GPHmn;xT_$dAj7;_W+MKovhQu-Mz!_!)^KHPL|?q>y| zU}Cd8He)O4Qwk;_CY&SP7=y2@AkUcyLzQZ^!>23TrQ@D=B?fx0Hko3R z)T&!OMU=m?VRC!|_&sdZDuP|ogx0WxpGisDKwKSBh#Y$o@oN?)7I#^z*oQeZ%f7`I;9K zYN7|q7iskyfJeGt5pGd$vf<(;cgSH(>%Z^2zq)SAOl>XkQ7!=iE~76aY^%d-txUGZ zXTzI7v9HX#_2G`Ti6>s#ZHIHZ>8+CXvBvRPOXH_bvwhvl_QBD~+ucnv#CL4lPd&l% zo10ED+?M&TV5(@`yN`7;Rh1mN+ve?~uVb5E&0B_c;sF2dwb74mnoetA+Nb;NNBnn4 zJ4ScoZs@j{>%&4D=mN|&)bX}2CL4<9-KhI$LUTD7x{u;8OK-N>@&Y!dMQ7FyQQB5j z;C4U1CpyPpCabZSf`|fb%BccIxjAialvs4WKG{G$Q;iWe-fL6=&^$I5o$E`%>{OX{ zgX%kF>l=Vulkzr&;wUy`#<4aj#IkDrd951?)!K; zoJWwB-*i{(xvF7tLt9m6NU~`Kn6$X8KJQWQ+|o4rDa+F`#X%-W#_cqQsae6Q6s>h$ z_`cow+S?51*kwphc=mpqoX9tGp|KpDZGYeP-Uq>sM<}tR%Tzz>*hctn6T4`-Of$tV 
z)p>v8KRoO%rrX_k7?TGu=xUbDb-dqbNAWbg^lfr7+xRqjLjos}uhwpwhukl&$g+8# z(Qn(@wHvSWIkhXKf3>QN^15EZ7GD9rHnweQPr-{XU2q+O*A-O(-R*r$jq^0$CND>X z5l@a}E!OL$$m5Kbw>AO5y(e)+qs#7^Cgoby+tr42dD;1@?LKe&=?3Y`^=WA5}*6N^AVjZtSgW%OUonLIw|7gG!&rjm441U`~f8R0*rpe^8+^lj5}5z zK!G9CTYR$0`vEc(vNxD_S@CWAmIatO&_y3p)ifz&vkHeSH9L6WHDky%2U`L&y(#56=^k2a_mU?j7{6U?j z{xx)Dr!cm{a|Di?1xkG=4v&@G`Idx|M6k?y_TL7fT& zj{J~IWw}BfdP=>n4Mhm!3I7psn39rKGmhDWhZcs5M$uLeZZj4kPZLrB#_etk;FHdf$@gK#5?u+ zGnu!|R2p7>s*pw3T))!RG<9ixHAWD*NYQ$SR#G)abqLHFqX*0pys|a9WkrEZpC^}Cge(O)qV^&Na*AfyZT z2K2BQ*D1M##Hm!Piu0d71@-d`?~ufZ?jp)X+LR?RmGr5Nn)cXJ%0v&z`A;0C!ZDY@ zh>ttji_Vp0@-JU8Gb$Ox7A#O?wduGVK+Ao5ZCsm80H?);Q%|cIAz4K|+s$EnbCO>J6qDZl) z0dws{xr@@LjUsN)H=TS)Sk+=8%~XTJZS00F=V_fyks}zVAFQxcD@}1G#o;_Mb@*Vf zdc7-$35TqB4@O3McStXt5KG8B8@x(t`vwi3poD)EP?W{Gj{k;0$9P5ditv&Pr0!tj z=>*Oc%!GK^?FJVr9`LSxc(G6V0-Et@T`&wM)>P7Qi-#9VVxtsJz1SVe{xAgQVS#y= zu%x+*%n7&7-I@Iujk05{EG(%=sfLwrKT}AGNPx*JCA&J&B=CXvr zqRRK5$XOd2bAf>f!NbwR9WY;2u8I>KI}|gM)6nF9;hKY2s3q`3&2Ac{KYY)Pq!1_;; z0!^utBUm)pzeUgke~{V;F7`nYe~tZZ+7ORP5I-tLxr&<>0LKR_3xW*olK=)cQs4%ni(Bu%BZGO$dWWk zp7r`V4i=8x%qr}+WvEGjqg~y~+ZC5(Jll@>48G(pma-<G2{@^dr9H3GbkZHlYz;UyNGZoR`L8@>+R z`C9ETwovwUQyy|nwzK8^6VmF|re*%4(3O)JFxd_(Q>feC)ZpXv?a`Dc+vrSaU2zY- zayXAK|GKbwI$`O>Rq=4TtK{BV&1Jp5Aj(=l?PYN}g85#npt|f5{i}yf_zacV$b?X+c|uLscau8ShHjn97UNy`i81zW8b|L<`DPwgxk zE!U5oo6RFZHlX34T9=EyT zC~rXFqKx|W)nU};&MP*YE3z=tmUmIzTezwV9UCkA!z?d#(}Om`^!CnytxbF1U@*O= zjrW0yX=l(q8D0HG6!!Jq-y*xkvuw|0~J#wLVtyY zqK0PY5kB*N9vgm_XXAcC#>N4-KExK#TEEg8$-flI-A-i?>vY^+C|GZMidHWbWt8Ea^k?|)+LUeuTT;Yj33QYNby@qwz==&m%+-~h zAaQw1Ovx}gAqBM8Sr&`5^!Mb_EjBIwN-q>I_K78-u) z{ahL!6j?1V>JJh^hqs1_uG26bm?y$4YME*%v@~+vgTKe%RGx49!*4(R)+rg=ZSu%gZ z8E7XdP6T!vxa{H=y%2!|J2WHBf`D|c2&+QjU4WdU#SVC4$Ir9VyMSm7SjP&fHB8T{ zK@ej}IX(3Xia}uimM0&ljL!S|!=E>j+<2*fGg38a$|XeWan!4I#F~R>%1OrJN#R!G zNi-g?xB{3S@VNn7aXp1o0b7F70@t0-U+&+DYtjHZxDCmj?D}Pn^NE*?{Kv7aYoE^N z{m*rO5Cy77vLwxlp@4(N@Q4Lav$w3!N#0UNl;Zic0ORBok9=!+$6duQjLq$iu(5ujH{psp4F@eHGzv 
z#EeGWCTH_QBWr4SlD}vfZM5TfMuiAd3~JBRf!{!jX7NvBI2wC`d8`62t?Ue1il4;C z!^KD(i0L7Bk1b{z#XLYo{4erHx$^$>$vVp=N>BaIO0Nm)OQA zHWr73V@l^Ta04L2(V+#{hMS{K*4|`vq%TJ^!ba2>oDS{_AeHi_Qfv}=9I0l;OZK7q z(jgvlgqDO_SUIBcVa9w$bkIIi0FR&NUa4Q{Pk({(Y393B_t~XHpWMJ#TWAuTi?DAAVI$1s;Up!Tw!@VtUFzqMF>V(5HjpdYI=RUl z-o$c1?_rYQ$Hc6ZF0ZDs2>`Peu@}Sz+q;s+6n*Vmuj-(nvA=<1&Qq zC%9NxLo)>RcNr~_Ueop)^awgea%yLtIk96tQxDLg3lIsVd~xCVttghOBo;Ndsgr<# z7?`#kIg%9z@`qnl8fDseE{teVo!44*)}eC;id#2`sVu));Lp^9TQ%lE9fkDc1+*w> z*arK^zVkTc&$h8VFir9!J?IPcSG&E5o;*x7X3%gGy;(TwG+$w$ET)vfi)$RPhv~7~ zw!doxU?cJr4Sf87ltF?DK*oUf2LJL0puZxB{Kkmb1^Z%oohEXyzuq}uYV4p_1-lw(=hSbH7F7 z-~NLRr)~1_xua{LNYU0{W$)r{hCbIsV<*>^Z~nmw5+8 z_t)3C_t{3e_F;|gMVr(4Boli37udA7&1RwO`^j{+Rv&F`-Q&^_m;1@Z0V5TT&voz0 z8(CE_-P6N8SuGpQ?L%?m<&%Drhgo!{52x!YEZ*wJs3dP~6!y|mi(d12^2)iNDg;Q& zMEgLbXT|vR=i}P)mEuaX{c!Iy^#!-x2kBHjCxWfdv8g7tRF&Nkv}&at*T|-^VPd)M z*Cg8tFnbUPVE7KaB^2K0gJ4Dk+4X^n^I(~}CsjZGQ-MH-XeD5t?-Q%C@To0l!2OHY zpc%w+H}22OqDJQD=D@Ra-RJoLt%A|HwWz1Y(K&jnk z>*_QRFBTm&m3(ayPFtFogIyk1?1fyNXsl+^O`oZ%AdOGE!lWA$s2}%AuZ|&ZppJFM z@bd`Ehhkg&K_L|`5_^(s5qoKcS>QJ}8x~5rd}4s-J`4!Ln>gxJqOVDWLJ9>W4|%!I zKr;L~<9wsZOcdv<$XaHOj8U%CM~I|Yl3^7|bi44bg_i4{)Tng~dM zpRxSaDO5tO^cFb*nKn^OsrsGUlkqs(L0BaGv_Cwmmq$1H+d6g#1>rZ>@?`8xvwUb$t<($A0*7EY0q2A3=2OUbT~ zAq};|mr(k9ko_Be=>f9<$q(re+$1WOT}cgUVCR_sxBU&>8~8H)6PFEe$P3E|B$H)- zt0_P3Q-a6H(Hn4Slly5-%AZ(nGU>u$r!Rr(@XFsm&9Y~ahbW2+eL7l$AgEszo$5Y~ zeeMHVK*s%#s`t0TrL+4YlzsXI`U6yTM4ZSL;Y18`21fFsO{ldqv)`W5-$jB|ZJO$S2}pe&h0M$3>(wiA(#{=MxEG z>5x<3qXYGvJ@mhLcoGvOSPXh4_54v*&jqK@hhT624lHy;;zx8Cu@MyZVyNLtvCs?V zgqvb6YAcP9M?}@TW-Cn?OZrt)GN$3al}o#d^p+J___R>3(Uc%|9yFZhM1}cWN)=*4 zyycRNC=3RF5G%4w+MG^@zn|Nmyvn|%KA6DKZ!|8T4)iwu>L1d*0KRG={Ce@^ZvhOr zW7R5Cp!-3PpgY(N?Ko)nl|0?VD87=)#p?fM!(xGl1{WT{sf)9|3qa$TZIN0st6GhK zc}!YxaB!Ge*0}mX`>;MoK*r)EP1?^G^F+0|a<+_Y1>n<2Lcd4O-+hoK9cn1jBw##R zSz=xn@}f`9zxALbTR}>lRioowaG*gIQ}pQu{a!7>R`K9xKV_cOuvD-a4;`H}eb)hK|p--twblUEb{?(ht~*ZKn#WWwz>xp(!I|+@=(bM$LJgrckWHb`x3Zg-m|bJ}V8+T*`h 
zzFq!aFx7YxUFWV=ERQShO6B@elhOd@6<>9KWMuFjTi+*i+H!jxu+kn!>!BU%Zgkv@ zoR#C>UO_BxJ~15Nyl+fzb$*4evuzz)+;@%7zY?ZQsA z?9Qq;(*YLJb?nD0qdRWOjK6Ne2NlTJlFPHpac@h;@a%emhSObnI;TaCKZoTt@f{PF zRCT&v0w-6L@#GA=L0+aiJUSkB>-)-^J#2!xqtu=v_kG-tm~J}4dD>q3Nh+R~TF=~` zNH6mWX;+3do{KhByWLj(O?2x<&tN-|DsCk9m&yT7Odk%1A=<7TZCP3??T5dw3byf@ zCpC_#o2QXCnW{&vf$31szdB6KpF)OgZ0Q_7u*o{*ZEXt|va%faRXB0%GrauYt`567 zcMEqmfo{d>Q`Ipoj~%YP@6&2mIi9u}`E_HX*cq*NTcS3&6Pm|?*;-Eb{Mc5Ho+g== z_+8g|ipQI-x3BFV?CobF^{Ri3+Ig*=fbQ5)EBW~97;4s;?|7EFwO?ncfmhlEpCENg zho`~lN09AX?f!OybZ6N(URsqeQO5ZcOLMT<_YxX{gFl1 zu;hP@uK)2tR&J-P34U+>yEGcAbo~s}8$M0Q%H+gJfka1`x+70q9g~V26|G;Rf;ehD zQi2T=O+OI%Nnye=)}x)D|GLCMpKfkY}_JoUxGx8asVZR)>Nq! z)#=o-MSOmd*_=`Ly!nH(8{&Wl+hTASGh!sRz#s+l{3^o)*@_1zJj;C>Jv7qd6O@Ew zuv!)i_eA94cc51@LeBwy!5a0g)Q2pRfiJQLbnPTQ=ig1KgFp39E^IDt^7)DwWP^ru zm=trJ(1mBEiy~Ibr4*rQ+@OY41emHgea`|#SMHZ)6=6)6%u9=s1#I1LYpX`{iPYIF z`N;yL;M_E8m~v6Pj9jM*#rlDfw%NB$P~r%6OMyBEZ%;+$-+NB%PUA=CH(cNTy&hP=`@fvNY1j*B3%2 zMnw-zHN8#^`+#tKN>Mn7gn?eaelARkU$&~wPI*xA4lzh%PN-D$+(-no3NTHXO?u#+N}Vje0WxA3 zE$Ier7Vvn>a2&qpnLJjIjMK~oRl1{kmucii3Xu+#gi!zf9Jj~Ol!p4rTgt^|5r|K! z@FC1Em_rp3)^7WCXvpGAsLf(NA{kv2Fh=63H8M@`Rqg#N2;%5B)ovm}>kBX{V;!`J z?4oQ_z>sNnWW-HrY`_QW%BGjY7YUD~gjS947;j+Sn*AYd>uQwzRJO>!b!gt-8!F$! 
zL@~egCsBE}R+ zCcXt$15M6x6_D+m<{oxftKnmQ+1ka3!&?<$yMlT$q=?BcAqqskQ z8}4*5LH@|MDa7G>Dvl&OV?YRfp#j2BdZy>TwTdUH-hduX;SUybaKsR6`HutybxvNy z6%BgswjA>#S$#s(!W&#f9OqMl?C%9 z(TJBS?35-Eh&vXfL^DhvGaw}7MwK*~DoleOCu*`VmzerJOw^{kYkP@Be8^s>Bfh4a z4Rm*S@o7HyBL%P0O~R(1q`SAD%^)UNp_gNJ9lEij}%1L8Iw+L+KhWbt&DPjMZA zz15cvAMKWy_|0uS{-&O6T3nXR(g?i!pvODqPpc2qdehj|oSyCYAG;TS(LY}U3>$}= zJ+J=NKertfz0t~c0B5F;Gi$Df>P>-H!^4|x#(?zq9j5o_!Qbaf7e|{c z7;ld$s_%a99SC%MyPjHn8;)ZO3y>FC{d^4pZPx4GjRqaOXg6Ph!X`RDZ z-P(Pfk5!}DPsU59H{D#<6NS^O`(-3(o%#1a8fS(jCy~B)1KEqJZ!(M2WA29y3j+yT z`yVo^8}pUTOc6TiqJEeVQB(};1!hN)LZgouU%_f7Me#71!CuwlwJP0v+k*(k#i_C} zCzRtTUIvEj&VNv@gz5sObN-F+U_nb_Q@i3x2R%WoODOb)WcBjn1$Hx0koM_KqCO*s zl>0ULOn4dr(DD4r)kAWE-KzqaIqNJ!l!?V8DGZYhNq+4(u$HGmdM^Y-OBCwANNaKy zDPXV@DY^6;^Xcp0gic<}C#ukWg_5trgBZ!t+e*|XO*GU%BgxdIlo-;l{C=Z2{+&N! z(788=ErKh`PVdpz*c-&-u0W#rf%0B9W6@}!`v@5tssMXZVXed-x_6o;Fk;tkeqO<$ z6!>7qj7J=6j-@R_;6tUTO3Y#4D}|BRg$dl1>y@p`lA~#H6ILqp2nChTQ^c9)r$4ZA zLUE2Q$%7=SOshFz7r6MRSwF>r#sqI*cPIp&z-kqFGPNz#@~H zmh(hd=?JMLrQQqNx?fN??av8%`N-hp^RWKCU-UybDOe0r#*EKBOTahm&%2%i5Lvhn z!by2_mW0co4b8u3Z(Wmg^(Ir5A`KjKl;Ub5PQn1QnZmUDRXr_SL@Ql*p$b2dsM^hl zw{L>OMR|i5n?FkkUfSiCB7KFWTX#8#!$z{ZD6GsZ@z}$|U4PAZ`S%%q!sFma)8L!lD6Q zu?+neN!|CAM?N!Olk@LO@TS2KlmEX^{0bb`y9H@|UgX^2A4I&H7JoinV74CT1Ajbe z8C@Q~n>t=T;PXD7V?0lXZBz03DPqP8DEtyfma`x>Lw_!qz8)Y5fy><-hoc^MvuxDVa#msETk;7Gt0{xRtszA>Be!9dZI zcKy9X$#&0Xk|kc33J=tu*ZIk9&!?=w*gG>NAT?f$4zxK^z z`2D7yrRAj;()05K_h`U)N@H7Rza^>&k*B3gywzrJpycNp7DDjHVac3nKnFcex)CW}+45MOBy?1*_~`S4>v$G>o98xWcCJUw{1Sf}MAI30gP#M*g`=&D;b~pL zgNI|9x5YoG8!Q*+YrMdb_*`AQD;KlFpd9FOXlYQ-|sdwg}dg{V;?eTqE zd~CUV2&oWx!+9N$PGgh3pn1IZi18j)938Xtma#+73yz&u`kMel`e#ia3jZX?eP|R^1ig4P zuQysntnJQx@?y}GG7CWvBorP;yMJ@v+umCkFNipe7N&EOPnx%?@&zmEcP=ek;b=%d zkisEZ=bcve&WmjrmiQq@CGNSRI$tl%qU@to6;)Rkj80OJV)#l^V8YsKTTNk){e(7>TouAmLhdB&V{Q6fDxQfnoVtC>EE7>f7X_$>(%2GOdGQJUcc*^0nH z=%E50F`Ck=5`At_p3)@#o1Y-h1S_{SWsDn}@z@}oiAbk=M*0R+J$ z?BL=2G@4b583Nshu7l|4{_`#7kfh;WbP0j|yS}HWbEhK7ztV&FAcT8SJnSJ3#H-Lq 
zA(gRbMC8+_^hwvMpG5t2l`SPoRuNBJ!j7qhv=jvMLvyPM`*pIRcwp_Rqi{l(+u5~o z{e^y>kbBYu3`zb*s%!7JcZMVPe5p?J&G?$5!^#{M=ZuzhGM&j{7f%tUDJ8QEIr*Xe|M)NKDX_oK49@UlQO@iGyeM$;MAS?VbqgQ z)C<95!D|W_@efpA_@zlz?K0l=7lMigHT~6s2vLJ1ev~jOpCBxcra}cjI#i@P^Bd2C z4Wpa3t$bE%|AS;+JW(TL1Ow6PZ;HS%m0I=s~W zDC+U~YKxggJEpEdySsNkf#@3cS6gBEhZb313;&66ei2 z29is9Gngh+$`_EpnVn$i#{@2{CIkKQ!^t}iXT*;z`t^mD1)EiGH2G=#$dMy;qWb@6 z3yl{q1-wQsjzl~Zk3o-?6)Yt=^oBF?`4Ns0Eag()0)x~?!WxfK0@XF1CBx{CM*?Fn zIPOR{ed*?%-fYEN-WL!{b!dr=+UIq}$cV#{DcBSISQ^U(k>m^)^{vm`b@2wu92ot$ zIM?n6s21sV50Q|S^P<&Qcy&O zA=#r=-NKk=w-)|Q5$&|Yqy~S>_bz5KJ%0KT6D+F?yDdXeo)U)hf_?w_$0(7Ykwgi4 zK=PVdewD?0t+g^_>~a?BLi;)n$~P1X^x0}kuZ*+UeTOP*y;Ua_0eN#qqM*yJpiQr9t_-XH0|{*5?0PpG=vWnS864_rHSVK_ydBH_Nm1EQR2 zjaJgLw{4nGR2!trRU4gsAg?BNvVM0m1-P1APr+@yxYoZc-d!1h5dZVOu3Eu(1F~jH zZr#;ff%plb2MK-=PjlLuYU0P z{HVlnO8nie#`^$mZXL(2AD#9ACa{ z9;DhB&*5&}w(ShUKqy`KcRz&K?e?_zQuvnad6b7xcWT*!_prBEqMbdT;#r0I&g%Z! zH#vyDdfA_M7jnFrWs3jxf7!}yj3>jU>uFR-;1E>X2Mc;BSf_h7(%CP9cX?U8^y{f| z^0}Opr9WbS3a~6Bj&b*#d^j?SX1~iXea~q}p&s{g8&!k?-KUV_xEy>SYI!fdl)Rl= zQ-jI7tfH~4TJJt#TXj|g{MGLJn27cVmdAhP`Ds{LG!l$lISD$t7@En};(W$IZ zcE0=FZRt?g2|jz4%!*w^T3ydLtJZ+lae1{CH1?$So0b%(wHjAD1%bEsm7hAWG*;V{ zx}H~4PupFS-KJf6PLHXUWf_y6_b-Z10H+Ym$MZW;?t?D;_s04Y#fGbm+mAk)GV90& z;OkltIlvuw%zKgOx#U^sde2d-pthg2P1o^WEh+Mq(z$wuPYasYMBs_u{`i0Tyv-*f zdjaU>VrBUR)axiBIt{!!0uAIVWPPst1*-A&e4WrA&>%Tb6zKB-G@+XhH$B}uSlQ$I z0bpn%_yAbt#f}g&Q?f~S?WSRPI^=U=QWy)sXc#9a&6%mPp*9f8cZ$M77-Z@> zb*<%))Pd_TI|`zo@~LSE6`!hom%~nT;x3iO2yFj?Iann47)g7XEYLa71lbtDz6X*U zcdV9E(!}F2d$k}W2Y6M_W|*+MBmGs>m@g-9L{5fF=Ux#Vm1n<9>a5iI7wMgyBi9+Z zlw{wvFj*(2Fgc5p^Y|>`j*Ome#tX(gOhPEb-Zz<~jZbd2UPzOSlk5PWaGNGWK7Z%9 z4{h4#Q4HG`$(C1od2g%Tq=L!J$MYk!KG|s^n|tE50NgUFRlgar*>O-|ZE{sQgU3f{*5-5Q(aBD=GW!z^xa3>5)IiWqWsXjId z2?;&B`p1OJv%eDMK?xlV#S;nFZo|sTevlkpIUiKZ@Nd_HYomw@BBJA4QW8b15w~tD z2}s_XrpkD{mMU|JRnZFyN>v_`ee7~rW!#ErC11!A)(T-E0WfczC#easLdD|6F=iO3 zNxD zn*3KIJULhr7Q={^2Zj$F=mY03;^M{4c~uw0#nJrs*iZA@(rsGRF{J`Jjqf!$px$+} zK> 
z#9KBBGBr$;EfKLAqFZDPlS;%etci_>=EzHD&u@_8u!8ZOuWdA{*fm;*NZLWRCe=ML zSx0A(nwMWpW_C;kf1CWiN(ztWS}RX9k;Yqz4Q;AfKqdV{Kny&|ez-+hVPPh-%Is8% z6)-YrT}E6uUm70Ng#)$L6wl*75x_R9q{Mk&Y^Sv-ytI*u0MNe|0I&ko z%y$QLD0-AT#}3oL3y!l=fNWS5NH2LKooMv^MuY}{H^EL;w23^0l!2;a z^zcO%ui(92W#B&A@U53(x_Ce z*4JLlVcs>L5Yq5om0&9+@ME)woh&XeXrC4GHEI()D#N5kawyp@AFNZ73Nuoqs*{;H zNx>F0T7mhfwm`6BM=iMuqE~Uqm5B9wINg-e%T+bk7mmG5mzc{GYx5m>0C!8JAyusY zx#pBz;vGNlr6z&YMzWwp4!1u~BC%Lu?Fqgt$yaW$7@xb{I4mrPRVIMSkv5TwbMvRt z1#(f!IF-Ius~A-R zs2l!`2qdoC@M*pM{WE~y?PsqZ&il`Is8`xse4Jhww@oPtq3Rv}Q61*)Kj*-g<3 zu8qd!n;TfuZ`2u3bnYL?p0v%w)lfLaG@hlv%?D52oI9Z1Fr8(aTM4+wnL`?iZPrsm z$TTla#y23h7vzdHKtF-nbQNFM;atAKmHTw$J|@~*KP+SjHmmj_Pc!qSKP!md{*)2W z^I1(yr|uJin4H6H53jEEFt2NnGEoew-I7#&@@YGlgc=PyUvJq|>w%E%Z2rVr*768f z+BU43xAna8-@kJA`CyXaJo-Bn)a~;N)Ti-wi^%K#qiN%Ut~%#qHea>!{*tER(_ow{ z;osI<1RL+#?&@)imrK*|1}?fU$m+c>AVvqh(rb0M=?(}y;;A|3JucdJsoa0Tz3SPx zx%$ia5@MqfR;G1(oRU+z*>c~Wf*(hOuz5DM*gChjmn~`iJoZo3beVIvUDH7myJyYy z?Q9VC<0WDAq@7DP8vWCKe6M&=vwI>%iv{)Ty#=Wb<(Ea2CgN2@bXJRyzE zYk-6ed_=U7RPLkexHkmA-q-cEr{yrOO_%oWQlq%+eSV^wLdPMYaX7JvRiSmI)nHw% zvtiuoDE+9=(cw$Mk-x!`5}RY4=G%uKk4FpVYyHQ_;N5+^&42K0B_;0K7xKff}Ac zHHUy->91dHAd@{%i@t6MD3p?NA1H2r+c6IOn=c@JCk>0#u<%@Qmjf&XJ$fGiuJ5-9 z39Dto8Jcq6k1NP)=ie908^sq&Ia<~6q{*`I5JtSqkr3B@BZoU)w3mJ%CGh-N7lQ!jvq8*l!_c7~!kg7g3yw^UTZ=YUQRhMS+L=Z0Mns zbjNTREY!VSKS$5bzw@~8{UWns=?zypfu00Dn1z5roF$QnpU?gW*(=WG#T=EkWdqJG z6FhniCUaJ!=k-Dt^{NgASp{+=0do4)UV%OJw#AQvPU*(l_W>#mLRrLh@x`AV9FoH% z^k*55Mtb@bWhQ?R;_g;zPskgbi5B=brsDf-qfUUgB;%+YL6wy0QtQk=W zWC_6*FX9Z!hkERPB^UUx*#9iK#8>ZQnU~bG^r6ZNQ|DTye9M$^8;v_#tBZj&Ky1`x zP8Z=a1Vh2Zf~$|u7Tw@Jr&lZ1I2AW(Q+H%G-bjUW%B+MG*2}!b7O2*GWMRmVpe|$x zH4H9L?{g3_iLE-6>k{BcD=4RCSCg?Mg&%T9QFT(v8--K?lK|hY6hI?NE0L56lQO7O z{u7K$QtTlli5snmW}Jy``4EjPwXc|kS$K}cOFPORVr2!*<6Dq_5e*5DnSlCY4P zvce5x+@-RFerm87k|7;NAaP-!bX%J{P)}JrN#kj8fVNueS@0> z(8lV8Ib|T{H5a|w5%_~Rhl*wf^b*aSj2e60Ay6zuA6VDK$*EAN`S{in#_#14{SuQ( zF~E_(7a@cP9ZJA|)iz-YZIWfebgKqg`NYgKyzJK&NPh+i^{HZ&PG1p%!{A|>d@Yh{ 
zih4^~($%DEWC+X|*H0HM%0iv%h@$Kxv7(h01EKC~5s*>pPSV66CWqly;er@5ew^`q z#eAal>mx^S5!Y<=dQFYyOQrtwkIXc8T31INZ<3y@7X@D(E0knk6r_@%MwjcDP5Y)c zQy&`HJ1iG|%FwuOqeO;FajL;Hd|wHZDG50;a9=*^L~`&m7=OL+j2l)RGzbjzi#_#Oea{&?eh-;aFmQcs{|o{NxtsEW#J@hg#QzkZNa#6_PqeB^ zkuW`oSh7#GpbbL>3z5^BwCa}wWMU%~^uT$2i;-%RMA#e2mITQ~4b9f6ce>(^TkeSI z&`d47)Ko`Ad{^IlrpBl-WnEC2p8%tMK8o^4)6W>QyDGe zhLcn%lR_phGcyE%1!wumC!X^%MLBY=NG;u%gbVzvT#1-BWZ$fk`_Spbb=HtuEE5e1 zzj}%g>%u)d^*c2OL#cf)%rhM*Jb}2;GaGTkz-zV3`OZeZd}oDv+`|5paNm2#Kpgjr0K`wJ&YOl?rcLbSj21(~s1h0L zt&NX;NC-@g6E!zny*z7G-S@wJRi@L(&FhPrH&NrZn=g@|*6WyF@2Kr3m9@T3Yh35e z3tlpmBT89bFNeoZC_K%FfX{#%$$w~UtV{OO-W2vThn}`B$G89H0d1x&LBQ+3$>e(z zkH9aB_`FXoN7Ck_A)uryr|0ou9q2J({wio{+aC0I{wR9XB4%56lv!{wbt~Go-_czD z!LNH-_~l%_XzM`qc3zrZ23Q0H#qf9>S|W13UmgRZt~ig5r-taZ)`QVGUc;+w+D+Ns zCm&ojif^aL0IbIsjGq0ttTvkqt)KuNPEkO^5Pr(gsX8`ok0mqbQzDAbfcNz~%v-k) zh?q{dIUjKr_AjuR_uW*~53vjOp@r+8-`%S#Gq2a@C{N7>o9n~qSO_-#I3F7TdeY~y z+jUCkmSA%P_xfEVhEC=Kv&Urmh+!FXT=i+iAg(2!CS~;lhx=v=Y?E~4vY-#u;`c^Fj8fNoU?uKR5F6L)yD3%7UEEPTzse;9Q02ptasBVG3BF1kKN88$gB zc81$D)oZOGggKDVHD7}G^ z2(tUy>H5{rfsaSj_;Zia8P^52B8eJ$Rt7< z3t%ET=@2Lsp-UK%1<;`ZE0MiY;#Y ziOG`Yr4kHXBgFhGyamh{4jtNk&*Ix^+R?#tY7kf39C(}qjV9k=U+UzqV#9&b;I;6L zxkR&AYjVbVK|_db3Hk3Da~X9+t%3v>EqvWIO*~>Z@K~3(^V?HOc^+ZVuwep0gXG*7 zk&b77Yf^5+T^9m{m@kyQOSa;$MufoNwiUm6=6U32%n(o++CFj&GyIac*Mj!3n8)np zgU%7W=_Ape_bdO@0uiYfkt$b+F~-$?tEn#dLt(Cxne{(#S~Yg`6KMs+C#E+Dl2_Yx zD#oXx66e*WRfL>|CE%lYfDL$ztQ0u*n`4TF2@;GD8qwmPVGTPGE>t#Fxdi98LnbGM z8fi++p{-e?9ahR+3JGRWJ4ZB*&2k8goN7eYsq3{nE!3w;#8@stHF-o}H}kn<$~O0< z%k5GJt1{Tj!d&ag5i9C%>HF7yVg4dyH55Wl0)3~94`5J@DdZ@UtTvW7@bSiLbIsd= zV**Ec@q}GmVhz@fn8J&4Q=)1E;fsGM^?7WR!jmw4&v%V7DNE+p;34-dQeiO2w4DPb zd_+KIzOWIh_~nW}NRqIEy27KkH9s2&h9`AjWF5ahBhtbDaQl{)q=P2LGUQD0i&2<) z5F;Y&7uE3}3)E+~pDfVEf1vEr>KU=(Efb6UC5KsL{XN}W+7+2_vi}70;T3AIlo+yF zrWq(+acIFVtW)w|9Fz7ZX$1cYmG5CMj&}eXZ*B7^i<6y!n1&IxuP;~cb%M~@vL)6F zn4DwH`Au{vhYr0!u3-*j5x=McJHixXwJO=j zlyo}jdyy#l`txwEIcWq_DM*G@12=#3n5aNZ-Ue-q|AGRKxK(yRPdFglkk9f3&ax>a 
z9J_;T!i1$#9~C+3v?+kV(tuxj_t3;KSFBOp^%l~w*U(7L*h0A3k0O@(d%@#9Dcn3l zF>KBgNbCpvm+!mx>)9e86$SbZ8g0$IU0&tYHEu+_Hs%3LW)3R<;3wG}TL@ELGRKzZ zu_0L%Ntckq%)Yh9UutEPGYR!TxhIiL5v8A1nv}DIHVn8#L1QpWxz3NnL`~?;O(~hw zFJnk+wb+#X9kelmk=q{g9irPdRlbAoPGm_bN@df059h}s^`gEj1*(Ucc-;pD;WDfl zD}PbNzJW0XXKfWU1s>+?h26j`ITFKLjiz{aB)RB2cA=oZbj1+V+tma&5Z2Wx-NaM5fco#zh2h&8$rF z=-jU_0{8Q?X#XE=m;NQ}Ize!a%ya0I|9YWAg{sFJ_Er3Q zPgVj9JLh!VBnM-4>SJmTh-!pNB97p7XYiCg0}S&esby>`g84_7Mt~TjmulYKyknQ3 z8Vb@$kVO~^7;bo_#kQSM@KZic*f`kQB6M41T2Lg!YWV45c^8=pr8%Tft&W;}(!xrA z1u{KmZFwfL1xZRs82ItfuqFd3r<$G2ZPx zGW>!>k<)zCk7ki(?V*V!PA|VNGjoz8GG%h`9|T4V^E}l)E`9huie4i!VI!lRC3~^mX#Q&; zCgW-!pXv|v&>*8&WfoG=cK=a?G!YRK?@WY^aF%;X9kX`njc>zsRIG10F~$K%*qSu0 z`x@35 zx&(o36(|js+b+yZC$VZE;M6LWA8(mqfhIpJLt!Dds-l>`+hE0ug?7rQBydN=u4r2} z7?`2@tLSLv??8N?4}hiEJ{27cqKG^pKqu;xjAh{99c!=losF=0YcKCo3jW6N6Xm~F zwVNN;IRYW^u@VMGCQN@p!&}~bJTls_{RqFyPXe(B@=`G6nn>npB$JKRzfjppRO8Aj zO-7RFfiPg;0_68FU9QNSza@g@P&{e`ul#0Uj8j2b*Efe`f4krgh_APwDi2xyS?l1b zuZg~KZ@m>#8#i+j>Cc&PYR^m~yk&+IVTCzu{rSqb9_kWb2z`c2(nr;{iLp#*Egub* zDj1DN+(Z5)AXWaYDZ%XLG~9_!>^T&vt&r1fs^my(A*|QrqbC{Zv7y$KI6Oxfvi6uY zYdg}~(U=5csI@xQHAnu6gv0|@V2Py$-~d%IKSYFMySnfv%CH#%bOcdQG%w4OOe*ra z49Tp4qypw|Fo)K3*0VAlN4d|+Pjb?k&y<&#yEM=rqini+e9ljQZ{N?1B^$n!oI(;I zgFOec3ggX+LP_IN1w>CUl|`jk_;rX#g^o=R05vSG(sauomaLKhUXeNIgGm-$>; zy2zSdQ88E6hMq-pk&_rSBdX;}fk+rd(T)NMqGk{QM9GUlpi={k^u$sf9(y?lEkX1f zX_E>ymNohB4l%~#K}anBi>(#PQ}Jvn%gSVv_Dz2JYNE=+=1vB+i36h_3uzWC6<`bW z6>;8y)^-I(KW(V{f7ob>+ijH67ic&qmL-kt8?`Zf3GCX8_~??t6f9FSUCHYVLz%qa z8@o}8gW;{A(W1)4R@2hOk;T|AxaX&s{=4w-VvB|U?T+{q$kNap#+piYxqi-#$%bOoj5EWHj zS39SWHwTnc91X|Zpt+xjQPZslg}74y*|HkI-BFSbc9-XgCzQ6^koarogD&@VpLcer zX-^t}^Qa$UZLVV5`IvZIN2s#xGY=}HW*?*L4vx`uy5h3K{G#742PWD<#~BHY!D%(saMx^>Em;^SC8K|^ld3AhekELky-v3{HDpxT^>6eKMq!N8 zVFK*>mP8R)zpt?7QB(r;zo_uLQN^ z?dGSGe$Ov}*;$2EC%(_PFn(-IkJIyS2-gA(7xm-WoE$1tmu;T4%awwu4A(tDMDKuq zp!sJ|&STE>1&HZk^7PBZ7Fn|oC?E@$>OSZ{-PQ*2hg-05JU|Djh4j>ePd$5W(rCl+mfCsC$$$kU*q-wcZg5fqJ)EM*d>Ph9f%^~qv6v|outQX5>^txcX} 
zG4Cis<=hV*2>TV)=)U@kMNQ6bWpZ z9RY)HlyI`GQF;rBXSj6((eJyds=-x^;Yw==7v)k(1mji-VEOi2`nQwx&Epac)g-9X z0=N~*aBBPm>ToI%YFe>f>BsKIgSaP~t!h>$So}>~yc=V58-?ChKqkK=oy~o$!{1P+!Hq`6va#N8tq6e&vt(-yQ-@ zFiRpzICburGOmv4X-SSM%w~;}E2+OmZFb38uQ5f+Vr6Y(_l0rFkq64#anQ~3-JaHXCSOScKPu>FXBo;U-@wuZ&m=N z5w?~f!x)@K?!CurMkNgydhiO;n=IiH9nz|shxH8;$gdmt1<9D71U=;J<)4ERYW7he z@7u9dAU!z5%ZFhC3_~4wzN^cP+6V-mF3v02?;REJvs_V2%(^y=6_Sw^Uk=~bZHC@A z!_AUmjr#I3+sznB^penL{9ztgft+wTu^PKNW-ozyRhoto(q*W(X%~&E;?x==gUy^o zeUs9WG50-=rMN(#P7LjhGHSkfBtxOHY^y50l$B-%n<%s>fXjBNbU+-vD^L7~NZO`D zm5v<5V1Xo-=#Xe##$GW_+QBKe);*bs!;r9;RKHw}x@*G_P5oz~??r{xti_XMjM~WF zdhQS0nI7u*3l|m$zf!I~w?+t)3^x|Bbt`Gbvq}BU#B?*(qT(|FT39RrHi3+Q=)^-D zD*+`b#z~v%M2uOAhx>J;d0oJe3;K zJlXfJiAe2QaN@7C$|%+y zoN@#KE-*B|`Wz%Kd5LPGU&<0#1=;jz?OhZwQqxV=DOkhZUk*p{H1NWNi&bF(JVFy= zwLb|$_*0KVzB*@#0UHBo3OjBC1{N-BKE)TN|6M%Z=lK+bZn;hY|GAFGzOG|#4js@X zs1x)HI#O`74CVXB&(DN+43M}F)O!fuP1#+#nEuN0eNF>!Tn_M@!7^nYVcX*nk$25u z%G`BPCIiACiW&;4=5B8r&*vpf*X)O9FX2c-7+SW5^^!V}=k=h+26U5!h}*hR#OY&a z-lghMlGXmS6r|j_$775CGzzw7+syG+(j!6hxJIdo^Q!W2=nQ1JN>e_E0-ZmI9leig2k}-aK6}Z=Z68{WdDkd3EC&VqKcH*@twzV20QHbV6*tff zwko?BVE^#xY5j5PsdCul-CD$M8FAbBQqv-2^>F>NvDxhw>1owcmHnw!TgK-s48^p< z)T*QK`O{_AFDM76eQzB82+Rcc_)@*6=h5A9@@2W^dgjW34X1ASV8t85*Q*T7BQq$y1k8>5{1qUon6ee*u4EVsj= zamc;NRsCQZVrTt@zpAB%9g{=knO!c{P?qb{dm?Ba8Mq9(}lz96rik-8! 
z-Qs*%clX5G+vz$f|1y>%QbOhmIGtU$;rm|AqL4pDu4 zU5`2oU(wz8;*B|vv}I&_@7c0-p6on`OxG`0e*TS-)a34r?vc2hcu8VYC0G8kuZ`n9 zJtjc)k=JxQ=;MDl#5_tcJ1h=LD%`Wsz2WabT{f*A9-lkKK5Qh1&}B`{%5qnNjW(j5)@>tY@My7hH8C#8(l>e-3MCHHuI$lky{fy%r<@1|6z%K!A` zjmdY0m8`(DVUe#tYP6^h7Zt9qeif@vGNKQ5^l!DFA!kx&rrz4Wx^jZNp#0S zAT_Nvrb(d-bkbi77u4+A(Ya8Em7(M#=Of4+@x;ms4E&-ymGVH=^utig;+5*x+Wa%W zJ23y8JCjHN69O)Jwq)N(K&X}TI~kTjP|&x$yqY!mWhylRYCm}KDhg8SoAk3=D9bsa z?s>75(5MO}px_xs{U_vy!Dw@5g*xUC3f1Mq#>2U5X@ zNI}A_0&!F1RX^6QkWA`Qob|nM1Pfr6$SjFvFA6mo5N491}eFBs*K+Ig*=o?14$|FZ!cK zlwW!j#iZtE@YDj**pXZf*1S(Xn!LdG%cu(}>I_n6bO%LuQvtYo!&*4O%hGJHz-+8> z<-*;=GoDcDCUZr?LE4zOep+cc=5youht$4c6Snz80|T|Pdnz9er^&j3fgjlrV`cRb zY~uk+gEbH=NkWypbmKplsTxDUP5gh+72XxjARi(h&&mtdJl=^**dnJ7V2FIc@KFXO zZtUwzO~P3UbpJ%dVXZ-YgCmnk_ZR3hQ8`A&ofUVP_ui7T5b&fDTh=%{8=xi0z@&E> zjdes#p@@dBk=4NBkGgACBD?mjCiDw!@#2&>!&uiQr1#btGg-g*(lB^6K3;=idlrkmVGr(e*bl^h{s2LyUx(0r?8!n=}4OJK%94&WJ zLv3$7Db&6}ZW=QD`*&0KN}7_h0{_eCJsEw4vcvvZO4Q&^^I*7*$)%x$UuA9H)RE+) z45|sZ%}V13soW~x)gqW?yVVTOPQ%X77J1QxqZe$OVq4WCBWcqsnA@G)8O;Va6>`y_ ztE#}Yv?>DxEcEVJ_#)pl$dHq&Y2aWL**G*HE;9A_*-SmHAE#VjHf0$$+?z9&65Ed5knyfh`WW2nqtCRHX|}AB z%iBBr%K*GOy)9zkTdxBK$(Hu*ck3e%9 zA2E1E_&P_I+heu3`-ZmT(Qdry`F9JT>F#@*I~4cfw07-w_Dq*3Sq=O4H@50?FPs@K z`%R4Kp4XZRgX!)IEa2ANV@?+lz)$p~SZ7D*5H7W^T=L>V6LD(zARVG_ATx zgQux>`z3Ek)>Fr75ASCwn2namr5uYU$Qd|q{q)e{d6juGp?#d?@&WdATA~Y__%1n3 zbME!G_{RAT(7D&Sm`#(_@f32rI!=3scQ-m#WAOU@-tX)@<>YyK%h?mB6Rh_<56@eG z)N^9&smgv4Eu^Y`js=ApfSu`hMkl-HqQ2R6^csT>f?WRMUw{DTfa|Y`M5lL<%Fyyn zju4F@<!JE2EKNWQoKW)!Qc6Wo} z-l(`wFcb9g2&_>iqp%;s{)j7z@8%MD768Tpf(oEP3?B-TH6Q{#~utus)Mm1+--!tzMfdrC?+W%$~n|z zc(9llSD8o^X2rAMgkKohDf65IOsyx%?ESi;DG`!%ePCgIWYB^YbVcjM%(!WW{Ji)h zw)IykH5pgvuwoOOHlBxzVp4s85}ue!l}C*DqQ|BKz5{)iKbg@4F18D5-0Ov{W#Q zBKvKxfZ!-5YAKq=`Q>0DVx1G!>sylNgGGyt7cm^UYV%7T=MM`0!U}8;02yJI;fB+I zKkEvWNBMOH&OseZa6K)b4HWZ}fOk{*N6;?#s5NttPXpdJ_x=GdVBk}!jp!6MbGZ>@ zcb2$Q#i-m_1jUcy2rnA0UZz_%_OhCDGe5vMwd9^%Dv&e@E$GlwlB+m#|QhCHTYY zE3r9J7|IM)v|_fK=lkwTyF8kEsq8zVl1El33VXhkRYR8s1U?^m(%(8 
zL{|j__McRk>8LLyn)TD`V;Z>pl_;iqJemsm1ub^Xo~fwE6ImdWNtN@24$@~qrcvsn z*e(r6Ne~+LQrgWe^JOf5^CRH5Kst~gjLGXA@U=IWGZT4W9gF9QJYgMz5VIy$j3bM2 z<{wH+ZM$b*o-v|?KhQF^$xT@UxGAl;(oOQcyXEpQKH4?Ua`vv?Su#FKG)D^)|` zLrZcLnjQE>6DH0}U~*TQ4{ak}#Zr(mT_pDaIf50*Mx;Nx~|2$W_3$Yn!WLO7P+kL z-HJM0B|5IxI27Q`%+26-^$o$@@>8&_;)#2Nz4&@*ewTJyr+d?TH6o^ip6Pg!bV_SK z;U&O(YQ>GbM{Z)03L)9sd320ydQ#o84H5r>*ZrSJOtvp?JEFsJ^uKUZYj?!!**Qe7 zxvtCJh-5|`H|LwdD15#cU7x=Bx0>c@NJp2zt&iT`4@cfLO&^2d6t?w4Rlu(xb<@ag zsp_8f5A07H9?vF2T5Oz`3|JG|C;)J9zhY|TBXNCM4IBicqgLm60?`cIc1jn%VQQCOhS6ecVxgxjS9`aXCEnf7tq_=t#hB%Z}4=haIP5 zTOCzw+qP|VoOEp4w%xH+v2B|*nfYhkduOeAIjiceo@#$*pA8wUM1rq6mA8H)j?U{9 z-fU0aRYS}-a<@~oo{pEpm6XT8N0YPEt4PAtJMgEb(D>V~X}Ud2SPxb{ID$lDAuG!GH->My^6} zjQst|+J@?u#_;^@v)nRkIIGM8fl7Tp50-=Xs!*;MQ63ja-0v+7E4j+>r~@O8oGL0* zV-5z50aq8+kyV{$`R2p3fmXlN)>kQ6h407a6>W=ShL^Tx^VfeNmDO- zKh$9M)T>powB(&h&GKPeTPMySg+fWj?EHGNHPxb63cuZd4m+{gFG4|FE{4i_%9hkkIw!Z`|oR3 z4}?aF<~W3*1D;jtH_4<5_e1`jhy;aUi0`vcA+qx-uX)C=jBD6$ztE690z`Hu3geK_ zCn31dVir|dOP(EHYeL$GvrZWF z3V~41G>s{wPh$~H0$-L>sW(-j!F00i4n#IGOZ+aj1;$Z|ESXn-IE)r3i& zCR#rjH_ijKKoNqYQV9}ac$^K2E5s|ulOIV5yV#1H_){a z1@p+?h!9x*MydR`*#U=AWJf_nWrVmA+!fOpC~Q0VWT=Rgc1|@Gk>=U*u`b;hn}?yK zkaF1OLM-uK+0jfHl{C|8I>$Q6vCLf&E=a?q=0zGt4GjSjj+pz=p#f3qw!d&t#0fV7 zO%pIPxZD(zy$KocNK7_}PJ<$XYt)k=cLoxVb=Cd&#U|dv{M*J0aQBD8J z9_aUFER(`Wd-~7Ku#za89#=}t1oH8gE$=Vmo3@3oqq901x7;2`FC0N48M1n3HU!_~Q2H$1=Am2m%`gb%Qd%CB7*t7-1kt-l`*Zna))pa;Kup zI7%b3dj%alkk;`g!v(1QkjRd3q+1A$Z(9|&P#q_$zyaSj*XI8!6K~LrB5{r)Igmh- zl-`h!#8H5RvE`sB5?u^p`uQtX@mYU{zWn!QjdBP?$NJ14SUEJ`U$#x#&=7JPUvG{~ zRHpPDVnN$pO@Mh*xB&;AXF2b6eNo;T<%k7?tQonDHv;<@e*-nUfM;P;mhDFKX;yya zm-qa9xdeh9F9{{4cCda+F|&>brLNP^MUk2E9u@V3(S@M^0x_Q+wa6FDtixuD&4rFe z!_XlpU*s>|vSU6kHu=2sw|07~Xp2t8>V;pey3)l)#)dK|KYzN0Vh39zQey*x4H})A6gmmCF?%t$IKR^4scxZ{sPn6>lw1?bzS-06E=o0!i(rE3h8UI+=C`H$Nrj8m}6+ z@%Q1ThU&Gc4YM?tP0dsBhx`lnR`2lf1r}9L_k$-r_q`@=Chi>H=cJAM2h5z7scQ#8 zp1a61*%!8^&-NZo19q3E1!P^n)o>0T1@)KNVFF+wasiH;-Tm?)p^fk0cCihz_fuwt@Al@)sf}8V&lSy5&imO`SI-1rL|6Tz(x+&@ 
zlkZChTF903)P@1>;lu1Taz_#U%2Rp@!2R~NA(_W_lEUt}x98(9W4oo9@6$CUHN(B$ z$JPB3v1&3x?9ys_#Xbelr3)HZu5X%{=jdwQ5@29xx*Rqu$w+9B0%&@qiChytnV+<# zdx9Qt6~!dwRCKK;w<_AUhNidf?`j+1?04lXTQZqOEm)enve#V>Be|b84P&rdGTVoD zDXhObJ>Il$r*zfyv{x_HICR}N&RVAVe1p~Y2Lcc;Pxr&vhAV8nJH7f2ldy|+=^lC- zZ9U@N&Ipe_Lf-EBard@ZHxL4SXS2nM+(2qe}EW#&s?5YAKdl)|}lg3;SQcpm|{7 zh`{N57vS}vZNs?7=)KgxxEQ=<+RYP6>-(P*Fa9}5RC*X>XXK3!qFQO&OtF!@!G9!- zs}{=VQXgU0>-rRX|M%gi`So9jElt*Wt6V=W^SAtKyPelbd?n=0jO>Kd-pznYxMD}Z ziH$O*lb-(-SoottNI4cfhaPLF&2~^B1Kd#Tv~(}&Hc2vRqF1&}%p{OFUmh6L$IMnn z4?cOXJ~?Yyb81>zzd{TrC{`(shcDNiBR%CzJt!z&46W0X5%bVYt4O;S!Fcc_ zjy}U5!M?7by$?4U&M4lz)0iOH>zN*Gg|Nf;P|0lSB+qxMs*HmkJ95i2R!-3ihMNda z2LEl8*qkJK1;x9;lGPb^%y}NNbn(riNjtb6btu0djw z5kHwLKRO)t7Hh?BZL+XW`7g-D!pQpqX{uTB9fcOHu|;lMnZx!AUlbKMVw)7lEZKU4 zMh7Bm)U7WvzC>(6ahN4Felgq)Av6_;&h&YiUdOwyr`O`juFYON`7bltt(tMuaK98Ph_`~a@8QM zh)-l(H3DPuR{$W_DQ3-ZHJMUn)yx{pG6@b|G%M}xhb6yR6zIs`+G2~qA_T)P*C z`A&{Gl8k!#O%vrc>#>#OCs~&*wBmH*t-|(u##>LEp?_@F$;04P1BiCa`Ofb{OuO*I z&+$`SVGTBi2Ar!OYYs)=pXg@aZ|Q5^5UFDeD@ZhYzS5D4?l9Rg4PJ|0@@%5c%*d~Z z8G039`Jd4!+HZCE^HIz`B6GN1oY;mUqvF_T3VZS;R3th}Mr30O`3Qo;KjRQHH{f66$(m3B*6Gvni6O(;kyMwa1eCjtGH0TveR4WE>b}*dVH) zNC|U79^f3DEc5Mn`A2zz^x)*<>!5)&GHrlOYvjD$Fm`gHQdwjl(LeQ*p?(zNvEL3O za^@;>aX7(8d#YH+{k1E2KOV-!L0{ zqEcayXi6t!wueZvArsv9{eT)!$?1Kz-YdbbEp-S&5y`u^_! 
zB#XajV-OUC#E-J8LJ(=m5~w@s#shRx;!o29@tH8-aDRml><$1Ge#xr>(MZF|4Pal| z-#~b`eRD0FPM=*Zc;0=JH24nvMpw*!y7)XMi1L0~yhpU}ABc+}{oto*t-Vu@=<`cj zygJm!*(|qdz8m7FOfA_o#A?^kcPo0$y;U0}r{wqN83?u3JCcVBBTNvT zF4v>*(}+p3IZqGJe_(APv?ghD4DISbZuu_Uhu~;^XBNP$uV-#b=8=wWVY z-yeNYpzC@4^tS2M-v!{gjS2o>UtzDaX}x#o7P98AYLs|E=Gb&xcwIh$`EbR8#%P7Y za*naiyx`j9lIvWYGh^@?Hi8dnxQt-{vu&?(9wvUC)=V)0xH}~zTy?^1mNu+z=T+&c z@9h+fOK^5PcQ(cCW&85*z3rYhJ)I|deN<;nGw>{F9Zh37Z)(`@CWW5cAJIr%km-zN zT3C>{OsZUFHN9kv=BzL93EB}HWg-zUl~?<1(82s^DQ16P2`uUIo-`n=`FJKfB5huF z*wd-zyxc7D1KcePUUkEdR?nt2ZAobT%{gxaRaW_SzgtygH@iF(@yb@83vBuB54}-V z@X*t5YJWUGG-hqKr4dek9G|QU82NDsRROMta0!c&x!=~Y4*lYJ-na3Q)RMX0wimY4 zLbb-Qs$JrLbNr11Zq{r#9yLk5un_uL`|KY!psiG}AHvz0JG!r^9yy9-y^IBDoDyDg zn%jZ63=TP3zxGeiR^O-H{0&G8TW|QQ&;*ju@9NYq-p_B~!Jaz&?eqb#i*@;xQ+!X@ zY7X4Xr_LQr)lvpw)BXja;|2z;P@{^QKP@l+@#0TAd8mUmXfUCkRnby0GABhSqW~7t zg3Xap$v2tWQTHGWmanQxK$rx=<&^nz%_g@NFT;>R8;siOAm3W&b3tN++SP@q2Ex#B z3$-Zvk60#QqP7&|o6m?72RGpx5AZ{9RjHK-)7tEf#1{ zjndK!rf{#pYP?s?T~-^eK#^7Is^6j@jchQ3wl@X~dtE(0=2jPGl-Hj0&;|SNhVvTU z8s1T&Sb+f3orGPA2smEa&37E`+MH2FR+(+Jtl9Ft^@F;MGs_^(?p|HDH>3b*!x5jY z>Lr*J3R)Ktv%NBuv`|&?mX3GZd(hu=Or78sZq)Ug#I&~%X!J(6cxNt9GT%rwKDzf< zU!S^NnX%Ehpw|svl;546X+oH;Wow@@2ad5`PdSp=uI0`}pVi-3BYN(klj27~v>9f3 z$caCj*&hc-;%fAcUj&GE*hw(F6x1f7oRI&1OOb_9N6@sP{|RenwQTZ+K!jYAHJf#2 zQz@0`^r%jnrxbc?8JRd;&!CFn5?l>7fIsrKo7R3>yRw$5NV#_sS{oFuT}k)yyO89CIb zLKK=<$OTj?R9uIsV0;z}uS(Y>XKWMPYEH-1g`m+H#B6X*)bUZ}sYpQ_VmQhT{CXK! z;U?LL2ui}?@5tjC`pT9>h};JI_El*S^+Hi0yM-HSEQmzXFs@=HnmAfa=iV~X9`b=d zEUTikstdX7$7||hSNOf!qJJJh*)QWgB7hzIbu9-=x^qP;jjBaRcG7effIqcwR<|0? 
zHo!KZqLwa%K1k)&pfx%55tRE`#GEXt8ZY2Mj4;BSxp={joGN3QSz1DCi(v4sUO|dc zW>-S4^pwa(H-5WK8P%}SdnIZR1{snnm5y0nZaR7Bm|*;6E^ZZEsUPaZK@avb1GV^7 zf35SMcE1DUkep*AB7@6%x#NJI>rEp}6I`u^cc$LQR#R!)|fD7AHfhtp7< zpkNAXLD{+_aKLf%h-x@-re z0xydlIl2vt8k^Lusbn9%4cZsiv3}f6&%AGUr@6mNB1#}Z5wxFc>I32qM14y-K3tUm znzR;99Q;BNM)hG{$|*&X9oWb}mX{2^`u|YCry!4)Y0x>~_~-*Br1*d1DcEHC4J_+f zs1x8W$L1EG>kTRb904eNE4%|p9T0S%`59r?@N|)1M@zixhp^tJ{pdgfj0ggJ!vHVu zGX_Et1)lI<=8kuuAD*V5swVwV3e0!x*U{jV9{Y1#7zP&`lT9x%4vuczPY3Rg#_0s^ zNiEZrwrkfIp06`Cr{7Z6RZB9#!|7)w_HTm-trq)efO`=HyT)6S5kq#@@^Rgy;CZhR z!>7gjvklAArqNddE8jiEA-x;z4aqSuG`ss`eUMMx?C@*|m&5jbB)zBYeWiuibV-K2 z&H1tNO|DoLaE^Y`hsfSBz4q2_hSXuQ=ab!jo)8ER^Zt_Ng(c>h!_(z7#N{aam}!&4 z<HB%3b%~Z)JNU`*uO=F)ZDs3%bpMtmM$hmD z%S@Z&ef%v{88af=*P$6v8t~K7hx@w4vN^D9{ukrN7goO#V<|>+daM*Y zws|g=vA8~uKH^%lwB64B?pU}Sj50dx>bevi#E9wK_Hjx>E8io@*2wF6_t9}{szPLy;S@lh~NOZU8USi#@ z`SC)|-Ml4BvTwf3M@xwv>4a_~2=rNzzW&RxRbSe)-qPdkFQ;LZ%$K9xZtl34fj7tH zc``U3Lj30x4j^oNmq;P313JF()s8dMY`(6)j-d7E+F#ea^De~{E;wH0JheBT;rg{6 zzI6HBZp-m4TZO}`0$wjuraw-mFWaQ}j#p?>_&!featY}Sy!991)9~rBH{CK{lr3to zVu52lzYEy?rcHF$O$(%Q{JMQttxssQL4GkHklo9X-z6xd4|EDpQtJJ>?XnMn5|3pu z*$c7%g2-kO-Eopkj>k{^j<1aKwUp25N|S|tRTl(M^DB+&DCI)ukhzVeJR`F|z}4bZ zF)R5E1PyZXQqA28GiC*E^?%;*lA|`rF5B=ckjowcd{kW6Y*dx`DZl@^qk?sCUM)IX z7}24mkr_Y#PDXD$=Lgb=mdy}E!)PZXg_rrjH92XlzYhOKeF2M2Y0MjSJz_EsZ zGlrbS^Tg<8)GKa7r5vtS0=&C8K?`_PCJVnH>C$KoiJ5j#Uj*9pTb7A7I1mZ!oKu~d zXqt_Zvs3GmIZk^?J6gyCb*!N0*$NZ#TN{C!Q;vpjo=h%!XHjv)fh zNy{IM!w{N>^`aO9IcFb7P+_FK1jQZP$V#h`U|$jgZ5r5U&=7B@Z-eN9Q6P-;7lNL( zSG&IA5MG}Ox3_WuB7O&$L0&>dkv|b#YN4Ul@7d%}?RJcxuxd@AA?}a&!%T z1b*XXiAA(V=6?MGhZGV~!I`P2J1+l&p@LdrGKtu`G}{F7#%9gvIi)zrW+5DcND24& zVz5aTcgq=6#;~(!r7G_fTPIiL#DrX{C=ZgpR~MQEoD-xzuSLj8XiY+7PxMW+n14frD{lKcm#_6r3p8=Ewr5HxLDd1qS1q!;=t2hTs*KykANd~|XXJY}gz5G=(ntH*kxpCqf%z?5*YAgn07eFIw ztsyOgz+EBowG(CVQA%#O`J_LRkgmtS(q+ndsn~>_@SI+NeLM#hw+DeV#^ zb^-Y|Epnjwr=TTkykYrIbg9WdbYVzL-{f19Z10-Dl%yBMMJx6cXXJOnwWOlqIx$LC z$}FOXDGmg{F(H72NgWt=%kYNg(!%QH#So%t_jvG^t=mK-m|XqEGwgG;88Yx1^lBD` 
zS`xT2fwifWmcYWnXnEX=Cx`khHrVRKZ1SuxFW7$%0zC^_ZC()lB4~R)2lS~rbadv2 zM5SN`8b0%z3AXAb6)n_1{(2w&%JVA&{Q})R04RfE&EW#$YIHzO>y?NM0FTM6MeoL& zh6KQGo69^WWZmmSF+cam7z)}h5huqjLn^{)^A+rIg5O@7^>@IC=y&_U7IvY<-wC=F zSBD*h-JAt3YqxY}7bR1gXW{UdZHE)1k{lL0^kV0411DG+gwqp85gB-m=QuUl?vo@> z+SZcRJ`HDj;+0KiZO%Sj_hY|1Y~0>oukf8mRgWsY*JadP5-9k553ML{otK$dOf$wX zq!?b7kzfFANKKA4jT3et`!TVD$DGHikDauG%XYl>>uq4DQ%br^-@+20Ycr1FBPSS$Ea=jmEX-y(S+d^yM%x6^))uQ*%?sDpU ze_Gh{irOUu4-*Mkxj)C%)iOO0DFyxh*xX?#UkW_a>%6i%bz5g3#vK48CNgv~+z&moQh@+>Gntwah~IEE}BMJic|){%Fx|o7d{$M)q!R zTCQsu$6ar^wK{Gl;C7GTf2YNWu(3eI%NsZ z%1rT-+yrr09Ofi<=r=tbZZrdbl~l3&KBpc`_xSNb@q7g3)XZtV&?aj+%yZ;q)~(s5 zXg8}lKW0@41-IcwnpQKOg(G6F(Rx1Cwz24Xf7aX%VqNv%eGG&;9W`!U#4Xw0&RioI z=Nu7qpXG8~ZdwkqF|;4=UN%*{9Q9nUZ$*DDFlBt6d>~eP@h)jH-fik+cO10Kq-fD= zef(cNnKmfU+ZIF^min0Ub^OVC%^{e~ySUQ(h$(fA%V!FUU`6vAd?iFc>8=H7U3sa2 z&`Ju*VAx$~``U1 zRVUCE{cvGr1+3AHbwlXO`Xd-ht}ID1Vr~AZ(OCWv3M%FJ<>WwyKb69WjoP!K z;!_cL(9lhh=|CZ~84*X6)B4|}G%hqEV@p=LOgjs8mcicyNtO(C*bH2A6}R$2bus0B zs?IA)6{ibI+7Bdk=}xl>B%i>r=|Xy?y>pU%@0ww)NM(m?CqcAMr;^@3GbYDmDx)Dk zYsV`Wg(8%|s*&gy;ks z&Is~alJP`emh;u|xkTR(bvWY2ZnKdd zbjtV$Tv#UKOGgX@|Dp*R?9arFcBtDQoo?ZzLas;ipPZrisUUROTKBn`fIY5lLA}1j7=VtZMDAMY9 z7;oAnp#@U#zr5qsB+Me_mc-@1it>K^8z7B~#U~Hn&sQbtmt>q>4PiPS=RAK9Z&Stn z#Xos77hrp0jT^KKis^cbcFk z+f~%+UQku9PEF||+ahddW~j-Xpv7FpA#L;?neD((-^5}c#w_2JId%X{sj8>^q@-hd zY&tJ6zu~*yk8-_rVI;EO5)FaOqvp=3!uT=65s(KQ5aq`yM)DR^ zLfPog-a0Z-=qon;h|JF1QJ&gYixc4VtI#B)5EU{}PsBPf72Ed?SHTd`FYkO%l}%59$9V zlDTI@qkcM_F+OjtYco@qsB{F|YoqRY#{q*(xoh5xE7IJw_MD3|)LOHFGe#5n{uX&= zvkRJOL!^_`(#(QM(Q^x21MX$CWisM*EY-@B29YNgivpg;RV=QdKzaIToC5_vdGH|5 zn6S`pr3Y+QJt?9xW(h^2mFhXfq;D!E@EWPw(%-8B(r`~rn^#VqY4)s}OhqsJ6FB}f zBS!tewfJfk(6d2`lT9CsGF|jat8LG!XJw-hq8$y(luMk8G@)Fl47@Ftu$NTWtzbfM zE@!2eg)Aa&fhsfRjA!6HsbrvHUp-zc#FI5h#CDBnLqfj$uH_gk$a{vMN!7q`&?Wi} zb|E0=ws?|gwARClixSuoh-A>023PEHV{YEm88j~CQp5@H;Wq0t$BZ=nui@JYmH^qv z|0-wt_<7Y42D;C2y1=#7_$nU^oP?C!KIXV4G#9uh%p|gh6kyp}^s{Zdu!CpNs^)?2 
z{#d@0`gq^-@@4<+-s08rrS>`wTeJN*Favma@t&VQZ0gyZ^=!H4cOQ?xQjfTNq-K12 zj0eh2XSX~A#&qEkym0y5hf7^FPg5ap_Q1O1bPS_;(LK&)!{Bv)9*%!Zbz3EMe70^@ z?+s6Tb)RV8e@4k&@~ockYaLE_Kz+4Molyhc()2qUFgv!O_v@Z&e6P^lsyYwqcXgKD zEpW{$LiO_9)(*yj(e4j;%I1PbDP_M3&;CD zu;ogl$g9g)_kkm;D5d>ft^c4*(a?y(dgX!diQ|- zD8_6f^|-tbP?ivxF=r6w$xJ<1V z>1r8p+sCMPWCqD_Be7FIoK~Ekj)h80(#foj6txU?E0aW8HIU__{L~V&`dn*OvolK{L#< zHo-xx-xFZMNXXp}#4g(p`>PfU0oE8MFQKeD-m)towBPn4qK=FevI8O%oJj2~LxBI* zdYVuntfV#W7Z+vKnPw@53H^Yxt{RXPGBC(L&tUNwfjPL2*gZ;7Ic*VaRb`?K8PjYk zf@RoEwiHTo!8Uw_QiXbG(i=++gV>c^+C*{;k#nt)xok)IqMbnYfpM$^Z1Y>x%N?OD z`l&x-bx8?tMZcPc?o3=RzOhG+qZFc!EQ~-8R?07364Y3R7r28$}_Fxhz?RlySnzZ0?y!e-|(XQzcSMhAC+p*S@Jd zl{1;A|IWv9uq~K_JNeW5LaG8p?UaQwPCXdMv~Uw{*bJg;SAoNo=}-|QPJS@!PT@D2 ztDK3Ast zO-O-S0tS^sCJjkwVfd%II1e=v;^w*BioXq5kqCbLG;h0`^9gFxrWqot#vClPg;zmkRK8N9S4nK zQtR>j?!)jx66fR#}1;f zcIhiij*M&hL%sQ`)GiS6n4Kg7Ej^j()b|7s_pd;Y161-^1o}yQ~igrznuOe}Di!ozIL1JM1(r)9xz z4vkHEkmQ#JT5UJNE;*=^*1ERPF14F48c@?}#^~3>IwY}DG)DkaPx57v5|sNa4I+~f zgtU(%75J4ybRns6vQg)M^U|Cm*1;o+O-ih|@<3m<1g2dy0T1f;RA&aSQMWAb8wZAq z>Dma;ym1(LlU!mg2I(WsqbkbW=fTLT@r)zCyc`l-vvg!hw$17DC{~6A5Yo6q*(K_l zNp+&kJYdY?%!aGg5)b#RnKa64BfYLD^jF5b^HM6%Q8NVGif;OU|8f~h@S=|AX}Bqq z7PWMiR)GukXr^BKf>j`+4!f;;lf|7gS|XUy{15as?K}1p>m>zai2Y>Y2EB2If8lRv zjLvc1)s`R8PhopVp&7efz;(|Ha@)7(>4_ZDY=0C4Q1YjfuIZH28h-bFa?d)K-}!C@ zZ&yD>&Pt9>{absNlkdZX>GY9mtA3tZ_UAf}PtjU21&`Gb9X*Q!V7?g#D1n9l3QM+d%euxq|NGfsk^b`jK2LUF3`zt)h7*^u;Y{QFd1TV?J`=W=AZ5B+R9STswjc>@+#2l z{j{mZ^Eh#PBe)WG3E|ZbzK>};`)3!XlehlQ6p1i<+2~)*{|dTZkO-w zw$upXJG`uxe900n=Uu*CU1oIN9^JhBy*@p1It|S>yRsK6y2W{E5L#S2uXSSgx;Pfu z)O@+XMX|g*L!N=(0JW^@9rpP>J6$ew`skN6-*GR|xt$NLU3hrRt@|ZG&`({q0h#S` zT<%>LT68r&n_t%peA`~YhP443HzPED@O&S7G@MSxHdA9UIl!LX=5en@xfF3#MpcbR zhIiE^X}6@okND?gHdK=yv}yV5UsGiF7@KZO&&o0Y&!GFa!6m(;2Mo+^4~izY3qo!$ ze6Oou8213S<@0>6#m&o^GtBn$e=J9rwQpq=-Ovmm0>^pRqfD32C;-62W7pv6P$-)F zIXY&k$Ej?T3>18MvmWyV(E=p!+|O=P!}ID@&FC~HaO|6R({|T+sZF_r_WMlW9+LqA z&ipr)K056|yA&TTpbh}1#XJkU?#%*?-s(Acha>*e8)D;nNX@3xaU0B*%fX``Hz@5z 
z9RwNyZ8?1)KN5aI_&0n2dJ>-5KUqx1ZmzB9DX{cG3NG+UE70YwBIg-zF>flL^KUyZ za_p+=Pzv#m@n%OWUxoBHIhzykX~@snfqx7I#|2@xi*Q7+<_{o6BfMMU9zO`MBSU=A zIlUQGBXkoFjkwvqzsZIrg%*fv(5tR6Aw$hm(@;RpJS=1reWjXRKn)oOHN9I;;A(SF zxMm`-{F&1zf;|ef{jytKs#6)#aYPP7jhRsE)Ch6$+gTn2g=>u=aXDro=EWhT+^Glw zxyvfm%w^JA50DadrwQ4-M}%O1hUZ(h04opOyG^9ozQq{B;UM@}N&YS*5B!oc3Mm1K zFuFn#)Lsmv%$m^8yyOY%o+VV96jdte-}J3(Jx5EySHST(PYhk-*`Ud+BGa6y>e4mC zr)XBj#HnC?b0k-POQy2JUzEn}IP(q9zm6necd;kW{h3tjxp}#-_z(-4^!_oPSBqD6 zGG?rvJFZbkU3V!Su@`Srmmonh2ZK0wwHLBc+u=!)+bIv+;IE4#-VQ1VNntBh-CWX; z`giA&uZ|NlJCb_5GWFAcj%4~6I7E#Yb3?F!=3}o39EAehI_3!K$yVrhUB56{1})TMgKfd8=jfKdbGzjB<{R@Cycq{_ zXxS>CxLRp|oleDoVD$=@kM)$Sk54__7X5rjK3N#nCIKJASumhDT-_<<26K!F2=Y;k z0cZ;mYw3Woq;G~H^ZLC$ekOBuv7(bkNRGZz)ssK?%~;?Ezd+i(tGr7Y&% zaixliBsK%g0R&-DlnUR|lh=v0Q6Kf?%REt&CV>HmiIw~9P-Dgos7rdT4@r1SJySIdbM{%HyRIYbFac&JUQQYBFS z)nwofX&^>ACzXd*8Etvl7$0sQiR0iWW*V@P`P?&g`<{GDvnwY#cLKH%_@5qRS4PKf$=?|orRki zrqJ~9Mj=1cSdn#@aZOQFgU{}#FTT+$S{PLnG`r=T{&;=p1^8wPzoGWzq%}p`GSh=3 z6QX=nUea{ozVS>c28^;u!VnSix7)r9dWe zTbr%+hd~*?v$k$hdqBeL4=02l$Fp052RqPOUH7x1N3@+&$uw0>ztcXSi>$J^r!^)! z%r^Gy08fpJqHa3A`z+&eElF2e?pYOlS1TAyd{&py{`1rqJ`-_R!A`iiT`oJT6Ywo` zx2s=Cm%J(SB^>y58*|8AUN1kE@ZGm(>@wY^zKr`*Oiq^?ubX-~t`D{~IvqT%F9dJC z_jS%Q#2IXx!H2F!MrDT=$Ss#2qejSd4Ogoj$ZDL&rHHbv9&KC3DDLfh;oR@u!3`CD zt*4rAao44T)qH}#uXEKNncRGc{oYi%Ql>Re!_20B8)kgbv7Dc8%;WFQ!z4$8e$giv zCJ|OwsVhqBudtpeQg$!*ZaL8$+$tMKm&RIl4R@O!S6OVAtzP4RRV(cW)fx4>cB~d2 za-Xr29QPDjx5FwoKD|x1aro#$*Y(#+^Ae8cWnlX~@NKCwv+LLt`MmMce_*_2!oxU_ z&aOeV+byd}^h$-{2&Kt`9G5zey3Cn(%P_DGf@qwcbqwmom`b-tHJ&^HW$MQrgBo`DEoKwgi8tamw|ELxzutbvvrLSon2 z{m?~_OxocFeYza2x9_y-IAEWNzGF52? 
zNxpFehog@)4=g%8fjV{6%cFRSTHc>HZ$Wz^v~yzz5~_ut9$7+E9@%4neVklKMTWKj zeBQfTG2A?>KQ~+N%(C5pe1TR9JL!*Aa=-LUgc!7f2$5)RMuIKgWM(>UmEtHiQ7vu& z0;5g1i&m;<8g!089qsr2I-MX4Epghi>Q`k-KQMMXT!F;aPog{Z1rebWutYN<-Glpy--6S0d* zf^VWmM5qEqDhRak>5sv=Dd=CVZ|OE_(g^iM$}Uxz<;5e6+!nJ2>Elr>n!mIfT3wL~ zd63OL^zA<1L+wggLLbckgs-Qbe+BP46t2!oF2eLDZyi-73aG)HC}y9eghB8AQ%}{$ zXB8bUGC*_r)r(7$WXoVW^s*^m7h=nc7#HllVTZ+5YsT8}5g&D6F$FhKj(DcIIdKRS zjSvsy&A2I4AT)ngWQ%3VPcyAh&43@W9JKY4P$zfi4gRjoyKB-Kc7&73|18upCypJ7 zWs=5}H2K770c*U5By>~647gJ%0Ut3-llbOZY!oP<{`;V%c6MY+&`_*~@poGynsxGD zaGo_O9FJj%U37gf??HTdL#RtN9o6FqO{rlRnPrM}V=yZ>_nFi}ul$+74khj_Md$9> z?8JVc@CojB9IkJ;%Qy0w(##OtH>6GzO-lF%mXk4{YrXXsvD=}9MF*3Ai1B>Q*vs7bXjmO=zz3&%0VZVa+S&W9mL zEiE&Zosd_lBk#KrHY_oqagMdN1}8&vP?~aP#9XZ&!z5uFeO!)QUfdR7h)$iGp)SyA zow10)anYGrsKlc#4$B_MFz&WIRmlxVDP=OqQzDLn7HL?${#mKCG_Ig4tp--%QfkQHg=_G3}%j^?|$Lo<$1q-vjgpLH^y@|DMqNKUDK| zjvR-^3*z3}6CvkU5zTjlE%Q(0cA{5gfj_X{trzQ8x#|GpM!y=uO(sNg**BGrUzav~2 zKA#2I3A-AdDPN1h;DI)Zf>qsNgcIPw{tx6&n-jLn4{Ptq`KOD|Ua2ddmeU9?K*tKZ z*vBhYnq0P*eeGUeN0&RXyIJ-78H<`bMfdUDR?Xc?dez6HReTL^_Y_!8Wlw+h2R?^h zbMA-52E<;@GQ_`@-Wcv z{qn@?a)#5Vu4H}h#^X9?@=0fQ(T~2!EkQPp@Z;g}UsM%Z#JFwa!6kCf##`ybywa7A zeJI^pl9C^=C(QRH8&P#b?|D)-1?2OzWy|drm*v}hC&KW~^m;eg+cyms_&U07R8d(! 
z{oTyeb*;yD2VK*BPmZwbdZ2$%ZJrV0@gzpHVfd01C$-jC~OZw>j;ui@p(DmK&h ztl%5B>Lo>Ar!hUc;k9%-?Z^Cdjh6jV6XV;&_Xr=s3A!iCem3f*ebM|^C*_6&L?rysgNjh-3aM}1I$RPOvxUqg=o#Fef1=7&V^ zJ`pc~L60(!#9ycaDpSs-8;5qBNb+7%{bE}z+F_X?+rtnGW~0*wW{#m9e!CDT2$^=_ zAp;EpD_2xRWM<7V>W&v%2AH-c#|`jRYt-3H@Tc^HLTxw+2tt_-o~=TflW$9!L`|*~C30411c8pLe-NnoR~W}p22I;dVKdAF5Vfd^rm>du={#)8%H6D* zP-Ryte>Mb(D~Q5Wm^P@WTFoTr4!P?8F$bQ_vBp!-8c80|FJ3CEvq8ht@=}Lu@-I3T zl%F@3vg<6gCJz^nxz=!2>ksr+?GLyTmM+Rz^PTxA8p~4b@l`f^LE!o$O4At|JCI(B z@Q^J&$Av1xMJbCqj&fE<+ay<@*Z=stC$ESe!SrV-u5zS-jOK4hv`#3CO-&qJU$P}K z6rt;Ql&dwFOW?$sa50N%@ye<2Oh)Pc!~)kOCjwYS;h|UdHXXkvC4&+Qj!= z>|=Kdpb8=zWIkqe=m}W{*==C^?f@k3`|ol*R&76XK>J4~pE1fGhO}yYf9CPNxsls8 zN6AJt|5XShU~K*=8!7s?Wk|kBG^L!k()8eiDzSz6Gj>nikTky>I=Ko@dvKUtUySyE z_y_Sn+f{K6k@^2c)K>+?6?V(w1PBr|IKe%*!yo~IyK8V5+i#eNu%CAAs;}1WUj233gqbeiM3U7@+VF}oC`DpfA*eY&yMR&$_*7iy6jGj) zg8w-DgbO7or^1jFul%=smM-C1HaR7&*^!baiw5T{*1vecza*iYHG!Qm0(+=H2E9 z^yR3sHSwX=YXrA-;R$hT4W7|+KJ``IWc4Jy8`n4kJKxOrpo1Z=>Ed^ z*of@I+$E5n_X*H{xGx6wHwVmMsojssyS6y@;tDPFGUf@+AkaM`Pugg__d(AG)$K*~wv1s8k!xg1oMi?d5Isz7EKhoj33!}t0fnBlj$*vzS9XsY zHe1tu5?0?@_eh&B)b`OYs>rhHC-llT9^+mOy$pA=sF~!hX?FpBg5Y=o6gJDih>$e%k&(!p|^JIvff|X03?vRKJYtkrrYdEdd(0Ph)2^zee?2oK$~Wx ze&a%&$E^VMPdFF4Z6?P-O41b7g+R{TKHYYmt0OwwhQ%27_g9luFZJxi_MPqnjmLQ` zz{Xv~z}kCTJSJ3c4||lN3Z(?`x=vt9%I@W+hUnf8BI2QCpR>#@b2>=OM)<6oP^LVV!L_q#Q9SyX6r8x!W$M`s_I{MEB%f3N^z8zfl#YSycASTmLN4?Jy4)(q(bJt- z)H$w1$E`qUDt$by!rr0mLsNTYi!vs6Sq_d6o9?sVUo9Th+FVD2R3!^i zttJZcI5K+p!vspvN{R%I3DOGkm^>*aJ!XhQ8O3B;svvEG=!y8@uVMnMg=Ii2d@xI46#NfLTtt12 zLz%u`x;0-aG{<(N4!`u-av?6R7?aOHMM$1TZBrmcxWj15B&aHrCQo!`NnK|DSPT-b z^Tu{5LN?$U)N<#8SEQ!f^V^wa3ul z`I}PDbB?evC1Q)}s799GnvE%~L}Un2I+cZB@O;XtmO=psILmVDnP(+G)?+3k`--#? 
zlGb3hI2Wjndi&Nhj1;U=%2$pjmu{#c{2m_TP~jW>J+kwb)L@JMgX#_@z2~*nvu(cj z(HJN}*uTI1)6QgqCZDJBF;ku_i3qqyP;{9gz_;y7aBdlDO4A2aa-Dfk9WQ5ob&c^P z{y~&WE3fyx{~kloA=6hb zx>w^?tN!vgGDI9P*{Rz3p_s^GFR%31lVI=2Uiy6(Vh-e3OKDooBC)qZMdr#*pCCm47< zZ`D^XHhHm3D>y^jDJ$cVtvTMHBw#>j?2=%StHxOCAaT;C!rd3K9lHUpUkRmZb>GMz zv944$43TgAd-vSHa*yDRoV;yBOuywR&K--y`jrSwug{&Dy7r^aKL5JN5~}~% zk16S*Y#oa z!V0h~OMt=7e%MPk<|nBaTH6dMvzN`44GF-cXlU~JMf|5*RMP=p%05j6@n%6c3Rm2M zu4~_#xRZwaV<*$Xre^DVy7Ga~U5r{Nz_Qj>po&fg1f!_ zrVvCZ#BZK3&((ZCZk~6LK|JYhzBSH2+j|qAAK+> z$=&{xf`_Ji?1zVzi3rhp;VuI`?urIGjMTNAUg_7qiGIIm9YM&-Y3sMK1&$Qidd@P`wk9WhsdwmKk7i&ADJcobK zU$RJn9{dGW={ml*eiRRy5Boz;Mfyv}T%gr7d7X!h*XxsWmxmc4tI^jg-`6@X@VlX# z@4-xT=3Bwjl-f&{o31mFvffdHj{1vKO-nz8=cy)X*RSgX0a!!u=57sG;KoYM%2qRZ|3^~>L7zer zQzjsr;@*T1);=PF_sdtBDz~ka&6rq@Zo6}U0Vm`D@dyxF>ZT~(gh}<~U>;QNaYagc zd*q9>_34X?6&*DdtZADLCG2uC26kRs)Tud5g3^57b?r&-7TyjGy-7|m|7bq1Y)T&7 z`GU?p(LbF())v3Y?z~$rk#(he0+f0$<#0k!5WROCb^y*PHME1a}7@crj zx4if2yJo>$(cJ7w6GWo5n)Y6R{LCpFUdom&xE2UGK_GXr`1(;qEcvhBelJB>4LelQ>Nxw>>(3T4QqHq|X6@M$II`mB_3oM*tpHNZFE>MU>Y0f8p{#xl@GFaT( zni$`R08Jb16pFv-DH1SUh!7qH{pDsz_xtL=-gxr91EpO;nDfGxAWVVqI(-o8U=xs> zzL?sej(6~Q#tiEO=o{X|fyN9C&CSJVycV1v25@|H?nIC;Jo>b4V?7l_Zi9_Nv1;Y^ zsa1M0Udbf1o$CIm@mMiCU4yaP5gCRQ0lz|F8VTo4%R^Ve^u6dKv1Bhs#G~#G05E~1 zB>hK0X8(Qza{L=>MW=#>#3#&#hVkcT*^_7*b!|G?JfTRWv2iEwjH-q*VIURi*Kz0D z<{0p93bjAGMaQi5959!^;!Ag^lXx-RT-vNdrH1$q;M_%$$6CBDS8>sGGvGJ1{~Q9! 
zAO|;2+!U7zMULD;WMeQbQ4ox06~|z$Y^Hw%qt=B>xPU&xuNl>nrWIJevny$p^McmI zfS0~$i)_pw#gf$uXSS_CxD#$@l+Uvg%BBeGu`68KjFg-u-X-TIXTM5L3XE$EJrdrt zp%DJW1E-z8Y8t8qDCcs{h-mwryLrMqx|(yccnN&nc>*7d8j7KMOIRO&7Xh5Xw4!hCFEHNS^YWtbKu(A zJ|{*!Yy0o>+*kZ}N^#AmUo#RfGOW06ZUF=sj$2jsst@d>~D&?fRQYm4L| zwvNEoW@L3fabYc28~TLd_6O_h7wUy>diq^NAY)JBc=4q$!?0J9%+9=mz(Z zyr+6O?h{pRy#AiMyH0j%PmBD=cBk(B{CK$P%j>V!9U)blFF}hJZO`>I3N40hF6#W( zVLtbHc91WwBMm5mFW2+8lS3D6eUm4h4T&vBeZv{w^|cKmJe*Qqs+x0I@Hg#;Pw>1M zZR;-@!Lvh*o<@76Du5;L<~j0{jIPU}os-p`hP5Xr@GkyG-$N+IV;ZTq|e?Xdczf;_928xv@1_*FCbQb*6yeHbRyzYj-r>M?z)| z`kk`T!R=>LG`ZX$SIJxNy5=*sw6!;xn|(m$+m`uO<9_;eSw~UUrr@Wfw|}EWehrh7 zULEriRUMbF_{Ju6VDxHU9Ha`Oy5 zdK*YJHrDzb{5G$UXwg-_sfL)*DD$4O2o`cKq4x0g!SWSafB>!`FiQ}d1<3zcqGl}% zzuX}n0N4-4zn^1!BN8owN<0T z`bUM0pneFS2d=nU7Muk!@lxk>oXJFMknj<+DVV_o#s~#?JrSG|V(%6m*(L$aw5ns{ z{@OZ`?a>eT7R0;KA6cW3QR<46iRYFeiY~=XVchV$RIeefaulH6Fe$5ICY{j?^8}6g z#E_bsWGRKM#U}!-I)h<;Fw5K&_O--}u}GKVENo3DW6;&E5Bg9dKEa*4`$OY7m6Iq` zAGvGG6H%5~HdHT@ihTJeKJFYVs%34MluJU@fR$@D;BO&2Z_BHc%6CzKDBTxR>?!i= zM$YWGFvXGe>;2Y-Y-}==cqSd%$-jZU9vNIW#eKKfAf=?~0j$&}*Nv0E5rX}mNS-hape(%BJbjb8&i zdE(&ber+aWPeH2??Zsx7J#;tzpovrF3{ODCP?Rv@x#m#`Pd&;dA95&Qje7c0mDeY_ ziA27TIdZ5~C+hMXqh7(bPGm(jfb{#=riNw|`mc)%X>Q<`RI9J#qoJ16L_f(?s%4G4 z4?b4CwCDqWasqgNm=thHI5}7eSbaN^ubdrM81;j?380fLc4&F&xC6c5L7uWc?rlBj z3QAvTk~%gRQDqF97A2YIiQvHLSO@Zu4;2lv&Yvr!z}f$yWJ;t#)xjfB>)iR|tTOZO zOZ=FuLvrI)y`p0g1$J~%_2izB8OLOaqBf2MY*zQ*2>4+>aQul#i2yQtU+!;CLT#D- zwu1CzRlZ<^5+35Y_8J>mhgQMg+flJW!mL)Fh1&{b(XfNdHL^v-k<1jH=Ho~X za-*)4aAWy-mD7>Z!RPiJ7#G7#NVZ>9QvDp3F(p(d<)GPuP@KbDB(YWKV_~&-4NFul zjMgh>Bm)2T{W-?o?$&KIQKD<$y0eT=lWJ@bp%-CV5A$J<~ul~ve5 z`o=LOk|J4GAwA`Yxd6N~Kk+xKvA_-gKR67*XOY4{Nre1^Tz+_mA@B0rfVYE0W7p-q zkCp6aa&~;ozMS!o3qaeOuZaJluYKL)mrb`>f=SC}Ib#pcXY{KjS66z5JKUQa zp3y-8#!Y;Y@DN`m;1E;NL^S68Irn$9%Jy$^fV;6eki+2S<^*In?#fI<6L@i{8t3hz zfWc!PX?|W+{_wmHAX#$`YrZc;XE48Lc~0%f!c7%B8f<`gT3zkLMG2D#*xcM?0(#r` zI^SF$2l7bUJyryDDm&**fq=SgIhNC8o%Yi2MuOgnx2Jg;cCYVL*DmH+;ObSoGu_(L 
zEQ96!;x~g9zPt{nUa_T>2j5om4pOfkBCnRW^_NM3o3(=76YjO=jOYuGaNkFb(Y&@w zFW(mT8)!hMv#t;%Oq}`o4jBO0>)T17VcEsjhUygegXbhS!w-#TYPIU})_pw48Ir5$QJD!=_7(K=j z>}+bcDoHb1jvtl0i^LYSRW*+uMntk;B_qExy=tJYS!H$LEq{NSwTt3aU3p!jSZLln zG8p{uP+3k9A3$u1PSAN|*3BA*6xv=&48x1gb@DyA%}Aa1Q&CU?8{dD;`1bAZjp;Q! z7xTIwb!<_iFLL`hEIWY~&;Xa{YS?=_a{Xu3PHtS2e6CeZN&5G<|0@ln=tHxiIj<*a(2O+keG+B@%t zmpM~TBQG;9pnVdy#=zP|QMWE>nlWm^icBe92vj<1$~JRGoMcqbk|;j7L$th6WM!$@$ z*SVmC&{sZT{wzlOXJosgcF;T1}i|OiE8I`6=&y*xUX>a(q|? z0VzMYfPQi%nVCzvG4v}!#H~~u(8w(?8_M{t#{Z}guVgUw0-SKwTwd#kABN;Y_fdJ% zhBBmvn=%-2SqtLLxd%B@65DYpVRA&mQ>d%lf@8P~wvd1S#>O#)d=OWU?6|8=>Vfyo zR)p7_XRv?`Hv|lt^GJbEEYKzs<6N%rAlesy-nOq~u0|FT_CY`)h=N#0+ropi*RPp31(O7p@lR26&{O!?g~>ATmB>|T6J{`JYk2hOWf*m zWpE-59hatCc|lK$e^#;7pqYm$_>}_`g^HaF?5W?(uU)^WfUI^c{O@I`;)LJU1`&hv zuHQe^21!see6gG-c?X@YBR22!xA1sNi+%~jwBm9Wh^HgmAY z0)Hash5P=&1948diSD)RjZdZ6qJ7)pmbuX8M-ifrl(Y>y^ehMs*1CtE z5On`IX}Kz24PvsD$og~%D{^7cX<>-WxUN;rEEQMnC6pey=sM){7JrS@@gPgUl*F%z zaz&owvAd(Ek|}D|-~2Kdk<5J^Fm6xzq&yjlSQ;S9GBqN4jVgOr#sWkc zRTql7cbd~*oU-j#CzmrOH_k&DfqOzu2jl$Bo)YyiUFRVsUGoxwvu-&}7>%X0(EGS0-N4tC&NzYBQfa*Bw^hRL&TEV}eT*=yGc>TKk&vHlpY# zD;<1VC*xWz@ir)TZ~Hppd0Pw9CR<(AsWUV_6M~eK?zndwBbl@4DkNXK*>M|LQB~A5 zeYmI5vOkQv=<^iv!1&OwaB$1@e9}@>)i~=#BUCqjq0P_S5_K0+r>^_RZ)ZmGw3R1A z>i$|&^gzOQmK*S(Z4J-Vwv*Tb-S#7N-KDsvG7;LBb>j^$p@Z4ez9GQp;{oxUDqk`0a@%exdsO$PqdhGNrWYR&wuI3fy z5iAYjaSQ2f=~^pfHQxeGw%FImJ)yfA+=V%PEI#=`t-;GjLr(XeeY(4U7E?zXFLYZV zg%@oh`(UrfxrC_J^O8L@lJxgOyM;e#3g@pIqT#yt$G;yc+}Cy1Q7+o8uWV3I?9NHO zCqJS~q+4Al2EMyPr=vqy(gDbqpe0mP!3xMy-I)A$aJjGt$5Qna* zFQeU79aiJyA!iPf*6k<6C#<_nr26;&WPqovd}q^V3WX2rd-ta2&t;B%=vA7B!A%!} z$A5s_GD1AgRci0f(^cs12*QKFbN3MnI+K{T^oOAS$g}%wp&Mg@b|Nh+v9#Kbc5yzk}ll??w5DR*|g44*+++0$ip*uJp0l4 z9c=vy(OyZqB3&AGSqIa}-=f}=)-1w{C;a}=Kmc-pJdNLgIwRlXaOTfn&nf&{yYDui zQDPw~(u?^j(r! 
zZ#~yThnlBr|BAX;k$V?V#rf%&%H*e$&q}H8v%ziHrtm1?N7AC#Nqv@*G@_Z(&R_WD zFfE%dJ5Ai=MMZBI@+W{kh&h|pmk7H>(;;<2wJksUt%t>Q9M~cn+kLULRNk~N4x_*FHUg%8HE{j?scCkEIGT6T#e+<7!saf zbG(}fu$&66gy+Q6Spwe##2vL?|nrHt$HONZxB_g->`s@cKsuWNi57NIpqS6 zp*kWUUYSq~hv4(qNaRBKY1kC{BiSW-zhPy9I?J|2sy`k%hA!A7(~ek`6*}xmw0@6# zOF?=z+Qm*jK1;OP+H=^gVlZ|}_MQ7`eymGJ+{%vAcGTDtoUOd*IL>Kx1)j7=DPLvM zTZP2eWmzxGhA2mO9Xg@$wMu@e4k(Sd_|*oh|HD;H(3MbT1d|RRB^-GEDqTnIA=5bl zDx+2m_gUsZ>&&}rCR($jjb<-=mxexxfEsQ*Y+fE|SzoFMkt@hqFL#Nf)oL?ga*^IqJ9pc8UlM#YF&+tTcoBOv&3i=RMiS5ryATa zydFH;Ng4I@Sigg5-s8Mc-poY`(?E}4|8$57z4{i?rWG(B=4)o~)1LidiHU*rUdq!w zwi#itycS!GkyY$|GzIQ1GRFEbOJw>kX;+t&Yzu=(kay423jx^Ey zh}7C>UWbXv`-YKvNlR)Zt6&=^s&&?32OG`X3|97Trr_@1j!x9-!4h7WZWL6*^1MRw z%Qb%7-~3COtVB7O$;4f@fBS?UJ$kdB*Eu`E#4weqcdPiID=JHevzVFj`OE?Ramjnd z2`G-CmnJE`1o!$Io5PP3i{#GTiDXXEwM9-nd3wc%sil3muKM$yjdA{L!RV2oIu%g< z9txXb`s#08_%ZPgxdqt*z;HS7 zgQ6h2YYML+a*q3cM4%OrMTaKaapHV=oUxdQXdbhVt@or7Ih@6H^T~k|7PKW6ZAku2 z0oh4haK|BA2ZzJ3p`Ug{5!K2CD#w;DXEr5;%t`H! z1;LIiK=kTMXh<jrt#+x;O>JYyZDQ(!#@jX(LVnW4&aQL1=5-Bf!_SDJ; zfOMj3n`meDWcFWZd`m*Wg6zEBY`!S$&%VR<)V+WVBw^hQZok<-h*!S#gBt%`7R&;@ zM?q09+D~v2Q;dJie|-)VF`=+vvX6{@GD!g6XF)~*_FO2S*4I^V=l%H(zV$u|_JsBA zrYIO6*c`rBB({Jo7zJ6|l>bT5cXxQ9vVelS% zIpZzUHGu3qyPb0JKHxjQv^=70r2;fhUoy`njj+`n{9gs zz=;m>Z%I0mzAxPTL{Fo7FD4gV9KLRw#0M4L6Qbc^595St+DXi>2gF(02mWzMtJk0H z!d(`5&nxfL+jiOo-^S-PI(#B)dN=p2jn}Fn^dWXHlT>Zq2WxUy;kbHkP3xpjhH(!y zYIgi=;pZc#kE;!fokyxZvkB2bfVBt7nHr!F-@z^7#bH+Kac_UZ18O0-0<_uErdOZj zbUAzD3!sDP5>nHJ@-ARzREg2-q%>~czSM zU^MJT+N40!2#R{GY#NOvd_4}1lTUxy5?>X%ESf~Y3s%V3QwKl2*}jPPsGwI0nIE}r zY1%-DogS>S#nw2&q3tYu5f)NIG`eJul2}IueTL=I?_t&oBm!m zVV0$5@gM=bJ#cDtKkRdAYJCly0Cyaw^s)RZ8PjOndPo!Oe79s+;_k3NLI_vhk$I@T zDQQig4uywTtPsIp!b(o(nFO4h~Jd;`@!POd)vT;v#&_%G>Aza`?6pP zF$27u?tEmoyRD(>V!w~4st#|le{sXTn+mfGG3hDtj)IV}3l1+>CX9?TT2Qc#$cbyG zB2OB=Kh#1VNwAV`0*ZlttO>i#(Ov~*ypk%=BDm!H#u)T7E#E2@x3|2tEL)?fh6h4N z-rmd^Gn@j=Bo0UINz$L#Cuez0-(jImY{?YKwv*wF*NWZRq*0HMkiTA$-pGX&nv`e_ z2Y^6|L8_6dpBi)#tr^%MiV19fQ)Ru|uPb)W4(}@hm)3$;hk-Z15e}es 
zmr|NXc1loH{_7%8kui2a!GrXMlvH5Q=>{b4^3(A$Sz;vX!f3kNNRkF|m<#;r#mVyY~gv&j_6Z@Y1lyqm2)pd%q@tzE#D8B7Zm z44+IUm7}v|LCxk}aWEEXH9SWMlSEg<)?n3XdUu#}n8>qXDJJK7A*v-X_P9t zi~nM&u-^G6AgCm2RgRPnu+Bk^Dun+~`k5qaBYH?rO zGKO_acq(`N{QT7@${CE)ua>+^%2cdCKZZpWV`SG)avMCS*gX`-=LC?qct)m{e$ceu z8UESQ{%Zrc0)$!7kc)V#Yf3hq5_i{BHM(`VDUbXW^+Rug>dv&`MkyFzaUwyMmp+H-E!y{LGO}ia73;mHKg-UqK-E zkeW+6%!>YN?Nc{{uQ_%SyS?(E0)HRtti8{GZB$XlKF8OxkMcm08Q~ zH?qXf`IJwmuv+T7@VtGoo|BmL%0!;H28>tuT0e#-oAsn-QEeiW`UnUX5eDLyO8x%P zru>wyA><@mf@AEMjaKaAZeZqcVukq*^@U!eqW4b1X&2W}0OL_WbDy0ZuPL_|t9dqn z;I5W8EJAl;7B<`HT7BA)$ng-@y9}mrc-)>m;+e^J|NinV*Xq8bRo%|z zmyDt;GgE3*mp1{%bBAk01>OTAIzt~jS}9P%28Coy6e(-lfA;W`_Jp-VE0TX5H3v}i zzW~u#eO#euufl*2CV#~lL z#{2d(F0QtA@%hl>@*doYYS3|U*?_W)bx_f@ve~;v98{*!a!B*xla31_@qOFtk|@HJ zU(UE4a^sBZ^nyH|#yPo7)HDg5AsYe?3wHFy^#zaKnrKKxXax2lCMM3kyf>Mvd;*8u zMdkJ{2F%U2X`J``yB0v$!+lupjfegHH->l7PU}bwgC&P6wzSnVH;`}kONdug`#{@v zGzy?`^xn#<44r$~IY_yRE+^Xt~lh=*Gf8q`2N0X{R#E{ALkg6~#CGI<{U zJfKV8+4&kCq5nNY*SSsYAk}YgdiTV8%c2CpN_tZMf%nJ(7an`o?g7eZ;*cdV!oyR~UHg zgzQhaHd>_ypG@Afi!k*>-WoqQ9}D0kx80@4=cw>%-;Lb z8E5BS53hNoI`^qgQCg?xbr&0FGwkJ+)JW#U>$=B*dgzgzH|{6DSGilf`!>hdA)Y1$ zXKwtI+UI!U6>IP5e`Ik#F(RxhhZ+$kPtD(2v`BkTfzW3zkk=@!1Qm^yV zeXoj&_M|AylRs@uItXhQ4OJ}ffG7xL|JiQ1=(y{5-BXr~FQpa?+S*zR`J zLVY7qW>NMNxWT4q8UgF>R#Nojr)i{+MA6L`7f3o2o2AZsgX@?A$25MnCOTOO3?vP* zely$pvyTR4$&*;bA~Y$>yWSU|JY-$uuiiD+AE2~yI1^+k2W*+;LM+%LtDePTNOwN2 zN02cNzLKU?q-3M`gx>@#Sc6LN(fPA3I$q*X^=IFMK7%Sx@j{i~I1lZJFYiIbiHMi4 zbgxabg+@Xwo0x}>#Ldh22kCH!KS!lmjFPphDK$=50<|*nJt90}mPdxoZ-$yufYmD7 zz>?z3MV#O$40fO`&KdnFyl&+R`mT1@1+s2eu&DZPaA;zPvTBBWs4jg`K8y8SktK7{ zqlh|pfGTes!fvkelhqTzq^D79abWvLe6=gy#WuVHZE($Zx7%XAVuaQ?#(9-E_rEr{ zvhfqUhJ*IcpJ^I({B;ne8AEwIZ23+jiSlFWn;prWPws{1CPUn%mAzZ+tQDT8C5*&^2H0fvzXi_z0#;OOX}_j#oN+$865jG zwqi#BJB}ntzgcKyei9!B27H*^b_be7Z+V`uywGeJZtZfFG9)sC)F=-mUnA>6gW5>u3O+N=#E|?D`lCF|A-ja16 z)^d)@QP*4=CngrRctH6tj8ZKRTuEU*P+f5dDxQu0b7I=l=1RMy957Fm1~9|6oU0wj z3oWio!PvyunZ3L%i#^P_UGpnSpcEC+MXU#f;BUA?#dtCEXt-`4)N(P2wu7%fEmJ`R 
z`VUI>dv@9?KWV~RptEH8qL_zO3iNu6eUvG7$J_zPBWhs^WYQZOkFFnfKf|Vi5#(0`ACBjqc`UNWM$e!TXA1&yYWobUw zT1uO1Y{-?7UAde2##$gFtMD}+d#HyTUABWX@E)1j8i%k}UxTTei3?L7+}cpRUcjoB z5F>9&txs(NcQ@jfwT+{)Hy37G3Q6(-SI+!&%s7!6-I zg@=&3^>f0y3<^!AhlQK*k_+)b+ZfRQasv?i;@;O7|KK7(C#DKB)!#2Ytb|NC#}mEX zzA(3&OYoRMjeOnvb8JS0qE^z?BLZhPNA&V~TqkRK5JM=S#e|ge>nnyC;CUAcic^-+myB8X9zivO!m*yM+G$U;T|g{RRuf zd_MvtMpyxz)Hy1Jf%J$#-hHu(25@pKdb&cg1_Sq9sV>rWmjUgn=e{BC_xFcQU?-zs=XL|lxg%=RNbgP- z^@*T&?&T8SE!|e$kZ!}}OGt*Iu4zzj&i;1FLE`39CT!(K^WEv@#>RD!Oci5A?G^OH zn*GVbwAq2ykxHhw?`8tC&TWdMdi#;xYS$x7`$=7!ZrgT9|A+pM3|N0{D8lR5ubo^I zzc;X6P4n&F4$7)%%zr!Qzc4$`#d9;@rzTxfvltRaQPm6Pp)v7sXK3W z3mGv4+#g-g-;NK%NzEXs9=>3~h4wF*+=#8Gy8ogtp3*wju-k_8Sr4)|GaEMkJm}sn zZg#>jL%Pw2HucUHwtaNYG<-yO&9-1&^=~74+00Mft`OYDpXOJFGG0XQ>bE*WtliFS z?A9O$l8J?@52zsf1?lHcdY)lrZnTt5Q&s*&c98w+lT6-+qv0q;qKKxs_cHa_7I0-9>I%k-*>^F=3XSHV0j--IGSQhJCBpM_tTxW}s2J;1; z7CN{kSzk)--trwe*qRT+!|Z5$u#uDKvCS8yJ_My$AKdi%KOXsPkwa$8s5nY8;#z6f zMNfQ&)W0c@>GEkK186_fTeX-zX{k}+l$+Cdn3-goNH)w;wPGNsa7K#4TPP1k!l3u@ zR2aaY~mmr!*gLv)duXx9-gMpYp^Y z#EBBX^Q^I2R)O)_EIvi9BSzVr!z0l|+(QseS%|4#CaWTay-Zx}JXz$SWb)UYNchaG zNf{4WJ(YmkLOBbn0<*-kAm7~BeN{${;Huwc?kkx6u9ZYov`g96wbp?(^l- za6Ns>iYH_>Og@Y8Qn1aR zR*ZW~#D1YO4EA9P6;J3Yl_&1{WO5b>Ym^wJO!CyeYDm7 zqlN?~Be%^;LnjP~DmZB=)6>MS#Wp(=+n16jS?%miCv)N__TYr?9sN10c}h%{|6|G< z6x9r~QbG4;TUg_i5$xA6e>|;^F&zqY*VH)>JfP zxO4(Jr8WUp%{i5PdUDmT<$l>n3kPI%=$Bivq;v}<=716iH8KqQWBapRio&a8w$m2g zJt^PQtFezC*fCS2qq{o!TmzVMHt6zm(ws9geft*|JL+_J+ueyDbb@oX!$OQ$GnDYv$i@>p$WC>g>eGnSs4 ztk5pMeUtU{_oFcRac|hpe1~mK87|f(W4S%9&26@Q>df*JD@WT%+n$usjlc#2qg~sS zBd1@=C@HO=cO002DZ-&v!D0I2la-+WBiI`&#UckbdT^fdAR!OqSiy%Dzi59ixc>!!bQpakw>=df!=Xrd?@lN{CV@;6IzCm?wJt7v7_}lF9zr{gb8X%!jNI6fP1201q8mwq8fu z0fO=yr~AMrt$Q5E0Tv9tz`N1;Ra=vs-9yuSuAI=!g-}FCzxUh3P&98~SD)8m1dcQc zK%kvk_YR#q!zHI}#?g(@cP@|Ax^bA3JImu(d&w~z^l2j*Po+p$<`z%Ou>%!MxFmV| z;BcOOzwERgZoB%FI$jBY$6L3ry;HI?xIM_@Ui!QF)OXU%S6tb=Pu_v!R`>AHmAqL< z_q;;GF8Ov`aYxem#ChE-c;CM7rxO~E629ppemf;Jf14ONcdQxfJDu+Z&~<&IA!)fn 
z5Lr{%^lQD3K9y|aWEM1SAaQ$H1rk>;M|ov7U#bIzntvP>oG>$z@SPG>=w0@t=xnsl zwdCnv9Zd87YhO>)g@S1HYdvMYTq_WR-aS{DZbqF>+Pzok-Nx}dL={dm64xzH^0K+- zQ6Q~zN=@t<_uu(<4qXiTG;}Q=M@f>JA0Qq(bjXCC&=z$xSbLL-6yl@pH0?kl!?Y&v8ykp#7|ht?rV*Ykh-#K?|^s zmXj`f%y7H=Mp*s2N6w-9x+QfE`4rp(5tO@WJgLH95!GEWGQwPnAn( z?B!SVX>!@E#9Uja-KMUc51XScWMm}cNL*xIpNXO6720$w0Zo#JJ6b1>u06~kKyGg; zCiphv;Tq(50xzq6oK+lm;@S<>>O3ZPZ3#jG?^WaScTI8$e1PgW9#44n=>0-&!Jpf9 zj<=bT^B%$7O0XaO<;1g`N{!IV3|H1W?uCFMiOGaBCMw#;e??d5+Aj)hJVXYaY+<0O zin;0+3BNDUB%YcHK+zK0ExJJSz@{=pR45-kO8FzzO{8?0r67#0vlk{RP2=g?i&nlE z=_oBxk*OSGj?R)n$@NjIkD^;501@nMCp1tcJ)ByPl-=?=J^=z^2O zR&etdz(!jtmjqumFAZJ)5Bd=cKIuz5CR{q6Wxq!R;_n>1F>|rg@~LWNsXK0{{61q- znFZ6Pzq$EDlp=145hX}rstZ!mtzqA6$oJNDr~%C|A-~H-Jg}JB3|NN+h5uTzFrv>n z;I*Ff{%ymlKy$!}jqogJ!iy!SO+gPN!TV)G zbU`1MLz2ig^Df?_Wvw=)7gtY$+Sy>m~H@=lH7}Fl2S**_J3U>$r z=uIpoj-4`$PZo7G(ToU#qr7`jXC-!5uX^GMfrWOyrz$5_7rXqI$G{WlQdku#%y7kC zX)rMv7EEZo=&COBa9=uxl~}7S9;@KNZ9ag_?Xcj#iD=PWNjV&>4{hF}YZc8J&x+r! zu0lMWaOVk);z*1r=z8+s>vo4+lwEA zIamvv-V@82527BV@ku}Po<^|(w>+ZsG=Un3KC$<`q~!}pY4X95K-20o_VGss6*RC) zvkDa>SyjX|d+xWS1}8TAu!NH2kYdH=)VTrdf;k=Z46joo?N4vIibLKO(|La;fC{am zUViRriKaROZd2s8jRZq{8D5 zV*Rfy=T(I^8*Iyh5}0OwYpiMoqSXZd6Jl%Lv!LIBF0kwbV=S>TYcHxlU~s1Q#S0Gx z9NEa5r#Sl&rH{k$#9(yNEEE+`BuXFAt0c-SUB5t7TF7Z;8~#K+3sE*l?zDzFvuCBi z)d)SI3E9@?Hhd4rk|-p$;U?pyGUA_)JS@^9n!=d1F5T}_;<)p+g?>2#|q1GdOFW9N826_#Vl9Q$CDolPlvIdggQMp z-BB}LcZWTd_WczdJ@>ClJ8l$Kpm?wINWK})w?+LAmz=Gyx(9Llh7&6AelH+5Odr#k zryNd`8C+d{(<2{DE#Q9D&f0ZJPYvG7YnPXv_w{S0z*eoC#~Anl-pj^kGaVUYX7%{= zo*daHY{Sfc{q^K#+f?i2)ppK~J;qHpy7K~--V2Pb_Yt{bcjkQD`O$B><7a+3B_&r4 z_6N()5ZHk42)6WgJO{~7V~|${KcdW1mnD#&_zu+l_tM#FDA&ni+%W``gg8Dv$xqgEBdh;L!KBP8t%iJHmO7m8U`=qx)rmT+4T=?W4ANPYUy}h zs|O*!`5)7*z^^4?UTO(F_dHM5Z;2ep-Q~c^akuxo|H0ncPwWlqU3<^{T!dhQEly%! 
z!BxQA%2_KB!+FWz90*?rumt~vU$k8=*qJzgWU>cJsZLE>9*lxf1j@`MK&0GK*hsUC zmf=yvDV=xiqET!@=cOVkwjQ!k;*%V?u>NUABu>DZPNKxZ3PmqpSjww!K6r18hjB|$ zvk0t0h%2X6Uk+kf_|+$_Q7%#f%U^~4CuX#Q;WW0qEk$7$4HXA5tSN0=3C=({JU}B% zszBpWn`n}mdIUcr?&znv{3tq#F#SV`uSgBb!nfkrIHctxf{ou!9+6ISU(g%eSMj8w zD5?fA5Q-%676aSXshlmbR$04>xWzH?w*yT^$I2YowgL=G)m`c$(}@}}QCTJ=%Rk#^ zC6%7=e~dycqu=))qZ_wA4$i3DQEk-3u1lM3rehd7tcp4kC;MlY%7w_38z~A)i#Riu zKW+YkT@FYgP3boL;3zzy1#CA8VG3oX1mcA0!SgyURoFS&LmB`XOSzsWGVTjl$E# z8e&5?#BsFxVOIL%cS$xzMtTGztOyH07K1^JB0wGH2;iTXt!ue|F04MJNvGZbXCqv# z9L3i#;)qaH^cs``BW=YLpAN_{9*kIr_ac&O6+t%Tt--(brnEjwF51NT3y-lxGj{w# z@;5&whE0|cfPhBUzn!-KQem!ao>!92fE3%xzCCdI{`CZR{ zDVHHHCw&(Y_{22XQZkvRfrbmC`16%oUnn`SI~jiRLOGeDEkdA&fpW$OZoQ1=8*S*S zyuXp>Y`<4=JqqjHPl83_#i#arX~GZ+`J10`Col%#a!dN_Qc(X!oDfwTxMWX-xY+1j zN5!3@6PDaOE%>uh!X=wEX$#3#jT&uX7B!0{zwfgI{HnslYp4khMEo~TLM6f?I4EI> zq7a;cwVV%En12qvHOhijA|1lzqDhY^k;k@7Muii5x9+#>2MiH<0-p6)_q@*dEeCxEH4$wFE(Td~Qo*ox>Q?hNS`q1`t9B4`(ETB$EvMNevlcc=X-Uh2 zWV<_3#1`E6!@rcK%xr`l4L#%??#hhsKlsda$^&t@%FKiM?O)(^ioxCEU-L9&?NsytRUl9n|fNj*j3R~o(iUg zYu2dHq;26|OR{ptRRaabs7Q97v!T-Op&04zA22d&6o~ZY2acNG_bevQ@Ys*MQ6U$U zmZ>>E3^X0*J=qe;=L8uy^ox-4Qzo&P)H`HxY#^_3#1+^Tjb@@q?bBp7_zQue)vOXC zuI2kF=M-Vb<)qQm=zq*L#~&a@s>pu)SmgQpw^$@wECRJUsbTB?j}ZF|69cOtQiNY{ z%=DjFh9+Wtb9o$JO(Ap}WrjM?Z6z5A>JotC3@tMsV~jw%?$-SW zp6jIb>u8f4jptYVs0}>OAw#xNa17(0$F}?F4T7DU#+yPD*D)Jq_w&1ZdLF#CNm)1g z#^JGh&9Gl;J0FYClR!p7$B79qgZaLWEBliItE{GjEVSn~shzi=fg~m5Hc*)ep}=ch zYWhgG8t1Zf)(+ndu%t!neba5=n4t5i!3f-Z_SCX^zjuAv%N*NPw|#`0?KJW4hJ^6y z;X(_u+Y^XGdwoyVeF4|gO4_juRVDIQtHSk#)Jd1~vWsJyd?iQw@zHdgZ=}Nq+&D7L zjlk`bt8$e_=dou~(%tCmrs;E)vQu`#;190!6NGx(4bMw2{1n_$occZ1HPy;e9VMmD`BlARwS28fOl%%|`fbzhdgi^^R(puJ3Ebm&2* zx%JeY*J&|)?9ENb#8&ye>rb8AGFl6LSUwCyllH6CNaxngM#@z--OpKp&7*Li+7~`< zzhCE2ZGw(@&tEg4t!ipN_QWc0%bisA=YbNw?1J8lU0^X!Tw$ z&o;L61q}I|6##2|duEK@M%%P2dfw-|KD}>#Js))_%mdE1zRXf!E*d4~rg54pG~yfC0?Hh8>jUjlG8v zwa*q1xC8LPGuZAi_u_N+E4ce#Gg@~vxHSPvD7S&@1@SRA)=4j|GR-;v^C#ao%K;nt 
zzP*{u>q2KTC&GD~L`nV8l^&MhV48V1=!1^k0J1Wl{tHOs2`U;c*8{4$u4Hl2r_u-OU1rlq0S zau?6Ol*I`Kn1IM{#|cNCEvkz7l^1i^5OQIxJQ>SQ1_( z#tqt|cXo9_l>1rTIb$Q#ywS9jd_N~S!Tw($v8z65(-uwhl>nnKm11#`7&Ah9FrIv zGxQvf^l_w{8aJ<9GdL?sV8bU_OUQ9}#92-uBKYc6SB|9|9G`iv~)Yp|Dx$1d%w4N|K+fLt+;dZLK9UHpj4P6S2 z5?zn&G#FilbSjy!Is&C6QUR&%x@tTW${{>%*%a7fLapo+ymn&G8|_Y;wI88F@Zen*rn2&=!9axJ+P8kSGeteqCNgQW;{6kH zSl~76N0Z>F7H<}WV@Ir1PzQPyCDeR+NKRHUlE$&h0e>{Y<=458C^rVw%j@@)8NMeY zl|S72LNQ?9Q!(NgDqoyhw1z2g(i@m$8b^{gpc`k<5F%lH6OD_OQJWw;4KF$^veqB} z>5eN0S%~u-0X`Md1@nUQ1#WZUvj6ndg3%M?PQc!Z$VksCf%dr`SI7mzQ`XuWRHq0~dm#9P(AGiy(v_UEZO{Dy1N4{mB7nnh_GpOjWO{rAzzoD^nkbJ3wsbZ)a= z$wn@eo~~7oZ>&fs{~JGDay~9FF@3JwgjU^#CX%mNTuK~~;MWT^<&Dh5RLK#BL0{zD z?Wn&*a`B<*{V?1e5kg4&vn1`NC>Fnk<&gOfi|p=LTq4e_Ex< z|M+fKz5)}qU*7Pr`~POmrs*eO@gUf5FQTtA7biVE|Jn7n`35b?K7Wd=5D^f~pLvb( zv#8=fyWsQ?_+T@^i-}J*p4~FI$o1<@5%7J_UaIza9ZRkGxMX`X#%U3FetZ;hJknwB zI!@)-=~%Wrzvu$jyIp{;P*-ev_AtzZaW8xxBNw086{nwpiY?J|l-Il-xm&e_+Fn1K z$BH?!9G~=D{mfokma!>D0 zC;Ycf^tQH=wD_L)+*-N5+DF4BsvcXL|8CxC#pJ4Aw#Tn)K!qHbw8801#|)kw-Fsiv zs{OXIyrxGVcXTW@jOH40ricVOoZe)1uFLkzrFP7&ZdZ|0zvym3x7~NquRAok%G;E! 
z&mr47pGJYODe-3lRzBXZ7KYFJde&d>&h2tK4(8m_o~m|t<~9PoZ-zZiF5ET};dcdS ztNidsJ}&le?1DPLtDMHSsmS~SYpx5l8_*2x8)wo_yGF;|A$m2o?MtYb|J?Xzd(467 zD{p(a%a3y&Vf$jM(_DE#-tKtKDR5py}aTcul|Y!v%dlbn?00Gql6)E$lY!3&sh!IIv*E3lN;sD z?~hOXe%Hkn0xxG$*IBif)MmC_?}c3eh6u;EYiMNj5oDXLOAWvAY^S{rM)2{Q@2kxBQ>er+RHUrqke&v**=YUARt4g}?W zo-)E%H*g$g-LgQF$dS86>+zfT)M_ftMUHdV`r#kzsv{le`yyMXuSTm zoDB{NXJyH?>%E(72S&Zkd`d3R=AN*$Qq`xYFxM6)Z zTSJjzYxTNMcv1_me{`tXWLc>!M?&Sd#g~(0;tTe=D=h19{hF9)osohPF4#wwhvvk; z7SM4eWpMiz(mW~@v5u8o`DuV~lc^u`vqW-*T(lWC9?hxLY@ErpEJ0bT=WI06 znTzwkVIC&v@Zler6U+T$#(vN$Ybv|K6(@{Oa&sEE2rX^cPnq%N1PZ}690$a@tdPt&>u@NI4k9a8?h0&dt1Jsl`1$UQEv zKJr(qchYi85>7^!%_}_=7W3|B#|#9*P83{v};2qLx?Q# zJ^Z&^Nc0pbzoGZsZe$l+G^<5(liOy#WOx9HVe=fF1ly{6#!)d8WSun*VbR@-b{4$^ zD=7kbhyMz%TNY#`#b$1(dWk{^P5{Yhyakf6iEu;wuYa21DjDhonSlyDxlTF-2^db0 zE$c83o{<@LhG@U_qqRlsyyzC__BG4culgLmrWzqmdU`Ia{bEYKR3_1MP5vEapis4e zXU-#8GLjKw$^?0T$CRGHIM^uf}HFe|D(9TVx=M`4bKya8E(YcKV3G^>Hhci z{htIpIWgG9#`-VZFfpz}s<)L^DO%lXbh2L>zK_PWW9>)p;~7<~ zdE;mPi)-dYQRK>7*bU~M`^n7~-`GfS`VWXkPWl1X0oy2NCuM#XR78M{KTQMw^;W%` z2~LCeAibF+XLT`gzt=M*kFccd#DqvstN$V{wDdj(EGN5S9R*;o%o{gd=QDCbEZs@;`GzE zVM2A0Z&$0~B(H_U$fvUW;}38LbwB}Ka8)YspsnZLyZF*>8w07*#1;1mVGZ ztxt9^I`fW(Fa$!wuBGCD3B9hrUU7O{fWJ#cl?E6C$eo$=RisFWiKOZ`$+S}FHVP!` zP1aKAG*YZJf}8W{>3zdGqvvGTqzKP-;7m zG{d+fP5SHz1N(ud)LMBkgZjuGIS;P_Z!E9>#l)aLdE8uQTHJ<&{5eOrkivr8*2_T~ z^}cseBS0z8p(=EEP z(k%30vNi{MnPtG!RDA|)5G29;P<1GC>XG4}Z> z=I#m%_T+-|^x*`Fz73AmaD#1fv&(tn-*z7FL^#0SJ7*6oI?t*PARf<>uTE7!hBY(S z$8^etM+d31^+Uv`bf;<_zbKBs{O-lqH9pG>R(cz}Q)zFWX|D%kYE`Z;+Z%e`LPs8Z z&#%Y8r!=p(I{`l9#}~UEhpqYZLpAwazWu!hFM-zy%bJ;iYHzP6T-70tXQj|J%jx`> z%+$1p`I{9xySFD3*e~;EcbR@ z$Bf{;<(lCat>RVJ`TWn=p0mC_9yLSh1vS;@N1WF8*37%g}~$7@l!^|_9t zdr_NiYr3hJx;ySiJ+|%VckB2QHvI4mwzpkur+VG4eeT!AEpJC%PhiWV4YYJZ?K`Yg zEf`S4)*s3#zk_%}u(fN++PG?bOH>>D-`0y8r>hkXI_lh{|{bl|8llx_S+k~!d*I7=}N_E3iLrweskW8-bM^S^@*7G{I(@gT4 zO~*#pHD8d()4P2WOEs%4tQxP)0*9F%?=|QhAG5k`&C5%t;?FgI_k3ZGmt6~a>grKP z2k+ZF%S=|=;(C;B+v}Fh0m6Ptrkd94vCe}S;5gHd(`#8YY`JE<5D@fywz0uye`jB^ 
z(NR;~*}rk__0~I$#9?zk`gM%9+S=M%r2- za+0iOmpzr`H#PnQdRPe^HOi@m4b-A*5;Uo0XuXD3|!+8V$0fXtYz@amr0NvjW z2ksk&Q-71o1XKJid7&g3RdLQJDbULSd;bH)KI9JjL4-zzw8kVI;!!Ylg&YaQgzO0r z=VB}1EK*Cw$Ra2yqUcL!h^H0>M{#whxc+1ODH)ubvQZ|i1W0!DY1|cO#!?kV#5NNg zs%44su1W88x=a#Qg#3N>>dP*)ehd@l1V`)N$SiT=-8OITRGU&W6vP=~q8wa#B5BSF zk*Pr_;on-)-YIbi15b3Gpj1{dL_BeLICxL`b*|hM3X7BmoBSXNzH#&XMa3*><$aoH zBF@!-b^P?ebCP`Cz&7g(w?jj^|9S>wMi(*uB3lKtiGiznIk_PniA*_fftQWFr@%N` z`8N)nZjF4M?QoT%tW$JOq6wZUx-||_#{wM*SG4AT%3+er$zFG@dMpVGnX9r=K{>D) z`XjydjfU7Je}E2LmSo)GU-GP%Uo$=g9P02=jpz;So0w!EMjRB!C-}NYMstEg#4!|$ z0uL9|yAPpNmgMdu`O}epF-rVU%nwH==MNkr0#Kl#ves!M z4ggid@E`kU&nyS(jHI30=OWOPiBY})O~`F6)>NV7)~1%l4-;Kja?lHNq??>E>Xy9W zMB+^UsqB+zJ>j>~pZq&9Q)(VM@`3$gq;n%P?_X|I+sC2Rq?^!0Z^KkDpkVNsscRrA zvozdp)#gb%+_0rEU89(&+(ggBJCf$Ffwk^l!V#Jw*k))-Hv$Kpr9jKBBvEl45tnp@ zop1sy_NPV&H>I!{ud9jCVaPXBrfTq?F)Rz-fJNKOJHHD!YJuZRp7^kv@eBHwW67x` z^&SrPwxz$-n()J5*nCd}(Th@wUB@RkLDdHnEEwlSN;n7~^3A<;sLPsh zQARd*?(!6?CUMvb`lSTf6)!u7pEZv1@{OQGp}$&1N}RMmv$&a)fca81O7ch&=^Jxk zB&+D}>Td?Wl$=*Bn^O<^^SSgVws@rz)#II^4CnfknU?NGbyo`5AW59jE{IWaJpksY z(nRq7m993?dtYN0X{L%+p3rw{`mx3CgCST

vWkjOJ?J*h z^X(Dt4U2G4tLkRL9TsiRk2>w%*s|~`pdGLyDToeHsn@ao5LcE|nzE1%dHks^5)BcC$f!PFcn9IkwBm%oG4_lq}dz7jE90FZNfCw1OoJMwQM-G;lS_F5)zM+FX z2*>H}=064XH50Wn)3X#Cj=#F^V>fv*ghksPj_1R7eK99l zFAXIpI(`};o=gl|GdXPfHo(Nn1~T4r>QJXws*r8jrV!W!)NOU`Zu|J&;p$mEv2({< zJ5uepv#H(IaA6>z>)bTOzGI)rlETI4d3SgkCU>m>AuD}VcKwA z53aSSx^>%zofN)Q_0U0pHQtfs`0lk2;s*nyHlH6~1Op@oraErxu)ye9{tOQYy+vL}N!ZW5=xYP{yA^!QeR(HcK!CP0Ihh+!Q zjV8NuvHtlf2ejt{dZF!Z9sPWIcVl$-*s2 zAS0~c%yj!sKlysexJ)zpHSWg@h?VKw`nYl3B{VHea~t!X@PvUJ9%DhRlV~GT9jh<@ zBe3iX;Fp+HwOs)ThN$F0a3hHD*M2$;i8PR%-umK0gu5r) zG-WvqC(7jUV&1~pzr;kQ2_1OKenT~43>49d($1n?8Zws5)s5|yb0ed}ljdz*!xG-_ zy^B_md}=T(OK6q}lsd?Wn|9J}fM7zgi{@HF87?c*!v2>Ln#$}^KuKaW$b#Nuod*D% z5y&Nue^swMD5Ywo!A=xsr%-O!x%!f~jvz0e*c*1_W~Dvchx>gC@RZ1pip$nd zTkx}yqg-`?+g2;Y!qVuWLpJMx_Ju?r-XnB*Aj4KvLXKqNL!M%=Nc)!|7msCXtHSWa zgX5+ANOCPNb!)g#EO!^bGD|3aJMvKgik0saD3@-5OsnbQ-Zi0gahWvZf}MDUeNmTI zYf5n*Lg~et&h4`tR>konfiaC9j;5rJ;GZNZbZJyK9~RnF_(dw}&-O8LW&*y+rI?}x z<4s@DVLY)wq9Wt_Xy$W!Bs_I`CZ>(Q(f^?3QELI*S<{9Z@UHZN^utL3ZnRL70D|0v zgUEd6dLv8>DdLOxIS3~f6AzMkXC%SM?=)+s{@bh5552!t9D-%U9oaVIZt*TL$G@#t zFHv$KJ+UI=52)13+-jGY29Vb*J4wbB5BxiS_>yR`P`=JQt7*|o@iy$P9UTQ1iPYv0 zbQg9sJL9VTv!AtaJ{Z?Ul;9Im6)l%bUYv@B+WZF_59=^fjvTtnV6CYk5Md`DK&dA^ zaM!j1~{QmKSe z9>Pdq@B}%|mqsN8JI^}SnYBa?Xm`k-D)Y04%5+00ThLA`Fo=^L1@i}LKwOw>{|jK9 z$}?{1G|-{?K_wuF&bot-K4GzfE*y4^R4der3n)cA4Opc=P|97Y5-DulqS&LFOse>* zK{{VrBi2<^!!fQnc;xNKiJj8#%caHenYKwE(Pl~fwUI(KQyEWray)A|Sl(eHkpztq7pN(7JEus!MgG z?RRfNKu^M_h!?Zw!(%?OB@vO_YF07&;tnB+#=_BSNv^Y-qySwL`;SmWdk)dkW6KS< zo^P(aa8CY~tSr3UxLcyuCB8)njUkikTj^>(cjf#61e{s6ujaMu*1Ea13T_$tfWc*T z4uUm@|JhMi5<^LBbQ+7=RA?j0w6 zs<3GZS@D4B(sEjy_|(^E#-@q`kUJD`Qa=ZKk|oH)lxYUx_@&2yNdol~S-+R?kNGJQ z@hXAeC=jw(&gFKqh8Vz<;Iem8r~lwQYSfT!X)yAw!zbYGeEaN8CW9%_hY9Sq z1kZ5G<$m31AAX5RZTEWx{q)Luz98wp875q67ErMTEWeIyy*|TX+R!unY1Y1rd;)Vn z8A5IVf?Kxw?>fMqAlsR4#}oICBMP}n*G=N?r>o5>AT4o2j)(7OcBabfn!!p>YW;O^ zYHDwZs`t62S(kvd>&cqfMaPHT@>^M((p|fiEm{?((0&uJyGK1};~?EdPT;xNOpkAo zz0<0iu;v=yhpg)uF17~nxuon?y>we*yO{c`dEa6Oq`eY*Nq2Mei|5Yu-JgS=eURgI 
zO(bu5T)cEc^I`m=G1+^Z5Dqh}OG@r<&zV@M9>r7|hc3^f?5erF-6R!_>pkcH9}7yN=O)rXvzo z^Lxu%;d9 zlE-#kt%vD#r!76Uo-Ja&kYgPDeX~6|N#2rkPw0G0S$XOLtZhttSC3pd)Ycy$tA2Q$ zhYh)adD}KOt&f4O>=2^@A-VPIcBdbUq77Aps(EC6>zhg zfKDS>*;shLpWQS|0(W-&lnjQ@kTt9n5V;@HuK7I2+Ag}nc4WJrc)aIWwsJQc7TI@k zPikr>w!~Irl;qkadjL2dcEo&~hb7R2cgu`sxgN7$^?bp8r(kf`=Lv`%NPq==nb};^ z??*;HXX!2LaHlot7u<@UjP*U^IA=BWSfF@j5&VLDD9{ElXjaJI$UNSJ-vTe_Vu2R? zdGfcfCg`i+y{4R5WlW(2d2KO+!&9tDKRiPKnP^gX`B0%W0OMxN zS}t8!8(#7Sd=UyupS&1PPKMR`vi%Q<$m~{o<{kLXw5neYWU=KrRmsLW7omKE6%7b% zQ&PBG%dnaZT88y61idD+tI>6JgwjqA%BTV5!MKSc0VzL=m#%9i>hS-_huwR)4I;Vx zypFaq@h(6RHj1-{=9C}7qYOQ0%$BHlA={yH?9!zeQeG2XBn#H1PiGN5{4&%bUCkU< zBYo?*^4gOZI$!=@Zh9|Kh`X9xoa4C(95i+bq}QbQ}6 ztwL1{4U*wYwTiV0H_-gu6|~Yr05)KX`zvWb%g~&O5VCJdot~t_XI%ni^5cYx7N;ou zAJH54d7Ub6d?^ynNrzJEEXwOYWU_{@H9zN36h*^KghmgR>X|=2MA;;efA&xjOXeKb zcWdpvemJ)srKTaNDF10wVq&8(mLS5=VS-6e2~iZ4%_%`oLCohjHPy7;c9il=hAtG9 zUdZ+x2((PvQMk`qOBjxm-Cc?(`x0c0Ej!Yt5V`Pb-atBM*&nk8c>=->&`4P zUOIA;DcinZj7_$IO`Nrwcj-Am&ii@MDxX-C4h08Whn~0BO3JJNI-m42>V@PZ1nn9z zG_x|{bj`%8zxAkayvH61z@yoMGQmk0qF_qB$WOGjcA=pAfq)BZV9n($h2~_UXN7qF zp4U&#lBBX!j#tJ4kPNF35s6kCRy8eXKG0OF1Lz`_4V(@_lW{P4wkfobbGcf6F0>`> z*4edUYR6e&abuG9vG$5m64ky9%8vh1Mwm!0*GiR=?bryP|E+9CQgrCf9d4d*z=|s< zGgAuC_Vdi<7CI~q(v*kxut~%35GuE-|E4?vXI>$ClU@FY(%%zDE=r~_76zb*zL=oe z!d0I5y6UjXyMD2h8564TC#reJMoEISufy9mA==ntwTcWnJ03=Qy(|ArOE=d%fE()R z9IJ++*t?s`q|`cJy}=r`yv>^Fb}l8?TC{ay`7=Q{l^N=UG!AA_0-mf-uo+qH^GN0f z-tg&U%I|IQ3W8sV_4A0?+1^)L&eBGAE)(l(KmVW9b^C-c7#LK^vHsr<~0R@pJSe2w};Brp7y6y#q&7(*119zGKKO@4OhjQ`ajkwV#mvPQUX zJkgM)B1QT=pTVF`zc!@&=Q}lVY+Wl`ggyxcvwQw7rcUQCSyx`B1?oplNWHlXUX$i~ z0J)kF>B)C8JW~maB>xI!$>|cY45rD%%QCd9=)Hu%G0CFbcegHoU)1CQP*wHl82L1gmQy~U1lSG3NU(ijLbVtZvX5sIW$?4(L zjWI=2&eVmlv+=srnrp_n0M%0AT-mvY9E`tv;xQf1(v;H(1?hsUEa9e5bCX0F*l({; ziDWOIV`Y|y9=k#QDL+>oV7-7h{IeWf->)oT`+ccT+T9rSgJBl&t;Ogj0k64bsxdq- zY{J)cJw@BU1R=Yd*IK?s0_AkabX`BH{`wR>4+1OlfyWF20x!(ftB+FWo9%Z)xXoF9 zo!xs&nLCP4J2XULc&{6Y$X-sx8_`@(A4Uxgj2VnGTaS+`w(fVe^r?0|FR4m){GPS_ 
zY^u(K1YswBUXyQjc;188XMViECLe-am+y9b_v1!h4~#hjYz(jG<961!`zSp+cXAau z56aIV$&Kv~JW%$~Nf+omYUNF#1-|CJqNSP+wFZ26RoIXCIDLi4Z$FR_`}m}OSlyA6 zmCAKR@mudYe&LSxXYslFp+iqBj2%B0b8`Ls-n}`)mXdOmnvfxWNOt->yNFTeMl*+8&fS&mm9KFBR^i z$UCRFeo;?uyNo?xf&0%84iMoD%d4O1Gnm6rF9dv=F=i%E!ufJ}B#;PjD;-oG@lMU~ z_5cB~Uj@D;fxSc z@>Z}+ig3z&xJD_bN2jg-*4Q(`ERA%^q9Lj0@M|sm7*XRh2o}$VFqpr^9gpy zE5gG$0Q_x4YW2|Hiaidw;V6TbD zVjnBTJzh!y0hNxIiVCT0KKd;Z+jpZL;Mu1rO+1eCJldqL`;WDpNwD(^(W@!&{5BV1 z;PrXXLSJHXr6?g@-^m<1nA;sG+w_Bhl57-4jZ(aBtymXVXTYyjy zKGRU?^6{iHbY+nhFW(l3?biTvx@3MF-EQNVp--{K#YV9;EkdRYp@fMytJ2j{HqLj1 zy~kFGx@=U-0qVNM$wA#V{ZVrhs?xv$SpCFlbMGH4K-HI8q)?kTbrC#e#H2XYw=HfZ()sMdv5SAU=rtZ=nn}iJl>b;BMflqF8L*O{T zhXU}0;6y2&AlA#?uT|f3G%$q1l-EO0rrBt@tiL7d%KjqxV;dZ>FJ#{`5@SNAW+V8_ z8mfZYtxxVARATsP(BSab)ca$^H&<;@PUe`7fRko{gstBi_A^khxLPQrUORO$E>NH4 z8sq$*xoaIPOsq9k@x=FDj4k;u3(@JfKILS2g{mBCV?xeuMT_-K0kMkz)EQzHjLq_> zOf7h+;a(h?Ni*z!0wY5aN<$QLs>&C316=hGc``3*X!*`h%#+H~Bw#V7?YH6im zAgfY%Oh>THfTGMRC5uQ?-*eRRmUuJml8XbO$1#>kD}R+WxbBcwj@4QOISdz48VV4X zIAv^{rk)ptm`S;pFd8-{Lbv}cQer_Z%o6fm1ScM2?*pG_ZVExUozgB_7Q&GA=GA44 z>L+XlMNg2k_RQO?jl&|8b{q{0KQ?L*Vqlk-3~pFHSa14#imi%9|7Hb{rSpmlnx_}+ z`!^Y@3iH(y<8UEM2GNVukw_g(+WLL-N)%*Cwu&JBA;Fv*Lr1e?-eyv@n0`1(&=-QU zHui7x8^(&5DF=ZHQA%@(ZM)#F>W#iNvazL*J%1p}msE23E_qt9Z_KckHbtAbYoxkY z&}EXdXLVcFX?D%o0E%A9HY6I=C_$BgQi*=nHRY;A%&&@%ukqYxEUW<(7Nyo1rCH^y zv^udRK-=_?A_Fv~LvcaQTr9SbJe~cKKKrb=P}m0Xq2Ax|)1aKE|0S<3kYr9E{1BO)#gC@qc} zv{sd;E zmvHdAefBvA-%**|ZLU$bg7-I4i0C-1zj7-Ooz#u&t;b={hi|zI?)t^xAwb0UY4*sh?Zcd4$8;z=MRD!IV0`D2?^)>i%8rl|d^VCb(p|CY zRt0Qqew+ios__Y&j9!8{Q-l9@&TE~?X;nS-b_w9odu`}Vw>w;MwGtGJ*BRMCptrF#%&Qi$>)n0gUU+22!L$~Y>$kCa z+~(Nx&d$vbIYRJ(4#;^?)=$@}V(*gHgM-&$Dl%+R&$q?q?(m`A2oTqY#PfU;X z{J2St+o8fmR}c8c6KZAI!smGEnn)XkYp2X}Gnjph*W_jdDtqeW=YHJp0Z!CEP4bxE z#>lSjjS3dj2Q``bMYy$S@)a=hPWk+N|61z}pfdLHai@P+Xzo0$D70d!`tIiL0JZ|v z5_>M5<6g8(;(rABa%HZW%(vOblIr!MZs;`BH4h{Mk9>%Jcg(`y{w)ytWFz{HV{ z+kB;KjeB%u_tVy;WK-HM+SaR!{YSs1lsB~tze7DlKa3aD4}nq2H@{tU=0fme%qk{% 
z*IZx#YtZ0G!gf3q$LfrP=jBxk8zB2e$1>m%ad0BWJma*?d;OVe4ox5tJg5x+jP<6` z>(QP&;d?Jvp9^^k{mgw~_Vx8^H_{u*zBWQqnznWVCIabrObJ)ph}x_}%4_%s6&U$( zz%Op)n_j}3zYe_A&!9&2pOj4M1BpMetp7gi!kZ%q^$4|5sM$iJS_DSqrNnOvwX^h9 zz-`0A@+{&(#*c{0(YlHdlw;|zIcNAR5o><uMGJuFxrA;6quCJy} zx|@)!+GHEe6GLWjf+ouakHmu>L3Xd)!sWWr1q=DCsrK)tbgo75LE7vBl2f%Tgp@m| zoO}*~xKxAKD_;>e2HtXKrGGP+njIB~U4k=RL011O&7an#T1#eA44FIy-hvR-WPQbl zzv=lr1{zT$3HeZL(s3S5Q2ABd{cb>5QY(WYNDulOl{Vxdbl@*Kwl7gt%VF)*fKUjL zO9vV(7&;+Y4s^)`PeSF-9jCX$%wO(qLu4lMKfS)wg=__9n$hsXamJ z<$b|HdA61fO7-RFUkqC=X|_wS+y;vwF6altKCrB~`qc~gE>0Tj{r+DHQS3ZRq+LAW zA>kC^!VAwuX0Q{NlqqYt;dy(6pN1Us<)V31Dsrq)8V3+JWEpD^&GQn@RnzLw&Vp4^ z5AK5Df!`so?nRn~sLG01u^hH$uMQK5QE3{Xr4&fCZW=>#k+3G7ykIGQdr>B+SF$~%Fcy+t;bCLdpCY+9oXWSM5Gm|0 zAf-;7|I$yl5^ovwHD6qk$#U&c%cHJTp(KakZ z|03!dyE6foWF~edP9~Yywr$(CZQHhO+xEn^ZQJi=?>W2oOaFoAoTt01s;kOlfB*SG zB8JOWWsHo8)Kx>OyR5M2&mXb7OHv@j3d@hV>JAjN8x)^B)e5F!kdVi2g&XrF#cfZ4 z;)sf%Z$&eBKf_AlYl>6_>{zb}xzsQ*} z%0dHTMP8Tyg@E6#M;1}2gJajJQ_Zi)k%7O8_-*c!DD%i@!Dz6hB8(j$7iub}gdUGUU(a4e;N{=JZGlBLWME#z=c1t*KCq@kxPX>6wh@6|jrF(s~? 
z2%`rb_K$(nIji}c?-|C5XU!Om@4;(~1WuXROuEn+b}|*lYYSQeTG#9;{!vZHsdeOp zvP}b6jUI{iZ zjuxEHGq5*3%l=9|yV|PietgY0oQ8AvTJ-g3rIOooYqK<`!|O#kr1y1?CDq0)pk3DP zcBi^}<;cfw)#TISCHo=!X@=|I=5b=i)@?=aX*r=Z=b=4lrnC3+b&a* zw>#1dq&2Ut4?&45)!7m|y<@dAG}sN^$61;;+po!2gO50#c@s5Uu8m76ZFluS--+5e zLnl=Lqp_Q-RsiBduPYz}f;)2Ou-0=>k=O6zC2PAB9URD7m!}EPX_#|aqpfZptX%h% z8cDH*yt6H_dD8LLdG$6qlZb_5Khih8zLF=w@5TM~zcvNkFb%|?3 zY-$QPkiJN`{1JAiGsbpBYLnRSoNGAShO-H*xleqVHcnL8jUa7wJ$)?DdY&|+b|7>S z{&gNyRQ+4`pmJis$?bTZUCDh&>-Y$TKyBZ3X48Fq&|W&-)_7a_(&{leKd|+z^~PqK zdZ6n49GptC=}>BYz4~#;{OCz5^YzrVurqn%`gz_xoKl0K8RPRMvOhvP!)v#5k<#s$ znAoiR-0@E8nKkQmJn8P5?Q-tnyZV|nn2Py%*9^m={ayUg8Ch*-nE$E;cmzXRKUep)NmwmnP!@4#nuz-J_*~fd>pICKJ!rHyKuy7d!wHBzHQ<{q=!ikLO{= z5pcTbU+Zy=o6T{nJo8nk2!WR6Y3`5VK3VA1`b&Cd>u_OL^h77IB)nE*2Ew9xUwUVB zx_;mhpdu;~8sQ#N;!g|Ud&jHxkXOZa7G@)sf*tpd`jrIk;e*DoU@#mK*Op#R$)y|2 zj!sL#gvdl?oF-i^gT&mXa+Ayvm|pK%Eb!l)qus4Gd(CgxoD9w>2PQ8fkY!s5)EuE zAt`o=A?woZ`euXJ<_4Fz)BE?ln@6Fv62oe>!bmk{PNoVz^}c*9SsEy6X_KxZ6->!N zEBCa3?)qX0@!x}GMBzv49FxLe;OTS?sCsfXpkpN|6EY+~DUS@wfia$ff913KS7$eZ zBh)GqYZ%Mbnrqe=n5@EB81iA~y74ozaa3^RM>EW0MeumLVRZHJ=0qRD7#ggB0?3ZM zLjNcW5yMF`Z$mbBP#iYFjyZ({rl~Zbs@y)%gvzs*t|76T$xSC<2NC)}fM3i~0$ ziIu(Xk&Pla2U4RX>l7O+1T7ZZQBiR`{freUQ$|?)wn!Xutii^HrdrfWw=SIX>Ujw> zXxUyZTZf4z*aqeZltK7b$8bMvukzd+D(?9p5qyPq`APhOa)}BsFTK!(hx4q&X&=)L zO__`3CiEwT{Mp0#%0iSFRoWLC8qcxL21`PYKA-NT&6Ta?p8cKx+^u|-dKlV74pDLm zWvei%Fd^${XBW4I^<1{tvG@&k3V#@MqXsu))DP>E@~1-bkYC^AbjN2-4Y z%F^FcWS0c+(eomWc&tIc(7=JPp<)+G#1m`YYkD<}(EXWl0B$Ys|;%H&6uyDaSEVQ!I@wL*r#)jd!qLrVL1cnSNRPQkb|i$}kug zBrV(P8P^XaspCVYRwpk`!-FwLmBNH__dkZgB+W<3uCpq&Xjr*GNCFjSst^-CTIdV;B#O3yMnF zoajO$3h6%42>8@!RiMH@_3f^XxNaDq!CSvw^|Zu-=15GW6A!P0xQ|*jp5)MszjTf$ zK%!%6j(rKpk%msdih6+(?w>SuNKrn6oN3=IEJnsJK}J0@aM&roe9Vs`{M}w0An(0T z*29HQh}?33HzD|Rx-%}DX}#qS1$5}TZMN3R`_unFOrW4s27Y4)&=UnGW(r&cSo)6o zs=Q%;KhOgO4UG0;0qMicBCv6L0srd70NT1=)Ljt0abbkS?YXd>M8>JsbpSlY2927f zI=-wMC5JwDd}L2;k5YS#6>r~pUVWwRqTGzC_hDO~b)tKhx?SDqvI8>yow(#)B#3rH 
zS?RuREN5cBMiSo;Z0lNPdVX1d+dW?Z`f{YX+gt0uxF4pYWWXB+VSHFMH?Bij!#uYe z2d;X1YP+WR_b^|`(YqTq=|8&PLVQNM2z^>6Nzk+6SDogz4NG-BpWtQbC4240-mtn- zdE8bij|5$Lia%zbLQ!dzRM`Mk7ijGU@yNZc$8)2&6s@_BiLG%H%bX`2TRQC?W0EgA z7U4VAwvFhY-b)8G>f+uzFFTKSoPmdoPi);eTu$a|OJqL2!AY|t{H1dr_JfU@zkIumb;ED<5?`~q9u&V%@OaB$aUHG= z`g#B|dAAR)nTb!IeX*YowA&^SbZWcKA4;zQIT(he)*Z)SwcpQOZ?u;WBlGDm8@^qI zZyqnB8?A7u><)AR(<3TgX15jXo6}faY&u4v?V`2+v}rawI9eYFNxj3r06%jBI!Ipd z3GYH-#vNcM%o`t|erwkN;KfxyfQE)@*__$qg@34)@&jxCbq5=HuT6o}flK7gk$df( z^eCP?;rq&@VQPeyPSR|MUqS*y@^Ks2xodjL>pLP+9K~r3guyVl=6G6i9dP z-({#YKYPf1nh5nhn$yZ@jP+geX4+RBGUe6=(EI{M-#;No6 zm$_ZG+F7$?xXVcXdAm(0nijfPr*?w*d32UoU$uVvjFbocX}N~MzIs?<{D(|wGHFP| z`gj=!mp~fQm2qejd~>jUe4z!O`z*%WogSq6ULRB9uoRJ|VW$q7P{a#!MZ}&#+MKv} zC050^Z|#W)C#nS{A&Y@}Hwa72Q&=vSOErA0O4Bm>L733x~OptiS? z(8d=N;=0O`IX+0^5?ltdl=ugCpIK{Wwp8(KQ1WbgP2y;I@lk_#z1NiKnOAe#L6pn5 z9Gw)<7CzR3lqdlSVa#s|1M2`3AjAH5#PTLAY4jwiWL~e|UxA>h(i13+eqi1W*!;1) zRHAYOgundd#}>WWBs)-JM&15^l193>FlSvKDX80ki?5qG9E95rO8qYQwSk1?wSwRw z?7ey>orLlmqWUQuU zr|6`AQ1l8w1Ut@m`;g8^Qw66c2LpJiR_V@0QACz+^cQ$%HRc~)6tu@1$806cQ^I>vFbTJLE8%e%0iL6{wIto)es(y_xJjy&^$$YWJ?OOwmy`WMM>mgl8z&?*FoOCcs5c z0I_AuuLy3+0y)Lm81<)aR5z~V$gr<8_q=z0odJINb45#A|1d{?0HK zrrzSe%ukqs|G+kf+YlR>E z6g1kHgzg2MvoXp)GU;)=!+$NyqwE%tv)7CAO_AXVP|WPsNQ1)7S0!7(@de>7jD^t& zYI7MF@z&_l+t&s@yI^vgr>z#|b$8K*AYTGdFK6Pza!2cD$I&M;Z{hGEk*(ew; zMYayfhxTK>Rse}8NDvPwfVN66)yoJ$ZITZh;ZTKpIxBeh0!T6YW%L<0|B*0}fL+K0 z7wBe>R_jkIX_uG21&PR+{hjDgDCMz;MWEKaglh?3#U!*jezseA@rfKgksYF4iBs3`L**=Jmx!0lL1B4rf1vK$i#c- zoOvK8C}RvdbtKkJyGkt3(KAibTu;b!1|MST&ZfcEq+)1_6Awq_()()>TR{Z+EMFrC zDpXZ?jF=xNw+Dw%nJc$b^vhS}Qg66-sGPimQrop%4}!GyZ%~Y(Dfp>G!;H%{TqMh6 z@<*gQ1=^du&cFiF_jnmUO+x^ax4D=fZPaBszA#U|bXGqkM)YdwlW$C^4d=&BEg-ND z6qt}G#wY)KCIIyl>I?T&GY=4$hat631gWnp4>(cnyl$WIsRW!J@@^&-yy(2~9kxgQ z>D72lVGR4Haz^Vc&@?Tbs^zeFx!qox?Y0zd8I6YgLa(BBqHXiJF4)*6^!|3&BdHzP z`?cPK1&k0Y)9ZV|ojs?BP}}(R*}K&?XFq_TXOZYBt7NnFnbXU<%>8DoiQTL+%T#|{)z^-5aGb%wb;Q6+@jF`D4ocIkYkd*kj@Hxo~x5-9ta&{@TY{?2hHZFr~S%?ND{vtohh&UB|+{S2|u> z*jHrTv2@{;Us 
zdb2z$Fm?T!Dtl02=eo_0gx9!UB~C8uBCtQyJl-iNL|Ap->GbXRf@`gIS?64>50+f% z@(T2h^|WoTezDlP+eCXoq||L#aPGWpUG?79Nq?wWdwPz1c!x5bl+}=|w!f^U^>m7F z%zJ4H*Z1=|V5loA^6eTJD);$S@(keB$CEZQ z4;cGAIRo4#&Ocga+!6pc(!KM3LagZN0#^J5cKWO%i&rw=PmJzF{#(Y{yXox zPH68s6C8{QVx1Rj=1a1Nk4(n9I^Ztcoa%c9N~-iQS2NaYTw(k;g|x%2NwnRSDHnPn zDWDX$noL3CVx+1(3psPhpl8Bkp~q|*VlyLz<0z05fJ+o$wnkB|hg=--lJrvqTU@Ai zP^}FPFB8&N*k%j@I{%~P`rGx;gqgu$f|Z=5t^rzQMu`Bkx!x_P-j5vz4H>KKmsV4-~3tla&*Bd#)>Nz`8pWw2D7oNhNEO8mHKU2MZau2 zWz>|etRmB`*?_ur$gHM!D;(lLo&yrOHssQZ;0EZxHK!?yV&K#}NrN1{$GXcUB|dw% z;K|UGphaVQxtIqT_GIEV5){Y80wqOo0!8j@vxY(az|)u|471pX zps=+ri6IdP)_xUU{RHHAl5?#dDR_FwMdXSyCWq*JV^r-eeF+i&IS47s`SCC(G%_Z; zbSpYx2y4=?ce<)M?$v^xm~VtY+S6aqO|k8(F(;NsGZv@sysCzud;rq-nFWA)ncagd z_z=|)72EcNpiGCF)FTofejsQ(zL}DzR`9G%=rsugniA{C7E`HMx0W-V4T>gpr_L0t z#90~JoqMOC1#m*1x@ST;5PRZjpw$X3>qT}OD!2|o1sW&4ITPf7s@#hIk2W8j6G;ng zNI3@3V6C_s1aa*lWS7&bnNv(5z(imcgBF8EO3U%E$3Tm=;P z*_0h|A^caGh%Eh>LxsPlNT?;ry0zK=aQQRgD52soOq*D{NYPxu5i9Jv5m;BYH3DZB zbgjY~T>@+elz&E@8|wZ@5i!hjK#HHmR4MlH)>V(<`|$jfH9RMvXmG@mW@~-F4J4=M;gL0V?eql~*IwZ( z-xQb2Rob``7tP{^%kkta8TZ?*>;B`AW zbG4^jHRk=TUDL*E`&gA50Bm?UrPHx+q-o>w^|^@^`{^Qd)sZ{Dew?q}l3vw%4y`-n z+vB>bE3^K_Qhpm4I!)5HqwBtXOpE<(alQw4AR5#DwpxhOedAiXHNX$8q&O2uMBgz6qND#*z=ZuPh!@t_j=3weno0u;u>VoNqnFm5cpxZuxsw`}J6C zOe+`b?Rapf|DZ7r|6=8IkMMN!GZVOXBW%CFdGGidywy%|-j_MEYzTcE$GU7gyRA24 zWzncF@zTA}#`Wm(Jk?l2^yz|cfJ@f&0upU)rnH@TI!o=waD7xeZxrOTOg}G)KQQ~j zdb?73dt4S*5ZH}pR9S6%z7knuigDJRN~O~dR>sYauHJU69M33TFt?vOtG%D&v9??v zd~mg2-(7rPuLI^1vHsq@uK2uI+yIBOa0$TuO$z@=a&s{ip}<45d003FaTR2&Ue;}=2GS@!*~2D78S z71<{ut`GsgQt_LRxw_>S%3d-woO66b^k_8%#KBbsA{uS4aAu(jozd2I)mBg_I^RJHss=4FJd5U3wganSMc)7(_hAFO1+^Dl-HC50jFXVepVejsWs*(Eh zGL^>p1qr7brkgGDGE#+6fG>08zXQGnP4TBr8VKnm&Z3!wAe|f7Xv*yx8RRwC)@lsB zVINja;_Wr5DKUe4kRJMltflTE=0Sf`aat6QNr7hl~QP)O1VIO0tdC!veJFrY! 
zj`Jyq{3WuF6zUQCmlCCFy;6Ie-~iPJK16!r?nH*O7-Ceml&n8eVKI!y8ka85qMFOZ zxj-a30vwz!5;>-peK@A7gj-lXD^q{m8U|2nfP~Eq(@kxfc4u!RfO>CEe zB@^Z1`X`-A+%!>P?3B+~_cDATY4TTAifm?EQJ4?;NxnpnwnV=Yh&B8|&G^t17bB#x zD4Cvg;kc(>3v1T${5@#+6(X=JXJh0l>l_Iv1j`v50orw|q+Rz-bQ)mG(J#RXqgAoE zotsbB7@(f?A8R*tP=LNO5{jv=ASKZ+S_(U0^&;#=myX|>g%4k0PKss|jG4{iQ%0tZ z^6cXdfsj-Zh67llRSL@U3T$H`A{{ayVzorz)$%2*XCa0nN*|4wv1E3}ZdrB;rKhSw z_N#K#O`vbcCT`v&VVt)E2_jkZcf>D#lGS|MIq{QyAVVn8u*n z{G69eSkewBP`i*?mb~zdE)3*{p4PfAfRJsqaF5|&3>l+8$x0`r>q|e1e$sz99P&$& z4*OtJgEib^kw1U2o8v{StsT1o8XNNsN z>$^xacrY(GNwNoGxl`~26)LnAI>@o<1995E8xLPRUHJ0Cn2{X@$UflyL>CB}7UwbG zfVAteycn6v%e0#E0uWAs=8ilBD+w zD^-@SYtq7AP@=vJ_0qg)4Oo2&&q<8L!?x9+Gg>M&mI3CV?!SD5OpKPIvN}$7DTI_B zGuj1zgU|gJB2p$n%&PQQ!1R-TkrQuU!dzderUyS~W*g&kd}{jNLi4Tb?}yi=_Kv{N z`u$=&#QQO$Tcn!$`SO7f5y%#vm_BK`1^}Ur`4$v_1Q#R%_m%;$UyBBE)0AJnkMc`i za;%#~LQHPStR`tQbgn2uY`0FZOWIavx9G)+=3Hz!y-bACV%8@3Sg#yyce!miPHSC- zRO-5SuJt;RKZE5x4w9<&Se#|cs24at_$N-#@EqjmMQne6A{*=*nW5f4z7^l}~tI;(hCc6Ku2_B=VIkJ3DB%2+Ph zQg69YHe5yH-n25?eI5_vTE9+;!^r3!#C{jrqVjT_-j$+-^e4yeI8Og-*43Kn0r4_C z8|kL?wcL1te@nU2VpRM7k&E~u0@O`kD{XDOU+SB^*F87gZk}9oHoG7FbU#PEzS8tw zx?^mp0Ue!t^cP=H!!4b!^^q}M6c3Z&yqdP9(a)aO<%e0E$KILTqHTJWp0#REb$PQnG(FIJrCWwy3XjITb(KkG8NcqgS!(5INKi$&MMB$hDH0iwVH2x zwmO|(#Ge_sB{ZJ9L)|IfmP?ihzF6lyuFT5n=fwL1r8evKffw-G`=yjtovx9jwp`EW z*|IM=8HjE(5IVpK#@rC~_b9uwZP^-Y&lnz9|8F zJs#hTp4Uy`;o%UG*912Jee_{pE7#fT<@-0Fe7lmRswRIv=|eW<@F)FKLb2*f5o4){ zQ#u3Azc`5;&XZ+Mj|^v;R<#BK)*->*khr^26&D@&RUq{l$6XY?wgnsyus z12NI{N&n=KEoUD)j+_>AAKPIG#H?dtw2RTvnu>BOkkIIU8znn#%JZB$iJ~@Fy{{Lo zON$7uoV&1-gg#Sf7%gZ)LESgzUrabFtD<{R?uI?AZODCt(Dk z)1ycn<)Y-gm=MKzHQ-jTCswm`Z)ww^4*O5Q>d$3geVD@~P>1?RPac3M4SI|^78$9U zXrBgxxVep6soABSPukc>O`n>hsq>E%WO59n6DkbVTS_dcdw=dMp9Mx)1bjq(WicfD zCr1?B^MpD&3q>$2@yG&GmoF4fsHtCREy}Z~8*w>J>0avK>v$Zequz^))ST06 z#DTbx%Gndpw|bDFEIBcn#G6GCaEZ`Dj%i9_{#DKGY!VesdQ0|sm8er>`;BO*C7jLX zbo6vOc~2%pqlmebtx~J$sQqe;lray62EY*-%hKW$3dPY5{MIObTK{s1Bgy?Sn5};N 
z9CD127mHNL+6&gJTBzFPYn?oPt<#_o{edy~7k8;ahL98tC2P^=84r&Zp`7(nGFrhRyea@22oAZVib!VpJp# z2nZrs-;@vgWImLj*)1RTigEocTEQ>I1~Tp|IDI<#D*0h6$>p+S#t#cLf{p^-{L6Tb zauDML_;G%3zDWiy&U@%H`-qzrzE*Vy`!4a~D2gb8Ilrn-2KMnkRhDk_AWNK3MThF5 zHX!CR!=hmL7WUzl0=IbOa%F3{uB!#+EM;;087w4zXnTAhh*_hFF>+!rSUK0|pHaC2 zl6;D2s|LL!30W9@IZT~(9vm(gZB=OV`DROOnF(YR+7eu5Rp)|699TLEog-}CbT(1} z6uMi+#0x0tO_!lB6w}nBL+IGn+5S(r=1>#ittrdFRE1gd~V8 z22551yvgrkzZ<8JEO9%&4gfxYemO`|L?V#F+*VN2z_6j{DF-@5})dr$>4 zK0xQQ@mfK8c<_Wrx9OcCH|_cu@N~^_KlOgZ3QS#5zmJb~>DBMv6vZ9hnb>k%IsbR$ zv%KyUdQExp_jPC_6x*A^<@!g}-*UG>`K8e2+1=Srio1Ea)*O@BtNym>ozm&C;+c(} z@*3uDm-^And)fMcRO)Q|b~lw6%J|UQW!tsyj?2>`1Sk*fp0(vBu)(E+dCutK@K(2| ziiNk)I35f>kwmXRky!}`VxygEX&6#Y^+-%yH@a0mt%<}fx9S}0K<5T9Uq-&pu#Cm?0@f^!R3l_>n$^8iZ+g3g zUG{_@a&+%^jahsu2;v~Ry12u{CVURQuynkxl5Q^1tLS1Uu3Y=Bd^Kzyc0a!n&}|eq zx;#!jCB3i029R29oMzWtOJ6wN<6@`ROv?=)O&4T0T>;9cu`EA9q8)a{X2A%wJ#TrX zth~E-(l%`$(+DB9J)Ji=GoIVYt~<^#?s;!d5Vkz7y-O{htG&t|##gN>?k6utSTk;? zQ_49P+{}QfDOsQW;HQ@@6V5$Y>$0;Nv>uVm%oi`%AQ=`hmY>CowipHZ3@0e zE{0<;zMro!5P-`9WOu;b5>MOS#g4=bXS)yG?cp*+?t336R;MO+18~EMMrD@k1sZCN zy}+XH+3VB}+fmS8mENPq9f0rD&w1S!?vBo!(0npZEy-*H;C7Jx<6HYucJ zQO5M~W%`nPsQVWC`ty6PS3R@P<0I~_rT(nJgjDl;hwE+{&5Z64<()lhXKZ{R`ISgH zxO#5Glg>n>$wnjW#&I>W5k3@_ER5R8KU(408QJy*!WfBaBmzm~-^7YYz;U!Q05`IPL zb7FOo%~tJNqDWx06%uo1lJ+bh{HV3l@3(AeNKS>?e_grS%j@)dH51H0Cht)=I>EKj zoQWm&meg@DSf$YmOQmL#vAKerD=;9uOBV*s>Q-rkV7u6F6D+01Fl9R@ga92tL%SMh%Sx7re3PQzM z(eeC%Ta1c+p3HX?6%0&%fjKvK7kUFp&^-zIL7hmuDkFLbtXpXVx13Hbs!GIX@i8$6 zPx*)cRC&`MQ~kIqSetq%@zb_hnpPxJD(>DGe89x(i!D|`ka zstUs=8x(rQbRK$CRz+5Gogyr1?Cn2DVYicC7#{={kCODJMLlTn6jy66CbkFyulSd+ zo*+*-u$>;hFG~Nd?611Vd!q#kvp>CB>S*bqyfo7Ntr2gLSFW)1>8U#(kfZ_?3Hh9Xb=!>@!&plm9KlzEGf`bHnq#b?r~Rw1nSlzHOGh?o+)x zz6^8>AANclAF$tn-+_RGR}JgKK80>g4L9B&x|{4rOH=0aUKcGe+a@j12>LV_fxMkAC&tg~ zN3I)Rs=)79zX4mDqy6!_3GuNM)4R%`TnO!PA-7HN?QkgO#PRw`oN$PAy=LEQ!D_9Fd`M$F#x0I1-@!)m*x`8% zr0hhv{&YF`NZkQk-Sxcmdc?P8zGlBIhrU{`)Q4JD+NQss{k`F3Q#TA=>V>FrnTTio 
zyzXH>(fyuV`tZJZov>l^3H`A3^vqn$fOu8?etmzqRy!hk+giZUF)U`b*!jAA0q8ye z_E!MZKP1S5WcbVhZ}MVTe6PdT&Mu%#@=SwZZou>gK=M8D;9H@~4VW_#z9EHBSS)G8 zjXdW~7QV|x+RQq(8_inMuu;dt;F7!7@0cHJNh}|Yf=s9|PnIA#Bl(+~x(cl(8!5ht ztJF0D;8+4q)Dukb`^rkPUyB`vp zV~7u39ZgjOgwo7g;PrGCMSqyDZj3V!}8V=tTT@ zLtI{f&LUreVWZz0&MKF@@}o=2q5!cVnd?mh7{S2No4+;Xn@SK5Kp4hd&qT1ahstEK zR1UW!7B(XNI~kU67btP7LkadTIAJJ8V=}hO!-{(B+QLXGDW|acZB0ElzmODTCVn_& z)3;Y8HQB0IZ9uzFoJpOH?eqvsor>H%OPb{cp3V(~gG#0j)rZd_bfza)y(H2s7Xv{~ z5badPkV}}EEzp{e(wSd~B(7w5=A~qvcwc6fNSL=Q3D+equ^Wzb5{_5HVa85ATdd*% z-Qip)sb@Y`CenitgFhyLGH&~aD+^}L>erE^F&Np}R9FxN)WR`l0j={!;_URi%}k>~ z;BWc_$91mDvwFq(id(in$CPUl8ODh&?rN0n4bVhAi1kPDdK3&LDRV!|Qzhmp%-am_ zi!VqcK?ZKQ<4-h3@PGPj??-GK*$E(t%rpv`Mf#b#FCa;wgG){=(2xX2H}y|DPNv9L zyhem%$mSXT?vUJupmcdFgSs~MTfiTAyxj9!7pNd`Kiar^B7&;$PSLFMChB1!S< zJOm92{6fWC8JSL&GP|h_*^vFWIzyR9=XhvSC8}w9e&e^ssFZFpeuz%Kd6ZI$hUZcv z%5iqE7Qb0)q$A?eO`t(C8lo!-#lgHXF60-5YDt3OfkM@&GZiR-1(U%jkwb<{OzK@M zE(i4gVrd#@gqCdw%}mZ)wp6qhqOJPBbC;;u5TPgq{?aUrMoTul>$rXU=#74RCjCzQ z#{K9uek*{C_Hb$xHCo_i%jf`}QMGKe$5S!m;=Ay`dbCH8c?khmE2LhCyw{nnRu$ki zKF`sRiORAJlkdbT39eW(S0ahfH+Al#M59(c?<^k^YFOnjl@qd{5ySAgWP1uTRMrUE zkW02=*J29cfGWh~DU)q8PrFdw`h=v5sE}%1%$jKhWyk42OUYqL#z9~5Qk)?{!WsGw zg1r2tNofrIrVqUTR@nyeC*9{_^^k_A-C7QYWcUoofsr}~M#DE4K=mG)FtM~Q z#<*N+t`nWM(LO(Q*>r<{AsP!KPdD5?|{KkQrTU{x0$04t9I||jrXIFCB+)|+oqM);Ga#n zsg}2Gz(dvAd6)Z+1NU-y{Tmpk(6 zd$D@$yjb432rf<8Kw3MEZ+&U!)2;6>j#&F^({a88B)i3W#??6^FUsOn+vAd-+N9FsLZQ?vYu%lk59JBWt_K zov3+^rMczs`8X))^F{aWbGEg0%=+E5c@7abp8c?`e!+RJ+^J(f`h&0b%d+}>cd`PG zZ?#o6k5*LaZn95Xdcy$N6vZ;U2W^(Sxajn+mtgPUrZnwOqih1(&q0Q&0B^9+Ex}k{ zeT2Pt!I@;A&Q9<8xypxHY%=ezN19f+0!xq5zGr72`@+)LO+2bzr&VRnTl8M{`RvLf z&D5$+@b2sMR!m>^(>OH`_o-MMuJ1icO9YzEgIu4lEQb@U>Dm-umvWH0!zbtG)zeYw zmtVfOaf}|8Ptti;-(3|Qc?`6T8iw0A551m_ymC6hSP;GU{q&x)Gi;^rC(JP(5AlWe z7h&fKsx*xQyJ6@%y6W7X6A*94E5byN$Hh49v+vW4qyQIya?WYjeFNZl5bMjx;ee3T zs_VmKXXBo;m*XK@b%u?>`yM)T``+iIPmxvUEow{E5q{eUx>e& z&bZRMvO1>oqkUssCh9zooFIcmDy7AU8L(<3vXcs8X8F)iiCX9+8H-L6HtB(7bAps= 
z*!yMoXddU^j_W$82PU&uZ@nQo;?ms5@UFCpz(z}q3TIYkiXeXQP;vrRf=t8qwcOpR zbVUz}_2^+H*<(tNY{GUOTA&iGQyIy(~2YV$Di7HT%V?lY)kREVd|+Vx>&wD+!M5@nWpRJHOH{gB}eVQ_G5NaeS-j zi;@b#vU&Lo7O-e4!vVc;6PGTkNaltua=u}(tcIg{go8yL}f)F^w~kTw||%-lS9 z4c7gDb2ptRH#@zJdSF7#O0}VQ&_xAeKkGAh(Ge>{7fSdhuhGYTu2b*$8(IMR*G`{R z_r=M8ta<&LujSm`kL2$Y`hBKAiWP9i8|m;JYgVRC6WS_81Y_r)cPy!t>H=fdp;gFZ^ib+P&A7$(SauPUL`H2Pz7o8VDZb4t4$qopdoWA zi{U=M>>N7cmzve)-B{2RRF+S&2#h1zvW@;#tCJRxEJhU{XoaN= zv8J_D6Dm{I$uv+Vl8ax-OiM%(xH@kYZ1(iN>EhnYZvCx z_oMd5etZEC9Rggx4eIH^uOuE&wm~tq=7JcNnI3XejM~l7P^2>O?~Gy=<1z4F&RK|? z^Ln5w{SMW0SL&{e?&$rCDLdzAJWPr(+1!z#g``kRKWSuaukJDxyP@CZ7bA(7$lrnt zg2panVQ=Ay&V*C(zv_0gY{ugjT6E(k(K!`o`c*P8il!OTl-NwCd2-0$L6b3@7<3$pNxHPhV6g~O&W0d}7YT0w`XEuU}bu)KYOWU7Z9yG6Y7!f$_*;0g3V zZ1m@}GFCW_sSeU*((bedOd8qwWQDwhHij$Ik7I1KDgC+s7Qh%EA6=u``^@J1PAbw5 zCLhYp_TzZ=lSw^lWrPF@d+-AqGXQpZR}FS~*&=?sfe$m}x&mgXJGWZ^9pvT{jn8g{ z-^=R=-)>JYIaxOJ0}ykAqqq5CISy`NvPR4?nX+iqX;J9)lc%)aZ@ zthqZnHGF7Oxa@%YR2MIa2q5ikfYmKp?nVaDuzL zySux)yF&=UA-KD{yKdawZKJ{6eec7$_tg1s-Isn@Z?opCUfrYn8~Q%;7tJF{#i^Tz z(TJ&Gt?m2E_Bpx-Pji^%wStG;nxDTZ;_pXwje$?-=loVti3T+UUCK6XFYU5WoFHRc zkLrD-wP?LZYr9%iPrrvSqLWEc!8)Jj=Iq$*Ez1+be-7(@*$ccExpw;D`3LFSp~5sN zEj_Q{oh^{lTqYMI-IghOmxl+)9iaX9{^G|L4X(G-R71#`=jXQ6oVeVM+Z_2z0at0P zo`40@*@wV~>#s9No^NwcoIEQ%exLwbLFPcEjfg;DoS`IrQa?^bsWyN+lE^2yIMx6lx%E#P$FzqJXN6vzHPo=jWy zj_0#M`l`DL0;+BqTwDOopBBC09k~9rV8UJ1Zg!vg+Ah7L2OjsZ=XUypIO0F`D(;8M=)Uzn_{m8vG9UtCj=)6ld2&DWSSd&`JRexz(p z#4Kc^r6kdqc2bZ1;GimU`8|x|MBw;n=D0e;f^WJ?-!FXDV}VL8kT0SGeMohm8lKhHUB~=CKi(Mtyr0L>Fje1 z80mDsLt?p$&F~nBA6;=men{?BuJ($3$>@~jE1NXx#c;Sai!pjyvfalg#c7DA=;>9$ z;(RxxKYT3S4N%=`qivVso+;nQ=F4Yq%cLC|N?={oq3{#Ylsn0%W$a{LO=jsD!OEm>5d$tgE7J1xOSm-gW;Lbx zTp>X@fwh9VghB@}0eMtq|?D?42@$+xQ!6@n5MgN|4Vj&rj!0{YDBUm7x$(`>l$ zuWl@z32W3#)_uXS%2gpu4m@bInj0T5cW>l%UrNc#$yVi6ZChp=4pal^zuqS5(OzOk zb||z^Z61UboKhMe1a^WmFH)<Sdx)$W7fYog=IBf+RoH|kO_-S~?jUGTv^ijA=x zj1tN^rO0;Kx)lX=rPj&~8dD6G3XQ0u+lmcll-#nzs#uvtw-Xu(23hl-4b-J?vqNV5 
z*ZC`?(`pV_%0#~Jhrt%OEG0{1qp;d+y33ZDw2`bW*jTu9dNtFxmJYqL0!e0a{3zZ` z(0LrJKcLbzW~uiR34yT<+0-X3MIxC<82(l_Hnuv#1bBU6ULnn4TFvVzV|2WaN(8@o znDda~2`pzvze{^kHOVHo=}>Y1q$_1!Rps@ea70o$@0AD@1yT(c+9k~{=GhIg@z@+p zG=2-K_~>CjDeWNME{`y+ULbH|O<5uA4DDkg=(c3*@QIz^EH@d!#Du1Cp?6O^g+V={ zA|(HkO{Pg^j*hqdXXdkg1-Jlf7l9n15X1S}(TVdBT?2ZStl~0a$9aG_1Mw9Hi8xre zdOMb~{0hqne(FL5&0oSC#E>jiE58is|FVx&mc49YiDNP8qvrotj5PSKvIIzSYes`C zoLE;=j_80EH*4qPavL(-L|wl-sEEg}@coet7a>ndIBFX%t2Nn5`7nA4o|KArz{Pyi; zXfBXt=fBe{>Subj?B3e4X1>nV&Vx~i`vj$3e}08Q>ziG>+MPKOJmL$qd)S@N>^B9H z4?mL5Y_<45zco58Y4-vuUoObWZC_$*!DYVCx0y?^oj=$0ygf_JYxUmRZC^fVC8yIL zVFyzUlzy&ESJ-inzwQz-1AFEj1Dlt`ZQpkm(Np!>P6gh)1FuhFYXUFV(S1f^uyf6` zXgZOJM(R*Onu=9MhHaC{9{)&TgE4I614-MJj5&QYk{tCAi zyc%UIAWZN7?5P0UXY?d2;WKvFJ%1mp2iCeO5`F9iteiKT*l04m?HVv|2V8cCX?mNa zI|>js2L#;FYPvfboV|=ZZhjGXc|}H+%SEnzy7f6*4iDxKYXMnJv?{(=^H=$M?WZVy zR9y|0+PSZQI*~ozE@fZjJ#}}74ZG_HeXUO%RNUgRWxN z2>5H4pX1TVo8%E+V`TdW&)xJ|%ahnB@J$aN7;qxtspo%H$jjezkd1BGAo!ZUWW4O$ig~}6hD--E`bft?b z!q&uYuFA#zrzMk>OGaqNLIG4ubqarUHSh|^)bH^~QD|er)U;|@2I2+_)tVKM4iuDr z??wK4J8;ozHs)i*+P9Nn`igYZ?L>!Tym;$M-N3WMzY@R7*Z@8fT)r=y4wS9e54LkV zdCp&>m4&#+mv{;rs%natAisjfHHl=ZPV8j3 zG9MsLit556F4YblTHP~0v7{0r-T9@hi0;}v2*oeO)m(>(7-ABW8O8k`E|J=6iHj-% zvE-u2zq}$Azsz2;5Y3#;h1;N3&CJLultE9-!kb#oc!7Z=syL0Ry&+D?y+%U*O{6a+ zA8QlAt`>NIE0NUfJ)4qFhoEvH2AQE#$@nnp(~jn4Ul<%_5Msx@?~$+FSSd$N12bg+ zU0V5jiX`zHL45M&;4qDhw7ahv8xDjQlSU?&t##wzD7I7-ok();d49zNbqBvJtQA&C zr*N_R)h?6=Z9%wb5c9m$Lx$O{T;nPq^zaiR5zS-i7@5%ohB$ixG7N#s*E-TvLL$)zmZH3yh*ao;TL$4H0$qoRr$bXzZ) za@FpvTcC`r`3-Z|Er|ZuS+dxao|Pj_ZWK(qSojYaF$M?$B>El*|mJ|=mE%QLD`0In6_y6|-AhpRoLb2Nup%V6is6EG!xCGXHKx_QW99uTW@jrB2- zxqPPRz-qWT*=@Q8tkewrusTb&mI8L|df?ez-@`xfDtWqwdf86-U4#(Pw~_j@bOBYb z6kGj-0B6>&FQg2wWj))#)7Puy!1vpH-4Ewf`_T!89|ZUNr!|VedxH)eUqSi{&oyOT zipnuxwVAC~OWs=lHGe^PjgN_lz3;a4-A+#j20nGq7xIqh`X2)moCqB)fQ;M5W%sG< z*p1`+=3HK%F~RrKe8xRNU3@`p?{s>GO)o%Hwmy-Lt!vU-$%9hYI<)Pq$oQuH05r{hyY%;L+eo~;@KjvE2hDE& z$Zq||DtWHW`+R%+<8F|EWfO|CCSRaq7!p9dE!C~l?wq`@IjmW&9(b(WVzO#+r(7z2Uysu8(yoj{b7|mh; 
z#tI*2Zn?vAa=o>Xa=bl9AFKpkrBEL6-<`P&YT2}VZVSA(xIgh6*m+;bEBK!M&zzG5 zc#Ig_1-6_H>`8j&1EF)O_1q_KfP<%P=FK!R`$bel1scIp;M;eikIxF@qCCwEUHavp zPu-{Hdhw~b-n6aQ-a?I#B;&H27FiJ|GH}W}lDTA~Ey=U%fAUCO5*>&z-NI66n@rcV zel2OM#jC@a6m-e|RvjH><3pyIKt#Y<>_-5Sp%2Co?zH+m zXfUOv(A2T}=1W4aP_mfzoxncCEh~TTrQbU2my#9r9v8!8f!nCi$K=W2y$n@eSFGp% z8O*KT&QZ45&BKUhAVC?XlHjH)Q4T4N$X2ihnWQLNcsS?PtlZxk|cgmHf0}GOjZtn7XXqOr(JZ5}lW;srZ z80aH(t$fmhfs)aPy)^O2#46FrOX*5B>6j9KDu~-=)U-=y9S-M>*KZ?{_NmA>0@f}n zWK3|ii2E)oLVQznPw_q#su2}UTx1wladFN=WM2~=JAxO*t zl_1&Ka}o7Rb62VmHYDDX$3|x|J+N9#p=1%4>S5F!|X>ciT z;^>sDn5ux%;e;grKODCC*j45FnvaYG$7ZsWgA)}yi9 z;Nut8%RPZMmqR9^B$1$#MORvF!F3WcZ{LvC^QlmiMhE?ruxcaKS)GBSqm13lX zZ`z!PTP8eBj*lqarB_j-p+t01;*=5|>b&sNCVq2LSt0Ytt%-&>5|OJsQu!$%Bl#~% zDfPS*A00Lx#8SSJ00rD_9nZ9)?(1Sjf-)z5owna;k-%gG|8HHlSya9QYpsxcxzte>;|a^2?bjE zqV96cI?zfkYGRe~(eTT0qL!?a55%s) zrdI+x29#$*L99>^4Q8+`=Bc6!RV8%R87)_<(K| zL~A4){U{==tT0!wF*ytNrHS#$V<@7SPN6C^#Yjm?2v$|f@*Q2ulgL%0G#qM$xpD+c z7l*?ZB-Zg7@Q|X*6x2OR6LaW4Ctjd%sYca?o)5?}mI6(arwb2*(G71)>kpdQf?HdH;Huiox+d3M^rLgHwyt}M zT7&LKuFfq0f0OlH4bA8PFavmM0Ct|SP$A0LQUew>*az?)!ZgpLc zjalQ(!OxT#^V&7R`fm*#bJiNvJ=Fdc=y9IPuidvsq>vmVj2X7d5HC)AL zcGb7McQ&__;kV6Uja)ttidyEnjn~%r??!C8-1ld?-U0X>lRc*c&UQ=x3heD-rUDlGD7y%H_o1^eyj9i`|2DC~k?^?? 
za$BWkjpAuv((0Y!?(cIuy^9uy_VwX9@>QqR5-ajS3t+t6`|R}c1K86sWs7%y^Ufwa8wWCl3up0QDPssrqk9^v?Ta1+7 z|L(Y@6L?-JPqHgg83~45K^xTXs0vJ8}9hyyhIaj1V;3An^v= z-+%+&!IW>ve68RO!AgI8a1i;oY(LO@STpvKL)3yI;>R)Q4tWOr!uN{YPbZM{Gv4w^ zSXTw?oH7_l7bzL)zM8oE)82huj$mhrx_`$;VTH%K*{Y9Pr}Y)>I3+_b$(c*nQMvpt ztF?F*h52nuu$wdu&Q2mT4g0~V*!S>Nlllr(g7Ck4FIog}l?_WGUgOf-qE%|9-`e=> zP|)cs-~w#K=3UrVDjJ(kEWO3pseX-W&^(M1PA4G9U+MacrcsPwxgs#Ivsam*%X`im zyA4lNkSfY;lbmUAgqbWXsk}j zqWpUtNJ&~=jgZZc;B+Wn|MQDF4t}+z^1HcJ#ft|0e5TPr%D!-m2E&PJX&+g)8er`Q zRy%_(@rY^@p(uexQL_<0e$%8I#W5s7F1A2AILzzVUBCTu^3lrzMe`3b@N+n z6Bp;$zkHBULJ$GZFQcD?2P1{cbagx~wUcb@MhT}YSy^*Q-f7b5YDvGY#dg98*?jAD z1|Y5?_R~C35#SNrjAmShGZtvfv<#C+w1;ASzE~Wp+7ZFgFyufY%I>Nl#k!x^alLVy zm7lV-a2{Uks7Z5D%ixSfWMa@WD7p-+n-#g)_WmN5xHOubPIig;CV}zOA&k_3K&Lwb zm6l<^)SnF3nxFHe*=`5}QaiT^=+TJ*`(fgZ0GWf5s=s!C5G`RWi+FwVZMsz;9*lt< zwmSQkiIU08B*>}>zVm*}B~Nz%oeIjjfE1@Hm*n(>mBt`spfzj?QkJfY{gs?ZN@U2H zMdbaYY+r-a)oqye&tzb3f-6Qc3U!)K;EOkf2IUlj8X)tE;OyhS!1nrZ z6MPdTO&L~|!kd7?J2(B&Cb--yJQQ9OFn+$FH#aV#v265Z!)+?g1deG#?SUgzbsVv3JW)(<2Sa#cIN!fIKC0ymGRVHKh^Q{rTJXF=49dYh(Yf4rtJZ298FCvGp*XiVgLI8I_)Byf1SP( zar3+w)$F%My$?_!6a%5ItpE#^FS~D#Y3cOrL!pP?#BCJ|=v<1%iR*7jr_(3KNTRJe z(Iye_*ZVNd@_)mTVP&7uA(#{VJ_CX*416HM(K{C${cLKNF7$q+`onAnre}ip1bH=L zH_l#C1$G1}11tO>@^PU1sZyqP+c!DV<$GhcjuPF$^R72AjL>iS>ys-F`8UfwykpS>I*veThI&|Nhc)?97&ZF~~Dk&nF15 ztf_GDv<{xl4iP^CyOeuoEI1xIU|w$VrTV{d?VUa4_^w4}_c&d+cp~Pk75yS|RX)fs zZm|c{X?{WnE?&8LKiccxhDY8*^^dYzvCjV(bkIF4tF#I_oj*KPfiC#5UNviSRD13Y z*#T|N0}I%CvW8N{sh~UiR3KnNUN_LSPXVvnq11Ez=$Q3HGDLJ`G0?vct~R4rdwacz z8}$02i_zL?3g{#R>_*)y26UZMj9%<*7;e4fc&=zS;WpivDgxRX!BuN#niG?rH68cs zQw}-<+^#2@0f3QCcQLIJ;meQ3@+*N?T_oTBZoeqj;uX!a?KgpYKg7>QN1o-@+iW9w z+Y2aDe)7ibEntGx9Uzz!t+;{on(P=DByg;K+Y&U%+jq3C@>kf8pNhT7EIi0H zsJoEh{N^d>_j;qbRX=?(=6#8)_~$a^ZAMYh;~7>(CKXV>oT%vNoyErgdN#Ae4gNj@ z6tJp(ye9x`*(_lby$)~|vak5My-?P4KH%T}y70i)17#+*=$P(uV^>3CD)e}6K?At& zJ2myA`FpN@KfE@-j0bQ=3@jh4T)K6*ylzbhHt3z^@6VxsTn|FV3fx~OFQ0od_*&(^ 
z4tb{Xn3n5K^X^7z0%^8X)>b<1is%WoJz}!uys}+?Hy-7J9A)zdm+oikGxXF;h8f)&%y9nlOyeU*Uo0= z^BvL00FC8y7=1<+y#NSx80>ok1~Y!%?<25L;FX{fN7U31Sh4U!am>E!Id(yEGf>)r zvIz=re=O_*ED=DFsH-v0g0DR}d8-iK92JH9&w=&NUFsi&cNB2?bj=rK>2jEv9ww7S zzsZD$H2RmQ?XdR;{~>D4+d>8OEUW~-hmXqnqOOg&FA_!tdvC;QBzKT1swKfg4fBti z45VrWCZO(EWwR~wb*2T>JT$JiK%Jj=dwY)GP`q=gf0fxLW$ve}pM=BNu>QoEySkH) zp@VtwX#dvpBrh&vLt`iLq&NEsf1p}2{#Adlc9o@Q@$}`e2x&ZG+RcOd@GW(WiF_6j z3ta82Yt2P({upBsVXyyQ`;@0bLPO-$9R;pu3OT|K?3&Hr)-94LDetnW2yB^mp$;i}m06uT!{mzdTFcEulUL&)J>fZ2Yt)s6y2uHyAP_ zhf}qno|F^Vk}%1bE>38Yq(i&qzi=>=!Fx>_(LM`4Q}#j`y^FN`Ax{&^+UT9*Jkuo(uUe#|7nQLq(RT~|4KpiG6P4mkgbnL1 z**+KkBIlmxJXT)TSX9HcBksPqaIJ->T5^n9j)Mq0q>4dwVWUo+{H%cDmQ3^8xQYqJ zMIiO7UHc#DAK5tE^#1dg%Ss0KbcN)xo%8@3SbB(wA}7G26ucicl;zX523Pk=)OfzW z#~%u)wx~Bne#Pen?XZMf@Xg546?v_=$arEDHYGTqJRhYSu*me*fwXgH0ZG@~q*hWH z*;IhkRBy39O{Gt0CR>cbRe~v+Bh~=B!X4C?iP>Q<3|)Y5KVLM3O7rVgjn~?mF65s| zauwRrs!OA(NU=b!5$YHj#__BH#KS1rQp+9rB+P&v;-ifhJMv-JA6O%r*yog=aQ#gD z(c{`Q8+GeLaQkK6<-kV-`cgM5vN`9qlSs@#S7ybq5Qc5ZFeQ058=>)Hw4Ui`+i(u3 z-B74qO!X*9tN5ENX93s?8KR*gwfv=JDd^uFVz`p-;S$F*H=~%P|B1TiYQk&*N$vc2$kuU`GC;^hP3>XdCvK@!p35N@US2cnKzj zr2S^`Fo=I0laBpLN0Hi!*Ck$u>@IV_tB`C9&v3Ihm8sNkMYUQ>RGgq828TJ~l*%yj`bNeCa^ zihr>UO&QW?b;S5A@b@3KkQR&lfYMw|T)5Oz#724dxYNa13wYUAa<~ z8_r+Yucphty5?DKwf=DD3?(5PYyaIDRku8dxkX! 
z%ukCr%ub{5_4cAxk5)TyzQ!_TKBGzoNTtz_UR9H*WOt0AIERtlvCYPuzcb~|lrDG) zC}RJh5G;Z-^M52{iJ9CA@Umk_f-XV*;vz#?b{igZrcik5@ejP3ZrumdxghRc32PlKYYrf|neIu}aL= zPb&F;F6~T+(`}3nibfq6(~aL2CSg7Gv&=>fX>?{$dapryPbE6ZUQ3hC>_W+y7QzDM zR2Gyq@*5PWS%2FqG%p->Nqldnr%zC`{u1p+m)%IA9GQ{AJAJNPV8BRrps;Etgt9W$ zhOeu#VyUac;^1OTzjK!;BUmP>@A~I@q3D}g21_KT@?ODg$f#yd3X9f?gg3xw(S(QU3H3<%1|8LHZwxkE}}IM9~Ir zw!~nPf2PY|zJ{4crN_u^?ACyXMXM-amo8%mSFk_2j*a16$JtDsBcm5UU^hIb^>uv7 zm(X>Z{^dYZ*Al!mV#_ahHSIdY>R|A3CMn=~B%9g!6x7^Z?N6jtH>1*e?zG^DWQg8* zg)O<1uwAPicq@C2shLY*ms8W-vORVN3dmeRMxg{YJ|ZQoq^?_m?%woT?w%NRuWpYV zee4$yR~%hh`JQ6-4ek8)*VzL>ON{y-3x_^Wxn|Uo0`A*=x*>`maxAvGSja=={0f2& z#cvGl&gqE3QyjV$b=5bAc*Xi)x3_V|EZ33r{+RFdKBrmU59&S6k3eK_{t18Jc`oi* z4=(sM+Be`H$jhMf#B!F_j0B#h7VLSb8PV)9Pc3c%n6q4!eY#sWkGusWyyjjgtVZIT zyZn5Sy*ufAX0KfXC-gULbO)>*$57U8TwHw2aG$>m${E~T@`wN~uqodkD`D!^GT|Ks z?loxx0}VKQEv!e_ukmWsu6T0EI1H~{yFIsNmfOI;u;B+UD-GIakdb(gQ<9OvbHdJ# z6SBGBL&)!f?(acEm7eyXx57?i-zvZeDgXmJ#1}hnWtxZRHV4!2&HgImJy;OD#7s-q zrCf5wa|aPv>|eKaID&Awu~RLW>o)g@mqncOuqhEnWLF*fe%d+VUk$h(zuI~lP2}YB z9Il$#_60jvUbZ;zpQdW~nmmc`67+*40q;koHJ%MopH}dyo({>Wj+^^_1+5Oxx7c1@ zbK-a(0omUx&N>HK7#)57RpZ&etfzYFJi!zBzXOQC;IRim@DK3OH29@yW277`UA$WL z-d+h7w)D0cTpdayeVCN20;fYv3T}d@p5K?iTv42)A~>B1#tG!r;P_iv6|kzypmfQ? 
zGMPc2S4mvO*KU~k_OfgV8auNRh!6$&ULPNX)ZzCw9;9R$*}qYZVpz0;Cob{U`OXoF z#WDFw@s%-fsE~HGxyP8L{~{$;@c)hr(~N37D^h*?p}#yYUu=HT|$gW^8_uGY6kVj#MRK!IHs!G`!U_~)GErzuDL z9#!-A))2H(bFtohzJUIQQ?;`QauiyuQw7r$uMn0`-(^G(6`|7R9}8zrH$X zuJyaBI=)F&xm1WG=J+eLmy@QNyanqT^@-Y+aHE-bGJx9mN-H|^-kzbQLF*ooS5cT+9@=tF}^p*r}dtd0!r_1$43ONa-TV!0DC zB(pyQw|-~Pi07QHe#U~mp4+Zmh$J~al;$^2z*kOHmqvpzOIKBH{Cx=k>9Vg{33>CJ zNB&?^nla@K-c)2#^J$1d#^9;6?l(K_%RXfpyW%L8HHW@6HF26&U`8tA4TpGGM(_ZI z;y?A$YNnvXAz?l8shr*w$?Vld%a317Dt_Ci_h|wXrV1R(&n`4`4F*vQj2W&h3@mPR%5Y@q4Mk_W5zhgvj_!{iAjEb(#>gt`^%%jQ*Qj;~-9@Bpj$ z^}uOh-RGIn1stSwfx;#ifMt+}*qO>U%;*Q&I|DX>WJFaN^vNicaX*naJh<)GZVE;y%s2_E3`{?xlNvSyqN5hM;0BA*B7PHr8 zu1ZPL7CP%jc}o`?e|m=YA>R_4m(<@2(Tl4$?n(I6{PTsIBEvCpX4s~g9$m24QY?~-Fq2pbZ=~)HW>x47yC&y zcm*af5MPYARlWCf7`MBx`&0uwwH_iM^KLzJwq9>d9kuU|GwzqKW*)nrU z6SzjJLA32sn2r3A-gWLmY51D0Ic6Vm$ZR>m+tZNIzK$um-#cB3pOW3Wa!`BKv$){v z|5n7wX>SOrGozu%cXKM+>qysOfqga9-C9e$-J*MTk7dw&>S#FkO4)PTt=@CGmYMMJ zFuY^Qx!pb_yMo>GG{v~tau=J{y?hjlvI4cD{~EdiM+{4jkQ@GQVw%w z9lS2GTkRLx58Jj|G~@_dxBd2ujskDz{VTg0HWGE?pFq1wZ;U>NYxq7J9L1tN4ZAdy zJ#HtByz%U;vi?Y;ac!}P$hVp>P1ZTV8qSl%AI?E9g+ z%a`fSPd3U6^d;Wjylz(DjIwSHBwdHw*%c)oKIpQ;aL&QoVpnwg`SvU|I(BPUnYRnt zAU4o0#@&p)`GP#eJd2>mPnlNW6uI)e-smm3$EmMyzj;o41Z=e?UK@DU6h%8t?aB9Y zw}e!i^U>MJ$>ZMVc;2BYpv3o zoG4)@AoL@QG<^-gH!A%q2?X1BtO|gFz;1$`AkqWN)S8h^Uv4jd>5rpA%Em^$78P9S zzfj6DP^$3C%=-{L^Fd)+=@$>sO|w5dF0_&M6h{IwZ&YM(r{l=b;Y=lVU{(};jkP(4v=HhB=C)W@9y!6|Fo_a3``*P@=qD?rc*zo#-ba1CQ8GgS5f4ZvBWzHjNFx z5J0(uYr1^ASAqWJX4C=EOp=y08A;@)%6!dBS{5ETmNDF#4HphmlK{?2{9=)A>wyH$ z@`CW1ee@sa`mIR1Uxz1(KA>219r8B19}H{9$Q|Vw$(C6Tj&QzJ>NbV@4kkBBwG=Kv z)~YYk^#s;vXANaM9(h^)Ukin!9HsWYjI)=DYO_EmEmYb%Ku1GHsk+>^A<64$BEdoG zMW46exWlU>WltNp)=0<5^7m3XVW5eHRK(p7D_*&8i1|hjna9@^e4050M@qfP$XZm3 zU`tE4Pp^hcinV0ooElZ&q5a|*@z}G(J&*yyp)$uJt|#q?h^nxLSq&#P+e8&h#GjZl zBR@4N6C{5y#D^~gq*usOpa?bfD@ZSQ%g`Q65qRJeFF8q>#F!M33>mv~z}%|WY+hkf zN~76e;x}~PmT}5)v%#Cgh0V$$~+ACBnvm(l~0edD>FAkV`)HnoX`TSA>V>K+64?>kwWp#*R+yQ9)>ZQFF 
zNepV-iV`Kyr2Fq^whv7%j1$rW4Qq4N_=wT@=Xs9brlKX|iyT$Xza(0m==~-0?hznV zB{3v7&18Sc(Q^<{9!z>gmlTzjSB>a(82KVuq-vCn;VL&*)FDqZBE9A!tbR(-XP)^` z5&umB2gatos{YhzXI3mp{FvwTsTn3#?<-EEM4?K8xdwRVWBX@GwBPEB;054WF_>(S z{4rNM?9~@s{|g|9VkJET34vvbikc8oqgPfxWkFOZQffukvhy!AUcCGvdVN%k?C1Si z0AdAv5`lS)p9Y;L4~l)bciw9MaLa^_{3xu9c&nlY*?7!CJeLy1JC)lI(~gB{eZmtW zQ9Q0fOvtW_A~b(zI!($e{};+xEOIDmy^A-K+{{59hXFfM0&YHWH;4sv*X9;6Ps(aJ zZDWFTbzap1ew^Is8;f<61w=!aOoBvRybwWG+BSuUn18WEk3BM4v%|7=P@Uy zBE(eoeC+ucDtdUbce2;Mg+S<-ClK7x9Q@sJp&>lZ--a1yRy-LLx|C5Jr+Pgwfhrn( zOv>cHkLocp4LPOCks=RZ87Ka-lD`_Te4A}uGj#%Gi4$bZwfma=|B}T%8Dn6)&-^=U zIUjiV2!2sp|NbGlJGw6j`MG$#1<4e)vlhD}IBPi<=!DVF!h~QhPy*Il=-k=f9eM1a z<@9@*7S$~15zBqwe7Z~nowmz*=s5PNoK>~lGt>f|{&h!91JBO)0X~c68@!H$`Fd_= z8lAPxCylkJ0RP+iotY~;^$t*fCj;LO+D@#XjwWs{N*3|CTk;s+qaSz}yKDp-E>qtV z^mtbD^jI=O=sF*ytFN*N?nJJ=1ro&ao22UJZeIO0r((Oxc6#Ti%z?V-vN=k!UFm)N z=cxBk`uecX4&+okxAz=Qxy7ylycF05=zYM}Eh9U0|MUz%2VShiZn{pzUwhTjpqth4wQYGpztz8nfksEbr_QUKg$To( z=q;Zk05D)=n>y~kpnl00SZnXWp)2)_KpQB6+(H zu|L-GIScNw{2L1CBucEzRCIXV5c5)axY&IFDEsbuTJ|)9_IX!wyX?a({S!K2(54*IA-&e@-5gf#Sfnn-1ID``7pW9#149jGN3JGXcNRKIPrP?d88+ z;JM|Q8%jkb&y8Js>$g(P0GKrJ;DjdF?3UGkq;ORnU=nM<#23@EfBMN^nbP3|Y+cma z-Bz#Lubh9(jey^7z`1(h;DFh{x=FovFx&db4N<*4?O+(b0x11~h}&cguAvPnG#PXR z+5Slzd<0{HgDg^Ervd`wNFT@_a>o;%k!xA7`tDNn7+I64k`KN*sL;G(^1;wZs08~2 zcclMPWRdzV9F^01GbiqDSf zBU#7EfeB+=+J9;Oj3<>-1aT-SX+G-Mur`z-Oq*%@6ujuiN>g;fsZEFiF60+5vJuMG ziS=RS+JN~ZKiE#R$h`|NMCgZJbjGt=$QG!Lmkg{|)!bI8U^+O>zIKtsyxFAOG_SD= z0Wt_ZBZaGF;G~-`{w($?;krah+o)C}b=W1w^0-g605h^03w}k*y61@`eb1c?94C)p z_u~37PYtx>G0qr5lOLoYAx$8bd=ACwa2J1QU@uLGf{QRoWl!Eg{R)vKlGJ2N z&^bB#Pi?}rSubBZHvygPGIZ)UUWqvL#jg`K$KXvT7@LpCgpm=6;^aA1BU7F4Kf4nK zP39bUj7p70=2qq6ey7UUqgMufj}htM9*m!@k(LsLn~auhS%4HHgvA81Q!nQQ{hF}k zZ&?W|QEx_n6oa8Jk*~#PWm0&BUNjAT@u{ig=*M4TB`J!>9CT1RuPYD0{eIB}LFTo2 zD%DjhbO6D1lC!85ks}YWR6e}O#3}P;Sif!$M{Of#2zcVZRv~E-w9E z%&YgWD~7OpW_wW*rfM?uo%DN{4!%ht0I}Y0M2wXP%>>+>0=0dYi>#0JKKVM6AkX=! 
zh5Ew2mnMvyuvGnIIEEzk|1}UGOcV)|C~n08ESmooKDB4Bf`Q6~+K{5s2Q44#L55?G z#g~dVWX=CwqZEg#5n-0WLrPRytu_20tdH!3SvdY|Ab$;)8Y*Mr;5{xVGI~rgI$zg% z2eK@SNH<9*+XL5|5;jN<^Tb*qNxa{us)(I?uv`WOi>h=Z7B(BzhP?)> zZ=nR;Xn9p^VF^NhkRUIXsylyuF(xTxMkR*fNY&lYK5fV?dyma<|A)FG4u@2#+kmtS zd41YtC`7H6$QT|;7EIkfi(vXso3Bv|-u*2q)-*quZ{2tPy=PxM+8|3VUeIctL@uUY6tz{u!U8h9OqZ$4jTENf6Hb7_VpYlKXZ z;;s1R?93eL$CoV4o&7ZwK|2i!x?=v64ML#yce(*zRf&J>&bx(w8bO(OeGEeQ-*xgG z;jz&r-6>C;;b=UszX(M-CVhBl$eqR$9y-T zUR8Ax*@S}9;`cV7bMK1Tj*#w8hAf?G0L@fZvm zc2X~SQ&w6jYoovqV*ZZd652hfZ#rwxwu>-`G&WO{;fn)$3hroyBTV+rY9y=15z_AV zo(Xsn0c;dfiN7-v6aGHnXAndCTRx7mAMv?Pv;J?m3+(7Kf(FTb?r4Jqb7ekDUwjWG z?&qU7MQCwWCx+lcqM^VYz+LX<=jpn|^B$~@jKIAWW_Z?GNP++{~m@&O<)k z93b(Z=cqn)UC+5XUg?p2oC1j+6|r;LA3*f6x@{x$XI0NT50Z>N2a&qlZHrsBTec6T zt-jG;a|Lff3Vf^YriT~ z;p6(52mAODpAYtXXE4XRN<*BF8}GfXr{f+`(-kkm-g)cw7|5tSvDNQZ<9haiv-9R= z^AZ5w9qzkQ^oiecNYo9m?cx?<1gR*?U{ya|hOBfoKHa5$8gM}&Gq&#HT~sULxB4|#a`3gt^Ltc0-Mf#&bDqC7ifd-S>U$5kzf9CH z{oN4OxxZL&?3wbpX;u%OqLB1IyT5(P_ie4NUh+BY5DWkp?^oHjq(61jV+DQxrMX;K zjI`AzYFg@;&)7KyP20Y$oA1-=9^tk7id^lw4F>=;`)3V*Zig|f)b^Y6W;R^7-Ph_^HNOMN2Vm;P*y_opd?)w^_H z)q%sye50m7vhQ`+Ys`ARrQLJ&sd^@$;i#}wpxxN>15?x6qBY?r*`7$iawAp%v>gl1 z?f%$ivSI)Q;$G}OD~4%8?cTM3Gx^NX?42*6T^s!_3*QuPW8X(U-d|?U8;VU>CX7)v zbWFg;pCfOtq}z|3+yEVV#W&O7qc4hdKH-xVYE{@l)`*W|O@h=*>_1ODY}aat-Frn; z&y2IbmI)>DDBBgvM5rVu{OHf)n*Jg;m5DX>b0LX)l{EObS|f~=jS4D@^-l6E2?dMH zN@#;_oliK@z6xpz|F{EE!X7a&vgFJ15ap5^i6bY;rz;pq)F`uB2Z}Sq{2)(&Rg>)y zS>nhEhQ!2ixG73%^QtQ z?n=Y8$=K?Sopfy5=yYt`X2-VKv2EM7?H${;_T#4d607~KmziaiM z?B$9~Ma;wtiVON2aSDiHo7JfdX6a8vb|4s{>)d1~|G4PTo%?FgwO$p*_cem)$o4H{ zQlEIJQIi~r7iJmpi<3Z+3@&F6(_pdVc^Rif@|R_JNI)n3Wy)6Xl^2A8-+T2&7eFyA z{L=K-IFjYBreyf-@8;y}7zfpL@IVsR7Cki;ZKaF&=slduDKw6qWdPE={!q~I{-C7T!Z2E&~eKn&_%5VRN;i@b=I97?R@#zV8fX zP@k^vJzVzmOOlV&3)T5I4~!>T!fc03LZEY6;+DM}vlm#`(B!$rj#Ey3!7u(~W<2rJ zZKfe3_o(QPzhf98t{9C^6?PUfw<_*YB|#mSEDt*4=t}Wx3qVj6l&e@3mm--p3lM{8 znX(tfH-6~KR_ulQTfSjyfFuNr$AbaOMq zik?8msY8Bi3G%NWeo=+WtNQg&>O?;*&e+<6ts|;EVP#Z8MPRX%*U59#;w4Lt>M+>f 
z=aLo1ifFZW_kZ9)knzQIBrvNIq!}$v2W4kkVLFsUvb` z7(N>~EJl1vvXZ@%vC{wymCuGfsPH}J@E#`>X8sF3x`BNNcN!0bXqj5Tch+xidpzuU zrM{bUEr1f$#~GB%`0(Qc`c(@k)HmY?6r{}7(vE=W`@XOA8`q^>vhI5iOST(zKG7K{ zB}^5@@f_^Vm^uy{E!|t%vz)IHEY+Q+Md+!B$sSMZM&CN^#(KsReT$EM{;j$rpvA@G zVDl{9tTN?QgP7a6YP*U$>t%Y2!t*4sEyudy67y-UM}7UUKB=tfx)Jk3di{De z(A9i~$8_d!rTsC8Vf%TVyTGkxC1l1e_CxThIHml$e&}kvUDb3!X-Ef|$+mk>azDHy z)uy`RYT8%8`(gf>-sfxBmKv|1rUae%pKds!Z;(b)rw8N154W^}IFmdEscY z(Y6zKRQ}JYAmgz9h{B8|QBBbYjrP%$5obTzmh^va_f2o`zXmu)h zJ@)o}>>zY^E4q9Zji9M)=5hS>5b4TI(Y;rtw0_~INr_hTxp2wcc2S;^8CgB#2dJm1 zx)Hul)j8*}markoskyxCCAp0~)*1S8e*}B~1hjCT3?3GZZ}#}?dRRd|{UdQ{HS6of ztep3{npA7ybBuPU`9#|&xZyi5gh%f5y_sGf*SUdTi6Y?qs*3!wX%eC5c?^qe){@%n zXnS^1`?`xBVQ4M$+K*jnJ%UzSQVPv}A~K^R>AXAQ11tb`n^;`CcUqureeag`7D{OT z=aE++@Vf=&6<9LQ9|Md+Z^!bz`k=@@%we)RR*1RqBV6-c^>zA+75%oEn>{_)vW#9R zvPdgxC<4nE!hudAtyRn}>_(){L;j9PaoHh5NXk!V4x)$q)Ys&Y#AtWNB{KIt@avLV4Ud*tNX%;1gB98{C6wy9lol<2;p%Dj@B(=?{I>q;0&e*S& za_&+92o<-I!A#{<7r(*f%lCVyRjRE? z*sRiNsgiTLWuQ9%o-IQ9jPW8KZdPq3qgqF)AA`@;j>X?1S#652RBoGmDKwossiu2hu{wz{3YNzO$!%Dse zyVhSe-26n3n4jKo5;CGihR!&Q-@lp0uqK%nl%|MU(mct(U=?sUM`3OfGiwZ!@p5DR zqQ2Hcv>*k=Sn9$-EyWrYyreU5{-qe)usw`(E|9Cd#5oR=_WY)WHe2`x>Oe)!uk9`1 z6bGEXgDv8Bx!9i=e&4SK(S<4BH{=e|?*Q4E1;U>9Pkbhj!}0yv{G~clfDxrqO``P{ zR;2Lev{>;!H5D3y{3ahV6oh3w|0E1Wv2g7_f+y*y$ z`qIT@Pz?I^%L^IF_*lUqLF8FJ*v^(s9{gHy2BdbcV6?Zti5zf5zziCk1OB}=Px0Ub zC|-$Z0v2Y^gH-vc%fM1{m%Et%O2_oQ8!>o26GMkyhGmO}qKz)a@~eT)iPSjfK8 zu*4T~A|7JwnsZ~uD=0r%h5}0)STM+wK>R^(5RzF`bmB1#ZQT|IBht7%6_~U9W#_vu z0F-*~VUoyOxB86upFBkXLJAysRNSwav6e&Et^t_FHAZb*(s4wzpPrg z(8@16MY8<@Yx9Z|3C|2pGJ0)s1wp$&zUoxFNx^)?ps$HqzD-`dwbp3SxEf^=?2|HZ z00F5~#Xh|i4#}*jl_`D=4lE#gRnk_12i&JQyJyh-3X+=UavNF(f33Odw=uka=@QYq&T3o&$Gz_R zD0U}pf8g=uv;$aW^SI3vWv^ZgEBSbAcTD6c=~$kMTzA@3+1MW~$0cqAPAo42#I598 zbiJNtI4mx`M%sE7Tige`KFb*Ry8tz~GsW3wL5pS`=XnJBYWFN#G)vgVPlU8M7A^w8DKcl1oS#C*q(n{cZhX_uc!pH z-UU$j7;JmY6Q19NEZ*B~{l)F-4?yj9`M67&)Ve?J@ZH^W{{#G5@zuRrgyg94xRg1T z^}N;Kuxrk|odB1_)rTYS!~~!tv$xT(i7(wffre`yG76 
z+VfqDhwgE(3c7uTpmFIV`pL`v>orun{k8Vp*JVX0#RpieVt4&3vYPuYXqu{n zplRpwe8%gc;z~w){{?q<^I4B@-EL{B`jElnP43SpXxJ0abtW{Sw#y}VCxg?_A41^u z2ykZSe`-9b|3hDkb4kXJFFy#mOcON9C5~94=tKxNeZS^j1#+amO;yhZE(~|DRufWZ z0(U>NfCcCPac^M&S0Kv)ge?eBj>DVk+%U68T__4kluXK@?nI-cVkTvq#8jV5+2t@7 znMg}GlAQE8dAV?*I+%!1Bu{T|R8+3QP_ANyEj+eUK66byq_#+%5Iyh?V0ic1V!US<#|q=%fVi2+PB*bfDU1U8r|OeqDH{Rl>Wl%M~lb)&t=k3lI#kv&PAt zlxUe&<)__;<^j5~_-f@$X_YXXjSO&1D*4vF0Y~Xr3@c^Hi6y6Ss|IspAT~j_g-KpxJ526CIdE>p8 z;`_;*bWe9fz6t+o>%B{v_K_x7j zb62u4dw;L{mM_xk2g510?Bvg*h3KO!Qu(dC2Zer5UZ`BmJL?I~qv>E|#*bkPi${pd zpdnT-&7Q7~R@kgyTP$Gxp7Q~YKz1TASoi@EW_6x-4RkdN>4N@trk zbt4k?sb{5e<9IG0#rz-Mntbp<=#jbbd5V%o#FZP8ws3WkAkQc0#H#EmY;`6FRs;E# z@GH%E;`6UvdP4>z+u1{bSeT?RxD+FIWXEi-nKTGKeyvMlc5pp!j$71-m3I2fGEcW+ znI-)%103+b%p67iKAIfbYh`SQ+0dtr`mhAM>w@YzXd{XdHf4BeEE{m!1^D3;Pvq4U z57tUH9L8H{Ud4$v9>0UA5)%4yamVviPo9OW6(PVfgUVs7V)abKc|M=uqr-~vjVpCQ~)*NKesFE zxCi^PX9{8EDHu!( zhul~buaTyDRxuv#@)ua#Xx14iAX*}20V{o~8PeLaaClAQY4gM>KQaEy6>h*kV}O{8 z))YSO`m9M;-3sb)D~tdW^dJ6xH+gewI6ur1aAeC{kViHv5)4WhJud|!US0%UUqeR_ zte#9OnO39Tc!GVYo)i#I*Cw89P4qAu3L#vRC*lVpLI{IG6bF)r&?R$1_W1>Vfj(Po=1q7NHfR$yXQbQ9@rtoy@S!i`Ds4$xhz{Bg4 zl}4>u7v2{*CC{y%^WND0tPo7*nQfkOTkrj1n$9MltJ$lFiU2Gp0HNt+C0@r^ zV2eQ8Qh}Y$*Q&&fZ{s93&&!OScL*!s_1=>MGv#XvIj8+Nkn6jVbWr2u=-9i(#`K7; zVV%DroJ4NJt_u35f#Kx~5n4j)vTlJ*V9SlrvxRHs%WWTdg6FbxFS|p}0k~_2chfSl z<$2P}BKMhWe^s#lobAhK=<0E*GU#y|&JwZN_2+Z{? 
zv|@_u>tZ4A`l=PV{?t^<`g5!7nZh+|n?~1bBD0BK*hQDh;hDfp!0U1+7|f0Nxx^;f zZGx+VtlQ@d=dlU6s%f*P_{Gz!gX^VL#pjKlLR;NR@Z66ofROE_-Ll2E{yLSu-DX!+ zz#kFQEq9sY{Kby>G_W*DBKZe_V9h}7w12wHZh!FLB5BzNm{jGWbG@o@?OC!Q@P0Bj z!r`%#Nw4W`+Lp5ACe-0NgP5)3+@->>H5g;Z`*^ebs(rgvG{b+pFD1Eh`MNXhs^`Z4 z_}1Kk>?+6Kc#34kUpqfWLBZY$ytDd)EYLj(zGBDZn_UGYYC72mF1!M_&jln9zB++K zEcZaQx$ZC^DTGVE@BSH3np7+bUfNm6Fx`Ca^H^^QILExr3;ba)R~Ga8k90)B&@@n0 z2LWgR0b|)bmN}ygOPQDe2j7S;P_qxGcbB0kdpuZeht0pMNQaKgmWie*{`euvj>qjI z{Zc)IFb<2z@SvEhi>Saf3mV=3=I~FtOz0=Ry{d49eLl@9N+Jez=B`?jr9hr=T8yRY zp8t?rkyw1-IHMQ#8&n+%Y?Md#3AZTLqpu1Ead{r~ zXENFy%J+FV$4*j~P4KE7We8~ol8Vr=ewyt#9x*7d*)+1-*^i&HK+RW@^tnlztO?A{twR_bnrP?EOa6rG`UsEN z6v{sKJB`UolfO6(kCJWTS(rT1;{>}1!P5vHL||tv_0q2IVoObE*_cSTji+$YlVTkB z!hbOVam#|zd6j_2EWq#{_pb)^iK*>RGlw%EOuLi^6v0Z?k2u;VuZ{#3Mn%L9>xibj z7~ZmF&&rHYNBJdKXvCh`urOXgHCJ#zQ2o+w90ux*JYiEWB}ijC3~~GPEbmx(LVUO= zcwWw5to1Y`bwfj^u$c6zznkO~y+$pFV@$A^GJH&>sfTYU|NKk$8|@d7*cjBDt?)FY z!-R^r&rI*V3#Jbage722=EOp469`pD=$dG;S5e4zQKq8%lflq53;qVxX&0*$+9#%z zTl7WM6;Cxf*5jI^ma2*dOOVm;E!Cxv7X6T5Z~TimfT}rR`Ai`wS`7934@77)ztFr) zTK@T?#9HpIFpCOAM|9_aT>08BMHb;7Ps z0$%uO@R4tY?~wpJccxszk6vZRSIwd&X6iBnnW28o-x?=g((pxtVN>l?P1^*N)>_m& zyz5r5-IQ>Gjs4bLO zk@#WZQei+i)}8gHNm3_OtZC+nVk8g%&Rp9EU}VXs49Z3an9v}Rt=$C0imrw=gWs7OKEV(oMB*N^ERhon?LDUi>HY1F;IFs>V zacd@Huuj z*E`pd)iOWz-h4KL=XMB<`8D2Q3l4k7yERmgW5%RWYk+>huxp z3F~g#M3vjPKi@=tR+ZfD%XyxSuNh03@~H7XfA6RX@BF%W)hcP(uzuN%O!*#l*8Bu# zf3q1$djxc?Y=X1d_Si*6t9iYYUjsibWqcD+R*v_U+wHF1ME@x2a>8qUPFqz2U&{!; z7e?ylehfWbxQECC&k-wND1aaCaqd@Nn^)60?>O#5pI@;)U5dOL%KWb%$WL6(Ww=pN zhZ(j!EkC;37U$1?_iS3NIm_`I7PKMvKur36zS~Xm@NrwX%WI#G^0{>0p1tY~`!;u8 zjd8?Hb$89pk9?dylyrBf?vpmd=yp{BTafwFUHQE? 
zV`Vpu+yJn5Z%sxk&$d1nDN<8kTmNc+muhBbLmVkx_etp6pQuo%g9a6Pzi3+?6dR@u zVtq|FV`H@6v!|=nHr>|Vx4%|L6fJyRp39n$JlvlJCVV&cDHGP+CoZ@bFI%3bDSghv z;jc8$3$jf0GBmG3I&z(}^)7b_^;)?Yr3z!*$T&5>b{sG~-ZQ&uw1LHXwgOhCdpb3G zs%=k0lRVl_<9t`NdX;*QlX!bscCX6)0*6~YRou@<*V>N@6gh=@TrYQ8)gHhycd5+3 zd*r?w2TdG6r^mT@1x&B!+S|^8mG-;QKsoorf0r#Cp5Okfl6zne*B5l!ZH}+nJJ?sk z5jxd~_x@dv&@ZKa(keIx%E_+p%9ENip!o;KjBjH2XxOOJeIy2}gTrS@9p|k;fI(sZ z0ZKp5wBP=}YGmW#s)Ir~<<9P1Zdelb2+Hj8SgS+Qnpk+*lB)Y=%&~E&z>}sSV%3&G z1>#@jQHbo|3$dV8SR)u2{R{P37UPJjw&Pu!%j`b>xefaOVe%6ZW*) zZ4m)Tl<-(pX!2mhO)w=~^DJ9${oja` zmTQkL0$c|?Vl`AOeo_A2iBv4u%au{AcBM}UfisbVxdxO?4v`}xhoZ(s^X_a3)+_|j zMa~NjY@pYLsLc^bAS}m+J%zx7C8Sl6yEaQCDU7CHbKn_Ry#93#e6mN_U<3#%(6%eo z+;T0sq-&M?vK_WkM&U67V6dXJTBa7o`H`=u3roX~7y#SDH-8zmgAmRG>btgFQU@Hoilc^}B=lNihP6DRuVQISU~gIB z1W5&WG#OUQMrFrNIh1}~wrnA2(;8KLcREa_rUa`OEL`W*05^R7JL>ciZFpp89cR2)NHu08*Gr|3C8M~U+396-S*_6Gkg|* z7B|6bI?rj$Td;#-B}$Z@8B-}ViaFnRVpk}p(|~z_a)O!gfM>%3`pVBCB!1Q!nWa@}=hlVJAQ_PZ zL`cFIT6i2`KHX25uRE=r${D3PP_vriTm*;3F&zv{mjR!tt2`&qD~s(Qgid8nfn1)M z%>T9X#Ed=7fPP7n zNCKDl0tup>M4~>Al)ecnF%?e@eu~$9CuCjw3=LTbj{=`IMhV8hXTT$0r6GhaMqnQQ zJ>ghhUhqro`nW}7SErI5fxNQtN-5KTmJuo`KfDoaLGT(@ zC>+QY8T8k}@Orn+X`(Kt3)R0q&hjJ+;=kb-iN`#2Y%|XqG!5~Po9J`k&vl@v$4Dy3 z;RHdC0iZPibRHuI<1K=ug>Vq1aBDHlTLWFz!&oknw^XinI*=+iU#OMC5b_VHQM3&7Mepk+G4d;58M%Vv{pi^m|?-E-UZAr}6M0GGEdy7Q2Iitw0TD0gA< z0f%SCmzv3HiY({BZbCmPa$Jwhe^ltiNT3W$IaaODQcG|CU^Ou+< zEp2!+Y{<5m``NeC1Q|IA=2ef=!xefTCv#Ib*=<(SI^Jz0w#@9ET)Q*fyNd$Y$e6ks z??KTV?Sn5b^8ne_D+ZdXhvO-Bw?W>|zJc_VeB92Ct(GY8>ov=zzKiJJHpgsE-fdP4 zKtTQT=Ia0*e2?pVNlk4XTIrwbo`pFB=LN)}*FW7K%X(EBJk^=%s=u~f2>a#uj%z|U zy1QZ$J0Mow(S2Ls_qPebG(AKy=uiKcdx9v(r0-i_ceb_j6H8NO#{lfYCV);rs4=*|WJ(a+FnFm7Y zbX()0F)(n=i{`3J5O4i!!;bMKG*8hD)P+Nq44Rg>;{Kw;kna+YN9|zUUGd2M*trl5gYNhoAQnV@Ma6GC9NulPr6LUl? 
zFea!AL{Ic?bPtsT4f{$Oga&cKM;1(mLx~uM*+g&91GORehe-2GfbrI&H7Ynv{!!!9Uy6Mb9HES8oH~_M zgoZYco@|2RU{f>2ljSygrT)JInmCB+Xi_-pG-)7xrqFc-2aDR?Cr(Zb1IE8S`luv`ZV@4OB^#3^RKdln z{1Uq1oZa&%qRGnvr3Yv6^T%t#6|4GQ5me?sC`E0C)z(Ak!53uz;2MaSoyC{9S`Ntn z8;Qa9PP-o%3}E@5!Z-sK9*$Fn&b-WUtodS?wY~OyDXC|^33v&vsRHnO$B^_39|&~p5bL&1 zk0cOe(=Q|RktMUO5!_s(>ScHfPIa*ruu|}oD9XY!?GVJuPf&}I99vgF|NPeH44L8& zJ(S|}ly_W6T#6!6UP(7sXp~M8D=pTNf>tgPc|<2BB+oDcFMt@B9wzA+p{NkFNpvKx zk%$={nE43BNDE&2&gBcx-VkQz0pK4AO__DjF_@|V6o;OR?UZiVtvb;sNHi=Va->SN z)a{xPBriVMP_kin&*TeD9hn-B#|QT-wHQu=M!tNO{}C7 zjC3PT`-teDc48E;ZoC>ohb18CA6P?W8W%{~7Ha4DaxGncXv%UF)~X)G_phQ#HhIYy zH(?n1mj?X$bU|66luPvFR~R}a<*y8wE>t=u|7VCyBS;w9Ig1@D<$wXtTR-X^VBU{r zV_Y^&TJEvTxc$8t!vZJIK#@Z8N`NPBDey!7ua-z8WbRRj7z;AFmW=`{i@`AU8(U8= ztBuL9yJ@D`f1#Mp944`_JNYYc>YL=Ef0JC)?FYQ)Z;=^6#KF=Zq%U$uU~%PpDdXGZ zCWqv!0OZPa-(MqHPHVELyI-|fuCd(aep-5b^0^L6s={QrR%fV5^lqcUqs;6HXR+&v zR83{!sNTlNeBMg~6sT2s4Q)|eyKZgrIIn0uisA5>yqj?Z#ePz@jel(@X?5LlgJ;%W z+YqXp(M)Sy6^M|JY{lYFA46Jqr? z_oBCFbbQbc-&7qfj%MLJUWsEruZkveq_P|?K|k<4xAE}ZC%ruuJ@>-~j&1LHLpS1k z<9pt(vN z`BF%hym{nmb@r~)`i0nVO#e(@H`j3&;pkJF_9%av{E#=I-Fd$W&~secp|Hzg^xXPj zW7pm1IQO-y;BoQU>G#y*tZ$99N48&Bv+7DEjR?Jjyneqjx*n^Mq_DZ??CHC{;xXI~ zw37zjHuJb@80IuE0QRf&_#C(1r=eHypGOv2rg|E-$Xs<<2yMMzFt4Xv>0j7e4l=9S zA4RTkGaWzv2yDGj&={R>cJ)YZ^4))R0%fER_A_JJhiCb)*BJ{o{>In9A9t0eDsBM znZ0cX+Iqc=6&-z?wAu$AW&>RBe-i?8rh&kt4?Bo2E+Db#2av`>Z_qaiYmBVh;j4k@ z8k=`Bg}xTW_&*x+GVouw`~^%<|DPO@G(cl|6BhuRPZ zO-hW=u`v|4Esv8#$F2Yzoc{u-csNVhjC^upBQ+XNnI;(KgINVDa`S8+Xg&3kENq(Q z!P?K6&(paqAc}|$D}Wx-5uZdYf#Dg7%{ET8CQO7n`NCkj3HXnJWmi7dd-U0@qIQ+3 zGt1X1DZ@5eB{&q(CsLG&ZVh|}go;Ott}?;uPNWXZw<`2hm)&?A>f z1VJ-q8g^#_jmcO6DILH2v%cmJm3N-T+n6CSOLH$YMaPI=5Kg0)T1Sv!dd@=hU8Li6 z*W!W`1Eg_4D2zNL`dE@J+9iJ~cT&2HOIPtv2M0&w-xCW`SoEL``s*%A6OX3#q{u|nu`?v_ z<}+pq@y-Ao{O9j%|NLAksxab3MU;6d2NOKJce>dMZba^+qXMrOd*;jPY>bhny3Ak* z;#0paTeEoF3cn3_gZd~AK9W**$n>DQUH!x=A1a`ReKl4&ka1`kPQ9JkvHB$qDEVCR~CfEb1KQKr-0Gwf&>DQ=;UZ ztzlTaz`8+{-4oQ3MDS2l!=**{%wEj 
zh~In$?zJBC=E*n{U_b|D>+-i?q(}-#@?}GDDPU-*IH7_{n@>=eO1G>XmwYNII$h*s z-4Np-pdW1`{R@6#C4mys!|SInntu;wrsRIU(p`SA2LCNxrbTDn75OP3Yx0*2eqmhT^4f%I0_UCpR_ml+W(KnEbN7GB`_JlEg%!7D}M}K zC{T9aP>Vw7hx^^0){P{l-?YL8kN-D_(#d4@(0Ji@W##w_EK`EzcX!KvV-SR*ff(_@ zuxY(q%A_I<2o4fImI30Rh_W+pHorB!R#jqWH!+KgOjQbJX^GV-CEbw)B%U~!@bg@A z;UjFaWSb2cvhj{TN8=mH@nVREKj@>MOBCoDymLKhKIqvGGL0YkhBR8E%YY$+X5&2s z?ZJ0+g+TQ(s9yV@IkH8KFk-8`6d zD5Cpa$9KSpA)(J)A9k97Tf}zZ@@=CSqk*#(WqD#T68Qh%vLQt92FMEhc>W61|6Zt~ z15j0-F z$*Svg=a&X8ytm1a@h&OB&HL#tyA-x+{O;M>rHnWuX=!TiM3D=-rkLxQ`g4Y3> zDeywZwl!p1F3aOtLE;E~tVfJV5_ofkk^&)tI#+BPEp^mrh zZO4LN4QFp8EA2K-U+sUk9b%gg`D1wl>Nz<<(0!jha%~ z&dh!uPghCtT0*F87wg=zdDPYM467=6$?SD>^Yt~}eXi>+Z#Y0RvvFET2+y#!?OCF# zv$yZ6_dO0d5f23A;}H~iqc~Z6Q#x5gd)xKFgLlUCALRW7{=ql>HomTj?op*Os8h zAJe4t?7kNyR5~xB$^kxS&zJ8c`#L!29cQ2ZWVKz$ROEzpz9&pgU)MPFu6tHCFB5KS zbWIR;_wzfl^Stjnvv;`;gbq2!wxRbSclgfiw?yRV?n)kIG8tF-^r^OS9d~!C+Fy_$ z6Hc-`!z~Aw*tR2OdkD)4*gr3sF(2nxQXNmOy_ax!J%ldm`MTe^|KV?)BNv#!cd?YOj$AHfa(FR zT+O|e!@YQ(d=*t=ce|XHAGuy_x_90qr?lFYbw#cq>bbjLgWm_zZ0QEw0>?gp0uus} zalr2nOYo^dpcmO?58x#R^TXjS_a=wE+aJYbO8SI$&^NW_aQHbvls6_!QWiCyoXfg> zjb$+Lea%!(Ckz->qUNWH75%$7V@*8WN60X-PWcJb3-R-PWwkZ#w!joIVgWTB_)uPs zvq@#;r;bMQq=Yig7)EVC5I<;9KZ^klf3NXBIggo|hp>hgZt z>9q^rhCtGhEO8@_Y~6^*QD|<=gtG1Ak^QpE0@fh-$d$p=fR#i@0v^1*aE0KMg33SQc6voE79zF^YTR4Ngi7uzgVy~DVii%>pxpXqklJ#a{7Y? 
zd{S;!&W;~ z9WuXX66Jn-zzR^E=j~mg5lSX{L`-dvj|K4kk^=yu`mXSTQ zXbMBmD!LA8oo2CXbO4lWdtAm41rDDPx?-|)2;B*8IelRwr30xtLpA5$ZJa3JM{12T z&d?Jj;MYMheIK2rwlo+u|DL0M6`r3iWYTEjrIy%+6RV=Lmkb#yNh=>Sbd_NfH!aMX zOP0vlny5KWyCk9t-zdnZguwI(*)VAb^;V@t60=3fnNuM`BJH2q`h$7mX%+Z3DBXo2 zW0QDQJacu9`9#!ziQ16!BAco|g6Zds37_46*Bh*nyu)Oi$d3Dj+|qD4Rt^LNHE|+7 zM@A&q1&2?#DJxN{oh=X$;qth~F?X6aC+rs%Y2nt6O zvrw*_l$^;b(nZHlNy1mPX{01ZQ1a*mgT{Kaq3AG{ev4scxV^IBhp7p z^4>B#goqb6qj^=1Q&x5T*Xkz5*;EYCrE^(WXvvvqf)OzEKhJE2TY{% zDUwVTCR_FK$smM3t?UWcVvXM$ByQ2zm=rHJbMhA4MTF-`ETFYx8(MsvgAa=gEUF6J#+LzLiXh#xdat z=yJ76#H#tmO?n)83*qbf+q+GC^M z1+qqu0-6CT%G$?>1RCk6yn`b#XHnt2B#=Vy+-4od}X95t&(K$@peBm}+oJ?P`k z=D_*G9wVUB;mER^*O)-%U!dxenOxibT-DXwlYrf!XUGcW>)tM|T@S00p4B;^dd>9^ zU#`okqb0kwnCUo%=g8*o@`fIs?^s^KE5(ObxrM zPvpuwn41Dr{w=9%$nEoMlLOnXDqha7vW_bR_R{Zd=!cV$W&VS=wO(Ygfn{C!qx}qq z^!N33DKd6M-HoT`_wI%*`_GY;v6+s$YOcw9K#(5!SBVqAf`=DHP|COVLZ!%2!0m)% zyW9CX)YR_H=?^U+i5>NRnVqI z(4la>_ipQ%>AR7Ic~E7Nja4YOO1ZI6=JxQVdyp`$8CDlt0e`u-f(wUeXn_>{)xewI47>y>Gx z8lvj)D6qs(ih%Z`zqIE$^4N;7^J`y^jUy*E>+_8~x+kkyEwt;g=sG_5oY3QO=e(Qb z*gw* z;l~UX3ee=MWsig5tAsl_6OWdAVXCsZ^>rK1!{M%{u68wXShGmQqz0ZQIC~WTf5$pI2 z6wz{yZN^Jy;;6C*1asv87|pMMHHi0ps4>iU35?=9QUj_OJI9}}97PahBoMvt?$PC= z1{v`qhl+9_?rM`ut<9l+8vmkEy$vQ0Gto#L`$g@HDI6kVOFc}PyQ_NfOsFbG z?3Y{8lwJJZR7(0q>$geL9~Bw&WJ}z`sayV>3jh2GjS8-I9%o7V0y;{Q4Uz;wR9nfA z285DPowbkz*w*Y%kei;k9B}uIm@s}tw$TjT+4j=7F^d!?X7_X0B zU>TbYk?>FsbC=LY=&Yk+%X*E^d}yNDgAFCkkLEa)@Tjv4=V_q%S`;HRjcQVU1xw41 zqhR!shKbVHPc~Y$6a&sjjipEw-kD#w)vr*&-$tmGPZLAGgu_04SJrkZZUx{ua%*fp z{`XTmNAA!VFqwsKHQJF?M-o(lXV0V=#=SHDSAw!)LjNFTj<&p7(Gr|zv@u|^cTT@F zrlT=kUtDG8XMr&0bRkS*P$^rlxB(@eo8np-qE5mbuS(V0z_`;eA)=>{)_Ezbt{OAy z4F0%0H|mO2ttMr{>Nh2hUhXc?QtGnRrFWKEyM zKT8;Ta?NeV@DR}M+}1*Ck{MRXetFVGJeCzor;!+E*yu(0ztSw@Xt;#~rIiy6V2spr zNTdp=6{MkFk&v62InAU3v?mf%apI5_Hp(l+tMwHJniEHO^0-(d#)QZL!nB?U5_Am} zjfJ`r`dM>9xI6@BCKdZG)1h~~SX zG|#la2#~gs0Oe)|(*LW%LvTZscGX(F-_fZ|flfB8I2ZJloedUy^@dGsd>32Kls4uO z$~<-u%cPgRLkNIF#GYd=tJmYSus9jM{;&SD?jPouZ67#k8N0NGWmVk6gi$Tii9dQ0 
zeL)2G@LWi`HTOzj7m3SNIreI~dqFrK~Zp?^$9_K~m1(8;j32&zeW!)^gK2h+5k7iXOpJMXc*DRL2 z^Va3l9?DM~9YV2&Di@Fu9H^!f;S|>dp)$JVQ~JXtrZ!C0c0ZXJ2>2=eSp=y63&0gb z|DA)CdEc9~`<|M7?=9c2o5&Vf;P)%L1gS&7FBq>M9~7^0U-z#dxiwqgj{?$$j6%Oo zFduRjthUH-LwdY-qa$6tcG}#nsyjY|aX+p?wsq}$Csvr%vKqMSm+*cdW%Rt;_D0q1M=qq06dRY24` z`saE?==R^6gF}^R2UD8K5vi}c*{mV(zdia#)j6GRB252_sBezSEdIW3s>!w{yC%CP zO}1^@nE2$HY}b=*+qP{^w(-1u-=F?D_pbZjUF)vTzGt7a_nzgoZPoucto5?@eM36M zwy$^|c;lS#NTRo!#u2}SCxEWJz8{?Kcy0z#&nc~I4(ahSy6c-(bxp~~=KHcfy-ptK zyz5+~0ck(xlRwwli|wvArp#^J&$1aC=Zb-?m%v1I{cA=YyLsd-j}J`W%0SR{==kwP z^V>Ulg2sM`qV_i0^KP}e_g+_mI``=c6{l|;NcHW;D}l2r+v3NQ={uE2FA=id0L-8oz_+0`-O z`1|gDrFmBKF<}OF^2dB|b#_Q+{p)5m@bQzsoDRV6l+C|-d$Mm&-PLk*x31^;0xXzh z;8AI_Ncz1kk&v$}UaU{6y=UlkUG}p+ctHEs90KL^ zy~dS4+t$w^4d6X1Otr$|EH?l+31|Dp$|eu%?S0ljDI%z-uu$Uw*Q z;Cnl2ZjEA9~Q`NrkImxQFb;<@DeZ?HtH;$*_$z|B})y~e~|VJ|CHcWh#R4&_6I_7 zz?I{2f=NNdRT8WDe#K(4$+}s0N{}SwG`+0be%=B)EK#FM=_+~hkv9`sLt~-K+4FdHs<28>UJLG zE@FkA6_i-yOQoK}QwZkBIOBs^9S?%nJB)aRfm=)43}q}JtNuMv6W`fA4!n}WuZa1))EtHgcX9B zNHe-`rIj+=SfV6yequ3!Yo{O^7?K*RWE8+IS&4vqem(vy?0feQ$x->D-L@PwdKP@31J7V=u(#m~EIO>f z@S>QK&&V}}>Nj}BZ7Irq;&HRP2Qi&MKjCar97BR+_(Nej1ce|er(Z^qeuXMKae4q9 z5{#^pVU;;2>n0tMTBxEFE50N=j(HDOaGeNR1m;wh+?w#eEOYgDBTSOLq@u5#O-sy) zcJbq?@v))g14gnn8IH^2u^LV*a(nY{-!R}d7iw6tTGQstKgq%?x@+F;N51Y@Tv`-B zqjLN}kgef^pC90m&rY?WE{K<4$#PK*{l#dzM{1&kIUYS~AP3#W8FoIIEpHOlN07dG zUlRPJc|I`m3QrC^?%p7FEJ-o@ugRFT8~S0oYFd?8f{W`*`<cMBB&`{0auPod zX$;KO`0@jsj2LCjC3-0>qEeSdC4RbgGc}|Dj&uw<7ae-beMe>*r&gVEyj`lEw$`1?|J` zbj5;DSdRhvqHi6b4!558<}uq%?I-gFzZ_!|)cO+gs6 zd~UGuf?x4^Cwo-wdh$*L)bsJGZafxn>8IhHuKKzC>$yig6O;FCa`mVXx(b#E!dY7X zDWUZ*-R05t`XM%cruQW4DCQe-#XHH{*6Y`3eytf~RPLU#eyMl9ubpVIWY##&ZLiX{`ZHv|eGF>r4;{9-9kOq-i^M@cnhqPMT!>DqeL$H}{s&tN&C`0vpRxeYrL%5wLQlKU z`2C1Su8&LY<9FM+r`_cg9`KjP!<3G{K>mM= z0yfUeRRZffdG4N#s#Wc;56F0zckZn60(8>iV>3ffwy^f@6N_HiwVTZ;0*{l}<^piG zfYnWLg04qhdA;WUQh%MPgP?&op#Q%CC-h5L!uLz~MVzNBOddigjReow2I2yZ0mi;` zUzUR3DLFf#C;tx6+kFsGHFJH=PciGrnw$>q^-LrnEJM^}YSFdB2g 
zCRqTdg;qP~*o(YzN)i)ZRT?w`sxnvV;hEe)n3!On`FMak@G~Zen29VHDc?FdvF9qN z_R`==R?HiS|D+9xL>;;9l9kD{85+VrS#edR(4J+s8^9GDV?Fzts|Ueu;2FA+fx%-Y z6Dh9d+QdNM5yr7sD#VwBB<{@9rw>|UUhu%?9g?H!Uo{s$<@_V9xJn+YT9~cRBt-pg zQ<17SemN{8P&M!EymrxlG-FEh%{-((XQp(_ryp~^>uL#%H>oiv8w_hscpRSwPG>qU za-LuXhno=JAn;`V1#AD*!4wi7cD|XMa@y5}X>%uu4Orw?v*7$Sk}t@&)3=l`5@4MY zd=8phFU-+_hYylhll={&g~%Wf?ol7RELEaHfGj2lJb99p+Li61fbcvopfVLDi}WlU zJsMGKpI1UqqUQaU2ckFC{7kjl7~YU=ndi!_u5?`&_OCv+Ge{lxX44L+&I zEZ#kB7n6dt0gKa*u8Jd(A~Vz0QEK!+%h?`PPCBeysFY~i2=_!ndVFeF6~w^-*b793EYL?$d{Wu2qwid1%oSc@&jT| zqCB$f5f)nvcCj)>gP9g-;cX&lOPKITv~15+LgTnjhbCH3e_t?JyMzmm;(fD=CFYX+ z9*PumhR%kHb*=D_kvU$p+C%D`S-y1Jrb8j!S&@^}DAM>_GMt}2=0HaQLCMb$20h~x zP1He$g1r(lO-h&ocXp0#g4P60vgVSGfA6h9XZIj6!3MP@eSvu}U;~!x+7C6^2@Uqk zF4FkdJ{xTJ&IxmTL?&ecg?Gys<_fiyYX$7AJ1;~-rg8?MCAm}lq52SB3>Zx4D*aZ@ z;#g``+onuRA3D!jG8JLKI*pwP#g2CwVKP0UdtM1#dxxO8aO2jgxJCNNcfbAk9Tb02 zI5Lp_GU!FVb@#LURiM-g{{oS~?e&&SZ#LM{sV%xmW>chHhqpKFduxcAGX-JhebzTk z%K#DR>Kr5;dbu1eRYr)DQ=IyFybR$tHheS4s-pfdp7Y!ENf^j#ahd^3jG7RfvYf07 z4w^irV+9=iHaCaw<{P$ zG5;ZDmRBop*2exz9utmIfqH*YO&4FpwSY{LecqL(lsJ0*as)A5s89k*jU_K!myVWM zcM#|MA*g@L$B$P|Hv$~VhcpCFq6FeMB91}|y#$zMovCK>2F1FHWU}dMo#~foOjw$l zJMNi zR+*@AHFER>so~r=1G#4|bFIuDkXC%KyK-}gPW9TJW|ihk|6APNj|E8}KWJZ(`L#jE z(zrx-K#Jt;hp?>AkI#eZ@4c$Lxt%Kibm;Gq67|yQ?)@RKImSiNCf|Or_|e>9*?;I+T=B8hq4pVl zQ&-8$(0%(*Nz^4Qq{XRMFWK<%nU#cGP2YIJZf@_j$qc=b^-mfY+%&Vl#MtS+?GAXI zvius>t-8ekj{Wfa4nIxE-`m`Od7tSGV%xPnMwvG2o5t+lo62nh(&oC-Qt(@c8T5fV z=PjJRwSD7bqwbl$>qXU-P7u!LM9teet>#hagp>NIxNkR~#TCvkdvpEP-JW-C@^<%? 
z5u7*?bZpJ9kEZL}b#1cAoL}-P>?*G1+pz7Af9DiYX`XGq=ec*1 z^WE}Klf3uWc!+5&&?%4~bK7Oq@!fL<9l%@GEwZt4_HIk)h4KfKd(UlS+HaKh%c6I6 z`*R2w#Ob$;jZCP;>pG(2O2GITxJ?MSm&HFXxO~dH6FT9%vlB4s$NVGoGCs}OW$)3U ztZj|>fWOBu%@6Re-znW-441aAF+H6f?*vv%>oXtEh)?spWk$pdzW2L(G_@T zPh`gHq(THf2~h_73at|cHdhCq5nfZ<~jm6&kF4LK?`15e32gzt;K_064y?NHmN^MGLJU-h&Z)ZSSFfwK^<= z#es&5(A+_Grsh>*?25OD8w;;d-lPMpG`|#o`^gX{hY+9D|C>mYIyKFb=_ny{@DvcR za}m?fyE+)_j8-Jzx!|)QEljgnE-E)`-V{c`L-iA!#?cx>H2c)IRlVWH&Q8VbzfAt{ z-Yn+Z97Jf}BQ+gLP+s}Nmpn#RWCkN7)NIl>S?Kq5BrM};WXU0rT&mQ@1wT-_Xt%5@g5%VjtBf9$(;_G}_43lhUO3!x^Fw2VTu|{@ zcj18=begXAJI~v69-rOkuD~eia}2SGC5uIlqB4Yw<%r-4dD0j{_@K8t{jlKyX;NO6 zid6FAkETSlVjK#thLDwEq9G%#E4r_h{I1%ZLp4yLL4@T=uPddENUrzay*Hau z&&Nb^n1vPlEq;iXei6-DY9_izZaoszZ?v{FA1GA*E8E2n;gVxR11L%G06KZK{}K#? zSRb~X0_Cy@jv7ZQ5UEsqclqWZX+wlGnliq-3Q^!qp{W0Lj8jf)OPrJ&xrGdjgRE|4 zsWge?!iljW(_nNFr5ZPiqF0p!^OktC>mF6ln^_PHpDR+pot%v0FebDOB)>LiX&H6$@Lj=K^J;BC zKUY}GX4TYN^k{mlnyq^XI9n5#DSfDBxpp~ng=ATl<3Dl*rM;lb@Jdh2qkoAfdADZvbZ?v!Sc)cZTV%~P3))Mzs-}WwqOs9UH?V@UcOUfITfJxPqPQxu! za|P@1!ei4)(T$i_#rvA?o8A~-p{&##gZ0R0?zsM+d;4gQTVyk-W(4X0bUcC_t7bYO+!-C6i))rdmrnaacy>? z>&@bD(--#(?*dl|I*ku$Uvy`PJGwZ&*dR=qR?s~?b2Hw9jZc8wJEPa0y z-{DN@rr~a?JvfAB=sHqW7vOX+(0flws%kS^=X~tg^gSDv&K#KjINK&f1a+KpK-co> zRT6&BBC7(FPi@`p)GlZ0q-Hw&(-r^qd`rn|93JI-!1f z-DgyGLmk=UI$T?A+oeD1ZSa8Kfb+B6z0+%LjdSW{QG4~lj`!j5W9;@7y8Cv;0yu?M zUiqY+(=^Tv-^3cDYj;AwB49Tj`q^@RCeZ#b`uGDFH?H$Ic~0c-KD~Ol>&~EixVx@D zF_6;fxmzVqkf)N|TcvTbhB%770%7lcv-JJ!5)^q8^*zP=c%afhYRMY#_yRI~2c0eg zGA=-Ohmq6!0s-k09f+W|7vv_U7`n;#E|ull>2rZOs;_hwo>yd2ik~_%c!rj)g7FMXQG0m^d1$IPta}vHhV1y%{01rK+ZF zajF{|Gq){aajuyDJgZ0t;NjHAkvu1wt1NlOFR@kDUzxadsk8_uMw}OdFal*(FD^n6 zza<;qB$sGj9Fi2?C6=iO73!1?xwWekcUbfo%wDm1_{wi%V(VUNe}l?! 
z7YS;0jvh~0H3Q=TR7@I2o8Q&SG~|v}Jr-=#k>MQVJ)1$4lS(Q~fqcpZKjVz(_>IR| zCG{0J7gTH-YJ?2>xjTp{2Tv2PJQ0yOzy<=zX_skpHkd4*S_`JHr3mR{AS!+j{aGoX zGHc6$c4}TPkzrDuO+1pIL8}O33n62&0<()s+F0C?;2s5yuU)4x#OZY2N7#6O)2?LHlsw#$St94M9NUUVG=Zey z{`*!s-gN;5$)KQZ6RAt$S&y7{jVys2b~<|ZIIe$uLbwv|nHOJdA$lQ)kzjFfz{^_Qd z9afwwb#^^m`SJ3^=fptlj~YEy@j}lP|9tv=vX_dpQ?(Lq(1?b;7p^cQ9ObVW3 zesE4)KMHiKF2d#(3d-2h8u$1YZPFmsRB*H$K8$kF<%%k1;(ZEM=$6O*gdlN6XVQ^o zcV|#0ZU{B3JYdb6P-+BBoX`U6!jd&wmC7)9X~^@jhLF-zGJeZRpQvG$BN+pc$teo&_iC5p(+^S&uON!w!b+iTEy)Fln?g z?9h;4{Ss+@ZxuetdCIe>JW`N)f%TWP}fF2qQNdOe6_p41E`D#-YaKQIr0{Vf?plQuJcM)GC$o>UAZ}GMvkca)2 z=F?`|ifDvK=+NEN^T$cd_PzRXUjI^;X((qGd^MhJ*DacP;&GyykMS^X681d)@dxLw z>!*VEiGh!)pwH(bd{-lD_w!Qc#~CL+r!8^i=cO{Vev@^xqo#3I2BrMA+weQlPuKgc zD45psYu;`ByPAj1hvf(cE{pDd`wohgMShp*q}2$@;p~@Fk6Saf+PBk)@y(}60V#X^ z=AWL2K9%!W`q}FiX|@mea<$XEH*@yq&U3amvX;(`#myMmzCPIWk4W zMq3-r_ECMC&R@wJ(9fP0F+}{nvwxQ_9DBCx0Z-z*zeIpf_0CtVPX_zu#8v z*Tcn47p7O62VdaoWdFnGkz%}yZMyaT;OVi=t`@k-V?Q~|lY(8f?Z9YTxTpt*?GOq& zec!+pr&%ZLUpuRK>J`=AjNSGHvM&R4^N8R+=TzI>u^n2PvJSM?7w{OjUJx*%8@#rdm`|aze{&V#$XUQ2_7cm zzOPbO>pDCNUG|mPJZN?YHZNbuD>Po&wT*5-t974Rx}|-GA6sb0k689T&V_bk_*-zZ z;ko_iUrkCj@7alR_}j}~+SMjt&A%L6{zu1B(~8{NyU7&E+T^zG+XtCE@7HnW`(NnF zxeVyPj(MB50Rb6Jy$M03((&uhYcJC>N-3fu$stlU``xx9AIPAWflq;~Y9I)~sB~M{ zjGxMATSo$536U*41fRLO)2uPS$rCeC_O>pwP%fl2wCiI@BH@#m z7`51dD}TWoO)d=K{F%a&ITu8WC-fxF?g6PXyf{Q$F?ggRRf-s8(U^o#MNP&{DjMR% z#7n+&UJ^~Gw2|eKugA+Nn1?Zqt|3tASx6si0+TvOQJ!-{;~``8Q}wEN9j5njkDzPw31T z#LD$nkv5TheZOr>(yp*vTMl1Hc(d0&^575)_43;0AkD$j@>c42sMl%etPt)7+ccWK z(9AC(xQsCP}6JRRlwV(4!}S`uA9x@KNB4LnQ?Vdq83(B%sk zj}=EFd>WZwjxffXrQF1$O0|ToU3;{e_VmcVgE?+DX(Mq3LoFRwTNF8b;+ZKcZyn%p zt;~{h_tgmId%H?xn&q9>rvOS(sBP>~aO@CpXZFjyoN%L_H?C|X3uoc}rY|1<6V8{Qbo>CJlVqmR%~)YG7spbvA4Fhj7@vnU76a$2BP%VGEgx$EClMtUydLd? 
zk$WS0iQ&RblYamniGL=Tp2V{{>wX)W^{_O|2eMd9dA~1c$Q-+JOAS@ZwZg-f%52xM z3NQR%?x{g=gUV6MG{~v4@WfcHggG-)tfQe*)vU%5fj_Se=Fx-q`4PnHQ_CD~ysgZ- zYDGq~8V)NEFPa~->MN6hD(`MT`ts~%@P=_ z2bt0m3$6vp)mNmWdX+?Ky@C$jP0?o7m@a*s2X=|z)##YN6wCXa&cyR?>|s=9_Shrd zz7X!MO$$O~I2@{chl~fyh^q$E1jbNas4!eSk0_`*byMpGd(66D z5nmh+3_Q4>HjCmZD(V$SQNGzPMsyoZ`d(Q~{27~sKDy1YaZ$wSUC1tu$t7<71*-j9 zL8jU4%opK8E^|rqWEZplEuZcP7{X!y>1>xkFaPOmk3*3+{=9Z?0>aXGzhn(CL8!o9 zKp5Z#c;CGZfPu-yva^v;1}+0G*Z*{5UvBuU-nnyf{5jYP-QwGMu8g78c~!a#`G^KI zCx9rLQlB7#*8U(l;t3o-MRY3u=~M+6Hg5B{PYrrHcOQ0iKFD9SpW9y%y6t#LZ*-fU z<#H0X+%YceP;}hfJGXl~%)r}<1J2FmK99#Q-L@ttfX6ltbIygq{H|BEhNKD+GLL3U}`L}jcN@-ZIGpA7Bho&b7oOf_$|8Jm}G+cyrW-RJ>) zocHq?Ja!k*FE@C+whH%5E0a|;Z~a_B&;7>H`d0g&>~|M^-1v-7Yf2(mFDKuo?dsOG zPxZdmg?ikV^=@ZeIdpR0rXKGub%nG)o4dI_50s56oO|JUot`E%-{>Dtt)sq_gj+4j zy7>maWSx15+1+!P>b5SInsiw;eN|Ug4g0t$oi(*}9M3BTRC{@a59ma3fac5J+Y|bZ zhcDWQ|MubE0M_ls`_NZBE?MwL)s=iVNA?Dnn^8?(`!!`1^mj}CSGp2cF9*>^q5=my z-I+~1Z8Cr6)9#M1+{dTJ_1qk9W)3-DKK!9=TZc-Wo6o#MbzhR4<#eRDTyMOp_3hz7 zpDCuk%QySjz{Wd1uZPb%|1UG9j9K2*bu5A0*M;QjA5(k{`m;(t7j|ayy%^stmG~+PG%|GGwM%Zt-b#Xf!(h_Xe@=t2jEiPvphpd?MHwq zjjan8M~EY&3@$F+K~d&;PNfEBTcb^`?PFqe!ZAyS0!yFOJeowlX4Q%i>Rmi!sF<+M zl!>cwG~_sxkvdL$T-84Wo8nWZzf+lQ1omzY+T3Ve+l|h_xga?ka-^%_AKiSdKIH>J6ZY*XPxyb3t+VC6GNrP_0m=m1x zEjg#4SOJ*-%q(6aUgWoMk4*!vTKu6-5j2(Y2(2ZYzNy?*nT_pZ#aUqwnBkoa`rwT> za22vUo3-5p(F8zYfYCB&!Obypu-5Sx(5d;uiq0iiH?jZ3i{w7{l96L5XV_EOp$TGr z&k32z><_m@p_q%K0Sm&=tA2efFpu&UnQA;Ks%o>;A|uT-?eR_gfko$A#wk)~)+d`w zyLi1yoW_$@R1*I|3D&q0mKKksGA0<3{`162A^X;*StnJ*ag^YtiFhY3%RUBAvWu}# zFB9!Jc9#4C^|bLo*x#lO?8imk!)cou3YOS_Vms|tSqhHu+E9u*rT8m`!G z)cf$~lx`^u^Lw>?s#MdM?8)BWhgNkB&H{NingrLWXl0il+Q^1KSssh!T@zS-Qn&&L`FXN{miMJ3#G9eJgE90j!+vaJB%4q9~cq z&Zy+gouSqu{ENL7C^U&}@?*$$J_mNxa#qw`V+^xxzD!Y(B9MN+(E+jzQ+>&QcZN{i zh3o0H#?rz>_|27` zcfg^Nl9fW@J`pdu8aczC3P!7)>t{)vY_YUWxcdhZgPFN>=VZVvJ?OL6h-bq;Dar2btr#k-m)6{qP&wCi3lgHA9u^8Q#a98B(5%+d$elrN@hwP5C z`vvBd?&p8A6Z%ssjO#`jh#V3eo;Lg3;`;dU>h^q*G2Pex7xI-`E&Jb}q~M$QcE}$u 
z<+3|2R(Lv(GA@j3F`HiJOWS=xJG?Qm&%4mpS-wL_+iv#SehSdg);8_x9mAcW431*T z9!Coi>2!AYJ(8h1UUhd%g&ej755?ujx*iW$$iLqAHX3h$TL6dCiqQo8!sd^` z?BlDqQ!QzEB37mHi@H7IP@BgrD$meg?gGL3){%hD3daL~Dvhz<=2dOI8aP zvqZl-TkK5-sdjk>$lSHwhQFYea+%}F*YeUG*_+SfG0h$QBFtX*=|16_)8%1uZ|`oQ zu*kf@bzhm(5};#bqLxFsE4|lxU4gfE z5Ys0p;|UZ?^hD&e1nN$_@pw09t8#m&&Hy!FwTaU|KBT=XhYGZVyp2G>t>qa&Y}x=v z@@Zi3_rF++fP2v!pc;n1@z1n|Bs1!0=`9$GB#&-*_POu1lZWMfTrN1ql)D#l<$DcP zu0y}t&8Z{^&kC&UY<0>L>ehSaX)t6sZArH)zKI4jv2ZiZWORbtetk(`NNl|_%`oLX zuHH!W51n`mHq2a zdLJB3zuq=mWflR!pepooPHbyhn>%;6Yom=M1_pubp*rzWh&o{8fnBi(#grX;A?C4= zdvmKY(U)go?isYnxWJoej}|L?A}k)iW`?Z_k(0iEj}iAH)qj!Maj;-aV{1Igz+*+_ z*+?TPDskD#(?INEW|KiE!$%j9_@^>6EnoU0Mb72SBIA(&eaaOLpXUDfch8x)AHy(C z-zrg=gim(=5UA22cA{w5oaa+#&^(pdau$aNhU}oX(#V2$nk8ZU+hPj~mz74LvXZ;o z7xc#nh&D23YV7rui<>17@)H)YEm9`t9!XLSHU8rqz5plao+B-j@nb>yd%(|I0ySg9 z!UVf7zhaJas!x->;_=3^MXEUo$oeWPS_q?+;F-0W)%s4hnWlYupln>DUcik*q6(R@ z0xotjcRRznZLsya7A0l*hm{*88XH>$3jQBXm#8lNGK9Yb$V~HfYeU>yP4tb_UxYc7 zUIMH3JT1c>tl3dw*ZFa1WauB*w68#B0f_|MAF6`C8FSL$dh#|jmXvh}ZD@??d@mZRoiCP!2kiCohpnkU`H6(&RK%vLTro8vx)C4y5vHY{ewipD;S*>5h~ z4c4(7I|+DHu(8%oBMy{x>98rKuyzKm5Kve_c*(|dY#M$2isC6Pr4Y>*9cFEI2yEjg zk(#M5oC&?+Zvg7JEZ=kx7tzbK@X?D1$S^^^`r%P>0zyTsQ}I`RYd;QdMp`&)fRXy8 z2zrc_nMqirRBK!X`#*(28+8Xql_p*>tm9%Av!erMF>r~JDOO4H7hjVdhgIV8l0T*=6vylBX&NOJ}xsG~@1n&V8A;f>lf zU3&?Ea|_}|@J&(>>xQ*$OJ>B@R#aJd=E<_+@crpV>gpEV(k^zJ;twLeFHf<| zYaXY$X8&JVy#Yc5$KHQ2%w}gGZ<_u6PiGKW3h?^NS_~)9kU-q=x&B%HRsTKo748{1 z(%2GCm3iwfF3@;!^{E7#s| zJ(@ogcnwuA!5=Rcl=s;$3G`Lfy;yJGhP>0p?(*3WfY&$=G^=}A0bSMjJe!Y` zm-D%g&x`k2(}OBNZeY`XqPSh&l8{Kq!`ey^Z_Gp%Cx@c z6TQpqE#t4JTN3DhjJ66J7ccYro+s1m!`lEO@#kuMNORzy)zO)E($2+pKt@2SPZ_~qXpxF8kK-YgTmkJf!{F&zKwRJ&h zqtfQ_odW~d9OlmxpUSUa6!YWPw5<;Q?k4RwwxQ$f$FL3tNQjM;HK7lW`6xjWwHO18 zKrY0ANkU$Xe`B}I&=N;uaBE<+P0MqG#yQQ2q*O7uG-Y>9(};}3PzZ3pr-5> zlv0A;447ymN|dKZ`#Baum03M4CBomXfT*-IFM}LcV_KNEkI1>iI<$Dj03n5HnohY@ zb+CGlIK0mLkq6yoPLUm{=&K!%Xtpf9Qj6M5?x{oVQ46@%3Uju3>a`|uZaq?NdmXCR 
z@5lz4afwWG#GMUdfB6ZDTP+!XFfpWjW2Y9V!HGaGsX#3Di3mqun#V&^j{LcLB`X?> z4i?LJJcbxxSx|0V6_}ip9plmer=rKH8Tr&LGoVidu1E`I#X_i0w2ar8s;0(*sB9X4I(J6Tky-JU*NJ%8op*R&vaSB_bll8((m)eH=J4whO z3m*&2DB`y?tFX=@Y!_R8-V(7ulqW?)1S^O}rV&hOE-k4d*;P8oLP<=^r|~TQ?0=2E zOe1fHHdOXt^D5(^mZ1#zav`N(LCh*8<_Gk;z>%Ra8(H@31E@vtgn4v={xb?R_Lo#6 z(&*Yk7IJqmdX~DnoxW5QXW{xydAb1lubk?C&lc>g(}lI`x^^0 zmt-}ycbWu~bFLPRhgO#n0|QTZAhC(VIope^sV(ypp_czio@6QXR?B_q3v`Lz&yEEm z?pt2uK{Q`eT%d3vcJ0u@(mDT*t5!0zOmBWJPJfU%xdVU=FO+&2{@M~SW^F}>Q_Q}Y zN|`uYg(0muM$~KiSBloHQQ{b^fo1TY5a!9+yvrIietrjwnujS9Yw(}43)Qr=7j`Q) zks%`!n1xk2N!)lbJ^JVi49y8-|42SZlDKc^j%dfHJ3Zpk1=RtXjkDpCmJz4X$_F`Y zjz9l47W(0`7ymuzcbIX`jZ0*36qHtT_&%oEi=sl(W){h#jQG$=NfI~dRzFKJg0w`` zE``&Q7bgxEN8H*H4HqR=e$u7}-IHLo7QiIlM9SiXz*o#!RHC#~E}M%p>{7&A2_0lR zLqU3UHt37to)I|PqK248lYEZ`IkU>l<7_I(yZt-@fQe%lm;{{1yi;u#Kgd54xfxy& zp=&);Fo}XXpQejfr)O9_{ElV*+P1mTN&BsaxfYYj4!i}eqK@#?23jvo z>UE`go_8dTGpZe3K=OO`yu3~6`g3~Wf7+!Pm!@2GI0_ura2g=_+_yYC8amLnA6~j| zkLb4zEZOUJy?QlIYacq8-5U5FLQkB=nd>Hb7_3HZPub(}`;JDXAXVLObAPIrXU5YD z94`y--V1s*Zk91lcsTXibF_S59X}Q8dLJo?Z$0(!ZWb>409R~kynS)6yqX6~@j-R> zvYgp)-k{IZZ{j`WKV8W)JwS&~3~!ZhBko)8z277H_XZE#`jTdy$_1LYlCqL6)80Am z27G(6P97ycHjg%lAJvAnFaLhEx-VV*;%E-!IpKfyDv6jAC=ziTLjSKIhxb$m#4Dvs`J%7&-CKaFONlFZ{hME^SjGH zUXb1GQR~0_aeJT3<`71oyIkz_;4=Y@gtZSU#?0<%M|XQ)*-&$}vg}sm&dpM=LV7OS z!gfZkmpOJjK#}(y>o~#VoX;Xv6Eom?A|F{_`~6{T8}ubRD;3}-pxE{>nPzh92JMYU z*!!aVX%~`l7QguDt>@jcpA-NU*?;^yjsef|vLk==zQ#2_apy7DIJVd0-p{_;7WrrA z`k>yVYZ}Pu#mgW7NCIxxtWs8QFdg&aGt{opY`J>4q+BTNM@_By79W>gJ82VvR+Na& zZ&r^%p*Nsy9S~y1=6_SmBUV$Wr~160xcG0BwW|dxL?XaV0DmoL`paF`p>zwTupl^m zl=N-dAnp-VBg_f*9TkdQHHmy0?A15P4`QG-G{O0ttH2%p4;p-*S{pL(~hQ=qx3R9TZD8@F0p7RHzR2M?@SgNEXSHgh=c zJp{qpe`p==9Rn|9>q~kC`z2RyR(l+uZT!F=a(<>6>5}8qNZ$ld`g7dL;?&iNKq6VO ztXiS}DxDn(bHnh0Gjtalq_l5tD{V04D0WO?2zR0wQqHHPtNg|u zW|B8l+z~I;+rcQwB{liUx;;Bk^$$*k{?Jd2I12yQl#~_!9_IRQeaiHKl9WppIYQL= ztpx(rf}$C4af)sgX>#eyL`&8H3KN1SUKZ#AMbtQv^5t}uB4z(*xKoYj5YV#7(^r7u z(9en&OgIpR5wp`?MEzNWzBx!Uad=YT-CXe%l!(>}#>nk3hzx&tw!F){>Q(_(RG$9kRQ 
zH+=NSGJJ05Fb@%uxZeW}O0b%Vc?HOrf>81$YSHJ%Z$3aXa6f6&SjxodhFz3~zK;2* zkc*XvHw*oqN#WUVtU5)ki)Lo@TSl)90*{`pO!tuS<9~lcnEGK9e79$)R^;V{geC zvFB}wL#J%2emAL@@suf(Db7_8nNWt7#5r|G9vdM977CFl!8zI>%o9#JC2Ofa8wJMn zYsVeSLudhIPF()EA<|T{9IKw{f(Vth+k@eM0q>rhL)f8eh&@E&M~C%vtk<;y@WnZg z(SkS5Ai09DUK8r4mE>quAQo3hdD*J9p<<9_&VMY~y4R^=*~`C7i!$F9pwHso=`{}` zD(@Bd@hc9RMCSW~PQ$W-OI6{W#se1}SMg8u*KcHNf4~ppHsDWNZ1+xWO3G+YxoFX} z{EHm=fkA3e|CS~=Yp1C=LjNRPp4xJ)njmUOG0?Pe`ETi#HzU{o6-CvcLq(Ciy zW}Ao4Ybo5U%HqFp1P1#HAAzkuo-f~Fhro+~+SLzKgXupH`u_|qE{AHsqkv{wUe}?n zQ=dtI{G0MKR3ALL0vTtv`0O3!Rr^dQ>hm5?&Y8dwV21>10PW5Atzja??}!r>q^QZUpK@TWd zb&!dj&GB{-H_^rH4!mO9<_J0GbMHB2V7e4|4XgqJd|OP{*4^kg&%>-I*B^N}Hk@0w zzD+Y^gU7^p_}vHZ539NWYIW@Pc9R!O`tQ#i9BWT$6vS)0g9Mv?wk5Wk9eW2I%lP`J zn{`VS-e)~e-pjTfd+Jox4_8JhcJBqB{mAmBhb?KmNbOW?U5V7L!f_rC8_Vei=1Jbr!3@c7oiz~8)}aPflX)$HF5W|(Ps z4w-5A*4Vds>N&iyZd8bZ48oJ^3bTspJjPDnnc6_f<^u`42j>h5{yW$gXMo7aJlfI1~Uj#ZnK zro&q2nc3F`SLe#x)s7s_t4YYshf|FjsY4*&$CG#WbHZ~5fA+%ekj8rF$F!O`zqY4g z9|54lrz+#=*bmrHQc@WYA{X^@Y3DH{x2v*XgyBWr_D9ETe@F19Zdq zk_5fQ)8yAH7jaoXIU&GpdUy+PSmNU_xDMPk5E$~d$@;b2zSnu^M%tp=;PwvtYP8j3 zlHI;;-_tUQYTx~@wCTYByiV8i`j5$5`E~NwwY@eQ0^CE6v$ErE%Oa{9|6d-XRTdzR z^H>tf>+i9olG(tNsr8TLF1qG-q+9UiH5mNsKY6u~?-gKDa;g9E8NIo~+jiEHPVM!u zQ$0fcO~pRRQ3pr8OH(!~cLhn?P|(&zrTw+5y@IW0V`6!t4y*7D2a~f%{9#-5!p@RX z7O^z+CvHZUsc*QlUJ>X{j*{l0VqI4pBzM^vD6m?z)TxFvQbTGW2|xqR88;V+?grK8 zBcEq$?hpKY|19rnX#8bWYM~xS$a>2)Ugu)Fg9w4Q_6-lNg-6%BoL#P=c-yxQCa6Ee zN5v$~N^I9@X3L;4xvT{Xekp|AWWlVvPG1P3ZcDJR(0|G&Sf(;HF;$4wnR+-RgeIJ8 z^Z}=u$1bU^ zy;EK!H-M=$%8MGLgx-H~oJ}%iG_usi51>gJ+fI|}*kHidGwm%I;baopolAvuwY3N{ zUMwIIz=F)2n&;ob-=iFA6^<^UPlPv=IK~e3>EfAY(&|=XpV;rl4ckrA5EJU;aV~mu zI1w+B6}%Bdim#imF#@?nk%GDtJ!rqrI@DEBCgQW2UG!$23c98*IMm9TPWXidMCkch zaiOu%;2QTLo6~CtO>@ppBCC~5kkIpg@EJ~-ov?N|INlhf;G|v+><6V?7C>Zm#7#5~>qo{X$ja+gtujH^0D(LuIg`!B}f?f_A1$$g;E>&a)yhoR_D$#?DB?Xi> zwm-A3*jIEB>g*1m;MC?!_FtWpe9&|X#~yQ-J$}6T+A11(KB=6Cyh~T((4Q0>kbUOC zQA|d&wrDUc_2~|f`FAt_F%Co;jfea0iG-Q!reGg;RT_k$?3qOygT(zX`OcHMa 
zit(U5NqmDvT1fM7o)m60UiXaAOs4WpA~gucknK50)mxoQk=-%^?GI2JyAA zW5%~FYt1$OQ_7zx6rVg?tl!-0 z_QyA+f^Ep`HM=Mm2jRxm#0Pa&p5csbW<=KM5Fv^FVG#RR;y^dZ#NUK&2sHEgLQ0-u z6Koh1ZvT){hQ-gzNpaD5q2nGVF`}pU!*FkN42p^~|{%#oOD5a3`rKxTwW}Gv8S}U2#3yq;dV1 zA0h7dW7c26;jAMNA=(2=u$VtuPK#J`j6wWiltcJhUy7Bgs_sof>`~K+3>TgS&Op!$ zdwZ*le$>R_){ZT;vbxlBvhicG%y=@)Fqo8M$?3;kQa7a#z2o)-xCy`u`}V~Wn;B7er_fpcfxG{GWdaPWq> z_r9k9JI&{+Mfd6PDK+9XKvC6$U0jMNA_f7V@u{c?`V@Gt6)Ky)PsVy*+YyYDqgG=A5%ye9WlDwyY z?=eHqniq-L_0Y7zVfyN9IfKtWz2EF4P{8N0ebMg8v%6=XV5H{tZ2WMmD91c3;YPs*;+kX z8Pvkbyz8i8&^k*SKC8OuKHCVY+fx(Zu^U)l(u+*}=^+2OJqF`_rnk8l>l*dKD9ql_miGb72|6%gAsq@M1rOqo7IO(Kl_+Yg$?I zHqOX@Z?EUNrDw4A+J+ilg4Bkyum2(s#%k5!*}i$t_OXdA*_2Wb^Pmn7M3F?ksnS?2&UnZA$^lRB~Nov`W3szlRXce44~k_*-TZO5hKYysti*O8EUIwIyVy zc~<-m^^I!wI*N$o>EDl=d9Zc<;T_Kpda;<-q`Ee1o!5HngF`>gsV*i+?jE+NRX)xT zcZLZrI(NdkKQf%<2}l47l_}MFYkqgq?Ol6n5n#uTN$m&U%StG}*2%-y^M*T={m>3e zhNHa_1+V)R74|ObKJk*8&`j8K&%$Zm%U*--?iI+(oH|*DXXc6@?m3&}-7eiLhyGDD zt-0WbeuA9(G4~!YI35hxdm(xHeB=gQz%3-?-4gGp46#gaHQkx~;3cpq*R*&K-guUZ z^^AKZI1J)>{e259P3Gh71i*a6K>*S{%y<@<)LjA(PU(e*f0FeyX+7cpGkm%ASO|3 znk!bi`S;)N(!j^`sK3O$@B#i5wS4$45-I{9Tq<%){G z2p~jB4l%3X;B8%X2b81ddoj`q*`d_9WrmfxxMYWk$X1zQOj~r2b8RR`Jj)=g13k1% zLBxt@alv^Cr0C*82;*WH6`a%)VWG*qWYdk#!a`Etbjhwph$^VtMRI@?ooGm??pMjU)Uc)H8YOz~=FesSEv z%F?4MN={_9yyUn@QN_!5blXjeLx-lqYym5_A3u)4 zOjerY2TcKWNxERBjc^=(i)??=9F{H#QytwZpAq2!yiM#wD!TAO9Wj{}HI)tqe=s$+ z5u#P8QNj-H-#@Z$+r_<;D>kLUS+GH6fFDFxZP$!?hiUW|PC}?>CYDl{$WN^*toTaa z7W-mo1dBQt^>dJ3b#oV~tCHtvR%zu3ndG8DCjWU!&p6D(`Cr{>k|!t}{a$3RKQ9qc zJ{>QDCl{S=IUv(3KJ2R^E%S=)TPy|RU8~C<&i^oIS&Y`vX!aR*nJ;3fNV#ejh<^^U z;UnJnR!WzK&rNhvl9U*5=L`iRRvgifp2RQ)VD;p&EIBC}jOA@%bJ5ym`)x+BuxYVw zB`YKvgwx_PnA9rJ4J&>Hm}(xIFZvK&aSQ41IXQ@^OFt_f+IA}Ax)$_(el0z^F3QtZ z&I!i8uzNqFA73qwt;lG}Wnr#qMPQ)!dN7NYV_=BM{2-B04sZ#;Os-9RJ7uVF+#%gtnRx;`?XGOA=TcOg7$mUGvf-1gHW(AFMr< z+zSZ5oqyPa=XpuDNlty%rE`JpXnFBhhQ*4JVT&X41 zvY|qgm(E;WE2&0=zuW(aaub$;N*zy{)nrHxpKDdv!>|ex#>*R77RO^F$)Kpv%t^+)KLnIBjBD;61>Mh<3d zV!8DXpvtQR-)7+9Aaiu4k@CSss3kFrI 
zIj(e}OBKDkRO~}g_Ho#l*~%yoD^VZm4oPB^$qm{5(xVd_>Wxp+sxx*PFFVIuD@XG z?c6hh_?DIB^i<&RIEp{Z=cOO9DXGQVDM9{pl%S)6{uat<`~dX2srm8918^Jw4O6ZA zb*QIdhe`s26fVHW}KjF?c^GGGJ$DJ4*{%D8YUycNrqC!kWP{zW@ML z*6R)fIi@pRx12e$n+yPIGbPjOfJY2(2EMUw^E3lL*HKIBXX|8rutgPCbmMYi5tcx+ zMz`xyN{_Z(AKtO=miPmwC5)@750uvb`{1Y(dj&VdX_#h?KQ&f6SOte=|i=*A&1HtkbWCcHga_>UjZ8C z=)`z5c<&S|H0Wd-ywrQZbx4UZukNvp{MEg4)&*`QtEY@Nu-|vB;%R6V?cUS}xDTPn z#4&U>tZfk2reOgEwr?KIN!t3b_iqk{6ge%XLaJMtd`@r2Ei)JzdV@LaD|JDU>i^ht z>J|V9-%f~H@hQ$m|=P=y@#_xIosBn32PWz7mH-ufq-?Jv9W8X*` z+kHcaZ`okfgM}63n3^XR^$?_7ps2JERAa1D1c|1`tAsuUKpU{BcHx%ad{zE%KS>^u z(bE|#@#9DGtgW!XG4QFL^WyyY1#jDn#Seqn8D~Y~Rz$|?EoTQujhqlGlDELJJyx3> zQ)#C?&jT`PV8+|tm1U`{UHS5zG7}bm%nwEZ=O(%|`c`a{M#ebcEA#iG$FBic@3g#M zccgmEhZ4&5{OPzNgpMUeO%iZTnNaV9dwA(*gyj%Vn&g|U&7>OFA(=&kVrqpQHSI}% zhp>*}4HpO#C=>?l{(NL z3(VDRfv8KL1ZNzAubjx0hmP@cdtMZt=5KS_wCz3)1f1u=a&ZZGQaD!DBE-to<{dYI{jY! zXUKyghm>@ctli86xi~q`T~#PlhuTattO|ohgDg(a8uhNl%L*N8hH+!bA;u6TvM7B% z({GA|#fGTx<$*PHJ?bVT4Uu)Xk(=IOk00#sE=AK4iR{-#7%U0md1?`DqtGgrFh|Q- z-$s!8*;z0}lC~$Y$K<YLIknG(*|S4X z?GkorjMW+h1ELql^dX)n){Xat1a8$w{{>6AGycE=IAGm%h+36|>ODM&a+0 zNv^cC3p&riD-}kTSmK@#1Z!vHcIDK)<>HwOf*F%1^s4NY{T4=xN2ECyOT|m{7Jo#i zWa*4GZpXf*1T*Q-{DuD!2sdDrZ^--$KJ-Uf)}^qPnuW45cNnLsj(uUn56;Q-__Tts z+Uh@=Ka|%q5g*gfi6tV*Duoq1B&W1V5k`lM+K)>O$7MJ*i){LaEKk##v;RLFKLH?v z6ixi@NPJ#iw*(}8)&Xx>{2eCbclk3Tf$_1ZC)YPSqIOoey|ITH#>qNAh%(Cy_}@6{~DU~%Jj+4)S$+U`0^_J%UQ$qq}XuUp6dOCaFAKc`vCXtzXz z;f;7Q%AM1q;lf*k|8>70ClkC^QSoIN!0-2Ti_xQLeEQ0-f8D}C_!BsBTde-`YogoFjtB0y(qW0VO)r?H{@oiff`bVqlD8%Yj*NT3M zlB&14sq^8Bkj~~Kzm9ASJ9%p*rP~V*@HG?!9@bM()PMLcQX#bG_du+YN zYxg`Ss{`=?rFp^#m45W6^I>BaXFOyY#hj?&ZeXN$T4KMe_m^`-E7h0B zs}|q41$z5E_Kx35SDV($w1N$nAm_Ao1(wIxlUW{vg=Jp`aK^^>L!P?~0-u-s>Vs@4 zhlnhX-j5RC^ZYm1i?=>51$sRP1QMGW(uzx4pC{p#>6f4PA1D>N+@~P(7`;fH>uQ{( zp7-H`m{zk@So)Q1=8vM0YMs44V|Kk8ca58v>Nq~p?k11jS!;XO;diP`-|LHrDX)cR ztFhClwe3c0yH=CB$ETf*XVe?xSKt;9{8=~5q6dBs9DKaa3I181kfZyqkQs4Ky?h+( zxft5h0e1OFc~W3{GV2ztCfju?VQ=|JNFxB#pa*$LETD-wAEBg#dI@3-rsk)VTKFzn 
z#t60O%Q&MPL#gl}ctS;BQG{H}V>m)4pIAEaR-!n04vxEYmZ zN0Lytekvqwf)%fviNcpg#-lM!#GI=cui{rbbD*Y6ddnTkuux7}2!~A-CqwdxMk}t~ zLl~t+uB`ZscG#_x=HS8mCTIQ@uIuQE=du=zgz{AlC@~;Zr7nmSh7YNh^MlIi$gRQ5 zD^_Es?ETwnd1O#sSO?>5!DOcrPk6M!s~r|9+0ckZNL&?CcVs=Jvfb6?n3IZ)YVPV5+h@eu!QGS^AMU%1etnmm z2+ZT7-KF8kk)VlJoQ#dJ8Yai)aS|%bQ=+0OM2Fcg7n=@1AMnXvhrgA>r}4-3|4KbJ zjIBXeHe@9=>l`2K4z)b>;8dp>+Ew_Mrrnq-*v{WpOe@LB`B`<5uBy5?mt$>uWuppPSLTRTw7U?kAOpoHnihP-|A(6-gQIPPt~?PAY5c zK!EW4Vy*7fHDCT5DkjIyqKXX?1&BS-+$bE6QYXQ0mO=e0j8r-qSM^vvOBgl_DnL|l zeAXpT;0E7@7!|VUSKd8bHm9b9G_A2#mGYEwGG&yuRM~OhcPL(}zX+~;-Pl_NKQHzDA(k{s?ExLXWZXt)!-as{jU<})Ki#0I}_;!=j+Sk^toTFXcOv%H~!?uN5rfePS z*O_MdFfVzW`L!PB58&1_u*dvE0sVpr?&#U81;k+bm)#bQGhLqQi#b|xyq>Fxc`hOH zt9rv+Z$mg97um#kAFWUUwtjt|C{e#hULrFb6$O$=(=Pth(t@`Yq*k*c$sH~p?Gj7r zzZqonpPFqbS&O6#58A8Y!etN_c<~n<1vdT!aW46MG&(-ZtWFNhu&iT*^Ror=voIZI zWX71MmXulz?}imSMrpCp_yu1~Fiae&ag&0z3#89W$4JxY3$6CiQ=nczx-9nU!Crwk zUeO%z3mX<^BT(8_f3+1QMq>jrV2GtNGYgGk=p;a@`POU{5}$Ga;;(n4VWdf<^$1~0 zf0ss?O@cjUtW1Yvg~`N%fM{$Sw5KO4gXKb)O-yJfLr(J6dlUD+*TRddEdC2e06;F< z3;6X*?&ZF~)!p+J>bI?joOupj#2nPOkN`#WAP3B6l#jsam=BQzDB*dyJKy)i?XG)@ zv3>a_;MQ(Rie1}4SQx587{87?sAT&6KKq4Bp{8-B?fj!}UGMfG?tZK0szL0r`&#q( zA|b{1pE=CKHay*GnaTBFP22P-j=kfBbIN?qW?3C=k&c zM{7S2l4JdLcsi>=zkmPrdT1~W2=+V-)aUeykeT<^1s}{({UqqTzM*UGCV3r8dMuhK zSth}}uzLG=AIj;nE>JN5c)vY4Yh?Ky#$N|(05c7n9(az^k!M-5A!9l|)@^j@}>t7JuF)o(}rQ_Whw&*q2U=;YSZ z)D-z7HyZ@qhZoliR1Sb;hI6x~(d#3iski%ZDgq33$Ol+!vTxA8CNyiihyrqjoPDfa z=5Qa6XKY%5vY0eZtLg1-H)lB*#{Ft{Zh0zQdMbLnd)vK(Ui7O<=&XrchVUmyQ<^X4 zQ6vt3cF!Yc=+-W)Xn5@9IHQuDS7b-(uL9ie_mLSkE>GDEHs0GAfPdsW-zRd|r!`5j;E$TqxGvtMJ1`^LlzX~Fzd7k6h*Nd8o9PBOKoqK0gucsG-Z0O3w z?wdIvwjX*@Qw{ric==IvnS>LH=a07Q&_W1m}bUAAUt>1)6AfCx&K z>tP$LU3-(ueKl3*1K}axeaQW%<$G6$-gP;X{Cd1P3^vBkF=Vw(r*gvH)0S2HVS1{L zCC@k+eDMf2xB0mTBhlLf~59mgJi1 zNFa4`>}X-$f1i`3<%0|u1gE!@eZXk~o(N5RZjjDLdh)}cs9?&wa|{kzBwbFS2* z=jy8Bg$=*pU}m-F89Z_=kMfPVl80-*3ab;?R+yQEa`QE1Mg9m;OSqljh)i>US6{YZweO}=i?3N@Tnyzds%?S4{iI$8Mwzz{-($9HF`T-3XBTDrNKPHfCSmi|{4=t#193fyxklBCW_CNrA{a95|0$OCw 
zKG~{s!It7KfNL*`JSSw3H3auuYROHLCwW^k7&a7FaL-`@KR7pp3c_Ps$5FQ?gQh{S zxZkUYw!u-SZ0Xc^F|8dYPFZ+@tFgok(ah?IqQgVJPR6V!F&^U>s_(1T5XGpnBj;oW zVMet=S7uwOCDpiQi+#T(9*wyNXm%n!t==%!&8qwd3^~II3PGc!+uYYtuZq=jbg>13 z-&NeI7rR`gu;Etmh|qnKZfg+eYU0GhZa-JmDe?8;z45BJEtae!bsum^aUX3O2t^Y) z$6s5O1<9&K$z2_DMO)K;u7X(CMQDkdmB+)AQ$pv~3jd502xri_8mi7hWY4b0ey5zW zW57E^z~8W1OjzQ51`3>lmwrf%rt`CWs<%W1_`qou`v>+P7{DlS>n?7KoCGU!E=V>% z93y3R#%=gJn{0pA_is`lBPC}T>Rl&KRxYzr^bjt`fbko4;|0hnvwSh^3k)>KD{%s% z#M<;rLyD$C?knmkHhe3V3YRXocvEhQpgrzI9|QtXC_+yf`l8*jZW1Lg>zUN;KLj|X zni?Q4ipl3vx+WH_A1bvW8(1PbF5LaqZhSm+hn#IXMGlx5YXQb zoqQpFB4O;>agca1nXAu73Fk$K{0fu`QXFK_TqGA4lf@AKog-QNitz7#)Dbk@^n)}q zo)X&aH$&;8%5Met@o`BYttXL$#k5@X6s|k(Xr>Ekc(iy{XQ{$ zU}L0afNat&6Ow{S#g#+q=9Bdv60VP8*6%ho)$^1sVy5OT)zYm`-F01&Ztf7>c}X~E5#QWnu7WM+uyz?Y2*lu8TI8~=?)xps8tu_W8&K4$K-i{jkmJ@g*RAOguE4> zV}a5C$EaErTRr_Tmjax@@plVqUw5|p0JVTC5*Pj}5<)7=uYFPhFWDarC0DPe9D0Wb z7YLs-Tx;y*lPPUTq8_)me;Rz?&BdBk91FzE%D3Zd+eg2tnV!RP$C)U=KwaCC+T+!)Wn{n@7Ay3>HNa=ut_?HluN%W9I}==$`M|DQj_ z&VqcZ;_ga_in}L_f5q9<;TD;A)hXv5r=G#nvq~d3WF@VP<-)@ugX0pN zo`Z!)SD$x(qhQnbx2gHzz59yu5*^|vtrnU&r?gyhUJZ$51Drc#x&;k(#u*rnB0Buu z_Zq~lKQp^?_`IW*6PDTLNj9O-?vrW~A3Xh@IZ#>wVP?)*;m-9<*Jq$jXR{b=uM4xA zj!9llXNGJk7F+Ub^TTQdQPoqIKk`Aa{ciYub zJH`ZdjvwMORd27p92C928XHb!7=c9MC4^4P<<>dfv-KqT4ps?W0s`Rj5&qXGz@VFq z0q8V~zT5B3E~iOAfN376HGsEVHP@-4?|y2#Duxi@Cq?hM*OkNHI;EV_$;5xv3H|tL zL|^~>$*VDEpW~2Y@PBwU_CLHTqZjeElzZ|F0{m_(kUJN$^*O-@QtwCRT^7ApSCMh;kC*rMVg#% zCAz`qyJWJ+AfxjECqYyIJ^P>F(NVPX@;tR?Kk_fGwI$fPk)fV37v+=W0axYucP4iMfzA$D5EuqMQ4%F*B0a7z|ae&wypiGSC^7F$Cx zDrH$}`pW7g<{k?5t4m>xCU4Ch_B>J>rz;aPmtO_OsY;xl1P8t(c3OO&H0d*lv?Xrx zvBH-9I9^BxUvq$3YwA%EdXbvElDeOI^v^v)#+3{@45L;t>*p*OgW2LJnc&~zbzu&^ zYu5D&9IcPiz-awaUPza+w<@xXVMC5BX2nol`UKnjOQ_+5n|mrWZkK)vY1{cfRVEoM zgd(SEJ1(iFHQF2K02XA$N<=lzWeAL4YIx=UL|tXh|I$%$m*t+Z`D5cOt_s;4CP*2a zlGDgG;*KyYJ8oDJnCVx1?>;o`6ha%eEa6^KM*7trs6SJ~`W2R8UJ#lszg;@OgMTqT z_Gei?TjS>WtZ+rr`5kDy6~=I}6cT#BQgJ|5V&Lc2TvfDXDP?xwiC|Hle^Iqo;a#LZ 
zd?}O7l`KsX(S1Iyv2>CAD$=pP263bJ&B8itnVhNe%wI!D5=&KRWwzX2tlKnAR|F%S zQE2rZ+~+G!K80IAEBJOmJ{ni&SaR*28qfexMKjy*O+zcFu*Bhm?4BB=|ATB~(rQ z3m(==me}aVOX}Nkx_WbeCAuKoLYzgVzQgz`=ijKE!q}yH^m&P$P-7j>Fqd-^et`#! z0l_cj%1u$>&{{O?cV98XAtKldnXxTxqN4|iH#xez;>qUDy0x+Wx{zU2v$FeWQ;psb}$(`~* zSrPm6gXoB?!mqaXxxvt@=x9OkfT0QZyx6cOG5KGn1jXQEM-^%HnOVi;BBr@hgr;;6 z9S9;56-v@kOib7;KYtQUdX2i(gHp*wAM)=w35-8RD79p{68s2mqlCK{2hWw)<{i|cRAIw04_PgaJC6d{*3gnA%)g9XEa`wk$%-_gQ*71IaDE{_E? zKoe7|SfKaRATyg@eZ(Bk%}Wwaub>PwJNMg9i4C|BuwlicU$1A}@{8EuwcNU4LZGfS z?c;5ZBjtXErCQ(k_9d7^9q4(T1u4L5J#Rj_5QxC*_cl63vfHdzsEzwkZ(T->tiEy>5>bJMOLu z0QUQNa<-DV&lo+5B34F-dEX{s<@Ma#Ac;8vw-(TL11vh1Z#NJ7BnEeR6v=7tS88(= zJ#*Pzu{wLe5R%$~o2SiJs6+ae`LPmxzbCo~{+=P}D&uX>>zr}3%PP;){Oc1s0iUsS z2A?Iz={ASX3;B`D9|oO>?}v{y`>c)ieLRzded6}lNKkXA9slD@ zj*5MakPX{u<^<4_q3ue`JuIZCh2MTrCkCFIs!EI3`ctm`<}oDza=l|RCsEpf*K75? zu+$+*U-8{Vtmb)_d)GE^GqCBJ%$lCF)?dkv(|d?kiM_|kzFu*9j=_Y&%BCTWjv$xd z=QYkMQNfLxmI*iW*I9{E@SVlUVVum%j$1DT)5J=iFpnzeS>8ho9&_pS5=FJD7JUYN zt|P)TLB<%>8b_tGLc{DU6~wgLO3wVM#3QqrUdo_^LkV}S%&N?*Tu`MIl&R|L)F6KJ zQgzKNN179>8dN8(g-yx)8EI)%#B=9joT$+!DmbhSf8gkd?pp$&D|!Y%(lD`iH9=ZQH;5U3w&K%_P@bg%hCD{i!e)G-Q=q ze%LClns9n-OmbFxAM@|OpTEo|J!Q{u8Gsa{9qrh|l0)!Y;=8$Baz@WHaAOiY7TqzR zUBYe^x&DQ^)XV+1#`rro1^KWFxNetRTdsAP;M>1aeJrsu8w9>of)o`~Dq~D&Mx{BU z)?6#H8hn{v3+9`XRKsmv4Yn8IIX0;8zo``mo5V8;&e7Bwvh!DzpqJj8X*fLu1bydh z;#!%L-l=-g+&z+iAq6UaD~vBr>~D`!HLWI6bzb~!1*9|+sgNx)9y@(mT ze{?trSFg;=ibU_CI#=+}o&QPeTuK8HC)^Nvr&Nx;T}Y}u^bsTtBzP-iAea-~?8?;xCGdFjYO8Fio~SVSJ%A=JLU@`dFKRVA3@< zj3c+Mza=dEvftF~bX^F;`UDweVIN#(XIOFN0%!jh-fQ46g~OgF0NXuJsQkVkk0OID zZ{~3nkKQ*~&%FRR!aT=N%I(h;?%>;z06ByRXIS3M<6VyRh44HEdU#s0Y>^&7q z*Fklao$pIfPS-*Q=gGsS&YafX;Ls}~{U3VG^_OVGOV0Rq+ha-E>D6vO*V=jY6#XgU z*X^8@pIxWJ_6FTAv^pT?4L<900MVZ=-@~C4+ZGMihJ)9U zR|a3F;pUjG#%Uah2Y>e%EnV)TNayg7pWYuRB_zu0euuW;#@8r!lKbiY9eSDOSof5) zrpfsReNbVs+QA0vF4XMWMbh{Kto_yaFhOS9?=isp{A$m}(K12z$D}x5rNe8h15wZU zNoBL2j<2nMf+xY75R6}k;gEP&VVrRthHBFweB0pbvm4^KNoynM7(U(Tgbkp!-bKW$6Y#xmI|0*l@_6(g$8zlc5PLkk9rp7L 
zao9nUY~IBiZ1Q;=uN{3mUs_O-ehI+A;XZS|_`pft@I2TbvB$UR*0;-2P+tRga{vI( zu5{fUuhaqzYA%?2Ywiy z^YC|?bSB@Q_5FLcuXg*?t~mjuCC$%2`il}GUUP^yJHXi*_=wprGxt@s&IcF`Bzlf{ zB3btees>E#&W{6229KR|It|&I?q$%+@1|xT4vn^xX|>HBquz_gB`G@Jm(ff%@Du0~ z+_MKJY5RZ$H-ls6Z@2tnpNKyaq?5<-4yZK1fqR?;30!6;K%_g+`(e&B_?hMfHC~0q zL*DdCHzY>~Ts9R2R-JL9IUwLIbM{jtFoOH7QmH{;<)tZo?Fg5KyF@0^jl>bID|i=h z7JGl5oKXr>r(@MThBVJGAeCvqL-eg$juabrsBq&3Eh?sT<y3{9 zqvLg_n_xJ@BZZFoRNFX;SK(PET|6ly z++%HUst?G?=Ns|kgV{SrPbt~FIh&v(yu+m1kpyQ8dF?+E@L}{eM4480K)m|25&0}9 z6Rq(?16 zBCEJMmyVS8s4qn9Fk~bXqx)prh!o!beEWL%(5#44q!p~U{Z{4dI2*Y5?2uKWR)0NqWM$Z*7P za=dt(vYgCu5u`ZUf?wElLj{wq|JI^VmStUzFDyc}&EonXvUgyhp(d|cr`-Ch%VI*b zDGLz_AY?d7^Vg(*ixdRmoapBjMR7H)B2)C`C%Q~${HCEr{o|QNSIAn%>4L%4s6-gw zD4Tk_Cva@9Y;*NEh$1|8&|_8ioa6fQ$>7rzc=u*r{a*&Ib>ZH-nTpqfYK+5xE>Lw_ zsKxD}3rGe9v!qSO;!zZmlK)$7^i zR|s*4sI5suMAYjNAtdA}G`F*<-}0*dQ7gZEfEO7rU+o^0qC`(jH)SJm`7`aodVlAr zXM+{OyB8|0c<#9{BZ**3afvdKAOtIY0zGdvIwf8IC+C?`+#3|5KuXt9HzmpKK{3{0q7xb|XVmjuT%Hk`II9S(p-T*Ku{Ot8-}0lh}fNMRrw4 zuT}1S5s>ag`=s$f_OS>E&mw05ehkQgE_%TWgcl^<14;jw6V6&(AqFbmX9^*0G7t#uE?pMqvj(>0l!zV~{kQQK=dW_2Kq}jF46CUdLg%se%VidUudPaXG zzm_e8JI_RO862hmcE1pUx!Cv~yYzw7L_%T0^l^^e>4o%)VTJ!CGQq9@#>T8I<= z?DvY5*s#6`H_TyTO;4yrSh82FWTc}#s>3h^wMIVTG#SF{1gN0-5vR$RS z^WS?HdmGsm1NX^W9}Vn>W!Y*=CDG+mh>rGp;m2D==FJu2rToK7W7|euMb2X%9njb7 zz?;u!(N{srvS0NbUYt2TfzRoo+F)D#IJn1tDZNfw?Rio@7rGhET-?>T|rfk zyc+sZyl(q+-5+_U z7Bh7A3QN?nfDYjG6)>+k75M2oGexYscVZq!R{gxUQ7~TPm(K0sueZ90%JaFdz0ttl zPspJ?^SG>djX%`|SBR){+83mp&8u9TlJu;0I!!b40DSLh{w+^r_4HD<@Uog0pR*8T z&3!g91K)4Te?5BJtp{C#_s*iKHN#s^{YC7v9B=dyHyc-$sj9O*tR@!SK$cSXnGeea zH)aO7bUke&Z52W%)8_w&sITmb16qP4Kp;Q}?hqunyTjn_?ry=|VIW9wcXxMp0t5)| z?k%-7L3TE_SmD#)jxhMt@a06FvlB9R zJ-hI6f_7HNmW;Ld_C_;x;d1peB$n7<+V7?$x7&Y<)6$^*{ASosfzbC&UeRI5zj^km zUe>>HKprLgYWd=Fv*)fE04bah?A}89&FH)p1oS=lFXe537;WW1L=~1GuO!!guT*pL z1KWx<@9-m)H}l_X_?kENcRqH#AE#4_&!tCzp?T2N1m{}lzE+Mdgypaw$i0{ubsws~ z(-EvPDU%50=t-&}U7TB>Yrsc{^^&i^nUP1yiH;yTuEt76RkC8iBHAh&GlZ9DmLpDB 
zmWr=&TPOMukN|ya8g;MVt7%(r8$ZSUEWx=pUf?EsLaoq}WD?JQwn(*sNf#ArmW}}8 zP@yULmx6|j7*KimQYHArtcsbBb`pEFmBIrve7`qOJENk)ruTL#+_5unZTvMVnz!5m6(f(@2aKRmj#fx zh0C;Vvf?DVrd0|d1#Z6n9?&B|BJkI3vW~V*B&S||1Q&&i=-cJphjN(6X>^EoW2yC( z$hn0l(T!sKL&!WgHV^xh?DUJl%d|=E1%nxolQ$^Q!>GfvB??VI7%W0i^F$LZWv+V@ zP=Cv<`Rm1x`E&DVcO9l?fOYaYHe&vl*0z|*yWx-y!1rPmix%zUrQv6>j#!d7?1X`$ zLQ<*5fY^-hq^uI{M5GHXtMFX~f1(x&NHJ8w7Omrtu&qhzba>5w#EHb$%F#@j=Z_7y#x#A>T3@Lq9EBZ z?k=d41QkRC_iXccqf`9h$*5OAjpi|NVxLmq0%G(Jb^k^8TtiR$gW2+4MZR8x5x zGhN9g9lZfa*+^@?qKh5hy(wo#B(ab+l}ZHl6gq#FKERFh7%wOw56m2nli|vc>4xwd zM4eFs|1$~PKJ^6r=sN@yYV=gLxcv)TH%9Eq7cc%s2#q^R| z`4=*8t74#8gh^2Qy-7n1v))!V<}v<{A@n6CsL!3DXa-ygW*xwLVtoZSNHXNh2lo{j zpT4~S5dQd7{U@~N8H^D3Tx%>08TBV`Hds{FwG`7i;8u1pqf47@q!JRZ!_~>|s2N)z zF=lr(2(`vva^pJ{V>16ecqTPm5kAvaafe!xL7cRD!nhKZkCsN?`PmvaX*AqBX9l%V z56h8P!A80=h%TgI*-hDPd>R?2_9;ZTTJKniCU(S?fX1~--Zv%~u^d_hhW1p=y=7Qi z4bw>m+gV!EVV|v9Iq6z2`G}bX@5--YQBtZrLvc9qlzHVuC<@@#-12I{4*L~fb6^tJ zJX#^}jNMjLoWMWW&jnWSH1SQ@pb~c>>`H*fx<$OM@^fUtF9`t#jvBJEq z5ym~X;S?#Yp~q-+oAug{BBA&<2_8I746nuH3~IG%3_J5+%Yin zdBnRp_*}7;cn(O6A_OLE;9<9T+GoS#06iN&d(3KhgYObw0T)Z$E{!X?@3x0QZ#Fe6 zyM@gF>g>C#OO1}JNz+&XFdO`et)}xFQU-R%O;)sr?$ze~hYRsA5vpF-T>DgQ=Y>vd z_S~9kj~~P)mV4*HMWuR}%do3{JT+vf-ow{>Jx7+`^WOi>Pf>S2N_Z zT)H$AM3pukjgsD)toRAl88obQe3A4psPCg@C4Ra45VpSD=BHNI@4gfp?s>fXF4De%8v1I9 zpI^lGuM*QDCu_eP3(NQGedT zOs{@}-*7%EZ?#|dJHWZDN^Qa&zga^+{1f26{_Oq^~~*z!dcgngSR2K$9ooCEbwCb=WWQ6 zgM+-R-hDqY3K!G7Vb{;Opzc;qj2ho!;rWNPcLl#_aBViHOQpVopstV4(ev-im;UcQ zhPmJgcN;=iU&u4S_P5~8x^+-|4HGx}Z6+VBF42gA+h%f*`Qp<-*PH!@_gbVT+sU3q zHeARpoMA5n_#M)_cfYk={*rrH;fDc1vzDKQY(As(&&Ycw{9#y4+W~=5AjKca7{qUu z&da-LiD@G=^ba2ZEwB)LI!GZ3gRP*as^I|%vbvoSev{KZ>#2OyEV$&odq7nBD zer5bGGF31dEM+yC!PL(3Eua_EZ^l20HN$>-W)W}%O6?SCD3Yrtov1a{Gmw19GZLMo zNFxVDsE={d3y>bd;p{osD8F56aoWrDFpob{?WmqY3-@*hgL=)oLm96bthP0D_1Sn- z;G(}V7FdhYw|$iU@-{YW0vKF%Drw!tN^Hcz3^gfFgcXNfNBHS42tPfAD`_nfM_Q)w zz=B!C*u^70ME6l&kNNh=nW{7g-5E|=1Qz5yMw%9-76!A3rr=1F77?jac9&_BmOAh^ 
zQ1GRwD1Us#j8vOjz#}@*YM74a>&m$a!v8Vv*(6ldq*k;rw|7y*2d@@!#X$5uN2pEB;rk6UT7?=VR**0O4brd zq(sPLchg-4{W4aSiFS$4uUhDS?qL|#Ueook(4g3VY8|PTzT;djLJC~laW<{h_9XXe zvGduO#lNyCu8I9;vLI=YRMfFSDtKOX$gLtI90+-}tPjnE+!6cNKR`wvO}&$x)_&kB zsU@e0QT%h#VdeWb96>~YBi;0^BJkIpu5#}P2qFLPbFoP;VtRDNG#O2CfR55uo{vBJ zAFGtYARTsmi8hg7|6*I(nv|L{j&Umw(|)KMw}m{bf&&r~YP=pjP=_M`<0ovQ&|gBM zZ9;NQJ=Ut?$_iD?6`f|$7J)HTJ0uEROfh)QxuFniT3r({yJ=hIh7_#Ocy;)4J?}5D z*bIu^HkM&~e)1`7)tCfNqD0oaO7n-ScS3lHFb&F}o1a;Url_+Dschh` zEJ)8kIo6hDEwrMBk5kmQKg+})qn}QzF#Vun&v}Gt4!O~YmsU?u(in>)L0NTFQ>YNl zgVLT*h>+(g|8OLhZdjSre2#rogp|*gzo3Js_MySQAX<@~-wChGwUQ)1wzXki6rXA` zK52&!?(rK zvd12@5)vf5i-YUA4`$HP@bWE22-I1>>Z=X?DL|KJm#@_5aX>Iar<+`H{W6VgNdC?vRn<_mZR3R z0v8nF-I=Bd8&fI2fFN%?gNgnB;IWYuRfInJJxG26;zxHL`M&3MY52AQRz#N|@x5Up zf981o{lo?7OM!++QyNhRZlivOgudU7X`O zh~ID*2Kd&pbKTwKHH2QP`ymd4XD@J^n9EXQs}}Oxkltm$?@~V_yL;s(R}AO7)6oUj z=FAo(?DZzQSFdemi0_rMt@~wm5UBh15E-StjU0;(*l2d2TLkcf8?cV-Jx|l;99-OW zF7gPbzMnTvIxGrGq-+mZRo1wE@r#01oh7W1+sh|Jro_lyEZsa1A8faQ~sdqQm%G`tqV=d4bQdv-0ZBa*A_*4 zZSY9ueDs6CNqnlmH)77J?HB>4pWo41PHpw`ng8m!%O&^owmOg%)Q7S`^6jik`@r?C zp)f_?H0a}ppR`xTXtf#prz*Z6T~)S%nBYAu>cRd^5Y<~?)2Q`Pk86?dT%qJdTNe)` z->pVKYTfI;)6u&SYZzxz>tT6mi~qM_bb9a0^EigtOVS+Qhhy5#Na}{ueGOYKhoXSl zqBD}Avj5vO%o$S`(K(%cCmd`;>rOfN-4nYL00V_W>;}nR%Hr27-vZd}q@_0oEQ7+P zj&pmxZ<}TeVhLSFcuKSXy&s&<22nw*g6P&48i_Yu<7$B&M_X*&q9|*?A^)RG{%kW3 z-`0*{4mx(gvfBj>SGU)yO)2qQ`|I|bqI=7D&eff$uC0!t%K{zayE*Tl%C#CEn>UQT zjHe_gAo!W8Wx1$)QX8^Eg`$6y40CwN`N5C7{P$@iXCQ!B$d=O^$~(n7Tl4!->ugUr zL~R(84mh~KuW|N_mAfTs?J)zzpVcTw;dC70J@>5~8$An5WrNW1mY1UD;_8C$Yh> zYL19cW$M9&8B_5>sZ6fcEORXB7RULF$E7wa9o6B;&>q1W)|)Z>?QY9@UG#*R*V8ul6+3d4V4+CPL7@ z9WMw<{_Fk>_t(!tDZk;kb6Vh%q`csk3ujd@$?}!#4!sNIlH=}0bYnhC3l@-6=M0*gGovMN# zbtA_`UZ0|_G<#lv5S8p|J@QHwE8Sy;2gkN6t-cg5#`>k1GaaizeQGJRW(&8Oh)k|H zlcl=sQCFSR4%Y04@a%vxmBy!jLG~EaA5`Slv|DPPGZUF7a^5mAJe$Z(izl;QQmIvy zF7u~p9_1_|QinSwwT86{p)&1w9jw+##FBJ<@Ep-%u#*)KHU35AC+9CmZIwy2Rdl1Y7_(YVqu3YD<2w) zRFMq{-;6yxJwZ0uw;vaQ*p_Y2Oc3p?Hz49Ev$?8%vF1)7W!Zvf@b`tt^8By5LCRRr 
zRLX_M*&jbB&rDoalffxu^cX5i%b+6Pn7-n`~?G-aQe@hQ>MPtAE^b71*>~m*d&j9JivZo(UC(!1*>;UB%G9|9F!0<~Uijy?|m#a7?Ls6!HCiSsn zJ7sYi^xA1g*ecb!H0u4Em_eujm0Sy1Z8kjqr=_4hUhOizM71?qnL2z}Wy%8@C;H)C zmA*u{5v~66y0;MlNzJhO{6mfQzUfh3IfRG69ZyVIwY7&ljgi}dIs@!o-uUm_3dL1X z+WCRX_$&6PYS83a3T2k~apNc~{QBgiVl3)})Rt@#mTIHn1IA>!)^|fe^%w=&9mH&K z=LO=31{MLDH(F$-UzA`*gck~aSz7Dh*vXzq*+Lsc;bdk+sOI6Co7&Og+!SLgM6`S7 z0|=3$^N5k_Hrsx8SRfH{y0sNmv@J}qi4?4qU90CA7`-;BUyx;t?WFx&7@#>ych31A zK-7@~(IK_ZN5BVS*f$S|w4C2NcExCb{jgNXBeachj7rBjm9XFv|lWh_9wawR) zLD4lYT0T2-fc1t2id;buftHoudx)iL(u`Sud< zm8Z0AYD%Hwl-=XrYxJEf$NAZSIP|f`Yee7X^rdp zTECFPq-lR=>t#Lu>H@+f$tO< zr{h5psGZw=U|@8#(|r6Dg?UIRj@oDR2mXe7?5c zLPu(Gl)}Y-+E1Xc=I>!O+<7%nkA?2*~_C5AIXQ*{oUO zH2_?>4I{nq;oTcK^T1ZWD>N&B$8gI6zB|9c(Q&0-_B4F@djEZGpWAklX%4<8_~Q8q zc>(+&@8Gg2RjqX0`5|0g(3r z1iwC9OyvAxsk?sHfB!q{b+=yeeN*45q**B$f?rf*I5uVgz2SajVMzowab9DK6|m@T zZ^xL(W&}?##M%L8UJmcaZOZqnEOU9E9t_`3(x@JF36}SS@?4M3yr_t!Yu{gFr{0~4 zaojucRwQz9_#b?C8Z0%vjNbsFPsV*9s%v6roJ+{`4B%b%s6%n->3+iF-F@mU28{m( zA^yLvp|S56!`n?_Pl3#blvxWJyf*e1c{Vo=sp_IJ3f6(R}Ta8K4 zUl|=Oz|B0ZR5~eDD=G7Jf@fl8U+FZLm~yNnf6-{hGCVqBcAhQ~K4ZVy0as+w$FV<#5L3|yXppFqLeapLTIEv;!?A4 z*N@eh1uHWu#Z${)=s{xMDw8Ob?GyVG)_ z6+9F87@h_(1p4kIr`~k4B(0M9*?F*Z12waO=nT#M@J_MtzY2oE>I0&z-$JACsMFnW zk(h!jww+*B#ptLV%-l#95QXB4GD4t;Zi0+0qTsnXE>O^*Xy=L|i`}w4(B!I|P#)j4Po%IBesa1&Y`?We0HtB(GSAR^C% z)y~Ob(=0UZp*tMfLphNO{lf@ApoTEA1SyArwiC2zBLo;I0Lk1Y)UDv!bt>Hh!B)NGdaq;)^Jj&~Ta! zS$!*uh`4B*&+`>&#)~X8Z&*@u6H29#P`gszq(>q#MeGx5LFiJR`N8H|E+TNnh6}=S z>iifHj69T)=73^3c*K%o{wPC3g~HH;E4k99qxwOET$vN>K+1`uoV?Sh7s@q)*uLcK z`tASl&Z9^ViY#nz)&^3fERa4a5ghTz^;vR<2k;!D^XR;fme?S9r0B+kdB}oE+q<~U1PyM=CA(`P6=}64WkWVHrcxy zWJj%9^^WAG1eVM?{6N7|D?tF^w$LgZR!fzUCwEd;RIP+~cL%I$&~`z2-=}+~9gYvx{^7*%F*N$9RGouP#YeUIYyKSL@KxkYWR&A646? 
z){&#`NVFJqp6Gg3?dHsXUz=teuxSMIy@FFxuQ zTE-TBRbk>C%Cq$G>#+ORV|&CtuNI$g)CoP0Oi>YqlvovEKSuNCkLP$prX$N%A%VEy z4CgI>Uxjg1f2=53lN8tPTui#qfw6nA$5n^jw;LG)AwpR$5G6dWyMMw*Teeb<-oPl1 z_ic{Ia9@>3oeKX19ltd~pZ-|N(RaCj*PYrGnPU=N4O`LLDH7hdWI8#c@DtX%WLh-u zj@kU{4YTYBB#mr*)g)U!`W&LwF+t%Ic}$r?J_0?^V8$d{ulAe#M2nt$1R`pC$hI+( zEh6j&Qd7s!mEa2VMW{hFFGyKHG(a|~Ba@Oda9cP|KwJ8Wggi+;L9&4l4qo`Ha?UFe z7@#4mhUNW5@tdqYl5|eL9?DUKy2j$zib+<0HR2Gs-hO+wU4nzu)b&?NR#&bQWvi!o z@mJU90_{Jn%B7{q8Hw8fYpEUzZbNc^+8yswyF&of$Mb9LUU7`!x9ONV_KvJ zgi3DSUxJH$%YJ_;bQ@vcf1D{3h#~V zrm<(Pz>)k7K@<#YgrUFj)*i?<$)ssX{~uTz+D2MTr4GFiyN&{Tk{ph#PJwYSv9H(o00F<>UYd^;iuR8yC>nsP zGvwQ)tkw-ru*alf9i=;{`uC7#i2vQqX{jMWCm6nx&}RqV!_x4Ab9^}Vui~qI@%`$Z z`h^Y?_tohEqo?5Q54zO-x3xK=nuTR=4DbnlKXJo%OVMzA-qW%7sZk_La zO}zE2ec|$wb8^{gD5du?P8N8x3MT&Y=zH_8mQ&~Pe!(Yo%G>R;Lv!gP`0C#cNIs)`O)n}J%)Gs+)zK>i`ok3h~FOm&CyM75FM16F#xTtOk*M$F6SC%wXt@Au(sC_0Br?dDOST?atVW=pBx zydhY!lF>6Z!^f<$zE94*7YQjJ+R zg~W!pCm3r?;NRn=V+OY>z}~+pD4U}zNBY1LfK49{l3~|H=y7-9Wj3eZra&)b=N?66 ziO?i_?FL1$=IPqt^5XWzLXtmvy?)0bj_={6yXATU`VPO#a}Li+=@$Ni{{g{+7OseXQ?%i2fvTuq9c0x_A%jT z`@&!)WXH;wy}dXzaF5zxXHN zFx3sY5>vS6&!KXkS<}C{P7Qx8tT_Qid?;+|NAS<@OjMpqR;$(a43U&-4SMI9?8q8s zWQT3_PU{lEZQ`r?(r28wOSCSes(ESoFrU6>+GrrJr&OG1%p>n}raRY>$x?75%M4<5 zazlgK4{>K{>&@s4p{^~~tXtafS7RlU0~9`e1q9f}#&6Voewj?;GHxZ0!s7{4LtCko zFfP{kcHectZI35|pM*CSJ;a%FV_VR<$hHh?@r6O{S`D{M&@T?fwOZ35eXgKrN2c3KD(GtC7uzoH7jY|vZ@W`j3_7x=E5s*bFGm{X zkC&2gBgVJL{cxN;CNVXrrgS;KZVUa3VG&2u@a2~%j~OPkUs>Tkd+=W!X(e2bj3V48 z8W;&v6Z16VQ^wdQEcM!>J(5F_bB#|oZNhmoVhdy-Qw>5Wg~AzoI{un|(xWA_5rlZB zNS%WFtsYxQF7HQMr3!|;Hon8Zzb`=O7aea6;hMBSy({wHK$tGD%CNibdVl{IB3W~{NQF!4LS9afTRLlJq$(e}ZTQga%c=`rCBl=Dv?b4n6Lxtq{) z@&x+IHzs9JffZ_a`JqLe7$>x>Na8O_DT3_M}CLA3dT)B_tvdx@KGrBlfeQ`X0jx zn+`;jDn_-Fa!0mkTv)WmqExwOHju_3uGAjz_ql-5oli^#h9$Qek8thxC*}HWWy)xh za1kbnyNY^SDs`s?R=ZXik?NqY2#8T38xkF<_Q{29`b`C-|0L?Oa-BB_YoSG^!ohyg zvf5`JEs!aoXc0uTTCx1+H&s1B{lEwk-2srR9~Ao~MZG70hE|8=AJ%T65SEI! 
zz4K@1Kr7@lgAEQ)wo~~$uJ?%l3TQ!`dGa8{7_c$)V-&99z?g2sL(*;BzLdaAuG~@=rRywXGpO5@bK#{0|e-iRd3rq^8P$Dy^%<(0Zv1Ao-aN2C_5PgwXwdPBbJXp;WSu<*^!#&> zxhJXrRvAldIIwbF)yx5v3=;m z=yURqA?QE(*yGKU4o4|0Er!D#i~yH|Js{byO~=cXQX;_KOZ#vB7WIh<{nmv;dV#lW zu5YBohWD5+_=ig6cN$?c6K&Jq47AfJ;BnrEc(8(haCjB+269Ul zaQZ=!(IqJ~ob7O;=TYw=Vch`fJMVQ?>10CkfgrafhxIGWeu!a?=N6)7Rm1%~pl3&G zXaD(7qDsDsdA3%|E;-l0dufAsViOpR6SH~NywIu33a<9CGM%#5(`;j13;Ikj`a!obT<=NFt-wPk81~~taX>jw05s7Pa8-;+#b6tVY!eHYq zkPh(n@&>tm>b*OM1j#QzeCf_JpA;2?PtR-9vh=*);NRfqrse*%yWjn1e!m1{>jl2g z1#4x3EMupn^R&;G- z6Ykh=w^^TVc-2IpnJA0V-`j|#^cep(=p!7N!mO*z#eFfGQ{vZelw!~@2}{7d?F>qx z{O8Y+d253QC$k`}PPUhfKb&bMJhYlJ>W%t$0UWFpKEl7<%Eq!%5lYV)m+j7)qPfbc zcgVm=LG4)+KWD8KSVu)uto-6A~qdBS2h6YjR65?1j>q)f?5GoaCMjLQW z2Kh3;R0xRHnvfpE^Ip)@eRfaGwk9JbM+)-n+WKmm6zVaejLOccFjyUA6$pb$Wc?99 zWvsiSwhFq#!J(9aSimF?~`L7~lQQ4&0 z#xFdq&T50wxr2ErkHofoC3FotaI|-oN}N!p{nzRY^xrI|B)B61<0C~1?Vq8i^NqVo z_p^J7QW3X7Sfn!rzj77_Yn1c}h47Nu-4Bj%Xt%0t4ajpQP&5`r*} z@(MesBXd6)CQ5YH&BPF0q`Q(_eNa_h`O*qwg-rST*M#MmD6J`Nu_8zCwQL5O^;R$f z&=DiOBqI*s=&`p&*Mg!%uv`(Z{vj3>eP~Y?0(I~;JBkR$O5ww}WoAOsw9Yf%g@Ro^ z=OH0vVGP5c)XU-|h!3NN3QW*MM9}YsEy(JUvW4zi^cdO)4eAa5)i;4{Wfkaz#=&q_ zg;n|d4aAaNL3S5$qKw(B{SU&F|wr2>i@$rcmVH%3pvBL6&*S>*p`1dC8#(X{CePM^`-)6GITle3EOCM1__JK=}F_6oF zDVIM;v-GU1;jL6vaWmTRq->aJ(-Dugb0A02LCg^6^LUePjNfff`~8LrsO#Yd;rB)N zcHXUz17Q%rbHW*gX_)~v=6K6#f1-5*S1{Q2{?FFb>ObuhwE3rvb~;61Sm_c_(}-aVW&K@6sKKvwN?2 zOMM_Q*L!5+xT3?L^8~~35Q}T);|#5mn9FC#Ax5|MCQ)`U5`XAn*ujfRq?c5#)9=~l zcj@=mi}8W!sm(RFkQd@b-}6!rrrR?*pq>l9Cxz=0-XI&X#-+fSVr3xcY)gFug}<^{Uku1xkLLT8A0>jbym`{dZ$X-sbIKgtT$7S`}FWy)^z84wd@o( zM%v@wK)xDPpQl)lt)~kK*ONcDEqsRENq%6z_J^Uf(y3C$tuc91FcFt&*Cj@&{q44w z&RY?|In1J=M`h+>=Y2~dQ!nT0)zmO68)G+QXl_#9cuF(27gCB8A^6I7xYGE2eb1F_ zV7%)p;(xpqR}c%*8~q^v3O|ZR{m@+r5q=hzZEbJ1N-*g++ybsM-R2HGP6EkT_t#JN z+0D`t_doXH>$^`VnJH$;DOkJ|I7G~4nx7hZ@W_yrvHqszNX5}s9)c0|YQ$&{9+jQa zBnX)=!UsvS{+a`t^cgVuN#`82LQ>{;97#q-qcc*8G3ly#mt`8=6Y!&0X5%sPvsGQ{ zt&v1dCA2{{*-eQd#@Y92^wJs$7W`+zL|DwKZImoOqsvQlHc5(q%8WKE_u95~XH6l? 
zJUfZjWq4zXqA$3|;U6G!V$-0WQ8g}f95q2P6uQgJ#JQA{)hag`%NTJa!t9v>mtj~~ z4Qw@G?MSfGzy1AFf(9d-Rq&-L!|{n(_3T@~cR`EH>VSzgUQu;kWo@ekI^M*X!E|U< z%mYfsXFGbiGJ#Etp|3g!<^Eb~o*eLf(f&%GF-Msg(jiI)sja+D-X!kZ@#0j+-X7~G zJ~c$Yhg@s0h)c~@hN=^2?_jj!SSu2g1QY{r(tj<+cR=kQ_>TU{iVzHN0^TSbVR%-3 z@vsr885ez4_UB*RqaD^ZkxQ^^QVs|=6%va{E29yq$t<$9I=z=w&{o= zrmcw-t%X?g!;IK0gQW+p;Js|!A@ZuuO2P;+qC) z8hb>rdD_GaGsgT*zQ%>-t8Ic+h)PVNvw3^k?JhemNMztkT^DsNzInk4O>2MB&js7u zz9>{8V;TOL0@TJBRRs~6XXxYw`sJX!c;W%oDi{;7wM>4YS~X3y@Z*DRH1vW9>lZcF zQO0x)$Lmo4bd2x|IsjU`9oL)gCs!toSm zlSVZ$e81vA2{`<@S+b%qvj>8ceo5%ha!Ts(+=Vt*)CLQEWcK0>#vsyW4fS)U zMWAA`?nS?94S>?n*u?W$So_qpMZYv8AM<3%aP;v`u#m^LO@2{IKO|BpH#Z%N;MzwY3w{CC7T$|cX0l4=$X(JAH@jzAlZ0~1mKw&@(KR@arb*yAW9SZZunj>q(v5x)hueg8^Eh7{j}zWX>$U?sh>Js= zzQd{ttss{TZ(7P_Ws}rkUp@jr*5-v8C9G zpWJ)eEvS!`DM&DK%JNt;3-0v`37OTN^m8tq>99u;WJU!}o<9sK)3grz%HKaW}rHW-y0RrM@?b^QxR)kIGH~VlU zB+n*W)RDHMj+Gm2U*@IMT~NugCpb`tQA2i-WnwE5obY z#lva~NC_yqan~Bo=Ti<(Z=A2fd8C zGZ_w6-=3}y6Z7n%zQ+8{8)#*&(Vx~z^S#Nj`3Cs2dUuz(%=OsA`nHL6BERT&5b~Zs zMhtw5M8UM*E5qQ*Q`~qQO1C-db$?DgXyLvtgtre)>Aj1!gmK`{hi`t$=`Xo$$-F*H zQIzxX-WVGmWAOdnYqi+paq0iq;ql!UhejFR-v4&TlHnDkO;z26aeqT>05oDd`J?*D zC6&s3`RC^~-{aZSgeR2d*NerO0HEabR+i`aYh`MXs$aI=MvhN>2k;W4N%@&M)7rl#jCjO%dPg|VE_?Wu8m zolWCg-dsyYYf9rAN@;e3W9Lt#RBex1n9V-`9VvUcp??Czf^Wwmm9}21{YSNYCTqwj zUC#pNZ>GSue#y?PtL*~^`sIf_U5~eN68o1!UWE6XKE_xq-Cje7R8cN|x6(v_pV2Ln zA==am|HH_2tC=7VtqkW>Lcslb?a3U8gm3NWnbASHArrp zST!6@SjOf}^JI$-4*%_Z5i&ohF|6`X+N%8GohSzI`nq~=oS%UgFc0Oi$CLT*cOL!=i*h5r zdk!_ofC;_@-rVAtW2mrUC^|rxnIvT#cw?^9LNFwiOfx^Z=SVqhBClI*jk{N}Z=Zo1 zo0Otcj-bzLZLHI(l=4b_fI09DEkYFGs?RFv$LWv!jj)JyrP>tw0Vh_2eg!B0SUa4I zgHQGnf%+G!=ihA5i3G8kemf0)>hskz{!|B>sLh-@kVrpsG4FD1W`Wyy{x8pzRX2%z z>jo*sUO0<*YG}e@A@JBAm4xSK0tOP9G*n*3SHf;_3uyvm^9t?g@K0rtF@2xAjZ0aK z{-9^t7O6TFXJgR}3X^7@a^CPqEEnpj(!(sYVaN_2%dDI%HcB@S$oOWH@D=J%@YxP~ zOX*vX!?XOvm^k9oDwQ7(yZ_6eBWq~67J1ow` zGs?T$8&?tmIH>%j5BM^rser=R{NCs}Fadm4Y~sELAah3--6&UQ!tW|I_9x%`P{O-^9lZh9Fp|gg)kraC>e}e 
z29@%$s|E|!#iqP9E*qSK&8$tLi7XzNwAdT*@z!)Ff3RY0$-c(_c)|NTePaSxIl)91 zyd{1g*i9V!I0pG`3z-8pp#5}LdHeXh`V&|j%`?pNYKC-$F!ETvtb&P63DDlbpBIdp zPg_hja5LB|7LqPeXeC-NmbP(iJ4_nJ13C4YM})(P;_!cIHg2%vn zGpgD-8uNo5T%>d>v(c#V^jL?+S)l@zW({X6{is>yl1)U~e z5-bru`4v5F4BNVENa1<{b4%`j&-H^X%u+fE% z=mWi>5c2m4VAw}h-nAl>F>#^~_Y;Ni@cSOtb($!S%jD*i*A>ey`Q3$@dhQ4ODBbeD zVp%e9yaR#!y^nlsy6gL_OPMY8I{RWY$$n=$osQ@-*>1km+Z(*Xy++(b_FniEbXz|> zn`*udj9a4Y=$;<*c9_*IHJx+CrmWGPSG&wT+!|!`PB9VFEgca$-gjXgDIb*pp}4*o z`W$km+Dlja%pynkn=4j#iPy8|_;`+h3A$FL0Xb2zV?DknYYyG1oHIz@w4H8;V!3=? z1rHlqFE<6c2QmR`77r_y`d$a8wPj4X?+@V2Gw-w2%n}E$n`l`J`|)*;{w1VMw**a_$3~jMe*Ny{9`!}OAj=;QkuYyQ7A#vrakcQjoaC# zLJQ)0^7qEQ+GKaTMvS9%-{g)xi`tKj!sOT*?-@zmDzWp2ZMSiP;feAr-xqt}*3tc1 zYv8~oU$Kl0OXCgmLANlmj(e$hKC4N z@7bV>zRjDJ2SBH1Ncz#n=UlTh3I>VhP+-2C(hr zj(Y5q*&5Q8mN8hK_P^)e^;f>MICM6mO{=}cDr=Gq6{rj%bSyQd znOSd&_F$Yr6$*73s;031Kv!DTB&zndKl5y+)f2ht$guik(8hp5keAUF)Q6aW@ z&X%Z(f4ENwCwObnb7($*x(nb<{~=^Co}u1C=x{9D{u4XWXhb$;;nym4j8=mrp20ey zM_ZY`eX%ZCttv%{fy}o?Pi^D?vQKN*Dn0ngZmP{lqeg!%2&xIOL1ARNZm9X(*l%#( zG@U%l(2dY+b=n&Yzl|M4@PASLL85LS3wIJ|VJtl5E?b>eVtJ06N)r9e8dbj>JE2>~ z;$JFadQwW5G|#79xCVae#Y(x}Y3NUkYziMFci(l0n(i}G`h*s2k_bmsSVM6e%z{co zjx?FEzmQE4ztZREyI*N5pFwu88ex zmDoCO-xs4~&-?D^`Z!09!T?0}=bn5lxzJBq<91AevNjbfDB9+QO zCl_jWS7vqV$ssD`9vTCW$gxqC^!t)D2m5Cy#-rAq?tQiEpq{h4W#nw~QeX}FTP8P* z-bNOZd*4_dw z`E(d#AAW~&cm>H6aB=PnC(jffF5?A>FP*Foq_Inx9psM&P_j4pl5LD|LB(;6m}t8F zb1!PzB@O$=>zo@=XfNs}gEx7v^Y)2-v_&hh&j+g=D_pn{&$D5LpE z=v7tA=}pa9(A}5y`>#Th(PGe4T<*j2bT_zBTm5Fn@*9f^HtwStj|O>)r(yMdR5VQL zhJDAP%A&D~!%K6jgJq@|`jxx6qRL=ldeNV+Zm-7L8D*u%as6cYZm}IVdTo7C5&8m1 zRqv|!_Dj4h6|+eboOGQX8_kXEX%9NyD)i171NS za|qN0d|=`+A?x8WIw{2?bZmo}1&sL;6@_x|*tkWN!R(nvf9{i>Jw{}qs++)Rjdm=A zREdDLh?E(4@;^_7LKPglV27QX*T!@Yw0z~}v-X_G-(vY4WBMwr-_edeTC(VtLz+nt z%qfi;Ze2R@rBW}QS$nK3Jy~!31XLPjL#glo%@TA*11-KVPwR zo>q((WCW%BJQ29qm#>@c62DTd=PoOAy@!$OvscI4zx6(3=&@xj!|g%dF6Ya(0q=wg z&0M$R=?}ptf2WL$B#of{)rcVfrpGD9QC#AkfLjacd=Hp@P}a>WHJ#o2Z9MsSUsi|z 
z8V!@MT^?rw;G!r?i6Pc=I|!?3b9X-fVI{%x(>3P38us$pIdHQJ$n9jb((m@FGRR4t zA21h98t_i<<|KTX>*v^g>ipgrgB*m98+?35*IU+3GRw?imGc-G-|hB}*AMi# zoD#HR*`eR~`$7xL-Q4x+PA}+bwd+{$x#MR=gYT{nh}iEL{F=*$>szkih+&!X6BPu5 zolbcO*=94vW-_HtJ0+`wPBJ6%WIKbrX$qE{PLcBOZ~PYuMKfYJCJoJA>wfcM-&aGX zSM|m|&^n2KZr*C%CRaTozXV%t-RcXTc=D(HPO=sXV@a zcZ2Wmn_!=whWi9*Vua_umloI^(BV{;TfXme1IYU}FOJ*D$e+38Nn*QII{i zeftkaZ>u7gb!7en2v3~X_VGP(tNY(MDCPy^^hErEKL`2&1R=Ba$AEqzY%sk)yhkQT z#CCXeW|Ct64(e|L%`5#4Vi6+$onrKd0$`{OqGgT+sh^Rlx~zG}n1{~<(_4n1S>b95 zSfu^dXV9F-MiUr0+_dJL&o+dVs@6bAk!zJW$04r4me#eM=mz3xIRjfO+7RJnoFQe! zFT|R3h@m}r3`R~&Tpqvz@=u)@4SJu&r_`p#K&So=h%cCZi?%g|Ubf zhDEy<#{s~8mk2Tb4wGk>7=DVaCZ=%Y+8lR2cK~mOp-T4#1u>m&tR!NlXQ^HzjzTOGwTg{jLBh#_(|lbC!W^duA0e2Y9UC0>uub;;9!*g!PQ1z)OZL^Hbm* z2h&MH@vYyrvc-#Uy;bM4ABk{i6eXGc7Kap#+hbzw*lnyS3Zo#UG5d3`OC1?)Nj=`- zr#RTbT{TZAnQQ686c_Rybi_51pKF2$VSK?sg%ql2H6iknPv5t+EX{d#bjc#sg;co) zr{fSQLDCq&s=g4v1H(e1r_2$30hl5zAt9z;YYE*1=ypT8?w>Yf9 zb=u%?3QSoJYoUr%Qu=XW^mUrBV*~T^8EU6ME1~zGQ;_(*KilCC;Jng$5Z00BSFT#8 z@>3XSC~OvsVL%2J6mFt}s`O}|FZsZvQ#B#(li6@SYHxVrK4r}N=7-I%Km`HVTAGu?5IMY3$PS?AiZcith1!aS`r)v^rMvS_i@ zt`CDIR$uJG{ohpFwqSeO(pXPYta7puA{%ios)u{mJT3xeg=PXvEe6)VOW!rJu23>{ zrZN9iY9Td4bD=)QNx;gi?2;y%%>Er@jDc<-Zl(E}e2^_7PvOCIQy7V=m=@$sSX~TR ztM@2rHfrDNUnBp?X7CGq-JQ#Ds>H{|^$jO&!C}jGfv#-bo3-EvMNVuLd)<%a)yD`f zIm{NB^=s93tLdc)`C~d(oJvG>2z!L^%v+<6AfEWw_D^AoyE2e7u50VyXG&CmU+pG$ z`*qWMEdjD$fGk)T9y5j1qkaXqttMrRjonW%gqoFGA$oOK1$rb2?}{oUDHMH;?+`}+ z$lYaz^6J%heaiS~7WT=su1KAmD5GqO78N}?^x_tLgtcn05Ib}tvaTqE|gF0Q$l}+O+ZMQ=)a!p`zeSsstJMa3*9a?XN#SQU1ja;Y{7IGI4?V z`L23K=SBScTVzfLiTBOyM~4$h^K$vP+6?=s!2btO7G#L>yY#8B+G9{);;jd0ecx%S z9~1}*L8l>zB!Qs98vNSIC;?G4QG^b`U-aaIcn?c@wpX!y4sR?Btws^2pX)!2O%Ll@ zr1iar7jm}Ypz!NjUUk^Fw@wa+4Y~6z4|tCh{TkfvonPgG0xNxt3I*JtSU$$QK!aad z=eE2uQ*NgAIhc7OhbnHT!>jwbVrk*lVN<(4Ye)ADR;~W-)gg9fUB~%n&w(dS=kd$< zzQ+&e8g@3fgg&<>^7VhEN(o!LPV(ZD;z*kwSG|lG{Vu29hsWw_j1b4>GusYJ=7sO> zsxk^bPOq>9J-W1#RXen?8~mqZ_~*O>6Y`V*hi&BCvRl1JF@v@H9c!keOr6WyZ$+oO 
zru1|CzTEpGil^1+9eUU6=UA|+HT65|CRJ)!f}8nm3shG1U2}7NKJrVMenL906Ntot z0qqI(hJH`L>wRJTYqrbwDY@jJo4Q*7ae>=wcaBl}L&Hj+@!ZV2>(Jkm84DuqLoFqz z`zP>cM`8odVPa%4m1 zd+%mD2A&2h_=(y}gK(d(HmCF4mymK=9Rn@bEuOxvl0DcTgs%te4Wdpb(oX)HwdC`i zAZ0tiGxS}NoumJzo<+*<-Fw4aAKlMGuL}9qb~F0e^ZkMC=EbqaZO2cuh9f-u830V6 z%SIOLfXa5;oWa^Vg@9WRWnj=O-FBN6)xuD_xTY!GbNM%_4bZo@Be+c z1w5aeAXyQ$TTmp<&S;RkYE4FQi~6ck9is0|!Gt{?8?Wn2%oZHqOhocyFvobL9~ z>SM$!tn6i25+zvpa(!sA(q;Ozlb&PI$R`q^@FpV+SeY)}_D^p6(MG9iVz_J)F&*1twc~ctEkb_{+IoR)FnT20 zC+O;z!{-3Q4THy|s8v=Uw%Q4m?aRNpCb#N}#A9XM-wER=#}xI++j zf7oSK#97j+G{sh1JvA%iH)Af-BEK=H$lMykihsDIPaKDs_EwYg*}Z%t%Amy0-!Z0( zIhL^}u*~gFS6O4Tch$F&srgyGleREaxJ0Z844=3Oso@Mk-4pGTnH@!(B5TT@jB7I# z{V+TZTDX5k{dgD%U(;n>pZRe~{^75=a)dIkM3Y;31+ph~PR)OSocrsa0`j-DqzN#HXemUBr5X@uQ z)U=Y?AsmCJ-73p-hVcL$y6x}9zNvD(iwXM%hpyz9O7P8-GGlfl`Y@R6YMuX8fz*?*%BP zKR{o>Z!+5QP?R?RE8mh^Kb)Pn_b#mXJn9KAWzOXwd?F?>QhxI2XKiu}?K4VjnhHDCDjk~r6%5Ej&sR#=%{SdG(J1Vsn2$kfM$c^zqKMFdSYaYIv}T zHTXOAEhZ=m1osX*^ou7wSAWFou|TaM@BT`V`g6PQGd^R(E`VplwB)Je=E&>HW9Dgk zR&c}bGk!Fk=dBn$boz3dsn_~kC*l3E0oDO@^18>yZP;`R-9X?w6<|j&T3>!WIN&w6 z@?{L_=y)!|{&4MiwmJx;H=w-sUhKaPaR29|^a2T`pW}CS`AWG#TXnR9q+^eGJ3|iY zT^YkaS@d*Tx4zG~T0GLVoAD1Mce@?sD=>5i>*5NSN0cV;ekYFieW_pc^gld`$=-8V zQM|c@b!x8|8>j+&OsX8`f6X#!=B{?1jb_y6b-l)pd-8V#EC6R>&ZNnYx**%Zkz?|@ zhWMQv-T#vH_NAN02;-CH@I?U3`OY$uPE z59{+jB!iZK#WGm`rzIPFIC&|=-J*@C`Cb>_+bl}2ZX=WSom{^j|E=D>{Fg|9H(*-4 z;P>T(*Wp+luYs0NBW5EZ3%Zs}dMv%y4QWGKM?tSyowDh!{dfb=t;SCUXOk}S>FGM( z@#dJ^t@X3t20u5MUS?z4f;<7#^Pg9T;wdco2Ltcv8CqwM~_Wj2y zSjD`jv-{_P8`Z1Ro>lCf4KlA$n?FvDdPDp&ovt@?SKs?T2Y!J-mLOUGzE3^Vv-kP` zro8T^gek!EqXS_>P}Tr0wlgl$(S>L0zt4MxkD!AKrTL&v+0R+26bkMGd)Kco*a!|Z zY0f|LtHycOg%`J*6$Ktl`T~cu+u&cd5H|DESu?-H3;1%>x(npw203LpD_cZlr(MQy zH^qV8=o!gWSXnrL@&g5upz07#zwdy0BDctEGSw<6aRysWHcoLf6zfFWEK`f1gUMq! z{wJEX;Ex4Y3t~cL|HkE*)M^f=vX3!+)-YLXvLd=YIc4EYDy*xa=@^dx6wYVC zZI2zwHC(=}OZ24DP*j^BvfTWJpl;i_5XKdj(EjQeZim*jTC_|A$(l?mI3v!J z*mU=H(_LBR$rxym>oMm%SX^!wQzO9eJ{3oh*(9^c)XX7fmeeA{liVc`8=DePLMljEoK(ogmZ(bJBEm-?fs!%|D71_! 
z)7M6amNz>WEy=iiyCf508iSe{#y1Y{aJ8(KDan-JE3Fxs-TTE3D^f4K6i1SnOioI8 zX4We+D$@E@#Zfwo^he|znv3^qXMS>1!Y7ytpsPKhQDZ?I>-K|lekxeM7=To8HY~BQ zApJ4cc&?fsXHy4u?y*I{i`K)Cz*FsDMLKO?f;3US2q^t?`lwn;zAj>TDvyfZnQrvC z5cEpm5TN(bF_rO2zDesC@?pi6)PE)n(m+Ofu@&w7Sp}PsGHwQjMWJi0PA4^YT}2DP z>g$aTO+*o=G=)PJFq~Reoy;zOh{z-R9rxe~CaPZ&K6+4VIFA9&re`B<8ti2kfoa)F z09h2+&Lj4azk%=G(?kakuZVTr{de$TT;CKY_9XY~9aP@!ce6wAi5Fk(mU8_%JSpAa zf{vzTl~df!&E_g^KGiSqqO$3YYVQFQ3X;H8le-^GHO6wnu}B_=sJ554B}wiqs|81W>0o8@NZ7zdt4ayN$_jit+i4zj{)@gl8DINWXev)xo`UxCW>g@EgPG z0R){bp6kCw_RYTgXbGneyv}LW+Yx`f{2ZtU{FN^#zuW|r(Z;5CtZtmhEde|?e6zIV za|BzKT6q&@cx$}gSYzsX*4x-u-qSkKPp^H?Hm|YGf^__M_#0YvBXcV9`$mAP2w?*S zZiW}@m#zoH8N$s^s9=591m3I1+ppdgN8=fF+dGdlyj>-r*OzUlKoq~IF1J(8ZEKDM zVz2n2>zxzVIwnDPQkHkC753J}=M{`gvXN4EScf%e-hoy&t3L0Q6PC zMSpXi$CI8D4spKc6JYQ3x~^k2yJL|Xuz1{>TH>NKWlk_^dfe5b-Gm&>VF&@xC$CY#7>Lvb&gW%5d5@) zO(s?tF!K%o?qNIfn>uSdF5)^JV)i|(=K1)hNjCPZ`riD!H=Ja6wBIl90=)#>aGVAC zzV|KG%Mq>9T<7>rY@1!CY2^tCLf1AQ!g4!tz3MP|A7~lBZsY|OU4UXPSUdDz?e;@g zpKZQ${n6`zwm{EFK{WcEz`~{}j~bz;Z+<5^<1^g?0f)31Mtgng0(Yh8-x_3N1doY; zWBl9$Z6^_tLbU_0oAQ=d`jhsR;F!agr{4f8oqzYDIirA-R*vj!gG z6YNei+PC~q^E~^k6N@wrInn~JXE3q+KY~y}pxMu`z^^};?8`eH^y}8(ojN%;_l={Y{lp7T9fIB zNNHQHtrF*|J=Kijw0sM%Tm7*$a4~7c~=9+5V!#9}vr3c5)B4J_;R4vy0w{ZeS zlm^?m`ygk6^HtrbJi(J6Zmt~Zyc4BWl}sF>82>Kxnex&5iT}b(>N%m5{<`$^?|;Q- zqfa&c%uiunq`4`LOqCSD!Se(@oxoh$IB2KLWn1MyZS%sURE)uPZfD4{%N0DPf--So ziwuRIh2G?HUd0C#Qv4-6kiX>G9W)+k3Qi+c$X4*NbM*6BXbs2!$vWnDZP810<#>|n z`OA3q(Vmfs zu&9Vmh3Vpgh+&e^(fEG`QNi&}%@^bNcI7ltsvT3{Z%q<3OkJQN)fvY-9!e3}4^8xw z-_*ri7}jx-%oGhG(ZZk(_C+e4PjNPf?Tq`(v#WZU62eu}wHDVGDp4owwG(q8SQ!q0 zWa?`C)hm$fn0Qyb!-I*Y`lvSoU5556DH18K3qk5kHGw%G^Zo~7Qt`d-7sBojkN3hx zD`AlRx+qsUxsmFN@S!Ws$~8hGjCFKL&`ngWS*RG1;CVLf2bL8(w59NYrFT*#HB{~) zQ8E7#gG*fbFb;&2Li>M@cau{`EtZH7;Q{QG>2`|_!4CB?oop)=9#2#$_E_>T{7v;y zW?2;ADE*dh$mAK^!oN{I_)b78pxieG(MGmY=-I@7m4;Lz4)NBsT$QaSHL*l2vij7eiB3EsoiCV1jG`wCP>pHs z;DiK={+5=5m}Qp)DSEfDUTOQv{nduOY8UY29PLw{Y4smC7B>H)zVBbucj0{bs;=U<0=GnOG 
zrr#}2%=gE<hoJvuTv_J;hvxbJtM7lcs53k;YGC?FbedWAD8q48r0Hv4*sn>G2qqH z2Rhf(5c*65v~9;;_SbjDgW9#7j`u{BYMylyKKzd@J|kv)y)Ku}nYUV8N@(`jd(0c} z8>XLgz31m@GA#AqAB4HWkpmABIzay3YgzA4ZXIjpnwO6qj_)6Ht8+Y#F^t>md!vj< zK1YPW_>2cVCvDf9xb04{w7@6D+P(*vm`~uJfNR0~jLlxRm7N|v#ULYKr7EA7y=X+ZYlL6QK1k^>4PCPhSVnQAK>#?eVkF;_%0_s9}$S&*>y- z*?QZ2K98+sqq3exdV6%Y>aH@1H_=NJh%TBNFaeG1iZI$?$uIYbtXYyK5 z#E(%Bv8g{cD2fts_H`17tUjYmlYu%6v~T$zx@-RVHHvW;uc5a zt4Sx3hQgcTJG7WM5m=^`hN*fK=6<+d8G5wdFx#Z1$B(R{nilcmF$7n0^-1#ZKeDz8 zE0PhKTk5PusOd2_I1s&)`c~#Dm+6y8oC~kX=vhS)l*2qcvWeY%5Ed%^gi!ElB4qi* zdoY=FFtzG)B)Gg9^N`CpIgUrsbSt=ODO=tY2nUVZVLY(=RXFOGc8Sd9kFkr-YJGC* z3>*x0h2*q&Nx#Ag#0W&f7oH!9X-S&%8RN4Caj4A8qP?3;A(bYE09k?1e{D!@5`hrpeI^M;0X`F=GU42+#VMQS+Q!I@zD;iHWu2kNWSz^A+9laNoYZEKG#QpsofOCA-zpV*=S+x<8xEJt zFyTr}Ktu!395KF`YLR&aegqYKe4;4Ip1#y{C=&~RpTP{l)n~idAR^s>t!C`jbOR+> zhd<*KN-)0CLQ=4R$Q%~~|M3P1Y~PXMxzV!MB2%9+2M1Gx@zkFg1T24b;z^2p-Ekec z6SmvAaRb2z`F^%2cjSCItHmBcQ5b;1Hf>#aFn+CroaIjzNh-ql68VWv87-Ikw4{L5 zA8%E;8Ei1&DolGRlu;te*mV`}gBPd8VEn%}Vb)}M($%2!Wa!fWHlRi?bc}H_;4&jK z+H6JWS+)^*!wUnl8DbDra5o$%i3+0vha1D1bs?tI%kg!p1Qtv-x)8$PK6uuizGd!A zdZ_=hL@#2S&^ohWtkt=qS+-7PZ+hXuX?@39Ia4(NbMskm$W$gerq{Jn<2j5IE62( zr=^c~XI?5_38g)UoYGhLr|~U|BM-l(uTUEPcVbQXmOpJ%MTZM#feB>0c5Dc)s(q#@cPe`qsUo$UNDsBwe!9w& znu5M<$Nl5vY%7)bBv_O{U$_F3l-yuRatwE^Ww($|f-xEbX%tXVC~pkkmbfxrcTf8a z1&6QFBir%ho_q)_=O0hKHU=ZTODO$Azyi!$Thk?`LMJ3;mjs{LGGCT5k#{f_b=AtB z_Vdx9LI+($aBepVb4`Ec5|}PADZ)}Y(>h13YKej0XvKUtZvC??x#Vre6RN@5HA9Jr zn&ALV6}T{$>aE&}9}DH$aWZj>r`qfjNPMc2qvy&B2^AW+yE%rKC1Yl7gH#K__;IOB zKVl^6Y7!+v*{0IRmfSo-WuiTh5n)_eAr*DzQy+i)2i{?kp?-f>0FMWriJ{)AL4|6< zppRh$>w!_?kS{mcRmN8%w!q7HhVWZ9Xy#KC2sP#mp;Qbdgu9lW0^hWa?caRF{f7J$ zbb}mQ%<{?kx&8q=@J{44)$#6BbbNr%&HtY3v3s*L>$G!i=~|_i4!EnvT`O*T z%+vxYUVml`T=?yY_82{`n8m3H>-mB1MC|}pa!SPRQl{Ik_=G$T<7?$TLN1@9_(B|f z0dsZdLW{lEsj~%*@?L^%?~x_)pLZ8dPp3kj0G07;UwZeyyS}ZNAA?L8JFZ9PK~T>< z{_FA?`GK=W%pMut%X~J+Hg?-D(`Sp%{lHjifdAHc*gA7V&~nH%Q#Vo2afnmD-z6V@ z{wkxj-KTF{P9U|9R)NY#k1Npc41Sn=a6Drz;OUf|yVq?s&&$u`eAl{;J%+fxe{`#k 
z+5c-;YJQ*=`qFDyM-L!~Yz3~$HkS~c*a&;) zobdstf#{G9j~z9NM(^BiFZhOlP~W$!o!o{7Ps{s1|H3yt1xVWVM}>{dn)G(u3)b&` z-Lk>Xm`2?f_;T>OjcV;|TeVqX=d_4r86MOsDfJaLt=JB19Xsq_BDYtE4s?1X^>8^? zII;8q|AjohO)CLDB=*)XzuV1i2Ufl1_gHs`6YIOfe)Rh;y!AD%Msn}=c(-^JU{>}J zxUT+VG?(I-o5Plw_C+a&|u$h4j zqHfQ1o1lvfc-s1yC&%AL=9hQar|>qgAUKkwAJ z(oC&$+!ABKByjb66T8PJ3m^Rb?3PK7BJ33TwkMyJ{TdK>{s65FDi{ZWbUuOCUrh?# zAdxlocM$1VP{v8beGpH;O%NCL^S9Xbn^PxQ_ns_bi{j~Nx~XaN+=NcqP-?N1gZjC$ z4I?VAGN;>umxFK0l;mm?6h4IasJM5ytOxva@AE~VcLGd|mbtZsLK4EHF6MfDibL$ zu3aH&H=J#%Q$}a$MroZ33U&IH)k?8)%J2XTOIK~yJlyx~fW$4E#GWF9aQ4JyvQ&?q z*Jg35VKK6WO_68q@B9%zEtdE99gqFdw#=YLk;ppvAi4~6&uP4l@zyqLeHP@TihA%q zpri+!=dR7Rpqd+p?ilfDbM5|87s?@&J%7wb=2haF;^j?_ld(!xAjp)M1JX~0@W%cG zLf3f{PCH4iJBF;#IrkPkEyLKZvU@_)IQIjp#Y@1?$0W!ZR80Dme|fiX_y9fZ;B-Ty zSPvN{e$n!;#+O<5WiX_|KsMlvb;=$=mbUO@O;axVcaJ8Z7)f&cv9B!By0)s}+^)9L zKti(b{|jfMeO2PyhvW6eL-3l5C;B0ZI&n11XM+9WuAV-gkI?a^GEthS-aM;XyOXiO zMBrlhb1t;^=L(d?lG77gYH=}ZbQBsTqA}`fOyqj_T)4x+iZpzIsO~3^)}cl-ygZ`X zLW&t?>Yc{V#!NkGU5weixk-Jc5Mo2#yiz}mo>r2x;YK3tfK3_U;s8bt346Mn(^&oQ z;JRVjRA|8B6-)4NCLZl8=Me5#F2k7!{G|DxUN&=d3lD)@hI=toDW7Hg5DD!0W9R9I zYUmt@UDFDRD2RWEuiCh|KgvmrP^!y9*4?Wt)$JrPVjli{OZBt}Iym-;7Ge8UhVsy; z>hXhp+ilW)>k$qt*)I%=xVup2d~oVL+XZ5$L8e-aUB609s}%1PjzMecFq4RkTzN>w zqvgvBpem^3Fb*qXIMV8_sE+HlW^+_hA5peM2G@ni&#+r5!r!@Kr^Sajft{yb28|^B zI#G4ZPZ4TT`xO%=ALd|R`_qo^@jdxIU=;iE+C=!_{o|AMgLyX%?@!xV>W6>7)r6Jy zi{2&meaV)z{+ixw#uK_xCJR5!LsIX*gCd?4D18hvexcMET9-O94@#p-QstHyytrZ= zycM3GWy<4~h|@4MKjDWLZIgNNBA^>lWT7jZAfITIv*gOByi=3Ic-Y3X#Vh$}l=euE z(&aS|JjY8|X8A@%VI4KnRCOEV*qoBQsR%5m5Wx8Nh3GW|V2JjI&6Pvt;v|JZ_-0L8pa)q6O4U8a;>Z?pvrb`O`sYK4s-nn}-{52pM zAuD`xxXzqldTbmRo)_!q+A!^T2dT(isawmGA}B(Fr$U7Vsb>_i{^G3v(as`YRd7ws zmX5Q}*2r1l9vsA)CvfOuULfmc6G=gh%uglD1YMp*x01VMc^PB?t1YiaVcm@7svHnF z%guB8VFcl$5L4J)qil`Ox#3KDj#1OQ&glbH`3U$GN|_+JN1&;Ip|?U)BUvhiP3eZi zDUBGZfMCiw^1J&~Rnhc&3YaD%BCxhFFN@1BTL5`k|ll<;?7*BC;B{D8HR1Hq4%A%d$-3Wn}RfwiZl`p_j`#ZPq^UH4`&qltc$8nLK`8{_H z$a+U{$3wH06gg5|MUfY$W|?V_+2Bb%!gPB@C=X7@!uaEp9(VVSa#{T(Ri&%#R$D8 
zs65Xn^t*04M1BVDAIm)xHvYcuZuq)-VS4(VjOi?`Y*G>NV)s0qWz83N2;v8c=6Zto z7d_1#yIAq&{IfJx`VJil`Q0MPk+*J=!$DYkj^3d7Yx8Su*UcUyA^X?X^FX7I+0o5Q z_v7`MOJwGr1Noqh*GbuOT_iSckp{-57e%e~_}BF*lbV7g2h%DGI0{@lAzXo@s4OT<}UR`mk z0rq3VoAu6*aciF)^`1-7(}35JE03q!o7#`d1iat1@)g(XJ)o8i+CSNTf?gZEOJ?T{ z%_{c88YMk*yr)WwN}D8pdr?#K_|m;Tr+vgG+`?X?S@MF;qb~fjy&rvNDb$yrGvMR< z6@=Y7H-B=)iTc>Ogui;%+d!Pm4Nu$D?0(WpIl$NH15@eu)2c($$R9=z+$#$FLQjRD z2eRWJ&#e}GM~@*5VfwJ~XC@GEK}qm#`-;~={A%)znH>#+&XVY(S z8T-HG{Gcy%_NV&RX74&KZ5ppYv-wCR(P)UctH;VN7A)4QEZ#F|ZzKtwR23;0K*7T}dW6Xo zmEMUKkD027jAa**OB??v(a-!a!=V&Bgi{n%4E0jE+=MyW5FITecA4lJldonzX*{7a z>brgeDLsi+mr2yXCd#bRpe1!l0H>L(zeX`_fp)^lIu<=cdj5=G%P8WhMyGj+7CS9d zlY2En+GH5#AvlXV>`iJ=Z>bV{5A4jQz(A^~qyk&9AEHl|ij0L-OlLyQ$-{_RFl$MN z{m90_fm+(vyOk>|P>j%U+B!|c+4@&a2iuNfdjZMGokIAg8(LlHYhhfb;jTQ-ImTwB z#11d5Y*rS&R!tr#7w;w~wEa(yNS{{MU|GdBiS;4Gm39-De;g#&%z9z50d62AktjM5 znDv-58GmZaTTUOA#`4D*aAW{?@CuM>*RLrFYT}a+t zI0F-nf#IzGJBr%i}B{wEeM8zv@6AZ6-7 zKu`0J2fboBJ_Edsjz_ls+<|kS;=A#D3_&kR+LR5;37H_G11Gprp`2VzLk41bQbo7t z0v^@rT4AL^{m^wPfg_Y!r!Kd3w=w0keZP@AJw_?Fa>ph^Dj!sE8l|uveya!FAxas< z*7X{^?MvSr$X^^p9HAKIeW(|&{b_Yc7#R3T{d$`BKb|&3Ym>8qrnADoX`K?9CBf}0 z@ey6AKO)VrXS_r!|G|_v#}=}h^HBL{pi z_WP4soOZ3jmr;JTuE^L{>}R|$?qAsr>y6tb2?v26NYNNuM;4`G3C$jnr(ur768mPs zCvRD`#LKV<`pgkHJJG(3Ge`_uXL}CAB@%U4950^S8E53#td7OBfwgEK{l8=J4#Nw; zDJoFi(#kg{vF~LK&A;#ez@(QD+@fz06b@TLop*HZ3fz|5({%*9pXfY}`v})fO&T)} z2diT`PkXf~(>XQ2x9Exg$}Z-NoU72|m*J<0;gT88?ZfCd7-3H2r&GrMh>odt%#Tfk zn*=Mgi%hoL(TeKE`$}{3wBX51?EJq!S1w2}% z$?P7*cSR%wGE#gSVJF1FZoTqajyz8WjAU@$99nXmdD&ahmPPy(G)x-I784e=7!nn+ zq->iC++i&QfqiS-)W@EH?unOuO*Gr*$#}3<*ARzgeSlXoPXx|z@nZagt|abQv%Byy z=Var>ka5xI3&h5gNtHFfN-vVucw!=f9uhc?g%NhAcH1KJBfIr?r3yD2Yki^ziLx@f zRBr3w&g?2%*SwQhi!l4=mO{Fo>iuldSYj=(ZbMmU(H*3HEW9x(U(;kgi3hHHfXr}W7TOA^c!E_!EZR>B5<<9>H zp96Ss;iEyRpO8wIpbwP&^Usz|=!&bGud6u$`H>PHg(5>RXk=hd_~h$qej`Da6^srQ z5hM))J_38LpHGBtUju^ppBHz=o=lN@KwTDG{Zd*r>!&Xqik54Uk`wGb2bj4?9jUR{4OusH#h>cbjz zFIRTi9Rv4a1AVrdl>}+?8rK)&Gzx+q`mRin8T+pKkOl6H?Lh_w27O%p50~8B*L80F 
zZyC7ns@yHYJwAQw!}FSayH`HT>>%eUVW!TvL%n=o<0i_11W>1!i(7hD5g~9wo?UB> z0_n4}ZA!FHBk*?bRL>T&@<>zK3k1 z8GH=s-j+z`Z`pUC>(PsJs0fwM&)4ZILzYL^J@5T1TCZugb2Nx4RF#oFa|71Cv5cq5QBt) zy{juW!AiMaQ$|QLI~}h(@jRPGo~W|kHV+5HuB#psF@d*3W7Iw z+}Wa(2Q))x5OD0(Y2nMgw&cw!J{N>oESufe_}TK$=Zr#OnZ{%A;XBM#3o1uEE^Dw0 zA1B=?v4FPR2ADX~>XS^ryKRD`MMm3Lhb}t{i~8O}j-ok6{Uiu5{3Fa+ZqSmcR?V zZn?IF(Uan=Q~mq0cQqqRyh#~*HBvl)D;_s5AG3U1f8qX)sK&gzk>kcV5&czz+?pIL zLPKD-mef^w(#x#(Hx^F!PYJ=ijMt+-Ez9ORHb@M%$q(6aDoBz#d`P&WCh4!1i!QTb+f|}_)}Q)hMD4NqN*udBLgMX zzWeBTyw;21;0$8irG%#)6B;I()W~6OWQ)Yif%ZRzV`q-Wm!067KsuXY1#id?i}wXT zy8-WuL0ILV_%W@}Ycghi=C~+!S@C~}#@XDlIrEmxyH}cNnA#6L>yqI( zYtX1k2I!UQb*B#AeNaFEKnE6A;oHygE$QLE3t})RXw@Lnpg*b8~ z6J^f1dA98+J_lHq;?tx{!8luhQRrSa|I=mNKouz7oDw(a-=l_RhL2*bto~%2PIELGmpB$TaCncQ{xtw|T%9tSB&_rOH0H==)j=ZB);) zF%HimjrLBh#FqQokzG=$VyNDIv56!Iv5F6`;qK}(d0=;SDq%e+bl z8)Px;g^>yOo@J1p4u$KJmMmRVXNQKxdMU1RjT;iIWs&TC)pSQcGOKk;q<8`Jh}pN9 z!|@_z6MueMb{U35bQ6F_tCi5@=C^N}_BSXqj!wdqh_&d}myigryx=yfv4#rIS%^Q z@PhnAep3LI{%b#lI>cWKl;y$LxA^+@zRUxhB>YX^+ zzm`&^`K_lxJ7K<{`QuR~qRp41%OgY8jk~sGP;U3&`@fJLvz2kH6ZWQY?k?9D_9}KR zzvo|(j%zys9$5~=xh*4472{VvGGxCYne?wa|2>XBnSG==(Ht=Z4j)hH0a}l~EaI=8 zLBN+o!B2B1|Lb&EBELA(`E1X>ae7zX>$w_&4|x_?ve&A~w5) zv#ZJEP;q9?<7nqoha8tf<_>^={i0+)aYPKca|26_BIa#x2k*I8Z_${8+h_2|2B>?n z4byb6)J~=6p&*Dr{#)?cu?qIC5 zIZsM3a0p02KMCUR#7lELv*=ii9AH<*d;Alf$GVLxRgNYx^hA~*P0ieAP-1#uEuVEb zg$GT`JuW4^4v*F4a{Pr94}QC$?tS}nK1>Fp*_ijICWx(&egA#3w7 z)w3Eq_u7(5bpM&P|M(NcNn&QycIEf;Z%&NEFa^=N$m;c^O9|?@O2gKa0|Q#o zH{Z8O2H2)VX2)#V&WZ8^cqA9J2rA;JWFe#K-7y%EZD|hz?Sv41b(Ugyg}L`fCh83v z2&PD@7H#;FbER5ENwTo|Dw3Yk7p&uCG2`9@!nFfsmkx}@Mkw}G7O{4TWvRyCJ}VC+ zq5N-k>P+5^uqwa1w=5RD_(T1Pm2k*1taE0}SO%Rtmj&vn8KT zM0x7#*p!971eed#lf(OK-MkEo-c#u8R3%80AcBklSCHo*xfDQAoi>Gy89u(Rp@cHP zFI5_@-%+9Zz#^X`+(rs3>6bL9B|AxZ{vaF+(I9r_<)NJIhJ#XGkAZX)79u)YUd2O0 zNzd%mt&@#EN+{pA(X6bmr#d8zCMVmNAW!w=)|gbUnV?xZ(H0jHPWLA$Qz(CNHUv_= zm_$sj{QISANgxrE$H2qV!%$bKBh5z5IX#Q^Y_RTe&(EGdU$0wT#VV7ej^cD6AomUB z0r&;t88)A%fR%vSCNls|CTJd;>&h z`i<hq@w;&&4>7su-Y{L*akY4i 
zr!X&7OlAa60uUpNo2p=*6l__a!DvL1RfKMTwpA6ZX19w0Mu;yyRag zwfW-;eRlFKp-g1#R0gC~63A|3W?)WvQrcp;d*XXzs1sOePY-7}=*@82Sr6K%j4xH` z$mR-kbq9!(uMh&VitBBG=Y>AWjo+HK&nP*me`bEYCBR=+AmbTG3AE(fz()O4dVLP~ zpgf#{`U;m01$hZDP^632?BqYZ*(tZMKr}L6EOF9KfzPaAA5Mg2g`8V6a?z!=Bl3@T zy30s+zLG3e2~68`uSL3TCVnW}Qi;oG$_3gVl52@1{LcG+FhN$_S7Sx#C_NiG*204S z^jj*HX82zm@$ek>Aw6{QWnQ0?Ws8fo-afcI0 zn6v&;L%YO4H3sFd79VlOWxQb-Itjk%opIBGrH8e|_#);vBBj4WWn`R8l+;shW9qn= zveHWu6~^Vv`7GN>kTPRT*s*Tw-$}{hXNO}-EVXF>Pv;VSu%umRdk1td@a0-6NmM@|R*K7~*)hJx0 zG+GkAt=@K(PTq5C`q28t`O9p~GwF}Zo~`Zsn)c_C++N_##bS=z z_~zBRMBBP(Y)<>*-qBuErYWE6+)O4x_lG|~-Di+~*6S2t!sl_iE)^K=nVO}$dE{SR zW7)mTYxP8^IpzLdjG&g?z373m?Q}{_WWBrPf^#HxZL0|QsEgG2oV}w3UeTWw0J=Ok zh<;V^*>b-RQCh#}^s3vuLY(aC25;Zo)&q2`?l^BtHwImad^E0xHC46TXZSVYJpI&s znle2Xd5%+BISq%^WL^fUXWlxU=Zrn?rnhx`Z~qarwh8_T*jmbBwcIr3@7V-6MK{++ z^Iv7(oanlwZ#7(P#a`p^-&{f62+&@5IXlecs`Xvv*)(y0%%2i050Z7&%XjOh|u|fG;ycehfi;P$a8Ek0weX*4(k@nMw`6@KY z3Jlb#^=vrHor5*&bd-gP{zvh+5s#GFQ^a~U?tL=QWotI<-iZc( z*s>KXlSWPOihVL_<9Z4qtz%5s7%wYS&}L;s+x;tKXqsTk?Ml^b@BGT-DA4T{jksv^ zDA;M`CLCNirJ>vr?=!c=#XEyV8Azzf;zz$X$W?@+3Tzhr%@2#KCG-0ZJxVh0;8{O} zi3l4r+8#ev_&K*4fv?%@*`teDiJn~0&!nF0+*Omz9Vie`4M&JV@+(d;QD3FG5iGYd z6Kyjdlx5S3D#w0mwkrAtDMP>!iNb5hSk@9*Fix~W?0L~*KIDzvtx)Pm34lJ+PTOHK<^O~&UX-gfo#wU@10Z4(5Y?jeb*(@~D8FOUpYT z*A~={3roQP@@5WN=E|vUnAdLpc z!swLh%bH)hFFH14D%?<1tLvTlB=YFz1KHo}Dq78|6)}=LfwVaYdRxD|UyENpY)YLp zAi$36>DH!Fwc=Z04K79ckUYVnbrAAL7=n83{(x0h`G`U%6Wx7wL=NFfrIUHqJeL>U zAgNkG87Cg3F*BqhW*c#7l0>&WUMxO2A0dLXPWl>ZA$vcQ)$gdBL3=G~PIj4TvBW0z z6icm&AcaEdep@&{(Umo=9m+{6fPq;)Hhaaila7PL_t80vizl-`23>VJ$O#M@7V_ZH zKZwN!Cm{k1HIxbGq%7ux9-IiHamp3wo7!q}DV!wh)ydDXWoXfSvVM){aDaS zVR7)+qj(?=bVeuneU#AbQBjQq!NX&At3gz)?BI{~7Wfa=Y84zVVX{S2LIG;4TAXWY zj3pd8w@G~Ixnb@*BnttzsluAmT?1enM0%@!6Zrx21;QoQS`S>GiKk4-zAG;8EXCV? zj2rifL_dr;AQ$s$Vp;76=;eo*3eLyD6YQ;_9twEZiwLG5;G@eDC66tFG?tcaI(WLP zj9CH=Sg++M%`gj`QY4n%3{#L^p_K-h_$0`A>{f%2N>-h4AI(FoMz)caSsyp*km2c! 
zHhiGiJIlLRYa9wqI%5zd)|X)W&k!5f3;D4eT@IDm8%sLK=V0o1S7n_VwZ`+ZKgH!~ zVY3Pf%nNdI&hI$+*cLc7lcX6W&*9*!aM7E&zQ0syD3W*1qKJQ^_;4tw91JJJNM4TL zpvmW7d=Mb7dTzi+M(ZA*yM-&kVUjh-GQ&ZnT#Xks;9O8N&cX!iy2A2E8C!L0lpk-Q zrQfFC&-qDd6nGjlL2tV7>)mQXS=712c;@0Y9jp+CDdWEbUJ`_8=YH;4AkUOf|SUV1S2?osz< zc5bB1PHQ6pUjLncI&Jj4gY*yF?}p{794@TitpT`Qu4hX3Io%esudP+m^!95i+eDr+ zy2&af(8ERdQ>7;1hNok=kPB>>NVBu-ACIHls;!TCq3bKZD$m7gfaW`vQ+#2hyFFg9Y~5m|_QCQNty8v=;7S zm(l#13}|}~OPtmG)vk1m7~yRNiWTkEw!F=@X(RVN$1G$AeY_8~tQF4qchUo26nV%t zR(pJb=jUj%JGQ8`Tetm#u~q**y+D~kA~=pS7Cc$#1U}v1RUI9_o(~c^o>trqyAx$= zRscTEwVlU1_2*ScwfsJtflrnxk&JGeALg$Js>ntem9w#<|OmaVIJflKiED zRJ3?{5vQmXOjh9`i4>1sIJdCqYPdpu*6z+OWXre*irV<9jZK?%u&uHJK!dSnc!|Vo z7s{}0COXlQ&h4M*l4E%$5np!8Xs=>OSdICg_W4K~3@MV|e;xdjOxQ8F2a<3yzfcS} z-J=5R#9XkJJlDex{zT)AMoSj*hlu@w=%XM=N2}(PEZ#uXiouOZtQQfxFyLLMO1k5# zIj5K~E9Fon(5{wQjkcyPwp=X6HAdy4MtP7VFUVzV7Nto_249r7E zH^}N=7l_oWtoDg0kKGc4vz&ufD>!MuS^0)`d{}!7XksIY$hM)kHaDrvhOJ~;#o<(` z{2n?+e8z$0#o5Jq>dw7z8^~M?$4~G*Kf^(p8}`oHZyEy+Dy6lUj3(Y&-FZRr&lMT> zsq&oFkJ4*W)aa=Wn_;Y~!}s>XGJFck{<4clyH=S%0^-2Iwg_`$E=(G%$_j^6`(hIj zGEE^;K^g+|koo!{Geq?w7&>LzuSlzkWtA1&h{C1c;3L?To-(#;OQR-zAu;TF2@Z_W zPS`V7ea;xTzsl-K#ixEJDRv30MSDRP3vN*{7fNsH)}dR=m%IO=pC*4$F1C~z3*xOq z6P(QFF<@=dh!Q}_h{6!7LN75U4G^nJdQOBiIjQcN1y`<|%5+wiG-f83gR<)549a@t z{uHA8u_c5!0ZK3k7&0#N--W55qDwlL zl&m5K=Z3FK5p-G8%7xdj;v0wqCna_g5r!U+|AB2bRj)r-pJ=1d&qgNJ4(7*$VQif5 z)ia=MC2ICB13Ka4G1^5fK?p;lrOZr=5?fn^cDWw1RH&ZGgt}2nAXspC?9ET5*>O2w zxy-~$NEQCMAks4O0)DIftD>)gtMT05*FeK3K$D4BxKk|+x~BuP96qe zECCF+r=PiOataAQ(Are~;BxfO8AqK+C6|5d0UV4jD!ts^^1SR0iD%W_oo zBcr=|u)|AZzQ-@!g)ZLH#bSV~Ud2%7=d0V`jlpZV691ej%W2_;qohxBKv#XyKnOL& zrDd%*)aR5%7Ou>}UBc<)pD1nW*($RzQan5&A#Q?EB=%qtm2lWNrBx)~Enn0wN**Xz zEs&QS|qlW#e%jOGVAbPiaWNApnMa0CyAWr(Dm(@t8>H0uoO z0q_4eZq12_L%b=0rX`=V9B8?>xyC6tSFclFh-(g+3mrr}^#PKg{LALvwb$4$S|P_^4k-F{x>%V}Jz8+-SU=;>1jrN@5YQO%w9Px zG1u2Uwvp3P?LDsZ+CAUyJ~*`3d1!prhsjjraXyz#XXh=c8~Jr#yEZE2!4j~oa1?{L z#iI3oMHGe1WfB>h;`5QGt0bl6xK7^dcHe&f>vJABd8zub-61x^jl8Qj=~=%r8-Rkv 
zPTecr^Vvu6a2hF#l?e00s$;p*)w7eYCAjk(DbogcCRPaq=26C8^4A0Prs-F8-pe)& zMh0gIIo`{g8QtH1yxY3&X18Mhg%hKDT2!~pX7Vw6M^AZ^aoAbCB^vxtI8)s#hpBbz za=$3vP(A-Dmi)Xk;h6+}H98^-gQn-|Uf z2kutL-A70q*L(u5X}()4bE!n2+(VGye}<0z?*ICHA@VI_s358VxC> zdGjdvGJE_4n*Rz~HXIFD_WSX$uxIG=m3N|!4bmTt2t^cNC1^$~;`UzrrgT!_0w|L> zQvG4e1jJ7~=uqAfLZm-{(lhxRcs2H0Kjc0^d8Br}%`&tsF3%hf&u^WZsVIXKUO%c| zocS)T^ml%tft7gcWuM%8&K3qY`JaCsJHN;KE@hiHXjDimIH)?R$Oa>j5O3@~(cIG! zBR#FN%uT3#6eID=wk2c8k!|cCG%gD(()v$}im2rC9$|3LQH>P#tlSm9rQw?=imC@> z*pw*1HbDvBe7^&1L2Lv6w%gT$xzE*kKPfmm?A zx!RZsel+lg!)lGYtFjKSpj(v43nyg!dqLij4KQku!?LfUu>8|&)n`YvAdPi&@KXT7 zyoC7pt-Q|w0c&f9^y`HG^?$qC-kSC&&LHrkx9CsRQQR;N=#}t&R#1im^pG2T1|lsp z^!&~fNDPUa&Vs=PU9s-4SBF>P5v&MJTjDeyr%A8+t+0TIY8^KDO9w?yrs2kNY>`7< z8fvvbvzqZ+P;w+<=R`q|0m-vH=MU9NGu;}3kiV0r>~D#QZ?ew`+Ok+v30sw=ZGHQq zZHE;`2!$En)Xv}qQ;DEV$RqOk0sr!OSOs%6C36{F#zaN64S3W{-=rOY*S@Qg*u2~Dx-*8Pe+L@F(c zt8$<=EsAqQ!G;)7G>B_aXo?vOkhXYd`*RX)p3e__WM>Mf1l6K41Y0-SYVWK&6{SlI zs)EAH{RQEn!0H?({+Jn?(E#4Q_FA0T4-$|)|6^`|h(+!-;2}T*F3%$HS-3j; zV?EX;PvqO+zOuS>F^gh_S_RvJU|fml&q%5xiJ#!CRkrtODndBW^eV6cIOH4pgM)Y^ z>WlbofqH(`$eBlIjL;r9XAk)u>%~hh)D;>SHOGBU)!_FB7>bt9#am_BmyYUcf44JK z&WtOx)Ubq!ndhb2SH4xc6RtDlDF#P1n+P`9W1pW#=#}5dyKXA~8ckNDH|!H}!zNom zDl&P6)vCt+w#_oiPBHTg5qu=PFodaL)ES*WN9N%^_Jm!ZqsKfP5SAgb_X@d-EzFf^ z-WQx-T>L;He<`Tki#l0gMkPCFF%QHt`3K*;WCrQXw0fOVU{g~P!mR&9U4nKZ!lfLZgUT#Jh?^&bNj zhxi}!(KAE|j0_(AlKP&sJub)h^GAirE~w|BA7W=?fhZ)p79Y0)f*aP0y;aQvGvmg) z8-E*$S>@;&-ZgyVTE6d49Y<(p+uzeV7Br7Z1=&p#FsSkDv{UkUzQA1aT;FXMQg+%C`LijRBt-KL2pJzBjA&dY?vn=F~UaoxBVa5v+E)XdXoM zS~YBRk^kB`{W>xC^a2Rp*Qqym?6*6rV*_`$*q+CWk-Ixu$0nMURK1ydl|Kt;`9I!= zHwi|sUv61qw|l1*<*c3N>WQv;jIQchujF^eYJ7KUPGqF2JB~CsW|JElcY)(3GrJ60 zJ}ey?pk!e_??v}J!`jc23`!fZh18FDjoMEy%gIhgPkSKiwN97O?DjD}$@@bFhD+b4 zTx=ms!M?ep=`@!Y=*_YcaG$uD!QtEW$Ua!m`m;!h${_ly|0m$L> zADS0ax8E0A)tK_}S{ukA9d-#PcORyAtJ?#Ly=e#fa_@40P|aB|%%KmeMLB^UUz={d z{HKytJ2}5NGBhxY`;3`;?r4BFjVN7OBmm~2tP=ND?`@#n-u_LK9vX<+kFtka>Q?N- zY|Eq(I>SS44DQd%-M7qu%;s6gK{q5cEt`@Su7%ub!aKJ`tQL@G)HiTyk@Se*{Ija5 
zG7v6IB!gt|vS%*j_UEz#o*zp98NdAYPnzcBgt!M<{dQvvQVrbDxYe1Hahu(5n~MNm zRR=Vh)dUJVd20kaXzFaR@-^cB1VZLf*^BNhLI&r zx^yRo4+DXHK{5?z5Ax(yL-ue!d{$VBR12qyEVvCd^SUVU=O z-)8xdt7sKNSUQmY`5&V9j_(V6)Bi*CA}oVO_soi7MFV4?>)7aTjkV7DhwReI9y$kE z^!N3{Ql?Gn|HjfHCf|4l5&vP?JTGHPm5320m;b$zF$CO)Jdw9fgodcziWbxzuMZIo zH?mq`fn%$b_Ta)_wxq* zJA9~Bf)iEocxix+8XSxe3u+!gk;Vl2e39W8;h>02S8AO+6!u?Y+Czk`Vt@yHaf{fdRl8CV0uLz}~*xc>#uPys4hd0TVuz<);1 zUZ7{x7vRwT?*Kvh`~5lVJOOZWI)bh+mCq)0ELOYPj-4O-^%(Ci=zF_#mbG{)2Bd!+fp%I#$RS<80;mxoZD_e9`dlIb1*@bq>| zne&!8;6mG5w@rl1K;U?_zFiE^p?`f6Ilkb0AFp1(gXq)}u5yTM09NrGtEnD7r#U{& zq+0ik=uL9u{`r{a3Z3P$t4Bx3UhL;+jps$Pri!Y^>3p#%5=WO4f*I-K*i9(P zG*1|pabT({ui;b71(@ee>FsJ)%j2v|MY6rmHwmWqQN!s~4;r@UN zpwoWIa87lb;VC8H^s;fe4L?7E*yZ<5)a6%sy?uN&EJhJl0bE~XyYgACqYyqY#LMj- z{3EF8Nzr_5RwLro{PVZVIF;Mt>8)`Uc)J-a6Hn?ezIQ*{2T7uW7lk$TE5lsh}qk{s^0rPli7>g^VGTNvv#veP5DccwdacP zJmmoMp}w`2>t9HrO?$QH26?vC%*v3d4+-uKgUN6x+h|nMliVW57}2udipgG1mw7{cls8 ziTj^%cg`{wYMrAyegn}xNPC_qzi;^k+|tfY@^Y<6*b*fK;Gt4>l~^W$F}V<1O$4iN z?Bqefh`jOhoP1rvqscUcoeCFE4hk;=jJc{DAG zNxP|9STHT;XcMQHsMBQ7XaZF-XkK0Nix!+kBSMCe`=h&!aF2uY(`D62SLxWm7=OI| zCtSe_^3uq-JU*eHCPh!bn-`MQ5*$;>ihQ5_>?dx^Azdsvr7&PKaAA;X9f9>%-aPb3 zC~vkhWeDDonKjGOxWcTd6Qx3Vs}{;Q8~5dxH<^cDAuwqpD0@xVlSH_MRXWuyPhJY) zi{ef5Se`wU=CGm_RidO=X;ZFVcc#II&xo^NqqW+p{2pCmXyna?0*}q2*d|(-Q`_gA zPy~h=W4;~r+7tB#A>-WOwky&h&lO&YKVuA4Mfk(RQ1;wjn(_46Ec!@Hv0!j$X>1;~ z9CELONE#P46xkR9pF>nsVu{kbt2%%#s0lLS9BMG)uK}}MNnDD>FFcdDne-IQXDMEi zl5Yi~D*b7MAt^spDg|`Q6;{MAiq=hfV~gC9kGCXv)Fq;1EEM|@SFevPD~b(-8kVz! 
z(Xs3-;bdFT@=s8bG+NcsrZRFbC4;eaEZkHAVjXo(ehbm2qKW^oZjQ7F#yn%*F4ksu zf`Qz-Z>U`c*6GqH8H?XQ!%9C~%&*?&P6c>|987&}zU`s|2Va}-l5fvV&c5r4FP2Tm zYbl6M8btIRYm*5V>DycBcQzMe~A_@o}ps#8%| zy!x~hl5>@6<`{d7-C!3)oI=M!NyRcEj;0 z6r-89lM{jk$PVvRwx9WSsER3XsisZfp#+`JyxGV(UbJ}TA)0f3ASo#>u%fvj$5Eje zmLuwGUd;6caN2~HRZ4UuNd^TB0J~hF)RHswj@epcjFI!V$G2&p;+3K3(0f z;>-Rj8p+|M;aWzdO>L4$E%M}BaT!%bCC6+~vkJ2=UOs|ZlrRt+FPM!lV#PIi|6QMV zgbuIylg6&R_BVY6vMLQ-xbeKdc97D1+zqp1$@Og1{S@c_jt@p;$f2<7BGA+l=vDM@ zwKNzZ+|I<*{3olI!q&f`X}i9gCs0 zy?L)>dGJrPRu9pp6(q1oO)vCA~wNOF10ytA7Y`p4l{#9Wvds{Ha)U>D@25v# z>NVGO@QAr9pTBlnTf;WayB7gS-6)$9rROtry`O!~rPC25dwj>`FPv|S!`XsoY|Cr< z>mgQc(UbSvO)CP5?dMI&YVBt#sLi{3*k!avMDM=-*Z6w&*t z!~Gdi&5PJgnDJc?fchqX{UUVjmE+A0&nIEWJ=gul z=8ETWwwjLie&KRz%PN0S%L0iS^0lsDnwWOiEwda$=jlGJP20Yd|xNGtR^7;?STPoroyz>Kt^6lzv)`=hkDp=B`152gnq%!e}~4LxUXI~AlZ<$gUY+M+Il zQ;!@iE?ZHuh+FT6LyVl@qWINbLG$HSQp53(Nf*`-JS_YsR7B7{s(i;CnkrRIY~FWM z23x_h{BZ6)t<2pnSaZnDFUQ^S`^zLLM{J2)=<1-uj(GRG{W@KQ4IMe1xx@nKWRSF{ z1T5Qpnlzx)l+U6%dZ4KWSEf19=UEzsKo7{PNox9XtV;d@<589B=3g7ah1864;(+%g zr9B$tUQkS4z%GO_%s3CKsdcYYwoQ5LnTKg~h+19RVp53urZ!9Sm39d2HWXcHRe*BT zbK?IMiUp!vYVkF?#962O4iw*p_IADw-cE z7XE`a89*Zx98%b{A2pm(Xh6h5=>uSAJ`f&LGF-EsvujNj``$~*4pv`EynHdY^x&je zCPkL+jE_;+#nM#Qn=d%~S5%qo6U+$do+h&~yfD88z*Fn`sA z@*v)+PHe3cD)%z!zbY|j4+#0xCgT-pu(U!YwhGESH};ZE+C9lQp?;z!FVb;$^1>_z z^3{vo5o;|08oy#!*2wbNlYClI5GCQl7ld2n8lAQojSMkV5eMaI(7sDq%*1ry6wLii z|1R7{qeH<~U;WEc_IHAH363iQ(1g4=Tvc>WQCz!aLtN#;nT!Q%m`t9URAk#4St=a5 zS}gphic{nEif?-v5dLvDO*G9Uk@fSw9HjU4t5PpJ{ReuBZTm{s4vMFjSyW0>l+atN zZr&;)g>nm5<%GUYty1MkCOQ;DJ&j^zQXh~~gfmYbH2CU9PZWg4--F_dU@nhq;i1yg zL`Rf#G-6Gqg2Sw~T4kj&CRxKp*E>uUD=F!G0#FO+{gfrp9Sdm{^F!rMgS7yVqybMPtYl zaJFMjNMkgjoyM=0H@N8#J!lP)SQgt)n0rohE~4H#aI2%;<19OotE!ITEL=A56|;a@ zEuEo8E2~lmqSI5+2o|8Y49=a$B&sVTq0|4=?&~%Qj(rt(*k{p-WeN2E!R5ACR%{1X zXV=bNq$%GG|0%cP+c>rl4w66v83S8c665_06l}^>z|L-Bb};c&X_=y!=Bp_-bGEJ) zRXGefSnaEMTIe;X@RF?zuvw*D^?6C9(@tWNRT5B5;4IZl}elW-6lpsogy<8YPH&YNn!~ ziea~!K}t7M#(Hn|N}!fL*4nXA{B?C2-t-$xnvWL#K!Bd>`(n~QiTy_QOde+YX}eAm 
zE~gP+X3ZEBM)JEn7`>d>Z>#8cPQteRxV<7eVps9b>9=LCkcCL#K-o<2ALs8>B8`QO z8*U3k#&7tvNsjg#49Jt~9wk%Bp+f3bCCxvr@V;plDUhD_ElNuc#mKIGsRm4{Oh-Ka zcTjwifB!D^pCj|X`~T5V&1e?;jD1~{nIKU)fANv_NCR6Rdf!kGePBLdM1SLF%nc3DmSHIe%siYe#)39L-nI78{31^ToCf2;#H z=ox%I9wUi#f4(m<5^WrI(dJ35@V@~YS&zG%{w+6;#(E~r+j5d^zD(yk>iBc`x||+8 zX=>;IJAS0}etUf#IlQfYWIU&YPbIM2X&qx+qqUt+<^4Boh(68d%+ZK+6Yw+p+X<+hRrWApotr$G$V}9{k56f0|PeIb8YAdu2&Pw&g}nRVg0=v}#0<8}JY_2(7H=hHybJ(Z=T_)O%oz-0+? zIJCPEvGu{`b+^@Tj-AWP?~$k(_ucp{>PKb^;+E0od5f+(y|9>h%n4UICoNEZYL_ zt>?l+`E~wyXX{q&ZkC*YoLhN*c)t55`x)A3JszQ$)_zVpGxlmu=lae@05p#;C$Bk( z#uy!^cC))<+)h88uV1j!AIIhsyL}uS&cu4(()etm@zj8BwY0Jxdw1u#UZ)?GX)ss1 z6!#C@liOY!lVO|uj#u%;y(=4$rJ%MWQ9SS0Tad&j2zkXfvmEpqJ*0L^#8HRz@uhGP zoYE823V@n~?(G73>41nL-#%YaSowtS6H$s7y?`8^`X6FYSvMz({=B+}C^_Qcf`Snh zX<~bD6U5fkx8?laX~On!;^Y9HVWCK{qA{*IEs&LCjTOcclWsJZPF4suVlsyviG$~- zPx0pQr7$g`=;1L7r5+@_Q;ef8JVHEggQw*}ER7AJAD!I{NX08J>ObN^?>vr@L7Dlb zq%}JJO+5B8jyq#0ZmKOs9BI&{IimGkAwOKeNP;fD5TDVp(4bfVq3Qs3ak2MEc1pS= z_xjhJ8*ZLva)QRec-N{-pa?kKO5w$W%uH*gF^<(+Hll*{(FhO=N>T_}jVHYb12NEn z#!#;IYy=Ynd-;qy+AN`g;@PS;DXoa44o@G6fAJJ2&x#DZ2CGx3B>RxFf|B?soVt)) zYPr25?S`A|`?#poeN=&VDtI7z9Mj~Rw``#MVvuwol~B)mC~CwQq8nAFXrlALgb5k; z{s=tJ*`bDCS}FUwC}$5V+uv^!KSi4T*NZ`?Z?@S<$MdW}-=5k3s+Udm-#~T|^JfBZ zzeth6)S{t+FJZ>5h{U+7c*|~d5D&cA$CAj43&RFIS`sT#EmgHlpjg>+FdUK7>mjN& z?fZMay$FV$rbxF&L7!$ADjo<7;*@xpHwb&^aFP{8C``HvP~bc>r^cPqB;!+JuB5*B z8)0rD?#-b)a4LE$GNze{zl2vAC~y^IJDo3@mW~?ih&jVxI#X2jXQOSzidFAF7~>fk z_rVVH_O(#;tKE|HjT z8cWS*BZd#IOD!Aql6cLn0zEN)-UF0DGFO7^(xId&BW5tn8CD`T&^Bm&!?+iJ#}zSP z3_2}&xJY(|&megiXk`ix_l|s4D#C0noe0M(oC(_duBw%_5@?r(M>U=5O>xta{CX&;Hl|h(((B?(baB-2j_V_QmeM6KHzvU2f z387ro?u>_09q>a=nXu@sua$`OU{d1Irx>~+vH zcGr8hnlWR`<5$ZhJY_bp)zruCv;!r3cGbtSYZV5Humdi8swA=Iz%%SJ^&x!6wde+|M5dBQCX*4zSc0Kf*t~rlwvBLR$ zaJtE!PtoXoc1L^=IvU8e2F|Ice%`jm)}?N@qt(lq+#ib)Db;GXKd-0(B>@M1k-9qd z9`wxeuFMgmJuIz~+HSiv!uzwAQZ+lU0F#6FUurX2&)pby*GeOklnfkgjzrF%D7K*L zDANK%liJ>#N8A{qO+CVmXOR35F&aXsp!p+rRzM!px{zuzP 
zJ|7Qz@8%EdP(bs`huX5p^SaTX%rgzWiFW;ThU+DVDIDuSJSv*PPbCticc*My335o}Oxs7IhuK|0e zKp0_@I}isdXgk2AA&)qk^0O4GTDJ;0EX&l}A2hc+4pl90uII(uZP3gn9+nJ+)UL^E z?AsAW>+28dTO|E`{tzH%uhx+NJrUiXK?bs{chB<#(3=`Pqy=D8VVW2sdmmR|rzujZ z{?;`Wx-R!SEPotqyG$eys$t=bi$KR@fbKQcm-g%0*ZO@YX&;{x$TKl-+%N)9>k*bx-k{qEfAlO~ z*E#BqCMy~3JuS{nU+n*}_b;nxtSg>nDbZfl4E{N`^yNDckWajH{UNo61JwJgkjiAg z*D-r)_g4w8(RXa93erMZftd1*u&Y+E!gzag$_N_oqN@jl$2nw{Kr~cbuGQ;)Y{qBd zp9myDkqi4}g+u)6G(%1%Y3O{V)-o7+87)iby6i79QgV2^7)1tjuj4qykdI9CmV53YC#xtb>YfDx|18jP_(#2Me`=N!ye}z$T z!yni#@469f5bRQjr>nA2Zxu&QOY=lEVaB*I6cZDSQY}U3TB3OkQZXAw4pe&xSz53V zxH|Qf!Ui5DhxdtV5n+Zs`XBn6QmMJ3;J<4#aVUCV*T@ZpjA5#Lzcf!8S*0pE4i6g+ zX$U@0uk4RR8n0DKB+;Q=D9bWwlxDI>`%RLe!xpW-ed{EMnYOjdK?F*vyR-6_VE7_P zjxV7Y-rk=E9?sdmNtC%%4Pzw13-5@hY-HzAR8}iz5*0}QQW1Z5_?03pasE9q+*}15 zNjZd%o+IEC+(w^f4`TuLAU?Vzwme~;@pOyLk(isyvadM@2rn35{Zr6eq{F*INvklUHDaLD|F< zR9rxUw{@^)gvqztgpQCAk#b(w5lQ-c6&5LV2dfSKuKy!s74-#WUqy)3+tj4@#?~`X zk_GsGs5-~@I^!?v2aOswYV0OyY&&V}G`4N?#A(vlwr!)aZQC}_Ig^>|_sm?+oBiVc z2ll)o2H$Q7H%+tv1J0k&3q;BV$v}- z=4ASVp~nMRrN?cm5Y1uIPf{)C8EI7UrkiMjl4F|r1ZX;?fb`7npGAy)bQ>`b zqdf=>qdjt$X5|GiESzU_boY>;UQd>J>nS9a%n5ovZj3;(&^X-SeKhEbM06!xy6Cfc zsi*CI_L~^UjD4R#_ygH(cBTTBbfkyk)1u!|NB#K+7CxjBLOawE37Z0Q_+jFSkcH*r zCopWhidv-7q;3hs8Lh0kMVPVYsEz)2nW;1s%#A!(q%djm>`4iCRdn$`pt{++BFFj) zgn~#GPjPQ4{`KPvGFG$%tJ-yd7)bGI(cQFl`;~y4RYpV zp!&cdn*Lp+-%ix8Y?J!2uCDqhY@rq@L*5*34>7q4W2vyJm<*Z4Dos8BUqxO-AsVvw zRLU0Mb!`g$XYh_Mj0VzLSd)F6;*h00AE>iMERk0&Tx7U#5{dZAVDj&jsbba@?F@n@ z;|gvS<(jpL0Zu;FiwN?PP3C0`E#I+coj&6%@_OQB>i-7#+<5oubxs2uH2pHY%+jp` zc5VSDd`}5{BhDPc=6LEI0fXO&q4e<10o0N52Jj)q`gNe=;KwIjcQC)(>RrC5{EN?0 zh(ylACT$IG_8HOJuHQuyf!|FfqI%fJ;wap@!e{XpE9^%Pe&zibH+~KeXXkm)YY*rW zpYfs-1k>~!!+jT!am|+KTz_xh1JkxMk8x$G$GqUSZdjnI4o>h0Xt2D0OL*qGubtMj zBC7S?i7^?QA<$2QINDwkhAw}yJaw zw0-9lFsG`%;*{Wi%4xjIYh`Ts>g`U!ZtJ!`taJlq*;3?Y%bW$ z1hI{OPPkZe(CvB;WZL%+?K0hf;3m8qYl>O=f zgNeW?-5|k%iC265@fVs$!2*P=hi=DDNa$%!xTQcuMF?B{pGQG>5^%-+c6Z#PAVO2_ 
zFT@Nb+3m2wN-%TUU>UfM^yf)}$X_zt$^Ef@4#nUs0^9lW5bb^h#=@^|o0iBHOV@-hvZFLwUw&%vB0EPT46$Z(-k^yP0YP2sf9wn23WAz*QBCK1b zhOnN(dfa5AaGf3n5_2jJ^V8^qruag&$|J9E zno^1+5naWhNxGmAWx6;Eo*$f5zen8=br&TgovR>ok;;1G7r`cdZX)A1lZB+{kx|m{ zm+)>OR&Ie#aTVg5zhTeG#c4K|#;}Tbh$Q!+7+RRBiQ&n5hlQ-XE+xHn5`Qbun5`A* zu}XQHl+#EB{?6MhrEb6Sh?SYu96^(AP0T!4gRGXDms_EajQvW|-k&J59=eSux7Ot| zjrAver^7XXI>sx=uZ|EUC=?aJ2o3(Q6Z)qQk(nn2-5 zvOVcIW?kCR7#8ySnV*NRU+7h3!^XuZ31|~+GSNmaOy0_U6&l5a2yy5s==#Z6OO@Ei z3R%5$C}@9n4jp`%N}@xJ&+@l=tnl$mox-)$D;=Ac%q0mxtAIuma#8*VuYusuoftoB zl47c@_v5W+6HK*(C+%sba0^%j7Z%v-0jG`VIl-nvf1N?vOHXYC+h=gq&|If#A;krD z#V2(?_-mfz8C#G5^HF!Y*#k>sB#I>)e+!n7=OO#ZBgX}LAy3$&< zM`QfQ;lPQBa+D8_HbkVmG|wlF1*dqFlg6E)(0K~7CH2s#x!zFZL`_e~-{XpdlWMjSNwCYB(b1MhVg zt^H+hKhNXl0QkVRb#LGi*d(ERO7;_6wnzOL!yJo~Nlf?RG?hF<3mT;4#6_+*lT75wsB#ZC zQYH_Gqc0YZFF3MV<-qwopW{^Irs^;tUd19yWtbL}kuB%&i}M7rOS*|pUdNoweIYTw znP=p z90}4;FI>OI4ZAGAowCulwjv*9aw+xNaxK@d2eRu{G!jT3VMUrWB_6%R?_20}(c!~TBVjT|DBhsB(9>yn!7*zjcp!mJ``X^VDX;;A||4irAYpS zmA!sEe=gSxLB^=z_m5*BoE!~8k!TF_^ zR&M16~lH>=0Cx$iaSEwHLh#{X16ky6%^o67Au19232QvGFW^ zF}fT#kU4#obPo%DEDeTT)jrJ=OTuNkZM;I0c+Z2> z>%+h%OIpC;4D|!`k41LcEbuM!+;MLiZ&uf{d(ZO>-$~Uc>3KJZ`&b|J_dIeP#naHi z6SPCM4Md^E3-?s8duiQl1r9&+)eSjv9$$a-UJes!Zzr!t*+$jW)@bls!2Q(hl za+6Z}zEWJ@e5SrwFU8#YF49r62+d9PvvN|b852%yFWCfzb=UMdh?Y`GpK4+0ASH;= zu5{s_P}8oeJjC+bQD0W&pU2#?zU$(MY1uVF{KcRO@6+|3Q=xTghof$?sxK`w(V&m4 zB+)H1HIXAV6~x1wD^!m#$eRx;_=Itz)7L0Z;sJg9E4VAB8Vk5Kmm%0CVumM$6c+SD4v zDi*Xi*1-=LjgUNwFNoB=5H1fwS0X$PrU-JCuqFNrk6@!jG+07V5aBI^W#TMzB=`Ye zj>uszzO`blU4(6Jc1MjAmKD6=%GxUOp2TH8Yud49NqI;!@WVFa(IbV;I<9O9;z$31 zB_N(teDWU^>}j~(-KLp6l(&&A_5wpSYFTTdBuc+sjDxWzVXbA^9E-Kz7bk;!M3QhD zWVN%P@Z|DPJ2>Qi@%H7yS4edhX3Fq9+%j>J1+I}O#Q6^adQ4?%o8>%5qYXn95BLW- zX~?L0tH?y9oaP}(GIp~3pcY$B({Q8qLQrf{z!8z|mBs3t4jV?sj3 zdC?Sng^1y9damuOMA|pvgRqhznk*%V1{UVLY9|Z9(gpd*o)Sp+`xM*54JZryq+xIm zP}{gxdFSJX&L%Te%2avDv3v0^3U{ATB5)X52AXj@-#qvj|3dI@)5b>%m~QFSUOwcU zEx0f~K7i;Hxud_G!%Fy&VRpGZ^)$_bKmbO=_Tl 
zuUj;>i7)o>s|#TalTp0M3lCrUW1@~qz13#;A-M@NY6O>HbVIF@x+gbVuMV$jMWMDv z-K=ot*b3~6V;AzEZB7Y|Wn2lBaNe5x98Gv(7!siqk%lqPYHq;$VD8>(oI8X5QE9z4SSk~P1#OX%x9TlUf)}^7_VJjuE_KMn} z9~*YQ$SuCwmAn(?%7)wf%$+JuUI+_H zl(v4dEDn_9PY?*|H&(3d%FK<|7+DAxl)E;ek2lqFPn3%+N{k%6c1cFOiEB|m8~SpC zN>xL~I~lN9)!-Z`n{q4KJ^K>Y{TfvNTHsymE@l^gHH^KK@X=v>F3aDxO{S|She5~W zfUBLKwWxxDllpdpF50R(?3E_JN&C=hMpLr%caW#RQ;D7QMs|a4MD^Dlk_?TI9YO(m z&{J-f+{z!_DyjjR-2O`a$!|-w_=$W2NAE?Le<%$%uLeBeCig{{gF+t#V69{pT5N~> z&5$hqcbwq!VqZ1VCxKY+U$1LSeMSLlprsn{!b0>nBB4i6L zWC@>pnPJ_cU=ys|{aARs4V~jz97#}IPZJ$7EOW{~cg&Sb3-@Z@$r z>FRZAxbo=Cs3dT=dH1F@eF8sp(LMu|WWbL>3E67ZjoWQ^3mMlQR#V@W32H%sW6kS) z4pW*ji-4wmm?_qc_SXUqU*rA96yNK>ZFax9ex5?lOU=`5)FZ!`F1PJ`_%bLUIr5B&5Bw?cd&Bb;grrW09Sib9G2jBFL7qEFc5wuiG zWKD!G=zMRR20gvG_v`6OANaOFrO(Urtd!@reH$c$3Ou)!*%RFUY-kO9^#<=w3%)#- z33h?Ha|Ca{L8GRpboQv%9^0c&IN$5bzk=k zeqJJ|G5E41oskQd2Xk-o$)9TnUfXN zxTNo#)9?fwCwKx`G)4CT{N|FUb=&$w&dnsQ1ps?XBW`VYrdu8RLE-UR5X!G+()0g|O@5t1$B76~TaZ(jl)N=Fl^ zx6jNG(Sz89`kBf`#2P=SXQk=|wqQuZiNuXCi+vRgmFblKAbAglBCYi*my@q+K95$x~$0J)x}dzSjCm^7ZyihjAmXQ!$TxLLah>O zuI5RZl5SDg@7E)uhKBnSQbx#1T;`_#PWs)35;NPLeeTw&RNkk~>+zE^)C*bYBJ#V3 zaBiSZTycfomlg@rg29LYWhGsxS?@Eq1-4o7cD#sE3C#dPpo6IoUmLc#<5F>TdDeyvD0l8U%_iBFQXX3Ks5 zMU-lm4V|Mtm&rM|Nf6co_f;Y>_3OENhbq~id+6`!p?W^-!tkp?En$(Ng##Vs+CiTA znqgE$XTGTA5|dtd(}7IP51s9^dHE0jzK4v^y3b^f&FV1|9<2D7^U-vqZuFsN zxlkd0frgQ1pYRXh6RcgwXvjJFrI$D{nAQtH#70uHVo~gzCWdEy^s6QcIi0+*(lNaZ z=XNAFz^e2ZCXaUc&S3F7b+2&&p1OAaTh2uv>&{RW0KP7;|=}roL=t2-;@uKb$hAxl=XeFDmWK~U1w)r@Wwm&fQ!h!d7i>R0^k%=1QyTo{@ zKVg)T6C??f3%4Z898C2{XnOXEWu`yd46jWZ9zOtzGo*x}1t2-v=OU217_` zTBEld)JC}tJ5ZA zzIk}HMnIgchgh4a7v+mOt_ZPVUidKT3CJf(lryq1RAe2Cq;!!8Wd7>q;-_(*d~Yyb zKsZph5Lxnt4RN5f(8?3mDw4Vqe_?X2_UicD3)71Amnf?N8?^X;#)F^{-G-%h`zOk? 
z1B}M{4$vQdsR!G<_Q9F|w=fn(OBIvyiu-^AQh|k&p}@V0f&acm`uCKB2|8DwRyvj^ zdw^k73@;C<-pgr`)19{CQ%8t?Z{rFrn@iqTJI*oP?JB%ZUBrYRRlq5|N7qfhgBJWs zhgn*{nNHn>BbADF4U5Ln&m9mbM_uEXmpAVm;8e=bH4Id`4XUIp*k3n~rSb&BN`TLmHd({`)DAD5&zWYL{E{JX( z;#T5|O=gR$9mM-9?zex=Q(K-G7k0L*64ktnV6(eTcj|G18x{3#hRCOlohy8E!rP3^ zX5HE|SnEp9hy5OzZI8+DoNK3D>}k3xM~KsuwVyZnTQgP;-=Pt3 zlQ5?ZOg99clwO8LCFocrJSs!AX$P|CdSoCzRsQ-eUtO)^YjMaz^{9CL3--;X;mAtj z`gMP*;d!S-pU*vOk1A-?X-2bU{S%fw@po9DeJ-81to9g*NaHv$iuata>8zpe!q=|t zNbDNU+^(&2j_>T`RdD;P(AKZ(9C!e^ywNoKZMo-x>NH-LSUUT~$a)HB-u+Qv{C8T< zIj#9{@w7wG>pHOtwd*~>)_uz)O;lj@Jrg;a=j`@=u}l4Zs=h}zZtHa!4j=%CAwC9l z9Hy^lKB#y+nloy9&x_MCJqK!Y>YGHY#?Y*bZf`wIIbUsf&Y!FEcgJxGY(2T{w(xXb z;2+by0m08NVB%_UZ_kAw1s?{uC;AraLqht;*Z%eZgdi)`fW$d2qNIMefmxl^L(MdmTjiJ zG=MFBlv3fb!nU|T;lzaqkx=n5v>(&v#-q82IoBA=;){W^=422>`y37vP^w{ONXw0| z{J`3gl^UV*1QWVQd8mt`(i?aEq;YJp{MyhMfX?I-Wft(~U$9h4Lvfn{FY&IVrQ|ak zaua2CqQ5MHlE!yA>%is0xhPph=kRi#fO=Q7%p*W4!n6OGzs(AeMHc%GA+$OuT0*FC zfXiXTJlG|F{70Rljb?Ulm~x=fs}?2PDnde@*P?2ACt+Vq@ZslgwjswtEamXn%0J;rZRBa zLz&AhzhLkva2-nHk!0tU7jYNoviPcg4_O>6BB_Yee4Z#y99F_o`D;zw#c9u0Jt zoh(~zqP4dvr=YZotOf0C>&)L+!-_mLyt*tyI??|?k#{lV04U;d(Pb; zlL`LWVc=rnyO9%?1WG&q+1ruC7q=obI#Wg$3*0NkWl}RZ_WG%h8)sRjT5jgi@*TFH zWhaJdx$0=%Oo1~(B;Maw_zFoRLsF9>LzKV>-GU&@L~i4*)NGoDRWrl>-Yi5>y6}h- zg59*KthcpD?aYWGLNQOjyb)Fs7e78)+aD1-P$dLP(7@}LHy84lQiny9Wt$mC2RdDa zuh7$969M~sto~6?i*Mwx{UXU&-j|K2O(Qr{&SLc!sDnB`rPh*Gep=dg#$!nZ52^fE z!4B|i=lsfQQ7ltJW0O8_}Nty0Hph5mC&rkI3ys9tQqz>)vKcNBjG zM+RD}PTgA4h&BD@bMwkz=L3!f=e~mq(&!onKna;lUvB_B1XnrJq4V`^5FBd-v1chC zCLs#mhF=!eh_X3&p^|KyZEJM{a`S1Al&?|?s!kOk5^%&;AYjI2Ve$TYh-v;|#{0b{ zFECMbka!7gr%p}VTx6jUmo3R(2J4)4^rvKz#zLdW2VLFy2YOt|xrqeg0*i!t{!#F> zWt-kIgsA|ei4byAhiGT~j%5vh^s89pS&>?vEM7iWvBXg7_*_>eOuuRcZqd$`1&I>^ zkmNg;W!Tx z8M_{i+&`LrXbc8Jb7P7WayACkC7xF3_tvp!?Se{nG|^79bUyQg6+;=g`>ISqAg_K! 
zp$Q_3jGAd8Trlo&nq&6=4e+Y5VM$2Q9AG33*i&QdvkG`xdwU@M?|mzQKCge0zX&z} z9|)d&YG1C1yoZNXgYcRY!7zoTcdm^EzDL)3U$aia#?2-{o%7!D9PWb{cOp-QhZR=d z>#XhTg?an(p2vmy|Ep|wqgLx?*S*yQ9Vqkr^~zZ1ZW`?rKJjY?9C6|TOT+ljVSaSmp5Cke zs^gEm?rGnO96nEj<#%FWriF=K_j7WF-pfvCRR^bS$M)Bj2X&t38>;UgukPb;Kzn}R zk^mwH;&LLz<+2jjYR~g7?EQGj#=~oi+V+9^{;PTC-9yb(9MK+S zM~}~4nte~^kREWp*PQOfrE9yVb?HZMXv3AyX<$+{|6PA13~Ej1Nh+1X>h4C)WAXq% zzKx{meUvk?dBZ^X^@G;?9PCr#S+VhcTMcLfZWJ8pGhO@d*%q{n4{y1jTNia*|H}5d zsOI%+>QUXL46#;-R9FKy^Mk#*CW-OZy*k?7;EVNg@0h5-KuU#Ga>WG#w*4pLf%OJW3n9~6C6X*j>0(}-<0}A zx^GelW#swWN+rQ2&MHY%n6BY69t&0GwBCq2G&n_x?o$cGN;?V5qozB0l_olDh$a<%0h3YvJr#m2uzntd5qGwJYhV=fCsob}_K@$#tJ zPV9mfun=E6hT>mQB^t>Ca>SB4uR}F|e{Q1?RUx_73x9}Wpm7qV9K(|@lGOSF zd)+d4q)+J67Cpo5VUu&qW#90`?16k%(pm|n7q8d0LppB1BNR8+k@r{l< zz$%Gd0nf??tL8vOh)ohFGG?iRj=yj(dxh#HaH|n2`^pTDKl=eAl++TLDb+;m?<7^E zkNE~Z@6TfTTnu_hXt%t+dY$G=Qsm4dHfSYQ&3<$lgLa)?7nH~7Mt`l$4!#+&piDpU zO^7)moaGj4P2 z>%nwWPWL^Z;JQqZpmGSE`a!X+T7!^Td^D|;q(b7N2%>0T-F1-*9m4}!?ZOT%DOo$& zRe}wa>6lH~pAixrGKr?OnTZ7g`Z1`$FOLl-#UjI)^ULHiB32fkSgjGsL>~5aNi%|` zxKU(uC!9i=Bw4~Qv~GG3!oEf=btI?``^;oza;Wt1@!#sdVDGu18;LiU_i6;)0RMFRs&XpbKq6zbaRN4r?F@|~2@4Hl{VZN|19(@^#eM@%0Y2>kDo(?bAI~`y z36SkdaAw#Xh)`)g?1*pfPYDx$!#O5@H`;~Uq8-N0$c#qtF+khY%qd%_=f8LHQAhk_ z;g|XuPyYHxomdSGLv>$An<92sk_;yj&bmyCS*1B$iG&7w!xn-M$B@Gat5p2k02R^7 ziKtc@+OP}MV-@LWTcu)6@qY7sK0;kp=%ob|6;q0%LBCb9Y)!l<%=FXQ2XI|uPtt>q$kid8MLc~R?uOm~x3 zN>M|jjX^Kcf?0AJ1__5=A>wkzAy!`hTn@QpsgV}*gsN!QgNY_*rjdXX|2saWiK%6G zWC}i&ZVnivHIxE0f1+okYruR#4WIiWHSc2d?E_994;U6I6+iT6K>aZ%$g0XVAf{(C zGqdi(BBW}I`y%@Lkr45PBX`gHxpn4jj&GlPXSC@UJIcYdB>vVFys9w?eNuoMiPJvpnrLz9@AI@sh1A8L)5Nv zI5!`E-fP+NFm3BSnkHJB@(}C({7+V$xt!12`h{PJb7ojal&+VR~MH`Lvj$_8(q{iR)$?EN>e4<-1>Ex50J`Ige|1R5b3y z4=+DE1n>R{H&lc?x_9r+Ia~*KKAxQ$PJcE&vWrc zR^4rhU%SWyZ|;cseb)n<7|ZqFJ8S_D?^teH`&pkB`-tv3--h=~8?g_pax7W_|l@Z$b~hpvP%+&qz<_)2b<_6@LeE_e6s8b?0G0OwHC+ z-DQ{r@#BTJ@mVpd{CbLJUE7Dk>^h2Hur83d2JlvSJDg+hwKTsB-0fU#0v@Sbe9>?f zeM|s0sDFU&ck)%$JIfcnAEGa}G|soin^$jlD=dv)hTqt=&0-~LeBU~A^xZZ<-zl{P 
z!Tt3>Q%=qQJpTHC@L5#A_c?f<*QC;k_RJ}_*}ziNA!KA3z&buDD(p?b=hDrw&j;tu zA7Cj_`ue0#FjRvvzYhcGh8LN)@k(gyqOT;wDHNX{#QxG?2kZGk$TKnJ9rHEFMw;fY z%Zv(hP-suF<&+k=q~<%j*Y*p&{c)D2w%)iIZonK3?;;WZe>?x{-gM4Io_?|yVF6i;+Lw- z9q|GbSPp_7+y+8IGuvR3b!rUM;loOtVr16!3RG)Yl3`zE764TC{ym`6z1Jf9T~VS|GXCfx#FXTh ze?Ce^(Ax=#(iugiA$FiPuyl6T(d@Sj?O^h{lTXK~m~5r>sYf8KRPJRFU$Rc$j2~kot7QsG|VI3kBXj3D=m&mw!sRAw`rd)IW<4 z3)3B-XoM^WaH9xn`-UuORc3nCxFyk~@@KLKqD`^A#OG(Vu!hWG=^>^%)S~-7vrE-y zQ9AA?Ylo0sVxR(s%GW=OpEfglM04aP=A;imxy=XGtUNsG`INkGV3*ut+$gePLI{sU zBz#kK3Qbu%clh;441V>&u}!s_wbCcWkxHiAWqgz~8XT;IDl6D>9&)N+sfDI^IoKJt zc1ktt5JTOIa}Ha7l3o$Rgqc8-mOhfsD31D0o1+E;(v;~ZX_i^^a=C_i+v8ev+M9nG zn1O1dH;tbR%4U+FZw5mlGD`l~us^9zmR_UB|8g*JSiMG5Jm?hu34>2P{?*Flt3i}n zZS4a?xG=X#gcDt|-N%4RSo0$;dFxhLmh<$tO!UIFr4dibd-->o&kL0>xaGppE1d<< zW}$e$xf?Dm0{LOJkq)9*Obz2BF@^sS&Rf4ma?r(ku~r0>o~3t}aOnlI^JN~;E#yJA zktSh8;cY~gF@A)_t6cTm6CWdj%P3Zt(BG$B0)0mTYk$3o2ySX>sS_Ni8dI$bOc{fU zglsGfFJtS|jWw^NgERXVC5ci0A|0EuK$Mr99kf;;jp7uUSoXz^%B}@|ftjBjVmijP z*<1jsbxS37R);E@Jn#f*6Jdh)@UT_0U`kw8H4dHgBe`-TnGe+qxnG5PLahZ(0q2g$EF zV9$yyzighJAzhlF0>3q1^VNz*Vvl#bSD^6{*V7C+Czp2uvY+D!>hi~qcZp8ZV>z); z>*`@ert<`D$99iB>Xrvs_u0#LIHsxjX_LQ3!LIo(EQo3K4)@s3L5)>Mvw9JYHQjiq29z!Q86)gpEdE`7By_}Z6ZjsV8oxZf0b1$bK>_OaO_%A;5iyfq zH`?1her-9rc|>iWn#b3i5S^$ATx4>&){*Upi|@N6^ep4^@sXKS-Tt8EeQ8d_3j!+i zKGzM6)|lzHxm-afJi|@vHLq=?==1r7m~RJyJ>DiyJpn7cZC4x9@`&?ML23|so8C`F zhtZxfOG}Bp10E;l0)^okJ%k>)D z+c$BA4Oe2&ytDV{R9ILyv-hTYG}moa(l-A^6#bIEeNX{55Cr!A0HZF0V?W=FZqi=B zuK%68N{&zJv(E&R%r7vLQkiPdTdd^2PxoAa3qIYz5_DQA+kDEj5Jpo+U`ag}2pSJ4 zUlvE}?OTaqB$5N?viVa{Q%=fXx;-G0025WjhuWOI4PBy5sGji0w;9Er6VCEg7jgQ2 zpveld&%lPHBN8f;OOC(}MC0(rS6y;z$K&nOT{#dTOqLYpkDY3^hY2 zQuD^YeHOXG370h@NV*F{?jiI(t@v-QRMkl6p(~)#;(Tu8Km4w2mhOkLz(S^Q4`H-$^xc+$qeH1BFvYbtpLe6cWM)-uJ3^7D$$na;8 z0DSyD-*M z^_c@k)@=^s2OQ|=^?#zxhk}3S!BnEE4VTq(l#X~L4XYYsJV3idmUov3lms4)Tvfw2 z%zGvRNhu0bC7Yf;ZPQwM^1T_VaxK&R8`bY{!`wtOGf&OSvMJi5_313gv`6&CmrswuG$&~j1Dx}G=uH7q!nYETS*J=^izKU{KUcKSU8k-x z0;3v)Syx|z8kz7S5GE_#c@zHaP2?vr(-p@oRal_=Uq)E9d&*MOS 
zvy8Y2KV?bAf3s^Li#;WkH>BAhqtqNH$KZ}(Ff>4-<5NlaslCuT@0dO*pB%+kj7md~ z^i)+lW3wRI9H}0+vQw$2HiP#?t46gV1WCX*C}Y*>Ywezy+;cf;Twu>lP9B{bC<~19 zX*u_r9R7GBcD!Re17M%?alv0fz;d1rx*ed03ekh)5NvVygo@mIsu+fTzCZ1;~ ziK|YOW@2oJbyJ6PB@Kj0)rs~(l%&U-)dpn_e9tsIan^KE9_56={tGKP!8u8wyW8#w ziQr_lO?r@+Y4i26xiBJxn*WMc=!Y#@pq46auFbLMw4B@9(H~1|OXcHs&7uYCMNH2^ z!$4j3EH}lt&?4FFe%9aif3$7GA-wc{5k>Q0fuTQsg9DnEf@* zA_rBD!rP|SLBxX9!!t^CMwCrKg#uBcyco{eWjeMm&r)J|LxIIcu{K(0L_q8c`-j3s zc4^7$9Z)k3>!3ho}cfWqluG_y0&#{Y*Fo5rJ-jg=_^ zll;F|-Hpc^7&v+ukZ3=(>?}?_HAwU`4!H9fc8*2B{4paI2r36Te;ggJ0uumjLsQQ> z9s95uF;^N6Pi}&5Hv#$^6+nj&Q&fDu_Wt!%EPZcyQ${`09^L71ki)6BdRGT{tV0jj z>s@lyxk0F9^%ujh)3|dLH1HBmj1|oz_G+&x_Hg z(`#FPv-Sm_3F=@HzZ^j~JiYEP9%JVO=t)^Vv?plmYkAh&aD~0xB${6H0^OZa1gX6L zovTB4xnB#W3fA`gFsxze5jf6jQs@5VXSW*F@O=F|a$TXF!!Pj8`Q2XR2T?!{08Qg| zGbIuE#MH|8$mSC5byuJ7*}!`dBQT0{{ju~x>YU+){I+-TLf}30J}TzPgmh#Y5Mb-m6VbzDE3UW}VP zUcKo)7aL#cxGrg<3OLM3iI|4*Mqda#pJU{**B1z8JIqu8bPofdkMBX}v{L3a^qHW8 zPh`9v)?ax)*QwQ`r>Q8oO^4r*05yY^zu7qwf*&ISa5fK5Emt&zZRd{-4XA`!n{Eqi z)9s)!m}!7{%6j;iTbo4nbk)nvC0vZ4H!0Vhc?}iLFb?WdT|BZ1zD~VKb_Vb-V4_?s58yS$2>&j09K zz|YTWLNR##f1*^uHfYu*`XWi&H6Ht&PVyeD7wD+#J8k|OL- zfa28xLOHAisnbuXao_2ka6@AXO=vFb z0W(Idr8SSJzoadB_msbBb|5Zp*mD|t?UXL%Sm-GS_sMJ1&dM&`HNPBmAmOQg-M6-_D z)Xw?TtCm)+vMSWHtEybHfllYg>n*B1UXMV6EdlQ;^G)+ZP0n+O;|u2}(Cs$7P~P!DZTcDb=IZP-Rng zUW59y5*r-0WqSZ{}bqL85?jkasBuYLnKWx+AcVDRu z5l~3DU=YKw5Mf(UrX?3nh?x;(MphjIRi{$Ukzh2s^i9F0@U(nHm`KSg$yt%re@)DP z^w*!Jk51L0+vJpkzb>fMUvY-gU7#i&@3O2gAGzomk$?Lyu0ygzJT?my!V?*t7aBo~ ziqyfX!b!r(s2L+?+!$(b!pg&Q?~Bci{D7JIL6T&HGb&FJ+1p4;3!Z=6{&>)EHJc0C zHV3f^u1^ZSOn*FpfAX@ICQ|As`=b|94jXCPKPn29a~b}{i*J-yT);Uu8ErjLL&GvY z^NXT20WwEmihIiKY3mk97mbC=EMs6QXI|M*=r20)9iU@u7$YGbURvx$vmjf2!Ejg# zAwxP6rf2{6Ru2)Ee4t(;Qvsb1!=_|9w@+ciBdTcol|IltK#ThX#)b0;a5+b%DgWOHxt?EOo1I>=b9B`IEyJvBH_c&R%0l zdp6j^mK>ZMp+@WmZ$H_?ewS+%VM+=ImXXSG+GA^?ek`5!tZD*?z>u|Ib08<2y%%yv zzyfSx>KB?tJNlWXGlxunN_Nvf@yuK_t>{Z-$IgX{6*7-DO==gbKdW#CC*A1U8aXSq 
zQ8HTYBZVzpXF{m@*@lWSbh{1YV|6ed1=v=S`bZVBV`Ih^v@!7ZwtU+F8iqlAEX~O(qNZ26U3*J$H*_)sb`I9E-{uqO} zb#MJx&;n0NSc4JZ(HA0hJ+M=!?veFQrG_0s_kPKB4Yty3!%DRkjMKm>*)eDSEO`&JWZ{chlb_69juR2UU%5_SkKV{Z)aQbcEkHfubs_p_`QeOUe*^=JZ@%w zS(RLPJY3v~D(E*)(w^(oFPH&;wU6>5=mH(`=CF?$R0QvGQT^`2G$%LR8Lse%SgaR^ z`=HC!eI9zn)fwB-`8SR#2`}!y>zR&M`DuC|8VDJrXza~|H_TskfFJ6qPy~hquYx*a z1TES^=CAvUuw~2n9ly&vc)rhys(>Z|=wy{I*(wjr!9J zw&q!+_O~TT-6-I)%1-k=Cg33Am8QTeNOeI%;j-<7T!G(h{%gfF=sxW{e3A+^S5WWf zV;*G#@Gk2db!`3OcFUm7F7N$XdjSV`c{lHz4c=rVDigOJw9jghFk4*ib!{~NZZORc zskNU=WzTK)6vOC|(ypR;JF8DuznP=9_MED%*L706Ea%HM(A)nE%n@XU}c`&Jma^)On(40&(V2q<|NXQ+1xukAFVR$ zd3$RfvtFN)vtKrA!Qpc~-5B@#F96U$FTW8}WAF5QHojHfxk5W;Xb$jPyPGHf2Q|9q{s7g zK+}MBe)*3%Km4Zx2P2v9`Q=<5VVhc&OL(pqV(zGw8jUd(=y6)RgH=T{?xG{D;g@}} z3~;WKcI8Yd7s<_n3Sd45Kz&X?Ym-SsP7K{*)+r=uJV$iI7RYo)SuYecm{bN}3=6Fa zPbUL7C4sshD~3Qrl0T*<`8)`uaUk>x2}5h!QoCY~gNY;PvNpE+nIWw*W*8QopG{tE%1v3rhr+#j||6Jw@gi) zuIJVIxiVE~m^s-|$~`_HNIpGa!miVACGoJq$zZ}IOgY_|UZ4h4;PD-EY}dIwQnu)1mHwZu z{|2=qlKTS0{-2dI{5$`FzJL5@zP6kH;y>Jc_5aC=DcNZWX3a^YWu9snTnMLuU{p?_ zhVS{lhBZobx-!fIZtV5cE`XZFIH*#}Fc7VNJJf(-yEs6HOv_8q<9aY4C>F&`IEwj+ zn{mfdQS&*Y0*#fbgJYwrRMQ4QJ>AVrN_vx2bV1IV$bf5S+G;7Gu*D#25E%_aoR(BB z*07-OR%1)GaEDCC;03t1n$YP}Ck-U*=A(eiDmuv-4%!a~4Y`5FX zDHf`bFax2PaXhT0`*bOEO_t09>^NpxhC6kmz7w_@gKpd#aFZw@S4c8dF;lqd%L5=P z^*cF5E%U8zAX`$YJJA3WnOH5Bw6swkOHG_!OPyYFt6sxgEyJ0KPNohfQ)$bD!*8wr z+duK2|C#!4J&5<~aw=VsN=gUw!hFfMMY2$?;}}@1R8W9`42JCvonkUbWUIL*)3=!s zkW6{RB{R7^-!<}#Q!Q0g$(vqvKCG&?oy>wj7veBJ(Piy|lWXzK zLIu~6E-sU;bPr4q%vz6Ra5X7X1*z_5xE5bAF>4%{6=}$kfDAUtj#`7QL`l_ZT-TV+ zZ*_#0GkC-+bUqUDLXH%TnrpCJl7`199M||7oM(Mf4l?yzGdZeEucqq@2^_F`IZ|@b zKH(Vyzcgw|*{P2%RWU@vWle2nA`FA-4OcDY{3s2yy((aul04$eeh(YOi5`?})UYn5 zXpKRRspgZd4&Ikb9j6p~V}4=>Jg>L0RzJ+nz@iygGy{ufV9^XLnt?^%OM}4-{+;AM z>6!fBH({UQKZzf$(tP#X=Ra5q#Su7-gI`AfgZ~Tv$$SU+50=KJV*yj(SLHvq9KP;{ zyD7@SuN}C9_sa9zzi{0?$ZytPsMtJenO(^I#(VGcEAbWjCd+xxSpAT_4nFdl%DTt!^~x%|ZtAzE|LLp~9@%8p*Wo`qSp3DEC63;C#U*~^Sl6t0 
z*agb|_ilgso4`&lo?~p#zu1wh742?}J@OZc`%l?`xPI03)_!UI6RucTeD`z#qSk-; z?X!1!d(Ep?VU8o9O>L@TdtaOjcH(r-TFUmhKX1L05iTy0BegR?)r&tty*W35XEnnJg=k<4dsrKxG zPpXeT5E}Hm=4oGk{eR;BzjO89AaJJt&o^RUf&VatPJtr6clsZg6Qy)Tl)#G3|J#P# z|KLBL+yAHe{o_C8q!K$28}rlHbiVaJ&iwG7R#*xKdBpJBWY{6|CXy%!&15MJLUlg| zd|ZGuwp_AX2vDYIKZu>ty!3s)rJxeqP?JRi>7}ZKA_v0`i^PRmP)#3Xt9HimlHaT8d&PL5KBoaoHO*f4ArAeg&R{5ZOMsBH#vzbI5OQj zjJ8%224iFB040VVr+ix*Vtx{9HF7z!=(cm3q1TCSvCgF0N=6F$`AIsP@SVuErAo!f zk<+-d)9wW+wNu6kD&zXC{4^rRvr5)4OJ-PY4LT&^gSC9E(t&Fh27u7K<~eXw{d)X| zDz-$YuY@=klVK&xh(#vk^NLjB=`zD^PS=L%0UXnzSsDzLkqGAbp2rnyn9-*yEyiq3dbBn&I%O!K z_RAe7?~&*EZ|pZ51DAwOSjg5~xfj zil`ir&8lf*Y?DCylsBXxBHxqpc@wW_2%Z{CR;%4JLf>ZFY%{J=Ll|UwfXd|kMiS8y zcE9fC!8StI2ukV$s%7y`T><~6>%S#OXfmGRKi_BmGe6tSKlso5^#7qXJQZb4Ms8{e zs|xiR1jEARXi^qrxy^|6MrBf_Bf3VDg>0tQD;K(|!J|wh13pR*h;Xb^u#t8cFQp<0 zi1O>Y4+ap=W;3eSsuCpt>_rWKGA3XsashPcqh?qq)l$2g!a}&KAZ0U~(gm0(>J1`+ zj;32ujvbU4*$l8`p*a}@phI+Zy;~{@f;Zj2K*x1EXg3auswt299U;StqSz{!aRo#Z zNSP)EM5k|=cD`g43($z|7MjIqAa_zj2@K5%NsPw=(atf$80B*$9IMr$5>iB(sTCP6 zQSOXdx*$zp-}ll|JbhgB(CN$iB$;&WMz-E|6r|NhTN6Gqs%nex=>)(62-3Afd+3+w zL^&jy=|Y+%i^R89|LvdkKl4-nO(ErO!Y|~l%%GFOWKWuOM@o~{QUTl(6`boeohI69 zBc(hI1cF#Eb;BX)OL3O2>HIibuLIGrl%P5VO@+8}(5wUsPc%oll3@c{6E|2QrI&a< zXrc%t^KP2&O|qS^E~Qz{SL>Z-vZpqhTte{2pkH$Ap###nRN2ok(WqZ5<}!%S#JjFsM=Cx z*>Crhc1D1dVZ#YV5m`bFuvqJWIbNUvp6w+p)8#_ELymGeowE3h9kmII)8`ct9U*ax zgGzSWE@w)~LhMZ{G*RkvV>0%5D@;W&;2NLcli8oofBt*_9Kq1^M*kM{ zoNMpx{-)KZ@gLpxN>x3|4?uP1-F=0~e9 zzxQH0zjyGy;_LU^a?~03t@ot9a|a&GI_U0aUby=Y?=JP{2ab<)YmY0oMBn}3Sp#dX zb;%pp(&AI9#@zhZrJoFrJmB!UKO?eA)M}d}-U2YInRf=f!x#*EYTdTzmK< zHF0!th1%^GzIW8wcbz4?bN5_G-sI}~AC_GFwp}mgE;{B(?V(E-{r$81Z*uUvJFR(8 zd8Y?|9bK5ceRSyclUYX}6#h*s-hF<&@`^vcec2yfC33;sin-I_4;*+5y3JNsUVnZS z{Q1Kwaq$^*yt)4Nd#=rGbI-#5hi@!&+{=}t5B&u6Yy)ofFQ8}BPe9KG;Cg$mGiZl{ z&3bCL-ST?jAW%EKLAaUL9!#ghzzsKRdEL*$Kyx-3kCkoPH}AXIezR|7U%2?0yFbXz zI&0Ynw%Ywn;*meRBJ`!_p&n>%;9MM^Dr>i$dZxmWkm^A97 zmFJc(y5(s!{rrZTZhO~rJ3ZDi=KQMio1>CjFLBnXfA*@^W-k8A!_U36#82 
z>zujUX7Cy8UN=7gy!puJx^@};p>)mfSD&@{Qmec(T6M3~+t(fUt96gpc6jB{4X*g% zZkL=^T<6h^Z(Ha$D}9Oe|9AiY{}=!Kd;SA`w*DJ9)Booiv40o4PUgLw9{l&0(+6dP zO!Dn7h+Vsd?_}&+5nItTtc)v#d2w5I-V50pn{z&m*Mu+NKk#$}=|({$;AuP>RpRWt zCOQ+2^yYn*{>Nv;c=}mnHoVY(#tlgy=%HUr^+6e;!%Ux~|36 z=!nSv{cpuW)@3!AHESsnoc=o|3t3^_7bS98kIjRKt5eNTZJ4GYBQ`655%USYDHrlJ zUZY6x?_Vn9#HL(zZ zfSeN94POE?b&q5GPAX{_5sILys}LPC=@KO{>Y&(=Eo*WnMh(2ia^uj;Wu$_Sn?OP( z^Mr&Z=^_nOD`~A;%=XHo!hn;EK~qf*h(adsr7MVK=15p|DuTlxvEUThQZkvY=D>DB z1Bs*k71<#iuvv$# zM7pU9LrJXkdi|)@?HX{ZhQs}Smv469+%UpAV-?I3I53$|X|k!LQ$rCYlTM|LnG#^T ztwbuCJ~Td?^TyK&C1$IiBp?4Cn-V!OTbP%e{MSrEKKdk+FkNC|qSJu2F@%Hy-DfM5CbjKMe-b%EHsNDsKMAR}ND6Jc zgBxb(23Xq$2^kp)mLJHp(9Ni#7qv5;iQDmXhKvlT*--2@Q7eF2B34v6hfo339#@Cs z*eExwG2~@NFe+A=3|==JvSp4sQai)|s%wq>9vzA~T+@3oVWyf|f*J9eMy1MwJT{?6 zh84DCr{{PbB?txB0}2Qk#`FkYB`vcRlSGL~OtiR><4asa?Dt7P z0b&s2Lm{j+RVk&~MVYHLg*HdUY|X5ds6YruRI^RhCB@=&)J!ZIexglyEhAy}|&y49%S`HGdR zs`NybT{V%fcB~0mb%%8(70X$mBbt_&^dl+&)1jJDxKgemNIe4pr)wsYt?Ky>GO_`w z#nw>*w%LTqk5Q(lPCTU8pOmAqob4Gk4v%__gW}l<&Pc^xGSy2Xh|utdVXDsAnNiBj z2VlpN8e=Qr597ET1L-~d%y%``y(mJ0Tnb5ZLyS@ z^rJ#Q?uTr`5KH4$K@V8||GHTajD+|L+-$-8dy23)9X6X!n*aZ#JG#{cBEJJ*U7mNv zaoX)*5Z4sabDo1BfNlJ{uJUr$m&Gw)k5uO8JNXb%Q(Jx>m&@2Q% zr`Qrku*Hk95m^x_4PpevQuU@QK|DqE<3yNJf}RJ~S`xiPQOCZI_B( zJeh{{bX4zh6&cCE`CesUvg-7Zq7V${7l;I;q>>q{8RVKw1u=k>1>kYa3Rx}is}`cj zRi_>6RiN8avfZc+W$VqPz(ZUrgG5C7OV8Kg6VbY_swf3VHVo_`nhKgbOK`9|!s`kyUte&9#n0sRjS z!6=wPGw8q9|DfQ%=zq}ffc^&uGY}5W`|T_0e-6C1+fTlG?sm&_FF$|Oxo;i)?yoxKAO7WlIo(%w5jMJF zjklJ5{oU6tUihZBl`wtt(b;eFI&svXOA||ZBM@Z_%cVnz5ieKxc#=bf4kAUbBi0#eq#3h{Be8k zxy7E3pMLw6AHK9hY1NCb+T1_%<%>^x{(&1RH)MCX`S_3TEMIZt%FsbCuX)NVhk9?_ zdBv5#pntu>s;7;1JaWB1{Z-*E^B=fu!K-$9oS@dFvpyztX&XFar`vFGk5t;uftDEZ#nwL_QMYV+!> z<(MsdYuvHnY7+UQEiXLd;aARG`w?Lj=^{BIM-TLe`=3KhT-jx>?Ngec;eUpDZ^}x9| z*mL(@>g`pY*OvP*+DJKNk8M|9aJPfbJ{mf_DlJU*4|{8$SI@g-mm>~y`{(TP^e#W* zS6K5td)#t+>MM4pFQCwYri$W{QCdI z|9`vspXs9b4FAc@^#A!r?5pU1*d&yOzli^QXZ1hnifw{yOhgr10>7mG2Trh`TmS9* 
zsQ*D&k)6ij3S6;U^Qr%dv-6|>u^T|_N9s80)JIN->~|6k7Y&=W%Anf|+a%n|%Siqu3Qom%;ggJpHYA7ZKm3))cD-k-WgQIH3FZT!I zTuIJ4r4ru2EOdyCL_M%O6@X4Nc|kI{JTAq^NEA&fh;2EMaWYLRglVuPJ1AY2@f;b3 z&bVS@k*FmdmoAJ;?TqIdR=qZI%xQy7CWp-Ltkq&yl)C9gGZG^Sx;JSjE; zG|Av_p*?KqfeC`8f>@3QW^X9b6s)DnA|2%jWsvvlJR_QkUfvD9X8#|Kh%niW@|-%R zGL@E6YxY4W0|Q;Dh~>o&&dSOV?sI+2?^Ij4N+VMmXWKqsO=o&Sb)0}QK@LvQ!ZgZD zRg0!2bNErYOcrJ2~b-(HsWT<5PibS;I=I zk_i|-;E(Sr~W@o$sq!Ah5>!5|4DuS^gr{p-TZ?A%}@O|CMUWY zrdYaSC;F9ajH#(y3}bbLbgi_PhIxbz3}w1?#1IalU4Q7t9hfsBt~YE2GV9kvfz5iU zMq21$i70Dpy(HkaO zqZHKO+f2e5wt-d{Qb@UK4m7x%q|AZ{4spXyXD|mH>tMwwQ>nJgOTw_2@jy?_VQs4i z1ia44B$eQ*;dJbJfObFa|HGow>HG!ypKSM2{ZBE@>RvAVtp2B<(B)>svb07nYzoM* z+2Fs>KW7=amXO3u5}V#hUhh|2Qtf0KDw$P+kc2Ir#Uy+TVrpm^scy5BrJJrE+8vy$ z(aM-2&|F>;5?L?^7{#vux@EFXTya?}5riNN(=)`o+mo*W^NumZrHJ0iMWp0>7 zyRI@UVmU8?*7CSkDy00pD0gkJ5w|BrmtsgPB%21`Q}cBoi;dx8t(Alrv{Qh4qf!o5 z!(t&OWwsl4xmaNe z00H-%ve6@_XEvy0v}mIyXNCo;QtnV+%RkSso*C9N!+K^|&kXCCVLkur3V>xVDu~UpX1f1pR1qJUi*-H zpP6;%8rIc6^iDo#g|``pw?bm+e)%y1Cu`cNcG3Y@5gKI^)EpQ@>hHzvZ2cuh{a~Qf6n}{iRjj z+dz7p+oiwlAy*u>0Erd7jAxPxeoT^?C$PoE!OzUq3L55UF@1?Hs0at zRZrP*or@NA4ukL0mig$&4-dIsYrQae_FVpst&jiRcJJM`Kxe$qyO%y6Zg9DJ^VzR% zx#$mH`f$Zx2Bp$Ve0t$CF5WYE;f@Q=TIIX~?`w$Z|y3v(7fc)`^#e&%T5;_OPBpLFAyhgjz>IjO?Ru=~r^ zTw}>ss$YKnf8zhY<@#^PXZ!zT&>8>#P1slAKXtN|*1mWBe-QTX2{|dA#;C}b=RcoY z|4sk?@gE1Qh%JaM%)1}-{PLeKALvfwT&3^2d>bPAMWC**p&%v@wAO0?L|82~>ylM> zp%fo01dOSq1Ik^)VY!Sf&~Y3yy51<%4aMbpm8bx>J1MzXP3IE1p>EgPF~lWhp&(M0 ztY!+T=qHqBvPm;6~5} z#PT#K^HLNisa?Y5(YTBDLu}md`ABsL2;*iZCo!m4qjVAm%BxVZWvf4 zNM)FEj`hmbYLjR>+<>z@ywOfKs4^6=y)2|j1dleIVZ@b^*(Q-Qfod;5>e@s?4dA@c zaa#T~a1Ha8PmSHCnIBh&DyvW?T|!h{BZ*PH-YJcTQqHI+As`%7F+c17|x!CBRU94bAVsa+G_$mK^zkmE^zP6ix@Spjr|E6~W zp(yJy>LiF^hY#oiiAF#L;1q|FES*JLD3%|_p zC54&FNJ{{jcDA0R^3{ysg?3kFr|u*U1}V*(Oe};>=ZSVFJ;;MB3ZpW_LQ%dv8red& zOh8DLrpZLH)epNZhOD*!tN%}%C8IB@|5o~x|L}G$`z860VA0|iYl9MBBo6vKZBQrj zN*y`KQJh$dqns>vOJPDDTfwL;LBU8c+D1(TQ;ljdqS_M?B3kdLR9Y;bX||hv23EjUHba73Ttz4@ 
zlS{gOGi7RGtDJ_EB42GMB1<*~ly97-AMWIf-{(ajV?vz9C*__FRAlv${UlU9=j@X|QjvkYM`>K7v5F)oem8CGY}4r5kv+g!K4q*vet;e$_?VJWs?1-!@In zDmQ6JC-_>X-YIib&WGScnV%5{%>bhrU^D}aW`NNQF#2C@Fo>qUll*7q{qJwYKFfc0 zJ8Z`@zIFbC&&vxV>FLDDdykLoj;tk*Mf_D zc+Ml|E&S&_o5~3b-MqD8gSS`P=h~Cj9*#P1lS zPpyA&)`@SdfAAQddsKeKhi^&!_4?eC`&@g?vMWxmT6Cooc55H;g0?_ok(2k!k&FF$ z;hkJUk&#;{668fclMfd@fJ&Meb}WdEH(J>qJ7{KesK2w zuk5wx@7Gvv+oLYp|KKYxIbfAbmtAtx&d&66KlwWRXVHV+T;V49=DXfm__Q_Y(R%m% z^`qK%rRy*m?ZU6M} z-jn-IUgz;tbjCevpS15{x7_vG&wB^%yYZh+-s7EXt#c9j^3wLlM(~^$lPhCXWvtQ(to6| z{4c_}Pfu2Udc(Jye>{BC6E5rCx!&I{!k3gDeR&S8QiI z@Aogyf9(Gq{71}2(@-0#6tYppR_2%g(DTKA5I?Cux)Mk?l!Rt95gJzN94Lej^2Uy%r>l zgXD5b^qVHxkHf4rUvh7wnDW;LBy1iyuO^LjxX$YJqICkuJ&}2ENj>Rnui^pXFV_h$bcQw zN{*0eyp6Ls#$ax*R8uS^+ZCI=HqZnn!|B0g&`G1ysT4LuPUM@^G#m~mjev|3BISZ1 z>cL#To6#ZJDeDM12FnqUcj(D4$CFDs!WB38zRcl?H>ntKmYqI2HjM5=x0! zDEEl8+h)?PG)A}>0l^D&5qMERA z&62&i7vz~@#RIEin9AuiRG1K2s1C@g zF^C(o+K=skz=aNur}^=`a+`@L)uvep5>!Ir#e$+#K_7FC#(=Gim8RNAnK>uOr0Oxz zRT`NPZ4gD?hDM|#xGg_WqhVqob*6{mtem4eIj*aUL06OI`Y?@#KS9H41LXlC%NIF-wdSVuI9NE>=CJ)8^N>heIyT?|o zahal738Q;~E#%V(MbrkhQrb&Q3~M0us@#Zgh;${7bhFBU*8{D`hV5pLXtX9~s{iu~uE57u2)T-@2L3 zNPqlbo%c>9Z@{;DbCW;po&L!z-d|&*mw%q`+6%C3x9mWL2sGYPOLq;wYb^fjpu&0!!ggSdB=M>pil=ohKcz9CKTArLx7z%fEH-O4}^5_4bc{aOYO?^V?r|p>*nXC*Hp1 zPsW?=wn_J#=aehX*!_U#{`NEAmHsi#<10Uh5C0}S{-^i0+x>6G9oJKTR3BX2Jomx1 zp1b7P%$?_#_e)>((AufHs4tLH@mIiAM0>0)8OdI;JxlCXCCR5*26pd z9dgG7Z>)aKyT3-ZnZ3@nha$ma@b1wG-f;O@nO*DQ&wqBywl7>e_vy3Bj|BT&u<~Oc zB{n+qu6I}JRNCu2x%=MLXMUGte&TE!%sTALum4Z{|F_J4KBxZ=3eNcdZ^FI`|8e}D zA$~z|qVFvKaps{Lh%HDdPGtXWL+*d@pZN3mkM%v|KhV5fDl5|PG#;N{{=?1>|KW;- zWY*{~ylXZM#qfrS>7)VdHdjW9e4z`{)S%q%M_5^x3ZV&_j6PJH0UTGgQhAW)h8{rl zlw_eqG#J|*=TlKHL8MIG3Vntvuyl{^$6~A~VkqHkTZvhNp{IceQsr7kwwz{=_K?(h zsWwT&=}0dIrKVp`XgJch8pFxZ%c&(g(`Pe6)JRHVL9Ym|9i(KX&AV#f!*saO_amxl z>v-t*a`HIo*|te0N^#HR)hM0}@@kV7GfKT4H^)GB7!TCE9}UxkVqC<+0fm$dH0&yk zV%^aiURtk@=(tFB=4CfKoRpnTYZOx2A}=U*$SYpo#(Krvh}I`z0c-f!5P%0&u9j|f zR7dl3DFh;U5$juc!ly&%>+zo~$*4x26mW2yoQTPe)a}&3%osH~jZsWynjG59H03^N 
z`AM{6B4PYmh(&=8Ymt+jU_54E`V--gwv&g3E zOqEndL%r+tsU8-!VB7@+${r=)e61LR1#`@d8n_8c6F1MtbulB<9lBgW(&fIL3stX@ z9n=bLxjoE*SV+M$fY|@D@`!)uKVRGf=)1~)=5M?C2mguZr~aE%#KU4;sYzyng+j%sV0wkbzv+phXf%H@&S=) zO#NMBAhaUVw#6)Fw8kVq0;(M5FdT~OQF^Gh1UJV!>3ZLddqXQR&f}mCQ#|9!5!35= zN&(8M880tksFu^b)L?8&6vOLkBVc2iXeB6{P_K(9+c zwKddWt(I!IN~>gzMxrCJAn4@{&5c7e*S|E2GR6)k^f|7@_*lmeU|^+RJ!{4Z=e4_APgfAibG#U z|C9a~{)2x9_zyIVThd@=I;gM6e-3zN+g+d7@uWHaPJ90JhWCPH^RKS3+;P;YH$1)d zT0m{@1>Sr0MnjqP$hv!P44D_tnzQ@re;|Lo@A40weCV$2n@)b;Ug3vl9wVRlyZVXi zzV{0FQg_uwcBsC-z(w0%^6J|S(@mc|`^sHjeD{qV)d!#>qxGJ9ZLjUrgO>e0@$&iT zqLMmzz+U(M^|pNB@@t*9r1gIC7xVGn+pAtJyty#H({7VmaoNSj;L^Xlc(a=}-==IG zcRd8Ye%|&EzIgaji%IFl7yYw$?`zB4FW&dwqDLIM`X=og#C@*Z>Ydq7?1-Fh?zP0B z2QHCb|0U;{55=pVC~tI3qVdA*FMhnDwzqlloy%{y)=`T!-aL1S9kYw39+fV!Z++zJ z@Si#N@3Qg&CttV7)3Us_~EgZTlQZ^XU| z{|TK|a{PVk|Kmj5ydRNBRYV2)()_3Lx&42>hx~__4xNRjF*?GE^R55k=ZF7Px)4gR zfD8}&RzMJ3EdhC@T#?EQG1se4W0smBS~1tP7VTuwbn{)-OjR;*eHdkZyvue_ ztvgPYyIKeClSYE7jcU2f2x6mNowHNWsICx5e7};24a&jnFl;yKdKIv%5a86XzNi-aqXC4%b;n6%88r=#+jJ?m`@*1+ zM=KhHbdi)G0o76>Pt^mbhUi9p0sz^eK!drd>*;iyibqmfLot)>8b%vg3-9Jlf6({n za7e3Zt6LiKVKL7nG+6F`J^n*9>(kZaD8vA8nktqu{ttWS9q%}G?R#3_B0>!?5c*I; zFd)gQrc0JASyr)ZRZ}gw%95*WS!RFK&YWJw2%Oyh2BE%B`^>O5D3o` zE;ly;UKqHSzXX^IMlD&2&14VZB9L#x6{x#&BAVz%``mU zLv#(!O?*G_Rj5u%K-H_Xnscz-V}rz~=M~B*h+r)4BBiWU&LWTvC408rt5rNi z?HVbpFfhQOCbvBoh+P!+bb}uzTDU5q&Y)yX=&DNzF`+lCOwNvSX%Y1bO~*_m;Uv}4 z`ongZX=IzFfm|630li&}ghq`T=d}u=Q;5%Qsuuufl(F3q$Of`-c$Qb1Nb^)Boq& z%zqYTx%n^tBQHw-pDgCK1coZ5gfWnbf^-AVvjGJQ!vs0Ovr#=~)@x`SOI};f^h!~$ zm|@)_By{pjKbG81Axm`!F6-I`rR9OtbQ1>qJ&53bW9azNS4jD3U>G^F1ZI_*KSS}Em9!(m(`{KRyHche1) z1C3TfAL*3UYFk|&mYQrs8M_#Xb2T7VXgtBE%#j#Z#7rdjEVbRrrCA{cn+iv842u*& zPMuC$zds;-vQpteO^nh~q$&wcE&vTWks64xOKX$1mdewO*x_Nps6k0TG~ zW7H4=Rqh~`!IaDv?ZgVt77~OOV*8Qf@E@0Gy{ufV9^XLnt??#uxJJr z{Xb<0L}1@Y{sYhK|9u_yY5wz4ZSDo%0RBTFNfLrnB=iON5B5#uKPikvU@V0pUy}bE ze$jJJy?5CQckK3^4Uo&<{Aj0TI+c0%{5kc0JXvLXZG+{ky`J9am?IAQ?*6ag4hIHKY7t&@`-aAz&#tR@%r1<&0j5V`qwk;pWS$eZ|yr=YK!M?TWf_ie)Z%vOB_mm 
z2Sw8BZ}I8@^WI#W>u>Os%H%eF^RDa(LFu&*?!NS?ih0_tXB_#ny>488jWwgkZaeOg z1Ia!5Jih0=T`z#v0%)JOA~*SNBH_v>w=tJ!R#SnLVWs&?PnmkA^CjtoGd8J(a~*UVGld zH~fX#_lx`g$MOH)%zw~N>%S2*@&9YFFT;P(YN*rSy8557tm$KgkscHcKIcG+z8%@`FYcFC+!L%-YPr%6jI$PUxBK?6%Tm2olj8#d$R0X@s6B~Bc5!zMYl z$edkl--Y&Ez{}TP*f^ z$zA|gC@JH0s;N@9OO|AIMDVi0Wy&5?DitFs=t4rnX;!GAUWyvB2hfayd`12aad8gyGn&1uWT{I#w$IN%dSvcm|udGLF`eIG|)?MqF7o zYyEz9kWW%#KP9xPHp_yNG*NObWTdBR9j))RT)yUu1Z%=WpMj?H!`6kKi34IB+DVO8 z$^mQjShHhw%t|#~au6;>fxgIf(;3Hz)RJZ@rZ*uNPI3vasAkhgC4&?6+IFF^7|M%O&c?rkPXPO$NxCp&K{a zL$~TQRSlB{*3@M+_p9)q%-{6i68{ilp<>h~XSN4F;Xl~7kN+&va`Siovnc(4#Iacc zOYIzp)q$GrCTew14!M+)xA;+2Fp?-aJxIQSmyG#LoD4Ok+AL2Ecl zMR118S%5V{+C2@V%%&tyM++;2RSA+Kr=I6S#|rYC-%NG0t-9pPd01wWRDic^8cO6W zJet>&`?|1LZe4Gz+K8!Jb3NJ)uKxPMi{s)chNQ^&UE5&JM2aD8M zP~^Pwznm8ArG2YbS)Tv8UiQMhDy`rLIVlT8k9ixx|8ODHn6Ai&BDG(I4R?Kr4M#Vr zXTQJPNHEXPl&n&16vh3D0B$Ue0eXLgzlMO1@Dag-AK}@4U7!=p|DCwP(f3%k=2qj6 zoZ;W@n33buv}d51D6h&nghbgc$bLrIIKWV)wh*~-4LMNb?>ub5<~^u#3q*$Huo8@r zM5+6i%~SpC8;WpY(~|poNc1a)?`NA6?N$7~R~I=~7+uYZ31-fBL@~X|6d%g!aqpP1 zDB*~fXjQJlX`auIwqwn_pB!;e?Eq_AC-gUk1 zdrYf?@WW-hCzmV_NSLDw_UB21dt>tH5Wwx_DL(q7zedDo=KEI8(`prIu9og|)`g=k zz$zz7*sl|qO=D=-6rkmM9lN^o60;KLFSmKucEy~h;0aOgwuP~E?O~}zJNG*EjJuV% z>wRI!vi{nn59-;CeJ#^ejSp7kv8uh)s# z)b<`}pxG-LHZ6=aqZ%G39Sh&FTVCA+qs4EPX}nKyljdDqxo?!t)wM4CO`j0)Go7&i z%dW-bD%iUJmus!_pf2^9-@N@j4{&+F@YgrqQH}2=53W56rB}(YZ6Z<(x@~ z>i1{c|H5^*+p+jK@16dmyj{&}qt(+8)a%ZT`uE!Vwnv~%Q%MBrV#L`pV0yK#SdVQYHjyyZdK>BPI}PncHIk*3iUnSUAxd2cyYc%vXqdZ=Uy9lxPta| zEx=~8it)mLJA7T3t-gl(XJz3@&8U? 
z!U}NM^f0)7s1F+a^^7)nxz8R5&{;B548@iV!e)9Oc?XZ@uYfJZ0q-wLI7wVWIvL}N z00VW9DT^#Ho|#MB&~9Cjm`(#?Nuz()PW^Pa z1F2PdxDq=?uZ9W}e&ZBXzg=C5tegxoHKHy)(JtCrhGH4M%=)J`t?gHqr$UdU^05jW z9_UQ=(bS}xxD1t*2Dn}~fh&Z`i2WA`Wd=?ogNk8qp_zF4M<a zq8Q#H_7WMNt**wNDp<1>Qe+t=b zuU?9-j`XoJ+T$sRvUbdofuJ{Jlt_gy4#9yb@vXl`A0*&M>vFz8F=y94H=78hR;i-b zKP^&VxTy24z%9_LNYQwY!o<3@W!r~|Dwp&Xfe7>6sB@MGhS0A|5yeBlOPQ{dux*fR zkeZr)O=9va;fZ=&=}q{KLj3Vrd5VL_f*eu~a;;Gs81 z@(~)@`54d^;Et5;?ddlEhmHei7JyR@pt z=Uq#`cDZ)J9H}n0JznTPG@E+wRY$JS(-n7Syszapds+I0eL6NuI7JpCNQKT!!!W7) z=NfVeBSNMa$HwLH;xU^R-gyjdSg?39VhlRb#7;$~Ou-=~>nf57ELJppacoBqF-?OT z>=CD6@BmZU?4d#35-k!w&14z6r``DRWylwQS@BrS!NdUw<@pQ;3ZhkvkbkR@$iIz4 zV!aIFCMk^=RKAu!2MjW8i<5Vn@GB%G|EfbCnWc53MobDeA5gz=8qSbioQtB^ZSZc0 zc=wiYYYLpaAIi#+<~u|nu#i2@Vm~jzR4B*sf)!XjCD^R%_!1|XL3-4U3=4F;==WB4 zBm+ZCfV)B2sS2TwCbFbBZ&{|&ZVPl2jf)eydivss{2Ou-Gn!~s*e{}T?cJ=up0g?^ zSUJ0JHd^#4<{ngt*{1^?Ij2UFFn=fH{%KYX&W|~M!h?FpF5ZD7j>Xoi(w2?<#jE)D zTkq=f#Zt1_VatfJGlNDV@x0iDbKkJyP2^WHuTNk*%n}BM*kh$J&qSh&yD$fGUi`No zIfCRyiQ+RufmUTJ7jh;^F#--oR5~3+D=l5Mv!WHdh0o73r+;qvIbGCsl8C&tP%9Bp ztwe~cR}#NVWWRIFB2!kzNekd!{vG~R`-4@D&X zwZ?{+{4GxRTtlW})h(=2wtC>PBcMMU?YmHk<$uM|95t3mzOpZi>kzLezp9Vd^ zSZ=$5^k<`KMC^LIZ~yAnxi7-n_B}H6@;pQ2{mXM7RzxEWC#qw*KnYO&S^WVDZJv0} zpSupsH4r&3R{J!8!@aZvhy_p3NOPZ|{L^b2506Y0vs*pQAs%4`!IAoVptFr|;KK_| zo%E-+$*1#bsr^cgzx?gFB{*}I^03&!P`HuXgMOeRefEn|S(ZUZmuD0xothw&GG2&~8>gyqAAx$-W=ZXe7qtGhw+1|n!dL2?WrpvbUd{>&<`2~!|C>>pq2o1bgdJcrD9r~^|_Jr>L$~9aY(E308GXR(v=5*iT zK7->A!92?U8~bTu7zU2W9Y0m-bN`SsKF5^FruNKgf&VyZegn(1?+JsN8=jSjlkkYs z@I5|n+ivMc5rgFKI{f*=#Em!HTQ!H!^fawHRI1Xs6e?=O5(v*13MJkEe=%tKdSOr`xfP|8Py3YrT02YHn+fi@ zDwErtC&a|m)Tl%qdJYrJryC@$M^*S0h`ovw`o_AHl4ROn%)?%Qsf!szqfc-4JA?ci zd=0zPcxf%OP>A~|HJ({BXYre>MpZIs zdK6pm;pbM{3Hnq)UQOKA*%jRQt*Kr4(WQRHd!JTP1)6T`I#&FQTzTj%ZoarHL`h4e zB1v9nK9z(_*-s;N1~h)!t2p+gYjF~`Kyk&~8pW5@S89DsjbXNjQDv&7RL!Pw+beR5 zn;xxW-agIY?wNq{&8KsX8eQVf;uJjfCa!)ii6H3xHn=#u%o!8q`ny~Qr0bT^+J>~0 zcg|{SyUxJ_6I{DRn90vrW(E~2?4?^;<0DAvXQz=bs;_>W^P8o53#^e4w3yos%Mn;z 
zoT~T5X%(!UVS>w6^u=xEk!%XpQF+Tc8u3qQF>Q0UcEghs4U_Ma&yTTOZdJO~|+ zA~j%Yi)IIgoX>m{i_cqjYG&_suIK@rnBrsPWQNAYBwG6|*;sqB+ed&j0|pYmO(H0w zBSFz~;K+@u0GpQ@kBXao^v1`zd1v+3M;f|sLB0zc+Ufyb#7&x5r6XkJSe-YX)*#W? zcSMIu;|?-DzhgtyYD-Z1_dvsx5mh!jT8^pi3>8Lzs7T|7n_dPT6m1ELDo|-uyiRel;0fKFIc)-O@faqhLtt7-=+;V2O6MnJ`BLLD zqa4z83gO+}*)FIz@vdmjm=7^Vnl^`>_{0xb?`~P=P>9-utrc>2mS7{S(*)Db>Emz(Iwko zVLc%`0z;qRu=1X%6R3D&?}>%n-O85PP9cr7A2{c2)+Us@6N)9%O3TJ7uVj6Kk$7_J zPUmoF2NMD3!92Sh4wN1nVMn04=(_Lu<236H{a(2Hu?Jy0|rZuoxS%U%(?&}_O|~L52N$? zIZqE;JDgtoD(s)tV7Xp@?!#+gzOHNsY|GDfqj$r^zm9$K?)Bdr%ugI;cKhVKu6B8p zd9J-iO-ZK(pkMa$w68&H!NFHtz!J6yB&&mgAbKL0&L%0*Q9yNkq z8)|&AFFUtX*Ga(q&q(Jbr5XLFGs{6P13N6{9CwA6ppW~z+AZeet?bZhQ6-J`-h);1 zIpMdRm-AC10nqMLb9|0^zTw?Nu5b@$*DV~t8w_`m?+4ERYd8or+aaw5{Dr#)JqG8q zxGrfZi8Sc)c>)`MQcluKL~5aj@#h2`{o!MTeUu4p;&J*|sM*emZh3zCKeLuL1QxGuXx+dsFby`4t{pUNV_xa=IkyKysdN@{VyW8b~b7K2n z7ZPetYfKdL`|J%`y!(@oclHvGo?~QsK+M0l^$8x%%)PmM0dV1VK5q9Gh88|ty#2?# zruwAyX#daWcsZdTJNCJ94&GB&*AAXb9Lpe7N=*9Sw; z!{6b&Igx<;-0f4KFWPs-s4b)?#7%*1ePLTr?!~p|z5vpIJJd%BoCgUDOl#e#u)=nu zCx`1r;EqrccC2gL-ef!~-%-e6(q{$ssf+CEOmcqjRSjml;C0i)w!Nm;MO$v)Glx}m zdYcH%OwNXY$xiu`LBoqo)$>!-NnQXQa0CcGd;y~@1F|E*hSC1`pkj@?CBOHrQ2_Pb zAPQeuoJ`)^f8b$Uu!?Xsc&3&l)OnJ+%3vYLES0ncI3HY*LM@TCL zt%of4yF%OTO_;Oo$XI<4X+v!Oa4=*?zJXw*D{+lLrpicCwj!mt$ugvdgDk8P3xP7) zPC(6$XA4j8+{S8yVk;#*R(=+d7?nhPq9KKxSW?_S7i|I~539gMiNKgU{c2D<7H(Jv zOZi7UlaD^JM2ek#(PLv(QMEDUAeNA%aXO|%GhF%4a@`0T*ur);uJn2jT1bl_JlY4z z;J95*{vDUKv&2XX)0}5fGOpFhV#c_}9>b$^eE}FXu3`mbIfER=Z~k58Ixc~9mXHNO z?za-MX-kh!5_B8p&5lzh^8BTGq(sfan~K$X24&d!|Da8BNIgDHis)2CPB=>3aOleC zX20u40Tr4aR#Fr6sqLH#jc{bB)N+bAt3m)~VwbKf>pzVMY0$RS&< zKI)7>z^^8l#f`he49S}%t(4i|n-`z>Ixi!#38S@cwi!;}sd8htP<^MRQa9Gy-?Sjm zsn}D8$e`TCaTBjc$Y8Hb3j3QDdld37LO5^#n*tVshbmp!`EG|&yRZ9(%%noUM!huc zwhBQF+A;!P&A7>y1n*w;J^mE&>7!d4h6f7f+A{Yl;z3zqmi98CHoKWNMGAiWxsGX4 zs=Veo)Q(S<2_=68duUfeUC~fdEWU|8`lAQ)C}I~GFYCo)6@JjbITPwCq7a`(W<-l# zp|4K?B=ZH=MHl<0?z-jbhAVGYT{Ig=x(dKVvcr_Ld;|Lp0!II{lSxm_0B%XmRo=iy 
z^ALGBB@w9ZU#_i%vd-VRGAh`hkSwR95$S0}jp0}EX1TJyQnq)b7*?#DkqF>%Q?SR& z)tM0bWpWX)86m3ksI8zcVbhcSeo%#xMuBb?ULLD0GC8eCS5Yu#wSsw!C^$!FLtsEf zToUJYI#iAb%nN=^lWFklU%8q3`pH;N+}u@sRWuV&aC^hMjAT@6wzoDBm#w3@>6%;R z4_lY7ew0L=$54bNwR~a6mgsbmOY8mQ1Z|5i*H2Lk)AU(>hg6S#Pql$Ab(w4GS*FaC z8`9Yh+3F2L6BW<1cg>VxM1kGsWjxR!i5$3`A2hAAN2)Be@kFeuOh3}$5UDwiLQl2j zh7FaZkvJ7=hd^H9Re{1U6>9)*y*Yw^f}5q^933c@w5sNvQg9{B;TWE*rX!kMsP-}= zM6;~jn+*1Kiu7r-Z1@>1wW|b=-d5U9u;9uxWy90o}y7qb6IbP^c@q8#{TDHWSBB-#-W(~8$1WW%~>QNoJ|}fp0$oEO;(skl_aiR z6g2B9wKH-1-S>2gM4MXOqf%M;RHT9(i|!vIEX`)B4=#~7dv4)n3oGGFNI$kAF?4cP zzS931cuvq0AKXYx&c-`S{HMr5b13Fii64ikQ2B*DFzw7}$j_FYKJBiER43)=E8nKr zcv=;N#Ox9F;z|g;ZUj+Vc>51+8%wD+Y{d>#RrjD}R=dQMJnYBBrGI1XAC4&VnHT;-lZj=NHAqT#0Q*0 znKDMOG1gns$4QoFJ}>B>GQV-`Dg<=`8OyLHDT}?xbF|hfufr?~T;|@I+HvYUpzp!fP5FUfX3GK$rUls=w-O z8+h)(`+Zw626KWX_LtAfd<3C8;#oY7%H@oNqCw|RHn$%o^J7@f4j8??Mcd&pY z+*SIz?&4_BQrdn=C9>xc8ST(>kp4RIoa1^91Mq*vjr^c83<2k~FPcOHaKP3;kJo$4 z`bNTK&S9Q*9S;#wZ*bGG18@Q6K#Yd?r;Tu?f#XhO%S!UK+uuC>&D*<;T-h`so8ujx zuJh3FwAU%b{+(W*6*9|w-!+?Mwr&T|Nh(_Z$I%Ylv!3_)Gfx*_*kIZ}<<4@a?STI3 z{9FLk)qBYQyyLbHSDtT?0{}KM82S(NvXHP@_J=hYP#UiaNbbZ`50&#u(Pp37aC z?;ok_=JS^tZK;o^oX6eH%{}v_qtCD0nbbZiS?%AD-Mb`ZtB*@`_u+Uxq4AF=SK+Tv zRsZb?lcwSJ<{^zPk(XkF!OA9ZcFJSt?7!^m6u<~RdjasyvyuKsBu+@W`jdMll{TUL zX|f$TC~epSj=$3e0;mT+>9L9>wRzJYwoKb8dg`Dh9V}3>%2M*VyF^cpMfXxpAS~iY z$LXt8HE{t#v=fIyy4;|dLyGK)M$T=InQz7n+CpP`Xv{#|Fm3dbMpaG?nXzKH3DJO* z<~N#|EQ11mU_-(RAttNJ9h{py56bv=H9i`Fpki*dRzi?}*&=4K>62>oq zod#vh^DVz$3fQa{p;59*Wh(JCo4%82Cr=)-FLTFa(3<@$4viW9%js>eV-F@0aI{BUcEByxJy0NxQxTfj-w;u$-C7uEzztq@;*V9?hs4a zr2;Vgk_|q6?t(g28VIAlp?_U3N5J|tJYH8nM=ao>oEO+ zwrW~KRr{jL;LXLMMZ*N218uP#IcA}H1Kfn4!>5krcEZ<6(JafE#kRtcxBZhrw&m1r zkp8lcC2I6mVyTMVpQmyovq)B@t%B}rHdQ#fBU(Qkbg+-m7$4-~ybn#DI<=}?BqZNi zqes7b)dFF*Lr*nz{1skcxPiR}#lFIX>oH84`p8A=U`r+sM#C`yWj`=(wbZA(e#*Og z`Z0%-+LRuBRJw1IC_)x6pLlh4jAx8K=9dZ*L2gmLuipFAI_c7vMR9z}^kzOR6VtN$ z@AH40gTKFmzEwxGPU8(c7>teH$r>~)g$Def$4@3&kCtYj`h8}SW>Woo8IB)jXYDG6 
zFU@?4S}nF`f-*+2cD>-2j&;(clAW*#zs}12SD|B+akC|}0TYDPVo9b@esTH*#ivMG zqy<_|lS>=nnbs-cMN2No43Oiz+UWQ%sos#E^X|h`u93Wn7uAyOtG4CVl@zHmO?DPG zCJI5;U#Hm;Y>%QWROX&k1`xfSIEgZ9zgEVNmt0F$s?%UvuoC}~#9t>QQ;wif7$-ZG zSXN5gvHtiaYZHurti0EbEn2@=d&XI5>W(8redM=rkr5n#UQJiDOR0-E-FQYHLix?? zo1`LkVh!T*JS3MA)^LK-GDPt7mPH)fyE#zgHNM5^3M2?@SMsL0K`1gVSAu56bqZeh zxIYY_bJW;mtdTU?G#TSsbrND+8IYamAwro-lt$~OD*Nrq_Dk(ba!O+yBIL+#@mrF) z@F*d^z>|O(_Tkt5jq9@wGbXEJAB%V;YypeYHtEC*H)zUvn_rH{^Ezos2;!_SRa$@K zim2|P@!fRkGHp6wxo*E#I;13b27ZrD3%c7O+ng#RbWey`z}cs(Qu~KqDCc&|SfSp^ zI2swZ!MRW-bQ(Lp{7rx!=ia5SrVVeIwp^FIuw^7|fp$K!tO#;L1rC#6EHNjbhX_Yq zF#hWbdrl?WV8>QEPvK&| zEU&CB&lo(PJ6_wY{?IiFAPPMFu5&AcL1BbPMn)uCRzNy<@%|M-sX){j&F}1EOy>A%ri5)211!dBwnu_GakE7zenrPXojz2JZ6bIevfF?!*7Gq z^LHD-HgiBwVC?MX-B-&qx#bC4rJO;bmKpC8`@@ev>Fr#3LOy3Sp1IwJkIPYx{aj$nt3hpiDA>e-Fo<#WN{h0eRpE=mjx0$>DVLDl>tUUIv{mV zJ(u(Po{g$=GP$LALlU_MxI7yJxSIXpS=~CxcU^%fZyZy&NoG-q18`on*_hOJj`aWw z`u9$$A41yG@|$zVLEh;@`7?$cw!kib&rTgF18}X!=*Y{vEp8g`OM>oJ=va-f&GX0Q z8sVPr;hWN4%luH2t`Df$6;+_n`H_K;gqQEOVB?gnJ~jUR#&gZ%{zKFA zY+nO_&y4x;{kyj*UwKUr-sB62{s;mj=p0=fcb#;QV;^ybqR zHUs)(-Y~tj!Rq_ph`BHBP&3GS?zE$RQzr=Ii=5t^Bn?&u5s+y}9C2lx4%iy@bu`8D zEv!Sb$KhsyGp$M9Ij}Ax%4)w;#9phg1d2OW)Kq1^xa+<})Q4a@F2+8P?Op$pSR(cq zDg0#~V}>IRCmC9UW{u9rmN{>IDY`TI> zMjRm~GDm^1vah;@!w)3^XO=XzNZ{}+WU=C7j3pn;L}6haYl7pT2)YOT;D7T1o1B|q z6o{*i6d*M2MQ@X{4~FQ~qf);)7$PeFW)p3diwM4iu0#E1UDT#O9Jqm3%UW?>rrxsm zMbcVXuI(f5PwH`*?l>+mQ9ri#FEmmS#10CkzJsdVF%)QJMOeZ96mp|q~Pg~PmpRGB)gnc7_IWm&|uR$xR7vd!^;rnA=Iv>sa=K z;-SQKuY3&w7DQuM^fn}pXh$AVmO#HGrI;-`@ccN@mFGK5udpcMmU-$j*tqF|94J1h00LbgmkAJwJT3=jJfM{dZx|4&z0 zMM?yxRM&0^3WCX(i`FWR*;v91Qv`3!U%HZ=lSA6AP|Y?|IP+NRDp|5+DYTE;P>SL% z3bhxxP3kydaTF4f^z!6Jqgij3#l)M)1sTH)V};c5rG8Orn>`m_5!bYITGu(YMr3sv z2}kII1BYN)&Jq$)idhxu^+qW}>^NnhMk@sVCBgI~VnX$^aT2kWdJg`ppt*@{n(gQ%FAcp2M2`x>b#f-Dfag zDqq*9yomB5sL&3eJJYlv#K@I~>WSnkvu${eR}A8k(}bYchCE{YaAL;}Fi3za8)8P0 zUAnO9ex#H@Go8GjGPfsa%gM@B6qCWW=V`=23soh`ps3GoDjW=H{+b{YlR|(PqiP?) 
zo?xP*B72CX-(>TBVgi1~AaV9dIWg7byGcPwj(efRDXh4qU;%&G2CH#X0W>m91Cz>i zEGBx!;Z4aEE1Qj(Oh3YbgJyg+RSTs8M(E;0B>jf;l06CIJ-yzn!e;11!RqZgiPPD~=GUmhhN^b@FgLjNS9ia*m znV(}=k<^y3H4tQ9`-pLE^dug*RL2n?h1ttm@*fqp1H}d9}(6E zyDsyeFukKxfPbrCjNY)6fF;HEhTlkoC?~K|$mdzK!LHk|-NMWHzE+-=?_JoATj2uS z-oOvJ_&o3|(%8q?2wL0IO+3MoXZfn1GmvLWYWJzzs6)&*6N%)*DpMHB4(J^snW%4F z3y>3$%fl1|k@P=@rVFzBjwmShE`F?J>gHeUDAwwpLN!lY3MWj(-hSp9d3Jxyc3$M@ zA57UI-PnxK;Z8=3*ci&Fo|$5 zGtjTx*8n^N<(l{Nu6h~FcndWDw`aX{o9D@T)=qYVa6o3X=ANJDewjCx?|Fl>C-kK9 z;YsRGqjT@BI8Nj`23L)2xPBM>LS5D|q51rS#SHK~*;qYN|M>iNi?gGjrnC#KD^F_}6BNRyfTNCilQ2 z+&2aCI=p-=owD(~^tlkq2L8QVK=2I9)X)+Hd0#c;TOJ;wM*d+SH5xE9Xx*Od@4C$t zsnHQO6juE#4}_B=6;*+Exi7xyn$#w&Zy!3oUA<=Jy*b9L(++r?O7r^J>oOC30wb`e z3J~wTj2nwUs^7c|8nVm<%tJ)n?GyUyxAr$Zuxt*?Sn{uhi)`Pnvit*+j)4KqAi@W0 zAdg=d*pKPS{2Y*_2uJ9r`0ov+4xETjm?p?WXX|r^v&j$Q=Qpd_AC)}2WIm?)1`%z|-CG>$dC{AExfU6eyUSr&|)$s9$Ai9RbH8AZ#V zYh2N!(+g?drCmYGl`SK*P`_@cT?M&-jx*M25K`tQ%Zv+~!@KX4Xyb|0^+z&upw2y z4C+TtORQ*;D-1oEi5E9WHO}<`o4_yXTY(A6gqS}^rtK7-!_qL}F=l?y7vhYDh8b{~ zF^mfc{?wG1J&zBI%*vS9%9JsUVL19yU>qy`rsA_`&9M0(!y|Jfs-fA5V~JeiJb8oZ z?3qRFiQb;SQ02a?5-DQ=sa*F4o``ZZ?R3repakEg?nD98zCG#KmT?mTG0muSF_$|Tdpsn2%H2G&N?i!A z zg`JxT5yaf~x+-yj8b7rZ%2duN?8*=<4+6!EsOpl^0|SUX+2XzzJ76->2Ze=^#LC9QvSySgYd8!XQ&Nb5 z4DXi#BfmhJOKf(a?-8}3lO=q`;3pZN(g#xwSUctT?=`ZO%EO+-%(X(7c&PycWH1&b z`UV2lQx$g(5!?B%daPzsr+EfxuQg{|@70q6o5~A3#riEZpJH|^tuZ66OgB|F$}h=f z7}zaMBc(coU9uwAmp9SCzNh+5PIyR-fig6$jCvu%TE1Eqyd)*Q#*nPS9AP#v zgJRaQR=xNblM#enk#Vr~n5PlhVCG$dUg?oR^$Idty!DmeVUQNv?+*5(lo)K-JZvDE zFU4nBdz7U;D;*nBCAJ(OUtf_EoOu-B>MYPE{}IT^&S>%ai@vmDbpRiSbN91!(I!%` zAb!-k?lijcFW{_y0pojs0dQ^~6UZZ0+%xO;1ICL}*BNKl^)s>39^WNc-m|Mkaai<* z;lnM`9v9Xj##<5NZJHP5F*XVEo%-BF;CWK{Pn>}D*F*~$fuG0J!t`d}2t ztFk7~YB_ZYHCW4dPzBMRzf{ZVM2unAAQQcG#h4UQN5Wof{^;YVD1<4585u&(3WaC> zMnL@aBqpaI<*Waow5F~#gbKyDF}_ETF-r759}lvOyrwNlA8fZWFDux?X`>wc7>;0P z3)a~frl)qG$jhf7?Isi0Uq2)~1E|w^8f*mtKj3uNGoY!H=^l`7NMG__(C$$7Mew2$ zc_C;bS+>9@O}0f#B02XRt?w)zerM@x!XDFw&%(FKsXM?~q2jJN1zptkvp)Z`i&KUd 
zxo`u|cYU+?Mr?(>C9&&lvc#4Aze1D-F0k8g2w(eFXK?swc)3I4WY8GEX-5fFIAPOWs-)`> z6^Z%^6to6tjdVYZZWjtTaFtset?TBj6W%Yn%zh`{;Lk9SwcwrxAD0!Q^&7>Kk}mSX zdPDbJx8^?kp5&2&o_d;}be*5%k|$LzfY!-e|F+LsIpi(^qYZJ&KmEYoZ{Ll{Cm5Kj z`#k5*kc3SPdVHVqPlpJfx845)op|m7TgOO9EFF&0v$yodhHwe_pA!h{cccvh1sk?r z_kd@K?c=*olNfLaorcg?x;Gpi+HadMp1=bEo)RVRDwpZ-==y+F3{T|;TqsD^E;^kobUDEg~4{snUp(t-7H$}0Y={i z^d2r!+kUzZJqh%`ZO~~kX$1WJFYI3f4)ccvXa1K}=TMefxjb0``CGY!T#BOocqPtf^KZN<9 zjv)DnMf!!;VOg^!=-ib|D@v%_s;qb|D|JQfR9EYaFC~YpK>*`KJ+tU!>b170l@WT7 z4JXNvL*oUM`%-A(QTS?#vtkmR2?)Jb{`}%#W4Ms1vZic7*luw#Q!9&NQi_2g5>*zd z<;^_Dt6Uqf`Mg%?D+Qz6sij#QkbP;x?_kX>I6QFT2A#1TZ=|DS9}2`ZRNU*iA?dZZ z%OpFQqsUhRTIYZ3#WG~YIyfF!jOARlycQ^SUb&>l*5W-kk7umvv?WXx%k=HJ$PNq; z;2Ac8l?t}>L+n!Q*TdK(7bsVisAN+TxytCQeb_nQk~RA?r$zHphO+ec2v)yVY0}G5 zKLOUeuN%f9T~+oU$bD!Y2ylqVC(hkATvDkv(#+(_bds2+l9=Q)n-M~~py8n*$(HBE zubEQNb)Z&6rcQwJw!hk$zLAI4baO~IH6GewI0y}C$w0Pohg z5PwNJfZLD>=HsUrddKjBtZ;gg3`NDQiPQy5)6VIj^O4w(%}V3q;Y;*l|x+Vo5SatX?AiZ2E5f)!dY5u8?qSCKC#%1y*Xx4dYUh$~ygX8Co5tG(jxb$x?KJ zL$%Nnc0KQPdNga3D2BVD8U~E~e-Mb9-~Oa}D_^Z&rbA56jOK=xCyglx z8~*LsGRVUiqcqYZ2d->MaZ08#L4rEAt2Qu&tLl;1VYoX9nWos7=7(mpcQ-z6q_`?G zZyNauvic;d&q@rhLzL*IdLy*Q6eQe`2d+kI+E!MDa+Ol3I2G&H!h8(;V78#)R00X& zql!0Z>Tz-1rVJeoM#$o-OSkUGt3$dZD>ZsU>DW?Ms>rhQcFEk5uix8*F*pki!chWF zkDF(I(UHI2TEQzx)*!Z!JF%;jI|)`j638^CoO)s7*m(+Sbe#XX7}{7(nL^hzkdhf5 zw5|{)Sa#FBsI*HWL^JtXoP#G?$;t)K-F%f>z&3rPu8zodf?)_2_%!{D*O*@g|pU==h{p+6H~9nh=XkUGQ&5Qb3gt69wT5f^ayzX6)-$Q7yM3sUk)cEIf z$FMI#DXU@)|1SRySOg!5oN9ea=HN$`pk)*CJ;8GezIF|`?UC=AZ#nIX0mqxs{r!LM z-}`)l?YXv`4C&dPTTy?kS@K+mUo6KytRq2R2Rtrl_jdLduZcVdHnvEcv$K7^Ak+8% zJZZ&EcMsnt*|H}hso+OrDl-6uxL){=C0g2fcpm2-w&_1vy=VHu+wI=YnE^W1f(Ok< zB6)gWfqPe#dEK{YJd64H{Udj1>Zn4Beikq$ozFZVHHyxQqBTeVt5w2$k+2Q!UZdU} zu-}UX3-DpGd``8c>B`LhSKs^E zCR^mGSI~3aHFoOhr)aJBDHN{9TAyuw@)P^rt=cxv$@R;CD&dvq6j{HIS$eQq@lIE5 zY9m$NE_Z)s7cI#3V|O+gtq#2SCa32C^nX&ScWrz0^tE!jK-v@0-TX6T$^w20D6ebT z4>PX|3D8Gmrg&=Eu6Dim*aD2C*7F@=0R!#R^rZs+o}2}@2|ng}pGCE|Ky;&t& 
zss%J`deboVW|RHk+3Efk9GPxzI8onH5?A-M%&$cVBqiCk^XL5Zk|_oUGTo47`@V6*&OKpuqjHK*oAzMR+LV!-CeOh0%KG14 zX?UK`1{T2=N%eT79Yl2!dauUaqg-U6td{YL9qJ@RaT%0e^&)0*5o_USaBIH|kQ zB&xO^g$W|83%UL@ua~04g?$o3(d{oyqd6L;>Brb7XbtLhuT9x$`MT|kh-3B6BzbvW zl4k3grNt{~+D1Q%uRt2LObkt&w4k<3IZKp;Sf>&ch3}T@MMi5ZIMfpJY;bz(9Fyi# zsW+>lcO`vtT6Q{WY1`Uy{aidBpUPNXqlkIU# z%)%VxHWk1{|jO+9i)Lzxg$mK?sS*MWsHQFFm{J&Ru zbU8sbCJrj)8s|kRmq5{aL)WebS(If3X1CI@aMn=Xg;Iv<%6qVPKiguJ#9jZujEjOq zQ5g;ScF&YtO&z3gq7Q+mgj`iTh8b>KkSTAF{Rmh0!{WnW&5B|B+oHrMJ+iY7vF=mH z>EN+;GOt+6s<|+w3HvS6J^Ays%bAX*IAZ2db?#Kp5sHF1BSaaH=>x81XD2=D;<{s?a)Akb}W6*ZG>PivNUCx3I(@#CViElO# zOWK6QxMib#rpWPRqEj%2aI#H%Mjd}Cv<+p2c!A^B~(XZJR$c_MwM?`uy4Jp(&l`8>ctS*#us(l z>6x0mw79QdvT?*Kvff*o=HM&88<=4UHsw^2R}o2An;yk0;8?9@*Gkm$^U(>7gm5lK zxvCO#Skw|;nOKVvTD+w!nmMl@>D7Isn6J<|o#@08=oV65a6x`BR;^G+41>{tum6!f z)bxvHrxJC{E2^MjJr`9}5D$$}NA`^E=PiXsfz@;~Eh{0sB$N|dB`l1$eT8+g!`eUY z64m}aCsAHBS8eGTv*{S+#wrx|gvxG{74rsFGEpNI=D)dN5RG4cOSL7L(dX&Yl-w!X zb*o2Dy$M3R8Yfij+zwPW=YEa75b8LrG|sRW%^1Q$0I2gs^1Wpi=l{P)=Sx2H`20eBr90l3Y_PTxI0#qRS1|8C?&RU5yYv%Dcasy-EgmRD`&MgbUrJCDN%(>ein zxxJp;1_tkNdw@3>^Wxgc`uFSJ_KQ*_QcD)!@!osR*4(6Y(CT&ju7B|JTJ-MrebIY> z)3fkdZi0JTziFjs8vqzPc;N@^n!5F*M$35~Hh}x*aq+s=E27`?^07IF!qWFvmL1Uj zvURT&jil9nty8nh_h30y-}-h_b*z-F=aTdc0x@g{jBusek_zvi@PHQ$fHUsxoAdoA zP}Kg2?0zm=B8Gi0`vV%gy4MAU%rDGxc3pdCjw~J-qRB}f;Obt|dIji9)G7PsL7MW_ zU0#-GqUY@e!W3rT!(Unka4fxNQ9}-y|A=YpMLrgZSMG!Mn1QQ?5AOZW(-2$4FUiSL z0)75#Xis5(wmb1Oyk6K(&KT-*cfA*iUgmKAVYJ(Q$ap{Zj%NS3AdA-zxShjts$5~& z6zkm|eynJx2J}7NT#aP|OPj|gZnS$3x9Fg0dH(wMLGp0C;~TmN0OU$;NVnx1KR{~xBlvAeRcTQ=!*l8)1{ZFX#{W83K1 zww;b`+uX5j+jctU&b~S4-h1BjWsda&))@8FtXWkT19IL$aQQ)Q8a_Fmb0g9=uTLMe zcKqlx)l|6-H?eM0vM0oILyR}l*UxXuBik>hAFtWUem&2MCp)eydL2HQ`npj$e!zT6 zt$%MF>zJQ{TYhJ7YFmCG`aOZUZo?EEABPQ%DQ&l@fGxj&HJLh6;wQD5-X`9PSEX+J zj$0y>0v&q{?=$b0Kv3-~NSYr+&j$dVOhnEc2$Z+XoP+lE9%^eqMQz>K_b7Zv@2nqd zK(n`-uhO8$uO~GUsS>KtK0i=X1GI-R?8ix4^NPTFWx{9Jp8^HzpVlgnagJU$>4>2l zR-`p8lt7@J)aNP8)HtI*FgZFxCx>4_T~i1tlqW)Jn&iUF%tYcJ=b+g6`!6>JTgDW( 
z(ezQ_c2XX_Kt48Ys!SL*vDsP+dONRF%EpyLGyQR?hpLFtrcAm&Q~Yk7ic7{o!rIuy z)hHS#I@v^GiY}EaiT=$6)CIbRTjXxFbG=HGL`l?p^iKq3&#oE>(;o>-P_hRFGZsrS z3ymUWXmT41-RCiLic#hsKXJ{C87WmEJei5HbJQweGw-<3Fj(MwaW(e)b1_aBdUwi>QCqy}Pehq6M!}?PUM<|6N=pcAxuAQJDKN zFmSmYJ4@!IS5m4m(78or6fMY^Ubnc;XkZ^Vm|R^Io5E6~O;e0pH{*F#<~JC<`8rdk zn0}n4Y0@7ezcL-CXr*JC_Gz5qxkwr!*OH#>Oqclu@K)akdQJRGD!i!+F47V$-AM&Y9u4z{ z0(_c^lJ8B*!3&(B=80*oRN+|X@DhlRS#5-B7V>z^i(bm+Dq|Hf9<;h{Sy#So)*#9& zyZYf-G+7}5C(AV0orTfGQc}Em(zi5YDz!SM**eCWxJt}cjG7L@p~dJ#f!`q-{$_`b z?hy_A$^28bn}I+Zv;J0)1se8lKgEjp; z|7BbFl1aRk=`17@d_}MXDH*eGIWeV<$?+^;WcT5Rp8|MCM;aTovukMHAU3iOJ2V5y z!L&uCwwh=cu~i1v-+pZs^3_HIwCjf=RbwZH(n`{76e?1(gj_cFunAWjah4~JG;0(7 z2~L|s`>?<*luxTn&;IUS5>c`c%6DuRzwqwTn_28z1BwbocaUeZlhkGqhMb{gOE&rj z*@4X=KS&VG*KG_DiBy6QBFx5TvsLZ?`je&{fHnd#&oQrAYfyS`2}fz9N#GR}8VR}J z?DSo*>zvB!fo_6uP`okngg6E@%@!_ElsmsrlYoF&$YC}O0g1Fiz!eR8kml?x?^?;%ciekC@C*+vZ^;ZSdM<>5wNhlNXm;H!QpmM^J5uE@&?(WN`ROS%oTOC6 z4ITo2YrR`W8p$NiRk5L(pO%~FT0Fi8Ubl{8fOjdJG)*qqILPhkZ}bW;YVm4em6bbA z>N>g5*|+AT!5Sv^p8+C;2>AU#dnVvCE5RoI%fYPf^`_?eJbtsn|9ObNa+O_aEw;dLy*h4seL19JkIo>clqU{}YX-zlfb=EE6*V9kFjXOli_;F0=>-^ku zpTl?k^ltU8w4)Dwh{(BX_BT}7?~TgFTVmt6#zpR__R}8jY}0(u=JRS-UAwFOguRr^ zYUpGo$K1MmNxYQ3#p}L#2d^io{<2Sg%T@NH&nbBUajd{@5;WN17Pi5lb<&Tj*7kg$ zuiu&3_=xYfY6y&u@hN!gW2UTC^m^3Z9#8!^8}~}L((Y(3tA65t2!zzmYFJ3w{KDMl zoV;W>fzFfW9g~#x7qe5V9$&jc<7AZ8%T&OylB-A$!?y#%HpVXgt9|X8H&l!ATs^lP zaY}xt_3IhN+m8XS|FVMgh zeuiTVzbfK{FUb*^!aH1|{*-HiV83;QhcQKgW$v)oyg}l!)W9MqrBbzjC6-Kuk{Xtq z4ILXsP9Oxg!Ho!v``!Fc=5c`=S#FYDmnAj(caYBVUS&4kf~&4o0%idnCcF~=yy~xQ z0%`<1cID{=!Hgfj^$i^jiQ$a@EHOwISaAR4#f$w0!;q{*7U)G{bC>R!Y}IjEmMfSo zB{q>H-Da(tk#pdz!Mow*B#^#D+4u5f(@Iql+kL!0qB%FH$UqN zkcJhqZ{EEvX5E6Y7$@6%h>+!|Eh@$N!CN2FZj$=eMkNpS;lf|2qh#D13qp5$F?~I~rLHZNO{i_lPVAd@St5lT{iK|C&sa?NW-y_!O`20W9l$ke#SxG`vv zO0`OsEFEHaT{FMMT@|4@B%QIA@$0g;v&z7F)Ck~Vz*SAe2C3j3uR^iSif80JpfmB% zAVT>HG^voCp%j}EjwUK;6+$f$WQ+@~sf;X2r6+w0%0Qp>h{wj#RCE|>u^GkL91$n} 
z;~X^ioi>yz+W0B~<_9WVW^}%|&{7o2g#tOQR4fW#ayS=>ZK7d8J4!g>f=mbAn@L-U~ulX7cFog!em(=^Ko?|%kp2l89|s`|X&ywioB zzUW6K=+G}tvisX-P&}FV{*Q#uFTC|Z2ZjaTvIb6Ne4aey2DN}*&g`l|!!_!N0Pf4e zNy~SgWb4*G-Pw-~o>cvJpziv6^#%YijF_{j##IcL>wE-=-F*9!G~Lc@kZwA`%KYkv z64j$j%u;cMKtOWa?TcXvBoEu_Q<`_QC)}Y|?W-kJM$k3vjqdwAhBjlzg^dIuM(!H_ z#Tj7wb$aivW5@lF|F(r?0Nm>na9}lWR|80OeurD4x6Mcum9SN3(&tg(KXx>~{h@tF zw?}XX38s6Wp3Cp>P`K!oxdrt1wDhPvQS&W=Vdak1Z@W{Q-$KgnoT7X-+1>%I0cLl| zF>T|0FAh-|UNzriFQ=!cplzIATSgB3fVT`N5AWJL9!AmC`cH_w=VpXmPnQQTN)q&x zSsL88t)CKMuvcQYgpQBRMbWvFmvz^bmmz@8$CtiJoEsN)Z5i=t&}nzKxhW`crt-WhLlg}F%I#Pjzk{-5Gef?76tnA_r!aeEq&|Jv^0Kq>UqO@tP7rPDy z3wQV)M$Y%I`0gpK+Xtaiw|CqxZc9H=2pSw7r+MxsOl#J(yUyF*<$0WIac4Rn?T^zi z)%^gz!!sP({YkFwpUXT)%7mP!rCl7g0(YxnYCpGE4dE>AF;m~l>+g|zK-bx$z*-yo zolrubysXb#2`@xO?hUSg@0hiZt!G!Cqm*WpcW*tsH}y-Yxq!*#;^O)~vm21#6iC1C zerLAr10*(ha!Z&Wsd8Dn^+_0Pwn#0I`EWZ4>LPmH0iNtEgI>Ackm!CLUrJ;*FQx7a5a1p)G7zPA$M;amg@ZuTmAuaKXJo8;1Pqc_yvr zLY8t}RAzMfb2loT7|miiJ;!ta;iF;Vm zn8*}-;pvmkS@Kf!(uSlI_Le{M(TacBkTXy$TiMr^fDfsWXA+~@?^=};3uxY+363Ele>%|r9OWFc-CTYzhPR#gbJ zy@Kmg!h(~KuM~ko7lIk3!-&)Wr{yMDgNN2 zJssgbd|v#xgquvUnEnp)^bA)UeeC3~Ks~{E>whBqh`gCXZjVh#QUf%6kO$u=BTS`T z9c5&tVzE-Dl@zgsE|Py0dBJ1PsTPAnESUPCAsDc$pH4GOF&@UtXyB?EV~ZrfugF|H z8X`8J4-Dq>R=P@w;!a10EtYXtP>T@jLVhn)0pvwu#Qt?&o54L8l|D1dW@YiI+D?*K zkfFSe)G;9OE?9R5D{(R})LMWnh&3K)g|O#dFbp%4vQmNb2%`l69lFwUwxmq%M23z^ zLYkCtR>4tJMjXg9;<9T@%yinI`^vMVJ_uLvPRh(;Jdgh~_7?<+P(V^|Gn@B2`oF(m z^?{Kq6?6v-lR2F%(tvhr>P*~hKYYm+1D@e9v?OH zm0t3>qqg?@h4O?Q!;HzLb{7Ia3~LF2hl@tG{J{2H=}FkcRK_lsQognOIo)IYruSTp z01r}QeZNUZN`CJL*OMwfyR$#Y^m)&mRsrv$otXtkdIGoInJ-hW8@sR1Pi^^+U4;x9 z2hgRwoLf(K3vD+g7+!Z>ZmXrPnzvJ!uB&GfJ$9d_#&-_R3pd%X^K3&1E1D%9hhq~} zzW)x~5>f&3yk5BgM1D|^StF91zFsJ=R|o>A;k>0sxz@{0Yvrlc=F=0&+UvQw!^aF{ z70dUzR@f`Qtkw02YkZR%4^2G7D7W*kQGh-7b4|I{*M4c8(9V7RxklIMQT(PLHL!8H z=P{W_8Pg%Tnqc)=+pVT}r;+Nj@y0RJ+4u2fPX4C-rer2IbVtJ&h>t_a*nQ5YuHzf% zJCZUu)(z_aOqbmuTjsV{Bdl@-&6UhYS#;^zSOu>JH76r4iz_3u)>NbbA5?q#hvFgf1o?|&O6%i8`_%gE^& 
zS61gs@^gK&t9>yU!AJ5v^=jT>-~%)l-T$^Pcqb_^m$POnZw5SnVxFU!rR+xEZ1ujQOG|F zA=n5#4Ui(HDJXW~ylshDDX%fNCXKR?cXn_DpI+N`>A-O=mIh(fxxu>~U#qo z?b+SI?O>R5X4=wvTh8h}>%$jQsR@{T~D&OD|DHgtsI>R_>#cd6*qA4mnx<}d--Kwlb$wu#c z4Ry~IFmcasF{}^6d5~YZI=YBB!9mjV874x_R-|Zup)59*%O->I1W+dB--cobyVbyf zJ(^lsUBOVguL_g0Vg`~H0y_gzFu?%vYrxt!2^=vj2!mjnLQfQU@vABfCeFF)i40Zz za3KK3YjsM+6BR{j1jSlOsSBIdz6)7DUxWHpBAa?Wy5PhfdfhKHhdH?5s!fM2>wsU7 z+m6X(8#c~NKiH{)geY1^06L>~$Mpd?C+;FChOsMHd0H5k;?1+PBE`Od(iw zo~;_@H6tbj9_OTb{P1%oY{c;grGkx`$e1c-dh(_!ZUtKepK6tHc(%W%0n^TxsTo1y z@eRWe%8d8SOG~>-Uald3wBoI7)y>g5k}v6+4;>A`T$BWH8KcQsF%>kLHAb70EyiL! zY(79Q9~^SWYy2OC;XuFTf`gT1KMd3V23Z*(pH5=C|~@v{o~*MCy!bqWnGlT2zR=a z7Mwf2V;Ia9fyZRY&1OoTswue<*FK*&A7udNUIk}r!*N@Rsa$-t-G3#9StJP`68zzH z#_#>>r3;#RwbPXUSqYzc6PE68CfHwdSob$iO()CHKKfKO!g~6NhbmRZKP9pMR+3*e zF{njjY9d{wD8;!Yv`=K2U|y_Ii<&)IifzlbdC0I-lc0`iTK4i=|NCF_Cvd=|XBFea zN8Wlb70;k{9qG*Qbtf;C3lD~} zU5;aQ)QS>P;zEsDx7_)$Mty0&1`Yn!-UP0U=YKDWoirW!gUy+-K0)t=YPgLQ8#AyBVgJ0AY*Ue+U4(Ru*{qyR?bEe1Z zu=dk^OkVE8<7}<}CkI{qD(MO6HsXB`6N3)8JM}R>v1vbL7+ck|#6H94F>#K0=`%$x zpLKUKDJ%VPv;`s8v0v5-3CV>dd=E_qRRom%~t1a_;Ui!7qfLW(~S`6<7l6BM$dlP zAv6D-!DmT{wyMbIJ^v!+3g2zMT!H~~ET+A*ttSw3@wnpV?)xfxfG?+E_&CmtxuoWO z$^D$Ocp5Cb%>BJQ}dBB7^13*Sr%x_ge=O1pWycc*>c zW~x+PHQw*FI`T&t-H#^6*Ep>2$IZQGJ9*R)Dra;W1{`K;yQfOR2pO-vFMZuWN8`tY z7`(n_51W5_vF9ZR{Y!{J23p5 zH>Vd*T?AhiCvH->$JE+&&yn3>`twTO+XIOlUf|yo1~;|KlI?T4&-L?O@Dp#dO+Uvm zmiO8$r}E}QS4{rq8?_aDjkc49y4f4T$6M{4?!8hZ7B^wc${C=Lr_aiEhn3Y1&(Q#B zS>+Sx|LU`}?w=bvz+6T${#Z~N=k}@Z)dw`NDdxpGFbw7|jE^hm^=nn!9rGDAQo^=g-@ZM%Om|Sb-5-KCWXy#ze8MMyR5fV=aS%pm9~o|4Bw1oX zm16E~sXj`PMs(GLM#aO5b$>BHHTc7vT|QTBDNgMrQn4D%eB^sJSP6>s??7Ln29u__ z-zyb=0HQ||sK|JS`1u?^zcZ-c@>q->5`9af!dR$Lu~~4U$<{$Hp*$-mpP)uL#_uqT z?aCo*xkV{_K4?hB9p)_I)S11u_i*lqCW6hYI$+DU9Iklr5MfAfDG_T5>|28`=6Foe z8F%bso%qg*V&9b|=zZql=fuVW!d z&7`=o#>o8SnrR;IQ<581I%AA#oo2gs7`(>qJK0}tn#cR=R;bbHiKvbRHp3a3!!lvi znFlsK=?JB0>0T<<9B>q%_^2p;rs9(?5K!(g>tJ=1^BrE6ml_Iz#&!@Aae)%5Ok0EL zZo?IjksP|koHSK5H(3DZn*`ILISVF5YMHP5sDWJ@`vXAkDoj6Z 
zQV+W@x-U71ra+0e8zkIUS!Z6673C5jzd;=Z&x6WNod>pZNRKeo+o0j{_4kcC1osz9 z8L`2O!3MXBW1h4BkWDH*QjC$ObCC&gZpmGEq!UAfL+eG0E+L^-98e*t{hrymT5p9; zTA6fYU9)0=j(}Ew(dAmPT^)s(M#UNXPqd;B@ulSVgD%m{6!Sn8`Z&b(eJD>?G z_ybTi2`-+BUXHhJsRjjfm=!@GRqgjoyD$jq%t0lpP)s+VgL#@LX6F^W?<=}sP9B^T zZc7p_vJ{-Cb-iT>Y7+uPKG(r7jwipZ<);_*<5kKM$Jv<8d(yM0epMsCv{YoOw3uq0 z5fPZE%s>r)IRFEVhW@6N$rgoKmk{w($X8ZzQ~OsFZCHdl12!-k<9gZBnWEWc%w!_f zx{=N&e?W}eYS;@oj4F42M=S`;T^y&Hmly0lZSh34SwH0bb8f(CE1_ZOs=kF=95G&` zP=Eh}^->-zYz%IeNYx7Ms7O~#W4MJ|jwQUp^^YKo%Ou+o%sj#5cJTV_QCw}<88>tW zj!q5~`AQkM0h^Rn+u9b|R%R>Bz)J+z|6U4zt%or|+C<2bzT`mY%>RF29O*A`{3XP~ z4$ZM5Dx%$Ce}sL|ydlMqe1%;9JE;aaEzcy$>gx+_)y=(37Z$r+tbAI&CL@yW=veRA zBrY#ZX28Am0FSq$_&yU^vd~lGac*|l1RfW~rwHj@XDxcP_u~a@yI!doX&L!Em)ypS z*`~dMyC0Jq30v=<;6h@n(Dn2TK3gMdJyf4CwM{Ndk=k$FPWZC!5k3C(R;GA3jGP%C zhTsY`ob0LFc`V~B0Quc5m%Ij36LAMwp1o}Wmy9(&7OfKujL?9~#(kz69YxJg#PQz6$Rg2Yf{`ILN}cm;=Elwy!oJUzkP(werhuk?N^&x7TE(6+tVEgLF;D6*=^kcOWpjfn)13?%nmi_C}}Y z_ycpg^Ke?A`>imuU}Fw$o^huZ-*J;X`_Z@cEex;?#TW9C@AmvvpnaY`vkm%6)af|{ z3e0YP<}%WLfvbC#6`X#@n*i2|I^D_5+ydsa9G=m5e0wN&YlpL2Fy@uO%k#Bq^T*?)$Md< zs~LQP{Wwd#an5CbIluojsxw*lSC&v6En)H~;M8E+J#)=*9$nM<6+L-8`15do?c2oz zpR{X5RY#ct+&B!Bd6J4Ks|lyvxdN(9!IdUz3b5V0eE8Qw_}{X1x`&R$ zia0}}b&JSvJPf@x8-dOe3Xb;J|B|5^%s&&CWF6V981A_^GmOyK{9E%ec%)z(Sc_zr z(8qH6)tv6mB241HmyRde@0&uF!ePUX-wGO{J-tQ5S$G)wpsj>doXbOZ^Hl&GZ6MW+ z17nnZRckOBwl(OY*L>M)4$YT^c-O*gU?7>hLrl2S*#NJX=vu=^^5rO3q2 z{AbSWZ-^=*n&VGZWNg9%JEXd6NplpHT9n6egxGGXI=mpKS`u)H{+IiO2Dm1qWOl zC5icru~uTl;wXn8<3;FHE7Ber$2+76>Gy$}VwqNPHIpt19fjMcvOlSJB!9|mYVhq* zM+dChC_2Br=H-rhnOeO zFy3n)17dx0Fb?}^fgp8255dHHP44|_&GCSX=EqcorQd;IHto`9eG z!q8z9pt@&2@M-I}^Ha1!7q{OADWZ-QxkvKXt&&a8mcvLm2YAJT zi|LH-p2%YspgB9T8p4jpg6Ss6sS4VP()KNAoU%vz-`&DVb%hF}KAnegEGprK_st3W z&RfUyle%7`-Je&=8P0>Y*srvY)933?U`!>w)4V4f!?w!`svmGQs(f3LuhO@gZTf`Xx_h+ex!X`|3^3kjo|=~V(2bqzY;mDO^DNbk z(f9Vc7=XBO(gHWV0i*ZWa=|=!uD)0UTE4nrp`?!lS+}k1UX46$I3Cz~rta~KkFV%- zoj1>bUf*lG+CD?Jtx91BDd`=OQRTUJaXe`+>YjIeY#&`Pu*`6^ailr?`yR@yBDV>y 
zYr;xy-tV{iY5>{YPw4M9R}4aA*ZOb65-T8!sE+cDBngzGABLYfu~VSkyJF{) ztLm?K&=13_;-xLC6vC;Fleq(Z-%0Zkb$UM()@@Omor9c?or^d29*={O9lo1Fr)Q6& zh%t1Yu6xq6tevixFbNu-O~-e3x1Gtb(s`cTr)kd--h^vL3 zE{ARM%5B$WRDd;xonIgcVbfixUC&aUfmAN=gJbVY znLYEF`hY&h@^pncPs&|a4w%DS_PY!z2PucMR80k`8FHe~!$4;Wj^CL%m9N<)^~W_$ zc+|_IbwDIM1egHvF3DmU>{eFTBVsK)lOZ@|Dbn7V3hu zISog>(s_|7DSwhBvYbAYm2-CKBm57j*Q&7k#Yln7$ zOd-p2jlo3}{kXS4@Td23B?l5XUCpZo#czF5A$hbAJ|^5<-3(m$VCdkjM|V*gAZWt2 zW|TRTXwDo@y&(1?VQxMv&uQfEUh%8TR$MTq6xKoxbfWk{(cqkMd6vDs;l;}S>BYZg zQnvEp&wY1nk4G#A9=tcPdb^GVjn_x>&Nang``2~1C*NC?X9v(0Aj!2AGKe7-A!_wU zRi#leEHRv3H}fPH8ex27amI?M^Xe#$_}1v>j3gutg9}I2U~Z`Mk|*-msmw~jOiitM zW69fugpCt_C<5cHjyCiZkhb!*IH&NwB#e?{LS%K(E^plNg}uDp z64UqoQ=#fJCN4sgBeC1u`BE?b{eNHJE4sw8(B?8!TMeQ+w7+))X?_83)w&{V!aQs{ zjzOin)a=*s2pMgDsG!=kk#e--U$);&MiT~YOvHlHN0h_~=Y*#G}q-?g_aqQLY&{%RD*CsUxJ}#D?`#rEwWzg^C$vPm5&JI1vfg ztN~0XLe8|LK*pzQo=t~+9W2hS@NHseVRgZ+hB8{|hD|cAt?aZn`Lw;%2S*?OMItVD>ubHe>0Yb6(AI&1ULnR?Uv_XFjIi5!c3k z(X&)(-;!yMs%Gk-qYQR3VluVm7S_dU)@3-OEQP`d+nLh?ZW4T2RssX^8B`T}`tm{? 
zHcp_AS{IjtBx&MX4As)m?rZj%HknE&(9|uT@9kslomv*FiVd^Iq%42T8n-DUc62X= z1U1Y@1^fDQRnx3yGq{t`SqTTW+_Rda(~BA4Z_tjthU0V~G@qW+jShkFjIHrcYxur_ z-sIJH8}+{|2lJ_)g>}@v1VHF36V>*mYoY^7NQVk4Hd_P7?<%y@tCK$t&Yd69y}6iQ z?ca9K5`mQhfc&V1`rbLYZ^ni}eZatdFb~BE$slj-YmIOfiYghAQ&lY@HFA>zYSUlk z5+aCtm~{@s{qrs3MSsL6ghRKo2SW_t!Oz3lc&6QzzS*o)TS^5jTS6&WkDGMkDVzS$ z`9XuSgB|{-DbaY#5NCyceKM9Q{jLXI6nx+V(+ zrm4G@2VN7YYL>WL8kBG%F|^KNn5RXO(W-Tzkje<7tMQVIu_a7y zjl~i})*rzE=AxuuQYBGSqO7x(kR#3>Jdp0ItaYd|6H@Q#Cg0S*@!*zAg*2S=YvIO5 zx})aI=2#u2tK_j6s7@E6DY`_!;Gfp32viLe zX$lUJ<)D?-EXCseT@+gVNV?C=6gbaC!FztgY&Jqd)mP?8UWPlh#9h z3Fk$G^`{rmbF4kwtL^@mSS&u%=eF&*W-ZL{@z6bgV20m1_YR0*w5D?z7znFr1<6Km z(Y>FRHdhZH6=(9;V$cJo=SPOU^j(IZF0-NOK6O9|d`N2_Rj8Pq@@;o>(2fH9b^*Xt zzGK8t?c>J_Jsqn@bry-O&SU0WuCpXR{)RW@*ek!it@kB@x#KFo)$Qynf$lwBgCNz= zsK{LFyZH>N&y|kB_l|+aXU?NFfWCHszE`!eW5*8Y^CfsfK;JiWL_BQgp%;B3#U{>C>$h^;pB z+)~8>JhT6YZ#N;n15}4^x&-IY?P~Pf*5l~x=)3Q%Bbw=Hw(=?65$Ig1xcN98a(U9O zeB4NGNF5zp@}1*3%U6Ae-p-WiZ0X+p{8-!oHEg11(#6`jTyY=PBCh+HUA1||_`KL$ zy}qYr@SUtLI$8C!E0or(FP<_>@qX(9=(Sr;L)7yBw9wX(`S9%HnQq^0E8cg*fPa2}m4(A|nURvP@jDW~ zm6Y%=z4Cp$DW0h1vw6hdc>_AQ*DVl!bW%n@7ld=JvK6N?H;D1dbaEeIchtA5`;EglhM#SfZ6d% z-p1E_37?=>5a0y_O8xIYy(a?%G4ld?p8u@mvu1s^cYMfYqZ@E|xir*u?cN-S zT(BwS+|q)r3XZH|eMV}y5UzMX>Xv=Q0TGw*^}47X)tz;-A{%pOyzd&d2|R=T^?(R5 zF&2P%x1cKZ_(-2QN_s03$NTi`|R{I$r zdeJNU=S@(xAFOY=WUJPQq;g11tv5=BBg?h;Rg43Y7=h=Y%}n-Ds?AEJM4ol4M{3;9 z7pY-Q<%xEC1ULe&l92Q6Qj!hY|5X9Y@usj6S62XyagoM9%^vU>T+BI%_D?Cc48EdG z68q}T9JRWU{@eV7EMq#H4}T4H;kf~`3PsxF-^fM(h*|ywDK=Vv#hA<_1so!HaaA}y z&DqSZh7DJoM5SNe?AJ1U)aB|u*mn%i#$Y;a zDt2n!!hKVAN;quE{LO|u17f`z!{O4Pt$Qc!rC)=})uaM~6~&`D`*Fb~4%34b+ly60E!#vC1@XAh zcl=wSDZ!)$TeC9KZH#`ESr@xvd?)+g0dFnH2k;C#L8^Jwe4T3JbI8WTPsFFhbT3gX zDiE@s2yUkD!sO4r%>%*sDHMGxflF@>QO;WFsnjQtN$E7PQSS*6n#nv)7%&>g47R}Q zzmQx9JW6qfuuny(qJ=`tY|+CZQinzJntsTKBWi7@ErMFI*rZie3Dt=EVX8!!;=)sB z%~+I*#1%tedw42IJm{H&gWsV%iE{hLvyNn%U?%QG`$e?mpvVsmHBG9Wt$rBTvz^9! 
z2LC3A9<8pM?yVS5RhhOoVIp3JCc<0NHqP4ZR~eHu@WzVG|4D@+EVx4NeV3X5pgmD%(MugPxTR?vdmToqYcuM9u zVc(xA!p$4o6zvIMYq(S`($U`!ATfHtR#6f@+F5ww( zN#q+FUTo5<6KqYF6b;lA9!94x%@m*MZCVG*hcaLjO~W#GAxi^f$yleNMpmsPShLZw zK$IRyVKbob0nbjx%G4)VnQa@dC)AkJo8Cec8>oK=(cLWh!^#&jjf`U}Up!q9NHYs% z|E;LTtCo?em!g0=6}(hL!$0XY3Q>5>N@G+wTb*u(r_~$>pUvYnA?d+t=?usH-jYDL z&h@(@epBNIirN4!VBfSGN_a?(zW95BL^vA-SGhQ;+C3BSp@g@7EepQRtUwclo+b3rV?Jt|=( zn3s)XP?pD&(1l&=zNr^`%Fc0Pu^gXGgeHKm{h14iu4VXu)&>@|KOhgMY1hml^{nf< z5QLO*lM7knH7WNTiQ8SOCw3|2ywkon+f(y0a)ikVwSKE&6yZ|qYxw7w*f#SWL(}tL zl1FsI1;z=Z?KFx&Rr7oOeS0>;@oH_H?{Z3yN!NTbQ=@l2?~>Z~a=_K2jkDTPcP8)l{75Nh zuG8lGSQ2#2ZTVU{vwe|zBLKXAqwL{%>$SS+JOf}}zP|-T>3R<6MQwfP-ucZRnIT3q zdL5@w`nj#Nsq4#b(Oj;yvnW*}Qri@T}np5L=EU=mt^7hHhroZavH=aOjlMf4YCBA1q(FXkm%f-P66@M8 zXGpf17B+S(C+gjeo=gMYO%oL>7q}m%w@!}II^HMM5_Yrl3~nM#k0oI_ur>BTF|#fE z`(a8w&tog-EuYaYjvLpKp0Q?+y(-M>9MzBGdr;I1$Zi_c*L^O)@+i=g`$T`|C)&=8 zmnYEqLCCax{K@B`qtZCaF$p3D+tXk6dnY~yAs39x>W79#K6NhpDW7?igVf@WD54w= zSNn}>2u;NVPb1h?oDxhb<6>~N=;E&)!d-;r%I;A`SayZ1$1J4M;v5Z>hOz`*3z=19 zX;JYdABdqw(ej1WaPFcFORp2wgga7AX`(5#On=MypW8&qxH@%8Bho^QRk4X1qb&2<=Qs){N` zt_kp1x660+#A*h&JcRGo{zTHY)2d>sTDdQzvOwd_Hj%|WTk^Ev`6>oZ(9{(4~(jf9juG3zKbZbH%{S2+()WQ zcJR?>+FMJL{H#=v6{Glz^p=h{TlG?}QC6xURZtK}aQXwcsBYM8477I~x*GA0^eV7W z?Uc{$Wc%{xb7mz6cY5Si;J#t=W6S@z_){DFEHEYOc`pO1>`I8(GFrQV#WLTm@gtHs5JEhoQ~b;bZpzUZQFKE$4SSwZQD*d9ox3;b6)Ovcf9vA$Nt$r`(xLv zTD7WR+w*6}$de6!%UatvsNl#%ffua0Z$9rfX(w@YRmLDeAv(+bl&TBWb!>{OAu(Pv z8Pjf`A2&>nFPN#}mp(TZDNhNEuv7UHQ1)~AFDi7podQG<`5`-UIDLo-<$`4&BvUoJ zZ+w4ugK-ANTHs2?X7!;Hl|a(^Usx$qD-~L6M=a}8N%FcjV@}22`a9Odkmkj`bc=uq zkWw(~r`zLp8N)q5G&A&=3ltV@RloU^O`iLN?|XuwI{^LRnrmQ$y?K*lW zH9o-%2?H4xhn87=%0t3NBWeVph-7|H_9~pFB$Oeke$y2whi%()K^g~DRy?V_flk4c z?DlG_=*%rQ5bjl+JN9BgZJzm3ns4(r zd5o%T>w=TM3r^XV!#8T{z$3|f6|gMp<#{gFgmztazMLkAdZvmy^mZEVbaxVo$2GO| zBkKfyKUFv8vLkA-k_@ECC_GEE;_!cdDB-B;^>H~R#QGg9&&n0HUpaT*aB(KW=68Yu z6RA~+XQ0pnHIq}!=X}jKEJpnPJB|SwgNE?wM4uGk(^()tqRUDkq@E%b@cr`}F=gP8 zQQ!wTFz8<_P^5rVI-XI?R|fRDs36atEcfJ@DJ^ifwDnI1^K*Wx=D6!&+~#|ixW 
ze#^F(2;|N3nLoMQX7Vv0Mg;I55gJIBq4gY?txZlvebRfqun^F8$V8Xdz0T_WxY$d4 zCc1jxG7S<5PpxS`idX3Oh*4`1iT#{se>t9DXgawdi|sz9IG`n1v#ETaT5EP4eB&tX z7`=Y%KY8J6?bX(E{Dk(1y3#va*f!mh z_0Lol#%8$n3YrUDv19H#3d)i;f9_m8(SqTEJ|I z52)O|$;rs)+h>&s_INk&0>MJ}wdd|MeZwa5$}QIKl1C@Ueda2a!Sg_+|DXo*(~e*B z^@~b!q^_Nk)wS&G|83OCd0c<+yY_F{=sd2vpU*_r+&@Eb=XE`X{{6hwetbEO#&P{} zKJidZpW!w&xeRce6#m8*yEnNy>9J}0-E?}rPaz~g7wQ*1o2kIT^Gt!3 zt#KkFpNprRUjFyJGoD5Myh@ZGTq}m1a}M;YAK}lvuOFaaKv3qF zOLhd5{toE5ezN6XlrRi6By=r2 z)P1j~T!)_cVlwr_Pk2JrbxP!4aTeYAv z-Iz1a9yE1$DRszpCB@2Qmia4o8pf0aJ3D0vduZRn(C{5@xFfYEz0;>#u6>QrI5#+x0IadlweYYpW)aop$S+@q+hQ}DU~tnCZ|;htVr1I_lkqg zLsEMh+p=W>eOP8_9cs407F3mq^k5=N>E@u#!kZ zmBJw?u#9Q4<-dDMSU%MYBB}A`dr{>tXi!!Xe$V58>hLDY5=Z-Hzv5TOZHXdVVVydb zF_CiG7X{^+hATQdRvo(|H9=H9HTL&TN+{~(Zb-TuvriJMLs})HZ_+9@*}aoX_NGaN zcsC%>y+~SRDkVelVnL7b{0SdU*eFy=|8eDrb5-OO9(pWWbmlC2n0o^^l|_|@^p+K( zo@|sHA~G8|&ODPe}SS&yGJi$Ku1!s8Ov{oq;#X&cU7SWp%Aa*>j2)DxITOLkrupt!jeQCwOx{qoEej`TwgJ0Z zHpiOHJI9b=R9hOg@kam&CYp9z8eKSF^W=Rck2KnswAM?w2YX4ad+|wchV7L9rsF#BDQH=e}MzZ zAv2EIc&#jakh)H804A|$3P$W5@V8l83rq}uv59|X&Ucl$alSZ)YSB%|osMk&F%2V4 zdSNeXumOqRa_Rk#S${p2h*{t*-k@)1D5SR9AR11Pxm=Z@6O-7HNKq-1_KZ!`d@xeldZP(KIp;)iaftZ4KKXXKrm`L2Pss^j znO-id^gPNtH&O=k*7viL)6hWPy11gRd!2b=B@aUWmPkC>nuF)z__6oi@o42t>UR{O zq8LRu^0$QX$Bq{A| zG0KF6c*b{$sAwgDxbNxpx&J>ven>%7u00RA>G!?Y#eR!`gH5d7;I`$5Pu zy7eRPR8I#e3I^}-$JWCLEgysG|NMQ5kUwp2_JMC2bT3V%H`aR}BugE)J*#0G#q?e0 zO9-Ft@z~RynEZGC&h=`si#5G>#UeSi)$Mz^wYA2jn}s|o4T##8!Dj|~Uw5!>H}*N&iWB**?7oik zAI|MLANj97__jkd)(#$mrnlMRFZmu9EGCVOhUq+3PNLOP_}@>UL0v>Wnd~;l?tUOT z1#<7+kB`{SD#rnpa_k38Y@HhST-VX!b-kChE1!=&tero89(?X*yN41S`rezLPri1& zp9Y(*wU@n-AX=w&GX{cAIfq8{YreCq=vxtcPH)h;hvv&}fbWNWFBh)o&Ax<(=1qeF z%B_ARJMUl5lc9TL@5W!LDUj!btR0hs$GRQ+^8#!4MFv-iT`T^(5B*aMfpbi;*OIyo zF-+xG_b03C1U}1Zv7oa_g6F%&*n=s}^Syfk;0keJ)vG*ksqyII{Rp-9WYg!)s5DjM zbCRBja)WuOLgJFqCt}bZaEfS^IDjwX>--iS%Uky%2mD5HUANpnC}!_J4fs6RzkZt$ zXnh&7-1W)XaNn-J=9^AyeB5LBIO*%H@r~>hI2{LIk*uJ zczvsW@AVx&?|nCICez^bE!@jqH&319)zNY;CsFTsclmgDd{6!R&HnC;BNt>a1On88 
z3~w~9Kmit4fOr43)>|UnXZ-BiO3;_*LxHr8K-aXo9vAW3S-)#$0@& zU)gLRio~EIasMGNm0CtSfHwL(BtvsV{QJeQU^;c{`ebS;37_g_HKj`J?&A7vb4}x^;9~H#G_sdxq$zk>fV}#H8a}Rl9(92zG*b{PEA`85}3hZR`51m3s|+yD8@Z9wVMey z&ph+K>m-m$nvOBce+oE~Maie87kHhGACQdc)Al@D|)yJ${J0MfX|Z z@uYEO{p~y%zsv%7rJm$lx!mS=;!R80xr%8QDCMD1$i>on);*+loc)ii^cwI}-V<&` z21VOI{AJGW?ffA)NQ+ALNk=L2($E-Pkxl=WXmV>MZ`nG&Q7nkcxJB1MB-TD*9&r-A zKbS(t&@44-BIPrSGMY)_9yTWH`Gf~$^ctL{CFDlIjtZ znKC4wWk7IHKR_MtfHQ+Pg>*Tp`wIb=$dS)PP}6S*UDhj`D@ceVW2MHpiEw6JDK!zL zQb^wp+Vq(=%ZHyG+U3vAm#QeEu$_7`>b8|bnT!{5O-Dsg9l}T_%HNLg}%M z(Orr}mEA_emN927>$@^$n{k9_NE4{5#=PNmT)YBknPvb@M7?j}9igL7p=fxL{`G6( z2v$9q4c>ZeKGK2W7xkr95zcfJVp*EM*Pv(9YhKZ(AkmFT#1PE#@KwEs^;`Ze&?GuF z93vHFCF4YF{v`3dZR01;GiP~c4_iF7Rxa_*EBrZjNh|N^8v*`B2ZJ{Qn7_km%ZV&A2K(C5-+@}u*t%5Iq3caZh z+5~43=`2I?O*T2FzW|pu&;X#PJlUC-zAVw2H6>%6RPqjG6wDB9jb! zfdK}6ecPY+0U$%h^kAc3QhD2R0Qv6El+-o>hL64!6eN%<=*PRg&r&=`um4{0`sYWu zT8e+FI*K+`{amQWh1WU!1b@J%(LPNsa9?c!=@8$(&2xC!Jo{xX&?6)E+RgktygC)& zdLOpce!1z_>T5aa_CwgC_^9fP_h}@w5&2~kf=7@hsoF!HdWwHHn9jYU!Sx^ubIJf1 z6()UI`eb19{y>qMX7l4?$o8|Xu~xu3q_E?f$axsy{nBr1M9nOD@oT-H=j(#T^bs%s zUb5{s8VHayt6DrwN6jhhZq#0HKYYH|c!ILErsrEzo-{3aeL5+oK%X?DJ&Y2i?uU4n&eZO65QH04euTAby zEQ7CiSm_rO>*nb0ole)hS3903P9xg$Iz@7Eu#L1oWoA}wvY~X^o_=0PR69m+EDgl( zvTqIpJ6=eRr?gzd9Xwb_o@ zV^(vDj_0->GG|$vm3!>xa*sO|=z^jHI|YtMbah-YwR7=D#590z|o00}9_c|KVOb5+GSApcDw?zzTg@UZrn%2Yt*!cClNvs5|za{m;n)azQwoaO~nUd`r zPvq|MmwUe}SN!Nij_MmW3A|oQmL3tg*!@QFphRmkzRxY@Ys^o_YAfiE z0#`^Nv*@_3jfE$qO_WZ$OIBu|zqt&Z&@M5bHFU6)vC5VhVa%{*!U+^yY+<7s_lCH{ zg|{k~q85WxPh#@~j6yp8b`HDi9NSjuu@~JsZIx%ktDr1@%>Y^!Sk;||CdH2(RdLl*HJ~C0Y z70dF+c+-olHp97n&JB1f-2n>(hRZ2jrOL2mEDW^3DV2$>rhT07@L8N;c*$rX{dCDM zJ!)hp0w-QlJg7@$9yxI0+B8~vJjsd-nli#siT*(7M#uab^U+mC9>i54Jv>#pSa?$2 ze~-|9%>PXQc#r7P*r14A>^S;mVDxrHES>V-=?zpBd?SqIn{a9+;SpZyW?btZ&xF{A2NP zEbt)#@BbUf!Z0zp{YjDY4K!||2i@}3Z%_Q#jJImI1VeWik#dSo!^%QncD4W4;vZ%yV z82ZNwO?MQIGhw)MEb1&eiJO^ML!Rim$4C7R|Ye-EpteODq;o=e<~nHOz4{pI_P;I z8ke8_f?wYchC2YT{pSX#@`rAy25mhemdv>AUzatd1T-i?#{mfARFz9*)8$5`h|0w` 
z)7HqrhCR$1QoDywTbRoe?~)){@xUDytT`e4rnL$a$40(i>xMPT1=-Y zlCcLZq zqGg)pRpGd;{z8Z~mb#+JdSE0Qx8iBpZI?+vr-4VBVc1e3j)M2g3bo-Lr#t2Rcf96q zegW_Cmz2N-de>jm_&lCNilP4e5~E4RpkhejFo0jcJN>0b8&Psy3LpbyK<$CAp7oXX zoW+NBD<6l0Iv;{kf*!luho%c`B?n`(8MD{!2!+8Et$v5JNwb|*- zhW>!(O#`-Pfy2DbnC}h(_JblZo;Nkiu`gV{8t7W53Pjfs{B_rv#|$3Zzs_f3O_^zG zyLbF1YFa<}IksQs_Bp13uI+^G`fF>xex}QO(?4^fqgbZ!|vmKRpU8F*LE6H zMxv(=d2;D08wHub-}N#*($0Glyj9O=6Ms@;c>|fyQXywOXiB(8_+bwlQ=%XAg}%@_t<~&>9F-!sNj+2_o7}) z*zPzNKE-Jvfl>1sMibji1gGC~IOMSzt*`~N@-W}&?;TY)EzxmuS+@O; zx(Mg2uQUTiT%kr6u;T?KaHb3@GkNN=FO`r7?VnQodzE_YpVrvc()J3o@Hy6F)W0}V zV<&0(+QfGH8}X*DQ@A`2n_GHq^WU#Ie{9&UD=16Y$LBa+W~=KwYkaF}Sr;x9vEXBR z-%vB~em6M{ci;#0hJ)^nzFH^AfdHb*^%sTOa#;>h0aj21bf>gzYr2wB@_@sIz+P_~ zNWyepfER@NovB8?b=6L^?(_?Ht-f#K+qa#VYAhin5^t!ChJ5h` zltGNs{b+CY^cJ0p%VJ;M81X@6dkj2d0wm`SJxb?x${%ZH%8)OjGKA`SnxY@V^gO8V zH5kotraV@=Sn{Y`0e`t2#o1VBmz4Mt`?#x(>9N*_&85^b6PXkt691gSC|eF~*03x8 zWDLRTXm_ek+Q%!3|J9)yxa^5i-0##(HZ$_`nzT}T)d9WQdV&CaRjG6kPmI7t#`fUA z=McVn!BrOfF<9E$1g3EShIT!izE#HSJAFo02CK9X$$62te{U2Rv^$P*&f-0DMVw$L z91q0-k6R@CioGA}X1SLZ-e0VGS5{naC$_?-ae4Ceuu<&`n&PNR2(*jf?MXnJXf)0< zf;WLjRKMmxf0iV=us*voIv{S5+^_I-z*?#H#jFF(VpcyC<7jGG+-nY_fjq9MUbkEQ zA7Z-n_Yl0vq9mh&h;}`NNph+-ai7YKl4NF0+CRKqi#be5nphyXwUFVm zXj9ExRZ=Hh)0rq5(*KQ30^9zq%V7*e2Bv2HRt&`1N76vCrL;1nGr-=HS7iHrI@S0u zRY$7wq=_?F*+)EoOG8ukT205jmAJ_yk?Oo)RY)}m??kJPPd!@DUB^igO)&tX3t7a* zj9<{J4mMJqnPB;htRr4&$2Ee0jONt8R{}@G&v3at0a{B;J*lwl5{ojJ`f&#AL{2oe z!CHw^Fi*E93}wR+5xD`h`M6D6P$tDP8uCTmUIy=Ty|nFtwV?2OXOO~IYs)+i&!rl4 zT-?=4ST_BdU0R{IIidw#T%LrZK|{D~iMmInofMXLG5->jT2PSM#GRK00$$hpQ-#|% z!-G@P;E9CH0B)spTvXu&2p2y~M(UPKtOJVdAIzK&rB^NI1w1xC@jCB_NA>?|Y>g(`ImWTfU4T~-NL3xrs(`U6EJpkzW5 z3G%$Xv{?V@5u-}z_x{9K!>XDuI=q3T`MyE0J?<97u4={N3|Wu5V8V@5r)r6#HcM@_ z1@-erHE?>)&TC=LIO0kz5yzn1h0^TX0Th9&TYH?euwiBB86z z7l9>3q?t(dSjgJ5I_N7(!sYXuG_d!)7k3y-gML1HX(kW0boFm#vTpv;MUhYY6i&U3 z<{G}-4j$A_2~!&Byjx{BP7fw#aL+H~55!+lGN{3Uzm^vpAC06kV39(~)u3XA(Ck#) zS786ebAyAswxr}xvPmcg$A{~baD-DNYA@SIZU)Px83J}F$|3~%7myROZ}{dh{!HR! 
zP7f-VrF!!-iuRi-UWQ^SST*5aqRwVUeF`sO@G$OSjX;<-;Bj%-MAJp7Fl$kX^JR?V zbJe1y$ILu{E9Y}5-Ej%*{DP9#hPfmbm9UI%XWo)RO-?IuR)eb~fdG64Is0 z>#sZ5i<^PEgD*u6m-^G<8YW)8>zH(|kj9FGVLU|Z5_7Cp8B>{pN2NR7YEfnp>TUji z1Nh8_SQ7p^2QdHQw5ea5*6SoGHTM1a9VLdCQHl%>;}r%d^6?dJ{zYncI7294(G*B~ zia}ZQ1fK_`J`7&dTIbhIcj>#=jWi4mv)Mibzpmaj&E7fh52W6G+YSSAv)^x}IS7H@ zDa{h2wNPlg&PGvkU7xh<9Jc3U{Iphg?g;-3l`3c;0QheIM1lJL0JE3ry2K{Nue=bu zE9=+!1KW;ZJbr-A6b>S<8d|s6rRhL_RJI0JuUpKHY1>~;mZ!TNUuS#$j!1kbAr0=z zkg_l@5uQJ9xL%*C{oU`gFwf6hpZuSz61R~CP1FVM6!!2bY@b(e0Vl0G$A2ckefWEK z0(^S1dwjbipR`ZsB|27VmVm5g$qWX&C3=qU6=nvb`qpd=;9Go#mz@j=0xS!k5rgc0 z$ULC%kW7L{+}t4ZXbo>!xE6Yk+_uxZ`Plcbjk(P(vQ&fTFkx7L=XQW5;>)?E&t+aK zmio4OA-{Vxfjz+7+_{;{pxC~<&=_Nq+pF1iUvR%A%W$AeqlsVBI5j#!+bVkuWn5ZK zwEFTaanU#(F>%2-cJZ;(GNUG-1EjkD_rCN{v++@?kp<}A@&P>@C%Y^Sq`WRBYp5F3 zUVsLwFQ890dtV(ZUuGs!SL<$>ZubkHR#JQ|iY-!YbWPIsF;B3!eV5vHF)hx|4M2vK z+0G0XbsJmQM|kHy+79s$nx~v&ijaYxG7rKR(?oi|$WwK?Q$G&g3>#_q<; zLOC3^p8HJSMg16Ux(`xTE=>6SZViRJyq3^WYTpJ5pQ}^#y)xIac|NK!^$9mylYk!x zxmj}my!JDvK@5AK4-Jsr5is|<)DIsN5!G*c6VwT^=(t``48U}}#n&DC^Z>nLKZC+; zufmQ6lzBZsdLNk}$NMvZwXT=g4McCZ0ii>tg-ZoXd1!9;lA)-Kv`IGC5GIQK;FO0y zTdpPxdkCJIe}*FdO4bD%adqjC$>8=s`_9qHHX&w&Q1izW9&RQ+ zmErcQYH8iA;JAH1LJ=2{WwVP=4Kmvp204-(*0n0dxx5I;^pD9V49iP!kPy>+!H#o@ zGPu+v<*oS)ZWJo*PwfLn4QgsQZ(i}CHl5^p&C~B<=4mNRf+Rtj?zD-dHr!-|#3*t% zyooG3f2`I!$Q5=>ok&wURtac=)z%c}$H4_~xyqM3=ThG31nrUzu8#z0bLfI$tpuZu zq_Dg3sL{M=D3ZeUOVprVQ8N*me?&(0DcjA-!DQ?|$CWMaQS(lzcAcU}*#_jjY4@b= zKGH6H-M7*xS3Xqt`JNxJ+Azqvgs|#wfScsnllbUN7E>U7C|;l`5-$w4k}oSJrXcBx zr#oWJnURSr;Z-;)6wJ@O3!`T4oQ%3(7on7#Vnc`5oWVOgiBhR3I1Gn8HXFkc;k_v= zOnJKzei9F(j23EK0n5F}IZWOFbQR?etek0EVqmhezaafmf-0lu2Swu`5DU{vy@U9V z8`8TDHMzyjg2mIQS-XA3?+(fN=zUm8!kkwBh3(4*iY9662zO@VsS`sZP_7ZevATx! 
zbH)yx>sOuyXB>ZeECUdj3FH8Be-1%4EJMAo3J?DU)+>Sk;Odsmw^vFQ<#jT!@$bn- z+TY*Hh$oWmQ%+Y^^W`!Z-Ln)gy-d&W-;SB(d&P z%SbLnB|X0UlZs@t%!XUCE==8Fc|0QAVS0nem6ArVa<-tt6)wGySd|1f4@=qd8!M!^ zqa@<4A-W$b8D03hb-m{T?H@uaCQFZr8o`cBaHFL6pJ!4LZMB$=e;Nb*%THT8!JI39 zPRde1q9tW$h0r5~^wrQ98Ac%Azf4AOuGPskM`H$2R+3hu{2Z}rnHd}H5QJ=l@%*DQ8GeT9wh-+ODv(+To~sb z#>yB%7)eq|VC+i`6(| zgbtiFYMoc%=WJ(ox?sGW;pv`4H1a#H^~PxP`E%gJ8LAfa2>&kp5sD=79e+BGq_W{uUbK&djxE3l<&IiV1q4hC07qG+IF(S8Y z``md90IV{+>r4S(_Lp0{furlLvD~jEdJ#muu7l%!k ze(tBqb%u}o&bRz^hIB8Vbc61u>5}Q{&kG8KAIx6w-Qzb;J_1!qz_VPh+4Ek%-CeWM zNW!<8kF693B?fC9U)45p$=ZJ4>uf7_2M}`q?UW)ZGH2~$RSjlZ-(@y`qRM9<=&-?i zzHrFk_0bp&XbjZXzl&pW&xWQeXK*KW-xEK+CNy~1NcOS!otv#Bm}zruwUcl6PdvJM z@#^jT#T!!%a{ly#bXcrp(Dj)3OYhJF+FQCtazD5R#BckizXT%mKZD-#dJh%Wdme5c zX{uf}o>~o>2fB4?d-cxJvbSG8ky5WF9OMBMpjF>U$S3aF_D`0ZgQMbWj%~m5mCMxa zPQansZXr)Ser?Z-UFKFt+tbW`rEV_e@w4F)-S+$O>h$(+)2Ek31^SL@f0GrjokpZ5 zuD6j!1Fe%23S_PG53#S{&Dp66Y^q#=ww2Y`ZoldHe)Yp3_K&>!w^;Z zycd&)(}`HE8lAiPFRp%|ik{aqNXud!>E5lYj_#s~tDdKX!;?muAd;r^zH|A{~SGWFmmT&TrPH*U!^+2y2N+qT7ENa){8Q>e$C6#}{-u zKwti?O78~%Wbtt6bH0Ajnd(f~e&H1B-;vzC_Uggrwd)AHJ*q~a?|e7!eS>s5Q}STH z+A_-}ocdoovjEW&AhR8G>|?b(0!SFvCVcHb1oauy?gVO!LG!#%p7%z8?tr;O1z$eq z&1`qT)p_dCBB0`48APXN-QxY3q$A|5O>9NV`SWiQ58WTL18((+GdcN1a$ML2W+NdB zzVXV}ByGtd^~4ageF6dHn>4~oB?$_hw$lbTg5UkZtovg zN;0Wo*A~4+1RJ%9l7)L#Eme84z&{F)<}n7RenAw2XmUOHCo49{o-(R4w=wUDuUr zHdvQu>6j6tfyP6@K7w|xZ|81!}S z_~lJ;!t=5iX;~Cwc6M_(%~5fp@06Q#D~oAE@PX;H@2{-jlrgc5dP@PG4Sl6rQmlyc z5v#hm*1_hj>nG%kT_J|{EqTauidthkNJQllWaasyPRJr)n`fsTE5WQ1wnpe-!W4EZ z3xS}kHwRDEBo-Fny~tCpm)3t;8t+{}3ND8E`AgTDNQz8Q0rj?;HSE&mlTr$dwpIxq#kwSV z5pd-548|cwy0-0wh{sT`r@Z?h6rW@8OHQ{-KX24-Xy%1{XvREysX;~4i3U2I1~Zuy z)4xC4#}dqR8f+)f;JTlGcwcuTk_K}(DTeBYA`>rs_rBgH^z7;ayYKIVKkV*Y&fsaR zxqi$d$!?5&23mnUME=s)Rh(3osghQX7(zYZFw!h=ZZId#v_)`U8Z9Cw%XjPF_^~b7 zhmr5ihj8OhH_fusnT{bx9I7ThE0LITZNRkYN7!KI879$lO3@a#bLrNocepcY1wb|mp@IsQbt#572-A+4O*tzx1t*_aQ#`Q2%bI83Z2yPwyC zV18JX`r@t}epeheB*Pfr7LKq{pq_m+h*;<#AZix>`Co7VYca&i_wfVzqOQO(2Vm37x6@km*fwBt(h5> 
z;o%oYVyVRsvY%3@2vR3`k!iFj>rDz1>tD}_myB>QE>fHuf>kU+&@o*p79cf*E{wxS zi>PfXE3s<~)p1^ceYDMqMqrqnlH^2{Nmr3aRxOq(-@*(eOD{Spl{X>skIsgu!j|xu z_c0$r94SRh*Xvau{{~x}rzV_8U&+fSv6T5kp_3P+Aq=Q0C`qDgN~YFA&zGem466*^ zf(vC;g4ZS~z(J&NhiA-M0AwEUCT3YA+{-%WNKM`Mt}BNB@{j+pUmMbDdXLJ-TKueDCl^Pz<5?#ycZN~cw9s8QI--(yEmP5!D%W_KYx<%oo2CwyC2z}Y-Yw@?I zAG}i=udt$9ZMQ-Kp&(nAVHOpB+Y|?#!|a^F>yN6gORN{HH7k}18M-@Fx-{pBL5pnf zXP@b|tNU0zm#43KjIMd-&+T=EZnw#i&3z(no76exUM}-vJq!A#hxbg|x__rc8|_x7 zH%Q1`SIG+TZ1gK`?e7f0Qto>N8T(r$n`8xtdsWY^oA0|QSb85pK@}3!Z+GH--vHD84GU3A5*C`#HvD?Gzs-6^yUk?SEzXJPrR|B+4imQ^?_r!9>$pVD`ICya$sg8d)#q;Oi{|OOI7DcV_=$9(v z9$Z3^8kQbcE8(0Q&s@P0if?P9DToOp%p!x)=u5J2SJB z@NO+od6#eE11HtnyNOjizjA#%{EVZqDw(>Z!kxZ>+^_1o9 zB2kIFJ+w~M@tfoBkR3mr7nSArJ=^HjFFqX0aO;iqBv!y2L(9R9mpq%7*c9s|U3nz? zj^@l+AWX!xDF@`3nSGnhS@HI(_DX_F)*jEKL@B6CwsYDL)YE3p5+Hb}X6$xavZaw^ z@YXEX!8QJ-+-a>2@y)mq^b?SfbTdj9?TPquK4t4dI|xQ#^d&7|O-DKkGwH@Rebq8@ z^XEBf9h6DW-V(Cl*TNrKH^iJ4`j*V2cuz`u?D@MJ4pwA9;)Fk%mRdf0&dChd4U{EB zo6yRG0Q*bV&hqVlX<{`!enO2$Fik=%KUAhE34XR2!bcaIxao*1A)Bz#RK$FK zkQ;7?O>UZeQPVwn;}UBz zDxc$T#C?qZySyLy&N;+r?Oi-*XIvr?P3$m#%d5tvF|^oR0+21Bd;Yz!3EQ@?u2^)y zrNr(1)^4sRpv3e^5LPu7o&MwTGX>WSeLSPu#8SR&WH`qtMu>~&pJ+M%CDUVqvSLPI zma2;)gry>;@ObEONtQ`j{k&|GVf;`RT7`=_cEg#O1~y!-RNN3_yq%^M>tc!+^Sn$k z+48U>(hRqF%a{h9_GjfAk^d0IaXF|2Fbp`NZ~Gw!16F8uuhzWCybx?aw?9}xJvC1> zua%^xI4>2+SIZLkPgq+q09Hz+JYttkkPnkvI9c7N-07g*@#}I!Y&B(Q>dz_e@NrCo#F= zAXv~M%(}ZV6jZ4A&Ud*O=r0P~D&xlv`7iBtdHj%F{^zd^yqxmlV2=P@xf`5Dw zM+m*C4d>8OPMjIL+ok_+pN>ExVT~<;xP`Kz=(3@)sfg^C5OeWc-E3 zDk~hX3i<8VnF0c!h(gW?mG4ZgzDGQ-D6ec^UMq+f1%gqgr~#wEmw=Ds=~P?qgX^s^ z2?_fU+IefB+cMyyXjT<4m z{uLZsUW1Qy3bt)@zO-H}^MXweY!Omv`u6L5JVw?I$ z{m%}Ob}f=D^3OLihd%ASh4t0V9|CVX-(m;0Jl*fZet$$?6K-EPcx@zk@T?Er;_EPm zZUaQP%i2=!MPxjuioAFj>>wT7V(Qqe1ZQz^ad7!-It#C{)rsU<`+dtX&u8;KA zZOIMK#Q+Cgp6d4let@52q}$DLD;kmCsOM2m?*>t|FNnw-^FGKdmO!x7p=n(IpJm;X zRA9?0FqZChh(}`EZ=Xtn-VMEBeRHTP#3GNVx@});xN>{ztJ=gsU|RR3-0r!mx(U>6 zx#3fJyFy)Xw}r$}&3>7TeJ8Ws{C5i5p42O~wnyfw(9Yjw0$v8G)yJ)QHktuBmm737 
z_@r$ME@H6Lgk77SxUwH2v$b-T0LjtuHuqj{6HD}x%is0@pNtTzeGsgnKT@kn=;v@e z0a|j$hBE-3zt`r-<+`n%S=}@|BZqf4f$n%}y%#Pb6`+`D6#VWShzPvqjCC4AeT4jO zKA%CUK#)ZZNQmNfdfH4N7!)3yh;W382y%W!VNMN@9jXZbnZDf%EWN4z1W14VAq&OO z??Vv`Ec>kPCjkFm_XH9kj>aJN%%nei7UpF0SlF|uv2F(=4B15D3<-@7LsQR5=iy7< z6}_vDHe>#(&o>*5rkX8L&+60J-OCydGiF49Nl2PkxE%V0MyO)b-o#N8n_H@C%9e7& z7?DL+QL?0$B&B?_4@fkE=ZJLfDqPF?P7@|2IMC&b?7)srQkRMv{WP>Jpz?V zOzAZqM^(14mb8g^#Zah@2uZ3o#ndhN{(Ju&SP`ANGA{I0bfas>Pm4Pv(J)!&!?jz_ z$b+Aif#RITg5n9Pp(H{(VGnuzBg#mk;pf?LU~@{EA5I?>Dl`E()rHx{L8meGXay&e zr19S}y{6^Sv@6U5tT&{RaL^WnNaZUs6po0gv4sPVYSOK~aH_XmQ{N)}EA8r*1_=52wc_~_a(tz0!r#w>!feLP;x0|3Ilw8E zS@x~KGp^C~ktT+{UrYL*Bx}+`M}jumct}NC=!`bCg@nd_mF}NfQ;0lKaj7~L&YA^i z>MSO4VjPdyZ(rf+Nt}^w5d0n9)a>4Kq?5pny;mEs`v&(fMq>aq$>fzi>CX*(8mTty z?|MV>AZiTlB?K=_DV(^ap*i2tKUMl`Zn|A2#WbF(^07RDI36J}8Bt!|bPLoqn}Y+K zGh&6@rChs|hmIm`1z&3rXL++`dvLxq_@j!e=J+UFS@x8(nbduAPio{>l=h9|e7*}V zn2H`puJOkAcw_S*YYe9!@|@JU%bCMyYZ$1tIrH!$Tj%eK;zCmQ5xlXn-UutgI+N6?-$Xj#odk&EH<99h241QptxGFt8{b@ZaYsmBZxE4^t@cPfzQeN{8O|eZv5poWt}$MeWzTncG$Vt zH$ZF=wb(H z*Edr5OM+QkoK0Vhd{mMlYBlb!eih9y9l^+;Nqvq*Q|Gg~BDLGw-)h#fT!b)pY19W_ z{T|PAic9r2RnU*k+MKJ9mI>H$cLh@VtmBd7Ub7&kFX(+EyCZ_g_y_vLc#;F&zq^%J z0{np@g0O-6q%lI4@uk(OegTG;)S0`-C^G|H6=-YB#Zj)0Ex`|W< z@BOcfYY@lPEdx=>&&s8x?*7jQj;Uen{=g=-<@KlGMc@Or_9nB3=W~jLz{lvwaZblH zw1k28B)Z_NE>zsJ)@hAP;`(LBAux68@o1|Q?Qm%64>g0UH=i1V&$-2?PUgm$_QyRD znx57RnG>N=0;ip%^)m~fQ9hpsbkNIWL!<+R-D5v_=2qWk6G_KFK;)vra*W^ZssN6n zOFjj%m)Ds^W%uJpPNnC>bVi4&OZwp!cmDehT_cL;S=#xJl|0U7x#|a0mx-ruZRY^2 zIgicMDY~ZFfzIqEJ^Lf`i%bsP4sRnA9sRQ$niMFHwG(rfiO14za_st1bNjs-&q?LX zq-w}iPs@6q2?o6p1FxBaq4x95r*$^ubeB013A+!;IaqHNO3aq(eQVIuTPG~1vcU551(rn1Dz!#ie_=0s-$ zXy|%LmG+h;_(kgf0oOn%zehM^tZtRln6EN+0kG?Xm{s%qav(QjP6KO&xHj<1U7;=X zhN0g!Y(K#3M45wH9a&fHG|?c6B44d3y3$O+S%BjwuHDG9vq>cwDCvBdV+qKuRb`tH za@l^y$|xz;mZ5@X*Rh;PMuDO@B@)iyQqXam9l)YZHEfpJ<`9nAz48zx@{o%OO;aN{ zuF)uWNt+%BWY$V#`)I8p^`orhH!HT9=}g4AB^gMyc>{KJ0iU?D@j5S2YDpiNy|xyl zbG-s4!HiA`H57|AGC7VS9M4U#m7rfP$=tvz6=1;j?aGhiKZ%r9bmQe=xrD@{qTVhQ 
z6Md#WqMDdO!ch=(+eqld+Fa66L#n|I0Os-;Z!!C7`2wDVnF4hzMZi(>+Tn~<`93a+oP*-XhN*l$BGCjy- zTXiZQvjjbF^<2G%L~XB`6cG?-Bq-h2bAnvX^WnJY!M0+T1)xJVV^OM8=QSk@$z-8! z%YzXCmOP?g62k!p(_Y?+N<+D0`Srv&+ZVhpFO=%4IHLH1$N_w4#}cxX&NWiJNEbaj z6`9#eKwop@u!Xn_* z(lVEiqA{Y#89N+CvQTq}uHI*&Y^`DvVzON=qSTN@Y6gZ5@FA~iof74+aHl+SCPq-@ z+v-@z2R;mr16GGwvpx`{hGs|_Tn(72&f-$a?3o=5YbKCkX%r}Ul*lEznxCmikqV?q zQjIly6B>`IsiH;~VrWyNjuHJ?F6x&}b? zcs{U{$|xy+#eZm?nOFaxFW19d{=+e}HBbJ-M6~dIW!=7L-(!nlccf%2Sgs_QnnD!l zJYCC_^%mY|;9;Q|N(tDpM!Zio{2>@~5-eo*1sHA!yaG@qB}TY-GJ%$3t&ti_Yh#Ac zJ*4RoLR^PZaKymFJ<~n(aXGSup{QaL*rh8ihVP@j=qAm~BoUuoEYC5eaFaW~If>pa&&0?ifLRJuQyA z#i+ngxY;Zrxiss=3u32+wIxjs5FN>Kb=>mMau_y)T*2=FNp<3*PQ8+a=4#3XJtJQz z%AGh)E0gVeCOOX}=b7X@lbmOg^GwMmQpb(0~)W-1I(3)T3liz$R|AGGp{h3%eDDe&Y zv(ryLdV)kS3W>wW#^1?#?tQVo#4evNc)*iKEh4Ud|2l_a*YEd-?JwAL!|jh;cJcLY zet&~v_x3}k>PsGeJ=G)A<$JUDEVX^()faY+y;=;{oPG0I(Yno>PI&tMbHP8QmTp7` z(jU!v{vP0uH@`FE17S|{`nMmOvHkXEUwFpFdlloK*S3B29(UJ!7QU;r=NaAK-@VPW zPd}B1|G3q2UVrt<(@%eHrgr$WW5J7`T;Yu67JT)>N1s~nkk|IQf88@4dmz|)*_&s~ zdgymPb=h8@JUiw66Bobh##rgPogeA;KU#84^vsLS-t)q>&l%fmZ*zb4#c7Z0M;$tC zlLb$|{mG1F|Mufe*5B^NTa^9&aK_Ag54(I91AL@=&uJjbuQ|E(0b`U?u2KjT)k@i#JBD{^S6gyd&73)MWtn~+6HZc=INJJuHEV6 z)YNC+e0j!_x9$5Lw(ypZb}QxC{hb#r?|8s|FCFsmrdKZe)EeB=53G02&3COO95h2X z;m_}!>XtX(eCjQEr!ZyD=}W$eOj&Q0qYv0=`N7HT0~$ILz_TB1R4-?iJoCjV7tY!0 zg!OZOI5`*c+dtpm0Wq@8~Wa z96f#b?0wWpSFG^)vHYh6e7B45pYueQZQXkBjHhS*{eiciK5v(McG+WX z-{N2AKL`O&)_?va_FX}5_yzw-|IeV;9)e*so=4E@{8EG7HqJ*p#M>HLV8n1D(9`*Z z`Bk7-`gZ;^SJD3)K`xKZE6D9K|C;+(QwM(N+`pPS@I&YR)zpExa~C8L&;oK5RSNn}oT}B!qjWtG(=FBaBRr&0owWl$>atiHL551HLs{htED!sBcA$lN z1G4a9(*S(mE5|Ti%uY-ssL90^RwC6D(=y62h9fIgEuBm^Gay+EA+HTXWT{`n(lS#- zEm!l%UI0`gyw{~fz2J{{WR&T5&3tKSGOnJ%8L~%r(%oik)DrnfZi!MN9fCupsEr4V z!n&%ElL(;h>iuTLFO2b83-|i@p415Zs*S@vZAjCxFwE7)c4XU4*ut=Oqf>3h)OMZB zr}}ihl5RqPWqMXFC+iJ27ZV{erJ;2)YmVAoDy!;guETe!R)5q_yR~M&VGZ+HkOCpN zLyd>2rX$uS?!uRXL~~){yb_Z0d~`fXHEm!}HV~xDWCl7zK$ye2ai6bw<-9TQ@~F`R zNw${~T#u(BF79|%&rjENe8A^@tsEO!-5el_af77CHLoqAk;K(FEogg$ZB_D`Rvw@| 
zw%6A?xpLL@Qw^r3ml84A=RqPF@3OouunnM-q?9TO6>7~&zcCoJit>oFj6&P;f`CCs z9;Oo_I828rwv43P?&_>NV9 zhs6ZT7%i*P%L@qym+ZX3B^6L;_fqZts9_pbuaq=eSX#7v3~+kGm<*~oj#1U5uYtp1 zGe?3>+bmiT;dF9^Vm;n#+Dulg zOS0_x`M}eVxbBa#yays?a-1wG9i>_4+X6eT6xvZ*z)?#WumA(XXxfyjrC3(Z6WFlW zu}dzl+i3j(lpJ0*u>YK7zD{)Eh|j?n=XRp#MgQ2z-3&gR`1jS zWSk5tO{m*Q6kv#HAh=e{l0%*kj83=Vb<(bivkbyHoY!ZGq?6?g-Km#arGf#nc064L zCY(3dvog7oTjb2Ln->@;S%NG(O()A_x>+|_4@3Q!%!D3NZ}Efduva%a`3O!>L1;T| zVB(-6oFqTwVX)IRbwxn(xhh|QD>!A0Mtn@IW)lr>TxDBkvDzlwVN$2FR)dSt{cf*U zmw}PX(?+f-s9ZI$69FlJ_ec5ZJhfxtR5yf(1m@kUVh-}wK zI1HFMv{MMYj48s|0ywDyH_3Y@dCw&8ndCi_yl2wB%}^Nnj{~6Ztp7p3$$uvG-+mf{ zc3=2WX!nI?{Wt%~eZF7umT&N%6MtHQf)fZDM+rDi;qi^(b)dDrk?^3!+Uy8T+o)Y1FicJD&(f4s!)R7QSshlh4P+28Y|#pdi+%>bmo`~viR7&4u<7TWe88n&0-&v- zEx!hUHv6*BXG3WH-Pav7{K4j3z0;`my8fWATit=bxzQL*EQf*PZ(i$lzKs{{`|@L# zFz3DW#NO}ByxyPn$efG#`r1z|b>ObE-+1S}mo7Nt)kiM>hxo>)FE6ppIrXPE3wPT2 zu}>asDc4SSuXtEU9CoDXzyILDi~E=Faxk*};ZOakxA)AM?xWL=e>hrv!P`@JE_;Bg zdM7s4SbNHDH{AK#Sw|cToXB3Cnzq&PFRP>Qlv{U04}aj{Q!ZTXx#O#=V!h?>T=4Nd zsdpcGc&kIFK2J?+pLNw9m%Zn8R&#z6&3t)Au;?G>v{yS}+J>`IuXxX`v)9yR^Gm<7 z{+hezliMzN>K4Yzf1Y~L&5JIv;{orU_?Pv~=Z~|gVSSB7?!7c9+_C)bpWnXK;ty-Z z@dAH7cl+9E``ot<#J@FX^Lsv9|JW@rdf`3j0p} zGdDrmFZ_=nc#x0f6jPo@g0jQ>B7x)W%L;Du zWhlsfS-z8Jk|ohdv(OiBT24q+MSyD^2Wpfjeo+!pfVX9ow|Rt*YGc7}!-CZwPYk8; zc8j$NzZ*fY39Bl4LzqHAUr%u zxkH$Vw}zvJC<4{7jG0SIF9YYH3b}sC9&m=wQg@9xsp+U(3V3ftR?XToRihEA7y!! 
z6r^~HZ_kkw$J%8J`hWw+>B#Vna8@# ziKuDZZ|BoRU$KCqA*cGqsKMx!WU|$@BniYSxU2T^iR{1xvz25dbKzKo=}a6f401$U zj1WIoPgw)EML-c?lPVf-t9;X@7#WYDiqhzC7VB#KiBVfxNAy zSQBH6TE%8VgXnbwoE%uKQaDucej?)rJ_*_8kQ9hm0}-%%5i5fY3ej3HjNncKAcvro zwyI_o%V{*#9igCD8xQ+%IqsN4D$IL%Tr*`GwyI7Y4A^W3;zo=uF(}GJYJtuH)f^NU zQPQoXvKg=2XDtCNWvX(`&-M|gQSN~-ZFaQyST^E5S1<%47(#qu*scrs#%fQYKJ zT}ftQN<_h)Aa;>JF*`}o^%|;lnqX1|Sp;l%woxyn7Hw*L-&N_yGb(nUlS>oy=jBN;+VJ6nqleswV zqzN9<$4+x-MB`X$B*cKE56QX?4Xt=OS1^-FD-2RdfcDTl&18sNFQm&}y;b0GAJ+}D z!PEv_jZh)WwRl61v~w`+2jco z7t~x{R{QCEAk@44m?Q)Fyfha3w$K8}I6<>nCKAgPPVS7#cBjyRl?Gi-m-UHPTOnoY zex@03+gzpHhh#pjRRa=e)FD_h{B|;~G!srrsX3BArcK)K>75BDZ8>y?i=OqMVWfqz2I*wk^c}%FV)lpv=q7rnE0|jTut}c?K~j)<+I#1vc%` zG!23zJ@I4TTl3A(Q{Mzg^LFG(s{qB+3_R>%P0=i?2q{|;Qshzzpi-%^HMvdql|jDR zjTibhLfWdCj4DAU!&gMokJMacXmc&CgP~wiin=gGNRE&a?I_8&ff1IF`qeQ>7E%(Y zgjr#%wh2wh)jI_0b%x_k5g(I`R~(LvC>~3tshSzgTK{!7$-!_J1_VJ=)VytO2p^Z27IUf+r$d~CF;LX6c&%q zZDI5S_1_LT^P=ge=JrS*xZ$qXEo)x8`k#T9E*hLl|FIax7e8UOXV1R#=#xH(9lGgJ z7cR8x=L;?W8o%EMhg^EXJF|~)u1#Nf^)BnKf8^ndobci4t8cUTM2Md4r@<&t8AAj~zd80FySNmd47|RXRP|ybMIVr`y2oA;OqCC7y4_z`)C33ryWr{?Y)oJJLsT~ zud8I!yB~SZY56TLy?X1$p68yl%f`1z|3KHgl00->>ag2R+u?$Jk6CzR9o^X(y?wM~ z><;Y672wyGy!)(epZWaI%dzvfyB*p5C47^uZdR}jPDuMxx7h4Q_5bPKp4(Et;Nbmd zANk&@*L=b`7fis4RD z{O4J_YKw34`LX-`W!m5G+q-p8cA1@L9GyFO0p_C0iYJ~h`}PdALvi|wgY4s?@#2f& zi4UCk{4$>qzq!j_`i=8SrhK z`pL`twa=HQK6=pm8!x?j;@Tyq9dS$Hp}Sg-`SBHR-t_&4*SoFq%tcFIamqbUKCtGs zd(PVak@qe?|LRi@*lGDsj*=Sj=f3~`|I+{ey!vl2@lE~{$0q&%Phmeq|IINNP5efp z>X)wnh6+*}79?#VsH4O0r~fvWeSB;GpUSUL{|)6M9u@3Vz|UX*pYhylFh38cTgA~t zY)?8Ph0<#SjMV{9iJ?VJ4+$oyKyllZoRsN{r7X}iolgI-fciv4^?D`q=km=5D2 zg&XBA(rqGwOJwjYV1SKS3G=%|Q4YOC3T^m)E0!1#Xu3OMEEmDLG^)pNo05{^AWyli zia{0Pc}|K|i?t-g0?BdG{&D(m$t*rHChnjJ3mzOO1qp&(lXQFKUM$qda)$Qu9Hymc ztWxIMMOW@Yjd5K^5}=9~wE{KqQOU)4UWgaUJ;Mfztd(q;qddhaf)y(^&3jT6i8ACD@b{hv_ti51VCc z$T0ShMG|?t3{fN+Q%xri<0Yi80$Q>b`U%SvBp9QLBXCqmr8NR+SBa9=0`qWOLCQK> z(sZOBh$BbQRS~Z-odiB^NulGIK&+lHXo?&NEG9~1fv_mf~AiBYsfRqIAt 
zdX({paKLrbu2y#>%(B_4RP)L>K%{gA%g*9S+O?=3;GC zl(LgGKws&6air~gmZ4u?cX&nGky5D30gcU?|PVLU>}DPPkXrKXV5 z9kXB0!^y5!QKdnI813dzEkRTPDi+;bO^7lPOX_j~h+$zRAnOeynM`$D4sJlXda2M+ zP-oaqy2F-fbCResxf-OF0^NuyXm)4~Sg0}ptDfnRK(CZ6#QUN+>b3BE1?s4&z-(su zWZ)+IMP6+cLdqJCgi+UwiuuI2-=mp9yxE6Q32CL_cotyVY%4R$J2XVHwi5N>#)#HXedJTk0mG#=F zgQJ{RtH%OWX<$j+E>!y!nkCD+HE88crj<-2VH&a|zG9>oft0&C2nFOdDk~SAasEfT~D;M6r>T zP=ahf#wJ^Rxn)^mDqA#i12PrbLU}Mq$mM#+U`st9?(xp3jH{sRWTR0k(`|7jqe|(8 z9A0RUQ7@UOI6k3MUc8yalF3{|X>hz(5QSXMAJYRA$c~JLugDcokXtQUBG`I2r4KBj z!DBrHnmEVN8q_2FgxVcv=th0Swi%gdwFj!1Cs3`X0`)*FC=&~YqWgIx(5V!w)2@OO za=JT)#7uf*TB#hHO!qa9&lh5ZAj{20OHbQ=#-F$dabTFsi zbt1|p^;kvh=P-w_kQUW1Ql6v5ty-o_l(-VBB~u~6B7n$+%&3`brsB+q%4WK(#6})H zsr@#|cP9DHB;T3jJCl58(!MejhW_IUa6g3q;FJ1qKZ$*l|J+}_^5CDJ|Bx6;QgEDv ziSNOG;IHwY_%DF}kOU6nC{AJ659B}lt-RcAM_qsKgZIAi*2zz{9^PDj?Wrr3d-mJ; zwW%}Do_YM9$E0rNuYGqK@mht3thIJL9H zoWs^|FKDV~U-bLzn|sBNIInX1B?s^M!oi>AKY#ha$ER$t`zv=KV{ zp-Z01mH)88vF1saKJK2h(vkn%pnvYC!KL@Tu;a3;UUmBpXY6R$`PWal?6gx?{d9Bk zPa95O_U?~wGOj!C^iz*J>46Gxes;~*-Z!kv{&4Yc?=nxG1}yejZ>w3yUVq~(a{t5R z!&Y?f{OhrQUju(7OX914+_@pU>lKgR zf8>_;Y<)1MZ}ZXrpL%=W{_%+~ZSul4%Rc>J?)&fmFa7_|-2VqhzsY|l z>wkU{`yu>iL|7dCtLy)R@wSKy5+4bXiG6?m^R4}Vs=q$|V?q-FFV0IEHW9baFaMbz zaUzEA*ATl@Q{1xF21l}j0TR?S^PB&bxI16;yWwT>_plca0pUE6S7BZ?0baHklrjoCN~B3^;%2Lr+I z2gOVe^jk>58yDF|-Iq$~A`sNdie?u30R|3AWFD3wCf|ZOV5N+>Ehj_NP^3&SdZX&Y zBraJDy<3cu`x3VhL43o&HtgwS2t8}BV1jpPI)QgGrZn|1# zv_RyHkTX&ZLhq;heG%lzXb6lX^z2Yb^#xt;RwTkVIE%?vf|^BD4AS7b!{QJT zjkuPjslZXoLnZVIWmXrYY*%+WV?GCfb|v3e@{KS{c)3CbLq}DZ1Dot{;!=qW$&Hvn z7H?==A8nct9>tI_TY#}EVWTmkNQ%Yv6FlOgT83+q$hRSCOJu#a>@e<4ryCV#;R?F5x(Tgl z=L%|(>te+*EI-gT@A%HoW*HH?B`+4jy05w$EG+jm!MN4igTqf=R{tc1k#1EWlNca=EZm= z4uZWr#uMO}7OFipuCzu52la?*hG-!PZ>-Z+B_EXeZW?rrI+jgqWx%qFbx zS_};*4*M!tBwJ_&t=i*MF9(@*CTUYvc0B0e`Oqy2^#(Jr+-@(`s&(y>&lWR|vj%M9WMg`(1rv3`NDV|~(ZtD-d&mAcjH z7;>ZRqClHfpdlQN6L_iLOdEkqbP1zP_${(LBo%!mkgO69qzdhEz3QMSIT}21%nKb0 zYZGiy^ME?Wr^!Sz-_A8-$(SRx>O?tK#Y;%ab*qLXdvqlDeB#=Smg+wp7%SL?-s 
zmSd$@R#xIbWKP1ONmw)qizZ>wBrKYQMgOY}g(2h@$$uvEe?N(RlmEO?xXk?d`40s{ zB!tH?82=vp2l*QR`DO>8pPv6v2#(F|V^5JkkpJwyoOI_pYkzv$uF?Lt#!73vvisA^ z72cn-drN)nz>^Mt?BPY=C0;rGhU@t`!1%Ov7unjdj@@s!X$vQgqgK0bw>`G|@WZ#Y z7q5D@%RWu7No{-kWj8)_{DRBAqh1>J{L6`BrS8lZ57_OH;~w5-9i;x!!86X@Y_Qzw zzq{d?Qx4i`si#7H@r^ckeJ$>!Pj9*Vvtw3tFCcbUWpnzbWd;W=_3o{m@}FNlpLRb# z_naI4R(SBQCm*p!@v6$F?_G?ae8M^}+!yS4-Ce6+Tv}CrWaG29yO7xJ#?!46X7Bda zIi(%Svo1e>iAT@$4q~=l?2(!Gt}QI`&T9DcGtb;Af5b)$ox7v<=w=U2eP(gt;myyV z#*^*Y@KOl;WB5Jkf_TKTSS2o*csj2V0W^Q)Y zrcYi!;}08X`bihejK~+R?Qtf9@eQ2^W8E^G-Rv+s^5e=lOmZ26=#E%W|YAoyNp&Y9Y;EE2q zo+UUjsFKBXz8(v_K~uppcu=+_T^Xu*KV@Z*Oczj*bkmDxnH<>BdL>&_d-;y1GxX4w zO|!4YYYi}qwX04p!i!L`0Lr7G-*?%(Ux}&_+v@>jFV-~UeFY5~Ld#3lYyFXB^xOT$ zFezGDF0PS&pgK^I~a zQ$cF@C~dL>7_-%CROmQf61AXEA5TP}Z3AiYW>)Q#fv{ope;of|f->m`!vWdPGx4sM zWRv}xT0?!h1#-Aoj#U#)y(DrG-tHB(cBMy3R1fXh1h3ekQ7!^Z0d2YELba7LjWm<0 z^_)Q_@NVFe~Lwo+}4j#YY5 zy1bqQEX>A$e^2Vx0-O8Oz4oARs$A|N8~UIa2h^jd$z&X^L{2~ zICi_J%kT(BnqX^4aXl&}jMIwmYoh^GwjhQb4eT~6jq~FQno0KJfa8@*T9(V9Anf*|Ka)wq;R54V}R>Juj_3j3BY2{)u$7+ z)XOIHu3@{Qq?oE%Dlr+SlVm#;pdr&tMie-#7npQ3of36}Bm-aR4or?941fj0R1y(r zz0e#P^=_r5lshPx>ANU7$V#~Eqo#m)d9`0tG*M6zT?7y7VYMN*op#u1c>r4OaA}2;qscCQd-HleU9$#>rO{JN8CttrvMB(u=dXT(3wbx@yanWVys<%@P1fO}rzN zg_1n7Hh{k`*C8q(#-Q7pJ3zNcMV}iI?k8E+$X-8kg=+;?M*{G#N8l zl+--xbN>-V&i|_WKj`QFBThGxuk;^2{^I=~#|b+YpAJnv>Ifd*Y5ZRq0KUw5dZnyv zwM!;8M2%bnOBt=SD@GbGM~OsDvzb2I?}oHKNOg1x7!}&XBE{Ld0H?sATPPrd0mB!C z>8f0Tl9Q;On2h?Znh6V|CTB^5L5?VkI*mA7uR%+F7Lfbou;5G+XC!Gw_6XuKU@NrS zEwLzNktD*INrf1|X-Olwcqk3~-wlFsmWuPVoP)gOJN++rCp*Rp^Vxo}g zdZOJkeJX=_M7hlBO_{bNABMGZq2HKH@*a}5!b!?OMt~~!RD_zO6jCy#!+1CYRTv&k-Vjje7O z{OHQ1Nc-md@ue4g6QWOkx_96;-C1v}ZuxhY<>lVZtCw$*eDr`juyuF4<-~iIOkA_w zLZkEVx`Rg+d%UpmzL%_MUAcVngd5)Xo83$9GgqG6`25bdy?EuUBi4Wa`rc1&d-BG8 zesK%__;c&5o?rXy;g8MT_wg>daK-aROTN3rmb33Z#Y1nK`y4|2={U)HbccP;pS}56 z?bZ*|OUaM5ew$d~Fl6;>Ub_6?y|$3LkDPVTGYhZz;58dgvg9?_-1O^u@y^2DA2zht zZ+-WZWlxgM3#xZ-wd*q{9`?%GX9MpDAKtseTy)80|1x*^2ge^?`07vIU-ZZ~-20x# zP7t6azm5NJPhaF*^|JT;rrY3;S 
z9Xi_OGiK$oh#mW@~uz2QfgqvBgdU(zW>_q7y0>3@)OIwzvu}!{LnmaqpJ?Tv~}t8Yy9oV z=fl@`{Yhe@htxjt;Gf_8%hmU9mi-I9;)ge{e)X!Y>+U%1ja4uH`t$#@^?w1Z|29+q z^E-)e;6J4#TIoe!k>oD8{(~1-2`{qFG_lj>!++xcU;JnK*jad*hmS>7oL~PD=f{5r zsxMFmnqddkTrxpe4p6jXMyPkjj+*9MM$}Guq@{OyX)_I`uzZbZV2Eo}QwgZ4G$k!p z^jZw(jL;;Th^u+8k_WUwyIlnbSRvEL>d8K=nxsyrS$`NH41|>ViP-1HNx4FeNxPck zdt@DN#K~@h2i2fB%CJBO3B^zvS2BWM^Z1a&)oeEvb-a9%D5p|gp=Vm0$ATTKR1-Tb zsG^n=GKI5BeoWU{rjr3Ah?m&RM9zEViI~DC9k!gq@gy5qCL2>Xie_DYjs-iC~mDjI?~K$CY|L3FDn+7&tQ73q#n_7+oqU zk}c^2na&T15KmNsWYY(7{Zi&z`cJn|&PQtAYtxmc$`orHAqMxn+l{jq=JEbVj6rPJmXQLCpRL=erW7o2gvTts`bGS85MfLFtTLr8H>? z13N~o0;qMZNm#{&UK*?>q;g75$_!8)X3|!BAP&raGt+aW{KN|hm@FVw$El8aCJyTj zQ7{RxBylj<8cK8=5=ArNH4!D#kXir^mdT(DB_CEu&FCGt`AqZVhIq&<;gsC=n3o|qg)wG6Y>Bp?ExPEf$d0m}E0;JE|-4 zqkNurx{_TblLK6>IBM3cKt@so-Lb_5N|nOoQdZ}xH4NxF$wXXlqnv40;!-NX$audV zQw>9B${2@NIX@ih-N=izWP+mfc9&vfHrF;fH7JrovjM>MAlsySwU#T3YN<2C z^N>OV6C&(Tb!Y$za;gwv3|dYL2%Hlkp+8-k9hA)ng@h1MZJ{#k!<{S`uyrDt>*48o zFBuL(AZDvE$_)tAM+QMxqWm~J$!8`Vw`{d?rp3yN>!)eBUNy?YVPileb+^{&8fZA~ z7b}5S01_i8Ok_q*k|d|g5L+dZQc9h<(lcW{GuAU>Ju}ubV?8tRUxC69wm|w1I&=Q_ zUBnmtXNz-ITKqrmKQIJQ5Q$MViF^(J!T!a6sQ*Y7xIT;Jlv_HUMwKX7hd@1f^rw`cFPE4|kBxtkbf>%IT{+-@5>qd&B6*maK& z657VU+4s_0m+1cK+LJyyb&nG+-*L}j{?+`dueUCHW6i(qeOm3(GuOUv<(pqio*{_$ zZF1)UkDmYZU?<|VUq`#0aCvjjeJk{~t=D!wdaIj+2X;NZ?f+obQ>8f%A4%PO=-Kx! zzGn5FgSXuh-==kCB>pNty6EN2&RPEQPj5b|efbU_?YHjfcih&$aVh)Ad*@URfAPTD z@`t7OMDAbg`g(<09r^I?)6R0|_$Q)Ed@?xW!pCku^xlhq@FMjWyE^-4hu8lQZGH41 zcaR?~chye!ZSUXl=nByLOI`Kx{_pJfZTx4Ww@ zp1Sl&$Ly;(C*Qp1ZQDJ&z4zReOI`E8swZ6a$ma4L_#H=Ylbv-*b-kljyz;mQp!!4i ze%dTTEv)_WR*y86`P1Q>JpVlM$`O0H?L)8kKG^K(zpi_7_Nw2QRpX6WPcO31CEF@X zS9X5qkc*ZZoYpw*dEn_49$O;XZ`JMV?iu05>wLQ5$!o0lhr{oi^Q)6rS^JhVYx}XU z-n{G+`pfPi@TK?ut@``{M_zc(`I3uyGW=MPt*i`TzqyXAIz>Zr^Xef)?IuRHPF z#g_Z^n$^kM>#taQ;gz*U7acPuS38ma-4gyD+WGR_g>E|Jx&z7Wicaj`v+Yuw&RT0j zDg5*KUw{68w*D`G_1|Xt|9mI$P5dWYQ@dYPoM-{|pLq?rMOQ+^Sp53+-wI#a|EKxA z^B(8rk76Z&xIx-yKzW)P@JPESY7X)1*;J(0QS*XRE_5o@bJ! 
zR;pKQwt1`_Ic~8~uIpXe%D4<{3v!%n!WJfJ9)#1iQdp4yuink*Xi%%AizA3|^NP|e z>g@Go+CQ4^orPD2^~mCA}73nDCwlz$va2b2{f~BeSZ|KxgyYe1G)ikRAK`clXr}pTMhU89SQvm@X_{!o zc)ctX3Q|6hc^gqWEp})bT4>~QyzP##fGt)_X{zn1$9hivQbzd2W_x8{cz<|0qfeBtB;ya#+5BrPV~7{#spl77^Ny0>86Kl zF*j+a3p25393_%=D7wrbR*axpt0!0#&9#ezT(;&4MTY7NG=_)vxR3x0d_)`JNY^pF zge)|82rD4QYinXfI28zWVs-Ps) zCWV|eAapMg*7fnYme3+_I^WECE;Lb==QJ6P8M0GP@h0`u<344Otk zOr-GCxG|~cTqK(tHHM6;YZ-HtDx&qUT=eqHz>U17EE<03w~bCKRhC`~w; z*^3Glxr~eTVJdJt^;n&l5fZ0+6lINvu2ibw1|P$|C_*4=H+8d1Mq@=FDu9?_m;ybW zEv*ppP1+zdtJyH<#8}Iv7_*dgTkUpLZJ78lmu5qXbdB1uJ}L~ER#`7r!2}@C3dK~- zzDaBU?)q>4Qj7vV8j)&W0Q^QNh_tIm5`5oMbVx1yD*&>mY+dYSbk8M3}CqDWcK= zs~}epKqjRyI<18k1$t=|gR9}VMrL~x&KxrYogW1AerJa=lcXd1Y1or6M(IXrywDB0 z&Y0Aiqe<2$STApsQ7?_FOp!u*aYptDsABl6Oz3#R1Hc(9n!%zOESkZh87!K?qW`}G zg&}-_^q-mYzwacz=s()ee!j~B;6DV65Ew-u)YtGId_nXd8iz>&CBAX}x6^-WoqyAj zZ(Bgz)7GRxeILE}#Erc5o=$*{kr=vx$TCFH}<*l&fo0+fV=G6mG=7OD|cS8 z*WXUsblVPk*KGcj71z0VTl!Jztv~N|^k}&yUa*#XNzpS$G7>#n;3Uz<4Ps@wNjM0+i`|IibDIP2MW*4ymxC)eNW<;IQM zK0EtOVWBr4U9Pe5rTZNCJb1~j#~!on!FN7;;OsqbJ6wCdy4Yx;8*X!{U6y@$t5r6B z=9lvNEC2BM_F~6>u~P(pSyCVdS5;F+mjwi z9l!cQ{6TwtwD-nqW!`%uQ@`e-}-rvJ}(6W_#tB&{tn-?#d2^Ul^ZtPo3hQO(9*-+#We z|Ihc)e-Kg4P9NPtMAw;L|Iy~B|4*^dm&f&l3+W9dO|_xvIKbdMl@>=CNNVx6Cd6=^ zgyJ@v&Su?Vwl|4wmg)=CFiu!rGlf%PkgI0kCRZ0VEuSz#pfPX^Ijc~CIZ6&wsY0R9 z>?Yu{BzGHCqQ(>vcw976UcKA#^l)4g*$PGDiBTe#&nVp*SOa=lR;_gF87s~!@}Qi{ z2uYzcRwh<1)H{i?fON9#D9gC@mW}a2uEnz+jAjxEbx`QHtBMJj`Bp!wxtSrW=!{ZN zGzOqM5UL3Y&w^5|nWoE8TG# zW+TOR3tl`ZbtnOpK&S||>uo0KfW!1 zCo=|1qqeSb*;3uCVa@ZSrs-j?uDW$%;BqN4p#p`xH_#_m z9?H^nqv^&FCr2&8D5b(yx8tYu6b{#lC8Y>g##l!h$*PNtTcQEt=!A2*c>}4{qRlY_ zD>;0W9?(j~E{xT@2C^b07Yq)Zl(|j=I$uQG(_h~0Sl9rDhm_hC|4th49v;70CBCL&LkXLX#wnnMq0FB zs}oOV3#vY^3kF;!i(1=sO4*>p*Qfu7W-2yZMLz%uoNHyj=E-d`iu> z$G{*F8{>Kyf>4~N9XvcUXij{6Ob#+8WWj761#2qRDou*5v@-Pg&~n;AMyfzKpJZEpHb2O!!#-3= z;e9|Rh=N7pw%#JT*f=-PAzjAHqD<9sCE(f=OnqZ}onf?elE!J0Hg0U&R%6??ZSB~$ zcWm2ilE$`eH1>XT^q%u&{=jox&)l=tni*|)#!2}n+|qPxZ#yb!MJ3k(*JMU^8Db7F 
z2gkgS0?IxO)k*|c#M?H>M(9X6$P8Rx|$}9Sj^zn^l3uEUfN3@$_M~C=1 z!K}pW^DM0b;43t0Ftq4rRjg2s5$t@3UYlEwJPc>=@DsNkP-BWq~Tv!tnkM zV-QZdqTvb2<=3*0h%4HL3zZF-ohjVZB6m_LOIzyWF&6k(eoCMTl(tC=cQ%W>u!j;B6P3lpoc$9f$WfHx0Sw zQf)e&M-*&+%6v#OWtEC7RawVm2i^iA^dF5@jHY(}N~*}&m^YM4vXV|0RVif^K#YeZq7laGP_@k_3D0Z5wZJ?*b=vz{dU?h9i;9#54N z`1KE0>)n3S2s7T=bZ+}W)}N<~TSCipUYE5&?X|p4KAx?{1tG0Gji7h>WBZ2F)6%P+ z6K@V%w|Y z3UoW)&%x$>^AA(9i}zCfO&;$vQR_)x=Mh!6>Z%&wjyIew<|kaZoYp<`tXTXGmpf$j zmttdU`>7h>>8D}wlPoCHJUs-t=OSeP5%@8?XHC~TKho;s-?hbkQQl0DpjG5KgA`udI7%gc2sWU2K4W~O*`iO2zuUH$MAAo%>B0)x9s__AEejyxYMYQSXlk3 zq+z@pH8rI6TJLjb`(K(B6n5Tg`2007`45Uk`J&kDUCMMHQO5$PWx&w~^J5XC>=}Fo zhOh6}JnvH==NbrdC@YIx>B4q^Qq9x{l}}B705dnSTA9O(j!nCMN(|!08~U^_;QkPi zBE5{JKez2Tj6Rit7>_zMD>&s=Enj1Y;}V!K^~FSVNgjx4lQehQMEXhSe+~O%_u`pZHCfSoM>%pViK+o!Q&hcGwiG)M<@+Ms=FtdlHuCFfMfAa)2d4Tj@oux5EPO6Xea3(Ik#OhdxLNg>Ie7^I!!T zu%X$i$i}I+WBnf4u+q;K77kKm%EzM^M^8?Cm3b};jANuOlnz)m;^m6eu<42{bl|Ai zsKY8^H}m@yx@AY``4OhnsrZyN>SW)-iZk)IZ#MM;fGLT7@6kJ=h7olEjIC3#?&INF+rVV zZcsLmmXeO}YfhyUG{t%z+B<{7$c|p*pQk^S5pseV_XU7&$e;gzGW->YMzId>(6o%^ zR0hM!@()(VYtex>&l_*p6%|#y^6b9t!ei8@{vvrpu>&I<9riHqwXct-T!*ckjN7U@ zpY>F-aLWrbd>Ce_9xo@kzl@iOm@J|FlXs52UhL z>V1eH?hQ?a4Zl@p$!9I*D$&cjtm8phwyj#gLVOF^axtYnq&0yk9rcWr6SoZxh~mYW zL4`U7Q=}d;WRtNltBvDmkH(HhSf$Rccq2)nF7#5aivJenpH1}jp#zR*qyqm6r7K{x z|LLpw7GzhUc~aDusC8JOr3`x*yMcvGn8U)HH*3ed=FyS7P*!z)$0#b?USCyi<7Ob3 z902J99#7lKOWv*rg~VSA!U!*~y$6mRe-75m%mRCA1;;oVLp)>rr1Drk?r4^cLJ@?U z^dGe%bjHT}_eJ0(WjJM{TI_|A@h7nEj1ed3T?*n>iwCDIBELW zJMC$@j9RqN9>>r=LV{z5x*?AHumMDn)^|CI9Ov)(lTUNmyofl7H?xk}@#t^6)Umu} zJMSCIw_kXXxj(4S-%U~5R`)x*$r$utO1uv@k#!fr+x79}EQhNx&Fg%G!~F8RHlmxi z;ruz?+w0oO-Y^ifUL}qHvgQl!`tp*sRa&d_3z(%A(kkF-^c*yp+jU`^@do!eHUETP z3TT^Mh3Vz$a=iRV^(*S{`G$8#4v=zq!mibQYVp|}IAem@@_w#G(t+;yCup~MQ@@|< z>9(rL!SG=5?{XPtoS^DwmJzc$>?42+3wQKP>7x#AETs5Qt8@3qy zyzgqfYwJHAmZ$VW+8W&ciG^K0-gJ!T%zGae=-afVc1+Gq>%DdIq^|G9mu{!3@jTTf zz1+z^8-(1cZBGN9vLB|~A4r|2FISTC_RVr`3Uk<>54jts+srPV`P1(r>eoCQ!EE2E z>DMln2{zvDHO+M!ccs+{9FN(BUI!=upXkY%h 
zZvE$T;Xl;&pPox+m2?&F?^9`Vn=UUn1FlD(m&tssJMYbYOiu&5q4%|afgg@T%3E(Y z&x0+Qv_pvMKA>+;@b}+AFDwARK2@MzqpZh@Lp1^jTEJ5nfggnSU(xqG(53|YNg4_^}Q68#A&qY68>yAeKlJLUH{TtQY3l|R^6}Y z$pl1k!_fQ2Nt@+zgU7sYMajV&EC{kK7R|X1iloOkVbwMWMQu0rO2BvJR(O5#S)M1*uRNy^ryIR$g zDz?xA^z7A^1&bFD{oXS>ZJ-+nOFI1qo@vR2VDNv{rHd)UxcP0Zko6T38A4yA})uFHW(k}Vm9f5k8Qlw3w6Pv zvY(D)pch2#!?=>TWur&+rAy~!MV28=AE79x3=JL=T7g-+2{#We(y5zcxQK{ATAVmz ze_weba@xLFt%Y34s7LJ76BcVl%Dt1$2}F~SgNL_HV-fk!(_$$;^b-ZCrgBJ9*0NN@ z$MkF+IVPcEvUECL(c)2mYJ~Q_W>zN6>2GGqIM5Yz$AsS*ek4Xp2g^H8wYGx>r+DrN z7D1K~czHr$z*Ep2;6oe-0D3p?X~_aSPru)TM%~un1&SIKe?g-7$zOOH=rR6-$E1-M z>8m>}pa}>{XHfV}VeS3B);cyRwUVUl2UOcSmI*3G(t&7wADO=z4Q=PDUhCfBobfnz z)0q&o>APLdK2wdtMY=0x;o^l>_yH+Y3tOG!op6mVdA6jIrMY8Xg0xG6k|<53AL;SP zXfR<~C|gHmg4613=+D`PpdYt{E!XPgc8&d7`>cz$q@=ZH&4pgSelTZL9GH6IMr|?? znH`4CLW+ykWaIsE%8bb~iXhLgl4xz9(#9@=V%b>>_(37NvNMwm-IPH4%k4HIlnEo4 zXuIyk;BQJWv#vY`I&aXKU&zJ6tCIO2c`L6Lum}gc8SBMg%?V}$xv;Fzl1i?9YN^Zu zy&z>2u9M35u;vJ(jB*80Ib7iA5+8S98$)Sd>^ktAr0;X-h#Df}&x=y3mw5 z$@cf>;iF_GA+fX#>c{Sn@Mn7EMXOU66*4r6_3z2}{Ko_r8*!%GH(jl-GS1k@-AyIs}YTC8^!hc{4uGvsk)dMm&875M2h06iA5 zoa=lhlr&IpzSXqVq3t%+Ah&Ju7KU_DIxTRsVXNo4y}CPqPVl+=x*Icc&G_`f>-qS0 zvUs7i<$Y@>-Ggwg;cGOGBj4suQuY%AyE5DNbZCeikllmtdOX;wSvk6j+kBsEq72*80!kj|WHUQeVx9#|xL;QP*XDIH1+5$@^{s+)o`) z^=^{8PTL$Go0y-^WXN{6Ti1M!Ks>+C!;-e$bhm){NQj(QklzW`JMsZCduQXt#>4*A zJPsbjMav7>dhN>;g0q^=;TZ5x?{#rj{^KEOlc2-4jiTp;Jqh#aD|38RuJ&@kRx;-C zD(7v>l&446cg*)a4v6cuy@%QBGxiIhb2ebQ{K>kq8}Nj@2FOz8XzN+(CYh{hc(etq zcBc8AJesTfonr#O@6(ij0Nj_oGMeL)2s|nT-des5{nq9fW9WJAb6yr`EYEVeR#mR- zc!}x4DR=gJOH$q9J^OZ7!Xd|S`8i+hr@mo-*H70<>vVEiThaTnZxTe72h&pVG1cyA z9r!Bk@)3h))w=$a>Ai}4?Q=BM4Bz|mpC?fu0UuD6!d9s6R>S>TL-W z7Bysvq!3P4)yMobV2;#Z0*T9h{T;=lOXK)uEha}fZV1f%-op?><$eUCg25^C$_xLGJ5wqH6~w3WY#sPv@a5TcvDh z{FETpj}YQQ^he~?6@I<>Yd!=|5o4juL`*UqX0zyEt%QA1N124f#F_E!1LH6zY0pA| z3cKBFy+Un(-eA}zb~)XM5~=U|-^INe^*dWe`+E zu*6~&O-saZPOu$0?C9sr+2t8}lITB*>2l;O6RljoA&+y2kWv6zMzbzGwNu$depdps zPt$-S>&_Pj5Y^O|2Z{FQ!9G%rGab6YPD3h{)8fY8)H59h_>?w+`}OB=L`63F))`p( 
z01*v5#zY7Tj9zkh>MA5rp*4rkbql`it+7qqbgE6mm!lri9~Sf$k0 zlG=io&S&c&kv+`g=iW4zD;V+ke`X*-oHR)*dyHL{SQ=^2E_oT!+=j@}+=L+(Bm%L% zd3S964f4wmX4GU-=p_1`46DsD!el3j?|=9#vN821Rw*Jm0=9WgkyxAD!Yq&V4ZTZ$ z5@WmvMfRX8JbjRMoQ2Bwhw#t&Qxx6rg2hK<8u=UT#eMYQ;@0V zCK0Y3U`i>IMn?hfvU2uEo-nE|^QSx^8u}_35&y*~c7D1$gREuZjzy;1RwQY)T<_*tn_+2xAQWq+Q^seEob>}i&5{y(rs@O3BE{dHdqKA8>j z#ry{a(zLrQecZeexE8<)&LfrU|Fc{U5(7nn2od~229yCxuuLBd?}#7fyFXs=uuR!f}e9VdN`^5+IX|KaM{T!b^x!S-s zc)y9u-dEpWe1PM{=dGyoT%UQ0^%}QlRlu58xBPO)LAlXAjosZ~?(|pGrEh6M~qcKDKTx~b1ynb8nN1-_Bl-U+>syFEA3D@B? zp;ix|3)DR5HnX25yI$Kptauzvncn)G)dlcAt@h?PD!3d9y{voWw6i)t+S8-*Z%FXe zKc0JU+@edPNV~ep>NPHIrrEmvrSSghIab8?zKjf`Pi!XJemQJE0k3rdxSiMcZWMLY zbY(vbL-7FX{(Ma9HTIiY=QvE&;1KO9jchTN6ZF77z2Q7{9u|cB-kxBL`y0pL{D+32 zS17MjSbT!pF79^vAqHOyba*Kb94Bz?s~Wx1=4+j1Ki19kzR0JM|9Gy`*5`hiEoJC@ z&Q6PMGpZTTEAgMrHlA7rzO8f=kkxjqtv}^BFN4Ru-%FwzOnZa=r7U%P)>zl9cQ>!a zg}Bnbt(J-(^EYjb3ADe38&7%cyFXpEP2Qf{y8aWxq|JC+EsM^5dnCHHYo@Rkct5LU zZ+prp!OeXbY`ij9>gnZuVQO7tJH~UGpEU2j8;BF%;YZE^{n20Me4aBe9s>9roTu?k z)jaMnPuqU}*IE~_2IyGPb*tyW!;VW|E$h$rcR*-mat26GH(p2SaJbTgfYE&># zM8>svYhg%vc=Su5b{ofhB|g#xw)%Ijo{egsN@1W{0JSjsjFO3gS+-g<@ld6Yv|2?w z25qraNrX{Bu2afX_%vmCp#5MmygntQL_S2EFB?&!Ak_kNQ#J)I93po>UjR|rN^xIy(8eO9!L%Qzr^)a_twQ1!bZZ7+4o>ob!DqT36x_GtuqGyNY=_ zW7N%{9m6e@Mu}h4$Jvr!1*w*DWw%P;?ynZBLpVz1kb! 
z{FKf8*vTk5u@cXdW_r_P3Q1C?w%xd*(aT}B1>3?nMt{u{VZm3RQ8}YE=qsxoHs~xe z6vBCmxHCv;J2)zeQFBDnC}V!%SsIvZI!^LdMO0JTH+m&e$vFv%wXoE%iTslUiX<6z z6ewk?C0Q^qF_#hya;s9S7)Q;m2ZzF>$`!t_*1mDh5q9Tl)=3MRa69Q5-=RsijOCg} zOSD`eYJ)?^t&aw(lMJDulCQbcGRVHR{n^nChGBy`HCqe}Sp80z+^$o~==(O}fhZXZ zyK*V7?{u(8_%nwv$S@^E$cpxQ9RKY zX*OZ_c6i5BoGH;O4wJ5%V@G_*USeR#R#@3wu;-mL(f4bJeyuSyIv(nxgqV#>uT%)R z>W>blnv?=^r8~LS=;dKqiNSI(e!{sE%9?+(Q+pL@*3asgyi*RDs*7(@)=EcnhP)R6 zgVAC5K?6+wV5fG%IYJBPKjW} zl-CVFxM%PC4f^N&%Lag%-q^1lRCnhE;+*MX2!K1f?gsRX`B_~!e6RDtN(rO?qjp0% zP{M;+8{}3J{y+jdqANn^7-~l*Y_9jB1X1DICX$VNH=mz55!z$>lf2`%!i!Y!eHjN#N8h=7srK=^xrSU^!!mWM6e|m1bJr0pkl4X z$avCY^#K>>28tMP8X}QRA-ifl1uuH#M8PG5(FpM}?tPL2kPiXosDg6&sK#MqNL;1r zjM*Y|U|h7aPu!_Fcy2nsRkcpRB|=fTLrFWXkY0?O{`Sj?O>rtMr-Q|xh!|rPqcvq* zVsu;zT8r@FdBqnWAtsSHH`5Zo(ODb_#?BH7P206Mu{I^5F-2mtq5gmv-CwlBEe%PA zQ<~3UHWpxcWcgn}1@S3heF7#0K#ich=iXOjv8m^;h1<+l6hFje_g_Td+q7C>jc>yQ z=KFEcb+Y`AY!N0SY*>*WS$)>O1wNwX{oW5hzkxVDg&4no>^%T=d+$a{9U(;>0}D7_ z2=dLhjnz&s8<%t15de=@3mLwf<*m4qk^bLmr!#EiHg=kL$FNJcEw|RNHxU z5TI+nIaeVGi{3Fy=$*izvHmCav2e@tq3bKO7jG=cLvZ(qxCp1-$V@j5+G(Ch4N zichzLmP?z=?7P=YM#pQ2f$K;6z4$)+22Dk{#2jw=rUsS;CJW?2;tua4#YPIb@|F{YOeD-@cw$O7|?AAq>R`yQCtsfAU z*53-k=zHmZ+Pf{axIAy^hgFv7`2qR8)a*a-3Z~b9G>C2W~@)7)h>(=6!U4CC7p!&Cu zm>V&GbY#riYyJYzt32>+Gpba-M?C`XGuhvs@5=vA6p!(~s=e;TDzN5$kGPZ0YkWOS zcg_3xYCl%flft$<#?N+>t@O50zO~D7(Rvj9n#XpjAIJXbo`%7+1LqoaMd7XI@)?)* zB=CN?Au#O)D4shiHf_bS^L+?gdVRv{=5Sose7mg6?zyl>UO(R&A9?r<|GG$Xb2IpU z#p@Z}a6kNaTK;)ZIPGr48ncT{Nd4rqUR&V4?Q(h5wOCVt^MkX~`@t4SYqoIY1KBmm z;JTR3d$C+-YQ~q7ad(h$HEvf2OUwHY)gdelUw=)sA>v!$qa_#O223Ie49KE**ohWGmK=6ahW84sY&a1hl?&IFAF%k%Xlm2mwD zI!j^gErDBrj32^Tmp213ZHJtWN#hOcF3TU2x4U5Z7kE%aiM+q+N-xKBhI)2b2AT#H z#`tGfts&?c8xwv0bERBJk=o1&$fv4m%594N!_;xY7g|^|^|W4c_GP*NA zv#qZpS;5u~mZb;NkbK%(CPhiuflWP(qU2B+e!?t~zZhE*XXN{sUXUKjJ?I%?@x6Pa z=6oJAle{PKb{hb_YQy{%@|5+~OQDX&a{Wd{@zrlvMYtXs;RG!uXR|i@r)_Hj&R<=Y zXec}1Ft9I*f3vy-PGU6BG-5Hd*)UN)KCgz7bDj1{q|n&3IaHKYoAq?o3eP4Ae`YYS z$F!oK63<+xp8lmfcHLfrU3cW!r9*{y*+7k4q+n9x 
zP+v6>X_`!Iq8vVcRyXfKtE#|NTe~9nNZgt&Nj`NFR(W}Wkh|)45=(+)+wNWRXx2$sv7HV%&TQnczQnXY(-C4s!q60iYoXiPaq-wn9U*dqo5SrqqKRq&iQ z^6VhpItC4iLT@`53CXo8VbtgNkM3U*$Ba$!VcRU(*#$ z|3v^L%O5 z7<$aA7Cj5E5(`(not!zEzq@3*eJX^O9htOK7Tf69%{qY;;RXrY&02Zn^b>hVw?#OC zNv(iK)hBbPHHE0qL`2I<<(3J9Y!0qU5$h>_%H`G4Q%XgVJnT%6HRDFYH4%=+5vzfX zBIy@a&;G9)PQ!;nG%I3VarjlV%a|eJ<+*dOiu8LY)$Irv+zDZS6$=iJKtqTaCmf|U z>jthX?FB!YsmiZVC(!)u7<9f`dOffgNP?m9uhP1=9^qhh@7<0KxGv8sFkY2L_S-NW zoWvLn9Ljp8vgxK`1CF?TNv(o zYD0u2ro>{ys_56~rbXH@6?xlSV471ZPsu~vjIgF^9od?qK^Ya?9fit zv5_8f_F4rz-C9KpaA99(AZ9yoVkm>5U`t%#CvbtAb0Ko{+7!c3+m=Kose+km0}yQ+ z3y$G5h@llqV$2l<&nbrO6W%3%J$ram<0XZtkt*dX1=XE@UMYWgaMLlfT;s3&a{ZOJ zo>#sS?n?6t7^KA(m3`U{UhVo=W*H7FgI1ygmD3dH6Cn6m!GUZy#(~;HP_3Z~q@?f}ynm)0 zTb2BJm1Qt0KY74hi>kFN9Llss66dMb`Van0ff)OMHC3Gp`_-jM5HR^2f5lkZfFRURa#cgN&Dts>86mGkR?X)|3Xi{asTPda{VU^@BvtB@^1Yhe}v3)t{?OYWK9vialw`a z0hU31<+a8i$RT@-0evd32uq-Mk9pJS@vH8sH4fw6Rz0h!kDWZ6<7vwco2rIdMzo&w zb-7-x6qvT_8MOc7}}Lpf!+Txwjj?=P~Y42}$6rXV9V4%D(ri zrB%O6-Zw}-I*Wp1qbII;FJv8XGvD2b<3BOQW7G0SX#AS^vU@0r2J+HDWnW&)Ze*lp z)e7e}hJ$_hiD&O4EcI=^Hg?Q5CEHlnf4j@pV~TFEd+|(CU=5V(n=BpcqsC_!BTxTW z{W&L~Gl=gXy@;IM*bds6lkY+QFv)`HjO)Golw4=17c;LLv)$Hxv^wlM&Fsy1D`jc% zLs|i0{>@m^rTDODy~Ec*&2b;VP(Rx0CSSSR(FJ;$BXvyX6X0Q1)$I;1Z@!wI0m?cz z!&fBM+6|L?X?olJxoA+0qUpMxbfZ4@^ zIwt(01)7DHiCPC*VjCZBnvxA-VUe34FHfrD3 zQOwPImd_kAipq`FVXfCI^DUSAoUy?;{KuSwLv?v=oRPs4?&H@a_!oY;W*^T%mFT6_!+%yb`4WQqIRL2Wblh zOei7L%45%`A^N3Cbz>VfId^c>z^H!ycK7gX!ReE&Zq7~o(MkS|I=z-$lAyy-{`KJ}(``jsV9{2VSM)D#DjgnxL*%OT>n-@90 zNp>iP?O(HtI*f~GdDw`9#Ayg`PCPj~R=PAC{UxhQQdMXNyDf=vnJIrS*gJKdceG6# zQp07~N(2kVhWOR4zcrygjB%k+!|qMU%OoXEnC?0fSJY82`DZF3Acj!PE7aXK*hxfYG+qxgN`^_rF%7|+cCaqdJKo6J-QUCZWlKV8I|g*Vp#)B1}cYL)LbMa2l zE?O03uD1c~=x-~K$g**FofUjl5bY7@r>iPyHceO*`IS(9u#tfurdOa*2F5&z=dd3% zp2lrY_QDsS>ixdnCD5Pku2-Pwm+9J0Flr7Y`&Xu$S4)Ji1mZ@F)n8%lFQ!sa^g_9y zA`_mKNQh%AKI^r#ZpeyS&jTidJnB^L)tcL{Nt3V3=PT3^DbW-O5-=o(DEd z=BFH~FH=_0o)N<7cr-E7kK#0%8jFR$l$h*mr)}Wy&@^+!*#Q}lKQa+#E61toZuOr) 
z8cH>9_GbX*m+3P=B%G|T-N!Tp)@$i25VREH59s-EvW<=~+vHD0f^&GFl1-liCj_wz zeGLbeisOB{RAl9-6Lv;*Mwn6_Y58qTtI%q*;DA;ldRr5Y1N@XAv!#KOcDvW9wf+d!Ifnrw@ z0Y?Ugp!N|fb8_NJh8a26?+23QVHh)tA&Fctr7nK7D4R*fZeFxiD2=pgNtWS|DaZ`M zuC-XOZh?Deq(y2DGq;P;1uJEh_Wl41NjsTPA2-1~W+DvifMXuggBMja;wB>82kG3+ z>JDS*6WKY9p4^PlvBr;hrGh2_Lt9?S5Ll+kfpW(CN#c`)AftJBVm1YeeX|VfH$BTU zxp<2fHH%a?GfVUThR-Ktv`J#c(@Wo`Zpl$^Y{a1MB%$0BUf3-%~!MY zJIn|6GqM~CY^V|`I6w%*<+rGgkAL|z!R1ZxEa>;`8JTA`F1zhgNqXyk_=&&>SJJoH zbEtCBT6BN+q1{{k)uD8G3iiz7C%mfC2uA-D|z{%}E`z?Tc0C;_=<;)HP8YT(6&s=^*K6$=%80 zt7=GX_`_CrVCN~rjA;$8$s``Xp1C9{q28MHs`;jG?#9KC{7lS}mmAb!l8|ErGX2Uw zmHoA&h~91MOY<}jRSnS<>yB}wJH1c*yCWzHK3-hiY}|#_ox+$U9VD9|>AW83~|M$9n`vO-S z?Po4vsiGI}@_uU!aEjNH*?RF0xd*+A7Zhtty?kCv=a%enP@1*Dy8`;U^t-#Ep`b1$ za9jFkFW-x3*S&}BzFWFjorMIN6kBEky|2l^d_HfD$aze1`AnDhyzxn^AMpu@=XgJ5 zOfJ@}UM41GJTPn?FFcK|uXMZ3$@gAfR8OxCb2^S#uOP_1Or96gFnAot%)U6C^=)oz zS?_Oldv@|a7Wpmz8sF-@h2IH%K;ZB*sC5T8;bPc&Z$eMOa8v=<+m4W1y6gtWp`9@Y z1vYWJMJrH08urvJ+xcUrAiDuXn2%TYI z|MDnq8;l+nWYijl(2*fr3jo(avY$sUajA)k8EK<)2`Z=b6(CxlTkfPzH)qQEeut!J z8pofd*2;Yew?oY8v?N4(Z-sUo1}fMhnV$4~GB1QuZs_SrmUuM5@WU}tPPG1M$~~4diHl0}$<-D0eW?3J^85QmhS6W~2qV-2i8vKWzoNy}YBqmye55zo zGM*@4b3%^gtKplhu1vLR3N6C3+ATO%U9&TJ2EwCG|GoR=u_wm0{L4sKahfq3%8{)6 zZ)&KC1|m2v%DL(9Vv2AyQ}T%FAWmyE)5hNi5eax!is??7nVPrUO<-fcNh(~|ryMHw z+GVmW>|g~qThx+c;qIA4L%=eYSmt4MWLYy}CgrQ$E>%V_t+#W>$rSQk%U zxhVu+uC3grZ;;LBfqR)_{H-eHp4iC39?aDgGavrCka;IsLo>cwe$4@LUhWKFSU zqd3w7u6W0YhRO1K*-t-DGs}VysY-SQ9;k)VO>(YmM&=Tl9@V?a62+@OgsW<>1Q-g2 zQYBVe@;0j$@gZnfSej?cH>|~HB}k9GN7a_b#=$F`|&=Id$4^QnER$z>o9uXJqkplxNW(cR` zgG!R@B2H6h-U*{4$@uk7LTs=l@_=bKurW;VXF^Cns{z*^{6?b5rWMN5W7c}pNAwNZ z3NljiJbDXk^1m4*Y~Kz~)KCt|q@fbB>9qS`>8a%Osg*PT2+Ow4ji`u}(2@!dP7o?5 zrH3D|2B$U_zxwZa+gEoBy`viE9d4|^cR2XJm^{-=tTTUsybt>L@o%&S?#u}%anj!jahNm@>{-ZC=T!IuN$>9$~!wBOG^CNS52$-TR?UYm^gQ z%|;$q5Arr(Cs|atBGb5DPgJo#jvIPt`AsQV{M7)ctWdEt!987d_rLJIjYs*NL|+;t zWHt@ziTqdl={yBpS`P9A5t;G3C!%q&a9|7o;sLh=7uH|?ZMhxN&|RuCgxBexS)1LL 
z(od%9&*S6Ih?P^T#~*8B&d2ilJ>voZpgK#|cJKKcW)7p~M_gwvolf(Z+Ram|+7swQ z`+Te8{K^_c*6`$aFnewMg!gXv(y)zqiO)}Meg>0W=+v_~Efr)RaM$dEa-^{LM8gh&;rH8K9{?bE}Ymccut=rJ{ z>_w(^#*kI}w%1eJD{x(b5LJBV%(J+x3z}Vn+q$pIVYkU{A9>Or6k9uptG#mi%lBpj zQ|KliT`?z0w%M=0f^Yf!YH^aU_l798Q!cmYsf14FT9G7<(3B%e^K#rLE zwsT8hLuqJl`OmkbxXZPN9obH=Tqb8(LQhSMp`T&ZeY+e38a zy7acBTkZNQp5;{pjqc~YCZNBgmhoQxYV$1wUBBxyW%B9C{cTWG-rik;L<2CX|KX8D zN5Et8Ik?vo#YGcUS<(ZrudF}51$3Pj{I21$j+N^| zX6Us&UjMRrgXlg1A6KA^YS4?-Fy=oXy%frq`XCT7YED+#Rf5-!#M}aGOy3baWE~5L zRn%cW(RX%>e2i?t%%6kEZ&o%2&;DorZkP^;hT(2<=Q zi{4;cDxq;oq?gPG5G;A+A2PaD*M!VR2dJjaU zRzo16WAXM9`}NadR$~`_5vIDC)SLL~KwK{kz(|YeT!>fx;Et306}hk z-TEO{(a_&Nyq8WHCz|i zQz(6jhI{c}UxZ2P&mx|^eL|Ky7Vp3T!FFLTj9@qnrk3M8hcS}?u>QAT@z!(*$@@7+ z1ayf)p1boAU#tgVOW`7MhZ#1$E!r6LwQy$Fs(=?X_GT8X#$gk1O{#|*@J(5WV#%c! zA7p7&3oiQShfoHsORQLp0^Oz}k2z5h?8%rg$kPU?;)WghfWM!x4yr_dDX`Y3TX;0) zYshl(_N)DPC|L6ich)(%|C&xTZ5x}R95Np-4&OSYCw8_k$lOXxBNEaex9QMaN)qxp zK@HL|3ybunO9YcBOBv<-rd9m&16H~|fGp8P9H;ou5?6Lp#BHqstjR`TeP{0s(r!5z zt-nr|-Lzv4bn_ul+`_f=zWNHBey4bty!%g~dnIsHumReC)?Ju*66-*`L97*82&Tfr z#A#xMzsO~@!?3BZN^6*RYdO5Zsew6Yab-fD6lWjReO+o87D%|O7$dHdC{18eF?WPf;p9fa)wbz5W^io z`B%wWM%ka(G1H7`>EF%tp@JL&ceAT!%0ZD+(ZNJ){fm*ZVj?FQ9yOdsGZ_|$iQQ)! 
zB_jai8mUT!JV+X^ed?5uXPt^HpMxaRltaDP zVwsd4Of)UwM@{hEYZ6{<9Q}YfK8?ul3^Sj7gQBj8?QBA8y6WNoKr8@@@_XSIuV(Op z-lT?mU#A&rs3%^&gsW&CmRLVl*N@Mj&m_=}{x^{1pk-wG3)>8X7N~K%7JvP9$gh~i zK<^g0m(b_-eX?=?rJ(ER^bODBgYWp`z6EdF!>Vx<{W#}y<_Ph$8gtqA-Ti6vtF~gS zb?No9-h0dK*vPrXz<%>e-CS^eo6h$3v5%-exxl%#%>9PD<&hK;JYVPap3@;DIq3h$fzWtm(qMrTMpB zcJI~UHRqkh@UJr}4vNDmLEyt{I|&1s9eE|jzBx79dvWCdG4)naaYftKZg3C537!xv zxD(vn-7UDg7F2L|cL?t84#Azm-Q8WQe)ehS+)Yo$GB|i1FRpP` zD_#4jJ+HqbtX>zcGqif3`0nm5zRh#E9=b0rm=ilM`Ud!bih(u#pzrN)PN%`AY7t|b z9W%s37maf|I<}1)dhZl3?)0r!rx5#Vi1iZ0_5u7MsQ@q_Use32eRfZPUw%0nw;GS{ zm0;FgffL^BuSs>?3KPfO%(Erjl-?z@u^~n+WvY=$s_viKX&SA+2sWdQ(hG~QCRT_V zj`;b1K<~XBEh!fbbp_z(rITzY_UND{RG}lB3#|w&w`>F9cnClaf0WB2T}O;?s$vE~ zMIz~r&Do3PoquKg*FQ-YzJ2#wA|{-l*iK~F9eAkW{OYMyWf)kXeg;!CJsukrnFuSz zbw=K=9lm%2e<-L+&%+$WR9@7^GV6Awo0r~?)yhJ1@S5Pjb`kt_s-)o)#qdxT<@$7% z({jkMlk;?t2cOfH3)Lc7zrI#jIsck+u^hh))At|O>8TdBx+Jou#fO7}id9-_@u^o8 z>V&(!1)I#EBzgMl)ow zL#H7^kD#!|o|J8AnO6+nx76LEGI8XlbF!^8N{S379P#WeE&L@%qc9`fouov`YX1pV zwIofJqXI6?an^C5wnV;#PSc2Y+Q=UpO)6b})wpv!180E#E`*qHEODR=w2%uwv}21y zCawFqnp{%Xt_2%?e@Jw$Tq{+_pQ$m(+qNcVsa9F0D00ZVYuRX`wrWNz4;2rQJOCAn z;v88S2X~~5bZm0zK1lRv7E{)VWU|S+J(+?9-Jl~joD8&@f+sT zzdW)Cd5|2;4^IJx{#|6H`zXjU*uGzxadJGH(Kq4UT&XFe`&FS15!}CeLH5^UsC3Tn z52_K6vdSHP6yN$^>9@qfb6M6<#geny3KJuGzA<%76!i!O3fa~=nRyFnPRCzPBMpeL z13zKvPAvRcTDhf(qTd9G5-yI8_goa1s|%5lOA%M1DeAGZMW0(#*`z>a zSJ(8-?P+!zW4ZDhkox&_=At^~X3K_I`?Ve5=i)*QkY>*ty_b!aiF!|G}62(RHLmr6Mwo|{v zTDGk{2*YE9KoZ_Jal!hzK^G88V^k`t;1Fu|3hlr5qUD}R9Qe?ME#o~7tmTLvQj;`F zGIj_mRrB+4fi$v4QM3rM!XZ1cq*yPBd%w6~tZPTygVKi7CSyL$l`r(>u2~fA9w!E+ zV>vM4UMZFtUJi(pdwEB|;FI|a&bSQbu9wvTbW z_}c=T`bQoO9%f#qLfiEk=idkH*I5q1-k;ZR@lxJz*4;lpAHf->B*eVCUBuEZ=-zZt zJm|V5Jd*kV(&qgyGmisPRP8*-2RfXLfV-C@wfhVMc=CLZ#KvX=V9q9g!!=d)ndhtL zROW3$j=)W&OdsjLsWW z&(X*;=j8T%B^Ib4ab2gn%xp9Q>``W4ckcZY=zcs~#mn*@Zd+%sp3~slALVOab@?cW z{%C@FaeF0p+C+Nw0ge$z5LRAAkO#`id+yh;DtLw6`151~es6d_UU*zk9TE+3Eb>=M zrz+^ZY`l#flz&*j!RKbD*(gu$6%UimaWO!ZU+-g2Q`hb}jPIsxeV1Ws(Mz{$oKsxj 
zd~4vmC*)rt2~T+YiN;t}!?;SO+gxV*2-@T7{>p5JPZ#iLw!P}Ev(HCEzZv0rYyUBe zMFL}_(;e_=?z~II!H2|i0=2y+-q7{lw+$>YxJg)d=kc8g`K?+H@YglG^)P8S-ZE$-iD}yYmAl^=XOjc2~S# z$gK@SAf`jVdb(D@TX;hU3R1z|dY^r~`&H~TUtZ3|sr2rSN4f<%YEGj_X>K3Hx*nfi zB;Kyi(9wDKUMBQ4pR-BLQaTSnqvhxZo@Z^|HZEH$dqcF=b z;Xh|qj_>XAKOpxMpokNJLa{4Sj$Om!QEEM`vA@C@CU|hjWo8-3i&v>uLNXHotYBKD z+FoU0^Y~!zZvsV6n$fGOFfJnnlnP%6qC$iihNIs^ao`NKnPn80j-M-OGW}6hsz$;! zLzQe%&$nG9Djx-PBTk-eM$bji>VJJgNSp)73G|>%p2rDJQu?6ag~&~-*YP7qfOrp4 z0l%3r%{DZp9TP42(;PffW#F)+EgBOo1B)b{j}7B1nQ>4x&T*qqTPkwCYJ6G4 z^A>BGKN;1p+(dqHTa>2@wzl-rI1P|5T!=eewwWF`KbiXkv!aYf?=4l*-03^XY5{K} z+UeU2B~P@0EhfE)C~WZuQ{dVrS@@aqvXHmzw7}YupT~C5FEjRs!6eWLrdcyO(2oBG zbFswTP+~_MRE1CdTb!c3bxBx+Ep|*&osQi{`E1z5`xCsc22u;s33L*M%J48>?T}&# zQ@CfzuX8kM4?i4hu_WR+KFOZ60&J>=g% ziHAq)N^8_6_QTyGB>OXisLkkqHzwBcjzqf39;^R!gQhLf#I^~*v_w5p$Tg;{C@8S& z#&=JpOV<#szZ^kbp^4y2nPSeqQ0g7$F`@FoE~MiLI{{T4mip$cm#FWf* zvH8=>P`hx?Q&0BiGcSxDu*mVAqGh`9AtKP^SKR*&%aBqO*AJ#MN;1wN?U5IPA!{O6 z$OyW_wg%Cp38~KAMj&qt-}}@n&FZL94()jGe^yG6Vu!0Ad?}3`(^6BmEao;uo0bSz zAj=Y)@e)@*Mw}Y7K_Zss$8T4eRV*6k`aziB7MsVdPCq}EaV*Ppg@QZJLMXC&2F<;) zcuh8Z3ww6wFWc>ppFUB#?)#lK7?lb);^B0=rwGMzC3Lif@tdr_rswj`I>0c+@5hCf z6Z+5iWqD?sgD>rN2hz`TAKbfHOVOmSjqC9P6`%`lEck_Rin3|dmo)t@p8A}E0;t&C zA{@m=rS7bkoHNKn%)LOw9HbJ2v_h#Bl;wspyR1xO`&m;Tji*pH?TWlR&_Y^+mCzR5 z)GLcR^izI3-q(V^eMwFHLbXmkX53$S*<(*)6$$=1BH@bmCu!A0qeUwH{94!QwKBIN zQX|SNvI+g7^ha*h6U|*#aqKWdh}-Ej@=x+$VNs&>5(`I#*=;1B1C!z~S}_dT#QyS0 zV1$c=I5+Yi$!FQnFKl9?yxjGRFRjK?P3f9Qw@TW%%aS&DJ@V> zCEJH1i!VO?nZS=CNcgM3EzPcTa)=N*-OF3S9cs$8`1w|QfOsK)6gC2pck0@*nO|HA z#R$iRl7A59ldO~+qP!7>gJ|#lKiO-krG-fCv4GWn{rVYO*`b&JzY_eR2}8F1`k26t zABeGsx65*T$c{jHh0nYl=lkJ%h^R86Y#$A#!N-pMh(m-{`+dY;Rq*BdEx7OD-Vc{t z$GU$(Tv>v;8ebeqKT$f5f=XGr7hM?)Y_cYtE=v&ba`bjG)l&4%@6cKUDmLvo++T}J z6(pJiBYX(+8cOyw|a} z48A9vkBa5p-9s@P;0Fx*cboEwfv6au>2CYQ)k4eDg}|XNeirLxRwd_3w7~C-(YQxq zhnKP&oa%`1^tX%s{A%E*&6lw2HDU!V`&}3gfNfAj7wci3Yj=GU;M^Tu;C+tRd*fPx z7nR5zj};QYdA``p>-4tMshb1tEnD%U0w0`wsKK;s`W7VbomrcJeXw<&Oe4BeiqGZW 
zEO&kG;>&s~&rNR-dR14B+w+q|@3s!Z(3%?GE~xd;hUGAre6jl|ZuVx3h==>i|w7l^O`4;{-{@#$MSGnOa9UqhNXy7#tM_Ax)s=>2ANc^;Ldw^T+{34C6 zAGdimm*dwU;OUd$iO2hJwX4A>L&A4hM;P|HE%9h^`Mwd-yKzpHB_=o`*zy0ec;HNtfs`$M24n0hb%w2Zx2H)f*-QYAraK z2T)^-jZ6FXz8%MF`@U`4BGx$$9}t>c_e+|q*&TVt3&6?6-U*;R(4hXgH-HLq1AZI% zOYz(HR-x&bSYjMRN9^~(2YPHhgpueZ;b zsTjzP>0@X_O~ys}97fyw{s~An+{*oq%}OL1R{YWEa}_fZe95QiKg^L~N?lxY1-}Oy z1u2D;H1MdGt{-m!jM77(^T*PqU}(Scr;2!%5E-`393aDTBTD4ksAQOFl0mVusgrIU z$KxL&u&92W9wdt}pHr5*o_WdL82*EY4yA{SB>IJ( z;8ZXUDq^pute}CqIPLeKELx3KPJtjw{*1Qw0gNP+${;p69F1(uY^Q!~a3+mn2%6E! zH(k=a+vP-%u*p1eQ=)u?)4CC#Sy>ROvUP1F>+qkML?eIHiV+m{#P|0cm4Z7dnB+Z|0)G$hJqz7S#SHOA`vk zMre}GR-AXt0;fUBLx*QJGvpqHT6Crr|0I)+sU0IQs{Xi0|8!glEkV+pJ1NxmJ#*<) zT7Z%yDU*a%(838s_{sz#S(Rp>`>r-|a$iBSI{7f(llwD25_6wLAPP4`m7VdlVs zP#9`?!adB6;j0v&3B`;ek1t5{1CL&0{Q_be#N*1iUqSjkKbmFNwqU%5`?=BTnSbd( zvmH*9Z^R|I#HOD$%&Sd{0Ny0q2GT5b4oQL30Pk~d1fI}M9w_&@U-K^WK zJ4EYa+x}=UAzW!uR$Kj4Zh0<0YAd9PT~01Wp^7|O7^GUr;a4ZJ8iq)ha!aA-)~8HC z^)y+q9z(chap2>xGCK!H##rb4MO*B}BxQ7!L?_vsxE=n)s|jxZbwHSX2ap-!#bG7F z&1v{blNO`nZWqK%>YI}S5GH*8_3pC*4-uB%@ON6A8h)f-0hj#9fh(_IzU zX*t^ec*_NUaZdZIyY=!eT2M#X$92 zR{JH2Cl9Km{uzCmt8A9Tx2TW9DGs484R+J%bSlksx;{vqSrh(Nq54w0yhtpCQ}|a* zxQj4Yt8FC79QsrCA}nBy^AoeeoLAV1sq?Hkm|SLgyZe^(j1`iWmXr`H^%viRSTo695KtqLjtXY@<9Az}`DtPITZrW7D6C0<^k zW!b=yXpLdtSQSoj|J-AfnD(*SGD!$@FBKu>{q1WqSV;^7*^jt;4)MYDInTg zNP60gB@sEs&Bsk`xw+lbUT{t}-~97@b;ns-lEN`wN=wu2dI;mnZ4egl;os=3dzxF0 zU$VfKp%0$zv%A4&T43_Kyir;uZuiayD4uLaBD%|}-#?Adddfg>sMC3-%bCH()@_1l z#rGahVx#eCmHzTL#b9}nw|R#>v}YyZcMj*$)(WqmP8=#{W)le z$P4RyvnH+fhQ3^KmA`X2TgoelbCb)85wOh8xVbg{iTh@L*Koh;RBlG#Y?i>Rr`!z!M?e zu2Z(Fkhe*1Ck>ysjq2Ed&H%Tp+arP}+e7}B{&mL9$ASH9z;KgMWpm#r zzu>X~Y#?3cOxkpeRp%sMKW80!lV-nOu!dZAE#JvKjb}AIjeX?WC9I+Zy1bT*`UnPc zj)%Y>&5zv_HvH?pHBTz9kG?f$jHhhg0-Z09)@xt{z|Di)YM4%CpG}VMW0J%LgMss2 zMxRo*S7%~6PbZe{^+N*id8bGx)6w1otUT3um66rlzwz>XL2A&U>yC2Wy2}YUkH6UA zIT_6Pxti%{4Oror7OKY8UuX4wZDpkjcT$9hEuvKsgmon*RXsM#9F*-%LICwK=tZ?f_tsfXv8A7igb}U!ume9l 
z8-?q#JXPdT(lDZhWMl9Xvdth3qZG4t8Y9ZeZ;fZLg9yC8MqiI*Y5XyIE?i23_ZPf+aMqDmS9zs}ikaoF9(?O~NUyw`QSnTBSW@QfWzAOWi-|?K+hQRcGMn>7qM5 zgmR%d6vC#C94?B+x$l;zJW$glAQ}=Z?YcxDaI@a9fTja_7++OE(J`cogd)cD`Z)P& zuG+Ja8yhMUgZ})UE+X&11i^6?)~OVfvxbcYMfnN+F(ao?E3b&n8JQQClRo&^GL$Js)3+)9jVNMuZF#X}l{hx82G{Ze;VVr4yQJRPLkZWt^D(eT)lu*@-y~Y5G6(-Tdxph@p6>0z%fxQ!%KXG3I@SA$rDS0MH_vt${QP(zq>nW~HRiiKG^XuxHx(nX0yaU5C)+WQQa z-odJ#NKhQQg*9fWuLnt<;@GM<+gOc>7NKcK$TmrtcGpCikV>xX2ZhZvo`j*;m5NK! zKbp;GuXz^uNNe7IY#v{cSMun8Gs{@9&kb3MxvW;|c1^2TcoNVi!Rucxh>F3A$X;dS z&DQTOFr}13xfa>BfD-X3D~OZ|cq=qJ%~b4#bu}g8{4(R=n0|96y3jaz+sJ=qB^#I@ zk{$};qFSHzgC6}%gj>2S#25ij9RzFKc&6ZlE3n@JCQG>M_&&Y>ABDUkwt~D8=&w$G zUURR@hIy@ugFiIE#c;(&2iAC3__1I6kyx2{83&fx6unWrBUn1)w86c(Pi*5BaT3+! zT9gQRN%FFwh0#(z1E}H70lkm+Z@Fgk$j{<_TVp=aN7r6rKR~S8Smnn0DW|7DIKuq& z%_SvkHj6_!DidvsEodc67hO9wNjYdQs0Eke&(L3w6E)<-P4i=9iKq`7;qRSrCe(QZ zNsX?Bex{84sZj9jS7+|^QtOT)cWPrf9^^xkYHP_Z3H#1IIxocB)0w^$CgQxtLZ}4~ z=N07?S|q*h%X+#$S9WZ4gc$LvS+6^eT-XI2RkY2dq=^Mx+OdwEk!=YV#@P2{^iwR#6g#bZs8WUcMz^8`0#0@Z z<3lK3{6|p%R3zxTw|IuSJhR9OeTzw4vcXn0*-xOm!}d9RlV3?661KY0;_!&tnaJ(a^t`qeAD?lH+LUY&?8AVdW(8Xzp@&Nnh>uJZoil%->AUY95e@ zp<8e1Tt!Rq$=rNNUvK6{etMpqRWh%^e;bhPoTo--i`-kmmAj|vw#)}EOH_0Kw0&^0d!9Bi*8e;>yrw7Oc? z;?*v8M?!M1Sx&}Y|3v83Z`4%_2tZDr$0~hKq3kokE6g$LH*-ywq}t74&jMc8s*j5S zI^de2&X6h>k&78QeVvn@jCSvehR36{daajzQX<#u%1wTwgvaCN&xNUY;W-SRW69qYhj&zF{*HOGZX=cD~K+mEmVJutLc`+htk)p-~NeYNsE0?f18d0+R`i;^}TFc`zo z`8(Tv@2Dt(zw5QseW|#ZhYq56bDf1=iw^Nk`OWC_FigdenZbP@wReP&+^)Ft@Io=! 
zay-B4?)4<$ym;vQK5Evd4s-K1Mqs|y@?aG-zMI<#dECJD25vaF4*6p0`ug}n?hm-i z9gW;_PW{ffxdb29v)4n6jr;sGT24+;x<5f7RUtHNw0LB83RSXphcTN@FXhNdMT`_t4 zG~NDkbY}M5?ph)pC3PunPwr6Et#6s^Z;)d(rz-rhTh(lthD4Te0>+rx5=gEp8}}HO zP5M5-PS|8xsy2i*SPg|}4t|NN-)-Jebv#@=;Hm&y+rmgiJ3kFI<6QeIb}5?HEYzu} zAEp|EX&|@dT~=*8=Z#pQCA0?{oO6p7^>nN_B{?=}BnwX4S=?V;JUk)+sdck5Cdskg z-dvld@!^G4VxGf&qG}7+0ay!9981`FkQUZq|Jsi_(So?s(Jo!aWu?KWPUFT+1UUq+bh?g4)fOtYfGd})bXFB#hkaYD&AKi>w`ffF}oN9wzbSa zVhx(zx=*hTJcpb(t;pKT{ zN~?KI&w?`6UO9BHq9ok6$uAemuqOpWSdqyVoqe2^Epe(SJtmRG`}|_C{e3l{8l$cx zT8jh*EaP>XQ0d8nz21)LNu;&Vzbo0h%L}qSS-2xR|3swz!nxE4cQaK^0J7(@Iy6Mf zM{?I2Uv*)wD74gN~5J0CZ9qybq_E1}p3lF8qXxX*_cMJ&|(mdKWRY-cW_K)*>mpRil## z5jh1bXA+gommi)Ev9d@iA!i*JH73UMfK`ia;}sM9q!G;@)=}(+#xBZYMxn!RA6;51 zqhgScS8M96c+c#J@m#=0c&rDwNOY0o-S7DiHffE68_{ZG+}ZxM(H9F*Iy+&~V&#J_ zW!uDFD^ci8rgg(xkI1SR~3DHdsh>7-5+rOvcm zGoD^6nF0z*r_NNSX^np5$K7Wm;gC;I!7N|7zaiO@xd@{e9d$nH3sV8IYnE+tNA8V`Wh&vCv4i6tQL(BdYtT=a)3^lz;VXLPW4aYYm`~(TAtL{`yZ7=g? zH9NJ63;aY4)<-`@k#61~FUKmIOO0MBgf`DlWx}9An`$7>P7Sma7P-a#<2u@;6A6Dc zoD6?%#k`jU!1@>1v?_7pmEG*G+(;ak0ATIk_afrvAQL!#*;72oq$WB11V#TtF82D? 
zWHtvIu~|6~P%1~&b7zwJ*=^PJ_47lRfE*%#SdY}vk%J*q3x8-ow1_s%Txk)tiv&%r7F%)MRU-Njt)-v4)O%E$Tkm%@1X;^t$6 zgZ*`I5Xuzr4t-*7(D|ZuyC@*cJvztrrL+57&wXVPx7u~`{r2Hyvh2{lW6Z^t7sWn_eeiA@eFw;sTt@^X~x!j0dmFdE;H3qIX>)+$S+#W(ahfOnOgkoT%CT zV{ExaXkNP>T?MY0E-Y&Bp4ON%2-t0?$y!43Ldw|Pcpx(Zl@D3gKsDdD;-x&G)?@KC zsW0Gpjno#fN!panj;C{*_IUViS9hadeXM1fBJ6ptHB`~^`}YPv-lmkEYl!2k)Q<7~ z(4pS@3J=iq9Z%zBV|l2;IL8s@A>?Pr=*#U*2w(Fky>tF^S^!qg01&z7?C>*9Frm#m zfh&V()}}sq#g_0KjfDH=54(oIGf#%^?`08r-P7k^0(!Sy7jmlxo;kp6n&nZ(OrJ$b zU6W1lD%zCC+e~vb@9lu~qSQvw-Xz={Ovy*Jp4* z19CSy1P0W+5q{c17u{GL!(wQ;WFGc-Ia2V20P!K+hLB$VHi&{#5%|#AGG`EIrPog{ z-(?K$55W{s5O}QR-R;j=0^UH}AUT5?lOO(S>&G7esZn}`v%-5)cgwdBzn2Lzot;`M zj>Bz{$PCJUJx+GMROHf#hLNq`jrvU3`BS)hv0N zPh?L2Da6-v8al#OQ1-R4??sZ;g&X^rt(2R@%10&&o<0uwpHT6JNzimbCzR4wsilDt z8u_M*;TU{+fKtxgmOOca-Dm3Fv3pC0Vexx$W^YAE5Tv#L+SyBX;H92nuO!6k$Fr0cG`B|z7%FnGj8hSJUK)mX1P};^+gyUI#^jSEQ&d6uP|q3 zVH!eAmEVqksn{xvW;lB6gwoft;h?G!r(N718&3AX)^Rvmm!~Cm58y17imb=O%Aa)nMDecNZh0NV*l6UovDJYs$5M@$c_GPisi#8NjzE zYO%6Y3(NMii(1YlYJoogv{?(c7U_X&_4=+>V9CDCmPVIS2J0ig!=e?^YsvI;tI`aa zZa=N)m*EkhK8-s5p81;4BbwmkCqpsT}BpDNYZ!pLAK$J)t405Q=wL-wKMBaBpatr1+7#ADiBBcV%S z{pqr~!EX}c=fbIs$ymnF((za&#HluL!OY}b5ci6Z zIZO57%qk-Zzv|KmI0?g?GYi{ITk7CoSsc7IjXergT|(A@Wy%W>E{GB2LLlfP^y>yO zIwG1z)Uz1b?S*}Bp77_N^gRjEPiGLL$s30?6D~JW_LZg4gd1*()9oAnW?D=Sa*RW? 
zvJ(>@Le!u3vZ67!AhA3Bq8gV@64W5dM`^`2h7ur+qdd}*4>j7tkYFT25F%P#gz6bi z4*F(2??hC}ks9~I8E!_YL7p=6smOFcumJS!mqLF@ZK+}>5t+NRc$YGD0{2Fl8BXst zq0eUpJXi;|WYOsY7AY!RZ{!tbmUTaq#dtdncccZ?85vb`T?N&gcPSyMtd{yj^ zv@43@xS%lydm`m&rnHLONdEIbp(#?s7-~8Ao*Q=IX4$llgqVWyz9Hi4-|>c>aII!b zh55q}Wb+i2>FG;V8sWc{*};lYdIJ$_!mBBw54&o&IvyR)5633Cjkcxq4}+ZD+g-2E>PeQ{ zy;9ny+6g;(-f-ge8#v!zm~0s#{py-<(Q z;K7fx>sA~xlIOJJ~Ts7rg9% z-4WUCb#Gto*M%0xQtzIH_8fpbN&9Uo^ghHWW_7CFYD%J--}8~(zH2+xnKP&T0poUw z*mtQ@p>xA~=XnvG-|iCO;n(G2dA5(0txx`eK&RL7tigrDhRE3Zd;VjT9HSm!fc=EP z+@=B5=WETbSha1-DS<{#>uT1f?rF=fkQ~<;)~Sv=JiVpt?x%pD6#dpIshF(nv3I)~ z!^t8-;!eoda(*Y1*Z3&=w|V>O0nYP{n&r33SeTpy$|wVSVMycQ*>q0#7NU2dgnP?% zFWRg7CGY9v&_P$j`_|stuJ;{!_gSjUhU`T{eL3HQ&^_k!c|8YM?DV5Aw8g1$SpsnL z3h94>z*R$n$LAmbrE}1eLdLA=Rk=E(Kcw#9yXQm>I0s#z74o+FanlkG4v^M28}Szf zIoHmec0bGP3Y-&F{KtSwBdV>(sX+|=-T)nglzfWk4S(7yH**=F2Z#)F`MV-Sz(GfQ z{g04C2N&*_PibIC5woP3puO?H7lxM}hj9&fru033o4}a5R*qCT;ktrm8w}KUs99L@ z3K2He&TuK6WZ}Cyv_!%`aoT~Zg%^~5iTS3M`P0HfhR}5xAYCo%2W=*OCN2DZE9l=; z0Y=IlTb7rAz#3P2O>BUc@cR5D8J=@U+vbrQ+}`99C#IlheFILMvPxuay6aL7Yxz-mAacio`E8DFCu6vA6v5{=_1g8X$tn|0O(c|b z;pRhcEy}}O<99!}hy4LVe zqHCQ?lfKhjQZeeB#BD@|Ym1ILMB6Z=N5T51!3MeptzZU4q$Yi4E$+wNiWFhcK6NPV zSJ0h|7ymccHIGz874={Sb*cfVO&8OC46< z{Ei==<$rs9EojIp#ciV}ihmXJj#oRc+o2jH9>jNbj`~aZwM*AFU$)S%*)KjYLpdS< zl?N;7r*YTHu#VwhMSNrNG|q$xd7g7zcsiLLI`*i@d_P9vaLHA#uT;>&_AvLs#>JF0 z5%SOZs-28Df(`wMQJ8V)@o~!y7#}V-6qpTGy@X)nwiN56*CLK!fTE$r9JFBmJbhwj zF7okjbke_C`6F{)Lg;a{zq_NUBGm2v%5m%e{_gw^(626W)RgUA8Ya;2(5U}3Q;khu zVqs{TAcq<^Eq;ntBy%{>aB{3&y>v_cLlK(^&(Covww{8@jIW^*oAp>7Bw?7_uVmRY zkFz=gsepW=sJe9oW4)~dWhvEO$HA=UhNRayFSAt$2yZ-e$Q9CcT1QGh;!a-jmAVbc zRm(K|wF_m1ghAw8UmLGu_jJS=}F?o zU2;{j`py~emKV#xhY%Dj%lMbRgcp{e5uR5)z&D8~Wh)(Yk2Ha(Q-$mLt9lL}HC_{h zsY~~>lx>cdl{;>#8K&Dmg|@+9^806|x_v*}xE(=}AL6e6!lltM?}H;16~~%QJ$Xy+1rl@|N7eo#xNRTFG8YQH}Xh?o+S8l6C##ur+*;iS7O z7V$4KzC*>GFr4}C(5TB}x`Ctv!QK#|Yv4U8-LH=lHJN}1%?lEX7}M&fc8CqlMeAYM zs?R@QG(`6qwl@Kv|C|*hfY^YVClQ;?glSG0fTh 
z3|<`)xGEpRC2d;nYmNb41aXpjBX~nf%B#C<(l)g?^;@u{Ha$iW40Nt`b}rw0xGvV$ z8E2|H&+BMYqy+BngdXXAciU%OB{~7yzIYTIeCN~;*Z-Pxh&P=siu%}ly>z->(ho_& zEBDo6kDFcJ8*k{H7r?h+Fh`S8EhGLZtb~P~2p>4qd-S}+q3MPHVTmGsutc37mJBrs zQ4ish+$Jty1B|+7QG)|o=T{t7h=VJ8b=yH;cT|@PZ|5d2+sc6I)|)z4g5`k8Ul-T* z-E6OR4(t~(8r9AV=hkO5RehJ8wBb>rgZR&1>Sl- zFLtrLzP;_QZg@P!pvw~14CxIS_=sM>T)no3JV!Ngx$N&lD)?Q&Q&YE-`Ul(OyWR}C zkcq~{7D)A~Evfwt;122Hf28u}x7*D{$QROkQj7mNMnm+X2^iBd&mfBug@HqXh5vFSi;fkrRvG$@LweV^jDDUS| z5i}D&$7r#KmWy1Rq| z3RTkZ5@UCX4K%p(7WMibb1$2CE+-xdqrOrq{#|;p_@e}~IGMiqI7UL%6k3s3Lel-F zF?{KYn9!6W5(i%mjgVM9W(_$({zs{9z25^NyI4cUYu=vxi8>LN>2SiYrLOq{WwkfT?~4!%(1yP@Q>OqZZL z`(aQHFGcjYwWj~`T9UjAIfylnAW>16NfM`bP*z+L4^|sJEt3ixn>>MEf>qwW z`%B|eh9$?7D2~UU33$`_oGxX_R&U~TV_=RtyB)#`4;oq)WR?8=*8o@M*o(}Cjvfc| z+@^|Y6z%K_{qzc%o?V0u8$ncsWrzk`%eK`g`MA_G7d131Lx3mzc#6MWNsPjkW&fna6+r70lOlif5Y}C$62z-FKUSYRp9p zeHjWXQj@RxcX5u}jL>s#DG&y2a zRCFxuDeMdXIzpcY9XSiZ)~~D^DK;tedq_!6n{!_D|v2z|0jcGR=gW^ zjH}zWCJquz!zlb2!Tu99PIge;sA7I4aeEXuwQs^M|4Y5r^9yV#v zoEz3fJ7gC0YqY9jwX7Kh25J>xsi(#u)i2L(7D4~gn2kt7u~ zA`eE*sm8EP`5nlcbQ$jYU1C9;*Cu@?kXjWvp3Fr;{!ftTr$pi`s~Yhxd>N*%i)zrE zr#2am1iz<_J==;FeyLK|m1>J4d`&)}l4m+sC#!}Ft=2(CatULI!r^tEmO*97Dw~YP zLPM;TY}3T0r&Ph`L8{WmhkLPro_{YWkM(LcYjoya6EtnHhN7TMIAmdwKygeTildH- zp)4c|in)pEg$+SW4Te{$3c{L)S3_}46-CRuJz+0W3goIwgnj{N~o~90G`L!X=^B-t&@W2Pr6Vb1qD=2meXaHe7{{_*7i1;9# z01XoZLx1=g4i{HIT3uUj-SiLt1nFG(t~a%3$BX$oEORriy+#8jI*K=d`v*dId$dEg z&GyH=lTM3!O`V4^mCv-X)tGCi)5PJGv8-h*U&0``KLwki=mxXDya%SUJLN%b~7i0wbj9;S5 zcipbphwobV&JJX7IYYQH6jRjv%PQd1*QKvehdYLN&Fh?Vh}8AU&mEBbl2fU{@3j!% z4RJt$yd7?MU2XYjT%GMMEbXFN{2;nnoJ`iS^_@r)yOs6Y72~mK?DFiZO0l3)z05(8 z-}pICvIk9iz?@2L*4_2#@uvKd(1KD6V(DzYmJTJCxU8GytZv7?nb&A_+@i!1S z$$X;gzCenJzJda5*k&KobGfIL$O4aCLeO_1cpYG!n|!c{A?r2d)*`0}Y(CyV_Ws*x ziP8RDfo)>hVT4v}HV|BJ+CA{+&VCVS?Q{PD7OdsGy{PDmfaZ7HyMq~)O%mEeG8+gw?d6y>odjTfd(Jd*1qUV>%P zw{_~qcGmdY6V^m|8Glx|w7~g*X*m%(XUa7)R~qUT?U?6!{3AL^XE|#&7%!{88d8R^K@rtEf+jyI^bhAg+>Wth|m`g5KXBNIu<* 
z7$q(Wv4%CPGFfijSx~n=duTpNh}eFF)7PbGwgmwi`D=-?Mq*|beL;Rp;Mpc{gh|NejaDkTRT-D@!=$FAfAJ%^=6;KOq*f-dw%Q!?0xVkJ zg#BIlM3r<*!;sHxS1hNF2m_Pq;MP65kQA479Bs9)S>uIMA6LPxn|DlI0xDc4={0+? z90+4 z6?g`(`D6BZRHS+%CW*N-UBvrO(U#X24oAh6)O}dWzg>s_!%WoCqyZ(7Vp0mig@goKdba?{<`#{u;)A(BTQr@4;Os3RZ2^0}AaKiF? z_RtF_32I3xsB8vf(HXQT)}9nnJjS1wysa5zhIneNhpZ+^hgg3W;s(k*@7L{kh_$XA zT{}C^hlGSPhLR+dB>?493rNF@O8j%HVhN;Ux{+2L?&Yv%en24zD%BbeN-mS!a|W(4 z)DgTzz%h49swrojKvM;>>< zu8)(5Q-hIj4ATLS4-@i0kKxjo+_z^hptag#$|a4~%^z90A|gSRSN6lmhV^U)EJAK+ z7T=nm$=|?tfb^7jQI|J#p(no6E|v*@u~LVR|4v{CIIEu?)i14yVONf24yze5;{A0e z><3=?KXJCCx_T2T@;kl#nPwp<83F2Vs7UGJ&te)0-olB;#6UfY(Xw4V0ytY82Ik@T zdHcjs$uMV544(5BC^DghvVxFvUHrxE5N4DJ9tsk8HARZ6>87;}xR~S{U!|CCjzY^d z*__Zv&LuVi)3(Jy?1&gn_o5Q|Whai(2R|Au0%#853fIv{;Ha4{Qn=@(rxdJ8*BMO& z6n!L&6cZAnp;MT_a4G7af)o>{l#!@-sbo@kS`v&Xv62HBamM5Hw=zMy+m25Ds1xR` zrXUW}Mdn4x(-vz!4uc$8n%|k){(6O)y2h)DDbRG%NH}v}tPpCe!^;XM=by&;rz2q| z{(B%*VZ8{ig||6r4*>zJ=lSn9+vQ7ak64fB;^ND<)bEJ*5b+w#O0^Hkq;Q)wkM;BAr-T&=nMwtx-n_!rc; zwEh@QZ6Wg7v&6UZ-cKLX(*L}$xUHK}^%q5UWNk$HmENUCPGYAN2bb^wyB(yRtX`yFsUJ!X^5W;=;2Sz5s~r6ZzJ| z(c7Kv*h92l42j2cpb=z{EC!&uz5{AAxLqCHLgCeG$Z@^1K*rN=9{S_5Odrr8(fhQ4 zJ-nCta^FtM3VuE+pEB}>2)d-ayfFxYTbEXEtCl=?`Jah)?iE3vHa(kb$GG-~>e9+3 z)#q&&Xv(J5XV*9CXlW_@n9q0~WA`bnf|s|A(HlHO>q9v=I1yJ=mwec6WIL zj4LZWbo^jbD>ZZcELJA?ls)SCDnKh08OkjI7i^_NO~Q^bIzu_WCQnK9O+J1DE7!+N zcK+j~)iI*6z?bs`^vd?aydER`j*by30!9I>QZH8 z*S>4o^}dPhB2Dl3BpsX0_w>dD20PUMi8k=ee5Y zgiJvxIXdi}qE9CRIj`>!_V<9NdkE!a+9SlPL3tNYLp!=Ivsv<5_&~11lzZJTUGzls zKJs?BRRy`%yd|fpo{1e#Ol}wVvwk~FI4o`G9S)Y_)04N3+)xY^O^Sd*;IUC)pU>4D zWk}*|vaB&^9{z3^96lJPeak|g#55eMUnk&NR@AQ_=be`@<0BstTmS;0$J#d@hD%+yrgyky((>(g9JYV6l( z(OkDue)Z#hzudoxX&Oe>&)+MxIV1WUJi514^rIX5|IS(cwgA~2!6p>GNW#g|A$`dG zr%0uS*O; zPn6S?QOU~<5qwId8SG`$GAI_z00&3EnSS4>K0X!F2oL)}Oo#zJKT6K(kFywdWsR6AwBZ!YOGS z{29I2&C37w#w<<~PqKsand>Bx-Z*<_RHTs&uPiTK>t)2fE#xpEVj(HLuV@QImAbdu z{~Ly+u>WI6Q%s$7l%kS7;#69p88Y_*QDEF~`e!Q73~^LM_cwpDv<~~vLiTJ0B-s?9 
zt-n|b-yWK9?&Be&V=h9ZyuhZnV1XN_l<;q8Ff>v5@#6%!rw*-FZZdYf=W{#BJ{QabrV6kfn6 zLhcw}7-~m9Ohq^Rv9#Wl;2wSxWD09*syZz zHsZlTeW=}D45Doj9(9L1=Jd1J+h!ZYmL^(kf4^AsYZWJ{2Z0twK56+feQ@7`pfOK> zQE73ZiE{O?#4UCz(G|%x4dta<)v%Kk=!D^&4o0(l^ATP`t%!2EsZ)fYeU}w+WCC3k zzI@a)3AOXDrX)nDyKw1vw^XGyzJ~Y4jW#8OVGaEborBNb8!^v}6TKoyMfE1taPt`p zN?R=SHqR7MX3Y*1^H%ojO|}C4g)s5thzxUdjWhg43QX+%Gsf%6CVqm}0)HL$zI9XZ zl_?vkIe4pu3uR}E}S2Jlb@~p%6{0s=-IiMLuacW`8wd`1HL^q zsyHL*=-Vyt>Oj74+b7$)x z(Cw())?ESncr#K_ivY?{+b#*?RBy zGx?_m?$@ns?RWVp`7qg==bI5f&Y^A_GgM`YwS0fP?>?*!{bH+Vd0COk+!glRK>mHJ zceV%4Q3p(E*J9xvRyC~I`-u8l+!VTGKkYjJgf0HuHiF4%SY7(jqgT&t(?qtkZU1B} z3g5(GUsZQGZzuzO?B~7$UKd7u96`r?S_c2BzKK4)K}=pD*XNLrqQJGoInk&O)BN95 z$mlr)`-$uR0rpuF0R zlnfhxBT_ezkTF(Li_obdA?Z?8l;YXGeMI|}AZ&Xi_VVt8VoABpRlg!e!c(O>@RFM= zxU$`zfwY_Qwr;wxABY*jC+zgemIA)>yo4a#*vt|WO3Rz=~ocgQ=<3P}z8Lnbskl4W2a;|?Nt^JI~qR4bk z20OA@sqO}1H?*(yPs(u7m~4t#bh@O}y)zU!HE-F*G}dZLKUJ#4f`~?V!?Kk2v|6M; zUGoswGL-7C8gOz%LRTdJtjR5Po39<2Bg%BSM5?UgV3rP5TSb^RQ)l(qleheYX;+nn z(viFSLJ>1~cO8poCdN#QbTWLV_)}F9%`Waa6U+vc<|V{)xo{7L}gg7*5a>e5e~Z3H~I26Mu50)FLtc% z>_Dp@Id>+)VsTD0_9vI^a5ZAyabbP50Z#5kPffH}=M9Rd+GPS7dD@Dfg(l&SiGQBn zKV4Aj@X+6@V^;?CP{4H$e9zRPZzi7?jH;~~G*7G18-?7y1EhXOt#Q5I9_8)5^z*gzww7XrtlHu;6izt7eZW#i^tgfr#g-_4 zf>Jj|=J|wU|Hl2oK@)>f*#;HpRov3R24{hE?i;1LC5Pp|W^Sz;H7lwLwcH_!p`}2v zF?v0oo=b22wbE2q#)2SK8#O|AD34ESr6$sp{Uzj1e(horN}C62N3}vuXz9xg+^1JDez@o&n2^tO3Q-RXHeGtxN zCxPX6Mon`n9@e`$m3rapxyE^w;2H6O&%Uij)GBMpL}s#la4gMIxb;$;jOvTa)ja&d zIBQkmL!48EdIqHiO9heXx4GW~$54lBVV4!xxw5WZJypvWBsjOOo$50a%?e4V1#|Ib zoE6>c`_$$h;`bH0XJc(^c{&r%kZW|yKK~pUXo?-yl$K-MXn^GrKWZ^7D=S_#DWjlF zRVvC%U+sPpK3Mfi3(hJHrjH~-iLV|at@eSd5ebU4UpqMkbNTD&6rQ#YS}sFS#u&szl(nUh9mw15#U$Lw}(uoVmP(V_d!T4Qwd!dtnNp^d%_ypRC+@ zq?5EBm3dgm?PcAh&f@`ey?PeFa7+>CGB=R+gSgYo$Kv<79g86c=ZOxj07tUXVC2R2 zt5MUIB|eu!Lmvo`e!S}-J?AXoy1pE&-|D*g4m$T5;t{Ig;xF{uMH15L?8v`4vE~zY zJwvBH@+WSBWs8ExqC0329ft?vs64kPYkFpt-juQ{o>AkWPY#DXd446pSs$hxlqunZ zI54xfYxSB^GaIBINN+%@D|A-BsMKZkdcUpyem!1oxdmu`SQu~#kQ1N>Uhe0>B-|M3 
z-^X>W`yFI{{JeKP-=1b%*v@}E-zn?AHJZHDxn$Gu0?wKz99|tBMlvpRL-!W}zQr4% zT9#9Q3PZm`d>{QR&-Z(RUeR)C>H^J0y@FSJt3sMf~^FTMhM5 zpEm=Q$P}Y@PlFhYQLBC=kif1vAF7dqqNY(~A5&-Shc(i<=16z#OG$*LQh_$F>UI>B zL{gGJ*nO)|UzH(0%WB10{+%ITCwM$r(5{gyn3m~6BUCh=R9QPFN_9o*rGIw) zfg#w*W5VgXUEZ3POiD1hhEQ1?huV|pdP3U`tt6b)3{M>Yd6ZaLKv1ksK z7s|E8=4uKeEo6h7e5VgzEQA1+%&; zG?-vlD!p7`TxZ(+#a&m_Vw{c%S1Rg1DfZNB4@{MqliK+GI8q<2Klvac2J4@64GzUZx~Ynw$#@E=Jya6qj|H1u1L6;Y3sZFRl%E zYe%TN^3`ZRfrS_J|+hntS*elMHuG7+r0|+J1Zr2!6b>BDK;bGJ#kfAR$nPboM zMR-3Ka|+<9NT^Tk$2ZE!X$i_T%Mg)*I281xMU&*r;4~9PEKpc*8-q9mV=?*y4Y;#z z%7fuH$#GN(2{PEjZrP=O(gg~a25YFJX*lg9B<~=&21*Gz@H!s!@h70bg+gUcq*kO( zU~d{@psD>vj8qRMLiI4G!Jnp%HaO(t0s~%la3r?!Q|vl|pKKpA}{`R5&To;U6WM zlSON_YL#ZEiul*7)MFAzc$0K0B6hIA+~NfWbT>6dvBU+jope~Fa-I-SnPzTQ(j)hh zs@~TY>3f;CkKru&w+V}G-1dJQQPHT`Ht!+~VVri}$(bpF2 zMnT>6&-QaNE+$EPM2btwc%Jc$NOcN6N?U!+3T>*VZl4BZ-775!%&%C7e7JRGbY!V- zJc}fs1y!|94B6&v?~6IwG6Puxn9;N=d$nrxMYmAmS2)=hlZ>sd@-k1*Utl9us& zV1o9D``LGK>}#}c+s_ChsgtOjqoz?$`XmH1PR-?M=w5yrY%^sMR7Mia5yl)lNvAnw z6CVE0c`{m1A?WE$e3u*_hxn0w$iejkdX6mrNmzYF2$H}EdZsz;GWn<;yZj)mDv3de ziM^tY5R$q{Xeh%ZU*|2J_BAkM1aDV{6(DC3^Lo=-$mLD^lbrvk^f2cypoXKR^M3T2 z)V8uO(Rit&%1?FX;d1dw>2%<&OXx81%sPq>TqV-_Y|nOPWYpZl#WW@4ZtyYfaMoW3 zf_7=5vo;0m0a+YMg=^DL+Evp)B$szYwS6ra!0OJ!kC>?_S$WeoD^m{W++*?pS#WaH3{2gzB+% z7>B*%=;tzU>dMe%}V$&>U1k$r?q|t9?usK^5kXFN1XCB;6A0tL_%-R z2`OOWeI7dlxwj84n-Aq|ZggBUJkjenA5D`xwvA(!lf4{0X|ZTq-c#cnUY)c8Y=z&6 z(nO5)p7S0yCIe3u{TrE$H=52__sLOT0zI3I!1JaHAP~9SJ>u7Q}sczfh-h)TH z(W2zHVCk`OJ&w-m3H7$$d6@ZlbaMXRz?C*6Z4-z5F6ToUZuyTijD^>qRlWWWNU)X< zKP2?#oLK2qJ_B6KJV4S8idU+$A+oh+Y0Z0Avi`?Q0qV(v0o-`jX?=?YGi8YWwSg#~ zc+{;0sD1jooyyDc;9HTOY(Qdx&W&fbAy)J<7X5q*tbsKRfU{>DCa;NOt;nX_!gPaA z33Sr5_@SKp#OLuO=SWNZs5JQ@#}1 z_A}2^gt0A-Gc3YsArPD6&mB-=RM1L~LCHDqB1%S4A7?^t2CHlb*7Zi%j<7{7;z|I^ zYERdI_H@@3d4k70cRcYra8xc_pXoS+f0@t*I^FoF=GfB9o%2T;!TGJNvD87oO=+10 zl+TyZoQVKfUanH^-)A*nrIQ*oSx13Ns5VIoD^v)60z#q|ANW4U(!YD z)qrE4FBjls4`lBxL8V8dMITd0Lv(52P&zSA+O1W~l`tzoTaYEDTyhL92>hp%)19C) 
zdb%L)kx8u9T|z<^&QXXxnR-H(h-qSjNG<>1$;aA=TT2vh4~1H!0K-1PjF$C*itMsF*l zZKbSy+HWO?mhG6M{+(&{ggZGrUAC#pCBOO3JQo~J%R`?35hJZkB~DcM@nKQ~zhnE| zy;_!rWk7Dpy{zvcBMhAXfGaALaAL72DxDj*Uv*gVBTc^I>Q<3y z>_p5TyXj!Ey8TLmHc*UnQ2&B%i~~cHM>JpKqbc=?|Lf zpCU}^Wg6@3EVO=Y<=YNvVpmQ)eYw2G`vt;KHf{nu3g1PjCYZjiQ$Gi(sdCw96aHwK zv|7KiEpRYL;6B-Fm+m$(o)5azkU(KJR>3sUn96985at~z!sHZ5#3(l53Noe4;4`gG zmHuYlr?Mf2s^cdtR{1(DM=M-Df0ly!2|LK9bdx2FH<{#nelHClbFfrhT5YgHfUsQy ze7-8vIq1y>Gw?S-=~}RNLa!4KHmD{f6UIzXg{N&n68k;iF(y&p`RTm_GJW3lg3gzl zrDSud3NcYIY>1T3w<&-FVv_5GUDsZv75RMaw&onCSou9mSUEG1GAlcPO9IFkwG3G= zv1!GCXQEJ@aBb{X%fql1W0avnRA5DZj3uBCR9Zyd8)q+-`2kISX+T9sH(kIxIOD)S z@*Z%u0YASx-^gw!f$-H;fjfo-0h~`e`42? z##lDc_z04ySs3155K&069!37`9?*5?5I(X7vVnDM7stKVhVN%Y!2&T4n*#Yc#JqHO za&}>*+*-%0ECn)QecH1}I4QN7q_Icg*eZ-u|ItW3(PFyH9s!>sl0U8JuObO{az)I- zjtH2*DmfYrp5JV^3uJudG7XaN`?Toj6W0wCF4S$9^PA2s{Eb4)&}iB0Y=u~u9nPSN z6YD!ce8sv3;tnR32>TVMn)FNK(}Q}iO39M?F`~k%-*4#BlVP@)wa?2#Yi}l7q^1qL zzv(cRh#Ict?bj6~VA8*sd#XRoP_jeQZ-(%BX4vDl$W^1^&JcE{{mb~DlXeAwgQl-_ zEQE}=Ltcmpa~{ZVEXi}Xpdpk9D4`q#lK9;LHI5&TzZh`2G~&LRkd~K6^j$u@*Wo21CAx@)xc-%v_CLh zD8DnicS~-#fJENj<`J(U)Gc%|ct=gr+tCEnIfn5Ci6 zVR7+!(`o&7+6Y&~mR@w1=c&jA3mfPk*Yj?1*7bAD*!r(2R+iW2<(Q^cu(8K6ZL;U3 zPvKbdW{z-sNAGDli_Zq?Y36NT5>xagKW7th?V%z492?vH3ETkr zIjB8gO+b0_Y46?Kv3kS(Wa%m=OS%0#(Y(j2JVq}H8OuX42tJ?*a{s{k{BCz0sLoqt zsQ(iA0p8~od{w}1t%|H>^OQ;b8ke_@h7MbYEu*YQrttO~3$OiRa-*WRO*M17Uw_D+ z>>rKTs#U}8zZx>Krgav&-aUa(G+66l9{a((y?91v)iIkt9&jBi+fT2zeGc23-#h59 zpAJ1%z*C3jl$$H*!NB+rkrbbVDwElTCm41acPlOUEhSy~-JB zI`19AW9fr)bxXiY+pf`6=KWw1h}_NE2=Lgk-O+G6e7fvS&JIun^PFyUiF%$EIT8+4 z`n^fpI&i^j`=pSQx7}Cx9Eh}3gp)X*t4+NrIoiM7GXc`;hlU&-AGggP9B*fn{{?M* zM5G}BF7N2P36L8wk$Xi)_T9&~FTuW{7VmWXfayV+?~;>0y6B zWf2+q6fh8am4i8`mEU|e*QvV~^cNROlM;-YSMcGSxn3s4s-mA)bXqRJ)v}>V1L9Xx zf1PJJO+x8UR7cHYMTd!3qM=`Qor`mTlARb*Kw~~aLC)YA^G+v;7 zUq^OSAgjlO++bA?s~d`q3K|9yn8KPv!JkqHurO%*iY<^X-PM|{QmZON`%wSE9a3OQ zJHkrfRkI?1rrR|jF6cE&LoY$KhLzRvy;}~xu zrWgw18O93A!}@_LYAIg%foqppShI?*fxNWgM)mJ{9W2XcqogQFyxcY#1@X%jY82xB9sEf+ 
zRWf71U4D0>9b9zM$S8XVXB>u^XQqGtgJBgTPqzqJg@cbHqc2?22ZoLZGiu&A-o9HN zHvV%qgA}P=6R`%3(ns)y^}$c6!61-nmclIBCHnA_^ia>EVevFjuP>4u)Fz-c+fKn| z9r|4cS-dBDPb$VHDMV>SzF1@B!4{hX3T*_)W)JITjN^1JFPcV#{!7}i0$uvEkSqmj z9{(`=bi7${^}HM~Ny^7~lo!!UJaf^$hP&3;7dcT{tW#gC22Fj~Dk+YTQTTMt8KmTw z^-AvV|2yl|^ta}fe9UV+Rt7}p@XwYGL??CsKQoT(Zvke~QBOcK>k61@xzbfi**Hg= zH|_pgUr`Zx0+wbP!T}8#e9n^dRqgU6@>IhnJMNWqWMX?B1G>uiuU}}kT@{)~=UpdN zxi^^}dL;nze;D9vb1P;lh@g-0wq>tc_X+H4Ik=1FHkjuZZ51ul5TpqHrb!9peAfk1 zVVT5SevU8QuEQIYtxMe5nC$;N_t`-W)7bSpFWp21CkBCEs#d=5)MYI*g{)dm6Co3W z0(*J#8I`7Po{#F$s4n>giZ_e+h_zQL(ZExpy>l#EMnbze@2m4NNC*L*Tk$h!U1{`- zTN`FzeV;##>lG)E`1hAo(=~mw9pkc7m${UxS;p=7;UrRCGku+&(I0=IXPaS_eoQu< zT?f?VJSq2lQ%61m=t@p^wO0^dn!9aue%bnU7z8zUw19MA_Dmd_B7yA> zJ3XsS^x(D{UH6rFp}KGoy8&;^np)?3ff*o%N`Be_g}t$)N$op)(l^pl`5L&dlFn-G z^#FJ45p^xB{)?mR=SkbSK6W4gaK9ALg(EJxNNEZg)CA(q9G1#8Gpi(#3zB zWJaN^XYsME;&^AzzX(YPMT|&}87BG~i9jqck@ zk7a#Q^P}6cgp0K3w)*dR&mlv|?C*+t50>OQ4A|;_Y=@j(uYbmWefc2Q?68CCu<81r z{&#SqLcAVt3$imNg!&rUpax3CnPlGGB#S*XAXB$$kzS*na@9Q!yJ@hNJN%wcyXRZ z{v`Mwe6IA$+c^HL$AbGMe`ZCG4&D1-pAT!?F13=b1}LS=YVm@tH%5eaops&Za;Nmh zoxNod*s=Pi{Lr-iU6Xka*mXBzr0c^qL6;zigz%d z!>j5&dF9i9V+fE||y7MHy~%Pt}BkcLgY*B~#w_az>5Er_mxSIjHDO!hCz zKUuw1J|h!aRb?BkN2=AEwLUw|`D`n9iCL9Vzmul09ECbsc|HH>l}|=_youH>o&!1p zSC4lso7%h+Jd{6@qMIfUVo#uV&((9b&d{#r#rl{4m2#{ll8g|4k5K_17XRxUC2xop z_`HSFciTowSg73m0(7mp8Yr_owsCohs1@4v(*n@;(aBnT1=%_SjIa$u(vBhbQIXX< z0G_6_$BU<_R~8GJp#|A{U1YvW*(Eb#~Gea?YmQAU9;cD zk)vi642i=KJDJ<4?!Jd9Sm(yT);g7KQ9kevoJntXs#840mzhzJB^8`bZ=F+vmsFb ztbQ$(ki@(Qb*o>^Z-rl~p#ikVbTU}CK-TSvE&u(S_qkA2PBPZ)&j?mX=$$MAScei1 zGs z0kf~BRL#nXP(9om)rSBSFlCVZemUo^nYm7?1HUPDoj|I}dhFNlx`?ZN7LvdM#+f2| z(PVObPwa-Vh|EP@9SRyfDHN`WkT^bg>Q12igYJgI=-F;r3Fh?g%dg@`T3piDwx5wO zW7=ecdXT+@_}=nSc_>OOr!yIfY=Tl7T^IqMHdqbNHjXn(R)6p!HvKx*U((VXnc}vY zSXQ86;a41U9mAq$;fB^O(6_HcrWbwo+OnfRry7L+{&y65P?C zez$^_t>jU{36&mfQ~rs&9xWmwLPaUYMH5?7rEtq!q@#FN0gr5{AzaKeoN;rwF(eha zqDRbOQ9UcqQ8DFmWh!CAEG<`+37bLvX=e=HK>_1(hCeM&PtOy6H+h*!sF;%b=H@zZzV>H6^FVs*1 
zCbFA#V4(4kqWOszvEoB_be#Qhq5fak>=`nJPb{czw`Lj&^CF0MwqC(V8GoxduKN};T)UB9OkfQSOuftkV*FU=Ky zEF8ULJ+c3*F>-^U{NUqLnNc8GYz6uuNRk@@%;x0LQPioi6{fRb&49Kz zIKVsZtpjVFbN7NceiZp>jPk=wSRK>rTC@EgL9G!ens1CirCFx^o{#2kxwDizNN()Z ztIYS38R!>u>;Nwv5S!f=wSXK;;qpG^NfO<0tB&HAPSU92@*J~~5kpo!jv)Ohj}Wy{ zI5-`QB^@SfmAfh|nkx*}(;{o-iZ8M1BHWb+k-sU;a^vFTMW<~0y507s!HgRv#<-ch ze{p)$K2c3;ACzRKiOIKHwlq_u1!fL3@B)9-J0<)KwxJ5|#+-LVm9dfkyBes%Nti`N}zb|6tpC#c_n zpwMbYy+v(%HI4M7Ry4Y7Q>tz;mWhrvA>YIuFU)UeIp{1ri6d6A21>W8%amf#K9`}) zfTcS(tfrwk{vBj(x@-r+Bnp&~G^3!IQHA39(qzD!iT7u!0i0%%O?dEs4`e#9TW&}1 z7;riMw8h6E3IXN;6dv?D0sOfSj_mraC@%~e30@=(q z=i})X5;%&ulvJ>i^XgDO0PuZO%9wj+K6Dg*3|v|a@SUuFSU>T}cT2H2B&)rXJcd~! zs9g^{bnMvb6tJeh$rYLEdRxwSSpPRLa5J!wY?vtYZ+{EiwGj8|zFW9k#Ikv!%7rWz zIXFwSeVP9?Ee8x)-Fcbv8hhwLX0)}uP8fG9Ld*Xi_Dn5^q`-_{(e%EM_ zq*acTj?RO255p>lt2wU#@7rYj-%C?MDu>wtPlM%Mzd9b!nvc$cqqW~IC+6Ki{M#q+ zDMn`d^@rhYl?{6{#1%KocN;Grtu|dpp)me}EtghcC)=o;xBGBXC1JmX`RMhYYPL8X zlq$)gCVa2czsi#*@2}UkRghg4CT7r_5?<$F+4fGcKR;9Zb^qxjlVS4%y0S=9*>cCl z{e+|cg>anb`=t!8k<0nQrsw^F2QW2?*S`sTh4(n(1lsZ&lsN?a*j7XD?5_6C@|1iT z#y=zgU9=D0zfx9?HN72mu5E7me>)zGQGOX%B<^tSKj!&&Wloj|Y$B8#_EdjqS;~k1;dJJHhh)6L4+0JW{gIFW>fQ23Y3{BE76bZ-UmqO2k!POp!X-0X&lk~k&DIG_(Uz+%bY5{?6`1D6@Hz@ z4i##rtgu(s(nBDh;Fqtw$56s|QZ#1OR9sFS5UYB^F+x+crbKZDD_^8kYWl6V-bQXB z+H*#uH<`9vt;k+)!&?U=hs%ppI*9x67dqrRLxq5Y>;MG9F`$E zpPT+KQVIsM5r_lNbhW~Malr~9uBc!w0i)d3I{QNLx37GzYq3~>vDq1-9fRq@f=VBzI0N3agxSXXP*GLv25zrtQO}{O~8OE1N!(D%ZtiXB}>9^FQiNd;h!&si^cfuKmLTAZYV2gv=zznD*T^} z2Y;i~!cKNS>y;J$O3F3-;rwQiABp5zSn9?d>%1esai&IFs55DP7Ww-HYP#xxwqr3*`JSr3LaN5$Nf86#mQqxXn3io8^{?X7NfFO)IWA0ie7 zQ_OUECYEn5y)(_Jl)7n7h49gBq~ymV-xpaqOB<%gTv4|YUks#JXr&3r?)`r5$OTx{ z)hQRKBWTZfN40-htHHnfhFg)KVPoE3hdJ56Tpv9^6w||xs#_WccZ}4lDyl+fP<1S( z&@p8Z9M30atBGGxV>A|UkV74P9Dqga?FGfpR%`UG zFerji3Ck%nTIH5Yw$WYXa6RVXED_(=dX*dgQAzqTBwKyz>2J*afs?W}Gge4p=@S?HD@RjP z8c;}TvY{ixXJX=k5*^E=MYYlWaB)_sChBF2-sv_ttGY)^lzE56Yi7kcxx`T#sv`$P zp>QfZ^U}G&vns8RX%I8orf2ha7{3F+&Ea6s3%cZlqX5hVqz+d0t#V?@5+rarbx)l* 
z9^Lng@l5wgscfMpRyv)tC*EujuR1ie1UPFA_{34karTD?{^+}e<}put%P>rj1)ut5 zyL4EzYQe}Q(a;{;KCBH2Q><{wi|ij9Db@tO9*N)5Sii4y@Q43|OslKlYgxmynfX!U zo_Gm}7*M)YEKJ0HZPZn<4nAg2|D_e;+hJ6n>CGGgLnGcQ1!eVOH%G1=Tmt6IK2Rcp z{a$vi>w@CJqdbNiVxmPWS-Hr}8L_P}uIo3Sslu>@m#&ePG5jfsOSp_Uxzns7(e)e_6grs&Vnm%D2Ue_Nkfd*N@utnoBHp8?`T~;NvfpE3!0A zg9D-`%FpK#wJ8pN$_|UWYxKrJ{fT#WeH`_p4E5zfg-OvA!!8y*` z6CcwHJx(#OOPy-kd$;zR1_vSd**3niXAi~jb!Xxi>7&=bz#en8zg&pVfU5^TU+Qi3 zWZsvM4!4N^5*q+)NuQ5gj@>39`AGp+bs(cHNR`36?_;pzmg^8<*HM?p)F?h--?x{T z3wPxEM_o9V*7mVY%k1WT7x3oYDQ&fmPZa%j+Z0hJF49npoLsh=Mftg*{Z%AA<3-UixGhFUSKrPAmk# ztM_C7bie-;^;rXdtVCxGD8D|2L>UD@_-q|t^Y5XQbKZ|)w)CA+3<7+n_fkLhEFEHK z?$SYEP4tduw^z#vdNt6?6E;~Z)tdhI`#g+@b-(k8(`t^FI3FVv4@kkyRXHfT>)0ga zZOIe}Nvkw!pEWSA_0ugB$ltil4`6>OC^rhQ9zg~_4bT=Zk-g49?Z8Z3+;;kp%Y3sg zuKaAk3dZ7kjatB=b zw8`*o8FnpXxIKtCT0R15m~x&@5^TxZY4W_=X1y-+h8A1BH(r_OKTmalSnK!cw6f(I z*p#c$$@hy{dF)Cdxl zIs$o;9@P4fj)A2`oi0y+nsF7YY>osq{Sds5(#{Xem3hB-Qg(WN)Qi0Z@fEN&K<4p3 zHmpZWh~{xgFg3M!I82@y`@=|6kTY}enc*hoBeHjJOGfAtJ{Rnx-)58Q9{iPCFGQ`Qs%`iVy_-$s+YH88@@}JVzZ_uATg@uv_KyhC-{lr<=i+VL(+yP_eKH2QVy99a z74mKdj(9;Rw)kzb@e_)xp-#vRf21oX1>`8s(B&A$qtwz*3GT&8Z7k->6sWa@7%UO- z957sU`WY6w^A@`g`;mg>GKGHMl+8qxVSlcH1tP2RlGFjCy5UqMECpz-{YfDs6X>-j z2jmiG6ueem2h3L=WVh@8kllb6W&aPhJ6tfz>y5h_$@6#VDx$%H;zwihuP_3_G=hpo z`$5F-nzHHkZE)dHc_*|;bLWWp%0#7DCzQW4n_lw7y-7c1`%@wVISXO25I)NyN2IQt z#Cma)Ap+|Yg7b?kuzp}wT)B1{+5s80%fDGEv`P=4#S=mMc0djEb%L$Q2sQM@Q;_sk zPFmcX5|0<)5}1Ey$i;E=yU(SvlG~?|N13yiNy5~Z?)|_z`g4bsgxVpPns90&f0C!o z2rXI1uxFzp92M>6GkklBL)4T=lx0)TfO;=&&Eq%|SgfG(v!qT#TzVBooUD|ZWBV-q zqk_hAe0U|EsX*{4@K>Vv#JPoMr-1QJxKW*C0$ERLek2#E7-uN6V(tdfmk-DdOe_u1 zc>{gyRpt9wTL->b3dX&!1iZJAkz7uF{#eH#TXz+wfa=^nbTj)BYtMunb>P9pb<$3u zXZZEo3{s&On*Cl8P({iDlHs}Yzn+xs7)hP{IEs2%1QxzY-sWM z@feQ{D6(m*+7s!XiM|d>oZvXQx8{24~-9+!)w2iub&IE(^C;o;h3u6&;glm^~0$P-HV z^8fjxA&#i9O7UCr5OItDV(-%&2fpJS_<@{6`bS8&F@fPH2<69ChM9NZzC-_&~NX#qY&*#>ygF^r2iC%7C|);)^0ZTSD=ya5_rZ{Yhs5#Rtow&x@G z>Ovil2Mjiu0e!kx3CgSRs7*e1VVe6(Tgx-HT`l9zpaBMMBaP%fR&%@f 
zEpLUW^*o@6TW`g!+BJ_@)zcwHwEllk1#0Xpk;XNTIxu?LeL zNDPE;y7qRf1zWjJr%f+D7NHK57j@Z4rbsK=r=Yrq1C|Y4gHdhC$q!mVOL!eSmDC5> zEzVDgIaybiJ@{tmLhn5wkM+xYeqWQvKOKhp`wxIuYwjU0=2?(3cqSw1Y+T4;ZjYy& zh_7Swd3$w>;EnGWAAow?8&cy3ZpuoU|C9a^C_b3tTNi4-8Wd{8t(KkyT+mxqB^sHu z;Wm|BvG<@3A4?oM!bC%C(HaEIXT?!n#N-Q8*2o$kw>`RC4kspnq3&N_9f zYVU71s#a)TjrfSjH^9_YJSRAEZ_40esz~pO)U4C7o$5tR;#dTa9G<4<-A_ct?1@M@ zeBO?@4M~yT23$B-2=bGE&!$Ngg~wAO(NdD`sj<&0)8u_V1eAC;Yf+2~_&(g5u{)q1 zHI*+bIBIf1qldiwST~7~n#j7%vr%7-A%dMvFrhHU6rGK|3K`7)1+w$yc*wEV};? z8(`bN5PdTw@9S_>HU3dJP4?2rv2MKobTTWTa+lM}8%E?Z>dJzeuI&hM-aK?#DeO=$=Pz*9~z5KIo-9HHis5J2GwDq^D?f6u3;$(zHJKt31t^=p3;m8Y-?J<>@h( zQYuim%xy4GIbcB|E*678=a&VIDr%-phDNFyJY2B!Z<%^e4DT^(;L9MdaMZ6W+Ncon zriwlD@))25)KWqx!a1&+=#|qS#MXWgiOA3XI4jN7yxZ0M(frTs%v1)AQlt#ajO7Ix z4s|nThElVYIPnr2e9^VtuXE4{S(Y31yh&m)=4a?8cm&Nopf^odnNT>BqQ9K1T2! zYL039MyYnWq_}DWI?Q(?52bryy_g6~vp=Vwa2C2ptz5cb{dR;!Pi* zMqL$r8LR}dAH^yNjgG7;(pGYKQ=B#nw9o1_abnc7@D3+!@fD`?@Y#yOLN>{^Ukw9OBgHuH+{Hq8dm13| zeYCW>s;uk7#yzJe1nwAl6^0|)q_=*wNk2tNUqT<^-30UW{}#ZIkl_I!0|06SldK57 zp~y@;Pjj;5c6Nht8lLi-eU1d{2W2O&YIE*#RJxS}q(AfRqJ*T$z7`x5U-Qgp=iH7~ zGCdL>0In6##N(z*K99uF1_C05%xDU6E5%?muc=L!*g$!mt3{OUM7qdn%d6J0kLBr2 z;Dt(C(JLMb)wWV;ioA#IdJ5zE3(5x}FZrKQWFm-thtsoPkUP}8SI~GgB$l{L>?13d9I}e`AjYZGrfW53M-z| zY6@OE4f{`?Qquabz1%4^jqk%<>+4%)+gitEM#^4f=AFJ>c#-=0;dkp{>R1Et zaIEKs_x*K|^%Ur(WTqbJJ^>Jr%^(n*9i5BxsBeFQ7^34=6{B+D3fJGYc#aIGvo__x zLl|<=o4lxh9EoGG-#x+ekva}=jsZ`());i1s#q^$>y zMqddyUBaI0Ib(mURB^iNn0Jl}AIhSPLbzvj-OHq0ejJ43>+8&bdE9HOi1{Bc5}Gz1 zUyZ38bj97&a5T=o_m6_WHu66c+m2cW{iL05k?*QD7RJ0V#}uA2J%=(u zdGYhnnG8ibIkpE4OgA|mUN9DEvs$KYN?8+3Vic^wngQN-f+3&}6PwgyuLLg`1Yqiz zpO;#(e4{K6N!eV`2SyNd$Sv+X{Kre3vHKd5G$z%Lhvw-U#KmMAvGNLOCchi>^S-QP1FR?aEsHhN^ns&~p^X4|hcdFeCYUW3G&{T8ik~VWT=%C&uyocp?R|RqRps@Ct_v!+0tv7Z}o%`!RhiggV!Ej9jn^ zb|y*6KLTV|AA{Vu*fXnFPQ{$FEFghq^A}4&0zyw~GDcjRp^a;ueqH7qahmu~ux{Pv z_lIFm?UQw)sdWReuo*?HKxXWub|YodgqJ+~0qGb>8VOsXTl~9|Y%rjatR|#ZHr$@K!iHi>5-VBBbIr97`sR^0C&#_!Z 
zwLVy>zEk2)KYxY!oqbQW9XOO|8%?nBD;>RUBDU`bYLcn^h}a@@w(Rd#qcQk&tSl2a zhw$^*Syct*uaVNSL#T!Sl5tA#yErhc0J1gOp3c7;iIKPV<*3kA`)ohFJ_** zd}HEnxSR(KAo1Fg>0IqK2S6?j#b2WPL9$awPc)bnB-Z|AsuaB3u;pvX22g3e}86(ru7AG}~m% z(}qN+Y5zN|NxBV@rj9FCA8t1#A1_oR!)r!3XR2o&0z;i~G7d9XtQY4>QVtA?QIy|h zIXSgs7d%bYA@|_RI;JD4u%e6b;!&jiZrhSdly1zE=8~nJ)*I z@_}`pnZ?|#AnK6(v2*g;#bkOU+mg+^+<{l(gip|9gF*xASQ&|>XVO{%Jm_pD+n!GsHM>LJC zCQqnG=I%^P(+rkRIwdhQ-x+^(f64tRvIom{*^Kv3Ro+>zkuJ=&et^rs6V`^yL5V^6-8wt66zf^AA7+EJs@79WlMF6#Ds8hOERUJnY+%CD>77r zqM8ZgEN>XlnLmY(JLT}&$^27MO3mU`b+Xs->!-L}45z4CDp1a9y4tGeMtOV9>mIx! zmoYz4La$O4XKyUYDEg=Y7B^vvu)^=`YQ{r;=I6ivUpW>un-Js&a~y#UKVARPQPYRu zcZZ}BV*Ll5zu*M2IAAyGkC&P|0P0E3?Wdw#7=!{*M1m$EbziXr;I%1{1pw|iQd(uH zgpImC&ik46;)e;EPB9aPQ?$GvP9&SV?#||i_tDoMKNG1GTAiYG<7G_se^WNU>UR*D006u5a`EllZb~`tKK^ z%^jZ*vF?90AB2DjMtYlUfrnBwpO^ja?wsddGL%X-?-=jn^!pqp9hdFqSYBYTf!%HA zU2GHRdf%3~^@_@9enAh;7aVa$>|N(ZlH}pytGRXd4Ckhh<8T&y{jaFgc=P?4f5_kn zkJ!dp+U8~N;df2bB;L^w3Lxt}$MuSnx5U=@hI?D*Hinu5tRH0ObMJO`?o{md?DszG zT%EYoR`+j`gWll!6*S52_i&)2fsAtdr04SimCWTd9$F4qs^LGZK2AAa>bwkVd45Kj zx+HWnyE;T#?&{}#8OA2Fw>-0{pIq+-gOJ2dP^;*({fV@!%=WTTPIQ_1? 
z@vjdqxB1RCJ|^74-BY@T{EiNNIf>uzhYB=4`KD{qzq>mFNirLMdK}m{uii*F4`vAb zm~1xz9yd>Jz+W~DyPf&?fFK4~WG~z<B~gkv zJYFw3)qP$g3K|c}I2oOXDr6S~1j3089FAz2-VI}AAIF$_KOD5cS=4bCzNY^^ijUtd z!~c8bzug5AWPK3qPP@Up1-RfT6nEK}yj@I!rN{I!lhS~o1WTiDsbF-dIqap+x$p>_ z>#3Ix)*YBXHYU9T7+V?L0?<4NX*F<}b3|xj7{|zVRA2YQv#<|MadZd@DMT1WGH0kv zA_m^zXXa&ty10MOmD|P`WW}eM za0W4rtdlg5i|&>nT6}UG4NDM)PMs5uzE(J0*XIGPN>lPvreC-Zh*DS`cVOEV_f*iq zBTr(Q@o1P`@f-z=>n&XxK~)Z@`egZzx}6|kdXU0WNVY_iCxy@&hRd(W1Qxh7XV0=^ z=?2L-uo_x2{njvK+fEWOVDBf>p40KfhW+rWm0DyFk}}SY6S1||J;N`{R&vId;5-^` zjN#f_q={O?vYMTgU#BS);+`F8rs0FaT*)PH6qzRb;}TofZT`VIC3~DPc_THRtm460 z@Z#H*r)0)!qEP-}LravLG-JYA`xk*_{zJ1n>TNZw=>a1+7!jIAwT?t>&pe}6Quxmf zI-iNB`Z9}cWBHaxLW@#QA$u0o&K|pE~!aCK{4)Ac%7tK7?xjvOE>DP7Bg=pOR#8; zCoe`(y22;~eEQFd7P{0VXzQ0lnY%4HTSq-3S*a#}=Ug}u3Wz;fN$9VOM#s88Z{ zewC^sZJnoJ>I%Qixk_(pdA_I9xeJ^`ZITNcP1?xO97Azr3c70SPW^>0g7bJdBPFEB z2FC6Fo?(PMg{7`O;O7yH#e^uxI3+(MFbK7^qL)r71YP4AS z;u8`Vf(cNC%mZJ51i^;l23z0~UE4Q~%+U9BA8!Gr|mMQsjC~1r6yj@+;{~%8S)nsqM3VEu*2R z^X)YFp{gx(Zn@tO^F#oXqRVIplb@;l&9(x$5mB|AvL}Lrlv$BF3Sldo;vC){$wf_L zFP+f~e(KA=?ZpRei2wMN!Yd-xR>vES<&K*Hxj{Jv2rNgtcsKrhmtb%xrn{D7 z`)dd`*l=okRm+_a@YvYR^&0Hnq`hgh?CUi?>eYV!eEo!?cV=!{Ymx)hec@^c+A&Mox-}Q3E zRU2U5J9%SowSNZXly~~$Lv4DZ?Rty&^JvG-(|wA^Sy{gjYv6fbgH6Or|F8pZ9?MfM z0!P?pB+cP%u$LJ$drIStZ!y|&Vo{%yV z@t%zv2qh%?$`cgxJ7U9mfPBTe`2uv*mBRFLD&HKWQTC?W4$kj|>t1(TeLN!u9c?tC zY}$lsVEvbf4e<5~-g*8co=|=0fL<`866$E}|#> zgI|S3p^gZbr%8^NPQzCrKwH@#SxzTZFuRNDPp+~OoVt%N`*USl5o`{CE_0;wM;+|3 zxn?XyAl1Oy55Z#jw{h*kMDS)tk%Cu@Q@m*tuE`*(qM0`SM+jwHR3fyZQO8cEuuQ&t z_0OvI--MO)HUIW-X;0>43rO7P#(+%ur!}jPJel1v98Lb&5a&O@QLP*sZ&hXjiEuCf z8Pc*utAwqvi?M%rOVo2c3b4)MWXS$*M^`fgNhULjyaLl>Ft znPmh&12Ei5N=}@dY@#a6D=5*l;Sh9+?RjM&>E(aOOnI_Qs|)AudaW$q5tlDj-2`gl z-+f~K>Cg=36Y@@xqys8kg6amtXl3&=K6LZfaU8`GAtWci9JeFTkBzwyx%4>+aty}^ zr{FWp4}^Zm%jV=lj~Y9m#Jhw!%u}Se3-@2PCW%Qy&+`q?>JokXrb~qaRiq7p+#ghB zUe4yv5qVUqhPya!8B+R_FhAA4L?1~3ZMIffsk11-~ z0U}G1bqkT!N-j$&^W{;L1Oi4=bTtz^u9Z<5{y1$yX}cpYT`5ya^H)9?%po{kjlqif 
z7xjiz2hG91U1-<~u&;ntaBQ~R7=twx+zBh#|3BCCPw9BxX}9p8baKtms4CurW)jwuI*-{XhAnAJRxs&HE`- z<_2AmEYsV5tx1dR4djw@yH!{h*x1G6aC*8bn}&xml8eX{H)f9otJaER3s*v$&i%j( zH}Z!#Bfv1fMW;KB;$e?hMF=EK=}Qe~`I`i3V_uH8MoIcN_ChIvjb%P;EDr_?XD9^D zEY)aR+_Z3P(Ab~0G2K+_A5GlPI0C9D6BhZ0^bmF;_e_Chb;Lq(c?l2NQFB?nFT$G8 z1K;A&W5#Ve=8r20@-go+GgWML>Bqh@hdDSX+e>leNFx$vlNNYj@nrO3S8vuKsdQs~c^E#;rV$q2=o7V@dZe@ccK zw0`jZ;CzoChaHYJJWTvhf&Gg3mH@c-ISGZ{N!(KkWDjTL->8VwSB zyyV?*Jk`eW`!fTb2OWZ(C(2BswU{rFY${t9kzu3NFjB`LTgNc!6erFEA#z2D4)1Gt zk~Kpbv=zGLeT7PrxXbH&ck}7e?qqc^81tU?GSA+Bv3B`!(b)Mk?ah#>;E*7OPvGgn zB}3idW-8T>I0!UFi-%~y#jsWv>}k(}Op%2nW5wg1d>^nii{NhNIyHKSwhksZkCvk@ zz)qO*2pd!M#8Iw0k{c7U8#z9yOvXnt+`_lU8E_RhEfp_7BMX?!!;peWKBqE_8RCUs zygC^b-U23H7ju^*=sQC$h>{yDt@kqrqe_K94+8rf<~7-(#s5?8!RjQ^&>*E(6pl{t zlkb4WM~Q2f^BT(4r~XZTj}|BJco?t)xFdd-+!3T@la9X=5RBiR13Y>b-q`_a8;QH` zo4SeL7-utEPbF*mf9>@^ac;2n`})y=MkRR#y7s2+XEoODLCZ`$$Cf7h_*0#Ck&Av^ z1P$(PZ;j?iZll=hEro+VZS(28QH`$%OrLj!eFGOJp1sm&#`*)u6@5{Hja084cuMqvW$1LjQA9Zjo6UM#1p?uyEwGZR{3^~gJ0JVjHiY-s? zn@4T;%(@M0l#Z@7|FNVc^DD=78-sSEB+tAWC$Aoit_@qTAr6`5pVNU+z#A~D6QMnUE3hxT zNxnn$ncaRMw%&z_oSfQMXW7c@smhLKn@8G*BQ@{HF8i!*7cR*+R`>gjZ=BDE{2EN| zt6hTaRUwE>y_=MOVtyiAV$@E2k* zcmyo?IT_D?YBFbzq?-i9>WT>y8pQ0iflgaLw)jUok{&tU$_(*{PD%5sX`V2K1AVfZF8({g zlT=g_AB_}?y5KAt9D5S6#<^7nUYr|QEGNvDvLTpk<&Mf3=nFAPw*?w}35zItH{Sqd zM}<->56yfdO5-`o!D%eK+8PucDyCyJyd}6f$I)q4VWf&M-_C960<98udDfT!YTnV) zQhWDjz9rPWV!qLJ7tR_Bc~u*!55#?;Wc@vV0pd3)U7{i({Lxz}S$}6G!3DYkp$EK# zx}pV7+JvJKD)KxZx6J+!ZXyf%}~7&`i=BBIIS3? 
zS}zfCLbPJRDqMXyi5t_#h}!!UNH%2{rM#jf9Ez8`uL{Le$wpWv<7HfNc@cE;u|pzJ zZ=|!MMbw9WA~Xuotod^Rb#lp1bL3(bd5#(lR$5&akmWp6ZUz1%O`-cDMColhNGZ+G z%`3R3(9vg3ntZ7X^YEq%q>3C7RGiQcyNXxrL1G40hC(%21g;A{)Puby9eTpFaiPRygMk2N5EuO_`+wK?XI|V_K$4cfS3KzroR~U*{#mB6R zR+E>()TtU~8BLjv?=CRgC-Mfy9Kd1tKgluTA6BTG8FsHj_QV+HvTaQLl(18zjxb}2 zRga2CD%Y&ez`+*L?!zqWvKms>{WQ2U5-dqO7S&qY;^$Dl5t$fyh>= z)C+$GXaOsn7%Nq%xwU-dk-5`n z>-DA9SVZG5UcjXi3s!FVwK?}rMrBR{Hy^@HOF>W;ZOEUu31x*CHCH4}Xl;temSt@{ z!rYIgL&zZ=;4!kJ6i>70`4=|Mw2X$VX{ZrLDo$$EPQ7jMCxVASLTH|s#<<#rS9;_P zqAaJ(VVC5eG*vHDD$Aw2x7rz;ouK6iPsGtQJxGaq{!VQPehB8d@)N2J(=YAd<~Q*B z*-H-0DY(GcL;xEpgd-E}>)(REUipK@<%j>$poMxY)33F9fuot45OsM!t&hOqH(^MJRvd>c)RaB-<4< z(ZZl&B!}_Lh1|s(D3k)B7k^;Gpx1;#70=O)>5)k7o)0K6$HyaOWgjF#kuR-bk*(8C zPBVMp-3FP`aK;zvoHdKG`5%$c$RcKBUL@-1p(wI^NHF6p?8*#lpxYLev(?IPEYV_A z^EzfdE~>hrt^8ma)lT*g&qgo#tIX9~vB|Mnf!CwBupZcE{F_0?epXt5%r;GQu8t%) zHwQI+(6kS0R`sWKqEk99T(CUnq{&zdr!SR7x@U3P@Bb7~3Us^}sD|^)t2&7F;-teaub$joH_2Z2g-BzyKwW5== zw|8G@B+bJ_L55FF@-+B$Bs9;P7~r^mR)57%cN&3B&7^zq^`}WECwXL*>i+J~3ySS} z+sVcy1pWKggT1yFvDRf(oX5@Pv4Q7?V{?Avw!r(@+12{Pge24J3vFnn)dgU?S84y% z)lHZ6W_GZC|4v_E_dMKta&URe^(cnP@sha7_c?w1KxM17rBt{1NDZISWozr0U>#&U zt#Mh%kyblaP$JlBCGv83>)qk8lC7clw{pW3FXy<{Sw5T2S5=NX zhciR%?fkys!|}wQnKm0!)~rihh}z&oYx@tI*_|!U{XqL}pE6r#Y)DW7w!y~)ti3?{ zej9IAj)Bb-uMWogbzE?upx01M7p_^h?rk0C!}64$Ccll@<7E!R%Xq!OmhI$pWd+mw zd3>jv-}yr)vVkQ3WfmxKF7+3I_Y?9X>{%rtQ{4l7Nw=#)BL8#kgzL9$P%vO~?@Vx2 z=QXn``8z1_RJU=~lDN}xi(B{686{J7nMLU1dhlw?r+X*jun>DoaIe#un9&cBsg)Ky zX5?;8hDtr11b}z`>^s-Qa_FLI={YN8fN#LD@8JGd1+>B9 zY4E$yjqQ6$+K<Q3E2B%}^J(bp|R3U_TtYmyh0 zyF7&J)XkaXmbj+zu|D{zGJNVgcW@BeP;pLv*u|{&lmx2t?`9BYNh|$LzL1MyHhicZ&v^I?<}isRKdDm8=_H{tyQ*HMX?cf_ zc`SC-anQQRzgiV}w@U+xcV8qmEQlpj!OB4~zd**6){14%mEkKaM#f-^6gD|E9p=0= zE?m7W>nOHx?oewHADaz^P)ulBboeRx1E0YF1q*U0CEmUAq7@1Mz#Xs_1NyUq7dg=a4|+7-w#B}*1%?iS{9`BQac<*yaJVdcdp6lSJrq$@OX zo2Z2QG!3aqBJ2*4CJj(g{FJm*UTZX~cG!`|0JgYbP1N2**&(;}U+t7I(kLpM($ZP? 
zlE(Ejh-F7JM9Zzp;g#w>J-78AUPF>FD71*ZqYhH|xJJe}<-usc@7%xeFlQUJ@|hiY zso>vmGlYdFt&!>vokD7~zHAQcOAj7J!rJ~tuwou7U1W?d4q+W|AlKkHcSaosdPf43nZW*(RGL3qmU=Aswr~P764mUgcQLV|b+p=#D1`lWXHqw<37yqKM+sYr^sQ_H`LN=Rh&hE=ewFU}C1{R>FK zY>Sh7MPk8ik^qJkF0!zWq=Zyksy#!d+06=fRebTFW5a0PahOX1kq4t)_^Nzxe*R%b zxH30Kz-vA*?s26j2nrMm_7P<)uJf#1v9VTbPe;ioRhzCLuZXky5`RHK)nFmZ02fGO zE0kK`Z_$gpX=X-q9lyx2^kv*l#?C$8job7&Al?`zJ;jyU1+@l7v%u*`^Q&t3RDdWp zfrOPVYKQhFl87dprKCe2BnD0@apI2!SUtT;!`#$tX2T`MH;Zq7L$w6iu|C+ctZs{X zdgJsVE|m=RNkeV%DoVy_h?hl)IKMWn#LHgOWHNUuiJXPHwvMR!s}7j$%22aVe^}X_ zvX}*)=O$*6jkh8PxoLm+_*I5|*K@_ERIFgXS@<{lnwt5921E#9`C^3<Znk0K z#b$_$z^LiMZlEK-s-Ag2lzcSiv$|E=%^ns^EtWheNL_v0S* z+&^Gv)t~YHp4>9ZgNx}D!?NSo?0&Clz6kAw>v&lirZ;d~fmN6k?qE2-ze^Fg-F4g` z?9P6BBwJ=m*s11q8*+WytQ9p&+0;n?sin;o_09;o3rZEdd?mazc+Naf|DENwFUyJe zSi7`x1Jv1i)dC!MPYS#}%sIC|#zLTI!2@1!E`Hai802?@)_762d~~`Grr<8QYCsdb z*5|&{bGMQjL@q#C`;C|3BkT%d-rsL(%WK|AaDw`eW1$@UPM4*Qcen{R(!=|3I3=;~ z{pPmyiq3D70`v&<7e$?qrxDbGuHZQR88pAzljxNdscOCpQgc@%%^ zF6Y@n;_*=B`(dUUH6ZK1n=Vw&=lZW0JnaGk>+h{UE1=L*{>%AvQ2%n8kfN2X)h(vF zyAZrxegs>--@gw>gZF>i^r4wBl!7s^dH|{N0Gi(}^{cZj`WqLedL$?T$QwAQesRCV z%a@DL)M!alGQ|RvHX$i+vf)aYPXhQIbvGo!o2C+K15_LJ1^z*Iq7<&tri@Z#V9Nar zOD7MIXi6(~zVNEhrlc$D(cp%Z59ek{nS?XUz&lE`QP2BW5~@Sam>J_MCd2Kj4U9z+zaaJLs_61e_BV zH7@fL4iDu2+Qu_{jArKR{FxoYoHnUg%IB+K8@sAGc+8WfdWFg* zf$D_$6St;pf7NDVSYRXk*`?rz3aW(yZPdkmEh|fLD>H~oXlmD#Ng@3=g2ry~;3*I~ z6PMBFgVsag_*P()1eS@~vKq)KL|G@*=Bo6|<&tGhDU|{eY?!`d_F1(}V({8E5li(@ z*s><~FFO3nlwpwL)+%q!Hzvcu_0H2GE_EnwZD)avjBXC%NiK*;wcwW@9Mgq6q!^uaNuHUpKYs z^a@T6Sq>elCWhmf;^$Bemxta`-FVJyn(>fiS@wgdk;x1cL+q1htWd>PQ7w3rhfDBaer+ zkOXE5@h~w?{ar{SHHDaDG&PH7Qj2!uYQpheLM%uiCSpP2w{?Jco|f%&|U ztVU?ZQEdjqBJ$+t%WV&Q%tvkg>LRDScF%_|IUNHc+XsTrpWS#+^`0Fh+Wc}WXx%=k zV9B|YG4<{;VnqR;zU!}Na|$jAH_G22z-|vVmZmxjH|KSGRrXVca*DDW?lf=0G{2Bf z88!A9kO=!8+B9(^${5P>ONjvfLsvQV52l#aqHXWAs)}Yaf`;}!R_-y6h*laRi$vg9 zVz1ru-q&iyoH0MMBFq8PW|p$U-6*DAT!@7c1tIm;3y7c__z)9gnF1dHh8Wss7e<@yWAWsltV=#b!`T!A<&>zw=xtESK|=23ugsoc^Bz_VuUuem;C6$i?=b 
z?eTH7+N00oXUjE3phhJK41c*MKHq+)e&~NgfuxLESfD2m?1biV@Y@1ojWTq&`*Eo9OL(leraAYuMGb zW}psd!H&z-!KN0gSrZ~^4PQ{Rb(2mak2aOIMXZW?rt5s@akbAC`XVp3=WhAHd33o> zGU$HAlb)fim!$raCI_-X_TC?S99Q7~P`%lxDr6n@_HkM_jEdmgp0Z2wuz&faQ5 zMh^#6tP{-IEcIz`j)`wT->-Q2PV6S8xYiZH&d{KltIU_1@*F;;AHc&zhair2;nI`p zkhdWh2bV$oN)V`ySqspB9qnM>4OO)(WqZ)YQ?!*YR`%c+Y1<^yop#MdoG8f5zUG0} zKy9Z0l7`E8orj}Z$SQks1*Az7TK>xHTh!(Hq8&uM=0cxPn}(+sNcs)&pq%;0qfif3 zI3yvgji9t_uI0>>udt5P!PVO|2)~am7&eg9AJ=F=$+4SBELyu zMUzZxQ2A0+R0ey|pI|;omv)BIBoP%v9qfi5f3b`Yc$WYf7=bfm zNnT;V?zA#sG*Q`SDyy}f+zWx<#6jIRhA=Z84_0xiMqK*ir)Q|;#|&SNwvqg|?Lq-I zEfp*1m&wLIRtf0Xb-&sOd|{SKv2@yEmPrKCc10G8CZxu%hFtkH;x+!BsmjIU{Al}` zF{&yu9yL0>Xp{Lm@<;6wlnMC%(q-Sw$iBCRu^ImLqDhpXBH;%9l2Q1r$hle&;6_|2 zjJs~qJx)Z%Wsl;h`I>^kOP8(&Xai3xtOBr1|L-38hZLANPxe|-ju;IUse!ya8#k7@ z+H7s)%dLb{>Ytw38Kv-pLN!H~LdEg+x~+wqVpnHd$E6`cDCSDO{h}llWNJ2#kOGhmXxYQYh1yf8SPV!mxs7S>vt+9-1(kXbCS;e2;O_^mS9{VZ1X*7%jb=*k6 z-#hJV;_K}@3hmEb&X?GyPqwp3cFhAZ73jBZ^9$_->;ZyY6SwQz88bbz`E34$kz&7* z@}&7rei;X?2U}@k>Fq)lQih(E70WRzzsrp9<<|zr4-=QrMG!sUFY5rkD@|)Y* zP>y%H;qKS}mf@7ohWjoF6dVP9bYGEwZkFu@xK>q~(44+Y7N&P{CID=EL)y|>=llFMHge|3CVuQI)-#;O9{n_uroCh;?fw^o$; z>^tpIoWN!P*EZKt5tpM8Uwv<^u@67l(}`t$Oh3RVp#j0a>x6+d4FYSsKMtO^@2*K{ z;}iv~$iQl+LoEd#$7^1I6K4-&m*-IN=3DmDwiiuK*F$vGx+K`~#=7BiAr#kr?ld${ z39iwZ=uE{iYOe7dU9VSuJ8vAhv-X!%>GPFMQulNKtA#}7J{?T~Cbh5X7xlZ@QUt6? 
zonybH4d$op?OzE#N4HL3>f95*8%N&Pjd!~b8jMe0{I&xK-mkHWkKL(zbv#PGrv%^a zy!qE_d>Ak8js-l@I1DS}6TXHT5Z-4ye%!&Ky{UCaf^AygtpF?MFBilRap=>&*D-|F zXA#XrcWckT^~r~lIHJ8#!P zpY8U_UHUOo=R{9V`PLhbvyM}}xc!=w+w&;YaMgzZbQ2POm}4}`9K zw>0Pd&LX`!YkjAyc%4qS*WWc=A2)K=Rql%Rtrdcr^;0$}9|sNeORX2d-k)DOlfE2- z-%o<{kh_eACr3wJHQ2wwQ8J}_?|)y{2WJ@A0Y*r3ro1fLap|k?=A@nV-|sT8ZMu%M zV=wMoA8+%g=caXAl3GUi@tJtR`(WZ1aOh)B&1W=n@g4ZTIxVW{fY|mw?w5iGVoRb; zu{sq|(_xvZZm^FnIOkDe3Sf*7pN98Cp=!Ka{G)m8bJ-k;<$zN2&!kpfe1FCWLNfRk zQqMBxtMkbkdt6xvC6@cV^pbMAXJHC8o@KftKbaPRIdw<6jDrZ7W(D19p*seL%pm}Gp#8!F?J#!;?AEa}W!^&#TT zM7|+t<*7+?NOs1@AP0g*m?gA|(1tDZPg(Qhj=$hQO%$E-6gU(k}uSIh_G zs}@!EjPax%OVk_D7tsjoMs(y46z(NBOK^#{YwjKrfkiOY33(D9Q!9+jx@S923*>IpiF^3!eN&1CDos;jq|Q&YogZ7c+}WsJa= zDP_ZrlT1JcnqquS6X3U#W0+Yds&;h>*Ce3l4hpepVQ{xlFZ5`MjhaC=D;iZ5G@wfj zgxx%im2Gswq-mg&UfAo7w;T$ux*u|2ga?z$cyZ%zHK>1({gg_&8}IzvLl*J`q@Hq{OH%2a`Q0{$G<>~@<6dc z;r#NNWVvqY=s>Tji4~v#@6TKegkNS3McO}{vR9dK@lK$%SQXrW9b@njNx6X}2OH+3 zN>wRTS%vfEx#VHj=waM8EDZBRMm;^Y3*%jBvTRUHr44dLkrV|+n>nv8zgd*&{Au~- zZtG2}mvVn`2Is=KixhD$OJk+|b))BG1E_!E z?7>9%P8-ty>#3mEhfl&s7-1*`Bn8&D{U(%TV0C(s)r-Kln0E&pM584ji#hGT+}_lD zys^KTe?+Pc=#lE#8--k1EHSMYzBFO62I&`3a7qSVIdwb+H0+PpQ`H4r}#vC5a!ky zm_WvWKNP_D6+u|wl4^~8=^~b$%vdqPI}UDGT%)+LL&;~3f~IU#m1W2+L9W-fF4K19 z-m~i`>6~kUG4hDcge9wFRBuml*+5_69K0fF+y|)h6poLbt)N`GnS4Pk^&oY`>?VKy zL1RnyNp%34tS@M2zC5#Ez!`aS2hp za;iH=!Mx>4=>CCnP09eT1z>jYt4651+}8`^fA%?a39S+g3VV$kH@2&M7SXHz<#$;GEI_p(H|L4HWaw|sV_=;3v4W}zybLk~62|*Y_*aWV@`y8z zb&CpB4&NxK9kCcHc`p^N%_jTD3S5na0=WLoL2c2cM692Wok1 zzcI?c9)G|03*(jMubIhkfUmN->jl}4zi*El1J-OCrs||I7iZ+H+_#4LZZ*JutIi;L z>x6qI_oLk+0e8!&UDGP9(c7%j6Blo%L;XoXTg}06{Wj~P^GsVJdr(eYlE-IIxc)LY zzu=@Svh(-V8AYSV*|HPRhj!QIPi3lGORIZ!ExJ3HFe-Tuk&h_KAyn zdYVN}y7G28D6yQv+S(1X&DvEF&^vA(0DMr{t?g;2z{DkwKr=%A0zG_?Z-VFX_K(E5MM7k1_{rs3!bpg4>yd!Zw z{b{KT+{hnqMm_}`esJwfem^KgOqhcZq!yF};JbB|N3>36^M$r4I(%v6Dm3`qV|FcQSOH3Piy(n8I_!P|#nh&Wu3 zkzJZC_|E66qf*Aj-P50^QQj>;tx8`U{XzTYQDi^K-Snj*s@|#RulcT$OQb|oZZd@0 
zu|yw}ZW|~bA`gp+Zi~HuM+H~+B~Vwl*!W^c(EKRR+ZONWMKE)!=~_Sy-+o}YMkyeg zI5!3pBfrSJKIjn)b=LCJ;P;-dfc^ zzsU!tzkA6OzpAm=MtDZa$oxscszzi~seN`Hb)*s}Emi1`^dY}kf?*azqceV2Y=nHN$^#BeJY9U6ul^E}sUUl}jKy5zdskf6f=9FFHGB0d zptEvj-lYVRn9+0uuw8lrJj>^j^@8r+cmHqJRe)qEik7M^T+U*3kNFx6s00)n$TAT{ zvZwct36suI;alM&3CL)q2pNf~&SAsJpbm41Jdfn)R5DY_@7w!CMTaP5j9^PD3?`Ri z8TkF_+ND}oYd9hOGFgPN{^gpow8)HJALsXq%iSl$l6U{(yd0!%y&zcR#0A@>z`SZE z2|eB((Eu3*T(Qb|Ns8@$%+dS7?w|d%NY}8~cNV1nI|qu96E3oX*bG`nVXb-Jz1D&o zn8R3XfGUFkPx@J6sQoC~aEQN`Ib?vS5r5@)Egp;P{-GZeutCa5xx znovbn;kq^$W#h0XtJ6AFEd6fDqBu&|p`)mwu zYK{Nf)dQSeVFFW=DDN-5OwEhjUcTSzFZ#i}caW}g8Yre-o%XwyQ|)t&?zdfhEMxHf ztv(&>WUqv@TJeanJc}o(VV)%N9(s*0BIilAi7Z(h$nesjVG73(yN<;3AJ3pvmFc}1(xn0xLv5EZ*=TWNrm$&JxNP{KxFHxo3 zO_tN35DPb|CHqk&c(cN!{tgti!LAP#3RE}_sg$PKB2nP6r-pORIwBVY;*=&DElnxf z<;)$Y_~4X9pnMx~;x=Ag$QC@%z@88i&NF-{&Yn&BE>e>ybVii_PeEA0N~XKGk4vd6 zYOncNQ&5s_uOdHaz=`}UftOUo>0B=Ks>PeHGIUReg~0p=^w@JlP6~~<4RS1h$~kXl zLg?~|yWN}`o3+?~fIpfnf{OdXId z8cV9QwFqR?x#?^ni4)-QsF8L~yPmyPXIf0=Ti!5?)6OKT)Oy)=(MK=@$EUe?7>yv4 z@En))ELvVTcAKDQzOOgDR<&Noy&)|!ww19ecqc7wQ2{X3HEbfT!trs-y;o}vG9p`! 
z`*gnt5jGxuBOz(kw$2!GVPtx^6?>@vFsdGTlXp<*VEU&iP}}R4%Pxl|v8z9?vn23d zEb0Zk#UyYRc{F+1QO(%qd)q@!QstfBGPIgNA?FEUS|WBbdl`)STs~K3#dfnHo z_W^YsrX(3HwQi#~Y*k%98aHk1o1Um9rdR^)ruVLumlUZh_d#zDm4LP(E^mXsX}8Z8 zAooW(lLEDafCf`-rp>PPyf6^>G=X>HM#4BE;OKpKo*VwW<0A7TPi2zcdTwj8bryTO z$#t?21)OmJy*N&amGKk3JqVY&43D4_X13lA2PLk1#33(w8fibBs-v}SZFo(rtXaL= z{h2ZBi%{z@V?zY~9mC1egRGR80tkqfJppYi-&k#ROz$z(giD*Nrw7qS6}VOmV#-_h@>KCkt{NiEf86DexVC55^q?-p4LC1#ozFl8OLs z?-%DIwu#;@$E=s28mx|^fFMw#yz6xV37^BVS=dp17D>9sN#ei~BmT?#0!*>F95|CLz<7bOhQT z0Smoxez%MdDV0wGAtVQuuMkIX-**`KiiVjI_Q!c+COa^vrO+ES(P9hU{p_~HsG-Jw z#J^8P!t6-$0io*lS|&k^@U{H*biSj8YT?K{VYu{VWvP#wL?=Ewkd~t4qjSvbV745Qw zOrCM}jAQ|UVVlC_$8R3P;Q``2On@S%qJ{iVZjuB;W_~QX5Cghzrd~M`ADn60&x^ZX z@gs*U1gQa5ci)NrW=BMXPQ4%;&I*CIxy|@I&v2xO+Ea`f_RG+@g^gF#rU4}hCkvkrrin~VtHfS6#D?j$x zzHFlhKgrTmy2B!_2f9T+;^G?5r4LC}@p_VyHqe~QS&!&mo(^woB$*&6 z*NaAVw}Z#*jLcMo9?B9e+zwo-OBU@Ow{JB2Sgu7@{!zl0HNEkP7>74D*snm!OYc|V zA7bgF@fu_C2>TIC6rXw#HY?72qpJC08QKT4a|(fsqA-a`7mN=5gNzykC8WiJG&9XY zElg7s_yT&aeRr6D!BA`VIVdc`z6P;(Vkp?(RRc$`I>SCHDjraN-F4+JTd9~t+tSoL zcUewd0p8$WPoAef$#O!5fbno2=rCtN#t>{f7S+#$8s_L0c1`}SqjX~fGrcm4jEF7dGWfnKC3Dtua}8bma{Mzo5fY*>wC zg>2CS1zL2+iy75_a0^JwjXW#_G@ThHg`XoUosMgEd}+2@6-pECPnGK~KkmB{<1N$^!+Tsrm;3usS1CNa=YhhPVF@?W+}w~}8VtARudt(ughu2=zP^}bSw}*0 zR+316j6(_>TS00JBxaT*jSUyx~-*P3L3tl9Tk0Pz99aO5`t8W`sMJ}W-Epm^jQ0qQZo)b zwAR1ql&7>7jiO&^0y=m1@BEn=@jP`&e!~F1Un6oPyCP`suZqvwxWp5jkRMaVUEUiD zpR^1vk09hP38@g6$){qJ;EDUop(X)7=7*TCrG{mcf`dXc-9NXt{NI-F0~2fvlL~ z{CWhW7J|6$QyeaxCc7L$7Hc`vn+F?AFX+E8iOHY5-}^uZ zkLtQfLMqQt&5_6XUO?kn=%-W5`5resleO|)Z6m6$=Qro;hUW|3kp9joHV_XeFJWqP zKe0>4VXSftaP=ab^dQi2w|cj-SMkt!*vr1TdOOcK>G8TSU-iImoEBtCxW@6oa}D+0 zPsC`W<39e1o9;P&`1pRDCSBj{R{_RM+RYZP>D{n(QzbQ72h3J)+w-I0>Obhq2MS zx4p=#lT+$o#cx7nypcf6vm)_J>q^S--L=>0?%RlJVN zidN-)_qMKYedWHhzqiDDU4#7K?Oel;4yb)Zy7IjPxl4~W{ZxMk?Pfe~c!KVetf(@b zK@Z#ZMf)HK(1YNW2xUZ??o*rr)fq2Md$Z zU)JOS-dEQS>Ms`o@Zeue*DsDx>G)bP{>jS1{@?uCDewEe{2MG zAzAh>MMnTnz6P9M`#+H-CqHFD{^Irny93dVLd81x89AL6%8mb_;RvQOvtX*p+Zss7 
z6DWu#FHAt^D0kSW%5?`wN}C#Dlz)8ic_|8R3KDd`PTkUc>k4E-`~74u3^XRT=P#^sTwe}(?_ zeLldUQynJLo^em8hUPFA9d=4cOsEJKDBTrR7UyzpR1BJivdE7V!no0 z^~C*9Q*s$g+yku(Vw78GchvQRlP_;Osp(+BWQ=z zxX=?W$|+Pz!qdp^+D|2syyM)RzZ4|Mhdz_x@kn}njViH7B`e$%{Z!V}nFcXB%b%$= zjGw@VBbKKwh&JhM%@Tj<7Y%kOz{x|}b6*Wi1?6LZW-KZ?73Yx4m(4{@wC*M=6z9R0 zNY*#OU{*il_`!f4!2hetRGJDAiyQZcOB%V@k<*lc<`;qmFp7$DtUYm)Fy@!%P&squ zzV?{oD>#E$Nz+lD&GcnIab#L5LDb4crw-;FL85Q|WSCqjr^P8dbxNhWVoqO3TTF!Z zYePPLl9H&Io(==|&(}6HHr#zyni{hf3OuocrGnj3_>ni0IZcrsG>6BOIPLxe)&C$d zk>TjCZ~qPWGd{Tt@%fztjVV`wRN2o-_TzL7ANT}kCQ}dgpXWY8KSY17vM)6jesv{G(dAVSW92K7zEdDIRAmZlN34!n zZ3G8fE)|#z8MGp;H8BWC_gOVeGYFMftjhP(U-B%He!zk;zsXwX4s~)pln`QRLlGPA ztF%Vb`EIo9?!%1v`=xV#*=G#>CRJ(ng-?{4mMp7Ru;wt)LX3P#VKAM`h+ZyCC|i>9 zID85v$A9<~6;<(6<%h2D?|^UQ)Hj{ATAF5{G2cQAOem#;V1`}4NU_jn@vRS@lC?vrsQw5JW8 zhFYHY=WzosvD>|__0;8dhgo7vdf?akX~lv7=v#DF`L}KVGn?g$`^U)fs>kK=Z#-?8 z9v-)=_vODH-Axr*O~+t%VR`}}_B}H#+=Cp{kc-K@%FgGGwJ2AIy#h5GdiOya+m2P& z$Kw0grS=X_&(Gdu(*h8P;iW*gPElom0Za}h`CaU^2X_By0Hbv60r`kpjqx1$O0Csc zVwlm$SIYSPPh_xPwMf5caoueqcEEn}*Aot!7C|I)6n^&XotltEc+7;^l1JOh0H>#L zPmQw@yNP>TXuf7NETIBB9-~p!n-4B9Aw12m+Z&GpEWaPP7+sG3sYH#lYwS_nPTQ;(xkvYdRXVxW=VV#+_AgacUJIJnL1F5U`m>b? 
zQ$O{KG`Z#d3JRvygQEk@-lxU6p)Qw|67BciE|)CcCOxNv1c8?c<0hM%UHXz(PI9?& z`sWC3VDkXXY!!H8Y2!6x48;AI@%q#-1;KN7_HTqxAFsR^9j}_t&tr+Z<(XKKtlg&dhfY?9&2+C>3vez(U% z>GvLe$l8#t;9I8y_%ANu)9~yoL)Y`|5$@7AYYYzc_ny3|YUzwr z+sj7H+IwzlM(^I|pzOvg%RdWU=XXN|hh8-N4&D!EOZr|b`_F04otKqOlN)vQ1N=*J zQZJ;BSClJYCT;Q{FNY&r$OCR-%e{&5O+x{4(1jysVR_ zyh&-nB(}O!+Vjx3MrJ00Kz> z39Np@B_hfk1~(-7sI0 zzl45HpI@-`v7Elaf0`W^G$LzX8ejC9vmbrHi3MIyPCjWJB9O_&e_dML10ER=m+ zKYk?D&hW}r6Nj$h^_WaelhDOY?ZW>t2y%4(@i3J1BNV@wGX)3=SFLC^ae5G}>u)N5 zU%C`xOq%pMJ(_?3dDXF4A$#S@Piu^73R3uyS(#Mk3^3z!dL3BBQ1ghq2aU=BIg)iY zDcBKZsk`|+X=m;Mr>x%W@on*aKhP@XGB-h%GA#yyq?)YNdeg8NKL2R3dK?{T)cu2< z2YxIwl#r<4MU)$r)!>S9Cu7@7R7eR%AaQXRbnv}O-S^M-idkM=`C}6n6dx{>w^pUC62Z_U$V@bG^WX_1;-kijaFgeglp-WV z-0M`B`gGH5Q^FFbTA=emVOjo1pt=%owJYLf)YHm?bNmleO^1>F9Hv31f*7aG;?Ij; z>~>=rK3mjm=mKrnib@gJtd;hj4yB)wJtlEwqSQ|Pz;&R%ql}T#SOK*6J6PFd*6-vz za5i~%C@l&oZS!0|Xm`s=4RNFMjS$!jP3A{Nm9VncnrKLGR~e7E5v!IXheni*Gl8?A zQsRxnOxqY#0Le?c2GWsfHid1|E{^}Gv$dp1l7eE2A#Z_ScGi@vt z(U`5Y9KMo&_p=@=OMqSJwk)Q-c^Q9ZEPvbbtbO-+r^;Y~2FatVJr|95df9wyJ~!59 zJOBEyuO{a1s}l>s^FH@O_#t6qFwIs)SbF)~oe7`5rXse%(5*$z(fqUH7dJyGvlpXJ zv@F51@F5>*{cfuET@;f58zpI+Hv!QUOLt*2&SN?Bdx%8~joq`up ze30{|<}36a_HlL^ppEUd?Q8H?>hD?RfOYbgrsitt3F-$J2ASjte>Ly)5PQ{J^H09y zh7z+XgA=K{tb2jx%oRC7-FVs-mcGkV_y)gSxEN{YSDClSUmF^2>ZS0_qARBJm*L`1 zk`Id{W=?~XO?UY{V`;w-&xMTbX~pM`pL3Z<9sCK7^PRS>_fk50iI)k^=A@xTO8-14 zRiuV0i)0dnFxob;nC&gi~JU`PBrU8U>x8 z`2*oa=69zHp|PI?n2RUNUu+FUoXZQ=Xe0wA0cOT&0;eV7OMNY^6v4~+^N}j>vDM$V zmwf4igA?qttfREaa{djoNd!A)CSb0OsxqvYYGcfnOyxQae3r&a`GKY|Um~p8LN@=? 
z$9jHe`K)o&>_=6%HNea&I>eJ7bS4qeoQ5~_R{ z%_J*DN(_afP)MzK_hKb=9XurI=W-hOX(58oXadOWk0yZl(p{7%0Hds%cY-|8T!L@H ze_GTI>X)T@)?kbe(JDwkgl#R}^&wk zeUmGVXe8Y>p_?-&B~7+2iY{I~aTdfEMd*VXEgoOVR-jD_FHOWqy}7AZIU}7bH7@ed zV$EXloV$!ZDPJ>aKnW>>oyBfrQEM6@+?aq$n9tr~m4d@iMyU-m9*p+yKTwECwGKku zU)iORG$ATqEHuP|p<1b;wx`X{Hn3hLiMr+><#85g{jQpVY(c9Llh9mRKp{XMF-MWq zMCK3-hu^$%{iAtLu0yy%zpuKU$5$e1@uC?4&tOU(l`zJyl!AnA3APB$M3-+ytk=mlKE~sq-!6j;=}I z=A{Q$_Zd7-M}66}$g|^q#1CA;kB}u^I|GYMYP%=s5C6&p7o{<+JP83_p2gtXQwJHB zt@qT^c){zC7{kx4;Ao!_0f6do4yI|zL!(cCd(ndElJH0GM%m? z##k8l#V9W)e%wEK50K32+DHpeCg2z=#Cjw0w6(CQbQH% z+^(CmUBI1t>5RMy<@cAQwWiIJ!=cJjK2j_D*+%$I9`tB5=q@6e&93Z=&S%ftCxPbr zSnm~pao+gZ!rCM%r|V;8+hSVNA@o!qE|#~~d8NzN^}YdbX4epYg6%JD-MaaZt~aRH zm&SA4639PyOIbAjf|ubrkI47C?kKsZna!w#T(F*Kr`N97pt!tDWvP|JArcegrPs%% zX831RXY~QJ+s#1*6U6)aRKIKQvI_*V&Dz;tz7%jO@wjMwD@^-{5Vb(gT!<3aRZGj= z!PrHhr_&qiuGZeDsP(fDkCO^w@2hhsx%KPh-s5K~^-Fr^ekvEjIwO9sIU%C+jc-XE zmRVanzqVerp|$U?k2p0?Q35;c`VyAbtmdp+ZEe5ud4MuE<%$?v7DMyaEa7clhhQFg zTt=QoBgl5Z#x9z-{AG~dh^QzRS2+1borh&WruTqF8)E>8g8uoZ`}!(wc$fM#^p=y! 
z3+*7^AmT*sQ~IXIJH{jaI>SAS{ePIWNyBaYeY%cJ8_Dl(Jx7qCYv9ZoMC6OZHDnAg ztLVKb0qy6cde!@{!(`E2ixE#`&F&WxgfEbVXIrhqGIa=rcwJN7(G+Rjm|pWs)(SO) zC>VWcfxdRums(Fr<}d$*E%Y*ih_#0~Y5j5&<*uC{rBU`|G3ni92lPU+FH zd)Rg`Y3UyfGL6-0-Fe_g;}*G0 z=Pi7RO|=fHf0{)$)CZ_x20_)+muVY#ty{_k9s3ZwP*(CvSJv}I3aJ7nP^nKGZC5c0 zg_q?bl-!k>{q+b@EIW{lc;`62So|Y5BCuDs2(>HJ-3u3PmH8?&fVvW$EX>`u-y+uV z8{bMLt*~1L*WB>_C!5cp>=YfV5A$||RN=>-r{hTMDVvFhOOy5AX!Er(PO&+WH6i>O) zC`fo8wPq$C+edAvB(YerQ3j{=6RQFxSIJ2RF>~}r=Pz8#O*ZEWp)O{&)q-9#Q5?Lf zXJ)Ty{$D-AIJg+P) z^i5Q*O0kfzLwacgTFNL#JSWb6)kuilk=N|*$rtL%DF|=m&i_o&B;wo=%i4_nC4~E}ku%)*9FaD_fM6gYNEL3~p~X%L1A3w-M@d7yNs z^r6x~R~f-#r$P;MmJ>K_@->}nU0OTY&#gi+X=W{HA}1{{9k(pr{!f zwNe5cwVNlcwDjqEWb9ju4dzz6@6%}w9Af<}saA(-CSm7GE)cfhDMbQC?#QSCU+q{%Js{E>WsG1{#x_ zj>`Q-l%uBhx0ykCxbci54>QiL!ctW|T$pn>Y&I1aox3ECd}+%KrJ15#l)wFir#BAC zPLA^a*IaY50s(XUKsmPI;-4d{II4ll6Vt>7-=S8#N>sPM-zWa6hj;ar`dL)~?p#(D z>m6Wk`iEkwOqAh_@@}NLf4vG;ue5B=to+viIo5B~2#spd^ zoCxOttHgMCmdw;YR>Shro-G+u!U~x3YqNGBoo4RUl)Q}p$g@7P0-hhPB&6r)0n!?hU)-tiXr-{YXvLH+MKEXAQb_wv)a_yictZbq z)2Tx8u56Wk%GTwwtjDpz&^x880Ng)EhnWFRY<|3eEZdB+UuwM&?>C0I=d^ULo(PiuYLj?Bu4waBPwfGO!l~hT zE1icaXzzpA>_EO# zkf=RK?h?cl^ftw0>PZYaQN}*6dl&SYxzBozz{~DRI5!*jeSrLfy4KHxJgDB0i0(UT z9Im@Mw;-PZkTcsS?bX-mO1+va?-fGN*vQGMt3JFNsD`jfc z{w7AP9daU2DfdYrY^WIxCpbBjpf{NWcNya-N?EW=?x8aoQhiQiBxNBhFQm1a*1P9h z78&-pX-Dv+afK-5U^D)Q%P56ssQN9DJQQl$ZN6twI?>V|!SB~UDPsvNL$zK7%*h<$ z3Te0DUulJtqrbOa)Nc$a@;?->_U{)k#*em6tJpdkZHUh1;Y>rH@W_3`^wio((2-g| zZHoV-tWY=0t{pBNS=VlqL(%`xo+$P+P${$>ZLf)1iD%a#6FI*0vym$HcMD@>{EiFM zgO^|$GMUoYu(~{*;V%f62SF#L{3UV`gmUr-j;mxP-qzDY8?c{{Ffz&CJn_w^i^Xcd zDnhhcCRp_p!lJ0Yvugp)4NN$p+X_tB)0)4fV+{DE#0$`7{RgQ8^R&T(=RzVJfwzv| zi?~yNU_;jS?}0a2zy(MV9S_aVBS6;E)Lq#T0J-7AT7my%t$g_T%{Me;g>a-yL*-mQ zJ#?F9NcIjWwK=}DiMvem9j-9g?LT48Ax_6!qIK{o4NDu%j8gANFkr2@^+-aS&rLnd zYLqI|Qk7UIQ#u-JeQzzoKBdQ9yuqYV%Nr|a($ZVml#b`96)T7XPu}tHp5X1J*U4!m1 zrdP#L+)n4uYwUP+;BkWcg%;gWoO98vf>Itq;B{^hXU2Fnk45|itvRyL2c$%m6yJgh zA!~Inoq$eR2)|mDMCEr4-XpCnY&~r&e{%5jTkWVEZsIA&VFbQgX>{mbxYSQH38e@| 
zaT5X3=Z_M4;QRGkQ@|-Cu3%Qqch(Vi40TYH&&~PwB}X} z{lj6W33ZIwT}N3y0`fapNF|7RK(kq=c;B-xqhvn@oY`#n!fNcK<3*B=16NFHgrdwV zFdCqL^3u+5#qO!{GDYC28lKs6%XSl*prj|pUjL<@3ROxA9mo~a6t5}N#^;4Aefqt; zFK(R8)xcbJAz_UuPyNTA(_OZfoml>+b>>1Xbkud;D4=?u^R=1etUP$u*i(UcshTV# zd~M?M??k>1_7vfW((hj~2>3aqO6NG={KNP{wPJ#_+bv3>;WUg=lf zGTfd6GP^Wh_C30udvgGKz-OXl-KF)xi~3mU#13!^dZd6ck_AruxspTOJd#^N1?l?1O0rY$vD*XsiJJ`NEvE;uki|XuJmRjT> zyFE5UKes-NV$t}|D#HY-M!n=dHsfWS*N=>2hZcV@rbqe_25B* zwED_Pz(+#Gs0%mWPtCi9Y4i5wv#BlZX6I935ct@Cuf6C4^{LIcfQH0#Cg1=xzqdKP zm_WzZZNeTt2do=R>)-m!l$8-S&yQ5mgI`u`!QLHRj+{EXiR@FZ_HpliRbBt8j;ZLn zW>zf6Ot&^J><-@k8kAW!d4S|6#lrv(5gnJfF1*JbTj@wvQhZ%!FKvLwyoWvc4fNhB zYtI#mE!Wp$z_}I}t#OdfMYm(UE}4PI`GKTy8Q8FOmh|}GZOr~6|JHCSKqBC_{Vge@ zeNpRj60?%a^5Pu(tUU)VAWQdcEU$RayV2V7V6;IO@U-d8!~D7z|rb= z5`-)O0Yv^+jkS=#1|&%Ea2JxqA`k_UAq^w)JU9h@)hydl>ZPbX-2NbpZ2%7d&sCX_ zamK$7kmN#5eYslVP@hSgX_`kn}xe4(Gkr7Di^`lU3VvASg+EqJZhW#S;lLoFy2!_k% z&eX-Sh5XbY<(f1m*W6hwuvVXlm$Fq-yQ7SW_E$mNZk@&yMdVS1fs0tg78INMz(s@w z3cVhB3c(%k6*`65@2%nU_w3k~S48E4_djxs!=Wbotc3`JMYXIsM+X8^n55a*E7eb8 zCS$o}OI}hb`jArdZ-u?h&^1bDW>vx}B8`98hxyDj=4+wSO}ayCd){W zb~I|0qOoSIC)d=l{Bfw@!wX_(v0F2qXGo;xuSIvQd4&U0Cr!?QlP8U_Mi?9oppD*TlV=W|Xtl(BNw0PAKg#J}N(C8tY;RvfIWLsiz-b2BOT0vO|xtGIKK>bN0l4F)yg7qs84nQY* z*ln2~;yG6(?QP18*NaNR*sLt$m_dHT%8qjS>g2slWGR9cqUWg}-aF`axyy>h)P^#D8!Ey@OHJ*J*{VR{f zly-&!a6INCrIYp>HVJCNUznH^nDb26{N%irCycNG)4mu3***&Ni>IN2O*~>NgvX+7 z9ND}mcVcfruW68C$d^A}d0Q4!7gXK}U{iy{w60fqmyh~t$0B~^$LGdNC?%cZ<^1n1 z$P?M$H9v}a*Yl6jvEdy1B}3;1z4H2$EZlc}sce*}e(?5jR7fgb zc|`nxY5k+9&KF)d1id=erzS}hxzH&?ejwSB{HxlNHmM;!-bSd!3NWD(LH2vkip63! 
zIKd`6hwVGXFTrq?CCfGDn234~E#>0UAx-|UP?<_u`2u%p{G=J^4Ko_CEtt|i(fqF* z9{>&{%f{-=v-n;5sX5;tBG2@=h~m7`M{$yvsk8Y|rivSv_gGvh`S#|vu%AjV9qKe= zDMNV~=oDu2iaUu!3~O!wHV_!am%CRmHNvEZt8D%hBv)mJW0P%a-N|Mz=l1!cHSt{_ z(cuZW2$3Ma1SUd$fBcA?SE9hv-%Y*uiGE77)VjTVEydExgk^t8`S?GO4F!8v{TNTw zk-z@Nvf1$ExN9XmT`XcrBS{7*lO{Ab zCA$`}C!xaM2N|Xdvz9w|C-J!4|8uRf(2ElV?jaeCID%|sAXUMq(Ptix@-#sX!n=?a zqNRAZ5;chkQGohch*+TohB$f&rqy>Cb1sU%zeg)?G$fKDusF_}M!adi1cag;3uU5) z9n|WJ-OI={jM$XvM#f|5OqtlVNTVvY{fr);&z51QQjhE7#>SdV_4qqHF~*)F&>7P3`b*Z5KF%856QKb;Oe@xKDDBBTk=3Co8>JG=t* z2cPO8e84OCDuz$*BHK^r&e<65A5N@`1r8#Y3?`QdeoueDMFt;k0Gn^oOgF>$?I2m2 z$ECIvEn6W`{!5-Do+fb~oB$ZNy6QnYWv`$72kS)~y6sYgqeBf2lLC~RjQ1daSNYX# zBa#nZ#tVjeyVE_kOP15D-|Cp<=JNzA@OfLcs8h3LWi#)luMTb5qrj+%Vc-JPwRfY; zcm@KFJe|iS;t@La8SAgz9Iml?3?_6iK`z$PjGIV^HMV57N?%!X>?Xse6OMY(yM~Br zN8S(KHp3X)y5IZstsOFavs}+R)-oG<;+im`n4DfY!mO>-fcLX7+E&kj%q?C?dEO2$ z8S_-XphqqqnDm;lHM}<4#&bp1a;u6cbQ{vBmDbIj4jwMVsG&S$6~eA0;%}83ZIRwG^qm= z9^SMHj@ia889JWR)PdGpVN6=jX8~bAqD&V=$3Fho^6Q8Lbtd*m9qR}Wy%voUBFMWl zfKSBwj_F;3H>!s}&!(uMW(fi>=Rr;O$$!wu7)8p;9jKs}wlc|z>_u*Hi z*X83kzRoQd4niwVTT|(+%kibC7UFfV-2@Zi<4oHle;hV?y}I{af86jw(%t=>8Yo)o(b(@GMszo7tjTCN}~dk9p|PtN|&h}*RU zR5VWVBD-u zCZTJE9-OGK`^s~PlVZVN*~b>mT9?c;U!oSw+!>_xyBGOhhHx6GIW+NTPExCZ6b)TkCn}D{ zud*-li;vW2p+B0%$0-tb2z0>-vh?Y)p=d#oUk; z`%!+qe-04_zeVt2my+AlFi%kp*HLB#d9tq~L5VfO=F`(({S@0q>{dsy3V%m@8;n#C zvyjU|&|bwmdB~~OI({ktU9(Fw@!&=UhhjLEM!U$?2WPjMBV0#2WWe|+_EyBzHLyDW z9`q%xUzg(<G=E%B5z zan|bUUM=z3#Gq(x>fWBl>JG0Q?ht{#pGz-0ox|3QiV?6-Y(fD|u<=i^DApSeBxR@Y z5Fu2tJuJrn3$GTzg!P>pe)Oq+AIIG)PE8P(*2vK1r>w<_W4Js9)CH_+#z>ED+~n`R zl29Xx{B-Hk&p1PkjCB8~CF4rs8D-t?B(m%ElCgiu^^IUT4g90VBxOn^O-^|ju6+uD zi2lKOEx+9=mwzkjEm&YW21xK0u`vApm-g9faK*0sEjOof*tIYt3E8!f$@*A z*3TRnvz#=i5@OzdnxMn6yn8xB{P=&G!be*YP{s9>u>Ct zIPjIio}&C3QG=#rI7kD z|A;E!&Dvd+=(1qXIo)v6!_YB=g@FMZPmcU`F$)dYM`*3bZ?$#TY?PwX60uJN4zhJ^) ziKNDd#hmuvyY8zwvcmD80<16UOB`fwN^J&;2{zYgS*$=GugsHVNvS$1>zNaD$%knXEs_Tjp( zAM-En$NVe#=RtUG{^;XLY#u09z2l+xX@bf|oC)9(cLNP~VR}d^G()S}LBt`}2hVoP0Z6+HAeN 
z=u_Kp()L`5czE8lH_d3BVBGR@-`pM3iPNckyUFPt9MW}tathNWyzCP2$pZI9ckT4e zsdad^kl+INz@4UBz>+q^`FFDjw~~WQ-rb=y{^wb2I=U-MrVA%L;Bm$q*%8zAw&v{< zQI`X8%fPFAX1$3;#2d!1swP7AS26b#qDs%(Ldu#Eh&0`u^P3Qf%;BwQh#&!>cZhl#(`4Bn86U(nx}9EO(SmrnHo;ax5P zb5UzY=R=q6p6=()E;c{C&2R7J+K$neu-@9 zyJpn@LUjWLwS{q3IRc&bZh>!$d+6`2?Pm_!vcz0y+Ms6iMZjMBfxM?(U(yzB`s-@T zD~a0!>o1#HBcA4p)`e1ZHlK}4zU?;crWoWzp65~P#MRp&Cb6aNSDhMhIqlb3^i6Gs zy2k+9a`(-#qOHy~w58;|M~=0fcEiP$`wbH6=|LtN@ID^5S%cYsUveQ^IuJkLDsZ^v z2~rR~wFAIr{6Hi8Kcc>=OS5QMwhLXhjV{}^Z5v&-jV{}^ZQHhO+vay`-?PU#FY^bi zG1rXDh|Gu*EET%*Z;%KHBE+W6O8{qm?>Euc#5do(+KjK0+jA$fgrkX^pN2Ysf=(Kc zQ*ODdUAmHla{coF8v#rE%d=o-0pTmhQDCyHv%r#J*=$<=t1{=DSsN(Z#?y!mMu?`T zHqlg)KuJellbY2Ynu-5)snPa_?wCxXIb`(@*xD%l$wzxyRDEm7VZA`|lM(fOxps#x zxh#VCxzKOe!crilLv>X0u}lrfkkt8O%%16cnkp?D8DmPSqb>~mJXj~j>BkRcb}1W1 zl$&^IVgEFS)8?Sqi3Qx=ez1DfWzX`V5pUWJs;38?p-Q%J*plpcC05lyOAw3A0#9=} zxjYePtVBlXfMR*{M-llcNgn4A{f7LMdeS17+~SRCZy+OJT;HnG)2zQMO8p zU{I=N8OS!2Fd46w6<7moa;2=>A3XNMvX>^J3$*K&nthYyV>=)0?2AIJT8-?>Hdb4u zKP5@9Nt(fKyn$&)t*=DN~M5p7cWuoqb!7<&qJ0@Kv6=1@(5Ti?W|!x zuT`t-Y8GXS;Bb&1VOkh2O?LYm?Y*u=R{=#?Xl{xn>WTltqjqSye_5@LdQtE=w*5_|rhz&_StZ>y zF!qVCLvv~n<%nn%h1sy=f|XM^0hhF2-L}lz-?(^M_(zBDwT|T$3o@)&e;xF-VnFsz z1|0I;}up%~z3ou8i9 zUj9?7QElxsU;#(Q6ezxw2ns~BL!Q=YIH*Kf^C*ehL`Tk$O|LBra!XxYj>~OYuC7`Y zkZtQmomSj20Hr%j!He|P7ur{DTqf=mr|pc!xv5x%GhSK)^hB+dsv6w5BpnE+ z9qnDTclLQ?p6n`-jK;jJ0x9!A`Lo%6k9a4&tk{3w7kaEFnBv!c z6OLSYy>-}j`(Bxs5L}eVak@W(USE4(BwXNiMz>wst>|_6tTk*H<5{lu-y|DPpWHb| z>^V6c&7k=T(p;I+dGDxfZ1}R9CJn*OyC&jQ*LU>TpD$RIyw4w%+yv1)zvk4aABVg8 z)_+H|xa5_TWX(OF$ICI-bay)T)=lfgaChfBO-kww`Z^FXy1DP<;G1Q+FKcb+bW9M& z0M2VyqTNpBaQPozqn3BRPyaSZZ9U@8FG%7}dDl)Z*s96)yfsDL_?$L3EUf2wTG`Di zXkEVIOZ}a}Z(ILc)=J7JM~k|)a_;D;@*Fjd702+{i9M9==%(!0T%b$(ihO?#e#fRn zJx=v_%BZ(hJK1_Y*+|j453zN-iYstgoxSX=nE<9z`Alm%En|$E)%WB^HangS62ra2C7OH?)A z_f~dve(nR(MRnJB(EpOqeW7w6GumG>DU3fHbf|mSe2>FPPhUOh^t?1~Qq!>i3P2oC z4~V&6ddOM7RCHW;GjB~?L|gWK3@QU4z8kNGXg7|UE!EQ|5%uoI7oTAPU4kP{ z!>n>ELz=P)gE^)9h{q-Lxkakm`6DX8(-7eLS`^>+*J?ZdWX*>cu@lN-31H2Y4-@ER 
z(T9ud5B#cVC!v^F`SNg&cZLN|sh4k)A03C(3KQ3}D+^RIL`ywg0+o~3xmMFOL8Q!B zwhNbkqn&FgCNxXIh#}Kf#I8-mD^IIWojOrW+pqoe9w3{BE&oq#D2#yzF;1YGeJlxs zO|QPsPb(Z)Km~Dq*yJpgmYFLs;5i~Ra}52KRH!6fqGU5qnikl}V9=WZF!ln>OD)PF z0NZ}x1cl!s*@V$Fp1%JyV3NO>o}}vvT0HK>TZSZ<1S8C&l}%v2K{!bWr%p^NhZVi) zeMuD<>!98!y(u}Td|9eWe)O*bhr|ejC6wZ1icVHV*}`WlDo~}W>l81n z<60PF9P$q0fRi^=y|Nk+X4mTRcvUHt`#m#k%vC(rXqShT%-_b#mUEhcvtP|XV-DS0 zNR5oTAyi$uWE=Zr?>`e5m!C{M$2VAj6od@?`ZBj^-|q462KxW>zotJ#bfWYQwgMwX z01-d7Tmxu~fjVx;m>=(H@FzJRs{L|=qXK{N7xkRE#+rcYJ!bheBWkz8!Z2t5{dp|{ zJ#wzbm^ASWnU;yoX$zuKnR9u-pSfr=|CvLo(yCibvIJ0vstWr|4x@Bc3L>H`m=yCl zdOdLR8FVCYB^spD(h$0nqz1V{XZx-zizC1)K)5~KLbBp`gtA(-u_}`;Mo2V2!rw)7lVS)zI{U%A#n9Ek$C2Qy?;=t;G zM|Xh{kn7aU*#6W!<(%|r7!H3?1IB#z`HBMbdRhT?(m-ZnaD$V!XrPR~mS~R}&q@@` zaUSTbn`@UCj;!UR8bmRen7PY`x8>TdLe}aN%Ll7b^U6@gQbSg8;f)yQC?83JjE1mc zYMw5xf-=K89?gFi?5Q93Fcw8BfL1Pl zJegGUV9_UEmn)E!IHKG@H_QMrlce0gPSO)4?*9?}Et?OnU_!hRPNYOsXTgA$3fbPJ zYu(Gym@Dm=Yx_@$FXRQ1FT)0;An>}WJ;?|EXw^c}FV{YV{Ozog5Oo{@ILQDF#1fU) zLP{R-xt?We^autFa+KE}jsgZOU1THjvzia63wQye!=M3trK4~|zlnMV#d!ojC4j(X zZ130eYgp8I+1{^`Vpxa%SVt0G$44eHzW*K%J^H!yqSW!<0n=9iZ_I;*?}iO~K23YX zTYRJv`oQ7SA5Q=w>Yvf7DcuF~r?wA3X6GcQ?WS8t_p%OlSL2ww+Px?KdTYh=7TE`O zrWXKihspQuiS5vO#S3%mS(4%Dsbu9t_3FL0R*6b>GOg=W7^Vlb%>wo zGtgG@<*-d++WjtiR~lV+!m~Tih41m@EywND*TMI;+&Qwte(UBOc7>MXy6$PZ%**K( zAmqXg%X1E|=DoQ2+&w8WZ*Z}>xT>hOJdeJxLO-E0c^SK%{Qqwufw1Vdf*Zhnx zyT0pw+dN$~QB!;Jn@{KRWm^Y(QMT(sXrHX4)9H%*{ma?1=6Mn|g!?w#rx$2vqPlI& z&Fh@flSTF&f_FdoPH{7+tfH2xnd=#HbL$|Hi*5M(wL-~7>%P;t75+whKdWlS%W+~l zPwJDGcmJsg&gbQ)_01mGNt|-ENlNy5-QAvkK;zT6ja5?p9zc@ndAgjQxtM$8TJ0q4V|_gH7Q)rS}0SQLaR7Yci%5ppX-U31+JtxOMygRzCB*?yAKRog3Cb0)^ zVzyr%f9(1TW%atcG+hI_R{k_=ybKqxc0W!Z9nqw`J|EfYcpv*?)NIa_+xgL_Z9(RV<$ z0DK?bY)5~fx5x5lz^W`(5DGA!1qc?;jF@qd6+X=TPv)}TGvJN#C(h9vj@U&6bZ6YlCYvHm)akx<~WZ6&=y)X#zmxhKDU6$Y0oU|##s!yU> zUR+rPi^UKx@uFp%`rsz*^7FsCOJi0gIQn$vtNsx!+pN$R#^**6fX82zX5;(kGv{~u zU1JIaqJfnPKT}2PV84>CL#OjoE<7X2mJT1;EuvssP%(zw$3{PSZAH0ZMrk6WDUkMI 
zH2vM;2ZgReZ+9q1MoJUDMv>-UY;Y-vJ$RGsgUMA5HghnTE0S(ivN(W?7c=NiLR}K% z%@43*qn2y1QDD0tE#$F^r|0^OP^J22_&uYlnOKo($>h-p+HXyfj@9Hs$%;8_R3riwm0CsCpm`Rhu&H-qRV5o$f8&zhjzNS_ zRIyp?1Jdy~$bse0uuEv`wJC)GkRi3F{6La_)*!27nHAa=shx+R3cB-8#6)Py{DMtq z?!RScD{IXLX2}-3S_%z}7i;Ge1SGSiDa|qY&+?{&VRcqu*Avp$bfYQs8?Xz+`dDo+ zld!bO!T;8pgzpbVDhGxzuML`25n`HI8;bLnt%HjZRjudL2E`4=i4u>v^n8kZie>vA zt5E}lLRC0Q31+S^e_&+xzs+t3fLa-lqdIPhI)SR_2NdND!LfnbF1(3-s){d}FdDe* zMM@Nrpk0?!zwXeZCZ&MueQIc7y*U+mV9v{OPb$f>LIeESO4D?4gfeH#gz7$PVTZx4 z!aoS@fw^W=W-#eljq~74pG>NnvM(YU1CAiTd~ZL|jQtDWHMmuVcwtqf{O%_<)Tez~ zoJZym3`+ad6WI7(o{k8W05sbz0S9w9Eo?U7_WK`A9t}Z?->fdQ)thGaS;O({RkV3I zWBrBDwz(u01LGI%d2IAa@LxC^dY+$49BT+A!!SuUM58G{t?_fddkUiyIm< z&YABO&DcqPTL2Z)t~TsUy*s!ZDm70fAx#^FplAjq*e4iaY0@nejWVto9M_t`Mf~5< z9S;)3;1Kti)7As{Rva$*IvMSHUi;X&;d^)k@0SM^L+|w+^}WaU`a$7%f5gy!1mGXB z*KzSFrjy=Q3WeTd!Ux~oyaCpy?H;kmBEf`)zjxFcf<wIQfM60=0(tCb%RTa0(GH*Frt&63?u5&f+E&UFkh1*lUgfOd4ClzE^qPPj*D2z zo95}z*0|SrZ)cWbVtntzx~8y?x9-oYKl|yn+^^wWPp-H3PF^#=LTP#cXda)CY}_!k zpTl?sr<#S364) zd$KdtwcD&WJ+-gsdVri$0Na1qY%oBd$s^#RmTtgzJ;Vj>(PFtc4s_}>EFduHVZ>w#xW-$A za%50BT_DZ{G!*y*ly89U-6yasjbbDFg4Wp~s-Uusl$bSNFxRct%k;|b%9gW{FB=5W zsTTSax&i$-hVl-@xsk8XD-m3A&l?^IQlwS+7v@}13UP0YfiY{>82{?g3%!3!&m*V6 zWuPEOqY7TRj79<}$eGUjOQ>f;NzXb7cBaii!Hzrk7gR(lp$bal&l|No(RrFtbXIJt zXxLG>NI;bEj}^-S8XdL)FAs&8G0AnP7nH2}mpQ@}bGu>MLTJ4_EY~xFJXDqJoJ=60 zRpY%j>%_blJ+K%Cyr#Xvf^j`6>EswF3zydlBBG_b@*#7yT)qb(*`6xuKgMUZL%z*I ztze!qkfU`;TLQmTP#g{(Ce{w&L^cRb+yDVm4ooQwD${;lWtw4il37Lpm&-P3DDhGM zVdD_@bf;p2k}MjO0Z{Bh?F>9&nQ#GhhK+H31a}5Pl+B z6)chl{aKJSbCv{ADQ9NyRn|QRxa+z$#ggk)`xJd7N^-le>SPfMUADDJrZ9(pn*6Nb z8VbR(Dh+N(M#d8?idl+l!N8!B`9zKUXF-}x94NqO6Lu1C37hddCY1txl_&JXYCz`& zcI=Evk^Lv@`qK?}mA0{((WjW2dXJNoNqrT#Q(3c7o3(!%=f0K6B#*34qceN|Rx;Bc zTTkZ^6r=Ie&}L1@)uURygXskU4v(cSLqE{Ns#1tlbJhSS_&=dRTL*m5hc@41KiL|9 z9Bof4lA%QN;oraf#H6|O*g9Z`##S^T(&1Vgtvx*o!Duju%ZLXWy*vbq!Wx&X6zsT8 zoc7_C{yV!1DVvKOGwDy)_Z?;*);CYSoA|N3hhO?w{n*-Y6Rd5A{lFa1KQzVII$1 
zMWnV+`Ii9B9*7V)aLv9sP_goYW;}(Qn%88i3%tcj1PyBvQ*PtwqKEeYo$>?;qmx2? zEKDaTxZjqMC`2BFohQvO;-ZzI^k)FzQDpj?`&;P^9H5Zd_?q+v&-NDip7Z+*`~*de z_uuH5oqSYfVIHT-NUvvJbxZJ5{BF{H=g`WWjeEScqjoUrtPxN}GWQBi?UFF_X@;R| zd8}#+gR_s0gbOP6Jr?J3T_}!5GDO$x&4y%2V#{0pY0SGx*v%s{WKsSRIb{SHdC8o8 z8Lxa@=$TMoYow)$Co_&5E|0-WXEbz+`vO7n!T>{Xz@}L#c3Ay3e|%EzP=^Qo^c+;Q z%7zYsL3@HhzNJ#u_UKg{WjI^`!l0#*vdtk1Ew)tDVr}B(g%eG3RG}@QhtMdOzUI+w z^ilLbr;RfN%4NHD7Pd7>j5W!Yt&5BxGrP zb~J{De@y*Sb%ZLzS7*5rLX9TxeN%SXnA1!H?k4OrFeh&_jO;-OJCZ*g^&y}e?t>Z7 z_NQ~V$u=8+KmjudiA2;r`pq}kbBBMa)$1GjmiF|P{XTIGa9o&Z=X@QzBhz)efk*3j zJPledk}j&cti3|3(WwX2$g$r|S<0>L?wSoHy=XkAcxL+!Ijhy&J%q?@n_Sai_n%mQ zom_ZYCZlUj=vaKT(E9Gh=OktGoQCditz_Me{;Ag|8l;<%b>>pDaol{^=qlFjK6rM8 z!Ph=LmvJrsCh^@uvaAH`PE%3ueBLR<@ID0aEv?D8wpu*oSi7EmIfmkn^sBVk3SAS} z!ghHBrs27t)?G?yUxcn6ky&eSou)H-+;*$7PG}zcc!o}*eJ!VNq3(|PI=yh3M~!2? z-u8B^y+E1x12Cqme)kuyB}0bbO~{K{=TOKrLb+Ey&qc!vbnh=;NEDPZacWr z9P0($tYxv?EPc5eiN4e@yB@LiKmi!oc+^v$){85$8wV9eWv~UtqCPLS*KC%{LU8LQ zNjI)r2F_f2zCJMg3aQTr zd_7;^H;(v!Z@cgN9$eH<14hC>(4P6mHYi=w>fNsjWGvx}tEsC#58GaB?bmYT0BbTa z_+E>&A6AD37ndIX*2Ahu!fmadwfzv- zy3I{xS|O!e_1(#r&_O!S8db{|M2C5jQjKiQ+jrWvUq*~0+ojhci!YDWRnaoE-X&eb zj7SQP@4)}yZ%Zuzo3{X<7vhciy#TIt^zIr1KtaKd$3aiS>v03L^qXD-{{BGk%p)f| zinhMC*?Zg%^sfFuueSH>%@XxbG+DTiyi7Yky0X{wMfxm6QdF*1LIR2&v6~|^EKvCG z(sGjvk~%T;&cL1V);27it3ym)!#dh3r-pLq!k}=5vxd5yLn@WVDb!W4VNqj*B63Lz z*htx)@-X)8NKb8nri3!i^ee~h+G0gqb-6kmc{0fI**goGozs?4tG~OXcP7M;=3=nc z%Sm>v1#83!5=enT^-0+Sh#LLnVjv}PLyRDhn>Xie2V{{Slnc*&Y_I&Fdb)ngJP=l>q=!YGm9Xml$$I+bKV)e6=P zViF{yMAqIge;W|Db7PQ+foc_4j6fD2V}r!_CrAibdWC0dj`d;+k_~qVE9qF9U$usC z@s=J8b18#T6M-O3=MaY{z01X5hjqemjwo|r15W`nuLLIc@b<{GK~P~^xF)7ny?XRo zmt`IqsOvY+sux_BRx&57v@Hz%2g$-5dFLTXv8z9AqK?yBXBdIm?r-5J4jDqkod83m z`ut_Fj8t5A!W`(N1(jv|B(YL~%20!f-HA1dLBZx^R0<*jt9Tc@cov5eur3H;ub(H# zvT0C;$;z!hD3dfb-ics}vOu>Y0$z-jg@fE8N*z}21KOIuV)Q3|j>us&qKmR5-NMBG zuw4b=!XSj6Xs7KGW7)@(Z!~*A}6Oh~#DFXb7yv_kQD}2Kg)}qB% zi~V`Z8Q>T_-P@Iv=T+yJ4|?C`n+`xh{qx%OJCP70b^9H%5HLD*Lk$@7@gO!;nuIe< 
zJ6Xe$X)>glxW!a4JV~-&GGkkKC?((nWIP=_4BoovLJD)~<^%Zuws} z62(y(e!(RiX_G`+BpFg4G1>$cB4vT8uqryyA=EG6>#G(a{|gGx_vFvhJ}t={W0$dG zrW=?YePSl$3ulk8H5&e1R7kQ1JVG3NuAWrjWk|U^CGiuS_RFr1q9b!N3ncmN5CrEE+J30RulB-8ow&TJD|hWP@j zJw>e^Xotu$mBGfdQ6tJR7GDd}I@g(tH2yID>G)Tk3SB9uGa9)Qj`a9?RI|9(->)5< za=sh@aTuT(kfCrbEjEYG1w$=Qx?@G$5hV#n2~-8SVk4n5OR5uy`jNeeIi$fUf36#e zRQLzJmE4-;Q?*weAv9K>&#o(+f&*)#+>-?ce0U)N3Mm9pfjO4FdM>WLK==@DeMnhc z8VTb<3P`~M43e-&v3rh*)WV0o%NNpWzJW;Qmtgi4mV^ARVk6A+gA)FQP!J{eqIN2c z0l{8Ug*yn`#Z@DXJchQwQdy?`QgzBdDM-4aUx=bmH0r${1?}rmNZviaD~dEtGH;=c zMW&XBv`53tD>iYB(`JPswR^$1p^p*F#p8G)fv~3XqeafbV`-nMN*Ck~NA%ld>kF!N z>PUI|64tl8IzU)y)~4kn<;|A0sTvaw%81Hmac(*$?`_!yajqqZb~ zw72h<6~mlkK003K55k?F8EHWZ6cB^`h($mwVA%K876?G71QBUKAI7g255T$I=Uvfr zx{2!`DAD^Gj1D6+rSVzuE9-A)$%Lf-T-?w)uq8(CcD1ypIY;ow9_(`7r!b`!)$^JE zz8~b!Y9%}>pQ3zllKRMyD zzeb|}wW_?o@9B9zgr7pk@pxU+@5`DO?PXe2GV+sbIrGp=%MFM7KJYiW+i3`wP4hsm zC9{324ley4TkZd0ToW&2!ieaN!A^ZUgUe}NGOI8uRXtgBCWW6-VfJe z1Ae*YlFyaKYE7iSsk=qXWtr~e`#aYY(Eja`kz_lvqZ)=r)b&1}AA_2!XX|uWU@Mmc z)NZ*${~_Pdyhn-t(^U(yF~@W{y-a0)zt&7x)gS0Qpm8|vc`CsJt?>B_Hy?%k$o;ZM zYS;jm3v9N5Xf2OvAnfAr`sHW)#`$2rRPU|JiI_-L_w%Bj=h-%`%*Kb zILFuT!gurcIv~WwIr+4s6lDJ(k2y*xv=A3tXSgzHlA6H*q9Ra}GzGV1Lp`)sbJ}zX zXPkAZl_NCMM{t%2b{flt5-vgNHzXY}b8JrS5N+1rzE6ubNgiuN+GlL}iM#F~Jx$dj z^+4@yHt`2R!ab!&S0H6|LXd&()rNWR`RQG%e!R?*9kIGpcu?gzXz<}(D%C#?vgN17 zx%$IFas?7($QX#&IoHmYLu)`w2`3%dfueC-A_TnuGc@-KQ=TEChbP@wCg4ze$>6<;cWe-97k1b}fJ${pF|L{MN|zHpYzhML z564YXE$vYe5^{3^YkC~n!8o}Me|F;VV<~yGhHjiQ|CJipFlh69X;#0*6WmRTWt6~Y z&lbRX{!pr(DS_#e3*gu7`DyC6ImP!j<9`WAK-Jok)oM%tg-!j0CZd*5$#lpvgI29ZY%G_RCCm8j5Py8j2$9H%!swKVVrd}RFGLn* zM9I&T2DL1QV$Dv@?$&gE7L5-FHf7ay0ta1}nE4G)OPwEJAOM0?h!?#i+@`Y_pt~yV zZ&obBHB_ns;;s^nz_pPD!&MbuBy893_@V1BEHAlFQMFmF5{K9;C@WcEe+5a%V9!hX zI?OJh<)lZ21t-HSOvlPiZ@$cAj-uEQ#2k%I@HbY-40WcYiWU5jY1r=kXKlxn>+@HH zAmy|xV-T1iS-Shk^z%UZ$x|3Gm8(6X^QqsVDP`gDiz8HK(=3Mgt@BtVQPwC)cip!w zpx^h~^}R>sfmQepXC7G)nUQAE|&N z`D>R(`6E)psT&Mw*38(n=4I@C&!UUVfw_N@3B!yeY~sC{OLlpeEypP$Z)1L-E=f=;G+520V@Fv<0GK 
z7UlJs&HBPPWuQ6Ka$AU1nC1{^;xygyC{2ZXg*eh!WnL#2<^ygrx-(|5f1p#^oIe;`k z?`h8izR^$i{L0^5IdpfJ&$IrPA4oZPW6y?P*!lgOi}!&sF2Lb08L= z?RF8Ll0N=^CxWhh*C95&V?8wBd-C}?zi@VsCWn`-QU7{cMyA~{E7s%reI*s0<9UjN z9v##AoHph2c*=2MT$hxs@%G)eLHp=^xTd7KzV~je*Je-`(X4fuS%jCHvT?8k4tK5H zQ_(7LW~vn;$E&jq*kXx!JqU0l+C^ydRr(z1qWj+C&3N2-oAMsAL{~Y0^-bZp7HpCwt(6sJ&SHecAvCu!M0zExKp7v^{zZ7;p7 zJ#@C+6mNSjX_K}Z6-C&b(Ke;GKD76ApO}8jRkxYMdB42rpDiu7y&b6~x3gk(e%>2D zr!VF&XX@Atr?lQjQ@LuUz@wD`99~#>)qS59Jo#+&+#q;9CWWHA9ScB^v5)1haD#(f zdAQupLf*KlX{r_Ke6qG&o{{*z4oF^Xy)S*zzyWrL(?Rgd++FiqH#5U^7jFd|VuDRk zq5;O$noe(Ds^5FI>mxs2>{YA`wm+XetHnyu_4BB7l8BAhWBd)Be;S#~$L|Ti_66{b z@clk{$G=?o1kWr3ylGzghAWIbBqa3t%E-crC{Bzm%}B_)q}m!sQc|EXM@=C}*b9Uy z%$aMeA}?I??bqL*+~zDgfrbu~KcvZ#CX+6z8ygCh$|z+C(sag`8~Sp)~W7?Wjr{{0k4mw%Vqlb$*mdsAWODRYq3`?yu>7XkE$fZIsaTZ9>hm#oTqOUn8K?>!&gu{a!!&zy~ywta` zG2a=C**h}KfHNd)V8}3Hohq)-`gDHddX>@Oq*C}YpB|O7=yM#&Cxe3R6l1CY)Q^ZVx%E|j>q(5 zK6#jxC&eyMQ?2am^27#0Hr$k@YXSx7v06r)lajj^bt5P% zPjzv*N}njjUc)TO7(deMkuSq_(7L)U%O=gHdLY3A!?NQ(k|I4sC{V>iAsz-j zLv37qvraWuW^0H%ecaf?#w0Lz8Vf`Z!Zf9Qi?WDkMhz}<%m3)Oz{#2uH*&RzIn1!!EssFb$q6}@bHqU?r#qq`3U*7eWS=JXVO z5Q~0(cKQDNR8V#TI#YbBauxzctf$7#&XYx%lsO;{XE0PSOg=>Pl&yWyLIu^#BL|6x zPJ3SVn+G3Po!JD=#U!ljL}fX7BC-t7{vwh4syY?FP(qG9jXHG4Lfq-n%!UFS%4Ths zz_$w1{6>M{&F&{op_p|VbxAifoy@#6E%Y4A)v|X6(VB!X!Q#Mk9PhSM4k zvCxv?wH4|inECft#|WGJRwxZPw?nMzGx{sWbbH?w(Z!z_HvFt3A_24wvG^I2C!^FA z-!!PB8%6%9m>YVqTd50g0#EM$(9C_`$Bh_^$>aRZJSeLdkOx_0VJ#QXzu5M5ZI8rJ zM#U772=8rVi7!nWAQ8Kz_$rS7OnUMITAa+r^w- z9BOpNtPeh=*2#;zbNULQ`kD8EYxeDa<|u!c$bWT_Tr@|x5<84ReTKtHn6t3!u0N1pg4#8IQzvHIJcg8y(6rgk z6@bZ8b*apVWV+GHcKDLY+r$c_PnP(P6M*r++888s+Nqe{J$kl1z z=d(iNy#rN}<2rol9e`^hbaCVLQ9ZHP{BG83<8hOpPVI1G%|5QoV>h?S@)YlBY%05!=?~ zq3T1AQ$(vi+s!tmMiJ2P_P0sJ#?9gFl7ebl>N(lNIAg{Bhk*_hQ;>QiUT+<%2wlZLPh7@1&FM>Z_&f*#&M;~c7mME$DB>dmD3yBYG@4<6{&5q**%{0$J!F5N&4!6Nq3Rz3lz3$88fp5=qm?bHm z*Tr&^9w+AZYuQP%`#~;Cs$zl5w2CQA4BvO+!gTlEwWTb;?X3f!{rwW(72T5WcC*L} z#M3uugjVY37~z`XWt6nmvi6E zMCLrwc*DNmqIy3ToQ(cUBkiD;H@iiN 
zB{d=v-i%BXgGkz0t|{hIEB9^#uaVIhYSUruS5cjTLxXLw109a+)5$U7co-j^v{l1L zijYDhsIw;E&fg?@jq(Y0Di^vAXG6xF8xmv}bDa>Iv3_xg%btUhv5vbDD3#0Cdn-!8 zK7z*A_*)U(S5`wnj%mX@0cTDJgA|@gBQ#&LSg4X}`T4CAEMO|=^k))S{Mo5#_>%r3 z!kjeDezQo`L@MhNe`e*s_fZrdO!$N~gjRBr=K;1-c3TBZe;KdLRG3a%jL|fDQ|BWv znJm=Nd$Q;U?{tRsk4;xhK%VTr?^^ zhb{E*J#EX|#+SJP8{CzZ%5Q=JamNdQSNgMj$t0X@CG5jpy0`R`8t&)R3*#<8UH5yz ziddc&G|Fk=MhP`2&rE*K@{)d>!D-(o+b*@fhXdFCx-?~1+ zQ*lm>Xfah-CVTa{)$)}9TqbHTM`_kRDK8|a2FYo0Y$wZE0>#2S0vJR+P0;a}k20Ea zSDs67I1xqjZBG{fo-l@T)QD8(_2nJ^wL=Ziz<+(517jxe-g886TG=uWHn03oSf*OY zyjceui#rFSAe>SB@0J1uo(Rc1Ba4S~GS(xN; zRQdt6T^I1c$b0e1aDqQLw`S{73w!vd9kj|9G6=a_2=U15u*kfV-@ipz*5g4VAH3AKuwrZ1GR#-{W#T$)Qlg2S*q z^Moq#b2FUXb(OL_O>-X(GlSO12&p-*c?kGjXz2Q|*Z2WL7N(q*<^v=H$BVy9SqVr&}SroF37Q)rh?|>2}+5WB!C3uxw z!0$ron$S1vr1Nq=Ql^szM$SDDpkag{t{t_fZs7MBwh3!R=U|Y`LMBz-UDDI73Wy|N z5|T8N#GTDb_fl*z6V4OSqdR5F!i{Q{FH{ZzEh54cCJfGN(5N+G2}@E8RMF-KrHPVG zTduiuFr|gM%ZNNI#L*vxnY3tN2K_=r?~sS@R{B0T@drTZ0SNT#MXzotuxA!xxg|B9GxFp(PNx}NN>$U=N? zwJpBy7j~|{S((TIbj_?aAGvSy8 zgM5i$W(q3(NZ(8kUpF;Fyi>lrmP2~J2cO_TCnf$$7+?i@{{V&GQ2>M;Zh!zkC?O;g zNgdq=;A(%mjBoWK_=9g-G%`E}N22=s^LNYk!1ig8kNcL^HqgPa5<1Nm;Co%l>NSE0 z-qSltC`WGV{VRo6)>@pL>jn^E&0yG+fUhD+^=eMEzIVc9?z{HYG7>;7v(tILjGgtU z?DoDJQ_&WJJG#a3x$tbMlR3(=z3CHjFDaEvr{nW1F>Wz&>lpL#*8fy>+`X}>z3Dxo zF_F{qhClsY`+aQzPUAid^%+3MI{i0W8O&8)@I9*PhNBZ|(`^w^O8|N)rsMT_dfF1c zvI(rG^5%Ua3;#2=TXOqQ@;c1hp@{_ z>K^3!6?$g%=}85BK=0$uhpw~nL6ywP$7CPArknRAGvb7*~%LF`o7*|N8z-`osJ)nGu*J zUegTgMi%wVoi1gM_Xu7@_2=$VhgYes*Nk^Y=gVUC1oSw^JB{Z|yVw@F>n$EUuhZSo zMU7|5qgj5#Q&z}EKhcPTR6q$2U=j)a>-g}iWz}XoN^6o=AM<_P70vhf{%#S!~TpWqok2s_jb3MexX6I6f8JUnbk{Sm!U6LAo!$@kH( z0Lj3EGnatn_v$=ey!Z75KnpWFH!c3yxHxq`nUZ#L#FerCXV2U4Rv`*xP~ zEDVDHtbB%CGfx-FxM-}fl;Gf`%cOf`Sn^azw@Kc0o<-)!d*Yv#!gLk8(bD)4QlqhR z(~l#g&|=#5Ll}Er8zDZl#GmU1yBKJ)Hk7Sf zfCzxb8)H?VLqjUaB0*5U(dX++99BH~{zZCt0YCzb0XdWxqvAgQCxQPAoRtE!R;b%$ zaQoH}?A$T;$0g`SWm+XMV1f-9LW)9Ao06l{3oJ6axYZ!~V|V=_s&Bgsh^!44mujaA zb8^aI`A={~Y?mP^j*3wh1nM<}`hh(VPS1?0kX6@2w~%Fo&ib9$u;%(PVj^Xs%3bR@ 
zNtoZAbAygrjkM|X0X~z_&(=Yv-v?wPrEh;@ml%Edr zRy#*V%S}&BDB1H6oE|am!0OHCZ=ehZiC{cZ)E+0GnHn>FXB3BSAALyh zAjDAml?*aQUWn+Ef9IromYiY#@11tX^$aq*g=s2#oxhAWZpb6crm*Bd0edkhjw?|r z$teu_pK4Xnzbu!mh^im9`Tr4hmThr`U9yJY4k5S)_uvjeg1fuBJHah@aCdiihv4q+ z?(Q_u-NT%jcg~mf3-)!@UbX7E3nN$lSXQgc$)NpZ z#mCS1Xn&JsDTGkW#B?8}P_d#{U@@ef?_9FQXZB#jz%frWS_rf;A=i2sfkLeb+bWrE zh85=(=Z`&D%h!aYSw+9(y++1E5Sblw93AArygFpVOT1y1)L=%iRr#9;s3JvCO+pJ* z!g6!tk8Ga3PB#lMBPvr_nBdJWS8#ChEs{{AQyi<)Pq0G3b2H)Plvt`_#+1fqZ1yJ7 zP=HC_$9>VlMh^XnCX6Xtnyxki(_&CNAFRwm3NtfkN0UC0lEpnYtB3l67$k=tx&T$} z)%)jyD4&>g;0qcgtx7&4Z`9GkFhzcIRYm+D?o!oiV9L4qxNQd>>5%w3_M<5k#fRT| zSy|Z{9b3sVJfjkfF*IE$Rs%U#Lf|q!`_GrkTL7L9Td;%q?G$oPdLI|t>#@+x?l(kV z0stE4euIpL6KQzqMNC9-4VYO~Potlm9$?MG6 z3(oJHwlu$OgECb?yl)F|@3!w7sW^f^{kz@EZ~c63;$?{Zwl}?-r>6PAAgC@5W|b4) zy2a$1?3aI2SZDjx%-j!`SjR>ix>-Fpds_Z}7iTISzs+ci1jY6W)ftYS_LsP}{7xgS z{e$UaHcf^a3G{w>9Vdlh8?|mbBsSw9I`G@AToo^IqUQ*KEmo2hbRMJkj)c|#Kkx1f z^Fj=AtEc^FbpdNO$5YSoSlb_G6ACwP+vgM4ZpYP8w$J}!whEg1Q35+wGfSHcG8n?L zJBvX3fD>YO_p@xZ__a)Za6CZmRe>vw?cyZL#liuPxMv;f#evh~;3d}UPxc6NR~vI| z4rt=^?b4SX1lmI)(R<|ZIWy2}dpgLhX}*hn=6N1EX5wS=J|PoAdgH><_s$(oZ}#$E zZ^D_>bJ*jmf*nKq-dU6VY#h*C^X{;lN5+T?K=whxrrT+k zJW8PTdE3G3RmFwQA-yofz;?>duodTOo8@NPe?8JAd*ZoA$m_LO!=aN-`wHbfkR<2R zmsp?S1fOM99&dSV`1Sf|71wN-)pA+P{EGFyJ;p5jBs(3Xe7>tb+KYDJ9p<@sOGW$N z19|9$|7`kOuETf_GMH9Ic@6lfvOFn-ZVa^FzO&qaxg|Lf3IUUTCod=0=l4u+8}t;ohxioJ^UdXVnG z*r=iMFQ29E)v&w9cm$rxXfi|@LOKy!Kt2M~y>mTWfmuq49z$>=l?a_ZlOZlY4uSjl zqjp#-wAjhV!A%q<+rl5VAl3#9b4!xv-FZ0MB+q6rxo zANVJ)erLhMN>2aS-vP{=9OLvhe^~VW_nADl5#mGQyKfH-tDyEHq?m%oA6RPo#C!;-tnvl9$nx~-m$-Z=6iX@cb4{U1 z#n7?vB@zDedIm03%uz*Ajv;u{D9({v!!(EWf%5UZdR9ao1iA>G0M(!ZuX$)KTBW{; ztc58Y-@weaMBRCc$`*n85u=$0{OrGYv3%kxj`;8+F+K?n77MaHU+MtLkl5>S*c31d zik){5S0T~10>Zc)4T7Ir{@QnPCp${E`o_Yns@4c2U)v`MPS(+OIuy+}8mpKR=`R(Z z>{F|7+Yiqtp*8RDTUBRZg* zJLZ)t^9<$6xbNT9AGRmEU)@)A#?x^0Sx_rdnJMtK3Fd`;j*Cz5c5$H`OnCFwOjQsE z`D056rAb*{_Ep5l@Kg2+sI|YkgObu#Ly|IJ+y4=^6w*ZhI3(3+be3aM};J7t3PApQ+{7YYh 
z8eVdd=Y-PI+#(9;e`G+4v;8|2TK`mBe|ms|H5K^9ZM76I1M=5}c{>Kout%m(!^A|@puufK)CI+%`(H-yalD>L*dW{-+B}?>+Mq0{Sss1=W>?v z%w|#R;bj+WwG2SiIpU1<=1n|zuvrmWQbMzEO ztU2ai&T~-&V!C*=uLK!yKTr!4>UGawY)odhZeDE&EBN^wnXh~tx5$y`!=Rb>zPbDG z?q>JA2FHT;H|bL~-&)LwdDcBWEF7zSnb|b_&2P_Z{kY$os@ zR^H~K+AoKRdC04!PUh=RW6WFa930?{_b#wf0JU z49#0)6Y|&EI@{c7jU!r>McDcuLBXd2Y!Xm1J#9ODqvkg`jq6>BBr=R%W8^kfToV{%SVu-aLue+K2je@7FOWU+)slXy|E`?;XeQ1HchZo}6uhQdVX;tJ^e)-%( zzwI+p(!XD;aOVyNW`r5^fISy;4K{A$g)m-n9uLEM4H}+?R=}UmGRgzVDciaKEFKWd z`nnoDnc%@z z13XR2=wH>D#ug=2q5}@kdy=o=}P(;$4b2xB9sTsi5&08HsO%8@I{Ve4&a)6L#)ZTL;MP6)Nf1+HYL z?4Jcy$BErc1uIaWV}hShvXOI1TWbM)`3Q#s2_IuU&g`A$4qp*{vWGR}d9`2?Lf zLKKy)l#0suMQZCQ_pDn;;VIv}wx>pbf|qd|HXI&?(Mwy|Y>9-srLrpbcVAl5xIdit zjI8Ifxw*fG;|Wj?M@?(D!>qT2c@ycNtddbGjVc!u+4KYmlP{UHryj^DQnEPN%}LQ7 zOjIh88wCv}Z7@i1Z0D?(IQmn_C9t6aD8igezI`v+xFbN_U@=<}1Lh*=>Uei6*G#hFWm#UB&-J zSGLZm%if?yNvNio%)!4|i-n7C?6x&*Ssb#@niR;pR92E8`4eJnyzO}6=uZN;7q}zF za^SBIMEgJkk+Z74h5*pm03R*(|16%}1`3nVTE>6rjSR9-u^FR?F6ioAay{ze{QB9! zZ#-p7K&ZI5xTKEKwM4WE%rf{+n}KI-gcUMkpB{s0h$dda5s&n(0FiPjC&k_p{vhA8 zH|OzyPP`v}w_d9tCysKCA|WOn-%*O(;xsWwW4`K3VMrVsLZ=uJK~x~uyft28xyh1z zwT65=d(I>mM0hJ6gE{YlP5ykg2qi+xW0{tFw7%XsOu030aO`k)UG~rQP-Wbd&a!|M z7fic6(M07xB@okYQsMN-U(H0-Xgeqd4pdu30}EBZs}aT{Fmpgyxp?6b)JdZyvf>s~ zFs7TKc!{VLuA|y*pFKAPpO0$aXFmHYBzNA&sm~VN#~$*SHp^rK>&3H)9{-6M|K{!N zhn5_hm()$b+7+zJPM50;FwYmw4_tJ!<@zCTk>$55{N7b~+0E4bthS~m}9wZ04gQM-V~Uy-4nsLyswAjv7q%;o3 z9cI7V$W}XgU!Mcit>WP=@W6I<0H6F43X}y#9BD%Y^28{_fOeX>f##ngtMwwec}~0a zZ_x8iRvE=s8Lmk0R6pQZtAZ{^dw6#tzI=a2{SsvR<$J?u&jkJMN_^~!Mw|kyK8D~; z`;70k?{)TB;zrJc5YNd97(98w{4nWK&8JWLtb2iNSPc`UYRU(!A&6rbncz(D!rMHr3y*<3nP5B-|rwyqZnMN$Y0|K zT1mZd2>S@?@qUqNnvX`C>G=F7u{j|gD*Sk1_J7`fUY`(gfEbz18B}n+?z-a(d(@A9 z@dSs$DCl`_BTSOZfGOS=j!tGmj~6|>-U0*^+MQpP;Wuo`avqA5gXSB)=fM*ZqSm^z11Ppfv-nkS)|LnHO#RG#y)-CRG&$`_--u^(1 z_jZBUFedg*J7A+Jb+UY{!SSFufDq@y(gO)`!Z<8VBkBj+E0hqArZFjW^RD?)wdPlpMXujG8oyDPdTh42xI|uOk%3ZT z0O=hnaw0m67M+DqrH@-di_$D;G3q$hWL0X|#Kp#hp?G~vGz{$Fk&t+$9|;UG zYa2;S1^Bt3v?1ReALEn 
z`n8nE7Wc?m?-$mu=yu=b)+EeT*S>FwuqbNdk#)w{byXs zgklk)=?`+F*|2IC!c0_PI?=x~szgUt7`{n}aZ&>=ZH(;ZD5CJ|TZG;fNE0Ow>7xv} z@N7RWy;_`d(vif#>bEN0@DTmDYp$n%&3LM?(utAr4GsLmC2(h635@9Kw2Hqm7B`&| z2IZzm{-j-pxXVbYBg8XUC859?a++-<2lW;HB>R;B2*rU%kdpLRhum!HkY}Cz^%rC5 zE@tOzbv{QzXrk&yarWOW2rRAc9@!TrCV;nxOUdcN^Xqzfmvt|3OAHylOha{^O+=O(9 zs`B$$(qU;6iTJ2|vBr$D=JGOxV#Y2+y%Os-{pM5`qScO_8$WDGJmL1f2pP)Kb`f` zxObT8V7O>9ZIQ$g!C9tgQeSd5k}J=$N~zC^wc3&IW=OMH6^RlwRQI#2nY=^AI9@dk0Fz?b?a)o8{&0U6tbT zaYPG8P0S`I$*4+rtkBTCbVW=@{{)_k7ktJ<6B$u;T>bvST?J6Mtg#m_na4b)*XQEB z|7U=ALx18v7eA7inuBkmEJrJLj?B;e!_fG|M{bT>z6|A zr`czFn?bAH269Q<+E7i))IQxVjOCuF1BPQ>0+=1Z5Po`Sg8P)?zpavw6a*jE*-&|R zD>!(f#z@Rv)Htqr+-Ui&XrKXw-KK(Lx`3hU4SbrtJjykoV@J@e%8jU> z_prkK3-Q{P3-w7{F(-GI({V_qz0U&A#S5{1YrBq7CzgTt?ioq%tK{wRI3KgOrF}V{ zMW#zGpJT5@&e}8O_27F8&`L*^-#OrShtEv@N*4NJtQX*p{Fo4y_?@Vms`_QnDT>(V z_jTw4u|wD0?ApuDVEUZ7(Ar7TxZ{Hg^ZQ&2TuLpU7Z`?F`2DK%<1Jpa)%*7VpNU86 zgo4-Mn9I)gRZ++>z7E*$8o^>}gQs2xql&SW<8Gf*A&0&jFz{KaNSzBlezpPmlvl>D z;mpW=_*BYlTm0k7(RFIJBi?$O-yLML5b}OH9QynA=5jhELDX}q)9LGb=AF8Aj%W`8 z`19;u`%+l<6)QCM`-WxRO^(?=9tP8IeLni)ngL&F)#kQ2atgfzgg&eWyuVap>b5); zGT#8Rm+!KtX4WoByjyjSPOje~>pF5fl> zfr0-VAhqiKTq&#tl^5`_el%0%c$j>#!+z0{+uOu{z13>C)p!Fss@jryF>2HRLp~>l zARG(tw)TYWDUV!>$p;NCU=aDPRx9ToTl$triqe>ZL+)1dv$ z0khp!b|ruP(FNhWR|YeYEDPab>ql^P>{XR?^KLOaILI4k*xG_@*0{>ubXqGm%@XiX5% zx)<`BPP#n3&Zv2z@H+N>!9?+1q&YjES^0W3r{k(}lo&@X2CX}Hq#Pngy{ndkr)KXA zWga%N*l!7E?PO97@~??4Sqpm8R?@=j0i!wP16~2kBgLpW2QIYV`l7HtO+9ptOWGxo z#Zd})QY+L-SqUgCy3j%x{}JEeBW-yB`K8u3)g9(Y``X>K(l;sS`5E8a=}PV?bgvW-g4ERxg2XsM-a)R!}g zqNUpHIs9VSnLV=@SfeM4eb{qqrKyOI_R+x+Mq`x5K?6F$Y6oZaR$a%3{7?&6-7 z4$YlvK+KDRl9z`RXQG)`v#CIu^&F+pi6{PKVi4@2^gi=J-O4=}!{(1;Ol`kYWd3nd zc_}2ry7e*TpK|(HV*n^ zlfF4ts9sPpHkjiI%Z5PXW3gr&azP-uO;k5PrV|Y=t;;dmnzW=6R>tq(ER3;m*Yl$M z6}jlS=octgaWP&&xJ=1u$mb4YKZnrB>zcKpqf&L`b1N*MkV#XWW~(yM(8@?Zv@ZUx zha$(YfXNv6Ql1fC=IB$LRV@Ci7W<2r-ZM2Kamlb+sbmR9; zsWFm<8YU!&-f+x#Hb6^oC<^0;QKDdc-sQh%ZahL`6w2eDJE%wY(hN2s+>E6o=}CWs zJM^mmW?_f2#{aQC>8d^!Bf_~qOK$ikBG*$B{AfXDEk0q({BV)U9i 
z|9Rj8_A(dvPWmsuEqkDKpUCVAefv|$4YNO3dQ0*_4ubMW_<#!`%L-r#@BgGvOj74+ zp3oeuz0Gv|dk@=j+8S?l@ZauQKS#P~-MroH!U8+atZ$;7-0;00wZ8~yz5W7cbULiP zRD^xM(J1&mv6A-LPqp2-pnsA(|GsXrNF!){f_c4qn3e6!P;`uE#Y9c-DYC5Oi(L@qu;r76D+ZY^wNp9F|who zV@2zF7MA0Q$ENQO2f~+yW7+ELF?V_F7c{z%YYwvo6&gEC3o#LHAS86O4oW@ zOw`)$l;}{gbG20mr0ezfPTog&e~IknyQoTbU;n5^Dw4VPxb6iaZZzT$0r&T&SN#2E znBDap*2s@*T(_bogt|s}6}IaJa^pl_R?Sva(B8H-i);Mu(%zT#KnVx#JWs7hFEtt7 zYim)*UH8ZR0@IuO$8ys=>FYF}LOBK}0oVQ$> zQ^Iz_x3!*vFx5S&^bUl8uV7NpXU{7f@HddlmXgf8NxD*u zbUS8Y(2Ni-_=NsUC{1(u=a{>Af*nIS*ivR+Ncks4r89dz0D@S=G#2)s5scG=oI1e~ zB5^c&;pS@e&y2XUqDy1fgxrAQ8jGkuGY!QV$gnuCi2_>EgH3|p+ zDxIorT5DY>CPoaQ{HkX?o`~X7{Vs5YQQUwBAGc>AjVAy}<&0UZJmbtVi*ZlO@sHYe z6w$|}qvr^Uj$>4ns)(m$L9(3d+_7NEGGXZZie=%It<*IK|DgQO^2pN%yF7DF<>-*e5~p-r(u-mRv|cH+Jx{0Jp|cpWi=Q2HW6nNVi(3h7tloNI{1KcRxT zVEB9Vi#$2ei=s(EEz|GSno`FcxYhH#bjPZ&=dbnz2OFySqj`QI!HrtWW2k-h5j8Z# zq(xyB?8Hf`)N+TTB}|E*g&gi>$}P%4bHvGZ$oStbJjIiV(1{9Z&ck)foqy4fn23kn ze331fN*Zra>iZTrCxda5I`RZ5WH=tVEX)3`U8tK1fIXd!5k6Ook%~qF^c0)u!97@+ zK-1K1k8_ZcU+NGuX@sR|{`*?NrDrbBhw;mzB3p98d%JFnF|%eP)>dzNR4qN;qyx*6 z2v*T;24#>Fm*RfNI_V;%0TUggjbep<6-M@eI=zYHy9xc=89_GuV|ARpJCa(hbrS_E zv*b?)Zb=Vca|jb`L@cGUOtuPKLO){g9!ML^c;^8UE#{k}F4hED*r9=z{D%z$z*+@o z#}1%IiW6|Sbj^2n3g+qC04;1opD$X2KMvT>qywjttWOmyV&U5hl&8dJ6j%;awNC@8 z6#Il_nLMotMDeC*f1_8AKqxs4x4=BsjzdGWJk~-nkf{e=BZNTQsc%(ttqX7f&-*79D@HS(;0%Z!G#f7&r+a)&rKL6Wmu>gY`PzN0`}4T z1czD*xA`CPGZ?`-SE@*08k6d*5i%}7Ze@$tyPra~1;mInDn~;_2v^C=Ei`(HmT6Wc zp8iNmY~65l{&8MxlJbqLV5#hnK(+jeidZq>D3lrm1Cqt*D&iot0^c}s1ejSM>*A~dke+|$}DYeGSrNKceURgV73 z+@4<=v%}yb1J8Gn)=Rx{I-#9aCe#F17Ug?Tu!VDwd74G2=l_lqp&~MLaUWWs#W8Tl zK=Qo}Z0q}ywcWepub5RJi3sC#uJVd@XZA?)RRSKmFMP%eG;<}hG#pFF*wZvIp>HhU z?r|qUtxWKzve!8h6#R1?r1!Am|Mn!Dd6|(UMy~ORWqXDlsCojDFrZ~)wUhbK0 zHs*pbceJ0%Jw13F{4Bycd+TrJ6VIQ}^5|=`b#7<3kA5Ay!SO%SxUbMhaWeV8??JXr zCmVD=gmsem?vcprGx<$*C~EsXc2YNQ;+@z%H>)xGn{MUSPzm-fGg|e3xg)soz~yL zqnod%wl1w6<{F%pB&a)&i^)6O5^H6*Gc^Kmj9VVtRjoMm*u_ zQ*&`YHP>!xEV$$sSBVW|k@YA$`k7zjZiLV5JTi~vo-x(Wwb3(g^<-jGZ9KFZOc5#q 
zc-s{9epz1G&rfi`^h=B!6&y6IrTbP@5*=sOf-~e_3s_y@vzXzo1>?%9Wz5HXtjGS6 zr9hg#Wt2VswBw4j}9W)V;ohPJ+$SO*B&D{cRT~aPhyTv6mE~E!2 zCt%bwYtYCG`_T~U_2a_4Oct#+0@AIXGikr~DM!R7l1pi${;*jj3Ke0gJs%RQ8H$&# z)%iKG)}(I~R>p_hjEl}BpL*W>{RGmGuFp>pyr(@nILuHIThyt=ivvx!K@k5Wwy^vj zXWT52kL6V;y?m-pUU5EZpCsjtiBjVUG-6MIKr?maw%tHJfBHv}V_#kfOA_KE_-V|g zT|oQ9(i1e-4O@#huco*0ga# zLuEJ7tIbKn{X%j;Bt=*!Z)QJkbL6%!loCp0AWx)?j%ZID*hXh#d+4T0Nt5uVK{MA z5|Jz^MJHO7P$S_z~_6C8z*`RnQ2eC zONKS99#LbbXa9A{uKx+04t>;59z%C{(I$dSWvImpn@p2gY*;${g{B}i@(Q1jbuHx+ zlA4lR$zrS-(8dKz5wjsctA&q+!M!c_T6DxFBO=S|+y=ZT1mvzWd!S*vR-;w@`8;Q^*pANaW zH5dV4dexXN+$&2dETxUgCXI zto4}?tet1C_teTnJcel}=6CxnO~cx#6uvgdg+dP8b{ksL@gc9 zhr$*s2I$@E?exTs=cux`z$FcaUa+grvofE)u5W=$e{Ea{7sx)}Wv0e|Fqh9S_!$a` zTEe0JsHK$9ZBV*(YUi2tt&7ck#tT}@S7u4BQGvMWE!*k=HM#qa%b`~NoUpgi{owb; ze3wl17V4K+61(;nf-u4G+@9-|8;#FSrr)o7&n7aAA%dLXR~`etqcV-5i)o>o$9BH1 z#_Jx9agUEPecv6Kg9j2p&UdJ~y4zEYv!$Gl903=SLky3~HH&?J!Q&r8b)20p96j}M zUH3tZR2;|QHwMn~EErp(IZxMot34>LJ0ONjol+n2@KLwnFnGSu9pIeV%F^aa26J!A z_JmH4Utaxtm2XTt_~8{zpYO7TtNzlcva9E2n_jT9@*T*wX&~f1CJvX|@fN`h2As7k z2;4@U%=Vj3VL4C(e%~+_dm9Hu5=HL zoxpu^X!`CtM?kjPfyd6{t5Gw3{@ZLbW}i~fwwcal!!cLu_WQq&74eDq`|6dbr^o!4 z9>?XE6h5bR8I6wp7y>RFi`w4)2A5u1!KAk4cw^Yq*oV1LnJp)v%SpG-%kpf!P-df{ z!{yM9f#Y^(ZI07aAsWMPt77UKsMPgy?;SsEt(^B^7c^>hFY|8iXTe<{mWQWb@t6!3 zvo4&k!SS{^uX;S^YKTjL z+{CHL5#yKwlc8<#Mbvstrke8Y=`&HyrlGjWR}5%nrw^-4F4+=C} z!YtEG7z<%qm77N;J@(yehT6Vj2CseXr^5G~@24h=d+dH3tr@b9H&e8E`?xEMo04@l z@iuiw$R&&=qGplzxp&4h~3gkKq| zSoQMt$@QlrE0l_729pN8m6GBC{#8 zZ(*n;Xt^CjqQ>{crsMm%yy6Z{6G?ch8dXe1_5Jm1FTSrc>8NIWS)+NK&&qevGb4IT+`` zE)HhGGkPEWHDCEtQXHd4fho)>*U-GP1@o3%`0$<%c$pE zp`U7rN|l%Km?!pkAyJB|(ny5ho-e|jel7p0E9%jP^n!CCSqcq`&LmNt{#ybbYjeg= ztD%PIw6j0(2Z>(ECzBM)^O;7!n(IxGlu*h7^QY>5h6>|0m)Mwm#q|O}hZe}wYuI2Z zs^T`?GqOm5nOFQPX^ZP4r!Of#m$SS7)mH~_eCpvxF5ymdgD_m5^|3+^caS~=peL*IMAXQ$d&Bqo$iIK&S(WMS&jR#u_GfVW1 z&((UD9x%PCC{mgBr_zzO)^y-YWDz~B-4CW@6a!q23c=Wpl)tmK#X?oB5S1*hsxk8a zQ0@%$z*jdPC;p`%0_H}FU3NG40qBHK?cnWII?rlxA$CO7=IiVVX%(>kp)~8oOC6@aW?Kl 
z=kQE;D(it-4<=lrS1oCk5@?@OPD8AyZ4 z%%8zM;m=NB9y{R8^!w-e7FD75D^0j>#+$?9r@#U~1vW-$A&Sfq5%3q}vRmL*<7=FY zY13N$?nmCfu2Mt=v5D&F>qMvR7gx3E9CkBwV@;*nl0j45Niq@CEpkXFc9g1L5Ms4 zFDV9gElURSz3=rJH9lxO@6QGd3*NW)L|*=DUI!k%ZYu9(9GqJ~hLg~h9U7sRQ>+kg zkTa%Ap#%TRItU-w=j*`eWAdEUcyp+~U3dR;Xg0l-^KAesB&*7LfsYEiJS&rH zCmzg?2E2X~I!pagwK;(E@fW65`()qGw!$pmJ1#WtW1jB!9}gmX(_F{IUAy;~F+h-~ z#B?WMa&RaFW}n2PXCI`4ZQBSytQEOvtZk8hJysX;e7-oBeyG)2*OfLnZX>CBJjL?x zG5NhrScwI(o%YSob@qy?DIDN!5NzBi}_zLAlVl_HlHb z?T@Oltoi-8$#!F=zcsN5Ua`rnrTMpm&UMPavmD-j_=yJlBW|N<@<_ zT(*})>WH!ie9RyPQcyiiGD2w_;V!1DAXWq~==y4;F6IVW}C=R ztU$$wNgB77_4=++5vn#KjXBO@?Oujgw}QTB8&8X%F0rsGxa-touYS4*-!JDz^Il)d zz96OcD}?O8c+4q5R!6&v%}*sNE^s{t4rP1#bo?>0+KAY~_~|{S;)|&=2wCyp3v#YuTLqeu00b!6 z5XT{QQ0hhR(t2nV0vkYxGS(=Y`@w}L``A+PC_VI-lwzcsz9e`K7p2m3c>K|2DGe2jdR_;cIYYB7-@pmb7Do$OGSOt22@ZUWeP_rjhRQErH>(>DSrapwdt^@_TZLSd30IU~ z1>40_1A(Av>d}}{PSnmN%V^xPf7hu@hAV>bFeceu?bfFquINiDWLVIu-K)TNLTY-; z`KhD`eERn0dH68GG7)%82Ykx!>?h8wB+f=1B8N$jMY@b+3~{Oaf%vD;OB9XOvZ=$+ z3Dzs8`G2B~N;#!WoA)14;h7v8^lz0-r)E2dY)EOeuqds1;h-+-bh2-kp{Xb%2)xcf zd1r`g(9DM7-Ddv=_&*87arO$PArF`CW&wuUm+*9&Sw=Z{$Laq!05g{GkIX`#liYW- zAm2rQMdM-ro;cX+&P&nVo(bLee6TI~w67mPPViWW+ArVdiwQI&CVY$ve55_<6lCuM zWNy_{Ebzpi7z|ZN6Xg5X-~GLxnFNOH4=L@R)sI|}8M7A5Dii_WWN0Z<2Oy8lxs=53 zy=LX(^{%#X#GbdCL?2L=+llFYg`ZQ+lblx>%|5kEHe>x_t z-{!Fq0504vhcJsY)*1loY!WprSL|*_LuICRTqbOoeJ=LNKp*;WxeMkBzINF(}(?-v8 zz^N5{pEXjOjVV|k3??_B2E*w94~q)7JI^DVb34tZUN)g{j6&!GPhM;ZaPnlbd){c7 zlRwpaUT^OzORIC@Ayw}V>U52G^O}6NaS3j=5rNxd2c=LQck1F?f8w^&XmN#aizaKu z^4G#Odix&#zzYZi%J*OkWD;h3e>z7g$qib5>BVAzrfL;v9;4#wX#o@O>a5gmwR17( zHtM@&3+eTIbcX4+5_cZ?U62HThP_k(L-;uS^?OpWIr8AkY9NW{&GUkKuPy*}6;zlF zd&6Uq>|g-=;s0ViBkR|-(zm$uAU>X($#>neJd~-~N?89E^0@5*Y5{CTFALNo#XmT# zR(22R*)Slv#RHjrtxq=WEn8>0-v`b7{SRvVy8s$Ub>um|mjTo@+;{0bHr3SN!_niM zAy|(!;mTT{`Rxlq&@JFyui^A{7p~aBzV3uoCv+%kJKIgoySe(z?pg;hTA0Zk@n%P_ zQ~W|ADe(F%t^s0b6#npNjCDE;iRTFO11?7&Qrl$0%Ctj~NQy-ue$|+v9JHUC@Bgml#oz)e(}No+Ps0{$ zqpOzfw8lf1*{1Zon2l}DSWVK{&OBLrpL4DA<+;W`81HTMAcWcPx)b+8Y0)smKn$@g 
z#?T?H;G-rO85#@zo|F~nbebsq6C}*O(RO8Zf*xMqg43YZiuc*$fMc9blX{O=kiAsm z{r*llu%pjjVLb<#&yr6%)M=8wQ^ur1Ie>7uH~nBPjoA<~kO5hm6ktQzQ^4#?>c$EK zffn)`N&;Cpb%GU$J=v_$A8F#EgqFmDtagU9;ew_Q#GLA`d$N^4&zvtH7UQgk?7%f= z_mK$1_?k5~BD#BNX9iz3H4=F(C5Lnm6qN6*#9WuAavsKI&*)oriQqDwih^Z6-rIlcmR1|xN07w6{Pa7X>NROau1#O}m%UzDX z+^!V2iW5hh;L1rSVYyWaC8F|*kPu{BN#Z#(#47TH zkim&-3KsJN?b6oBAVPyuOmZ&oxL8n4{kNY%{e!IiU(78zRIJ3?dc08jZv;l*5@x8wS^ zU{pGhd`qG8bmv(|>GCY(3uyf$<_(Qo-w}yF#&)P+j_^0(tXVej!PFwE%9IA!?rOip z;+p0haX%CAHH_$N8?DOJZ3ZT5xEn@1&3KowbJV{4_4sGz>k?Rdoe|Q(0)?8`E7JL) zYG(a#{OtI{+@TvObq`Gkep?T><4)r>n%A%0XWJS$kZ#cNQ~UmB5O3}gM}-*RlbmM zDIyzo8ah(R$7dvGNVMb(--C0i3e4wQJ-eqR^+*^S*b}bGHh#eqF>|y-cg1A0OjFvl zHCLE^b>YDd69Uv@kzhA$#TpsI;8`-&=<0AyeIue-`$M=OX|gYih{D#nbKFlAVVY?! z>V3l3-RIG9+Iuow0~A?v6-9YFqo{w5HK&C%L8knpL?OKpGp!;i3ejLxZw|r^1kY}s z;2~=YBHYx}1OE+8opQsbw{d@Gm;)Wds0YvO`x7!r9zh}&JT1f1wm`ad7CnM~XY$RY z4Q(Qr(BQ7R3gyp-(YD=va5v&=rzuf|MT!RAkO=Joni2ACqdrd*=_uL|r6D{^Tykd|Du*dZGzwOjNSxVN8aw4xBAn2@h&>Jak`&CnYz#HS;?#`{hJ@<7ymM`qBKQ*ePv^6i_^X{Dp|6S^H zb`)09-nFcYQvC`5uL;+P^*ky5f&7 zJ}gf|r*vCH`}mHzu-*o5KJni5e9!;n5^eZg;!+7b2z-unUDbo4080$kqxS8N^AnN| z->yCn9hR{!^_-foe{V!zW4zVi=sT~%QW1A(`+pt{1a?n%?xa^QC3o4%zX?3oJU+11cS?U8 ztlD#|`n`|@ViU9vQbaE?RKL}9zcZov?vHlukQn&)6H3x(BGT=TtPVQZzyHM;dDR?%OeYs`1c(k`_pw|EtTwAE_ zj!N%s`-@r4u2I#a-18oOR+|(_cnYF#JMWOp1!2CwLD=*8{~`P;m8kF7Efn>0doIMw z@dLl>ud1FFFxm)TIIMg!id{^7YQ?@9+S2WPNqLc-J*|Nxc!Wya=yKVOdMGEV;e66M zYwwxexT!l2^5EQhvU+UlAQj4rRi_| zp{(Uud%a(TSSO2B&WV#4;snh;kr5(5Uqpi@3kW({8!<)OqEkYV$>=j)p6QE6=+u9L zgjJJ;%_4+PZvP$=EkIHN!M$81d8Ay?B?d@R=1-qRKFWenH>HaY5>>U-kn29>=?M{x zVNahhtcg~pQXrzE zL$9W2#vbb|@$}?VGT)X2c96q@#K;R5=Cp_Wn!A1i!qzh zKzv7zvS>wP9$3x|(llsW#@uQ0v!lr5If)C2mf8)yMqQ%kWa;5?Bg&~EDSnir-rPFv zj6Xz<5i??lK>KXD!5B!1S`yksEW(p ze!cVOY?2(8KU)DsC5Uodj5S^1w=M}hLRjq>)x6QVm}eWc#dqq8dxn|?OB{yAjNtssxzI#epDq{JQ%S7>NeC#rQ=DM(9-c( z!?0__mTVx+yS%}ON;x{X&WohWc_}#%ze5&@${0`5ldMroV)IktxlQa%R+`4IQUWSb z9S_-uaC-!kFBW8A^TW>ctC)9LTiPep&;tm}bLe$$*vhO#WoT_z&yz-fG$z`#iALN} 
zwkzS5EiN_u2$pH1uZn~%On*qL^7*Bn#!YOnz#E&B*1U;)))yIle5v?l05vH_d!BOv z=hZ+IzjP!+LgI}zPSz}y>jj!?Q9>M@IrXH~4jOVPCp#`_pn1ix>ETume3PA!2yZmX zJ+73~WjZcm-17w!@cl6c^Vjl>RhKh!08Z9 z2D?LJzD#?aZc0{hQn>5DJ}YQSD&RNm1P)Y3Oi0qxjWVdTsumSXD3Go~O|gd#>-6eG zHD#PB4itbTg_WAAY<@D_-P2mHmbJx5B`YVp{5y`>2ARauOw)6Dq23!MH z6Ldblujct1wFm#|Hz}`4#NYP+2Rs7^`iD*;rQPmqo;8-Xem*|v0(`9>C$jZ73MwxA zS1Qw&RuULkCoeeu_PU?E{>ei&(B<<#V0+{~QEaYT zzY4z+6tG|g#b$HnJi*(w)C1o8wecP}v6yyt1F2}E-8-)u7B4-4Z=4^`*~mf83POGz z{<)y@&tNonz5zj#<)gl*i{@Fce+^%OZQq}K3V>MfGBy~g6Sn{`5sW|98iBBe+DUd8 zvP}$J#6wB++O1|CV@>2b6@?V{3NRrk*t{W_K=ON}!Z1`3senKnn8HxpJZX(j^xY4H z?*41%C!Mw_9TTRFCrhIIJFhFYXkOEUuZWg)^GPsSGM4@OC5^?qm%^v6(8uok0Wy$4 z|KWM3FYDz%8}H-ju({6z2%FuzzUGu~Qm^k(ZgAChr^6-iRtvvT4{#rJ_lV>4eIkDz zBZ%YG6-wm3l0J>=NfF1`Ykz7F&8=!Vhkm*UpGPzw)vW~(#no>e&-1NrTRVKNBSyeK zP5?9njuI~%XwN-m(>h2&-1VUe+|RCpc5XrGn;^tjOHfBQeRVkn4s)e=5gAfHl$ zH(^87LGxAum!~jrxF3)xR%b!wFdQhM=w*;N3iv@MB0fJv8#DKihf87IZWljU8)ulc zCRMFT_Geyeo}t5As5FfSoLy%bUkRJ_`d(RsTNIlUW5GEZ%pjah3ni;y5t&jv?2cda z4CuTfuaWA6YSnV;$2I}&PP+aT6H+j9;}3|%B`tyRMo(hQa*M`3GLwl~sa3UFrH1O2 zGpP(C`2B&Y8=7<>R<9Zlu}CgU+>Z=*G`kL}O;?aZ4by_uz09x)Ks72S$94h~(M21c zLx*W6p7kbsoG4dr<))-YMIaV_389_1DUf00WxwURe`b8lRf@2z+IqTS)i!Iz6C5Ly zU8Jg2fA1s{_}lEtqnhB%2o%{gCOU(+Y=MrDp$~S|V8UG7GB2zi==la4s-sPr7@|ef z2FMcOOUxXWT%LC{E)VM^8ctHClN*sP`i}XnZW}{A5*fcZ@hBB)c;C3wAqqwpi(V{9 zY#a4Qd90BcCEGuzTF48GJp`~cHaXID4=qfoAXpo46|eTXCchERPTW;Sq<^$DN4!DH z3X{g#OfN`zgv|d8gUW~Qr7o{`@9Y1>K4|oS_c#2k`aRgLkvhGk9&R{PQTdAyWCZFg z7jplk7#1<&sGEA8-T639wh2hn0%_Nr{w4Zs=Kk0T2~)1oFvJj*=&zVuqK>Uw6IX`G z_O`cV=Nq@pTM?mcA_coFH5-0PN&*byAdO?>nDgiLZd9p=ghPxoLrp9x3p0*yK!|0h zbO(lVh6$%CdlOKNp;zil+II?;q)HAJNkkwPp#T>G#=MKNJW!bNM1ST6CUItBz36G6 zSUYxU$)0_*<5fhIQb1Yhr`e#Htu=Tm&;qv`bkSj2w<*sUruV~3Ai*zMl^opePOe$ln4yllwe&M+)!=39ARM&R`T&!>J>Hg@2#`ky;_VNrrGf-~pvsz*C z_z2oG3cdQU>J!bISG3xmSdhHrVy(rCqFKzf8zB5 z5ea@=VsPDI@w2_9cvvvRe|k=05Vk)Jky+TWZQlgI+b`K~_|H20GHGqPt->Peb1bh7 zY|ig`?+|(qX}35akcqEl^B5Gj_{j1-6}Q>ARh{L(hI<{EWz6-tY%3--6f-7G7D*Jrs-tCuJGSKq`JHsU 
z*XtHtLRGKOqgPjX>vm+#FFp@FSQ>zf?k?nxD}~v1-#@TE!4?8N+jSo8&=(tgw~ai_ z7=Qbpiaa#8Ix;30)~+vJd3-h}>s9=Bn z>297~mNG55zqKT) zji!Ur$13EeKds`ZZz?osP+m@xm{>6sAH51UFSt#T6fyR`Wr%qd+3&qTX)pweEXprM z9TB2ehYVF=;K6p-hAQylVE;znau@>q-enFo63z6(gKUz5v$jznPadRU@4_ehNWUy%!oVXwiy>yj?NOFo>ik3heY+}`f59&N+xmT3H4^c z$009@K_oNL=|>ab9L19N6p4|=Cq#0VhnHkiW>8Eo(FuSSnM^X&n2i3}v_o&^*_o>; zpEvt=%YM{m70RjUsxsE_WP>I9_@sn-)h8sSu}giDQ9VewA{B_XmNLo_;8JBB_f%f} z)@`#F^R@q6gNX%GvN8?t4R8UTqVh(vT2C(cdyjGy)@STHTnLX7)ttwv&TOe%!S7YRcl`k#Mo5MGvs1iia_M#V9!uXj6V2@|d zr4&d+^9?y6e&c_O8VY|9@;fk4v8}Qk$;|W}?t4SN{Zj6Szm)qup^M?`{G6dx zc+qWlUHpK5?WUGI!+Q(4EXiS8kbnuTv}!Aw7V$}wA%`~%^2Hk#GLnE{q(x!Tret~# zil(GAAM}J`RB>lW?U-WPV6ZA;FY`5WCExuj?G2)?RL^f4wi<=|;46awP8R&iQ&+aY za_CxC6*904hQtrJB{LFhy{lw7jUi|~5%`WE9q2CZ5_n6^O4rxL-<$TgRw&7LMH>V! z)@8sO>>330aAj;1!Neap+;}p=3YNf9y&YTxJ(k!X>TyzOI<^WwwU(cn-Yb~mo@>sn zs%i|CI4A=vmc~_M^TvV*b*o1d`tNeH)YQi0b_zpes^ZmsGMFpi)!}b3@`Rf>S*9ME z^b?{Qcs0J=4%$wZryylN=fCFvlo8E86pHP8n+=DUQ5}c9p1<>3Qk)vCRO=P9q#sL# z%MC!&Dci~W=DD0$B9eI(6sAE0Z6Zdfd!Q#e)vDH<9f0DnW>{QxwC}#4px~MpsH@Bc zK)-cFhbHR)C$`mNk>h2g4q3o+Q}R`+5z|3zqbD1FN&FT|HeUANtb^5|%r{*CTaS5a zy!m&Mqig6O;GiU9#PtCk1?GT50+J(*0f~a(x8ZS6LxTC?iYw*!Nz%%S7FVM2-DGc# zS&zd;TJJgKE4Q`rg45xAtnSKks2oJp~-H|U!Nu19JPPn@k7l{8@`W%>Be$A4rZ zrPbJ*;J$Hr=mB}>uGOW68C3;Gka6fxGGhf=T?I)Imh7QQ$EDU&0rWidtgb;Pq-BUz zqS7=lYO9L{=n3^cY%^>J{Quv%@rOkpnWtFrZ}?BbnpE(g(BY!xzsV;eYhH5{)B);S z)o0{ahfh&@uusuHFmb!wF%&|@pzil`aUb?Nkjqizb;Xzqa9DHTJ;O8_+)ZHi0IIEJreK+wBSs(-ODE4cE&ab<| ze+h5FU9ntI$O_&_SWJKN{kn7MGM7C&Zt&;rzFpVUhWE=(#$?_{55&`&m9UYkc|IUb`(WVAe)xS; z-sLu3XOiI8!Ml9D-#^;-xy4?}O*X!{#+g9qtR0CVX8128pV*_RbG)a^2)Kbe ziQM^c-$uUj`qrnKylEq0)8hA#?3IZ@v>r814?$4dd;e~0d)1uxrrvE?=|Q-SWd7>^ zI{Tui-^1VY=WO?ByYrvzO)ju@P;z#s#R=qsRqU_a#$E39=gy(;F8X7|;3CmSQD(<^ z_G6a+eK+iAVES*?lflyntSlcM{oQ7F*A;-RPxy17IJdgh&n^6GDEqB{kyHCJD*H*- zCUy1ilq7C*L^+aL8|bC(sXmCn=@c4ymhDlX&7#I>1ia~S%j6iK&F!~ARqu861Rn=D zYC#OG_8{VKv^Cp;&vA3_*vobqn2)aC>{{R%FiY3JyWD8*f53d%__piwhM)U98R=o* zNYSB}IG1^{GJgqA#A7>OiTr`zz9z{#wXR$ 
zWdCFJtif4(ElADZ;~BC^$KuS6=xw;H?bq3FyVXt0Si8@jPw0<@59l{b5SMY;=P`Wb z?7mRaHb->6>lfj8Cd4{e#A;%=xKsR<^SS|1eJ*B7$uT5lqLZhe4?hrDHNN&~x6Ij4 z7^f;ahcKCC2dJl#TW5^XStHS{{QI!apClKTxxh5!&BAt?qi<`e)8Dm9oOmr#Q81y1 z!9^@8+pB^(0iz+TQta1D9}|@*jn5p9jG_{SbC4ZQBoy^5x5%gpmW-8K!v}5&GE7Dm zOqWn$SX6K`pjh%f$PLPQ#VILGXo#vviCmv5SC@|;Xs8ZJ1}k@NDX}Y#w+1OMUCq^OyDUlF5)Y1=uj9N95oZoBAk4?XBa*2~ zwV}Rw+5$w=R`syvB+fT4aZV0-=1Yo zyhw3mwF>DFnYk@Ns8h5=vuuMSqv!jkI?W#rG{Q+@<4jXNq)wD#mEtUQha|~Q0KO9g z`u7-Drfn#5Wo)uAp8ZH7z}RfEF>~B9v6DTUmU6f0rArv-9MZ@rE*entRqhVj3d2AG8;$hwW}KaQokVT$uMGwcjbQeiE$L>N%s!bb_Dd7S$sFfpiT#jt^M0rM{n^99u3DNov=vwK(>FmPa? zC(+6a%HX>*=X^>KI1y1)CM_{pHX=%~1N2R7qgujq^^3%Kt^0@+wR{uAw7=uUEtC{l zkc;9nli}b&88_{9gccp0d=FLhJ}?@;3s`dwKgy6Zll9|4=#fr>m~2dC9gMUbMbCBy zz`MO$yBM!P>o8eS|B}scWT#SCl#Efs31D-YzF$x)zy4bBvLY|-QM}Fn2YNi-buTEt4O(nuk-u`y-Q*?sxo(0TgQ8?ZD-q}PI zFE$y4n^7}s%h`sTuv}KoQl=QLa2{b3SN#ouTxHa~#si0hg`5RfOOvU` zYT6l*7zAxrMJT@sg`@l-A|?jDV*yh`$mvG4a}JXj9c_>I6VdKf(8$nCiDGO>AApz* zrGm3MWSL=`hBK7q`lsyMojwns0s+mralMJQ)^cHmpl4f-?i=q21f~a6kEt|?B&j-; zaKnOXjdXLrf=grn$$G^iZGu=`S+og@at>vFB=p|82x}gD49;t2Vg7$l=JO7CsFQ8v zeg5Ip=ML5nqKEu{Xxa5$kk5*!xk&JEBL7K!ttFiZJsW($Q6zkk-RX9H1Aybo+~{-{ z3%*vL877a{m-o#B3&!Q`0~VmIH1BqMb>&2#?TVHc1RPeZ@%|*yB)l8B z+`~QFOl>nTdlGQ)eTG)VNb~+RxFg!O<#}1T;&hcG-uv`d z;clhs{U4Tq8K?J=U^>xt&qIFS0ko{a-Q0QCXT!Eh>Cq$ak~_Hv+aI`$w2e+<5B2XD4Tl}(E)UThg{e6_$KoEIv!ex*v$a! 
zNl*7#VMp&FZ!688)c;^`*8cGwr;YF-n-2QaCSBm;gu&h-e3gC~RJ#bN$bG%Ui{{4X;|%9y_hvoUllJ2(U2WG!+SS*4 zAT_M}Zx^4%nB9ukacQ8ZfDh13Xcn9gq1Dg!=smK2%QHQzDuX_*To`eAEsz<0mbPluOy0nq3>-0SRp z2i}+g0rd<+9jGGuKxo~YIwN&t=x36*qH-wxt{Qx#sgWm6K#QsWW^|{CB8e8SD%_8{1rMMHk`TzwQ9iQTswKpFLtgial&?a;J%^CMJP#r|HM zs>xgV5Q`bYrH9>YDb{C00k%aqcRI=AY>ChyjW%xHz*IDT&_XhnxR%Fw&%C{V^vX< zCQNaHv4lFAX3%-z`1;A39UZ0O3b+!hTvWzS%4`Q0+N zK}nF8ZzzW^OO%Mnr3Da;ty?2tE&VtQJaD3TWKgBKHp5c15pCqMN6xNYQ8H;HCfrvK zs9mJ2E+~=eV&JYxxxNi_MRp=BR9JsL?nrD6TEOakqzH zh=?Z5zroO-BCUEmcab`$CZpLBc6!8y(TuAiCdQ@2L#^}49gFOX|Ch~vlYOHHcYa1V zfN9da#rlO)`m+b5t8Xm%g>lz*J}h`?A?jhi{MMLlM4O{mIt!K-L$~J5B@1FdteWL# zsD9^_iex^{X@Ub;)htO7w?tB)I%V{!;cWGY$W3C)qhcZ-iFZO8#uyw^!Pu(A-S`Y@ zf?$;=Cs?L2OqGtSwazuqvbf|Mc`dPx-BFjyJn|5m#z{4(xz2RHEn;%xtD(;KBP0GI zA2UmsaEmx4uI}7&(j{tt3Bbc(`zGpK+8!xqpv@_krPZXWq}&)YFH?o~ouWBKBRQ62 zlR{1_ZA}g=oT_j|o#fYAb%;7xa-cq$#)~uB8A4cS(x7l%&N#;zR1Sx?^fW>;3oCYP zsX|kr=wQ>b46k8POdy#)UVPWMHTZX_wz&i!;q}ZEl->ZkK-HCZKi>2uqlTTKJGp9V zwV%-!G{yfd5c{7m(8Nz8{tmJKo3kF0{5bAHJFQ{b@=rpM+aEs+|IVI2;GYEgD|DEC zCA1hAgJOwFn*3~WpI^+h)788OF+1gdeB83r^R)QVObFO}s3qFD;q^MD@{{iEIsez} zp2w#6Vbb>26-qZZ??Yv(pX)Y;A<3kN(RJ`vp10h-D`NVN+Ii##Usav!a&cOo>vvmq z_f%2qy!3sPzZc}EDCFK>H$h2Pdtgt0wWOQeg+UoKE=%WrxpJxN@-lt;W`Ii6dzqDO zda%dSukJI=^%&v*`L}yAzwhJ0VwT9ZaUlN^@7-!NxVq5Y`?3JQ)aiU0?!aT7>o{25 zJF4Ha+kmI>Ppx~=9}FUU$L+4RzK7Mne3SJWVlF)vqh<@zB3kjn?c0L@2ZW~7JVo!?kI^yeNu#Tz_U83?*B z;?-|;nd}eP5fLj=>pc%XJxvHTE&naw`E_9#cryyPT)%yB8+Y?pTU6xPpW4|@w#jF| z(gxq~iVp4LuKfLGv|}6#eLKV;Y3DUE+{K`3^69z3c+9i2z1H!(tcy$u>W=lox`SJ?V{RAbQ`A5XRBD1K1UPAw){!%iyTN|`| zIsnCtRirBc!M9Gwi%lm6qUtr-R#dPlKetYb}RR1^1e0&O}s8WeAl$} zC?gm_$6$*mIy|^f&ixrnajd+@i5n}2u@nu;_5gA17Wtmu528D4Me$@O@1!R*0@(VX zm|`%XWs>pcFF=j+pxg>Vzf69+@g}J}J5pSaL$&Iv z5mc~yuZn(FJE22u^8qJ(OH)33G@|vI_^0cJbU4;h!42w4K+6&B?*a~MZ-7dc(?ET= z>FzhA@QUQPKmJUCHwIXm&iQP`>zzZrT-MvV)|!0fHG+=VIn!>!qz+ zk4rz4h&R+Ay+coZ<8|d>|9o^ZNkFt!SLT(nD&*2BnC97=CZ~kcLR4WXj8wX|?Jz#4 z_Kw5-EMmw1PnU^g-O3-@!*F%iIyT&$Y^x!CY4V6 
zu^tIPAuBCXELg89mn@3>eb``$>JOFa*P(kGf%N@F@O`x=+w3b7L*3N{tIXC(tDO@! zO2qg}xt(2~n03g1!ANEr)u~mp5k{i-jlvWa7UB2b7|)i4gJdY+_bVoJ<*66xAO6&! zOG4?DRwDY63a8 zZDM7G(^Mg0;H1_eM*QHzXzfb@tQR_c!fNM6ov?m&zGBydc?KqX1}ZiBll{Y)zC-nO zAo^|BJ7kb{&YeGbNCsu}kF7u8#6N88vC(V%@`5*74@F8*OC#$xs(#-hWyJZK*QhMB zUWn>(<%UnFskt*GS|3T8N>GZTTYmYm@RA93sEx~jcR;xC%JvKr+Gp}f3;NZ)c~{Xu z7tc{)x2|~(sH%ARHQv)nCkeKIc@(0yBnh{#y>C67zoi8@^J@vA96eq>16t*Jf;ikCCFHrpEH(q!j+FN4L z#9?tlZ&lAnh1+5_^P(3)r5|&b`bK~=t$l*Xs2#x!1_Pr@`DrD*#-LpIh zMK2=9(S-jLIp@)swu>0nuVy!8EfaHRQMYTA!fcze-Fm#eDM4}fq^lh@mb9KA_=C5~ z9fL4(^s5$Ztk&2vz6vJ4MrMh4bkZ^#BRW=r#ZG>dog%|>j;lLShYO`_!lGZ8S-Nq? zl68T0j9s(q=k~rFO{5uavg`DaRa~*H2fs+oX#fq>L`eKgXQ~)NSAE)>PQRHmkGx`; zH$`R&DGxr*&*=)<58FvJ+0<@|WWd}W!9awae(HjGm3mr3d^I$)h#<4>7V8o(F(l{=^dhd)|Wcrd6HKYS3U23>QC$0OqD$XPmd0Q zw?k$aW)B2}z~{Qv8`&?g@I7J=}YyXC<5CT)MPm8N??=aAL` z>It20;qn9($>-r-xLp`_RJW?euf30$*^FX_x$La_ZRc!wFgUyeqZHGYW9|lb95#9V zPXCx4kY~Ic+lQ(zau^M$TWVE54Zs%y4hUyQKJIa%G$M^N^Dvs@$F7r6eI z{jloSF)7_;mo9jo;-UXG53J623GDjE$tB=ALW$hxHADe#6MbuIah$rigHsE2b^GvQ zBXDTo{R;0NQOkvFaN#4w_m{%H8d-tct8b92=j`0B&ueNiydIOOb2sR_Byqgzl#Ic~ zVY()%F5tI}xVFS-T;FHr@wwSf??eA`MVsbexTIjqk=r`jc{0#r%q>=5e=) zywBme=OsJG`|4}-{Oo!0YRyI6`oboqIlxyRfGy;B?!IE@;vnb~o$BwoyXwr;^L7HT zanSa8HZojM>DqLeVLUeI=y3_Zf16x+2TTYtcb}Y0^Wn`?UAhlmSO|gs7vQ3DdK+Yun;X-*g*GQiRFYSS-0eAjaCCR%f>B| zYMxMpYvoCIzBy_(NTu#I8I5ioEZRL549F5<5$-}C0Y{4Jl;I(0z#6Fc?egv z+Tx0>R1|Fhg>kT1rx1X}=<1oF^J|&H@v~qOm<4t!jGyh6GJ$2kWs2>`#|#A&7TKf%&ukO?wecKHn<>NtEF5#`A3NFj@_t!kBa9+o2S)hgnj& z)Z+)}ut#HzqP~ffNv1~TeR*XRjVeYA8BW}OkQ;cMrX9n(CW`UMoFVQ@Tkp!Fz~f6M zCH)w-R~l;>Ik4AFQ9^lhoGpZG-(4${O-9v=m95lYfD4!7V8m=kI&r~2Rf^2x!8bN9 z#+6uB+INE`n6x7}{uR%r6LtKJr@{^~d9e|lOe{Pg6LJ-$CPT^414VO`cW1N~AvQc2 zSH~mzqhtinQ&|>~Z0vkeuR{WYeeK8BgrzVo>|3hsU@QH|gi96I4PAr!)PwW#S4cfp zxkb_EgxsvNvheadqR3d)r4mU%l$LCwTh8vSxCj3?8+yiPQPo%fEzoqOOZy!xMH&e3 z7X8&2rnqUK7xZD_RF>`kJo|-gi(wvE^O)Jh`w$=tMyrFwNym|j)Ljf2|DZ`_m@TrS zt~BEkj<|KEsyqK$zxeWx$f}XRCrh)-NS6lHS_LSdWP4(e4@;|zhd~LimKvuFC)b*{ 
zm6#OC9#dT=B#CffTUxd6YFo>dET~Zl7%sbx=FF%L!Y-XbMuw$HX8ED9FSV;mswfy8 zHWO(~yG3zkLN{g@NmXz+C{MsrNs;KzH&~AVCGK{()4I6x(s8 z3|^zYMazYIvmz^1OgYUZagWGAG*g>>#m4cPriU`TC{rq8<*!W<9dvL_{5_&`%}mv? zEEAcU#4;j%Fb4sTf|jXQ%Q{qwx}!D}Qj>0txeS@Lu0M}B-jI*C8O=Vrj$A8#;oBM2sVWgSo0K2 z0M&bA#XpQqc_OgeT)7ja#9*?(3KZ1jJ6k#v0wRP%ZL`5wuml(>zS1Tt4X=6qxYPEl zG$LVo?Cq{?bTlnGoUyVD^xDiS0pBf@Ool{WP55o$3n8s2Wmh zxG_olLr(a5T7#on=wmAC;3x$(>1J^LWftcB_kiMl8s%uAeuM}7PpQds1&BXqJMiW9 z1N!qCk^uG3xZ)xx_AAI!nDz}6SZ?CQ+v=3@{8ehQ#K7dX^7(>h^FHxCcbU`sZoa z4_m*j;{Vd%(ua9v@O)EsYw{*3v~iuaZx>yc=gRdwUDW+6scpuL&c5$9UXuaPI7`BG zY1QY^HNSTI{om!0J+Jn939CmaS1emz$Mdw$-`Sn-YmY!tB5HoDUw4}lAp^;?9M4+mXNjNb?9aD8$s8S zpHD4xYOn9Jet53$#K6wS&1v+Gk4Jj_MKg-_ z=^W7A{}`F2@K7H$YeCtVGERu&Z4}f*<#S(pEs@Ws;#2jp(0RDPZW%I9xLn`YA2w$A zhA5cRwpDwAa`L9Z7M&O0kh5tR5@^PTp9FjFOxvIfCpckJ$Td%cS3^^KQDu2Notnsv-L=aNB9k2-DO>nKwD%hgP8{0S?E!+P34aGU=EE#xMjLO+^Ny zEZiDV@ONeF#*9ShH*X8@UAZ#ia-J2De`zT$_XYd%yro$g7Q#|v>8@_*QF3t7T!=cD zcU#ItsI+Fz1>|Mbdz@*30o z{)xL)ZE|*Y2ovL7@T;Hh{^;K?)(a3#mCMAFiW&Xaf+>_y(!j|jQ>Nn%*V?i~d>W3D z>kgMNHUy=^VKieIcL1vnMURchr?680oj`yAMk4jpsnm8C-Me*1V?aVb z2i+HHFC~X;AlS4`rIn+5tNwbE+?G}uuE4m^RBVDBf_eyrLR-!ri)9tRAy=(Tx7e{R z$s~jR>tAC@?}37f+*owcuwJ5X7gt@2u*)+I#&)e*nfMPV_9I+2ZUtS<^_pnL7XeU>{2rYYxoH2HjPgQX!TGR05y}T=a)^A#6)G^!)ec9zRC2f^z%5-LDaNyu_o+cUY zivnW)VUBRypb~ej`ge4htW)ktb?`R5DBt>}gh1X?Wk1u1@AdZaq3t-o@j56~W>WF_ zlwz2rDomP1;%v1XJU4$z8zmVq1d=Y8G?*LlLIwPQY!WLB8&(=2pBoa3+p-=0U0_`$ zd$>-RIKYOMPsVGDchvlwnoP9$5Wei>5!-F9vLp~mx3Uo(sE`ummm~R|1Fq+EFq^ne zzie_UgfO~0W727&0b2f!y}bOv6mb~dxMhb(%$y)2!K-KuEfU@G*W;%H=v)Zo@Y-i) z4cnK$8k^H<4pAlGvQ_HZ)w&l>&mq?OV1+>tl0Mh zFqajD;__fwP~#$%a{M#Qhi)SEiOA$r+N|GhM}Mz$w`AI^CA)N54ufa z%p7s3Qzyd&k68)`!{b6>_&N-^+FcGtbVVkG9mgF`F@jb(r7Inng-PJ zXswk;bvO$-ZcN_^G4Q6DSSxqiS;P7NL)2R~#TBkg!$1NgI6;Dw;OzaO_y1dnGi4Bdj;Cwb?nH94NZ%Jq8l z${XvM^+yedjggtA8tu!_23LSf&G-1pb5z`Wnh+I^#Fghm=#ow+uI7G_n}EZy?+nkV z)AB)75=y5RWD<*ad#=+#{w0Z$1H4>+j=eS|?RLGm;n<{a*3$+K(|<#Rtj_!u{&H9D zGL3iDfEBLC_v>=@dkz17zx6f1*U~oPejK!aT9R9%Y+(40$L+q#A3kT|!fVD9e%dqi)ZPa| 
zw4-e`w9j)s1(|t?aVYj7^7e07d;w;tuMc&*AQN`mEp0ry?r8iOGUz96(FMh4siVz@ zwC?P@?u97zq<4U{L*5<8Y!cIf_m3F@pes}{P{{u7p!Cf?1EK5kS1{Al)_C-e51ZE| zeArudj|T^~_Bo&PM~eWkOCagFa7cP>Vbh~^lc*S2#9S|8F3_Dtn|)^WS{Ip3Im8#~0U!Zp{^fZSFw3UoW{ zhl^*MRo;RtM(ppec$e5O?)lvv=N#O^C~N9g$}=({AZ~4L;Dzo~PE~u!jm3WXZNjmvrO>Fon&^qk<|XkEK+|KU&@x>P5YeE@J4UGcpK>_pTA|L{Fid< zC!21>9383zs8|nS>CfWwp^)S?H&DxM71=*7-Xd3TVP0zJmp!6w-=mU}QDmc|52v%~ z2n8*5k!hiyNE>u=d6yDn%4of1DnlWwD0S(Qjw}N_Q$9)? zWXnmCc!okL6_!KC4T^H1F@+xx=v9QbiVIVMrL>apgm_h)!=7%vxBh+A#apH4mXCS! zi;diJ)RNd+Q!B;f4Lbb;`#>=Ev`-;LVv0|mx=Q_Y5{MyLoJ zBHjF+#uO)Yn%^gFU5JjPfNt!qJ+?kgO|)X49y_p3BTy>EdMiB&x{yFx@ccA*S!!rT zq0p|+b}kxgn^%lZI#h{}LeOi&*;c6fgbKfeNwUW)1JvJBgB{#NL7~)-oGI>{A@7we~Yf zQ{-8Zr7jTSLa-hXYEn60^68izU~%T#fU+uzlyVPDWrCsNObm}w$|u1z!gH|l#K&DP zNIvT&Sdmg#gbFzuqr)5U>=}jS;g(7%B8rt=XE9gdqs_8E=;~y#dV%Gn!&HK;p0UI{ zU8L}xR6iqu_4D<+@BB`-BrzU@2={}leY>|Rl_{Tj*{cA8W|{yI3RHyW~gz`r3d_U%O3 zp%PBBjrfM~631{;M7)GQL-i{bB}8yNs$kBs8-?^t?vpBQd32`*FB;*#f3wi&%jIFp z+VT7`fi2X89;ZSao_hMF+@;e0*O+W9UD&9n6h~FHs;vrZz3^)SKb9ayPf7ybkdob( zAB~o#(ndBSc47#Mj4P7N(Bg?atA)@lD&<&?Yc$G4ew(RrEJcn*vq_fGw8`ZIP%<6Z zOyh>s+Xv$}Wapy4qte`SD)^oL&j|j{*D<8yL$7L)e9TAOf6PaC4+55V?BrZBKHOj` zgb=DglCcjrc(LaNwe$1yjPoxHDg@(2^AE>3hP$x-p|T|x9C4+2&^!Zbt)HHnmfV!< zpmVEN>R@v_%}JKBuRCkrka{Bap0?G0yKH(=QxlN&aVrDXc)2VqUD+~bR9v*La4_<_ z?>p3N`W%u99I_TJ_##LKA9m#?deDeq^nR!N*68^atEmcBd~jGiO!Lt5k3_hvKm(JDSIH(=}* z9VF0Mkh#_q(apuFoE7PH+1S!C=d5+k#%=(wJ&)z-ZW8DA_SL%W@cX8?eCN|9H>#b> zeSZF95yyEN7=@=J{1rUhhExn8cdHk|My?rggJb z+_d}1U2^Gkn9!o%bVxfF_K54Hqs#AnS+gHKJ)>RjHPkT`t(0!ln}liAf!;rw-0$1ExkIqfngs}taUra&CcY+ReIze8Hu|tvz*{xUOBNn z1iBxy?q{-n?nPiX*Zzr;+YP1xAA)O%kB+!-axM%=h4hp)9q?|x?dIp zdqM%cZthOo!y#Sk=w|w$6!t5D?R*A3TNFqW@w;6~NUu3Zr_VoB-i)mJ`=ylLoo#Rx z*4D?=@lyl*ijQH;e)Ri7Km>!8eLK+QpV?bWzj{vh>0Crvi|hOGImG@2B3%vfGdlxx zS3Vno#$B1;F!R2h%qT zo3?k!FfX`GhO0RFDM3xxx zYI&sBZW&d>Zf7gJ7jSX9|!irKs-QS9nmyQim}rZ8JG?7S#Od(FI+$x1G`hU2H7L zpH|9szG}WqF_|{EsyadZ8(9G7J1QnDRjF$SteIS*OUXT(;utWEXo)Vh$IWw2Qse 
zf~_ab;-gGkrdUmxh(g;~+y;-DRsAy3&81ue5*%*{W@*&}c=Oa=Bp1zrYK2ZJI>SQa zXl0VvFdKyOQy#yk<~s2{mqY#QtK}?on3XGRsHipbCWv1IIJ8uO&}DD zOuo!OZi$&+?_Op|WH~?b+1qHz=@O0g>xeILZFl+vrLWJchk{xRXJf~;L z+$Kh;^Y_XHX$qNBVRt6s%&MhUMTZEYD3MkjaEo;^S`4ZVT*0_wGt?UG6&k1I8FqdQ zaR{$VwVYQ*QABA9^m)f2DpYCE}%YTi3FVn zV<1Q+<7<(A4;0x7cxx!b7V96)dCYS=iijPds>%u z7y+#^LUA!;QIaEr^N}bjeBL_JUXm-tl5KdYo=XkSg{uuLI6G?N*xV-;a+^)o+%rzV zV%a6KiP{cBb=1_~fhtgioAqtJ(+Cp}Y^Ufp%F&;wb5x`;6NPy!7zUJeH;CL9+Vkc) zHYAj~?H+rb@oHp3a&e)3IuDLV;#J(FeB88%|5Y%ZJ(bDKk(^MgxB;Y)Cd1A;$? zUk`HCJ%3K+>m2xg=5hx+d8<%hP=FV(9U@P{gph|LB$)9&6U6UT`4(bdquSNE;bnBr zTBCnPX-??2MJ+ABcsc9okRi;db=nEySUcS$uBtuT*WdBHMCtw~jnAfjQuDs}j-~cd z(oD>z_MYs1VCD9!YhVmuA<*9X(n3m+B2akUIk`4bWY2dn+;2kv zJwxzk3snug@2b6>%KIu}T@yvTW_w%RJTCnnZExRF^N(}Z%bWPvt&gi;7vBQ<2=MnNyFR=O0xAHxLL8IVq zmKde&v?Rs01bmcbZnxvB=~!}8A22dN49vET!dtb3@pYM2k zv3F$vuh(dy68$;9oC@%Tf_P_aPH={bLymJt1YS$}s=5}U>1rIdi*|b4a&mOdZO-%v z>C)CL+lakVE?u_2x>Z~A;ShHM?y$JD-%k5hGWqmuwyUH)y#Owv=|M5;O?5ljUaBqn zZbhoqe0-W8ed|NEfM!OYk#owP#womc9ydMjwC2Sw#-7?K{)wIXZKWo+9R85E-B>HTa7h)n8{FjA+9OpAmb4 zLHpL5jfp_ghOe@$U+FsmDp7b_%2t0hut=|b(8e1c{@Ru<^!?VfeDX@xm=Y%dJwYbw zoaJo_@-;>4XD=MmO)WkCVL&5YM&N$AKJ|9moR?8na}ZC=E4|_0!CaGRnm=lo-N{ig zvyxTy=LHd&j5ZKgs+uwOmCfjN@bXUbkSuLlJYvh3hZuDNQu9-TJpHC=9kf+9lX<-I zHT$*WATI<5_cCDNYtEFSQ>EbQ*oS_|Olr_t4|jWx9YX1B#O4|SPPyIB{S{0oy9M_e z$=}A`(47OQki|tRRPBrReAk?dk^6hsC1Z}@l+&8JV)OHE8xM+H*q0~+gwTckY_MG| z>)FM)8NQHJ#h@B?Qx2s`Aq}CQ0Ck0J)y;OY%R-DsEZH|*2b85fXePx>>;L)vwFkDx zC65~h{0zd}({aEPI{blxXUKX6hh}dQ)v3n(+VF86=@on27W?oTC8m2_R!XG!RS-Qp ztK1m)Q&rZ~2G1k{frb8&&Qau`D$udWnI$}x`P1Ppn_O;URWuCtxr2}_*84^2r_ZD< zD=x}Lsqy&5hg<{BLRRLKd0Bxlhqvr$Uxs+{`@t7jH%-H%t`(Zg5{Hy>E6lW>xKs?C zzBFw6^5)-Fq8NI5o}ZrzlZ~y|I{rA^?WFu*nR}B)YtTl5pIvXvjU0e0Wj<+zinibi zcofGJ_J^)Gfun>@9`!&;+*FC5(_v18khK&8ib+v5(@4>he8uLGKjISK*Q+GIJjm9fmbK1KDHxeEiDa-z z3ldfT7AGY?6lM z-|%?b&{ekMMANL&7}4_Jcn6-{H8HgOA8W%JrQ`byikA;o`NgV; z2u7-YlElfHEt?f|NUI2QWW0ZV&T(5vt!hfqdv+fj6p@)l`jrzqfeO+YqUpu9dTh+ZE>aE(>znWoRCked<@W7uo`5Ef 
zIk7{P81d{bH+QV2CkagMYbZ>IKR3u0>qRfgy;x*khsl{PDUarsaAcOaV^*X=p^mg; zi5-O|_bV%0Kq*zFgta6Q^Dz%3)hW^CBpdA$hb<=m8Z83vUG9Hord{b;To3!w<-FGf zR11X0ppe57`&9QXlp0hgVJtu~=?DPu0y8zILK|p<Dd=3`c&5WQ%S<*`mrVP%U|^@P&T$C zs)nf!kw4pw@<3_yYm=t4Mzzu*dk-k)$vLDe!;#C2S|Ih8LGQ6dQB(X#I>Vt8izLiw z%N-4W#v%Kr4|k)I;xBGfH%p)>BX!%5DYKsionD{y+ol30%`R|pQ35VNvcZHE^tu>` zQ`=LUT`79Fi_Vnf!%5~yq%ZWARjW&(lo#~pVX!EyP^|)!B3Xe-dLWWKNm+K$Rw1d6 z%9466cd9=1w8hV?*lZD_)^5eBRVH#n&+BYWET(_maKb`?Ysf+rgrCuhk?UK*neU+%kA^XG*X)9dAAo&99vWobKR(a}^f0|`NWWk}RCH~tvN#1k zTsB5M1+T*cU7|S%CS&(Q!gr3miTsXipIzqN6Vv6Kmd9pu!p`+5=_$xIXeQ^Ee9t;$#HT+-)P*{AyYQdg*k#AJ^qnIp4|MN(pq{)~Y}Hx|D>Z=wF>{cRA1L3!S%@ z#7RRQ-Z%7ViC;c@yI4V1wX$K;#sVqz6B+XPor zoC`~tiZIEpuP06-qp$A{y_4m98mza({hiV19C}iC*k~=D^wY0dEQyV6k5$3%n$mK` z<{(6;VENh^XUaa_VP$??*!C>rheBo1*E)g2Ff|MmY4Vg4SC)Kcvlq#flyrXGAXxOv zMQsuO!=XAdQy6&o4cx6!L>F|1d_mFFNHUAeCu?DP3;9LQsVD1fSy`#z>>9shE?dVW zB)&3P2a@QH50%-Vq+5p*y2Z7_;?etkoPV*hZgF**1$(6|Rjc&y#XGPORC+E8zd$n7 z#3%h>PUa6{-t3`$V+Bk6-SSJJ!p^n2TsOafEL$~&u4&5F<4l^vj|sAhe=h0Jz=zY7 z{7P1-t!Q?wzE~ZunT4Xed|0Wt_^Bzbpi%0tlCg)w9*<@ea+p%KP{KG}RLPzt4WZmv z@#eUZ)DpAK2s3Tc8oJqwRd@8i$cdJ)aXRMDo-hX)iapFjoxhFus1;p)ZWRgAQ~Xo& zT#Zjy`yAb7x^aY7j2<}=Ej~VEMhgqSTYH%ssLg#P|iESG%bU=ZR zhyoETmm8x7?6C*cSCgjNTRtfnA8{#-p z4P3Fq{G~@F$Fg6|Wn`}6wri+d#42}U$qcLolI?p2OFDMF%wLfLh7fWW|JnT-b;E?0 zu5g#>D^;v5DF5p`fn7r(R5F!RPV!6eXAu`XmFQJ@qOrx~n2_)0uDzH(A+*(W3%Q zRYZ7PyGOSaHA+v)%Ve#1ol3P)1v+HMB8_rr0x39WYaK+%sVmm(D9VCr9vmwT*u-^j z-_rH9y}~8wAs5$^P+M$&M6~aV?e61^Yw^P{{759Q&DTk#@p(7hXW|Z)0 zFJ^M~wOi{FjJ#Od(xTz2PIK>pK`&w0qC?EEXaR!aUEcbb4})Qw7tx>0bqBa^9EIg&+`l4%Y{BEn)A>a*8+gLkZrfprZ!&3A0=}Th=E{`c`=d|4U zBid^@BuowieBOAu>d)dLYPyE}`Ifc-=@m7;gMeDPFCZtgK4JA5$gX}3U(}8{m{js| z859dIr+pcs@~?2&M|`To`5eAS)3d_yE#|X?$HVrdp4T<_U2^GoA4BeC%}buJ+y1&` z;_!;cG0T4QzJzz>>Sn(lJ5Jxa%r>vo%3q!mxn-~8xP zNtis@9PtH@Kc9?|3%mv4UN^1|PXy~jiZp#40$!$wRkpDq?ymQnr|Q$-b<3w}w;Nae z9gKGrx4n3KeqXA$dtyef>z9=Pc~Jka<9FJInhWoT`Hr3D9p(@5@fPK~rskD+wegm@ z(eiv7?xn?Ob306$Lhvx<(%ntUdL#z`y~X^h*E$}=_w5F=AKSUl(Ae8LogGB6ixPHU 
zF_tj84Dq$tsA+>TX5Q~X5Z`wQ;~VPhzt@}x9nj1NQ%6A>EA9*)n7J=LUJ-INJ=^{W z+0l>_J}11*h(7`_y1l{5VbV=Uz@8iJ)C`=i8ouY7=in4A6se1fww5WjnhGHNh zN@IC!5iOe@r9u(qOpVHL7Qb;~AfYgd7`=qHppf+w#^+aD=CaCYQ*a^E9YJ5!2KEns zVJyWztjc&spx-o-cOvqG*3%+o85}U^U$)Nn=W*mqJ_q4GFL}ddaDDcZ`SB|@A^=Te zwT|+;NvvOrDScJnTqKvF(~^qEsvX5bd8%5Tw{-cOFueIdSZvIa2wJ@BIEh$YLY`3X zU7Oy_VuQDT3Ie%2P^Fw5X00`DCbHaB_r70I$Ck>Lo)w1hcc>Us*cfvAd4+e|gsNn2 zwmER-NZ^Ht%p?Q)yvdUZd$mcy`s}RLuyrk5z;sS+QFOiC zpVL4KWj91EtUeuyb9ab`UVb>4IjPQ7D@`|PI=2dI!ei7hjfa^@sepsFNTyawM!Bq+ zJJHIM9Mz)8QSl0sWuSU?s=v&tPR%CrY#_g=BGwuQi-h3FF}wn&m^Cdu%}hWsi*Bwu zfMaIdf*0O-G@7J|uTG~q&>Ne;jKZgV5UDD9v6y`vu}mfbeM^bv8Vk7+^J7nX)rm%v z6QlgI#NMY|eb_0Uf6r^R$>tHr-rwE~8AgUBX9pCq@R&byXJ-)!V2F`NoJV5AWC;Kb z6wBNV(imX6y7g#b4HukVb=wR=LC}cWz?u4<&m;6mb%qfA-<4`d`|CQ87REXV-TeOq zyb8hgqLmw1($wQb&|-!PE#ha3`|W>{TAF_77iF68NKl8Vice9oE7JX(EwcKo_J`H) z8~a0gt|>2thQ+unMy-~&ofNkzZ_I8qmr_2`7B!Aq@Pt~GCRwOd{(0OOTDJ4V$DpRy ze)a149mu!Nrg^RG8Y}VNBvzXf0spNXcG#M|x(zMH@^IzpA7yP-45g$9L#Z}%o@(EJN6$Wu; z$DjKL&wlq~4UQ+G4A`l=-A{ef49;h}V#{q+&A>6NO0I#%9FdKR$2(DI7f&*p#~*Cn zh0jiRU@cd%jV1ItSz*>M^42j#;;B-yE&l>9+QO?)o(#ukejOBcmWHrEL%pRFGQV$= zUaH#gFxc1Tz(cJaAGx2WS{Y5*xuHhbLrvWjoqa{k&PxwnRYt*HN-&VBRv;c~A!&JR zm__~9!3daJXW!q9rT&ekFD{!C#dIsvIGg(@?Z5D{!~SuGJg-j$k^ErX=grrhV`lyf z0dbNbuWl%?FbR&NAyXRoGdRE-8U!C=mcrtT zjMxQJ+iS=@0zF4*oI09)fga*?kK(f1J6mQ`JzMvCGrkynO}F}b#oO-1EnCu7*5Z$& zx{q!Do-n-5)pJ&FRtcL1R^DA(?L6zgV-wU5U&7lzrGRo)}{86Z}|G}V)Cig-Iqlx+ioWgACcm%feicGGwT`S5f9}u+tE!(jTo~z_#+CkkyZ3Eb4F~bKq^^xz|1h|x3Z@Rp5<9}2*5;`)ay!GKuR4(gax8G^c>#ObDoNv5W z-GL?rb|BXy5J)}b$7ve~0G8fgc#cUR=89s}1)-90XSK3PpGeujz8--0-+T51Rxg<9 zl&V;GFNX79<$V?3DGg<+8P%z1MT;o3Ld~FuGfk^p=re}1Qsp^EG$e)-s?UC~V7}z$ z%`bAru(#1sFUC<|@tBV6g3`bB(J?r`CVf?)A9^VrcPTc*u=~J^BX?1%Iqg@ zUA&5>>A7e#N=udH&vA}6jk64;T((cXTpXfMe&x1Gh7Cq2T2XM3_Z>ag^Uy+b^{l|X?6GiiLljQVWw?>JAJp%9~bV&)>=N+&@t=4uPL4ebKz6yiw}|o z^w^FVDSkd|3zx;OpQ0I1o)v&;c9haA>~s<3OW$i4-f>2?Nq1YS*r8O%$fy~#!f9J 
z`#Nh>8irCE+MLtKS=ywmxYAi3ai(8=t0un|va2X`*0>P-rPjhwSqSN}tCB3<%TX6Kw3{y97Izw)N{;flsLuquVZExbzu{lXyQ$v>aVd2VF>2w zX|AQqNp^TOe_`O_spaO*UDhdfJFDH0V)90Vzu=0d*R@#|$_NI~ASPfYp#MeJ7xWwu zRInXAH`+?SgpDVbFVXXB?C{pGlDV^yEXiXCM3x%(SY;O?lqyoyqd-(6bAqC2!w!hV zyUa(73G$cR&EGsmUJ!GsU$=0^8xq4YFsxdj)1cajFVEMbF{QweYYHU=zem%f46{EYj{xz=Ri z7fZqAOY9w|figa7i$vH%CB-?Y&EnYnN+na8f1gTKzl4ZJ7TfX{j)ikGd|i_g`Xny$ z_o%4S6sW9OmaIJF9mf&`ogv;q-;3*N9C*HnF>CLj0*g(uw(x5FjkQt5cRedqS(C$) zY(3SrR8hI!>`A60{%qe>Ap1FK`40vaM(17$WJDFGS5?O1!Duj7jSxH{V&}2*wg7SKz_f@Y+eHZ3?ItZX$Xrm8Td9oG&-OT!n~tn{RT_f7&{fSRI?#pk#q`AH}pKU zKzlT!|73C6?-A44wWphLnRI#_{2qCFhXB<)D}_I z82);eCm<&#43-p&iD+v)Zo z`(&8)MbmP}OlD`{Zcl7`$z1@w+9ohM#7mo)f!>2bl0XmACwgw%I^hPtv-J^2URHoN z&(>LI6o!Dc!7()gd#CC>T^Cj%*Y%+5<(r7&wyZg>;b$0<9u5E>MYoE1Dt#_)p zsV-jKuT__g)rf|v0Aa(>aFN84rpN*OB}H-E^sBsFdLd~>v8s%dUyZ17cBlig5IG`k zei_m%GfgB3Mo{a(ME5*Z#DFt-1e?^t!)$7!L${)kkb*4hLL4z_nx_<8#-9uB{Pl`f zp{}Ya#|ISP+IvXAml)jmQ#=tI+3*Mh(uB)|7b8+#Oxgvh;(uR1rQo|#$n-gQ01D6Y zM`bsDPuE>CrNQ9g`#%I`ZI;eq0=dhfc*M)#;3^>Zvlnpoo;nc(03kXe1>Xs^0`5 z46LU)bg0y&V}44kEt{7_vUlyL2-dGQ`=@Ea1Tx%6kzNYDj$u*w7>!{L=C%u8LPLnL zD3x~eYAfBSuln=&ZFs1fc~+z`#e%dY6XS!$VY#k z;$W(oS4M6;j9RBwEfy(GL~Quf!2GA~t6;_@^|8=hF9HwJs7%>a)BJU&|MI(zN!g32h~{m7+SkBB1O%5V(4 zgJenz@&(JKk;)|I*8m-U#WVU(%u$hiI51_+)zY1URKm(kSyqz6lZFoAwFU)i>8r4c zFy~s^(w5oP>-!|eg8g(-QJ(cBll?nrMSgTJuHV?}Wze6LP5VyMS)MR)0U;*|zYg?l)^Odu6miS94NcsK}43*fa|hI%Ib9 ze(Fdx!7g8J$8R}Ti3S9p7R#z+?``YY@#?UeHA4>Uem&s(%nHH%tZ?kc2g(kNe<37A zm=CgBzx`sJ>>n_tA4sPS8R?In|(@FH- z+!P)y0ScYhNPWxBdy90N`z?7--4(4i_GOJr3kbZoVOLKJJX-<(c@8+X743AH-OyfY zxPQ#fyjdWxL2CYWrCyN|*V63eb4fhr#fI(mI!TUFv*Rk&gGP~2Re7(^yzJ`+eq`MF zGvZZY3+nCb*?i=UvGEwZI;U%Md@p%{0_WW4fF(BEUP6|`w{`bp^)tQt{rVBiXEW%0 zulMhz-|XG@6f31dm08mo;6xnJvJd>YW|8(HqFkqA~1hJTDwq-TJWBc6Bq< zS-Y9MD4o_J3yd9C&9Z?TjfnPrRT$G3W$$<^K3??BVE<3@hSAr0wICKR{)dxkpW}_5 zf=4gI+pc6=e)l<9RAPI&mq*8#oHnW7p8=Y7OHOJ%f3~?_m?W~ihZN1Lcc%4T?Di|< z->(jBYjodE+?qYbQ>)*Oee^&RQRhgRNIg4y0;!e0fxx}zSK6yrLIj;w(5%-+_t7A- 
zy8F`s2&D}e!&%+7cm&}0T6t8r4`c8IeuwWQ@qg^--P69C*k&Z??Ds*8_PRUbRSuy8 z+`DW<`2uI2AaA#j9vw&kU=S>@`oGj$IKz6$m;*`F;GwQdl1MMg%vl8##%w~4Cr$)f zPg-y2in0moJ4(UInwSu1V-9u4;pAO>v^DxB)?O0>_FSvH7-mE3L>hM`7%>vMB1^gz zJ6TiGa;ydq_9>N@s$rEkf`-Pg2z+vhq)e=&EwR)tX%;+Upt-?Twt)n2qiNh{s@!1jR&w14w zpyr=4NyTa5*SCt>Yg)?wWy5f7aX3)5l*M?o1-TRI;KKK@;YD7}xKT=&ydEvv_I{B` zT;b5UiI7AH-?<@uK`LCYm_QEyTXr#0o5b-2%E`p9#p4s|9VnbGy_#r6bVWqj#{5wg zxQu#gjrx4ccIEQD|ZAIPavEtbhQM2n60aKn36 zQG+aN-7ycJ1c<2q@Gk1m1fL-&;v!zOVnp(K_X>4UTYLsN!o$7$`ZLh>4pR$T_ zD;E|*^UrkP1Z^Cn0swN|Lhi58sU?Va8pvGnqq}nlP$;?vDG@vhP>|rNQGDtOr|?VNCn ztrmJ|8vFavy(4idT#%46o?R_rb3*-9-k{+NK66`fweb+J z6T^B|{JxWa(8iX=!2#WZm7)ZWoMufLVRU1hfw7^7Nqj>~`)ajNtFd3_#Dw6sn1qb= zC@?lkFoGIA%OT)!nDo;kO_@y=QP?t-IwAtIRz~Au93`n=-?Mw-V`g#OG@G`MxPC^H&XGhqSP1bXpEo`hf?yxHDf6}W)h z6+Ej0c(8Hk+R6UA_;W9S21S^$9&$4#z6kjb;X-csHDzlTC@&x7oIaW5MP7mUa6E+1}cu)NxFLiVDE5lpLz zZdD`#_X-iRE{Aq)nalwWA6o+Fyi&o^N8*Fr?N8aTT%u$PM_hR~Nw7Cxfbx-`0qNgF z0wkj4S(;#AhE9o^O5Ml49A8kmMslUxXFN_UF>8Oq>g{A@0~!l?^n^!pyn2})bSUFg zGAmWoMTLYh>4MQjxWrT!C5H*i@C5HM#^W%#Pc1`I^wk-dlW<5|HQ#U>iEyx}l%c|% zrdf}F{U1Q=Q86iQ81o@$v;S)`UtitKoflKW&RKi%Ir~Iy6+XR#Wm3mdbpC9q^Tj|};#t^*?L6;@H^jY<6 zgT*tM&Ts zo!7SC2w6oIORG5%pZ5t#pe61Ig?Uxuy3gGTBacy3(e}$}JEu(uW1Va(i6ih7a3#?E zuYgjfhT+=xp#G`HskCDoZ(9Fy-*qRA`|-q>cP4hGi}ywOiX50Ejml&DFwE=5aSNZ| z7VW+}#yOluDm8KaHn6g+|FfIEX+oJTTgRiMk@)q4X#ap@yW}>)v68uKDslMIe>my|0~dTiy3^aLG-;qV2lUcc(@_yQiSxG@vzoGkI(h zKjhA;NLr3Tujy9#yIrDQv(q-0v%IIMz*Y2ks$Y;Yz~zGRxN8$Cm zcbY74pz%2x+?9Fc`(FNX?K5e$Jd~1NN8Zp+IO%tP$g+yGt)a0u^d2}bAXp>o^a#)h zNeDA7n*o`cG_-ZMFx)cM9o@@npRKAge5T3q2PhaYVZODpSNw6}&g_8ywX20vj8a9! 
zN$$j+v;azQ%gMJz+Zvx+PWsBC7zVBJ^L({@9b`F)x=`bx4pT43{n;?%lOptR)=2a2 zVX>|pd0KQ2bRtNyqvAWtmrW45hNCcURWvlA1J9kyCQ`fe)0SgS5ad?vZO277e(}F}ve*Y+qF4Oic1Bq+1i^O;r^!}W5Z-^;)O$Yf|!IK4JSl`E}{GIW}Izt1*g(&X(btdueN=vO8OE74FaXfCw+ zr;8QaepepFVnTAa`P8LK?=#^3ArK0!S!7Q-lPy>U?UN5C6nkj9Mk4)NWAxG` zzSU~`RW$LbU(ZkPAy-R!D{p~ZAtKk@5wWDIUsa-{_b}#FV*05N#!IT= zRHh*~PPJ!kEfzI|-jiA8Gur8A?MfjiX7wVrd2s|Y~kKvnxnkHWM#MztF~`sTak{7fXF&(dznU8@d5@=dawG{l}Ts3lgn zns{7-)AcJj#IkW+Vamr0--%;vhZcvs6LWuReDhXh`e6{OP2ZnHK$#w`DC-y=5dw8^ zOG9$&n@Vd-%A}d4RjeVW#=mV+#-Am|T~J=d!ptqPsF-~-_8mt`U&|U6>Gz?jofU$I z0fss6nCxuLmvr4L`;%sCr9}qTI}YvDl>$4vY=wbFnl{8Lj&H*5%bfo^K5*lF_QZFI z7j&Vv_ebB@4|5h_RoToL1pF>J%}Rh7#()im{eb5`dKUXWINW|}8F6fRv%Ez>(0fc( z;o(}cO7*Kt`$+BQI!=ZafbYZGxLMh@&j{n%COEGP0D0loSuVCtjZxMJ@=FIR+n%AO zZF}X^G;rtWwB@uN)ppFZ{>|4AvYsn@?AT8SgW=4h%5wie1++JwXk9{;<$3r&Upxa0 z1A6v>QORMo2A4^kkIEm5INk51Qjiq9x|ne)zJoTHvtxKuj%u`Vd&Rpja&8W3omvFC z*nvv3&^C_Ue2Y>5yuK$bj^3`ue6M8}Yh*&G#=E_79bLxyXI&-V(#_7I4bVhPIcwWO zbqkz3kJ`@^(3$_mU&H`$hAmZ|PY5TL&bByTCNI7H7~Ll-pDE5*hjJVL+|<39?Av#& zw7#y=-nf3txpzEiRG9Him<71D(R@gVpXV5-7rce~!~iZWD{M}-Ee34cBamDz5=Y~? 
z-VK4hVoy*>E-WrNQ!HM#Y@QE7*RNfJXF6a1p3oT(*|GML77O$sqg!lBZ$$#rX6+FMv1rUTh>tL~qJeSnX zU6M9g-Pfl@#mwQ8)QygB+d~@=yR1i)IDhAX1V7{DiEfV*IKL-a zRHkg1_qiSh`p5H9s|4Mh8a(QP$G<(~v)b~^nx#g!1=x<5lisV80D2{Dw=q|ot(8Tw zbGvJ^H#esoY8y`3cm*t(&f3pdg#vdBc%LGgXOsQ6W&+;)NcbHy>@Q#6P|NaCsUXkq z0MU2A^+#sd$9L{I_QUhfG8^78Jx1MbYyx3ex%qj_l@xKvoc9;-u};Yjr+}h4vTls& z!?T#1#f|0fOS;&QiPaeX7{(RnPE4Y?>!sM3l*M}2hB_(;8H3SJ=%-aDqX8f%69 z3_oDfl_d}hB5~PGJSRN#l4{KKS`TTlqAM-e8)+0$9To%&B2rbM3m!=Y3ex72=KYa> z%~Ldsk;86hU$ryz_YnIObPIy>_;;qgUnh!cT6!LwS2xU4<|q6Xsc)(DYgQ*|hwE{c z{<&-t#FlEfN_5C@^43N!Xu88QM58oO67isnPQcoYUJXqTGYQzmQ|7BihgwK1!?e(He1(_pQjZ+3AMw0j{;ktRyinskNxT&*JakNJ`-joQBHq%lJm%1yaFdZS ztQ=RlvG}}LVYJ_#T9QNXtDc8hDeS;3hq#W-=n@B;SbzxZm}6+277Pmtp&U;rV~tTO zsv=PbBI7O#?Wv+#BeoVYwwMkz8_tpl`0(|IhmXI&uTax2gwk)EOaf_EnUQLd?xqS3 z2{Gj4Esp{kaK?EY_jU)*eCMmMpU4!>}4*8;`n&yh%TNw}usmv}g()rUJ*IM@t6 z9osP@YlGC&6!AGG!+HgIr1@;5f=1(A3e=T6-G0wmRZ?i-{>V_Zzj}reFCWSmwUQ@M zJNbZ|6(?*FVSV^E=g^`M~jqo?<~YtEb=%)k!42~@e7jz!cuOt8%|E%gU?n7BKp+r zy2rPwuR)4!v|ml#&6(|g=7h?kj-lnm`tyi&NDy#nwClNzHKdiW5FKDPCZ4so%+mi@ zwGmd}(61>)GHR71R11mnGf|sCi|JOYn2<&1kcm(i(aKU!DGYhEC#GRpRde$y~$3;#o*5D4Ck;bQe!(Vs*p$XR}1mD)EwSyC-i+0MspoDs+ zEsC7(&?e2(u$T{Yshxsq&7y5|tHN;|(l3EVq+s;-$+1QK;Z;z?Ye#BRZ@Z%=M4N(V zuuDIM7)WECW)VnfgX0jLPP}AlHpFIfjlkFCnRlk7HZXCgB$Zd;~0_v6~^}-cbB*R)>mf{un6FJB0*f*XBp!qxB@&(cDZ#wZ3d20_HpR0d3bw=cG z&7ovnZ|;{YS4dB@Ip}?U*F!{%KSYASQ6*IR;PDR|=oX}DV8>|7t4rxeUBFXW7@&J8 zBmoq7HiUfcd;a(Mi7K`2A*ykxgN(TTPbZ)QFc%iTfF^WOOZNos1>eCBUL0w!o~S&a z3G8B2w5$i6u^_ybN7OvT?B9dQbobY-dDh>%yqO^nxxhta)L%Q0fX6tzhGfy*y7T*o zP{Fv|_2)P4@{GCVWb+F>6XReb(8O3)0)=U| z76pxq1b(-SKJs$_y zjO$k)=Q=%BK0{Xj7Pt40G6j7b`@3@SK4e!VTK~LPw$%q3{SYc&MdE2ixQ8PHtDF0Y z+K?`5tV9JL*;MLyfFZm){PzXYY$D*%yFoUh)qm@jk9_ZKHzAKbV>MvayVK{T9NfN# z^JMv*&8M!<=Ppk5>ve7Zdx_itzsm=pR$c4x$m1sP$B)Zu8zSQRnzjXy&Ntp%i0b_Z zQXsAU@=oQ z*FQRuC!Q$ZskCEE&kTT~SBkapvfOYuIY@WUZ$OPX$TQE&T=z?!RPh<7a|vhPd(m71 
zgx-ji`k0zciO*wjf+J&*$u>*g43=65h4eY1UcA+<`P_T6HS`z9&g4pGjFc?;n@3lvMtaN+TvMvM(8!xl{SFJcuhCCZC`xu#xnLzjd475667i|VXRhJTlEG^{w#K|``pvO7#HVE zTq>BVxD-}LOG@4GmMPqnL2iPRDsERR+Hr?vTs`H=csuo9hglBZuuAI#)6EYSoyLlq zqBltIs^Nv=d?xbwG#b9b5sT}t!Z&<1a{Xa@)5&Tjg!I26k{3UrX~E#*-tu5#H)^mS zEZylkr6{Jmzo~iC*0u4K zWMmmrBa}k~PDHD(k>Xa0C_j+f($pYWo5OlpzJ!-7shtSSbsqBCs72V4A)~#gO^@ZS zV|r>8s^BF8eRXc+)FE|O3L9#eFVoOycS?jVzAYC;k_en!(S%|@4d1R1@U_Z>kK|7A zs*%%=bRY7Ys9kGO=40Tbv}>un;YyZA;#}KoPUkWBkt3(X6e{9~at9fE+tD;SYM-Ng zfPCK!1w4{nZ30DaTmHTd0gldI^J-@Zm!dbULa>*ZLnR3g#k(ar70D#UTWx{Z>qrJd z*{J5h#3+V^Sp(DTrRDuh8(v+NJ}w7UZ-trmGeY{dDZ%6&=xI+POHd1@J(GCf#6CeG z{-e8*x;$En;K<#59&9gf0TplA+IR^NHHFXHk5x!fVXxS7#dwgAp=|hd2#~u=b!LDD zYtH*&(iwu68M&(k9no+6cu=$$jiXKpbfxT`ZGV=yv}6*E5iW5v)GJR>z<24P&kO1b zOsIz~)FS;%^~AV!=Ivx*7#IA03}yo0AMBjE@(QPR&(Xn%tYA(bzEZw7C3uXg~f z%}?ZDt+F|RqTH2p9W7bq2H`$EdTaJoWhCfdU-4(g58*mA%nKvOB1}r=rDn2EN8rj+ zXFRNNpJXv)GKj@cMm&hb)#ptt4h$A-7;iFdLlA`)!5xZ-CYjOtoMZU7A-$8y2%BV9 zsB`%9Edg^m8C|{XEU`sCM@yk4ANT2SsXL3hW>)DIt4#?;2K+|^w^DI>a&SJ9d(jtx z2@i$>erE6QoZms-OZNc_P6HLJ+NG1hoB74~j)!1b8?y||Kr zg^@aGXBJu4NYwQd|Jr z5<2q`$^E{oUQVZU5$phrYbBSux!bC*RgU%l4j|<0W3yhz-I4itK`yKC^X~FUf|?GD z`+^`8Vi*)A_(St^yQ0G%=Aj4FD>7)>d1e`l2DS|dsJ?}lg~a8=j4sdZIxI!=d3nhR zn{B{)y}TVDp5?wvVt`CghwRpzB1 zyRTx`0KF@{bE2NESLetR=-c8V-L`CgB;1#*??;q9Ona;DdwX>j6^>IEo#+m&OJDm8 zd_Y>bhL^E9L9bUnWmEC(Kl`rOkjW>W&xH*fvcow0ovOfiAhn&^+dE~V?}4`WzuGz$ z^|M607$B<`33)F=TC*EZf&f9gf)u(0h))h(nyy`6#7=F6zft2z|5H@&bPI5+eoJ8Y z!?O%N46Tay>9{2mf_%Qz|7PTUB)(i@z})e`q~k2;O#`8Z9KoRjTqY*uvMzZ#{U(rE z{a$yyFS~##B#&?JVdu^lou;;)6N3UzDN{TC<2x5_K|M8HuQA@5XpR>%2r*9n4^wqJ z9ry65%@=ZbZ<+eu3`5;!_k-`q6n%OpLpZDJRu!X`&dS>TJR*A~kIMdLZHHd?vIauN z9d!Yt32hy_il@3)#Rl4rY&$)k87&2Ivv=CB|Kh$g>afu8c!7+#AEN{7i=0S>1X5T# zS{tv#MT7i+mp{9Rzi-&jYJG^twi|yqwNFCF(R2Y%y1K9Lx_+?u0aaWMnvwm#2?cDW zS_{8(^bx29UGRqW&G3Vd-0}EfeJz?dW8V504fJ(%r#Sm2f%fiX&(D2Q4GDXYwKGw2 zq`;5v?e!;!RxI0|sAoZWAo!(kKwSye`aLc>{{8vw+spDTU}HxFl96VoW96pvg^~aM z`95#<^(jG0jn>T9DYA%s#L|~l3tD2U4Mn-F$Yvu{->*uFJCl6Uq9Yr~CEuBe7>N|Y 
zPN2SO0q2d3#U+_9o0sBWns=aqsh^X^k5yaA zM<|!WYcWGzjUX-Bjg$CEw-dgE{RRiIAy#(y~pj|{3HhsY6O&^YyfIi zX9UJ4Xgc;rF5do_iFW#-05UUm-62xcGjqx5<(W>gM4CDloq+He&8i-4+A37Fddb*z z)5XYN+UZ4NMkf;y)PyN+~hbV z3RpGnwja5y2XRSzXiQ)?HGCzPH~bsc8I^b{53;iDS2B}deskSoY-NIndje&kXzcxY z$!AZd8tbL{SBPscI1WRskwU(X2n9E%WpJ|mD}J)bss}aN7XD`^#xSRu>U>i`X3cCh zNn&-|Q+oQS!yj0MQ$^y|bXH4Q)IQ83AvA)L=HVK*W4_Eg`}p4k32ws1ZvGxh%*V_4 zmqUlFDv6dp;Y~+;X70+LM)fC5wv39*MpQ}V^`wc0;e>4PPQDbk;M3WlZVaZKKxFoB z?L-CvCy-KYmfD@C=Dur)aohK&n)|$GJ*W36K=Cs_q)fBri=6G(TKHnxMe+-7r6G%d zR$rK?a*s7YjCiiK8SeXE)9B(HS{=&}wFjFgW$ojl`iouANK!`Ed9;+I<8vIPY7p@c zcDq?|=tvi}Tp6sjpt{#VOCh2sDZ4UDR3)`@=qrdgUM3=+%2yS;CEX3>Rr3+q%HUeZ zI(>V1KneeFnKj_>QTOWgZLUgkhiSD$EX-}VW)xxTz9q;1CMlQ^?=;X-*IgXdlVJOr z!7$MzmNEV~;327)Fw`)7RXIml$;}F*oM8(EQwvi1Dtt5XVfJ$zqU%&gy8FaV()=cN zZl0P`=AyRBflY9oQfdm-z=!26lvBeSVKzr@XZZ&M(+^{{ay|On1Br^_gi#17rDUlP z2BZ%1Gf_6s3c`DD4$0u%jimlkW)s2GYS3EK;wEk&GX~N=t%O1#pI%zl~X3dW`w#M~lZS&YqPiX19W8khX;RQS`9T?@C;V+wu{ zo32B%-x_|nd27|5Ch6n^HQNk6mUSYy?5R-%|B(ZYD0GIp*nYr=L)*@cJQPiX5S?C1 z{xJo6g%_nG@d24&6ysYEgToq@{wFwvU!g(8E1;0=S&h#0#HO#5IG$NwHFa2ka48ex zZkw`kPaItCq5~P|QeShF^1a06^g~JujP_(LQN7BHI&AqlwJx8!-?(4}&f>ZY^ zH{DhrSUiEW>4xk8>rv!-E-kgq^eEf28yxF1*s(Oi8@ONoW9RR4?@$U}t-#$VoKE2B zBA#;3Iky|pYh0PKsIxappm$so8t<$V8Gz?$6^ZWR`mgv|ohRiH7eV;Bk#4F zXxp9F;h)1ha@^CvOZ-H=eh~F68GF!2Y3rOJgQaM;`%0pFt>Dc-jW_nrjxB-rO54V8 z;panWyQZvf&cd%p8fikVZ{~tM0mWBCRXU=V`7Td?;o1HM9=nQyhs;|<&&z9G4wSlB z12-ejKrbQB2lBw|L1tGl=ns~&XzF&*Zd2+X;FcC^%Enp0_bRd15{+oLmdIoL$VV=y zhVH}fA#FjIePl>?h3h=qJU_cfNDRx|9HPfafrgv5%5kvbUMv@A~6qv(;3b&Pc`U!1-Cufw{^&n z<96)+5ybHXxDdr}zJ{_q2HLhgWL31h{xt<%BpA(PyF+)&+Lh$}4S2BGf?LZ=-n@Pq zWx;m)oAZG`uPzFDrYe4aOV)@Neg1`YY;Z^S?(>ofd3^<7L;8+h$b41-y|vfUuiwV7 zlV4V!(bX$Gt$LHNqAmj7-<=oBav`^lcX__PFU?Yq^BLKJL2qTeqVLI7IFkKbYL=Q( z^NKQ{vfyH_o6j}p%_wjtMf@k_t_5S0E4X7Leo#q~otkk7+|a+GG)8}AvM=L{{NRIL zkZzKRREUrl`|5_c4_$x+&LKa2q%KcJq0e+mRoH9(e6(Ax*zef8mqdg3*^OYLLSCSP z?_xYDNmF+LNg7U>5GUrB`IzlWG{`D*s`++5YM!Cut{?ka=*K#g7N&SQtE-pRKZ%}F 
zPl5A#9ywp}>Sm0h2xa7qW)v%1?sUxg=D%n5VXOm)0<? zkPCqm)8D5*f88Fw(j_FgYj>&In{}EJz>t_Lm5ksT((d4(O5XD0?P_5%4d2`KG4dY4 z!Dy`A*F*baRgsk<`OQicOVl2rmPxVI^4#*9|AVzCJ5v0HyQlhbi``Kb?%3FxEQ`~8 zHa+2>qUR8IlZa7Sz?btvm^!m+c!9P5BPmb3#u;t*uxD1Qb%#-z{%w=uf;>|NSXg1N zx68$eAa9;X1xuX_o$rvaph=O*I0Q{(r`GcIfuio>(SS6$mMB7vX%;Re)VXZ~E`$)+ z_13FJ^e*694Q?}28>nz?ekh zg!Bf!a~l5_F%FuAd~tKps21>(PEvE(zMKAvJw6YH>I?9WuVklfh?R1r7`P)0P5)R=N0X-VEreT@m7X1 zJ@$c2D$mZ&T9f|vn6dIgj>P3^sIcFHESTI}_^q-6{RUcFCo1=Dk_^1b(6iFMapnP{ zqGm(tT+Q+>(0I0%Vu&r6dj~Lf+m5jAh`PtF4xUm+r!<49*VQOYsEhSsxRPx(nfq0q zh_=C!PQOSvJf}TlO!USnBbw)t==oA&DJo%?_#3_j7(%FGd~cdw>A($;-^7?tD3CcfIcuO;3XXgB`CkOM&RH{h0D@2>r{4?G})6Ls*Apye6UuKmt zJf_E!tfMucycToh@t86jV0nl{=FlhMHnYnkIw(+U8rUNxECrhWka@j9BiF{$glNJgH(_ z&b|9O^qBQdKMoTeCFZL;^;^|kcg@T%w*6xIGg3{`Q8bRpH1{CNGN@(6P3pJCJ}rmo zh6U-wS*W8Y^L9P;Dma-lww;G2y8-+)ZPqr8tz z0p6`4Aqy%`=mS!=9jIM{&Fom6(%cf?hPvi@_7Qyy5nGKkHTb zg#NT4@@KG41ee%rdOc!yk(X+!yJu{Itb0j#cS6`HKViMSegVC<7s!0_ciGN92~c=F zW8C}r!hK}q|B_tBmJWcNI@Usy4gb}mBRjt}yCU(~O>Q%K121_?;X-C>tyx@L15Q-f z>W_Qs{+Qh2L`{8^N!FBceD3vogpNtNo8cApIy}{(67>oAq-T$V4j#$jo%6NtgUfaG z7R!CV$2#ggBW&4G%=32`0A2bo2AR*@fV~&bARYrO-pHi=m&Q!Duf`R#V1SVAKp-1` zslEtyqBgj|eX(ba^=>~^_oI2@RJk9WaHGVxi#_mPb`!vF=Q-j1UmM<0t^nw$=Hc>k z!3UVFvx5-i`T#)l%YVZQ@Ev-??KuYm6j?myDJCx3dOPgy7hci54Q@(AnbL^+thn3O zVpzdMFI;UpC|&>-0O#RjWL?iynR#l)6miRWA=B3FZiq{#&q$0tDL~0{zvYGhX#C<@ z=FQXsNRrlTw;&n+vMw;A#B2DNztr3H@C9^uui+Ks^K4&h;2UG$X6=F2XF6v|I4x`s z0-R)K(Gk8};ONluIzOL2w+XkOaC>*(zq&qEIg@?ul2D-a{6bA{@Fx~VEndB-&vmb>I$ac(W)r0W8H~PcnW#5ac)a@+# z)D)t$zFLVuQ^eB>>)R@K`!*JK1R7MkeU*HFvu0L$kVeH7)S^e94#+vMRnL8ts37LY zX7~gmitx&B6(H$|5-3C&9{d)dQCwjs&2$jb*H@lh)sjV{>J1KNn0p=5hf|JHCP}rS zNwoQbfd!XZzHM=&KApg-fqg3m5OT(nx99P*b3cl(!rY90o$G^%pK{G>-{ zGkh1W27fd%aIl@NN8j(eDo{{SuFi1OXo=wz+X^@}u8nf;n25zg=r%+Aj%s^)ly5U4 z%qgXYIvZ|HReLUOIpklYMEnH5QhIjBP6xKa*$};Gfk8D3!Fh8Q@R`+6kylzU5B{HW z6hZ0cE9_~AXIq}T7;8D59@Ad1yc|O_EoPql(M%pv29dHAt!5lEp!xaf@gQYlMb>Zo 
z=%CM;TlM;z0V-!gdWM~1mZz`2^)4}2Zt&L2GVGmzj_ZvG!;4;zrgtM6uIAR4UrY{wbP4GJ`rKdXThw~+YcXQw5+Rbet*SIL9tFiy*`%8TWeC5?)a;oAGh{KZB=i;ENIUYdH1j6pRanTc?5B-68$UltyR zeIJ9n63TAu8D#%bPl*rk@kxZkIf}5WDB2N;tnMkx(aT;#HQEL$fYkr@RophA)Q8&uW zUL&8RTZ7mzB%=m@CnE%ciCy2bABj!*Xf8@z<1`T+8GkdR(m-71V~;EeAITS+j1DwC z!nIrbzmEJH^Rtm#IZ>=fn4^R=-vEJ^5SP4>kKHtt z*R4_f4)e#1{T33df73SSnehJ&NY+^Q)~&PI8#+%HdV8UropTNWQXMo>h z-NlC6%#^@dcKr}eLN#Y->d97>L+iF$tKSVSoAA{uN6bFcyGxtXZtYtygt8^(TBPCj zOh;n@x4>uTeg}N$GHbkA@OQup^&eYWeph$vOrg#dx+>72?NP5zh~9_@;xy8Wl`tk z?h(Y_aYJ|+r@Ajw7JT@l;k|x)C<$Iqx=u#AB`vgKdKx&fg%`Bo4f-ht(H0> zF2J+uw?)8k9VzfkWoW1>NUUT=&`bXg!+uP(&-Ed%c6cW%pnU^tvwG>BrEkXyXg#}W zcR`xwqG0^5+GVNZ^V`+>K5ttPm;UX@=WV`&s6g*O*CLmU*8{?BzRn|6XJz<%hY38m zeMk8#9J^lx1)Temz(dg+lg@7@cQURD4K?1q87Q0G|T_0{Hnhjv96=sZalqd^cuSG+l^WhFrh3Oqz8d3@6J7 z4jwy^obvmwYi5O*;nU8uPFWt zD>zo_(xBo6-TiZ@!c6-zl3iI*p8bzcA?fC)wST-SOhJ5x7}Pq#ro7(t80^~O60P85 zNRM34rs;U?Dv3U&?(l|87g}URrEx@-gn0C4v=h9hdvazblH&AO41}zMd>JC0V@2Yd zdTz5_Xbnn5Y}3q7Y@3H7`?yUENX{X~weMx@G9)E5vCzadrD~3uKuNz!t@58`=4?fn zx=AC85s~^Fh9=C=0j0-27J~~cg%$8NEGaUj#Bh<)p9${dIWNDF6x)9a!)+91aS4(5 zjHEVU2PCO4vEk0=&Hr1^%K`;U>j@&iuwy7PxSoiW^Ej@y*RfbjxslRqvC<9B1PPrOA^2)(oY|~!nNh>Rl#A`mL)lS z*n=kM8is^CZ-PhA9C@lr7NemuZk5$KPFwNQ8)=&Q^Cv1LnOIrqT^TDoGe+9`lZEmF zI-AzzHPdg3c;TH|;taUQ-dTZFV|HA;xXqe$<8CffVQR`4GVumPOlUiBeVUNAX(2PR ztd9gvlAuNTxmC!=Ll_3|@$Wja?|A+JHKPLItt|fNYCT8o9ej*e02^K7t zstkq)J%)R5B{hj-DceN^d*jeB@^m*k%la0K2eY&oiT&`*|1Dt?gfZ$fh7Ycuv5YIN zw)Rks`sct_bk?ZOQNRGr5&!?s7WQ4(^v3$4$F)L&a3xlV(#$`(x>)TaPgOSl%8Fxc zGjDeUTziY+nD^mtg2kf-aI!x;DdU!`II_-e_$(~~+Cw<@D zQ6%&iP0yU7ZGcm9(SxYF!1Fq5-ycxFj=OuVBiG<e6m+dQQw&Np3la;?*|e7+lYDVp9D`kR%w`w!K1=8S!{rV8Z6e2FT7Xi zrOPcA+uxwQONFfWpg3cr)`5x@!M2U7x;0};hqhOFga++9Khti9qNrd%`v_XGzQ<| z%>nG%gC4IAdBBNn$WWx-?^m+T>*s}9> za}4Tj_h!nudpe~?7+nE!dkax}g=Ee_1{&5svci`>bZ1zE8PE>|a+kb+0P+*vRzlO7 z)vi~-$GnfN``~y-CRH6ZFf<&e5I)ycI z+<;ZZbr)UZA}>I$U~beSo8VEhLlkV38Nye~;lSMln}EZJZ(gECAQyA!G|9Z+Fra#! 
zxv-#HfMgf20o|Wj6(dYu=q^r*pM?155T}2X7A7)sMKK%B->r8Ubf7q@6a}@aYH17` zx&DVR^SR)ZCYc#VA)e=6py2nP(e@aw4cc&OH%C&5;+#;^ z)dzMw5`muc-}mk_YMj>4EULQ}0^eb_grIg_dQJ^Gq-Lzt26Tca|FVQ6{V(ccFk$Ew#Sc*pjzH^7nue!D1ud$ zj3V)chJQ)Ai_kwn2cs}ti_J(`sW(SH?D%5={7d9l_?pc;PWz!d{YWRYKOX|R^WcxY zD&gRCb7Z|ky-0S?vuzDNao_rb)!#Xtja```3O`9`hN^iCVD20r{!5GRiry|k;=WCr z?#x7mBa}54(}Xxs5x3Nb%8lx|(!Qqdq9j*!=3K*m7}X*ZvbwW~_?k3Np@Xe}q+5Vz^Z=O{O-M*gF2 zepL4^WtTeT1U|R?fIxv#(&ZeDnnJ}ANnWu~CeP`9%8Rf>JF-Tz%QARnfsa$KN%yN=%}b!4H~Eaq(cjvY!cq) zTZ{hEiIPUmK>OC5PKo^2fBCK&%CvD%GEIx&_JxVrj#sdy8LH9;J*Yo2>{+!)) zDo1Ix`05G1%Z5eNd;=rZL&czpYLSH?6>K8!7egZR<<=G6NRt|a1}uZ=_Er>Yine@N z224xJR%Hf>3O#ws098k2PTcrs)f{Wamc9Oik?iUv;YyZud~Gil*4k9VInJ#}yN|q& z$*@CQB$RR56xK$9>dTMRm@=$VgY=AE)OERl--T~>KS(PGm~sm#B*;4vip>|pG#Mk+ z!&o^nKDU0jPNPb~C#M@(HPHBNo?+P+DAd?25DR(BX{~6I+13f1dslY3VaA0X((45o z_=Ezlib2tM^&$2?{*Tx@mO>8$Jow(EGTP%icV-;mNEejWaS{f=F2Jj48cnK$qz7G} zFFFg1`J6f4PA?ejbb>=Kd>0tTgx`Qz$~Zh72f`FdGeo@2WI??FPbr7{&@Tad4MW>~ za>Ca=MZbUOTrzhYZ})2n<}@0BM$Hq1Yz7`SE|X{Av~}$hTJSax(sPCfDBSyEirQ+U zU|-O5q72ZT{fB<@{src*82cU9bZPe-w|#_gZ7+Gc+i(7{Gw@p|vq#V8t?s?2`ti4M zCui0eEzf;=5?EX5942sD0<3d8Xh3G;ypFFl_Shj>TTv14Mc-XK-@J6_DrlPgTIc8u z^zOOEHG-_ok%1T8`T&q`+go@duK#ep2_2F7Mz-#mohr5UG;fM~S2wxhR6~xInev|A z0keQvMaOoI_plV)tfm0VBJRt;w^N{(u8c4P>P_2>o?k&+?uKy^8@}U18qI+>`lZ|Z zo7iE8b>hy}?fzZUmIklr%V<`b{(gOO6qTS#pv%gM=oY9_kPzT&cb^8h%JIkRak}20 z4W6Udc7|+C0DK%8{`~{bZd}(-sWfiuf}ijV?00U!$#qKK-?y}seSlG0YrXld;p@Nb zYV6UvT0J40o0s(yXS~&rrnQF0KbCz|Ze7l$&Uf<(t>ZO5hqhrwVVt}JUT-FkOUC^B zTj53zKQE2%A8^JT7j>h+Z!x33$gdx&`fcm#?iz8!p5B0j)~#88QkM;+2=_Um_tcqG z$hvZsF@(H>26*1MP<+YOvbtc+;x|XSBz^n?FF38|s!iebf7b08K=mp4oznnvoAMtm zTDcCdXqET^?<(MTyOhqS#0zTmxU8Tch^xp9;M_R}!beR_OHIGZ_)`-LxCUr{z9P%? 
zoJt~H0TbKlJeL#ua5CVnf-Ou|xCi8qgi12=XxwW3)> zDtX5`i1GNq3SmwR=z?&XBk5NHn$XpH z#XY#wCUNg2plW$D*rk0VjEdX1*RI*){|UEVAgV2*A{}<8GNl)VXRGgX={qc>$k*y1 zCKoGF(=6QnV8Qle^s`%@NFj<)H2oD>%xCf14HZr>Ra39$7hdJpIgFU`ihputOEdV5 zi{4Z&KDW>g?JVOEskoSn2;ZYLe8OWfEI%BZyd@tEyKpv^15~W=SvqvUaBcNQ*jdqC zsWPny2bGD-BCbsk3s;d_?9rXBBhU3+rM4nbj+DvDN+Kuegif5op^B3KZalNV>I}>O z*P~BT4fod$$1C3$aZTjX=%uu2)iOcyLB4k3l|JmEkpbrb zk5<&TbvaV)ZXvoGgo39qzY*9)*YIYIppL&d5|!EB9TLZ=nE4ZDmS3JYfROqRV*Is^ z0yoqVFK5f(^$$SA-T9j6O!T(xKeF%a=L!geG*WfDZitRXaEt}KlB}9yPyd)a{&aUi zcg#JZW+z_yzG;Vv9gfY$f^@vw8BVZGDU-N1ZKG}9pRZss#;wY`VM=uLO0OdI&j;ys z(4D~qpG>|=#PU{3>UblqORUvB^a~}^&@;xKNkk|sMDC6RRnmGzIwGDwWq#?K=4}Bg_--A6Y(Pok&sQowjMNDO~Uw?xz1Vz?#*eCPo*KabgHWm&>GqIc#`Ut=N z$)L$ky_s$~Q!B*0I|sB!c$gvrq@hTviXN#fi5ZTK)31ZeA2#*4`fw%_hP3imcHYUU z4w26%Cxu@q8~AO(@e$f!i=tf6gkGDn=Q6W=l2`bqIDZ2HD^6O3U(zRi^m2e9#60@> ziSw0i3~(-rL-#GH6f&)t4S39(6GErIzx)jS<_(1MEMz9*LY7)b(=EUq)pXL7MI`+6 zl%u?`NZ~7?d~S%3D(*U&9s#Z9%=s&c?#*!M*lg&eI5XpbmQ{F!*-uDrzH|er;P>uV z3d?kfF%WyJlME*^A!mzc$=aO6RtPkLGR!@vhfs+a49{1DL;@4?xqyE*I^dMXnlihj zDD>;-le;o@g%t%&P4%pNb%JQD+*YI^C%9}WM(q}xB3aE95p1rBRC!qzC2B34Yju(!2d4?zskF0d%oSDsoMdFVZePw`O)O|aFZk>ACYwALowyiZU*^TPwnko<`@?0K)_&Vu zar#})jha8!4?Xv!UwyF5)>j;H$?}WddGrQ1F7onzl8;~Y^z#Q?w8}X{b?$3FyTm&E z=KUW#{pd6JX!*6)dvK%Si{D-I$Cvb;T5x6M&GpY|+~@7PcH@Fa)kn5G@8s^Ueskst z?d=VTQ)|9?+X6e>x%K{6EI0M`xO}npOUpg9-Gaxwyvr%d4#0Bx@z0kA@$FwV zUpn~keSi7R^?7i;cJs0C-7!q>SKVrZs~$da2mjjppIoayx$N$R55ME=AFOfOE&nIXPpCmsbDPee0E1SbzU}Py5Bi$2@e_r%fA2o{C^bxzh?h|KH2{b z2WI2{S24bT|7bb2L1CY^G4ajzAF0NnCAtEO4ugJv|4Ba0fBN4(|6wMj8UvLaJ&|hl z`Sl-he(HaCf)c$#kFJ&EHizm%Da94L(*$9rHi!A?4uw~Y;UFpGVcc>nMVBv+=n&{< z%SaUgJ#!$kL3_*&n-U3kDXof1e9CAm6OQUSn@%{l@=a9?O!{R|9S zT^e*N@=zF(TnzxTc@P<5t$y4riYe0U4;wwY;{!DzI~WLrX3|x^(r8y0RO|BphrRcX zd!8)&xVZrZ!c?X=Q>GB0nN7n^o1|%***0xc5lm;Aoi=IH;Ddk+ktxa&P#HI}LAD@> zEJ2na$lgPyj2mRb+gn~92k^>`its+y@yFHAC%xLwndCf=Gsp4m@jHl;in_Y*7tFq8 zVM@uxXg-ylMKcsCa&dVa1BG&2;;VR98yQZkmu<91`9^F&1qZC5jKg>=0o77nnW;vS 
zYZTqcZm9?nkD9I)<`vLkfkM4RfOWBvDhZ9jxYW*>Sz)9Mf?9}41I%!Iy| zpC8DnNPsyNWl|kX_6JBi1=vKp{4du3Oq5|mx2&m^t1wd*;o&A)A64zzpyP49?CgOD zugi|!PC9raKk%!xZI**U1Dgy>n%5oyHW~L3&F|Q1pD`6j@FGdiv-Gg33zbvL0XsAJTBH+^A3j z#TaBitOhMXO$BXaj14>eQP1l5Qnm^3l}54C7TQ%rF}gxb4@RZ9-}+bTf0*1N{kO67 zcl-y;HxqeI|Lyb4e->xE`78fP7Ki`nvN-DXxM?&7I-Zpuin#_f^oQf3sv~GxRHn8+ zMd1{kuM&W6R&`Py&5yVm^kdGp%SdJSlj4ca2CnFT=11r$_ zxaaz;q;j_E+GEO1Nv<@ia!R&c>gOF>N5cw3RioJ#G-8p>S#4@6AbqVJmHd7bGT@kC z4KbK|14?_^pEvFAEgHed>H2$^flNMdwA5=nwcmSW~WWDUE=DU-bltrG1tiC zM4#8E=F|}ZwKa3Pq9YB-AWDzfG1SRLT3M)yE<*9xsMUu_Gh3lVKA>_I7W?CVA*r_- znx~ZE%BYS3m83t!1kExE3adGu-C?sCjcw7OHW+sjlW*42259CKrCeg$9BvzJqg@6S zhARx(G?+sGm`#^QnJUcS^|6e)XqaF|$`ZMzP>a-R#KL$!>WyHN8d4p-BvWQW8fMqw zD`G=s^tuR$K9+D}M&tWjL~&-hUu@LtoqjvpVtF{uo4AmY+-oB_6V-c?fNOp)Av4vk8IZPF3kE4ZTO-Xr&oY%jovR6&!#s1CXAbks zVV*h6^MBM(ID>r_`OjSb@6)jl@}F&1TJwz00RJH}*{=@(tSRQ$4e^Qp~?_84vS$MB>#{NW4p zZhP7oj+P8xKKcfKi7QY0^0m7eo1`~B`>ds(*k#r1qo;rIi_2R-IcDqgC)(Z0yHBro z?Mg47dv);Cao^n5Vt;<(_0h3AZ}HNh3(woxTJzk-Drf!ACE@EAtzUky@TKd%uy1z5 zoql!nRmmODS;8I9etYFxzWA=U^I_)0zqn%W7w=$}AWm*v`{eOkZPWPK-b>V;-C(6- zo?6FwTD*3+`TE;EdDclg-t=er$J2W@Sg_9;(ET^EwA9ndy*F9?Ab1Ii! 
za_!bq**p2%*Yh!z%4b%;dRK1Y!Nk@tt@hHFu<4)PJmZlUuQTpA z^o}>*`o%Jv>|3Xv+JBi1`~O(~gZ;Pp&xh#0%?{4_|4+j{3I8djMaBEv@t;Mnh)~t0 zV$%Qk^*`c=_W$`j@*h;9t%;Zjh>&QD%YT%`;XhQfrgSQTrx<<@lp-Sq6be=-mD*h2 z*QYMpiYt0Sn~>=;tnpkK^@F@)R2e2cQqxR1RWCBFOpPs9!y;(UqA-u;0eh(D4X-!l z!$>ZwsfO;Ppc-k|T+l44)!x*Wc|{b`r6d^}-F}VCc|(Iud~p`Q1q~V_fXFW89Mdo$ zcTkAk0SC4<2{a0IB{!;sj@B_sirjR=c2nn=GBrkU7A*8_7H+U@0ncd)5O^ZlYB4FS zj8hG^#AIn=lB+l-SW8XI=pc4RJYTiD5YwrSxM~w8t9g^^^rM8E4!I!;0(x)QqYEP> z>}Mu{Mlr>-7IQrntQOG%oA&}yESf=-?c_9uH?6$eEt&O_+KT%`7FH1%18j2I`q%gm zMGm`B&dp+4zt;tk3dy(9acIL717bQW`_cfirnTHu%CWA{CpvkL971)=8j$r7WJo{- zOY*qf#1f>axmpmzo<$B)t+YgThJ8yB#(g7{2_#$S_btJ$dMUA8KvYDfm8obmybSnk zJncz2QZA0=jH%_&At@jeel)hyi*8 zTvD{rl<(!H{aV#Eaj1InJzhLz8g8sfSSS;!HN`SEag*Lv`F%FEM8nad--&wudGAOBgb?dE^^kGNRV5uh_R*a6N-Nbt_*mLeQp4;Z&@a zdOzhighX`~M?^`eB!UR)eYdKmyNnEUYYwgtF^CE?QqmS@`T@@B-22|Q(B{K7R@x=rbLe)xkN-b4aRWG4J}8b zy^c__a!xJ7goKPGgeSs64M%j2)H6gEG66R6(t%m(G<0R^2uTq1iH6NOpqv+FoO3*C zh?{N}XG|GvbX_&AfhneDEB>TjEeb@7LTRf# zm^N`o9JQP*UT?x3oP+v(znx+_v)ymD{DEE#8)xiEvsLF?y)l(bvXrJMbF62M^~|xJ zIo31BdgfTqoV{--oWVbn{AVuz_o>(i`OnT5J$2}RpZ_2jf+GkFXP}S4fAGKOKN$2` z;6LfvEQW{-LVQC0bH>*9KK#v>d&T;1&f6Vdg)Fc5v)8%!`d_`e>vp+wFFvqTyMZ}( z@Qn>tTyP(|-??`M50l3sz$17xJ^dH!lE=<}eChV%*B$oYCTnPy{t;jM!mV!4-v9dZ zCv5)WW%pFrrixt2KXy&}-05Sx{@|r`?)&vnTdDL1V6Wf(W~oE>t3UtH-sk-I2b1-d zJ-qzNQ_k6%QVZ9&m#VJDe0l9J9=~)0y6cyxH19m*-qSZb^p>M0UoGDMt=!HhYmXjz z> z9nIsGdUC;<+wG>1h>Dx4z5o1mc75{9*M9KRYo5Af)#sP_=?>T2wcme^|5&R-e>(mf zMMxT7@P##Yc{_Rer0Qe8m7h8PsCAuJa=$tH`QXU>cc%BRedUe&pM4gw<{9(m-E_mz zhaAYfa^;5CaCZ#vU3a6C_r3ST=IKA^o@0ICO^#jSyJzpY5Xg7X* z+^Ijh_mC5gzW6bI`7apI15mc%08cz=EIj?Jmv1?(RXhy6>GpGe@$Q+c{m&XFZT8#Z zOZ(^c7p6a+|IV?mynOA7E$OhGUOIZ)=U>dKZ*7=+DY)(0`AZyj-WlIK_rd5j{IK~a zoCD3jde{3Gp0f76=e+h5bpQ7*wD31i{Nwe&w{KfDTItQs(mS4e;vL=Xjyz?%L!R67 zguy*O55E;0e&bFjU-I~mPAGM+dxO}R`P=pXp8x+0>c7qDe|{?VN%)VdVYc}ZKTiMb z@}H?-77#HJVA0ejAD{nxNdF&^&VK&*&nzA{)!8**X2Yfym;b1X!+$s#3=3u^2TGhJ zYK|QM>AYjcXePmGrcKCD+iMCV+J(7%1)0SqJrM5a>V304Y*l;pYK~(#Dm4+2gwN&# 
zG9i5tDBv;P(vv~H-Yc`&QdSv5Nxegk$k55lf@C1Pp26J;HMWN>is*3~s-_qWoW#m# zkjtP2KmrGSu*i!2EL2N|1ujc&DY*uydYv*;_Q>p15VDo3+NQHU7-=k1 za?xDc0sLT$WH=U)%we;EqaHSNimkYhn1(G7>gr#%D|isKk0WM_!lZAix>JrxKp9{E8wim?LQjgkb*g}Hj8 zP)OP-fX~bHzs7%ZRgsp(9IqeMlU)Fd;E zz^y-0jG5*KwFp%dD3Az)xIC6iArKNa7STlV4aI|1QhjQN-A+)gJ@e`zMLJI zZq2I|7@xzCxII=iU{aWL`nO$r;E#ALC*u)yBEPzghpSRbG_boU8x&fBBCx`TX&p z#oBKE%6}HC|4)wz@gYKLbOnH2woFf9ykIrRbgj~{MlB&7R%?zU#d(3BHh7$yWJ?o; z;GDF@C%M3f%!1bKGwGS<@!yZeBQBpT3FGxNd7OtOuHMqrre*=-sf;xGZ5emq45=`ZhGwSGXq@Q@LAK^A%!ER8t~+ph zaWl=JCX?=Z8Jwh=DceyLd0GWLEw1;&mRF!u{qrjLVSLggjm^ z6=MoWi{oOVWu~6kQfY+mdHIfzYud4|!rsW@nv4QD=Cq|URZp*C?TU@py4`_PkHH#| z8u$9Z*b;gTJLR>86)jVU5o{t%=a2qUQ5*x!T1`D8!Ls zn3xUyPj-Kkx zR4V0pB^|Kl^xx)S(HtzAgGF<&Xbu+r|JzVFlm1NdA7n27_i5M%`OhAi<--3y|3RTN z43i|eNIvbK@}KlS@E`ayz<*}*IRisDoWVXJ|M||>FM1&N_@O7O%F!#|4q7YpE33ix zJRx3k*(2!kg)2Mp!Y^I+)T^(5n+NXFH)p?pS0uu5r`oeBhR^ZTQ6Nx4!w9;a#@ii$^T?8eYbSiD*2_pG(WOVdiLev%d6Cw z-@ozZeP6wOP4B?#uKs%Nz>SA{?)~5ixvQW%Ht;*I*Z)U2ap(Qgr(Ji_CBXMjj27N- z{8r0NZ`<;T9k%#|e#dyZgO1;I=k<4Z?&00CTixD!SbTns$Jh7Q#UELI$F1JJd_O#Y z&>h=sb)%{-Q^LMMJQ3ah^ybGr^vZ9}+~DjlzVIfw;e|_{{MLn6Y_#JSE`H_aKOFI; zmyf#U@bUStv0E;CB++Mboo=2K7n z?fQSu|9=Mc-{$)Nd@A-y_)iCIhRu(NWk19GN1_E>ObSzR7K(m+{_`RIe?*%7{P7=Q zvPc6?s#>#a&|h5sqb&~qX(?l{8uuqEQ>u_@8Abryp5kq*+_MX1Cl%vEHY{f8P96zG z*XMhDt4q=ux#h6DCzouaK9LQ(l$%9Y#aeS@PsJjT>&h9M_VeXp9H;5LRE|1)(n{QB zIJ6l9oDe~V!oyOX0@LMM5)?9Ge#{3HKh+Bor!X?0_gO(@A==7!!%-Ep2X3qEK(Zax zg^)nn<4)udB$U!}vEbTns?sI9+0nG8n`)SnYE2SoX9tQhhE=`|PQ4f@iep`~@t{TY zbl$?CY6EW+%b?d!aRa2;LX#xOG)&h`H`!r8+I0$0tZoDge$;?{gf68ftU()AK`?@8 zHPx0Wsn``@t`+NyQq9L5AL_EaZ95h@l>2=Ri+!Nnj{imelO@$uI%%W`)@tTQ2%m50 zb+w+<$`s6jAfz-%4Ma+v7Sv(IhykM{unfiPbm|J>InbzC1+x?LXx zk#;BlX8pI8Zt)XnE?xL}=0A(G-TamREKdKQqB&9H@@O(mX93I_tCLLJ?gmD2gmf_1 zQBy-2Zi#%KgvE{~rQ3DdEZTn8{=Ot(3L9;P!D28-3C z9Md>iM8h1#>0MWW@T7o@DFtlMzNazSp2dypR%V1J0U;?u0;HXZMfo}>>!WUV+)3+N zq02Unnn;amyqv{r;8a3$J*HAM*>n@eCvpu-n?sqxC5NMoD&Wg{CSy`$++pA@2$h|x 
zmbW!cQ3qD4UG4Uf?tn{psuWwjQkqS=BNH-9F$>p>Da%aUE+`|6*1W)4@m~E%1$&;yEw{>MyQXc#Noun4M3fcCd1Nc*R8c` z>}*5R4BPi?tE?AnuQ1~M649qIMOG##q(Lsirl6D(PN!yb+##442N>R%7VS!Al&5nU zK@|#9Fh#W|sOUt~5!pqCaSKc`Lo`|N)?oMZeIaVwlmk-_(t>1pB}oy74G+^H@xxd>HbTdv_>H<+N zAG&>T{>cjuf94%@pS$*4cGY|JnS9(e>zh ze|li^pKNr?FSL{2y#Kt%k2oO&lIFYXzV&2Bdi%bmHoM?^TdeWo1>O&(EA}ZZi3sFA z(6&!(jNYDP?%Cwe{jv6Q?cM01N3+b5{EA=Qe%Uoox{H5u<6XTXU)tcIude^Ac}KNw z-TcHe{G}Sufe+Vj{_T3dp7)>QKijRd@1a{Qx9#D#!B_oi{kOUsRxexOz6)-B>YAIM z{mIgbbIninU8FPKwJ)9Qy;XSCZQJbg<-7e;uUTWu7ngcro70v^|7q1E6D>W-V+>UPVL-{cQSKd|7{U%u41kh^Hz(=I(Peqlf6uvhVSzOeZf%OCsnufzi` z*lhgB>X)yu@6H$FC%;`>|C+~~GtlBw2j8DlwyuWq*ZSMII$yG`~x`26V9-Zr}~`1;NV)jEHuEWNrm-uic2cc1+A zk&Vlmg)28c|EObD*n18A!j&%=5>MPcef!RRg99I)x8eEw+;sMrcVGXpd%~q}=eut| z`1;?j|M&d=e_8(x!#}A1HmCpjsn{psKVC^{xu3iGpG2%uv)2M9(EY{WKOfTn=kv*b z(Al}qhT4XO>SF7^wHJr~3?&b;M^aP4MYZ2;4hxmyTkYeQ=w25}*R544nLbvGk zrK&U>)Cn-nRoZok@@iT_rm#}2U2&T^&XHv-7f*nyJ(hUM=Ap6Bfw~ETlt=KG)G7tD zRqw@-AkZ}~o9V+0P7TYH)J!9iFWR+k7B`JdV5IfL5L;G>2u{NT}oy_Pd8A7 z6rHlPUZDjWbQDc2*Kqt6M^~}Vs8k4RScT%FKvIA{q~zs{9dW}hq)Ry&0WSjbf;41hpR;wnfF&eq@tT1oRL z>FXnIYIXaFf|$*#a!Dhpg^lUF8VM=PH}{nb=eJspu`E}6pBoE6n-`k1VnI*?AHSU~e&i3!sAw#)~p z>Czz<&O+CII-CXRHm7KvY}3KA(V)}iszatOh3#$_GaVe04S);taV| zpvlI+r2m#)#DBuS=Ra0gD1TIowf|dr#J}*L`18kq7HhltEB{%X{y##&pr!=kFp3Bi zp}5FbBaefsJk1qa8WIeMmc)(0a)UBj6*6an2+eXxbJVSaGAc|_$Wo)OTTj;~anc3y zwNVA>H+^@^)bm&?5p~22L&l4fv}cKvW`-ELWi!Mi! 
zN+oYnCZ>vD!$k+7<6!2`2Fz3!lqf~EbO&Z^)9;mAmF5Jud>=9=ywa}K$${C*Cy;>x zgrCmZ)NnFw)oIEMk%H^wsJ=GN)!lsFir6M>u%i?OfwVdx=t=>}tL3I-xj8HEhFCWS zAT>K-D)n?P9=)&sHWG3l$$uK}^B;z$ByVIHi$f^G9???J#icKTB&5cG-V)mF8j3NfE9Fc}m2H2BX0d!e&CBI%t=8?S{?zkb$C6}~?`9o^ zAi8N|fY~K?T9sUYs`#*@JD$k8vzgD2i5d@w`g zH|9OHI?5z{Ca4fDAb06{Gc~Gn-DZyqT39@CDYg8D2=IeNM{b|%psjQq%((f=8(>u{WC-1Oy)Dmf3Ugy-=|?8SQ_~l{3r8SFg~Ie(a{# zjuS6jxYE3v&-~s)z?U}6oW1P*FTSn4tFpq%^pEQ5Ih$T`+V>^)#A~lOeVbj@fS*4} z+G&X~cET@`!6~=ye(zD=B39V?@YUYf?98>#YhQ70csPU1Zw_Dn@%8)P zvL;;@9XdMA5PQwJ;(j3_>Jpt4;KK3cONJ3&2o24Zr%S${|D4#3zX?`C;W2j z;l5j~wA;fkNo=Kl#WzJ3c#KfR}mxbTWHm(SPXa%>7&ck(G{+ zE)`Ba`TP~$S@q5*+Sjh~qmwuL<;F6lT_CJ~v1g0^DVIO}<5zxi+=3+z`qol6zO;#> z{^sN}*|RoMH0METqy6v5|9q1^vA%xmK7YLabn>7be}AmL1+m@g8)eptxBT-%=-Sl& z`X12D-+tu6-^}0p4~Ga#Ui8Yt+yCy^la?Y6RPHAp0W9jEAJIuKmFn6;0>#6e8IXRxc{qvyZ+zv|Nrg!pSk`& z|1J9@{3nhW&G_8$A4o6-Sfr^$pw;AK^B?I$`u~V@@$<)jltiiuu(T*CX%-fj|MVAw z|Ik!FGl*+8g&QdCPSfcIP%F1&!odbw5R8Lqowp!t%yLrIMMWcvv+mIALOx0|a8!WA zl3`+0x57_-p6ktSx)oLdt5HMIpivb>#4k@Yq%{WNh}H=>iHC-R%p$~&ZJT=JWTio+ zC5}3NC{7YwkA%ET^_ng~WxaY4)hVcyit&ot?6uX1Zi&@Ik$WC($0?!|RI`QxmHK%K z8$`|iFljfS9*;pj&!+o8L9Z&H+^r9r^}MR#S#gln8ajj~?b(yca5U@%>5ODFot{7G z#H5bf7Q~@JScFZiJ)jZ?Xqq?^4mCH1WgP5UR?>}3r7PFX!n7)i-Bht5%Z6X+Bt(~I za#*?F9riG6c1n0J8DdlmFl)tsk^kfyekzSg-CivY#H86&7_Dh|h;92!(BTX_F#Aa~ zrO-AK4yCGz*rie1u4P~v9##pI0D91%gpsLuLbDx@)CNXRh%Jslhru{O`(AH42v`+V z*>bbkLYmVeL2A;X9^`?nQ02@h1~9%0@>ofy;l%g3dNvgrP_w1OV#G^&5rJ}aO6|6W zBW5HfwIQrSq#z4ao}c3NX$vMB00nhw6MsxZK`6v>L8WNEXXy%~v~i*12}+ZVY<*nM zR;7GrR3F#%@~F~AIi@&m43LBv1GPw{s-u)XOx5C+Q)%b(*f8YtM!!uWh{19#Mhfl1 zSdKWA>oyZomep3pQmHl!OP)+t1hltd$qyEzQ2WdW^IKpDzo1x?7t?U>LIckswq=O$~{sji2VR8rrW5^RF!FFIO-R*B;*UR1_G=Hm*A4sCP~Y(qV%N0HTqVV zo8%grMKzNNuEvt#^X-NMOB&m>rmV}3rZk*IBcC(%3{b9R1FI5^TC+8;rji~@ssl@n zr--B@walmkhKVu8(@X=?h%kV;iOtIn#DkMO2sbNH5#aEU2^@%N=~92(P3N_dSPaCT zo1J#aEG;2=r{rUmo?f(yT3?RJo{}{*yBnH3s@9t+x-8dILU6>&+X38e3v35s?|S#=ezmKy-=}tLY}lc2yWt zCsG|_tr0MBlS;Gg`#fJ$u|7_YYNSGR)R^T|SgSw;rjrvpo!6aUs`FUIu6b1r&DE;D 
z#l=uFmji5#@`YinQTFU2jz*I(9`osTzCDbZssa_ebvcI?OHphpsj!c?>TWw%0lRIY z!jyA<(xU-V9;NI&l@w*HnaUEwUc)BoVs0R`@|YG`3IjK*O-hSeoR{x(daf37`XDV~ zEu)`GrXdSZWlAClYPNqUc@$-0eLT^bsZe0Jjx&nYsGE$&vxUwxVzw|lLRG_|k!_gO zZq9Ccs5%B1vOVtlI*pa>Y+@=h&6e6prhylPRD_h20ul-pfe0HN)NadjH9&K~Xbu?7 z0i!u!GzX0S4;l(*$j>DI!RPXSpN4&q|Gcof{px3c|Bx_|fk^`TIQ@Uff8ampXMq3U z(CiHG41%RUA^+KXBk1P%AY+?a-QPaH-7~?1H!OMQb^HARIAwiI0pDI_UJrR>hb6bY za{Diyb>op&AAR>(!|)q^|E&|cyKM5qKfABJxy+y6ohXl9uROcnF|P{w&3=0P!VO+N z_`EmvJYvVuO*d_@)jq4F#gj&lY}#G-x?ApD@xgs2#&?fX3F#R<#T?u?K5(s~@8rLK z)l;vY+96&}pZfwY@BZx4_q&^|{LT~5W@m14`i{@Wr>!$dzI`%y#CY{re%RgQ=%b&% zyG(BL=nbpycHb+9e@o4~ukhkM-+1f7S2uh;_lrHBd$Mxe8i#z(yX(z6-dTFy#z!x= z`gUKr;*_;FJ>sxKDgveyg3aI-W4JHt; zj9XSP9l3xpst;{9Rq()!nx0Nt`lM?Gc~Gci8tKX)D+sQeZRclUOVrD^qpAsG6+G|F zwt=pKDRkKc+=(#3W-+g+6=624^HzW*MRl!%=dffyW4d8K3Qe(MD_lOD& zR>&!pfYmA(1KEnn{%icF(5U#d#_@fy8K9V^RK!G=JR_$o3M<9afGkE0u!4-`s8J?I zRTztN*sxO43Q=|zZ~8zog|&%QXclTnD3aM;UbY9>aM&NaX?Zp(6f3BFe@eLyq17T9 zXRQpaH0%8|)J*Dls%`^ih&L3hU>i!3F61}?ai?B`W}BuKKy0IDGhJxZZxr*Pp&__k zmwOG~GGd7wWb)=X&)Yx+V>rRDSCmq{Ox9bIwr-6_8BGxe99``;LarPWvuIgnCWesq z3#tTXCdH9dtcHbd(vwg?lS|mRJLY_^qbR3x6rK&bP_aLe5wlcMrt;v)>zXk$9z*XV>5$rL}pkow(@C*PrQL| zb+aR@OJ>tZF4e4$bcCG>LfxxlA=1wRf!()l6YizQ?OJYVgJ{Silq~g!?ZlCrMA}oP z(*P~umAcSKe2>n@4JAahRLO)4KI|Ak3IbbJ*{v7BLf1|8h#}IErbVUccqB!FtkQ+5 z*ub3F1leJ2&(0;%EhZN}1NAVx;eg3lu^L!}( zp_7l+diyZU131l5Itc=do4|Hv+AmW?A?DkB2x44>qr-@4X4)w??u~T3Jj`UIo(ucA zE@^>urY>q`0l;+Fw4;#c`;e;5HpYHWbTaipy2G@FAk`;93h5`N9>zvG$;&d{D%uuB zGjJ=JT9iJV%v@}(Vo{}TiL4J;j|_vE3ug+wnuSvxrJd(T2vaL@71Krhk>JOmo2f{R z+29?TPLGiW1+=SDCQ~X{w%=>Z)j~d{O>89{`MgAoEV?Th2uMmU*EjRMev&I2Bc+jt zVXj0q%bh|lRR9FXWvkr*Z_9MHAvBnDkZskQU5$ZrrJ!Q4sN%ty@hr&B8l*!NVlG9r zD4Y)oeGFI4Vglp~uGOuk@(>dYTO4T92n%yFJM&NIh(<~Yxs{jZ_$e;oh( zbN++kAK*XGoc`OVV$fbo-3{%vPZggaI6>ktj*&RNsC;Gv zXubFF$(kR|fBqK#AQ*-cAHYAmed@zcr_%_$Xl8HzPeIT5f86yuYZ<4naK-bZtKMAV zj1^a3@y?aL^2600DShvQmX1DFY2Ws>9cTZn?gVn~bz4_t>@sj&)0{}Px)KL9gYF$~ z9C$r90i^yO$_ecJI^L>S-94w7oN(jbcdtAbio&ZH}~0Z 
zZSbC#w|=wy#HC&L0QlD5|K~stxzhGaLe?{9TwPi7lzp4k!=OX%J#*P-ezx~!wfKrv zZ{KYf<;c~ob5801z6h=U*4sOrUq8a!v?ed`cGzaQZI@kk;b@6(y_z}wySLP?di30* zZa!};pZLS;p8LjQxg85cd%SVM#a~+f!0-RAdesd-IN{E# zzw$BG|6lz7e-{7z^ZFm?1N>)pbk6^O8urfu-{~Sjn&IDy6NRD|K~nM&;zSPpnGAfz zY8w}-YAhxNSfZKfEZA!aS?m2^uksQ62cL}qYtU5&odvTKF`=d+t;`;ey+y~czaC>^ ziS;J^CKTrqs`%chv?^uSs(?@yCd_+4s6bObt<__H5m{+Dwjq=Y6NdWBdmK&KLJJl8 zWrT%huQ5wgl|^3!WGPR`LAc$?H%EG-->=khQ>Z|b(tG%Zr*mbcm1m*9d}$?HZPrD& z?buMaGW%dvK>@*3QEAb+R~1~Ws+cgf;@MET?+sHBSjdhR{SdiTuUUG1_C>RxSE>B% zH7FFag%9vP=KsxFWvE5(=lZ3;WU!3T8c)V{(qSzkDAPs-Z3#fnQ^7O{M#J{7L-mVO zvTou~-qi9z;)dmXBQwa*ZN4JcV58~MLlkaHW*cKHZG=q61u+0BD&ruwW`}oSf$89X{75r(>;A zDc74l&=X6eY`a!$cXYH^DYWAVuQ;9u7fGc7nnX!06;wK8Q^HUHI=v2+k&6ghEM*0M zqUZ!i>A7}PO7)P|?C#-pwL3MtY0?Wsr-ueoI)dW~mCXteHIj52sFcb$j|D+rL+v_> z^M$rMAxdGpMRBzT3Kku=ULneP+7gBpBe4yVfsIZ9?G(+!L?dT_Yg^sV`!udVWC*gXArH% zQDCW(gRpTrM`lM=&@l|C?&S-DpOcszZ2M(^iWs{e^`lNLhYZI=$w1_KX2Rx-IMW=A z2qys%j*!&0VRyV@*eF73*{_F|37k$A)V%F7S-m8lg-7J(8m%xlbu9N|=LdHQUSFY>D1~Ehu*Xh;&h1#F&BKI1B zf9GD!D&CpSX}|p?hbYnl`jPC1{!Hc-7k8_9pZ(yA<7U08l^cRRu$@w6z<@Ji31t}H zl(Ut#N=8T)g=ROPnJwm2b5OVKY=TqieNxD*~A)DuNO@ ztk|AZqnqV$cEJd|YBZprfZMeOWl=6c6HX3+rFysQMzLr07|tdJq1rA%A%K=SzFASm zu@h9CmaNY9MjEbLP9R1-lT`}sBG;@%&M+vT6|Ip2-5xjY`w`cw7W0-k$paIYWncw^ zkoVmzWKGJ+N4Qz~FH^h2^_5V_Mg2uBet>`4pYv1{U@IWi3Wh>kKr3a# zEloqJ-NRfA?9`oZsH2%l$rLL}4bH11oeZ?FGTUMEV?;89Nf1S204|B?5>_R<1lO91 zv!I~R=uD{uMk$a<7&oW{MU8Eznb}iB-_AlKG}RkKeRiB4s%p$S6QDdwIz%diOd%5* zWpF-{i*lRPv<3Mv9XpRHTaiIU}wkUi4S*-s_&(;5YD)xc; zpLJG#zH;(^zy1fuPy|O&DDyGue@N)FSpSoTNhCd+`S>TS|5-?1{P?arT(ysR@x9k9 z++c9!MdvNK=ki~uZ}jHy)Zx;*J-G2s59~;ly@zYZZSb>IHv7i;!R3!Uz04&itoPtg z=54X!PWRq>-3=$5HUGG8k5|5UiHm+SzV_r_F0=p5n>_u<&GWWYPy6#tyKnMpOl|te zYecx#)w>=1)>ZS`d$F6Zam;!@e`1{%HoPq(r50>)-KEFueB~a$VP5%V`R?oX?*4uv z{Cc?pvG3jBfp2^bx@Z1NFGDvjc>6bxzBNwr!LIB^Z`3(a3VvH!9=Zokeq5BS<|m-&gZ z{SEmePHe7rVe#2*7kZsDe|N_Y*B)ZMF-i++>PHFhZ zU+wtX7E5f_zkAEGzcAhH#g%@uKX^Ls&)1e+xpm=zZ*5ULgL(dtCx7*)ei%=-KmLkq z$_Ql`bF8k`1C;N+{@h`&4EKNbw3p6(WgfWMp7(^uJipWJ 
z_BIEaYwWfA14qBG&r!?2dceYMH)faHZG|6yu=Zpd;b5wUH^l8fd3H4od5qc>=V@gw6g+M$CJ-n{SPdd0wPr{NJuF7W7hxR zfbgOEZ{p{#{zsjicL5d>VInPd{ZExz9Q`-0kVV;&tfdFSgfJ%Q5XhJW9&r;Cb=$R0 z125Pf?F$gpo^-Nl&g~ZDwyAm0aA;06HjS3>hA>EVDO)D80y{Q?7+?oJVbr}`I3x%q zmlsE}Bo0V~71KJel$c>Q>xq=fH}V1tRft?L5`zp_i%Fz39b>#M0@(uQ)to`6(+YAz zy4ex%YzM1hvFT<-vDHZ{Fhcaeegjp!Ldog%L9EL+(pAl8roA=`F+he&U@XZazRS2o ztF29)spO!(T89ekdMumnbRI5U#f(!=61S}CUmKM@-0>EK8wKA;?@&P=^ydtGhVHQG3h)2Oj+H8vXCR%6??Z8WxRHMVWr zS<%YcxnDi|%lQlDF~>1*jWN83#tjGQ4v`-kGK*^9vgWMWK(9TOY9fgVX`k>1L%Jrh z8pZQF{o|~c9el7J8qwnqSo(YlL8^QJ5@_x4KspFe7axB##d|Wj#^>bf%6q@m-2vd3 zdDvBHg|6_%6|;oKioG(-if7WnPn)j~X6bg!--MEodL78xn3)C{&R3;YkeDJnfEy`9 zh(;eed{<6D-!r)&l2>8M|M9r?1O7-#rg&!bS@h0?XSu;*emTH!dYbYeG&`Wgk!_I` zEy7%m3(hcFZzQS8dsUjIjFkq4CRfUG(pk{8kzR|kRF<^NY=j~H*Zi6{*&AQx#i=L- z%?SoIU$nCMA_S0l+CoLoib&EZhO`0KlN}5FuLb)LVNC0E%UOtX1AK%dp%_yg8_`x% zOy8AozHwWX4bsYmaFRcX8fsNPjXRgfDLq|eD90uR>v3E=Get`JAdgYHc^0FM7MmzY z0|wvu(oX|C;VO+;(osh(;I3G7yo}^DM}iDGN{+FS7ANW0u8YY0MU>lpc~V81&t1H` z7cri`kHG04xlQzYC||bSy1fegRjOqZFpC7M}gS*&|om7 z2oXNyMB;+HB`80uL9#qU+B(EdA*;A_cU+*IWnPh zO?HHy0)uATl3Tql(v*`U57mo`xi4DpAApuy=?kz56^{#lH#kMZc4Qf7k6xlaMq^RN zeI{k(DTox*Bh`+yI)JFCJvn?1mWNSpNBi!`iJ}t^l~Pve(y>OwUj5yNlC?r1kT>Mq znn+zc0Q%jZ)YCbe`f$$kTV!~IN`?0_wwl7PNNJ>>f`!}ZP8CYpXDjCrO=mFew5{ZD=#cpOcw0Rj>c|Sby03wTJ%NdNynMoLTt+x)eB+ zF6I5q0}z6XD87%)XW4;Wrx!i>3eARq_CHcJ8#=Tp0DTh2FJ0l^E<%f zAVef>V6auKO@_>M!{kn1w-MHU*M7?W&Ny%T_7EbK*WfIP=1?f^uqFXnh!u> zdZb^3iC=r_U^ZC$QPT4pkbaZn_b(PCLjU+-Rh#RD-<#ibu7<3iknIeFBHR`LE_Ey% zz3gsdwt4!uYNQD9*q5(hi_u9uU-4MvpR73 zUUH&lfQlEnk74`oR@0i+iVj<8xxKgfR`MV!Z?glD9qywcWh{?z?$3t26uFC#F^sI* zkJ;Q6%Z;ASf$LTsKws~d$v4sCu!CxK<+!>a|8v8}e)z}=$*tEdCnaZOR2z6aR4h$+ zQ)@;K>gNx`cbaeM-1HuN@2q-19KlVFy;Bc|o?)_Ep!Ed+s~LcINYcHnDNb*Nb~;b% zmMhyn15iBrE#0)4J016nm3r;8@5eK~_kCU$^J!MK0+Cyw(HJ)y-<`ou@~=fqD?aDR z&*j)zjJR5dn;OQhCa|7^{2Sl8hfe{I$GP^E8sIQD45Md|p-sm|3RoEbyVs?ER7>w^ z9B!3f-(?hm-uY?TuWirzKY+qKjlFpGtok8q*qjC|%Gyke>WhTCT#2`zMo~6MpqKFj z0tnU{>u$Ao%+K3uKd)yIp4z5Y!e7lR+NHDM!nCNE&C<)dVDHp!Pdlw 
z+d7%r>E-ByUiWdgGJI+#<=}TAqhx+!$K3m7KxvfbUKj+app|1PBdFp2fk;bI9_$#B z!IQv*86vopyV4npfzB!0n09>+CU2S)@}zT_bcPg_m;sREnf=@WP)ICZpSDCd@qFp3 z1QOj0*J)nHJ;rKR1V|nWKa`ozm_^>Y^H~dy=#YsHgt=o}p=hq{jhV9-H;Roa!ul-7 zNTO&8qb)a?Dn`1M;vfjNS|NT25`$0L}#TIf;pb?1sw|`Aa~m8O@jyyXCdl4am1R?^l-`xt(6Y2b zM?02BL8lZ-spv(p+PzHKlGefOo1>g36|OL5&9Zcg+9rJ|?l%>SMx~B#0A02NB)W0A zBtG&cYUzGyEogP(?j@=d8;9d-k)JeS05k%aI|q90%z|*JlyA%7iy3~z+U7~FY>L;N zkAES=eyqq|?w1{5{%hg?jv9eLC~`3Mf*lvF{BJ-4 z6P^^}s-4D=H!Y=Bq+N;AQU~gpPy*G0!Q9spvtM5wZywtRECJYQ6WO@9glLSXui$K9 zLLq9~j=}u-&yY-A&GHxDh0>g4=38$vzKT>9Zp@(O@1vG7#gbs;U?K*xA>@r*mk~vO zMqD<725aX*rA)OT`AOgwx^~m#Ul14hFHq++R&V_$tH8vRKG4kfyw{;Vr&WjW5+Lj^ z){VMtMUi0|G;Sp)ofkPMo@QvGTWnbMWa+${vz~6!{AP$$)M^g1H~W7 zw1*&0re}zaq~jmjL+lthO_2EOXiZiTGpb{`OiO=@w-yqdT23%c@{h3?+u9*E{O|s{ z&7;e_dIZBZZ1lUl=D3#ibkLq)?Dh~)6IEH^{On}h(M*=*wseXj)B&>kF{h#U;CeJk zBP{t-?St~~AhzHx0M};{z4y7mQSi9;SMeA^rr%>8sF@JuHV!d>A34fd<1e-7B2h-m zZ#AyJtX=#n=|2>HyOTT{{50#Z3B6uMm`vBS5ej6^0!`u5c&@34uK{bjLe0+qR_irbmNXY)XM}YN3c-`k1_yFC`at z&o^$aN>VNLs4Xa$CwG|{q2kTJH~|b~c7`U&YTodSr5PO3>(Iixvt%%a+3HBJLodmB z`$n@D;v5f!7I^+ms-StKD)-c}kX-(hgrUK4BlHFgzW%!d9T{&mnSceczXfIOkY*-fxUwQxivS9xTmR^?OjIcIEu; zw>}quRy}bVe&2~Zp8iX6+?)<#SVFf`u5uS8w?AngbDOws9^ocEUzmhA5w+cHSK*(0A=G8b5slx@? 
zEZ<5Gv|I4i;_2mlP?*+sPoZ0Dx2tQkX#um7!l*XXSNR?*O(_4Qz&4brE6zR3;yuf0odp}A$d_`N$0=W0VbY$S0 z;c-IL=e&9^W$4;2v2*3%yS(;;{^qLCQo&=c}qWw_OJo^QkK@S9#tT^&3>+VOs_SL1x>xRV(^b` zI*emqxdD2>JNUbv5=%+;G8brY^?iWb7xe0ir9zM)`Ny#NXcr`y`IvP3=d?mK03p^m-K&}i`?nRdm`jb;s;ebC|5ttzmm%COykz87!BeF@0~bQv&!+?XzA7qJ=s&rkJIVH)2c=Hqr;DSwR8zrt(=j~7#laM34Lmbv`ZA21 zmBxhGL-ufa3IjLPybrI^{Oqjhp<b?d4yoQLIqi8ns);iaA+oKJk^vY@L zp`%#-afziGeaxltZwdy+~ma3}5v*3mj z$2jJF+zbA=$qK6t{?4nTVs%BX%xbwxrc0${p-R0{pgcUjn@OeukZojjbRi47HpI2^ z*Ak}3|60P-2ae=0f~c|bVdvZ0z}zp}B%#Wc3PYSKWcFAWD$~*Mkjtkg8EDd?U;F*9 zlc1+!>wd{_{p$gKSPv94YkG7$7c)F0s^+ zw$5rY2q#FpEz06XBao?-+cO&pdb%cO z6~=I$tmIgx(?&#F0+-D6Or?)Zk56gfP}b}8aEq0xah%Ty4Bh@D(aU()trH%&h$l`E z<;(5r>4!DOr`%$PDpb|29XKn7oI@c(+cyOMsZ?%*6wZ5-mmFmmUjjbr+NCOlOb4in(2pMJ ztwO=&cvf>aZadWxqDmAd+Nr~Y)M&^dXC&M_+XOG%X6!Lb%*ugTASv_hr1TlGWjhaU zLKYhkF>)&5n3<(2cS*SOmD9+a$&nC+TDgb_Cq^Tu>IH zYF`?D6MEI8vj2eQvwTkak^S3f;U`yn39nF>Z$G(afkqX^KZaoRaS~K?58YU+Oi`6h zFq}jTgIR0|-uZDD&)V%!sfdq|Zr~QQf@gnwV#rUF!kh8X} z^oo3D@L?N5!nAVRS+aOT>GKhjYCO0hb92fcX<0IjNCRFenkN}9x&L!O+k$%t9Yk-) zTpOT0s|dg6JfGpLp4U7;UIucopdlnhuRrK7Xjk9`d{=-hVDba@Au+wD2!z*gy`W)} zMNf!n=YD%>B~OFbukQlH(7x`mbE_WuH2K_Zvf}q&v$rz=vYtov_#MnI9-Y+s{-egS zdj#`Yb&b<)R`E;Q`PdI6%xio}DaCjCL|e&mzsEQ%6p-Yr--)}$b<>7vbGs|Oej#WJ zY*`*ZgKyb-nA!=LfV$v)>&HoHR_}Q~v|8~!{B5S|TeiA$utH1s{+4iS3?O}KwPXDF z*p+7qd-B5dc7N5|@l|TOfBewC&fmasx<6OuAe9I1g`FY_Y`@*A+pT`YYZ=aw{+7Gx z^kWGYYS^*UcR%UgJ&#jI2(HdsZN4Ax2V7Ov_-($Ee6($Tk=_>0J&xY4w^N^MUax7wF8Sq^cXfQ` zL+)!W&_ik?h^8{94c=+~G|(7H@2Ctut@nM(VR03p4(|t=@5bad*WfqDe*BD5(>sp2 znvOwEQNP>nO2uJxyn5Y$y5Q@)sJ6TG$^;1IcTMR1i}{U9xoLlcdtwXJb6fM-0g=UH zZUCDL)w?bB4%T+IJJ(IkYCPUkCUU)=zJEMl5I!xt%=opfnkw9R!O(ZUN8IqY-&vem zV&y%)rMxo&CC``gpy0pDcR#FO!w|e(K4lEva2`UpHWv0icRb>#-#8uB{_@@}->Q9o znvS|`J_?FsChRcD^19~ys3CA! 
z8X-i$(t3W*t97IcqrYnffb@?+P<5Xh*8gcQ`on(f73GM%4xd4A75)*H7zw8QJ#8Se zyd!~ijv2pW-5?T{hx=02_s6e-Ps1g)1(E@LE?A_W$M7>xI^6{ zjgg~XB4dZ045u!>ain0BDqz1=9Pb;dTP=&l=EL2`WQlaB-97(i-l}X-5S!fKU2k@0 zNH1rl>1&FM7uK{mtP(j1&m`IM6He99P@s-xyKV5({EL3ihM+7prHOLhu2V7mn>9XeRr zVDRft-la1WSIHDjEa@5Oo&!xGNlA%j_37~AQfW;OmZ~{FAUJtufBupu=JnTdNG(S` zRrA^u_V_9NH=E8$EY09RQYY~s5nj!C3t1*Kem5bba>bgwkXAQPZhmpyg{p)0zw1XMQGwO zLQyq;N^XJ4L^HgyBsc{Hl~p98Sflut0p{F(0V3v$0?l>f%3^?{TbgdpZpHI2Svdp4*hQ>|%i zmCNw(I29ST#C4W)mlKyyY#t~|8#hFsKGfsMzYY0Do&MUSjj+f6sxSm~MNhy+>rGvS zO{L3>z-g z;z|Wv(?Yy5<^dQEey8?Nu2Th*K2^|)SG3!oyr5_8yA^^`X6R7%I{HTkp9{1KSUhBh z!bD1nT+eH573dk@6Tr_{9QI^Mp@8w$qV)azC<2El#*=n|U7CQ{2(g#TmPAe#A3K>X zRiX5qC>OgRce!fVT-^-jB zUtT;8cDb+acS{e-U$`nQ2T4uS$6&G2+MELa9*ESzaE(hbTkkz3O2-{@qsHZgI5e}$ zW!^Ew4d5(Sgih-ge;f!KC(7Vz`~>p}ac-34B9L(`^sJXTa%ivwcu&X|Q%G`~nFR(6 zE(7z`@Jt-K{Yh*aRc3H}LL@U~BU${RW$t{TSJ15Rh9zmqUSb{vx531Cp&SpAHje;K$0R7p+qRWvff~z{?C5DaHu}N`O&U@7ufHGU&MC$YpIJT zmhtt7kMPpx>Wn8=uLp4Y`vm>jO|Ih&^@+*`_b58=<>nJT_}TmBO`n`{2Q=*3>-%zE z?B}Pl?pF&M6LH$%GtC16^gqh5LRWuvR(H=fj9&CoZ@%t_P2hPv9=`&YdmgoC9pwdH zKfr2%d;L7x$Tb??AG|p`xILddt+nmlfYs?w!A&{6gU^*BKYMd3%eP;HaZ}lSx9{SF-1Qe!uQj42jkK-% zpdDA@=ejq|={xqC!oKYLP|ET7mK`Fu3Ab&r^3>D%HhoMO#QxlM06U=fR?WxQX}9RH z^72_D4WV5(Wmemh)9#qI@oUZ4>5vTg6&Li{N#lB3EdC0?2YOXxZAN|c`=rd+<>$mP z$APZtPvS!UwDMgBm%;(~UEf)M1Bp0hfAPRG+CBb@WXyY8Z>YrUKJQdtJh^ljLs}D= z(L5WoZ*4`E-tik%W3+COzY5`zf2-pLXcV;&eCSj--eu1vs0+L<=jGnkh5@?XK6&hV zJs+p%w==BxT}0Km4L|zD_F2{S9LGtw&k1+HZCM)1`TV*zVw&wq-jh z0DD)=CUPE6NY{SFNv;NHy^;ehcJ)2{M(5?QniBuxa4oG@#moD|tcLrl>mqLTM%xTy zdll$zcJlJSDJ{GXkmG0O6R4KFCmIC#!UWmt@U){4K|MgCoU?YT+Ux!q_mTnh>k0TY zp6QZ7M&0s|9kY745J-8w%Mj6gB6*dHB3j4?1jh)877=UU)Dkm@oy3A!gXbiVw%cz4!lI2D)>wb zQEXRvA$7zUPm$;j-Aq=NoQhhG>-nZY_N* zO2wgOnwfvcbr`J6(yFp-u;AE|h8G3s1yvaa-F8rE4jT!u9)1gjZ_l9Lo0Q*#qe;{# zE6z^V!+S}N<))qlz~w;yu(VfD)7->{Ut>rSY2eQ}mqt)8@PzD>$I-zqf4)M`vKI|6 zG#R;nH;rN(_HY$uzN(3h7R$BAsh0WDy6^enQ8yQ-6Zv$*oM^sLB!;1Q&R?hqL*gz( zSOskLO=cPvqro0i71oPn(-#wot8pf#QFiC6h`%f3(UBH1#eo&*h(WT%)-jha!8x>Q 
z#(I@Nvs;RS376hcQ2`pD6FBWLMGeXFluZd%%Vz(+bgjpQNx;`xc?9leu9Yu5Rv=VM z9w<$;T=}^GIglkw&l|r!r?LMf9fNKJ_CFp$)UUDFDN7_bl>WD&bVcdcrE;o1prDBYRfi8*u3n zxRR<~FNe09Rs^*y7}he4KZbE85y(!YXA^~_rd|klXC5fW6rm>vIIySK%sLB}Tolne z9^Df$oF-a6>&75UBX%xJG?t}JocL_wn`Qd6O}CJdPPC|mt~6>OGIbgip_PP&9F-LzLyx34ha=SEA7WgG=cA2L0zo!3U z50q4(&eUfMHeo9)rR0BD?yHg`9VTRy#^k0ndj~@nx#m^11`XJ+me!%G;?%PkW1WXG zUmb{fu}vyevn*63o7I$PM(X5F5#xtW2^NOV4?+0tKb2aeQQ;bw*hY(0iDYf{D3E#*s4|>% zrtB$XqD%WWri9y9k0NkKCJ%L;jRqBV$Si0?RH0vL(q=Xn{LcZs2Ml0)2R!DjeeUQ> ze>8$Nn}N{7UknveDE?s;~la`{8ke1Ab(>$Q#TlxYWZpBhC^T@BiVPOG*5kn6mCEn>vtd} z?f_a3>)pBtoxXpkZ+Oj`02TGuG(G0W+&QV^wclyF*>#_4uAFIax?tAyHlFjnZ+Q-T z!c+k^#al%WUSN*Zu7Yl>ygs%C+IHs}a|K>bD?`|)Gn9GkO3|>k|F-vMSGI1OHRj}Y zeaJxZoO}eu@!k-8d?D%!BJEbgpu-iVd@pcZpr>A^yUFD(a2M8Mh&?8y*6PVk^XRr2 z6QGV)+ntk(x83>K50AY0a2MwUzvHr!cg*0a^BNr^_P{d_ft^R#^|-IBt?zt14N~TF z_dX|&fgtF*3mg?<846SP@CjS0u{)e~vRwyklCN;yfuX$jyTNXgskCnK{FQ@UpYk^mqz5Tr|_+|_pP|l+vzxly> z0mHd4pJd*SPgymuhmpJgaMit!1~5QPrvn$ZPknq*)g!&1a}5`Gty2`Vgburk^4~bN zT9yyYzJ08}|0C4IH);MH_pG-5L&HKjR@X+NffJA=7uGFHF5FNOGZ@>AfLW7aR;V<=p-1boWc z{A(Dh;^9ERd7;)JiAmki9x@4o6-Lw^b?Q&I<8V0{qUk)osYyeXya;}t0)7ie^sEIm z-fc?P8nbE#m8|2LVUYs1^CdS~268~14Mx3D{z_0o(`8a;Yam)y$>`E^zqio0 zqc!#<5K_4WtpsWrh>;guBy}X55@UZ03K$lZ%P0ZYZ=95J$X=Bq7O2(0R^1&@7>Y1y z;gCEDLBUdTZ9LJ8WKM3Y$)QIzcQpVncBFob{7k||B3ZyDd20Lj_*U&bzI0U2`>?oG z?p1DG#*rx+U&zDv#de9Vg zRXj=twiy~D+&tJBdf~@xZ705rSW3^F5ZO{pSYJ`RRSX@}WKoWDP8!aUI2M*5<6e=9 zfX(rXgP`0Vfv)JdYped0K@eRU7V5}UoT7imFr2~d3^p+u(S=9yOCdp8d?zD`8nl|$^op-D9PwW*GkW{w) z#v3?4N+6%-bQsMF5dQ2^O`#9CTC$wGA+i&PF6^TlZ0xsf2Rk+qZfMeuv9byXcQSvd zulV7TdQ9eBfgZ|1L_56yI~MiDSb=^8`BW>j6&jb{L=Lc<5W6;0R&tQw?q>IZw2Clk(WLSeKdG6RKS%omcNH3sUn2uC2)4)>~ZB%2!u z*x2tG$ZiwRkc>1^4;kq1s)YtjH4Fn6T(K{)inRuz)|RD9N6gb^#5DX)sEIRvZnQ*@*=bbU(bIhow-7h(xv~xLv(wQJ{;`msyNfjKlw` zO+E@yWvX4GAZiJ-l*v+Z70db?h``TF35>;lBvhMx3#y7ToEYIQqLOa*F0afeY+7IJ zB2aRZ(m<@ha2hT%ca_GV#6ZiiWM3GKz(#x4&Q@*8^cVk*v{kOOAo--P3A(y@@H?*j z%;KvK=Nh=FOzDs>8FA=c2)vhlZjQ>P~z9m)qf$5splR#kgKrCc4{m{!J|qT 
zVrPntS3l#Kh2hFonvGexD?G0!t63_Ps+J@@LK2iqyL|oGMoqJEQ^BgEo7d**bl`Km zZD(UQ9M`iQMIx{a=dt#<(=wqmlY;)t{UM?$QlK`Yc2}9>R4nI!B}C~U&c-aySFT!> zGsGKW;Bl7WTb6P>9B)=?pFkQ`BFDIWZc~d=Y5!+3!W`%Y8jr+eqC! z61Wk-{wX5gO9w{z(t!`ZP!=092o`-HVKVJ8j}ixF$Bjjc-mc}}!^L(boyUgj za7+}4YI2hsuuX{H@g6SN%KcuraKm->Z$DGMs(mE(H`k4~T~yv)mI&6)zuJxqLfduI zECKI}J#}B-u?^a~6<7K7X9n{Tcz!M0=>^005UV&5S6;jJ#)7Du&ATB0fXj8uruY4j zaz&@{_WCMGijk2Au(J7f@wtx`gi&v`5j4O$(B0b)d-0dcjG^g#Uc1KUnxRszwrun5 zio><%sc0kb#XSguf!|E*A%Rpt&$BMasaF>7V-+sU_N9+vnV!)5@mD_r;s zxL(K9K6gH9MV|5ze>vLovTL9HbG<#w=<2l_KTPU2x`VCnxmh^7z_YNUN#8r>-fGtR zVlsxIw|R3;3b@$*{CyqwWy6+lH{2Ri&PfBU-)VE(Ez8?aa`=C1a{GMhj^~Wz=5QCa zJcV|4^_;R|^?clmxaqTAUoQ3>Y+fens_Oq~hq%lGe%5XHef}GMnn=v6BE5E+jo49l z1-YM)rs+AWnkOX13DbEOySR0mi?pfUk8L^q9#EsSao+W9H6B6V*>VrEs-|Vw zxf!^+;e5NCkY0ozWtF}e>9*e^I3Z-n^>L>mEYt386bE)E`F5R4d&T6g8c*a6ukX3r z9$aUPTz%xXgZ2nxZxLs{TdXYxFbseAn{?=}LHw%gwx#Q?tJJy!u)00E`$v#QAs ztE=88CBRK&wd<|gNzG>G^E?M!t4;l3tHJU6MD@nY63q76>E33;Xf+mrXKd;xaAzCj zmjMC|eg=7q139c+KSA98WuGXFdtSK0lHlt=5*2B%-$SG(y%+t^1R6o|7g;9)+oJY1 zD$bS4iWtW$ewJVOYF^aH*D`6KwuMW6zhFC65DzdaqNRj7h2H$ySn$zz)ke z`-=V<5ko{71))nBA;owx%upa~;JSz|T0_upUO2Bww3HF8nB_1<7Z_SvLfhni-wjn)dS==0af-`PE!F8G`%-wOh9$|!YE0S=s-nks8TI2Z z?DnGL(Zqb1Of5j$A_`)di}ZZeo8SyeX1JVX_pGo5UV=YWlB%aGt-2&S6AyW@DS2Xv zvhzH3qEd_8^T1_1PJ#qIhl)Y7HZ>|Aw>mazhw83Xv0Oh`g)`;fYHRw9c~Kfx|Gz!q zvum|VAo`JyHNWKEETe>R6ggAiN!F#nL*wShlHYMDD9-=gcA(rSu=LxyUA(Q4gSCDY z7H7BVFvJMHmC|O-VndZCt!!71?!UyyV~%R*x#jckg(u^6V&(^iLQLP4i##%PUSv@{Z?A@lvNT;i7ny?iHE0)c%=x;^O*VkTbyJy!}=QZA&4lS536 z@bru_{5N6^x-c09*K;;b_NwU>-Ne>!%SX3T zLyb+73PK$O96~C&IB9S!Yt<|y9M37>crvuP*Itd#Y*vE*b3iFyG}rMzn)}dOOa3|L z*VDULE4S+PUnXjp=|}%9<2)!#=PMJ1ID>n2+XXGIKkj$Ex_|l%Mp(1r=e88{$hCj$ zw|>?#lm|Mh{4G=dnAKVJR`_wN>e6b3*+_l5th*y=<96OiJL#bB`(AMoxA|V6uFm)T z_|$sLuLo%0QQxqic)0O=8m0aI4wyOa?R*-;6?mDaKGP?>+Z-e0OYZu3iRpFE?(y8n znt3|{YP>evkLB$&&cxL(0d)4)t>iZc*O>rDen5e58$BO;a~I3Le!9j7OEvFQU3uGk z6%Ux8Wk)-{?lB+S)9Z|t8ZJOE#`LZo=ha}d-`ksKXV3lcS1Q+;_32Kw?`qrgQud?< 
zE6KvE8b(jca%9C1=bD=u9^0&*V@HqbkwuKIysG>`(*l4y!58Adc5jZ z8_)z{HNhX<{nNJfLoUnj_N%gv@O8T1N;~W2Qflsv17?NceNPu~xO+?ks7y(Vmj-ki zCH%GxX>I?QqV#i+)a*3CK1|2#89+PUWf zTAY-?N*A|{&$1yT7>?IxI1al-cR*XafG@DF`C(GcjJ_(H()Gss9qeR?M||OTOV?yR z0UvPJZtH3C-VDg_ey>bR?S}W5)QHLD>+%GqW3m0ZSFg_Rd2u+8zbY-)yt4)fGQ;$F zK2lEOG{2+W_PRcra(lbBf4Rl3)p372zF=%#wez&%bFHd-Zv@oXFK?1ge-&-Fo_t&Z zL20ibfeQhu;OVa+Cgh>CyF3+2fpPC?3b+0zLLHN1AWI8V&f2c*mpAKe3d*x901*Xh z1^g@GbfQ1*1j#$`e}oxQD4+x=vn~w5|5dU!^Pi1mriCq4#;`TraD=2Jh7W`4PF7U? zY1*x}a2hQ>$@Xu^LfRtb&stw{gb|$Z%q6rVq+p$PT^(@*SGN&bglHRy3zIz#rgwh$ zfJ?dBlqFbMXU#W~XBAQi!ep6o+eqT*XyDUc{2R zMza(@`e$PINcLprU(yW1pT%O2L2i8SW~kzZ`u2Qfu;1svDsaUagqoz7{zC;%#Ft_T z<%~EvNaEOBNg9K~P_R@o#Guroa#0XGARZs*-crz3seV93r&T#aveSSa8fDJf zR6Dwc?R!0q^L%ORs^lAXM8CI zOGrvtx(#%4VqQCUfWUp3)>JceJLgpY)MuZ?0F5lQrxh$G>}9c4x}pNa?=zM`nqmj8 zv49+stR`oC*7099Nk*pGj?D$+rjQQbn8U?R*|Li+h9H^NJOy;;=a(wD5gtUj@+eBt z-&Chjoj$s98PP6oN>YsO9VqeTaLjTXDHS>J~-9DD>C6(Z+pc>5Icqz?| z9laXGI+{<8w1drwOACopOChWkSjweHKFMIH%JA(un6dS}-A@9-qMU!qcnapr-BobJ zTU71*3|qusrJ({} zJWI{SL%{$|g2@M8#F7l|O_T;ZIFzlr)F!3+-13*h5p`bcA<+iIq0;l@uxDIpJ^n9~SZ0*QvF#%(}pwigfgu zcFMrv`JM~ZEA;W#erg{mgXYq!?lFKcXXvUGh#z)Cdp#01oCbRH@!wvn5Qt+Zr4r#H zgS>e&xfMlY45@Lm_zmm+NgxPD#r_uOE|#y$-}xazdS7nja4cZ%Vr4Io+r+KXi&}^v zVdB0n`E;S-RD=WZuaK4issqZ0r4K=wg5niSty-nD!u(l_9)W5iA>&V-5#GW-_tD#juNDTk1_UXc=*ARA*=| zQX9X1_StwQh?^y){yK|T`j){NfiM)vQZs?MwHU~MuDWVeqLd;jX!Dz^_Sc!Z@y@Ms zrqmc*^@V6Fvo@YBX0&O)`Tseec93vp^Z!xeT+o-yH}eTW=)D;SI{0Koww>pcDw+F2 zUrHeIXVT})J2Dq*`oho9gW0sFyu2RZBYUBMp8A^g&TS6;4bZ&spSNAmCY0GC0p~%C z8DSgn5V*qsXz(z_x?E%XIA&~hpG7l4*kxW)C5Oc8^wc@c^#QZv+osZ8=KV3nvFR$% z(l1r|>3&s-ba%Yze9OKc5#!e4VSY8XP$|Ii349UsvpYF#^iAc*vIl7S`dtd2q?x&J z-}Gkk?|mGkZQgJ2=(>7hdL2ekGBUKJ`2iDd@b3HhN3L4r4le1fuz;aG_dT>L9Xs7-3xVAoKiyjvf zU|F8!%-gR|H@3~{Cb?51R>*TWOxnP6vX%o_PKaL>ORo@bDKB@sbwo^$1q%ajf?U$#Z{Q4ME;TRHFon4y`>Kk+K5wbK5r`nTmqI$BFB(ViQvmi6gA3k5Wj^Z}0DFxlO>1MO- znVQwwVj9cK4F@s9bHN;FFZ{tU7F0Fzu4B%TUqi`b=!euR>XU|jBiXyB8Z%bJnr)kB 
ziAG4%>Ij<^Zm+P*-wjm4ALJZ3nH;fyXEQ0P3&YL#WiN)xEE%d|NFEu58U1Uakv0E5 zPfLO{FWj9-sN&TU&f?G3C>A*`u9BzW(j4^2sfCLDeCvhb=_15~{_fyksM`#Q)Jbzz6qyt-rc*l$9%sK|xT6!rRX=%-K|zC2x2pAV7^2 zj?+xV1yztEp!_Vbn0t?3ZZgDkH3;?;_rA^y4P zrEbTxrFEnqBvMF7mX4d4nRraep@zK-m@u}U(RV7^jm89tHOb~05^5cmQlk+|iK=^@ zEOz5sGSvtNKUAY+m*>hV9q6E)%N9*aTp>7g^IyK+w(dW9Z(&xT8X-EkjZzwgE;r>E z$^TJoJWS_fXE7p0qYWIuTkS@W|4pXU5nk}cWt2|Z$?h!080A?fLk zm*mWY>geK0k(Je%iX_*DnFS3@%}PN=l5cLfzk(QEO$zzKypwSRnuQu+Q;};sqLq?R zx>+TVgmA(`hGFm6_$LO|)Gsu|0E*BSqK+M+(#;|*hx^Xp4ubSf@Tvp6ou7zl+!?F6* z%W24@vt-?_M(%Q}L@Ur;aC!9c49OQ?~VeHk*B>@Rkj8CNm z;KdaRegtLoP?~*Tk=BSrfp|cYf!sHdf*49PJdWr>4G41gXaH|yrl(k$Ff5?{BT5UA z%3PpaIU&=$i;0eU2p_t5zVba;n#jav5%(M7pU4Lphg|Au)*+7)&KdNRSA82;(L@31 zPu3;S9%X&)L*Bf_9_tq@LC8{oX9_An0+Bw#J~%!_J`rA!A@?BV$Y81N_+Do;Ieygp z(GBU;znsrnz#qACz9x4k@J!zkPEW1|cjLeA!d+IUwQ^yvvOSDYs`DMxZ=md@kNn;% zHv4=fWZcGVNf$Zs=Im-~n^J?(ZMnLU=dr$_)W4VlG366<4=W?*O-sbto8{i`4ORBE zzRbPj)$JV*6Psxj4+_{C-Y_^Vc5AofU=>)!eqK~M^>Kg_?R~{QUG7F=rSN{azlJv> z`F*}+bXWQ~d`4}1ddIc^r5*^KW-3mmvU?sKZ+YTu9;T!IKLE!-IKSK6bH>ZBc9y$- zjTIMJV%a(O+&=x*9hQ7-t(|r}x(_LOZfgBw57qazuJsDZ`q4` zm3z0}G5zHBvko|5g`LD`vyT{a{%QPkJKy=v%U5iD-jBzBY;E_QA3JSUIoVtK?4xFL z2W95%0@vA9Z>M0H59e z{v|tZyUjo3qt{vBiAu2HcIWPT^-<@)Zu6Vm`N$=Izp-=2GQ9_0*n9o%(W}2)UD|(Z z4BxlRg71B{WpwKy?n~mYi+6s!?J3I~irsO=O80(n+nGl^KX|c{XSRCx?G^8ObkC3P zn?E>#yQ;bC!n5wO3v-U!yjC(cjD9mZeze=ur5hJoWc$MT#$MYz`s7ouKe1PQoO;T8 zb*8%e-OSCKeR%RQA6&ZslGC^?uh{eB#P!#2wB-}Z0ngTs*j9Vt-iOo^UojWj^M=Jw zx%1h#)?fDKD;K#^V*Yjgf8qcC%lrrZTK^vioZ|mKiG3gbWAx=>^_N!vV~0{>ZU{P; zfz-n9&VRnK|IaUw|D-0TUIb-E1jR_1SN_wS7yiR$ht5zAOWArXp6rxjIuPQS{3r%F z6}aE*$E#jT*IiT^8CZ`SOP*Ni<$ONQa8QEGpO?r|eiG37{T7$e^?>pRO}&}t6nxYv!G4r=;_kRtcPU_)49l9D zi}*>nQ!I|_VumQ`a6i!-^!%QhRSg)aMs z3u5tjBjezuG1#)xPGQ`v#6`ViX^t=Bbw;POw60WJCX4V^Iv8+Lour4cdLVTHw%(OV zP_EEJdeH0)-9jxIRXT8nL~3y>jYqA)7|nQevVe-JoJtj&`BETvI_1tFgeyr01-fqc z2loG=)t;4T^a@T{2b%)gO%m}AuSKXeHw6~2=}D;C<3(4UmeIVw->R2Z{g)T{^13I#Y$JzRz&|-Pr<*EWyOpKspwc6^Jx>P^e 
z90ex8F-_irY$zq?a#BMZl?k_0V3FF`tqLV~tYt(IDpzxPKN0Uj#qv3Kb`4NG!18+jG3!d9R{f`a2Uvt5bnnvx8P?J^qc z;EISvKwmTB{TPWShKgEa+eI+duS4-Hq8Ih1(s!^3^*yOagG5l)MHvKnJzqf!eY$N& z4AFHvz!0lvr9n>fU9nN=fJiPTDc(!CoX;s*nXBiOEQZl-)pyyFX8S~16R=9PnPZTk zmh{r8Dj{(73KMGv`hbM%0Lf%4`Y>ho47gTh4XILdV{M<0VyX~Jnwd-*lao9t7IFXL}WLnQd-HbLAioBX+ z!Ct!-_5;@M^w_$_W{8I*4SO-xO=i;)W#wH&YIcN%niz2q*KH+8 zGt(?YplE~1DlMS7EGVQQtWgCTc~P^K+8`^~U-BPIWSif{f4DFCPcEX!AI^UmN&wuj z2F`tbJVt%qEa=1w)?0_q8*5-XP&r^UoN!&<;w*~stV z$*PcU;YOIDWnLPUNfyiTOgS|atF&du$WBE9xftZj34nI`CB>Cp66qG&daTd|V=1>D zZ(^mOsGt>5OxI*SuaqbgOvEv)HS&9HOBmycIDyz=&;mwnEEdNFTS{@vP;Ru!X}L@I zd0R<~BLswUYCPYI_br^sR~iafl~9n8q+Y4a_J2HaE6;-fi z!D`8Y>dB%o*|n{bJ;JM#`yYtsq+~O|UEaW(RvpaNYKc4`kbJviV}1OITAW*=1}zFLmO?+-pa1=a zz&|$q`Oo|Z$FP6rKPWV%|Mrs@IDNsh!08Jd@+JS-{I@UtQRcqJe~$Y}@d=DhCI|?T zlP@^FA+!d#+86j_#c$+4@W0TX$;3gvUj4JvPk#0YoWK$g2H_k2N6vF5VwKiB`BiYY zon~M4IB?ls(3<6wE{`2^^~*8tjN4E7Z2#o+%Rk%T*pk9mLoc+TLNSjjvfCIGwt8@hYR=^m=Ce>8$mxo%7i2rK_v=usddK z`OcAByR$0ym)4y&-7B5+uHBnBUz_C-@Ip+IjJwcRyKueFVR=kWRJ>t}zq+l7~(3eCUDZ=+qW1uk80SiAnpk9S&q z)^pRW>D33$xE)y}JiKx7$`51tMOMee-L5!ux1H`-@~B(y{Pk^zKiQgf=`}M}Cf>e$ zljJh9-fu2=>WjyI`u=A-U2@YGoM#%i)W30_ZvZz*A4J^X7VIrq+LH<3GN!%PKePFRs5r`;PO^CxA?XW|xz57qy z#dhhOz1~xoo!3o2)j#U8&FoiJ!?!zd#S<=Gy!P<4gS;5?_CjZDIA?9-=A*Az*ItjD z_VknKE%$l&!OEL6r>|$77aXwZyHC6u|C4agpB_4GgDsZ7`t`s6=1!|Hesq~zmw0B* zHFuTJ4c9;G;tOxKr#%X+c;h)I{O0aNFS$aH}U!B6Z)alT!8fZrN?U)js-U zvpx8a7g}wT1^xyd_{<3_ITvkq&#&oS8yjqCTshx1yB>bw1CMz)pkbnK$kFfsd`u`u7{(J}igZw-HfeCo3|JzSu|0$pyf6jlne+_6GXvk^! 
zw5Wl8A@H|W+> z)?>4!dfAtHV4_{<_mE@+Ni2ou)t>L7lPH<4^Z?l9TV1g?Y*AIRYUcc^P*9wDB9_OY zJWRHGPEs;lounH{p;4wex!7h*F3qUML-`C zAv5wq3r)9+9M&0@*|?R?Rva!?r6S*M_svAv41H%vi1l_x@gP+zvLdTWO){6|G$2iN ze*(^C(mIH`v z2dg(#JM8vzjTng|5>N1W2`Vt48{!qD0gtM9n<{WAp5o>%pD_6q_X=lX@y3+)+kbSo-p?~%IImj`@a0}J4~V^0 zZ83*U@u!3m#Goc=Al6pd1Y7-r5Mh~kv!)1eK4NMH*4B3 zQOv}P1Fgy@t04`TbrWgFu{xcBQYKY`s}3CVa{*dq!FHMH2SKel61gOl(Gz(iJ@&z2 zj*_@+B;}xSwar!mf$#Nmm`T&xh)YJbaTdXPfk$_{E{(~3&u|T_J!qBPmT4fdV!xZv ziJHYp{#a~}VJ{^B2~?qx;jsT@e$b5Q(zoRY)!OIow@NdKFjuBTk?Qb3l2PU|n>af8 z+Sb5uURe%rLNUCAgVLLIFOeu|wfjlISTGAxIO^pU)%J!jj zimg5_joxu+-$uM~%-1q7{*oXRzZR4wHcdS)?c zl{*=%;Ko@*D|S78*a|~hRFR@rP#b!n4IA}FZLAI5b}mas9T7;ng9nxHD)bA0G(Fc zp>ZG5I`Qsg?cokp&m?iZ9v`QeaVr`!q}xak1*+Rgg&Dm)#eJr@&lLBW;yzQ{XNvp$ zKVt|C{^$VcKi2;sU*|u>RQ~TLF>v~V4};SexbFY(AMw8B)|~k@{&W0KOHi=HWLBUU zjG{QXA+#pA`WO6XrElRsUjabqe;)u%P9K30m`uO~@t*j%*W#Q%}l8bAjIs5)& zp_8FI_By2W;$k<#_gvL@@U_GK@{h$=w)fd|g-!Dp|6bU4)vC37mfrBt1rG=>JALoV z*FSN^Umtw>8uAKBf{AUm#bHQiyK^(+ht}Hgods4n`_Cs|Gy}Q;)~}ksu(Q4Hj^hX3 zi;0&(;HK|6&^o&>YyTsjeDwN1Ty<4^zICo$vUAtrOFpp2;nPn1^NN2yWzV+`Jm<>b z(>FRNe41J1uH%30o&LCS-OF3o_o4P!{?Zd)TShtf_rKj^*FP+rUggre)_wnj4Usbr zxp3C`&LdTRh)gWu--TT8O{%2I9o^ zwp?OS=FXEIIBtopuHE9mQx^a63VkYJ>eG*(+vKV@KiKW{sJ#g8sDpzS(iUBK8h_4V zvtHS6HXi+c-^0h#$nF37?t^q}iQTW<=bp#ceER^Eyw)*SKlRv$?%HHC>8Z|+=UsDm z{S%d3Woh}W!=5?$f)lRaZKEBopa0(RMGLmJU*~t*Jhk`+7rpcGZrTZ#J~vqIkl3>u zto&YjNA;!ycK%~*0wIoq}%n}cUb?Q z`~M#q0R2b)gMYpM4>;xje-itT{AX@Mg0B28fo)$JHw=CJP1)wT^*_wdGO(3&8=y zGGClkQK!7T4v4B4roJc$N;6cz6wOgEx3b1+d9J9Y!xZ)T?|6ptL< zw7CZYXsRtHLCmXgrCzyEt7#_I5H&Cqz9`?xGD%gjI2Qc;pc<{0ObN1E9$3{TFVqzT z5E}+6GIPt8jJc-|%UW|ZIhE=crzwgo=ndxf7O>2GvusWdGzn@I?O#8Gbec|ojrXPg zhb|cVTF%Qi`;r}|VzE)7m2Ys(^k@?H zz*@Tm6N9{=DGh~9H^exc?WgsUf~PtqJQIuC$s&+%`0kjGA;}cPlbKR0<#!ONH?R_1 zH6Fuia+{7sK9e`mRu!BKA(@C`6j$TACAl8DW1^s)PAsK#=W|+K=1LRz@J+jKfv4Uo^xFHug)jhz(l61eAWxHM}iqRh0DA-Y>npMhuaai%v>14wt9V8nf zhEqrtBdSi;e2i}PT^Wf5QBMZCPCL<31J=P&w}!^(B*hy)fd2?{^M<43SKR9`ty0!h 
z-thArp~Q&auKmXREc1r*y4Cz2{xdIb)-5HKRD3`>G9m*cigL2wK`lj%fpL|uBTC)W zGjXGD1xY37k#x)g(UF`d5@Qde4OmY!3V9l)3f+lA>bHQxD3z&`9Z?xjbvdtvKAnS^ zOynyt(lF%EQDat@Nh4M_pDTm~wbz6>yOtUzY^Tb$VFm`0HO|AzvQ->x!CY{Mz8fHnPGDwyqvr4$bl9nSHod!EOJ*VEI#(rW5bXl_R4Emx*f+>wf91yp2 zp4~4SCJ{7*NT}rra#TsQ4bFu)sjl!KCs7%gYbxxxQC1beQ@Z(Xy3K-dTIM=xw-|G> z_3pUP)dz`8Ss#*W*zYHVraKCK5GvPTR#k&uNm1BtJ6_>SK)MqTiEL+FQ2xiw!tJok ze2bf9jnDIkd`*?b)VRh)pO@}5sLtHdop|E&(w(nKxe2NMTu}6{oJgc&N#4ZV$=2Hd zzPdQDda0n!eJ%sE=Jx-A$^N%HcbZO@vnEh1>2XuZ<)UKIGn;7+EKB_;L&VuuB69s? z9938pnr*UNsseQyKJ$phE~FH$S=6(7m)=n|wNzPNIh;yLLcBN(#bybiO&E+vV@aa?>Ap_rynso2|V-?a)V_YHfM$ z?Z*nr!MC4u!#<@b^}>*=?4Y|| zsjalQxA0B}l7G1l8!S6BjcmcZ=Ed5JmRDc+wU;h$zcl;Qt+LzR@Z({j18;fywX%Mr zvY9jU^7U5uY+Wsrdu-V=?D&3qshRs@D=fXjkzp|36Fa5eJv2CJiCAL29mlH| z9y$1|;`!^Jd-W~KE0_Cs-?``$cXu~^e4{rXz0O>H;mk3ou6(tA=wmZpzp9zt_NIMy zUigYL)>-kQwbNHEER=@Ve9)e;^QOyQlE44ro0+R`e)*h)wZT7DZ!C7zgMI0D)M~%s zpS@$Dx8Y}x+4rPduHW-R!dkJq#GTQj#>Lb@hp9Q~q?`{uIp-poN*cyx z#l{0VQ30D4fJIU>kOedmfSDnl7_((NYImd{MvQ!tkJc z8%(QY6NIJ$%2**vuxU+hON=ZwlDK5jEz5Dwsq|6WXnGl{>@;w+!4+&XN{(Ygtf}Uj zOnP9IxhNSm0oSD}KTQ8ET@&(tz6~l_ujh5)hA@cd6HLVMqoM9uY{jhCDA{weC7H`b zs@&v)nvLc=dWs7Aqs9p6w})ANq;)Az@gc0Q<)D$A1(U2(GUY_wgLssy6qI}kQEI)| zXrzuxzJxWiN^JyDuB;>gG#G=pRZ*N~7e%`|*OH976CqW{5ymvv;M`uJ&1aIf!(t3W zxK+<>1gc#tXt6TU>5&GI=9&qLgP5G0t27Cn>vVFwR_)8uki;NcncM}?)t)-CM9nA4 zcnD{h8ljK9OtxRiXc8CzR#;DpUfwf=2p!g(WLg)LY%$YUlcPSENMUZ9*M+f#n?x#& zWb!4~F7i>c-DXDPYOz6%fs{6AWW8!8up<|8;DOx*Bg0mHNDYuY7qO4!uejK<>kz#u z{kJdm->_ev{@XllH~(Zn^V0t(T~`+RMZwO>M?{>3kt4rKy-!cBd{9hez`jNz_2$4zwwwx}#vuoX{J1a{dSRJV^@gX6_<)S` zINV}%uk6>Ee85RisVV9>+%_|?8)s1;Cq1o03j#1|Xe1X^$QIQ6QvWR>^6hWafAhc8 ze=9O{^#|*}O(xja^xvGC3k`}UA~+4xAm1s8(hiW>a#A8BHs|d4-Q`qY>B=+a+l>^s)ddICiJsFSwqE(!Cg4 zWSm~EX0hoSTp`^|kI9tX2A%E1N34Mv&)jqjW%IRYk1nu1pDH+^wg{ zeB{}Ip`|q3gy?jmm(Lkhy`C!~4r_FY0Tv)aK^k<^9$#R}K^e$`rWPeon=S`nKq&N} zB}6Ha(&VbAma)bNOHdiwN%gzUF%$|TFsWFj3N=P;w=h{StOme^ajve5E|W9RXjG~( zOd<_JUJPuvT+n383|44koKLewvppzF$vjI`>Cj|ggCB`wJO 
zX~ydxd@`=r|8UvcO_bkbOUa*M4GUHtsYr8^$_Yen2^=Lc_lI8I)&WulXTkV5Y_uaa7_4FOj?iGx6 zw$<==v`3Dt^lsha&r2Jt9eLx_ecc1>|b>}ZUDfTDGpyQUZ#)`U zP%=@iXLu;%wp}YBuxM415vGxeRm?G8t~VW4RPqie55ss8X$V2auI3B?^Lu8tV{s(W z?I#cjwG$zjhPYD6$y5@dTSMYL0+U^nX)+@@(edCOg!!0eTSl`ztXB;{mE(=H=Bm9UcUFj<-y^*c$dMF4KD zEHN6Ul%pIK<;A%yk_h6vmX6g<9P>+GIK&IhmPetJZ||fehe6 zlBqNsc4H)BehEzS1un<*Io%2K&Y)5ktzyeah9aAB+N|cqJR;KvAqt$_p#Ma=OPHQR|d^2K4u0b z=|L{d!O3=E5?-_QW;y6WjUxI(_>VBx#g4eIxY%a7?Pyc{=YRN*5&rV{&pd56|KvaO z(*Gw-ie`wH`C&SHk^~TF+5v25<(Z5PDW3nWGR#G}~spBpNuMqu2)29JbveW5!cej>$JhEaP^v z0n&<@gi>ilJx>nmMZn~|reVYyV6RGhOs?S?&`{~oHC;$WImaUM?G~ox%7Uj9>oTh1 zt#qtq;Pru%Lj5q-9Re!r*BhvZ$#m~a{?ie;+PCqa{FnSkZ_wfo=0E>aMD*4EKVK^% z`oHu9(vVgIs2Np@O$uJ69dsF}N@Ja3Ima3mwNXo;qqwUG<&4g!o3%D9_HD+mf_!YS216i&DCsBh2N4l=0T%j1^d2-kdv$aMq$o0#J=eaosQgc*}sZ@v|jfQm) zbb?@L$14h71mJQm<3lBA#5A!HMM-RyKoY)y1fi36-Hw=L`7YZf9Y`p)2)0;u_+cVe z^rc=%BuZX?a)1ugt@^1>L6aA!fLvrRoh9G7}SY;)~+{% z$)=9B4Be*tr4r!fYHZ;8cA~+0bl#&Yih)+mZr;G{4q0)>hNZD7m7%!a2v%&HZwy^J zop)<}6tNN0mjT_P;8v5iBFE&L#U9+BY6>*Pd8Rne6z7@ZJX4(Kf0rRJ_@j3K`ab+; z>iO@V#=g#fZhPVNHGT&CCy~GsD2U<2ci=zp&yfEhAc7(Uge1`K$$t($=YSP%y!Oa* z7M`>HX5-h+*m?a&Up;6xb&}qH;-h>2q%5@i374+5zO#dR>()me8Q%C<{H$HKKXul6 zhwQcTox9%g;qri!q_r7dD zvPtgb^lb<2dFKVj6VV=5J{7y;rj6d7PyOhC-DYFEOTR(Rzh;r%!$+gUXQ#Ze%HsQe zaP}e3Y_s@dzu$ea1^2Ae;}y5we7|k}^1}7Eto+C5lI8AS<>qVm93M(-dHv?jiOcVM z*3$1je|Nt4_u%-aKE7_TC)(Pf^RNB*dp{okS@pd~R=ah^b=RIGT=dbt@1Om*SD3}F zUgy%x8~iE9t5>Il68FK3S^Bg0y}r}5Wj~t#lKmdE?w-BHuEGxBetc)|OV{;|`s=jP zYIh8t+hfyi`HVLfpR@1-Z?68#%a0egZLYM)ocm5_Zq`}oSDf&1xBc$v&#kl3dGFer z-rP_co!`RLuCs)HY_`L1uG_78acuRQ)wN%G`uTI-I~d**zxLcct1qqn)&=`6xz8J* zyy>~IPm|zdd!D!KC#{o^HEvn{!KDsRAHVALlTZKCTh}jk-+Yhs+K;TUv9QdRH$OS^ z;pN|1Y)QYn(b@ad7QW`H1yJktlU{zyIDhN6&gpK=Uh>k*$FKVCnn8;kF+e!2<% z=?R~#v+Yg)y8gfL|NmwFgZ_K}9|Xjw>OX%H`#$_9RPc=ai>v<`OVM2YvnC`n_UOCw zpT_?d{)5Vlfl3SoNez2m`OiExrx*$xXDAszhA4KYRm`hE%IOxoMolaXr6^ewoxa$> zi!x1F(Wn@!cqP~!rH2GN3~hww;$$u)Dnx&n8dqGl<&WtaFw8O@oz&W0ua41d7Aopp zQ^tAM;xVro(-Hwm*wL!I@COKxnu#i_t166lW?sGWO&dO#_O_$1u 
zP2#MAmy2Pt+Z5Vn!|YW@ajZk5wPu(Sx<qG#?_Ib5P*|PWI%_2{6QwK75epo zos4DJt}S#r%}I!#(vcV%Z#W~v;9{K0N*N=b;ln238%CLAlSRO(x^RAIfpQxUbP0qL z%%B6SBZ$q#EG6lXovWz*#pWwClcmJ1V;K{Gv!86$Rc)FuF|Uh#hz|KZtKGh517 zs?`@TN8x%Yj-yIO%VphUCQ9hNT(*l0Thb)#P6eJ>w8^deBS{=Ut)e=F2Vw9?E3_(1Jj9X$C6(NJDmxStM;dc2BD7w98+B@sC06XSbz*mX)7{c$;pCPDA>)wGbkF3NV?BDv0{bhfST3QrJ$Zi z9IX=-bi}g37+&hMg?6ss_S>;|CLN&ih$Sq~j9Ix<#A=;#s*xYonpQmuctGyvpcGxI z_KKCzZPE3CX*iN&|DYZ~jk!I5gs-^R!NdX9rqYAIWd1WR+s!}uPh(#APa$gdv!YpV z`2d^eOw!H>eJJGxNj`(Sh+ygrJI*s5(M|LjoE734D%2u_uM2g>t8_`xp+|6omx~of z2HGx3rxJ8C-RanwG1C~P%o>V_Lz%OLp>Clx5~DH{Wq^K$X#^OPu1QU`-}3XBj^Ecw z9cboqxW)vrn3+pL-Dn8rhFGS8DqxtWl&Pdz9!D~xW)IOFBjxAKf-N9fKgk75${y-4>01{`EP0vQXaQZWXg zV*<5wLrM-u#UN{c$$u=7ZGId7;lAWQxricvF#lngZxE6DHrCTDsrXp!7X|~EE2#&Iu*WuM8)CFIB0LLMo@XWI@e?%&06gnT*v#oMbgI$cS0c zO^rw@Uy7Sez--zBCy0Dm;j+C#7ADi|WCnQ+p*ku=BPLrmdwm6Ex?Zd?G#cqfhAm-; zZRmZFZ6ID-0&2#9DyD@h%vXJ$1XE~8#szw;2W2}YCo`#BqRvuD-jTe zzi#dM;X=LTm_wuIxaioNNxpI2-P6|IPlZ2xp}+6myL`CsIfKfQcdSemHl8(ySm0OE z+o#<-!#_KF%O+3ke(A2rQm@zdd1Sxor+vEgb~oO7Q zZ|wikoCVi<_Q&HtE1%eZ_P47%zs)&W`j5LTeBS%+Mw^32+%SFBKQI5x(&XdI{z^D2 zF?eqJz@B;N@)zxX*gY46`##h8X!;JHUGvVGGgg}Kjm18EchBPNOWyf-m(~8d_Vk)3-bW^PNtAcE<@R3nvBhK0T({+?;Eh*)`nzRs-qGFUPY1nx z+(oOMe)$g5mRjc6#rJroKJ&6eiI3hncdtWdeDJ%|7hi6^<2R@;v&_Ax&s^)Y7i<5z z{=e}5KSTYuss2AdiG3gbgXG&B|BK^4k=USMF;YOWp}^mr|3u%!f7o9h{}CgpK|#{o zhtlW0{zse_{*zJ4Ijm2@sXEd#iG)}NltH@4H&A92=?OT&A>+P>kz9ezkL!VxN?T=P z-07AEnuM`nLj*&^j_g5PU|Er!oSV}DDr2x*w6K!t*V_LX~q~&FqOJoSXJ4$!B z0Md~VX%j&mErm{Ul&p4he7V^u$hu?mHb9R1Mln669RW|mRl01^ov7VI1rw`hMx@hG zhFTZ#I#6|l40{+}E*q6v(^8T(SCX_+fdP1t98boO#)@J!S*b-mhKTq2ekv-4DTwSe zJD%&R`3fzLD?WyG$D-P{s8Ka%wdr;@r&Ix+>EwPG|6zxtUOztaJIt_OQAP|tt`y*O znJ0Qlv5bvkJSnBLk<2E_b+>JEUCYs_Hid{7%GBr)3RK}fIS2&4ok*w&))d8_O{GRm z9zutHyXTpdK$sAMrOW}L8AAoJsDY0`4IkHxajYYeK)={%dJUw{QUayN5rH+vR+;jH zl0eZs9G8o(Cidl!bHp4>!6PKlz4o}COqXDxrtrZ4h^s@w&2i8u8*5kM#bGOtFo+Y= zaa8K*Sv5K6Xs{t6BMjpQx|wkV34ui=Rbt8vP6kL57)Xh}V(2tW5Xs~K!YgXsWy_7I 
z*_!;VTtzxK)v7xASTJt5byaWUilG)^tkd?TOh*bczz}4MJ^G>mu0U#rcM_nD&{1jR# zjw@xU(^V2_tcnkewke=oMW$F&ZB6zqM1_1iZG#3m!dO_ZI7GId0SHl;IC5=Nj8EQ` zYIG}l)WNZ$rR7;iPsLgUD8>t9E>P?tLlv8?tQD2o-f(hRWxUw&bO6EH13!o*Vl~W) zs#r;^D~@8OQaQ5_J zyKSRt$4VKcL7X*ORXC1!v`#J{WJ#tpjmC5l&cd==R>jpt4Sp-NwW%Xb)Bi7JC zy2~?Ago0|J$l9#dRGMfS4p~Sx3_9(rT2(>&p9F3EHEeAAXMHTXJwb<(Y z*Yw}M!hin%(SH+5Mjlt&I4^Qh5m#76uB0@g*yl3vFptIcv}lA)AFT^vSp)_ZsGsLc zRL_sIw$$SC1Gw2m%NW)ibqu9NTj_B#ld+0eL#YsPq!vhUAu$YNDH<~JW|{y7)j%Js zxq)RQ{9@j(#$$sFqALx5By)K`a2f=jX)&xaE{P5cR)fx{R1Nc8P>p4peM;21&gL&(G)D2f<;rX=$B~-45B|v z{sT|t|9%Sl8vj{+@n?>>>}SA#NEjm^h(O@)z<NWE;0QjWme(6Mb6mnviKdJ z?7Yd6D_z@tVwV+OIOn=UU+G^JJLJRtS9@XS1=@obUwVAs=~!##0|z{F%VOg-`pWII z{=C~O`(OG{;h;Uw_g5~;{H70`wgPm?(<@GYdfx{Q*0;9~N_9& zy!gnKcb;+6^=GZezOk;AJ8G5Q2QP1sdS{jTLyN?pIDNBo@4bKLgWq^Jxh$t`G4_6E zwkxOX1s`l&;ly{h+=JL~<4ZPq`MLRS(idkB)s|mv=~w@7?nwud8{Ylu{K^_&eVO<9HQ{AG zUFiMh15a+KFFWnkyDhah-TT(v*XLx?>*zS`zIJZvHEw}=z{jQNigDWTX%AyPy9?)*pk zrv5*_NdAL~4Fj2k&&Xt4^U8medEq~W;W!Z&+L?MUiO1~%iUS>%?-Ob~LL4hLjF(VI zv*JRoH5j|m2WFaiYJuxf0b8(KnoAk=E6 zm#w3MHiYEDppYSn7)og6OkH++<%t7V&c_S%MDgS@00 zDxp!7%Xz{Rh`uO*E#1`dtib1_vRkTJe$?!DA)YkQaF~RXX4wSzMpE&lDAN=LvDsCN zm8Py??cU_=ly0Ugu|qiF;dNfeKuhrAxK@u(BGqCu-HkQTZmE<3(gjocVf=?qH*%fa znCYli)QAX`hU2bfRRVI1D;ZB~CwR`UgmGJLv`1X0&kP46y{6ghc+{_k%>Zck`o5SH z)4pI5Z4JEFY z7UN+>&b3sQEaY7e^WC8|nnaLomDNMNkW6SSR!(Fmv425OD8I}N{g4O@sGwLt-w3#S1-j9EK)0ti= zQi-@2FjhhKF*`Nj#t2i@6^JQ9jUG5C(p-U0W?BQTAt!4oWl~D06j}uGxNEj$N&~U7 zPL||msX5U=r1<}L|2GO6DwCNq;J2CoEKIohAO52*)chY#o^%|ySB;8*nyuB#<2W5Q zo0!`jce$dU;K6pjJ93H=BkF-XsA&BfVv)K^mJ;c1#hs*kaI=%f8qmP(0byH&A4e?Ovm#4Ydqa?-HQlRvJoR=L)q1Qj(@#p4Xc-xFh9c9`1MAx-itN{9undHle zK>9waM?wuNyH%B^lOQddd^A#Yx8&oks6~`3`9x_Dn=O-wrK#icEw_d0H9+k3%OTOk zK@io5M7L(x-OxacaXF#OX1y)65=oYr_;Qv@IkDQqXj94N>rf8jnu+{0r~`x8ZSu{c z3=`DX*8lCF^*;;K|1DhyMF3AybSY?vayazH zf*7~J8*)-9_-zK3NpJdoq&N*Td}k~RJWRPcGRzQzyw^!};Yum$l{%d+UUs!=hu26&-Dj? 
z{{?f^IrDFY4_SHMF=y1{jgD!5|Hw7#_o2fjpjWoNW~=W#xrDm@hW2;oKlJv}ho64Q zEtkEp%tlvB+ViJZko{KKcPnu9gPu8NiA(E0S@f6_p4s!zx#wJW>s#siPp;(mTxO{o zPk(5I1Gw*cy?tIg;MoVx<(@r!on`VB|E$OUa?>plEg!Jm3(s$`|68e3cKhMHUte)K zTY1%d=C%Vax#6Z?ufZSn#xLj0xp97FvD=?o<*hwuUB2HLC3@>0U48R~seMYZ2QCur(Af+ z_U`#}`&ZQ0Nxb&%-cOwTtiAZ)mEUvc=AJwAibel({AZ6JZ1UVe<;71Cq1_KX>DC|4 zJrt{thl|(uS>}~>Hrs8(Cw}nGFn#poVfL1v?t0;$_s-64^j94(z4D>8a|#z7zihvH z*etSm$!OOTW-a;12WOmq*&@HOZUM%x&#V9C?qAM+_Qjt-l@C02 zFYl_K%&y<0oKU`%d+4e6-~9beuU@g&&#*W1r{cFtf8FNgWFhEOz_(W6&ilp2^1UY( z_Ssa}?VcO15|DQv{jRyiiywSXB3}-!KINQ)m$~Hnjh`t^!erP!M{*uT2{50y&tvA4th7B86A3p%$R<$g$zCT>&eMZ7 zM7CSFf{k0CF~GZNOH8y{ML&VGa6C`8#-)@C3Y6MPb<~bk8!@IFRG~T$kllc0y<|G$ zh$X53>5z;yjZ!Kl6e~gt%V5;7A87-o61pu%>Prq1^sdga%0c2DV zx?v+Ty+x(IG@7n|z~{&@q)#)^f*r&J#=!}*rKVF=sKpXG6uO0C3J%6H4Yp_j0V)jh zCFlR7hG8i`QbZ&>;frFrs0sP7ftl5Dqui(Ka;sHQ>nTXW8sNn35EZdf(8_pRu~=DA z=_U&hCY#WEmTL9rAsP}+D-2p#Ug7Ez4#QDJ6UoqOjMEH9)RcTkkQxms1dW4`)$HNT zTpf_DeoK{yG3M0-KCZiZC$BkB%BOpY+_;k@vlgb&Ks1lP>7SX5P68>Z5FnL)wQfUcu9Y|HJ;)=n96Tc6OeYs4tO18G8fwEy zp0`1sH3_+v?dF_zABDA|SO+>)P-n0N$qT#!d74a(5>;W4g8~s&_!zDeLMc+qiZ{Y| zOtbSr7fZ4|mzh{CHbtU-3uuNZ(s3vCNmMCx1OdqoTaw!h+F`#uGSW#&E{*7vG-w-{ zcE!pz`=nfIP4Xd%7J9tY3{fD^Ws|5NIo=b8;}SAvTm+tawD| z_!^Scoq9zXCu`=oU5gaFWCMwDhD{q)S*kY(NrUjx@XP2kXYkDozL~){Gx%l(-^}2f z|9yrc3E~^cf3TVQ-&bLu;3$kxFiw8q z`9CMzwhnf}9IdES5+V(s;Rd%@->t##^_t#`0> zS6cgyTgp59q4vgQdmMYHd%|0}2iHkHe#>5WZ2oKX_Me=5#8o$~z3a;Pd#=A?heb9l zU6uYIxy<#yc-?#S{xxsAa`}C){T_4WN{6jhAa;FvqW|ak&lU&ndCN<8zp?A9zgceo zUw&_&qk^qp0j@?1CNzHN)oTv9@1$d{_t#tTt=?k$zp&_)GpFbN{VtEVjYL?_9D!d-c+9Y_b1(zq(}J zgD)K-A9CmHB`>(By9>F?FZa8_`N8oU-LV6A^|s4yoL==-^Qs3|I%|z1?mzB+`_x0% z*lo$V$+2|uVnRAo_YUIDy5KuZ55M8X@pE$J*AJh$>)vnjiyXVli|*xv!|l7zoRgWg z=cVuNb;TCT$TX3gbR zUG~OBPQn*m&`-(ZDh#!A5& zXIbm>&;L2ftVTkuhpU1%w8d1iWctx;l5jB#|(0*9spn6)daGG(Ap>6iTxaLfBGAqP=AQL4=bY{?p zFd?DPwNj!pT`S@RF5FQIk%@Gt`DuCB;+rvBtrU7f%r;dcYL~-CA=||@5>UwYs99|{ z2ou3IEnC*D5eH_ALW*KYJRk2{e->u`kE%gT zvN;ApQv*aKAvL>c({JV2^n^xJ$!=1IJITU;i|UHtwFti*bu6V?^&C~tcezS;1WBQh 
zsoJ^8*v)EL4^%|S9 zxOP1aA!xmgDRm3?*aaJDSTBx;MN|l+3=@varp%CBCTI4EmhbgVJdJsil-X~&4YQd- z*iugugDxG?m6koy{c_m{ShdtJnIr_Yjm~7E31S88Yh{=ms0`e2Cezz5>r7Lvi{seE zf(WBV)k>A@OxHmUH3yV|#=z_rv=Jn;qj&sh(+*rl61amZoM&AUoi z;oSS@ZnJ0O>gIaNuZ}tH;-S6x>h-0cS@V=dU+6D!*pmPC{EOQ>{De0;DB5Dh-vPvK z)=uX<-ucaj=a@U6vD7S1s9bl(yz@@~ZDZx_wZBMD+;HQ?-7Se7PQJ!C`Rta`` ze(?j;RS&iHd&+om_JhY?G&=q}kMs1Kzx|bKzh%e%pO-k?d3gWXes%8;zWe;VpD3*h zZe|{=KDN(6_piGBgD1c8$j`U>k^kIx9ENeC)0EHrxH@_|L}6Jbu|}+t0mgUGU(Ex!h&&n~ywTU33k#$IXwtItVVb z=03OH2QQwGt+k#%*=vcgi8l~>&DimNuM%~|ixRUYAL z&+L2tl3U!ZKDXr>E0(`|_j3QxZcD@N)x8~FVE=TqnZd>i=> zHchvYEZdmougt>opUT4U9}v$B^L=ti+8w>r?}1Gqowku&Fjv>Q&t{Q)hBtYQ;`$v)>N zsi8t9+YqJt?%>rHKeXCRL158a58x2~ea=al+an!^`Gl>l2 zbfe-n&Afywo}fb|UxMJ)D3vND<&jSqnnzVzReYH8fs|1ElKdx`w-H9kNP2LYTlW*%uI^nhBK{*+Ls0s{4F!1Q8Ogd&Zhgs=V zG1FIUJzs(;agc6h{9+3)DNIEi`<1MYRFi_%nAEGDM2KV4DnbBhI8}U%QC>fm#j4i; z9c*B`YB?&mhJa|13Z5TsfxcE-@(=(JZAkGCW}?h+>r*C`dmkWYH*>AB@IyIx0n3KJ1TezTdZ#8s9Aj z7MhGQKo7CFFzp(7F743i45Y{erw6djctaJmrJ!EW(jYq2jD(_+QMNop6CylhL$>Wl zCOb$w*ny;l%Cd+0=r2_9{kcy~Ow06=fTa_Z33Gjv?ByCu1YV}B0 ztK~q&0Hi&%IkS<`xH2&|DuWzd8;`mEu%}G2(=2VIlC~VCGa!u+2$zL=A=D_y5QG?$ zl9S6S5}>M(VU&V_0#3b7&nZt@WwC0HBLo$6m&tZ)i5OB!GSm&c#N;WZ+?`ZNtKgI~ zBb?FHE-*1UDW!yocK(0n|0qiOv*!OW=*Rp=VVUrA^B*?;?6z*7I=-icsG>7uyXmfz zCe31#9tm~0O9fV;($mpFsV5UeS#QctXyHJ6kT=?HyKmHFs|w1LB2t8- zXWGq{T60E0g8`j!0vEKliHpe7EuG=e2cb=ZFRkr4LnbT>cY{i|)MHx!*EG8gy5*-Pm9UWT3r;X15(LZToK`NK zjPvOl!_-C5Tb0ge=V6ZJ;e)rZZXBiA#{#Pls_yjd?F2v__E8D06Zx12{ca?(}1#$PBrTg~$`4sSmWa*GU<% zoJ%{*bQiJRGEXxzm}ds_%wV1w%rk>|W-!nHO+%3c^^N2|#7zC~tFTYumi8Zc=pQo3um?W*7sfSug^WRm)dx&d)U#`>383C zVPu!q{`peiTkdyv^ERI+3{!_5@z|Sd-?7BW>+JI3y5`OgiVv)?RBhh_9$EUz)pz{e z4|lw8HhSqBYcIZ9{i3A~V(;7Y$xV06-}~+xtLIL5eD8VKV=K)&umJvY$q&74KbU*u z`kNg7@PCf~Xpa@&TFE_t3(!Ni+gDmbt3*-BlpSyXPxjgb>+p6oHO2Y>lYAz=ciYA=)s?!J7>$wc79~_UD50vXWg^% zi#M0?d|Q56{Lno&hQd<xbQBqK5%c$itdbfx- zta{4Jj50~C>C}fgVVc9D`Dx1A%qK>4320SPLy?IygW_ZY*6S^Di1xTxtLLy`B97V} z1uq71Bj}eClB&{1Cd_qeLp;%_`5aUa8wyYfMV3vbVB@+{omTfft?x~cqWMjRVq!}(a^MI 
z&@U=EKeRg~v{V+lRTmMGb&HEU!o-SFEgCe?+5qo5K)P)ZBod@$eGunbRTT+Uy4Yz$ ziW-^_sY`a3S98r;!R|p>m4Hfk7-uP!}$v)8hDkw~d!= zIL~^`&RECVVi&5V#!{BD1_{#*8eV%OwKJnpcI0Ou8wjCR+T>u{?sqA+r8kqTl9IIu z?}jvA$|jNGM6GpYexwYju^(G`v%#dre$XwWyzls_I?(oqlU|o@+fc+%$xhfRTOon^ zrY<_gylWY9Cn09CVy!Cc6oSXts4(b;Ek^EJseH!hQb4CYkcVoIahgrDuZ&5$Znr}^ z{iXQNf;!?T^-nI=)3ROvGe)fa->M`2jsGORef(#k!p;BipX|cS{}DMoEVojrNy7)w zHf-vYlhP}J*GyH?{eh04S~Km2m}8GKAUIM%k3``BcKQY*(Aff`(L79Bea$cB`3Mjb z_QXo0N(^WyK{^yVDC{fcXvjcntpi06QFhC5vqz-6HIE^+1c{hVClgD#f>x!uz6ykh z=W?J+NR8IWZ^MHWTo^=&1Xt`j(_35U^rWs{Nc)5Q%a>=@}=&erHq*%e91n<%kY| zX=%NQg)S&mW+UrArhSx3gnY zf)jnVNX2}vkLi^LH(oHKDM99vjlf8ge#@ZRMYkjdYLch|S;JB#F;^)kTmnYC&bS?A z4X%n><$9$#ASulVn_kDI+OpAg*lBbKswl$oWj@PyT_W8A3UQ(*M(j8rg-IMyl3>r} zsJ;+!lN6O2hKcFA+ATh?+^HMPH5yzu$OLYjE%)S{JYk&$GR<4M~k#2zujerDLu4Evd3KQruShW-2>HWW$F-$?#5GymZ$u}|`!+sqTqfzSf=zr*c;Xn8{fd7!l^eaqI^cU^_cJAB3^1s;ZX5Zm1g`T*)y4A(a z<9{pkR=n`tN3OeKjSuU8zWl+?-0Ieg=iXX<$*T^h&tBvwi~j!Amy5eUEi(HoPQN^f zZ`rf7#G1G0_pLtf_no3X-tTADySIko`xjpM(pEk0g@f<=o|Cv?_V0gw+?nKYm#x&f z_J}!;-_)-CZ1bCMcyg%^cKZQ(|J&kQ;j-I(xQh-hx9-FDju-#n#&Z_$-oD=Eh3bH5!~D*Rd8;DT-LF0A*|b+4?v#jI-&{n;aLR{pxuwmaQ< z_YouLn!sM|s%v-HY`_!?QZwA8mEO zlPj-rUhCdhc8;EU@wK-fiVquHbI&3#-zY8$kk@C<+V8Q)+gMJq?mU6b7Msh{gFo;cq+uDJO8cjnS}{ggglKVpwp z=7$5QdC2ZNy^)}gI`yVI5BbeQJI-C^=AYiY+7j#z^D9Tb`8#s^IQH#a>%$l|Np2+<|A7p`Wk1^%=i-Xyv0%+wAod58L1&`IMJ_?5wcg;Kfc- zxow*V?j(VW&K2g~c0hZ>8;(2px(~LMxBA{jzn#121sCkvc%paNd8>SQ$(px6e95{0 zc>X`~|6eozAwQ-6+l>C_E3q%ae@3A|1m8aXlU-1h^L$+OD)Hy%Kc71P$N2W~pUU() zXtB!rah6?Z{g1y8{DQ>;G2 zVH!(&G&)XWl_sde`D!*UWy@JR!ZT#x)f-hi2lQ$aI^hynYr^^U#3T+YG8}c%>Hfqn znCW^qEQR2thtj4lb`%gsLz&CfYE*t$$`F2&>jBNSh4JpF9C~fYm#HK-8tNzsWk@-w zKu9ETE(P_#3Q7^?u$4|2#H5X}RTIos^UVf=I)E~0H4|ze@`IKuR@ESHBnl`Yjw3_W zbANH)&vEm?wvFWi>A@vAr zm3kAA^K5k(X7Y`!<9QBe4b8OE9MB4{WpZxVqicX?!1XW3e=>GZ5xX=G7m9pi&^LTH zpc@5;M=(kt!A6GWM$p)WBSUVN+dV@J>LbgjH3wQs?UzXq$g|UoSEN*fLnTv(hSfHQ z1Ovk3lSQapk}K`V^+njtN`c#KwR@VKqv9TAm8za3<-%?s$d_vQR^;F 
z;i~VOJ~{wnP9w`ihB>OGeNBMqF2s&?nutraX2!wP3fRn5P=Kz0lfWQSc*U1Be$XtZ zl?uW9ed=m4YDK{i1OqrTf1xIrwoSl$t$7SwLR6PL&|Dkhv3ZQrT^&F+Ml z$a2CVII`i5dk`hZLX{5(V?7yUY=UejhoEM(kw9*=UBa=!KEi1PB75lotPPq#VUQmv zaHllP467B>^N8u$NxOBgUM{th(;eSLdM0a>tEE(Dy8J;F?!+7;1PkV?(Wt9|fKGsL zbxcV~#_QsJEzN~Br^F;Pe3=U^u0zF~F6)K#yv)e*C=q2NLBsPdjkFP3pI_K6&l&Dl4$t1M5-A9#!}k`mu2%Ra!=vY4P5 z)pDn2RWl=*GI=ghDe%0kXY#csSRJ|@kg3-LqR>hXCw#}w_wB|=WCz7&KLK)pDim`} zNY_Ae6bWdKj(cpkG~vnIpvM}5+#F^JD36V)I+QIm+i`2?X0;rm*1d$o#xSb`4#Ln* zwqMn2EeW@Hy*8eKMKiEy1{Tf0q8V5;1B?Dw8H&LFY5eo=`45W!EC0b}>VIF2C4Rd2 zqlup`cH_tV=ZDIhmmIy)C-~3FUnxF8a4JFKSYp9HWOI1E#5y10lhr<*|G@u%e-I2q zsZZda-M;eWQxu7!2^>Q<|F@v$ye0Ns*3RFv$K`v!bxrlu$ImVN>5QvCSm}gES1Wb5 zTK@p|AeOmzjrSgTX}`OG-M1;6A0CpQJ?LlK>uj*ieTDT_KNt-5Om>pRlXmS;+aH~Q zEY_R-+{Jr6vgHo99Ju)gciyz)TD#9%_1wE(_|BdCb#BVf*=L9D#qZAp&%aWT?gfwW zxB1b$H8w1)E^YVyr#Ws%_x`^uvUIb5)5eJ<4qIIpU)$sCgGTFZ@WQ=IR9_fur>*tq z&hJ!z6J}?f8E?GE?q{F({u?`;dd40{hvJXm>Uj^{wfP0Ju6W|Ty}pzTMzv6e-8Bc z?`*l@e(aNTr5$>2ZgWufF<|zx?|g9YHjC_E?z~*wV)xv`-`{WY^dgxZwAqh7|KiVI zzx3oakGS%n{mwmKEWh@SO&#z+5c} z`pL!Xmi^JLe>#0h{jN=&8y9Q$bX^x>p3f~bpBP=_j=D*kH0wo zzn-}1;LOv^%fMjwmp9>38_eR_qtJc#U*`FJR?e=vOKSEb$G^YaJ5O(Pe0u--qdVPy zl(Wj5heziv_SD*@vhy;B{asqhmE@CJP`+mJ1d9STS>MkHFPP^qQd11WZW4F_vWmu-AIH=OdBV1zoJ>pnKU+_Xek_nVl0&i7$ zdr&qT4ZVbWik=utAK@FBP31L*=MsN=Q9W6(ODbGxw-Pmd`ow~U0*Y6}6t)7ZER#@J zZLBo?Xu6czN6S%-;g?I(7nIpzY9+kv*72chV-{0 z)CdfyOe5^7qTTJ+>P)++R{_D1RRo1{AZS!LZaD0~0o2H7T186fN-4`CWPZ9oI#nW5 zERX$UOZUr@s#0k4rbqOBZ2-`uVpfQvnPp;(&gelopU)NhuAg0uo6vRuH#QAC}B29(zEYK*PKzLajI@j=EwT8C57JnphF>QG$_%janrpy3IJ9 zs&)rrUz#MiV!u~}u(2bWBLo7JPT6wP6$=sEIyH)H#x8WK{XPSl=8&=N<^&pdpn=%H zlI2>Zq4?YgQerzyW3ZDB`dJmo5kp%WG&?Oz8P?4SKQFArtc+>q^SxmgONu#4FnS#v7>}nnO=FTlG~G}ICihYC@o%|lI$2=Y1;xpKtt6zz zA5{{j&+7rmNKQ(X0^&z_I#=w#lGz0_?2yM&VY^DSt!|XgGZK$A2buP$Gv-}$l!on8 zXqWSD)5bJF?+uc90qk_Sc3f1QMlvT034St4ik>6YvI(3P`zf;5bSH*WER8KnqF6Wt z9TKtVT;3Z2Nx~V*T(N+c!8#^(&8!h*q^RJ#w(q*94xpgL?xsF`457&0x>ux($iHwIxrt|b*Dld8ZIu$VHdm5IeGLPocfdE5;c 
zGVO;AaAX-BfP;!slxa4MU{b`AZOrW?tzN+tT*+=mDPHZ?t&Hu1DmttpiCSfxtmmc3 z@8M9?EA?V*3=o|%T@GC_n`&gIH@hYKO8ZN&A8x_Cml5$#?iEY4AYw-Q^S3gf$||2( z8e9-+zJaB|g$*?yv!7^T+-x9~oxsOzOKjVKU$5{P3?DIu0p~cTpYAuCY~)w){=gX) zJI)A8qm_r4ZY_5&QS=^KYMz(A!9=D4C#UWri0;^Ke??t6%Aw=vzNQ5p*SV4bP*V@m)TowcC-T!BoX!}XMzYM+ za+uc}R;)Z|_PVt$E0&Xb2jL;9)6c0sY7NvRKz8amed~@E}36#?fpgGC%8QC58BQsJAQL7Gxf>p)xCXBK} zkP?MTme)-lvO;Sb;4stcH2%COY7$lWK49qIQW5D5y zp)=iipY6nxhBVy>x>;}NeRI;18*l+f8?}LMA#k?=xCOt;C9-Ip7Dgi+w5URmYone* zhXxtbv0Vr#&Be9GWT=dpQkbV(tt{nEx~7sXTLjbx46M-+s(o(Kh@ghc62v551RHU! z7U889t)ta~0kXv;j^y=1ryvjIkSY(_S_y+BH$jbgU^HlTNk(aub2+rqc5({ZZzKap zL`S-tMJo*h_FMvE*mANrA(OsNS}CjMwmrn_rLz)C0F5@Q!O|0k@IEfMUEY`Qm@CZSof*6{gLh`|&J5m}!8`w#Y(e$>o2dW6 zXY@Z`iG5Q4^W6C#O5Xte4*_E+iY934-|K(i#5Ym@GyMy2940XQ3+jK4c=vT_&rOdn zJIf!m@1-{{|EEQ-U-96R-`sT#uwwr4{3Y(Y_(t!~_$jAvug}72v)0_|gLMyo@a*o~ zYtXYFo3-oh7rxruCV@;`|xLXo_F7zvwphr+3;Op z;k}=3U%C9D_aAB*55J{uak{(63hNxZ*qqVa4HjK`r#*z{@7U#y_0^5Gz3}N{x2$hk zcw&uJPh7Kn&h7WFK^}ckow|J6!xumGq|NVs$G@>L>*ytJdo=y@$>senegD#X_Py&z zS@_)e@#CJ%U9`uN?CdS){NSYdPnPFwyej|K|61*p9rxH$eZgOC3FS}wtiK_59I&i3 z>pJ(nzyA5blP;dsy62sPSFFz-f4J7`SN`X)Q0DQ69yxvT+P(fx2i`oNo^$!ldp|q0 zj;&r7|L&bXtw?WwWIW#MrJcXem)BimwUPRryDqwQ`06b;Yck7yaU46&!C)+V+ z-1>v^k`JH#Lt=R1i-%XYy5+9FtbG5EkfWYh@8;Qi-gU{7&;RO>@63AsmVZW zz_&%YHprzr7|g2$Od1!4t|huG){Vk!+#I5@-H)`VWGs0SY6>m95D z)cK%VEz&#^3LUb9X&poyRr7qeO>SGF&F|;r$78xn2l^WS@zlN5}SUg>OhcD5V zFoeCV;dcQT>S?92<;&FuHqi!JwWTTo9MDo;5_5gWtBwoogveS6n_2G*<}oy1Em0mwm02)=#XyF9k#4h z5|IP73|Rm~y4wg#MTyHM^g%wYtFc`e*yAY7z#6DSH9C=Yl|ix$joIm$#ds3qTTvwi zn`Ud6Z{|8cFp4IO_O{SWuI`9I)4x!6QMGd;XB^~3+x|G?iq z{m(*$o4+%lh3Wq$)pJ3S3cERz1FG?$f@mhhQV1OvRJxQ&pwsQ!8o*f9PnA+~w;c3^ zxWj8c2bP$DmBK3yUdop^S*KER7ASy&s#OPxL>epzm6S>cl>i}_Nfa5`w36*0`5u`D z1GP=(+^$GQlUhGl?>R%dCfQU^?*Q(QL6Tsrht>LqCI#hOH^=92u}V`B?@v8657);W ztt&{ICyLExDeNTGP|OOgo+DOMW)+wqBQ_>V+9b`$&DaR_ROlK!lA0L9L7?_3>DDM$ zH`4jYDd*T;SW9DJT5YE?9Yvv$X2}L}JyLVXdW-8hNTE|1x+$07EA4jNgL9^ZC9S}d z#0b;FVKdt{CiRKv2jgy`Pt>RH{1j9M99u9$+%wXR#K-y{OW~}~(*Lj@>wj`ALws)i 
z&jMKVul?UXW<|ii4g~r%olj0cP0b!nJfp*4I_F!ZED?#~$ZU11082%x7^vAsnTB(W zZ;vg8$%_KfrX4iXs}r>lPdir5ORMEZ&TzYmQ|&;hLsK;(mAW6s5NlRa)e^Ynp#1~Hehwc5UNg?l-rdH zLaN>qTP~JE2SS*1UAZ3^t!_|ERtV0kmucRKdU`EVRng3u12#c4OrQtTI+;TWq18gk zT+r{fySWCP?#ksRtEa{#EEs%kMd1Iq0O$+#f1COI_g7+{;6LjwchZ?xfBpQ2g7HLx!YPvc9Q+6V7yd(h1NaYx z5jafI7*2md{XrMv@GP?2mG5m09y~ndJ3rqo`q^PCzOa?`bmi64@XoXAZ4MIK z;#VEJZ*u1!|IBVQez41`Z=ZMN4hPOUX04dt{1E;}XFhb&-CJG3J(oD=>h1n~))o09 z^6##9+U0Yv*yrhGRz2}ocNgVx>)_LtUBSQPt`nB{!%g#Nr7pbx%60#9{O7xyKRW-# z@3Ke!@a#)|{Svqe?Xu(e=->XDe(4_b-A5+ZXWM(s`Q24>wAu4_x%-k6x$D(65B$Sh zD**@XL(0yo(W%Qll7LsZ^4xpFrGA`V<*=82?B9RUKBrxi+-<||?#k8A&s%><_^9_w z2YUedhq%s=0_#C@x=fB3n$)TVnaa(H|iVBhhJ^12Tc#+L_AJbcuN zj~x=e?Kk(Ojmdti-E!DU(bX^&Jve`@b+HdlPHp~|%g(#@svVv`@F$lYTsvd8!JghD zl5*5@Z$7>I)!Y2y)VsI8?XVZtzjK?Vv%gzn_TnG@`ZQr@Y!OrA%EI!W&!50f^VfQ@?AO9xA_+F* zOz3zb09yeiSf-wg*dol=I()eukj)h2f)&dlpc-n*f^RqS+Q={4T_zcJAf2njR>H5P z(cGW}2r^Z0m3FZMr<6&Xq*Ju3HhMV$O)G zYF91+T%k$TbjJ^*azkg@1199Fblt93R8~qPP_)^?vbp>~!t!G&D}&YHuwU%tW6sSK zIF+}%fPqT#m*YQtbKD+7hSeLHU6aN8XgWvhCDRsE=f&Np&=USaVW`$DO1YupZvm%y z<*SRz|Hs~a zhdWMP3!o1z0TD__C>KJ8-b|2W^-wL#>Xs}^E;51OqGGwpDlVe;4nq&U_d0~o!cY?+ zbOHnjy1TkJmzHQoH(e-^6#+ayCdOpJ3O3SbzW z%Igx0N1>%v^Fn#RSCnp+((n{iEh$q6PY3ac^Q}QWtfK4biF2v|V3Ndz{!Gu{PFe3S<{z>v|BU+(uvl37u^+ zg;r5?2I^REDcoo>?BI=zR7HC7%(d4{S!O0_jL(O--RZiFr^&uT2>Mj(4+@S91dUeP zl3P`4GKG_{s0q1@oozVTx;}#HXt|Mxvt?ha*U51;LA#A{zh-I0IFpM&wXb-z22{AB z)qwIrCkX%D{eS-Xtk7rn|0#nw*YX;6sonGk!%pnv1kw%Z7JQh4JRoxa)M|k(GF^MluM=~6ca{#G_ZIN z8#IO(0NEyqq$+L8RiH`H9}K!RU2)ar7(>(XsErg|DCa2^-4C)&a#SB;Ebdut z5KoU9RRBcQdyQ8skD=~e8;YqX{Sno({7_a+y7_QdS)_P{GXV!ZD z4+oNl)89z{nf?CvR}%l~Kj8b>b`XNe=M?wdhgMX4jx-O zyuR=eyXHGbuDHdf=NlW|Pg0A#c=Icd&H3c*OILm9`X{zX-F5dl>3whAYo~{wTmSIx z&n~$Ats~>`&fh=#;ps1$?|f&6A6&oO`r=dTf4s@TYYiVb>e$9$owaK}UV6{r>$MAq zyQmlB|MUG|=>yg}Iks9tr!0I-2A7{-}Xl+y!6{E?|Rc*>xkcN zF=bXf?A@o=eeT`osk2u5=?C54Mvt0^zU42fzxm~&+Z?(15m$|Jk{P>#xKL0uJnC{VO+k z_}K04K3-jWxdeD27oBkJ0e8Q;?#G_B$9LDf@bUfc-}hJM`7aX}uh+hE?xM>*|IGNZ 
zW48VIuijnt7G%92tp4=etFLZ~_wR7sTPxzH2*2Cn!b8q@WBqH-JO0PHgp%`jW3-%w($?ISMFNtr|8HLZpV|IzUrl@g|FMNaERMc)=YLSe zGZBT+CW==Ye}4b*{C|LV$xp>%WjgeOso@vunRFe`cM9ATnA*vB zJh00wq$yZ76sIcO*W0~}AoSTNtxAJ*QxAF!+AhakVTg`H6_yaHp%kU^WNJ?$fN+~k z3=XPM4(m4Hmetimvt*}R&N?pS%Wu|mv9MY-mn8}Gb5duQL z@wpeZpYA{T{3OmH6-jiub}kBWte7^9l4bSlUD$6+Qo2{^1W2MbU2;-j(*f!SF6(63 zs@JrLEDYe4(p0B5-nt!$%5V#Xy2o4xmYlWK@HcWQVDG51(h8MZr1hV zp2AH?sSi-D$(E<-s9!8q)h63&w?@9CLR2AFZJj5M5XKW;P%Rlc2S4a!j2 zNTtcB;MZNCqH!H?Lc%4a=Y_0-*%J~Wn(Y=C!f0*SDFt?ONK>L-$2CDW5{pgBd4wF4 zoW9wqYitET6OPv<%B(OgTWn4(X^2Ql|4aGLr}Y1^xq851vwMku^Plv$(0>+Yy7{~R zcnje_`Ih0UIZ1~{2!QDtK8f|>gca4Sq@WlQ>n6;ou)r&NHjEZzWrooDw%bjo1!87d zG~s5R2hr8?imz{qNiWN_%(aIIq)5Rp;oib)p|S?cBkI$fbO18=0n$cu)yGiHY~ znNI6SG(%NpGCIqZ0jCo;^O)7r`aL*@z+o>(Hto@rQyEvtHTtGl?X%-1M28dG zEWn+rO>&drup4$pS)l86L2Niq2pnSVs;`kAHuQ50YEV`qqm=6A#Bdc(f=iQDzQ8sr zX1c@GY$DPOQ))U)6>!Qmt%>%qY9{=5_y74P|M{Qk|I?L+J)kavN-zpJYv!6xrM{F8 z>k>(JRAkDTo+21gzLblbS)(|zLU=&9e8ZZy+jX#J*fty@0l-Afc733B#S<5Q+H~<^bgpzt9o^>UfnpO4N>LMXE>~93d+)al^vMmr|?$Y0#H9ymfv0^nc&DP zck}3x;M@R|8p4KCn6^!mIJ`CI>?wpXPJ$QbRsBe{O?C z2`Vm;IA~rC<+w=g_`9o4N&P2ySFYZeq%~GolA#lw3A23&BKZ_da4+U8^VMd*S4Zfy z9cJ(*o*?N%1zPkO{{e_zK#|b_{;AOEDyXNH47>9?TIc z%meQ35K4*LM_5LxHQ9*Tt|!i|B>?VLGW-^y8twuQi;)@vhSg0q{D4>+M!uUwlc@^T z?JbW1-*@~T&l_0mD+tg!Q-8Q+e4NNN_U1>1Zue$iX-&g6da8vx!2Fa?-RtsoFJ(@P z&xTGix(P+|zNKY4Rldz|L`xF2M^6^?NF-N!Yaq3m`bdwy&mJk4FbmZ#?3_Dlo9gdDPL zy=UxaJsm(ExpKswZk^kak&^@R4ykRP4k)Jk`|E!7U_FKIgT8a(_CDB?jN>Jg*L@^s zu8rMti)KfCQ@g6p>G^BOL5=(5R6QMk)5K+E&;5>m%XPhz!{T*zNGh3COd>sIEv zDiQB#&SGj%iYTL&FSvL{;M$=FwA<0$v|%S97+$i%am8cb#SWQ}Xvr27^d6yLU&f z=H8d4WaN&wn*C#2EZc{EOr31j-|hx<8HtQnZYStzpiq_V^W2`(PPR>%r?*EXi(EyW zQWXQwa3SaQ4e#6M-0uqSpl-OV6!4bB$4V$@{{>o{4Th5`^oE(!*FvMEuL|eu$3ldXMzXRjye7d~mXJ}VD2VC8ZXUi%Rb4WCkva0k zXNvlDIW6PTxK@_F)CbYqh`AY~Gh-4Ygm76_w;r-a9cTgSXt@>K2=0Gade!nMY$@yC z{QoXJ4Y9<>=oZWs38Y!aw`c5ADN{DnsdX!kD-sf`HYC6dz|>%nyYy%u&r^r-+KQK% zeR4Wj(5k`t>C$Wd*qZ2}t#&RM6jH*w>Q{i7M?@Uv*-nlLn=?0Nt=GXKM_rM9)gXf6 
z_=(wm$rhC|lKDfNwr|_sZw_8Z#q&@6lCDcumUeByFk-y?h(ug0do~kFn=Z?z1{#IS zKn1dM27DLm`^}LYzX|@KX0=q`L?)(AhCT7k*)d?LRC4JY2~MjFbJS@Hr{pdoP3HNa z-r^HxT4DFWEAi}7wwL7kfT&rYbQUR{Z8a;Qwo(bzJ{X6yH_n>N&_ISZRfs7!pQB>=hXSr*Ezn{Wf|v8Hy~nrIfA}h~dNj z7j!(PmX8siViV&=iV=fG%}?xu&+g|F&IhEY?PraX1H*`dN5~LBM z6Z26eI1Q-U&Byj?DJiUIS$jNuh8B`<9dShmo6^b?T6y#E@FB+Gu=z-h)*Ja$Mim0E z<1lOyF67XEPw)O#DE}Pb5?@Q}r|PG+A1sFKzB#y&&Y?ccKY2l>?NGo&fH;R-2>pV~ zy*oq-s~=!W4lhm-c3M34iJgLl+D_!Lodi~WsTV^AK_@3RX+1BUFoqy*^Ufp5FG>+ra&(DA8vXQTS$E@u zf7f%(Whqh7;6*msjm_yegfIVzkqy?H)GjC*yV$Z1msz}TD%A`|Na|CdMdy}{HkxQ1 z(##us!E32vV`LVQI;|aB`kS6h)#+Y(6grh7Mz59E7q=5BG0%9Jui1>G(;r#Q|423e zK~ap3V>Xw)Cz>#(*Rc36)-_L+HAy<+j4$}8rvtoR`i$_V`?#%&vLrDURE6}lcCg&4 zeNt}B&Qn;mLB+6u_L7#4xiE=)NPE>VsMO4CVSe$ap_hm9Vt#;-+oMrRNK^Z{26Uim zV~Szhsc}Q` zdv@8e%Y-GByEBkzjJq2l^&=E%E_+)8nCrd0jK9!Jr0R}WufZ7G&J4jWOt^PY$I6S1 ze*}~;lw>Q^o4@A8nQW?OjomdPYQ*Ejvivg7M&RLeA}{1G&J!eC^TBl_tJRIKu-2)g zA~{@C)S_eW>x9$HnGQ$)Yqruvu;;#EU41;CFGO?0mg?}eM0F~oZ7P11K>X@c5q*KO zvCN`*`OXCEH2wX50l5A32U6kx=+TP)zPdE5WZ0YglgTP$Jb_?Gyg=N0Ak z@g0T789fmd9^eQ`@7XiHe45R)_p}Bn9JlPA_b^reK7H;qxkhx`f_wq2zXBl$yu(Q1jT6fpI*=ux`b=|Hy*W2IipB5Z6bRq=6 z%ii6m8xJd?N2h$CTZ#LcjkEGt&TU`^rN>ybkb`}ipV04|fBcQOZW}t4^v&a)bZc+} z&$d&H*_|0ej|mI_D}p8i*Wdw^+nRM_2Ylc21r08*{o(B#kFA*H%d4zVK<9eo>0@`p zpz?aH%heFdHaEoH^7Yn9LA}MEQ(o76%6B2brUppr-SQmjo3cu~_a+3KN9%bpeU{KL z0C##jh(6^!56cbfr83oRn8*mO3_Ndu|0Q~BnN}B{I6D9UkK@)B1UC~O#OkK`wCsDh zNa613z5URbRr398c{-+34DnCIaQxhQ3S76htZ7|X*9_?5(&4+) z?t<(|WC9Jh?koA7-Wld3m^z!+9k%#y%{iRiskWlxQ3U*!xAnR&O>S$(yZnx8_Qo|p zyC;WJJo_gLyU~yO{O%3V_N#WQdM&HBGryKfUB;HvU4Mr+Dm; zl9;FMO8mB8H;LTsnlDaKs>8Y>_1k8du-lA#HdD55x;AsP965Z>sgMEh`sQ_Fsj>wM zHG)_1n^WVHpeZAu!gYc>{SuL{-TY82_nY+n5rE+1Q5VFZ7Sc=2=?y-%iD23jauuXr z6f|+Z!@m%sP5foyH%FTY0fGxZyyjeoLdZlXSYDfhfW7AiT*wdwaY=S7##f^&(m73a zX=C{^5jJW`SX(S-HS5mmfg%Olh^+nsrE05=wpe#IA3u3eU6s4QuBI#D8tFt?q9SM^DY@OS9pg~Uy7G??-8y_ zBrmLRT@@>J@tZk?4vTG77!^#NCfR&(yc*_B-&ZPTv#115rpmGWf62F|XkjMXusX8I z=NQhy$n;57BDEW*k*b!*_~}ZNB>df36au6w;HCE34bu%_LMdlum$%oTbWSC0t{n 
zK`H8CgC&_r{p?drVY=-U{5u-KM|0Lc{P+`h>rEHs=Y*i~c@UNa;v-PC%8kW2XT2wRD4##^*- z{M0wNrdPkD*V})p#Yugd#!yv?5k-a7G{Pw-gi5kxIm6V206$o=nLQ3&|LeUYKpRsy z4zj(* z1zdWY?w93)914x~KR~`SAkXjD9lE;uE7-`D#!W?ZNxNaRgwkJjWTa3^JNg?zR}so) zxBpQzQXh|4l&aLtDn*>+UL zmW(mvUe{eFOumuyJycKzHMONIE8Y1(-H@-|BLs`^$boyni75B0eHM#=O7JAWNmiV2 zLU+06Wm?k->jmWn8}b^ZoAupBu8l-gb9zdB$fcTVNLi#%7j}%HEG$A4DdH?|F*_m9 z79|9}o0)801jB{*`*2$kB5#;g5rQ#MV;-zYq#05pn{7?*CDiNZ6=O_a>D2;Mv*C67#J-4MOayKj1%#N;t_S2sTF_)UH&kr7|D>cSVddq| zD}IIJSQVyx@tn-q>is_6q-{l~792=s{D7)txbrir@KCpBwh8|ezb&6``Qlzb!o?Ct zPPM-n>b#DTEfU?Ibt==WP-jC=ygRq94T**tTx=@zwzT5npW>HL-5HA(CD05%ioVlm zYRlWA=b%Zdb*M2%_+>N66&dmt}3900OI*$6kY^cI!Lz0dLI{JS0ua z;eaiXP0$#A4pA(Xj2`$#sn)jsXcgywkw19n+fIe{G{L`(O-idu+=Nd@^XGq1B$#&^bp~u$sJ>EJaYr1Zyr!Q__obL-k_Fa#K76zr$MLSJv-t=`>&B=Wf&qTp; z*r1~KQZ8|CJyJ4p;jk{5m%aM+LO@wX819UaV1c*JX^>yS4*o z>zjazoMeakZb+jd5MPsF`W>&TXeuPrv zg4OstG1r8(-q>%b2yA>eE6w~HBaDMkhVc-`!8*l;l}|dX={Pv3Wa8yhskZcPLxO^3 zqi6<7biAi!yREu7$F@ClSG?+F7!r%j96`J)1(UrXb_e(aY@n})SX0v!HeVL2|qbM8mv ziu|1C3+7HaO=WN6627&xWeER@ku+vGHYrjM3|Tdl1hQnLp$zWS6goQ0WvXzhY?@DW ze`$mv?NH;H(TtRBxYJq}=7p#h@vU)NHn!BcCtfhwVT*y+ws(3{v ze!bTSXYzM*FFd3h=-f$FCvqLRzTgx)m~xkXmkTgXa&~^2%pQ$^VQAdp-KDi!R#btL zCMpMcWYTy9d?hJKk+QA!^{z+{>hqg&3OQxdH}rkBSW+&kU_+d-a`U!q8Z?;;>gy?bi*Q{PS~e@G$dQy3g7^cahs+Q88 zo^*^CuSoOlFWQe~SKcH;ckb#mE$$3~dp1Pz21EA$00a(NYT$)y4)FK?y2>>?`%5<; zt}@Oa$8Xws)VTwI8_1E+0#`4<5JP4F1IB0t`ysa!f$0FN<2u2Pan1AIjA*;Tcjs2e zPR+;Z^*M&`G-Um$r}lM??FiI2exo*$d7SI_vbS#g+<)(Wi_iGj(U4b-Qvb|-zqkC$ zPr`XIHomxV@>#%j|4~B^oMHpt>b}MII*?-E5+0eNCRNW&`>N2l4gzHNGl=eAblGtZA#`juT-_z)HY4X^BeZ{*gQDcbn&F*1- zuUw+@?x;_Kzs30F`kwftIC@;Dt9lJ|O8(Kqm67`7r|(1RW7-kBvrD&r@q2_PHhHrR z`_d-}6yUqWK3*N^BQ_}I6EZ)_>N(zM$=%#JO3iJ3L6O;X z9nTrRyr}?I9&dT~g0voHhw!u9#%UD@OKaYGM^cxkJfB+6QEJ9lJ4$WPwv@2Viw!ov zszY9I{`w%)Y)jXb3wAPGr>3x`a1wQ&X&OBzs^@L#fObnct>@{a zmkk6Qg0u7Vt|X3hyCF)Y7mesI%$~RDLhS7}M8Mfho1Q>9Mw}dr+?xrSAFsn18kev8 zziRn+K-e*UZ$a+CX3Ii0;MGJK{f~h2UP3IgH&w#|699OtQ!CUw?9>7LUt2k28iJa; 
zC)Dr?p$q>IzkYx(X7~8xVY74gz!sgA?(Ok8%5FQImZV&ubEp@bdk*?^`_kq8ZpSz$odQKzukhbl>Y)z!z@M?whlt~+w1 z!~N{v&Mgt_l5J=INb66+k3_7=r{3`DeGd7e8S5m%Vf>k0VGwzVZt1hL|6GxB6gf7Chwl)udw#2P&DkA2=HN%{6CY;5@0C z+mccq !wCa$(7VT@JzEpb^bM3*Dv)N5l#knS)vs00Wmgs3zB@mFBrZMdceQPyD zVOjc+zfX3>$CFEdch2|!k-q;SUD_Ml?a#6^@bfOS%b>fWBpFOYYSX(wEfi~Ts!=JRAdrJ9b4@*Q<+58(f3J?Eb~UCOIkr#;u3|O;l%CMn3e)g zrB<^7U!cmEa*7oflC9bQ-1Gc3r?3G5{qd-Y`euk(lz;+pc9=Weo{6b11_9d5>FS7>2RRy@Z3gIFBB21W%SGXyIJAdiE}4 z=W(hkRVU$hJhtx3t{cxmkMk2kWffDOk~+j1j)Yc1FEb7#yX~ktZw3kfL1x7%+PPhGz#P6AOK;$DmoX-=35_Z$qXOu6@iB1>8YxZjgjh z@ZG?*F}N5T{1kLw^~>8quXQ)FCmquDltB!aDumH%1>PLGJr6JiuFpxAW`HJEkQ)=eljePLPL$$0`-;$4KDAvqBfIYAz_) z_px0E{2<}I^=1(8ZXZs_1-=6pb$-Q&+sTc(|=Bas2sUJF=( zGBs;YpinoDgT6DJ9>D3rE-{g1r@GfJTy1=2C;0YMCR)SdS?H}OI*0$Yq*NolXG6xF z=(48kT>u;Ox2dnLlIq>1{;cmh>AprN^*EjC%ECdBrgWq%Qz2)`e7{Tq=2Zg;weDOZdH}!Ty^N=+82GDeR-2_DGKWva5 zh4id}^O`upBe#%cAjI{3y5|W(YX08iOK~d(gqt(!ezZG>u-*5}1|$!P+=Ybr`axb7 zz(Si2`4AEW6M2gq+JtAP56+zo=7AJ0oiZYvb_-s~+sxOc!IY5KLk+_YJ$H61pxY-z zwN05SUu3#)A4JqE8=faCc~TG1l=JkqMI{kpR5DOzLz!?AuLy5bpJVdPkH-!h@!`*g z!Qqwkh5z1iUnp20nylIyFU0$bp2xv(s_4v0G8rVPFvDKcGA!WF?hHG37+G`joJ~oF z@a1^1?7QB@?IxwF!}APnJj+;OJ-*7EFx`@81C89gdGi`8zE$TZ)AnK|ySdPkLgnIw za#I>!S{N*ilTy)E=;)GG={5`w!gk+P{Kg4nipG`vC_|%>OSdLoIR8a@)rkXGV;YWw zew_1kqvC&TYhS|;O8AWRqN8znmFPDXAJA$R7L+ZRDc9#q^!}N)BhNfJ0aNdZ+c}L! z^nYql*^{tmWYjF16vRKH5lbJLi95PEgjJfh6ug3=D7sN*> zvfE%0%eVa|8ERa-H2={sB+~DXGPke9CB~Yr%II=pO_9l7B&*FfAbh&eNT2xmoB2;! 
zxGX=O@AD%AExl_!FH;-L=m0)M80XgP%;_8iZjV?l=ssl zJBJ=C5}h$rB2m0APDQpl-I<=z$?UJ4_-GkAt|+u)a#qFnZm8u0FDN8RuaW)^azpKO z)dLp3>MwSqc$~CS-Q#P0skFRF+HuAvSGmd;N##yWt6f7MH)~IqAEhN3_Ta1knLUyq z5oY43Zhh4Kl&5BjGZ-@Y5SFK9o7cXfN=_lC>_l-fj`(E0n?+Qo)P7E;lKh)CY_5n< z#Nso4uaShRV{VDrqqJ+fU)y9Ly?V8WKzp{TvPF zkY-$8JM}CzA~^CA`>XdR-sx|2rLOOiWTQgj)W&boeYA0+*J8>RaW&8XQGAr${=?Fj z&R?}1?GQA8BTD&McJAeng(~nBuQ5y1=W1$%=;lGry z0!|9Uwttx*uHI0^S9b4CnppZAKW~bj4NHaj!ZF+@LNE2Z_-bDv2DP~aQ zXJe3!!H?msG^Mtpw# zBy!+aR2ED4bb9VjbDQcb7b#)zYO;N3x~#_v8Y9I4t-H zLTzayiz^9L8q!!(peMvBWHic(X8$EeyWu+ikuHI2zPDc-!|ssH3|6g(bm_%0KgXSR z^m@z_^GNqP5!Q|8s`!)?4reHi{Nh%9<~-WUWh2z^#P(mnhhTh=aL_NELn!$@}r8@PmqvN-j)L>HtZrpo~yr zwOY;7L>nPNvpN)mjimR}oi#XpU(${kaKAA=afhC`bxj%`QA+S*3*mkVfbI}wA9!Sd~GceaB@cfs8j&@Sn8ZKHc> z2LyMT+L=n>j0)nJX!djhdIyfQdViEhLo^*dPd9X$g-TL8l?1KUF(b~LCxsSr#wUC1 z-aqoy#24G05F22v`~}dfb@q-)?`?wkrP$ATW%T+RaSiw)zfB>ANDDk6m&9Pd@yIR+ z*r5IS_5}r0=Ki*a0=S-_1AAP`WV7{A5v|*F%~JG$R)^P?EKJ+(?YE4Zw#kNGi`8m9 z{XLIc`ycQe;Xpz{f?k^jEh(OMk#^^uH9$ zvHX#ynuhr3eeiE6#=YIHjt0aog9~dxh|OZD2&LNg_cb8gm)eMtUp}pNjk(gqPw!GqUKDDqLyEsMg3v(ZKyPPoGWP$@U;(29<+1 zjoB6hqbXG4_n!##v@;sbu*dpEf`o(ssOrJA>-ZwR;0doB+LLVi5zGs`P;@5>wRoA2 zE9g>Mbr=0cqLb&3cDx5FI{uqOy$bUJl6POi=#|!f3>?G73Dh8$N@6WWuxwI^ z>&DvTqvy-Xvl?|wx2a;6w6O}F**H#He=5|ad2s>{RBqq|A!YCSMAN22motgw&13e9 z$X7hckXMxi-zEjjJrYqC^@jHzuDMaAnxy-g#&Gn`j-?SdXA>2q6n#;Rd_ry1xoOO- z9IM~D2(X-5cB~ms5vy5{jz%lyMtyY@E?38=bI$;)2uAQF>v@=o{8!mue2RC}!QMMwtjj z-#jYLK0`?fGTx=)F2Y~I9|Pv9HsesFtE!sk6FzufjNNHD#vA7m#gDc_XyYMX@^=bQcToobsVx;Q)tXL@q}uTe$&lnZRs`e?~t3FRilEqmKi;UKv=Z&S52w&stK91b-nL zL$^qLUuj{Fhg*^2CkY}g-Q2GY)Co#u`)JomjUs)6v^D_GGE}Ld`w?4e>43oaC$Cdk zv=JV%`FTkx2KPl6%w-o#ZkKoJ73sO(g+HI>jXOTU9-2mAAISguH1b6P#*+bo3e6D9 zJ2)!kY7Y2AsZ|)~&*2@%O;!uy2;zWDgX6ewXU-%*j15Q}x zIo(|EU+EXpO>7SNC~0b@lasFvo{Y=qjuE2Y*x4F~jiM1kc{2aRA=8|jwA~&_0wk^zjRYxT(12B})Bg4H9wMP*v zYLJ)d6jlADe2!q|e(W3!I9AxlByYJaAXlWjgb+4JhaTf}rO(%8T)E4kL3`$wys6_V zzzxt=$d&$)PQ>7|@)BlqI{CJ*rA2tn^Cx^nxvaP`#v~DaGlJ?1-l}bW&>jO0Ye)c| 
zizYFWu>~zcwk>01ae#f@__1W3g2qJym3u-WlvNkr;*)74c~H>^8yWs}M=d3nv3$Zb z)jW+*E;X1d7XQU)YF=%*6!BjGKYzRyD*sTq6HkB_>pcUYMRb#T+d-IvKSWV6gXG2q z?~MTb3&aHp=z#(U_M)=hNA~xWL3Djyua1}WyIx=3M}RQiOSMAQshLw+Pc^CkK1LfK zaw?1Z9*Xfbz@Cs%hNZH}@imkjcTliSj@Q+wg>5tJ!yeN6=ED&Ym;JT1hJe$9sls8e zOwJStme2Oyd8zx4fW>QMMZgv}u-^IkBHaOD3bS&;3S|6zS-W-?jly{=-)&fTLYBSu zHgS#&a6)#UxWs4lTV)YiHSySo1H4Fm)3bbcpISa5{CH%mbNRe$zflM`x|1LU=?nnK z-F~cu**31ZGi`mJw)J{r?CA0vth?;`xT&ZZa`ymMJ)?NNZ?X}s(rcMB_8GLiHmy&2 zUY=#waD)ya9Z&GwL&|;by34B+Y)`YxY!uJq(ZJYgec%kLn}+_b#R&at z$8zXLxGl5KGMfWgb`raJ&tY-><6EaKcY#t2mWXe;1iYp-#9KC>hFN7Go*mBxzB4vU z>-!mstxudD-$6|j4uYF6LrA6B?C#^+D?)8nGPlu>PS<)B;+00F_I#y+$7y@ucY-=_ zto-U(PPKxvdJnEIXOEN9^zArf+mKa{=i4h>WayCr@8sJriyj@n#H^eQE^K>2?|T%3 zPSNq$n3ALI3^WDqz8>eRTbbOhXBB+G=9BBK4ZG}Z;+NQcNbM`c=85=41qhe^5x)}q zcq`}pTf5G!wIFMPy zpp`%41k#EgG-g)r!aDle1zVZ_gM_QAnf?B(uj=yvTV;B|a@mmJW`38W9B#8BAC8CJ!cM4sGj5D& z5=XHY;;EUjX_^|VB#I;rMgAAFvaDsAgDTdcn0F~H#I=0u;!ADJS(C0(okMl*_>Hd< zDum>WJoA5ks*b5zlRWs_E|w=rRz!#N)z3u8TX*}^2HU2 z+U;`4qRfnqbmDpI#)L~sA!WaTME_Mw_I-F@ZJ)=F(F@bSt*lqbBOV#l-sRFNm2-u+%Zjh8m7x~RmMy_Hl$ofmGOPIL);3WAwq=Ku5<+3Da!&7hYOO|?Eu{!O6 zazB0igd>;$+D5#=*ioEFgT1JzA3o25MXhYF&!tK^pz@q{2^qF=KLaVMJb>FKc~=~l zLAgkCN8By~|JGQyJPNInu3pvfUKsZoC-w!f(t%<*5`M3=;}Ukl5w!J_&Cpfr%U9ZF z`qczGt!DbrPbu^|35R6k^*`plwcbAGyQk>?g6|5!v!*6}Kn@U=B>9WF<2kS&9CU+% z2p{m=<2;qK+2F3B(QMv*J8?br9PB6oEA&V#B8zX}0)_)F0FEA`0cS!R2lvMx-Jm|d zdxdxvN^Mt~ORc5VkE8myH&34VWVve7e7N|gGRdnCutu!BF`Dy8*6G&#wVwKBHO>C5 z73Ina#|#fyx+$KhG!Bxorqij1ek&jRL6jo>Yff2}Dw={)Eb^5luq2)XQl6tx*PPVbhcz6cv2euPU#f|A(X#l+4U#Yq~ht}QgGCIpZJFCYxTr4EpMN&Q0(C=r52uoz>t+C_V8Ak?uvxkLl=kh-Qqwt8$B>vek=Lqn zL(O`1!%Q{yWg)+p%!V4a$HCNDK&7qAn$n7bgZ{C9N30+{GoXD83bCw~enayBEQ8Hh z`yv3zBDV+AG*1Yece$SFXl#QTK(X&}J#L|!@~w}S!*_CSPYGtUO!+=}YP zzJ$vL11U?ik* z(lxg0`C;@J2#4Nf*D~f6vbAc@<~lyK?_DcobdEm7X9pR$<}*sK?j4~GYTK=&0`9H# zA)dlrGax>$i5zb@Lhe;h4SPqXV>;i!^d~j<^YaZ@akY5 ztIN=oDPHGi=kpTEwR2AX6yM48HBwcduMVi*`E6Kc+x4YClgM?}m+-ytJloMjgoF6G3Q#ZFF+^ 
z8x^0!>Tybhph$CyVXI2S13l{t-1TIVUYX@Uk2YE!yymHsVzB*`G@=~ z^Jly)0Ymtz!zyDRX+EWX(9&b_~57FLFunk1p8EHi=$VyjO3*pEcu|=|Jwm~Ww;iCUO99eE0 z{ZAf8R~#>33+B+4F8NBUDT+uAL66TrK>k;uQ|slf8SNf-maO6YNZL(c6<#9(MNM_e za9!H@+obgxYPevmiLdf>3v;1;3~yN+TpB+fC%!=bQ3`h`0W&#|Lt<0hBzA+jOTBiBKKic@Sf>FU}r2-hfreG)SLa4yo#kNZUJG*h~Usz3CHRrNYGl1%6< z%&&=YcOUss%&Up*OORtsDJGj3%0gBmO@t@br7zNZ{&Da!$*ub?M>W>wT@(oDI<06t z#54sO_M?0Le(YZHy5P6>3g6JB{dpY6GX#y5bjGT=vo6B5LS(Z1VWz+J;EzCo_-{4b zYh%YmNxVsA%1T7zuz*gJ8-dS-&|Uu|>rjiOzs2D?YyEP!>C036N+lh6sk#4;L6yy? zyDz2UPnmQRf^+~W*9~vLPvt*0dwKDPlQSZ;ZKOM2#dRf5DG0Fn_FBb*%b+RWauO#j zd_PA-3KV6+ANsU!6tG$`m01uhQ&dZ4!3q@yk-_@+2UZCTJ`#!2#h5=ZC`h<)*HYWo zIB=^W2IGhthkB4a?7ArUv#(1%H@fvuBGvVCvwXfWu8(Uz8FSIqM#|xoa5Iu!{PR7% zQimac_8xWOHe5cv>hLy;^l5FsU|xLPNmxs2W*3!&=(}g9U5WKB1gXK0Dv8Pf)qJ(b z?b5ti4=-GHCTE1-ACotUYuYoR9B{?o)<~_apYlB&{6PF8kyOl=Qy&_F`qze`D>-$j zwfAAKVEa+x&412L=#V@}>Osrg--3baD(Eyr?!d`c0wyD7jP&(N)BNRkf)(Z0HnC*d z-~6ZkZPJvXF_BWa8YJ#yt9ZpF%CC63!G)hvO?j^HaKE0An$4d-&06;%iSVfxMj)7l ze1(*kyv%19x*aHB=i5Pt$ zCrSGOd3?>antsK~fux6gbjp-|-J{EatO9OsA2VBswk@j#{HU&EX(xzdl47>pcFiD` zm!uay?@WG^+75z{qk`8aPPpwg6-|reV85=#aeTXm#Z9i9_Zw2+M&Qf9^OoB_55VVW zirUMV$)&PMQF0q}{C@q!cT^>(9_O6dDNT}2fln-uGP(@}=W=x)PordeB;CEqD?nh{ z?jL^%F-{5~+_z4Njd$PaJ{5fjC$#|sM;tr`yEpIvt0W%RI8Oo2Ff_RKClI=Im=7_-JgsJG2E^ z-+F&rzfRY=R*Q-FIkLX_SLYBi3MkKMxk_fc&G;F6OMCYMCTyFJSg2z)(pg`SwEG|n zLV&od0MGO-MaR1d+O6wp38mJXRrl!2mAED1$*NpU;j%`J{=V=-9Tg{Jo*|X#WeWZp z#Ord^4%(z>emx0SLH2r~I(KMuI(i>3SBP#o0p9E+PqhOo*``551}81Zf{@W|f_vHH z$1mPjzn1N2u05vlH5^*edQK(ABbGbkyOs5RwjNp7`~<9By59TSF)`P4`(5FURJU&* zj5ZN>Pmg7R|6TNndvA_`ydsxSrasAg*@uqAtlITt+90ZM;luTWcA-`S8#ZW1E}s`* zP<&t38kjEXnw$p%-*cT#zdwP!U6xphTbp|c+H}swMzJbu9j9$17@KD7@QKNZ-S66` z`Tt(hAyOT0IrrLF=)0fSNc1>X^sEOvW77+L+K|3*d_cO@Oi7XI8 zxu(GbAy1zC3Cym9uzjb(psgeOA?NWTlLHBdy3IWTjQc!KLBjG*CcH0CTk~9w?t!tt zCN;oZ;VMpN!nvx$3{~nj98j*d(UT%{P7l&t(m%@cf;nt_=}dw$M52Rnn4-T&XBu|) zuK6G(>0;K=ex-fN|HIe#e~3Eg|2o5_+c$R7B#mub4R>SPwryv}jqNnHZKFYB+qR8; 
z@;v99_x)x5g8OsNwPww%uLoGK_=itQMMmL#37!LIvaOn}@pgV0bG?ytb)Z@RcoWZo zwj!;nIl|<u!>a#>7!TC%7Cy%Pk`LaYq9k$EoVKc_(Di>IVNc?V>r z+SFkLm~y zYAfXN5H{j7FBx|@MKou)PP%+3A{-xPywrGpmOz+2`;ih$tnDcoK}{XZtLaxRu&^?MFdkX)CQdQ$xiWUx@ViP=9yT7wj`XPW}Jo7&|`8W%Q6^B*OO1#A^*6NAQM2TS^lz03 z=dkY;CkDKj2xLWRHCm*oKQR;7O}o}w$^_Hq=`Gm9nAu0Iu?b`S73+lDE9&-NP?O;X z608vW7F(05D`c0bmuV9cq?DGf9NhpRDGR;!8a5NDC3V_jp7Tjy5xY$y;gs-+^F0lp zQ(GO=SVb<0XoB#>bhSEF!So!G6%IxF?xZR-h)!KPPL(hrNm|I!BIIt@u!K?n#G2zc zoO}W<8m!tXQRWg*6ke>9Ps$i+;xm|Sipk*Eo?Se{_MPmOrb8tMCp?hE%%qJ-B-7^P zanqxu-u_VS4VXanf#KKFCPPNDg^9Cwyi>~~kr~Z~A!gNDXrgvFPU5Of;Qz!nBlZdQ z){DdunZO_PZU;j{`gSpINYXf13r;smxt=6i7g9dA(3&xF{8DJeDrvYbhJmq#O19baVet z%lb8eWdxn9yUOwwGB-3>X|l|Sioe?F!QG97k zt{H(Vz^h}xzZBW=<&R6 zu1%)D{p+rHSX{fR#)>&4vi&omzZez0;{{NVZ_jP$N61{9)OX*pcJmeG4NYlT_Y7Z> z+q7OJO%}hx2h>e*uL-SXrFe1bJ#k&vkHioe$pieP61VPNW%btGNAU)nw>*_JLww#3 z2rzN^KUf6y;NDMK&gx$qtPe2<<$y;hXMdV6G`UPt+dXd9rgUYqmHkLS>rzeXF@U|H z)x+LfVkxqvU!r_5{Ms=OWCvv7vwJk%xD*@hSGQArKX*?<}8n1E98HjS~HW7w<-iDKr`OF{os)0vEV|pJum789? 
z{O=g6;h*tde9Z0mYA6c8N>*!V1MI*dY*dv}Xz8FuBZs(*a7 z)<5oY|MWsxs&z(^CI0P(`s}nTZEmXJpwN_|gM49OT~u`P;z zOcWwNOcUY2611!|55-NJ2weZELJ9HXLmpNb*df>8Xi_cYbDB4s z3k2XYQ}PVU7YLqx!{lhRAjfpMF~JVW0VgXo_oqFe2+u&v`YwU+SJ)|fnF_X>uzA=KA*~sbY~QrcH7Y^B362Jkrej1ZpPUxQX5JJ#oUUz#dCOC}&BfIDOI( za0ciW+D%%fFOXjdDWQCYAR&L*aAET79Q8IYh7hjhh{bJqiH>|BRa_#IP?6}57xgU zm&t9EQfIPk(nv}_)&h_!=f;Ae7jP|6&$LxYw+xO4gPDuW+E0!USdYnn!!4%Ju_JA_rxczMwCh;LC8mfjO3VCa z|3}EmD2Kmc6Z;mG-}0fhT}z*GZMrrd8WYuwPl3@|c=(Mbq)b`h0D~VJ?w>}Dn%l7$ z?-s#y01}T%+y$1Pl~A2nF`FdRh7mRDDCMrPE%F5_KNpJshGY?Yb8;{^#zr%}xK7bp z&LoPQ@9e_hY1#sucj2@wR^Bp;G`WRq*yCJ+$bc(qQa$VRoh($k%C1SpmHz^%_QGnL zU@Y4Q_(cV}$d0p+T-@5MKc{!0$}x0NJfGO8)4BtXm*r4|S*6AQlw%Mmv={UO>7YLf zG`j`)kX_t;I*+i($Misb3U4z@6)KsWNv}J)rdBzRp^dYl2y~ixLx(^A%s_)@V*+PV)L~d@t zVPo^i%os+UgLzZGj=AVF9XNfro4hA5JSYI)mkq=Z3J_<~xj(;C#5gUemuN&Yx#IR zMd4h1wBsqm=eXWPu#4OS{Q=Q~JTAZCR|wq6Vd2 z`@OWs95=jY#S}hkoLHI{bXZDI-j%;q1_mY>NPUc+TVbro;{uVR*!Z1M(YJWJLIqxq z5&|&-w@_v7tV&PH$O;xdm8~nAAOpP?g8a3eqyD=X%v~0-G3tp|yYdp;q$#fXF;^7S&I(Q5DgM+ek^uD$^+Tw8(vU{mKlxM1_CfY&;Z-`KB9mjjAa+He?OAB-7S9xg_7 zj^B)%xKVenN5;?b`wR(KQq>wJ>`s78pTqLDh3cVF9v`*36yd)%h8bvyJUzU?lrk}v z3hi*0p2$R#?V%XaGaWITANawQ$>@v3{QC=DS!2moEFwFO*lgi~@^ldJN8X_cF*jyG z&5<9aX$)_xBUs+_8zSJThsAe3{WA#+^vb)rb>s8kgBK>Rm6(`Oj0IqSGbmxkOBeqA zOAcgQqE9|6@MnY4$(m^NABOG~T`lG(Hdd6k9#|I4ZZj ziv&G=zzBc8t?B3+Nxdf8Cwhl@!F---gh>>E7gl_yd!0I1%U;_AM*7C`{oOj6sM_qZ zvOnd^UU7dOm;Q7vVl(kx%ABD{B|P6;J{*}Gz#`I%=j_ zb9l8fYo$y4@tHDFArF`Xo>qU@<-4us&w*@<9L{yI0502IH3T1HYq4$5yF&*xAd4Wn z$rT%g)|2pX58dbG1L>@%!Id@pwyJu6hXwfGole(pC^dfL;-3R3U$bG~1>Z;z@$&P4 zbhTQIi2%<|_0dFp=u#xV-Lpn z{_8bs@`foV5C_B!5^O3_(*|xWQY5=xc^aGyGwOCgQJ};FUT1daSBF>52%Nq*pUYdB zS8}+|=rew9GS+PRZpD5bhJgrJ_m;4{jV4#3UiLj>&y6mHZGoTZHM-rUaOc3ON<25v zbutXl7j&M}cXjT=(JFM=T9wNGeyKgBX9)VcxMH58tH31+9{Y1=UB6K#m7o&B$f8d^f;JsOEzfxAWB>XjcSi5W! 
zy~_Gn#G4&jAcCs_8rZURpT|=*YoFi3Y=~|y$?4jb-C=2Wzi&24`#GGhqVPFN`aLxO z+E1m{(w#R3W)7Z|fh%WT$GfSF8v&Rpq9+hj)r79+zF4-y_+G7^@z*OiAjx+S(;LdW z{B6&~AjrPZ7XyUz>p|%O0keHe4-{}%1wgQYqoW436F+Ueo8NwQ*4N7yc~e&1c{!{$ zXnOA5_t)5;fX}(_w+2b40mol7gzI~|nFQ`|#lP`t zljVgmrnqQCs<0Vm;t*U0U2YpPm^w)c{%-9VEmSK>t8v$25wt=<_-aI?@$|2%zn^>( z&1SLbe>1_BHyJg31N&*Ap`}iX)%Qc&;^}~e0C|;y z_xe_)mw3s4yKS)3|`|c2F{Ykb#q>9ydyZ ze7C>wkHoYqPYS$mGtcNhPJ5W;Uc%P$?E2SV35eklxu}1`t0_7qxx`s)01JKeMABgf z9f^+hUL}k#9(hS;CK@vbGdg1F)sLaV$@FUsx%@U2)%Qt9lbncbf165&|3vN|fKlTzE36N6Yij+Dl9o+~cgs zXw)Prm~}WQO*}{XDPqcS8yBaV3Od)s>Ezt=TXdTPI52W^u$K=aHm8M3%ADu=hDdFT zISYr!MMxClz(z%?k8cTyLX<3i4W^Cvnyq8a31!L0H4)~z!?H}=b^c(Mn?cz1(3s+k zbd01mRbW%IPTCVhO9coFBP!95HNJ$#i>v{&x`kZq5q$L|+NvQ?h###iX{j-7R5u!IvKT~Pv8mX-lhP2@J`wrR0u9dsohu|+hZZJ( z_+YjgRc=7XW#z796gqi`j!|h77p8Ki<)Ky)rP7%*m5#4{YDrwNh+n)A5s(y5a%a&q zj`f)Xk}z5Yk%9yP4>^`K_)j?3L?6H58>qMDj~={LanJbS*xS?lT*|ZdI|A3nJ&d~p+tI8OVuF~pet2F8^jzsa!-Dwq+qeJ4iAd;GiNG<8P z#WE%NG!s0msntbv)WveYo1tRg9$2;E!H4`2hB5ki9&Lku{t#rOYT4$PkKmEFF?GwG zgB}T`4OgbtU;!@%Yi`VIeuGTPkr~D@DrI7+;ID1$^6F@&QyLuP(nUQJqK42gc?n9V)wXRTQOLX30zYvG*edNg7)JkZ5Z8RvK*|_s)deX zw1F44Y`Pg{_`pzmoTU^-N+TqK%%oJdM+)9*Nj#J$8Q*d`ZU6SekP@HViJjPmzoJqu zLWJ$)hqxX}bs<@FBBK4TB!ZvQvtB3*)am&5yll|y#=rizfavhR2aa22fo7+G|LWU2 z8>h|@;1DCj*s8W z-9wJIb-esW-8%PK_042nWOrkR&&r=mUh~aO!2QaaTi4#<{*5+M!@u>vM}*F>&QClL zdq)*DzHdSO1?m8FRv4qE`wBI%8F{A-0SuBSup8M$Jg{FJ>V3> z*-+6O8eUJ+3)qR*Nw{-MBHI}Lg%hC`aNTR?wh+|+^yIOZ{1@{Mh3B;K4!PAcRo|&0 z=KVksyM6@%kN$I-^#mZywfULq9;-(+=Dg<)vcX2cAK?Stz|U8z`?X#t*y}fLxYb;_ zY{&Ps*%=-bcV29H&MjI4f=VU@YW()tysKQDY(EC{cyzTKZgc1Hny0)S$EIRH^1C45 z67c)?^fJ($zSY;*m^ey#@al^as$nu$$DY?4NIImy3M>R_fy6&AUt&3ZiB@xu8%wSP zE&V=9*a4qp%EF1H3{pfX9vBCWsKmGd>(QA;`3b`tF&YTx!UfCuwFk#0RQ*WU|2@!{ zoA}-f)8^x7vl6p~>nde~HwM|&m>IMBi%I&V={^pQLxRd?u$OL6hmn6DBYM%L8mwq7 zMU|B*KevPdt1@Psalt*2qrW9w!Bw2NcTKY7z`dQHG?@Z@z==NJlCE5xQYpfARl-JX zEZeMhuFeG8mTqV+F`p#9dhSc0T}KisH0*qlF2x;e(N1Fu#25?IFu5gnwhr|nLB~OvfT^9-o!5i&(JUQW!NbjZH_lA(ZAFpM-^!1_KC(;A-iU&m 
zVt8tefN2RW&b}i1Tfd>l)SP=kyW7dTQ| z1|;Q}YWG(R`3M-ed7`BgpW$AT8SoEms4Ate&jzW>b}5nr`%7{O)y##oNun5?GNPF| zAPTdGqez$CexsAAj3+W3oOY4r3Wkf5NKUjVJkYSUajNOWr(^DCK;81tUP(Xl!#?l68SXGx@j(4Kc{#^Od~s7X^3zm7F4oN(&s!-C|KwK65*A*Z=plwS6t_mHQR#nX{8!|mW({S~buf{M-n zM~z6z9O6JfcRh79V$X`NvLr$gbLfIA$N$b+scqpXOp3qe)WzNJLLuC!Xw&;wHqU%N zos!e6e*WHhL<2{ypijh9+*rxpY%rMaZqA=nF$8W$4wqHc|JkNnJV8fKnKFCa6RqDZ zA)6*CB5RbL+}f0Bn7z>kdG}g^QPRnR_bTJEpey-qeGviJk}c zJ45W-pDxYqN&K$=;fP<{E^1xY&H!&reh#`SG7fVzBBfC z2YTB^QgFWPiIv!OTDH!FSf5`n4h@8)2$&~^Z~_lPhcH*GLR7i3T@QD^wD8I0XRnDI zaPNUo^W-s8HGsG6%MFU&=(cE^|!m9zP-hs|O>>OWq~{Zkc2FIpc+6?NL#GHME<#a2+4spUMixwptZVG zq){vP8`8Llm{`TJMSn2bKvJ=p@=6%XzE>eKB}Y+uvY-t+Nwfufbk`r`ee<21 zi*y_ojy#w)3*~_x+&f{;T}_n3D%;WYRbXE$+A;ZgS-Q>qh~J_khj=ThmM>g!OhuIt zykG^ZnmTTl_cz1`d0L}HMH=Ze!#OiAo8~{e1oy`S%y^;zeNMt%iFEZS;m@j z74Uy`r#XF?Fi<7mT9u=rbTEn>pr5R2KtFqoi(OV@D zk|j|z{cAFZ!+}tWy*QSvq)|p*YxmEt71QA5=Q?Ba3fu~1S$m)y3{O(Fp0b2{ffPd` zNnbeoZHSi*j$;8cB!A?sCjcCw8$v$EjKHBuFcO6at=NUk>JM)8iQ*c)2wWOn2u+au z3kIg5F}rp}aXqPG0k>b`}2Gg=`q$S^6PdvWSNC?S#q?pS1vqVW{4M|u|7l%XZ*u&kRLF+IDk!Ua+ z@HNj`O>=i7G^L3|1$|2NSu=!D;uV1Ds-bcs!Lo_^|L^eG?9UPCDzumRv+AD6#|(6p zY4P>nWA}4h0Cj`DV~fdkP$CQJ_XDrLC;;Dy!DKsb)E{$Ap-Zjo4zu%vaC#!}*CKbX*tyBf-e_VbzewdU! 
zOr8?ez99hDr4`&KFMQT!sSuf#o#XegbS$eX_A4;kZe7eS>$uRlFlRn6`P^5CCbhhu zxLX3A@Skti@$By}S4^TqkoiAG`~JL{95s<`f)>>9h`jf&s-G<`Ra5`G?uT0oTxS}m z>gBcV`X14%f)X7M;fbn)7$1(ddg=zGuqGG*-0s6wF??*iV;?hT;!HJ6j@I89UbQYJ zI=FoIm#)AN$T!zMC+_~ebs{9-N9*fNuCBcvzj>Gu zhN79}!6f@stpIv+j zO|q7xByB_Dh34)`&kJ!$S?tm=F|%l3+%FeaZz(6==J>&Kb|j_XjQt>9njx1WCJBztp-uQ|vK)oP0xtef zg5XAD(!}Kt&Vf@K>r4#=u9sXnWnVDrUnMn(DEO6S7)Z(mmeUYK=uF8T9s2w9YC6;R z-CyO2BvQh8+VvKwR(KFS-Dy^*d+sY#I+El-))#|m3`fGsv(;uYjZ4@OfV(E_rN${`8n_#qH{A+ z*tD4I>pF2D88BxH%ocn5&3avezJ|s4(0@DQ2nszm&Pa7T7V6nysgAs1nM|6rwinJl?h;P=7>fU_3m2_YcKvcyRl zr`?3^wn{8D8qMwN_S?ombAL-#D$3hK>QM`Fv$!-{riNfyh*%ydbHP z6*a%HrW5Ah-^#AV3_D5}QrD{z!lJYNL!m@nUL32NTCEQYD*M3`-iC=4E4E_L+gL#& zmh$5}Y(*j}WzpGfsVEwU?2@-1BjG~wwC|YEMMlES@t_b_cE>!+K6=P|A|_C6_NhB30lILuTqJXuMaXyxPh(I z>%XZJY68Rm0V`A+4!1mVla`2IFxNfgKT*8iKlhhU$6iG#Ll8j)k091Yu5{_#s^)Zs zH65!wS_|da%VF52FoKiJ?-bCUcH$Eca>#j=cNB`(-vVmT!e|)c6&_+BNGSjrFz-bl z6Dh%?Of`7ripso*F65Q|s9VkuG?}O(DKl;BX+Va5=>&vrr@ah$CRg!%hpdBUd5&>q1v;*eLF7tlz#VB!p|3G+CUiZeESzQ z?$K+GU%4Ijl7Ud~BKR$|ShFgkOXr*Fe0PMabKC&5mOrG7aa@!*jWB&EM1DAKm13SE z2m4w-t1Fd0*NM{KVm4D^YfUJM6Lz8cpkW9+`6kxG-kK<}_8i7yb~=1Z!OgK1s}A!! 
zeg$P(DO{4c`_e3XR5r96oO`w)KeOp6#Mg8|00;(A^t)61K44$w1+os?hzsqFDuv*GjX4w)-_43Wlz+;;qmS2&wJMU@K;m{f1 z?J)ZC!X)ff2WpaXiLI~inMq9pZO=#Z--)YmJ&`G(51!S7I9Cqf>EocL$F_?O`K|Bf zx1C|ndzG&J)^?ie74LP(!%>#kWcb?$Y1bfGQx%TZ<1w2W(4oUL1Zh3BX5}GRDc(Cc z-S=X&BpKLzc5;q)-4hEcmCpA3bf>o{So*w1wy<~Mt(~=;0^F~5cFFsE#K54eWNAJe z?u(vP-Ue-S13-2LpD@GcO*=si?tGR@^T}lpxa(eHdYx-c6(3$Xt|%JLH5H>ojNQ+D z(vvGUWoyV`j8sI8zrD%bUUs}}ojb+XHx zbd6t?=cA7!o7?V4*Lw#4v@%O=wb1u90mu00fCwjx)w<-3i@*IR*YacF3a?-7%_R~;e?Vu6W(iy_4mH zVW@&QE4oV`3~yt?j#FGtQv(GbKeW&MKNE_gJ?0>xhLvfUbg8bHa@55*i5s_?>E<2y zVm4xl#a96(i5Uqdd##UC=Cd-ErNVDel0KLF4|6Xl!YMEURHM04KN;A}slBWvq$$^{ zk!kS_OMVk{eS53iXDF`YMjIzo;*F{-Xv zlF^trC%W=Qb2w1>*`J{(?pO((_K&44Mu3#p&&&iO*{b))k3a(QYdth89;10GYBC3n zrco)kg#k7Kzd%VXxbnf6lGa>XB!aXFER1v(+6`Q0@~+AhM0(PH$&NG=%mI^df*2?J zFnd~p=N#B71e~(X$`PI+vf|NpzP*NyJdmd@l2!Y+ z^-5?G<;3bSlsL42?rUK8Y_={lS?%H#s5cAm!3bFU8}C^q*kl#7?vFrj&L? z+izq&hoXMa7r&fB>)1VW2i-Ialr?f_U7f3oLNZX4Me74+R|NZ8I!5jp5gUAp(=IhL zexj*p)Tj^?4RL*tpsB)kgqm4QxCAAH9=Uemw`d9ENQX#fiCIe+y?Qwq=uG{KnvfzR zD9EhF@-SmEToec63p~CpO*uv(5khfF>6e|=AX|gYP_hoomjeIY6q+*y=1G+`=p~d# z5=zmhzRJM@Q(~%a)%w?qaSlG%j}mVcodfbM4E8A$4hhvpfso693Fhg6B<{51QLrq&I9YGSPCJdS8Z}OtG1eZW#Erq6Btpkw-VQO& zx497Y-R;ydJJQ3xas~I$5bYb9n~_A5l5tD9+gua8w2MwPVRSvqs5W}f8K#&{(@)X} ziL#$kYqqugW>Jt54naDpDnhu}-00wF$%akZP5C~#y8=up$$rdsF+$TM4e_ZMh}Bz{ zD-UweQuXf|^tI`z!%80~6Y@yksMy4k!YZOP>*nz8>57tilX-+p4VGA91SrhB^Cy0X8NcAJlCCBv?E)RO0i| zHefz~1SkP7iv}s`r}*i7tdwP(mDB04UUW6*{Mha>@rI&*;PAxtj5PgOmfRxX2RgX5 zzs#^X_ndFQ0`#oL(k^S-Z#h;e^jA^E)ADEDQIE7 z-VeYX_g!J4^jLw$#n52^wx>9NechNQ?46`QI(3 zkNaJq&Joqp)$`lNrAxDb+u8?V`|VWuZO2EpaGN#IZ$L4eL!}-9I-upcaaMOFGNS)vC2;~)T>q*-wByr6fDdkoA6y+@)B=G4x z4fL^pYgt^|3H+P#xoFn&+pqZ@_2RYeNT9~PX?JIhe+_hD$WOADaOEVkMUqg>g3mFbji`YHt^`Oeal# zmK~Xk{8tjr2nTf#Y8$6rA32)9fk<`P?lxS<>6VTeCU>8MnbCsZJ$%ofGtyH6?pf%J z?FUs^SM7(s?hUF;x;sl}O*L!cwLs77vDc0d6t|16uJ>p>eaFj!BezLiqsT7c`@Aw$ z&PVXeF$UFD>q%|Sa$#bbv|^(c~V5ct`)1T!-)y}BmUUuUD$sGvX%@z-*NS$x`f zD5!Dsro~@~{_QaCl;L@K&4V*x70(CMZ1jPMs2T@_aR)=^?7#CYQe!kigy9o8Rj5X# 
zdIs{ov&)*dH(BQE*W0iOwhNLxQkcvRkV~KR2QNx<-VyxX52-a`#isJ~>xpHD$T~d= zwj<`nPN${a!|ZjYR;49|=E<%4MXNf>d4wcxs9kCp?ULiq5`Z`V>gfuLA(;G|O@wTr zJOnZ60wubct<4rE^xA+X~z+f|Vtsu85@+6*%nN}kAejlJ$BXpHhq#!O_+9YRm zvEDf|NA1>htEJqDYKbSaM!&zG7PFQDy3PEa3tuB5FV-T%(7j^Ug+a37@4wgJ z5KGputEVmGq1#diW_4m_e+8kirMXFUkFm7PIMh+AB-bz3;;jx|F=!=-eR+>iDsT{+ zFaWF+g5}dlB++l=*wfhaf{8z-&ywikNF?lNSCdwR+T@x7wL}odFwvDO~ zmvE+%zyODU5w2Jey-Mo~=)I(t`3_hJi7q0isWO2}oWkcEx2u9opiri?=8{n+#;r`r z&v_XVWVMulAS;h=wHVgGtXdz3ONBsF!AR}^FUTgEtC-XMhHG-4oyhndiYeQ~;Gd+_ z=r?s%oH+a8cIAOSC;^x;3y1MTXTt2bd+O3{%T_FuZ&W+xWQ=9qLjfnV>N4`QBMx(Om z2@WN>BtAjH`t9uy8)?vj)YYgWE=Hy27dD&;cHt@oSe(~OCF$X_9hc3&Q8{*lJz8;` z4Lv9#ShsOuL%~rcnSmV013~!`yjcxFB{8y0rG80%HpqKE8Q$97+;z|qfIr?D5DCI2 zx+9v957*BCIoy;S12Kzf}pXeQ%h} z0*=>LDMSNPJai&tq>>tGhnMQ?gbuqSG~w*rteJRLAXFuPuvTudKjyWB?xfmaY#n4K zzWbsUhx~h--HlX>y%w>ta39ZS>jXShuhf*c$jZRN!OM$`n1xQ$RJcZgA}VJ{6`)UY zYwMvTsF9jo>Ig1Qn?SFLl=HB6;tii0a`=~Ia`#7KGh)3x= ze4q|Q(YSrmzd+_=vJVs-HV2n;%st zd{};ZlCAlcU5|YGf2caA=**&RTgP@%728fKwr$(Ct%_~iwylb7+qU`N?0xP%t=*UT zFrQbOV~x?j(fgx|*)`y*RaX1$aB5}KaHBaEhF+tg0Z`M+^{e9{^+LD73Qj}(S!6wp zDZ^~@?VheR%8ajhA%h*))?=0Ng{JZA=Edvqqx+x@e(B@;@uONbRJ13v^Q@{;_H!M6 zXUp%#iB3FA6g;xJ%kem3p0=@8hp2hDT<+60_;!wb+Wn{vKBwoX>CvK>>uKtObF=}i z7aOo=cbbd$*xAa;se`Q6?Yz8=-uu0Xz}DM6Y@1Pk#IgI+>{h9ywPxFYcDt!d@eXDC zUWVdZyPbWt)_k4&^=R^*TsF$Bx!;98uR3k1&}}QOJx+14@qHwWooVm=O+B%5ne*H3 zeYV_J@JpwNWn)V@neKQD#kTw7`_gCT=D4DZ;I*Q4(xPU&y?dvYV26PCjU-sBca)OR z`gFi`4mqjknEfOhjHvf@_%5l&>#@2#qW$J-sORd}h`cTPPe7o13*m&xnG`Foj zh2}ydeLgDm?jdt<=>f~nUY}oYfKdQ_z}JrHW3FDf5Ayc{UX#N&(>J@%+!0?}Su$bx zm~>GagrDyZ_WIy=X@>`}5GY%ol&r#CZ7Ty~0rI#VWvEc{#>-Z81+DC&R>Jm6S3kbZAefD=gr){al2c37GeZ&{wyT212(?!3mv`(f)Kxz>SMTARjqxlT6-CwMo1b3#w9*Syk*lCu$}d zD*w{&(vCeZQKbWW(zr1>!uM=tyg?Wml{qKv=7 z(V+{`VP0urZ=}sIIk_se>VAkZohB&UL@{SC&3vyJa)242|F2Hz6=7(49Y_Y%{X7z<``^B!DQzeOgeX*7%L$)P&?|} z9Yz4SSX)$kSq_2+yl@Dt#>7Sp?<@Aj?_pO_Bb^e_chYb6=Zn%PvwvXwZu}{=ukljM z)>U-J3YVv)HoZQA&H- 
zT9(bjXM{jxnMZ$u)OgqtfBX2t9fi`x5LNFD$_)F^o)-_n|4|*%B5eL|0y|CZP7dGDj)gPxz3CgWmEj;It&Nv*F~TvpGpjiI3{fx zV<2K8w_R%`Ki#wB5jdgpzEZiNCUV0d1v$U*jD^J5;bJD-glk0=n+-K-G8c0)jkM=m z#Oh3;WTy(TvOWXBdJ|K?zVDUQ1>kt08~hWp=zHVauBIf6#S5gQ)1r4N=GK9S#WrP= zdlvIhQwF#3Ll>k#3+$vxtfZzT>CcIlPSx-|m|2@8iP|l+#8Z)RkCc3m<%=Srq2iwu zVC69!MPoFj1>&HRWP=o%c#Tv6DUI%0N?Qe2;$)mC>?;FqsD6RcT2qS=>GR}z{gQD* z7^I3TD%)mQ>vcJEaKXRl1w2Tf)^d|XFq|3EMT0Kki`B{E14cURaAQzcJN)pWwOax7&nwjlWwKx z+&_X9juPsqMOXqkBX}9%8m>@r)SoN4TIj<90jyZK%uBO2=jCg%abbKLv*9mcaMmQu zMW#ScQ~4RV^K=0orm_>j-+ZX|n_)gc1|aX1?*ZSs1Tdp!G^;Dc3wPB#_=NwEYeV93 z!>0BP2H?1(9wLX5C4`D1Q3&FXr`?7Bndbc?xANr#2mlZO1Q;O#xqW<{-bWL;bb!Pj1P!9EZg(v3wuzN_cu_#i85WC)v1uo+pU4J&sJDPfRJB^X&n8`{Yxl zT5@y?+eWed+xvgWai+KH27jwrV{A7XRy5ql?(g(B?s%V9m`pgC?f^iakFEmeudUD0 zWqhBxU7t1Ru`{h*_ww&Dq-tufyeHndzKhSl%kGOfJ`_K%WbnVoKG}K)dOi0P{Jy`w z0qrxMY~Lo)>zl+C)HPm*<>=NPQz*T8&mYeyQavvZ=(5`u%~O7cmwx{;2eNMW_IqEi zT*$S3E`|d)dc{7kAK|a{0LLnxYCLDhm!#>WW|X1d*Zw1V?oa7YdOk;|-K-kVe?t+! z2QV}(*GyVBBsVLFDSOxTZ>BYNIGP<#3Z=4sp8VBU(G(8XiM4R1T%MyHNY7;-yL!Iq z?T1aZd$B8-oR-h({gQRwQ;p!YaR+Sf&r-c^FS{E^HJ$cXUc2t@7a{6e#}|(24moYd z=a6$xzl!Q78>iS7kJ`tNptr~s#I=w0-~u>`$*@T`T6$`G(_&3u4V+~tH^f(^&Kzo|nI&%NW_l)gOha-=FVQLX~ndQ67HVH_!OwcZsNSI4$?v zwf{o9@7CcFZC*Zz86X5lBf_B@=gP}6gN=lZd~kp1|IE{0M+`gMQN1G?V4oDREH zef?S|Qv8l7?1~S*A9?0D{X*a5)PV1s2T#}meop{^?vL;08{(bB7b0^Z;7#&UkF;qn zAcXm=*G`t1X0%B1J~w{0C0*oCesam1sQ|Uu0trIur$s}aNrhp>n*&OzF9aaGl)6tc zDn+1F!jfXhnS}8VNkf0YNL?>aN;=vqfitanLd@BwSS6K}^TaHW0`kD57{9saREP9h zmNR->vSsHI(l6f0S-&rhlzc72U%zy~4f4-cpeJU}1IR%Xoe4?^yG)#x^AsI*mIi$k zf(7@8y%WvmBeajyPiy5WN|+~-b~QV}mzK`>7LC!6d~i{He2Lzt)E_76Pg%$piWm7b zODG!Tt(x*urI(m9emT7hFBq$;0=}_sy(0iY+td$wLlhCZw+~I!pUn(Qv_+_ij-88> zZsO$%&yL!LK#RzY)Cffi0}9|jyZj`@zjmpJ=ByoOr5BFMmg?#i5MYQqlH!6||(ATgavqDCfzI8#9lSv+uc%rUIQZYhgID?}(2K*gY z<%yyKmPN;%Cj;^mAH+$yK2rKL@4yZOn=rKRE|fUnuU@f$u|B};Cm7Z!%cx?@2QF|H z)8@PN)`=va>Hu0qzr;_M1y4K+nLphZ8ye{)t4dE2WrB@J1ZeAuhvFxrn{#9XTP9Gh zUscJEDiV>hMe@*@^sAR@E?AD~QlTUc^=#oFoe|g^!Mv##;s_-(7YiLl8u1cn@dxMR 
zaWvx{ibC1Is8;fqr^UQgH(bI+MCZ?)wnID1i^1d%FEN){-YN1b(JMy;s?u3A3-r|q z?Bpc5Q%e*zs}8p3-3$cbncg~%UApTKs~EPuv#(66+j3Xc^Qc$P5okM3I!u`a5$dxk zX)yiP$t7Bp(rsS-l`~10%4EW zmV%s%;hsN4}de=9?tapx0iNe_;Fw zM<1Rddle{5phBOwC4wF;q(N_$RM5eB|Fw?K&{XQxESy>KM%h4D2^?FRAx=LhlV9je zHlom`|8WHI?+}$Zf$;*Udc=iE9KwQJu~QND%0*J9nlONvL+#8pTmYK1*g=<~EE?Lt z)k2k$iCb?Or!>fTXqW_1y;~x8ZbKVfWZg)2uhU)*ZBc#LyG4?%$y$=m=@E=7&XXEP z1AO?%E1x+= zdIjG!R6?1mR5UPNG?xIPcud%Lo)QX9e001naZU-8eq$LwFY1^{k&bX4GY(p@a^Tnp zhjoA?bW9ai8-C$i3Tgob5Lp5Q-?(hwZSN)xO3<%krcIhkK(lR{OL9P3_$DCX`jfch zEy!7H6i%cgRVMOG{~eY9W4w)g~#5w9qhdoP-xjDXL{V_?G1K$v|nnmJm%3JUSrvp8DPkQAPDh0-grWWo+DUG;CJSTJ5@FPw`I~$7R&0t}4@26zBj&^s zWqE$&H_~$_nZO+MBFU-b+)eyXB5;QdQTo#-XMSJQ+Hbo;p?O?)?5{8;U#riffa=& z3T8dIfM*Lf%f|~HwrmT)k{QkPXW`&7`~{d8%poAA`tkt5EqR_j6z6`om|rt$hPjIX zZLc$%SQ?Obe5!Pk1d4D$fF>YN5Ksij@A3VTbL_}0l@cI0k9_v?x~-5oX*{5n>%4gU z>+bk$@8sRKR<8Ehkn3CJbl058?d*c{EV~eA!5Mb5V2@Gdg<`S2js#=G?;aLV-~_SaPM^XmBK{?5)+TM#Jy{$hlgIX&*Uf&05+HBZ8FEJTU#eFNNQFmi z{~p*DsJw!}Xdfs*v>LJTF(_;}zVI>~dc8GDZQo?Q z9FuaexSYEG0rXx+!&f-0a6Gm;wXWX2j{W6&nNR-eO=({4-QXgu_!jB)O!~I^t$Y`D zJmfqy_O3SjosXUQ^8hjiP^7HCXFET;(YqBie`)v~IJLO@z-s!q9AvAmvUy%{zYMzB zeSSOu;sJV($AHOGzFw>kqW4^b#XnOs`+Si#-(nFHb%Sm7qe*i!<^QqcRQid~M1A5@ z7qBAo!<9r{fc?2W3!Vck>Tn{%T|wbNQ?b*?Da|G%5fUy;7?Ma)u!3R>uG3`-P_>|* zl7tuC3nmv0hLpw;UbT3Ngy)8(KN6UV{KGUIX8h|P%}sPb+r>!s&o;*O)G#fKp>dBa z7%%I3;wxiKLWQ&aaWH@6?9cRuaa`$q)TXpSaTWAoP+p9Sy*k^FAQ^*(`uO4@RhFm$ z7tLY_Dn#|qTD&+}5>5iX(Uxs@ts8?|#?oLqisfJaA%`XI3=!~V3Hb`5fQpLKft-Wj z{0p^%Rg32h%D6ylY}fN>cHCvGA%`9j7Gmu<6EToHqy*1GK{cu*lU3u8bot5*38Iju z01K~cq`^O53Y=_J(TzhvbC(jJR8>bI!3a=yS23f&TU3khj_>$AhUkXE)?vJuYe$|Y z;vp`XXqh;oV;;25QcY_YWM!t|AybSAL&`mwePXyxv0MrBg8l-Oi`vv|-PSH?M4V)U zL&R2nT+Zl;Oxx`AB3DWM{ZVsr$0eEI5U|g6gvoG|Th_#EDMe^JO&QE8#x@M%!Jln2b(kS^n!5j_1ch5QsfGBxjQ>QJ;8ZLzn=m&W z*MZ%i%a1h#P&gRCn{`lWOuO>0_@}pM;K5CXTLyM#DM^1w^j`vRK?qpM7VuI@Da%`F z7H#NzqLd@m^%J-n>sQPAL*Hq}H^GKyaG$kdD$JuIFNx1~k-7j0*JB_ji7PaFrT+uF zK;KF__oe)rDV+kGiP4Hjn~ewU=zslJ7iY{1J_8KDOuGKb#YVFN=2yeg&c~IP;l!WM 
zfkE_)!deVhhPGW&o9C@_4B2{FyIe}5M_;QE+nw)d9F&4!rAuqu|KAtOQ zVUGM#fG;oY1qkD5)M1QHgme+r3k*&CwU~(YeweuIzYasODHoN=8Zscs$}*!$2y_#o zB{lbOl(5wUjm%>yqil$Xh`C zm@C5J%eiBwh^|uRWv0qlED-msen&gCYm-iw6uNc_f+5FCM|cXwd?LsLXHsfT{Hun0 zY@PzVL54l@F#*Kz-2zE2Iqaup9F-aCww~LN5iU?!3qqL(vB5Tl?>t*p#`A!PrQN8Q zci*g2#)*#93a8B`Vu{={3o%oAkcRvt0ikXZjSc`OpBC*|cy7d@rRixy!t zN4!MAYWx%*hhpb`6d@d(YQl*c{-etlhZ6|T|IfT~N!D+a^}cKwIe{gcjYtH1Rhp9_ zuLI6e!zCyvrV^byA0&3wu}l)Pb6Ltk<#)2?nLkXdSX!l#awE~f7bh%7hnxzKUXbUM z^zbQ7oJC9Zv%0KAxO5n$F!pf2=CCZ7x!tbX7I%%9Hf>f@GQ__hGj5p@E-EsR;j#m% zraAMY2Wj4G6EuzOMJ<{^kvxA~a7%mbmOud{6P@?gQ} z65oMSi+~=O4-$Y!h2JZJ9v47D5W^o?0*0`Brr&Q@B>sms7nJ53&`Sbnf3kYsYOJWm zcAP$=BLIf(+?v@cd0N3g8yD0zO?KE^+q@npT3OZKrp@-ZZg}3dCe$cTS87}4OlmK0 zH}rPMaO7)iTCFWwW$ZMsrwtqyXN%&uD1v_8#tZu%{uiIwY9NnAt_%XYJ!_ z8@rB&@B=JJKJHJa)eGB)eua%4(yzULEUkBHeX1pT*@tdAfN)$kPi~Ekmu98myBV_? zBYIBH=Ambe#@djJ-fvd-L4PY=`_F9Z?~m6Rxz>&Af$CP&m~5wq`<2qxc4{5IgCyGH z9M=&CWhV{0ovqf6nb&M(&HLyLRnC3-i>$^~MmMKz4X#T-?ns&$UdI${5UbmC>q+?y z99H9W`&B$o?#?CmmG+_A4wkJ=bIQhN+*eE+qV|~P$DoRD&s&I^p6iFpGHD`ctM~4^ z2bKF#wG}Sl!bk7i#{0Bo1m9ywrZkK3=DpID{ds%AExp&lr|?5{ITyhcv$C7dZDuO} zO0Cy7@=niHs}=TVDx${cm=V^Lijvy-T`&>ng_!;H_* zU^_ix<2e}L%{%Se^Em=7|8;*s=Q39vYv=MJfKA_{agalVpTi1x6-xPjM%m~}+xR>r z-U-3?djI?%`CG*PduH;pwRW%v3LsDv0f^27EWnBEhzN_u!bWkueSV(&)Kr!phflFW z!m-r&fMZd`OFA0B+vghvEtAOPMO^hi_11S)`osY(AR5VLVCIH`^G9q_d7k>LTG>O^ z;thyWGKDY{B=^x4j$x%!?j!;!@#&U>Nqz#Ml?7V<(7o`Cp^|i@EwNIL84RLgRosZO z6dgA)vV<~sGz8eFoJn+{(1>RLzZ7(gbj`5pwPS8Tb*q=>0xdSip7H*-b;w}yg6V_s ztF)Pc+_-EB`Afsv+1KdQNJQo0kS9^RD#cqBeaeu1eIl@=yd#|vcKJdQa(B_5c;zB% z1%XH2kl~r;Ylrg(iZFNs%En7jPDuN-w8>?yQ@`UOyOaehN`rd1tjo)*xYGHp1q&F* z17SV$VSfDbTs>8|Ii*OU$gEdryQapg;wia|(HIIb@~918q@Mk-`>SR16)_rxJ1Xui zcxWC3Y9s={L+>36FPUht$CNmTSp zVe;CbDHVIh_kG;!vs<`WJwX?(2@INbi2S=Z?1;05Udlg}CXfg2%F9jTbPE!%%)*V8 zsF)(cOT2yi6dq5{I5K5VkabqX95bTgsh+j6bcei9)2OfPQ=kD#lI(z(<8P|qgEIa- z1LkR&6c-wOZ-2Q=y>M7xNuu6dq2|;+>8@PRP%T~^7tSxTFRAtic-9F$>PC{#wuXxA zRl@GyQ)ic1@`jFCUs7RI93c`jT%qU=`N59^0yWFvc%Wx@n4vQvqHzP5C}*%^wcyzi 
z#pTMlVvPjCcj*aW&=+fnZ(!(qhYIvN8Q^V-X&-;Y2a9g|J^Ul&0<`E-?=ynX2QBgb zIvE*`|RElb}hpty8TwE}|CdTRwW=a4Q+Fz0dSZk zQG7JZ5GKFg#%Hb{A}+n5#atM38R@$O9o<1x;glJ0n=UEOo>qWrWT) zahZQ9tQ$&@v^2R`eTIJ&e2HKohCD{X^=3^KMKlF!t`_FqTY^Igh+;J$UtBRJ-SZ%50_mV~tdBSRX2m|ns1&$xjnnM@7p!4zL}E>-SN2vBoyau28; z5f^k@_fZvCcTSIB7O`t7fB=12g2I4B`PU+fi&6n2GFOXs`u}O%Oj##>$@x$bGzp)O zx#a+#U(e9r4_ikKUo5@8-=G7h&Q`L$ySae?0>GeOLL?Btf9?#xr=x@d2>3iP>(wy8 zy;oabTfI-E!R+#0DdhWFNH^>GU~XFvy$cMz^ipTGn$DuF@w!VMlt9Pxn5m?fUiPtC z(fV6BN1o#6w>;zO{w;47Joj#;^BCA(`h2`u_mvBw`w+m=>bCuUEjiOu*MB}e+`Gtl zJp1i&5|GNb?rSj-xTPnw(v`hh{ATJD3XkZ1wFZh0ANY0ie&vg=O*P|tfu70IYlhc# zby*zCbEtFG&bQ@t_fUwKxjn123dQi#nh`|nYt#WbHDpe-{lvU?W;e8 zIx~@C`n6lKHT(2=_vRHGdh?JQJ;2NT#0lNyPW^87(c^vdoth)E?Xin0_JZGi^l_v8 zI%0?G`E=y9>3KUL^|A5!I*V^a?)2=s?y@-jLzp#w=dNL2x9=&+v%3^3;qd{g4`O&c zv%BTq-c)0s*go&hxvn1s4*D4}bKj>i5igyduOn}kO#Kh3Tj^d(iB~-L!<=+=t-D8B zXl=fxK^vdh&nCaEv~D=f>LKlVp`he8u3L;Qby7T`y%2RCvQ${dx07>l-d0iFSYwU# z(m%45+<5yoneOK8PHY=u9WTbn-#Y=!KI3ztxwl!KqlJh97dE{gC29c0t^4FqwoS7Q zkB{%qbH4l!q0EQb^O0M6o|nuNC$p~OfBm#=Z` z_fm#u{RhbIp@rVf-B3lZDXl0O*36gTKRaBnIgmSC>**>zuXT{F>ki?G-wal<)Ys}B zD{jrSasnCAGBN+txB@)iW*+6e6#-04fD`I^`aVByO(2f{s@=%PeBh#?r50w)U;Mm$ zfIGfuKvR#$r&-6Mde(9E)S2Q_@DbnVkJybv{SRqw#+`~24Ar9>YVeMMOHyJ^oI0YO zL6l*cK~TFaS~P}|+Gh!?4Q~z;c9|mlguH&IABVk<9r!8{yd_JQ0fitUqupTafvk#Y z%EKl=D(O$w#;E9;EoK4JFOp(Wl^PzXHe2GWU~BCsi!D1*-60YXD2DqfL*FFW^jQou z#b~rYlH$?abHzHUq2yCkn-2sotA(&ncnPtkZW1hKe-eQs!|QCC$3WsF%+~%ftXZm! 
ziYm{dSa6fR@N27V1u;tp+SI@#=roP0SO#078%5+{5x)u}#sAq~hKhx#5|?KvQAjJ9 zwXshUY{JQ`u1vZhbq?L9GS!tz>I{q$L=~T_?EhvK&JtJJbb)VVlovdFY4A}W!C5w?<9tbNstNfjwJvhjl%%s9^>*6gK#8FU2^OKJDOo(vK zGcQs_Nz!V8aF$IJT-1x6Flx%T((2hzGTMI#QQTn947sEcw2*ZAOX^D(7w2%6_#1)Z z!z#LxQ@><)jKv8LR$$jGw;P0hQ@e`h2}j*`u+2i4^XZ_0jHYzt&y7oM^$0}&Vk`$v zw?z*S?7|`kZ^{!qweK*pf_|Auf<%Qq21I>3d?O}DcnwQ?+-6St{U+P|j0U{^fQv9G z=g+wDh4mN|vYbx>l3D7G;eyf}N|uW@)QJLZG2m`o73MC%>J))4U4s$T;nd8`H0F!p z4ndN{WLBPkb%G3_LlPNQEP_o(>5)hZ1~FXWaAWFS4nl+z0 z2thZyR`P>{WIRj#%v!M!nz{dMF%#|_Ss}#t`=mS*Roa?Oi4Hdqj_5BjYT}QH{DX$H zu34&pCuE1HaQ1{E9Wnij@Er*VJ9Osqg8<}j{3x~7(i;Mnw-Vn2NpD>$mdq8!i+zfB z@hS;?3w#UdaKNjYtOpfWWb?LrrlU!(7)nZ8hEyAlhE9w4q!>lVFXYgYS=)O7@X?im zm}V7!qS%H5LP~%ut6XFT@b5*Ghum3FV|x{gvU^s=;zmnShrN zhO|H!&;NzLoQ)P2zaDIwA@~P`1O5nP{r&+d0DZ(Vu3(X!lyro9?Yz#pT0hC2Pm)}d z>N>b#7oET1ObR(qEvZAPqP0_{(b6I<0@=N1TDAo7B%|AxF!eCnx*>M~30X|AV2dco zn|l9LkpTNJEJ*S1wru~MJ(kc2Yxbm(PMJ<-KO57lDa6j?ZYHKTQ=pyc9fRl<5Fa;bpzBbK1iW>z@WmV(=EQU!XckBia;5O#D6&N*}Fv-`YzXM zmvmo%(L_>8{U_9e7?4`j}N`7 zDwM9)-X%KGl~VMBBhnVVuLc=9Ub(H^0FyrtG_DV&&+cAdsdgNjnJVmdJNVb03j2M> z^^No#6-GPl*xongXI=*T)6^43c7AFi&s_SMJKFY>F<#xo+g&G0R@d!`t^-c=bS@iL zl@wk!ESi|{df6|L19tBZ&~iCld*|q>ZXN@K{%$9yGdcAe&0ah(UeO;dqg7rDdNH0j zH$88LPpd|VfC>6sU5|D#U*EA%^hrOv9j6y=FY4QVrzWeL_n~RA?Fsz4SJH`8#5J!8 zjaVhbw5VP~%ghZrt*cVGnlI0{cRzdpWl!SHeT_+M=fOWxPQUjz##&pG-lkZuJ`0k% zm1g=MZ?NCJ8UXqg-TUQDayq4)HtW`-RG!C%(5xGf)Sk5W+vs1cy#|dtxUt%tH_MwI zH#-hP$m6gdF^Ii3g)h`m&0Fh>8`#mToxQ$ej@aIHTf|nE_OqW$v8KyuPg!NTJh2*Q zSwjfhEp;>8rA}*9H}tVm`>}W)$GDVk=XNJo@6|`G8~2k7Zh*U+L`cfio5%6uwUcd% zz>!pUr?(OOY`=L;Mpm!VU%DEMtCs;<=$#g+xLMVWu`W5?HdjM8osZWSe-LF*%(5IG zD!1%URASzBEsJ&3yd6*#+D|d#-7R!eH!rg)?>>K99aG<2O(Oc;e_lDsZiT&X^Jd#%KXG+7u_^Ey*%}N)F-z zW~w8oU;{^ng%Cw>yl@Zng{YrY7@+d=E(unz0yeB9%FfM$w2JKUzS+M?G@Thpw}$=Z zs99-CMD{3$R-oF-kj-^UDFfoo4L~HaQE8OnLY!yh=P_W2gNn$tE~NA-{uH%S&V>TJ z62n7L=JUctLvLGgETCEANzr&wlKdqXM}-3QNP)a7z%q2SKaeXHg1hR-L$~Tq1tjLY zJ~$2VhU65pk>JmA?q5oc(R#xnkatQ6%1n%ng+Wf?LI$nljO9FjRqx-hT4S8nE97k& 
z;pCT(DxFU_9QgtIt5#eGv-hOUAYiWW-;ST5c0(v^^HcsYGLO&3eI`oX z5{PG{2l2ASp#u47uvz>N~OFDSQM9vsuq(-^5R)4CW&3T(qOsW_3t8b>`bc!5hT5A z5NRw#G*B2IA{#k>L+dEmDtii(OSy=e4qwVc6DSGL)alKgipt)Og-MH7DZ>!fBi{yl z(_h{>*Mj7m6kVC7Td!RQ70dc$=sJrkHZEK^(CyxXu4AW+D#qbIC#lz2$p{dx+A7vZ z9AX@>aKQ*oJCgS7AopPe%zB=-`bY{^m{7@!@`Ku@snqKbuNq`f!+$gjE72yrr_KS4 z(c4yU@pWjp^1|<=0j;rbKT|3oP2;y2!QlTaRk<6y_o`ePP@`ueAp={$S{^!7_QNU2 zVXxdAa1X@^Q!O+~F*VQK^eQ_?~y$~!uaS|UQ`BLmYc99X?>Bm9`)8FgPCz~NIPF-N~5+(QG-!2h7ro^Z|V ztO`&ED50<2Ha_yT$G*j0mY&Xx`7J`!`nYPb?KZx5_+)I4>rVwa74wNNfvz@EBWnD8UlszO$V=~>ZHDo>UC{rSiSPxD6*DPlb zmrEwe%qsy*KKY)nLDwD5wb2-Y=%8=~p}R-^dJ;3MNHvgZUH`VBnV@PhnMlb5%Lfky~Jk2IqjGOhswj^-QA?Lo90qL6P3xs1ct92Q+%4Qmo8rgn-S^MAu08+Wj z=gNkLylKG0bz?1m8;O)@5`*F~TZ*J&!INuSN8Ov$trQs5Il6-#|&8#c}A96cb{xszk}(iuw7IDtfUr2hS?y>mF++nEnc$zE%Z*{-3R688^sf6A?cm@9GD^g=U9RpHo+D_*!t$Juv9WvRIw-cMe4 zOeq&Q&4cN&U&s4$DGgGB&sm+n!5rORFIe12a%;2NCm|3;O6h%%OVl{yTmM;<>iFI( zq+WR~#9-^TEHuK}xo_*TF+cWhx_7tbem^^~DWD_VbUp#uvnq5LEU~okxIK^Yzif4; z@$oks&U)=N#xw{uXv2Iw;+#Lri@w$J#U#YpU(iq&(n z_j`svAv=kR{b=M9-eIWaxZ(di_NnSY)7 zQer)9UJ8B|fbrKDH^1hMTwZmf19-%>t{5CgzP!}CkE4K5FN_ES?idP#()sL+-y$5%3Oe0LbonH zsPW>EiT|w-yPBLQTq;%>ae#wm2-mS=fW;ru1v`q{WGVVQr= zf%Ni~vgPL|FtTn0eX?s4!LlY0I6Bdeyj&9rtI-z8AjE6J*xtI*V7#8|Kv~WcVmK6M zAgdHq@Z6Nle-ocif$3x+1)$w$XHBLbSdRUJDyee)5YWt8jc%g-b+6)yaoUc-EC9ji zMAR41^fC1*c25+7zF&j?ZrVL4RhD*f;$$Kd@e!m4Cm}aG&@mI2K=Yd_fAb~^np%r? 
zFNDOs&HyMUfvy10aDdqK9on3|U^QUbcBtxv!r|waohhQIKzc+{ELrxlbj_NlO0A(J zi7c~BBkHeVvqZZg^P@d8av_r95)>>}hv1*BQATFmWou3?yZL58vI+)CSG3UQF#coK z&s|4te7C=!6v)4;Lw3oGLTg9WGj1`4iKWuep$kjG6Xe$i7|hLot@$d|b+aatlNBP< zAu{p)B9#D&p)H<2joJq(V@`|78pp^0FEz*>MjAG3Fbyz-bmdMUx9+YGD~6FyUAM&( z3{c>e<2M45POh?EtbHl%^p5*I8pJ{K>*<{B4&U}V9dMfa4sgc=HYH~o2?nhA1>L>O z_#IocztIEcj*9_uArSeZxyXh?5Q`~O@(#Z~tzqq8D{DsSR8Ye)JC$W)P0yO;N8mz4n0${>u7Z?_r-jxT0 z8%3~|CH*fgSnM#`vzZT>`qinIfYPbZH^7<6-aggK(V744f!5oyaAC<5T-B`0%$ZO9 zEt1uAeJxWg+|%^n#}uKWc+p?TrfYWh#Y(bZW_rwGUXuF_H(unWNIeHzU3W;R0AFJ1 z)17O1v?aWg0Bbs|ya_!l35_B&$SIF2pwlzODH1+7EEIr08;Bsyf{_yLfn@qe0{ueC zRYy>!&{E=vu>7PUF+b4-yFEskx)ew=xV@&ti+SyR(ob3Cwc(rZ$7};o#?ACO{yi|F zr@MRwyYT{bC9IvV9v>Ldl8s@CiYw}-GDKY&fb&H4<{dxdTE%M_DEk{oWhuYWbklmo zHdw9@N-45q&%@!jfuW-Tze#^d%(ju&UgZ{juFN$!WC z)>4J@YbSFWp}&ab&SWq1x#O6j59EH|rf1uRUq4Tzg&q044vS35+0ychANl;pG_#V% z^kN`$T~H`Tqa%LRs{i_c>)OWSUfqLf|9yadH+(GTXFm?)an|w_qwZM^o6D`U!{oqJ zH)`>+?XhDw{bAm__1(d&1~{Nj-RkhVs-e9BABx->USP9!(1}+U;4yEP!6z%;j+Z~n z+Ua>+_bgVSdp}z)9sA}G!}++jXsq2Zk9O*h&Gmrs`brrq9tVZ2a(KDe=AY&bwDHPvQ+^p#sJkho$Fcu>Kv$;Y@-aKzJPjgF z6j&IciLhyLrc*q@kq^9fkEBse!bzS$e_C%eu0NCX8DrceBI&LWbO`Fwq*Q|x- z_wwsbgnk*_7 z(PyM6b=~rFU~MCs?d^^#xOrPWn4R?U^BA#_P0Kk_j|RHeO$dnldmQEViEq;*mTj(A zXC$|K4O5P{;rQ;RtNVPr^YifxTh?3uO$I^dqWNTc<7Ngn+i^W&pcnU1QeopZ`u6Ti zwLNm}qjkPsVLxGW_@(=$|K6|DtunJ_)o4tuW*bZQl@`eBv8#GVXqx?HeIQL~o3E?w z`)G!1CAZ7QE%~E%)w%TPM&q*JYo(jJ*X(BTWI^wckovrJuRZEuNr4c)?7=dygt*=CqRDvVzs^fmKt|=Gl?o+eG1Y^Z0-a0S%66QL!l1y{)>1Ce& zRS0sdA5FFaN^WWbb`YmJ=@hok8lsXQ_Nly90|dGgyAT0O&Y1WznZk}tjN({a6|Foc z!8L%GJl_U4Ud&A=Xw1X9>s=5%YiRr`Qhb?ePax6KYI;R6g@8V}>dvc@SL4Py({3=gdSB zHTPhv<*)vG?IokIi0V9>YE7G?&kUADPlD8mGfkwHJp@qo6sk6;K!Nr$)(Qdbe)C30 zpCsg=)rd@<*8S4Ru23xV!@H^+>AeHn9C6B~8F*Sj1Ot9!iOptMkmTdCa5Z7Ck_EZq zDV&8U`Jszqmx4LvQwa#;b@557XvswErE>%JdWskf7Uet!d8Q(|q3x%w+OPo&Ppxe=ITljER0#U`!Y)kWGdlOjLmhqd$jz~5&HzTON>ETRXN>P*L}@PV5@sR8Md@c&SCB z;N=E}f5^Pq5f7O8%nxLV$lJiSM^g`%8OG;WU`j!DU^sh(V0qGMtt5mY#LLOn!_z|I 
zFYEeWWq+uD;bal!^dv4<0#n<}T(E~1R=(V=slT(V==d0`=%Kpf)XiGK8t43fIuvIEF$QGKujx&Lwdw zc}!R#vaT>gUs>Yj-#igSf0E*%s2swXb0xyD2+D{_<_N5K0d6cj$J6XV&L zGFL3u@{~?KL^W#c6^c`?(P41PL_kI`-Cd9l|5DXDy3(b)-FI6Hov)e~i)lr$ACgJ( zibsblOS>PWqvc|Lq}Tty;|&pyA^_##$96jl;Paod>s044ss!)_2rxnwFroy9)$Z~Q z_P!!=(=>G5*Vk~aS`E-vr4ugzS`B9T{6 zBsCfvJ4+hRLD=*i`_U%=WuK={)J^^TB{%MyBR=Dl`I!z`-tRs)R{#az>TM=}qOTRB z(t2k<)t!6C`jY+R)2g=f12PuBbFX9M_67ed^O#)C?sK$dxS)TU`nqQ(yOj-}_bJZi zyJ^!2Tc82#l3x==XkMW-6~uw#HE7B3m2V;{~FwLGuY9iQZIK$4u>dK!b~0^YuV+ z1ON6Q*=>vIOwWSbOVDYI=jCf6@M$TR&-z5Cw$0bY4PYa;^(^EOy!_Bv`v%)J(d`22 zO=DNRpsD0-F)g_QFrYTXy{u=NY6R3h6^lJt+}4KLxhK|LOO+AR*vQA)wGK_k=G~Cy zaM>oeI-2qL^jm>@)gCE!*1C1SwRkS@Z3A+L0e+2uI6ZlQ&Ck>K-ws#1Ln>gW^WCm~ z9c@^%N^l_>@A-eqE!yBuhb!%8o6}!fD^hj8l8Jpb_IwFNX;XiPx?VT@H89?hI);8zo}(nV>AM=j9A8ZZ($ zRyS+H)N{sE$5Cn&+#hDlAeskS!Qyk-d29*=HnRKcv{B;pCU~{ihWY7T$&iO+*J8v& zF>nuY(z3KFC+1ATk7Ch$L^pV_axk4rFd|tYLgt0heZD+qP}nwmGqFu3#pa*tTtZCbsQ~ZEJnm z&pFSx&$+3K_XoV)U0q!@OR=S(Q~am(AJ?enme7Iqi~I(>GjeS-tbyPWQl;)=iCou`+bd=A!FtBIHWJOpuN z*s+z5--(Og7wfz<3i*YbAyB-rsj#&>5>%eCGG60Ut9X>3sYbR4fAw6_P3>bsXAw4U zTp0)J#zDlEMI~=h+nlHpw8B;7&1QpF6&CRZlzyA~FIK;h5C@^_l4rIP^7d9j{_;g* zR~!zv|1-!?vpBu#Zh*S+8L=}e=C}~t8v!gn3R{)E%M+_+v|1X&UJ87Rj#%kNSS>?mCO`uhmhoo z{Vl-~H4%rQEy`?*(IYBVC8Z(QB7?Me_F#UMGN@gmct}qihHEm;DBs~W9j+o7r?b$I z(v{naD7b{AotSbd;O@!PORb3wSc56>(xS6kRbVoaT8M$xC>JYqUc?B3&&;a9q3(q+ z9Qyvsv=rq^3h!`)uUPO{nd|l?8V*Jy&NT1H3Jp>Fj!;irO1TrW_R4;fV2JrFCU?J( zCGj5AQR3ATtl-A2&qXbdW+`Wl$c0gGUQ923a2>74dsS9eid^f5f9zLmQ&>qtOC zC{E(s2ScLb1l=(O2_I^)^zV5>knX=_Hor&Q__$D_nd+=GW>9G6T9(KN-g%Qo6}(zI zsr&cmA?#oc(%7SL!3jzsOc=5-Kw8)HnX&#RT2QOWBrL8jk0P9BSPyE2dj2@?{h=Y* zX*{+TvRSJzzApv2Sa$wVj6w!;3@*j|>yNX>nXft7v5YL(8C3_B_^LynQFgDZLO$I< z@_CT%%m|IQ!oNqIJ+-g&{QAn(!k~zJKB9#~R7F>Nsi~|aElIHV--uPDtn&$H}hG{TIHp5ivx^zB%Uj zjQhT8Q~zzi^cY4U|96@Fr4I44pW*@YBRu;%)r;!113mMt^Hmtypy3bJ`^jI-iFJSx z$^Efm9v$Y@lw(ql)aOBmcn9{C@O{ZG^hWLDQ9>HwM&NDfJgqcBE^J#@#t3Ar#DLSwB%jLSKZ89LOcXtKec+2>vKM83FN|-j#x#jLl^!D(!s;cIG 
z@$h)7eYJNOw#&8UF%7VLmzCz@9>ua5po~OGva&x97x+t@_FqI(9(Ae71ojGYGwPn z{Q`1)0kb}#-~B(iUB82rsrS!cl)W6=w!TZObpw)3cce|Xz}MN=z2qmLH|;Cb1`;~M zFPHB#;b;kPcE2ZVL&>shPtCHgH7x2(10H=TyGe;qyOdk(D`*He<}X`keoGL1Hxno#{rfJnUBFWDNhy-brVS@Xx%oaPusif-MNCny{tQfQudXEVhM zM2E1Y6pcb$7To)4UOtC{CXZJD@U`aJ+ zpID5yC}{0g+qZPgP(t;TQ#DMu?+K&WT&( zRfYe)spZ@2#~m~vhADrc)M9V(;1OW?cK3N1aAeW(>IBRv`w~_unKvC8=K%{Y_<83c ztX_Zty9e*TDO;kjP2B>ec`-k>_*34yKEY$a*>^)NX0;r z7L7cD*EyN=Os647fjuKOq2kq=QErGzI^U;fRw|yw$_7bmLN2+QdK`&L!>}1)v_+;^ z%{#=tXlhkaqr`lJrbV%s!Caba%w6IrU2l~v=tzVl zqrMz7WpH#U*&A(TPl~Jj2rnQ1s0$_JS?z~3q+}Nyb$BW_B5Qyu!I`)$9D{}pC}ltD zzfu&8WZ)T4U32Ix?G+iA0W|jsdl~;qiWbfT-s=kT>>9)O2PE8c+%Vv&Ja&UEXy6|e zv#iN_DsoX2rGhOM6zteaYTB{UAfa&zPQ==AZFBtKQzyq^UMl?EoJhmUBjfC%|0A3d zqrwU;q9Jlvv5E$C0EEG7#NQJw=wfy0oRTH@R;4lw8l7L7yoacNHq?FE9gIGFiJXFf zmg*SAbL_tKIRFW&+84}@y>+JfCioQ61W;X6A;f4ao`iF&q@l*^r-SCV#$o(}chXC) zRLcF{ACKbwGq)U!5skDeA(!2v>FSnJRSh!x9BUndiY0Q*k~~!DD8ytAH?@>r$ErUe zVb%$Twbri3w(Sahw0@`R#3HXsFP2EMc$p#ES`oSZ)YfA4G`RdgKPNgI1tDQ}m^`N_ z`T)jNKH&djmo3weh0XF|sZP84!Au?pAWD#X5BPvyMv=`wP5nji=kz1 z#t{R{doNsGs72&vBkJnzDG&lfDHlBZ>xtdZ-k!Fv^Qv|knx3KlsPnlth4*^=Eip&= zM$)+BIj)V+W$86H;M4TL^gB{v*r3(>$tmK~(ch&?ekSt+N$CDbJ5t%utE%Tn2wQ+P zqv_9#(Z{E8TgSNxxyx)K@@3EQ-{a#QqFAoCf7O!Ae%DXqAg}w1(spqHFULy&m-QZf z3aO3F-t!bEVz2udPo2AHMy*ckF2A@|A?v>0ZNymWFIBbeC?`?nPA668jxtZ<3PEr(2d8V`P}my&SEd}pys;fH%DAL$?QT}Odx3fDe4jYb@2ly9 ze8QXg=DnK3=zV@6F5s&WnQnVbAW#InIChOyY_lu-7pMXjvcvh8AWxvay#g)BM`1~ zo0oON>N~TbuK92>hP6TBJi`$P$_`dhT+wK8GU=kf3K7qZ^|&n7KDM>d$Be2ad(22af; zo*IC7Bdgm-rcH|+ufo1suU+EnJ|`arZodLu$g#8xSh4a1D z4YSUw@*g8Eo9X*v-?BSv&?_f%doDI!1F#vd0;ONSUgLz?NannKJ8m9aj6O#)uz{zV z2gNe?6{314E@s3rL9*dz$5jTssnz7}9SV9}(22D>+IrP|LEr`7-p_{mg{C%i(8cSv)Ph^FOX(VdbD}y8Ytv8f(W4v>MtTSH7*+$t=$LvHY;xTF zTpKda*-Q)Pv9<}8njR$3?+luj6=dWnwKGv_4bWb16)5iD< zLIe{mV=0p0%1BZkYtUd`=2{CLiJGh$9^sy3sWGD%1h_@z^TlMD*$fc5I@lXZx^h;U ztaxtGT-9-*?ju)}7(e(d)a`|N`~8_mY)MS1320Q20|x%hRuhSmcd7)t8dCjmp}=Dq 
zlFbN)U^#1!M;PR~rPyT^_?r5l9($Ap`-uk|=hn!FJjS#vSA(@SQ<-o+1^kwDBj^9bojrEm*aKK36;<&HNo z<{gZv?y>hD4?pAQk`cQ+L-11Y*=GOgsYP4R9XdM(RI6!M{muw0mLc!FEXp2F%Tk~_ z$C@PIVJhIPt!R~Y$78#-qy&-e5CP3rtJq6VEAya}r%TSd)Zj_{0yzHYQ~GQJ-6-d< znno19&pUZP7QS!Z{73_ue=l|8!br`8N3@DiAC_nnI`On^exl1;556Wj9K5p7O>8hwYOtt@zhYJITIsZVX&ZNLOW!Yp*unjT zG{+T1_)0uY3%t=D5jHf9pk1*#!EqW}`r!cD!ic{*;x#6k_sQ*v$IyZz#{(wckpO#a zMg<5wf+X`XmZOnt2&5}}%Rkkri|5PE^vVPZT}jtMR2{&4Jh>E<@XSbIZwNgm5u^14 z4S&TOFpfiekDbY)u`avv@+eTt4MnKfnzu*W-3hXvwRYtcz;jL@jcMW8z~A&B3E;Z7 zcc+k>vg)(Li$f4{w;M1sMN}uuleWps=*&bvPW~@^K!2;JPXD8xng;eJ-TDAC+%_3E zzRRk(84Kh-M{FP@umCs&n0@^NaK)U1w6V0bT4u?2??2x z{EF3ejQf~@=f-5}Albak{%C|xsgNCYz0QG(H4c3a_)Llug4^aDe}VU#c8eo&8|7zv z8CfB=J|Ge{^1aJ$n&vry=6-LZ>EnGH4ZQ*ZD0btfA_?0NyX76PY`_~`?Vl0NZEpZ* zzTWzY4cYN$Qi+Qc>H=NAMWBcsKtq6Jy>BdM4cfO=UKfRIov$GK`dZjQ4>}KXjx!HD%tCnrL z8J;^nl+oMwO|=~h(_g2x)5-c~eT?ti#d5C*(eq`~yk5=RM(uoF*5yS;y8(Q6SmCQX zr!TXZ$q{0|)SuT70k3z3ef)(TOOi|PLf%KCnA-PBeh%vQ`BiP{Nj#_Pp>@7{x55HS z(`#?dBiBZrn)XY#P4L1Ela5_A?Z9gORHMC5ePiB(kG&4Nq#41xLE5hCh6~3L;MGrb zq#GsXskfmhuiAR+L+-eX`m>VwF#>M{mr2)Y$ye&H$%zkh(i5YJJdh3BR&vO9hm^{BzNdx-w`!nGh zpIhQw7KV+JPCZ=OO7bBGa7u?nlPHy{eC2hs#Uq%)n4s4=XM<4xa;{x!NXX-ID$V&{ z2I!YqHkwnmgu-*JSg(g zj(Kv3aE@3FZlQYmY3RDuHel&;n$~T2ex5my_Z^~~Q|rYxh*a}GG~CmD{q|xyPeJR{ zWZNz|4%A4|Zhkrrk=1Fm?17N@w5#7sbaGUR6=k2Av@hWx9d;%zk_dU4bZ4+sR!B6+ zEx9?!z@u{|M=$xWxMpW-(n^73$QKl#xQ7Q~4zj_Fa1&%Bp&FN$zHZ9UASG0evv~IC z9c+2$57J4MiW6{nmI}fvgD7Vw7&dHz(6EDd%sOR2ZB7>b;I;Q4Axbb){rNLKl-<9^ zc#_7WWz*#yqP#R`wxJy_lbge^$ks#_^evDP24Qw^ZM|L(tQ8sKr%Ss$r+ zwxrd!E+FsI$|yAp_>|{!3M`^S0KM;sFz*LhA(v7h`lt6)zd&w1{EMzIj{Dphla*4+ z8fl>>c^QtOs+yvo2oxW5(oX`WT|N@}xvPbYLChXqCJn8FNWU76w?1wVRFf*&s8h{)RFMMQ zY)o$zzkVtrSD{GHbkSPjLSRji*TY+;3lB%h%G7#|PJcH*tWs)C#DQII4PAj-bdmkF z{al5yK?N&o^UnhM!gGhXwpzF2o+ag^1)L6QbP&OH8|LWas%VNVZV^=f8Wq{?S}{!= z21b+um~u4AYFTGTpx8Yusr<&LW!053T*&Obgvi<56xCtoDcOU=3gDd@_zF}9)~JTh zix6fqPyoQ3OjV>2pS>(h9W8jl`(Rg`wzmTBIe$FFyo?p?5R_C z27Fc2#8FUlX4FomiF2=bz22t6fE{}7(j20Yd>ApT_n@Tdb)Lgq0*%45sengC*EW9e 
z1dk=N_fd>3{zX+Wm5-B>Sjs#VSNTkmJgq28kWBEiguIq4Q3S!xM4PloG*Qacy<#x` z6Xpy&lGPEBEwBWWrYO5`_7ImL^KapQ0cZ#=S?`nu__6|u-U1%KJvYB*yx8*vv3+sY z@1a)!N5aBONS)_SYcsDi5j(VbBs`osNHmi3FtScyb%-^uw0R#VQQw>&^p_|L!n^-# zTTb8oMBbPDJkC$@tdF=^w>h~9WBBWavnb}8uSG<=KG)+;RjTcaNzLik$1(VPZGeH1 zzx!%p+m_%lcGFI74_@q&oqkQzYQ|Oz`#Ym^zmYU?{pCO$@bF;E$>?enO6r|kTK+(( z+Q9QtHnwk`AO5U|k|~hv1=IiR{_6DH@wmG{aS~D4=Z5f7fcd-Go(vA^>U9<~ki1ht`5_17kIM*n)& zMbcKRUuokC=sDv$W;XV=p1nT2{|(z-4LO!*tezdFr1AN)uy^486gR>;z}u#20^aKi zuq}OfWa3m?zqMCr?hr72@MHJTj63;7^XTGZFT6{x?c100XzeWNn;8x8n{E25u6)?K z@rh`C487g`Lfu5vMWUG9zAg^W+#TQYZ@kLwxT%8jFw~Rjg3%!G$R|zU-QF$Kc&Gby zK1hJ~vtzpRgsY0_ajs;=9N;rhYFACgd|jg4^C<9mnF8pZJ5*i@^ti42!yPB&#N2bg zJJxpPhiJU%T4gujVk3WexDwK$-AgKLg>{#v$^Gv9dVJln@M`T8<$pH{pJrQ=;!D>t zbPnA?6}09=08n}tNVa^2JY+w+a`p8O~CxTIv~{40U(fiAF$pf zVyL;yt==>O39 zi;9%J&oyANCk&s*>zz%15rRN_S2{REqs|+1!^l zMwwY%Q?gtz+i%!BRlY{g=i6;Fpeh$QvLceI`|37S{uAhTBf;v{H_cnoM=bW5qt&sB z;X0+Z?r8gM<3R&TLuVa@rguTHb8kweI#z)pNgB@UF&wdtb64nT%St1~)vpM7DYkH8XXnC}e|$dO*kqYs&?F z-VJL}R=+ZlCC7Ij;--H0O`+cj!__d-I^Dqw#!I@P64Ad%jnLweZxcPH6}rKa0AbO^ z-V}j*nsp16ip~fZ0uOf+6_0X3EySp1<3Jkxm)8kLG-=Y@4-VO9!9bce^h(YBwLoFX zh(^_42fkVt$l00j5h7TJ(u~1n_nb1Z4%!VC6JVqp4Ug{d3ubD#t0fv~O72^us#OkY zUR!FNMs$eiGHpVm6d;yYA9J{^{25B+U`d}3H@DY*>cNaGADaVX072Q^;k;Z51t(Ux z@{FOzHJWDkc!xDDG+YF=5Ei_AqKhu^6^_4^w7Mn}ur-S;_-EGko*KPJ2i2Cf1}W%1 zAhjzFR3P=)ucvXweH< z2v!P9XpWjkhX9t*F6g@96~kF9q2+kHYSU=gKUfrErj z1L7de-b?^#0_)hMSe>0*g|k=ovaRFONNP~{mv+%ks2Y0@;42V;2eECRxrI2eR{$@2 zrR0eHJ@|-nGIq?9OWng)%yAZM5vDNg@F#OSVR2eTi*Dg{Df=q?)Nv_CdNttsVAVCkswWq>N#c`#MvGM%uify$nl) zIqPM-i7uLRSjv863UaZFVzreAl!$7!tg_B{)}SCAiXvE&tqY}Sf9!BdM{j=;mb}N7 z-ghWBGp~I-#ZDcD0k0_b*~4!y5H~Ux9Tu)G=O_*L@QnI^^%@Eq{v-bq^(k3lb0YS%m#ya&_v8I3yCJXGzfv16gf*~irsQ3bud_QIXXp}MTxW# zGYwQ(_|SJ9_6oL0VWNtR+E7bf5@CrOB>n5)ykEMjxM`WjXqJ$V*U~=|i`40M+>TP+ z!M`}mj+-(aftvG-oH@`6%6l5M{GZ4qJeD{qqC7~nCQEDrP?P2^)=E~}Y0xfI!#{t* z9i7mHz~b=U(bB_9A#%8TbS8ilqS;b0GKiDo!V)yO&Y;Ri|0r&>)~iix@>bo2jpx{l 
zc3MuaEIh`qH`j>_*Hfrtoj(`h=Gb#-1Vz3xqEq5F&7gD5Nxxet%8WV}t(;LVPu3_} zO8C2mmyE%GsJc#bf8;**Ktcf;w8_F7;+JHej&hztw197s9kG#1DX94!MT+`Tw)s45+TfTRP`n}t6(?m?$ru((nN_^yNs%T z%YnN@$jEj!raCIBnX(M_ z9|yxRX`QFlF||96Ntn|@C#oh5lw121QnhV=E9e=pdY+EI1>KvD#E$pNMqNVd0q1K& zLA>zxnALzolPH3|b2aLnfIYDj_#5S>4a0`99zSE(PUkDn!B8*UejkFijku?pg*rli z$W};xSfH!K9p1_5Lyxl4#=1s&OkK-DZp}B>-T26^>~HHmbTm@qw~pWB+qBRkKFxRh zl=O@oXJE3CR~@g{448_v}D1BlhunSC@Mx=;(Seb8oR&=KYs8a@jqC zf1Nsk9N@>$Ov2u|pU{)1XCY{L$>|ud2lkw;eJwh@v71&jS0Fq|)OZncR1==pu-JIq zT|b|AZtuUsw&Bz}B2CRe+13695{2|p<3}~so z>YWXrV{;%+V57n0$_F(F*u-y$zF20rWqCcR(<*`*4u#(7b-Ni44JYz%1>SOf zn4OBbTClZ0IcYNj2N8u8hILsrSP|*4@I^jTeX{RWxPEw|eBC|&G>qvj@>LimKhWfp`|>>vs4k(gExK6BH+^%j z16174@EHaE<79Anx6G&}vCh(b%!f-KQiFtLG2wBiF9MsO^RLn+Nvaf7h0s~}^xUy{ z`{&ITF)>^(v;2y{#U)<8gz3P0+@kpBzM5cS*Hy)ovVkRHL1OY4Jn|%xWz?CILF`@< zKrnA<`qoq8$x4c{Uk)ic1y%DmrW>4Os(uF8n4?Hoku--5yk+W>2kNa7 ze5FO$;pq1L`L@Y}jdcB~W9GEs@;2b5bml??F`&L|W3llxI9V2bL=m0~IKLO`#p4~C zq1Kip=nhR>8S1^+jEGL>#zsWL|m^N;vZ%JRQZ_8}Q&+#$YW z9BwJN{utut=#1-lV3JvfnoGmr3U1A3tCEK%IUq10vTH^_pdlQ(sOY6}66Y{sC;x1N zO?Oz%&bIj#7=nWhU8~}88DDo8E~Gz3MLMU5A!wDZ#&&wI$j*KRVMhN9C zTAC7OV@AYvb?&2e^pgpCsW?&cp_DZ~R9&f#vj7~f=3z4oZcvqLO4gTAqEwX#!A`e{ zwN@wEL5?zW@i$c-SG##If{)rQ)5%w;vwn zyWK;OrSvSRa8U+YX>3Y?n{qxOXb3}8V!t~}529ZCe^hhRQpWJWZeqqQ#_475f~t$sjVn zV&|8edu5iJN=UU8URc)fx@>wgMf7V(H|2teSZoCK&00*`Mqy?1>;RnjF=lqZfp&(?mT231&*BYxWDfjl1p)ID|!&x zR??;+62HIj8oxyYb7)M4CT>K1#lMumdOZ05!U;e&9|r4v?K51W^xH)Y&bv=iIOJLX zU=8qw%zFuQfBZ}gCTi*e7Pmk8e3Q4@_ln#K@`4;}3X?5j2Jr^|d7RH|j?8=UrWqGt zy`w(8{T7$!=uGK$j0eqdyGh&g?&W`1b9KGBlqURfMO~=yI-qg1n`A`n2*2GmOaDN{ zK9lbWzC81&)#VwdPb`%gV~8%#;PDr&O&G8+qlStat8p3_X$ySOP6GbRAoAGH!Hf zegdb?>pCTpw|52#dTj$vk-n2CRwnz5J4UAf#q@x6%}tAG>1`}e8L z37^5e=;>ja{cADZ$Judsh#zGb}!mDsKh@xHZZ{6Czz1Rfn%M5v2kslUPmie$t@lBWY`IrB1FSPx)_H!K`NE%Confc2j(6?l{G&F3JG6+^ zragzc?)*7a;Ias0ZHT)ysj-DJq!W=2yjeCyNIQkS4BWaA+zy6Z zY(Hz#z+@Q0Zfgl1ejo)^o<{CTmZ*qV@u0fn*BA)G4ELDUz({GO+s19$k3XD$%qnPv 
z+k?9He89wJb|aFvWM)IZB{A0LS=bk9CP>W0vm^YHT9OiVfQG_h#>R8*Q?PUB9u3ma zEuzGdU)idZh}Dlto~J_$RvWke;sF*^6&upyyvB;&BNkZ8z6D)Y`EnOvW{dO(v`xM1 z5uHU!)acGHDhX{5B(k34FE-}xZnr%kYoEtYTkrufheIr}4f*Uo7Egi7b&lwsEeK&VcE2Fwa2Ne~ zc`yu?S_7k~d4|MGWV%MAeu z*=EBK*A*B)pdl35rP3bctO)hHJULs{ogbsa@;9Ue86}M^zIFq zXv%J&HLb7(`bPOa^TEIke8_vP0H#jCakeDNtg0a5_$I9|nQ4^{m8ji0qo7v{;3c2S zY@JCfB-?ig96uqH(BtbdDy7V82A|yFsz~6uBdVJPO^28fK7>8e$z$O&YGE&xPo*~! z(7z^QJlom|qec7jYl+yIRvF+7v}Bu|A?eaunL|qinUGF*@=ihx`C5W>coZZ|x46{9 zv4t$TIOvQf<9kT$!)!ZJeafhRIC_yl%L>W!sgmJ)hJTjiJn@rRVALm!z)`v^u87SLP3uRH-1=7#|T$^`%1gU<0fUf>Mz3Cyb|HJRZu%zAe~(bsq~ zTY{1-{~DBQ*~H2!&#Wj$G$f?_3stOP=vj>5PzLu(A$o|}s176T+;k$T#fe!mT#~L3 zAqZ7ZSi6=8O|VLftuJM|iCZPxA#)f`OFLoV8!{3!8AP8x;7fo+7gK$9ra>PfTNBS9 ztI-Bk?@Wm0_xF!B3VqInC%<8}u&wM@`5ARr7*WCxfu#(DzbfH2&I_@&`VKZ zF{9-$VD_bqoasSC?(#luD;NDTjitx`f@X?eKQQJLP^bP28Xqqrs0g|wpU`=Hz<1ic ztgogC&aUp3@4|~aVrtD0M%5b*B!MpkQpiA%x`2HaJOiF|UlOVHny|L-j?$PjdhRNz z;a1`50`uGE**ycns;O$!tvZGapCKoz1Ftu@{detsU-_5WbPjv{n6v$!wmCa^j??4t z@{Idzu5J~>&xY@(J79hPwZtvVbo*SN!_oj3`3Io61-@eXmR2!$(tFGu58Z(6C<%U- zq40ryqqXM z{p}57n_QjKjce1>6YRze@8he77k>fMjQ;uUFUPlc{4!lDr&6ZnHQn6%EB6EgK0yEJ zF`WE`d0_W_9`W|SSIL8{U%1NCU;cGl%l((Q4cPQnSN;=DX$rNyOM4&lRq6E0#BWm< zg2VbXGfZESK;bLlp%+seI(k3we=$z6@6F$j}dQMcXAs(LG9NZk>-K(!EvFSRDTRYiPx7zgC+woex zOx(O_=-_u^*$9l%Ke*l?^1s%~o2shydM-LPx;t|rd^$6~`@kL9asM;I-3R#4EkWPe z2-pv8U6t?bwq|sp^ZDv1EAlE2w60KWm9Z*FuL%NY#9KOkA2$-;c}q-Ig@#N%9Z5RHZ%yTru@ymQxgnXl# zsU;cm-|t%4b&Cv@k)Dr@2Fm3`v(L~L7@pFJY32k@2i~-ncU1~{fshiF8dXMvQD)YI zVles<&;cpmy`G>}tDVw3Xh!`GWTHhyOja#NG_`FEL8Sx*-c$c?B9EV~aixF!X%#yU z?HldAZ1**^8dhD33N&B3$@5c_YQQ)!-~+RP=7SVDiB*ri#}n*D39BdiNF=l*%E-(4b~h(u0>#Su9H3M4cL!9w-dz?e)n`xTmmd zQ0(K**HE;>dvPld$I6-K$s18#1~l4K9HWDA7ORr>*+4P&DSM=l=@oLuwfKahIoa&t30Eq4;lhWq zhcV(=gqzE2*Y@uMQ{}jA!dm|ru!Y_>NX0^fF%zY&x#YRu6&tBJ)Pam+M0}>d3j;k$ zuiJo>Lq~+%@QQ?TUju+$<6Pk6itD{Hu;FL~KxORru4{85MNUH3iog=?*-@HEK=rOO z?;=hYsqT}(Y4)R3@5DlpGvc@0@BX5(eC0AQNaA7$en?vT1{`RzoFudWa8yJGn$~Os 
z2WyST;C)d&q%!n=kt^yRy^=_GJ;aqq0jJG#?i7DW(hE<4TvVC-y|%`pcxA;Sd(F9g zla3n6Ux8sKWJ`JxQVS|QOdh6+#_ZwI#>)G@=%Tp-ga`)^mxupRsE88sSK;s5igSz$ zwovj=>|yQs!V+7lpdCjs)TQaeUDX@u#bMXuB}L7%q+`g|6I^SU{ZTQG(h@m`BaLh< zsqmLU;Zvs23H|}kMgN$ToIb~uBIZIUd5BHI`w7Hn1)q#!9zcbi=`dkfeE z%EGySbbVOe#JvmarZoB{VPcN{Fz9(&;#nEWKl)v7(sX5R6XWXHsz0NUszWWzGTg2y zzUwr#@CWc|#H*+1f@O=KF4-(s#j+zQ?}G?u*g@FFUW!>&jADuKEw-k!@H1sp@T4r@ zmX(NxET%Kxg%)HM=c;MQwbbCBYgI?o8t^s7B7)JCOyneGjXo65 zGw!=;y?&-N)tz$hx7 zM0%FQ3ptnwUN~`pzoeCPr>5Fz7w^BdOh#7WbE#IMZt6n@-%x1bH5wdtFsDF_PkQSa zl;(ldzbC@T_?DSKgh^S-oDbpf~Ixc>)C3xIq;acmhNY3VdDF!H4o zctOZ-J(ITskl_eMx#fvA+Zh1N0`7_ZL2roBMyQK~Qbht!KJ$3NUUs|bOZ&bq(EE0P zOUkVs$Aeo}nWDXqv%lyK%kzZZQ#OBHS^%BLVAqrCJdpxfd5a#d`mKy0AGfz3LS~4k zbA1+;#v{%b3`OPf87BTqrAy1n~pgzo7o&Rx<68%UUf`r!tOi0|CzY@(LSW?ACQ1@lk#dPHW3+sq z0*SHZgxUxEk-@}3m5{?vL5Wlx^rJ)`sHk0bviZHj?km#3@wSb>d3}@TnRBvKT#90y ztVwAQIaZc|x_V$EYNxZ69-+f4o|dID&6cbOms(k=Uv2(aj{e)RA8Z^+kjw9pVNDhz z%7*2JU#ieyj#3VC46MKPn`e{y4hr5?LQJFv4_e4tB>CZxeRHZe2BufhIvQ`{$n$$d zT#CxWCcSpZph2GjR{^e&z@WmDg))iZ2|asJF0vN88GiuGh};%$4iBVPh4h>&&pOeP zW6jhnzIBth9k(?Kah|1ca6UOaoKkA))@5l-hiRd_)XXBbaEk+rmI=b$fo5kOO@l2Q zBOQiNs#@R&e#@e{ve8H)E}~q2|BuxVh||pWplvz_c5%x8|rCH5Zc* zAxlAF|G7wEk$02uA<}S%P_$A{gVoteQu0oVJK{k@L7MHfB#lX4o9Z)a3EPC5n9>f% zLRmTglOA#t4f+=nj;N`cHm8w85Mt^X#mg9s$cae=OGafSC%c*Vpbh76qb&E7n+qJ2 z-Y<+ut-q@Jj?^Op|5}@i5!x`iB_23-o)gD>#rM<{lr#^_6=_~*d5^O|anN_WNin4e z|JcwwHmouF`~~a)Gd>W%n1B`E9ZfHuvmhlA*iQ9xslSy_>1sSam0ZNn-zoQw4KtQ< zLL!gmW(4qhRC=8BL(MA$O?=RIW{qi>U}Y#Tzh!sHvX6!+Hg|dHjL&qFW~>_IBEW|J zfzZ7ASFUMnjAcuW-FC}{(}c4b$}%o@Ps$Kl>N(TgHPns}=J{tytS=uQ}Ilj4J* zN&-Qn_tB~-)+|&KN@d6}C{QHFlsN2Cok<$DFE8y>Sc)4c@)SC8E&{E_Nyf&-Ei9wY z9|tM#ucX?OZmi~+c&&Z4(Q)?;LX!4c12n&Qmq^DuVmf)j>aiP$5fVdxPM5rKK%uASeU zbOXrCjJEqPB`LO$|6%GI+v@58g%7<+kI zG$7FJQz@snx$E92&~aqv_8!CEYjb01&$QPZfX5JXt@Rv>g`#oCa=7Mqut?>mlk2sk z^s;rH{`~#rx_hq*75Fim>AE+~hy+!7$hBIW=;(&*46a#&OGO0X}jH z^gchPnQ67AuK2tsy=;4kAMAAR0;@S!m3S9#n7t{xxw{t$m@gfcMk;eXHU@f2ZvtXp 
zZFFBc(hB#L^Z0L}{f{PPZa}+rh{RmSRfu22nU(Ju14>r=ojA4-ll&Ga?>P_BozVYL zBRRz_-SKEUt0ok5$92*2RpxBd@`+Nbmy#cY@hj@v#@&Od55OQ zUDo|Va0_s5(F7FqUX^V=@BVVH73*s0_wCi&`*OAto$&ijk;NT5HF9iM^}KDJZ0{Wn zzSR0<79DDgIrA8EB$2NlAt&J z2PON(QiMe(276mU;XCV~leANTwtTDb$EALgpF2-G$!~WgB4Gx6QiJ$IhhS-j?2v8z z)^2<(wrCU+f2W>Va7Q7svb!{6C%Hb|@`f9OxpC9V3uHp^MX{rpFgat!#M8;^NFmPE zn5osG2vv=pgleznix4>>=O|*9!SGrqE&5!^potP7>_T=-q2?6 zD!0-lydbg|?x5SUA}0f@1~Tdighfmm(8fQ z(ByryC_z4KN)>V8feAiHOnvKR-+vb!u$zJ zr*{f*(JH5AC!H)kw?u^uiCjH7@By>?~hCy+u)>t8MF-|%}ORESvuXK{dKyzSxP-Uf$C?-97IW;0} z5%Z(O%={H*qi)djN8_zd-W3{b8WDP#+0E!K0Q;04u?_^T>r(~c@3tyQ z`LcY7!H#l+blReKgvFUGKX5rPv2Ia@4=SK5Fa4wc0z#uZ zuLKGl`#*u+nBK?cm!1U~k;{MJt_10Iqgg5g!{KQZwJpj z4#9it72;Q*ZOJ)ukcf1_7kAs_!^xf*y;t%3(3A%8k*#d?;@4lhz>5{_0^{-m!Y8Hl zOpXEsESQu)`hF{)Z&uL4k2#JA*VLhM6fwwO?(B~4TL6EBVipG)1P z%gBTyq-urZFk$LkSC;T0lZeJJmW99!EKb={5)X<696}6Mx`~le6JyTH2Mk8%ABl9i zM;VGWG+sv0j%=A|5cZO)h?vM`4K}+v@`6+vEj3(pW?>#3AmhIf3DVAo3uO)miu5U; z_zQ^nEcjo0nRR9e^nwQKxuVHdO|pGZLH#(Qpa=>F#@GXkOIW~+A<21E(c~0KuVWUK z`r1_}qTYthgz`=3N~gokZM3FDcFW4mi-$vX*iGlhGf|0V%A=5e>~;lVW>)uwW@p?r zLoE<6`DHG}G=!{B|&kL_SqCeQzIrPI&vpu?GeM&E6N zPNC~n>Z}w zukWRIOUm($aV`I35>n_kdwIQr-PZT= z7$$ah^Qxa=cD;-lYPI7xJm};BS%M<^68-ka!&3FQjB4W)wl8-FVoX1Z<+&?Yd2Mt~ zb6vOB!#2JDg*{_)lC)pM=56m?$EW)`IV3iG-n;X90k3EHo4Wz;OWWEX-~5h5`nu^m zcK~Tyskr`4WbRHSzG^Q&td72XEH#g<%_tu>w&$xKRmecVb`#AEhzG}p7qc}uSKz4I zw^dJp_axoG?Pfjh`%P#H2#__kGyRE%p66-TRM~s-Ai>zUd5LHz;J1b`6Ewr+pAh`g z`TEEAsB81RLCMeRSZ}jyZ{As;&5h=N3U{e0RCu28l z;|fwWXL9PJc;61*Y+p{KnelvS*wFX*coo|Mu5IKL^R};D*~{xQjp?|LtP|+|=DPXc zLT|=JFPZX-zhBKO8IaB8FVkaGCx~tBQ?c$Fd_jJy#25M8(+pBLN;?stW}HhpX-%%> zzy1KkaR>mDs$%Y_s~*QC)gJM+1YiXRCC@8)uT@NX_G96z_?za(X${_dm>9o#RZ1Tb zZmg`k^qo{_!b%9&h&X%HZ`N9p>O+lNGR@JQkzOT%^AoSCvhd|zY7+TB2!cfeSg6pR5*gn%TS#?lG)SLgW;cN)z z=nrn{6XWojbf4!jZjGC+#y5`?;@=w34i7pj>}Ms7Hl>y)9_6zcHmKm$`r|?lXx6ElENQpNW-{oLLf|q^ ziFVfL8vQ;5s%tn@~!0;|(=nI9|=ZK073Rw0#r_^rA0)EKBL?V9)Im>Xu;o@ntuB&H)iK`W(7X^-tC1v*`X9d 
z!|Pii-)P8uF4_gzgPq1-TP(1JgjHUrb6y?a^@_kWJvz-@^Qn=ymrGm{8v7V=Pb43pD?xz8*T}8r~I;o0SNAvBBY$z^k)+loWtx`(La!j z{j-nh;#In3-}VJt!yI=6*FE{D6syis#SiB5Q?E=q9L>T9{05q!WUhWe%vYZR>L`r_ zo2#f24~* ze%nsr{pMhPV?=sknPj|Y3>)c}y#BcmGq#i+4m0 znH2*sM4V$&#D+QdhfWK<({LuFB8GUkZw&n!m2Rqev4GMlrh!Bno{Z$?X;8Kyu%1P? z@o%nmBo8##<2|S#DTn}e^uHy^p=IAxu~gZIh8Rr`OKyNj5oY&Wl z$40${aoNwu1W$ick80Zemgm%M9$(}*{hcF1&j)wBxHx1y3x95#276k6UVq0aE2)XKwy$$^c~w5o{CN|X zspdCL6Q9i2Ua#A1jwYr3Qngz?o5;`3Jf_$iCcSBKZQU(ypQE;ckFn0}Px@X)1w16b z9upL%FLE$I78{p4evK3VCP0>3eENVbMS?1awa(E;WCg%}6WcpYPg{2To0)=s&t+xa zj>ow{KZk%0yt+T++_Vavk8S(z_tk%U?sFkt@sgp ze27>FlB@_szz*|Wf<1YEpJ{ytm4og-N-_MF!gUJU>&x&TE(DI=&Oiet3053IPE$UO zc+~CU7~euz@k+_%2uv5ee&r)JlMzB<{Q-No?Y5xwt=P2s(n$M?WL%J{t;>B{154Wt zsf+&Dbs-(ji!`iY9eT;ez26CM(>>0InDs7TW|2}A7Ae+vgo`3p6`|Q`&5ikukRf%O zzMJvJ3Q^@ldJ+d!1~E6#l_Dpol z>*o00dIttI?*<$7;fS9^-xBsnph+V(Xj@GAq-+x(2H%edt$~WrNM?~~vwA*f$FyTU zQ6%RCU#1PEguT%MjaEL?AQWx!)5i8UPG!jmsW>gG+f3oSjvRuOUo2(zzr$b9tFv{n z8hbgBqEO_!Zaf0_K-5a4&QXogH`hujI(Vj~(vdC4!(*(iv>e5HWlP%N+8RYym_07= z;XmAH^IpCI^$Xflp4lRaugM_6Z+SF)dIZD~zCc8$Tv_#Yc zEq$E%*Wm_^En{bn;+Rz0XY??O^kA% zmMt4Ezr_bU-PV4V4Vw~cuu>-xWa1dSOl58Z6V_^^$k`#4lFB3_XhKhD=0&KgL`ZGq zXhnLC?YUj-ynAP==xELhF!NM~2ylCHrX{rM0>j(Dctea&s4N^6hGjaZoWZgSXqz#~ zz%`xbbevf)Q{2KS#hK9u+P-wk1vJ(~QquL+3CcF&<3ispH(1@0v86uQoggYvN_5Lg zG-NB!0s%p*>P*8>B$XNhcv4aoMqKtxxG-w^>`JyJzmO|gwE-4$Hlw_!XhtzL7&9z9 zkx={n>Pf*%8vJ&oLN%7&b4ZG=2nN?UYc!BAC@dT40C}nWNZ}E+b=` zs6fpffMZ}$n1NegZJ|=^kS>q20Uu4?g^3<({5SM)xf~*kRZu8jcbl}b+$E?ogDWb0 zlN3iH&{5Xx2`qMLAx9M1jK{-{vT<;h{LZfhR?)F2(M_|RX60u_Q6mu(+rOkA1GOg- zA!w6Nr1^i9ihZz%qW8v>QHF|kpmhV$6Y`B#`NjqobITL2gk`>)R^a_3I`pYvxh&cE zHDwpcWe#S-0}abXutJzuV7(+RASq0NM~G={EN|r%O3Owm>}J7yy)yhMY%(Z1Zf@iI zjTC*;ei3}e_|dB}tp>}`kS6}o< zdYXpKfnM&}&hKt{HFXQHFE%cL4kw$|#NLg8>eo5V!is!Ww~jYC8y6?p&eMS_pL@`k zr>lXeJMAwbo$f2)+21+%OhE*-dM-!5tS1@y9Vk6drv16Acq(;#KI<3QZuom~KC(GHk2gTu?W?r(>t9 zd)v<&FR*HeuW#?)w-lbYoGMjQ?Y2FJjsP_?AlvEeUV*1m!;RyDhx7*&4R?=xlztgI 
zqw7&La~nEcr@-Id4~>>-I!z_L+vPJpK2tDkoSyrK7c(1gfG9VwAC0R&Zfsj`wBCE1 z2%A6bYe5R{GgjtTw~rkkW+c>hogb?NDdv;cd#yR`wpPt|R9Pf#B)2Nw5#NJ|>$KX& ztE}x0QhPUg#)`FZ_}&GbV(?agN0aaM7im2vogqN4O}0g=Fny2fZk~CZY%iUQtG&0Wv@ShqxVzd6hF5y-NUOx z-5-y6&D!d=eeaUP>zv@St3M+=w>K@F7E5P&oKAqx zQeLm&w^m-4t>ackr+=&@C}Z6>?cN}YWZ!KqJprn`O(>tRIBFm*`oO0axR1h2s!V6ep)cl z+3zVGPQcKT|A3fQzgQGORKo4&`~M@BPY>TH6pzUJGj9O)!ylWVIWF4EB3NOEnQgm{ZTJ0V7&_xT_v5w3uWCoclYW6~~{UKTdm6X;*_?T1rN6rCs|J*`f~^JilgUNOUPJOKNPT+SBLC z=QAM`&8FL3@M|aQPEN6Ukx@3vYAAF4oO+xy<5#j(Vrnz?kff}qjfO^{n5@Xk zt6n#xN}0NlfFL zPK7=z48I}w{6Xt8(QwtENQoiHX)yjrMRpd~Rkc~HN;|v&kffbxsf8-iB5MIa;}CE7^H{VH_Ljxv}@Ay{g`xxHU@^99XmKVp?DSLtFt?SC#YChm@xK`vBF$Y zC?4HQBCMnBiXsCles&0r-~#2TM6AVQvP4n6E}mq`et+Y98sbIMLf|%4Z`iw0n~yV<7bpV825SC$SZUk*asuYhej~iy>tl33|7wLY_V%6 zOlK`Mql06z>+@veSY47M$vF@QCy-}N4}|*EmFa2+n{Vl3;>Ghz0OO=qL$G?(vJu#F z$mGc}7=Kg8;8_(RpYoFkMzVDCah0Wqkj^O}=}RcMR%?ch$wgxOyUtIHjf9lLAC;sXABvS!hKg?89yCqx?4IgEoVSI&FMttZgGI_$U9{FZ1l6 z%H*#EA(M19rDQqcvL^5PNHk{DUx`dd4QqDcf^y(z6Rbq7;b!)mD}tnB#%L@?WYg=9g-_2KW&B$lLG_A1ezV zn#B$LHu!Z+^xFHT@L~Q!vR~ORo5&(hIZARW0DH}89ZuBRu&?jn*n8abcHi`m?;^pv zae>sUI11FTf#^-b{SxRr>W=+><#e{y^J?AEKHTiQ-R7Pl_L0O*Q^jiixJ;$p<1`bd zf7!mGXw&<`dGyEGe8+i+`+7HJg2NNoOQ0EXkZE+Gw zcB~9;b+VSwJE5%qRNHdehOQ+v?e%=t{G0))WdXOZE?yqlm;HCc@n&n?7db9%oSvoJ z{XE{k?h>8Mp0u}MIlHY#{vNgi?8htlnfc!qcQg6MB%X;CyzK!KVRrSe+DFLIGOZb( zI*jfYKi*EviPiuzd&ECpcCW3W8`ZS;nvByt?-w552-Ziw+T`tjmmb}Smq?8=;P`QA z*tWKU7JwMp_x$yjkk$?|{GZo=8)oO_m|kvA3=p7GPsYb7k;vPV$g^mE zC!|(EfJei3W-HIcV(;AADlbg?lGAy(b0XlT6=&P5n~D>Q<9$h&WUJ$FTj9lxJAwDY zrYA|aony7>ew*7`*Bj8tBiBn>T0-3J$Z%4Cdeh}z?)|LqC1SQ#i8?Xkt(d`sS^cZG zcGLa!V1s0t@Aa>KHz#AR|7CF$+eDY!lq0OI$4b^9|HKU*|MRBaMYfOWb;1U*?@im( zD}%evk*)a*Ge@9*BW~;f1lH1U~{$)n<={8~(a#oiqwjY;*`DI1-om< zG!}6XsX6lqk0lFE3q=U{HAH?U{cl$6eyYC?*)V_Jp4uqI1^(Z`S1Ax@4%*N7_Jkb* z_YB95TnYAR<~ysDy$La5ix{ZFw6e%4r%1ew!F(gL@VWvhO#u}}WPCRd+HVtLtRXy^ zs^?gUU)e-T;$=T~>#~A*1ml&pY{_Kb?Mjs%8pN1lf6=wbJI4pD{D8w7sU)O|b@q~s zKM*x}Hd&)bIk)&5p<#iF52-|P@bTq@Y)0amPl;Z|Ymy#Q3z+cWF|R+%G+L3P+X)^M 
z&Zy?-<2oPCmqtNR>@L2@4f?j4p98zDmr^J5-4XNOQxJ1(mx>sABrVd_xXCs#+17d4Uq-!XB@%D3On2bO)(vVIXxR|S zcroYe<|XPW?@h-JxZz*)A7Ug4IT4zr=cwpePU@6T-xo+AkO=nLV3b5~b#^FgHpUi}&De=yZQwN>bG z&rl*FP*^8psB%r~9A)z9`Id0Q&%jyVD1A#YAbcv8I18lXquFJuzovNr5xx|CGo=m+ z6`a+Q*Yjv>V#aK|g*Vr&K{lO)P26d}Z zcIUNa%A>dmzv$D3Z`)QJ_(uFS#&|*0^U$ryGjst`KZ@%Rlo8gZIU}mFkn2^7S&1tN zvE!u3AvivN%Db`3$I!&vWMFo5%}5)llS;Sn%9aHzR+z)9%2G>DqSk_*{Q)x|&ZnJM zX^q8@@VIe{yhTJGNId-b-~jUZrJT08DuPL_u~)1{9q3&Zx@~kU5p3PWyW8uwiXSPo zY!%7$hMQw*(I~lt@-U>4(A^46g1grKx}uK zk!nz`$@{C~_%c(Oa*44}EfY^n-V0NzP`Xu*)R|rGk1=UKSj|tEV#S|@CWP0}_&d&& zxa9+4?RiVEs?$igkp|wO3Y?|qy>f>^Q0T5 zE_W|yWXg4G0)0ga;|_Z}zNQ5VNA6@5)}TU-Lhj>L2*?Zh}eP z)-xw^-?te`_gjgcC;PLuC3jT!P+&F%R0+l7r~qAv#z8qhHT+8_Bn1 zHZ=F`(KcP80e*a4qZr=s=j)W#4DE$Ek%gxUS`@q(^_{1pXWB@$n8+|CQpq@gyK7FR zejiH=ob?Wy)h-L{3z_x4`JRRn_#3hyWE(PY28WoL85}qk!VI;Y)wn#_ZEZFcJ-obT z{`}^7)9C9x^ObNFsGg>OoPG$qvF&tFeFNP6!*15Crh(q;dj);PfU{b*An-qxJ8g*LkBo_gUWv%tj)jqx=*k}cr7`}{~3KgUc2emua(9v(DS~B zsBEvZ!DIFOuyS_(H)=Ml*LTW!BgcQCK>Nd}^*n=f`@VlUEx5$UR+al=m86n{?{kCG zZpUPdU7~TpyQlZ_Co2=u~eC39F z@5bk#@Zn{%{d4lFw*S8IP_5D3&%|SP8;9_H^890A690^csry(M#>;VNjfBy4(3`od zqjz0fWBsK=SN^Modc!`m^R8IVedDE}wXu1NWZSe^SzqVmI4?FYuXDxHyNFmAwfi+e zbEM1X?Y3Sn0V9<&xiPLivi;Rlc-1jUVEf^;FmDPpvk!8w18q#c3G9r&as!pe;2;4E ziJLcdpztJ5=HZeODLq&Ij}w_0&>KGhm45u_te9=}s(m6?E{&2@?+N8NJN+6KV?AlgQ_p?N zRUzr8+WO*+BxKRBdB?4wIkXr1>3>SIA{Q6bNsp^r7NpQtaPiSguGwwJ9vc3Pc4`n6 zlt=qrT$C{*&t?%T8H%voEIo#u#ktNE`qDs1ZPFx79SKMUpbYvmT|75oi@!{y?x=LhWo7KL{M`*$o5ti+r2-mKYk3f!1dus@C zz``R7QVqSD0Y&Jbm2JZ1<*g-tqffLniYQJCT?@)pHlu}&9k^B0G-9z|&wY#zEtnLq za3ufOwuk+z2S!@6He2pg5N>8vR`!qj4zz z7oJCgAy#KLJS0U2T5`8^?}USGZ(0B8Y}Q~iaW2M07hA*Lk0Pn>_BziFSz~=qZh2J> z?ON5zmhop`5sU_h8(sUUx)^6Lg*eMng`;Dhjq)aqe$(?t@NVyP94E4giX3=eTTnWo zuEWEBzeY5`>^F)frpo_$V&p$Kx%}DOG-BE8NCS zw+OzVVV`F2Zcrv#g?i>*`HNgt z0Xd6ft2x-GMCi^-h>a$x#1QKb`BwOZ8?=L49~`*cDIWl~-!b z^2nED8jf&5Vi-kPFly$El|liu{?iPw!_4j-_nPNI{> zFn6q8N?PUAkVSi}Q!_2_7&Yzm)LchG!ssySl0>H$7KWshUICvwz#8Beh0tqChywSG 
zqR0dtIb6*sXj!TU_5!l#@9t2?;&75>W0iMKNiO|FJhgbNxvFFl*xB%CrAniPEmU8y z&@jEw&mYGombjM5Kjy#pV*OwY7A%)66lzSaS@bF)ThC@0h1F4yc$aV2YTOmi4-g!% zXqvELref2IDKnSxLJxFM!sC=2x4|I?$14T6;tps*!qs>#mI;Rz2$hw$fEDwis(__6 zy*mWK%|rSNzPq6XmrmeSPCS;WB0s1NBgP|Kl@@_pc<8oe{1B`fj6ln?P*rRWE(W8f zKlI_WKf3p+FP*q-=7C^)3$)7e+#?o z$r<$4?g1H}MttN%8^tmlnZ4(BJK~ zg_#6e5j~6)7l!krbhh!m0`{OX$D750qveRdlcW>mtNvtf`N8Wq85u^<{c?}hxS;6V z8LoT$CpbIil{3!w=nmLCu?f!Gw*Q(<^)Uz092Xb|ta}b?7 zA!$-PF*YmUtQh$?4l5blc4}Mu*cuM2=JXzd@ttS)2I;{vy_>$bC+>SZo1c7D4B)5Gu0og?~=`kh^K@9I0BhhtHUK4(mv-G)RGInDF%AiL8wn#?L6 zCil^`H0Bd#zbE<|Y!atfA4CSeg-xG4#8!a8h^bX`^RoAIxGU@nvkTxj4=F8A$91<; zo67HL*Q#0O(7WZp&gWX^{$!kgu6d)j;Z`|{!NJ{{c>8eE*-UG$5@L3Es+6=U3Wfq6RUSFYAGwz)1#k3X_SuPqAy zd&ShYPHTrQ(0%KrWy}A$u(EH1x$C*Ul-J?xezm=~+gHj~6bPo_F;JXW%~Zb-*vjv< z7a84hco|b8U>`&EB5+%1T#MPF{|Wj95{LnT^nh=rK**AwRS)ry>gQfV@)bV??20S!f5*kZS_8IK1}mBg-{tA1P%F2PLkf%GvgHMSlTe1#QvTb|t7*yA zLZ;I8L&O)*PAIn~42jl(l@47B5@(c?dgwumF98U{3|^|Kkt|tn)f5?(kOm%nnENQ_ zv!ysuOa$fmDbszwsDNW9BCwHJU{0QZBTZkjOxy?&YmC4$MMU>f``MlRY@S93$7lgt zU4_o6GE`ByVEI)UN8>De)EuF=Lhf)J?E4x+qzk@9m-Eh z)h+!5hovl4z@)-?LQpyXw&kIcBDgc&&@;1y#_(K-P>gx%l#l|MUFY;Bg*1gcRe!_+*o4S;EO!xx{NMsT`X$|78?-={MXD}U z2ApBdzn74@sb)mKC|vK1Sm+!~Rux+3oG5}PY!#FNSQ1LXENWTlD%B{GlwuWIc9B$V znCb|NE^JU1EQ%xO($xtI3&D2|Kk55jWvf(t*9$|9D3T{^1XDU~YZaE1cvYTcdni$n zdWo^{aYYKjxO4d}P3gDdN;s2cQ}{Q0K7O{F&a;ZmY-E3oREJN#Hdcq9tzZS1!B&-Y ziI1EuzjA90LpD@CGX%jTHEb#&Uatm1bsVIFU*cQp*QCp`PJoEvsZyjjGMeHsmxx82&3aAcXMY9)6A=YdaD_zU`=&ClRHVt+Zdz>N#w1g@Esa^-QmhPOm5QNm0-5OKOW72X z8;6Q2FS>N$nzHp!=`E2?=-HLgoS`^p;d?Vh5y(cOz&F8%bV@0IUH;yeK}w1Ubj&N4 z2jGdC-lF8>CP%Wnd>}t#_bYgAy>;H6_r2wFH@3c>@$diK6xX*DcyxENcl1lkoVkL{ z%ww_sgV8vMonV%o98hMYy569Owq{~s${TNsNo~w^gR4VF-*`Z2Kc2bBKv~kOLVkoq z?(oIlj7v9?E#f;Fz*r>L<-$C)=#bJ(<6a~+ZQDA_)(Da>fc;IOR@{;a{arqbPVbOC zDXDl^K*{SXC`Wi@W(yW=S)h-LMc;w`I!P+GZ_1Oyia=zlWG5vzCRHi@ee4995gM`l zEB!-!O{r?x@rQ%femb~p1KlxUkp;fb81V)v4Yil_B3cZR@^^O`uZrEK_FRUOc%KI4 z2~LTmz_ieRa5q$+(%^*w9c$(8Ht42zKg+4Lf2f6@U4x;J6^hKG|G9PR2>-F9mxgRq 
z0XM9K{I9r2l1By0ee5@smYCaaLPuFzuU45%6mYa_R2k3C)Pxr$rtp{Y4cfPFo?O78`V2Et=_<C(pA zxUv*HD7H#uAkeU=Q|fRWs!~t(9Epz*G`Lf7``o;A8WL|%H~mIbLI`eG2Uq730jWFX2`SXs>mOxwo0``S!v{RyZti% z#mF3;?6vgmPc(ujAJM-OAp#rt0Uyn|;*)Lcgtcaq9#g;O&Vr)66WY z_61wtg3a@3d&K&(gn#-5*Tc#awt#I`rQfB1%P#eY>l{(9$MaNFo`7SBZ=Q$2^|g8K z-FqG{U@*t1t~zB*43SYwKS( z0)Qp!k?G2fY-${(~b^gX%1KCD~g*)t1WxuV_<;H2q32dV%L72ICk8)rR6 zP9xXPQTtKTUbHM4McVhf%NN>_v2#1O`VmRq8uudnJzrH0iAyK09NxJ1*~WJGdr!uf z*wyqb`Zsp?91G+wz4LmWKlo5Qybg>LCz!}|f@<5ZwAg28nzZ{YhQiNs)*KKkY9S<1HD(guaDx?1myKieSELV82rB`C4!okJ}O`zcOulprCTSgu3th4hJ z79-w}CU145WrThY4CbP~@>H8JUi#Kf z^pt2{F@ll?d}~RHvK?1gp~e)baK!_HXa5OKi*&4@AJT6zhPmY=RV3*RR&9xsi@Hs>D43jO0-~TT@oeV(4#d-qqK!YBq^OWnpeJic$N`O4+lvgs3`8!9;dFzVjIC= zhGXZh&r*eRdK*c+W5!z8)LXf)5*e)p zv_~M*Aic@X>C_^~M-LS23p)2dw*K1t!KV~Jt%;fRfVWXaXRQ4AQOx*wCeF}u+KfB6 zZspTZ)s9Ttr6C|oMV*lIwx4!7{#k@l;5UziqxU1SEW&8VIC1#=l@l7Y^dWDd>4>ai zuR%(ho@)HSbv4b*lM6+6?(a+Kjg4hl`;r+7Vgm)}Sk)z}iW6vp$b@t^6EVC~Uz9E_ z9r;CnNYko$Vk*nMIE2oaMSofDze_XO)&g#-CI*Vq5yb%xA|(;h0;GN7dHHsZ;1cb( z5^9Dgj>A~7N(GllOR9vDlxTik0vO0DRy8c+U2W>fBSfS!$^;+ieB>Qe4-@r|L93jBSLV@N@pH!b{?AE@|`RpL91(p#o>IWo;2uCy7Kzlk#)TVBO8 z58+PGxl;Xd`MM~Hwc;<{9JV&5g*z* zh_X!F4NG?OABH40vbX=j=P=PL)xFDmYzm0KMUTjmAE;F)YCI~6*HueNTtzP(wjr2n zwh9WV8PqwHhrEV&Sy>~uO0A+6)v2s6bXuE} zC7MMdpCXdV@0lS2n|c81_4+QxT_Inqry=Wf~b0Nz>t$@S|T0&~ha&pX4X-5ftlN1@xtUF%iz_1~56z7HD`ttZ=lSHp3c zIDCQAeE!qfH1>R+B&U@7ccrn^Ia?T>o-6J=?`z470+5FR?^bp`2vI0Ec3F&?gzc;hoBY5W3@_vRpHGbXR zwmysF@EPMa8w$(iZSn!+32*8`Zk2WbfXLLUHo=bf=Kmt)9kRhl)f%(}#>+V0(AQ8y2oiXQaI|qaj z;pCoqtGUqX|Mo!w_pPT1wDDD|wOhC;7Rd@7LCw|+e5j>qdjRyNoGCgdTf4Hs{3v8` zM#_)==3o@K8?}XG73{VAXFqoSvQ#v8Up6%UqDk~=UK3*?XpI}+lttE>Y7zxrH6O~_ zL2wkak(AQmly)q(0t??hO)FcKdK}!E{VViw)Xj3bW%bMp3=gA28GQg^$s%2>_N?4< z4%(*6%A8&^JCMO3u(GWgfn>FEvKYWGt3Tq0Evk8@!;pP0M%7o8 zgWrNP+0?IUffYCl9Zb|(M5qzYIXwyBQ{tMk2~go@Z;^W$MCpP#M%@!FRyits)?!Mz zO|)>kn`cQcF&{L+3|e^BPDYh1gPj>riONGilyBU+(B}Ufk#8)saY(DsdwLsjQjbL+ zOG6UkS58@F5o`oxKAZdyH<_b&Qqq7LQ7aBgcoHuEj{JLPX`UiJuV}+6FP)N#ZOYK9 
zw~x}bda;(kbcg_g=~OIXy}G43mRzKU5YDngHMo=IbaC{55%o>cl>}VY-LccL&5n(Z ztqwc3ZFg+jM#r{o+qP}qd;feh|IECcwQ8+;s+V17pN;3%$(Q|nRRfJ2%ncX%q5LS4 zVQiM$c5MZ*I|in%3B^DJcu7Ck57#!-Jt0d4i`KZs%QJwpKmwkPg928R9BTp6zH;s# zIz7{N`_-E0HDU;9dPYtM8Vxsm5xRXY<@(5{y`&&^xIS{lf)0bO)L4vWNK7#|)bkY1 z;kY4nGHC6=hv3EW6gz+;<8=cmq?kb@?mtgx9$Ti_w-f4Z>-XM zygF&kMT7R$q4_Ha5_!s`Md(6Tjl@5VD%Bg5L~BMtw7a6cfsWXXg zL?thwEegBzn`fm?yfuH`pZ`0xvoWqsW|NhYZNUAO0b{Uqe6?uI_^mDd$viW!B^+eu zmvSI7!#OX6tFqr&n*pX;8yEaZ*`_~Vq_ps}1*9&V@&N~uO67kc3YRlGS@6{lOe~XI z@dJ|$wnn53q*Mz3F548SDhJbew#8XP*^(Sxtj7y5)x(76uYxzCrdX3-XFhlyZ+hdw9U-{3L=?5BiOOtX5 zS}4aB&R1R^M^fcCaFX_}t$k zR?wpFZqL{AC(ImbO6~`>xTfS$1R3pS=Uomsbc`f&OO+WHV zE(Vy@Nx$jxcE!ni8wyWi*B9%xxf8bevuTxTjY_SRvuPw_q%aR-=kL)I1`^Mtns2MG z+rz-(!u0lenU>sFzY|}Kmd}hVQrqjgliR8z2+x)O_^QjdZWz_f#`Q5k=DOp}RVx{j z%c_98;-uNjt_gf4*K=!4tFrCvdE@3yv6ph1-sA=_mh-{E@b*NriP#$=`)~`;>%w}S zn5(%25w@+VcoMq5`)dikG|r6Mw#@HexUC-LthrBJtWd2Lxappir^fWWCa$?z&$^rC zV!U8vfNVi!-Jp8+_bIKXW;I6lI>SQ_-otr~0u$Gb=QA>X^~-Ur*j9%`K#I2YNwQqG zsfj<&(UHJb-4V|yt<1Ie`^Sp*cyx--(Lj%NIuKBk-u9yH@v(oy=)NJ|0Rm1U%01?2 z9QNL!Nla>-%2LO$4!h>pVQifYhI%#*%ZLj zg&O`r5+`x)dQAt3_nzJLXKmwHGG|tb?zMwsF70M{*K2YtI###!m6>m8RsHnR-9AxO zGpLz%s%=B#h3V=<_o}AkCUtXP^=7EgJa_GavEe{xgWOr4iKUQ>Od#N_QoyMzPTkxqRbj;Nc3*T3Z8P|J{>uZ*0g+u= zU7do*R7ot?xy+OqmIRv#`z%?Gt@O037=}c4aEKyGWPxP$+#@hRG+nkU_*gpK>tBM& zd*>QX0n9N1O|x za$=Q69#N_Lh}{sbJkndsewMQn#T}~(*SG(en2Ta!lqqQho~eN9j2Z{OLYD}{?i5&a zxa4xciei)ui%4OfjrjcU1XZIKbK>PC>hU7|k=%m7R%Bvm+pL>b47z?tBa7tk(Br!N zzJf`gRG)2-3d9KtG=MTbBaf@{c;|c|Dy9iR4_JeB+@9Fqavj4!Sw229ok5=vm$&+X zTX0XnQuQ;RyuYcLtC}1Jttw@*bSCv1W{GBC))vA*P`1Bvrqu}9oLR#FIeV!{l@xvE zqDQ!-+iOJ9+&QEy-P+r)l~K|RI+$n{ri|llS=S)u!~nx#Qe-t+lT-=>a=QhRKQ{h` z?bpz9J$6yGQiX1ba;TM2+L7oT+Ul-G`f)I9rFJV4;<*UHapCY%nfLBWQ^%H;^fwic z)I-r*0TY&dtp05Qtfp(k`%lCq%d-ryjZRQ_G4tj5G>~EEPx(2NZqD;`_w!t2FNN{p zC5xA7!=B`da8QlpFG*d%KB@MO&4hK+m3q3%i43a)RNugI*7gCWy9 z!RiuL83Q<=H%8Fj@Q%QLIic-7e*7Y1+DxTq1yd4BCFeIaR4yW+BkUbK_#sv9Jo z_o8@d-MB*Dq;xE{a=C1gNaJ8mLyNC|;n 
z-RRP~MKWp-W7)%3ic)mM$q`fTyjO1Rj@Sj&D9{Fz4t`OOd#Y4geeP7YUuDpmgQP=N z#n5ktO%ON=c8e&EJ`?1kjhxnZnq^=(C=+I@!;%l#&ET&;zgvXcUzSat0LftKo>ZO$ z4o`rr-tB#F&qN-=;ak;qEe(}Blj5#@eb#wTCcdhG)Q3h5mfYXUir>dwA-YQ+lRcIl zEU_`$Em@^qureN{Fx6 zz#+$YHCYS6BJ%(U+2FVqTa8`1a@FU%ez%DM*yu+gC6qyDTkOISBBhG`Bl^sl&7Hy= z@#9fuX$~my14f()CbZUf$T!aSmgtmc zR{$nzfcU%o%}LFfKnWq&MbN{J=FKZT=lWT&Mo)zNj`-`)3}?DlL~c6#XWbSX3nOoi z77kxIAiU#H7wZp;u9tHPfk}`< zMTH)-ypPXL^tRrq2TJGdp!0)SAQiF+gQjQr(&L0Y*Q=kaN!R7x4N><^hVpxBhaF#u z*E8u!&K|6m9T@+{j-I>ikU>+`Z0*e*aV}%V z#^@Xd6YbCqMbUHb&l0YRYv=;0o95UUe#qlKkA z1~fQZ818-Z-ZLcD&Kqk-te8WI1gZ!9?w<5ry~zc^#OuSw5nIJ`fq-O_p`h7fU0etf zIt=@@6Ur+jFyn;m>A{-7WMk{zR?{y#0NB$a^%@>EeK$=0Z}kKCGz&DsO=&dTz<

oJg-z}p48BcH$i zUaE>&(EOgeqBS~->RxnAM%KJ~PJWm}+pyg5UZz>5xoV*1|lqW`&eXZrT}NSR@~#Rx137MA%k~Q~z@t zfw!hhyJQ#_7x-5ipO_H;yC_;ynj$(|6goTkNVFp&Wq^8}Cq@!6cKujr9HA_wCVZh2 z6070Df~Sen0W3A9BaMUXig%3q?-Dp&-7OjzyEUFz-@Tt0ZpxQ!tg$MN_fKu%TOIOX0^-VbFxfmtL@DMeTMoju&; zK9GNL%6!?+MTFWS8IRs--p>7?QnAHfO2##C&VHWO`GdP8iJqoFu11a$auhR+A-8JH zHMxP?nJvaKTxl@hc6A0*_Mg(E1h)e_=*M-%gytAjObUy`q@0(<998GX$GK*|S2XQ8d;e^#ngNuMGwrIqAp_e$zd@2= z$2-2}G-33)stp8fB#TGq#DC;_+fiSF z6u=TBQDMEuBwb}pe(?~8l5tFDXwFx+X-c(NiVu2A?tIA{D!57ck$r@`H+Ebd^)AVl!eQX4Un-_?nQF2vBjpR4zhF#t=qqTUSWW%fa>}aLx08{dG{E4!du0 zfC^E_Mzb`|W}w_q2xht8%%(FFUryktQxNsLhWm7Y9gNMQQ|+mP^_kU3;Qt2b1q#gQ z)NR5yPyRm)b*P=0SD){)j`m%t#&uV(EJFJw+z#>3wugUmghjnrL_6d{V{Gyjpp&@!q=>OZB>${_w3GWf@BJ zW&d?-3cm^{5BBv3InQ|BIL+*wJQbCwiP5+9_I;HqR(re-k4>p@14kb>c)Ffec#t%n z{8Jv>-;8oLDH_JOA8`+Mrn%48E-Y7wTKcuzFhN_u1`zX&tQ;j#;G`KS&Fg(SF}LgT zIy+^e+PgQR#`bfO*37o<`X}Cv(}4%m++WW~3RA#k6g|VfGjLxxIhCP2IA3Jh9o`pYCe$nySV5 z*Q(CtE2k7VWao7S%<#DK$3yIm9*Sji%HQeoni-FUo6vJvm%F9v*m@UH?EZLvnJLJX z-*K4LIKAr7Ygl!5T##Nj00Hq(rjykUZZ+E+hbb&RodiE3SJWV&hEV3oG zdp^#gvGVmaOwuoiyc}Yuh|GI@7EyCQnOhC2(0r5RFJ1aj%%j7b>(EQUf1|G%0Q!5+mliGe4)k9{HA#h1#^?5vZ)R9MWMtxB;9L;M z1ccIa`I&oD1p3XW6)5`Wn^^jnF#P9?JU~7&n^>xl&w95?D$cKqFwX_1Gr{$}74`A_ zF9m%};t*+Ql5jQmJsA|i5&go?D2N)BDXd>)-3-nVwJXD7gfHaPc;M`-BVt`)v4L3| zuyDVTtY3CXjJ|M_V-}VtJCG6~NeDmT2*#J?NBh%sZ=zr&>(rQ29_%iRHUTp!wfrx` zNfLhrhGgSrvRMrArS}6lcDh7PQs`)u{ADUthWSi+3BM7rZKvdZi+h|t z_MajAYd13Jh4Kj(_FxxKLk*THVH_4Ff_EV+9YxJLk3o>YEvc#`Rh)w8#aP|stOWh^ zYZC9LObVHNm4cdS$x_sg45d#hWl2Woijexnqk5hOHE++8&^Vm8^B_}zG$K{H1-ZVR z7YR{K;7kQmg~ex^HbO?ga6xO)$oiQcNn(!+tWqlld6ls<~ zSwa{(>EcLf8@aBSvp!il*7e0aL}${dQ7Zg*jq7=$sm2t4hOLfbTNe46V&$q1F}Dh4QJTPpua7s7PvlwQrxF3f_bmHeUEjZE4Y zX+K7d(a}|DXWIWAK8dU)Nio!zrjbs1Ps}Q)Pb9@phC4c{HLnoz$TcslII0C+A%Rga zNst>U-RZ7Z)usIVp-i~>uCX!ipTNrBRg2|h-PcOln(g5$8l)6=O3ZA-#@25kiGS3q z&yPB+``xU(QiP*_}aNso_zto}ZUu1Q#oXo?OzyjVm5x@+W1e8y* z`S~0Oer%w)EgAnK7~8cZhy$l0?di=`+F#gJftbzUmzF(u02!8WnoPF7<{6?tiM#@V7ueJl>Bh@kFEK>?-9;0B|eec*K$|hCg+kz}*dSlf1 
z1oDh<>`@QX8B61gM)lY(1c5rS@e4Q6`dDhmvT~Yme|EUUt)Ku)wu9o5z8{JgF*yjC zn2}E4(2|W$LfFRAP(0#c&fO^u88$3t0}di9fv`!;8HrNsE^rI5xt2@ge4e2q75_y!U&Cy9V(~b zW(URYQjo(mt91&)Elr~a;$R)DIp)llkK_!C70jU`O>6&W0NuVc)v}ykkNZ1!ol5tY7&*sM zTWQ1oIgoMF&GKP8bcc!YqWX2Oi0bpX^I)6j1h@hp+0l?j#v^ex=9sz7s$KmmeA9b7 zI8=Btkw`WS=la4|a@n*8sNj7TJ_c@JL1F5cc6c(ZyD!(YkN3OXc%Oo02j(F9eqI9P z-S?$Cq6v3gZnUagmaRTdlQbq69$q=-qwxUkZoM5B6sqoT@k28oXG14h`}iav^Rx9L zcvn~L>k^{ylOt8g^YN>@x=1_kdxERn%a2umPJ(%XlYQ3MPC%bojn}6Ez|Yfe%V3%W zzRP>iw5P)?_#j3Ic=aS8(Gs!cM1-qzlOxOby4p9wkkp0(g#8$EA;zmW>Xzj7-p*z?xOdGsyIxEGPA<*z*|`#}CGK25&Q}@K zZu$4*0s-FMP2>Zk^gvmEH48gJ{P#J>9p3Lvn`c1Pr_$3q{vWGhX`B zOD&yU7eoChp^T5cYmqv&#}+aK{x5PVHxC&p?)Ks7~ z&=(T~8h8>|1wH02nmq}yp7eOr9$3A`PRZ&2d+MqHeTPiUIJTHnFZ_9^_ma!V0~$H( z@df_LK{r7}J!APLTk&P7E`K->h|d;FQ-%%A&dND3EQLG_P*=;VlYM{3esbwDKv-Cl z6Avzkp<#W}R7#Y&Ee##xEsLzf8}*oXf^9N7P7V**Wzc`gHw|`dV+f1-S1!GVbcVpH zD6iiKfeUTfB)A_4H73|3N`h35l8vlMlO;1M-F=vc16vDsu-*!ttf^GMBzIVDn2DoK zO|pg(E@z(=^RV_$E8iGy!Y$iUwvjL5vFMoEEbQnnH0HO&Fk2?C6b0{M0!c#_&PK~1 z?lURaW()$1v5~_{A|Y3#OR(= zUG(Ty2|V0xjTx#VRZnD2U|`bh&iQRRLcUKNW~XTUH)Hw$fnTcVf-g@=X{(cK%CRp8 zhozp~a?zeyxnZGWz-ez(-(#(Ft=AqZrN7gr@lTnhg}G3d&muy`@aXq)>6$P$+9B~4 zgGXiSA3Swnecn51K1yXS`4#t4^2j?wle*1`p0eYI~zdTxl|I0?R3Y>t@CEB1A3suO@x}1}2yGgEc!MLyt(%g>s9E1NXcIk~vel_<%8`haaxpt2$(DMnaJq;7;uW%J5JZxCKu2>BlUYC(PSu>$ox zy249zR4h($9|7f^Jt(~pf1d~no zeRJGg5f*o=pY{Ea*U}%+I}-Rj0si4wSoHdkcfF^05&*6KxCSjDPuE6ja}}?muO8E8 zt(5TuA;8EX$Yc2qRlGQGl&sKNZtX)eb6Y2CDo>5BIHr$7n1%#qBm{b*93_AqP?@m& zlZZBk67@5kU4TF0_%~sV*8d>FLK8dklt<^JDXHewBIqv*pPIzR5nw_Mi!@>}H1oRY z&NN0AmIV1Klo036T1pm{j#=#H2tKpnzAnt(xTXZAjeM^|E6q$U7woJp-T32cq1IuA z(diU1ssENz$&u)#T=^zdE^`PN-F2smpH8)Mt|C8bU`RPkPQqJ4bLB?yMB=+mHcd6D zk8URl*CtXJF%l1tlG-FvWsOmk6Fo?vK38lRz2oLQ7gAc8q~I}vfc!~?rTXN!d;Bg1 zFYnlR9u@hG%jtS1>S2=Wf5ztxAxzZXjuc49^cmD0eJ2K5^8y1re$mb35C#xoy`Tut z?v4%qOx6c z+c;{ZO|2km0Kx86ZU8%%0nm)Do9R^eUekMHxn5r9f1EgVOsBaoj%ls03eDE<8Igf+ z&k{AQa%UMGiuC*?B|G?OH#DI-#oLae*yd0XouhT> 
zXxJl?tNWQKFWmwn(P_V!+#;&7=?XzV!fX@ZqT`)uGw<1UqNE(fpu}VgG4n|wuM3_#bhjnLL>N` za;@G(BZY1)z+V9@KNO+sMFAX^LeTs>SpL8_l1E(;nNy0rhu(vut{=MC_rf7BTiz>O zD-*iQzfz{xv_3vRceKJLsIET-Rss^;dbC$hG7@7!vcGK`mESh?`a85A&xum?{?Q?+ zYCFmPl`vi*^Fg)t6r|B~@xrg0zw+c@qNYT!y8xd0CfRC34e-DhvPMZvpTJ zw*;<@rhDFeFkI<4&)r=hy&>M%0nCGkY%h;SLU|u9eU2-)e;kf8dfl7x66Llb)*d)a zOe{s_a=mnKaI~6L>A3kkE}PsC-oz51vg>j@d-cm~z5<<~>DVJnF;>());tTye7iSh zIQeh0>2-BfwN84Wx3}|Mt~+`_)&SpQ5LWS5V1A#k={v}a?AhftRzIQhzG?yV+qVi< z{)kxDw4i3%7ibI0wIc)d760T={>Q>>$H)Yl!wLeSYX(us8Z~A+(eaz(g6k*c|E)TV zKc|j>CR_-n{7tc^NY>0&ox0b_c1*RrSpBhvDiVlv4e;ynYUgRM$wf@q^0k##%g;oAyBTuW%tNhe1RTY(`c z3PFjGlf6#C^?Iry>g>t;8%4*Z!lyr1I3%Lda|JUhQ{lrPo6v_a-@t+>gkaC(zhev= z5ua%qXO-YDAlSs_uj0qbiO>IF9wICd!%48U#K?jD@ZqpX8W3U{9e7h6IAqU$1fv@V zdsQ$H>rpwkoX*pf**~KhLe~rzovN|~oE4!jAd(&h`^*{r(yt3^TQarsf&9sZC5U3O z;P(rE!cnB(a+67pTf|D4NX;pzv}8OOpVeBNa%BSEn>BS_3yNRXY(f;H+R(mgOO&04 zF0D6@?J@9rHmxP=XB zhJb~bUqX^}wq?JFOTDTMq$R>$p_WQJ%Y4`YO=NK*brx?ws=p6>R?n2?~uU2Rg)1)mvy2&CyrJ&UT5C zYW+Fa`DPj8NSJiu*d`tTwkNEWLyUdhPf`;-Xk2EH%vZqfS0oxrcU-BwGG7H{!Yz%; z4i~ZK@}05*J*k`L7M}!tX#n@rJS1zrLXF zN<|Aga&)RH$oiT7Q{;NB8qF*lAQcM_&&A4WNr*!DAxx?PDI7&gNvX*)v9 z1wy8;&=TgzntdCT;9H!!U#-1vO&KDCsZ=@FrwCs{C(G=UQLmz64^cu?oKvP%<~Cw7 z7uDFD`m?25G6ybMHnF0VVn!VR_xzMm=yobsvhT;6Q5jQ@L370nwK8hufZzNe*WQOZ z1baA74NlXhS^mAWmN#3?qkd!Vx3;As-JB4D`p+il2nlK7sy~D4;j_XcAs3XU3Nr}j z=|X(0rDjl1lX*EHWJG^v!~8>m(=YiJr-9y~KnJJY>fO$aFB7_`K1?Ri3lb>ui3k$H zgaQT*NWw{>{JgZf&%OAHG1(72-`S~nzvtk*60D@~x;?qDYrh$IY1Xvuh*teu?(=3- za^*ee5K76pHalYn;A7OSns2r1 zENbYb`%wR54C}n)ru~)v)Ukr@hT9DQtipI%y(r>r@c?Am7(b3x5x(Aq*H_=)zR4gp^c)b;_ITbvhSGa4F3i|6(t{MAvRt+?o(0^=jB8$k#Xw7+ zp#lrPa(K}B_q&HybY8Mnc0P|L=5);P-?nSp0B_G*YBO)Iep<2bYaTq;quR;Z7FBvW z3*44lZK+ zlnPnxt?_pNfb;HjKQ@r-byaY&-f@q7w~_47>e+VEsYWCF<6&$+=5-*L zHKu1$E2zH3SF+1siRjbx;7$(NOAQF1u(Ne~mC3CF&3uCTl|femuQLcBkoe`rEfK{q z#JN@p$lqN{)Llymg63iA0|fJ>R*${CIuL*x{qq@=np{VGf|&$j!wdpZXKbMadJXA+ zK&EE=m}Tp#bcz0CvkMd5a!fFw0pt6n)iO)RbB?ZL&j>r5F;pww3}czSFDSGM8>1>_ 
zkG*2C{oqfidM^E2lw+aFp;?*nelDT_@np{h*6R>~5C=@?%@Mzz|iZCE5iGVWQcI;x2pJ*gL0hUjN)Dy&8QqBHd$ zhdYQgDQ5{mA~$K_RBH>@M4D6bY^07vDZW(0OzvUu%zK5i^f!FdHyG}p&vaZRoCNZ8 z@%(tET4VxXG*Y6d7K+XJ<#Mvql^pD&* z^Y2U`rxi<*f5T`F@~sEOW||?oshe9k7wDL$IvM|@GVUz$4%?T&UpD7#)@#nCB8Q2nCm)$FSL{f4weeQD zl?NxnONe66)>w{Hn*iZO2K%gaR7=7v=0!*KdP%*L=93cf%QumdU6p{@W`*>x^8UF& z*4T)l!afbj#sDPK=s8lJg4oy)HcweA&0COdD2}+5^~%@~eMa z{Q%sg%QZfhf3!BV3(0?pb0^D$5)CyIg}mdWALjz1TV{QwK@V={Jx}C`6|=0LCr&^# z-;dWBu;BlXv1GSv_ocdWwF@Zf$HY2yA8U0O;vW2=so=@%MFD+>iEmkcW*PKM%aLA1 zH&SCr3k#O{Tc=~gLFee|6AdhaUD7K6nm%!YdQQnCl%AczCryQu;it~Ix$^ibtyStI zS|!$^Fa(`Zb_-trdE*KN#zjkWRi0Shiv*=4BjFtt^=dB_D^#DNbB1~abs9_N7<@V$WetoX}#zh9k&^zjY7SOOSF!j7=DXkWYy-2v>OG`h% zYjUO!A6?APj>rQ(b(dxB7KR|w#cIGV-d9|Lk{#k+Asqt^<(Hz-vH6%@&qerCXN#bu zzkkp?{=Sx*lv{=U{GXkQPC41T?UdP?!EZT6A&y3v1XQwB2o{4`O6Jb*E(9o#$&?}_ z#vZ&dJ}V{>MAwK_lh!vQ9+}`1*m?->iqUhii`;+1@Wo0 z7PSZauRk*V#aO@CXw0eJe>m!F;E_N(Y%rs;-~`a*BIr&0GV=2zuUFva3tw-~f{0YQR~D{f$QKmOF*>phJt@_Re`k1&6xJlvtCDxApQ21M;-? zh2E5JbLab|fUd(kVyvBOE1zBNcvGrg%fLU0n&#o*SiWW$U?{tf^UA+S?M^2Eq9S#- z?+{YWwMyG{-X9h_<=FBo&-bSBXEj~>aecr@&RZO}+Yx8a$8dpXB?!y7>%v#JH65p& z=*HRS`0Z(0%ja5bR0xRN@-erC=T}kVz~wmnCPC0RK9EV*@M<7;^XcSD&-XDQCjWM) zL;v0J%zxz18!12-?ZLx zFP-NOc(S~&2z=Y$(n9sto_fJknAJS@s-W)2Fn2P$cJ!Wijsq&}*4o_8vYN7qdc4o+ zRm5kmy8s73c$2-WhDI#Tn9G+G0hg^!?sLe zIPT?>C<_0~KO{4p75*M|BIzcaN?WRA9vVk!7DWfH;xgmdcs$y`nvaY^YU$5GImU+Z zvnqe8E*mu^#K@}fD^_lox^*;o2w&}rnmdP3zp9#(E}7mN`_`Ym){}#!a^F8mQaOr& zuY3<83M(Cz!M!}y9Q?_WWkX@musv0VjpZ$3(^l1~dO`j#coF9ELQ?LITyKL@}G5u~qgIK)&Ym;ein8IVh zR_G-HF-6GQ7$}Tr)^u$@`7NIU88ikI&=jsP`!)3W!%8@bztAd>U&JJ${`gj|4&h`_ zvuE|f`K`TQ3X_J+C#`g_3)ifXWQ*~;b`?sym-g*PZEJLqlL^y>-@en{f!@M ztyZa0Lc&%kTIGdVg0t+3v0%s-u>VZIORi&4>P&_~!wJYWYStB!>O_r^x^ysbYOqv(lPX*$!iiQzT4<8$9t+g3UdvpRK2x}W;BHj4 zE2a_R?o&_*Kq4=*SfTd#QSeo!71Si!1GlKPY&>u4qQpKlOM6_Zg;P-FTAr`E3lUP} zMIZf2Kw`1xUx}vROS=5aMsIwDrp!YB;KDHTFpHPQN>Bs;uOiI>j|dt9bAEhNfoP3*i9`mT z9}3}{a`0s_ae4J2bGte)(n7RCS>&MZHCz2efO(B}#X4_1U-$u%UGn|F1Iz?0`dVek 
z#R?);WQ7VB6z`dm>_D!&R&iwMw$*0-`}^z2IN1v)m`UKgWu8*kl}x#^BRhX1s+`Zk zu&Ivx=IFzaw&p}du1}p<4ZdC$Sq&${sjl#5-e$qp<*{CiZk?=U>oP?#bn4(&RG)QK z!o@y62Ku3N3r-0Hi)8aRy#dGWv>J7Y9hPDwjCnp7^iv0!Yt|H&N@O@6#;6Jo4!K13 zK`A#>_Btw8R8@+oUvRSD{^HENr>mm5I6^EF$3<+|FY4hRu^Ue-B|Ql|Fxi0J zd$r7=&j>Sor|mNF8xphDVRq!t!$O;r_j;$@nM##34Nf{%y9Q2R35Ym_)ZxnFP`b5*ud`5t-VbR4{#rh>)i|0jPqgr!=k!9^L6FvZfBf;RR3T3|L;pT{ zEquR(b>#wjbWi^{pg7Tew{4AquIU8*CXic#}>Xf7jP;LMuq;u z3BAherJNhJYP7UH3m`sp3F;!^OX*fRt4 zDB~IjxP}b+=w}Hfi#(q2q2tscepMlC6~k#52S}XJ#FC@RspiuNQI?xUgsj=NBxVJx zfUVfeAR5KJ1UM(y1z0mIMf-utIQ^WdLBNH|SN4Q#!f#eC7EHb5FB+`n8uMo;`+cJL zhgt+&$ZsHu>$mw;=`V$OW$teXW#<7nDhxQ>9EQ+1xNaA1;(W%#K(4A4i8fcFntQn( zs}O}*i+N)PB@gw2RAKCZ1WjVWpXRSKcSNelmgFczx2a z#vU{K^Y!`C^pJ#OSK7gp7%_X6omr_4g3~0hYta{F#xmF!6#4Ut53q9+u>_on=5h7w zR;t5QN^y%LKbw+J#s@!}QKE6T%GJhng&{@RIi-SNsG}kZ+HVwLZO9vwVWbV=a&sj! z23HcQl8nqH$xPYhFh7ESNg*edZqb&oSi{cRR1oqg+IlQ;Q<-3~i<*btJvIrB5AYw9 zcr>xxG|5&~x&L4^O%#DkrmH%(pcYEDq$4(MGZk_WKXo=#4NYDyW#I$oD^jxfAgC*4 zaV!>eHkv(*R4H7ris5R;Ubzo|C=U0}Lgn#e5`BvMV>wnyq#XXpmRU_PaSuvs0g_?K zOxC<%e7?Nf>1ZQcvI2bhPXu;bVnK8Yt#7m-jX0pd7u$Na9A`9#sZRsW{kzPAid*h| ziD3lOae-<$g&^QHjIJ?286^fHn*7OezD!ycD!;dQnua}w@kz!SAx^P@gYp4fH`=pJ zHI^N%&@Me4LD#L;c|!osb3l%C|!AyL! 
zG{S+sd2J*uY0s7CzBSNj>KG=vUoMMIQIixyL@fK~Ql8XzGAIPzW`8NSZ!H&r9=Zh1 zA%+Re_n6Bu$|;9@1TrzKlxtY$=2?Pm#!Z^Wwb$w_MZn6ut6FFQrKX?CB*q_ zK*OQDZ$(c#mbnkPZ)np~g`|G-Yya|_zTDmyc&HpKYTqI|Rnr>LY}?b=?GwRP)OU=Ew`B4H+ZX4RlZD5y3BL zDv0fJ4ZLx29+@hjDHkX{A(TsFDf)j?>*(R8#p_;Di>RhK|)D;R@l4TR^%rvPid?_LMhy zj7eirI{*>7)B8ACUrnKQCU-M&yjYDufh4y*oq!pEV*%>>mQQF3)AJs0GN|j0*TmiK z$gOv7(3*Iw1exjw7>N4~Z-|O1ML3>KX!j?!2xqQbm<#^^RRzEs_@K7|>ZOkGsRPUq z?!4YIBMkiE5*N$_iOfFCrflRmkA~)T0jGGj-V>wU{yMeo-dnX}H7)BMRX^lj>#TDT z$#?d4dvC<%vKHyZ*gJ(&RA%Pl*;1EugL=!5`CcDg`mDCNPrU9I==rzzRxWO4w*grX zs@dK>+$TI{QyW($oC2T{R=4fbkHg%rH$E4R0s7!)o^405Z&%?GS&5n_%Q9$m_XFT} z9qrILz&875+`GJ#W+c`RGrdmYcW3;zdN{8ZVo>`UYP}q7!Fb9l$N$l?@T{ z-awA!rSG#&?&P{rw4p61R^Ib5uS4&>u6-Lmg~x1Ju?PI(MaS`NAv1KnbEi^A>%yNX z+kL?^vq#AnziK5HaAk_e@DaE9dgsYp+uk(yJe;jI&eB1bykT}vb75k-c?kKB6v&&RYuP-)syDZF)h8!Q)8%?@`DH-{?sKN6*QjN5alC#&mJ*__M$oCSdKto6LOl*?@(><~G+ME5PS zotz@@xt+Xjq0(I6U*BjE@g5e_O+5PJ%S6Ao#i5kn>$;RXlkJ(~xODo9*K4XvFXwT= z+q0S{tF!+CW_k`!r|KnpD^WQT8ps)sGuDXHfZ1rCyM@alk4R z91+t=+v1VUj(UF|cwW69&-U`BVyBw3HNe|T|4Sb*E1W-+uBC+V3XXNm1tUlqhbPy; zK{`rI?f_WbqqB~i@Osn8nRs~N>{i1`2LeDw8RO#jNRY-%v~mIJwPTn*GL6&{!`8as zL|05+N=2g)>SpFQfIvx&Re7kg-G{yuX7563!f$p|W&F1*rE7Q*!H^AHIf%uNtMu+U z(4K{_%_e7-&00#OFd3u+1rK^NU=yaRbk?HBpZk%c<&*Er5|O|MsWIKfQg$>#4L&_Z z6qLm26m`EkXDLg=46SrT|4KA@mhofhw&Z((?Mh2jh@uSbd>A6cIfwmvI5Fpvh{IxI zXwz|TcW`@B2@|S7^ElIyrnLN9CyF`xIeevpKuG9V5np-3Mt7zC4vGQhD9dZR3MV8bgHVoqL4f`MmHdmNws7&*l%VYeBb)3@z2npLh%oyK!M#T`#JjFHhXD;tD-Gw)z&Rhd7awO$-R1DFo zDs(BK4J76qVZ&4{$ReylRT;7ZamhWeq-iHl#A*KYPu~FqrU?&dSlTa ztT?zMX_mked^ybK2+NpzRGIXuK^C%KV_rt1XWf4aW_e0yPot;=y2&58g5mKMoJngC ziUsY=T?|v~f!!{xoD1?;DsXNshYw8db2i9sF8ImnEn*Lrrj%#QCeox1ol4M?+Qo$g zA>vf%PH8k`2Jt1I;obiZyq-BNKiHl*3I7TDhyw3Vd-fJKecZ3{Eb}+4v}fh-Ie`AZ zhNd)yYBnw?2r7T#_8A1uPVLID(g1A>u9n&jTLNN>g(*r+(IED^zmalEl3nOS$|0iC z#xIC0Emm1p_dOW?_~y_NU#m$WQ!=SaXWI{lLduho-yw);UvfI1kV{_A+wbnS9Cr_< z6$UFK>ldxa775Euf7%=ukQKhZRx|^6{CXGDi#1oMqc2Ec?TVqS5=Q04Hq9wBKnXHi 
zJ1406&YrB8a&Gpk`@vs^{mf2?N_R>?98pfG(i%3@jx|ERm(15jWqO272;sudzGgWW z*0aa-!5WWql2bv3#e}OLZ`{Stm+!K5SC%>&SBS8As)%2eXQGItjDl#GB`*0zDlr?z zMvb=5ol$Aov=F$@iky<~k*~!cFtd5##G0~C=g?^UaGGPZh2qJrVcB>GQaxpDuxv!H zzCPt${r%X6$RaLR5H1+mO?jK?t)3E2;LOR1%McXj~|wlBkbU9Ff0BBN3SYhgFe8BVM>!uM>#yO-(eKK_Qxb z(>AfZMP9g(9cyRb3mlIrxsHD4he_4CWH~LlK7n0lNy5UJ$dHV`QKf<+Sj^~vd%>ie z1W%ls8@!>zT={yR60WoCcXNZs zL{haGUk<9x%(}ODjfS^t?046081A1|UV7L*Z~9rZ^w@e%-*I%eJb!+yLg1>O3waJg zcmR7QT~Nyvd?JrsG>-D4XI^O<_qmp0&0I+wo@#SGCZvGxH)_R7VaK`KtD852-Pa!g zp_!p;51>Ns&2ks38*EM>h|$Mrn7sR9imv)j?8O8$bc4|Dwg`qq(EM?Kp6ffA;cCt7 zuE?>lX$(w7^4Pgt#O?kZcngjM-s{%lIh>=?b-C{rw_3leKaIk;YTNCByfPmX zzGBm`S~VYD_aiG%AWLee69&1@p2jZ+8t5SpnCtyr?>&}^BeM>se&oAZ)`M+#*Sc}C z(iFDO+x`A!B}W^ds;sZ+t(M~T@7V+@y4cSHzvrRh7B6FfjIZSt-`9ww-uskMr70~) zKai{yCa1EiN8^)@&6oYNpNDHvmJcRzkfdO6yOi{~yS=|Zm2R7E3x&>O1c=uFOs)BG zHCg_w?R9^Z%|wf*`#yQC^Z|CB?K=e3IlE5NauJ$5QOlFkb*?e~dg@rw*6)v0H9^1%6?r*)9#x(vp; z{)Ax>CdS9J#&fg|;>&ym7jq(G-Fag;lB+HBAgPZ%QEUNMlNj zd8sW9q)0psjDWZ5E=%Qy7n4C(;DUJYCOYmjO&&vBg=V_)@K*{AC{g$Ya(Dq=!6Am^Nxl+MubZ4sTW#=jXUGwl3jiI6=`;=@atUXTyuc5WNr=O7W#^AA z7h1Q*tHBIPnVoxY^;JTJOH1hNNNLerj5rg4IEv`F<(rP%ZJ4RM3!_*jG)~rjy zpoAqK&OJm)iO`D65yQfg>hM(+b-)%1tXdAS!7#=(ZgMJNO%y5)-@ksA6?F#0*;A1+ zEGS~3Y9St&jy2^Ks4&OVCAQaJEQKht5wSogotyblioD_&`3Ge-U0Ick%->p!g(=P$x_qM9^W_9sK3XALJZa=+%53u`DX3}&{&~0Nttzl2ve#@; zSW@7JYRH`^fT=9PTg<`<3cTrQ}fAv&yT8*h{~*_>Dse3|?}L&RK#u_%(FKGuE_x5!Y|^~{QpB1%!bR|o>$;x;@W zzg_5$^sNhWJHn9s$C18z+&n-^*tLTbz2TBUO~`?6D9w7x#nPz<=1sjLCGMLR%J*?> z!*bF6`!_ojIkO&VP~xXHh^c#HC-ua)NN#sl%|xg#wLkyWTHHVY9Gm^aVCjBR(v&)` zBY;`3Lk&9Ky3>H=0sn`ae#Gg0Gpj@aV}+6rm*k1Mo_-08{+L3c#Ut6KW-gVA^Hvq< zrW2Qr1p~F6I2Dm{)Ke_z7uXIYU2|VwoymS`nx$nT!^82oP|B?Iz=lzSL%3%4CQWwfeC%p zYJf5&ie#G*qW z?Q^!I#OdKgm8yi9PJ59HDu3%yp#vrZ;syGJW6ubodULLRJMEvvJ=L|j0|8bB+cck^ zO=p#2r54kbS$OOW10g1B^ALoox_nSCyuX9_mz9j^(YNO(kP!5GukE$!%LkGWK#oAh z3@Q0i>LLjik)9 z9RY=QwemeRJ!=wXy)S(f?Lq+vdh2`De^WbcV-s7ujjudLdYo4%)nbmkg+1&p8m_^# zL_3B5=J1_?(?#Mw4!T}@0ZV7lTQ~L-q%gbBQ&xQ-M)zloS-U;lbb<$DQo 
z0cF-+eADT?6uAD=bgcJkQIR znb3Z+f4uO3EI);;qjPGwIm^0w@yus<^ly*18CyNwAEjdc=vd&jpL}HEHIQal_}q=n zXY#lX@sMFWyLTB|FYAJDU+y`#wqFMyf6I-dxVl*Cr~Ds5=t!I{ z047~NxDA&=82@He@aFsab;R6vg(h;(t*i$EG2NAwdyAuE;3whVeY0~A69{B?#J97( z%g6LKV>i@;2$J|AGX_jJa3MJ2BhmPidO$lcLjAJ%Id(WK?dg zhVrxO!2zjMDo%I2GT?{oTYFFX*b|5TB)M)GTzEMCaR_0O*?6Hte_&uzI{s(}q|Cd* zJh?2i_}av?ra_~U1Uz%4Rp06;z7i{#vJFvr+1hODC~rn-NxGcG)DKGxCF$0ZRUsnt zI8@|R9id~2pRlCa`jZJg;{4p%QE>!2Au=?p5qVi*p^LIwlZR_gtzlAQ4$almARq3% z@@#ULXeJ-@KPTvlm+aXNCAOlfWcpCp;wx*+mE-VQvJzpOP1lK=4m5JHQ~GYNg~0c$Jm+tG^DB!JEm-*NgB+5 z#O9-6GJBH#*bi==X#FWueyegFNXcH!lKdlxo2|g30vg zL8ybWAHYA^~a4kmBkS zl@}fhb)jTDOGwR%W=YbCvw>w1+IX`BU_wPg;rtLxF_sgR9o_R@YAW7au9a%oBaQrE zkU`73xyiWngoIyFpT9uMM%}(bD{x5L&RP<@$dMi%830S17Xkl@P{H`{4}8_wB;ogd zaS*iStMKo9d3L!m@AO*dJc6~WGxgFUSEwHG6obm|%!^p&h7HLE##OZl8xBGhp2H`( zUyUOL(BCh11OH4+UEulrpI^Hi^v}_pQ!LNCxdy^%_MB6cQLBR8m;t(6*-HLzl*Cu1 zv*%&a3Br#BXD1voq zh#a#e$VWuO_X~_`XAJR2_l$U$(lK8jW+x7@qb?qcby4GJC{IeelE6O9K)LX8`Fj6+ zL%uY5@Z?i33Q+!D)Q!sen^y%GrKQK@BUuf{(LE21&hVNLtMFQZ=2Vh!4Pm&xYDA|* zdse#rt1j8^O0Y9wYGt`3iaga4BIOx$($l&h7{N7g3GUNb(l89;P}Itp;_ynC{K!QD zXKnbM0x}U@E}@fJ-Ce5_sNYCU1#Rc2ju)M(qSUKsgolMoH>p~u+ET4Mbea;yUBvxqYYaax-O_ zeI3MCN<;eCyXf!myh=dNY=(L}e3{lwZl?#qU#%nJa6$5a1bV)J_m}8rA~XY`h#&hW z%j=AZJ}59ytC#n1&Ls9FPoSn6e_QWh=<&*{tkTZ;R+KDYGAH%ARrv51HlEv_)jBBO zX+MJxj&|EDnh%lI?d}_};@H=*Z;FaX9Iq3w%BL;cUCFYV&|SH_R_MFXyPKOE>d~KTeexZ6i=t)iQqipKm38@eRa}Ex&?e%1e&c z3$a=O=x{$0<(AqGH>YIZXkA*HP9n*0S1YWo< zWi&r-#F}ou-WmGhR(sFN^ih7$xOSrX+}|#zt~+%iJR$x}THgIBDg-~0$-{+aW;Ff(qn_?;+#w~!GscJpDPu*;r11@Jj znLnMW@o940ekGbIvtI-jG_8&+x3un)*iy^4y$9~us{Wqdvh|VSIMBb&&+&D7wJUA= zsQ&`#v!$ru>4OxQ|pbrTwIt5nIA<769cAfR|) zNWrVtZDJlGs#+CPYK?e;#URX-Pm~wJX9>n>SXZrslM7JPD;65_6&aKP7@GJ3WO%p~zKf^Te9;28PN`TA8PeIwf{bd0;x+jUNWsX^$n=P;_`)XUGkP8piIU7h zd0PhlVeAk=2{^*~g&=K-6G7{U5CC~?ClS^>H_QS1Sh=a=reusnRPn#r+A_f4JbERi z)G%S*y{TbVf<&t%w8mfQSV@)Pyg&@OWoZG$27%J)P7lTc{jdTE?jWi1xglfuNURJ1 zx+s`~MG+L~v@jSEYkyef+NI+bV&`joP+}qMs=0$<9%D)%y-^ShHb(MclPnU7(VQqx 
z0c>4;MY81{KK1!+(F`O7WHbxB<#r#yLjQ`wAs9ZI}qY{^(Y^^%FQUUec{C7Us z9h#rLK&K(fsZXV0)9cmfR8$4z-OPz^*}=Q_aQwrzHg!1V*w|#x-tjxk=hJO26darH zA>R}D4PH#4wx(Q&stC*i20UVURc<{N7&sJes2lR3%UiQ?pV(`24sq@^OFr~6LP8WiXbn}tL0Od*L+_gU$Pgt;jS z>RCkHJ5)?N4%z=H7CXR0m@kP3Ik~Ez{mM2jyd0?OJB(lt91ct&8HuJQj3W3gkuExK z{^i3mm0lXl(nD*kpF3BE(6{a|VOnL>=9n`&&&M=6rRV1oNfKt@A&~FM^Iv5Ssnmpt zwi2l%5E^+ti({`(M)l1q2YryOD>hLM)8 z$;j|=PjX?#`v#UYODlfA%9cP|OkR4eE}qjYZ)?7zOofUMNM}CNy7Zflm84nKhlyI} z|5G!Ydyp?ZX6R2kHxB4`eJEpt`x9#IO6F7`_}m^M zD$vF$vHzNfxeBI14$iD}JTVz`=tv|cw@4|#fa}O~VHWZ+S(p3!iD}TsbY&*$qm+O? zhC1mTCSw%@B>nPthXOBo)j+^kIjrCkC2;?|T161TEB2=lHRL;4^w00#h1lVJzgVx_ z+1e#8XjuC#m8{m`nA7emW5ek11qoX-*0znitN%%=I+sk9`>>cKhxFOHC8XD5uO(Hk zcV}SR?&IC06@4?bx6{dE-?hfCX)&E_xxu$?ai`Bxp3`DbYpKVG$KhU!cf}<73U^~K zmD_nW-S_1tT5Cz;Gl(d*&2c6faY`?TFYR-atJV&<1J}{KxukY^BV@e&mzBHpujx_v zeoyD_Re1H4+uL&X;jeVW*BZU*^F}!umy?9eZePz68#dm%F&Woh$IUA);NRS`NuIN* zsoK8Q&U4RMg;d#;*Bi5S9;g0Au^!hxBs`xFF>IPvfd6So{lDZ^o!?$T6;vDTwC*6w zcI>Tp`(cjTz|s%H)WaOFde38z&Ys(s?yt`o`)t*78SCw$nZ3aBx&)*`Q1$w}guXl@ z>b)Ud=X3*>ILT*mbw!qd14^b%Pl25 zZauEEr6-8g8Q#5v>utAd9lT9V4O^k>X8VuctX`2^EsuJY_#OY~qm35de5VcEgA8Bx z*Prf}I+>kOOIuf6GEY4p!!)iy--~RRw*7_XYYTt;@7=BZ;E;yU&SM3T3)B;;^~UXr z0oJPxB5Pn zF1hwFeR@sLSxb1RdmBWDUUAqD3T>SKmFoeW zm~xf)3oT_nllgDDt|AnkC#lrBAH?G6-T}^Ycq}sSB>nzEv_p73Yt?!KPeS6$FK&0w z2M?b*FI-zyxA@NO_a-lYRf9x6L44Yvz(Ty^FP(=^FTxx5v#|L`{#`P_chDp>217D^ zETj$do$QnN)5!brCAO0uH`YWf2hq9yarL+gLl`izb>Usb7Ma8{UvccISD6GjowL#NQ#womu*VPH(p#K0U=EI z#IlHA5Uf=#nx~Y(1|F<93h}xFi~zqlc~0ryiy^9oYf0+GSe!%}H;Lg4VDdNxx_+>X zi5ZZNy|b*ZkRgqRY9wjOG{R;4lo1rUSaX+EKb8Nf@-bmXqNZaaQE?{+Me?(tK0+EN zB>od6Bn%1GW`e8uO`AH-8Q3I``FM8`M_sHiqZZC6sn+4$#v%SQp5A(ocd5bOrFPq3 zB79{eUY2LOr;xHuUSxe?6jf+DmVjpr0N*&SIY*@=9r%J|JFhB74R~9FFFr`ixRm0^p z_+^1daD10pBo)#&l~z^`;i#UE!|u{jT8C!0ZWtz5MsyaM1|X_U!s@r`HtI+H43sWr z1=IX-n6#moN)zQNlF=W0>*q{nq)5}W5Wgufpi6LV0bYre2=$j*8Px&tS~*%d`{y9H zCIwi`e6kG3xzHwJSug>52PsRIyf`V;?H+l0lS9%2<0JT2^nJlZ!dLq*Tu0v_wC*4) 
z33!=@Z1)M3ek`q#Nl}W^W=n$b1ziCsMfb#z40K|coKe$k>haBc$al6D7o<^jd360w zru*lEtts*sn&bqtIR3+eZn8pt9F_z97zUuLoZXW4@JJ@=5c?D?tA^FFL^e6wkD4pW z=I|b(WHwYvhr7>;nO?d{R?z7RPTg6$cYZZ?-QwLDKniv-vVQfc zF3E82ut^z>*+P9@zKrP3uu>{a5NJ^8jVwzhs1i|hrNsd!8Yoot zN)q|Q!X&l%d8tZhiMH+4rc<)%+VgkcGMEZgRgxe}$-)eY00)s8Jmkg!4!A|-0;pE! z?mT+ASL-q<6J!w|%FyTIu#W0q8*FfT(AqS5^<_PByWqzM_lhoQq{4Gc#vyR(I0@9n zD9>cUnvI&&DbOMf22J5$nlsJN_Oo)Ge|DTF6RISf>kUk`(QKFv*ljq|~DnE+MryO} zmAT?^+h6AKzUB#u-EQp1?fmf1<>9{k+BF8=dctfp&CBo=4Wk|t{A~qBH%?>8;dNdK zuua-=KRrRsHy)0;+VR|p{GA?O)V>SU(^X-A*IFQ$87)3gI@j%)BiW#3`+T{YG-CVX zsc^oEb98<4+0FmznJnfrdHFb=aXHe;x6r$DB-}R9D#v%QNwXA^+t)Gn1GmfcG#e4_ zS)Z%)GMNfIb*4FSId$gE^*)#5$UrQ??&GZsre?P#1;CI}|f_8!3eEUq)*RHJ2Pe<0FN6WjIn zxrvQqYu7W55j*oLzxG~^(=2vcz3p~*S0u;N)&Cgl(|Pwf$OXM{iDc8Wtw?3N%5|2- z#rDUxMb@s^yM+Vws`}Z`uU41mdXMXZg?0TN24;G*hdSF3$^De4BMmYO&%b({H$x`*48p;dge^Ej>P@6yv^e|TJYFA z3Ic_`BHcNBusMc+d?}vXU*t&CEEsYVva|zUV^KQW{zRq?(1d(u-i3eo_C&nHq~dVt zy2(Z;sB3=~(jbE3xon8VS_KzjnXH%NNd54Fy$RujS)!nC<;MUL>omlW((s9dJoW0C z%9L+m^-#!Fqsr05)Od+7h5A7TO*x6bzf~$-v$0GJ3H#}5^McdY$u5-088 zW|#QKx)mwvR$senyltAGyAi=y?;orJ`CSDA2k?8AAw*Eg5~*=VJg~!_+gNPhc3T>M zNL)FoglOoEIGrx91R6b^Rp{JkOYcg>Cxtgy2fnaKxnimcAN#rRx~!j2MpzswNY7zZT5AbhWFe10a8jye zC#+LYe54I^$Yf&z0*>dt&OjuU>UWTlIZYW|+l+n<0tQt|wzH<1vMA`(Bzc1_lZMJv z20KoLOp|khtT>uF^em%tcIk*hoHibXqoh!S{o4BE8P@WbVKvI~4K8G%1M=OGM<~+V zltl)Aq@1|h@`X^KN-yJU52%Q;;M->Dm^(!jVqy3xo}lJx*-e( zWgb2>$B9>3Sc}$#3I3dXO>YTf>7pyOudv+dkfnYT#b1o5N;~-%ql||(OZpuNO81lS zOO;8x$EyVG7)k}tlQRwa_Kd%qIeaw^9r2CtJ%Hk^e)EYttM^Yrbd;6GLtkdv*Q-o4 zu)v`Sr=3VB81x+teqvhqC9M-eQ(Q)F14kXVSLm;E_i3ddKw9dle~UU zcGTBc+7*b5JcJZsq%TC+BIAd?{kC{EILug>87>pTd zb6opf=fH~(@yo2ZWFYe5>y$3zfx=F4qkwKT?f_9^R zMWx@EDsdl;(jD|Iq@CysWW|E8#esbDcdAnK2uv!PAByc`{P0w`J8Zya^Q_7N>k$$4 zdc!2rWL&0MH{zMVeMaI_9?hq(C7rEC2$%0xgmfXlDR58h*UutYzol!ckG<6egV;dv zCR@O!H@pX;PolpMCrYoe$i7{l$AE_&Ke;{bhD}P9{i2u=$L6@Hf=}e&whAH_^x*;z zk`P88t15O%@Q(4CAL=fd7)?ubZ+!v*W zLOHY5cj^_fOkUX#lM-6XOtdK?S}9f0UL~4G#q#-Z%7YYv3K)!kWr7FcjMY!u(f=rG 
z$%e+{wOpXR8X8`FBUdTKuJ&rjd*P^9smcq~l{#)b6|OgLfGQ(pYk(A-|Hw0`%ffl} zFkGo(CedB0RKcsa=f^8H7U&--r_4dfL*y(_H0z}?bkCNSjm2C-}Sw(b&_>6we z?@6XWcT@Tq_@nfGZV;D^L4@}g(4PD+&=PIwfyzMaAb*0aB61W`5OO1-(^R-PoL$NXgl1mRP)FRm;2(n&xyRxUF ze_1u5x!$i5YvEO=@qlaZt;4I&KCa2xA+9_h@5^EzzwkgzZ`D6Qo9|}De^)(SW%IW* z?^8l)war2|b?9II#WyRtZtUw`B`?*ie<|aRyCt4EPBR!lo11ekIS(e}BgE7*o9=6O zvdPZNSD4V_i7{6h;V2iwj{&vU`&9JfC7eHUBK?)@RZRyxU@%l67bs&Hb;O1<{Vcd=x$ zwi$tz&-qy|*KxSwuP&e6)UWFkUcU23bhUQi&7*1e^L%mTHn2}_+q}zdI_7448~8d1 zUS`8`y`)6$wYuc+Y>knYNefg>Bbwpse4Mg*_TJCgR-JKcMAdtpzfSRe_BV4K#rsNT zjnu5Z1q!L=c6}V_>AjwFaJ{D3PyYvP=^Wnd=$QvWy=Xx0_tNB`sVB8+5E5VfzF--< zv$cWJ)y%XnZ#_uvoNB}u9!obZE-MF`kn4T#E_Yz>Cf6a7GDKueBA{WtcvBIg4B^I$ zSf$@%Dw@Ac5}mv;p5-sD7J2ESG!f3@h_PI4K^cU?fHAu&98~eZ9(+Ku3gr2LpJuzR z+PP$VJRsPhfGsJgpO{<)+hn63+u9~;2VuEl0XUp6K;S4pf53aR1iXD%$rjFMgPuoQ zJ2__%lHBx}Rf={Qt2r~Dm{GQZEy}qr>T=nT%JZp$Oi8@s{G*MFF@dlSONDjn=-oFa zY+T?6W6({agz)`ADY%{ngp#wZPdPkiC!I4A=@dL9aHliAf`zdj!$PdEO z50Ykuxlv@f4v@!*I49d0fey(T5?3#tUoHwzwoJc3mSG3@t>YOR7x1=3VWdQL&?1OO zD7+iKi-mu$uB{(F&7eM#B#Ds{c|@j6>I$E<=cIo6>TVkkGmi1UEb7yU$S$

8R4w zXPA-srd!CYDII-LqC7Go%n2x2fKG84j2{n^1RGmM>j@JCUpDqevL@6qCG7AjwuUw( zJsx2B=87gdf*?hGZW11%-K(W|VM~xct-Jtln_k82-%uE(mb#L}C=6%MdVy`yW)`Sh zxK04Cul(EOgrBHhb!T0;IOX^aG3QWoF7N2?u;#o%NIBy7*k;G=_$p4i!Qa+tExVSR z-vHh%NIO|aYb1dSWChuFKkF$K7fS*MO#UV;yycObnXeK%)!;-k0@_6dx=nkuoRVTT zk+}-`z~RvD+PIJ*RTaVlSa4m*-1!zhOCPtfWIKwd4}S9P@#SWSX&b)I?AfsS9`i*4 zKw>Oj+Dg(vA<+Dlgys};OE-cNPH#O65H_|8N`E%1I%q2~1r}T`dgf@?1thCA#5v_y zqYagQDN=)}P(tKk&WEU&M;N-SSfVvD3=|PGlt3|FAeWa1df!|4#*wuimpY1rx&*f8I0!la8kwjNa76*B`eQG+To6=iAv z=}^y^Q*n6CCa!?XODZRDG}Gc|C(TMkde_y2l?=pU!wteq2Mvvc`>+^ZcCh%Za;i2O zwonFN>Q33oVJW9UMl3p2QaNie_Pf#xJbT5ez$F^jCug`(Dqp?a)I~X4Wk9zJv?Tp$ z9tpH?izlv!jD3iwhVLU4I;0@o_YVeHe6WRH(H-#V-+`*X@-KmTYIb=7JF}nU7KrSd z|HSe!&44+RTv+Uw_bRR1s>xBJMD!*?g9JuWw4s&90iq7(~S>* zj#A37#zU2dT2zR67(5{aV^7t8dxDStZa=*!{n0`tZMFkh=GqAZx0%Hgpf1pbH_np|NsZs|w+c+7G-Xi@#pB&5dD>WA>OjzB{ zyJo=OnuC@e#dE4AlZ&53YVF@G*-*SJCS%Hv^dVWVC2cx}IV-{?)ab$BGCRkfa(3`d zr5TQ|>}Usautmxtx?`bRZ64tRQ(pi2EIXQ(rJ6)~qF z6Qz@>q=%{c4E%Yz0S{A^S;*t$iZ6Bq@({|Hujzwt4;qji)P7doS_}H3t(YbFb$d`8Q|(lo3Y^~mkQhz zfN^NVo4d+rwfvcU)qPTM5&}SCuX|aWIG*A>c~IlkUOKfU*?us4;_AF|xUclA)%A6X zc9kDlaj(l=N$(!%q8Yhc@@3KUHF(|k0XbFS5owJ~m*nC_a@jdrSuVoN@H`#cbzNq^ zKj;-S#*A&cEx%rC^SEyQ!c~7XYxAN)whQlW8H;?r@CEX?o?vrlb)Cm_yXg95!=@bf zKAc2k(xokLUdh#RBgw?%`S{^s<-%NyZ694YE@o2c_`2HFP7Ou6bnLvpqbGYVeOy&Z z%>bWBD>r=x+CVWL<2S31PoHlZt}$PdX>I2(Ah7BRbWw|~KJxLfe!&5(?S18t`{;a? 
zBa*IhI#e9VX<1%+lkBJA<8cK}EH2O>b+@w0TmNyyvVX4ges#7oJpu$qNB zZKiwftUdblzW%GU?!a;1Q$6NuyOf~faUI+3to2=&-2R-t1Xf|@uDkCA{jJf#GL%K6 z?F97t?0e=vCfrYECPo)t>#-!|a6FTmU53h~CHovVU-!1KIe(JYdbu*Y4r{r#opdjw zPIPrVpce}7?x@&)a5|mpUVmK3zWXCZqvE-luj+jwcIMxXZ}e|Hs+hUY*v?yrab4F% zHw;=}cL8@}_$;n_Zxg|tQd|Blw`v_;Nqte)&CHAB&4i;`+Ip_!7B83H*RLLzDba(fot%4kVTLxh@ULr5ol&0{yOokpHYW z?Y#x)*V23I^efBec)5Juf00;DJ)Y0O&^Mkpw4A8XE`TapK^QW+NS zwl9vD5YO`HL%B6!oTM_^V{qxKV47ppNi5!^vqefMIcas4oSOg7%9B*0@Ia-rjgnXe z93*m4C_6?H5sY9v7PBQs4}4~O)kXqVGPOXyNreu8^piOu-x8i=Z>3I~JntkA`X6qZ zqr6|*mH-!21_o}lCV@qwDf^JRahgg8+-8}iNNI+&k~v@c2-l*qEYgcaUo<861}4;^ zE!S;;bZD?69OGcz7z8BM%Bz}iT zROu4GW8&-ZJP*Gh(ZN^4=OS5|4Be+0w`*ZrjCGtGK0FOPvBxXkX9Qjurx};DTJ_x` zW(A~ol-r+5B$N>L1x2r=0Z_MAS2)c>tN_>{_lm&S4>%hXFCS)y z9taeVy>!2IG7nksZ?a)B8ZBy>)P7@ul2WKsmM;(f$)YTzG6;0)7aSO1CY8;cvek1D z^NGg_Q>J{n-w)FNroOc^4xy$NoTVa<-^}_Gwh{6}?!5Og<23%Bf@bN{^$?@C;Xg#S z_da*{6hyR6xC|hX$CN%cDX8hEU@5-gO^7l2g+_=gWy~3HNxW_ZFLduEH!^^+3|;Op zTPb-KC-#@%JULMa0*mV#W~T^l(cPu?T5D+yG%8Kk@goYW?&z;hSQ!$nwZ7j`KkHZ7 zM3%#5?-ovp>Z=Y13uHRJT`6+se$ztt;+_nX82b~hO_doZZcbm-p!2uSB*=;Lurs}d zzXXaU6-R|sa{~aqZpI0g6Mv&2zhl=8j0h9E!20 z@nX9HzZw>-!^%ZI^1}XR8AKFTNYWL{4~TR?y<$No(=Ar&;Qe64HgZVDw#@Ur3vFbY zg9ko-!A?v@w>GE6X?$X{a~QZ~Hm9~DJo2Ov2=LW&+vodf_OPueoA4~URm6y4L?LIG z1<(2IO4x_cycmCUC!29`5(Um8HBvCxln8Q?MMr@=kS9gV$zZ{jLb*W?y0ai&lq%^W zXp~&YXa`grI_m~d)pY-bdZLGZSOSs}w zii~LA097LHEBpM_S_1)Pf|wPn815Dw55b15B}@+OCrP&wGhhxp!sp!&ZL3f3g6)2i z(ZVobAt~d?A1#D}u+8&-lBn1<|3p^nu8o@}@YJlrapM4}WT}yLx_@HvWaOBCU&eh> z;pH(!@iPyIj#JDVXj_4}jE|6ee$$q@$0;Ktzw~i2jEoix+})Ri#unC}RVHGan`F#8 zje?cN_-0q4G5i1J;odKK*zt?CzWgt1-Trw0?G3xbhZaKm6I`Tzrq6fO_kfSQ=?hgM z3FCtkGv2#Ce0|#28pMQ~8;6V#fjZL@bb6Dv(75rOiZxYTgLJh7cq_orIzGE=v!$6S zjnjjvW!~h2oQ&ta)!3@L9h~8<-&WrOqa_U!r}R}h zM_^SsPxsN{pp9C4umi!Pj*a8e8jdl|JJct8m`B-yE~e+W5Zq+oHI* z#weHmiuDmCyAZz4cOni=(YBByKWDY{$aH% zrx`0YCnY;R_kP`L{mLz0VN}VBmj_j;`cl5T*{M?3wEOFiFL`)3yAzGJ&3v`E$MYY{ z+S;LgIN$Kk4ZHWu7(dw@Kl?%46j=y<9 zyRm*+^M2X$?(*JJE359ba`RE|>ht344yv@bW 
zvl)PQz2@6L+?~DEg|K=b4G4Q}R8@=d_}nOL;R3eVAaPhslfZoRc<$F=XKToqiT0_XLy2g2LGhq-4wwBNLpy>f5_^L zT0Ce6j!Z68H@tLN-{Dox+uVME9~?aur)~F3NgdC zaB`no{3DOCpjQNC_Pl9XOs>{XSN;**eb-f@4NcYc|5p5Y|xFl(WX&^5} z;ng}^APZb;8q&EoJ*RKHXv?(-ZN9WZpg+BCP(iF{(O<`yMaa+ZCk`t=N#bOBMq;Iu zU~>rZxHZn-cUU;p!>Wo|9(n^J{cPt`VL?>xT0ZiU(p1z^`|%Qg#W6CixHa>|jJk{q zxidxRJADpQ`>o^BTgSoCawn>I*Q6R!vj^ke6=a7n*%D@htO{k1zO>jb2g&(A#N_af zmqn5$0G}ukgM=DFhJd9Buo9|-%0m_55@>{s!G@0H@eE%FNde3*@}E(j1`eZ7B=t)6 zEJHHsOh7T_gjw?+-SH?u3m_y@IG}<*1xuw&_`j(7s;Ic4Hre0_uE8NBxVu9W+}$05 zyE`-*+}$C#yIX+Z?(Q`1uHBb^?yQ-6U%rR)aGv(s->IroRewrO@lZ`Wi?wTs_~bl< zR7we0a;&3>e&gTKrhi#Z`CF>XSzoy(;iRc3U4+G}{RwVOv4MSsBUHPLOdh=usyLn! zS+Q}x+S{R+-|nkYW%8nCtpxUsu*!wfPka)0kky34Y?c4rntJnv)UWJBn4E8G=YNTQ z@G=X?r&K1#rzGJe`$k#AZ&Ygevkl0{&(O(kefkx4f`Y}lux+$O7WG#qUW@c3+(RLb z?Ym*|%Z6-$E$e3ppbGL3dk=^#f}}`ksK9067h&Wl;*X?@w@nwX{*;o9QI;h9L-!WO z@uWoUKK%vVvdk*X%A!Zreh~rhTq0#~U#4><(*hrzWGRFC(5=lzsXE1J^55;e%P4Dj zp}7b{UA#T?uFE%UmDph)gRuc89eN?*1v;8LawzqTW9(!0_Lw<&jQaQotfHH{9Q1xv z*6NsX?4_{;p}(0FD-oS}W6w5KV&oC9YQ(4~VstYSVciBJ@eE~&cG{d08t~z=?aZHT zph?<8NQhXe;Tk?Fy@_cbIvBk%v`fMrm` z!uCHfYFPT)R;m%{9$-uBC2-CRa`=oExPvDi$1Uyy4^Gs@d`1f}B$vYYeE$JZL76#_ z{Q-luH)`w1J;>Xj@?qiS%c3Kn;F``((Zh2|R~pY=H{FNBXHY*>&v&Szt%QlO=Xt`Q z<|Y#tP4Ii$LeYgC-&y_d69xob&x<&a;Id)0%err>%fYyIfI*q>l2$yb)a&{qc;uDe zXU6Op$0~g&W%KUJo78VVqKZ?`{ji7VUikRax&P8;=iT_FZl^3{WUV_obg7b$&%?9h z@leolDSP#8PT_e14S@@ExY0D>Ro(<1&8+f$Ew|U_el|QV(NA-I6u1RD{9x8H&)YZv zAM?3A7f}^8p^g{UycN87yxuG(4st%flD=-r&DM8$8|c(d6lCLEv?l0Y{FP`vMC(7S zbbH@U+GFDJ7z-say<9>A9JPdxf9>gf`*R8ceuxykr1aj6hI)^0s3m84_L(m`(YFv6 zwFcm5)@^l{XQ+X$$8Hf|umQO0biC&NzP%rv+rB%>XZHN6|4Y|ZsNk-z2)OQij)e9$ zVom8Zqn>K-a1GN^uvbcp0PyzR z#@w#`V+`xonq7DMe?e7<(K{D1r1gLCYJRO*#Z&SgU~W4`LM;Z>v;@5J9Qz{m4m3Wf z7y^n)vNRsMmi8lRXz7A~F`+{8wSzbNzmxU0>Pqi5kxiGV48#!4_;5sjx0#i42|Urv zNn%YoQj?JrC};i>bb)k_`rG*Udsxg3MvgTlrf4NOs1ACc1y1H6aT?aX@j31n4UTnF z@vkxYSr%)8M9cwDnCyTfFZ;TNV*#hKp5nfA{TUk#YLdS$jRCUsea1)HpB2JBhts%8 z+wVUfZt@p*8QjqoK8Sk~Mzd5IYIP(E1%9~;70azT*hya$RflN_HDJwI@fN*c`lN+? 
zi}=Vwn<-R3tI4F|Qx#Dx=nGUxNO3PY)O(hxlfqJ@L*G}zHJ0Qo4$Btw+oU`7e>J9n z57s(I`O&PDvTlS%l%!T0FqCdb*Zlhh7OP#8#l*U9K^VCSX`%9KEW-u zI_2h~fEw;tvWUR4mP_3%7VAkJCtl{(Pl?V+XtHC{ymgINVM)PXCg=VM;Zz0*W}4_X z0ZOHHJ7sV(r7szUCQSz3;;AdymJD|lfoPO9dZG*;3ZuwczhlB@?jGGw({*_D1&E7# zgV}Y<^)!+;{V`J*&)Ut*Gj+q+sxQ!U=W_vHB1WJKcSDes7!HRly7L}Azb%E2!t`vC zD8LKO)zHG~#?ZQqRf|c&Ssn|lmUA-~YaDZLmAv|f$J25J2> zwp37|W(Vs+n}dz|#pfu&(}>k7aZt38Fvh=;J!+`oS-p)7JC6G(Sd(+Z^lBO_m>EgU zS`pqgL-|XoVFYgBH$R*EzL*iS1~W!ZNv@-ZjOsx3B9jtAki>GZz4CS8w0*d`fE8Jn z;MZ_31xkv%Q}?%S!{d}!rT19=q!k4a02KR#HZ@bu)m8K9bV1D2s34cfLZJs(&Qz=d zqsA(3#N50fipHRDqc^gE2rrZrx#2?YB%O<+hN;6XpI7F0vO7ezk#S-QfS|xfv{^;xP-^4AM znzCNi`wf)uh@sSgXsU)>%gkV-_@V+-q&@e`*r~l~%F~)uP&hRn>RhVIS zp3dD?lA=|u&e8-1YgHVEQs~$u&Eb#7zh&bWvIV)A#Z5-N(`AYm&Hq0nv6RQ*IwbcH zKrO3`E=@Ty)dwsE?gFkbKbnlOdodzJv5d6f!wRTi3*9^QqJ9^t&(!WY=+36?UI2{4YblAGsxc#t+G(XsC z#%eq7D6w84)dX}gz80J_bw9LiZHiw!Zn&c9>=gPk31n>M^PirNuk%pp-WIL|5ZVI@ zh}}V>3(-h?xs84IFY>F3?V#iheeZ{h(4~!cgr;Z`LB6*0>Q`dQs)v`=SU-=46%8Ab zuWpqlOFq9Yjt4{_4nJ!z!oBGqU*09g-!E9{a+_DgS{Rq*N9AKyDJasn;x=C}TrSm| zbJb9_uf-3V0D9e{_y|d89mj)o7p1oK1DRBnUfGS~o$lSull5pdewc1ER!7gVDw(AG zuQwYlykUB3YX6a8SIpI0)ay}!0etj+Mw5Qd2Hjq%t20cKFF$(DX>V)BYtrZe<=M`o zk1MtpUDw&JGjOvktMM<>dtZO$uGjwJ@%&#WZc2wFcoQw=I4ZXD z88@}+Z-;l6Zy!R1<7vyF!d5ST_vQ2BK6PXBVl;xTyPM@h%zq(TNNzPG{TOnaTR+tc z^xDnii2+dXw87qzCOcmrpN2%Y?fnPTmO&J zP^%J=#c^mkE%<4<60x`;u`0aCd?jHzIasApM?&1X>C&={Qvy60uX5~QC75hcex-+( zXW51Y_e>)I6U;{_mUMQOQki_K8R1Q4ky~H5HA73T_3KL9#lMs!bL%7_bJ0faV-Epg zu2B4+_r&>0i#S5TYc{FXa$)GCXqfaf#_+$|=KX0V9s8wQ7%Ehk8{;)6K*zHD7WXp3 zWfZuhuGZ9|EIOZrKKgpJ2><9r*^V~jq{>OVl*|3W5_h*cwFX65lKkJ6Iie7gyHVX?Kbh*u!ZO;da5nBY8m zJ~)*;$i-7`Q%0o^V;|P7|_tWe0Zv6%~;h~)T@jIohtWm+jUIO2}O zDTxCY`ZwxpaxH=U_brAcS04B?ajzr4^FOUD*>uvE z#Tn?O5$#ez+A68+QBy5?C=BZUF$ZFl>Si0%bLH6$WN)z&*I(Jf}oKMF05yM=Q?4ZpWMz9mV zw}0uJ+5Rjx9W5F&pel@_EY84j<7ps2BA-1fS&pR+WwtyMyiXkjVv9**r%<@!&QY2J z6)(sHBwNJIM(am@p*7~!p)o!mETxy}&eY&R&XSzqjH}yIW`wdf&gY{(4*4FcGLRuh zBc5(c1Ny5v$C7AAepQDrDHsupUKZ`4YV|^h(|3{V@hvg@^>Z9$W#YqPm?f 
zxhCE1IRzT?zQKa~o4<0xzpz)eC?t5n2+EySh1OPQ+TUrL@l-e$NHGkr%x&N@M2RR6 z)VG7YA`FyVgzVcCt+=nETu>jR!?f!Ye^eM4#v5ZZ_qRiZnqtU>TJ`qRg{_C>|E#ub zvTYdU(wUQ@{v?|kqnzCxX<2zA)?i80|UQ?p#Z&$CsAqZFDGRhvw2|CE;~ zW}AHeFn``d8SB%MiG%h8PggPQ;$KXwChdCU1?FZ`GRl3*xl*k_!_Ebf+ld4L6&QAy zC^P>VWabPgakjrlz})=d9zF26!7VBByE&N6mm?AK%8I<|zEYCsoB9lrcr*6~Rm~VcSXBcunN2A@RBs}$9g!!wrJkmFhJlkJ4gKq0lc_P*n(CfkmXonIdxJ1BJ+9e%)%ai{ zfumlT6rStuA(9o>jTy@IOVn0KkbSi>$Kc0H4z=m3P}kdbB5p~6@Y!;vv_+n`_NBvM+`X;Ri|%>D$a@9AZ5P_1Uh{K5 zNWkyG^(1A&pu%$;O=79rcSmdcgM)tP@v?nlHu(^P`6j)=p~jC(T)7$Ak5f7(U!P_Z zhe+<0lb5=DAFXM_J=nu;ULb)6;ac)3lS-fWm=gD3fJ3t*R=eD|y=g!_+o!6O!nmxKFAzJ1x zQypO|%)GT5JpqD`;F8DpiI$X?Ueo3FOdD{+q+^@;lJ;Jvy~PIA+{v#og)Ft3C59`erI3};2{n`N6Lp2F->K{EAN^aJC=6gJk+W4r-+Eb|^^f_(2 zw0U}nks!X^F39H6=Q#=&If&X^*VD5*OpNWeZ-PVE0%n58801&alY13N$w+)ICk^zQ zPaEjlk4FkZH9Fln8)w!oGfGHOM44Vb+SYnL{J%`#XXJap2URmygAak2F83fh6oin< zlfG?{%A={W0yy6lFsM$PWK8@k@Hh+q&23Na7!5cUSSo5H;y)JTF+ynG5VB)F(K*A% z$_FimW6s6*S;irIBW?AA!6c;RH1@_C`Ek+5y?y^i?$kJ?CY|3C zS2^FFol+Tzl>=UznkCwZw=T6gl|;+{6Bcvx_FM^l67gn5+98%HMV+X(J(OwvahNaV zhS43*t-fR>jQFzl^EOI}fySY0Er8(pn3Q1k4m%6F81L?`(^A(>SJbX!$AvmttUn2a zJ&(^IE4m;pwnQ(7#*Sjw^ak-o5sk+H48A@=q~$4&LjdOIXIq$Rs2c1Y#3jAAJla^q zB*ZNye^u$nsnVk=UD9sY$z#?M=+RMBxQ4R*mds(2&1^7<8nK9!tWv}HbFCfqqK}WW zO{@)<|Nh0h>hg;_9tjd8MU`M!oti(6sh9<^F4KE(R24ZCe9e^+H$jg|{t`Ugj1Ai= z|1;;XL1?{k=&toQ*F1mzt%X3SBj%>!)(4dzHDk)ya8neG(hEAGsIzuUG{^>T@&!W$-A1sp#WY z8oh7ozb~K|%i)M5DUh1?=44|_qyNAfpm}062^Vp)RA~+$yxIXi^P0GSKIlc4hfA_t zWt8{4;D%L3I*b)()921sgwNJV@_EzwG{y!$!5}LSc5V;IrkCcDg)qV@MzXv{Tk%r2 z_bx~Lqn{ajL8fLKrZ$j}m=NX}j4O^u!Jk)L?mVy4%yCfmYq7&L4xNPNX`ek(pjWol zMqZab)ZvjeruK%85I{7n{j*4t zu`XWGGCoBW>9sU3_QnMpWLiE)W*EXw``n7I##5qrF|DMsM~hV&h?#)a=u1!UZx+<7 z9VJhdDJo?)tgYFrsg^*ovt<*EqipkLt zM(4$>I|^$g_XvUGbki=;q#@h-N;!^^Y^(ObF&y~~+q<%}P@V6$p^+U6KL7lt2OJx0 zd6_7P$pA;@bNId;?stWSpw$y z11zJ6G7Ii#n|89?r}&Vo^tAIYq-`tIJlUUfcg=9~`RQz}e~*7=uxr;2P?&RhCC}>r zg)d1YPCpfjpCBjGR!jp`WZb}Ogf&4l8+;os1%pZXRhO}1^|NbTIJJ64%7v#caN95( 
zJE_2Hg9t65D3B80IFUh8sA0B_)-Qhen1Bbl&M}NDgQkZK|5m*@(f+4u@Ej`s5Aps2 zY1xkDf9;4d+Y^4ptcn}Q4bp8Km>`p0GK|9IQ8_2AbYogLSxw3Qkz-V@T1l-5GZk6j z`c$8(tMS|qfz<5*(K7;u9@tjZ22pHTRDxT{7TIzPBPm<7Xw}bF?$C@Gf}Ho`+En82 z-%&Y`lr)=stAw3}X|;yy1n}d=M9Y@3ZU_J2!>bX}nPCyn6ivk7quyp`0i1sPSi#Ep zx~ddzq{k?YF|Zt z+bPso-`5m1673g_uEkA4U!?cNn6))DpQ@h82aV2`NIH_>P3tLQ&=Rjn|2a^tZQtqS zLiR4ZLqW^U7WCFXsz7{G(7{TIoj3pbcg29uBe}}2^&I8&Qg8X?4Rkp=Nu&FT*L-}- zW}?52VbXKi<8aFTL(V;^G9aRVC+UD|S!~y!a?9*`Wnyxu3DX8_0Ljfr4SsYyKKu*U zuz}xn*{?wXg9NyIpVv7Ozugrxb~(Cv;xjoD?VxAULy^k_IrJXMGHQ?3_@~6{Fq*tKz^qbbA_i-2;aQU|X z*T%@0`}o>XlzkPw{?p~4Fz&ZeotNyHi?PlTzh7g_ha}Ctf))9MlV5Uro&vKkSKc#n zds=uN^Bhh*tEw2EN!m}qR6+o~TmOQPOm9L)kNs?K&SR<=zWsoGKI`h12g)(RDHHwn z(48CLMzhyS9UYOieRE&VRySxgm#Lw-gT3iSp}EVX=w4soWP#8?zysyiRE50Y^K%2x z=kHSD=sMNi)v*Bw@HTY`_)ff2x5?I{-Ejea3n)U>IzE`t&$=D#dI15ly!VI~_8#(T zp*+*KmMU;Zx%fRl>b0{(IDHcx7Q5Uto1{!a5XP4tdW0!kz=n_?@&;%gCslB`7~2Nb ze&%ZuxowV-{agG;dAsRBH5(WLehX?lMzgQhx;?sr)SI=t9FN(g0KYG<2mft@y5Aa( zy(M)Lhuq54O{qW%#?tnDMnmUP*I#lqSuAwJEoC_xr^+F}p>L=@BI$8Xfzu&}ObSza z9RCI?A>qd#CS?2qoSu!V3XqFf!*Ki`n7j=K?`A7&NNCq9a%wg$VW>hPrchk@M?ITz zpzLa4n8UD1Lb}N;r76KTS=RI%&h(UNz6h7XM@q4XSw5m9M#;pOZ(_W&nSc5Cb>F&F z??C>$JDv}|dfvcg(#a8%8rPc2w+CM)RF2Wa_KUy5h-|mA+P^YvXv;FG&CDe!PQ;CA zGt||pw1(3+RK@Msr7%g8pc)QLm;H7n#97PPk@LTg%wwZo5iN(Ef{IC}z)&0bi(V^H zzmPc+b8YKNy7F-(6FUbEL_f6{eO=^hERVBOuN#${s*Xd{CSH^L6`@*I$ZXOu&ORg7 zxQR$i#zw56nbJh{%zTol4gVRDdWduI8$l6EjU^6!j{Oo$0Y{@{Ss5jVSO9CxB1sWX zTV|?PUO%sBD#IgJTkDRj~-1M9|^P{xROaddG=^H>^O>BV7iJp;D3wm(`=ssI^Ani)@pkV;K}J4D}oBX-_0%9;S1fF)%-J+D_CVYRu*13P5!C3%bHx4OVVgz zv-(pvWW9>@;dP)_gJF_Y#xx3*+VcLcn74zMp44UeEuT*sWRhYo?{?ThN9}r zSH$93x+~i(@jGF7+dxWzxWL-y`dtXmuLal6+greaFjI{;WAWw8^ zsNg4)AIba1kqF}zc`nH7&1C+YMwUit%Vfn^S->k;I13weI0|Qsgz};)3^9wxIPQC2uqC&Nn+gX118Svk9sE>t&nbXT52HsSIMl>-7iNc9^C|Szl1y z128E}3xMj7J)kn=Rw;d|WD(*6D}uBu{7FTv+=+s3hZwzSK-F&9&il`1{&M}~>x`(X zDxC_oC;C^`^t-|VjGy_8D4$#DGl^{X#r%!n3W7mGc4;C-M5cpkUzP+4WKQ)eQJ%Y2 zoJDYtQ_~5Q4KbGGI{Z{h>zdTd{oTFbH=q$MR(8MFl-$DcmixoOfS@0ekhcS!@; 
zkzbPi=E}|HmlvG%#Gw}gmu4N-(kVVcU$pycixnjNOOE=!FzKusH~E;=u4$?k67jl{ zmB{|$GB7|a)|j55Un(q+Sc}6*Ri4Nn%tDc;gl%C?9geJK*@~_$T;E1wiimN>?!~z< z=8zbmHG-s$G0zh-7JK64EF7f*UB0Ky!r%fmbh_h%Wu1?_bw+L(jU(kZ8FHX&@xOx+ zOh7IC7pVZUJ-zUMt%m^uI&mEC>(d9-V@!gFaY3uE3IKno$R`))?)ql$t~H*Y z+jeHN-7gqk##;8M7QJtlA3_sxoBtU2*(6t`^0_o=__dA)xo5lXGi)SsY1?~Ih4~#8 z7T7(35K!FkAJ+vo^)8zvcB5|un4Puyw%d5BUlm%6{&uCp{IocSN$pbK4NScor z58$@^a5iB+qhs)R+k|*%ko)2R24+DZYv7=_0?7CR#E0hE^KGbJG~szP8v-M>K|)U` zVA3ohCfEV-v4U{zR2%}tB&E$#GZ^|BP%Z;srp&kYCm&jc|IOK`h|f7Cp#5RBhvFfl z@|ZxTFa0?@NTR=eu4IK6`|I;@iv`mjCtj$n(VQ1?h@)E)`AV3?iHG38jbs3s;$Pxl z=_W)NHtEzU)*%Vd6JOn1qQ9`ON^MIeij-!_X?*VrjNy(7Pt&cMSNFyjyC8?l4=3G^$hBFW?NhvlyDAdJ;V~!m9mQSP&;H{_cMjFO`t|s<*YaYK#gi+iNtp{i?Ui|j)Ba4fYna_LMRA?YS=#+Pa{fpWB2$6K(4-fW8Tj4M z8|OaqS%D;`gSF ziUs;qm_cOhK4{fb&&}!NP_=|0*m;9-vhYV;rf*2=PykL`YsZV;OEL=8FsK zqlU6majmc8141iWV}%fIUXNbkVd7=7y8{v&#}!;Mm_XZWLO}@X^IoFCG(Rl{=(esh&|^6%zzH ztF64BX`U7quExOU`Lim@vnfr>(F+UzT^b`OVZ#gswb`eFg=39@e#6NM=3fohzr1g0 zA~hlfdiIj!3B>!@C7_bXe$^6ko?n=83u#eKl0mW>!o(!eadlP?zhEj=#%)>;sHyBK z;=Oa=efswFh`&J9moyMb4g5?c4bW1}WIqgge0h@(cDk5#)V z|NBfi&Kom@vs4aeE&Doh!zlI<FbUNbwPag>rj=aUVZe0&PA$f?gH89!Rms#f5WQz=v^IB=l;j z)SvifOD?*{`U#1y4oBQ`Hun@#51Xha@qG7+FNzL*JYF{DPZvX6!Q;*sVVB;v1Kt-| zJ<_*DPwn=ZmyerXr>&WFVlkec*@Ro0S4T^W2JT(S>QYnQ_Scb{>(?FQlTgH*B1a4~2pD3zR<*g_p0gpi^*5;M3ht}x z*Lm6+rkF;`C4 z*+ggo*?kGt@O%CTuOQ&Jd@)0DYUg}lbh&wLa!`A4`YN#0^jelW>%ASi!G5*m1F4#m z*y7XczPv%;MeAz1-^4WlpN2NCQP$@0d#6@W>E7HMZU%+;LRi85HC$`CYc)RmRo{=fuDABv+wq?ih=<62&P5S3)k-I1A|nj z{uuJ*hX5ua5YR19un4lI`$6hp>yix*1nd$?2K*!(?4kz1AUeuHFtIdp)YsMyG2oc_c|rcfSz?M^N8pOS)M zyt^O7HpBQPNmlY}eTuG{abI|CCo8$}Ym< zL7Q}KrK}W(IZ(FQ=-*_;VZ3~LWjdflWL0>jF8rwuCy_GoNE@KYLO&w%o$W^ES-gNM zt<9=**CxYd`LQ}?49!RmXUh0; z^OvS}60hGQILQHjiX&Gg_nv7CSlTdf`&?8joRd&o$Q53V!HL-$xzqthH6v3wl`hWf zq@R`YZ3tj$BJOYPvaPqRK1GztCzi_6Vhlz8j+X8$=4L!y7NVnTV&jRbw$zKANz`45 zy_ZfrI%rG#`#}=_@t{P_S1wRtOr?s*RhJRz+AFS$$-9zM%stn0rNxfqM07=*KvoZB zsa9yMi+ti4DQAW;U0+g?2zjCD0>x*MfOO&p@A#?V$K={)p)(jGDZ?ko7o@(*f{4FF 
zoE!|RTQ=bA#E5aunxdZklm)sypHq@V{2o9^5l{wYK+!29)NX%GjFG}5J0kZ_55rh{ z$52{Q>jZJ~NTa+P6+>Cc232qhq~cGC`!IfV54&m}l!(efTP!7i_GB+Tsw`V-V=r1! zTDI|xzXdvxW<%I$-sB=|(F~KbynCM19&+Kd{FcQXDH#uSOwY0ITU_lhzSX_NrD%r5%;!Rj0%<(r?}UJDMy_VD(w}6J3551RV7H` zQ^Zz{XxQREMw|bcA0$zAQj3JfFHJHV&-ZU(g?0s1#cZ@|}6K)+mb+eDchIpvClXAK87dXnp9&x^z%*={}% zR>Y38)N2#T96v2DOtlP3UHMs<5es{_amBu|YT2fcurUn>hjYY8i3)F~-$)N;)DBCo z&X*$cPLKyOl+d~fxXzWmz=9}YWxS|D(or&c9&>@7BwWG z1rfNvU<$uB2cQNN*p2OkR?4Cgv`tqI>UUAc%#+g>>OiGQQ!RX7J>~518_D&>&OA#B zipoR`!dT5NB+Em&$C9^8QJM4M?;sQ(q`FlMP-jcO^I!apZR;S0EgUIV9+py6-TzV? z*O%ZWW+SJA@&^GsYFac)bj)p-C96@!w$Q-gMxbh5o(Jm-xye^lywxG$bd*^}I4vI? zm0#8$$p`8aTqfU4ck|=m7k+X&dN%R~{1#1{Y&5jX+QrWoez++&wvDZ=B%$GwG#p&otkh3p8s{@o?# zA-FOZmYUa_B)#De4_(IpjF&A^YT-PjBFK0)NUCCp19L+knZ!sya~DA-wb&2d)D9 zLbKnOR(v~V#52bW9t7{>D^mFV8sFrX7~IyH4(I<7`njG)TH6DM@2OH+1WaHax%Q`! zgn*F-UB3O4ptYJUze~A`_iCRFD{Dd>M%TAT`*|J0kq`zFojuIc52I9m%&NAr+saM2 zC*fJkz@YWH>zXlDcfOBr35)?dusbNX6TDh(PwF~INo#L)Q}G8Q(q z2iW@*kO4V+%MDosZm%qfo~UE-(BIYM>n*myECVc&0F}fd8IImsKO%Y z;8!bowTqD(4GEEV8HvPJhQ-#t4G-7C1rU{**!J0WpnTs@sM}y?9mi>9-l6)cVc&G) zVXu8P@kbmQANP`%6L)styTRlMN}mYG()=h0Cy6dSWjTLj*!)z5F-Lnva>4|9cGzjp z7^YnDEiLmC<{x9Dq$wPmk!Ty22aK|^#j~fRD2@dwwMk9Go=HO-Mc1Jp>P-YT-6c-7 zDph^rFf4;il$6N=fjC?TA}|^;^7GM=4Udl5m?+1`a~gitaW73YXo|w*f2I z_Q{H$e#$x2{=+Q2xVNN6Y30L3EAM7OjvC)Yc&SQ!{so9}4~&+&MifE3CO>mf&;z9L?6XRPlNes}2#~KdKcPc7v#9F`VfXx=KXiN*IbisIJq`9oZu~^GGD;gk7>wa7HtYF*@4n)l0+jN)7@J-U8SHf7vRU-*R7Y%iqgW3d*gh=o{n7R6o}V?rMBN zs8R2y#+fg({CPnGV@sWer$boVeAHsZ4ihJDubD7lBkHFN`GJIK4Qcpj*2023TiE!N zL-rGZm5^tR_ig_k_ndD8;h^g?w&x#FX$k4%nazYDu;Flm?2#cJ^HM9a{bax4wFy%Z zd4yn8_R8h+s*DoPb>KvbDhj@hm$FpLDLYB!M5yn>O6HaZIkfXxik?{v;_#0iWn4F6#6+lX#!6{Y+eEHi0Q7ZE{lWZdLW-VQA$vIh1PS* zzQXr!zpw=6ixrfgaeW91lz;JrAKIK5Abnaqk8>0)VOi#cWUSL+kP6%sElrNzuqWl2;jRNflwi{>9UH@eqSJA z&;|-c(0j=8om9KrRBYWN?6*hqW6<(N=z^^4t${tF<$!L9V~j}pFu7vCw}d<>%XYDM7VxhKU=Zjva~o^h zv^6KeXiU;}h}gl%NaSSm{o*OIB6j7dc7gJ7`t+j$Tm3TUkswO9ig-(Rlc}@O&9Z8P 
z3H)CR7q<^=|8esfNc)gLeww50&TCYI4}ZXfg9<~28>;%uA4s27rXVxjUSO4Ioc>^w zg2x#_pP%m~t>3^Zu^l<3g{_XivMk-Nl<=9E+bayU)#a9d8jRqqxnL12;gR7sQ>xUW z9bkXPFQwN=Vx{i89cO1ynFv@On|+vP>;HW8`2n4^b$*#~c%gRAO{`j~P%%nlRJKh# zudym#i#nLQP9W?!toLX~v(eal7UUc>o(3iD))5SfL#KarQm-^LouT`yHZwevtT}8- zL>f9_WtHGozu|%X^9Kw@#xIru31v<`+OL*EyY!lKr6#Z~dHQ_kUpv&|WL$e|mu!UO z3?@q$CM{XBT{dl&>fwsf$*&9XT%H_}swqT~(rBgCWZ}M;+|bZyl$x|1YuXnO$DkfX zyv;bGN}?37V8*J^CX)3@9ve~6j5y3$Vqk^wqo=9fz`gdYbYcHSQK}r>Wmu+4vn&^k z-?!jC?m50>h0H%OvP^D zgV)cwNY?VKN22VPC;hS(3%pVz_v`Rtvw z^Q0(q{QIlANDPX?C8~CcP^33l`I4YetVVHoudkwa%PmmlruBt31HpU_7(~?`CWw}@ zLuN_KH?_tgiHO{C-g8Qxf2HoJah%M?2PY_#jXS!Kvk71lHaN9pQu{`0PgA0QtEhPP z+p0_bK}<%biy~NX$$spVidIRI|7ndFObLsxEd);kOVB2?4pX8}K8z($PUWSId)iMj zqzc)1-^xo$OgMNu#DWBToTvt&u?fg6sprp02*zpreC!PU8ZH!Xx#b>9HEO5u%w(!a zuSJ=d2wmcH+8A>({2p~#{&8$2vdOB8%6D4197NVR@jAL?qGgzNCmZ(mx$xA>-{&;5 zL&DzZuu|eDfzWt&(ErBnt$vByGfRfLd59dtt`r}Hnbuf?%1Pk4@9O~Zqaxm#4%W|K z^{=zVJ2=Z)e6*9&?YM&p%wo*0MO{YwD?@%IVk9oZv`(gfov($-LtW?;E@xL7ydgIw zsEd}nY7NZ8uj1HGmu9Pjt2Ukd`o*bP(@i)(g=@|xKn}G1NhY)vnZ49T;r#KPm5>%k zRAdJ8PZ4W~*$m;s(F&e1a(p!`hd}7~h1R~?og@0Jl^my52_BXgYFOALHJ|d{%J!4{ z1MqZqM*^Jq9byV;DVGfv(pDLrFxIwo_v-47X|gSrGn8AM+v80nw(9bTDhZR)J(tgK zWFLE$|H&TtThmoYHOYwwmRUfFsBb0X6Kxv}#exjTte44c&A93x)_o&V>T^JT3Jhmx z(r6$*k)}4Fc|o;$tVQB$4$PBLqPwyDH^o4LhYnU+B%5Vu6)}YXB)l<%0EU0%CjTr- z*lmz$@mVecvy?D9V0;qlMTFEPIH(GeS=-e0u>(5o&YHtPPi9 zVt?jx@Q){L7@&**pc{`GeT2?0i|77L<$v4Vl)ojC-Y7un4JXW#;{sD%r0r6K9B zua`^|;9el7_H!)=H}HiN`u8?FV(+~9b?)8Pvw|1d6)AK8O@uJ@&F#ySR%%wq1t?PR z>IpNHr1OceHzsrQZCUW!!<#cu|5>4iq-l)gmgLjF$XXmOJ+OIb4zXSrqT9c8rd3%- zua%W)+8R7-2&y3Yox4-Bz}=Bp4J5^Ds5fjdw5&YWa4IQcGO`bIS-UcuT+)h;(i zD6eT)?!3qGT!(sETf5%4GkjrJ=)O%)(+#PDHwC#_uMKl6FlYded(((Xr&9y(wKAIP z9JExPE6o}ghFL3yhS#N@0RV6Y$-DB9#lFUGnyW_~V)TEgI>+|P!Y*4^P_gY)Y*lRA zwrv|bPQ|uu+pbh>+qSt+-oCm|pYvt@gf-VQ#+c*2x89iDoz`txO}6(tMr@s=7-&3^ zJ*>rdSZI9vCP}{)%udYRm z-k)20`>#O9Fa49Z-bpi{&KL0ap7Tp=?qRdyer{Km&Yw?lCJULdHRbm8!2cMzXRrLl zwK>3vr*ln=6cn!t+BRSs>>fXxT!CijTolN>DMex)Y!vN=Jr^=s>LVXSOcDbAL1=+d 
zOxfz+8G%j{_GxS5EU7bJ^Q;vms|$Cf98zWoCew-n1Oem)C5|G#JTjVL)%pD7g^0^K zGdLkdxlV%;HlunoJ{wg!;#4blpBSP=XbW(T6&2q)=(NN%3swr_D*jM->%LZNJ*FCX z7(=^=)j=&iIoxV!RIBETIHSD?hNUz;lFI&9@^uy;TnHts>hD}=e=!_!ab^hBP+@k; zxjQwCkcY(R9;3IwvvLXUVul8kB$S3-XiSoox5K!DZyw!LN|_HU60T{lVH!MatVR>Z zWlG1%Obuccm!2e(%9ah9Gt?Elr+A+OC7m=~4lZ1L1tJ=B$NTU{7~SDP28F9*D4BvR z0fLd&&Y&>|t*BbstWp}wKlwYGIHx3~N={lBJ=X+eN~JmM-c67I5MAnF({Pmizj+6R z3VN0nD;$KcarB6Lj_D71g0^}2AqhX#LS0I7)n&UZo;by#H2J5%svXN9sl3*Z8z=n< z+~y7ZPGmww)TJ92EOv%ev}F^U*)sal3W;xA(56cSw5Cg#y=r-p{4ZSAh-PfOqlofq z<`R*yO`G7bWlTB7&`7!z)us2J{+%LJ<#UR9D%%8OX&jHuGU8Fb*-$FWcFJ-3RE|Da zatJ%_JJBgK_Y*M`m(Z^*p?kA64)y3%#o89ai=jv@|s32KVE4?^qhfMO4=5kyU5Rbs4TQz8L zct-Z2jK)dC&05EBwSUp&{VOAqP*#!kOT=eco3oPoC~-!kD4x;S?IeRuAogQLA1h}= zlF%*&_?;~789eqaO$zI*yw+>=tJ7TKzM^RezAU-H^P{7Zt z!B53SA!Cj~>?S!YnCJE3d#7-Ty_wiNI!ies6_*jE7l^4PoyoxKRG}NU>Vh|EHCIAY zRT>Kdr@rg~`~1M1FMD#f-$=ZtL+x>5F26BEdNp=4$OK@Wp>@gzNsFKqNZF`*xnZKI zQn3HX)Z4wtwO1CoWIt&q3oh7ZJUX%$yBT%oAswVqjtXej4MM~Vj#v@6k~OBHHlU9_ zpDp^7Q%I{cpXD$38*&sbJg+NjiVlj6qGV+)p8t`nMh1(w4joRBB@tQt#vgKw|1b?p z&`!ehG{%Y|qnl(3-BTMgpf(_PlNv^)qTH+I5mf6ef|J3=EWlznyet}e>Xs@LK!i}n zB6e(5Pk4{hW&N9vH0(iKN0nn#@L>>lcFaVSNy5vi4I$x!ZJqnp8L}LQ z_Bzu9_L~posLneX92c;6dgM2nWkXJj5u^#k7%NyAwz0YwMZ75-H&eFp+OcO+?>5|P z@7D4@_f2QR??@EX=(=XzAaPus37TTR@R zqntv(`@fGtJFcq|_-&nw6L>dHgIjBW?@@DVwnrQ$LBjEJx98sI_d#6KtzKsP`=;ag zKe`}>fYeL(i_YG+p7(=F{lVYtJl&Hnt=H`O-p0$X3=cV6kI|FH4`5%UmLFqgo!$C8 zDcdPMM$X2Spdz{^UlYYk9@)It)u|ZW|GcX8&g8bdy;f0=kmbAFq8)Ga);>D7UUt_z z*^X-)k83eD{gzKFGq-uV$-hfD54{V$e=}tDys&wc-cx(N&n1r>Z#I%%s-);^zudA~ z(;@raus!)Vo(*=!_lCK9o#|LlYWuadcP=z9ZI<%65H>F84o=oG^5*~vkAWd|KwPF& zU~kk5&zG{pF4FthBS83&Hdn2ISA@+ARsncl{vBFD|AdThQ2M>zSI}7d^D*}<@FjL; zq7$vq+15e{+Yw9*!YPAo;)SWAS$xn(SjvTZ*wr-O=*jwzoeYJ-aGdswiGWKfPPms- zrTML;e6sD#kco*97&Z@`;qRaVFya%$TMM22AR}^9Z9UsR&NX0)$_x(UfA;YgSSWJ^r31#rOh%KWw`Ak)0 z?-pr<3!ABIErrV@%s-8gwD{;>a+G4DO6xi8JQ_D|^$gujc}|gmhA|f9YEc!9@VY2k zxO}+MpTEf50+I^2r65F!uYt!vlQ^5vMJ?V|d36Od9@T=?6i*g{Qgrp@9k;-M2o{yG 
zo*C1QO`Rq8xvK1?N=bt#$oK`2JTJoHxR~^LokoI?5=To)zwd}QKCp1=W+1BF1 z#|w_cL1bEG7~VC(@eJOG!M36wLZbPNoQ@);qD9C>drWwpk5pIOO6)Q7Q&8s8-(SYZ z@MOys=+jj&C!SfQe-28h@KDdfLoARo1WVwR}5P1QxSlmNjPElayd+#K9!XXThboguA z%lw7^+mU$u_^-xln=kba311KwVO7cVX{^>j!Xp)eF^nW8OSJ0=Gj5H zA`Y%ajDBQy7NWFRl#Ezq2c&5roSsikxh_sBqRB84=MAnR-Wn=#$<$sXLwSZ z-yy3@-2ZGP6f8%-&SlQcT369cq$d{=&%oJ1EB1`?s!m zQk32=i%1z^DP4QCaJL$*siVB5Ci)TRJzmd-MJ@5F3^np+iNgLNixxUZUig!*++_us5%F_Z%Au?x zd*7O7gTc}tFH%R&!6a@28&2YEQce{Fs{n2bhf9_zOO|!WKMIRf8-c9!73fll`PT~V zg4Pl8<2AcG9+CMf+ygic%&HkLr#i*jzp4}m=?^=_M41yIc77HtU;oV5Eo zZd!iFeK!EddxfpFb;CG!#bG>h_96U5d@Em*8JD(xthJwE!hVT-!aTJRg!S*2-`5B4 z^4W--m9>v+f0OKUhpMitJ=dMgAE!UYQ^ak_F55m)$N3*Vh`8w{bw4I5`?FiUV!Hvg zemg~PXFs)jTwc-1COrMF`2h?s{dytXhj(B!T|Iv%cSg52qrES-kv-`5}Fd`aaoS#M~mSr+tm?lMyes{N^uPC96{_uLYln6(5gF@c|p? z>OJ?FVE<$V7(jD84WC_~u|Ye>DbNsj?}ne&_gWdY_ilLi%>8_azYW(X?q^K)BK?is zQ~21nyLN-juVj0qK5l7>hhg<*1mLXbwl>;sYxiFKR z>%FvQ(eG?@yw&S*2ztNDXP_8yql@Wdo)7|3e>}^_*sGbWR>Qn=6%M{oU{ZCKtO zvVEOfy!6KSDfa>5FvjHhu*@HlSMEk8b&LjUpo*XEW5VgS%827M)!W>gcin+f{a~;>Pg4qw({JuXG(?vv5vYvj* z>Fdjrpsqw;bf9%?X5(uvpdQ!wtf*w~cGR1V4%|&8&&e)@>}D%%j@Qc-;ac5egvd-% zfhb$uf+KSzi{L7fb1~99XBQflN?wnjT5UAMTW=a0KeXxG-J2&8fegg3{kB46vKujtUVa|N^YgB}(--JZe{mn+AL=^1zU(3J#zYDRNCA%@sx^Ncr z9Yd`oS=GQ5>I5j~4FOut9}Rz=9m(Y3!^%WeKFiln5t>0q*+He~nw7}04|FiC(8gG& z|GA^_XSfLFk;Pgurm!RPO9#@yi*=w)W_F~@&mH{%IjvVOcbKwiUBRTlid87z!it_x zP6&pFst@z}q2mxYBesrO!FIJsH~O=a6{nb46|hs(Mt;Kjmn;T)L~6LK)v%eMm}||0 zjq*Z~clQn*8*AjCttN)K*)J`#0!BUB36*Ya@Da<@Wr$Ff$!F^>Q;_GQdH9hg6DT3oLJsr0w&fa5Cp4;m zJ8_qozsgegLlnQHsbLWZ@qqZFC1J^F-f_blp22-s&Q&}dfIlS*v0E#`rxyJ|vBSxc zKO-Lw5TwypGSaxvY~xayM;Bmc3Ju<=5)Ug7tgpzX#OSX}=TWxcFv*7y7ujLc7FyaL zAx1wA{GFcPY{-ZZmRuEM5|FP*BgV646}+$2vQ2%bSvec?yN#Fl(MBac9crTPgH&B< z&R8s0!k7L0H++DFNPB}lG4f7BOj6{E6dnIRxuFs{ISZ6%W}C{b<^(aR*ibEFw3XXF zWUoLJl}RgMsmYQY_TjltCr=nODb4mNHwyBV_aT5uc=T5~&>;6^+D0YD7vjwum`~vu zWv@XP{ocUS!h_wQOP@y99DV}xDdyL5;H70Ua#|B20NgVr#T=Uyq_%cEXgcU{v6@3< 
z)(bG)ga&J&Rv?pCz~QAA0n_>!+#q;gW~j#PRAM=Ikd$~<1cj_g->(#tr_Fse4#RR_$`}v#!wpgb_;0SYPoVj=)eh zIBVzAZ;+x}h9ug3$jSRe;nd4b3CstpSahSNKASHQJ0R2`NemACxnE03Kuf9v zv5$BHwb(^=+{=+MYsJXy}Fk7aJoPD z`B2K@d-@LgKoZ7lvyCt&weI;tgynTHW9O^#Z z-09nwvH>fA&D_u39CQX3dipJ;34)t`+;!h=9K81Z%;#Q?F5w9KFZp-*Vcp|F-fNuP z-+tc=XUtyTLf7}o4N-!I-Jo+?-yM?a9LM7r>W7hDo%gM^;->D2`^`BfclGo^`-A1q z^X%HoN9C^_UbnJ~IZfL~?`0vkuFuut6lOwSP0q5Nv*oPrk40;ZH&^y5uM4VwJ*gMR zD@*HBp8Yl2@8WzB06=;zq3;q(Z#UnHD^^$ULv&|r zj=n3a(X(-^*51zGPUqCtZOC`Wwx3JZNAqnVNuihXeddhh^EN2n>&EX9wChS+C;z%r zhkgDYpi+qTYu>?Nrux=1rOP{^P0NE~CXd4-@xl8rcdZo0w(%nRR6mQ){pL2GVfdu_ z=bLRN`TbLyQLnR`CH^X(+jM;0`^Y_T{{y)FNQfqMJOzAZ7(TuwTvvsi_;z9;6FWsk zWM^98!ngT)Xn8I)#+;3lpu%CzeLT7=x0zZ#-GlRA0gxdA>w|t#t)kr7kZ-1ghVL z-Eo0ToSgc_SdxW{bFo)9!C5xSA-HSy8~Q8N0fKz5x;Vok7(-4JPsvIsmAovVRh zF^fMcl6RB^kkI=X|Cqy-0Vb>Gm)CVStstpdD_RP%b_1QJZUZe1l0$s;k)8=GC@nr{ z@Q?gpSZP_PU=$RoUv&Z}`OjNm!CS(xJoarHUEpo0A($FhnfD`8K4wb<(PD4-z^Ucl z?Ql*(JhV;%BAGVQ$kp!ffs!Goz$&kwY(HSD4SocjR+W$rFZf%;pnCW_+KLi@q9~L6 zE=)<6St$zWtO!kxFsnRS&hyW>*+)@sRl#Fso|j3U2*9pa!pLJntn_4Ht-{dan)wxB zlNM|-#y%%@($oOT)QyBDcpRB!I(EpW^Q4#(iRKQv)IC)M;pQ?Q`tC}v?iA_@`)5Q% z1I)S|k7X9dV<$S3Oj%!7F63R z#YuvM;!p}-9^A<%vOGmBe=kH2l>GrMEh)|q2l`Z^Aeo0u$*0gj{Vyuhv=-CKKBU~i zzw(MCTIdc*;~(m|N7n@T$Go;I*;HqPF1iva8q1d7AM^o}yb1*-ty{_jq3=YD)8vef z>gV5`K0QSLIZ`Ys%pCL;xm_zG&v5?l@d)^KiMp29=Y zQsNjb`VgpNlZ-ubLKV>RTbAjdWngn^65m5ek~&q3A=g^)EHyeylq`h3+i>0uMu~%E z=tOLqB>y{}m+4WlL%Z+Jh@%TAn=1O?T2D>RT8ztM*?UXSo$wGPvNS91KzQ{LFFUmG z7lxO?SB-EgDSmM+O*yw#8m1fjvnfpx7v~P)MpsbDDUnjZ@=sKu))XVmt;Jk*K#gx3 zw8BU?3WYLoxPOLKj3nSEvMNTI%TE^ppRCJ>daIP623T41&(mr>I|-tzm;#w01(jSY z(BNOLxXl-Ft>|7l{}n&t|S$|NabNKB;Ga z8APa+zpZVUh?vs;GQ$h(`mDd+^q#p|Az%P{Jstxb`*_)Nn%=S*HWJp;^jlhLTukp* zwsV>`Eu$+FD83Fq2a|hkT5R^j4zrgLzsAv@Bv;2{AHTT|ME09@gz=gTjdwM%IZdX= z=ACb0ws%N`;794w0hNSp4W1J*dZ(`gu0Thn#m*ZKx9MwMGpzS7TEL{@G5(b~+t(=S zQkH9s=NIke96urfk9d#oC3EoK_T{14toBP|#O}NC!~)}<#{G*@H}AXj{eJb8RJ&eZ zIp$5B>$U~hE9%s&?O1c$&hy@Nz?0q~xzV|9>J?tM)P4wIciUTy_qR9Wi^*W!;yzTk 
zY!1780eoxG{=4>f1ES;;l#QhZCp3_;g0bhOT$KR;dNm( zQsWV);dR@pyLU6m^j50fn)q##L)Rk8f5hIS^7}j`r-n3-aP!xFBu6H<`aY%55Oh7g z9tV)r0uD-^Y8kqA{3ln0bA6`fQ!}6GopxSiI{*V1;*hdQ1M4XO6{x~-!T(eB^B z2>da?ZHG_9FRE{7rwjQP0Dph{C3bsOd8ze#zhlCqr^0=={Z`CkKIcwv085`P?{f_r z4DeNT>X_Q~wKRax7=Hm=%}%X!o#9hR(9LYAm{bC=e|$!W;|-<7Oep z+J^{)uykq2-U>v@|9(~R1_nb9J#foL$Dz)oNuYI|jt3Vgt8O%~`O4J|lXB*OZ@Rc2 zu#rh0&0a`EW&E~3XX6+kyKr3cBA)W7MRPWevjE1}`}Q4s+!c$96V8JBln%N=UC~c+5c_vK)=p zlsiXDz8Hqb0+Coxy^~ki|BnR{akyiSOcU-U3I>T)dA=K2cYmkVdKT**;``zv+iMbuSGmc+`U?l1ve@Ll>5lkGB zQB#k}vK24F>JI~)V1;ZRriqp=le&*48g?kYg8be;%=1e!0WZ@+mp~G6l?)OpJPQAg zIg3g;B-IYJetHC{6phdcmc)PPnMsV4vqC&It#>Ds)h0*|1=zzyHUW03hnYkq>eO&E zhjWVfE}`8SG*a0~#6d_Ca4#0bn)9$sixx-B8H(1BP=!bFSbIZ0Arb4k&Nd4d;Gpq8 zY86Sae~X=g6ZTokX*k4mR8WQ+@FL9WjDvnY)lD2i*Qt*Gq2e2hL}s~=6RMX+T!}z< z>6QtFq8XMOfb1^Vuru^wb13^7IxLC(g`-z+Rk<4eSH;S*nk3(4W^}ZjYegctDni=^ z%%g)V!@sG(?QZTDJ+2unb61=qKB4G8`h%j#Y?psUO=2iDbvjj*KAabo*x=X#tUMuz z0Zt^kNbq&3)#!Y;gyIt--~G-X6kmmJRBtrzh^X@@H`}aX@5@^bF^cCLn^Au}+T{?C zaYtch=(#4B*#(Rmf4-=SGGljhp(`ATqmp-2+wbpY8 z?7SKv{{H2>t$p038jT*L?)JIq%Flb4P~98^aDX7cGU0RDa*AC&m~QPh_4N(+wC{17 zIr)s<)X(|Y)dyg0-uKhXcl(}3uWmjeA9*ij5$1Hww~XjI+!7$_JEFZ0HEi_rcLFKY z#n~r%U_1^(JN2~e)408-j63xjS76nfE!oge~x?T=i@cZMJ)?}cP&Q}Vq+opYca?P4u+jh!v z)yGNqqAA1I7s53iSj{Wt3*U$^ysSm^{!ff1`^lxbaMIfW?14PDo9ljV>d{pmq57HL%Pv$=l_@0Y;mOm&)9G27k>n*^K=afei0q;r$-qu!L}} z5)V1GQf5%oaP&ORoe2nRGIigg^4`hZm)_GKzrCG0y58uyx2*JS8k0|2r*A@Rzkhrh zwfC7y~zwC;~B(pin$@59OnIq1IppW9nNKr9fb_w`En3Hf(Nei10Zd<(S31}f8YYu+3^ zl*yTZdVK!(vG=zd{6wC1rlEU&-2kA+nB}VN)-H67?q=X&{pX( zN|BSl4T{RshP#L?pNHZtO&KBJIxIR@88CkG%*qby3Yo4W2`Yg=tbV%5;VSlk+-spy z=r*2#k&wsk$O2TrCA|+G&>Q)v9w1NcQYtGsl+|pgWl2X=Fv;VJ=7c4XX1!GB0;~_2 zCg9Gwb`ncQm{q&NS;zPWj-n&15rXo;QCJnjtW|p1{}L5xNvbH5Wupqt2<8nj<^UxqGixY=dMtd-?6?kZ$L&R3qzZR zu_~zjW9a8{tW@dR{^?KCnX!?`SirREYLXx`ECvP8)szU|x2u8C7Z1{4M}Q2wUeAPa z%*jwL)reTu(N9fgFx*M0syMSv9#RlxdbzOU|2=0e31-V(v)u;{R)9NT8&SsRdHo0OV;d;ru_ zV$8aECbY^;!=g!jMA^Q=K$_k-zNkvSR2WRRiq|2(x)A6_ 
zzw+`T*6Ay_Fb>8T(UAnr6{0;EFAd5YYRit6DJy8X39+2rFl;_sqY%ShiGJv6f1yb} zT2fCGmA)B6Py>z$7}K(dU$4kzjw!fDAHO)=yvkM~!aN!zjZh=elEidlb$d0j4>R2W zHW;!~P{Iy-qCYbFsZZ_tcW}E-i|M+T57zOcU7}a09fI0spqNf5PnJs91Gx#n`DQBjjYRf@S!Sq~#<{^*bgLhz6$Y;sL#;L~ z%6xo{{2k*PljZo6A-M-DX4S0#s2mHxV$)Ef{TFe}Fi zS>)Pk&iJ&-j6{!eI1roqLq$VxP$C~dzf2Jz3E9A+EGc4(PNgpOUhp6H+~j>)xB7i>fri5e-WzX=w1Ac2JGlJ4mMA3xT1N?=Ob2sa<|>@ zHjht7Os@#@1OHUc1G?>M&y!TQH6Huuw$V?599|W}pn9R6)@~>0Z_RH@#ZlR}eT7~AwIhB~a;9z>T(0q5U)+8++DT{m++L)H zZv&5RHwSzXyS$dxr3nB#@a$C`K3D$wleX3My99{#^^<=`^uJP#m%Y!YXZ9*t+4$dj zTG_HvRqO$mF%#s|*$=x7v98m6=PRthP1+=PidwEClHteL&7D+pU8i?P!tWERp3F_W zZNG)rkqOVc1yll`i_*sBp8b#LPeejr&-QA<*F!0L9>vd~_d91AXKy(B!wd-QCJoFULvd0k3@3nN#bl`*v#a}PT;0dzbnpI|pVzLt_o%JzuA%etrOEXw zU>q~1eUi7s?}#udRgL2rahbll3sCeab{CNQXt%J$YuDJQPP*jh9>V()#J6IyCHuVD zIY|;ry2YQP!Tw0p9ME_DS<3v?A^v`m+-kAucRjqs^r1NPs4Z13EAMkT40)|@DhU9N z*Bu|*yxe{Q9Y27f=Kw|{GhnX0g-`lhu3$<9z$@P>z7`nogOCW1fQpU&7Wl}I^~=u; z*lKV5iO46rp*Wk{^AHOQs}3Y#ei&E)ip+0dl!l$9p~bDSgjxKE+lYga3NGhm3u$sv zV4d9~_jMOyB`$+gY{uhcyNQ}Nu9|_@YWaN{8~U2V*-)e-f~5y5_gG4rUJw&u5%BI|Dql}YZxT9caGPb#X}?6=}v z)!#=SHHW}G$|1~cB2kOZs*F8)6Diocc+FH^wvHuIY(HYX zTz$W2BEHJ(G-;y+Wt3~H5>uuZ&rC&?=EXH&5x3)d0PWzNK<}WqClEp_9O6x(r8umJ z@PQ>bB2GmPpQYLd5j{OYfSqDeq5N=2WO>e|X5AExor3b^PuXrzi+*at(u34NB%F1$ zn2)ZltAO}JNjj|{qGXlQK!YJMaws~SAT>`wMYzZoE~2Y$U?R(G)o&ca^k4o5X;&ht zDqX3=g^JSEYjN{ZvbAY)$0DUf_g zYqJh?Hyj!Uu8j|d?ZJibUz{Y9OcI49BC@e2oA|yX7loEsbxIv%vL07uE9_*8_FP0c zPie~uc}a94h{5fC{N^QW&IP8ngAgfH%MgiYR^G6lvr%(J_g&qnY}F5(jD)FM+w#q- zXJym2Q0GDn5)jlOGwBRQw(zTDi^Qpw883N@-OUkciBffTBcvZS zgs?$cbeZ-e8*Nae&NzD2fu^QjM4#rL@}d*qx$3~g&!R8!aLcpGWgsmav1GDMH$B=) zUns5ouRnSvg`ShpKUtW2LYt!{s8SlTs%A0HA-+~DV#kPOni7P|br4TQEaNOne>R(( zkn^JVuE(ului?4SbODm&?i+uB76E&i;c4rjXj>(5*zt8ev;3+GjaC&B6|} zpva7dEbd5EOjE!U5B>2_UI88u?~n3_IMA;XBBn8@Wm$$fJzm$o-7q`$hBjEe0|Ux+ z(FWxp->y)zUKexPm4?zllya70LeSqCnwsH_Gb1Wdk)vYZC$DfUgfE3SOj>pEu3b`b zf?N@&Y*A@~7S-5og%bFL+yX6jGUHG4y@@gd1l@(w2426cB*t|+6}-t4V>*tUEfW`m 
z)s}4P6VWWofWS#3=07Y!68}4Zgi$}alV}sZf+nhfzWDp|U-u`_GkLA6rRDdjI>r9v^K9sK-GCQjUq?Kj)9dS}cB+q8q;ahrU+03LcW>(xFNMAw-b10eU(dAc!o}CrMOWq5 z=9lve^)mtMdxd(@qgXGu%`#am<+u3AlbsKIsD#&lANM@I0^SYw;f77{MXU+%zNMeP z)5J3HoN?Z68axe(Z@WI1h9 z&FG`rkCW%dR(j^=0`2W}7DWBS?Vn8ARUeV-yTUP`4x;J{x;$Hn! zegSS?CbURd5hBwLLVAOjhJ$;OHx{eJxMJOzZ{4DUrPM^8NZ0WiP;oHk)l!(CiFm$B zl3t6mkEcuU+bC&f7`j3{C(E>9RU3(RF{d zjoL}PBesZZmC_hi8YtAMVqdaz#)QPC#SWqb=Cet{lw-)jud|~j8z{09aMN_Z#_gvW zD|{xb-XKa}MqBPxLwt)k`m)18r4poN%KG%+3Na!$u}$Q|N*K8!vKGF*I5!we=uL?8 zx~)39rPZd)xp%cn%|nouFh>1Z04NFr>Tr_bt!AKvdg8%9`1joh7k3dFb~RCZ|Ci4S zUaNN3dJSsD@OUmsTtN+DnsO;@a^)!4$H{;Y%p%IH3|O z*zpy}3+Jd>-^q0lyyUkaIITn}fmMqHt_#;P6Y-$YpQ$`0Dphj79U$y<5g>GQN0BtL zQwnGk!q+l#q+J_mRj{#S!_Xh0XNqV`B^L{Mgx+*wFM}3+>gSc-4!tVO-PiamP3qtJ z9&M?#t5!kM1kb>QoI18ecds5EKz<>LMf=o-cz2OwRMBTj_y>;@tEhl~H%2V_MwjkK zjKYHrCIl-4X)x2uI~7Kyr_Wds%ygS2(*v#S)Czs6}FeNY!MJil+wtVSRWNba>5g zB_+jtJ_-0t({{omMf(}F2ngiP&wBg1jA3kvdLva`)PKVw#3O(EN$rN=dvjYxWINJk z>r7D3_8V|$-rDd?tg7?ZEEhEv#X7)A25MyBvMW@x()xy=Wkj4O?2db%fJDPO@An_2 zkKw?iw50pwPjjyT-!Z@$Y$qYojiyG?3*685?tlG|R+`4FQgpI+b>zkYf7k`*rk+{L zCk(jePb7a-LLzOUN^p<3;){;ufzFk`fDz6quw(s2FR{d~%CwQM5Tlzc`rSMRUezj4 zvpj%DwR{Z{)RT1OA6$S1)@|Nw?WpDoN}>tdFkU zthr7f6MG1l@sKie%fc|%okJRqG!g`?wuww}oiiiQIgC#5;yBVLH$+ut9JU8N{D*e&4J2 zh4DmQ{^Fqzb)CVKx96iJ$o8>)8EAQ0y&!zKTU;s>N!MEP+WA@xd)0Mb?XH)4S^Ob_d$!8_B^v;{9d2pv!;=NXB@-ER{-tIfE=X$=x68WF%&Q7md$GFmX_n`m%O^B zm$$XHANuZ8*ixr^^n8Bzo%1na$NS+6Ii|hOxWEq>4wQ|GOd^Z6%Y z4S(2oD9zcd*X!E0^ePLQA<6H4v-DP5U1N77^TP4AYg=WTDOLX>hE+c#8lJo|?K;c% zVfHM7U6OH(# zjd<9-^ZL_m6WyKnZ2uj&{{nDn|J^wAHAoi)WVvx^fix6U4%okITR#d=YDlYUH0wl-ZIXeo zACNRvunU%A_w-0eD4lMI=osd*;h0K!mNs_t9HGsGeh_A4s%# z*=WmH`6d62WaRg2x zyWuEa=#*5li@Su!32)I+`-NK6O=6rDg9lTKD$tk5R9A7H$qxt-4Lwu@M*bAIL(87Z z)SUp^yx>a;1kE?DMP;a3cEI%u`Z9_E0EQ-Q8Ksy5=kQxcvu zG2=->%^GIR&ma>EFHDX+mqfcws~smpHw;YjCxkTp8t-X6_H0kEQ&Rug&9q?U96h5q|}HfDlN(X z+mm643HX;*^6aAB{0b=77xDj`NVC$%&KC;vZ8eN%W{;ks_pG-_1ia;+{uuq<7%S}%s7Dz_>ym~HjE#`H 
zHnf~=p>=z|N{q4Jr*gzfCzRhbry&bHS+AfHeI2CHNpGB!H=kbhA%X?wC}QPz=*f(z*Qt_EHi>0E4|GY8v%hu zxVk!}vOWKh{)a5OxqYK=x z+ZAkD9}R-!W`qy3uKg7vSG-P^Ap$+_lrvjmrW8+#^z7dG6Iy>0^{6y{22z+!KmaB( zJdv;D=nhS_PtIQjN+S7puz}#^8@UogeJ1sKj)Yn7Z2ShbSxSjc;EYaw()W=x(|-Nl zRGBUq3;9}t1sK5#6sK>nR!Q{6yO@xX&;cU;xS3RGi0UJG7^5+E%)LGN;J+uYrQ!Tp ztCv!-`7kght?ctCemCGtU7S+H&*-tU``x;i&sHHR2FwsOesm~Y{Va<|ZzbuGhwS(k zt+-f_V13g;F^vv6$uS*qKk?rJs``?Fw26H&cI$!9P7$)N(=JQg_Fj%(WHWpb`4r;c zcW^IAZPaf_|47A9MdkJ+-=+)itJWXft%jlNTsmKlCb_#l?$NsM<#SPweIDk!vchrjJ&l~{{FPs46t)OijnO3 z(6QY9dw1EcT|aKT%-6Nbkfr7_u6XtOyOF(pg4&@+Vz~PDQ)sAp3$$WhP6X5WCT!D6 zaXis=`xw6LeG*3y(Ky_oMFl zKD_r23(IA@-S2FEHftMLdTjkUM!&luE55jCPghy9Z#2CAx;9!pRoJ+5thX7pN+-LU zohs9J6xJ?VM7skkAVjGu<21>vt7BYm3f^6ulKAZBnN^u>BjK8}e_y|CPo%B4SY=vf zab9oK+e+)y*jlV3A$_*`Tv3)IPhZuZqm8@X`_!HdKZAyEePYi+P(m|OA0V!whKMVApeX5N=^{Vxz~cOVcVJP12n1U5EhsP8ShR9G)wCV=A!8|xhjP!00B`Mis#%s!rxx(g^nU?D ze+hE&z0-JuwaTD4%#@G_He)swa6>(~NQ!7T)8;HG^1rd%-bo8!=4b@zp>H|jjcR}w zH#ES9>W`Jc?-Rn1qnyDVmu6oAB0`FkgwkKoNe~0SWTa@`49asxR8LM4s1j&#U)CrI zT27e;Y=u9q2caE)(B`W}F+zi(At|6a#|aWwNgpY^r4Y@oBJMG2Gtn{vNzr4*n}2;)c+Yi5`Cpd^y+7v*FEiB-*`MSrs4s|05R&QVg0 z9y<4rkLO!V!Fza>T14WnMh|@_hSyWOeH2V1!rM1l$aqMN{bpQ;BJpaGBE=FQWKXJI?r<`} z^oK@$SfMp2U+VV;Y5{3dMVjUD?0@-b zA_2enjDczY>9n_kFVQR<7*ciTXCZ~{n$(<5KbMUT-upUZtNIyNde)VRpUD8US zkfzC#=OgA)o>Q8@YvV4iJ=XO5UZT$^hSL!#@E}gi(P;{Csn7l7uqmm1E#WT|UqN}{ z;gb?E=#(*{P9{opDe7s_jBX1n=>ub z^$>oC^#oI1fn}0vs9=**7}}4;NHuCQTo4aN(~uuLMS-O=p9}m3K{3xapuVcs8!Io| z!~!`wl4NM$$$XMDg!xTaT&pTiY@VKtvQ$lxk-l$E!hPqF@)8|WYK8y2fcEnrm)`hL z2y>o6D^6j(c3yTFWxWZa?>a1>#T^Z!jd*+(qt)#xQ%W8qyXsY|(CofLLBHwf?TUDF zZPX$S^ixXy-67&ZGDJ%(I4Sp>bfIXvVQO`(6d}?F>?P8j0yD7=mL&SHju;YK27np^3|F?kNp~GTUNKXOG?*LD_uLE-Y*3ReE*CGoOK#UzF z0P_L)0sa0(KFj&j@UCO%Y0#Jpq+j zW?k>=j~nOFj=dP{ycd)2SFUd<+F5qE=k%Rty{+6ysXjx|$)I(TUD#J7rX!|wK^d{?D5H5FVV9GNh;6H|{W1)c$E2IgaFG0c$^T&c5rTW0AQ%%#P{vdF3%`T>5F_nGP@nRwNe~X6s6MxutkL z=9lYuem(#*Fia7$zpJ{srmqeT1BfYA#-=_+icY@y%%th#&x6Rhr#=;qw_kh 
z-kDpLs+Z4inJ4pZ$IsBrw5-`3ojSv+-Y%fZt4Z8Tf18%6p6j!YyCtV{-6p!%<9iuW zzKy3|2>MsE#KYv(v(5NzpXWgKYChL#r}j_$hq86A`kKdhqHPe-Fz8PWX#K0VY78ac z64e&noPKFsMj}EyKY}iH!mmMOUPnN{wjfA-CMLw6Tqx7q2y4k_A@G)no4Q%DHCMrc ziX7hD;~N;ecw6x8#&_vC38J{tk(v>a)^V28H5MweajOk{eYHlM+@|DIWXxz3H2Uoc z(geud0IH*Mv7Nv219Yb=XO120;Yeom@NjW z{9sYcuY-wz2*y}sD{vgvW{W9Wty6232+%nARUo^xBd;FRAH`xP@u=1ME$&q*8YxJL zSwPxhTYv1Ef*ZJ`xWq-iRIS?Sa=|H5S*&motF%XH&jGd`r!g*ppE_Js!ZRR_>^!WFH99L?PrCI zEHiLV4@U;*cN+Hw;&>zmVs0{o6G$+oYun>ebRv!SeXF-+y&#&gxnd;0R znD74s(jEfl`Yu5I$%2zh;jC2lVC=j>2CTF<02pJl!r{U)|aMTC5{opgdgV?*K)v5WX z@1J4cqxbMHnY+@Eb9s|i{$i&27T-!*>UW@2jzGuVGRC@~xeBeIH;^RE_A35uAlK@5+;hwv=GRGyM&L&yGL z$DK2u!gnZI5EHAk+X!BeTAPwAGUfjl#U@Syrv&XtACK?H8T=dC495~dnmW{Iy>_HG zK4EQKPG?1Vmn#uJB%ve;4#AnlTq6^l!)Cy}3BILN1Nvx1MRH+pqIR;b==~qFZYMuJe*%?|1Gx1{3xipY#V7q2fB`$B2W1TB2+)SAAuzd>!8cLOIdBZMLa|v&+c^DDT4czrr~VQXHmSY+g{^l{O;L$ z?yWN-kC=}2M@hozFubB{skd+fPW+8l@5`d?to!$C;Mx0ZAQqyD`8#fTmD@~iI*6^~ zpeZ^_H_E%peU#`p>t!WY?6g9+D@OfjmqOyM-{&(%n-ROy>pW@y{kiS#k*KQaMdvz3 zlee+cdBy&iZ-uMSZiOxX$U7Z`!u9F9ix$1*q+K=(8ZYz6uW?8biqP5I>-}WlZRF&8 z2GaQq*!rvtTB48mM{i$kICpi7w|`#qK3u_>X1g7W%+(=v)at%p4y%w~&ypXd#It!< z-hH$W()qcy>vT@-9a}j)WhDaWv$*v-$%s}z?9Vcpx1N&te3o4+Czn8*5Z4$W=iM)* z6mGZrXCoc!+m%DQ|7vr`gNJ|Emilqg&RM5U=fN$V3t08G!>N-b0JxYnVGQuO8B52~ z%`Zq~;}q!HLEii3d9(k#-Fi|TN;kVE3eC4hy^!3LvFLATx3|(M(ZA`RuB-JNhBrf3 z4Tw$kx#v#y@i|4?y2tE(wy1Xc`vRPkwgq%Ck=^0Lk4%4=L+k1q`YuoDj z`RUQYS6(Ko#?5L5U!Qv&9F$(szzRJ06D;z2hx@RJqysGPuIyUB8jgP6=KbRTZ)<%< zC|+A$#C2abJp)_1;S6@m5RCnY2#c@MH;-1LuR+oKAkt-!_1j?T3&<&gVINQwggenZ zIu-!R{hNO6Di@NU!|%)^}n0t0We8~z}*=^^&xLev$t z8^YwIr3$AdIF>Eai^GaHA9~aG%rZthV$Yvz_;F@l@$wx<;o%BEY2dKq;%gl=+EWiz zs(?{n3PzpQLAE4Djha|4_?1JzgHx>kbC4i2#Sm=~WrVFf5fG7B=fXsy3d zf$@`ZCtnQZn59=RJpSkQ)SDq7>Ve$6b@i{BZ>4~s8BAx%hM_3<(L&H8{8Ch)pqA;4 z0tM$U2tDZxy-NkT%Va~5(vaF%QLEZTymgpFc>KX2HF-jn31Lp6?{^Q&6t(t0oJ38O zXJ7!8VELXm80S7_DF*kUe}&^%%c<-ARGs_$G#F58Qqp$J+s__vIV74;10ACiv>~O^ za?K&-6YjoS#Xz7o;;$6rzUm-cLB{7u!G8XTRQ3BA!BJPGf~MAWEoPrk57*gbTBkj8 
zfi53bVYo>O?k?Si?>*5!U7-n+Zg4>^#I8d`9fBf z2))F(X)`Z#$T#WV7D)e^uZN&`YG7AU5GF5P&h&%;x`IBn%0NAiuC+u>!7M4=sC6{S zT3qPb_~c7g4P#yMFD8JCpPB?*5T=ukA~z6KBIwOcZ`JDCNAf?0giQ~VqtxTp|* zr>%VlZ};hS7?yUO*ighwy*hy(v0erP;r{~mMJlyrqT%J{2ugTmf8i$2Tq9%p_VZsqxq9#BTNViQ!#tN&Fy%y%2y$W z`VA*@3mdh7rO_h5`P(;X{+v5>m!(5^m%#r39OvumfttHCLVo}!n09>LWbN+07UDm+ z|5=E`6+oh9OodQ`g>@O<)dosJsP?2JWw_JkP4V4WDo9sZM5M|8UCSn{2o8#P|L$Qn z&s`>OXyVitEy8KZiZ!=mlCzgAEz#+PL8YOLpv;q+NZWgUTh$_Oz=*PSh*B2F!8@CSk=4rTllGd1xlq>OMYNEX8WITwLn` zlZaBaDY|BD%4I@gG<Lpf zCvHqOYPdu{k$8Se#eRDpNpEhojRQFpafn;`yBL z*O1X2OPa%0%4M1?5Ut<*F2murd5J<2N*?qpcVA8P>dsq+PU%gHY&A<~OuH35r)5bZ zOoIkeNP41|(y;e@Pz3M7_tmKV8j~q4!i2!%qTgcl&p}O`wTXd1F?u5GKVgMsdk7J1 z4Vz_ts}8RJUv0%ab>Cf1@;lUr?9;Re*snUrcM9;hO5=Vw{|}#v|I7La8;B3|2Ze+9 zx4}RH$jI4jF#o!8Kp*Z;v(-47x@w-cQxMe-RKV3|kX>eEReIvG3}=x;zvZPQ!>9Fo zFMCtp)%LFGK~X2%y=pbc!yAaOeC1`aYQ7OL<@GkVJqz%##xNT{lzn~O`Fz|;zdvBe zF88W_KGF8Dw%_tP&w2rV#=CGI>(ogE4ovGd?L9wj8G^Kz(z&nw9*^?b32HZQVlFht zv%9YOiaUh2J9^)@-He`xZ9bw4rwZsN34}L-2+|{EHr*zjZ2qdQKy;r4g)ENH?sk8? 
zHF9nPEbeJ7*cX7VpBNrm9(%X4;|^0vXC9Xi#mX-4o4O!2OaJpuDjky_E|qpY7+8)v z8kb6qN!6VW50XNU?55pa`xM)>+na9N?XNq{uY+7Et7dy|mx^~o+7dOG`^tEu^3%D&qWspUq~U147T-H@UxdUHY_)S-)@5b*}&}8p~Zum!G+Sxy$PwoxZ$wC;FOG3W&Og zAFs(-Y}>$I)bnro`%iD5>mRhAuF)r^!B=;{sq^fI5t}!M%*w2e!uBLa%?;46hxg|e zO(M_!!N5k#V4J6O%V*b&wV#jl3&>^CKB8Kb4Nl{oB63t>#V3 z`#8q7E69Jp(ZgH${c3w^+icu{aA(=|EFTDx{{XpvLcdkNfVMxN(?UVIf8I%finN7z zeWn{3z{$sKHG^D8x*#VQI|dy+yae0Q*T-#VeA- zq$FW)gAANKd#JdavkVms+t>-v8+Ez|QvUD?1?uti4AC#f*W3N7>HRH!9x0W_V7gYQ zrHhZ9Pr7wai9;Na4<^oTSQO;K)gs%0`54@|n66!Uj6R80iZ<-~O!8Xh6Zz)th{2q%sI&-$66!P}3<7<#z4wJ0 zg+;*mf6^7cXOj5F?BDgw29=gwv>2*6;VbO)Bncu_u(2|Y+Nq&i)pO=?(BYW$#p1ku z+VJEwZHMs#@~If~O}g4QXHpjHHO z%6z^-pQB|;_2FB-_qgwxZzvf>R3f7v3u+W!x+u!S zh|(r&=ZHF*rYZDLZ@^Dx9^^ynj-{V4kxvb1yUHz0lsW%q9)b(u2OUD8*er%R+j5+G zqJ+Z}i*{Kz-@XUzt&}kO3x1bs5rjpQ>qx+IV9^mz4N+98TV$x`Nl|M7t)FB+`_w}R zMSDZlg0?jXKW2RT{^L0^_xBzNq@M5wAjNF?^5F%mH|%MU{992-;Gkwju^_^|EEcjU zEPzDCM9=EBL>5T6AXqC?N@KEWM8kf8&QsP~OiW-B`T;hgUkDCm*}2l>hiKO4N1qdi z8ezFdJnACaBGgk9?~jYtgp7KrpRZN?%PYgm{LqSXf)*nuN=nEwXurq4RET2e00t5N zZ=67zSby(?8uK}hN5UM+x)DL%yi_O(se57@&!^mq!w@7|&5E7Lw{nG&^9q%SwF;qQ zIMm1jv{Q4K0~nH+3!T;eL&l{gdo_ihD@xEJ=PDtC2t!xjz^T3m{Zf}-f{lf7+=$IM zHMEE@$xVuY$4SNb>+?PSFfM({ZKMVL^&eEyf)v6P8bv(#cd7}>dCYMvzA6wI%KZ2% z^GEQR=LNu1YSI1SCLY+ICOE}}Kg@QLTc}4iPVH^tS(Nev7M+I%2Bo9AJyBtWfEwJ2 zd@Rxv8|zZ3N)5k!(&&$Pd0JqR=6+0uw?Y-$*uS-Nr8RQ@cMM|TT&vcTLWj|znf-Eq zBjW|VTCFUYp0;HBJEoANdq+{sA3qGtOMk}GJT6N0AsTy>xYr`e6{K4};IS@Dt-H=6 zTox1}%MV#1tmOX4)9;+A+K)0sMP23(Lg1m77X6ue*xIE~qT&wApOo&!N?RUpg7u4X zp$@arJv8=I)c>d760b&CSZji+xgZAVb{v{BRoOtE$io;$Rv9@zuCF2n8G_-_$_d*V z{8!R@UZ~^=e;P|3r65%X3e_{!D)^*h{3pNIF^U42ewjZT2@jq3Awp&l#a7U2u{r9{afANh*58(^RH z5rg@Yi!RZlJLBX1)=seX+3Gy3`;Z*<;{PVml(gmLe^YY@8}{_Hzn)oR=$)$Q?Q&wc ziFV9~rnkA%laAZHaSV-Rb9W_Pxl`25&^oSLew=APbt+4P*L_<&xz&0)qnv!9?J)9K zm>+Nz*4+KLQr`VB=tpHr&@s8c{XTmAve}YT;R&?wXE&uk%&Vxw^{W(A3vyT9m(>ngPpDY$@CUa zGRtGDA~?ItvXLlDyVHG3L$);?gUE|sHoN__^gP332WiO(sOEYUsLA%aYna~Qxak&5 
zueYrADECl%Tc5u9I1$IK8J&sEH{zq}1F^j`;S$C9{QU6g&<60f?38ZmFo_rXVmQ}d zl)a$ZPEFEzuRr#8gR9cnO`f|r`$;DA0WVprUeD`0cL&tm68qD_p9#6VJN8PE9AyAJ zAFnjWp2q+v$mfIMCEly(52pn>=<4ph@$?U;%w$l-)t@c*Ugh*H`*WnND(jb_#}@*- z>#p=?z?tZ?g5*sE!KAW^U*1yecv2_)wJI90E@QU?$Q8BzehRw^Gr%+?E%~- zHUD&7x65c4qCJ1z=k3kAb<-P6>dWng9MnUn$p^4)+`I-%^Oe^M-h?m92>W!*w~j2f zZ>z37stW%d{R!xJzVbiLviLM_Z>;8sa`!5v0Gxq{20_)FAn5c_&}-Wo)-BO=hS^gy zJ%}nv`A6dFgX10*-Brp+IW>ktd~cs36{3|DDyI zqQ}}9RypKes1EV5EnmY|HT}{`){atzrbo-;?Ih|;P4?N6jva9(4>cjqt3@`Su^SIN z2R%j?Ah{Fvk3%N1?=EKy&zU1M^Mkm=jA@WWqm|-KZrYwJKOlU-hEAE?wOmIskf4HJ z%2fIf!)5ZFH2^=-(uQrcF`u4y>}iH+Oa4AV5eqiGG{&fHD15U;I!D<@IN@DG<2rBf z>y*af-3X#M2f>JC&oT;(JFTg)iX&a11SoOn4j3$2sY_KdmPHun&9Kjm(3^;nin%rE zPO;Q?B44nB)8k9pR10D9mSbUb*5%$qvHju)S1Y;wz1U}%f3Zx{ZJA1)zV{1`bp<}| zI|PGSZV>!8n|0B4I}_3YV=BluX+VW)nMOJOE?4k_(Yht4g~%;R(%9|4LI>6=oj6w~ zvBb~{$wOMOWc;YRRldn&oOTu26*Ki?-dLu&SQfi9vMtO{5hD4!K+4v?h2Mqe{^m`& zv?N(2c&O7M{qDqtSaLwi7h&VNd$_ZRyg-J#?O8ZGr9Zwur6wy{@f;5G2m?XL}WhvZSvE>_UWC?Hs^S@A0McH(WXdF5+; zYxxhMS>iLhf<}IpQg(I8$3j8X(g2x+ ztGe(0%CM08$g~yDAAN3HJ0|IvLRL;wq$jbVwRB@m7@~wM}mVGLb5RYqjcwTP^$>ljt9pZ5wrBlu>WmA%vkPIs-F=Aj~Z4FFezfhgQw*kf&Zc1&PNE}`A<6r z`a>*#LqONIbd~s_+(2>uzR|Bw8p5zWO@dtu#f*!^U@ziFFj;|;)Jc}Sty`d$+piP^ z@}Bx8#tL@+7UPmmuKjiVBbvPOeb@HBBj$o}aK6eF*DAVk!=^rH+_Jxpyzv4ar|#>+ zg8c;qW3-K%TIE!6X3$Ss;#2=DloG~+Mt?`5>P;QIPx#KlV^99KfUbgi$X_ELvQyu? 
zyW^h3L9O;n2ph}S0P63gFbRE%C&xELce)?YK&Tg_AN^)w1GngRke|nO_t&dcZqJ+V zmp%`T*VgX~D8bn`6L-MEW`gEE^>zXk?=w24W&+1adRqSE52N_^S_fQi!ftQNCFteu z+P;d`ZujR~?t9UTFGf_RX7z^WtuYc>*4z4CIZ?-G#iq>LWq4@*v6QpU(^>si&vr+8 z`eUaq-^~giv_96RmgT=^!p?CO4;_bIS=o-e(aWV3Q&mfZ!;Z#dfLCwDx~j*wvy1M% zk1+*W-X~Jmh1C0Lueauz!A&6*F6Zs3*nEVp=Z}kP(p9p9_bM%5%|aD`Pb$$yP0;(3 zJC%+>Q)uliwy|qoYwx3y-s_#+bVHVOP??_i=6z7*NN*3IvH`4YY07Pzl02^fekC{> zrKRuGAM6IHW;EkK46o-jQy%iTP~^vj@7nu4}_)p7vkwBN>%9v~Uj3 zoW~LBmOSQ}c8_n%84ju*(4Pa6*I~)&UR#liOAKhw3@$IFwgeo{SToG&L|(UW*Yx)* z3gx;tM;`B4jnnz69NfA$Z=Kz@Nz+yDBhI!{tBzdz9;2ExW7-Wb#vYyb>t3qcp67;N zzcIGE`m@I-yt-T)RtGD)bK!3(5l`!bO)_M+uG{_oOk=hg9Vowl>($%%kDo$Cq#!CQcfdcWWK+*z>3X_};{mX01jWq%Ye zfMV5e*N*}7LPmvZ3cMWEm{^NGY2kZ-M){$<_Kr1lmhE3i`Ajh*hjITP-gUHNDVjB9 zj8ogh+mDbNfjqs+6 zPRnc=_2pUo?fHUQgdE4V8Z*?{Z_}nd0A}WJiQP`Q4C7> zkSd8%p0ds8bgLV~@dcV7Z^ei)%*>&#G1RoNk40aqH0C0aK$h=O&J39&RG-)^kMp9UaA>w^R`71 zTVJOUOEe2BA$?H;UB>h-V~mt*9vcDQTR}f#z-ZtcBLUVx*O#&o{{oCAZ{^b-7%zVl zaO7;qt~kPCsWItTW6y%?NCh=3#$Cb$Zn?TAJTV}nI&+p;TTVJQL!eP>$WKR$@Panx z8y28Ui?LRsA=e-C_%;|sCMeI4Ek!2Wf0L;KQLkKlMPi}KL>ypYDV9%Q8dnPc#h;>6 z#*0$Z9bHwUtZ0q&WjK;Z(=pfJi#XtzTePyzIcBLog7ROXU*lXd3sq-aM$Wf_qON_d zigHfptxC4(a0m~r*Au3`>m@61#gF%P!8 zE0@ZoAj7vU(B8K~d-G~h&ma6J*rH9SMjZ{#Kj=t&R*kh)$t91`8AT>J_PY=wHzHIC z!XlNTg?hAz7wh)l^316kY+v0WpOipL;J!~4Xx@b>450Wm*j)g^nKnL>K?hicz-YN@ zc)PKXbz*3#0VD5-7hZUWdIctaOZ*5(sZ?C@5DqirvP$@50_2La2nPZ!Gv|799MoC+ zuv5~X{}7;k1>CI3o>1#bu_Vc@_l!c#-AJI8_mJ6N?SG~+FjdIJE`B_C+E>jEd=Og~ zqX~`^_m)7e$Y(-&8E?#{nXnI-<@H&n#a&9)rCFrpe5*xFIGrQaRBnNSp}<=jDU5S$ z7IOY`AJJtxG#o z#2@D+O9si9zX7?3!e1TmY6pz|C4M?x1`;A6dXFAZ$e+FhSbeOnw|QB-W?>>CcwFi; zm?G|Lg{b_vn<0On%`rFGGn%0`IRT6Oj14}8fXG3Mq{l-gO|kDA<1i0OMFC&VM;!E> zsZoTm?uIj&G20N2E=3%D`s8Ao*b$i&h7+LAzWnAHCfP%fJI4^GzM1)8p}h@tzDqtS zV^&N_lhIeYFNYk2(~K*XAsAm`u|N&&Kd8WJN>6{yY^a?83Z7m;oXU20_0xZwV` zUwSFhH2nR<|0^HcRxnaUU9muB2hj8X+@4)Jy#>$kb^zEx{PO_v zC(aM5N9hNmj2<~;vRZ~SK(g()R{KNTG>_L~we6;L!q!8NY7<~mH+r?g$Kxu%TDI$E 
zlRaBG8Q`|eeRcd%X}kIAyW};z+4wwqG}I2|<9dGjIlX#lt-EA~+_Fg9I+&m;PXw@y=-#gb4y|4ZQtR8hCG`?!` zq`~O&nr*2^f4KDDsW_^-d!J_i-<>?};k1nXXq|<0UDh zyV3#s1-#5iSzZNYKiDr-;!KI~7-H3qJ@x489u3l~+&=2o0T0FM$sc>skzYcYtG6$L z^Tq;j+zj$+HnW-YQv2p(bE@UEFtYjm95|l+R?iEZ(rJC(Jnm?jCy6$;X{WUVx<6~x z?vuc!u+sAB}3&Z`G?b06=F@hxT=NE$c=?u?z zo745@3|<$-OTWWUDw$R%U|sh$M$+3PS+cc#fkTF~Non_hOESQ->2)Dm$A9g)wY802 zr@sHmHeSM$c~aYX_n#_DV)B-3w;Y|t=2Z~uf6vZopU{1PRFMC~0H`|83k4Kf2NC}g zkv`wu3WON5!i_hCP1H1hxPPB6UIM+cy&;j8D{%0Ba7Y=E0=HM3&4A8_1g6u}6l)}4(k43Rk*n_6SjbcKppR3k{SgR7ZswX#o<6#{kYnaos zcvazS^6V)XBeV_{ZdH`ga7$m1*Qp}jEKspFF)OiUgK&Gp>y?={M+nxcRvQ^3%cLCY zUjt)Ei-09}2o%Oc6Xi?XtM``6O^gxcn)OZOnghdpM4x(^tWlV37!u2@s{O@62-Ga79uF7#i!c^}}pA97$Iwv%O76ygNj~bQ9zWLAtxH2yxe;w~#Ef^vTtXkGtcFY9kwQEA(wO1mN- zpr#}=^RgwYD%bTWyzU|+8}l8u{Ou%YK>3Q2rEK61h#`Tjv&psW5$UuTylf*X;1a6Z zbo8=ZDLFtLYYASWh!1oCBU^&|H#t%()^I0X!C0HZm%q#`;y~&sYKJVFkT?IYP&hrP zHcyA#jx|2fEk#CEGpyhMOkwFIpjWy(m|`_9okFo}tG|HZ5CFG~GCc9+ogrSu7GnBw zYzPYN@&eY2^-lsmOk>YL@ObWO`b=43;PielgrX8TOt&d4rZQnyX4H721%9U}rO!cr zR_P|uRZ;OYU7FLZ4kQGE`GN*9k|GTT5U1D?eeTUyst|o*O~%QWNefCORO_ckP1`c| zqXCHp<7CB}Id^|z75VXNKhx%7%Lu>`1be>Ie77_f-S=D<#p9w)f|QamP1Rvs7WxUq z-U~u&lxk^-#QhaVCxh$0{zF5{&tTr7a1Xq&tVGd`BN>5oAZid7f{gG`ddQ-4N3FGh z{`PU?JXkALM66J*uFi(^B%w_@Xvb=eNSt3G{%0W}3b__myc`}5R4>2S-%`1;hOjEz zG98}C-a!EEjaN0cNbN0jvX+L8_dvH(bMu39%_XoTX=7iC~maVr;OJmy&O4WIFjUaFeK z4*y!BjE9OgRq#DMv=2%ia+Ahinqksp=PZPfFgrod1*>e<!qlnsPqH-*Yj6`^YH?}UW!YPO7CNH_jVX}cm7%_b*VvXNpHUuy~{oeu# z#`^|Ze?9hjB0_%+0Qr9T6nIe}Y`BaL_j)C_JQ{*lDYG>W{geT_fMTyg&u@n0h$zS* z|2QJ75i6mq?oqNUfTzIw?N?}#;!Cs-=3`pG$EmzN^0&B^BM{kx*58%%#Yb7~*Hb!| zmG|m&zSd)k`sdZIyWm&bi|Q=F?vQ4-UR;2hQ?M~EQkJvZE>$zZaQD+rhIBLYk8X93 z_rsR#U(MqR+&1!CJR8#P*4Z9i&F;WX%^iQ=c{a_9onXyos?9H66FJxCg4ba@VYaHe zN$H~MR*9;j{_gR(O~$83&GQq^YwBuvr`vsRu&&eQNB1Sa+?-YV*i&2gaa35p;bgo@IFBdD zbQhc5&ew#7y1hK!Ri8Z`uKo9vQ~wfvo`16Q=tX0w_;_3sRJlGDNE7K4cRwLrY3nF8 zag%VICUz6N^eI~Ex^Fn&SK#@yE?g(Q?+iE{+dQ{l^AC5_86S5_zMub9x80^?w*;Eo 
zcwKAP7Rs($W0+^Yvuk^#54*r6tG%`W2$Z;9vYfDfxee8=g>71TKgKU?-C>^dSX{_< zKTP?j^Zf>en3g==c!APd9^O@XANF3cth^R#pZQ+)udkg?@LjJft6gtC2z+W6Y4)<6 zZC$cFF7pht)|@Zn`v>VY@^9}H3VEkHJz8GQ0i9(`Eh zaH27v^PuccQ2z_)`Y@Ye4=~^T<*`|A2AUUU*Kl=s+v(oUAVjz47+(O;f`UIqWE_nf zVHq;~$LL5V$_E1>TdhN%__8)=vUdS14={56%JU9O1D~P8Qlp=Kx*DGn(p_Hoo zasGYt8L3UEy9otLI}?WwX|%+#RAWq&E{td-hs-bn?4{$6Cxkf%K>$1z0#z#O;FY

B@r1mWeTLkC0`$2jC}j8aG?OvitOJa|3lwe zNgn#iQA3qj4QkLlSmX^+$+_4;vY{fc*6Lk3zP~-yDsN_d&kxa&l5Q+fovww@)R&qw7FC9QaPY6fg#Ds#=^|^%{&$sFioGy_ zqp?A7L<`4MTNdKsvH?0C)#pnkiZ4UVRERTSM#TZ@&XE2=N`YJ_9Wo7AnY0HU>cW`Q zB-MRp1?X{UT$>qtO$}G;uZsdEdVeTsDlrOYm}(?I5r*iWPr%RQh7>CcIxV zePt8r9#FRskWAL9(-_x5Moy$NWe&MvMTWT%$3ND!?!h4G86+g9_?Fpy4Zy7c0RepV z{J%v{)4`TOaQ&C2Ye?^rTB2GDxkrZYy_hr;QR@p2xOONJ#9;NbOf;K$u?qmb1yoq*N-u~hdGR&@|g%c&Td z4f#z8_gg7?ZBj>l0jdlED^1;FA&x^5A;^$76}1kZ^+;NPipf{34ZJW_KVgzfZZQWZ zm9$;XQqNi12|evwpP;u-N>qVOPnbzv3d4#Lf%8kvV3@8opypH4xYC7Sn1Q z=a@=&GW>kC$T(ZL?COIl(sSbeXc=+7_>I__bcigWNF`yxY4PH_%79d_OqH1WVVVNj z8;a^9l46`rR7G_+X+X^gYwGT0^v{Peb9!U{vcAdnePJUzEo$|HMF-7a!AEO4QM%kH z7G+F0Vgk*nJFK?Sg7kYj9T_&n2TWZKIO%wxchPB4{mXX@p3Zejv)=2OJ(dO04dII8 zaU-#Wmj&|ibZe1_V9r0z^ERT;P%6-+V~=9ADG`|Mt)c3Jn%)`@bup}axLJ#Pwch#S zE_B#~LvLR^^YA}|Fl`8PHzHv_i0$IXS`g>vAc<`3HUi*=?7}ZcWZZ;Tyhl;x=|m)8 zX9U)5plFLR2*a3gav5`SV`rAZOR!fU`z){z!}7?8^Rb}ixe_NH!xvjh&Xq7H4Oh`s zjbiOe*KgtIwM;yy&zGPV1su3M!BXqC$FUtH2QA6V3(s6D^~DxLBlW|6ML8JEFIt98 z7eL43fKqR>|F?kJt#{8}*%?95*g9(K{vG!nAo`h&{=)DI z7-1*=LMe4-si9DX&)|+gT0BsQZswJ$OTEDTOuS~{?7e4u84j;rh-0mr;mNsBQ|9Ul z`x_EjhD9Bd$%R9_jfa&+R?BWvM9(gdEg4zu2kqOteV>NGz9)K!vuAt^l`puMOt!wREH|$MA-yKyWU#v&fEQ@qz?GrtE%({6^=;2e2Uv$Q zrvnA7?A30kTB;-7_aoi zL{zq2V9lain*p?XpPY4f*Lt{b1Go#hw!!CZj_|&Fb74bDN4~;ruCP19gj>3xd(Zzo z{%BV>TQ+2SnG6Sf0ufi_CpJEhJDfZ&g9r$5!Cxz0 zmBY1lY9$&iRI;@5T7OVMWD_&(#0S>(OqLr4xA#1Rt(mUVFvXSSBbH({QPWkKLspvC zs{mf!sE6(Uq3WChD+{+}-Eqh1*mlRZZQHi3)v;~ccE?USwr$&7H~XA(^)lY)Q_WF- z)%ez35BWiE+_xuzUYEc1wQok$V^>=Ij?mcQSQH zg`M)JZeNUly~UGetKm$$Je)}>>3fP=sKOA+U<%H|Jy^*1;o6L%1>$;LW`kTBhZ2?H zJFgUza4C?Pv5-`XHJ)F$YQ?OIRYb}-Ptq2)N-4Hf)RHjM#~%p#snotJ^kowgOVmny zL-6N)4_JhRE`Kx3U87AVpodPiN!7f_F!19RbvQMPn9)tw(o=BW#JVIQnwI?Y-AEP{ zpm_PWVI8T#;wa|_oH?Z~IHQ$>r*Dc)$VU5Y=opmj+RVov*9NVS)6u0=>!Xq#;`}NK zjFVwfjifgP;Vr!Cazf4*31h=7${_==Lw*i`%=<%!%NbZlXKiwnyMra)Sp1aBloYK>MMj6TRzz9g=uXDzPTH&;~#4_y4`2^9j+cy9XjoL3ZDqmqjBEi~31TXeTn7SWo$A1;zM2KS%_n1|$#!e_t 
zf5%GCtwO`K9-PqSvNU?2{RhcAea*n=1O;*wZPBsK7FkR3p9@X2^aI6O9zunn#6teh zVMgrbHMx#;n?;+Y3Wb%y0e>#>#+E4x-}d~Qh2GdV;g)m1@;Cm~U?R4OZw6K{1r|5! zfBg6?U?b(XKLBT;_yj-+HD3R%Cgm6QgJs+e$Hm?7Gz%_0Ubryu!I@g?s=kUom;!gf)GtI=59TP^^d?}2s%61U_0d-6hn>+LE3pe`?k}_13NkF1U`Clq zoQXktE&|>D)*0dy#co`4SAMpgxYmTi6+?e~Ftsz&ZVb4JZ`AvXQpv04Bj6$S9wEQ)8?5o5sRr(&NAt$=yTRHBqzp9#f-<=@QCMLhF}bgo{U2M2JdM9yg51yMbIHD< z^Hq_OebabF(1$g0S@~We zlKD99RmEZC`7iKG(*}_OUF_Jdw;y4&_|B1(E5?fWSD{gSdu6Dow<^{1i-X{kuHI}) zSgH)lc0$OxmNL_}Mcj%c(#>h)haiuJTO}i}N2Kur>2AZv0+poYcGiR@2mYy}zpBxT z)@?_LJ!=$XkB5a)%VveJtL5he^Tq|5_pr--8p`BDL==e+#~uise~Oo&h&3!W<1QFK zx;0LW=s_9ezwjeglM?nKU2p1y}uFjDu9>}9qOG`J&|Gz~pESk6N#gg38 zJo_Tx#0Ky)xk>(I8lB%`4@w*W_5md>0WL;F^T_!D^+x`N7%speiH!O1{UV<8DQ-?@ z8L*CmljVM-|MY(8bWXSJd*rWw(Rh3iG>MPh-8PS_`O|FHM=-EM{hJ8a#7~ z^EcfQ98F|&`CWW@E?>Iyv8S%@^FQ5AySw|or|D-~>35H^&GxzfUEfJO+}?C`IHY|= zNnP)0nay1SoYPa(xJ=z`eWOYOTV9<0B1=LvZ4iS~%9ou}RLUr)1mYjZP4 znCL%Tc6U|*4aPZ-={|lmybVBLYCr>^Kobla~fC4Qm?w+ zB;9LfL}I_6kw{(7qGvP4b!`Ydwn)D6To_ocZ}f8-@3q!>zCIY;bSbx4Jnx$;^%MY= zHO=l{0sqq7Z+r|kS+7@4wm2!a-e3I3zf3ckvu3%T{eUiaY1%C|Rc`xp%XIM?Eo~#N ztBfuS? 
zIh?Xh;hxmz1C0M2$mF)*L8pLEl5(zhN;{-xN zF`O=2WY?X9cp9}~F|u&mR^7%_9q(W}(#BA+NX3CVR709OOYPo|a2bLNDwI-bwdj=D zrC>UqB)Ab+7wZGe&RJaam8+i>Xw5Cmyedm2w!*UlfDJ~%=ATbLT4+5+y;@Z%`xyez zJ&4LRFLlzN4g~hRjDnLLI?5UsJqD9*j6xIpsTafZ%wXp<6c~_y%++v^f)eWzT?HU$ z*#3T1gcu?A!j!2kXS{B}6JC;%Xw`;?fR$(LVpD$z&d;nhvVyk)$+HpAcLKJ?HLO>V zE|ttS$0KZ7b!QSL43U@KS@8@e3B{R6E%drIU`e>J2-+7r`E@5>x=7)v2>QdNhc^&r z*aav}UnYunDhBuYF+hhkVY(6uqS-$6O@Q1QjbOgr)7yB#miuCW9llGgG%V zhAg`Z_;O?zj51&o8KeZx!;>2a(3BQQYB+q_MdHSUVrNApWgWJ3>8VC6%KT7Kk#~}= zIDV8)P@WN=c|b!Un{Rav{B8=JSZZQQHrMIaF7z427iD;iN+f9$sVkxQ_ThubgoZbW zB%f(XQbPOlim|<`%0|w13bL|HU=6lO;*I4C$I&j172}@u`&Cm?*x(g7$MAyGY0ZNa zw$JqQj$k>#s7RrL1MW;eLf;vnC~xJ7QjEq9$0qJ}M!rx0-`K18kpEz>zJKLX#>aV< zo0N<#!4EQJ^M}YTJ6R?K!ij#t?B-!Wn)1ev;OO|y)MW6nU{+LvXS#)3@hn~biemfB zN{MuueIU&kD!{8V-j0MfGk`ON5aU5$g)`AOP3~}@UT1(Y?tBFu7^tVDS$Q=-NF}0q-Lfxlw~ugQk1(+TNn)U5@bJaK#{%Mz#LsTEt-TE&zkS^ zrVX<=8T(17F<9jRsy4d^V`JnfRoUu@icrKjjb!ARhk~`DG&Z{XZ>A{%axR5S5t(89 zg_k)l6x2ZdpB{y@OPS4NP#K);OoIQp@i@}20x z=Zpu&7PWn0Oksvhnpw;1Lu|{EpcJafi7SR|6jd-wBisiM@@B^+6&3omAEB>M-fO+_2x4(JY8kW;Rofp{q3Q#s`{V=roy$DF~HN8)iP4I6|At&vj~!vq?R zUgpOqSr*~_WsXA*3E8h0oD*K31XE$0Fk3Jwr8ozfCuWJhrb?F#p>>Nk;f*`{tkQ4v zAfs6S$@Ce=dNVgUn@6F=5lW&*f(Ba1*2h*NTxA|VpC3{<<26UeP?EeH)L({jOjEG`c|ZGv5@*CDk_hPiu48Sq+dXW$cLR&$FA~x17P0(t$1^gW zdXV&W&FSg}*1UCFp0|YRR%!NA^fxK^lC~{gsl8P^fdiojhT^r)r8qiv<)+7TZHI2# z^36b(_x<0%8=uQA-z#mWL+&I0m4@%g_ireE(W-6U2wx}jqfOi6Pdd-#X+%OdzuT*0 zVE5Ygw9l9Z-4QeVw2>Pr&njr~g!I*SevZiFrQc+_GgV&Im|--lB!Ve>~F-P4;_xu@W~y z85r39+}X|n4g}nvJG*Zm_-8dOYQtz}hA>~N=(U+cxd1Qs zBmJ75`q-JbS6?&^8=i+M)jU`n&x1Tql8ois%6u;!FJ!N2F*HVcSb#_7wcH+wU?}J= zZNB>fXv5dnFEfuAoo>^wP+PZ0Zxlb)v)a}=_uYGpLnl19eNl)2BtC$pj<%6}-&Q}5 z^sZ~3THl9@yDs}&kIn1p6)&IDIcqLwg3gC{b_5RB(a0G4rlZ*0zt08U^s7cg#pvE1 z`;vD-;&vLcJvWq}uGro4@Zgbt(|TDLkYYeww9gJ||Tp9FEe zW_v*O+3ytEK~{j)>(VPCO+7YobJKU+yYRb)RV{y?JJ&i5n2=D5oN?KT9;;|7`y!!< z0L~;JAz0{6tafPxpgi*YNu%1xu~4W!j(~N>(cq4aTasw-pj952S1shCUbihFc_Lc0 zPu?Z2wXEUkx2a5+rK$Z9b$04fuq05f)jvVk3FJ|f!I+WLqC1+W%*bVF(iwz!`-jnH 
zMf=MWKik@|+JsiW5PHMfS|EqQ`f^G`-oqn-;E#ul>wX;Nn`8j}cpSP}n*?NJdbobU zUKv}#FoK4#n9QirO;xOt=MS3lO&cL}6x*guoRkh|1v)Zk3!Q4Y+AO3* zWNpE<>Uo-AgetK%9=a8t)5SG`EJ|bjDS(C)Q+y7GS&>v+Z>3Y8@;?!364Q)|d8MK< z4AjP7!{m5ehpf>fBIBG|gH8L7zNp+-nq!hbo< zTWJO(*omSv>EhNeu|@SkaH_zCVx_R8L3Eo} zQk{5p(TlJGNqHVeiIdSt)+<(B4*JKy%)kJzX{(Zd?L0q`(4KSD7LoRt!Dc3B}X`-1+hfZ%LLxrrCeG3vYs}ITM?cIxTh+t{cY2Zdb zIKV@Fl`#uVaY<&WbE!w{EKM>r11*23^cIt(j{jCzkyxoHK6v5UX2_HifJhdhQo_{@ zqt!&baZr*o$5~9NNXc{%!eQ`AK!g&A4lrH{+sxTv8chh=WwUC*q-sdawo)Xc-5TUD zS`nVpVAfXpbd*W6lu*1W`;l(k!VH>_OqeJkWYDbt+VT!uv0+#S5We+X0ZGa+QPszl z+D557JJVC8%DEEl;j}-IBF~z=@(r+(ts*mL+Ul}sp#``^P1;vQ6y_LNZy<4@`b|g< zqWp&OUi5xIvtmd~6k5(vFV8PBqDdAPDGOjt4>veTrWA7B|&@j zox{XUbx|ctL$uap8GLmS(Rf6Eg(8ciNyyXB?_vzXQVoa_Zu7r{>1W7bGt~lVm}##j z7AMO;y~CK^_k3PE7o~>ea`=kSAHIbq`o6*VEXq36uIH!PxH{`X)Q;-8-fgS zha>}wgWoTRPxjx%E~qczKGa}Y{oJqiFK4Qb$q<~X*002s^Pcxxid-Al6@(4EQ}|l$ zi_(dKo=x*(Xa94#_M@pq#PtG~sgnd8pwkqd_LpPfabmc>jS2tX;p@y9GO5y*am&yc z`OjDS#OF(|aIc@A7pwr;O-2f3FF&>0FM`GW9vSquyA#vgj)y{F_nr*9&W|Sd8721Q zDCrbJwl7j6?974V%{EqmSiPH+-}N*7st0g#Ny9H+yA^P7LeO*5Tl@63lQ40}uLWF7 ze&)HAI0`e4;R5(4$F$4jbm^-8%JY5l77Wi>_sQ0$-#b^gsedn|zjlCX0J9Lcr>?zj zThyMm`TI~ETb#>f+MFEss0pNd-g~RuGJ-|b*R?*spAMW}ITCU1pg2%xll`hbw|8Hs zo&@W*1#;fxC=U$8b``Xveqc6Sb;H&=tzQiLmu5S!%Uw6sc7A2=*j{^?Wajev&KvfK z&~cP{-RL9ovS?h4i2|Qy0vpxVTn;ZYt;1k<0sJ>*<8Bs%+&S(aOqsmy%bLIS{(^dJ z=KSr(RaDeI`vfbxDLBr+j;h($XAwL0B?QA zS)bqEcg6WV2Dh_Kr*-ba@9kDiw=edsYNP0ycZKA8x<3|!TkSa<_j|HCE^6J^6?|;w zKcBbuCYrCgo7yc-#c}XnZ*uH=fd8-&`QI~hw=M}7Kx4biB1QHFBmJE3QYh@YhRW&r zmUK>EwYN8}OH(&DUmOHV=(WZ=tsGxoKBuN?w2;qY>FWia{f~1$PD9^)-aY`>z~hcL z`=3$YoAb4i4<4{QPNn#sEd1)bqPeF7Rv)c#fcsMUF8|Rp1h^qq_lM{ZlG%Rhe2ZnE zf81U`Ra!FUYASZrq?@IIlTkA8=_qs~4x5NRyR-1Gw!RA%2|4$S7LPUoHd%L`Q6 zmO;-*6q%P9p2BQQ2no#eMV3Gn*uKIL4;O+(n_~?-8yywg9=Y8WQC1QRpTzdyR(0#F zkcuR!QolI-rr%;>D8M?3zJC6z5mpiSVj_`4?(<^h&ndGi-$*q%FoB%{qjAMQYqLkNM^~sn!g$Wy6_3 z)!Ys)WeuJo^!ig7NxM>6cN9DYsyOL1D1 z6@Y6**2Q+B5Z#0ux;iyDnewNlR<$P`Xp%XUpINMhUF5B4WbzK-UsSbMq%oH*(|4wg 
zFj#piVL5Ncy6p&~M&riv6E>VsSUyqphlrGu?STx(&)|N$$OezvMaBxqQPt%7^h;<# z{iVKt3Pz+72Sou}M#jo5=Xg2EE(PKs@wrv(ipq2^pEB83tX)q?C@(Qfc4#5c40Hy< zV^eij2`c42-J&a~Dd_t}RVZ}9T!IDQX?3Y43KiRxZh>6Hc?xa+f_)aQF|QP=*NpV9 zA!G20_u?TkU+Zy6xfNLE;?>m0(J9E_8R|fwHYqj zA%5Gck((@s598*an#qfNV=x|x$pRgISW7AN%l`)Dz{1!MFQs;%z-0dlJ@0{NFjs+O zwhrev0j8&(9_4 z+g22aJQ4qsV>0bonqe8p3o+=PN1i){G#DrkLLp~00$0XcDm<6%QX}LjByxu2%~|Oe zxcnNSk+r_Q%DVL#Z5c4#js(+fjAcw#ao8$h*>hkk9|9`_Tih3<^J_0>o_}7 zR(2sQWh@3vvPBS`8H%H6V!Uo;=oGdsAcGA<(niz!rnARRY4#&U-#1fgjTgfbqHc%AKeS zlP$cofviAv6^L;+LN>|{vXUW|F;MJ9??lNei8M;M1hgc$*OX(GPZ-$W9I6(uga!x^ zCc43cj`EjBl|;Hp^Q>T!LMa?J31pgAl(D;;Y#=yjRqtWY&OYPbpvH7zuB5pLYPMwt>al1cTF^ktD8WQJAX{CyAu9E zX~Bn5;174B1{W;KYf7jlb>Y-kqhdpG>CFmt$x1QqAHAJPdyuuydW6C&<^Bw`Lj0qr z)aZQkcl75e@&Z8ym>j-%yEWV}9_>_2pOiNj*nm?Y>RT~ksHyU4O3KqaXIV&EcQnh7 zloaKtb!pWdQd^EhQ0s~R7dZik{#lESIkt0O44ilXy!@A_KBFwX&OcxCqsB0DgcHGi zp?yH*5`2ahVIdd(`Z#|Aavr>35a<~n^2YLbzdE;lPHSDcJS{AgKmP@;)Nks#P8Gz` zy-PTDu+mZM1K!N&H(Z{1>8l=Y{0TmIE(nhoS~o7!z7IFruJZSASRYbIALo2k_%2ev ze=71ll%rgAo8`Y-KjXrT{_C(dQ5(YOI++7(;On1#>HsgN&i1&s+?=1{b@6#mLtqj3 z(zpDkjoCJQAM!<8|^wf zfiLu5^=`j>^CI}HFBQ4(7VcAgos*T%*t?$Go(Dd($1}xqoR^p~0G8)%T8*!2C{A*ca7y0A;S{bGJ9L>3xwbyEF8h(|xwj`x^TdwW;ZKR}ibO`5F5<Us9S^V2yqVY(8SbTkAA2)LFmzxd0k zQWu>|5LPW{JRSe>7cs4*rQ#I5LJqDYIu0Kz_?IRLq#Dr=ZDc;CGp*_rOiWo}QYQEzHz_p*yd=DK zQpZ3(T*lr!&WT&MHl(n2MiQyC~l$g|E{K-iKz!9 z2~rmx5Bn1SdRIgrp-AU5WG!S_nPHac7J&0jIVR~YZeb$cn&_jU!eCM(NyL9{qC}0gwQzZaZMIjyZ3m;x|YaF4t>qP4fIvO_1I1*xvauaGU9XEq{+Qejmd<2I;XnOg90n1N?ypS5|{?97%cbn*)LCx^U95;5|#k@srN zmDhY}S4!6Eu2Y%3T>xzw3M*Rz8=gikl#MMR%}sg;SbE;W$`}x7{sijIMOfBUqs!K1Cx!Td zl|tojP5pI)o(n_|N}4V`7_|GotokeHYdPk)BG5eKn(!7Wv^BVj#LJA86lxzK)u3x z$LWaV&iFS$#bMo|1I1#2p;8ArkGhRxmQ|w}SiKB*U;gC3R{=)j2|PNnOQtps5ULvf zilaY_wyK#S<)VzcR#Gxe!|HuBVyA;yTfsjNs!y;Go3t=_?~;n~Pdf{$#1S1)S*xK^ zX0^P!(6aTS@)QCY{JV6HHCL1;L~j8(uLVky5sJt$%WQ&__AAhs)U z^G+?&my=;B5=9HrsUORH*upAETMQy!;+Q=n!m%D=*o@!%2+A2x&9o(6%8oHPY(XI_ 
zVe7&0AjG(Ok(303M0WT~xF}OgD*@`p1>dqax&=+e>Uopyz5*)bp4xrPyksq-yp?S#PYCC^P6xjPmJDI!r_Rk-nbqw>d6uaDI_NZ(B zc4GGa(PgGAU9fmqIZoSt3w8sEF}+2j>$^9wpUU}R59E0Mc!HSjl-BpUl%M>Kpx(;) z7S3CXRn=?={K`e5&;A^_TbDhdu-+#mpoTF48f1{)$p?D z^mg8-?tZUQ%e(+v>*tQ#+nO!&aFkl_lc344R6F0#Dd$+@!w&RqS(QHC6XhBdcF0;C zb?J-oPvhsa=wJ@-xD)5(+d z)|FSrXfQvRoaN7VBkObNPCUA<8~rJ-=SOF~WI&Ss*+w=7JNqAczq6R;BcJuJL{CFt z_S!ibf(&o_O{4dQ+lE~v{$oGm&>nns^o8a!zQ@J1+=2A9+XMTS=heU?nx-OAP`(R9nV z)@Pq{)7l=GxaeoK?S8GHv3CB-y<2^~<^DQmk05UMHkt@q%`5GKuxU6RyYH&r=C_UU zB0g^Vv^e}3+)SZ<6-D3k%Z09Zqy9^p-f3o$U8gznZFhveyKw9Esftrv^!ekf1;XBY ze`xo11?RlySto6WK%TCZ$+h=~?p}^KzwZ}+G;q5XNXWt12t4-2)*k_Mf`p6cH*jzg zyvr+E5*FC*7+nzRZvwjOfU$1__XNf)ymm4N*eHUdla)Y~Z%JjDY1OtOG%C-)b>r{{ z_i1Ai%c@ZnAlFK*W=mwuDEClJl>Lol&3aedzP`u3R|av$N{>fUCF~udbw&1;uXGeb z+snjlfHQ!X3>WbU7cF+|}47A7G)Dl}3pmHSJvtwtrGMcOE26qBD%m{rUG-}CZExw71)RDZRGHe|^@K4Z))JnLeWd>lW zq1dNSvARSj0J9f+d8jRUp8T+`^Jg*P)gEhF}_&7N*DxrJh@`5)m&ZVp6SG9&xj; z5(`i0j|%S|aQgLw%Msodn-jUlK%p(L=v-FRwpod9BRT_U@ zPmRRKKWVlS!DeXbSGaU5=C+IwBh~5+o5@APEcAgqw6z=o`7;L#j65Y+mI|2|K}fH9 zJ~?5<(!^>uZiaPm$yznSNFj*nlu(+GBqM#x#Zq0=iw6Q_(4y_7 zZ)|9PsDdtxFS&GKn#E*~SS9CNk`>n{0}??NPB~8;R%OsgT!V0L7W;mXof~K1kdiiI zqyKh_p+-%JwrTbso5wQef=2bE%bs})lVfWKpP^-^s(>irp1c7*6A+;$e5Eb|Dgj6Q zR57$~^XG2_U(9>a-z~|{P@s<_jhVA(c9vMv+8+VSGW=B&QaChAxU#IY5HC@l{qW`p zvQ#jR>kLzR+72VBX*nyZ(WfS(YJD7>%b9pgN(CrL``>uX(hCA)kjP=o<;m-y`DzQG zD-ezo4f{Xflmua_*ghb4SuTTO{jFwU89Qek<9&#!<^MUZD?vIYK_oRTW5KM7wM7{h zAeEwM@R|z9Bn~2bjnk0imqHHYTo7|sBwzK}u8)T-GT!4roK$c7@z|#QjWybZ z<_`N4Qw$CuJ%MfW9hA18)5{V;an0IM+$W+#ZWo~GxUrO;{cU!>LswXr_qg{wb=|$~ z<}6u`=cw1zY253&re{E0`;(S=Ikmf0y1Y7G7sot+oW^~*+G)Kh z;pcx;t4%(iryzM((c4xQ&UvFf~ zcnCbc;}p++xY>H0MnIIBwVg82xy+o0;l}Xd)=t}{#8w)=MQiukj7;CTbHKKWRyCW4 zcVc6`bc^1_!Tq(C-(qUcl#bIcHyJ_Cnh-yqrHkY=c)so&-j|dEveyB(&W9hP`E*;x z@vtp^_apAKog;ZPxIX*-fw!`;d%t;I&MtrJ+^w*N+CTP_$S=6Oeehp2R(|X{^=Hs8 zPHW#ppZ%J)c~&tTN3rw$h#=7`q4V?}y$3e*O`TT!J=lV^1JHZEbGmmwcHkg*JPab% zu3t7}w|ekTKR60_$Nw2JycEP$frQVylcfp5S+CFi-j7QYze>OjRR{$V2yPI%UFipl+oc$ 
zuf#4zAzJ-CWIRrl7=jF!f6!&zyxom{6ZQrv7DoZYF_Tuhn$ryVq=Y0HDq6*GrNshP z>R?rmV%*D$4kFNQWnW2kn!O&$YJih&by~F~-9^#SBVkxt2|D-az_!-(5V_mJ+!5|p zfc94+LAr3Ht~w12PdcukTF`jBFrg^AS? zr%kHU?Y^^OSY@0Qi_qG_I>pfxN-ipxM4IWn?Rvj2>fqTcOlYwysRSvE&Rz4e#UtmZ zote<@<2A1!b+ck2s%B^;{C6MLiycj(hXs&%S9Gxttayl{^}4b z*7fbiRayF{PJ34A6U0E##N(RU_z793C@R7;RIqxPbr;s5P!Pa8QSu_?vycbj?=X68 zs3j>}C{fN8PT-@8lB9ohtm-v>pJb=W^(wZf)cmWd`D!NMQ^(b*v=;nQJbA)-U$fPtZ zBn}>-x>6Zo%7kaCO%;mfiUv0jU+O9iF@YCDIh`Y+rC-_X%^CB@>qG&ql5qY?vyJ1- zNEC91aAhA(rTQJW{2vKr;5i8m5jdC-HaRyZIX5*-JnIg%gQZ;$W<3U6I3+U{%l@CZ zEGEc7O{kXqI|(~%-N9ewpy@P(oU;n1?EL-XxXcj@l*#mPQ1j(AY)Ik|wB{wd2+1vd zLc<9D1=x;W0vigg-nm!k~p8bdPaGC3iVr#N?k;l<|DNML0kz4R(?dXNbwIh*;!XIh9ACDG{8Kze;}Ml~5Zn^^FrtD|i3e zjdsgd!Nrtnq(t+n%sf{TVUYZ-r=7}7&PeQt4Kjy7f!fSstY{O8dcn1New69Jf1>s_ zC2&Rr%6N0mX^H!O$d)+no~>8;`%d-O@q!v)W*p2!@liYtW*vr6q{_=KEd^c^#iumg zDV&M*!s|051Orm5(9WVbotK~4fCWtKf5rpA-hfhgGWCo3{`30U-yN!tEso9`!YdjV6W@8q*O-$vi75xW?=Ppdwk^a+_YfHUd@J~BF=tMe!WC}K~= zq1&$oT^rigHJ$@i>(85VPHOK1**!dWSl0Ww9Q?i>OOV#zkm4Tp#;LhReV8xDm4T)0 zt&dx=k(#D|QpI2%&tcVo1l`LD-n#QC?#J*#I)@ci0_hwaTF0F32YGvruYT`b&%v2LxdVE?#?}{9sqOOb?~(Lm*YtNcG3jR(q=F!&D_f z4}ZtC+I9<&#&Kx$UF|h7$LDj#-NPW7JHwjBc@dW4^X?WxPY2}weMH~$CV{=i%uxQq zW2O8$t4_vkz8P`rCP#dRAo6`PiQg51v}0`uwzCVTdCV74pTORQ!N?I-X#^j%Hs-={ z39Rzd0?egDTYmL;t zrJ}{wX{vqvurN2>8sId<^o-jDB!5ZF?espILaffRH?*h6%c@(DdMv%#usIHn;X1kd z{-T>bsO3!;{ayBSvSsd7p4%O?V%HWmGvJ!<-79zN`@u)=b2Vo#y%;uvQEpwaY(>Mj&l}?Hlo{mkiL-HeA(Nov;e>urO-fLifcQ3%~ z3E)SufBu3vl}>dQ2{Svr{KYJLvQm%KIRDZ33*ZWT?f>GxB*+1Bpv0pbeThY8G1q<- zPDTRL&}ws}D8l|txqX_s!hwO|y9X-Kjg}+D7beaWE%jHR=l_NXlwhJEKusX6h|Xj= z_cjpNA+9|cP~_t+;MA>^BqnT;s?I7x_F^JQ44bdEo&u*p-e+1)E&NqONT#(bslnWs z#AxN{Tb?*<9Ckh{xLNym5_`whc#+`PVRC^)+Fzs8;PAu5jF24}Mmjnq+QlkP79p;I z&q&u=;$VKu!vu}8h#<_6Bbe~vvk!_Vlu`WKRGM&}ms*Zuyh?szkz8ExOek^BC zVhQ4=BaWdNhGNvQo9X~VI8MkJ_zEEWd5@(Hh;*cGPgn(>;mkO5xB6+6#D)c1WNnF(-W=B3MdGMxaC&IKQg=G8_WL#5h z-#TtZ3p`hC=z0RRC`rmv7=>I(RNlgQkapeXaxEu5&B>*Rj6in{i9r=?**s)8ZjEU= z_HezJ8@Q;EFIIBKGy#av19^aBo151Z|)qMx4A?5|zg&CFdr^ 
z2B@O6lm8B^`Dq(!ut|AbD$M`O={ul;MUrk7jCC)U(rkFKG|RbVwOK&u8O0`MaffH5 z21PqlH@M5Bxdt(3I}Cw zqTg(L*~lcB#1KoNzV<~Bn-esN-cU(WtCx&_btd^q%KmhzF!R;zHSA4_B(uUU-AFBp zwJg~o)E+I{XQ4D(y^RV8j3&#quZnU_VlpWZ-d&D7LW+b-Zx4CuR73U2v=Qkg%7kY} z44GqO!!^n1o|IHrX8Ly}D8&BHj$*8bgDicKVT!*PJ7iG)bg-G4dCnX7ObknTc1bNe zZp0~;2_Jr6FA4QE!xk{6pi8hBSGf$U^ny2@X!J}u6(!th&ImV*b_x@z9W4<=buIce z5O8RME(+DfIIcQqq6jP4rEVz~8v^Rep>ODkEBlNrmG}BbjWz#{Fm!&x{1X5!w$o34 zPXJ^FrjPUJpYZE^Ot0DL7dPQ3{5tHUUso+tHe)i#D6GZfnH|Xjm)xuDBSgd@rS7dU+P7(55qs^$9U~BmB>xGK1hfzm}TJ{=o2Yl z4F#)1Vq+l}z0zVI+{Q!V5pi&W<3GJE=kT11*w0X^$c@!cKX=OmmX};4PfJ{UgW%Ch zG3N4fKvAG$861|EBx*5HcVl?N74rH6Hm!p9SFMWPg6LA3K~L(Kr&H>+h#EOa_W?$!3;2Cd`j{UihDqUD8t zVE{wN_SDp!^E@cnZu8LSPyaGrjqhT9&pK!874FNIbWAh7_7maVPOBPAtCmTFv&+5K z;`Zd~TNSgrZCB?j?+DN1nJR()$JXzq??>B(w~o()(N%7s5taAq0RP)S$M5)y_sHq) z*WJBJabCbD5iG7Ug`M8~lDu0;^Vbp zRRJ~yg{8SZ`xoZkuqk$(mtm7j1U&p5Ut?<+#I5uW$D5UOPsf?&cnrr4&HcH+>XvD* zZ@%#JdS-Fz+qxjn)aTJ z&FApHmDcxt`uGh<$iRmJ?1{W}{eU_`6m}a z`6L_%Ix?W7fNgO|1RAZ7j#M3=FGAzS1OnR^auqS?Ubuf1gxylS0h8klU;a>F#tilF0g@B;fh63 zrcP?}LjeojMPn4MpiDFhoCt)QM7U;|lE6`-5*$gWo|g)N`Cp#YZ>}@1H4*W9hiDQ8 zT2`}p*Q&wwKvEF#aIfMbk#=!XaZqdwnzF4i!mR|$$X6{G%?dP#92(HPmL=B2vyop(t_up4L=TJ^PkonayJ0aWN1?v?$Y@(MWU(2J3s&}CS<1Y~H{v-F1Tq1kX4nQjoPv--aS&xn<=DT&QVD($RV67& z$eX$3Wd0SZQqhdXmrCRMoLR*WBAcg6@($@$74y}iHcFo()XzEv-lqc%_yzte6a{>hcg%SMMm1LddDM!c2T5%D z4qXOVGtRSdNvX=r6=jx%ca_l}wu_Q;+Hh&fweC6kVIqFqrN!Oq$T`nNtx(Qi{t(E_ zpe>%E!9vi`Y)S*C#pv+jVlG=g6pOiD|CBU&#`eLkT|vvwsUD?VIoN~y>2#R2zVL@( zD${JnT0$;!EJ~PM*guf%l;n#;yRgENS>3hYr)vRrLW+xdqEA=&iD-t3-N|3!pS!m} z4?nRc9@?vpD78nTTQ*&kN*U~Y##Z=j(JJ2Gt^kw1DpRWX{u04)dBl=m^Eq;Hj#~Z^#ycW=>vAl}v@JBa{{`UT?Um_WG20Otvk@*i z$&(RFj;F*tk&YZS+Km@KO0m43$dbz<#`)h2a+?sh(Y@n(nWmi((m+U3h?Of2=1$Dy zXkq@=n5qj%%jE{?D!~)sR_!0fd7S7)CqJ(Db%w0gc1ta}G=$94N();rj2GKQh=KsZ zSKorUD>g2$$YbA4+@aN|p;%A=n z$%Tw)rFAUm;CTGfMiT|>{TAbIh|D|vh072BrR|r zz7&X3>3M5ZMQw1)?2_tdm~x3&$ul|~eN1@Fq1wjqELxuxn4~b1LTR!~NZKW^WuUQt 
zjCvBshDkW8T1!w|%&R6J9@Fb{vEKjpNWY~A6UH*@ejuYNn|ptG-|IW){4)N4bvrANIl~jeE3iT+~&utsYZ&-J6GCT5s-yycHez_6Y5%W^Xkw_y}c54#7i$9Nai ztW))B9`Gf%W4w!C<2$Vrf%f}5xs;tx!{f6XeyY##V*Af--TSN@z+1s4$lG~b-Dh{1 z+|T{!B&pf&@vHY*@zwP#hwFA%xFE==^uD?*$)Oc zXaQK;!CklQk5^>*tfF#2@4qU|m-I$|e3Dgo=nfCP^cVuR0{Jze^ zW-%RCu=k@89joql>rXj)9o@48+ddzyhy3mrVh@L*)4Era3qY&Q4v;M1+As7Mx*do5 z=KZi5pSv2Ur3gcdqDFW10rsP%h;6%+(QJ2nF$J{w_ZX1iQhi;V&Em%OxFw=DO!(XY zUh=yB`SK4cdo#;-r4)K)!tWj0O!p&Hsz|PxGeJW12912ytxZY2VOttEOUUsU*1p3M#{6c?R3|nvqk8@wnRtE#8PK z7YCSeR`C$75PUMmUgnr?us_q0*8JlvJ?Kyl-vUt$u+tp-EeLrT4DZ4A*&=BIpH568 ze+f5AL2(&3C}&?iTJ)Ei9R%dFg?_`7a4hOGb}|}P9)_1V{3*C>*{VtiHXH)e*Hrq_ zNt9KsG7%7lFvnU=x@_L0IWH8o`#YDa)R6x~q%maHCK5bj@-O8da@rsRuHSYc-&M~` z!-_M*CCgZf;T!@Xolxn7mDx|I3z3wWfG-)ZNaF`^9cg2vCZZ_m(#Vpgc$~AyQbhqw z;{Cx2)o90fUdk57aGXm=f?nzfC>CS1$`NGi5MyDnk;D zBX^sE5sXxy=+mLE&Vcbg%5+IGCuzVrwTG%e`M02*u|h?~2(nD;U5M)6H_6%|35BS) zi>{V^QWpPiZ050XTuL;OZ#r`3;zgyfGE5t7kp3FSN(V=sk~T7O>6FcqZPxbH7_puj z(2c1ZJ1F~yCQUGiuXZMG(u+lMJxR0KV_N5?OME{GMHoA6&n_c#A$A=g5@wMK4E1xonWgo5_aV~Bp*{@TAE5A{Anc!T}kO!~q9 z#`8WHCLTA@tR!~V0QV63j-h>DjNZiS~^|7{lFl^)PZI~xk9h@li?irP3L(Q~pq$b`g=KSQV z04*WUO{KiZ5qnA?+ccN#(4*_NiUlW2miJ31mo)YBOUxMt1`cK89tAC8@^5M zw2Av8h=ctq1T7~Qp?s@Ch78REyg2f2WO4^1XP&^oUM{q9Kh;z%8a1tq+~uF?GgiZ$ zQAd;?u)bC-nE4%M4Rvjh#T}TIcW6avr}ie|GLXFWn>4Gfg$$z^)&ErBM<}@y;I)Y^ z>hJ=oViCny;;z*!=cU&Ps7Ae0e}y6{BEBmBluy+};iXg?S*o&Tou!STm^|d=SWY$H zH`Ks2h4~$+2xc;@(!o(98DEJc(N2ce?p%(-1y+EJu=s?~XXni2?y(X=N}qAB6;@n~ zSY>O=VkE+>`hW7!?We!eT*VLS1jT;8y#@vnGr#+FC4gNw-K^f&!r|Sefj&M;D(tfw z`H%UBeM-Co_86p%C}b2-gRLVg5dg20Ih7y5z`#%P&$KNL%zMty*G0F_s}g{W5{01B z#1N?J9@k?feA%Y{t)6ke+d=#C`$gGvwpS9U|2|@~c^SO9yXN(Z`aljvm4?9S5J$>U zjn-){9z$)}&%9tb#)nPHw)Kp-M9*FIa3jgh&niXD*X6jF`Vi#((pWOJ8meno6&gRB z_P&4 zHLYiczw&lZxi4-W1aHCo_<%dzg|05mE4N5U1kH=s+;LjRIiIwjFTN?-o^M`A$!r>L zfy)549;sX{E464zt54rB{wPluOvQq zCkH91K$!I|`&G)YVAa-(k>Kr&0=l}9Z6@;0dSa*P=9`b{FPm01(EA7IFKE+G9yaU0 z7U*l_wb3sWf*;V)^MvHyq3MJ4aeL#HIS-A~m1M2&PXmsT!P}}|`T%Qi(5(hCxnC^^ 
znt10Prt+o;#yaKwxYp10q-UA;X&MplrEM6vng`(&(>Vg;^yQ{Dvf<%%)e-N>!Skx( znN(Z!^vzv5*m{6!ZB69xv2iKYu%;OpCAnF|QFNA}9ZaY_>3?hsk{JAUYNU#h8=erK ziiz?VUlhX1CIIIl3U?O#N5^H}f=?MPd0z$An-OU(fvT$gyPjfzc5Lt@{9F&0Kq0An zqFazzSReS&Y*^n*`B3Jkp2nO z8EmCVz5A@Wk_%qb=}LrVfv1o~$%`!iVwLfq3ifK@MoCJIK|J?((jHG7EH|Z2FgRnz zneoIA9=(Z1F^3E(F3HxFf*EJ}ii3t?&G-l*KDfF?%_ZXVQ4(ovXv5^tTHPSBr1^8tnT5dCSKlB4Ntlv=oX(JmMt32e1UevJD`|z8xcg$Jd)<<(H`K z&eIo84-U}33%#Y#VW5{ILUY*W6S2OC%Af4mwxYS@1^J8pNp^A)=MK2g256DCD#v3I zA=H(@H~f*kB#f#|D(ua@zVqj#OC(fzl3$~6jg)TFAaCn*sO9JcZ=^}7RP2w&3!G$< zh0;MYMBe}Vr|)n~K5>|E4aV}DGXCFUOI8H9Y8FniaPT&6QJC-2arulBbsnU+6gGdb zU>jM81Aj5`;^Y$CdMaHhj~0U|C&093)9#S|kZdjhU;HHvz>9CdiMI0W3fVV?Fqla2I3knx{@9XRAIf?sQc+%@DB zRzA!e6xCHq!v4|RQ*@xrmB;XFh7wv9_EJT^a(jw3H~K#6O{@^v>5`lX=aTLbzGgW=0y=8WAl=Cx?_->htkuA(||pUL1HBhIMBheNmQla(ryi z%B4uLkdvm$xRgW(AGfE+3s;{y4hWiXlVGt(arhBy{C&X#dA1O7AAym!8m*{{HW`jp z-8>wzmqfkA;*h+*OU82XS1|g0!cQxNmbuszc<>)%*eJoyl+euD;)zb)C{pMgGv*3B zIybY)Rq#T>bP|?}A-CXSD}2iLZ-S*3k-@`ZU5EpVpqS40Xt(T29LT9yG&XivXbPM> zao5nuP!@}M7MZyQi3H`LtYVwBLWzt*8%VD}3MH_(D0>L@fRUenjOEZ)e?v1F2i6%w z_pRgLKPv3_wCpC`dRFsKy?T4{m5`IS-nHMgcXj$M2a)u{Q+T=*;};3l(2MJMm$xO2 zTr#;^=%aAOf#H->IW_(Yle948uw1~Y1$bHK34trFRGt_t&VR>3L-nNiljJ>jXTDyi z6uGEku}CQGq#sipS^4AgH@Cjk#^%I-eUg;MV=_f;_4o&3Y~ zjs&&NB48gH@I5xM1=?M}`pHEdu1^GgfIc9H%6zITBymVN-4d{@crREVEtg*YB3D3l zBZm_89h-WNWI(WqUYc3jOcVQ`1&7u-!d*!G0aFmXRq~AZPIPebAb#rU;76B4+j@ zrryZWqN@>=vcdVnu^2DA?+$|zd3((_wnLh^%PI9B0$fkFNJ>4AH0;E96L zZJR^zUIS_gRiL0MVNxcR7i(PHM{&>O>s03T#Q)02Fgt26@bcS3cQvSY=J`bqGCc$I zPJ-PqJ=Y!jq;VF~{T?&Z=5+l0HVu7?>zbZdWw~xtwP@OVTgBFZ}YH)SI_(M zaa^`-!owQip@knOqKHxK+JAn>D5nb?0huSS^@{(CaKK zzk2#iTD*|Gq*W@J-cItC%z3VWI?8H)z+Qg!TYEZx2j2Z-2E825XV#w`m#6#o%i>&v z`bbZmzF1zHo&K6faeB&jSKj-D)NB-+j_XU!O*x#Wbo&9^%UUhVNBnDsD9007yR&rk zzLVPaYEM-V-JYLURVCyf**ndj=_UAIrt8$cFk%8+-Di&u+waQ9YdQjHK40tJ~Xok zewN%uB%a+1ExL~VV-%;u_pO)30%zCL-kfa9@#dJdD6|LSX}$M2n`=#jaenKjgZ1vM zm$)MQHraLS`J{O_>(+f!sO}$K*=zeqe%ki$V_sLC2PhdipATfm*AZ29<6+b;O}?kS 
z#@*XhO}!oar(&`iR$=2^H#^i;6)#JEEBjl^&^i^D7AkUDH)Qwy71vxxCDhf9@UQ)! zPfy8OPFw8P?@N!N*RzRqK7)+?lWeP&SxR)59UT{LzM9)_cY*b0sQ7lDN!u^}-5b6s z&J(>}_%0u;&$eB2S9+Qz*Yk9(Mk;1Co4O)4_M0g09qzqn^fZ{uZM# zzzoM!NJoxBud1}*48&J6>I1)>nwCUm+|i^kTZ$!OdB;bi%BYs2j-7Ng#WVW_jTL zo+bd6a>@L}ai#ewBna_y+WfJ&9GYm5Edmai^!!g3*0HhGO!Rv;t1+xO%#jLmStBXu zz`wuChXpJZ7BHFE<1XJ6#y|f77H~MU#$tt&k*yN)xt409$Gm;P#NZOYLl#%Nk}$6WPqq-3Hs z7OL=niDY{}Vb|xKXnW23g2DbopO$}RlCAGVz(ip|U#90qT6XEwDtXp( zNtOj5{`>t8T6j=ZTnB5#aIq#*u`fn z7LM>PusA4?_fzeA)FUj;&BB~(9!Y312kX)Yi`F!2>4M0+gU6)*3>#hgp2RVe8~#xP^O=9=ZW0?W;Y1ZUJl z%A9)g^Wt9#OEmeT0k-+CiHiW|2FKy}^)dqwOA7l6ELj{1p8R-Cz9wRZ=Y-FK7fQT~vT+b*Dx#} zO&;C<;GEYa)b1A9R>S;(xhD2$d2i1Q8Q<&aKEVu<7q-&WXwnQ*#))~k2-SD=&O2zQ zy7;Y|&B3$(od=udu*NAk$;_PIM^m^?w zGCfanP0Jc2tMw&qS9}k zrr30?FdTuzF@3&uwRt6qKvSrpQ~?dYpDlPKbjP@ZJq4zzL=nZ?Gb%3cscS)7=LHRD+2fLZ4@y&<5 zs(Dq?`_?MMAHwnSrQAj>19T(fwx8f)`AKiORN?0)*f6l00=OOWCBOEls2$3KVtu!2 z>DJvNhsr9#583vRwmTo!^YtDjWe3p*X@O>hU00q4tqSIw-p_iS?RT~Iu1fe7VgTKC zMX&6jizT%q9Wrf(js5W$oi7l#_VGf8{fnF*6-%cVz$@ZY_`I(h*9F1;COD-rhv(Fb z^W)$?8FSNlvxxoUL;qm*9nl@f%I@<_=g11q@pSq6^C)_FyDjG?AJ}&(CzIo2<>}&c zucv)~_(MylzM&4NWu?RV@(Za`IkP$C#mT(U+x{6x?B8^Da3fpWOHYPveN1-qNAa=& zlAl!#@C>KQr}q?Oiw=IbH)~eeYI2`W+VO*%jN8WVW$fZ}<8<8jHq|R$C#a&n8Sq-f zysQn1qfQI#A^1~Zl+g|TId8gF z<4|_$VgFpa#NOVXGH$#;s2Z3EOP=qK!h0SIa~ z)2y2O{A*}G#e`7;)T%qdr5OsHFY~sc>Xi)7-zzLxqUr)ewSf6v7C(bxioud(sctz0 z#Tr35r$AU;yslg?#Db@dK4 zHzf(yat(Qd(!qv|#T*?FJ|95$kGLY6E}dfquf10p2fesU3oNsc$&j4a7FqwY`n2ew zM(ZL_sS4eUXBh`low1HMy7VPjnT~ehcXR1_eWqmNUK@1U!y8u$OL?Gd z;EmUScqZ)cX%R$T?8&?4S@B(yFgtz5#psMj7!pYok3UNb(h!g>@PmFGZ+0G2i_9>>k(^$&4`1$uSIzEIRUSTxKcf{2ZVX|AL`&=A0EYSLz`(!`x z>D4Uy(i@2D^cE5e^D$R*Q=(?r5{%swZzV&trXO-;qXHHbd=wurm4e?8oS7hRG^s|S z)3f=cuFfG7lE$(OLz?)fuzx$w;_fGYl>8hoqWJsn|MNYEb@-*V3e?2$U;MYj7ib{X z#F-?}S^L{x!7(Yyth*jO3;W?y_gH-Px>cHFchWz<)VnmAm{cNEy;SLSf*pt}BXK5s zS12DGBxos6dd4|z$-Ypt@WjUw(z0Qj9F>uZZ`R&DHwx<*FRnkZyn=K}u`MQ<$}jQ% zoNkWQ1aLt}d~dL)d0++5dOjG-JB`7kNJA)A}&fj>*0;`HT 
z>9&;LzL6{8hs^JZ9lqT|DTD&CBj*vNh89E@r>JULwu_K;<<_Q1G&4W#v7W&<=Z*WX zqb(FAiEDwXW&h3nP-5!7L^lZrs0yl@K#N4uw1xSs0P@|H<5lC{KXi2<%f+52B+us`5N|Ai}z|%B!98N|y zX}y-kLWYA18qOv{0!tiYSOb%Ooln!;k}$CzCQN$$L7D0VF;*H+UHRRS^oQu6Y-1YP zO52nwChxYQj?c+~V8bj~Mr3&C%}R9997%T5aI`KO6mjuZ2-uwbK%4%*eOCh_F1o>Z z>GJd7HI|X(Rps?8)ZepDHqJkTq9pLDo)_6RWaVWiXHi;L=Kq#0=Ey%vc5+LnF#E2v z5l57YxNFd>rYfkPKlkO8{dA&ZITrdq0ktBC5WX;<@;lx8<%oL$K$tPx_V*>%{0!m6 zc_Q2M1bu!xez!T#s{Ze&A5i_jXhMlO-hO@A_qu@>)9k)xRZ{)D=;&@7_aB=}dDk7b z^HQ>4Z&urdh0$+k#MEfb=X42N!CKvK%!dzl8xG^Y+~_uTitnW^pOU)WzbD3@WE@v} zE?Tx0?fz~M&6n&+{Y zn_bctx6hel2EOY8{^hu;mH$(J_uCwXE?D%cYfM!sgjaKQv@{Zz{*4!saunIc%JL#@iTC#D#9n!mtJYFI8^%~Q&+t!a+?)CsFw)>vny7;x+Qv&j1x*93gWch+4(r$9Og-Y~Y7V~J zG@R&mqi(fq?Wi}f&O0!q{qZZW4f&6OTvMS{+oS7Gx?n=;{cm+|tWZi^t#?S;+~|HTXnl$CYI0LsFT2Z`k?r&(3F zY^}#8-sN?>`q%C4#mXG_hyL~t$LWeLuR%6B0<7Lq*zT3j)FjYcbi9u48-NyWyxR-Z zjRWG>`5HjrgFvC69j9ARf;qvU-$J=%AVCB0nE9N)o<~{g`uGSWne8u-TqTc3RAe=va8%Wd zh!pe@V0%{}yEK-VvD^8*3x|-g$o=VEly{iEnydoPqy8-xxhlC7FUJH&^=GDuFCnQm!~bh-S{;?x{59n7?6VHqiT5J~+Rg z@Qg#??LJ95s^@ne(_WIXqaa-{8w48dIej~M%EzxjOQlObO;cxk$swK$k1zmbF zjt;Ksl!Xi)3yZMgl*l3I2IToeYy;>Qu7|p_v=TBiyA$6kiG^^ej=+cw_GbisvY&EU z&;JU?rI}BzVC*WC5wqSavo*Vjn4p1u6zat-H_k-wdHYi)XdjrdDQyVQvxi(OL{)>z zw_C7`W|s*+HRM`8Ujy5AJPYO_GNoXPYjyTd`i_ZC9!4ls^*u#P6{Dv_F%5SLpROG} zGcD*xsBwM$7q4p`#z0er`^l+TNMt{KKI^I0TCs@SB(rQ;2s=?@R}LKR0MjvZkC>$9r>reGR>R70-l@E+=fC-;{SMtRE51HT z0eSzV1kr;XDP|l*?Lq2V7KDox<&$a-vmQgfm4~OPP!Z zR0nU`H>)8^MD_Hm-dc;;XNAUJ%jzbj;PIl zC_a!f)fJma6>sFNbV-RAL58#3{2WExu`1hSF0f;QUCU%j7MdFqtxQ(Syw*Lmd4X_7 zb<-fQUInX+T|FUT*Kwh*Er4*|1nW%Lpy2_mARsF{nC)J(O{TTg^BcH> zuV(0aK7^X4CseeDcr})KlpTtDYRIoOA!NaN2eAe#^G?N?_Kuidg;*y}7lGn7T)6Kp za@7r%_P^s7e@3a~TN4FQ9liY(`6)jE+evBec*TG*qU~@}?opN|s7XrR!0aFuH75`d z9vy!ko$HWCl!3;gw;RH<%2ZI37cA2*m@C026=-9XF7_C$a1kd%#tLs;^BV~-Gy@zK zji_jqScFP#>_G`KIjcUK^E~bU#0s<^k1E8M01TX*1ocJ0%f6ub_D(yymUBUiI3iDnZq{MSTYjTu1nOW@8^hAqt;F*J*|Zt=)!}XPa=))rs^H! 
zzN2J!GtTSxc-`$N=uwd1w)RRbwaKRQ@`69JT&ago;zQql&%BK1Ip1F(Mc4K@7jT^X+Ji+Iy7<@?yrt=o40(0rCC2OS=>tzP9%d2(^uu00=;rem}3}f)o2@$KvQRneYCHmmc@KC2@Fk zS8)@x@YaT4n9gXyuOKdNmvN zb$Dr)lAA4Kt=7GoVNT(2zB%e&SK2pmYjKV7u>-AIw0oztyySuqtFMPZavq;ZPg{@t zPLKTjX-^6t!wqYv2lvPP-b7Q5O0*x>y!L#BAazjp*GijK1Y+~gyX1}*U_Z^&5$gA9 zFZp(GlMwADo+K)bT;h^pmjUaQ@W2x7Rx_huSvq0Y&k#~{L*a`E%(LRgIudu-6Q<%g zL#&V=!LnRYDvn`bB(7^DABtkrPfCH=8PKx}&1*9wA%U*sr>cb#g0XY$U- znpe4piq9EC->!$mQSTC zGqFuXb7D!C8=Qfjvs4IKc>i`j`f4%XwBoCJ#`)^ZL-i6Yl947NAvb%V7)P|*Q1z5$ zh;wZMnV=p2^^$N2RtgU4bAvOKualLijE_YpZ}U!CXOBLbiiZ3w6awrFG(hZ>#ja_^$shv113DY3`hp9njIY--J%uVTXVyx?w_)a8-3u<-G z-WEr$0zyoMHr%dPK5t=9`Xa6TXK~7%DOjr(M2KSFcT17G%>d4TpDT4^M3(4rSITmf zc$RbXc#Om?XA~i0t#?68M($J?W=QAGP5bM{7~+o;lu2<1RFntA8KVqeWA=b>J&TId zQsw@NA5*ZA>et72B%9_;@r#0xiId;+=-P)0p<4P;MS>Q=MOJxH`twMV>^;HbJYW@~!@B89nVbtU_@6jbr@YnV7;#RV7L2J6>U-cH_z!Mks6kF$dq z?cW4U+p_@w@J24?s{@>%V@Aegh|JSmJ&H!uk%=@He%*k#V7A#JK{#?)9N+peukc;2~cA7QRfo6H2e zk2cOJI{RpuY%nVD10s2RtvaPD7g9fnCGie3RG+q8`QLa!wOBDjhP29?`-RyMLUz^r z8*0d8UUa~|E<^FzqUv4~^yI~a#%w0q?)vQ53mxXQR56=O6x0b?| z^}9^U=B4CCqcHo&Zq_s?u@lnMOX6i3N!MlGO_t*$x?)HVH@lnuer%Dtj~bvTf!6}_ z66755n8JIMX_6Un!pZN^EI(`Cg;dU^KfsW^@B@^I5Aw^M17V?Z+wVe!)_Gf&+tRjkARLk_`%Ay& z=YGmfV#v!xl9|u-98Q;F_w3eWyY1hO*E#@hE5nw~3zE5XZMD&U#jT@1{ggkCTws1yo{UN$LfY8+rcvX=2> zY@CWYvO~1#Q*#}RNfJt?WHy02reW|2ixM@&#ZmH>H+UO2OonNrZluJt=4t+{9Urmr zuZ84Mkf*wqvt9hX2UkvYIF>m@Q5$2I;Qt*|xtuR?D0FSMTX@}~CH}bXJ z9Clcu1L$D^Pr1++`9&2__DdU0To_z_HNg~*%w!s$h{`8eTBfCV53#2%#mE>8*8~sc z+{jRys$%3jjf~37Zf6r!l#KhHpg#UdGA?NU6^Xta747>X9XFd3r&t!146|AMW>+qf z`ck5M-C>VJMZ9QelMN!c3y%t{(TvL-jbN96d{i!^l(xSx*G2M3d?z}ZxPCRXh zroa$t$S2nMxAs@dB}Yi(IE(dzX)`PeR0u29!uz-Ol8A9Jq>VM+CQhK}=rGSW$Z>0Q zN}5o~GNcbVt_DgBkr#`^Hoqq&hhRHffIC1Ze5*MiERRhdNfpKh{UJ>}brl?FLi_T;~UT zJ*PLjVB55*T=1ocaG}X)@oMDpzgl7shMPmXm<#8)>ObdHw8O?Fx#Rvei9O6}kH@_h zBgzcpF4Ts@Gtw1@8X7OQ6ZStasVLeX{38_$tf?d!TOla9?@$O!MAZOCwy~@y!wv{M zVyGR1l^N4#Oo~~{=AKH5f|N;aE#ob@ybkVR$C#o`wO(Hmcy+i@1s&C&cv{ 
zv@*#w2hInL@u^}Q*-kdEZ-S0&L|j?kg4s6~Q}&C$$dGcGVnR?x%q3mxAs^QIg=Q)j zxl%3HNwR`HgA*61pCcxjLibfFLnta~r#PoG?}Zv%vf!_L!3p(}G&0w{>OzY|@cIZzsXy zPU1JPJ2H;b@$!Vy>$@k60b=9uO4}%D+AqFAU9AEKqrmU`ysFz^XIhmlxo_wD zsw*?nC`?E9|%nyj;7b)S1b#^Eu```YLyz@nO80CC$&p z7~SU}89A+#PN%%hCCg_U_XnT1w(Y5Fp!O3L5PENX{iAV0-0Q>oi_lv!cMsI;zoH0s z+j5-tIKNok_Rh#?dO3>jiJsO|@Ky3Mh)Gb3=yEYe=NymPKYXvyYu{7_;Of49`f@kG ziP;&^NE9UpPw`ShWj$;-uoK*rJa)GqvNv(WydJ`4000OWSALN0+pFZ8PLJ{Yt!CV5 ztyjh81h@2S@7ZwlEzTJ`F)H`FP}wv(4=1YZeD!b9!@i&Y#?Sk;o;mK?ueU(|x$3U^ z#XgsT*qVX&C>CGM<{ihXD&McRpMvAC)&LCw>ps#Y|Hu0!h!~CE57BY@;^q1h zp#zf9#s!_0C-zEnxpMMCdg*jPKybh(ytbX9Nn%waQp$4N)Vb0EWYf+B;2w4Lsfu=$ zm91;^lIqE_o49W|#;9kZ-HP!v!C@mc6Ns94(WPLeScU>%0>QO99>K^cK*H+qD5m>Fl?xjA!8Wc0#9al=ljV^JGX^`iU=Oim zAQ#sb_{vF|6O1NMXkNy{U(5A2eE-v_$TmYLJ15j1tQ5Z*R>8`O?t&XBZ=l_KGr*?R zm>4xEGssYYOXw2S^S5N;qT2ADIG4H7UA8Q8I9u7KomiWBHGnSpPoeV8yXB@JlMM^n z(YZ@C69b%}#SAh8CtV9dDVsIC5_s%f>fG=>0a1t{V|jm+@`yAedfbnh=3l0XfJKiE z@lla>-RcEV(Z3@ck3soKs~#4=ba0o>Z3*xpOp60%4gSQwYRi%PG}^uq3Kv2avQ9dx z|G*;EX_B;(SEF^`QJ+6I<=2XV+oUr>e9T_@#zmT?KlX%qKU9a_;5=BXsqDMve@Db! 
zg%r5=)0yf!cvM{wZ?zDYP*JRCt@NUF5WHa(!pfz%fTq42PHLaAtJZ*Om#)MaLM>bR zf+T0Y27V7h41`HTT(-MSK9=QA4r~vV#B}5MVno#TNOX5eQV6+5$XP1pRI@1ckgB!1 zG<+#Z-o?H0!tF|_Ld3b%nXwW_Z1P7dA6*iYZtw%hG)YRubA7d(^l0kyLFo-l2ZCY0 zQn!y1pd6tq_&TZKlpo(Tu>Nb(yZsrem-*?Z4(FOkRHe^_^w1!Y+P7{xjX+ehc2DT2 z|B{@Hf(LIzZo-&R@}eLH-{>fF$+~uEJu?;UV6JXn#0*)L@~wqGOWK z(;AVOe>Cdev3K{ji=}koyD{66OF5_Y&WmRdj4!>3`=VnwluGV&LU8z8`S*F{0JrhW zx0>kJy8-=+Iu^x_UqKP}6+Q4W0OFE5afU^1-yWG)=Pq*YQbn+GkBBjUS1nOON)$5X z+O@KV65Q(Nj2D&#NyR?ruo;RS`xIPHL2M*R%4CrV>~pGH=#+0;7YMwgBRg0vh{)-h z#Yw#vlS;XN51f-9PbejuDN2nNCJ`%SMfHniX6W`^hlInPkqPuyjmt%`I+EFdNBlf$ z(0n6)HQle%m1?q~Bo6?fa1d#vMKk)NS8z^~Ha=74o;lkB8CnUCd5WoUwH90?X0s;r zgI`)CNfy!N5%poEp|eNzzJ_;>bR1R#iLs*W+NFP*L&?hS=gj#x!fdw4iNq2|;D}6* z1E#WkgSFcll0ZGSdi)+Nme__;wV`Zjc6-d8b##~7k{BQw*4s|G1}}>{m~IVZ!_ppv~ukt z^)kS+#+EPmGi3*1-jad0M$pv;FTT;2!%V;llI4HpfnZf0wU0jnn2=ooy8mxAuBft6 z{eXXwL!UabXNlu$sza)@)fcEz4Sm7gcV>-0(7NB_K<}w17vCZuDbHmQ3M=$?W=g4=7;yQ zG6USzTZUDilKiW+uLX{ z3d7rM>pQ^fgY_1dm? z$iO;gu=2d=Uiag8jSlD-exBf_*SVCx#6-3BvbcSeNf^ewX{jext(G93*3z8v&;&B^YUh1^me_Yt!@k<4Tx?O|Z_P_EF z_$h*>E1LI@qOzT?I1aHzhht$vAd=P zNK79MvWLXf4AXFGPtsjEPxKJ570bMOcB-8p4K7Mf`+rQGV|OOdvaLJrj&0kvZQHhO zb!^+|*tXTN?T&5Z&3m%%*<+mhrGCL0qgKs&YR-E9&N&O&u3_2kEx~2U^1nEL1Q08m zNRozpHBDKHw;tg-6#qh#CuHT8n$tK@S#DTa*f_VOA2%`A$YbT(S>1IXI zN{z*=IhGG{%fgb=8Bk5o8uE}YPQk-5-YbKWqL_@*h2x)*SaC^sgg07jdh54PWT^jx zI6$qtnlCs%5~xF~AhUV%o}#dn4X zPi|f*7A6$+02f|I(vXZN`7w%Xu1TD`KAD`7oLJ1Cfz9M5lVeyL@0Qz6`Dm@1SR}0_ z>LHP*VXADkop+A3de!cSdHePg==n9|Nt_!R_13C?9(#~g=v?eD3Tm)8okFPe?HTnP z1?RQj87sUC(qv*MNcxX6`^YtD0p&*>LV2|XlTvkzF46FzuHIG0ko?aR&lZ6|nN)Ut z>lPJ44dO=arUeS;0=*IJ`XV8HyqMqgWT>zAl!Y!{OIAmz?%2OCXqD1>l$6|_q`G3@ zJju=#Ac~dZ9zcBO5Gt3neO54Bn}oO}9I*OH`4 zCeMEEU=m_so>iK<_V|H3Td#*8cQCRZ8@{i)sMVa( zC_9=KY4#qh#A<|?9Ftse#F}fHobz-AI$$_NZ_=z?m;!<8ULJ8~ZODqGf3l2zQ=JV;z%F12Zmgdo zplxOMvrK3j^gsW;;!#OajMqN2?`Z9oy+E<(upG##`J5z$7U2{m%D9>I9%-cff=-5? 
z1=>sG{AwO8PJPqnkFFF9p1!g6>}E=VwgmH1<(n>)=`%naCkNH(Uj~~a*r`Hw{cda#aROh zoHM4QvP%vNqU#}SB~bD{xz;<3KA3o8IdE(95epPygp~*Tmx%=o!C3Y|1#oJhP_pHk zM^?!2k@9vqcSGuw#iBh}flU%zT$kxc?S)`uK{-hzEUMr6rQB~zb5v+_Lu!SN_VaVN znA5-K|62e7^NOg_0ptLvy#E|zZTNgzR6Y5(m;)DI2y9m%79_coC;fi{rGU{u!tZf- zz!7&yi4!hB6}W!!dvewcq3=myGv9fzq0eqgrLH~4^Z66)csD0$R>vrP8F>3xIaV=C z1Q;3%&z{6z>n%6C5tMWH{Q3vR?t{AFIBOCs;!dB_x~;P5pSY0UmibYulT`^>(*>yuH);@kb?n>nr8SUf-wtXSr>A9^| zaDt%5j)Y?%WA_T!y#D$k$k)2szvyc?3!2f}Lg#GZZ`p84{&Yc&(i!oakkU z`l!+(4nKz7TrYom@?HN)W#y*c9BbDL<3y#g;5II^Sou|k`Dn)Wr?H)>9A3p(Q!W*U zQU8&0pQeh5ks!-ei{HtZD2j+gkDFA34%mui zHP9S0Jka1U_e6@4Ghq`Y)fQz(jePXTgE{nke^B+5*2%HR*VL>qqs^_b39t}mYX%4t znG(+Kh|h@khxEUF!&jlE8S;;YQ*XaXNq;X8VK)=faH*MZiwgx(Y&0tzoq4ZM-+EEQ zpj|a+pzDydgs#GEL(nqBODj@SYuGYgevdMc>=oynnia7~g{%W({F827xha_kym6Qq zP}5(Eux2UCT{Y@uaDi{_)EYthyt2%cwi(l=s!rVg0#VS0HT~Qw@PC&fFV?;+W6;Ws z)Xk`G3zP$4OcFw1aT%?Gl|-l-O6}7vzdCCqsQ&!1^h#h1hnA4HG8uSk5mKiOfzQVwr6iR9JIyUI+Tw=b4H?5Uv)_33REY$?v zS=&i8wHc;n*r6xkfwFZ?9E%Wbt#b$f<9@^CXeCfx8`XFy0KVakH!Z6Q`0N3U z{8n3U(|4Lk5c5%EBzN50=9*xnu4O`_R1N%o?l>ex$2jJF~|_{WKn zd!)hUG-Bx^jOaoEmh59WgH6agDIl$w=;nRN1-jZUN63o}o3XXb-x`IO>b%t^PAWwv zC&sxWBejLJe`e8|^qMHQdsM7g1h}l(A&>bPu-=1UE>7j-PoULrLhtYpc#t4a^(JV& zMpGU223na`Q{)KRNx4SaNwLOLvXBsT?^80@up|&@?{w6)QVYN@ndI}-FwdM)a zs0I;>jthcirRhe50l4Tsj$n8{#GN!%3!=6-fJI;NBxXhN5BY=PUn=L!j~37Qp$e+~ zzzfIr0A3vV)k-A?&HQ&cvELcjnr^~B6>-tXJFTiAF=*Zu(^anMEB-m>{zl9I$>k;3 zgIlq81s9OvE{;a=r5G)AvV7MSQkk^suT1mvXLW=uddFl^9WFl<5B8^*vv4jE9?6Td zLBl(mQzkUy0sB*y82V?0Ktw)&-0*9O?uWBziw*g187{k8E%iuV*jcMqEe13`d6Xg7 zsVCF&%Y7|Iv7Y5{Gu@xuhg z)iWV#yXZx9S`OH3>+w)=)~iE6B!T)GmDLYj`O-#{8v37%7d#{(3%O1#a>!Ja$xVnI zy5o_OOmk(GmaGdsj27=8sdl6roanqb)GL95TYHW!Gb|^(|1A%FU4@jQzC-{Ed*F?W z6~R;fAj_~m&>tu@#29Hv8B~zp9}p36OYjKuPrwS5h!Ry81D)|*^~=TWId+>t^D>I! 
zIzUJ7CDx=?HxM7;N;@Y&!zy)CUf}#Ic6Z~w>lkZSq2olq@pbl^_kMqmtH+1P|Ay1YrBXAcbG3J5 z&;@9j=^Xuij>YK(GA_{cLH+@FhXq_O?gGaFtKFSzi+B4k0Wj-V?>P^15Q3x3F?Jh1YS}llm&FYHhuO69{0VnKTolY48G#a0B5*| z6ua*;>K+EL%@lP3)V1C1%>y6YaW`;U`=&a3@N-D7_fPoI+v z3;(B$T8qWH$`AfFF~4k`EDL*kauUv_Wj z<^BDaI)FC8*L&JzPQ!jJ47+~)wZS7_9BG=wg~nyWpxIrQ1>M^LMUu!vd=&$IOKQVm zX*AGXrO|7_fnm$^isnYgYydl%g1!6U5hb77?;+Km^PKYc?%kPJ$0EVDsmjykJA3%2 zXGio5t&_wjTS%M0T>(uJ#p{E8_idUS)QewDQqRpz`%guDM~ULCz={jTw5j)$>YkJE)6g3bYr zj|)ctU7yyqYr*}Tfp29`0f!9v zz|#Pp2ubsjiltQa<$z1EyZl;J%yA-+eM=5j%dR3HV6KkF6&UU-(6C}t_sN1AshVCe!GE&S}*g3=t zwxyHqXdIQokVhD5Tt625ixM>|ZEYgrNYthaJI7u$Aa9!*%QK>5xQ)ex&_KOXa4kFpR?wGt0kl5iD}3LgdLUHx`Ut zljYoZfzXK=6Y9*l5*#UH$Br)%r(@D($T2_cRHR}ngVUlFN3+#bGyX9_YC142Mc2G% zoL1i2M7K0;q~0pc_(x!xL=)S#jGRmANc_m%z{rThUr}_n2<5gDf)4e&~P;RbkhWdE+ai?^O>QjXYh+;?(y;{`2a!-ILs zGjz2CvA~EDyesHUbP}8hbRYmEq%6;yJ`iMJ1bM859tVwu2mx)zLIf590FaP46;j^o zJ9CbqzivdMZIks-tk~eYWGqy@l7R&jR*_8ivZb39E?!*e4mwyw_bhHE%2cWoY>lJf zM#RxrJ{zReDHHSTb7!nZAXRc<2Z@RHCSEm@%epg@9vz%&*p0=}KfTr$=JO^_Qk6)T zOtMIASf^4O?PO;t1E-SN<2TLet^T2>)keOHQa8Q@M!wglQLj?hC)u}GklG&VbljT; zy2co$aOOToV6-Q)gPOAh{*v*u?^mVhiJFWbRbr3#8Gu`7c)IRNkaDs*dml>5}ab8zatK)iTl1m6hP7(+3zz~v(#U*e-2*u3jwIm!?S{0A;e$Ou95 z-Fe3t{s0pwg-eN|Bm<;@T((Cp0U!R4S2pzB)~RhDHho;_BE?r z;6Nu%OFF;*4$3S++_Tf=?>o6SeuMDwj=;bN6gRuLBH-Qcjdn0t@cD;$>D8yD!NF--gi$jv z|Fs^lZp8IxjuT?MyJOLxBj-IP)#vbQsIP0-j?|H}Pt+n);PPpqF}3X2py8?l0ayi) z2y1JH(o^W4(f3|7;E&_4Uyd5(YhPJh}=?2t6Wl7|J zED&*Rnddp=;B(%vCw`uNuS`7NjM z+IC%CCsud+fCc&8-Vf^wH9k9zvu*jC*TxTXdJgL+H980#9~V^GJ>E4QE1PGzy?*KI zT*r*Jg>N5uZBsiv@8jWkz{kz$#l{od_d^7Z_hqVc9giCK4Vzn@id6q@z)Hop-0yvr z9RSCyQB!{(I(v-?eSvn1!Ljigp_cDw)lk)Tar19yjrSi@PLHquXQ|6%txa9)bVsTT z``Gc$_BoDzk;^3kgTT?IZub^)pMl4$%-t7F>?70xF!&Ydzz>AW{BF1&EeZz$ki@A+ z47tGmM)jb>VcFtZJU?R~)z{*?fPpwr$Xo!F+RXw+E7m|2Xhk>i=Aa8nr3$VAmxLWG zJ2Lf?&{-5F+uAbl5t=mYxl}hvRY-!p(UpQ)5RZQs9}U2&d-Ib$(j_@BYwjs-l(99r zIAjitw=pio4*`6!f_ABK0U+OCX>1GQ@)vT0pjoFrD{Vp;t9g(xH2qPTT>~rR51w=? 
zr6mlpp@mImV3MTHxT}sCT~5u?MN0VOi0bOqLxDtiixAmKysT79i8YSQp{9gBR_ zf#FtTpprvU$eTZ3WEf`5Qgqa&%cGOT6g)+0wRCx236EV*B5@38d};Rvcrt9&Izd0; zjA3dPyr7V}A`EDZSFET*wpSlb*_mc7R}izDjyK%&yxH)d4b&~;34R9QqZ zQn1RfYRQprUU ztP~>jMS_f*x6DzX9mAXv$WWaPIVxlGR`4|{Wntuqf6`xgW&eX*c1%cIV9s(=eytDE z_T?@cR>}$8Al!dq)>VON!46rj>bJrgMRY*M*tz|i*r(k_pBM?qKtLWxGcXtH1xqgc8b*$q94oY0js1u>f{E6n z8;yl*k8gEh=5^PHDWO&EoOD+Z@nD%rCVy~(&Q`I8y?v@qu2`REWV_GVGEEHzZPp%< z?hsE*-`8ui+az%n+zIrf1rvM}L0hTCxcz4kF4}a->d@Xm^1L z=1L*AYptwEt3#Pv&wvvM;|k!Fkn%Z|;%-|1q|*OqS(R>A8CAJb*`$Sp4Lf9o$g+Yd znIm4aNc<`(7h(<#W6qTIAaNzGr$|$9>{P!|C~@Yz0QO`)KUO7)iS|i+v0ANeG(661 zh~?Fk7ZxK9J$>iLdfT6ItHf!yS8l1XZQP(?j4FKh#-EX`>6uzFc!sNm6O36CKX{G! zla65q!m`Yy$;?$zXzTbgu}EkW94WmXl~+9|Ecqy`z|6)|#GO<_VV#hKvPUQd%bkY2 zpM|eXay~8*wP{2bY-XG)<>zuIBMj4P3f{mHXM#0Yavl$YJ$&?Wz2$#PZ_f8U@j1-* zJ@HeYK>D*1kjpwk`g_nFK;n%RvdWMS00kC)4FuHxrvY2xmi~+w7O?x8HR7T5dZhA6 zjdZx`JxO zSYYzy%-?>1r$JAT@6-AGpb^)5lD4nDYRljKlpD^l_Ru+bg6Af9^vLGgE4-EKT!5V(^!EO(5# z{%%_|pGpe9rq%Cw7eD7OOI6?V;5w@{*y#Z@Zr-%6M(-PB+dOw+Od9|JyEA>aVTyIQ z`jLnCwomD7-t8AN1D>ONRnuQF3^)DE(T(h7j-Gw7R~(65XTph|eSmQ@eCwx7UoAk_ zXLQG{;+r6KXt}YyT{}C2+X(Q!MT+kGSKOt*yVb7G?1lK=bDYase{y+x#Z69Tz(`dY*^?=Jr-BhWMb4|Vj+JHo$x(h zlck59h?Dm;t|dHYtvP(y&^n3;gcPW{kXf}68g^4HL|nxfMCJ6lglKwF@@2>z3AdnN zqWWcoHJPFSPEqijn9&vzD0~VO8UN#}eKCq+&aHasKBE;O-jNI@R2pt5p|Wqq%!mmC zmRuzgPAgT_933nzEWVId;_nXjP;FCef+$8#T9fDc)H8BHAH|t~zn=uZ9O~0_hd1B+ zxpUA}QL68y>GhZ&vsS@A%tRV4I*4lDe=i62L@Kxq7=5=sRmbJ!>80of@tWLc~k@{^#WLA&MKtj&xrtS26p z$a&ETri>wDO1=vxn$c9n#O%g0Oo}N7`KHOLH^V;un>SUI^}54M9qO_lUS(ahR^GBP zsfB0yPjOgnG`zKCTixRaEO?MYy@!fN$gdtEdf63nx2}(gI zT_M)zmsbSJHZjULi(}Q86OYg7VC~jC^_;aA#QYt!)E$2vR>TmVK|3Fz#%5IgSsgzF)9L1e$`MfXn1gX|fQt9^L3ot+Qf40A9 zQwnQORLP%eQ;>+{?bN^pAfw~L{&}{^kwKS8@TQ$#kWby2tJ|5-8MB{6f+NJ?5!%-` zY5iofqN8~qs1A=T`9b%S?au}qu2I1q^2TG$24l_f}Mz65kcyOtF+MLHO zt5#jE6r(lC@zUr>@ew+-dzWN8;vyO@!D5oVLff@1nYgKGbkFjrcj=@lTd~`H+6B8Vh70W`&>a7gpXoWhb;ei zi*c_(JQ#;{S`|NgCMvl~o-0&l!&VL-QA$W@@ljCwa5{GgEIKr-VN~Lk>42efb-iTt 
zl$$o5gs{tNp!E>Rg7)r2e4Jo!^v?ICS$4zgJrF0pIF-&W=lEybtFxC|NGiGhd2 z$<*TY{f`?RHG`0T5|CbVyLriXb0I)hr)f7kLeRID_|;k_m-hP0 z?H;|)LB4hU`u;Sq#{1skn%Dk{td6U!kL2#7C7v5A?`2!y>-zElBbtHpbp+}LxUS|2 zc%)O`G+eZ~T!n8T$auM(GyqPt%5*!QO`qU$d7V&vkbS2|4-(Z}#0fBQpZ4;du&wXv zHDv*I24wo&wl-dH{XYCK4y#np$31pXW_B$*ZnnOjAzo+$_JgAhdS~o-y4xYLcn+;x zPhj+yA5-P5?}9bfZ@xpwJW%h>$wTY%T>A6td`f(__YC|t`4hg)UuXajXxDK*>;Vr`L-aharRh5xPczXs+jF$ZHh2LC$qu$H z>t>_XtG)XfyFK+oofH>cTYzT=h4!fNJm>X9gubr5XDETzbE91WkM6f4i|x<9p@Vqg z&;lD~%ac%jp4a8`0}_0VOGKj_GB>@ZNj&wt`CGsp<#G7wQI08xdy%V#men?mKD!z_ zda>QLhxsqKx*gxgv{Ma*jsnk7uSW+CgFRnB1sFoWRjyt>x7{YnHTTQ@YpG86PK`tN zhl_8j0s7P`LGDY?2Vsx-?dSRpV2o=I$n^z82LfBZAMHCr%mBe1fo1L2=E=fWSIdR# zUiRV;@bmaFabd18?}aHGx9p;I>cF6F-mI+_c9jRkb+pc5O@^A#$xTk7tZd4qDX*>BaQU}M#)-dO zR%$|c$8*mo@?ts4M$LkORi`a&;#&*of0&YpPIUZ6-Xe=J{P`AIL8)A=cQj^wTIBpK( zNvwhxl%kxD{V@zOl*U4QOK;7N?H#H53jXNovKDr4FQPigy+%|i!f9a0tANwEg(<}$ z6S~D{g(#g}12Tt5Y$|=Uq+6kxw&9lgybg*5Pt}J6OD;{$06U;tHxgQz_yDk%X+p_D z7G0;Y1k;0}QXEeCTMZvQs$%r-90F1}iD{b}#;!X988T}q(R2Lt{ve`E!mmWX z8u>|oVDU8v1}u0fWda!hFR~9U(1^!LD7LDVOdNy>8wF(`VwK~`m*l%93NZsSTZ z#O~YVYCtPr0c36POXW|dKktPic8zcS+iP13)u<(Fm!r!)fd?}4JQUBbrW+d&?{K`d zjrDbb0cdgQEcIe_h!+vj%*VgPFv+C!`)SF8(|@p+oKid@rPc8N8snRStE18gM$<|~ z9bgSXvs{=O9$q*KS)r%$CPMxy3UNk+FTqab9APG6IaLyAod|ShFVXm*UpgHV?9qtS z(Go#w{;PQp=uNdsNi|gbH$@EcK`zhPqNIgd(6I7SLcCsS44|)zHRYyy#3O|OjrHxa zax2LrDrqRpQSC5iThPLXc1hY_fz6vTvL|h?VHRL2J*XX%4}j&C3C*0^tU2rc;3~Lqbpdyj=_7US-DP(4Ix9_ z+p>nT_<&g^yEK-KR^lC2C-`-+X;*wO;8)!fKdA`8&;_v14sK?U?z7=}$e*YU62q`IU~3Yz1>C6QASh@~(JO@e_bS*La+DQBt`b_S>Y+BepcW*%Hq(cv}XUYRg2 zRO!^Va(*U8e70B1PDr{47Biyk%G9@)ew%cC8VAyQq&8r6!nRxyXC3qZuQ*L76R zCn-IIn=@)I#JIgO-w?ST^3(CB9u6T9>%#KN8V)qR%AgD6RvOik1t4uB2yT3(BuS-t zW1E+FksqTKMxSAKv57k$4MxsNcG+i#bgWa7Bzi!Azr9id z1#?C&_9YN+Z$r@oJNq2tq_QH>h;^u`*U(iA>3D1#g$skyAmO-p)_xWbP$eStoz5}H+eNafAW)Z=S`Gb{~JrQ!=k#%dT%xr8BClY%=h1wlj zmTBx|5pD%T1x2V#XHj#N3##hmAW>xBaIqqs6H#V8P))_1Ti!5rxsU#=rnyk>8(O0&}A?_pl5)t zj-7$XU?a-7a&Uzqj}B04hSziaWl*CJ`0DlX9*L&erODCa_xNDLu&vl;>9`y}s{0&r 
zp3R-}zlGYY=~{rcz;jLUef-1=@K}vzfKzzWD*Tv$f0;I*r(AC8>ok7Y-TE-B-!t3Q zyE-?sHz@cPg*@MS47hmncYL%S`#sub^Sa;dHw|iYBJy%O&qECu{I>K57}96$T26j% zKQW9Sr*+yymyFx(c-d^y1V;O#Zh4*KP+aNm02R__d9HOTmYbKi>-a`*d}i={4fL-2 z>FhV2R$6#I^gYIzZupb+_OeOn^(`bS>Ss*X@m_YlzjSmMp2~Ks71uv#d~$dL7A5or zd~yNo{vQzsZ9E@IVDa82Jm+-`dhX-w5_C1dDy{P78+x(3M;Fo0g4J2i)Bb6jf4Mj} zw+pRxd4ODfQcD8L`=psBg*N=j(p0uC7U-xYW zJpijrHg_?1Q1-@WPK!wbeLr!HZL${&`*0Wcj~!|nfy99Io*w~52TcsJX}3R`S`)&u+$xSbRCyM20ILVYhr3Oiff zo;NxU)wWFsZ?pfq3peO~7kJhEnmt+Im;0I}Tu#{ghFlozzv6jy;3lwh=^J_9e?0^k z3%-|~^!Z^u1S~X~4>pPMkb7V}eR9O=r#$RRF4#O)6ra7U6Bc=Z;WN%vTo#W$$>#^5 z(JIT3{VLo`!1eMinxCEz{bj%qDPQT}jTY5(=scYg?%SYBNqQvRH31f5ShT%ne?(_6 zu1YL?p>p(xfM6rD{t>Y@*_9lM!xpb#mff0wC<|Cu={ zFB11iS2|J)FU0=FO2PXRA9v9L4Q8>4(pSCKzUuIToIb}KEAO$8&dgXKa`4J>3{3H} z7-XU@)e%-7oa{}IS%Nn{bbgvDr^Zm+&?t}+Y1Vl{-?CK1D>}J2C9F_5+!DkB)y+`5 zhn8q1D%&9_xbL5gJJr0#Y)xwSq)5pWV#t!`UTiF6p0eF~%gO zE9ClhBt>M4@iW&d9SO3Dr$(L*qacg9VxNh)HAH<&q=Op4Sl5e}woPqX5elLdQk2AM zB4~LJyztxXTs;{UIc>_BbhS#w37Lv;KF(#^yM@X}eK)3`SfBD|D>G#U)_BZ2^uG)L z&=(RZxdZ$7eY9p(kI2M)X%`h$f)^&9ieW6}DfMbt)b`2@Vq8>f^U`VuF+-u3-)qo5 zPn9RZ&5XrT^0huniW+CYvv&c%AqIux`+(l5H-Tv8?a%E%^rKIX-uYDQ8c$v83qk#X zMm8{66j&3JVEwMe^ObhlHr0}pvu3QSybO=1NZbA)b!D1;%p6X+t#}H5IeXRvWzdA8 zh;k1}1~C{TIkkZts^Wrm4x{e667Zp^uo$}+=MGYb8S=ojEcgdntVVyPIyj00Cpb#B z$qxDLM6r+pPhF(X9~ci~s4%6e>-Q5v%gQY$Mr^TiMEE$$;-axhu$y=fIaV0pE#I0< zwY4{SL*_4(W0bbgu*p<>e+d#SaOIHiM|kuwk|anWev~CSJ5p=fJ2@ zl7fWu>{f>pr`7IBHCA}et{JIj!>s8|8Fg8*@ekv+E7u$f^mxfX(h~pKNnRnaEkg;q zP8=##~XVv56(>xu8@K#hSc-x z1ci0$WLtduBrv%2F4Yw~O}v9nS4KEB@FCezWVI`-J$__xXT#^JN@0-{sdBN^vMMLX z&>c%DWoNmK{<|Mi&kiH^4p(;LAt=)9l=sjpW_2##s?P+=a%7aYHdDn7?HLyRB;vHg zOm&JcwyE%k_PC%wOZ!!`(U6%S3=UF6tx095JVCiCM7sr1{WEdY9Z7T%e>ACNt2n1f zIg}FGJa=@3r$~}Q6_O+Lm%Ma>R!F&1VQ48D?d}k%fOO&y{ZJAFlN$SEO!*d7r>SBX zu{>zMs+>FWLIt@2#lcNw?X!>V@s#g`9o*PA??t$<=@ne!X`+SyE5NU?Kev6nAg3yC zv$}wr*%H5{fV}OuG8w=JAe@khQ*IAj-VYS`yD#EPWDgYth4Rx1a8l4@&v~756b#kt z_7Xg#27G6^DEvtCGaC2k(Mbz9eE(3;PM7a#6?vmH&!@}J=v$AgQm1cPnoLff(WKEX 
z(FELe+~hwWcE9OVO7LoOyX3Yte4D}bdFcWkWv&I@%H`Dg@8>Vn+wCU}IMk`GT<=>p z5q^XD?K5QWdR4h?3K?|l>u~5c?=jRV^n8JRHe$rDg|7XZ*O@2qW#|QJ-~>2)z|788 zzrW(-ia7Y#9*wX39dA2Q=0{(zTS3v1L&pmT56CC&~e}U=&i$v&w2WSdCZOAUC%nr2_HHH+Ue#`4F zRY&gTxnT64V18ycH7adANW8aRRiBKn->UnOc6Lp(iG|Zgq+EOt{>NWK$8#$VJ8wXv zk1f0R#kz}qr?VYQ*V%>x|HInO4b*D)kIRN7n?5T$uS1&b9?pPFnw$3nXbc9wOX=8j zjc+ra!g1#S-lv{-V~(Ivm;k@Rw=oB11`ZF&S)T+QbWW%57!N30@0~m-I~%(ujFyKc zg}&CsNr4XMtKCbxGIp=G)`wG`yJYo;1s%Jh-L8Er4Blnk&%%pT90vZ2jx!sC@A!$k zzCU@|UH}sh$!*kthc^@rd#OI{_vK^DE}Oy|{XSExfltV1~4D}09Bq=0n_ z<$;yDzLp2*o%@Rv_KuU-7Wpnfv-Rh_9R}jdR`V)eHr4W;)@F6*$IND* zD{IWvUY=RL<@PPP^S|x8wYr-{iM8UWGZI&plf)<)3rZI89%&7XJs;$CqomDIVi zHb$V63icJDZ7R-h3eOn5vkgt&Ak2_0EmV~-muaL1W&JgZRkod!O+b@}a%?zp$@=RT z%2C0Mm(d7J73HD(;*h^}WgF-e4psyPX0Bx*Qka~@_c+L=>>BA@lQyz>1ll6~`e6l2(HxtxwWc5(xa!!J1ejq5P z-cVWLW&hi}=nPdWYvJisImwCZU+aVp_N(M%O{?QZ<3M3A*hw(kbZE-0`bVSOX$;&Q z1{FgHWtJm)gPGH%4EhE~@oQ|uIs;74&^VE_EMKH1lSYE$Mt4ZV8ttliOhGWj>q$E{ zl*)*-bj7w+7IOY1%O}Wn3%d?^L$alo%m|Q+P{Wj@1zGpgaZGT+!kuE5(v^l!{d~*0 zYs3lbe}Sb%)Ou

<&WHfsjct7lQ9l3tbaumkN zX0SbC!~(oz9A9(Z=N4q!I7rx=vY6VyeVy&v?Mx?mvwzTZ8a}7@!b2CitCjZct;Y~C z(R=N26B5Fz9VOjaJUnldw)}XR;n3>m8cw|d-0gJ}RI0gp=;PhJjfeDAgVxy(KN+Xq z#`Q=)FYjvUzOo*;ZN`JLsxPhvrqVB!eQezxo+JTwb$$gK0jFRMkkM}Q$7mf_aA=_W zBG%=a>$2IS@YUIK=j(+lDCe44C@-Nq^4;D}Z3Q2Ve;F`QJq>m-iw)G%?Rv^-G&gUi zSK2?k3kp;?_~UWWalS?LvJcku_q=ZB&GR1DEwA&2^0o*c8CxEi$H~U}X-p!0k6HT^C=hy6**|nR7}PfVub^@`LC@0A7OD9mazi`vztDd=Qh| zEVO3hL>29ynK8|n?DDY$tanDOj1E(HCw0_}V2A}bT4g$+TSRrKhCYj1F_us%^S{qH zW~u}qzB9?ZU6imUkY+2g!;HvAZ44L7c534F8Or`0FvpZg#a%NK)aUsrR$R3BLi_zu zFrZrQ--kpymkTay+YZGdp?|YNHOddR;S__*=GL)t{*nx#nH4J3hyl2ji?iBtRr5%# zAiDzN8b#`L|L|yO=F^l$#m`@Tiq^Tf8`(hqF6y7z%T$urE4Q&eHWJ2J2(yuWGdg($(RM z6cs?UpjEAOj)gf>+4;JTf8+7PnrChL01$4^Hzg}C`!F;npXyNgYbK(5W}*{gQEk@} zA@ZZt>nY*Ci#M_#GN8xc@92XOaEduaeq_Qd8Yo%2HIv#93Kc+?p>3+m!4EhhI_3J>^6~jR=t@MI4L$>-eq>jf^o@uKVAmlWbMFI5F1z z&%{J|O{C&%Kcw_+^=frJnX!ti#8}hGbp?#m8#MJX&g}IIgv@MJ2RQ_5)i^)V?@8DE zLXAhrRh2^d#$Um>(Hm~en@wCC7OD891I1KSo<6F#psO<8U^%*G)lZv&Tm#7A0TSKKM~oWy#oXoTM25|RrN_& z?yWPEnoJ%GTZ-lHK%CD+YAj5DeHdKmYILnRVp*c>gRkzo2K z@eV2EqP$mN)MdF+OGT>45Mw<{t>9De@4~7N7}dx2(UE_AwPrc@27a6Ci6RHjyrp<( z^ZawR)@6!)V_q+~t zg-5DP6CoYDtsVRRp^M`+fvSlpw8%vGG$@W5qLbDM4rS6UZZ0Z64MO*$=P@g8`q@_` zJLle;4=P&;bsd%C^U4oOdf7IIfk=d%)$HL{Z;*Jui zQtdOwzZU+CVs4?pmerp?`R4cHx*(3DEbR$p}&&XsH@a$EBfVKOw$ zoeOO;wL~*;y2H+y_#}{gaA?4mksbRM8^J9V8R~sh7C~d4S(&u6A1Oe>Ta_sOPX>$B zYF|q3FKHmjlNrUR4QC^b0i2oS*kc9d=S6xtt_!7K%4IyBt}?93y3}5DysL^qBvUka zoK;^C4A@58O*k-N)}|=QsNxCDMtaq&hY#UeD{M{6`^HI#1}r9`BWyVtuN?_nhZ2SR z-cyJOQ}7y>trve;*8F!I1qD$cMX;tqI6I+_?E`?<=~u*V|EqVHD?t}+`W4;s9rzZ! z1KJcxO-*z1PjvA{Wuc>N4 zR~DUKqb18w7O$?lz;(^Z>YB+tCr1I{+pgle4(ISwVj~vvKUaP2fEEAn?2sC^@Rma8 z%{>3+(@@?4Q+0wHijm*hBX0q{kk|dE70coCe|!O*W^Hci!bb-F(9Sd;`$O#J(>^8T zctf|V_xlczHxsvkIiAAHpp%ivG@ZVwz~k|0qpQ8Y)EHTMU5*+$e%=drq0&Yz8-=&P zxABio6F_C}pzU~G@WZz!F4yb6@-Ao%u~*00$XxG&V;e-tXv4N25Av-Bs1zsUb<`Bs z=6xNwd&?GZ#(P|RAO?>-c8|qFm~%H?B9(T7x+4}?RlH0)RF^eeeF&@Iw$LLJ6z2? 
zO6A@qcW2Yo5;)>reH%yw>3d6U6SNiOYLBB$wkzm9ZB&e9xE%Xp8e<mBC6|Bn59E;I3+VH=7mOjLRf;-i=WyG1;QL+96+(X~E*~*j5`90A zqY9q`M>pwWnmF&iCuMG5tXR(fO+d$zhG(p-u;G^mbE0=`PT9Gl-^i0q-Dym}YYoZi zT!w<*N0|LgS!wohg?XE_PV)JXK5bsSS^!bYdweK`(b3;;D+EU$T4kQ44gC=BK?O(i7L-T6No=HHbua-&yoDmiu*LUvZFLjTAxq7qU$J--5&C%oU zPFZLgsG&4XaG#?-igI~)=(~lwHX7CWl1_tGcR9!vRx$bGB=BUz5g>1P`S14s;<=s!j#o8cf;#f~mn$7P-Om|~%em(o-S<7N?A@P^nZ79w(K zoum!gv~NAW%%pIC>KSQS9h5>D8s=o=!NFAxsk|1hC8(y9l6L^GqJ%4!I$Bp5Tb1+k zT_QQwt()t<$7@g8t|y?$yJRubNAhE1BGYLT?2qrh$4EN(E?Z8sH6fRp$x zui{Ls=5M5dZW|8X4O0S1?OxasVx?Gl{&@orchpJfc6=De1qX^tBc z^Qo$BUevQZX!JoKpbC3QvYBKdb*(oSMq!SSI15L7!87+u+TBZ2+Q4o-NZyN6Ru(jv zbTCwV)@dQ;7 zjT8>Y;4zxf5Vt|QWq?UtXY9bZOQGx-Zg9zZ>F8@fzjL)>yE45^q4@UIA4^1)4pHJ| zu4s6fg#GW$0_N3fSu)9i8Q7}N8CCzdN78JZ=Sek1w?j!MT=*ZXHZ)zwaL0=G#oDt= zk=oS|pWrf`-1ciTu3uvHtMS4|!wyH1av5(?4R)+HasVkapZ3hK^ z)2q+v5OSR}>wb9#-cY&aSYGeByK;$le0A`7t>$48p`{%rePG2rhs=WVR(H$eg@?@#}~}|M!cyXXsC_DyDmQe;B$A7%+?uL+|72D-#LD!Q_h1;xNk7qWL+n zUmyD6al(tWipJCQjaB6w{s|8fX89 z_Faz?)Di+oa)&(%9?#A?Weu>4A92@ zlTjypz;ilcd#;hAk^2-cuG2H=h?9f!!alE%&RX3vBCl;8q_I^i5PaTUyXJ+lQ}$Y- zHMMz_X~1|fHY~jBhiK@z`_YQ5VaVU1?`=Y5;6>@RQdmjsLRhowARSt@4Ng7n|im0%3KkqO!)ywKm7Y977;m zxs-qUE<9Eaf;jI`#3T_Z6YD8z6BV|45)5X6Z8Xa?^Smtf{n6EDQGn6;d0bMW|^8o1RZ!CgaVRCc#$?1J+ME@u!-_xI+WN%mAX}V@>Q5 z*JMY_CEB&$FjiIfwFWpc`hB+^aWxceX>bM1jx;f&I}X_=WuqJ29Ee>`WCMTU zuc#s~E(59 z@OLnmfj6Re08Z+Ki;{z?Tnsb3RV#BV_jKu$l{yFCA#Y5k#@#pVvHfjX559s=OtKhR z=ZvO!J7pyi!bYaVE-Xa%9)IxK2VcHA+H~1{6c|2`1kEgn58%+*;0q(ftV!?a!JmKt8jtZndKF-A-*};^ehgN+AMR; zX{o=+tm<;tAR48!(2ocQA{w+1+V9=x%~Vv@52#e!pQS|Cvt4%$)61(%qI^sL&@5`Z z{`f*#IBYzGh%;vLpB8uT|s`k2;^qXC9rrW9F5zQI+) zg^)WL*`5o%io|It!)QQ?x=8GsZP*II?4kOQ!qVSA{7l&JmLD2p7U4V2yClp#1UT(M z;rbrBEXnY0wiIN-+gyvxci-bi`(c-CHHejc>F70(h8)!sbU%}C7Z<`Rcj-Lt*(Q=} zIMn`#L0xcN{(A5lUc31TPQc1cJcJ?ConvaWKe%)&BCkbSgrBv11(h8^HPw;G{LdKD z*}q`pve~hUAFG)XvZn#9$BVw7!F9 zYfj1%e@(KB@p1dX#NP;5e5E9%5*3kE;W988`xQB{=Pt%}BLNDzvX|CKO6rT&#!?!S z&qhLcs6g;Ez%!Kq*)Ui;D%Zr&{_sFuXpVJXCAIQPJ@}sVTj-?8J*J6Hl~;?qQ!%ze 
zl0t2=Vh(F4?w3v6&(mC)Vws)5f3U7|_A=l7WNBl)A{Q!@vzzmDPBZ^IVu9}-s;knO zAdamw$mSu|yO?$s_pAoJg@lR`gjf`2vR{9CLxdti#nRxQeVAM*Avz&XO@~2>5k>*v zlt>J$ihRd6SF35s)quxT6fjO6Lr&{(fAU-~d|0uUBlxe*?nLr~AiDO`kVC9hR659D z|CkdW{Gjh1D|u;nJJfU9e(!8oY8o!!u? zU3)RP`L)}rB(-uMZUjARg8wTQ2+Q1Qov(LSm;YYoBLgDufG7lsOtuXP9XOt6zALCV zAocq&kJhYzn?bfLKeeAsor->s_q@zg3&vcg2lh-$ZTdR`Ej+tlI#S6459-S?PIH^q zSB4=J&e;>xL6AO$=`{xM{sNBb7xD)j2x8sWZ>5coEFdT6y9N`@c9SPt*ZxI(aS+gZ zPOv=h?JzyC>uS%!tNmp>eD@Hl?|r^`4hX0I3?umaE|weUa`fD3?|aR?=?gw_auEHk z`O~oHU;-b~wXxWIIQK~YdiJ>Saq8)2B;X7K5XAZT56ftVl{v<110Qlv^rUG7-6%SC z08Ly1oJ$(dJhk>c6TO6OTR{oj4QzpCtvhbS!dKb3n&26%>XwPn1}A&>r?vHb0BAzU z^-@RK{h@whH(uX$mIL3Z=P>;M1rhGn_BAC;FX&bCAg-hYyu(xMoai$BQbX0aJI%9h z+ns;*xRa*TT>|KSbbW7-hG;&r_&(mH-!Eh;O#M>B$Zhj{36^#;c~2Xh!Ae>R*9fp_;`P_4{t(n;BRe2Fj9M^n96{l*|0eP@ix_#0j! z)p68-|50&EYoWv+zWrbKlxd}|ec;4Cu3SA7Nfu+9QFsT>_0ts8e-Heg209&N%U-8m zkQq;+!C)f;mNvqM2IEqK#P!TuN)Y9>%}GT~v!1E!TCV?`Cz6zSiFs#`X9-A_S2yIP zd>V2d(8Q&#)U^JtP;PFmrWdEyU8K%Xfb>b;eFR>OmV5yXFzat1+m1UR?&F}$*6^%o zK3T%=H_w2qBK<`VT(G-`N6d^L< zuM#}5(q7}SR%BAZ@LeN^7-|4237S3iv5F|WxE~(EXqx==0$1VEob04wT8MwNnr}zy zd0&M9o(wJ(khTOk}i);_)65 z`8ydBkQ#j3+*r))_8+qqQoyGxp`Wd~&WrWZ7E*-IaR21O9fzj+tKRxD!;n))BQ>HJ z2FOCtC!L*&b31m@tTzH}>@yp?va#{W9UKZr}L< zOjfQG%l4ldq!!g;JquOpzvQf6SWf1wqtm+*S{T>V62ijZvq(tDZcVshug2QO=Ai2R zq5?<10w>MM#3ijB@qzzWzO{YgRf*CU@1=7jBvM(bZkNDQMn`e99(IsOcp`UZ?^!aq9iL@i=i zwq_~T!dJY#HzwBaV%HM8XDU*zVp^+NZuyH{-w94?1~wF7ud--7nlQAk6^X<}Czu*5 zf~AbeJ-r%(`2&%BMHbOQJF>855*^?~ zyHrVCM=kS0Lq!u8WyTrY_3*)3o03#*!r)MUr?o5}1etH8<>DWB7;R$km|O#t_d4I? 
zP0viho@v-kpVJZDz%b)~;EHyr@vezuCk-Bt=@d9+Y7c*egTr%^Ug+M%Ub+RzRp@V*z zETW(4kyR*sMwKs$GMT?rcD$F7D70}+XVy|43Gt^et`AS6;gxkmk#!Xx2-o z4B3CV;I}8r*W~-+u3aa$7XvnTk%9Mfu=IURs)rEy`+Iwb?+A`qj zER<6C)r$9V3F5wRM5D^W`yG^LG#BZ7$@+ieWs{uqUf;6vF8@DhmG<41{F3>87~(!D zeU|3n%abg87icrzH!hM;^kmHOS^0gwU*eoDa4jIxV`|NAo9R#_Wz~Ad6DYLcANa`W zw0W3QQ@6B_NZ;P-RF(t%%Z{<$G6RCE4t_{Pw)SQR*fHjH?nHW{{eE|XJ$yfY3+i8kB|9(UNdm@sS=$~9_or!>rb?#`y!>f}b|ZnS zZ&8O%b$AbpW$|S9o&Gkd=EL(ln4MNmuHXe=-~+;-52AD=>El?P(whISSzWGS&sKc& zxDz`Fs{D?V5BJOWxPisU zai2Yz%y;Y>uB@w`!OQl)e7*4j>K!abUsSF6hFVP+JyKre4S5B1ysp43t@uE8gED|e zf9srJ2;n;QGm(yq7=Z=$n+@08O00oo<267KTOIUj+m3k97Bqq!DCDzaG+a6@cpzt?!$)lkmltf1$l z1ke(ci2Z^4!G+asrl}^VTWD&tmk~}eGwMu;rG(Z6wM4HdJwng*lFj{eq#)lgCGJs^7-2&@u0dF}CEg#bH7>wOjmLpndaSNTk&>XA z9w)svFl`=e%=JSg8|qAGUUXQVkk`aMMces}k_{*ARGp~)By|Rk{bY-SCaOo5N>^mo zO3t_#!0OA`piC>s3Zrm?yFPedkn%%21C*PRsa~G9A9sFCLpzz0LNXUFuU3<3vJl?Z zv~KNT5>vgMfNe2H3xh6MeL6b$72k5KS-lQ7g1-r!$lS4HU$Q&5Y+mYTY>`W5&Eaa^ z_%B?20(O5F)dSu78aNl$sBy7eChlX`)|5dFmc8#TXG<*ZRjy&H9&+vO*qoXA(k&8& z`rkFUtv(zyP~;!@7NDijn|Q3Gp=6?F9_144`|anH4P`Rfcj7ciM75~6790?iBjUk|^ea-H)s&bv;rD2` z3axY#wq`VwbCRrH#=P_d8HElrw!Dk%t*K$??6W@nJKrHB*#yV3$AM-V_AMCS+`3NU z4+V*>I5|(V`q#?r{UW;LUV`0N?ciS`@(0|lQ|-+z7+H&I;KV{-3VvLV7W{I#wm!=t z5uA`3p(Tr-6sxRg9TQ&(VFMenD0daBRGM(3EY~ez#as+eb`0B>KhfL!gk+>zVvX`N z=hc}y_uWpO{2=2Bn3P3SAUry#D&)0}N#@Jh(iG0|A=8jxN||L*aaQ1?vu!z%{#dNv zH0w#oGUzgbuQo)J9MhMRWd|>!Ile?>aPk=OKT9BC`ZVO!0~aZj=jRlRjC za<*u)RZ|_f&q|zWrQ^2AI*^hrMctA7P|-lGY-iSwDIXGL6*1Q!H>WS7%wI33gjh+* zIpw8WOBf-pnP|+rL*Vx{#aiwB#3i!{X6^c8r^FH|qd~zT?{2Vn81 zP{xxgv%o}y}JDamqd z8WG**{r?ldmbr&eX9}b=112zH-a7PEXeS?h_;dkx54Z&IA^(;5JcgY=5Y+IlydJ$P zuYBm(NXWZ<|FIl5)CFGN&puVz0gEdNq9?^!+*|9&jJ98K*6KVa+Q z;<5>cm;c4**hr8ya4CQgenaQ7Vg*ut4jF0>H<;(%5ISgIm}yK@ICHWjQ#tf|J!?5` zDQ6C}t_|2M#pu)fS?6igR(^elhvD$x?iAeqchrd`tMR$eYvcM|b6r@RW)fWU83jQb z9=WSGU3%GgJJCc=g|}Pj4PO2sEd5Ofc8p%8wcC+H3-o~Qa|_*zdUgh$vp&%v5s&uV zz~|gLVOa}u$N?u%fbkXbcKN4Y4zzsOF7ElXo;^)+^_LvI!|vtG;5Nx|`cgfbe;We)Y 
z47?JdH&OyT8EzLHr#Ug;UwHpTcLRyohogCQ2dMeh&C?A}E}KrjI{G`s%4MyZw~TCZ z^4U-BwymOf-_au~{3JCB^2ff1or`}G(@DxS=@NJ}j>k$f6D?l#<1bV38W-n}grcj65`(F*P)2v=vsw~7^=dmx zli1+hIch#GG_9I6D0CI1HXvL!(RnCha)*fvD&P=R;sBRhzZ&s;si?MQ`HZ+qD1P9B zCyNFW z$sZalQJ>9a(pdD87A)qd+AG@dWm;s8a>G9BT2o^BMq*OjDOwk{DtlHIhGEP8P&Q=K zcXWi?Yq*NI>2!l+fMcwNiW8@O;_`3T4@n$*ZwX~FkFifm2u;je5j5+xMMoS-3Hl2G zN1chBC*}d8*I#U^^K#vZO}XV15%c2cP5bc-bSCKZu?aIR6&b2}&dO$+!~QwM1goZ= z1PVj9XBUd_el75n*sQb-V5W{R3%=L3k0uF@3QS7WmfvRuq#=APb}R@abV8$;pysY* z#1bw@CNKH-HZsj{)eFyw#H2{n6FJoUZDN&uPX4er22`p;Qam@On0J16VqL5HkZUfJ z)6~V)E9c#;*B2qLJ|?%!ry?y5S1DGAJuhdWF^(B3rdey@QN2UYZn@-8Sfd#89c&tv zE7DB?voOUl(}YHMqc$k(p?$$S9+D|YJm-;@?XVLIo>}A`q*j!t;h`^l(rpuHNemhBx zJgQK2)Ok0fN7+lCm!GL?s{f$Cm9COkja!zNXXj50ERE%%+l7&h#}(M@KA{*JPhDW<$bQf>TrKOLjuM3|z7*{2~}!zl!m zFbo7z0UZvTnLJcsBK%R6q*EAoF-i6=kR~5k4T|;A^GXsD8h8SjGbHq|zA^$w{%W+Y zJ()OtEF<7|!1~?9v3{&B$k_B`$t{@cx;j?CF$9N*0G%{7uiYg;pe#IqnE)jlXgP4! z;>Ak;w8O*tK&!#2SR!a%MWR_2^vxXqPL)(c&Ia{tygR}v_<7?`{@54WNy7NIFxI86 zVb8Crq=jO7jEU$Or|EksYi9|l#{KP>bwk3z<_6}ove))A)#|gz3rBO$5^CaS$432y z6^p+U5o*)1JwlZFRZP~VPOJw>U@UX)YkV%VT=i#@`v1ufX)4r2vB)qGhQr8=lj7S& zdzXb^tccK3Uw^)V#RiW*xrs_+V@m8;TH(&z4&?2bdoJUFWmwKC` zFb?HVJj@d<9z9Vjv9*tus6U>oA~4w5+F0AVCV%cCS}B-_k&EWTmn}dqWI=TjFvj@o zju*F12%p7X@ZSMVMicvbBX|rLnRwacoe?<&;OFxkLN0$m69~|YY0$Tg{sxT%U6Y>) zzAyi<;IA=T1aElncYTW$Hy{hr)3PGzR}k5J-Q|blc^+e*!+;ATq7~2q+v}Fot9rU_ z7k1u_t21ac-NEG!eLz=19)e#r^OZ!n{Vv$zi59z3f3VP}!z^S!1`HU& z*|MyGXI_TXHm)%YR=q1HH?FJx_DAOWT6=-aFpS=GoiFv$RCsjHOSJ;;my#c|kA*!a z&#yweZnFe4YXB{q`BM^aYJtU$?T0R>4zAYQKk+L<4=#Lm`H!kw9kThZevb!vAETY| z*RewNubm?6nhLsC4OAi1mtP-a!vsGoU#@xdDX?xr^NjJqfO7x}Fv#d~qM1A}9&nn| z8g$FM-y1OWYM-HU$;#q9i3l>Fd4D1Lw}dYX8L9d0W{vdI0=vb2nr5}@CuP;19cJ7v zg|v#$qxIs>MyJk4^T!%mPoMDi$3L`e0?=4HEuF^3pLuK7Nt}U!qdK!#Us!J^LJ+%q zOidGy<(!wRuj9$P44-D$>bw+zp10AIy9^i!8|JCW7(E`_Gh&s(mgFuEi2%K= zo<%2&*L!gkfU34*sSdBheWdp_$_Arno!{Zx_{Q2^Vz&4}s};%DH`oEBVdj5g|N5y#v^_M%Zeo~5O{j&Wy9W*dH+|EeD zj{C3=K6IOgK8w6y(AlQek8mB3erE?l<}%2kVsjL^5hx~<>7NRjZL(nssoLimxb$LU 
zs{EW27;#r?T;&OyN=_amN^<^$>-vncFg)|Xw;=S}dR9<-aLz0=$1Nd{NTRC45*7;c zv^YfA{L`T7Tgg-eM%_o)e&pDxO?3E_tn&4U%Pmd7##Ff+-ELH+#{whFlH`=XUgib26uro?cBf>PzrGv^=Z|&ko_U-UiP*;x+5ERG zNU{5ZuMW@eu0aH!$YFVG;*9g32aK}VNthg5S&duK&4Xm)qXM@jk>O(WH$PH1LcTm=!GUnq4}3^DN|g{Th@I}<6PoH zyxtIOnqhjqC^&<(@#c!JxZc$BIPP#J^P0Bvqvc_V$zKv>iKjbQir=%R7lJ`F#@4@S z#x-D0kpoI%A&8jkeOv z^XyLqK7Hy@$cJhVUzt|JB9A|2yw7zSP_+!LTlOlj+E0gZ2HJ_I>Br@u1FMebNazIU z86cIx%idu-Lkd$`RZ}4~o}duZK$pXX$hc919HKFqa9+e%Di!k6SGGE778MuChnl^+>Eq6RcO*K=4#CPR zZ#wpQf?7&`pMP+sH98}lJfHV`7rj61kA7uvmTd?}RjtvE4JFbtX4WzJ{mDXspi6h6 zF`TLb^FT2=}mLb{;XoYR39luixv*FApAiplVzup)U<0(nj zwuGT5+t<$DY@`a2GorpHCe0YnJNlmh>U#@~nxNV5zbypvy5KAbydQsT6+G0@t&Odb zm*i`mH3P5cK7mxkx7@`Bb+3fm_C;mKQN#KJb#E&Ez~ONYuL86a7HQew@Z$^x2J&fO`mBg_E()zOqo< zv~md-h)jv}EhdzQi@{r*$zmv$%!p{@{J1lQa=v;@6Hw8K^Rr%W+0gNCgUY&6Si0N*+ zRQ=PSK#`Up$XM}1hI&&39b=hhHWwCAvE{D_%U)}QnEx}5pivPN(CghGh!<2War$X` z;u&L89{y4PNXB`ZeC?(ZYOk^82v&dLgt-0X9i#s$6+(cp^Woa%c|u@IH~(sMEdLS! zy?r7lkW|^>d}|!%4Sb#x5k9}43+x$%A`7QGxxbAy?}CKAfz4W*mJc6W@x0{O*uB8X z`6~z;k8E!E%iuUarGS@mM3KkroUZXW?SBH7$5yR9_^V;lYu(Y0FZ|0MjX?${H`km_ zWG`odbu2zdq&McHgMWv;dhAB`6?ONDy*fb-#OuEOjcn`-78`!?8+=dKAEes>|~&5vcQM)wti`MTE={L=v6r`^9r*#^RoU-P+?o>RS-hz`G@2vdLq zo*&Q-wo3Dj+8!7DE;?qOt%4}J1z&`3hcumx0^e!|tE0-%H?GRJBjwakE<3@^vD@{B zIYD|&$NYUcb`WR?nfu^T>U3xxnCzMIZtNuz&oI!@!~MYx!?0uiq&h!NIAQak7EpUz zUJiP?*Cbwde$K)GzqosC({6bCfJ+~22jZQ2GL?h^ujq!!XT1Guct0Plk6gN)3)C6# z*hPaB%ZM(!gH{v;;fXyqMRr&Mh%W;onsf$SDC+o4(T2JJP1Rkn7#S+ z7pG^hwnLDiYY1Qrpj!$?$hgk7EqJ%(K6TyLG17e@|Dumq{aDT zGz%7JL|^_1StoHlx{`khdh*s0Mac@Udn|C|FdY4EmQqpXY*r30B6FU~Dv-lp!~3(X zQ&yq_;3aBySoX`)hIEK)f13Bu?7FD#w>GuV;=rIyn;joGlNJ@0(NvhytV8J#+gl`P z*3d7*0%`o26NTQ*skY2;`B1{#0j1Z!XJSf5?9N2I(^5Za{Goc&k)Sts8;bY9pZNQm zFK;LJ=b52`(tewC8nL~CS(A`WT!r6xf~G#aTXI=RYRAB*XRWd?@~D2&kf}G@Ml7i$-jU`Xhpwsn{?Ipkq@v z?t-wc(M#RCj`3TRdUK(<@P%b;zL|a@iPjJw{%Q^w)6_ACWy{E!xW)=`sqbV{t-`nY zei%YD1mD;PJLtOVslI+PLvA%ZAE0z@O-yuLJ{wTufqvP^LgdY(M z@5icCm}JnnC+|Px!R6JxZ~U7}DIxl6onW;~R_|P2 
zdCsv2VeETN&thI2?2MMoH5qN{cDxrcdMa$eS8?wM_fq$X9Xc|WH-d+LZ>`r|h@vZF z%0dZu{p0G;7;w(+HBid$wkYj#D{kvehCO=)jSrxYEBung$%Q4LHZ1xjHI_+ivmJUVcoi@YYA*>wUK7s+~#xHeh zz2!=Q5)mG?nHCtnW^Al#!M}f7f09L(38u#giUfhUREeTIo3*5bJB*=_9M2vzI@HR0 zX(f<&&e$zA$m-h?uhtcis#*Usolr9PDe>mlu>82AXPK*Dsl=WnM_xv-tGJK^d2cEz ztP{u+)8VskqB65Yx+LY5(V+Q5HI^#-5__+hph4Sya9 zFyKW*z@g4GAWK3}?q0s4S%6J97iI6x6`_PC%roI(bxf#K6`{;B40d$EvO0^gagl1w_ z)u3&90}Y1j-%T_*!|>_xG3^8gofDcld zaH5fCzN0o=CO@M+R{Nd3hx~_yQn~1{hx*q~(9yg?$3({Mr6S7AYQ#v906kZ)Gbrx_t3;%BpU|*>W&X%(^d|dO@I-xuc$Uec z4Z_VRxdJpfj?l@HF?bratQAVc?%3bsEf7VD`j%!yn8)L@7z%h9CX$UNSt;_g>inTM zzKiDW8pj5KgghwKGqyAECsY4#Ja;c2RAvFco&ptE?*W_QuU79?iFC2)R9WkYIpMm%;ngeczZ^=T*-@xRzc;8(8D8>)ezH{o*Oy+2f>z z@S$bvATr9G7b}n~}cpxvTX1 zTbygUq6u-+H226T8mX&ueSeb1+qH|0S~X;_evG)I_hcm5yvjxzLq+IkrC3(s_TX+$`4RKGkxux(x2a3X%+rviBr%xZm$ zeP(}8mp!d^yLC-;ac;3)09dtL-;a2B3v6)lJu(3=*E&X8>nogi#djL+27s&E&6)tG zrL(!kwX>h@BaX*A!f4)4!-pj52BBlR-KPq7VfP7hyqY>SBhdX;yCxKriUJf^H~c^z=XhLa%4%GU{73ALQCexW_@$yU`mE6Vko^zF9L>3P}Y) zZVAnG3&98fVK-MncJpe}uQOz|A3Mq|0 z`yK$r4!8#>(ceV2kgRwLz;id2f0BT|ZckNm*qJZG!IzqD@Uw3TYdW>y4@CE4#KK*d z{?npAkr*f_opV)#$zG5$Wzd+r3x$onh%QBZq9Th}cFxDzN0w`7cwLZ#YA=Lek|w^C zhGBq@vN`k14I8^YUk3@TP=+vL113L(oR4+xWS@m&1mAmOfXr$7JG^8*mr{!#xpdhd z4Sn&kbN_f5%K2kdahX@~L`har3fLzJ9C>xh-u9@4v4$g&u+oC{Sc?G*?W0)KRRgw)y88&{Q8bx_lQL;IPU5%T-(2Jz&w1}7&PMZ{;Z25VD+SYHMA(7D1 zAy-;c|ezg zl2lyEZslLQkkaL5p~>DJ?1oZWrF`nARkHlxLkP7VF;fuy2cK9oe=TPU-knqeC1N@z z!bk@7*Sch58|v7!&M5h}=9u%KZ*xn*rA^ge=&;a-_v(b}BB`mV$|aL;{G};5kXk?I zdFP8I)3^$o3&LtvNS6tf(~ucy%gm=|U^^>N#iX<#3gDNfko7srel&X{sfyyvH7@|u zr@^-H37KCFc7dq1`Bpfn-DLm3n;K$oEntKf@WO{@;CPD$la~FyiTs;rQ8bXqX73Z< zgNGzi@;dHXGmBL|8iiW8L4Tg0!`U(w<*5EqnZJIF8LN@*=*)ZCm+$d9m7A2eVW{FU zzfwagX@`v~5N$0}*eyyWlVnJEj&A!E7y5JY&EE+J@Tra{>^Gj- zjzsI_a$@dxPYsA77R&Y51;|zQB4k)F?PcX2Fz(m_1G%uv0sbN^k-!yMtvGl#$t-S1 zH8MRyG(%np%AAS!CM-j7wN!wcQ^##EM@Z}bHTBT5FL2PmP`W|2IT;P#pIh{n)91PxICPJ=;**_IumTV+EOX#-zx>6_oYQpak3r>RF+T!tLIJjw8 zAr4Y2EeZ(V+=?bm;e$-{%>FyT**1uAeqHfk|H%r77uGo|*uTnco^T5I3KlL9$M#i3 
zkMKr<_<{$33Y$<6a&gxelZ1a;)oqZ~kydrp>MHwoe#qde3($2VNwq7h%dQb+p*x+^ ztKq;N_^GPBwefj({w!TZ&9t4DiSOi+3E*~@8SNRf$h3NPDa8-1bqM~^I!oLPc1xCu zbl*l=Ib53;v z!1D{r;&(>7-Ki>sOTIy%es*wnTmC;rkG>%KDUfI2t*Z9%#BDX-9`~-R=|FddXjSdy z9J<3lB;c`b{ifh*xBUVWr}tI|f~wc!!Gwy&{y$S2uID8Wt?p|fY1?D=>G)0VmyPhf z&d-nYB$=HEnB(iWRSws1&FY6@LtT@d{6oA4U&FOt232_9-=b-}9Od~eZ>{&&cfuU! ze#>Shx=y}FXG07#-Od!+N!h*vpGKv`fWX3zpI?APDbfT-?k>W(ExmICcEvNor$R))lMM#a`17kC7R9w+)+z6OJ{Sc z%h%4An~!)|w-o63O83J0I<@gc`4rdr@)exB0HWw#O!IHFe3K{!*iR2;M?hqEAkAk0 zGmC?_Y}-;VI0zJeMqCQh6WYn9HYD|sbWW)r8VT!UEDHhy(|33QQ2~RWqd!Zf@nQJQ znz^^$o&t3FZ8M81^>c7|clnOKOizoRDicrl!4e}IQ?lO)tguSfVwhp!5u>9gpZRuF zb5P(D5>BR+hTYlC`ZCiPvJX{Cn4t}d^CMx0t#>6wWjIbS?Dg7jR;0#j07cAO{p5c* z^((FKC zpHLVw@%RJk)uIXmi5d{?Y<>D3g+wvARBwzde&m)%ZDAzTFFCQo7Tb_wQ>$#ro{nR_ zwmld6vo`|ypn%HXb20|g_cvUm0S{5UtA#-{cTRzf$Lj~G{=^LUHuDcwa!hAVVp$*K zrya88H+BZBWKH7g9aF;Ni15OHuu8*X&pkJZdeC1a8;?$(WmV9|UyNvbsTXz>UH3pS z6NguO0)G=y=%sU{4dUwGtKc<9Uq?W)*kQ^3)oM_&5fJtIe z^CjwgLohW@;2nDKP{-#btfHh6)HE--B|`3g%Clq3tO+xjuO&+e_at!K#&f0-eKqW~ zM=huLlytl@$vN^eGQU0T6R>Oa`-T)Ee+DaQ6#8+=-{Q}5Eb#R-iVRclF!(uBRZ@zV zZHPaajONc9#4!$ z#lBLT?h%!h_s^d9)1GhX z8(W50D1;v}guxQYbVGWf2>C8Udvp4VCcF>DRi1+(JVf7o~iH1-W zo%$z?FS34%Ny9#|(Y_9rBQRfVjQL^OK4LOFqg9w{u1XvK@XQktsI`HlajsK$MCEZe zjJ@K^A3GHDX*p2_a29`#wBvR_i_kPexjfM zbhLeIs!Zc(ESeqOs3^slbRUH#JyoDZ7@nN6d)xzK!Mf$OQatKsYS~i}AMSXr?0ItL zq55;`WHZ!Zn<9GOh%0L%%9zg4k{U<=bePKzZU_PUNnd(w)+yK6+l{EAi#p|v$3XrCG=$-ugI%d=HNJ3Nh*JGla zA965tuysJH^L6uit~~t=`MhCW`OxMqsTGrNFabMelf7W3$}-@*^pi1td)FtlMOeoVlUlgtNr>7&8On@s?YVGGh6$` z&N(eRA0H%jUS^qW*VDaCxjb*~BE6rts!4b*#&@TJHa*NAd4Z0bk~ECn&JFD@6KIe* z@Geo!>TYP_-PwD!r{gG2dnd2!c7A46hZw*p6~@K$YJ_uKD&R1xeV=209O1`x)5b{% zfYf1(z1Y*S2QA98#T_C8)Y?s3xJY&Q7wB?OS}C9Fi5EIbAt?wQ^T_5(Bz`bFB~7>K|DW2eQChC%193R`s`v&4Ah|<9-)@zA^2C zk;GfE%C^PUQCl=m&uf^61+X*N{_Z9d$GID^3v#!*p>bUF`fTYv(>>tkasFGg`o1c~ zYxr-%3;D0dX!^^C>9X?fr{Vqy;bdLN&8kUv3jxqm-(zc=bL#ECPvcwQR_aT(ZMhc? 
zB(^>P@;f~KLxy_;LW#n$aMQh`yxky3{8PZPkH4h3fFE@PoM?9PzsYLI-a$VwC5pt^ zjv!(%fGaFcp&Kn^o-KBKz!7fdqrHb}c0Xh&M=}}Z=3YW-e3de<>OrrHBt2&^T3?7^ z$p0_-SL&kmYSkeq;)|$Wd1Jm_(RlCnY+v391_nx;-<4v9$%erO$wR?%mAW&rECW3w zP2?6|)@?=LRfr5Idye%Y&@KDBSaUUhr%mD3XQ^6$S8@4Q(1=JkHp_e%RE5hcxH&qn zfMfzI952##02&~OgzB1~ws3E(3Iz=hz^P-ga(kbtF54%Okj2X{FFch+%oeQ{gW*4Sn(>4WT`)5&r z`-_@ln09yrVk1teMSvnw!53&guA;rBy|RgfbOEnW2NdmFEi(hx{SNZNICLHf_FhjC z1O$vTxz2=T3B>Y5 z5tkCD@GFBUGWSX~wueN8R6WY4Gn{a^J~NiaCKfC7Fm79YSj+N2Y9$h3r#pukMo+W#XQTf? z7kny<3xw;6KS5L{iT-C(5!Ej(49h_HXNGG)G>@~yN7=*-vmq|8D+(fh+q6t11;I8L z$iWo;54CXu82;cj4lMr@qQl;913Z_;5_v7yr;>f931n#qBx=UQx#3E?CX)nHFY4(E z+Au#i_8%u0V>Kp`N)u>xFMk@7!MU6tBd?@A!IOt7UPSJ>V@6-lX*)O7&aJE;i16P* zB1&*=q%m40H*J{C)550-bLN<1^ixP!NQX&XDvd&w-lCl!jY89hS+0T;uhk~`@_8<~ zLr1S(2QBhC49Cp6cUZ8C#x664)E5pYe#|aIffNHHX*`FwM`i3MyPH?N)tEpqjnd5# zcE=!m6DWg!SyaAwhl+V`C5Y{}M;lvK)Ua1_hMzVC_1?wKFqc7EOkk&FYvy|#yPtra zXdz#zh-{f+F0WpV>&%n6qLzCWLhnv4e?HK!Av5{yR}QUUWUbi3_@}pdAR_tdGX=yP zcmklJ)_z?9v!3f^UuVC(Wg)2>0{h{Gna#?Fow zC(`066+knO?^F#c&!Sj_D621T*^e^ZX=;lZd|#I|aR>3|(+M_a|HR84t)a^8)38$+ z_aIRWxgjI_^J3%d*K0p9V`uB*CONFe!{PgTb+mCCoip5Ill;_dzWVMZpg=FkAO0<; z^6$L?X}ph0GYfoUUXF7_K)!0>O^B@8LT%!qs}?~-dQs@SBJw8N_*%&Vy09wK6494Q zWd5u=ab+l_Ae84U?BuJTu=gjK)Oqz+WT0bY=U_HsrQZ~EL;u{&Q;6>hJb83c)dnPz zYVwfT`}z;(rnxnTto*qwb_BwD)Kr?!rPZjVnEI(D4p9^7;Q}Rb%_Vao1^u z7$@}c6lQe*_jAsEz-klPRjUu0kJ-o4@P%?j6#7R}PiQwx;9C%kPnSI;6>MVllCBR; z)tv`VodZ9eB)?!fzkPOvxLM0{PPueQO#{x?Pa)I8*zL;$`xE! 
znYDUyv#u$7ZpYrbK+%5Yz0KV|TK;BU82Lad2)2C`KFo0KYx3A+${4Ef=uMoRom!87 zT4mMTyjk9+$)p|^jpDv}(6wnkl|iclKdMh_``>%Z#eOJo{TNm7W+LG2$m>nmMrW0~ zrhY^aJgIImw316>#bn#KwgFtZnG)Ny(lINYm~?)v?nZK1xki}Mxl()laQW~5K6h8& zchzi=+IAl=BsXci1T@+RaCCTPn`-iUHaOf4?_Cpa)c2HySEhMc!?@dR>H_ums?}`5 zZ>s=rgHFJ=c$6s~%VHN2lSSob&uV*!EEDf8i3k4ML39*&f*jP(3Cv48@^%G>^4Xmt zMOQuE7?-Ca0J;v^`)_qM3+yOx0Lk2j$pe!bPtB*gT~JFC#I^Ihg_P@Psw-#!*Hfn- ztH9j3@=TQ5qt3OUuRop@92SX3F~pz{80uejaclSqGOuq)wlJ~*1nLA{ zZje;ZEQsqSFCIXDE5|GB5dqd0}}8sC7ylxCzKSlw}Dy` z!rW?hh?u>C>U!s%v&rMb;z#=paZbBBKMiAZ0&x)L5*nnYVe(Yq8m!o(i-`#Aw<2=5 z`rW;zC09>i`{lcf8xw1j8Z3^;m}FTp1$%eV``$V-`sOL&8HUL}Cg$!Qc+4d07`(jYj&RS&HN{!POpwORi0*!hpND~P( zbWcnRe9iE}W>G*3ttS~@lsV7t@FM9Bz>VMtif;q?mgt;-*zZhX ztAHO$4NWC0>wJb$?GZZ#6p}zejvux3OWgF#YVI7?a}Br5EUhs7sc81q9m5F|QK&xFvN4f?=ogLQxd)%gn}x6GawkiSoe@FZu)MafUey zqspBW;<&;6@;*X(m0A<>X1k|Pvfer&#P%Q3Tj}@btLX`_YYNN?n418+nX-_A;}PQR zY^`ef6cGB15GlvN)D z)3y{hpnzObSVq}g{Y|NOW@>)^@3(Mmp3Q~YW#85N7R7L+uT@e=rhaV^QCnSNwY17| z@l<{#QRQTMO(%_7@;`hMs44hF%_O~tg|sR(G(F zi3-vw#AMZi8IHkXK3+9)8~)(NfB8Ce4+A4)-^D)9_ANb-+T3v818(a{Gv-Q@d<_CG zsYY=t?uMNWD+b&0r8*h>c`bfHTQBzURcV}3|1Ct4kBEr)_5JflQe%+1u!b~y2}3C| ze*4{OxQ(DRk&nGJ&B+-3oBTN9oW0sVK4tSJ$kJ}|E^FH6VW$Z5KFu^!Ug3J=qzG>P3P&h{`wp%_C zvhC|P#l4G~dn8i_j6AFHIX%s66cs1AJgCbeXrmdu9@ zDajI#mX7D3|EYSeM2}NH<01~Kc>d=z9d2E4%%v@Fxf7(4^qFU8x|cH(XN&YaLpd)3v-!LB;Ln;_s)DN9cQyc7od9@ zskzmSx~<<@E;7|j*>x*7p)QKyR8?wD$G_uFExt~88{I!Xs+|Nfa=fhKj3WG22lUoO zcUocX*?MevS{lf>&+WifXXtbURBWzHWZ!SU^6K2b0{ER*+8;A+Cd*XEyN*J2tN6M9 zmJ=^EZD?)B2s^*k-fuVqRxh?VFFh=ek0xkjySDeSoB^FJ!)+e#j{aV%*iEa~dth6% zt*KCwT7uK_I5v&t>zF*EVF*} zL5Zi6+%F^9GB|#6y^emIss{bKIxMbS+im)}b&9LGy}haX_dOo%>}^;yyz_2R@O0y4 zK2kP&g}2FG$K@5qrCU4OqbKsRdfM|W0c|l%+2-NBzn-&n!}EoBeeVY71?+ZF@diIU zlDusd{(0zhX${uNWE^u&Tqp4~o;#QI+)E+tusazwQFvef zp<4O0Ha0?<;e`CKS4VH-`fnt29RG7Ejq>Jj#r+%gySi-87D@2=GgxPcUy{fLuk|EQ zb)zr)S<%dOF4g1G?auPiy7@tI@7{8}b7ydr+|*aqwg&LpJ`TdvX(i}*oNf2E1M}0b z+f!-$GT3g8uCsj^!65B%(emCt*l52$wS8lCnK_tjOb3h$dw8;d0ilr1*7r>^^o)-W 
zkykqKu06Nco7XC&5;I)doZ*k+xLd+);k($|+AXjv8VnPzVe`$R@6LPgUyUdMvEQb=p&C%IX1R}nD#M@%#lChujdc8 zLBTEpVL`(b>5~!ZvK*LF_p+06H^yYYv{cuvMfjioCM$WNPiFE~$3+Ov2E|mx;~jJ8 zuUNC+?OPNRxrW%7I|-nDGl&x#P1uVCVDjRI3Eyh|Ed`2nD$S?V5jKlfXhg`Z{fLxg zUhtA(rvy;|^iRoq5U{6*u@bL zxj|c)Po_O;;r|y3?I|x0c_*dkGz^-M9NMf_FnwLVO*=y4Twm~{OlgL_TjhP~@C*XK zm>`$&L5dfHZv)5tH`O7j-T%9_l~H{Qd{a<2RwkS@`jlc3{dXW}xIr;ht@lRAMC4wP zHrmL)2#^y;S;ISxU7B)&L7_rtI;xZ(&}iJ2IlCfAtq%iwusbrID+~IX-X=e-*_iPY zk5vJq95ukb@Nn-trAmI$Aoc5WNALk`M8MsF`0-3e;;=M~7A4e;KZm-4L#XJdId#~v z82>j~NtaCIxHwu`DV$$L@ir0IP3xA06f~MPxse5+2l^K-6md4_xpfSg@?9-=f=27W zD@_6gB8{h%QN5bn;v16mX!lS|j*B*KHc~t7B1Vu_6B8UcQi>g79>t32uzjUJ5-4uA zG#q*%Y+R)}`?yeT+$xeVYg0Cmq^huAp6Mrwxny4K%T*G{HH-jO9ZVk-cFl27n2n`YTp=3 z_9vo5X*9(48t3y5!GT)Pl;UwoC~e%}-5)q)Hi4OeAE>c&E;?1J6hsRGmChmqD)iWZt|D{lf3!9zI4~V$?pN; zbooel&$cF&tJ}6yS4W3*I;Y$$8B{^{WtlQ-!EZA*Q`I-c-JJBi{4Y;1)g7iQ< zZRV?wKitf#^EuL-EJW*_X@4{)2Qzj1-wf6w^zbq~&*qI~ym^~v6E^d`_5!{>Zv10b zb!ZBk;t}(|Pzzc+FPK1;A@1DaXkO3aJ&g_A^oroKdW`7a|6|sA{}%qE{Z`Yo&eTSA zU2pevlIuq8a#8)YFPZr2gk02O2IhH%?{?+o)^R>-?AsOgC z8TP?Ccr@;BXq`0fv%XqePkB2Co_vUHLif_h%VIt~)TN2YJ9+DrUw1pVi|0d6IEThb ziq|pY!5Y8!>y7G$=E?jfQS;EoVMfCkipT@!9`8i!zx)wWM(69xsODx(n(hPA%?^X` z{;wL5%@}eUFP&(?(pTZDFY+fjSjb;>YCv%d-4RvGZobNso9A0%hl^3~*QA@>yBF-B zaNw%?-IM92_pPkvN0(c8dM1RyYf5Ej(?+FShl}4TJkXDONLuC%4cm3yd7EwC^M#p3_Xd7OJ*g5dd5jFuqN>}CqehCri4U8U&y4>PK{a>s|*!X zQ@nqkx&>8)W8a7zQaB1%0qAHoAUM#QktK%?NvTGi6p|kdd;P zmj6fnU$NfLY@eLuW~nn};HXxNDf$Xq zy}Vamz+ZkJOY(?+t~4-dc671+e<}wg<+PPG%zchcF#8=D6SP;du_^GA2k3NaF@~xP z^PMG$*a!PN%p`e~$s;jf41*3Wor_Xf6!e3?*9vGsBMg}Mk1|VgEZhc%+O!=$uzgd% zg#aElc)`{uFOXn(+7cA1aiQgMA1F%=OwA-KsU~)-k*067dTtU;-!ydy1VHEysQLlQ zv>wp{zCylrlA0<$bzr9ndj@{PhF(Y*)06okI$4N{g)m49+e)G3%_K$Crbs_ z4eBbosi9G!jO#p$5B?Od}8TmmUaPO(jKTyW#k;#DpS5t6bi+8 zDh~7h#4HoXRUJQJQ;@6s5*qc2VWB#f?+pA>E3;9ZN`>BY+V+*o58aX-r`lq0D{KqT zy(1uAkfHy9*ICp=QJHeXKh>L8*Ov7dxy)Xfx^g?HS{PlfR;*RtT#fL)EuyfUq>2M% z0tkve;RrIeraQV5qv}#WQdF-Oy-FqeX_g{nl4BgEuAQ!dv{OKDo`)uBW1>YdocP2H*{|Uvt3LtE?Oy|w 
zjE3y*fNfySW<(lG#kWI6u)i1NY0AKw^P|xsd=5fGI3<^=V@QO_FkQ~W{<{}io1O>G zmlVGBFOH&QytZihc4qCT$QiApzTrJDTAAp>81H`z?-_Uw8iu^KUp_@R@Lqi!A6n1} zEP8^5tJkvD8ZN#SjJ|ZjnF{gPO&I?o87dz}*4~<{=Q5Z^6ZtaRLx} z{793on5GJS_;G5>#!P;JBHkS(-vZsd2Q9u5PXl}sJ>qGkA%|A@p>~UnyFh5qxGP@N z>qpOq3gle(X$m6!-i(Q?ObaRWFT1bVhF&Ru?`g z(_y&En%f!2vXmK&;ldQri@{p2;zP*?z{WEUd>*f1jUh;)DlYY`6K%au!Em7A^~`{R zhW-g#lYCsbl32H*qMMs{i4HO0`8XVp}Zhwh&j z4*F-dEQEmnsjqq#_H4{fkJ*9iALp>a+T{L+@wVb}xh{G+#>QC<9n9)syT_`!G-(Q&9Yiq>pYagy``l zc(@;6{_t@Zy7ex|GW!u0n2`-~_;^Nj?e8!0JKqB;JV?9(3)7$UU;%SJyp$eUxt5g7(>;>e4r~x@tx)Ut$9{6Eox7ovW;B@NxLVMfV zVZ#d?3h2ISDo0&&S;rz>yNXVC<&{A*t-cv^uu+%$1zA{XdfLCW+;kpn*xKdPb-(<6 z4%hK4-au7zN7&7EabT*-6UK8ee{bM0)%w`-e7Fvr!?zvrtatu53OY8G)qR?_kV0fi zwn5%7&vFw#&NMz8S;~6ov*-7IB%jJi)p`d^0E1)!??=X(+VA4P;IGIxXw5tr>jt4; z=jULb$6YvHg>BcPt04POte1Ej_J>YWw%`N8Whij&L2&Zr&F$^ZBlx`1a*Bsgr^=m< zeRp=h0l(Gq@-yc;p*K_K0Mz+=k{i?GYB2A~(}C`08+xb1^W%W3Gi^r}|FzwDYW{-< zugA_`Qoi(s#f~@keeiDf>XU|vTaDWRQu7+>Mo;+IWksf)upJoVcJ5TXbn(7Bs3T+(_-WoeDKEe%|1Za_!eeq*$@Pi ztoA}<8&1=?Gdz!*3^5Du2U@|a(#ii-JGk{M|J{Nu7h_1RmF%H5m-mX_AnxN-IQ-=#VcaBF>0>iVPr%_=i)hjW)}TT@Bo0gClM=F@s}eD_hI@1R=$^Vpu%f=L z$g0a7aK?;1;8-aXz%o%A+Lv;j+h6H#vGl3#Y z%Ae8+gCzV-F&YX~^VAmgf^#DQ_+J&vw14`mSjeezNcn6z2-yUOqs!FNFDnr=@b*G|wO7of-Xu zG^{fMH2g7D?^^^Hww`f0&Tg#!YAKczvwwDeB}m1^SVH||m7&;80+A>!>v!}_w??6g zoE(c_rf5^Bf(Z(>;yYhNiWNG!_ePTXb}g^1;t}Y(U+mWuH$5&|iJU;(kSOeaB4GMO zLMER(nPo3++h`}T%zA4DuPH8W>qcTZUZK=RDqQ$)yaOx?Xle|l6=usG*)~m~b_z|f z!nB$7f|dv*xFt^fjZBQHR`E0Mu>jow%3`@#;QXEsVw2r3>kzYEWa}Q%LrKZvf&|2g zb6@hZ=pY5os3gLCM@13G&L4*Pk}SP{@&Zf>rMaaN(5rCoBZ%@G8w^mUq0#U?j2!S- zL`a#Q$`o=L6^s;rV>xeGlp=7zF`KGup;)}qDpoK@5x}@1(d4=&mI({^_@-5GKlO}9 zzH~xm(-o78BS4BzyPsi(l>QfsmW1)PeV*E}`hT(t2omxwXXn#~CSpwgF+{5ltEi1M zw(#0Wk|uHznbfPA$$vs1$>U2;aEd7%%-SQA9(QFh7V#%z(_-Hm&j)+d^l#MZUA~Wb zP+fVkdi0R>{N5k_MVlw()lwz3)?X*#+KU$Dr3MJq9!SyoN7(eNKB6H1q<8{M_0a3k zkQq^(O2+7AzA+rK6{PlGb4-6reCdr=0`*mXP*}5F2o}+yAm8L5eH+cZ{?=f$;LGCX zSq$?nX0O+$$1iBE7{yU9F9B3WF0_cmGm*m3-je96IH@Y_}^i7 zsR?G~1v6+7kJSfp(^g>l7wV4cXLuwHj 
z(uL9vburgUS&E1Ld>`?oP!tQ1_WzalE;-ZLLKnm z<)s-0T5nQF!zc@Ms7}#QYkpN}5hLhrGq?1E}K42mGgE0hnuJVWBlmj1#~BX5g@8yf1gb#FibvDNX9s{e>VlB^+mSZ zQoxj$9b)Wx3j++XU3-s=#Us7HkbIs!JwHBIobt9@9N^7b%xs?_TdXUf z+cIUhU$%if+PgDe#cSsNyv|GR4ow0*dg*;1>0hH@J{0bLKU))W0)yJ#3E7zdXdc(T zg0IT0w-xug*B|GTnr&N0(NsEJQyG8od2UAsl6H5$X33rxvD7A?Wm`Rocp=&HZk9y*ou<$c4PL*hRwt0gvOP7k^iS%Z(R%D*nt6H@!T09#l;- zp*=Txy~HJV-7wrf=&Wk}?YG|VSEX!ze``jA!?T??_pK5df1~o| zd^p}&rSTqIAGN9Zav!1eMbrE7^HlfIzs^e!gYL@9ZoU1bsbd}8oKBKo93tm*@)+Z(93B`|tZen1hZcL(92r zFSBRMOvh77?|a{L;Pt_-2Y>A!i87r}R$gn-lg$^vYuQ!+8KBE@i1Ojunf*t%`D9`7 zTEpJ{4AQ9mBql;-+S(`gD4PJwO%ZFCjeFZES7iW1+UuU4V{ClIVzIo{;ic5SdevIk z=r-6{+Zs%e{q&!_cXb~y4IF>~cL0iS5W?E(J|Jes$|&&iNp`ro)yMWLx_oX8(-e@u z8X}wU_93}Hb|`Ib@a48ury=vW!4T#uDZBhO>?E-~Bxg%)0n;^Vv(k__#5N=v#?P+e z%I?DObew{n@@ViPAIFI#;zu1Z^~c!xB6shp%dzz9{ZQCZ5Z#)BnL*GMD^3Y9d=+%; z<*{NSWc(M@pWVr6PAXfTW=S%&>acC_tb>NCDHHg2ZWXm`2PC0 zD^XcOA3w#*f#;E1GV88wi4sYc-=a=97@w-8MNBU*&j`z61M{0MJT=}NgLpWAr%ut> zQakBHAY};MxfEZxtd(mqqS29mLwWYE@6C<=kWEtmG_x?Ovk!*uz~DoOe%*orJ#E5? 
zJDqHpIhC=RL_*bZ6~jCzO$arfp>#)x%qUI^o61nmfeSg&(_lwh^!fC|G(a#&Y{6u6 ztj|WnC{-)x2u_%}{Fwr{iePS-PMbrjH)2nOu_hOgpP$qho{89FA!zXB(ZbUZowoJm zQzJElnzuFOIU~~?J&N(6?_vl^O%TRf*Vmnpg_dodXH5mS_+E-ZuH-(C%}C|q6B6>+Wd zLCjb^$-g}E!D=9(6}5@u#|m*NHm?S%nctHv3U*usXmpjaEJiF9L1g~Ss0|Wr))6?L z|4{E@Zk%83OJ_~qP?m-?t--SlBFlBG*|wjBaXwwyWA}4Z~@P=YGXpoco z{_|I`n`fwt6(t#x)s@q%f9-E>$V~SlP?%6fUa4r-Kl_Sw0|LIz9$2vf_X2T?A+p|Q zWfiJFWcx^_MN_{?KK%D6oBV8?gVSJ{tfdX(vDUbKNy_l2L1bWE16-`zMCt<6+i3oZ#88;`-4RJ=1 zG(HApWHX^O9bAKlaYBeilYJ^@$w@@C)I!{eagm@XY9gJh`m9TI3g6uz0lH&gg# z%Kpg^Btd*9`42Lc|NAEFGyDfzNXI1yz*>0@)=$vy;dHmR$UVi!NRbN>6%6`YL;9b;T^%u)3hx~E zYi)l1byqI^7JuTb9~`>o(WhSYD~OakYE)mJ|jNMm%?i6|F zy_w)V>-SG>@yGKE=k4xXwcthmk8dU$v!1*7&Q~tIhbaE$gTJ1*DSGab+q|&^HSLrm zPx*7-ul!=^i&m|izW$C&&HCALTOM>#Z~3Kfo*vCQ;=;7G&2xso^omc|)7M(sTX~yj zlGC0(ZA(1A{g1A=d)mmk}?0{LL$~xO(1$uS91(IQ_xB_Mo=f^7J*9uI?Z` zjt9bZ_dJ&U&1&mk^y~GX+V{Y#SJ?KN+JpD)^vbI{-Tp>IUVQFeb$rI7g9X3c_=2tW zK5LnEesF62{wKHH|D*M8U*plyj@vza&9ckAGvl2HXWw2#7v_JHsa$w{>YYPS`Nen6 zxHmJ$zVb3+?YYfv$yum{_)zD*tjm0UuR+oCnP^}_D4XHJmN)<{KJu%h{#)Wpd9A#_;Qie`aZ2+J@ z%zBjKmD%pFS|Ol8kB#&eP88aD$W|MC&5$v>9{8?Va8s@+^Q9&j=Xu^t#MoxnP=MsH z4p+<;*3ThckkFFdG%QeRnkeLQxQ=A)3}zrfrJw6$QbVCDsFvPN^fE({OF-?iOF%#( z**D`j(?L85f^dIO?J0EL&9Xg)xXnq;! zkjar!KzPb(ru?+diK7xT2%1GxZp0g)pHpMQM6&LXG!aUZp+iWs6)*N^%1w@1)pW%G zI(%XHHS512W=gCvL^cD$RV*Hw*`}zmsS*^1kcERd+{m?CN};KGdMO+5E-Ijnh;ehI z)F9h54OBY{TpbJxf|{?mB9o^2W5zM1agNG&pmL_A4n#@p3n|WPw2Cz%kJODynobSJ zl7k^+w*Wv<66qVU5r>xcwo^!jW?PVQywAg? 
z!$<|PS7-qg;$%B~pA~~)*T(asE=&6PB4IO?z(JXMax}`(9!Fyh5K7<)ucczOIwL4t zRTQzD7>t2bw^Ia(c6JnYO4WgjX49pDOQ*h${)b%@V*P&&u@vDiDhM@|U;O^^pT*g3 z{)_*Ji_`yy*9jtqw48Vk0Wy=gG*+T?lFia}dcbNKF`KWsS%;Q0FqViF?HFF*V7A$d zHR6@Vus$xvv_YRQg0V`v*8l;s(ryljer%X$vyf$XQd!y7M}jKGnGQKJ$LUIl%9;s+ zR;-k$jSZ$B7l#$kisc}N$$=t(wa2XQVPmyCsMRAX#X6aOml?#pVVMEj*{W3@+m(R@ zvv4M|u|Y$2nQ9r#5t*9FH}V}CFf^^gB4EN25`9bHJHvd!%nG5T(V~{gx=Mq!s z%enzyRM+kE^gcqI9}*RMoB%r!?({2ZQ7Hg?oAU}nwFs%zc)J^CQ$4mq`;nZg`%ynb zH)yevq_kQo7me9wWGCyiER#i=kq9sCkB~gj?yyKMOh#zdrP_F{I3`mQS4cGz?Nqy0 z2-w`j0lZ9zWGKB#aH3kwG~`q*UP%tz@;GbM0d#V+%yAMYta7O$x~>`)^oAIQ@wndN zn0%=r8?=*@^==d4^J0`s>J5;|6{^|fV5pW8BG9ZBFpI8@swU2s`)I1(L)ggj>Y`3C zYNQJVJeD+~YRj|XuHTF>vDh<*wZsswscdF6>;Oi><>3@-)RP)Cx#|6kHd01$y@I+@ z!|j$Z0TcKDNz)>|NC4VX%N$rCBRm>*94Z)60)S8HeWrlX6fl|sMpM9O3K;$GHUvqK z-%0+1PUZi;3HvPn*?NX@+qchu5DX^>kc3gSW6x`C%@plYyNiImdF!t zUwGvUPv#z7cBdD1yldN~>e!M`t+UCV>Mg-}>u!77yywN!oS!}L`}LtY&QXUZUcYAD z?T*kNSZ8bVj~icf*AdK}JIsE_zi@YH>+_$=v@YNG58`s$UVr2KbL%s;_^L-gyym=X zAOGnUdw%q!ROntZ|LDWse0ifw7M^p%%*X${%6c6^N_#x|^0~_a@^omK2X4IcvNPN* zPM-V3Inq^+KljL5)NeY^?zZdvQ#RY?k-~C^A9T(=%m3t=lizsm?)DphI+vZ>xb>cs ze|t!e|LCOEvAMV1^u(j<-8y~sA6xHDzv&0^ zc?Zn=jeZbw&G^N)S3GH(OCOWAtSxCC{P4zG-!4Bs?V`2fug>s3Y~J440>AmhWmZq^ zx5U-k{{9M}v+>XN->>c8`FwBd9aGC~_t9?N^!cam`_2l={__sUHfsgf>@t7;AWQ45`%UqgXuEiV7*ERO!C;xj6oRLQ_c-FjV{S}^5AEa&@(S#+_Xjz$61ic!6`UgCYWMgeY@^WkBM zX8c}hGE$xxlMG?^RLx3@WjT@c7$@T=OHLk4SE!g=Ry4mhrbwa)o8!Pup#V6BN&@KU z0u(B|mTMa6abTpaj-x=95u@W4mj#Qq9QL!~Km*BvIFS5&wcQ>;y;?sl)_`6z2eU+? 
zB{e|76RLev4=1aB+$=X!DLKNsR)`f9ok0{|XQMGgO37q~k9);_y_HM1bqDAZwV0%J zTMa)yD33}!iq#b)pB@$r$>GA30b*%Wrj%GP6tH4eABsaM-*z+k0Xiyz6k-Be!qdMV z|DkH>G-rW!w~%b7L@(X7q)tDO1g7ZMDrBM3R|p(Q(efzY3G{&nwR9;WC^$c+6g@X= z16r$=Ojor+f%GsnNpN;m0ZR;3gG1lblSQ2qsJ>8Znz`Z-rVx^4XPg|Nk3VzD?;R{CZzRgGnXF8p&6vR9m7Y~GkZtmLp_aw#!>o;?bw5K4JylELiW0Lrrk_o8 zJrw}a*2o9hQmBfBy3#k|DZ&tHt*^s>=tY{3@xS!{fpU%`#;4MSpYosJ`^SG4YrFXe z|5=>=Klv^bfjP!S8!pgOhfOr=HaN6nYOu@piWG**%CO!uHBgm12I1w}7&q*)oRv}V zng#|%tRvcCD&}e3SPoE?s@LtakeBucx%Rl_6_lPy40?Js(IgsNgAX_+7u1<*i}l5h z=Oc0*iH#VMa#^UW^avoGv64vBmq|OOak*-`)=ebFnLrzOfi%b|gpUe!WTcMa%D7Sj zlLi5%lw{g-2Ut=|bLkjB#VTN-WX1%$E{ubGk;3gZ6zQXa;#4A?^i6~0x~d`PY^a=6 zYE?TWcB(j3qRdK#99A%(*w12qn~MtFB9<$6=!R`n+kFDAcJdXKm8EegjFJ+cCTbSu z_QriQ7nY5D&=c)ia-@?LAjyP!mGzSZ1b)hYcs}(-{eLLrQ~oo##iK9Hf0*ct%esAT z`yNX1Jr|XIjPo5XhO~6mO~*|?*3^5FtBU9A(4yxHoEfp|I)asH% zDd**ri9Xrmt@;?(Vv(&h0-01~ux4i+t5U=Vj5*>3DL=5~u~D2{z!;j{T+A_>WwIiS zi82F^`EI}hq3q)WLoL&w-{nOI z%}5O?+h{>5V>8)-0V=U3%*ElXJJr5t3iC{1o+->Tg?Xkh&;Lclk89S_5_zeG<`;Fog7$YGF!LdXFLEufHb-}ei!6&PI zKL7dW@^3JTqMvR5v)ea5d<4P}7{Op@)BhIq%-Qgdx1ROEe#>t$d*f+jYt7X^{_!U5 zi%y)shw@tShMzz5NVv<2(T;b{J7%?ySKVmSt!`Rw=DfeuR_;Bx{-J-q^4-P}TWm%j z`?9sl(QEGX_FFG#ubp%2j<*A+KfKKm{nf;12E96qY>8}k!6px%a+9Jyzs;&Y`Ne71 z9+*tt*>v9C^3tEb`_e&}cjWm89(3QG%DHE4{?sxqyy^J0v+sRni@Vmj@~^+R?T$bF zeti3akCdxBPcOH^`_Dd5GY-g<*1RtG{cPxm2XA!GlJh=%<`46GX8|incfMMF`$r2- zn)llA>Pt&*H$HFQ*(-dsVCC6w`gsQx=9P>W~deD`}FMl5B*#LU+gTcDT?FGq8RepNBXNABEoo8leZ;l%yd zZTS5AKV;7R^~bFD=(Zm}cwJ`G()^`Xef_ob4!T4B)7`rO=qg)XeLbI^IiphD@7YVX zz32K$WzQ4OIC}1e7nioDRz2Z`PNx~HwK;$6y<4qy->fA!-lkLC;`r+i$h`LGCYS9t z!@cN;tCu-v?~Om$d+*mTeb-<0h^6w+$KF`>g?Z<0`)6~fs}9`n*#mcZGT*$^JhlCx?Y{qAAwD;LGU_^PN283QA{k zu;W32SyYgxwx}V4!6!SP9_-{V;6KP@1gOd=sYP8Jd?BL3$pt{M++Fk<`j6LAftc?4 zEgcN#h{}F4Dovs6vI6i$-cNl3ggA!kFq=lk!@m>G`e)Y?zIQq7B2bOh$%Gu66RD`PxGWa)_~b6kXJOz1;@mq)C`UGg@ju$ zWNJ`q4e=_3xN=qGQKiB9EvGC&rKa5(+kCc5tAQ-1y1j-14C<+50}HZfUM=?+A?TZ$ z5KCvI&|y1dwv_dPh9ibGhp&K+lWdfe=~1nn!1#PF!{+m{2k2st3WjX~B?beWQUyAj 
zvs0!vuqr}n0Ct;1ubHn~l}0)XIzhj#HM&I!V{&BDiAV;@ssO)e{S>HVH<&Cag_1r= zKK}g>n@TDavnVUm>GMj{4$LzAM*Cb=G6>C*2U^vW6lAM6Efmlaco@ZEH2g$aSo`l4jpu*}7 z94EAHH&KsKg)|0f-F~{$%x2?RJy&;1Dv-yVl+sd%ZL!)(q{gDcf{C%^hLtkXjXc{b zW=B#dTc#5QCn#4{!%H&xc7l=1X%}maVgUegT(xd#w#Sdsu+bQS=}h`-upeeozJFZ# zm+&g1LD-z?{qy&H;UwICVGeQ8R`VUqAujG#^C|m57AMSh$WFeV=G@{K9s*FgEqBU- zsy9?V1!aa*x`w4gw~$xkO1bUx>;S5zoXm&-c_Y`OBo0q!Dnx^hw;{Tuwh;h=xPp|< zTA;y}i|tk`EF|0@j90qdzQ7TAG-?p25p-oHRjbiWZ6MDlKUM*RC>6Cv zmg=x_R2;{9of%_MYZbMWj@E*BZah}>t~)XkSWM|OAPI32x?~LHo+R;BU3c@c3dYO6!HtRln<8s* zDko^4hFOsCl`jgj%->O7ooy8&p2@TpNqT@U()4^r(o;?GJms-8Q=lk{iKCN07sYMh z^8+^(z)EZwqXe-dE3p_~964mkvYdbw>nx(N3`gQ3I$3HEAk@S(%@?d7>BgG_t&?rn zgOEu0g`m{1x_WaUiG!hlvar?E`c2o1Iu%JSu&i&fbvR>+01cH@uiFy@sKPLfxN445 z#Bj3nj)EXg1`_NwjZCqpu%xCVLY>1J0>zo5Y#VOW!fZ2^1hkfmRk~gl94BF#FKJk# zi86M=wv3k4C*2l-kxJjF5>e<0{GbNOTREB7D zBhpJ) zto~=GE7l;t1NtA5OeBy*g7^~p9~}HQ{SW*d(Ep$?0ij@m#Idia|2gUx8zf5+|Jn-p z?|+ki^9OIQxcyRRzj?x8=OBCj<%aggr#*k=`qK~Fb?XlgBQGzp8_&38eAHd*tbNYz zKlsD-CttPjndgR=Zg}8)ao(ES9dr9$Z~kS4zYtpoH{N~th0=rjFW7m>^|e+0w93uZ zXCLg`_VoCb)m`QM2abID`p(BkZ(Cnx*7UV*S$NIfH{H3+X%B92Rc6NsI_ApDo_qGx zgI3+~yD!{r?A}oa&Dmv(m5`ccnkSM^Y<=@at0Tw%WY=4l z{qwwS>&gSCeK6~c`?%GAao)~{t@|JE|Fh{e;S*=xf0ujx?)HiIoc^1O8mnGA>xQk& z1^GGCw*IMi{2zb+*OhiV^}rR%_iwq`o`>(T=>hj$`_^VzQ4n1y<)tcIQ1>n4Sz2&!^`R48Ws6yt# zgEtC~{n5d%<17AotH*v*oL`$wg$wq)`<`VUnnhjy;R*AgjgI$(OHTXMgD2hf;g8zQ z@nN$LI&bTb+SoMujJK}YW{b@~*ibzAV(~h8$7>$g;+16={&1z-#~aOwGwVElZsx56 z?!5ocZ#EB_Q6!7wcUe#@&8Za|F^9F`5gW;)&K3Av9F^4k@3DU`2OjCL`K8JMGd)`LhvQ^KM25oZvD6K zqyA?ycMawv4Hg$${}WM*qyOR3k)~-8!BkS3Ew?K;&qPF~E6RfzB&=n;PA0`_(&}d|cG@6RFqrtT4e)9$lP))7q@;ADfn>FZlM9Z$ zI@xC`sEMgrQcwbP7>Pzv^9F-a!qM7f-ARVo?08UcYXGcO^FAVW@e!AFJ*0(339w4k zbH%JlQk8Kbs|?D8HpB>Sw@GoeVylRlYzu_Na(ig!aSFi10LyU#pKIhY-cTA1GA!2C zazelAm-JzjGy83~VprR(99L`*LVK(`?jWm}SPys01Uv?Cm<+z2{)ZKcVY{hiLx|-d zrX@KNL|e@Q-57RkwcU)z(Na(MlR~0cPNR7i;=C}dh)AzoN!9X09gwvg&5jc-w#io6 zq^Y?>qTi3DaW~>QyO>IeZZnE!JE%HL+nQQVq(G-AOrDOwV$c+m$rfNI{dy)z)q5iW 
z=W3Z=l(FkwHkk%J5D^HCEYk%hW|*1KfD=BWCv_&>hl_5y*A=@dJj?^}h$(g2!(=k! z^##3_L%L0yafcl)7mw*q25MIAG*NfmD4<;{u0eIQA<68(7=Z;2)7uSz?WBF56X3~B zVUucA%BE6k0ggP0gB3jH7<$-m6eGCrQ6p&bG-n9PSTbax(j!`ZxMF00q33D!$Zvp6 zAFm_ zbOSqdbG|lYDMLzRLbei$U?YX({ejSHdx}xgx)hf4QeD{2@mM*K2&xp5R06DO1HP66 zWU$W5Xlc-9gD@!d9F~j|p`32T9kSVFokjW4hNVW`~X-M~fvEgoBhfd1j;z`tvM#BzNQ zfLd1RQpoK=fC<+lr)b&vgfOy&@%OPj7B#{>)f#2!{YEn0HB}ZdfV}6T&AOK{TJcffFzm>M zb+4Bklrg&1Ed{cwrVF%1;FM!{8kZrZ2yrVTH`W_N^_C|2fULI?#ZHtPGBT3nVj&yP zN4S5z0$+u^5IA2&v^d& zLti^{%X0j>{Z8C$-H+|}4ts}sc=x04Uw)|_UO0HO^g}bZ{&V3(bjOwH6LvrJK6T@B zZh38WYxv5o_bu4!vJI|$={|4T>DNB7(z5SV);wp;^>J(aKb|&ow{_u%PqXUR7dN`_ zF8$EU*L(1X8@>cTe)`NM*;#LJcbv6VeY=fTdSt^B?s}yPeQ?4G*8$|7F9XY*aoJDa zowf7z$Lq5$xbx+uGAFEl_+iWLv&;Sq=G}GEb88X7l`p-0!4{j|QoD19tJdLnxzh1( zUFVUP-g|fHTQ5CWy8~dBxNIqX)Ak`t)$e}l#eI)o__J4qzis#WRom<~@7K@2svPe8 zc*QLvey_oqAI<)&x%BV;)BNY?yB_@UZ0c_t{N$3yj;@{j)KPaob=ccY164!H&Bedpq>2YthqQc<&F>mN@&>X|o>K=$7QZ-Ns8x-Fd6G zWbw2IJpbl*PQCOQUVBNHr|f6GBF(v5ym+Nx+NrB7slNW>i{IMmG5LbmMvd(+I(EUk z)+M{YP(7!(;%zrvQT*kKCzTS%Z-VbGzWw&Y)7b2W&n&xf{6~L!>vHhwbuM_PdCcDX z{jD?S(vRd7j#zc`+c#VP4A|yRP?VEz0YzKi+ovc$o zolOr-vL^GWRpv^1jgAi-(J$7!MUEZxKp&EWkvf8+hS^tAq0k%xLA;M;tr0V-jS7Pz zt)Y?zTMkP|ShXOFX|W*kR^J-iEu~dWH%n?v&1v!aa5D2wisL&7(5~WN`cV7%{3lZ{ zSrWt}E!9p3v9gUP)T9k%hD>1)p(u+XPSxp0UejTv7N)2Y#alz8rdx2FtEdzYR9aps z;(~6^fDwuom_j4(hEmDJlVdhCbS9AOR%oR2WC2s_G;BqvY@n5Kxoux z1F6I%x!EKzEoJE%g4skO0-<2ssAs$6I3qIVcpMw*23cgrOs|`m_(*|oHaWc~0h)x4 z)9sp0`g)<$*7;G#%BT7U*@_|AL4PvHL9aLLu?c;UK;wMC&=Qo#{esS*P%2)hHK3<( znfk=jLnqbgdJP5C?IxL~z7GG%Eef$g=3hdrj>4VfRR5n(`A_)$<3EeF-TZ_9EKdEm zY&sm&WR*9pF;J}+6mc9$G#0p7#P_;1=+q>#)f}1-G1fXEWXHf73gX3l#&U=#F4G__ zF^;H9wwbBhfWSDUJczu3YzsOuDygkOhw2cFP|eaV@0*gXW|%Y#=PZ!!HefBG48t_c zJ8Bdwx7Ab##0#w$S7||JsUxe6lvK^CF;O=Pqcnsv5Y|tm*?uE0)+)Xm4Rj&Fbg3b) zXi$FKq5D0k2V@ba0uGRhMv7!K0^P~&YBm#X!wNvA9&=dDOIEWUS+y!*#;Udp6phPr zyVOc^0j~;l9w2)v--II`hO%s~JLHHWQ6Sq&tpFD7j4Bq|YCly7Dx=sTlt1M^N;}DaY5p@=NdL}%{;MAl@ZXAu z{vZ8-M5F8iP1>_jkq}h|Q6Z}twCFKAGTR#4^(GsMQ4*@-M%1Y10u$C!1T2+%hF7%B 
zMxeSCOiao^q0JE8INmR2#o9;{dS;$=LCzn8VVgt;J-MC^g$#(sY)BeL@e0m2gCa&) zUb0X@Ndi#-wChW_J$Y`r&`uYq7#)sO zCr5;0mZOJRAYZNui7=@{Mb2#+@l=c8%1RU%l51{^TkE%ivdq<^YD&pb0|%i;J{zU!zEUaXEiP(f z6Ym$tF|S;(fl4KsEQg3>!UhCq{i8gssV{)52;j>3yp=a=9=@W1gNkRoD*w*IPd+B7cTtOMu%_qtb5r-_OzqoZ=@f++O*Bmww`@ zw-)|(&bbF2sJ^w^en(HcwmR2)b(wXDC$CZzE7AZ z99m|R;k(D4`s$6P-(J1pM@v0!8vL~H!dxiSjoc&iHbsMW(WS&25vvU9V{-qz!9T|6Tz3-c~>rc7l ztW%Fm0r|Jv+rGNtRnNZr;)+N0esbC&NB;az7tTf2p8onz7i|6Kk2i9r&3@>d_<5u3 z50@sz2d;S_dD5nDZJSS=^xi&4Jh1K+mtJGLciq1k^PKwe3BTQ7`s|Zt{`~zPsIQ2p z-u(6w2i~{V(PtO<8CLO(E7m8kyd&Cu&C)I#-MBfn?HWritgQ$gaO_drBToLI z`IuQNjGudbliRPl_43E>t!^8gi@k%*|Lw*nTz&rUu4d7*)_UoKh1jFv{%?J_`xDcL z2Y=%KpTz%fng5{hXZX()|Nmy}tMDHu=Y^f`o&E>n6+RM~lrOYXi@|@|pT~cM?;rmu zh2rFM;MNgi@XyN+mdh zN9i0P5MWmxi7Fytv^v5BrlT;sN@ijq;Xs6#@tXPk~t2+Gzp(*OlBStQX&?`v0R&^@&Av#`v7;Gx)ue@5UL;$dI>f3h{S4^WEhHM z$(AfjmTg&*4J6oVmMlvya*=2WJwWJ$PUyXamVt!c2{43~&_WwR3!#TVn2>h{E-yD1 z@-9Oz1l~RS`_7yhpE*9Zjm;4p%xWB?c~uhypq2Ddy6zRmFkG%$j?i{0 zdBd_TG{>ZPsn@Hfc%rC`A|cFYWUdyXBf3J2X{rk~Vw~fK0GhHY5Y3P@q8ZR2U~+Ie zm%#G42wObb7;0d?rH+Y7H$7JCP`?Zf>Tb4Fj@+&XcDZsn25hhoO>(GgTO+~mO_K-? 
z>hO?MOXUvIGc#1F;y18tD$~kX!>X)Bl;PU}oY5#n8jibD2xtbB8N1a&&WI?oP?`DX zxP~^vf5m@tAN2nL{~^SBn2?HQYruWvKgn0me->-H`Mdvki{U>)Jw@}CBAwM+fZ3R^ zm1(;=(E1Hl?+00;0pb;jOGj{7&|6{>l0;z?rp6UV&v?a-V%s`o)|DEH`8hNT0x7GS z_kyg$_0^Cl@{rmuIhec0z6FxSPXK57&*5|(qL5s;xe z;v|^ls%_D3_j*FMovQg`u~kddN)P9|*>2>cK9cs@vMU&9bu^uj?fKX)MYZHNV+fo$_LzsTH*rIvV5pAnBDGerb{?eT%Ra{b0C9!LR71vb3ad)8ARI<`aO$VYn<+WtyN9Zit z6`SCwnAf0uGn+uTI|j_CQ_$&lHwCJ&)^yuC!{9S_0p*D)Pc*+nDw8bJO-+VVRFMe%sX_cz(g0B@XcTXaBa>)uU^$ECtUsv2};cEA8|9Eur z-+om;{4&ga_w)9j9ZF4Lxs{*T;n?fne{%jMd--$EPc58#MUrgs!&3aLr{c%%wy=KK z(N`?Ia@zO&1En8k$CA{FI_d=_0+f5T>3l9 zZB(R}IoJNy$@#tiuwZz1`1G+C6IVX)%tdd%cO(Dxb60$0-g9rfy6)GGeB_k5&tG%t zT^p=)MsP0wfU#L~&AS@*`6KVp`M=$Ii)*(%$!s4~bPD??{?)J-#KfL}wjQ?Mv`fnfk z&uskvLdIwDpHav1(*Lag&zIMKB(IK0ii4Jv+G5myOa6cHA52=*14uEFlCs$K-^9i7 zpQdEVOe9P-u-qM*q96dHSZg&TC(qV2SmWGYp`K^d>M+N9*(^6Hv?WrrM9HC8U1(sF zdc&>ex=x4d6?Ca=k8BC(rm)VWQug6SA~s=1Oow^8KML|tx#*Z>)h&qW9xj7k+^v!d zPgW(>jCcl>Sh8f1&3XdVY%DLZ-pGqGNHUh>cEo8+i*d?{<{&*6DGVpku+y12IatAg zK|74VoX++#vI+}Rhq8epQ$`|vIxZ8#VXN35arw%SpyQ0;m0)=|RXR!4>SOI;zm=xy zv0sg{RVqn!Jj>Lxsd1$YxXt!R;0x$XxWhS!sA6qv)X^u|k*g9$LC)D#!ZYilTF$Yh zU?K~!lkftYP1S1((+wF7$a_WUU-O?_B^qZzg$x@kTV-J})I7vZNpL5`n*<#x9Vwm6 zoW(*%5-cP;5mR`Ud>Km#si~bY`>ewTQ5nE0VqjJ@rRBAme5uvs7>^VPtyvnmLC6MbP07V6 zrmAV!pd6C@hSLL)P8#hwNMPb>w-1n+97{@wt&B4v9g|(8E0;q7l=GcJ*imv;ogY_v zlem?YGJYd=6Br8EeuAbZS&1_y!x2!_Cy~_{1(Q5dk^D*^%5>jip#SOmZv&`OEY0Ts ze3kuYai*KU`%khs`9CECrcIK|h%sPCEe(TlV`yMe3qe#}ixtj7yTw#B6zQQKXt{yV zFp@=aJWckEDjJ3pw~F^su-PPS5Kwv@&SQjOTPQ}Avfc)D9q!Y9%VL_IPIIl=r0N$- zl%Y?lY?v{eTDn2jseZGo`Nc_B2LXF(8#A%WQt5)AN?xvIi5(3eHcYSYD1I&#c_35D z+Z8c3qqu5jB(TU3GB!%JD~#r&3J_!6+B97&bP~2XDCbD7SmY83Y|A}RuT3pIn}%z0 zW7zIsiqSKRIWq0GM65!2T0E{#)hwV5n`JTW>a^C>@*P)(=%8bX(@YZjjPHhuo@sQ% zF(@b_w^>N!7|iHY*2SO>(-&)`mj{M)#z!YYUdz=!@A_{Z)nDX4Df0ha|BdRpPI}Un zQNmTxM$YLV)dFF%jMHS&img!@jVfK~wQH+7YrrkYYT?lik4> z9%C@$%AD3LjH9>*=9IRV8{kD^+#I;MTnKi1XfqFBElukA80{5U2r>#eMdUElph96{ zrKOTPq60)XW>b1*t!LJHX02z|dS{OtsO5fg%BA~0@|TUCJhN*Zbv|-Y|AxmW 
zYu&ZeA@ffC=3joRDhJ)a+_LLDChosae)HwhOXQYMU)ujkHKF-OmVRZA)Vy=Qb;FVK z{;+2Dn@g_w*wRm|VeUdae((>r_}QsD*B4$p{Kjt{Tl$)}R(|B*>OE&w=Kg+g`o&iu zd#IK5);hO))Z@KvcRq0aU)}Z0@1L)oZtnc&1>3A=?XkE0_0DEXoqO0>=WM*~#XmS? znJ2D^bY{m!#BOlG_cqU6@c86$ectA;ZuQ<8zr+u|Vrr(+f4%elO*g;bce^!rxv#tI zD+^9s`y}lCKYN7@()X`$VOCso|DTWigLtLn<&Rkm-5qFtNsgzU9!pB?+@R;`|I&bdmXzbw(jz)Ui;<&Tkm(32bT|j zZpqa)JN?!5ZgZ;LO*R=n-q=cbonJ+J0$OnIvp+lfZ|Ky4HM%J~l>dTcBup$hi z@t=X1PW398Qma^r$HJIy14*GuIZd@lHLXTUZa5NwF$UUC*bxsW5ifaJHsbXm6NXwY zS1QL=T5SwczU=12c$iDkK#k7Ub5Pw7OVhA6@;S8{Qbbowsop3>h8?~`$IY~B6e?q) zI8ikxrTO(Jg-~rZHu6-KY{^obuYkPN zrqa`XPGU{9HZd^OjNNuw0(^+kX-DiTiVCAeL$MUvD%JA_s1LMw?8WF%K?^Oq$X7sC zjrEQ|A!fQ+vpKR?>IE4L7&0W)Zt^3w(RGMP8qIsixaSHu442VRooHBU+M;rmw3ZdY z#xUz>ab?)c5B(tDNs*1x2w+Aq`Y-1Hq)D#Eqh`*vhP6pDENLk-^j(ChVr-O;8zTgi zQ{8Tzwv?KeLA%qc-nKYKcUq;SA2on-Q&hFs>vXD~hga*Gj+wno!P6#2QBH-OlA6+mf(8l$scUG{QN50<#fS&Yuw&95Sw*{}*s3W+|7hFxufljR<(l<6)3QVid4 zM7LfsCe4nFvBGfB@tK&HIb4n@I6*=HN7CJ#K#5o@+ie9B;v%u`gf5jE;y#9z2Yh=` zDgk6p>DYiBy9Lq?XVSHjG4eveza<$C7LwV$ z#Q*Rg=&R>Hi#6T+U;mL7r~i+XiTFy|@}+8*f>T2us7PK#P!*X@vt+f4H#FP;OO?b5Q$0a+ z2Q9utjG`Pav!s_1O^)ZuQ32Lj6{(RJ3CBFpYpF7g_7M{)l(kU}#uXUT0~D!2WLhHh zL5WEt(l9R%yrR%`-D%QD8YZO$2rC3kC^dmzxt}qRuIUiXiJFSW{7lHK3?}F_ZbCKG ztjDDyZq(bko~*KvS_lE>azu>gsdlHHQR`!p==cx@ z^o9~DR8vB>>BS*|Q4Ex}hfc`l@{HT8O`W0Erofa{r_h=UN2$2()@m7}GHPg*j12h( zpnHWO*BCm+&`Ue474}KFfCkfPfr^|iU$sTva>f-GN*a^lkSP*FzE`0pHXO4tgDW5c zlm(M?vIV*9L3O=g>xMInMYC8mi$$|oG>b*ESoHtZKv5$7rSumGV)ddhIula~5zZMC02+u7~6r~K-sO(zTKi)sUwPYKf_>J?eB=G)>gPQ;-#amX@k#u7TbkKBkA3t0RZ6E_ zedjuvqb7VC|ng0KKu=Yu<{J-irN=&cEWo-0<4x-+uPW zHTHAf@BH+>&)a|2n78^3ho#?5R^DN$aF-K`>o4<{6Apd$l?!+I%LZ#)w#{XCZ2#_g zcm1jPPUfApidQW2v-!9D@knq5;+S*ZI_rCHsR!Nn&0n6F-EB_uh?6e;b#(DQ7q+h+ zmL5Lf=$?pn%e%~t9z5@+tsnixa(CYT=$6ycId@;S{$zbsR9w-vEDk{vT!TY!hv312 zySux4aCdiy;O_1OcXxO9#-Y0(=f3;K`FKBb?6H5kKi1f_X3d&aO9VY#^8rYV*y`SE znVky^?o6(47g+E2Y#9X48-^K_Ej_O}rpwH}G6By%)@hH6@Y!j3JAjU=cU?M z4kmkYcR=MNx68^%uh&AT_GQxuHvC5&&Zft5GhJ+rmdDkSm?y~eA;0$f?Jb8k5VWog 
zdKs>kCwBN4;MxYPw2pht6WHDwS(4wCZjakq$ULxrC$L_g?gpv&&ev?n1HEN0jKn33kA7*qi!45 zia(R_keq~de_B&-*eBVOYgL`o^$So2ESDfw#6UwI#69t}r2Po}!^RRncx{VLIttA; zE(1jJvO1i2rx9G@=vYm$j>0jMGM&2Xw=QXw+48PP{a5CoCQqka4YdGdQ2WP)r z739HZqhy}xS*SrJtc*$qL!v4rWo^k74juMEuq(?}i++VR zi~eHU0BzKvE8$uxIn;QS2|K_izh!2a4gG23dG}AaMf}L7x7>>jY21@^ zii6gtEW$`8485z2se+uaT#R#O_CTrj3+FI2-GI!xP&r)kBj#^y$$AxwQA2AjB$Vti zx}|K@exMwD1IjpK={X6@w>GFyGE-ucKrMP>WO`?AG--(SYtIy_kcM_U>K2m%k-M*# zxZs7y9R!*SSMyI-_Hj_-&xNU-&u;Y%eEWv`t<;J=J=6aHwV1J_JeTP1aWso|$hR3X z0}Bd&w2gZZJ$XR4!(urKv(hT{YE?tSEvam?l)ia0%Ktkt7ghk=YyMV5m}sY+*paBiCLnDkNY3>QH>neyo4V!oR}%3Qc6J%15}4E|egMx$PGw|Aloz9I(r zVON3(D!)#;5OP!fy!}$A8tbI&Ct(^`)ZYrZlA*=SDTag_+*Tvr8I(VunXNjjv>SXi zXHvSfD?w{#VTx{91g}?`7SK>Eg-EJ8eeCKVbZMqX<*{*wEWQYXtaZhQ6t^EqE>)Pj z2uWFQxoQx&prJiBspBgpsK^sTBiur+SIGqlW93Gl7!lZl1^Yr0l@1&C1IHOiQzbMenz0J$|<1?Ym&g zyLEkAv4Exl9Gjz~aIzOmO@_DcI#pBVv6`r@_R)WYf3Im=^iddySV$x&~Y-2(jkh;_z4 z_rTEyU&pz<-*piTg9cjpokp6~3EOYJqvd*?TeW_7m@KK?0lekTq+L^RYTtzr+uYq7 zdRtdkQimwtcmap$g6Xb(JV12)nhR_bb6Zy%Q?~AZdTR3AeB2hOtB6b8J6SjP=BmFu z(RhYvC+E0%wtaNx^@M8e2)?qrP3iK)_1DHErtJK&3%g%IT|Z7GTHZvxo*rQQk?Xz~ zL8qsr^FB4~o7W01QsX^uKS@jXqW~&jfP_8&k>1d|4>*lfzf{AkZMn09)2UwMa$W20|U)pn}r9!`tRJ=Y;<^^c1Z@6B7YYeYms2>`h}2t) zL51wFR3syOJWQ$I&Hn2|-^y?(;?d&`$4xniXhc~xG8V<9m}Eo)9}&X`%}cnUEnR5r zWz^1tgnvee8xzZZE7wYr7bcmgmoYiXWD$^S#3&}k2mb9d8^0k@B9Y(`L$vw(nUPHBcTRVSS%XM3E#0J5t9mYBh@a@K6Hw%a&a9xXpj(0U z28WA1K)8LbojDyK)y>v~3n3j>w~i???^G#YRMG90;^-wzfs`qMtn{>s=kZ8IRIJ;w zHr3*dG%y|-Wuj_1e={%YhoBLU2ebw$J4{`NCqvm0o|wcJ-A=>g7nA*d$W*ca%M}!> zjy&6wJ&tK*VayuKEp$BIjN4io8qEoTXYb~)4Y6fa4Hu>oWN#&)$=*o`D-&QdiDXia z^-NI5nvcu zpyU)t@$06{7^td5(OxkXDtQgzmaIOP?<%c^n?&SHV}a_Q2kwOo93ch% zYJ^vdmiT$-h(8zdKM&SWrXA?|KYrHYCXuAFY{CJJkRt@YiTHmg;%~8QwOd6NIf@Ke z$@G}M0p)(6^Ea-!HX}q}En+=TMI2I5HewqnvHqH1on@g)GU7h^dPF4JjKis{7s?CUa7SLT+KEU62nv8JM-FswKNgBJHejMBPE* ze3fn0jwX-Y9b8|f@cS_vkQZoFCn1mK`Dy^6xzaQqhQ|yl<;h_KX4qKkwA%;(i$XP* z5o|QIF{zng>oTqcDSAHqFCHQp8Ifyd(Z}#*nyepEy-UzGI$Zb;YK>YspKZP453>P3 
zHLxsr)K4RnHiWHr1?|I}>}S*m^t>mPXkkqVUr zx<^`$co(NbQChltr}|{<@}D*c9K@)P%)7yA=#Igfl^J_wyfJ%98WUtDy*n`IoT^D{ z28%PoysE=i z*(#Y0&%J|$9)%Rc(vgUji~x^Wo)&{fPFbc0#}H*{AcnE}DJ1#lVS~f~biHPO24(ht z%i7%z3MOSZQ!#k*8tn6*VJmsI?^6fZ7ffo1K&gN}6fVCfIQTi^`uK!gip1C5#bE(! za2{JM&-=Q*j_Zw8E$|HOJ*OW0x}m=dGyzP{5%fHsr{HWS^0IQ_F*;A9OhbPVeTjh!2+8L?Mihx=v1MYku+ zY>&#zTClovfvy(>02!NYC2 z;ly3<_a&{rQ0_NRdOZ$D)eAk(h4+knSx>*;MkcZ_fIcDuSE z*Fhx%xO@Hgh_~}~hWhpgank)KJG_$(4)X2-qXkS2gFml+*kBsKRTc2_Q<$MjLho@o z8MyRMpd0LM1kM}&RHK+-UrrW)(B)X2`LI{~qKEE?X$PD=w!^KQHmQ@}Od!~=40SQ2 zV4I2h9JS%AkNeKnA4UT|9jSA9QX1x>isG4z6II1a*Z2n03OUtW>seUl;24?9>lt7R z)}t%f@KBrJfs8XTD44&slwh>gbnB#2w1~eSHPZ~6(=o^;c@+LabE>f(WJI*^UKh6F zBYs|#gW#~mjND3P1h6dJo||SO{s^>eZ!;_7ueE)?An(R1nbWaTAQ*6LCxQA{bsY4z z+MQ@h!?O58m=b!8Nf7*MB$*^pyflkDGwC>}kio8`OkH^7sQc}e{@WMY!X$_S%g469 zIrcS&>PXY4;!tX=y_R7dp<>R-0W#Re2-UyeriUod7@zrhrsO;A%#S5_-@fiDTHV&Z zqQ#he_1W}iNoPO>Xl?edstwP3!mc5Q>fjY!NhBlXyse($XI`SyYbv&z_4Z*Cb+J!D zK&zV71rCL+p-!VoQ8MvfIcSt>5S|#XWUKsHP`e~N`N`dnPT)X;L90fEZ*{OwQGdt> zTUH1EhFmCtm>7D_jV%+H;aZ~`7=}t%-;z-w5ncO7s;6cnLc_XwB*bBHoJ*TK=S$IF z#D~9B=*8K3RUS$iHQKstmCs}&Ov%}9@T^`_A73lqrPiGn6nEqwbA(L$vEGCf1|qo$ zL<68^L}C(e+N825cx@+sd zCXU{>N(KFcw1Sa-?Rz%PMg+Un*kx}bcz}K#K+N?ibds|AzWo2Sv`(XSob$~*0)LGR zdyC(cn+538*oD-SP}4Zr!lRZV<|a*dl+8;b5C@y4j%8j(W-a51QIs882PA%rT`vY? zl6Bge(^K3#q>EQ5X3=HDD5N-HXC`3e!#1DgY7*nXospzvaqAQHSf?~6+Rw3X7N8?L z4C|WVk{@;CpJ`Q4gfN#q>p^@l4R6J8bw`3gCamKbHx9ys$_|h&{$hI$#2FHg8+Zkl(-M^L^13)b5M}qp`ekltl&St23x&XFWXjm<#m)7b8bOjh_mu@m#+$+ zgt!nC_P+%c<$dGcFJdj(2_7B=j+#)j1vbR3T26fvB$*lLS;pgOb0V5;~hxh-dz z((bR@wyCUBAS#ln8Ujn})L6(ZAkP+l@rDSSL@^3Wicg0H!!5zKB{n#!o|`Tqid2?y zpOvu^l7wD2r`PDW%*UHcv|v9HnrpyP7$1iQ5&c%14o{Noko{-3I!PX(P%{twWWUqK zT4swXp;27L7k&rLu;H32o>2rW(ONA+4kgJ5jQm>icX0OJMsE8`Cv&NmW1&XR!E0q` z=gdlY&z$ymXe~QWlQ|Q%@PEsj{!fKul25B^wodSKNOau$%q~2D6NvtTCKNA$FCHPU z437C=eUpb1G5Em`c%C^GMCt*YkEb#7+CPIBc=_wHy~eQ7dR+!QN(Fs4cEu;KYXsi! 
z4*+O79)k(e)4V<_wk^&x-Ula74NMH~rY-dz%pHITW6p4UZrd#Q70X`FeYZ{lVE^wK z{<`;%19`0zOkMgPHC3(`Ctv^jWO;wik>Q{f^w~@13T=881S&NihIgu3h~FmZ0aO z!k@x!^*^R3+sehurq=qDO)~=L&+s;!>j@r?AfeN&Fz;tgH}T6uBp!3{T!&i6%Br)c za=s@RkN48U+Gl7%tvem4c>g0b_id92M5|-=_LjSeC7$D?wnv@bfjX;q5`QFU56xg+;+wIWK9NOZVms>vov7vgtj}zPZ?7y`F1OB*-P|Nq( zd)!C328egJwtDO8-RBoPgE&gFqmHZWvy+_}-$A^tQm$F)fU8 za^P#ajq1DVs61}#1EcdJ-c-S-GuK!zyO{&`cvf+n0j;nuV)5Jdk#6Abkk<})t9u2R z^K2hD=Ab=lx6_-|1ahoxzui1r`yBu=)Y1IvLwA%9O z+TWlY(+ifmeGe;=zb2-b)U@LG@F&>m-Q~U-xBw5lfbFNjqyoo+Y-rQ}i?){7#>E#t zOCRt_$@ugh&0~||_vOIS|4d{*$>X4D@4-YR`6840i(c-i1Hr&rHTZVq<)bAk{=^49 z=3rpQV$7S~;G+e+t(%Of`l5hkefFMO@2B_0ZSou7!KmhmMJ zHREaD(594V>?d0yLma0h(ZUs1gqEzRZO9B6j$!lF%RUZ?h}Xdk?Vc-Ij(b5}NTLuJcdnXt8>qP%Q_-MpRkHnU&Him_0WtS85Lm3#vZ-7L z5_+9A@%o7uQrS8P5{Gl`sgIBj8qvz?1?I}Uzoj@xDLcc8Hp`H-`(VVN>I(;Z%Qx+2 zrM~pcnMiL=Vllvl*wr<&ALm&TrD|Ti=G0tM7bZ)?VhD5 zY|2oKq4}us4Z>y*ilv*Eo&h>c2}GsyHsX)D+P66YlMkXS5=Y%i-Mj#Tr+2D(+Fgnr zXpu02U=v0ZnW_$zW)2UDA%sNhqewAS0$D9%$z62x#!_-R{Eb2g`4k~qc@=W*uQJ3o zMWG}o|IAvTRA@@Io66gi>Zl)n6t{>Mqz6-|1ywKpvMt84n5APc=)hj_z#gh_V6gc~ z*Lio(CYOv z6SYskV2nDIma6oniUt3aR3*D|lW(_S59s~iFBCVL z^88hpX-U(h!tl3Tt(UmC3uf>OX@Nvv|9Vg)57kCH- z;lX-kEb1@f7`=4KKAS0RIt&a+K`>BtY98z3g&Oiyg5%(^@X6b}&n2q_FuhT(`~xx7 z|AX7v5;vaGhhK)cXl*HZe*sPr<{9qcca5 zIiZqi*%=s;jUjf~87~Y8h81?c$Eb$Ul2jYyW+mBQiX0L3Oq`eWf@nmmQ%S~*C$6!- z;Us;ri)@A{Tse<%tXfs6tmnit*XS0uYAMEoUxQ1K(sE(^;kfyiSfvdaeO2t6YZ&El zg&Hn>G7C4XiMCI2u93z#tg_ttd6R{R&1B1MhHI|o$^R>BcYg4Z=oz0)Zjt#jxF`J1 z5zPI5B1ruyflA7FWkVTYzPJ3K2Izl;y`aCyhXzaj$Pr?BV0)X1n9J7xci?U(aD-+0 z{9dpFygju(7W8_G3?l@*WpdoVOvFh)WteyoO!j)z_R`}r@|krva{c0bUGiZ1^B%v< zB>(J}HoNNF%AmRFZfCYNvGeD##QfOy?(xam|8Zl<_jx*e<34xbd#B5U2LWH>P(Ux} zK#2Dmbc?8ceMc>OrF(a!b@Y^X?J~4B3S|SzZj{r0&pfd|as#{SZW(S!b8WjUxH5SG zi)wWr8v$toq%UWlf~(Is(^j?H^|WZ)P20R{n*`FEuD|b}7IwURmMB*~GQ8(=)VDiF zTsQI@)@b23F|%8as9sCad`-I3;wdd92+SA4mgzT}w=6q})_ZI_&Xwc3yq*nW z-edh)dowTpu<*P9S8}UZ##hi@r=Q_&G)|mSzq;YCF*O9jZu0Phc$D_$LsaHwvM_wx3`;L3EohJ^O#0aGVN5jPnlil-v!w+ 
zdcKW6t81OzYEvDBXcx^~6SigYuJ9B6p-$_wXKEe~LL+<(GA*0h?&f#jwI3D9_VV@J zwj63#->#KG)pc511liO3ZKpaj^(}YYMY29LCru*M&a44@lZBa`kW_!2{!h9{3wN< z@(wj$K2)C5w)v0SCRm1}>1qP%3n19|=(Y(a-2+KfH+E2{q9}a{Q5=(Y>5ko41-4)a zlW)q=U{-Fv+H>W4s;iq_(l7~IrEF=wDkg^Dm%I{xH_^$4Wf{}DV|l7ETwqM>e4r8D znK$#b3A_d>{swd+!#z3_R_G5AX9LJ`*ly2whyjwF3HeP&ccY6hfm}u~=oJG^c{vEA zw(Y*rk}Y8oTQV%l=wHIC%*84dR4#=IC5#=7A=teT=!0ZL%D>vQvrxQl$BUBAutqt$ zo*Tul)wtWVV8|^Y;$G++#!^Tj?xqGFqm0TMLM%d!V6jZAD`_x4E-GMGX6DM|NB+Y# zF48b3EkVSAhCQjTN|&P5vzz^O=&MQiZdrD=>o3t4<2U7pD=|!Gm?Mjhk5oNwag159&`p|4c4q^FL&vz^loMJiF&bQrVe%#3qgI@AKr7L{$weC(j#fp? zv|W2TaEO-E$k`XkT00VDxLUyiFGZ^xTOwx^Tl&awyNn&OhN(c7@drnQU2b*bnPiK# z+Z;=#_#Wx$a??{$tXmm+Ag!73IwU`Kv*^spIOpOn9J?O0lOZoo(*UO^FXGQjZPc5w zg|3_$4)&7Ccx09F=L!=x+>X6j7bDNpIt;p?MqC{OYx)Q%Dh{W2{!Ilox9Z}8J!Z4B zY(+AXW=d|kq35vQ)`1UX;g@@7q+6UwCOu(NtXkFF7R^5(X!BM^EIR{JPvs=-m+=&q zBb(QI8(I+<5$g*-1cNm;YT#A{ztn>}pRfgQi68z~61DX|u@i> zX@Od4lg!-|XR+z{35+I5$r%We>G003#=;XJ7KyGfjVv5wie~UFm@(8!iA>KB_;FWm z)q0brCfZb$juBS<;nCkbzM_BIw0^iWl>ar=pKKVdC_7SZSa0?u?vNoijJq$@7w$h) zrFw!J6PXOTw~w%J@e(0`*Z)`^yLP6Ha*V6Wl^wOl!Etkl&HoDNqR{q zD_#(Ttu^FYLx#&HNWz=A!NAJ-MQ;=a^~VDlS__Y=kb0w%j$FT9Rb~Q3Xg4AZ^0;v0 z*2R!1x-&t6pdAah#V;OaCUcAdT7W?bQzIEIvhXm|-z&GVYh06*BJvdue4RmPekCF< zEpK*q>rX14k#$-SKnx}a@9~Yln1BtjAKx7RiZKKzkvt03=J}ZkmROcR)Dd~gp@`;Z zWGq`X^*bur3ez-4WNc2}i0{walmrb)jS;PcTErj2cTk=9aQuRuoocg+WO&p~-{ z;({~pkw9Ag-p7w=WfwPQE7w2xBJXm7_Hf2OGuoFVxLz2wtjLM7YYQZC%TWF&mm$Sy`iao`;7!dNCJ>n0s#Tpxi zxf-!-AFJTkwYEYP5yqGT&3`T!>q=&33FBW?oC}53)bLFwp5GlRv_o~dv}ak3;4Pk# zO03T1hVS1nys4_v%&*Lsea-$`M*P12cxx{Oe>{VN^1)+%w`d>mnN#3bVYsH}mE7Pb zz5A!Q4|DC;@JDq9zeztiknk&vr1>s#bi4`Nzxe9in7=3jhe^!>YknZ-H?%-Q%Twcz z#tj_c{Wsjeg){aDVQpaRtg{68vAfmhY|G2}`|Fp8p+ZM#kOipdLrvy5@FS z-%bB@Lz};I*`*Uc*TbXX7S>zy)#%l{HMi}i)n4zuVdvzg-S|eGa~sie_XBGO?_)1j zwzE?`KxCyd&-J2~N%Mx64)226y!K^lC5}vg)_u)(0te|%8Sw32n}=T0iF(2Uf*ZV0o*)a!)5h$PxwI_0J+U0`90_A3As@9Ex@99ji;6T zZKKO9k;a~LPN^~Bz{99bXoLTH~UQYrF* zxme4DANH z_w^p;u2}E)WXdN^*Rzvj#!hbxw*@4|KgJQj*UwenRVKS0)2_Y8!~R#V%xbo5peO5} 
z*`bqO)%SzeJU+{jUYF~i_eDvqIx#S)jWu0YEArhheX$+ci4Fb6=vzS4lRnD=@8z&5lV7s7d4}%F?Q+AbeNQOp z1Lxgl_5gm0zxCG%Q@2A}Z&yP5{g$pDn%>KA!$*v5-jMc6=jl%EZW|(f@T

LH?8 zSW=5t;eOR>+tFeY=cSIQozL-sIlq3*X7q<(Ef{Sdd@>;j_5pH10n@>Kv;PCweyuMt zI9Nq^A1B9{itV-~fNeobxjECGjFCf_K6Mud_>=K=TWd1Td+21hO%j(v(sWp6-TRsDy)Dnvb*+$x$-xOv%k z<&~0dv4;8cH{1Gtd5!a+T1VugC z(u{mwSjAZ2Ukk-TEVMG$Ev?w(*&A;e)WHCjU5`xgsu}w`F|RsB^XY}A_=^EfWz>D} zYAH0iVhDcLbu&F192|Xhd`Wogt7k$@98B$jOeqxgLO}9jv=~-Xi4*6NIbwZ2yOQBp z6M81u_^ksiN&P$tB+t=(wOZ250wITs6W_E6mKS;fEe@wb_{2+QE@!_Y1qzZ|$Nut_ zXV~8=ggEblaYt_m%w2SWSYAboTNi<>eOf7=D-LN}3W~a#jT zgd}K^kTDcu$=F$3c7p(=GIM(_$H7WJUI(T|(6C$C!qSYeZRJ2K)!~9z5}plh7GVX$(Lgf$Zb6VK4gZl;H~rWW6e;ajfFP*ZYib=`=;y zEfeON&nzz|3Z|4bWK}Dqz%r(i(xzXGb0u5Y#lSw}d{CQG)3#CjwNMojyU|ZlwkAf5 za9W?9mdRsEXU77)p@Y^WD0ai;=y=oG22$T^rg31)c(~l!-}f5KaES6L0-B_acMehV zTY+o@PZNXJ>d4Aav41z`FG2B;C&D#r6!TE!rkz9ca}Y%sK(!}wm3efij<`sPN*B$v z4M9N_kHlV%4yn~MtTxRtWI=>kLSsb;m02~b{*YfrFIftvUXyHxXM_DZW8N_)Q9_Gg zK5`dsG+z=E*`V2=v0|U#jf5+YB?y_&^i>5W-?sASWm=(4hk3LFE+JJ3+3!b-MN1TK z?{W2Y_HgxJ9nbJ)SkFav49HU%0z>x5{pfWXOA*o`m?r9TTuu@a$}L+=HXDwDrlNk~ z>N33&s%U7}ANBN>*$ejAuLuweKbPs)8&eaguUOWH;0tDoCRD>^o^2H*G*fIwCcMTG z7(6iZDw9d+w?eZ_6A*ZfEdN5`Q>i@gB*6HgHX`s_x(JX>I)Q;pQB*r>R_N*$Of_Ig z0k^zX9^T|r$QhG~D4`!Q(;tkc*lE~S>1@t$?jX-3gPL->zvU>)Cb7LCq6swy%~4y-cZRqQrveuanx-t;`HRvivZc6kmyT3?%63P25-C{z9Q0DTgo(#a zQUxP8H!@P#-!tY6wpv$}RJ^m&AbOH1sQLdEaDMa4llNH#__fdPcJ0Q`kLu#)!p}~V z)AKVF3oH`I9KMSyBfJX!&$FL0SOoNb;V1D`=o>;mOXNrJqu@x5+ralM!NxmQc%7%~ zl%4h6oKhrS7xisguGZ#l=d7A(UqIyf(ax4fN|d~~T@Pt9uuK1Y?~|ANN-gMqDrcP( zCztDG`e~@reJiB%RbHOSo~YfYh6w1C;o;T2zBa}8W^@p%eJN7!e3IK`@z{Fp6Qjd^ z!yZx}w_^Z`$hvXf$-Q2t`|jlH;coGKuon}{caElyUgK+X61B5&+Hj^N$a@}pbJg&f zEwl8}I{h)eg1QO*M+`TS_W(2|NUJ!EUHv%9(>b|MQDYg)Bc}Lp+asE|Y2V3t3EU}c z&yt6XHC2wI{|V06Leo3rf>(0R%S~S)bf0tF4wRkd@v3&k(S6=L4kOH#^abf(RJVTw za7|kCdoG`C+_XdO`{ld$#pQJ!>g$4?$L-bDov3$@Zp*}vkY1Kjr_kkr^wjr)TMNCm z#idI2ekTIw*Ib|XNpYHe#N-Uy3ut%vhvB@15KZRik2JJu?;<<`i*MNbcW9iYM$WS zt!ci?D&=FH$HR9t*Vr|`HQsc2tNui-dKLNB??APH*>s2v_-xj?lK> zEYo+LtK69HT`T~AeRft3z1G=m;d5{9IQ#QP>B}ZvCs>B>EWVO49ef(Q54!OS(Z=?F zLg{__2Lh9Tz*#5Yzr?Iy^JPDQq({kfzu}mVzSoZ>FlOa&Q`^txNqk~=5E`Nc@j7_w zwd?bB+yaeU%90vN 
zaY|VR3g&NS1x4s37qrlh<(#YKyl$7#32-{5SDx?>c;&FpJp2%SzPcmQ9&PIQB~CPK z$jugk9KmFB6&4)7{SB)QO;zE(IhL`Rl2c9zNz6AY)M3TTiE#w*z%BDJf5X(xgX804 zIIL)3t^XM=!|tF&i|M2(OwUQwj#fxr8V2 zA`;aeWnC+o39biOKIuypRgwiV&P7ViiG`Ax5^ZD0Q-bvc;b_hq&J9aemLkQm!MjG{!hNFZSaocq$#>}?MAnjsC5y}QG zp!0EQVClw}iMTD7*A>(<=DBN%|NYgOin;qusXwXRJ{^4N`jv8~_0Fs#-vx5MPOKoC z)U{n0)``}*&5|alsgKW6mDVmK;Vbl1ardlIg`Nch>Dpz?D5E~E%HZ#D>m~mTch%*^ z3_;xL~sZtHfk2;ZPI`GpH@g*OLBN943HagVB~%YB~Zv;tx0iZEGFYXLv8<^ zLEI=ekFB)DLJ~>Cf2UFt37q-J3mxM1_#03T@plX!jxi?@0%Wsp&2%WhUxZtB3d`Gaiqt_K~QR z1d_j)GgCDzAW%Y}l(Dy}c*ofZ!q*`x;C}r4fbGI~h}BUKg^(CLP3NdYoLKS? zldyS7vK2Ubed;lfH_p&(YtTdcwCers^rWeeKD1D4CgC#hFK1H)3&6rjRjQgol;tQb zd9lufeC-=Qpsp>cXvb*Mtz;_@HcnC%83M6AUzN4Gjkj8)Jl4vb#e370yjwhscE6>> z2r7+gjf(2;V-c^a*pIv{6+E3}6N&6B z_g>F7=e=Dm^+WF4#TB&z-5y_vDOZU2PHw}N-&pJKT=xf7d2npguX8;dbv)h++~);5 z1$ZP1xZbaPRx&!9rL+b2iFyH@VL5sK+^_BO1P27%yLT_e%s-a--rGEWy$@alcW(PV z#;T%5`;~u5>0aCVyFzBsS<^B}@UGJnSJ&UKOS*qN(jo(VC=>g4-V2aes;w*2S zE6lp6|KRIpdX{eg!^;QWx*gJW-{$A@dEI1-YH6O{;qTn!a@#QaC!MhU6I5`2b&=Cb;(;f(l>7k!}lo^iiX8 zRx};@y24`hZ$CCBa)Gyo;`Uy9aL*G9{SPDC`Q~t?dd?uCPM?FtJ8SixpYF^zCl`FG z*j!38dCmvrPg~XGJ?;b$zk3_wd>49+a-g4gPGcXq57?$V_N}vW_Mt%cJEfyI$71%3 z-pZW~pi$deMo(AZ?W8P|Z^oJx;Q2F%#LFk@#(>MO4lEe{=`RKj0B!r30l|%$d4qli z9Y2Kx$?|orfTjEil~DBRXGI#1f8%ZhKLPg&a4J}rT|L!xn2{$guB8NieHpuuxz;L= zCDWD5fXhrGkD_+=*T}Wt8-~(IXuhxFk3m!#8b=4mP-31Km(Ru+5wLYkr5iLISE)r_3h?M= zDL1vD+(EhUq?TIJo|RFWNinX>R+bjS8(&-+eT)`Zr%ypDFH>G@RM9v&@}`P2kr2-t z3v6~{;dKyK%@;xYtr7%>Ol_MGu6O3dy(G1cL258G{3DitF_GiVf$>1Lf-jMU#%29S zqS%C@vnMlff24d9KsbaTy6f?*j?GA;lkd!wmroP?On94=*%v3i48 z)_I3AUAkz`1_~YN;Hiv1Td|}9>>okZnKC6Y#v@M{1}>_QbUCyH-%J|hEY=k@JkA!L z1-bgz;UU^Wbpnxo2JBlK*81@;Cy->DtP~VAL$w_hrP3 zXO)CBtwSzYn1#m9TQn8N6P285FeCSo?L|ja*0X(A3;dpqa_W?GPM*RkkE*n#g+=tB ztCzp-q)!-_s2(pFLATB(SY93}CQAsT^i$D^LI_}lf~7eaPL>e~%}USK?m49LH9b%5 z)rp+mEwkKCT_Oyti%*tCFZF5MRFe>by!Efxna~U)odD->^I+6@&%O`-C*Qq;7n{+G zSZ@#^G^+`IZ3KHC=Ikk52uizcehm4gmVvWqqZ(p@w=yAJ+UWJ{?r0=cvxvn0(%Km! 
zMnaQw(XtmSW)SXM^{h_tI6=ZbHsmauNR<0eg@QRdzJEC*(&KFUntr zCtAKSmC&1PP-fZqWeze`V+t{uDQkjHL6EN3;9``yP|dn`^`C+BD2-;J=dUjCm0ea6 zuttW0Z>qW;WR-Sm4tpkaTW45WR1+m>;YtA>v)4~FRTPn8rmwnkQ*$Z9;v6Ty?c}4V z+;P-1-yNaP)28SKj7vzR#&Ij185a@I!cxVVn^rN)ggGU_>cpgTr(Fz+?mrlF1Kc6qqTzWXc24V)Tc6IQwvQW#?92q_Iz zMB!E!S;?1%eA#!V{}ryBZd1mb>j-T$FQ@!_d+ulTBA&^r0>dna*tbqv(Nl~ToeL)= z)>AbAw{(t#O75-!tp9^$-=z7amaYMElyxN;n-j0xM`D3J4Un%6HMoX-I8a_hsi|>Xw}9@wIY)HblGM%;UMqI z^+q{U1h$dcV3v+I@Z+cNF^PrhBA#BORn7Trk}slEB3mXs$peHU3pd^_`TqWQWUqPh zil&Dk+%H`Sp7aI3H){Hw2o7dj=R$&kAn1Ql?@-fxc*Mpav@hTou!3{|_!q+Gs8EhH z&jmCCi-YuD<9sZJW9RDuYSXUaGoJ9!Ps!Es2zgr)hj!cpw!Xq1bA1QSJN5RORRZF+ zyawLgI}Zz<;_O%D-?vt-{dOnedq!(-A9~`()9f2p&dwd}yPH?GD?coe_k0g|Ly)dhJ>g{r>{&)Mf$Nn@sZf`x$3+dc7zuwJ@r~BDwxVVC6J+yHGTjsc4<6776vUP%&M^&$X z{#^2}e#~p{aOZoAHXKa5>-1ho_IB;3&1B6msp|p6pER}oYJH|*_lTSHx3em{U#=vd z)_3^cE}PA>`+Z-x-kG|#dqcV}Yq%zOuN=>8fLhJ7PcXk z9)8yhACYNsMW+MHB*c7Yhs}BPHLe%1&O5I}osZuq1ic4A)KzVMZ}-|vtH7!^9JR8` zRBykz%*&3694Fq6X(uReo+D(!UBeb4S}dpe$y zZnHMB-`6F@YrV(h^k4RRthev`RNFB!{=E_Gygcx9o}Ka5dfx=9wtQ^Kg0Z0KE)51x za{ds$j-wId@hy0Nz*qolnb4oN&Vqnop$~n;6Y%6Pc*evB9W1G8IRgA_YbOu$*Y1rP zgbpi0yuHC^-s#|%JVCHw>HI#}Ygst;4@jPcjy?kH5EGhNBJSCfZz@)`k`5umut79h zxEvlvK$c`CEvcYtGV{<7pP_arw>*EIziK1Fm`OwvYqQuO2cs@2g{@d!A{)?`SnaDN zvFB09*HmiovnWeM@kC~vv%sZOXJ%PA*;an{%TjH>OXaMD)NmUk&VZ#kA^|^yfFaQs+wVnIgc_Kmg{Jvt4CJ`?twM(v`%5sAA% z4)_r1r~aJ-SI&NVBm+x^3l`0@H8VDz+p2|f>NfqWkY=9}&9>!IV2cnsH+**8TI}+< zb;a;vDv?sydaCbR71Dn#O1PcM;EWfb)^B9^P-w)A>)9K#=>G7i@YKY{mJF

!Y#eK!R7A#_pp5ziR`1TPrx0Ox|zF8_gD zp3hAjGA2Ok68SwRB4%(#oQz^A!#AD^N}ERGa~2KOd693ifWiPhds500IDj0(7kphG z4PtaP#wJ-4D~?KjZm6G~Y7sWl_|e*Dk;?dK>*z`mbFq4uC_eP+2YSTT9GX~DDI?{+ zq*3s|2!RHIAQICktwD&*zyF7-bL_4IYPWXK*o|$gv6H4rW81c!#!edBwr$(C)!26S z-fy1goN>l@zpS6I<~`S%_cgZ;x>&ZFgOk|4n7dF+a&d~hR+YaTsW39@^UP>8@bgSd zGKkKKeQV&KY-fu?2HF%aAiWU|3aiH4!j3gCy}1@qaQUg*^3!lUWt+4A)rE9$$oj)p znM79iD4Co&)qK;IG-8KCr@^?_qqpH0j94B!%3?5GCS`)<3qAS!MUb8O9Z`rBCb}}B zB>ZzQPD(AK+(D*}kw<{TH7{@2lxYmrE)ifp13H@v8U`j(f%ZR%?PN;8B@Zw1BsE0i zuR2t1BWOhstxC0zJj+A{+H&S`0~tk~pz-Mk;c~Kz;L{P0M^yM-HV#x!=Elm%$l8S? zt6$hl&Qol>zq2bwv%%Gnoso|FM{$`ZR$R-QYDZ9O?YRtR3{whst3;iH5s76-OjaaM zC~(N`*qnM2=HohlBl~v7!BJ(J>PgFkRKlZ^*_J*L$5{}y_baGjg~-$}&+^aU<&?IV zI&7TiC&L)V@=nnnH=DhVjT{5(j~@uo?KRbT&E7xJx5v~LEWkyj>DVzf!CWg8F;dZ& znxvLl4J{iemEdYhVH?6x-Ezbt>2y>xn@mpX0|r_TEl0j*Zd>)9{hNkIXoE76s%+Dy zjI2;VuOBe^KQh?=Fv8pbAOv9vlk!Jmi)Y|XqlVv&P$vDS=9j2W5hRd652D_&e8Onr z0m6z%z6U8@CO-S|-HrI%*b%ba;M(?c!purm!eqCcR%v8?H8HCRyyR;~M;0E;_~TIaiYyzQvp&CF zm&#hq)0*32Q5qu7^br!q8PcoK?e#=hD{va?=V{aqxDh&<9F55Xfc^~XK6`lie&l7_ z`PALMGtqaqT?@b1hwnIezs_KOY(s@AU}uHjNYQI2F6x7Wy@VY-)Gh zpPs^2+=DXE&)90e^2;CkX-74$(_>2~o=VlKRd>qXnbY4GydDZUve`=SygZh)^ zjIr6B1H?TZBZj@7fPhtk#((#%8{5iBt!^HBmM_?26}!6q0-v|4JKLuN4xYoUb^?cP zzWsWY(|&YMqs%?LFWI$vEfU(xeDUq#j{2T^mG*r?`khaQ`wywn_8JdO)Yq?9YF=4` z1dU|Ads`1Enl5+7_&tK#cg0~dx}Ep8ktod%%{=Z9FIDyN+}ofDqE-Q~9q$7IquS=zwKopJ1f`Ept`F-=<<1;lOP>oZB)rC|;SOu4S|9{{k_^P9 zAYw%LG*4NU9de7TDs3cNhSu@U1dmUYsU#~UMN`0P%YM_$*V2J~CR~$V4B?E%V`JW$ z0!M>YN>%D2gs&r62*FmXG-0VLy?-gJV}fHY0jp6pBcvJdR`3lbM}|n}lLTXn2{*pHF}V z1La?aeJfVhr^V*9jFzLAdFC`rGC7>2n57XHkYE05KCJ{Ay8J7KLsa$JL6Kkx1}~<9 zW9n}sUV0&dd{}BE_|G`|B&5q+bq~+{ZoUr-p*O+~R?hR z${2~IsKYECq~Z$0N}EFl2f}@x=8duixl2PD&&(KG=0Z~DnI#S``QJ#Wb)$X5MiaGp z?#;(Q*y<=pWP`LeYDr$328T?dCcY-aU*%*0Z*u9(jfo{g5?fQ|4BUaN5NaHAc9O)$ zqa3iz_*UgV8u8;V4HlN?8&WTj!-nVAt~28OQ@8T4G1yDTG{6ff3kl$?80<21-9-;o zX(e1c^>i&(8tHz-OOeyYk^|U_2NMIy>ZO7%{^~?4?9+nJO9IWL~} z6*(Ad(d29j+^j_kGaaRlYeK*&cVm&^)mbOqpXy`P@+erCqIHFwG(nSOT0}yolo6Wc 
zfOjIUA3ld=I8|ZukE>g&kdycsMw8DT^Mmwsu@DRDWw=hA7Mds6r~}Gff#i;Wb$BU< zmUkG7Kd?-XVUd0HX?~x5mkY7ajqMf(5flF=v#%GAoaZr(p1Ui+>oEW}h z!~0)cxM-_VLd}LqT0->PG#;2S+5~fyyeJJ*P&!~2IN=B60qpWqEu4-0)bXK-@6JO0 zT8V5o>hL#HMoJAt`^GeG^7WX+-eLZHl*KW%%xfE|{EDOcPROXlD<%!6s(T^3R@eXB z@ptJg0D3N!t_05QJKA@W!nq%omIH9mhU-Bc8Y1~Aj zEx$B8ib9JGIAE+ib&xHZmBIGN!!Y7j!Ms^&VU)Tg;;fWFR$Vs@!)r@s77{4qVAJbW z4lHM?&NT#-a5IROtnG_EMN~b99(aopTPTVBN}d~WDmZ?(-9@ha#j#6=M!QjrBcr~p z*s2|}(FoWztF~B)_}}AH$bb|!oGBRyIlBY$!MeBsP`6&y5eH_rOmf7a&^7F zeRahgWHXI)4ec)Aw=3KGanZS|Z>qTH+td9*2{V=MZnj{}pSeN1b6ZU9mgTj9l&Vsr zcaR3Ovfg#OV7pM{>q__Zi6vj0?S9dE{)-Q4dLL=!A`*NX9YL`d`bb`_=>(lKa?RA< z@mby!e$bcX@ZJ`2toA%2fxLQ!K=YH4o7o-B4#-yr+NPHy1Cu}ry4lbDrJygv7`c)K z!&&;Wbz$M0Za<~_26qeO;1s-e{loT-b6q|^&?ych@An$HaK5?aHHG&=8RmrI-RiZI zp-%z4C39Rh({D3Se#JKQNEAr9=yG3MUyY6>2=?;1_;Zo6g&B4O1TLche{LNXwAX^Z z3~Y#(@1NtH)rZRNh3?ya@|^asEo8zrJ1VaWR%ZVD2YhIup5@Q;$i(&~Wc@9>QW4)K zzmv(*o{zr``=QM!NGI|DFFZ(hhA zH`t=*%UJ1@XuV4Q zpU@HFK&p^CV7EjmEF?mcJpMZ^a1BWAH}*-)llk`f78^H3Q6FjTmzVDCB?&0)q5u{m z;&Lxzeyg+}XKYU)hA0&CUnF6JO{{B^68>KHGe(q3NEK%i z*FAc}fZ>iovFtStLIx7K*3wakFHK|EE^qG~r&^t1AT^000`t;v!QZ*Cfyb0?swq9C z(kh{^CvU%}@F}PY?1!=~Y^>-Sr`WXt;*+WgZwx|p9$ynR94@E$Oj|i@NklS&4y7o9 z5o`MR-5J%w%Ysg#Eo5}bmT>{Yp$T7uBu53=1@E-dFoTJsu?lS`0qfPv!S}1M=9Xbr zjl+7CPScmipA)g-2AF+)Nkq+}LRWXy@Uhqki#qbQ+#>v&Q!?=;yorek0RmZ)LlR{{ zNj%tWqb}*jEMZ}|4Qr4iNr*lZZ$kM>rkC)-Y8RC2eNb8Ka6;SUcu@vQix7wIs-j{I z8kK71p_cV>DgD8?Z*F8NuI;!Gz#l_=03%x?WTkaA+dN!$4LY7B4Y^F(6elS2pPQr@ zN$-E$lWH2F$*r^YSchP3)6T9@Z*Pf|4OMslb={G`M_AB{7zvceA6pC&8>3@8Rh5V1 z8VDVd%w;6?q1jx>MGiT`M%CmDcF3BclHP8o%$FG4UJR^ErMzs&gC4?-sE*Rc&IiljeZCRf6xG^J| z(r~ur;$P=c68Wwrngq!>pu&Q{e*RAbf?Vfd#Hz;s$io}>XZ z-^OKn&b>c;IQg%AjRlQKvx3CyoG5Dq;4j7SY2@2~jD6phbYF^hB7^lLfHK7mJmbbR z>+>fhlxg1c&cXlSD34Zo5^gkegD%jtTdhKafpCbYgu-Hy%>YC&;UT3H46TcQhj8Hb3^+!>9{NH)#w}ws`L96A$;!k&TW8rHGPHQm*)U+_21eAU?g@9{v~g&I7RBK0+$0AI`-zP`zLVZdL% zR2J2t{t%V>-SOP7?yCpNg7%i!q#l3@8)1+;=jZ!+T2OuPu-kc%3A6KUd&=ha^r+x% 
z0pX}L4XU|NjcCjB<1I*br~Gtvrgx7I#h^D>pI?LDJTdH=_l)-Ge`#2b}YzR$zrxOpp`WbN0tE7vSad^!du5bGY=CUH7pV0cbA#HuK zal%`Bdd9^Xwt13Ww=Z2v47T$zHjcmT{b+{ik`6=6>z=&3^Z6L6zkR*~VD3Dkq8{PW zQ(bJe!j%VF%y4d>h9-nqBjFG4#F^ zPiEWwM_b!dZ=>7k-Pg`{zK6={3(`8@-izC>Y&y)i6CtGvSiX(a_X(({NfZZh>QPL$5H@0EWry$(3-dertYgLa@gBh|Z| z+k8&h);3C~i&-~&A1)IoZ5pJnnGO~pk1u=QUV~>;vkN=;biFnH?7qnB9@>s?TvR{Z zKd;(0%mhqiS9mX@WHHw`I@?AQ>H&HDw2nAmHal}#ZZF9>-}gTceJtBX@bKMNJM9(+ zwU3K?*AG4>`Csp8VLFAp%vXWi2r=2MZ+lyW@*Q^R(X&}E{~Lt@zyLqKr1fD}F!M?B zb98D^>VrH~nPC{HJe9)2vnglhG(SH2l8cfKdT4(nw!H7xt$>>S1)M&ur@ zl@RlKSPn(dAU$4!8?{*`TvC0H$BRh(he1CCpM{FCgAKQS-OS5gJ|sCBF+QNNZ0ITa zSp16s7NCKR@6S+p*aU-}l~l>=T7lY7wVUb2n^0V)nASo$h13OIo=$dn_uEJ7oZfVc z4!XN1u=7m<=Esly_`J~l=(MUqH+tA`R`Pk$Y}K}`1$#Q(I%W@=1p8BTG)s1p#=-L| z&w=|EUYmMMuq+Q<54y3yog!#B*}7d(n{W&=iz4fUDP%2=u;h+_SvRLeWF*-zml7Nl z9f6r}OE;xUNE5oxqz6B4vbkowQx26@^#Ibf(u1iaOldiu+t4#Bj&jGkwTto`)?mCm zr6iBy)f_G30`#RhvOi+N%)%RZ5F+y>Xg3@eF+;r5D$8MH3B z1=g=zAU_n&Rl00*qeQaree2q;&9mAKGy85g_KD+rN@dkIDEJ@MX zNyK(v&{RdDUG4Whqcq(U7$Y@`lnEl8or-mA1kHE+1G8bAqNpt8nc`cQPy&-fMewO6 zq%Oe>5|iGgS)?Hcl}aq@AdI-1Br3aX!gIwb8ulc51BO+y0{H`>b5q-zGFrpKLZiZ448Cj_&Ce<`_Z>I?F9~9) zC9k!WBQP7vl=3$+0Xu^##-{Lc6TWYO#wqdV-&_S& zPrdZ0x9OD?nCPq_H0)OtiY~twjUX3fXr%h*r~Z!qfk!R)Ro)X%$@xwL5(ZrgvB@8` z&HDRY2t5XihnN}PIoFOKh{;1&Ght5=G>5NEf5`eCk6qEma}4t$;e5iR#`EOshBt`f zCGzxIL|tf(+Q{PCT)N^^aN(J=3qK}uY86@FgGCl)-5gOR*p*xnq+prLZI&6+valSd zlgzFy-h(OPRf%+{{GdHXwfA4*AZHuL!sKCe1-Ifwt&b9u;cl3RYlz4m`a$c~DdID5 z_j|xiIeZP8!_*>zVAlrOM+jW`z$$B2GyK@^A9zT&qR*@ahHL zBBthFTK0QS*1K+{=~8nfixq#f|2u%>*nx4cN@qf+mw;XK`Y#%r(V{rR2fsCc8yY6e+qk_%5JEge_1lzvYt>O2tcoMVg&A!JD>)3kf1h1cyBc3SP z&x^S+H-6{xFS_g=7ygX{-Cwu2<4J36Yp&kYQYzZ@gy|sHGyf}n>J5h$(&I`l|GD>m zOY}+C`!;zFk)PlC==J-4$fT_^@{`;Lj^~>!^r)Tw8{lduhbyORlj@|ZVdi700folg zJ#*Llw8VY5xfK-N`b4*@bFddleDS%q$rYL1Wubkyzdh6AT*{%&@*w?xgwibUhl1?|87V8sl{pBCXa5uqoK!HJJW- zLMHIIp-V)M@dQ;z_5!a;eO(52QgMZNZsOn8Uakk!Jl!9JFn6(-yr;L`9_<->rJlM8 z-;g+m-8U4q9QzyAqHB{I!T`rzs@B`p#F{Q3Qk2Wrh~KCm`5#^C8g2i?c8sH|-J$e6 
z|D?XujyZSM)Q?oO-gHlH>$hLkom`_lf2_D2?EXqMQm=L%U#ZP$(>geBU(Nn}&k({T za@`!XCTKHQ{xS;}a9mHK=W&rWzUTfvZkdfIsa)%pK_xG;M(N#Hg7@7P!*A|6oxcr( zKy&gpR2~CZbzP0!B3o zfc7Ts0*Of-p;@He<18W71V_$0?>E-c*dwwT1KZQ&~0Ih0fGZQJ?}J(V=ieFlv~Af6KV-NJF7Ex%|NR)bSp#b`!mOY z4I|T|fg7vblV_Y@vmm$xX|Y^0q@)wwXxcc~hQz2IGoo2#|1PJvm-wqWtU`5)29qFy zeE3&HSXntH`5#jT*5DB?E_9*fU|yv;dLBLds-LH zQKSXwVpNf^gxSpSs4dx;K#VEYzd5$6BLU8F+BHV1$i!LJ~%GTfZ+cKSLM|@qhwPLx8 zNxZNgbFSG@LJeu9(sc7qCQZEO>nMiO_r{84B)M)Sus zJX{F5>Y&x%bA+cRGxod~aq}i`(qf3Lm^G-VaUM6n0#(;wTSt|x3qL#%8urU)#MM_y zO19Xa!|bE?EBy0sHW$P&{}oIIX(qf0DNV>EYbhpLr2SluD|Fi#@_HLfxg#BfkC;Nu zN^?n0u@v`Ayuz(pULl!Lj6g+a#oStr*PFnuj4sQR0sD52=#V+q)S;U-QjswjSzh!l z97Ch#-BM*pvqzPUoVdZ|0^vX zWN7$HQXBVE58uSm-#d@uQS0$VK#~Z!`QXi{Uq$sz&`}QX*BV4}DK^#N{s|_fWK8sIM>92z6KP5Wc0HiV@&N1`dWOi9&>@k4(|Ox?g& zh{|NT3|X|ovM4X9R&v(`B-f?C3kLOpQLvCR?&$Qpv7!Dy@A=bEmN-9!fNb$jr{Yh3 z)}QNsOEx9>@t0h7P+4Mvw~MjLNcw)onvazg);(krrcF#hVHf zeuhc0E{#zLuLk_Q;Xe(0dSba)=8PR}XO zu}Lx{%#>PY$5FY2Hkd27X{K#i^nE_=;-@dg#I`q67{)L0K!c|E;3p#fr=st0vD+Q$ zO>Hz$qi5_pNa#A`)X|9SP8l{m%8Z;3?O1sQ0>i^rJU;NkxHt!!lGYd{=t8y!9U90m zg9_u=Bkhv%GO+>-+IYwlq&JE--4uU4;U>XkQxT-HijG-_d1z`%5Ul$LV>sw+R>`{_~M(HV8rg^{GS3x$>jLIj84n zq0mmeR)<8l{d_~e!f#XH^#q1N>w4-){&nZ$CR+eh?-O=4+RV_lsf}ObwI$Um1eh3B z{Cv)CzKSe;xo|Fu<}|xOkXv&gG=4+B?gZpqWtxB9QFoWF=mS1;n%?6d!Yhxb@q0eA z1>nPopRYD!dp_11bGi}RPV>ZPyRAc_-HNVkykfVRa-9pkXR%*`zJSnzr2@}=z)a#S z-_Pg;+0B}#4fM({a+k7Pmh&h63J}}QZ#w7$lR27NT$PG%jZ23N6NanW{V8^Z_dQts zT2nyq>TUYmK5;>pKD+6Nd9~~KXgcO@#V^VV`2JB0hyeh4H~a!s#jy3>MzPh$IKG~~ z9USDmF8@~d&{Vfg7xQ(wKHhZKW3O1*$Sz^>hCez90Ck zjUs#8O+e!x`+-GuuXFQ;%kk>> z|BCLL_d5#j7oo^$88UMHIpIC_i_c021vM@MPUMD-lDQ>fcF6Qj-xMpk zO;Q>(6S~3NRL*p#NB%zOTKEmFSPA~2oF%y6NZ4$SexGbbHl72VM%wLt@eM`#h?dy~ zg<}4+EHv!4TzI?Dr2_FiNRHGt>Y^bnL5D{=oGe$Slvmu@lxGp~)TO$(4h&nWf+%0P zbBolYVP;7yfqBIOrkICH7w33GPE2B-oM-u8IIj^&9aU(MV+7HdYxLzXC{ zk>+1}iXF1gcq)!sW!hSLNIE}~T?u%crie<}17r9vW3`osuG!gW(I_vP6re;YvyU|~ zYUC<|#mHRi(x1Oo0W3em^a+fp{RoY^=Pl+yf4@(Hs;v8GtN&*i=)amf@T1(Afvc_@ 
z?x(sp<=EkR&Rm~YauXs_C!C3)m@rYea+7-c!V>Cml2QFIVmIA}%b6I-2Z_>ZnUOCn z`A@dzMfQaAB2QO3*hFD)b?v6lNS!Y6QtolKeqbUT%Y@U#Yh1 zDJGI?^^^z@#^WsvnkkH2>kz-j!SY2Q@?Y@MNKt?Jqk2-42F#I)CUo)d z2|(+O-R^8#Z@b=f{C<((H7C9TEc)3`GDmq80%5Nr@G$2Wk%Sktg1~B?8v;%zTqEK9 zf51enyHJV4XO)iA6B8fLc}DJlnnnYW&u*5KK$%ku zrcxhuCyFJ{r5sI^UR*TB#a&wU{Ke|4;7OlY<$b0hd^MIzw{vCBy);^Jp&NKASmO-A zAdv#654%!pyn6u(xsu|41<3b-BYq~#zx@n>iQ$%LueA|_fRhb}C?jfk53c1LyL{gG z2#HN(FqCVReVHH6%X*ee9AP9DnKoXCX7OD!cRz3xqExHlB?XBS%1vmkPH1PqH5(RI zFJ*{B0=%R5-t#4p$Pi~%G7%3g6D*sZMSbR~znfu3AFMIExyn&}EPmvvO*^JCsF3L7 zYj*rZ@;7W&8!XN!e2T_kjA`dBXK(HjUFe8Cn&4hZ)k^rWllMjC*?pD#v( zXr1uJ-)F6~8y(FrQSaJCkwIat+6WQ0`n7f^=_U|8jJK3p@7Rh*b3|k)o(&NwPuvov z5l>tG?Jw@IWFlTRt+Or$2AnN-s3o-sa(TyaG=4#md~O1~cQ3_rpjn3Pdd#qybLg*A zMnSbr76oTB?pef>^nHG|Ec4KZDTf@;awrK!yXZZ!Hx=l`bZzu)_KIH83-IxV5}|;@ zna%X=755dTo#LJtVn`yGO!(aSKDSWqi%at0z6AwC__-o@V$1*2Ou%!;1Xux6)BJB@ zw(TfYU+^to#IJcg2>oMWx7gj|rfeoQRNKC7wf?}KDJtdS^St$VH)Sl7$Yn*LTzm?V4DibdqRdQ2z8 z@6zeI@~4eO`qcMgsj;W~vHVo$Zh)iQwnorv9qL5SdoxCU%4hG5UjCBv5xw<{u!C_F zak;T^*mOnc@2lVzKhr?0y-s(j6__)Yr@r5B-j91{&sm+f(*cPevpjP=`zz|LAL!G* z1?;)7Tj#u+lLrL9^=*;YXc(5R&0fDR5OP6my!f$RbT2d)VvjHD#VAj1x#GG36GyVs9vJleevKw9D~zq!axTc1tjUyzSxJs$Qqln$wJM4|}G-x{u~b8lgY8zOcmIZfmvL?)G=b z3*FRNrkp%(FNAJ@_w#?h?W?{1#q{=mTz@E6DiBwLVn0E>>0cYZ7a+(0w)b4-VL=oS zZXO9}xe^2ouSfZvjZ$GsMbHaGe1`r3a?lq5l8;7yk6+v$Fp^H2@iin z+;$wHfs|(^Tg}q=zRDhHNCqb+8ZTig5#N#~Ngbe}wU7!O$~h$=V=$URmQFgkXuI-4 z?XtjD86xw2&xHkxd-k+B_}BKuG38KyM0H@i(|53Nd3d8VacMk zKSnBS{$fr+{B+<)yPcL&sBR9^%(oXCuVasHy>Cb(*KA*bF~zZ0mPrx)UYDwr0ZEuI zjym;?f^%GfMxiMzP#K@4J_JrCSNYs6<|-D!YF*A<2gM#4-L=6qS!>&7RJM~q(E(O_ zFp)9>A=(?l8Eobhvlj;>sjj13i&d6zv>a$dQK2|uulAa{fj*VN0v24^G0yH(D8WYXH{L9s?2_j6lHu6EP)k@9bxV_HE* z%~kyx)$`GegH_bt6Ue+^-=ueNhzj;8=#UnQ(bNk_!D)TafQi~gZyHG)Koq8yuo4Z| zP|#;INT$d0)4aYVv-g46@;@b0=ulOxSwRR83X)CGjAd*!?nxBMHJ!-fZpDV$vT(6$V9qO zWq1<}6K!AdCMv3F!nGol7_kt%yOU8qTsTz0F#9CXn^NSOlH&*RBecZ%wHZqXq;gJA zyp`tz(YO`HO^WAI6b2I}0|ud_NOdoM1!3^8FZ>*&EQAY0dB;SOfjLkr*qwJs7n}6q 
zSsb=9DX|;AlBB}t{8o{ut{Pf>C)W|{GDRZtn)Xd)&Lo>*P;TAUoRBHE;<2AebGa<^ zmx~vVB!Zp zh<1eiY4}Y(^flCw!+q;!r|o#l z*%@3u|2Y#JpOI!427V)@nxDpOG}w2Rpcc81l%i4Z)uwM5PO?fRJ4|f0h}1`3T!mV` z@E9ZEa!JiiebuT%E5BHDR)*x&=Mtw^SRzU%cDU(Qvu72~FiFD5UbitFgPdo)do78T zFoQjww^BC=ZSJD|bUgOcKpGly>uT7lJ4%hC31^iJdep_0wA6FGO~REm>zf5XK|{Dn zRjiG8WhtSp5?-J!Z7JWG%Qv+z69X>0AuILHZOXx@qx#x6ygXI+i$-`b8Z1!84G$}e z07=w*j+|XYHqWh*PvMbd5XNOoQcN^wTy5N2AUl1t)oxKWcGh;2|41qn!*KBSU z@jYEwi0$+QUIH3SH6lI{n*G8+f`7t5IucMBAchJ;g7SgrAmJ1+AR8f1 za3ThDd~PCWO2FF7E8C}4fB)%2+I}=Mdr$xKs?~fJu>VYkjohR5xmT)P-Ed<3as6kr zlU|)`4OPb%@?#(APJCt8t8fa6-WKqzJ(nC?-7NGJnYa*?*&B5A@&5ASP2#t4uq5|R_VZSIrmioA@5Q|J z*3DW^`??7xt@z``gy!OLjXbC){4(;c{VVqugNi z1KIbTl8?oFJu ze=_trJGpxKK9PNPk)t5U{ZYL^bs18~cR%^Tr|115&-wAhv)iP<4*Z;~^>H5*asM~1 zZ~wYKa*^Y)8!m72FzJQDDEPKC(YvnK{qbHa_JTD$7R*YQ|97~O3fe^+%X-^~Tw_H(JsW2>!oJ;*#4 zJW*v504um(&h+UYe0|=PJ@214S3hoVy>@-wYX{ITAo^Eh+wAw@H|zMay@2)B_71LA zHOpC@>ifU1?SRpbcBy#?IXkb9L7Z)SDFx` zZjbS6Kwzi42HA~o^ISN2N3}m@9pyQPj1ZFe-ToBL*iIDE+-hB}tx37(=t2ZQ3}dv85X+G?KDl}e?# z84fTeYzwMuPUJW{i&!CS0tl}gRsRma^ebF8o;G`r|%GkM#bQ+e+DioGl zKFX*eIf#m0!>wI46HyJg<4>UgffjO?N_Gh>@0TumvYxixh{i37WpiXvY2EQR>36X6 z5!dWknKBXjO&}Dhpk@AW_RK=P1ZHk4mD*w$%f#IZ`)BH4-2&vJDbhO`L1N(EH9z|>w1ng7 z?N_b73x{9}Ir}P?4NuF)Z$kQO;W_h8qH*sH@b1+cE0AwU+7Sn zA7M!clD(zP)zFnM7f8jcB`_+ueae8gtQCT4uHdQQ4E*%K42Gl5W-&6B@+Kvcs!=GO zDvCFyk>^ZEmjaiwKOJ{5_ny>||NJ*t^9CrcinhOI6QwbC!D!GozXPFUnF?UY+pJ5V zPZWq9tCfi0RzO%0gqUP!3qr)=NRrZ{27rebcbclJcP8otsf?<1C{aiLP8;JAQxnub{KLN&P{ZhG z1ati~>BM}aGVL_NjQE6S9YeiB2-%W>qcS{}V=J7oS z%Vf!!FnmA9*$0E*W2f{GG!i|~iR?$kWBdzpkWJqC3@^tGJt~W9mahjGJya zqo5WIs8V$hs>G44&lTxD{5hn7a?ZJF1NVSbtsQG-FptQP5%8O>&H@^1y04(Nh;*!% z;0q4=`8BwW`1PfK?xq^;`AQ4HUvpig^xoxOMXVOXZ^z!{Cibd$Ll|Soko<@l{1Igb zXA5h0izcY~koY$1Hzf2U!f0>wc9uy0{gyWF*H07P7DkZvob%@kQ>RV2R)hE!H?IZ{ zAdmcFwMD+i8o1!xDtMjAmDRYJj=$mQRh)c`I*s13n$vtYuYLvC%++)0c|9~M{l%=` zQ10^vo^9Qe!ha|`&`G3w+`PEs@ia$0<4L&ws@=JDf4$thv*u{{gjemwLg_BCi0yVGeT!S2rv1 z!x`)>o{wtQld8Abovt0i6C0oql;@m%wB9?#oJe;Q$3k}NcC~!%O2=Emcc2bZ?v 
zSuOGXW;2(_jL&__M0Lo)x2h$F;5iw*$*#XSJ=JyhdVT53@Z#kXa6SrR_FMFQYd*32 zbD&KOkCI(u>v>kcd&Bs$Wt%C`67Bdo6>#xmw0WG(Ov5$2z$w6G6y^0 zGxjz58ZEcSg5>H&zXsI%4)S9Jz9GI7zZ!pOrkhuW{W$G{EXpE0v=oe%KG*hX6*IbL-#>$T#JsW8sT3q%8<_0XCuMA#fP?CGOa zl&~vflXhMOxw^iGWki7mstXV)Q7Lw=t)OVJRS27Hht6r90l5D3(4yF=?c&iFWGMeBj zsizw{B4FEeFl(!Dc%$$%%)X%6<*im5l7FQ8lTQP%~x9OnUU)x?o@Y=dyhYb`dL?&q5ZF z7hLq9sqOE8&3eIlhDH*GPZR!JZG&=>V79}#W|>6rw?Y+#S7VJ}^@9a*so+dD@l3^> zKU)D$_mk%BbrmN`($d9D(dk~u9C2Y@95?9fJ9)sj%qdZebezY1a2AFne51-`6KftC z9th=>n5GGv723IR8@i~3Y%M7iX~Xi#XXs_4;zToDe?@55?7wTs*%glC(Dq63^?j~l z*(8Sur`+I!Xt^|b?6Ovt+HTV5xz5s_j=^LC4Eu>Vd9FV5^f5_UdE^HjO25&E6O8&* zM&(8o!txWp@dY^i3ctnR1Gi3LH|XS0Y=s_|ObESjB@s`}41tdrk|-oa)`FS~Z2r_Z zm$D5+99>WtTf*g_BrmVA$A!b@>h|4xamGp{Qk6(?0H?`6GOmX^$onOyQhO>o&64}# zkUWI`Cey7N-r?h$^)FBui*{KjezbU~jMlos5LuTP1x%V`!n8r%vGVP-&-mE(bG;2esK#oa;P0C)kK@v?tGeeeDTr(D)D!R%{{3EBq zaYz&6FDYbuT+86OPz>op3z9NQH}1N(w#7Y_R2%6p@Dws?aT+U?4@1bp^1mgKnA7hH zFJ2*z8p0n>PFsN?S{B0+rKA-eoIl#&%feJW%Z4aXC|QV%EviG#>R1N??Jg_cabZTJlj=iC0Zd$5I^>XP>oTfkZ?c(_g};)1CIGa` z30*wdwG|B%>CF<0=;&xU5adPc;ExQ0%|`M^>EI90uVi3wI?VPcbw}}1Cz}`~qJ+_c z{gYgDv0f{#I1$nYj^nk8hM)A5qL=lCIJ`{2YpJpiH8I*e3sgyw=Z&-A+dkH7AcPK-CUd-yGq&QB&#bmw3E!BJ_S066ZS{CXDTJzScR|{{Y?IvObub_L_CI_lw0Y^|WtvegN^- zUQ=vec}BC>zNzzFIBXA_E8j4G3+Yd{Cu~qW2b!+vdWJ;KsP?Ho@qxa`KOcY%{5Ti4 z8(qIuwqECJxtk}VP50)}RG)N#hrI`1(99O5y1iHH*B_(W78gAj_6|{3<0MbLgZ%M= zu#var6@JiU?1`^-7jF4y5wn0##-FB#+7-}cH?)+O;qw}wnx|T(yRqd?$yYya(^tWX zr%CUD8+R=4xFt4|>(I&wwGPr}mqY`-F3V@X)x$$(*8{NiT35^Oy$j*vq?(5qN5_|; zJNtRiJ`zqWPK_Ca0u2zyk&eiVyOe{0P$+Q+WrRp;UyMb46X1$pBC zQFV^(nMGZ;uGpxc;-q5RwpFohI~CiuZQHh0v2ELVo|CuxobKyhWTrp4`-%!ul8$OR`1JJVm2ybU}zlsm~Zs(!;Tuqn~yJ9eDQ8S zcdpVNRg*m)LnvLq2LY?yvh*39`OM`t7VeZ)^&q+o4)^t1mvUsW@onX;Pv^gNHxQS$? 
zzv2@A z`Z1J0Df-{}!mt&R5eFG2k9n7`!0+3Ll4#Woc`z?J9T6zrM6m;L6pXPsHOAj%+Y1#) z7HW)svc=phwrU=>%c;h8lww zVnKa^uRNh`#hi51e7YZ26=shBA3|LUs1^O*m@*DxTj;8hSkuIUg&Rzl44LaYMMuSj zNA=GshT6_De#FN~lIho{CiN+5+L=0)9gIXr=rBZCEUpSbz*gRq_E{s!np>aC;o~!s zh7;~-vJ;11IroHDsH`e9NHp#|;WXF8-`880;O`A4Ey?F&FPtLaK~SVxQc^1^!XCBo z3N97aXLQ7$v6=$0kKgPz~1-P$WbKBuY^l@V8BodojhxrkyhRJ0D8 zvB`0 z?2HGU5sqo|5>>=f)2v>$EcHQ#I#M7Q;N|)|Qw5U@fjJcy(Mcv4+vImsYFZe2V*NRT zISx-AwF8ryOed++dEbPt;II4+4*bk6wUnQTg&S1~m!&1w?#9%{!4rqfWXH0p2Kg-W z5nD-MNghNSyHIO2%;gAiIcW&z=3LPOXJ<@QyFwl6=q3ZH50XU4UE0Ir$lAin$S`*r z?WirnzhTLW`(yk z!h}ve_sd-Lc%So=QlftbKJn+rIq}H?l>nIl@dw2LjAh{AzI++5h2zVwith+4D5r?9 zb%)jr^(#;B8AqnCM9~JzKLF9#MUtAbxw1ur#K`A2MnBUA-n)AKwk(EaOtfr+K&5sI zWqDd8W@nU2LVL+~sZ7~Gt5hIt31<-V2(8Ez7NCx|44t|Sq~U-f8#&xs)D>!BH2Un= z?pOl(9~n9Y{3FBoNhfccu?7QEcq1zZG8e6kWL&_g!`=_ssNtXlSR3(B_X6BvF+a1F zji>U?Dhu7(KqTJPu><{#pf8f`y?qdqHI@4K$<}k?;vg2m@@bYy+koZ(5o&e{V*I%B z71Cv@;|)rBn~x<1Vlomk=pkD&1=>mCFqgTrV=*IIdBJkT`6eA2+aX#0g$q+I!cs7Z zVLX!38NYOWbf|015gCOxECv>^5YxUnc+3nCVPGe`AceW)A^(sJF!XyrIpb^ENDlz) z%=+3RhY*4m$ITA-<^hL%=Scm4yT}0w&~gK}Cx`r_Huj)z(`%<6mpOKRp4Y&MjSXvW zcf+l#<<;||E#E>u-zyUIwslj_d(8@W+-9RVe?QxOo{TWuw6Yqn%W-{;9bAZ*r`rbS>kywp0+`poyT$AO%L$~{lH6<^bXAGw{hs}fc7bZS!ORk+p zRLu>~IiG2+x4+7*W;Jcx{?tugdgr=*(bLz|_k;8eR|1AhEeST;o<}BVrv^e*(;N5M z6RCN;KA=q5W~aZdwglRQ+UC?x`d)loEp1Cd0I3*s>d|fofx8%MP&0L!H?vDG+{T5` z<2!ck_Bgj-yF&=EEWAGdo@2fbM` z(;o*0E3V7lVOx7&$?Ti=-4Ae`MFeka2M_q;)iSm|=g}h?aJg=&v{O145e2|b6Wzw0 zUaoeiTczU}Pt|MNyM@z$omzWfr4>etylt-6V_jt!Qnq;P)Rn^5e@*98+W`E(L1tfp z^n-j*KtU&(%>7=EPx1Lv(Qdmsi_2$?kN-$+Z!tj2giFTN1N;8*6C)Go^~{l+!W=w9 zvgVqVAUitfIv}K-r@B88&iBhXSmxgnSZ{v>Iuug6^G`ZsW}6^t(<&y#pg4*o$y_Q} zVesf|Ke;|EP6KA>KUT26vuh6F&KwI@7bl&$P^silu=XRCA|VFlSh9sg@d$}$qAi~o z569!G(%04L*vJeB;r{$CLWqR7nZ%EB5fu@Z-9yt!sq>)FaN? 
zU#Qv0=SfAE(DxBP`5@;a7$jO1F_m3Uh4R<*mn>%pdH<0YwiG)X>rCbk$~9wKgeWd- zv`GGWQkQmoijW}2r2;+2q|MYdOgd{bipo`9%FALZjiqrIA;y7LwJ48TAZ#=+&{l)S zU{wf<`7S!yDKtT=u7LktVZIl6mz#A_F1(nFRwSCbeaj)_@l9^JW(X#OyQSFgh(zj`efEzwIF9*Mty|~ zc2X5O(;G`>hR5AcMS}E0<37$XuqHCm`UC$8BPVDk@H@?zv>X`oP#S)krHjQh$iPFE zdz*BrL5Y}4pC#nDE*8pn2ZWOgi@Z!y1zfA)IFw}`e#Q_kXVDpS$fI$FYFT=#ZvC*P zRC#G1Zv8+a|Cl-a#ra9Db*vK6awO#m@LG$cc$y`J4dz9zopUy-CBNu8K@#?J$;BWk zTeQ5KrLhx8qYnL0FbdkCuRk=z5;${Q&SK8vbvu8IYP4pLsj49pKj{w^fib}E#0)`F z`Fss`BK{}UL+!N2;8;6xDYTH+dD|P*L^)Il^?(MYG_f ze5whV2EmilCc{aD;*Vb;Qp{Pl93TXW93sCyRQmcsqyC=nOPHTw(O5)NMhPSvwUfYygaBWTZ}m*fbaQu3*a zXBk)xz?eX_4&{84+AN8<({Gt9qbmLwWc3|&KuVPJt(+IVL8`T8%~2cxH zG$+QY0N2B=^ec-TJT)b*Tx{2Tl0T=D4(vOWDzus~?XJI=h0yc0ELWVy6e|V=S?r9( zI7=vmY~#(fs{L7iqUNKWUd5$OsQdtHWSyB_slZGPq5evUA1r@|7GAg5p6y7Ow`3`u zY38m7^N{@sH6KQ?mYByK&x=k2Uk5r@>ks`?@oXDh<`=kn38ly4!pJm-qO~TbYKc6j z?K-8QF#OW*tg{xagNk$aU~Hao!XA7O!w_o75O}o@i3%GkNv4nhCD0YCn_`7dFG zU1Z&cmEYiJf}gkC!Ka&r-W9SJGx= z;O%{R}{yk z|8k=G?w`+B_qv3do?{cE>x7g@=-8fUGns_st%5|KR5ABxqOGQGnop%wfF4x`mlB0diqgH$|b6+k|;rK4C3x3G&eBeGsKBc_x zwc44r_yETaY`vYENUt|Hl?X23>5-3z)ViMg5C5i4Db#i|pkCfCZ%_8M>i+$-IvIPJ zqS8pcwA^alA+>^*_V6i1?HDWOI3@Dcyz z{;4mM(e$|-@h*5N9DMjIU!0kXJD1j+WbAD;SNv5u_z1RG!K$TbFg6vdd0;?Ezq(k4 zj1lbE(~=Lzcy#HVh+Ps9DY^vPSc{Z>S2jgVMS2EXTu~iF=j|MsiQ=hxOxQ)nq6t+Y z(N8ha#PW)1*rNiGxWXq8`5&@9APuaA2`Za&W8{+MCeqladiFOGD6J!*Gb{pR2M4fv}h074U|j5 z%vvX0q65<|)F>IKTYV%bKcQAN3RJEiCp%biGjtJK@fyQ5g5Tpr?|I>H{vZ>)LF|bB zEC^j;?$?)jY$(nMD0wif+&J*_(3tV<2k>k6Mzbg9RHLHhOi2qh#8H@94~E#YPqnlm zYNYTcEi0A zoyJf=1m2o2@lxV{C}A6Qn@3y6+Y?tTl85FjXsvilt{px34*@#byZ&Gyc^g{VeZ5Fs zhMFhG1x^YhDkCR}YOv`{z9U7o2o`yZ(Z9onq6wW6H^D9nR(Zo-wk;(3zyMuV0iv`jw|7YoaKpO)Hm7BXd9;!(Y&7(yN_L)tgN|XvkY%Vg6v7s9z zO4jb47E+K*Kh(k^hEaLDOiPM}fk%u?*=BQuBoa3j0tpCEm!dcd(z+}nA!T3YH5o!r zccx0n3>VQr9|c`N4@b)m4g?V){{-hMpJyUW3N_{%91*ZOeBI2mUXp&g=Me5M$eGzg ziw}Y;KkJfk4)sWi&i7FyZH}Ni8Pqo2tZ$MaX(Lp(j+V*uPjX4b(DX@|L>G!KMX#<{ zR18v$r)=FH8@|t*S_mqROf)!kX;ds%S6<+#F#MBX7w!H-KI9QOY9z2<9oZxLkc87B 
zv4;_}$Rg#ADLAMl%mvP}ryPz=^kcJ#`4a6&N`_5Ha| zCNSIGWIhj1N~0K?-?PKbq1RL@OXjan4cG&3jc| zmI<%qT)>_3h_fjD+u7cXE%J}%m@5ea0d8xEV~J*2lQVFt7;kwN10?@vX$99z6gafy zyQLX4lMkH<8c&)P`J^{Pv7{KK<%{Q;B@DUKpe`JIfy5#5Itr6%HyrdoKa0_62OhdS z3s8bJWRzDjIVR_7f&F9;1wyb!GT5th0RR8nY-6djfJOFXg#1Qp5V_Ayf9dT-```fH zO>S2MeE`CJ9N`LR5JI{B-%9k&3Y7ia<>#aFpc^2+%(t6;_FJkH+34Dk1nvcEkX z``Tux?cEJRQ1w1bXhrgQICbhZRQ<*c1vu!Bt6waj!&XFG1rre4szd`h=gyQA@WK3_)zf)@if zdU>)sPP|jTLDqqES65wE*Q3|G+waq(WW^dQo*P>`-^J0!!28S@-Yc~?u$PZDs_<^L zYXTmH>(!eC3{}9jiZ7pGH1kFE+T!p^_n&p+n@*q`$oBeZ#@{hpr`cW)qhSF9$WjaL`AKGA5m>fB2#*0&dm-}@pfUk?Q|E&jW$*S0=OuXkM`jOgLh zAF0Ln@g6DQwk`Sh+I0x2w{_BK(ZRFy`fo1XwqySm{#!`;rH?+^_A;7cnBMMOZjR6| zU;CZdx1}2ogzV1uT0|||x@-CExo57ULyR1+(}r5$UPs}{Rk`}C>&tpf<>u^8RyB{0 z?E8#6eQnE>QtOhPj|Qhlbmq5BTZ?MCBYs+TL8eCpesEqkwx zl^S)2R_-XP)kQ7pgOi>*@0&#(z0NCo-;Vq1*TdH3HNZ*i^=j|SbztneBG*;n6EGgA z2YS()&kO)g*3Az3Qhm8C0w?ZrEnd|#pw|ojRt1lno$%k0-{szae*#w%V|AtMWQ~-* z-DI(K9G|5u8K($it{>C>6^BU)aL$gd)mim2EepwcK7O7KYN=wU=2Kz3xRk96#091G zphXVG-8##fVH*?U!V}C1#*NId%zpF~woU^IZUcj4yo}5atcIJvJ4tva{>sebbs}q@ zfmh?^R~UQ;UX_ba688kt1CLm09s`V~EB|?pSNQTW_m*&J<%8A36W6$`B#63)^z zj2`=_x%|Jc`0Y6lHw6Nt9&pOt0@a@|oH|Oh;G@Y(+;$#7BYWS#yM zsUwYx4c8n&vu)tXsc9^j&l#{JJssze4MjLlGMe--UDs9ov3SWa7t5Rh6A?uz^csNIZy-HaaZyGuB>Cdk z1|ra|P|Gk3`hG`%@@nyc8dX=v1fS%(xL-(&Rq6`qj8rQ6+I`t1bV}ZTrh_S~v5!9M zH-8YiE)pgE)L3i)6HegXN+CeRPUO4rNYtErTwHbh({W=Vpup55H};{!jkPWsypJAa zXVMQ_R>s49f7-%|dn_rr7dBo*Whh4^r5`L4r=e_%I4!R8`z9%$k&e3Dw0M&c&aqgj zr2g{}rFocz&0kAb6dNf5D*^kL7B4py*%?gviq(N37%4U*E?E2`Ze;U3vZ25l;a#8L zouC*hu^3&7CWrQMnrYbHf-eC%SVp~~*Fe0u6cZfjg=% zP#t{s{gJ|2w*#pQKXO}>F)y;wBHW?zL|hiXC$1GsmS$W0oejF5qG3m24%Rrw#vo)# zK?N61Vte6?1<7R&b;X^vhp|gBq`pR6oi7SQsCtiFn?jUD7V0brBWvmnLWRNXI554E zHD4B=RE@Ts3Q}c4GG|+uE32?HmfX&RQ7#sWnZZG%T5p`pfF&;%Em)OdFvfyOA`}Wg z)KvVJ{3vF=_J?+$DwAqi5Q5^2gJC{Yq{4trq97MyL*Wp`LSlzk@i^vg+p@GjB`RVF z7E|76uur|!-{>=$ss@BW<^rDiW^JsCsjz_mFC+DN!vvl`N16cq&HUE;J%^j|^-EV>(w3UyW%CL zS>e34Ca*J9*URgzVVZ5kJ-gZTP&L^L++g%~rep)F< 
z3U9D?b6OreIJG{1PV{XCRAlmbzG1~q`BuE|QvdC~mp)v6Sz5Ort=)PE&AxVXYyL8Q z%851I>X~j_v3Wb!;m6MEex|qOT-I@)S!c&>-otO)q0I5KZ8(uaeY=p}YM*D<>_kHB zJr7u+6Gr0mqC8`KS>15BFLQDABJ%Pex6Ibdd3{ZcO--YI+nSZPZGR|HyVB#ZPTu>; z@Amgii;d5Ci``DEj_z|}+l=RaCO31HdW>wQb9Be~JsqR!<*-$r;|#N+UH-9}6_`d} z%ccondUN>DoAy;r`w&oC|C@~mcpMm?tm!#}Gid7Yc;Y(AvA<$}+3^|#EmRywK` zT$bQn=b?DL4q&aWrQg}1)^rJVdTBeE=e_Rk=~$*}TxmnozDvDk*K@mK&kRiM_NFAj zZC|)^@}sTgyRW;l-E#gwwOjk@;?IWRC!ku)^wet~mR<3FXmg(h4B67t;8!z-v#r(ZtJ{kcdvcDbg}T@d73^iOjdc%y8x~c6` zT=)A$@6r^_%UV18<%CWfmC46&25r!bqF%R6WQn(Qs~%?aIB8QGFt>CLP4tiKSHe?< z8quY3FU!!oknl@c#;o(bPDAr)u`!Qa<1pk@>|{C!=_=Sx6?Rbwr8x*=5R(RV(HKVs zV>Kdbl6Q)+(puUL6{nWqNH93~;vYJS$OE>MA(&!rtb<`g|LXU2#~)C(32>teKO}6& zEbuSQUdyTwFh#>|Yx)+n>kkuzf6wlQ5P~P$qu7hIP-`f2CRaP565l|=E}XRQr=2`0 zri2E8B$-4eoKl;o+fjNKVLzLrl-=4YR}~#N1hq=%fqOim#8U7tXn zQzXJFBvE}&19rC|C57>o17heHe#rj*_G!n;l#=#H8FnjT;}z;G31WtwDQBT*ysUZ2 zou@RY>p*@96<8TGqlIBPt6M1(a?d9m{xDZpmX|9zz}~!Jpsk8$&oX5RAjuUIu|M62 zwq2zb4Y%DeeP9%h<_W_ztwc{s*0hIVXUJQkgz9c8aXm+Xz&+8Pq!dQPIYx z8jPDg$L%zh}5YpANCJzyS_tMj`ZrtVFC1`B&kTl z%zJndSqU!)1oTXcLp=8Ef{ij=tmse{*hEc}K2|Q%f+VPr6gDv@UT?)ekrbC9l$ziN z&YWhLoK%==ECCLLP|Mv!+t!>xq4!53h#)SsT}ZMmK!BI;E4Nca7jtQ`A~*ehrl* z76~QoesN@H5*el}Hi={B5{V@ijq5B3W6H?L#y2kMOrmSj0wF}6+CRYspLGL3nE)pN zr)vJW+OLzZKC>q-H=HLfGZ&8}7Wb05vz@aK44Xs8-k{JZIj2zg%Q!*^?VQk|!g?f- z#z>AV64dz|D5r@6x%&|FKO21%Oeatgt<;Pfq$Ww0%s~~37sZC0QJ2$uKagT)vt|hP z_z!ozfs|y%qtn3zj|7_3$u3I`nwE5nm8EtS5R%o36muzk2NxTp4yu^Pzo04YD??b9cx z79pPufOVr6^CbKK9>5RC0OVDSd0*2V;8%JS()+B&%I1YP0FWpv{M}c(0R8^Wr}$t8 zj(dT8l1HMPO%1H8<~9K~!ufk@d)CTheO@+4kDW2Jzow6U%yRAe)Z}|zRyqPd9%{Ag zR}68!o{p*I){kdc>D;;+zx)@rvxaREcDU}SESt&MJ>9R{|B=~6rQ@-??Us@IxD7nO z;p+h}5B{0D&Yr1CI6k&(@wp~{6b$Y-EE42m^|T+@oDg`OzFtgr>8r5ukbMpKEYkPT z(KTwlzt?6v&T#g+xgDVobT+K_K;gRq?R2@V8dvnVU7BkV42xP<-wFq3y>5}(KQhx_ zXDcrmZj!#_+`Pt}maTK|ubfI_?f75T6YCILw|1Vld0c>7++`rQE8OzBo-5L2#~M() z-Af?ki`QL;@Imgk+_7@D_NzC(O6Hq&57?){52HE?P|U~m3-dvpWNTC#~IHU&po-_cD>J*v89t+C(&SKJ2*Lfq%(PaP%R4ju<(<$6j8}3i#^>h}%*xT>L@ 
zj$yD1K-G9j3F%dLdPn~RM{U!4e8#Htx>@NdJ~`IShhRTVx~IeaV|y!xlVZ)bVdsHf zyW>jrh2Z%?cE-bUnpxh9+UXwW0?%3#l}?<0LKFl{0ID;LJKIDJ=5QyExJD+P#U zt7{Uflxb|HI%lJh%3KSm5=S7SkC?9Fd?sl=!?+KpN%G*82#%u@jdV^*baXo{wphP? zve$MTQbtI0o7VUIjqGA6WHqpBf_%+R^-J;@Z0E`u0Td(2)_g4I$ReZ?c@uTt%y$0m|xC=#CGjV-cy!v>p>^pQF-Snby7 z#r@+&X>0DS^nJvo2~f%W>+g24d{M!3H*|Gcj3c7jJlAc(hJxZODKG(V3Ep`c7^I}$5NJ) zSOr&>`lckm3h&#pf-&c6mE9}B9x=$2`{{5YO4v!4QZ%s(T}#Lv4Fh5c8?F}^BuWOI z14_hXGArNL7`dXzop>e;hP`2zu zi5j|k-+2QiecwLK;%(W1-*DM8pwfiAOO=4?-T-o5n!zM2HYwc%OmvIhL`F?6LMb2p zq=ha6wR*H4dWqPmk})O)arG$2wCb;_q>n952(lri^$12rkWEL&Y zkCz%pRYw3fFK9MsTr972U1SAaKk5VxYW{7)l`@^qO`5|hQ@kOUsmsKmh~+|7_7If> z;tye#VWFNSq=`Tr3V)=4M=I07LX$V>rd&G87Uf9-?mYPos;+2`e~Jb0L+0jsDFcu` zdVmtHF`sDwrDmxK@l+QuzKWWS(4!9)f$}X01s}cQ2!~#29Frm#WXUm8N5r(6fi%?` z*$xYGSV>GgXb97v?aC^^jqGv=EPp*73nt7n(cNK~r$emp(Fg#`jIu*OU- z>2M$AnlVh2lDk;!xu{iVNrgIWw`Th_tJp{F+jZcISa>M!fGI0?zu%WWnUzI<%(Vl_ ztQXAAMS9iomCzZG0>K&+$4JXA<~`)HhLWqQR7!)ZGL$EHxRS3JAo}Wwwa&uT5fA6& zOdtu3Qnb8ADX_JNmMUP!I+VqsJ_5JhjvtZiRUbp!`>M`SIBt1ue|*R5WW{R+2{lT| z*crfQlR?cnvMADKkLD2%u;f&!T=uJUXPv3sQR{~>g+t<*NjG|yLEjIpduC}crvv`| z-{Y$mA6m$`Ck_xeUGvScI0ytdjb6OS^!xxMP77d>L>mx{`Z58J`Cl>me4#M~8yFG< z@8nPUp@_1HPx3yl*uKg=Pf#9a(t#@GTj;r0xQ|<w-1Xj`P+JN^3q^_qlSzp&> z&Au}$UiXCz93Ia#RdRH8?c!ID>$b^s?->#;D^m=l&XX;ty){pMXFHGH3p=iBf%CnE zoA+g1aR~OWcl=qv0z$8^hmKWuE`CaHYu#nxWe7KXZ=?PU^)${lhhy!%tFI6~M^6hN zUA)`nd8^mmWrsA!?Jk(LryOFnq;lI~W=*`N(+Z^h;clv>6bonrT+=_|Rn@)@h0D=I z;IzBq%(OMR?s-_L_1#~)SpGx5!=2T-zxGZzCJeW{ZhO7)5bN#)R|U3|8WBR~y&Uqb zgg1IU?*n4ok)vQMfv!Niw`9E@LqL0B?T_G%6wR*zo#{^bPCL@$E`;letJ30%R^5|J zd%$f-b&v0j*hZ}I}gdePOgwNle@ zaQmRU%$C)-7;C$I{+P+$`Q(uAePPE=FpIO5%0EUs-pa%13rHt@SXyzk<8N5s5}&^4 z_JDEOxS^BTC2cPDahst_?d9Y+&WU8xI`}u@fuXz5@ljr_26L+B^VGN#-&yVW_0N;9 z?u#DCwIfsW7Hzn2@m!={E{#=d1A-n(;Fhet z;OZWC1UYOcvojQ_nW4ty0ewic0FNu2 zCHC&8)OBaCel}q0_Y15a20=~!$vdiI3_cgsvl!YoWsMJpO}4naQH&M}{fA0(fcd8U ziIi~5Y)W;P1~V$c-J4gZfhQ9`Din9N2h~A2E$deG;#Lbpp`f6&N!GsBvo6q zk52-*RyX)r_>@TEpW1EeW;h2>B=Rj~=G&}^xjD~7nqf{3zRU1GaWgZxS>Pmo@kj=_ 
zGrnU?N~1Q4aaw_W&Ky{XycHEOyJGYBsgX)^=wsIS2wfI9p-Ekb*bQdkHf9+__VFP& zeIgQ8_FOk2x^T2?;3aBxNn^z4sDUvP1}Q{+_<~6q>TKpkJ96w#wt2s%Bg*O>P%7WS z|9syhQmhaPu>0jSWto0e^IVp|&+LExYooA=(o#@oIx|S# zgzoFpj5Kq@Egr+Afl{~bwLS?iM5sOOxTN?KMb2lOf3W~+E!4Q%F+T%8+9Ll zdfjKj9Ou4F-7j)511W0cPvHSEOxTGvx7z+la?(bb3S1pH_CmR(VcN2!Nn=<33V5vn zd7{+pbew9DkgV>kD!BlP8pi_3V9t_RUR8YH17p_hpteT*{>Wl}y=n!kqbRwaHR8a} z)w92ZoHZ-;lw123%3z=kIyHj>NB_`1#lP5d%=jvRNa0;K{5-NT{4Kz_@o(Mzn0w}Z zav0Ao8c<9S(00g}I1-QyMM+G`FTst9(p6g+PeEoe(^WAS2*z#|l&+FC3@jN6GYu<0 zY(Gn4sZOWj^M|^I&Y!G~FP6h3pRjOLQR(QxmSOP3)j+^1OTkqd2*r{fmWJ54wxp3O z{4%To^^}~4PLrXg2oqehih6YjSPXsq4Tc4PzTBg;MMA^7HLLNDB3kCL;26NZis8DV ziUzghVrJJQ`E97QR9GIQR^b-SG$m(xEF}~bHk-lRtB%A0@AsvER9_}zqexix6WjUJ zFgei0%`fCix1Kk>J=9bzDc>2sOgC68VwJ^%Wq~d!L$#9)-cdlp<*GbdW_KNV#xUSt zOzGw7ND!z*n6OI#HnR5YT(;O!mPwArar*xpZ@rwzL4Cb(fW&ki;0MhJ)Yr*ur5=SZ z03fW71x;?x6X^vH?C%W&Fh3v#hqFNXez$37bvsUb_B408Y)0Pk;)M2=T&*{cTJu=* zG(W7!fr)=KeNzpyjpo~vo%lCihaywB-lnrLv`$`jI{m#}TCZ@VZ(Odau74pudOdfmo`y?jcxcWEFzo8|OF3CT>cnr(+iz_tagWzR1vb7e34FWldkF zHU9KDFuVZlj+K1A&rIS!JWj{D67-bb$#NsYHGA51E$My!!@DkIcZfgQDBbq5z224; zTdw?8S_>p3F84PzC}};1vR)(C`pJRO5VI|xR|~uE?y{RJ`}g))Zg(sBt1#jfZLb+O z`|IJ-?bi89Gk{J1yLQtiO0Alm)_rh?>wx5^q+(1?>5}q8KPkc6 zIJWeLXN1AtaVS2$tqX?w8-O?2j=pDDw^KLS>*>1K|D=a2dzL`$Z5SZ0XA|9VMY_zN zG_B`+N=KdFyY;pg2=s8jYu2NnzSi{qeEP9i!U8D4B zwtPMd8+x9nHoGHwGdqB$)E1rRX7NI;{K%L0i(KFK2Wo!V+>RP0j@#DBt=^@T+#V%2 zz;Yx($8C=L-a=&U?F<$__q{lOyFqTd-rDX3H}lCR^k+%KpyvwE^8t8r$!~ug2w=Vd z=8nIT01_pIJ&vSL_%U-A>tMI!O##FNJHC8PK>3r&6MpYD!^E(>rl0=D7)!qEk^B6E zbZLvfA(xGRM#f=d|2PY}M9P3g!$M3T8i@gI(eRAJdLwQIb1ce%)M1U#a&3fpDhUa# zWJxlt+{Cn{b{UL{5MZZlX;fdMi=7mM4y9yT4t`cYxrASLO0=eDruj)KHO6Jx6EW1F z5$u&rkkBImTdz?T;l~)DutN73l1_rvvS_*)t@+hObl;+5F7 zNBN9n87EKO6?Y^V^h4QMY9$d;B}6}=iPM*<{7Iu$Wq*N7i{5pEP)RL2>6+^c)SOvA zkOuyOL$Hc?8#G

KZ;>c!r5 z1M{3P&yMS#_?lojrV?ezIlMrd!)%{tF*!kBhw`pBF0E1kUC*TghHAFOU@8EahKVdV zu+|$d!hBx{4!<9)NaxPCQXq{Kkib@(;I(l1cVG&Lmnj@~v!S~+D|dYAU6$iMO79FpGT@;OWqx0*51`=2RIRtI z)R85Q6A-2g7Y^1Aq>sU(q(uBlrbGF6w4LG7`5de$5dyX$y1$xfU$KB3(Q<*1W8}+K zqr%;wkVdX^VD1{lt%UZprz!x8vi1>tH7!ZeCIG2g6Olq0zK}aQsb;qKhM#7(iGRX3 z@8!#Eul?@sE0m1W%24QVfQ_H>ev6I&M(?<EYc$4yd+iHz#JahcL+PC zer~WqVw+<0d&A%<1nI18Y_LE}^l5E&-HYBEDK zu0)RzOoNVG#5%%5i9?y8sUL2!0WMa@etYXhTm|=6*ZQl&ySh|Ml_=iaXnUF@M%i9v zv5wF>rpYl{36r#XOmVg&I1d7?#l|GU%IjZ>@nn_8n24UXjWov4z^=Z6;pP$6VY ztyj`_n6DEGml@%u+uM`l61(<2@)z3TT7w)s1(IzMB_nE6cqWH-pz*!JYS_ z0RIbbyXeY9)_#|KlgTF+*Y$T6=L?lq&6oL0&Gz1^k5bz9PGA<-3yxC@&+T}2%eHeP zF&(#2u9{Exf&vshh~D3~_#2wehj;1h`in{V8vZpHGmPGo=Ik1u^mQWwlNbK0=Kcnp zfepOj8~b(I%o~*13p)P4N91;!_Oup>rN=Qb&P=2H-Ubh?p;=uQw|)C^)i>JhBCf%# zEnD8Axm`W4UPenFxk1luhkqkpFhB0EUvhYWUAcgxIsQ)?R=XRx`(CfhvP@mAhvHs7 z5kBv?+m1nuP4E4`CyBjoy8)b)yq)v8EqY*6Q{QD{+#7aSYPt5~m3CjPUnd{rIe_dH zc5SP4m*t$!jmfF&NSmA%-`76{#pK{N$Ba(GS3Y>IJOb<>JQuNomhr zrdq3)QBCZ-?*!{fHvixLT%=*4yCJ)5VCh$H%g3Il-sAn1-QWeC0bb8|J$dhQSl3SE z4yl^&?NxN_R)uCq;?}v4NvQC$yRhC>i&f20ZfNQkR>O$XTs#K8>ll{2cH@WB2R`U0 zS@*O=RsV&K?Mw2^GEeXYolppVj@)+U`*&>PuHohi2mg6FLnOl|uy2PSRQ)fz6wI zZq?p*HP8Av`4zsJ=1=yT9kZoE`7R*#&(({g|M}m&MOyR?%wPM=oi+9X1@@a~idB8j zm7$$&6cyZx5*F)XulNT-pMmw?Bk007=25|nHDA;t8&id^QEfD!LHAshKG(Y4aGpq| z_Alu9HI_5NGTsPFSnAGmea(JF!O`f=Fna&r^M^)k2TjCqf72`U2igUT6(2teLWQ=?GKk57hRd;X#~l&e=m;Xp3AUr6H2S$9}TvZPQRyNgy`GE1(pXo}F4oqxw( zk@_+40#m$jE9!eGs;l2lS{qr>HWX&8LBGExw>}aL8N5{DCUD*j!|f_u&-2IlFD{}f zsOArFan3ruq{>3C;xy6Sdx@}B9~U7*F>tv7g~hCbbh*ppytGHFfQ!X7`-#B(OUqvd z8Th{~JH$#n#d<1BCTYd>lS34#DLocaaiXk<+EXqM5l~d;JEraH78HaLtF074&z64e zoc^FqrSjzhQbH>&z_w=`xk9NI??8doBu^%{E9}rjdRI`GX+u63g_2hAViHe2O<_hW z$&J@6GW@~;^Z7>SNCZ+Eui}7dz zUjCoJ4EG+aJW1&<$M)JZIxytG?Z36P!1+xAREk`Sd_&g9m81{9wmuhk@yXl+8m%{qx*~m`W?-urA-6hm_B9; zHf;fW`~wA#KuS(qRGgB?iAAs`MmVYgiQUQaCLxL@^>YNrH^otW z?!W}2xE`oh!cJu5VG*S+77Yk!_UwixNm2SeKGhsD4`~ZW=GI_|rp>J6U`=o84ct-` z6^w?lBDnB53L45`%l5T9Znxh*LS~6gEaR$UIk++IE4Z`gBwdZmpVYC;&dDhDkHo6X 
ziqJ;o)9RzxLl58wurx^pGD+1T$wWB%%u^7+O7g(BKxaLceukjhgHJY~#y1>aFB|T3tW_kYW>Iz6 zV9H^Oh+k?w)ttoNvk!{WkszY|tv5UIwb!)xQ3`zZ>i;Zzw|jc|60djq9DUABM?Ks5 zIw5%4_4B2NZl!qI?O;*_kti*3NbWL1FFv+Ux~gRLk92^EuI^xeg67N3mhpB1C6#cs zY?Xeh$W7``f)`_C!gqSYj2q1OXT{kb=KNiso)Jz(se{X4lX72V-I$94#c*C?W}BOm zF#{Q2_46q~LejKGi8B5v4n&cbmF8|Me{BqcBc~CakkQGyMM)0!mBd^hA7&U$LavHV zxmFE=1E!GVynaEBk#HI$0V)pDkYd_#+~@x=^_6XLMP0I3aCg_>5G=TKaM$4O?k<7G zHMlzjcX#*T?i$?Pq3K~}p8MYUQh(s=z1LY)YgMJ!cxtJ{%59=?eEitAHs`rp^FLq9 zNY0EQ9x1xpBrb@#)wV)c@oq6zg+{Q%!jz)1#G$xY$sX3_H(-%&o^d)qgR_tEwDQ-S}Exlv%P9#tLyp_BpLkt zZ5v_tg+HeE_`)K_^Zl$J_rhg*{gtS=c_0ICKd1Fw?T-4XZISlugNDz$#O4qP_UEW7 ziOCGB3ZC$NEZ!Ukr~+$84-9-RuZPAN4Q*&y^6$FcK!J;!-5qDv0L`-#i&~#%uYHH@ zm&fYtuGp@jc>PIzk8AI9_AS59uGcC311$>h%}#smvY9t^yY=oLtso)OkA3@_{7Zsu zpJuk>E%#TI?s`O?3%TZfGgoyK@tyk_bpd4*r(6cMByYDt)!=k{Y@ZPt2?)@2k zN%kq_-Z}`l^y@{DHSY6kh?AQ7u$@QT(~Y!*^IUPqM*Zj zHf}A>6AaGP*$@5rbx;28De{i@_)exe2>qKP0~>~L3hu$tfLLAk9k{xgIt{^Y;1j^$ z(IwzGYyp@#34WIwroAB}Wpw`3mR(-)mVjG!gZ^r^^#80}Fy4)&S#Th%Sdh8g{9M(nn*hFZqbYCD>85ls+dszqCkX}47H z3=b0K<-b*V?bB4Ft$;FrqSN!B+}IUtAts%hHEP+PzmIaMcoohypXu|IMONxghMP4k zm*2X@$SJ!CLeJ4uKbL31>l&w1$QG~uBI*@jq8s@d%fBJTgum$S$C`XEK*?VDZJEzl zFpMEt9n~t5+~9c0ngoHYK9u!3l)f`FSJPk2lP11}AL9r)9#LzSzf;AI5_&bvDmzrz zcg7T|P7@6YYx-8WL5he|atX1?JfA*27>cKBtK|Gso3!9du|U=KtS|~XOp8bm)>2c^ zOTn|r7W;Ns94*Wl+YGy>niD3?6GpuTO%ZdbI7`aT@%9DytA*5Z)jG&7Oe_J}MI?dwW;pb%BOBFF# znUIaW%9yH3TwAIvQ)*EfYuHGlV|jKV0xB2Fng1e0@)^Q)vJAjdHissoKOoTj4f+@N z{^`{WZ28bRH7M3xlAhMhZWs>&KIO*hlD_x9PXF1o|2P3e&4I%z?wUyz@8+?g9Sv7| z@zp0YoA|aFPdPXoWh4IhQBy}tBHN-hB&3q{J=BXzo+uA6J?d})?4LJUB}Stuk?v>I zcfGOP2KR}|d93jN_Hq?YH9~9XMYiOVn*2dnVV;l!@iJD%j*0O=jA#>%;r(eeAcItr zMCli40w|cNIxE?ZvsFbC(FCK)szGuYdan?escud)4iqniO6UpLj@HgOMjDpzkh=T` z33V$A^C1+n)_@JS^RenuIsQxkJ6dUppybWFh=ZNHosVAl_o*xl5~0eV`cGdr{)t|Q zv~8oCkl=32Wsh92PBwD_))do&ur5s z&I3os7AAfVG;cqVMNiw19RTj%KB(qQ4^7?_DP9aerr-Xz;yxKoQ6*AUd>xfmYf7*p zv%}6x(V5XHfS0p@7!7nQ%e)KsD-dE|Bo*f^#Kk)Z$n*G}ab6OaN9~_3!#QvB^z+M7 
zlOE5(ASxq6fKYa`|5qFw&aX@|h1+C>DkLsE{T1vw<;CId+>(bbtY6#Te+<2XVn&iV zBsRpXvMmdrfA5cUBf*QVOme}A$^Uez&PcOMLl>2FEDK!=^0pM@t}a3_F8|A0R0SW2 z7%NQ_(tYiRy_pM${AT@lf0t}o)M21W7yMSHzl^w2C3?fG`I3G|0C!F4V2F7guV;?+Awd?{eT~{ z%aLnnJP$q=aLD%9c)!TcCNok;n{J2kW#rox^D9`)-EeZm_ZjHoKYZ*TEn?xZOeD)` zU7G~FyhMfBA#AxUU)pSb*c_}bq5_`tP&juFUzdxp6uS5Jb@ne}cs+r@!$k*^Sl+6E zSG@Zx{o0j)H@jtN~$5eZ_tG)Ft?{f!_6TR46a6^r&AKr{z!|s$1Nz=-KqUn@e8Z58sU8+ZmB%0rn-ff=9pEKm)9Axpf zT-}^k(Av!cyY6PzD}Eh3SbjznpX_?P^Xjr5JsyQlcY>ZTzgq8i-*qJt!EH7_XSxKE zc+}-&+(r973LY2!TRb%$ANI)!zv?*RnjyFw!RXQrYR0`^QnsR$Y z$v=WN)rd%cjk5qj$(w20U7A0?(d&L+`L%U??{fIrP_JzO8dln5=V;I04><>`6E%Q> zo4C&>8XCffwthnn%cL81jPCD*r!6hfivLnp-E3}p96>BuU~tFlT`mZ2>b(P8=;XQd zd2DZT1J_PEKJEb9S)`BSFH31)c(7AX$ z`&UFjn199@PVaO4tj>%5?yETj;i&z&iXa0g(=@MkBCtGmRD3UmD6x{KSDGq^7=YC0 z-@>ktIM|B1CI!zS@+Jpe7|nDHZO#}X+8mE%^MZfL&NHf^H_)gmQGxm5&eG?LM2S+p zIIo2F?^F6?BUQmQMWxNxTs9$8qQ)A26Vy_?k1QPfH2!>=6&7wv7En#Pg~1Z_4pN8x zI*O#r!SbcQQK)JKdM1Q#GCv$bxLwZ}R*MpaLXDeJpgx1S1m0%lB% zDw=ijgx*RkcqPSfUSV^HK{*@J)Pn*4TcVO}StZ-U$?^Om1|{y=G~ENsJmdJZ*hYg* zDA=jptvk&oG|IaIa;s;V392p;XUfu_z1VZI4&oX0?0`Q*hhfCmM_Z$Ws(l@spkfu* z*(w|2qC6Yctxp<_t-^p%ZA2`e<+n`C!D7a2ZPFJyBTQ~583kT>(cD*5)7zr+QXMI` zv$`LxChhXy@u68PEGa5y;v<*XF9%t07tQPbnWtm##CU7z&AiH~(1x0QmyCIu>L$!ey%Ly%i(Voll_7;B%ZLj8F*yfaXnMg4v|9S1nXPH0%ACLYQqtacO*;6Yv z+jF&6n2R5NvY@%ofaoKZ518hucCc-G)31YfeuPGdoLj|APy*H>km;L7{U zdz*dd(xCrvkm*^mzxaRg4IWQK&Wd)c{gSk9B!+ueXugJ3&SAf7 z{C!?*NWovKc{@$>B8A2~pYQy8h=j1!@}Ev}B-IhDXJyX9Re1b__;fU^fc*DwBi6Qx zl19>#sSRd5ht05Gc&raz>qyv4%rPxE#0ek9$V<(IeSr zO0XL}V<>Y0Zfb+3;APp@>`CN}wYC_U-{jxE^C_fxhY{U2 z^#{ZhrGo!?Ks-OP~yfG)b;uO)*N zO^eLj?z;8JtM}WqD3(+WKPSD*=0vUqZtW?p$Ki4B9x#FrdOU(bca4Q$cTFYmEoJXf z_aKJ(cNF^m?A_r-+vaJQ!!um4p!s}9v(Ir|)Ku5w1Qv^iB6yFxTac_==ylR?@vuAl z#UaQ0Xvqh#i9PCW-Q=?6XO)RJwYA)NR2==~>parp*PaKTX~|;E`XO`H;1ofDIyqju~d}$ciP#yI+$JoF`LR+Mk6jiWu#C zZXLp=4Zii981JXYcDIgh9(4<9%Io<+oANNiSbt~%g!TMSWOr{aA` z-lH!!eH;dRZWdp2NrAua8m6^D^))1Q(;)7wo`p@Fz>*le?Twh6)NYdQ`e!p6$Ol=2 zrS3Px$K(15NFv+Y;|Dk+7w6wwa#h 
z2>n*j@<&{*K%3J8*bCId4+f_~9s>@+zw*F}gt?#OrR^~AJ~sp@sSj+cAe6wG`MW=M z44mH+C+sM$wGtkXrJCg4-?JQ-KXmkZ1?RUIdru}5R^Hf8&Jl1?m=HIQ$lUj9Q}0>u zK6l&1nBq!7jwG@y*mQfHL7pPJ9qO7LV6-I*&oEmkX%oGolcqIK$b-w0N`w4zIUV`^ z$2-Un_YfXr6MkD%Xh|F zVU`G|RnU>VfbT9UG8m#$PiN(~F~f|xwo)Vg_SpzWrg3LWxxFA$K12M!i3W0yC^R*i^f_LMB2D!*g?d*$9uoBaY)#bPg#YQl8#l#43*T0lPaJC z$=7hkICo0drzAr%QVS2NRoVE4R>oUS6lfrEN_REJCmQwf>7;_9vP)AiA=+Rv2Q@iu zI9F0eswel!%h3P+s#%MWHKaDT5k^v=`k5KyBg!j{7FOhkLWWJDHdxin3_W0ltWCey8gdK5D!0-^yMddXs;rDMk%7%xO*`V05jO6h>qv%| z@rVjhJ+oVBOj~VmRWuMNzZol@o2=kA$2>~n2 zbeFw!EE$TSr>$Qf_HpC;*a`ZU!r<<&!tz@>3284~kPv&)?DnZLDn0fJ70x5yMr`qd z`PuR0l&iQYPj2Npr@rg8RA7nKK`+@z`O+=WYDW#S@k0NG%|h`=3@9`&?3B7eW&Rhj z=m0O0Y0XV!gvv-T6j3fN=q6UUW~?OogMM0j7pCUvbdrIU33eqeQ=tg+)Lp=|usJzK zyPg$~GOwDyiqD7<*;DCqww^fMP5J`9D$tBuyp-G;yBxy(+ldkCSumfrRi0jcc3@?l zlcu6FsB}$ix5M%oN%2&&G3FPIi1bJb@ivGgL{ia7g&Z&4QWvsv|(5{dd z62C<2id!xi?vbkrKXci&y~_1i#$t43{`k8=_KMUt+*;a_0eqhRBiEo_w~T6CAM_jm zuZhTWVOnv`6SA|KaYTVbm%5`a+5#ABMw))+#a& zp;fSS2r)?W=BtFY4NfH^Ls5}TnZ zm}8o_JO*#NM6P4U(|nVB163Q%tPED>)e6!1LV#&2p+SW*rJCZ1ZUM1z5EK)x zBRMC>a8q~uRI{h{zwqaAvtZ~vEmH5R7?;lr`%v66319HUzMK&7e!BV>{yr?=pz zeDFhP5>~l`0(;&AbDfEyP%Bq6ZS8<-U1Nhc%Wu zdLf#B7xqf(7$q&pHzTAT>!6@m>vdDLT47cA^0q8vg+smNWfQRs#RVVn_w~Enc_IvBC$#;In7nR zMGi19Bb~MiO9sHRmflLpN*0vw-?w@uG%k|Hc&6-)irdVU6eazW&aURpfr3Fjjjon8 ze|_=Z9@`ts=lwv%=qOYOlD#^-{G^SyqlGE8UqKfrOQ9wb6m6-d6jExyiH!(3y zQDkZgjo0DTUTL0LRu)!V3I>GYEt zTMCC{LClJkfYEO~@T8OL^ZM+fjBo%=c5Pk`D^VubX8u2b7wa4!-jOuHCLou2=gtMN__cMWx zt%He0Jb|bF+4-|Sf^a1)UEH9#wv$h}ILB>DHtJ}pLr@PiU_+D)h4MCT7*?d-$IXp~ zb>O)uKc!`ka}d3**!?)N-Eq*yakX{w$E?TWEhtuZD1UWmr9ttfPXefO7UK1`-7|aL z39Y}BB0atCak62&>wC1}P4k@W5z5UBn7U~E=d!JTskkgSaru!QeW?#hZd24BNagl^ zX^+YrCjq~Mp88m7ZpSwjMpBNKr$@UzkIpJ$h^{&C-aY5}?>>#ls$NRCm#TOTR((t! 
zM%D1%)V#BOMpBDc?#o*?T<;vVa8vR>T4n8@;HLQ=mEJB2mIbQc=L}*_-Y+&bj~qz4 zuy3Qz&;+l?)nYrq5nU5^4%(-+7tP&%bvWSlhiw@&IET%{4i9(mYZws+%T~`|9UQU8 z)hj^AX$o_EYe+w#iWD>Z>2Scu?tPe`hV3R=ERoWqH}#x%zsBRC z`v6)&(FgYh!XLBIhutsZ$w1c)gV;`NSU=z-);-D_fa_`1Vaw%K`is)rMUgy=_sQ&i$=@`J^xq?}}?fNPDA-1!vk;6^&Rr7e3Hf7Gwb%3}3 z;w21~_xxCG%B$7KyRC6mz9akjRCb;gb;SwiouRY&p36b#I@@mA2^LMzW6HxohskSA z)A2NP{rp6){>eqB%LCNI4F*mWPUEP=zX3;p2lExTOmQL zCij=7=_eESM>D6JT-=vn#L18)s9_MjEME8jH=O_xR ze*={IX%HqowzO#>Y?E#qQK5(fT{7ZgJoE4Ra;*U(!PQ-zc>1`#l*$wo8pkh=+JAXy ze%xf&?xvZyz)2Jyp%K|G)u1}b8OwHgGRe#0NRHf@p(4vr#!I!*=58ZqZ}Jq)YqsweusQsFJ6Q9J^gTj zaLoVGRR=rfah!C8UM=lju2fTbFkWBY%=w@=2M=B5w1uzk>e`h<4|`K?KI+-}kA;eg zaJX`>sV;NoTs)){=f65!T(eq5&bXZKz2pr9a;3%y^wA7$t{nyCAafueaT9|AUJCK# zq?QwGZ$0eu$!X8Qmkh^MDYKu>dTuK9nvI(2toLj`2O`N~Ov+%+25`v+3nG@_DFY`N zM1&Yh%bd7HkjV#Ol_C^xVa<|IoYDVyeck(v?G{$;o;OKSDYDQQ{?fT%97Or=_bahg z@IXd<6+u z9A1PR9cSr`E+Mx+=I1DBD1LJz1M`k9EUc9{)yP8aZ;wiBT-M|mQ?+@H)Bw#2uAh#A z9F;b$xfxzwVY~6<&`sJDQIwnIg6?(Bgk|e-0!h#XxF#6ec?Z99p|Hxs#)_?4)(eHK z6-|JqPUsTYwD`j~kbrG+}KQaOkJyyrxXWMyJ`KA>Eq!x$k` zp_v+3p1jkRvrY#`R}}J~tr^9Ul2(3zr8pjkJ2NMupZ-#v+-$6VsUo9VNWR&U@6@0X z*wx8$y!VH6))yzF(~p6{e2*q*1WU2$^e3)8#9DB_wy-Q4^3i`Ub?=dsREq~d=SM0) zL5k2q!$3E;!(jbLvBl9zFq3UQFoH_49hFZo`%Kg}glA5I6uCn8mizkC?0LXq}J<=5Nsk!I^TU1e}z!WKS9G|E<#1a2QSaT9m zOP)^`hTB8Jwp?*nb*7HA>0@rPAXH)`(Eb5Ou}&hzc-ZE>7%Tb8!(Z(A=U*X68<##7 zQ#wMPyUf0r&DVaOfJ?HE=W0N_bR-2P3R#LAD_mXyVb?b5>{K&IveyaFV!3MlAds5R z88uuWK;1BxH~1Z63V)5H=nNM=CMt~?$_;G8t%-FNPu>c& zq((1!^QF?8-e}d7ws6PlgoyzaQq;OcO34E71px&?;+hk$N(7MtQV?DRgg&T)rVEz=Wie_$+a`d?cm)zxEa4rGOt5*(Z&tRVljF!%Q$}oT=9Nl?+9eZE-Y-wkmYr zWig0$HpRF%hsx`%+esiq^C2q>zC;^^s0dy=5@TXf7mOLPmsFIdM(D+rjm240yCGFF zx?xlZ8x70FnL@Fx;M1Mf+Ra6ORjHJ}SI;aR8DdyV7VQ*&o+PE?>z*6Mr<*4!$o6hx zEBhYCs$u3to<}#GZ=er1rvMfcb;lo0hAC!F_2*qjyayuo~J*8io0PypoLjs z5_uwjZG8YdvZ=aII~$MAM`p%J4czqaCLThAzEqhQZ2Fe)YIF(Y0-n(?3v0*=xN7G7FVW`W(MA-w*KVi5=h2XCvFh-0AXy<9=LTgAA=_k#9WNA|g= zx;>(N8FYGHMc;=PaSt^_$$Z{hzu0tbruRIUyMlVr+(pSY-M}Ru_wzrq=DE_rBit=p 
zmsM2uzQ?z;m#r*sedo!TpVrk8y!@$>veF3MHM!#>F+@M9~n z1++LDRs-s8+pW3B>R#^V`gMEY!)0op;Ra?#L-|%Q2xs89C%&%V?RZBEL;xF3e-6a~ z-|uspZsUgZjjpy)R#uRne5Hal0D^ zH#k4ukHXXs6#GWEC%cW)ZK(wA!rjzARtc8veJyV5D!|U7!*&k7%bBv(*=u{9F9*w8 zK$j6&^$T0~Ei8+kx@E>Ep#%mE?Nu0Ld0F}jd!^_JRne)_jj!(_zd0_+T`c3EomdoKJ z!j<1)Gl#;TNv0^G=T5P?!7O12}`DdF8Jj^#U!jKIoDDxrjjdq{2cY_+R>V^8rCI;(%s8uK08DJft_705HRY>QZR(R~6?8S|ED~Gk zUX)X%hWV7nWTROQ0So?UwK?jOdwUaxN=tT$qi`3007^j$1;&k$-YB>u%=y_=*5V|I zYBBPv|5FuaN@Gve^BM541`Qr@BBF{qXtND&CnDFdqB3EJ6DP_1eo}Ll# z-T0bU#xRaG(SC|0!q^T)Wf)V)eP^gdDE3C=FXxmHZ%HNQ8sE!XCP1wKxsQ;2r)~0+ z^Pw0KhE1u(6fu~TNoSu~*vZ$nv5YfEHS?R8f>1AR_{iYY$Nfb4GG5!GPFRGRO1|fpkyA|_RL@q=o}?-o(3vGU;j(krN~(K zlIxcG9R2V=cH#d3QS;z1hZ~fsmeT&eP?5Irq;qYsZOV@R6k?H$d0u#Wi-00Do+Hvy`^iZ4`PWqzw0 zj<;!7N>Bw@lk5N$63pdwoG9cDYQafX6N309doX^OXIBhK$b;n56LXpi40? z9u$}=9+6Kau~@&&z*?%teqi60+kZ+AD@M_4g%oaz%_M>CZ5H`G5A_PxHdM^51z?U; zsurGUxjw>4Ms#3X+&{0}rAH71MX>1oMHLpRiEJ7EZ=xy2A3`xs4ks#65}3(A21k7s zO|kqx@0;OP9|qG;7B*x!*h;_2gAOz9NcM48i7CT{L@ zXA|7?y_tfUNryJB4Y|BPL8RYk zBroWfrb~O9N)SVWn;)w^s*hDY+3_R9y>Y=v(OLd-)!<{h{#4YWVU}6ygzr_Kn1^yz3pFi+FKpX;#WMMk4$R(+(AXvpog=kT#t2$A4iW= z-Qe3YJf3C2PVgF9CujvNw59So$jc|EZOKH4tAo#Q?fTsW&8xI!%)Iy8-PY!%2VfLQUK(}3LYCKV$qH5bRWtEe->cD&vBA2=f1iQ;8Q@*(WLKU*Ib9#>6+%v^ zZtEZqy+;nmmw}rifvNWsli8MMQSBQCckI+o`kS2tklSzOXx|pC=SS2lds7n5Z%LQh zi8_A&1o4=(W;%U=E-TJQ9@{0$J?DXp+iez6SKBw)$xA*)HOU{%OC28e^)gpC7mVB_ zl2spjjP{w_sl?4KS~f+1tFEc;Ew!^AKV3Wdc8|G?r+^-P50Hh0pwk^>Dsxv)`#9Da z5cqM>puRoD%f15jE1krlso%xn-MRCH=7{tjyOr4u)A3JF?c1h_I{#V9wq8Wn{VSsn z6ZhMVfkV%UgODzmY#3a#0*nJ*fT2swZvj17H(u`}qQlvTv~EN%+Hcch#-5rgC1gtc z3q5v!L1^HUUxDD#6NfzTkGcCwhO#K@J~P~9;PcQ;ZZlNzJEQ}uWS-rpeK6tzt)O+9 zGl6jcET zS!PI5H?szY1}rMkUS-?#>%8n5zJPy0?aQ|za@_*12z~19fu*n7Vh%-u%GZ@7;xwSDDu)#D>r|UEJ<~$RK=zqsbJ1h9Y*vvH?9k?_y)rav zU3!G`Dbdta_F~vYgd`=6DfF&g2#c)cG{i~P^LIH*4h{cWRgTUOCl4B2DdN#}Ajv)P zpNHPVXxiiAgi9n{ODsc?v&|a!TSez?O4UXAjU^?+BmspJ7ka|sS-s?>AJU{a{X`N)&v8r9DK6(;0RXcS%CAM3=& ziAY-f5?Xy33zeVm>6YrSB9S(Ztt_-@u`5kgGv{X4pQrU*<0+d-HaKobMHik{_qU5( 
z(AO%MoyI)>BNHAuM{+q0kzgt{%_(iGHJ3=@K?@{LJQf-v3HGr;_4p{UCQ=pQhMD?E z!yB_B=Td{SzIb#07gcG-;BU-|*a?Gh;=lfy z?-q5< znZRd73#WGrVrP2vBDxxAW^5(?ibrwEzqedj&Q?*%x#<1Pt0X-WmiB$P*Th5-|a(c)9rVnQ(dv45b{xJefZc& z^-oG88Y9ZYa;}**D6%+;p7^CKBd`&!EcRUzui>@i1??^#jE#@@Ht{hqOg0U!yD+L5 zH4pP2jq&kx%v+Tnmrhtr!q$S<;g&UpJ5A&CuaapkFz@&dlbQ09 z^wB3G3rBryYS1{r>+hMEYqnfzLMCVkoOEbXWMga1!U zGU1saB$khFJ|RhW}R& zxU+orw8pDkZ|?X7A4}|5K)yx?ybi^&I%Z2&sVyFSub_dkOi+F27CWu2fJ2L5j2G`q zRdi5T8&!?A(>T(VFS!5w@NS7C#j_w~)s(SYuWdKUPO<&hGN;G*3Q%Y_Aet-UO6x7l zBBibNrB89&%XhiQwzV(fOqciQUe)~sqzFU;zUPnlU$?E3J+fqj&O%NwdhYAxw4 zck|1aKFWLUZs~SY>;F!OSXQl)Wj!>FECF6taedr1q$f}6m|V}wPx)vdi;9I5@GjuY z?-(%uo4hR)z7WRt<{IdO!d{(HP8-! zOY(@ERR<-LrnJXk+gtbG3OXJX(c>$8@)r z&krMFbugZq^YDg(_UqPS>Z*1>`fbB%>gvMlZp((aex3se|Ls}&B;z9eF`*(b9i=Yn ztii(L`KBP1v>yHaap_IqcK<+fvYXJ$>j65FWwJZwW!^cHxT9Z`F0Yp?w-Ep`qBEHyqt2S79QFC6ndOwd}=$r#+j4tM)-BLa&@Ya%m?8- zbc1K~_{D|0Y;$e12{@V&GN^`U@5}vr@=4+SF~8%=YYY?Ub=3<%qeaWE*Rfmv`Lwy) z0X7E#@xeXXV91}xa-fzP%U`762>gYh9;b(GV<%;k%NRkyiIcMF%TJ^7&lSwfBfzfb z>l`h6L#atXYwHKqw-|7%Fhdj_u3W}qr=JQZnZHpvX_|m8o_T4WS*fB)L?VC29 zA~5w-mJ9OQAR{?KR4bWh_^5H#1UZJU+`_C_FoDug){5I?^$=$8EXvcWqD9c5hD#Ty zjM?lLK^W}Nb zTuZ`{ZWK;s%)oyz9h19f`ifPs$UrnMyk2d!3bhks>)g)gd{76iveIki;#!hziRG&9 zE)g_H4m~tUq4{$tzyFc(CC~m(#Gh5z4&S7mqCSWp8FEtl4d#OJ%KZ%G7)rx*$wL&! 
zCA-GU=Xrks_9!Z&-OH{o$hzapO)0@j%?DIpScK<#@tGcb(!keW6X}d?0R~s0dF09A z!lKjTzNsgM?lsj~#X4h-@KLIZQ>FVblM>b#7``@=vWc-hbJV|KL`-qKOD{I58 z_f?XYq^!a=l!7or5Axig9DZ9jW?SALyY}S775SGhXIlGt%fUfuPuyx@y5f?Ajk|kf z&7~=qu}HaUiiwzeON7aK0{~-0QpO95ZNonXDw1-Hlk!IC)bV~`xA7@!%MC6SNAa+Q z68pe35UZXY*a@jE;4>W5UP}=du_>SwICp<%x(muda4M=Fq$S8Zb#&#ei7aDEEgD8- zzeG}NB4_yXMIqP-+Me1;NUuCL3ORTUA=7xp8z`a@k@s6JcMcgs=o021L`9*q@2Cvx zMeV}9+e_3lTB5e=5#Sn3KNw1^?=BRw0&ciO=_&hY(ERjy`SdGC29Fkfj?gXO>QE8V z(J*mr-b+%XmPuV;sCeXwEr>62ow9XDa60|wc4PYS6=T6BnwW@}vm~h!1rbvH&psuT zlAoHK74`D4H54V4xoj~d4QG8qva_#0(rftSPK;)`tBYEnvUJE#Z_1RBs8DO1Ja^_V zrHC7onxdNSuB*qNlveY5>}a^Dwvww{O%LBbiEtl33)isA`>wX5)%B-Cls&}i% z2FOhZ&bwvr2HKCZe911}F$ss--*L^fYgzn?fj)|xOrq*2z|6ja&qdj^9$a*CA3FE_ zpTFlE@=(G&Gn!UOA^}1Yxs})#ONvd@Duq}r8R{vveAap~{jXxm^7OcS;^rvQVwIJ* zk?ZHpsuQut_AAjcwuM@o!kQETp%@wTag+TZ73EU`D~fE(0kKF-ZRd72?3WbjHkC|L z3h%azZ!KSINk-Z-j?H1|M;5;;5xnWrQV>#=hj>@2f9?>_aPCQGO!Hgr zi~2kMPw2RnX)GmI2(M;_4;|5DvH)f*FPT)wEX(8!-PVY)kkK8Za0 z|6t;I_miUjyZmWp`tk85OF;INYw_4&3aSYJ8=`Y%fBX8VbqkEEDFE+0-xC;y_X0}5 zS#1aJaHw@;J}2Q{mM_14Yq;@|?doA|>9>n*+3LDKyf81gf_2F1-eyU!`gk-w9U16w zzq*`puin_H>uP~tw$TDNJ>vRI=A7SEEx*3YA8oX1+>N2c?SD$J`kFUku}pxq+h;Rt zeuSBuy^)-)hHlwTf8a!>$HZnyweZz#12tODWtQZ}?bcJXZXDpfDKqoxw}N?!Mb7p| zN>QxV?gXQT)_WNHeVj?HHegoP2LVTcB2Pu@e)mz-mzzdI{Y)+g zI^^$-VMrQ!AD>M>(Qw$TLr;0`^BY;W?|`+1!+R7*Ab%Y{S2x{Tg_K>UY zd^!Shy07PVp2SF!^y~-Vbth^WKkYeW+(VsFE884w@PSvzUCA*??#YqF;NrK;sAuTH_La zPz(FV#0QnH3OLuH5d6bfGPalnFPSeY8(hE?1IBi#OnOMJ)p$DISV5Hb$KENOMjKWu zOC=^U(hLkT@>@}X%Nm8@oyNA_^zQgq=%P?U@u20@8(j9!Qwf`3KvcQ$OQFxG^@zsk zKZwuiGt;C;hP+r0CrIKmrTA}N;Z{7II8g~9{+_b|aI44&%Xj)^1WHNv&|V&NMBY`j zW^M(RrCs$SF$b;)l_Gi+%YPP~=62cRHO~1r^HWMud+ps-ZzVYAE5C**EkkZN*Co~R zvXrnn6?Rbbji7s$l)J*3!4mTBJqFt-h~>Iw`q?scOA1GDDarwafBzil)I#?EQS}&P z-@R#JTf^$R`&IFPq~yCyyEK5voFP1e!KImv0@L!3S>PPcHp7zqco0pedY;%7gUEgaYDd^A&$&7X|A7BDO=uM)LC0gJ8nNt?`KpF_=rOQk1^1c4#mC z5MLPPBPwP!743MG&hKrdC-}}=&&@@){9o;GCYF7*o!cy>kngCP5`ROBmIme&rk@foRU#zfub$xCbY 
zE@9_se#>(mAvS&}-_tOPbSXyipZ*p9p4;=8;&<`c6PIzFPy>nv4}nWX``aLkca;18 z;igA`g+nJ`sxjdzXsqtfT&SEw8SOG+_Q${6bIg}^s{uf7i&x0M=q4@dDCadnwZXfnP9>>O{i+qJS=$6ZTyR#dkE;0d;tW?xP87gh>q~v zthkeRk>A;i0TZtEppzxSBa-~(onoCz9pnjwHMYD3+F`4mtDa?B|6AXf5dpG-V10d8 ztf65Z1=#rSlv%pn%ajs`n*?us`%Ws932<@-bi#?P@e%<}9A+^IGoHFFE>3Xeh#wGP zHtf{v>Gg&RfJ)?~0M5Qi35xXUx0sYtX+6`O6bWAI@Rk?MUit@CIwx^eh&v&uM=@x| zo!}6&FtvOYd9+a7(Hfk&2d=qLDWSiw^u{9OW#&<{$=ctp{Zp=Nc39UVm1usuxanN9 zdl?Cwrip8cFH8(tp%t$qm7z#zi&P#VXx$7clxPqs!K$iMZ!*MZv}UgzlHmS1^|>eVcRXFWCM7R$P>f7kP9AF56|)k1PJuG#;}5L7 zfGl3A0^v`|JxkbF^XvZu=1ezFZ-D!=V*m#T*qwF523~bnJK8t!efS9S$Ip=Iqu+0M zMtf!XB(FcIY+)tL5d>n|&l*ka`Rcg6+r6&uBV!ZdreJW@&-mE$JXF%%^eAi-e8m^G zb=yKkvVW8NKIG|HF#^0k74ccOj5^P-0lfA4rP=|(ed|;Fu5VX@A8XI=05WIX$HDAr z@Z|_&%WFraOW5*H#Wt_Ti^mR-H3*BFQ{!b;B07r2w=n!YB-7{K1nsKHaqr8)slv(j zcGfy+yHx`(8gcW+6xqh4TT17{OTqA(>@?VY8$}&_!H7ol1m4=z>3nj%JyApBd;d2( za7KJTQiOyDXv6Rk^7FWCZjfDCJWn^+Bld`0G@|M$mV$`Z8Lw=Jhm% zNWX0ZoB-Y*0|+Lqz2@*DsoQS2Y-kfc^;X1^{JMjhD?is+zs7ig0+%$D&&9~rc(dFc z-nF|wl62TdZaf+Qex3U0fS!030~a@57@vBmjcOnqZ} zol)Cntj26?G)@{@jcwbu(YUc~+jgVIwr!hx@5wXs&OGzwI_@8EAM0A{WFPN&#N`Gj zt>Dhv<-rQ{^O|4y3Ub%U{d9TblCz=w+39tXQjO8~FtU^PIBu5q*)m#3+~>{Bee5n0BK}{g8erG%-=!2 z++QTJLL=J0D+hgGT=n@va4rWxJ6x~}o2lQH6u%TCY(F#=6Be{xmDw=ZQ*uX*`ii`R1kUC5{i}}geMzq~ z1G9k$x~N%r z?^neq@4xrLU^UUkNBs~wn&!g0os}TAKmq9Huey;^FmTuo+*58(FyM6 zERi)QEjui?o@gl6c!onKxp29d2{pO$I*%m(2262xKgIfg+lE}}s!7@>Cur5?!>GPT;aC^E2Wc%!U-OQ>4sC9w}>q;R9+}>4Qb6m)MiA zlgK-dU367BhC4?-vd)Lj_Dc;} z$u;wcnB_eY@b>~3hFU+jUJ%Ij?z0t3t7yi-*2J_N&K2V;mpjqM<9~^2%)cRMxmZKu zac0&?>nEg_X5wm~F~#bN8}eebNoqi)5OE=bQzY_N*UZ`bz`YE+Lgs~O6WK0b*{?x9 zn0;q?td#2zHq#XH<7BXeuT2{F!6kD3fjIec@mp!(7m}?hm2N?V`@1d?CA$aMvhO^~ zfcV7pfIl|zcyu+lUDR(Z!cZAUv|pq?`B;Ml5X?26*>u{)G69Ez`;x^fU#s~k?$cr} zUZ2uqGGagb@X+)0`9LFhaiz3;L2p;#Q1sL%j-JF-Jvx$mBAJ-fXU$tWsNO>tS zLcDg!YDp-^c|(aeb&?BcsZ7)qGF{W)Nw5=T4E%W05(chDD&!Bx%4>0LzRCBg;+5IA zgcH>et}W|}tFuXaIj$7a7!kUau?RQV$|uFf`Jq7h#ylb1cBKR(rg9HWm^$aciIS$G 
z-cXb&$K>(HN+&6#sw2(8cEdm3fkVjqBzvOH%ann}kaE$x;D<2@+RSr95nI$QqC@>T zw4)j^XBHV_n$#bz;nZ<6F1to^(1!{S|ZPTy!_L_=V@Ex zLgt2;v1Q1^e&t2)>Y86+?L6(ofX64)g;O7>&{mx%Y;dRFyhZ#MzovIPaV4kWh6r}m z0!D_gjNtbDO2RG#tgj?;rbnyeN(1NfHH^FKEBY+}-bJQPV%g-|ba^$|w#%s02Jzd! zqWNQLz1t$2ye&)B`0K`%bOM&Jb-uGV*mE?7uI0)lgMTKaH+ueG~+0#D?HoxCROI&1o3mW+mrK~*3i_c%xLBc z5y+Jt@M@qRZ!-g@frWEz2)I4mL@Uex+FB0=IGcUeS79zI+boyq%I_N{KQ&uuHyhOcoN?_;2EccI7#wmf~NGH#(it)u_zy4B7 zb<|>p^s3(OZjMq;eY!r6nc$D(#7K8+jYiY`sJJc_CMe&#qB`15Eku;jE?Aj#MU}9& z7?(oFJ?;+MscRxs8XTPGnzEqcMkM%k$3-yQ)4O*5_=X@91tFL$xmt4$RcVaWmsJ-` zpM_$Rl5o1#tvD{u@smZTSp|1l)@y!xG+vny)xJ#C!wdd4(rHaNQMQ)Nmh(V%DIzqL zJE8JcY*+8!rG}4H#?S_0A*)zFB)seCPd&v7H9{o@Lobh_nOyuy;D7z!0q>4SbIc^^-vYLSF;_*=GA)ZzQzS;x?Or?&oOAFt!82;6{ z;+4}B6)BQ$xt7&KF!+X1W}?YAUzSQ2zj6Ckn2xhOE~^tXU)zWUPm%<7Hk``-_7%Kh zDm(#K%w|PKnbaBVe%ZD%RDgOzMt1Q}ih0uq%&2Axm-nhmj&hQ)a5zO~^x7@@B|{Vj zE=w(8uf{q}wc&(F?9;L*<35y?7AHTF3GkZt9Hs3Q8+#oB%RspK-fzr7v5J}Mc6d(> z878EaHl{*dYIxWteFVr&nY@?SHRWpa^sv>*@4Y0ZjY;HLHDte)9Xr)8=K1(J zHu*#;wkFGK=nM{f(R5TFY-m6#e~#FZL;iEyI}}WE$o)T6)L(s&KtT~ccqjT|LLQ{U z#s$t1$IJ@EUm*v|%Z=fzx{Svm^&2$oHW7C;MTaSf2|1@f7Hm397K#afF4e}*{@t5o zR7|y{(5fC&j~=%hb{RH;Bxw6t3J!zLEo`V48B)nsy)UP6T44XPfIHD3dCQUSOLv6_ z17m8PP1|}Xu5V8Rp+7^nK5APo-J_qi2uC3&2Pa%lOU_(O=QVD>(%igo@!;5ikL^fF z3>GYpcM?vK<|x}U%TeRrNWf0xKrxd0-C_cZC_0EEO%f+79~wu6=toCF_JnCCh4?@) z87!)(k=P%@TrxV&qzg|^dx^FC;@E5A&TDrh9&yYzGN=^#)L{TIVI$OO~_nkidT5T_ozEL1?3 z7Y(C!w_ziCs7C=O*gBI6QjmEsANjCqHB7onNN4x~u4GsLK04)6V?EQ1`0HT+UXO;t zO|$ZkuG+;yQaK3(?xNYZ`$w5E8x?K=vR$IQN+7s?h18JjC z9*o${A<0x!=@pj2obe#I$TQHOxz;M(q_pC+O20JVf55OivHapIvEGNRQ918DRVJ(< zX{R*il}dJ4U^0hhW@iuqlm8vj0i1>up#cm4*xU}#2kXBPfW%pI?qyc8ELmwYgsE>%y1x z13mGB+6@7^KRChdR^ zl_{I!A{|=+0h5(1CIOQk0Oy7^IG@kQ(~G}-6nm_|$IJ`pu=u&-nYcB;V_9iphbQpx zdj4a2!&Civ*v>zW7%)V9BX~H#{X8|4bGLSFj_(n>oZAyG)!XuZ#hI4dtnL@NW^wed zSAw5^Z0O?(HdBJXWj(gTU=nb*L!|dmVD@da0kc)`)6jJ#Go{5mL8A_|XfyjSi<7Ct zE$LKDGT!(^y`+cWrdpH@Ea}dT8D0-#LB0LfMYnIeVViDaE0vt?KI@ 
z(4N2V^Sqdo6FS6wL%k?ty15_3LgBugI(UtV{HC#90N7a2wh?4GIoG1Q>WXq2CQjA7 zgPjbnc&E*IL$P}~AI8_L>T4TrjN>EiE(4yPM-guqzokAXKNM~;`RwiXSh>_uKX()X zmcRO`J+>8)v)Vp-KDN411Ma&1c*~X1o1q|bZtho@0Ds%}9EsurHSEsXb%^Mty39b{ zjK;k$e_?K_dve+q85M|}o>=0l->2nuy5C;kM!t51PNC|Nn~*8nFNA0WvcKG59XGZzJeN*I~wo_3%KqdZW7H>O06a;b?XP^uN< z4}v6gyVW0p$aH{`l3AfxY1pF#ZgGOG)RlAFx_oSkR0z7OTnPS=Kn%J15E-7`DuDn+D zbcl*twp0~eYt}PO@!*phR}RKXg5qbhu{)!7YKutc%oNm2qS$DXYH6Yp<5o4vLS^(I z!~EoXEcV%}LY(^Yl5oYAMTb>)a-`#?)TPH)R!b?ZAJiv5$h6uBkzkxw=iYMFtBR~E zQ6#rfmG+Hztf=rUagk@c$(swrOJ^^k)G{50gl!C0O^c5Tbh#ys)tp1t^OsW*#0z4i z;AXAYCUL4k>a>p?1I$C2joA_|-YOGG@3Xb4yp&UQ6G26;@9vDH{59%{`3V`s$3i$` zqCAnY0BtPE=0`jQqZ$s{vRARglH0;fc*@G}CjOk@9`r+@gz+K28uiIK57TX8!h;<{ zkk_SZGBqxQ`Un(wrc9G!*So_5o%l{wCkVx=4=p>5F?#IPGY@I1v_*U{_y((T@SuVe zS1w}df)3->!5HR*TSjrG!WzoGxHmj7e+>Vnhdt1=#gwv#qt~5_&y^gMKPr&A^Gp@b$%69YKBa)rj z;%)Tic0b0{F|ik$5&M(e)t@M_;9Q+BCC#!jM$xQOM|wO5ur)Wy55e3=gk|uJHOW}g z#c~kgd>YSEn}QQYVDtARom~{cCB;H|m<`V1F>*+7J-&;qtyb-)*#5D`zQkr;X1v$! z)5cro(h`R*FFn)6!=ZH&wTVZT^sQDb9_=oDfgV7G#Z(!n& zB>s>Xj5t))23_&`0zg>N+5CGTm`$k!48*Z?2~j#zLXlBNHrpO4uk*i!Df#IPzt(MY zHGCBnE5sk{FvttiQ~+#jHmQ~l{Et@thGmQ?-JTdZ z&!0}&LSh;$M`cSTBXtZK`Xb{o_(L(bKMX06YXw=bSN3#4aD>O`jC7RXY#M0Q$`!hk zAB(PS6m)@ErQXBt6LiQ?O4vDwY%5jB8^dT(Q7zuK9gStC`9Z4R@7~LGV1rZ-vCtuz z&qOuN6&ZbG6Bf(AE;k5veo%fZ?rV|31&OWI75ys`ZRKQo#r!?47I2|uzGDaeB0h`A!aO@#0Ey9164?DkudmY*5U9-ebkMqN3__8Vo@8wXxQlF>c=RdDLoqLFfx{1qPMvprJhbX$|0PE|_ zlWk(+fJ69;YP8S8&POQ43^IH?u|QFYVA%KbhTTpmj90)M1kv@R7Nd)@{_^>L9@Pd5t^;+gU=*7;tv$ z@x1BBxwnGDz*Xq`JD?9$MAowKcD9L82^I>XvRC}qx;(GyYq=I98B zs4~}E5x8@{Ieb#+1f(L#FYk;uE6{_?J9yI$Fqo|SkZQRFy1j5fu{{o&o(pev0#Lpm zmpT6RTDP;cY)vQl5+UPJLo_H1pLXjX%78inb0^u{T$$IInr7{UkZu)w5 zZ&iyq_yya!eC!hLQp2L90ZVU7dS*6w)nt+FFY`a$D213{84{9ryk*+R*6MVGdN2cf za)N$IHMq!_dhOXs1YE3KH?487bOE~&n3(N%aZPM*@8uL9F3I<19z)Wa0kxv|N4=># ze8PIc5Enhh2`WF8KiQ~bAG#f8(FSc^ubqPHFVZ^6M;dIz;Pw}O zl?|#ftI<#v3yrrMrCDXT*nX7?WjRIo^;bnB4wvQ-7)`X$h1`(>i(T8M;Z-N7YTqF%3U2l_5=Q( 
zWlELvxOLfsFsn%xDSA1NzLMTN2{qB#2}x)O#uA?nSmu#rVb0l4kCsWX$HCg~MsjYK z3Z9CW&rl+AaWV}5Xx*Pgh{ziIQ7@wDM8r-Sq$`-Luu*^5wr(INCdUbzj~pfX^%_%e ziKQZQ>K4bHddOJNdG89)mds{w=MnpvDN~xExO)_K?yizptyJf)R5H?&mySeY>pj6mxK4& zI6t&D?<5M=e!hA<9(C~_DZDA_z2@?-cg#zF&JY+(h2&)^{A4COQ&!yrdokFwni3k& zue5zwjVlXwIVW`I^XmQoc06^jI30T15*Ro?vc<(| zZ?&d7Q?*bWhwh#I&sq;H9OkGz9{#eb7Br3ONQp5`G97KVz-1qk>fT-B$!Sv%eTT;lxieN3AO3f>f+Z^h!X0X-lq@OsAL1 z9>lYVIRPz6XnsMC=t{4*`;Jvphy-DwSZF=t>Bz&ik2W%BH8RMgvOOw_+)xD0@0?!l1hW>z zp+eK$CUeAU`%`{Nwvmct<&`l;n(1uAX&{A1oLI>4+--|0TVR&76X{OsM zmP55~Xj?jT;Z&OBZp_P_A;7?;ho~kInFxV5ETUyU@0&bvxZt$Ogb3V#9{DeJ{lC9J zE=a<{_g@SB=Lg7_@+t}Fa=OsR^C5U6$koa0M-_@XdU8vA|3xc*&j?bX07o;J4Up$E zT_fHCbzQ}FpN5F202!S&La7aWv3~|^D``u;f+$V|sGf{b@VOH8)S(|FI^eR)qKST6yW zIrtj69=rQ>NN3b1eu`B3|LOvOzx&CL!ihC@xb1GL(k-5Sul_ytJ{jYfHb8`BsfyVOu=UW)F-LAS%&;{4c zqjtR_%yj)^d)-p#6nGruJl-Va zeE`=s`rL0H_yP|@)8VdlA7hmld@oTwyfHh3PHS4*hw10bANFn6nTrYdlk1>%EJnV^ z;Fq?s9uKoS2@BiD;F(hp@i3@v2k0>LAK`Sd9~$Tk&J7NjJa)6P5@0A$x_{Q~y7&3` zumVB@ngR0eIcEY~9le2$5gZ4~lT4K$&94}9>C`Dv@}atKVi<*zim(U(?alswBJSy7 zjV-zAMvYQh>EFL^j7E=$2WYtA#p2rZ<`UB;=@WER61Iu|!q0hj@Dju3abrdF<4hADFs@B>pw6@^fF3n$({VBL znMG?C?iGJTt^SGrKIb_k)SFlmp$b((I~I?wWkP}kpF2Y$UM>-DQnt@(5+I)!uHzSmU=H`beL12%#QZ87tHdbFY zs9w_mH`R>pk-1n4!B+ARq2j|TPxA2?m>Tnfzm&Ut zyIQR0;ZWSCm4WKnKrr}FdKv>FJmr7OG0H+OziKub9}2SWiYwZ;4)b5 z!u)}HFr~jkl}isr-)kS%H07w2I5+`Pl#GVTnHN+(xQe#>Xot&4zHk;io}n`09Mvh_ zB^)Z3QWyw^OJpJnmG;85fqRdC7QAWAq~ZxVW2C$0p;MA)m43M>)={X@MNhiNJtXz? 
z4pKRCic^vQwnT9jXR=twRqF2+OQOMof$m3ur$)j0BgUU&jRp+aRb9Wvq{#7G=G>!z;^ADh`%!ghhP~We#?c3gB6}YdW2eR@+`}A>O2z*2x;NU z`fDtyxS%!!!OF9Y?)dKyt${J9O{!n_RB#OB4r=2|swjHPwrYX&ik9t+5bxPO&Jv0h zmZ%BSu)?QgY7VPSCaKa^%G?c7u83B?GIt(E_u^WTX{7WuG+U%37$(_kaY#8 z#^EvjsZu0}$a}tqmc4V%B`czwoH=uHw|5qLL)L~Y*xGoOH3JQ0 zSAFy(swXxvc*3(}=E#s{iDv)G79x!@aJX8Vn@J@}Qqm=#2JzeLtd%K-VVbP*w>&Y| zzp61T10HS}1f{QG1kd4Kh4GkF9gR~Qk}9GQQUi-5wt?9fvf6ki6T=YvwTLwZ=h=W-mt0^e%c%p&I*9>l#z zcZBhs91UG20Zx)+_INgI*F#`Gi5=7e5(0$=7-A0ZD%{Rw*S+5=#fOxZ{SKNv&V%RI zAZ* zt0gsgU+af9Vz0|b4+s7Fohmv|<`I)%K)BtdO~AuzM%?!iKF9km8+`$Rht}V{v^zeC zjMvO<&BMZdhIyW)Re+wH%wm#pkEI^cVOFh>JwXJ$|R(y|>-L5@d0{;p6Op~Kb@}D)Y$LQF%4&{sxIRa7_ z5o`!`6cOPa=s4wDLcH05Rm_z-s2dY20C&D@Rt8i^-tYb$sg!0|IPh zX-u~wv>*p%Wsd}TX!Qzg<-lLR!b=4pNMlQ3n)TsfznPWHwek99WHB%9^p4CYPjRAd z(+_GnzB{Cs{P5cQ25vQe^pnKA&6&MUpIxpa=*bf|8&hCEi!A4dOpGq}=SI}HRf+l! z;i+CEy!%H%T6Bn8eypr%U(&$V(vzKNuQi0SaARNBbiO=jyS|i#!q8Cl^OUo1au$P$ zp9Xc{BPAUQ-8-_Wg&~NPCFP+zGwGpcBZx&$v4vQeMxgt zEljP@+Hw}+sfktyg&Cnyq7g~PRg3tc-!~iqs-=i)v2h*n4Z7n{6f9uT5PBA7ICw}b z>+}ufgcvnqq->5*$lNuoG10A*W%CE-r*dUO^vjYY9<^!2=*!5vZPdW~v74E((5x1k z(xtt`)E<7+YBMxJi_1{@{i!m7MkQTrxU3Kzrral$uvF`0hj^$V$&!H_JdeNW)MvKYPWVyv3B*ALM)7Kn*8?fy*^V@2w>bG^-6U}TI*Twp9P!a(Y^F0e)CubQ$jGX1Pa=77;}Fk!oE z%%C;&{#p6My&!?4izr*}zD1g|`W2lYmnGO8GX;&rs?`OJuQDlvG1FP3MG2Q$hf0mC z3YW9~$+QSIu|eh6J=YIJu|g(H^0Z~XgiEwcxk~bUqk20=6eC3{#mE$49a-}S$H*W& zV1A-2k0buer987Ucahc-VTQv|p)@izS$uWskh?ZGD{X;x4syAuA9eVVsmdgYKI`yF z+0CBVl)H+)e+c`}3UsAQD+s}TdQ0QtFF}@CaX8FRnCx~8oo0kP=k-};acMOK)XAm6 zekev)n-n2Z9zB&Sk=J%O+}S@7v}h|%{cPFc&;oIaLK>#uN_A|i)TU}Sq;Sa%-(@ZV z>bmJ47|S5iZmN)k#T+fi&y9WK2=zgQ7UFlCj@|Zh(W#MV3`Xg6q;(|}mc~NetAgLF zCvdSwhwiuz9xke^In(C+m_<%)7o+q=^U_qQ>>}sUN$|qO-cqrYd+sRL3szL4Ze}F# zI;y%TU9Bq?cFxS{VSoRmL3|5DN`O|XFp%;|F)v`YjD4Vy2zDBcTmQz{jj1{kYzYzX z7-<4mOKaGpc7-j3M^Kw@HEv7-exyL%*EeQ%C^yR}0d4DFn8B(kyBr&ai zXCR-NGR$WZhiipovU%sBn>Ph~EJb14q^b$%Fms1mLz=_hKOvZ2FrRTII2UV_4$@A1 
zyg!<2b9J{m8|hxA1&Qb2J}kyh-QuPdo|-y~DEaavfUhDfXTioOmlD(8MmZ{8MYP2JCZ03+r#&8HNBOb!vO(!R(rCPs^hJ|iARVf z6y7J}r7M+b3O%rpL?-B#f>7-a<>}1iRdfbcn8=lh~FD zbV6s9Hwo(4k7xJ)s*41X3Sow+EM!3fFF%RlKFdCdFKyyMq9kyV`QM>L446SDTn>Hb zasJ~w@Odp;71ZK0j7ad$Gb`3LT(|D4cGr~`0qr?l6RUu~-sfE}-L6jw8jZl#8jVqP zlNUkcd}yBcOMwfA4BMTjFTD9i40e&p?`(kh^EUC|liQ(XV*=Rj{$#>Lc(<~^=zT;u z!FRtD85yYaaH8+EA2qbGvJFM_`#MptPD{|X!(hvGR(%BEb%N8TO_(RBcYizEvq6npbb9t;WWKBb9>;j8h*-~gVIgY zOn}2p%4Jpz{tDMw0`Mok!~4~Kx z=d8jA-t-37YI%^|m5*GPcXk~<=jEtdh7BUL?xnZeuA6IAEQ3Bk>p=G!Y_7Jp zb(P&(%?$0;=W|v`(s7T^OWTUU$vc)lx5aXu{kGrpriT6xTfj%m%vx#FC%Gu77gA%B z*@L`!`q#U~BPebkv{DB|;b;P#Xw3IY0%sKQ2k$wVKoa@fnu_$Qub*#%q<=vZfSumJ zH^C{Xh-0$AQmXC&24i5H2!k|G!Nf59mxMLND=j_SsWZl3#JbrEVPyoRS%fLfOv%(y zagjQ0GQ>G>eExVzn?s5-@3s5%7Tx5s&cS^2Fy$hoy(6gE<>und`sA>iTRx4*5S9(2 zsq($!QBz%}EZ3qRCE4CemL=Q~LEoA5SR#G(#GKg4jaeZO0phKt%x~UFb>{s1Y2!nw z6m81i(g@J?-1ay80*eL{PF#YE)xO`o^{a0 z@Q-OYVxbYk_)oXy9Y#sip|EazbQ8XCb+@@|9SUg=73-Z*wMAd4ut3v>@Kn?m^_9bj zm1mj`Y7hFvyzSJ=+GBoUV#^}sd4zV6pBq{E8Tz@B%Wz{gVT~n-2t2!NqOAi?R#p7) z9kDb@j8erR`rqo12GsqbjLJ1n7_{#!ZPsVBZC9NmpwtO0QbbC!^TWUr3r(mlCRB^K zmcQubtJE3N4VYErpDC55A=qgF75%zaGB6_eh)5Lgg=Sw-N zgyqYNq(WS*%lURT+arFW3DZsOu|UKo8`j5ox5@VMHL?Y(wv1{7(I<*omMr15^Ists zi-nr3Q5~&cPno_hVBFx+TfZzI&%qfuQ;5hJz?uJR4HR>6G;i4{ccg=yk4T1tAtH#M zI!YB`ojZQN=AGH<5}H|hTq*6n8YiMf<8@ZZOW;I8Xu@5u;xK4uDwK}~Mu)*P{S;|O z%S+FzPdCTFen3X=9_^kH#WhKfy|0_5nl1H1?+DG*QCRoasdo?=xM3%SJ8GTU zl4$K}U`TbYY&vpLAbin+kc=?hS%Z>L^OW&-6}^U$L#aXgrfx%=%5kB4@S0&Y-7jaD zUu8yIgvj3mSw@2uYm;#YloIzf>`h;~iM>DKiI$U3P-8i>G3x^|1f)&~_2`q$yyr`# z(L-{@LF_iQBSKEfb{x>XacPg+l6&!{NJU+g=)c(8a?Y0a&r2ZSyX^xE-VDM{xzy2Wv2)P69B^fMc72y+oqevh^; z$?#7kbTlT4?Qc$NLgL8SZH!QrvuP|YBWKTIqa#&~QJQ4Gz>QskAzQX}AK}KmjTjIk zsCv_+Bv_bmg)B8FS9|>%PrEq!JietLckaeLavI7lI3y7nabJ*4PyI`@0yz>*k^ZG& zm0W8aWv(G~C^Ey*j&xAbl4*G;dN0nnr0TCIj&!W?hN@;Y6rEQdqv#ck9SgURjCi&t zlMpGdt!7aOOAzmwE7A1}L~n8qDiT!4uC>i<%F(fG<1FIEWc~F2jL$qi4i{Yn~z!wf6E`nCe{a!Z?7>A0Fkxx;Fs zmN!?3w#ansS&LC+(l~Q+_)S$$;k?iwde0#i^Ku!)_eK%c#LEk0w9lDW8`f^ 
zX4w7r12sm^_kHwVd&)T3<0`HmFq}60R-<;d-S1k`dft}-l^WGehbZ=S$V9mo#CIIZ zo`-Ar=7i2$GF|g$!^Hh{T+%v5;rv8CnSIBBWgtGz34nFdN*%B3GWMa~2lkBs=e2a3GT03A`L5~yz}}Kog>pUL<+Kgm*X7V~Z(RjFQ)bZdxX-|(U;mD< zvu(Z*Q|o_=^oDwHDN6pn72LLdIdK13L`My@7l{i^I_Gq_olilD?bZ7PfPduOozzrH z^wi%ZG(AeyDha$?KYvb5^EuRAj7%L+NsM{a-oI}sJ*0IB7V7%~gmuo#c9Op5aDpx$ zJTz@GVCPZV6}~G_^!dHAD%jcGxbrp{zI1G?(C_ljQy28j5gFE8$?369wHMNlI+d%_y#yJxCWK_K>}cpeclIbSOA_0fRhIW z%d&?xd(9*S>@}vb$iFc1OJMo=n{4=y)f5PPI)}cU_HTL&OB~{4Ds5z~W^*PmX+P~~ zIMljHA@Tew_ACozf$Gnqme$>mOq(|=bM-Z%5 zPpFUJFT!(fJ?^T0qm9jUl7mr>U7T`_p{g}A6Nfmn-6V%uD;=QbYa$jyqKKEK(GDdm znrWYcKRy5IH?ldz_bxeYfBG(I+R5KBqGKYJ%uIk8GBmqaIqXDU3+-NsCR^PcBok^x z8JF%f5w#U9#Op@~{S6(>^^F5H=EE<1zaU79Jjt0ClZu~9vD=wbvfq(v%aST4LYvZ- zo;*u6J>guq!(hg}rQ4hXBbF6Pk-zy1!FR+ZAS_h#!NkY>_1>#x-(Q~@_|;{DOXA0j zcaBaS7RxlGl;wd}l3XUd<%{9Y>g{a`p%!PRovbf2>&b$Car7KwM2$-MmunqPZfm(q zQ4hN;&RlAQNr7CLVeaA&%gJiacT7HJ=;Y2A?PcLjf9qANv|y2i0g{4RHOEpO!~M!b zF;Ck`6P>7N3Q;})3p_JdnOu?( z_zAR;R~5%gnoU9r7z~RQ3AOF!R7nLhAQOT0IIz-$Y6AqthN1SogveFFt(TNpvyY8R zE$VKIRIur5Y*Gk_r8%rW={d(cj7BEkV#t1L)PtG&h}YU4B`Px6q73U&I{>;aK(eFj zVwn}7hX#<){|DfI^f}2-9b~)07yZb$eK#H6#b-fTo5Gu0s6^htHAnZIPTUF_PEGVq zoL2i+oQNaaJX=2O)w7p=%Z#f*?feTen&x-4YKiIJAFe~u#{X;`?Mrbgq-#o3p;v?Z zov8CN9VL|?>iN|0qDQ<*%&1bPNB=;>m$Raa@;0m4w|cheH$oO1P1u(Vox&MRrA4|~ zVx}o4Rj!*yV;*`=*%k;<|1@VJ@-q2e0N(p8HKSTH!P%b{ldG4(JxdZ2{>_%vCOO@x zTGP>RQM|=p3$Zw;81oKw-fH8qz*gSOS*U~gcvrr$#&cM@F(oE3dZC{JqWD&+F9||U zw9$$;W7)`(eaJ38pRh~>4 zdOZ{gPAx44FU>~KYjU8v3eQTbT?5DcO`eJtL)B$cB;4Bb7xqA+UQ&xvgBV*CiBa+Us=H-(G@ zB}@8|T-|BeNqjHn_UQ2Tvm66jzc^-&D!c6#B@0-OM-q4!DP z6S@8bAb&-VjRo9(<)9QBMw5(U!jOJ(+73gn(66!fh_A0@L6&mFsj-PxY6m$A~0z8jaiepaz(!#l~dThd*>#u?Rjo-sB@k@ zKk&ouD(LD@X(Lp`un_FIcWX*Zc25G433vdqn4j0f1@l@AquM>tRjdG|Te&?qj7ft0 z9|r+RpwIp67k6-C9-HeH4W$V|uj~FZUI|`ezf%W?$sF&BbiKl!3HqDLCn7B}rzqRJ zuGQdf7r4G@^R)Ou(d+jm=aek-uWpDK{KkwnJd3N>cc+eNhY**HGUZDAk)`3FgE7klXl|{ z+uYyENze)IKPcB`z}D{&UDs0P`1a7;TMis#2m;Lp zU26gS`?T!ibTubBk$&t&Z?M#(PeZ5Rj(E)^ED3Q>xkxsh$NK|c4Brsp 
znEoQptudoLuZaP>B8G#~kWQ@k>38wTrh)D}HV$(I&SvE}03D1dtW$c6Ka$8Sl-i~bhGZatx zPkHXhnh4LC8jrN*scKF_k;tGoA)8bF@xH6HbnAe*YGnzlTSFy$527WKAr>O5GRlk= z`7)jIQ!Q)aNaZzNp`90--3wK|aSU625(z{WUIaYfAmXk-VZj{5nd+PLFiE7YP4Oyy zPK#D$$e3vYi3_2+8Q)N|*}sDp(;@^{{B~s0D{mJ*B$WDXg*VFvMt6Yo=1jZ@X$+iX zf-5u@E>$oO7Q0bjB!;PtCgFpm8{YPBwrJ=j{~Arp`!!$oioufZVOoUgxW6xRN$#d=(rrM8lLi`<4;{VQWo& z^lYg!K)N@+nLAkQe0wPQE-VZ8xw&yY>yR2Qc~|WBui)qs@MOPt=vNe~JM9VKzi|z)CXf7TqKNZCAlac#e^BZmvmeoXJurtSs&H z$+3geBKuP=JjF=z)<0Z|ZQQVMk&<7NFywy`^-Y0s1?;vBnzTt8wPC}?Xl&cIZQE*W zTNB&1ZQHgznas_9@44rHSx@_Ue|xRHkgjBCT?)B?pp;EKP!j!^PCPkk&^Uv~`lDPk z>Mnq$>^H9T#8N$iNzD<{7ybfW(w)!NSj?u=Mh|ViGG-vu+)u}Xq4OxIH8XM|$3Q9{ z3dX8^e$I%#`0Y!i77Oo0$wrWc)p1gomZ2U-pXE>36U2Cxd_K*z;Ai^}+4SQ7M5?!j zKN3_+vNQBad-9He?~a);A5UF#CUKIfX7#e+8_3RQ+8Y39=g8`Ge`5-iQE_ipl3(X; zOy=^fS}f8TbexpmA^o8Y>A!IIKPobjx2EeI=<}}ACTm>At;y~-B3oi`Wke=v^aW?^ z+Tpmu?xmh;NDE&p*PPzNt?r?aHt3Vg=f-R6&*3lNa1%JORXq~8QHyu^J-d~C#>Jhm zQHptU7y~uL@(78nP@b&_s^{Yr?grROGrY|PTnqsh&^DT1+JnSdAWXaken-{i>=Rmg)J(6!0 z3@Ni>hy)nS{(5of+5drkvZe!Lcq=CxQS;9@wh6B3Td}NCmsVC27HqnG&VK>S{DYtH z;L~&VA_cns^aShs?aGsDgS9*aVs#R=cUf$=*vu~CLr$Gy6 zeBD7+ulvrhv}|ncD{<}A*RdGgjzE3SY`N~{x}&lIhh_7_V_G)-PFNas?+*>%l@DNd zaDJuks$EmdRoL)$^YP&V`gMC-DbtGC*1FX3bNMV5Nld56ZHlL&%1ufY@Mq&XB*Cw^g>zCrN=X) zCywK6Z#kOH_Th&ue%Im_5^pnD7H{a;>w5YC{@GjBOHqhL8&UHKcQ*+>nTNo$|6*Sy zd8-xlMs<(>@%RE7i9j62(=``mxa}+SZF{KVmf`gUI5u=s*V^9P&95e?dYwJ}l;PT| zT~q~r_vq72$?|>G^t1)pHGIGUt>5RV8nam0Kl5(+i{YH0C5|Tz@6EL%$t{Nm|EZ4F z3B>B|^6JLPSC7Ge9euBc_X=Ei&`Zp zu|^6sLRoQYa-0cQGgG3FY^NDtRjPl~C6|qQ$zds3&b1VgdIqw7`R9}&Tuy{<|Ef>P z87YCXIx0)n9LpUZqJ~{WM3;}WVj(Ub9`()AsjwCv?f!ck{}HhZ)5VvlfiJ;nRa>%Y ztzO+Mqx~g0Yz}>e*dB_%)k06dkz^Q=c4E>r{@g_TStCA}TOM`cH`U7)yDP#L79HQ& zC5NNB5xE*rQzPxkrF#B69$vIqD3VUk;o)9@agPgS8Hv_$7WJ2P-FS{0CFe6E!V6csV)mKw0Kr#-XI-L9_zpk z+741}b_ZoCu;{-34^=zY-j5CezeP)vE`7PP6+*85E9@w9fc~X;UfD079qCX%z5Nauf1%vTsaOBRF-SA15LBqRkf z5JZhYj3V7*6%5vptJa-Hk}L99m9%;x4TQ+eB8{t%?bpe(NTO^1#0^!p`%=iT2ss+1 
z$k&9San=)dK59bIYtCXk*eE~Xg$3S4Pgcu#`MkTOHspH%1%pfQQrq74JM4c#UVnbD z`aT2PX2uv*q!3q=M z>iZHUpT{Yd1Y9Jf{{cY=&v%KfGiEnRKn8@P$0^iYDmj^OoG1o~s<%Q6t$OD{ z(y!K8qg*87zgD|09>jDGG3!r^6Ie*Y`%AtFfr-6S0mtxXafFhmKEFi`)VOj%;)>#J z4tyygZ&bSp?%z3&D7*1~oS4K!xhfI_Q)pA|?<0DH*<_8A8clhrN|m$M#Y2D7b5c>i zBF6W-RH^D2Z&eQoWfP>?ILu5Jumf=R#CQaAOA&YSpeF7_zcE++R%t)%@rX2Khfi7v zuG$SQq5R&PRwBb$F*Yj1v#O*nldGxGR3s7`5AXL+;sh10{g=iJPHAv$C&AY-`Sw(C zWlfC*n8sg3MoF26A)QwF-_3vN+R2G3QK;v|3w;-3z6mz`MQBvFiGVrjH~U`z4+ZBS zzcoGp(mspD;y>l&)sJVYI@_g=v;>@7#T65UdyZ(9xbi{x<#$}Ye(oXeA+uAv;Pi{M`NN(Rg77wppx6klMwA!}gHLZOQk(PO{Yvv+EvuZtteV;v_X2Y}@U5-PyC9QGI~&+}Sk--3+Bc5# zs=;Z!rcU#vYZ+||-u<4=y!xPwXN__?R_`MS+w9Jb(euljCH0=Tb*{EsDEK9{H*7a9 z-$oL|kB{gWukCF!(;qr-YmF+rSx+__$6KG>VRQXcw(vXCHfFpoD;n+F^jmvU%%lM;rB5n@HJhm>aklemUBS%jcg0gdg$EKi`(3eraq8!u=CYUn=q~5Y3=%*2$6G^R^x}t7IMun2wJ{ za%f0Gdx^997ys~*3+Z%cl!^KmvxMyX^r%|q@7DBt@IxWDTR^19Psq6W?|Wi(6t99* zj0#%MpeYvzWh4+H?@Fq$m?%I?+jS^DFDj%??~&~7 ziFORrDkY6jC{@3|KW&(?T;aDyK-Vy7;_M5zo1r!Q1FdiVMclr!7Shn?537Jgm;7aK zAg6voUV6o!!D#Aw4z=%>3~7?sXfmg9-(w#;y-IQX^DM9->Escr)g|NE^S_OQ{LdN` zjawFSZ^W*Fe`#}HyWq-FV~aJvw*1BVqk4^@VA2>m^9L>Rj~>$~b5|z#fY??`I+~a| zDP)Bv`i0zpW!$D#gXJekClt-Q13M?XK%h^}iGfJsEK-d~*a<|vAjJ7aG*P-}TCjnc z^4HyK0oNEYGz_kEkt@`vc)cI#or=oZ~7bah*KwEUz3Xvmc)vXc& zYo4!`2rGypBeUnE3u5@_r$(sd2jdG^(QjUpm?VGaeZoKZ>~4=>+IZ&$Q~Z?x;b+70 ztBciYm3~j$6cHa(_`Bjb0(YG}*Rnd0Riza^rf>g8V~#Ba@A;=Q^ViXD@~CTzO#WEJ zaSf;%koc#3O19rCdK_(tj3X7;CKu!7zh2)fH|aMj&_kyGTfW-k*KxMOo@`Hzdb~U> zwSW<@_i991(MqO7%%7!`yU-{*^)P3hEiS3$-nHD1{{FUU)0i`CZHzfeBD=d5ORLnz z7EPkX6D?ABx)CbvET6UXTTYKLX@gFhMbf(v7HuURFlsKITz>p0-xP`Z6M}XukXqGI zC4-D=1rwVR@ylX=Ht!8F#C;j41YIvVMm4;J6uYn{Mn3mzvC{+=LpVa?F4ORdO5;4n zoKj=9!2G-$YzZkl-TWVuBQO9w;+6c?@Q#0H2&Q->w~GUXM3=^!M_Uu6;IcaAYF`+# z%)F_3e}G-__|H!{P6G%JhzIg66ur~PCCvM%qrJ6))bUM<`=vNEFIw{!$Ax6(i6hgw zS=i%7pM&$XZD5#}%JPWT%@9lFt7ji}a+UAPDP}P5`n3#Zupw|QCU)I9r7YxTi|Qx?g{lxZ4_Mnrj z91L7Qvt}H)qU$3oB}Vc4dBos6;FrhoqgKNpJYE0-eQ1A^qrNrzYt_)4qlM+{rXLqgJO7GDH>Z6J8yy*42OY2QI}E^oDu;^C>yo0I&G4}IDScWZ~VXR@$k 
z0B$#!yjJ%k_iuLGZe{k_2-S(R-qJ@*y{VK8n?5lAIMewU@a$Cw?=y+~h*i>JiC%WEu z87m(jK087^GtTX;GxmLKSa%{JizHnxWJBR;BFIA?usacm-(RLxD}txSH|(%%`ir6_O-xSPl+0T)L*sXVfpC zdRAE5dc0KA^s924j$e1PPiH>fzxk*dz}CMZ=?b!}IESqVpW8USd0$(zXL#*(fOM)a z8;odur(Pv9;AuSVhq)2oPxqR;>pnM;sjtqbI~;F+PQUqbtG3yN86$cUg|1;(+1)Jl zBV}`6?l@Pk`CR4SlTj)AKFmb@rk>2UeGk**-l2VW+z z8}y!qMD0E3!MYcNZ?_Q_L)~?q4WFK{+Tr}JPnFebYu}AKwI%K?+x~P=2^?nS$p`!X z0)zWMp!NX|pN75v_kTAg*_K6QyXB2njlw3la7ExH`|KI0&{fJnTd>ulGSidAOoP*Fr(=K#r!seo(H#-9dJ;;l-AA5<8U1H2# z0sDc{K$U9upGi}3b2eU!b@jJIIi_vDn%o>CEE%x{XzpD?q8f6A!5Vei_VBf_MyrxE z@qaqyy`_R`hU}$GOi}N4N{h^XjdY__kEDyah|iAn$%A7h#r64ha-ks$bQ4d11YGSg zVuqxMdnHhw83=x@|E2#YoTCM$$F&@vg}sD#{L_R5_U%%raO;s_l3xN_B{lKupU_Mx zg`BlP%L-V;plltdb1Wf|xLG$n2&f3X9*8s>l*WmHzxgEUqjSb|>Jk+E+>;rRg^hDR zmN0O`LvdFy(Hd%tl+#d^Nb4c?AeC$`yhh&v8_;EF?)4?(uPv+t6AV#)L`8=S-lW?K z;v|%L>hl+Gn4HK0tj4F@1{+ECsU@tl{_sLVMTCZWogvM4E=m4o9lx%+uTaYCg|0i{e5-&`Zq!J*}9RJENVjl>hPjr{q^!*FmnU?7 z9&^drF^N#qNMne&LEMPRU$1@lCOR4Ey^VtsQk_P>a52s}#+hM0a4ff9=31p-N--^P z3Ei2{n%rzrmifV+I_Fnj!>I+{pLsh}lW?7BNa6{|bM+$PRadbs8CiBtnD#EG%OSX=k!oYtxzaV2E;mZZZ;gGhFHlucjti z^Rm}i;rS0@(=IBQ#n!+574$=JETQBs6l4nE=Sf=f7hyH|G7qyV_5ek1&O$XP(}{Bg zFEy-BShtp^pxjEv>dkNTLk?rGBsGH3hhE)G%+7Vr#NS{6cFcca-;g~{?_oerEOF6e zP|lG&|3NW{lEVQ;T=sg0bPl8SDU`2VK8wtszgyGhh_76+0RqMP2NmRe!M;j~<67V{ zgI23nZHPqN5dF8QH+|w5qOlS~id=LyWX5$h2@1JSE zPX+pA_@jSVspaHDP%&s~0J_v%lC;QI8c^aVTMytUO%W~>#o%nUFPh_XMt`_y`f2#p z)4)X2CYnWP*^K1hAL~;vzUMRUHJ36kB2FyUQ#`kji=PP+3bFMZi+MtkbVidt>8V({ z6R~v0KYs=zB0;RWW+cVLPGRG+kuA^Bt&yW;(XNko%DW_3&>yeP;}}ofYEM80nY8TG z=y3<|HB+2c^rjRdNpxb?Y{lYOxk@9z6pXkZ3>S3(EpMxVCR`;0ANH4oqOw0th*hz) zJR2$ynG4|@`Zocw+IXM4bQ!+}#syO8T}>c+L#Bc`QEa(Kt1f>5(_wV^-|(2zi-O(x zIkhi4s2X_z`XPYG`mF{Ap&giLdgsVIDG1{5q^d-VaI@S3ri?PCgGW3iK8{YMh5WJ6 z99bg2xnfR-^jNB-k^oJ6bo&qmSqe$^Z}JQLu^BEwZGfgyA3<_*%w72jvzZ46Lg+t- zw->tzCjup$sOeDOjNYciN{10-l{<8L3vOm>)=*-Sw(jb7T?D6j=@s9vFc_A$rfyP7&11D zbH6k>=pEro>pj4=cGY5Q<*@T&YJd!IT*3~*SW@=_E>6*~UeOS)bK7rTt8jail`Ma} 
zjjh|BT}5};_pkA`wY^lhzr|7Eyty4kbJNnh!unsPthm@sKinN09JPTAv#O!+*Vhi{oJY(% z&!QW%*O`uq&Dd<*l(4F0Gkw##-Mtdy9}(}S5f_!q6V0T)8hqMo9UPtQ+ac5LemFuOkd^*Gz z>dJ%ixpGKBcl)8M8uV1WBr(m~rRC%|>D=_L0z_Qy01o`zs7D7aZc^dejiL_B@}qnR z+aCJbfqj`iz@8x3pbr^PGdmcpwPtz?a8ar4vI2sMrN~K*l?*KH!w%7Vd_S%}c$ZQp zd`;|Gp&}MnpDlhQpl|r5!|(B``N_;%AYOU2%ri?je?4IM+r74bOM`>SFC2P+I$8)F zNtu@_exTNeQAoX8KxGwRB{O~sCpxrHuu(^b#_!bLik#~96~&2;1eV`yrXU>TWNjs0 zW-%;4IJ|E&gRov`Q4noc8X?OVpkqDptwa|#BJPOI1&)tWWY*r)UOjM>hn)4EsPw$J zRf#k>?+@kiuF#N`O*#uhsr-V3Ao8-47zN)DRD7ZV9MorUY@H9SYKqKmLrh+=WjnLs z(t_p*=FtJ*Kst$tRG9ZPgIO%+sDQKEkHTK7$V6f&1OaVOmog`qx5f-vz>0YIv7lOK zUCT=msVzdagZ1yo9KQFVPIAmF2TlfNLSNv_TNAIzT+}m^ z3>t8$a#Fw7ppVD~8^O5l5;9D*lTsDA6aSExkw4?2BJq<}C{6I7BF;vtMlfe~&INTqtE&BRhF&RkY zHp6NziQfbfymN0+4w!6$MZ>qag*X|JbDZe49;-GYq+PUJIF+K*JMEQgrlT@|YY}p+ z=xsJ8rYiV{qwvqJw{j?V(c)`8kl_!dT4Z94zxohvJx1|B3q3j0ES|iaNMLA=iaG>I z5S4SNKGv*XbkaPtd}=?XzmCD_TY`|r2roW~u% zSG5IKpw1GWhrj$kWjv<4d>+}zuPrK#^3ho`643Gz1>0%p$Y2pQu<#xr+D+Oy19T2AS$#y%;lB6z_fJiwX-7R%w#_>3;q12RJZ2cRO;NOY%@S<#QTqpj)dRlx8V%*m`Z8e z*A=0Gh*l0WCW%V@He)&w`vc>%4YLvWmKm%R;mRF@Y||R#zi-kE(!=_>+;9ei2vj;` zurs(7ev2a79R(?x%73{}ncCe==!WV(yUkDx=VoSV$J`ZVPqF&R9|Zb_GfvZw6-*YU zW&XhkhezQVuM!y3AIfXjjVcuhs1Ir7&ETL<>d*cUfVR!ZVG?x3z-jB?T}SiJC9C;q z^{YqUZg3BsL@qQx(L?cP=ZWom$Oq&LQsm4x0RrftPYv>Q6u<0zpSII?@Oj|ia||%R zwF=e6<8^jIW(Ub3q(Z}UYy)^vOuGUGS?Uz9cHjO!j-b+MJb+urZ(jVHV!7>Q6!BZ8 zuG)O7^`XA2O6Pel|5?Xtk#)NBwXBKf`VIg6;snhR%k-4Q*2}&72a?WfdQfgZ(w19D z0*m%_8Ekc{`|=`w`>t4*>mBU#)fCr(&-13?vrnbHn$Ig)w&wG1&9)RSXI8t#AJg*1 zOfIdJm5EhrR)h5~DN(Z>%BmgS4#zB}IQ5w|6HQbAr@=g6r6ZI(QE%m&zjI&nVKsNn zkmooetMw*$z%3)BxY+A5C`!t-n93J8+^2DU@p9G7(&3iX*#N&0r0NB#8Ds(I%&K|E zUC+CAL2|ujfx0L_N8g>peB;0sEvu-{T}RjV8NY2jJcp-fWC1VlTeezwTx}yolD>a| z?So5OI4^HlAnhma`^BI|%PLJ!)XVSw!>+EyDuR`@H_c`YU#G#t7(8Xq7Kat!-4RI9 zc9ZFct@k>~+7VT!PfOiJ;qbdbHOaN|Lh(n9<8x#=hW16(eUrQ4e!Y#lPj__`t=F_q zhb#2MI+d=ERR+aV)9d+TUD|l{`v<;+stOC6$$N{(;U8Y@ySesjHOtdt8TaSLAKQ*w zfG#WAV1T`Vi~b(ud#|VEu~ijr$9C{zrEG`ed{yIy@vzV1+PV5cJZP)yxD`+o%8S>! 
znYWA&zD!xxTJDcI!{Oq7PN#ym)w`Sd*LWlBsKn0=ljHW=WW74x|4ZhsoO9ZCQf13!16DXZW2i8WspV9s}_qheJ0BK z{3?1sQmchVE>iV6*%;LEfA>nnAx`uOl^L1n)38z&V_}Q6bg3M}2CM!}ERva?D!^u0 zN)q8&%35KYRjzsJ*(p_53*hUF$NIJ71y$}^Al|HoNX`kJ_kB0K?ci{dK`RWkAUOvT zNj8x9f=MBm`j=9z_VZhRd}*>BVOXv`q_n?(K(st0)G0y_BE!7zly7SI5@90>q5mQe zr8Hdl7OvD96c6>U#6K5Nefro(7P)Nj>=FD2E@=x!u@nc&(SmBSbzj(!U>}pqG6+m& zEm$R)Zpp(n^i*Jm4Gk&~%fsl%9}GhckzEVmL46l-qm-N$F(><^#9w}PX_|6Y2>rCk z9O4+Ok##p@|Jr=>1=kaqJ&XKnf;^_pSfFwqK5Q41a#>!vzPaKp7mOGyQR5I7u2~0b;(XO@*Ov{i$Hlx;eeGWuEb#Ul7{Do#9p_F7;_h zF{UJ9Kej|gh(dASTw-*n;b8GRcHa8PQc5>aZ`mxerYz~F!k?`EHXJxNt$)c6{@dTv zLd*NEGl|i#|`Uf*I&i63+$K2ei1EEdb|*)G&8NX%R8gU26DR`D$egGxa)D3%8Uak$_A>KM&Fp1*UU4 zG93g8n+e@d`yt;aKvU`u-cjE`UZ8AiiV6CPufyo}DEM{V-wv$E&6YeD)<^w7tuoo0 zBh`$`K=I|EK(jaJJAYu+45TvJXd>)JDDF_1REAm4GL{Ox1tdA*@6FuYJ!sZSI-;Nq zXo~oVVKjp60=TzW@+Wd3EKB8}@0$&#{MsVFVa-%7^{&YMTg@j1^i~PU4wa;Ll^R9X z+!Myn1iz90RJ5DRiY`RFY-(4*5iyRSHaDb~X7%0-l@>`NcE5l=l@O_8WQQC$4W2(7 zE6v&SOh$C8&)&S+2~Iq7Vi0nTt@O;(O(#%dza2|FpY*jb%da>$3@~pNgUd!6BFQRV zw8AM$ZTm*9u|D?02=-i-j5I+wk$jmbwa;zgOdTT2VlC4MPRmHl4OT*R6;;UeKuKlN z>E3WQs(>Du!EuW5nCrg)F8&?fyMQt0dvpf&qWPq}j>l)`HV+4qxf(ewle~o`ry04rJpB=l`+w~ZMGuC(EMtgdf#7<}IIGzH+t9c_x+Ls8}IxUJ49gxUS>3CD|^}~ zPObc{>2D3sE_aus0p5zbG1;lZZ1z<4quOmJ83Nx&C>6J}I7Q!Du(PMG^H>J#w$H0f zGj7LMkm&T^Yz-|YJWr%WpOyp9>P+{AhAta;f#gfwyY|B-5BmD;RoV)Ujyv50-Y3E3 zisuCtSf1LjHC}MnUsN+a%e~D zt?EAKXrG%!RoT`M@58hq2Oz%l77A@8cumuCtA3plcwobO*yKpsY)zC6I*RaK;JwFq zj##gn^F40leDXQI08Dc>J8w<7R){_8PIo*Gbe#e=>fRiyX`Z5A*KCv7=REYcCt2K% zdJZWy-CaAxaLWT)MYCUDZ_fU@u6kb{_+rj}Ebw51yWJkQ#msEp!Ce1gy|GOt3n>*J zntc=7q59}H>1ttz@v@h^g`dZEI%U>(X7%(B>UvP&7UVJ5>GRYI`KKNQnoQvbsCVhc zMDQI*Em)B0jr`MLwh(H(qTA178i>T>z%CMraw*V_Gki96o4g=lBz3r&k zDe=RsMR0=^llz-m;e~-28y0!PNE2s26Hgfv3<@{Pi9$8^oa3c_k0ms9fjwiDp#)0I9RG%GU=*3*W@Fx+~kU-&D$_Xl+Uoh5QMdE2q7;-oM zWkhp91Ro+`E~{@}apKM9$X6&7suii(HD*t+3=Rd-sQQPqE&;7A%0lhRILlZCxe3kw zL4`nlmm5&I1>ECj)69s6FWd?gF)_90*O2~3(4mTq(4s$Vv+Fct*^H#0T5@mCO_fW) 
zJmkVa&rDPbgNE91W>mHqAw>;NvRR+hr(T{gr(=hyjL|yPfqm~&p$XDKoYIoeOSBB)%6E}w$jU{%FqcKM z#i6nkr1Mz3DH<+1rFYWHB~c>wsrr?c-qf8LF-*){5o`t^P)5RuAE!{MV&8-Tr7__C&C=^ree#8jht zE#nYWpq!jffG*5E_$!<{8z$Hxwd{}nT7Lq+MY;vqj@(WG;=EX0TwcVWe3yFFufboz zyG{|8jl_M~MKe}_evc|dmR~)xA`T+x+Wbfv>>Eg=l$iFB`bC!wLwxMM6erEe-@ss4T<>2#eTNIMb=2lB%sja!V-= zq3#39fDz`9a5;-$YW+A03<{-;n+qEpCMP_i`e2?BBQ7(4mNtIzUkd0IQ4bbqII~#| zQ4PgHRZKD$h|0FY5a^6DF+q%GG9<8kU0+Rvngy3M@-3WGBg^!P$q57^i1zP# z92ZJR?7y+uw?gpfqj^?fw{6GHcS>YK6NvpdpYR)9g;P&IA`g?AmeCccZ;Fe^%$wyq zvly3euT=0yKT_~GDlv`z|8UG(lZz?kO9%={)dT~%)`mgHkF!|3FV8?Ee||RpKlM7d z6rY6l&l{4=PbLB60n)pxk8_xJWvW@v4Jv$3o|^*j@cE-NPlt84 z?h<2+?$aG5e$`ki6>h_pM4XG`YX=%&uiL)I))(_P=^KK1YY>$;__ zUU45-m!)-AG&+h?k%dXs~^Tq)JT80@eL-j(MM*V{uE zRYk*c(m5{VMN2PM&k)kmwwCQS5^T4Q+r84~+=ouUa{I{;zD?6h(@NXA_LIk(DC@x9 z5}X(H$0WX`>2>>=s*F203)Hh@Qq0rbFB1ag>(=-X6%xH1!wvyjtFi?=0nhM#I#*nJ z9LStlGE!b2k3?N|ev*BP2EQA^>h>I#CNpq1eLjMXx3~{)B)hs#_r@z)KcugDof@0o zu5WLW7aN&XX)l^Vw>yW;7Zyw@+&@}&MA zLLPIrN~;ZOR=Wth|6zo_K>ztshrbREK@w&GeNtKVjmafsirt^J!_*~Uwog^LK2_ET zSQk69iam!l{yitU=yWKtgjI>_&~J<&N)@O1PNKI!sJ;Az(tOT za>;tK@h;Y152uIe5EC!@9EKd5pR}&%iYY;q(c2ffu`m{IY_?z!rj9+8-coFObG zjn}X+OW~I=@v%`I zl#$UiM|MPOt}VrOH+oKD(YEU%!4(Civ7^b}hRiBY z1m2-gOz7VqOh1?yUcbXC!?SlSV+;o_SMYm?OV&1ATW$pomb%I9S;!Y*9&Zc~FmQLJ z|Fw(qKoqF6p!fmVij4wt{785jTOmhNKh&bgs;pIKZf;apxIci9OxwvPgKN8C|8h-+LWrkOUx>eDRbAosw6eF+u>51 z;QX{j&Xg>OW1z)AwwSSC>~Y(mmYNJ!sFW?Lr=k_tFB>OOafz)IKn%zg?BE#tNw?O&nRsDC&GryCbAC#PaYY1=-^|y%TSl~qPd*_?2*@+WR*b2CQ z33*V>DD7tam=~UD^L^0wKSx%LJ422RDydtu^l}{ zoN8Zc{HkH}SFeepVLq;X8tMVFa>LfbeL$jigWp^r)j=Hz$y$E2*G?K%D`V<@QcyweVw$)9%}*}12dILYyYB$L@*vh) z)tY-D!;{$#p``=+^1K7u>w&xrOXH|o8`JMj(AbygmaYQg`fLsJL;^-#+$PIOY9fqzX?OyK zoK=!JXJX-hpWLD+3lboeF_}Zx{<@|wN|8o+P?w8Uv-+jCUZ^VDFq9uZ`i;2(<4+G0 zAvAR_(7d~R+%ArChnYxby2vAU%Xvn>%BauUj&ICeeGK8%yrfWmu+|`rg0PFXtjACA z=4(L4uh*K5a%W5D+Vu(dvW?R|gesO-R7LCG{-uUa|FC26qNZ$C;j)k)l^{thvU!c3A56q#icVuxc-{jX&Ff5l@Ez>GZj-S&R^QyzXW{D7MD{s20f&*160 
zW3Cy-or5oUHB%Hd*@uSTk6WgbWRWw6=+cEKBJ<)VcOG+{dG`_)Kf1sK;3!{Yg#Ngg z+vzF*@HBxfe0Jnw+yu-vdu&Q}S-a0&-NkZ!FwE+GFwrdN04C8bxwbphFYd0{FMOs3 zy{ECh?;QY}Kx?O>mu)i&5${hLN5h^QcU<*Lgw<~If1e1BE}tSyZMpaK&N5yCB)#^F z`Y4d>L)5AM0?@lv+i%k_Qr7O*)w}CgG>UDz*lJGNCWd+m%Qw3>!;5K}L8`1Kwz|i= zgMDcJiWsFjjmJ$JF{*aaZ11~N_#bbuwpTarh_v3$&Bb-i*G}7@JDU!3?Tk+9#u-ab ztWRTfg5{7cuh&d8?RD7p`#q5>eAVUy9I(`xHA5JN7i5Ci?M3goJ?4Q?b@R|wdG#lT z2Dsni0CU;jsJM;5vSvHX-56xU{m$8J6s%a%UX1qkKA zPVUGy2Nv|rqsfnD+b|%98?g!d1k}Wi6A7i;4BP8Qm5)2oCb$!QygtnnVNfom`|b(p zGzXPsH+qy?-tn})o$Y!%yLuWIQPmCtNmkhbbN7rND^oF8Sshhv>V||fu5Z20{w+5Y zchzR0_KK3-=6Xo# z+wthJ)b8Hg>0`6G&1(d9r>d-z;_%%IGv#fVo9o`NUY(0>ey6&r3%hDxU5w~X!)X~k8hDcgnN)vh zNOrtlplmrlL7gMucRkhRH+i|vA4=kX>|K~H`zC(iUxRt0z~J`x`Q)*={4C7S{u7SDmVUx?8)rqveuFqdjI^< zE4&_NQatx@!X!)&-h@9HbB8@=`ZZ7mnj7dU>(oi4e? zUl>EoAZt(tAV^MFD5g6Mb(QJ`#5cXxmGm~Gegbd&_wreyz7L_Nvvvuw_#?3rb@N<(Y||A- z<9CvD`X5amt<>oAtN&DgNYc~cJhbSeo09&75${33Us1|F;0S`r5-rKg+NJIa5`6qV zcP_5RYJK9Kgx!xQj>H}iOqHd+!|OReCgp)S$)S`K$E)G>t|&EDSdPHyYky~}ip;Pp zO7*S2yZlSV4*6DWT1$W3%HIfcd{iM$$opSx>F6-ZiT7(3|HAJNgV)XPEz->HPZAY( z#)!2u#!4U%!XN}A_8sQRA8!9}kMRr42T)PMa7xVcX%^y`!i%+4jq4YcE*8u0G}b6} zLN;<5+O3^^u_-Db!33C-Ykd{SlKGmXr_1MW?`WnEvuU*=+&CY;=7EI!5{f?8VpFU} zw>SCgY+(a|?ld{Aj`@lsRIZ>#oMtm#0z^-WmC&XhZcTTf7kn+Wh$_=a<|2B9w(!qt z)kJPsuTCu0FXilpX4)P#O31ETo2J1Nck1_2`YCCm$WRyu#Be8E#!YLeDp}qt^%L|K zvA1SboPPQVl!8E^oQGLMqII`b+7 z)bEa!^oQqId|&n1`-)`((%AknsrCI_j$Ut3+;Ju#^Ut@U)*_{Bso%nN+Z1igjppTo zba}XLEDZj;#mC$=cl{J?(Ov?ID%yx1G$?_LMMOu$E$QNd^ z!h3|wvdUx($#2x+6$DGQQcQnpb@mbGo4}vE2xv(Da9~NJEk9_m=zEn(u!LhqjbboV zu_g0}iX`K&UBgOL;HI4y8|WhWA*h*bP;3R65Qx?m)D%-*DPG2Av@UI#TFErzy`Do% zn36WhXh#j-t43qW#v3MPphujpA(j#HFfX0y!-Kwi(;cji3IF?o455Alur;O9 zr8yc}kJqn?5oq(E?yJ|~B{G446)asS5R8IF3}u9jmVrya<3{ zH4f@9*CSVr54N&*ff1vo$_YN0K@B;l{7rA)g{PMs9xpO;0~s-i!oOwdFE0uw!l1#& zAVY&JO36tf%MWdaWLJjIiM*gc&-G0-Nv6~AE0N2bxS$xChz7(upo!86H6ja-HqC%A zqp6nI5TV?>y!5M|Hb6-{chi1&V5Sn*L8jmbaphNBfr>T_fx_=$($Mg(6J=UxO8(O( 
zZ8fLLtzL!({8rdzO~J}g$7E_-*^_#N3^w0E8i`?tUdHMExblNe3l=fR9o%XD3LXoK z0z)#ES`n(;&O$kk9gM@A{{`@O>yNWn40y9awKn{@aoBq1e(&-Mc>tbSshEx> zf2BCJG zh3Lp;TGs=#h0)R>o?c*|J}6(_%o`)@;9RyZ_~~K2HiR=JkC4F=@D^rK#D~IzrTb)pgBbiG2UL3(3(>RPAxn zXUK}6tE0_*a2|t5vj*NUdg;7yE${yv4S5-)nyJRCzg_J1)=LO@>KbU>5js~L_jT*b zD&NrLj^p(hXMKKI>R@)^-rL$mJIY$-KD2Fn{7t5{x_Y+d?9yu4VZuGasfs&|R}Yjf zu6}x>a?L6T+UqX+SZ9>=kz4g{0R=DNP33xeKe{+Zc&qq&KP#%JU-S}tz9?EcpW5HZU@Qy zAD+&!G173^+Oaj^#1l_!qhovGWMbRaBoo`VZQHgzvCWS9%{lKr`%C?Te!A{eRqI+E z&evxx9PSf-F1yRaRgf)Sm*E9ZJBld+iV>N9A?#BgA?k+?Thm2)apbntDn~kT`dd_HS2b7 zHfj}=RMq? zYrI5&g|i&z^;?C_S&ge3tmK}@0g4u{6Nw$Y$EbyE&Fj>ts$V_bbIkZVu4{l+5a4Ti z@Baqsb=n6V&k2Zpq9&EGiw7}oeFEwdoxd?#kQydQ08Bm=kV1(oKu;!9pgxLb_^E0! zmJSreRM3JEHaVz-Ao8MdT-JE8<@e7>)!xU}WI}iLLe_7V1u&J!^f}L1wTU?TNEC$- zD*@I`(dQ!U$9tivl(3b`#4$r!UY02F2uy026U2QDZo~EkESS&@{uoxxqd#mDxP;<; zeN-6DpuIQinE)gQasI^;0~|Y1B+Nm$-VrnE>ZF|A4k;tulS z@ROwKRbvFx%YypIS#Q2C8tzf^s)XB*D=nn*kGjB2d6LTJ=fY=LCV>eKo-IykAbV3OItG?bm}yid?n^}CnCqge z*mqyvg{@k++ZM}n#rn&gJAQo%5?=dj1yE>TjE=AGdyE;GBeb5I55b&p8fK`!aIO58 zWRoP*TJ!3+1B37LCiWaC%S|-Ijb!XQa3;PQ<>{|%&_CL|Q;_fmmfaJXcUxEf4*!YK zpB+7W9C4ssu*P$3!he#PEXK{xqED0jg>?tg_UoeW>(2&>{kgbo}TWZn~CyeB*$Ho`S^} zKs&!w6x*ERpQm?z17&p?(OhZWK7&%tgnmul60B>nOdZ6JaY#yeP0ezJCz|>Ks;qCS zr&P{?)GEv!3vjSyao3b$TQ$qSu<)%OnERHN`b5pw7d!#rEDQz1LHTr z#Cj0w&Y+e4#vHy};vNq-_TN3I(J9j>l@L|)n%RQ%L5+w9EuO0YInF+)rmEg1T{76i z+p|PFXva2+pXq5e@SCmroK`>5U}-$Mvg6XqY&tp zq+CL`OG`i`|1qr3DC#t*RCn@G2Q%E3Tj48V7;`sOd3+PyYM`;)gI0?mPQG00S|^?( zWR4~fPYX62PJH+DFm4dHW08g@deAzgw=$+m@8D=Q5hxgNQ(vN*eGaMe=fmW>s?UvScju)#{52R%Mv1Y5jC zDOy29j1aiao zT|SO4Jv)Ai=)>@MA!Q0mAml$ip`Ri~4f3*NIUb-K5n{&fyYr6gHOd|ZZ;#I@{A+Ee z#$}JY`U*~L>=Ye4hkvtOD*(F{H|)zEzOL(JABJRKhlT37m}+0>kKnsy@g45!hS{+) zIXfN0OE1^%Gg|%Ad>2lE+iDvHAN!o`g^aENI+xR^h%RH_=O@k`J?Fzf*DN|7%kHuZ z`uXQ8s4mA^ zt_h!Bv0^S-mZ3Xrfdvb;FDAgjVTMhsD}1}1_YSNakJ8)uYFHb0{llzv57^%k#K6UG zDOqn*bHlVneyw}m#Ffc@$A=Pa&(}KCdC@w~`x4VO|DIPPKEyZs$>ignyCk+>_9lpa z8aE4=nLTDPYeHq1_vkJN&qn^A_v0QbA-D?-}Mm)*V%zb4;7ZJBhd_mh+wqR)}T 
z%Lm=MVle;weJ$DmQ2~DjV|)v<`5ZuQ1MLC) zT0XU(zUHi?G-_6oWm*|oPXWt*=RU8kF4)a@9_=H~&lVP=!;?t$@`5e_CCUNw^Q|~*dvPIkyT(9s-Y@9(43;Os;?LN2vCmOvk0=-(gl1! zrIK~S4U5Q~%jAdXXoYLG)QTMnNb(&zG9-63*gY|Isc+$j|H?E0;M;Jrotl+d_($L_gk1^H^4~X4 zr3#cJM=c!q;APWq1lbEPmH$faX_DRSlNjO&`KmcgNS5)KQHPe42+?T&KF$D92Q0`a zAxD5L){AGaY)B8j&9ogv=wQR0zO z$JO6UzoVFh5*r2h7ue8Hm4pUom|LIM!5| zXapMjm~yhz1Uo~k?gH)9{}3qt!@#2aB#4AJtJb_g;(Jx|s;!ZCSBT5HP`4!)m=rsD z^X7=~N*{ZTY~w^g&Yxk>q$3HpA1LQv%@Zi^#hpdY2ciySMvwD3=9kZy1EQOCzQ+M+ z#=hFU`@3DlA;ifM{-d<*R!GjLBbAlrGV9Y4xq%GN;24NReNNY+yTy=!mLccJ*2;%% zm|VR(FGxg!3D=MMBUH?9|Lf2@Az;w)*D$HaDh5wJ50h7Dn)8SVZ_2T9+p4uf{HPm` zN`-2lEcF0ffURa4%&g72Bj?Y(?>PQ#x!Tqw9!8atl|_$dko^r3N6yM}@$z|#ZfvVf zm!7MZ(NobR!@|*n;{HX(Hbi#4i_*6a{8mPFr|5l+{p-Jq)b|#-7~u)W`cpj2MY!9X=ACktJ3@(3_m^EaFG*Hjv=~ri0eE9Sk~B9ktdRr6wQyzzeWHzSdQV* ze@*MK_cd9FgxmKQf0YU3INM-R!qp{Hhl}ZRNj16#^r8PAefv94Y;q6D8$?BO-oPOC zfTtB*jl(~Kw}^-W^Hid=`YTJQV*3fAjlSG}kd2$}FtS{dM&uDG=)i}b)Sv=VXlRuo zi90IId}tU>b=I_4GgYntS7DUJK7gm0o=g=ioy8(ycvv6X_Ml9fo;A(1$eCO3VGxD+ zK!!k?)^qw=A;VNgieL;QqDhi!!3f_%orMiSqYC6e=n!pp^kVwoas=qk`+nD>3wG7; zGPC)*bG+~sa=jbPYj=D7OpFu)kC)*B`TFZC%!~8${uaVMrw61@9%V=_W;AN{kh5R? 
zy1mEvdyZ$#_vBTba%S6a^HkxtW1ov%X4~=p&Zg1r9a#w6V^M3%l?K};aKlZ{x34Y9 z4V$rO2ck~`+vhM{rbKV;FAPx<(m{6vqp02DOJGyr zj44(}3w^=o1b7(-YwylkL7d!3p!hx#-5hx>%2}?;$#i*57U0um1IKT+U8aHhEiD}0 zCj(b4p>C);K5;GTd?#0kdtT}S&xFsD64`6cS@>V=^KgGF%GC$>JVVO3?X#!wq+r*5 zt2`gIa-quA*2a;+|9&PDX7~Qm@mBp*z`L`F*=}gv?ix;rYcTRmGU=+S<+@5u7=xk;$#x=U}lrcJqW z-2K4cjsfykcUVjbcz7O*EbrcTw+VRS2zXf8U%V#Nx9&jNC0+ltc3GJk*a19kO264S zFC-9O*l!@3Wj1|2Y{Kekg+11QklQ9bHwb-KZB^}O?ssc;YG;FE=s~WEz~7H!BFz^c zXT#5&-5|xiVrA3)Ck)OV*6UTsfs_~?-^<^Oue)**bX{9cg&o(n=QcNY#D32hS1O>| z9XhYIr;bX8EzhyKcT??8E|<3#T6KqrEStP1JmT(_7u^><4OFFtHW*=8rX#S(Fxn zR?bsQ29IH}?dz?^&Ht}>K~q4$NhavM145VLhkbqc zTzK>PB=ZKommozfQ8LuA8)HK;mV#~&6G28P9f|uP3+Z^K4*`;3uZ?V@r_~0^MV%{S ztxy%%EbZYTkQ+C_?t-P*wu)rYP4jKOL5FGf*f5l?ksNXBi`R<1TmgA7-#v!{a606Q zv6~9t$$ynLr|I(wwo~m`*J7T$Ys=KaSeZli@S8@cybtwkPzY8TRbbZXgVx ziI7SU9zSg+IS7K0v?q+>_|<$~&hDldu~eKwo55wPU!ZJ`6(-LQK5k+5HzX}S{k|iZ z?PdB8Csli^RH zajhbNK|60mj<((qwyj!a=zc9Y#nP#MaD^vf4bi+ov)DZOfD|hFMJS@&G#3dB=JMzw zoW``}SQu`fywX}3l0a>EA>eP)C7p^Bm(tTY9=DA&vW=n~HFkdF{g5j!c)~rvD8J3h>oW5$Y*&f$h1S$n>Zc*3v44Q z6)cK8TE_SK28X;OV7U0UPvQRD*ZUZY^a)M?UqpyiZyugl^U5EB(DmR0i zW27v1lS+IzI6h+EdTJ9*z1DTgkI@y)0VXcuuPiI6Y0gn4n?>Aap1nlegK}K>a$K50 z&iwfO^eLEih~kA+(>?TXoLz9#iG{&yrPysri4)9zE=Y7Q&HkL&^le7zCTW4VQW`SW zz&KVyWXRS<@OlJt_#-Z`g;NArEAtAaYorGGuw|OeWV;NmtVLNXxFpuK3#Q~VXXC_T z-)_v=Ainf|Z?Ix*7R#R=;@}%wV6?FYnDwd-#@t4LW2_$)eN04A&>pR%lyEW}%HNlv zHPdBPwkH!O{LMmsb^c`)y9FJCei|kN$w7Hvn_%UbKLUMzm{z_HtqR)sC@+ORK1auI zNLKuacnkJc=#Tc4qvdyn>8Z*k9LmNascPB=)nE@6StnM~arzV0+{WRj$7d)M7Yu!un=pp{BYLubIQ@oYGJTtp%~)~=`9wVh zeJmK_Uu0|e%yGhn` zV73R5Sh@hYMjBleNwf8$a}eq!%TI|=p)M#mMK_QNV3ZhXv;nmd$~LB>R>i>=3(a9^5i zL^9;jadCKFC1LpIntAbfT+9odIE^4pMupnOQe+yIqe;Q4;zaCH+Cyxm1y>_`Dq5IS z`}*wt1(X5r0ua2>Ec$KIeJ&Db>OTck9c&2qn)QV=dk5@Dzg2<=92S>xK94_OL*U~B zB=H8i|AKPARL+T8ub=&2;S$0O(vzAKK#!JdMBwspzl-Nra_6)GZStqKrc$)_n{rY#u$y|v^REVPjpYKcYxylvmOlk+d8#Hj1)Q{(I3d8i{>`q;N z^Dz4}-i^Uy=o9t2O~&T;<<<1?@x_zOei|evSBu{iE-hi}l(oSIs~UG*L#W3Y?MUY5 
z`!6q@o{1Q>(ud@at?`eAR+B63Q_B4(xm+_f?PuxpGuRj(J2^|B=Clu|%qB8b;6~+J zz3Ft8cx+&yeZmRyy=&SbGl(BqX>8zRWHeuDn zf0HVc-7jw$8*%M=zf3cV{G4sS=*io!-SAB3F?@L;@XV;%9a0@+)#-Y- zH$#N#C-Uj^Dq)wM=5bZ4N6-8A(A3i5;N?&?C$+I@SBc!+yy7S^>H8VJW7o7$U~<|& zu08HfucwCMLes@p7_jA38O1C2LTX7iq zD761T{LI$=-C7U+6}e?eOMbm=yPw10vp8ZVkk;<|l+j-e82Q8Q_Ee9PXqp53yw(Nq zaN3(=!TG5_Rn3vLFu~@PtO#wt>@n$gf@(OHB|c+4z3@L**PAUnxe zht2j$J-GfoQDG(%1Qd9i36SLk-Q>7~ze_+s(#@~Sug(6cR;PcqS*#dfD8skO?APkk zFtpjc^{JXI*^5L~3vU16V0t3mY4XE+Ws-fK=@*GlC=NKr(9XoRMQ9NqD?rt9^xoX}YleR0^%%*;Kiyy$n6}vAnV7PP(9?B03|{v5RHH zb&PV$*h{QbCp6X|Cn^bjE?QrCKUN$=`7Ww@v&pehwUI=yLI`V9-96{r$D ztR;KAbW5<5ZHfVNSOTrlZ)dCSIO=&iQ*te7?Gsc?NOb31$r3EwmUaF2Qy_6roX5o% zTH>V)Wb9G=5%fh?iM%seXa~Q~D#=I}zt7JJ5pz^tPIvTF5vkQ343{KQYISwgACb(E zye+fjpE?!iXq>9-?+xV3SM?V*=y&Uoq6$B^Eh~!63MQxE!JR!vhVoQFl_>xh7*|vw zq{u^xH}91zoL2fCQ8r6{dIz5S^p`I9q{~3-f%fj41ix1Do)kRxrJb?2LrT@D|3;WyUl_Uml$!j;GX+ zO!3Palia!-zay!_^~dF7I#kR&@Mm zZw6I6>+6n8*2#JeL+n}(w^Ewbbr>2l?Z;_ouXwcf8BUYkrr$lRx^@@>=sIUBS6cLZ zKlCb>KMuqHL8B76Etsg&-B;|qaek)pd`)pQ@PZ|HjNjvs&7&u7{|kE3!ra@`JrMLi@S%`>&wTHpETx0(_eDjU!=ddxUm zf{B+M+Cx$ZN1PW<&&PYpzZk%#%grL0RcFHjByCOG(B;Uu_Eo#ghR*R2tevk9WZLWL z9fd)ODp6<(pTit?k2N1J(8Rakf6>c;JCb{>Uq0&>P|JLGILLh~4#xNTuBR_N8~#upTDkaqf$L1Wt3&Y*^1a6-eiyHG&szG{b>fN7oHnA)hE3rX=twO=Z=9~NReu|DNZuOzlAuyicFRR2CKlf^0Rie;| z5Ej8wWPHGpb2GkHZIZ#{%=@vv{o+Ci|6A_+8+5A`d7wti zWj!ZV6B}Bu1c6|YbE#g{jQR%IQ)FH}dq7u*#x{&?piIwN#3Ee4V?PR4Yn@=RbQ)bK zptDJCd2r2z0T(O?vOie)R!7mc~5+>cJSob^Sm*YV3A24SoMr(M| zC9Fo31WSo6Qzb0t`fXfkWopO{;X3U-2dHagOjP*;Ypl~~e9Ib~Uj5BSu$c1bhiUyu z^?2wi*0ZK8apqE$pWp_(vRmPQG6Ov5aaz7swB!8^Z|?!BE4s?Sg0|LEv1jO{qY5-3k+ zlnt_)n$kZ#{2|_*Fv0UszD&2*hMM!DtW_?+u(}+@9M!Uk(xHwAWlDa<$+}q8AXt2j z=*2Xiz=`a~3EZP=K-Oqzwp@av#*Fg>f~*t$5{;{(FO*W6S_yM$s9N39y)!p`%a|d? 
zv@muhwm~I?F?5qL`D?+K5iXI6P4q;UnXrjE(jLoL*q{tuGVIj9R2q{kvC1;3bcjF_ zS?4?YI>J0eKjm7vNvBp&;)TIbX)q-l5?-MaKHFpIW>~v>dAz*6m=2+M7x<70mrE=` z6pJl?Zf9gR_+~aKG8!T283_?iycoWmvVaPyh`5_e0i8)=w&InC3ajFJDVtCq5A|TZ zcKTw6Ian}tE}W7LxrKJ+u3tJRD%k@R@je1v^gANH1sZ~Ok5_jffXrjeC10o+QQ!DH+Hqky-(h*$53J4e-3sQ}=P@v!_L5m(;DllUyjZkgNM3 zRi1*;CX^}Chwe-F?8qN4wI&Ag(lcm}N0QS`dwEi9Eb%@t{lS7+(<-+aWusB&`*wNm zdGQR}Yy3mO*y2@>UP`2JRboDf>%#Qjrq$f6p>yX-lB5Frw+~O195HI8Z_;!^+cp`_3YAyb4li|W?@Q*M|ljggL6JN+S0f&o+-;!oDXG{{Hr;2 zfCw|P`X-G&C96jf9&TBwl$2+C`tUE{)g*2X?ps>je~SfZOA)EBC*g}Ub^-Fizijxt zUql3)e+k}@-XG{g)KL9Be?kAg1n=sX;DyT!Fh>x9-=lqPCVF>Cxx9X!F73JRzqJFKxbBkE7XY|b zwV*=m0CL+eg;sR$DtJ-^KKco-89Apn9~Ymd9_AH5cLy?@J29OuJ-j>IcbyfCIZkg& zRQzpk!pAnVUA}>+x*B&)KDai=AA{?!C5-GbUDe&K;W7A5wmqiXnfEI_2B3o?;%(2{ z0aQMUnYMq7BZPn%Gu_umQake(AuEB$O)Owhvx{E4K~K;%&!N%9c7)l-QS#Q#dNsh) z5p>ejF~JKGU$wZF+aa>^fx0`-2laPe?)*MdysgCa;JcgbxVm52aapfK-4;R-@B>A; z`Tpx=C2sKb-D?A?5|?uC#DYY5O;X%Xx-M;B*1Wtv-sk$X-FA5E?b<#UmnS-y#NPjv zJh@-qoTKg4JU6Fs^{zYI9%GEy)JL3ia**p~Z?;{i-ET86jYQ>EEM?@{Ul~nUjU#B* zbGIE$zM=5oe9Vcvv;5)j-ELhKcS7;Ki{(!_PF~uS@q2i({WvG?db(&!(c!g=OX>uK z5(B#K<+>1$wmGyo4TwKd27F)NoYeHr89y@Qbxk^Y_&;0BFotm>uIm<+y}#OTqQ}|q zC}E4kU%of{OR+;uTP<1-y|33#I;e{Z-KTql2~M1HozH#S$okuv_{4ytGVSNBWxzGl zU0VXDZ%#T+b<}f2hs}(S_m-pC=4ZolW|BO>fq=daNKoBF+q@-1%k+QU_t?+=p#ivK zIt}usy{!1c>L^K`dZmDDd`WC&muTzI&GH$q0Xf&8h_iTHNe=rrJ?rs=$RlJ0l5@U$0aRX1g;*Kr(C``0#%g<^@SQ2RffVSbXH9WDUCTl)zy{Tcd4i3 z*g&6hu6O82BOK5{fA%_b#TJB0_(=a;U~`feFhOChhmmqzJYF{#IE&es3dqW+-r-|E z8-P@^EP`iHpI*@ST#ewdcQeOztX6{PR8h7JD^L!&kWeH{h##tsCFR=bJKw8aci?H2 zcPsf_ynM}bYRi77q`G?$Dl*TMCoT7FG%l?${6?1-cPy|J7G+hoX&hQ-m`OsaE~DaW zzoVJrQM~eq@ll++9)+&O`Yk_HTbT?T;v*b^raColyxN#EQxbo>UR0!Y&Byu;V)b+3`&11timCrQFBZr zndpCN*7K%3KmHg-uZ?0Sfj0-QF2^kbPK{YK0XKI$*YiL)7NYncVkF6;Lj~6@)F-B zTe(R~g+2J{RO)|MJGa}$rFT0S;PqD2)4h$^l8&HK?Q8v5@K;+3_ra{8nnjPx?DlHd zyM-n`?YOb03)D}K+RqeS)mc4HTi889e91N3SLqO?%+IHS^5<1r|5K1*^Yja(gy(2^ z2mLu<3V0;08eq{o0W3t{*L>aw0sr~?$-zDQjl)v4Aax~@MlKhkCqt`21wtVCdzWE7 
zpRw0Ts9lct#-JuVqeSxO9?QkCL(XZG8OHHFP9VhqMbV?x$oCNJr7u1q2OD;{g5 zYf-l5ML%MwG!Lu@=FR5R%2AcBcyC#}KQ?*7MoMJ2Kd97B%o zD2-#YmK4J&(YlPTQE>%n(7BvBSZBJbT~+As`|yu~7c#?CIis^&?NT%~qCX3^a7c5? z>`G0kx}=0u7%snV8{n%m2`GOSA)cxN{M+JB-wJsKRjGu}0%0(kwv_z1x;(NB$>1Z+ zP!Oi{=a8`ful(m3pW9$|M|FY5 zFFAKNab}P%e@l-=LiQms`@i|_``+izj`im=f zAPFzA7ph0iBU8)ynHO;biT9a7M9lHl8sIVAB)jXS7#8@fP)*E&{~_pg92Vi%_BnKZ z#kxM~;W5Hb1b9@C(QT)Y1boCPe|(_N*jW*;^qf7*&@TJVR#8>8uhL%jFsOn4^-&3E zn8k?b;tBZNbVbm8?5}WaJY8A&HawhG&;!Re*T+YQnoc!mo~O5M3O3JXv0@H&*Z0d0 zBsxG04S(b+)dA)ou(C&I5!;&}*z2kny>0gAY2Q1X4cr+DqRm6X&f0Cx1Hi0B3FtF8 zB3XVN;9l80ZeW+yazoq<413yMwgSE6FZtcoS!&OF3~V=3Q8c&juWjG-O1J_%Z|5L^ zzmjO$Ubg&Z`FyBuiELW{RU8^erT7^b+a2AI}RfjW+2P8kuG(h+dsX!k*y$lzf;ns{S;oAHjk*0 z=JoxewKRztpL2y2?XH;Yos&tiD~&yM3EP{3km&ZEwY@Z%Xswsljj|#=o}zby$BU-| ztHNpz$(`e1Wa4x5%*S_aeAEQu&S$$}5Y;URZ~+)SUIeAxg6xWXut4AyQs-|eAY>&V zdA@8)nq!D27znue3fPeV^(C!lR_oEG<}-eI*T(}6{AlCyEFG=KkI!478=4qmD?*bk z+T`2jaW{z6qu|tynH9&W5Dp#)1Eg@>C`pIJG{oi|qsBrb*hpA1y_vFG4G|y|3;!lC zWfTZW61A&R7&{#n(;mJ@sVAc9{W69lU=Jt+8E@c&eXIT|W%=NpsENb&7 zLPC+^w7BMShz3(8!vPF#CwS7KWpPD(B{Z}3;&}{fm?+Kf1Hx*!(;pUv4TtVXjT-rj z5h1?pfq#dL$3!e<1mE1-C1-LU6rDxcqoLS(3Z*N5@u zh~Kq^#-or>;t>2@GZA_5>OV22jIt~@9hfNqSFW=qdSm*H-OH$iicLe#mUJi>?xy;N zeFnrtAzXhBU%fuj`tW58@m|iY&j(wOS|CbZ*8DTVa9BNcVLc(_QLI<=bE+)(6$v%pws z;|@a$I1So@WCOBenG{2j@WOE$$4FX{L&=hGgsU9fq-9|Ix1v(6@O;{!zszh9dA)*; zB}ePtC_f(`h2ZKPDQ0PO#Na6DzY#cmuG|va`cBu>y(*9-%Z5r>4EuG@d^OyKDZsm# z&>1My6_Vqx8Z?pw*qIE6%JjD`2x?O)mI~;uxV6j0vjI_dTbvG6%JT*G0$s zK<3r*m8teLv^C#3f3S6-UvkqzNpy>~@Lk&rBe>96D#cDgSKr&h7?=B)RL>H-917BG zmk3&e{&E*>nnXZ$SU3Bt6c?*fN=3}FmuZyl6;Fh8(VZJth{iBQv}s(p$7lU*<5I1S z3(H}cWn)xaa^<&l{fiEbIb6Mo%wI=-Vmzy^8K#(Tm|q--TW6UPER-q3RD9ADeqzit zraDM@WROqA&?CQg?5v`&8QQZ$hp zw@4F7eY9}z5B3J8AVmQfa!ZtomSWfqsN*w+jw*|h2NdXg23R1%^Uedo-I~pSyp;sF z{@rI%;b=uU0In>WI;+@ZSFVyEv9W*Y7Svb_J-NR!DJm)Htzh-Th|}bg6p(+XMGAqt zVaq?h5Tg9Cm2O+XOid+)L|dP=t5M3Ko$DV9$zQU&T}#;1nHhHlepjffHvFd_dEhfQ zxVJV1W8FOtjJh6{^8H68PwH0WrEnKoive{S)t(XoT;&KY7mp>bf0(j{055I^B{!hT 
zRN3lRou-vNloF>n`cnPLBGj)g2YlNl&$LXj5)s(NjK&D&HtEG_h$c!BPCOujNgh0Q zQwISGb2NUWV-S=E!$4Z4;4cHt@9}WI4}*)?!ge$9pLnP0aGKxH;LK&Weju0!$)4h^ ztcbhToi(;v((sbZ8OKoUlhXGF2}flcWaA#C{kH)1))kRR{zvD|{72_PK3_?`f5}{O zCG>39FyM&UXB8-RM+}r_K+tdC`3YWJlMK2XZ?j{Rpj6Dt6VmUvf>*bcA)R`XHs}0}-KGofRhzM+swYA?0iQ5$zp!Fi( zY--~rkdFU2v!ngZxaIu@)2sEiIwbq+p`djS%wlAGcM01+ZCH`+OaXYN;p}u(I~>j^ zdh_N#|KPDPx0_+5?CpY@q%=kJP zJg(-S$TGh6y1#%CT_e%_z|#qijkm-;Y&*M_J!Kq_;ng2o!;uKvoyWgoi3vx1tUUU( zR&vG*E4CY{{IBDC?0%YegNV9(pYvALuZpea9cN-8;Py!z{jA z*XM((Qw_iy{r4oJ16#jS}ITj{2Qa+A)M5`8lQO5_1JN7eD=s- z7<5L-hSYhQokrAqKa<9*OMRXU3CXM*b>DGAeX3bAEqUhbe5-!6%W~`M!3E_Eg0A&H zTW~=jwRQCyVjf=UlCj(|#SB&dZv6)F(X=crT(^Qo2d z?J1Qp+D$<2uua2!EZIe7Mq%z=m^INYWdvhfyvQiSl%;TpMJ8Zj*?wod-YTg&sf zPXwdH9BR35J1viQ*sVb_oGBW$h_0G|XP6C17hqmdeZuL(r7lf@Vbdh0wPs1G7h^Fk z`6G>MC-tFkuXfhP?Lt@A$()G5smk#Oo^;9sI3|%-KrFqxQL7w+QgxPHqrIBkk+xJ} zUh2gv+63veew1~|KliH7LaPjw4*EW#90Kfe?0@*~iSXKWKZ-*fh=|6jvN`HItiM?_ zJ4J~y|4EQbmSXD?HWEyn?Y2y$2|$iVK~NtlG6y@D*cu$9*T|ML)=nIo3;0``uYFFj zx8BNDPCjm}_gIuWbWF`=?)oTR0dO5>-Z+PM=tzOUtKPApvZ04V4$D;~N}+6AF8BUg zZ=9&4Cr72d+vU8XzJCo-pwn$XcL9jXAc=>`KN~1Uof=TN?YqVjDg!@nyK^{HW_OKo zlFlL*5Iv{~Av6>O@1Rn#O9<<(z@2NJP?rR^nRv^C3RO4^RUkM|XYZ^ji95qkD$nYa{k(qvy z_O@DCenbjG=CKcs0N@5i(2U{CX`*#nD8=Hq zfsah4iO1p(pDV@O)Z z2Hh|LJvFvi0Z|x&XmsDe2uuM19ZqD5X4M)Bxl$+7*hzy7MTji;O|(X~J^>s0_*9GE zYDlwjUd}QWwUH9RAn6;crpcOQuu~)s$CeKGIj*xhgK>I#Q~`263Ui>pv{t}aW1};r z7|Pn9yK?y~Zm-pG2OQ1HCenA4PT_W&6&7)r3R7c7lE0?Sq#hze74TRqCH^M)EkO3r-w{Uqg<_)PCTf9T>!HL7oT(m9XcA*kEWu%qX*>fpB1x!X5N zBlr7&rqXk{=6)te^*sF8aCv#w-s+sJ{@rjp$YEuNarFuA)1R>yRG}w+UH`d}l6}8& z*7>1^S7mnfIM2$+L!8xeSuP>rrPq9jQuEt$5BFlb&>ociob{H%ucl|9{!jQZ``EYj zJv=7I?MR>Bn*Kg$Z0F#(nyQ5dRLeiz{pPRj_jYVX`4vj(ww<-1)8T-1B)TC|I zkkCQ&nUbZx3RJh+emv2-zUDp7tMGlg_!6}d#dbaZzF&$n$HygWDdzWC%dTEa_uw=!ITIU{`2#w>)vgh zgfHwjcGfw6;ldk#A)(`OLeEx-FL}={u%_gq192bVcG1Preh{^#yLr&RY&+m}HO{Bq zW^q@&47>wfGU1UIef>ZhLBart=L&iEQa503~_xGltIX^v#NtN?KU zt;&`lb@|V}cE*`4r)fO(5964Y8a|(qEWcaca<4i5rUePwtmhFg?6>=^8h)S8HAKex 
zD^=cnL;(DM&Zn*p{W8ix_y2o41+D#zx6|s61Gd%IiS_L zP3E}M91(6^eNf#O%CpsRp3p;A2I|c^tdJMaAIFpVK!S;9Ob|T0?89JoQ4(I>JRx%P z-(I`SHx%YSd`jc<$Xvmi^agV$f|jC$t#llJ&=><$aQwweYdm3Sh5{-& ztg$fFHkJ=Gks)ufGgxHfub+n_C)9~3Oofs`Fo6KT@+76SjM zh5p=BM@RtIwuK(A{bh90%Y;#W%GLN4)8?A{hM_CSULFe8JV$zGL=FJ;MuDTeR$`Vk zsc{z$zO$J=jWwjG&ejS2RhySb(v=T$Rsqk12-Eu!jpTb)(->W~$ zRUw@$Y1E<^8W)b8;v7j3N=6Jf!Ke{TE8e_k$F{@u^-~$~hfh0+l8y@QJN!p;&V|V; zeOiFNendt`m)>OEj4br~Z?!^YW3{4ZmR++pUHZjQI-idD5g3eZ2>}VxSR*^OGi!;a zJW-ix_wKu$bM>Ux!z3_A;R6=<-#zYGz#>Q~5p#}E!iDV=yz#f06f#!FkVWXs`JZrQ zper=IkXTkErGCprh2u!Me214YZuDe$m}5_pohnr2FI-nx`rM&=ek=W_zn!OU26aCW z3x5Td)nZw|8Q`!|syo%20QRv75YHsde`ldU8;#0}s3ad4A*1a{nZ=%n9L6Hk?TqD4 zMGy7y{IZb^$587FmzVl`sMb!;AyvQftFBuq_ia$|PpBaUJUh5*0qa_}_B4xhy=F|R z_7(Q%?B*Zi2b8!7Uxa~(^(w=y-#6ha~`Pm*YP;PH6ql463O)x5+D5{GrGT3*Wh zl5O*x>#0`X35p>J_xFxNokaN`z|aIH#yn{Q#6{NlWtI5_-wFy*fBf7!?UL4fFrNkB z&X<#``|DZ4k@BQJzKlq zv#LDxIV@a72r`AOcNN!d(*AELJy{_{ug#u;7oPKgv2iUa*?Jn$%CJmr60t04l2rKu zs=^}zly)sTbd&-X{(^&gR6e=MivuYtM64ATDGttjlv;uvI^@v*BkG#p>Hwg2EiRj@ zmbGl#wryiscdcdHwr$t4?OL{Re>uzyyzuD;e*Gkj5B{4lJ{Q`4@)ZOV-H;%R z)Z5JbieuUpdhnbBSR<5Lr}g#Ne&p`dGM{f2*I_GeZNHwYIo0;|8+z(LWwq|^#oG5g zOr&=IVenpAt}QFJsLCqf01WlD0II>xWt!ZcwGDr$d1uKF?!l#E(7so-XK@8B`=t{|5M zzyDk}Aq4pGJ}x)db&GcUeAJ`*t9x6v@^n&_^WmbvLlL%HTB!Wk1SZg-=gkyoKVm59)Hp`VRBPtsAM@thAX*VFw9~x`n)x`5X-CuQ-LDAZ-1gd~ zgo88Wlk3a%Kbc8odK_U(;fZWNhKmH3M8|S=UG*t2dB5GcC%k(1)jM4~PXxRQ91A_S z8i1T1KpTuuIj03$-C<6R8~CkvsQkURI9s?l{tiQxZHw8R*Md&@z|E)?!IRbnx|3wy; zC%<(se&W<5?VKJ(5^b}~iDQ78P%CH#I0s;s;3}E0$IM`C#a#q+eCBtWhQsf&ilt@s zw{#`dKtu~_tMnhCm2_cMHM3Tn6E0Zb{5YJe8&?#s-$%4r!hH3*Xvx4}D=M!Sf9>X; zvq^lZfPTOaGPUJso)t4gIZI)4z+%LL5MHcdn2M~Szmz?Lnp zMg|`v`$IVfubBeYT1YYrXM;#v6ACNDt6sKM6jz2SJ15lrw(8sAPeaYWf4*%W%OcqE z#;qQ`{exhxb{jvowWzbG3DIs z{%5XeMVUShR&}oMxp2!lssy~0@yc{%SybL!-ajB+Q6}5pfczzCs^Moe;A{ZS!+Jmo z(eG#s>E!tg0}lFPGQ_AtYgN@qnO1Z6%x>8w4p*KpEqoGMPm4Y{h2zmlRmsp31jbpbV;*5>pT_r9)*BNp`~??k2^1AR7&V84 zLY*%ISc1q1IRxf+$S5>Vh&kiNGBUD!3i9ecEyEb?dD6TbmB+^7^m+$!SXicR7aMDS 
zwY>HwTg0LsBHWnNZuk&e4a>uDE)!=eM2wnJ9KA;LnLExPu8w(!`S$e7f$K)_k5RXK z)c-X53Xx5>yj!YGy_yM64i1Uh&0;1ZFR;MD6dJdV#xo8xlrB|12=uB4MGR`f5+*qi z%<~58|BMSCz=H93kzX`}{1KxXrsse|M21GWR+c=$s`=Dr9=2Tn3)-Z{@KykAu=x*+ zRfs4_b`$1d|7?6^kk5`M1hT9h9YJxW2hoKmEHB-xv8M7J)s)r3oU)>?%Ou|qC#+c( zHS$Ww^fAph=@kwr1%hym@7S$&$b~;>F(qp(6D2m>J5dsIV;V%Z;$7p^Nh+VUIp0*; z#myPuOM)TK0-v?-Z)fi$jQiLTGgw;m($fy&;@q6e$V02?tVbkyO-~YnDpAs%6o$nN zqR+cn2wZ#AmUSp=Q||&WrO^$;70vN4NFD(_BEJ!gQD=@pys$ zQ?f8=9C)o0MVgHWm<@&GjtGQ_5~$3{Nm=xo`SyHP3e?zUn?K^bn6w&#>(_rVbN9Dr zX&!~ubN5rjXWd=+4Vz0UO2v-Aq!#{SRC>T`t}Ham=j-iIWX;1CmrLPiSe7(zmIvCh zaQ`i0{mbLtOQ#k{8zQlgOpjHinuefkFAS3{pG#J+(u_`9>>8nXW22QsN1P>J8Y-7cUW-&zxjc^nDv^!DkhuDBHg)8ib*~_ z<$43(7orzMMxY)=0*N{GVMe6l5E3YbOBv=oF5LwFHk&|`1InacFc8+pC@8*fsJ6y)g$F)A<+e53hG?mf53f^yayTM#RP-^j{MG3W6|N|RoEe& zKu-C`7h-TxuV#DudSI`08*=;d#m`PCmy_n>gX;pPPCpqRFhg^wXD2wC%c!FZwBl(y zeAXA=THAfmC4jnPm%mK3k&D>d`&6|Q(illw*8O(K^+BfMd)cjEd3|>q#FYh@2J!U- z+w-vTO;CFY&_B@v~E_e7G zOBuDx$4C++jsg;3uIM{d|G_a(J#J3&r>-}2gK z!RbnNEXZSP%5wnK=DIZnywS;3!{y5kj4oc@d@O8C_1(ujkrCbO6-Isi`e6Unp?)Q# zFhpqGNBLX{w-pM&Ueydo4mkHQW4}Zx%n{lNc+$ht^L}4H{)!gLUvJC&wiT;2maE?- z(Q}>R5SF<@dCm7)BIgtjzA44l;<;GdYE^ekzZ@#yhRaC_8y zBWj!lFudM+<4(Vv;=l>E?ayeU{M{M{X9lctALg96ysu-d{Sdp> zUBK=tKZ;j2?>f3yd`atPwoY~e+PCSoZhz)dUkAMBchXsrxDUM2CQEth5UqM!U7Zkx zEv$50j#sB$MN?w{P&fO`!vQbdhBpO_g3%z>4AxOEdLL`dq=?rHMnyoi{YEgxc0A&&`1>Cxikt~M z_s`^y4+X?3Lk8NqwQG^+fd@EuWSE1PK>Chv6&*MgT`cj1j@;cz!_=v?6SQTxli=)q zpYqk}V%o4iabuQG;#aS!Gt~qvO)XC z7gJrFFY`as!-_L0J5^hLsvGYYe)iT`SX6y7QZSnkqtv~{DR=N{0`B*WM2Z9QY5QuD&^R4=`X@5=JM^4X z3$gXZ{ltpTt665axw&FgvkU&n z$>Y)}l#pZ$*C}#eD)T13ncv@DN3K#-vc11gjRCe?|54@I^T-1fVY~EMiCtd4$W{tW zJ80-hjyna*lroQtT&`1Sk#%`lTScvwO2j$)*f87AGbaqWu-GY_LB>&>n?;%ZU7bcQ zQL9UfmabfJ`LYR7+?B==CSO4vqvpV*Lj=UvnK+iF(@U#~!!Ah74uFHF8>~p=90-tz zQ(X)Ajp|^gY#T{&cqnU293B^-Q)Zm9b>y4Oykt^2B@>Oz6A3}zWiKr3uufjiZCyIA zt(Y+Jn^ZDHp&K|y(*j4HM}-{Hjl3=YbVjsrHNFqaWIwiQgIyYQop=X69OvrT ztl_qr#BeoR5puZ0RvdQKa^y)s{MQ8Mk;JX~3YQ?9phH`pk{Tb4)g*!Msq$$87Oa+; 
z;$Jvvxt(5aS60O+j<12SvS2L3`!&~gj>gbu;D=~1*B(<735c&fv@K6i!8~~8N_(%WKpqOV>63|=OaJ7VxDO(>KVaQW1NTx9{3_WX=i$Ij(pPqj&4iwclb+}-{a{1{x+vu#M)>%O@K357v}U$HZ&8z z5$IvO4?g`hLD?vr{8jsBf;@C?$XZy2#~&v6#$4r`R z@fS3F_aBIS3Q{y)(uZy8d=yG(jF4^L>l7Y!aSjW(aW>G@oU!NgUQLzm*6ys@B=<$@0j9Qbkd1*(;X<`U4d*7DJafm)K_I zJ3mY3BoZmZU6A8opJ>FIg1-z;6nAhq5}eWwqg>jrP*G*o{v}ve?J)E`*xjAHw+j>_ zrRQqIDP1=Wq`)`k)$3rh<83VYzj5odU$}K2Tn~cFtp>ly?j=47NeKl!eKi7nphnNL zEB3L=fZtw8uwGMNNnA|n#~I>Z?;@W7d^VsgPk`@HArSl?CZz=yQxACQuZ*1# zQaF_YJ09L|COgvFf1F1K$YuK}d;;4{lG5}_#zs&%SC{u;458mfz`xtl*TiBi{eb=c zbS`4&zH6WGWhJ|7vUmgxvt!@&5`ImyD#+#Jay$o@ zpIXOrI(fM59T3#c#h}rCSHuzfrf@wv;RG7PRH_Cpziki;*SbkEUuyw6W&QjU^`6$j zR=r69O;<*pwMg5%?pw`QYt;Am%Sxzj0WQZTY3S9BgLkp-9{c;tJeJoyQ~SZxGf;-z z_0L3H+F8DLLhhg$4+D>>k0V{J8Xn#!t`(r69^Csxu3`Jr3Y_KB+u9JI;~-|O7 zDdyH_R8GmEY1`}kXMOdh9L=f8c^exEpb+>zPtmxs9?K*`k|=OR_3w?(q0IcQGRa8$ zKFQ$;gxv`3HO3R_xiw{^L-FpMs*$35Hq@HxTB;RO%bO28mpUT(D3rYq!@kzvjquGe zbY<**FYm7QuybmhX8gJAGj9Oso}>J^qGPsUz`2)wW0)bjNe+al-jU8m@&U)x0Dh zDlOAuAH>jVUM^_G^xs$Tbjkv`&VuC4i`|pHL}ksL6c6x9j-hd@?)nJF6bGnRQ(wl% z9>}WOGQ*PA@=%6$|NU}n4<+Y=oOJ(sS%%b)5QiloqA}j*xW7JjDv2o z@--@@#y12}VU6aiM6~fphqbM$xP@CeugE4VMEL^K8aVpWjKijC>EHLAyh6u=#SwxD zQk3P40}6(r$^cv~UzU8ALcf1}u!iYRrmR=t(RFy1tbL;mK6P3_eCoXjs5-?Mv3TM| z6YBLxsk*8yct!4Ly9(2y>qPltig<{Uc6q6dIztiy_@mMca~VzJ77b^p2hM2Ga00q2 zv;6AI_$lWjC`@8rHKW*l>h(h_?Za3#@*=~gBnd6~H6hX5Z?5#m4r6rVDd~3@qTw_AX^5}!1hTEC_FJiP zb<(ktqK$#kol`yMntkY&qn6usl02cdrH^h@Tvd_Zs0My9_)11w^#>R&OKDgoQbafEZ-tX>5%WFO3FJGJW(sNEK}a$e^LG?78jHV9Kku+*V|9qvIwb{m z9d%$hklI6VL!&!Br7{@G4=t(UkKtFie9N|g$tSdOF_>zplx$h77*b(fVHTF$hMRUdF@S*7p|Ikf)M1~D z{rA_>i((A5QJ%F~DR1GS;&K*ax@gOan5f2W=1ixcicHc47$~4Y=e)E_TsFCn2CGc5 zgSqPH(Y`1?v`90e2R*d0`$!49W}HcLa=v}n^o!4*`)#zdS83BGzuv8rN3%}q+uxGX zG#nuzuD{kHhp}|i1hNiubwKI=KcWG+G$8|sgQ|%VuU%C|R z06boh;K*lU<2w^b%>M%fB?kXGXM~%`41)PMt~)%=A#&&%hYOwd_U#n9uXOA=r*yh< zV(h=t?e+%O1PoLIo!D0WYT=}uAj{2023t3g1JHZdxLXY+9-rWUiuuoYB6Lh$tbG1w-T z-28A>POEb-_Juqn_K8tub7Q?1^vD2L%k~bMX+ZG+y^Q~>D0S-m`>}j@P3+SLrB&5% 
zZCAVd20lEF%z7Ee*dUzIbnU1o^D)JT4x__riMG@SOgk#h&n z>#JTKryVO|p5q~8CY^JoWB=^Rx`aH)2}#s4#0;3)VJE~1LF2o`iIDyhU3W% zznv@kO{LWAq({V`wS;V*S5L!y4LraP`_l-90M`#k!n~0wBk$^|>DB!Dtx#NjZeX{+ zlCM`}+-eL{Yu#@fcN!2PZZ{Qi^RqrYWU-iI$?rAr8)@9T zGVDLWIg4Gjail~=nzc&(g=wOpf-oxeUC^!M6~0hU`C+ZyvSEC3^c_-x=?T5V{O@zz z7LZhpOV1!D+lZFzi!>xFc_H@^`_c&8>+bs$L#*%>ZIk>H>w@Os zj-@?N?}^7)LE&~e65b&UBM8X?XmxQo!FT%V1g&ZBc@F-dh3qeCMt z`=54&@T*6@Q&PYFW8omtu-C%Gfig$UQMo9~0yBIb&k;Idb7wO}bd+6!WHOa#;361Fz8K;?qW-^N($hUE+MFl|r=i)5!ZdEY&|^>=FQR8mM!O>Zn- zd+WEQK6Y%uNv2{9^Ori{7pngaEP*)#AH~_gyPmmoAbvlQKTGOR=D}a1isX6`jT9r4 z5Go!|;XiBO>Clj8{YNwJ=gK?fiCi#Cf6J&V<4a^T%r9Ig%WQI3id;7SWQW{IP%>fS zf8-A#RXCe;E-o;aq1>B{|J$8|lwb;rJ!h1IgX1ciJFVhNnF4A)Wca{>dQfh9W}apB zGBU!{_v4mVR<>`S3I~o|gl7nbWdRkZJ+*EuWQCEaj;;-I$Q(Rw6JCzFaqFISWy(P3 zcUcXJdduaQitbG}b*3oQxjH_wk}v$@rw{~XFN*H`?3C)H!c6CP zI3(6=`@?g$kWwecz3@Z%+GjEJ-$!W@qy8jlTIkAKjWPc1p#2_y5R)SOTJ%s4mX1gZ z7MuWtfv>MN_=N<&sD!k6RF&`_GU%3lOmQ{bY-qkrlK zJ(MUg;8|4RSvMycmhYHUG;b$;)56|vsAjZS#;UO|GEOgVcjKGf(`-kx;;m+0*`p#G zpfqqF?Tab5gW!iL3`F$&w>-^!SFv+~k48=LkUMk|o}g z2mZD?RqK1#9i+#{SmloAimkFJ{t*sS!(-V>fJ6^z`kE^w($LeFjr}gU{AJBlmR&9ozz5gHmPGFV;SD0q!^P1Dv$7jYhgUjol z-KEQ|T4tI`?M`>1WIuV;4MNBpn?>W+)ut5x}qp}(k2C6S_IP1nK^Q|t!))S7Sh z%A_}{L(7#+E0gY14*&BaG62Bsc_MMxYUpE9naag|e*1ZKFUos5J#Mcmr-Nd1F@<=6 z18g&b@8O4tLLIa|{v9)XN9d*8s6sB65taO2TU`<Q~&FhC>;k^LmGO_e^VA-QL=tOND+p^r30c1#oCJ@EaeB zYqueC+0v+H86UygFLvZ_zx^=Q0@DMdEC)%D4XRbEk;FdxM4}dKA@g<7HCO zuUq{K+b4Xj)$wgoOEfdHPD1WJ(kDJ9)4%4PgIxu z$6T1q|J0Rle|bh#vYcOECB@%>X^0UVBJ_f?pC>1C)t0D{=46q!U@;75^`#Os*9v$J{1T1YvGePNPo=i$gQAr*U6#EQ+iVlNV;y;E2PRUYe_C& zT{9&ZeC5EJ=QUZ1XZU(`PLa+6F*d(`>Z5#R0mqPD@ksD!NhC$##vlFsgN{aZzR)4r zLw}h`tAL-6QKY0;JB~9N7CkW&qD>~m52HvU|J3^87)NA~Y zJhE&ut#&oyr`~WLR-3@jxVu{tcJ!#a*nM-`-wEr)FRHd26BuL(Wp{vTB2hX5BJO zRMQ~lCP!iev^_<>R1SRKsT5m<|2-wiM(pd~`YZaNu4LKQr(^hU^6#{twzgTS#Tojj zytFfRP}XuY>p?2CcXXT*R9jgT%Ms}%_M-mIzx4)X3>kd(RcmZf9K5s%TC6bYc^!b^ z`Xp!ZvR@Vv#MoB2&;`XKycys;31ad&u(W8&YXojEb;}mr4KIutd}fOfe{0F>GYd_r 
z!;+WA7I{N>c4>y%hdtBKVg%ruRW{&##gddJh{ZH0U}c+x6OGk;kTjD0wxqf0F@~k9 zZXk*VRRobfRF7r~J*ZI#NhYUDxivNU6rAavqjQ}8KV$9rTA1Yl421fHGYW7%x&GLx zTl?s(B@^5g+NeURc0XFV7GnN%LrTQ`J-#J*_>`I(!oR~&(PRxvLw^)}>?rO$k4A#O z{rHdqCr2u6bIFQq`v_^jDZJojGU>fLybw48&Q(Bt3yNM*yrqpBBq;`0oxzuknfI63 zyRA%m-P9#avhS)rm&-jQ1Onp;AI!Gg&=%eeOb?X1N?WKCX><G=8v?%I#YJ6tR zMi>Cgg_?S8V5vKjX+1OI*JsTUKc`2Dnj9_iTnbd9rz7LqVy0F5@a2dXR1%(swvSqm z&He752RARcT>9NFi-$V~2b(}3H!xr9Zi~Ya1moA~wiI-Kyt$pnSmuDNc;&A2GHs?u zB>w&nRf_m^{u%(9y&d!g`aIH{z`P56O3W{P`p4v6TDR^G8dj!#fqyC;-{QD;Ai8dz3)+mKKTM9AW$p&LC^6{g(KX0?~d&) zHICWzx=lCYjM@y}v&w#h&?NZq>X?|7gCNzRX)Gbu=;e9uh3mxV4;|;GW$b#fUCr;6 zZ9ssISuEcXQ5(J&SA{0@e1td2!4*WePb^vCMfsBb`*2-T`Ls0A0~ zcX~PP^BPXF^<;3_e$9`@=)L}U;#IwE;49hM%f+Q*>Pfge8wrfbzhLv-p7*w10eZH{ z?!2}+fBo#eLgBx)Jzgr5SKXQ?HUxExZSxxAZfX3M1Gs&^&jB}U?_iC;xHq|2n3#T#nVR6lY@O7Iw#kUqN#N`;F!x~Lz4UGBKKBRv zPXRWjHSuB?Ac>2}I~)lLKSL;mLlcTi9V%*|&7yh~F~3H9gF}(@G{XtbW~mKLtfjBI zf=iu?=z@FlL@xrM+(P;?$dLJ$nJSQ5s}z5lN`+mOXF_hc2Q;7(@oJ33YECxTZSWa5r;*G<`si}Q^XPflug^S z)T>3YTPn@0m*-SnT=4E>r-vS8Q!L%$io!Tyk>*+CGnO_Nn`{)yruc^?x{a;;xS5&~ zQ%*Z{RXqF3l#+z8r_&Wnc4833dQ@###Wf{VzE>Qk8Cy#H=+h_p_IAjLZFQHw6~E~s z##Z7zQevC!F+UN*M~Ys+L0U&O8<&R`UNBy=`{hM)_01JDh1^Y-Ls>iL^&5|clVUKoS(E!fD!Uua9gCFu{U!P|LlXZ2(x|%6dO)I3t zoyv(mCmDye-dbL`#s-Umeu15|l)?_GX&YX;Y1yg(qEL-Mi7g++RC?PH3 zk9oymE~9>mw@z_&478PaRZVp|v=O=ZQ`&HeefjH6x={_JXO^fJ@3wB=QfVF68lYAF zcTc4bR~)B+%NoHdX~Ag2c`qSoyP6&&(U6^hhCJR4sWqV~Tj+xSL#8=lA(%joG7^?p zS@aa;kTol=>BKGlA~QfAND%#($h+b!O-GCsuUZ0FXqqdw3)^qU(Y`?^tBO1zi@XLa z-rrZWHyJrmZ|(cdjoUqn_Y`($Wy}8H&7vvh_#EDHO>>)_Es7r1jZcDgUYZq|6<1AI zAfC>jp$uL9M@vLfo`ooBYURPb4CfLgy#tGidf5$+I#EP64ahl0;J+-VZkeT4j>E;b+xiQTFK7e{1=#a!L_AG zig_=|#yan_ct6{qMfl<}oCW*CDW7{Azhw7UUz;km^Bt#y3s31^0_%}Kbd1b+nLI3| zw)kCW2g<`|sBbtE5xPS^nk&k)qB#oTliz3*U|nme`Bg}%ONAqFj0luaWS9(Qt1xh}AUR-$b?=-&?pr3d? 
zGdiunf%(CG05oU`m)}(NOzYsw`DM#kBNiv*K)<((MaImX9G<(j4|=Jr#|tIRZeWMu z6V=0Qdu4JA|K)4%LCedabM!v3!NK60XTZznpO2x_wo4qSWHp?50T@Is1y}j}CAMSj z6neWUxCT8uTEwOS_R%wmI$pEkoSZL}P~Ns0j{iticUQctB50r5?1Q{}-$5l-{FCEA zKpT_)B&prT^U+8a=Fa00W9hcX0<4@pXfNgJO;d4wCuO_mqzOA#_xzSf!qeh2O#Eg% z;C^@k?i_dx2kNQ6WLe>F9|0awsfhI;_fuaL$V9t{j`w_V8}dPUyqTFrT0cK6HqGI{Uf^JUdJ`b~zEGHh_0 zrM_}pU%zNR>pOEbjCLl=t$3ec)zoj7pjO=+JHc&6W^O|>G~dc{f&OK`yrbAL;D5YS z9mjS9nRW~u58-n9b61p#z)$~lJG*`kN&0SMY&NdyB_eZrpM1h%!P~Op5l_d5RSzL2 zXJ(Bo!%iFT;AW!^n>l)5h1xFMTeaVICcwVxZIJw`K+(Mq@mddDc3u0%u={*TIC0^A z7V*zzg2lD_wv)rgtF!1Xr^!r0a)<^ zzO27j;%=Ryj?{GAv7M7-yxr8iZNF`3EIt4g4?W1#{WAfR4{2J^}C0mnD4v z;XO~%CzA9f%bsIQ7M))pr}@%saA8TWH)v3a!s%#T06n>D{`aerjmZ0m@t?L_T7vnc zN@@PdhQ6{1W+Y`ca?Qi3j?>fC(ex-1qx=n93E7~D`qg&BVf&b;+6b~iO4?^e~M!X zLXHpUfoVIWDSVdbly%Dz)F}N@U{9n<Wwl^_#?*<~YMddFwFGmvfJM$%)+u#$4M$$$EW@DqBb0;Z;AJ z;YKJ@qSUW-$Yly-;KO(7Ey_1eb27t7+ZCG@7)o-lI8A{D)_XEu{0@#lb?q#jwBve1 z-Us`hKph1(A z6e~gsra}r#es^PMh?TVYuI!3kJ**-Ssn~{5sJm2c?tatu>XeURG(MIlG2r{I*gvLiFq_fo7(tMC0; zm*6Lbr(BqHN6-eK2!}46#E_MNGv>P2&rQc{Tn(7UDV;zGH5;tX|fGud-fV?yrT4K zn?BSo#tUEc9a6;4OxSMaraKA}G=J1D2cul#Etfb6mfB3#A?HW-o2VZ)&1Wfh=1OR1 zw)F_A_{)2-zu;vtNozF z;#_DaV-pgptWN4_jGDR>9`JT;U&5O#9aK3ol*uo~s4TwmST09cR$KqyI01ir-d!V_ zkI=L&@EhG;B1jFAas4Oh4apZN6X@WZnSG(>ffFH$a1mw^G@~Yv)ePGV?@W|h5)DFIe<&;nwJEE?6(`8ORLMOWHEza9o zpZigX@te8C%UZyIwl1&r^WQ^Vfj^%n9)Zs+zr3Fs!9C;KHAsY7TN>IOvp{ud8lIW%*sVjnA;0F^ z?J&~BNxv^eB>7}YQT@hlmAJ3Hrsql-P{9SjY~L0Jp~h9i^X!dP^M+Lvq1E?0-$a3@ z;jG9@y-3fCx9-rLcG2Mup&szziqfPXGq4_&WOMh|-BL6ms8sDDt=h=9Fzh* zr>nJE=gH+eJ=(0z z72FkTZ@Pcn5uD>+%6+RQzb4sC!7eE+R1);%e||>?Za%m6Dlgmq#F0wXx#&oIIm(9X z0d0{WbMc);3-RA{f&_rkMq8k9D1xcnjFE?HaDKam>cUa?$7|0(b~=C!^eNEjwFCzW z9lqy&LfrrQ<{~&)!tJ!Z=4zXIi(B%kjbRD_z+9&b)8H4$S5&g{J@tpb;YEyfVCzpH zq8cV>x|fOH1K=>!4I)leC2oe}dWsZX+7Ef|ffQCC>J3o)~(7r2GO7kE}qb~Yio zW25+Q*LXg{tTo{`Z#8XRoY{QVuRVwamGolz=!c}`bu2!Yn>m_16|?!L3F1{7bp?Ia zMrHm76BcwTTaE=S`gFY6LRhDPC0)Kl6pjJAC62GQ4gMTjZ1X08*_`7ABUpCL+j$6L 
z-dan@1?eVTvb}MOltgBM+GLq2_6HYXSXh6fw51~=P-Y0-pkXh+iKYznJO9vwLHUVA z$+S?kFj(6c`H|Fq(mq|!hw5`YZK>z$586*VZp9bz$Mv*CS8~+xKuLPyFzqaHtYyHG(n*= zEjzz@?J8LEexfrpx_!seq&=SylrP`TwAzTn%sgz@-4nkmA`lg(S(N1MH~VhFGsY~s zULf+c@l8IH5>TKO#JMxb%E>Y_YWy;vl{=r$`@LN67fxX9!6T)HR=^pd@(mALRV}<; zs74ei!q|HX9-;nhpk$EaZvBg{1WsQabtR$ECF>Ie- z++@eNd`ln_xE5?qy~F>1iJZsaFz>=-4qZ1bmOxcuzTout5mtsSbMhfbrUPm2Y&t6! zvM66;I%kH?EJ|cMW+L`@B%-9EDkCf9c5Pq?CNAEK>dt;Tt!-+bjNWa8L7`DB9NG3Y z)(Iz<4B@vO=Vq6FnFDlH=|TB?W)p*a-Lh1eUJ^)FI{6?)>Z*wHEcVd@il|XHS)v*( zL?}#{do^jOPEZntu4U!~P>%Lnl6#NX0fmX`7!c!^l78(fG4f@K0i{L$a#JzOVhDk$ zxaZB^Vc{fW;W|Ba{v{8xKrSdX8f^2%c=eynZj8tj!Ma>Cl+iSa=N^bGn&oAZoQQnk zE2wln{u%YRDhVNpk{XKh8uoi~S?a@^%CZCUxO4@=e^&-vCCd9`pUl9tVLES(XMnue zkK;nCeYFqjRKEt$G2jdi?!EFJ+So;ZGC_Xv?uIrJyZB4m_bpZq_Po45w;_1u3OkVs z%nKLv$jt~*ZgJsRy0G z$vA}tnKys=Vu{Q;*d&F(sz;*v6E<_1rTI+t2YPIU_u5&EogtuwWV7mil6U5R#yb-V zmRNZ3JYe*{+2m89{T0B=%_p>FJ9ml@|Ndn_C=`tL8G(KC`P-$D#ek05V}AIQP^GEW zTFq?RPPgOk19R?D6FGfcfYtuqr94s&&3E&u`Yy3u?~aM|O6_-{%lH@c<#JEJC_P-R zvK7N^2Oxb7uft0vY<8kg=C_vYr%6O6rrP!mr=OF}^G2;3FPt~^xn9&xuXn8^m4Yn^ zH@4N) zWfJ0#=JQS@0o@jd{mb^_k=+8~-o~0zmTyDQr?G&hD0(~0H~{u9C2KwJm=w6_R+kH_ zE(-Qz_c(n2nu2otEUxlv4eK7s>EA7KJ3(R~G5#a|UJ%{+DdC03O1y7Q*QM|Emdm5y zh*8(xWg;#o&sFu}#C@yp!vz#4zxxhbZjbAJHCKe8&cVr<5uho{Z`OVAxCgn%9YtU> z@Qtl!!$PlHbH{B#Ex`4~0S;8X)^QxBhN^4c`mB{H(AgRmSh)jQd5gN}jJ#L6etoT( z$oi;c!`WD0?<q0f9w<~@qwid zd%Qv9!x$Ul60suUntIA$7Tms1P761)xqeYT#kir;UaG->R{w$s=)8{2j!Hk&j_ zqsF#v+qP}noFsGdJLivc^WN;6nR%W)@7`;z?`KJ5NF%H7StU<{GtA4;Ci+Am<8bcM zr6@2P#o>}zr|r}!p_r!ol;<{9h?FlCm(5Qo+Rj3$B7RsAA5A>LoM5q1G{P+@4RhXT z);6Yuqtb21D*u_gfYL1rVT)Krin4Isp4~SpQ?W^J?DhCor&Ma)7NC=KiOL*XFV-D- z!VxEoJ%?pHBFTy)5Z{9d-nuGhlz}X}kuvm3f~Y^jZtbijRSZqG{y`#+v<%$8u-ak$4+ zT9fv2=V1xTZ4ezwFkF+SbhMcSC+uk1D1JY)34y6b?iJDG#Zc znYcx)BgTJCk;?I>*AhXVO2F@L-Gy=lWpd`vXx+V^^+Nv-#5o0`!Nx#{+-qBU2uSUK zLqxY${qb(BP_{6!oAdiIBNiXGpLy+xJ9o)Gs*Qyl-c_ppdkMuq-mFDgV(L=)DDCw=H+prBD@iLl^MRdI=rlzQyRa{vi(yIT^u-)(&Y57;_sJ0 
zHEFR@gHb5{!X>LWeA<=-jngpU?1OslIyHupkr{K_VzwTqFnWcEOyfco=J}w4_*Pji=;+gWD-N^t8yHO_jIver?iScQQ8Cf8ja_c7^z_VF z!gU4yLSGFgfhv`w3)0ODl3-`SV^+;W>cl(;{}!Qfpp;~@;OrJ-**ME3FVcF+$*pAB zutvO?76VhZ!(-47ZL&z|$}{Iczpnaby3N8yEUNsN8f;JgAS~=MW4j_ETJ=>EhQ)7rKrtszQHx}l5EAl)Hizd)|#p8tb z^nZ^b!SCU@2VXC#1OJIBqkYAc^OHQUmcE2ysmLCwaN^zRUBUlcM*p7ACP%V@^^pCg z8J=!UP~3l=s%?3)gSO>4wxH;2?`uoft2uS|bLkOy>IH5-y^kLbzOqh7Y;PO;Tn|wZ z*k$f@B?Y;8x=;Hi30`U>>%N~grx2a%WE*F1cc8tWb0k-GeS$x4zxMfIVFL8VxR`=U zk@adW^{caLRgQZIlAH~;uGdHN_SZE!9@jq|YCuVN;)^PR9oKiWJi`O?@Qm7R0$gU% z^~o#2vqVVqkZuKbl6&oLdvwLp$eli6ea)FOeDd-E3HoXYD^HY2-0bGHHL3%TWU zHR_DCZZ~US>u>BCL9pxrqO^NO)_+^2!_uw2lV2umqV*WdbC&l$zPQiPF=(m1Ip3mK z?-@4mdLvq`MAEs)5%+(Ly!kxibel1lX#Tx(@Ff|;=%@1MjEz!Kg0&uX^?S&wrQqtny3_PZ|I6n>`Z;lgOkGV*i3j|mc5>fU=~zs@H~ zwB7nxY{mJb{OhE49R!vGoZgRubvQP>x1u@y9arJ?Kc4onvK_ZM#DRYd^y_9>u8C^* z;sy1tYwZO~v$a}`TFsulXAn>#VPXsLB{u~cYC$EYdg(?I-3Id zNIz^{7m%;L_E*IOh#$oG=VN>3|CzP7MAZX{HTJq63Z$MBl93S7`k1d@!DOprkPq1h zbfTv7kpNq4s;rjc7YMB2GgP%LzF_hYVwJWQQLO}wo#oGa0v#uXoDHhE+nNg=;niKn z<~4cLMT=BlsVewa|2tnLd?RYCBR&1Op>87-mMIf*jk%zXP%Fpm>5>_QDX@iF+A!Jv z-qcx+Rednsa~PhWIcLFn&}EYTsopbCdcG}U6tR5`l9E5dtu0I33DI`r=MV*@y*iBQ ztP0PW_!mXWaldKd>=-5+PlQ-D28voDM96tFE6vy{Ks>jMbS3=gxlg)O*B&~@M2!CD zFBX)!vrxmrbPWs4%2UVYgwrwOylHxXqe$qyW?+gQvSoX)i<14Zj33Pd3u|&3ZkUny z-#0@!aldNH1B)a%rC7G14(>ijVeDipHUnCv5S8ggD0V~ZqXb4R(7ZeX>84boiQiE@ znm!dnFsX87fnDzv7pWYT@$N-|GIT`2I_E2{h5EWydrZ=%QhBj+Pfk=nV8d#!#`uBt z+aEXlyg4e_g3y|(>KK;%<9$=K@n0xNi_*iVHkt!=BOuGJC0@JkjliRQZf|GD+Hbqvkv<7ra!6v1b1PXopUr&C5P(A z4@(>u<&&>RMYgULSLh+s%%#FkVpHno9Oa=2#4|GFlP(l?)g5_G{1%`gDbmFUn^CmY zh^DvLFFy>o0SHg83pQ8zn*t|-`d8uUE^SFlR-_Buz3$`Ig^OMl1rq{|N;yrqnZPkf z8`Ft|lNKj+EV&Hy+VE*#soTc>AECGwB-j1>e;C(as}-q}i=}9YsR|r5_r#FRk&gKQ zD!!_S1Fj-MvOmn4lg>;f4qJ}-0F77XOrF6Sm4&Z#ZHVolGG`A#60*pb%Rn2Y%lOk}@J^Kuqs)`+*YZHadTI+nj3wf4+^xJwi4AHC z1nLZR@9(BFbK380%a!b70y-IYzKwI%2OoJV?lZL*$i!?t>8^?4hsw!SVCY3jg*C_0 z6l2v?{ZL9qDUPLS>7-@F>Sx*j6sI_AtPsy4#lxJK@~>?9CdbgfGoG$s2=!#~UASnq 
zvZftLeIr9PE>@JuKTjD6s#WOpcA6$d2Pq}7$``Uy7smRf0n{G6vcsxaFlOzhs>6Wz z$xkX^_eVVF-QumA=9HAZhsVrs!h$BGTs*Gyxj`ECq(HnoJsQ%Swxu<}?mK&w45~GW zC}N>kDQnfc=-hFs63XMJCh>$0#%r5fkw78%+x) zd~bmza}^mnSq+ikJeDR?vYiqWvBM3fGm)-Ar4OsUZ)osl;a-%ytVj`qevKDOYyvFz zSDJVu82!DTb!5lXuDFZP%zRGoadO_mt!acknSSjdN57>fVQTZJk40BUjOU9c`mC_? zCfU>%%%OT4&{G;>su8)ggjvG^AEX3LkfE&mDd~So$OPo&NBtCdpp~AcSeYBC+Ofuh z@?AYF7>!YmErIY{RqYmwjF(VyGE0Fs>&=z@0k>%J|4G7M;_xRHWO(j^$f@AXf1mup zlh+4%8+3yVu@UCk{t5jjef$O6gx2~>K#^G*A9)tV{Kt-c*)U-g@P0jz2L*aF^5eg3 zk?nc$!X_{K`K&Lc1A6Rr*6Q5(n;Bf+=5{>Vwv*EFU8j&0){*(h++R;`t$N{P0bd?% zv%u#W#0jl4W7lIRJCTRWIT8O`=!bJ91LKdROz+di2tN0R+w-OA?)TqBciVbz-6y?pJxC1f0*4`CHu2X`Raku8U@jzN8-2ULyXpoLOCCz#oeI zx0j`DC!xy~_x>yG$SupGbw)dNB;P`P!N9>+zt_+Iv6^eZv76(_mxYYun6ykU`o)7* zG?G98GXkCvB!{sILmD`u`lMfnZWh4;i9~IH?9<@~*WuKIyz83{eCD0@oMQEQYjCe> zU;gl~I$xUd-uV|#*x_dc`csX2SDODl`notOIzYGt@O%n3TjpvwY{^kXS)RaXn{ z9(-ge8*KG+U*rx88y1^60ka(Y3@^Js->Wr#wx5N(3CFSdj|029jjp`6xA)GLvofD4 z-wIsj=Baun7?=0EIyV)TR=;@`c->y6BfGzE%<_KPMu=*tTyOVw)WhQYtOd0*Vn+sF zSG)|MO7cCPfOivI>W|vq5cns{HtPeWpX@CdFC=ZQ8g?mhU;2KGC}$ovH)2)zES4(R zJ)t~55R_vze>*+&v(33pO*~|5yWIWmZSXfzp6|2oR@f%PXSZC^B}xChWN-l@hEUf(RH{Bs7ONGV+9?$TaDpR)IWSs*gMr}yFxuIZtOG{R}8 zD~d-VZ|V2pAAxf%Y0GnVu4%)0EZ_dTuE9iCqAch*(WKLHOEK=Y%RtkoFjdfj zLyYF&)k-l|CAD;C%~NFh2mPp=<`_7orOnPDS!EowO~ubwxaCsSOY3};{eGwsV%0(U zN2sa4$=J=xDIWjQs3h97^3r7F4%?V#`V>7%lo0IC#WiVG-Ryp@I^iHR=TIt41&_H~<1VZU!mj{U3nM|8P*FVSPLcYENp3}C*6G}*xthSvSBNpYO3zg zVKiO*&Ch|rU?XD|XS6C29bu-Ll%G<j`Cb<&A9~=R?KFRuqb6?M3kj+8-M%oz zQR8M`X(;)PM{sKW7TtPJx)P6=M)+IMoiLyvgxx@u`v-{(H(6nc3qMhbmE4s@ zNGqWFFeT132!)+gj`L@piRd30t)KM&Lelo1Wq$U+%x7d&9qcPvjJVWyp^&S}u^uYP zK*XD)F8X4mCiqsXo(~<29E--|3Fjf6@&o3MN>D5l8&M`OB!7iqt~VAbypW~z3(9{? 
z1E2ii>q`2jUZ>l?>b0NVEy9x0L3i1EaTy@8hBS!0rDdB4_wx7O0;twx@B?Le-%bvfx# z^3HUNl^Ru-b`ho8uCzX7(ko0kRkc&U;ldYoU>i2kiAQ^v%wp5wKWP?fwo zQkq0jS*c}M%M4so!tJYQQnU+@a>cx2<%TYQvWClM*o9+IQh^*PR`H0k9zj`rcYpE+ z4!>nnoPo^Irl%jY)f)9t7d1hL1&23fQxmA+#)i_c{) z&?U-CxO!6yr}(S{qI@@fQG%wEOl-hb00wi}p%?GbTOR3BGA5>bLKG$fup0t$#ta8w zY^*nb$GAgPF?sLq%Xn^=GU4{6$xBwRIAOXtMiAB-CNYbWx!ITuSE$rb6$=w%Jf6^6 z{9)oKX{Vh{h)*&Ouv^?CEx=0_E>uO0gT!_Ho^D-VU+i%a9KIGpN28gG=K{8%S&o=5 zGkE2qqV{k0)GK;-4s&CaH7FJ=)uhgr8Z!-Hv`x=y@nf$Rrh6+{aSG08d zHFawilU>*%$NrJ%527@~B?VIG203=XALozlqYR5F&;J_7{t# zk8AFyKr)RK1A&be!)3(f_T8L)nOV_kIl^cEp$*3!<;BHMhu0sBEzwBGD;II)L|Xrx z)LSgJn*rO#@u&OVPm6kkD(<+Gq7wx;BwcLR z%;Ip$!ui#J&^^6-dQQ0a`LOQm*D~ZPX=AXmyBBm|__qGGTYW>NH)4C7^%Uy)!fIon z#(Rmh)5Rc|+#ce6@j9Iie7|gew{ijcR{E-IHvk#dp1*Pz9^UP)>wd_eB-*eY#`_Fa z9mnUz8y`m))d0^^eYxG}%(tvBI>dYNZRdKoQA)Z%o(>%h=GvyX}r zy)^q6oLsW%^jSc3|9qIOHuLuq0`aCZyo^iB7EWp2LN7Khr9Ce;;|w#?>KH5hU5L>8DUO$O$a{i5Lht!x788g zGiv;;hK8D82Lg2I8>YPdzn!O7&X^v`vLt&_rDO=*5SXk`5ZkbNk-^ zU^)wQQh%^CM4lvJ9^D`JreGoc9=gO_pCCQxpw};AWEdb6e*uR*RjfzGvBRX7jQ0>8L6`JPNt(OOW6oAPV) zBB-S~4n-`az)7#-Nee`oNja<9T{=IZ6?So1+%4)tCKy%srl!D$<9tC}tnOIlr0!_Ru z=Yu-bu1w0thjnA7a3QNgFj9)wFP}7Nj>{n6a zJuD!~MN?>5d{~9!7&6ck{D((3<%p5LGKrW|%+Ka_y~eQoPpLX4gp!z2E0Pg!G+0!J zrCyz!%o1T0^-N;<kEntfU@Q ziV}X4`dhyRuj>9Ptiy~d1lm^V3%wPh#F5RrQ_6?ILOPw@Qy0s#_Y6jGovpZ4*|db1 zJ^m@x%y{UF-WR-B|IGgs{TuAH*T8)&m~95qiaR{I{;VhevU!UZze<6)W2nI?y4K0R z(Hutn;T9nvbUm$MK}GY)AZ%FtCVqa|gwmLgt9EWgSekm)vK~?1L4IbIP|N}*mJUnt z1mVPXQftmDA4SQxSb2y)R_Yo`k0qy_8JLtT6Ggd1xgNt@uueeFZZ+pxmt##E5D{E5 z6le%00?-&e!o`s<{K2A!QVyO%(bF_JLY8iSe_5IeD3K8idJtMFWl4ogZ-nBBp`Q60 zE|zNrZ%n!Q)F>3(=O*X;lM;@=OPj)J1A7*Vdl5V7lxg-naWz3j+X)b!xQFn)1PTG| zWyS%66DR#w%gh7H8nJO4dxaQQoHlb*QFz`u49ka1^Q>LIRtr;bpv!g@R3$pBDRpMm zeeF-1gZ57{+0~n%cWCcrfAe~$jcFm!h2X=V;Xg^O9$OlRwWs5X^~vz&vUbWRVVjtO zI!?Y6wnHrzq%;2YIHOj42lx9(n!ko+0^6aqgw7~)B`q~M!d3`-l(NDZbkkkHtjL3* zl5>9KtAhRL+@!nTV*0K#hkjU|Z@kx(j`$U6uUT~_(d_zHU|A@Kp(3u{D~f~nEz(#R zL9+_0JWYReA04yc!>+;Z)7$e 
zQot^MjhF&eN-m-}KlzUOGCc+Q8a>^Qe~D>oaMrGYMc2W)qXrB%c zn=9*{l;0SmKkuXMc`_B%1wX`g=O%On*B&2|8_(SBL5Gc4{A)a)L)`@i-5lEcDR^N| zIQJf&;~I>sXTWIj**Ob>=b1H|kEI&yIcfz)Mfot-ezx>c!U!PpqqJAE! zRBE}x*Yahjt5MRuny;y^jLQCLjSPN9Cq0xNDEFSoNLW8%pT%F?a>r~T=(pKnms7qJ zpVWC3&1iS0w_m#L=QzuL3|?4$Q9BW|Es9m?U!V3`$ldi6qQlv7Q{+95H+3!Ob*cA- z#Zo{1X8xh3&*QlT8*SIryT5+rG_vOIe=MXjSnc(gBiif#ESr@H+N$~_h)siwDm)~RT#@y9FL^XivF+Wn@V zn>V)nTu)65yf0TTep3}S>G`LYH+Q;K0+YMQ+DEnTo7Ono&yp{<+X|ue4Z2^7uP%!- zg8>amE}Fc$4u{9rTJA4$hfVND2K=Ciw?GDfcG+U*@N1v^cAK$k_hIb0#_Ok7_xoVt zxr>|QwE$D+B!x!B&06{vMgBOn`*ov?-5?OD^L{1jN^rlAablYBEbA$P@$)6&l`+ey z9(F6D(4iFHK=(X1Ty%1h4~CBn0NlX4~z6qJQ#|=n?r~IDa7H?{2B?*N9F;AeyCEm)-C-$ z6w}lNv1C%XNBrPbG3L3Zbo*iiAhWeYYep^Bl{9#8GUl43GW4Tu7`!uIToaAUN3?zp z0EFh{L?W&?%G)H|>2Qf@=E#9aFtGFlHIHX(n)Gz$)#p;-Orvx5{{Jjat4#CaDv7x* zpPt!<=g#)YQM4gTxpQk-nD^N!rv^^|@ zg53)|KIR4b`%9-5VEGG}9B+RHACdr=J?gCz2dp`0lYmSMxZtTB$)yGGX-jdb`u;I? zOqbSkW|DyRm`NmW!jwCbPKMH{i;AS4TJ-7%uW2p>%FHrHM{Qm!=VMXI0d z?RttO>X}YuBMDKleDnyZ`tq}|OgQV8sO(5171!wAgFZsS63r^MV25AjUE)wplSzC) zrIxHxgfhS)3Li?t0iM3Vuq!lsF4BE&u+r)s$_&6B9TCTmuh(p|f`gwL0|$eE!TYI3V5$vl1v*%|ixtypJ}Fo&uP#PRSs=H!fbaK& z?rNW$wABH9akz;m&NZTk12f4Z6j$;b3_K)D+JInJu{ z?BFrk;ZUBM@EBy`+0tgxAV=xiiq#Euvb5`O!0gCUv0tOoh?{pj+}ue3pgfrt%PMGR zmS;~Wl_PHkiRBJQ!d@bZ7K2Q`Q_hqDjux{>DE%7y6;ioeS%zWHJnX9ZBySiO*5XHf zf#_8`Mcz7+jg-3Tm^CgQ#;SHNy+RKxR%0a`?2Bi0Zk~xidhs0P2F-}DIuQFQ-gn(^ z!yl$vLTyCu=;HYDLnL)E9=U<&N#%1jkJO(LYtvdr^VwYckMw&+q)5%ptMeQK0isjs`ZxoB6YF$d4G>cC@% z={zqSE$0;fbfJwv*uLDTSyx;V#c0{G$;633z~HpEvxN>>gf`krRNV-y1IMhr)lm|Q zvIPK>sT(is)tDC{8d;)BS_2y!BC5myb?~z5pxe-YhOV+B&&#&%DlrZ2#uNV_DLrPE z<~6lg=u|1IK+Rp--v3+o+@p-zNjyJSeF2WHa3bWdJOS?Arjh`?QmG5>&S61Dw zyAdWPB@YnXC@FYrOZMQBg|xP8lClAzqqvGH+m)O$akspMRY$wiKLgmZUP7aoPbqS= zw`C850S@|gQza`tU!m&Koi8#9HbhqdBbr50g!4_T(7G@ip6rK^Nxjm++nLb79Ax@9 zP*(~&U#kMwSf=Y*J@BWDVw>@KsxrO;rI9YSx)XSXJR(G|)o+NvIvNaNE)5pX0*=5} z0Likmc`V~$VjFj|xwA-d9Qwi;7gfRhJYXcMeU>-~)kVkY7G3NcEZ@mJVCNqkWD`bH1Fhf7v?1iiC3IpOI%zr+_=Brhi`My^Fh$Bgp$!f`(=J9tj9^ zzmi2fZl4JSyBIf2 
zw;Flvg!Ep_`J4bj2J-fu=dX17{>H}($>nq)kM;EFO^3jc<21y@m`;^ zJM8WJ6x!vRZUk9lM77`k0OB+6$hy1FaMbxy zorT;Lq+mDu=efl0zysOyrei^d^<3kW=SzWIvLNW+F|@dm%Jt(h5kK9> zii(ZEV@BH%mVUc;`oyp3&xf+i-zrsYpTGAF-i{E@`Cm?)q2b$2@`E!ce78N%DqKCU zN-;ifpxeJF>D`5G+0*zZ{NIQk`^+P%)^8(qs^4(csQ{q2sqv4~32(Qy*p%+K@_BaL zamJ7G>gt;Fua3$KzuiSUw99Ir%es^C&?&NK54eqo!}MhTySus5KIG|N3_klY-Rwzo zpAVIdL@PM6)vNo>Yk8c6U1J8Hfd+PWLlT$k%{;DKiOBe;6)ruV7juH$hKZMiz8HYC(QS}L(6py5A`d#<#EFM`4 z1OYzxCDH=vmq0sp%e`imtz6Isb#Fweg~LtrsONhZeS*(YR6xgp`x!QIkzp*o2z9k+fOP}}$Hgd|&GwEpi zcA?0apotR<9TXUr7^7alY=)~+f!&B$)zA4x(4g<`^kKWezz(Z@XEANT2;IVHGU*!bvV&=Kc7#6H=J65iU-_*Nbsc4PCb5q{ipgowcF1Am+_k9kT%UtFQu{tE z!T}kLkQZ6n`EiLhGy2-2TktfAUf#cx_$02We-PgQR`@1`6y0($t2O61>>cU~hATqr z-xMXsIOu~)^|#q%LckvfQ_SMB?8NpF#!BlQ$a2j5nAGcNq=^DMRkmuz1q{6&z2|hFCcCYZ`EAtWw7es!FFD zTdhgsq#rxHY2hr?ZC6y0)eU0=*P_8QvE^XWf<00A6c$nW2{Pqj*@;J-FE-9S^@h{okTz;lyZf=^=NF z+3}v!ekL5lv2jPulpWkT5Ear=2$f>ma91k-Nukv#QQeunm;J zNPt!oCsc#_st%)=KWW(H3dFM#geXxDL+9=$kNzzGv>4$oo;2Q~8QM}dJDn+|k9Ufs9=(OSuH!4OP4QM8-h*s)^7wyfJ zAwn;kLJ4fcsSg3)4KLcXOr)n#P+7w4Ea%3(q^K8+yO(XP_2b6!Q%TItQyj+RW6M@G zAPX_oRb2VXIlPL#J&dK6a{p{RLy}C?#;KGI@mqHJD>h*RxlA#OvcGtjqlQFT^3_5r zTE^K%jAf-Si#0$3KGLaLwlN)SBF^FpX`!Pga4tU5002g^6a*2gzvqyu1XZnQ42sm6 z7Rl<{l^v^?{v33F3!rNg8U9tKuEavQpHcFR*ax5{n<2t!B;{icziAkQF>bqRIi*gj z87fKAfUX~>j?;6*o(!}mF(^SuXToZa)jUs9R9fI+AmMfAn!(4O{5|_$<6|0|I;1yS z29(MR0{+0ce$3uWvo{8Lf=FP{C}8j@1O{FOvEOMPvLE)i<@>mvlz`m~D>;r6yI3Dq zQNlNsR0`xoTjj7DgXVx{IB4LamUj* z79p4ZTS^r2>g|T>^T(T+zm9XI1v2+pX)!XdK>O3@@^!uUwAOv`cDq?=@V-HYa_Q$= z7ZHBj`f}tYk=JD`tN%mu-%sgYcA=g#>z;1_*5$lY zKCM14W_a%;9gtsN%V6WVNyG2f!?&Zad(?l%bC-7h(wzsvmH+0rIP?b-oSb(vMVEy3Zp@9(Zp@G^nS9(ZpS zc`H4w$Gkj|_xd{R-!~4Zb_CpYy*^N1HST~PmYwU_-upJgmXr4O-fC9|!xB3x$&Tee z$q3!1P)C!m#FF%Anj>7M>J4@b!utGAsWZExH^ z4oByQzm`{ZKmIb!%v2D#O|&8K>qH#<;0*MCnJjt$Qb&U#~oF@f{Y~VQxOfPq3_umMdfhyx zD8A=^{2f2Ke}F*!AKN$2Z^+CVpx3a-=siISiN2oc3=nZ0jTA ze=O))Fe3B!;xz1nVfR-N@ZujM7P;AIyvOPM0NS~5w&#Pm;90A*h{5Hm-qP`a4R zH(@_VEzE_ben~puL>7&IdqB)9 
zR8OGEalyi~J88W2aIUKUXE4?h7e~?63uoA3AMSv1E8xBo``d=L@Vm!n{OE~WDKb*c z8aW=6r$X#q=T-_Hf`|Oy(HiDU^b}?DJ+^+NWk(ikuzRU-X;)`G#2+2tF@$&?WmLC- zHs(bgQ3F}r!|)`Wo5^pydm9`o&h@^Ga5us_b`nbqtd{?jdYPvVZqcBEd!$ZVB*-YC zor=q}$$E_>bQ5}AD=0NA?#*c%JZF9{()?{mpwY<0t~bS5=v8X6OmgK70Apc~vp$14 zboHgar!j!`hG1c)pE6_cJi&f2m4QS}RdiU4<4)T_tA>{k0dQ21`%)EwQx@`CrxqXD z7SU*U*L%*@DO;N^LWa|>9m>a(hn%YZGK7!qQMMW`71AakO&1=YM0u2e7lPqlt{C~z zvW#{|Gkp3BVWs}@%M^IuL*acLMxl#p8HH|KdEahicxeI&W%Gly^8T+mAoj66=VKw) zcgma!p1`JpU87sBbFC)IkY1+#rv=HR(5V-YDB)VFN`_uv_=~2fuiTM}9*c&?ZBc)m z@Cc)98FB*ci}kk6szb3d9bIQv6MNu`+@E#_cAm_Yk!1*O1?$-_Wks24Pq+FL?x|x< zQ|gu;3Dn*Eon_`P4KyRH1hR*ftHj=5#s6=$aJB^-UxHB8>lu zj<@pcF;Og8gOQuProyt+o`{UiqH1t%N+)UHkx%R&1}34G5xAG3c72uHuUH|2se@zm2i)N*}UYKe`o6JC^yg%-HXn+#euQ>Ea)Q{u87(^{n>wmltM@#^3qxu8j!;}d13_`g+sxOwhni6bEp zwODQs+ixTCJ8!Z+uY2{99xPcjeU2gn@Gsrw`mX)1BJvTlxo@eSGg|?t-wzq9b+P?P zd=KGtvfZZjlQ-+hzW&CWj`j7P!?$79xBV{woCDopoD@*-M7$>h#WuVK2vx0<(=&%s zgEWM%kL5Ls*Q<9qmL9Ll<2XEZpsnqfcZDj?i>YbBE#PI{J!9+h>g(x!bY@wzp7($O z=+|exz2Cit1~=8qs&kjyvq1%XwYHnp)7_Lvs~Zj)*WlJ z^`oO4lc4)aMNr4Pm9G2dLU#Jvdu2|L(cZbo{GOA)&gV+q9W-cQ0@?`+o&O@aRQj%Z zKC;(M>*o?Qj(bGkKLZE3Wh+-sm+ZHcUT*c|oE&O&U6x;m!*#O3(G`4xT3mV!y79B? 
zYuFggQ>@Jg|#|dCP>^mKwIf@VS>aRgZ@~1jjc1{SQ6y;#IZ<25ZA8(Bcn+|h4 z-S6k>%~$s`YO){Z#qU4d!#A&W9cM5uDEpW%g8e_wg0k1W2VJ{mKxc}daoeWy2G=>b zzAKzd-A`?u-Szvf&_67${SUHivOW9Wzk7E&EXd&boP)m~wto&jg5=*p$UtO?iA>Nv z5iZf7KQ1M9qCg2~y?Dugrg?r+EPG5F=kw-szcU-8D&YM&FBe`BFnY1>yOXrw|A*o> z+vhiYU&3N|;yrCObYnQ-q4hA@(B zLKOXEr!gb2S>`NE9z8>AWJOKdV=o>V$U_=d!g19o)mGfNvLfZ!vO1}+^brM7_TfQ) z!Enp@34O$bWdALhcMVCSOl7b|x_bvz`%_aB^CeOB1wm^QOi8l#?4d^eX0h z(ZL0aS4XePYq0%!`o?E^gG|nsa634u72^vqUp)AR^S)6F+mHDis z&@Yls5WJ62;(zJ=qE&2G&p{|>T={1B-K?F>(ngmt+el7fYS}Z<{SDBFmGoUOv@ixX z<;v?4POH*=A%`j5ZU4?tdm!{tOwNRq2`Ej{R25;`wv0};L7pKmMKbxdcr%(;{O>?0 z#^sc{6BCaCUk>xmSIXo6zVL!>lL|hE55yL6M$AgVV(Ji6bChaAOzlL-Su%ncq=Fq8 zBMPbXyEm(3TKyIYIY?Vs?Ruw}NVz&8+{xPs(ffZQH9S;kA%7*Qt@=t$jg-^fFse1j z5Mr%Ie-@b|&)3MbUM4M>66fvAd&M8UsnU;s?@;_vPh*%ttI?QuJ^&F)Nxxj{3_-Du z?LbC3XaRvri&)|a&_;)KRD>Hptx|RFWM-9s&$n9n%Dnd|lJTsM=elKt&}ug`!#4uf z8=#Cxjpz|!rTPBm^b(8FE8}62`mjhPqKeGC!R)qmBtU6b>Z@1Rm|>xs)CDa~=E>cf z8yJ~{rIPd03(cTniOO-`s1#)#IX9WJcILwU=u~a{g$0&wIhhpQSHN`9aV}VtaPAWW za=3m|pvf(bz80j=i+5AVzc+fh#kyb2L6=ZPTj=4_LOD3PiEt zO@ve>7uc2jDABOSQJF47e&9<$w$7t#rUdVL`R&H$I1^~XES?-Avw6vjBZTYdnHN&q zHJ;`;)_1=T;2ayD*X3CLm8Yx42*qY`JV?Y_lfwdpY&AYF1p|$nO{Z8R%o|Qi8o)77=36Iz zFfY+0Fg8(SJ;C+8w0h~TpXs74m-R}%jK4-+ri6NV%*V8azjftWb8wZGPg2nNf%SjJ zy`X;%c8DMC2Xyv22uMEU{c-%_xzq>h0L7rlqi~7ko+5v>bAFNUZfS0a(25ijddyWm z$=;^>soxgQ+RpmS68Cem4W0|vSs8tST_3c^3>|m((N&IDcCwqD3O>F0!P~l_!^M)@ zwwYdgXVBY3YU-@bUhk`iKN0*~?{qFGrlzMhfqyT5wgn+Ax5EEOUcbF-UJ{uGzCGLP zc%1ErY7lLi2D8@dWOA*Y_1d?G+Pbaz1~V}7=<^&_9AD-v0Y!JQm+``Z-orwU3dk3abc1W0P?3}^bby7zohhvnoAoEqBr}yY%=*(AC;RIgRX|XkaZ&W z<$Wr-Gu~~VNse&=pWErG?)SF{f8XgJ{$)U*fuG3X!BjG+VY|}(Q=&`1qrl7QVWI=L zi=qDEddoTJ5gm%`b1pkch1CA+tugr=e|dFZgZ0d}TaYfFsQxz2b7~rtsIPsTy00;; zz;%-JYwKmGZrDUJTZij%FFzxA$>3iZk;9fSm2ShXybc$9fGC#f>b35sg5J%}`1wW) zJ1Eh&N!xd@v#vFN^U$FEJ%ixu7#v`qU13AB3v%mLG8^>T$p|`g-qV08-%R_Q<1Q`q zYsjmCf3COD*WRV;PWLnWd`hj>a{yK`cC>+b@XVUu&jsF~#;&$4wY)F9k7%%}c((3C z8TGq{KH#$jOa;AKsq8x)_Ql6zbUywo3U>txnOFq97Y|9^5>20#T|u)^y`cjY9B+*_ 
zD!|5V3Epl#<2$lJY+u{gM8UN3-w1A$thBTAhom+d2)168(Lm1AaOsBMF6kYjfL)gP zT!JKj_HmUwmQH31vsi!)+Z)Xa<}cc!RH{vhm?;;%$al8n1U#pz@Wk}a5eDo4B}1kK zsmI&1gmGgzyC)`jsCsT15^zrRLDb9#+E(&~+!E3|F0y}7+TY8E(I<*{|E~W6gU93a z(KI1<&3Nf7Qg&zQ9PIAc!Vnr4J#!gWvg;NxAx9$>#dOPzqoo>*yjVWXD8FY27>$=# zxU_U&onO|b)y08_9dvC#Iwax2TxMccSJoGdzr+?TEbGe(agy^M2mnaVr69o;)MzId znsSI7$py zB0vgvPd+K9REWnURPB!BP!>Xm&oQF!=MBn<3m}>hgaR<&6TujVNr#1!66|c4i{x1u z(5YK!_oP#1;)3efaGt|exfH!3X9%N4hZKpWLhzgL<+I&}?2;O7E>SfTrQ*jL(!SWp zBSQ1i&U)ZwlB!Ar3@EpFaqN>wI~kDbWk;%+raeq0;Xkt;^EuQfA|?HBq%}Si=kZzt zkHHOH=ghdHXT4I*Nlc}XCSpT$>{jm@m|fzT(_}OfjOoZi+0n1yv30}o90YN8!xibJ z_>jzP&rrPM&2E{J=lLyaC8JUx4a;eED@eY-Rgpxr|UrUqhC@pNIGf2 zzlcVP`HWUG^;=Xg`DPM5QaS6l+b zomEq0J5gFmGqC=7haYpAJT-=;re|_I3pqJvu78p+4%c1BkCfU)3cX&vie=I$!bH?) zsw|-fiy@KY0@Oos9S7yVNTasn&OizHu?J#EYbJu+QYmEwTw2~q$6w^fYLPN9v#BtN zbJ+Hwd^i@QU8d{{IC{7C1urQsp`km7FxBRh za2MX#l_qK+JVw%u=PH`isH|RoYdTxhm#5pQ>9yIY5au+@qZ*9vgh!GW5x0Ku{j%(r zX8>PyV??CVW6lVt2%F|IC51sxJipUz7qz}wxISiX1S=S*l4Wt|o7U%bAvX%2`KwPd zUNNY!-p>;Eja{HH_5T3GKs&#%$B90f*wa)?t+i7Fjnk-lv&itXmm8W>my8V6qV(}J zGw{-3$LpsHHNMVp({6%Hb9)LDLo>JNCzU~u$VHSCg@1MDEXL5>TF|{x4ViO1E5%NyVF#!&oN=4 z<_3L4^=B)(V!73>8Kh#DNpqPZf|GOo;O4Ms4vXfnXby|!u;{ZnP;Bu5;GaVOA?Eh~ zK8f*O|GD6y!+=kL|KKo=<1h++nEr3rr_p~1oJub~$Nr=CfBXJ=YaRS7{D^qOHuIm^ z6d~vT=9Mc?o1V1cN;j@~`WV>n$J|{TUiZ!2=3l0f^Tqt^;=ZgFF?vDQoR?`rqG`sjH^t+>-qZdtJL5qIw_AH3!7Gv7Op zx$nV+8!R~E#!}7MCHvOuH=JbczBAT4=77z)Ti5vVxcB<6qmvF>d!OTv-Q?CQF4*m< zEiT^nye)zHVfTHxbk1r&KYi~PfA+gOl;5p!`Xl@9xpmMv<)sA+H+*x4Z*9Hlk--Iz zqMNTuulL%nXTY03-M25gW|?n41e~_~efM6m=XZYn@@m(7eeY|2d*W@IgZFH+%=*GPtcJG=k*!7bi+^*1n3 zK7?QNM1Jdy$J$MZk`r}Zy7Vw>e_UwQTV=Wn^_#C^iyPj5Y7|IBI2J-OD89{XZp z{>sblywNgeJ%1dz{mcIG%7e}p0$N%6@(u33=B)#7 z`u%l>-TzEQy7WVw|AYOf{Rc_E*MHLRT>Sqe#z*m=fnLVUY)9ycu^D$UTnzMg* zKK%JV^823u^I7yCSkiP@*0RYgjb2j!DKCNlux=~P_!+7sNlcpQb@~_pmYRHZBu)9C z?=`u!S#A`tzTZ(Peq^`^IEuswE6@Utx~el(YGI6!RG@UgSvD9ox?C4Pag9xPiK?k* zv38oIom96_L`qVPD2)4FK8I#7Q)_mex<%rknFcYvX-A1KaiZLo1gQXMfuhN zotMe3>v&R!zTh_|e 
zY&7hE9oofPbj23kv6#-QFqbLw`9Y1GTD5-EVH^51X@dL!P4{bchNH{<@~}UpfuQYI z`Ce4FY|3JhiCE@(V!1C$rBbCLh^=}J_1xT`!#5zlkE1>{Ey`7I9M^o_R(vk10rg5+ zwRC~TYlA+WcSDva^`TKX=y)Byo}HvCRzp{716%Eo!O&8W*?iU`G%F0slavV!XA?=8 za6*}=vA7)=a6ak{n>Ih2kHz}9Fpjf)Ap=L#Dk2r=u)%kNtk6l4QI$;Fl_1GT6b}sg zm3}d2<6%lcq*UVIaz>cian})?;n?H)rD-$}Ds&%96ZvK>6L?*+J?&IrC7X>!y%_<` zakW@BWG*A~v*Z_5D|VO!werXDpZwwwJLUc%#P%Iup3c?(yz4*6XU~6@Xu0_>|B;vE z{GUP{ocblv%M^P+qKSpr%0OeyrgHh&E5VEpOIWvzs}Nr;CT=4=?s;Tjbf}7)YowyY zma6T3N)J<+K|4&BW)I>ZE#{{wrC%7qW2of2b`vpTYs3y+sxfTF0#~31mY4410Ya6V z5IYESzDRb=UR&)ILm<$NK|qXIO%(=>4%Kx>Ak?bX?TTTU`5>>4GEIVOno-k42NXUG z$WfbCktTr@Fl;=u%RtA+Y9q)pvc_2DoB9B0fkc+zlnjcoO}d(z#eB9JPltXfr~7bV zI^_h`LbQqDY>-b)RiHBQEVgBmwX)mJ4V1PPBC3qEQ&lCBtdO&f5$}dPtMmesr(iq023;9gQ~W&htNNpcsaKD*b1!|Ia5f-s?ZNf9<9N zKL!3nQM0!&i4q^efAD|upY*4|f2i60!O7YC@JIBYLysYr+j#YjH+{A6w>#-a*b|=K z>jH7D7gu(E_sAaKLy^~R+-3fQPrme*;cXki%e?r?CcE!?+lHTeDRt!T+ZV3oHe7TO zpWknA@-LCbdhDWWe|KN+nA8<#Em-ei*u3H77uHzo;ZvVFw%dGU7qfH2S-0JL^>Qco z-;9Z)jy>lN;GiAu-RZJrPRsEhL}6rYqlb%y;iNvR?n%1M|1~)(+XXawjZu zTlyYf`pS0yhrROvcbvNRJ)xt}LLh`5AXEWXw?xZGmTk$hY|EBp$&e7aNVeo6$&zK6 zKJ*ewr~!rygkC}jCDchMp$3K?`V1|B07HjB0z6N+yxau1VMre3-Lt;=j^{f*WACxn zUR!JZ&VQ`~PG8`(uPmQkId=2I<}Nx*NoRLmf178H{dMlyrS5mb1*^9%J>W+)a?B0e z-?iU&lzUK)0q#Be?G5LxI_DK_we2^5ZvN8a)ZDpnayg~^{K2>1a{Tt%VJNrD!f*SR z@AL45f8O*z#DC&9&~Lx--QDlseVya~+&NKh?6=%vPey{hG<&zpUm_1zyV z-Tpeb<~rA2yJNWKk#`Dj-FD5llfT<$jZ1G>b#(EK@QFL_b;~~Wm!vnN8>;UfefQ7a zJ2u>w-I99p^y=@9eDa4oZFmAK5&U2dGy5g zZuix&*rBKId-M#ZPSAFj}_K%ltyz?)9w=;7h^BrvyiCF1`g>z=Vn)%5(T+7<@v|YOEf8(^lneg?s zpPrWej`zK@*F5|A!d~~vXC1xYlLzp3zVzUVMdZK@cfIGp+U3{IoBz{27yOI;|3Uo! 
z^7Vg9A~W&-^RUmtf5y#xLjTIm|G|o^5{s-f5!uG4pZ`<%*!e$SMgD^q<;9PS3zPbi z@*ibM^gn!Gl*lxp_=8bf$WkH$q;WG2pmgk5V$Ucy#%-kPwd-a&!JtjLQLLLnStWwS zSBGq6p+S-A$+YEp6(bQ_g=#Sg5De>!qj;Qzk#^j!4$Dq2p~9_6og&f+Pe*vq5X+E{ zm8nFME>m1oGabI*Hb?RxTX&TPfW}Z2uPA;MtS8F-yeWXZt9Ls|Qw#{PpDlF)iC~(| zTt^Zu#AjWt1944mXh4}#E$D{|Fz&V`LJAUvT+mJFDw-Ol{YXP?v^beA5z1zI9zW(x zEDu#HcFJib&0(kof}KtYMuOrvU|h}(zzk7yIvtiMhV5p?1MA752T_S~Mv!cjf;z2M zl&zZdn9l@8KfpVj+=^vmnqfg%6{wB!!N13UgmH->>zy(~w1*xVjf&+l=)g{+mPW}j z1&2B;jhv)NA&oAbw^OT-X>b;x>J8#s8b*=eRT=F|gARbDTR+XdY( zTUn6vUTt|qDx-Nm{-%zHdtlY=2+ zB{BtJy4kc*IydA}X|~uc>4`3nkBVf1%44s&98;c`|31|gF z`ook@we!VFHb>T_Fb+5+&Wj@=t;gMN%5Sjgj@j=3AeN#>fnMqjusDqBn(72h^#-VQV)oL?i_82n-aBzsgb)0qc=}cM5dmQb<)HkP8=^fZ~?B}l$s@KOek3Q50++j_^Oat0DK zy7tKFxpFmSw}>F6$3wU-tA3gvSBg{t;N*gnPib68wdA&Ib(@A`lWxFc8J$nLB@T<( z!60aoj3w3G4$R@iP|jsxvosoI>6V5AO|`_~jZp|zCwU(co#~+=lsjTusn+cdW2JiK zMs8Ret9^>CwuS1r*wnH{G~H#kgimyw1Yq7siilBiw2|X7UZ?29u3yxcQmH-44>Jsr z!!u$AcU8-V6}6E@(sJMIOju)_Q$xn81GTnjAR-^3ajiYU2Lyx-a|xRvdjwxiN+V25 z$oZ7p&IxYl4^S^-Vs?2H=QJjQKyhaD&kX9BK|M35X9o4mpq~E)hGH1;W#m5uG*kck zJnW{J3U>vd!uh{D^2E|x_#rOgLYr`>Z7GY?qB}xAKfpOEFj{^f^1n(cf>ToHTo%^{tmb z`nykTv(V$Rufwp`}1J0IHZuGLc5@TvWP*}n*$-~XM| zd&X~0IHG>`DW?f{<0r-2oWA~PJHO*>+`RXkch7spb>?UmT3< zTL~MVU9(UAR^bZoh*^8@BD_3nt+nnvYR8?Q;1+%T$47VGz<_-=I_Ng#)*GDcp4;A$ z+3IEbgo_S%ai`zR-7L8Axp^UT>dvRV&|iD}V`0m;*IRC_dAB#-m+roIt#84{RNvV8 zfZKF(tDU>%if`Qe@bzmDuWa|yb1Uw!?w&z*_Z^qkUpi;g=MK2^qT_ck-^tGV z7yJK%`2QvB|2D(_KNtHf{3j{JA^(-r|KJ5S4NvpVShO4CPtSiocK%QEtH*zw#RJJP zkrna6lJ|epmxTW?CC=?&Nx3C8i$P%LFd!}t#ZGzTQw`lBr-@@2jyg&h4QOf-b|Wk1 zEED26E~RnUP#uSGUSOe~(-Da=l5-KH2|!)G1F9S+lynNs+D*OTj`M1wgZ9R{*o^9M zy`^W_QoGRZ1y#z^3Y?C%v_`sMgmIefmjGI$)Ks9fZKhkV7Co0`=t>rq3r(=dgOdsp z!ii))>lNE<3U(Q{Eiim8g?sY2Z;5Kb1%Vuh1SJp6geqoA;6xBJ{Z_Sr z4$2~1D#+ykpA7q5#y9eXekR>)b{V9lNo|1aPz4lMJglC=prpf#Zl+w(%^1Q524AVP zvSO^&sK8FBm6D<1kVQ>`_E-zj1-`16A_Cwv@ZatKri`jNl&WS+pc>VLawAkVsN5(t z2E?$JawvS1ldXZ~>oh{AVZLgN8fhM8P;uOlYNHrH*}7P>Cmo~Q7^pc$|mgYAXR{&Vb00`xlUAWq=RuY)te^oPNUh9;iOp^ 
zu_elFvP~#xN?j@sL8gM03PZoajMJl())JGcVoFG+VL*uV9+)pjlMa;B^%jRDTtCD{ zc50APNzdrUMFMkME}yHknggbo;0j_1^nXLce6uxEGyIVMpkF=yvqZOCo3}3>t$tH{gt#$%$Lv)#E`%GCG zTO7mKm8^nRtRm6}$80OkQGP#UxwfSYvMSN$3t5(%Zn;j}VAFI6WOCBjGE+={P-^jE zmLBHfNjz#SK|{!)N4o0Ay6kXxpXfws-cvJ zRhmzd10xFwfkfJYPUF&8X|TQC5VR*w-6637*&Rz_Q;8DIA{b{t8Nl+Xj_TVfVU!&g znrX%&GUCw7;4niInK(q`XplL{!KQET_U^rDc>$2;f#>7LpR0IA%11 zBpJj~`=fkR!z48-RJ*FlI-vsEQ9(m!5~YULM4y08u`7g7twSesK)K(`$-TCpjJ~-3 zZ~wr5{xkjGrs;}~x|N!y7wVI!f!NKV@1}i&OihHkn9DKKBPiQ+*;I811EYM3CwdvX ztMf$^D;s*N&~63gA|qz|zFa5}5ZRFLG6w@42oVRdto(qCCb?ygcDZP*2Hxzb9wW7)ZLg3W{b+ zIkzphGC8~(q$Aa7xlo0MVovIdPDeso>IlqY4Jq3sO7bYt?KMFWrVyzYMZjRFXB*R~ zl#^Q^f;tGV*@)Vb@=>c{*o|RHAG$s>C}mPJx}X_YGy{ufV9^XLnt?@MO+zs(`K9DP zGyQ))7yAhRnYH#eb{Ku({0D*H#b1&T`DyyUCI5;4kY7CiK_C=QCNVsT;-8WK9Q)Io zg0(KQg?CoRuDs{6U+!*+H+?TU=Yg=br}nEA{kwj2NB9VF=A74m_~@Rq_W1qggXLd1 z@!l6Un5|v%^Yk1N%I&-*vc+ExJ#~ftLHBHS#SRa@dgrD;x%!-y9y@r)14Wix>FkX! z{Ns(YkG=eu!#0|K+`<=sc<9Q9ud3E}Zra=9S07@Y>p(XD`UTq$%6tFy;jSajx}C3| z{J^H`x9|ANQv2VsH*nUitu>C{<@*P(`rM81(Zrtcb!R*!|LUO^MYeu;_=oHt4|x4g zt9*Cz%0}~RzzLIg|9a>4@4Wr9+94+}Pt8sof6>0j?Y8xn@+2hBaOf_--nM-gd+A?(v&!Cke(nC>?KA(4 zS?}KS_&4_6a{IroIeV!W?mPX8El_LI^R?o7#bdzh&bTeV%aysOziHompz-cK4_^Dq zuCKqlDgQ>(DDAk%S^hKg&;G%Ummj&(8%XDjtIe&{li<|y?H{l5{(Z*pUTyvQPW7^z z?>n@&?2pzv_S)0PU!{L7uk@{5uQ*XZ`_coBeFNVsZ~pq$Z+~N(#v`}?X7rb1c7NvC z>n?uW?8#|JGQN{%?&UJ&`7vu8;^zgQ^cruR@EfMB_N?)h9yQ z&&5%VP&9$5b6PzKcPz7;X%A&rZZ-QbMKrCFSku&mlxlfJpKm}D1MoU#yW#4}*ehfR zuZfJMMv1l>!xlrrS~Wer9nd+pSmitep5#rX7>K1&qr`YwdU4sHM&oOE}ErqLucE0wbEvzTBU_2yRo4X?Q#}%=qlu>m;{8J8RDe@jaR$H zLTs@eu&C7A5u6$Joh+KfQUwpQ(!~;!(7fTGP$;4KVJ0bc#8|1eCrBM=Sy_q!6~%-r z4454irk{>y1sRp1hL-7dQ)M;Lhx`&o7g07%RAqOZAv(N5T8dya15*LYoKXMw_zz>( z!VX=KT6WDvs9sOOHD0U~CWX#eow|NlceG-bg+K-B>umQ4BW_UkH&lx^XgQpI@Y7!1R?q?E0!xUNa4L~O5s7Mngf`s zTW@v{z7dl?)E~p6#9-3N!I4%RM*^qh@F?FZwe%pci{2zIsxpaEUAdaG4Tf!ZS~;L2 zlTF^!#6)JGWD>j&#~n7`^F|4S)^LenEMr`YOb1npxM>a3#vm$-nwr%*#ZI{(R 
zc2Z(9$U2f6n@Gzg4KzWB)_=DD8%)z>%d=T)`<;2tJafO!~5YdRc9^Zl}r`WY2N-aok1+n@S98U&KE~ut_s^Zl^CJJJhn7VSZoVV)$ zLAAztO)-Z^hF4NjB&cI5;qlF)sxwTSt_dhynbc7y>*c%F*v*NtT}oPoN#Dl_Gg})1 zU(D5^uVMgCl7rSB$e52xAFgn3N$Xm8+p38QG<*4v8Y@b)#HYDbhpOH^LMW z)}@A!3?V4pY+N7E z-DWDfhUIl5G$|d7MiB-ktWL?YXxX*^rldAvBw?ZkJ@$G{+CU3Np#T+Rm$A7xH2Sh; zJE8)Wvr5;gux2k`%+nkgaXmV6(QyZ;bF|G*L^?NY^{u)iLq4RIgT7tp<(hrD0@afa zl1pSsZA22iEH37tb{P}O1YtFrVqBlzZa{Eb@H=|1Zc?Lx9#GN@=b7O=Gn{9J^UQFb z8P4e8Xym;+ql|xr4y}Hi5?mCwYmv7ImpvT?6 z!VjK2_k^vsed__?rzdSberK<*!Q$)}UYHZFed+h<-`~HT4A?gTzRnLP1o+fdSZ(!i7n6FV2xMbcvRI7{PnHYAK%(Cwd!#T zr}tG0zy8EtZttG3y3%XRi5Jg3;hJwhaq=H-dh^c<)?KjNCA<8G_)q>$9;XVw+2qkn zuAjH>%Qs)}>}G4sI_|;h@pE_F^=D7_y9**?j5 zef^J@UA)|Vhd=Rjqr%Uh?XEx0gIaM6~KPtAXdA3Oi&tH^)Q!bC@le@nZqCFMWXlIVZ3Y={d<8c}$9JW9dl zG-Du2iM%Q|6S+>4Q&q@;&0w4W^#N()>8Pr3s3qv}NX^242?S2)i=a4?1OW2-}=j9HbMtO)X z#{j3n0a*Y|M5B@eA(au}4o~za{bF7(_geWd3uju9*R2^Af(;0@UN20BRDVbWmWidu z=mcmQS)reCyJAogxN6Q}v}DU|)1?BO@0S}G4VJk4B$C-iL7Mai836**v0hVBU7VcM zs}cct;W$R3WMP^`dS*H3&^DAFPq#}CEIZR@IHXCEP{sElM<`)}&dKnguII~)-Vq3F z#8-e~Yy5A{{}G1miRSVtRTC7x5Z2m0+#0eesS6FwLITbW8cMF9CLmsB+)C5d$YFtq zab3vr1CJk}z(C}yd@$@6JL~`)2o1H5B`Xux(;|>#npGynD*}&}NT4TuS z^fI*4O}84=Y7MC6%<8Z_@sikx%m);l8J0&mvjB^+iKugvMBe+kt7nmX;hj3ot(nUdP0^eom3_$^(ysXY(vRvDO4wV zIz4D71}(6k^hCPhJ5-y6Fo~oKsWc}^c`d^-KuH`sJXB^WGA$8?lZ3reE<;UXGJ~~8 z^ne;9P#;X^(is#IBpRtecB>vt*m{qwF?=mi03bf8Te-4=X&_-_`Oz4y1t6IOB}+v$ zLtr>a5rkf1x_dlJj7#|d)!KZDY$$~>$|GF^=#+F{Vk992j(fv)35j}gRm)*znXY1J zM-%&IqE&?$&62WRu9%e+OIOBJ*3ru`N6DcLkWG#^>5lIVKIA`Qa_Y{Xz<=o8hx~_| z(9Hoe{3!onbv|Fy+U>f=3~LoUtZC9G#%DUE2>|7x^?GV7qFq0mY7{_wm|>(`=+&%5 zp_g}xEu(3b^gcA|72;H(m8U5x;ex|vs0~mb_G6%u#cQ<7C;T*$Nif zjVx(&T`wb8V5XYIlbl=EgwRSVuBfm+HI7Bmf`QOWHL5O?K$@9il+$9$50jwb%EYig zDcUt^R4!{MB-Qy*rOyT_0~WQUD$oU_sv|6wCV^5X8#dD#BA|JcMhLqYW@}=mq?HJk z94CySB^KPq;;}{pBSkpPB;~cHJ})*KQeVnKvI`_hzG#S2XiJJy#q?HH8_eLF8GJK? 
zZ)Wh#48EDcH#7F%48<_&OUZv`>VKb$eU$&~ddL&T7teoSG&%K53d28*{)hS}{zH8U z_z#RDC_+wMnfi?U=l5&e_~345Fz>AU(hA>@fBw{6KU!&{(=Xn1sr{ERHa+xa|Glrh z{ReBsy`H@I)#opK+I)I}fpeD+sK5MX`}Q9${==`@H`TBC&N-R$k8idfS^j(P?Xk(_2#{2F5Gjg@cYNE zyvJkSH?RKMjmvDc*H)XYx#hLb?E!HQANlfczP8PgukN$xsqt#({bAOor@ZybMe9iq zu5$B!xBtBI&$a-f^9iGrK%>!pmPjC;t|-Ib3-8!Sh~E9zFl$ zZU003XL4CSv1rvl+_T$?XT5Po`i#kq@C}<>*}rs#UG#Q%zfsS zlXrjh*y6_aj%#eX>#jTefO~o6)tKn?6W85$z4gj3Jh$vpKN_vF$6oh6b@oqQ7;bve zgM|0+QeD z+&tIYVSnqfdwY-ECLO!-qKo&D>wEUjx%PzQ1t5dXhm{SQ8) z|M{Zqv+y5<2m|7)Hvfm8=B7Melp9cyr9Zv?r}(k+f4W~i{*#^*7S|VL2P()*tp9PA zg#RFRu2S|C+~f=jj%{`bxP_(^j(w{$G!o4WK5j>1S*1&yF4amQk0VpzqLJ?T0bqh!mc9Mj{3`rjEX<3nLb<4a^r&Y@64`ZU< zl=OUqD3h#b#tkXo>;#!G0k9-(hE_X8qcw;TGdw3#T(z7XVtz@`v_S}k%`#EwahcHU zc|&zl#1Lw_dxTUaU8-zJ&NH_s2m8e;Y%9?K? z`Os?{6=}exrM@KQ8KXpq8I#IKRvQorjMqdwlObw?B2DmKQYd6|1B@R*0wel019uDJ@t@Tk$ z_uBNZ#tU7})jc;?iU-o5hWnwI@JoOW5gL-d3kb-R`yNCNIdA|C z#$;C~tPZDGZU>XgdLyZ5ykEf-PXUsZp5G|vQn(qhRI#5etBHD0=Kmf254SkPM*kRM z%jHfM`~->R|E~Jt-}n#y)#E=)blm)%|18P;pIlzavl5uEfdqi*fygsr-tX4rTGvw@ zQyNkUWaJu9gVY4KJt;TJD8dA01!PUG;aDRSL%PM3+#d88k^z$GFyAh-BAvr3o!AWr z2@&FloqjIe7<2gqEF~K0a;Z~P*krvHqrtkK7=yz|iqko2I8I5GwwUgW@Io#YG?Z!-TdgW3*hkBL;fS#4E-tjPo>SvpWN0B_@usWAE)=>iB`%ec|s+dEa4;Co-i0Vy^JVQ zEDZ$&b%t>&o9$3YK&Wum5hGM}4FgTp!>S>-84a!>NTLd=i3w55Yq3O)JMCc#=n@Ie zH04CUJ}&xbjCKW4OHLhD>o?1w3YqLc@x!!T#QVcRGd;c3qZ}zUDoDO3$y%^Y2-oxQh+D43awO^X<0lqZqG?n%=O;dfg)T(sZESZ$EEk8$9lS6^ef>Biy#~6^{ z$9PY$=w?JD(a0$ZsXkchltnRuJNb4*hBC$WTdfd{6XqxrSM`$HtR}#YmP44P5UKzt z1{16r@}%xDR3w01Ivb>;QjL)Cfc5Hr7&pLHCB#eGgiVX84vp$%(hMC{3o7+0$^pbo zU$+@xGy{xgfYA&vngK@te;c}Z{P+J`{PQXJ5BksiXZp99`rqea(ClRvK(m*=`9uD* zgLL}S^B?{Q|C#f-;u8d?2#mron8XQuEBHImh9BUQwLhN!;QtN(AQ*;YAHhGnf9}gC zD2zmsFiLLqFG0_VN#dsUCfon%%BX$HP`p(>@#KTgUNig3?@|8cvj*@HKM*eL{OJ40 z-P>$dJU)F@cb$W-dF;yesz)u?c~LMY_}A=+;R_GyV@&DFPOF4inl%V-3vBf>y5qNz2@|9M!Rp=IADcMUbFs?1Btey zUyR+3J=1#Xlpo&l-0JIYyyJ~4;I-dn;|)3TvP&kb?Dh5>pZ)D63*KM;kbO5o_uXv6 zm$+50K7979jPzXPr90>C@%?L#{r1YwE%>vUUg^y{z!hKo^Yh=^YuSrx+#>FH?i)Wl 
za=Rz@UT3cP=5uSEcjimSynoWt<3{w#CV$Ew^5jJ~zkkg|fmQ)F_yF{zq0~Qt9`pmy zvkkQM>`j8!Fxakd^jeKUe;D{irymTrtG9xwI|SX~V)k>;ve=rVMIT3i_IYSC@UIKi z@=upJVeMnTmh8Sa|G*#Lv+ebjAFp)LuLjp`G8(Q-FNw7`I$TZ zEM9T`lbfEE|7G!=SN?dP`TAAI+9@tf98FT8d!hMs-TkA8XE zp@;AAfM0uK)?ZfK!Xuaa-qzn$Um-4AX~E6ar;OmFg0bFs;!tnl?&*z9>f*e1E+gY)Q; za{RH`wGQ9X=e)Gp|G5AE7XSa>;-Al?|AA)s&*x(QDwmBHH>C0Z`*4b& z+#QMOPs(L`?3Xf^EyxZcP8yInp|PTDEgr~S7a8Zn{H^i{{0E+{0Ml4GjZX8^s4$`9 z0xQ9V%wX~Nu)lvVJuYSjkyV4nsR^C?U{$(IcU2h>%VL!N00{9c?Xr4x>@FrN^CZK#}kPzR9zx zvQ*DzpufFng^_F30^I0zp;l%34`m4jL|efNwuDcYJ}$BfQm8oN=~7xBEK?LSP&Zs$ zbE;QW$EZ$UXqv}LmH+-3@I3R;c~9y8Dnya=;^$MA@VBB=JJkI0kgA*QKx%?{yMfnz zKn+=5gosjmsPuy<9H3F(L1ir(`9wOZX<~y(my4sGpwX;T_TUDrw{wJ^v)Nt?$+j>C z@EQy_CI-R4qRT@V_53>B7`tkwU*pPEw#9>8r-FrX47L2Jw;F9$t!43kR0QpwmK*dZ zKz*7g;W@P6$2Q#P$8B7xXDX>KksUEMAyp{3q*ZE8q<8y%VO%bY6MUjVLNQK|qmC5C z9U!RWn+0Y#%Dc^uh~(6Cdl00R0m(Ow6d^bbq6O+2>o`F&tBjj?q5(36QZXvyQXmi$ zYYY&*ay65h5K<;rZ^J{)baJvbmXlU?@y|^hB=Zo8307H@GNWY!rIIpcGm((4--zoK?%H3!5ph z8TO)FD%%MqZkQvx1W%J@maW&+4vO-j8#NlaY@>x&QEk*@EwF=6T^VvB2OjvEoP=E% zYBwk?jI(3UGq~|sYZ@S#?n!Djth5l8jFLRp#4y+BCE#*JXf&)Y0Mnz2o7ae9-$3}D z!t^CV{5ML4iN9%ojDHBPHaX}yGwkPYWx)cgK%dBd*e_+Na7mAv57`gABw@DS#M`FQ z3wz8k1vJaPj!t|Wt-NR-NO6-{RwZNK5-8H&nwI%bti8C46W@=3=fhDg@S4o#zlA-14riB_BSQbT;Y zU?bCO0|Q|&9+caYayt!?y3~PswyHS-s+u?$*2?xcpF&g#(<|HOn(w7Ps!d3jL>fs=7mn#w zII3rrus(IHPm0mN^j(t;UnvDi|t~M@55KmB% zY2cF{(kXy^wldIxL59JE)ChqqPSiK#)PPG1VKjzyG=Vz|*6n6&tysrck|c*wF+-rH zUN1WxW8@3SK*A!xXA_KG!$t@#191-JD z+eY(csfUR;}41;c59{iXp;52KOXQi^V32ItJ+oEe-mgL7tZ&J50(vA^5m z>iL&Z|AWuye?AxcsQ%~Z8`iw-i`V}w761_hMnRvV{~Hedqy7hhz6AQ8=^GOWfYZ}_XrZ`k9?TMk165K zpWzpLYq^7ef6e>zAAh>B7d7YU=Z-u3x~nh7*ZJX*^Y==hE^Ntvd%@QhowwsH&-dEK zj(41~<~a}V`^eh+Z+PCbTfg)x;g(A--{Ly3w$3)j{<|%E-!rrBnYG{VpL^-3v-Vh8 zynfbRd*Ac&3Y+KF+wRIuE_2oH;1~HXB%6H&1{0z8%hD@KaWPWVwKR z`xZk12d!ncy!?^}cH@YrPdIK4y45*956v)rXahZSw_brZ(s-+lgv`nkt^XWROwo36KX ze*43I_~OEAR=Dcd;H&)mul|eu|3Uo!g7rVhNBIu{&BXuD!#<1t$EtL?&L=b{`V#AZ 
zimWmzOf0m(il4Us8w`ja*Z<9CzIyr}ek@KJ$YKs8vP;_kO{SMb|1+3=Rw*4CMzvgx zjBL9DfGHLRRX+gJuq(u=VltWclUdK^ON~T}=?3J8kx5xMa0ON^osOkJJzE?_dJS)c z)W~ZCLM<5^t-Mf6O!DPif7G=qV&2jU94rXD!o(dl!|`K`?9iIRYf6pMeKOtGQ_Xt2 z9raWPs7{Os6S6g^lQ+PeSsq1B$=7TYL!pXk!E&|-i^FPJ&JH>z*H)^29~EmdCl8{r zGYkt5zz1rPv;7t!*Ab?`S96Bi1UrR7IH;Bel<5h!Ti!8CIdT!I=zr6`~>gZ6!} zjX_Qch+E(^*S81{=g7daP2B($h#NpySqw%hjZUzsUxK9~sx*cW+K+NgF6Y@ymm&f= z)5wHC(Q}!9Pydq&{k|}<1k=pv6qhG^Jc{6=S5v4|JC_hL<7&5>3Iko_Ygn%dl}oJE z#i&M@ou+cG$N)vO(yRov)=(i7Qz_d`NI^-jrzt&soK>jUtC$_H(CYd+)n!V$VW?WpuhjK{8RrcyE}ZW-}N zecTAV!N4D9OEl1|%Z&~qx|}_k7(DIadej_L9Z6I$vJW-tEx3%Pai!y#Oajj5dv!)A za%p(bO-dkXXJsHYz{Zk?WOEXnt)PiWOABe8NlGXj1j$N~G@Q~HG7{rvn(@Lxh3T0r z;dpvWNjblmrI{eChqNI2OKt)2sDZL_3Rv|&DzjuTxc+m~#0piy24qDrEQW{7eJ?c!NZ zNC}mAAhVSMF^FBaN)P3t#y1OqQ&*6d=qLLU2RFterJUeVUhh>%iLoWCUQn_%40K!p zbt6-bz%*6S8;ua329;X1twj*PmJ3;Y(oW=aQa8((J;b!54A~m$nNh*7(o)f6v)lmX zU^f|uX&YtesLE&ck;wFu2?zFpyh2kd+Vb-%E_qA`4`4a&Gr5*-Bl!u!QhqU%vOJ#$ zYy1QR11JZ9GL)g(buFfHOtl9fe9xx^HZ_|3-}yhHm>zsm|2OnQ{m=9!A^g<(pT)4~ zlg9c0AE)!-cn75zsiJ0_hQ#+RJK11V2JAJ%w4iaVbSW9Dr6Hk00W$=|m`-)aNvLkZ zjbS<=7*xfKWCtua;!)maK$W?FqyF<=YJmHo6fZW^VS%IIl(F)3mbNJyqBm(R)}t|36X6$m*Y?G`vL zrNeSJRm4ds5j2xowIix!F=6CdnQ>#wi?y;ZMPT;4dTpp$LeiND{(7BmcQgJGbV% z!!Lepk6-`p$+;!}-p0=1@Aq4@ta`wPS5&_){rTz*-oLl9>!WinT)+9y!IM+S!;jwQ z#hWjz4KMuld->hgJ;hq|v+K@0b>SVuYi}4X($C!M&Z`c5?ORVAG~WNu8-_o6zsp=- zyW`f4*1qic(w@=kk+;FIx5tk^w$kIvN3Y-W+AY~rzkchxYps9M286%ipO)F9?Ex3w zDO`ET?{ZtMIscK9-hcUo(o-iNe8Ex|?odaTyZw|S-+baIaGz6`-Ez-e&uU!zr-Kf= zrC2}h*{7bW5(|EjeIm8m@~3QLJ!jpp`<9O$`tFlgt@t#Ro4eW_^Ok>yJ>*Z)Y3nXK zSg}{ycd4K3ef`tw%BgdMyGDoohxpI;6AzvC*p>Tkl-&*}GHdMm{suRm^^kV|X=7{i z>x=KrercE6fAHcBC#2^5?CI|vz4m0svyckpWqwmkp7lWu$M$O|@FdG;#L zjhe4AE4{VTX|Q+uv1>okcwon;m)?8n9~`^;xm!H(<24TX<;HitdiQ$sXRZ3}g|97t z(@nv=^^)G>znzt3*S{a%d$lu9dg8sccZl6N=u($#u?Kj@hT9&p&(}{{?zCl}FTHp6 z>W?=sSZC2{a~?eW%|*xUzR$6zzJ1F<&W5)k=ALFZxz(<#lGmPa$&<7Gy65Y!EzBSI z{Gax{_fJo(fj;oitJoV`Z@A7w3l2+?cP@MWH}Ab{`)gmGvyS#|!d_85^p*WCU3H7q 
z&ffSgt$Nwc|6>1t5dXhm{sR*qNcA|pJV~Zs`pPv7G zT>rPPB>!0~SAvUFy<>YF0JpB&Bn_K1Xl&c|jM><>?Z)PeZQHif*tQzm#@u<&T4$}j zzl^_dUt^31^~`Df^i-gidssTUx=Z7H#2wBw{DpB6A9;H}O*F}99A`@qvWu0${+mbFpm?$-<&%~GoE*0QUzAnKN{hYZ17>%C z9?kd=XBjG#&<`6JIvSEynRNwn9h=O7*q<7#E*+@_b*jOT*UI@{seXSF39BOJhs%tG zWK-6C^aQBX9fkpoL%O{Jpgr>)rER+&YPmT8js+JLav-6le6Q&k!Iu93F6BWTH&};@YNi0-a_pJ&EevY|SW-G;WR~&j+o?i^{_? z`>)QJ46n92j9!@2U>S)v>tqaxseHK(g%)jJ2%})EtsGsS5#x`x_uRZ+^5#&22=fwM z?SeyX;*=x(autu!98#*~6y6ag&j=&ZW}W*QBa3&S1f8r34;r~Gp*})tt~c|DOv0+* zjD3}&pes-5mYm#cnJVY)F9?zvZmeSb63k{^a%RlcPy@LqChV%bdNv6#XN~a{>hvm6 zL(S|)((T>*5zO4x=2a?2uwSGq>GCqg^2DBro4>XA62--Jld%G#m+V^oSfb?1On>|% zEffk0*EE4a0}AbJ{{sNe!U`4uK`Vk^3QQK4zo35rulxVK>wjT4fF?h;n8U;k+!#Au zwD1kWM0+4U+^0Dpm1uuytS+8*6`>%l8tQl7;GAQ}g~O1@@4nOxJR=g`1omGFUC_1l zU{UQhMQk@#l%?>_E||^xxc;2(MSK#eJ|&SFqzbC@`W`a|r{N<4`W0IEPZ>TKf-c{% z`^b6qpJ5Rx!t1h!Ld&ed|5Bn&-^u{tLv?~eu!9Td*w*+~nxyrWPDnebIFzX8R$cKV z+BMozCm@-1WvFCYq#jPQ)9eKJsHve8ov!U$jP~~R0 z8Gk#UBCyP2FAmcp+#rZMT$su(YDd%j6JrW@=fk;j8Lpijcje-*d=;waJ;mO0rWXf!zerV1%z3 z19+NK8ni+#A(IK@x#WE|Je9iwT_J+fW_@yu?p-{d5pNu73>FbOtOa!Z1X(b@~YxYRLEx$mQm>6qR6{~0Wuhh5L<=2 z#E}X_$jKJuM^tq(K_iBeCQ3A?>4hD^3xz7dlW};9H1jYP|0Eg~(`y%NlNCIEB_n<0 zZ7c+%TG3n(GQ!lTODN2PdRJglO$mXMl_SS5oM=fdxZo=%>n|UMC5mT79jyn*d#mmuU#6=+iHE z7PKfVW&lyj1?y!xaIfM?Yj|qKI%S&wv$W%B`#w1squc3aQL8FL@6Yu6-Lz`YTgtgc zN|*TN`;bZkpRMkn*_zAko6M{1%^pb&vHat1XBRcwn?quKW8c2 zjxO&rT?e_7ip1A*n%|o5EzCBwm6!GOyxiNQThf|lB>`<<&u4kdY*(7@Re|`j+2^$0 zj~gXNe|d20<|+V}S+DjuoW^?-TRZ^!A+(+jqt7#OKG)eVXWE2B}fA%QG;=C4Pq>oY&_X|wVsY4iEK34+I=*cc9a-Z zYPBG^9y=GQAI9L9s}xL75Q2#vcp{4Hil=um-}_rrFSP$B)mNMfm)(%(Rwl`M`}Crd zZ`-ufGP%3AE9UJ&S_G`O{dVijwINon>^yC%H*>>E zaieEnEuoi-q1oH|Z)pWA9MK3VIUeIyPgQRvMH-;l{!Rx}IN7WBmQ=I8BbzO1K;y|I^Eh9iGn$V_fD#y{6lXWJ72o>{w@_Mm1!+|={HnUio!y3SOF!|`Tt#`&9_x`ER5 zE3}>V<+73`PsT_3Mck`OGK%NQpI z%8rE(Ut=GODUifT7;ZR9kyMYa@rE%O1Wfv9V^J+CwJzlQIRGN&mWg)V9A5FDQiWNJ zlEMuV&GZeHZz+83GAu^rdy*9uaz*@fIko%CF4&v3F*UG>qtX1&sBc>siZwxM%xXG(=C3P~moWcvVlXrY0UMmH`F 
z`njOSBN91f#6e^ngJ$ij!godL-cjvFy_8?yidEV-kl51qDt;KRi!r;1-*?oJXP=Y_ z)hUvPdgpO=V^14xm?F{DY4rPFFfNawda$8GhJlSPim3?y6h|}W)UOJP{Zj54P?iZu zo8&_!ABl5I05zB3Mrn_)FVyL!QXT6ju`Ht@NvV&0I6%8&lcnaV7szKUbhEI*nL=cz z#q+itBAs&WftlMQA*#*74S|B&!e^BSa34^sNMTS4(qMT5(Dv*1xl#l0qy-^3Y;`HW z=g71ifG)8#E8zGs?(&#>mbw#|&DaR*Rpk56l$FR4pT)BDSV=<@k~E67HXfW0${+3M7 z<3*8>Ec(-cg$f{@_)lT5)ZC>ZC@hJe*?dr4lb-Cn8}e1e0tQ{vQfeG}QFio)w7cI_ znU18(T_^RiHehq?EKt6TJFYWzQ~_7qUm5%nmm>csYOD2p6&y_p0;_(WW_V>>Ce%J! zDT$eQJZwQ=ZBp|HMoC=a==uk~f^s+oDTO)Fw5cNUkigIdm>` zS~vBGJL?W}T;&#(Cwa665n9XZd2U3hLMFM@#%-us!)5zk4)l+xxG}VCGx(?xmu^eAOdOg zizaGG#f(h5WHIRz@;oTjq8DD>Tg`VrFst1*W!0X5KHneeItOqZdEwCChU6oq{1`-Z z3N_^NH7Zjo?{6eBgo^t9pd+3J=gpoi?p)T!LqJPdCAvv)>lfx`Ib}6sUtx0j2tc4H zVq&UF=CMfCPQS>spaK)EI+m;YX#qVb!NuY-moSuMAaXc86Xo@ z=rV^mq-~7M#CK^%f43s(xX?eC@{3qm6SyMFpH!f^tdFFHnpF-bi`ev#wqS-WNIg#k zW0)lhaY=MFGS~TyUSA6E7yYHq`ak0yv?w4C|04K`$X^F~@{VM9oj!9~?mC9v0icEn zq6X|8b6gYbLmvYuVPfn&V*R==UUE97vdM9MPcIRZ={^3F_fvLuUJVCc3zLO zG589_MmUv@!|t;(viyH?gt7jKzQ?TNwivhcz=Yz1?heQSU3an=YcuW3d|*8-AO47X zjpN8?dW{J!2YP_D+;!XgVv@Coub$8m0#iQkCYYSg?K&+6$9@^;7L0_W?w0+bNpp82 z#;*7DmOo})T@SW)@KF$Io>fR@Z`%q!xv0!%YqvACn%DiNO~A^@ z;TMF%oW!BYvfJ;Uw#G81eJ@smQ}9T9z_(jhI4@pReB^4HmRLTmGCm%sei6K1eA&Yv zPS-rEeRtw_4W@_sypQY#9nZG!uIpl~KVBW|Z-||jD4_A1jueu9umh}Yy_1uAE|b%= zR7xhcb>9|G${i;+5Ib*Amb1TKHqWJX==h8;O#_M~vbxYp+PskeKGbn05i9J{r@DMM&Wi3>Q%r8)%zc!Gi|2v*%+O4PI+64*=`IPXp{QkstWB|lnVK_K0smK%c3 zl;}Tz_B(*Vp`8qtra?#)!{AHKH3$QQbyPk`NCV7S^wZJ=A*UR^$DoRcM1}9e{FZKN zFT4OhEIm@ZNX)HgBj=OABC`9=#jJ=!+FO|K?wv5gx;~qnmLgThh<1iL_*?Q3es$ra zkd#G|PBXM!B1VA&`iE_BlDc|#qw}XbgYNlG8k-lrU>8|K25B7NyfDS z*iYlUSeb8(yttN!y?y<}OV(DSLRm57_OcR-$}JHi^(013*ePx>+rO=fZn`cjs&ctm z`vm2Xjpv}Sv3`Hreh#F}Mfs=B60SZW1fJ&W=Z8g==xF@Bbs6RmAUETJh&fY5F7fZs z5kJcdmcJR$R)Hi*yD^Sf3r5wYe-zkiz_C!Uv|yL$pd();;jN^4HrcG8(d}Wgr|LQ~ zTlfZh2hljhng+gt1r`n_7@14&+tj4&Dxy~22)^{k z`LD7O8D?IT6mXwHpP*80T?5D?u36fG`e}edvq93(H#9eKRiZj_T}kH zki>M$gHw;(#vLkCzy?Ihma3A|bBF}wA@tLX{~DIyq?0E^JhlIxpwlcZs-wdvGV~}p 
zC@OViI~TX~Sd@N*QqZMtesvl9t@aw_lLCG!n^s*bKZYNd^CqXVU#@omI6wL%soOKl zw>t%dUjvVP`D>t|->n2&8JzGNvdRNvrN&(=R>~zI)Sc^6%bt*=kNnN+))#0){eB58 zGv34p9TF9s-02tpZe~q7`O9Y68*$L6d;vG0%A_U#A<&q>m4YNhi3g^csI&_|u`?FU zp_{O24cxI($BA%lP??lE{3p768%3xXjXI}VtuW?ipXJiPU*WG0)Q9r3QAzp{{CB7S%O{q8s8^#2au;V;~N zeBqYqzi|7E*manQv-uU+oeKk*k0jBz^TpeHy?5wOqUUKdFVTL^Fkfj9*J(9N-5p|& z(M<*ZBk`9o0lL@5wevCv@gy{6m895CFS~%D^C)tG>y&2HouJcgN$|xBbkL#N;VtfT z8rQ`SZu1n+_R!U+6?RBlDo@dMtauUg z<;2lyadi0XkIEflx?A$W(Gt&y;{|uT8qj^7#Fsa169tDq@)5ka3o@DVeeUO*v%2yT zI}Ku~w%hbYy*omzX+O!6@vYxb=$h+b=;?V9WI3|9ss!F+=zck(hBLW1&1W087E^3% zdOmS(pUsZt5Vt)hH|=~bxAy^;V^5Q9CP&*uIMpueMNLy1r=2Y09mR{2?AjKebfJGS zE)K-q#;@!jMaMTAeL)e>wp_l`qqSTX38DZDwde5~T@Ty`0Q0hk(G@V|m+2*~shT7^yY1?(12?(E~hpPkJz`?lX9Pu34WA zxB_g}#kZ)so4EAermJXFdGeh8c|c!yUDiK& z{nyS5w&a@;2HGBfM*sW;>=SW)F5m${M4;nE)Q3g-Lif~xjJq2_G1q%{Iohd7Cl1{* zMtjRWjh_ix<)45pO2S(_%h(HnpK>NTgfikUH&&%(s$Q9cWula<8LLFVQ1XOJs!5m< z2?XNvT9Y`%4j(JV<58x_dorNi5KGZBj5$-Warl68KePB|EuBSf-UI3E6WKuckWkSi zB9BU|9whbvY9}3~cYUaXqYRC?p+2e46?MNk<^(+`JP)5aL-u zF}@oS+7;_58Q<8Ne!Uu;4Asvf=~hEw$={H<@Yye4%!P}-B4nzT8G(|ICWMuX(FX8B-B>ji#jQTxC_tE=3n(|kg1iwA=`ya-P^fo&tL{fT$zg* z0|v@m)8`dCPgXo6nt`H}N>@>ZxcE?n^HYl9)&nzd-|XJ7!5;*x>~5LW1%Edki6GS5 ztXfZ2p@+RcmlzTv>!aBRm7SRWrgOQIiu(7b?6Q>Xdud|2=1Q25N%tr#Py**)V&>Mf zFL~{D@uwE6Zlp*z@!wCk3!KkMU$OsQbA8__8dyJk=eV>EVKd#7kb6rU-91^yEF5T- zBRS3my;A>q6P>gEb70abe{_7$O`4Nl$jz}vlxawgrmUBQf(Syb&`yC0Gq1sCT5a5x z?g(^k7IE8jHppGLODY_Kr&A6qyf#%)ZqrpuI!@*H(TBrCI^x4~coR(iX2=xLFhi-! 
z@%%G<9s#2XrSSmnU4kWybL&QieigkAQ;FXBHgG?;+yuv+0cBp(6wrUiKEr_1s51AG zD$~4UP))5mB3Ou7-#&~QX+6oFC^3rG%PPoSkUrs}F^&mHzvm%D!_>v4MQ?+4`5T2{^q%rOru?Et9LKA5 zh{I>gS&xP@hy@fL54w7_bDneUat!zx-6A# zmz>w^I{27u>yYTTk6JgC?ZGBxAG7}H4K_r)}4bw_p_99Ck`#*v5d zw#!BHiW{v7BjL3?DB{afxJ4Uluw(+T^4Vf)#9sT55+Y>gLz2Qt_ruKNygOwELH)b0Q%N% z{*8P}nC7)#eLLE?TPv8UJow4ElHT5b`$JXBzNPHbaOv#Yp8(|271FR=v*h_!Of@X~ zdf(00&u50_>TwG8=VA_@XUqQP@Z{^CXj3#Ow&D%y6~(~+sQ97VW3Wb-)YlDDw|XfZ(e?y#4U9V}*?Afcih2&D%{#7&%Vs>zzWSzG((kt~vr^k_XXqI<>1o{E zo_NQs>Q||iIeleXI=$sw*LsW*WYe?xJdVFbuk_UJWtEipG&kSQ&~*6Tt3H+M0X#q_ zJtNaPcectO_JbY&JU5-D$^Tm2Z^Zz5`V&CppftXA{dEjLIwHVP^`hH^!{^=%NWbPB zY{u^UQaSSAb<_CL5gv@Sd~%=9gYR{vU~sxs^|dU&q%0F~UkKN^4|?R#a~nMfXE&;u zM&G0GY}PL6y0!Q)8GVpE{&BomU6q;U-YHEx+p6EM=CS?!h`P67$Z8eeODa(6X~XBb z>>|7Mr}1L`C@*>RvRgzv%xv1VnNeY&_Z)fiHNbqoG3KA^5O%u zqLdW5y5Bs*Tk#HmK`NB2#A`?$|7h^IEeWTv-44y>_=2^|3C(n)K zn_#Cwm%E2vHEuIg`DIay1B{M%q36wqX+W{U(3TnbM-CqcqX^-}IVK8Ixn^e^=U|J+ zkT!72c*&mr{bWWKKsI#l%1pn1Vhh-IL#;i#^MDl*8*q-nHLD~=f`zT41CgO(} ze2!RXG&D8%J1^8r6(4Nqz;DYg1wMa*4kw7R1oa|TiN4s_ZD?Lza4)I*4Qh;%;94D> zDI6ut1$l%bztoadi1sTEE0+IXz=S+ZZosMfs5zZ z&`|k|X6cyxhFYot&n){4ob^qo_RWhcG1u6Wk}*!;TCgS%=OBcsICoqF&pzbE7TQ1D zKhwnvt?7<<09EYbCr)87?MQTO7>cxtK7|t6`s98XcH+Jz2X&w%8#{6PSHnCTFe2k; zUc|4`u&Gfhibd9scnP&L%<#ptE>mwLWfV(f>p*0rzv*Baw@%@zB}iDB5N$t2v>c{( z-YY2#4W-07JeK7(${*~iLFm%x%F{V3((g=f({r>OpzEBX6VL#KQuoTQB4a$T?=`DW zh13UaL<>=3E?7T_2{Xb)ajF#Ss+2t?%c9Z8Fd@@T`<{T6zpxGsx|dMWH%B=2!5P_S zoU3Q5hJV)tVs?e;tKH$vU9!iAq)RqvaIIRnN=jD)b$iZM8^8Sure{(nY*%a)$0J;C ze2+K^OGOu6?e$*+gZ`4^QfiS?vXaqgZ_#j^=3lNAF6NIKM~_GvmTO+17gX`nFZi(= zmWpxyEjQRwgY#li_?^e5$|PK^fB#*!l#R7oC<%&6)Q;8YBz7P~BosI_oEKn;AVw_T zD2Rcg5YFsrh`X$h$O22vpDhg|qea3R@W4r{XsJjf9zrMU+y&+zKG0vAnnKOgVh8Tk zFwq-Nv=Foea{XxeN{Rj|nCGa&{T56}B%Oq*lbz=0Xq961YyHO z>;fb}{^XCK?wA`GF~YbiJi-b-i6b%f0sZUFE$iv45q1;Nnfi-B4L+Kh1vG z8R*4X&boCtO7xu4ZgQO1OW9hczOtzH(R|%%Wqm51Qn{)<0!ZjOoL1n_yPM4)v%7Wj zo6UbWn)~fMDZPWYC0oP$GL<3ss^7NgF|Ve51?Mxww!)qO_36?p<(AVtJ#Cl6W1JGi 
zLC59T!BdP`cChGvCbLE}Vbl8QJ<_PrVspRDw(M~N-&8+bouIZ6>+{r<5N5KBmHBuS z3|!j!EE5jrc(=K9W7}nz7S5T<@*UoH;aKNv(K{KClY99Co4NHz>uvw+6Vu~;n!f1g z*3+kTfuB0gRBP_jo6@Ju=iU0l%2V|Dp7rj%Mo9?6$IAyDqTPk>>7w0DPmGTD^rQH1 z&o$SU_bk`z8neH4bb6j!PA7Cn*(=+gRYr%?x{v7<*{S!>11v2Sbn~59J}xzgYMy5C zZ_RIYH@A~MC%GCab?cwZ?!BkeIv30DIJIuRPp{l|xSoHN{%LgZf)sC;T7L3f3SDtq zEy~#Ofndfzb}nh2Tt3^+h3AleWb-_S=S=WlEqul${L86qdA$v#->^F3qNu3x{WEWJ zmh(z+J?Yt^zNF{dr-f*J*W0F*&1KPMB0Y@9_5Scx8*j(vB7Qir8LdO&He&QN)oOVN zTVZGR;c*i|p=wy|#rb)Uhmphju?xYCXy-W1WrZ?NbBCerv+{C$o1uNr zb_cq;0fnl8Z1O?VPb}S0AZ5qe=}-VW$e&sD$5fDWY@E|I$5Rf&1t{U==0y$}t%^F` z#7SbPoW2UAobm0F+tF|FDb{6$ti*Vl)WcIG zw5w5_k~%9wNR@{f7a(}T%lldQ`pJ|Y3~pP zB~)VETCQAZ4GQ5QdQ_KDVhS;zNOZ|x3dVWCh#1yBZoX58hz^^f823TxyiCNMem3-m}{fLeDL_=ulYgJ4G znT|Z}QJDB>k6XfI$jv229MW>;z&YmiahN&##9Cx7vKiEw{d?8^X&{wRtnK2T%?P)% zP4?&ipp*s;5BxI%>214-@0kMx>+AK|pgcYacsH|n1r-wV8Ij|_%GUdRPyc0QK{iKa zFXOcGdmaz&N-FMA09GON$h*75V-qDsHJ|9z)wpQx5Zie}Sb3{-QS60S{$FoMY?G#{ z-rqmy4A)$YG6$#~u*-Bsn~>{y3uvb<%zT9X?79L*@tphVB5{hWOl#u}0*P2iP4@Dq zgo4vGZfi-|JeUiayx9$*78_T6MXCKoA?l$C%;ud;l*>bMDEhq8tfx`dT&m#e7V4u2 zG(}JuF_z6UH2H#(XOB{BvPL+TW~t{6ArYqe=$J_H1u<8gGNq373Stfu^D7R11tNp~ zD`K)h^-Ws=N1_xJX#~w^Mrw^YD-Fqoy_0Ih0c+-v#UW%YF^^2e5ecNydi5^_dDC8E zMQ}16XuBHpIDO=sT>h!0#4#4f9=?=+<2eE3qf25)z&1#e|oIfG;ssZ<(x{6Z8-*~35qi1Wsnbimj7-vjps>_jf!05 zz<3P06X>xAiP4 zf2d0F-&B2(*;^Y0xr6!)BEd&*Cc(b2O7uDCJ44_H+BtsKlmHK&wL1Zn*vkHX`OYun zkLdm$b>_>Q&aK&cmsPRZ_WEw)>QJ*$>2>Xpq-Kimc2M)Q7^C%Aa<$btNYrDe)2M%u z<9z9Jv|!TAt&!F^S2Y~HwEpSmp~ZE6FXz~Wc&~gonxe;lIKPURSwF2qq3w8jmxJ#z z?tZ3oJK?C+*+`JGmc?nvbC_h31Lkk^GyTz{qMiNuuHe)0GiMSg$65ChF{gXe4iQb= zX`r3(x{%7`=IDM!Qj>i@o^#$lFU4^Fx}$TlrIEvYhuFsKVWO1wbeQP9MJ2cX&+Tb7 zoZI7e^PA&zrcH{;5z%S6S@*|Deg=-&kgAvAVwWk@JV8g9^Y{->-U-~%tR@eOwRrC% z84|S~7vC&Rw&v65^(ikmg?sgzuaj`rAT-mE1<+J^PzECJn@!zPC_PdjU<&6sa zO`R?kh6`M^VgA<_oUedwbw|IqokBkTtrtG)29CC)6zkhhmWqpGz0QHF1>?^exf-Y4 zeqfIB;rYig+A+HC=3Ddg#>2ALP2G=O;1lBW5Wxb{B 
z|LYn&{fZc5`0L2`Q}|2&BsUqg+eD!A!J(e$&Nwh9NWReH4$7JM+EqtE&+jGNV=$1h`R6Xpj8OB%&X9&$MFoaW|BOZ!X~?n>TU7byiK?C;E-2GL7&42N zZDyVt!zf!axyPz>6)%~qWSA#6H853?4*G#vJ=~MS#7nGIORIB~V4wy_HYaFQC>&;V zN#HUNqG%;zj+Qm*m+w@(cof>f*E{rJ8Bl(+L7a5(60{TDq{Qa4;E zCsR`4hcuCxEfsQPg+miJsUj&{fPs1p{nM=tevTP%-h^7Yj<4#QuCvfA+T2a_s0?D>k9%dmxH&Bvoyy)^DBRXBDr zGOQa)E+C$zAl`GPH8?BlgQ*Fyux31$CjUj(LMXGJ9%ZWaZG=2Jnwdml)^RhQ-6!TO zOLv``%DU_P@Z6S-t~M(!_eq6sPWFYHKf=W#tfub4;3u{VEsVf!?V=h`N73}wSqMke zy<5brH+^&TPudMl2sPiZ^}|0hvY@W=1%cUmiINIYG?X=N<#<2&2hCPqxL6OoJ`%zM zoWugStY;Yd#HQbBEzq?SECt#^6{71@9WX$6QWTio1i_5F5S`wL`#58qsKWDT;v|7? zixFoYjj%ovqKu>Y6HD$Nd2CeXYt-ttGsqnDRNO+bQT1gz&dJ~9z4Z4rGoxG&c9K)$RCgDa7w7t z@mV$Q5O2^qacjs~7Ah}NE2=x(#3@TJ&)PPu7q#W#ryF;vqHw!l7%~aqETE{6rk}9M zH}f%PdbL9{bAw0igs2Zb$l}$Yk%C!}?R!Y!Lt`}0Ks%||#P<%VCC(@K=~Y|Ob%Q@H zW|t-IQUWAAWExm&xsPi{3NJ9J-EL#|>m2Hp4R<6q^UvbTP>4=`=mfEYecw;aWyl{n zzI(OHCt>cYDF>;(Z2118&ANyJEcd*`1iYD9r@Hy zBE5LQk3|s5%Ck5AY3-4r-jk41Hr{2I$m0{lsWd2;z(-6ra+Rx1n;0e$hVUrY<+-%h z`yaAk#+oqGCBu+xma4&Y2+FDzrt^;ARN~;oSq`LhxWpHtak7ebQbq||5guuxEf3^Y zD!_#B%Ac4cY@E8);a4)+WFJad;uc_oQ71skmo{jWrkqeFZ{9&Rq&4OjGnwytms1+2 zNwCQc`ZrsiUXKXhX(EWB49Jf5=f~A5*FYz6rUrn2nY;29fTza4{No(wD^E#soR1xU z5eNl4gvmHp`0I(6^XrB>ciS-viqSA)qTY4bQZ`5yW-(WVRjs?A&lgCPti)&(q8h{I zJR%9@5N5*mr~U81)Z;)xCGm~@WchlIr2gQD=@K+Ff zePLjNC4z_@Zna*gkwY(i86=C(J`$MuBNsz9H!^F7yvmg&XIMq)0yow=H29w?mR`bu4mEJCgj-0#;~cM zGH&Z`Iv3Y-2H-u&qL8!Td$2z%e|&pN<>A7i({S2-6K5Ib{YERG>&>|l%6SvtSA%{j z`zON*c*tM3WYpq)eRvvUcl&rA%HV6s?2Jr?3u0EUA@Y3f4;@o^jS3S^jcPk@wFd-O*!w9cU^hT^irZ99$8h7X8T0+)kEPXvMIgpK{R%R**Zt@{-&4=i+QXE$*&`0n_OV61 zbxm}+;YZBKM)y;uRgBL|tTa%~+Lf1_j@N2WJ@iP-&o^6JCuVzdjV$$LS@T~YnxG{el>{v~l>N*Bc? 
zORqbnwcC;T_UMh__7*y!?KSXG>~>FKpQw4$ zYSa1rF9A{a!GE6zkk+5sG*wuW2J(#ofp+fz*I$JcNXH`YApS4)Q%-Y9$Z5>wJ7Q*C zc^GDdL^2)mm$tE9Zw+)bd<>9KW$%mB#xv_boO_LF`}&&+q)ahp1qE`9C1%?ytLMs~ zL5IwaM5SlZYWyxJP_8UAJ~yS9$uxyLfF@3uZr7CE<3V4tbQ^4)OSV84TSw+NZgTpT zD4$83x>M<2F1juWVHA(n5`d8wv|%CQu0$zHH2s^R*MN08Q~_=>uV6YIUV^JO;oJ<8 z5WR-ux*MH9AUX7Vo57U-s0U_)wGQJ~oPT<8k#SFe2++}eA@V1Xh^hRCSUpNbh_Pd~@nmJTp!9;Ft0cjQIyzIxJ@xgv5TN{0?K=F!Wj4 z)1QI@P()W9FLF|nW>Tc7k7CS6)T)$hZEK~08rl?74|S0#hS)`fX(YD@cnqfS%6--l zbzuULW|{EV&~v!|5^>r-M`(_18ZVMC9<^h1C;7ss~F!etPD!|XWX!8)sb<}3yW`vEp zig-|*7;cJq*09KRt_GTl(TU4G+~JigT(ua;#E5t;THKKVBdLpdXG|6^P}=9vVdNhz zS8GRxq0!WLdE_w!z=ijm#JXmhv%scXwEN#HdtTkRKm$ImhXYC=s=t~Aa3~p^pgW_- zoFWa|&tczs>3NX2aq9}1o z+?Mo@TvZ|@ro(s}X*<>NARHPNcBBg?9lA-bHrXDcP4bM! z*et)W3J}-5ldWP0<(2p-#l%k)Lcul^8OT-I%=6L`Pi3e?Rf#5)=g{LQ*Q%5k)%L6< zl}%ESq}L>VFP%~wIj6d+R+5d=70iPfy0ZA8k;IIn<|X8#g*z?g?;JTQirU=I*D0)y z?`L$OOsFo3RW4xmo+xrH$uhC7E!}RiBS~?e&eMt|0dsOdaeq0VRXziKF9C)U(0cy> zzXMZ13hNgciLMacrxP)<87nhr<+_z*Nty+w<+j|lD}CN<3}k$zxI^N6yh?fBWZ;1o z&FEh>k_JkJxeJ3KX(QCOkV&r)()Kv=VE(fKOQSc6>mxiN2G1r1w)O+Wu!cmvu4Bmb za}B#5@IuDRbQGL|ka$E17eJQ)TVfe*C~;^u(q8NjZQGTU9dKAlh?W_Nz(H5U+Cq_T zi@!MTf6F}L6COmNFUgFH7R;Mz0tU6Zq6u5P+Nq9{ys7~bE2ZH>`OZX(McBFHV6GGh zZX-8I?xT@mPDIx2FU6;URGpa&qYw>Kl<2$y7yO}!Z_nQCr`1}DKV7P!d z=lh>aa>~~wx$Q0dN6E+0M`*7^te-s+dAC1E9v}iDvbTH}kP_T({#+;c{Ijyw^$~Z< zfUo6rRl;8ln0-HvVyn?7!ATY~qt)fzn`&Z@@kH!;1-o8S?XcZ`6+Lg%!0~lH{R!Z? 
zlnZHp{+FSrXL{S$!N=wK`QtG2SMlaMPZ~uBG~H;W)t}uHp7I3t zG>;N7TQ;Ln8$15`pATmV1nNo|#V$S#_D)s_XG@uP_o7d61n;MPCw9!xWgRaR#;zWR z_0roqpo2*o=_O6Zvr=J1yDeR<>vL)jfYV?zG}V;9uebU7+oRML=L`8!&CTiEfymKy<+p+@y|&8oSFL6BwYGs`TJm>$ zhu#V|k5iiagsdEY7Qc_!^*qlcUo-zsR7te&aVH)7-$y>9HQS0VcleZrKle*dj)Q(Y zYV*D>cjZsR1iTj%K)DX$+ani5o{#vEy|-=dlZR#TD_I7$(d?c-zFwP&cc$I$ zS8(IjFB=55*qgV<5D_lhKKt1}N?GWAZH9%nCnwjRXYkZu{7)vkYIW$-c%HBvms#9E z=`UYJ3LpZ0kg!*u@6dMUmk4V3nf>z@CHM04>KVSy*mQD zvHHDtt?Fn7H9bv`1zi;AUK66J6svJ-ylp17Vn#sBD7X_$>caecprGw{szsr7e@H56 zL=|82h~rq=_)X11YPQzsIGm6wB$qZvNQ=J~fs|l^a&_%8IVu-W@QU^g{uzZ8DuV4; zi?QY;M?b@rS#r?sbe9tI&U=?5CCHK_M6IGn5)|Q);5`eax{&>8qE#!dWj4s(!=NE& z!L=D>vI*i?sgg4ImHjuTrzFU7WlMeoC5tqP*LRWpY}QJCqzk7;+p1w9qSY!xj=Ig! zE8rHtq4i`&-VvudNdikCMq_GC+f0XG1TUdTsu#bo)pmQTKjFM#NpUNNf$5 z>Y&XVE>Z?61IcqFC6u@1{%8v|zpzHk9w_z!i8VEzdW}WxOTqn)5|kyFQ!hzAM3Ct) zJ(h^j*sM`clhuT0Wm5%=oS95ln6mQjB7o7`mwCc2EQaZ_2zvtjK+BLtj9F3^nD!!D zaiU>6mX&Iff#ld7EBs#u zlvR^`EF(btjc-h*wkfX4?UYc+Dqwp+p_2g4o@@(^x;$cemp2<~%@UyM5>I-3tDI

hkT))$RWfZE)Ai_38Y6VA-2{-&}$m5bdJl9U@30{S!dtREp-(FK&QQ zyHcKSZbMnn2wP@VQuIB0W<-^0{ghp!gBX%hEg9#iXx|5Llou~&D499`^%^1=G>V`uhIZpxjdi5hyd)~-A%sw5pe8v)*Ezn}u2M`V ziPBs2Y7HGjgx2B5@rw$;UztXxEw^8G^Ez)xtWj%${Gi_RO^UN-NfIz99dd+)Vimoe zRu8Y-pideBq-1;U{LGLDue?+FoPXQ!6N;%mmz|~{S`WVlN)<-Ry`46zkcb= zEJXxxHsT&XoB-FHBK>hqi2lmwZS3qRTW{nXt~hloQpph!>4+lo&6ehJ$yitd3V~N& zMy;wIA$)vE1WKCqS|UAaFZnp$b_&-;+M~TXKXcZ}Fn@tS%1hqO&m3A#IZ3Sf8-Ch%$v>!TXv6*`Z6`v*g&H9YHTW>!4oB2=6%G$B!)r0wUN{ za3b9GORKyiGzJCJ%*tBkXIL)K-lSf-!_rGkruWJJA?hr<;*6Fk4Mc$8?j9hxy9EgZ zcemi~u8otR!QI{6X$bD_?(Q_&K=*Lh+`02*ulEO>^`28zyPjQqcdJRVa0+1cc~jNc zOy)nVI*HvZ)%R(t8{=C&Hw%@|MNy4g+e-JjN;}Rki;LE1GrpntCf(I;cr`t;Mh0Az zIvUrx8Oeeg3wJ0U`fgV%R@(@=kbxjoX(TtT7Z-jL<6HLKYluiR-CPHByTevxLoA*T z3s|@p&9+AqZ;D=S-9Z2L3BEd_TCSS3yQlD%>DY;__N-0QQ!7mlh9gv7v!2i)8qIM( z@O6BoM^^jk3|=ze4XNj@j8Nq zC;6U3gJZNVheZ^C^!M`&XE{!r?nK>PQf4*kDn3l95KAkaC$0UfX)O3OKp^S+N5hBK zw?N%ix1o)?3ing*nzPmqO)G9$Bu(uCT_o$xptLvQb~yeO-CHxb#&h$fEWcZUl8M%b zU^9s0LjsF__hp&Kht~VSN-oJ*V?5%v=u^g3KgdYI&}8R+G~QBp>=uMpAk)voBkhO4 zuQ)%0V>zMcWv;6+GVn2V#uNvOL$=ZecW=$S=9+wXoNg;5v5 zq4VrUwr1UCXt8Y?Xd~zkIc51?V%xF%{D(=?_m|l#9_-^>N_HA}PCl5S2Cq7JOl0kw z+rI^i9Nv@Caqjc;Bs@DflGb)+Cc&eYmK^@Q2PS(y=qX5{gMs@hn!~?+DZzL-6w-+& z=ye+NAbYg3TuECpkqKF?rX}kVJ&Tb#vIQ>|g!hJbPxD(|R_44MhMi=k0I5@iOhG+F z-3HLuL;H&Fs{RA%Xq)b{DDbZ$NAHkMD3lrM3xsaJ2b+D6zk@y-3@%Z36-<4ZMTT7M zO4x7mQ1?7V^tbdu$g#Gf)`J?@uPk~g(~~N4xJ;+}wa!4MHP<+h53w~cRkhB<1hfr% z0J&IpTh!4+?;Jn0x1q;f(d4t|;#O~*^Qu{cVvH*l`?_Ydzy!K&O1YfgXzZXPxZTQLB)kmd&KuG zS2*=*a7qa}ExWcg{IF_s7TuQE%HMA%8Z#ZSRvg5g+1KcfFGkMG=7qh};}gS!W`fWteVP~C zFIGNGa07q5L4lu%rCcB)-CJ!?tfo;Vq^>E>knSI~#W*Iv*&5~K|5RHp++rp;!*)=* zACreKZL^Vt=Vr(+aQqqDbIoR^nI|uxe`M?*LOVZ zzdvLWQ|>sT#q><|IOZzlQP>HNoT?aNLz8u4=<^wn?1mjQnI;PJ%M*IowGG3_yH>2Op zM4@ylt{&`XN}r4Tv3+0H2Dzn()Z9fKZ*%(4$DayV`_CWC19%FP*awyBxWpQw@l`3S z=o8Y_Ef(?^(HqUw`v0s1awdP06(pLMB;T5FRn4WWrJCV}RqGED)y(sb7NtU4m99!5 zIFsf_Qb1tO>5a-gy^i^ln`%vHS8>od`z3Xmm(jf=jlSOkhPpD}tyS$~M?SI#`!Wp4 z&y6^VDA%U=e!H!b;)T4#s8bAGm=EUb1E)U>t*q)-`bPb!;cnTk>PdRZ;=H6}nw*^C 
zA0^{{wwkI?hhR`gg(aj*6WKXiBB*0C(w`CAXW6sl4S10mV`LQPnDR2O>GcKmz zoIQTRB!;vwwZ(;JvYQuUn(EyION=czddJ`N^&?Yssb5P=T?wEhw-7c|P|=!(+)T`* zqBbFJdzglOY+H$V1r)D*BxD$&m1~gObGR80D_BlERx^PG!H~I-QqW4Psr{<|5s_a{ z&iw)cq~^Q?P>H7vT1I$x$;u;F27YBymHdE~i9B!Rmu{X_xoqw6d*wdk!hba>-o&a_ zx}%kiv9O{GVP3L;TLLdFhT~^j`UtguR|HsstWrLMUJx_4tS~LnL7-4_A4oa2$Hf2l zE6FGL3#*du?R^qBVx@KRzE$crk^cMX2zCN zQoZm+EH4T>Ae|0tu#zrQ_ui9vcUz^F>4w)D^-b=2&(xK1iXD}ILd=P#=lfU6oUw50 zR)fzG1w-@a00h&&NS|t>d@pLC9BI%X6E~juGTt`z|3&X*sF~cm>)Ro;@aPuMmH2S; znuAv@v>OHWg(!a3ar`U@Yc>lNhQfzK=%Db1A8!Hd2racz^ z{qcE%Gg9Ddxrpb3@=lQYX<*wE;+X@5J#g&L+1tA&mu|j*!rfP+H%`*k-NA!48&Uv1 zrk!iMU|mfpolj4m!=3|=%|uZy2dSceih~|`wI={#pKKpgH!UyU-LSkqD?Xjp9wrO$n z2CK8=c<%STm@C>sPG&e1!S``2WR09|n=SStx5YVjhCV0XZaUYlvQpZHmTx8Qlc_X2 zU59df9Xb;1g-v5O+(n+lhM1{Z=S~$j>PDgmn7X`fs;9O!PF_*S8n`>~o+jgKX3lkn zNS>leR>nM54orKTFH9U)`SG!uM3wI#cXW=A;4FYYFGK2LbNOXgKmSIN1yAq3RHej&{w{($ZE1TBm1tyDYkwgsvVZ>AO9~ zZFv=UZ;C5^f5dCyc{y=FGwgbs6%QTLxXRP4*)K}z_KBW=*aTZFA5?chvIY9Ef*gdi zz-QG^^H%^T6j}lT{EdA^%g)Y#c1JyE-vU^sj}_wvxsmL>k)MST7nfUZuTz?gSpTY4xO~M zRb=SVsGGLPvgDWKvpYqe8Qg8YQG-_Rsa9VNfl;4qiJqXSS<%|$B5Xo%iFWE-7_;6K z-UQ_W14^6KB>JrH^5wksFBtPC)GvI@ABZAMEoSFvf^gYgnG;TKy2_$NEd$x1;9x5XT%N6zF}MBF{D&MMQa<;PEfu zHm<}MXo|*6WJwOdJ%x0LZsls2O7kFZH`^#vuu42`fz^Tvxtr2xvOL0GgptY*?|_Ac zpt#lZk93toC~C>s-z4S}K!S`W|w0*C< zrzwK@s>g(~HgM-i2+vh8EtT#|FtD#NBC+9^iz?uWwqQdQA$uKByf~~zaVz7WUHPG0 zBW$cy0Ktif4d}`sIhXnmF+EjQrSJD$eP#}K!*ilp2^Pa8LAoU?mBGWzw}jE##QS-@4{gj{IaK#OK|1ts2<3QwF*BYCA8u1Y4SlWjFK~;+_|A;P@44W zBAnA=`}*&>js({HmY?0r^i%4cwR169>60;fSZ9lTOY^(fhdE_86C+aU5-b zU^k6a2}NM#l9z}@9~!;3i{ZpCagxLt@X*EO1WuEA{-UyCb+DEW_Y zphhH}W4|>cx(9MwR$p2>=EcEDsdBg#pHV!aAMOSV;$09nw4qL9N@SmlP##kj1~ z@6VgxdK5_ej8WnlDAKfrG93hETpDQ+%`wO}^k}D53KbvS(L=IKNB6L`G0>xIw~Zrh zq8O5r_X58JJX6Dy1rm_?=`px($e?{7QgQ2XX;5H)kfp$*s_6}N z9IK?e?Mdi`lWg@UoyT4;=uyH$_-2TM+jkq~#ObWP+nLN(M?m z-eI2BN9J|5TSMl4NQg!Zdv4bSkVZ(g@wJ%x?Ag`Qn{buKV$gL)w?2D3wY93ICDPE# 
z{diR?X*9JpBmfYFH0%OtMfmiOBu)z9X&2qks>4aW!4yjl&dMkKYc6lSP0RM@!wF&fv?8&8pX3+78m!!(Db?*jw2Hl=C2QW?x7t)Ejae{II$gHA2Bd z40zB->*9^=a;v(^x!+q=sd0S~$rzC)mhC4Dh(}Xs0 z{&6Q5y6{{&-RQ@|q)MxPODi}kOz$wEfqV~-x2)BnV?x6WS}Dr*<5cw~<3 zeBKDVz3duns#jgc_NzA*Yp?hoW?ue!UFJ00gag)hin5^e_KgBBhq9Xbz84=r8a{V1 zW-)#yYgZGGHNJ0sW|z8VMGiu|t4ED*_9Fc%SNwf|$MX8yiru~~*Gur6Cc9xA#$_t?v`K-EZ>m!KS*gAPrRL{^9h`5;wXSn^wJtB(Ie^7w@M6H+pZ1!^Y1W41duX z)Lk5-4+CB7t-i#FAv`p6KNtsH(LHq7@?*fk1N=hHF9rSqlC{l~KFr-(B zidcocc}0^Jv0}T^TT2F?{P&X|ZO`h4{nl`Q(s-lBZ96`zlCvYloRJMtJTPXa@#V&UID2BB>w5zaqm_F=S z+KbXmYbv1BmMnLJ{6&+Z?m~gxO)`7dt4%<9Z?&|#BFU;3RwZt3nHlGs`?s)X14Y}Q zPn9H&%vfkNI_}oS_vUKnD!$*B5%`ef%LAgZ%MA(4?D%oM1uzsu<7x)baqMX&#@$ur zYga2p$cOp1FC89`*IU&aB(0^v8a~#?rQiVu3Q~J-BZe$i61{sp5l-Xt4!`&xJG=y;3zmFy8}Z$ zV9j$@XqjmYT99DT@S_<%e&2^yX;P~Z$}eJz=en`2Hu`h#J;bftk@?w4QBled7s)1o z=>SY__uRQC(=VFIJM3D1z%@@eP?v1pt}QuJ!j(@PW?u$hFmalT^kX}~PQIXVVN4OG zHV@Nvm1e}>U_y?D$rdIqRE;H7O%nW9maE4W$dp2>^*0MWq?am6Pq7YDfkB*1QcVX& z$35qZ^XxfXpnTry< zu&MjB7~Fa1(uY?^P*0VvH$;ed1K^R2D{mNZBGRA$nu35tvf)3zf&#zig#7Ss-e72Z zCg08bvzk>kh~nkWllK?Ke0!k~mPVZOI$Z)mwLUGP#H7Nk=%76fQ|t#9m#*sA$K{Y) zIO&Pz5q6xg+I<{g@hPkhRe#}RV#;sjsN+wn0qaVH7D8LK>im0HMMmmmq4`@Zu0LwH ze(6z5XhKr&N8WGpf2j%=&S*;-FToc-cy=%18$WNu46A{E?FSE5{zU z^q91F<&-^Eu^FtKle@`e#9^i7|Ku17MHz53jk_Z=W`;bPHO9W6fv-Q>I zG_{|6Zyny?pJ|~KxUf(PHf&0cZ=#erGXPTCYL7EmhSY9A*GvC95)-8LQuN+LHhey^ zBP&S}lUi9aJY#V=zawnT@A6n6q^-Q3WCuA2+?>n4b-(V9;AnK+x9esz>7&`wt#@tp zy%4+fKRy`j{z2Q)yEttk9kcD+#nqj^THQf$EGhVD(K+UxrP|QF1(x&=z9(z5?8~~A zzj9v!pO9^NT5rxu8FXG)ug+|(-1MrW1yw8P*FM2okTzZ9b^BiG)^NV3V^~W$&>0>I zdHL^UsS2Mn0_JKwcp)cf&0Af~{X77ly|^tj)zv&TntxBF2acM0B_Sr(B2V0XnMp7?FtaH;d)PFCTyrz-Z`Z`^-AVl0n^1!rGIbBi5N z4_=EUzWb2{#Ui_t0>_AxL01*aGelmpG>YzD*19?dG};_UJZ4cU9y2YNJuMTGth)tH zhlnnnuR31VRlB~fYy2cV>LwsTeBNj}5ziK}*%G(m0rJ~Vc8u$SXo`L28N%7g)?L>0 zJ1#m-5eDxP6ceVN7*bbHfzkdgM@`Ld6=%)h%>+Q3GoED&PgnEo!da<+prJ_6rt#a$ zW9w;LIJf>e?HK@C^voi))s5Wk6+C#@61)3>2dPG@#dGJ*i% z^x3+7^N_6pi}>tk`H^ANK=+J!qN1h+DvyzCR=EIWknkp{NW4dF`3Wpk@B|uO&ipDD-jBUkdRDLhs4! 
zjb3Td_^XrZd)UtD*(Q-FSQE`CVm`I$u+W))6VMoS(yhuLvE62oQxtx0=bB=pD!_K7O$)rxvz^g-8od5IJ z=fT9!1v1U~8WmMC5`WbvqY~t(N?a2Ikw5x#s!YQsDxUZL98(;17Mn5Xpy#m=xHmc1DL zH^qVjn?BAxw$js}Vf1%{G!fEjpgJca{!Rcf_P46^{=y4(l2CcNXbdV23i9eBjtdnT z+(w-ZYm-dF7!@}nk_W*p$D-60mr&RdBW)OKY&&5gq9=S3WX=i&w3&9+N?%f_5pF-S z$st+svLLtFxgxLe1weEBn&C_Y>75(a0)0Z-5s_i!lkUpr87JLtUNtjt(#N7})nVZv zOmFgyN1`z+E?47~!L!v);+3|;`$xzZZB3|Krs4cHLOvQ?yXhEMm%>1Ef~cC3&SV~e z2t=6iRUFlDQ7$)RnY*bC#(8n0O&NQfkZV(0{4;tk@<+%+aJwW6_xr+7>C}yI%LHR~^*YLlA#ayekbs0uGaI0P@)2=U=$*minx(D}q|_ zZJ38R!?{UJc?DsX4@tS>&%D|MZs;?m<>TMhGIYW$qrcT@H0nYU(O_5ajePer_TOK< zab9$q&xNmK$5)VsT!&X#s8K@f5%g8@2p0CeHT^-Bo%;9q!8bfcFIae-_1y0fR`&nC zJ%8SjBE4`g)ALfP1|_q8REluWZn%%e=b>DvZxX{_PBRip!ud`&<-<$W?2LQ-zCoCR zMgVJk2I-f@d-iWr{PZl0n8?<#PNHRGcidcSJtx8GnLaSA@?B-4jNQi}SB9~0iU9Mn>5ln%%=e8csp zOVcv_QirLRO#=9urUG|)h*Z*eOSaH)ena!e7EjOaYo1GB8OhvX+6{mHl;I(Tcjfx#PumH6ba)T8 z^^R>n%Y1?;FJ-p>4Ql`!UQao((C2K~uAe#Hm*HpVcqHzOx5w7qt$vzs ztJEw$N9PMuKu;*r#e#6_Vg7aPGyEk){A@{pq%OH*T>%f^xyk2Y&^3AgXbaw@i@k`r z-pr^o6}-FuPl2$FZmz4pev`t6deHVA?$3@pqI>=xZfnF1fEDJJ zq-5OpXm6JC{@1LB_T8=M_nABNM-6064>FZ9Cmad2L{Me)7jtx;xzA}lhgLxd=q+51 zOCEFfp)Btp&%_s#$!zwPS_lERYFfT$}~TQ|$dYP<9(4xAtg8V>DT{-nHNf~U4jHtS`vrcW`w zmB?nCzv;CF1->BZm~TgM5Id|9VtP|yxOsDZDDt^;WjCS-_?*;uq+_pJHJqnlmhP)f zOkh_Qe~+wK`r!GQ!J`b$?nb9NWh9EJZHo#+ss6axG+GI6Dxj5^EcO>;oB2~Q^z#DU)3Td+AxzUloF~F#HvX!{FdF}^?^AAH)d6*pap)6)d9M{`yJ~cwtVl~ ze)~G#@3dFSjCLB?&(O__huwS)QiL+zDGG4Ix97!zC^qNv%*i`cOxQ>TX(o%&V zuK)IZSSPRbd4gL60@Ia+$}{#bdFMhZ|uYbBWIKJ&lAHXTo zZ_JwfUVWtMXR-WkMk}riQCeQ?^i2})0L;&u3bu00NAr^GowJQ|I>inkkY7^)yyvGDqvF#1)l**@`a0GYP!K*m?PB!*TPQP*`b>8xZ< z!$9QXe<&a$$^-QZqCl=#XL|h9gJOFg+UC$*-YxuoTho3$Kp{u#&JRp-_fPF2=Qz1L zcskIDlKfAQ59W{|umj5CI9#q^e3ElQu@d)5f9@ico*FH$*4i--c$&29%akV~ z*Lts4W0qu(IXBG=SC3?mWY}Ux*aPh7?_Fd_@LK}Z6as<-i#0GK@9~QHE`lB4Gn>!* zw!jx>Eq2nE0$1yi4!Y3ahLC*-*?bE=u}cqi_?vCgV^>$-0z<>thdvxbex}DkdlrX> zi6)LEVArnGrWwn*VNC43>al{NhW}q4c3Bpbs&yF>zlXFZf^Yzq2zcd=t%UTow=`~U-=yrLilwX8i 
zD;NT$5i~lDR;V+MG?rRTZ7xz|E5W;ChJT^2uU-1xJzce{9A_e}DtX715?8gC@kIMM z{*V#V39@bu!P~}$mNOtk!hH^lU4E!-uLR%~DtsXIa`ieGi{|@OA3o)MT{ROJ33zOG zQFxmXibhEhv58!zzN&PcIX&B~L-ZsX%V}Fkf@gYkK1iE5GHkEo^u-q3)}IuR`ON<) z_*PXix#s45>fz8~dLypk@3i2-{kEygV<*i0kE`v%ea(!eoyrb$M4R1ek~MH2KDSoc z-eclG+6eXFcTjWDB z>*%wh7$0lOmhK$OcAis?I2*jWX4z)U3$><#cNv%}QB2M@|)8 zY5P$*731Dd*XQzM+9;9Z%dN%pJ(8I=Xtx#8~X-}GnTl&d! zw?L=NtGH$DC<*tL=ZzJ{X(ZwH{IaTIQoSEIOv=(ri`XjJ*8Csq)$_E(-vKV?Q4O6! zqN2jFKQiINQ3^0H_y`{*4;qD|%islhQ%n#ngqzRD2ivb{$~r0qChEDLQ@w+~mq}A_218?VPu+`6mw~z8;Mx>e{}`1d zHQi?y_-ON!;zr)%6LTaOqsPcv@uJ)lwOirFT_!rS%S<5uM7Z34afK%(6c1>e$)1Vw z(aPgHlgrGW_*$9lqT??^isAH!yh0(F-Zj_BjX3SE?O=nv6;hGUgoZNK3k~8n`Le_{ zdkKX`0pg0iTX|GkD|gaMLIir4&RmswMYMAP!jg@$NJ$BB`b78BBz{L8DIR`qQoU>@ z>6lmh_vYYiZX(kkM5qaQ{4%9FUnBIZE8WG;md-ZL55c zDiLqvn~cTiUQl=pv-V+y1f6xWQ8($;Obp;bFGX_j4fRalEOy@KxM%O+{Y+?I1tyBK z@j?XG_ahZgkx*`qvbtU_IaEZN`Hu;IDixz%Z40#Mcr3$hthwZ4diCU*!CnQKDGR7c zbH%_-^lwpAH5U0miBk&4V>6csuJh7rZN$z%`9HoCJyOc*b&<_qG}h4dPGu1DlhWb{ z?`62YewG1i(X5~jf2J>7@Hr6F`to8vTiG<`O+UC|q#RXT#i?T5AOAI$A!z8-ZeS;$ zlBAel0+sbgbhWme3~oey{7AZT5SHtTyjRS$LkKgw`UZAL-Ln%zbQnIH%#<_BlsB9FIL+j)3!+$mC%j)@Lo9+NA7^xxUqQcK^D-oXz6ir(xoK9l(K@tBHp z`t@|=Oo;z}ekkgA<%I&?j*!Zr4`>k3z&rq{Dwk>X&=kGcPN%}GpLjI=KKY9&MrWw_ z#H`jOrAe4cUm;gr1W7r!q+`CkwWB>;%0Fi90waB+g-k1K{yj!4gGL&xcA*#h+$c{}HRm-U^F=I7NOMCd zU4?>k{phfNjTxsjPjy10M$*_te7do0rN+^X@3e$in?m%N{d|?wPfX`~`%NMk$IKv! z4^rX9i`8>|xF<=Ca^*3uoQ3^&X9^4^iuL_UbIbAQM}$$>AOjVRF@o;dNq#N@M*-Jr z`o&)N>|vuOU*1Z(K=K=dG<>(hzoSH0Dk`7)bLgGqaH7-kb`mkM_b?2^8C<+XT{Ji? 
ze*9PNx^wgJvkkt!!KXz+{Rl4hATFt12hZ|mbRy%gKRcVA@Y-?&Z(ulGd%Gnp>vO6ryX8C7HOB0Q3h(f4bLKw!9XbK=-bU$8F{ls(Ue2bx zPygc9YCO-Qd$TKn+)wnkLwzyt#7%}p{he%gGvKVw%Y_SUM`8VrNtw%1$785X3wS#) z%Xw>aCvPY3E=~7jy$;}c(s5PuJfD+%$^@Esemv2g?3U-X%Y5t8e|2$K5Yaj;-fVcO z5{8D2dXRRy8B%&ndYLUvOg&#-b`xHB+%X+mU!VbghQ3*J2X3z3RSb!^tmVPK-5g%Z zELGO7E}nJPJ;Zi*E#CXXgF!wXdaTe^h-E|cWK7C>g1)%r#7ofYkTv8mVDoY#`hg$Z z;!$O%??DM!u0Gnh&8XP4*KfFp)Q!pEe}OF7OjFhPX$gAS+#Fc)Jh2zj<6IV_)UXi$5^g!&SpqJ-6*Y|PjG*xgh_r4lxj&DQh1INkb2se7oL!v0T0vy- zs&_gY_C@isI+iXg+QX+rYJ3iaUPWd7Yx_nu9mKQmgE#!&cKENzo)2r7y{$I|d`SIH z(nVT+mLbTG?-gcd9BIw?PT0?%NfMT@>9L_mK-cu~%%Gqi>q3cIQ5; z92X7t{^x(!KSO3m5;Wr(eC;k69-dA%Xlt6zrxdhU+D%vXnpba5xF)@Q-3~7B796rV z*AQ!xXm_2%JN-$inOt5mmYmPdpBx6EQXpu)CNw$~1Z64m!-ZOPbWZs%oOVl_@M$}e zi`z3k&x<`xbqhj|7>-36ma>?b5o8oh3xKr{6XqzWT{zN1QR@*IinJcP~urdrE&6YcLm1CJuw{@aGO2D5?!(Cy*d1L z?>jB1H7FK{P>K_0>ClLfna$}3hY^Qr!w?7*ex9;AgsUfpSFCeZ1gFO&pwtq;c-vU7 z`IlfcN_nB$31r1D$%vkKGZW!5(c8t?4V-C;F1dsw%1X*53@aJX(3iI{HX{XpC9Dh3$<)9o?ZZT{0)fklpy=@5LEfpU<`SFz`%>RX2( zp@XwFDlg&G3tO|JTaZVbu@zV@6{s5yWLsm(Y+^G0YwS( zlt`Xj#$?VHO=ebH@XT%C+bACutF?rL7iY}hFw<+}e2=C;dR(ynL?1>vk%#lwLSr~K z&Qh44^5`6lbuxvXp+?OjDir+_+ifiE5Z!{X`l`0n9nBR0u6f(D15`T|1o+4!RE0#3 zt2p{SWt8GC8*BYauY}renAO6}mw7b~iWHu=ekc6t1Kw49A0b}ND`n|#W67rrCH~AT zvtsb9jP*SMN}nSWt;%UN8JOs6w@WvO4mWmrFI0%LP1%I2ES@n8!nGo}E7L0t%AeV=+hpXhJV3qGRO4@&pwmr6>RANP{cDj*^F8qt`6Lv701r>?4w zE%9|IxdW*1I>v=k^nnf1^x53(VVVU^VqZX%R4J(#A;?76=N3rTB*`VAe}Ymt3(?SA zdvRnbSorBWLlnp%-Kz0B$*iNU?M$Z4CFM;r zny!A2q#ztI|I9p&3Y%I#_#w6ScCs?#o?&CgcA)qzh`$%^_bAaqvB~{UovK*cPX)_a ziRi6y3H?s#)X&Asvy|U|{PL8DE>HVMuzuYY~vdO708gT53(+tJyzpUmHV*jcpow4k%(mI4x} za7bj*2ZP9N*Dm~rsqiiU`{hgLtuxeZ8&}q(&8;swFB2q7!sneA!mY+>uS*(!KC@bW z4o^`n9+~syio)RIJk2cMwaAq%w>gFz^=I_47v6X36=)6}K3irA zc9w&NKn9QX%O#(S$9vT)K?_i{;dPA8*>AHhkICZ59$k@^heOB(06ft5qUSlOn<1fC zRlnfwlMY|GvYevCy+ZHido@i0b%pL84}$z%CJi;Wr+BS1K$~Ykw}TTjTiI`XO9!=!#As(0wfkP_oo$WQh=R_&A{Wz3CdYF&V~Ex>nY;VxgOw_ zMYl7=*KT8+XiRQ)s@mz_6%Qidp4~OCb?4dR@GhZc^RawA=4gF!&3w=1LFeYEqk4Di 
znY4DKU;~HQzk(I2S<+JPAjZ-OJmLmH9M2_L;7YpN1u#pZ2A|I=-+Cslwp^xH-?o2K zar@r($;Uk3)Zvl&x;{)&Lnoe~mJle~3)<}s*x_mY+2Q>dGD0}+WF<}*QlK1hnD7ZG z*7^ABB{lD?@G%e|s3sRm-tfjp`9f1{TJ%1DwJ>@u>7Sur85I+%!P_tO^+v8espihY z{_U=e{v~S#w;-R_UGmzN>L-s4=UyC}jpKo&rrRufmTai1lw6?iq-1E`ArcOZM#Mq; zwrgwkdSt|$a5aytScl_6him-_CxPcF{l6Jwg zyvGMlG7iz^9IIs6J>hhg(a#dHAE%aefExjHrDpA&(^0+aAF<7K+Z9wMg62yZV7b&{ z-TEfNRB$UOLxrVN=(C!45_O4JYWOW-i$M8G1GUxMrNKB3f{wk$EkVtC-RUK?KVW*0 zzEoqHewW8e$$a{}ID*TlmM6w=WE%9KHIDA4wVU2rSqz^3DEDlZC<-2S)v|Um#`<=O z0eya@)ji4*o86IsBSc}4=#J%;k^C7rr$UI?A(_C*ufKRwT03_U9UZh~1S-C)pvyT? z>%&GtEGlG0isCd~OJiAd~H z%YR2J5U;>&saTt@QC=vkkEs}OEifjjaGipl6dxQQ1<*e1wcw!$E5#n zYy$8y^>R9kOLl$*;W$fjN(qFl07{); z_sTbe{2j*X@J5x260RnaS0&D`MVnZ4oyF~x(u)1i0wLkQzB)L1Q@Gmd7q)4%Qv^O& zt4@GSHI+_(s~KOEu3d2t(C|#cH2(=Tud9r%K%6)CVlLlStMo2V*c!LyWaMr*z&4HZ z)O0`-4PBt6P-f((njBvto+DTYL~x+-o@>jZwY|PADo&=)+%$c-LJ*CuKz0U=?T?ho#*5-C4(Z=t?2$*AY-#PbIn=Nw`HsF zxD{zb^xOoFkS!+z4*w@z_3z#&<9BbA?SH*dQ)gTJY>zpQWTws9srMguA*W;o?Va=6c>vQ$i(@De_+0gfv zQ~?_Mi;mdy+ov8LvgW2bqh}kb36UM}Mh@T!Oa}DaB(0f@j1hj!BzfNuIZi?Kwqvnr zcuVmEK-fAy^4y3lx4Rv!lmKiRK*CQKv6rhSi2~3@N&mVMW`ptk2GDy?a<=H7fZ-;1 zm1$9D={_0oNQ!=L2To{E^g3Sk+SOe$kI{MryWGw`lw>~i7*w>d@LIJ1a~7_$Tl$)= zfNw*p+0T6f4t8(h<6~Uohsq1(^nk+8y|kirJ(S*ow_jG1{}F}T`fUPhQi;}GXL@=}lOCVo z7sIm!g4$m4%#N!3B^R|!Ko$O=OVnLIsTx22TC4X6WzamTh42F3*+2i&Op6pRd6Cx= z8{3A#CQ!vtQ;wjy!*2Ojb{mAFgv9ILK?S5=61DxN7iV$9%<-8e?r>)f>RT`$5&OEo z`M9a=0F~NW1J#{DT<`NdJ`veM?uiy?bKxg-p$BLW(0iO60YwQg_mA_cq}UVSy_g@M zy3q|3lYk1jkdE!V9y?mPo|5-%wGG!nlW8_ zr(2n|{jblUrOv0(31LCV_0{Dg(V=3j$n$2;RnlX9=#j_s&i`#ML$#rz6t0)AIZ&nd zJ33*K%KM7pNJMqSvV^)Dc1+s>eDZc=_`Z)YZ72lY!88*Ur3@A~-O|>AmN7;_S=Y}g zRJok74}${7ZPat^yrVl8h_5fcFZMNGq9MDK%4tdbJ?&CeTBQr(XsU}lh)@dT;S58x zoM)t{>a|r>V|NQUX^dc1Sd$C9PU7sDeMW~x!jDOsLjg)nSDsnux9e5!OV;E3Bjz9O z;T$`FFEY}Ftq`6jq`8}?PE7h#%6txYVS6EkbsYya3PzzrABmlf-HhvzKDNo|4NZx ziTJobW&&>7x;)IQ&Hb|pm}d6;Vi|r1jve(EC-;E0qDg=F7o8c6NM=h}ieC&!eYe5n znLX@>S0bUN(J-sft5Eef8s4#Dx846g0Fyv$zo@cT6Vtw4z~eEtR_C=K)#n7?(ady< 
zt1+Gm_yJ7{dauQj%-ENGW(1i+I_vusm2^!o*BK>?9^35{`$I($u`bxG=}DqHP|KAV zjR>9%UClu9}n7GzCpGq zuTJs|Hx_a>+yly@jx?x(j#mUz)0G$;5A3>~$-;=*8rQ89=JoYftSReIES>-rCJ`v? zIH#AyTu00i-~b@)p;@fcBd!vFWRWLKHs0z~RUz(y=71qNIv+M#a58NO_(bE1(5T?y zox$3N-$wNAs|&KE-0~z*eN*$Yb?i$MuX&PNZ%U-rz3d8S9tsQis;UJH2Hmhf7 zQ`IaX>2*elLdD5DDxvo90%`{>QOV|kuF(^^Eo9_Fwv3L4buU?F`^^kI*(EEZW%*Iu z8jZm+8_TrE<35Dt9kw*K$e>c-Lai*ofL;-6A}N&XC|>LfgjXq66Rw|kW3+7(-F#Ng z)$mLv6Nhu-Y+R=ME{mi>CM_o1fQcD-7^s4|0@^g~lu>KpX1OZ26B(;m?GMtKe!~mP zP?$(|HQK;abyTH!OM*wWie;zSDi>y}o(7P08OxC@EmLhqD)C66o{1H5Ay&tmMl6#@ zHMVajr7_GTC9I)kD>;>q6R}3*fVm=%v|T{z^y;mcMuZ6X4gVR59Qu9z-}G!!|sXAtH43{}7M4|yfw=Fy4 z>7Y}Tomj@mfR2OnNQ}%mKojkT8biS)TZ6M;&qxVYj6kEEu9whle@yZ% zN(+0AKVrZVDFtKP9%ng+C4rJV3`JY0RBV#1OI`30sIGnpd<(p zMB>Nxe>?N&^a&U2e8HZB2kiQK=}(Wp_MW}Y`QnTnX6-iLLRar$9JJiYN4$N(HZxCH z`l;#Mt+%|kQH?0tc%xM>(h4!eQd>P-nxP)N=x}9uv3ssO@mzD2KfHMDp0S0i(_h~GzTbc9UL0Jq)rQX=xY3O> zrT2DNanaOH`8Ds5FJ57;ZQo_Uh-*m1^p#v8@^N**k8rx#C?T&cyy6B1b>7DJn z#)*9o-E3h&IqZ+0d^~fw+$Y}cA5^X`?fK-a6Ti54S^A-k_E@<7*XgfaeLQ{2X6rq1 z%p!M9J7ijPjJ2LgJa+%4`@Zwxv7af~J3s$?4f*JG4_@2ejum_EX@ADyWmm^Gf-jtZ zsn<7Hc=gS9zrA@`9oD(|@_FCh^ZvI7d!8P{D)2rAR{0B>iAEN zE`g#oc`&6rKfL}Y_g(XUewF+OldKLRSu&WT&;;T| zMQ9|Gs|4+(!zZlbD8rqb~Y-h_Y@ z-p_^Ep)(0COjgB)xT;V^FV(FGVFj#N6}!YnWyUR3i5goLnPQ*}OPxu89Wi2z>yA=D zTJOSymTBcmRsu^SX0d^f5k}NhP;#Y&lF1tm)mC}Ap>uT42EArIHPCZNTQ9eoehy9n z0wWQ0-G&X27&1msbt6}o&72b8T#AB>=qF^a8_?a*P{uDfhD){B`zM+&?UrP8s9Z>f@5R*;aS zmW{_q*8oJGmTIH84zp>goak3PG1*C@gGvt6txOf*g&VRj?Zp(ubE z-9R8Spn#FtqIyh6;YV?UN5ysl>9AI#9WjMK?4Y>>Wc3sbj5i!Z>NkbTFqx?hnqZrX zw~!29QEh-53Wd5iEXFN~ucEkLqD?3($UlYu@Uva)=B>*jy> zPi{`;|A<1R)Q$o*LuLWd#R^Ebq<3RPRkrntS&GFZ(n|(BU!??kU?<$6ozGB4WibNx%Zw^9OMr!VO?FMA+O}ATkDF)~@`P9>8!*V*?Z?jAl!;+(BENg{ud$O0^O1!`{3z%B7C?oD+UZ-5N z0=kKI?Q#hXM!6xF%O*Ua+(LA5P_fDi!HaspvvG}Ujf+LP3>HiAZm~w{LvqMfOde{c zK|Rz1xLb80P%6gqGN(g8J6oz$QABHJhpDL5q)1k7b)0_7D@uiw9gA`T#0=Acs8y&z zKO%8R27Q;72(PLnn&?;oMAXcwDY!ZWjH-wBw za1DcKU`$vIndFck*;F#q!6Z~o1C3sxjTj8wuNL4KRA(Th$$E*nla0g4I+jZfd_8Yr 
zW;%}t{b7{R;}ly_YD#Pf7ODb|m4ODBq{(X7ic>+iT=t#fm>u9I(NCJ$LR~Dwda6V= zqjWkyC^TcSPGU@%9nJ3)nrItpcl89Io48o;6tti21W3g$!eU!&!-iR5xVmcdI zdaBVFR-p>rvYG|UwZe9ZNw&KC?7-dSO%eO3~Z zk6yRHj?zI}zkmPsXPoCxUn%=gupPhr_#}J#(+?LHKm7B{{5u{pmF3r7?awP7yx>Zo ziOZH- z`R%0--*oI=_k=sOR^9pNJ-1(XldX4|f8K|0SaA8^uFsCXWaXJl9TGmd%sxx)_WK8K zSp3BgR@nbJeLL_kvu3OUg2-A8!)2eB*@?vfcCfg`Z1*O3Y7UVUVhGp=rJvD4aXZFl#*yZ-)`MWQd3*@UNFdS=tbf>mGo z;;tR28Ltoz^bXyITJ^T)Z+@u89dORSiU0iefpZ_6$C~-fof1H<}Cc`OMkih zmB)_1{I|(1c2M_!CAIS*%4vA}uJvDjV#_=Czx#n|d-cD3Fn|sMOsqQX#vR~eiZ`^+Sn#6#J4BX$lzXtU)q!8`dK|lld(8_E?5*E_-$m1JTzuLe z=fC{(Yf3LIlYQ#B>sH+3+HDtK)K=)NSJ79z_B?N$#MUqU>G36Zn(^%2d)=L_K78D| zl|v3x_DAM-{s3+8^sINka4N?i^YB(@ZT;y=l5`Dy@94f|gtI=oY>8D*yq;Kv{Al-G z@1MT!KXX~L(uVnkw-J(w(ij_ZFqbHaaU6LOHOBu2E*K@A@p06J&}P(=H+WIA5WYDvp8 z+T#+|&$X+GLg<@dt&Qt+1~p|fkKvX!BBf%8#jSLh^oIFz0E8tgBQPD8>Kmn!Du=xk z#tg^RsyFr>E<`e&4y~5jm0}`~(ZvLt?RjBul*4>JmMz%2s{x~`oAgZ>t2O#)mmmUT zSm-fYS{-#uKA9`zm>kqA%1|X9gep3T?vhzmu^1{6YF$w5ay&q!5f9C0DX^w?V=YPw z!ErU-^WBEn0egHPi?RhphTisUo%8}xF6%JkTEZw3w)D{GVnEkZ8n7--!e~NFw6aD{ z5p}3wq0NcaQK`hZWDIgO-7-cQ*h(AmTBd8sE*SU1$!>)Kl?Fz}c=*%!5ARD!gx70^ zC~7%^rL+NCOPSe-$Gt2VhB{#sx+)>#YTj*8ssJ+n5Yg(DMp>w~NLU8Mf)63>!hr3U zTB9KDxpCJws3Nb$5h>A?@I=)e#Vegk-D-NnQYGL=b+9Ng1T-pl8tqXC;67V|#|f&- zs*R4;ZfMmElS_jwTFVTSx;qv*zRhzbkuJyEeFgP{PPygTWp2ouDXk<4fSM^bAa#hv zimK4^JtAHYV*{fV$do$n<%ki(HVC`VI#}T2;~K0ZMbK8#Nri(z(^I-bpqPnc1IF$^ z^-jN5rL zo0nqUF0D8ul`Q4BpH%ha({GJO*w}`I0-rb1Xp^($$RwKa zO3iaR4Z#9H+^f_Dt^zSpD;CxIbXZo^iSvyhS9eErCt*iP9P_{;gjYqaXRA4*hh-A_ z$Q?HvECPXalZ2V3GGZ+_PxS#nkVucC2)ht(!wF^U|fp#HO>=jGdj+1JdDu`Bw zS|MVtQnnY_cQtyMulMhl5=gqQ zrErj!uymy~^h7Q{sEx>>D`p#1HDJjp^fQHirqIt6`k6vMQ|RZvUl8>FdHc5?z<-c$ z@t>*u-_Il9ZquFxcbn(-Z}`uq@<&gPPW~4EIqql0CouNa@EkCaz~RLD6NOmyYkacY zck`eB-TnE&A&Ep+SvJEhnJt+dC4W; zI{d@iSD*K&%^uinuT!#j?Ua6M!Fe`4fG%F)`n?TK;vd|>Cx%Nb@Zxg&-g5aqdFrfd zQp=Cun{~nl^PhBHLB0ETr>^kZnT==HHGjL&yz#@3#piB5NUrq3h0Qk)O;6kJp~Dw? 
zI=;&qJ8X0An(`CO-bXJnA9a^{BlrdH**nX`j6G#Cz|pzsE5%tKJol?RLn^-a_PO ztKF`?e&~F!zJV@r@h)E+re6i0@%A~3ZM^#}@?$q`HvKW;VDjN`i)Y60hST3aZ}s1K z%008RBUWDgYtX}h)IWe8yu;8(2(sHeSU>|+Ux8S zJ$|?I&MVtyjyYqCXYYPw1Es#rwfjx0Tz$YRFQO|o4*kn+wMQ3w=;<3r-K$oZ{!n}E z$5VUUbj8CL?epeR-kIbYkBJPtKah87dyTh+|b-n66_bZ-(;C>reA3;`rCDnzb{`NBK<#03^P`p!dMduEq6Kc8{@8@HaY z^&iguYyMs5nghD63qQDF%j4hK<+i<~$^{SJx$e#j?6e?jzp?h*{4M)#e$79%|F8W2 z|6Ba?1NhIk=l_6H{Xc&e`Bwq$cy>b?FZaI!TECEJDERmCANm&=&`L@Nks=b5q7F8R zJ!c1Tx|r&G6T}t2hyNgx6`&PbVUS6XI-0z|SfXV}Qr+2KL;vWIaFqQT-v~5Skadm)zk1PPN~x74sNS`~W^wY1%Ivpb zm9WYChD3{;>_K%bjXU9FDb25!DT*v;2eW(2=w-E|l_xJW31;Qu|K5XiI+gxbzdz>x zCZh;)_V=k)_N&B{rQmJGZB|S1a>X>8o($(ZKpZA(1)s67T+~$2#3;d+AVKbP4Jv^W zlgJqv*yU`Yozd*5WC*AVw_VAi72It`hR)U}@hCOwfT+T9rmU5;dc9K|*J62W*a)>o zCC|}R-!D;!of2TRpmkY3Zjktp4Zy(ZO1_jH02CC*+v#SPW9R_vi&WK+z?SL6z`96| zbdL{MXqZ*|{f<`6u&`Q-*{tg*sGoABs$fSp5QMG|wI@H>tWc&y&MT4sbte!B~zni~^9Af(4yquj8eq}A(;(n%sN(2Yc|ZWVKa zodD|u*G-5yEAAHdo~1h3xGPB9GXm~+;E~$3Yq^p`S?}9%A^#M zo}HZh$Mga<`Z~QZF|j%@yRA;SI0-Bf3{3~RHL%JxkQg?qDptpJo{RS+8n4C1VFWi> zo*$O&q2UZu&2gp7XEOCFFe>nxDqtx^EcS_dlrKn}UkLK;Oimf6O}g)uxq_vu-N^|C zCQ?gi!?+#9eGY01a^7#I05>HE#31MNTG_0g;s!-^fT0aGD|i+bQy7IC4kWz7p|Pw; z;(QR%O2TZlbFo&69d|Ii4kU3}Z{c{kl#J_!-l5||$0SY*x;>VIv zYS{3C?<H!SL#Z;UE=MX`t1Qs7Q1w{j43i*{E-{X*q$!Q@Cb}UcBCf;$fjGfd!`< zuzs=UbYt;xO7FDUai*HdMJT}IU9mKPvb|DN#qtuzo z7k-r+l;{%lz3hknMdl0V^s4!W{UCGVW?S`irk9`@7OPW$48@69s%cb(lw9vJN-di< zDBI2$!z{tmw2S8|zm9i7K%Q;f<4EyxumsZoirf z8o|iU(0Qpuno`=&fKIytHagt`pKp7Gb{;axuHw;(R2!3hfN!(#2plp2)gEVxa!uFr z`3e!{d6dSwdWxXCt+7!MvU#Yc$!KnXXpYbjhQ=7LiZv{Pf!rXBGDfHEedA^!bX1|g z$IUWd9cP1Y6)16{G2dOflVyC7?DG^Y&t^Gsbn>s5icx$SYfr9P>+fv=GbgrC0Be;D zsL$^A1}FW0;>>ll+pERlOk&&!$E|*{f+498P*ZXw_UuYC*%JuO=@^NmjTG}Wk5==2 zEtaediE?5n*gdX+!(J*zq~&5s!R^4w6+2@n2Be`uHylbrmI6C!w+;6_wu9E(QaQ{K z8M+lDRizzjt$`JY)hv_Nv!b3=t!_5175k{j_JLyA?VJL~`F8z}{2H{=f4=?)1(SGUq8UWuU)TR6z<;R!fqwz@KPU_*2?$Bz$d9c5 zxqA6CUmZMr_C>cpw8ZbOz2;o-_cz{r<*Zd!eEk+;*-s9>c)<@|-xAt?{v~d{b?14e 
zoxkvWXKiuoqo*zV`=uT`aH-GVKKG&bw|{qmcUD=mdCMN#UHf=2&ztA&vg~Jv`y0*> zK7M1r*VfkR@@s-XMA544e-9tBaKRxj2Wln4!ef!ez$<;SD zpZAnCu7>{D$gX_m9s4G>x^VL^Z+&Z#^LO~`U3(w19x(4==PWvcPFw%RE!YKKS>qG< zFCQHD>Xzq54{v>4vV0h{?|XN9bM0_ExZ-62wd~-;=k*J=-QwR=|D&vW{Y#s)AK8wa zPh9Px1D`nJ?$v=6ce#G94Yid&eE+JoSN`&W&iYq-M+bxclZ0pI&yS zT~B@d$nuvPiEnJW-Y2^}zUMP9x2v1#w`oPWd#G~POMl+|g^Lz@^qI9Uy717(S+9Tm zz&x!5qGyZ~UOxS98TYz7own9;m!G}RpYw+takM1M{NA8+(YqHNH}?VZt`By$9c(lI zI!ENQFD;7QYJXC=WRaa-T0Q;X1)o2%)U)n8^DcVeUAG*2sJq1qM>{Ha|8AdIi;Q!} zow4L*dmPg~JHORC_soCBkxT7_?!3o~b5p{tx`^{%=$B-+mtXG4(%1!!AU>y7@m* zPLVOmDnX*ffIqPQ2LZ(I?EjYe_0|8#lR&nLOyY4cN7v`D{wE^mr2Yq%%33qXl_&=7 z;02DgfvDM}vkg@4R)>Qu!bU^REVyEjsSjescHP!1={%E1?UG!sXHbvma4MwweohG> zC9RJKE}+<>>X7c6*?gD`N!iFLIYgpHP){yl#4w7RsZ=7Q6D3DV=wL^Z#Q_TOft?I( z-8JjO9DqAG)AWNO?2ovpoOJRvHwBBD)j}Cf7D`}2sCm@5?ZhhGv>q$u!=f7}B8QAO z39I7C z*^a4|bf8iYf8zWf(xs$~8pINk=R37#(rq;cqBFLXrcV^=xD_+3ZXeR?RfB0lj3P5U zp~QNFtUO8>H8>8K4xSqkp4zA(ExB%*C|pg4x!N!YCy{I-r`M>CPxVI@Luzp+!K?fz zRwf!f$}Q0B{CJ-6A~p8PgdXV3!a<+U;{)r7thBv?9~375nWp3K*TRl#=1Vu=*p^02@?DWNKOFr_}%CW+V1-?(bZztf={DDsT8} zuK$^n>*j9^XioaSWyY?paDgb-`v5uOim4*Z7x-SM5yX{Nvlux^Q&W+C1&JvtS`w;# zA;lN7NGy*Bm1?(A&&Rtlx9rxnj9&-TQL562AsEUUR8`N)39cM=@_i;#91QRz$QPU# zmxD5uI?@}C!&p~DsfwG_tVX(k`bw`2SiO2etI9A%A-ou)Rcw%?1jlYw39P2~?4*|) z*AkN3MyWUk+M+FmTVt{ z`Y<3u1=5rn>9E@@3|zXZkLYnD?b%#uh;!9Svmc51G?(k=n;2J}c-=;q!ZMi1PPE^s zrm_RT>Q1a^BwIg!a51E*2f^IEH}=^ZR!m1305NkSiKNxP{^h@MF1dM}t0s+w<$$xgc zbe}(kmwt99^vZ89+w9FNh%e($EkD|rpLXn()81~MxXmnT|K*z>P5Ug?JgU8&eBxpI z?XJJ~6nf;$FP3;}`1Cc`hl~E<@ipG-rukXGO6Dii*Vx?pP5IjOPd{#%dlubg*Xyo( zcGl9!d#h}7O?v*|!SelcKR;J}sRM4`{iEd%E`7YWy2%6batqK~?)=z>Z~4sC3vW;V zuKe;`n;gH-YRzXC_{;6}1s_{nz2hKn<~qrx9=YM*>r&cZPp$5Am9+yi>#e;HS!Az! 
z*4Y2fCC|F;N#^aQbimQlx~1W)i)PkuzqNN?>Z;EW0-9@;UH1RvCHS?``*&X`?QzpF z+g9$@w?5?BEiZlb4r$l%UvA%WopTQSa@Sbv-^73B-^K47^{NQJr=9isGRnQl1s*+R z*AEWg@r`qiDKDaKeD%?PS$~1k)~~%xmKS;IrA;>7;raPaSs31Ix6;S+BiG3%uJXMTCcO~T_3-S_@@jh$BBG4tjf=U%_Wc}rz) z`Dli6@o{rKy8d}@qHizpn_>OE8Gk)uft7EMjnBV$iB0s+4(?pU>^c9XpWb=novZEs z;F(7}KVSd1du{XDrRGrG@VDzezMOXFZ8tukZ4UHLSbgc2_7Cp(c(mL>`*#nq>~rXc zpPRx|F`Ie$D@;QRMDA+<|KqHqKAb_t=0x` zEk!zdQnri9oCoWp5w0NaP%rpqv*4uq^;|>9CQwao)mw=ik;8KB$zf79tX4fPmDV#r zxjQkwu_rd;ZoU-eOMaPT2qrJ)8j>3;T1>9dBzqJW>3o$8QJraWISn$DR9m(S@~{B| zkf(-$L=-VnV%i;PTyGCX0ULUqYPLfrIu%kaf}1z0dCPpNniU+ERAqC(^wj7!V)y5KNj-PfA6p^;B}ek+i%pg+;gOfGPM zZafEdT&^W})<_woy%FBfjNW9sVoE<`+^82H)gT2A+T#dHV{$Dv9>%@8R`J+D6OX6z zz~uDeKaKye2s%;Ov6H4;RG}pqOSS399#$MiE6_=#ib*)66-Njf)zp|Z9Ocu)f@#4$ zxtAfvjtjW1Xcf?Qln?r#%$i)QDL@7Wn@9~W1f8^&78~hNl4hM|DuE01AjlSp8WY;N z3W`RyrU6m~FDHFIhZI;SUX?=Mjc0PUM;GdKwXbtR+sY?8;4or@BCY5(3$G{HM2{?o zsj=*nRRxHt#i$JT;*GpqNy!*OaDl}RMO$dva7pNrtrQ)j%A*3G=OcGm!@XL=O?BBM zs}{x(h~q$mA134JIPE}eKNImj1J->?%?WMOo9Ig}PUC2&SgT^*sL&cfbRvn=R1V^k zR8SI={AdJ#Io?xqeOH`#!e+dzm?cW~_@C7OEj!!AhTPw|*eZeMle%SS z!w+~amdFONfX50-M@qAu$yLz|kS+>XoP;`Q-?BoC9~hNU#;h1A-XseF+!3|(coLN7 z!(n2`b?YP55OSQz291^%OOLQIlIdzda?omrV89o_UPTm86&a;N*v2b#j8@ZS8?vLk zn$J0ITgdoWv(%RRYL!itCkLR*VcE+9wTYQCv9X^`HVlLa^<<`|E7g#!%M~k1@OVCE zSbD3FF}+g41mgl$#zt+luGpo<a&ZILPJTcD$_WO_AbBPY2R*zzpn{RF zRkT4&r`qZQjR5UY;HbRmjy70oeCqdU>v9+4jy znF_D!NQEtl%~UD?$2K5pN)=>>RJ}tmq$O9=)qbEi8!3-QCRZ)ltbk0esg76|^8`i8 zx)x|Ch*^+0HrJ5`i2{&KSm5L-$cRT=CBwGZpsz#7phL!kAzo>gQj{Z>1u3tHvvH77 zXKKTNoa>k(VzWf1>H9#j11jSNo^&~(!j2s*GsStPIL{R4nc_TCoM(#j{C5e0Cg5Kp z|G}sFzx^!oZT@rQhsUe`dH#bz7z8313MGF4|AGI3{~*5r{(~U|fxysLZ{SDqpJRC@ zdBmT#+w&RW>Z`U}Z`R%GuJh;hxjo{u)_>An>*mj&eC+r$zl8n7U0WKj?ef49-K$T& z?8-MkdnI`5l0SaB^ICTjtL0x?k*P_$u6o4{d+uR<`s5yazPXE8+U2ch<~rc+^>_aB zDSfg+4Hy&xxfY+_Fl#IobkfPfcy3#o2kb&Ry+Q|)hTWDOA4!9 zbJR*ppSQQm%`WkK=brAXl&3y>9Of&$#vBy}+gJe`1RTwpUk7&3FAw`rhR( zJbCp6FJ9+d`}Pwq-?=!?ir1X<#!@Zr<6s=R!}>3@67bgpZVgN+b>%9 
z26GFy_F?0Jg?dc7r_L?Ucl$as?)z}9FMt2U`L}Ft-MHqBZ?E-K{K|cldoJH|^KlVlowW+@10lnS!wk>Q@Ll-{PbzcTk{>Oy!XVq zn_j-?&f5OsX|KI_>%Xx7ul@foZvGFLfT#Tb&mljC|CkcpFaPT1|3D&5j&lkb<&;kJ z!}*W(UHnJ-_3@ulC@IWj>7_|%-I-JVlb#d)gXc}hugJda6Lzl^=PSUlB8EYV(A{KI zZlwA;*m0ALR~;F4&ByyWMd$^L&AX6URJB&NSIIYojL~6u#p-zZHirVmB0s2zQYw+5 zRNpFT)F>8q;$BALONHL3(=6K{n_!Jlg^W;dYQ-=}mL!Ubg)rPATSy2PO3}}RVIf(r%Y-p<$%a|Tfpm-=M_5PC^MiUwr3*?+!n!dagXhwX8ZOr( zrHCh0aa6X0v|B3V1`scIbY)zx73;V{XRN+!_J-X7-y87^rWMdi6nA?bQ0AG!Pn`eb zW?{aX?FAi~wexaJL?Z?pSL%>j?3ym#&UUe860GTR56j6(B2zLAzFGAPc2&)}tsEwhrWvcaRhQyYgP~IGnNHjV z;!&|C)75Ti=-0@0Rc6)th;Zb8_xv9tKCTndRC@5&%YWwRy7?RbvF2p{k2_LKD_=4v z9x@wi!>)}7P*e3{9EtXEss$xcL~s#`ZszI|*Nd`ssN0Gq{hsH<8NMi0d-+(Ajv|Jt z!;?MWC42;_34DM>!+5zkPT^_G4>MgS?59mv?Z^WGkNO%B#Q5aMa|Ur$OM#=NI;g5q zO$10J-HnxVw2s7_RJX6x?HD@@6|$li8eYOoTSVI9Z6;|~oI^%_NA9mYw56uONJj!K+W5SggW zv}piqV@Zn5_ga}W!wl+Lu@{u!0_<1BMx)xy_YIzi1gVRsdPuTAZk8)huaYkLnKGP# z7*uiru-m3ehMboJ;y*V3$0GZ)`A?kqr}KYo+ZF>_O5l-ZQccdx%B>ibl?FgirY)`0 z=g<~6F5rC9r085;c2YGp?4UUdX||FsgT)=S%_NGG(?y-gu5|6<2vtX{Hp~G`E*=f* zgLp0~I6;^qsU|$T4lCP%T&gfKCtf>33rWK4ptgPHW61Jto8rBP?WX-zFdg0>+Bp z$aPW$VwfZicd{cgAJIlf<;xIFhpEUbIFwz>2O3|=mLk;>Gh?BQ+nP2g6;kpP>X|}4 zQ>bSO^-Q6jDb(}dF9@1Iev$lV>hs?}i+r2^T)fTZr~U%?PXb0z9K#^=2k;-{m&ktz zlz?yq!J!|?fBv{2Fdkp?#!c&vPg(Y&=WuJK@kjgpW}BVW;@ww2vM!d{@5P@|gw>}9j|^5hcgM}Id25I3_t|Ed{qSXXzu&uatvE7$Md##Z{Wmi{ z0uI{!pm|??VX1pA+x?hFwmH&#o_p$eJAU%HYpi|66HjcW&$Fv@@xz@r^`|yJa_`4J zelc~*iCZt2PA@U-qV@J(PCRV;{hoSssk1)b?9zKLJ@RmD`F$=vBD-L1>3J4CD8;8g z|6s#=HeCwQK3j&$-9pcZUZ^}U>)!h1Pd>NU67O@4y8n~)7j|FoKyX!Q1#j-_-n;9O zb?R%G(`S}GbWYv)*m)n_kv{y)xzmNiiIeu<Ym83EAuS=Y| z!u4kyypNqbUfbirqYlcJA3pP}vH5oDc5su@6)y%iEwOXBy|eUtcH&HMx!ZSH5MJr( zeQwk*{9=o_Hahv3qi;EPzghb|_rY>2e7Sey<@;CR-aUGo9j&)7S$HdZK6TS2KA}Gj z=ACQW!MiWHVX*PZpYLRyPbL0j0#@B1iU=En|>}9*GAHICf8=p~Izk1tV zFX_OkyUtqe;@vl1a7N|8Cs)=^Mn0aWe&M2UbNaR$jgNp2ehip@TYA<;w_d&U`S%{! 
zzu>_eR$BC_ZJ&>}x^Iwrsc`=E=Zf$a2a+!?UnwriQ#XG${op&!TWq=Ceg;IZ-oEDn z7cTVX)%=NDJ+<|A8(Pa9rH`e5VgFzI|6gGLx2gKipGAHQ|LF%YD*ipm$zL%4k*wKc ze8jP6wf^Nm?!WP$=)Z;kAfhFLUo|9BR(;vDcFx+-P0NXGiQm=t;lQ;P#l$gD$T zaoFK#Ldz;qGSf_o*$!6}FdR=KovNs$hfLGsvt2Le2T z6eT#>wc=H9-~_D7xZWRx2YdQpx|;33=v#!75F ziO(wOd{lv&bYJ(is@0~sUV|86obFpZ*8$u4UaebF23}j8s6urF%P^tZ?P`rE071Vz zG6#OE*4F(*yQ$P$s7zsLq^|`|y`IE63}exSMl%ED9ZGFMOpri&Y*MZnZnYz@1;8jU z>`&uAX{p)N(M;9rF&)UxBw8(2PB2}%T*#NIL^Bpc9gkBAifu~))MN7<6Km$kwr^ur zvE3vArU~;nT4R03fxD@iACYvUnk*6{MJ_kAY784>dVh*! zwz?hy&;n}k+@pC=jM4d3*h?<>Jq2fcDF0~|EDbuz(ETkRT^w6qDr#eHk+nW4v zzTAP5dIKnXMur@>#%MXkBVGn%J3`s0xc~0{Z@r8a2dDVYH~c6174n}sxo-Z(f1)|z zKUH{?&&u644FkLlRrRi^g9xS@V^UWU3m%kYfom3$n4`FCbz-+M7ZJEn^@>r=ZRDhK zH%-QLqnlDt5M@J z*{UtrY0?%$4xlO+*D%RWJCZsY*UlBYYLLX-szA_59vrZNCc9%N*8$`Fu!WZCCjVkq}L?V?Z>ajLM$cP}axK&!Xf}JONw3N*GUans% z$LdtTB$>EbH2@vUC($gX!5ye3I)biN3cosINFO4POeEAOxDo6W47{a3T3<9 za<9#C*42$A_tpD5J@t=QB|2L^u%Jcoara1)4<|-(m2m?7x#>a7) zK8M2F4lyZLT=$y|X zxQaG4#;`+P)0$qj7651iwfe;Ynxc!A2GMFf-cO9;QYjHD4l1^6535O{(hI$MnTcC* zRb|`FAStBc3?C3pq*(?=1-UB5Y%Hp^ETh5~B~R^)@@0rhLS71zK*mbO2yzM* zO~IlmSTqHTreM(&Ec#Unf+o;kB>$QE{P)iy-{wE}-}J_6|9Sp{!!VivVTeF}0RKV% zf&ZYt0RDp`= zENbsZZrSnOPt|qK*yiY0FTL+|qBKvlw)K5`;*Xk#-gs>9if8|N+2Pl3_OAD0W24O% zKX!#RulQtZZl&wkqqY~WoqpGo+?B8OYgakerJnmk}F(nTyog)(CK&n-rVfuU9O&4dZqJ3XNM!^s+OL;B;jhJohr^od@?urd{v8t^fzj*fRC> z4zpI;=C!?-IQHoJQ)iVsz&mU9FyiWE*4pN?oiRXs?9kn?xjs5$<@Hzj-O1|Bd+&9? 
zZvNhT_y4lg`p@q^J$B<|A8b9}`Ohq-ym!`yPv3+8>8c&-AHMk9Vjr%}UA`KLt!ykh zoVn2h553gc_o5Y_W9a+W{@~%)Ub}Sl$DdzhM*$HYzA(q^I$o1}_}WFuV`u31$LOn% z+WeDEm;B_Z^`^~p%Ae_nFFE7rM^|6+rrvc2KC|T~|HA&i_W!@Y{%=$Be|{GEG5lvN z#xt2;9shwvdh*vIVTtaHe=z@%zH|Oh;n&B1s^iHrXNS;}Ws7slf8;sgKWVQK#yfs` zoH1)WB@+}dN^*ji=VF>nr~|L7AY2d=sO&JFtb$(7?SXI(PD`NXhB-K8m2#qs7t3W^ z4)lVMEs7z)ZjPmn3U6UI}!DDxG-6+GMMvJXlqnP#Je+q2{WRURG;S5I}k@YlDSk zOYRuX|6%Vvz-1?^{eR$4BZzbmDGI2^Ad_TL>B+QAW|B;1Qf2}O$z)Pzl4+UD3~;53 z$e~LWq*tkeRB6(bj&xDHzyYb!yYinSm+MvFF9-Zl?%nHo_Sw&~_u2Ej`=OnX^lxXUHAT zVFFz&HCq7B)!Uzt|LBbXl}kR}v*}ugjCyL|`(e~038=3&CaNHTIzn_Au9MD}uzDww zdW{M)9>YsjN)RZxE8WieDuLB7#TZBs7kgM90pw=B_dpzn?;jlmC zC!Mj0xm2Upv58z8P#cOHDE(H;hh&!y!YP>#)Zq{==oRG4lh*Dgh! zeyk2rY=>-lwD0aT(gJS(?Mi=0Kq^$zkW^a^TqsTIQeNm;!3a}qD~Fm!7r@e8Kj~JXB9=pZ zKHnE+tWs@bbjDWWV2H;VSpT&MGW$D>^ zPHb1_IL{pCnd3ZjoM(>n%yFLoU6w`(>~qO~(sT8{Ps85Nf1ce2JLq%3e{hmY!ze<0 z6#j#K9{CTM#wZe{2;yV%pR0(!{N{G|`CFF6x4#>^eUqOZ{Poe2E4}j0UVHvzNiX&0 zHt6LmoVHORey+9KDZkzEj?LXaymZRwThHvg{vikYnO*RmA9?$tZ$7v?dQ-*Ual1p0 z+wHBDcPigbJ*Bjj=O4cJp56_Zs2zIb+Z+8!3x7D;`{wr1HoE3TPyO(w8<{;`uAg!J zsr(T;Zg}hO&mJDP#;%;X%D%Upy5@q_3-|52qK_EQZF$OHn`1(mP&*tJ?^E6EitO#> z*T3?Yd#tt2ykqlCue_96)?+;;QI7jFFG%L`Y?op9ibPrRh< zy!=i(8cRL;-M7|zAmc4t+!g+b^|J-FT`w3fk^SoS`~Ufmmw5LMgulFW;=2DP{xkXW zJ50Mwabb7zPKYje?tU02hZ|0jGyMvkIsKSaQ@F1k^dlKHkk6VG@0$i;_@G5ar(a% zOH@I(HBAuvW4y`NQh=$~OH3vSbD_#ZDC0#rj+|H!Dg|gE(YiL6F3RXE(N9k&UD_79 z*u*z^O6=;Bat7n15g-sCI1y0>8~X03oa<{t!7rCdk(1iG#!yB{X;%Hzl)+Ug!g^+{ zRpeUTD&*waZf?ke1t3ed+X|QpV0X}-C0ss{&*anT_E7QBK&mDJUl^3NHq@dyh-SPj|%{mOB)pIpxY(Ta! 
zZZsNsD6H{>D`>4EI0f1*kosi&hZ6}I$>Tj&4bUW^(OlgiHK9FfSiR}g7?o;RnAfu% z5s_;{0~u9o64S5oqF=E{bZRI-D;^N>SXOf*T&Q!Y8tjd&dYOVEUkfl4R~4)_p`*M% z*2=mcp}kmXQbk%zfg?gtil7FBEujr7Tr&@r6;$f66I9N4v#GGU9ggZQtf|S0MB2&3ei|Exu(aM^|(d@`@_#o{SVkX`3Rc2C_ z;h0w&@c`;)rGcH)-3gzmi0)Jd{6XK!2xb?`R+2_rcG4onBm}I*H0qH7H7XOM*urdi z*y^_Vp+2Zb2?@2S0V>m6OEd?7+( zXIC0zOXPH-REQBlL7m{%u#g%yWQGm7Y%JDLnF9h<-=$(Rn_?ILl%Su$svs5g^fOvU4nV%@mIOb2-b z$}u>qaX6dlTcn`Fk<+WiBi}P>+7KTq0*c{^*|MGdgiL@e>krxmE+==oK0Gc?b8bsk zJ04wwxOCXpWUV)vbc_BZp#!R7=a?>RIbduXv074FUZexVFfLVKj;@UJg2oNeJkE4M zs6dA`5b2;`CZ^DQ!R$Z`-szs-lg`PuUyB2B_1oW@A# zBk&*mpZE{M^@6f92rN@9cNh+E1JXKmF&Q zM0@<=$-DP}zkgR@-3!h-c63{~@)NI~y1_Yn(|f#q3UK$OJWlui0T^;mpSm zhmTwBp4txoCjPVbTdU=7Jovs=n>73z*E#dj1qZCx@8k~jpI_&KH=uCSn_%$AORlu~ zsns7S^jhxAcV_pSWLA60e%PQM1xzWOt*PPe&&)fXQ%?~`{^<#H? z__VFA+4`-uHlQC*|4zPrE%TS*(bvw4*Sc#fEVKKOt2(1S>-R4_XTho0{V_cG{#C)< zz|B{Gt9Qg@PhRk6WA`1OUi#2YGT%OWiyJP&e*GH#@(a`|&&Eq0|3vM8->mZ!bhRVH z<~6$=VBL62dh__v4L4n|@H@hR^tKN+4mkeY?SFXiYd<>b%$Fu7|BLhgZv6j@^*`90 z{^zr@kHLR(*{0n_J|y}5{PLglEH{ODxq%AV+(+;KCVb%hAN7mJf11$KWf3LQ4W9`Ez;Aeyfn2jDQ;iw7vj$r&x)SSJCMvQc(Gx0?W1F;y zH|cuTQlmaa4m`L4dDW>>FQ6G0z^o?M$;dH`wFbFnjjPLT2(_p*GA$EghfStnq!VhR zS*(_(a=$R!<{&klHVg{Vn-MC4fZMcqw?d?Je$)&~v|+k%Ytn2Zj8bit>*el15vx;Q z;UT9L6Wz|lZG%W+U~SpL!df7X0XVCSCRwjPw7Qlc0DqPR$Wb|+hjkE69V=`=(01Xzc zx4mpeGx0L)cc3&?ZCIR9Hql9k2Bvru{$%{8-0f(A5S2;}#(B7wVHF|tT!{-Mb2v#i ztNj$z*9^n1rhHW!4rPpOWss3K%l*MV1Jgirm>-0csDljXs_f8HxUvq1nLg7dk%-MI zshNMqG@BN4Lu;%x$w9e3Or%DRR|Tn1Y$-s-%UCW2mBMT)n>PXpWCXSr7+E?}dCbdK z@QGLGt97bWmu+}Rg;vu|$YO_R4l2Wjt1tc+|AD`F{AaPQo4@m)#hL%Z(}X@YD}8xom^Ub`9$2}G)b$sfI6L5_4Fvqi7j4D`L@)6 z{f6nG8i{I3n{E}W8q-cEg0H+#9p)alt1rJv$3tJC8OHX!w491xXAd(&gE0-MkqYB%en_bXTPqjUY8-TjVjF-Ep3romWCzN7`kxk` zPd-fl!@b9UB%h%_BLAtmMftM)>f`3fEr%^p4FTL`2YGj5 z7lrCLl4EQ#%3vI$qEVd3>PR_@^r}vy=vY&|5~qa8uv>+2Qskuu=}q!|)B)&DzF?Dm zu+m8PrV?5}pn84Ej2j)R7t1z9l}UujIi0eK=X*xJGgcG5FS-_z){3b(jk3UC5M&~Q z;Oh)iw^BCdYxR*BDjZhH4Pe{UW>GDfmgS(r3L#N|yWMGs^_vb`6bpEYAWfhqA);O4 
z5fZ5~Y{%}1=}es-2OS)g91ua#0n!xYyf1+!}KUO zGD(J^3?a|sq-XJ9A1aYZtB@MYx;di6=IpBMXR%rIjh$u~a#DwzJrITUI-Lb#XHM@k z2aM)`(Ht6IaRj2$ACv!_bm^*Z-TLAQ*R223YuCazOC7%EUSIn8aa+~H%eG3xC+YXw{vR>$hA=nSaTKk0elYm$#1H z(lAa*e*fB8?0-DSXq&Ze_#@3d^wTT8cS$Psm6xpMwyz4UqWY~9clyCO?XNs|@H**B zS3LNJ^t!>Vf7yA*1J6I1!&jVY0G1WNf8IyB z@VIYo_V5!|oV@;{8*O`#@T+ak{L}nHcRId%;J)f=>C1nR+F4y^vu`X!y7_~+Rp!&r zt*|fj@I~LER{YEU>utXNe(QeezRnHTY^81a%k#3=ANEr-~9UH`74Ig^D>s2tmtOpBFaU`8R^hww}`spSQ<--sQhmK%D* zW-*6joD~{mmGnFL77#_#>L=qrnT|N>WMC)jloX4e5EHdl%%{w#Bu~4fV-IjeGKP9Y zsbtbA2E7rN#wMK_WLLCwJ1G``d@IK)(`m8HN^B6ql@8x6N={T#va`2Z?Tm3FUo@$V z!Ab0tv8}i^9GbF>VG_p4=u|cUNH#}awo5X_z85#f&4Pf*W)tiMIxLZO?jjeYC0UoPHLL8 zq=L+dL648yNp0Bm$*P5D;}Huqf>OzWalR|2G$?N7yVL6I!PEI9{3o+$=F8|G=Kth4 zRPUtc_|F%a|18dR^LPHUIP-r>91PiIL6*w{0EY9`nmL%dITi6y1XSQmoTC}Hly^rw z+P9Gyt_^85<%JDW#GPv0L>MFLv{kqsXbxur)q1I`xz(s+u$4Yu74p*}8;%qq(h{m_ z);&5w+)^a%lK-Cn!}GZhoBuh16S_~d22kIq6~c~~4kvxB#Yz1smbT*#)Et%bvr}jCC{zP- zLscRZ)M}X}5h|!j+nMBZ$;4;u9OQM=crdjqDXOU(T{p-VX~*}{PRE2bvte5aDVLIh#I<2P-r{!q6G(Z88 z@+W<`NV)k@rixLM6do6yumUzyRYfXmN>-7vT)kq-yl$s8ykAN?l!3xFl*I^$Mm#`r zjDRTThZH~UFasjd!U$0kmF-Mb7&EiF$;P4%R}@I?%B`#ls-RD#GlPyAbf}Oi4glE^ zH63%ThBwd?OibbwHW>^w-7J^fE-M8}F3-*$c$o5BTemsPGlzNRFwY$3nZrE)M=gyK z2M`W_1pY&Q9{CTBV^n&!ChTMKpF>yN>Syy; zIQQ5Cm9;{oAHFajI?Z``uk@CO-T*$f)7GnP{@u3^|J@U-owamy!^@{t;dB48_K`PV z;9haBXYcp$vD>duS@p`*pE_)^_tWQHchLQB-Sf8fn0Vu*zufhRXNWD&5Wz!FyKR#b z-2>3q79txT^YjmXz4WhNx#RM$ow3;&%2rSQ_OA~b&%OQId*0s4T=JQ_E?WZl)lqlf zwcKAXId{dCy1)7D!t%CTPt(``IN58H<~xUOU0mbH*G6amXx_Kfb$7e!w0-V;arEq~ zM^1pt|GMj)%WOL>-~JcmR&GLV_>}Enb-X0+9bEt#-*jN zzh%=mx}NvVOE)?zePMICa8GUbKYl$fS6}Powg7tPlzZo$ea_YUZ1!^-o_AMjr{h-I z>x7q%yxoQ$z85~>z{A!%{^i^5JNE|Z&C>V!``!4hD|S2gz7r3tYye)5AN=Zea^fzCazw(RAzSjD~3Ohah<^R~s*wTGvp^N%|#_{r+Gt+4#{aQjMLb1$4Mvv9>t z)0Z#!diUr5;{3lG|372?1LN=KKXd&5Q?ZZ3e`HzDH@|T6e^B0UV!R*x?GLj*GXD`j zaQ=_}1>`@FkZmNqTucN%x48VrS)BPl8O|=~g>rQ|$(K@YP8$R5Nup2{Tqdds(QnJ3 zhIiOrB^R~el7h|h4>g8+Is=lkBsNdY_Rktht+9oGlp% 
z6R<9ZGeWviF$p9OlWN#4EOLabCJ5MI+Ei*}3G9^v-hah(yEcP81sFGFC99r|r7)^a)ri?g(FqVbh-kpt^ds%8L8v!9_`a_n~;*2bAU z!L*G*k*W=?4B|3UC5b52WSL5kxUoFwPs?t}Er7GEE*VpLuE+vmV}#*yr;v{ao%FCL zOQ``FR!o+&`a#Ro%bhk>8HY~A;{v0RE45R?psoz35t#|ACEQH|q>bsHjQ`}uJ-T3F zdYmQ529fS_I+rHsZUWT@1%z$uLZu%nkn1tFK6}Q2>DCw;$3m5rlTmKU#z4W#)h(%o zh~y|U_M9FaQE|3nx3o-)foDl5S4UgzLTiAO$Xaz48gO@tss&qBTQb9`cpfl4&r-YP znmLGvN=s{NQ+_z?=4hxSGq{FF25FRQoHObQ<_HA~b<}Ni!Er@QC5`dSbpwE`R%1h_ zHPV`$^ATB)u%XZ%%Bs)|3Ozf>6o*MDGhH*=A5Y*utM;o&0aP)loyn%ru+{+z>6%=m zeA6h_S*}dga|X-A^*AipP}_|>B5X9Ky+UZWMHr^kR*@*9g%T^X1QeEB6%v46p(l83 zD(a{*1{L9`%9>$49(*GHv#5?Z%KSr!l^}i4o#Q|6@gL-i$A1>#j zXuUS9bODNS#YrS6V^5!YDl@@FD%R;1H>S+K+)ebF<-4jij)vWFK7?2oQIt&2cPs<8 zhY4M60bnzgZ^C0e!wzftqGpxQPTwYlfj7l%q?KgtZ{4o9ly~lqR`Nl`*KUuouCJsa|8uJ6ve;f1j-Z2OM znf-`0lS{E9g)GjTssoB>quuJ4T9t^Oy?wbx)G25_#$?hZHL&u@cnqW*uRRJ{r8ZG< zYi`jR)Y9ZcR$0!7iejmw(z5Sx)|i9`0)v~`j^L;3`k>wETX2hM=L$ej6Ub5M4-zTp zqO}6jw_25H8j5S>mL%0Rs#>G_hVO`o-ABQCf2tHId0gY5(KOd(>P-YlF;c3)nM^qC zsEm;omD1RZs&FVLUD<7EMKeYHgH0Kv zKuk+XTO`Uf=r`JN#^wlB=MB8yRGTA6^sG9>xW$MXx0p_f?7$j5Et?Q9z_2VKbx zy`TS#FF9(x&z}EKP&$o~1V*ACf&Wnd#D9p-0so<30;7mDf_z;5v+qk6T=LzWp(ifB z`oPMY+upkK^v|y>v)&5qPHSJDetrF?pI-3Hx*)pOVLv?YzI}EXufE@z7auP@@#O8V zOQ#&Z)9DZGwT3$cR$P9?YcKo$W0w^lEBxT11NIh^i_Y6*vzt4=y?o;v-(2pI?Y2AR z>{FBre)KClw_O?^{^Ez1?6JVS(>cjMpU%EYY+Vh4h?Yq}6GFPVk+mCp7kDa|Ax0bzXx2s;fdbx$h zZ5uC$U;E}0cWrSKa?b0*wvEd9|E~UT`=7t^nQt94|IQ`8eAqfi-BR7*NNq=De88T! zZ*lRhze8?5Y1!(2M?CbKt1meBHSO{74%_#;ODoS@$L_Vf{rc5QJiF@AyKi#C!HqYU zI*giEIQHrnN95VZo_CtOntt(;D?fF{ix-^u*qiIOdsp4|@MiEaXPv#~jXPieonNeW z`_0?l@Z8HMKKzb%*J0BozdY~pyWap$LLPbgsykD=eR$zc~Nz#{bWl{}Au%{{};I`kzn5J`VqBW=Cl83#b1<#jJ$#Sp^eh=U)!w z{yYEq!1+I4K>icVmc6L=TXXgyEiV5F7DxZnC%Ss4ZX4v3lw?oV2Y}_0(s*nby2pbn9NW0pqYo4#%}{pykt*24K~3s8duLY_`QE zm2NV`HI53nYEGzit9A)W+6BSW)BRe5&es(g=~ZA+LmVoh`gqw@2q3B?a_o&jic7-{ zb2Rglz``9*%a@CGD}y^3W>7HoDD<+1g=Cu`R*4Huw`$>BSk37f6|id=woT(>ZJ3Dh zz{Bj0+Ta;pvqK}!p-qu3K^nqg8Nk1L86}Ncf{`ObzC2AwDgqUhUt`BFEs{623JU(FzNspa}vv? 
zoZ-a4(lvi<=$`K(CRWR#Qz~0XA+0z=7oZX57#S6$XB!WP#VHPw`NVGZKn=)a?t~!y zyv-6}NRllyPTJX0u`M~CQLm-OGMX3=l|e=jiw9DJ#+m`fA+-t45@~vtfdV5fQtRVR z2AUQPHt80}j>Q>CR_VE=z-EMeqmHr|FE<&DRv24qIY!cE1fr%1gx|GH4+xc#?)O+j z#JO%|JjrFNY1fNC$$W`iX;FwB7yco{>NThs&&~h&BJ-ccxo-Z>e->;0Pv3&-CINEQ z1PB^xjVtQ9%C;D5*qVerpO1A~OY)W*#5ms^su=DLb1@|;(4b5bDXW<7x5A1u#44ky z1V~MOq-(7#GSKl_$}_9!LYo;m<4#Rc2^VZ;Ff?p}EisY^bkH1h6b)61P=!Fc9YpA7XnPd}EteGxfb7YQfA$4^) z2FL;BZmLa+Opaz3VI(;^%aq+Pz=qNsY+U&;w}Vu zP|+|QS~Pn7YBcT@>bS#A2}p{oYOY@<+K`$;sBUWn=U^rnHp@_@+iT_{Y{H@Obarh6 zWF?c&Quep^P<*@hhpJP8&e1c#UiBUL)LNGS35=jct2xDph9e##!{=FhXw-LdbjZ-4KglXtk`+2?P2 zuC@0{n>@SR(|=g|;Ng$v6?eJf&Z`&fa^Wu0kp=6A@iz~8e(P&DeS_NXl#4fe9XZ_Gao%ERa^1& zOaHXbBX_(|JoOlhKVpUX2Osdr+4V0!wC>XTT(|i-uiZdwxA~u*m>`dTmtXR=-4|Sa z|9aWDv(0qL%0pYNyn5hk$Lw0z*ZxCLIpl=xpFL~0FW>PFw#j)%Bgg;l#07s`=d%2Y z&#ipxz58#ZUi6UhhvSx;_cXS?`it!!XP){)e8K|M(XYSyCHcU+U!8Zu)8`&RZoT=&-sZQSvHGp}jpaSV zZ>_uJt9Ku}#eK)E`&@sY4S%s(bo%(kg(tRte#qX}?{eCzZ!frDhrwf4ta#g!$L$u~ z^XfZadg`1z&Sj5B)@`nV-@GZ(-srBUFRniG^hHp8>M8jG>OEj$yDnu;eKiSV^?kdQO@-!afrxGH}(#u)C zX7Wt%UcOfQ5dMSCR)E&CaxOi~M-yR6PlT)l3+-sp*U-OzEjJePQR3*(I5VZWcURSr z>9#5Ze3egf?*gG>mhNU7+PJ%jteBm)%U6p@j{e*C*eu=V%{1>+kvuf}JkDq7+M*W% z7&_uJ5Z1N|`oO3=PEEsnz6K?wckxX*o2g1>ArJlSMQe<#YXaQtw4qjQ_JgvN26$h= z#6^WjUxD~+4ihH9c(#<*yUXPHJk*XC)tF384GeAeLbJS8s{PMBC>ELb^S<1F6`n|X z(f2b>>2F1-#46R?KEjP{4@83k#3q^q(5WaArifY;(Kb%=B7`LLBu$n5QD+poPz9@Y zm5xIXGa-hlZh>!=dACvzvB(*BA*b5`MmU074zJiKRh;EIlr1)Vlw%oiDh-RZ=x02eTaR}Hf_NH42!jQ! 
zTaFE@(kP_l5sIhc4m+V@ubkAvZd;K=0G0U4a2%PP2=9%&xP_EVg_lEjJQmDMpNtSf zWAy-ONOr#2YfzHa^#|EX7zL$Kf=5yYz=#P4wyj39FN7ZFCPX!{P05rohtM>#ndXf` zN{3{n%!Of{%eoaaoxna-n`SkSn%EH#CbKt9qM2wsb10dvyjy(yTW*?TWIDU3IQh?& zgiP{oC1Lh+Wgv%6GOcqH7f0>3&Oar!qX;_li0pOH}%NK#0bOX z%8{N(g{I+*VxS#W%i|G-ShINGS2`}|HOd9m<4hCx3VkFNM!MUQ1D!6!Ehe^8ZdaHT zj6?z%vD5_}6zDjx>hYDDO<8bGrAK{4R+@b{$F__Xp;aIm<#o5|OMPaNRrOpEPLq77 zv?i%xHC1R=8bHMN`&dz(=ultEYaoK9Qhj66VVFM6wW-j-OcdG*8|6kt z?~8b$OrjibaBG0JG7>}S(#8ZhXtA)tct(_X!&5NioH3|bI#BJ5J zJ2f%e>J>UQ$YK4V2}WTpmZH!F5f;_jyoLja->sJ-lu1n{qEUt`dP&m<7}2P7CavZmpDLGwm`^pwgP=|m zO@+=`J+#AEkTcfDQ#%^cBeXJxCmBJnfjK6a0^LTY+lIyyP5Q4e3(eju|3kuTw)wXb zA?rv9pTV6)E!}|k^>i!E-gmmkX0p;E$df{6|ME1F$sj7)(BQ-@D6u(nwD)2*@Bu-a zVX`_t2nWtcqcd=)8)WECGtnGMl#C7@(WE|e2skWJ>g*Q>242G}p=w+NTUgL5W}6LI z)$&+xf?1;Lw&RpiozyC=KuocWQsxP=XKSrdsy^g|auKF^KsQIlq#_OCafLG*MI$9P z9UX5Qa;Mg7*X`IAOeU9whAB_)kbGAjHW~%TMO(Qb;V8P+1Q<_*6{_KAR%Uj=2%blh zSS!;F$+{9M13uxaW*;mU6NqlcV{R0R&_t4zhA*cvwcdkxfEXn?q3%cSIEtHksg$Hm zU+@P5v<0bosgr?q0dX5mb#KDz%0M++riiFc8BzT+_&VG2isd7a_U1j&Rb{0rT2eiEn@G@ z?%C<8(_Lo&-E{J-jVN@L4AmFw^=PrK+^`K-Hde0i-q_xaP&3s(Q- zJNs~FeOuh}SN_&|`F9&`D{2qyaO+nR@GryBd276R^{OjxaPT=>yn4eX#`7nvwb2=w zTd#TWuCF|>O8tskFFA3auiyCC(hDBE<@$ZDKKb^INb@Q7vY%};MV z&mFQxcr$ag{kq8ioAf`sUVhP6cA0nHzQ1|7a#-t^(ZVe@T16D^Sow|D+~*grdFp=8 z?)w_B;UUj0_4c`|ufFF{dpN!J3OE1s@-JUqzu;TvUbaj2KfXPE>f)o-BTp$U(R%*1 zH@4MJTje{)laKDq{dpe0=GF&aM?B2^bcY?!>OFDJF6VBraC8}S|MuodxjVMG`<3#u z6a8B6@iTt)NO`H#P7N;FeEq+se|P=be|*z_{lEwNKVD&1g@5suW%kYwuDz99XN?^W zIYqtbt;?d{e<|A?#f@VQd~D+bHv0Y>ub%bgV|Q8Or~8wathmuGxAxZg=5$Ztpi%M0 z9Zx*C_3CB6*vI<*ntPuw{ruU=QiqFgef1Q2wZki`-#}HLyy?pAge%o`U;5MPyZ?*x z|8D&MjP*b0`}xn@{I^fXK92s!N84HY!}!nVR{w(uSvui;e!|NE@)7kvD8PSU|2OLk zsQ-Zl*+~o82Fx#R|2Hv9FOL2vt1&WRwDXQUVq0~B%mO3AK{5(g)hg8}E0U!a&SBEX zDaiTBq-`3BTcuGY-%Imhe=tPwvX&o1f*DbMJS?grF9C!brh=f(XL4Qu1x*zzH3*LK zr!{qm7`mPFOLa>oa3P&R6D#lZTT*S7kt;7s9Jnmu+Wz z7Uc}sBV9Z};!9-~m1Q=%!5AIRz_)BmvJ=5R8E2BU7u z=`y+*7P}-ifCy${MRlYu;KOuD_39-UsTl~Y4}%c`;?pFZtMlneN&>82562?Y>)^Sn 
zRc}CpNxP3kF+?D#Nu>h~hm0<;)105`<=y-hfg zIc_?`5$Mwf6#Ao1tHcjlLf9WiPPx|31=2vnVqxU>@~MHY(sZUcahpxRk*xqODd}v5 z%TT(WD7AuIM;o6+|C9gQ{2%ZiLagf=tUOmwd{6(A{^IF>7VEnCI|Ev*{%@!zjysLk zz_0-{9AN&S$aI}fDH+sLHA;e8K)ycu=)^ste%+-fI$C zmnVQ)daO5vu7ecD{bbF}5=`(e7u)mfO@_k@icMjEoT} z5D)?odIg2-6$f>ld{6(=;PZ_S)Bj}O)BjYmH2#tGKZWW0`@g-%j(~q22=qZZA9+Y% z<4LoxI}?=z*+P^_3y7c*4K}^8Jnts9g1Ey*wwLLH zLt;#nMtYWr^Kb*745Vh_H2YZsV3LXC3tlE}U`4hF4|*`hHVwHnXqD?hBbbK6L^ZJ3 zFBN-U4=J?UwG^0+h$aJ9HMK&i!0dMp!X{=BL}JLP@>ozDR+qZ=K;tR_r-gy3ne9s2 zPBK`pha~A?jVyP{T~z0?C5>hhU}QJ)?1UQS(EuItVFrpbArk9mT=sCH%LSPcH?FkN zeu2X%wl&re*2M>4%1f|jjhqrT&^Fs8tfBPiI2wo|*e+6aM<&@SLz-3BE?b1DviZI` zD2Sb;V&t`kCn!;4_5e256K;+R&2gbQE;Pr5=D5)R5lf>a{CVU*I5b!P`!wwR{O9`7 z5vPCV{0D^)5`!TU#-NYDf8c-OKjdf6e^3a;(r|!Gc8ka9wUK{)FmFu3i>Sg3Y@hc0CKf?Ov8gG8-EdQP#eKWpldUmFe{pG_8 zp1gMXi*Ed7`K7gQJ$SFu_3NE^!U;b*f%$eDIqf&Q-2mQoUGDL#9!Gnd%{%K2VX(J; z{-N7n0G;*S-S1qwefs`?zV3w${tTb8?+a%hdc#i+4UgD+Y>%#(uiUlu8><|--SgkL zbc4fy{np*)?gy8@`B3Z9)3&m9E?mK_^xS%fA32}ApS{N)|r{A*ISnGz|8v0FZ+k5_-_z$(_6Pw%xKD@~$#v?~%7w#ebbi?N!LpOTMV!w6K z*O@1;+&NYH<$jebqT-qJw)p``!yj@4DZ)zrK2h@h>*wZvI_y{voU0 zdx`C=vEnbUX~>s<`-Vq;zRmpdD(~EM?Dr;*{b{)keth~Fe_e6^_OnMXD8BrS`R^=e z;@egqzw31Vof~#pUAx6y`MZDl+1EBd;)oQ#-eJJ%2RJ_w*(KOpI=3%((u(=?Uw5w) zE41%DXxCfq(fs)@4$j!_t9x&~`mxLs`isY3@~79Y$A6@4+`Hgh>Re;vH<$Xuk@tS- zxS!tp{g;1UM2oq><)`%mhfY5Hl2 zk62rFNNvznd?AsEfe)vLA7Ne9c3&;4KjsJtHoxUbOUK-H46ZJGff~9g=*zWEwBZ$ zV1G&#)Iv5c*znMxRT@V^(Mw^8oCyo`fa&)0jZP!q%F5}E6W0KutLqKVO)_2w6-!7i zC=q(fDY+y;6^x3(RhVKJ^r$F97gaHXk&%|NlJUg!Ep;$U>Z(BW|FL%;(2i5*qJZf| z^fL6`L4dj}Q6o#1EZb@>av>Dil4V(zElaj!i%^pQfzSz%0HK6lLP_XD2rYp?sG$Zz zCxI}5(8BLI6FO6i35ez9M89 zYa*)oi0=+D)MNRaTOUpIW~WL8qj8T364tom_*f1j!-N!R!4xTcauWw&|Ra;6XLBcC(Ynmn50V9s2K3+;U`8Wm`H7fCCrfqiz zI6QG=P;H`cCjNK#{~1tr3Y@F|_Eq+uMVW5?;XjK~|4nREs+|FrH<27b1g(~UQjwo^ ztfa^(Mz!x@BdVVfiKeH^bxSMeF{E5Hd!)ja)j}J}mern`;U|0qA_5NNjIf<+V^dG; zYgB%e7VTC@q)V1C=x|=n?tf@7g&>v3GgylqPSUx&V>T+LIaL+A949J(^BEINYC^q9 zLqnv)q4IQ!z%|P1a_p3;!LwT}7qm3NrKg>7M0@oCQ_e;)J$vBlLk)@mA>{eaaCTF~ 
zqN3-j8Q-PaRjll%r=5hH+Nm%xKItLfj+)Ju3D=l8egK zJnGcam13uu)Kaw7>Nck(ttVyclSZkb4{;H9QEAex;BhJ&q}9ZcOY$(}fNrB;1YMkA zGw%QE{y$x2_@Vzm)c?Kz4`YO2nkeNay_Du8(4FrNwzdL5y zd3ss{92Tp!5Ztka98#I3GujXGI@ha>kiOEMwp+auKuXGuW2{=WTE52TJ0qo1gsY@FA!~-&bK6r+bp*_>hFp78v&Y?Wx(bW+I2=Z* zKXSoV0;EaEFZP>bhZg*jA^D?z85gV!lki&JCp#nx*>vbJH7*M?VuDJX)`4gVqMHg= zr1aq!FsQKF1w}TUZ-pg((i&Py#3u>r5Y$MD`@9)6h8j|gQ?*KqA2t}pCFN!sDzIK< zsuycEFrJ384yOzd)ruVs<0fIhO$d!XDU(rHsb|1KzA&-ptY^-8=B#JVdgiQW&U*g$ z28L7Um(qXc>c4$1@lpSI{?KiX`x5vMg%UVUQV8`4{0IFK`VTT2*f>tpMCw!e&lRiQ z^Tb7W+?Tuft}VKkx9(Xhd2)?%YC(iM)yr<#@wrECTzCAe`=~wd;cJ#X?)UDYd+auk z_})tIh1*{_eB!i?oy;1>#kY&zlFuds?8HaSm%shgehZ7wEqh(?=-bgbw;uG=W`9{& zIFDQ5`UAXcUma}y*riW5zjxx--kxvVU;N7!>2uHNA3oiB)0ZFEt^4Y(PtBWu;!{qq z`Rr*gk*~)`GJEp#s|$zCP5mVva~C^!3G@W#^^0El>GAoEpWc1>J@y<7%@PXww zc~B?+yf8WUf*-GV!4f>P!WDO{fAZPq9rEnI$$t*p@8w_LYHxA$#jo77_jRpZ&)fdZ zODXwb5~| zx!WQ2gRg%0`={-()ysE=Z`_~T>QCzylNFyja*1zS2ma-k2l(q(SN!0p7oMr@F|TZRxRhvG0~glSAiPwSV!2!{-vWs{I9AA|na-L7O?_ zVfg{~qSE2dTluHy72Na=Hai91WrG5y4!~37LXqH{T1_VJg?Gt_gDU8;4GjiomD`bz z;x}*vcw40ja!ijXyK)3~0njggO%hdU9?`5OmAmPJW)`ypjn=R%>xe`DlrQRE93(VR zoGDjrY;{p@h}-fjf{?<=Uoz+hEfPMKF7nKWO;@=hnQm!(OsMsmbKBCY`H$Za;#IdVL1q- zxo}yeSH1+k18TZlQPA$(eRC##i4u?}g9Fa$`|u0&TH!ebm$Ml3wQdW@;*KPDL7u>M zdXcf3*7?K10S;P=SW)O@GW)KR7>_u2jw_&-!o$@ z*sfJ`N^N|_snJfe$h$J#=J@faqWagMrPUam;1b<%v6`tf8H}}NC`*@)e+N-!se%c_p;NhnlMo%P7*ukaD}f5r7wW0GWQ#9uyqRzuwDL>T zKEgoSYH%vDj8>O_w5S*cbiV6L$lh zM%Z|AtAdP`Mv4cF0WopBQ4H58s;Q4Ui8A3&V;Cnm87p3r>{e0XoWI!$B_)6;%P-2X zg^=YG7*#7)N2*0^e`^6=;Os!cvN>MxOB>kx++a6(5rAXY`VsJHwTHM=Q5!PR5xzVwG7xtDfI4S*0T5LQsqzoB&1$@hPCR7T$y5$w)6HAeOvuzuNLGYN28sZy>;beH^IWU9p9gAcJDS5GF_ zCnHCtr(I3@Ae2{dfkvNJss@cg`16_(ZMfVsJ^Griul0_1-e%Bvz)KXaim(*C_V3519{YjON9+=JDP zc!GRrKP;-ieMcB1pY!2#0HUm$fj3l9G>#w>XbE3PaL;Gy&a@#cSo-_7OfspI*94IB zy!+EchR0*ytjg8p(-LRHLpA>XX3NLR6RN)Z7&4Q<)kBb1R?QTXBC*#F9D#nPQSv%m zadpT0RMcv7jk(L>)x;?TZfDbM>yVFIKFITm>I{49XXl~C z)!Oq}lT<{en{)X}+s?QkiLUjL&5H1?14+w#J7;rOh0m4>H}(|cpMK@^ESJ72-OD*0 
z!qrXio}wlQM9WMZPUJLv^~b9CEz9@9csrU}z>U=7Eb~mDVJf;wYkcE5of;CA$YWDu zNw9tiqsj37^hvRW@VarN+9TivXw$Z}eAJx`_P+dU1885%PGYxT`_)kXXz(KMf@%41 zvH3R130IM|@;F+lU})8r=qt|jA@}>{;OM-}{i8k3zY0Yn7lNhDH%5b^rsTKr-e1?QO-m3R+xZpaU7Y}8t zbp`<5Ywdj*1DO|9g;h0EEA|hG?x4Qi|6$oO@MAWJ{Ro^b>x}?Tt&HqOxQ~^9F?0i` zGBWCmDwvN=+QYo;gW})m!6!Zs@6-X_%PFFV6hCE7BTj{9^D@9U4Gc3gO2yF)wChz% zSU)6-D8Jdd$qTa%!Q{i8EVO2)SF*ck+qcQ}%|wuB9N_=V<4o6k(BTVlESaAa`*^Jp zf?*{!YV8#5Yo5bN6L*VCEz-`k8=9>jNAa|65|$~nbSvvIBP5)zY}T!ypjv=(en4S( zi;;&=&c!fR7cHsJF~>L@e1N6+vzPM&hhDuV6bp}Yz=>_~5=C;4785Pbj=JHel4#35 zX)6bG3F%UXHEH$Nf&LzrvVpk03ciU@9UjYvS>p8x7x9!UcgT2%1?w+df5ZIUbXZ0- z>AzBc(JmfTv{7EnFp9!XK0p1I$pytklxCnZd{@fm+#`VdOISWFa#BC)jReE$E8W{t*WYjj57jLMgc3h^ch)tmlXvaCsX% z>3GkaoB_vX-~8$ew3!R%b>1KX&sihNh`4Pa}Z0Um|XDybD?Y*wAKw{nx?-sE|>40a& zIvNmpuw4a5+jZR6-@y@Z$gP^y{U5u$>vMkR=Ce4xm+oYjV^$7h}AKE|rZLx5{X_^wqIjO^__} z)4BB30{g$Jetq4U{<7Ps#O#y?tv<~9z0otkyXTQj(A1Ait1z2tx-4xjoi!6L?xS<2 zIQU<1p@cu8{B{N*E5kPY1{KNuw!*Jv7i9@TWa~m1LdESY78Y#%vV%2bjUJ#UbE2wM zMGPa^uPWWN$=Rm38NTmICeD9Kg``!L@S4a|nkY6^n|BIgF7RX|HRI3P$&Q{e8|KAVf~S+K^5d0n8yg^%wV{BzQ!n3lt^3^3JYo3fCxeIXipgD6g!_{*+i63I z$xn+uD4vycM>ML^jShK>%VlvKHU6t@fsKJ57Gu)L^abrypB)-uNUo5Rxw~eqSP?&# z`5wt%*Z?G>8t5yd#0)c02K6#47u9Pj^*ZW>M5~qx^z{PtLQgdP?Q!J=q>@nvT+?%7 zgA9I5jv)c(arXZPuqJ&(~_?yPp` z-;?A61RIZUxB_l{B%O)+lmL>B^}mu)`X*!dnae8#9d*}E)f(-`E$S&7F%7;?Di4EO zsZ&>Fg5Ka`rKi$aWw_3M$+3;+fS0j%P{YIqD8D~KauRV=*Z%jEN_lKP=BD6r@(9M+ z_XT}}x>k2X&nc&91Ct5Gqv{K$hqK)J!2qYbijXQ@_m85-bDxEqJ40bNu>Msysu3J@ zw3PYn6PVf zaSBi~Myn~XET8=bVX(rYcUVvkXwG_%Z<_Sl|447tYiF*~c!o(>Q{tL>4RD)#)U8&3 zNe7SD^#bm)If6P{_uZ`HuDE#^c(QJ<-Ekx!svUbdg9(XXu6pVgckup9 zXaE=pi3&qzRnmK|pb>pP@-)lZi`4>)zsdFgVO;Nt1H;M9(zN}4)C{LZTkB^2|g&Sa}T@vE8Cs>z1qc3n3 zH<9PPUiQl$x$c0j`?RC=r}53bCI??<(D8WWc==dUX8n@(5YxkWYjpPbEVaHC;4{y* z+4A)6F7)^U)&+r$Kj8esT3#ItmAvu6Ba!k+Zz-t7fUplq+6dJay`KG*w0q3A=y&E< z@UY%%`H}Fh?ROi+1AC(Qc=0N55o0)*bfo9}yQ2VyzN90>~vJ8zahmEXruTf!Q)&d{zajzP&NY}!bu@T=F)L`U8=@IT+Yf}59hu_EnF+KNP~=o4Y8KAuh^ZpB!oXdCNP@@}(s7q` 
zl;t)WLSz)kH!rcOt=0`t18O1G;xk6qt)6EgIdd=-mqO~t?M#>b34Hn$OV?S&ImSo; z{j$WAsDxXk#YnY@I`Bv zsMplfEB`*%n9(EpqC`;1wI&@U<`y5+7=342D@Jn_?mrKC>N!JZ%I6qU%{ar z1-NIdVQt0Liuo5-yxGO88Jv#@HKJjAENjMc5{-yhmexo*JrU{l2dargeyi>N;YpNrm?E%6M|J$8 z{&Zm)K`svoX-;U}BP#jnk*^hT$iHaqZhvqYL z@*7j@L$%d?zDUwy=gSKQoifgv8(DLa?+Rk&WZI@QS@X`*w6;KIjLv6bVBq~8w;EI`Gc~C;i-{N~qm-2vw-8SAJD8NF zu$d+XvrRWjre($KoGSmjn#x^jFzdoCW7gCv&vZ?xd5dUmiJUX9hY=eL6(i@XX{j}j znR%4uVd(z@CLw1d9&zta&3pMi^{IIuvR7v}jSV5eFG@-*7(F+N+rs_HGl1ijGfCBN ze|=@ZEi~)Kn?ckL02ePJt9bq_0e1JXs^YGuI|vZ)Oh5DO67FNd*SGt7F}LA{(VzYA zHz)^>(u>?tAyEPzT}@ellZsJUhYej|7+=k4;(X&6P4(vc$DZbLqqm~_&2G=s#x>{N z_&{S?d*^~8%4$wSPe<2^+roR+oBi)|K8vr2?n1Arm;g1p%9eV-=xP6GNF}Ia%>DU8 z)y%lL-f0GdeoIRiv|(1wV>vb9;IawYBVcCwv`|y3{XUU5On>V0!O8IdxDAN_pKOfT z4A}y6+D60q9Y7%2fOz7rqnd-I)!kVAtSy$ll_T5MxpMxF$LVit*QiJBPnngV6z!`^ z?)0FmjC_0F^T(#mx({A{5+Jtsfkucy1DLklgFCBZ%WAARyUS~*YXQ)?pv$9Ybuh8~ z;_9b=S9VF>6|BMg!resJ=}8Iv<>}y=8ObdGrZsDMGVt)+I5YSXwam?TG-Ai~z5z4a z@3H@Plc3nP{?gO(#Yt+UdCB|eR`-MQYfC>40J3-@dYHzB%Y5rsZnCc#(>Wsv6MWoFJcbFWY~Bug zk+1i83A;n}@r&P0EX2)zKWm_Ao_MYH?RtM^qbGFS{!{8TxqcM=)S1k8(YA>^E8YPl z5qudx41o7qUd^0DK&|9yN8qsn3hOoYf8F4mTK+i1^nIJY;C@5hboK1{7#tmZOXuMB zomK68y3kCgzv6PZu*h0g@Fx6NJ_0+ufDwhjP=Nb))YP;waJJ+p)zWHux}4CvgDmKh zQ}_E4^VSz?6fcFrdEhC{Ie^f6T4mB1@GO_H46KGT064A1?RVn*Hke0;VuAptS0Th! 
zClC4fXUt4Vk$^8|UItsT^- zaIQHp*+R2L#}>`baoyFb*kniOYima%W4(UELfNkb)o*efyoP__E|n%Z$FLTmGYI!$ zqk<*>U_1ZA3T0_wh+{sv@YiOoS6dFGlLHDx*;X46LW9s|=EAhQ`mH`k;Ai+S4L5_CO{l*=%a$|ed^knJbQrIctd0^zbedUQy<}_-LcH&nd9+Az zYtH;BGAf<3(ci-u`Tvrgod>Ld$ze_}NX%xE3SBxwX01f@t^3wyUNNbWM}PKf zm4k#Jf&+QA%ALMQdQL7f&TdI9>iU;^3DAFO-(2#Dn`mKvw@G=|4SbyM}|IR z@C%aTHky@J##*?UYnkOh?w&@vWmWL&o<=s;i5p6y82iz7tAcYTq<*}OmJv>beL~bR z8cirjYHt;TKAE*X02{qc6OS|zVUdXU`P%~PR>f46*|(=Z#eFz|I4ip{65>k-8F0u{*a!Mml+<3V&*wcCX!KKfjNMdRRO8*K%CW+3O;yN# zHb9!XC|DkhZZ}8n;AtgE1)fI}HDPLCQ$_ytRp6wq)Way`z+nGpV4{Q=j>4zz(LZ_^ zDS=os{;mZdP8_*lv(Et~dQql3q9HW)k_}#-BjNuf*ahiA(y5mzz-u%P;D1E!RNg%} z)>b?HQN=dL*$>feHAbR*w14Cm_~hvl zLn10wn?Ci*sSi`sVy<%%dAH$Gy-5?Od9y` z9m|0yMEz`~N?*zsV&yo<3cunQHKycK6G5uIuL|%*>SJSY>;mhv)Yy&58^NGZ92$agG@3O25rrRJq|vTG|`Auo}E@evul7>s;p zUqLwuvt$ay#d9kdN`r0n&;bbX;A)VtRam~zB%rq|8$6PjdTGR!52>xkkxmkIS4PPB z#dl_W=V2w}kHnpSmx>OLY&F>S`1zyw_wop&1Th5vLQYyRf)ELB-*~9ykvAb~yMPH6 z9W*`%eyIGK2?uGge%|~ArxpF|Up3aVJ8d;MIcml?QEi*=k;Vph3v^7%YRHi<1@LA9 zbCcn&xna>_MbQmj9zX+p>G~N}Yk}iByOKl*DfKf;84P3>$6-~bzNmgu zg>fqkvE5F^)ZD8=nyT??q@FAVLGgk93AqPPewz#f7I*pmqc3`FX;LgRf!g({eWvCp z(TCTT{|8JsZ_yvZx3VX~%j=-6BlJ%~hS&W_H*5zR(PWXargRIBypY^>y`bKH%3&l) zS`2a}{I>+q-FWGi&x+n$>&F^uwZ|C25uj!w>h*F;z-5O1tno=k-^8T)(sMeW`uME_ zbdTqCzR=pWxH&Z`9gkZr(5ecQ7_ z=#lT$UvfMsv}vJluAx!jt-BIu3+{x;1oT)MkB_?f(D3l2H@0?LSK`>r;ZO>N>r(A; zWw19YYhSJ~rSaIWIrA&AG4E5iG|2%g-9MHsF`b z&N1GxbvHCwf$`4YZV&L+&j-!a1_C(EyVOsM4Q8nClQwso%f^{I1T#@nn$c&FxOEHp zi>o^a9>pLGfm_K%m}f@!^~NQ*&oA?GDQS2=uE>3s@pLBm+cf0F*t7oa2G}k-t?qDaROGo?-X{+ zOwu3s#_#~1WWaNnHp0f$PF#r*kUod7KmS&%Z$2ij?$zN~Hc$NRqQ~~49-xO(l6l#7 zjj~Dj`aGK`W7hN>@@#d1*y{W#Vo2j6lzH>^I2`dfe(N39_aZ#q=}k;Arm0KKSNM-Z zSA?^0j&DJiGQU}a?u}vAL+xj7>lTdb4GMY2eb_pD1$#5ySiKMZ*vP#}JOjs%<9GnO z)^5%f@8jR5x{kr*&hMI2fP#~Az8sZaQnseyBfx3IuJGg+I@Dlms&7XR60Xx^5G!~C z4d1yFR_?XrSO)QjK3J&~4{9ekdmwwf4u8bhcKUH+QuHC8zxHc(1jE0I8gQFp{YDZ& zaI98n@ufUpf+6F4a3t4PvF>lq{{?M}!WKsH8o*TS^Q>)#$k1!z%!B`{NT5s|zMGBO 
zk&aH0#*O9t38B+3#-lwCg_7TB-Z3Y!If;n>M0$xXeM5x*VBi-&al!4$UwzBGR>b4x zlka5NmqBu+x}`C;;{FFNt!7Q9tWkgeQlVPrCaZasDy;lXrzMk1vC2;)C~- z_}K!HN({q$(?5t{jfTLJIl~WuF}?8m$8TA%b=z#ToyY&zOp2S1J{;Yc4A(Z>N9h+A zyl}8BsLv*2fUAR$+_YV9Oi3OWX{4Tg9-;0^m1f?;ZqR7ioE+wF#r{A2+WD`sq-RJ* zO=$#B=-e@;VN*FGGCj5x89|=G=;#?CI8p^?=1vFa980z+oSf;X&f-c1H zt(uh}TiRA-PFbUel-e35qNB0qSX(|oP0&1?Lw-%Rs`ICS*k2fTnYx&PR8|hgY!s-U z-Qe1ToTb^K)}oryq`!LR~3(t0q;0W`xUq1~mgj8c;gT`FB z2n(?Jl6vVH>=tw^C69|=>-GE8@N+Si?$vY52P^F(V5xH#@I1Bu zc~ptu*m&;);1q(RIrbB4ii>V&U`!c1sy;(Q^9@E=oElha(1P$jn}X>~ zy|fmqsS<6c&t_Kqmw}-e`OnDaN&5tm>tFt+LnK--Vq^1G$0S;qRLSxJZCJhZWD0ad zFyp4rztb3LOCg*2Px09=u^Qt>VRqwT1GzSa;a+Z<18;bAATg`9wuAB%!};V9@?=uf zCKuDJT0C3EVt7vwu0fna zV^)P)uuG3PIuW@~(@MlKBPZ6`d@&(@SP{v{&PfuD&e)k&U0{W8!x(cik*!cS&Low9 z5o48xCYB}gu0T{+a7}yQLNC0?8`u}AD&2zwWb{uk;RPtxz|PBnOfv;iUN84+aF?< zs5+QE;!c8bRg@yUvE}(u)2SS@aZskp9OX^)zI;x7egwb$75shjPm<|~b$(SybXoKU zRbeTL(vJtAl<9hQ(eksTKc^(Sgn!{HdoA_tOV(-=FjtY5uEJqpfCc`l7^ZF4zo&{4BMOLku9re;n384~7sMP=WE9$F5hX7}X%vhSilhZIu00qITF^s!>Y! zjzy>4z!nXJlFO(cDhvg}REgf)DF5kgtL%6?YZjK z&1xBkYqLh(a>VIa<z zf4r3@xO(mlr#^36yICXZ=+7S(!JX2zx?5;^o1to|F3|Vr$J^4bIWq7nm~09?x_o^> z5hgMOJiSF{t?)gfZqF_NPHJht_n1Lj3Y8}g}OH96uTPkJ(jj! 
zlM@Y>??5}bXW1PqGWXKBgmpI;OA>4E&+7x7E%|>w7K^Vu)}14^ECk0tjDv`V%}}~5 z7f8NJN@zlD3|OyKJimXkt{eE3D!Qm~%Po^TdE=!1&G3V0^Jufn<$yZ5=|GHFAJDdk zFRbOcNi{5A9<}OT{rkH7j5&4dEXm#dlZ7v+8=u9SN2;SsBAB7hvfRGko?Ugkt;_6X zZ~Oy^h>^TJdc{93jGcSksW5lGZR0-?_YU37<%nIh_c^6TDj38GT`uD~rwb>ARC)TG zNiuhwXCPj+x>fcxFNT7zd*q58 zXW?(e3Wgm68xADZA8sv-dkb3?o$36xx;rn3t#2<46Ujn@>w@Lp?hoXE+8LNO!xeAm zrcesp%bN~g*R#VN5LD9x6W{qxewOz0(HyhKZH!kFW?ecnh{I?1c2aqc+=2hmBpcjy z0A^kWTmzKBcK>yW$sPo>4)D#qp1wq{Cn}}RVFZ<H3;^6G+qEAbe_Rqq)^kFkE z<&WY98qgfey9yJ0ZLq~RF~)x5ZkpeD^U~^ZQq_G1rp_M;UrrjJM~3q~Cj*^#NQ=fS z$u)^oR5|%s(S@1Fv#N*X@Q_6bw+DZbo*_&3vwiLkIFFW)#iT0eO~rC5x#?D9Ihq-> zoitHW!W+kB&%-X%U{W=BI#hhxWGocAS4bUObh=VW5HE8wmNCl*11XT{fQ8JuGrAjC zhj*qEHf00LvZ!>c2}gM<(#(M`=tlnMEEj6d^)o7Ht!kB}d#xBaXMHG`@paNDk{`BH zvkaT#)IB*2${&j?p<#K9E}<^Gns9No8AOr;zc|Jph%wv9LXxTUK(cQ(bNi$Ys>ip-uMC&$-6xCHOr`UP_ zQh}T%tbBYbrXn2}+=p%k0XPs;-QC#NapntgWJjJnM zook*1oDfZKOH%)lqb9Df*lPczvV0~(C=-)+vt&!V zCosr7aV4voUEHbB#Y(kiV6kkRf12jdW!jEGGSyOJK#3LUFEd|-wc>J*M%xP_JPXz{zQ)+OK3f^dR!V{(}1Q zYbrVRR*`n`(WZ1X1MHpnUq|Lo*8SAL=r?&uw=R?utUqASP)7c36~%=s$<$Hy&R)yp zjjJfOoRjZ`DrwVXo)(BU$8tz%l2OuhvoTmHM*gs)=k>eIb>hpM3XKuh*vMfv{_Jt< z5EZFURIzM4x2om3Y{JTm)v9HY8PvjKC`H2h2cJ7%8tGRr{p(=3=+_|qbSAOPv2kY@ zk4XYYn`8Cg)?XbI1$+TvnMT%2Vzbg;29YJM(jE73u=UN8@J9RE*@zdPafmVqCWtx$0SLSagItjvEK5DM#BD$ij9Vo5zaA{ zF!iqchNV=dBXNd|7YQ3a(gu{SjCTfRDp1TT5y(cya7@IAiqj@X#3Br5@`OAHtoz&G zVMvDYg(ehKrS#yVBe&E^z|G|u(1iEtiJcz1dK%%h60y;mdov>!)O zuLn&_t7lc3XZ#jRtB1{ZfV;cH>sx28*E@mtO@8LV$Rlo{6Zv=M^bQPLuU&}b3&2`x zTc*nmySlkSe#f4HCdqY=iY6m0Zgl5OYdq{=b+0VRCa8{o%jfX#CifKI^9OaZj?DyA z6&SA#cry&Q_2*pksr4vpGgC)bI+~+y2eSdT0VeKzq5e_OZlAGZ4#5I%EvsqpVaeO! 
zU=By?*vg%D>XP4~cuRqJ%X8$yu$nPy-DN&^OYc4C?wV3Yl5pqS$rI}OFVMuAz7(UQ z+>XteL#y~sRWAyErq`*v0t=w+C{lM*c-bqAUBmM^_NfuHl9>Fyp#8AAoxJo4(7#Fs zKrpq`zYn$>X1|?nb=;<3Hg|;_eh#X-J`LLW-dt6J8@oC->XIw#$KSp`Cb{1INwiDW zU1>R7YijrI?NK?+`>ecBddSGEe!hXzJntBA@CC11pKSqqvL6MDn$GFwMUs;|hin&U z3|cqTGvDlAW!)Ye+{P3)n`QU2TeC>2&2>0=00ULKM6wsYSNs;6iyQWD4wVlLclIwY zg2{~S;?J}dLN~*@+`$Iyq<2TmzH3+69@`c1p3Ec^!!LpgfZHGE$AwYtAEWX1DD{yz zUXBwacI|r;Pv#Bf*1Da~`%P0v;bVGxc0Malk9_aznztdF9esbDhXCI8o{OufL|(h; zmr*@^=^Gff4_|6#Ty-&_c8{SHe06Ov4UB4JCtJa~3z$#3fQcpgv9#)czVBnYSAX2j zvd=;DH~a#x+e1QNz!=!@_XoGjC(q(yfATD3KDiDFkPLMDI%S)Cnl}sJI5Zb(0n>o% zz>1fj3Pgu2c|+?`CM81+X8~|7ev>T(|EA9{_+8&t0$cl+e?3I28}`M&HW>+3*h9;H z+4sIMF=;W+uQcAxbdL8Um!LN$A5;kqB1Y zum?YED`yY-r8y5rov5sW(Y7X3VcIR{?}E86wsUmk%ONfLVT?q>CuAaqGKgm|9*XeN zf~JSV86B6Yhw5w{^Rsg6YBjAfMG9HI;EfU9z8I{Q8`mKu@qXd#TORexr9vJGNZ|g3 zIWoFH=jr|kT1sU+?EmF(+WU@`c3(e_MqCsoQZ0t%!`K%*6G{nzG}|(DC`>rKB*n(* zUkG89PP$A<0Fw>u)94uvXs`aIQ5(-ujuy=c#1H+2oYfzs_i5n3A8jSwcApPhoPRwx zO+z1)>!^qhblXliD-13v)vl(RE9>PUMTe=2);w0w$)AzYPermeVGnus`-)x0%TDp` zW*_%kYP``?!t*i9zRZ=s3b$8v1Hn1J`$%p$!^nhXSd(_l&8iWtc?0^pA3|g#jS^?6 zXtCy89UAX;dIpCvIo;Z{tbq97CdF1=nuPPY#%c!1gDxfWK@VxTjKsj~7g2{}b6z_< z@6RU;d;dUH?LPwHr*XYD0_feR^Y^oR7;9Fv$Z2t74Gdp(^;^lTJ-LnSx-Eyyx-feJ zQ5IAivA&~(9q)r(AKru)0DD5~F8^dc@6K>B1{$BajgJjLk)a@1yWr%o>s?Yi0VLcq zJ8!x0z*HIGr>APA(gEt*#*f+zUcgS^k zT4rUNbKO!mzjm zkAzC8k(|D25nZ=Lu}ECx$|G{-uQ@a>s95Z?cjyJF>sA`9!tc^)V2)PlglKj2-YZ8) z-WMd+MW&!TB9&1428+}0L0fYfRmD%Qe2wcX_s(iu@h#Nn5=R*|E8(CbD)Pqm2;3K%*Gl2E&4m+f z&na+Wn~hR(M->wrP-16~%qmYVyaq`Wu@wyqN!kR${v^-aGXAJZjmmXGVAfhR>J8C0 z%%eoWJ1e|5qA_rawT>v? 
z+ppyM7ywx&C9ZQ70C^li;A4uB5|JmQ!vWz1{{BOJ}rN0Uw9X;8dVC>xa?WLq)z^Q{LrNDIkUT+_iUxCFW8T0 zxe0`23)kg57mIR}L<4H@?3}*xIhbj}GVuP0X&_z$K)CKM zxL?Hi?tn6r95P;yi4;Yi8agKNhKO#*S=S6TGrI20;3BtlE;4beL9ZjlSFwVwe+E^n zGaK%qWRG6>+(y!tssW>dX9Y|u+8-GcZmS+$H>U7e|1t?d|2D~A<`jtm#*yyNdy#@m zyr|9o0A^0WPVG`PCHTA+ls2^p$7}~m-`OQVTf20-==`93626IQlGYY z^mU7bs&01(D%AA83j>scv50j5z|S7=ozV$*U)PI(+z>#MuM5ZHIv#4}pR%s=%%}DH zOWi9*=i5v#+g4w*?4u^oCL(pH1IY$K)!Q`e5SlRGSuM=zPDm^DeRKw(-(2&-`z8li zFyQ-C`Gm^cM)48P`6PT3hm9gIvvNMGX%ADSwS)S03EU`?wSPOk9{nuA=y*(PezHqW z@NLNfUbw!qEeYSvXMX5^j&PWY&7})<48|S27V>Z0i~=RAJwMEcD)JbXt)Dgwn%}vn zD!P(f*4?>5cd+y#^zFZ&-hzEzCH97@c|I&`E`e`MlJ<^T0w0H5k%$0caQ$3Ld2~;W z&(6}-eHY-Cik~o9$L?m$zGe3k5!C$qsEJE!uH^#u`SL^4bGybv$Gz?#e$Aj`)6>i6 z{J#=JFxg;fpMHS(R>prn{EEnNR{I{jg1Zr(c3yCiW8)U7tHDK|lN`c^BH+?-gH|lr z4Cpa4E9H+NeJt?E0SqHI44n4g%x;N}R9N_G#73(XaeYw@t5~tN#vQJ{+Nxwq)gn0= z=(j3eqvblI1>Nt+ToNJ$qmkRjjNHRxA`$y4EuT2j)% ziw%gtS6vP4#V#uC+D0>`?N4XMv`ATX4`VIZazm!!(HsH!h#JvE`a+F=h!xuA=?(~y zDD$$EVzMq&^~%AKS(~h0D(dOfxQw#rlM<3K5~JOwaN>{Xbx*~F6A)5yXpto2S-A*80(I;-5dCC0yo+IYhf7#=1?jyT%-)O`K36af z3YTRT%jO5BN6h+F8X#RA1)*j*QWiJj8dIqVgS9%XGZ#zQo{ym+E|uY4IOi{>;(}I7E8f@Qxk> zOxv$8s>Uw3C%k0_){faZyaEA9-@v9Oxj8A=1QUs0swfYC)~X_vW62l|{0uu5-y^J6 z^Wn?Um8t#3p=<6t3+r45@2VT%#FhIw6U_7_(p*G@-7m#D|3xQhVW==r$EFTb0dJa2 z54jJ8muTmnt+L36iWNRVXVk&bnrPN+MuMNsK|&$^2tq01XIUSHyf9}!dVs&gSNy54 z7q;bnDVhjZPUAdfV%@Xb7E*=+!O(F>q^M9A_WEx$$Vhl~M4_cwdnV_kv{3~jxj3Z| zfsrl&O25^1fg0(T*rIB3rXy)WlW&yTsFi8qI4KIq(1UZ}nMu=Og&miNoPfK0Oqjo`Q1vY0M$cjejAVvdOT8>>Q$9@8RS}ogOYTjmC=q(a&WF^J&T}MV1-kcBK{xts!Mw zsbZI-ei5Be!Y2aAsf$&^xnfd&u2)&L=WdH)EEdET@wJOHtL3K`J z-R^k`IsrvHLMck~M6X>b*(>&b5I4Yiw}ndwCmsJ0Z;(K=XA4v2XWnCU5Kf}d+Dffqo?$WQ@&8~|m;>t#Fez-< z3z(jIM&$s4r?_WxI&gh3R=r~Rg&wl)!cX44o_q!Y3LuG>&!Yo^|5t`EQI<};cH;U; zYVW$$qqiyHThzb5{@k*^1J}5HpJ}8?(NIi|&B5gN8SaaT4p%iRzR}l96Ph6M6J8T z5o6_-;33UL6K+0>mhtuoKQE1p58xl*ezt6cyTh~CZ*@!NCiLgJ>*Kv6K_Hj&_Q#Rx zs?F`hkCXSMsMIDqun zs7!7Lwx<`AsttXcpaJUXKG73^Kk+^0@e1Us_Z2d11IVacVWE0Oq*(Y^Jv~zdKwr+4 
z;ua#(2Hskm`Wj7GulYW`r%3o4JUB(%d7Ig_LE(YkauOUe#rw1=FVwu9dZF=$eRbc8 zdi}Y$NuX=iz~=nV)TF`N`9!jz!^Bwins!^v#zSYMb$9gSa#zFR#<1=Wr^SM%$y!OF z+VeHtCaU6ouZrm%4Nv=^YtWsG`2q6gg+XK3<0)gjX7$HI(1zC{FQdWDA!Wq^E+B3F zcAj@?^Wzd0ml0n;S!;igKy%GS+4Tea8k-t-vh6&m@Jc9(|D-TrCZ67lqz=iodxE;M z?))IxyZuG_Dx(7|jo@|~Z7*Q}joNTuc)W@2WulbP8^kBdJ2mKJ@CyW2 z$H=?z%CST5;}71RBkvylH<~vW=#~(1A{|BB&C8PlW|9}Rwxb;Ub# zs$5xJ=q-eEdwQjuS;R6I@qGzqDAtlF)rt&a4(gF7nDUrgq9-IU5ahH_g+cFT*u}pBpToH67zB`UvE{QW5$Xxet8&kb##`ctM&7nRHe=k*y~F* zh8Vy+jIvpEiy@;+x|!yO6E*_NG$wBp==*RGYoT1k>Q z6Aaje(HlWpXB%vo)9YjlN0tr1gwkY0!3+!6fRJenT>N2>&chTm;=u_e_A}_adVMr~ zS%x*%y>E-sS&2NHF=ei(NhAv%o>&;sPY#_#o^GkA9pe?MR;6G$vv|SA+!xLwy;3)A zWLHPWZbd4$I@(3dx$_kNX=TlDL29Ikc6HJ84~!p0eDN>*+BMo*wm;EncxW-KsI6lK z?L93UuoHpY8-_1Lo08W7oeVJdu@dftzy_1`;^`n4##VHEI%6o7W$7?j>pF z1tHi;-6a`nw2ycBruY*HZBP|3(|JSbv}s`(etFxTAzZ!0IEm^khCj+0C?c$m4Xo+0CEX%*}Ku@kE0oN`ONA0N-Tm+4A3#s<~8 zMjbwu#k|{~>UMZZ{Z7q%wV3VT>@4|=gU!fy?YK1QO?uJp81g#UyDjt zC+S!n+twG`wr$(&*tTuk9ox2T=R4Wwod4f9^P)zLQ8zVe)qK}l^I^CUMBpT$6e=llgIG83x^lM;4{v(p~v5_Js83b2vH>P$40FQKd+!Ar@JNk)z^ANl5f$xLdA3A2~j%MRBg1^FMh*On6H@dA_PhY-Fb} znG=xS;|3TG;$aJwatsp20yuabMmVSLLx%v?E_}Xr6>W4m7|FvbtHtWuJ+sVj@E)S( z;zAyxQ$>-ID2)r0-Oy~95)RxX>BV^QaZ@cSrGmQsO8jSEE|yC?1XXm9kc1F*ddtg( z(bq8OkDzf@_!40a@NjaD#(<#>A^47Y{WarIunL(Xxu%ogp==gv6$7N(K6<#~v)A%9 zN4RD!u(`j*A`^r)B>r>2ot8m{5Y~?VG2{HNK91?c;e^ z7?|Ic?Rl6U5pKER`6DyU@p1a-Ai~jgOOW?E>#}2{{F&ElrM{%g;mzae>4u2=0D( z6yP4B?k+FFWi9@(tpN z>(EEk<84tj)pb2|-9^jW{Gj`+X251YHGbapIGFDk<1DdavSs{$aLNHAsuHjs=La+-ZCvWrZwc; zx@_NtvG`u{-2H2HdD73I^}4WTyBS7L>9Q2RG;0};BzgaEC&N|O{DP|i%I*PM?0`9G zZ#lMw-brux_4?6@+ih?7Zs{+(^{Rdjl%K}uzIJ?H8;{!#+kM~HJxcdacLz9{n*1IC zlwAam06|VbEsSb&SbSREtp}*zykXr{jD%f=YRHgH1W_6W>HBv;3yS)>;chccN1#ZI zop}BqlPIaOs_{t+d#&mx1XnF^A*zWN?$xS;f@)o>e`-CfwHhWl#SN<-YE^u8vQ}hH z)w0hLhe~1m3XdSfL7b`S-ThL@5RD5XszwyUM_|$yBi%9R@hH(hkwv<>5h)~DKZjMfd9b3d zwT@Y`&S<%oxw)&=woT4HCKew|yCaKnf4&HW=4hK|QVbDw_Rxw7CKK1ZSbm!rVDg<-EQgG z{k^z!ai~-CObTOqv3;9N_mYyu*-wh-HJ)7VF*!m@#2GVY)H$=P!-MuE!D0TIs6Ro; 
zh6A9BV*W)ZIH#rtiu@`c8@i~&O|A^7EGN3opq}ZK^|;OJ z3dA=^EDd0CjLcaA4sLh7vrna zU}|^v91WJ_vjmK0(cDvQhUG(Au5KNq4taXBIExj_DzqU@9!PXtW!|gLl5MMAyDoOH z5d)U=jS7BYXUIuyAO=E_ln8k%M{=H20aGgT;xB%Sp%8F^U!b*OvP4GjZ4|K*(hT*b%~{Y|}$l9XmvGEf_&MqC*^#kRSl!(O-7RE&w&JPZm2XT=MzcQoM zPKvy>g9y07gtaW`yZj_bhJHas-7<5_Wd;if>Om_Abt_w-f9hKd+IN{9pq>dx@@eHy z*cBCyVfFp|CxSUb=qB9|7`8?<%3WxT47+80>?dOMka$*0zfdB`wqRq*;fVamRfV=i zVM~eAnv0)ojr2?2< zP0*LUemFN0`PrXYFgICA=Q;U{>E^_uMRkF+DSSrY$0+8@Dz$lGQ@&;7xwfj=dQrG4 z`yY7 z$qAr0%4Ne>!;|2K3(y_-XUDvR-#&=ACkWUJ+ykt%e0K=I`{*6ME}m2$a!Tek0gfKq z>)&vR?SobIF}kh&r3;>y`NdW^r<=9wTHZxX+TO9_iI7NwCnZzPRsKKz_WGREFv^o(>wUSt4npoGuTjf zbEk{u=@rfduWKs0YZPCWzJ~pA;E?ufpYjWl%bWNrcqVuw&lL067Vg7r>nMV!{Z9Hr zpk!OFM`Y#V0;wAQ$qP7POlFJUEc)Eku+(|Z3|zEC@_kD5Tt@nQmgV`F{oM>e23)>A zj@csL5H43go}Z1QSLbkgIzH_pC9fZq&U#O4y#?IlKMcdkYI=2T0^0jqZ+Z`tGE@OK z$%Z;!mP=5!U)`NoV^GU=1JzY8w$#pV-=lC-+&dpovR+>!S>g95Jy!P1m5)enkI`AS z9IyXUOm(})Z1y-Uzbqb9osO-KKV4qoY$)QnuHW~NdzIqU zvNM$YhIF@F0H0064U3Y`f=Dax!91#(u3H(B*=+_M=;t#$OPqHpb7cVSMxTAhV><7Z zZdYq}=dX0*@og@0-uFq(qbH;;llf1Tz~_$3o!c_5>$`94Dl%8$lXT9QZQIFgPsdF_ z1>QH^beR3wpAC5u%I9@LbaoZW_Hzd}4eD!+?<#B1G~4HxX&LW@-{q04rLkF8zo^J{ z+hS9)Mr(gldakES-J_{fd|c<~(X1iEH-5j`Lu%zp$hocrU&A)61P$=6#^0xp ztAQ#XSFf_h9;M8L!)wITt#D@mUEcRB(w@;%nB_NtB{8$afE^9^L3@QT^Awi2JP9cJ z^PAg;k@~<~OglL=__0L4#tvxX^}@d>Zoes)JX%#$cx0IpE6+fhubMlAE6MM?x-A#I z3Ij-#l;Sxbv)QnY+OU{=aehh#f5pz*5of_eD33lUJX)Dj&z_>?qFPfaGKm=JsM?K) ziLHngP;d_vutz@ZJ&{8x@75)vFU)@QfFa9GONT_x)j-mO_)G9exY zyIO1DBtQHCf6F6vJq!M$ZYcyWe-dNaPU?}i^3(>d#3=ElcjDLUCl<`{vt~9I`80r6 z8eh^*TAG}GL3&0o&`*GC?03}E;L)VS^6AkoV)cAD%`Y_pI%2(Cbkl{JHek%UorE%k zEI&yMU15-qf6hW5PToI-nR8{Z@EbuTio$mbXlIV%GbO=VAsGJ6EYfB}cyhfVm&uV^ zH6DTu2h4JfKk0F0;1P+?47h~9^Hj4Jgon+~a`S&Hb=Qo)W^$IJ1zB|1sQ8hRCnRSy zcVyWYsN=CT{xGL%Q({PQg%S#Uh8eXxaSA>s0!fHmi$4m!8N^&@K+}%F>_p5xGzo5q z>>lV1E99|xj;ohf851c^Z=&MOx&LJskES6O8ZS;U#jc1DZFqqnY-n>0KhSBd~EunnSHV`E!zHbpv{5#@wXWc zQ!x#+91IsOa>X6*0@%_M%<|!EwijpD0P4M(?@HeB21(Oju=c7 
zNz}#vB8{jM&GPXVmpP|9dcZmLSOLf$N$QCBDkxaf+G=*Fp?e+osFV<~b`7N!ir6;@ z23=&6-V&qTVu@&^%2o6Ch}|yhXr!JG`7qv|OfR&>Y&c%fsh6ZVd#y1>_*F~94+BaZ zn1W8E46o$g-KiO)IrZ6b)plqwIKIZHGdKE~v7($IwvKyV(3O0lO)@dHx%@?OsB4^%6#vN=T+SF(x#G4yW zDW5!}MZ!=P#dTLWU(qKw0UaNLkwqz$7hKAi#>;kznt#J6B+8Fk z4UDLB7gMgU_QW!2QKiw61c7p#2M_$X9vH+$>LVzr<54Mv>D!FUp7(sPr4kihQX%#F(|=8SZz!WrI*ge+4)eVt{&A^^lV` z?dwbQpSpTk?YnuPxdXTt9XRb7O!;QOuAczJafamo66e;O089a$Gw}Q0Q#QKTnn*x1V=*Ug)+B1FTfuJ_9i6*Asikh%>tvdY@4;EjJ1 z{kESkjT?vgRX&|mIa_~PZiOX39pVt4KF%dNIv-NtTI`Ri-0B?gola{INo^}=n}BfV zHu#@On|hbuWa^s&+(>kn0D4R+5;S+niiQWkL8>L;S@S!vHFb+X9! z`DrbphQ;$LJR_69+L8X<_7UHHwq&;}`xwdZ-%3)_HV^Z2zdAa?u?_G0-F!u8A@Vwn z*OBrIEEGbs`qAz#P08imfaTQNRzG^B^CDDJLUZv}x8XX{H2d8!ezhp@ZjHpmmSt+& ztzUMjG28pJ-;@^;k_tf5bN7ZlIG*F%r>v^u zajBSLJ=cD-|7e2V+#%=_pE;n-X*s}RS@Qmrmf_P##nEPRex0(^?$m+~JP7rAzc^6v z<&@&ExKDc4(~V)f>QPWT-?T>3eRa}|WmB#cm4zA_ z6WS#q9@-aApN)Ep$IRbQ2eZHe!cP?kdZ-YNq>>PbXCq>)IV_tmEZb3+fP#H>Vo`^tZx~nxA43fv7|ab}_6*bC84pLhgNP5xLQB*0 zqE)QEo2-nj_q3*k;`+?(E%XN$A)=@oIMS|FfNt<0l8N`2lab&DM=@+ks_W25FB$G* z#|8&umDE=+xqNb$=s$M>mHbgXxUW0y%WlCaE}^BKxJKiad7<)N7Jz7CW>J_RB z2CI!S<}|*k(+dg{8ZYzIC^VP<$=A=^b|shyXFxsCC=OGZvlAIA1iyR%)&FNl7Dk~T zG`eSmWf>AiTSQhQ(?^RQ^#{7&8y|dALivp3-2wtSLn35UeV}omo?>L*a%aX)yg?61 zzEf=mIbb_S=LNIh%9Lve^dRi;v}3lMD9|U8Rf7Vu_KijYHp7kt%am^p&cc2Ik-vt5 zRB-*&6uv|>g#=VMR^-AM&I`uMZc}YkFG@x&c#h~NIZKtuPvZsRREdg@T&CReCa?D3 zR7we%Sc0s|-)=_8#0~CD40ido$;`hCSH{eW6ObR#;NZPVDoFH9f-L@HSAEOB2L(QT z)!d-L=i`tpFqQ1%pH}0JNX|wjFpt~fq9LQLi3VpX?`Vnxk|wYMX2go5Op%#G!dbOX z7Vp9M_Q&;Q?u5uwMI!6X-DNxm`+p9;&@(aYqT15`fi+;UoFKl#1&~p~tHreOqt0=Z z9HRQSvi$0FYU2-!u8|1>oh5hOfDs*3%NsziXiTvZuezE!b0&4^GKOJ4^23cstu0-f z{3Q-1$5NU53c~;Qx9B-vR~;{f$vN`I_q>R8{xgxZp6G81C{;`KY2x|r+~)MEB{Qo4 z*tp53ADva=n2{iP&2eEKW`2X>ZR(cE`>duYdM%t?6+ag!nNI!`V9h$$8+NSGh$KKV zW5kbUvx2SCi^mp``H{E_$(`V)* z>sldj{1NS(JEQg1jP;nC499t){vAiHC)wt@_S!ylgL>m9xKXH!(p2B*afB#waev-<8oSmj?+_1owa3!Q!Dkd zbbFRX=H*rA-P*Ctgp|_*tSQBoaZA*_u1xW17QZW5rvcHjTTPe5V|)J5VLu@$JELjy 
zcF^R@w_ykwy4Ad<10{wYOW)mh;~KhhDSW6(`*mWrkh@_1MrvIT*F2f9eEm$|bTb=c z{2wjFrOQy^#cy(90T55r+qK%r!1wB)CCHeq~ zX^Qn#BB>gMANc!lDS6rf1nMm)X6Hnl`k5#Q$r*yx>Li_3oLj>~k|1O8NN=d;Mo6XL z?>ss~B^XE$sD6x6Dy)>FS`~=E!+1^*X)|NbBz14wkgSUrj1>xt=DnE+^Hm_=iyXKZ zR3>_C3V8fbD1?+7)sKdg7L`<|nC^Ql4}jHa=3&S*UlT7?XhTkg5ue1CS*Cu1n5(7K zHXVs})OXgBb>kqYY-QcTGaBTKJ2xzV7fUD9sW;?^BX3P0<{*7_n72ML)Y8Yr3^nra z3zX>MlM!*7yo~&TT+bISVWgIqc)38pRti5qfHA7rRvsX~m>wsRUmp~C;NXLbu^TJX zC&4dEHlv^~CBlR2w~O<_@@dK_#R-i_8azc$P9n{7Ho^>Yw3t^3FEK}8sR4gVp`!{R zUnC_7=8}F8H80;RPV!F$S?q6>eMphD0>h46B?Sxxz_*T@Z+);&N=~#L!q`y*XMd}{+1!YqUWkcu-q0QTpv_$tEZT7u3V?Ns#rG{S zM8)_lp?7WWnfAWY?Al^g8YFPA5&8jw6!R3Lv?lLl)QDo^W*E(S6gP%#euP5mkudoZ zdf@#@tu~n*)@7o6NzBuDE~3z>$+&AlH2W?6q#43%dvrX^)A{#nW-SA-_)`2!la!}m zXyS9*@jv!-58@{0ltgXP>5quH10O)1+E@)gvds%(d}O|mG(urfq@?fXA`W8uzSyYp zZ0fFql|uhu*y^9uuz!MRcANPqIS_-i8mlcg#mc9%9mKYfM?H+6byRY8h%WcTl$3K^$+A$c`WQ+AcJe{8ajO?Q%4RqN++pofRpV8tIzMcPI)@tl-%f3x z@>p3b#F9Swk3_E~P1VrwHL?%?fyF9;kXy~ky#Beo&}9ra?!TNMoZ@-$%O@$u>F0&^ zY+Mq-&`P%+w0f+9J;HJn+ILPt!4Vc77%Xm!f! 
zADPwpy*9I=-}xx%u^~#%o)x0!VFm(O8Grjxjg($Kl$G4*UvTr(b-A!!6JJ7O*V=g$G-4yKlXiADw~>T0~jzu`^e&}z9I%RhH9R=8}GUq`StPi^cR zzti5G{8^(d!FzT&98n#F>n`bHvTWng;dQ(xun}zQ(rI&bJRH zHh1gDXg|#shkV)*S_H2y6|X&Po4sajQ&uj&u<15!H}{-Ny4=ofYOGopc%80WTnnPy zD=M#mXCEA^v|N`e0lIFpjFz7V z|IfJkuJ}SfG&};BzV4$MYxV$-0R`Cq>AEr>*WG+L&p2fN^fd>LdS873wuOOdq^=xj8XjtNbI_^G{V))@m*wW^J``y!#5z{VAE3uZ!dRDzCL9i0 zU3+UvkuzRRNkgFNc*KXW^NX7MdYStMYkvOOYeNwOkgDe{XId2sVoSM+5(u!#D-Qz3a3KLQXy9BEH8lfpyv>C^8 zPAWJKaLGFwskP%tyID^5O26dzT1Y131xjaXq!U^4EC89y@1Q;6HUUkoPJl?ZFsQ~F z?mWn*HZG9I$Zvve$aQBlUdqf;G@l7>)^HX><&Mz=<&0#O1Sx^@0L}wPwyME@{!q6U z1S_E>thXC&rau3{nR%`bq~Jr5X7Gtcr(PR-~2g!|_cM5`O2P zxM_xo=1J|PB?d5~eCo8DG-l)nvJc5{K;BAVVxm>D@0zz3kj}_gt}f9ZH2e@re>EUH zbcG#-Rg8e@UW#AGgBxO;!-x$RP!^T1RwJyfNAPrM|I;6T#(&woTv@imP7PX{et0hz zYx{!1j6v0AL-tp~ty|?%QzM~nGCaFEgj1HpLkT^MoMm&WIYXevh`^iy3!FHY70WB4 zwA>-srkBycqcT?Fkef+#wvi~epi)g5jk_VID)`1N);>)?%a74Nzl?LY!2{RMK56cr zgeYf`Ot@zTG)gD;Oyqlz$s_5`Qa%$4?F36a*rkYPwCpo4^(@6A$TC>HXcyH_WMxQU z0lbnP*z~0-c@#`{laqK?224yv?eY5xWCl;F?m%EK$FS=Nkc*2#BjXz~6O|E(rkvk8 zzIhwm9iE4h&AGVewGlin@%AqYCLTmslZ%yLUh_-*rPe4)ucuwgSgGsZYd3hj!C+OP z-)4qwh%E&HomUHTa-=BsS3qC4GR})8ws(rT6O?rQG0uQK8e{ZK1mxgY5F$+6U$*hR z7UjWR#Y9Ai5%*B66H`SvOE{w|mlKAd+7yNJyDwCdjE$myF_OKLAYL3tW>|ych%mxf zvD+LS&n|o>zv6)cUUf*|`PpeK|3snX zn!@wlhL?L$@(8f`n$kIPVY_I0b~nvpKMz2N;kBRst>XD|$8^l=G-ZjMMM2G=s&iS^ z6~p0DLxwbR0o*YezW#h^NMQr&RmD+Pe?|MtsBeH^EeI8~RL4IK9kjvhSe z3|rbPRL>{BH_n=rWa^(kG(SsTU&@|q;_+!%OlP~Y*Pa~o1%H9*q;^GmzfO(`if%`i zWb1k_S4_7ZhFwue);y0@OX4|h8)tmp3~p|9yvFB0`(27a zt-g7Z>3Z&@e+^x?KDi%re<+NOR&vXJu6(}M@BN28{k=WC5!C?OK-W@jYt?v5IQ*sV z`Pv+4LgRTG7=y!cKKT7agG+=QuBX3QD%hWoW3GUW?t3v_Jimy}`+IbtSJ(S8I^Y2B zM^eLccZ+lHSkp;fV78@=<9d9IA{+2-g+)bi+Q@Wrm1@KB80E>sJf=j)z1Y3h!SU|U zJB91utSLFU#SO55*Wr1EkGHnhioMe&n#1^9Df#bq)Ro4w$A|WLwg{>)C8uK?T?d#m z2n5ywbD7S2KL2BXb8J8sX6Z)sd%C`uwgES%&$SnAH!06K)0@EI@6K!t-0>bP?J#q; zBHVXpb}e85sAjEjcD~8iYe;k~N(5f|U{#|X{w_ViIMke_vMN7#SSiA?%2egV$`iYw zLw~^TRvL~_!7u|RcEYS?kqLXC#ZeBLro<{Jz|pZ`Rj2F|Dd&@qw{#;DIJ%C8kC32J 
zMX~s(z?cxd>BTzR90t#ex5QGHp0uh1VfJibw6lxAV^-&t_wT7yr$!U(6Eb|bx`x>@ z%AkNFuFT$g@4d@~mR4ZHNC9C!ZHm640&)f)>6LvK0W{{Xkkb9#B}mXBjU%X`yhT5_ zOZl}CgmNbI4Z%&Q5zB9h@>C(_lv!kN8U#OK&bYA#_SC!?hkD&>iG347#EYNA+S^mo zZ~t;xF1b;;4gy=l+G*kn-~I;vg1jV}Sb^NJdY3$|$higxV4JsNn#wU(3`Ha;2?xzEYSa%TJ9<}B=#Lh2V~~J!M_~l-k*iZlY^7e_gh4V@ zn-NJVGh$Yj={pJF=NYm`6OM5Zyl_kf0qQqOfl&QE)Mp6z-$LD{Mk9v5g%f;{T$qG} zhCc9)uL3x#C_$i0gK{=4yR*zBtm_nvwrCjKC$JWds8m4^W=&IScbr~$HfRqn+Ipb| zbm1bp!@eu8e_T$0ihnN`?vmN|0Xc6-cboVBcNFRh09Ox;Nu*|_Ay2q!cG8P=NNn^= z-z;RFObhAUYjiYFw8+g3K4ax6WGH9I#3Rh8YBEPq*y~oV$pufNeXU$27xNoqOyo6t zJ}HH8g~Kg?w|`{}jV`C&9E4H^$Yb?I$vCf!w!AukhGsDAVl7(DS7ZPEd5rR-;P76? zCQ+*1`J35AjQ!|?*AzEVC|h_(F>$&>8dtiff(5Hs+5TsS=bprbSG=R;G9|T5?tpa}QfZmq z!Yxcl=>y;~Cw^j9R|zQSeFor&2|-)&O--F@yUNwxZ}Xpw`Tk0@fE?f3RD9Lkt3fIh z%$I2>le%T)L{~N!$KTfF8WuRR8nDWlVA4v zW6GI+mL|Hq$bsZ6g2p-(3W39x(jI1st2+})OpI7u?t)8M_ql>Y_g_6J#sP-CpFt9% z0peTtzwll59RCbG(g)1hYI~nqOnomSRC7eXKz_@B*!b&%@2Kp);K;Nh__1lWahlGQ z0Qs{01yZ6e67n*gf{A10(!GU&Gc)G?a&0cqHSj8gih8B;va=1<*>eU3^aI>X6HNar_dOMP7{XpupHMkzz<1I$)6e7XIlGsfXMETY zxkTaw@dL>hq+7agA`jX(k8uY&WB@h!BmAr3`E8ne6Hr-q_j|eW{jPqU#&tj9y#~nF z!|Z-DDzpD^X#?>5bzG2=?E~CNi0-+1;L&CGbhj3~X-<$4NFSy(WCLuu$=E$|S{~O{ ztPLWf~)c1BTTh<(M zl6-1KoQ6@5ss%2ZPOhE4B12t1%X0CW?(}16aEzQ#HVJxK%4$T=iA+)v)7qJKpO} z6pD+tXNl;s^wi4nWWkVP^L{4Jx@`{N{gH;Q6<9Zn$0?uYxHmOU>vY}O<(h3sHW3_! 
zF!iB$dZDNSa2>_2Ub#PDk=c5^JpN~@#4pxm_#Ip$I}PIko#QUqiBZeexvSdzBx2eI zsH&Yb9=*5mv5jz5<-WS`RMBw0Id_)X=1bM)FkeFQT$*#8>i8_xVeyC*D}3^VFu&va zc!_#{Vn6llaaL{drLBCkvKStcj@G_#Ub@(P->+)c*lX?Cxa+sJ%skV5u{^BiVN+Ih zZ*zUFYVm~1rcAotI!a_|dSV(9jdHYIc?vb%ddZ-Rw)}s^mtfHJlZ*oe*c0}o{9zie zFLK~&^T|eCgH{Zq4KnV2_41#|s4L*U*YigS3(vx9MqGy(EgIT_FD0A;upq>Il_gFi z5EF)I=w^+NE1{Qg9)c)zslGhpFqbvM;g1SUJL#GvJBiJk>SN}$QHFx zC_jMZ;0~33;h(ZFUc3y)XmC2!al1>yylp6nHe-01R(B4@t-4^{>VPdlS;Rkr2 zy?TD(lZY}rG>UdcgBM-^F&1g`U&2U&F5UO6v^bf|g4ETeZ> z%%fKnE@~((UqJ3F%egN>w|Qbyz$wxs|6f%FgCwGLfxiA$-tBygHU>6*h0@-rKs}F9 zGnb5@-(Inc;!D`a&;-H^(k)Uhv-Us6iv;+OcL|UG(V!mv9*UpSa<|cK1&P#S{+@F5)}y%2a%C4hc9R!b1T%1s%|~vJf@;u z3%MF(2D8}8Hsv_u2c_ZOy>P^lCyhiyzsuRm)+NqN+OE#Z&yp-x&KE9Bc#g=QkBpt? zzlh18O<&ll)%T#l4UQv;^P=CrVq@|?P`F( zUDV*yo}jgsnTKO16+9m2)pw=i+HHCC&3>nzWJE5xzJ<^Kf>|G0-FhvO)SB~Gp?LzS zc{;1~TqDGS^I#&=jn`~@(<(hT=!Qs|*MLalXL*DNEJz$ zKe~11G=}TRKOPmFa-<;{)~ZfE{b3?QFfhaiw8-cj1lv`tEDIFoYWnOp{D%B(n1sR6 zlm1x2DHwx?R>wyfmZzat@v1H0;6pm~{j!%VvG8UBaP8{nh%rT5BdNEtH#639WV2Sz z`kg*V;$>01*{d8%D+pk!;z+LtN}!B@Ym*KvI;3jTd*x+1Ypc|(cW$O3SI(AX`Xq*6 zg9?^>JJHozp!Rb8ko3Cq%J(#v*pIqrH+iTr};|S z76KSqAz=)^jp;2nR8vJrOOg#3$=WE*ButtxA{wR{-A8bxES-5x)pBK^+T_{5pnqB; z{Nt!Wo6#^O_bjwDrG#KNPSrbUlyu=6@W&C-p{0>lY~toWnCPS`4{SvVQ3*cwqd)OT z3c+vu8(tKelou0CDfG)&G$X{BK8H1W5W~ zQUxBPnBza>q%?;1%lZR<(x-*YgWpZR$iB^=0EmMWQ6=PFL?3eQeHt%^QqFaG9o}tw znxEP{bxpJ2wOEjRAA+Zvk+x3Jz8)qXOKj_hZKyWAIJ`DETy5T$>OFg!K0co-T_@4* zb=!P0wlh6%r0KTWb|RqOMXeK0ao-gu){Y$ko6p18IFPn*k*Ak7?a%V=efJAp$F^NJ znxQ@rCl_8PQMxNkyhgQ?kM}+IlSWl*=!k1ok8i&{Jx!-P9~VNGn()G1wB@+JLO#Dw zN=@Hck`-XLbx)HBpUA%cPCUoFUn;;MX&kK@vuRp*RNEzPRr?R@tbJhQ{Is3-fq{ymOnj)7Wdg=-WHMIwuM#FViI)S z_WF#IS3S0O#*@H;LUmS;Z#Q#BNL5~aU0G1o zI!Cu9FRNN26vm!fC4-T66`H8F;* zP>$}c&eR5Q5@EQv6D~CaKU4Io+dZ)D!q2j5Q-{pg^~`RZ$)|Ssxp;g_nd|!i>v4G* zIL|Md^RV%B&P!-xf1wK0HJqfIJ+@ZDQ={c<0S4MA# zv)#J99NGe2{{#Bg0CQ(T7ko1`fv;hWF?)cQLcyOv`^RlGp2#T5YVLO#y1us@q)p&4 zVAeNQ9Wi>!!BNO1WyM!Rvi>Wy2~wb>*!8azo8~anKBwGu)0n;Io_;RuX<+3rB1M75 
zLuOy0q4I)3tWl73dl@?aKVyk%1)3uZK9a7fLXO#4jM-UZ(QGxtvFMms+MW|0zb&d zk}$jiQht@J}H(z0eZJ`*U&HPs+qH`V}AMoxFf04bEi^x_8Y63Cw){uO9a zeS%ApFRv~jB<43N34`@mS9;4EW_G5XIvS}&S~8|PYng$@$ zuzX{&n3E}f>>Hs8{3Yn%{--f5fG6G*U5Hs8Fo^_~hB|0Lg`EyYzi+@7M*q8rz3jEx z24P;iN+%6kBmjYC=n4vRU!owhk}4& z-M(Y7pRdA@XMjrS-X9}sACXI@s_wy1VWvimGp_IbIOXPDzn6y(d8fw zXTd{%8YYz&3vo$x>r(g6>wD*~8S!8be2Srj)Z0VZ{cm zp2V}GR54>%8lxti5*PGWk#91H&EjD;CtLIDH}gce2$h$JN2|egc_}1^&oM`gBm0f3 zjai=PC-uIAM=D@Y7rSwsOs2z8@)JRGDZ9HED@rIprDbD0gCtD2 z5#u-*!+1>lB6CF0RDWgMW&@SjiyH^On9k*{pYh?`eEC~Rs-U2#`w2^gJXzx)lh$Ib zS$~BDc8oQS%KjM&aYngXg0E4ID=Hh7-ccCESE?vepu`&g-DnP`KY(0|JUuJWhV?tD zQ}$F!PG#+~Qu{3OJd2oZaZ##(7h61DC+ev+Stv?$XPhv{Jf>@x z!_bgbvr#Pawci8;8f2VW11J?+?7RB0Z$y z3}6><@ct3{@%)a2_={dVmLAb};my`mt1Iexh7E7!-O8g+h05y`;;;yC^;scpnUSp8 z=KOlN&G{T_+YP~e|De#gzSJ7ppYZLai5VrTLDCr)a&SF;CD9Z#iM7Y@1J?dfaXSIE+@8M4()0 zKTl_Mm$&Owb@t0Ik1w4v9gZIvKJQp{S6vUS@!7pTMYr5wm7WhrynE^{ly#SzKR)lb zJH2x@dKP>OLtVR#?p;~GC*&&dy!jzmH$HH88>v)#`Z*6G;adE9Ge0p>a^NYG4jNE&ww!bjDZ}foA!_>~xvng4$)WrBY)xMXj9r!+TFN--bORaZ{ zmM&_q(7SP#Q=F7t!$&F7Xtmhg1vy+>UlHQCECA1m3QVRc-zUk6YNxLl$NGs)`wKU8 z$d%_T+YfT!K{wJw#Uq{OX;JW#%y!V8qD=;l^B`TUG23^ZAX`}$`qr_U=ErVQRz^ov zZU1$hqQdY&j^=ehkOqNDCMi?k0h?fXbI@MyaRyejJd{{{H|4gUk|3rz4v z>jOx z|3PHwC;(5XN8j)fo~Q<7^z1b>E$)Lsk$S<5QJKvLXoV{|!?0g0*KPpGWi!OnuAQWq&;f**??6`RR(pbK>pJcJ8r_|Qfp)> zOsp}}&%GG4v%)$Dw6mgZ`Djc6Pms+}O7rMKaQ~P1fZiGfVM|bJ(})**1nhn{Z@xzO zWH4NIr5cSEMg*-odY!&kRcjPeCZh$U1B?%vjpZhT)}GrZ%sMx~3qDD1s%P~21zl*I_NI?g5Q zCq9frufWHPlg3ib5G9&`Hnqa-O_a`-yKeE9OofE1%xPBzbaKGaY=M17l_!=q6^~qC z)6YTl&>7Ez5=*2{EEvj#cQA28Rk7Kha=G*(BUhLbIP7&99w?+OgzPf0x1Z~*=^Qlq zNFlrFlGHZb=sUqOgUpH#L5>F?2Zywq-={xW>`qR2W}K1XjsmL~yqv=i8h>Ii-Km@raa4hfeD+Q|zEywI= zhRTHa`K5KIrCV2m19x0}Z_>PZ+#-D_Pyd-&bnG`~+99W85|eB(N2t5TlRcXq9C}a)FjozB1i+C z!onjJ>OC|isG7f*?KiS>5M@|sQ*B(XVbLDoLl^ED7he24(f$2(nC!$tRVU-S`wkOi zH{}q7##c4z3A4uFxQxdRF&NWH|EO0{_5mfYLKX^3GB$=}S#l}GJz9SLj(Va6Z@%cS z4hLmo<)^zb;&^NurlFsmn>4OetDO`N+Z~?SPXSD8l`!<8^dShI(+@Q?1&=8Tn}cTF5c@%%4}ZOpA%i7}5&|oJR=p-< 
z;kSNaU*RT`x3$&n-sZUbVMH$iP-`(Z%6bqY8yiq=H=oyVoyFbr<)VYv5748nyr$vX zvHST&Z{RyMmb=eT+Ah(madq3*??rh7-o%Txrd$Z~n5 zoA4Z@DXuhWCg=hoi!MuCVkqHEwQjICi>7KA-|4*t6|sDUL@soTsq>>-jL@Q?WHrQ` zbz=xgSvh9=$1&w4yqS)g3y`qa5-wo?qORx?m&N-r(pY{*<(RB%Nb~ve_}{Yn@}zf6 zGAu}$8oT@vjE8{VLNym_1h&zGHldcg+CH zKA-f$B}tO`F1HI8fC>GsXHY90>ia$FlD2(UN^@!oQW>JF{7&mViJsWce`y%`+-?#n z{&att`B{E5vv!MxW7p}ltr{HfIWUnswRJn-&g}e`e8#HVWi9x~hCXWMWBbyUt1@TLAf6Qi~Wb)f;-tH-tm2xzVC^520l6|}4ELp9t4A#U637+Cpu?kotmz6bUh zuK2!1ZxH+6@h4BlUy6I4Gfy#T_+OR~ZCg5=zIQj^H-GoI3c^t01?MH_E-?H2Ten@M zW@`H_yxW-Re-r8W&avkS{PYAnPd|jDGCvRTcT%8A?jY9H`kEvobMx+2ZSlX~ykQ&t z0sK305$<_-h29WyIrWN-NX-F))TnnFKLI$@zxU(bu|}o`P<`V&IC!hxnICdpkA%HG zw632uUW%D>8itCGMSI>VdUkJ;8G&XhK5d;EJ%m?a&Z|0lSlBE7)fMcRm#$E`uRr&t zucrK#+d$=>4z6bZP9wSXkA5#Pt?%77`qy2@JXQH&JUoaSX}@*WB9j<;W0@*Ulf9fj zA}R7+*Qt4~o%Wi2JP$GV=U(^ILu6udeLNt5lDWSay&)ff0H?X{#$b}#6M;|z*B7o< ze=vp5Ll^KKjRpZ5x>?K_t%xgEjhrCf*1?e>>G-OaME zmvV|-&-EBe+Ti%NYXNZOMC1A3v(^&`iw9f|+XEWCC8+gWPd)FNH(YUW9%ei5b{oj? ztZi5HMs4XCt|)!$NvmQH!m(?8#cL(v1}9&2M|OdCqQSWxua1o*(?ejT0zXW!ij9u* zeQpa_iC1TkGh$me$%g9F;^2GoAq)=x2%gz~z0gle)amFd`dBbP2cuomLLUv|4Sa`? z*Hsr_6vbzXPKC9RaGNR*e1OJ`Xci-=Qa1~e>Izq zTE~O^qTv~lFClHr+SHbpn(Ec5J<%eGOhGv>IU}Fdkw=M;C=ow5bNEeo292>$B@ud* zXiXdo5V}pV`(1km2AW*>N9d^vvL|HeoLLi;*&kn+dDWK5I+ZyHSNJ||CmS{i!7%K3 zU*<&EUQsU*O$ss#TIq2!SsH!TL}H9*B*XdSw2SAO9J7!-WwcP8u%#d|5&k60MZr;& zGz4f4khKTjLA_@9eTfsF+TIkMK)GgVaMaRrS`KwP9tBQPWHZ1R&b?6><;J>I^NPh1 zhmi+TWK63o_E>n0Hth#mIAJmiYy6KkI7?98ksIfXQm5uZ_Ih#_1Ugv_wuzK;hj)U*%3qnH=Pql_aB9V(N0@Hv zABLvfXf=f;odI%+)a10cCVqA+VYp;CHqnO7D~t+jgVI(KWXmr}f@iDy4kV6yyj8Y1 zCnc7rn)GzfYB+U8^3BO~yA8jR5g6j>5<3XO3ctW-PEHnl-XbyyQwgN>!WEJLVcNm9&8<0=Amz9eCMo7gz;m7<0Pg z2J0k%fD&vg8WYchvQT*ju*e$8z1@?#WvcaKF6vDo8K%K`IIRFrE~LwZD4gpC&&p2! 
zt`xJ|NE!c*cpKu8YF8G(EoWJhz=Qqj^ex~FZn7U!s)I2`F<2MBfEQ5#dPvmyZ$yPkX4VC{{N_h^+5=`63>l1p zGtW%0T+N2{t>}asZw-_&9#6tT6h^=;wFY>qIQYj0WCGX^)Ee~zNsqU2%G)CvEhJ-l zt{PjiWU?Y5m<|u)f_gz#Pc+c(pkEWRic^w@q7az}au_g8JSvX&1m*B3*{RE#T&qX` zU6K%TCf%)E*=mwm4v@jPiV`G6Jl|a;Nn^p5f8Ko1!utCGp1L|=^FQ9j)pu-Ul7F_^2s z!hj6Dd3Gs5*Tw%=z_0`nV5RdJ;YSjPk)3N{T!B{b4E1~-D1{ee-SO11=UABEPBY!G zXBqbWxHFd~mlPLD&6+U88A7r(i2K(vFjZ;!RT4$WqFI$YSlKi`HKbe_uG zJTT`xA7q>aaqg@F+RhF+O`(`T3vWOd+t<=_l79kln;t1z(pTD7#q@nfmZ-0w_Cc)S z=b6vt5Xb5p`?t2)te!J|xha0oQ|J5rZ)j%2hHJX*)|QFuZYj{5xS{=4L;pao&uvZd zwRU~SQZn$TUt)+-ZpT9P(4izjR;Kqwbz>-jUE`&u(qpc!dnxkSN_WQwUgnPXC$@Y? zh>zy!p>X^Zv9{f_@pI2c|LMpktmk7;k2&i#J>@NIAtz^B9-aB!E0USTw3=xGMzf=#sBD}-QFg`^)IDaT; zIXq^y-fOJvc>Znyd!iBuuTLJJT$i|vBwh=+?=gFTh*HCHMq$_7A7|n?9V3g06B6T^uG?9D8;LQyo_U$J8}I zpTmK}YtY|+Q~s@+UY*sQOX7&YXMN{mEXTKx1*Ig#w>dy$A+osc?%spsOzO(J*zV?a z&vW8~BNF%e$FzZw{-ynq6|=$fXYTe&6wqghOZy4<_rnMi47PeW&izMn5Bdl$isuEt zNURIXI#B~}axcKSe?8pG`z>+qoI0LP<(;r%i0KzlgeDYl1e2nt5;{sI-L~b5BhYZ6Q4otSB&^xW)s^iZ&(Ujt{Z2v17%t*z z0IX0RU?x9dxK>0*BT1aDwjr^=Fi9p__Tl@0!s!D|MxQbozOiGXrxcK_y9{fKpB_*A z+4PVyTvgdxHy$@*H9&&Z=Kf0Ko6sksXn1gNnzKP2Q>5b@dd8d)wgLPNP1hT+msyQ#mv#kwqi0GCMK`=elN?iFRW- zHDeCPPDT*&tyZz=O5zObpN<=psqXi?7t!GOxr)AD&5t7)!Uv6!4!OTTo&PF0OA^O6 z-*1krKZu&M z=wC@=Vil8agyI0*DW+V<;iwlYRS_WT43)#iynVG*j_hb#fmDb!TJ#j)|Z{eVLS3TQhm9rR1tqE2(dL z={G%Q-d!>0VN=O$Vps_LQkT^NKtugK)%_@^-2bT8E^#s2gb>t7LJ1xX4d~hZ)}%dH z%Im;^XiNkfad@h1%>kk@$ZU~K7UP2fbm=`IZiNR==*|$7%Tf#W${mU+agO~WvGveU z>R+Q|dc7AxcEz8@JbR{S=rEJK@_yl(z4Mh}$^W_tTb`h=vcSlZozGF5rLkCImz?ha z@%jTU_ci$T;%p6j=!8~UENsoL^w%60DN4P3ziYWNNplE#*vm&+PDFXm0*075sn}YQ zc)AT!)d&nFJl!gBFN9F1P1}0IKbqpNc5&FcT^W7R1X!hKF)+GZMDc~bNCX^Mv;0gmV4CM>XP-dz@#=gs*C$ zD)t&EWX?kgov!1I&dD=WNG}eU4m=|KUpWEGi#wkH2?IWEUPBkm zUjdJgw762FHfTm5@h^OC)eN`ea#olh&w~da$o{&kG<*l8I!f&~?Y6Cd&KO96lZTTU zu-Edjjy=vgd#TZ%YthU3O4q<671-SPs_l{3VnvSjU996A;c-FlHN0H#qkq>=5OU6I{DG$EG?M%>A2d^w6`Ij1X^StqVNv1 zf%+3cZ>Za)J(qYB52&Ce_n8LfAy~}%Fyfx02!ua)TH;!_`OYtc;umjU;QT!EXSimU 
z-|W%TO`5WIF4C*JNhAkK_N8_`Lh+_L#1BHip!HlxaMgA+F=*2gkt@1p+R$l_POsMO zPF2`vyG^G1S!|ac_Sz%(Q)|rqFeZ(8r@9ai3yS*g-9)0n)m)?)Mnb)A=(yeO) zzmqjj%-GF)+ZT+K?uT%3f=qqz(oO5~`sqJ{D{aQ7&czUF!nVs2tE;}I<7(2(9>Ifo zKPCgO;w=PN0k?jBAI6?{>y@kbrpL8u$@6Vo2jBi%J%+oB)MH`Io?1$mB0Azy1TMN(FcntF4CpHr<0UsWDc^%kO&pKx{B31hY`mW zUI~2Y2_fav5ICOwJt5F?X9O>XiP4)ZApeaGao3Q411_^!u~dD?pdE^GuXDnaB8JgM zk_!@a_(LvgyNu4M@>tZ;`Z25{6rw?I*lI*TqomqAC6QXToIj@v>u#%+b^>oS66cc9 zSe<^$(*04au}G611U@EBHFF_p+kOY0LdY<`3T~k7Fv>zU@*xDD3XKJ86z!48nnLhW z)ei%a!D!6k-h@!5 zIl2uwVlZM>am#0N*H=K`FOgJGW!cE&;bre5>!eA*5L%4-#x@KhHM7`trmjo&ZC8Z? z1Z!kkmZkWvdpc9zPwHb=n-q5ooxn*9Vyl@XO7pR;9Bs+-SzyA-%++Gbb5(FzFS7-# zI|Wn}L6I}*U%Z{F(hO%v($c5_9)`%~QwjDfOaREtl+;`rQJwpS)+}%``phHom0@4H z%D@1Q1(F%QB*n^WA>WVG!DK793_Wwv>s(9YM9)$@OJFKwC?~51ZWJdkL465*dIg8d z(4vUDXNu;J{QHv)2ZfK zOh!%3mGw&2WGQsgvDyI^63&ZFxwNEdeKS`6x;1k#CCOlx{Vb=IiIVvFS4^T);wU*L z$ALca7k<2{Y?LdsLXLUG0HK5KKk3@XznY)fSBN=bk98*QP{u^tHnc?fh@bH(x%spH zm15?hA+kO8aBk&c=t$ew_tt#kKP@n+Z2fDc4@nI62Rn3O_=+=z<=e9!);03Fl?7wGCP zWO_zY`nX~AUV87js}XBAkeSK-K0%n@pN!M<^!Zt3aqG|LAJu*|QkZZNQbNnm5zRFCR`OR|NUs%>a{7-Lao2&aty+ znioT++&OM08ZwXDdUOmkq&Z*5Z%WCsKvYiCH-#pZjE}Y>>0-jn^^HF6;_H6g&z%a= zZ+Vhx3I_t&pMOR9qi^BmB?;jo+?Y*K3W?>T+6X&Ob#z1u zU;SlEY@oR`6Tk?KEGdg^L%(!Bm{S`W-6E<4&RI9_2V`5reVgDywbL(|UC3DStut3~>zT@zRlFU_OZ6ZyTkhDs>YAC;{ChI1Z z?C7#E6;!6;u}bZCze&A%<3EgevoU%QRxTn$1^taWkDe^jSd?b~WCXixIQsPdPWj`e zUOlTQH69OLrI17>~hG;$BzI2gn-PW~O8WhhuYZ;H?7HF(;>yxCin~QgIRfzd-lQj+%A~C&< zYYENn-H?$e|rPeuEr)vKxFKeE0~ z;m!W9fJ0gUkMC;QVC0eioNnSD`(7P~2P*Auu4}{Yh#u|%2wl9ge{`{g!>+wZ2_imAf$x2?@O$t z`RoL0b<3xNN3dm){8&>HJcrz>-{9&sz({POwPyB`n0b83<9K)FF5*1VIiKSxEt+Zc zy1=v|{5E93B=j&kFvO1Xx3tuu=TH>!u^WVQla52;G3ebhcNLN=5wm@~E>67G2p&C2 z0RIJ3v$qLa#ZNojrNPg+olp;@I> zY&pr#D?BL@=d1MGcE>-{U6~}1iDL@Kxt<>#6AlUtey0|m^+tRT+nn7mN4qvhR>vP_ z=~B@~In6`$a@7yF_U9ZsycdgD6~(To`k;I*rVJyzU!{g!kY1y_K!FP%dfCFv?e2pt z+v#rcal~rm7W=4|!YlA@@Ca~8&oYGkdCEw@L`uBtU;3p7Z`elbZ0GfmJMqq20s7mT z8H(2%hjjbnd*L;L64)E`@YwKw2M*xvS4W!rKoF4B*8y})Juf5+YOUDi9o&0AR?`F9 
zGbri(7D%>&H}JfjSpw>rlaO?PW1n)hz|o&Dpd8BjMsv+;CK(X-&pBT0psmP`zk^)mRPUe&lDNkNvAJhFxIu_r8&{KV#G+ShP2;@SGe9 zO_0*4#^z9ESk)wtj$gM^OD>pf{&7vFoubuX?7A*TEEz$Jeuw)`gErI3d%(HTGSpzH zo*j*O_bLzC%B&7j-8S&%=B&p#ex#HmpcPbm zL=Dm)RbaV)XZP=GJU7)^k`#gJCx?p6lihK@ZI1|s&of2y69~u?6Y=6KF>c`HW%9Bp z5L>=gPDw=f-@KT3(T|`G`#P&S32(fY*Xd#Qf)e#*?3dZk`^)H@eno2)R zIk+944MD9#HD6!vmw|c(yGM>NO%iWlQnzl&ic6Ywh`7~&Fj|cPHmEssz+fx-*NhZ_ zcECY{qzBhY-9=MGp97lw13;l@Aa7;PN3HGeqgir)09&zY8E?fZhV(IkN1E6WgM-I@ ziI|GSCR`TF{};Dz^llomKAJq6GtCIgEY_g<^dJuqz&U>i5&KuV7NT`T zbx@^u99ahb(RT%>{%+kos?+Z*S!uyH2Q8Sg~3(3E)(J|4+Q&(bC_@Z7@5 zLt;6KY7x)Yu2OGSeR{aAfP9d=G&?S3dD_h;fxbvb>kCv3Hy&Rh69DWE&Xt%pjobi_ z{H*=Z3o(0? zGzk)z>UzHuGTehoL{hW=s533{e#P!|fxz*q&8I_R8jY51U6wOzB;%B!(`>BKV9a%s zx)5pV<;okh+(Q=2F%88i*el8?7M-uI%Nb@%R}_*eLa)!b_83utHHp*bRexRlk~jrb zbHu?$iyWvpO>D`d`QwwJHmdn^*-X+mc8imJ{D_UL{-#p9CFHzK_e-}^^A-6^I`MVJ*r!onmH2=O(BnJl9{laU5`hC+6LGkENV`cM9sJ1!2VM(5!_xQq-F^h;HC90tOXGrnf4J^3Y7sGaAK82F zwl4R8E(ta&g_d4+DMv2B|5D1}t9_0KG6kJ)QAxIaiEbh+t_8188#m4kd=p>aO@?c= z);uS|jJzv~JN4Fug$3>w2aW~sE`ItyLx9_@Qs3mg4eEV-*Snmzm#II_TA4RvFH`lq z#ssZ=P5!)DO<7>W{B9hR?a`}nYm&KOBD{-qZxOmkHZmN`bw546a&VN-v~uV^h4H+6 zZjN@?w%Ydd6z<+)q%JiQxIy&EuD?NL1`+*R^w+9z*r)8{_5H|}!p!lyyN9iL0ddkB zfp5Kgy#LC*w#r;QE)dK3w=evmCh_vCe0b_O$gpqW|A;te-ZX7@<+Bnuq_PFItgX70 zp6YZ8rKj&~9p`O4fn!!G-mMYuBND;IAC2q#Aojx>@TK8dtMH7yH z!|v5gwNlS|+qAp~=v9$f2!#3ks$0p7yW;|C=FV+=m2DMresr%qs9p7oh5Yap_b(-C zU5(8_Lh12~RQF1sw@JNf=IGwpz;UQ^v!;Lf8_7MMdv}OKGO97&1GK2Tq8h%t3b|n1 zHLiaGciw<^KJk(tqF}Pm{A9oHmxa%Y znY-Lg?YYA>uaiCKn(m^HyP4zC#``43C4p3u`*NEc{P2P;7+m5M+mzXw#Ae@ogV`;F za|^f`W08`P66++_p*fa733YSaT6itW4r1DyGCLov#8y9&UP|%6h9CH`n9zH^rI)Fb z>cXlv&6*M1&>fmg>|{s#U0I7&&<|y@N_4d3j(mQ4)%i zm9RIWQ8+UvFx6~IV3#}*5|d%(Q|QcYROpx8Ebr@~?S; z<4@6B5~*hWQN@1#&9G{@vA<}t-Jr#=s=h9*BAH#3k?A-qBD#WT13C~UvF;~8cUh-F}X}WVHpBy2 z25_=u8wkhsEj9wKIn5{*mOhf)_q{}PmjQ7YyOndZ{UMUyiy15#0IUe^B_}n zS#8=RIHrXhKi>+gZ{le&AugGtbP7A?QK3%pEmX~_uB*)C$WdWfFB(OFIt z39|@}=b1Q&*;wrrZ==GJ1X;EA1c*qWBvRuhm^ctXV|rB%NR#GSWW$kBtRI9l7l2DWn~LT3mAQk 
zNx=`bZ!YN+@0gOo3)jFe*fkLomWDO$Fj6~>Qm0(#;2G6k^2a~Y#rmeUYEIX6NLZSp^NnBiGJglo;_R5oIETdBDwv+xAKgA)&4elI$S>1&wkHSl|3Y26QPI6P}&=M}#JZPySL&^`uk8HchVDHmB3Dmu0!3v7FV< zUzi4nC{<9At=24#!(BX(B{nb3V=|uQ3}7soV$t$Dwd7ohI2ZTJbP$aH#73x7HHpHU z!aiIO(P~_<2dL7*cvw}?Kg^d!AcDRc<^6W%qcM3=)E8lU2}%onwYKZGOhdS!qS+!W zk^Eb?40X}25O|bjHSP7^at!nocZPdWe?=AG20zI(p}x+e`;^SB0al-8|?Ca zxi3n-Z_l(>DFx6IXuP)p{Y^J^p!x}7USRnP(C|UV`omeuj*@d5J;w{s`2emfXnDVO zY;ii{^thJd)^i9+&X2yo)v+@CC-{0<++DwUn`-d(x8J>`>!gNr`{U9}YdW_luzNi? zx9ffS`YP?^wqLHNbzH~R_i)HeY5n~@EXD7m#cJY(`|8ah6S&uWE}!(BYwPb(E!er~ zutnI=drHlFFVN@WrSs-N>d$X`M<(1$zxj-HnBAo)w~H?RTK7M+IewGJ89m)z;L_nv zyMNSsC$QYb-L69i50|xhm8F9Iy~e4n4tm#}Gs0a9cs8YNo`p}7wmuxSf6k50KA8xA zyxzE(KKg1<85_Z9QWh(IubU6=!k5kxN2OZ&t{2eBJ}IwwkEP^2O<*R^tB;Xu?&krN z=Y1_=d+waBrS-$-lclAn9+WCbTY+05K=XN4V$%EmRV%jtX}v<`3Pb0``04UKKXP?; ze1H2Y9FG9wppwK${$m$i>FRuec=`Fm$ns$jns|j{8#)Qp_Aq6dOc$A z*U@cj;m+6W#*Q%u$1E|XE>4avYT)W?u2;hco!ff#ipC6Mi{tdaV>mg3imhNmKUn|W z;9}aJ*9I>>%!0cWM4stSQ>E3#TMwh7zO@-5&`C7n_U2pM)#q~FpO!Vj z8NtkTvlon{Mi{-?>;q@FJ+k+}7@#-~p7p z3`;YdeDS&`&R_HAtEJ;z6bO)My443r6PSL{dMA-j%##|ZvRN;}-Q_1E{mq$X#rz^B zV06aUz2!-Lrk%mFB#S#O#EoCDqHbl4O2S1ivEW7}t35ccz5>q|e9t3AKs#RJX$Cz@ zkWDPQrY~%!yoF+L#k&>7_uF*Pc#&>lW-Jh=Pwlo@T>Is>F;?~ImW}l zPz6zyjj#}Z#GwgQWd=MMMAUk&#Cj@pj*`D$qfS|KkkPv{u_mf>bfEi~Om(UawQ&F< zHVwg_mc08m3Fj#ZHa(=IM0##YA5b5IZA|vT{b1f=w zFy&dGj}lPYLs$@Y>s7_dacC=9XIGWEPhAZ<(mpTBOqTPEihIqSMpw5Clb?of07_SB z;B9jZAj^6qFqB#kThA*W!W%KRg0etF){Tk?khNSiW=RDev=XfV$t4Cj}Pn@w#`fgG54Pf zzKu*DZ_i|B$|z2c@$S66f#4Vdd(+Co*}?-7ju+qdYlb;79=I5KO*ThqFGZ7rVFnOH zPWtN9na!}Ec4cXyBrwF*iyj1Yxp6m0&6ujcL$b@9J1df!m12j)p&y8$7S7Gut>BAv zEwG{GD55)IYX!I0zAV=~f1sEt_MC{Ln=#u|04ZOv1_#aTV|V z%uTE?;}}V9nOu5ZXjG0dc)A+|vlIyunZlm!AlGl{Dn4Md4}MtL<1pQlc-2#`bpQEi zlvtSBc^@%^0MkOX3E;|S_!q-L8I-NXh$056hKR|~1tLQc!y?N{B%xDFHUHVS#bB=R zaQ2$?AY#R0mu_CRN{1h&3fYF6l@y>2e`pe(b5XFFm$pS>l3g;)B$c97TY-_DM^q5B z_T~*O=68y~8W$J5=IFH48l>7UAcc)=yiCB}T8G~aB!XySL>RMC;t;B8K2PsNvjLnmd z1e`SK9xvdvuUuK_%6bhx@QjcdXyO-s4Whu$HjN?ZSc`!?5Z9PNgq~Z-Zeoz471X)C 
zF&W0g@F*Km4xA3VggU|W?h4eJW+M`euUeG;vw>W1!l!i@u#0Pt3XQB-(pYe)1Q;w9 z4IJe)Qw(s!BwqM8d*GuyFz)8mAjCqS!AKvB_PsUCM9$eXFX6@L3C-%+GSt!X|Cf(_ zJ%}(2BUy0z%iA?`k>5PfK^VB=^8xxu6oDt~gUjj{4gphq^a10T1Hlw5xIbvJ`e$eU zlMwP^Q~oh)cy90>CdKV_u#tW!>3Q{H7UpGrngG1(lEZL3cr1!tKRz4J!U48wy2qZ+ ztiOIFGWq+bmp=MgL|R>MT0{4C=6e4t(OIYAK@A~`xZ@2b|nfJ|hSBIL|`*ZMpx$@!c^-^8@sjVS}-9^#-1Ch{=9XjWp zw2mEmj#2MYypNh+a9BREF0Mn6(``PF{5=`KkD6FJBb~q9o?F~8FL~TGwS>Yiy`Gw@ zMRrj7sihClYTN>1NW6;wz&%^OVmrYLl>-wFRT`pmj z`&Jn8^Mg@V%VIpqg(q{{Jj(Gh@Xr~9Z!`7E<-<|cOXNxn-&wdp;o6(s%eaOx|5NW% z_gQsqU!|}i`p3O6R!V9S`r}U{{`+io!@in}( zM#ONXYvDxTk?>k=4%ms+abm%BPGmglPtnH!V>sBYNPxWtS+ryAw4`iT8ZzNi0WDkw z6!k0H@Mf)!@Kk7poq08{xkhos2Zs)f4>F3$mPnS<6;LyNr)<{MoKmpFch4J38P};% zb&M(0G?=+_PM2a=ERFy5{bwAN1VOBX1ht(iW13hnnLryES|Xaf+u&^M5H4H^#u9D{Y}<#TT_pT|VwEO$Gx6%}!7Y!>T2~IRX>bg{>%DtaAmc5wDH~pJm~Pa`=s4 zu9I^c0lMYIi$jUxclWOBOAnsuboBvjHiUY+k&sN$G&-b&pM_GE5eaePyXvA}kP@$K zJ~7S`V;-q$VbU$uUPTw;+fDlo(0te&%{D4OI1Ch$#33&fDpW}aXgANS#)iuf;%KWM zUf!t}a7@F|%BV`18cbl~#T#Ksg3}CdW+^)iJQj3)z z$$x1=OXL~Gk<%AU8MTYIV)rHVWL&2kBCiT1-(`^}zM!9&)0r*e@AbNUGys^ffst}BBlKOJnNVTK6Gnk>tKCi`hiZ0NJgBY<$^Z*Ma;Z0 zLGy)SC3&RX@58r%6m?g_jOtG){t`O|`3x4FU4f&s0(^s18jXlU+SnqX0GZo?f7IW$XI$rVFB-CFs&xHK8SQpif~yDddG%Ge zW~9C>e}|~*ruCNfM&8zI95ZgYKfwkGVV2urqnn?BYEKbU+)*U~zk0)C*^ONMW?)G7iLa z8BDT2O(|kIje^INEUCF%C{LG;Gjztc1e?ET>(Q`sZhPK^ac^c~qs6v_U<hTQZM_i8I zKnm=~mv$Lni+z>-KX2Ua)7!Luj!!8ohG)jj+=icAk;i^1OZ!JskK1%T{E6}vVV@Sz z@f4~aDCF3&<=35u&%uQi*9#ZWfaN?wi@B`Ca~-gj8S8zoQSh-l)(LC{{`85ymLk{& zo(o+Yxt(mzHHY@f?*AH-+QK88PDyQ`y9 z_|UiR0uN`V+_YYXJvwV!%H1BhAK$D8_)U`cHKmKsG#w+i4hA2jYCEPoyPy$;ih7*2 zpEh}!Yu-AgxS3HL^lWn67Gkc2)_5NScWONP-F-+NgAbK>{MPPP7Kve$0LuJ??yvrn z9$^CYXRstpJyUd<57EGKFi*4E1ji4-`qyAbqq{wJ;mwmrd!wDFfNO)-2gh3G+S(^3 zf4gf8Cbxma$~P6;%&;E3nx>nK54zgTKc|MU`bBY>_FdfF3+{T=4aolQ{R)~)MC+@2 zP3}27F6RVShNRnXBh-)l5A_y?gmkIE^H7W9KYo@ z9<+9?lQF$B%mVvKiOfC^8%kM!ZeGUPC;aYW>fe{&1#7yQz_*YSg*!pv1Hj8a6;~d6 z{#M<p@H&n|o3oLWZhql}TG>yEK49OACO)Km6|9E*K6^D 
z+HYjbt3U7f!IO@!C;T^5!3J!_I>LI_dV|5S+l2ytpgYIKK!R&tpMiBT%;P4mEu?-Cx2{kw)#$x$utsEHkq-R@}q6>%eEACis~CRG3FNAI)Lz zd<^{H)$)Q6^aQ-GFPVS|8oOvsLPYpr~_ zG$z5{Paqp3~fqdL15i9!S8Jq4n(23O4yrcNYEgW8LC_Ev*!QVP729Q~$sLTi> z+JLi+6=UrZx_@How|bv2YL5O-8FsN!gd~uPGTw9iN7QtPcVpb#U_`Auy^fAbwd|Ty zBXXC}D0X7uAFS3+BvhIB{aMXaC{D7_z^lCVm#iD%JXM-qN@dN3DNCc8MFFbO^ewxD z+q-&&IBn>2szSgbXSm`tHdM!|1qLOCf>KdU@9~!b!u}9lco{x;6PCJja>eq1#CcWUvTi`8P14z$JI+slHySEmN?l7%g(MTdOsH`Q(-DD2zPsz2K$Jg36> zr!rOq5!bS8l6Qw>H4{*cBy;(=A-tP1*~=xtt!CKm{e zInDv`z_@P5Hx?7pYljfD-zGr!9TT5Iw3YbV_nmPM(D%$AV$^Yrf$`4Pzy8v)+^gcx z{vWE&`91FV+xCr}G)ZH&v28U;)7Z9c+qP}nwv)!j#J0_uo9}tfx#!+r)?YBs?9Y4c zyhNZ_9j5|7%Bo(G%~ZS2M$W*Ch=QqwDzW4&;11;9`C8FU}PEa zO2Jm7;H%W-$Br0Kr%R_+RF%4kwTc!~Xq#$P>V@>l*hb1%7JvKGn9H_-FB@7mWV-1E zl^SA`d@R&V6G}=dXE3fxGScG4FeKqZ!FI-EVadElOP#Pb%)O(s{>B-IU{tzmXxn0Z+KsBxgJ_}scyL*OwekSefzKx6pT0gCc zyzidcwo%}FyuP&`Zlf-@)NsEu9xgsdDem#O?(2T;PFD{#;!UpUF0^A=t-n0R zrfhq4(;(CWJ4B#XHZKsDy;?ld9JYk{Ojb5gcuwXT%ZfXB__}Y}YBza0fd?eLg!HsJ zb8Zi`y>0_j@0iO*vAUL_Bz1RRELOMe{RyDgb#Zj&Qvq@{QDqvb86_&=JPh z+^42Xrqg`QH(UAH6Qf^2cKU3N>kHB6qvK{GtRtIyAo8;~Lyr^C9_w>w@>mvV;(8sq zJtpumH16A8;r4EO?A6J7{I=<;(cZN;omec>d6JT%=Nn=88V-NPV)gWLxA=&I+k6DGdzmD9A`9#Vm_AwgZ&zNO z=XN+Z*B^5D2wS@#ai2?AwJ%M3oXyB)_l|5>UVH3}NcOaw`gOIjcIbEAswkm` zx^Gd`AODtHh;S++R9rTfCcA{^)2=M{-6u{8RmQIjLe}XYYcaHtuhBuJhKL1?2q_v| z>a#Q6a;G1;-XL=dZc{iTQ=Kz|ELY8UWEw<4&pVhtYem_E)MykH)S!ZXQt5M&*0oT1r=4y?HZWUI_mS<#tXfr)Yg1;Sg!#g-so^-7*WuSoC=)aB_AxM@X^@oPeTxsI* zR?2$z$chlXQ_Wcl3rsEf?5GH~L`&vhDq1jM2t}R~%Gj)!t|WS4je@l6Wz8IZgbfaD z(u2w%68?`ffDE@?r*U6YCCPUpO_^cA3Zu}$)0hyfG0MVIxv0xFae9MZ5Q*13N_g z0=KF&zA0uMubH5)BqC9Y#WD4u#4wX{UOL))O4Z!LEy?IK>{U>FV;FzB{9f z1!J~kzd^_5b;GL+E(T)`$qi19x?+f@oFhJRs^oA>>rfaOx0K@hJ?J@2bYml#$nfE&o>hCNDX zOUtaea|n=!)vpak((h7wcUauxB&Lnd*4gOMXr?vdijsz{5^O0 z9i_2sIu>pr^6bNp^;3564M;Nt^PTrA@xVw(nDrXo`N>l&9Kkkz$`t zyJCnhN9lLL2q;uM4IplSC`xFBB{u&HzVB`yH;zOgRjBFHDP;jpCatx`RzhTsy?%&k 
zph)!#Uaek{jCJ{PCF=(Vl|f+>w~jWUh7eUHL{RmtR3};?HBuR$}v|q|;F$-U)PzAe`Dvg%#pez6{UCF>-6@)-$GOjY#%!W)e|xg>v(0JT5^$KH`fo88zP-_>;nup- zYMztU^*r5F*XNk&tlCny_lL(2|A|Gc?t38=UhNnA8vwwnd6l-D(RNuiJD0XS`BiDv z6Y~V*vkcPhy$sgN4gvi$f8KU{ZSj}eI;H*2{PfzrZ<96il*%o(Fl-p>u3z{1ZdsHj zJ>#{Lc0A2%O81eJEF0MKv{!#W^9oEiW!ct~@$B~4nxGM=6lmR@?YT?l^LZTahq3B` ze?8k5wR(8y_XX_kO-p0>o{tzx2$Kj8NX+8W>5b3%LKF8`}r{(f*uV+2Xy8 zx_{BWNml9H8+dgk+5;U_xVpaVzdsvGlWF2K8y zDXgl-3zV7O<8+#p_Z=R~@Ao`gbghx1Tb}Rmn)tpKZjB^5K9*DHwjM1m6F)Vvp4`sz zri*>mPvaIpm|Pls9(Ouhfi_AI^=}o23%jB8tnBaZpZ_2TKle$Nuio){MI?FjmbCL8 z2=_;1b2%Lf(N{hOarXh+#w=%F|5GM(t49r~r^2@o*X>TrOrAQoe~qu`pL1IDc02y9 zBk17kxQ|}|T(8{j*syfvlhC(iFuU1~KsM9n!GPKgtdEv$uW!sfjdnBFR!{Ri10B6w z_ForVqWhp;E+CAo7c*#G>SG3Lo<9H_xyALaEfOQrftrvsKekJVy^%2!4iR@euV{xeyo z`vSBoZH?W68cEd3kQ1iici6Bwu;$HAAf5|{SDm-R zD~G(vD9c2tQ8`g;Dz#P~Q1mE%L9KGHJOC--fo#k6v>InYR-E2()PsFa->_{i_aU}_r*alScA zk~kC9IfO%8jdzX*`oaV+fx)P+z|c`;oXyk_$Se5^E?)9qaPdVD)oC>&ANXJd6?hJf zY?3$v#JUhU!PuDC0JEH96`)5NQ7{RCpk22p*u^|SP!wDJNB45UMnaV_Qc}mskzc}Q zGPzxQkyu3_`Cv-w7+-!znDhbYVu4@GCnUD#^ z5+y|NOAUUCE|D@%)vM8ka-<_3D>&s4sioX1e5vA*mp){H2PD;qk@iqn)%DB!;81>1 zR{TQV-RcJg5=pV2J=jvmVKwos@m}SB@4NjE6);9>^ACe!^{3>OFCH4{rR&sK^hAgY z89y^JsbU9~hY0N+KOm*k?a^AOiw@26w!`7|l7!AN)#7mKjPs~?=nKL-;$}n#ix$7t zZNR4Tv@A#d$6VfN*#B~uD_-hBVJ;CmRUj#zX@R#HgZq9kP}=t^-w7CscW6N29}#oh zg=1ty2^ut%Au|A2u#WtX2pj?0I{8*pgPvoVuH`U^fy>{b{b58EmnmmUZ!dWW0mV$v z%J_(q$sVh)eqH|4^CV#Yv&`w{#>J==JXyp)H*fXcq~?NnIJ2jn&+?DOjC&ILoF+!_ zr_%WwX(EKne#g%U1tX^IHE@QE^A*lFXrPBNAyn6G5k^v1Bho@$Ct8$T9iI09#5$>x z&l;frtuJWGfI~Y|_d6Mk;vhK(Nw$TsSv_^DeY-adXncV_DgLuP{OMAa&_SVJjk|Vk z*Ko}(GOtvLA4g2ykV0>A=vVdpD{NpEd3fjbM<)GOBxO~RPrkb2Pp-$!lUHRZS5|~R8^-H))uAnF zEq7oZkWQeUTB96*>o!3zk3)>l%Si6k^Np;Ht~HYSwC}2#cQuJ-BM0YcEM67Q^~u)B zo@tk-V#@eP zlmdMDblm=oY#ebZCCZ;7;%lwhDjBtM>z^<+UJ)plOc!a{9@${aEdepwsi1Y`E-g zQ8+rz&hPQO(=5|<zdSZ*^ZF9eRPV!;dT)|xAr{6{XF<( zGdsodgNhe?Pium#o_5IukX1<&&NsbA-c55}M-@1GPR86u>0B&rJQeMxY&fjUeY{&S z1}nMtRtBJh5036+C+1E~t&|ZYu(VsB-A<*SG~TZ)8N7B+Y6W~iNMHS1zHSdSt-$)X 
zOv{*a-iDh^2$k1Yh4;Oc9^lQHWNq84%y#!f@kU1_LDMJQ7LD_@f2OFV6(0V5MUhw8 z<`%^T%U1VjO0JP=uRxMUNSu%zdNl06c6i+_yb zDoTmolNv@n-<(p(LYU3B5|^E!gB88Ad6AxhbP>D}-^$Wck}uv%cW+0{2_#( zkbe>(-GC;vOC68kr{z!+KOB*sG)4V`D>uiJ{-%Im}`cL8& z#cyX`!JP)`6qOJ_14-GE(U9%zx32U z>J{eCJp%J3IR0X^)JoNou;OMA7jXDxlqUm}mafU9H3-+bFkFQUNSnzNPVJ7wN~vNu(C`21%t*p#m~R7>l)|>D zkrwr;Pl9KvP9j#B!Q)~#ioMg$UaBPc`&7j#Jx7eMVzY9OK-&LYsQ|{85G2kp4q~SU zZGP8uwlwoJ>AW!nrF%VoA;$mj^hGoLd1j0-_tibs{N3tIW|k)A1X)o`w#ln9*A(0s zEdll7$r4Vz;TJxeqP;SkAf@h7#0g_UA#zw0?+Ta(T!d=8ji`ih2^{Xe5TNyiHpl9> zNfK)wt%h8N1JfWmSF_*BudGQweGfS&T#?OcQF?I5??+9z_=9^~0%cLuU)YQ~1@0=U zpH>GA1Ok~>*qqrl##$qy@DRMj2<x|UVZ7IGN$-PeWS7 zz&AR>z{!wpy$;)EwXpiUl)*?dtC(J*gu6^~h7H>5UmagNgUbN*XiQLN$c zOL~%kEcegbx?=A|ApD2bP=WuD#N*X|{BES=S}eUGI{Vu1zB9j|_>-YUzOmfld>-Q` zy!Z2!*0eO%DaaT}h-_rga!+4k$bJWYT$>X4zS*Cp^O;0%=^nv2eqL+4j~;E8<#_F@yz~C4$*}&4 z7QG}r_trn8gey10=yHLw3k7&>J`bYT zw`LT2VDV$~pl?)-881#R@aAQ*IakhOV>jLX+$G&`hS-+e)${!XNtfSz=J+kurWLK@ zIkJ?XWps0;%N_7=sC|#Y4caAn`seGRn znKq=?8s=Y>Lmd0-R%Wk~jWoHR7qzkLdtHr51U~J6vc^v?HaM;ET;EUVb-dQ@o`J5w z+O+l67Pj}AM%|5*%$X`DE63y!^qX-}`g93Ek&U+fU}uh?k?A;dC$LuMFiMR#&3)5% z?;=_IGMCu13}_Ghi9O?g=VTrN&FGtrn+}0pdzsJ z(U)464`eRoR$f;IJ^K*HB6%iol&}c0|Dhx3MH#mdlKq!1ALW4!X~EHXh0v6HDPQ`Z zTLMAl7`s(cP!wcgcAM}zx?(w}oQ&d`sD*l@l<5E@iT34;Rdzv?S+%G9W8d+Jgg@7y z8WVbDR-t@IbefYAEl7`!wnxbEtJt-aNu&r5Lh%pEXXd{~`7I9P#g(eOZ{S~fAShhT zFd&lYoV;Vc!vwlI5kJhNI5aVj0T*M=AT1tA=#qdnFGg`1g`gAAS(ksx>@* zxd&bIfb(b=cZ`pJSbm2@Co+2XX5hfK=?TLVDQ_J`%dC_{cy^p8zU&*ocL$~<`` zIT{S1_ERp%!S_)b zcrp?l<0Yde`sLSc4Ni#{F!G67vl@%bJAO||fQlS2w!wd#`elpj-l_6iIDn+Q;|IhA z=NR*A{`yhARvew0S7L=C_EYUNs061cUQH@u3RLAi)cc0=v2>qHmSF>2_Z^p10+k-B zM(hWyT0{M2Ic~=xSy^@{0!WZXng~Hp={Ts#HvV0i8!1-Og!VKOoq4v1)ca-j6c_owArTl&ry|SkF*xh#3D&PeY4xc3%cn z#^nr(&r}$?54&lg0$&Z=b!t|ct+9j4;!&gQCo)dz_3WSD%2OJPG@N&oL7bL*D*@9^ zdV-}3iGCUCzin}$#*1JM)F%9rmX(v2o!FCzIcme2zEfE@#gTH43H2&n3%iNb386Gu zS8(w8`lwkhe{-N^bz|23_Ig@=5ob+HL$?8isN1T-3hiK zQlVX(N~DUk1U}LeCY5SuWLN;Iyzd1#*~Wu@FM@JF)vHr+7y|K=L%3@pw?fsN-CxCQ 
z-!A>IxQn(c9+&=HtQ2TzUXoSKG0wH{HYN?f%Z!Csp<|n@IfvY8sJm$0C%{S4|B{k@ zun#|kh7iq<2>cD-&8Q$bTyT)QK`ZhYzJdMMgRrF42vW?mp|dP1W9BA~$!bl8N0)$t zpfp9=G9wl?U1R)LgFSWei%~a#gM0}QBNQ1B3g6tNBjV4A&^-Txydok+68Ucu9PZ~S z;I?5QTt5l=5>p^ZvPT8qA5+Yzn0M2rQN%&Pwm_UL``XlRRk?pTtaWXnE2foN z7GTulq}t5?iq!jcO5g55>Q@TM?SDLFmhI0|`Y#Jv{MVm=pv0ll+uQ?z7Zf1b4H4Q1 zC8yv|xEGeUnfM7Sdyu=pr}2IiL4%x2qouDJXN>0K9@g6mE#GxkWesD@I{z^p4+!VD z1VC{a=V`{gwm_9jon@@m^A`V-f33Bo?Qwri9@}-oN67u8dA~_FDy!8tH*Csr)$vh* zwY_mac6*Al^)9*Ttp{*V_4VVKsPS=6*96I;Y~7q`*v{}Al|1O$Z13K*fL3L5cvaf3 z#tfs6RRUYp&IVmoKy2mRiN2L~YjAiUz+eIG`dCr8_r#m~^$o_8ocku9_l9%8b+_v) z(UrP-mq(Pg@MZTM!ip9<=-*$^ze*>w%iEouKwTf-VCyaJ=YQH)64#(o%^J1GqkrqK zCrelDKy8B0twtE&Qy4^zfc3Wa^4l$qYizPE1L*A1+l*Ls=^@;Nnr1YFvx>1XQ7&9p?J@M|4YcsV9Yrz@V1b|K7gA4IHA zYu!dz=A09FtADEQ98P%MUlzmP%WfWYRpKEKy4ycqYdh_GUK4iIo^<=z-gC5aZ+DpW zDiU@Yl`dWD*3sHuXqx`_1=Zc5Z)Q2@{=d$rYLaJmb=%(rChxJ& z=O8bPPncs&oY|lechB(8(f^ptXa6!;MSodUT5FPsk$|l#yX_?1l?YaLT?e3dD7!Uj@p)GWfB=^B`h0qgn`O5rzn+n zsAE_ZHe=DD%{>;$1lSfUb2Yzz4jQFK=L=R9Oog4bPM`sBA#?~Ny!b(5`|T=(Sa$~N zR!t*JTht=SI>>k{-7<~a)S}=gdXT4xhs@iif2-AqJJ=^u(QE{>iUPoXC%wUOEhukB z{T^(-U{sX})dBO500Fz`cw;53zpVwCLqRB}?p=bofSAFJZq58L}zGIf6^l zs%>?Ps1%I%m_G?SRv~`?(M%FE(J*#0j47oNBF>=@p%_dqc4DL`kAY}}5;x#B%RK4T zyOd<79>Pf(Z?-N*N}{d=hwU;e_Q!wxG5m*Ahe#tYeY9SkQE46c?xI}{gwut*b=>vR zSW95Li6-2AjCOx0oy>GtAnx|GosbfBk%p7=pO^&b_11C^QnGTPUKQJYTCg-5lE871 zf~=KGjW8UO-)}NHK-FVk$6sS}CLhO@7Xp&Zn;%oYDMdip`pL4uaM*Zk#6Pf5yWxTr zajwNpaxLH$YGu)0gYW<&lJ7~g*iKLlSU4e31!5S*Foj_@$~<+DWIKA?bIo7NKP;0> zlhV1eCj1WVny6E)S@y96RXpQ2oEFPhD6A_N8s`S%AWps;ZcIsv&QrHO=nK9ZKa(Dwu}CC1jS0e3ntN^uel%%KgR_?C}VlX|z~y03Bv z3W&*T6D-jR`g_*2-bXx)omS&=3vAjht^9PNEb0@)fx>r$jx?z=`@eDmI#20~2d#YE zQ+-g}#sUN5Szdj6;-Ie^A8dEMQ#vjUL4XQ}KW7x{-UGfepF*#YWO|(Od6-ahec^O* zkGqfjdx_UTN01;829$>#qL{mryV-LyNFj#y(>_V4<)v3>rg&Q&)URuH6+GTg!`J&7 zf|t{FYJ6sb*99!B#H#Un7MWn1@jj@A>b}Sa7rFAraJ{cwI+8G<6IqtGI z^!f}@#RyOK^=yCwNpzlFOw%0y$T-hJoCJ-aR}y(Zcdt9vS~s230j~r+JU$(fJDye= z=|Lg}c1NhPS8t84mfDV+4yo5Z2^sC)%_M{tAE;c9#X}g`fNkQz$XF5`H}Ut&O+0Jo 
z<&?@Ck0rzY!)h!Ux0@{@rKdvVy;JFJw->^beW$*DIYXke_k3>C{CLPwc8n{E+QQG>cC)H)Mxo*iM#=h=0)k@(L3XT8Ar&D5=@M1fj? z$QKoNS&z=nsnS@=8ppBVXTtj(hu#igovw`+K<81Lqx<-fuKq!W;wtCm3&!5OvhSH2 z+xvXddhPr2%{$YzTa}~xy8UTj#bx8@qj;K!_vgXFF?p`eb5t(yY`)QVI_rJEGTJ%D zc-Sz-+h51NaogRJ+;#JOuGH7z@n9$PN}#{}wr6Q(>)Fq+7rLuv3o+~VfB>aCG&fTF zq32R_iHE~ert{IYbsAucbXX@T({nDf`$D7JV{iN_8%lV{&^a|j$er@J3-SPgoIgOm z69ORDuOBEA2v1`AYZ=FM32I4+#v&^^1+> z9kdo!a3ZoTn_1jzBLN^xkJ^3UR0%R^J(A%bb^tH?$3B3Z)-*#5u}K$_vnY~p)0rBS ztnaWf@7($$^J&%wO>Hd`NIoXDa7KA7&S%+Im<_M@PU3&`$!^%VFhf?kNeHnU#fLAN zF?Gb_uXxe?Zg3!u$PIaJC`Td15^984PV-vLEdYM7TLdVQ2vf2C<;`&rawsTVrCuN| zD$->YA&38pRK7({N|>muL{E}kL#sT6ZxiKUU;8bpN-A(tzKhr)uxR_A(T^ZYc!F`` zj{rce(+IF=F%M(VNG%eUbXt}w7#@4UxMX2JJOc8>>0g9BSL#rkIfx-5MMK%iune<{ z-FS>zR(`l@1*aH%Wrnyz=QMfDp8@BW)`aZJyfPtnY$=v>k)jXlr5qZaSJUguO0xwy z+1zBo)R^yvx>&5hnz~w%!#6{udiku_k#acbrEdFh@(Oja8*aT`U7-`mp+D{t&TfU{ zvT`NW%kebFL+;eKJs7znDXCgi%2Ke1FuxMZP*3AGnGUQr`3p`!pYDJMO= zbA25cNBssp%X1$^%hqF%04RmRCJONc_=F#(?1C9pOW1Vlv<`(v%QnSfGMy4^_h!Bc z_rnTWGz&dUs2v7Ia>Qnt&8$1Fnqmb>GT6dG1k4AJGo=ZMEvhnp7WfY$Y{zgWwDvfJ zr*3(`|CDaqjh0*Lzi0_X`psINSc4nL*?x~8U2m|GY$26Qk)ot;Fcwca{565;4VzDz z|13lNlN8cT7>Vp5Vb=2`2+iXpPEObH-tL}^@tHX;w$F1WXVft#-FKR6d3jCa{kRz` zm6=L_?r20m&n!T~ftxXS-ATCWr$#Os4}3)w9k9l_5>#gWw)8XIR7r|^W(TB zFKZsFL-}P+;T~gyT5GZR$nZU#RwC_j)XON$JRhQ*tS{k5hL|)n@AO*_3oCJZ*_aUc z)2bKA@jzhy>MuGzLe^v|f9HK6(ZO&VT~n516D83*I^xnM5k}c`GaUu$>c0#$s3Hq> z5kZ@Z#!~;J&AJz=A&UR{!vZ6`_l%_o56%=imC2(9g@YS>(a=(7CW!#r)hoZ&)`sfG~8eL1I z!7%b6d?lx7A)7qQr#2Kr2ZqV_K$DuX2Zzl%fw4-iBAC2|3Tvg#;hTL%gqfP;&N#+Q zi;v?J{g&z>G}#tKI2wpt&ILMw&MPZ{2}!S5W5w@38mop1cw=$flm+)X@!_4^wtf0c6%{v1AQlS=i9QaS*%6wALwMa`JBr{<{i zlR*cNz<1HFZXvqTv?L{V;^PR5=^$CID0;mZrKU|s}4qPC@ zQIHe+@Lf`7M1~PoaY^4*tM){(Wb-kk`UwAe@^<=v1$1;fclD}T4-Cz!1idPZP@MbL z_&y#?_Vxlz+0nm4mx@CJbI*Ohzf`J$gwbGQ_E?2{rr&b!w|E}wEX$T$cyCHHw|Er_ zx8E*pYD-*SF6UoY=rMFJ=w6lfhZ1Es^rELV7;GO(S#&rJ>IsgC*g7mgt`g7LFxsut z?>sW8+}|*IdRHQ_<`q0=E>pYSUNyJ3jm}}%H*L$CS3rO<*=>&lR0wzDPlXm!P1Ys>glS;dP;^JCdC*Jk6jx^bG{ 
z2UJ?41K;*>DLKvmh3&RsBJyDEc#LZ#?iIuOl-no3C@iDB2~spRYX_-D6BJxd^=-d$}^5 z?#J0cr`OBo{@hELnqH4|q?A=MwM$(MkYiu@!IbI-moJc<=F)yj!PVGykmmWS2?P{n zaGmI%>QAqv`+P~M)%6*|WT*<>ylcGmJb`QFcb&oAM3RM5!Pw%z%-$}-@-_60emkro zia~lCmt05i@YMAZ{%o?Q|00%?*r=aXOZ!!ijMBdVxn}QTd#^!<#iLj4AU_s*eC;eB zJ>U#K=YBdF+f8OI!N?^<=_y0E^GHr@%~#SXQ^2#K0@r&i^7Fn!vhAEt zNZc||l>M_U{)#Q5dTCJuaWVjAP1rW7g;n>ghfsZ@F;9-e<42 zBP+GQQh%{>)}N(oX7!Ww2A{I&+DUJ@yb+jO%OwX%$?%6@k>DYG--+dBKfX0qm~-DT z77a0zcT@$4``4qxHQfCE&76o-WV_{`Wx%5B@FjilseTAdW0yO z;70_X6!=e6Q)2HURg)-%5`vv(gr+3(+dMgH{YV~1HHZml$@nJj8i0CPQp!l2J6&h& zsKgAh93Vj-Pgp|n*u%*#$`x1UJcpTxAva7WC^1&V=(DDh1_oi&kjI!tjI)#)8T|3D z*r<#13Ol)?_Js;Y1iGvQy2b?6p*T@FppR}$NAV<-e4rW4UIWZ)am@RxBAvd#B46_t zjXpN=ddke;V9542PY*pTxZnl0Mq-r$g^aXiE!0ZxC`}7RI}IxX>R-{{Tz~w??CF1{ zs$i)Wvt}Hu&_JIEhhPcizzd-b-B+)vU886JXN*CDM;&M`Klvjxx}XB3@^|y5?0Qw| zX=@c@qDYC>-(dtTh}cD+dc^_wVj;n@&WG7}#Q6xi%$ah4evWM;201K51h`VOhGK?x z#5}k?f3>hVcF9q&xnxF%^Uf)Rf$0WL1^ zY30zEDSDNo4<7DGQTzOhii&)e63qr;upUV5s@0*`OP6{nsOCE>uUYkt+W?x;=?)nbPK@5Ryk3;+}=dkk$6QeX)|2 zOd2e>7kjpy*nF`?w7-9l0Rk2tw+NFx|IDvoEz5#b0vQ=>t=vrp%6YsWQTzgb$)|ki z@KXD}!7k)biCC->u{62|lv;`h|K@B@jlZW8tOAI@Tp~hJm{JZkEy>L5h~{{sgxWW> z>^!Am&K8RxAR_%ufcI&^5VH9CO8m{Sz{Qg*S==O48&bh9gq0B@`E19}cSVzJM5`iT zfxxLU-WO*R`L`ENMvGC31xZS7T&jxHI)PexH+*k3VyIt+>2|?PFL9%ZCUBp&K=V>4 z6hDyw@m~=+v3e=T`G7)k`%;t>XoWXn(AY@9-&4ju$pOjH)twuc7z}@ZN>T=21BQ8B@SypM)$= zBs3d}!+SsUxT(pNfr`+*p-BL^YpI##yf_x^T*G~yf6BZPbgq4KFa@LQGSAT)-|e{~ zbzbL~dQmOEaaW;B&~NK?H{w}q_c3$gjIzPodOCCUcF*C%2Nbvp-bt49YFpA<+NNvX zP@u`N*?PXPh|P7r`N$;dz9)FxyVP0RZ};&Wyx(rODj$_?2SyCbyq+?rRzIA#Zt-45 zMV4hdOypki+S}iB3iO3arA7L5ZXh74x}EgX$*lgV*}NNPBf0Ow;Lsf4ZbRMZL+pLb z>)tFrX1FFq>;kLxxP-^o<~C~{>8Q1JonN-?ZMy!d^LB_OsN?-eY@LOQt##A(>ULd} zT~)acObDv=n75@kJD8uU(`@n7f6q+mJ?^v2`oIjFa_M>kyyLCcy4`S~h}dlG$~j~z zFMmDJ!Pg1)QnWwf@LISZ+XsSUv%!FF@8~w1G=SZh1smTF3V7>4$kFy{EX>t9iU_pXxcz5y*`=D=d2Z31@HuyQPV_o$ zwy;L@cJI;|VX(9*enCVj4JQxfP4&ESTB&FwN_9LOL(uf5`9^BpUY#Ht#t(#3O*U(<%p4 
zGO5o=EZNu+4;dKyIZ6*4m(S)PHw11q%_5!!c4?Mze=IC7=oAcnC%~e!TQe`|z*e!W|Fhv_@jF0aw&lEipyI|#(7TQ=rYYxE_R z-X(l+yYVbLNJ6f7f?K5_W$GWLNZ>(tPH3t{xRHi#kyc-PRB~ln><)SMOttBuiZUI% zmILbF*zLcRowz6sL+z@`-VRm#pJ?US*VFaY=j}~-A1wKjMJS4LA>j=Cyh5)bg^~pk ztPLRT5OK>L6yVLeg3EbTTz;kOTp-(|4a*16;9!ivxkx=0ZPbOee5jp zVG8SEOX&QiT83C4e6ag>9ij1af@1S&IJ$VH5Xe4c*j zSAMLIaV#EAbP(t?;5rW=#*V3!;rkSMLLH0!Fnx#xLOk!dI8OWaOamJ!C#JSPP35P3 zC+;8dWzMv69sIRA)GOGyNj35+JP_^MAUw2qvg04siO2NKYgEn1b?n0$NB-5V#=tZ? z7$T+`AR8pbEJIb9(_lP$nNym7rk#z4_f=kgHxYE*lb@A^b`>XY!)T@;Lq_`6_&d|wr8&VsFgT=aNmz`I z5~g(q zDJe8g)VoP3SSPNZXU@bw8IT07KrBfw!Edpz^`Ig}t9p*kns3{dVaz;uWMzEsp854@ z(was|;a+se6M;d$+JlNZ1hv5=+(|1j$2pnk#?Yk>4>Xo4Gy?nk>KD@WHHUtKS3WvO z6da!yZ~aLbNs*`Ck*;8#-4p}^_tK%1t)N#`g)!`6a81m^>mXYd^eVUTw~(0s=s8!a zV}yxSa9Ai`yd=zQWX^#rWhs+|AP5gwh(LsP^G3r?M8=3U=D#}P8`@{suZjSg3}@v1JpR#v|Yy5O~Fae|Gyu!Kx=BW|}ZBK<%V zd&0d-;mPFOKfjeY3)b8$W9)kY@<0CaPAbXR0@nClePqmc0AxkNzot#JKnwGY8azE} zYfloeLKvmU!-unPBKt$8_6QG0Vx}=p|BsA-SQ)_udlP^xE1+FToUh_W`@;nl&<@Rx zz*qAKYlK(HSDjepi2&kXrba9wUm4IVK>7O8=`RrQaeus7ljD1Ow^Gy0-2({do#(j* zUM{KlSg-ZEv0ncIitKA1d%qtZ+xFPwoxN`3&vCy67~8I%CGWFu^>0|-7k@i@_;~)9 z$OW(6G`qugayq|xm-YF$ql<7F*3zpAo2b&x%-ZuSRt+wdC$UXLOEzF;#wgSL@v~7IJb%?Xj=*QC6))vl> z&&|TG3v;X2ROKr%Ti}|f)XflyiX!X4*x-ulA)t-%z~6V+`4Sm*eh{;8VP z{#YV_BZ{Tl{QfY^xAvAD<+fs@y45?R>sL6fYw_57<$TT*s&&lQebqRM?+9gw3|io6 z1(*r8&1lN>5~ATSXOAUKsWNg!2b_Z=lmFV+%NkWjT$$0 z(%8nvw%s_5HclElY1G)ZZKsWG+qSiP^PGF`Iro?MpRn_t&(6GN(eori>nUtW+pf+2 zVz*jL!%qXz_ao@ckD3G&_IH&3@~LmHdK09z_2aIe+pqoBLds5^04EDA+wl0~69Wpq zss@t*P5{nFe!jGO&d*AJYW}KT*c<^`^_xw2sT3^mjBi&yhCciT{Ax|gS-rv&rc}Tb zOc7us+Qu|%3%(?diEzp^e24?@76h%A2-q^r?%&5$d6BjVdAW^s~V`dAg3t&w8cI!Uy$mcRcAT zH|O8#`G8dh4J@tKe3sz|Gd*C9SpV zwKK^%=ClK$%BgN$?O85uw^$|+Ax`tmhX8>D)v|IMY!vJ}_DnU~f`{hv`hg)@Gp19E`Sr$2rH*!!NCPUsgtMEMI)b={ zB|9(j(JPO-?Hz+YMqcfL{OF&>uv6@5HHiEHY;QXb1&-pc$ql8UyvbB&rSYT>aN`zt zTq>EGrDaG%oG`cH-S*pI>I$g(1jL@%+9-T0&H2vF_Q)^w z@gphnu@1W3ytJtQ)Wc5-U+Po?2gNW)n;-+n7x>EWxJ)f-%FhOse(P= 
z^e;XWyt}03EwL0_V0Sw{PzgBq2LP;7cyM?H+GCOhlkgf4mv}4;5eTynIZ*WB(yusa z?ZWMueWfz5X3@ByJO3x$>|bn^aLmpW9m`mfALg@pX-S#EU2Gvn5+p1XeQH%aJ;v5R z%l8KXPbN&Xh=o!$U&7U{NXwXC!ooivWpFp7JmauqFPDAi&Q-E*mrSr4YZO%BM7LuOs>n6f1X^X zV%{CQ7Vr5Xe>F-eF?5NU_QTQ?c{JL2j^^xYS54tuoKwg6sPYo<*s8LT_G9A}&`o6V z!j1A}L>l)D=0m=~^3dutLq!rml%X5BmPf#|vSS}XilK3iT zykGZTbK(<2aSs9eehXmA^L@4VF!%o3e_kKnx)mfw#$CSWwEGfOCahHly0Q`|g1n^} zxg3;qwy0RWrD4Y|C2|J=_eQd7(W)T_r!VN%525>o21kQ|lsAZmWym26C;N%XK{PAE z7YN7S)y87pk}RY&b@(z0{6(maG9;&>Ez|}eFjw#4wd3RukWjNuu2IGq9(3Ej^BfASDp_()2H(9>fIHE)1-FiQGR;{d4XKuHw1#ae$YTezv%##u-4uYzE zq#aUxx7U9dw(S%PboOh)ufKx2TYjvpZkM~i5%e@~R!I>zkD^VkzijZQ^i+DS+)w|A zO7^@>eNAgw?|LVg`>`Tr=+h5AArZWa8KanjUy=m8f*id7@1sdJ#LVF1m;~;HZEIe&Y#a7Vp`MNX#}nroVU2?K3BE_6wr8YPcyik0pH$#3w~esxWOdZeEj5^ zL^;kMKSP5WC&|_}8xEM6{FT<81{11Ndp1abAK1^+4mma$<}FW?r@m)Qmw{5;186I6 z6YQ6u4~p}T7UqVxfvX=yj67K^f3_YcNDQCxHBY--PpT6-)Vh!^L35Z}YhiB#!#aoA zVM+$w4;2J49u{Ip1J^GLTiWDam!UOTjn6AbM6YMj3m+uBd+{k~8}I&7+yXXhIa@vs zkMPVj-6s-N57D?ajhg98yTl&nyGffHM}MJnUTPP-Y5i=T<`oW_>Q{ac6?QkQ)YA}l zKaU~F%Jqjjka zw@egoToZe-|##Xc*BrJwVg z%;w(2;E^K~*7wyHG_s_JG66X>%9a2hH?WM*gkSpSujEbqN=*8@W#Ac8Jy<$&7tjf} z6t*WhZ|feY+a)#cU;hQwYp*u(*-5E}J5AnKyKy#sXNgZ|O2N5Ly=%dwmfAAhPT+(R zi_c04mQhJ7!nP#x#UHAfVTQ}LexrfUYIwKnaQ>uT$AkPkBgPK2tBFG1ZSQzYQR%)& zX#xf1N{SiexmIq>Bu>5TLaEJox6V2t{`Pn12=labH&N~_ECDXEcpjyr5MiR(KBhxn z->e)Q#~epdbbK0ULVpX|iALBKo?dvcozM$q{B!)gi^$<00+vy;DMxtahVUI%Ow`JA)#UaXng#q{z}P5X{#8>ELD~ zR}>KrM+9d-z9eRc`55(=P2yI9WzIJAl>=PxWi|fFER(8Ou9s&};bBPY#{|;;h@q^& zlZKpnlxdRJ(Z-=U(7x2VgGOihSt5Tct2F+L=`xm94ikzk;pDeQU8by!@o+y?jS3r| z>pVf6EXA?JLTQBLoQnDKR0_SYx@j#kSqg3Fu5!Sm?OX+aAidK%N_xtxKl%r(r*v7D?svraMs>8;FT$@QcVcP|{DNY2H zpMI3h2fiWY=%x4>W`lk`yU{uIf#OIt0P@wCrvn{HgX81J10X69pK09B^OI^KHGWqH zx>GUD4as_Vv>Jy_%xfokWK@o_sF1?Nk&9!s_%>szyXm6rUjUiGZ2D7LQplEtlXhoS zv0G{en^i+?Riy=zG_b@oc%E?oj;!26nrFICzra+>W5g7r{6JxxqvT%A2mYe1;VAKE zv+A0(V0Aw)6=SSmt|7U}AJ`JwQhPZGy3)CoY=dt~vxf+b2QR)=-*H;YLlzlBoPJ}? 
z5Z?zy$A9=H2-Jo@g-sw}9;*pY+7H z_oo!L&$s4-E`R{|Kc07D92AQT!h44YpT3~+W=wn&#iYFRcmuD$7GB%fCqN7HdAr*yOs{CwHu)x7{%3-l-I?ui?^_MXXIU%>L|1|TEC$- zns*Z)?~~QT1TDBFdxymgcpz*SxHp|<0^pRg^>EmvY54vx=b}=59biU7T%-z zi^a{m>M^nd_!S~U9=D_f&8^qXk1cB_Kf#~O7k@l9#tgkoi^hOsgl^YN{Gjt}jUR72 z)N?*D*}{X}1k4^=w0ijb>TcfUE4p{bZ|<*-fb5oA)D+^H%*ZN_Ggt1j!;i3ckQM+w z1Iw%LZHj4myO-Zh@6G4td9OxX&BkD(^A6FuX%Vsn*c#tueyHZr?2$6$^obHI}RiPSApS8Q!gKrZ@`z^2>Yxic-Oe!@4NfY zyUz9&%<3e3KNmcDzz!8lzVG`o^zZNO*guwidV#HTS={zFT|W0uJsnRw6`Nh2&U<%q zT3sCv_E&4>c~9W2U2xBupU?_8Eb|O}SM;A3XX~Pk$oQHp@GuZR2@^JM%xa(gE#|%K z!>{`fCMmLlvlE_NBjkjTz{w80m~EhvNTr2mJ8Qj zHVjTaJg#B1hx2J7jj;!_pN-EhRKS2l_Rx|8(K3kS;7Z(-Az>+kz%S_Ombsa9<9Z|)nRgc|9|DK-ftiqCOxU#~k$ zV^-;|zg&F~!w}~(*%o8IT`BgwhniYvYqCmS=K^DzDRWRED?(}_{5tMkPE-!jOFjX^bOxh61pN{D-H+S6eZ;NY^APrv<;0I3vw!q`yedhD?dau zzOR@{W7x7@SNGIXfFdk;&~=tMq##b`YJOljsR<`cEr9H4#cd+v!-#0cDE|vG$Jwj& zxtZh&;&C5s#nHBzn;ED@<`Rr$@;64*mhxTfH=`m$oPqT3kFBPb=cb1o2^}D4%x_=f z1WXa{BRQ15k(&dd&n-gwOVx4QstsyKSBySs`?vL|LbW#2Jq&kJ-9z?w8gsF5iS{sK zY@P8Gtir`ZEpC0P{tBe)6)8q;%6V~xnayY!_zpJ&)t-4g`zbZsc zG+8U##UnHoV-%JX3oC0Dh&@i_-hUUX) zuH<5ev9Wf#{3!%vaa$d4nbzI;uRwX}it6z2#9Y2A55mQVg^2iyMx?^D=e<-BsxCyD zmtyQSpwDi48H4b2_2O|!y(d7o-B21Q7iK7nbmt*1klxT~(U{X97 z=ZMlLpXM4A3PU7`Y$5eoPv8Yzh|Ckad}*xCpd2q@*kZ!Z@}3@1=j(#O{#Lsl|4t~& z);M{%C%?dm4Mi|5yO3C}IR1BfX@E@wW7YYQ-4gKsojou=3lv#*JVo&Es}CZkQvGma+}DgnRizke1b+@FK4YDhEh2PtrO zZ0w!c&2xmhUJoocf9+e{)?H=KQF4Pf4BxIqyFlBfG(znOqk>LTdTWGr%ZGXw9)ztU zDD>;~pQR_;w)e8OLlbVIS5WfazqytVCkmsjvn%a?kZ9{BbI?HEk7>ZAkJdvUboEwx z=QEnpy2}<<+FbG)mC&rWMFl6f&)Wigk)7r?;ODEBq3`GcbGTQtP%L<_XwCI;hN2Uk z+A}Me^0>6cAc$wUx)o#4;{&BS6S4#~(>(i`o5+)_88R1#PA--wroA z7+cd)-S7M=XK1^-pVNcFXEhA65`VJlT*#pGRsyp@e9}nYe znq7|Y#&?*^zcgK!c-*cUHifS11&wzeg8bey22QHDJ1kf10MCr8It3q{Z|CtHLOxUb z)kOCEQbMm@@V-aqKE=$yh8xqZ<;Qxp0>1iz6FDZog~bYx(OK0ZNBlNTT3A9u&YDNr zRV8@-U?b_V>tbT^^okWJ0)rApYA;5Jkil^mwrbC$%u;-jXB#eG?@a=XU@rR1eo(XrJ336u9=6vWBr9hyG?UUcOR9brYgj z;GO}n-`$J-v;N0akIkp=E#qX7d2WA+c|f0&kEBIpOs;xvc$+GD1Uq)Sf%fWa6HU;0 
zIp0n{jqmZN@nwT|d?>4cQ4EQLAE1LQlxm*_-Z0iNsXF<68N|QjD>wZTzg$xBQvgGz z2U`nC4c9u-*M9YT(;F270R4Ai!U4RR@G04ai>Wz2 zeK3U@!Ns3G%?e@8H)Vp!T9f7|IkMFve{^+BC%C>S$q8YRxaK9=VO!6ylG3SDp_On& zv!sdvX1#Hh*^~0ZRszX!m;SQl!1RR*|FpSr$$+0}zO%)_%kh*f2*jq7K5xd+^TtLDZ72 zENc-i0;%?Z#Zzr=v~eE>_vI=0w)7(4f+_dgjHRLrV8id$HVVP8e0fwyz}zD-7+Xy0 zP=YLG+mpiFy<|bfA7w>7BoRF{o}n?54tEtl?2Fak6KKsIjq`xCK&Xd;FNG-LG9;0* z-Eooq)B_j>VUZWIGKBY8$;!B7708|%>0jVl$I-%cGNH+{ku7BkbhgO?IUCG+)VNBD zOt=ShB|<9U@(<}s*M}0w44HQg%MX*zX?d7XNaGO8WeIxA8?M=y_|Q=_m(i9q) zeXRDEz}8G>hvaorq#LO-jFtI@R67i+*V1}qX1IBfOS=Yea1Fq_H5hB{>%v6yw5C|J z>(`kdDxjKrD%CEy70-O*2i#eO#hTNF+#fW6NFNE<)iM_;G%8M*zQawN{cnD=&QLqVueJSX+C zi+qiolEwpSJXMK9w60Jca9Yvv5$CIIwL*;ZgSCb&FRcPbSQ_RZCJB?P66`;qEK=+; zAIO?xssFNG)}=v}IT7>h-bFy;Pl#w*d8kz;!ozTv zN$bR*ryEa*W<;Mu5VqKQaa6X+IxAOW?{VV z56V|%&RWk79rY{}MYVhd?*zwulqA-Um%L8d&b~K*-&>A8@nYVj>;GzprD}i41~R38 zhf+a|pu`QZTULZtaSp_76cQ>k;o_k_%O|WTo0+FWvrb5izmSBkpEl*k64#nj?v3dr z99fmnbzp7b6}6#eLCFl)Yarvr#TCO&K95a!lOUthj{ij8IcIX4Ot3y%MVwFLm7Zy+ zb{{PZcBoLcmpP$Jt1C-?2H`2j3b2-_dsk|fXW=bq=?7G))&9}cs|wG`ug8?hEESu3 zuKM3?h|9STyFm;<6iP%pO4&pe*C!x(MqMlndMKJ0Q86`}2!30JcG8}YkpF|}B(BVP z``9ZR7pUh5UuC=xNox6~PBv<$-EqnrUB7wSf?zmNgsh@;-<->(H)vbTO*TF8xbTky zn_p^r=OvGwDHWzW#jeU1;P@yUyRV$FVID8}O@=IZKkk3?|7*L~}%^lo6c z$fi_Dplua(s{@$Rgac@=74#Xn)uS2uDMk2p+rVABuGkgHh8S0MAUBf?D+5OUwBscxDtQ?9LE$>)w zaG#wazs$s?DsZpcRzT-;ze&X~ORuFAK6zQR zI9O5`=C$l~Yn@}~I4zjAg}mdrZPfl!^`(g&hCe{;v4NDxHAYalt)_Hy-ap3UW=i zOH+Okw4VTj)z-|}o2g4c&MNrm>=+Q7*{IUSFwuP)c?wv}e@0tV5|M!YB#pOE`tW|yoq8YOR2fW86A`s3_q{Wg~ZRnNMQmBm9f7!Fei zsj;pXE5l8^Rdp~7{66iCwVOI3)kKuA!RH`kKn z0>UmI*)1FvuTo;CEnw}aZ z5u>Ken&sc?PiSh*BtC*MTbUorF&(Tt{B~lyXtnZ%67_`^;qYxmCgsBOhGniOv@Z_M zwcVi`>9In?pJi15e+^(xQBfdy?)Y1;~F5q3tE7TN3B5KS3FXL|}*gNYpV3nNF z^T~(42gmI|Z8EdPt|&tE%>GoPFc8nnQ!LhL7Z_>mNIrWF*3EBHoMQTyuG=6!QEp;Y zFuRz^6*g;JHKWRpkB{wtm}?a=udIZmT#$5Mk)YU~CAZ$YO}hjcxe&;bOc-xdtE-8` zhOhoD$bn)EEuQbvk+TRALAqKcwKSkAhMaS|qPUP(yE&-&1~F-u-cFf1P#I6y96#m8 
zjSw&RY%#*PN%TOv5+T_i5mRe7_75vfQfa`96(uYmzwOf(73#cGZ8T-Wqa@1@Vjdew81eFwtMax^u1S6iCsbB5Zb>s%M`H z5=Dk;0|Q;o_g!6}E7R@NAJt1Iody~@5Ac|inFwU41i^!r{e;p9a!vuFwDC}K_vVRa&Y>ErL()bGU z2nzHt6vBfJtIDI;8nlP>*g+%k4H`LcLl^iM8paXM^W|~>WXUb_3UD~R42{FAYt(Cu ze$DPOvi>*@w??smBR=JNeVPA0WD#s_^My)9MM}!8=Axw5AN@w!>NKwsBHe60=o{r2 zCgBL*CwqQU{*{Gt3d1ZIt0@s11%+17QI57~25*&k=HNY(bnQFq7oUx%08Ra-ZP|q3 za%9~d7~Nav@ZclqmI%r+mySH?zQWjq%HQVfUvwJ2EfA>dp)d4}A`C_F~^ztX*;!A|`@p`BSB4gE|v zi#Xu-$sh-uOlqlDP*%?YJTR$JF>uh+m7ZW()*=N%i{o68Hm zEbl=Be&1j7^rMUL=QlgqBz*1+%pmhO1t7>Mqh+GSuW9OxpUH0>8rP1k^Ri2BN$=_t z?6^s{j{YLp{e-6C*t4PJ8zb=cJi@Nk1FHCOjxW@9zIGG%smi}@M$;%=pVDy!ORL)_ znY1>8NN&!V3H%JIe5Q?CfNk^p|Gsya@6>)QwwWHVKgo2ZdA{~t#%=LB+==1(y}uJa z_b1~q?$&!+9W?l-UR(d4E!oW^cz3@ZrV?ka$I9`;*8x=PO*7)wI#y(^C+ zkp@km1e(g`x4tv=3xj^a7(+xM({ZAPTke##t2epxr(Mh=L5C4en$6C~5fBM#x939w z)B5FK5~7cw0#Ff1&D(y{{^|VvmiO+pgrwt!yTpJ^`|a;Xva}z-Zz7KBbi_x|_o+L{ zaK-8`w%+%#>Zq=lZ6f_kIHRpr*3C-xE6^3OYGG7UGidYA(D~EsN6mTjA14x>O1v!| zU7=8I6ZU1^ecQXV5mtL}rs3=Pm}a|gn^v16H~628efv{Z?MKrT@OD)~F7p<|wFg@R za?t5b%J%SFpbuHfQ2>KRePSGIHqR#2ctKeOlQmtAubw!MmtBkQk3NniAB(Htt}(xl zAg>{)Y4(q)C4)=ZN`?wVyTq-Bvd7MTu~QrS%RXwjS?_yl+`o$ICK;8; z?=BW%#DN@6+gNhHpY4BFY9l}i+-Q+?&r-b3*8+^G!CedZcKf2RYECl0!mmpXj?7cID z>>{NY8bx*4Zrcgat~Q z{0D?ewS*OR>1k>yUF_qh2i0$fg0AZ5QrQ?I3`aJOZs%qdoV?hMPFtq)o980BFtB11 z2Wi=ZKU>dM;qqG4#Bg#Mx@YQsGyF|N9u<|+kEr}LpxZrw2g6Jikf3z?6*81ZOgVeJ zC^FNA+Zcz8wr-9^^lR;`_*vu&nvJ>>qLry(w1cYrPQjFovnU=W3%BLern$vWuCGg6 zRo>WruXqJhw5e))4g45z)85N(p4N&&G?{a2_0M<|_i(H=x_fv76v z1|#Szr8VYWV)SV6R)N;FYRY@Gx##(eiaEU@4$E_PJ#ma2Ynqnx;on=wMaxtP%rOBl z&Iz5$45jLx)0R#;*aS%XGhnx%it91+n@1O z6ibMmohD7J7t^Rhh-R(O(J&rP?l>9$<{-htJ|JqZ9-QzG#$7*1uF_gAPa@fDC0?V-y8Hk*Qg1#MZzpP>*V2pOsY5D!ELWP>r<%Np zNENJjoHgxB{r<}Xkt_z5IKci8w6~I$rBhSsRXz1F-Zpf5fpfqC*Jn}>Aa*e;3pO_m zt8STXJDH`L&o7MXgLOjq*+#qt6Uh-TZCr?!RF*CQqro>-gk)Z@X&iU@l~w+?+Fi0) z;>u`k_Bk2`Ep_QPyH*-S2;jWpKU-H-)ph&Z_ZBWZ?_Ge*`;Tm}=EWaM;q#Qy5B-Eu zD`g=w=a|p-ZDe>1J_n zSQ$>fFC=nsXYIE;ibeatCSoZ2Enn@tcm^ALFr_H?y9iFaS^qhGpi`dFv=%0^ZGu(6 
z4@QW4;z#L7mGO+yaxdF04c4G_z$&B~sPk!>Jt+wSR=PTd%wx+-vcDt?$wT=TpvbDP zh>yvR3Cku@BubhxijH!eEb#r-pFE1nXK_5$sUK|;>lCP-5sR%VF)&0A@`n5Q@DiRj zli!#z_ce0w8t*e2nf<>f?ZzGYFX=n~34s00Z)^0q6TA+Nl#2aaoa!~grywPS3uoQ| zJa4_A!31tWf&+}dk+HypP1hU)xYG;lo(#ZMZEJE!ge{}=VZcVPSOxC&J`!%CruJ(A z8t&_J?9h+c8jsg1PHV62Cq~ByB0pWPj}k4tm0y;(VG_7slk{?Fsyj}yG)N3QyPm2& zy=xBn&lr40B*to7pQ##J+PhxXxiYF+HX^z8VfAOW+&X)n`lD$KG}=KkLl#{f^K^HY zY*X)Z1Grl^^ymE>2Ps;<=f_CduYVOkw=*thpt_#nmQu?*cP5%TnAZY)UGmyC!w0P@ z=!Zh45~mEFrU!sLcM%Wv!ykr%>Fq}tXRAS50(rlB;`RFQjGCMeEgo z{U+%8!dXtxXaRZ&@KS7$0#CAb;&}WV_G9BVd=n@I-Zllz%(CkhW{WTnF9lJgj^Tby zRz(G_C-R+WyQ5uKz5xaAx@Q-N))0QQpQqr~?ArU-+>QJ&XgI-?V&Hk3k^4d*)a+~5 zK-JRyvMK09pwpvZ=rXLYv+1d1a!ZyDr_d`{I_C<^?lbNUey1VvTTSd_&8F_UI|D?&lz~SQpbM;<(|>YT zv|_q!L&!4(Q{u(MSvP04l-rGsQ5<|#dJ&b4xp6Ad3=~uvAVkDF3I1_rg+Q-0i>e(s zYiL)v>VK#K&4~r~po<+f+I@*()k&p!lNpFqkZETko{yueJ6AtTRlUH5A0nQks3p^P ziA_3r4lM~p(D3oxHrCGgjf{c#9V)2ZT*h+8?cXWan#%qj3WvJER;GnxH~mABc=Al3 zq(XE9lu^A?F}0X&{gn#GBs>R@-jS-L5197NLf0sb)28*1zS9~Jqo8ok{7*&tad3$W zFh3QGl#QtU0-cDRS7CB4Pe9qJelNvkioGnj63=6TqkX{za=rmwuf!UfGMAU76x+1w z%6Z}I*V*0uvlk_xtuyJGX@YT$<%5F0l3IdUN~l%!zHUS`&MYDiA(tn`ub)rt>1(nP zpP=ts6LxlMH+52}U)Ys8%=h=G$Jd-{ax@pZfMF!$Ed{-~vO}lgLWO0h^%(qgl7jZ* zpTWOfJ&o9-1CdFoyL{0K-c0nI*$g7fS752~xX1K~D5v+AL&mTJBgV=nPc9Z&oEpB! 
z4&}pVyAkWs-aq?ywa-7q;ec%$(VcCpDtx#An~Sf3bJ0Fp#u(#O;{^u>-~?{N7?X z03Uv>)%FWtycNzhA$x>J6v>BN(B~2YQ&l>oDGo6idupT}sE0;E|LK@k#XS5|ET;L| z<>@gjrVN;7h`CyP^UoCyGHHoiidM;uf(KHgL`R9{Rbd7B<1m)@wsWdo@v1MoVj4MV zpXL&c7I<{eUbR%#qkV4=;PokFKJr4Qlhz4ia(1B&VZ-Cv@}D&U6c!8v#ly8noqsLl zdTp1M6sp+B|5VmNgOK<>kKT%ewmvziT*%S>nlCWT4j->jzp*!fkNT6QE3xV#GRL`cC1V3Z%NJN zTuIo!<9NPCl%1Ylq>wK{2cmOW4SFy=BX|Gdly#@wZG9=9W#IN$UwlTiOAyIFTCO{L zg$P~XOLACek%Q&E;KcM1lHIRt{!5F%F>K!PB1CtO82HKH=%AqYL zHb+2SE7Dg+%;@|=9}<_S5GY+jm|E5uLWh+?n8qWGL(@$dphC$RIJ$i55&|@A*>e%i zuFJ=xPye6uiuMfw4t+}o9ANnf?vB3k0Kfd~xLCRJ2N&jH!I^$T@cArXc1MDOFcE&| z&k=y>KY5?0EAFjF=MS?dfR6`JSisW^Co_2Rf-XnOi{Owow0XXlQ9Eeq9Szyju; zP2&~4cw9fqi`HwXGO;IL_ZlRN51`u1$s=mZy0_^=rfK!_gd|PRTgNLgVAF2$isGPF z!M%umi5G~VFGXy88Jl@|gBC*n66gX+pVgvLvHn0ZTH&;Gx*Z+MTvICp= zExrM|p7Ph21Ydou&kW*|uxWay%?rjwiQ2Fzngs^%*}g2pDOFQVVz08LdVE%4lxn7zeVbRb z4a*KQp$N51ST;6+vY3Z@U1=p|9~8{g$**NPq&g+3)aOIfKMN1*eS_=mM973YiTHYJ zneRe13cmJamxoU<@inh3)|wSM!q6qY@f>L5mxWQYpbTXWPyb5ua` zX@yfXF5S*Sk(Ycc3X!VfQ+k73P~K)Nmo zS~v3~&|u_5Ooor+?gGZ_xX@nFtX^AuLz6ZKRgf|oiJ|7KQiO)Hc+6wBHhn7kz3w;y zVpNKgF;D|B8IPMm_k%5dV0)0;2c%aXiS>p3sK@6NfRE<~ez)xYd~kl5@_qo<`S2su zW1}xX{FAAzRZFFWR}XWO(;@q=IUkT{A|e>x`XS#lS)?$Tf=|I|9i$9pjlyn7i7LCG zuNWL5u+1jRMt|qQP1@jHsvC~L5#iCc7zsN{yErCF^k>~xd3wE0IPTk$wP-cLwC&38 z(z;MD|1z%o?;FGm)(qy#q!FdR4><8!tG3s9^b*(;w0}1Bi>&`_Cb#Ffx1!QK>&jaJ zen;h#g)(QOq1={4y0Oi)e62f4Lf^bn{w<&6`ImH*UbFzND9D#xDZmHOnqwd!F?6?G zH7-O%4vN9hidAERM3K*XQcliP;h@!|MF{UnFQ7tKERA&!6=89B@_UH!Lb^1JBAlGX zt!q)?Epl!^ee%`e3j|nl%J1#%HRpv7JaPT2`(m*{Q!tW7@8oeh;b(e%gji2h3bwwu z$h=j`b5!#8?Gs-UC^Ol%cEXbpoGQi8B-ys(tbRz+t140neh% z1gjU}LO0Z@$eGa0j08rTXu5-COiEBz|EMWoY(VWFLr>$*P2A+_S+7>d&gMhRKHvzH zk7BH*czdL~l?=BlLUSPR7Mj6yIUy1)%jU;CGOm-ba3oRBs6!K|7qV20^GrqE{qK1{ zLWKze*Ss9bJ)_-zVn2)3{$o@JA>4l)J32hU9{C;uGRlsKyvD_H?sE3JHG~4xNMTGI z=wOSDe~JBMbcj}ZF+1?P1YCo+Nxn&dM{ex-eb1CgLJ^=OSXi2Nz+VI#n!RtX8R|{#ME?}{I+#y{bn0Yd^JP@<#ZTAqpv;|h8*L3#+%55ulJ}uhGRo^AMoyV^MeM4NueWwn#vK#*1 
z&=|U=e7HSLW`Uf}?U?=UZ>YVh@B7zR&=SJobLGY=SU(K5y3bp(uU*Kx4(Hwwrnrf@ zK+h>uM<1E3?;CeJ6zS?G7Z)|)l_46zy5J|d!|Y?`p~@ygcL->hlK1=Jr<1m$%I8}u z=1iWW8`H@xhsCm~b;kuO_ey`CFM`O@AJF%tIigd8+manMn2T^b#lCH76)qnl%ginB z4z*=!NF^;|$0(qt4~FJ7I+{3|uA2@q?y)NO_iP-W!}OReCy$3kFjTg|{*6@jaSdp@ zZO8bnvf*;X`LL74Q+Ums4E*uEjSyGsXr{1rm_ z@iIPn3v40c^*ZVDzpZrV7P9^ur1vN^i>Sm9mF;rE*}~wtDrWQJt+)BizV56TV72Kr z{cq{YWvn@iJ?7Qng(Pe3Sev`1b=|}4*85_?HF&lrWX&_eRJbU%%0+0wpyc zyf5UV*(~W93Wresl|3g=Ih)$6(e96D&Tz!sO?qH@4BlU^}&HS84U=tP-`401iN7AXF|0@GchblG7 zsQik;h27!D$pFn6sb2~&(CYY$-tx)CvP$#U@0TBUypjv5S9(5+_`lBQn(TF)LW zo48iq{1nkbRJV&6RUa}|Mh;8m1NdBtB;)Iru`9focVovu0#su2D@hhOV-?KQsU#&@ zsZ(EDH(@%6jJIJjZB;vCL?pWiv}hA*RO8ENL)XUc%HrXkbJhW0(oX&qb08Fzy&YL~= zmyoYPzNlo0Dl{wFzG?cdyi8bG0CNE)pII3#(V7+9AaHb$V8!0|O^5%CRJTYgMI&`^ zIWCtyo(ou;tbrO!r)nt$`dYED-n;|lFh8F$LC#J`O&9K>aj+ILxwI@L@1y#LdFzL3 z_))h%H4pM`xBL#O*aY0WJCQj0rle1uTM7V--PWCd7BE;i4-Z2)Ienit@1{I+!Mqf9 z7-Eu!9jsEPE!8L2<28l&a}39{PhDm*x+qqcNuZFEB>jvZ?oNwInjRjZi^^^&J6gid zXnx-W>hPifO(y)&eh`M$uJQ07i7pmbJq{wfPZv2g41KZQHhaa{kOeGizpUp6l=8TWi11 zel~FKFX>?#GRE|uk)3~u{vJ`;Pcq)}2VC6WixzQTCQBD9+tw5y3x*1c9sbE_)=`9T z5G#Rd%4WzBDEnj7G6uhK3HPH)M8s$l>HIe>apnxpDHSJjmRJN5PHbfVRl3S(XabwX zKihKTa;`C|DCAKV<#>LKWE!GX*~F*9C!h~T>TX-lT$5;*N<(gT}Fn>uvmj7 z3JD|Pvf+pu^E__^Ioy5utmN@)RLyZtKu54fG!Z(#4yQTkmj#DQlO1{Pkv+1YqchbY z3mCY(s-dsM@?0xKkFhk*r$2bZHaS?-Kv8XG-8eJT5AA5*ihBY;b#JWRQo(#L0 zgn6jT{~AMSSa}z@0Q7T!5_1m-SQS0J2y!^*cfG;_eZJvC$_7xx7Acp3x<1Xljz4^X z2oJcWAi-J|83GF|$Q~o$^e=iGPg>8DoQK>f{aD_X3CRxjyq=Tbn8(X4sRoONMT9r^gh8{B|9;*M&!%uG*R(2ZvWm4qe;ztUCMZ<$<|X<&l8U%)ejI0q=L!8B@b? 
zDg>(Igsz!QrSCY8r?zi5db9=I-PLjLOXoEfzsmvRW#KctKZYC7+Fx(=yHqzjx`!%y z_&&B`wmGdd6Evwj{oKa&vu~WAtAFW#$ewM+(RJ-ji&vNEwp?RhnX%irobd`Cf4r17 z*h}g-thB4+e2ken%ln2w_~CyEv*x5l)UTX4TV^${C%hhgja>Mfn@Q1HR*VBG(lmFn zE{9tWT0K$xmjPH-hmK}0`{|~Z z58d7DIXrEeyN6#f%Ltrn{140DMcY=U^epmpwO)((={rl?SGS-ixoq=XW7q3^AAVbl zQX?lVBea>%?w@t&DtWs<9Q_TezCBP}{4$a6W}M2#QrSDKxdQ06ALM*CuaR+`LR?+72T;!93i;fRf_2IB#*>KU0R)v+*veIuZ}$FjI`604qwu`Vpbx zcnIfuB7|%Pi30_)Ea#uB1eT+TU(48^i^uo(pjx)!q(;aK_83q1pG^=jSr0ci5^bwVFzt{$Azqn8dzWiC6!Ow%2e$*G7G%pXK~}93@q85omoHq@Yg&?u9xg&k z+AojIt0jj`#yR(@ROuI+ASQ?zf9Dv~=U@CzW}sWsp^3N}nE`f-#gr+=lvj zLZbT5;#Ub41Z973CansQP!-(VrW0AO&z`?=NEj2RWDHpd6*`e{UCF%f;rRk+22cf} z{L~GfqzVw7u;KAj12MmSE`lbOo$lEoGV|`Y?=oqR2}a??;CEnyWP(xxwN{Oj;jKJl zc+zD4*=#4DWhW%er?}*XpO(w@S_q)pbo~AouukUNs2z&B2}O|}V-T0LNP)RmIABn$ zcmrLVHVRL{O>^Il1}`nk8TKb7ckTWJC9we;azPf3H?<_nmjL2U1XF#ol)TMhO)bfU zEUH+m$YpK>&O3fmmESVCxacsv>dg!`R=HhZICYtnNuv&jG(c&4Ox~eRkpQyVUsbck zUug3|V(`s#V*xor5g{Ow<(!MvrBnk^J?7uq0~v*68;V9`BIzFzcZR^e!CH~?q`E|w zWGrg3zU+Q+;*w*szL~rkk$_S-kMd1291YR=SNOp;S!1kANN9i7aSN-arBYfSH4yQS ziJho3z|8a+pxE7Xq39o=5=6L*GpwZP9O2R*^s3lonMyYKA|{ zP!b2)vacI|@McmUuSHm~%gWiC6)zgmGz*BAvs;Mrre2kY@7`*TMR_7gaDH0spd>1- z(VDfV*pwx*)n)I0$7Dn1SV+g8vyr_P9SuHjIt^W_Vk;Mv9cDxicBV1V}og9Jc3{5S6Z017a9e26emzM`PE^E&Ak&@99-V%k|3Vf(T) zIZfjc8|}$b-V^oLdYMeYpR2!{9Hyo+QGxf!4D4{*deXY-MQxzAn}KE1%6C|s-1s}* z)6LujdZXT%dPAsG>DUQHm|od^+Qmkn@_l%uMhH0J?(?p?YFm~*w#D9f`N(Ln(|67X zHm^TtbZpozW%}wop@((d++zLf+)v}cT?IAK)~s1b6Rq~Et(uP#x$nQ8(>d3Y^1B^& zG!3Sj9S4iE!gpH)k;i5zuQ(b~o&r3^FJjz3PNY8gZcc}Ot#1S8$c`h!Z0fh6G`V=L z;-K}M*&FB|l7MNk*8)?Xw&T!+(E4kilCS>gW>s#*w|mN;k}YCyWj&i0g?YfwnIyor z-)+^no5vN_3HBqta{}#CXPZb%9LM3*(kR+TVxrbt?V6-C@7t}sefwvwaBJ3eo9ndx zwXGd+#IouaJ}-Z@PU8lxcyjd?)aFNRkaLNh&wJZgg?0~cD;2ww$Hy<>WW!gD0l)p| zZ0NS;k9kh#k)phwZ}aWZl5+qlzI3kBJY|+GkM(;KgKG~zTxyqL9eb@WH?>~tG*`y= z8pAvq1i5VQiRopmOLy>ZK+`T;W%}U;{ZgIx7vh)qox~oRp0~R}@jvc(pr!0%e1Pwu zL$5IWvYy|?H;+SH^Pc;GLGPhnLl#zTYOY8^*^ zU!K$fFJpY-7v2WWv~Ht1&sPuc2zk%OJJBt%=eBbcw6PmLpo%n~-477UC&(KJ4W2Ol 
zD*q!p0<=B!LiI^Z-Kvz~bN%tv7-<=J92@-f@iNWN3%Yzi;ZK*K&P%3|tpVrk`Mf_w zUXz~!7+WWaE$-81;w>)_?SbucL=M7bTr9&>ubBwC@3;xaF|T%F9#%SKQm#rw&=18R zNhPh;$;;M@s7Y!IH*eRI=|CAsyOzvGzv&WF841%TQ0@eQUz~^)5^+&W1tHa#N&TQt zA+|PfyJPMAeN&s@AJ#4X{0m*6NiS8>eMooItiF>$5{=0!c`8|RqT=9tA44I<(GZ7_ z*-HJ2jf+*A3;qvf2POkitZ0}&@Td*AD=LBUVaB6Y3ZmZ?A0QDu%pQv^u*Mxy;dPY+Y~pKi`<-TQf_hu#0sQ>92)}Av~23K>S-})!Zr1z zVvrh3jt6k2t#4Ts^&8xjT&rBu}KpnBn){J{fxH00b917T%*Vfk1&WA75+shHx{{Mh2Z>{ zDueMouxQnaBUo(TDpxYPLnni#994G8K=1bmGG4x7{$x{<63L1ncL3w1Vv$xTN8iX> z3Jp=pfJW8yMv^mJ))IicN(vNrQ4^w1*OyO5?SOWl;{+ zFuy~pF9{|JS-UPGEefgihDjIr!uEpG7$$fSo4icNPoyWyDJe39$VOgAlQqtfNlEF@ zHu4e6b7sMC-7nl|vpGy8Q>e^-qRcX$a3BhU)vZ*%V14y*#W;yMw|&cyF|~LmH32Ss+*wyVJdwCI$~CLZW)aV<{UsRUqCFQEZVYG?LD1*b zk%+&@7=NDNrC#-t)4h0_ayM$U8m&|=L$;|#*L%Q`znW4CQ-0=$U}4lR!kLv6q=-*f z08`xJDRcGLBF@wcexZP*F1lRxhX~Ddqc=pbJGX{Lm1M$Xw4!9Be|c`G64=8j{thU^!Z4oEQXy@+GwnR^ni8uFOx?W<=;-3!5ECsF@(Tb!sM)P_#(n zg`os5jvrRMjEjTk87Rr8ONcC+Mo=b0|5j1PGW+3a5F|PcI&c|d5Cuk0pSUiY)$h}% zKgiKE9-`hr9C@#Cg65I>^MD;QJ>v6!Jy!4!rd|->c`6vNIj7MlS~*(f)CdY)!3~)z zxTt3|)V+a3sKnyp;wg4JFiy*&i*~g5;iSa#V=j9?7(~7<4z*lmv!zM0uT5HvqJ%NI zdT3m(u@y6mjU$MPZFu#%4H49cTHvs72e=Kyj}0=jkT_8iGMNs|Y&0;iw(&n3VDtWA zXX`qa2WJustmkVnt{lDx&y_)&2FA=0=V2dnz(i&S{vxS08T;q#v*l043-eH>)TIA+ zZK5=ZE|m9N%9CY@@j#MCQHNU*|aJ|tuZf)+L+pWiLf4&lZ_1 zYg2E%WqYmBU;BQ19;11=%ztF;hE(YK&1;&29wsZ?uwFwuX()^oUesIHlxf`q zai8a7dHkNAQgLeT>%rEwx?cQlF`{YSM}5f6T$fWlweMo+^lh^_fUVsHk4e>M9s||* z)y*E`?E-zzt6%$#AvMx=ZoQArxhwla>RY=T1H!*M1cguRsn@`SY zna=}p_Vn3r$Io&;rcY}8y6=-Ax9=xM^%dP6yFucqc8C#*7Aad)iZe+i!PwmR~XNyVPxcAZQ zA~%lXVg!AU*TvgV`!u~RgQm8eI6vT4C$pUXWk{U6mWkWd5xRX*+Jcz~%|jyRQ3e|9fZCMBe=}PHR8Xed*f!oMgv@=T*Ke zEa&~YCx0$5NmPC1Tld?yojz9j#$Lm$8e7ok#Ai?!$>HJ+*+MZii0*76>%?$iKpWi*NIFOvnB@ zrpM`4K8J2|gTO<2?8e%{SE@g1ezk#)_%8uR{2R~H02GOZ5lgPkbcsyvp3kH_dXVG; zQ5nMWx@s#p`T7>51!T3L$;C+X9vy{&t-63|JH9~?p_wR9GRMffty`nIjW8&7U3jo6 zSRAWHDnC?b`vl=G3T(j} zb6~^JRjUSf86ksc8-J-#`P8g^sX#a(U`s6(41JM~%3#h1Mcj-?V>*pvoeMHG)Fr0D 
zk&A`n>tx38IJ>xbR3OtK4*(AY0*_4W+V;>87ggG4Z{)3U`4KPC>V2~)DL7$6 zo!Pgtc=I{}b8DkMkr0_S9CRyxI=4HuNLp7^#GXhKk358?U$K657%t*w z;gwnq%G6_Wxx$Kx<(L)yjUE0ChKh8{pl!{l$;TTJ!4$2U&V_OE%0uruFoM5Cu2eQ~ zH0ysSX2M<-^8;^I^(QChQFvc1jLAVnf&U$a-q0SSo{y4rL+bS0v}w^s4tSyeh)&O zSpV{B#wUN?>-5X}G5>wj##f={+Wjv7_gR<0wTCfvS1??KQ5j@G2uLPI&ZI+M-#;Zo zY&-*6Uhv1~R%NIryvp>;4g&#+@Y>}oA{EerIu=Dm7#7@GvBOX<^kw8jvN~oi@V3eA zE|HY3@50gJl;sNjz|vU-sq}d4gB>lpsVLOKsB<?Sh?sWb`8fh=6Mv>B2hmNh-3Ni!#xRp{}cy6-4lh*T$;>=<_xvj$0U`XuAD zf4{AMU|h4jpC+oYzA*OHr-+zFLt-{Y#p3dbbdt=w8e=keWKXaU>ir^%WFt3uLpCp6 z<1JQo5-7K8W7U*e68{ce#}&?O=j>Um(4x>R=pqzMsf9OF>p zIefwJ+*G{&I^g7#n`%d&75Z&B=%96>7D>Lr5bC;Rw^3Z|hddbJQHmHcPcq9q=7D3R zBZnTwN|0R>sVb+&2<%}*O%s`$%7C|x72MKkW3`81?#bhMvf#IP)x!73Y?7ljmULPn zT-LZ1QxR+U!8J&!mfv-QtW0f$BF2=Z>@LniYZb#9@l8oVk=D`RV;Bsc!3Cmix(DQN zdX;O2Kape^DG!~56iCi_12Gtd2nH4ns}|4Rt*8kw7<45QQ033ST`cA-Jm*B`fL4wS zsnLzb47ISNVMRW!@i#$im4kOHmF;5Uq;Cb~%7!F8QDkDFc{}1P3I>Fw+Nwx0J+!T- zVhUG#lahE<9`({iLn(ZQL_)T28z|C;->6Bl3%-P4`w=IZp6 zr9sF>|7GX_PNM5?3Fy9;Rh_lqv_{^3W@dO(Y12Eti@k3d)7|e3iR*g|ZVoT&aS!Nu zWSAouU3b_+p!r=-xIdi&8ZS3D8;+~%=9uVn+IFzet73CMMwBZs%&%?-)U>x>-;Pqu z&dhtL@t*EumOd9_OYj}n*BoENZ7a&Entwe1%*MW`aCXNR5mzVI*Z6FQK+pEQ$z-^!pRXvQyd!f?`$+~i9KI(mW zDgJ(@UULF!f859(eCA_ze{UAwG=<;L&wf&HU$t-kgwA$7Z|ke4jzQP8iqftDzH0XC zu4Bq|sMQ?(3Zf`__36FCDJM&hxCNy00RB+PEgnA62(M z-=rpGW$`{Mxd0)Y$DwP!zN)3>wI9{uQ-!S1vHv0SE7~B+u1%wafklyEB<4jHAljbV zx7@asS>cHe_g$S;blxa<@s}GL8nKR-Q&j&!COB7JMD{)}L(Gfso~$ovq2MB;i4sp3)vcTgVuehbs9D6ej{pq3i))l8Ef~XeX%ej z)k<@eE;ll!7mMHqzkXa;S8EgVNuy;cxJ0)yTti3KJ(8p|ib{BukzpiDTm~PbzQYtl zXD-||S^la z|8L&K7~@Vc%}1tk87{NxA>kaG-wE}kD&=U}c-y*;vrND ze|lrb;BCGoc6eg3+E!=OXQB;Ubj&ft&UF5dj@z%Ab2A5RNya6C!Ep-x zOUhJj2@b5CXW4?Qr=O4Tr0(3r)uXKKgo=X@tJ3X`|0p7uMvTibn(-PU)TBzqk}OI{EcHMoE39^9Cqo5cZl}NVtSeYTO{I#e_F3Oq z^mi9vGv%34!5nkA(82>n_v4NK{5D-V4Gn-4HDbXKw9+f^lJ%hBxa0|!R->#+Gp-a7 zLYN#$yoMp7Vo#!eJ!Sf1_;>vk`YXbF251C1@#XD{E|3l8;DX`S)2nMD{N<>| zdK6_~LxAJ|;%dAw5i^c*y81SNx$35%5~4zV#cZTwd`dz_2)8Z~shSd%WrSzsJ1VtI 
zL=!B&iUO@bk#X0No+ixLF-I9NS|3(sOSX=eIVsb{{;M`n8QV0BL)FM*2g5 z8Ndzx1NRO;W%xe<6sX%8ug`Tq>KeZsx6ep^kNtZ5F2GeMHOR&N9PzCu)%U#g{Zr|} z`z=GhyK(3#Dyzn>F}y+Rd<|l{)eiqW_Q;OAQ!IaCYI<|TulAK5{fj>2w&S@Ce-yva zPvv$+P|!9zhLGcRUrfQ%cu5ap>oUyeZL!mB-7n(*?gtomxcZL%js0~w9sSbnMZQ`K z*9S1#fz_kA^Aw{V4`{T1Ze^~DTjrr~KLqbtIq`Q-UF&SRpMAapINWLO)N(GP>unqk z%d5fbQ+XM5gy?l!Y>h9|cg+X3@HcGXt7%t#^l`U{NJ~V#S+Dd}+~-5kcs`$(IhXI(N$Bf4jQP)7o!`A1rT`W- z_6q>El%|YlDeJmfv)(bGRGYcd)>y5BIHzUA8F9ZaC_D@ z99?6d{J>~T2k7bw8Ro528u}H8Z4ap33?08*KMSwXeOa(Juk;#g`#Hr~;=ZINJ@Gcb z)x&S8)8Tpe(=S-#eC*B{9sfPyc2~G#daE=?YHGE+%--z`8=KbTn#KP3T$_K(dMct} zTgxk`SDs5cuRW-FwH}?{KCkY5?iiG9NuH;D_%F=8=OLF=j=#(0xagfO62sgTuNx6? z5V?(l28x%pxi@(noV0JoKYM7=DYynJ( z(yEjmG?GLdF?P(4h=aaT%;pigTo>nh4wK8jeaF@jMr2kVklAA-F_231KMKJ^c*ko)zjoBpnPf+aDrD4aVv`pcstDTSLugrtO# zT92o6-UL?tUA8+H#2`tFNKr$0*lGv`JD8dUg`0D?DLERO|$Bo>A0Dg|Nw8SWrHrn1t?o#V+)kj%5T{yBZycdUB{Wk)P&gDoG5-1 zuwrOs=tzzK`<_j_<}bxbx%M+tbUmhn0i8VyQCD0l`jo;DPdy=&zR?waA%-o*^<7d` zLe5KqVd&9tRam?Xl7Zq*mSK}n>{4K+LTRzPuVD0= z*JS>p4$AOB0Gj)yW`Ul*)L3tzn@B=aGRgUxBmw*s$<@Pit3YxxBZ65>m4$nfoW@bN z;+cDuVLFn9h+rk-W^7XNoMOvDGPjjmV|~;LVS+SS2<$MZ7lK?;R+oWb3-FVM*gtGLe$b0x5C58rX|77Au*{ag$4^1d>>2T zJ9~uCNTd=Z9@0Y5gOh=vH=p~8xhkgmg{L^l^kZj}LaDbA_eo-UlsrZW^2bG~7$okd zXvOzseBs@hM$5i(ZXnjt46;nMWh|ZhV0)Hjtbb*Uqvip~_`16vw`3|fU>^4GB%;@~ zEMx_`mXY>V;v(&MzGf<|_MmJ%E$law6V_loA=n%RVFcRX8KLW(05I5Kl7BOyxzot0 zlVtzsAYLgtobXSMk)QDkvG)r5tc0&hJ$t&^~k`aShy%AdO)0X7(>A z_D#QseTy<^l0T=Fg48#t#&9D~j~!w05g*HeE@sU-(w)3pSYN+`{uGlxlzxLQgQ6ioz;) zL>0KRuH-;U1-o!TUkYv9@JXbx6z<0#5kf?g`9}6KUKynWN-os8%bY2XDMSi*e{?<5 zPjCH_?0Yn5c{cwD0d?MDk0`_L+yN$^ zfPj|8v6C!%XF&7!);IvkN4ylti7$zk5+Hc=U$wf z@-t#Qvbp}U*Le_k=rPD>J0|YAj~Zdyrvx{UU;p-7*M?RL|5I?90AW|Xw;fW{CI2g>CP5kcMlzUj9yJ0l;iX$O1-$uy(bUwsp`^J_|k}xUrN>89*k8jG>``%Bs zj-4vw*vzJ>tSoeMMRYLgF3|2@`z}a)=dF(}`K6kocmHkLyDam$veh&#kQzwyYI&nb-T(e+%Wib)Ik&ypcg1P?BKX70b-QP$KJ0VF z`|bu|i}#v){4xPxa{SfUeDrh-s-=4yQw`fj$##83#-@8b@=DYH>|5I$uI2)kF@M(Y zfmbPiHrGAnviaSdqOxy3+~oNl5BTZ>ZynQY-Ijr~Sw~!HIc#h8!|2+_bS=kJ?!M@} 
zHcPWfwER3@jSX$ukRc6&#!o%AVej~zFB#iv>J(j0K~9@ihx2Zp-kaws>nc`Li!Hp3 zlSu9$JBQf%^%!l?VSSaJ50lmP(iK+T>s7psoPld$l9?YBUI>M zTv>jWbmdB!Lvu}(yLkQa`nz<4p2`+lU#^vlcf=ZloVk|(LO+S7)M4@R_oEz|BuZClJ@jwC zaMHra%+R!z(neI2Jn~E7=YL_a3^)DjC-u+tTRUy#2^RCNKL^0*I3v~=o$O_$FG9nh z&nmk+WzZf{=1QxHlFMiN5zUfiu9=73zS*2nBv!zqQ5h_$b@r_@9XbpVTRij>Z3O%; z+^z`0{c3Wta3g_Gh3K7I`c|?30HS+blTV0GX0psidy^e9EZW0p@U$PPd0UW7!M7Dk`)QD zk&#tOVn^dI@|J?(zns5vw+ZQzERLnX9L4A2nBkzHU}@(7Y)j# zMB(>M0K5~j{-G)(mCKKBOLxH zK=^$~wXliU;Xxl}2vaGGkSsoP4jfk2!C;>0)=p4PW(PRdk6wapDFGVu$`|T39C- z5(>R4jOsNEnN>&ZE~-Js+3$HUDj~-%LJra5)g}yElEsg9upbx%WJ;^GiPNfw@SD=b zE2mB7=dY#gSIDrfBEf~+OhO$xaLj%fq=kkZTW}6b=81+~x#U5=83Y&MYtn{8xHyJP zihmY$()?Wv)WMEBG$SJqLf)K^Dzh3ZJW&}#NG^`9wfbk$s7N^awG4BZCDxdv08>(b43+kAGJG*u>kK zm%nf*uj^BMDnCzr*7pI)({~)-zU(Y#9J+%8h^87qZclp}bh*z1bT9ete15!LverwL z+yGxc%O2S!?w9-ydEhBp58w5rdE)YqI9;8lA| zx5N5$%c{#|5AXq@$LsRX_S{sb^_B&Uc}Rs+g|5$N)l$d3eTV-V@KX9M?z*uL6Jax+ z!+RNjfc)|v*iqwU+4eK7%ah-sN?CrBpeVt*ADTY(3#e`6fdftS0Ee8sM4Hxt(DP@! z8z^c;=OtV{V1YRThf4<}X14cQvx6UpbrmYTuG7*_1bg3y1pajc^4n6|>(`dI>9>CK zEe@vpA8m$Pwr*}YfMI88-RE;(^(~heYItNQdL9g#D!}vHF3~_e{TF6deE9T_f7r(I zyuG;BY#u#oRX6O-KNkg&)1l{W-6o(p-p3%sq{)2jUTMn%K7n41&y&>EcTxSv*F7uN zQ9{!?Pk611isutsyP7YnPp(gwld{j|LIq&*`rB1HM<^JsMW>k33e`VO8m+Wojc(A zQ|HYnuKh%A=fU0&?&loN@z1l>Z5q&6E`8k9mVL=$p5Jpym|mMfNzr6-_n2-PS+=dd zZS`!c!+Y;e{P0!X6|X_V>pI~;eGxl42x$4An7jS&)BZ%}14K21ew!y^D&gMkdJK}8 zAA=iWrkY?@dw2yND^G*UeBM7w>UIcaiY*_5&C%LF#q}{jw-@md*tBynFR+ww(8zy^ z*IZ1_b5r(JA(nWk^x3*nCs!<;=kj3866<6Ui{ZYf++yL>d4)Eei7?z$mBPmiLoryT zQ&F8UZtws5!#`Hs8W|ISn=X|)mYqv)_#H11rF1+A27jzdMF_8Uj6mXDN);oyk&eN# zw$9wEdg-qy~V^a-!Jjx%P|U*BnYs6 z?oF}8n=zNRQq>%tIQdv+5iHzaWAi!*BXxh(s@HuPlano2{A2L-_?jhrG<)7{F-QfA!Ldp+@Y zphaJ#b3w?#q+(-f-{|7FM5#HIg0vE;r8~c|6Xh?{p#0k^#MWd1&v05%6{j`4$dZ~n zYsxN%{l;nj#(~UR+?UD>>#PwHO4~ck8rSR@1sw%To;GvyBg>JN8=^Q1LM(zP<~gLg z{BYi`8}1=XM(YaOR!zQxie=J*u{M7wX2@U# zXS_~O8irx6(W>Noy&~rCa^IzNK0`?;ytO}vCm!SlQlhoXOD}AtMfXn{KcXOw-8I`% 
zc3*zySfqgUg;C^o6vKfn?kS=MHJbJiryz-E?}u_szodzOBkE_nnLFx%NND1+{4pYlSq>^^t-e>#84 zx9QR&LgtOl(IDn`5_wLxiuJ=nm?z*Jo1PfN(^F+sS086FP@Wt*GU8)!EZo0C)a8__ zzq2aDNj9z$4Eb*;q6pg~K6iv@f8DBSPBCd4r92Ph%CuxIU#iPSCGQ5Ps)WFE?_snWVZ79jjm88IF$#v zJBV5}@?{vnGG&2axvXBsNKN>J+y^=>|C^Mdn@@cC!}xDQP|7~;dynRnJ8lxIY7k-h zuOenCOw!`uM;$uhZ?)IqshVKo`o{^uboHli;=X%+%yKXz!y(k~Gq+L<( zSVMnQlW*U%?F09dFJrUv;ddj#5|KKgEU0=N*0E`+&C3_}@Qm zJHC21wj>wO)=#G@@_KGlgYvpQUpmOGyP9^HwRzt@z38iW&oj1)dcC+?_*dRz#hWj^ z5sJ}$L1Xwlo(e|S>T#BV71y21krkZ}QRI3(J7?4YGJt!WzR~Q<3ojdfWW;QVn5?i0|dRFlRdF<^v8gEV1t} zJz(a`{`~cXucvwAPQ8bL`ud;C>_WHir!nmd1D8tkV7hW^$Yb76-%H$ql21YA!`UVZ zKO02dPnI}}$q$f=WD^dY?cmjw^a zTCsV{)c%I4T;7qMy+cCIq-eN|JNxpI6 zcTFheh&Tt>WfF}byDS2Z`>7V)pN-0yBC@)SW1rel^+YsygrMI#<9#-S$0n_YVg%0B znFQ&LDM=Fl{6+W2U*)xE6s#ES8(lFfBT@BGv>AiiyZ`;Jg+>^D#llB@&+nJHVB$mZ z2^;!}5r}{)A&IWV5FgZFq^r2$1{s+mgn?YZU_5r`Se6LnTxO1V-Q7{v#hSR6o`Im5R{%Kfsnj9H(m=VC4 zmKPQBPZyc1f`2RAFM$(yrkY|YVD--3azn`=nyXw3O9UN#+S6!Xj{!4y`{RJnpJ;E> zeKhQ#o4gQCP{|C{vQ~g<;{v>anl8KT4pb?2F!v1M=)7bdDXNB88X3pI5fNYo3mYwk z_MZmnnY#A(9=-grBu1IQ%T|b&{`i(cA7c4i*=okh^LD}fMXM~l<03cK9JNFt&fP{< zKKaAFXhxK1B)UEi?LHZHW!qS=o;AZCBNpvEzn!>6U9@u?hZZKA3k~5VFrY4rZ1M|Q zD-$fy`e~RVwGDEn(5nQMsO~%=;**ImEajjKi|4~{7Ihkus@+c|`{stKqhj9OBrSIQ zg2`zr)uE|BzyuYFmqu0F2Tj_4gRRa30k;BQZW@qH7^b5?PnHwO4Jp|-naqL^d-gYZI8n=w z$8yyU0Ande8iP&8SR5miZjn_c=Cp$uX$kJbJryC05m%m*7{~!jB1UGGUNCg2VuNW( zxTjEF{`iyRcs`}@TL)=L5G(dZxI$#())Y8NqKuGLk2brOL<2Q>WnGoj2#MHzH_=n# zEuz#>A(ie$DJF*XPF48X0n;yO_;WJs%n%;`FY~2gVDLzaV5JyFhQ&^!wnKSnx>8HQ zdIXXQx0^cw}bAUB(HPG9y8~h(dh*n-%J9+(p(yz64 z1~O!yMCQ*IvdU$-E4}nV{mXh*ay59=cAMy&*9B}V`?)QkS>qvfw|LidJ_{dgEacP_ zoPXF^@8xpms>uf(KlLnwX1i-_S_m7a|LGjI)23^aar4xjcuL2%_<^8qqX$!UcD=FF z`p@>&a}Iq$uP*^n^$olH)xDnwKws$N?QRT}j>?C3U=1n%#_ihkR9WTQ5Z3nJV9jD>KwZ_)nG{z%D9DnutXia*$$8EA_5s=!fH+c}5 z;B`2Ku;p=CM&6^pTK?cc?t7eR_TJwwzj>Mo#N+pB)2{Bey|<<3JqoMQ!)ltYp>F~{ zU+KM1j!)f911cV*taF`!#@;z@&rhFp%em|}m#v_B?kR8cuAhDng)I~gFF)ULUxHfj zVdwAhEOj~$gVOTXUawQS%}LTWv~-Ry4zD=q?;YOLq&a~N`6Y7NNBM(M4O@DS_r|HK 
zM;Z5N=^NU)aA=d2OY5#-r0)#?r^^oO?zY()yv~D3gJs%nF4tFGJ$}cYifL{07z)5< zY}8oEY$Nb(a9sG=w(haqUfi6&W1Y$Qh~Hgv=53$me8hAbc%E<$EMnmr^zQFCUZc+A zCiJ~Xxp;nBx$3j6>9)IVSU}d_ETRW}Fdu`&Z$a2AAlsvl|M>lWgJxF=1pUrGpsCk? zB{#HL#*+Dce%gPOV;~^Q%GTRV)mgbs@}$U#rkQ z>Io)N3!@G$%$2GpA{mNX3Kp#Si~sbMEq`te2wh}y%9w8YfSiVf*^*u!w{y*wks%SV zWV>V|Z5j?$b*ab8G$onyb*+?R@uCXFnrfu7)TFGQmF)Xcz64Io&=$5QCRMUEO21t$Ba_pnQ_<&R? zlJ2shL^jy`m*R}DmAJqW@>o3JdD{wyCsas(CYi=07zoXTQ>8`TAs)>{U8A6cWm96X{e6Coiye^Jv6Lj@r0LFW^Kg!;&f++LoWqaFLCB0jc@dx?A)^80yDs zV(B5JDp*Jur*r%?ho=;!371)QG*=16k!rsnK8J*cWxXuzpbvxTmnLohtAs#R!3e23 zP1zDF7mPLK=3}VbB6jS2mROsYWUpYW5Q74~Yg+_&IY^OYCgvAyK=Z$v#RXAgi+B3I ziN&tK)J(7^ty-nhDD-G`1#90 z;I}&78XV2EfJD}tmUMuI?~KH-k~0_+nb>qiHxdz4C!SI-K_)b1$8bV1@D3ZB$&pQ>#1QK^Dp*zZ~td(D(o z*`gtVE2zUZ@I|zaP~k;dBRBh=D5lmqR_eH;2~kWzO4Y*YPMd_^t712*hH!`7l44OY zAA8w)&n}T5#{yv%hPu_%s>GCQQ(>l8mO)o}7k*f!pe#!PY5~%ev-QNw!Tw(2N}z&R zMPm}-pnKL87MCPT75QeQplY8O6J6;a^Y-9(h$*}z#mc3XLW16kYN-L+xx$)r-WgoV zXf-hj)-Hug!%2~0qm^)UyzTFvCP4||DjKlL5~e6fBISRve;SdU!z3%z zz&oZ7gGWfVa=j28K2;BlAXY{17LFh%OG#uVDT8W434r!p7&H~AN>;5&`*|C=O$d2F zAXp*HTOn@SWB8otG;VWLjS3fdJ8J@IMb`W6^6;PcEVfk=4!M*7^8wbp1wD;JKn3KP zmep}~9_~qoWA1<9ZHGg=fuGEVtVd%V*1yxe zhMpdH@)P#=Iity$9WKCU+e-C9w%d_&oQ^5zwd5mi=ab>KZe-^bU@Q-Gn$W&(_tf{i z1Hw1##!TyM>00_6P`gAVF}5BIR>gUD{&5BNg{g5pLe({H%*EMx!#w8%$?ZJKyXiUY zTme4pRM(>BK&*9vxXCEkNrN z_4b-?(eYy^!q)SV02dxG(AEPHKJmh1(=slL9W+tna_T(q`WUBo2&@Jw=gV!M?jd98 ze+JPqWPSkU`Mv*zbk{%BGU`1(>gzu}v~}n{AJ;Cve`CybiTY5dz|(EtA#@tb*~IK? 
zn(4~bHja4CL?-yNMEi)hN}n~8w*5g)wdFOk@74JVT*J>{)pMQM;^4Qrj-lO~5Q5os zd4z^3=g_%Z7X#dg@t9@gB?`HQl)YY^@zMYhM;Q?Rfy{p3^BUjLyfZ{}p0uK{Av>lmM8l2$25JD+$o}PAm0e z`3-rRnx=nEP6tS(|B?MaN^JUnHpAOi{MSI_qBKmOuVYpd2b6%>xZk?`Pf?XZudtNH zKjX|uvt5rsGpSIAd|kAZ4TG8r#X?%Usf@l*_q5qY^n@8u$Ahc>bSGh*tdbgl zA>dFt7P^8P>>42-+-l2S-h6%{rqX_ac#%<>ebLIbBqqs8`rWCmFni@$++AI6@+s0m66qOMc6;Q*ghB3F}#DH6hD#1q++5~Y%U+|v1zUtz##cwVrPoY|Uw zSx`TW#G>0e1eRa<@9diev!tbrYSLRIFA)x$(SeJ6vO?}&q|}l`Ki@**k`}`xw#_%g z3(J%dv_MmN3NY$8DzrQmn@uF9cGX*1>YC^cK1oO2o|Jop$8E2u<_YeaTKIUKPYh|2C57M$--z%QI{CN;RIu3h@Cv}inLTou?^(1N~38Q zse^(QXk~@fu*0Pwv6f&&*{4|hJRw4YjfSS0Vk+&@U5I0_4sB*=I0eDk;}d3MC*TKA z+t4r8((NI5?matiq|QgF-@;Y#ap&vXv0^sT2bf+}1M?`{#a)E#>QAkCi+X7b8;U zXP|O|V|Z%?c37qRD?^(6?rS|Zus~En>)wD;ttEK{?eQ<C=R~<+~?$LwhSd17&XFfu!ZV?zj4Qrj2%}>C~5{GO^&0TNf`8-Xsw2VWBAO&27&1+LA z`Y}BrB&lrJq+Q6qVT^3*Bcc`7{CB9d27#d1NuAP*f2UyM?i7C`;e`wMq9~?Z1wzjL z!p6NBZcLEEM&j|5a!9a>!*6L#5h*9cg1hiDYNwDXwRmWlV|6lF$kU*0RM){Vs-JP? zYx{4&MTg^|7?x1&9Hx_;7?O*_j=)>q3FwR2w5_qzRxA&K2T7&B+rOZiznX>GoBb~U zXTG%AulCuQlP@Q;J^+Sv>}#&5)=0n^%MUNJVYQm@W2Si?FcX6X3I=6Arrg5`3H%BW zAd8-ZY=r9MYrGcsu3s8ZTo*C)XW2Bt0JQTPfSPhudX0tG-+2gs0st zA2BUg9xERWxmL%q;A>Hg$ay<2XvTaW)5bS5Z90&4+E3k@VY<(S&$n+Mf4TfFq~o@& zs+!~yQW-vNfSrV!udA_lO!ik%MPldMq%V_3Y~9l3QY5LuTm&X=vqQ!T4)Fo#ojON5yB80_H*Byr<%`4VaBb*+@a9gf?5%UQ=SV z7cc{!W%#e!_)`X++>kY(osAja7NN2nz-a`xPRD&%9|Zn(_Zvc5r<&i}+4aw&G-S@& z`<3T2U8klnH~w4Ak3!1jn`f_-tvKzA5Z&E1em%h~w;c^TuP6)T&#_cH6w$uIIOdmMnYE~_x znp}17XUzY)&cT@@W)jl9kU0(jI)*mR-T0jM@5FW5MNSempWk}cggf7`@fpr0MmvHu z-ROAZEOcL=Q{y<6fd}o!>@)gx(`JO<3HUt4-`WN*(Wf_TPUghyZL_kG2p`bB=cW=s zu0Rkk5Cl5P1GRk>#~r@$&qjm%$PfIae2buvEJHy}oQg!^Z;*7}!(j`&$M_kasaJ=O z*31kW-=}G5_+(!Z8IHWOZ^!cX`0pO!|Irkg%tFDOBp*Nxv5-uvdm;dlK1O;>h4?nI zG}x$QM#lEV)k|n4TMEIl2W6QF0~7)zpK)~&J`hZXZa3K}F)1<*cR-9YWV+J=oYF$| zvyay4riu4~`jEwmybMTtH5pZJPnD))cy`Xrtkgb(9CS&kBBW^{K%n$dveLr1!+>)^ zDGxwUR0QPfja+t$I>K5y6A&b$AL!soJr&20bWk79tu-q>JWC^|n*}Vi+@~D}J#kWD zD22$|h?xTqf<{!F`aosX^E>>(n{Xd%SVP8FblO$g7ATR|kf(4^5Ocev2qmTzE{^=JF&r! 
zBte@-kfEcHmsK;(5iC!H8ZL4o5-5Qq4 z8!0_T5{}0s+Z!TRmn%`88Ofq1yz~wZIiw(qaSA=(z-5pw3I3+DTQ=XEhV$JEhfc|r zOL9WeCiyH5fiIW3m$!*Lz-e)?(IoT-x89|Il8I_&u)(apa!hd6Ckr=D{re+_$d%l%bQ>KrqI(goG(i3x5g7O-VyN9DP@F7CzXrLi#7w*su+oY8Z9gE|BMMQlnD$l!z zlfC_jIrskd?c!HT1Lk6cN1q9m2)w6vG(q|g~gr&eNKMzsEmau|msiu6H(49!&opJY^nV+n?agBC)r zznVr)tOZx%*MpRhiwkhV=nAx-K8rO_>g6Dbk~J@OGo%=!m2A1F+`3q`>0|K74v~Fk zZ7W;(Dq6&ZCyKlwhoX+Yg%(c|r0w_qEz82{MagJawo4G!H?qk-F0~g+U{w4Vpj*8m zv<6}5iT@_`UcR#etvq8*L`V9S0)Fj`b`6E-TJbgKxf}NXU1Cxi%U6l>bU}dqYEWrP zms+1J!r6wBlxyMYRuCd-lx;zCB!%GEC0UhmI+4=-ZLOF$5Ur#c(ooYst8qZC z5b}IWggLt1BXJStz!x5Y0^r&_GZYxdnj^tj@eF!T9v$#kQqc9459;dm?qY(_?#M|sG0;3<5De2NN=t%`AW@- zhwnP**KL+8nTs;gQ6m^vp+$QBgP1*=aK@TvxH_p*1%f$WRMRiH!Nk=O%Kc!d>~P7~ zWO22ufNK}j)GEys0f-nXww3gij3wH=+4>9Vk60Y+_hSRk9u_wmi9^pi_bmL|i;{%zw|)DZsN& zD!ayl?K7A$iE!#pvZnafLn-5W>eSIitr%Ip$7qXh}Jh)O~h*K^8ORxx!gdv%3(!&{>L$t*f zCR?*_9Sc(|TBqMG=SSY4=L7)G-YVTp*!REQrf6+@IZS7!npBEx>U z@H>@Y?}*r-NYE5*ZB3~A)R~QM4joa8T|l!!1ao>mVK{%27=G-p22DH*1*@^p{{cvS zByj7&-Uxuq)Bt)(iI!gm=`_9p`GM;fexp4*q*RfHhaeqLkPt`-Bh{fr{F!0^kqH3@1Qo#=6yVlg7))jYkQiKq3hT_1=-wrM6Yd;{e+*8w{)Ou#aBne zvnqvwGiu$ZX~pa(pv?OH%I$gQZgOov)=M?C%PQ-@)zjkS4Y||(No{0X$BME2Yz-Ts zMep|WT^k$pxLMN|G0M*0BTV1fJ}1Sf}0fp#QR9g z?426|;HpMKq> ztCvX9`lfXQv{s@Yw{g;!4eQi>seANgxn8M$#E%1OYgf@8Zu-u>?Jb4)1kFSB$a-zl z^7Fd8=lbHvx(>T`=KHrP_$31GK({ziwYBF-gq3u!YqztPn#s<00HDUF%V}ya3)^o~ z%Q??2&ZFmLg2T6=|I*Fx_B=rSGH%jrMzg>Dq2|Vqs@t=7I4T!3fjwPG=Xz#HN$8o^ zG7vgZQ`8%xI?XlS=1tJ3=`+L4x9Udvv^Ll&t;h2c3V8P3l-PVfuCKLy25LW|G0x}# zkLFF9Qnoq08b9OQ+|8yfQ#7q@{EAv9jn_%Udw_axPr}o!M-|fSzNa-Ysc!w8;=E41 zwduCU^w0flQG`?M)9#qt2kj7k_45%u+1|&WAS$5W6kz98{@IVz?A)(A@lN#I@135E z-sj`o&s}VA!u8t`?oUAW6F*b0kJVQbmp(u~J6ncuoOSFd|LmbI{)ykw$?)9oUQGIa zcJ^?Xx0@ao5*$YlxgO?f-5vI6E@A3;!I4}Q10X^lk7~I{UT>%>cmZ%_tDoHihlyf- zQW<5J2_8;Rfr(cpBY2nE>NRP~O3RE7K@wmQ87?u(cqFQw$3cd%`fiUvT`y`T{ewJ} zrBpaSROxF|q>DelpKe8iNoUEI5)t@g6pt>$S8Vl2mT`Y?kW%oZ#g#&6QU%qF83~O> 
zBUN8Cj#p&j1*u?5y_7uYhSZkN%B)y#N+~<>BWZ_&}@ppT%Eu?w$MLX8Gn16**;$&wi|CF4g{T?ybg(KC&|7V}k&RZ?&@WW~`YlSmT#nW|HmjcN?t%91Fs z)fL*6s|AZ}X!C4Wd6AEmOX{Eu5VOQHO$BM%a_U65LS#tQNwXOjK=eICgK|L5LD!-C z;$OxBJIC*NA)0nTLji;ZP)t>3Mz~u#F)5gbTlN^Gd&fpTjS8)>AbJPO?E};tlp-6F zSH9*27Nr>_hu{KaZrWZZbqAmF&!_i_@~on7rHHBsxhHFH-*)WpY*j8=wf>sZK!jc+ zr}X_Y`-i1RNW-M}Rbbr$!zH6*OD0||qy5bpzV~EzmJA%G@CeUvKS8VSjfnz#5>XSE zRuo(|wL11PT(@&wY~N7}K3pY|_83zsuE9wiQi_VtWy!TCp*-9`@F#rXy40Bhe>@o( zLA|d91^EnRXKSQ_6C!#_XM*+Env=PLElQmNl$d)U=75M20XAgZ}U9d#+<3O<-{Jh}mRr%#O+ODbhqxpiB z#!-lLp$vW6|4e0pSrjz`3UkT|YAW?JJKn*85jjGPorT71303_hpq_2v#uhrv%)#Qn z08~fD5Z|*e22Eaqe8>-yfX+8~uVXu4pgzgWKsfk-FCn0JM+8Jn9GI_&5!jOt%I^7i zRwryG9mihLckh``KO5R3p{`85J{d|~}8*WgqejMeR_}PAO ze)~Xc-?`11WnX`EzshBJn{&C(QM|*Witd-^^RjyR=_cQ^S0+!trFYy+@5W8j^8T~} zx=oi=>%2^DS>f9Y?Z|UKPNeL1?g6|TCkpE}ETh%xGQCi4)TXw2^kCb$yT`8Xd=>(* zZSy+!B=oOuxe1DucE@P#KUG*1JqmiW{U9Ib``AwR$HlU2fjQVM8w%VL+{^eJ!)4VP zYZv9>>_hAx&P#5~xees-$VUrGB600T7k?A=-?!8bzN|s&M(JMszrR?T)QJP=Ng9o;9%dk3!ybkcx z;|L~fMk}Tx&3uM zeb)kN?E+O-_;`Kx80EY@W`unK&okRIsAVWfCdmz-X%z^m*oyrg`+>{R~QI^#ZQ_B7=EAGIiuLeL|~xZ7kZs3 zd-k*TLjb@qj4W)b&M{5PG5iI213Ulpz43!@PqzGHH+(u*U9DIO@Mj1};yF{&kPa^- z-cUx$YN*mmLEojQT{-*|!Tp|8O%*%QX?PeJK@lY1(-1#`2WuS-*7>X0q8tg@5ktnM zQe65-h;~6l6s9y2R`!r3{OUU`;=*GfG@Gnbk>zrd1x8FP?_YEo2-vAe_Sxa&O=c@T zxaIZ5@}I*!fPnMAPhTW zuLu4$WR6J&-BR^mJw-h4T~Q;^|cNr=6tSw@V za@fFi$AWoQ%jnleH7o)$RKCpM-q( zPra!sQ4`XCCS{X^Du1PK%Rl1~3=RnkkM||7f0v_@y#Vx**qTYNq7;A<&~w z;~|Wv&fQItb_O0Q?9-TKh$1B9qX~It<5S+Yxqw-3i{G&ER4xIC%J$dKpX7cnIKn zf|D4@^;F48G+LLL6zeF_HWNRrg;kGe!Zq2(^L4FUJ56fRR@#cqNnDdInle4z|PfA3A$y9Uvx1Z@Sj1Ery2wEgf1n{8Zt5-{P>>pW;PiOOXm~qk333>tsTpZk^F&B)6z!01p*eve{#~I&{pfzh7!!yY zq)J65PVe>MPm(S8;8H%t&GUk~!t2#a9yl8@X4b1w(t_3TDr`+#)@``n@#Z?CQ$wP& zOT#rsCzxIq7vy^TmP9ByN@#zaXlyy2eo=B6x9LfExa1ANtHq`s-9d6(TtZHfShz(m z{*#)SSrA@Up&Wp`nGlE;-}9%WPR!PDQo0`G4IsJ?qs8pKxekSB75xqdV)uhvM^5P-$LL6%zq}GFOq&Z~T zRv#$0ETCExfb9|nL#3x!iBdYh~rQhgsN%vSON&k@x9X^+F4*2SDX`listRGVA#O)#s`1r_%MgLeXH7vuL;<7UNQ;w_An_&1}rrCis$ 
z(HT@VC{iMhamQ3i&7*GC%*O0dm_-AtLLEj9tMh&`%J6iIC6*8u1_h5TbaYD-HeU8w zMY7QZtNa*Zi{L$t!z_{Zw6ZV)BJD>UVrf?r1@^(iPepd!(78}W$%E!%>GfIadcJFP zfK>H0iNQRfg_$p65vS#k$;&e)6w)F+FCmj(p(}K3MQXMcN5_ewDnzY`6G_w(HY8Xn z)a*YLPCIybQ&9!;mPwoK)TMY4s9@p?7l`^?e-34-F(aCee@l8_RX~@nP9@BOyvT!qXJH z?x$lVlCInQ95zEY8n@5KAlH^Bx!2h%oaqleYTo|ih{eb4lW`}%X?3OT0-6l9LV z$k5RzxsvO9KJTY(cH6t$bfWXi^W40n%jtyeQtMc;r>*ok3MocBM4C_QPnmu#e%JFd z+zH)=#!FDYmi+KbjT4T;eINeLFTG1RP&#j@J-wJ8tKZ|{xpsB^wGzLNJE;GHyOSBD z$!+T~@p|<9Z_GXFn-;yUndB(dE94}wEg~5vuQk6 z7{yV8*c|=r>eea7Z(oIZ($VkhS42(_nl8J@Upg^>FtZWK`+So$&QvwyrX95X9RBJy zf3$o<2w2PPz^-Xe_e1o(#l6Gcs6~Iaj=6S^6P540XZ6eE0UiU+ zlHB5@g8Im3cb2!T?xUMC=S*D~@^sDe4)k8%p0XNiJk8gNc2J%bW}K6U^gmb} z9-X~n27n_>>AEp4NmfZeP^&H zx|~M1g1Q(spEi4P{L4A))jx>xJ9hlr~?{hx&9Os#}6S*D-0EiUiHv)X%1nihSfLhS?hy22Mn3sGlUi{3?l~OY+ zgi{(>j}jSg_<<*H^0xyIgbWF+45&@=W-^mkpLv$PcAsUMaw!d>|A?`0$3g}ap>FYu zEjLIBVJsU=WFyehmlc_Jjs*1X_6#|G+0t#~Rn%k#BqS-Kq|hv#l_$6Jz!o8@*Ln=Dg)cH zcGUH@Fi z0av@ZDxEVpOQE|6%RF+4V1g(~&UcnNm4adZ`(7n<28J4gGG}PgXq_^?IgDgMJe3&| zRbfo?VXqBZMvUa}nSzh`<#%OekyvRHb=ni!rn7&F5-ruELL}OB!m`mqhEjyLkfUU1 z@q}&5D-U^}vvnB(vKtk#2Wrp;wGxuNe{|Sxuj8)~6nfMev{Fdet6wXqA{J!-vHh#` ztf@_987qeMH!0v4qmgPef^&#~_ZFTsulHnBscXF=s)=7}15a{&;>lY21P@T@44RA}2$2vxRMDeA|_xk!XgOf6|uEZq0x$Cn!~zA?ubx3NgC z5Qv?}UhS8O80*MZA3e)(QNTOFr>I<%X=9an=_-w}|$+0|y|0kuYQM4i_ zMXwoM3dNRF@NI@5TS>j)fV0?7peK{O%HlI{NXtHsU0b5Z3aI5K7+jKcWl-1 zmIiutKH#UANIQk373GVsoI{ebq_G;6fV)V!E1dqL;UW-v)w^0l_iFq_FNURb`Km?(J| z(HX3C%z`iFPc>B1h`&E(d*O#r7sDMK;i7{|&!taB-X@ZXFre{xLm-76l zY%>a5^^$3lwUCp+1w&`*Z^JR9jb>v^x|pv-&2OkR@Z0?9{$ITHi*NyY44M}ihhoHp zp@`^mQFjc*@2^g=f=U=oe_VBH z8w_O0A8L4_jq}xU$Bah7_cv}lqjT;afFZ3me&nr&!lsZ^_AlF=6FU+tPL7QN5Fb-e zSKT0!_0kX{sZBdi-IXp8bB=+Sk*v6AG>1qJbHQ@(I2&onx{MOVqRim$!B-HS*mw<+Ye3t2`&fvIeTT1p966|QjhzK`T# zxlg7f)DDfL^md+&S*6sCsWs*5MPkT20**)u+&@B*chzbHR>ugYy{HpV4H%f2 zKS+gu{)8EvLena+c-d@*7D!~5Tx5%$?5 z+e!6Z8M1av$+G51$9ce1+Q-Ipt-Vip>lW(B3~FwhQw63y%u3`7r}@iATDSGho-^fA 
zuGZI#t=GG=vs|{oN^UnuRGhK0s?>rb9@n)_Xf{jB*k)vni=B3~M#nW=`AVFIFXZ3cQOC9NTu3qy+ zO4?2Lb(dRpkDAM(YOOhk*6G++PFbPX&Fii_Wlqx$mvmPHh`R$buJfa2Pg0!6L`vMn8A^v{N)U4dET%JG2Zqt8`+$j;88$d(b%>9Gt(jeX%X|} z`Zw?G_DQ|EGP~`b6vm#$-dBU4A9O&d&~~H`n%IT`sk|Sk`pMYet~+~exqnPC>URN? zvS`dVZ)Xvz=p2|cN$o$6v>#X*KDTnjfik}>-yUJaKMkuf?{~Qg;d?qR#G`6E68vV5 zy!bc$`l_!U*lDjzY8__Hylj8;hY5u|M3mSIaRAb{{w$sWp*4(3O6)e4caG$(^}X`` zjH0jXyjFVl!MlL8_PRPGjMjcSA@?xP{K;Z;9}u3%`2@-mGCT|2z<<;HnC5&r?y%0) z{pf!J#eIT)e#jp;0Ct!gUi`XKUg3eH$05ErfZc1*APb224ZUV=5VRAp3A)caJ9&*0 z1Koa7@+UO1lf6BQ7@e&94Yu78^649RS4cc-z;r|z(@DFCbcfD&%4y{eM~P++8lSw*Y=Sv- z-*q5Pml-bQsC>EP`7Ij0988s3&s$Wx*ak*Y;hV}~;<65-)TeNB9BkDq;91bmKGaz5 zj>sm1v5e7>!kkCkZ#3BQiKbUwgjv0EF4!b;;NY>C0;2+f^WnjjprK-AR#r|k^rWO7 zhF*qN3~d%loEfNy(rQ+Tj#vW!7n3STvdp_V)v>Wu|H9Lf2>-;gHB_nD1dn<#fL3XY zZjdb;HuNf*-$YB&_4Jov!nHAL-g!UI)EcplKVoM1I1>~2pxll1v!AgO5rnfy9WAP5 z%hsetldtH}u45^xbm^H{EAgtdBqaE~Xn2*&5TAQt+Y!#@>jZz0vV-d8H@I}l=Ap7U8nxQAYWP9cq zK(-KK7AtZ5L_}#=ImilemG`gkZr9vz@RbPb(!f7`lW~SbWrdBxKyv?6jw0~=yI|07 zh8NkO{Cl1RqYHF59n1tot)jC`7_5s}eDemn6nx_?!|`#*aAAqmXs~vH1516WQYp@p zgCI-jsKNQw{cu<4I4yR$$I_)l`$p?Z={v}omiAGX!Q?xmP>xww9w-M6i{D+%yAlc` zCsuMwlu&33Uuk6+{E~H!&pS$V(&ZsD(}8dHJkpdF@7VU`JlTalCLC^iS4DU=wMY5ARMrrE@-Dx+x5>nrksMYVE7$(XE zVoO4GbS$Q$;3V{o+6+Zc8Y7eB*}KX{LY8CyI4xQ(ri6z4KNT3{wq&q|@c44B@|Aeg z5G#mBm=m*H{c+A@-zA0xHsLo08f=Rfguv`V2Twm?p0gAc=fN2HncdF&=JJukznVW=G~c3o3sbKZ8gL++Jgfk(U;=k zZ5A;aQ4?}Xzujh-Rn&@Tv~a#I`gs~H0}6rmDe?gE2g^I@kD1A!$2{P}jITqlAA4|C zmajvgqPhQ%^mDGHXw$%Nh;mhOxGcYj4ZQy-)rm-wClqHWMInuz4SrwDv!d?Ca2u~~ z4^GM+pC$Pfap&26hHh3hyJAY`Dvm=O>07i#5D_a24W+j0_?wX3dQC`4-3vGBf=0D< zeL?$Mt-FUmN7SQ0rB`A|j8~WIrnwIX-dRaIR$BUCJoSJ%%+PPB z85PG_)?y@q0ogUji27LBVb_k#eKR$B(+;6ps^-YdDN$Ub%t~kY^9G&Ym$Z^~y9u81 zDDw(sF|g47>yXZSC12Xqlzi1!fP$eR13l)4mPGWQFNXEqU~v&YG|A{7 zo%sxB{}&XIPx^>v`DV65fUbWvJX@4#g9hvW!lR!m5l)~lBY={{3;1F?XbuRA*j@v9 z?ebH>P4Q%D;C-NdIXu7e8O0ZVb3Tyyse(AYJ^(ZuyfvN96s|M(S(|MaS|hd}3rpe1 z0b|@!%ADTY2~OSKyLOjF2%ma>&%Hr<8}<#=C%QP?cSteaKTBKIPjqaB@0V?lJ6#rs 
zE~&B0XL#K%b3Z^&`-+FGYtHv;^tYW|SIhxh1EV_rg%Chc{1|`?} zbwJ#Zyj>Gu3_sO(^NRoTaH_}WIMwK^yT_)bjC&^%n`allwyUcvY;&5T;$&XWml8eC`;ZRm+vSEdcgK_#-%h}j{g%(0>;&&F zLDLQ$}Kk-Rhv^2MW=-WoPT z1XA0tdX4)LTKp8$0b)^ZpspLuM7PY$^R)ye@Yw@rkmvn~G>b|TDN03U^R&OBLWlhj zk?@ppor`Bw3@Nr4I{b&fYZ>GaCclwUoh>+pKdQjP1JHugP5j@2f+c978js}94Z2K{ ze$I!W#o49?7cBh3vlXC05S>XPZ!b~js!2t+QYtf|q*zduCRfa)jv=olUtF(2PBr6e z3Xa`pVvtNCSVpg24K=gED#;;EqC$_{X0;r~(EPeGCS09Jb`tJwrRp3yx9`MRlcNg9 zn2i~@Hxn8%Z%7@LMLR+vBC-{T; zT*MoLc$R6oRM2y%D^zofz)Gb!&g-cvyQi?nVF^)1&Xe#O$%KXZQ>|&%5WuT6 zNAj)Iq23Z$#+Q}^?ECTdq%?!U_n(WUaR^rW&7`(HjnnPp{*+{=UGbcVJy9fID8z?H z@Y34IgkeU4i~9;wTUL{uz`xm%BU!lf)O0L}JZPsM5NRl|IKN`vQ9|400x+qqT zSbz?d7D_B}P5Y8nSoJnKCiya4;F)Vmd6c8QlV(C4RSx7VY^8r-CdjwT)u}`S*OC^@ zxNv8mxCT}_OLc$3scl+YLd6oC@b(^Xnq@Ng(cz|v%rhkQNmxS7uG|p<{oZ>5K&eKe z$^1JAAm7jgUQaHBvl%lKS_Nl}x*$;H>3vcdSKcv&(HhCXYV9dNfQ`a42#Xt$^qz!8 znYKg=9djxTr~9l}9QHQhg_%O{9fg+Kx(TP&npVK!KqHJm#Cj&RUBMH@PIJj2Z2oh!w`m)akP!{$5@qco; zD?rH_@Su5MQjYI4aHb5f>kqPleeswk{j-X(X}7Q3rAw~LDZ9w>S~Dc=I*OGhgvy466qYK>mCbYG{)lY({u?#g z3|u<&D^k)wX-e@bSl3;LbzxNyex2lZ4}XvFJ#1rPdsi_XN2=mz&~>9!!p=1NlmCk> zQH?&;W?kvr7*n=ah?4)&GI!MAA6!GmXmyin@c;&OO}dJ5I`W3*%FEAAZDYk@Xrcn* zISgJr%(H8q4-d3%t6)PImC92Mdrwuu=JXVrI#p*v^R4K&(f;bhiI(Urn zN_oR8&s~u^J6yy$(*($ym4ki@3pna*0kN%SxQa`n>p5?ZqmLus+BNpGHEzL%NtOwo z|H6YlT3&XYA0dDeVk#HpgMX(9!d1c627bMLAtjB;5{V7>rC*Vs34uvKf>-3gLYzo% z=AL)j_ZiHOF6UXVw6uD8{f$sZimnZ0#-!Vx;PAG_-n0%W5_?V?AZKcNu^Ee&3M%$(XN-wvw zXDA@d?sXkkI=2;+TGkCm2UrxH`FW@JK}q(pZe{)V%C`MpcOyrQz@&Tajekww{&g95 zuxTXQjrg06PnO@c=S|r;S@(A6Vo?i^_bJwiD`SswN0ObbJht@>Py6-BVFZF5kOL6n z(Mpc(S(FOtbM{*99H}7|g;yw=e4j``E4O5ow zW^$jh_NL?hdOsBOZ}9t_#stOE$Mg5y?A$SK{Ole%``G$8Iatv(UEw$uoAKWB3 zY)E#b;F#;xQIa*mS-Hu4nF`4=4k<}akr;V4Ih(WO^6)mPNmq#BMzdU zuqH}ggCv^D#Oi8Zz>|SiZNmLd!I#P?wSc;Kt}gCKBJ8esh3eF?`7dfKc|0|qnuX$n zw_m*r&ji9j6zwalTVZR5rBCHQAg!SY_Sm{ATG+Jaj5j=+;z zarDEv!>swHw^2D>uVn5}%OC2kVn|s0xMaODb1mi=jtyPe2o>|1 z<}AOrnaxQMwc42(4R6UR7F46kI9#F}2RAD^x5NqMl2oMzgG`guKr~O`Z&^$CEK7ga zvPm(C5MkvmJ6@a$6Zx3-W*@B!y^ZR%W6Hzk> 
znclv9cGslls>#1QBs-#r<@4a>_sMLSA`@u3W@s2NHpo9QJe6lnaH=hSO;!FqaYQy1 zbPM_S zhRu?zOlt+`XIZAud z;9<4;uia#f0UeJ`?I=4Re!S5bLD<~i!=^_&Rij>`0%Fenn0weI__*NT@_rSC6lV-L zNAdq->YU#ykGrqmOikvb$xU`mO~%Q#ZQHhO+qP}nO}6V~<2>EhSI;l|`~&B@-k-hp zTCc@jC>rfimCF%nLV_TI@sVdf9}WCYjGI zp|Mbxz`E%eNN8!T`6~`0g6QQpcAjeNu4f89MR3V(kr?;4&RQlp!eIg=;eCqjScND# z`bk(}wW-*{Yq7?;fXshL8WKdzB#E_WO#pr(PdMwn*<= z`a9AuYBtX+Qdr4?Eu=((&YTaT*5j~>IGpFN?v0n7i+-I?$Ke@&2kVjbo;sVZ`+Bb# zSckisrS_sm(g*+Mt5Xf}p?*CV#8_@;*VQ(rw{Dl=?n7>}imTc_mR_|24~Uz_e4qK3 zb*kHvgNjaP=j2?7HRulMNVE3%3%&jc zobd)6?@~{D%(Oq=%zNMOlW)IVs~0e@boyK+^eeDLZMv{%_*m^x#4BubYHL~k7-u42 za~sg9whwd#;rM9S%}LxLxls4wOjOq$r`dRRo>t5ix6nKHwQ*i_^>y*Rq)*_lpQ5P& zKqfL-BHOPKR@LgagHqHJ@6W%YHLrkE?NFw7Ra+hQbwa>3y(h2Qst*rL%{`oloU9se z_d#H~O;+o}$hcq12J7185Z>!y))uzmm!Lh9X(#=Vm~{|9K<@n`DR%M2z$?OIx^r)+ z;gx**@rFr8n>_o(paYEB+V;agr6%7*W~0vG!Qv_NQ&MpJisJ<9T&H1PDdYp#k0mQT1h}Z9r3>l-zxp)ZM{)p+(Rx%-EQtbSkdu(en7#SKX4})ee!@rhPzF?3?Bk;fbAmP z?_&W>oLZhocr6ZtNg`LN8V)gwdE}i>LFXWX7m&w45JJ}1lPdi6q~5&$k@W1d4Zo@b ziF)Isd_0o-Bu06=fnGXa002=CpYayp@11-?+V;rCYYaQh~!p? zqbh^hMfMBo7L568&7=@gGB!?|@+0zSsxTYjY87gxL%bWO`45Q5X*qT)@`pKhmu@E3L6h;|>Yz^_C z7AAwD#GCtPLQ)evek{cTocyG$zd|?yv1AEzgX)>?Y(X7ILI7_a>55vrYH(k8Mw}%V z$vbbgWc)W|#zM&=0~}xOvD}h3}sSNkc9sgoYJU-p%Ov1l>iWx?8 z^w6b}QLw!57>x27ha>2crAeJU7rqA2HV=)hVN!SET!BgOnE8BV|3)FzY7v8^I5~y- zj9VDYWzpeuJDkyyEcgL{9d@VqD{NgFlF}*%EClNk$N|p-c-}OZ+5Ahf-Z_C8Q2w4RgivFsS+LbdroqA$#B&n9k|Kkk%i)Q zDLF3>jpg{gDgso~&)gD%4l&*=m#Z#)wRK$SHF&lZ&m1}Fw z7T9b|xh2-r)u2mB}nXPrS^av6*KmFj)ZxrerN z`KfQr(b2`4JhgVi1-h66x%h|4b!&=n{v4-|=dfFs6jlOb1x2$Ngt95%DWC4NPaDk!;cu03_eP6d3pS21-|t zF5NkEISq1Ba}%m(uhg21NewW#OcM(O{lT9})lUm`n`ItRgGDan#t-tuZhrJwpMLQG!obfO?me5lFNtG?Pr|~lgpcHxv^i!`K9{j6Q zxR4)}GLJVyC1g2{SLi5>Z2WkxPNz}D{uk82>Xs zT7J5sM_;e#^~K9}3rfyI4oQw;OY1l|5Y5wf;CP-$CQL z+q`S@S$oc(@|_$Y^@;NDK73{QpGi#B=j%GPviGeP^V)0VQZ>)#3_0B{-CvRC{fy;! 
zfSb+0cGk_P=Q_yoBShQVy-1-&jz#~eSL)1**N7etSsXHc9(_+v)nj@3HNU>T${B0ql9L z>T$%Fol$*5lCk;GI`l&I_HnWq)&j4Q<1iJoX6qT@x1wZP@A3`cF$Qm-cz2YHCjEY z2$JwQ-{>Q_KGxaE@jeRzR+*h!FEk~zLFEf8oOWF+I{dn|9S0g2+jW2s)0Tyqm>}bbG1& zP8sn0iEJtYN!9bg0O|d|F0~)$AeQt0T2iqZ8A_f4?sC%N=Z6d*6Bekw=zt(k;CoI# z(tiq*m)CM|MZIr1Q#C+!$HPAE&&UgT))E6nae)!`+065*-x7-1J- z%?&-&7EO@`jY}A-_D4-+4SuqPj3iMhO67V_3%6oW^7hVN=q{4r9!C;UvM>c_mcjsG z1luD9L$xl8cY6oWnsA;nMj`qX0#x@cu!I#Y|4dAC5&8zOqZR@CNV!XS3sYA(%{9|u zKS)e0!u}bca>0kG{~Om6owi8n@`ZQT!=a%x>pq2dXY=)Y$sdF%zJOzI&tq=p>JYf>#reX8EOAg zXuf8PYCIuGL%QT&VO&m#@oZKiB$Svgtx+#d__crfIU^(X9DU>z@_wx)Gs0GpLgvx^2Rwry=aM;#tca}wX_KP^ zuE!YL^en$eCc?E?v3j{P6ML45xIr4Bs44=Z0LPfVqrPB4{1+cwu=R?2`c!FutQ5Of#z1fyN6O0 zDOI05Co3{>l1qrwEj!<*-l0N?h=4p0l6hgwRu(&d)e>DkK5&#Ycix=wku8btnx7k8kWUBw8D;Tu2dpUfFG_8&ObTJq zuw=x(_yG0Z_e_|7R5{;0)K?hEPBlFiEsIZUf3_5RDM`jeSq~0;h(cEKmT`2~_$l;A z7n@e_QkI2n+upW)Q~WV!34O@OOrWTss*Km%fTvTr?C^~>wf;w6zzA9{p}yYYRN|TW zg&;yeW4|Acp}GNc2EB2JDBU;$vGy*)A6%K&K3`+hiBQ+B?c6Co^*>^{DOTisZK5dH zH(%@N<@Ob5QVG=3|BNd7Eh9c#$~=|hH$3u{cu-=_u5K=OR;ylfir$!UdL=&^l<|B) zF*@s;u0vvqaQ8*ajc`6y5tSIf6|2D^lUX~FkuJ<_MkG?L5xJ4OTb3vrU-Tu1VJ)+U zFkJj>^I4WzSC%QC0a4Scd9xp><9y$kqtP#9g=*sCQ8q~Nq(0wrGACPX#R}-3fknLa z#@-zZk-W~WU|9N)mTEs@elB>2&*8EGVDDDlxsin^CGEU&X-7D&Is(*7hyts`z5nV( zWJOK}X7@eyhH)0l$C^u`B2}m9cPs(r|Mcz3}%sn;oNtQXoOog;hMu^ zs-lWg2xp227tZavW0FmsTarYzXf(oH#5M5LTx#i;AeR3XfWM?*5UHOo^i9`2f#HAI zpPpmbw#VNrZ#UnNg8OXK17#sTe|`$Q{|99U4(fwOBO*j2j;%QXl;pVF8(g1fT-}dq z)pRL)+h6HiHIBZ)U0mOCt$*6}(^w`c>0fesZ4CN=Wh$M19>!$6$P zQoPm079IP95(0LIs)#Gs{p)_%N$^EuoYOmP?+bg@PPY#;8{mevdsxJgX6vX@5>8gY z=W9iWbzqCT>%P+EP1d^E2u;`fSPd{j`{m?r?V}2cp3|ZwVg|62e;%@m>P(&GafAg~ zduTBwMfW>8EywHNdcgVhjcYz$hR1$3`C}vfBLTv( z+xrHGos&bYs?AeIe@P+JSOrqY+t-u231qjrF-q2XJgWlE>ZldB?WK#*HR0*eNs`o21Z<|{_`@lMXK$D`MCMQp1K+9 z2nL*MTQ@^zAGy24;RHfmKgdU9ShU8W-l9orAmUIfY%a>jv5AFm2o@(mzTPZny1GbIQqtiOiUz?z5R!QO`8kN#(C}$0=3Rx z(4gmgJ|Nx*uA9Sg--t@vh$@ZSq5FM7hi7)6|nL{Qy&Ez@}7&Z;tXbV_G|4HRoUVS@IzlIB%-s37&KEJA_v?~@ofgaE?DOukmN#%NRdb+i6ARX`THlgi1V>m 
z4(ch%qc#lJF$@rcZ&2Rf2cDYiD@^>1&cr_rl8g|4!0v6;7Vs!4hi7flR}&z|{T)CF zL2HUPMJ*aQ$)Z7qhxmal-5c~>XjY&)(|FOkCH&A{AstFQFjnG^R_*e<;9Wb46ytrCox>(y+0OzSz4>krU7myDo?_Y&TW%!)x-v(yTz zLok`UGR3;38RWDyRz>?-={}2vWyw4^9P|osaty5!aqsb(a@x^fH(+yOWPHWt|9(QW zsa6$6RefVDRtVr&w`-5pTShMOH4_&zfUAl|@MB=Ar~dQB6QP_USr3KBvV*f^ zoxGD~qC2VE9?V(>bIR~;UnpyV6ol-1&*cjCAdAZ@H}- z_{}}pRF6SqGVgfNNb{G82p~N^M=QH5&uzvP=H+dbn%V}G){yYWT{znK-E@2FU z$AhE$UMLq&X1$}d4@(e=vYpUrt~dJRe$WUsybBzjQ{7?Nvujh{&xpg~yI*AZPGX*b zn}s<7mXHqXoFC;7zw(q=*q`wIY>|AGj2t5nHVbBr)-lzgm18R#LaahV1Wzf`tz-08 zKQt^hIN$1bJ<0I`9@ShR-JuN@ zOi0#IN^8g@ukJKKoK34_!CS-feVz7C!p*8!9Nn9up!y*fK-#id{3P+=qY`ipudwec_{bAuHzu^EN@gK_R2 zMcmzQ6z7c4KiHBItu($}U@qTOflbtP%e{ot#^D_O%J6<^<+5}kk|RaxL?yISPwpRj zOPP^ymcI{U291?OW9rc|Dw=I`iT(!hXR;|b=`R;j%1}o6@^a#H2?cDZn!;=p>Vz&J zRL=d9&AOQ_p&o+q=TB9eB5SKz2zN-fHHIkMCU!LT!Na9G2p7*cZ*`So=%uA$(_f&TYDR9 zfGT6tpb)F*wTn%+n5~_>bM=>kPse-lewpSDuWcw9jnC|Lh$mlgoes~rrDV<9NtKoj ztLzHt?nm|eW7C?L%P**L#pDX7Lx}mp%N-{UUg_p1t4S1qb}jvBoS27*Uh}a|BwFYF zc4B({i%RWXFLHez(QJg#y;sW4Y1uVfgQ$39Y47lr#KA6L=N!7?fVy;Cs2{S@Nx5rN zVfCVUb9ss;sB${58Lp`6UgNl%a(S>=p{f5^Q~4Xc>AJ$2f4*Ee-FBPmqVhacWpU`; z{a%)m<#pO6W7$6b^DBm>g9U%vAj)yP}8xKpI&x^ zzw!JKb?k?<1*}F=^W1LemIG1FE*@HRz3ffBWjpm-b!2^v&aiI1Jv(?iPD-C=dmZZc z;B`K4AyQ|(H2}6-j{Qf5f{2y7!+4&OF{Ldsy(ZQYqLN>i=z82vj(|8Jz!DnJeNBt2 zZW7*~msBVYxWY#xy4H+$TP@oRgY4~_P}j6Y%84p*g7Fq<&qt0_8@#3$%9;1iP$5jY z89}FUQ!X)l zY;8WHb{)!HeOB3i<$lf^G1G8gaVOA$|NQ=COh12h5TEe#$(l~t-pN`=0z5`Ce+8e7 zZFJa=;Z{I^Tab$<2lVNp>944Whwze5oII;*J14#H5x`@7j}cn2@v zH&$PyN>&gMw(EQlnPA-;u2}qBDP)MglkhoNA|Kf%##H4~A$8cQV;Or$!$s7>oXTnyASjY~7HujULR~y7Ei9hJNiL9@ zp%H5_ColvOn#C8Vb*~kAE}9KC(P>xCq7acs**7Vtf(7U|y)a*aRADETMPd5pv7pRF z@r>eq<0v|c9D~or9ug_p_O+P;WYU=`I9F8AE#?WB2gLiOs7n!2hbVNg)<5)TXV2Wy zG2#e+m@GmABZ#LE&H@;IL|0__@%PKORred2U+AfCEnk)vP?k~l`ohAnaQLPFxg(=I zyXTvP`ur5R#84|TA31-YG zaSDoi#*LMB(17>+orUIG3)(~nL|hKH<5#>T_rI-B^q?=e8vugI67B_tB^yjJd6IcS z`Hxaj*4W>g7MSUs$0E$U&lY`Yn7N@Q3P`qcq^ll4S<4 
z;NWM^cpZJc&f8Xt3zmJSzLT=0IC7aPuX#c$7p2=a3$VezapwraXr+|;h!TDLW&ow3fU1TD@sSx87d)CEkB%hrGco0 zk$$^vyf}3ml$*p2wda#JB4avDBm|?Vn8zcQECA8I5`7iKLgAjGK|4uOrBF;6W}o6%BK#L3ySj5b>wj3838o(JPeHd4(%s|7507y z@XyHkd_EsUJbsM51z3$KVE_tTw&2XOatC>~X{W=*)C^B!D3!gIgCni8pg-n@)R>q5|RyRE-0B35R* zRJ$3*j4m^oWlrA1&lhZOhv#G&W4FH`HdE~EzZ?|JWmj{UkVtJFvZhrVuu(IFmc(|vCh zx9PL*MtGfPDTkBY(TA%V;IS^$77_h&zAmG4KZ~^O9NsE73)llHNd0nT}({s58 z=y*#2R{`zlXoGwrKp@cV3}^!s;IrkE`&GzX6$zs3%bEn)zV7t+uyM;mi_gIK91NUt z8|O*d{>X?HTuRTG&HHX3v`|<*U6MHy&v7X64wZ@jO59&;CC_k_ktj<^C=Ma z>r;&pQQQN61*Gt4DxIghqEZs@jH-9SGxY^6@D~1(Y03UzCMC(eX8q{UGc^zN*o7-!)qUs#Zof5MaA!eEln^2~6jmHE|9a2hmi?on;3cTkUCkx(_8wCz zVLkqKdpp3BC#ePW;%V~Pvxg=&1M*&@`mB;YRQ4~AP&Z+B6O}sF2p%gZ+NUFWSXEANac`44uE8}uVLi&B5rYy1}OZ!fuS-KXc zuOU5*#e=DbP#Ic;GbYw&H|`Rv&l3;|uEMk^}(tf$Q22)Gr4sJXDS>Q$c9*ht=~kXfx-FLVic zm0(GyDMy~7`fKC!a|;AZg1nirx7}^d1j6a{g8jh#PinA_#B^lUHK6fLCOJ!n`6#Dk z(eOC3f-?@G*^?%uu$C4~FRx00c)o~oL>CK0^q=}wYiV-%j(O_EdgnhUucn#kY7L9f zkXfC_XrZMrtX_qQUtT2G-;7Clgk^dbgN|j=U;+LLMx|iA9L16_TH=++0`^#ENIS)%IS2;N##hy))`6~H^7}SOyAgSq9mUzynJir7&twaV zdezhScE$TJa20azmP;)o_^eWHuAwd83G*zpfs)pKVXo7G-2IK$HA znl^P`0XkVWCkZR!Pnhtk+G}_(p+z8z^Up|b0m5nyO@ykk`u@AA~54EXW-qPHGyI_<5EaBh4pg9g% zt6^@TW|ErKCMW*ekfvt(S$ta73VvFB`=9F5ChY9r+CQ?D9O2s$zxuWl?s08Nq$r?$ z=P%v+=R(B&;UN=K!NLkPp%>7LtscYttwla8sZr!n!>f_7*i-TY%x04uS|jV1A?7`E zr-GUzSkRcv`dx_#*u{(g0q1Sm_zmln4T^0+SST)kpDqc(m`-INkV0i3*JOgEr`ob8M>@phL=4TCFlQR5 ztng9`bu=ud0@nZ?El0wDCdI>Qz8sbZQ|31qIp+M^@OPnpe)!+Sd6E%oV}xQYI68~M zy_j&~KZLw2vJ%;h2b{eB`Yi0_#KdX76OpB|x`qBaT9D&QDA$tq?UZkjXWB7dD=_z> zKN2UVk+_X7h!D!_U-azlhx@?pgUtFJh%nL4I5kb9Q@NIob^kVyInSr*G5d{}R%#BV zrcC~KxZongg*rSOKP)(Il1NAJN$5x6#AFmn&` zq~5>#04Tk7W`MqaAp#R9Lh~7J0Z*XZ9l!%f7mg2vr4|Pld+^bfiS!Z3}3PvF{~&A<&Y%FY5TLk7yh0kawDv_|*a${>8|C zHEWU0aq*;PkQ0*tXa-#mL!RtD>9n7vmDIF~idR2Ux8!t*u25(-f5g3Gd&E>fKg4Hf zw~nZdbTyyHZ>prUxkm{lQ+G8@sUIvKL!D1&cpOJOWje)ne|0Ed>`!&uFL(&|rfag)eb+o8v=?42QP&h{VUv zz@f_G(Uf@SHDl|B$9R3u`>G$NPr(Nu0d;5_UfFB65s9VbD$6n~`+7L8|1C$c+AK#A 
zcpXh3sTJBK=7JK1SU3m}Sh`ihPy!sASZ;Kl`nvHZ zjjjQjkA#$DOKz|IJ{th+)!VGuZ8o))r_x;>(@g=Zsz;noR0ii$J9Svf##UC#UVw;} zKJCM9iZ&=`7zDb0wHd^`{|^xFt}3!-0aQ?CnDzF>igA7O5o`*CF^4%S0eyyl00?`1 zc3*8?U1~rjC@{@GZY5z3ti1bPeISChV?PN>H*Ac^*qP`}oOM;M_wr}U zk@&*U!1Xkbypo&jY6_#>r(0=Qb$QrtxtoVmG>c>j+j3D$ync+Cvlo0; z!n6Svg79}vv}NNP(+SM4=1D}!Vu`~3fona5c(vonoQSt4!gpG>@15F?-MIhi z4NBkApA=@3%cT=ejz@?g$*e7%ScQd1I&h=}@D;+&ov?R_3*#w>Wy&Wk#Vr-AA&wt_ zHT=0z*n>W&E{NZF_@ge2HR|w8X(B)`cTJWIugAETpCF* zg$^WHcw9hGB30n$)(e2i4{W;evG`~?c*ouseF;IPX3GEbnfc@0rt*)s$(s+xf%BaU zxO(iv_U)ATP@ETa5iA&Ss-nzP$;TSWJb!`gY0;Yg%1????Q^85^b(}I!nnzod@xq7 zLbm)}=VTv>eb5P3M+7eUJO=}VrZxbdG92c|>i!CwX#+NMki#PRXoh z1V=tPxYmTRk$74d?{qL-ipr5Ly<)YW&?p4MX__{w(4FQ>28Q6uqO8)a8)py#4Zjad z+WknC?;~Sm-ZA7VBl++{p`gWM(s)E=yW8IJ=6pCQ0^^zC5MH9r?cqdi7Xm zdR=qoqK#OH;_ku8o^wqw7^6G<qzSlB{sb}gK?#(Cl`O4$X zGpWi8Y}ov7Z{6?XUB~MA%q@#hu~}LSvZ>ml(#!!A_U%w2EU_}r*mG4BCaMb0B;u1~ z#kh{PZ#zSg45DcDj*8|FaH?GSe{|@n-|=G zAn#Zd%>8C@VCSt54=ET`Dnqre=j&iY{$C=@E&iA<2}CnvVQb= z5a&Yn1eooqY+bOUMgp{}y924J8J}9aE<>u>C|^pXP+Mramyo7a;e0^N0Y_WUuXdbS z4FelW)vh~!Lt7qBD^fXYZ4MvY^az0wkEb*~@94)8Di>YrSc2qrejBS@-9wumsy$vl zr%J7)I_Tw`xZSIG)Lof9JFgQhYfMff5?LX;w4nM^2-mA#h4Qz0YM|^V&+}Q=+os2a zcT7*S`BgM0rVXxfO*7~#O|54420W6v`n(@G&*}iJFJdI&JePVOJH3w$6xGPNbXcE) zf6*gpD_xVWf!qz!ue<0oDal-34>1_D-&^2Ukd|SOCO3Di)80?D&bw+a z>&QP|_bTQPoHIRIwO=5#?V6~OxL#VQK@|Tg?9OrKWo9-P~;s6CS4bWE4`|?&4R1XTH3BPOnk@Hd*8YI@ze1?Nd+L9Y>k@GoGgpAhUOn z%p1}>JE-sGO9-%vtl0-d)rAsovxE2`lp(pd4&x5J;it$f+SVZ!Lg)RGZfF1Ibgf=N!mv@A^}Ak>q4GHXrv)SA zT$$(q(N@q;XsU)bMOu8}hsfkT(FrGb!kEOH2xI=%m6~Q9D`=$WleTbEn^f(=iU7WGjK;q9eeeN{(gd&QOy& z_X6_Ab*mn2B9t=b@`O#kEi^^(%x>!3^Y5NJkq`3>#H#{djg#ToaYXSG7^XzIawqTtM%GSCKOxPsFs6b+WbohPjR+=my=0{F{!RiotK(=S!StS|D9r; zqUp6ub3rUPz;QOH4T9a!D1U8e*F7TU142%$*<7k=5n|M{Y%Y`JhboJn(2d|2{>z6j ztdcyuFkBcN>!1mTCCHKzeFva(a?-LwI`7}R>6uXl!0dIV1EmfZ4z(g)nrCVg=kuBr4Aat z+)U^TQUx<%T9|U9))EebG)TJv|3uAnIju3vXu_$jAQ;s7@H0ZTbdbT3*?FGb zSp^D;5x+(YGf$AMvFZcyryl?IA^*X)o|ErA+|iT&bz~{*=gvKmd&4!_%%4kLmWfRw 
zxM`^%9u*z$$c*q%uBk)KY!xc0V0(dhtL>&(?Ef>9UjZ*A_{3fjMIny#L7%r-7&Rxm|@BPW*CImsvTDdw^ZZhm3b$-4g%aZuAyMY$CseQ_}) zu1m#u4@}N`ZrEm2b&dd=GwK7WxctS(t#8?Khj{(qcQ~K znalBs;RR$O$�_$Xi{##pwPV?WmS5qU0Awy^-LtKOoAJ%YmW(q-;CG4(d+0JM9i) zowx0a@z@Vm>s4pFWFd2ECcwmYb0Og{^cOq#6v122%1|%}#s||LC{s8@leuY?&rm!Q zz~n2Jr@DObSYVnXjPx}Ov#d*1qJoZmHB!-^?UZs?_8+pPQ-H*dN|jn*#E2*DSvBxX zkd$e+4Kp5bM5**UbypLU_E`o#O*;3pIu@g1Tjc;FH7H>drHo(kBT?w+qAZX%vv|nv zIaiBKX6?I*lCZT!QNcY35j9r`#QfD(f-IS$`n)55FqG_UI)7cpmMpPu8DO5E@X2pG zv8VsdM1D;E--rb9Aj1b?ii6V1Kwe*q@2A5>IFyg~M~ls-k0?aoALvZ!(3%~QSk(n|TdS)kFljSjL{#`95oZylgL{4!dly4ZZ~ zhsOj#ac^~~<90i0ITuvSA9t~P2vs!ST`*yA>#d3?cNl}Zw%-r2r1s~+-h1=V-N&j@ zT0f>dcS}p?R=Xs<^y!+{<~(LN9;+hKh+Y1f-W)2IDlMlwAb-38K*m5FZ?~H*pKOnj zHi-?V9oP`fjzQt=E4uCxJI_1dnIL zS9DIRMLrvv7hBpNQ&)&u^e)>zWdz%8uXsJ>z~A1r-cAw6E`YZqol5VoTfg~1n*=vb z51CcmKadOS`}0TDqZWabwnOip$mZJ?+!K#SuYJm;`|#Vy=6wgiCZcKEGH|;TR4KA` zf2$Pxwdz^c6H@}V)0$&()EPzaNpenJ*LM)8Hkic{MZTn<}rfqBbe=ce0JW`v{Gk* z@4V!2@jKMv(pjL21ZwtNZw(Oei1{LO*>Ma|=9-$wdwFTgorgOEy!w1LK}!WGIg zZ(_wE7#_ihrDGgVS1(BWz38PmyXX21Y2$rZ4)f99MICRA+eV{0-wDUbV__E@{t3=W z-PQS$lbHz<;I!3?tO)WxYDS7iO^8j0pjIy#NsUz>Qs+;)Fcg*zE`Yj+Vxa2c&l$@Q zVcO&iEd4wSc%Q`mesc1bXjE8Ow})V~7O(7Ba|elPL+_38qY@J0Ncc`v{5fva<# zP8rduA6f%dzwT|nLwy2YX1;G)e}4Vt{O>_%5#L$lZ|$?b$D3CmLlvv0`x4j8)HaoC zNT1OL{ryq8JjU3qb#ccNg*FHwVH|`_)ml(o1|Q&FL6D}2Dw=#7=8LMeI(Qi$&>__x zmMm<~BHEPZJn~p^>zePhW+s0UsLglY=hclT&)h*^0!O1a(OWuqd|RG`&Vl*|+Zhfu zpIAA=w!{SKMUVI3Rj}Tdtvoku|JF2dRNYqW!^-Zvk)UnU+%y8eCUlWxpXr-o^;XV5o;1lis&$w~?Wym#2#7T1@-Q%7P1^(* z6aI73c4cBcNG=@@jhfOYP4NI0ONObW(a@H~N71rE*V({u;__7RpKjafisIbyph}QP z>0RX=>1V>Y_Ypu|QbFegupo9f^La=A1pfWgO(2(kAit6gX4AY)wrH@FB0(_5D!ScP z2eMsD@+koE-yggg!3O1MK95tbV8@CfM769`V_XWti(i4*FiGkbljQO839+HDFjDgM z+u%RDE0fH%OZU)_aPC`K#C*kzw(B0gDJ1d_@~LACy&$R_mCS&3YN0~at=m`f!^yuA zH-SlhFSU71-)1;ZgdnXgWy2jt=OQ5^S(PR>qX{w=VW=EPl?(0nw)YPTB7|ze!K=!= z8)iU0YqB#-r?7qbUEQ?whq7(eK6hR?u?$iXX>x91;T+wO!m=+QQYAEl(5TH{_^HpD zeXyLjNn5l`j088M*ji0YiPBMnHhN;TQeOInLNrMhJ?dA3?qjO(4E|SuBoU7UJZi)& 
zA-gUgi#q*($E%MI;jeI-#7}|AMNoItjT@-V`_if`sQ2q3_P535?+ynMf(`(KU+XX$ zn-{{baQ^3&`y2xn0h2U<@=<5QrTa`}E5ugs%zTvXOfDv*@fZe&=qZhMJW zG`)L;2!NST)$R60YeW(BZqu$o+^mk#s&l?q-9A$rY9YYz%ZmQvn#O&Pj4ivj8v+o+ zTbIYxF@0vnx?55aJ-%IxjoahzQiriP6|eUUm#wY8<+NSL5x@e1#_1E9hX`^NFN2}U zN`g!Yp6hFmWG|bm%#NAuI-1XuF*O&YHO$V>Yq#~BVDHHT9nCw)|AfPK5i(@x)*R|g zk~to0TXZa~9lRXXO1Hb$9Wr>lcWTZ&Y@(@rHoyabIzE?9&0MqFYs)(!^lxs)69iuO zw>3U43+CkXew%GQ%|K}l2^X&BW9^!%hmAK4E;kKBLm$@*^x@YP?H<3@XDt_=)@|+- z#ti)Cxz!N@813xUr^|vz(B($pP4mmSR|;;G8jNy!$2-%Cn+>}Co9A_j>YI_*NY=8p zdji3SQ^5-U%ONGf)~Ak4)-$8$(#*0O@tPgyQzS9VB%VWAV)xERLS2!|s&|8mw2x;+ zQU7hZjEw}3{dF+T=jV{nF@y?kGcf-%Q$X7N<-NdO;-yMR#w*0b_A=tJ&1!R!W2bAU zh(25Da=zy@GQ?Tu(ci7d)hM}nTMegP$Nj?x8}wB%2JZERY~KU5Fm*?RATD^vyr14h zYMB*Nbz~YVMpd42ozy8uP_VXxaF7Vf(UwQ^H zm8k-eZ5s>x&9@ZA3+vc%j<9gKxJbh54dZS@+bG2Xp?-F?hVr)ZOj;s2qwlxRV7dQ~ zsc#C8Ea0;3j+2gU+fK)}ZQC}g)3I&aPQ~bSl8$ZLwo^C%%)N8xWk1x@c{pF~v({cf zFDHBuCLl{rjK?PPYBy%Pm9keEX_&MD7N*)OHoD8s`Jiz{h#D!RMQDxU-wN!iq3aOM>6x6T0@tV-8PN)6O>Af=A~n#st_x5L%N7ADfg>L>x3?z7>D z;axjO(C08T_E3Iq1hGfpb<}TEJaNdLVUD1T{C1(deZcQOj0o*Fo(yKVf7S0EbN&rI z{k;g}`dMH&8_M{P215Fzl_7W6Zyo9N81b%obV+# zTqyvh|5r!Ow@wJ$)-i$gc%Wa$(#eZTuP(A1^WY47s0afIWAr-9#Ssb}PVzjIm=-#v z;*oh3BX~FL3~@GRL~7|vfN18kKa+Kc1yjz2yroP64MYulX>mQ@ zWBmfI=;8NDbq?0Y;*GQwcFFyC4^9T*0!{@==hi9C{zs?GIfc`|>5dh`2GHJ#Mr)yQ zO)(b4P?7M@)664Bos-m>uJn_P*Ev$SC9I%WQ1Q_c{Ll#irolhT&ckvM@W%Ky^?Ut4 zYxf51Sy5RfJ98+gec&669)xG_d0eF*jS; zINFEEZRQL$;G^oT-lU;mI3nr7t5fzmwu|E{TE?T7&z4--HS3t+E$^FjM#qRL_(eL+ zk~I-x2jzn6(0~w?3W_B88abJVabz0U92?ZI7CdGIKTv98q%w~yd8*7Uu7AsPE8wbGomEM?t2yR<`vH=|Y3P5ssi2_TYySl|7 z@Xr-*83PY1jC+}|_wI&xLM>utfS|Aao%2$3VAcjV(M?(&&b~#Hxb_7pqaT_)s zC}?B8{@x+=W=z35pg|{Swjz(K5GPd$EoAE!U#+o8OTM@0L%$7373*R|BJUJeR@a$` z2>*$kM%;J$jr71F&mLG_TZx8;!#e=`(FJ)~;4b-!fXEEIYo!Ai<6XIV)W$5C2O#zCq4r zI{&y9)3e)0(pWE(R#b^CZ-xrys)enEV~>w*lI?%SU9acYzGc+=4El1hTL^$YE~2O2 zrhYs@Lw_87g#C3w9aPRP?D-AK|4{^zLxS!nhJoy@1u=gZ_H>Z-fW~C;+1l?Fr-)o< zRuqXIW^{*DkW%Wj??$=_+n>0O_*DS6mF-tGPCNgG^17Ec&pxgrIs=^lT=eQ3NzMD_ 
zTwCwEZ0dM|-Z7G%-o`~o0e80;z5X7PBbxUbd`7*Wc^>UIw-l$g`d4aao3_V@w#6-a zulKLKA4dqLTdp3hOV1W>07Sos-*;&^R}E`ZeF*VD18uopw=(%WefL&-O|~$}_1?E~ z&xM5;+gQydL$gPTrCfqgove+zw&PQx3#W7LBaEf>&QZPQU0p600QalHJEMZ&WvJxJ zQJkLzNRV%#6G&sJ>&rnm)$pOHh|@ThbBe9dlUoGy6YlOmVM*rjJ(O5{FWd| z8@!>zlKp18eD~3BegVqM+IvS`yBzTn_a*=0m38qQjZGbHTq@m!P@#%a=Iti7k+1y=;9s z&ll<~fxIPZg~kiMO#6qu&mBPwp_Y|c{d+$R+SFWY914R>Tan8Jov&JzrYJ+`R41lJ zXnZ+Ho2(CYVfUx9(8aKtO-}O=q)_P=p%54*xy?pyx}&yVRc0A#=pub_d?scoepGT2 z)V#ZEGwDKO1tK3mFNYK%IeYs8(hR;P>-_oU!St2TUCee)#%tQv;8k9 zaB+?Nh|-xYu%2`mE|~p4GAXFhRN?|*7mS>WrdIWv1KHF6hLgj^D3rI_)3QPn)Fsrb z=vTzOaMvi$lQ0Y7Ae?KAq}V9&sF!H{B0QntTsf9~sHcooHE%bI&R&sF?baw622#80C$Iwhm^Ik>$#&3ZXf~eTQ` z-M5o;&R{Q?e>@QCwYkAO2%$q<4j5EPBTNpmKurAiK`Lq?(MAHm381TI( z4_iXHKX}=I15@wNFaHDm9GVXGvASQ;PL9 zBNQQESaC&E0>#2`wZP}bG+^lwb{ILNRbxUEZK8ir;8OeSe;eoQC|%x_aj(#>vif;8 zWIiHHBe3Cl7OgX3T>Upw#EPY;Qi!_25(p<1_&_&-3|(CC$0v1_z*d1~7LGSOV)kGYziPDCVwG72?@tWm9{#vS#{RhTIlWZ+jF>PhnQNYcf3yklZRS6NXq zROIrN0Y4FRcCU2&ioKJw0TT#{6}}uJ)InmM%F%h5hq?a?i>CmKvFyY0yZMRWKvReen5)9x7TjrR`K#;-7TZyW$4u z0g;aYzFsYaA60+if6)Quuryg%3RK-9Th{tXMAanSHJw&-Do@b=ag@v}ijb*HS!|sC zw3`zln>mY-4ML3qGZG(yTT$Z=n@-TDYsO|+ap9qlL3IXli1acMf6$qu(>O`PSPUVxiJ9yZ{3Atg)*}&vD|Yzj71Sp) z^`4IZqif&>hzeDZOvspyCQHKGC7Frg+tN(A}q~0+Ja|o^j$pPbuj9?KsdjH+p<5 z&j$&myL(3RzG|Hgn(*d2L-+hx}`LulG(d_w7?L@FEq!*E(MpQ2*dS zB-nf$l69uyc{51VxpTw#xb5I*_YeiV`S1iB2!|WEFKIr#?7<;{-qV=!0w$uCx>1yd z#G>@Z99!>Au|C~)@oz>s@G^L%>kI=9^rr|)H(Dln^Y9bw7^qoqca+sFr=Vo^R^71P_N@1N{Ri!BgfG0=`a)-;dG<*KY+4y&qQI z%B$da5C-OSm-#nrn}XSaj@?Q#z7M0=LQ zZ@ssqyE9#Z#}A+(TdILG)2bF+_YRWghQ}T1d!yo~+{zz;^II+l(->0?zmr#lv@a|9 z@-EW*aocKK9M473xMUPx`{JFTblQ}^$7RlwMyR-?G3b^azMzIt%i)r@l_ z!fxW%F+!r=oB!gM0VH}~abjQF_TMw^C)sQaC2YXaD}Xt{nVF76p9T!86jSix~jwo&&hY}sr6P@I+3VL z{eF;6l?t@?SGh0IXo-zdH=DO^+)zRCpn z;dv(r&uvpg;t5}jH67S$HRt>dS|r_A`u4dyR$LMo(@R%(@8K%bq@mQzzy0OKaOAln z=)xPzQOmWJF;f`wfvwUbZ8Ppqt|ACRF{#eJgcqChbjcXL*|DG=p#jGzyAwJ_(z*Ou zag@jseWZ@k*HO9S%7VpAn4|FP#BV{;HsR-Qn=ZQYBFyT}5E7~-h&sd3uZ&i@L19Zh 
z1~mzmtw^%K!s7gECbW&ZrcXR^XcDfkyRPTTe=Dg#+VLNNTRB{_>k)DnrEg+oJGq|b zyf!jP9oaFN)-%5wA*Y7unQV~diXZ&ixoMRppd8t=z+@If-KiXR)HkbKnT@hEW~@$@ z&E}a<1|eeN`{8M%?Zsm$lXXat>F`l2WGad=sxXiWi_xh(k+~5n9JHGDzWu3($QhF? zKnxx9aUWkb=@w=Ovs3zAOgnZL0h_HdWD`Z8#Gi#gtuz<$Q?aUH$?QI}>{|)_KkW;x zR#JV=NK65mu!jT+3U#fBAs8rJ@xh3lK$Y-JZJ-{8I2!D_nrd`TG8c83Gx5w(aQ&v@ zZa;RIFv^{L9S*SJ_x4UVX^^?Ejp4(33r388$J&jyNRu73tyNM->djv_%wZ#`1zPr9 zxS40lCBPdr=*40Ykks)4v0m3mnulwFj@r7vE*1t&y6p*VJSHQV@C~UuvWz{{K7uK! zG+ovW%4+&C^g#O0v79I^S$PJy^@6o(dDbe&c0quyHy;pR(c3Bxr^<4-WdhR7-$Sl}>=QHB)(q2MZ7d$m_9QeQn1 z4=ZVnnxkVMT`xy#clh-|^(*TuLH}Si7{$zXouGe@^#|)WiIW#LbTy`N!zq_H|0Nj++a#JImH8U=z`w%k2(& zI<)uN+n5-y#DaXT)HLu^xYa|?^ei7F@S2o$1Q}gCmEWUe71YI4)yN) zvamKAuljE{&WL1c+%bK2D{S3iyqj91^UmGhQO5V4{JS2WS}_UrNZKAI9uQYAE;OGR zS~8zDEqb-x>$n`XPe;o>r5K#?-bvf1p0$o*@6t9N)6q;{(<6Fbl%Hj)a$Vv8gSKG@ ztH1??&AH9TOx_mlO0yal4&cGAVvl>jg72kdPs2-qZ?)f^0Tbh#{W5iU+m)CzJIRh_#~Fz#CI!KpP<)s1y7?U zd|SPaz#YtOp?2x3WwA;BE%b~lpy~PiIX1_kId47S0M~gzV=zd;-}2#%$S1DtrYGiV z&#>EXuPk;vw=LZ7!~V&jv*cx1R4~*1T06|oMdW6Bv6jK_WXW;uu)z`#E5K}9ftAJB#;zV&u1Q$yg=W{*l+pa}fTv$s;c4cCnPY>9y!n3A~`Q z)N3C#NfU7YsEW&N(lhXl+&r2Hi+kPdqa$)ZmWlfnrU&d}rQ_%E>~7sUsOv;o+n*?k z+jM?viq*YJJxZ(GwA{Rvxq3RPoXYk2?Q{m)$^Wt^=wCmAx|UbJ|GHd_#mN7F1g-xz zPP63y{Q3fI=RL~g(6-Z+lKYIJX6RdggqG#^+;*^Gmose$+W%k@czHXZTiX^F>^Q#f z?74phv41l8o%K#U|2JKX?oucoFtRK5qXwi^kbisE4wZ43v;4&wGp&P;I*$d1-}!Wn zj+N?xkPmsMzn_s(rrFzIgpI9H^Y=_5A&FU0L=GT=;Ol>Xw}f`loJ`3w^;eQpcvj|0 z$=ENaRAZuep(KZ+cY=SK{A^J>R}*IwDbH?a@O!6Cb*ki-Ug6ex{7Eby4!1WyZ4CFQ&6$JVk8U}v zOGTtH%RP(USppj}VQi}Ua*W^nbhYX{#X2?W-&Gg?aYtH>B3gyJ*?Bn+$?P;@v}9^< z*&)o)&?L;3j11JsGmBltBxUoJ-?OLT2nq z6bxA@FvdEuHn$ZhFEo&dn1$|jtRcBAUWzmh>noq#oa4iy zw40a~GBdT#HT=p7bdUudLS=@Sq8I{_rRVGIW-(+UFKC47h&j#SqVbe1)o@otvF`pU z*D)868!{HDq2O3`OPT%&7`h9ik%ZTM#U6JrCdO|YBv$(tMLR;0K>v$xL(ba*3b9C{ zaO!Ydxe%IiLulA-UnE;&->;+ek(Z`r-EM%P`QO(a+)KpEJegT~{agg3{&6qs4kKsugqu~ z^$sBnISU}fTAp19;xPpbc}H$3+`;VmU;{(r8akWx`K)u+ux=?KMSsF}BbJE{MLw+*Ti4rs0%u6?)L@5e~pn5oK-?cP$RNL=K!-6$ixM<89O#&IZ#2arNI) 
zuop`kaH{)I!ulCz8%Tm`tP0}D4mi>0l6_CWHB&#QqVLB4XS_2J!i1uJA=h!g&o^D1 zyr;a|ktL>&yeA@ zyUC-Va}bkqwbm}W^*R3Y{o`N}ycKV)hA)!n?IS9xuDtUD(^c?sjE%|XV=`#z=X0)A zXMZLrto!YoYc>y7m?EtFeWH?R*f+3h2Ur+ltdT_el}2@X)eUmp|Jb!_L`1F%AX1gm zHhp1(CudVbl+tizj)Nydrr)^m7`eE11kq-Qi_8LC+exqP=v# zv){{M^s?>*SKvJ!)@OPEv~L&0F|b&6x9{n<@Ejl5DstY-POnULea;H-o;$}s?%=R( zd>HV6z@yuO1rFo#NPB;-3GTFQ)4qIe9o+4>u03HI*z^TWeXN8of5w5%=Lf>Bt{U!3 zo|>5hfTF(*4IaV)7H>Tvj6OO!-oEe4CVTFH$FA3NciYR({)Q*g6@+uNy0<$D=y6(n zzulta)TdZY!R@V6!Tm`G=BG$|%&POdBTc=l5iAP?E?A9K-^(i9iRb6PYlx^%`rEnp zjZs@;8v`|W<2C0W=9e`=oHn&SQ=+}zdkwym06#I zU2JEC=7ej1e7t5; zYgDhC8@>!mF9Q^D-A~izlP+&%OxI1OtpYbQ6r6lV%L7w{P4P=t$cx%GMF~C^L>dMG ztxpopNX+Otzms^4PXue(SHJ_ zK7;&5J{_ms-a(A3TsK51Nq9+h>BpZ=AC{XY_~a|JtQ<3MfP90mCR^K7gbZUUw8FxrmKJ!i zXx;&pO}tuI^ikU$XP=w9vN47-?c>EC(KF7RW3US2!Fhdog-q&^VaN{nN7s{K*6ade z1X2MkNnCA;d(t58M)1Lfaz6JZ9Arpsa9mY>qVfoxk_?%o2QxA|c00@~*&4GRgam^k z!_+^+QyN-U+u9#44(L45TON`@CbhfT-o=|r9bnUT+cJd|j}nD!LLIQQf+o<`cJNF3 zu^w;Lsbi0#7S&MJ)R6A+ZreV}TCg)Vy%44bK~ms8oY!5BLad{%Txm{k4K zG=4|E^vr^?{b&Pb`f}!b$qgSt^;xoF4B_y(5b~DAQM!#_GcekP^2Z(LO#*nnIcAgZlS$G&`YN3+;AU|SleDR{)sv(!AICOW6K!8jG}6B7S}6;s6vK|Ay4k1O zpCHI%&C&qXs+1T|&rLlzhHYu!vXxTyg(6Wk{-KqJGkJS8?28JK<~qG7!|(#tar#({ls=j z8a}sOAi1}Hr@G?;(SSt58JeTC9Xmd!jy{9FTHP#rLbH0`rrzg4I}z#GZvJ(-SKtV2 zTUqtwO9VIE)9S#klKZhj*vbc!63avfsg%x)%b!V>g$0S><~6y$>AS7vO){lDX~l(v zilQt2Yz)WgX+BOPhMmduJ)~4_A>s#)$gP`nY~1mXT)!5)Z1d@{UNG^n;Pl z*}utC;3gm7bJ1gUR_0tS{^`jCQpYBasu%qm!JI=@L#I$#pRdESE3oMkb@^M>VFgA3 zUp*vJFe`&F79q?iGC@h9QQ%WG#;Hywqb#p*NGGmS(wV#|9q)zW;rvsX_^rYQOt?uX z7=37WpjsZm^u-Kzr0TpJoyE*V?w%N5V!m7+`6U!Vo*%79B3Es=!&U=TzQ*x&g?)7Y z7fL7vZ;7!H?B~%ZS%fyI>Wej92b9*1Mr4J4t^kgS!<;8xyUq;KC?9$tIDE#9Y|3Nq z_})8lxxvuZA8y8c@`-X!2pXzgD9NB zwf+_ZQ9tgCCIF*71-*A8#koD%mIkh?9ps4M+&Gb*%-6CCzLrA{Hmwmg*wOFfRtUk7 zLv93B!nlejCT7gcCcY+p z#0@3B3`$Wg^Oy9>kD(EgwQ*(Z@Aj?ln6as2#;m3C9ZF7#Uh6^ON^%|DZJhKJ7tB{x zURo`I^~M8xs1pA^DjIq&)T3*wDA`z(_n(KY)rQr+A)zsljl~RDgJ*K)|Nj9pQQ zq&;dxnWzbr&+H@xfX^?Mm$r;fPaK{4Z-@T~A 
z9DwCsQ-+E?{D5J1kF#g0+TP=&y+37DZ0qAXNZlRtk7r-9fh29uz?>)j6B)!!yUA&7 z$C2avAU0ikKg`G2*PiZIcgu6Xz8=Rbr}-#fBFSuboSuo4AbAgM%dC&HGjl?}cEIxK zZ9)`Ny?8*JtLKQGy~8%kSSkSI_>d&68MNC`uGebXvw4ZnRHp|L1DaJd_4N( zTc-7W*?joX;`J)(>I$N@|EJ=cMyTx&^rqo=e~4AS7$-N6%aCg0k1Qz&0GvHPci!AAm4f^t zO?F?EI+x`De=18Mp;lnD!-4~EKM#0S?JCsHr`i&9g|h~Z7DnszbZ|1{FStF9`93N9 zrL0UEQ~f5x5p5N%ek#AYVFXHkss*{^0_V{k+2--x7(eokev(2Zc1JDPd`OSJZ@~$L z(Bk?k6X6=mm2(%)8gbXF_2l9>P1Wjp5#Tii@}?hdwBl?J#^G$N+_kDaMvWD)ML6i2 zuwe&a_)9-yf;T#dpZ46ei4R&RsS?|^tc#6Lq@`#7uB##Vp)@L)uH0f2UjhW?Oe!CrnEn+?l zzal~Bt1K>wtkFGfy~%s;;sDh@Ad$30cEbI<5EQfkW#sJ~0^ZA*1s?#xE>v3yNyce8 z-}Vq|VUYDJ(h|wlO|w3n3psH;3!E9S6O;VnWUcl@ayhi9mI4!Dn6P+^Sln!DRFbZi z!l9T?F_RHl`zrp(u6F5Wv(s?ZAvPjP{{>#Q&7S;ZXFGD1~G}7KC zOi`#aE^<9HN3DX1(!c@p(QS_Rv@O>fKN$*!Q^8LRD^vsrd>BYwW?O<@KK6@RxfYpe zUv9HQsj z@M4o{L?gcx`opj466IU$!f8;h zq1qfj_mH+nq4BB=?ZlU_pdm2}UI-@+d_8I+!qT%+*m0W5R=S;JIM{T!SPpzNeaY3F zmS&}0qm^)*Ws&LLo&9f-o46gfDJOIEjac8`M7G&^q5GL-Fkb&|RmnHhwUKZ7%_LC_ zZNvS+BxS5B5*G^x%1T7H4{##?F5JL~inohXgYF)nR_7}H3)l<62~sPqfeYhc7F<~h zanqmi1@R6{h+?Me3vUHQNL13%<4@?Fd`>d$5vdyEt5UQ-P0>+BMjE}iJ%q&}vO64> zaV=R6eknv=h!Bfthm=rM5e1Cf) zB9~5tfJ%b6<#-Q!C3!^(F@^{gL4QT~IBM6X`rJ?5G>O`}Mvq{)`PT6VmWWx%<~nL3 zE$d-q%JKD{$u;g>)$`$Er)u+M8_BkdNnf+W@u29>j5iI^Q@!HQ(ciw>sVZl?$1hl_mbxK3A@d&JXp+AJF(6&tFYZ zo+sa*K*b!E3sj1%Qya{kFSkvWlb;WJn!WI+Lse(=@Jt-0XRhIfRX7`)<8b}Rt9`!u_b|LHO}&nnIF=FwY`-)9MvcT<0P==SP)ECAZ+ z%-3+vP`I$m80vpjcK@!LIr^3Xrn>kg2NL0Z4<>Na4+_jf$;zC#-FV?A2;+&Jon_R#k` z>BGEI*Yy3^q(ZA=avyy4Woqse^<2_BZ~XBWT0!SIxgAhL;QxG~=QCCKneqW@dIs?y zeWio#3eMetc&)bv0PFB(2LQLPMuWs%v9Ca7=|{hFkj8W4tDwi}7am@p4-1jXpr>3} ze}9c*6Z}jfaYAX-kzv_`vtS{(`xa3~tG8YlmA+DE+(DcYN@(5OtwEZR0yQEQhEZ-% zVBX%})(@1`$Y=JEC>iL=j(SzD{N@y5lPy&+NuEg4_0NQjfg9i zb}`SuKX(TF6DWg9Ky_t#M*4Hu1`OF_>?Fc51&zC1jp<>ac*A5)44tIdtg3X=)0uS! 
zTShKR%A5zz;0j4h1nEJ?$4>qMAs775WBKenC2R*q)PzeRPj)(_pOh4gxwtm&zO&*3 zdFZt>yL5$;=Cs^6K3go7FNT4QD9NuBYCECQDxH~muslzdqAuI(5VfC;(R|>kHyv1R zFanuA+a?<)`9QPH@nGW~*1sVr2fV+&Ep|H|30mt<>0r;=Sw_iKZm;-|!dFXCxiSES zp_M~K{c<=HMQ9;Q?<;XN&ucevlq;9aP>{L4MPLM3RIG`0Y*a*egV~m#jWZ`ybNF~i zVeWcpKSoO9F^E0ZFPl=uk|zUgGBRJ$gbwJX5Pxyf{7|6Pw2_USy`-@2se#vHT4Hf; zAH=Z_x^(+Xo*aVf%o^KWD9*vl5XN?DBOgv1{2Pp%8>$9sg#rSyqDm|rOSF#iafL;3 z1_3U@HJDzlP>Qw6Z$r`gAfh&eqC?x}=O!}BJ)w}Z4oM9j`h0vOXEG-IX8o{+Qd2Z+ zs_dAB%PCzurq#&waI8Grk!#{6{D;cwW1~{3IXL@V;3!T5CJP023mT=?m`TWd>nezW zi)jD~gl*F4CqY$u26}G=eK}930Ef11FP)%q#SbEb<5C+Dr8rfv>Gb%BO^E%~Ad`6;KJqedSyOC1K~8-yUl}Qy(Q>}w#ISZS5M$jt6sob2ZiW+5;Kvt|$i}Y9 zdsCD(`(1ZS^yvypxIq7?`JiH3*a!pwxz`1+5Xv;}GJJ@i;QEu-C5n+HRH>QWRS1|< zp@2PmG_YZJ!qsTv20ak1Dmr}s!hH(Yl!2AXCr7uGIfW=){{|kZ^CmIFKBy7cD+x@Q z8^Ib$3v!fpSpwv~MC5Q2firL~7`jJ+||5tVg~T}pUjuA zH3dkEKZ|GGfoA`L#!?Fgd@>amhfF!tDaFHw&o;)jn2tF*96Ez1pR$tbN6Bf0)a($N zafwp$%a8vYOQF6&(u85L)TzMR6mm4!Fz%mue{U3SheK-93#R7LQwTx7^8T_a#C?d3 zIca$%%H6AQ^k@ptvWNyP_zhY3K&0WS8?$Uh|1CzncA&{|h$){Zhva5nw|&uu9fqEp zWV_(|{{u9GFn9x6dcWg%hyM8e#b-Yd^&~-Ev|po5=l+;@SqHSxJGzYgBMRsP#DWxF zAV`SOWmM2Zkni3t?X4!Jp3M%Jo`~K7H%PyCkl!IcR}Odu{ep>i$OBOa{(-3O-ygfS zt9NQTSufT+c>UtCEH8hbcWT&#XmYk+#Vh9V`sDaJ>ia9$<6P7ec0axVtTq`Q9{t_= zxVXN|Hx!;Lf3=?PJHPYn};WXdznL9yn4MYrv(d3TLp$|6J(bB6XS$aT7&_< z()*#ZvAuTE_ZvtCn~#C5SnpmQtUWNueK`QGA5{#!bG5pL^!Tzp0mI6&>mB#1X?o02 zetxE?&kM@lTR=>R+K=a)d8#_r08j@)C=-)wA8MU_>ttl>$LAChIU%`V7r@x#ig!xu zCepKx?uz~AN$DJ@?O0)~cT)u^WC?Ba*dA7|0eC-?O=a2Rep3N>HHsSO zL*Jmc0M+!n*~c=5Cg0}6s-}RJthdprV2Yuz@paRPGc5n3nD(6c_N=<+zUr|@aYE3= z=#_d4kNKhDrjAdXdK_|URn6@?_>X|*i!8}l4{?u`qyDp{0;C^A0vp_>P_B0~d0qT6 zf~8EpA38)1Po*D!$!;ayad<6I%lNDWjIy0Rq9LJtdwQ0p6b1I}dbGK{$_(FG^*i3S zw{p92oBGeBZXbr8c#S@KH(fEV?6b1F{|HnG3ZA9JEdq>M%VKqmMm~t9E*@t~6$v_C z{UtxgK0&R|AW$mcQxOyx!E_0Nl0O0jP+fpB$0Y7HvoA3|m-IY}_m!AT{TDtRGl=%} zG#XFJ^M?bmxkP9*W-4BE_2szprnW{6cLcBJQH)Ze6LU2AsNzj{5?O7CZ7#d6i~%46 zPI_hsBlQAig1L7~Npos9P1SD=&shmOUsu$jH0%YdekFXKGm9q#cINTGEm*1h%_u5T? 
z=+!wMY-Yl+Yc?8j56sNWeq5Pmh!%~Drt+$ih!wVn!9kZtgicN%T@z|qvN~GxhN(`MgjV9WVk@^b|rdraQHSiD5yyT|q7FAq3^HR6Blvm*mB0kKSAk>yG{wS=6o z3eNI8Aqcp*e_6Ge7qvXWRwk;~k7LAzp{edR$zzWSoE0tY5Q6?Sro~F28N7N_k{AJHA=+a21U@knj!9HG0EFtGrfaONH1ZPnmIevgrM5A$KPUbdWc1gn3#z*yJ=*N8fhmIUSu?9y&0JzTI% zj%zszE8vdw#NQPa89UE;H{vXHgzxS#GhOT(mZul=Wi7+Bc8gBU(F zMj!raHb>VkRgj09GV5HR#Xc8MpcJ*92QeZ^XJKUD!<$_moWJJjD&s}rlYX$k5l;TVb{v-E1T?A_M7J$`UF_a>9uz62K| zV=i78%a7xjsg8*BD!RFv*H=CNsvzayF+@&qgQEB_!?v^!E>J-yNUrKI$h)3c6`DT9 z=us(6G00zfUIhk6-B7?Yarsf@ zB`vi5HX0X_FzQ7IzS*%Jr4Ay3OC=!M4&pOD+WLG)5~VVYRWXTix(`&wQgPX))Ycf5 z8#EueQeGCco-a&+kaLo+gSSE20)3=lY4ej{qCqgTAtIgKZ9;QLtqN^XTd z`tijhwj%l8eI77{R`drf{IsozqLL&N)IS4WG)dNVZD-cSDN@%oY%XSH12*fx-QF$~ z^-cEh1amjEjt}mkuyWgHZPO4p0f(v3S8FD7A)r6KCe>Sd_Yqa^{%?5t4OmSZHr9S& zTw%NwPuY)`YsUco=F6HmzmD;C=<}CPjiZg%b;zqOKhvE}#UOr zGw~|=>(LMH8%wMjz@baiQEsll?e>`>->dZViai$KZYvYi^qFfr(QVCim9PNN;5pv0 z=X!qGU0Z)J%+o13a{!$%CB{l zjelv?T@_uCemX8zb^pa2Z0FJ=e!m5#TnU^vAb5VIvn()35<1J+FV?-3TxH_>Pgk2d zuI!K8x4aOfeSYAzx&jHfx^deds<}K~C#ne=f-Ie>m==4=-KLWi85(Bu80{@uH(YkW zkH;KzUeSC~)Z<>n*1oDs@LhLe*rryW%->!Wrvgp_XHN6Ko;YV3J6Pd4SskV7H>3hMv}h zdS!iS0u=cDX6zBrltEVE)^nKqY z>=HXR!S;=NbH}t!ipzLjH5?bWOxA-KW4i0o26L)0ev;aWQ(@u9Ah{YD^(YQC;`G&y z1ZmPBjMP3~qRH9qTHtHi3A}K$s*~4(>q_;;1YHp0vvlV7Nm`A}F83%>J23}-2Xf|O$HugDxJ7K#GbbN8+=PJ^QLvXz=61gv`##jS zggTqA+q>lN5ivB!^c661&RhR_9Mcmy3TsGucJ}wc#nGy8a|=_#9QN|hKaQ`$HKr>o zsl#N<2yPnz8cc<9%#Jfc?r19o+l2>uYel}0Fq3bkb|s<~$xnmWHrv2>>a`VxiWuJJ z3^8aoc&}J3;I+;)&O--2JI4h(0I59d_&Hp~8X?C_&sxhs<@x&p982?_%q9e`j!$R;0VgfjAVYyr6-w9n_; z|0W#1PfUF}zC_rY@!HkWaC~FIvdO>dzetw*qtoxUK+9BUmKXK!#ZR32-W-DD49G4U zSPXrpqCG72vpP@?flxQd2S+KrvUIEvHSt3x|MalU)9!{ViE;e<^Z9X>Db=M*+Z$&}wP70*}3@fm9UT8ZqM6Igf7^j+c z)_bx!Orxkqzrh`0)WP2m2qVMxJIo^U6$TAGoM6 z8gW}BS~7YTGn-272wfn_;`Mj@%1X7Ot44CYb1d{eaoTi(BV|h|l1xa`%lV|uv?%wu z#9+kqCO97k)^c4F%NVHDfWuh zE@;oDOohL2|6&)4^N2B6J_2kB`IZ^Zbvh!zA9(!}MkalPgM=i-LpC$-S2Cu7r;EH- zGTWFu2GPU5nh1kzEyW5h6)?!90_@oWs7@VhgQ{3)J;a2~od6$W!absiZ*QdCL~)vb1Tj$ 
zs3b`zkm;IooFFD}MzU>d7BiD6_nE;~Xu+KMzXSLYy2tSm^pJP(@V4zX+jGJ%zft!U z#18@_Qb?BgjgmudWI+KbCRcX8#}7J zw!ZGZVkX$QpE0A}9;W-+i@2OpjWg$`v*q?O_SZH!cB0?=c|zN}b$GtrvaptC?e=4i z=V^^PSJ&kD(lx_rNI7Md-NtPoV5G9OK1*M8B@5#ED?vj>+c+WhtuHA{$Gz=-WOoBQ zBkbpEt@c*$-8?bI=F{dwp`YhYQ=GZp-4-4+K@Y>_%Q8Xq=j&C7nT^9f81?4uIZ(?p zin(R;BqFPp|2bLSY*G)}{d2XlfV^yks(9(ovaxULstw|&XG0@mt&YxpVs|Y6=jP5$ zHTuhbCi5_43myH(_kO*21tYH8f~DQ!-6@AwZRMzpd}+EQ&VzB8!)s)iAe-lBp2qbV zY|B-}2mSN=OAfS}wj7UTT)!B-?~M@DI{Nx))s~A}Gr?z&_e1BhwNoeTRsHyFZM9U- zt;qg`54vPt$Du`BwMH|>IdA)GH)5Bg=X*)8{VhGPVapbyyM9uuHU6f3!b!UJHjPtV zr}y-pz^<;Y>0r{ucJ-oYBSt>A@jZt=*YzQEM6S}hYX$n8j{p6%QJ()|SzhNLhrh!a zxK*hgML*MuCbzZYDn_gGu5IV#QED9dnpfo}SPxw3h~sNto*N*?LiX{k-@oG8C4|@C z&j?x4IQIX%%1&F(jmn zeLs)S<@HLBYFL(+A#ML)ys~ZFznXzWvy#uUWU4i6?K(`9ypdAjFynQpF?pmo6k^)k z#;#Y-7-Ei#;z^Q8n|7!&8?TXvV{bvgY}r^!BpVJy=me08(G+>;Qi(>(j_IP92yZc{ zA}t|EwG~o@j_+FU%xrVk$svhCnpqJO#)VSTArT9iXPqVrOGe_SUpunsB1$%RVCeHmVdm1Tgf;lAb?uyEjP<*ld*;u>D zc%zSGa;Bp)NRH{yX^^A-dq1!T(6SJ2oncOtYrAeLq+2diC0||VmoGY0e|&d>J~_}) z5tT!z#cCPZ(p3JMuV|hOsb7Bf-5@d*kWdUQU zbW&gLDidj6y;ZvhF)AfFor=k`U0rzCAVm(s_u$DXg(h|Zg1nhY(Nea8tEE>g)b|i> zYXE1JRzbuv#UNC#7T}V1L_SutXhm8g1a<+k>Oj7eED1d{ELM}(uk9m7P3hc&TWC|W zh=ME|Fky*)iFTmo0ijs4jk>BuF~8WvbaumKFnn4UU4;D_xCD^TF>F{(rUbmPeJQ7> z8DXJ)5e%H^t)k$ZRUxFSEm{{L`*Z~*E~Pj4XG^wYdj@$}5LHXDmItA_uq~S+s7w zMpc;1X|GT(Q zMIx?TD9BRZh|<@mMaK9r6AhEpySniY`CMjR8l+SeA z{at`>k$ggyR08VAqvV1EiA7DK>@GW4HByEO+cA^Qp<0^X(uRyKmnfxP3C}WFT-l*E zNv=b4w5HivU?31^!4BK}Pl$GD2x=^!aa`yUd1xkmCcvhdb!g(}0C@vuL`*T^M6ysG z*~BZ-I-yOjL^bS9!oB>3% zz!3Xmp0rpRz3)lw(U!+h@cSy8`KO%LX&I?oHBI*u`D}JfobQMCN!cu3txnw<(Lu<9 zT$rk>D2CQAo=Z9F*3LNY9;cf}<|+Ntgt!DwE8NHa!0P2^z5C{KdeoW?H*1vhtLyDn zp?`S5Z-VAfwBy6qrFgC9fT4PhB)(BscfR|AT4%}9im&Z;nfi0bSL`M`zg;(Ydx)Ed z{aAZ{^>y%Ex7)SPH352?mET9betIX)=!L{3XI75OW1v%3YX~=P`!vC8w;7>bwuk=P zNaIq7x$Vm?>RAmUK+|A5uQvW|Cn%>@E4t%s7t3$;`7~vj!z6{;mebF*X{3C|5Sr&9 z-(_yXoM$UO*YE6Zo8WEKI96M!(zbcdzEbpZ^l8;Hqq?CHSpC&FP_?MfeH6eO_I!)!a#}Ow+X5 
z{Hy^Xc$9aZa$?gx`s6)Aa*}&n%!JPc&KJ{V-@f3ab?{5#`|diPUlUnEf5PfbzHdrD zE0g#3ToF%P)%A33Bxbzn_cQ?g(1E?jA9)993&4ym;QjYLz0WU_rFOZ4zvGQRKHVaC zZu`g#_wDg>^ot3&>*xJNET7YhEfE9Om!8DXSSJ7+ND^*D z5wTrS^H~z|f<(;iQo0}!*Ob49CxtyLEd{4y?rF(}cVn%ziHHSU#ft%-lmP;!gd4TP zrt^&}dB!8LNEx<=?aH%r(-D?KCqkofsm8Mbk!gY4rjfW&D7(x=02zh!zG4=18_Z|w zqhEtFCCU9oxKW9oaK0sTOrY|;Ug?E7(|29Vv*i;6)$#}^Mk#rD9du$G!^7~WM&nTp2YHy_+@Bl<+#wl5t(zaMeL;xD-E?W&@GkC+odKuKfq za7Tlba#v_>X^>pj>#!vvZNfssEXYT{1cMd|R}m+aeA#TcKf)FZpc0M=7Y&K3by; z)DWBD%5$G4N!H6p-N*?hSX6N^ILB_Ef1nEqrvbRbKh~8!Q~G)A1dQpIk_nEy+X~+2Pc1B%W^K z=(34^&#=swfZOp0A%m1ZLqt|MHRIB)q$kT7YqRnarF>cpJWfQNKU>7>q!e5&(!Q{# zb)rEGGR(c20BF^(gJ#MtEn6>M#eiA-N*W+h&c)PXMu1&qI_C(X5xa+(1HY_N@SUMGVK$LGVjHEdl#X5-J ztU6S?V)(m(*PUrrz@M&!3g%2i<5G%6kQT40P=ZZfv2c@?eSa+Lt@Et(lB`h8+ z1ECIjG-JwB>`G*$4C7oT`;mYx7b7dw$cVd`)B_$M#$*)ce!vu;J2lH$mvL&rwf);` z9~q=1xFa26wS+iJ=T}&MzZo|L@!!Lq;uv21%4On~HG^oWY=#3NQ8va3fT?WIeiU!f z02ti9;~y$c2?z8IF@#8hEE{3zX0l6Ax_^Pm)WVr(gJ=bK(FX~W#4fFuqS%d%5wfu ziB17R5L+M_RV5O-n6h9iP!MnmJhoT>3Nr!tAYr z0r#jJJDxDgCu28QjT5Kg)lx3cHP_-eJ&L@51sq1}qROflz>$NImJG@fMZ@iRREq{(J9$$Oy9bt4eJh>uvHx^oMss8w$ z)4s&GtzI_AwDf*`hCH=9E#fQ#0RVbkNgk)mgsFkwUs>iE7(lLUukjZ3BiD3kTElIY zW16pQw5w11&1ytVFJOpzn@9hcl=LR!+Gi{?o$k?wCPwV_t=#)igq*MIy$!z4S%Q@e zugSP)orjA>0xbaP6rXVjX&R!w){A^8K?}sqE3^+1Kd>XdML;mB^geo4gnPVLy9GMIuULfdZS!T44Bh zZe01N6G!Ise!1Avy;7Yzh_mqYTn|eG)M+f6jJct=M4*`*&09?Ug2Q;EQ7j}HjTvqc zsjHJCEbh|;GN(y6*<6+ZQv7Xsm6ElQPf?+R5D{HI2d@R|WvAN-~>Q>9}i@6+MGmTr-xaZ0doR`B{S_GFvB#xDXw>tiq7SzYJyBHs`_H8OMn@ zYL#;Wa8ibs{_qsc&T*6?gZfue*)B0FK+_^Z+y1s&@&ceky$*#_X4noBc$gBa)0Rv~ zrP%%ulY~MGb2q}g_f1Quu=&BD&}P^6B;bteG*r@9F(>WBG}n-&lyx?UZ>3uHS1O3l zE^!Hh-ps2D>>V|K9Ptv)(xL~Mxl9V_Y6mPz$^KaWK(=l(AA22Y@!%F45V)h92#Wgk> zHk)id(7#gDjMMKtS#e4meM`3Bq@@%$) zQ;8pn2d=V{4?2@P8VJ>(=E&vK#!j}WLA`lXaZ4I`lo^;zSX3LsCv_#B)_JSt#w$_4 zzy2$tcA*w1IZAi&+pshZGc6BR$AxD-TZ6z%F74ps82QjEhF(%>gddkE`nM`Yo>6OX z=}TYb*s&GJEWxThtu9cB`6Jo>jB3}(M(FIfKehXm1l4i^OGW{iP-XzCuoA)-;Jp_O 
ztE}|-TWd!z`0trFJ~sXKUT+9&S0a9)BlFmU)j4Y@Ss~;!+9bqyEwm|0QW_2%oVcc( zyph_Vu(M{C#f~89NFEPGD_FFBS{{@SAh{$FF~lnpuivgX?~s*xvZT_SdgKC}mE8^I zv6ThELI^)U7*d=q|6;K<;mWmMxZ>L$Ovpeq`m0ye9V(HoUa`D`50!Qh)4871iy0Y& zCN!}qj~x)w(cx$UR91XbseY8LjJMF{%FkbV6ChDJpr0*zcvFeBdWjmXjG2!tdJ~vD zR#5$%m%_{Y}wM(1>w2Phd2 zbOg43zk@vDZ8>}tr4ACm<9mrn@IM2#NHVdt6sc4ZT$YAC%vEYu4jqgo99eay|BSRT z;l4aN^G^0B$4ff<4B_6C6ZdJg_d7{8a9}ftVTESK&O398w^(87 zLK#*nov95c>;)N0Nxjz$8mL*yqzr(~TopP9Gz4K*xWJV@~$yTw*u_V(w0nXTfLj^cGhfMcey-GPi|TTjiR?Sck{0&Zkb&cZ;}(N zk@TLgY7bp;cXYjF?Tc3&%w1=Ho>hM14&}e@v$Q2}^e-vrpWNMR-=*1ml{(OTKQAur z+QT$HcTOj&{qDM!^|=?@*n5jvo>!B+vhaJXOs~he1|A#ZG~R+d7WNmYzOz~yy%>J?HFR6ft48gf4216y`=Y6 zlxtsF?+C1WbJ(UgTrNP=i#jQFK$)`CkH!Yqo?mK!%#A>T=rUp+C zcJytx?bKdtwyoWVs@XrUc2?Q>>>rY@yIlmfw{M5hfH$+{@Y{2}!03=#PQwg#f8^U;*%XFI@_4>;3Fz_;sGN#D7aT^XnGXh*Ntew!uMv=QKD(_!{@m)CvM z*W7Ps-kRrERR8oChx@#Ruo3D~r&rP5Aco7Ait>z4zGzaC!XExv+I@+IVJ!hX|G029!I zfhU=IkCwd6mYDmg{%Dx~Q)q#nrUC_BNFg`>%(PX(Ms=F9PKtk^{c`#eP^e7AW`Tf& zJ?ukuswRt3mS81_6Rk$73x!>$R~R&04fX-BU3jYX6$+LkeM`{lvkmq7z5&m+^J^r^ zJXmuz0`w-!=(3Ro&1w`VI5oe@?|yPrPly%;>=p|KTR1ThmN(S~&VT6KzFLW%F2yh% zt}3b02DS49H@W~^^u|Bf@e#QR;#%NRst60MFr3_&hFE#Q_MHn1RJM5vlddQ@NI@ty zB`C68S>iceM-3LG;rUz;ESR(TNOIXAv$qp@%#XLzE4f!?+$hwmct3+mN zGGx0;T8zSJaIqK&PLOQ~bvBzo+mEnn=#*4TkFn%hggJ{&!BDms)iAgNZ8R1*FBObx z*dvA{hQw;4hSG-30;o{l`J)pZ6)@+XRSIK96^eKOrnnjpFQHIr3Xurc)BvI0R6)$x zgm)3nAdjsQI>FpQTVdp;T9gfp>0foWz_yJtMsP(_%Q1-ZW5tbJlfRErq1NwG<{QCK z4iVxo?UXE}aFk0?SdB20>BQkW-SC(Y0saUIv5fV$m7J4o99TyHOw0I4l{f2 zq!MG(=|bt68Gq}>6KGA<$5T%Y7Lf8XD$v-1!Tgd#<>9eZQz)e}99%9-Y_%!6mxg1g zCM04~GE@_3XMLMg$goSRq&Pfcl)genB5e?8SUOq~mVU#OoCFVkRn?7%Uel62@I1`F68f{qjEHtn6)dw;{N%zS21HB;`D$|1Jrldp0;rW3b>wO+36)+m z#C1z1L@2g2%J5;R0Y}{e%VI}wnwS!&Q!zOOa&n^h;CoSCP8qqawVIPcM%98uVfszn z14=Ixyv9NVWUHxR^lA#ILck*poApR%h*IFJdp}!Q#aV}% z+b;y_MWw}*2BUE$F-TVCaM++WBNkzmCj0zk%U$dukm|r>sfkaNgtO6v*bCDg{M7o> zB>_X4u-^$HG~**9K}I1qC5h-oaTOAnH)X>toRq_3FbZYERuNG6!KByFS->axkK=7- zpzM4mxLEWP(XwqZ2GV7MQY^?yij6jg1OJ(T`Zk2oE`L|2s?^dl 
z!{S4T;i0mm0_tp14Y>qVS{924G(#ShzydllZRB7#sY??<2hdy;R?T^>Os#^zt{kfV zhI9$FdHb2N`JboMo7faXgK!Wo>pcVlRY&ZOKD2bo#zixBDgh8oHARmEk5M_kYd|>_+RVgsWNM#>sz0 z*-!>4;#6tgQJ^Cw>fXOs8x|rer5Lh`{b(i`H+bI~g!huGru(T@OTrS7<(`9|e`^Y45Zv8@@Y9@?0eywVc zjq2&^kFa<4Y%*t8tt$XL0KVq3isgAkIDmZcGw1v&IB%l2{nT*1bmsDz`=of2j{h+C zZZGQd>8?<&gD&mEV08|lZQC=N6k|oO!tpf0tDeVwrRxaKmF~sUc0zkzrcUpCWBZyy z=W|_W-17dg&>GHN`~lgC6-D=c7wfm;^=gHveGoYrb46ze&u3h{nCE+?cR0p+t#e*K zh_Pz(*lnlpl_b5a;arMZ<8F2CmVr}3@HtwHe{0J_(Ku-)U41{3+1qn(3miuK?g|Cr z@+?Pq()JiB#~@+%dIq@AB?7BI%vXnFGS+F{&v0!Zzj6;spYb2ZZ5!#^&H_JcHQhF; zU#MN*nH%@Bg_qmSIxi7*B3kIIH$EX6=aB=Z+zz=|_e+e?o3}dLw$*bz3m5n*qPLum zpzqJ#O;!3lAU+HRyT3ZV{XFn+4t~>Z89L9pdy}^_IIXy}yP&rh=xUYYWs{SI)|IJo zRe@IhK1!fn&bbPvUQSdacmvM+cr947pLxdm~i@iyC$#2?#JWS-k(q4Hr;Vul_&Wq&aeAYcuHS* zeR-{8zjH@ ziL-%h#lZXSmDXK;F%&yhU&s6H9Z781hy?#ba>^t2WBzYpRsJ}=%^UxCwKLQ!H%RJo z7JQYr5PX>yI1FuL!*o;)9X*U51~Xg4GND|Io=4KCE=*~e4XY?p8Q*npNmDNOj*Qrw zBh+M zK_zK$YN--8cuSK+NeC9x$imOUi-LK8$)#-9RyO>)nycP__ItbUn?4)4;7F>_r?WP< zCY4^c7lXVV3r$*?V7iBNsiY%_;}+oj<2Q9ZQCh61q~i?gCm;DMqt@y6`fF+@QN@G5`twrZvTRqaBO~lE9)LKY1;5TLin_3Hzub^eveRrMzt22 zmh5^>9HmyN7GA2szG=7CZ=@PbQ-SQ}`G7DB0jFeFoy6&(6QyY9KBiVBo=kmq2QhJE)c4gqb+PAA}0_d^Gd1 zh9sy#UGyS!GC#$jHbM>9fy7|*;q$q5Vah_q-e4BU3@i`o1v?6 zZmbKxBRRIv5}e8ZRf?^$&&pL}vhO0V|1vHc1TmeryIa(ezS5|uELA?ekg!r5_8v4& zpqgtO`+FRE8b49^TCrlFRGmr|WZ!8%kE-tSfZivj;XO`&Wc(2Eo zc0Sji!HZwO*Fc~@Kkrwgz$k$KWjgQ#XtHS7s)wcNK?&)M6o)H4{5St!p^`iv3R^*W z$OnfkEGMa6>InoMf>$cWXCULnT!RmK^DrNC6wos8({Nfv;97cSwaHgfSwm~0}Cy(oX11CHrm#~FJ(%Gu_T_aE0x5Q8ZEQeQ!G zi@+YlZ(2O3`F4~tKM$~95JFrr`9^GzVB@Y)t0j7Q&V;wIcHp$zr z+7CNxb)NQY*7B;q9r%l?cYdU(w<_Xq?*~4|QJeeSu5dxwbjSp3fO=dUY*0nzdGx(; zZ?hV&`KVv`t#U7ij*f}@{F>B03&F@;{lX06yXafo>V7PQ$G50^5}r0Qb2}BjUfzR- zWv65Ba;(I9=J%;&dVdX3A5!CYUJ}Fku+-b{V|}8rfyyD(eV*m&KZUmL+)ViRtj+EO zSkhN}8d=;9|MYNZx}DuS>VDUv$5jw%i=- zl~%KRsU0(2hLY0tt9d4GTU2k`eAylHb6+=OI!~e#L@ihO;q<&TRsLlz+)vlN9zX484^Xg|L6{^xSMxa1x@ zt4@?uJyfuapVa^kEhW$2bTeE_IYIAqvVp~&?e&Gl?OWCDr*qNP 
z9Ov!P_OB}rJ*WL#xH>3lw07?F>oC*c=pifD`}!nEee*opczkv;dm+-AL z;j55jaDM%Rsrn@wCFS-|mPPhr2>)bYjLH1Igaokc17SL8G8&yw6B`NaGelBwOr#?{ zLLE+2AiZn%#>FxqVT^R3jVUxKmLWXNuEh}YJ22!UT#oP_fZkMtmrIdWEyr9cY|%s) zEd1-jS{KV)D1+2|9F=O$l!~~7QtrKl$fcD%BLj^CE~|(|MGJU>Bd%YgJ|9d!XuZS? z4Oip0TU3}4%yI!A{A64IJ4mSh`%JSovzn`BC~ z@rZXmuUME$erFsXH%6dbml}?Ykm1vR94Xm);Fhe!F93{yAX+1|f(X&cH<)$etCKCq zg<0o=7)mfumwJ(~8z`Mm#Nr~VhLPhS7zSIP5|bogCXxA74KqzV6$uPG%1A2_vW z`B9c{27fxp&IM@Rv*F3t0HNFMQL?HhQV)6QI>A+ZiSRN z1PG{X3Q4Ax?duVUSK0=&`+`wZS>9N|B|?6dqm`k>Rt4 z1vV%VAK$&cqCibb{=~ma41Zu1rUxP1`hp--QWhm`p^i6f^=Fv&v(b+v$fb$)0~RZ0 zJkvo}n65L1p){*^6n`hCaFO51k_v_0dIO4+gfzz@W&2Ifcf;l83N`B0zp<)vAsM*# z77+L#oGqDjMzRZr?$RJm?kr=25RmXgEeQ)S^^xN;S+Etfoq-OEE$aaCL}w=5^ZrW| zKx+G@LooU>L-%svgV?a7POCycftKPS~f zSyg%FmmJTKX7&<{=bNk)UlS=7A$SA!Wh?1R-#AVy>NbMQp|q;tihYsH_Jyi(Q{FvW z6L3pozUu_eK(rkkeQMcvh%*+dd#sprnDWXh%iCs~##4t!jXjBIMQq#usCK|QF9>S> zVPV2`u0rM!1|ium`Rr#P)IMp;AJLQoSooTg94x5S(+7g7qs)a2lyO@x2rwy6JE4cyu>d6>jSAH>r+m>1NV}uyIAs_{2 zcz(Tm)zjbSc~wiNeIeiEL1c;?+fCWc0fT^;ukt9PWYk0g588KmKAyFB%wDz3Y@N^j z(95LsE6309o86=0%#$7=Cyj{Qt!7sl&Fiaf`t1wTPr!3a>1n=?q+@pd&r{*F+?GLK zX&Vo~27F>Sw=Ji`h{tH5{N~MZGjr1Y-kj;p#^s5H+8#!$+`3&Fs~`NA_p95ohu6e@ zoQ8AQKEc*mWb+co5adJi)#q@?IbPSpgnUokDXLek!RPl+&7+5+B{(Y zkBh}o^T_9|L{39q(_ZY>6sF6LB(|DrpT0A0y06oL?_TR;n)lSr-NHhE9Pd#H##7#>aT8tdvF*_c2BJH# ztlek-Flc3tH_X-S^KL=VlSmZ#{PYpz4M;!c#>I;_oX{0Q{2yScskCMe!y{$ z{))WT4zPY#JKI1$e5$YGvpb1#+X^`1?W_j1d0l96)4LtIdjI-rH{RAHLhMP&o2qp? 
z1fTszCC}(yih066DqaOf?Id|dJG~TBJ9e6GZ5_Opc3Eie5nQ}ZguK`g>bI@k7aMf)bNu8FFDn8gqRJ0cdOdpM-%~#WCi?|`K%<|My*y)ozwCeu z7{S1UUzSzmkD2s`${{?N)*xm3&yd8qWo|hPDZ)d^Y*(q6@FeZNwjz6q4S8&$e5Z*H zzhc!5!iy!gpCE##Q_lX#0>Bwn#<3n#83n8yQthe5m>3eQtCk`nSYX-UzzT+nlNG}{ zt2zE04H7E%Ly=_2vMeZ-?LzjQp+G2BP;WLZpSj)!^ZoGhB+WKSR0wG(M8`p8s2(0s z-ZHo|Zz>a+HeMu&DKZifZWw_iTwpNtxMNJgH{rIe-@bqg!e*8=6kgxMX>itX+7Rl(Ir8app<)bb3`UG z&HrL#&5a1O|7Te~DIiX&UfImCTDka_>QWKRAd4v(*(L2ZU5iN=SxS1ZVpxxhxUi~X zOcRZ$Dg2+?W+GbN1xHH7FlUg=xg4kd9OV=U2fTEGM|!}%)>sIfaJq$*3^(#m$y&~T zZq4aB!m<+JsAi3lZ4tREY{-*8jqEYxv3d4E(BN>yOH*#zCiP2}$wY+DX-^94p<5atm;H_*IUhGge zf#txk90H?JAg+;k117BU<1qaT;=}wtKfLq*q!;nnze%>?}+44=ZPQNaT zE(epOo?~$2?voJKJWQ-HM~cWHM^ZvK-pVaA_3DumAFlC^;qXWtBn}29rBpe6yPy%g zaVS8xf@*1BZOew@QjBuzPe>P0C~b|lMGESrLsj8ndXGTy$3NOi2!;b(LF@TL5R*H_ zsvW2rma3R^f6EoL*5oH#u?lBcz$xKajj~mNBp#Hs6x~u{N5a@V55q~FFFca~zaUx} zn|zGrr!_iwRH0rRW^|Y{E}*%o?jk<9R9)PlXUl(rXroV?Wo7({1M;N4*@QZL)IDQP zTCxe5dIEQ={I}=QzvVTlWqFO{3=}IFWy#Yd<2A_=fyGqEl%cl8Mix8+2|3C`F$auu z?^)nH64QR|IdHdUhd)uYq=yKYpsjg$KH34Q&%S(F`Q|e&vVx^zvL;x5M|cxhBbDH< zq2vW8PU6#%7=iJr)-0Ts?Ase4G!|;da;D3!b{1UhX+}|mi!fGdQ9wsxs6o*8NH<>} zkf=oOSty83{EzU@8%m+EQuT)anrn0FmAnoM%|HS>CaEF&)xKHebNfH*V2E)09J!cC za5WurChIsVLTB9t8_t}{n0RYI>t)S~X~$(78?39MtxoDjFo@EsN=9sFG-?bNYZy`$ z+s?a6g_;|}I61XxZc$Db+ih!$rd%vB9~DI;3oglGBF%L(z%9%LS8X*$>uibBvl}17WCCj%P z@Jsx5z9{@)Ur9rTxIsiPUo9Wzv0Prqcx(LIHybNleqNUYPTM&>z+DVH&rM}*o2DnT z{dYj?VdtQJPH*tthp@R`>uWanmFGptc%Ea{R{Qn7-}>t;#uN~c+j=#s`;ByJ_49lZ z!=YKTF&ugukvHlJGQ zfv>$CWIXGTbhkaQB3gf*Vcp?&d4178*bi6I98M{_z1?q^)^dIA9b(j8b}j?_w05iD zk8s@%hO_v0C%K6<*Y4$p6GrlQscG6z^53t0hOfNSH+9<`jc-Rj-4*^P&{ z_pz(jW)hyv-NPN7*X-wIqI4^de`)D`*Ve1&P3a0EFH~9B`-#zU+tF9gp+x0=P_#*uFItKy7^b#Yo5W8_5K_lpNGeNP%X!6 zm6scr(>B6V&k@GL>oL9pCu8rAhG}%1O=g?zoUg8T7ww4&(oa(VD8y9(sjaUWa_Qds z{c5kSwjm$wJ#IeV;mNg;+u_t~7x`0Op^eKW@z0l$VDD>9_K9K9*c<1Y~7Du zUAN0!ZX5drW4G;QDi0>t_a1@^_anY#y53vxwBD|ap8ZUxluq%?`|FEFoxNs zg5K2ud`X%<=KXhjzV}5v+VVPwUq{nw3ip@AdR*NI+?0xD8R`()K>c7SuBtLD#6;Pl 
znx%?Rn{#Y{CIoSYBVxlFa^Lq(fAd8?@|@aXAt8!0+P09()PZG=wm8X`NZVo!DlM8j zg^vVY7g|hnJrs^9K_FdVL6lZm7+XL)qH|NDRTSy=uV$Il514sNM8^hK071ye3Qc9z zzvmO7db?O-+1j76s~qB;I}-L@oU72mO=1)Qb{GbzvP)~l*$6J0Ov$@{iHt?He=b&W zL_CPP2RbyGFNEjDGx(73UZDpkECZxn6D!%p zzz&K`T33a;xt7ciRZ@PES6(@j-3Eh4YHdAn%VauGNl}lJ*DIfY_|>nCUCz91yvHhc?}Z{RkXx)=enfa3Oex>OrP8 zLF$NXxh;EIko5QZ16(`~%x)XHtIjtrMgz>SK`2wk$q1XMjtD~H)OtC5qKGa&;2I9! z*we7nutCl*uL0`!yFmpnWEz)TNCErqaVcTcE^qO)%=(# zPB7{b#6A)cigIkj%;<7WRnZDKL)=XwjgOehb^BsyrZW|z?5rdR4@zbl^rl{rYB52^ z<)Bi(gx6RTro~!fo-_GIRO%@DW3f6i8`f>=mx7&mN2&JO>!1=r<703NRW$4>Q%w$x zq`Y;osZK%4#c)s4l~!X9Ed%Y;&OkMs@z_Bzs_8aHR6Hk=aoTe;{C(;)Djmg^@YdU8DuUs4@<1ORsJ*d6tY>rLa2DehO~t2`Hx?jJlIS z7pnC}r1k&nvlKAUh%beU&>}YDp5!QLXHDIK7&!U|YTTkrO|}drSZE{>l)URyT&B`5 zof*OKCmR+s5rn5+E`f|2L|f>fxlfQL)-BwzK5p&RT@@gq07`nkXt^lc`M9Cbpe=1-|oLOne+Km);K&_%53-3(hG7oURL8r@#&4bU9>Anp3PIlt1iFQ^)Xd- zPsDDV^*@Mq&*U+4u_I5{z1@#Z$Jpk%x5vb@qNSI>`_G?mtJv3cOu85=Pp5D7* zEt~suoXpHuSH*iw1XBQ)QhuKMY5Fb?V6%!{qpv@GfT`3 z-);E^aM;T-BSSo!jLv%=KCM?2z2$A^QnU8sD;vXBrmABAn~3fG^_=eGJ2F+}a2Ha$ z(fr(?bJ^6}Hd@`6eUp}??saQw@-pTl!lLk8e#G8p@-Z`VF$m8cc9rL9R_nc$+Pc>7-@9`-f30a971Knz^l37>hj+f!`utt} z837QU zD92hm>F(4`+=4#kjtQPWKk_PqvwjqAx!c9M)p7T5b7~G4$l1@c8!(!%bIX&`@BCpU zY{$iJ!`@NtDKdc+OKbPC%)Yh#ABi{AYcTJQB(f8 zLpwqPeLMO%{+8V6Z^=ECsR;rBEQ7qEzwzgMD{i)JLUw}r9_>g?(_cAo`|h@cDyINk zds6nj*Pm&&sJMx4Vm*oBU>?h^pMIAq z$G?jCofuPXAPMra44}_GMIylyZPpkw7AVj~bnQR%&rFG8wXRjE5SeR0QDLQ9!JAJ1 zRheM2a&Jk*Cx4Cow;F^wZ75u`9ek;!BKM24my+ZSvS{|=zDLC>nI~Iv!Czu3fK2zy zKvigVZ z2RZ6*EK+;|_9$y>4KxjC21aOH|3CSG>p5`d-UkF!CC(2zr0s=ml< z3h)giBX~tTG;U4^nmdu4*;!l9Ul?asgjXx!=W;DgjA!DDyXk_DiAjx_%wcB8|I0%@MaKBvF`bd{*5~MI^fZJ~K;QXT%G@r9vVR{BnHM5GC7nP&`vu=)w$*cDt z?Ouh%lQeyb0whcgW~mOFc=xbCv*ae{#e7dDl*QU`&An=+5G{I;mX#OFHkQBz+EJ+A zIPgP5R`-@xM69c_wfV<9Ke(?kiJADBDmBCo?3Sg|!rC~Msm=N_A9&7kpPZ6XFE2va zDPuueeqSQhr<+)UI9uiu<)kU|4kSNKgD7Z`89ERhI5{O#salqND>TQmt2=0tN3 zlWa%orGdvRsNbJg45X&@r@OS=l%;5j5sqkcwC;5mh=9`-a>vD}gs~h`C|fH^K@YT1 
zJbje@b09gTO@`#*fzLREBbFyhzC^fL3_bvp$_$==i1r%cOWy2p?y2AwCe_x3ap zmzt0oQ5oQKo!e1rL~FbIlaH^CvWQV`PblBEOiA?|!knS;t1=^_N=VE}9rb3P7lG4w zDgqIYF*tGSS2lj#FZvbgy0({IjPqaBBe#SiTW?462M-Fd^B6A79{yKSVo( zzY(#t&5){6`QIS*HSN2`5hKlpFiH)$>qtD()?lY4jjed0M&ClQ;X_3!mJIqsz-i-a zB-VtN5aeUgiG2;053R`!MEh$lFZC*0pG)(^Hso8fI)nKJ6to!y`vG(9d;Q{=Zi!LT zE5JU)uvg6|Y`glAo3Ak7HQl3>pEMu}kn{X=gu*U#82Jq}B4rrx#T4)F^zn;nbM28J zSPcXx&Vu@i4q5|x83@ReKtm{CbL{&;^B;T6h0sy9YF!ul$Sc%B<4+L1*SL67wXFKS z+R7Ms*fL+%H>xP~bc3chLhz@#ua|qao=yT?_EUmUH1%Vrd5`>?`=^%2t2!OeHkX-l z-FGdncf20}J};n^+61n&?uGFgyXLpX{({?l`X`aQ^**eh zOUQZbR?fDSKK_ub0J=%gtLy+jv0ryL{?l1`@h}4~OmCmWEvfh1zXme#wm-ZHc6m

D$Y{ zqaC@`g}0o!(<>J(cS`?K_t{mh-QbM_8+(FKKt!`!y(3-mz|_utv_6I&d zrqV9;`)#=h52XTAk0n|m4#BO(OFPcPVC@C-vu#M=(gBK3TlpsX%t>n(&Z6rnsF=DB|&?_ zG>~*OJwzfw16qq<$;jl3NTxilk&{NcMNfl6n^#z(tQB%PrdRNcmxQgbmLdzHH9~6a zIAE$yG%=G-ABb!<_6ZQ1X9ZN!I1!yBV9<>1m0BaQLn5uY;;gH z;VPd^4g^2y>l3Rb(nvf5*OK2*U=*BKb zisf34N_Ph1X4rMI1210zVk^gX$ojA!l3-Pjyc*HSWjbzv=fZ9y#?5|L&rmLDwoB;% z32I8*jC-Ie#6D9@m8yaZ)J!lXsC#!a;);nuPa(iQo^OKF6|AZC0EfJO z3_{I%P##$zoq!-yax-qKA2?*ghen1J0AthQrw$6M<|j%tB2$HwkAPXWUWn=w2)1;q zX{rOJ7*b;3wOB5sYYjM?YoTVcRAMaF0$4)INovyQViTm)o1mhfa&4r^aYkd@u1$)z z(%{BcfgEL9JmM1rPb2wo)C;hBgkY^01|lrqsuXyyP{G=;Ba6HgHA*G9SRL6~yILQ> z5al#54T10>Wa|S5N_pvkfZ}4@X>=;t3gCtLc35aoSu^j71F_vLkpVRhd;v{Ykr?(= zoUM?K*c$p(Fsueuo++ZnkhjnnXI0yn0Nt=5wlJ|wbfr)Ek0hnOsQ(X*e#(C&jvjt# z{=>yzT-NP#+xL_MMJz`?mPqAoD;y-6p2s9BnI1uP@)e@zYEZK%vrIg4(jJf@rjxL5 zKrI|~`8ou$jb2J+m@+rO85gc{Wwp^RxV>nUBebaQcBgLK_1vLW!h00c$OV7^nn*j@ zloDK!p}|y%=dCt`dAH%t@A0(c6ks3`^xarOaTS8O$?-d1f%r4Ca}^JpVflC9wb3 z_~%RTAM`Wz-=LZLKi`N!doTVtwD)2+f69Nh)^@%6kC%Uj|D5=Z;uC~`k|Ye{$>}dS z8{P=o;1hhZ=I8St>_6cj1j8ZXGx%rMZ+!R^f=~!Spv3I|5%e59Ysc5C=dN=n@zX!d zzI7w#7jM4zn~R>Cz19h@oz=iUS^+!rr62un%NtHy_WU{V4Tn9t%vQwncISZQ&)@99 z1a#wmcmI6J#!tQPpE~cay=zxGXmxJQ!|9ceQiXFbUGu|RmRbDOxmP~?D3hPF{vwC} z{*5OxYjyj3&U*CdOPh;7_~OQw?BHBSytC>`r@j5y;=3<7x#LXun6<&5oifKd{DW5) z`@ubDUit+gSVn={wR|Nh)f?m6VJ-+u7J*WH)5zqG&EZTDVnpRwBI z+h4Joy}p0&rN@47@`20^mvL7 zP}}ISYp;IfjspsRePyR5-#C8L)o;D!p-(_h3S$2Y=s`aLJ#(Nf_TFS*hl4Gl_Q7zDTZe-j?&2#rr4kbn!uN zm+xF5O^numdd`hU+)`S>zaq6M*nIb#EnC>(_hZY<-SXWXx7c~72ci9U$z0dn@8PxP zudv}Og?A2Eof?oIzj^-cKiI&nyuG~nx73Nwt^4l9y}``}H@?m!>y4Wbu3cx|Byebn?v`9(}>158cuH`MzsB zbvi7p_usDnzx)6HxA^CO=07O$8U6#$=s&*^`=5f`$%5o$@Sl^D1HC%2^20AkPIkC& zWsobkXiU~JaGsN<0iH6M26k16@jeag)Gy#a&~yZt$!RHc8n{MsOiyG^kL0$$;5O_Z zx24AUv>!QTXw1fR_LEUr8r?2wfK-&C)F(hF!_hs?GRD0HWTo0^yHYU|rRcxkCvbFI zs-lupMAFdodYtBHb-@b(4DCxSgtzN_IjoqDqZ)WiQlTjK3BD0Iwy0G3H1ziuRT-^p z$Z)OGhHQ2EL`^{fsbxif@B5?a3x*8K6K^~niv7tjB`FQHhYP-QTs2Bw#hAX(G{9BV z|9lKG87A`?y;ti0Ca9A1g8Nw~_xEI#$Bo>aGH63VMb9>whS6hcfEG@}HLW3|*>RS` 
zWJ9e|x*g=JC`An;#wb!aRCPs%bAnB!5GyKBH4`s}wZ4^O+gx0(C}OUl1C>#kgXw{RK+ZU+(@{!iCotccBnBqT zmMH}(rPFw9Vp=uXWJ+w)7}=uHkcCl}k*&Uz0f-8tJ3%gK6?Kth`n7_GhdAmA92#qQ zqlQ#6rX6%e*{Rn(!Q_fo%5n#WgceMtQI|?Gkd3FIZc_;Gf!!&A6;SH9Mv}~%d|GFX zL095nEJ1Q=MZ`N^##PEhR)&*BDJ{X3S|>=10CB{!8L(6K1v#lF#$_t&G~2_DiGv(O zRb(F>gB+Z;8zPz?riC0kD?dnioG9_dnJdu)rHIx@-Ua%HYuVYH+>sf3VQgN9r+M(ANQYNJ3hFC&RW z4{A0VMpMn3`EJcZFtFAtX5sFz(8ak*14~4T;-%Vl3o|%0k2z6!(qM$3gAQ5%Q%_2+ z?J_l)p-R=RJQ>%@NG9FXF|IC9s4_Apxm2f#1p`A?qiWu)8Fi4svwFKtlBFmGu+fBb z+C&K?^LD0U>RiQvG`*E57(zl>P(iMdz-3>Ft8$NntE~)-<{MPTp@v=^tH>k`6x%37 zslAr=shfqv$oL{Ro3j3%OB5UhlsLqh&W{DHdmM;f(7Go4AD<+F-1*j%$6m_cQv_H($y48}N8^*NV zqPs+{M}(kns;-3NRcoXL31re5iJoWWy&&7mCYl=3wg6D_JJU#(k)u(BXm)}#L#hHN z6V2&trRfpKX6M7^9f!L_iKmmduXK?}Vck5%(3)@7BYGY%@ z@6bxRMdQ=8+#NVdqlL(^;BY)fhhk7Cn5=oFA zO~!uY(%FJ%j1oL(XEn_Wd9H{mY&}XVTraY76H{{Yjs^t2<4^xim6C~iNpIC{pKs!b zHHKcf)n#W`&x2XodyNu%Q1fwjg`{ zE!6+uvsd2u{aJSd@(aflmfqv^4WI4&OZ7k7p4#m`_3`4J6+U`gJN74udyiY@ zkjnczo^#00uG-)iM{RuKx_WCP=#=Y$u6e<3^hs~Mc-kW`+!3rPN$I!uJOBC99$b6( z-S1^CIRB#awHG(rbfaHxy3#cpZhiPG8y+?1;1BOVZRf`pS?1|E{JewmcRlc<<+|pO3A+?luY7hN>ibgw%v{Nt|hAs4N5*F#Tj z{eJ&~mrt;7__g=Y(TD55JrC{O_2kvBJh0@Fhv%+-K-}+map${|PyKZNW3N=nhxGgQ zx$&kWZ(jOT?uws(u+rkKU5@-%>z(lY*7x6?*uKpV;#S8Q= zG$gfZ=$F+0K!EhQ_20gW`X5+o>6ol}(_^78oc>4V=!Mb$WIM4c_r^F;PGG~jFdYG$ z=)$$2H8R~a7^m5h4%ZtH*BZeis#xm7RXCRN12gQpZ8J&L6+_I%VO$+bW4k%-wo+Lj z-|vL6l&~hrgw{eR+Qdb=BMrMgX4$^q>m*<>B71l)$+rrQ+%QeN9O((KBBi?Bj#X^~ zDW{1e6(%W^2W7O>jw`X{B3`pZq2y$MOk+1gMCA_F4?Nm0!*H|Que1u4#xy)^1rXJj zfx3gIsw1OXXEe#~dRaX5tU%?3USDoyGKnU_Vi}I9)1^eq5L>!dB}zIqkg94uO@f+X z0Av7DDVt6;BD}^~873=*0^C3+lW>p_gR)g?75xg2)=9C3Aw!Yi+Y`DVq5Yv&D`!P0 z4UFpG*VO-{k<>`4)8)dLXw^m_TJP7A;Aq%^g^r$=6RvDALaQ;sBFAc}BhK!&bA?RZ zN1%L5)NBukvQ>_eliXPBNq%=6KzapC;x6kH(>$1G(Ug_#8Kp@-h6D*~a=HHWluhhb zqE~Ur;dlT8pxB3tR!}G=`{RC`iAbcBO{0ZjLsv%yc4YXYY^xSp8q!3yJUVjiL0Wc; zXnDZ0ZMc+g138hUDykEEjjoq68(cVndTP0g$UFt|{&?gh(mmQ0Dx)}0WiucLxt7yx z=^++&lR~D$0io3rK(Rp^wmi0a<7U&K$Cx+tRkjhpm}izlIP@~DPFt|Nwv%NG13YC# 
zHJNG0UB5XUL69mp5W3k(CmY>Hzm(00sF9=SuciN4kUJc)|KwszjuZ%A;9~!Gp!)A$P@MbQbrkI3Zq9h^_7MzA(Ea^Fp z!%8_!77}sGiurg5R&>W6%lT2FsErHt8U)0RQaaC+JMGZyKsKZ#^vtLPCg94DDb}%i zw_udYbQKAb3PPr{<3d%JvIaQTA%kWLiH7-q*t-w#*QvU3;4H5Y_7>zi5xCS#vj@mX zlQwBqo3v?@fXJDXIfYZj$2a67H$PNTRc8 zwhC9uDR1OyW2uS?<|Lhs5XGn!fDsJ`5Zd>k5G;0RG6yoSHjCD7(-SZ}HwZgQ*0c=+ zE)Y@B?6xLBJ&l%(QD-uq<_i?h0ns$YHyKRq zRof;NHpe2k9S02775O+TOtG>+$8@hgq9~(?Pgwxf zr>e{@6-^p?nB1V^Dy zrT@Tl^M9X2`Jn$CxaM=~{pbCMgt1wRKxb{^Blr*WSN`+C1wfy?|BxsMW9aPZpY@*~ zo^jxJoQHn);2$IP`Tg!}tfYSR<<(C-_-V>;bXR-p7Z}+6 zzI^s~*E=tJ^M0y!B9|4;yl~zgCm!{)?||A~+z<9#VTV2LII4p__0@x}y6Dyg4_&a= z=2yY<&lnZ&_|e+V(S^nro7?<2_mhM7hfkXCZ~1gdTzmbOj;p+M%@-cI^QBd9`ofxf zw7{#|FI@q?`Mcje2duN}*{5yuBkFtK_?@xgM#$Tp`pu6Xaoon6Eqy`$%r&pL{&jb> zRQcXj2F`bnIP2Lf?|fnYQ{ukA-G0qS3+J^DI{v}qpV<9Rd#Dem-KRX~o4cj9TIZdE zUwwJWr*G}teodnzJoFUu#y0n1*FDZ3xZPUJ^;`c-{b#8c@H37^k6PWl_U66zeK~vd zw(D)S)rpOBFQK-(`{`f*_>p<7yY@Tw@aNb4&Pnr*TI0kYZxF1r%d)qx_4Y&OEVt}E z(d4?XF16vxXFb2}yW75S#g2zxa`)}ol-{{$$zLD2Fl28#^7;KA@)vIKz2zU-dRg$aXp74qc=bysfCnF=9eLT+ zE6v+VUiXp9ANlEPy_@12PC9$nU4Rw1LKpekOoxkCE_ndny@uAoMd-4B2>_5cc*#BoP{(mCnpYfkghYW%bTmSQ^ z^&fOL22EtwoIUc3;Xi*f|6A>|=ReL=Da%utRc9YXU0nb9=!4qXn6{h~+qFPQ^;lxq zm$YmdkjIe5ScyiMl!JGqbeG4xl*(~V?2n~Xx;Yp?4HfT@UYw<9DV5jqRS$#3kW(50 zRZu{Ht0wuR*zYhD0oS7x9A$H0rbG^FG%SZ+7PY!iO{CIjFsh1U0gMMo%b;szW-RyV zf?RI^2tFE{?kH;@1H0}QrUKWm%4xUI>Unuv33-he>G^WU1B(n@sP$6=UCc~`d@w4? 
zwl#qnV5(~UUKS~+QUpdtbs~1;45o{GuP)o2V!DR*kTf=E2Bi|L`dW(>d_7BA{?s>k zQ0==W!1n?nqffG(ZgxzJ@VbG>g2($4$r@IhU577sCW4E4H8M{V(6pLq#EMBoMIEvV zzS(a#fPPEEKA!(%ld^01O_9%+l6;M*)h*dJOZuekWN~)P)pB(>KY_}TF;F9+ALP#_J9GzzGaUM3hK8&tS*pXz{Pkt5ZRnK><6MJBUmB@P-yto)Toh#GB}rr z<$A5dmi=~))Ocfuj-M4f=@;#?ICr?N|khHlo~q)IAjmLRQMh5{Pxft_Wt`JOX?y8(-J8MB1z&d2c|aZ!k!aDNeETYMl&bNSys!~U~a z-OYdd&*J2N6F7vz`D(UJ7XZ#l8QFBI?;{2{3Yu8MHo`Ji5adRW&WA)Yq$eUI*({MJ ztuWSlY94jEQ7X?=w1LwvGXQ}$0v#7(9xiw}NvUIPz0=VfFe4Q5O@tJg63*GZls7?w zZVzE}l#i3fXgu<|ZlGpMBcPChYfiH)%>r|}ZM$kWZt25mx}Krqc2w$h8X~eNk65~z zl$1owfZd=m=(uQV0wr8L6-B^`qZZsSc+Te1-GIx;Q>w1^ke)0$*+STa@*D;u6;-oR zU`r2EL7joxL%$%)Hq3TGhy&6iwSl+#LldlEgqgseYZ#@mll9ZxzQXlmxudlxdI*CJ zNFTGD07WCmw8=7NkDa8_jQ~tynF3TFI>rC;pFp1VQXjJaPvw38DZ3f@Bm2*y#X=vp zRtWfqi-rEqen7Tfo&wISN?h#%DhuI%??kE z+LJNk+oYb8N9mwm2?=0iS^cbU+IF|Wr>2z*WYUtr5h<~&)~!sRlFTS)6h&@O0J$38 zXG~E+RFIa!PQ7mR`T=07m42UOITp)|iX+5qIk^I?m9>iBXel*RLepfBN@MA~Z^1fO zg%NuqNmE-8X5)S>1HnM2XbjzYuI5$I9*Ce;+-i}+s1??{SQ8rq9qxr#zwNNZxhapQcAEuqV?msC9AmBls!@5QROS-J&0*0T7R_PN92U)C(f_W3;3)j5 z^q;x?A3l-tLI1gWn>DWe6!;GbV>ph1B>oZn2mUMnAwC8ELqP;dQYZ{j|D^w%viF8J z9K6h+1#S|4W$?x=(-Z8|wxQ2j@e42ReCVGZ{(bWN^E>Uo!`m+rgH7&#F0=A?{`kdR zS3LURN7hqrTdT6*t>5gu%+G(aOp-fuvvs#_Fa3=6_I@{FCm!|!_w-fg-}0@Ozp?xm z-tykb3a20Y)0xKlJ$} zmfha8hR-~8)rJFb-$l{{|NN@m3ueueaR6!eyw;Xef)Um zZ+6OST>6dg?6~W58(x0nwe?$p;pV5W^1>6;*=y}aPaeJTlxtT9cJ4oR=q6u$=)1_5 zYoik`{>E0<-c#OX-}%2;>uXQ7ZccNV^=^IW;rrSLqQCytW0$ipeLXz&7dwAxm;L;o zp+|qsdvU{K4q1AK<(5S5zZ9x`==J|z{QnR85BkCVe{f5w%`~RSd zo1e~xmJ^xH#vk2(-2W~9gUYTBE3O_FSaWgxC%+i}!)kWQ8WMx%P&MFULG0xKG&Inp zpGXc~g{M_c%MHCsTUG=G*T;evM|#Ka@JUXH1aPci6JiKEP~I!BAT>L%CpdsV$Z_M& z(3iy?LBSI<=E@lF zNH+v1k7~KppxY;DRZGi|h6NN|5~^WbMKH9bX?Y@TDyUVR>O-SbNSAY*o(8(TP}guB z2V0$rNwMm_wmrq^IGLDy->7F)hHOxvBP4}sgn|W%DC(JH#Q3`25ENiE2)vKy zKVnfbTbv68ZlJlkzp6l+Bh`H5-mDt6Jv4As>A6p?MZfo^*OuY^%Pp* z0nWiiBJLHcmM<4Aa+(nxJw46ks#Xe*i=!m1N+=#vNUo*Zf-EDW9@3GU%Gj3c?Urnd z0DR#6&8q9JrI6Kpc~ItpLM}Bal4`X>;BHdo&`F2uj=8|?8o}&@(Qa31F|2}T 
z0kYY&t^A;g4eS9{kTMxOn=aKGnOQ?96v~l+Fjg~PXB0;XXD6ml3Y}q(w3vt-Ohv8K ziGXNO)0)G^kQ<^^S;z7Qq@|FI{Bisz_vih8QhyO*eI{(Qley`^|L;E^o&)aF>pzRr z-Tb%zxQny@kI(i!5Ui=0DnR;ieVQ<{FD2b0%AxDAMOln$S=?3Hl%&W>Rc;VTq*FuP z%1KzZ;P)_TT#CekN%v~h2v93&Bp-B;iD%{1?1+QST2&#Z4XW6*un0=D6kHjA#Zg=^ zxQdO{l`iX&A{!u-3D@f|4?ux6osMI6G7vN;XK4}A@w$XrNSYa{g~uaX>9*p;%(W!V z45E%W>J4ViykBf9rsZVN5>P6rND< z<~p@Zsu$?f6f>2y0PosDjRX{i^*dgJ8wKF|{$t8H^TYgyecykIERBC;|KXAkuK#&| zKOo?*Hw5}y&Z8m)qbNh#z{(S7bm?*kP|2AQiGS&&`{z+92Z6tAd(Ak0X15+Fdj*9D&0q*R?St@ za+!fB5f@XPPB5Hxl#@asp+KB5x_nDXK_gMXQJVA(pcj?Z#;Divd(&Be4R=4zu#EHiuYerUzey&3cEJVz*9G(a zTGXlg`0RoQguaoGq=X6te=a*ofcuTHgM>l@LDFDu(ECB$&KVuuG;6kOY`&jMi6@)y zbjh=>C4_fBO>g9=;JLrB^jsr`^w!Mm|>md%FliPoo{TTSMr=GV- zVP(k5bpX)JHzuhf^y)9YxNezMfT17C=U2qq7Vvt*Ak@3MXr12h{JUoE^RYKjXBZ%5 zf5uQ%V$UfM3LKeVM$F&seQuVG|K||~Tmc`+L@1wpTxxu@)?X6!viQMlG z;DY1>0?tG8Q<+ad7t9Fzl^VUw)Lj#HP|XDhBkKd zo!8EFsZ0JC(0#?|YYcO~cIsd^c;`NWR8!MPr6+buz@*{2SsBMpI zl&{C(dZA|7GT-MeW#+y1{^Eg&|6z1vi8J!W|Ao&EFx!1srSHjmsOZwcF8DMdgSX?; zr}MJ;P$HTCwh}c9d`+NxnZT*bZM_jmQ#cYGeB!yrvp-(mr%w z4RO}}drFYG%K<11r|Y{K0+vn`x6YFQs|IhEqKfi0o);tleqm5lC&2Ti_EyYkJ>Q_Y zn5vb_Ji>9x@F3ccBb8A1xoXnd^XeDc^8+3czwO0{_eHlubsLq}A!j`Iy=WcyWglF| z1m4gC%_^3Du!10^Wq6-5b-^JFGGnZGu8iJ&pAT+Q?~!2aY#!K+Br`QxJJoVW+`}0t zX^`_I7`snh-8Ai6!+sU1AcP$_jWZaeU+Y4hMzg0xLA1IsoOe+nD(xsmn`5n2#A19H z;lWemWDVgOk(P&gUK~~WXp#TLX1{Iy#sy)y>Dw3?H^|DpD>co_S9S z`Lwc8!!~h!me=wOx+F@JK@#_#WYtu+zby*`5VcLd@rgI7H&Hm`hq$2xkec8RJ`l^}DF<0RLJ=jIpwdZO6|`Ubvq~ zqhh*~r|jv;PV|@AN-eXRS~7iYs0tWCIaMv6N2;kXrSe#KNuxr9;(qktH{G|Lq=j;s znWF%ooq&YTilW!>eAodc)2D%@o|J;6gINL#s8Zgua+Oi*|7G2$CVnX)sS^nPaEqE! 
zJ9W+_nzgYE^)1nR)SFQE)=7hn6j)R^q5A`o^39#u#LmiG-JEb&kxsF|#anJ% z+Vn9$y_r}Ef=1=lcQ$mc)ux5q#8C`)HZmyYIVO${bL#B6d4A|d+V^i$9K|w_v~wz@ z3~|&v>1`9#E7rDL<>4(5Ss6cqD@eoN5u#PdiTk%RR;T{%TpU3X(WIJEEgs1fr@i7D zR$8I?!o{b0%UGM!)=!3scNuBCv!M&~^LVhbF*~G>zC|U37~k*Yf~QMD#6iiFV1E#2 zTD;Dc(yB|s{Mn;@+fs9BYQ-u>lD}|cl*Y={pD@xXvSd>D?>d;L$`a97F3EP&4K8en z(lP$)-xFfjxa_|;~Q1jFJ{O#M*CyU{T9zeG_K_sX+PBCeRE=Cmm8s$(K^_0t( zO?fF?tARt!Pb9&Ym0x^N%8Sr29F;FIkR`Zh`)k$;rXc*?Phx>q)rk2F5IV^oYLHb& zraqe@)9zNW#o;Ys(j*sA(yXH*bEad5>M&Qr>aH%+nYe)izXh_I`eNT?FegHNBd^~; zg9MN9TSEp1^~^o8RM8@{;AG=N;6l zt@WGF+6lNwS~T=KS(z^0UdX@5`%F_BzYyHGU0(HIxIIZgCTuzDyuaJnt|e@=wjM;g z#%8S7Onu+-#_Dlj=oaifN`*3enM8JYB5q!Qj?im(GJiaiO+@}Uht2jW@w5TO8}d|i zAx@@a_V|LPQ!Gd|EYnf>cuf(9T02z z;%j?$)qB@yUd{xP1(tO`pgQV*<4X`oHN0QuKfdW)r5UnXBO_YBk5BVnGk?i_$UX6Y zmN)OrHt6}aWpuMc^suqKZrH79xc|@|6aT(B`O@t(Ss20h*6EXp(d!8$3|19*h(MhB_4|>{HF#raB zG`3A1-DVV?FIC$bt1}L_PB$@3y*c(*pyV>9?aQ|(iRM*KeJZd6^m-9Hml5}SL9^oA z2p&E-WciW;$@l6ao@Qg~b_sM--7!?N0khY!QzYRDKFl3$F45?+4w0qnPbTsP_F{nr z!`^m|_rX*uARI6WzATad@iVwTr8tJVme1#OSMr(Y$nhHdp#4ZB=aE}+e^SX4b0K)X z{~E7i8+)YihfTt}>Rdq#y8LC|VDL;N*=eq-EyBeBZJ--Ik2zTlWEZlgg z&FSiSMb5$%jeO^qbX~us)}Y`-ysS50#qvKa=NL+Un`z2uHrBOFF!_On;E6DmD)0MD-`?AD&TPgl-Y8BP_3cqj=RQ ztB}E9u;1HLvro&O*03jKZ`^|0O~X!8aDyCO5J_>J#wCpx`B{SOLY7?Z9c;L-KBsAy zT`LqMgdoO{R93yoApWmSHoa1)(So*86z#7XE2_;rjfup+A-($%_qfdo+C3T7ZK8=jhp{gAL6Uc z!_kl$qL%8{=|pe+S%Gs2`6I{q=<$70_Oh>;d|naKq<-o*;;6e1MH{t3Zj11^3`1pR zh%@1zPxP4^P&jJ}yJ2NmHASs1OGGgZkh7m&$>8>tjn!WjM~b0%p^;3Gt|V9ku6~?R zcpy2{!D8=MC7yiSS%|1la78Z9fOf1FO`yMm$v+j?AxwnQGDO_kpBh?AzH(&`9;j|2 zRmrWcq9eEKQIiP8^@a{q{;{)ce%tbAM!2oCA=tHF?Uv75D1X|s;LxDrO;d-`K7Mgi z2`Sb#qdaYs%McH`85T#7w?yg5a4c;evi#eGXEGxOIai<@nIlIV2HJS&1%`n?Z0~!$ z8u4HXFc24=Vl~ioax$cw^{$oqEPmKe9aM3b;4^nqx8zg^j-@#z_C2i#g(MqmJhr39 zk}uLIQ6J?hlxCkojgQ^iuSTusdT=Uf2kn_HU$!&!T8OA@I8+hH^;7xbaEP~*C}~yV zU^^qhmhu?j%jq;|OnKgC9{0h*nRh9KazP!3Da)%s$~8ll5k!+yAmhuy`88J^SE_T% zFH3(bm-tzz_{5vfAw zR8YPKF~gb?^#}azy(cdWQ$Uxv>b 
z^om+{tM}Z8b{S1O*0{8&hl$&x#YiHvP=r}fz8%5dsg|lx-Q3Jv#RXLyOo8WwGT4c*UtSpulyu^uGI7H z9RhZ<@=N0UE=ty74{%QMeP;+C2w@mm`@B*KT=P2*PH*&G&T)IWs=RIq(nA-Gqt^Bd za$or0w__BYTD!jV07oBJEcxE%T+>l3xBn1m`<_hCl%5Zi2zUb7IT?0ubguqZE#o!J znh5$D)i5N&bNGJUPGBh5QPj{eWw@P#d5_3#2139%fjmbA0n_Ub-VeC7r+R5SABixY zdd^QrjC$9G=YmywE(0U*tDyC&lj^%;9zexx9%z7@)7Ns1oro{*9ioI32LEY@lTg9X zlfoI~da|&^;AqC#>+Cmc(t=Hq&M(POi$c#`ZAl&+u zELjd*d>D%%8rKJfG|vL}-bQn(>v|a-C5It_Qwa)?Fa>W|3AXnSXQxR~zbpdG?reg~fZ7j4VI@D?>1Qjm^VKyC^}zF3 zqXCyZS!ug*I|pS-<}zunU$AbiOXe>Xj^x%=r8xv~OGo`U^skKB$!IjAZ5a7$*vkeT z1h0x3qdB?AbtAG!*uRzV8ABK#R~R3pBt~-mJE*CwN*ze36aINQ0@-aNvS#2+Y+8b3 z1N)ckQ5=r`+p`ffB86h4_oqQrUYnV5fFI#v$0oHH!h%y()MD;wtV(ZYmP(IhZf(}+ z#Hs{<%9f&%?qPs7sI_0o{6gHOCm@O3XHcJ*;K6|SK9(Vu<7}_g>LsZ@N~|}&xTn1F@!oP1q`9mEwA{pDbDq(MRX<5JMer z9)k>;lDP_bj^@yIeku1;GG-=V$l9I|h!ZBFGQtVe z;IR+f(oWa~?)1@(p{(8t^<%54{EmVck`tF&9OS_kb*mX+5tgWu^2+o;Ym(VeuGgav zD)Mi4lyce`>o5NePj2>L=V;bYp%VM$FBfjaR^I-D77IO^~J+>AQdG1NiO;<3gW=rQ0Vu43+YLoz`8L-A@Nt1m3 zw0Z3W2)KFQs(wy}SN}5^re6UGs>W5p<+jB|1ct;+MLI@fXcMZ`27A7jo}oH7PDi;5 zsxp#L{AQOB@5-Q?eotUgFQ*zTAQh$gJtGV;2pNRp)?QE7`HdR~iHBh!<$lWTa|xnzBRaL~`(#X%e>k?)Gk@bHGtVVH3CZIy#yws(l@>aLl0pb_Y)nt7 zIZ4<>2TO!5C{o+}K{1H9#=@f@DMMQc3^ppYg|NVxg^vA>|5spZmL1N&%Azz?r8J#7 zCu`SDs6~c65wSaA73P36S>}zIpSP;M-@L55;mZoMD&$owf770+^xIqr zV2$Sf;JfIL30`&z_ai5gbjx`RHNhpOQF2U8a_AHB)#G$QD=B;@$Re0eiNRpwA9gS2 zG9MNTnXpV%+cX<<%P-R&_+sz7Sq-_Y(-D~88^Z`6+ufUse*E|UcbQD#T-T$%LJ{~@O*0)b`xGU%(3f<|Ygb2#h@cjJ+ zXxVsgZE5&)4fAnws+gi^gkQ{zJxq-*o&Ytc*~ip9N@WYS2fyWiu=2uv7`?X=2;7|? zpa&0fiSNRLNFMb@;x+VKa?h$R7<-q*B^}+&Jh1?I-3N}%aa>t=QcEB53Z`yeC^*xzn@aKWh&-G~UaTynY_N*bd2~AN#;~B)$=z_pG~_RH3f%28aP%0%n>XK$ zbTU41xK2n<+5wlCDz2@Tv5spzZqO7j;=zwpGhTS-Fmv6SCk$OA;D2G0a{vSXxL*GY zt;a)*y3AOl9RrKONhSkPk2>A=zNW_&(5f%!rDFMJFa^@(9a?gHG99ec{*n8XrqQ~! 
zAKh)ReSMcp#M=UXTCRE+N$fB64*+Ws54d{vRyc90l_s@%Urq1$dlI!I zRP7mIKyTu*nJzVzLQi=x9I}m&leAyQYH^s}ry46w;i@R_n|L$TOWq9F&ADN`=l_6B z?KJ81t9X10*8(*dfU`Hm`LltICJklgPi$sWxaul`g)Ij(K^-+P)PZ}>h2Qi1A<`UXPV;NyNYIUV{ zeJ_5>H#kzFVZ+9{2Mso}$N#)>mr(<7+h{k+6TNFyQHCcH{=9LVu5vd|s|__JjB^~a zBpkLCR184YSaa~`snV){tE+o2g~J&kPF>N?U?rQl=BCwaf%YIw$Bw>=U*!8&>TNy* zf!Z&-$eewnwp`0;MQYl#g47(8rYMYyCW0|5SLPKJjKR7%pllxM;?5$=l2uZa$aF@M zFfg^robc1Z&QyIW>B^;3^l)+5p*D@B#y8EeFGQI44rR_Q$wbzuC}}*_3%QOui@jg= zOM5x6+-)R(3Rf+Yv4`{R^+ec~L$!2GJo$4RHQYCJBmZ+M?jW%1+T2x4lbU0rn9GEY z@8<-1w5fWeDy3xkC%@u(NfRQ(+%0#t9R%cKGVrO<3G0~;yOi*tS{N?`*6aHh%oH(xB)hL1J zud3_%>_PQX@ZYX77N`W0vxI&etoT!pOi!3IsilYVgJH(WL~k;9E_*w+-$i}H^-WsO z`dAd9@y3E-;(%_s;a=D}{X{ys<7d#@!$$!N;H~g^(4Y1M0jssjYsbG}_Pg+u&!qR7{zgGi%G&vr52J&m(tefg-)Wo608q%k+++=s71*og&*6@?cSitg8GIN1j9m(4(rVNuTB6mGEA@|p%3DX6&Tzk0p(IHKU0Qjp^m4X~b+7KN ze2*T@7nhQ?>(isit2<#V<2|{-=MEPdx^nOCKk^g}nQqf})Hg4>*G|m!O3dsRY)OAd z-n8ow7rtON{Rn_d8xT=-PJ+Ps4iz?r3A1G<6REu%U4fv1xvrMoRMKGae5F#jJQJ8B z|86a13J{`=v9LAv8|WpnNaS+pAVRfhf6qTb@{)8t#J{H3S%Cal&JzGPm!1$Yp4B&y zWg`6wG+q{$ES+C#%#r@-i(xzaZuY{&gj=o3%J$a+wxIiT*vRJ5e-1_f`-zn$>!2R} zDCtZ?*;V&R4;_F;N-;zGO%Yy|GTt~&7k^eDP69KCUfy#OG9-Bu-N3pP20j1Lr`bCi zUq)mRh8v%0SVD%n1+`r-ZR8P!V&Q-fT2jVvj588j>1|3)Se-+{R*#Mfz)owXBSCIn zS;BGYp`!ec!DOP?KuX$e99yMAxk$7!a_HY;G+g3WrR+)%IrC|ml3@g3VWu<&4VoNG zjh>~3CB3}Vf)?{cXws@(2~(_Ih1ol#K`Br34>KEWArUpfgGRXVjxL%e9-Os-QKRMB zVqnwUq~=#g4?N`=t2RrYo=6RoVEP6cCJK&CUzYDIU+UDN)n#Zci^?(F|52`qoy$vw z;%igP^=P5g*hz)AFW{q33(x;oEZc~=KxhBiI_nku->tKk;sJiJGdM^nGF19&R&#p5 zrQoaK+bqmtuipX)GKgBhb_yHL?;E(iaEI3)@6_RlE~Ggi;6b(3z;i16f_C5|`lU;WS905YNO)gvyGytk6y6xxXlK)%@1`>$RWA?vu4&*0ZpFlY$ozFmW~o?a-bT<+ehz~!uSmxHwi?n&A&yA->NwYt|i2mYO;i2`rU zt&9Lqz$|8GU9CQNiYPLjNSsjs90gJj_-9=+8Sr{kaMwI<5W%`}$q7ad5XvVscoXri z;hf>M>Sc9o_l0m8TKxBvedT@c`@)$9Uc$+)6QZ1r%Ox0E-u44@OuiVk@Ex^768SvM zI|>3PMGH4tyDsK96*{S02lVL}H3d)Sl2--%IzM944ZN>4IB&q$Sb6PUtCz=8cb6N; z|9U)MhGl(UUg7igLDLL5ZLs`2pmPW&0awqfO4FceOnlv)!XvM-mpH?NT;8{$D7%UufDSkR?;j-s2s0vhDmb_Kp08N^ 
z>3*}~a8D!SRryB)%aqazMb4cWtzMP{z9c1IB^Xl=M}M>6f&zat4X#xQMN$^>Kh#C1=Mwg~S`Bztrr{WxXatguTOo_yEE6n`O zRFAP;%qNgqB2YnhOKhM6*YLMHF-8DBc>HhQ-1m?;1q@q>Udh!M(GnABD>ILUGYvXq z7fM?)xHESfDUq~r)5)O1KUCVGgqf)6-$W7SHcc#9hO@WSuqwW9)n8TUkKw&y~g@Wtx%B(PLFiSt>%^OtXmALgxscDkW%d zNHnPE?n3p`sZD-ufiAe1mg73J0oThaD(xHIdgzi>j$U{lCyEr)X*JZ=t zG6s=$Ng!OzxvB=`n}fA;YLETEL0D8%9n4%VWbGP(q)=m>PA%fL!0-*?A~AdnTmOiI zm=ZeztSC7FT2fH48l6~%W_sd3t2fbYtJr&UiI_H){IoBd%GezF*6$TrA<1@lXS!^e zb=tXq=Oye*Ra>gLV#v{2QgA1!#pAA=RBm=r3}*r80`_0i4)-3v2(y^An35|rXNyV6ChVW@r`26?NLV)lVcxfG_En&Pa=!RVBzsmlavFys=2 z<$Q)tRY*|Q{&rPJypWFxfe2FwLmWfFK3U48b8v1+la$f@Wc)10-cJX9QVVj-rwEoUtKw(9(44fj0pGNsCyj$e48 zP#oEEi)Y(G&Agl}CN~lHkS8Qcwq=~WT(QJhnTdMKL5XY)X+r{$cyz=~NR!e?;c}(T zJI!(R++(dYI7-KkeXNvpy}>}`&j{**o z!pB+9d6?p!{jY!rf_I0?76OQ!96&e8)I^W@t&ZsWaXJ?=DOdHa^Wz^*n{^XM3*jB40mLQC+=t zTN3hw{{p42RHom2WG_HdU3nL{pQOjFAKu1lyuZN#b9cu%4FgV2V7i)o-qzh40HFP# zrJDfY0$wY);J%a0h3=;1n!C5^XvP1*HQoO2*@S1UXEy%HO%v!Zt;YwlV%MwYi2@5# z-DfzoWWc&d?j~IJ6&P3~;@*pKeAT-MUq<6dRKLX0M`N4kM%Xj@aN;nr1E|5kq;Cs2 zporIfJ#6iHAAncPdnwA6$reBlc=ge}g;dtqz(&qY-H|ihol5A*jf0{4Qu!hwA){@ryoY?7K>IDzl z`UH`g`@7j1k2->mBk$_Y937lrT3`IVbO9+xH#%=orbIl?(PV-F!tE8n(=fD2%`VsZ z#vN0c*=w&C$2uhgLA!BR|#p7BYt z%dJUIt$;V(!kZrda~eyG`*gx@`&U~d(-X_drpc~`T38!39Z9TQq^(9E-h9Ec{Ws6; z`xq>L9z9R#mfI=)_xI5rw?zo}*Us8L!s+e$4ox0m6{0UQJ-eqD4xQ(Z^4A;3q4G_! zwSv2@sj3>>*Si!*D#oWVFZNHj%A*92N3D78$fr(aBAmSkUAlZ$%V+^^L%>d-e|NIQ zY26oxjgEZ2t4!S;094MrCYOu9nwojwWC|I&rBz>s?eiN0a6lXwYz-E^MSe$S`E<^s z?q^?-&vZ0i8e2eAcyzVj=^B4#Cyf!g1Cj50M*}()|D?mN~3rb&{ za6{j>%QvjtY5qO6L%H)Xvkq|EXRbL{0MX`UFiLb#WIXyXB! 
znu}5$`-Gwy7pKbrp;>2f`h9H6+0UHcFnjc`vFZ$Ckk0#=qDifP=NPmJMpPnlmP|&a z$JvX%3*a2?-eI#E-+=2qcbw~z%@6u;8va~%zaT7JQeHO6FOthICN7hb*)NpZuTxsD zBZxh3!$t<$K^+Ft;{*o=+M#?~lYQQnJ-*@oFxZ~03UoS5y?fsb$Pt|JPU35?>s$r; z)n0I9o6k>SIuD)|qc2IL(+WR$C4HSEA>Y%(BjhYJpqdH&I6I6%*b)I1B{C-c@Yf>#?=a zHE0i8Vj66lBi0NP*C;S3DxOKDe;BapGEyk~qux!}nkc3xL}@NHC_k=2(wGe4s^cie z+`!hN*PM>y54CRnF?&p#>zk9y;#Ql6{6MlysuJQmkE~K5hlb)-e=&%dSr+2k(I4;i z4b|r=vL>bTkzAcxxe3A2lyvglyMBH;I!vO1=0%H!mw0rJoDG5!$p(!8qby_`WujAF zrOuNMW2xR;))JN-i)^h&b;SlX$tK8pEbpz4eFE!AMzN(v`#iHG@4o_02|_(=T@2V= z1NPRL`c4F-sC#tTWIJvL7^TQ0e@n~r@twi?T!dqIB+3~|U=txVECp`>0DAS)s-qH? zIpE!uRs2U;V6h<4ul={G*$ z2YFwgjU{wK>t0d>x2*UW&nc}W_^c=uft_FPv_~9k(-+8Ypl3bf2hT-Ui_mMFciVTq z+Uoh46(V2PL;5s7d?WaJUPIJPQ1t_Rao+;G5^!0aW$b!}3HbDGG`P9C*Em8%Px#(0 z`Rn98i{kY50Vgz`SGPk06aXV%ChI~#6oX=WB10nYwjlSx@HlGk2Ex`wU2lYAn|+fu zqruBk@38Ea|JQy4;BoIpz@MGmE@ZDgXWPyDbH^K7dnEyD05_fLIl;S4^N4tG#|e=k zw{8DofY&Q&{Jw3q?{$srZdv67&dy?5$xw4K;(<83iw)TEIz$xF=x<-eyRQU^{zW$CW5yqfPZ?2{l(txfmA3V?Vs5!C+ z@ZuZT`2&pk9FYA4uCx4r2NfL`sLZ|2yeU5386&j&Q%~sKQvhKAc3|aR9}w9re?nKt z6d%0abA;LJWdWn+)!^wozR51!eeJ2_}GP-VLe#v0Zk`g5ZC$^IDrDprBD|zNMDbY5 zh$quX6(PTq%#bM}!3F0$M=p3wN4a`>a+rCt$?ye3*?CT{nP69`bj_v_7$kQ~vfrfl zc?NnaBC7eW3?mlX0OeBCks0EoQT2Ihx@;Z7XZW>)6s7@ciJ+wLst;q>Rq#NTCO z)QXy9B;&(w;z3R$Nxw;clJF<8HH7mw3Q0=za8!ONsapaw=t8pihm3m*qiCPXiNJ6& zBe+u9l}uO_&})no39w>Yb~z_{Hpq9U9aGhqaAR5hAqy&=P?r(nuN@|1)l{aSwEEFL zjvbrfFnVYK>Ou~3h_*)LQRp>a#dWB&@xY^LlTBC?pm`>am*r#^!VM16iuUocI7VG^ z=EOT5IOl?pE_GDf@QWwoj;x|4_=ynyu5~Y}k-*NpEIq2>AO!fCfUf+P2zkCj0oqhM za@{w1s*UhwL_h#n$rwYqBnfiS$@pIrWRZ2zAO2mG-r9=#6e$9sBNg?Um8@qmBAX{~ zHPZe?l@2qMl9US%Nm06xB6OD1`os*0L}qHw<)1$#My-pM&k&csGhca#LMj`z+PATD z)}mLR(p}>DYk)b~O)rus?7*#xA28tSw^=?0_WW054#g<}in;41;Zj)>Tx^NB@RGjo z`!6x_DQ9MXjPV>ghH1jhQ^kcIO0=I%w zN_)kNToaEiwMiF6x>PTvvx%fdjDBz!81#wDs4&6DHRIl4l(A5GoS3$wqLB%-puwdT zJK9Xp%>ISP=uI$)SMq>veXGzIVzTx1+AP5V5NXX%BC27G0a~J+OpmX^YdK%|DU6M(}$8g`iLe|6uJc`218>*S7xlvia<7 zn%(SC=mDg0J6V|!Cju38tUZ<0-d*Q*GQ71ui>}(&A9+o){xhuZnvciI`gqmf(c7I# 
zj`R6Qb5-y^tU=blxK1{FyNFFS?aj}wcA8NM=pFz#9Y7*&+dS%k=0}Dl9-@IUy%ViW zYx}g;>8c7BOq0E=Fik-lGyEPeGT!m}$GVT>Z}oJm0T=W8t_upD_)eg8z?IkbKHW`3 zK4^aV9h%djZ8N?OHW8RUK5h8x4ANV{KU4qg_8q>?Yx>(ZXweTj;MZ0?e2xFThGpL4 zSZWn`|5>mVIbQIWZ!5o-Wv1$NK_z+j&P|-&`*|;0tDtB6F_VF=EB}mOd)tG}sM)1ATlz z#$uFReB7o9UUpnz1gynHflBRtX9aApI#c}i^NSc9NIh3?)=pt!F1vxY7qrON$@g0) z@rrdm6Cc?<^@}{5dL8d*lh?XlFF^-!{wI&egmesTM{kQc-50{~I}H>4J0~EP98qwb z10irdi>OC)M$l;)9#G4n?T!)RYf-4V&0`{X-IwhlOUMQMlgzYwaQy<;itoA)=HIlphE2p zc@pGjWE^*IOQ|Ya=z0nmJQ)vwRlU{{131ca2+^ferPePuv=`Yk|mK^oD%M6yz<8;@F)FL=`B}LlZB4s4AzEDoVPlu-Yi;GgiF}*d;?22pd##=#NrcGOw!N z$@N5y9uyz|>{)TnzAm!B${nKGhfvL8=N=tDxE;z8`Lts zWQA~*UY!Q*uT~B*jO9f6eDVaN0n;-nrcwX}ru$=yb#zS+L5s`&luxZZvwA#)U3D7` z=_%S(e<-udv|(DOXDV|z6i_3$JR^O%&9 zfNX>-9`m7^GwPpj`HNIxBGX8R#S>RaZatlQb6hcgqhNAIRrNs`L1?tIiJB}#l9eQC z|70Sk(z@5MywSKeL$CJ=ia8pg+O*wdKQsp5Ey!(J^A<2Pcg3*(TX^d3< zy&-o|Rt`h9k@0J3r|XOTKa=>zGIq_l-- zfkOFU0MRbF8-Au*kOG6rFI8-63T&P&80sRW%e_pSp4eqfnQwQoh?BdnXGaWSA(~BU=+o zn)Rn_&knJhX;)DJ%9Z@X=jXd9UfC{KuO}%E<>JcW=<}8Uyi1e8eXRkad$PSD+gRhBG~w*l@}K} z)O~UHH49#wn}W$H-uWRzrracnq)YQEbgI%7@j{;LY9gViyDWn>q}ns6?h1hrMzAI2 zN}hyRM2=p%Ceq4M{fwf{Nmo1$%~%JiuH)L(F{zp3mPf?KTC=BC7;YkKkL|%`y(rOq zh6RkU@i3VdYpN8AwD&}XxRTqMvF!Bnkt@jU8kB5fWwZ>*(y>l%li^rg z(jx7Et%8*^vWNwiNN9cY6IK<9L_lHuqnBCcPf?8VL0hqe~}K%aus` zn*Nfvdip%!r}HfZfA|47u|s;TL7DCE?Ql?o-+l-D1mn|hiv3gUa!UYB{OkoE_)o1r z;@oumJc_%<>6?B6uR6~oiEf?&tqx3#N9r)`eqK5(h>k>~8D2x4B-(;3EK7>gX zd9@UozU^aJ@UVHXh5ebY+-C}ksv8huTG8ck;yvleu-%h=`_KCsaKU6*+h}$kJ&maY zG;&H#F4c_Oum>97CwFJU7-&!WL-9Q7WOnj8KK8|;n^@qTv zpjKN?hlYdCcdS(w41SnZnL`El3FebvxF)Y;EaZ#O4jK$m5}7T?i}Z1Gm^ zjP_N7E7t4TVCUI}z|$O*?_ERsF}^Pd$eD@d);}FHOE7rZhW(dBkw0MmX!_*1>vn+X zZ$4xFgWuvMaFF7dZPgh`U@t3{BW=~5=njZcD_9|J_kJu1@|Gn8eDwF$G6rn!y?}OC zYz@9P&TxlJbLKk^BX4V;tVPUhy};duj{dXJGTr&uMB<}L)ev-thT?F>LT-gNWw6>Uy|_RQ$MB0 zaWF9k%o?wT*yc5lRFrkAai3%|5FrmW&-A#fI>i#v0O@8r9Mb2FCA-?6N!OpwmI>b% z^Mm+XJC1jlKMVCgHTz72{RRUTUbww{b2OZM6#-{%6pVrM5u-jqQ~MT(TW>(y?vZwr$(CZCf4NwyjRmv2B|j^PHQRJM+$$ 
z_3R(8pIy6Z)vEekz|7~7P|Q5xpMwasl>yy^MO}+-mRd58k8&wD4X&*;%%hfSlUbUj z(V&uBS*v5E9}&rlUKu8AL(1k=pV~%IlSF^P`(0XL&qLm1+@H1#!)Ta@1sWBaRVf@r z0&BwprQy9~c!Zk%vNh&*UsR`bsH8Dp*+ntw#Eh%<>AX$4%^duM2#wjj`0PrZfI_t* zn8^q+l(&J!D9Rvk1eP|`W$2+jrt!c^(LA>H*GHr>8EHXf0NqT!fIg7pL8L-IL#|mQ83|_*z1B8f)&}GFv#SG6Qg`7*q2;7$T9yaLO1g z@~P?8ernR$?bxX~Y024XEdd*G{~ougxn*#=ABf7cBHE19goM#ro*S1dBaO;wvc>o> zT4UufsowgsQ@kzKftX-{Q(*_=T#msLN3A!JZU6G-SA=*)~G{Qp4 zKt>0~A9j?9&!DnF^Jm)AG;uJg(v3XRP*2yYQwz|ld;dOC z&eZ|3paH(6Hv&KUm;lFJi1mBX7Lv5%n~IHJB5@GB{)qlya(P2DMZ z|7PIK?GZk@Kc*~Rnjj(O!za5c$w@Gb$8_SX!?K%afPG+7StwpX3{Qnsil$I2NG>d| z5PVL})UsYGXRo8lg~mTvwCW8puk@!BA{7?r=EN+66!zM3J3yaukCe@8Pqt?Qf%a#w z`P*sUwSd0KHAQMmdmrU%P=d*rJ0I&Shk5$3!#Yl>J)Ryd${}`|D>^bq?{FXqG0@tz zWoh(Ip%dJcL*>7dRv;RH>t8Dy4;2HB=llMe2Q0nMwFaSGGh9q_CNlnzQneT*niTOO zTe8#Bh!PTDV+$K>FiUSh{KZ4^3%f{O<8`zR7xOS-|HLgJT~Ai>jD#d1svvJQMz1@77)W2!PXW-@jMDmOM7aWP@rgt7hi zFJLc~*b@Yl-AL03yjTiKU?wGFltiP7qL0(=L$fVU{h4PMy%KKO;)&%Ll@_SlQra z28)@wpey|I?9s{`-AoH|kqQQo4^dUtA)=QW{#IyDw5JCDCO&`sg(PGbYbm?t5Z^C6 zJEOIdX_otc;}#&eIM?0;fXu4>Z)$!S@XUW-{}S-bJqcXa4r=YqI0`zjRxl`PrLB_>#1BU@=|v)5A{P&4EGI`YunhC#Rpv zP4CVr6FuT6(f&Ws^)#9@CaJA3$HXpBX?S^4?{o(1R4x`6vyK$45iZ#hVpuTe= z4yV>@$i?BdpYrQKCc(FZ%h~hoWu%v7H{d0qeaB^`NaN!X%p=c$({Nd%Zc|*~;`(id z+kTv^+o7lPLzu$O=_#u=Mjf?)0N~t;cM-7VZ}QsH{oAZ?WcRJpX(nXUp@~%Hpc>!p zAg{l1?c+xGj$*R6qtLfJVBcWYr>*5mE$2#ZMVa||MQ=O?s!PHGVta--(^R0 zU-~S(I-v2GwwXJdW{_Ypx?HHsI@O0KFQ{O#bb;3^IAc7?7XLd(&xb8N)17LV1h{xS=zC5AWa&O7qxr%DWF!<_PL|?l` z7}af>x}?edN(LCLOc6X!sRiUlrvF|uKAV--@@QTS=-UzQl%&t?9X*MeZQSMFYq{(V zLGU?`7k)|~v%3_4&+}Zgg3RUKZCo$s*yYCATGe+5QbDJwiS^nhyXm)!xPJC|p7}ZB zbv%C=zvZ#XfzflEMKbfcj?88Z#Ne3CZ`exMHRya4J7$vBMxBjM=6EPr0+Bn2MINVAF7xMmxYqP96gNRs>Z){&E>hzV+36w?8i%1{ zX@4Rx8xD3@YUYA`bea)hpvtvo8uNTd$ti5Ooj|%zWD9yZSY=PqZ|qW#O;D zjWsMWt=Sfsh+1@EgP+Fau~sS^8LG-UXOMzi*Q)|W5`se2<{R{AXQ$w;WZB-Q8!gyq zc&*Y|BL(M~$mgaCq?+qYp}r~zDV2*E+HlO6lMzs(VS?-(DASo$!otdusv~6G*Gj?1 z@}l+f!fedxVdv#nh_s*bsL=>#$4|l(vB^z@DoyAX@_z7>#fB!@{nTe9OMNV0DI=m) 
z_m+)w=Z*{7SXrDW-3({Rl;;p|HD;moN!*&M0&6-Xi9_E@n0BSMZO%0I2Az1yVG<=| z*mY0}`eE+Owjz~@#uI~+syYkDTfsBEZi33Tbzpc>zv%oUa366tM3f4R7&94taH)XK z&~2zpnHIei=8GQr5w+TwJ-QCHn>``Dxs~VuH4*W*)P{PX_9E?{8rGc07NopMcL~YH zH?(Ku!OkB3x9*1k)#7yun`Xd+!IOaO>vlCTv%K`A|I0%EPYr`4e*Ud^T-HwzeIlI3 zV3nbDp;t{Ay*tcr!BcApJC@gh%jw!T7*JRdQ|3~>Q;d(f0~gU*BqQYb^?)iDuArmF4?;0W*lZay2x zmT|GV7m1Z0WHymd-Vab9QzO^$`ln&B@sOg$~dp16;^r3lPqazq% z_)jWz8vQDWFNbLR#hr{P&~`FtK1EDqo^|= zVz0S1Wrol=?aWx!Zn2gts{~_dXza(>lw~JO3gv_FWY@+Ohc8GMCWO4~=jbsOeqG*U z5rU?=wjQcqOuGj;k}LH-sQLP@c$?Q+{AZj3PXrh5+9v~kogKdCKiUHG>&<*O0%o+0 zJKx*CD?_0vB%?$7LxBUpJ%KTfTYVre7=8k zGU@huzJHKnu3wW008fdF>b=Jlhwn+Z+WoJ`>M#ba6KJD*?RfsT$92h>=I=JXS7$lPegPoSlMHx1dtChczV;<*0v47y3ZZ!YRUg~{(9#r1|zV&myn_gM|hmIxv7y;$Hocm;pFdl>XI_)}TP6wIW(b$fo zc#GEdfcKmkIRpZ)X?hHMYhS@$?}zDGeBYN70g73F!!Qf^PAbRL=9kS&iP>9~-G_4= z2i~JVwR)`^=r6&WQnKehx1iM7U8mIpy$#5S(wR~Z?YrI)4L+lpLX9uq`Q}-@GpnP) zbcU#eeRaQExTB{ReC|Ukyg4qoqlu-{`R42Rz3RM_k4+31Om_Zvm~I!F6I zyAeG1-jew6v9Inz3%n@(_Wu6a0|XI@eweg&sq4EtD<3~k50{Zc20?v3mmr(~kHapY zE8yFn+%J&bl$*_+q*BFL{9S}l+A{8A@1$9?yj;af52Dt@z3->bz?r6+%Pc!NI3S!-zemvdY1{2o=bM&t%AAOm@&x#8NnKtUK$dR*|Mk z9_H>e?7o+G=-4sRvA$+ZDFsuWOS`(DhGoq2YVs!G$!$K*r0!~lLoc2O=sFr9*xdlAlI=L&LWvd`O z4F*bxJ;;M*n{vdRe8hK7@iXZAh^3M8WlM<@=2dAf%J&_U7lEm%DnV0(Zf@j>L$*Gfe?NnU=}8mgZJSvY(kKq53gj zhBEs2Kr&)kQcA^V4N+E6YLuEEY_{W(X^j`E($FRPg1DgFB{$t7^_4X>y*kyKfno zJnBRyd2u9&)wV^YCHYcKs(gCrUoFIW9XJ6?o>hM|oU{BxQihh zoTjEKI`_#MiSv^>!sW4NhJ9JM2(4fw2xpCyY0!cfT0-}TdZ(g&`mm?@2>kn;Ao^d} zjGtBOKTf>mTi>KI!WtEUJpcz;U^2i#%jqQU%^5(#_$*Kj1Ik~|c*YXkd2{9jReSaZ zjqBuBSED{GkAwIIzwRQj?H<@Ql2u(o?Ih9wOH`cd`n%S}d=^|Ln(|$l-1M&Olp`z2 zsBGFghWuK!?w6~bkYSROfK(~<2-UK9_I-hTNv6Eh+DWYv=m=8QUJrD8BKqm zoE9`y&f?vu<(nF`Y3=#{8v%a=7stL0VUhpe5VjFe=QYIrmii z24HddqD&HpI*9qQXb+*@6zHE)=Ydz~c&&(e**YkoJKZdIbhY1p_J`T2bm|q6-@R{& znBn|_Ok#F|_kTDZ@%>1Ocor$vo9N%zWBMrL+UX8++pj%`HaP4AwhnIEuXFPqZW=#| zBXAoZ7Id!a+qSpLaBjTrZe(~AuI~@H80tFxfb%rBTGF_*{guDQt5cjZy!0mo0(%4y~?rC+YdmhYrE~FvoCCm2l 
z%oKy?Z0&0E(Aj_Ic0cGlHjASvl&jaSaa}6L>77tD@HL-7$Y(?MKY!d@(YnpLyan97 z#UXT9PRrRVGZXN)nRva7C~OE+;yoTTt@7P1?%>@TyU=6Zx}8f@_d5&O$Fb!FrvV3b zHUY-fS2!;Y9ql?@WD0s8XAbRNmK_TUVsUTNGvzJG(iTbO9KLVAOLx~ynN;Zpwrd;3ipP@7*B&AH1~!zNrE^Tu<694uPvo05o7`;C9PB*VpcUeFKwi z+z&E)T*wPm`f7l~`PTw79y0;bT<{FXqOw!VBu+b@6nPZDbJa&~*r+gAy=wN9LC)Rt zv>$vZYDrYl8ZF8UAXu!wV1vfTlnn@C59&521JA1%?n_zMFGWICMhAt*ag5PuR8}0T z>OrAa++o)yNuJc#{`@kNZ1xHly)VtQWglYWvc4Dv$wXkT*@6F{3qf@eH+{xUD-G=$ zJ`Pgev1H!Yq)MG@K`=8!JknN9Zcufnez6*+>=vV$RaWb)Ylz0V2h;dRholGB;#nv!nbKZ(w<{W8yquy{9Bz&f}7h_hx=!^PN-d9$zWy^CxW8FO%? z$s`L0Jt*5d{5q>dW`DS895IT)UMEWm^Zg2F1?n)m(2?8EzR!MRY{1K>MP6E#!uQLR z&WIC@*J~*OukGYiK(={bu*$X=c_R}YeCYR!Y4Z1ZllR2raHOmk{Axn+lBuE%hG3uI zKPr6Frd0dxg?!a_LADBM$?(f`%4VS?lg=HoqdeJ=%4bfrBCr1B6rcR^jP!m?cwbkT7Y*z0k^V_$?!N3Rk2nDAL@B2{tXN30hLP(ymM#Ex05riH^nM zceP@@xa?HQe77>ZUjto*aUp0TRhwu{8m(7(XEbOOznU@aqVl$<_D#@Hx_cHPHRq+I zqi#^9I~FRmvTRB=1h1ag?ZISVV{sN6ZuT6jRx-5OD2f|)YgwT>53}9loLE3?<0W!a z1ez#w*~1N8SSdxbKpB;!E+-pRUP-5fS$3;;zS*ztW%7Hz;uNyMM!*E{N;7}<449_W z{3UNBeHN0rt~$kudW?!xmSQE_gEYI`g_~1w&3!?I)tYh+Mwn!09F=w!#0P4^$ z2X*x5xR|`gmAnbFsAfyT-y&3@;8JVLSu6!`GO@;MrB<`0pcdha-WCXVasLQ{e@^~c zaBqsY=M9@2OTkFcws}p`Oz_Ua;mB&`tC*chHL*}B^(4M1jGjm}4?){G_bSE8x675( zIN5I*LdaV48@VZVD;G(5*HDX<=RTwqaZt8fEKt^4WV~H)4H=n(#8sg!5>!p3(yjI~ z!;0#*5N?w;au20Fp)SYj_A6fIxfcH!rvhFDR*#$K0?l9lCHh$by)H9QUI6H?2tQE} zMTM=7V!j~1z88i4UckX5R;eWLC$ozHcrV|{R(*PQ5AM$)oEh8o@?QSaS_ydG>tVI_ zPDS3sj+ZO01#%ny7TW$yjlXZh+L1vY+zqKi7}(Q~r;;<{hhvW(M5uH}lP2&j%}*zK>yJAO8Mizj5nN7J@e(9E9ul z_sWO!c0HFNA)c$I+mil4?l=*j7+vSDDjdCl*w2i zz4C#6{bqpkcY@{uefF;REkfN6&_jWsQ1u3A*?Neu9Z;>ebbRCU0)N&n@Ds9?B27S; z2w{Wb<8SG*j5@FN`WC~C!Rv}!0`F)mWSN&=}S)IYse-2$E&pu+2!_F zSHg5U@CimH{`;nirOCs0FYtD;JSd>AvUQBzrS6+CmwSlhE5CHK^ugCjAEVrOzmM~vr}>`OI5N1Nk0!eY|Go|uAF#3oUgpME z^L_s=ui|x{B_Pz3Y=kIWJpeW@!Vm*D30(gB6!aCY2OgqM^=}j~x0)SSrP)D;4Cq^F0n7D? 
zZy4UD%P<*S2PUI*kE5+NGPt>3*Vv{p>4z`s_4dNLA4i4d^bb=Lr~l)=F8hLfkNx(D zJ>`GzqcuJuX;w2O0pA3dD$^$qE;+>%`~5c{`E&PQzQ5|ld|^uV_-OaH^Lm{3O<_z6 z`y93^7u8rH%t;dk73WL?t4-EjH<`Rj*f>P$C%N`=R0>+Mk+yP zxo;PU|%0g5hziJ-K*eL&6+L1VGEpQ^TnS;{c zxM64hFeNi0wi(&6HZl;qT(GyDDd(INL`&-r=E^jkA}S6}{e=rY>?S z$v!3eN3M8v>p@QZ^k%`%R4JK5r{H*zY#C@+{px3^MtF%94JyK*k(QD!)s#tQ5SDE~ zB4ZR|d0~#$?`%6a!dQ@^m1BuqeS_@?!F9q zxoWh|qbj8-qVOUYGSFXr%3lh9!F9pm{^;u5gGtgKYP%A&8adXc zX-ekNzOpIYHnK=CF?EoBfb_X@CmgJDRtZb$?>`fUjPt>1>S$^L=#oync(I;ER_4@F z{i_ub$_}!OND<{&1U6ML z1xm);+%;{X+A|gW71-aw_liynl&(SQ;*-iku;``swPhS+2=^)VdjgrA`);5BJ6xLZy(^?|IJplav8n zxl=zM&c~@poIm<2)~2PtF4`EygpqIlo0ysCqj9!BLTUUlLhsjp3~ACbx-BwI)ETsY zy3%IX;c%e*3RzU7a5sXPFg)l$=IjGcSKdZU5JAM`Y!xO}>sF4oGPl`w?VW}D;AcJ_-nK z?0#SRC6VK!IJcXN@+fe?c89>mk46JiDL2|eYa59}jBW~E9Yg7F5`E&G7s{3eNBi#t z5F0jUY<=AW6)3f43!|*hdd)yxx=NiP0etp``hf$9s@Se{WAMOcLf4YfQ3golvm^S zUvD!h)6a+U>W4qXFx$gXQApe9WpR3K)uLPn*YW4KzRPXbYhk>CXG%q`0kC~vS9z` z&i5};p!WS>QNd)EEYFYS;b;`!B5Y zLONVZr89UpmGe5k>W3V+%ZHA(WA}g!(6vBObo2He*$H%=#nL^C_`7}N+DyMJ4Nj*| z%IJTVx8CZyhKxp~>+=@0Pf>Yn*6+aaf!yz#C^)$OdmlcmM7ZI+xS`uM@JPShdB^GY zJz^d?f1E!#fHY`?rL=#H;2PEI8EJe|nH})woURQ3?w8yD+t>c9eTix!`$5YV9)zeWLBt!dA^=4n|B=yJi`d%KJ!sq&%z7)3gn9i<7<8L=2w~y0^NQ%j7k)=HGtH^QnBt z$Fl~0`5te%&II^(g3nWciI0AdrJMH5QaA)Z<pnkEyOAtf@?Nc)#BHM~tN>RLN6weQ#zJ)g#<*tP z%o?r>-a{(Rk;h8ndQ~+_`jRQgvKSys9U70U;LNmgGYJ-|o(m#K%&CLBS*Z^3$*VduotICny#Utor!(6mW2v_tu9b;8m=b|xs%Tj8zWw;iCi|~fI#L3*E$n#ICO;)f z#4<%wCaH1Mh-24UNR4G_^>Uk#K~L30ZM3=(j2?SyOgK%&2PE1b;s%ufigGY&ZFzD( z=+(%!d=pACV;*P91u>e&FJUq@Tf!&<>7S-tA!v}PX*N$GRG=IXB?578N^zj($^r6> z5Kdba;jt$XzJ6;sfl|gR71G<69kTRC8&;E5|41U3ovDna&-faMxv8AVi}BHeYEXq` z&1p@&j5MtbTW)oVg``Dr*9d4%hO5k92aZvZaniE=(Ho1CH0GhC4k7p;u9tNJH)0M| zv;QeZ!VOa^qfYxn&F7}9i;ug*o16FL?GcF$vvd=qd3@L-8w!53Ys9{rEJ^i+_9>CkosVe-r0+4e1)=u+Z_uSkGbMlf&)pL%gAuwJb$EoDA>ts- zk2A8|!l6kL&YE|mZ3-Vr?ir7&!%Pbt`D7_{givdFV`9q5xN5YhG#_D-$uRCM7@hF6 zpPX_-)$Vc+)+{z*k?^D6QCv0F&jp8`yf_%HJSxTO)KS{!AZ(a&*C3foHQcNtU35(& 
zZa)M<@oHISOd9k4HM7y7v}%q{$S+z}*Mh5RUM|A_WS>xO7fX=soIt%Ss%B{%f4R(M z0tfNy)Nr#gP9LxsJ!s9d? zp_Lz5Pk%^BvyvAmrs89T4oVglT|1i1Z^LV~TO1xJ{S zD$z`H3(yCk$t`~YUU}WfK0+Z}u%gH<87r7NgDcu(lc`i1?d0!3#R>r&l#$yP^g*si-s&{DER{|M1;${zU< zB+MeIDeP8@9_&>v$t3EPB7Q(mDpp!RFNR)nQbK*tWSVNWL9xghe z5~Y~Ls1*{(C~7;gn3zJuSTtGxGamaL3BjM2AM-Px`WZ}p7XsW38W7*^zaS+jp@X47 z|L|{q=a2s*c$|D8zzrb+k8sL)w*_+T@6((d)yo+8c+3u*(!Hu_vMV?Uq;6PWn=nZB zv_Sy&T*_y@*6G@BA}q@dI!-5gEw3Tn$78bVXLCB*-#--lUb|YKF;;eNZt_WYfL6yn z0QmA5pgjfJDMB}6muJ3Ob3I?%?7^b@lE#j$QX5 z|LScUU@vx%FG7IhvM{|*>_%j#@d-Y&HqUFXlkWjX;l#_M{y>+#8F^@Dz`^3(erV`|0oTL;A*XVYm9b-o?E@ulHzv?z97;x(}M4TYc>+ z{}Z6LHLg#_q1ac^>$qoeZQ6bJrUpSrpvSfNVFmcWcSbHCu=2ihH&d$6X>cQa3ou?r z;dcNIW|*{T(YUw*pSLxJGz{KDZ;o|x?yBX&9U>5HS>D!h9BjM#992%@ZyaVYQ*J-^ zk7>%`d0vL{9UkXv9s0eFP4@6454+GnQ1t^wvh8<|{#ou#OW;a`!91da)?Av#HQtdgFJR(!M?{+M{&YJ94aCp_d z%L6Pg4<6)w+!dgLJz6aC-KUTUuKSLqAo=O-K6Yv$fkPj_!&ji$2f{to*RJ_{fIrdq z%@x6Nj%0HGV!>JUrNAAl1(+H=7?rrur@}kJVpIDWgXqD9;a8PDVpAfUvhIL4D&125rZ z_(-P8mGkt;z=>F>c|h6xIDW8JIz{=?D9RLYOglorPyD?Z2&sO>L=ePNW{W2S^&cbq zjpajo0*TD#s^iMNP#8o>#%HLALussmw;rYoMn?i$(o)T?3C+c25y$(d-d(hvCPhfb zdLs7^;a;|r&a}pB-g3;V&@5PZ&Pu9l%T)E>VZ8CKLv`-Bx_b7h9#D4Db_ceYPGl@k zQVVgf+LZem=De_D_>^;JsYS>IrC!A%moVH683{(py$&VYQ}3hUps6%!jF0<<83{TP zycA7-(bNK!f(L9`!>FhewrKnTfX~=Wu`M(bl$n2^HFVSvMC_!YPdJ;X#j1`c+(4 zXl_ACaW^OyjoeEoxkEN&Og&nuN};kOyY|8eCM)&pJay55L?Bj|c%nHVV(@5hX5uT5 zG2LW#X_89R*2v4kq7p2nL}xpexJQ!{uS3xUu9(zV&qRd9E}2?IIG8hI+6|9061kj= z%{2tyxWy=wU=(I4SGtBCN!mQuyer}q_tdQYU_avV3v$1NIDru=j3I|U=-(Ik9R1q8 z>xZsC7-nE%`PxPQKzMz6$S2FP{(fp9HEP>6Cbu)kz9UirpD2?bgo>Qz0mWK&T#bJd zhl)LrCXLNFB0V1?>rA3b4U>d~{JBo-S4co{EDqu@xvn|=1FBM8P!9TH65X=V8R2l_ zD+xs5F9h;^0p1aWsY*JeWi6&ClBtaaF>NZ0!;i&oTA2JGE{9){SQ7dDs$^R*m2jI26NstviR{ zQq{IA(kN})R9B|LOEfyR?ChraE1|9Eb_a<#;`-I4T_iTnD<GH*i;?&*}g|fwJzI`F14MRNI5V& zX$?ewSVmyfsPbv4{j%GVV(-@K)gES?-_w#-$?lY%Kc{}HDL6u{s#*%&3Y?H3Bw!QQ zD*08R-8tEo*%I{!ub3;8bCG5(WO-xww}WC07NecU&=0sWnqDR4_z|%B7L5DszG)78w@d 
zUgrN900y|wf&MH2*lZ2Z59u%&u(BxnNUvoo2$Fx@`aRvsGc?sh+LOlBz@a9nxcW6Kcecv>8) zMN9NLeew4je4XVYV9aET2?%)9zP$i!F9iY~o73U_0GSfCsgq;poGlxnzF6<;C?oF+ z2)9n-c|JG0y*^;(mq(j_UAif5`5Z3&>UO_twpOOu^*Scn>8o~}!#a-_1Nv;AVA^+| zgGu)J;6WJH&IOPuGA12-LHIuW@Aktwb+Bh=w}G|e#akS^o0f+h`Y9gX_bD+RnUhZ^ zUu_@52^yZK={jZ({Z=dH3OSgy2dVOc^t+j7`W-Q@7Z8`g<0b<=h0mRUQ=bH0FSDKi zXJ^>>evcV5ndvT{&b@2C0N*X@0Th|~$8t!6Gd&-2FS%!r{B~fC^R`awI|>1Aj^|bJ zaotl73Xp`0_hEB(_hI8Ks}ung;d5VSw$|wOr5UZi^|_j$ujk4|BmYa?%<6#G@GqKyq4FgtsjS2~D$8DIcH{X1o&6nHz+(Q3+ zmzp}o@4A^L=`oQYu&(auIyt0vS*!{xF2NX6yY+pyD8Fr5*|gAxc{~dL^WHD%da~7X z<=l?jvhl`X>-A)q-24a@SI%H}+h8xQWbb)gg^=p<)ak;oRoS+#@?Zh0qMO^&s+ zNH#U}6ssI4TggbR?t5meQqw{%R{cTbT4 z#IS800dvJhHN+n>RVF%#7;X+*m7*djPD}t_9D1XUVhc25c3l~w@^32d)Xyx+(n(QJ z@Mx_DgVAPrC_LCP=jNTFzg$&2Ae$M8RX;0EIP@x2D}RBKdq&mN|2hg)hvmIqofbw8 zmk6{YqTi}=^U*HNl__Vn_<;dw?2$u;qEFzgV`l^YQ;b57?(j@<>Nl2xe0qkc$kAQX zk7^{wIf=T3bX3~5MXo}_C%B?7flXkorEDY;SF`)8+jBly=6|7W52+FQP3EE$rwWUX zGkS%EO!AmHY7(AyUl1XHiggC1!Y-glzZ92wmMup^A^0oV742WJ>`z^roasN{$GJ`RWueCUob?h)PDIV6o<1IjaO<5mk>Fp z+-r;~qnsAj_?J?Jf-q1Rd~1rd+YXUDn!n`GKi0$hEh$%aiRB*rG7(>6$w{fqi_PFV zJ54Ma=4+E3>&PqHo?p@e-|fRL&G!Bv;H5AFMJ0vjA`h*^RN{$>j#0{jiQW7rLl3@srjv>44G49;NDT;8{_ADI_i>PU zo9Fv*hI<-F;ZH))Ga-doWyn9!$d*yWX`3~Lgce&}=GUfMd#xuPG=taBJc6p-n z@$i2M`J>!Tn$K-=vmorgbI*xTv1;r8Iz1V%18BY-n#J#5S@;&!N8a12V^%98rnCD; zJ`{MRZ`)stDD;G{xNQ=S(>LrwCJFi<2Uzm?_DdGq{JnBR82s-4`MvmdYcc^J5`zm<>irpf^ttVZkUT;(OLT3xl0qZ7qh#Ji5nNoOO8yAU8-sUy`Rh1V0b>f;~hOLz_EL_q|py=HzO znKMJ|_hi;UFB|<4NtH!J#Z|Iu9P#bHdT#Ni7j$t|CAt>X1iN&lmoKi>FW481n_@=! zc>+ngD=N~lH>brwQ1zwU&q?d51LnwUys2J(ph^|fX2)stX7*=PEx5u4s#yESU&7ON zRpJpUTNS$#aZ&VK@TfKl^bM`r{kYT={I)Js)dlM?dcDcxA^9*FkNtVz}XKvoBuRh<~HzDvC<zRj)Nm!VbpCMH**~`kqpUcFs3{5?QmbjqK~DP@msEQtKDqVUWI8#E zqUi~;N|y6uzXjV^5GJ4bIMF}Ui9+B2)lbq9vpQl? 
zwfjd!sEi5aDsJMsZ@0d*xp3R7z!tDp-vi<}^DE#RQXl_AWt&9p*ke-cJzk~hkJ)|@ zCulU+2%tvzt;v|%!Hw3`U}pI--ops(f;aNgsQOqDp;@>D#ad%)Tp4RR(=LgbC{ls8 zg(RAWU$zW!b3+eOU+{dX&e16@BBZcmwdGN%GoNr)M7B!x(Hy6Mj>bAc$tfPYZWd`4 zY@}J!@k+QZKJ_iob+~oOO~jp)B%Mq2f?tk138=djM{7I~SEocL4up9kJ!7@bQ3_ju z?#Xh=#qyLYCRf@LnHc5P1V-XD{0#$*aiUs}5>9?bQwiq@8XDOdNR-9{s}w56&&)a# zY~F_95fK=Iz1A17dBWbF;w)qKYOUZHsbPv!O{*fkLtVahyOUm)UE)+UD|h&^WS-(u zMsH~7JNH-wx$k@l__zf;2rL5Q{+T5qf?!IsUot{In`Ot3?fjZOqpwfN{vy`=8*Rra zh2T?)j)tJ+jQE0GtlueP(QFot^!JT;^%Ml@MU>pm#hF2pYaMq3W5d)h@kOM&9CflV zgCUZPO$_~y{Y2!(_>W`OzIAxy_+6WHE;NWNCD3Olifv56Y2U&TB4jJHAtvw>#$H1N zoD6d&=Te49s41MaLug*{ao-x#S|oNW*lhMWgAG8s64TGZcF8|x}S>0!EF`( zwM&6-@YyWhdmXCvzj^~rs1Ko--3dGSV!QdcKw>ATD)J_Yjv9>S>6vl{i?C?3{xjYU zI1z(Ct>0&--ghyW`OgIq07`48-{|@~N1vE8xM=R1wZ3uuKcc=VypFK#x^ZKhZDXTB zqaE9}ZCj0P+qSinHny!D+i8sb<^BKf`recKWaeNF=9)F@eilB2eLi{Ycjm}^=KtVr z$4Ajam;VNMdVGUVyJuNP1L)EVvj_e zDK5MY%6S}SBHLQO2gV4kHFAJHem9YHoa{G!kT17w06KW;DI5CtYYy2y)425NF9TKW z*Ny;k>)nsaI5}yWM}IJDe|bFr@cTgzZtRUN;(TA`<$uha zgoPsoZu&jnU+KNu?bHtU=4e{7 zHtAcl!k7CH!j1P2)iRv*8h55KJwE#r-}GY%pH+L`neM$&?>YC)n_BkO?aeZhb)z=S zX~*(j@+toJM)zg2tB=%e()ydXXY-M9KCdbCVcVAheK(|3@0aErQoV~DeZa@2EK~2x z?p~;TcK1^iyXK56yJ8SCbqA;Cic5Oa8ky@gtd%Od z)w@{jVECAN&yRonC8 zl&<&c9_QNq!q9a*eA#>YEv(M>&G&Jd&uova)%&D1r(o~UKKnCA*gEKb3Q*QE4pDPj z1n|8~sj1a;znueg|HlBV-wO7T0=IpB>3Y&XN$a!*(Q-vy4mdw@Hd1veRJHcYr=KCn zuM_;F&jVKM(4yyL*T}WV?>2b{%~0ItiAm#Xq9z_2nq@yi7s<2z$R90TKhKXOlrxE9 zz8YMm&W&c^*-IW?RGRw^ogq@hI8F5$9~Z-=6`mjiEYc9esq2tMK(nk*7hH>hUMt6Q z>4KyfgTd!SKw?sMF-u2;bsAIqo+^F|^yAc~>Gz{v_pJeidTi1D`ohpm(78al<^r5z z_Cb-_Gpwy86jhTr?TjW^#GBBju@85@+Z`#lu2xn4O8ApLk-T)3hzz%~8-GqAZ9*l| z1hsmx(})%{PuQ4eupb`*Z1}p9q*7s@Mq66hexI;3L79?p6bs*=4);~?WJaQeJW3(N zqQa_V;fNXGvdPCDYr&v}SOb54vOhaU-P)!g5Xlwxf++su@l);`0O9tx zR;u(`%Pio@vGAw~Cu%|5i9}Iw?P^>CO9KmzLz(1sTZeRb$D#Nbp2!eVD9I>*oY*n` zT&sj5mAz?@Ks}PV#Qy#)eZ!b4iSfWlh=M8!2D9$jfXgLW1Vn;EzE1r|rb+F~Efx_) zwAjjt`$TkZt&sy}tH|O(>7y;F^||8q*7Rd0DgR7 
zcHG;2B~6?JDY9>7QDZyZS>L&G!h;Hf=WJb>17*0WAGVzYBqjI@F?E1ir_5&u4s)izzGHSqr<>)Zb!Yp2LNC{(vO3Oh10!vdm~f0TPtMKGJ6 zz?;nCGrW&T9HEIP)z_uxzLb1ioTjo3ZgoSAW~-IRF5R6AbLHpcsa zI=x3)1)95XY+J8au##A0Ad=53*-%jDi!7FKdiCt>Uz^y&A&WoG_$?3$u{)}#UooO! z+$~V0Jif5wrBAjxdAKipr&<`9@&*dhSTwiCqFaortK!vCCtpOBCgI;D0HJ8x!EFg4kXtv*m=1lDF3d?6;-6XAO)h^36>}Ytd8jC@Zw` z*r-Mwb9T_;iM&ww7;y|;;_nPu$&Vo!Q5vv7wkePTwC43Jd~%=hDUDYU=-j)dpPsU8bO=2o?{9HnQ;-C}dY zYaSStU_W~afb5bO&X+At6f66tt03OZhBU}Lo1l~r!`#mZ8pEtrZ^_9wr^pf=nr=bd z=2~wEsn(b{h4)LR6T;FTLEV8a#_>`@a~)%wVC(1o?*OO43MuHzg8!N=fqTMlB*C8k zxnA>WR{$&_#>#@fBmPEU($lIV02crIBv!=V74z5Wf~&k<+k?lWq&A=H7p2Fyk9<;I z;Bxjj2iNK3hN>DpN%x&(iR;mu<D&K!>cG$Y%Gah6OlLQm$i-CXdVtm z4V4=3k? zoj5@CDf)o~*oa^%PSdvnU6DSG_meuW&kd%93>$!WpC+L`+8@MT8Qu3aw}B_Keb!4I z+k|mUIyd_VN&Z}i75z(G;M7GNpH~8R!#y~riyPei_#d^J4ttI6B)zM(XFaW8V6X3c zJ+7Pdo6}Vm2XK7r;rjKXek+A^qy17R=fEo_)C zp~lC6SL`>Nr-)87U_LQ59Jr3cIPwsP%eJ8%cQWAwr1U9Jz z9#(rW1V3-@thWk*+r^Aq0NtMNi@4LC#UUh&AIB~qJyFw|r7r7^gd)AG*SGq-Z+BgY zO?_>xop${H{v_P#vt7#Qxc!li?|JOgRs+3=oYx$WaMt#bY`u8D>Z)rP|9ennd0X39 zCmoV|zP9xHTWgL!JoRcZEQzwyv<1p-#- z#w&?;pOCnNCO=Cm%6Rl1Ut(~J8CUM!q$#hohg!yaZik3P-do4(wp8#V(tI2aX+9LoP7xW2_&;G7g;p6FdWK;6%wB%^g?kqhz?WKod^fj15*eN15w^e*!DQ}UEn17E9Lbr z^T9IDMbE%dVZda#Cqg*|9W+%MreTqOJwxe2qCvItpL}}#fK#*1^msVpIG8Ak-^Vbz z9A(rwD|ls4YEFG>CC5;?c~WD^VrmYsuyY?wuwrCqoyN8;@Ld zzk>TSmqhp|A?9eWOk~K2<6cbBPq#5ZR_5M6TvV6_U0fH=%=@=S%uMYFAWrxXm^~~; zJQ`tL8)FNDgzMQ+gt;JzE^SFY*-;qr$-R{adU#SOJ~G`%Sj!fW@kJoUN0Os=XsZ5Cr|LI zG#vEYvRQ-b4C?z#`=_VW9xKo^F3h47ND`dIAJA<85V^mabz)qLP%xzfReG_Dat95y zXtd=BjcSgI*@W7vBp(7uO>7AcGhteh%Cl3KL4g;b;KgQqq0!@D(Q1DNE z2YU}GBSVu%=NvGyJnf%qQK@+jSiwlqEH&y%-2OAene`=EneOvcZRQ`E4acU>ko>M6 zA*8lmss6Y}5_c`OiV>M8rkc%dY+akU+^?}4;^yyELYlAya*YY>w%9?DG!f`xIlKR0 zrDV2)`Dj!^$SG#|snHKubVtH;9nqe=TFj6Wb^3N;SfnYw1P>7+yzWwg&t69mre zO2Rl=xl|+u!xh=3%e3T3A)YS{cZOpy_!>OEetZ$a@4}N}__Opw6#H+3MwZMPqggV8 z%A$}4jq00ZJT=0PGSf&mCEB#m;5z0-wb}|C3)U<|SRYnNxB!hITl~^uF-5V#RCYxb zYQqktrhNHiLE~ta4g!4x+pbuSBo$$o<2MZ^4qECoNhejH23&jSyqx&2mge-;VMqFR 
zKCt0f)Vp|+W%rOH>8pIwCBtnV`EvuYOgxPV#LE%?#rj9aFG+WZWo#@(IbOCwum0+ zdMmmgz#qym%>M7lXz(D*^M9T;e?g5k^gjboi~PT}F%+-G3F6>1VYdEMMI-O^j zAI?L#h}6{K@z8QccoBQ+0)#=x3)C&vpB7w6Ddn zZ#&rIx$x6){ctn6IMjAqiajN5J>$E3SUDP*AJ=}nd{4TJUiw&kX`A$$@bi8K_&PK| zUjmm7sK6gnzIuFnwc7IM!1ibUy_7snPw}v~rEc~TxL5}Ny*SQp7EgW~Jr$nocKf(1 zp7%KMtNN>JgM*x|j{CU5t4PKS(OSry)@9bge&;I679j>0Y}R{Jjg<`LtJ*XP_4H_vrP zGpxrU?)C}dD$nuO)BDoJc6SqZYC@;CKaOV;8=T~?2BZE#`0&|Duu8W`894>I_5(b{bnKl_@jXC!jyu0NJ`Gq}FOhaQ zUosL!(z6{M@Q}V>-xR8DJX`oL?kx#DYPR>=FY~$vamIEYcP5d_Gj;ua)wXGn_x?xJ za^CTp*SNtxoTk5K)Z%Tjn;h(XHN?|>Ga`?|wU={cwf8SHFDCf&_%`FinEp2J zpZ|2EwxaF+!H1mMxj%c8QAiP$l=I8V`hwUkd5eYeW#YsFj(Olq*{eJQEPn=!by05` zjQdBHF9W~pwm#qEU>V9=)ltvW!f(-|TBie1|7aA3m!f|s9qOjAIzE?!Z$D35=~-MN zy_kK!0g{wTd)FhzJ`Wp*8^7dC`(&%Xw>3vT`&+8U>NQ&xx~|44)3Zb+Zdy(e&Qxeo zDj0{kLxj< zOJ(yvwP#)oK|H{pvQ!A?4x~!Xh#-@ilfEi>L(J zb>^Enwb$YL!dm4*t}+!j?rtN zS(7TU)Yu~Z#hpNUOG17^SWM!@&&GbcMogDPuJ4j!CEphll*EeHo#Y6XFZ8IsW?4ca zS(U5WQ0HcqxzxduQxwS3hzYd(Wao?DDAyB)^O`j1;w#%C8>HN_`@ueLOf@;t9?PzU zTs)_;9bvt8OC~J`2;mZ)r&x{8P?=z81Q7qkVGv_=`BsW+`ZsTh^&DLDs}ZsWsu;wv zFE9WXy*NA;lbJ(sL)=1&SDi?OM-KYC=Qk?_7nGnx&m&>UI~sUjaF~+r)gu+%C}2uH z7N169pqVorh2M!Z+P#FR*(%K(s7D|M!yHL4RQjdUlF7eYJyUnRyGBrVnC4D4cU&vDgdf1_DZGZqd0)~hC9Gl&FAOVxO_*F61F+jm4 zpjzkt8=A6JyB@)#GK94RtuRkvhDnyL^9Uz#xO|dKX^Qc)UCPiMg!u9=(`5U&tN;tt zq{w;eQbeyN(GD@WS9cs@$SKpC!^1X9rI9aa8<`~d$BTdy+`e{IWE3s z%wX0pufhXsk>7@u0=koZI0Hz|u*J8RLY=OKNOI>~QHElcMi9FwkS>LK#Gv+gza-1-k_@!YzSs(7402dBS&;8Pbgr zfpE_8$4YuSwPiVSFnD_-3R5ck|;UlO6$G$CNa*3G0e~oU%|iV);i~MM0P@y&JP|^Q5^wcu#H0H~uva zkUtTPf3YYNgxdHCXonbvHehHBiuw@zTTRYGqus)*2s0VXZdQKMczpVoK5iX@B!5)+ z56!|M#%}^eL=a=9I7#}@RA!+>3lHb7jTO>oe}}yNh+E~biuZeB)nj#af+=i8VzTLH zgLy!!P?V&g+PS0>dOyAX0A7(%+MEvy+vHG8;HXi&di97MOk>r6$S9UD{d~rg59_rq z4-6CuxkRw7(Ps8#E2V8W+P?2kg?S?`#x&m`wHP0#@96z1;cWQkI;dW$L~Xw9nNuMg zd+HEKgk1`G>@Tfcj%)~#xbI#KxGqpdvCU$NW{Gsm2KBRxWOB!=Xg}P;nr%8U)Rsye z$(CWLn}SQvHYqpkwOh!nWjZUw{B?2@O7Jx^|8Km2exhN#(Jp~ydNVb_uiuBLPW>YZ 
zE!6ejvCF{);V0|?iDYjX_W<%I&U?Uq8nOUaw}renMvfnZFUOah#Ey5kflm-$fInDV z?yu82430s_vQyf~>@jZv>iOIi&d)z?dMvQOrM7B5d%l?N4tRiHb~u9+Ih8Ckg939>wD~;Yf0M)8To|S-$7(-%%}SyxXtD zRQ;5`ZTAL*cL{jigez*2OXR$nmK5T-^0K;5Pvhv>rlLF7+a?7zJMU9AfwtV0c)MJe z=Bwk)K06#9;$nHdq={ASfL1M0t5k8l@4q*6uZhQV>idbk zYiaD$_z!dQ2xm^jH}&5ChI+f8XrA$m^E=I6?0NY$v7@Y>{YL6Zb=?MPd)~QudR+kH zR_jmeI<`wHc&%OF?x-lITbMvc{OhovMy`@;ZV4<ivK9UyuGl*YXSCiGScXqoG~}u(4x~V#kd;0hVvbnZHVG?xAf>!q{kD2hHQ>k8s%{ zxcqIo{-Z2J1_URexd2z&KzIKI*}mTx7&WnkfeB~QYHYE-SJ42c|~jl6MoP=}GT97oxhPxB_k zEAz`7bsB+F2IP8FHUXQ&(5T2Q=$h0n0W323slrA&I`+5sZUI|M2kFnh{6`q}G47vA zJ<*9IGKXiTr zEsQSQ1{tG4D*=M0st_`_X6HhwZqF?Y*7Td>njD=SagBVYgDR|M3EB5eeo~a5aTh~S z4Di2vE7Nx+%>tqNqtAt8>dxs7HL4tZ*KeIls0neLfNq&i&w8=*p|z?Ng|xa3qH|)< z!}S=3=L1?5*>q6-j(J8AU+{4w!>N&oMFi2X>=#3uS>S1Yq}gJVmnE`)8s%%}6aj0VSqDKxy^Gm<+- zt{(p?aT~5|wZ344-dCY;m=R0Y*8xK%Hrzb+(J$-jfY}l{{*^6&B`RJL@n#C!k>7Iq zWQ9s7M>_*bv}qI4<)j>7vs`p53JgW0Yh=pWPuMa^TqC|Jc*0P=`=m*J4b~1Hx3K2o z3r9$VZi%JaFM9YxBT7^h+OEav{56MAV?F?b@{lK zE+nA@K&+^SAiX)_=q#7x(LmE{r15)gzvAWFgPmf%vo!^z;1I{-Lt}JXnYt@KN)nm` zSoN5nI+U>RO_s>WG5JKq=HE+|tA009yC)_J%=+3Y-e_$>RGU@cwJK_=mfeU`~ThZadUIa8cvlX)mbN_dM)!~GM{)bmWEKPDC zGZxh7^aJU!{ae_}rynYi#l#C;cm~h_p8kyU@V?{#ygVys0Xmg1Uj}=sNbYC;PS;t= zk@#HcLa)NV+)XX}>^=0OZ0@&elYrjaOD-At^|j2-6c~J+gPQEvrZul3tnISq`6f4> zlzhSLVpKj)XRi128&Rmwe$D5uRMiUJ&29suO@~{qPes;BnXRjkMlCf}k6Tpd-PSL` zC8y4QT`%+gALH*#(|VRMbmPO9?Y8fs`k&hHq{CN$jBOj3N1Md)0=7&a(zbhXalQ6+ zo%kNx&i^8eN0;|CQMz`e7I4N?WkXZvjUs&KB2d<)CvbDGQpaXxByAyV9|qF$c+ct6~q$GG?2VBO6H{_>BH<$ZKN z+T{M_U19(3v~_d=z`c6f*s9ZYt}-Nj9=fGt?Dle6k)+yupM3p8XBM)avdruLw*G@L z>VVDO?#sd-uFI@clN^^*%!U665hmzyjg^YHuABO)X^U^Q zoVbmpp=w?KAQV^5<0JnaMm<*@BcCpBb+O>aPrq{do zw63rD5N*xabs565%x~MW>3=`BR(A+mKR(u7(KkhW) zp38aTnpqrbo7+HxpOc$XowhzZxSFPcen+bMega+x;jjALN9ntmuLN{DuEFUmte>&w zqrPeR&Utd<;&trL0{R_2o8$6vt*aL!!=JIA56gBd2KU3HyesMN3-4zWs}H2|m88R9 zrYH#;N}AdWfcK#_z|V^UTs zP|V4Z7&*x)^D`&8B-AX>q=tee8`G4g9r-IT-Z`=~ocY$JR_%7R_!I#mgN8MK5SiGR zNap$MyDY7f{$X*K@ycTP_>exn4_W>@M482WQTWq 
zTA*0;lJv}NH^812>!w<HIofBvjsz0xx*?2b}xCLxJvZz-`|RceMNi;?sKZmLfD0FBny2w z1OzsM@R>AiflnQheGMh(cIpD@GJk+5TPDm@>u&3UbtvuqwGfmoiaZuF)k;0sDtjKm zjz7gJXxZ{HgRR>FeN@KM)-bXO`W?RIgsja=OX8~%d1TTUOX&vEs0j}ku>Pxjs%PIn z-^gD$5Xc@5Dc6q&`c!3NewC{!yDunXy=cz48vdqPtM-G4EMu!aYN1dj{YF$P{FHCS zVy!(3l}wxvXE!}^TZIOOTW9?b9Wg_tNs3^r##M|rU*;7jL;;LaCI+Sw=j=dnqk!t- zM{h%Hx(1eBm_M=J;(ojNboCF$hrHgd*r$~HJc_JOVfM6zWScYQ#Bxo|k zjN}@0CDj(Rjjyl{QSLD5S571nV-%AnWR^0BG!rhXfy4-vu{5k>sv!ySv{j}7G;M{v zCdq`WdWrQx5Mg8_)hhM1T8Vo$Aq78~B#M36|1kGf1oznd8!}@?zD7`m=z?+Zf`(F} zs#Gb}HXE1d$%zs7QeFuE9TW(KdvC)Bm@V+By0ZbAY zt|{eq3iQi8E`y}Jb%2$V^g%Za?~$?Al3A3{R+Qy9IgvssX6KnejYf&#@JdJFa`-DE zZ7XvSe%h|gN#BTg(D|!7CqWqUj#bCa0ucp67Q+g$WD!F@1c5p{!7fU;v9%BaA1U(8 z^ZT;aIRKMcjmn>DqOoQ0qbb~zf6?Cw>}#LrZ)BbKE#D#qDK1inCI9x8T6X!H?OYfU zh~ri3c&>x7<~w``R_FGL9Tm~!g+(R7(m1TB0v9%(z~)uBhg0&ySERY&10f!PSK`q{ zSpHl|t(fG^2=uRVo&9plMqKL?%Bci$w<1i6>{uGoP#L1K%X^C12vi-=Q&NRE?A(}$ z1JQ!S&P@fP>hwwk1_gUn@af1;LX0EKC@jC(BBC{Je(Q*kFUC)MDaqli8#w7CfB_Ge zY+H_}T0|VS)Zdc@4361_F%7Du(IP*s*QSzoiMA26>xs6Ssr1^ZHh*WVC60l@$EL?Q zGt$S*5JDCOm|jc}tZ%5EOplM0$;{shHnQ(c5Bnz?VvB(ftFOPTFZeZU?sM`Pkt&Ln z-Pt_UGfZYoLd9!p&+pmNvkmcUkgQ=An<2Oqw8_w&MD*mPYZ91_WPX}fHSd{8z1z(j z&27deR=vpJR?WgwYW_^QTzHS8Yl+YtIr99Yo|$^pj6Xk<pk0!G?H{f}nhe zjZaAoa0};QHtN05ag(vHdc0MOuUl7VTOIDg%jVSTIB_tSij?~t*#dYUw{h8bKMl{H z;l04}&ttFb0SF%0tOJ@pXI-{C#__cJnO+V?O|2^fye_vggySy!T?VfsS5iq^9=VN7 z557Ae3iS!j4O;WvU;b^nlADgc^ao#dF>0Pn9PtzAxg4G_fw&%>%wN0WQ$8Gq$Ne?# zi7)OaA4X!9S8bA->afLHnzp($J|=yeQhjU>lD1ynE0kGj{AD{jlGQDudk@9$9vZDpb6Y4W#{nJ z*X!;0*JE8>I_lV8>!ZG^&i^&^SH*&zx-A!H)!OpZoBZpv-Sqj*j&l?OyM4~67AG;! 
z(WZDT?fSquwjJWsTB(sdsUhr&9`>ofS&^n{z zU<4H)Q12~^5O+(#&%Iw)tw#4-X`Y5*muuSlojkzPQfy~=*e;2CzfAioPwWA3JjfSj zUhR3JJ^pqseB6>0)YI}74PatEi}O~1L$N>BqX7AyMD}W2H+t6b``w^l^j{yj@i|XD zd*`?=ylh|Dk+pZN9JxO^+a?gl0>0)&sGLhrY^jOE*^jd#4UBHg?B&Bis z8U;yDq@{KG%I{weUyeMLDcgIKQsioz_TM7Boy$VrHy3fdUnJ218gIJ+!0W8dy7t%H zpq=q0ovY*@D4T8m*UPcs-UIN}rvEn6=d$M&?2ZAB1phP~t$sUxGe4DQ&&botJH)=o z`n=e);ZFAUA)JUMgKcJc{O|WeMd`$Eocaf zgSDJJQ!Tqx_<4O=p;H%(16OGvhmp(4PCDbVsWw8pAj$H;1%F`Nz#}mvFkcU)aMUl> zCO$SO)%9BfqrYEJvQH+rs%(YQG#M|LA)?_B6&fwgVmPI{-ewVbNm1+zn~64lrCh+I zppXP*DAs&sG9m)IjEO;St_;iUS9pwV^Ip?x7mOUC5>6?XvedAR8RzHA(E zp~CE1I-ix3Z|NX`uLB3C6xE7*v->M?K-NP!hUtj*J^WGVB%(l@w#4}&6H2JBpv$*B zqV2tQww=M+Tvv>m&dd9JNvYcyJ&YP-!EX-3-!7YB8*zUZ=OQRmgYMZBO0wuXa#`gT zMGVNu5&L-)t5bs43{(o7p2#oLM%*~{Cui~};)ay#oF%{Kck54(16eZAG;(cdRDjiN z#DmZyyhwvJZgOX`CLD?j&wiN+(%A_S*yLse+?q7SvP|%q4Rj5e3K9)gs7zc^frLK= zl0+fmP?UT-w65<&%{QnkeVb>5L(qq-#0mtADGxZa>?kzv)&yq>T9hf+QYfJj>6j&9 z@&Y{bBZdZDiiq8{3`>RPoSc&{G|(^6IArJYzxNq-#CY*nlMyW_uqKZ-{gSMS7Bl5f zPU1$ydIiQxkFaw{rSQ<_TH@o~*}fe$y$_<_xu2+#Cc`fL``A7D2zq~dGw&(QoPIZF z1z5KJC@v~qRB4bIhW1%d_!oaJphg`bBP?2OmGJKkg+ku6KbY-AwK2r7Db;czL9Hk< zmfHmXfSi2KbsjxQ05AXdpWwsj^H7z&xf3#(tPY*DWbuv$5G97ixS%nS4fZn;BCD4w z8g^H|`-Vgr#o|&^GQ>Y?=&e>lU7)bB(^zVjMSK-!Q*-te{%Uigm5f+xovc&?{a3xn z<1x)L6{*kqtr(*e#|EUYjS=Avl>+X4CQ2v9Dy5lXw+Yhuo~iw-{DT6ccB&NKPz*AX z-C9niBvZ_lhv`aU`|J?;-bIFMC%yOx&G9+?(Zbaz(}%h1NaU0RkRzo2w%BWLS6sLJoAYcEs$yNT+`>F z@rY&8r394bs{QqgKTay~8l^4TtNf&+Ei$DURk-^;3oh1twb5LR$14iTe5lSe*oc0T{C4HquVvP7e-_C==%+9 z+`1klaPcuAoN)MZUxMY}6G2i?W11eT>uu$zq_Zj2`DCTUFh+)7Q7? 
z5T2^D+HP8M{tjr8njD}GDf&hwE5)y05jBaU%RJwb%G}WORc?uWp6LLpHYm`r1aBK> zWduV8z=JL!3nN5_71knTd@i?bG*m9XKHdB-^WQOy3-v95v=D4Cy8rJ3z{a==wkK6w4ta$WPq)UfXLdePL@(V=^;?n9^b zqd6mbT6)J!cgYO{xN)?5`Re&Zw8=@l?&iAtp4(bSwQ`fdlEv>gC}^>Axcg zXUe&1co~bBwMCdyGV(NFjjQESMi&PV@3wyLXIyzm8%T`HoK9c=_*jb?d(7H0BJF*; ziHP#?lH#k$b>AnUdPCQLNt5puWF#Q6=DQhTfSbsC9YU}NR}V26>+2UDLCWjapT)lB zu-}>cALh~9wQh^kZGZ*6Y<;_cURnB2m%CvbjaxjZ(fdE*xb`Y|rn&N)51aulc0e%= zJ}>sWjn{4T;d7^d4c>@U8$E}i(xB@pS;CzpVljV@rx0gQ`r}O1@Kx7+V-|6b$DW~C z*toj>(Z}BX9)HI(-~#X_u8qoAv(ODM|`_KKX%wDxiGux_;a8gbNt%6b#{R7)I22cF@F6rzuU-dn~_Yi)%+MeldN6dWF_sXK^M>jEO^`JsLuYXzV@E*U+Mo5(Dy>e^C za&OUH%TL&0+B2dk#9iL+bT2HhNXZ-6ko-EuLxsyv%+S3Wda}-$`F!{koTt-q;_$X# z5HJ^|O` z;|*@PIzPp+%+6)4y!km>)>EJu=_SV}oAh|oi4#UHSWK{j{KY_dQ0u$6!^ww$WtNm) z--M50dJOH~@?9xEczls<<5#hp7XLe$R(TyDb7qRO!Ob%1F5Ynl2$mOi;@(aTui zp`fSi=qtVKK)(!gaaX8**g=ITvn}cwNmi{wNnp+PUPZ4-flfjj{b~#|GiN@PF6F~` zen#ag@npUah3*224dnNGB4&qp|n{k>KfrM8{ z0vf^@J#o_;kslf3lp_Ku;o2JB1S(uLh7$w0$`%Lkk}ygEnO?}q<$L0Z#K8uO<7)+4 z)e5=F<{}w(%qqP~0UPiqL-0o5kN=hjEu!b+9(YC05Om2jfliM-d3IW;Q)SyQ83gT` z@#|AhmodpWsudLsO4EOj{RpWR7^e6w?yUx2pU{|~7KT^p;;|ts-aVf`C&5Cx z>!j6^uMp3aDy_>BJqL-!)uT#Vs?&mgTX6cN-)BkkkWz@q4X-NoJjDR|73Uq)KK;@w zx&bO#W~4^iIJxux81`?RjhpsAw61*K@ZWuwZ2E?qxa zW|H+qKL)1)Lv6a~Cx?~!pDTK7KuNBy}P0~Lk2L-R1yC~HE7R+0FY#*9B&$Ti27 zl(9okPb6v>?i|_cJj5_!cTS6yPs#;7!|_76<{1hd*msRO;|Yr^amcXm7I}4?1iMk; z_zHLbT$o7EsD;>8RsZ}6U&N*OwMMC;^bUpUraFTJ`&D)h4^Ma#`Bk8cpZX6y@3FH^ z5&R%jk3QD1oND}W5?d=)Q%V~uH;}5kZZ&bYgLwn zhVMgt}DyGKvuQ~dJs4H9JjAK^3z3Q1S8r9=W*c%y+CF|zxV+6FcK=h` zn@u`PaCtKPlkr(vRTpe$XtQJMvlcZ`b{TUR7?;_`A8ntdFMGC?_x6N7o9Q?)I8;fc z652bT=nZJ?uY2gKX?#I;7{>z>*Dvld5c_-@quA?g3i?!8RlWnr9u>uiNs-qW~X zofKl*SC9DZt?tt%C3Lgdk*Cx4Ha3V4*X=zq-D)FExXEolUxJ%+{yK{iCE5n^ytR+C z?~dXR@&C*j+vUAos+k5HBxhU^`&0Rq0F@koJ}ZKIY3A}q74X5DYIOayUEo{Lj8 z$A?wRZEl@=k>eo#I&OQMo(I#s9^Vsu#Jb)OU2`S_(wDzIU`ud??N94H%?hi->sz&^ z1no;7yAwoIE><=E4aZUKP`1gc#n(6tJD7hKWv!YZRzVGKpleiBZ 
zb?tY%{+k9<(ro6XU4$%A6CcbCYxn?=_xR<#zwX7mh0_!d&XQks<-9Bj!x&zIWZK(EnjQ+up#wukyFjQ{aqR@SEJO{!Lyx|Ifubjg^mp zcd9(QZ;gcoPMII2_kdBR$Gp!MK%UpN!x3k)Eb8tIF#3tUC>W2|!SQ1^-6m#;QiMYE zWJJNge(7Eo!k))C>#0)ixoP8Ix9=?&)+CTQ5*8wAfXHPQ$`HgFs^&FhuSCitSm0IR zR62MI);)y24aGE?;o+q_6_@jJoWLk=?u0`5OB?hTK!^BgyC{QjAM@G2w~Z(9aPEhBXk`0#dfD z@OU1E3aGc}tVlctdFQICKdMUF4SQ{rV-!V+Dm1<=hViwZV43!CN@eKIp-_(uX%Xd_ z^90;oocePMC=t5O=ZF;PmiNIJr-!yQt5X3ZMinp;PiM7k2YlTq+s~VQ7~OWmm1I(d zatcW-43ESULhB|605%~lMGn!eC>rHi6wq{VJt z+i2Dru1}3Uboo63MZcItox(W2q8v(R`Gp8fcKJh>F)QX=OMHPZZ~n911`eCUd^DyF zH7a%*0jg}+m$f}IhG)UhL7JW*wMCYzKn>5K0(D5wl3fvFu4jffs{6JN`|VHMWnR2m>Sf;e;CV#$FaBTy zC{KRENp{{(9=sq3^~+U)livYUrlXB~qm^h|Ws!K?5j$FRr)9)l8CVqrDYV+ml`&a4 zo%DhlxQ0QkCphB1juP%-PCUpa%9sn$+%Q~WB@tMbGvA6b25k^_O*o{mefr?%RJr>q zk!!S1715PWPvlULFkq%sUg43BnbAx{iz>>L%D(rSaSZ8BqrXLCQZ#CjBnqPzZx$cB zMdl1xSb4Zo1z%-#&pWJqo1=>o7_H;LBun`k#vXd=I)4Ev+33orjLYg#dl5ik8$W(% zfgr{8O?q}OaPyREZ7&gzonVu40gi}%DA-YMC@?VI;x`E!3460!-J@m<)lQ^fuX-)4 z)3BY&t->%)kq={nMx(jX)(!L+X6rKMERMD0)5z>Het_m?DY8HCH1$J@CrSbSHW^h<}h z74#IqQmXyMQJ_{?jFJ7O*FB<9Em)m7`}Z~{trzjr<3;50v>1Qy-O8EY>kP3x%_07Oi$E|Fp?R2xLty% z#TS<*BK|H5L|BjD!sBaCVrQkpFul^uW zpIQGcUmKWhxNQJeq_Rq4U#}pT^BnFNKrV#NESR_gc+697vmmZBhge?b^OfA zt72?7zjrrhXgSnnuulR_%H04jmOOUaJ(ujxw!R&{%U-T{UfsE^`ZwVIvAyiwiG^C; z0WdPTqSrssu9ul}W_a4eWCb}hy`M4sVtT$CcYnD<=b7Amcsg=#zx>jEJ;o}}@3Q`0 zrR#a-Wlhv|ozxTuG``t!E8|rG`Cf=}roW#4$gB3-e(*0?20pu7%SUlbZ$N-Q`c%cr z_-=vDZzO#(K6tY)AD{aCX$Tu4(zXoym?=VU$hrctrK1ddg%v z4qJ=&_S+MtUHb0C{!{DnZM>OE>yyurp8Ub-ahr z%DfrodVGnRRV~|W+w@=a-(A+%b?S$C%x0@%?g#GFpHINBp84xwqUc^HOzAx=iWBu5 zdlr>FuHW@(cOK<7{;8Diao)G0GL*i0W%gg!RR}Na(YyMVkZ;RsnkqK?{k#f} z|E6URZ2t^~TLIgC^4+e8PriGNz-{L{2z!9K>~ExLnABJ!xBrjx5)AwP=}59Y^}h0J z9SJ#V0u%n!|6oJe7AY{6N+pi#fSh^?;(+=}p;fbx>1$^7E|9jT7#>yrT^drGB;0Xk z?pH@4B^RrbjxNofQ2ODiK?{nf-}m1q9@3BmNt6qY(V1xz<(RV~odw6T^uU?ngl@zv zg|Il)YnF{m~&1B&L^18_W0Dv`fxtQZvB>!(eaHHPJQDc_4 zD{}-V#w3&wSu8m>ft_{HVxJggSiCVd4emlN1Sg7d_9oIbz@$qe+e}g(DuKLc$(tKO 
z`s-G8`f4}eGDR{fU$XM+tef`#F!hbybwFLWNux$hV<(NBG`4Nqw%OQe+}O5l+qP}n z=iKw$@!sdXU)I>aV9&AEl&LZqhFV{^`hDC_4DQQbH?X*fcHgW)5lJr z8%+@R$@2n{H;ISb@{Te}6&(e$%2nF63P+3J)~Pu}1*S2u>(UQGe?n5IgkX^^DCJkj zS=ygk@Q9gUb*spty44G&MTdtW8~m%B_c8ftjwXoD2IjVZ=Cp(p?qq|R5$(j8Ar6=V zIq0>(l1pAtL0{S3e;3@`H|hqwWXM3Ne{@9S->7Iy+~FP38@+;jJC+%%(qo;_3nKGt zQI0`rPDtT$-#N#^M+dZ+Z!fK;#tW$rJR_@^Qkz{at(s4K9l* zmyw(XM!85iq&qHbx>@mZ^iwg?;d;)MSAUY?-Od_N)~IvllLFbt z7TDrO&!j8h5>~0eJkF6`x}uuTSW4OeS>(1yWc^F9c|oR6hFW(Xwo~n2MuJj>a(_Cn zIrUBOT0D{(nB)K=MDx2{I)Q{@lHC&X;o?S4Wtl{L6=pfdD$U7nkQ}eeu0s(&^^3`B z)fPO4mMf6j)?jvMqR(Vd{paS4JM}aew2u{9nPy26Ezy8v)e?3%+%_S{kRF2ZTP7+{Og0EBiSh8F9WZTbyJ(OEicmkcf>G23+?mE00oO*fZdU=fxyLN zFUu>!-Zy^A;5anV{xSPq{#X82q|dJpq=?+_A$e#b0B2y^ReU5v>mioM)F!1bHzQ~tIYaNHJ2>G>bc=oQRWqXFXoyNS|1w+HmD_Exmm5D{ZqLFu{-YJX<96GcPV$St=ON6gN*M~k_KpX=*ywyVVD6Now?0 zPq(5sQxEd3cYmGbHeQww{I3WPa~U7r*IH)QPj#B#<|s-)TcXDy$^Fzu+k(b!3`l8p zWA3MOhV&r!fTZC#jWQ;U#C5Ce^iVYtsmG9co3X>-{w5vvw}D>g*?)M(oZfSvjY8*X z{p{q3kE^|QH4hZmd7}(i05ojAsaJaJzfqX%^f*8JPJQudn0-{ucsuAdj&08}!rMMn zxU!e)GIYn&bT$pzy)gJ(K_A1)*ECJ6vtM8HIWK9x!erf+Y1+KMuH-l9iO6jj*1u+c zr07@=H&1kV%(*eEX9(K)d~k)~-CtYMr~qfPzb1WFuf%nWT4LKTqQ727`8o%gtPcrR zZ$4$s(6adenbN*@!G8S2ygiSmetI8YLr3Rl8TQ>a)D3-4GnJ=)^|U|*w~ev*8#MRS zuh}2-Y0mHNIetDj)u(^^MOUs)X}xzP8)975w94F==>V=nWb)g-2QJ zcV6sUeqYHiSC5k;1yJ&O*K4Tu8_BeGUmL1S7rHJ-8!*4PcR0+eeD(}JDsr}VmCxS( z-!=JbCgsUbxa0xojtmS0T2LuWmUQO}&Vdj%UP%k*B*~7pq+zEKi2Hd2IQYNxE=rzv zd*so=ng!n%Om+{bU=^7r*ptYTluP--wqD^ErN1oXSnymqlBaOPwo$ZN4z~O1%z5y8 z5TymY8uGzZIMRs}uYyhb5AAx9y3II=RAPr=c(9n4j$qp&F(^{@#}L{CHVhra~k31mFZmBY2zg$Y30DOIPk`atlNh3Yzcyd>Q+tyqSM9p2GE*}U|YN-)y*jbH@C>o?#w~@2(c*@mig`b^db`@E}LLmf-Smm z;375pUwVi55V3X>`RG&f1^kJnf1q+o)-X;}ouJ89iV}^wC3!iplydTQdJZ=j$*#rg z-zOzE?eG6TzR7g2jDNl6V>^4_4Of7q23XkwtH*EZ#9N-u&-yxGmPA>N6 zx68O?WhKDtqsP*PToWB*0lT@cz1!e$qb6PH-y%~IxR!4_2Z=GG&!#6=0i z;6BtECy-O%O15$S#0tE9a0@GI<|H~5NE($%bIIEwM1XNX%0;Xa8_*&kf)li1Q+8;M zyFf=FVF!Jc(}T)+ij2n#3Z$HGOmlc##9X5pbH5TdzVr$VY6j6W~qSmfWBN1g%}N$3~0itNUP&jl%60V 
z`PE22#AO*frVvGR*k_ku{VoF#YCp2M$uC|c`x+0FF#GLEGiR#o*WH1Nh`LW7@Id1K^ooVLlhoU6Un{dG}{ zHjcS$ifo6sT0P|=Kh~mths#4Hc!%39;fvsLQ7f>EJv%7v;>gsnV6!@66P{-E!n010 z@?Gdksn`aY%y%ZrSQs=YI*T7Hd$3T~{iHbkX8)}albvhnhb(NkRd@MtmnRZ#(|7$N zkWfM5d-4upA&(XnskRN_;vC9?7)o=oY(1;@e~-rh_k8@H%W?ec|93gAQseZRA@m0- z{Ejh_JkNMVx@7KWReK7@sNQ)5XN2%d(^+FQrHQF?qX0}JAc-lbUJJuKT4)t zj1p2n8+;dMt^V^RPf_D} zGE%Z&PoI_b2J#Mf7>nByI(|W)75`QoY>q+_+fN!bummt}HZU47 zfJf6_+rDp%yMZs&&8s6Bm0jl>6SU5VP2v~3#)QZxwAz_(33Q?7$`$%eJB(G>=ViEz z86XwqGvVD4RE+mm^ZSAq|B`H%OCIaVnW`I|cnWVWuY14fsLx$s$0qPFV+D`*8v}^eOJSb zVXmS5Tm~@EI=$+%N!q=iUeaM~-9IlzgweWOW~^$B{8-`Ioey(=TU+z8Z+Z#irZ3WU z*oM97>AdmH=xl3gU&NoGy~|Lp;qofm;#+svkvIQ*yy7;`>DrXb$pmP8S&smB?tw2? z{QC1i#Pt8U9TTn@h@ZxSNJpv-E!rY&NzN>MKVhIC;O14{{hRt+)Q7_pkq0J8M>&pj&mp)nVZ;xtGbD36+RlMY&fGv%D=x6~cH z!_v&fi#iEMG&O3i9%6q>Foap6EEvSdi6k_ZlfsH}-72arCiGz5j?m-?0&QwH@y4aA zT-H9k&^DoQTi7eXq?UL_IGIsuVIKQv+WZDXNUZ z<4&rfSneeRe_86GNieVCiF5t9foI?BR4n@V9^HynUWhc3rEnQ+tXL9h2=?f zYE|S;K1ZdZCR_?6qj-vrxu+MacEA4$nfT)21;vKpkPIsRz;j;zdEq6dGoIpIm!=l? 
zgZfFMh#YO6vt&K_vwzmyP{;tyz3>n`bY)485^AZ?0vno=a_TU58+X)$e$r6JK$PX% z$C#V$MH`NEvk5%HSYu9Dghxyu3k7skcg6u6nXJMv*5JMb(uKdqv=x+9!UX#7$q3?L z7N>*40r@WKvErp~Fs+!Z*f4M(o|F(AR8rK|p~l2&k7JZMwrI@2ZGe5c!M@QRO^o`7 z{RaDI-22R@3~SB@5=a}h90s+FVh|$PH0+Nin_HMbWM!J{==ElJETwY+;Nu^Uz- z)pn6LPi){yG)U)A;I2v))8Dx^DYaL^u<3B;5dBl8HJHq7x*rQ8)oZ1>faFOF>s`j>;#kbF^U8M3IWl4Iav zh(@o{s6jmCKc+&HKY6LeaOLz;dO{AP<*bX0C^1(GEnf6R-?U2XNU2A2`4KMb2$ONq zmf%{Ieq;^uah|%)DHbP<`K$8dwMbGFxW{W&C>v~oDJB@=4uQ*zvz3zu|M-aFI+dGZ zCY_OQG%N|jp(PC~w2AKe-HT&JCYmVPqCg!T>Q=s$K!%n!jsw2y@=kxSFje^%aRZjO zPcD6WadoV5yf8sv^B+cm5dWN|t3*n(IMG7IGqYCR+7Puv-VS}dz>>k6o6~%YrfTAT zXVQY_UxYsr6=_4~9!5q2pO2jU3)9S3JpVHu^a;O90)BtNWNZUJ==UQ54FlEIn=hbk zHI&RSYEUBh{RAKk0Q-UolSC1Z$GV^SI@y0B;PonNb6(cJjbE~z@O3{@wSMaHRYCqi zQ~71!*>l-IW1PWI|Kf~WoV`QYwZK=F1wVnQ?KQ2<#C4X=Ek|hI4Y)$O>eOlDIN`lt z+Ni-NXg|&NO3Ge!-ST4SlS|eUdFl9O^_|(U#&^~%cDmEJguD5%b4!lH9eA*#Ti!li zv(5jN<+X-S-)VagHmOg*|M1kXvU*nMYR=i%CP4|*iELWR-Z0oZlwPU;H8+^PZ%R+| z9Ev=Ll2nalO1o{k@`iIDwEZzQKBCj}dvZ_E?{x1go~iWSdyso-d}-!BC%WoAk!zs$ zI9qRc=6e}G`cY~BKCE|hW2RF#K{b0nH{Njlht1>lFzMU#62*@#G60M7A!{U(e2?oe zK8TIA>~Vh?F`qZ}8$;LAGnfe4#mp5gyedB@yKtT^`?z)+sAF*>{a{Y%srP)_4;S^j zyXTt|eRVj~#NB$F^Q6!pWnVO{)-&870eWbj_r=~ox!2lhxUFP0Z@h&D`aaK8x7N3w z;jeQ)*V#8uzhbo+Y*fi>89#umKh49}^XCQP7;6`8t~G6cw%@0`{Cq|uMpT#oc=egS z+|m1*)J$x*As+kvnY9|(O6>0Fe5?0b+N^lqe3y%9^L!=_@cnJ2=Xwe=a`_DQK5`5D zxWH;@oT{Y zp+rOjD%DiK67A5=tluod3*qU=34a8RWOKy06wUO^&Kv)!_uI_B)KVda1$HqmOp}oS zo<+ReZ`c?p2W&$PaSDiZ>?A~QjhJvUbTSD;Lj=WI7f@tGNOItS%zhq zctz_1I#bGwNo+?vX?AdfBK47W)gi^Wf|h7%g>l=mg<^=z|F{#}c&=Y3|0z?}SpI0R zI&^wt5(wrh$nQFDwOdiD2_tk_%a|td%xZ;E2rbHI>cFI~k11@=%Yw zlqLl79Z^bsDggG4U>0Xl%QAysq>C3vs)#iQ7Q|)3I?9Zv!KS!WNXf&B)k>8WJchBb zIF+2gH|nSj(mb3V%^G zPk1X`HuyFbwUMpfe4|ZNee!KkORk`|H+yPDG5o7AeP_|GNhuXoH2gQXE4&x3YJF&Y2&RGGGF6~}bTE#Yy)BM!jFQxz@g!dLXqk>7@I zex=C)VGeL|MdhIlnET)gKr-PfEtP#A`+@k#3w~Z=4eOymh?J#(=%r9%I05xjO57!O z<}WM^Njl_AwCj&Vs~?&%;sa{LkukrtsM$bO)MqS$NyxYX`ZoKpEDMvzA(c=8ih=mA 
zMrA0k3i-OGprC4^T@Ku##(`unItXH0<9I4CQzDxbv4{Xxr895q-=tawuJOyme|dg* z!`zLSIM3dFWJ;Hf=IQO;48QMW zb4s_st|&zz6RUUBYcVs@EY)~LWRAaQ*>$fmL?FgM3+CY+Izs(*;M6B9if9rnwu?Ly ziIYCr(6#z2Sebm>@O?Y~wq562Uo}y>5DD{`HjcPaHSL&j#YBw%Y>RjJ#ZsVDJt9Uy z@lsfjlh~d07sye*^2=FC0(~`@NsG1q}XnJxf{2e1=GqRl;K{ht#aL_g3g(BZMsX?EennnSjK3*ct!p|C1(v?RfNk z06-ud|5J1yEfl0o&I9!M&4QFt4v@0(Xs~go?6*0r04De4V?U19qlV{>^QbL%P2gq= zg9l~DVK)r#oM%(V-kXcL>KeE2us%ufz^M~sXpRYDfb(v;e z!<-Ru`^!vE+X>RAi;9|Y{rh#-lO4m7ouy|&Mm$mv= z9B%Wi;T5^kVr(zpUqi#Kpox#F1TEJFI+WKxFO>jL!EKKQpw@TwLz@m9?-@YTG5IwF zMMGHkvblxPW(Bm?YvAX6tiyHVe;SXjYwPFvK*G#qejs-mD>&Be{6Lh(9m!YkTJ~ve z-dF$?g`a%wZ;wpAKCM49d0LC~yuS)zUUdOAXOzHF-I<=6rf_lRr4YiIAil3dccx>oD8{Q<96^-~F0 zMJ6wPqrIO=L)ZnY=QHgJbsY4(m67E)HJA72!HiH>J>0M7Qo6_MDwqP9-!#){t-FP1 zo3FELr$U;#!_MvY{8o8G-{(i2_OqB`kM+n??K0EJRQJ()QXhrilfqlez#OOfKW4qx z!|Nfqn$G(5Dsk`l^bRvG1_tN+mLZZXabM?2y@@L(FZsLWDuUJ%q_CZ@%@KgpN?ZlL z2MbO${lF*87@c^BuE*3RR6mG5uW{VQ2%{|d1Ao&sxVg-YSuv$v4Q{_ht?WTXp^HR^ z&hM?hKZx$vHY($4d2$conZuN&ig}E&ZZgy%-*r8Jo@d(Q_6ei|`t1OOf9c;6a&Tq= zdm=$~5F@0J{qJ{g@_Km`Z!YY~Xs}=l+T_}NPWXC6dj{Sgj{%VRw~s^*c~soZ=fCq1#xLP3ebE0vMW zMdC#N22_Vd`?;)ZjeRC?gQktW!D@2~#$<$1loZ-Mltm|s-e#(jjJSN>pyLshX-}5GNb{8{NTsJp z%$I_*iru%fqeM?=-Wb=)n_KEw`vJEU;Jx(A_U8bkO7E#gP4Q+ruS%&Ea^IO)cuOBG z<~+Wmg@vn*RpYmoznHxd$T1Yfcw#|61XOqTTE!$1qEZeYnJSkZO*9DJ)}%tmB7V~k z7&pR*@fNDasknZZqkE%@By;B6?rozc0{1RFx_DC(bSojC>@%_QO&RJXKpQ^LvRFY8 z%o@kWckthp3XgtpblPNfPEe`di@@(!koH%5((TL`r>xetLyCI-d%SNZhX&`J4qCc zmY6gmLve&C;l`oyYmmc6R+YO7gLxOzNH4cAW(&aNx2|;@8*{ce*cln zfp3JsVri^6cI94$VN^Kun>i*D7Oy1{13x)Trp7+N4ff~d;OsBt5~;fbML{;fX`EQ` zA)S_#2};H9ArN%9Ldq=;3X_aef>Zu7&^CpQWsf^IzkSgqmg>=ol#?4xyp(cIe_NRA z{6jtXY}K%A5C&(f1lPBauT}fGbgt`Q5Jwi;*xpvAb5;<9(fi~n1H)9<2eM4fDsBNH zSTe8yvA{$Xs)UbZfN|~BjOPHj{tDi8#$)J*4ZmhmhK7HmCIPw(X+XY4mFX>qND+c! 
z6uRV0FnSLTyh+2j)e(Iq5=-I`r#qPZZ%)X{bJ7_U@|se+;xboZ@}0XPw{Tob+Jq-E z9vIUIjSw^&aw9QR&vVm=uzLY!SJu(`zCvgZ3&Woy-U0Jj@fpml4O1Fe=cr`zCZd0_ z6TbxU%i!yFt|Oa_EJpRHz-2kSG-_lU%~;_VD+43KhC=603RL(7`~!F^0R$PZ^1mZ-bpcLUM14l|O^+2qF$P>qh= zLvhi_mgw`EZ`}p`x=~-)*+9@q^|oz|^_?{Oe)rPb%d%%Y_v^NM+DXd`;pbPt+n2NU z=4Ze|L(cQ(iJg)e4{Hkhx5q)BWWJ+iW_ixIuQtzshC8W?OptFzd-qGm^Ej@|wWjkq zO*onVwO?A#=O8F0Nj94xXI1C8?e(%p2RH)5W2p9UmvPNt+c{;?bi{_9myo>m(&s*- zeKAZ{^%BGCrgfZ##rav*rk&k%4wn!O&n)L_conjp*)=-nW%Ek&y=V6lII`^%#x18C zIZ%v2gf^x=V7eE3ac+d;G1<*R-JP*T;x4bZ)!0wdILz9+j>Pf~{r16w`S<4M9p)!$a7I zz1wX`O;6jM?L_rE@b!dZx884rU!RC`_~MHDI&pxLqx)Fd+5E=w*|taf2rOU~SOyUR zf7LlgZ3a?}tvu?zuSKg1){N}`AS}UTy54*^rP1SVWiF`v&5lPHqrP^X(8TBQ8YDi$ z{racKdGtBf*6Z4O7%x-j@)%M7>&Y@w&!bwooAqHjnqq2^-Rm=JZj7Qko7)MZT&oi8&2j7{Qa0Iq)VmsCRf$(&#qo1ziWSF*Fr_;gA@n>*d%C@QiusJY_h!wA%?0lYV!G zUje{9=D)u=$??19r+U5lgvm}9S-1msU;!8Xx;b+DKW<=DqS`eolo-5auh%~ekE>17 zAtxH49$X;yjjkh$d7xA3j!&$UYMyhhAzz)UseNsQ^ZWc7YTi;nft@RS!1(~br}Yzk zuG3!MJ4sw@x5l~y*3<2c$##{^>13b zrmnRK>FvlUNljr!raV%vAH{tkP~3CJ#85YCh#AJA?;K>B;gBpbX#TatJ+o$Fhu^1^ zZao73NYv2RiJ_##H+g3!_sg&zi}UJAxpNG*N>iw3G*z_2ws(ECfGiVTJSbO_{sggI^pJEZV09ntW`jh?T0ZJKR)(YLDnoK= zdEcn2q7`OpXIXyo7Ujwl94-n(>(W0T8X9bDUE5}Zz6`0SamopFD+T#%PfT*ncovTE z2@{G(%x87*A_g`R=0YB#o>A4F2n4``^`RImsIxgb7xNAo+shUAUWbMOn=_Wy%5}8n z%=d@Ay9YZ_LfNJO;o`43YCGFfJWqd-od#lEU zq@+C2rNSm+l9NsCwt6*^t3pw1NGm&EGlY)Mhs2EqOCT6k(X(u%A>v8OU1@Ydv5lf? 
zEWsoTsx%GvuxZ^AWUiuKg5!WYLz^h@t{hR@toTU;xogx!ZB&;rAUhXLLXRLRHiit0H87 zkRbn5$Ry{q9x4T^B+alnVit}XQE@1sR%@L45kVm)BEc?CVWn4$8W&lvYR-z1E(#SK z|EgY)89TbSmy>qV0kz;5?gAikI^jA-iW z#JE*bg@6w#)*Di?f_JYNlZ3J(Z{u3MA=YJ9FBOoG-CGMZ?xSCYK@rY0p(AkHg3PKn z6>r%P6)d|$#v;F9LREE4c8dsa=f_&&E{>7)LAaG}5(^aJDiW*GgsAt8eI6E(|0SM< z@x4t<3eQV)rxX*~Df8b^J^Q#%UF0g(s!0vYICWWV@P|XW$>aByO59#j5u*HA1ZBmn z??Hi(`CyAX0+E8m zXqYD{jqCSgB=zV#HPeS8P#4Sc3N|T)sZpiy5fK?}W2tScb+6r>m7V?C$t}|V6sMX0 z&j83H1cUkged4FG0m*B*vGuEgoVb4&9w17Ag37<)iWMJoR)8`^#QdG_gm_ZIKSO;J z-g6@5yR2t0)qL&Zni?*|F|&G(2JUGNcz0SS4xcxGgF#%{bdG&6H-z_fo$IQRd+t}= zvVbJ@K64})TQ%2Z9Ucz6Z*rF}k(=z7 zTb*m@_rlZmEydMosJ6`$bdxcd-K__k@ajHZPxHJL0ME2Ed)(No*V9Z?ejV?;61S;N z$2&j^Mzhzbnmg3h0i{pV3ZSoToeZd2x(lhLJoaByM9YUlTbmg0bNpDy&$ zMfvVMwdb(W)Ov@QvE%cUwt?s2a1mgOqyf$haOltUbN>Qms;^|gm<8@szh4}9Sbw#+ zP4=B@ztA-tlu2(o9NjLaY>%bFRMo#K4TaDTVsahi)BNcE7;y3p!uCt=*fimM?|yx~ zULU}O_S5`Ku#Q=6LU>K#VR^umuil23;kvKQ*>v9+87@AUqW60eGWY(l{mEA`_2?EX z$8WKnG?*6#e}j*~;C=8lm$h;QNOoZNV`$zgx;12u)4cgCZ@TD8xdPI>HLNvMe=Nbu z6K}Y%%RTO_$$N|dBR0kCu3g|^-KCGp;YZ5!dPyp= z$f%Ux@-uJzT6*#J{Lu2kum3Fe(_;IG@puYpdwB7pb%p~hKIGu}Pw6o@BKn^B>{;@6 zwKm*$qAq`gJpgO&fFGb7(|F*o-N!fkovBy#bH8`k9(nI6%tgP}Cw>P_VqrZa1HJej zkdMm!zNZ8r4pZVQHy;0kLE~!%^Tj~0J2l&q-H=g1N@8B7z=~2IagM9t`q^ z1ed}`uu9O%P`dMF<6tO(3UY3H-uahq!4A77#JwB8%TyM=Wo%r7lp53b1Se3&}w z9#1!fuO@cImJAMO=X8m|q-buFH>6k-B<;YdnW3UhH|s8u$HG<*G5?dXH6>RWPmyd9 z2T3i8<+xCYtVZ3xUF{J~SZQmIw44;H#V$=Kgf^T~oGp=wFVt&^N#bc(antGuIuWNO zD&5ZH&Sg<#Jy;nmIJ~#_$7<0@m?kCb+-VJL!`k)dJ7GkIr%|`5q0fwGBn*EmvrRbi? 
zmTjR37B_^4Gq1^sTxwM!e~}v5=-cT!#5a^L1CF@aTJh#dv=!+IDz%rtV#vp#F7!^n zj8Hm|nJt#9V)#r-oZS15saR*djI7rEioeYNJ5GT80^d(T7y8xzT<96QFZpAyoE8T_ zR%Qb#O2mSn&$6E|@7zF1Kae6V&jBY;@G>J4=)CyRv%ymTy!puB$I`T5->K>ic;C@; z7&F=|8jo@%T>B_!+4daKeK>k8@Unw=_bZ#x+I!Q_>_q(c`Snl{m7`~oCVIVdx2jyd zpyqL~bwEQw*EEict52;1m_+@cB_l{nrvKP#xK5(csXtjb+2i*!d8RTan^WHQy<1LU z_;R@s_RP70o#8Xw33}PFWd6#c$mwu+daB;=81{VWe${k6)6~8u>vX^b?%~jQzu(El ze(h(YYTNt1qZ%%2vCr@zfNGJ+T8*RO2~rdEFS7|XX&t?+9xrm;`sepU z#b+uR9@g8YgtOnu9Im$rJ6Zn_`$#*$q#)D34#c$3UR-^c-)teqv^%BT_6`wv8Z~?^ z_Z(MwrECIUn?jHPTY!d70IuGH9^gCzK=IP&#h`QAH&gw`hxu_|AMhs#F|5U_I~Z^r zT|wY^a2G2_42ajJ-Y(|WsPJ09ujmWwd7o|f<2qbuxc*o&-s<{Pm(x5h-sai$KO)pS zzngH6Y395Uc7M~K{OoLoYF!oGpl@&o=fbb~x8mj3eF@MHIm_tRb<++1Fu8K~_4z<< zc+IGm#(z}V9}-IMGAuBq_dfdZ)G4gr=0s!Q8b{FM>F{(;^2~eczm;>%#IWsyG52Xw zyICzyn1fd1!{YdHpL48db#tOOm*WL+tLg3@wYJZG9qvd0u?kWjRqv5&;wdd&`|B-c zIuCO1#h7Z99!S-(IewedE4uHimi+wQLmhnjCydvHN9@{_&LdiD_wUaC{5XI>9AJ+< zP_TRdGw1Am=Emfc27ub+Y4;x6!XLYuUMw`G z;0jq4(>q#AWn6Y1?DlTR_EQQCZ1_u{Oya6Cx7Tsp3UtZ?S`Mq_c0#t*i!YH&jFZGi znKPBsNz2SXLjo-Dx8E^i&CyQ)QSV)mG}H*bgA;;Z zvNXS+n~QR!QLt-O+?SkJN@P&1R}Doh0w&zLb7EYY&ss)_i?)U)M;ur_K}E5I<1}Q# z9RokVxWF!#BIEWusgC&X`X!kXjw*R%G#?y`tAr}*mtHOv_zfv{Yc^5^Y{2FH0GK!h z<9kb5MGoy(gD95(rt4t!IIvxUNoEhBy6IAV&_V^lE|*}Z9Ab;^2kNxBc4bh9e)2n*PdSwa?DfRZuyfq-Eb zRy`CYQ5cWPG}o__lnB@|lI1Uz%cl-v*5r6IWx)@Cgrxy~g%Ow|vm0+GqY}AK9#@P< zc4Q!4wI(M+%=)iU4s?C#m{6fP7mp}&*@<(r;XnFzjA=1>M4Z3mW4|~iL_a?P_OllG zzPhPX=MOVLNhg-is;{sQC-Auy7^ekS$#xKDj_X;E)B>w~2McSPfe)s{s_j$;$0r6? 
zpHt0T#1hfsqTmpz5&Y&`L-BYT5l4-tD;z1yO1LtqbtvhOD;3n<4~|E~QdGY{9AU?d z8%h>ZUb@scXPXd$H}m?`z4wF`UjSXdjG>L#U#_k?cDHVtFPYI90@i2;X-TOVzUL?e zQ$)H_&aNP4YK>B$azHRSY)M>ch`{j}W|w_qsA9fpdlJvdxO{JA`hB#ZF}ZKIcPf#l znpFmoDTc8=NG%QyU5M5(bJ6w>EQX**?1c-FkOOy>4DIWi;cr)97o7i*$Yfbb`w{u% zG967tazUAwrP{Z4lQGd`dQ3**xxFm0Zf=n4J#-fhhWbRx5vN@Ce{;J2^ZL}s{tgcO z`9*;!cLVgHIFJSuFuY6I0{=sQ|C2zLfD7CMT`O;Q-jLowy0w^HECdn*)5weAfE3h~3wgB;#1zoT`HVf!VpsJ!QurbxY)qD4Zf3|`meeY zLi?TeE7`DVno76%goYpXn;cs2u_<&uJCZd89a&!w4JkZ6bBp-!giCc?C$>$?F(mfL zX9G?4oh~~Ke{Gle30zK@CVU*OJCk;_fo)&*E&svW1+Q(ym*-2}SU)jZ>6y+Br6rEf zF5FIL_s>!7)&@iOVZeLDOiwoQbB|w>>UHWwwP&AN4t)gh{EU~PhueJ^W+LnN_E`ez z+tEs=^FfB&+iur`FPrt#i@paS_!_|P^={za#qV(8{9@Doc`XTVuFc-*2E=tfCTm?f z*<6sR>E7pB>Ez6Od5mt;|JsXY4RM!~)9>87M5N#POz3C&*K^7=qVu(Gwqf6JQxL|C zTfJ`6v-9>EGBm9TWcu-WCEBs`7VmoPLHYdGR)n7HT{Rl;3 z7_;elECxCNfUE$&89RXxHJ64HE`#!?h%DNq zh=LSk^0IpT+cXF6vd5^*3k|BVQXsQsY|ZaBB7TCu5>X*%|sb>m0xlnXx~E7j`_SW+4? zJk;i@1Jrm^2s}loc*k1s*4+$#(D5QDjD} ze}g8Y)O^UY8Nfg07(&JyavsNHqAjf_LZE0xe=aX@qbKywLNIlMV$rm%lapAB$)5b@ z0G}J~*td8eKV$LLe90)5Lntd^$TAD16wV2gVneSw5tpZD3f<;kbM&g!eo>6pS+vlp z0H*acEmCa~&mv4yCizR46P`*&D%yL@?t8APDs6(`_q7P&=E*1;#U+Q^;np2BCgKqV z9dsjsLzqnUM> z$UPK9>7BBJ6C6~6DnjL)0yLx$zx_>8?jlYSNR2nBV4;J|ym-dl7qKA4wP5XwMkOiG zx6XG73qa@tXCkUG-{asG94$-vH`W%+KMb{69xc+4;LP>rNhTY8k0r!X*eOP4G&D_A znDv`Z=wvPw0a9W!<1e_{S&ZOh(Za8omHRhCR0=HE;6DMb2}H{{p(M%iUlFvf5%FPW z<3^}PQ2~^-joMy_Jd6rytX@-sQ zJLkAQR5mB$^u5i)bY0pnpuW`z1Ilo$!cw8x%K{-$yAC)SlScpha@Y*`d7m&sa`>+J zRr*HKO|b+-rEjk+3$n6wdE?$@;^e3g7t_Eo_Tv?xhR%<#Wx&G~&gc}1?ldVv=y!<d~0I7?7aRw^IIi(SU11B+U5n}d}?h&jDwar0I#%*C*)aWhZj=m~pg4yXMgip~b# zBhHU))Nzs@+D!DWO}Nt3Dk@uLlkD7aNcij&3*1sG?k(zIAU78u@uQ9F(FTR&M`I*~ z!Hl)rv(Wk?jC%AF6ZM@Qm5^H!(4Y;O zi3Mq?<&3^@Y0))^CjW>p=7|iexDOpO#OHCkIa);eeBGyXWXX`LSM%+bhDni8J|JX65rcZ;@B*g$0eF7lCGAE zN>u_~Z_fLY8#MlXx2S9Gi@pW6Q1$!jo9)c*k8_GD*_eS}fHQI5WiFF#hb*LPKI56D z{vmtar_Yw1?T2Bqg$W%e;pa0p70cEzvr|8RAVO_DXhm!E0d zwvFj&+qP{^we9Yiwr$(CZQHhO)%Fwrjg8%XbEEG40Ch4?p8REZ%TlZF)~Si*VewPz 
z>-Hu8Fwe^Zj4z+*sIhOI7lZFB-_%4l-U~5bxQA=|=*~mC9*0kGc880!s8>B7V?0nZXh-L9dvr#_*q>o*L&i?m)4z$;I!7_y)!TeJS2g$Y9}?cr zY3fIOwXuy6d^42Eo9`!f>#%Lvj9t5)ltO{bN}db3^jV(59*Y_b_a{@s^i97$2cE7O z-oDdsUGHPK(Q2^G746T`?LK#F@~!Fex)|-}{^0=WsHB^%565=*WMg098e-CDWe!oce`S*L7lK_JMN-sdGTeWDBUy$OhCwA_)eRB^sA>%FOHPfZpmSG} zxDXp{kZ8=HgO?%*_DCibIw<#Wb>Mj_m7}u)@HrDN#6&sR0grnwoc>J@u?nN7_-dEW zqYi}D=;YOgc^Z0b9s(ll_FO+rX&82s7a)X2ain6Q(4RsT1NxlH<6}&;C*((vD~~kk zP28I{%yA@#$LmoGU~t-8AulAoQTk9y=VJs zh!?Tfs zRtPw)3MJVpji{yOB&M#G+$C^-ddLU0l<6r9x%cDVmVvL6N(P_9C%}Z`Ct6`S(AWlZ zSg~!WHLL8x1T14(Y$I9s!q3tX#c&KGf%e8)#3mvAQ*V^Z*E$7PBCIw!cc_eGZ-Bh z*gWQ3F*6A9*-?@VV;_iRvLiGP1}KaI!3^%0D|q*Ag*)EIc&Gm;ei>9Vkoc5!n?#@l z_geEkdPn@&zt0BO0vx@|cMut3?4k1qoJSz_2^%CRtb@*>+hd5p_7jl68X+cF4OrG2 zZ#3uO&0EYC&Oku=>-{LhT9jFDFmkI)sX&;820^=^+XzV%tk$e810i({6X~Na?B;kI zt~4Xoh1EhPCerXP9#Yd4aj0XVa^x zlToYf!^grs0vTA_a;b|}^(uWMaz(3gGY&8^$!mVe zR(Cf3GvOO8VNc`u>=eZ|%EVS@V-gNQ*aBmBHZ=PVP}C;wTCW(Byv6@7s>`PalvwGT zCzATDxN_f$8*HzB>I3`|?g5K301NO11xkMY_@vAfv$Hsh9Rjuj@jRsMOE)nG<-Sz^ zOc{3jocED>3>PHx|Ma}ulnn~6n9yt9_4e#GF(+Jk>n|*zP2zs&QO?qJnc^+qa=r_a zCb*rUoEdfM(0*NdPcK}rZgB*L`#S7McI#YKMPC*#^W@cxt)26RQtE5pQMNZM^L;e5 zXZbC-`|{m{GGB3C6sejeE@`|6&>mMhP}E+NOkcLbetyl3Ux{~r4y=y(7k?eb-6wBd z%lIyD#O_5tGw>hR=^pJwvtj62wj&NNZ%1C6>U=FBJ63JprTQZz6L6eV)iO?z*n+Z+zlCyF;JmyPG{> zwHQauZhMQt-kFBnEnw!$dHIbEFxvu@2STg4f) z3hZWV`T6bOUyh&oKA#jXtsgg^Jb{y+wr6@Sv(R^j$=)t&QJwg5UVm;Aliga_uDAT< zI1Gp*Hv}{d|F|)FRGTlSx2{rUle%sstaw(o201@Q96cp}Tx8`F=b)tw(UOZH<oz4cz?zT7Ce#K99@ax{3cM^%VxZ!Dk-+#)VK$N_v!SAQ$^+Z7=xtd|S%@t!AOb zAN@ht?RHy*J>uU1d6mzWDou6Duy+6tvwH_bFDVKj-Pg&NnUF6t#_$F~&6UcEay^3@z8w^KqTEpFsyzk= zm7WuUb9_($k9^!ePhKrJQZaX}T)QkMK!S;`;jRPP&Q4PiQnqCU71w2v5Pm#0#4@py zC9k#A$@qt0VwQw+kby)|XQ@+>(F{TSq$^~d{7L{Cs1prVuUtT}U1EP63cPk|S7JO~ zWU1Qv8VB-Sycic%#77BN08SDbOTPVvd1&cFlM)yz#xI-t0=maFv_IjxBZq%VYzp%g zC%B!e*d?esb4J6wJENOs1S@S$L)#2w<5D+rQe%erWPQfJY{{S-9*OQmv;W1nWH@J{ zChsKa7+a9XWleIWA(ZRv`2G}k{X)L0S*2t@rJH>*&?OT!8L6Fyg6>7!@ 
z?G&li!ob-krbnzE5ZA>59flZ6_7t!k$!8?yAlwYG9|)epRrFeD^JjcPLL72FJm%zjzeD z%e3skcufM~jT1&l6KCGjk5(cp$9x`qj?q1>u=(A_luBlmM#>FisBqZ)j+!{NeADs-a}VWLL^$W%(Tq96_5_0#;e*0{yO`Eh;E0Owd3AX_9fc+ivuS zE4-gSw>idM`+Vc#eOG{y@b7RMIHw0SXiaBYjGKjP`%e7I;01pz*lGlSD%K0-{-Rh7 zjhj{Jnvdn}9D;Yw52U8iMHFa)K9ue+)h0v0HclZf0I*5EqU5mG%jB&!GB=hY!cd6y z8ggkiQN(Mp__gbDOsM~=m=!3yg6eG${F!y2QM#g{RB4l$e<=rD68t@vVEz%d3AX~dXyPm0Q{h7y2O93!a7 z22P=E!Af1INwpMA4+eWomSqVkUl9jR`jBdB2f`n&PO30U83DQAZx+$pD@E3UUjf}x zyjQI%m|*k+>L38zKVE58hB!e&U0X&glx(QnTw1G)Yec0@)iKSZsMP%bJdS~50wE8G z^S=Lqy5et5fqxjAUbb!XeF?vW1)$P`l!?BkKPf+5zx;i#zx-u*Z>iYOQ;2V}-=`}U z3d_*G)vXb+zY~G2V;1)^~a@ zh5OMy;cJ^zO8!cIuPcwW#CM*CX*t}=`dKppJ}#%jcs0(~O4qGSbv@%-^=$XcTy_4H zs@tX4Z`O#0uMM&DOg6!W;Uzv_wzRFwBh$w#B+#oCo}HimIe8kjaB<1)IhONFYVF&i zZ2k;PzR=SV<7so)sjbGlWN<+Rwo99R=eOtIj4TNn7Cx^x92WN*9yb)#>7~?Pzxzth z*WFmcu7{P&=82a@a#}t;rERlp&#Rd|M&|Q~$SI6+hOY6obv=)D_4Dv^i~DF~7xY_TQ+I9N#!#xQyyvaCjq5S_T~J?g zDjWM_mGd_la%{WNHV(29r`!)}+@qhfv`^;fZCZg}T`q0FtlFiqJib+iOrj~Ku(s&s4i@JK@)B8C>n_uUvFkR{1o0F8R zS6c4puGJjxY0O~+w+jf`dfh)eK%QoV2I-PQD?2lU_Gkc|hXy2FB@o3yF7vK@>J9Din?1$dfC+4L0UEKIo6(O%{ ze`b;%i@V1C*Z<6HegA%L7fl0SZHBt{_|q6i1_^b)@wS|16guW-@pi$X-MK&kpyx+1 zu0t(?J-&UP^0#?BprH1dE#FA6ngJMuHt)=`u6g$sn#xOD}jHR@c|2*p;MxU(3w z_B2W4M!{(2QmP40IhdzONyCO1I}_3 zXc|*pdL=!)xnar*bWX}8GN9jnofZ9VVJ!((;Qx7Sg$@1&u$4Gmwa3U?Edbb^6|BfQ zQG~E3a`*k*OgP(YF&I_yn4_Vv0uYi{GTzTee@$;_|XVbdCdqzYX zTUtqw@~BVY%(@SG57tk8xKIGnK*`s9iV3pAC=ofxsQpC|;= zD4$j?)UfzaryiTF3MkC;332~{6k8Q~#taS0Pv$fg|GeeVV!E=CdiuXXaS3FUwKyY0 zZK$GRiq+_cBQuveIf=1L8o&J#DB2V7W=0e6j6;Kdj8;k&6i}k)kAuXpO*L=QoV0)w zQ;1s^iK$9VRStTMO+~g#Nzx@GNcsIC;?$HjZID4V1;fM;9Y1AKGX#rpLWmtBU^I7Z zjTsq{`i)y^N08_UaEw6`gQvJ!xQx;TJPyR^7PRT{md2Sx!JhdA9ij+mPlb4}PJH8n ze@@;sj6Qt=SHEmou|c#8PrdsI>w$D5O3d57IpEOsrG};X3oTLf2x~vk<%YBtEKk{z zO0-(yp#ZE^$3+IDr%N;!5;BW^DrM||oP=U#g=pguKk}vqijeud#Z(x2l_ATz{=Q#l z3TDXcVicnfIMx~r+E%#gm0eoKX`dOo0?_@F(I-KaY9n$`hWjvSu|l|5ho*3f9*cOX zs0y{oE^B3$!K|&@Le|-(2Q@!6mFt{0dn$>_C5Hk42VT`6@TD$_*hd0H+c*!AGtOh~ 
zpwDsr9jL^mB~z!o0TZ(b+mnALsCr20Ro*)dwR11T5OX{K@u{>sFNUD@EPOB+dXdnW zg*2lkST}i+n6ywyjf>7v<&)F2C=>0xi4@6Ig?3^6 zUOFFr-><*!`4@n)W0M?<^Y^VxN(GYsS7`OD8kO)dYB{iBleoH@RPeN>KaBEj zOO}qIWr#hCMkOR!u4^0`!yK+S|2 zVpAikbRr&yICLdkN0xH&0QOB6WLP*&PR2l$MM~qS#>y@h27)wpkn^=iFyc)}^M5*- z#>mx}6bVOZwty0AYE&8S6-+oic5&yvwPrz_E9RTZ%Q7uJ&MI|cB&?Hf{-Nk0p&I@% z666mJZNE?e$qC{&m_)CPLG1J>R=73|2fK-v={$l)4S``KNf7+_TN4KRD1%CWcl7s; z;9{0K_On)e8A;mQkMp;{Qt8Q|{aRiO>f%BORR(C1|Jxq^Hj4T8{vn-wi>lIpWa+_| zIv}3gF!I6k6+cu8gdm8Z9oWbBlG=ax5YcbW8}SA1gD>}eTru0mhQ~>BdsSOtC59X@ z!X2pmX>8#%Dc)DX>SIX}$h`u;#FHV6e$lf(1vTA*qG|e^9)o?xb6xYK+Izd(_c+~T4ayXuL9kFu$ zTI=qjY;!5cjOOUkzTNnAaXZPkm~FixVXk$*)?v0CrgfFEetMtgkXe7~y#J<5`WtH+ z40#_*Qht0Wm}HJsrMt3s9j5SkG85nd!&f0c9>PH7HZV6zzox<*34ELfkFK8S-rJ4U zS5IbcD=jZU$*cJ-`ZI1XXgztouGu=HvsIdWANzO-^o?6N8(bHcxHCK^A_vu+#+6gL z_J@bB?$$G#UR>X&#~vcYn*^gd4|+k(u5X`$Z66W531j)}nyz%bA9=%%VHovSwyk5y ztF;~;EPuZ)+SW~LxfG*587}EMsTbPK5N<*C7XmrlTx*?~cM3s;+}{cZgrcX@+mGtl zvlg|?;*H$*O}7uHUME>GGdzJ|z8$ZZ^3}TRUbh3Atp~y*M$%PPhONVI&(`c6H#oah zvJ>W%ouuj`-Ox{UqtS@o->c+uCBw67SN-^xg%4wk`B$<$@AZfT9GMyRQ~l{yH^Yrv z@-}+g)IhB-tozGJsp7o!toz`J{&aqiz6yS3ZtvedUV-~n+W+`p*l=4q9?wvMDSSN- zkh42qKRB~D@9)yv8NOEIU?cY(^?~pYB1N`%VqY#>oU~%`<6r-~Nj>-NDg&-Ryz+04 z{*RHMuw_NVsI*!mF0vB>F|#MbTP?Ds&oh1(ry+!kDsX zqv|s^JUa|(DaI_$5FJDuetqVTm4@_U%2qZ4k;?#nm|j67VN=H67j5$9k9EI(NtR(f z{mEyyIFC2d5hx2~uzHV^LrAs%VYgic)J9gIwI?-}38F^IEd<+?XqFMPoTLAJb(Shu zCMRf(L5)VU2?IX_+O4E&C$bAC?T->wtY&Cn1!r1=Y_=knlJW36j35MWyx9UN!|t?) z(E>HyI>@bh^4^G#Iq^BvIWKZFe|N@Tu*>!bd{IU62M@?w$t={M6rQc=EI^mPsMYz;>r|wyrrkOjU zYnhAKYe$D(aR)2fV(Co3J#zXWe_C`Ni`hvpNQ)?uQWj#!&4dFF>;+fFx-xytD)^d&=&6PH*fsU1INXL-8irPS! 
z3fBU4-6on>NTx-pRT=Ct%F@E&Q<%|(%Xx0XA+w;Ut&Ejj9FutF4=jh4ex_f2i;$>= z*ybed*EA*m@?aB*@20ReMZ^9k2uktpE$Hb*EKx?Gkj$vRbZHGyQ7sI#GVlkK@MV(+ zzi}aGebtdrBo2;PD@SKA8igpx!TSWe6E0|p$4xXu+c6iXi9a5eYDNk@jNJ%Cf< z5UNLmjDC9YXBdbSJca!@#mYIZ;U_ALCWD_2b%Q;Z2yn8G0(MA>e-!|Q9uW$4q{SNt zuvAv-qB7^VU7Cg&%B@W zmc!!+&ZQ*V%d{o`D$o0~Y5kF_oRsic=%bcE72}~Z85IkojRaunPYdZapTrZC2~(M= zc?m;FVJpnQT(V&P%*5l9VyWr5vULzSMNIIe}OZE-lyE0|&=`?=MU#!g)NxMVy2`ZISBa z#R>e}=(@p1HQNh;!CBOjl{B%fBX+e7+5hJPe_1&jY9OMf@4t$^2O z#Q!KDegaT}${a~w-_rV-2}Jr%9ScAO^??cHjC>PVQKP(e?)d2&=V~_-^?07!Hr09D z-y@efRk%dc-rqZ$bLyrWcaIo+Kk6}J?#W4dqyuf(g~ zKPr~qCS~P+-pnWS8h2_EE?#RL1+_|FXlyRG?ljkLd02}bQr5fh*cLAL#UE8Rd>PHI zhVyz(r?o{V`NZ;vQD*1H`WVXL^$q8>oQHS4eRK5m1f^uNiIdfGOS zHvy1*`ZmQAuk3{P#k@_Q_w$4quf5^fvC-4taB1n}HUTcauT3TCclphS1?S~0!-zh0 z1aIe~N%hLk1vXc`jn;=JOLHsN!>!_Q=4;*0uBWuCM8jLsqB;>vvdH3lp9_oXA3&2%%q&PPH$YzFu1(sq2eU6*Ty z_WO+qK=8&Ju-278Axe1}7)+!!2PIZ7=H z$BO4Tf!8L)+Osi0MwZeIW56F;K$plEg6*p{$$1>`>B|MhkHW;>$tHQj6kga+E5hYE!G*nLnk!p0y;qFyF_lzl_M%A1omG3Gz(;{wAOGyVZ{!!nl=R zJxKC%Dt@TQCd#lUsTfEEF++?>ae7Zkfe(&K#S%xE5Y4=+R>$t|=@14cI{jvnfVBuo z9ODZUFOb1z^2upv6;teok)Sj!?sWk>WR75d$dQ^R03m10rYF0MA&d+|=s)ya^lHvH zbJZ-O2TnSVV~mNkphkeo5HR zTsDZ$uKtxmGz)0I;>St9WO5?~T$9_X-Ufd)!U64 z98l@5jcE!}^2plDf$z!nM~&97K%?fQh?bnufL{r5X_%IDkh`j)K#!l!ARDo0jSLer zT@pw<^qTWv4I0xi@y~sWxQ)>0;6fjE8PoYwwaw^5E>`@9h#r@(L)?x zP>`^uai>g{c)jEl-u>r4szjB7zY&UPW~pkWVNrW)JlkFSanU~qJj zBtRk{7raAB znMM_#>go5WeXO{O0SICX0atg-Mf-W;&i%61dBh49q30U&gyQTNZo znkuD>A3+?P#Ob`H%TsrtFpjWN`6~2ILBtr%G^Z8cUdPajM*o<@P7k7ZqkVL_$_+zm z4~K4<;}7Im_`FOBlQh-@hWA#eYDY~%aOEhi)1yTmdQ}#USjSkU6WaZe;GkAws(f?~ z=wT^q5zw5jt3%IL0=?`C7ZU|25hWo*G9qt{Y4(5|gLSP^Qb!MfLduEt(22BalcG_K z2PZ0q7BNz^9euVxRCv`pN$W3p>vqO4ayjA*>Hy|IyCS41w7yg!4q#$X+`w}@kgRCW zcRR>C4LD)T+pzTf7l>p}@^cq@kM;nFlzqTY^}xHsPlils4>H^(^flcZ3{+eG+NIaH zdQxTQ*$-8=ZP_1S&vQl~;B^{mYo&mQz`T&(G%P5YlKtXu1~!0H1#gsf;=-p$5x+uFXh4c zpst$VSTKUM6T)}C_?C|%+A7VvutVbxEAN~u4*Krp$y8cG@0z=@@sF))MteWk_dCz5 zj!)J3EYJPMZagQ3depC#S#5#s 
z^*oM)W%E;ShneC@nfO<}pGD3!IVNN5m+&J#fo9pXU?^Yu>U3pY2iFXEg)1cgb`vInV8_+S`2Uq#H~6kbCRwT{UMo!1_BH zem=Kxi$iZr{ryjJT6PAv2gc-3*efoiZS&gl$lciTPU}rR<8Koj_>dIr&REdqb^f6J z+;;Fv+uY62@t}Tly}Z5??d#?AF623tT0PnI_2J9+hV)o(DcAY}C!^^ldil|rz2&x5 zeulI9R9a4tb9td^5rX>=bH3}Ag$=~ZY0ui5ph`>L6 z?plbV(!&@`KuB$}ulYFBF5;IkT13a6MgTJ5rS+9siMDc<9VQh(p*8R;h_`DqS1JX&6oS`QOh8*~c2 zF^exKMM2(f$<~5_fr(rtfeSMyiyo&|C{`y%2#eQK?fL1YYq4j9cPyP7S2WC963{H% zA?YkIOM@adH0z9X6r?sZg-L~fEoj!LMrad#85##6ov)Hw>ZB4MjI2w)x{n3MiW34Ovp@oK8+b87v;mh~tf=?rQ8sRD zE!BylfXlEP-QR%}mHr6;g@>;3FM6!@2LU|ml)wT-%)8bHB|3CDDq*r%bQZ0|mujW5 zF1E&yP+tJsqg14Z7~|EcMYAQ7qM6!%5NDovk|}1$aYE4sbn{qnLH1sem6h`<4qtQn37tujAs1h)_nOU z)wUICWSa`8L#4&c=)d^D7keNfU4@U{7vlUY2QV0gg7&EVHk)q#Ew9d|=XlZiJ;G$F zsyflTbgeATyKkO0(oE0LKtR1-Mjzi}(Z^3#O(o)oFk`P^qXzz@J+^q@yI`y%DM$qK zY8&w}7WG)T2bZz~XVPdSO*g_VG7>zOu>4(M?dp38N>(4IEC&xsRQsVa+HLVb4ol`*vT^0bGx$PC@gnkW+g1MB&fkY|Divp3j-(-uejF zu+`a4^{qp9;oCL$6YbSqH%Iz(9B#l*`Hts7^Jc1R-@V&qeYZ1!w0;(zAuhhLb?5$3 zaXj~i;Zr=mM`g2eHEUFh$9%H?WZ3yO^L|^Vt(yzKNxL)u4$5!`^L|2bw-!0?Gl zonL$wclMPs%WabLX{ggC!{tRvJlogS?Jo7e2a=HLqN6!=9n101Iat2pV+OMP%Ic8e z8y#wD<97HUegT>MCumFx@;no^Ioo%lqBr|O-*O&XMtd!kVKqkIF(rw^HqFJe@rBv zz=9N0GQnz7(P!g6iqku$@kl--p0%_;>jiMB;+|+W&M{qbANy?~2G>>*c%uy`A3UkG%n{0GdIE2(Z_7Ohn&@ zCjn9Q$-a!S^J!M^7kV!Knei|8D3<*!NNm&3b<|*`&T+2QqJtJvE`zQ$TpO#;PeT{Q zZVqU%E2PzeNp%ob9xs$KWX!sGx8Ym`OEH96R%9@T^56ykt)yy?b4om(qEfCp)r3^d zCgnT?C+cZjl7)Qs^*7ZmF;szxWG1PP?+1>9Xk>(1WMw;+4K=pYiQ14yW%jrWOL9_x zJ+WNDYbeWjENI2rSaD;P_3fy^NvarsE=WaRt{Cm=eTzq>mYo(FPt@@tfVrno3ahXe zB^Fi|BLdZCGq6V^l~g9XG`7=+QPxZTB%%#9jkJO!oWFq2ojxp3zi@M<=qxP&p#6 z!q_iSCts&XMAUrFBK?kpBd}MZ+rK=lZzKZUT?!kE9q@0Hjf;z&fXnSbji$f~$3tPH z&WQ6&h-9snid%;HG6PIlbjidsF2_`nlo28F-y~?OUNf~4K6x+7mPCys&h_A)cN10< z7U+c~1Z;Cgijp;^rE1W)dblcGM6oVO(kV5y4_fTslLEXVse*QB!k>_%1-kIqi>~7< zD>NElY%~bEhARRr9Yd7kGGccZ4S$z(B4tX=u&!?f#^hQ3tA3%>v!&AoWpah9cS8Vk zF`j_fK6OBOymF?_(v)4`9U<|@?rpXx7l7}G|5nt#9w~bY98b@7&f|yEy(D+81BDVa zI6{Pfmtxcyy)K4h6it(VRhC`36^XumBQclK+&6yt%)^ScUkQ)qTmk%7nwMMzDrqkF 
zMPZMb^A91Mz=5^GCgkrCbMGGB8o)gyr-($yFWkrvzef)1G_Ypqw3cpsnlQNb3(T+r(0h|Gti4GffTt%88rjk<8t7ShUV6u{>MNom$ zs&V!S5rS}7)+rjy<*XhYrNW@qzsGF@T~ zJ1GS>0oauEb!1#U9J6HNr6BZ838U~AL%8_kq`H&ih;-2SaDr57W;-!}<2Ur*YRn5@ zNlMOv>K=0X)l4GzCBdRJ7ek;E5R)9xoqxl-e`g_7 z8Y_s!$cZ^F4gV&W3D`^s(qIttmhZ@Jt@XS}Dv@aM%eU`0vo${z@boon2;Ad8=Ow0p+5G-| zyUidV2pu4?BLdQ|;0F6bIm1PGo4v>%4m8Nl;r|8VyZm5oI8OrSA0h%m(Vg+N;rq@g z?-SN~CQfDI3Tqyz-5hKi#qROszxS`5-^KE3!2I#C^9X6(;g;4`|MD63PX3MX!=-*( z*WA|Wet++Fo?zq4*1W^_F8y6xUP=8V7{7_cd4}zHvc>UhH@Sg*6NjtrJ-+#R+n)Pv zV7{u=yjd6m@}gGe>2S`>vKxWEdDC%ry#6WUv!!t-jdrTdq`#1>Twi1DKJ3GW9f^BU zp6j3fb)z}L>-y&UcczcllioIPc%luitjgzxn^ygGookw)W4}`S(s6nUHp>0z^W9I` z1w9Yl=V@r462qkpm=<^*bvhjQ%eXB=d`MyFnZT>f-@cRNYv3`i2XvNC~ z^6K{mV5Tl0Hm`dy_rtoc{c-9wU+46Dx-BX%@SGh%F%Gk;^-A0KZCH_eYV32v%LZ)A z{;rB&x7ic6R;Av3G*a8u2+_7-qtf*t0yc@~j^lL8f9hk=QQFC;brz`8J`Fz4PV>>& z&-i#1#m&fOd#|eJ>6+P`wBXZha6NSA>ToA}&eQz>e$V#tIW#(6&FA7TTfy3NR+#0n zH_EGCAB1bv2^vx?zqHM@^|pWiUR8gF@_gZ?aq5bRf14b?>}xFk5r(O?@jU^ayWh9{ z>_n%N>uj2qd}5WZa(t{ZuVA}eJWa(P)SvP^{9JkL%RdHsXaaMOt2hl!_~%#m(!kHJ zfG;pWo;T;KyY}tPuR!CA{A#4`(9dY^{fA@P1z+J^-+g{q=98iiV6&k28Vw2T)5u(tBLd<8!|HXzK&F`+mx5Tu%-;2|13>p}BFydWO_FMMt+78B{eCE?yU zF~7tz#t*%$FaGU#ZRdaTmVO7p3*se|lL4u9C`@-IFcad+51%T|H$>h>;FlmXBT)hK!-EXPC8H_2 z8*cIxlm*9<6en9Cmj9Ujfj}YU1G!^~4vpn{jUgg7(#Z`8+z?*~EmA&=SfXER16^-y z;BAemQy6B$>?6xc;#;WiQAch-<+Us#`&O;-s94KT`1oZU6Oz>^c<&!3bB!GP6mO#B zi?uu$@_UO}nK#aSh3MebA?&R!rS}TzNlKbgQpkGU)gF}{`13DDu`K@_^0ujw9m3^^ z`ckM?>~X>uhv2iGxLFl)#{*3&Su1ip48&Dan-#Z@_vGeEo4{(Y*bE>}ghUX{E0bi_ zK|8b0)d8e7L}{#a&~*kde@w>oRBv)yz|HSEk>^Jan7tL4;iHlr0;=u=ly2@sm;MH& z{AE-2he_zG?bsk2`X$S~xu#HJ3==7kH?roBbCiTDV@SqTfhJF`Q}3TH0BeJwyNO@q zVBbXX@XHT7Id~8Qur882Bl^I$MV9t!m-e(LCsA>fq{p5d7v@n(RlCIeUp0vZzw$H; zd?<%DERJgXv)L1UxdJbCW@UVzUEU2~vYXOe)XHle%g=kB9f#;Y=ZL3JRCazMR zd2FH}SPO+Jmg{+_4?g9(T=@y=ki|~AySfp}s;LqyRXRlHOW zgA#2K{F^;fW?}C;*+F_#>F6=KJtD}|dcxeQBRJtZ# zhzvEV(~XFRN<^(Cg^I?-_^VF>R3Sy7Wu~06fmI#=Q)|`5GzP-K%P@rLk8es0Xlj3j zPth?X%C4$Ko{ngMR=dgYd47}xcI%76l`NiMy8_^`_HR}PI93FNfUgynXeWB|fL1Bk 
zy%NZDu0`zEhi5!lEgBh`XWJuDE zJSH3-GowZ>v{jd}`5Cgc^BL%32Jq5|;bcn(PK^Bdv@z3#G~6rBr5g31CfrD(Vx&;lcx2#v-yq{0RnuS7LX>K#LJl(qV=Cc3mg>^EYVjh$f4X>6LHcMGLf zF&qA^jtm5|{tCY@D#30z>P_VeS4;nqn6g2UEQcvlA>2%Z?N^K)UNWR@$A8%NZ&iG3 zluWuPfk*vNxN9(cFfK_f5}-ptWw`*Bp%_)D3>WTqh|_!Kg1?_*l1H^>jAXsw&P-4q zs7j!MgNAcI&YL&>h?lFAKN9;}buQsfWMfJNmgklY^rI1#u!K4)}%WtHafo^$Zz?fU$qUEy`^2g$y*m$a-N z%Ky2R{d<_+b80m_du7Wq0Wz68GrZeHlRP3*yH2l+Pm|N|KARUK(fmAv%WhDe<(T$4^G+!}xc{{F?&4M-`NZ+XlhGNz z;TgKgJ@z2qls zTP@FrN0bh3@BEOX>59j{dSCk)+*P|i$awKEQp)c;W}3D6^{xan!sX1HztNNb%qOed@z zv=IYFD9Z;ExIyXO9n;FU*VpV4ToY_{oJBb!RIp}iM}6Mvvv=9oUaSo-sE&qr<9A5R*&Ce(hxpYh2PyahCB*O(gL z2gf(-f2}B|^SBMz`gX6tGBQ6;_f$Z>qyI6pbpU+?X z5+GS+z}L!^BAjR|a~4%!TMWRb z0xCSa-&bg79-tA%ClBuml)suER)+kVZ}sJI-r>)D|9;`i@EnMs1h~h=2AV<;A_MI_xadOvcu=KxyGObU2LGRwPqc0j^Y~KnNNpGIKuat5L*Fu0fFVv!E+@b+N}0oEIoNR2QQilVkb&Mif=-g z78)iBL}dz;Wo(fi3!%xu#;mht5jc-QJyg`4Wk_;1DNzv_c!~QWbYrw3^0XQd4X|Sz z5CW$T;2=zN*edI{KknQ9U^#ReES zq$>e*N@Hk{Y>5P?O)=S5^rR}njChcGn=G~p8HJ={7i`{6nj}z))TH&EyHI9R2OR#L z!XVowa6^N6M-#kZ8m@v7i!u%Vt$>}!S+5lZMhD{Fyn`~DgY1MqG7&({vTZ;LLQDOX zgJbGv*hqf62~uv}Zaf1fj&7+y1;T`tXsL-a79f~5Mzva(QI<5UNTHTYyh^O0J1*#v zF~y08PvfLWh*RkBzo`0#@JgVq*`TBD*tTsaCpJ2^)3I&awr$(C?WB{AZRh-Xy7zmN zHQmG7wW?NC=0)3|B6WLOF8C&7xlA}I+PLb+BxX@U+bebAo<`h1mA9@RN5N7$t6WZ*jiE9Ezyn^~} z^HObpI!jE{bClfIf;Vma_EIux|DA7xo$MKwqL72GD~+Lw$6L{m{~7fF)V@|BPkL|z z))me3vm7!9WjLa4jR-DPGJek)RtrHnXmZasIBkJ57aOwP39;?sUeC=I;AcA@UtLsF+Y+A$glnf%Q>Z`Cpkl2||JqQn9`yHuG+iKWq> z6f#@8lF=~Qq~C-aDG2SrqjAbpa6VGFTPRBA*@E*IxKsf>x_4`W^#WU_xm}haidjr- z24qngy}5EoI61fKUCvx8?lf&sF>SOmT;pbJX@fQxgyA|*QiZo}UH#g} z+$XytD-!zIxPRP*BZ#Q#^KGdMjZ;Rot604woLv2DR=?noIrqhnf4q$yHrs^-H83D zL}J;`e~{kDS0%{i+K~A&{IqxVn*C39c*S_icM zXe}tx;Kt1hOce@RCR*thEt)^5JY}$Rn4+RL`JiMwBoS1Z3(@JBjkq>jG9U~k+KEtz zm4m^<(FGLfp?*4XXR=kg>AF-n)Zh@nSt_#56nB@cO*?c!D-M@{9dcLb4e=HKeZ&pN zTiFgsiUv0@S&E4;<4>Hegj;x`jK+~Vl{i;;wSgLJ!WU0(Z_}-iFe5^`QK_tr!Eou5 zwtPbs$q0~8LNxzLEGt+<751QKg!wQHo(IhP!U>Td2KJ!6D}T0bK-%i&0|M?i3>!G!ACC@V@KbvE} 
zv9c-Sd-)cb!l$J9`IHM(oJ3gR&uz1sMOifixF2N==VzvNG|&WW1mM*EcD2o#_xVir zY|%m2wF(`a1?*4c0#ElFU3P6pETuJBandjvT;=e;gr1fM8(gGE49=Wv5oR>Po`X}GJc@6p1#IKa`x z*2X9BcB(VQ`@CiQj3)PEf-H#Bx17zj!{M4D27mYU&JtlY8ZK1>_?YXI(&5G6_}t9U z5#-^V?nuC0e%Gh*e$>KmwlV*qX9}>N#J+;Ts4m;`ax9F#ay^*hQEM~($}W9>zjS-@ z`DK#hdX!zRd)v&_+j$k_S(|gaHbMtHQo8msd;`$S>D^v!r?$O(Oxo&b*5bp;@cg@F zs}V!cGH~~PN*-RLTbMb&isHY!@cNs6LgA=(WNOQ7`-!2aQHSpN0t4m!_X{`&^j&@2 z&6B^+9a0A7+75pOzS%mXn=~&W)BtBW<)zEaB5scUexJSt|BTC~ zC89{xwS(Sl3AO`8DP=^KB8rsCnhS^xU82@R{19mwtB9Mk(C=`QCXmq-;}Sa*Z;aP} zHVaf+25e0#dSwV1A@fQM-F?E_DC!XT54j~vJ7sX^J<^I3_opP{T8zt8C?VYWR0S;- zfRFnWGyO*K=s_GNU6e+^N*LKx&L4n`QWscLptyDrAP-+Q?Afp~V9sWtSP-@LFccU# z%CoGi!CoYnW>Oi_ik1SmAVraFBrsCU0UMU~>NgYT7GUebJ^xFs6gwVlpjfwotRr%f zCP`t2Hr}A$c(nrABT1@^iYclLKc{9FBctVm? zo=*$n{Tgf1m;__xF=YHmt59)54HazqQDY&f>Crh^&yswa<}8tb-&v}GvRT_He8hvk z0rOFQ+&{r~j-hj5o3Z0j7}l~f?-bj^!kxP7GWb>J!Uay@RNN5}{|dxrqe7QboL?cy zM*_y&Ml}--rwW*hIIuIvXyH=q@6&02``LPamXa>UX@WbVE*TeUEch8>x&GwO{q3>N zzKrAGO*vKxO9n@pGX2QOGL9WsMFEW`Z!wsXwaCVdBc&c{F=$hANf@b zx}sbQl+BUlP41G=Gqzu@U2Rj1@qyB(ug}=yF8X2FD+W-b=*_ll-qbB(`k)AQ%_;6| z@N*s$qfEUT-8iHtGCZX!Kg=S@Aw>goHQ0-oHX;a9eyNfP5u=ThzP?@X_it?c-)#5k z6=E2eoks_F4e^B@Lc25%+MI@)%rm9j2g>1LG=I2LWu&o4swo=q;-Aodn!F`Jg1eQ# z3ymB4j;%IIt(k?X?8vUd0_fRcpLFNyWn@G7ompG4i(!me5s1gmes zstDDY*#e2G(ElL%G^bXLCTPt@$f6&)Oo+>H(I6S*;8qM!lQ6hdhZ-m@Dg=6JJn*B5 zn0_CPd7Q_AZsqw5Mgn&vm=HasB09)QEz*m74;B4U{I-PKZ_P_KvMK(g{?ed!1Cqy2 ziiUetC~acY2K_8(_~ibqSCU}W7YADTCi%P<=9l0+1?N2QcD1jU&1w+plsi+30`l+! 
z6a803l&i>4B$-6pN#9?>3TJ90e8E%D%$gfCmoX5#0P`Z{A43~~atRiSMOQ2^bB8*s z=VoG6AT)?7C&PxiX3rC%h&Ga5du`x?!+Ri3CqMEAD}FCjRQ+Y)qdfm3AWVx4BXj1` zl&6C|o?{zf)hO(VH;Ds}I)m-(-jgT~Z>;8UIRqV+s%asE$1X$~Sv;=Et8>&L1v{A$ zSR&p&IK{b1s|A-%KM|5rN#Z>yo!Jh_VNo(h#KH_lc)TXLTpxkUDaFB>8Dm^JOvxs9 zf^{24X;x(U?ZiKlMnq$OXCuR;PUs8tSf&|aHirW9APrQn8$@feh`baut2b%2Zo#a4 z^-!N-F6J#fQOYv?|MUajP6Nb`?tg&r@;BSvh;OT$-M!D7_a1=r>u*Ik#W!Q`+ZFy2 z&imm%WRUgZ@YT4R@!6TPaab%{DUSb(&oRDXt*hNpZ_{DfT}@Y$`=McYC1r<;u07dn zqpG;Je?Jmv|JA&D%P_KwWb1L^KLP4`;jrWxo}8QAo8vqYANp~yWBJuSL|2axM!WSOs(-A3V zEBvEWS0k(C-z-?|E!__n+@+~-}>l)W8rw0qKx*d(!-IHGZFJj&sDYFsk z&YpIqgN5E+_uZ^Z%SD>d?t1XH4e#{#ne_VQ+L-RcjiZ{_?7NCJ_@}h);c>O>57(!o zKk^GZ@5e_jZTlb2HtS=6$2&mP>j4KPVVeD>*jA?aj>n30Cf~EvXXX)LF}L02z3^o4 zc*o-`lV`T$HCQ14ZFZz}oS<#($nz_Ki@|>WsS%%;UbFL`cH`iq)`yRti{sxEJcNh# z+^c8(%kJbDX%+nTi{kSc?#I#dkGpKg8n@4SYx(cH#E%V8=^o1K1K?|*V~V=nu>WL8 zv#<%k`9Sl#xD4SvTcz+8y_e6vk;Ju2`fc!2{>tYse(MXzRejR$z1k-^_0rxg_W4?L z-gZTlZl2~zy2nD7?$;`lHjCGiz$^Fj&&g+>@0V0Ju8Ik67mnWP2zEd6u82~zT@{47 z;d92CcP-LEW`^_^KJn{;rUjG+#KcK_`%Rs1%JK%1_C&fppelf%e)GCnT?S?I( zfR`@1hZu9^gq9oYnXS2CL348jnHzeu z<&CD#v|XfD%{@#;9sIK68NdrOXllZ5#tn>lp5&^Hh@fH!H)yb0i<4sYw<_m$U%O@B zI9dAxZvcg~J2pnYA5bDZEF@i6r;uW(O!kkbx_IYX zIO!$lztAv}A}_d^26oHHjX5=|qW(iLFiJmjg=2JJhP1dS7H0{VuxZZ+0$ z62IxA8+d7d)1hKTLlRz?LHGB=hAj!u9_?{Pj282XtBhLk*!FWxh4qE+u@%=2`kG;% zREkBRgyAFWR{{EnHS0P>^LN6eHS^&iev&5V$6XLD8)y>q6%oN%Vuk*!lWDXuaOXro zO{Og-hE2n(agdUzjD67=wuMBHzI@$2cSA**#0`LvZ2BjcufQfsZSdnq8%L$an%P zFG2dRre41Iv>U~|O=B5|zg{5F7-IxQe2L<_stP+1f*(!(L+^{_?LQKI;kQI@WPn;* z;Xfiah}{=8>Sj!5^>?AqxHCHTp3f~Vq(hcIH|oWX7t?}w*HwQbZb7745_Lb@z*Yd` zZw6suusVjsID7I>Uag7n?A!4~>m6*X!z0KiyP;TQt|L51$a8!3EgJ6g~!M z5j9X3VN~GG{f4So!jte;*mtb1QfHk!HSQ=2aR*3`eBh_hkYM*m@p*7QA;Su_iQuFt z;V}%n(bXw}UO?)IQZdvlz(n95?YMSt%Jn54m{Igw8a9Lm5Dup}(H7(vggy~r`aAZb@`{uLg)nkTD4 z?f-+~Um*)p=$)l6NqxO>X+k*qbIX{C`rxgM5+-@Pu@OhTRt9<9u$*R2r&<3t0>f6+ zt6MplN}>$Zp4`gPY5Mm9F=xYsXfJx0RZ!tU-;F*~ttw?yq#cvLz@ui|xxsYMjGM{? 
zBX>wj;Th_0c}aabt~9F!!QU>DmOs&D`wOVlSs@}z^yg7&-+*(B(62ssx&IGs(|9r& zyq`ay0%3lTAmRdlz5>R2ZwdZ&9s@AB(?R()ru6bbwsLsb)oqg92W92q=1yB>O}}@$ zz2*=2-DmA8Egi19caW{!cYl3zP6~Od4bFindzS7D?YEq(y=kj(G;!RTAjAf=emH)bUh%c+ar++ zic$5rx2E^?c}v%w?~FQitB#zo@7oEDZ7PA!`#|AyuDgfRda|_6{RXrAu2-TbYWsVD zr7bE3Zr!8N1riPKM_&tdA!}ga&YI~=_9U(Ej6TMn_U4#u?|yW#TCUH}-K&P(Y4rBb z$o3H%UoRI3Th;ek9)Zo8bFvMS^j$(ITlYKD1YI{D@3UTKuQ< z7{Prmugg~haj?J7*Vc$8w;w0q)ULlu3lkj)-nai)4ztTq#GYNuZ#|pd9@Bf@tZFeF z;5NP`Y-W#s90UlX86=*M9}@7GHzz-3C4%Q}-uox7a--^*qgXx6WSKMQb`2FvGpHJH z;BLLA?#!ZR`k+4cCw3y>)_R|uhiYVUAM-&sjP9ng#dNa(E~Fj5sI%OZ&*r&GZEiWv z(nP#RKdqcDAJx`dZ#+FO?~kwF&exmwa!|%dT-@HnrEB?2QhB5vQ+w=yz9+z5%dbG< zZ&P}>{43CQ@C)TjiH>IL1Zvcm&>x*qFojS-b*^^IcO-Y(_ksWym=24CLTi4PPaK&B zWch~P#1mG*u+=hsWy`>9uLce2QvW=?Gv`FX;0nKxar?Xs+*ZeQe3As!HS;&?DE2AJ z<2;B_SZv{)x_c6ZUvsKebWT`+BQSkYTFqa}_UR&<#-6Cx$*^Mdp(J$+L+J~Q)yWog z$fF{FyD;|cvhQGLGwRC;%6{lU2?#5^#uwChjCZ;9#1Zp|Lh(zm(pJVI4eL0RSCta# ze8{6d%@TEG7=V14MTz#PHU89UBY5A0i9jY%RS_1&Ns)PG0Vn2sl{R^2cgx_W!qRMD z7_JfV@{AY~xzns(4_*nq4mF|GG#9f z@2H>Dd4ZH;#MT6fiXL?ydhZ0 zXj>)vf_c`Qd8{1!MvXLJl&{-|X?#pZ?CY$X!j=_?Vsgyt2=b#D^q54pl^@{+`jG0B zfK<6vf@`NyB#P9uF*lm(9oif=rE)Jk`?giG=tkX?NJqw*9E=YAl;;9>2w#?=> z?JiMO%+#WJu+-tkpa^FTiUL-?)lWe_=CC!9ieeS5bPtEMS?1=@XeNKsNxwOxdZ+2lGarx%FBPFCoXem%4WjB9wh!jq>K__xICrg zp(gAy#Gt8XO6ea7Q>z?30TEfCU$=mS#U`@Cs2oF@7t#ScV?iSg-7FvjEtG1W8<xUm?m5^3AbC2sCD)6)>Hna$!2c=elcS$1KecB zOpFIH5*x7w&7j=QiUwg4X(Y#~Sp80YUt7w`CTK-vT;e=s-Q=+Zh24^|`4%b4EfS5r z3=Lf5_naS;3ltUNsArjL{+IF6RzCDlLjBIFagYbNEeopf<(M{Y$@# z$sdVR#1)`NHq2zCGYaIvku`#lof*vzb-?baP4rczoMSQS<)Rqv7LpigE7Nr?wMlOM zR13RwqNQ{w(*}5z(oBEe%NXQPO|b;Ke`Uf3&RtUg1^;swCKLns>)GdP#~Bk(8sruH zLGZBqGV8hnV#e&15H>o`8R8A`bzgbtvh(N{?P5Ef_Bgkd=;Qe!wf5^})AG{&_~XEk zLhoj?)7RlSlY-xOum0W2W2LI|TI=gLRond*`}pgqL%3z*I81{Aw{r-y)57N9>a^`} z7{8V+h3i7&cI&J}EBj?gSe~}!sn}MhZL+eq+FkxC-ty)T!7jUdAAxO__f^PoRr6p& zC+?@X@iBL?T7yHH}~B%^W>M1)3Vh3kdL)?>yI*J_dLTeU2f^w=eW=B72n#KBB${e|1g>% z7_sDaox1|Kf9#v#eY@}()QjEtNXth$TB+=;-w2h@(w2dc``SODj4v{te5cT~LrJ(as-Wmj; 
z$%1w~VY*Scb5lLrXJrYAaF8cbS$wnZXWhM&O?J4hKW2FDcf=~o<(~*T4H!#Ide;YX zf{$Z&HmI3^C6gRHRx{7D?WboGRN>bv#F-UA;}E4X&VUYhVH0yNUxJ)fhnYYm8ZrZVZ#d-PdKi*{ydD z*i*dS-m~5{xLh=!-Yo>wGvQwQi9J6h-g3Dki8LjoVxIZ z1uPeJC|3Czd7XXW(WT_LHGDk?YzHC%!-2rt+_R$J^s?999_^8;Koo`q;Df&Ou*RZ_ zhi24>@URh*_ADr4d@b>aKs^aZ`h`KMJ;0eR+Ht|I-SEphrv)PMAqQ|GMUDA&uZDkw@+ne&wx zLZy3rufT*>A3=@N%2ipsGo}xQ1b$g#8)DT*7me~CqiAHhSggme3uedF>gyw0M*RfG z!4)~^Z{t6K7e=!S6JpFWb7huYrJ&t1hy0=VQz6_52@LYH9^S=1b`_;ckCGdlU#tR4 zLyB}5Hei{P{1@06Mg=e*novV6A0DtLC8^mOE?3Qs8m`TiS+bNdPvg#}E0IJc!EnYH zp5Mj{!$JuqOsh8uj~2)%oHyL;IjF1@a3Kj|fzo?s8K&zHD%EMMmX7G23n@kfzMg%t-?hQwsGRYTU;-qoI77cdj;DR^n>%XZfosF75D zgaQo5Ae-XO!B7%&P0+7`XQYN_?cFTQBcfCH0$f9?rsw_Y8bE(&!dMFw$jcI{j$k|S z>6B|7h2}hK`CdE#6don^Kui{zbkdwNxeu$5F89QY z__<`}A#71Jl-MsYGa9CV25L$iS!ceGL|GQVg*zwIh^r9}gY9muR3qyEEscmNYq?F$ zX`UIlFF@YpL-bcgW6&m6Ht*=4WO=33UavQhBmN2F4FU7(n*k*mud*tSq*_OyhyH=E z?U*2pO|MQ;H!}+Mi4@Z(Tfu6bJDAK6V*{nwltOM<`_pe2F5~L9TPoq4fQUF|gON}Y z$F?li$3aAuX+Lj5U9te)sH9}{OZdRPfak}AO0Ak@?4xl6T&9Q7{vM+Cl%)*M?zjS4 za#gcc$PgQmf7$}$kd_?+i^fFY7WQfTb`FA{qRo_XlgZQsypT%$JSpTWso-&jcK+Wr zvETmTx~(gamVyH@ns`u$)7ogL8bnI9`S74ibQNkc4%ym5lYYkVr$PF;Q?Wnobz1Tr z78qjR7Xfq*ryb!Bzx?B(xT(gCxsQhEmhi^#L40~M&68oG;mUcxtF5F8rzV=o6Yq+| zilP5{a~IF3&qh5?{bziXa=;Gs44 z&@pEFes1uLrzgI8l;g>#BOhZ%4)7-Ce7&Md@l3$=>+R{XHtVDRyEpI}XtEost8P1U zq2glGMM0k0{gH-;bN>0k`v7LRf;Vw`d~>~<_>t3==j~uxSZRyR!1O%BcjXy^x3${4 z-d^dHa$nQ)<_YMw%N-7(KN4_ zY3uw_nd(>g%SEXnm9n%Og1~bH`#nd~EXzLFc64|5(;wXUAH-Mc=g!r3w%ioCn(lF@ zC0_48_t#KYOJ*qG+k?3S4{(WwKVnAv`Qfv*<18%u>jC|~dXe^a_Y#naYxm0S8kf4G z{q9K6d$M(m&^ht`*pPbJv3USc_YUTnrR=iX1K-TCf2A?4s_T3%6zAwA*8FfizVcGL zE7@s{*|?uSwAG?pbNM>>C$=@AWu2vWUJs#mhLZ!heg~A|TcF~*a{{EXyrA?9tI5bu zYAzuhk9Is$yOSF}Smbx=joc^ME+JOkpzvF#{z&Ug?|5%t5?nP+rmI~fZM)8H4`si? 
zReDxA3}Cfte_VO&^4t|)ZlA9b;rOOR&UX8ZTAL!bZmIIW&#+u$S$lb2ZYh-w_qNJk z)=#%;(%sHzrmI?KXQOXv`T|!YtDU_rwE*gwzHhGt)-0x#gTrXKHG18r%$8PdYFG7* z-P_-v!S&Ug)tv2j)rTD&)9&VT`LD8>ug(MD!3$93|KKSKus7*x_9Zr#K1Ol3?TtX4 zwlg2|J`7V0IR8d)()bDWb@VE)0XxhL=vL;Tr`P;MXp;D1kv;jDCv$p$G%?g=_zN{0 zyxb|R!l_X*v;bAGKE#@>C7@0Day}%1jRy_DN8*{qgUpL8lru}X(`66NvB$u`9Ody3q4*nR3iY{ zKNwBe#gRDQqilsmd0RYV+@P|61a!Nx;fS(|l!^EJ-ihBRxzSuP;U2taG{z%w06OPI z#qTNxHIsp;g#krjn<^fqI7>#=Q-_|KxLpo`facUjHlgwnM(Mf91l%G7o%6(4W5G!b z7lCwLlVoAjpd2IEA!erB-2I}VI%6$Wq>kO}CoxrAGy0&RY*(mSG|@Sy2v&t=OX$2+ z3g{GrDv$((wVbqUATAE2SY|uyvB9r-0wU-Nk}llrA&`1oh7*o%R2Z#O3mO*m4+U4s z$&!<5VrK}5@!ey%XkJ}B^knx{-?Zar*5dR{Gx@|sP@vPBks%>E6bvGR6fSeT_wbN6 z9L%W~H4{1~;p$Ww3~0@Uup-eruSlI#K}i~ES$PTZA4vAh8ZE;e2l19D3-aM%M9|8OXPN*vlI1u-o;=ZrM|qmcKRl zESlNr*48kp~(?cV;_;9%^@h)rD+kh9kcGx4AEw$AC!IWv_j}TtU#f z+$x(}+&s9{2kH-Yqn5`tshoH5GnCk1h^uK z!ni{+p@NFwo?v#>CK%;1OOzlm%r=#KAm(;Po(sx6KHC!y9?4#@Nz!zRKWV~^<69IL z|FUDxyW!`e65BvyYEalJz%LV|r~qU+(=%+{&9js?xkE^c6U6NA5Sjj&R3utG8sW=G zftOUSW>_T&AXR}CEpB%uG<%h8<_p%%P;LK)jHktSdnhT*QhqB z!~WLiyh@NyKMVeVoGMfBJ#^_dKV0tsFM)5fy=K5xCNX1Xfd%u%81zU8=(FXG;Q%c4 z=DNH|(EwNdZt<0EH|BBdKY-}9sFeCenMj+%N#};5fOy>*aIqZ|tD1BbZvqMreV!IR zx;pE8;k7b)5)Wsyl*+)04N0_c?Am*Sand@-b+Y!0vB7&HL@{OVathfF-1TAV)C;aM z1vB9q3Y096r%*RMCP=(;tP}56;boL|xo+K*Gq*k1Xmi*&kcuD8;-bEWX!?Z$YT}X< z3wSIFftA*tLeyh*a>$1nks}f`0tI&ejFF1yxOHQmqv^FLL4}x>_kWSYYZT|LLHsh( zD8OOOg+CbJv?E!W^zUKHar)=yd^e4oZAKPhlJU^#)p6bIjVi&WQOHJ2w>XCN8{reI z-y1U0q|WR=u%`JEE;a`)+jCOzd0Phn44-cC zyiDzEecFyu18fLy%hUAOH&+I$RXr8GJUO)HJda%hUh3^fNBTRaAuOlXft#W1wws5e zYPh!-FuT6brooBR*$shu_+1b2PyW6huJ#v0N=L@cN^0uM?k~am^@rCRPx>zz@Sl5; z{~)(sU9oUHFMtgBzUnN+X08W!0v=N|R?<2OGym+n8a0D2R<@|unUkEh%ZrxFkKs<>>& zl^DL`*E5X?GWald0bSQUO5rkF^F7hkOz&pE?c4fN?P*+xJ7flbj%AzmhtO7CtR1EG z_pa$Lx9Q5+Tz370WOSM=Shn z*3FlTDZ$%T`K|_|#wOtPD-ihLItm=U1y(-g%74?;?_9{#C1ay5<`J z3z%NFQm0jm^PThEn|;Uyd!N3~ePZp7ksi|s8hGupxmf%<&Y$l2x<$E{IMk)6sD!bl{D5`T zAJQ`*FBo^ZrMDbABJaoNkTY$?|3KRgGkSP!l(ey|6u+U)Xmr_%> 
z0L_S3R&l%+tAvRvz#VYHNmhr4oW5lwvj4+v&XE*$V}_l7XWeFwRzxb^nUbBGRt!d4 z_zAWFH;q)b5=*R1Aw|#(O0K}F6(Pp@6^O1mw;Z{6L!JxCs3_0>N=6zue2~;~R3`Pf)Znl2jDut3t z3BcmFD7m0&GM6#nGLuu(bLE7MCllWUMv$yBFdM)q*-BcDdZ#>ntZ${P+K zDzQO4S1N=UEP&(Qh}(U+b=S+ASI z67Ag?xlkV}a1s5{glMJOXvO-~dJTNScmzZ?0dcIID}+Ghu<%Ek%?vP|!xiwD+EvjN z6Y=!HAXFNZ@1x@t56Pzgrq!4!sgv5Tw2el+F$FlM)uFO%D^$?AD9Gl%l*{Z^3OSo+ zfRp+wzzZpobY&BJ9(rL{D3h-nh%$<0C?#6s)|gg|Yk!~iM+dWOWA-DN$_XUpLd)#N zfQdm=(Hpc!3WE!qPWjpgc;6K2S5xpN@|5J znCXE*LR-hF$Pa2}`u4@c7Pe6c#3-jA8KbUlRjBR|#L zfa7F2&NDzsOFy~ZVdMg?^8obsjc#PlmRtnY&Z~>H_^xd?A9oCV_80R{;51*a-{w`H zqf5tL=V9@jS=!E10&+Fl=db$2Ra@8f+`U#^=eKt6lJE20=bFnWQ49vxu`D!t#q?^9 zD%zg)cvI$g+RvTH&F(Jo!{cisifO7{W&}BWl}_W&|2fa=|3WnD4 z@p%}r%Lp{nT*tnWQiu(bSksm*(Q=AAHJx+3kCU4|IN#=Lxdk1Jul5N&r>UHG07kW= zYkupd4~|Hq%geZ2u`9be5c@cv&#`pc=z8m`^d2GOzVp@38M zmhbh}HOhWJmnf%oE>5uZc_FV@YvVr596O!Ec3p~7YU@VRYpJ1PyBo!Q9Y~?KV;=6f zqT_yCJ&TgF>Cu4yvQ;=};}Hr#mE(3^ex4&JT_H8hv4Y_ zIL4T56YzrH@)=Yyx!vu~>p2TwT97ZAv7H4Rr(C-DxZ0rTSWi!SJ`*_YGpKej?Hrlc zy$o#?4$oiXe|lS2La~SFY2Gt(WO?s^*B+(xxNROIw59T!;&_i%xSD&NaFycjdr0fP zis){+RVzKWz1Qv9BY1A^S6)8izwX&RVQ*!@-4r5pF-v9NE&Qnj5x;8RtimbM>U?;T z$NzwDq;qyVeA#$BpW;X2d%unW#vTCGE&#uO0-J!Oru)Fu`EOj6Bn%XJ#!&+XqL#dx z=4%Iwl1BprzXCsi2Y~5V1TqW^{!r0PAe;s%FkD!;$d0R=ZT?#lQs7QL1I;61e8Q|S zS;|*=;6fgrOixL`q;LwumhgtB|7XNKFGfi59cTq2C-&MVJjSeXVf7Fp7nfhpI{3y>MaLKT#$WWf2?>m7*!2Q6N;Z@uz{> zJ~qAaf-$0qOR<$-07)cxVEH2BszHPyKa46ETb~o@^h@5vOSfPGjm94c@NYj9<8sP} zV53&#WKmE)S&z=m*jdp^E&7K`fYRbd-T-TQ9TFTln4HTW&Rna2OAmZ2O%RnyN8{R^ zzmZ;S8m9UBagWhRxlC9H7R0vune>-#?YV}M*>T5>Xc=L#j*N64Zjw_ z7zYEDtNxl`cjb>08c3EcU#5_R2vpcBj9Vt=q3(AR3%|S;#QsS)K!wlK){Moj-(o-O zYm1~>_aads;u!|z^e(F78e$eIw+!FUS|wX^Az#E+AFffGYIPHHHR`r>*DUy9n2@l*s43ZOg$&v3Rhiy2GHg&Q8SR;r z4wAq`eUcn>eRpYKQh>xr9VaR%8WR1jXtqP@R?F;Teryb__-e<#BaSB1$!>6RozeN|K!bd z21WwUifxw^Y-b#oc+r6|u*^{B0-cNzvO1#|w2G?bFrMB#DE|TVcJw++EX$Vrg3v%| zz&<4+sV&&aeJvpX^N$cCwm_F{_2$fEnxn6yd;~(iSiO8t1=^liO?gE{T7>N;a!}iv zHzFu6)1sXIs!0@tyiJU2AheoZdX;=zq+zx-JphF~nAI9fly$6+b%XCa} 
zMktH5d%>-Mk_`u9N^xDvu1Hmgn$DKjV9TUhS->802Bu;wc{12#`6N~VQ5FT3SHkYl zCJ95Pa;YzZ=>nZL&z~tv5@Nlc*hr*Si9k)$q6GIj^J8fKC-XvVH{r3zqd3@6RF-#?RLMAy6|oEAhqn8|J9lc=^InET;ie@OR9Qxq=Z#s;c+rM~Sj zx+I$F8*q+?2J~EtpdFhP+>3F^K#JD&A72zRCeZTZWceLvsH{C>>vgs+qTW$#8QB$m z7{eAFBt%X#2*OO8*n7by#l+F4jHjRmg-AwF2V$zE9^R`8NsQX%P}Cs97kZ;9h8kBbt!l5L}XOvs&9hTh`8+%IrCR z1d%@93QGBmPf21hCJIp}DWKkET@sovPxICeTg;#_wKOXz@lbHrueu2-`qu$gK{`>! ze@FTgg9T>N+y5e~Z@Z}r{Fi{SiTA5-l}rAocs^=M2LHtDbMDgWtgj*!?g$g7Bq?Cm z*T-RSqxo-R>?PT!Ss+@XXU+3@u`k?K&y{TH6t_(>%HUCm+LkkeSyj`qY`U6n)3!#h zr_uX7ig<3Dpsl4Q|Ea9^E**JklfZErio9&Kz0Y9=ip%G+Ghp+J+pL>wc3R`fT>n%S zzr)I@zk6*3dmmZr^69Om*t5%adYAY0Uj~Do?+~Ok?R|erD(~&q%uMiKk67B*#CLSu zx>2ak>ll#OYr6$`3Ig1EE?=2RE}vq&?nipB7Z986L$x&(4a>#ru8yU@=TqFk{(|lS zsH=lQ3ZT>Ky6M+TMyL;b_Q$~Ou1{i7;`(v!dSea0=ZgbC+q&!EE-9y<)LyOQnjQ9-?6(G%-nS!4lQiI=5zn}B~9vhvVEPl+>+fC{|kE7*tvydUvHB#|>-PY57|AhlO8l-k%Mp@PL7LrOTR;hIk zVru2QCMM2@Nv7xfzQuB_?A!AYfurqyKFNdYA_QD7oGsI3^c+%pLGI^?K#J!M)n>GpO7&V_fkP*F*4Q-(?7&U)NMG4|t zfA7l-LQnw>*c)fw*pHxV%U#U=-MFDD2lZ*3yg=E>^skXMcWM9&TxOAkPAXGy+3ex& zQ3QJyd~u110-_>5gwlF{CA5BPRT8SD%P*61T~p@4qJQ^`cL zq(hI;A5~Ha^nGlV^G&qXY0B&Df0ghnWf^yIEKfy(iWk9Iqp=kWa`vLV9P&~XQ6Q}U zt*NS0A__3fXBLgZhLl#ApwXc>mZa5G>WhJS%Uzg6n6Sps#fL)(BfE1qc$_v>_$71O zAY0e5D*6*MF=4-qWs>6dawITPh~I~gQ#RbAjMNgBWnRZCrWxS~b;q1C0T735oKJ+D zXtkKRQv4u^MQbqcRHvG0T#9Q;IQM_i$^;PP0+oP~Hxqm73%k^{AM#phv`M1>-3gx% zX9HO<8)^~}@v3IPb@NsJp#}eBssqqJlzLnFX$8Xm+;|m>&5qeHDJ^s8f`{+0^86PQ z!Iob99@0lDA)yB4-d79fNJMaBhhLrADanq(<{$>e6b%{sPoXCFhF2SYo1OJ8NfEaw zsI~e#{Yon7Rm;ciLB20qLm{ zgu7mbtI~Yh)M0ntVs5I**}c*xnRSgivSON@#pylVH}GuXm%&Q4x5O#s)BzW%hFeZ3 zXdjH70EhqZ0h5jp`Y2dJy);p_yZ^&qo+qB~5|10qj!;>u@`tV3_=gk!(mm&hX2tJX z&Ou{SRzC+k3Wi}mM!lKR3DT^ z6Y_$s>)~+S&J~Og^E|q!HL>P`==^x1!*Y{7SP}?$tGu9w1Wu{E=7->#FK$@y$Nam*fB>x1^n`s#c4Ov=w z3NSuO4d4hHCOH39EzX)g?h=W<8T%IHwc=1v$O^$$aX{D=BiUA%rgYN_gv!QYx6qeq z(U_+%fjd%1u!Pef3;!Ly%7cXa|C{#u`ci%Cv-jSW&9C391*DuG3)1?f6mgjA;e75Hr(J;r%7P;#sM5RyDctRy_OU^j`z0rPx zAoBT 
z|50OWe<$E>K~Sycp%N{`^W*i9VApQy;P?~6YZMva_A)hsu**eRku3MY1>9+g?cy_? z{NvxP`ms2fy3_02>Z5af)vWeMDO0C+oVha_I8Sw~>o~PPdGMa?_=NVHm92gd_W6;G zzxj1q=;Ji}v8=o8$@NyxbKU#gHb~$dy~eZF;cVEn9(x7Yc0XxLBX??c7zvkbsR$FOv+5Gajp2_Z}^;q~M$ZoB8N%Ao}7p?&w@LWf^cpc6xbNK2% zmazh>1_3u?hwbZXHeLFmO6*%kgWEanN;~^cxgMR`;$BTuVR&wjw)B9HCIDYE9mg}J z-OlW2EGJ!IY3C7F%)4J9GpY!ilH+=T{JCASoHQhFj>+UPm{}AZ2jcq(P|NGwi-Vf6?HJ@gxel@52boV(| zg%7q3AuDF)_6=w87xY-eX2|}Y?u9p<`nGPye6PKh6KwAzt=4}zpLYYhXWCXioVG?z zs(j9vJF=LqmED^7tC`%JrdF~(x3>{!p6`%DdA_!+-6po4|Cdt6zgYPCF*OLJFaBiy zDvZM__PPHk)u&l+aay zBjZ_oRKkKbP>DWZ80c$muyRR+W+(k@M|B~IWc5TSqzw@QvD|ASyJSB)qz^B&8n%!! za4W)7l*fe1MUFB9eo*9rAj(0gPN)t3A+6GJ94@gj|1`vIvQ7jgesNWff;5=8>Qx}S zO4sR;e<-CK|4kGO1Kl`(X~UNj)!`_9v8GFN0=?uFNRc0|l_Gbjsa=;)&O!?Lt-B?v zV0@}Y!s$C?tc^FJK?{O#$;3;;Shrs5T8rO2&YB}5+tGafwk6XO9fzDsm{$<-;zSfq z#FiFSX{%QVMNE_biNs(hF(oH0ou;@<%LUI)LX1C3;NC!S|*(A zkp37~C0UfoDbb;hdSFrO%vNSM6&vpUic!OhrdF(&4=fj|&aV6cXWg6jXAN=OD2KA~Ofr?ez^rh1 zw<}-^4pM~%I$?;pziclSEU27o;kE=}l?urURIUirbJd1pZJ%ULjXWWh?w&J)j`~~O z>Y?6+Gon|eG#Ae_qR>uQ#gZ&kkl;cERor!nFLmnCU#w;%J-88!49P8SjKU%ezFr0F zkMxZ|JY30qD(t2b?flt>qIU%Q3;kRK7z;RJ1E zoDCsvT-FZUaS&~JX)KWNm{Y`&J_g!I3UG2--?HS_4e>C~7lOw@nP-^~dz$@USU+Kf zCF+U!3Yy6R-W)Z`zt1q*e}1LZYy%{~W%n&$#KOMe_nUMkfBc5uaMC@?)R4rNllK{f zmR5&8&L5^DsY^is&JEsccDXtR`|y2n`Kv#uz?;>O*hf3Br~GTbhhcb)3@=ze)|SEW z8vd^*%E}sk>*$smmZoU;7e7llv&hRH2p%bV;7H|eL*$O$#{eyzrXj-fG=#AGMya~) z0mg5?_Zxh=Q2ejWbnI@2N$j21vEZE@(}f-Sh8H+;vNWU%b#*Swllcv98`lr#E#egq z>(n)On+31_M&%V{99_iXb?( zHR}%S+%A(x_j&dnf%)rLrDyupV-1_=_vZJ#nw(YFQ~OAC+Ew#nQ}oE0c{Yt_wwoh% zb%5E-WBGCN(Q(VY`Bmpi7Ik%xhtEON%5~%6H}103Ew4S30M7OKd`Iia@tY_28lFAw zyO8ZH>>l>)dm>TwTaAz(f^O>JsyAGuSw7bTk;n0q<3He@yAm>d`zpmd0jW=fZk#UL zbd#Ix@Y&ZtQ@^ehnw~!ttEPlcLu0qwr?z(OcX(f0qVEFS;rv*<@xBMR;_vPvYw)`~ zp3vF(UHe_HS;i;2J0Cu<2p-aTompZ9h_b9hx4XK+JkG}eAdnu?XoR`JI&w!`u!B~l9 z{;}^Y$EG9J&z-a5!ViI_DYY5My?5ZfUCa2kE48)&-@5m2{li$lPKeGk=AIkZP|EBa4GCLfoFZOQ!QM!~UwPnBg%C8accnfwQHdOx-`-bqf_Voks 
zjm12l);+vk4;;v-=u?0j(L4Me4Fs)OD3|eOHEJ~QGMpR#LZcql{gLAbmthr_ySue~Lf`UpiKsDu9BuTm(IAUAwc(|G3g zrKj0y`2|yNg|bH|M#zIQ2}_pwrguylH&;f4^x%qQ!?(BuMp?f2L=7wh0`()CjdOL_ zisLuEK74j1x0XqCt>By^*jb8|hs(U&{nuHCg!s*wCnd|FeJxWS|4^(rWonU(%jJs~X!v4dX4VU8qhJQB2x$r4#ssRThrkigxPs&g+V+C+ zgQD3JB~fj{$O6lUGc1~Uu_U>Y54xqBY?txM24R@xS{$4A42nC9fuwg3>QdJxBh8|H zma1lEJi;a`Dwshkr99mAf6ej3;D`$4iOEdaJ}W~(A&E9ORez4m#*@ZDz!Wc!xJATn zi-dNG!*mD|^$ofh+ipH`1zsX=w9bcxPn8EQ`JKD!6wu)CFI_$s39A(9r*2N#0%Bgq^cQSdU7H%k;p$E_m5wuA-cX1_>D*eo~0 zT^P}yqo5SJ^5R|Qv+Guny#uUOiz&h~qtWbcA$}D$3PwmDg;-WW6QT^>vkYgF+9pwm zb|+;mj>QdBN6&1l?(nDz3V%~W)Xf3yvftVKg zK@fVq+MwnoHwPAHikNfxrr}nkV3$v6q=L)V9N#%;PWK+y>d1^f~8H;PeZNS@cF+K+_R%5M-|ffS}+La{1@=0HgcSqaO8 z*qk#;l=@{^(Jw}}&1|Gk&OrR@U#r@$`m@#Ij5R`86`{iGlL9uqnMHC4zfDSG8Y2ZO z2*C?KyD}AuZJaZmKNL3%*=dxw>G`>sZ~q(8pJG{Izgq5RPTu5^M)*~MKZu#n0s3M= zehlZZ{~#mrzk0qJ#3!=%^?aH?nZF@?pnv=@ zUR9ssU#KK6<;9dIy5X<=+@N3Xcs0k@g?m=@9Ky%x+OA4{g7Q6$aS!ZFHnwY75R^_@ z)^P6%ZD!2jZ$!oeAl%r{`wG~W%2sP0OzL&+t}55?(|Mn7R(E=w;~jjq?8MJ#9IYaE zH(ZB|QR8=As)gmQ&;86; zKl>g8zkzFKt!B^rJ8Imfy()AxJkHbf$DGzJr5TSrRen&@TI|@4Q=jXp^<;6L7xRlR zX8WyRBKsbU{F*Emc)r`EOE#~&uWw_^y%JKlkJH##&{P27^V~dy{m#@^CO|Dj?c=+> z4LimeEyd?-U>p>ZadrEx)qS=8uG4sRN1pwKTjw=ik=d=nYt=SK5AYfvxMz|+zV>!; zDehc%jl^|fV|y>2$yE(&-eK7wBvP#YTa?r-QlIF?@(Je_K7q({I^W$U$dQOe5#eMB+wG4AV4A&I6Y`m3U z0`z$9C4c(w7Z)_0w@k}rXhvLRi@xGe1e2-LSJ=$jwnvbb=!igIA!n~JW1L|+NP#A$%ufi= zHl<3^)we(|q7pUp!ke#&TD+A&8Hr#Yv`A z-18^C!?X}65GKUBTbM*CI_HHo(?v4)AVgJEYMv=2H`Z_#L)Nktk;+8IPKphm(!g0L zO0)fwj7Llq1t#v2YP~K&9Es5ORr^aMg+`bXjpV_Hn^Ou+3%N2&#kQN(?q*Qpw$1Fv z-wHEabC=>j_fttYh$=%@>LHTC(U+&%P|T-|lqsTA$V|U3Pti{O^Mi-T48hvrlp$5 zwar;`DVZ#ZN{}EIVx41CJWAB{Q!Dx*Evz(Daef+(>$oAht^b59 zk1U0_x`2#>>Y#-S`45}mbY`n1E9OL%8TJRrRHSpK3iwEagQ~{*4k3115V~YaRZhJ4 zEe1>!6oK;SWFVE+It)-&Z*f?w#KIV-H0tmw7}7*K_)U-Bt%Ar=%!H}pN}0&;q)uaU z@{$z!FrgL<1dw?;#3?jlmqmpM^^zIMo8Ow2t}=qe2B||7$$v04=i~jBkU55@7f@!1 zi8+GZw4!j@dMT_%I~k#zf&!8#PaOAuefD^kv@�WkHP?Q*a`qVL9mouVT>xOQDN 
zCj|!ua;&}N&QtvDqiJ+=RS_u${Z8`{8hBtfY&5k?jO36WV}sn#3V&B%xRjSRVQGWM zx_=d_r8Qt0F-X=WT&9EuNV`$wjxxqC+L#2K-t3O8R=_l??NLcWHKCT`J8D!59Sn0g zlt{vZ4T(@&HbPpAnFdK+oY@9kulkS{LgFb{Kg#~WFk=mgeTi3k#7b`;#X@y6Qj;91 zAkQXA#$c7I*2Jk-t=f_@O2JDaw24|Tlx%}yK}s%3xU3yJ-9*lZiwWZD4jGp;(lD1= z{hl&I?oh26lWc_FHwup#tzUZh^uw$m(28UR<+OOh%62Q%hjEcLpuq=&bQM#Sar>rUEIBu>@t0^4x0XD`J1kT~Y=s$---ZNLPHZNLej%xP&=X#Ro#d z2b4}`jUR(`^7t-1!mnIOCgvc{FQ}(gkbBz>C4AH;G)L&7C``ihQ&0xTJXAWuHwes( z#n+W95pUw;5%bK+CcVTgDP2Cr;d;;{sS26S6V-Dn1SFW^S`f&(8J3fY9u!bweknlh zx+91s9lu#ocV5&>jIsRuJ5k_aAyFh zBmu^>-uRg+U_gFP1(2}Y3Pj52H!Lwn0*U0^J?Ota(jERUbA%no+nMT}i{K~LYpM4w zYoMjiq@(!^?^QK1b}GJPwcpTEW%uiGjXTd-@7$)iIe^>u(f*{X4bpR5HF@Xyv(l4W zuVV?XrfiWpb%)V9aVdoV?OznXUh|}0>F3Ia>CRj8(?35_AD36?#LAhK33odIOmtko z9poKvlDdAvk*pP6ywxY#f0O;Ep-b!RdExAO(smA$WL2Sp7biHb6Gvy))f)~o_`VZu z7Pl?(8itw0caT(-_#PkNE<5COpA2A-?lpC%!xL3qFIjiWkvm^cmD9|RsPq_A=FwyV zb{&r=kl$`t1+sJ@xsS8q{Nr+NoYWqt1D@wR-Tfasmp)5to*&1T&lrDSY)_hXw;$}+ z&5MaoyPlN!UffrJvm1biO*HQe1YGYkrrSbydp`5&2=&uc+s{d3Yo4~X&$!D;?wg=0 zx2%?VDrwx-_khd`zbRAfshwl=P_7A@*EhhF?`bat0@@$h)GHj|o^{LRUA6b+lmfKIwbAuQ^pK^ z-`7L=ZVYqY&ZfsIB_!}Q+!}%RIMx|Y4=ML?dked&hUy&1D7f=E*;m|=%59Qd7}FyU zI2n9`jO2fs&S1Z`-RdIa*0IclWKzd#p7%L+H}otwR@Z$`olacOB5th0({e7x@1)6o zJxghL0s=0!AZrf}mlzDZ6rsA1y`TxgmP{8^Z8Ymi+ayy&Bx$tkZ6s3;i6%mNI{N)5MU3$NB0#cJDs0a^~X_!kpK)?{T?D2MCw~>N^7wz<{40 z?0>R&ftQux^z*=lYgCmpZFV4BYC9KI109dD98qo!kevIgX92j7Gya!DS**pdu7Ti_ zKUXIR;$`STu}9%gg^vD%57>T#in9`_KT?vtIr);7_rD;9`Afp(wE2Fuj4BlD0S&q{ zS!nEIT3*OlPBSGVXVTh};~=>ntzRKLGa!2HV;daRrAgIGQ1zVQRZ@@jeCHHNk*I9F=Ryv6wX#Qzr%Ux zG#>RiG_>*6&Aa6_*-a>1sWv`m-0(w#U){la; zJ~RqKTd#f>K~=;eWy+p?JuxNac4p1X7Z|XadIrp|@Q*7f4^(allb{QEWx=U5YGR?{ zv~puX!HFR$DhY1qB^!dx=w!}%OJ-!8DsU~+PE9O0{c$Qu6Y5D9gt}VGkn$_sLM-Ap z%P*0T5T_7I_f-_l)QF-j>DUHF{%M5;6+@Lv1nPj5gP#KIwktvmiX(KesuHR-0yKj` zNv6y7lx=BLZD!U5ZnB{!N`hN|B%8-iTW66o(KzgWw&4k&B!%c$ztM)p&6$a@c$B9; z$Mdm?nW9#&3gwLHaX`7$xx%juaaU#a|v*@Tw=YqHD#mNW{Eh zPlUTUGD;&E+lnS0GZJkD#XgVtGcl0H8nafJg-f)ps)KI8(~Q$R3U?_Kqy-a+As6+V 
zlLio2=zN-=0BbM5?~&p`v(w)Xm_PZS0&^h2KZsk|xlx1Av*4>MRUsxPgb=HGi7r{O zyJlyWCKbaVkh_>Dl7o15XKS$_3vd{UVBja&h~Aq7O?6mwJs0c1#pq|N6vMOH?DKf8 zqvLW4njEL?5pFE=HSCB5^4t^`7>zg0TFtg?&DOg>2Zow$i5=LcGogdxXbDj$yW_q; zp5BBt%@!)|dR2sRWlhj7m!=hwNA%swNP(3W4N>hZtuipmPUQwcug zy)LI><^KAtyl9!)z7Uc)I`|5!p4m|9@}kv6+OE|pIA%uXG!5FwKt;S;tUUTw#cJ*A zXV`BINHG0B$VHMU6O6pzMoS_|V(QN4CTUlidRWxtpbOM1jd@xrX@5{@j9{E;v~q0G zGDx#D`_um?0JnR0fj&QGzt=m~?t6L?Uj71kHU^q%wgBI}g0To!;_%n^9}(m0=Np2g zfF;z_?rP6-?nuklOMR-k#y*-^BrBayyr%p1WsiqPIe#>u>7&q`&uO`Erswv6&Sw!H z-U7c_8DIN_?yX>pfBWdd)NWkA-E{o*5n?2#ZfE&a_cSP{>oLBg*7vLf&*M6mt?O$L z;nI_eF2{9KwUVzB+v!NUxQ&~S(Q7Z2{$z#cDkC&LsD@F^`^eUC*d}r`H-6YAkx-RsA(_TeFLv`<{7< zij8}yT4VX$mzc7~*K1qt{P3mcbIS#sN{i#wV_@#gZ-3?_xId}#dmYdJE5^IqXRWmJ znmb%HR^tK2i07|I19%!9w&4+c8n5B$^D<3Rx7_ZTaecGV@q50jfJWe7*Xex(9aYL6 z&#V3WRo5L?yr7_^Cy!m8p0C4jXL=pSLgVvTUSQ$-{5usje<7&n%hA*mL-)IzX}iz|ZkIGC9Q65$l4e_e;HppA6Bn zZX!h|OzR)0*{Au;l3!0h<{&=&bamZ?`xP&4*A@4(k3*lT`gQHW8vCbVs5Beine!!gx-eSFHQ%d0T+sv* zH@)+Exw9Tz?%Oov#sxC2`w%I5*AwKuel@V?7+B-|g?)?gZEl?nd`ccfzr{BZN%-Pl z%ljC9llP>lThuTy|GH{lm^tMiC{GMCDmoPz;luZpw$q1U`+iYWPQwVW2p9 z7!DpF%Agd~S3V?h%~C(wvgKyFX%Dx~(nk?zPsM_-r;4sojlb2-%SI+DR_ISf3pZIs zOT)xhu(yV}73J`TlYv;O;gE`&bAuio3<&eoN zBqkUGaWAcD-)}IIWp*;t_pe&cnEpP?mXgX$?H~z3T6zL2<3JL}sED1EXpyASK!ZeF zup)~gHyB0+UH{@QQjqCECtBKul&u<7qBiESy8#_I>qBlGYp%1l>W%9;Lw+V{#4=?p zY;|OMxOtVnSyUGdD3G^_x7g5vavkHp#1^G74+<6GFFv?eiyP&?1DU#t60(;KRh#RX z?bE?qm>Q+vHJq7@&?l+2N)*7s|6o4(m~te1kJir#@(D<#5LwqWoaz)OwAFhRyrFR6$>v- zXk3L+AIW&CRI5iM`%V0+Ah$0RRQQIqJea7|hWsF~fLZjY z)h@+Y?8iXHTf}1#v4xaI;KG;a1fqJGjBVK#7tlILP#KXZC#-LTkN8mpG#~tw^~w&s zDdXD!-j@SE7JLWo{{m@N3y+n7l4$?ZSZ%@0f^nqUL!e=u{t7b=<;?#b{?YxL@lSq# za#&R|S;lud#9lNmh>B96RiSn!u7D6+YL*F`T)%}K?($=nTtcAoXxoE^#i&dN`Xz(c z?Jf#Vygo}vaUKP>UEls6(F%)bO-=b%qdfI#xFna&M!0`^s3hlxqEz(YSo~3i3PMN> zgN#IhI&_(zirJWDfTFF}X7bNq7iTh8bl4i>eUTP=7qN0GkV-m?C1s1m3Sr5=9aqB%An@FxMo=EcK5+mbo`(oM)42zWN?*(~} zu0`>Vz8zE6a>(O(`PWPfl!|UmIM$$4dWmCZ-TZgFSdA_oI0-&gG%B8rAWfmcDT%)w 
zMSd2bJ;tl_fQs)L?8kJv5C^%AbK*jN{7Efa6>^j^@wOpTph_&yq{bp9$B2#KG1M3` zL(2iDP{zSttIiW=!9%D|NNh6Sb}7SAV1-djKUb(8N=l$(K9g9F6P=?uDlIv3;5x4O zjnAMdgV+Z~VWsO-;GmQxIO4l(Ez}7OMa#f%=vmFOn+eTDxps=P0(B-!XY;3slW~}o zI)o@a=Ik#vksZ5ZnFQ%soH-D9nVUgN8G;Dk;_ z;yV8LHt3^kd)NxSt+|gs~hr_dFux}uF&3eeDfSsqR;Z8 ze>p2wN6`aZZoeb&xy5>4y?@5)alKreOm_q0Lfu=BI;mrQ0xN9l_lBJx-($BK8!jry z?R*~E4$&fQz5FPyzvky5X#=WnpYBriT6d;XbIthN)=?q(e8;?wM)p6^bZv4k`*(<_ z?Q7xO#>DvPuU=Mz__r?0L;;;2!!_4UC^iBDs>e1JslK7Zln4YfbdYazvF}B7Rcf+;n&UHdHSCapwKUS`d z&yy%wSh@rELCBogJMkoy6NT$r`z1Z>bzZ2Yn&s7k+wybAL>`ENeQ^_JuzRxbuJ_tI z40%4oPE|_d>i$Z^)wNPZU*kEQt49p%g!DLwb`L4#|A>6dd42huYUaCHRz7}v=5d;0 z+)J=-l-F|Zh;81y3YM1Z`ASB>o*7hnn+@8LO5rYPT@eFx@9u6}lH+z9JWX7zd%tCs zdPxVMZ#hpsn4BcL;-Tp4KE07Qmv>9Yz@JxpV0cetL-L%{ZukVej+qo^Z@0Tor-&Qh z->3F8AwJKgnaj6uua%awRxS_O+!%&x;S>xVI3cH?k!B}+eimXTv53@0v%m10#;93S{$ zoK{iNN7-q6EoY-voSBSA)$+_grCE1Uo{6V7in-n}GbMxq!Ycx^p5P;v{4$ax{NeyI zrG=Y3UWiBkQw_9@Si<`FYFCuM$mu~;sE8TGrLB@bX(N>?R>szKlTXdk;&)I&f`39p zRhsN4u7l$sCyP~p#OP9N<%EnWBxL9F{Km>QV}m9q)Hd$JxNOWwgNpfCuWH7+`sWO^ zH>zjxmEYAsh58|s)~V!+8fm?CHVrOao$tcpS;{~*AR;Nl;8gD&9&`Yh~4V^}M?@X|B4O#ea)e`xZ{aZ+c$%q<^d|99{8Upn zif#oTm7Tbj9oxj1NFdx`7j}VNGHgv7p^ZBo!;4Xcg2r^m-LX5SS*~Jq(Gj<4(s|Ap zu;c_Ab;2o`RqL`>DGyf~d%DPBDBkFsG)J&0phD|F#1N8z=72$dKR(HW z%pFh!7Y@HG+yVV^otI%qZ5xMCwbRp__pYy($X(S~j$fCq{hE-KtAftrrJvv(HwUM1 zHFd?d`aXLd*1WZc3G!R6!5(kA2s=*CSiw862-KhZSNgV%Q7z{P@_aW}N7b#C=fv(2@}9o8ne-hN9G)xO0CU zk?%auADY$`S)(Ag?>WMAUu}EFTfZCjmC##N*G=!dK2gVY9Ti`%Mt@4yjpJ53vA&m+ zC?5RmX?dFY-lfX&+-u(&*H&jok6kt3^X2I|_T^_m>$rMxJqCiNdvDxj#>nfQCu6(Y zKh=ft+zf7Qw>E#Ck(y8HpVaP9Rr;RfmF8@?d|{H?xKsf>9wta#%)eiG=RNFusq5_D z^{_Lu-`P{Bv^bBW+4Uf~ymq5Ypv$&t6-)OAjCZy}pYDx(D(}huc@DxA5#GyCwDCy@ z$lJ};&@(2DYiaE@bH_H9hg;9**U=l$`U^Nb1rRp>^89aPh4?5PD?KcKk+0aduLhDR zrH&k8<%TVo-En@JzX3)7eC2;Kjniq3f2{(UbqRpCzmS`m0_tFN5qZjK+qd-46++;e z4r9a%h4h*u-O5Qvy+ko&jaS5+2#1OWf9@wivF2IZ4OOc#S&+xgKD5i zTLjQa9$~1Xq9_Zt&IOyaW;-&o#=@NmatBL6aXa@w5tKItGDM?4Alkj2=7DYS7;d*1sDcwW9$aNs~yB3w1~5Irx?C>2Dggog^Z9~O?4(|X%2|n8rY~W 
zN|vjK((H_jplx90xv7k)-(p(|Jv@FLDKffKX8DL1^p-e ziZB3TX~dDAp`tV;_q$STAzb-F)+yYG)nJpbY;aP`tD^icymQdops$9)Gg=BWDC(aX z5g{-5ZiG-QiMxqaf!Ydey=MGSh0)PvIIO#ZLj)|VAiE+Zt)m&%LuBEZ$MJ?tndQzB zxmpjjOfnw3^6wFt>s1q0tM@J#zQEh=NKU$|2SHuS4G7+GNLs3)m#J3O3z>w9O(?A( zv+x=!|M4Yoc-vjGZHdz{mfyxOCRA>fw)f$x7jL4dBT)oM^{-E(7)kLcR;y_xPhpPT zA>gjCX=t9hR$M=Ju5N^7D#hjU;I$Rfn;_t+uv?;wM z+#;~Dm?lk-%N2`$8Z2dLqBWdKw+O~1@U5T7=_!SGO)lcSt9VzOX2vi-%eBH$>IF3@ zi?vM1jtHR%VjH??`(YL_8n8@irJ{SASdK9qYSQUiWft!Wk&r!G=bh>~vQxM;{;`Tn z5vxJ|sE7eO^azw6@KE|A{xHdmh^4;asZmj;MjiL7IVBJb!Y)OliMC}t=#*f9QRZhd zYn{wLCel30UUn}uK4*j-Z~w*Pm)V#%8aLU8YEl1YHi9> zQg!$;_^_Z9A(0l3z`!9^sKOXF_?AcF-zm8KH?P;+0o1clw#DB+c0n#7?rvDpN_l>@gTxR<_orJXZP?Pf%M|us5`BQ7J)9I5Qi_7Ae}G z!SX)=I26#g`X4-<0e(sCH+&U#KV3k7%Qh2W#EY5Rg~}Z7ydyldd<6;q=NWjwfCQHC zciDQ;0^NE1*58qe<2nht)8^pR24FAmiLUOYToZP~nMr>{HT+h@daIDL{n z`{nB}CQSWlGL1VU17pv`zjL{AK2rYJ+!puM7m;~!*W1yt`Eu{P12_p&mHXVv=Vs0E z^DZ6Mt6k+>>I$?3rFhex6gwl-dx|?u>&{X-_>6p?K7E>S*}-n(srKH z8}w7iSB-QcZLHH9Uth=wS{EVOxoPi%pwW*j5r7g5en6+sST$htv-g)>6;3r`Cvv24xK$)jECdHPh|hCG)ct&`uo zleN0}YxFbV%U1==3q9?nJ5?R?9oRyNV; zn+930>|i$+AA6m+=mVTLbYsGR{|{N)-vM89A1!P5fbN7BqA%s_<+;6)>W^zyvsHZ$a_!5fpl1-_U1*cmtV@zz}2`+h6==@d2g$g#D!;twYMn8!t zfN=4Evp55BGz^{$R$>@)9;k$r1Zzq}tXzvlTtaiADMB7j|axivpL#~Nj3kkJ*n{lOpg-FcFQzhjyw6bkU)gGeRQ4*6X_F{@i88( z*RTB5UIu!1Lzb|-zyHsJvMRYui$dgKxJ}|?`yW=?p{l1^Bgw`=X=c}FmkPB=DB_B! z4T^?rNjEdrx7H=Z2dbTLA$%LMJ`xB1HI>3$ml$dmS*r4T9XLr!)1e^ErlsA!Q}AQm zE@{H5MGFQHq-418c&x!c*761pS!AxDMN?`M`3sygG>UKlcPFo?n+a8gpkCoa^ts4^E*C@|^G#qTsx#F~qThPo}~w*(u7T{?=;FQ99Vk=@%A zwF_c~87UM3iG~GP^Gs~W-&VNxo(lB1WIiB7s)ed!@x;X<9$CF

fb`2GCeHCf?)A zks?iKYkHt*KmV-Uqfq5w1@TynR&dM#-A{U0j~K{4HG!|dFJ(Ny`-gb|9&7F!LL-4C z+t|!sx}^KzU`uEVHq|E50Rkk%)iSNJNGTn3u`vd#sC6ykL|9+Z-44Uabpy6h$$C8z zA;y*D@BN#fRXIN&B43%3VwV&{mG3;22P*>YT*p;b4h&@rAP}jZN*@JxXjTfv(3)hS zru;>5rcJ~-b@DL$EnaMXm9tCFLq%3Xul{o}K`v>JR$|ATF*&yBv&{?|PBLEvEp_Is zO(L%~B%Y+wayO%m@dwL3CV6E@{EfL65}X5pU^ zq(H(t(rVd|HNB@Y1yLPYUd&(}UNHLe6dACfsLNzzVSaYfUaSOniK+ryIhG`8#tlY7 zMIc2SJ?66M=zJtG22y+_Fqte-eK&N{^Jxp537iBNC#FEL?8X_c%CJ{rE0n0C9N}eU zGqsOAhr7{2?rXFg6-EaX$WUvFTDh)uYZgWsa#Uj~&py!_2;72;V9Q#I#8~a;1+e{7 zi=jF*WwCbABqy6f;hPf}s6k-Xqf#Xb^V`WPna@(HsGZb+P_jcZ$5L5IOEU9I&?2mS z%Z4fL6)VTqGEsuVzETO?5?W}HagYhgb}I4|qT|1F<|94FP{42Q3mb2OMLb4g5`E!I zk&2aa;z*pYkR6!XQ-wr(vnkomn00b4yCb#xE7(3SOn@he3eqMODe{**Evtk^jj3qa zgT&LrT}I$1+kF_+`t)C{pyn~aB4cL#i3eQszwEpsd_2A* zL?Ds`3Q&A-ew_ICUrUwdH1atwe^utZ$lWiWA-(WM;`?5Fr1IzN?r^iXf6vifzuasx z*F?3fTHX3y)6=?ay+U^Exu)92D2w~uB)N{)xNWs}G`-$jcHrKNSk9evw_J}w{EL^q ziqG*n`#V&v^_ftq-f=sSNY{QHcrqTE`-E&$IBmGIb2S&srgQYJJ;QlOx$WZ@&EHi{ z+j*myyal!Q>j&HaMQ2iSh*uNM}h1ZGrQpe;~H&ydF`3@-)r?tpj6|dC- z^6^Miuj3Q){bTRyjfncoG{<=@Yd~FlyVFhgAf9ssVBg`{vS)7l`0FT%+rGp5b)aG8 zGbx4&p{B_WQ2vb0?R2fLPlcH6&W^)1m|pHow`R1L{Vh2fSGu$I*9|(eeC=I#U*f0h9BK|y)mq0r7el}7 z(k9a~o-X7(AxhY6>zP_!{s>Lc+be`St68)Mrk(?9UV-ON_;(FoKZF}zft6wO`~0%F z2f=`P!B@B^{5CZ_08^5<5$c8W_sT)+=ZW@r(K>DZ923Uhf!D@nKxZOTi3;MkQr3)A@*Sb!Lhgxu+D-2-JX&>Zjt3Y! 
zQtUQWTw>l?__s4DAfcLs2|YSW&OFrqE$yq8^+#2L6OOSMaA{IXsWPMBfcu#g8~|-q zxQfkwpEzeyLgv=dTh{k#+($o9Z^m_+522|>tZO~@S6(WeN0sKpf{T4zZS&{Kat2=n zH!JZh0W}+z)3{wU$d&XXuvWL1TKxms@`wstJ~^?Vs-9$Smt4QbN7C{=ydO^h~Knju!2*<8-M- zfPLYYFq^8z7G=lo85q$l^zN)9Ft)zsE3SjoF9C)8E8r znpdcNs}u2+F+&sv!8U}bOu^lYDpROr;3a_(=$)8A%81$+r4UNn_D20V!3wVq2o$Mv z8WN~Ka`VQ5ZL}hIVJKWEbgC{nLY*6pipL{>4V3{@h^(*f)6^EmD8;AKM$*cG7S7g~ z|B4uly>}9LRyr!Pa`vI4d*~Hnn&j{UPcM-{^KG!oq1-L)aO z(~ooCxaWSEzhIA5dsfw~s*liRx}$|o#5aA)&KXc-{uHTO2IlWGegi%O8}?=aXAq;o zyyrMt4(F^|CGNWXx9`A9;U3!BO3kF12=$tsBKq<4_>rChel4G%)&z$=GK|Mr6hg@YCxZA91^R5c)*UZ5D2rI#+^ z3156th!d=$$ne<35_GUrw+Sm)nB+kFhiI=&R!`}<&$3udN@?DF3Ods*Ukl-X$I4?~ zkKu0C381kX@|MzX@phC(xkI%Lp)wD4*)&s#|4!m$Tr?i zAsVmuyXcPBxrm0tpW6mt#6wo&l<3R;omUvZV{>GyjrxHT+|i)~R6PU(R=Ow}DxoDd zTXbDuj}czF{SEsb7qUsupL^9593V55FLp$%U89w_jF114CpgAH*Xx_-hfx@`tSry*DvGFHe9yob(%;ByxY0l`6X{_*J1&w1}%9VZvNEBq!Q@veCt?`?WomjgVuSu zzQ+tMDHqa*$lsTYvKsij1io#yA5@=6?%KGPRw6|o@*a9(ViFpkWR}jarn4(r@7JR<RgpXi***l5q#ArRoZYh_y^#0?ms~vn~KC8FrKNCHyoE z6H{k^VZc4J&eDPoK%j>!;$_8&p^_h1AP+U&hBeQW4OD6zRx+qD&hAKZYIO1TPU(NCgSCX%BxyS78_!;!ZG?mGD?Ca^a2xA0m9opxlN(bS-~ zwUx)^tQ_gw>3-D|V8S*cB8O>(7!?(KPYkt6D5-A%v}Bp6p;hYh;0kj(gq%K+8|}av zikWewRAsxdm47rp!Px8>uK&y6KpyzSiu-N8{s3l7WyRgT82xAQt~Z=OAmwzrp-MRn z*&NOMXN+#`FLOu;&jVJ1w{IlU)FSJ{l4jk6cTf4bS#6GwmfyZb9?HgyE?j5#)3_T3 z1mMXt&`02&=N{m4lEaiX8Dqq94%m~QARh>3FQNz?tFhA!nxQHn<0%t*G)|o7b4+Zb zqIznslGefNWGK@mu%D|dj}O8Ku|#;5W$ubuCLiDTD|-?=P-fd$CvA=oeBG##d7%C- z^l5)GofOSf^bWm(BSP0$4Bo)_oe(ne1lT)vn6+`>Ky3Vv8~It``a|viFeCe(0)~T% zwW!LJU?P@6WgC&h3HG1A7Ar-9Xja+G7bSAw*a_LswYljOO=^f8Q(RLEq?xhZeX6BO zY@6r+MDEkQmIPE#bEUs->3Ak9*s6as2+(tCrWOmmCT)m!$We?J&!#_>`rK9h4GR7~ zpPf$ugL%7`*9EOLnZ{F?%>tR8{;WJ|D|+jad`tvEG+t zbdC~mr_jTrFvdOoz#9Io-K-*`CFQeg(?ntxhF^MN;uO(i(WT9do2*5?Wq;;IyK$}< zq-L+W?#qhuw;Cp@h>L)&a)CuoQ-5!cTc%iW5wh|GSh87Mt*UB}c;TVDjdrO>;1>}?EZ&JkuVNYxVl7EIWvKlT0&`)%uZ(C3)<2Uz z4@QYlGRZVW|B$NI-5ER)sn@{gJkH-7>&;e4;=`He>X^=5i6L~9_BTkfgz2$$$ 
zF~rf3?P=nc)Y%_8xYPv342lY94>7x(`vd(ik{|ib+%L7w-`yT^6l`4>J;x_&PimPx_Oomv9&|5s>tC)(lSwwu9>W+I zb6#gjQ)i}D)ZQmSOLDoog;t$4@^Q}JdEY0Pug@mOj~Ca;s)l;oUuPoy0kr;`{Ynf zZE?H7crA1uDKuCz@qj$RNoe1nGa0#ad^U+* zUdN_1{1p5T#BMh)xD?%gY&NLtA8?)wZ$=V4d=a*e!)#dF z&#P~A^*11oW;~AfbX2V0-vw;nIQ=WCLF<7U*?;tCUhQ9t&NkOho477kio3>7Z1jBp z>K|i-33(b4T$28uKkDJ-a&+SZ@(g7SiCpwe3+AuA;b`+ zQi`<@^HUAgY^HcfKJq>Qnp!SN1f(q`XDrdAr0)nDpfZfOp-NY=x_DbUJ|HxjfmlX+9`%f`dpc(J&&kYdfkU6T>cU zVos^p0u%F3V;PFL)OaOZPm=K4#^&B$RZ;gVk}D%hC&RMQcA zbjSOYYlojUpsEK8_!Pfd1a+7o^xuhYa7hMN@#3$3Tr%- zE>yocJ%wU)Mxl;b4V*22YlYoQEZ4xy9nzMkwJ)r){`xb>o-4>5Zn#l}o?c^5(`NM>mSFimS`3%DIAtRNus0Aj68}@i*P0p z4ww+>Y!k8O*XgdBL)Dnw&tPko=4=HVjfgQ5T674CIpTZW(i`$ED#dsJj#dPW1%6_Q zx1w;eDFMVsa)Z-b_3*1l=U)`zCnz=v?zSN^(k zOiT;tv~fe23#4S%byzm%#}0~Gn~P-*uxgE?srNq9K*2^A^$W-mKeS~lMy;1wDOoAb*i?vEK%OQeqjT!vwA4CPqLRd7a zHgXG3D8x$l8E#sL%Q(S!9QJ))4g}V36%rh7>lXM{My33@kBou)=E@{VMf`Al2ns^s zr9qIwZuF^MpGht!`7F%NpX2kDcskgF5%%jCx)CRgvmEEGO{WBkjU;_lAA>afyQ-l; z-|tCvTJUlR|A{KUDM5I0?=TGEw_>a>zeN>O?9vXP=u&;$g?LDi7E+fd^ZT5BQ@ptQ z9G1>tCBy1fFz!_}@!;sVM-(zdB9K=PXL}_L-#xL5Lho7sa9$x#`7)DW#fKHbWwdyy zgY9igAj`E8g!KJjh-IkaHa~g4tf)%S(T|HI_CR#r4%Rkbt`t+3ENEE`3z0eTm;St> zvL--|%a0sjX*yF-p0r0|*RmsSq{=y6=Rp3oGyYLZ7{;W~VaUE-P~4HG|10RSknG3N z7Xn-K2#qk~`Kp)+<53df2#csBt-}nn-2WSp!Jh3~o*AH{<^S@~9{&8#S4)=wUfI8v z1XIF~A8x7J4<7pYgNKgAL>KA#eE-2imlOKy@jKl49ICbe;L>#fcT*j$v}i)TX{`LV zB|7(fFY<@u06_C-gal-}rg{nJeJ$YHY|*u(?a;bVvlifOEMQqpoDaIt&3KIPAbDS{ z-Ryq%bu79VlL1-UyTQ0<`aW7eboUDRoyUgdfF>8#ir2O*SpCi>9Cr@6Sb555Ayy9p zn`|v0tnXBi;oZBri>$`yLkIuPUD&1d=A*EVjT9a8IZ~##9rvxqIG8EnR$eQar+tkF zPv81BW4kk}BXC-tw^6dT&w7=_8_(SUX{5Zys8@mNCDQo2Z?cn>=IkLM3$Y?K_ z+GsveLa0&`IHZU4(eku8O!+vVIdmubHvb89+@3r9xdF=4JJ@{ENpqIjD#~d%+|eLS ze)~XRbKHPe5!~#DnFk!Nlj0-RHi`SrANm<8e6}(qs!M!N%gpy6G#`_IE|*6i4a5Pz zmd9yb3tEWU1NiZX&1V{e%QvYq))%;tb$*1p8ozSBf&v&^x)dj!^tswa&eiI?%6#}Z zP^uJc+tmrn^~~;c`IH;ldcSIURmo*?H`dj7GL_7%uV>uIWB&+#LwkpLn#@wrWh2wL z;@)h1-}CTCvjvSJUPz!FTu3h{{CV30llJP}@}-L!Z;3}$klZv=W>)1uYiKKa->ZTOrmZvj1~RCqSG57tQ9iTPgZ 
zf`?e&wwd_!kF-xM4?~G@^(=Nu;yVuQ+qV4IK#{%9&>h6^19mr1E3)LLcs^(JT!S6c zNi>BktkvoYmpQ+XV14NzEy*&g(%9RV?NAbh7b==RPE`?AMV_dts3=rqpZ$@?Ocft9 z%L@y8+(bPs=4L3(nIe^>)D9x58mX>`DK+kIjy!ZUEuWIT&yT7bir;PT$3-J`Q2K)e&`5=X!3{yd|^n0 zBU=Ln4Q{v;Q(?Zn^&UR-avPOh;Mbir7yWDh>=)Q4P#{A1#r*!NUCsDadg#Qg2r{(k z7bYN|9ko~XAqG(qKB)Vyb12$pmV=ZIC&pYKm7B zEia%AWFjvJ#Wb`+WEK{k!W><41g>w%1@wdxj!t9%CcSbSr}%87I4>V_;*N;RkmXcU z$LXNB7*u5)$wIh?=dVM-!_bA)&wkY^+|;u*(c2>K=aDEy6v!jzV&|9}-k{_j9q;DY z`QR_{kGk(aW`s4t(nVGcVPx3lk^xFVm)96pS|hRW){^Xu7*aptWV}ULj;xJv%{cr^ zBNB*v(;{UnVqw0IIwkop-iDRPj(pu{5wo)IV7bno9<%sou4QpBa(hXiqzt%_zj?R1 z9+Klgp+AV?LTZMV``b*z{VjtE#tR$`H#@-)7RQ&~FZ3-ksqk=zUQZN>8W&+i-N?`k z5ziPiJ^h%f&`M)c^>==uurHe}mYv+U0}<51_89A_5s!Flt|TjG#Udufh4*+HvP`}= zvpOxXM>~6>xaTH9T@A(Gzhp%UM}+kOm=mh0DcuL`-qZ!{Pem_kErw0%lb8Ov-Fz-M0H*hFkk0b3-2M}*nbbMo+gT9YjO@&dljRL#8P_X5j2rXC%9$kSAfDzgyOI_iYPevexg|VN zK!)@9ANx|qC6}+79{c(#a%U_2ea&O&Y<^r{S7a(yoSMnp8h`#(4m&{#WkcsWw~i1S z94(JgcGkUEB8>5d<)Un#R{q1Gim+C#E(({tACf9$T{se`+=pb@8lN0WElu)7CMnrO zcuee%S3IcKHhtfus@WXXmrX?}qThpL)cPgF%w-?j^yeencu>FQOEKHnBk8k372CS; zOI)EMbe{P&)=zdR*XO&pKPbMU+cn4FI;s>KBs}g_^90c@XEY ze4RPYw#&4uWO6Bc0OHSICRyZTswtV;)3e9v7_ahcaD0!lcvkv9ib6Z(QO*&I zN*pV`IF|022?}aaHWruBCd%rvQ*JmJM*fuiQcz9sG?Vn0J_x^PbZL@P7kRf%0p( zwiF`#pL{W~mvD%$2T0Ds?j8H1Sc)p&$|DdE42g$q1CBL%fWufp33NgJp*KL544+$> zl$cG}$$O8Ed%nE@y9Lsm$2o%wj}>|Zav9XEWu7Iz>u{lyqSRdAgMh>4frDy|&5|hc z;8>08F@a3Y?28gg&f8-v(8JB8WD77WOY90!@p%Gz?xwAQoXMIde}vh3-hpj!*40YD z8f}jAdi$(zF<}k;+>QF3SBKPbU+g_t49;?{{dTkl^Ypz41#M;)5y1DAD2G6sMXSjJ zi<}#=gM}=I*DG(0x8qQ`3hdZrtRI^f0MF~o{-Eo zR?la#wi`J2j9XQHaUZqWo_5g^uDvTEVA}-Y(a38)`MP%Qe#*Dj?eTZBLkh6 zx*tn308Z)Y)B?}YSXWKl;?|$K{$>m5$Lj-KQrz^3_&nC1CS(+R-gg__3m!TS3cv!$ zHyX8nX4<;FjjLOa?yMj5o{MBIUN%dwo@z;N!6Vej+_@h|OYaMn-T4N0_kqJdx^?Ya zR#wj+mhfEg8@%-(2gvg4+a18Jv$!zU#sQ?YCDzF9=AFcsDLsN!v#|}0oQD^oC3z6a z)ari98ye6weRDrM#RK%b@dTcf@gW8+wz{v_Y%M^p_qQ8v;8_>kvwUJdLJ^lAj=mVo zDAf9z*f@v1?xc|}z2E&r5QOvz-D|Z&IyUYFJtHV-6ulCdLMDZT^M(?a#X@(ZiRaK>ob{6(g4S7F%`6qTQ#>TLf`!AqAO 
zB`c$IgCx$zhF8&>|qsw8C6b`#IF~(_j zlOEEBVRbeiIHTZC%|KUH%Dbf(Ri^=cD_WDS4y2XfT76hUKQ$u3P%0*cat(|Rrb@M3(Yk?Z0tJpJ%TF zr9fjwpywBavZ!Etf-##<+_N11gd+{?`jwU-C?(m!SY_{?YwMPC5ouwMFZ##MdPo?7 zi8I0N_C@m8BXx|Z;At}F4+!3WIO~=h??$e*DyvAfxQF;21Fk;GesFC5gTQqI#`pQi zIP12sHJ(-hbU%#ZB;hi|P%*XKG`UyxzK7(%FB(edEj9%!p_&ht>t#z`lNqX@^b;sE zq@eyoOc{V7i;@1KT{hio+Ge^Jt>Bju{IX&&SG&%PCk2V&DYAFuAeXQa* z_!Q_&@PP|{K9q#C9a$?~c+9mfBT6$tv9a=7GE_Yu0|4jL53l;UBAPZU0im)WetxH3 zNJ^8qjw^^0%GUavj4>GhYfbWwls#2={f2S5dG(Lgmc&}#HX~^#;WB8{eMDwt%CCE`i!cDyPu7!!f_<>k)k#%6S)S(faSLl z`QLNpkq1u6kn^j8o7Ki9{f_~kxoZ5B-&$oKjox_lMkJ%afZ(`Cv>ZuTh$gzd(^)U5 zJGZKJ+TYsFJMrrk1P#DA6@ve+(AwQZqm zl!bj{QT`@wTM#;zkm@eHZ7WWw9_Te#;q0 zuv5d_#R?6ARTpyRX}rqm160SapcgWF3-OsU|2v)m^NNpKlYqQa0B@*Y@jGG2cooDC z14YpA1i2SBmH*-+$@Au(;0*kR0pSBj!C_(bv(x=TXOrL7`9TXOhyzkmH@yltb}o+-GGNEP59Z6AM3<;jFvFvtpj&gNg}DSbJg<39LQ4K=FlRn5 z@Sw6r*QxhEEi)*K{K*^6Q8}qLq%K#NX`s9FDAwn(4r8=GC!rG#tK=_PLR~kf4d+}V zv}lZW&(9ul07%NB0%}QDeJ{R^K{E#M<>pMNVd^|7$7MkWt()fMQ67-(;@}mt0Eq&s z!*zc+=x*2(IWLz(8&^4OS`uwG9SI)$P1>ki@|XB_6Su(Lkf;}Xubz5F+r?>hzpH;q ztxxx89)d0XIkfgkqg`yK=EYnx*~xd2m2*ImV1<1B0n>?WlJ>FtHB$-u;6{=e!S zxek`LAtkiURNg(RrwciKZL7H@lGT^fvwI7NgAn_}-lL24(*_|lUbDti#4{q_+v+2{ zEK(QJmj1>tQ6965RtRQUYe=e~^*gzP8)}!muTUmJFsqdu;wHBTJ6yKf`!7o%r1j3vkc*Y^Ed)_Tn$Pjb6J+A&`mJo0E^W z7AyfbLCIjYR)Fvmwy-}M%hW5-Bw>aprF zXK1=H>QaC7gkTKzNVqHrK1#LyegK@G^~oT-FW5l-%?1MRRso%^+ix}yLx{q;nAVaP z1ooswG?-MsLn*tobfJN_oZ#2yEt=aWZh^P%$|CP57;K&#`0~PkBKJ3dMAB!7jKA~z ziw&U{;7x>r%7ULw06(>|uU=n@p=ADZRMF+0-{69nD_EOY0l=WqYVFQU~3J5q01nI@ww{Q2i^wC<89N2ONE9^I2Z`i`%w*kq_ z*`fKDw$mXs(^tcj^payFjZY12Qj9^ao$GAR=E4h+I9vplevYeIA2**nXko@*Yvwt0 zb<8tY14>?5DsT+rB>Mc#X0ZZM(;OlhIJtl4#4-z;s7T(k*Y#DJh}6y_Q7+e}iXg-B zQIe;X2ornB$vNtX8gda?m4EFi*SxlkOT|(JqhKhQk*$QDYX8NLKuo&Mmlr|8{N>I$ zv1=_*MdhQ&pvFpJE&~VBw8ey4rf$kkA+Pf;o%`zj)_#J-#haswzJ4#x^jp68bKpyC zOnuRCED|#>H*%ebG&R=3!I#hboE$`k;JRK-7Oa`i35+|z@Zr3+#1vRH+O@+hmiMq( zm&(o}+Z-dBIp5W)*jr|d;YMI`tjera8)CTYARX{ z0>5*uyLV;E1V;%hK#@*z<+;(vkCqW`kPm(tD?#P9Eryyn6dsOCs^87GY9sGyRw~Eg 
zSNugWiv>sE#HdF4th_@0vwgj&ab&ZO8-1_K@Zhr=hZC7Ca<+q(QU5SU^G*nco-gkc8DH2i0PK4Ig};Ix4%hVv7cr5{FEKB#OQd4 zgFSYyhdE_H5ln@As%NMf?DEPXwXTHdt71<$naQO9@qpqz*<*Q50esp-3>^hEO@?0- zP4dr4Gx=o}Nz!?QbfsG1Hqwd(f;zolMKkB3-^GN(W$}-X@ENCf6_Hkbr=i0fHUAR+ z!E+4-VNR4?Kk@#nw%r=XHRXw4PtdlexPz)`K>T}=s0AzOG1z4*If0f2BbRm$u%fR^ zhLF8-TjCJgVBSF=K|zlB@={!0MS104+@Oc$feEA3IVVf(Dj56LZ7WqNCw1EWp$pFM zq-EO>;9G)%3N&#fl%Uh!Z@OTYZ>iiH94NDsJr*ubAeHhbJ-)q_3VYUAj$o%!oo|?6 zq)#ob>R*R4-q8zpFwsx2G)05b14Rou~6oV>SEnG zQGeB{6*iOh%|A~k_7A?k&qdKtRr3&d8&s*^dd?&L^Wzo>RIRaU-?2+S+xqSZ=>T%Z z>9`JU3OGD8xLV)rxY&2PMosKgZ@!O+6V^75Tj6#(ZJRF%HIsYJmI8UN5L~A4@?vtD zEkz(#X9~hrH=!xDz}?-Ek*NMG1tip+3n6et8VTg2D(AApGGhn3%wqDf*!QE*>F z`7GTf?$2{zKi>=Fex_UVf*Wm90J8bY(t7Ms|L|%`3>JOcO*0T=XuH=&xOm+c^*B*u zk?Op?7-an5LVT8cDCG$4VatS@jTaydmiF6D<|ZSsMyo`JopV9md@ImvogK7?^SXL` z^A@I)=FnW{P1(LGPMeFq@nZN~QUtu2|C{B$X$AZ5L|}2eCU4c}MQ9V|!q$w_h1C0L zb_H#!hA4|SD6r)XjCA(88}n-uLuUd%^>DH4BhWI?C-3>~AWql&WmTioy?0I{=Zf}y zg|fSCqf4S<-h0iSlx+&3wu-|6+|9exxyb8D{c=DYKPy-Eibut&f%KqTx59%ebTEEH zx^Cpth3`M4<68!Qjx2|A0u9@*RH8JET?mJ6m1Td0yM89)BikHs zhW@aUPVUY6mVs$XD(bpSg(9B*nMkbe;P({w!rJVsBGw zG^Uw$6BQ9@3LZ;EyrxC1a&B1Pi6D&n{?9ZG)C7{?Wfkh`+Sakns zyV0a-0M~CT1QA4E&~|}$m7S@RT5Y=ED$`ZCEN-l5_9B>v{p=)wIzdn^&p@+Kxi2s` zw7e?;%Mk939=IyUGqA8M1~(;p^Rtl&Wkwudp{08M7UoK6@vLk{7~KYTc1hZw$dpMM z-rA40L5X?$Q?RsUOBQOUH@^VrJClHNdI0X39+8n>hA9e%)jvJ|%qtIx;CHellU~Dg zm|<={;(XZvE=KPb=+v>Kng!)KzvPR!Ay^#p)6!3+=i(HBE%v^UyI5i6F0Z1<(Phya#(+h}JRmI`Q zlI8T*cDvpCcmUT-9iVl&iwBu@!Nh9*TSM7{QB<8E5&4)(2N*R(eDW<9#Dy+8PpJOZSA8 z_|3@<81$>xx>QZir_r{8I%7MC9M^g(TpEf=6nft-#O8b+QFS+ed(XROq8CSGi z9NV>BDGkoeg!UNelT*ppSg1D47Jef+H)(e3=*S{|eyNAm+jx4FjMW~B%3rn$Q{igU zm){;ym%g}_lyOr0vQ{im&kYc+PMI`aU`jf4IYBy7+JgcUaFs+o7jv2Rv75)X^)_v1j|Yi_d4|v$2|%1ZtDC0^oZSwvxJu=i&$mfNvlmX3b_BUUHU}M znqQKugaM-&;XOb!6Imro0sVxX6QL*QY^fo89AF>#_y?}fjp-Lzur0f#s?Jk9*+Fs| z4pE4_g^x0E=m}A#ooi&mQr5O=>kLvRe?b7t-iOSk%oUCoN0<@x)5T=5Jj8a%q(Ld( z))gU|1eGx`eCf25@)sB?Z-0QhsG(vRKBhbvHBkSz#zVQf2zMLZ(2-hc?oEbnsmW)& 
z-1zn1rxYeBJ=Q|(TSU_l{>gUp@y=tB{U?M7W5iH}tkg6+{cuWb2wIW4%#T=n%2^)dfr@!xR-C@5gNUAWE5c>WK$ zSq{-0OkMJOdQXDEphyW)qPjbIhkXl%7#egzipgN8oxVsUC_LnaT`r?6I}8MG>YpgY zK@*Y+IH-XSo?Rx@U5w89b)tY;|Fm6vb=V)G&T>})k9XNNTQ4g%V=P|dv!If0w*fiY z3$OK*4pR-FO$;o_N$qEY8&KMPmq*fsLN$htkjtiejvjC;lV_5-kpSIOS4bRPz)hq49R1GwVSD{C7fI!<^&)aNK3HsG#5S=4=7; z)9s1*;pJ?waxxZV*V3KbZ5?%gPW`ZMgksoNdCzyy)2!ZcC?Heqd9KF@a0TCwJ@~sU zyiy)ceVDZOX4WqC_;>!Pv}Txq>Yc4;crH4DN;)0(X^p9u`z+n=7eO~pX3G8t>kIN* zC+CAota=~JCTW-bMRSnm+f{4qhp#g3>Dl~JQ|F?wmqx(AZ2;#e&o2c1(mU>#BJ2ihN>t&Tig4X=mRr{GvfOxG;q6Qw=K3Us58 z#q4*JB{0-Tx@PtSu+R27bMu%4Kj{0PPUUsIw>g0C((EQHCpR2}*S7S5_oS>kLT&3( z4xR1by}$IxN7=wlR+=UKnvJKyVAhMCfkp8$@LkcV^@A^Pr>#4K2eQZyx>kSK>V7@E zf%uMHfF~p*F1a8bI#{IZM=1dPyReC;t!~#5@)zG5AI3Z<$f}Ll#TozO+0oRiPQd&9 zw1@th`I;L70Q8g>3qjk3q=5mX9`94*Pyd6+uR}d2_1Ddn5ctaI?{dfG5uBfm$n+cM^lnS{$sjpPyiyqV~lWsk2AZdZF6hcMrqe@qJgy}D{ zWi1Fixh0Eke>1MwHK(>ZUWyTIHZbC-+WP89yT#Gg89{bpRJ0Wj{Wb95kG3p+$u(Yx zi`U}BfD$@VPAFd$54?UR{wzE5bv^|qT=t-IRj?t-?{#$v%uPIsfIz1bT?(ewC+n)L z^L}g7{8e5=l*r$>QqYSC_#!YV{tGQW+3>VXUl0i%E%#3e<}8NzdywZ96;vZdC@(DZ zG?aVrUbVn(jy69DW587D>u zKV|;l?S^Xo8M`(cJsHtLCKgPSPz|HI1wXDCKGRX68x^}V7A%jZ8uM!Ex$)>h($`c12^GUMGuWBzqn!<8(p72V$%~Kvws&&su@|bI;cC(C(o-F)6O>!QU z6n2a_I53egx##uhDld)?GBo?kcH{k%K14x>^ELB%YFCzv^m)qk1AymHvf#s$JiUaW z#cFa(k2A|#Pf?UbZ6+`nmC*ATR~T{zefc?=iYx4sW~oj8()rhtdfIi@#$}rV4I4-h z(uFj+xhPKfx%d}OJF5A)0%s_6AFNjF0ug`D5)7Jz)~(bnFa|5x;T5|HVnlPGN~mZe zY+KLa^}Al>C&n{Md2*nD?(Da0RP{P&(J8g@4iQQUN+Rl15N){lWSaR|h#29@7h_kJ zVI#YOWXHYRnbBe{>WVTWdkdn+j=n{D$kl2tCR=OTI=_tsm@*hfa7PsfP+`GFjp}EX z1~5f08I>>cAi#Va!xemPMud+-Y`4!!miE!>Cw?~B8i>HSF!iPpBtH;K95z3d|=4diQ;e%XSIaTZ$*t&td}#*2md72kSCK4*d) z=9^^M@;6jf892NKMG$EiN6s%YPrNLwkzt{nS@P;H6(Dg%njZhgNbVK)u0-?5Hs?7W zsm&wCiDCqFQ@Dm+TMBe$G$gPnkK!rc_&K%`4kJA_U&?;ye$$a5+{94?&DXCmHIRa zI6C@ix!YJ|?8>&t+q@XqU!hm5EUG@=hoGk34`MNk9z=+9*PEltls#{hClLRs5xV#` z=gs4e`1Qld!c6hTF`r6qr2AWkvZg@ItGh~4Fj=;QOQ--_<)oY|vC+(i!$gR4k@LUf zCU5nFS2uvVFu48z+yA_6z4 zbp(j~GmDCw3*)?;giGGII_qu&D*=+JjLuZ-L9Z7ZoMWgF+wX%>HD24jXV~3WLnyIr 
zS8bC!WqI%CW*vFYG$Mj86KN!qm=?N?59?rVe?0^95(L)gE9~0C1ua^vq%i?t*G0rq ztH6CU-@Qkcz(w=yX!odX!*fS--)6YFDe22*P|n>~4cgU7`p1hv}7r-2Mg1LCR&Z;QSSR1y30$unEW znSVK$9uw~#o7YEn(@(V|j;MEjwB^?v5SsrT(|*re+}1+}?Yfif>AjD-4Uykl;SySQ#|_19hm1qx zHkwTLD=hFmZc6Jqo$wxR3Fx_5A<*e{_cmjK3kftTc|m9-(Xp!iwIETm^-y3J1^9L} z;BlMQ?JVm8$ObaI4lwHYLvq(ETpSEs2di#!+kE@xP`zo{+YWK#h}>oFChoECbR0y1 zps${{3AN9ZrriViz7l^_l;@#6DyX)Uc_-?NlnTz9OWQPXeO6y=mEF7Yhsb_uh_rV z+@@i2bzGJV>dADbz}mF0%0a6n4lY$cjPCRk91$er)!to}d9Pgs!*C{uDIj@vcCO7xnLt3bwO# z%Y2G+r*Hs%)O@0Rob-a9&ZL5I#XJ!W(u6PBuZE?($Ld@}aq+x*YsyAt=+z7{FMeoB zY#%zWZBx2mC+5U9an36(D|7#>B@_aFvFSxotkGo64AIT1(E+idIX&21p4jDZkJi0t|CZ>NuL!?tIYE$IYh9f zLWCSct0>oS06SP-lZ`fdn5HzWk46vPr{P=SXzF51F@Zq3DnpS76C8e%?z}3#@ZTm~ z%)@t`jFVjcAic!nHWRGA*8m=X!TXO$xvO&%%tc}D;HOC)2PxC4MJq$;oL5jNf z2^Xe|@fbxOO^YwbdHmCo?Q*p`k5uT>GUJggLLU=a1(kP(D!^HkhbbjGpoOmdLPfDL z%>hajyD(`^(x6P!WqNAR*kd102>_>{Qh_)y_PcjSzpd}^jwHmw#cqz|_G|TO@ly6A z--EZ7`M&~!&pE{xMt1JW4o%`}l;}EksjRIwd;X=dv|*tl z7?He=P_E_i-dXkwm313uIs<}{y+j(YjBXhbFYh7D2OUUU@-2zxoY9}xY7XfG|MC4u z0J*m=K=E==EqL>-kOGyCAg>A^!C(B4vgF2JO2*3~nc27pF+tRbCr*Ed66vYA3OPuQ zC7wiiNTTH&B!AbfidDT*MR7kDE1p0vOqNSgxbm&o5mskk4D;3WaWfjRs(p2-TSreO zQkGs6iDw_f7yo7B2jnMjSr+HRjB?zDAr`mSY|^L5K^=XL2`R-_Wm&5V7OMP4p++Y> zBQ5i5Miy<7X4saLvGtc=EDs`3P+Hm(b9g>%&i))H)2dtv{3E4mJs69N$)}F{M8-aA z`iWx!su6xGX(uF6l{x0@t^<(=N0pR#DNr|GqN;{E%w(xbIvE#BDGAfJ4y8T?-uxli zv{r+0ZI9tVW2QHr>0nk%??S?}GMj5KACZlV217%M#`s1kD@W0DYMf3lCilO3_5Uc> z{}HY6o~)mz{y(353eX@SwZA=hK?^J?{Dp2+B}}xBsQK~H!OHM zB)a5<-UQTr_LjT59GBY5I&WSvdlg9ecBc&{><{bA*owzZ&d%D z?y-iw($Ot_@WBP2lFBQ#?LF^$I338JLDu z-zEM$JztR-pEw=xy?{c8p{E}oh1JH3f>QqaC^EN!`CLj#%%qh5X1b4=_2fgE-`xqd z`{STMCFm^i_H0V;U&F(E#pV0!pcaoVk6?5<=vtul=NYk}N8Ccq@=4@HN78Pjgs#); zghF2P#)MAJ%lca@xbCd#GS3fqHT>2xLh3lo5%&EGJTVD!K3K{tySwp!Pk(=G<#&0| zJL-b#V1}HxzW^FCA9o9A9n1v%o(M|ZTADY#H;5iE)E*uIIu^O=S}nKw7ipE3T^AdRwhq6*K+poQz)f$? 
z(Xxq$)LupR;nmPe7|ZKDfEYsB4`E#cepiN|WW0OQyaO@723L886#tK@Zwjt7+=87r z6FU=4GO=xIGO=yjwr$(C?TKwW6Jy6tcJ|G=x9XhxvL62DzpB60y}El9C`T#(@P)I^ znYsg&GyB=E-(Kt1q_?EocU4U`KjyQ zMrZ#&Xs4{N?Cu>upOyl?E%ZX9pf5|(#)YWc-*K9^816caXftE4H2V1P-c>j3mrGDB zh2ejLhWKG=sUdS2r+FiqzJqN1&)%?R9~Y9_8tIoMBr#Mt+yq()4*)IBnB{w)CC5QM zbP9|=Kd!8M^K3F6nGojYSvM4Ub^@_*^Q_ghD^3)Ram73#{CfUMjA9O)7}u+$!j;65 zKb^CbAk8v%bp8rO6u~H4Wa%l=*&S(^!#I78g`0}PYLQ`Ti+#7PxD6Xdp==d`X-}%! zc$}mVfqg!co>i6(nU0V!O5=NQPPvA5;ao_I18sl`T=XPj-5#3iFajw-lRcNMfA@E< z=5tn=Zy@c*-BZ?ngV-gUfdhHEx9?>uS$i#>>^ZhVB9u_fLb(4cWO6rg(pJ)Lau*I`a7b{g*Iojh+Se)(L|rV6pvXsHF+aT$$9 zn(^ZDU(!WNuitj0CEqqB>d6oY7tv*|TM^-o-WtvNlZ#V{QVg6h`xJlb4`#1^Z&HV( zu#myd0_et*wh$f2UW3&RA4zZ^V_)RPK8~HK=VvPIIyIzF@H$nYM&b_>F<(3}4Pt-HfO zHOZawwB(aF(=k|N)v0(QJ^9pxv+ACckBDFb?SgdxZ^WB-E}f}DVc9bIVY|u!5&n7G zy+K)GqbH6BC&9G;7HYo)=5)DsSQ!4`17{V+INc`3yE2+vC(*(Au9>G31^wn9f61cgzhxCy*J1BEF|ODwrr z&KJKks8mUFYOLrJ1z%{B&{;@^tX8q&v`z-%%IS|&2s0L}u-w7QJdxW_8Q^+gF=fov z-qN`vMCsP9O@6uNCf(TTbq->j$6=io%BL2?Rh}CZHv^$+(N%h~lNOiD%hyoW|1^tI z1tnMJb5#CL%@wQ?+-Nd~pfPy8#a00UuAe}(x=}SD?EY`^sPN5uTDv>uMq&2EwnD5G7NgLvcrXGJmIl?_p%6HO61=Fway!5bx7v^3Kn- zj}%E5t6b!~a?xDu3Mjitz?Atjz}j2{LH_&jvh;YB+W>j+Eju6U0Jo%7BLV?~^cHbl_BN%5M+!wZq;M_QpRcfIRH?J=J`mKEkAh7{N%W4i|wiKp2q37l$k& z3@h<($Qcgg4B|2?p{w1puYv*eZGYwjRn~Y|8YR8Q@p$emxRvc{eP&T`za#p+w!W_t3Fp^$4TZXu6d6a(6K&AZ?j51Kb)Sw-T$L_%5@QW z3=6aE+ci>pN^)-BIW>Yu~fm1rEZ^?r{13{%|;NsIkP; zeP(qWM>cpEd4KY?EeiTs)Y|K~>C{$v$FbYB{Hk@?tqUv>(EF^>>gzgT<|%wJ@yZog zyB^qWTk$yVSZ>|9?A-l4FXX`HWA*|ZsQK=jehP|tc#uwUS-fg&7Eg3#*XDHNfA~9# zu}x(AxYtj2n|!&YWXihTpA*q-PO4heup0k-0xp5WU);N!& z74)y}jQM5aZQuOX^@J1ASsgy@C$lc26Fw5UE&Y2fLhzM#v*q7!frxJH7wZ5RyR9d_ zi_xy0_4J-|g*K1`PD%~>o|P*;@2{TG6knySto|Jx-@KKhbFU&q>QdLWTDMyLoQ_IR zk4U7{PGYvp0OBzi55Sq<{SkQMCdL4yeIK$JA3xim-uU%Mg1mjO?!r+H+^bHZCzxW$ zaT!iZfq3cje*c&W`Dm@$d6>LE(R(`BJh^u6H?r#W=;<4RddF`8^)h@5s|Ma>m!!>Z z#N~aw@5b55^0sX6j2ChA-u0+Vl|AJ--5K<4JA_p=hji^ao>n*gy&UHFAmwV+1B>f> z==Zsnuo2~RzI3x~x3~u8UiUm@8}xq4je=lqK~hhIu)y>;yEW+#5b;LeKY?3+;iE4? 
z*!aK#t?awJYL)lOo88{%JMshDL*CN^8l~u*SD`#Ru570FUkNjv|+O0kYpPd zxHtlNP3xr?Svn!2S9r{xW;*g;?*-9J%f{;yhu*mhB+_1-U**e*J-AjUour#>XG{5` zhhV*PEki(%n3|6X7GltpMaPy+`S9max*|}LH!C!~G67u?ZQ)T0vm|a` zXc-1$-az_$g{edafRuY%SrHI3M!Y$DhcVn}X;E*_^H zsrrbxcq5Dx=?6)VYh!YFVCDQ(X#MvTsR#?#v9q37S;RuehOdaT#GhYD6V7OccIgbw z5(}&%KP#QYqri*Hi7E2=!xswVs|pPiDM-rICnVyF-#q&jngh-{0f8sSZCpvT0ItAi<_wZ@cQz%d#}ObWo94X7KJxB;IB@1=Ol); z(!hD3NE{MZpf>PspN$HlVLCG*uujRfW~=6k=U0j$#W!wC$6IvwkLR!J7nQ@}L@>t9 zMMVGUj6Fw&OuZ&u7yc&C7Fz&6?i=vb?oC3o%v_Tn&$gskruTqysU4sZEJqE6cit`y$Y3pNiH zwlWx*gjiwO!F;Jrf3pR#|2t{%pov2un>!op9CNIguW`SJtg59w#B^9@!cTVy6<4j) z60!QJci&0uFp{?8Hcwu8+6$@*wK`UQy928k9oSh$8Hq2Dm zv<>mGz{7NEZqaPSF0}GPEy@4|3Goy0c}wa+tfeY0ew0Xir6dBCN+nTa3=?WrSPj&$ z?#L&r+9<~6keDc_^g5SJ`I|MZR9JUa53A2ZSWQ~w*yWIKAG z!QRZzq)ZLaJMqRJ;K{a*>FnnnFieyw9#RSN7Uu)z9qvsIPELq2ws`DIu+5SME*7Y1 z%-S|DCZ+AP?2Kqp=zS%#*1SCgp3HpA$a-bFjij7(`#k+dCagcPm;`#jpC;GjeZ&~t zU^Cp@_s>4<`WbmmKgy2fH4SLYv~c|FdZg0owYus%?R}*HG>l4WO=8hil1r28T#&1%fk^do z>JlLG+ddp2aMLpC*=48!nm?Z};&r!v>^k!Jzx?bSOek1l3c$wk*3Iw}EA1Fcwcs@q;CDV6* zf`!qut&I4|@HT-A(yBcg-G?B?6te2ry#5}4Ex9<^4>bGZlQYT;z*`*-J%<;5JKml# zALA9DT~7Bl2=>aSlTfXl3B=zH2Y(pa_ky>wcz}C#avv{}Zhk$9JJMUm_FD~ZbpjW@ zp83~Z7Yk-R-lLhwIekk~czWz0e=l2$%bugfq?jEIpPdq#oVFo7*>vEQ=}Gp}DBHEi zY3Cz7k7pj@sZ6TpaSmQ8|3%97$?huGSux4y+XmZ7-(wg|tdrWwzM9(iRU-OB>@C;1 z#lKAO>^8u?lTn){%ROED?7M0BSv}`xImt9_uZ#||mYbMm-%Q=NGoxK~uOi>B)~Qzk zjSGsGP?&SMzDM`a>MI|xyTLLB?Ezk=*CIW4JA;ocoj$J5#3m#i(4keGj>BjE{heM| z$6G|0ms+oaw#P7pC&>B34+YeB2^6@Q`pjdf0@8d24VsF24}f9n>45$wt7rJu4N7K% zs=sVgAePUfqXG+XUY`!6&h$?Rx>OLSAChnWOYg>D}vf?nGcnh6I@-zanR@Qgd9{5P7C(;tnP zm`cOpnvt~!i%|ONCbUaYBp8o^dffeN0{oAx`#-?wpbb$-aj~0%nFWM zs$7_1g|dMpx|N)0SE`#&l$R*h3q@JMT2*jo+@;uop60A&9Xb_YtTD#lqbGlnE_4cG zgT{h#7-UhO6-nrE6y1`{Ai1p(NN6a92`Ktkt$Q!^AaT4v= z`Sj?RwJ8%HO$kFU9d!z+Xj{=l+9cVvjkc_be=E@pQXBJp*I~GG>HqLP0U7%X=_Z8= zkBz&J-3W_WIIp2fAPo*1AB%5q3r%$BgSWi@;DhOs4JoO315=KNJf+!I2mxAwk zM#6>-M*HFEZswl$ZVL`cz9p|aqiePD!RAD&v2pk5Yv#9UVUjS_FY_%|H14+j(AWtj 
z1Bd&O>92E4Jz7FSPO6h=tM1{lB#NZFq#H0btRflLm4c)U>6c~zF^vBptEO$rEnKm_ z*mmn0VCi?@4^tY^R;!1hLM~f2uJk4}F+2rkI8h28+K?Yc+tzpr3ab9GsM|p+k?@Q+NX&> zvDVEO$(tvZ+H5u#H>P#X z*1$={YFG@HEncW*ajh~>kk2Hkc4q@oRcBEm$^V-4Ue+_!P?j1G4kjm|OvVe)lWxRE zdh{2EGi#J^q-blVj>azd<~`geF=ZYV@ltIZ7>c1%7b!qA7OS$(Q5BvQkuk}vOw9<2 z-h<0aM|<%(GK()(ss+Lo30`WvdN*z_KL(2`I$KgRd0CY2)V-DbDjKXEIs8y)4Oo%P z5Y|D###I+BSN$o4P}0olBBb$K@I@>=oCkr+*-O751?yj=K52w-{1`cRj^!>Jni0DK zaYN=N80lu^7}g?#&$$2!o^o$FC=6QQkubgNh~XxWcu}LhZc}Z01@Q%DoF{`Gao$~V z3XW)td?MMbopy$8E5TAf+!#l_j&tf;Gu4TAEX3o3;PmYQtk7QkX%iiJ`QbY2i5zY5 zH5UOQ4Q!8N-_usA?i6Dyz-!{|!)Vz`%>!ykGs<>+Y_!_lTeChWpA)na{;%PynoG;L8%h zE#@(3&+kN_!tSdG8AZmRqM{35q<72Dw&Yq17_kFJq3b;AdyuCyezRm_L@OZL%JWc} zMxTKw5J+LRr^e^BQgyQ1@DE@G82y>Tf3(E$MZ~Tdg!MX2MFO$?NNu~P2-A4X@~m9t zBnb`fbA7K?bf{1C5ZSK!>(cKhtR{18YB)5>QBt|8Uk7V)WA(KBCVhUcdl8fg3h4qm(bs;#-I?$l`BPsz1rJDzWP^!5w>G?QI*J_#_WyF6>$*X4S> zH378vc^_ud^t8{8xa0^0E^5*U-3^kS*p8XHGB>xqe9ss7Z_5_dbS|>9e^@3KPq(n(gObI`AF~3+G4W{QOWIky6Zyf zzRH!!-Fh4Js^uKrybM^N%Cf$HVD|euge%GQId%T(DbBMC;4w?>@m%J+h9|C# zT^}>cpb8b((|Rcjg3GXt26}j?tB~=TyBXDM){Fz4*I6}Yo;+ia(!x1+q|Qa?RBmuh zXK%q{zMmO0EoYWDe$$7uC41DoboPo!tX5WL=fQDdkyNKdQ|MF{eDA67QpNx{|BSQz z9ujbGPX~jDhnR8hCW+XeaT>|nj25UJF#^HNhJ!F*%|(a9iTSQDZR8TN*AR&|o)qzc%(^$8PYXe}zR;d;Vz{G02T}!Zgj7BcG~= zU|&weQ&;4}IU)#v=MA@PLHX71%!s^n8v%#w(W-dUv9**!hoX9JRsD+`dj@p-Y5EzL z07l|<2X*$iYlEmDU(BE_@`3a|Ti9*M|48VruwWgQJY6qw9xopP) zS)7$Tm_sc2GU{;amGQY7kipbT42ha+(e|aV zNf4yfM`OaoK@AbiBG5tY92N$KhUrPp%D-B?S*}-baY=F8(Na@nq0LRuj^>C&D-0f{ z{w-xytNirzNm^ieBswp-BO42?YQ(cpNyD^3romuNQdP_F#NYe77Gk6Sl|u3zsrJ+& z2064lR!c)3H@KsKc65*l&@z^~ABx0QAFj=EY2LVlQNuXNDULdgD34BLB0$YPV)D7j z3a=RO^84P8Id2A(;OSlZ67oqxzqJaevb}(o1}-Hh5jZ3C%PTe_Z54k76)Z4? 
zl$@>*iat-#C7fKz6fn#gvz2~oSfm?d!yc9~_Dwp6+TC8V7QSF;|0P(~!^c>ku>^@6 zTRrr`09Tjy^}qG7SAQ-(qx*+Gf5A~%0_Z8e|)(bC1G_^9Lv`q3YrhUdf3J>#41{CO$4D)@HDXztO4++$yir<;REKiGb&U_36v1nrGa$?_(Of=bq4cs0=zyv2SH=CTG}( z``;&?sf|tdyR@>r*Ec*P_pY|9&4Ymh(8rPyGSFanI&Bw3^%1a3@bbyj2NbuTt)0<% zU+tMuS*exU&E(RLI`BL^liIvLTaiTm`6M16#NK?8C1C&gZ>#NHMP^Un*k%#{n|-&s z3)-(fK%%XF9-TmqFbUgN^x}V2zrD%%*>yd)(lAYT%4KB@oX_F`a9pebe7pgZ{M}a# zW~!Tjm8RS+;~jo@Y2d zZ?U6<6*=__Q-~`ww466bpshU>f&2aoWB`lPDsrr^-L^&-z5DGl*CwsU;X5|1?*!(< zW)_D4@20@V)O{_g*^Gus!}b*jK$xcQ3yi{S^|{_rnsIk+xzE$Dr3?1cI6haa^Ew}0 z&F$FDdhh-GOo5s9IzLX)({+k*-LRS>%fhEDNLMy{_nE@|`~h5k(ye^v;|9u|dPFD9OyL{c2V94Iy<+ z70Snf^YRT28A*{qatf&gY&6ZV^yFyt2veDsQ}M6)oNq~68E|3c1}2%H_RWZG!vJ?$+L;E6hG=f!+imBGXNhf zvm({=s5)<~C4`d52MJ>{bM9A7aCL=;G!~y+Rg)O6_@3m}PYWy=rSK(Mdy%Z4#fqfy zY%pM%1~A$^X_q3}`O7+b2-ca2?)b^jV!Df2`Z5f1L+!Z)A`OHx%zO+{ZG0TI|0r=OLTIM8o}{BpdCJ%v=rg?;nRWVq6*$Y*~sNn?nduw2!3h zWdkXl$&sCcQx7^bHLWtWU)xg|{@77L(iiJWoC?u^=MYGat`e!xipTH zY4;uiHnkFvtT{Y?86N6E6*QE;tMEQvm`Ve!NsbGvh}5POB9>TB>$--OQ$3H40#|WT z9IT5(=~MV^oO$%`vSE5U!UR;E1`0aXZxQ_g;W<$ywjwlz6}Sg=%y(Pc{AG#e;iU;G zHoB8diHs`bZ>|`fLR*S&&Ozk3j>OcFgLMt9>FVjaJ$*8D!j40ci=X$v$GqQO%m0bh zCVm9Px9FBpazdxCfE7a{d1Z(V9KBm)<01;i<2Pp)ZcdrJwi9W7N3~V1>KIoxousnl zRd}o64StHDQT1%x zv{@OREj7uA(na}TEO6%phg~r`$TH>85snVe9I0gHenT`dyYCzT@aw|HCDg{E4GC=J zEmv9tajBdSYS*O1slk6lXfr8Pw}!lh{epscdp2Vv3Z> zP*q23kQA978wFB)HhrYPEptr46?lHUT4cuj&ByRd05uCd=7rGl>zxXGP&oOTM`&`M zz?5LkyuJ$Oh53t$Vs=Zk$@x<=U!jeVZsUn4g)NGEGTNw}RSdK$R}h13sUVhT)4WMG z9i~`t6qnv9&BB6hUbb!LPdoV1?=FRJjSYIb9&(VSg(se=8p_+Cl@tcQaBEJ)ITtJn z6SWh!STw>x`6xnZHYOG?S__{JR8F`5Ot!{QAj?20aVX)MQG-5$%Rcw_fcUkYn85I` z?VZKqoHl9fY>E=%Kg1H5VI#XOZa>mCqQIjf`_H#vcM4|Nvj-y|&9+f#JY(7uA+|h8 zu};fiDqsl*IoO-E76Mb?%ut*gOia|$TFvW+jv;eUB}VY0VF;pPG}lt0a;|H3^}n*U z0HrwzG{Eu$a-Sw>G(osoA(~P96tjBxXyD#IQ_Pvq) zgt2r0z-1?HE!N$H2vE-$g9uj^d7PYyCc*0N-Ak-3RoV(e(XuccItP z^-1I^ol}3)=KP7xTCT^9m7K2gk>@5s=MwJi1cPqR2lf8TxYeVYo1bG_jPKXk(tYaT zHU4$iKcT5VtF#`U1jF+{4(q09N##eBI*IC}@zo}~7U0Xtby6@lpUO(~(w}OCjmO>hCaBaGy?Ul)c05 
zf3CYX&z~*oYU&q+R=d5^pAM;cm`|GHK=$|W^tCS7Syx*siSNFMjK9d127qW2Ng zgwbs;gDY=wf8=Prb`P$1oOXS$X?q_h~!DPeUFw+07fHeq47u z%2#G_e56a8!$xvBUgzAa)_3=9Pk385OOaaFy>DbJNm|>Tw@1%9?CsAZcZzkEX`Oz( zPHjog-1h?l8ml!KQ5;_Kxd_%;+$~S{VRpWK4q~^3MXu+(K4-XPIq6vr1O0kN zdQY7|Q1f?hEkiD!uve;!92MlxmkrF^&x0IPpF_G$g2#=;m0xAKcSF5>S?Jspd=0ZK zc=#Vxgt|RS{|Na(d50i7FA#@wC+K7|(r?5sT7o9RZ}%9aEG%Sz%3mu;R)XdI8zcnk zyCp0^{NBK-lBE<+^tJcqf59($rMZik@Ce%v#OZVVnB+UbJoLQ+s8)D|((kUKS#;&; z*|r@m|JJfQ&4&wuRfip*(wK_<$KX^itw`d3u(FWQZ&O9^2~I=u8#r(0ht0FGZ3^8j ze?x%Y#+^x*ru+Rs6HysUwJjc8ESi2nF-a#@Q8r@pC7u0Z0&^rWsLY;yLS*HOUuaR} zC-JYfcz}0=B32wHU1EVE>(|z`S=QFL1J5{OcHol;w67p15tkJ{2v~4gKAk8yq0vmfE0e-3t9jmBBb=aKT0aRNXRVf;=iA5Qn;&<7{?-hoNG7I7 zGd&ebX0<{o9ugg8{;!sm>NzoSp$y%L<8tR#W?6@hLS5W;+L0>L^ruAs4Mn9S>4L+Q z&79`ow#0ghLi*SPG3rX17KE%~FI_`kS$J^CA}(xebKxjiR(Gm}`*lrtqUc{ou>%Ib z$3{ikW2S3vqUTek=EWR=T1%s&c2ELPmZev1mb=Nfe@rO*0gJXm>M}i!=CA zh&6wV^ta8?tR7>ynkRFy!2{}Gkquah!X?g7W>oPZj1%Y@+jIyj<{Ao_cA32zxUIS$ z!^vEy6W>}9^nd@ zrmQ+_*|5b3lE(EN8#FC3G{O5*FMM@yQ@auHA%}fQG$dUSCaMcCWY6S(l_QK6IX7(l z6Yiuws9v|l9Up^-v2MHW%1?kG;!!dPHCkE80$MZUBEaD5(YC!rTtx8+**O;2jW^cu zEElW>9f;CpSh~UgmXT0sP%Y5OKmCCoYo&IWsc^v|_Gp@gLGbr-L1tC%S#dj9kI=;X zr_>0X>P2W0_kQz&VZ5zriUFYjly_6~WvrmTzUBJoH9YqhL;%9Q_iewN-Xa59E|6tGFAaYP8woR_YFIc;^8|L* zc8&NhDcWjOwfPr$fi-L#3}tHEc6Y2TBaIC0n_}0t?UypEbv=K(=V7wwUJrJB!=$PN zfDadweU0lVKG)kkdZleF)D-xR3s`_@!u9dpn?r!=_sVD5=TE!#iNwjCmfg&o9V>cZ z&`oQQTXw@^0mF>?dC>+u_LVx9*JD=2sGP3nSa0jbrB~i-$;-UzV-D|&av&*+*EIhA|e^JPY5bveN;f?$-;Yl24&-+g&OK+p5ZFWdLu z=7(~%WcW8m(SQa-K(bYqEw!9K$xxG^~Wg4 z@uWj5NDbd<(xDEdKk0O>eH9^-w~OQ_-Q&^f?A?8oH%DV|{1TPBFniAbiGCz*e^rz9 zOY3U7(cYmbug>quP8ZmoV72WE47;E8bRPFfUp@Iu9#JjFcfUQ0D?#RT&vQ%dz8n!b zO^f|JD)9gYB=z&7+Tk!HvC>b{1QQZHlP6hQNOvf z50K1|z=6Plw5GVLvO=m<>W5X7!_p7Ldcr^gHwXS&t#@u|5tevK6qBFPz1TH)}$ecBNUv_ zddFnNl)e^xV~KW=XdZ#6Rij*?3r(bjbJ3$HlqubAs9OxF6xdataGFo@dl}A@oh+VN zaUWp1-aL}XQXs-H_D`kQf2hGoOVEYaA`27oLK<^uyjSx_qQZJPGB^|~oa7o*Sh<4R zBv}!08>W*w+rLt?WymRbP1ec-90>7(qHLqGZqvMdqv%v~8=}GmPNjnL8crVCLTwq< 
z^YHNn?G*!3g*quHZ!|Bg3$M3)a|oG2jqvkGRd!zG0(4D^7)YODsO8CCcooM|u>+Ls z`g1y&IVi_ug@wmpF6S-obld@?6`1h4Wl&N=08?03NMkCcOQ?7s95)I;Lmw^1o1D)v zS++sv9KqdJKFTYkA=t6UmQU3&BQ&spIa*2sW)H1l4H>1Nc;vBA^Ni=fx9Hn4K@!?n zsFrv}k18ZHVzaJn3kG|MC06wWVi(7g@+6#>Pd>b1LbR06fJ@aY_n4X%qB&>3RrCY~ zlTfYNAK`6w<4uPyeY0fh+t>OO)9*-zP^Q9jYPSt18Yg#1G=?6=@66dM1eOPv=0;k)(FqL3v_@gv3x zKwrhyZ>Vk=LqSZ^%$(AkbtOgMn%oqoO{=y21Z%_kE{^+aymukf*`LwibhuPkzuC0Y zJW1a|u}IMcOIn=GG#%!b_ElAOomFNP8;fQQDmqX#C50e^;h%a>E>v*zTHSeWWRg3j zm;#Ry)u@Hf`9!j4M?SgN3MYF>BIBc8e*+{(I4fF7wd8jaDT$CXY5S;$#I|C5fEjP93^mqG-ftqR?^%h=}6*9pA>2oz-ki z-n(n@tiO{jRk+a>9?Eo8CO~YHSQ2TVc6y9DJg|>Zz_Y5$EJLTBKUfP|Tc#_tZtVD7 zgV-N6eC9vxobMMu^ZaM`zBb^P*{{UXTVMPBll-1K4Gmd@d13OEmQT^yHv+GPxRy%8 zve!=RE|P=?AS;imm@3R1EW)vvbsa2OyZ1LXDbdORMLLu01hzao$h{vIG|E4P?Tez( ze-M&J6h|ATE+fLSCpvw*q__`W3@$2N858pyb@1V}!sw9*>esX%da9NjC>yY(l*Lu( z+Hi?(95?&J=Jd@)gOA}G^f4|Ve__HjhUxn7sGRDQY&#K`gd;ykRSq%Uxz{G2te)5Y zra*GZDZ^6!XuDLtP7_#R2M0kyBL*}Wx7w71O(`eECdP&QRn1|$uUxw>Rf!sqMAH24 z*JC%ptVyzMA?_|on>3}0e9mH6c-l2lgqNeWD-%FuKFn}TrJdr9kVBahYTJq)&JW;S zoMHLzxWC4yykj`YV|XOQAN<_$lZVav5B!2}d5t&y?MdVO_=aq{fIE$TVKu2Pf^i^5-`Mzd$avw-KX6xii%zc zbLlVHpSyEbfkaNTKf8`2`v@7*Z*L?yX5Rs`Cs*!+^AvoFKtO^YZ`sQtpV;Qd$H3GC zvSb*2&(c{*7XQmO;a*VNhX)ArHNA~P=drR-q^{p$xy zR*hG`;|0fO{be`LUpIIT{gumQG?-e?z{a(t7QBYdBP*r5b1%J-y{xgleZN|HiqEUg z&A7e^z8~u!pUcQrJ%YU%i^LF+m3f8 zDd3a6*LBw__g)Z*oykgM>I>({A!t&7CQ#sw=kpbRd|u$=W=F~H%MfO8uUW+|>t|WT z=`$Q%EQjabwuDf3?}&{shRhdfAncsZw7idjkTad-gw?u(QK=8dq(L27juj zXtVb%w9NFzb+<0op28U#mVkiWqlBgW_O;wx6wmUp!{?UHFiMmL_ZbkmkABnrcyv}-jxU9M2I_iKoRlwVB(Rx3X z0q zECu*IZ3*zX?B(%2%gGU>bGrp!H!7{>hsh8;4M0gG$pz)*da2}Anz+<3&Q~4HFZnH* z;TW8oUHC2*3i8hwf0Hy7pi2Av(~|sIXDLyPMIS2edYm+2asCYo)32bs>rYMU872Dxs;4imZO0z8IQpiOj&QN=ku}&Nf z>J6W7R%$P?=Ef4M!ViU#JPqdLY?RE+(jDrTBJ3BQDWw66xrNOWL*=<;VGH5u(JbZp zY>Nnjh|H1}2y$>-yUykj^>mbCZ)DMvL$0pzMUF&4p=?7Ijp9cBo<*5vWS*{;Q@`}{ zC{MBEQ(S(b$S?c*XxM8imB`{wt0w+D>0pDlPNw4x*M#~izXFDmEGLSPkE=EXZd7G( zAr4C9BdadzGPHUrrzn_kC-+EaJ6dzBwoN2K7gq@N4KMsw2TPg?u3bUw1`jDcL6l)w 
z9H3Fk6YiH+&QW_|MW2HQ)FDvAW0Nc@ljUP!wdMVR&Z8w@QLaG22K#9Wj&wfQi)b`R zZv$O~frQ%gx0tmRpEkD{6&tUm0YCFMWvHMSiA(u2O*=LmFd>4y@tZO3xqJX^c~*Iu zN8#y3j&EcmhMwDiVJbZ;q6qF14+;UBO{Q#fB#t^@6syFeHsk6H!+)efEfMk$B~&`$ zS~T%^&J^W5JiJD-M01D(W(3b$G1`rLpCQRpv1RIC*-AlS_i>!RME!F%D0ltUnXMHP zCd8#wq)eBN=KbZ>2iSw)J10T)M93A|@DkxN^wet_>vunXO$w{(KoG~*mH}#`eghoD zVqioXQ^iXmq~)1~#UP4%jF^X6N3S)! zk3bGk7i2(!brcGfAb|e^m+i;TRAe6SWw>{&(4b4*{{d$cS}ggRz>AyeDH9yg>DiNr zjW3!l9)q9?9!e5;u)v)Wlp);VL(>WH6L7h_ra(`AO&z`#6nHC zNrUqU!XL-{L5U+YFcBs;J|054UFj*_g1#QCul5K0uSqbo$aA>+xjGT?Fw&p#KnqyT zQ%U~yYmACs1cWHK@@T|vJU7YcB6mko$SKI(APnMwto_p`1d5^&;^IIT48g9Xs->@vLW{B#>&O? zeAwTXXK(2Q97_gEk~g~j5e_5N_L%c5(b>Bk7Bs=dVo6Aq^k)|S=&yXab@s}!zb=tN zVPDIyhq_^kELGt**$vXFUL89!YOysd>LFc8_i;s>&a=^Lh&=?M~QW?JRa_mT?1chnqIY!AMF~Rongh>pgK}QYzwE4P((J~qHjo{M%j$XY0 z;yt$p5DZ!AyI*g@i#2E#I5-Nu>kC2#AN&z4z0LlT_5>o@+x;pD+-3hJL%=VL0vqgK zQO682`($1kM800E0CXJJ$@yQVMat2-4Z*n0{IrYPvYDz+9$eYDCjK&4`6cV-D5nqZ z=8o@#&ApxfZQ(pX$5nUlOfqCf5xTTHgS}PxoaB1%*)OuO z*Jbmp~^jdDs=Y|ZWKY3pN(U|fReiFX{ zLuMu)-){-6(dt^C?9(1?ajeH|eP`g?g4`9Qe2bzW2vo0o*d};^mX(c8Zz?};LMSr^v2DNZ9L2tNmPF3`{>2ZP56z-eVV&+CG# zY`bB>bCzKZls`Os*5kPX)}(f0_wmxZEZcRn|D1N4r`*PW^Bh*!{kJyEyWRa{&SiD` z-Q0GBM9vVV^V#O!K81y&{jK@yrV_I6l#i{W_vokZK8}};-|drH*reV4#>(Dfmkwj` zGp`G%%S_<*?J7*CC%~2X=DkI39;E;AFOnb|^SIep@luAq%VTqIc=1`Uex7gB)@^`k zRmai$w()%+qYR!VyWnH+1eEjvBFF}@Y=iEnhXfWu=w=71$6g#Dien4tqchW~QRRo_ zH@}y?FLk0f?7eT;nv_zS)|pIRz4$XPWL00`&2LEfhcJo}8=N(;G3gphc;XcA=R$bOXZunuwD zc8QQfz@w@PZ>g=*f?GL1o@!AS@b>Mk<;{;0 z)_e~~b-ZDFf>OYk8EK`d^hzDt;>eo(XN7dyS=bw6`d7R!qt0qVHIJBQB&n-+5B%!5 zCA@yrKTaI=Ak`GosEEo1`Yd~6KPkA6p=$%6xph}*vXb3i!)tbOk)BM+u#$d=ltdZpSAoq+pYw`xGM?m@#EyzucVe`3SkJeq2bYs}L8cFOaMDjk^y5Ug zV0~BLzLkfCEUApltkk&NdY>z8d|EPuD{YXjf&W zAWjG+qly4iQBI9K(_L(HYFIqw(y1lgr;T!!Dl#U67n*MV?o{N^mxckGHRT?lBChlZ zO}O}#ee#Q@KNwfoSN``$k_jXD&AExJ7EG%xTvD(Bf;Y zNTPN@wy&x9f0+8F=tu*$$(ac!=ESybXX0dH+t$SHWTJ^Rv2EM7ZQJa))0=O1zy0^- zxp=R-`@E;?JXQ5n(OG!6`bews&aE)M^T;nhRIS`^W;MkFj)^A+TLgNNYnN2v9eZVkFThV8xL 
z##B$V!XT4IJzH)IPpxa?VM4GpS?Q^jcb(%*?VZ8*Kt=9Fg5jRr8ktS8&80fyiF}NY zwRt?0n87X!D>IX~9r7=uOfAykJ>;@$rlYtk{abCmN%&W-7oo>}tcV$#7l*aSQewv0 z11i-m(`xzu8`0f}7y(`BA8ef;Pf-IFAd6nU#l|j(kHBJOSV&`(m%|STUzpEREGaax zQHNH@`>!eL^{UU%^MBUWgr3nzuRhr!|{%J!C<=T7`n^RZv`GR-pa!4ADn;(k)SI zeGLEWVlqH`=vvDU2YU@X267k^NSV9!TLvX*p{K3!a0pgh|B zOi)+Tt<$lCMu$7aRS1vJ+Rd(i*P+v*rcGv{U+W9e?ebRVzEuHWjYFaOeHM?;HcsEJ zvtD7gTGOc!N{IK=-|T2cM4A8c<;qod%VqHQfXFns9CSRqo|wcB?cp8xTv2boe)Yj{ zbm6%8n+e%om#3DiYoIil=;l?SDj!C}?&bOAUSI32ZngsA@9fXzyJbSp!`k9nGijG$U%#$O>V$JE->5ZW+|CR9@XakbUjD(_3GydG#LE@f?`HC3HCTf}F*1ywpqbT9M7)vJ;4@ zvHiF_E=|{+lHq#urs2-$C&GWy;+x%a`T9#=;E7@X<>#vdztDYhAfkiE&gK)cc2&)m zps#H;QI<$nZ-@Ia;Zkh~_mNqpV=K08k~NThGcUen zfTqM4Ib(sfHD)d9Ci@vTY8Kb>T>J&Ew${$wYd8jONp3M?d z>q(J(J|jF$d;TI%Y%2+oqU0%6BLsB3Le2vnTON6y*xf@`iu^ze|I+pfDJN3i5uHfU z$kMFwXNZ_F$QP;aa{RV!mu~cM#?eP75(x(a65%~gVoB}snTTu*{>~$FQfxS_-+1-Z zCl)23l_ON@kmC=rak=P}S#eyYLuiRX0a3EKnN3Q?T&ib=IKTd4<}6Y-3>y!V^nNLQ zMwc^-d((8iT?8DU=28k#ngTvT*ZW<7H;|$YQYyX}c8pmT{^yHDr z&}hlqNX1LzU+`QJXIDxJ;M&)Rv!VR4MwaCytusAj!#{`=rWy(OQR0>lEti4-qsUx| zjMy&zWSXX zSG`0giG3Uc|4|3GaLGoEEkXG#ey?ml@9M`qrqaKasui0<+(ydzc(mRXf^X3hsEcvS z19(w0f9Zb8q`juFt4oI?+QkA@HgaqWXj6%Y6{OVse=D61jmk6Tc-1Cb<)RHcHrR!zDJc%huzr-y!)|zD0iq`7P=!N-7A_joJhbW8@g@HZ%<0O`aBXD`N9seA@tWxS z>xvbOR??M}9VrPhtXP05pMqJ2dXHG?A1zp`KI}zA_RVh{Mp4HzZa>`&wFXahB@~DI z^|fSTD6N@K-SOSy#~&nGNf)dT+roM(k%b{~!<5$wa~oD6(tHPkqg;}YBUG*@ja4XH zBzTFQn;6aU97~ELx{@Qc}E!1g8`8HIqqu=HQ4oFD#94B&K)0(P6p3<}(w}}14xqcb|vLO1s zq2AK*R7iF8FydM7?z_3DI3SMglF zKD`#rlQp$9wc?=1ef(Ii9^|&>dX-9KzSVVA#K**Ef0(cC?K7R7>HTzlJneU%I|sdf zd6T|7W^0^%-10WLwdg$Md#H3;?QVX~1a#Xz86Ys=k25gydE7kSXr3|`+B~d^;p~1% zUdH(2+RS5in5}oSS6&@TCFnQ>S@_wT+`R^<+B7QHi?(<=@A7f~Ty3jcAi7SR&N7~d zk%ev_bdCvGp3ux2=iOVawi6lsjHbtEiuH8f;O~w*x1QCWZa4r9&yMGg$FmXFS)eNg zbH5g#0ujm&rtI!_OCXkc;$u2J3qXIW%P@a-t9c@&dlK;RBMnrXAUG3~(LASB-#)x_ zmEL+Tk-s-Lf%GV2qx<{pV_NWe!j;O(!XOs&itk3Dxe_d=!0rAWvufpLI3`!(M{|4;s$58w6}dOxLvSDx#bNveS|5){VMx$Ga6R)5il9HwhxH8(gk 
zMsOSOy3GgHdVV{kX!`-H2aUn{sXot=z9^KyAtGabr^F{!?9V4<#{H`9Sw@7u> zKVk7oDQ|%`)|11k-%A9fOe~pE$0#daQWY6LOhj6>3`uos-74}`D2)(Su?utitbuYO zvxKFGfitI7a&ZDu3Qn29)0UJSI#wh&c4J8zTMfL7Rv9$nksD;U@r_aEcqH)S)-1MU zMw2PK3D--A$qQixbcwk9$zrByv6`+HqhYjdF1G%ujOr`VM4@~+&e1FY6c-V7QfrXR z@uQ8Kj0)u-B0M*)`iiU=u7R3q5opRVSS}E2+a|Gq28WNp85VAg8QZ1?g`!ks10@!* zYrU$FP!b=Ve1DyvmgJ=nj=N`HQtw0jN|6fI zGxN$Qc?)~6?t!ZHX6&m!a@pf06!3}dcyt=PIqJM>YYeK=!%0j#uNpA46ti|jm*ViW&Fq-gm1 z4QVCG6cg=Ro#|-OBK%mk>HRfXH&yshnmB&8eDB5IW!otUS@KN(inMGbTlosRQtKUGm zTFIr38+CtgPVqQGB0;*_S_wN3M`2vBX=84~-dqnZ#;P{itnHjM3ll2#kt-|uci2_M zJYMxmBrH?R$G9-;GwqpOO8qq1@;JQ&bY`2>0OZ9^KX3ZELDSlmecniZ(@Neoh_O)# zdoK&`ebx3Ht;Q}13836bkP)p#yJ=g#R#h%Ayi=N?*OZF!imV|3M}%=v9+p|o)c-0d zNYh=j1SU#*JviK0I*6`zDZCv*gp+bpoew2mt4wD~o3%Pvrk`S>rxzzaR8La$wWplE#y|zzT zfF$hG$%N+8Ze|wAT%|GmeL+>gN;3>Q1SbZghNAeqXc&k<&&CguTc;XztTH+TOPNP>(~iP2{cWD=RC&!e$`yv)ZbY+$Nw{490-{ovK_uW zIJ`_xd~9p53SJ4#u}~Fu`+-OOJ>Uim5oCS4z{21?p_%1tAsp-wW^B3Qp6RFTatBYp zk`GT{Aab%_BR?++k-*MD;+D5(;Id!S`#Z%kqw_;Hqv!SMCtpnf;InF+obr1gEdoBR zSMfP+B@A!04pqH4SFIX1_k+l)-yNT>L5GWlb1|FY8&0p`2TVFlS-@p{(QT8g9(*Ci zDZdF!d0xLTRsefVVG*DlGaQ@`uQ_1AR+ICW&*yB-dI z4P?*Pt@@Q=dmmzN$;-6Fx0r3Vrvkd^<}1OA$D3OC;|s^T>Ftw^E`|MxS=?k_@WnQf z`(^cW^76+=#`P7apl$nMwZLoaJr}m|^>k&0$4uza;OA$}1PmlNS1+_JJ9J2LJAkr% zZk&#Cs0dTskNvQ2f?rpK2r9CD2cK_>47Pml0c!wtZF3@i?=4&X zGWYA9BMJvi$&g1aGvIj4=FQ?~7|-d+U-}aFF6Y>eTidgn&bag{!TY2=CkKW%!;hm- z^^SMsXR~x)0Qg$pD@kt~-tVZC?y=Rd(EjeH^Xg(%OH0RM@0*cKMR#WRNy9zi_Duuu zSg)nX>p&sd&z10Q&bxkjGp|EFgXb}}^Xg+TCTnd2U`%(YXBU;2?0pxf^QaNc|8RCa zt+$uB1Qp8AeMV%k@w*#qEq(iC;(FQ3di&Rk%9TQ9M{m>d?h`)C_3h==%HwlqHh7#2 z>z%~=Olj1+dBeGL&)T`E^+r-w|9x-Te7gz!2v}ts?QB-P-+Mh69x8M-DNI-%B-BjO zIXzx=26tUvI>6%j9KD07KLDG+?VX2-m+We*cfJp@pNGaE9rq6^3gyCDMHtH+pq_ol9%Bda|Wcz4<|3vsR|C_7g|RR*O~rP1CH82Y6I22~}MJQOF6 z2<;MM!?A4d@4j#mYBZZbM>f;Hcl+)fBROSR&QMcqw5X9@=Au4a`7EduUc%opQ;H;w zV!5$8_LBQDF;-@{f}{r==yEJ!x#VMTOy{G~Gd+f^=f}9NV~#rH8<$_y#tPBZoF^3d zqaQ@eg`b>Kjgo657&`DvQ~PR;c!H$X^Wk8K 
znfu|$kSf#8(Zya?3K9IbM4pyW9dgxXR-$^*Uhbd$xEVYwtFTC=8P^)_%!e{?yAIL+ z#9jAqbQrVVKyKJ}T{&!W6nzPIytLVCv$N{37|=Mgn$a?QO2VscX1+F~$TJtW6cNAV zNoU@B4JK}e431+l(6Ox4Uo>-%rT&Y%kCAaBC2*G7BHCHP>Qz61m;L@`FnmEX%FO-atlz^rDPM{FANtW!`*Zujo(W zZDkWF`w%f4m%)F>ks%pkajo)yLOfIMXPwktGa|1@^;z|%&72Q8f6gYQO#F3XrQt;X zk|~SAKyC8_#ZJ_mEzEz(TF)SwrFkUkTNVp0>?Ecgd25bB($|0De8kZ1gYz z@sLT=1PnihEVOPc6t_zSQ*H8J`kU-op*LiWg@UsQ{k`T@zz?%ht+NQkaPnR$OXJaTORuMvFS_*fKMxe#KEk6#g9&L2{ZdX*!ma z(RgWOYK(HZ^(w{v20Vx zhd|UZwoI>3oG0PsNnF35vI{<%SUk9Jh4hSnMgJ)z z(aK>`d<{k(87kPcW~0`}i{3ZZlw?a;L_Yf^MN8a*7t^9jcd)424R;s5`OoA5Ts(1P%FpPR1~vr`17!FExG}^r0*+RsQRn02=q({0PCHku1)}I4 zZ%9_e?bzicgF@(P^{T&UpA@H8X6=yfqb%v^C0a`mj4686YhJ%hV53PuW>9%?Y9glN z5Rue@rm%a-hoo`!7)&4-R{r(|P-_`EjMM}w&ddc%Gg8qxQR6iPSilF@Y2Z8?Gtj+` z`sHf@HYsoiWb4D|0{9Vc6T-6pSm(|Dmd}2rVwY_dRS%UG^tU80sKmfj z5=pR)O7kdz&(ohAMCgO~Xj!8U$o=-=C)MuM{#IGTV=Oo zgp=Fgu3lnZ#^U~a{|js7in*pmi0l81j|gal-fcOs$Y)V_SNQF3@F`=Az$4-f5r*VE zcakV;_O;Lr*9_nWgTFHh^#VQv%(FZ5lhyI^Jptf7%X6JQBIsKJ5C+s*NW693u5Sw% z=$wTJy_*~o{5yW!JUP)S-fGmHVRmNT+Pb)!u&Chc=yH7sNNXHWDO_Zv+47n_ zStinbJZXdJXt)o3%KF*lO-10SQbQjwfzh@AWwe9Y6M{s679c@p2c9Wu^~y+}0`wKNDL|OFp$5u45u?T1H*mjRS_gNLF5U zusZ6q^^X1Bv(}ui1|0~nFTkRAK`*l1CSa4|%FK1-?SniMkIOaprIv)Q=+?);YoeFt zglPx+cTT@PXQ6?nwGRiX!Xy2LA#Zn}dZ(b53vfROIoZD2&9-JZa9<6XuiT{{N3y%! 
zISrD_@47?sEku?=7ldki&{`r(ub>p~NHV;@R9BlCRlAZb?WU&0~{$8w3 zq5CKbr!23c+f6NbX;z)&!X3x3{e~bd~q4M;a)-OB+ z!mZ0s+ls~f4Y)kjuMCOxC6z0zgcpAoS-DD>O|z4BjOma`<-zBMrYTODwrBqRRrCvR z023d1Zs;Wv>Ky0Xj@ht=HY>L?=!N+kri=~61glv_LW1eBAaa)W*@Fr-MA0rsSQWeR%f@aXsl8{=_e{DLwMQzB_RSG6qt z^%??r5%;ttPJj6^q89q-#f&f<=qMxt%#PiMXoZMia{en<9yaN{R?}M2BA}Pe+{iMk z5*slzu;=$1e%047CijofZ?=)R38w5<^KKN2cxcL=DK<2TEu|<|iUWVXCSMI3k3Le# zm!Ib*DiW*Kv|-Ed|#ZMlp=HGQsG zt@hoDRI4P0pk<&)tt(x@!pn@9r^-x=55F*1o-OEJ3DM>cVzrUBNaQ12M``H1t?%oh zG%=4gq}q&OsuC~B{?5Gg z=^5o(CG8~s+3cbI=twY79%CNUFn%^CESeAaz0YmDWdVcZNHznUOA9{*E&*fcb3_yJ zW}|&p!*db@%W!-=zD$!caKMA88mWyqE7Wfkk?KrJu|AD{$r$B&Kjp=7b&=m1QH@VM zWiA&`+pGO0Wa+t4eikb6iS)=M&gHsrpU&lr5HTII(|TKR=D~z7*NewVYpF)n;FhRZ`uyALXGg&b{rB{;Y1=_w`xSHzin=H)>Z38Ex5r)Ao zSA#NF4*6vmA;GOWWAyL@a)tCAfs#&Ou`ECYD{E@cJYw!GW7Wz#BZZ4qX2Q%$Lll!) z-Kk0~K#5q(%wy#wLMe7KkOre#E?asp3(Er4)4y;PHn1fCT~>tj?*&Pg!l0$L%jyj!jS&b#7zimqWJbh+kMw`g%?vgflYLu|brP@@lJdi(}{c_VZN*tWWn_4}Py2L6LxVgWu8wXbN ze~K@m9ERs68l4CRR}!|ZnAPu7N9L~EaBi1(Cyd=)AE%d0x<()77L{$cCV0zN+n0yH zDSfYcp(fVi?Am)Roc*$&z&A!MAh-2%bLKXWg}ZgCK_;;N1&^_I_v+lhc>=Bc-DL|t zwBom8EBNN(r&s&6^Q?eFwckmqP$nqi)!D}4^bPPkWo5QWfuN?ZUuVO0A6UQC`uc#p z^?~^)4Elc2pSi_Pzw)^0{^7Ab6{?r&`Dpi2y{!}F8!hk>YWvvOJioln|yu?}DPnJ|2)FVD!6|xW;|BCX;Kw$|Th`V7q#(#^agj60DnTd>$Zm z@tYS&P>hk75FZcP=Ly*-D-JqnxH_dUsD)N-U+l+MnRzl$^?H_XI@7C^aD>eix?=n^ zt)ipaaZ0NC>(4s3CzHU4j3P9Np|pq(-&$lH7b2bCSs^;`b)6K47TF@GuVx(Cb)H>< z5qHtm0FRFteql#seNS3c_HaMaN@lQZWbPGZ%2@zP&00*5ktFr2l@-G5)8-7BQ&O&t zOQ}TgLu~YL&w*?vn1ovxOO(2#2-vXl3+Y{-Wqeip01}gs?rn;0}tSuESMoYTJ> z*mExYHda()JrwaxW3~wz{7P0eK187ke`33JFk(M%F~C$ClcI^D9|%CI{$Y=N&i3~A z6L^82@0Pf>^^aEtFQq@if) zvVX79#ee3!_@|@B$wgZrI)r_SE|415h-TybHRe)LU!DdVkX-GSWDV7YoeF(ua^=nS>+tG3DB8sin#=dY828*y74q&4@+5WuG# zqk|-0E3_T5QL@E*&_%m5ZD=^~5ep<@k8_%)XkV205@8dZjK4_B!C#65{i1@Bmw#ct zu!iDThi#zGM+$*fq*gX%kw7DZjNa^J_j;5TyKa`z5)waP_yrfASB#)jQYMcP!Jutd z@h=BX&0;{*Jf(o7$9(}dK-P866k#c5DI;8~2COGGew;XP)0ItR9J3 
z?vylPI)7|9w5xMNN)yX?qLcSWIoTPUEt_x~NKwDw%2Mg8I&uz&#cCu?l6Y`oSrPYd0jMCh9q4Eu2(KhRZ;c4Bu2ZrsiIF?BYt(lx@{ ztb+_AjtgzHWrb|A)jpuSKzlLtF;`|q{kNl7wAK38e&D!%gR=~mi>Wui>1Qj8^*f?1 zKKCn%4WbcKL)!_{UYCJb3y6LX zn}~#M#!u56OWfWZgySUq8g{a zOs)EI-_^fvcbpV8`1_&t^LYAQL|vX_tDbJu)ca%7p&@W zh0o9~fX7&DLTCEB`!N$g@Y{R;T3Y)$osWC)LPc_`0Hf|6>@D-l=sGy>eRa{le#_UM z&q(s2a_aGE^J%lwLElf`iH995V`k<6f0F9Gx>L1ozhwp_V+1e809?HUzzZ(1YZTm)**t9?qw&+buc(=v<~e{TzIfQ%D$rw514etXpB@%g|jtW;+H; z-hyqOvH_Q1h+p8r|H5v+Om`A!DHHs45RT~fw`Yr2oRczZtb#-uUis6vQax<|*5BMxIVKH=y6;*KD-M16T_@k`pkNExSFQ&= zvu2$L*jRyMPGz50Stp*yZ@-&gpk=NY^mT{3WH(c^iahuSHjtu)UX5O-7&Ei z9$2qhCxWQdv=OMa*+{2pMgG$=pir-r@k`Q-J?d(~aR~9g#)U|J|5BwJZDv%S8;K5~ ztbB&Z^9-C~%&-Z>uV(ZdCDnGU!*TY4h$8S26Z3m}w}k*FHKR??&RmEH@9p^r4el?+3=&$p-L?7f@VS@MEfW$PB!xDJX{s*#R( zITXKOJ{`eTVV~SRt$Ck-6;nawLbqAdKT|$03aHYt9q2W`3QJW&UcIY3o-d)S=AWh~ zY7LjCiHRo=K{T(%YQ#!GSmp#>0E2KAD7rGHU{Pew?1~br%VZl@H8-M2LlJXE!$FJU z@zdCO^Y`3im`to0VyGQc7+S_2W@-*E?ylZQvvy|75<9C|2XQids_|%;)lm5uf(?6svSjQ* zRV;f?7F+46>xhk+)=FrIXxKeL^F$PDhHiCfe#3~o?SSLGZS?|4_+85?gJBT-KM-Zf zn0?Z}=h(ng-CR|}i)ht_NDTI~@BKzxs|v4XG8>*EqZ|7VpRsnZ;TaXcPR1P&)J2 zN+C&}gg*A8#n0y7i`!-ZxIS)oVITc~g||>z25RW!pfIRTfFK8_#Y_+)1eAes3j2of z!M8pab_}3YQu&A*i`6lYTBDjd^DctvUqt?{6)OatUos4c9nrdva{u68{T<4izMG9} zx``cT`Uq)V8_r8M7bKNDBm6CbimP6_Sj$CgK3;bIL0v`eU6~t@GVJBouxrxotjT6BaB`Z2C7*T-w*_ufS>-|I*03PH%ac` zN=0764;}M&?fmlRmdF*H(W4H*IoZnL`QDmkdc2!euT0{vcGe$kWtYw-O^_L5@CQlZpy9Swj@r+k^ zf=7X+GSjwAHlKQ)SecFl{dY_}2Yvl{!Zi=*Nd${rypt9z>im9 z8~k@E)q7>#5cFVUf%rm}?PvNSgzKHrau{}P;B!y%daA+TOtIFDCFpx~Z*zFuCHU5H z=D6*EX-^!<*3HeIUcrR%AMOCPrT8Zo|1kvzr~NOz34_`dAR4PSnQ0AY3l^_;~py zV4T(XUawHyIX*2Pz|~<>Ns+vQ@-nIX+0VG|a$ar0!{p$y^A@8AT()RR0q%URyc40T z32s|TT9+5je+QfRk5PTVQz4Re4bbkRbwP9!+D@mgO|JpIuc*#kX#gp=;AVB5r=D)T zuJh93HW)_V{b_g5O;~3e@wr?-8M5A(2r7u(Bgrh$Rn@MlWrhC8eBNdgDCe9?1r%WF^f;`PZ@&N@W^c*({mxG`@UdDv z{Io~~!@DVfKr<=;FEAyq>rj`2UA^9uA;|J_(86JLabr{v2r@cqSX?V5+u8z^lp}XF zc5d`DmEmpGjZIE>nrmuodw|fBRgs3aKPFzlO7Gyd^KKEgV?bBc?e#PANNMLnv8|$? 
zGYAHa`WVb^#=QFpx-(#*4>l0Oo~TTLQ-s$Cj5awqY|SZwQOc_2^bT><_)`BfEDsoV zB;hqE(_X0_N*FE2m=K@oZ`Sz(KU&7M6EU%l``c=xV94P2?4JiN0S|$FIkC=qztj9$ zZ%fw3u?sRphkYr{Fmkf8n2<*_+1ba-%7f;{LQl;<8vr4B-3SCv`hM&+-nWwDCi&xU z<&TqWPFUFT9UdT*rUx-MWYW+{uuXAx%HX->y7Y-ccB=g%yL})VNs?K>ws@1vE?4yb zbI0I#V4|AC)fa?`96w01MSN!>H}_d^ySs=Q=^v1&Uf$R;gEAY=_Z`lITVyQlV23=G zs8~6GXO5sP%F{6^kP;rPo5cJ;XRw2!k7nJ0SE)#?(B%&v%qFqSEA+3U;F7$7N#3t0 z22~&FP$ikP+PijvM^w2f=_7-pHVf1+g>j1(BDMZAXCnazf*Q*SeJ!INsgWlA6fh5H z1+%5DJ&BUhIqKCwlHgnhDWSGzRCE#7RC za9o)H=4)h>wH|q{f00U+2m|B~=|kBCfXR;q03O>X+)~LiGWq;(xD}AdRsIF|uYn4J zK_&&rfHtb|uAgfl1tB-I`|K1pP%fWYoG~JDE>3h2_q$D`;cfHB?xSWehSm&&#J?&w z5{9G(^)AN8@1CsqHo__Bcf9tLY6Wn#mSZI2er@@62hZ0tlGb~tXj`(T0=u0 z*5<)V{awT@t2Va{`RbFx;pCGYe36CM29bx+uiY!0>ccixYdj0r$So#oxH+m!O5&`P z%E_u7Xf`0GZcRRBCtM*<8)#(5KPJ}}Xpd9={m<;OlVMXp6gkAjn{`2Svp6JMaR)_Wsh53@VfqkiAbbetzi`{(+~D9vrmi1koi?_{i^_D&zXZ?ry|v7*r-e< zp88d$Tt(C?i5GPtetp~|e($7Fru7TwiwoUXVhIRzUPb9~KCLy>6fxzPg_(;(k1ose zpDk#?zFjQTW^|}2r_ACK)He3o<0t4b8MS#hbZP%@ygJ}82l=vrVA58>Z?r?h?-t38 z*IJJ~)!P7O?4R?nX=6K|`tHi7zRL{zRf#W2~0~L{%_55s@!*$atyoQe2 z>Fz?)&QRrX%{aK>j8f9h^(VXgR#&;0B*FW`@2jrrPQXiGA{7#}zL43?J0o5BdjGgv zwt#m;3usMRgW}J;ev4P?R~J6e*uyM9KHk^jy3gBTdb6m0Z+vI>;cA#hL;rbhi0jHj z#eQ=#YtvzTJjwI;S#pV~qj{3U9j%^e9Z2eTOP4JPnflMX-sbaQRj*yhX(Zcwdr(2} z(D&@jtorP_?RtFJq2t*m^r~s89cFW{m@@~-&;HS)l;|MZ>WSp2N%AiFa%=NF`Ff-N zv<*3Ro?`}##a{yHR{ z#`cGDv-8s@(k`9rc@D5bcz^u3u4uZHDZX~wly7CIy6kn9a|dA(u055(G;3ZD+MqRO zQ&UazdtcIVeb!?oU*6qsPicEOzF#|NayB2iU2bpC2-Gk0Zf_gT&ogdp!=l)b)jO;!k9+TxVs9$Z@-RN|ITm0TsGj_`tkCh2nv6uqK?17gr zg-R7pz-;s2OFA5I2$)-oO5^nr2u`K^9h~9-aDk@$`12`s)PY^PT|dZ_DK!5&?>t-< z4T|&q?=A>-EvR$^m?k?9Z6x3rVS2?k6k~J9EGA-0NDiEAT*#sg3TPa}Nvtxbh-odL z)T1O#BOW&94D+tN@hjAt$RI@peIOE$(0+WdwE;Q7A*%qTaw zq>?{qM$F}LEQL=egu8FzG_$q~EYhU@S<5UH5@J|?3(7}6+o90hrYG7)$+_~_`A-u~ z8db=x)z%imtjtvz4=`(C`eYb1s$)Iz{_@7*^#wzZ9?%-WnZl50I<<-6 zXquiYl8Kf_p_Lb@O zeKXT2$>G1yQWg!eCYNYw(GdSBpCP#TAj)r#732mf#S)o@E~H1hd_u}H!7ZoKGs?a! zmGV$B-lWtm+uYePbA89p?QhM)jg!k`rpP!iPPMrdAlHq<{+hIWGRKiL=I+#BQrs`? 
zoq^(M&D@~F6HzituuW5H1$VGUL!K&gQuTQ|G++*kRAV$*q;r+SJe2PzKwYohO)nBA zU%4QTE?Qr%Xb)q}O(MP*!XmxI8;t_Jc=b0wft_j*#h(ayTr0>?*$hn%{l`W%`#@RW zU&_ovsZQ+N-&E(G2r$x6i`Bb8FVfY@pJsGs0R-^SR9|pWhx~C1w9(O%d678*Y7`INM_Mtl- zd#K+Fj`DdX7!vbMQ&kVi^P5fr77!3yW6lu$l<76Sno>|ubCQo=$&e&AMq;|t%VoIj0*T|?njZqIbbheT1%N6l@is8s((Wqg5O zf%ywJZ_vIbwfMe& zIgL&41=@oF-1c?A+Sx1POFsx~?;Lb?wbG`V3G*_x zB%#U=JT>hTA+jt4!C63LOg8xC;y<_xdBFl70u-4ta>CHnV8M}CPg}KGXXVDf4Po_v zhu)^a$yXJqYA7aZ{<5%Bf>P59tDt2pSVrj+s^a~#NG0AVUw3&tEexqqW>T3pF6SRg zc723bj60tm=c2S3BD`hN{oyTjq$Ssgp=xzXm=01jDTCT#%2q)jItQ~B0}iHoMNc#d zyJEinCB-5?nMUwk4JYUa?n255yE0@-(Cv&1{bvMyJfcQ*VYzkfYR{Z$QOccjqv|?7 zQVD+uT%d@MWui+L+?w6D5z{v%9wh{9WOHtMv-3t4!KS@a3w`AD+6egvT_y6eEL?L< zR>SvzgTxDo($v&gxUF+Ge|cAUo&Yf&J2eIt4-rf2-vN=bhgG`B`h1fvd-SMA}s?jXRp6X9Bxt9b5f`mU&L}(ju1Gpu6_!NA7yda8ePeBGwNwQZA5fAtNmO#NCmuuBx*bvIzFuF7&zX-hV94RPopjm zhQzzMD{9NV#}C}^t35wruI+x$9W5q&60CeXy+p$cDhgpt<=3Fg)?Zb@mz6}W<q0(4 zvtG|c4~rK3b)!qwwqWhct!#_y7T5gb=hDWr``IV@{?Osy!rC%>8{FzJJe+qQ zhym2P4>xtc%;@TB?N`bsZ{1+wZM%8g^~^!g2>|q*JcgXxE8mXH>!SNRt0HG~Nm)Gyc?<-x4<@z039XpG7SqGfeppUlmW)Isph;0M#>|)mI4%*e^ zQidy&oANZmz$H@mV_z|d;KM1wXTD1|m`dpRHGNs2A)$F{zZjoQR*-@Bqj&Ns`(sZb zOYm?nn;46~75g<*!)xk^iNDS5ew$N}K^wDeCmxgY=k&_K#W@jp)y86rI|oVlzJAsH z#If;+NnZ}+8ST2Vf0NNH&-0ku?e{#vhgVs*a#(#;w@|55mg{+X=)EoE;X2;gw0>ML zInDIpH5nS?X{F%%HopwsZ~Z^!s_mXvhyU!lX`j1pjMQD$8;y`6_~=!^JgxW-zgko= z&nea=IN`+K5ij}iN)3>cVR(&gVU($J*_ zR4O1y-AwjeRJqo*W9uV==0YLr6DB!U8IPs@#9EadnF@18XxH0I=r#+DAbO&WXp3TU zsvve~tHh^iEw$OzoZ@cENCXVi+2q&?TUG(#aC)xW=&t7M$_1>iCdIyRsBz7 zf#A{TFDk;kA_66n=EYky`D9Qtv3w64(s? 
z68&n+Ae3o7n}D5u+b;Svr(TrBmOqQZd`H9K)3|n>ajHK$*{o4gPr;TuQ$2Xl31dIu zu^Vd|CyAYu2#zcJQC1YyfJ8>T?bj0Bs#UatnUSb{k-AtR80vTewR^2{+EUpc};4$Uf=W(pAo zUL9y$0r=dZ%U}UVEyyhXDq)bAE7~d4pNKqa4Oj<=j0Wn)KS;jj-W;s#3^5uip_ zt~Ox%i@Wl<+yLxZOY9|d0jmk+_mU6p^mB0WIx4a~Yic62$j)Sm8lJ>cF_21-XR>}< zQOr024e%9u1*%6eSMifhnc@^7EW-Iw9Q{@`O6o(EMyaZR!Z|B?!39e`dClyUKCj{f zN<>Hi5-4oB9QGPWLm^87y{RRrJWYWXLzSj}Pc- zl)ql=XCF_HSH~;`bP&zwh8*=#55e=9)qiTJyBHdH^tqHa2 z%NGs~yGu-kNQBW@xfxPpiBx5ckaeuu6Kq*FvM7lWh``~@bBxeW$ceb2F5u-a(S2%i z<3OhsFT)s|vFOL-8Y(H7E*h)X0q<(@aRwkbqCpX_NZNqjRQ*ONWv<4AYveS1AX+{t8QD zHTJV>B}g@wxb_Ugud(inE7#E|F`LWn8W+hCwW5#5x&!BK^2==$s8mzeG8D{You$|P z!?^fANWX&u2>~2@KD2!Y8ZiRS`RqK30RyUx3Z69XDi$>)@PMB`tI;;4?dBZ=faAFW z>^FOG{=y?}A0p^FcbAVv7vPG|(kma(3mD`xf3>s)FnPbMI#q?rK?3vT_|mpYX`3uj z&F_W$@wEeNr8&JL_%M9*s@kaCF&kBgx~6TlzTE4)zOW!@>i3*Kko{Ed6nkEvs8&5l zyiae?snttmyPpiVq1`NeXcK!g5a9rHVGdndvCYxXr9kV{(HNAn8Wg2 z1N2(A@FKl$81!U!XgbQ;99dk~<>>TGPLJ@pEM7qHDiddzE(b0P_GwR4`f@uAszVh> zUb};S#ZIuMvuW7mEcw3l*$;1Iqe7?(dv3q?9tBUm?qsE`?r%M$EZTS(E@yV|ep!Ci z!}#?NoNHc~tTFX`q!QJ|cIR7xrna5+wR`+LyUA}OytO;mTUEB2$2Y3~xZUP+Ts;eY+%B4Lc$y|VcW~p= zeTT2-hOj;kjX!TzUMV1RT*I2D0y!-=KhHhn?I2s8V*zdp_E^iRJ0_y;iY`S%PjIxY zP9K#WlMW}V z*>0DagMP>OZA`N5y36B{DoTLOT~REL^H}Ed_to1)PUo?WXa3BWS<5}hN6q&ZYj4$i zr1p;boW@rQ%~H;^k9QTqndXYxW!#Z&cja-7FSujxeClyd`+fbPbWKjjiz1&I&BHR? zPMP(cw{N`)Jvad5!B^lDfbcML@{W)c@;&6s&&=caeL{tibHN7#{TuH423UBYdPLLv zR?#PS`^$v14_KK0?~s-p1RQedbU-nzGw%hp)aRk>bIv^atJ}Qh`(l957hs|rO^5UL zM(3kn65@NyQrGRQS9Aq86+eDnKd*}JRiJ&!R1u~|n?}}gGh;Z$qWn@CPyp7Glilq? 
z!>lPJkt>FbKOP)AUkad#9RJRtmLNp4N=VYWFNiANRUXZiigxpoGfLQtyORtTX8?+d z`|D|TFjXIhluWQR@?oCsc&S6mHcH6Txy4u)KQ1iQ0(U}H#2~f+(()&&6};k+qOK2k zjgqBwf7j1{0jD{Jxm>#m6>JHfq)oW9+NF>-?dRYhIBqVIN^;LlaKgfc+G|xV&EGn5a<9r~RmTz$=v7twsZnCYB=1rL2rHnw5x2_<5RI+@nvzs86GF7ExNcq0g^eIxN@bA>7*2zR zj{uXxMLtkaSqy|;*&j5w_{S1xSMYeeBVGpkA37 zy#fwsYAr@lgS(xCVb(mX+?Aqw~Cued_UN_q^qPyQ4M=W;^&sk6v}v$0381+VtA)GnbwebKg{*y3GhXqRRoMsM|DPl z=8LV@qgc)7S;2yct=9{sGYYNeQz#%nF&K?)<7gE5Q!e2cg9547B-ilqA6~F`QePev zg*fiV-Mp^>({J2FvY8+4jypR#E6S`^Lqk&AE}_=+;DP!T1I%1H-g;(5ylgmQq;f&o zYG$up0YnqorL0e=eK6?QG>Jfo$&|rk%sYk@(U^lS+0rI|`4Ljzv!x3DxJ#3m8TpB` zGK;MBE#kIP+Ae|xM_drtKy5j(leV#IPdrPmj5u@>! z3FC0W2ZRNtsabof-H5eLu~X{F6b+5|CU%yst`QG}ZCFde% zfj$Y-lroPr10|vHVY-ARIx$fMqvouhoD~}hQhq5fzFD3Y9`ad$KB)c_l}0l)JW(E( zxuv`c)qxEdZS#m#v^mQ#T&I!o(PJUmNrDCTU(9|dAhF8!uW-u;@i?92% z>}Ri#K_f0MkuJ_K0`~Gk#wsyAGONrbIo`_RCs2xXrdZAHz?Mo8`o`p+5O(s>myk>R zEt-9^;ETM7^}mNw-kWkzn2x&&Rl!YqTSob{0T7Rc@Q84-mSY5w%Nc?z)(wpEy+Ngx z;h;xDP+OFeVV0?fGf0o7`sQdUCjTG0AN}=bRT%&fM5YhE-EntgpE)=y*&W-e_<+!U zeaH~``VQj+O_`v*C1zqZhTK*Uil) zpC%1Go%Thdk*{X7O1F_IS>DFUg6x78z!}p%RJ{%y-+ucK&vk zTg990HIHvkR|~-P1W@UAP#&4(d}-~d_PKlCQPSzuZpX9P{SZi`ON9NLHBjB=v$I1k zau;Tr;=BJjv0|)i19)_x)%Lg zmyPJ{{LpRnF$P_IM0jfW*V-e7?RcMU`?-6oDU;Db?sB3|rqkU}_jnX;`#o|Ugjdm zu=`^^Q?@F0xW~)u0&5m$&C^zgw+kTMZ=%|z%WGLsv>uy5rCqy(6@BwH@CHbI1sJdR zesF#Hnq2t$FdXQP0m}Z`e=T4p`367uek%YblTDv3w#G~+0P%?ct~WkwHxnwJhHSLC z;0b{GEhhCK#6n536+W6EF#6um&CUmnUuF&3^Fff8%c+8O!$E zlB&vaY14oxh-HQ&goR((+{l!e}QdLY$YkQ=j$CRb{sY_;u2aFKIjY!wOWl$2#b zi)w*Swem~(_eijRm)7ZrnY`F@KQQD^8~onh-T{UFKd}rj!;{`f3af)8&K{I*M9kV( zDIDQsN$J_0IasepI@k$`Nq=sgwn`A`Y0QHuGX+NQ`9+!4lqta)2@MmOtK<$sbQs%^ z76f~NS6RF&(G`UT=*2T=W1vb&i(XSI>#gWU<;zWh5jPYwjW>a#VjsYPVLjzx20YDyC8X0UGoTdHnYV;0 z9Nc%0$BYV#-ok;|HX3aOk~M%Q(> z0Txv9bg=$S0p2)I0MwHT4}9MZ^!lv(>?}JBonwRezwn?m5l8O{WTpNVF1SJzRjXUX z4B&@y>1$>+a^OiDc&5ER`Pq09nrGnD&OmU8VC_kP*;&w}6om*g6{$LR}gaJfpPRU)k74U$z^9H{dQ+tzvE4(a4(E=BRuC^D*9 zL=f}5t%(7Mgr%DrJe;=z>`-ng@TwlC^loeF!#YbEkrz21Ma6h6&p*BOG)m?+dNQUe 
zN`?eZh4w_$-7F3ftMEw%;^pX0N`5G#0J5XT*>kvjIpx{QT;53*N#uD5o;=0)ivV^? zlLa0as7T7IfiI;A{_@~l77qZ}16GitbB^B#|r%MDlxaKyiTt1(@!%;X@1=j{OGq$HOy8M09ubs}^eFxR3bJ zdnM8Nwj~}C_$R=iq+rEnjtzxOlAQkq00qdvZcQ;@x8cNBcks0kfbD@%JDhsW2P#B; zi-k^B=6lU|t2*rq8AeDCEkXbdIQe#b2j7W{@xGt*oN+U1X`0sYy@TEQ zL6@^`KTVJyBmD)aXfYWz?;RXmhbo?cv_l5>pBp9xR#va zF>ES`;Wqr&z1Hm<+~u*f7ygHKhTD$yJ9CBC15fj8N|{cxv&r%8wBZuvnWww{N%6$S zZnwJx&wGiExcaUmQ`fDd#pA2{(?h`Cr zy<@vW727L`h0EOuD6_qOv^iI`?S2~A39dL&UiQ;TT`9Zw0{|S zd0SX78d24`?30dZ3)Xm&Dyn-FXtG;7I{uxq^`mY1cAh|__n)n7gD1`MRdu(1&dp!X zn`V7PIDU!FwwwOb<$4wMUA>Lho?f%w(aq{QF;+QVFN*Pc4kp1&eL1U$-7u<{N;Ey$ za&SK}^-n8fTXwrTk@Uf;p#ywt4pF^$UzRsj^Vk)@AiNJaWY%y|fB!G7e$4D#0GKoZ zS1=fW2!K-r5AS#TTkO9uS|+ruekG+L-}R)Ao|(g8-xXhpwwg=;K4Ar5rCW1pR>36i z)3j6W``}3c*s1Y;l1muLo+1NHgMN1~Y~kq<+OP>cV^|!u3TR0T9s>onN1)h)6}_qV zy!Lm9Mj9KKJLYH>D!y95)VReU7ymHIunKj^QOxq?%Ml8}Ir?_UAy3Xx99Rn;nWFAF0xS-Pj3 z{E74`%dlY{2J?#O%b%TO%qmegTTX_=y;8K{oe_uD?}CtwxoXj*d|i2XWIoPq19|8B68oErIN(jf;hfQ$WxkSY>o=jTMj`9mWmG+j>RY^_x{ z`pjR$BFAROWOvzY*qG#Ku36qtId@ZPSj_xDu8lJnzff0?2p=^XUp5d8sz9j{db+sE z-BS)(Io_9hTxZMUJ^ixE#;OkF6&8q z9&MIB!GBsBI;dBsNh^~LqRqeD zvV?iKlnBdno($ur>m=@S?$+&he?)u3+F-0P>Il}(*=XIMrsu)G$td1ec0cwXitQ-} zG|PSY&LbrX*3vJ`KvBe%owc*q9W?8ZHvJQBWSFH4H*TYESWSs;jl)sqM>SgtHG+Xv zFT*mb%VLqvxC+s!KGqUXBraAtmfEb!2-(aaWofNezO)}cW!1tdj&>P(BJ3q9Y14;t zQ0T_A1QC2j9;AM3t1N7{Mx)_OiH5l>-DmO{7V!8?GkgQ)Ch&%_XA+N;1W|AY<^)f{ zVJ*h#OAI70l&+PSOSYLW5nOp%<(_|$)C#8$@{;)%6+LSSM-sNInFwon;%}ge9In+M zj2=cZYcyQ>(B$DKvzSpH7*^B{MzS-INV#)24h^JQEZvcvw=cg9O+z&r<@Z~%7|SY` z5yxR&wg0bD)d{z}sJX_eQQvWC)uCj=G}8t5e*tg?G7$Gev6IWbAAg6*zD^|e1|fR9 z0RHj`e&T8Qdp`_2y7P+gb@YJ{MRzLLxXb;K^D)zxbqKhRGwgooGMdH6k#B!o(gp3f z(d)X;Mvd%{0@SW-dE(d=G%Q)UEPq|_PR=xSO@i@Q8Jg;jHY5M+k;MEOvzTkS5z7!Y@4CrbYk5u^p z_L)R|Z#+e}n^z#N+tzt@R$n&xblp!TW^#H00P9dITex3~JP{u$E;mzLL^E0Lr#uz7 z9hdrDFwNN7uN8(j7rJg^IVq+NyWmc>5{6AJ)0vk}LvTF+JJ$rrB8L~+_0IzpEFVL8&kC~YC6!Kcz`d~RHDS-&CFesroUMk( z3CxYA#`bxfBH;E=8Swm>(^B1jZC2i1;^1QHz(IKm=^|&mJ=VrUm4-awr2kC~p<>=z4 
z1Iz8CaG|fuRkzWe`?Z6-45aW4n7uT1N$YU<>G zbm}C)V?6~^s<5SekJ3mm`UNsP5Pw?4T-2sO@sm@z&XVJ{QpNg{y)cL|#W=bWuD!Z) zLNK~T?i5-`oOu{MH)KYJP8G(Y9|3JCTGa4x?w*7)Majz&WU+DAF*rz=(0}a? z1bUJS<*VqCK#Z6K1MOVXkA(DKjbb$?$0rkjGGJU*Qsy-NeQ1){!+>>g@fP`n$dLGGheYbt zV^aHs0chu>JM2>WvRxt(_|f`_DXWg9I1p;d1}cZHI72dx^-B@2_8iPPFYTbwbO=Ta z*DjwVrKvq3Au8}SgWo$zFcb-iR9nEp2}p?W>`KjJWmy(=jjRj|8MJ;N=JPDD3XHu@ z&T(@UIveL|d4$IrT9LP{D$2%!Fp|*n$si$J4A~b{7!*rWCAaXy^g!5#(%sXcB&~fC zIKYyPW8EaFukdhit~RA1B_dlPVS z*~^iJ(c+VxCnM5K(#+(-Sf&?py@ZCWs33v)GDTv9jZEn-Sc?vw^d(Km?J(D>oBCs13e^Y;ss71i8R%In5RKk=qCFm zM5;je1(|rtkzyhDYyVjkja9QA4wFXXYGlnUg3oJmqjTt%nuWVoFnXOzcg;fj@*y+=N=mGgR`pVDT2U~{6&l6fW5l|~6$ z?uZh{!~n4cw2C-C77uL*p>rCZ!kt(+1pVZIm0A^*hNp=+Q28yQ4eBu5weKf{1ZB=S z-&O3FDYc2hRr<$)?PsX*r3(b^8B1#k(c|dfEFew`*KHR9>6s&-c zMCRTds!j9gU_xfU&v+B&MnZO}4(EjAJiDaodyh&8j&_U$Bf1$fRw!lx2yi&ckgM8% zc*#W2Eoc7-64OC1lwX||Q|0P{p4X#c$xqa~B@toC!L_`z>d(hZGk}a(SCBF7`{ml6 z{W9;b;-}d#4by2)>$nM`9m3=giQLU2@a*(GK60;qduX3Y&w6ShQ1{ zoG>e3#U-bZL)2m%fJ;&}D8}%@_VfzlttruvLW+y_KpjZ%q`0VgeqmZ=p0Q+T2Uu@7 zv9e{!kap`YU<=>dOVm6!OoiwQXW{Q(g{wRIYt8`7$Tf+{^V;1-e39Nt0_k#CW^BL-wOSj{T7#3m<8&EbQ2e=xaGyb>~>$ZFO-qXGb z?%_QmGU=eQ@pygq-uB<#GQ4j7!%eO`9bN5y(8{9Xf?Lw8mcsSbyVF%y#X#4NrR)CC zRPFisSI_yrNcdUc1orhM)zj;|zO}eMU_(^)(sSCpjH?>&#(>uew5L*Tsw-Hr~FPqv5C_vj!Ib))2+pW^~ z=&^PW@7b89uEyo$!8FIyJ8F&hhbb0-x6L?lh|YUg=_Zctdh6z{E8DUm)Ang(rAIeW zruEz4a>!7pYoFYq&GCBm@QOhXcR}NO&eq1~R6VpacJ4ws*5g1mQioH+3!eANrhXyu zWSFhW8_J^>_g$ofyM|XJr)Q^n;>w4hV??v%S}pBi77PL#nWg&uNObK&w%cswpy6Sr z)t}>t^wxN{YI9nXE1kn~KvU~^RNvLdvgx(lc!#pvbx)$i^ln=kVY~huL{iH!`)hL_ zORMXmV`HcLOw!f1dD(!9nE$Tj3Gea-yIt7$VncReXXoqo0GF3aQTsStv&Dx@>*~&z z9RNTE^jHB10L=gd&WGfNJ3u7*&$YL=N#5hVX##*Dsp#I9w>e1~`&Rk0b;b2vK(@a^ z4-mZ~grQY-!VuGHeYaf*zQ+rd{4n2eSO{P#Q&VWqEM?M1j+Hl}9(HQUhajYR@~WQP zAi{MW$5hH>Pa-~{XdWyuEKR=VXFrn3|2x74r*z(?NBv8XTp9bm7COBwVU&tNyibXY z*qMmyN@Ku;Wktb~g-Mx$le&VRW2F>kTTQ7LWBiF*q`)s``Yt7+gv?Nm?zqsVA#-{x zofM{jwH1-s5ozH(+EDxSA%UTYQ<(H`pcdZ-H6|@P4vM>;R!Cb)T9y9$C}v~FQ5KS( 
zdR-nGff$e^nDlMrlEF-96sLLUnG*xf@f|4aJyDIqji?0hZImUci$ZadJtp-KN7uok z;xNB}=T@D*#+{N7ar(_JN5R@<&|m(39+LiI%*8P$@1Ris;gfNIcneSoG(vePEz+=@ zl=+Z2zoE41I4OtYU+6LZ=njQV?AIWi2SwQ92_Sh2NfV-SsR==7+n>HE(t&1?K7$Pl z=XzGw2NC!Og9t3*H!VgfwdHX?2BkuS3Y{>|j0}Pa;S?YiD8X?rkA7es9LXc{F>4{c zJecE*TAm2fIk7A!GwFnPSj~(zA5!_UNd|RK?6Bne{McK+F*lzo5p)jxn7_`9$y#Gj zSV<6nG$(s6nv|F1M|{#4Lwxdf!`uU|APO4O`}@n|XWr9fipMh&QXB+xqgd2Q;su#A zpiY*V9TW`fIIj$)$D4UZA*tk6VKUvq$>9&YBI!J^Z3_Pq%`8`amd+{qrN4qM3${Z9 z@5|YVHw(CC&Ft|7aG~go4C@B3KxHmmtvL?XH2jaITnCW)Lpm8#6$SI7u`a?w@)xld zWn$_CSH+yeu%x4Pi2Ux)=9RHS*EmJN%v*TNC_U1yuVQWo+MuL>twHD~O?FW76RATw zXV3z@h-MJG^$05wIm=Q%Koq+wPe5%J7lP1_*-tVrz<<79vdG(k!QNz0iVXE5)R{=g z7E32qD=ZI?R0kh>5hpBZ;pu@hc1BI0Pl6pjW`ER<{h58Xk{FB4PcsAuSpv=df~k_p z#!Zn-RvF4fB&T`iD9EHl9H>2Qw^rRvmO?MSO;C)DP-hP;6W59?+GxMl9oy?8CH##<-fRZMqwwX~xo8x7`d}dNV_v-FXc4OKIHn zx69(C@8l(UV%l{{(Aws1&zI=jAU1&GYh=^~Z7~Fd*K#0N7UsTp()a>IIGL>Sj66OH z)tidsynQpdP0z}7NuMwKycpRh$vQgsx5j87{dI=40v>+*xD3UwbLC!I+Vj?hL#J9Z zqjHak8#E`5e6NY+wn`g4AYix%lu|B>D8zD$_cCyO1!%nEf?r_oDO>>okeJHQ-Z7c( zi4_qnW0>Cg47e)kq!A`wM5>Z$N_=LhoXONvnKFNF8X<{oCep+~3MAkF)+rQlk>JPu(TZw z$jt}g>-6NpE|nzftv8FN$SEC%#@Ppdi^E1yP|Bh-Uq4?2Y%lzR+PnWohZ7ea&Fmk1 z4)&R$fn23Vn=+XDF97oVY0Q3oFFoL42bjzNy2I|E01Rkrw#jFyH++!rM4&*TU!p7f#pK)IRc2W!(0Tqmy@X0D@iLU;Gt zJza2sQJO!DqF$cU&OOh>DzZkayK$$xH{SIhkCyGz7aqr+siSU~?#6BJqrdNDj{U*m zsN}zP{gVM1?$4*^8=1}%`PovF`ro^t@D~%w~mueZhKY+Vy zk|&N(Z2OO^51-nlnHsgDpU`u>PI}+3z!psF+8M=-O&8M+!{(bKQRbX4wbP%=H;@rTZ270HC`AOg!Vkz7+x{pZ}xE z^z8FBX4^34+ygz;RR4tFtWg`8^ni=oxV~e2LA>)F@Kv*-{rOFrVPR;#cki3~GtD(u zdMfje;l}+jSd%s9;Q}KDj<@DAv1UobEO=;CvWnYS1n_cQUHJTLl52U26%^a9paxQcNQRmhLbW)cZTZ!AG6R}sgQA7j#J=k0aM zf;CFMWveNK^Nx!Ml>A~>YZ!hp>1HI+=Ug{&OfO!<36O{1^JkfRkhtjhc|LKz91$AXPY2`e4Xs~ex5&KDU`z`328nH;dF!qj&Cd(2UNsj{D4 zhth+coXs4|iZj?L70&@#?w(9$DjQP0pggZYrp-Ec_7|w5K~HY9Ti_rB_U28V1Yb7E zNbXLwf*becV+M_E8f+%?GshR%0q_^)I{cyy>vV!Jl`>97Ky`~TQ?QuUI(~bYeum(@ zT(T3}A`;X=9>XSrrVh>4ZRtNt4}Q$3d}2Wev3b1<(t*bk9E0QU7a?*3V$mVgR$Wrh 
zg>)S2NV*|^&OGpecvCl~o}{rzX0TR^0g;brFAwhE-p$EtTUbe60%o-imB{SIojus$ z2)RhJC3-C+=%X^Ri8BR(2e%edWWwGguJ$O&pU3yf7t0;Q^=Zr!)T$_^?3i4u(%>Jm zzzn687UQ4EmCNVBm&wvN2{{zaejR4XaOmD!qA*=x8VpH>z$NC1*O8V)*f%ZgLMv1x zknAEo<|Q`KvoQ>DRElSEGTypEJxl0)1Mt056L!3?2TGK*k^)6=);|_ zOh~X_AJbTq>O2RMCz3d=*qt}8glXd`iU`SDLh(oh12vytXwROF)Rl>^)gyYQL)Pp8 z_YJ#4COmWz3P%NMRLOo=<)p$q=dxWNlLl28kLXDR`Fl`hFBx>hJn` zEMe2(K*n>>8QMYh+BIZaDc}Q?WHsHVL9m6HCO5F1AI;Arwva*$dkIhiKuB3!lf3{e ze69L2?oZ-8xPO&&=CWen#zqW$In$fgQ!9)K#fQNbmXD2mIVd}5>q!)A(>OV(@Qye( z>$^l7BrPlF%+F@=J?m>S!k`Vys~5>rEcBO7qP$(pjY6h_5)mf=F;b*9VcOgLjkt$BIo=S|E6>xCb^u;!esZ3WO+(50%A}-KS^$>(!f+Q zg?%vIqnp}ZdkSa6ejS}HjuiwYeAn57qT-Om%9qe2bnWjyS}eB~#_~zV8S01s!Y3Il z>_AV(H`4}S4+bOWG3UwWCFcD{c5cU~@yiu|XL?2WX8Tz?{fYXbJp~Fv`u&XY4!G=? zgSzN;z45W#T=BeYErJI;+(~Np%s8A7ujdV^sj06W?6#3*e_p}4l-snfW7OE7(%Blj zP*y)(ar}`@;nX|mdL0u+@UeUI^!d05f;^tR*i-A+WNZZxxA9c9gY8lFFzbFCG6QaV>2ZIU)}`$=P^^2OU) zPzT2C;~ej-D%Q}0kMO#+Npjug*!f9;MeP{YdAL>beVDe_GM|0E$@UWJo7DE{IaeO4 z^>$7=VdZ<(;JfV|Kg2oIcSI$|X5+o)sCwx(kMLc4)$=2BT{f?{#{ToXTUyzXn*NCH znuIWAtNG_Ru%vm}a};m8^Xm8YUcJNxGxFeZez?0$@@MBG3n%&PC^gIJjU`m)0pfPI z;dnr`x-PS00;WTI;ceN+mAg%*^MjSlnyd5DAC7K2cHQXBGveaJg?XgoE4TY?qU7Xy ziKB>#H70B!4o94Gq?*zLj`k{KOJc{%wHNFg{>jjCzc^cO6+krpv0($AsUq) zoU_E|UU+491s2Wzrz|@|1H37L6Uj2AV=6R!RY&Y1_KFJ(Kq9rulaAJT;dYDkOPF&) z&X7(hu8Y@E8AU3F8mu4{C}<;s9I-NFa@B$iU(k7^D4AnRSP8H$AxUiLMO5uXs@k)a z3;n;vB+B}eDnL^tEGa}pyawtb!nD&6Z(9{{M54=g6A*Qp<#?_o7pzESE|O$d|5{&0 zF@*q^9<;7lg)5BD1z=)LOnCrZtG`3WZ=NmwLQ!=9SHQgzuP$w_ZLL5ZaG;tq;8Li zh=y@SY@Fbhi{^h1iBYWPVkCVfa2iXrb=fq4oXSX80l|Tbwj#jIQ>YkXkh*U&eFhJX z2m-e;9TZ?N-TZ5!vR6PHR$1q93|l6?(KIH#RW*V<7%?)~Nj!>FzbZYFCOfr(yI6@! 
zjAyikrV}G|jB-}E^1XMkZ9mueWFwwa{O({w--T|-h^ZLI$y|Xju@wU@Af&e` zW59gh=ujSs>gST3fo5Koa{~)O&t6W-vlBJ&bNO|5_6HmSC_C%pE=3wlLv&36>S_N& zzJDUtG6NNKt6SBlWX8MgaGLS5fH%0wfWgWjJ8N)8h0t?D#KE$ zUOaIeD$khq8w|QCo|lJR{BYs8p)Q?UeZr{@u3aCLAm>A#Ptm?ic5+vvOy|rf0`(q$ zFrk>t#L%(955f>3s-FOcYZ9J2kSTfpiTx3?$U!q{cprJ%;g1*QZ2^SAcz^+6sOa2g z;}27tp*@zx&E#gOORIiKh!74tlPj40*%$Gi1rB0`XDJ4;LD$4LiVl@-WWfh!TOtiD zwUje1RKj{M*2Y>DuG1cZ$Uup=Rtn8Fupcb`!tE{BC?a6(U+#5+WEYn8Adl}gNweRN zNGCh2FLj2>w`e-^kSI*TRq*f6N)r~9B z6d{VJu}(JJUK0jasn{Z|bbnw04TadaM5Lin4Y|vs02b=*pJjHYrD??s*TJ<5vhDDy zG19vr9q+VRn{S2_fjxpl)ig6^-iGl^q)ES|5e@826= z(RkDDSDi<)+iv|?RR3HrA2bvB6l9POE^OBhyIXA2K8D|KQnHWO)-OMsbUoa>pSO8j zw;qfC-0(T|eCzL7OLC)L+uvZN(ztvokRAKdUE5zsNCkp3U0_h<*r%s*ndq2)81waZ zsp=xSct2HrxNbZKQr&zlyYyLFsy45Fg!?}auzjQVer&%4KG9CeEpHZ#MYgL}-`>`ZiuT{x~?+_Lhbaz7}R!wcoCXZgK?CGjAM5t4y)7$oNY^Aq*6;`GyEif z7N>pam`7U=mb84+zs+`gWm7$C*aUj}x>?Kbm`5+o5VnaQbo2eAKS?jiQJ?NPd6`pp zy=*_xnYd~loJsxoy5GnivJ)u;%Hm&h~{9oF=G#cD`?l2`{h0)dTCnbIuT+0;C>aPl2?$<;MPu+50Pq2>pP~aMI-zy!$t6s-ef_Tp z^>W`#lfU)XV%YuV$IwVo222DYkkN7egpVhkr62iMgl@N*qm@+g3&L=qF96SxV8}6~ zmn$4$mXE+|6A8-k#2{GBR>GD4QYYi=X02?ZFjS%}T(ue)MPU9&~VCQR~Ezp+Xa?x7vl|7@*+G1jR}ng;d{J4%QczdHbQ^m)g6{} zkTt3kK|n>qV41AcLjj*pTSL)=jU)GnljhW_-!;4e3r>m<`&F#JUP&l1XS1hAWp0Oj z9c7`eSrbo zZ4d;5@6SS9CvuLW60mBJ6D~X8KYv*AtpJAKKyo5jG0oz4-gqmULlEv94MP`>E^h== z2IZ|GMwO?A8-yP;HZop(*h*qmG3ZLhgY)wtGjosGVhAT6CPJsmZJzz-wqz#d8HDqZ ztwVP`n6!zr-*g;w6K_<3d#!e?yzexMVRi z85G6ea*hlxIOsqmiYcr0y2f-1()A$VFK9@!C^c$PJs)K0ilS+9uDQR>+Y)e0Wl6Cj zgT#MU>Ifm9GKUBi>lI0d_COMqGxBmWpy;)MZW(6T5V;f?=BHd#9Njx3eBc2TG^GI6 zy&t-Tz8^*9BkBAu$;OhPW%_=9oB2z_g7@+BS-tVCd0^tfYBepV`dteJ^}57Us!)!W z_Kk@Z6?5r?_G&+k zFosqQ$LF%hMMQrr1d>#QNeJ4H@-uRNXt)S!&&G!c<{b*4H>RWUBogGj@a~w8v#Wx`PF3Xv$zWNh9vJ?JZ29^db>dcD)&s+!&bHjKA!X}mCtljIJsv*FjIqe znFfKX@x}|E9c<$blB{Q>UQ}txb5VnKCUaN*^?o;qsYjOPB0rUwQ9X1nXb~i3mx;B; zG-yfaq|j4X73!NWU09Ld+37B+}rs)5~xQ7m_() zR26{Y%X7P=EDVUefoGo2XzBf;%xiS!vgetD6_XGja4C&$1-3HulJht2ijzBM%Sue@ 
z%+MnL3*EyY1Ec@(UOfZ8|Kq(H**w?Yop`~66`=s`vqS$r`4;?+2H@*<1N6xMqA-ic z5AyxgC*pqI)qfN&>s*{P-i#VO{YG8@R|nyA5~x36$QAq ztAKPVNT+lw-2+HScb9Z`=O8Hz-QC^NFm%Jv-QC>{bJ*{B_gd$CeEz_5t@}zQvsI$D z+fhh{fLgv<8}w4YwIx9(VQuZcJ>ZSfM;d4X#!6DHdO8c@(!1OjgK7)aKKO>R39U%3(e|B8y&s`~(OoX|&^mmOOS*jAVeg=3W+$ zQ)}L9K60X#%~rE7)|)Ofee^tz7E#6p?|K0g^QdwuR^ zlIwHP)`*&t#5?w8znic;_4%MF&Ak?(vu4bygdmh8XaI9O)ES?dxc}31B19I%K)Lck z64qtXN`40k8i06|;ffON}pKpFP{d9L?2}TASq6Xk5jjF}qE9!?<@= z1^q-^942It$ce~pY)s1-_m1&0NyX(lzfr^-3Aq<7BGnfDINF9KWk-;c`5~592v4V3 z8uiDO*3veMem_>uX^+_kyH0PIhGIHX4!M>3+Fy;WFFptyyF#pV`%MIoEM~q;753)q zQ0d12sj-vz5{K1-g&bLflBcEx1tNx@Am%t2hxf`Ux;eIo7yGT5XVHIuWJ;Ci#yLVb zwQijK9&{c7_$U|JQpjN^@tP3TPd4<47esiGBB^j76$pIUdl!g3%<6TXFS%ryLFpoK zlob*OB|9S804$jSjJl9Nr|D>`FPs>z6t9Jxvdc8}PN^0HL=M1p0io5t=cVl?nCYeO zNnu8ZyhfrGD0Wh}WUAa1QYd7LO3_&N`BCCz`YF=n#fJ;>5~K-$?uVHg_(N+C*sXFy zmB#`Y2c-l^VQNZa@=kTyzZcKvx=PZ8X{J^zJPL{>;gfQ;m_}X~R+8^DkqmbV)LUZO zEOgb-1&h)D#z>Z;gOEWo19_ z`q!}?6lonq!w^teiI9==vx-(5$68>d{L1P9K75k+vpw=oIM?guK&BV-I-z%2L-P|r z9Mk{!uqJ|#YVB6Gv4un2XGN#yZE zma?;vTAXK540MuKMQJ*G5*d=@Y+W6r?E%1MW5vd$B&Y#r4QfpH9HiH%lqYDS zAyr>%14QP!lKBx;APMA@?+jL4uF|lx$Q$5pjPJsyW(jKjT?RiFwU2@CmunmuqU1EY zWE#88G$&K7%~YLaD!c4boq_x&B$`h7ypYQYRCpgLBd^x@q8qNn%{t_;Z@9Rk&iXf(EX6Ti%11bH>H{Zaf z3rFK3{!s53myW)uXzZM4xb4+z)E9C-?s0<`KD~X~U==b4lbdiN{A2t;rI2^T#b3*znL{2JcYiW)+p{Aeyjg zY6*yCu;Rx1jC#d)X<_S=ubxT-Y=y?M>`fU}ldMd?h>&Gd{zfCnaM+?@^+NZ(*)7!gX$8G#cK+$#eOXY>EoaAmzJy*z;}l;S%hPRtt+&g?k;_2dKwB-v z+r#_N)b$3%exclh*>x5=u>N%r$LzGamxs^fo*byuY~MTvUgVpXMO!D@C0%|Vy|O$P z93Edjm6tZ4(Q!Dacn3ipt8?&~Dk&|K+sU5Ooeg8%ZdD_698HTbHEmSe zx(a3dAqQx5HL<1bx1TewcNHgT zU9ug6e2*DYUL&=5_|9>kGa9Fb@6(f7Yt34_#=KhN$=BL%y9vjV&jinh!RPvCb49iS zuZeC|fYVOEN#mLJeY)dt{YvWa&@HUGz-ejMN5IMnZik1>=;)fL9Q5n)={f(!pq)Jb z$pwu*x5K#$^IH$fKxKe6c>fl{@7!2BGRnmgYaMF4VbRJ#b*>0!aME<^*o$Rhu9( z{`iQ|F7z@$nlne11o@$&xczgg{wE{aj7np|^!M(Nt5S3MqFkP-c;NzGxoc%(GM7}z z3W@8)G#IaXxk9CYYHO+iukxKSF5whXV-={1UAf(X>4#RVGzPjUy 
z;nl2gd55CI{)Ppl3?5pLza^<^H7Gh&eAk(xg4$gV#GD;gy&*DHn)RV2`v94!7DffA%p*YN^WW@=!jKjwT4NlwP&!2V)E;L> z;0%q=xOMn3)({=qW%{uSm{*Pd*7ML%+3bcjhC;Fe2uUIZE5p4+ zo@rD9+fNSNsw9FqcGcn@f4;|o%|s(LX|$G&-J)IQDT8(I7g-8+dGRg z`$xECF1GL&g~hHj6O}qc1PsH^#c&vc<}kacLJRI$SfR-6+-!5Fuc?(gqcbv*U~Bf> zFKw#P$_eIQxTrtRm!WWre9>CHbdFB~5wC}(B{=%032|9r^Loa+y8rt_Q|~yRLT0HH zvK9G#YdM-piV7gKS&gV&XrbMWYbtHh@}VN!F#W)*L^v|c%hZ=!=7*`1 z(z&ugGu_n8pzI7MjS^GCmq?C}F?5_(qhn-$*HLN(n$XyHybth<5@@f;dwAnw*1ku4 zmrjG{FgFrSxvz~4Bs906wfy6MACulMLaaYB{U`b7U-aldC|E}3en+_KP+7U>>qiW1 zXxo!rId_U=;*x=tVq@q9EEV4KXZr1C)a>JaKZAEFPB$ZXfpU~PdY2$I@>V;Bh=xEf z9?aCPIS4T?Q_0LwWv}252cagPO-Z^oOuDt0qtgEg>Glc5e4l-Y5~jvWTRr0LDqk$1 z{HZ#Lm?PTrC#|V+EJehy7Lk*(*S1jr<~za(cIqSL?$B8F%;+;dE91Q>f;VrHaxFRT zv&T$$YJk*&sw2ms=!V>v96d#=Ic*B#c$j!aNh1W4`Wa@ViWS9m^834p!jI5!(z1)M=9nZ3IIP{aJ=XM_5)yapUYpDk0=NdHZ^6-I?Qf*kMY}X0=ymPaYgA) zlMho&0dv|_M|?g$k0B?fkDJ6txVFdTB?g@&9X1IO5s|v39vkB8BrPe#$Q?5{p^g}C z%&k|daMfo{+C|ABy3WCmmAA@vpdf!@H9_Z`H0X`SV_*{L!(=ldbi-Hsz*cWLp65}r z%TKOlCu-Zf0Knlpe{jXsE z^^?Zs5TCr)r}vY1*C1=bf_UGbfq@~z=}AO0RN$t-rtekV=d}>^>3RJJ__TdLmc`Ak z=|_{pE^!j~W~r%r_h(CPOHg+nd;OBr)I+Oe&ubtv1-lcJR?8j3~;t|&eT3BN3$+ULP$q-zNwNpg^Q~mi8b%w8PgZZ z!&h3wiWC<1jc8DKDShgsR>0hN$u47Gb#%cCzplm!B6`Q+yr2zw?E+9StunD9R$tBm z4W>W>vMhi~z00#r3ju~?EE%3I?eJt~%Fy^b7@ldpT=h78KB6qZl^wsiUd{rh#`kl; zh9g)K@w3+56MiG6jA(XR#H6*5fb z(*YJse#C$;j+3Im&%^I-@u)-CFJvTGUt&qG{Xm98QWCexG26oeQih+oN~`UNbiG)t z4w}w|l}Bot!!t$>Fy-1lGz!M@gP$pKs{5p7Y53_VkyZe8RFpUg!Xcs9Y6+1rtyMu5 zs-7#Jj)^BPP$4_Owo&w)Fm$x=BhL^XEjX%J`(Wpqi=K?IOuaSdUL5{!_C1o2`}E7g zICxQwC8|uMJ=81}F@$t6B7tgVSM0&Q{bc+*vW3>5PUc=(zVvyc0j<7>rkDz6A^+4RM~Lfl{et{1?=GD- zv2klO6N9s8xaP3wKt%UU7xHg{KQM#B*-`|U*{13&j@Ilm(o!6gFEZ_Wb-dylnay0a zF`QTf*W97=+9LmgIbb3P90V2`q`h%v5-w1MLR`2H3Uc68=pc$KowBMHv9kt9alvu9 zianN$8uGgcS9LLYO`elq9;Nc+>YOx!#cEQR74{2Z3zcDSY3JvPO6Ll`%t*f5!pyCe zJh|{6cj@|`=oXj?cUbZ337y=*{gTl=zm~)e&t|Z)mmfb0g$gkm)}lrt z!sKjwOi3y2GUi&S;S)}?>oWRH?7bw@VumS(i>ajiX zip;Ipq>UtyTrI7bPUlY)8@onaKF(U%9YR25S{=dnb$oGnKkdT_CRxw#jI)8|eP&9E 
zEQ;Rx1}61tgvy9>r1ux%xoimNn-e?z6s<=w!~t z-XS9OGOD7CRL;ru3KX$xj8;9es=EHc!J;(ohSh)8>r^Qev0AB^0LS z)3XrZYrkE3RmE+vDu7!2OYW zWQw3;dG%$AJd^j{_PDLraTPrVarF;KkM(?wjLiQs(PuJInfAKUPO@6|aiN z-W%*OGzh5Xm-I~da{Zao?6SU_Y91e(MDO}>>EPhit+};rPUJAl8@QVET(nv}`3gEw z@w%R0UUMA4BD{USjOlKxRQ27jch;d->GQzL)cZ3p^;0daGrxq)Rp>1T%i@(`z$!hW z=U_CY6F|dbyI(UYv!jaxH>*v;BWU-o*{cfRbA3vBQVUnV7SrH8JG|faymL(RYJGU_ zea&*ud^akM?rwEaL2RdY>1tC zd>``aTit)3`L<*;z}UPC3ORQg5hH}|9|wU-lh*Gp@^Wza!Mk>@I!{x|=p-JKN&}>< zvbu=qMR^j(6c*~5ty>}U#7|fY?q=I*^A+XZm-ra`MpYXr+X%M$uWMo%OJP?6(7;=O zJ`_6iuuobH4URn^faA!iG&!285A|yr?Uybw>+&a?ROS^wGm526@jP{z0 zrLM>4(ACZ%ylEchJ<3zT3!bFmOh#SHwn6*a1@U++rp{Tx8=U3 zPM)~M1wK|3;P*Q%kG(KXXFAInsenb?W<&9m*Yp0SRiob~oUb30an|o$-;!#3-WqH3 zSg(!n#Q?AE+Z3e)Nrz$LWfb$V$>Y3--{fT^`~*kB>g95GrKV+grD;eTYAe-5t~6r_wio=qx5F)(OzN!g3wD zb+sps1_n3+W+>?>`8mez-%~>e@Fu&)p6DtR)lt6^|D3)pjp$iqwB_tU4 zgMXAP8-sU08l}?3j{V$j**X%`{HX*V`ZY{oIP0-AC)4OVSddZt7bq^Fvpg}iEwIwP zSxVnol|xP?(@su_xFw5W{>Z{R5KT3`QtYcW*#i0Z><|%(K~tVY8)cVYSci%$cg|dc zv8F|)II3;j1Sw5q+m5TFZ22^Zd))GcsfF4|LYAB;4#5VgHPp2!$!X(nQq`OQydl&B|bR~!6GPlL1Jg-Oe zMMgISYB>d6hS)q6$d=D<%dc9ik+j$T1>CW4X0=X3H}mJV-`;mQI% z*^%L7M&8fd$;gv@MVDZ|KlHUoLd4Q#onmx7cM4Nv4$`C3yNZ<@GftcN344p;|Kvvt zzh=zL8c@0xeiD#1+Mclgz-Q5)sC{*U{F5yJZ@OaiEmQtU@*o6&U;C08 zY7s$UL^feulZEAH(gtc|I1@S>BGWMV(`X|(J0~Mf4EEJA+6+tlxQ~>*BPz70Ij$(y zw;`+Wg$S$kxX8Bc3M?o;Sp@z$+Cv}(&N;NxV#7o-&FB;Lo-kH}6&NBw*|b{#^Nl)F zJ4*+3T9*;ifOo^4fG=J6w68YYR(juedbrUy!M!8H_8d1bQwAELiQ&uy2nhZJg}Ub@ zr=^8X=3N!Kc+W(ww!&@Q|TH*tMyAE zwzEGYKBMLrhSLSjV9VT)7uEv;n#LV6|34C3U#kb{0g?=5d$wVIyZ2ZKxdz&vre9sN z2)|*-#vleyP~L_<0^nY_9sv)yXnsny6iiZMm4SZ$l0+%NS>(I?8PEVil#w_qnIGfUV zmdB&Pkly&Zl=Vgx_zAM!macP^*puY`_?S>hD>%V-p#Xj!Z0RQ4z+Z2BJav5x z|IWqANZh=d8<)`#bOFuxI-gh1M%3rm+-^W^ZYx%c9?*aLRL{%%YtHiqQRlZw%64ya zgv%>eV75x1M{Vg7m$6uFZUn&PX~zl=_a+i>C?itPmR`_#XOiXB7~wc<#uc!5T0ZLQ z`=Hg&Gn?l62O>@SLg-P(cbVjSB$NVleUtZnWvdvGtnxjUfJ_I8ab@Fbm0a~;UA=Ne z@;pUGBn(t8T1%)8%r{A{J4Hn_^6%vM$OA85K>g!q-nX;h(>lGSSSyB2hH|tjX}#+U 
z?P&zktn`+d9Q~e-`{gmL@r=g($|E=WvW|aTuDTaTU(`J$Dx9p{Lb`1kvTo4D)Q(~CUU<>Q8dOrX{4 z&kmPoj;ildVdraY;=Af`gpoQ8_Db&KOGy>?FCJZ-AumrY)6sUgl`Go|70aMDpKE0a zjVdDh^|+>#{)?_)^<31e-layf6RQ**xY%s}pj%WiN zhJooXu=s{*->yw$Cp~|Y&yuKy$kN$<(&#Ur+5N0cy!3s$JBJDFQLl1dK{E381I4n; ztT+3`ORph8LU;;snjVw>KfbNb1j3l8LN?*D$r#CkI6F4%g^(sPJcQUay6WT#7^5^9 zE@jP3GV;iPRJ<1i$99(2hR?$xz z;02uF6`Q({9C6&_Bcgk)IA{Nvnql!0$ARPq!Nie_uP6!F1d8hZERe%vcgL-<0rQ?c z#<8bc!01x`=rs-Ls<-82y3^3g;P$OQSPJg*xX9;X&K>nFl2IYESBYzx6oqIDm+I~w zFk2kweTkNA#2S!UPGq=yo^H|1^uMy_^jZuY);t@GSvtgFmvNI}BasmgsKGVioB4ot zZK`&pdW-lwgo>fxOA)hx;1^N%VoQozsY$M6SAvd=e40te@&z@V#&x_-l!KBo+mPy( zw^)Xdk9xpIEJuOWKpBp`CzZi?>+sLesAp(6VY=*S5MsyhBLJml_5}l~iJ8*(H;fxk zB7)yy>H}XKLI!%djAA5yMuMe6AuK#5sE|P;kNe2rW2_N!x$%KX+evpp`>c77caGo& z@++Ra#fK@hZ8ByREIT3`;&vqyEK@wQrlX0iL0-`r*w#curB7v)?E7*EXrT`DTC-}Y z@CEhJtYoN8dY-NrHS9qgSJjpEHuZ6+0rs4}bP8CAR#YvloKFrN5!KtC8g;>kOA7<1 z)g~yGU#q($B?nFVLII&Pakh=dH^GnSKiO^_<~c`OXef-*RBKJXqJHb^OKA^7`c8u# z!>(xo`a~wqmQ#lPvpzG>#5n%5eHG%eOaY=L9h16M+!9;?HTx0!gi;&C;u90vk8OiR zdt#iCuhc>k4X}Ln9B-gw=(YOoI!-Zk{KF0s?(g7NB=M^=^IR`Aoe zWa7$%1%}g^r+_)K@JR;=IZyiz?Z1pFySt`*Q6E*=KE8Te=3dDPu>EGN+>=x-PJ?*V zBH5xUqbByT<$othrX|FP&oTOAi((;ZQe-Qlrv~%X9GVm1!LHmOp%{b$=KWEkPHgbo ztj>a7qCSinHkh7be^Bk~S)Hnz9XW zdNGTHj$CE|g?o^8AVWZ<|1#rm-t$i^@4q~a*aVz-F5KPFD-dz#ogDvVX-XT4nKc5u ztGSxJpZGZpfDP3jz|_@=aNp>fP8~qS0NXxerCF^%g1g%W)~*B|sdtX~vdSx4X?<5L zy^NC(*0dU(9$Cxy-L1AS)Dyv~6b+Z1Hz?pX?)Kxl+se}_uPHd(szq)m+1n_6^(eB) z_Hzk+@X6Gv{>vuu{7LIf-f|(dbt(Z=dCS@{Y&^?$v3j?u{>pYSTJVB4ri(0N6PlIv4%1c(=W25pe*3R!K;W!bz*Yjr3J`L4a~ss>s(1PY zwIK`3++*PI3!0_uarLBfP=?*wS=y=o+WP{e*Y)GoXvmrSKyE~W*1U)NT@&A(yTdy~ zqPy?j_G=RxT)*1#8+S;YbHDHw-Hq=7CXUTp&5ydC63R}TPi=O=1dSEM=Z=$`UN5_I zgq6!%;iqG`4FKoqx8rqc7D0ROE!q2C3=BDze+a~n{q+M(uJ>ALsPpA3(1VtF82vJ$ z>fJjQj3^KDzFqm%8$F)Nv-ZtC8hxknuN@g~D%;8WfQjdA0x%p`tD`ZBhuPxxeETu+ zYa5m)jgI38pWC|AYJ=VN>bFiZyy$kz(J_nT#Mr)I7`qh!)ToU^_$CmA18;8}(ezN-ypu$muO)1q;TT$V4@(OW(@P`oi_4BFZ|2UNlu|^GWoRcTw z4K$n?va+7Bv{>~Nm0=(0{Edd7jF*EUOxt57O|_~95%m8!?V1~0-;zfrCM{y@A5TNV 
z;^Oi3OKMQMuG-{qAPhz9Rg9u+e}B!=rKt6uHLr4E#e@mjtOV~b{3-HcUP1>s>?>p$ zPDSZ?tGbErvy@8xwrP~ke-LU7*tgPJDIGS+vWCNHKaGFT?M=q<4E-I*gFy<>*tIY?wlS)FD=^$1LqGzAMh?LIY|tnm53ia%qgR( zrsLpRmj4~0BDnCHN;=;DJ5A0{$npuzR%dI`rSCc{j15CXNcN?Ei<5&jRK*vMa0W64 ziHJ+~7c6xeJDL1p?i?Q63#aT}z0|1fr9GaaN-N9JOv_RWRQR0QI*}!S5c>1mPv@{G z0{EOu@41m2V{JTx3cYz3+G-(cI-sxW`!`QN*FuqV z;xgpCG^PsT1>KjcrByVPeqzXF-7d`JnAS?e-&kzXot?%bqSKQ&_1DFU`%tzZU0T_7 zNFov*cKdBphBu2`6md+xis;n^N{X7l*{}2W0`@%|diyXAW5Ypuku~H$crr-rQtBgb z?k9tEFe=xl@x!A2+F@SED|vbRkL^F%Ptjz;w0U=7YG5O;(BF`>-sBEF1DVCgQ?7V=)!KU@A@_=3*S# z{I^pBuez*BYUq19i_{f2qs#W6XgXtVEm4?uEy~<@y#rPEsHwpBiIw{hD!Rb_a8^mH z!puW2rfe!RgV+e8X6zzjW!ZOAnTmSbM9j6jBIB$;-cE_Xj)Unl5%7(bO9Ff$TZ+n9g`3qwwbXQEJUPu5tF0g%CUe(dpN|l23#%C< zUHr%$qOd_*I2pw9#BcOJY$&Itz@O{50SNxDi`N;YGHI*%7TOtgxW@5F@lgp5^eBho zf4-$r$swfavctnA%Z$URb%SxvKH2l}A>SxcDX!8gcv6QgmV`%Fs(o+AR}QX-N;UXC zHf68HZX<7Wgd_wKNN0A9Zz3(a*8O#u(=w4if>_wHF@m3IbC8^ui0SaRC7)$(m6C5x z7yYvTGeh06^M?y!WAnNQ3qKhP*JO}G@R%%bALeNT+W6UL58_fYF*!7LCHzSW3euqB zSl845YB|N-76jUF*4S**g~k3@Yb3jU54AgHW8~>Pfovi6dzfQH-6=o0p{c=G2k*M{ z$Sm+#=j7*0QT^~`8S!J^HR+cW;)7rQqMP!2fP?i5(k;+FfHHUzF{r5c-2^75xBWyY zA9Vlt^t2)AmL9$Ol;{FMkO_AQr{Us12>+?vHMR_>)qB2D&bn0tgBQJi_XN0V+N}o6 zUyW&*-{5*gs51jDt)yQbH`5~JNj$a+^ogB1mDb&j17^8ea()PyLL1dxW>39ciV9d( z1)Uy=^{rkm3yh-Z&ae74w@8`2ZumOA+MP#j(0wj^wcB2|hRo7m)+m6yZ>O@a`uf-V z*VO8!oNdNs8O-{xtJl!#sVKQ+f)1y~Idlx&mzVA+osPNwqp#O;t7g{#>)Np@bf5EK zs?68N+RL*S*(GHb=n>;qMbhYi8+6tsZ+n&@YJDf--dD@ZK8Njm<)Seua2dFb(5QO> zLaTb2m75qFb$Ro?z8u$yd2zhWYOB7RZdk5Ez0x{(SF3%w`A-yF>W)^qY@t8B$CoFd z{5AQGZ0YXc73Z}JyiRytOUo&*bJ;$M-g44X%jJH%d4lv@4tcku zW%%J%mNEM-PC`yEpPoP~JiNOFRCa?I@k7MGhe?|CyH~7CK@Wq7xJv$~XWaZdenE|M zk~87c(ra75c~su69rtmV)3bc#>z3ZVZR0I`h+U)M>BF)bpKTv_-{*7{s{QpbLMV z?s|g0-wM*D@L@16Sy;C|YCA@%+rKt_0wXF1jQefzFXBd4-;kh|$@^d7!T z*3(gYfZ2C-QIggEPwjWHG@eeBL@1js*&9~MtO^!K3E2kbkjbbP$?OMuLKVk`zGg*E zkV787ItF9Of^#hTiK86Ao|Yj(r85UKOwr9MLw;^HwN0*bDAF{AD@Hbg@O794BB^wa 
zTu?3{=JRhgc_Bq!3R;MzhYSa{iayV7JS!$}Jmpkv(Jv}GHt~LFHq7V5;?h2{_QHMG%9VE>DqHbEsC>p;B~2mR08&-O`3MaS``%21U}}acq3p6VnGdR{HWaz z*f}BfS^_ubMe|8I3zu!b3T(9Y($NhNeOl3KO_}F|3)2CePwd>cqezZ9GQIVnP(6nEAH$$l}OW<9MI|R*Ic9AJ3G*ItF6j#d#M#i6zp2r?Tc`kf6| zAs?tv)u|}A^NHNr46GYQluO5H(EW$YHbkcR6aB8?((zmjb#B*h5++oUR_O&>Vg;?= zETwJ(hLjOcWU0BjglrRE>?W{wdzyRa}5;lBX3DW66cT z*o5hCDm&HCS9&;%i|W$97j?pFgxq}j2^wDs!gUW3tCQ%Hd&r`tup*1Kc4#?E8NUV{ z1{c+~kWq08lpiy0)M+#%NQ26Wm;RQdNXeC$Ytov9r0a166mqG=3zsi=LlOpS6bMjj z3FfWwp6V1oJwIZ1I=)o*6_k1NXdgwz(CZGf*OS}sEbU5Bj}%G649=Fw%#OqVF!IuE z;^rYwlqI5yX?fAms#9lNVj-=`EQ8vuE`4- zc2rGWLy-R}5zoMX!vs;ls!r+N!KR2^Xh54@vcj*0-{iG21%6~jLU&kKJJfN}ADY?) zNy+!n+SiC(2kZ-x=O%T)Q+?5sh!a;|x*N&0${fW@E8W|^aM%db6^B30YE>Y)VHt1m zm;@9@7VhGV?_c4W1wUX*Avia#qkMD|sd;s1F*VixxJCB9uJxnj=r6CRIdTZX6E?|h zQSE9Aw#1`?*s^8LSVDQ}AZI{08Lp$yFa+H8JGHl%5Kntff;*^2U-y&oObh}caBFOXUBGM2eTuLtXvZ9kEUisJX(io=aa+d7? zYX)+5_=@FMR^^)CN~uzM-{~Y(tI{JrhR=JdC1=f9vegHgO3!|m%{48g> zjQWM3nD&yme}Z4{K#thfRp>LA&gR3|zg!+Q_JOcHjY%SgR3kAcdN9^PQVbOHV&!@L zf1KAZ_7O?#msA@7Yz{9R#PD9h6zFeY53v0LUZ@2769u;12A+s-*puDRxAnI3m<;m6 zODd9;t6bTxj`XXQ%yH(s*EV{)sbj#ChNXi;2~*`p)}*VBK}E&g=SJVVq@ah}YYcwq zvQ@=f1X9X#3h}XgtdIm2-PG0>dCAZMa{N zA(Q^39(if;xWOe--y504!{F*BYJ6GL!y}<@eyLDEDAN6IDKGJ1Tlr-x;A>XXHo zQN{AS_U-5_GgR!cJE+5T1`Ff$jAl=hMfW-nbeeVMOMf0&+2S$2d!}(WbIwxt+P+*% zGrsIK{;JO%%X5)i(9t|QKR9(RpVsQ|VmuCjp0Vp}107bE8<}|YwnhfRx#n#Jyt^Wz z)?3;x_XN!bP*z>>!L?Yg4pC_B?YDq5Xt|eb)%A=dpQk!>ZwwZ|df_>dBWF|&yf>53xVqQ*&a<7n+k0J`@o`?yR3MzEX7ERy!q~7>I$rTX7$4^z z(^gm)Ts5tOlp`C_TeRYnfCjJbRqN}IBUPlCG%O7-2_wqSq_u8GbIMf$VflT;Ttusm zxX{0spbnwyKrBy|jt9@r9v6)r0a-ECdyZf;&SvM^ubGJGtG5ZTzV}O82)ZqJ&?Ul? z#I_#XZ7w+Ow^ zXuhNF1}ue?e36ZCrkZYYg@ovbk(EYCj%B8KCb=xcIM;TL5_PFxl1Lo*!=3IDohYx? 
zvkKY~)W?oP?h^_XWQ0PIS|#^E3~p9pTdWBoxxw!N($LW z8%D9Y$ zN;NyJi*7)OJig*#N?qO}TxM(Z8!!B8u!x=Nazg zAwd1sl5gp0rZX2Hhfv?f4hVD<4K8>nQSq*3{;Yegyf4W zlK9uatDT3%O%-QssC`fMF^;7Y3dF3bmjclz@=(C{D-T-d2mq6npGxpJ3!S-LLn0JV z7MqrFcmtEGuoqysXXrJJV{f)yc0Ne zC!;se+!3p8F)Slk*}B)EJ#tYt^uGpdN|bN4qD6BwR{X*emWbS<6%&UHL0z3T#w(rY zU+XOEiM`+GJYlGKjSi=}omm}G+(Nm&W=1lBp2}nJqcCU~468)>dA&#_ z!^#3%cThZ^3Z(?S+i~$@h6R#|H*(I@-@Gdyde!5kAm*a2ulAf|*?WVIg37pjxy4^# z=Lw7wE}e6Eg6K3WEj^JBQLpu4Ok`V@94%dzZ3ku}b;AlXf~SRB&^NZ2(xOC59{-HI z2hM8%;-<}a2#2f}nZ+UNRHMX4+_9T;e*KOawgG8J2nkCoe7QfAl)rpLif&b7F zO6B+$IdPEoE#Z^l{<^7~J8;&GA98lY#=n$Ih1mP5W$Zj53J3Om`H7TCYg}uoeDGH* z;V9}>Dl+Q|pDO_&SEc!@dP)mEjk0mJteJmlYJ@8T*OU~2u9!ql?qf7|5l0xqz4*xt z!foBQhGjy!g+~<{wm=hp9h|K2G2ZfBS?)Y-0l!)?$I@`qPx<9rRODu) zA1zj`KB;B9#+ij9m}ZBJN@F_nY@7iR&LkXf%lMJPj^4S=&WkkNm$< z@1q-MdS{363&JzY8yhb4{rc^BDQaF91`>)xVIDAojA%nADE|Oip(t?ib+XrA=;llQR)q+CJT5pniSkTaXFhP|BWO8GFdJw=Z7tw1y za*pbm>&)aWa1ws#KSi;*3a=iFTbfQHMtvY$tA8{BfR7O`rnu6iJ8Ff2ZB+gYk^C-2 zs_X5htAJ4kJ@96Ry0w?0902%OWcPYjmM~4aa>KQ2cLuyN_yD#)k5^vf_kfh4>$M!e zT*TvY>D&(#>3JLN18j}ll(RZq^(=z04%aviG}krn{Hg2~>T)WYdm_1jM$>#adQUEU zj9zU;^R3Xq%l2cI+XWz8K?DZ>>mi#I+BqO|&GE-+yR;tkJ??btCc|)E?s`D&wtmZh z+1=780$Ge|Z|FB!KED{*jhfoOOVZ!F>0@rbo2acMvUU$|IFLTt;c7nrYrcGZFK9YTh%Ugdvooa(d@OBV z`xLSk3WTOZHV0Cd6F9wh{Z#c^EQ1cuiViz;&iYJxW+!~k-8X{VDt*+i`9=$()@&or zOyy5KkK{3YHe4M-Xw-E#+l}rX4v*AfABh=`bz83mXsoMGJQ}6V1TL_zZRVhN%{{Q7J;1QQH8-=1^GfLbEfll|xClA!=yJLR0C4|9MRW8b^r}}v zF_@QGl_u!1QW&V;dFW2kQQ*ouCew}dGcKP>3R_VO`|mhMdk z-!u~G!(tvh2DRuPMs@s=!jOZebyD}&L_^%zzqa$3)W*RS$m0wOACJMs#zjl~f{5lM z5-8@Msz=1Vh_H(ugXcDBj3|tUn}cJS{^h6?ho|LEoP}y6prX__MMr6V?MH|%qIPA- zPj=+DfEDwfwO)nXYx!GqI9Cfg`O{|x*y|Sg-&pn?{z`iK%6inORQ)-Qb@?drQ`Zm6 zyuF1oH1q6rc-3MQ7jZrR6akSBkh+t7e_?Vqg?wzW=POKh^Djizq5*d{fyBEm+`={( z!n{q$0bxY9|`eJ$v^_AdiXf1wW^88We3bl-7Jtk)pnI1KuA-x-dqtDLh zmEx}l1v86>HT{JBtoes6r<-`!678DcsT z_rF{;sr#QP#!onAp61lw0zOYrE8YGdroOSul0aLs3thHt+eVjd+qP}nwrzFUwyiGP z#+kZr&D=L%_7BLFD(BlVxmXOz;aeP!&3ZMYgL0jU{PwXt1pm=D197VFMxI 
zq%B+&WVY~xq9`5XFOxZS0Yhq&74ueML2)Ql*F>UM1z;oEph>lTg{7=R(1^hV?JyXp zMbC6&7{U=yQm8f6SV4kYH9$V(az~4q>iC}N<>NroCx(!nG6O2aBFN>bS>YidWdK>4OEn1SrV6%B^euz{CuB3cZ^7dZVb;(p-Phuti-8xKNFTBeYV~6>=74NunTUNjZmIVz@=c{?M5*VA74L2X5)( z>YIRWGB)#&`OSBjIshXh`Mew_f`iy#kWV?BI)?+64Ys?CaO-jbqkFO7$E8$)3qI%M zy&%dV$3)!2Ndt?zGCP7%7DuHB7ol!ly~?|bawH6gKtEN8Ir?x;*|~ZnTaBey0X%0- z_{JNC)dnq;LEo&Y!c)Tp1Ue$P=_Vzl3o`&&Bp8#3-%9)rXmG>dvrRG^e9fSRz!G1_ zUXTyXUuhj$Y33o(YBXLqoJgh7+DSE$D6N)%roh&8CAe%fgGxsI`6tORS(K+RQOf_b z@3;5y`fU>+I5Fwzm3!eRTT4C8nHrn>!TItq>BFy>btJ0N#y9~3UIau_|BFB1y-S!K zOJoOqr1}@zWO+g?0w+EU6lyX>K{x$kozsSI>6O`k$BEx?pZ(|N8UN|y_wFhq-x>dh z+|Jf})(bwAq#%Z@zFzS+H~<|W;rs9{B-5=Q9LRVG{W`mY-}U?qj^`mTvtr@oBs96 zJ;(_i{^sKi`eN20%M8Ec{Ovgp?(2$JF8g$cZdw=M@i@+!#%t403f@)2*SnrTZQK1O zuzm!uSO2A%R0Zex8329AKdYkmwkWq+n1bASq2o2h^rPWge7MeN`Q>v&YT3$kkjZi7h!M*3`^V*(GEoUX4erW&)}}Txxt8=8nuf>1 z={30CtL2hq=GtYN#_KnP^G@J6#Mw?AI^UOwNn@Z@H>oil{M{n|Z)g#3Q;h_Wshc|KEG z09T&?if_NgZ=w7=9)Q^fpf~j{?^R9*jpLA84G?tH;!NYP^eEB>n z($)?zk<(au$9GToEXzq43Cy4ghom1OX(&(u1MO4Qgg63QuZEHPYA#EIvPh%@lU>6% zwAC8PFdaR+$T5IPV{+z60aJlSjmO16W?9q^b!UQf7As=ngG&}Q+>6WK`ICO?+o>WU zNx0&otl~6pym=(v4GtUQSb{24;TjAdZU0YIa6tOQ-y9=c=ATC^B$6ky>+jfQ?C9cm zM&cw7su?v6N_uk%R}4*O@+v2ml4QlwrF-?3aY^D|HO-l9X)!9T+E$9&!drN#ika(C zrM3wS^N*sPE9CdZsh3Oh)kl)e;sPd%fka%#-g2zJmI_a8r{apI{0l-<4U%h>vK0=_ zE2u_EN_6|kCm?>@OmG>PBkm3OWQSb3m8#tFGG)k=zW|C){LV=F6NcSsIPVD-i%M}Z zMvACTwthZw&CzNBiG5{E?ZWFP7i_;h z&y>6W$+vqlz;qh@?bjDnviFc=&r%e5LEJHo{6~SyrgfS>9OT*q|2T z(x1B;O2oV<_Xew#CL(A}AsBm`;p$@C>F8&vNX|p1<8t0ADXOanBwAs;B7ZPO@+c5` zbskizHh{cWF3aSDF=Lhar(|(2-H@f{-{6x3K06gco=x(Rb(nDm4MD#Frv}wryRkL~ z<3cgkZ+xU|&0{2cc1SgLpv@N2}sCKtWr4_Vb5fc0AZe$aW&6Vb5bd;WQ)-g|#Xz@$O$D;I%-RMrOe z6O6Yfg{xr=pR1d>v}W2hjys4-u8go)9@H=Ri|~|<(6Uag`{rCU;>DPVE)>&%sN*{r zY5($}t~nPV6*AJ%G;Fl2MK8-Xz(bi+RdJa{+KIRyhN6Iz^l4L3g0kq?!Ed*QspreP z$W&}%oq#d#4sg+4v?VhqzNr$SsB#15(E`H$s}v-jFb%oRq>F=!sFeq*Uo-0F`6uoQ z>vo9z>o51EvvQD)t9fPK>Ctq81xkr*v=r#Z)k)f_g#RGb6W?y-{a2DQJS<|&8M$w;6q_N 
zY+aIR7{(h&7z|~}B+d})q_B8DhQuEKqf5XP(;Z`JX&sQI!Ho(eycVhFXU%a6UNpE! zXGVoVj*tvWDHbd&y#p5@%*|q6;b|!(S=Q(BV*Xd@xm4<0UtGM$R`223{?9eNR7O34&pBCPvAx3=-s& zCbt2iLJqpen3)vEDUP~dYdGz@+j?F?wo?rcfBGOxY2gu`kM`_K@^G{yWQY30GZhcg zQk)L)+qFT0i5P~|C{Z>tCB12q3vynXaM5Z|pj+#D$%tfoNZtCpjkr^revb?+{R=n+ zaYLw+k|i=>CwHXKf+q97<6Vz~A^X+!efIGUUT^Xzt0{Z(+U2mV&kq7clp#H^eD)`x zQ|l+7Q&i>)Sm^NNV;0p;>J6Wt9TDrCu9xp0!u9^6-poecTJYD-!6yI9J!P70|L;xQ z_J7}6ArXsy&kt#?seaA_x9sh1bzT2D(ELh#Ub8lDy4RrNs$D+}Z}^c}Pjs%XdD1vOVz2Mo@Vm|KhIQ03lr%nty*i5m z2Hg&)ZFG4TxGI}29K;~YwvhA4KfAxaTdM5ffz}M6XYbjxzx+ckrVqg7E$8+<*Dp=-d}0ncBWaicnALnjOTot@PZFZCC3)PT+l~K8BlI zd5-?!vS|>%ZZ2@|7))QZxbo}2Y&h6i=N)GML_EK(Er+kST|NeJ_xO#gUGXo3KIm;d zC92KlH9ex8!_R2kS$LW8U|MnkpX5w3}z2(yq94503S2dPePU zrqy_kKd{l{{4R1x;W*wNUu-r1bqKLf_HekLSLUcW$l0jk>seIQ+`6>j|1G|mikfo9`ALX zqz3vm^L!sn*X6ctPNkXVxE=cVX&S8m{wb~ae{dV*D+y>jd)V#yAGlo|e6P642JA7B zi+I#9r3{u7(Vy~<0q_77(j-@dj~%GTQBjBdV}(zC)NVB5mM!L*|l>@mK5_ zh%?!#ZmIfBWo2J(0Ry%l>^yL{7T=;drtQJhnK0=gbNk=U~Xwj(6!i=o4BqHdhQ#F|xu)40% z?;PMOu2~pd{Np|WQjEe#@aG|4sF_ZqW*D*!2Xi!MVOQg93b8JJ3^kCvh-HqSCfnNY zFz_y2ufX@hA~Z*tLK-s5WogYuNyhEErWQes^ZkOH4Bmz5;_Vcfkxn*r zRL?-x{sDuEZMZ3wXdI%z_%~|yWdR)){M_k%X9c)Pk_5$JgFH4Q3{fL6(MpAy33Sn; zjg}z1U?GXi&X&gatw;ohQPYRCF4|>SGN!*0GAOWGCzaZSrCTNKhvg1iw0XvuVVf4j zEV|UdgMlQTLB*(tGW(a$HOUo+u)_X=KtW&ly27AoMv$4B=_jvXAV!O&>x`c^s8m)A zGHu@agHbvo&}ta{nU^b*DqOfm@ZjW4Dc7>;y)^nAC*zJ1Bt)d%FoCpF7Dy3frOr%= zx}ItQ(h!*8IK_^lT(4ili}y%$BJ~<~s{mmCmp5Ql1>1Hx3sDEK(F$%9E867+XcYe^ z4_g3@bc*dukOj@fQF{`}Uk9^+px;IZ^y|zTw zy2!Xh`2xcyG8c+O(H7y#q~DUE7|s*+OsCP?)m9;{yvyas;Am;Lq-togHu93J!k01`zqq|E)=8Blzb5$7mq|$;SvnO z7+`=Mk`-vq63oC*0|JG`)BMd5(0Licp5DC$jyE|n@!(F0G~{Bc2PminI1%Rs#jIJu zOncMmZz0=8#%!q+HGQ@BLdo(6N}MYQO~&Ffa9sx%%%1!XO5!g3#3Qi14FDCsjo&AL z8*uPXE1|z~kpG0r&c(coCXu9LF~VDFQ=Kmqn$p4}&7la81ZvZh7z;+i-4Sax6=Cl^Ny1ZP{?pmxX~1E25FXwipuUnKBIysww}ft^=7fC?<{<>Rr6Dabv;>GnAQF zS7ZufF_o?=wg4wtvl40Cib>d7TP$z=sW#h0$)%BsoJ0G?mQ8Z$iZ6kDRYAbjV6qv> znlYOOuD=%`(nt{dLCK3#=3In3VcT|bl!&IW4Bc&LhX6;=7wFlt@BfIxf|dGv-ME>6 
z`_8+TS(;!w6G_dTWzV<}Er4S~dBZ|w0$RHi<;$A*$<;x+)4)>s^8nCAZP0F(yokK2_2_7*?<^hSU1 zmZ#FT+UMY#xdqgaBHD;S!nX%N0vPriv)l4ZL`V=$Tw78D0Dm{#oMxw7Z(?6<#cO?* zJv8+jJ#MEJ&vu=jX^xZQ@$g6pKuSJyI1YnN9854rS<58fWCf5 zo3ZbBtmnjbKxgVm(&TyYdVD&4)bKUg*LrM|U5I8~-!t3XCsn12EsW7l)_TwQxXomL zTqf3aPVy;vpH^TWo_e-Xg*R^{wciTC(aVX$s(hG-i z)X(}%ic8(irw<_h?{n*yB^&v#~GW4@}jQJ^Y*jF_7}EO zs-BL<*{ue=ZvAZbVgGv%I-g5!<2gQ^2fI7H&$q|V6Oz&6v8}M;E6;nZ!fwm#evdwq zUE7O3@A^0I1~}S*UQKWL#&Q!F{XA0erfWRH;_uZ@>z&a<<-R0~_q#RQ$FC7eBL%!q zG*#_5{93uE_w^j-q{nZhd24GIt95d`t~Z0vIdJLwf}`N6UySCC{d-g%qsw_~2XAXX zCkMA>RJM27^wn#_a4|BK1b#zy*_7Y&QPB2%RvlKy^>v@q`uQOJnp4$w+WcR{eW3i> z)pzIm_QO5kzsqYN!8p6o1hi>#q_~aT3r7@3e2aYa7W`DQdhB-|^DA+(!%HCJ<$6}B z`_8}j7W|-Z5hINj!@{K;DV!{+*&W#x$XB|;2p^(GQ0T6`@%-FKOvLWAs-rc61JFjz zOO()BDU%Tfs6ylPh_Iwo>SJ|5T=C%=kYlz?LZr1Dup2>~p#l|Dieog`xiA{8ulj6a z3PEK!M?Z_D?fj(SllRDZf-MTFqX%ZquLNs|vpH8w9t_oqa6UYD$F_Y?NQGt1VLAm2 zx$Te%`LP6$NpJ~NmiJ}d^cz&H(a_379fp)2S&~FH?BjXKIK|ERpJ? z<3rLhqme6EPfg({>Cy=p3oqbHeFS;AHaKA z@NQ$XN9n{_z-NaqzO#VFUHQ+5bW}k^@0EQL(#2cW8p!+8#6Y_&!hoH@>CLj4YfCW7 z63Tn~YL6DFs(=Qqp+z=KDbG2Rshp}L2B9RJTaw}pqM(9?tM*@5Eqj-VrN^rhX<$BO z9_eS}t};ui>{qxJR*Es?P?-COV?2jGi`Tovznw&JcGOH z0`RW^Y)q(J>^gvl27veR&VJj9ADYeoWO9laxh{@kb3hUqU@=5tt<;H|&QhLCCu@f$ zIn-7=6Ln8mC9%b!1!~slLwICgBvXK^6(rMG#b7gCti%RxGq~VK(h7{DwIe zZA3)wp_SQ4@l|dElkHTOtoM|u8pFvzxHW80tgRBN$h>Nh&jh0q--%KBsq->tK~^PF zvSMAIsb{Q+J&ol!Rj>)1o%BT`)>p9%B-%7jP?ZVN5+*lB(yW7=GabfsVO6gZj>leg z?-pL!K)HCdLQcn)Jr@QF5~A9U84A$2X@wbRKJ#}ZCRDTTk0F5q1;IOaPWd5k#|9l^Bf1(cEbEM zQ%u2gtUwP%X|TugAt@pcJ1s^?zij;{w)#24ci{e(ga4Varf#2xcKO4*$cU4Hxcv`* z!kI<4^$;{}K`L93pnOWnud2fgNpf&Si78>KBZ<0w3CdKnNnIqE^~$6pgE1@8^I#wj z2r&^RW{9Zj`AM?Sp5XAu;-tD0ELV@Ac5yOxIMBc7Wp8{bjthlW(NPJeZpnyCxtibp z4ax|V0|bg0UFjEdIV4^yOyI-dpSP{`HE9S#_v18gP!wb>qJg3i@#HRTglyZKg3LTos#e9`@E9e_wT&WMp0X} z>qr-}T9?^0`i=Tm_XB;Gv&t%#t>-hNpZ{}aT8~fMs%Fzl9!f0tcfu~s%SZ^lw)>`| zA7E0o>6+KJl=Y-MwVOab~f3d9n}4%fS5 z>TgU2H}SWvKA^|LOur0|#MsqyG8(o&cXPgu2U2`p-+Za@y#OC|eEv9{L-XjSU~N5s z>!-HT!YniE#5Z2f=azIsgJE^btZp8`C-6_4Q_qBgh)=Iwn 
z?6cf83OQU{jF}qV4q$DBT(9@#C%){6@qD(v=V%gs+QID0q6u7Y=isU{P50ls|MwaA z`ENVAPGfs1ukJ^==M96e?iW43ip?fFzD7rf0DmN4w;AC5gRB++faZwbKYoHT)6U(N_q+||M769#PSRA4qo@^te%>{I z$xSZ6oQK4Li^PeAhBgzR|AVr^?1S$jA-1jLs4Er|ztOFKnNQz|7va8J2=q}7TpSuy zv5i17f*cD6^^=eh8!J=Gp^p|q5D~Bi_>}HgSp2RkHaTbQlXb#LsvafKn~gfquE?@+ zBQT?CB3-Oebg^D1t*d4YiRBm0X^2Wej?bHQg+`kkwzWk`0UG=ll}QaF(^lw`McE}m zAYB7>?9sJG?R*cTWa`w6!5C!F&umG@PQ_r-JY#0eAh^}%A8=TXYx<{PojS34O*BZ8 z6t3HT=&{R_ci>A_c0!#^9gCshpi^O0cp;ZG!jS3PB)d|P#u_*&th zFhO!j<{u@P)$(wqacbPQJ4@yWv+c|niiV@3N?JL(e~ETwjlTdT=YDI5`t3SmFjfu? zOxcpRkMU<^YlMYTv@6gW>s4-2#O=q+i48_=nMVxFgpF9F#B57PK|NWl{#4tf0vMJf zV|`Exk}HG|P9Haf}uq;3iJmSe&7eDVSX*1DuUAk|52n@&qK0!R71( zAD)WIAq7!prKy|NGUVbM=AifDU>S*-)mo+=2o5^s{mwXSrB3U?TK^_Ne$haPNE$YU zKpC(3-~>?Mt@P!u*Ts@eL0pv9v1z^M{X*~k$0d2-rYXf{itANdCWRtj&-k|R$3aRPQ?;u*qbl5-bi&V)N@og~v zVizI#C*(~XVd8<7atuAYBqn1B*hpJLG!Ye{uGy1@hKT~ys0b`?@y&!Ik?-0y3;4fe z<_wT%&LH2q;*`bP1CGvnF5N3&bZ)byDVmu|)fs4EjXk>+hmjWoYfB>6Aq|#=OZR>? z#3sYoTN`iFox_6}a1z5imoEt!aO^`z&%jh^CtnUw7D_)+FC)Sufzm95Oi(BiMdkxl ziNtMUol-+muuVur&>F)ujQ{<+R$a)bf*+JHD|3Gki^h>tY98I>5SDszYtOUvVB85m zW~oMVo+Q{X#F4|of@qnaA`^z(CUAr}?F=$X87sp`esb0@#zahYRmSX~of8gPsLZVM zCl^LNw6ObFZ3l3L|8?S54%j4+&9KPtS5@~Sc_C<3K%w^3P+`spFUL}>-AOZ9f`LVv zhGyco58GC*TR{khv;~bs4jQg3L5AxyrNy4`%s*>|qJ#y#YM>OMnn#axr#hxpYAjvB zjhq<9s5*S3)2!OW0+=Jz z9e~+Yrk_LY1^%t(E$uBnu$Tf%MsWQPUwr-_zBpT$0jV&5_9d^#@2P*l!|ml{3zXMs z%aPyHd-dhpcc7*>>qVFCAp6+b`+)a^tCOkh>unx>r2t>=GI?B;+s5_IW0h3(?da&2 z?_q$Ql2zRulV|_M&L#6|!zpeU8lZ{W_pjq7#~Xs}$~ZQCn&RLGyJ^Y;s5CU zZr_*FNd4ND_Ir8CUq^V$uI^MmW&>WVzyX(EL9wZ3c8NMK@MVE_;Eo5u2V1DRF-z<8 zHEkCbVcEWoo}aKUs52Vp;ixknm*W|6+0Q=_EIsZcI=#BbXFjq5t{rcLH!}y)R(0ES zZ-ZH05m|PO`f}SZ&yOx+UN@wxp?Nbk?`39W*fd?*jOni#;47Nm(<-s=1@4zBRX?sh zVpE;Q>)3&fkTkk&^Zv@J8oq-)?zAhOub`ye@auGLYOlehG#!`YC}_1Qe5V`Sc~^4N zl{Nc-=e=w6YRC1G)oTp9544ZKh8@D$Y~tsW-R^~KOt-w(lfl`n20o^@ZK$oMi=3SM z6;Ipdm1BB*Mb5YOFg7aNHHK*X9c^`wyEij=`Xx6FF9zMVkG0&K(Lh@K&o7~eRo}1O z89>}W0Q(hx-U7hp{WGu5>=XR^0J7&;Y`6VAPkd!TA=gT#dqJ=HM=7v-z>lh)DUR%+ 
z2z?~-fbactn`L)ZX2E}REa1*;zO^Qrz58WK41XlD2LpjkWZQiqb*|l>sWt;Lx zclYxw-NHq4LfU)9MEa!#pxjy$Sm=dn7|n?a;$MctroC2BMwLKCsp_p@Yh$vDLbTIb zl!nTpP}ZunW;xPLaizo*Q__*!BuryYAq}j~3l@C=j}pI;pvIpeC=o$qZjFFhI#MLp zrjC$ZJ^z7e=wf;xsf>E?Z`Tl6G{9z&Hs;*(jKlgbq}}7kf+2}^X1Xv_FqX5bM2%rg zjV(IfugwH%)?KbNE)-`Wrwi9y56i4EQdv|0zZ^!7vCT{3QvsdUZ?n}$t5r{o@0Sx? zOc!3l`XG@TNYVarEGH4{xMYiVtN<~Yd^2dvJyjM;AA_1UE>>)W z8K8NU#t!XJM=J3g4^&rX5VClysjzEGPb#3xe!Nh0(#N9gifg0txA`bsQU+I`okz5x z=awFGi6!8Ga1u;k1-D=|h?BG=p3Zl1#0ioaL(f6LIED)!n0%I8eT0 zFj%}0`EB;m>!JMz^YjsI-)+tBr(5x-L*iBhvPqnkT4BNb98a7mK3$W3Nx2DCU%Du( zG8y|#VnxWRT)ix+bwR-jW9f82L+x5RQ-A^zEa1_I3AxXQ1tUm_ow1d=Uw^4g+R3^_ zYg!^fM!dc7s-?TUlnevm{g#5cM^a`w1?=LSaC44H2>mcHn9W75iT4*Jckwi<%}DZK zqShRDhtM%)ozOf4sO+J^1g+F?{wT6IhxCA8tr>cUfMxPbUxj5;a9`h_X)Jw?&`Zhf&TbioMB3)t0PPRt=fBF3jxzlp#U!8i6LWmLNpHIxpm;cT3hmIjQK1 zlRe}nJ>d?n3?q!BOBy5>kd+`FSPd(avKWBkC1;*-L7xB0+OyXk_Mn*f>;Ah*m?VYZ z!@iGXi(?TQgO&O)`kuqJAe9i51SdQ&Jbyj&&ueWa4D26eC}bAA=f()d(3?&&?j=PW zRdke=4OR#TbCn!x^@0p3rCH$N|hk5-V=n#|Hya{w150IrV>q315={;PLj z)5j>Qa3weHd-l3ut7?Y{aPAMj?x!H=*4?j0@EN|xK=4?-OE$9)SUf-u|An}@LCtHU z9R1hD;O@n~R96H0dl)o^G8J;V(zO-s|p~#OnsfdwgN$t7gZuzinL;rLEmuKK=x9sNUHA$ILCs9zAco+01w^+|@_0l^acO!Rpuh%!a*0Cu>Q zwW4i*{oG*n^K-81&ei4F+kM|Jy|8(+jlO(%e&6em!*5uOv1)>ze`p|9<+qC&ezCnq zzN)O_L)ZDN&O4v9aXDZcSZ7}Gc`t;9tDEuNWAv?i`D<^| z*ova2?YcKd|NYveyZ*8|d-=6da$|d^`Z%FlH}xryD%1UoH`U8B3*@OqukdBNCa^}Y z{VA~j?AYt$k&fGMXOs8fGUW}PO?wRk3%u8})90?`Cc9yIQLq1V^#8u6`v3I4z%w$1 z7w-TU7kdKe|S)ZTh6}}$VZJzGOXd0Zi^HtJ>GLu%u`46n{ zq*8m8#!R%d(3PA|p=)MZSx+lxEvtq2vpQOS)LGm@k>6NsIv@)d^%S0+KN;^sp_Bxg z;^6Vh(j}iAk@BqND&6`-$lsMltVJgxi0K{l;+WD-zx~R9&|=i4S!0sOdFE-fC6>c5 zOuk=$y2zh~>540dbky6<9AqKgyv=3|vO{{q#!7oimLYp_W4a*8Dq6;N&Z*kEH5-yx z_Y#XrAwmcWR=N`xTwqRw`%g!)3_<&;vZCw?Ba~n=n@J_h0tQ^ATR4RPM}GDVWlt8) zva>*CDz&L2dQ+KbB0{j0-~&n6-hw{DpidV&4x(WKa9v) zj=)3233Dx63!sxv3chP$G??MuT#erI=9sCGPvh@d zitxhJE3?8a1glo0Y9ew{OM9RRcN&uriOV-*b$4Su#!e7iU~Z=zFbE6jI93ZEDx59`7k&aEjNip=t5qEEbR-SQN`B 
zdK7>i4k^e!O&TFBX36J;PAmg)Q9Akbs|L#!KTkklMr-2Q7`JRlj^0F~Kq|Hvl!V7J z*#cn$E7yp(c*2fanS}Xt_;(VV{=~CeGQSz%;V&eG&KVk`Oa@Rc(#G7MwGyqMRL|WW zS+|wI1*m#Jgmzc55*hJGh9Y<9g*U(?B|6$t(V#rhQ8b2YCq~188TMSK2?n(k1)vI9 zvIA#Sc;){UEYlKKJI|he>Hrph(HtV6M2S=+G219H#S1>83s+v?xpH3cHsmZuYE1vph;GFki5$90WwadjHu3} z&DlTw5Aj^JYrP4Vky|JwgYo_9ifI+J9J5#%CX{<>;?l{L;HuP^-Qgwp!D!T-5 z`iJ-zzHsqiR zeo8lcGr`qBLqBb%c%ERG(1_ff41Ev3^ZxTgGUQ(=9aIX`Zu~pcQ*!2?P0vuw*JAst z1{h2zwC}_#KztY4d9!A?qLE=d(Dg>VI_Hfw1ST*E$yYF&)%1m+3e}9x5{r|xxVF+J zsp5F}&N&WQYFCz8Rw#^q=ZwhGwlK|5u4qQes|(~Y$%-~!yc-Z!Y^xISG+3BAiX=4# zHCnh_=9zNX3__NcrMRFWP{L`vrO?r$Tqe}|34^?fMn!>jYxt^vRlRJKex zSocSG_(BI|d$O)urz#|9S4p*D7@;Zp_sV|@nX6hVOLXQsH)60PTgsmH6Kq9Gg(qDa z!qQ^EeJn>-nlN=I=E@!)^o>*2TOi%qw+6Zp5zDGBExV)Fh)RDKRzKSs2sY zy)3&zG5>H>9!UyjiTLW+6?YYIla~A?v1%V@zKr{OYF`m8%QeShHRFE=ULFnxkPr5S zU;Ux;*MF994ZvVG-^s0A&o{V$eWbAbEA*oualT(IAfUhw%fEDoFEpM(lmPVe?U(Zi zQkeY8ZXYzA&i9d?-RBT7yIt$Z#ly`;h?dW^i(c1j$b+nBmCKjNruFS!s#bI^fY|$j z>*m_k_x8Y!2xyIL+dvu%Fr@p zYKJlDKF`cOlcB(4xDv-K7TBvp{P9}a*7f+V;HBF#T@Xgy*3@Wn_D3idtBYNzEY~w zd&^O>ZKPhsb9`usONTd};o0Utzc-upxSH8~?m9hITItqz@ya8`r|RHwEovUiPELmAs{c9dWe4chkz3s^5wSPX=IGX2m5y-wkKinrm z{q4N|65HYNJk74_c~^%QD9i0Sy)d2s_nWS)y3qEd&hNt4%ZAY^EQ+n`p-v6A1ow7D zWw$EN>k9HiyPn}KtxR@@zU@ns`x-Ej3*P&6Yre?7%D-15&0W1M~636b4d; z6A$n*cxHUSTZ4THNUMGOzV64w|J-~7D0~7!FZ}djzJEqB0@(UShh1U*Rl?U5vEt zEA0RxDz6mOL6{!`46?^p7pb3$#}1arabC9ZH)Q#cQFGFZl$_;3MwQ0?jBvel@jyD* zKh^MDXZayT!Do)@FYX__G~ud@+F~UJ+b8Go8Pf?gLu%YaLK}+EK}C^L?ubm&BHvC` zww!*Z{gkl06 z%DZ|b+ejh{4&gpSaf9yoOowqD499QXB!`_q*62aPMqPO=LZOp$B%DGU_`1xbE+tFn zr(B2;7!>wP2;uEu9;C`(ed9ttgnL1P-={;UhY`6`6(r(8Jur?%fvzztSNr5dtL#qd&E{S&emLIebz&TR-$QwE&5cw@U8 zRb?6sK-z2y%Y{R%>yTV%>q0!`2c*n$Za3Q0oZ|=xak+;_X^d zeb$K!)Yj-!=_Lx3v2q&JYFDGaH(`#)3F4hS!6qh4>0iHPj&wo_>#cc-vxNA6t0`n- zHXb0%4Czdcr!oI!G`<)c8+^bVn%SVyj)>81<3ok}bOod6yen5$J4`J~z2#dVl4K3F zk|t>yJD8!6yR(iOFJ>Avm6e7x4W(9mv!qu!hsdemwEIifS4y#MD5)LtW80hh@a;r* zALfHjsId+^Cu!%aZRom2V`Ym_@{q+fjq;$u!;E3Do{S-xvmhn+ZrfGm<1?j&8@x38 
z(Jr+7NV`xX$h2cW%D+d8z<-`8$ynUEAK&D^VG?$SOW7m?kXR%o0jLE^uf!4{u&a`e zza0C0P|Hc_pKGgL>4Nv`&eXhE&+)c3f?W17VK}UF6K6>DuvqcB(fUfK)FXI;KK^)91NM#|t0xQB@tl3Rzn(*3K5@ChT|1tcoJ)=@%YI@Q|6#4%48Ive+C2@ z?W7~UYs5zcGip%~(3L3EuF<4&6dIzbT=_F#oP2*wI@Uy#kAdDqmMW2Gi;BHC!*Wiu zEHBdk9iJ~S(f++L-$6oi|If(O+0~x@MSGh^5~08mS~&j0kH7wh9~TjnKndyj18AF! zK3Lm$PjaEgCaVn7{Tj>B>aynRQgEF#YUSE1edGUpDxkM^vReMEc-KPMINI6GD=S&k zD$h&xCUbv`GD(ly za5&4J{;?O^g6Tzd^5qzU`~7$Ht0L(#BMVo{+oA!w736v;{K4+?i%+ZW?+lt<$cJ8< zmMb!w)39tEuk*NT7?GCs$JBTTaa*FQ?mLcWo(n$Cr{NL)%;&=(%XQswUPjkVd`21I zHFVH*O7C@UHqHBR*nKlN!sXoD5#~XvztF^XYp5ca=Bgbsj%P zsFnAzhB;N|zP%sM%wcuQtG4w`R&A>t(6fwdfFy?L+p2*14mH=8-f*sN=4;P9I41Db#>nl9ChV8 z%y9`u_e=GC?69fZisZiNLTBf3J${#LzN<5>eKa@X)7^SaM^zg%<*S+McB~<%<3?ka zyP)qGFz9ai{=Z`CA6?hKq;F=Q@1NhoZ)5-?Pug&=(+NPj8%6j&*`A7es3#vF4Dk9a z3mw;nPUW;98vQvm&lA1LB@LXFRuG2^wrzR@;jR$kA`BfXM*>d_BSE4W{v=9fg>+LA1CsZOX=o|V=_D@Als8zGev2h<^}Lo!S?uM&lk(uP?v>a1d|SKgqS zSCOm|Rc8@yR}yd%lhDlto485vrx4Byg7x<)u+M#1!jN1PsM=68fb3T|j@KR|o9kMi znU{rg8a9viAKC3lR)ia9&X7Y(dklsB#OnGK6gH|*li5yHs38O8g$zO^^lLpy!CSA61 zh#$tP_X-HJW*6GL7V;@5#w(7XdE#sgF4<|QE!F5rN`xYKt<=uM)93+}?6RFg+mp@j ziOKMtqM0G!R}Ft2JxQdJ>Wwr6l5La@3RA>AZ8~yhDUG8P?@P}UQFcJ(m#kMtx|N}y z+;f@RompAWgO@{VRZC5MC|ZDt_N06y+(3q?F%csON*t7^Wwn>UVp@SoHdz0z|8o(L zxC2!|Y)>vSO7@A# zbcf&?ouZFHzNN_${|MC;uh4k0UO*Vbr;(QJze*WVQKKuGVerBf7jjwbS+&Z~N{`|F zGx_Y9Ynjc_n1FX_;yQgGr4hX)SGFBW_ZDk>D`Zo^C)QF1coNDu9XW6yS#DN-mK~}c zkl&@4|0sstL3*OeynL9Op9C~qWaJLSkOa$^U{S79I-O7FQ1!4vicLC(qjUN<5-Q6C z34{w_xTISab9(AN+#%0eI&e$0DGeQh1wDe3p`vlHlo~1*O*&QcgQ*m;B!c>CGJPYR z{VVXz$yx;AzWof)h=i`125444*8Iqj(%w-3Vq!JeZWPWy*9NQf>2xq;H_~;$>ivs&ctnYM(+hu7u8&+KCjMX_oM1;yrs}9I zd!mm9CP#c+MEyWuP`w&d)l>Y^x&Tx?(o?@M4uWv)mK=vb6NBpAA9zQ_h&CRt^Y13- z#tj+Lq`>9I2E$>nAFc?!OPdpM6;uc$8wDvW*08}~*ph@~o?J6RS>%MWTZP1X;-GRF zPn%e2q<#Trs@igy#QOY%yegh-VugauUqOD6tSg`;xfM)ShYoaf8geO>*%r(c4B|ov zCIhQM5Q`?-ifUm+%qJM)Hh-O2J?r+|zhIf6J}v};BQ;udfle5fa0aGBU+7}pH9*K` zbkLvDzqXVWhR77*-2?diXLtUtmM!w9cZ^qSJ5X<@`ziiwm-9Sm`j+2Y&Q)*K zR_h`Gdra%tI*qVc&hR 
z*N&i0FRyb^@;fhb+Y4~GG6^z6M5-=BrCulB&$z^;hL|^b5g7uLJ6rvlvM`~x-&Igi& zfin4}+pFed_lb6e^TR#QEXRk<1GMfY*Lzf>%4M*?%~DRgZAZ50`fWRAlm5l{={l$G z+qs2&hsSXpxAv6gbvV~<=Y4A>}LXrSfl=*G))crb0ZQbWg} zD$38R@MR5dUhyC4!PU##G$#7BZFkEd7=N#2Pw}qjnv2@&ba!o+?>Bc1IbieKiO4*P z+F8s`*WxIpqRs5;k*9T2qz&KG{TTA!9b5=a`d6As^kvgHDISk_?^%~uE7x@pv8~R@ zvfGZp$Ba}M14{xP=Y5+`%r_5rXEzx3{NIcSC!nTP7WaL}6j3+j&6hw=Ay z&i`TRo5Je~v~FXzVPo628r!yQJ58F#cGB3|VPo62ZQI$&{&Vj=-+%7Qcw294ePhiz z2d23EoyMC6;y}sUHyM+04LkKyxj>ugyS||4`S9TvNc`hfJTr`6du@erJ}=?BEZ2^| zJ~EaI;%b?;;?o0`0qejywv%XzDJ2EqetJc>^9V;;IZ%b@;@^EMtbotmX}3*LjzaY|?^c(6#bvCA zMNM1A(*`-e$>jO-+RLgYr}sT@o$00Y9#r!RTL1Z#N;(@*at(U5*fYG%^~rSqxZeB_ z{1>lmDy=M7AxUL8A3$k%CAi)H9jp`#Na>~r zzX2G62w}!UaHt7tnl0i^>>!M?aq4D4`0(Q!vpOZzs#sOl;sT_ul`qg1mSp6Ut|Rv` z#x~ROD_zOj$eg)5Wn(C*oS5N37os!{Ntdmt3Y92bT41YJk>@Y8tl=!{e6J!_jDfTH zI-MR%iG$Im{4nvP?J~g?!Er_W7kqGl3Tt8Ggj1>P6l99pl(+jdz(g&^DeN))R%T4* zXZO9(*a+fLhLX+d5O&f*q#-C6jn2E;(zQT`x(N4DB(z3WwGqpn+Nw2sPQpbODWfez zQ=$NS$gct!4z%=2lmTnQauNFm4x#w1xon|Ag~G-~U+H466@tv2XMCYU4F8EQOZW8I znmQ)BgZ(U~+=X^INtPtuG|X7Q&_;cp`G+ga(2&6iRt3717IrjyQ?e3s%+mO1a%uR! 
zTU+J3LVfnw1D%a9zA6mdfsJ-s+MK!$91b^ve$=9_fqED@CzDH&Ao;j?J1SMN7Uh^U zEazpQ1G0@c^tTe5*%A~8PG0p*i+hPxdaV59iTA~}RW-@NqRMm)3e6zBmBzM3y`*41 z`hl2w5j=Hm<+B0ox#SC0pL{{Axph!A6rBi$PZKx^-y5~Wc^$)l}dmj!y_DEpRehO&$ z33brJ1Nd>DE3RYn^Er34plCI4);h4#9*M0GDgFdd7Vg1PsYf2FjW&)sUl2y~tJ|mv zg0b3VmpFp^fjF_%19k61hX>Zg%MoDG*WaZN3*H@Dk2YQjHd{yu7=EkQ3PBmZWtU2z)oM2##5@Gxq1W6M>9j@(j=t!w@973Ns2 zIr=bcEaBimCqFU%+y}=xPrJPYkrR&gWK_guY*+@aX7KoRPL$@hb}o=xvq_Q5gKV7J z4F~>q*;Q*z4@yR*2oXnvf&ZE2_#E1Aq7VzziF=kJ9+$eq4soN>-9H^sIFQ@GVxU*K z|La&vrC=k5#J2C_A5U-yqZW5A7p-O>!OKx|L{94jB}F+u{ZNbvY6T4_kq?51C+DV) zKksqw{mMZjQA?1FgOGQ`@T9@XwFhnV4-LkyQf!C*b5>$?Gvw{my~M^nSbhZ~#ZFBo z>O0_6(xz%$K8HP~vc8#bw8s{WNY80mS{Y z z7Lf8Nu)Y^DEZ zako?-jx(Oy=>=K~V%)mCHb@AD* zXjj4s6{O#baz4jH0$4uW0kdGK&ccGVKh;(e<^)uZgdA{=5jc(XyF1U- z9e=)=m3k_a1$xFvo84`PGD=QoZZe!liA+O4helOZ;rI5v;0N{vq1rqpzSsg z@Z&@9WWiJ6801L$i2-tU?eshMT?R2=rj*x2^P*zFer9})*4MYWyrctz<$apNSpPt} z9a5kBWBmqj$NXz!9^S*I_5o#Jt8VndlX9wRk&slxG3-AEfI=F*HsW$YpX9a@D4Q}5 zd?dOfBz}=Uq{F4~RHyNVA4jCX)G2Zq@XR-VC^LyF==ju_^hzsUrMv|nDuxQ@V|!Nq zq#w|tS6Y=zq${nh)XNo0kt4w^0iU848WfYLS=NzAbil-@)lT-}KsnqiWAM;j?U@c1 zg@6qy2}*gjqmygg3no7wgh7L*fh_wTzx#I@i8YJIqSatLi4vzdb(9qz9$Ye7jc!p! 
zDPQqiOP&5GsO3)_Za!)AJi?&IZU=k|nO`!%H+G68G*P5acnjjyn2hZL+Cq((gO+>* zN%I&MDQeYk_!-@$i6f_lg9w-8yD02Pz&TLyt^WI1@HjFD*6p}Fqp>>ukZggx@Uo<` z03!-O%_SJMY+&+YKvSesrt~0T=eA5A*T~xD0Nf{s?H}r4zgyiz1HyL_B9j&a7x69o zXRURpa${J9hkHm#j+y*{->;|_6#OfxLY=AjT;Sq%YS2wJv)^hkFf@WTm1>nDo9B9rRq z;9kurrNr`PMH^HKF=LY~MzI?g5p4G&C8f=orRKnrlvt<*QerkX;AjBq%t8~OlMlf{ z57~dLyAPjx&;M_B-U!$em#)tt6Ya#LZ&;tfmLlfiRm&h=Rz-u8eCW*==o^?3;fM%d zfWQ(HAhGm(gI^3k_z8&StE{F%S8a{JbdnGSkFr+;JSKiUtZS`R^~0fw&J-XhM-}pw z|I8N@SQF!F(=@ZBC!6YH-<}g=H{2Jowju$YmswyNPLJi{B&L+oL2>}=@$XO$5HjP4 zK+cvo;jo(G2Eic3L9u%j3{`s27q5YC!EB6?hf#8Bm#dP2KI(#JRi~=KPgh|kn=aCx zSdY_>=ZS`HxInU9#6OZ6{)e=rMS(Y0gEZS7l9R?bKA3~ej_HhqT%;k&ZuB=5!;IT| zOnzd9jK#iKeXtV^Vv*0jNi1GSgu}O#g(d|}S0PU2s2CO8qMw#eEm+d&0SAI-$DgL~ zr=w|aaW|{QLIJ*1GlC67ys%t|V5KP12=iwgyzsmn)B6PE=CvzD;q_z|GpGHS*J$bj zVig)IlK6Eg$AAG8&ZJAqv2ZbhT9#IrbF^e8O&j4d3ODwYWnwBM8{yvlV1Bc|a^@Q$ zko9VSczGQh8sQqI)BTZw329>pGw~){3K+4KawU3e9u;W@we~Tig$BGu36`s7h5-#2 z63p+Jrp1C6R#nNu?on>5bnG_@NX%%R25NvMw$+}+m^zDjv;y_L0pc;A$KM)0_~+*1 z2}TWFAPDrKdsS6z_j_TfpVm&uF>sc}%x ztF9IMbAdnZIZIrK145#tX_F#l#R;iBAY2yYn^fT<%f|j@H|1Ktr~emXnP4Q0w&g*> zrO%+Qh?fG8-s6J&So5_Ywn#q8H`O0+i=ROs*&yQWE|3xS9}|?=B*Q|`dKBN~7lj^d zxHEYV=)I+JUEI3vn|^P9y)0bHD>Bton$mBR1@849GVvF5``<3Nch+u(MlpeeJw78P zr+!pN7znue?pE3xwkd2JWLJ2sdS=%@>j5)dHPY+HJMNjdZy!=pN2mFY9wxMH+v(=U zfeurwk8=#oogZ_HX%|ihiPQE@z(HcK39@ed0CGdm(QG_Huh`EpoG;(+e(aloBcThZ zn5e4d*!db+Q|Dz=2YP=%e;*xD*U)2m%ID>YDC|P*;cG=exCx z*KWf{a4Avi-`}wUHmt6lzE5I;TAb06?}p#XQ~iYYv)f)Qf%`Fdar!>1iZ%YW*F6*+>ezYk6-UVIza>O=Rbm-@3(d@A4I^H#ms8oMnA6h*~-n2Uxfdb{omil zH8z1%Hdmdw9Zmxg_l|=8 zpLLzG-7B3fm~K_jLPv*VBfOpdV{vKSf9^dGJ$Ss;bSGB>COMc?iZ-_~5xe=Ej|@r$ zic}p5f89*eVL7(#N{%idXAOvS;Qrfp=0TAS`R#3|}9|)C= zM=xAe)!hdc>q}FL*YL%&3r?Y9@;=chzuoIKGXWK(#OoA~#rmqXHEv-vlNh9=9H4!(kIBlQ@wEJUn#3wd#uiePx5Z3l0+K`OC{tZ*KxF8;dhqFQF#R}}5eZn>+I7%#GA(OUWfOTPbFjQoj-$VuNwUV;T zC7ZBVufV7-nCx$fW6|P>9Jhb-ZpNwua(VJ&4y|gZ0~+?H?`J<`2X~KFlC+ssWUsK| zP90B_Dy*}<8*O8eshb!_w#bYRzf8Tkh{;X)T=KXYUm(L`9eV|YwAWd>u(w3DVyH6- 
z*Qr7be>0MVQtvElxDqq8L8Ph`$7OlYoEB@M3-gmRnZUul{UXQxZ$&xYZ0u{OpA#Bq zCX-ApVi64Yszk?LY=6}TBzV8;_|a$*22Zl+QBjkgTe|jlpgoLHKtQ=*kX(}SGCjyo zKTEDg;}#*Dp3Ou-Z=9#Xb_Q#X-hEJFsHP?%v2Qd(=C2~9L`0~gBk^*e(FKhv;il@w znl1te7%!5>X7K-}%LpO(QzgloOp&W5zl(%&oF$UM&nOkmd8p7^DFr|^GzPNbVyJ&< z0#koPCvM_DI6efJ3Z8>7{{>-d$PH4P-bXMp*IqWp3hu_&t+079%bDCW05#`Qyi^B6qqgVonz}(L<1% z_O28HIN|DGEJB!R%zc&;&^WUD-;*@i9tXIu+^j;~?J-pnl_o2KC~=6h?Kr+s5j2LM ztK*W)+I7Rqz4&w+$XMy2vq;4Jtar}M)m4WuCfSphnUCzOf1;5Y) zKNf;|{=f$(6vfVpMC!U@iYiV?3r%YXsEFr_-KZ6ZlV`nwi)Xnprt0PLaY|@*0?cqF z{aSMYcvnG?&nvXUC$!ETTVoPRECwW7)W02nCZVv7q`gg_Ab#FseC+)0c7%IIt}O#= ze7AwY?c1o`OyKTowyLIEe8TsZ~jjW!h*QPd4DI)uLMnI98 zII5N4`yE1_N=3SR5pAqrj1kWbJPc1sfL3=ek)tb|?rgzG$rrj+t(i5(M{#uFJT#3i zBe3_8U!(a=FY_cLJc=(=KpJxg_xCq)W>hy`iVzlEbheyt(Cq1D3zvCuy=4qXDqpfJ z4p%eiYHlOOUT!bwz%htLMovA$1TbKY#rhS>qHR_=JLt#p3Q89yLU0~6XP>hRQ z>f7iN@g!ClB*SpsC=%OJ22J=A856|aB3Rw|yanu&JDnYv<*T0PzR&WWhCg?g+~=B~gf!qc zo|-7UGV~gvICT&BHNi4a6Zbi2Td~!CyF~Un667vl$Duu38rfU|#_0z)+QaY(U# z^*oc}%IIhOZ2MrRr&ZB)5WTjg_;E0@Xn&cE4C&on-0pbcrV9Lhe`2vThfIi@(>YE# zoQ6r*M$x^j!)52YP~n-?8s&T8Qoo@Y;5)GK7E;sgDPp^c(|I1p@7oSmaK#%?h@AbX zU`^yQTv3>N`BXRnG*{H~T_5E5c-7~sd-6Ys-Pk~O(0cDG^$>UtB%|u#^p)?i{Hkng zoi{N%?F*{Fqjwf`S|F&uUIEq7c^Ev#pLjB5v8)7i*87Kha;{i|12-hF1Omp8>bLlB zx-SLmJ%TOJ`+PGUU+*n7*6u&$pA3BOW;Q1e({%mEQ=T)smo2DV5Pj;e^mk$TQhzyq zggw0(U#52Yo9pFmJl%QpZ&x++m4xt=T9t18xLD=3n6m9&bsh{_Y6E>FrM(>PtY9r| z#b(j`3-Er+>2u%XxqM%4eUr4j^uS+vJ-lcSmUk4(sZ>^~D`!wf3}`q~z+e z_%1HTjXAamc=-Z1q~j_SC)e+*=p3~WyB}T$|H^wfA-8Jt->#0KChgzOFSj#x9p~Hl z#7Ty&Q}A6Ab??CML@JvP!OI0~(I9U5@3nq^?^plX1zG)aR+(LvIO;&=Zy+LC89!n?(RrBMN6 zp>5GeT2?LvecynBW8~X<#u6%QC0!!`r-|oIRhhP5F|XXk!pORivR~9o0A*1_k+y77 zsf>!9G1I=J3Nxa0Lb(R6dr$=@Bn-x+ zvG?5cb9q9q$&uG)3 zzY9rhPhkCW%m+%uua2*Zl*m>pc>P1^<=$MlW;B)CfblBI^(c-~75796@su%VoidZd zJmVu-m1z$rak$9%tP#>++jpV3-J);XwD$r`r->z>9!>)-?pqUIAlg$-c zQ5L^%x)cTrrPs}jzhVP^)HSm22&LnOo1?I&;U03Y^kXXbt)QN$L<_1BYO=RFxH~nl75n8gW(AxY8q#@4Z>>Gjp#rZG*#UH(MKhpF 
zI0hM?^qQTxVwFxviRm41N@6ra?egwZ<+qVof10gvpSA5^|rc%$lNJIzA4_Q&4-8{Mcq4oc^#RpXp6| zQ@o5i4*2vI0%XH`_QW!KMs#LdNVN~539Sd!KlB4MVFC-{s6!s>8NZf!UP)9 zLE1;sg>o*zLv`sRx32XNSMb|doL@2~%Y?y&6^$EvphN>soJsXYb;JtmYCoHKtAc^S+Fz1_{ zx6;nIL-f{aX9D^jgRLKA^Cw9N%FP=9DGgbwt#0|;cFfg5ydETSkGkPYWKx3&sbtcf zml+|*X>J$FGHrw$iV-7?0jhtZMI>nXL}8Lyf3eH3vUZ)@wi2V9(SdI782HCGQysA=>ijQ`p_ zVC(Ol?LULjY-AzM@I81jQC6LG(UU<;6- zF9+1|M4SCp%}}@3Z4SZpD(GaHvBfHA@MEG2x?Pv3@@Iwe%j@F)pkbAu-q`_|9HEzfP$l*6U~ujBdSzzNgA^@%x|wyxfMu2fF% z%R)ZIzptomF6|?iZAPkv15@L+x`u9<8$he_s%m=2`@QjWZ`tC{mOFdC2`#4E9z@vc z2l8LQ^m9AkJ6_*nPs6wpTr-x0wR2hX0UgV7XQp1e zG@gbJTSWhSK`*Kd601-~ z$t~`e)mnW9(XYJ{i7K^Cfl*d?*T5X+WsRB$asD2PT|@W)Sg9rW=Oc=$YV)DsgkAh` z%cx~A1&BG2w{qh|W=o7E!gWckWl%7Oi>3eSVM=wHjN`MTr_wLrlD>iNa~6THZTqIH zwBfg-Ric9LA<+=@=u*ylUVJMS_9&csP2oh~B!QkyKw{r^h7$6FLGcZzJ-Sc0*VdxI zz;)-hmd(I8f@rzc)-^1R!C(m>H5GIBJCC`-@0_VWQf*l{t{luZ(JX}Zfa##k^AuJ1_hk{`}5X+QPH2xYxbpE7_k5uIfvg<}HrzsZA z+gG8O8~R4(bGCBH#YZ#3^rX|Ey^l&-jI^FW(+BqG_=>C#&1$ZsN3C9Jc;D~40ahoEr$uqKbr?|M#M8p%N==k^W_^_ zn&F|A?LRtJ$+bai-19x-b2Ia#-n8y96NG6V?b>b&?C0_Wnm-s355nZwFran@+$GHx zQElDU&Uy-Vxs+6uhs&wy#UEYLcEjMm%1`iqc}UTeE!B@9pehEV&NNWLS*7klX;d5= zSI*);zM;#GvZJHZ2elc@xC@1=eh;}tC6UAPjx4X#WN@f)Ae{LL$7Yc9cV-oB<3 zrd)+KWMPnr!g$~o-?1Jovsw-nBeO)zbnIgGn^^@$aYjAne6b>V6LLc#I-ygJ`z7uv z0R3dk@-r#?Qyaw9Cd~;6Ro0JyGb7@BMg$lMfs$iycX7|!C#{3DwxPnn06S)3CS&?qgDM+tky zpNlE)P*78^wGWdCx7vqK0FP8IoV_2AF19Gn;OxVWaL7kJ(n$zbE$_glM3n$bf?8r@eAFgK?{l*Zm=2KE-`Cs7e!p2SjI=msXbb_Ac z2e3XYqqe);-oIEBN{pB}M2Y)#@vDN457gWB3q*qQN5~mUboc8*yU(?dz3CC6>GE*7 z{J>;z2IJo|E%4IfsgRh_yzPATL`2vu|1tx=Wvxi`8S$P8JH`8Wo5bX0S$hBCN@UnF z#nF$U;M8khqup{{nOkvO=_&S}Kfe9*Zgg#ePb2^&DBd2oIX=Z+f0>k5TYKpPtDX}AR{wq( z*mGqHE@ShzE=i>9=Yr)(U;gTmS^nuZki}tfU5{|L6_vKc33e^J^>+Wfv~@HcCh$6d z81Nd@InEa$X-Vcw@ILTo0$2Cj5tCHc8%^i#28W24eqx(7#y#oT)NSJXJl7|5=S|r? 
z)&@Is#J%V0>xh6&=Fbn3wgaRvdsqLrJyGP9gA0MB)`yH^zW0rm(>bQ;Z5q32FQ=tN zHqVt44&xd@hHTw)Cuf1(^fcD&%~XLenmB5ZrW zrea=x61jcFfE*s+)Rw>`M#q^mvE!l#gBNJ2oI;rlD)4Ccbnut=VNNT4Z)V3$+3YJj zLhxZpzrTo8WJz(UNUP+Lj%6&mFBD0-(fuuwh|1zJ`fV0m)Cc>U+4hdKs>@cyPl;tu&ahIWzl#j4t~sLLstb@t2S7PM(PdYd#oL z)8|u(0QFO7P<#RtwfH#Neay5`iuyMg_ z3zSsl8C=ZS8pVTi>8t{QGvIj7yu#ZP=Bwm0lMlVbIckU|-C!B4C3k=Nddy_2^Be%! ztu!R2Ug;eX;tXpILWm13wAVPNc@7V_Ez00oC);PBC8#o~ymz^k@gq}1`WAbVX--ON zGpP?i_Wg@dqSOmTFzxN7pM=Ju3FiXwFs*t)S1RqT2)tAebhL^tOK_s7;OeBCt0?_} z1R+f9J*Ghomx~C4WjUqJ6m4a4++ujinDN}QoJyd?DtTTDuD%<(90#EVfH67wy*0R( z40B5YAz#ysxIV?^-=qfVSW|tX4%K=#?lRcyfttolfeqqK9TI}MF{>Dx&Ocmtky1l; z$>7oE7YRWAnUe>;l$oiBNI9-~5s4%tDmp|pMumXAO(>pF`fQc5_#Og-!5|yw9ByNq zI1?B15D6#8&O(74EO^Yp++*Fc#DEUNrd^}8fO5kdH=KK@kk3W^p$_BKc}k1m85(Bv z;b;BFHt#pb1H^gX=xs}oc5?BND@YiNVp1ZTbY0nOZZ?CFnOfr4A8et^BIPkmXV}PS zw{SVF89ZFA0b@H;T4WYlv{@8Qcm$P3$+GY8<%_E6j1urjGk}Ee+)+m|jV)mHW<fJ8u+HKk~UaD9?+`pH97aZVuBoPe?h%h>&*Tn2r88T^cY%sn#?{HNr5_Xp_X zSa2Q`)0Cb!zl@Ddbo3XVsi9a*L>9g15F+(FDeGK4LWd47y%CqMlG(0q=ZTym>1j_v zwJNbCp4xo=wGB>Vl2Hfl^qX}G3DH%12LdtY{*V!l7+w|sK9;UYlLkit`F>ohOYXke zYE;&UExU2AMjI^#*WL>m=UUnBao* zh4_^w6bCEJ#^xEQhMO-+D`@Np92EOZpA^Pj|#qf zUvej?SQC`!J;VJ^qPwr1uymwYDW>zEHyco^*JnTMw6E`WX54pov+ha%`a^Hq>-O2B zXZ~j-=W*>gY2EDmc#;ioh0^+0jcYycL-f1DxY!)YhVBhB&{?r%?EB{B`}W^pBEAbw zizE(AJ?}|g#A88Ine$0~)9s;DMM7T?)j0p!R@tw~*i7)vZ37p8?{IY~mf+gU!9ENV z{>{#utbg5_{?tVFa<^S)yTY&MIdwucF1;}Wr^zMR>xQG={>!F-B>vm%)|$?L_t5Q* zUHkV$lPwIsn&+j*m44%snM_()2957gRLfouRL%LNKbwi#*Dq~FkO`i)WcFLTed;=I zZoc}F{1HD+A5wB!Uak&=M{sUKzRs(u+SfIU!`J;eujwdb?|S}O+Sxk!u8Yg1=Rb9xYamd@)Nz@>kkh-=VmbV5 z+2Of39+6JOA5hXUpc9N_|MbaQVduXZ6Xkg=cv(%s*kL=()4gWD?pw2Ed{`W3@Q#Jd zq<07W*uco)ehhDqUEB6+^m<9Zz6Oo_v7gTIb#ZQeP1|g`nPT|aqzGChv;1-Ghs!$k z)1%ok;N?`hLM>3R`e}#}-9L`cp!05E=6zB>H>Vi{)NgKUcLff0dmrR$EAsAn@Kv?# zMvO^cYtAlp(b0O6YqVON-^pSb(p;lmF18+9j!*IDLucK-tLI>P=w@Z@VLc$0O3!O%*G>o7yjdfg@O#mV&Rr1(2I2Cez za3x%sOx)s@I7T-=zD5S8ZtcNEsH@xqvdO0Ohs-r)#9kf-X`>%ebwo?zczi*A^D3@P 
z#lM7@+niKMT=&uqJW4BF49O6D$QhBG&^jF0@&z@PR9S)_jJy$Ir0}}pfuxi$Wf;-5 zIn&Q~j25zfI1X5CIY$i$UBgn&u-FKr;djhARTO0w7-=Fa>a_T&)Cpx8f#ax4@z%*b z89%3z#k-hD1grH027n5C$F;Z-s@Q0Yn# zua%kliJGsR2Gwc2E_D{e?6D(|)nTTDWlLaUzmu$bSV;}i!V-`$AeH9rxndUIC>5gg zdgU5jvo-XIp6Pi=*OOu|F<@{cis_6xZ^C3@*jpT)67umyR#GAj=R7o4dg`6)QQzJMl>u4HBV z3d1W}xyMJ(Jc?|U;A!jhdr$vowX-_jUVS3Z zZ2R}U8^HY1b9{{8kac;C1T_>N7tS_7nI)V{snMXYh37GXOpASI-gWrm!CPs&h6y zUHDJ>iiV?R3I`O9;mOd%b6$rm%{ld`!yA`%(N`_0L@>cK zpfzff#_M!{2jENK`&d`f5;?6v^214n{4~JZE;vtKR??3BGOqo*c&4r{M|8=>tf|8&4W9ek&@U6}D9w5f*|7>V%Uo_+{UN zDH`Is-m8R5b)zgUF^r=^7jxcdeVp!*^Irg+2cj-`&VAV?0$wckqCV#ApO^27Xd&=u>A3S>ESu}vkY!O z1RB+grf%#t(QRKb#Tx?mJLEkKo~+y_pQ>yV4zdi(El(u_ z*B1QO{(gkF1zwl8juQ}spO+mK)dKIc_8PkTE3Q-RZb3)F0bPEJlZ>~quZ_*dpG);= z2Cr9|L$?04?-$24AGfxpUAG73!;U`h)q;Gxu*U)eA3u2Ray$(;E`vNVK|6=qp4Msh ze;7gq+qY`yO7)%!lNw{vRu4LLIp63uwWa%_NK6Qu>*rl!eQ z0`Ky)n{y)p_W>Rs%CEr58&gdKm6GOb7_E%H`d~a~@^#6U%DuUilvylw}-EU*l_Jsj59w4{6sn9H@8^83UUFJ`+SZs?31`Qk4D{`)|7B>_s9}F}F^Q^h?yWaw&(m@z!xp%jEC$05iZp zRXZo>)+;ImhNXhg$G{mgDj^D^a~_yG6VinA1Fc2Miy}*xkO(v~tLn5yUbE&im^$op zjPUWjRwTnY3{k}eJ_UqxkHDvH&(BgQCp*rRGL{%)vh_l@`J!wKA;4kv-v<%ALhiI^ zjxpLcNE;iu%jiHG>n#o-0P!2-^&bR>1ibp@9gl&UlmP7bs#_+M@{BnRDcyZ&WrZKCKCYKE{Wgs0XdZP!ALH1(EhMibsRn6)X>>huqh z2~}~I+H>pX4nIgf8RE2zW>ZPcB}VUst*y%mXKw3}@?x~$r(Or+pj(_;SJw4pX-&Nx z`|g!R7#?{IV=*%szbedrq>k-s9q%~wyQbYGR&kamUqL}f4S@-75???Lb(2`2Tt$C! 
zo_Ku7j3l+P$uI{FvSv9cv3mbcfo491&>8U}%WTRw8j0F6-F_=FWgNC7J4-3HbW$DH z_oDH@81NYHep=LT-<&tj$k9ae%@tzue+WHff4x4#5QA7_s~(w5Ec_;M=Y@83hEj1O z26|6a#xpF#u`{LU%Ke_hW+dsU139K;_L$6d;hJ2-gFB#ClSRC;)WfL!#;5r>wFPEYDy9Yj2n~9d{=WzmL0NXO?ZK9s0 zgjX(J#FD;UrX0T5h9z^^t01ALF;1VK4!}gVB=-%%^7awes zU!mk|G~huEsqB^FYG0k!Th-dGq#tB2-4J9)MNOBwJR_ z^sML@PR;Q~dc`Vjf|ea?iRQ_X{GT!!95N$hWXNI%NZg|jzah|5&Dk%DHu9zV)jaLo zbc{o83C6AC7v0h+RaV=U=%hmM7165b7YLovNy|sw)20gjapM_y28|^MF7YCNbK`VP zA7^-vF*b(4GyHz#-?Tn>4cr!LGs(Hc@nQrlp{wcI?--R!R0t7~05WD^+$$5L5{lvE zzSI|MbSL(3w!Ztur4(?dB++%Vl>tp8JeNZANbLU$58b@AApiH~ng=3?VbE3pv)S8c zm?L@KuT*Z>HOpJF&#%bKw!U)VPsC5xIW9zMY_WW1XjN+HB;6i7q4SS8P~~Uw=Y8|# zc8S5K{r&WUp&&=BG^w=FXw6Y>E?0o-M^y?JA!rm{vm5kzDhZ@@MyMOxjfoVZgI z@TzB)l6xX39dJ;x6UgXBr6FRb2dK zzq3fO=^aP!_i?9U8P=$>eCa(_N?5dHzHr_vVihQxmdsQNesTt)D7Wv(;1WdHjDiDD>q8hZ?84eza;0T5D`dFpL+nJ(IU>N>Py5dE6YHr@mtdn?*?PMu#@`}YIA24$}{KGR|IE)7}HPJxh4`+K3ls+Wu|IXxow_4KLvCg zg+VjXVLh_k&8`dQ4O$=DVy@cF zx|h=en^&T|KflUKY3QA&V)T!$Mkhf;zRv{DobH^_xvUTv=F@eSh}ZxIZFBXe0}9zx zv+wJ2$l6VIfhi>nI0;7tQNmvsI9}8@~LFwdy{%U+$62 zwr9@VKbV{C201#zOSI56CF6zVL<`gPeGA?C_nG>*XnStBdE>8&sWKqb;^epMltd|} z4Y-8RQ$-E=R}b%%$^|XQGRjK$%cnLodnE|)N)n1aR6`Qyf?0X3FwWG3cs z2&US4Ki0Te02y%0!7MfU$j0zu+%hB7a1vmMAeS~3o1;b%tVWC|N{PP*XO#?@XDC%!`e}rhh$cM-9j@`B9W2zx%|ikhH=aXZWYwQJO+uS?J@XglQz~ zMlr07NQ`!%ZQ!Yl8qHCuEw=p7Pf zP!mtPz=_d_mDlQ*W`z=l#=#5MlDtW^$U8(;;uPszu1<|)WuHneFY7f6+s|33P)Fxf zGv|?=6pzswWXV29>9||PqBIZ2 zxwnvE%6^Z7zGvJVfskX;WXN1STfhrlfCx>C2Fw)JWn-R0Rj=o>Ij2?C>1SV`5L$$a zBhZmYkSF42$ny+ZQ!7E;Yw_S~Ih(K4`U-H7A%)rxJrP(MxmS$372srePfBT{5a`kgmoME#t1Pa)U@Lr2cS%;a8uEz_R0KJ{!$&!V&A*2m zVmrKVPyHGg%(nS0?mC&a$yHSRV3dgKRIEnLv3mt~^Utg^`)(ug&;~!OMJw*U;zMM8 zl8sVq<(m#&x?QXE@LXORR1Cbf2Q4{`*{(sJWFbEsvws}ZEBZw27(8G>)-1!=0N0o} znSz*nM8Yq*?4Pl~dXj`29-}Ei=ZR(K)`An_hFP&Rgq@Y}<{#1@i8c(zbbkTx97*H1 zc8RfW0r4VKhkJjoDc95sHJv2LBSL;rEBr$TH-0<|hwv*hvYMzxAN^ZK79moa`!FXb z!%=Th9LDDm<7`(otprbb9_!3R4zF`xw`xr9gPnlv+M_gvdf24gb1;UT5j~fLFZjF4 z%@JkhhcTAUR*UxO(qLfx{*8t*zPL>ao@q?^N<#H_(poTPw_HRB_GYW?T9e|8+-66u 
z)SvL(5|NXz|3lO_f7b!E%{FP$G)-ePw%yolY&W(}Z09tMoyN9p+qP}nI_KQH-@W(! zetFjZ1NK_8XU{w{XcEBK)6e-hp?b+@{xew_XRP!JE_U==0D63c)@@E}C;$>mUJ%33 zfN&0Sy`y87<(MsNZ^ajA&|dr-#7_Q@Vq*BH!nce{1EhtSc^a6gbN2@;H3pi-uPj+} zk|atF{YDjo>Oeh3#vkOJi!T@WWatR!guTgC!@f&Cu#Dhk8vsnk@)0G^kIRZzHk?A4 zsH0e7oF?kf8>z;~CpTU`ypc6!jTrzcMX+YD7L^*Dvj{xflL1l1vHG7Z;+07y%w-B! zUGLGTN&^J!x$6Bwanu7+J*>+|xvi9A%8+=EVPKaDa2}IMOX>^!YLWKOxJl00QD_G! zi&Li%=}wAaxM7t(%Yc4<^$J}trgQ3?Ly_c=D;uaLQP5g2V%TD(jZcRA7TOcS`G7X7 zh-N5A^yCr?r`g0scnzbQ$_1d)k2z3fVQ}+;2a*q_SG%;}&YXg|S4wxOyy z^Ksv!T)S}SrC`$47ktyRikwpyy6l4NbTFQ(on3)078gKxwz}P$j&}`xqFhP82jATv zHW=*t*EBW{bzm#?Z7~^j2I51}GZ_in_F?JDJqL8{tgAr_+m?9uKPWhKC)di59cG zmtBdfjVB?yrZMzE%57RVVEYUY&R_|3rgWpGas|50WZdtpGq?aiM)5oGOn0z2E$XgHpwAQbVGz6UB-R@?}Y&?J` zWcR^6Y1-wG!@E7qDgO7&J9+P!C5XtyW6xw7;msvrz}5CK%`U6!!E;HsrT?J^Rs3#h zPi2Y!&~HzH>o^o033yqp4e0w}$E0ipI)Jy0TRYV8gp_vUEKTxk2fj*3fUomE>v#N6E)3%n-1_bTPHjFPn!n73_y+#v?YB?E} zkEh%wRUqyYt#H=7Yab3yqa`=r+PS_vbE)ZP!PQ_?$HiCMNhHDF zR&7@VjeDLy-tV)bAPOJF7#R@J+>g7L^6_wxdDFNBu2LiZ5U^@`S<8TsQL9NBJjX<* z%_NOMEWbd!Zh@&i^BrW~vVGoe4!1xo0sn!Q=o1{WgQQViaS0zri!tf)B0mBAootn= zZQBNg)(@fa>20uISO)d-a9^uH*=pcH{_kPQVu+$=uI50DaO3Jk{sralEUoZq7!CS; zmcngp@SpNFv4JIJep-V2)+odW?VJ$Bl6l3sYk3%~HwP^Sd+2mp6fsYuTV0rA41E0) zv@fAvTp8-#^dV~~Yh_Ej-b^b2X9w-tmj?%cQhy00T0 zIPKE>vkFBgmlu;)%tDuH>aC0uSW_seGDS%p9qdyoQzMzPBTGBL2lsUBh~vT{CJb2k z)%lHEfVeH?vRc(DIwPL2H8Iq&0op`M5+VJUOJRZ`Vost`&~F);Ad#7~eUX~LM=Q&C zI-W>p64-dSFX_z1)PGX>xUfx2E~lAD83_XRY8Yfz>e(j;92?@~{FuZ34iJ~ps0eac z#{Y7qZt5-hL;C$Ivs&nLkXb-J%5;z7`OriJZJgf%pqVCd&YrnQ*0UjVeKJa{bupsY zHz%4}iXHW{v(ykzHtYjB;yR;PWtPx`^Qf#Tvl*%8=dUhiXs&sxU*Bue zzbTRhG>pc;I#+4d@ek4*t*1h>x{@;Z1bT{C&!m2+)K9@zK`gz3wr1Y5 z22udvDhR!Nasy_1^exC&*92DxX*8DopW}%VqC(Vd$}jwSa*nb*YtAhCIhq`8m+tIf zmXXe7Qr32?M%{`PQAg>ra<)`Vq0@LrORlgTcpY=0zq4f*#DXK78<~9Zo^oHwsq$wF zzW6W`8Hgs1B2W}zW2T{^#T-Z?`)v{r)wi;7k$bz(4-*?u72tLZYlPqS7h{W3!;Ps< z2%+h;m>P=<6Vcd05!6R0vrcj-lcJ0eBb9`S-+PXH>$|(9j#|G*2}&y!aVD-|5G6zD 
z*$wKO?nuPpknk-)VGHRlXKO9Q`(!l2K<#2aKg$<@?JNzOkSl~L1&OWmGhPNq4Gnq<6!um6rqhYIytQL-aql_I+^=CVeRrybi@icN`WG4C*^d|qo@iN9B<<@EfM zg9LGNOcrM90-%F@H%9iSr+#!^O}kdP=B)rr`S1-9lk}KG$vKERmVRHxEU5VYRB^*t z3#27>eyEJ0Fjz^JLum=^N<|05cvz=mC_GFd-6>pO9pNXz(Cg}%plIwR<^OY@D@b)= zbT?6*-Y*WVWLBJ;=m&eY{6G25RkdH#1_+od(`(hL`NM{^ybB21FsoB)XbavlPlhvS zsNrK~1|uW=FtG`0wV&AiRNZFDOt6Z+m?a>~n3Q0IwUWpZA+aHf&N2W00ZGFZ@7Hty=XE*mace+)g2H8M`be+P3e*)Wy!pAA2lXZc*LYeQI^62{uK zySgSh;IbNbIt8=#CO!578yEpp$oFnC7y7`$n6BpqDrMbE|3iki2Z;A0`ex_UIG1S& zt6rzo+gKB-?eB`(d)g5}Mj*ritbe7W$+ob#U7Os z-u2>Xv$aRqa*gTsrV$3*IGtvH)T#hqzxOn-5^XbiTRmUeA%SNwk2T+wW%yFO?t_Mw z+6_WMko|L?d-dpP4SYq<>lRUUUxem=T)uhX<8F&o;Z_W7FJruVx339pY0<0Z@2-bc zlkYPM9LxgVyTN5skQ@2c^hcW_dXEF?t0E??n|7-{l|_MvVPw1KF?l4Ht98t!5yFOha&oP0UWn9k-hQwb zN%toI2y=N}Xuk1yxBqI@;W5A2MG@H7p;9T>oaBC)(Uqakb;0v+&RfanxK_Z?VITP- zs1KOTgE+qf(I8zP_FGjj@;BkRhpo=U$ExS(jgMODD;-c%AgqT`=FT44+^?>DNWceG z2VJE@;*;O!osMDK3wlL7YTl`I=phad)oIgO7K-7uDUG`t{WUN!?1}pYrqPM41Vl zus_fPwqE`d2|t}rh^lP7!76PwU>{mhDl%Rut2VZzC5FAgN;BDQWZ-_` zGM^KPj`iuWL|UiSIPOCmfBc41jk+(ZU=#J~FI~J~sao>a6+Vg5rW-5`79IODs^%b@ z+gq(lxBHJUXNv0^x@<@ttQhfXpZtQ8j(UNgt4I@w z`lI9RJ2b^+xMQDH#P?p@ff$0mics|yiJO2b^nh2e!HLl&DSi)#^C_R8vRiY^4iiJr}u zaWstyO!`fenX+wUvRT6wzUut?+|Zga zP%i8RAU}K&$rw>zTdCR>Yzfr%7k>G`Ut~C4PfsiRe;>&W{1DCZ60?7hfN*p(-obpW z@+W^nLG}Sv$_Yt{uhUWQx#W?medjEwlMfH`sz5Z<-waW4KJ=V~$Q2gQbGl7XnA$FG zXoh;Fr!?QYMQiC9#&gCs<^CqYwrVcuc202dB_mLNMw!_8XDct}TK8iuMQ^}grrc5^ zO}HgLav&9P{~y$PF-#cKvrR)K%7XMa$NujsQ&i#Zu;a$|d@ELE_)sUuaj-1QVCXx9MM!ds)rCc@OXn4@yeU+90{ z;M9DRr)M|KgUQxd2`Df0JPn`uvlJ47a2NPL*ehtz`7;Mi zOwO7!*)YyVCME{Z$1#1EEmfABMXaPdFkyR)92Am)I1i)!V?2G6vRWuV1s++=hBD=+yuH2l6RD4U^ ziS7}n3o~KluY`NGp3Xq~waP$ISd}+5T3o#2MV-A$9f9=T@#VzddXvDPqL=X#n zhlwEA+^ORiNc%HQd2uMxO;)0=hZmplSHmKOu;?^B2#;g=n{Ru% z5=+?Esl1guj}HiqsZNnKvq;@i{f!!PX#yT=g@UaTb{L{pOKTG3~+0-}y9t zzrPMyz1X@Cl)qfq(qn~;To!t5NVT)OJ)#S4p2z4u!c0;f>3SZsKT*V$5pE@H>3g(1 z3Fwge9M`#Zu*TIuuA3I_>_N5YQJxnw58E$sUZUi6A(2U%k0 
zNxp=FJ5g%N*i?K*oEcvveX;}iVDKNS{BPTd0#3ULm&O!O8El=eXuI1Djk)F(WsghW zi`A8b&nMga(?;qH-?ws~tg4_Stf`M&%ZxyVcYV25?aU6{z;|CnNVi$?3;+6Pv~w;3omgd%@u9}Zx*-Y_qfuErn0Hg{6H>qRNvkuB(WJ2JOP zU)Sznk>h01?`_i;uN~=SNac+Pi_zz<%U1K!_LV#e8~jm1CG`#|1i^tK?tq0Lh?ONI z4AOs^tq4kgwc9d+pkgr|Vsp^aENsiXD%`JpNTN^g5;>xo|F%m4>1p$Si~(~8Zi%$7 zQwef7AHWgTC3DsWXriAi%0fNON}?if^NHhAR7r(`8c6Y+*lX5udFttZ%BE18fwWe~ z*N_TTTkpy7%o|b@Zb78o@*qik>7y|tGO`<%!arnfSLTixwz*2j$NX*le@5Zi4ZO34 znFFY;?#Tfq_$wvkqpDG#M>8`;S%+2i^S{&2NS3;ERTzd!r~V8frtR^Cy4%f+m-pOo zg~xm$7d-yvE?u>~i}GOo8T(oG3styD7sqi315-L%n#HPNelzc(6(O&Df`!@iD2#3T zIJOv*!sE6BCm=Uegowm(4=KB0TX_a2AwF!4nOKBzE;~kpI{7-k`nM~$?hwV|&8%kO zihM8IqL^w(dRlrsZaYFW00Otz1;}E%DqSl3=qTN5x@chB{o}*-6NHgmw#AMYX z4G%fHuzZYavkS7DuxX!NPRD4&kFXO(`mI?j_G3c1ptbT$(iynQb#Qu0nrG}xc4ZNz zsl2{w!-v!sKJ>f7|2i?ETN?1m6|hDD#Z=9C@)S@|=^`JuK0wVs+G8*^;Gw3E7xdT; zURxQ&{W)>?GC}qiHU%AF^gu?J0`rdw0`HP_(_A03W)ul>wWhrM!?i7#>&V21Yhv`BaWPlcY z4_>h2`f+pLH&yFxC6>yP0eM_IKq<_@OlLoCgVL;9n!4ri=foq$sN%&o$P#c}2-40x zrv4)X^7;1rZ2~A55&`X)^<#KWCqq60zk_4n_;)gOfKWl7RLO6*Pg~X@%fD)7SC-Y- zn#ee3{)VV)QkFYVV;HOG(%w?AXJwpDMya#%O2SX(`xIrKv5U6!Z&L*Qh*RU<<&_FYU(nM0&LX>TTwS5s@vVD%KG+|_D34N; z1)o0#G?UCBEk>8rWDIxNXIy~q;`Pgb;sBM#1(tOKV*^!7osAU_51v@TF+^?bu-2?9 zWX@49`^ISlIF{S>hM<0ptPVO~b4B>Be6q(Qe&`dQ>W=M?EL&L9%O8|2u%veUkTU zCxXZSsh5}$I1n7HwaauJZ0ZI|;`>YnJGKckIQT`Nu{_!?-U?&I) zc6(~gsUPq-EAQCU&(wZPTHCnWY1fcnz1YJ;=5brQ5b&0Nc_FDtD|xeps99akUR8NK z*E&5BcDld$C{%g4J|TxDJ&JMgylj{p?7=#z>yK`DY)H6f;kT}fb9N$W5P9CuA2I1% z!f9uEf4=;{aQz$ z=b@7_-g0btl6SD^IoD-6=QLHjwZ2;uzSueMaS%}#G$lY6a+JyAwYM%arr){9gtYb& z&}6p`iF$eZp85M=IMS};@}_T#IXf11;L;|JKKga zmWc!XH)B)V@!LZ^ij$DhUSpJPNcha4GrG)wva}8e-0u2n#BO-*ACdzcn z6s=&<1f@zHonnKnIp`?L#oPYjxDH9qrvjMn(mAdCjE+(32#{PfH4+)pb>m+_-}P83L7*)r`a)g4G*bL=%bZTLCn$`rfxlg zX=mwToLZGW+G)SgC@BR?UYtW~Ww1Z|QFcyx`4iuybgwA=WP~Tqz$Laowo93uKQd*- zW%aLT5yS2V?E`U#*nqz75YU%P05*TV3H6Hl&R4Zq9?^J&_O&7wAKsaHsH?IA2=Sl5 zR+=OhC29Bs=gLjO0%qJ>^oQ6Lyg{Wz`h}nLn%|!tId9#o@Y51n*|NDCiCx$zP~Sc+ 
zoUjFJ8GrJU^e040HH)(D2JqFOW9>9p2@edn8u1f`qifHKk3d_)S~?m|G-<6>o){1? zD~~pv$e^w3OMAWKuMk(espf}62%X+Q? zsv0TeV!!u zldBhV=&cIEnzZJ?cx#%PR*%MY)@<*q9qNrqtNY6NGk6|G>V$`p2Npd)h@J7< zSn4p#E%VSpgp@W*HPotxhfvr&OX4w1T(O;%E~@-|(8b@eI__qodE>P11TDfL>-L}c zcu_e>j_@?ygPx=dHe$^QG*HGa7_2Q?U#9Mr#eA8E`(vlX_WD1a9#d#PI+;f9=UDgG zk)~o&ttgd6D7bKi;Lrcm@(fb9xz z3bg<9);;aJ&5MDy>s1mk=U*_tzz;>n|IIIm5}cXCO(#-2>x_ublQy5mk8e9h!G4P* z9zInoC^O%XryX&lpSTZR4iF*RJY#l&eW>l!n?V$(cLIcHOMR(Yu@ni`RFvoN8x}VR zf`Knc#d>bucK%hgaAKb3J?^jqA4sDUXaR?_8F(rxvlGdcWq4|#YvGP+d!2)L|D3;Q zU3RKSF*6OIGZN56vvQoV$}2q}woR+;?ZL)-1h{f*IPGLZ(|OR(q41!MoTTs>%}vY?~8OI$fX!I+b+FyuR3ew{?$Lm_YwjUx$WZy^p>_Bl@eG{Et$ z3SC}C`S)jstI}YQY{n?MXv`I>au?bd;@C;|^~VkpB&*F@*qM}i-rzOl@Svc1zE@Jld6&@w?6de_-C+p^medGV&L z>w0^YxeD^A&l703yO*&!k-hCxo5tbI65u+q_nGnsyWfObb-uo@ryX7Z-ETs+^nuP7 zBpoeu59b4d{J!tEz90f7g|@D9-Nr3ZuYYaL%h$VYZee9IKJMK#XYH+pFE>|{F9UyD zI0>BRn3#%sdOrJaEP-!E+V~T+eKzeT-WeyM&Jq(29-*T7%>thkw65CGKN3Nz@eU`w zZeLBKm-hn@9UhitY&QVfc4@(lzHW4O4dB}@AaIlMhZ<5FaPdw%mC8V-f~TwP=|oV# zc&O!vU`<}@3X*o*4}C-%kLNJB^lPwgm;0{7_7u_b#f}f~aoW^`l?=W_$p$0j}$-V)C_HGG4UIaz2j0;f06We41W(&Y`=!o3`xwZKZkOafIaLLEX0ko5Qsk?_7AqUUI~=^aGUb=-Tn4^X`(Jsw1#TS17(YcMq;J1F zC3;*8cDVW{>d^57@jI@8Ha{ZJnt)fC>`7*ESN`ULclEx#v4U+N&b58lH~Y3L28S~P zysc%cyj_NOIk=4Hx#P~IbpFO6ge5z#J3!JFpJogH_r|T)-k!`QkV8evIMg0UPf2h& z2ba%%rS#hHt*aA0{q5Kv5z@#35OnEQPb)AZV7p7bo0M*^+dJ6bMysau zZ%>`ndE6#cqPX_Ly3(Q6fh%ciT|S%9m%RIa8;e}`$J}oGAD-|N&IkXZE#D0G|sW6jQoimm{xDSP%n{r9iu;BE>nsx}9F%h1KpX0Sg>j3Yl5h2Is0Mevpxz|9 zfBW0gVtjGw5q5^`5&C2RwH)!foJG*`r)<~4NVnSR_0T@Oehs$7@!19kYT?d+SPvKC z>eywuI8gJRu#s?ogCkBsJeLBFNBM~MC#A7q%2ejyOGS(z4`>H9z1}<75H}y_{N425 zW394eTYaj*W3*=dCyh}@=OkGuXXV77`>GNlpFcCFIl^l0#gGTWu$Lr$q%@>teCKN0 zM5Xf(5%D}P{((~>u5E(>Gto3!qSd7oEGjDbr{ZHZH941d2}3tbC%l0tTl@#tXR|ZC z`QZV0^N9F0W>n5_5o3dUT!75Qf`4js>pP6gtt_GiZGuvnlCd}AiYRU2Y2Q~?oTg(V z{#y!JS6Uun&B!nNSl;v&T9~X$qxZyhtT%vsln53fBFBH8gqCvr^wfL*VwWXJ)miz! 
zrkb@$erqXLltxJ`h|@}UWl`C(|4lbAq8JU`qE-G8s+UBKW&P8ap`P}nR3v*(ehO9W zpEXq*w|n}ZK#M=fDkw5hq-yp>ixp9rsP6`7)h!`PrGJt~u;MURT*>Gdm-{6Dpgz+* zBRAR8G0Q@9-A&QyC*|#68E>1>|4TbhEKBRD1tzK0i{#f_u#nd0!_6@ry4}Y5Pm`8^Y2VSPEH-62LBIUw;XO> zM$l(VB_2&{6>^IcB*02Z#8NauZvH{)rh9o#UZ>8{J#-2~^p}&#ViL*uuc&^qwK_6| zu~4bzWS#4-2_)gFUP$Bc7x6|v6-nSnBi4mPe&Q8Svo$)S&<{dmD)d+9U2aOTtus1=|lgIs1q-g0jrhIIf>i%Ob|5#+nR#`i4S! zSiJHD-Q*>1o-q&*X*~_=8!#d;U0g4lM_f zcs(_HF7PYZw7#1OYHL+TLp^0Y?KG5}5}NCJj3d9iHTpawS6y)JnM)9KY#yYDs`J<+ zsG?7vH*TK`J|F>~3cUQc1Rb|i5^e~l;DRf>=ly!id(T-P+u0X)b&tuI02iJ!fQRwN zrw&J?=G3M^wYRRm3vc)=FHx;4heeM9`#v%|o1EzjW49D5j?=NgvQDhZ=A9WCysa(p zMG`{Qh0moQtKJHv*kI~7F}kS}W22wfhL5P@=rIdq*)}$YjL(!_Ke{^A;W@~`xlWhH zO2~Ige15Rf1ZoA%Z*9h_pH(y(TyooW_}rJ-omOqQZ3=T{cpiKCf2h0T>qjG(>n(Rn zPUaiFHhaoPDT85Eke5kVB3&2I*paSpY~4fM)5YaQlGYt3vOvJd0-{^n?b53w-Z`kd z(ka^eYvL_W@oAoE|*{XQre+$FkNqSl0SlO!z_i)7J&B z3Yef!hB0xP;v|~_IEp+q4w$Xt?_c~4iCulzf5t>i4^z+@tZn0x1Cj`+W7yNKKNVr| zW^yo9_njV{=&*1l}_G`K`r~xmz&$5CN19D5~e>gpAVo!jT{xS zi8kpUJ9Q_H_llEdaJ1%AaL(Te< zTXiVNAS5>*E`_QD{aMPz5lQycGAngFb8;VQ<*I^MQm%N94M~2Q_ClsC_!1y?P@n35iiNNn0kyKxod3_2DJl7M%3>bM zDUg1PcHxiVK=+_M5D>UE`dyr6(ZQx_zR7z_c}CTD*nG^9ba8gXq;kc0nSQ>KtT?kF z4Y4tD2AvvC)dQ=Fx%j+5PMqaTw4bmMvb6|2qbpU|FT4X{eXOc(++_`<0zOXdT!ya2 z;jl$833SRUu(AwULLh-sZuiyP!xfL*w9d9oFK%Kzwlv^`xxnqrlj;B@=h`2jmZ1ymV zlQxp)sY*Wm{aba;k5qJHfKj;{uF?>@ro;`crg+^gyw_|o&Rvv^Q^UD~UHZceuw$Q_-+;AIF7_RVjWSMN zY^kL)%@*ZzjdjSU06$$8=K*F*6B<@_=_Fw+27s;6EIOSoHR`K%_O?2=v{D?@o?3q_ z+BfT-3@*Uz5FSkT;lChEtH5(k4M?N{@{d{C(N>S+Js{@?Klx*A=Zfv^ZnNt zx)!vKu%)C0GvRM^Eld_+`Vm4q+2&t%l3zxkC4&0=fAi59RL3g2n`}xs9h06b_w#LwORx^DjvBGvD*ZqBzMPRe-qW;eJ9$z0>SxpdO(B~ zxk3#UV)R#~#3ajHuVY)|jbWmL^=ikdN$)V;3;cSXQ?%aP(rbN# zXAC+zTRYd{H}lZPYi}GF(9rLABv9D6+r>iW(-!azJyH%!)IE6Ca2jc<=3L)BJepa( z^k1Y@n6GNRtT;ns`g=sQQS5Y=(bYM-a*_H0WkX_3@8CeUD>fv}O9Pu8DM1Up<~L2= z^}97qzUonx1Hm*7kL%coM#36Jf++dWCXjvMMlSq?ExR}M*f%t%cF@vUbE zrWu^(_tB7Ir=u2N^Q{}Ot*-e{sp#B$`1CSr@G5$9Z+~%|pR?5t^ntGL^_^Ev$eAko 
zH(ay)$8P2VkhX@*>7&jbf`$VGDr`wFI|87EirpkyU6a;X&cVFsAfe-HHvoc@pdf(wr$^hMI$h%iJ%$6Z_^PWe7O&fW=0zr(cz_sgUHM6XZRF@+!K?>wnmn9i2`j=hW z$y@%jZT7=S-d(%sEZ@NwH+A#Q7jMHQ`y*B)lBCs>*n&kpV4JCiH(+z|3_`ADo^pL? zu(+U5@eIBx@v`frc6b?cKI3!h5hQ?Q^+W6oK}{!jz|PDM&y<3O81;LbI%FckJqQ`5 z5EniI2Pg#*78nDPf_al6#x=w9KBC@yE+gS?VC350V1HQLoN&aBT(Zm~wUEqBi%)8G zm2Q+HjWafFx*GUJ;eZ^T$1`JfJP`s`k|T=#dMnvuW0wf@d(Utta!+EbF&BgPi~NLU81aOD_1|-42547FJhjSVrvp&uS zzyEO1qk?{25iUk!o47Ac()eEM5ACVmmCY4Kp2gw(~_CG199OlCeF^48M_CBTJ1zyxJE;^_7CQ9-EcMIvl-7)<8}ugD(`^8M&Z}7_6Z@*ao;2&X0<+u&Dw_;BX*q2cWrrF~^bRBR z2~muh3o+*sID1z~Q||V^^2gPB#fagWoAQ*`<#CP0&4J|K$aye$25h;fOao&T#PcXc zxpI3{2B4Ld@w4?7k^ywN!M{htcq~?)Oq_SpaMT@25=+%l+F=n)s)QN`_fRlsRB{gt zDHG(Sg&CC!;DqF}%Ud;Pt#*pDwy#mnD7K-mM(X>pS~p;r+*;tp$*H2EdP0@ZD?W%i zeUeU9zr~jl(?7m!BE{)AE*&?;-`^bA>Bt~_}uWpc}fT^F-x;$^7~AW2Or z7O$o~5T{oZVyWg#-PUC+y(KgK&eD3Z%0r!3(o1YTf+F`S-ix^UV7u982v6j;P;A?f zi_2KnXaDuPOZ{5^5SbKF9UJrk3@7rFXbFp@MzFM|^B|8@f_+Zr)i3p`(Wi22_{`To zDC0lBI1+R~?^9v_t+x;xK%^oI5=ll{%b!5}J-oDCqJ+r3xj8#DBH?7 zqWt}whTR}S0E@C=DlM6(jnG;1Y6qDEg16>@c^mG@vaFFt-(7dm(kLB8C)5#9<3Gpz zs!^?4D}iC7)PS|@KNcE;7fozplMlNiWHLW3Ekmv~nJD`;QogV32<6x(E7vsQJsg;< z!`Say8b|P0%C9Qv@wuCfs}>`QR^1@`K}o$B8y9fz7+Jl<>|Z-4`}RBPL9Br8*f1bs z+LI~E5^a(?ht+*kg{xaNG7)YjkIPwA8Mh2kaV(ye`!jAXEq}~!KnNUxKF38hj1gQM?TY1;1mxBE#nFtLlr_Fg<4J{~1X` zL-&(Dx5wso+s22gAm-=p(a^H>dhusp4 zAjIXh1#iu4y`NtG9FRF%tGU8&Vy~WcYO)*i3MO=4JH6V%kvXzy9nmKgI19sJ4XeVa z%Jf(#Gl$#A4g7l)VYqDPIUmM9iy3U%I493 zNVKHb*+9Okx9uJh9L=$^CWUZz6jY!kA}yQg8*P;xf-iQ1&8hR}jxfsI4~{NKsWr%faB2 zMVkKmupd+UP28;Vl7N@*Cg2?$i>Kl9A92>p@T@*qyV7;{^Mjh8z|Lq#rVQwE19`4( zsjB&+fD^pFmF9JhY>uHIV80<)d4CJ*%6xxUYMD$nZE z-q)%cqax&z0PWpeUDl4v{IGjntU5|}9?aq#o?3aEOsmu+b32GA4z8>|FB3G{!--q* zCzD@7UbYEWYxEPx({DQ)Qh!+YC|P16DhFLUJloVE^X<+Ttv|^FtDRT>rd)xp>ow{c z657KBo)kj<>ZJS{0ly;M~_efZm7U)_+ zA^&Iii^wV(QFH=w6LRQ2@qD_OMVxVTbbcV&11J|BH;}XZcR?Z#CsHh;_Ls!$?(j2`u`jAKcWEi?rbr^t?x$8n^PqsNe{`N5iKoc_fq$YTo(Ea3cyH2bfStw2WU z)GqO8<>-l;xV$}|Z}ZM`V+mw_xgLM@6F-~x%a8E&(~8M}c%V#@ 
zTBTfd;%CJ2T$KyiFTxaImg&{1%5_QwiFolr#hC@!q*A#buCHCuE+Q=&Vp-8R+ag{A zJR0S+c&idDZNxcZ0qNTdaYyk|N8fKn|-| zqjX~V@a;Yc*R@AZ!FSq+nx(zh4OM)Op^ogUA^vp^Ttx~-&FoFuvXB9jyFW*JJ>CRZ?7hFWZue=kS$W|T3g*E3eYmtKX->|eTxXI#e z3%f~6kc+ERAXX7Xn@0mx8@Agq{%6>z99e_Ao@yw~ zJk<(-{;33OY2s~xGLw`|4jP3rPMCodGsZbca#)iAx#t2 z;Y%bojsluRm2TKWV`ko%JRZsz>V^&K@0_HkiEp$XQpv$6Ej;wsC9<*_B4P0-I@}wi zR^n^_=2oN_iX6YGVtakosycwuy}qxtJIv$j-H&wcj5dp9(6BVWUC!r`q{J2d%VMoj zt}vJ}IGls9kodctHts%ODu2)s!QwuKm{a%l(Vg#JjbYYtLPyxqQM_fY@9g7JjGK9o z1}}v7R*#=m(8gkT$t??G(qz@j!3<;ge{9tFRmw56dTSCW-sNEpbRAKDMZ6Y!me*=O zd48MH-~F?eHH8ljx%S`Mbnd;iBCKEInZ=n8?*ebQUHZHfEo;7;&0?l`S0B!u&sEuW zjr>fz@H+e^abZ6oFK9lQUs)ggI5}kZFs{6@aHandC}UgWctoxWo=H0*e4Q@`ban0I zY<0K}UH&WDHd{YQywy{!Q**R(V+`TtM)X`!5+LR zMO_^VGtV9eIdK}`19YnMHqKjo7pX={@C`mE@G?k4t!eYHnOpGvLcsjSPOtqmyi4cR z4jA?L?ho8K?D9N3k$a8aYJ7jx;IHp-4L;`x-h6~}6LgwWkg@Y-g>3WK@y$vR1PS_% zjDm#=D0s}V=dZ5ybzT&nAi=K?iaVmO5DN&Wdm;D;p#~TTA&x2e(dGK#sInZ#I)GEw zDYnSsiGS;Iay%Zo%c?SjG&SR3B`c?!d&bne{|Cjvtg~N9&QoGgLNV8isHvkl<%)71;L zWL?eLfbjYFj|d2M$wg~fTvE!_PDIH%5l86;GV~`1!(bgEX9Jjd0pt`+LiC}OmhpK6LNYr>6>?NxLSx8F# zJl9H$nrfKo8VL?aMOn3=ScRTAu?()Rj9{TDh?p$JAO?k;!ZP4AZf=5+D$oD!%!NmTZ8qzDrW`@fCu($SkP!s!3LEGDf=&V*2pbvZ)FtkAS|+CJVHL1cXwMxm3yEGG?XCPUNsEC0a_| zkWw%V%4QyOdv;?oESeJ!G_cwTDvn~%_5q=v?-o0iL=Ufbl39%CfmI1E!csnMc5xvG zR|dKRTOEgLl$&L_t}0b1#0et@r4#yy9tYDe=(jzJw_1?R4LMy$f*d_v+Qnj6G~{p) zPxu7bju4xnu`yc|Tx$BM!bphxYByoASrQmJQdpjJYyA|(^;uc>jE*7{t9DPpiaj#S zbxbx)Rx1O!AuA;{UvvG~AG8xCq2ghsywL$P8_yDA)+8#m;vkoiH7y$|Qz6b{MRR&- zTB^*9*)#zSEVl#|xB@TJR-WmbFq@w)kTMQnxnZl@EBBjRO{RUglP&G=&vJ<~2xkW2 z%pjZ@gfoM1W)RMQq@e`$)#N`j`M)p3KEi*xYdx+m^X2m&6ee*J#&P&F%>SYOf&ai? 
zKL0^clA0b6iGGIuZ#SRq6|tY+`P55)*swP5i0^D4v@bnp`^x6I_O1DA4`24BJUe+| z-MhPwv~N6d=Oxcw`|;rsN3BqNC}gfA8H`fAPKC zKF7}*o_odlE0(^`fyAtvMoTOeo!{T**9%TtAAW7#Y-yz{sN=Rh|C^Bx50kqea`V3X zpYifJm;b={7iwg zo^$LOmyBmUe8RVaO)vQi_Wd~*9lG-O_no)P_fF7`JM_wxX5V<>io`0Evdpd9y!ZAY z`)zal8G9eOV%Ir)qsP}vIrqGqTJHDrz%}`ADBIok(Cmr+ik-ah{k8tx{AaB8*4f20wPn>N~vqtUSB7dgsoaE`IQ> zc74O*3%8tk(>ini+V323s>YX|Y@9f}{LnX?4G!tP_rb%DowMWKH*EjS>YUZDzG96n z68tqAys_k?0`zA0dYubi;yZtE-yZFkU}m+y4)f(w2>d9}fJ^1pfP zv9lZJY%^!+_PrZzasi60=HQaBcZNeXmA5_F8ZM z!Gd-8Hhyv|G(_|9~Ay*{m;z&w=cy01^zRnN!=-a z?dpF(iD_c_N^ctYvDjziKiJ3fAMXlM=QPe3u_Ucaw9?d!E;*h^EyAuSNx>hhY=_PHy-brJYP?yK-A3I= zP=S>~5QI(~JR;tFSDY3%KQwb0XgFc$d zVTcx0YE7Vs_ApfFrD%(Zq1s^5;#H$)*9a<*OF02c6mvwW#YuU~>VO;-=>~@nZJ8Bf zuG<(6U;>an-~68>fQlnF3WNfhaTAtruzocSrkYTYZ+mr^#fyc0xo$DJn&eRVVLuVV zg6PkYU}G>Czyo0qf-!nV6gU3L4}o-J~^5!s=Lu%ikbb*N0X;TF3|!gypT-bk6A zWAkQf?BpVfW3hn;C-MN+AGLEL&1k8h#TCddrVGW-QU8-!m|qO#zvDj%ztKv}c`)qM{9eY)Vvg(@e89o4Sk za61~c0)(y%NL_|TT`NkWe3^^#awkSC9$?ZU))|%3O@nT#V5gU==PP2|3F>I2*X{5l z9;DhqwL!UQ(rO#iXwK2KGL7kEb{N&X0uP8(#vh|)82g|3KWNzar1~G$SXBR$mZmG_ zv+*C1?fs7}_%khA?X!JPB>EpW8=(VC&Aw3i; zQwOfqn6QPW^RAw6>6BL=bt$Q66cSd^*2pqP+NzV!Ry`45x)aD5bvUO}u(UBfReblGf@HrI*?^q(uuyUEy7up%uZ!Lb09;T2)JID*gTpE1F?NGpuNa70s}s8CLY4 zVCcWU{O42o4~}8~i~pbt`40-u%>VvE4E)j3XMsOj>Zt$WKbyfD?Op!}|2grC1t=&; zkvM^p7(wA%LK}k{{ulpQ=VSTL-0Zp+iR8IeCN5popYD9M&gkJ#O1eWJh#m@2fT7RzVF7`1NxcU zWcRys++Fi@_i1yR>lggu$J*}?dg+`8&)V?Hn{V(gT6Ndk*WPRX)?@ySC$75XtzC_m|C9{@U8O`^4sRH#+*Z?6}GURr0m--(0W} za-@C6Q@^_A{JFs~4;?*c_dgi&t*>7H^I7jcy5^&qo!7l_31CZmt)ph&;hi#mY58S; zT%UF9oOD0@#Y2DFVWW%2SbqN8VC7q!i!Ly3-}w2Lu4&x;V(;C3?|N;&+!25JX>+A# z-ciBp=HBy*{SVm!n3DUJetf4{1>!*Nzs?tCy zUex=cIbCb26><>ME5yyNlhEZTuT4TQ3TVmINp74@<3>v-vCen`>ysSPMO9!>o8VBH zDfQfBEy={pNXq3a(LJLxzf~~Mpv+V=f+N4@0 zluFZ(yA_myMTtqH38mN0r=uTUS4u~x+TS`x!LaIVjK{US|PT0W%%RYEJN zMmK6l6WUIcI=Y|lWCP9_=(aKF4=dng+(4u;Ya?7P%V?s|*JOOsC!H!7$Y8ny^s})} zl*P_4CRnmrs|kE8al$+JkeSP`jC*G*0sEGxiddcf4jWgusc#t9|t@l3N#PpU>M?ev;z 
zHY`$lHB1;*Npcee8U;ZwTeUkvp_t0cginKBMaUIR4F$OA72uS%l_R|_qvhykR?eZ5 zW&dXn^Hn9NM)5L6oCcn zO&H-i7+MqwTLZ1EjOs|MO^q~>#Ox{=OTAXvLcLnDRRt2HRwY<59h+EKoivE{ScMsz zth0(^cgM9_0vyqDFCEl1tHuNZu9-Qql9EXs@$7o4HUScT4hbB$*_`-DiBL2)^?BYe zXVVMiHTZjZb2yN~w7Tm| z=mAr#gQV(WMW1PDdf=sM6>m^s-Lf1+32fpD6A)yGsuzyPM15#_X zMLEI>LyMo3Bh3Go{B~$273SR3f46UAN~wkI+tAdW!F0v|~@X0rK_q<3I8uVxgO)Qnsjf%MQZ+%gB2BvE!$Dz2M3U$NOnI|i}>>gH3` z32d5*Su_!l*4#*G`L^0@YZ(E9P@XKNONu#Y+q}aPF+wCViS%^&vh@^cc|bg_Xiyds zl4zUk<>Xq0DHAxItX6bc&2wl!>!nQ|_R*f>_aMBlJ58cmgGziZla|cT0Rgf|$OTNT z+f!eYZ?m0b2Ba!QcT}z8e5+ft*-WL6MO;Gl)6+d8bw#C;mU6aEO{T6!@i_nv;4apW zvRO3EHcEJXECijVrnmBTk1;AEgy;_Ip^5}euAk14Mk>)n#3no(gdpegBNhYdF_Oho zX}d4Gau}Lp8wVj5@8(>|!@wa|(Q|BvZ%Q*YK{K3ZhV#sDo*B+F!+HLr4JE;^Sp5(B zU-N%v@_%25eYE~(rzIC${pHvHU=WCb5Q0<4r`G?F;6K#=AYV2BnjSv95dKV8G5+ZQ zXumnPwlCZK(E0KCed#Zo5yJAXZ20YSmN}_#%N9#)^rEut>pwgD@&((yF}VV!mf8BG zvw!368a$ksf5q9+{4G{`*YR&Z?(|(Y-L;}75=*Um$r;CeYn6w#Ub}Sm+D{I?^V3}p zJNEkbfB*9LR=#$}t*_ktpaXug$Jx^A{p+fKdwYpx%1b}IOnmB7Th&fo@!HE1-2Rs? zb>k-YzPk0FHa+ged;WAl=I9MNb6=gmr#fq|4X%0igH6{y4e8&|bxu2TZFe{N*x6fC z%iX=}tw*o3!v(($f4S_EmyWleoj6r}FLQV5&$k_M?18Jv?!J3%3c%fm3m2?h+&~C6 z+~mdwezNZmZnf95uKn4zcb1od)9bzYon4+4xATs8gm5a?}5K$FFIoG{%4b={q z_i*7@cFVVJdic%zj>$PMgO{H4=+#HvdI56F_`pLK%sTD7+^mLrp}gISn?F9Mbx)1} z-oN3l_%F*{yTtj=>~s9@e%1KJ%3Hqk>^;ZcJLlf}-mmdT)b*9GwobqO*5vCuJ+VY#dtA&QZ~i7WQU2M+zbLM zO7+@(Anvw@RM}Ijx>ODPW-B9?M-w6vGA*L*n{grSJGfZUrYpl9!`Uu^)~z0tH+Uzo zog|ta15K%l^G4N_K+H+SQ~{fQd6Xxej)5s4LraJ}EF_XurJFCbvn-EDX{Kn^*)Ck+ zw2?T@16U_(St-2BnNhb_k7;@68frFgDP}4%Ts$phNl95lg3~ejL(m zC@$4aK&p?LY#uMP#wlKrGd|pRGYJGDQ9GE7>TJarNux^6B#pBTm zo^XwH46xznssBmU0n@CqDrmo|80o50@CL1PZ{Tu$JXIX@1T1A{nh(iDai~Rhb0Z*1W}~v zT8EF@O$%xS#d;D($qbN53?)VMq+C0hVBmmMSiujiY*k5)AwzMcF%|n=O_NxuoJuGn z$HQrp8T1^upH)D8x(-ChjY)oFMJ!e`CpA+8vz*+{B?-cmQ-)au$1sPMy9R@48LZF? 
zQJ3udttQ=eH8#T2Hee;5M0CC&8H0Nc;2fpTR=@BmSMdig*qtX8ON2YkbErvi{HI-bQ*V%$Z4x27+N_H{dRQ1eM&J8fxsRgD_F-SIcBFY|9y>Y-9`B;WVOZ@G+?C^~eq3q0IM% zh{_d^dRj}ErLmOkH0Ux(25JHbur6oI<+h=XMo5{{q5)jaAe|UiF|Ajaj5S!+*g9s# zK{;}I1mt!6hTWH1g$5O8Yvnpn>g8=Trn`PqEw<9I$c{o-afETdFlq%sNTvC9V2tEe zkqYUM@X`fVq54QAC3l3j>m(^a8n;ruZ6Lf1wUTBX?Rzw94z0+Ppa~3$d?pz9)f@x& z2JKY4Q0~G>Wm0U9l+M_xj_61Q8nQgZ<$`Q4l38$iuLhqWvy8T=|63@f@y}fUQ~YOR zeSnW?+Np3h%8Hqh5|XA+H0_4o!%WD~T$T29va5ui>W@qv=h9*&2iV!3XcWP|nIT%7 zlj~JR+8`cIO5(`K=CUjZxda+IWSyZCicjS#u&!yA;uRWU3r@;j56EPV^r&8E3(TlH zD63#S(#j)HOpHPZN)DOWl6&>!K9R{ z56}`;ghm3A9Yo8y7-x>RAIO=(*fLZyKATQmYQHD ze#i0h87S9-?KT-?tJ9?p76`Ko;U+S}e`fg44F8$oKQsJihX4F08%jc7P5y(-=SK!z+TT%BMf5Nk8J~ZpF;sGli zvbFTon@<_`jRSkvS01}`-N7GbzkJ-9xBAM9#XPE`DHE z5?b}X`ybwT{o)dje|x>d*HFM;4A}23alrWpuSz_-m-3@q*;T*2<)fF}_^b1uynUVf zmIjD%^zP$z^T=Jre>eZx?&!7mTzRKGo}8Rjc|P~u6;HTur^gn+CvJPy?po;&=!2^q zIInj6#>3JkH@-glt^U(Q{mx~&cjw=|=#&jlNX*{#wiCiD)75(QarS@bic91bH(c-a<(#(~YoTlIaP)159bbMa5SM)tXkGDQ z>PLV0CAseUq#Ix_pkZ^qLD| z>4xOhC+$6NLwWul$3(|3c>J5+MBf*8Jteb#*7_6e}jdZ*`~ zUG|4()-%rOYu>qq`}7<8J-(ECTiIBAQ*#1@D3T)qdXktn5$ zm2n>{3eC1+P+B_K6w0nDz(QkCOy;FbxvSabK}NJYfLrxQ*)h_Zu9QJNNV00%NhQMx z-K7+?4$+jHENdeHADbY9*>J}s4AZH*YLrWiC*q_6bZRAK`oAan?lA1g6K_I^X|ot7 zx~z|l9WY%TG%~2yBFcplYI@38Le(V7caw}NmdgW|o(8*>qT*WMu->E5qR!WOL{KW= zG|)^o#wr3<-FWP4@DLP{V$278qi-2bKI6HO*~ccN0_dM_{*MO~13B;2tHnyw7JNo6 z)kb2;kh*QSnxer{IXBRmu#{DJmapZ92@6W$<$*=lORY+8(reZ|fa1fPGYuyvhAIsh zCl>`dvz=sd2Wtw`$F%~O%MQy7m}!YzyD?q1u@RL#ryf)hCU(OL0u(T_;#D&Q2r{l@ zs$RC&bVwZovruf6I1^U~S*H%x#4)B=qLodN83_+3mQoWd{D>_u0No7pp24MXLTB8N zQ#=HbnPI6t$W`mvGUgWtRypreVJ=-ZjDjYi1FcvbXGdwa*zB4f3iPM);f6?|PYM~Y z)HH_}f{Iix%wk@)>E<=GinE*%Bo*8(cDiIQqRa54q92(7}o*X z&ZppknuZ&Gi8W=CZ3v;sSdDZg5$LIE4Ta2fGN;zEoI)j{ z8CH9g9eci#)ys4{s1f|oqT^bH92ruDGJ~<-Vl16bEBV-Hne=+%on*Caeu;>Lg% zcCZjKM{+%&92M_I1U;Z_(91Gh4i?8#m()qQ4c4N3Do74UZosN)$`}fi5y(sr5dlbK zYSj{1WJM@FCdqN$F498M5@`u+WhZH>kp|07)>o3XSl|b)I#%#bnW*Gzh+Z2hhy=Kz zNtLx~d+a4MNqXW4QmK#~x5qt}!F(Z0QLNW8N0EgV^F*drlvoPHhIytCm?gjLlx=_* 
zH$4ej*mn4ci} zC9@>PI44sV7?v7N5{=o)A&Xl2QsP z5yh%%s;L1;xkj~R6^v#UgQR9HRgv3Lw?8c7z$m~%P#U-MP`ft~A+@3E1*u_$d^^U= z5rIrUo7Bd#C+;mD&vZnPERO>}Q7k%&?ys_Vb@^C<%Wx`Oi%Mw=cv#%71?R`mT3=`TPfm5dua? z3L-w8|G@vif6ywAmRatsLF_txIYra68=yY`V#r z@34P;?DQXer*_MQP&@adA3mbpyXQ&c3&6mtnPU4Sa^2A*^Y=Lg*mZ|Ze|_vF_EA4t zV%|v)oN>wWcWjo}V7Jv*JNyak;ltlv|NLi{I)u9ZNB-}-+SS|KdEhUOT)S=_-8=2^ z-!o7Aa@!B~T5flG!M-bM_uUWe|*Z^Gv3>E=kVbcgs_#J}Bg=DbJQ<2U|YqCeSx@4vn<|G>wa`|h^yhI=I*{K>T& z|7qS5^H;lNd;a=)Kf2CLUuOMqEBGQ_SRwz!oqt+#cdzwb;pfU~?L+tUHn^|4-0QEr zb@7_H?;U>8TT2vIy7qy4JImwmF2Cg6E8g_vovk-7?e05W<<`yfJKJ3;>~ikp@xNBD zSmUVY?w<8>Vy)hs?>K*QWhpH@u5Lsn3=nPzs|%M*3M5pYvN9NgUD`I`vaw|v?-FPgy}MkYP~QMk~LQx0fnI6jN(j7%a7aY)NvR|VHjCR zHJuUL1xZZk886*-Ng|dBwky zKtjTTz5-L@Vw)&26gP3q={jH_9P3Yt7Du*hg;AV=0i?9FM;lIMIOaM!<=4s$WAr)r zkGL?O7^VMCUbQYuc0K{G|EJ{>r@94x{rJyfxtc}%XRJtHH34t#(9Elo4u>PDeZ#Ik^F(LUFe{u3;k8rFsrN4krDoVddHY(sU6H z&13|#ra&XXl*b8&fClx9kE4`7(JXo@J}DSCqk8Dr;WQHS;Yryra}&@g$&>>KZZ9T> zd{%{pJ}+gPbUkMHe4=cXMIy-5vW?+5t?PCVjwCoQ4GB6`_sv0Vf=pc_$H6*~!xCz$ z9cQgY{0Fu}^^@lRaMeZge+m*i`ON&s{|Nv2U-N)~e;f$(+2;YJdM0930bj|3RNsQq zHVbviXs(%WFk_pRi>Yd2qWJVsL=B2bDN1XCjyXcI%Rv-yvXoU>R!8aq(CrRW5}5J= zzv(s!*Fpu~Oh~$z9l&O_=D5vFRIZ7j=4FJTk`Frp9$`jFby`t#&}9_@=qt4*A&gud zZi}I4@nTJ$KL4;DLxs3va)qL+BZ1V6d6+K9m=?r!(jLS}-0rvh1Z4VvHxXO0Sj4AK zN>w?LX&bdsP*dcPM;S^k80s+Kt8KrKLWbk1*P;b7MC!S)t~C=3Qu=hSM^aZJMjd+7;{pVcf@p@9oEY+nQnubq;5{{Fxk|ts)ux7Ku*JQebm9S zIm))$gZd0Cnt??#uxJJr&A_4=SoD9;P!joS@}HUc-(QG*l>c10+Pd18&wmIAK`DxY z;m=V2gZu;k!M=R{Lm((hQUry6hW>AdLS=H}b?*GbS>HS2iRyiGq%|Ku27B(hH)owb zd$nzr+J4^d!$%hEt}a(Ne($4R{HA{69OmVNX6;QUmUtBKfAWy`$7NS!XZ`Hk@1Fb0 zb4}~+edZ4C09HTvBq5r2@LL-UANk;bTTlL0v~qQstKKCrF=fNA?K6kY@ww{0UdhTs&-*fh@%A0GgcX9IKb4zz^^6cC#k6P}E zxo0eqUuEBQHXHAF!C!ySx#6_KoMZpI@5{V)$2AWw&&9+x^M9k%PyN<#^Ch^I zmVBOnd!O}=yKCuPc0cvI&E2*V7wnQa^NgLOJx@F`CH}E>p51@xj1}ko?4}$4vfML= ztcsq!;E2o%+Z|qbZPsgV?|aN|d+)s7@xQ)v>78ErN&B+WQ?u^> z^9lEhn?UIC<@l-Sp~J_g+_TIT>vd-rcYA!9>bmV6*Sl)%%s<`#AL{>?&3}-O>HkK| 
z=>HdC{|f&ZHKV%ywd?-|7Z?_u{*D&*Li>#TC;oW;Q~UbypO}sFjDZy@!elY)f8xdB zKX$;8IlZUp_3k7d8r4yLQ~+YB5#wlq+|$Gf=zHZJBHVV$wX{ zl^b0(QK;pLQI!z0k4HmiL@KSDkbqaK+$Fi*2o-SPo<&r=HZjEzV3sVSJbPSyxOfrFtaWI}G7*%ydIE#RTezn95 zIy8pUjkq+d5Y3ctGkG5Z$;Rib|DkPQl5&t#wmi}JTBgO6!9>Bb%avL>6jJR-WHVkF zcbY;0u6h&9SM(q(S95uORHZW`o3+vjpx3U(6;5s0b=%ItTDf0njr|D9AQ`dK($oQD zWdphb4Fow&Wtn2FFor6*RDn!be!ZE~6F^W9WYEPe*OtP3x*c`flX4&$-^$JH$2Kk?$otWQH|r){w!mCgX5mZT}ZtGgQEG813pg8_~O$$TOl zjLU_-UC9>20G13=N*Z~(j9JY9OkxJobd-F+YvlATR%+K|s^=h% zT??zdy2F->^<09h1S1KyCVscqaIsD(RWlPfpT>bP(1YI(fXhN-wzJ>$A)kp!+C5uT`Um88tRYgl@`qxOub(KN8=*dPPYJ}&sbg0 z*S!Wi_1@-)BD#hv$(fEo2f2tyy1dwQNd~bkwScrzwZWui^Q2#BiA5>RrUif%jlN$d z!>@up3s9Q23fhOCcCxTlKx&@HN+0z627g4^%qTgq4z(xz7_r_l@sI9ZP9 zRt&sLG9A7}l=B%o&2&=|n;KL3t}d!lJZRb-rQM_~A9Z?t4fn{ttrbeS811z=z^f%y z1NJxpR=qfz5W>7SP9_GHv{}9uKfnYERe>(p`|AGJDUjhC@5ikT& zFhzYj|GDacC3l5xJn6Cp_Z8w5E_i*T*+)FM)%ftba=^**R;Pb&-@D$q=ICDHJMkvS zVTb?iyj70ad5fRz_?zLZUp(^M4(;u(SnmD1mR@I_xl7!)2fooC#Yf31u*1uhr?~qr zeEz0mPrb=D-hWy+5V~$>5s2>IJu0klkfXo&93+o zAFlpjYX9&5`SLX$-5)bnyX3_aHhW{wdB>(VUgtY^?Yh!4Zrjn$ zhaL5|?26}tzj;4+To~Va#P_c;fB#rjTHva9g@BQUq!PxG$`>xVs za{WKAI{(}|wj6A?!%E+2X!8&waSC;*#mxk6!Q63-5mX_V-t-{P_FOqrxrQ zoO9U^?KM|BAj3I#%wivTQ-A5G^Pap+ITO3}v^y@iWbaeyB%)-#PIEWPRb~!~8Y& zdtF%Jr4xU4-z`V4x8_kBY^Q_Q-@E~W{nP#bq5gl_{O4o(zd_K9{(lknukar*9%G45 z7*O%mvllqx>%I8NX=l$0UfDaSZ`{%>FIhB znzJ1MueZ|m#H21lgQi^dqj~~Xjbx$D6T_Gvc6>A*wX&qBaEjY1%0v+>rsz(?=i(Mc zqk)?OxKrUHGC^u(b zob%%B+WuLZ?|A0pnXy8xU!c)+05>sxOpf?k+s&2yE);YHx>GIdl@?-BUW8$UO_)HX zTIeUSbd*X3hA`=*aJko!$>d-NJGJVl5HXHhNaRzga7b|Z!0NW8EL^FzJhouBi*mIF zhykn>`jD127`j`mNUd0Dcbb|0Kr(Yh#Wm>Jv z051>mtffR*B?g6<4TLtG?xqNx#4)s>g^ZUBo8yi;v};kI=}arnCAwtD@TA8T>S`qi z7*-dxZ9N=UvZxhXg5bE0mZrMBYN^cQBao-4V2~M5EW#%vxsVy!P1)uN$n7dkhZQ*h z;@pN*vD7$cCoAn*wq5RM|K#~^ldk1w{tjOMcdH#L9RdE~@t^q$HJ|ezXntgNm?c*8EJyA5{s3aub7r z51ELch5)2hWP6#6gQ9UakUO?r9l3G_NyQN2CHh((v2*1dQSlU~skH?T4C%<%c(z>x zjRIK8X|$cDiMKj+o)q;FV<^c%+({DVuv~G69VzMKL(I#?HIEkSlHPO8 
zl14!SR0H&^PW1$<&czeHR+lqXxt52OEZ)WPR+O&jg@Ph=R49?)TjNBU5v?I-xECOlLpeCf{2&U=0trIq9O)7n|MevEV z0uS+4dMYiH=J7S(&8q+E`EPP+FpvKv!vB5#n?6iUMkO>$PD29(RVrvzu9TZ7HsSSj zOG${3-B4Hq6+k;Xjb;U=3P7yrkNY-K8?*;mO7!cscAMm;XCVl%L8Y9KL=&+Z21BRD z3vA4L=}7J7u`1g#jb7-c06SGz6ReqZ;}m7pSggeGc2#bT)wD1k>sT@jN*tzQXn^$X zqSJG5RfHpj>zHh!CR7v}z$|~#%492@5tR0Wpvp}jrWH%IxQJv?!G_gIHY%Yt1kT6| zLE)_&ANKQ}kmV<1Hyn*QfHa{Ikz;!Oe%P}T7BdQJY(vC@WW>v3Y5H_}w>IG2imXf7 zR$R|`oZPnjw5AKScHHDgK(?Kf1&r^cU04_lvmTKjrD}@lr|ee0(d_wUEj5{8Ju|Fl zhV{&_o*C9N!+QSR4JEPfC;yrG{`a?HU*JC`u|xmt{*k8ix$@!pJ{y$Reea}WjHi3&?(xZG%U}f@y!er)#mzWw#S^*n z7JYuQf8yL@fAX_~@mZ%|53G0h_!#2jM-I67mFt$z{bzQU54U*c)h*oHui=-z=B0zR zz0R%vbdhp)5(wf6Dv+;Qavd;jF(trK@Wv~}x+|2X@j$`j9@ zcm4XmXl%d2!>2``9JBXA|EvFhrvKkH|M{}{Z!`U$-->+={?n(ORuKH)=D(qGC!Lf# zG^7+u|7iaY{N?<|`N8p@9IH+fTy^@}oXGRn{{zn#|1k$0MslSJL#Kv8A%&3LQWq$I zD%395wKUer=mXA(^EiT6IGljHJ%^}gFd3@n$4q;gXeufrI%9U43(}m}g39GwGl2pu zObT@vkz}K42Qr*<>ciq#$RwIN>=SJaL#Sq+g%U82HnSIjBzTVSKCstA(p6y)G&s60t*2Q zRoPmJC#xZ%QVc$Pyo89kSZBF||eZAKHVa<8CKIXBI4UJ>E!{tzvsaso+7Nx^LK z^%@@m13zo@tyoM*TF}Csw1`AOI?5LOcEu^l>HueXdCRjO>7{3p+UBMmh4X86zN{3rRt<3IBiYCh*b@O-sd_PaDh zg=0*Wnn15a)u(SC_P)u=qzpuA$XKd}WC4?9+( zTTE+BEeUj;n$b$KAWJ5c1{mv5#~Ii1g2502wpK&*a?vuH%y3||@`Pq`NPx%~u9`9;Bsig6n@Won)_J`w z^`{CR*2)l2oVcx^+B4V~=2BU!s;4YCmn$eS^s?bnyCQ}#> zF@BiUyO3Lta%Hbuu4<#mL??_LQ$~kiN~vnT5NK$>sRIy!dLk3{lB|+fN7GBFk`+pGD79%#u_Y)Ldt0clMYx*2Ot6kYQ1z!tujgpk$^@vQ> zH8^dj`Z}Mas9w9Q;Iv(KyP>HI3Qkl=gTe;RXgn$M=_U;bEleIJm`ahOpwws}&A_4= zSTqBRW?<0_ESiBu{|5~v@$V)7fuWiD-?w33fQZ&8?{D&e4G)Y0^Kd}D?{~P{8 zd;q~fKEL<;he|>)g-|f{56pji@!FmDLmwM&zUhZ+U$MgLds^-5eB6%Of`X%UavdUhdc>&OdnR?elv-y6Se%umAqzAMUXKV(R`+9eX@D!rQ_=-EA9Q{pI*LY^58YbQ$kXH z0V*uG{dMmie%3Xo;lJ7Al(`pQb>KNmzI86Q`?5P9zTE4}?{ta$;%&)~XPvz9ihFj? 
zXmM*@bH_G6pMIKHOS<#Q6*p&}I^gEaHTN#N>@R-)+S6-Ya$f8H#f2Bv*zuQp#5XZl zo$#;bKeKv^Etg;8o+DP+Z|+CG-{9vfytTmXd*AfZxofHKU3ZgBruix4WyXT_EtW&pp__U87 zS^3q|7r%AR#~6@5Cb`F8B<@E;yds__r5{|C*nrRcN$H$@ft2l-F(%lQxd1LQwlM2Xc&u1KTv zx&J3QU;M}B2-6ChezF-eku-!th1LPBIxckT6RhQg99}ktXxmrGPO&Br4LO)*izT6u zEtf1QJ?`S1+OXPQS}Mt0kZehDNg#2c9ckLw7W;Bc59(@<)9_TY>be6S6dSr}iZ!&= zv{jE{noQCip_)9g9W&EQ5Iw8Wl?@+2^TQgGfX#7Tz`UF|a>ND(^O~m^g+!yyNRU$2 zIJ!O}p<3EJE>NrBR09a9Vm8F6K?JRDGBNNWHzz2zH32vKRoE(I->>XqoG7V8Plj?huBQfEA5 zh}*o{V+kW`VwT+v$cc!W`?Q3AY%L)MvZGlpH55yx2bB1ga+M2RRpZ;ID!#xQmPqv-)y64+JMsawxRbX zJstN2%c+&(VcNq+Nx0le4~T-CsJ5YTHIPHbVJtw4$JwwP49r3>oaW0G+X`)sYNV?p z4+)zR466CKn8{?sJk~3V{am%ixuzl3a;n4WO*{`I{85Te=t&zkJ4(uo34w#F9^;`& zrB&}Tq2g;;okZKBDj_^8D(#Hja8s!q$K?~DHS_>*oJzIRc43qnW`Z_{9+OhYEsd0YAvQZ&;%q`XjMs|BikgMY&I!TNEO_c(nt;UfA0LZ zJ_iaJY=-~*konL2gqqL!PjbHcf68vB#&)cp3K@XZhS70zT=!_u>^oSeC#CWR<~7iQ zD2<>>j0H-js*VY5qSLLMLk#eiUC5GRtDqxEImrOzG+^XLI9DrJz^R{ z!EX<>l9Wn1^*+QBh}MMIG9OG_g>TE0C564dU={#(Vxc7?Jt&3$>iKVf)&DbJ^WPZQ zQA=I4Fbu;+)5Tmrof1{8Fd3nU1P=i?WrThK#i9mUgN+fR;bb!}It(A@S(d3HjwdD( zU`?$DbdM>w1w|}RXwcIedA4t)Tg>zUD&lBVkmZ1I>r^6V>SH6@M7s0{>=*J`j)%H& zBI69J$fT8yr)jbVdQd-VCNp(`5wj%#Yk5OOqnifbtE4h%p%mjWqcWYKWmH0BL?sIY zvXSwnho(szoPf4ihj5I0z#L-}osLo)X8O$?-d1f%r4Ca}^JpWFHlEinc=k4;rzMB6K-$VX0{XxOg+x#Es|2ZV{s(sXh%lz57 zmtE0XlU{%E!#;g#kI8fJI-8!p>3e4_amz|KJr(wf?yF zF{x)adHVM!e^`0toFi{y-@R}@XYNN!Ep+6GtKJ+hdHBKtv-U@u+`j!Q2Vec@%P&0w zZTI0$D}d4IM;xsqqTKAYV=&E zJrDML8RpsNqu|h43vXTg)oT}851;wgoo`>iUVZL!uLzsnLI3%qtB(EPv5WZEpXDz< zqmI0E`L=s~d^@;Ow77Hfaa+99d-V_KZf_s?>MgH}vGCd(zh7`ir@6%g`cYdxxZRI) zYoB>tZ}An{r1>J3*_4DQwzMb=E?8Az3UN~b=bqN+$p42 zUSjnPH&YMW;>ufQ@2NgpDxbaa+wgj~J@w3C?k6Xz&)&TC+VI!&|IhUQJLW$SfqjAh zBxm^lw_;z1|EQ^&`@`%1!4#H;lvsw9xR(3}`494chW`{x6D3wZo2R4{=8OLz^TmJQ zPLom;FOyB>>VCPxOh4O204*gNy+S3^X;u=9q*O#uA+qqqZ}}D6&*#-5hPB!q3RhA( zSco_xl<)*))bdKy^-{2^0%W$4ZgHql)4W_ds5hVl*HXFzdqSFWZ(JehG6~hVY_=j# zuo9o7i(?r?RU?Qj7Zqum0uWM#aw#6+OfFgN_aH0Xp8mt~IMbb|DTkGKrUtjkW`uKr 
zDQh9ff~1k`sODgpv`C500JX9b^y@7<@{v-nZZxRK0jt#xYFA3eG}wb#tCUEi==3(V zq*5L;41x>&k%8AbY)`b386Y!Fa;U)93A5QZg&?QIA>|mEA(4(pLUqI^@*>x>OI)&I zM{LWLW4=+SMq#Gf4if#Q#{j}N+y6rXe6m4jlwkzsS~;X#?bWnVSCk``&cTUsi%2EZ zqSGJZFk4PS)lu4uYj_Z_RA*4kmD`o+=t8UvG2jx9;3V56)n#u?Wqaa6R5**wOm2@vBV zV~l!!Zxlks5!uB_A@Di`9d%qBwKS3Sdt#;H!13la!8 zk)*0nMe~{dU`Uh#9xTX1znmy=rDCHy34prix~i_R?kG~I{&>)FgKxlpSg1HpUVDEf zuQ{bc!ZZBmbN++;@c7Ssg__U#4>Di;rvc?buRf^NMm0bcN||b82Qb4asFY*Hh#n{- zf=N!KNFL*ZQO|P9BArV*R<~2D_Va=fh#(;slxC+}cSb;|%+}F#m1LkW999aWUW71$ zI!>0eeG|vDnD#BxwbrwAw^dkg?v$MjRsYH(3fj~U8)fMh-w9O%&7FT*?b(@ z{7C9nHJzUZ#!(T{48qn1My(w~N(L^*8Ig{Zgywq&9y1Ow=4hwbD@lgW_c;`#$|B*n zYJ6Xq*wDxb6{R{!i7nF>`GD%+9mTFBy18DZC@SN;SxEYT)^eM5C8YHn-OiK5h)0u{ zN-+amEy_KiWa44U<@>By85+%IrQzb;b~e#O{Cqtrj>rlNs2$hKgi192nlcOgH)oHg z*%@UE6FQUTv7DlJ8nv3KV7L}KzFtTq8EMFYFp3YG?xYmuvwpwV>h%>r0pO5b)9@7K zdMQhuqy~Ab)Q}OYg>+r8t#!F>QTDr4%VdWWtlp?2?Oe<5ceFO1>d zunH1`Bo|sB56AW>qqN4oimjxC!q91e=CD+434z3j7^{Pcspj_hdO^#pSz!REQkiNw z5$I@j-fB)Sf5W#^$6_LB? za#0<2+`Mb};)p8f6;DW@;b;cY%pjT>L^FeEW)RH`qM5OOlA$E|{p3G0`+vR_`y&4d za*g(P&VQ)sJ%FMVj6v{M^B?kW_z(G=^B)RAVG2RvBt?8R|G5V}=&l!+X*`7-v~IB7 zi_Ztp1%F)h!8Ko=wb~*3?78Mn?DMN!edQfjJhGohTzvH83cp;@*De9>aQ)L~ z>~Yjjw>lec?Xj3SYf10P9oA=VS!%&;OB)?yt`{Ce9VebgU-;Y`haU7gZ0tI?j!vAr zdfvQkr~95fbM;yGpZ%Bn=iqhwm%yXzg0l}h`OkfS^xBr|JlAl~B5s_!Rq^Fh z{_~Rh`m?WH_02Vv1=hRoC+}@I`=JleqbtWVn=^A7vmRXg%W#}jUB%9elRIse_kiE%{E(|IqTgY-+o;1r;Gpi3H!?W*Szq_vzy*? 
z{2RMHvec6AAGY^B!4szxu3Al8@t$XY)|~z9DSPhWu6FA+^p7?>({0~SdvUnT1slJ2 z{gsVEu~6r5{_=g7qdF%%ho_!-^(8~Ql)hA6Q?TEAxqRyhYdpAbVug2pyZsT{t-I>} zvp37^zI1D^k5`o4JND7Ni6(u8#+r_m8yVTM z*Bgo&V(Ph?X~7C#?zn zs*F=Zno83>i>XypE`tvJsKyQZDT##rJd8JmK0%UtPy>eFjQ=EoxRC0zQ-6qa8d0$D zYL2qpn(3P!JrY7M#QiGk)S7OX$>vDftRft*rCceUX3LJiuv!^tH$`bkcpl;=QE;Fp zgX#MmnS|~qLbf+F2RSCgE4>VyOA2VQ9MOcA8unTvzh2eSu)uWy&1s}6Xe|pS>3&9P zkPy^H+F%&LV=fpAhFBbB@M60PkB647wCXG^X~jl^D~~7GSgLhp0B@vimKc|ZqTeRs z0Xzh~UXEjgVz*gHIvEsfV#b)wF+}9W0}U+aTm70)%h-vcU}>mL0i2l={le7K;9Q)O zym8&AMr3I+!ip6?=vVDN+RUfmRHvTS3a~7B)j_+QC3^+5+{au@XMj;uP}*SEpOB)_ z>~{rEYuVqRFq!yl|4;j`-NNMenE%XAsQH}#pz|ZMR!#~K z9cweG@fe8F!36gL(xqJ8V9E(p45s1B1#-)c$~#)0KRFP(zzAYrgk-^tYptB|cS zy5{6ewgO~ZdY>tF(W*uXWfYEaWn!iVvR1Bv@x&e#sB*%SWFi{Kl#{SCVyjf3Dmdbm z86jr|c^`m;e#~{pyb?phZY5QXEfmf3$dIfgx~WX2L$-W^Nt8P&xYdG67V1hE2*a3N zmx{f>&^@5+wGbN1gB+sev*;umYF$Wajy2feoq7ezM-z+JCc^@gPj#`_s;a8g2`eJf zvf4}+6g+@%SUAYwMEdjopXuG0|9ks?QsL+QKaQNrSwfLEfN2B>Y8BY2C8Y@{9Sp@1klZjX;C%6#LmX&b(|E-ca z1CV9_(hNYF0Z20dX$BzuTNz4H-%tKCv;XH?u`lwUvle};@;%@`6hfddL?Yx@^B?MO z_z(5n^PlOn;z<&s2T zZ?|1#4fVMPUpZ3P_tWtA{C&qS{-gd)v#O_^n|fmVr%znTI`q9WcG~^)eP4X{$z^Zt z-hszU&NkAHvA`de+X?(rYIzN7n6>h=G) z=d|?>bpKR-XU%1vzj?IU`;Q*jzvq-C*Z%#vZ?3n*Ta$&CGj_P)4r>3Tv-^7ZL7zOf z=YPyubwNeE_AjYJR@?pdCzn6izvgUv*HfeuF8STFzdiJX6<1&SIHG^|(>uO@u{Arm z_-EU#0Pgj>WA8m-?*rea&Ura{w!Y5|{k4=o?emv2H$4B*Ggi6s_0{sxmHV|GIce)n z!+#S0N!=&Oo8EQjZcD5t9=l?oufE(>o%V`v?yEjjIK`Sg@j&m!El-|PJ%;O z?Y7x#;OS{>t5;Wl=#JkW{VtRK7+&wSt)6Q{%aCUsbKkiim^-h()>^wPx8hT`wocfo z6uo@KBL#EGZSLCaQN1$j#W(2t@HtnZ>trt7|JUVRq%CdR~%R{OcAo_;`Vj?|c8b)gSu3dqQ~HMn1RlK-(=h`|J7tXZrtL^B?p}_zygz|KEmv z9sc96DUSL=q3V0if4ZR(r$eQa#*|q2%B9@@U6aH9@9>{)ti)<0vu2!|zx_YheDR;I z*r-f1M`%2x6LHAdgput7uHWIjE*SO;Ibzrxt7wJJq`qxb>rgMOzJN&shp1=KMVr!Z=W9n7ZKD5W(<#87thaFiGNe2cG-iV-Xk z1xGfKYTvY=hOEJU2G0mu2oPklTbAlsDa?A^Vl^6wJ&R8oB`sm64bUIKg;0PZbKvH6 zf#&Mjx}F{rEyl0gkf>l466jYGU8E*Rj$q=2@~GE#TP3EQ>M&K-p$g~unnNr5YdWo@IpEy9d)9XWK)M__8f~WGb(+iSxzE0#aZaKlH 
za$o`Kr1W6GHqG(4HY5jW%|QA(2u?rMQT;9pL{#5qT++)j9g?mgxn8@YDs7D}cddrr z<^5E0Ac|8L$M8IumWMLeY8%qXRSSbsX*A%IK$GcClA~6)Iu-_ADhgyU8+Qn%XpRe* zz?LuvE-D;SQc9D6qno_f!REP_W0VuFAz_IufMxsc12CUgjnx163G38g*|4kHiw#9*n|FAz46W za$G}_1e@}^WbBLstuF_lVKAYt!KBeHd1RdGR#;;jf~f#IhMp4x%6bf3HF2r%qZ=_m>NZ?gqM>GNKC3V zBoI8z>RL`7fxPiB&0{jnG=^ETQYd!i1VWBQmJQm4);P-pRN9YJTvW08X*-o3Q{F(X52n%G>GXrKub1ozMR!p}ZlUP{?-Y|jvC?O!7X@b- z5Q@m0+=~Z|Am8#>hMhX2HY%k9rID*Zfe8lrSS*NnEzf9%+vz}+G@Y>lNS)z4Gn{9J z^UQFb8O}4qd1maZ4E@*RpReRUIEMW#|3Q;8^WVM|gJvy!J~V5gqyHcO*+e^V@jrZl z|NQjZ1t=&Cp%jHd6ahn=Bzoh z*f%df{qmRY&fR^Ib>ojV8j_C`9y(pTHmiASRyPoSalkUSAAQC(i@kKg+Z(*Jzz3_G z`RPj^h^PJK)^#T@&!tK~zwQ0~UqQ~KUisrsx7hR5$&S)K`|fwf3M&<_`{;?M-@rFr z^2I;Dv&9}cKi*=!O{L$N_+uM2wp!e}1 zOgQ_!_0L1G*$>?R^6G0%=05(+V`u%Uv*%6xYnz^Qv9-|^AFX}xVb>pZ<7sPd*?sMa zd)~k3=H8#yJLz2iQ{>}Y!I$2>X~*k+v+PHkiHDy4U-)M^XqmskKVO1)3ZeGmI<>+f zyUpHs|7Cyj_-=>au-M%%ZUeV=dhDhL-??Dn1E4=zg@+cHyS;N=ocJBJ{;TVkPiKx> zs3g37{jZlu{c$5R`}2>U{$Q=!pSMT1?0)qp@ew=K?mYZFtGe@>Tc0sp`M6u(y{>=3 zoHKvhSgVyC?6%FWM_+Zq;-B2T7q;+4Bz?f|a$4&OvA**e`#4&0-y=3U_LsBaN9jdx z+V|PDCfb4@*EdmCiHoG*`K+yWt@p`ER`b=#J0a)cYN`&avd=x!te+bW;mG z_@v!#x%mC%Pg4Hy!TSgL+vd%Gf&Zibdi?X%`+uOnfcR(`~QP| zeSUP{>z@7dqXS>}?4KVUn0NN+SumwYWAh4=)3X~g1ATt>N@1Gs)~ljluW0V{fgB;N zOrN_x)@>TfO)oz{7lhAJs{fHuG5?)W<>`3^6LpaKEV~lbfsw^>X@A%rgG`E+Ap^;& zLm(X`<4&JqR8O989hUBk`3&bw#J*%C`&5lB^+hpRR4t3kV0B*PoF3h+Qz6<>n4B^Y zqiH%?@2W9^dWfakWGuv`E+T8~aVx^AG!iGlzRLIm-pfnr!LS^(P&*nFYWYqsOC=&w zEdkYh$#H8|R!{JL8WJaTClA*O{ahsE!gO(nriymiu*!w{xFz*4l^WF54h>29Y?$uD z3XcI+mFZ~}6l_BzR!{k2veVZyiGbw1NwJi+CJ9{d(&1Pp`t?Fu?La||tfaH4Zk+RL zAs_JoKhW}~05&$Y;fTjSz^BPT)-#X-9?%`3h91c#LtQ(>qQm38?Dh&pIOu^OpD&C=Vc zVul+@#p>AZLz&UgL44lKO0hU*`%NSv5ZpCg^YWtIH z-r>1yQB6B)jl&UVpp%jr>jft0b6!iqQb8yN1}d=Nm>qRIxPvKxNaG{FV-ye+iHilb z%!qMT9a!aRnC>!ZiG!dV?iPn&xj;rG5^D0P1eRlnK=x!fr}7;@B8r{d^h0Ek4=0nP zZRa$t(N6~BG23q8b)#UFZBPlaoZ6gJa%Flde+5wr#7>KDTgh}a1?ZZeN=2sUg_c*N|`-buN*-wcyVquOpxh@RFfU?n4n9EHjxM_8|!(?-6X>5rO`Cv_7H 
zrBZo-Ruf(-Gobqd4(m8;gT^?e5{OT$h>2Dkh&%8SZdtY4R8Pz&O-P9H7Fu;Mek!~v zi=cr?NKVuaH_x)Q&0VXabj19W;kYBq`J?EdfmWaJr$> z#0cOr3Cb>X+|TQag(AcMz51d;eC&4Ad}8 z4Rk@7{+-Sz%<0d+imJe06)L&Oh|ydd)opy7lRbrKptPNJTZ6G2IjriV#X3U`gf@}w zG}_&`(SsWR#n;+c2hF;@$S}wprB?GXF%D{?TqgP@yxtg7m6VS{U<2-!^F*xyIgnlF z6XROk?{y0eAO~gac&vjGfppms$TYLHc0M(AFeu=N^q9}Jf_%a3;fR7a>8M?YvTn#U zctaBKA{!-ipbDnzq~FY>?IMyQT|KjzZ zZFkPAyI=j`@yfoJ9lFY_wXX-?IaUzguB`UNY3FY+H#6t9PtDU_Uvr_Gv0pXjKDo)Y z4?Vnf_1ME6J#FRtes|+q_dfRGgZM(5B(FL7GV3(zg`IDnTmH$*y%pxXKU~M#a?{;@ zam5LZKQD6kUb|g?!JAhcgRS_%N+*tvIB%KwPsz?wdtbcINzm-)pE!8oJ)TspBR0G2 zfDI;#jdJfly80ZXeADCaZu!g_yFEPTqCba!V2wG?zfyVe(G6DrC-wiVwzyTlbLUkq zKIoIHKKjKLw=J}5@~5{h`4GBs^XyG;*nOu1s{K2U+;MgE{q3)P++X&sU6jrDy6)2L zPQUBqQxBjfi!^E{6+gJ=h5L$Y-yJV-cWV!5k;l>YhXni4$%`)bYj9KO?q3~z+vCL} z&yoMM^NrBer{1|*gFjiFyVe;`KY8@IKDUH%#BPljZure(mA6)1_S8MMlaAVa4Rx&z zk&QRp(|MI&jQh(POeB%KBw-?_2t8-hkH`^oyUD|EEyUqOTN2f7Fjpydd}W{Qook|IYh=;4k$5Krl<#JGWo2_pq$q&QXVXPs^e@3p%Yf?&PL*vOEYX$DEFW>(=wDbA$>x0FmUyjrO1 z&ZJSND^b;x9S@BGYGlbwJuYs+3_6#0V^RYy@-( zwLF^K(4?f-V6#-oHDM;F zjfHT;TV|M37WXbR)B2&P~>rl!x3E!S`vl#Dj)j{>*DCx->b_dq_c z4^%<4T>=D01&~WBwV~9jLjurF&{`%*wiu+D(J(Qnc8I#hSVI$PNEu6^=Yf|pSE}ZV zm~J6u#i)%u2x8I>&R8MdY63$~Mgz-(M?TzVxE4Q(s8K~>^P{Sh;A=q&CupqLvSsIz%-J0l{Rxq#!O}eQv{r}31s%awyQO)G}7gUab?of z+C6+ybvtB_53z_YB|8wKs2%_{5@r_a6ywND<*Ge7<%!}qs3+p{_>V9BmAv{2l55ZK zpU?Y$upeIk&wPcN|HpskM`rC|J?px14%0{!z!-4k8A%1UCd15l&>VAOtA}zhrCUaj z<{7o2C7EKDP6v5M5J%If6^thkl`Bz(DQZ)F9_lQ^HN-krX>+ZKUy|sWoStf6wp9_~ zR)`LAFcnczCT=KcBxR3e&&o9A{4lm$TXrW9kW`J7E)<42#T_@DI8mAO3KJAoxFD;- zK~dBVy{<%()+M?qE@^Z=k&@wDrGr*Xzmgn4K(1e{jKkb$LTOGGqMB$n9|=e?a7;v- z5ZO52;TkDYVB6F*IZG2m%Be{m!ibW2%Qq(m2}HP`426noMPR;2AZ$KrNZpRq9q4dQ z>`uibWNZ-3gK1YsDvhLE%xke^3wU>uE(LW%1~?CP$=-lOJ|D9=2}7y#_xgYI&-;H= znZ_-ar6s@$O=uq4Nr3Y((BEhAy-riCruC*Sm4+pe*9Z$^tqxZKYzuDWK$wzout_Kq zq}rpgr}flozuvBrQM+F1S?#nz+N@L}k`2bE(;Yt#Cvz#G-L7G2K;aTuu@!4Aql)wc zJwcEOo5P?E$PDUQ+wgD?PYa-$3CBUh_KR8yG+@!kr}1AK_ByHvs30#(YD9DgHHb=P 
zCLFDMRSl`uizY8~jiEwBQYziSp_Wlkf|P84w4asmcn}OKUbElk55?NvBP&RZA89Nl@8w`}Our>u)?SM)5;S$>}4aAPq zK}YtyjdL+R=9H2&(%PQuPtasyY*i-02+`9*VnWrGbRVrH3Ns_#X3)+I+L=K+GiYZ9 z?abIeW+(-JANdak&FugFR_u%X=bhEY@ORIDk_a`uH6a4RzMB8Qf6ado=)31XNi0d> zM3PKmU(J6G0}|Qe=Ku+!e$)0p-u|`2x4Z7=J6wCpulNUcJAUImmRP0T*zSX!q64pZ z%z6Iuk2b6uPS0{zc^Ri4eCyo{KRE59%f#)EU-9ULH@If$mU`*4?QJhUeh>Vp>sMLf z!d;g+^q^HwJm<|l&;HY=6X3_R!kF z^d}$JKe%}j;p1y}d3&Xcc1gT@_FWJ4K6!-OX7l>48=i3EMWKFWB zTb^r{5+~L+-lH1tz3Dm2uYdjdo89qJVeYlt-8A>qH~-_PrQfJ7czO8!fg1 zwe8dE-G98s9CY20`gYo_tG{&zq((0qYt+49&+Dt+g!8I z?i+U1^4yD_Ub?a-ea!w>&J92O{oSWPi*9=F*7)k+vA}VqlTVww;-BYi`|%=&tlN40 zjNks~lH+gM_<-9JtMre0r}ew9=l`GS|98xPlJFPjzri#5|E<{9;Ximp2VXkH{(H@T zCNirhbMsJ5QU1!M-2YvZi@uEi#PSbt{@c7_lf5FZ=#fKU zp4kcAZZ?NA2H;JEI-b!L)X@7`-Rv>Co#CZXI2a}bD=H1LXp%@}MJ90E5>#TyPF2v6 zoYWMwAf0ms7s#-DQAhb|ljx5!p(_uZRxQApLQB-bHk@MJyj!$v($-PS%vSt*leN+b zDp|_NeqO;*0|>{uoi&SQmd`4JAS+x-sx}kZNu@ec%k3IbCp>OY*ODn>1XDg!lvCrb zUE|easg29Bp8*)z8gq5s&_L5KqcyDE(tOF|48@ytI%95v)Up@@B9;{7OT3!Lhql|2 zRl8KI#~v7u`T)~Oa|uKVNF4UNrO;|QS-~-@J<}u!t71@v6x7ueb(+ydBPRoP2feTf z^#x}@gQZ$vx3pq(?qPB%yIR=_@f;y0n@Fb7sw?$DRuY_+C<;Bo zv7vsw9UD64t03*!<3d`f0ZzLiN6m3LHAwrKh>E<~@VNZ+8e}UZ4s~QN3P+7HEv5fI z_U=2}d9r*QI8!jl5@hcU1)DuUMw>KE(k5w}v`GpGNz*hKtS0D$P#`BuOHv*Qt&G;a527~`;YgW>%Dq<+Kl_@^L);8-?fl4eS>#u z$;6FgycOFrU7$b!mdnL*XOfewIys)Zx``nk}S8Htl3`ZXuI}L=?=>u{e{Obt~;Lnw;SsMF|Hamlg_YQ1@bd z9E++tghrvRPFo`&!gx>{&Yc`WKpW+(P8yZ+C)oc(zn5Mo|D0aod>rRLY%|w?;i9AD ziOHAGe->(}dEbAg3zKG{!8mSfxM2j{5b!zQE{elpANC}dtz?GPJejAeZdqr`FwH7- zI+fC)SS!?V9Zma^Shh*MXFw)VnnH%*0l7-u(0$o+G~OLI0tmC+oD)`~wiMC@7_A!9 zC@+(Ro@MF`%;b5U<*Y0O5oW-Jc_PCA_{8Aj>@bY#VPY}`9~p}3z#q-JHFn^mV1XmJ zzELmL+pxGLi8;xEij(g=Q)Ggwn4ABOYKoc11MhVx| zl?WucK~rj_BMfOPaijcRpR%b{DAtrZ1o-mYP*w$tfmNP6*OVvgeM%M38kDb0q={UQ z>v2Da1+LL8iPbt0YGVs@q_GOdRyb&PGe9`WjCwKLHQx6h5KNSR*Z+s8OKyjhC4m@|^)h7-Mc7K%Y+ezy=18rQl}?Ldn$=|1!}SEsl*c)-05sTf zlD0}^kgPDa8FeMXut$z8#*-RW?P4J;PYT)T0JPf>DUDkpqtnBlM!okTae$Bb6lfz2 
zSW{a$IyCF94O69x-cZb0JzSZ&HmYz!Xq{FeJwovRBa^QFfl10|)4k$lWf!07OaRhqC^q65t1QS1yx^H-)|lOEu6)R^j{oVR zw>}2%!fYNMvF;YjmM%$*=a%5V{p*LWxAr{i;TL{{|8(Wsx90D^Gu-&;MfI^-hJ%XHooP6!&rOc z?gM8|zIyPYuRpiMU)H*RjVBk`b%$&H$If{ge(RCvZ2$C6$$xUcy!5vG+I&S_bG^s! z&AD4%OW$$VH^wJ1PaX+$pSbpogDzfX9sMU~PKEK!{NE98w-Z(|Pu+6mqrSWNQHNZ+ z->%%UXAOP1d<6T-V_$#$-YaKc-EZ>D>Bj0yUB4c(!en~<8@r8nU*w!WEK%vLu)|s3 zd49UWB5&{U+F56uP+#Mh3l?L4vBMbtT6EqOYwq^&f};<)V%_@BPo*9*56(UD&F!@_ z3pbwP?s@V`UpwA-^1`|Bqyb4KAOF4gJ(E-smSzj(KeL7MpMh%+@k()|`k8JCHE6kJF~HDmPUj|Z zdWh-W#KH4wK}h*%YB<%fIOQe0!Qd0o$)I6($eB$g=h>ZlisgpsESJryFah8ry*}x( zb$%jvwp_tVK^DcPP`8+GWl+&=djs9l&>(9TtVjv_9jjQDOtB4Xy;7wys*C}(-|@P7 zwbMlyLoNHtkm)rkz8#BL3ycM?m172^FoYYqo*+~)w%=4cQwk5eWL&FLQYC98{!6xZw8ta+|71RNgEowe6u6`2# z$;AN1&d6eWsOe2s5Ev$IK<#SMFWDqU382MPNmSHezUP&7k}Y@1GTLIu{;*uM z6i7h96)?xON3*)+h8S7I10kYdBkOPj)dBl~i4_M8$?HIQf6(R3;&=p3LxRGy_@I-` zmK{K=nj_!s)pe;n$Ow+&c5o+$OC!=9#F|26d8ft`xk@I5yR-EiEiP!)NUFELUSJEdNEJT8C%Y0IS=I*tu3sOl9riSQOU zcI!Y=&A_Rs*T-$oiNHGLx2M@pu#T8{ue|2C_)q?m&5+%}{QjRWv;Qp2Q1ib3%oZli zx;Wl0<8miTl?0#$NxdgM?=fv z3Qasw#%v}BwE)#p)r83lF5EY{K3_(%amUXOO|z*9RSO*HM%aL@GBT!mGbI9hao>07 z{*Z=@UXQ>=J)m9px&td1wxfd4k_0GQ((AnxG$A=`*mcuk1~`Y7YUAM~9L6e-1?55- zwA@kNpG`7klmo(`9mT}lIpmoR%hq^%=z3+VJpXJ zyFp>tMu$jEn*~FdRXnnuVQ?ZUDkC1ELz#55v89_yGt_M-9QCn=9htRMJmj)0jXT1 zve`IpT2O9O$<=ap+sO_rre|mLQnv5w<4(~O1h2=|Tf?TMWbCQlP?Wd{_oHcpYyl9F zOI&y|XhPFs%%xCs-g)MoXWn_{ooC*8=ACCgJ`gB{d@=n8o?rj_EaHRygI>7Zt)IXD zASg-V1c;L8fA$~b3+O*MOi?I|;2&ZC&wlKJ>t4#HHxm!7wEIRcw0`*Tk5;_t-nb(%iFZS4W-YZyP$>)BhFP*9Fzu84Qul?q` zXRq_vEBP&caMtUa-hIr`!aBgJdnzkDwsLvry^ZI#DcG-+x7&Qp^*3)w;gU7#w#Qj- zmvM0AL3ix6?7rD+Up{W~;~h8L;I1PMIq3Hb$nqxR%eZ^4{QI7_9k%1EM_+r_P0!?> z7_asHqrbE6N_(7V-m=_xHs0u0%iDXacW?XdB5zt2vce-jynUD7E_GD#`g@!`_qxzL zW8bI9z0SwrHD&O7+wVO(?edi_SfaMy8#laj`Ks`igFpWHD{oeB{{1)LeXSe*xc=?e zzU}_neBo2_pTgOdAFj?wuVnu6z=_0HFW7B~Ux1gE8xL;!@WC7YYzgAY;D!nDm+})& zo`2~*-`efShaTOdy2yQ{O~10q%E$cZ`o#-}#n-NS;RFgfeGoql=eeWx6l{rfqwciQbwF5Rf?`{FKp?sxEO)Tz65;$K}LJ^04k?>>U= 
zd*yMf-ZHrR59@AxMR~v3Ei1V@oF#qj+!qczefvu@hnuTvi$7O;cF(h3zSLS(dgRQf zmw#hd^QJ!9BMy0ESX_ODmun}zdi>EpId#kCF5etP7j8BBebqQ_$F)wO)yd${uO@39 z*j|o1>aL59_|xN;9lGce^;efT&BK2ryl~4}Thip!XJ8FLfAdMbI<|JaoK|F6lVAMQV2!uoG%6_pudZhl@x zC3>O!CtWE2>Ed}LA7K_4rqC#h7eZ-h0$dc;oH3R+su?E{MX6*=#(5(Sr$*5Wl}eQM z4Zns9;7D`AYJN7!SfYzY*4!D-!!V0vfSL+bHKbJ$@=8jC*(t?0CLLQ2AhS3(kr711 za@wq@?t{ArcXxNU;O_433=*8d-R5y`o%hcB)3s~=T(xWW>i*1< z)|qU!p0#u8u+yFQBv@Qj8e{$3*jE!V#B9{ee+T_pVHjBZIgW*o z)aIK|ewtkjTkZUKix`zyp8f#gT(v7F7Gr5_6nSibvF}%lpbYGdYFH?@Uz+p^-|E-$ zi>t~NUe&*S*Q|ih=t87@?DOPvB$J{wt=EG5BOEa$M4=5QegA{)Q8e07@sf>&D-G3w zZa#yW+wJfZc4bG!w)%?7BYpfHwHV5gsuF=wR62ci3*{hW&Y2^V1V8jD;Xop4}bCZ zg=#RCgAY{k;R-hJG56&E&9?KwH$;6%x;Q^HOU%OO%;ds zxLyhP%@l3A&ArJlsyy1wW2C zDnohv)xrBq9*t*=w}EvVEbeF0L@EbR_skZwp;B7=vKWw?c{dbRf0`Y_8lI&5i-)cc zi=VWi-6)cMbUK5tk*R{rR*?$hZ?IC&CI{S9R?bnQI+Fcq9rJ=ru(Ik&IMT?}!o{r3 z%=ap-0czC{Q64&b-TjdIt$69CM&9wv=$EM48G?QX{ZWj71VPM>q!awHks9#f!OP{d zLdu)LSm6Z?=79BcEOI#|~7ZN}f{S~FqERE;1iwI+;C@)n(ci7=}*5U@C>Ga38S6~TAt zPSq$@Db{Mq<)Av!laR3V6q)fd?doVsmH6Euz`<+p(Q1&P-B(wE;sOcx7D6r}x7`fO&QO@hyO?46+ctw(oUNde zn|5=&(W)U}JA3i3Rjd_z=8w7A{e-NWt~wS4zT3tBuMiPYDZ;-Sy`V7nd^~Cm!o82I z?;X1c_<@Cp;U&V_YIi=n>z%ijJj{2Qsq6G+an~_cu>mY5 ztb=t&|I>L;)x}Rm&^AwSRcm0dzlyD{`O2T}>5x4|c6T?@1Af!v*xksIqHVcZ+aRnT z9gqcHd=F=^a~qbTKUsIFb^|#?o6c7(G^Tzo>!&hv2IW=uASxaCKh}i&fPI&h z4)NXXlDlU&TlzT9=6LazPh!I^H`L?AYy zkHR(n+2&u&o27=>imnJD$JQuRAYxgyY z)0@VHrlp}S&41~A?{93U;QTsqJcZ9*1Z=OgpREP9`34``Z&&TkUBR`N+7Fv@vEfd& z7aSdDWtez-%U^sVpE^bS-bU{c)L({S?TAL`otAR&tK0LR8s-@Q24}qo9Gy=YE-XNO zBcPA|Te-@Hk_kuy zP~vyB@T)75UEdT0@^gBLZ}}aHvQ^luGtqvXxm7y7@p3nwU&+_~gNO4WosEb~g}9kF zA&Q>QsOvsueQ$}b)^}%af5_O+@mXugY5OCw{=5Po^l+gw^g_)b4I<5b*=M8iyTu;` z@^8O`W8c7HRbcj9ut4Gy=f}d=Tm9?LIrgtMT(N4_I5k-55$yljT)P;u!INF0vNxh8 z7o7fk{m&?^iXSW-Z3OPsIV=at1T3NpF?if@9JloSxK_pDsrE%opa>f#6=xsuFT_;9 zJT`@uf|Bz-9JS?rR!S=@z#(eY@GL(A4t#G^fh@!exlVrFPW0d ziR2te9Y^Y{%!^a3s&@g(hc2{@p}kasW>dcw$*jIL5!2a8t8C(w8SURqh&uIJ)XZ(vrfSRK=qu~AT 
zBDY~^hI!Nm^|%u4%xR{$*rd;83SzioMF{i$m#L8G8{v{e1^WtKncp#L1H9!?2(LQptDvW1N+yyTg2%ixAB?_@K!64KrIVab*{T@g{ zeuP4C8yRC@2G&Z;KlA}ZVpB{R#lS`1T%eXO$Uy{X0##`k*;q3>gG*OiH-_t!4d=sd zEA*NwkZk-9seWx-Fp9O1i6)3?Kn0*ck%UpZqvf$U0MUf&m!a_3EuIl!Mt2$=(3Y>>rFPIuyP7ErCe;61|3 z>!Dg8IR8y)j`-K4#rN^TQ(7y}#$s0|eMT%1w6F~CvKE{mi@U|5HIfYFQi$oGAErm9 zopkKh>Dk}s!qo$p=>Vf#nd>XYOTm}po zerpcHkXm`oq>GWNlwTOqla@^9l@t|W8OEw~W$L?XzmGYqDfpzVJxX~jVu$w+f6w>I z8do81EO>^>J~8Q7B9Yc9{@7Tn(`n+3BTse}SJWG-?eG^kPjj`Ze9tFfB52X3{wdDX zq{~g)>)|vTIbtbZ0@tKEgB0N)6J$kdFDo_M$bPm&pbpoI$S!AE1gAiK&&!b^RMQn3;Qrv${h`# zv>DH1;VWy*=e_+zKg}VUzC_3vDe$2EzXiM}NOc~0B5?cO^Z6so1D}I$Y_WYH-$K1> zy^w`>KgUy)2ZoP8@6R^{s2Bs=8{KzA??>~2M6hn|7Ny3I=L|~{05@a@4!dW#&6~o~ zefB*D4`7C$z)Qz4dnUkjXeVfYS&Kq$g~zuOB%SH3ZaAZTnCkUzSbk8ec~{gx^s+HO z0yZn}kMBWt?Jn=0lz%*TyZPPGxBRh$-~O)F!et%pv*FiK=XZE8LjXhIZlcM3#Lm2Z zpS8>;1AZWXEh@~kt9=?j#m=#OKiz`f=C&+M^lM+KG0*}`bWZ|<#Km7tpNnT!Zp{G?hIcgdNH)V-h-x}&hP|Q zh?ZvDQ1(t<&x;K{UWi9jKib#M*Or=}J&o-?4wh;@#-nL?>z~w^?8iT1f!9C0W^4S~ zuU6@h+b=&S*7^5EofU?7uft&$bxzhEm{C3Fy_*(Wr}Ov7i_Sq;I}QM{`o>$OhCK@3 z6)3d>AL@xTGS{J>;qD#T`!!&nMHlpN`X$M$@1XYWzL&?O(BssYhG7QeyW=SvbD8zH zKO`~CR!h&N{ZC?yg27g7bBWKWW#d81^u(p9^!c4$)Bp!$KTJ*oaE0-?5(}+vJ*3!@ z+bI3rTaFF*xYO!rVc#&nAFAPd2Hh`DXT$pube*n?9sH{OrEPwxYTDs&+3WHMA3njZ zbvM45fnxXi+MmHu>(RFqvp(tfZfLG`#Q#>mX4F-ibG_Pvu#p?b1=nt$`6}OW6O#z& zdS;N&ceq9~cz*c|zp7~6$mw~6uDvSVt~<7ymSWy3X{iEVUx5AofoHtHGog!qfk&@k zZ;ES&w-MYM{kMSN3Wj!YXG;p_t3)oSF~VCE9Pn}ZqyUH3HN8o;5{m5zMrl<1SU{Jg zIWxPR%F)ed0f|mY;QrLfFD_xHxxa@;U#BBEJD}LF32hXd0<2hB%Ac4{rG#s%58qbO za!E$Rvi&9LRF+EMPK62t+~&{O&)>y9e)G03nwXepEJZPQl05Y6yKO9nJg(JIR(PkXG%oFP-vdK* zP6qxMt=pethbVg#Mf=yQgdZ#Jgy1IqFnLpsf>E#5%dSt)QoWDVvRS=Z45>+^1rjv` zvXY{j=#YrhPe)tIB|+Sy--E|6AuDDdp@-3yn%V9r)Kf@kBk4WpbPyW`poY|ya5FP0 zm4{k&r%Zn(YY|gUW`{P%;<5-Uu?eb?Ihnj@&Ymw()z}tkM+^T(ay4Tf$-J;XHcs9y z3t!Y$L1n^!+Z5%YaVpNiagZur7=sw%WZiPl!VsN|?cJ+N8Pt>e9Zqq4|6G#B^c+w? 
zg+)Y3(5fZ*haUw+qD`CTEDDbjw@=XEoPukmJoLAo32O);zGGL8{N#@lGvU_!RmtK_ zjDO8%lG>1!!3jUE_G{24LkN^7PssCf>=ZTYweA`X9e6{aXqMl;|1oi?*2_nB{XALJ#jF@*~yzTJtyw``#OjG6mMd`+3ma`&K2Rg!q zN7815Is_)bG|{qIrzbI$Kn3PI1}`&FeH+iKojw`*NnqbQFC_>IL+GSUU52jj|;g{|w^0Od-7*$Fr@8 z?pDGAbcDE-t+K~4R({)4w_sSRqr-NWOd&N0Qvmu7Dj1fm7c! z2L^Rdn4y50u4Ou6<@v%lsSA0*Zik^f4D|y_46*?2M(39^ot7Yt9+&6zOWN+u6gWM6 zS!n#q0!x@EacdDp~>+w=LkIUMRx;3s? z(Z~-pX?j35B(QEI0<`tf{287F-gz~D+YQPj1a)|U>Kt2jLD_FZ90Y%#%YiYeaHf_fimz8dw$8pdY zsQ~yytA)rr`4J8rMWzK>zO3=PtTqSMA19;m*J=1}9nZ56uB}zL4=uU9-A|$XBjk;G z{@C}E0^5&K-wAbWdQM9V%=xyC1kV^eOlNa+DS?MP;m+G;#%73u_#21VBWt_XpkLoE zwlAU;wp$L}c!2s26B8&D7uyE~L;A!$o(D8%cGuZJgS%TN`nKnUVmo@UOY;K|9_aC0 zZVTRvw{<$WtnxfZ8ycYRbn@ht(RX?Kcs1blUTxpsRl|Nh_~T}0LhZ%=z@zOQ;Tweu z^9pKoelLmC@3|?DZjndvd}>#_$mH{TFkK1#Mby?pn!^6!{s-;kcnJ0nsg*AyM{}b9f+=o3l;4?m~P<^*8l|M0kSydTp+;8U-bVX*L zbq_U?AdZ&mtRjEUftQWMv-J8A+pz6UeFMFMyNn}na_uv$EN$`ShbD*w>Zp>g)h0|1 za$J)CY*MaUf_F`g7V)XA+u{(r*2ZrIlxsQliyiv;xy&`v@;poFVH_sb3`it$12*p=6nb6g~+``#iOh zl$r-;M66na$*NHIXC*D;o5{PM;LkECp}xhwwu#0a`BJs&0<)!(;sn>FGN^wn`;2(Kvu}quaWf{KnhQ%1c>uF@cA0NRop%N{NvEiCXSD%NaRGpNgs`~3! zGXB#jmW>C@%3u9jWJeKJGjpZ<1sFj)@f4|wJ%uxqFP495QsxI#V_cG`)!|GNriWcR zYwjb$C%-omh*U$WlvGbTU-GiH-F~0@lxEb5DB;{R_b^k@Cq{$tG;fiHjKE~M2+6{&e! zoGvDD=1`UG>HDq4B~;?zxYq*3~svcBA=n`J!d7oj4)gs!{_<3GO#@Z`awkoQy@ zY_{vOn~&w`UgFqjeCmnoHgF)uRnH0y#{e7dEtVXx0jf%O8H|-rn89{)?OZhxQ9Nl# zV(D|*Sp-2;EE%w_c0o9CNap^$?2reRtMq-v`U@B6s)KCto_3PfLS;O%L&HrDc+net z+~tSKW#5matHkrvbZOAE(*Y3Kx*WvPOIA}>p;HCs&*_phOHryBZh0PX|6hp(e@i0i zPWuS_G>`Vdx)uVrxdbLpe?UE<1P|Z@kTPE9zK1?xgM~hK#(l(y!IE*kao}?S2>>Wd zp~~^H8sD~M!qttB)V6gg@<6luO~Rm~R|hqDhTrY8gI_16c)kA})80T#H?JM_aRZ?f zQd7SyO(Dqd=)1pR&7d>zcXi^`_qXwMoz^y8>+zjWE#-dkeQ1y{&=aYsZV-D+O0Hcs zu3H*kk;ne$3VaXg@QopQJ*D5~S@s0_m;~IdiUB=}-}?_^e|(hMiZ5lJzMMVH1O?V? 
zpREY^KAZClNnDmieS8ESdSHX@kNID-Ub8o>o-3ufy+=fJ?jQO4&UvrS2;{SJigi_9 z583fAx^G)Fx-6&On?Z#3mG#=5n*{t-EK4;D5&HQ)$ z-~O(AUc2wb4$Vt*x;}FMeo!9*dc1Fze(G5!esRmX!hevP=(0OH!2S$A@e2n&zlu-D zPOp0fwlJ*!h6eBbLMex5&~1@L+dRh>u%zuCZhMy*Vq@qw3$^pzzoG*^y*~@+p0z|@ zk9%Gw)1+(wF0EfR${D^e3br zM`TaeVdN&!q*H3U(Sb-RkL$N@?R!b3JxyRH83I;KaJ+T%)=m){A=!3&UTa@LCHS4# z72AYw8PM>0VjIH;jlOOS-~iG)~J;PM%;Y;bRKpHIX8V zLxO0mxFeZ;YMHJ2ZAWAf+PSH%nu9S3T zw=C~@E=Mti%3hs&L$ZmoT7${hZNrX;fDWZ9QoTsf zlFn=qx8;t9212D5G*uZo&-lksJVQC&7(FC_ zhJU50lr%Ai*p+uTEMzRYUAgV6`LToQNkFtPoq?HkdPH`iDFM#oS469J`4W=Qu#8b3 z>&cBIXiPCxGVU;ysZ+=JhEmokWuerJO!NKd*{B-=$czL$ONcGv#ez!Df|$x7n%m^L*1M8M3|Q7G)eJEXmo@uGDkGdE@cr~p@;9#=Z8%e_O3ITh zVHN)yA*cRc0X$dnZec~`)~X{#(Dq=qddz4DL$>7QIlw3QLkA_AU!HuXIT1rbtZWZ8 zaW|!)2#)rv1uM*hOYgWdk`12+u)@IzE0{e+9}SEmQ?DO^w2SN$%FU;f($uh@Nx(|A zcST>vIJJtaVcEZ|?M9sp7i%#pH^e8{DQ5_JeHA-flg3vlG0Kur%eN+hVOwncf#}R! z9_FBzR1&XCC8s9Zw_h|0JIorzO}F-$ZOn?BpjrtsWb5EKe&nUB5;q1WRVz_ZLaW4? zcBqLoOPVi7BD(XQwn!Z8RcR^ZF@`pW6ysEMSTGQo{97jr&?+o$%AArtud~RNjc#MA z=yP-eng+>sv!;xz(gW{or9$ncBb-zN6QKUC55vdn)>lY|9H}oCd=OBnL#S zrc=6bElxq5UAyN1G845>gHboJZj>87!=FcwoG{zi@E6vrbO;a;^l4^iUGtT#TA+HD zLQ0m55O00VLMy|sFJHhIqu@&cHhtPOgcAX?KFnL(j0HwF!07#lsSoZM`#s+3;+I*^ z%TPnByB>`Ds)u&;zs6A+C8rqvX^7O~c4f>{@IV69Gk9Lm18O%j)ydNCSJ$6^cOMJ1 z{b%Dbsg(4kWxgIF9$pBgK1%(7wqP#AV5<7-gIoNntz%6 zt&8OmSA>Q_@{h6ol#6yJqfBoN5cl;q&vQ{92u^|xKKj$1JM;?qu9d>?A4;50Z>Et-4L$aKh3z~;CZ;J zS5hjU{E5QWq~Z~vfO)0gnB0c)D4-BcrlKMn`gyUYjOYGaz`KG}H~+I*KJ)uzqRjej zx1Ej4{ZH3*2=iz9`lbA{>;CI`LV0+8o!PVtL50ulDEowJ&l?sWsok)@%$O z=J=@q&&vd){M5aG(lI@@w{P)NrpKH4L$#gPn1!9SZ(R@1c6>JpEpHs3n%cj78fMsQ zZs7fxHW$$HumN9l+dT95yS2XG5hTZ}K+j2=7!i;CdvS_iXnXTQH{j8H)Q#toAGnn+ zx#4Btu-x*hljZz2)6+BRGT!ay{bDZQakA9lRS9yK$bU66Xkc>tj7!?OE9N|%~#q20z<7VVdE17WXR>yiL zHW($>@AhKXAouxU`Z^@lu1-Ab!sULUl&GUG_Ybz8*T-qgmg_W%oxttx<=FDyNR*(0m&`oyt={{A7eDCT zj-vhe`KIiiY4Tj325O0PR)0D@;%?|RgOE$Bx=+P;E*d75-w}MDX9GjG7&(QEkog|J z8ZmZew3{a;YHaT$%cM6wuHHQmoV-`!pP1|WPPwgYe^9wc_Yl0kJ+E}uAH2AoJ6(VM 
zIE+N$cbVjq*pA=uER06p{?}*xPlRy2iAmhFE$FM5AvCWk`(ifDM{14K41Ag#z zRC&_P?4}>tO+N@Mgk1wxh{CW&4b9Z5NaG@yKV6I)D&ry)IhkW~(Y{DkDE_X5^GecF18lev%t(IXqV%Wk zP%F83RQl{(s@9(lzpNDjrC;o)3EIjBN2!eA$@XAe^3Wb{v{2D2L$uEq%}}KV)C@Pn z_W$VCT05o6Y@8OU3REo)ldJzyF1}pks=VmXt(7-4K{~dFMzwy@DzxiD49UGIX&6)o)Uc34O#SPE@D*Wvi5wviP`O#Igjr~>u zbvyy_eYjx|e!BYdV`u&8Zwm@BTEr3&8J9TtBt-bNu(aJJ<+!0WT>sFj>6v1G3hXB4 zFSM6ruw*20Ks-jO3di>x6|28SbZk-<^BfDba9ki)oai^@JVxlGFYT*}mo2nb7cJiv zS@)%we^o}S6DpA{&!1y)Vo)SYh0>5wn^Hm>l`QK`J$y&L6e}Jt`ewf`j5UBS=dEbH zBz|ue4;r9NhzoY8XW364#li2O6TT=0#8W^neMquYkcV(mn8JWrie!>dEa5;D!hM#NC?*f;vC{G8sxxsi=pVAg*!+9HSj*Fd-My&O8 z97SE0UKXTK(mB9t6oM^{#zI74!C-4K@{d`S8Qg!OiL_6N{7}S+uu2#siHt{O^4JuG zxQtGoi~tH|F8n)t_22}l#SnY;gAM?Hk~tsGS$m=44GwuWRSs>qQ1BGHcq`n>xp00U zw2(yH_yI1L{J2y!^(zyZMq0_@j0Br3i$y)!k~Z#Nm5Faxc~-I^E(id%A?e`QD5Ko6 zCkVQg$e)tJ_njxh=-S`O;nN+|8WEJgrm_tRFCrABEIJhnZk_Kpm`CYGsyG^iJ+=#S5OFTfHQ>;Rjk&n$3AMBGsg4;$6 zYn$aCN6PTTxiYc&f?1q?Xye7~{PW)XPMaXed{(szO3jigLZv>M!gkHyd~iggo2w%5 zo3zxiE=f3MjzYPS;$&)J5k)hISuo?Ps5op8MW+b&VY~NcX1$6exDIlR1rsLSOcmD7 zQ`ynqXjT9vP6Fd$-{-7gB#Q@4VCpojS@P8&C^Ux&$f}6Sd~0cn4>WCv_e0F1N$b?y ztgmq_C9|1e<;X}=#5M$%l(m>L#d)Pmy7IB1zVTS%;@G_2UM--J3z7I8^kSPBH z|NhGz(T`F|s|zG=7;xM5$X+0RxtA_@r#LoiozHk{qV*6x)?@4eA5=F(%~11kuhA($ z-#&trad)3c=;d<)1T-Iuj7}}V$$9qiJrcIo)KfiUI6u=};!avxgGos2Jo{6@ zDIG^i1cdLAU>(EKSIGPRdlViJ*3}G>>oo`adKuc*^Km#fKNBz7J~G#SZz2Ox&W*)k zrVN7~Fke%U0>QQ0J=b*l{hkzCKDKSo-{qp`L;G~?UtL$14>B!X&pnSscJsfcOg8<^ zuVV(!ZneOUInRry>QsHFjl@e$hu|r&@A=mGZI8QWpV&%sjld%-$yg16?#9ajxdhO2 zJv=q}iEjF3+>X180HE7H19X_V4^DLRIGS9k;WJq?U4HrWBy->~c(7dZ%PeVYfbY?{ zidUOfY(5rfIM*Wg zZ9Z1ppnsV761n{rYMm_5o#L#nv#Ed9Up>+j)f)3R-E#>clV|vW3w5i|dCclj`n%@` z7e0S2;F&WZy3WqFt@(Y}E=N~J-^*M0l;4hAqx952FPaBD(RdHXQ-gKR3O0v?jFQvjz;DLZGT|qj z>iP;hj^8BY=dUUaRh$ZIF}KT#Tmdf$dA2xPcj5HAc$4=2_`+f~)Zdfl2ti5>#(|P> zWWdv$_U?}?b|~DvFTI^1*60W(kEAsf{$oTp>uH#2`KGu}y)pxyC*g5s(1O!94p)}O zn*GzN({C@6tPxRWCJAq?ld(F_1q%C6=eI0`GNs8v6p<=gFv3{!C1lkyN>*5$28?R-^}@BE7Ls(C)+*J9WQMZKsag^0YW^Q49}8bX-eVZ& 
zp5vA56N_M^sS@w|YI0(zgDg|wxH;0U9ypKvt2Z~l+04_X(e0$yYejnwp+;{A7GbF! zbrD{nm*>_}bD1WjPuZiM{uzp+gj-W8O1?^%r5T&g3s9xZptc^5M$zPN24UkkG+u+K0bri|{} zp>X>m@+d7$f-0J+b#AX;+T#mYw(+yg%9aQr9zB9TWh=A)kAhqmdoq)G8uM@K2Ie~xMg$r!{&!da)Nr^QWfI_vC~T4*uQtlGuJw0 zC=(VgR_K1$8jI&7t5DgMJw>RyOw<@hQ#PwLF>-Rf!i`;FRZyUG&*bkIY&fSe&hbCC z{#K5Ob;TOv;`PM{+=OSz-bE-ROXci;NoU^u&bPibo~gER+MAL2>zc*kGQeYuX0b+< zNNp5ZW)#U~G*YKh5X?79ZLnHqFb4k2^WXEAg=a=6^Y&Z6o;=^~Ug*exIgRca~}O1CwBH25$e$yX?i3Z2 z8nF!C5+kK`rZf=$V!<$#DEB0-FT|h#G3D&X z|3Dd-qBN+DhH2U@M?Cj;t|1fBVn>em|A|!3aRce57*5?-*%8B!>+Vx!JeDQwOlhRZ zp)&xGT8T8GF&P9w-nF)wqI?Q^XT$}lC0WXDsH|~!L-$Q%rA74-+rn|teES9tSGC44yra_dC z4L^3>9N^v4pk!d4*csq0PX2^Id?7a7p3C^ zWJp--a;`C<*&`;0@AE^g?-tN$EtS@235cB%73DL-BdR&ed)94j$9LEV*W+REHp~=R z+XiJ&bFd>pzj|JUu&i@gm;0l6g1l$_WvqCv3+1%ujrD1xa@ym)R)ELt-p*U&WeFB; z)A2=9$7jmq7HMYd-tx}PtGfA84_n|h%ku%Uw#Rjy&`WZJs7cQ_)0A-Q>=_iJU*|yK zwGOOSY0-LnzK!LvYAxJ!V&A&|7;5P}NM4ZFe(q}_)Hxx0?tfO@KQZXk^(ktdPl@F7 z9cb8JBJ{dAJ8$;__&&Sb-Ozxecwb^(aBud21~;D|FCP){lH8NpxbwVMZ|u^?arL=?%?rw2JY+3 zwb|paNG*@2jg503zl@#x6YPZE!@>#;1AW)NP*2yc-L=zn}iv@r#GTluIGbS z_V&h>wUgniw#Bg#z1vM!xNU8nS#DNnec)_BM?Jazrs>AU%7!i9;p}U|ZLRM4JVLkI zHF9v*%`0#H2cYn1vbOtXYVHj4xR=M*`6*!f1BI8<69C-o)HqMYy5eo|emQy&%jgHE zbk^A~FGOB~OPe-d+?>5x83p{!0U@vi)&;k0VB6XY=hhT{rBuM^(VI|zc*lw0MUS7-sk5koab~eAdvW= zgs^oY48|?~I1+9Vp&@X1BmP)$>n=ms5|y>Ed0G`Y5*T!uyZ>C8&Bj6h(;;z<8wz7P%CZv-^cYcNT6VSR2#$I!%yUWN-WGuWhh|%| zqAfZQ;&cjELynu9RamMHS&d`A_vrXC_q=oFi!!)pp|=)r+kNKnT5gVe)Pr3o~jy+Cedo zXRD-26Z&hIvD`OpGPM(H=nR`S+r~dk?L#os>;?6cl4pIo4Z!$e_hIZ`)H#;B0Y!6D z>yj;01tpLs=!bt55#(>D!pGGs?3=05ETHX_tyU}(Eop64I$UJ%jD7hj zn_jV6?dcG_vxd&$YD|OYC99L2{L9PP%1AZI0=;w|0=Y2?H+hfNxc?q_EELXDhSFv`y>S)yLNKwaBYjw>N4kMp2fmCsW8x#u$<5(8WSC=-4$EnsHJc+SnDc;vit1wk{|l%?G!TSy$vd01b_-Szk0v zelGG0kj$17$JDbvmvz#+UY3jrE{1UiV|K-|{drT|~FY@{r(FYZZn1%?r-{um`qImSK{O2Ko@xM{9Nqi5+ueAAcv( z_)T$B6q{SchO+X$#y|SsY5-iCYUOWTB!b620MD<+43+BRQ)ldvV5on0?)7T;saio} zsp}9&RQ>*{>+zMQ%88yWp%Z2C-{a(&#)k>EM=)lI9H0gC>{xjaWlp)uL;vjt93vMa zBT)osiut{6; 
z(JlM4E)2_w&BzsDr6Evq5Tu|_xaM27XcyOO+n`yxJY+S!Gb$wCG9LZ5GPuT(oYSsb zsiF~Fs%1<1!S*$@Qfx}bvV#%8awF<>UmXw_mEO?n5M9e6qRqj|aml3szLFI}_ zwg2Q%<^PqdDcVf(Z?ZAc6y0GXZ1Izxmumi9ALSM@&sISKS`b>E(}FZ%go6tsHA}nR z#Q|Eg`l)J=67{&|l&_YGgq$LcpiQZbQ;muko-!oy&q2Zw?jRn)1Ri)7Hw6n^YbTwz}hMtuVrGjs12;)l=CtI)_uiG3az=QUY)H@pkbje>+;JT=WtV;> zE5Vvao2^L4C$lSon!c2rwQ(C{-yJ?cW;o??J*NMsfNzmPKi(nk<~{;@R{R)oawk3! zd!%*ivBdnYl&4+4*O`@&Ogrz1*SDk5nG{7voDjt@l6h2dTUa}Y>c<#x)pg&;?F>Ya zQZ5I?)CZ;PBsY_6-<1UPY;AKqy_PF5&~?EejqvZ%&W_4sTWrUHMyj0`X2S!`X-c_W z(JUO~L&+@%-$|bY(S`nFC;?05?k)ZMlp(%t*ZVCG!}H2({0fKH)n8k}_4hCKz+79X z50`8mDS_?9P0EJJtsb1qx-B66nth8z&-?Omi-4|Q7}49X+)Cd5UH7^f+uu1}yWrPB z=;rQ=7#R*(gKnyhliVhv&bo<@$M5EElH3>LM-S1P(+b_4py;0U!{er&#{(ZiD(Mxl z=+Uos5V z_Cm{bV&1r&PW4ZxC)Z^9L$f|cBU0_!Kxz8M#d<6H4!6T?8vyqUJaC-$Tc=BnE)2vv z*gtVv$7#gt5_ocP7R{Cs?sQbKmAdGoum6I%SA1)yb2^j@avn**z0NQ|c1tfw=`@Lb zj@5IM^!2{XDdp?jlgDqJ;pLJH<>-0K_Q~NioSF~@B&XJF%JYkEUgjsOZ@qN0wQ$yZ zuk#v$L^5aO7;a0jMa&7VE2pMcEe(E0Hhgrm`X1dOeI)R$_#OIMb@k{Sg;4%SZbfn&~Kly-E!V;IK~zx8u4rOoF;b5Yp?HzP{13Im8q!)hh=oZrtCTo zj2Pvuao_BT+Y8`e>lU6NG_e(0Dwybxbya4=RaQ_qd5;iaPj%csz75tM7YGw#L zQ{eOOlMtJz@*zM@wFSHKW09XsY7J~e?=EA*u6_KoxQIh1b{PvWK8wnd?S}1ffO4Jt z)g26_(I;RNaP}VSmAlR7vXhwe+EI$^J@4fAxEL_Mp-MiD)y5`kg6ZvgVao*F<#pj{ z+MH93ADmZ{8rlGT|7>IV&~k=eDKkJa!Pq+@FORh`l{Y^dHWvg%*Qt+ECBIqL91tRW z2U}i{ZP<$kw+1Mr-@9rItYD032^-0W(^;Iumq$29ip{z z^~9!0Ba5A!M8e|gqjMg!!{s*{3L+{h-X?VRwMWtwkkL9!Fv-u# z?gRvUm8MLjB1>o!G}9!rdgs(38AA~Vv1)j6pTMD)KxvN*=o6`?6=P2-=6_R0{Irm+ z8A{3-%0KB45_#dO4q>VxDwlkVY2XGqiGB_FMoPzv&iS&<_CGGR#yEJU?Yz)a-? 
zw`8Eqm&p*DSTxdL-}z??1G5ZRBTThWSAovylrf70kg zF!yB9rLz^<#_;;&U*x)+Yp`XlnEp9BU|r3p>D+O$8#M1xL>qM#u~b;prp5GNpj=2q(!Dzwh^6$}qYJ32Da` zQlhlMq;kpj@9*=diQ-*(^SWG>u-}rY$swRCqtb1^{t%AzK+BacP-v)iZ?215DfHWO zS)o*uS=Z&i-m-tqe;)k6X31?WQ$f1A(7koI4Q=c{*1||Qm5b<$Jo)C&BQ6*ylBL4j z7Q;4;1BywmNT)X&(_fo?U9#dSPCgDmVun(!JvJS`CT=xUz8Sr#GQ`^vbY-oJWmFAF?eCL8QOX~U(o5m49kLKq(ia^k74LwL zx?K}kq7;EDYP(RNIz^;dg!ZDe{7`KrHuArg#KJXM(@v= z7GX#|O;!}ve9P{kraRt^;S88X>H(9$hCC&k>a_x$l{b>0~(<5f8(lxvLNi)J-W90&J7zp-}8 zeVOHWep<*6eD6nXX%)NI>(reW2o1TeQ2utxXMW z_krT9==xRD?a!q8F$?@D-op}2@PHSb_I2L2<@2Vp^B0?UG#H(SJ%?2jn-JX=&t$`4 z#imX7<6uTU+f4i_RcmRKb?f5l4-ED!!1=7C_3oW)sq><(6V}snuuW2+W9>m&FaM=( z5xe5yxqMo~I90XK#JQ7Qmi~$M>0z-axud(f@hGb2wLKHqSbYF?T&Wt~2(@V>_B_q+ zegSz}=XY0l3@EVK?m-1(uiZ0o)ie!PpZ=DmY{zfz_IR%x=c7c<_AzqvxX0A>+M8sZ z<~AJFOwx7-p5kkEIX(DedjoZqAXX3y;;m;G)A4oA?&HW0@b}?W*ISkUj@ypthy3T* z@O0l6LRa%=XsFJI7rT6uCH5L|^XRr+KDA&39fLTv_aoAy$1^-Oa9!vh5ATz@Fu1O; zEp(g5!hJlD`HmYgHOf6LpqsoF4x;dDJ(B4et5v^sw=D@g&H}RU_GjCev^slp`p)OpeI5B0$97@W^$VGEnk&q+ z2u>Myxwe-QBZdyIH_Uqo(q{W)WO>HTyrxgh%HVbz?756j~zth3pIgJ568Qti7{8bs7!A z*m$2;%5s3WqafKXAkMo^u>TaeU+W!0zeZIGp^P5aJ_l5T(+kYyLl@CzXK$jFAy&B% z&%dB%u#XmqGqmt_wSPb~@i(>^B)hq~mlT6CtnATD{lu9*k0h}SG{!ul@=5UFZoh?F z)6Z2zGH_T+87E@jStO|SvwseI!WqkCTH$Vqi0fnxrD#73hMPb)%9|#%4Kk$Y`W#|*X=p7*` zzrvkb)y$D`$Ex7I3opRIa9Z;m;UL*Zrb$Z1`kpXMBe`GZ1}L81S#sr($zgk1WH?1o z&Q$y)q@7Nk-}}?VZb1JXi9R6060vN!7*0-Cc%4L|eoQNle)dA2YIqYVD$KthdU7ELw(@O!Z+CS;__ zZQ?Q%9v4VwYIgH%rp06uianQdG*@rA2w_;5R=hpJ3exe8-5WrZCq=B=<{#s$u7fxy(Yt@_=(BkHlZIHM448B`~a)_x_@lW^qyIlb(_4 zyKxaDeU~rt8)*C*r-^jxJ;gv*DposQL?2IKNU?C9X-;#wTje{h$fO+#%vy`mrko{L zq|B)c7Y;=T;T}EO3%n0d92=4%8YbB`UDv~B$K@rGVJKr=j9tPhQ_ZIwSztx`mxjD4 z(L*4{>iKymQ7k4iX=1cp537)D{xya<9Ur0!YObR^3J|S=V0Bc3H7N%_WkjvlbFaJ} z3;uIC7jxSMvi@+`?M0=1srm73!ktskkRr(HdC!uDDJH`hA3DWBL~fFIv2ODFs^1EA zpw#q{``@Y+lQs=?CX-CTq_G}KW}@;2wy+MpDy?GUYNarKUFl(EY? 
zvKSOZr|~t^R4G{$Yp{&PECC^BEOG^*-WEG}t3L~j65m!no$|2WQYC6c+Qq9d*nC&f z3y{L$|KcUUd88@htw#M6BhO&#g#v?GogjNC8F7iJM_lhkS<@jE$^2{c^hvH5Uv*em zKZCCLx3uzK4?S;=UMWQSvBthX7@>HdO4Vsb6e$Ey($=_CaVZK=DI-TeAqnE1-d^Fv zb-4T2<+Y*4MzM>l{y-XfS8uo$b4&U1S@CbXX|AwzM-!L)#E%5U)E?PM?wJhe{}vFF zIoB5-5>Rl)I%JpC?D_-y>{7Dup7pZR#T?N6R=gRM(|6WF@ki^gTaY5y?^bRT*19=zU3k<3rhvUh57 zL|mJA8%dSx_+4jjEK+C7zSm2&46b1sV7y#ynON<7%zx9#kmYsPOqcuBdG*=;a&|YG zv%R?1v1NGj{{5$^m)reywf)>_do`q8d*5NB>=(}icstRjdvpIDKX{`33gI9u`5&E3 zndK?{N_48rP2qPtNEGnGYgv3%_zELre>&wI8UW2@>>tczy&^qG3X4y?{Gg4RCUn?&X85HX*74Z zYRPjMR31BXrRvY*XRUzVdePe7Z^CpdY(c`m8C;z>wzHdoG}WCqYY2hehKKV@>vzG& znGa`zzt75(RJ<-dfaN}1Phpz&E_3K!?=Q9MRn60qfK{vK?rq!I)EAw{ZNi8KIG}(u z)3(m_oEz1q)0PdEmK$*Ho4|YIo=Ttr7<^#y4REV)-3uV}hwS~wZhl!XZm^vD##JjzAnKUzjZZ1z+opBCAE-P?x|yACSF zH0GI=4WwIbE72}7b6(b5{AHHWGYXu(3tBvj9;l#H_7FunqtKRG%6OoL<$0uTAY?|e z^FJ?x?$8<2tlPw-wCpF$RcszttQ$E?$}n-qB%2eGsi~jhQletBcCSKt@Typ)4QO;6 zWng2aXEcOM)LA)wAfb}dKwQY=IE)gJ=fiQK@h6+j9rcqcn>b_3YP7;T$>&BR`1Oc% zT2>?FI1inBMK$R?T#nqz!7ARUNJAa$o2d{rAbC)N5-yoT3MdPu9(S)N4(FX1`+{ps6?iRb=s`w-C)t z`kkMz-C$BCow~hX93hIbK7BTa!X}guQed1ycn3{&T4yQuEmEV&&5!x%C~0RUbIg5M ziI!iIceU1Tf1DOBYNo?ewj3FFe&Q-mx`KYrQd~Ca^g|QtQ5}-wFN;|l_YJzmIJHR? 
zhG_mOG|a7(BFSV9g+FXjlHVl@xamtOhL2a5t94)oP~6*Qq9OH(|3bAmR$eU15o?|) zs9?!a2aSnXa`n{=>XnjAL!|FQWL*QNXc9uUFvGNG2nYt?|GpLJFm6e4_D>|izh>NsCi zkC?Q`UOLjmBgFFW)4HGfm#W8de&T_2MdV9dC-G9udwrS-xx|ifguHldSJh$W>D1kk z=C9gKztcCPbn)IE>3>Kz#YlcDAz$}%%uNpqipt_ z(HNtRmTQfFnfT2wt86fT*cs@3Lv(zWeg4w3tb9YLU)^d4_lMLI)t7(`x_ltS0Z>~W z{WB1_`*gCpkUyTQ&WNz|y9T4wo(3G+kY1K2f0h^9o9HbQCyI7&ST$ql4` zMV!CZhZ;OtIAT_lmi|i$FIQ+ol|Bn%PtRx8Ab1k5k}g|l&^n~8=QiRC9T)p4+Va9> zvX-dNXl;Lrw-;MGD;B|`LH36P7KmFl_c`Iz@Weki{6&}z%iYUu%`x)yubgP=)DaR0@ev*Tay?Teo|Fp&45bm># zkKpB3;J3g+5*)F=NFY;)V3#jgxIp}ikS)@iDTMo;Sk`MT|@R(W~* z*u2o`m?Pc$^gMa{gurK-vC;i$Lv?A@@HPIM<|-FxuRdz(Yp~Ya-P3b=x35h1p<)|bc%fh$2`;s@YTKn16&C2w&zq-@su+45KoVV&W(<+M# z0l<24dDjzP40V2_OYF#PA4;a$syEnqf_<&7U4>XpbW7kmBH6BZ-{lBw4*IQIyQgpt zxft2Lzt<5st351-%k+6H*VV9irn70e>G8=p+lH)w*1df~!AbNJ7jaTkKc%M(r@c3GJ$@1fQ{fS%6;0euHZuc;6~o&g7pjo{y_ui$Ts@ z$4S?yfX#M>!sJm)2 zPdMe~G>=$O{j>)onFYGA;LPY8tY^BaFLpnnanbF5>F@yC9Zy#)2gG+ZUf^+Bfk%fR z>$i~mC*qe6OFXCE=KopZXpmFo-o9W4^X?X~e|RVhFeA`7J3jgpa0~Zw7R){dl>H0+ zdfvmp2XT#kr_v#ZAbbwJLSo%TMJh(747MdJg7H;`CQ2g6{nc-0&eGT+XP(CJdzX$4 zXH*^4QIV08m&Z?KOniVc*F?N-$3wr`rpY!4%Cf{#c|(Ig`@sn|ocD7q-6Bc475=0c zK&9-kB1L?iP>WW*YUQeURAS0W6e0DkLM{2XS5DahAq8gSIkF!zE=v!&d6^wrNyz*c zB(v$O(ST?a!s0EF9`Pn(A$vWHenX43iDZw-&odb;n5D{0CG1>y(ve9zjr$oAWy+*t z$o{pJWhtqZV!dM0Mm%x2r;aDh>)HqeSOXc#Gkz$vH-EV|?KF#irRk4Y$n{~gUocxU zGsIePCP=_ooPz8+_c_gU@}<@n+ZoDm&-pC+8GONx&yXEoM(V!^wd?>^+mM2}3~J@> z5*fuoiNSwjpT8K8G0@_x<7Y)6j7ja(XpKME#?=w3mCrbRT8QBhut&!!6cOe?ZH%2! 
z7-C6JqV08LW$^!_sfcSoB4?*uq2{@imJsyI{b_>A*llN4o`AP$aga7; zW&(?JEN=fT#+v3)f(^5*Kdf~5AI5IN&vNp^&IkyqnfY3PFB4KQ6%PJ;=wAt$5K)xXA)#xn-jtOg*6_A8g<~|DLu{dqZ zMRC9}4T(09=kSk?(*{1UK;rIS&JxyE&<_;UlySO5dy}xePwA(~pnnlRH?XhQ@c_wOdLMQJXek2lJA`qsZ~gC6rPA7ciy^Q~Y@ zbgonbKZ%DyWf*!u+{kHRQuX)X&jm*V%sB~)TwP`plFD?kz?Q6*${GSiWAe|WyUKU| z?+qF#UxJ?^p?1UP{stVv;8*0MchRftB}Lu|Qe6fzmi^8VnN4Lr3U(#40PbAieHr~V zSE7?*MIpCTv1~^kKTGq~Dy>c^aZWG)n-NR~@!DXX0(}x{@j3yp>k6h+EQ9WI5XWV` zQlXyF4euDP>TyhYc>ez^`2jj9#{AlC|}&ccuugH{+W$8@Ez z!Fj>tVWMWMN4s{;*dm5>-#@De7?XC7g_Ssg&X6D^NV%|L8 zXy>+l0;Q1bvA>U=_k{@}j}|-0R0j#M0Y;A?VZD9BVR#^>{^t2-$9kf#LhFhnOsgbb z;OlEAX)m);(J5?g7W1JL^%ryANEKgW6iY+1+6!(w^9^~$Bq)~`iR75FOu=-*p#6*m z8mwD{V-hvze@Ka>CbS!<10e%e^M@>QXO6W|MW)8hWogEQ>?c3sYvysRup-SvB)7=p z2h3qh9S{9@e>NINomz-33 zt8GB`wS(B#wz8SZtq*k5#EvFBCN}L=)ok0IpvL^`vnz13XIb>t%i#gNnYxNLWTm*| z)nc<|cW9k}b1D;{WBa%DvAOg3IeF!cskz!=&O-B@p&57uP}`e6$LqD$bt3l2;oz~1 zk8nPZmgxrPEUg_^c2vLYQ)H<-S-63%U8?F8JmR7Er4Qe?o!?&ZImJ~88{R;hywu!tIuwl-*5~IZ8?__!wdkxVG z&b;Qc&IA#!9y}~2>?^LvG*>*o`xO&-^&zVgJS98KqT^Q+LUybG)kLU#=h?1jL*;4Z zd>LIWI5$C01Igi+{Y)FUJjYjbvYRJW7Tt`Hj_xfe3#muWr!6CwvxM{`tL{bR`S$7d zlMaXI-Q_oX7qIdj%9eb0md~?mcXfBINORZmrA3y*HR3U0JZQ9bn6NX&-M72P3rxl9 zWz%V}-FE)UIaCartm~recCY#^&1F(ynsMc*$Msa3wop1~6=s-NV|zcQeTnEDl)CfH zLwEDfb|VtUs{#0I(z|;bt@Dg7+w#4e5CX7)yym>wH~_o7C@h(dU3sxVPv8;J15XIyCGhZ^?l`3p+Kf2B1%z=pAvpB8}{LXn%=a<1uq3 zg39QpdXg*3%pkv)c!gM`Kx2|k_`?p3F~oiqkC@R1cytO@qcu9JIyuae&q}^S;xPHJ zP{kxpzDy!jqF)5|)FUO_F-BC}|K8bWPm)Ll1QyV&52_6(hzo}()r`7xgdu&FxIw3E zC=*7fJ}!i^IU*NCpZS!}W8KzgMo2eU>p2j!AGbapEhNfP|2c#|w8!SU>y!tnCsJ~i z6c@F8WgfC!GKsOp%cm$u6=j2uUMXE9g!xgZ5@J46BJ-kv7)_RL)(CR8P}`04{(TF| zWv`N9{sB6DABI~HN+AyAZdtThd9@QkI(z-DK}fAGC&dk2wYorADf2VD-*w`?NDCqS z;Q}q^)IKz3KU5iNrh*%RUl23kEk^_9KwVlk&R9+~=XJS9_laeL#GvO)6VM4^?<9AW9weeKG#^?F_ z%aiO4c;*v0o1^`jZ4~(IJZ`Ur*Y?PK`42u|SFPCGA!%!hT}0UM;;BH(@}QXUNLgBf zSjHHT^|;ALV)8xba9lh8>IU~~J^3=#uw2_CQx${*??uUrG5RI@0uau!*zxgp&G6KB`T$>hT5e=of4VlF5KP8)8B@zssI!pJKoqhxK|#j 
zmgNdpaCHjDukM(zVU+QP%JN~XsW{~6Aa@Ur3Uklm&_J<57V}&)xLD>!j#q~TI| z8#XMsc#XLf$Cx}zXs!DEdVV%ZFXP8;a53aP{H*&Y$j@dsgYKzt7lUbBtK8qE$2fnz z^l@DnNqJ(gz;}>F+VqcA+$e0RJIcSZn&@U29H;=ws*-&5X*qN16E%q$dI^Kjpt;Q0 zE1cB4;dz|2QV%F{N6Dc4kw3rb{X_rlwP7OVePaGGWQzVd^|nzWy0ke&oUy1Z)tGm= zfC{nPgoMAyaelFr4~BAI0bphVou|kege-|UiSfff?#F<8BTF7teGKxgQUAHDpwjSg z0hh#~Q9M430xf$%e~qG*S!vLp6t|i@E(&SuN4Zbu%7S`7Xl5KY6pLMP@G0itL)u~( zk^b2;m~r+u3B}MFnXoA4(w1ub3%14uj_#!p4`Rrn(!KkRqYl)Js9=m;G_n&;)nw<5 z91~zo>dpSQU{~#;J`Fw)J2FC^)f=9H)7#I-*Z&vVQalfzKnWNE0aiTTgWo=|-a*tD z>0W`J5pOmCPkZ2S_kH`5OBMHPiN!_#)9YPxb*sblSaezO4jrHUOrq-h(}p64A6ECC z(9@5*Qte7)lyQ)wv?GvH7C3aa?WGMQ3p4j%;iU}U_S0I}IAuGI-Mqef&)PV)J$S;F z^?WOMg{wK&9JT5 zN>7e80o_CFOdw0qi#<3MFi_@YEV!<`;rQCSrxM6_j|Up6qRaf#a~%8iO8pFOZ?QPT zC#q%JXr2Efv?+MX+RJT{L1t1F;wo>wipk;5=rE7fuH|&}{Ok_y@Xs=jAEQVo+Bapo zXx`ul{jPesSB)Xua+L{5+PJeVbH!?NTfHo!GxT%F?*2$+1Tnr|g}P*eX7ILoU|6yC zpSxcU2XiuIz0MP~Z!9;s3ECg9e^;$RjKjMghKI#mDptKN68vr6p7QAk>Nm1{RtV>^ z-3%XjzX4uGe-nR!fa`UgriZV2z-x_L?s_nHhF%Q(_3J#(Z`H&FS*^!O)tfZcFGB*F zT@9X~rAw8T75>Ap?2YDO?qmK9#M@vZ*BkJ07brP>nEqw6kG6cae}OagP*qdo1q`dH zUAH;ieLs2Wf>2gI*iY4^S802l8jX^?=^aTd@Ob{J%CFPqQ91tgcZa*ON4Edu3$QrD zep|eFqut#q@(#J0$YmgvYOQ(u{{OeM+0P&M`_>`H_2$_FJ|Ssp_mKW4i1{YSFP+x9+yUrnF4cEou`v;zXCK@Pdif#S{G_ch126r3&?%q{w)SSMFTN8w&@&isGd$F7*;IYn%S-g(jSb=O#y?Cnk*Y5o5H@KO} zpWj=tv=qc1-)l~#;A$=cK!Ou64V3$4i%16jxN|f@j`Rb~?X0u?Pb;MB5`y=P`sqeIqdwP3 zS*AXYT$nsa^k)b4M?rsNv2^E(SnJ`WN+Ngd1Blb`-t*q3No779M=CXmHE%a?#}cLVhd}8vIe;#a)~GH9-L?{HFD8~j6pLYuFb?q#ech&U z6AQy9JE-Pg(TsaZMSDhWf3VC+m;K2G#@RJm#XinjLdBA67pB^hgZMbAPVL_ZAMR!N zFef--m=q&ssBfIrM_u`C_*mxiO9@Yrw&f_b@*)Gh*QLc@wfOMh4r_B*K<-6yi1Orm z&~>JtWa`z?;zv;@jc7Gy3PWz?o)Sr|^UKuCb7U4Te*})n)vRePJ;E$0!}U8y{~}wT zM=U~z7R|?4Xs>U%PhIo@7JuYWm4fjZk`UwZ(oD$0;T6-0+y&DzKR0|Y!mM0DO%ca1 z9{O1kiCA!rTu)J0fgmC(p9^I$RHu6>#jruFnZ;#iD#OS*q!-#?(8Kt!#}jvJ@688) zhlV{bESOBdHo?4TY-G4Rw4Vd>IH)slry|D+t@&wxMye6ImT!Runz`jYL_EQM$)q1)HJn%DXH~+OMy~!S*{9R-#)zL*DNCri 
zk6)U~;y7?IZ%Ks<*2m!OC7{j^hLPt_zNLDq#>=q~No$}7(Hkn!V?)iC%$%dsM&do42zOU71Pa`^+CR9rFN2*KS>Ux$sHQ#Dcn-3Ryqj*3u`?XnAv>r2 zm@e5mZC6q2>|pN`&E$;+OZ&5F;uTA>s(hO}5ZQD=^gs)^kvGHPRyS$L{eFrMykJo7 zk=1^G3g_Y?5DoD1aOiGt@_cO~wBdW$xqRl*>pmt1t%dD|&exY0r)rXV=(sPodJw3c z5;jpay;O1{wNHG1(Az1TJs-B_hvaIHU^1yWBiq$Z-USZpszVL{jCSL+E*Q(!qWE~6 z6*?L@LF-I2HpGSh1&Fnt|-H_Y@{1;l=xKHDxydBhBZ({=vPuB`TioBYiufg?H( zdWNo_T0f=U*0((maDQWz;dg)sZs7>(z0II+%*?5bo$i)-on^LPF6N`L+om(QUUr+i zzIVP1XOqM{Cu=%`H+R8S$7`DJJH9Zg*A2%E`!5F$o>Eb|u|VKw4>(EP?t6JAqKwX~ zHs$C}YarpWyL*2%2y@IbqSN{MWTM=;Uae5?gQu|{&9L(`M zmz!;Cu+7$6JJWS*C}7rN+S}nbnB;88>lR?3ENr`> z+wJ-=$ZIsIyz`MCbg@j_`GzOb?mGNth5r~$wM15psH$_{N7otIv~@d`{(;qd@2hFq zeMln%tiJg0f__*pogxqV14kjyb;E#dK7wq|73k>eJj`1|^}fjQ2FPhK&@o zM2Yo$H1&sq{E)R=NrIp+%IWr*<6R4MD$&5B~tqqs;4i?Fvb3<+&GGZ)C_WLz{-t0QHY z3L?R0whXxcjjjEXf06HN!nv}UP=P;f2P*yIWpOf-`S!}&9=KQ}gUk39@Xb)R^k z=P&#wD4Yl8^SH3Q+HeN%@55Km=3Es1Phy zMe5MGmT=H}(I9DI>oGTcQ1cV>>s5&!4>BB4)38%LkBseL2mvA+JyMAm59Ft>fG(rT z&un_th*fu_#4}oxv_`S9sW+i%oW|d<8F3EQG!)Vec2Ej!O@j%CZTz9QM406qGbs{o zSl37zhNz{TN>lX+a~AUtsKuI|?SHtu=W*7YHdG}E1(M0cB5U%yucFbW#eoCszJu=9XW_RN0N&%~rqFPE5AhO(F)(GtumwbL)-!9ISfR2_(d@ePod z9M>pJfC_FwOhZEqO%#L`cJz-gvZo%Cj@wUBFhk{>mC2n@9jEz;xUO7B6$eZF30fY_ z35%1(9i72VMz(RZOC@sxRs}CiT=lOzce|<#oOf$%i)bUaCMR!g&z%(=%;AJL6!mSV zcQ<98;!ol;F9#$}x>ng(R&wkmpReFj@OsEnYM#I`;6qZuAESqGw*NG(H+cc-+t03l z&WiB}Ry0oljbfD~vj2j_hqUo7L_|`ucp3^EYm!3VptSc2!&Yv3j3cJKV@*+Foe{q> z_?xTlA?>JTjRamU#aJh|S_TCNM5xPx08dlUYj$UAz=luxGalCgs8l7ISer=<>v0sC zgK{eFPQs9y>La4 z6l$STzLaNF1N3E{?B-{s3XSnEwyzJaZ4xg%`wRM-vTROubYCQr|182tU2{evY|6}s zdfR+%=rrU~X2@MW;1{%hRHrzU8G<(6D4p-vhtXn;3Ey`g5Iv>ee+x?={nD0rlEf|% z{-B3#TC^yBFwk-*4{D}n*M`p~txtuNK`0$kJ7P1hRC<^xRj6cTHC|_Ek&BKWsRBWO zj4`dYaH@p{Wk!V7I^xtvz5Lm0=+U79v39Zi_#~kgR>G+TC`@y$OudjmI0r+o=}IU0A}X=Gr;Jp z4UO2$cvuWore1VSBb0x&@1F@JK%~yO;24U>LH@z0j5iWn^cX=9fvKE_Y#wRZ8VvKN zw?R@uEist8MP88APN6EEW}CU5%*I{9`W^s-Zh|v~)Ss%y#foGSv^&9^fvagK_|Eh? 
zc>rL&?XDgWnDW`ll&J6W2K)bFjxhLwfSx_+69*abVLmxO2Eg-a-%|S(?M%l)95x7^ z6Xs=JSErj(+xG%xK?ldO5oog3Z{X5sh-o?2BhysJwhGw6ABTbvzx+qoS) z#KiEH&ME62u(!=y)3ywUA3sh|o7B|hw)%F$@bpr3zTD~#=CAZtEM80&lc~-;#@u!DlgZ93nE9-tBkX_&VOodmD?#fMoOOY&i=py9bvg8py@U zeTn9@+evG>ET9f_rF>5Nc+Rx(;?m7$u^oJdZRv5!=<_o9;kHi!?$4U9)Xr5GPE8n` zmOwU@P76>zn&wZ!OWT~?z_Ix1Q`_~eD=UwJC(@^v_3Ezn<@AjrAmr#SF@adCZrlq$ zgUci_e7f7o!KiUQIcVAyjP0>JzYaNT$|v41^U(F?t=4fEXFaBOzFIy-s)lUvPBu5F&Og;XJD%*?RtKMNWzL}dY zXPq~UEsHX@48LmT?|3}>XvX=v2fd$!?-_ab&5i2w%djo)!z&v+Otis$7U}tbuh(z8 z>-XPy54PB#Z>R`zA!AjQ?H88S?$3jL)77EYni4)Hh1;W&y53B`$*I-rTZ#=Uf{n@{C+5R5sTfg zYw3Egr)vrEDS_y^fWNWCL++hcv3CKMQK_CEa044=2o2MS*J&e`Cs}syqx&yOq3 z6v(`!Ea;JTU>Fpm%k=@M#DLVs%i}3l$gG&>xfKI4yM7=Tev$Y#5!83~DrYVn!gZEd z|5!!O8E0jvMUjq^Fp0EDo3z8%P>>%f-nbEiOfE`p--svsS=92tLH;`e-r!wZ7y@hLWFoL4DWqxG6)}#KWUbzG;yfp)KijmZ{!9gMNuQIj?O| zA*_QsF2F3%wQ9(`u+JCkG|oSeMlGc#)g53wX1KX*@DI=KSBbuKrg(CAs{#uQjaHs~ zIa2SJ5Or|^E5}CK^rXJBs(VnBma}bzamph~&=0FXl0tnNIA(Q91phD%xP3gf3uPnx zvnVGDS{3H8$+SQo;Uukq=Mhq9^+cg4)3&<-a(mJ}@)H8=&wa`J0HhhtUb}qN{o1(X zs#Ioz+Ze9BO&qBeOL zIQi(ef2&Oss0Q%JaE*ze!3d#!%#x*&Uuv?J@R^Gx>n4(@C`#B!rSVD>49DsdR1{Uo zd7@okGqR;yoYP}2$}G%WnWR&tIu&Lw9D52VlB#MIqgNC0e3kl>;;_%q z+5HWT*VjM5_bg}Y?Fdyd{JeR#T+c>M;r?p>Z@;k@6{?=xBt=lltqQh*_VB5MXlpd$)Ci(BegF@N1g`n=KfxFhe7Btb1pVI}k#!-Y zf@rk(^2!jjS3oPwtynkk+nvUNl@f5p8TcH*=`Hy>-ABMqeEUJseThC|Bk9dk@ka#GF!AdUn<~C1k2vB~3mLQYTNnQkhh|cwGx+O)=BL(7H8AR%wPKxUiWsnR z9_(9e2tWAm(py`ljZ*pZ*HWp;3d#j>`3v$jjY{sLRC^6%qt@(c+Wya6rW*Oq5`*>< z_HpQb1x7p?F7#!w`;tmClZ9pz7Vv9-tP1+<4W!gSL(Fk^*08?=q~?{GW6Ga{CPnHi zPKIjW7uJ*bdkI?JbYB63Id5jK0QD0xu)nSPsp8AGbXM#ICt!!srmrmawNxKrIbKo< zQFW{FM_<)oNVyo*UmTMo8s*V2MYo9Y3C2Kt=POwP9{Z?Ll}74KCkiE^e&3?!mIVi0 zZwZOZWe(y|M~!%#ft8?i2a%v%NCIx(ukS)ZoevML!SME+Fk4!7kMkwKfT^#MVUL8vceu-w^BF651nGK`u&PLP(Y>5j%p zK^i}eU7YfF#2T?)L<+;#P-<>V!&R{`Wc@uyKc(RlwoHD-wt8I}+RtV><2&r=D1R}%JQel< zE%z@A>{c9mKU{zs#bdIe3ySKpD_es*?3u$xCr%w; z-?2~Y6WrQ&xIPnr;{nrixAhbM{^7*h*tK=X%TFq+_S<;4%T?X;&EL*jd%c^@tvAtQ 
z>;vnvjWYaqV~HqSlLE%uH>JlNm`@v3ch<-M__O|IdAK%qCcms-FZ+CiPiFBx9SkOQ zIfGVxxGXNyiMtNk{dv1x2K^<8!T!n|YtE2EZ|BuDpY7+gHDx$M>vi|Qu|m$O+EZ^2 zL+_`x(dG)bsYl4Oo_IGsvco1d+=yTuX zX?lES0L(bEX}BVmwd`;|dQ|0G)jfN0ac*Ay{$n#nqh{3rSRi z8tl)A0XZFfY!fJ=Sn9JPrc3Tc;D-IBSQ?MO6Lw!H(hOgurV{pEpvLO@rCED>jFo$h z-T%ih4JFmP<^EHDV&Y{du zA*~*aJY%1KA}N+c9wXAw&j6DLoDjue+(Qwm$*lzFQ`6TlCR+nj`HB!u3q~E(rDUBG zoN2bByx=4w)p4=#`0=M}^W_N=q|twMV?e|`epSr}o@R~L$<5l`UwVFwQIa%i=Uc7i z6J|+eDR0?ykmcZa|1M%v)&2vHTK^7o$C@%y{x!yviNW!JK-NT{ZnqzVhn8_jt8XC3 zGBdkSY6U~P{IS-WWP*e>_(PhENBv)MA!3%juU~?14??Ce^yD~F0Gcj|JCWkqsbi?H z{3K0jBG#DGU#Q;$mfZr*8qV`SMoW{YEOvb-p>&|^hG9sTX>&ukJB@Q`F}^S=j-kv4 zY1L~Ua^W?GHU5%4&C5L52`S=Y~eH^kp8lLygGH0%xSr--c} zg!r2H4H7YiUL&8n3xJIJ1njI2`(T}wyoNw>zLM3WY~11UhVAg3Lzjf3a8omdK(VPH zAX+LZ7S2A9jx{Wfok?kr&03N3CQ>%0APy*r4~Ku2c~Ty(eyEEe{v;}5AHy-5P$AgE zKAQANAB1LQpst+Kv~`2s11Z;6ntSmqxw6!@H_DIa zub&fhu%N%z%Jm<+{0R8(ljW=WstXo_U*;~M{m7zNpB|(L;n=^bUi{GuujyZW^AwF3 zk+JAuJ7*i9_#&ayiep%~RP$Y)h$({EfyWlL=AqQZDvHGou1xI@l>siuv07ewB#~f6 z?u2C#DO|fv+-XKcg}OFW#~BAVYnG;0tW^GT6e*Mh1W2?#|&u7M9tq(mPVGv>Z0QLzx}x<{Px4tnnl|MP4vlCcOC|Le^X?I7E=O+ zvK}GeGBMV;m7&$JlpSAMAV#9z9=Kq()DML)i0Are^j%>o{)}H zcllT|OoHwwY_o8uSPdZCw$zW(2LP@wlLL@0L?9Pr)vFWj;qjgrgVK&IaX{{*{#EuY z`{mpFe;)OJhxdysotB4Owg^XiJ|6^Mm34P5HBOfM5eEP-oF}d8sh%0J0Xzby1fUw# zSIq!n(LBrbaN_R-X*O4H;KlGwMeR-y==fIC`Bl-Z>GrC$x`2_}Iq+F^(yV!M>!FP< ztMmF{A?^`*gFoBNxmo@9L_2z?fU6;){!-mIK?6$LK%mPV^{=dYkh?dd`|(8YQS+up z&kz9jx(3W~--xeKUfFSUOMH>A{T9S8t3{aVW$fm3zY@vV@tD_r4O!}^=C@ea!~(9f z9?oxbU2TX~>3X?7reRO#gPnIQzEw4iZ-(AfSKyQmU7&c_`Uamd`x;X8fQNqtD+{UhjMG zXlL=jWOnCm-TV4$ml7~szMl! 
z>ON1567)TW%^n{BR;cc?ZS+9RT*3D&!MFS*Su(wSH^i17T?s|ROqd=wbXTOPI}!?7 z83K+%<>?ZgFux!&r7&~gZ?1$%PO^BJ5Vt(_09yI#!kbQOCbkEhs;|&Ohd?jxh4fCD z#(pSA(eL+Va;9|F3IBQpXDlhzw`yBurfiDR5XfRg^?jS^a?+wNe$Ms$96RI-U@kHI z8CwFiN!l-mDPL?(q#*N?Z1m^kmrG6R6~x#JwI$8KiZIIj+7FWWdSnPfTUlbws(t-W zJX{UYvuA$38*3^&hIlBB1^8!Lis60Z)OWp z=W!EXyJQE@b)CvXQD>Z>FX3Tz&E@-xHp{8I#t<_V{tr>#6kJ)jZ5?&cF*`=bw(X8> z+eXK`W81cEqdT^3+t%KH&R_T3`!Z|2eydj1x5k(Q!*+d(E9jZo13{NfYh6j`A+$zN*r(M@1sxycdARyqN+4HGRf8vdM zCSgZ)G0n^29p2#Y(WEBqUge zOEs3`y5h>9eB|k0v54W$cr-$g%9aYla1i{C&{Cf75wm5k7t-$rBrSX4fhV#)ZVT)Q z?zYB)=oXajQ9*yPB+NUd*+O&>zFVt7rX?kal0LM#uN+}lE^sJMhEu60G?77T{#$6d2F2%gQ8TKg?kj%A>fi_npcV-Z&l^M*7%IzJB|fD2;&dSmd)J_5-g zN1~_K(eJ0oSY-eTt9A%=m#E^(1;e>@~F zLV+nBS>m8BYArbTH>I)-ahFY`xR~U+RFng||OGIh4{s@%@y#`SkQr{^!1-k z@mi=pfFHay+Qxt!`)OZS&~U1@d1mo^G5RwgujSeLUilM%3QDKzT=(acXl0smp8kO( z*qtcwfYb7Dk#X5RUgDs2J=r{^1^m~U!{=6vSaWI;X~(E?ufKJM@>wTmzi}6qdzA8- zW2oYC-RZUj?hQKBsHSwT)jb6oKIpw~4laHAnzRZU@OvI-I4S$Ixq7wpx3;3a9OvJ3 zV!l3e@ZJHFuQqpjGywe9Tp!oYeyuNqb4!f&0>9IVAkQcG4_B`b7<7AkLKuqFvz|F# zE5BMSZ{ObktxdPG=>q`k)qvl&PxkJ>$T#uW7zLisDHkHa%h*hUSPI6s``SqrLhZZ3 z-wGSHqbBXF?wg>%P=}8FCB);BTyO9B@%iCux2vhYm&p43$9L~7+lI`>w|60-7w?@> zFjZYiy`S?6luKTX&hzpA<(a>N!YM$<=M9Yi0B?%I(>~{S0OOukVo-2k8)2xgJTMTn zy(=iu_uO>Kgpl?hf|(Hm#GEm)Qhnz86W#RfVnx<{js!)W0BzA)G32`l$rz1R_-#Vi z8ZFi^fpl`H9>Y3Ek<4$QQ%(1LEJ^cC`7;F)T!=EbZyaFlh{?plW`7XykSxcGaL${J zSqIgPX385iOCwk6`o~tSL#O1D1g0!$xC6Y=vyBQ!62B=ka5Q)u`=_Gi6mj}2H$OmY zTZ?Ozs+_hq`>VJ5MAREekC_jLmmK$D8eG6@HK?Jymfx2Se9{aDuI1?=SBt5RmfVZC z@DbN@5peKQm?UZCr>eD6O_ieGq~Sm%N|`{Y%`{b*hpMBF__lxKLggKkDYHP%+$y8< z;N{B|GpWypP{3t}XVnx!1*qy)i9S)dVuy7zqtYa*iuD@zgk1^DS4lAH-k#Ye`a?MzoUoe(w&=2VhVsqBvDfTcw$ z*CJGDr*R5VkX{koJZT<fbm>JiTW%=@?33@BOMl^#-(b^PoKyk>l^B?o_OG2u02K7HW zx&j7|Z-Iag@1O$W{QeA_cWIP6}l6SD}%k}L_fT_7@FY} z_(Qyonf}xA=&T?BRV0guojh~jTQqCWr-%h^Oss_VJUv8hs;yc8kL<1#jfRzZIMNqkD~m0{yZ!P>)6 zJ(CbdHXBxI6dAqq=-y0}O9jJ@YZb5G5LGjLHC zf6#6r#%I7bbeb;MCd8?!&}wZtm)S1EM`%wx4jy6iiWdaxGvnGELRb-@=9v(FrnyO^ 
z)IY@BR&u|nOrWUXRNpmaMo0C_CzcYsQMoJ7r5Z%wbTK&oiL~#R=R_Yew~s2T3)iZN zG+(SgQdQkjcW!V-2vu(i$KgZawFeQGLrq=^ zO!u>7N&bnoa%>55StW@jY#u^vo>ccZdX;m~ejFZO-h$29yhs+bi`B2lcG1WO5K3_sl@v(~3%Kpp1+1oN&$VsH+0XQ$r?QDCR8a)1d91*o<-0nHni_CrA zhm1x{g^1nkbcASmoVzKQ)dHmVZWy-pYOI@NtsM_xZgCr?Px@J9r?)-4K63DtH%;PW zaTz}^uK&me=shJ}=2q$6xH?BZ8i3a8-@ED`mDSnK6^*NVdyV+OyHEK*a|*TVX29>U ziwfO`2UmDHTzgv@43{6bJN-o4MoZ5Cx5XBR9+>;{+Pe4O&-yO6v`B*Q8h{?qPeSce z^PS+<2*3&@*XP)U*AIbjO<2kLS|5Sc+g+DMoH^|n9?#xHAFiF;l08pPm8DhPAAp@) z%)CP&9LNV^?-b;bXs6C^Si0NYTHCZ}6l#C>PQKjjSoCGbnGLOA?DaC(A9*LD)%Cox zTW?nPI!>TW^^w`W+_=1}I@Is#ujnMWmy!Rc|GK`qkPQ%CR!%wwdhO&^y5w|H%s6;B ztZOXy*vVh2DjC!>wUL=+zpo$0cAITIrxZTv?e4&&(&+bW3d5K^wR3B%U-~ajYhShj zc_g3N_&*C;uOu2xjc36^r(X1*TilR6Ez*6}JESR3^cZ)ix_}}4?zO#7Cm-h?=Y6Gw zx{Z#?SI}-ZWIi8u!#!zy&&s{`>&2;x-Ews%$&-ZdKpXF?kIljO&f~1Qj)tj2hoxh| zW}DMJ&K8C2yT0{tT^T-h(4X~d{+nIFBy~O0$$3KFoYbRF#tYE5H&AaBKp+$J)wcye zfyg-pJtePL+~s~l9NYW={I-TUiep>PMaygINteHb5bGbbikilP?9qrSjnNGp$0p)- z-ur^jx?nyV;g|x=B!f4-^|i4fNItXm05;d1$e7QnEUtP@!Kd0<15^0lUBA-|+2|0#O zrw%%C4TD#cT>`IM+E0c_lE zo4ud_qnTD{uuZugYYq^o=T(|b)g7a5XR$m&ko1S8p`r@UG8u0U5{cl*W)F1^{Y6os zyP1qDRB4lV*aZDNK7mcsCa1M{C;vN%=72;s#Kmm3+=#k<_Ry6#M5QKHoJ4`!-}YZN zhk~k*5PfJ}R0D<)S%cmx9*t>O;9D6~$>vlZPKl()FNv`IC%k?ZqXhNRqgWW#*rnBo z%7|u$8TnT0iZST)hFp8KTZtHU8lUPwg^ur=P$tNi5)q_hO6ubD2AI(K1ut3b4^&Ex zv{oYEdrx&WgJ~LgOIi+p=7J*(8gWUbnUw7lap93f!rf35cI#59ZM3Pk|NI@If|Bf4 zFOU`CHcaa~G$q0?_B+DWD|DIzEVKi$sJ?lA6?M$qBg2M; zF5-`HmMuEfx4i6o=z8NQF-q{hlwEIrMd$eZLQ>z+{P`uvj;Ti}eV9fTMzVS@IeCqs zAiLvPx?rSJFC4jae1rty4nDBFpXwHP1T&UQm;qptw&gOY#ijz5zcUk(Y%F}@DVV+T zV2YhpRA25BlKXWG*JFeR(wI0D2ggi~^88Eipn9LxAP1f2U(l{k)c63No}p)L60(|J;q z>@;Z@nl!{L=>urooT^R_m8IiyTPftG1az&H-B)PRwGm(!QAkvPD_{#xCE<()6a=tmMJY2` z{)6}z2qkkAD61_6fJ4mP6=2=42zj4y%*DB4?f32R4e6iZWCp>In%@Dws7w#w^rVsF z&2la%FrOO#pCJZ?AS(zaq{shNP%0|O2!pb28d^wDL9cTGO<~&pqrQpsZM_v)`?)!H zc-*{I&{q$O&m6~dy)%~kD(i7+a{GPG>b$mhXqR&7nt#qO({JCq7kKEtljVE0YS+D0 
zg@`3s@4Qd@I~QPn$E+2N%x#0Y{{{nM``!F+Q6@W-5TpUz>W}5n-@2S2&(Z%R-(p(A~W2NuiiBW5?!kD9(Auz`E4@_`stcTUDaV0kjA#XQf?Ky^!^TV9x?j?u;4xo z)_a?)7(BmTwRV0+4)6bJNxBkE*?u;C%*mdL>D%0;&#B&B&M)QRz5mhMb29bg^Gcz% z)@714Rp9Nt8g%odCVBCDvVhmtrgx{iaYcu>t6P^v32@@8<&<^+^-F1iMYfy|34_Ki_dj zoOMiB*%?H(-+}gm7MyKIX`v35>>L~SE8>JNpNz@P+q5|@(}{v`xoeKg6P2lm*XyQr zA8$W$Zk4;%nf#P7`6&H!WAUuihBETRN`91-I^l z9|eR6eJmQsk?x*!ZmmBXiW%6jUZ*xzBXhke6+HwHKOE(r9ZCs+5l@kUzc+8QTpVZ! zJyr;M)t1{mu^QaZ6mH`0^>wbFCavE8*zU$kX7vDjBsq!Np27t$p?e!PSD#A_K8@c& zqMx9Sd%#ZYJrP9aEU5Nh&oAI~5qHh6yHc}dDbHL}Kd{9*Z&vOVSe;`w_ zIXxgI{--fye}=n#;edyXC@`8v-5Al7Dvmw;3Xwu{wpJZHt0bSp_&D)YmhUWMl`JKi zQs75pvTKyGyWyg?ar4i|hD2+YMQjp@RA~>=Iz7tq9A>Lbp;Cxlemyc)Bm94LqORXv zW5!73dj-oy>)@CVZChCj_Q*t+_v&JeJk%!^^OY&Vartx_!O|{{128gXJ7wpqDf-AH zgT(XKS~Ez+?xCPq>#43pP5sIwx(3%pI7Bp?&zx|+mrGfr5tCPrEJk>gQMPuCM~%B#YD^~ zR|uhwA6aehTD)y;+x|mukZYROlS$-cRYfZs&^P^vpkbgW#HbTKUUUj3QlFXFDYAWm zVp}>uSzyj@K%>4Oma90f?53ERrfBObCoY+!n>6Y~-d#_pa~b4Yi3aLcpd`jAxw8&Vw*Gfjt@Tl0;c z!7A1!!pYqYJ(lH1g(q2B48*K9XQBfX895G=z8tb$OCy(V&{nBaNYZBQe5WZY5y`kT zqgBv-+*xkQPBDnDgl4UY9A-z6;pVZXvb2)HMP$mG&c$3uc5}Zt*_t)TZ zj0S|B2d<>MOd>7GMI=}(55I~rS$9<`ILq76^He!ZgLha9qe$4L8t^H2`^Cu2&>#bc zq~|Se=z?8KGHBcvc`!`u$L3(N#Aih#evZ0w!@t;9uAHAZ*0YO@l~{`OTkFk*9&SAZ zoyCj^f5oyzWqyzLA4nJeik;)>7TK_GEu4`e{Y3xhF?HlrrY@S}OmxO3B7+x-MvFUd!M6F@I_5lv4K-96)nVux zd3wR7Y}BJ>UGzfS3{DA72TRCXwJajOnHRrsLF63DP9!1>=DA-5kuoNp2qHO4`-*}} z^BsyTc8n5U#i(>Z)-FG5mqp0)#7z#)7HhvZFdH!x^o;(e2L&YjUl|!6!1un^KoImd zA0r|kMf%^Da%=~%CwQ_v4RD0|tH_lcAP56$&j$>pEZ2B^>f7i#-s{&=Jcrk;d(To1 zWVZtEC3G&`xt*cvVWh=()h}XXkmSp?1O?H@0l#A#SAZ`M10^#2+1s?FN>*b z_Z5#CpQBi>xw@a zmp=|F0)NDA2TcnG^wL3V!ON!Jxlu+x>y0}5VHole5k(- z$UcV)kNkckyR3URzn&AJ*EsGQ_4?V3i7Eg%Er;+9G0=_o$npPIjcO0flFKu&Cz~uzs?pf zmsX0JlsY-zudn$)0OUJJ=;cc`hWRBML;mg^ z|3E!;#hC_5YE(;#ZT`}P`p5&({a8T$y}ln7!hmqiw3zJv_TYWNU6ETN1e#}WKh}gn zWkDlM&DH=OA==cWQ3*W_CCYCp_io%-TVEb59OHQd+GwTe#p)mnw6YRam%xd>;1Z-p 
zgJ+S<>+@ZB99RaKMzdc^$>mB)%lrLsvu9lPk`AE2=?ZVI!y5`fC&sKMr}3S_$IN3l~AV)kg2!><>M4lKT^>&bn$V_md(HKHzxP&y-8QSDT=3 z^$9!jQ9mJ?LbTuJw-Iur4Vc6&X}_(eVnfECSNooM$5(_vu9+YjmptN*gj9`FdCu+U zHKn13MV??p8oSOlS_JV0#XnTZ#)TEbgA+yQnDf7e8Dm1DcCfRlOiFRF@XwtDmd6}X z7?2D3kUgCs2?jQ`(-83V!lA8A5ar)OmiI_yt$$qx(HfeA7w(8*aX3#pd!_AFOJ79$ zFrWN#RyC7muUa~%Dh^_0K*SI_e05qN9(0!=7nMwrP+z(A)?&HR(wx1H5ie&P=n!;@ zqhdyS%QF6PUtBaujF(L#2=@~l$K1L=FJynBw+)26z&w9by7LHV)!b`M z0?|$UXMYX%qhjLdkCjF#jq0&BJ=ixF>bZL;&A=dC{Qv0ll{X}G5z)c5qP&#B>B{HV zE3IC6t{cN!gmu(I9MU65P>7|#*nd!T^Q`>ztR-k1b<(n8agqjKcV&mPxr`T_yZg2* z1=TFDT`qyKp~|m6!5X4T%Ob}k-`8pQP$ zPU!+dCHlQ;0rOcjJGf|h+b6UhI|y`2(Wekm`-&w$)Uo9~`IV#6Wl6V#D)qiO%w>W` z%ht?T45n3F-hOvavRzZ2%!Wird6qxUyvj!OVIu%f5K&CSj~gPU7ovAilfSHAQuVS- zHNpzZ3BCjFpvTFgwGX80V%N1!N+L>$#=V;5iA&!v`d8CH zbj@lcsg9(P=f^iPjaKQ1*^xY^zt{z6SRr8+f#@Q5)?y6&rl)DkX-X`Ft2~BHa+(|} zp1C$Z@RNq;{KmrIA(5xZi|g?3b<0%O#oG5Q?oxQA;g;IIEjeb&A5|A!-%N zD1#MJ2VJGe1T#UzpaDQ#Z7zt6B#g`n1H|_UKuV|u{%uTLmv{Q!ek`!E4;-`6$my8Z ziF9xs_P*EH$XYc9x=*Lww{Y*@^=D;z&q*J|B-1kI0V*vR<&4uPfeyiT{C z?U6?xcBM_^|~TTo=08^8dos>$Z;H z{8sRWi7*TvcVd6&+`**Uxvk1en#OwH+uKgcJ*u^CJYHS*IG(9lvv$8k+?%`E``zUv zBCq?30@or->-7n+i#=|7ujD*D;+j_$K-9Y#tp*pKSuD7ol;?s38=GmdwiD0$3KDr zZ?AH>xPteQFu7iz*)}wpd`&ts?s{}w1n)p!&P|Tzi+wURt-V35(j+7a`>x{-JNq~0 zA6JeOpR1e>1i8$|AK6J-Kej*KFl~UZwY!MCqLr7fcjT1Y4?BpG+uXY5<>VUmTvB4iu+p2c%Lyz05AX6@T$@Zt^S?SQ1B}xqR`(@ho!iiz8!7A+fOOhRq6#-i5 zuE|R2A`=ylX2B~Nf@X%Mq2l{wk=z2ym+^h#l~J*HlCDC&~<-oo9D z6918BzBrGBrRcTpC~cKjL2NQ^7tpZF5_gK#9)!?XO;!<2qnMA}qElqzZb<1m|2;DY zwge@n9PQV@suM2 z5mGYjad?9|M5wI+z8e?V@nrncm6bpGBXep@5$+Pvb6SePnUo_q?&4Y)8`eJffx_6P z(H4bET%S5uB6?ks42ox;>4`ok?_9G$xrjAikZ@zVnwWof$6U~* z5ia9vg!LM<-sm$zq3${OUFsM}s$Zyj?J~fYyhUU@tL}Z9MsB_0~^+NznTB=q866D3cnaf3bEL z7A!OPvlty6=I7MGYvxFrR3zsRZ+1bWP`f12?<#U!m8dwcUwdLQO$hDg&6csQV&J|8 z-cjKd(|7O+VTZS7@MxXlVW&*s2JEDQuP(D*E{u$Xkm9@8WNcEN>xp3ejM>FtA}A@3 zGX3sIB4N{DGIyyQh{$@l21_zu0F?|uoazvo{j0X3?5}%;#|GXBEUG1jzLcm+tM5Xv zjYu)}j5Q4IDu$M0QeG^%4Lf|rqa~KwpL(LF^l)}2Z>WTeN^uhB6@U|n2+h26ixTtx 
zoimE@j-LehbekK@WBsLjn*BFYC9`+fvV=hkzxAgXzY0%wyC*H%w2+KHXy@nZNwhG$ z+zx6j2dv9iqh?wW!9j@1qmvSQwpg{F#O#<_Qq-Rq?Y}&5;e_K6d(4S7#=F1F@(^t& z4$+;JaKwufFmCFs!|Mq=$Yadc6LtzL(Jy4Y1mKdg`R1<&_T%&a!NJNyORLh-5T}>S z>BSGwbDg=OWhHDx8D~EC`+Ci$h^nDnlfg$uK04kIMx>*=jY=kEYO%Cy*0A zpow@tU}^seVhP&vh9if9?S_J7Pa=zh^Upu(?0-J0P6hM#=Nt3>UCVBBMf7`8Q-kN- zGIyK*UA0bHJ)4@KzGCJGMwpe&*{<2Pz}GvC1Z?yC8z$FcL;>LWRS>iZ0P-J$>Q>KC zRKwzlDyZvfB-9jsoI;f$l9j^3k#|B>mT;U#4^vZ9FH6XMt%z5DVt0HPYGJ!7&RDg{P&2WqYs)CY87;=CzZR^-=WzE=HfouSHj5>&7&aObLsMD{{3JGIE7i+YSY9>>- z39tnzbM`lUv`p3?3KPEqLRvcCBW(D)$&hNULoEnj2k>e?tp}4k#y+m669H*_enW?) zexQlB^k9Qt*IClYYCRPJ81U~zR|&KIcLjv{Jgd5Hg#)%Z*ydgx98*J zdY>H7yh(I4vH1cwHS>gXb@yVh{>>%uSd`6V*1={;IJbq8!6^BrX!yX*N( z4{wxSca9078!Me$dP;IWwPDxi09~#VJ~_I`v>t~6YjT%fU+I&j97J9oy^;!A=QZnq z4~M(lNkT5SQin-?+eM94MW56)>sU-e!3fqKz%I!@g3u~{i$U%EOpPs%9cmjrCT)jx za)Yk(Hp~{#dWnXuznvZErReb5!2Z$fNC2Q?GFYnKa~$>=JNHt&9NG?S-v)BK|J66_ z_A$3RHmmWze0**#xPBYlcbULc2g>Q{JZ5h)@ShiK3wE!A-v`K7omLv0Z}I9)aJyG}!@%i#n;$nu^#b)yyPifm?|5`R{|O!hC+EH# zJ<;mHd_TO2Hn6|BXy!GQ*5P}2>Pk)dxIDwFzI)k;-%st$)PeJR`R7v0s<4{d>7pBV za}bxvvV7SwwR3i#qutL7$#?#`&aw6qWOxp|71VlOgG`#{01A$P3|c@ws-V`@`|X~% z7djv*R*3&|^F5Jj6<3+14gAz!DPL)jl)xOI=;Di&vHg~kKtt#JlZGJ!L>74<_?fXz z#w%W_N#BN`b<%<84{@M87k{EeEj%>2E2K)#AXm|#@+c!5SivzVJQ8||n%t_!3>&A4 zUYj!KE|kpgofT3tH4&I3rvv$InU^s0CoU<=CQN!vMni{Yft6*;cyztk)j|b-18yI8 zyX=Cnjp{5^g%VSf4>fdFn2U3;U#Dp+jo4T!c^grXJ#(hBj-nh{*4aoMDt|@*U;05I zU)Hrv6Pb(8HwIBLL{5Ko8>m*bd~?Kca@hiAbh*Iq!))-fafI>e{w^gQ(y;CMDpUQV zWyCAVR@Jb9++|j(5JpF6WAwbHl+u~ac0}Vw?Wbt| zR>Wh;Mq!Dnh;w3{%(QIEk9aPYvQ|l~>5_bvR=yzVE!$oV+2@ zeP7g{R#CZm{@1sZU>+EST8V2>aM*^-BoT``LY&O3%EnHeN{sIS<@LSkfm(-6f=2)w zS($2GW$lpKYIc?G>;zZWHbS}r5^)hrQT8`9f-<4TJY?J?XQF`K<=5d^I|gQ^F<(;_ zs0s%MgyI8iDo$-pktC=%PnT&VhGN#SP=@ul8Z+HFNyJx%XSC(c$HHT1EO|L6(I3I% zrxKM6vR#Yf!lc{5F%}N2p|6Gt_>Nehh~2s%u%jdL4AhI67cPXg{H@0(jY%ii8oTRA zie{)up1r?g%Z%g&+?Pau+j31~KYvjj1H*|%g^AXN6HRZ4YY8=VZBT-6}rRreh*x@MY z+e6zG&cgkKwu$xa0)K=3Vd7SNRk-hJBC=+V_YM2Ep~9Lt!gaH`z*!jK!WkkV!@8(n 
zg^XG$4sy_3+1asYt*MH>aWFZ&aJp5_l)^muhBH_<7gCz@T0|)|mVbxdM1^HEg!T`* zLOe<8j&ioOY*jk8CW%sgWtT+Fz()^lG8(IHLQldzB?w$af|>=%A*sMoe}q(mV;BZbl&N#lR-+DzXQ#)oPN-A7-@4mDKyQ>()$$i8yr0N_)lEF=y<$;&-l!VXo zTXDlxvfeXQLbFUTlRVQ^_Y?m+J`9lX|Mp}6S-+wU;lq*NV||l4HZ=MGmKg<9K|+G! zAkK^24;awhXXpS5E(vwO2L{k(VAJMO9e~pP81|mh?pd68_3}Aes_%{AJJ8S@p>kQ$ z1u}oX?74TD{8Z2E9pLFScs)5&aOdzdF>ok+T;6y~T00-$#L_vZoaXafbxv%|^>Vs9 zYu#=;Y5jFN6FSxLY5iJ14)uK3sgV8gUqiMy~$&=^SC6Tejj^ekvvO&sHSx&t#;fvNO3vpEY<6r zGo6A5ym|s9dwI(0%}=M#ZJQ@ySA;b-X+`vVaSqf>TzY}H`o3JCG5DxyBqmarbp zldC}{dnnB0u?@LSs`uj0fufp=Rbd?EN=_>4jsR|)2O#gegi2WwYm=dwmv0CSoRwKp zazO$K*W~W*o3S>0{7h-DlTiu!*#kcA_)Sn?bx{!8H9sGQ$V;!fevi*m)1BgcQ z`4X<*YSvVHc}BE^Sj$PLgq+^Fh26bw{}l7k2;6mS&g_RyBG@9Qc~$(o<)4VcAOB8o zV#}@0R~ALhhL%RhMANe4>{1ltMW*UxLzeEs!ly?SOd}$rS+bZBlmH(>GLB&SGqbf> z$^s#r;lfi9y!z}+wmkjHLX(x4XHZ|hPI!dconO*{Ea0@SxF;x9YGGi641HJ3ilwB4 zioPF(08dr~D!B?-EVmMbxBks%wWU~=@u3JsmBO}HdvJmbOyw)DTlU*1i88aCMn$<_ z0o(16D(ZVWj9IIGmq?~#x=bChA5UWaHqU`LTYwnG(44_${jRP=xYTKxCpP&e zgmaq5kA13YAYmxlN)vASYKjd;7)rAlgMVJEUlwNFI~#0O%8@71Q`%t1f{!ttw^giH zpBPwe49Z`et-d`EiC<)D!EEpU;zr#iy|7Q9bdR)y`tn_#GL#yyj8Av z5{F!VA(=sAy;ng0X8wk;*I^JetdFvBq@Uj$eaxC3Puf}Y*0H7x8PNC{D5ljRlP2&7I>>{*;zL03E(Qk?kryd^vY+Mt6NBK1h?WJScH<vLtCuIJ$|UqvtW5A^%#RLO@0MJx-W>x+Y&8yF8}IEfjFj@ck;ivO?4YWAiJA(K1f&Ovi-W2e~gTM3`PrV;U5;W?B z^_kgzy~S)EMEFofE!IanB`ky!e1DCHgeehtf{hw0AA@ITQ4g;sD5X5wRl%TNaV^cq z)F~J7PoUSC#N+JJXBHA=IVRB76b+#~m2WItCSRBdTS@xAEQ+ozahEr6IABep6lZOs z%bmnZ_~TBq&%^!tRLk0SA~mI>=^BvP)yU>Ub8V5_uojB*|6uV8HZ{vT5fxxwtkTnW z%E29)+2_W1tN)d0`gi^;f)=(o)1Xi##fVGdy=bJ!Z=&S0$6CWkwa>7O7+oif%aoqv zTZf=TT;!;*|H_{+#-E82euiU+6o)D73cd)wBHtcb4>fVH1jg>!+4n8c5`?Fr>b9$)wR@KDgo!uOKY#)vq7q5Y8=+0<$WIk`{tE6Z95bJ2c+&ZzQ2e+@XW4db}o7T(a*Z#npjn_+( z4jNTLO>g6Ed->%yI>`@e?_=MSA&p6#k?!@+Lce5Npv+Lu(Q9a~w;JzBU2)uI?C0hK zUgn2gcd|a$8z;=vIxyOifZ@KQ{-Ab??`oiM%J;qX)MIfl^gY)HjjpRs*J3j}W)+CM zUbU?C+#0LV3mP9sTDt`jb@gsLN!ssBZnC?KMgPwIkiYpliX70SyNRpo68ywm;o|Q3 z5~=$Lsr$3kMA>zJv3UO6pmQZh5U@vc5&c`A8(zSqa+9ddqf*lE^QFAk&;Hy@p+(;l 
z)HTJa0ldoK@Y~~_e}2!j_e}H{itKIsC~{R>H6PV+*Ef>iQ-YQF`Ho{D^%XdAz znKft-JVtJ~$kg7_KlBVQ=s1Aabli=0UVHgQ1EB?HuRTDUo!8!x)ux=UdiPcQsoJHU z5ABr~z^DD*X<*%bbRZx3$7%5YT)z*Wf{n)@AFW%hkJ9y&_SxkrfO3LeUc%%6D<;Vs z^(V}$!M>oB#nIcKmDOKhuJ}EX=~qqD+>opTF8ZqB*x_7qcq(<`pLDiwGT6T_)TN_Y zAS>b+gPW1o?MB<p#!w*-VeryQ)1COjw0g=f_ zh?5L6jqJW1Zi0h8HaMe(B`u}EuP3!ytz21#o+>&dczL&>L@oTG=m%tQ%!0j#cF+81 ziFblwxuzk!XWCq_e7QtQBu(V&_bIX$M`e0Pdk*u{KE@a}3^wdqzG8nP9DFU}J#SL} z=+<>*9%l(H=jqh@Lr(0{VuOY zl4=Ww#jnHqU%PHvkS9sD@UNBHSv&T`mP~CpJpcL)OSAFSFsN}|O!pNlK2j8B~^5=Ng3jaFh8o20783(Qh4LxDwz zl4x6`(?PUXw*3XGMqjqbgN7s*@_QXUvQ-KE(6GJld~YF@3Bf*4nNuN?zQbSLdbABu z@!Mz>oE*hC8|u)AZ~&1pG3&jatl7+La=yMbFGdg>;@=^bQx434N7Zu4hy5UCZ)`m9 z7PM9KmYhJQSd3xY3PtF1_in`KPKXL_iD9x~=Hv8zMtSY z57c~C(~4*teMRhZnq70jP>^ZcSiq;?Bj8tU33qbd>OJ7AX6WwmK36=$`s=BI%E~?N zQ4Ge)NXvrfTU-5>@QJzNuQH)hwctT-mYgfII{CF=8AQanImLVl$8I|P!D`j*IFsgY zqQE$RwBbIJKTJH*LaR=^iLxdFp~G5A)Z+Cx?2~2w2&QRcQa=+e#qu_5Ma?Rdvk>r< z8dXo+Mg2CWA>3jMZD38#T_gKgJhK;XnSR{V^`mm@o=zbo<;$hSyH2p8LpNop_WBpV zZ8AI<>YJqF?jV@>;je4{W#zJF<)@oNYuV8O0A~Bm!%(T~+@sG*x;A7~BD@$2aYTQUSbV^oG zQqe%lNT>)G(m&Lyr!y@Iw!$hY7#l9un)*s64IjBB+7%3zeKvUXdM{IV=o`jIC|ZkV zIQh;sDwCZdt4xR|)c?1R?czAZjORk?6}C3ebqpFqi(2zTXj!SEf{mX-*n(xW3BBLS zi%p)iel*1L7XmMb0o@-xr?R3U!d#q@8uLf(%?2AtE7_Z zD1$p&MWuG@7>#q~&|~HivV@+55oglsZxf~!GjKZlj5Wp-$|wqv_IGq z8+1^oj)vvPoy@Nst^Y15$3K~@(|S+ZD?7#G4ulI;C2>O&1vg<8LXrg7M2xl`1faI8 zRT&3Ut6P+$SM>+fA8^ozn0gtZyAFv^BB~T&rwOS+nXR(A!4W+TL)Irp8@37Q0HF(e1KiysHxj4VTO8FJxNUsnU`%&YvwV^XD$gWS) z_%wctR6Bm{_uRFM)?diTHQRB$nu#<~%P#QHyzN*`TjOINi|F9HyCJAop6m7fcR%=W zZYEIvIs~Q#G1upPwAcX}=`PMd*LQyZ9HjXU9OHCw1AW+>@pgHv@f7Nzwt>Li!(Wn{_Obd_&Clp z-Tw9ZNJyN<|0#KDd|b|6v+a{{y+NfSyVcOPgiw;Q!+*Pd5V`QQ1DeiK;@$KdM4rfr zDZi<3-R`=gFjXdMy|`Wpf)st>Z>;iNcdoE?Tefihkn}n>O|iY%`x$fDcdD~=3Tk@x_SllCmjl`b1i1QGX7O=W@3{SV$?&$(F`4ee zPW;?Y<9mAAX*HGFJw&G35!;&>Rk8huX%NS*{FCXm_osG#xx=r5=sVf4M??)Warfp{ zhW5*_%`qQnMCU^IiSKqM&G6*1y456zdmR0~x%*>;>hmIuduE1dTIc9;cGr z>@%lskW63VG;4>h%;T04S`nBmA 
z7GNss@q+rurzK1*6h!JBbKIz(eXGa*(}#Wa1;Ub<9GDmkkA1iTx1_JA?Y}=+CCoaa zH2EqZ&)wi!(Cfj$mxPFwAi6{=njEZ|%MjZtDSqd1WVVV3BlgCp9Xx$3Uf;vJKxRtJ{;+!zLpKkNzgZ`usa>ZF862Cap(sw-o= zmzBJGltp6N1~k%AV9)ojau{gq)rsj3qF7K9w{Z1nSeTRvp%3`Vbd%gNCgY|MljH?Y zv-F}~aD?*;GLS6M8_dN3VqdV#V!|%lLske6-SL0I=4XIAELd;z8tscu1;qKuJj+L!4_Q! z42hN6y(lKb^Q9{Pt#v;E4s9&0h)Ll7zP83aJ3$t%y2cc|3J;2mT4M-(^{I8NU1hM+ zIfrv>eVeL$DTd1IM2eJb9sCKOCuyMD6zd`F^pX?01sh<5hqU!am+a@yuIS)k;pr=o z#>xMPMX}7w|MNuJv}P1W3FA7ZDFqKEy;$@xndx^k&c;VxtXQQxx@y>rk6F16MHUuM z#y)PJ=;Z9UXV|0+e|+fH%L=Y+HUbWgq!k^_dFLOw1Uc}BC2ck8ossn(vfo>Sarq-n zA@}E_B(C+X{3fMD##Pe3VA?#-0*tk|08)EX>BToON*Mter-P-ER^IG%?QV+bb;zH6 zQePy_shAB{_Ts2)5`ANunSuMG{WQ$f_gsI$BphRScV(mwg)VYh6*^{wM)@=61JadV zq+rH{;^SfjuHeVNlv&BN_Dewxqp51p+w{jI_1MjqiNBtJ zUPSr0KdVzpd@AcDOXx}*l@upZB3tJgjC#e^ELNgvm;2c=dKGA1Q`s`E=pS;RC-37v z$v_plw#0Ec#<@EYS?No?9&6f!QoJ&<<;hy{*J>6ldA}KI#fl*6Qkj}?7w|e@CJLj1 zt(QFV7ZD2f;9wg2CNtS^Zt3~p{|4IPerL<=g*dGxnL{e2{hQSG87g7$JLAZGdU5Lx z&9oxPLe}riA>&JN5rm*IYldCdOd}CWt3noBvTo-Iks<6hO8Qu6ILHQ@mep$bEU`%V zf?Q3_dMYqujF}tq+C@VYChs4 zYBZiW)~`4K>FsAv!*AX6CM@**%)tL4ok(%4O%yUxl6{;=+=E*JHNA<(fC9N95nW1R zi^+`(CV4JWZe4(OI@O9siep%tF>h^-EnxD=Bf~jc<2dbq$J$Ft@3*^(695;|Of|^+ z+pRvxouvCN{|j!-68o{OkOTljuYiNE#rE}Uv5lG|56VScU-8ZdWj1|unEIXvX6fA* z?CGOgMIJ94xL{AMy=q*~X|3ozHO`r%MqFRFjPE~dchI*?$pE-Nsh(}D_3Uv62wfnlS38y-^oKx*qSz?Dl8asVtu+QHwH$=gkAf!1Dvd${uY%N^qazI@3y;vd}+T7;tY$tAh zpbN1oB5Gd|or&@F>3uj%fBVm^_F0E49W)-c(!&Mn+jrpncpFxsTY0Ya%vQgg>T&X^ zox~sEe;t;cD9Y}+X$je%KD8whX6$-iY60$jm~PRbv;o(Yp4Q&7-FXS`7i9o^*JCnj zTsHTL0UC$RCAymKU0tZ%o&~V~_@aFu{imk0TE>x|r+gz;Z#g?aFOxboZgrl#PrZT> zJ&nT#=b!dX;#23-fc@cpCfgn%uj8SR`-)DVYv>mxIosW?I=XOd!eJ?0l$qL63+Jt%9`p#k2`qh?XDVzwn4I;ou|7;y-U8%=a}t6)vepw zGfh}ssao+P6yNKZ9p0x@#}vKYK18PXKD-Trp68ro4TD4R*%lYT%f%g~qpc^i``+z& zW5G*?E6>05|3%(*(8v8Npe*e=a|)y<;)MkgMAn1nF9!QOdqd?{YRR9M?xV8DeNlRo zJ1h8Fci&#+C_*GKDL->T8~ItF1kJ`z+e_6RrUMK2#q_|o-ZQme_gr>{M@j>ue~F9L zN?sIC0c?1OB_`65K~8Oq=Ekj(u4&SLPQ+R)7uK1JmHOlt+tno|$OV3oESdAB=!Z#^ 
z1z|t*o(zJgicty`^;9xK!Pcq>qRaZbz|%)tVXFB}`xx41of* zad3WK6`w^TD0j&7tB}P-!?(qMcd}Q0kg7cz+k$|l{p}40pVUnAZp?dxZ!DwmBl7!F z-QQ?fLv?V5-s-iy1%D;uMfr1&2{8Qb9jpXx?Y;4AK?RvX)r$RYU6rszKwK#`RlhXj zB7X9yv=uqT4Ll_)G7;yG+Tnj}vJM<&um1yai?e_UK8C$+3pCViC4~xiiaf}D9_1Phvx|B#KQ`_~93kt1os$;=KErWgc zlo8EJE25l33zhHS8P;+>>G>FmklY-3m2=JmrIOFGl2s%i0OTTI1T?Ua$=^Y zwielFA=MRz8zQ&BPir$U?)TF&EDk%=eNV(HQ7d}mC%T!m^s5BY!BsteXI{1cV^glcrz?f2@4iNZYb8NrZ<~JGoql? zLG_^NF9zRMwG`E5Jj`UP{Bw4EI>l`XXn11%@3`;bunYW;T)wv%&@#&uRIPH6>;JWrNlJ!xLkcelax_!_iMV9dOZlyWz z+Q+>Eb2$)%2mDAIs_}ZwzxTP5a((4}ZoSx>j%rhjPIF!0bUapI=p_)2Ejsj90#+{yc{akn5c1oq*NUF_#Er+&39Cd5VLJv7P4>in-!3B zR5To-lzi1$0bhn=Ku#h0*QU=_pv7B9UG8_cH}{9=6=I*)AVB3;(IQ9p9LG%8S@uhO zK?goj6+zqBa*wV{op<-+M>7+{r`g&3xu`R6(=|JyIph7t>pVlkeP{p+JNid5;HnR{ zb{vkiq4P3dO|K*l9yfWkFejGKc*vQ#@8JTK9)q09K z&VF^V%>vr;ef1mXa5MOv*9WNSJY8=1=pa6C&Fug$>>7od-3WOuCi%{R#PZMI8TmuF z?6NR*gHYnHHJ^JEY}B-(vaZ*!!reE1^~_k$@ICbVcVu#{*#tOt?o0vh!gXYI4y$>S zw|BFyr@VDvKl3I&Pb%+OgYb8h1{a9E(=_H}T=>k^PAYpoUh@NXM048C9`5gWvBG(O zJ$;os5byOOF7r7xVYYPGR2}<%ehj!)F97Dt*eU-q_# zubsE~_vgNZNo6!f%WM_m)cP#jV<_xiZACQRR{j#vzDao64Fwq{tTN18lHi8Q*?@m9 zFGNzw*$?*K8-3NO8Lv4a|8CAjcssC2d}IXt+v0JPQ~ywe_0p{y4REEQGq;lx`=T5r z73g`hWycI5Fpt2acs|Ct2@}*MK^SV`zi10IV$+Ai<^Op3Xr$h&$W#8t zq=46`?o>JCx#UB^t!TB1L1>sdye9bBH?MbJfn2yb-NZ4~c6Jr8iUo7ZrAudavaK@< zTC-OSWpmH9u!2RgH6MVv5KWJ;QwA3Jg3MM<;`dw%&WNq)P;9XUgV<*(G(W!4NJoRN3$tWG{p82(HX~+18g#J%jK7|me>CpFEx#U7)i8Ev-%>Xm(F{dB` zCF#EL`p0zb3y}eR9=(GFc0EQV#h*49qd3C&aoM<#Yv}_Bn87HD)=_fioqTxe3=zR3 zdYQ3l1~A`Gss$Gv4qd{`4h7oE`wH^p0{L}9J(xLQe$bOCo)s#PK3cS-6X6T;h_5wL zmlx?Wgjjgh2s#a$xUAN=sY;j&u*?Ne;94}h>93QL`c3sJ{W=M!%_s|&%(|4ocyxU5 z-N%0Ljd=N@nU!Pn17g;6Uwy5kZY|IL(@;$RKx`G4x@9BZS1LVbLI=TYzyQ7*F}UBgke<4&Ek?a)qSQ z^-1h1{~duX{VFtcl~kNF^_@V+Y|%lN0@XP3dSS(ZR`LS-tl(AZI`DA1q?`Jnzse&n z8Pk(8p>s%sGDBQBQqGFnQdLTrHF`^sCf_|0P$s?wo&{7=!KiTZJ^De-l%_ETtdy*2 z#%HXyjpi`7=~80*3sPAA(VdZ<`TAb!kEtS3oa9N1o3zVY4_x_S=o6MkFfwV{acQQS z#Mvu@TG=w@zQ}lThZFHPxf>GDYoL!^FMu=fJyqoDAcCZ#RV?p21=05(MCh1Q3UFe6 
z#!2uBl4M1y>qAn)12endlj2EAC)|&Y7(A3oLY_d8FSIL2%r;5t7FfEl?thM{=srg;x9De*%cUt zu$Xj;3Y7ef%t8QD^rF~c9yZnb+Zl$$Ql)IK7C`H6SkG>;kZOW*(t1>Hj6w7p(jUhj zY+-m~3F0#TyGUbfqb)9)a*VixRmFf{*%D%h|JrQ_MMb>hoDo;zEkqFSy2!bF&d9B4 zmDzH*$$v+;sz2F-+Jf(YZo2=Wnyo(f>N!NE}t$vr`Yf0dE+LCNm)v+?5Mcw22>|4ZqTrYF<>v`E25Xax=%bhM6s`U!Lcft3TB?-M4pqZ!fn{cCNR*V|dRdZSJv`|BRU>Ay1>{9bakN zTVBi_VsF4@^r*sF?{B}9IA6IJI6l~00(Q3TE*nxnE*9^5a@kpq7jh|l=Yy^&fS$Iy zw*=0Ok!aiE74?u`4m}mqsU4f~x!W&O=2f*{e~iEz!B{SXtLXQ{6pcNgZKeG#en_X+ z$x%@iQMcKbnfS86JN0Ci7pvpABx1=WtD^Q^HnX8WW4mX}_bAgmTfXhzs@>^>^m+!h^9&KT0)XE$ zpV_hmxzFuM)V#ugpCh5|yBu%iUI+R7>1;Cc6>7HTU~$<1{Co?z=DXia64#EfcDPeI z?yeQQj_t{G@|x)RDv{k9ySCxEy*y3Ew)NRvKUP+%u=W~b0CdMXqh6zxT-?2Q+A^qo z% zrWOlYANtZsF}~EweSmpi$+emckhG|57{!Kvk@ z-g!en$Wy*S@$~3aAwD@oR;LMHc=OVJRoS9Bqxlz1McWZM_Tjfp%<;?l-XROwkXUMA zeMt?3A3|2e+k!)Abd4+;M(Zh3QCRyHC|b&2&dQZC4#5iCW)m9=lAV>;@Bk;W5s9eK z&)8W{2>BwI^n@|&kbT;;(V@b{!BvMMY2_1-e~nOy1NKA*_T5t;I?y-&Z>BZXR$QPcT& z9|nH%aX5gD-hSIg?dYnks57iiVSq|yGc#VBZ=`75CWl|+Kou{0iVcVmE-P8|ut*$x z7)6+qqiqAvrOmMf$-z^9msrYNmyNE9c{flYfPxxSbYkB~#i{a(X4C9HOys2DT#|@x zzCpMu7GQy`6S+8k&jK5LK{+zH3_swgRnWvn#!$-3Q@oU^r%+5}#Sl%N_sF9Q3YCPl zkYhYrWn^&__DteHb>S5#F>vEH9%m0n-X62)E^jkRo;P1*``vZ1Hy{~MCz;FPh@CHw zfH_3C=7P$(Nh%bT9>qT!=V``iyiOF#eqU|6{2&b=gR8c2-wdR4!l~LR#2c{Tj-QOA znmNc$%TMe@Sfa5-MZAL>ZP2tem@vw)GW|_y6*WT1rtsD!A%fRd*RL4VH;YFHKNG-; z$(lOl5=br;J%mE8zCgPMZ81LC^s@g0oQYW{JpYlYyC1^I~ zAa&_3DNLnJ;KiF$DJ7SWk%z4pMvK$vPR1!uK#gN&?J_j*D_5AH_2IE4L}?YNBO6t* zlnsjUS+Enj1&*Pphg2abr_xx#DV2C|a~<}wLUzpCP*?F^nFeUWJ0OZyF-OrF`}8Uo z)5aY)*tF+A26LTrLN#z%EbB~;%fS#P$Pc{@&J6nHTux-GM33o@7;7luNs_|HWX50r zPPa)7pyc^EO1c^Io$!D*sZ->nt?W+`B7&sGj}Zu53TzJ|MfzTiVsiF8IKnaZW@7<^ z*hR4b4j2Ooc51=QB2{U~krEU&@R6X&-qKN(zkA$iMTSlep&W+{in zC_{xrq0hF;lO?05`w1r}#TY_<%f#zT;M2sT7zb%KvwbfHk07zKUagLLwfTpA&?!Vi zzuUN>;|Xj#M(^}B|6_txQWA{bdPAur5>#?3Zzux`Ow!(J?b9?P3%z1(8@*VbYNu}j| z%Q)m$R-s(S(IWsXgs{u^`ld(MqdUFhvkO3%()ksy$oT8_*HpEkBh^TvMBV{b) z+T;4M2lHj@a+SA(@RL|BN96gdgWxZ*bBlM^{mJH%>IYCxd?Jguj_QIhN7Yq*e+wAS 
z`K?ErX+d3oAth!f5@1tyxS|d8quPFbPjjtqA|mRdB=(6*^EAI6`f@M-t%&x(A-?QX zW^Q@@Alz4q$hhXJ)F`>OlYUbG8Yfo~x1Gy$aLBb0)9HHLP5ILC*B&8r65o&NelW!7 zyfM2->Suvw0CWR%UuoZ7P`6Mu)lY*ny383&@)dgbXX&oJyt-fyHQm4ty34oy*Y~65 z1GTQtS~}acEf2>PchoAzf<0XN_p2;AIa~Mli$h&=BKOlU*Y>MBsp{5>rfGhvGSn*I z;!p|TtpGS{c$M+|#yOMOFn53N!XzWdccI1k`T1Nh;o5Q5ro|LU>~nL_F|_j31OMwO z8mQ)Jm-0mThTgOBUNh(doB1(XE^g~HX0r48h*weRyur9p)3Us!Md<4ITnTKw@95d_ z7`vs=>b2c^IdMJK{iFtE7)}iDeKe)$cFgnPXZi#acD@XpJK*bXz8t!rBG$S}Rq%yf z{=N2^P$*z{0`6V`csyn%C|;5PK(&qE`_Qg!RN9EHk6x9Xt~9_=z4upX)d^Kk z-3X}nMK2Zv3VA(deLLf-(HWe`t z6_&y@6pUN>zBb)YTJtgYnGoTJiru<&vX8LY=i5*dl!D^5Y^mpV+H2bN^z|~S?Md%I zXmrH#Pf>Khq=|Whu==)%F0gOP6T+L)eCqZ0cjj!|VY^q;bLAPr;EmQ5sZb zU;t_`h);t?Bn?mb%=H-8vNJVMiBdK|!ze-w-Zvqk;ugq4N5vvaKNb~r)|#4I6#v_0LYq`t2^ZRq+QTe4j3g9FK1_uNhBC>K zjSfSi4jlFuu?Yg2n%W;^_ApJ|rJ>zWCGYZdMl@sz=`g=o7s}7Z;DEzXY3(5b*FOYJ zXv75*hiP(13qE{5Bgl*ro3ofFjUjT92&D%XB{ysXRk8oI*~Pm>*BD1Msn@VqFwEFS z(*;RfVV`8H`I(LX6p}}U8Sns zGa#Q(CNmNAe^<~F<5%aIW=0|0@S9V^ha#k~GL6rv|Nhe=2E8^l+oiq|468j%!gNarR1|&={i3n^;80>U)XmNDn?a5(35$~G(bqDa+Ql4p}1pL-> z4-VjCDon>(g@u&Sqy@bF8s-`U@dXf<3Br`nnx58jvub9^CbpFGLqO-}3P4xP zmcENLF_sOs!f+%7i;=>JJdm@Qqkz?`;u#Z0_$Or!i6=;=tX=70Hs_oGo*+OZpCnyR zu=ecfk2xUeDuhq_(`BGVH5KETG9-PbCI96cNkQR=RatyYL2+eiG_#5Yr70!!YQ-MkhYCFp<)`l+Wer-3(UsSHY>+&3Wnco+#a*=e1laC~ z@ERrIGN_T+4#uCD&sbCtcEf+y7~?d3w^`*m*U;CehtZ@;8h$NCQ}Zuh=M;n=kS;ab zS8Y*G#}jPIQyzq}Rvkc_P+Lrki+Cf1JEu9!7MI@=9Kle^*0qTYAOAj!p0m`ITJw0o zc7mZAaqn4M>_SV<@pS{k160>TPSJ)lY#B^2*rN+aq3^g9npq^%@WW8I)GQT$ELO#v zS)Y-)D}c@QR{hB9Wj}=2Z>C0cCrOHP>Jv{AVi)}ziT5p zfLzRLV5y1~+++`>Wx~md$%C*X+D2Y2Tl}SL>YYsfLHWqj`_M4ugEywKrWi&tR4Jc& z(Av2?s1j3&T~@im{_qzsvh_#VUS$>wi+r+QQut1+IF>>bxYUe^PN*{vVM|an#F8t` zaA-MA{xoTm0@di5oguv;D5mQ@(j&7SD+CpT#g94<3eMWke-^1!qkeGKYAoKGeInUN z3Mw>$T*}5lsUTQa=$g5aS-|hhdTpC0e8QLaybbY@GuFQONEwI-*_r5>12pGHLe%14 z7Z>kY^W=?&rXkg|QumN{D!HpvBV44!OoVMs{wHH*NU*2SU4*tY5B6AVPr6XqI+UG- zv4CW`#P?mqS?oOdAl-jaJV`=#i6-22U>A&<)gCabHH&13}K{L2_k_^t6LE z7W-dU-iYr)U~k(L!UrsMRT70pa 
zuer}yRo%a?-y(PI;}bX#qjP<{q#MB?dYmID%#b!fJ72Dxk1IG(e2Ts_=`&}oLOtN>Wr z={q#pEdMw* z#w<4xt1dI0*KC(P&##i|uP>X=3YezfD;)lP^NjiQS_#gv@}S|j9Kby3(Xk)z6R!`A5piscyOy zvAe+J?K}0(|4nusl$y{mybsK&Ve7Cv9T`F0@%~VFZnAX&fmlHxoMVvmGw4HiFJlpu zD4$mhTzu;>h73~`4qGM*lP%Dz`J^KLIDR9(EKvg$7?tpwKz`HV)~)@ty|3wm_!xL- z-aO^$UOIR6D1zZAFM0?=O;y77XDm6bQ~Q@MErnZpSUtop-^PP8>$6d&u=LY-UB5}z zPATM@Y;_XX&$NrTDY1NkCeqwr{iGw#^6C?G$eiF3qzVQyN>5T4>Q+-8 zAA9yfWEKLGQyQ#9m!EUmKp(pli?!-^W-(<}n)PFA{4fp5!gNWpNr|l;*=2F+NA|e- zD^?tiXq$-byfSq3la(#K)9{bjzps@iCStPD_GC;+(*jB*JnoBDI0xkY9mX6wrP4gH ze6!r_`cha$GC*SqA?U!XS!g_K?KPlOOWQTTxPfZNNQn-=>vu8+;XFI5p)xm*`)-+IoY)z>rmSHSu@Ltor^OR+HxZb@z?1_Nw-vjtYGKb zJb>6AjIhh^D#R1+f0JZ2FMhBHLOQBY%YZj^MyON#q#pS_KD4S?clkJf`pqAz)6xZ9 zg+5Fkcg7M1x_ON`tC?q1ro1Q;zuiZYCYb^30R?BP$TQx#!|hxMs9>4 zevsMFHFW}3Hk*2=_`BI!%AAM^*SK6&lg&5S;7E-AtjtubLu<rqfVrE3t#id`h8-v}Jg(1IG{uoD$s(BRS{@IV8 zjp?*Wl2KnXsi%``Wn(Z5$oH=`36?dAsEwBctI{NAHu+oh%Oy12xm=54;SgQzGM8E} z0KL4r<&`#sS)x%RZZS5Y;ukN}y>a!_oApqVf3I4qeUp)7L79}`Bb`(6GOOgP$LvHT zq;ecap*->8M59i~I=3Kl;;uZqfv<8UXBx|4uRv9m3mkQnY0ttd0AeY}R_Mfu@ zeyt8AQb1-gSfs&FAnXnDD zD>RVd_aXXaRYf7nv$DdKm#fT|e0|5XW*Q&=|8V*U=|y`PIR%_Ny!Tv_b)Nuut?HI- zeV{&t|8T(%poRN3fqFq_0Du?x?Bd_xKhzRJXp&w{pv+c~4pj5_HL=!N^GvmO-n-pl z;&?P__Wdv4vx~cMasKdYk5}i8>jd7{y_diU-{$8@Ou0_E?R{)hzR$(LS1E&2%oRA|%yzjm0OV}WC=_RDs?wlA;(la^EK1^~G^1$zi# z&R0JF?iOY!0Vl*1V1+;_Mg1J#olOWTUQK;7->^2K~;2ScwuiH`5zdr@sF@WZK1I{b{cozUfWe z9sQoBOyV{6pKI$uE7u78bps}&hMXnYJ;wL;EoD)ZGgDUD3{>Ukmo1|D6BK$^-$vt@ zWQcwRWzFfDC!Kq0Ril0GD(*Ed#6M>t5OibDB|nA^ku2~o`v#JoPHXn z&7Z&I#cVo17Kl00JyOH#*n~)7K_|CARt8n9KO82vh#D5QU1k>IS?D)zt9LsjBJO7qmgT5a#l3MesvP z$IZ6@`D&~Q$xY@DP1s!cg$NPVam!E zlvK`Hq5mWlEIBg%$Xga3{1!4(whrOTUvUM$+<5dI@T0bMg+<|VL86o!Zd1hPRGhM+ ziwSzw<}4B0SHKSZyG~sNb=gjelBGMn+WSbs|KT(R}uJ$R^gv(#wsI?E)jZe zm_@58-dT;oc9&nwPG4Ya2PY=V2Bq-hsww=^3&Pq`7#`=lcKubNb|_s60jFG$alNip z-M#~3j)i(b8Ce~V3B-&9)rmbVL=wd4;=(T?MRo%7z*)FjDdEKI$PQi3GAiH`R94}c z4LD)sA-~A)#B#?z=E#mJr)frg3#rlw-EMUp2bCN~3hGvv@8m66LZyBeR6{O__{t=+ 
zWnp!5N|%3=4+u9X$>|uLZx#h4jcAh0-h;sAernRAZiN*?Dsk77BYlzjbzT!ykNuQ) z3~%tjl2-s(0si-s(^o*w`%KC*=)(ff9`1EkW<{b~90J6utsk>(ifEPR!&S)59d zz#}r6_-3MPBJ$vIQJh+(VeEAh_s^iX#DOM;8B&k2;-4r7ln3|RTXdmd{pryJmgR)T ze`Z#8^`m35`03mo%JZn?^+GfGxqdT;(gbSzL`FG^#K%JM=*MlL#Z%-al;ftY#{Z;>?7#KUyX{}Gc}yM+9Q9@4#ldFroU7%zL55Yi?T zpYmMk*#jh;((hy&IpYk8hFCiE!|HE|buM_7c8c<2s)6uG8`kt?iGzY*(l|K8;|00W zHA(5YqEPZP^5AVO-HV1vC#)Zp@NW z7O;xx6b&MaRG0dFhhoarxY3Vj*=Cm}U6Yu1xuOVSNdL0ZbB}36vA$u+4$9+F2BiPw z_`xH3oQich%LluXC>@F^luXJJg(7^yQ_30Dy(+=_UHW-a=E1EdBa{0XuJdye`reFN@1 zqw787>|a+^zYe^k#)}+bg9)y#+z=m#p8#;+cj3VIN7deEHq$aH>rGwn*>z)Tc#mdH zUDsc-pKCO)9ztw;lTS8%^SMtY&JTPM6R-B(*;dnToV>Hut$Rg5-S1gHT)@nI zylePz6X}}G>ps(jDm$qQsam#D6PCg?-}#KZ?GfO;H+R-GTJKohZCKG`oKgnAGRALb>t zw+?elQ)t;jx>}w1S`l3j01dj$#Nz=dyz`<_U) z&}Q4Wh_+4B7$H*{te+2qJK8ss@n`pH&DmTBN3Q(3k3)3WdY>0`9NfUu%StsH&#V2) zrzghUy|dtr=xadR+Y3hw#q)`9i>}KS(Mm6|&dWN?@_Wx3s1IW%eQs^v?X*zzsqHZA z*|f@g2Dlqnvh6LT|9&1OWz!M0lFE?mj?=?}1Gpbd8_t?^xbALw7LBp#*b$7-tL60E zl*~ZS0h=He=>gq@JeZo+{3G7fJL==pUA;dtXq=kc&g`Ei?u@=>HjT2>)6U=r_B$VE zvQJ3ow4Cf;x~2ducAfQr2l>tcRLiaV60a|)%N)ymMr$R>SaI9mHoCl?zI5oIG?1?u z=oR(exA?fn8*nT0Q9>r-af!%O?sM^p0dIqsbn=UGUT?!UA9Mhyy}`%??T;(%=!uDP zA~WTJL=X=Ex(kkBs{KSIX>20ySTV3jXj*^METc8~P_iEKN#Slae;7}4Y|j~)q~dU< z2YuEm3Q5v*#mWXmBAc^Z3E1&-P)wh;3fQQd^sxM1NzLQV+KpA0A5RFO~~iKlcy@iD3eA?6=OV_ zPG^h`iLGPjCu?PfrI1QVHZ&n8k@B2w-3WxD4ot+j7~H<gWE4jS1YlFh2SQgV1>zQ z&Xy}4O`0_9?E@JD?6H}Sk03RNnbZh6hp0M)$w_~3fzg2pivtOeEloz#0&Mg`2ui8) z)57xZ-1&|hMScbA7s8qA7KtILOyS8K2!zsc_hS~<*CVS3XbZ&%l%+P)VtCD8!Ioz_ zg$zhQn^Tr#A13DSFd{%PN}1Dcq0*|Wl}#8I`v<_oUpyK2BL0bgx`Dximba&+dt|lR z=gkJ~7p75i0k>~@K8`28at8j3shY8DmZnA3QX!OT4DAASX=Tn*-HW7z8Q1Y5VpC0D zvCAbB+)Xvii-AIU`X$Nnf@3rh@S(GN!sRK1?F_XLORNvfL&JFt z50_rN%T6jN;zser-}9B*75xc0q#rZ*bJV=hg-8%_{$OOq+;IrI*6L?dhlw@+ zv4j##PLO9{6wNfawQfu^KNq5_u=lb>dgk_t)&E_B;Z_aF9JpnPmYZ|SJuRXGpjb*D z9G&B?AK5rHXb}FZOI4!0KsJec3`Kn8NTBFIsmYF#rc8mVE;K*ASH2+WC|o+ADlU{H ze^xsdCplBj1 zE1n`bHSsS1I~K(TZ7Kjt{x7ybo_1VVG$+!q6r;rLuh_7)^?-K 
z#5HsJrHFv{1lz8Yxm=1d)fAn(vmyYJipaD=s5fPffbEgl$ZpCmHHjyI_D{Q_xK&zO zqq#t=!o{3bvj}PkxLwIwgZk#ycXZAs~Q?h znswNAiGfDPr#npDYgFUtBi4{i8f_fjv;8CV^^cSlw#|Jcas(f9d%ilK>)QwakU7&` z=SljQs&#F>%Hi%~v|BGQ&!>5Rb#0n55!H&6sDe~Lk-n3ay)~7LDiL&@PanZ$mPbJQ zG`)MO>Gpp$8Izr4TYMAk`ZN2ZWO9J_rmD$_tFjWG=3R!#*MJt^mRV%pDRl!rt6>V> z6(9rW#%s0fitldeMp9MFs4x@gGTUruWU&>Ra>-{clQ}*k> zy{^s)8*lFvxs9DT5S(YuC(V1Dy0`mM6lZcAtscKwk2urnbC}GNx0d_<#ZFek34_4i zSkbkH`F_w9*X8La)pcd;#{vcFRmYkKohj$`WgW8V3?H5bsB%be^)(N(MQ5)V<2v2@ zEuEM=ren{K4CTdW3mENf`e>-u6{|<(P4hqs3K3@NKB-5X;TlKDWe$Cl|RjrAD6?&*lq3(lrOWY1Me%07wvbZEw)5ewX0$+M78gFOpT!K z3HBqQJ(lyFwiUw=L@i&BtC0+y!OoVkNpIb*+bhqp78`)$a`XAM$2jk~?pLMu+X!*@ z8W1$|0TO;k{q=R75FX;Z%?V4x7tx!~JrTbE-0O|P*YWHK#@3tyZhfC}a{d72zTzqQ zJ?N<~1!$RKL4#iqds`}3#dgRaHS!l=xSmwfC)#E{CcAM7@9 zpoN8}wu>rb&i}P(b=A1mV z?ekk$$V6^Cb=PsRSoZ7FsLYcvBN7y?jt|1O{~7&wzx*gcxN*>x4+b|_CX+ICi27L6 zXpggvHxji<7^luh;A5aYPhC9gW-B zM%r#))7=W$xWeqnIx7ojeptCLrGBv zA&8yZVRIoFkvBhd?Q+&$_}G3#Z;_Q&s{%#1aDq{}-_yhB3>aYNMON}s_}X;S=|@n+ z8o%BdK0?xSbb-DyHNv*1ZNG7$cHHpYrN z#ODnKF4cU@kk#Tr7Q88iLz(hqWz-Ma(|@E10?r-<7bTo|njF@oqgVG<3C{%dRHu%V zyDKSXe-<a9d?qAJMP%FZQHhO+wRy&$F`l0osMnW*hzNw z$v?)u=e*2^^}NQYuWHt;g29eHqAnW;*VAmxcux^9-}NEGf$?FPp_U}Rn{EiL!ATRV>2ZB=xj67D_m+ayF^2-s4= z;`+$wlen7GhxN9~+taR;%My*jph1Da76C*)l;$%}La=eNZM zY2rf|M{WWi%QA>#A)1@pt<|dpgl+JK-e}A3W)I2+WLbf#~`9C zJBtug#CHc!Q1E^FTLQ2H6bhbNU$#8@1rWKdml(WrG>#GyV^R=wV%}!f*|`SWEG_NF z4sCMmv4Gms70`tg+^a&!hU$*#A)z!y89vfJGTr%;YGJ{=VGy_s*#N62mCM z4m7Lo%TxnmSXV5mLI}j!#Q!nYz5zOQmmQ5$EPDQR|SHELEJ6#duiUO>|5x z2fHZn2SyB;S`B6~H?d0&7=>;Q*-$7pZmzxJIUO}FzN2|r(+r+Bx#PG_rYEyurAHUq%crbY@Ho&6-s zP4{`BK=1pz8pGQmv(NFC1BS&C2DX_2aQKV#>hyHiwJzgY>#r=g8)alHy}0HO|Sd~U;o z)HZ?s?9<7wJE!aCCp4XaeX)%h&6A=*`tHXMC(4{50oUP)Z2iH_jkh%himCAv;71F5 z?T+ur|B_y*0)txutgIQ(j)X57NNBIu^yBatG(?;$Hq?$FBaQQx^$7vIxg)?s-{&Q6 z*RuR}5%34c!~)2C4dpx>IS8 zJ~>lVEw-bqk7~bBCKjNqw%lW5?newu!Jk3+hPqf4kG|5Cn+w@1_6+?vMF*?4nUn2oRtB9a#HG7gywnCxRot9GL1%^bnGvT@D3 zz>*ffHApgZkz+{zK@Bt|O)lP7uO<>1r~3xIPMc1C(8?NW%53~Zym4jW%{D7X2HUmz 
zhef?I^fXQyDMm#EBS0Ov!;I6f(dpMCNn%}{XuE8PRiuvQ zx2z#4Hh)Na;$ftH>Z)y*Y7ebjviU&PzCq8X>G-Dtq6XG={?~}B3~*#Iq7XXOc9i9y zF=(|LtPn>>Z9Iu^v?g?+c0TiC40czwM_z5+4EiV;dXp$fHAU2=f>@Ls*GmL1mW7b{ z_Ts0+QSA4j2IHM*acqW@l?O8Jkjln!M!HHF@1wCZs*q6d@>a_Mv@*qtwIrFRRNJy8 z3sgkQRGdZ16$)V2n)opf$})YJBuQ1`A~C-q0N7N zbN|BNkdWWX$FA9F$tSA^{{W9Z2Sf>xhb3M`g+X((%nzc#JT^5dPnOyuxY%`3|6HPe zuzTyfyH@o^umL6M7yLk9Sa=BFf62csI}w0yUh=&b_y-O^nxsgzt{qoHK@xQR_L2&o zY}t^vaIT8QpPx#-Dax!Joyh!djoy$Fv@$++6-rP%^2s)Fr?zrX3H%nC3CBV; zS+bQgLCRDQ^}d;N>-6PTp1R!QNw5@^O{#xNcrFqk^i9}_kHS^Db*Flm82ZPRe~Lrw zFJivXR+&4DWkd-25~q=ovd>q?Q^u9=a4A4%`3)Pajtk{ZN~qu zN-8io)f=aks1|ZKFaM~=QV#=8W+bBho}H>V7OHEk2b+ zmFk_V7~+Aa4QN$*XSz8%sB_7w1m?wZqy%a^q4I>Q_Pv#^CEAEFlSa{tEtK8$uXJSX z)Va{{xR&@R$r{l%#kkT2OPrYh8=sg^;f7z7SW2!B^v=Hz|G5A>I+|tr;>4s%;1Xr( z2*Lg>AVbixz!=hvfYc9)?>YT@i(hgxKhK|*1bR-;nSy`Qd7b@7d;6H02ZLYNEpN+1 z5{*O7$7TGJdCkl9c!2jqp^0+BXWHfq!MmMfnS`8SMr6B@E(=8 z^xfBDEBW3Yk1OME@Ba0R);w37z56{aZ0~7YZ8z5RKoOniICO}kMGP*WU)(<2Zi7^(i3w57w zL{<~(L`aiss+kDGZ)EgCQ4xv=)|>KRV$+nu0gjq-nD- zORh+9lDZ5RfL(y;L9AgFa@Q1=_Ks2wPV={E2e&N+tcfL0;bNdv$ZUnWE(1BV*|d}l zN_=VOTA_jRm80xa*>Vga7*$63GmdBV!YAQ`8Yg9^mTu~JH% zyOMDd2R!>)pm=4Px=L&^q^L^1s|<5Y!`_haycUCE)>Hegt7Y%zcM44`Qh2_9CSm5b zDWR2mlV<&_oJqm9(y_jBFpR;9BTu4hu@sB_e?-Big{saUV~5typl7SA!+i`{hBN zNt+Xs#P?eWPtin#wNA1D-pscTomd`rOh{CQ`bQ+9zEe|(Zf8ocqrqefNxGA&a;7$@ z(17qlgl~z%C7z42Ra~l^=AnnuCdC>Z8O#U3X?RtvTX$6S92#=_o91QDRN#gSRUSok z_drsBG4YQPyPd8@FuVG2B_ zPKW0fp)PSW8?|DyZG%jvy92RO`=d{DI zuSk@I4g6nfOb19*fDfegr{>rN6ogq0(uuc&mBb0YSO2oZ*mnG_z=Ne8@M~nx{5|fp zh2sOY9@F2tUXHXOLb`_2oEyGbE;21`nQ2&(U_lp#5hMQN$E)QzbbcqHEFK=VkoDz& zEujbs!^7|Fz0u#7zfZ^Fl>MPqYx~skAfPV! 
zGR#u^k?%|!*oD(ib|F80%5JA)gC}WE6%=A9(s0X20g4K83o4cW%=wpHZsyMjjy<_} z-f}p0BiX^aKtPO_V3MhCdtP(xId5O#Oa+S>QoDAI7}i*jh~J;c%sX*_OvY$fqkRy* z<*ruQF51P)>ZgsWtIkr&j1(W=S-&zd5Bp^b4C{qWALE4!G3h^g3+E&fetcksrwE}2 znmq)p=f5M7$<|~zTzo}O_3Q zuxYe##);+^mBGg>XyV)_DR0l5_@u>B%}at6?6|gq!^wcwor~YK80D*Kz_1d03)Jk6 zz89sI3m%C}-$A2tAnuP-2Ksof3;I;_JIQ({;k5phEt|6$Yx#Mdi0(f|5nK^UOd(Qn z`Fcg1L?yiJEQ)$YjOJ7FlvWcqPv-z6-?>lUYp)3IyYBV!grLhIQYv=|Zl#10CnEYl*( ztMq@zCj(^ou7Eh`@1L^(5b(>Y45Z+(xMK151pOsUB2)w)RQVF6U%xbmw=YpT991%j zPG`<(qTYVf zs0w_8ckeK7Jd--%b3MSjqi&hS;D7sbv_eDIb7b3CRM$6U*Y}E->2>vtUrqLA`)0M{rIvrZlh5!TMu*iF8uy6nQpU_T@eI+%F*;OY1&>h zt@|b$IZY=ppZXECY@UDuIsc9!Ya0VTj|dNQT~86aZJst-mzessq1A3@0Z_VE04Jbw zRJ~za`*eP@h$a2aw7@G{;A!#K{gg~C!Ha+nXqF=9g~RpE1_}5Dz&p9@1rA*oZH@j1 z)=dhr;Xb+M)4i9Oi{mkaEatSnB7TpqFuwDKNF7H@dmU>E0uOnwr$A5AJ7=FbWOxmBd-z+Z#;1 zcJ*Q9G_Ti|S$hBb$To`^|MO>o{NwAph^li5`!y-NX299Vg$!Qr);U(|fdgQ?GChy? z;w}cM!?UXl^tu?)1zE?Z-+dI#*Q)=}^BT#AsQYlE!y0j5GqdV;UB$xic7)CIR_5o; z-?i^!!Ph$vud&6Q=QCKUv-$j$8xn8~B3KXj$M75wvUm0Y@*Co~BS_rKIZppU2|{^K z5WT3!n*96maI*49a47JO^s(?jKo%#}j3?6^9SQ&SHUtMKv}rgBbF4ASvP zeJfFGE%!&YcYCU@DEI?w1|38_@48%L7TTW<;51R|tVKPX^Q}57YcI7skq-N{BAMKY z2hn&OFJaokSs5>W`Ue|6BcgRulh_(21X?ccLQ`s=d%SUcaiYa`xH4D-x?sS4RjJ=r z?&6zT-gj=wg%Xp*JS_3#q6z+*2VE{pZ0($X2sJmw4~$goq%A9zW-#=NVbPF_gDIY| zCt8L-vW9DO0%3-2^(DjU2Jjw!(!+_9;cG(CQIt&=Q<`m-V_?FF4rGjFx@*_``%UTS z>plQ+RYBmxd8nuo=sJ(?EZF4xg;A7hZ0UYulBc_5*<8agY11UC@g-V37#gIv^3L0+|ht6uIA!_6m8$=h8kvMWL z1~eO^e=P&d6*hu$1g>aNgk(zN%oJJQEQZNMqq7gR8<*6Mtp66jpNop}v=ovTqYCf* z*bti=qf|;M%5aC@{m|~bVa;JTU`TE6W}1O#2RA~r3o6{HOM_`NK;HvbIhvzhvhC`~ z!Z{6tQ%gDZZ;NaL>r=TT`<`4?#uKX`2#{aGi}gN|uK4Tbf>y_Ny02fi6{HM?E9hRrJC4F)JnBHAo^CV^!^{6aLX4{L<_vi*0FI`qy( z#mIsRkXv@~trA7%2_#ghw5DPW3)r@*WE4g2)QMTzEoHf{R@U@+{!0J^6b@kdlVmC% z9a6EG7t{xtdiDGm@ja;tDeeFP{ZBN~nhydw#6}en7wX+iq9|1(asvVmM1J!q1V5 z^hroq1Wt|%riMJ3m&byg%Dv(px6r`g*WVRcW?t25B0hqxx_{`gwQW>Y*MA!z_>uMR z3M)>UDu+~;k6bzN#j6dX;Leb$YJc6_uQ?c^q=s1|VyA}TD1&_{2RR%AmE5iIl(Z0z 
zWf@O~^?Y@w(+9rk)taUp)<%lMzfaVfHV=+sO@r}S*r^koR@8d#WzJ=+-XTp zU8q>~RWo!DS*po`%_Nmxi#Y0-DgHaf7?~R~@h-58G|M)4;hDuw;Qz*dW-H|{2At^+ zdif82N7q5M_X+(0%2do@Xrkvfi=blv&`%L^qu31XV}qj4llrRB+8rXRi|`@nWUdIBc&8v$qN?1_Z2(JElq}aQ{1X zsq35DbnM@`r-vz^ibSCF>AbK}2M(C>dn$6s^^)qIl&i}@sFMWo=~_Rj4a;2fxfZl= ztnPP*+-zK2ZPmVd&NcaGuO2sMdiaL2nyyurk?F8B{o_X{^RV~ZE-ZLdEba`wN>C(MII&PV>1T0!;0$2{< zjBZ>U0!~`cWttMU4p*@y=*g}XXd6M~CtGcU7x}tgH~9IqOe*U(6*?n($$i^{y!Z8C z^lz7yD*2xe=v{cYmtGgg8~AQ#*%SZ{zVYga?;WepIM(FpEq~;(A-ZwC{e9* zP}LxzFB3DjKFLOoYHF(mlkv{HYmqXPv~N@NQS}t0xNN2bv?vWt@s?Azgx{!*%-l&3v9c)8OnQ=RlGP5T)U?s@R>GsFIZ`VT$VX1H zq;4W|a7K)TSNsNQlV(s-g0y+0-Nu+$x81q(+3I4CA-Z`))_T$m#dkqzhSAPD6X^(i ziK^bADoZefo!Zv*Ptvf}=`vA{=L&3a<<9QhM2VshN!_*DGbhyhnwKes@)b(d?HO2U zkJh~m;$HPu6S_`c&!i{i)XuH8IiqEvE_>d>)@&HbS|DE~rO|>x9@@ucjZ7i_!`k&Kg3<-f|^)K61VZGC4}cIIP9x5!p7< zzbT&}#va`?oM^?x&X#!u#*lIn@}_Z|Xv;!V_Fo`avvRngCGm33A9E;_Bn*RPo#}2h zOSX}HK`U(9EJ@>V_8B=kp?RBQRIcbztsp!Z?FDe|iWJVqtmw0rA!)^ZJa$tU;jL-R zH|@IcAmKKf-7DdexiL>bIlW?ie<)nSDC?qQAs95dZ(g~yiVe}^YxzMDT*P8{^@N6R z->$~cpB(IDfKvsVZP|r1u~mD0Kc?0oDV5Jpo=617ocwqhU~MR3I21op8`J<0jPh3Dz0p6cYg8yxTL+BNO3QYIjEm1Y98^ntAKPXF2e&FiarHn$? z7&UHVwF$4{BZ4QgsOm12)`|{XP8Jx3 z8dL1=aLnn4CK)*?mKBjR8$VxMNx|hCkau=uz-`rZn78KA&uO9(P1XJ}m6Pi9x z{a`o|0NUuB6hCQ zFjn13v6kJ5CKAeDzc>1mP-@h^b+^Vy5^I$`xC%LZH%yB&);-qh)>n{9O=-6}uH;sp5<3$}}Lv^rKWItjg$y-l|?_H3u{?1U9V z&SdWY1`JU&D$?vShHQRltZ>4v^I6?PmyuRBX`F`Ye1tKAavZQiF&(03lips5)5Nzl3Ko^6&aTUIG6?8? zdbn0Un-JRA33x!iKutGj-QmOCX@Ab+sCyyT4S0?{S@8@3ZXE=`tfv~;7pUHsPb03~ z6Fbd-Om2FL@F?nl4&EqaDL)EU6wwvaZ97RPofB!Rw3*H7H%)aKziO||79zIEQ(*C! 
z7ypUKeE%j4kE~rT0^jp>fZcJMxA)n8BL|KN-JX)&v~tf4@&vpl=ACr4yo~zXU~V6< zcX}oJI9F{ye@dPBF~x=+pz6YyHe1N7Tu`)h)hh&Swc zZNip&s&oUZ1H6pK5daaVxkCrDZ;<}6J#S|a=6d%qrS)fPWgz1nvNo(%a|6$HxluZ`PS-ZC9aNCi?Mh8D6~0MwOg`|D{avs`r#95z z>7n|hX6W;?pwAyPq3~UJ?KM~gtqb4tvWmvm;VoeEb?=Bf<}zRgmt)8Kx-_EOWk)D-^6;#D=*K*al}}uPfD`aEbshxWXZg?F0gZ`mPwd$_F?}!T z(Gd)M7Au#$yDez5>#w>tGg%ZlZM-b2g#in9Coel(uX3Mi?p07bJ;$WU4T4{3?e|RBf*Iu!QapYbU#C)v-r`=+zhFP zSMPFzY!DPXaKHL`^LjOlv(n%cl)B1a_0k$Gz2F)-bos8hL z7*ac(duEt)S{hC~a_5D1@$A#9Iwp&YXzk>}nv>s8%us6lNdUWI z>3grLN8_)&kW}*&(sy&haQ|6WvF3_XplPmZ^P=F-{$NU|Qi*V-Tx7K8@3O9my}009 zjf(^&6wS*izev~EAZSlBwl&#U(8V}ZDIFarpjdug9_v8l6|EirHi4)Zt_n@vBSJg% zD*_1E;?%1kOrn|UlVDdT*_OaCV*mIhlY<3ey8ovZ5wY1D*Lrer8JVWyoKp>pN>gbH zfrlNE~T+_JH)$O z_$UHOfM8q@My%MF=@(aM2DxtGIT;o076*&|>G#_VJM{_SEDVU?Uu(!(H3)7kL$7!m zuE7Pgrgr#&J_DhaZ&!^o8cl1z^7?T@G!s!9mr_#U#3$QP8vTgQQLVBGe(vFvp+~sZ zhQ`}@k)|1gt!RUXk#*{J&X(NDB5+K;a_kBK02TciKp3x@5mO0Z@cl$Uo2p?!&EVG` z)+AVa%<>t+5IN-@(E~nH%7oS?_s1a$5?oy(2diazy?8=Y?Z>FLFq8<3Wd03m1>DfG zlsz>g$~|?#7$Kw@EVJa|DKm``ciGmUc(yBg$#R5_=uRY# z-Ds7MWs8bSS0?)qVUp59s4@(V4;Th=;Wu(c0@BN0hX_2sxqiiQLYs;Ek5-$*^YTd{ zK^CNyJVaHLjSJ3DqEjw3(3S7rs(&xb3wbu%hB(9bcx04c$ zx{ok6$@$q>go0=lq=~y9tLcEv_7l>V45{R>Uc#5Wsa&AaR|(YC{D}=p6t(||10(>s zo&+enz<|4l>-{$no#}YXa6KPGNF~Z$u<`wdyr*z>;ddj;foG;0gbNd56;z{3sGC3M zoaUm>O`@{SvorWEzeTC`UL%nP-yU$<;*R@kpN;Wjn+`(5K^svAX^5cVg|bZv6;U!s z=wi=0aj97*JMQj#1&YiyNZv`3x|xnS9F?Z&j4!7C8T8>=!p)S84~8kvQA#569wA8fKZx_qlnQM~=Yvg&d2l2U(Xqs~MJQuTrjAq~-6dfWbq7 z1wh};&}S;>>%dQH_hmNV6K#t$v2Gqj2T=Hkc>M$*g%y%YlYi&DLq7&JJ1p6B@pkXT z;L^Fy5+UK;zDsFsyxmPNufJyIs;9@KJ9z&MI`i<4r+r-A*U$xAv$b6_80fCw=9WI~ zUtVl;6*&(eT%*Dpc*&eh#k_P?>uOrmu)Vx_9>9bG)qC;3@93p-TQBoX(jfgL@J!}; z?ZxBoG(48zVDR6bps@3qoxAC6nc>+ebLhAre<_jB;Jf}LYh7)AenFafOZM1AnO9E8 zz|~r{8ZQGik9)sNCoKcl3ifkvy1S@bmi`9t`nB=l>(=t0G@7;fpB&TVImJdKWHwyn zdAMEooHAtN2jRb6%Cn^BIvt?d%sLw|*Ty<)FgzP}z4Ye!-(8)|cnUO34al&*czacS zQZY0U@VEGXO#G!;`AqY+C=u9O$#*_s`odo=uK*0-;q+0O7T~-?Lw|=$=W`Ml=Bg9E 
z^N3DIAMkg_!cjss*z0{6^fp8$W9xCPPO-|egtx4>hxJg+X3^a{ZPcYNlkY_Rw$fLv zC-5FDlcpIG=TW!qYvk7BB7Cup&P~yhD-!S18a=&r*s*a#v((|$XOZvc!Qqg;kg#Kv zi><-;a4CVw>oGX+j{sBa9W&kIBQaXJDE?X13c)dXTIDmogYXT^9-%vy=K!j$6RyY$9r<@ z1j<5uf?@Q2c7CsHNzU1{jwY2rV9iI*uT@W2Q zP~^YdP1SjP3M_$cvO&K3AP!$`P#^p|_eUA#Wb5O>fq-&!d|5BMQikbW-B>{6?1{ig zLITM5nT^d}=)DgGo*gv$lBB9XEZ(r0lM)whgPJ5YdqmOu~u*EpAY~YI(}4avS|Y zOcfGA=VAJXitC87(O1~Dxy5fcJ3Vq0O}a1u0L&T;e>O2saT$U{{K%VbblEbdq}u#j zC5vL~cr30K&AAr}pDN^hV`qmldV^~N!MRChC50&A%k+6bv>*Yi=7!{QGvfu3QUPpQ zW=8FgMM4?Wsp9l84{Ho%sVFK7>kC0-od{%s8|*Oe9deg&RIt?8V>V_I>BUJ!%pmDXECk|#r zLrP19C85WZq+zCbW!7(GV8=P5wf@*QgU2pAKO)s=6DA!>v*b4z=OKr@CH9PU90L=aAt<5}$dRHHT%hcM@y^M?%xK(f#;*>x-%u z$Oj1)fhs__xtKKJ0`lsDUjJ%RHR0X3qq9v3Vftgl2P=2=Hzvv?n2j|ETWx~QewyO^ z*r+oLQAKc87Wx&`%{X?a(#5+~x>#(`kVV3-Rt~0CN7YiT&Jfj%6Qq+!#Jo~8p-a6} zDn_p4HVRd`y+rNKhTAzPZV+Cxthra@#JuO?-EjfNZH#loUG_|)ti^!9>TZZZO?-{i zSfLt;`EEZ?rCKz>Dd=j&DQQzGLkOO|U!|8`Z{-R0L%GPi+I8Y9sFiIajdIZXXDE7j z+G&n5K~_)YI=1;=%>{_x@ed*YkTbn)et8WlldyNN@9yiF2OpEV{iYITB0}Fyv-N;E zrX()357;-YLa`DiE8II3VMl|PUzc9D=3X)Vs*hY`iSsU1nq@uD6z5wgKiL`nei?uV z@}&Y1!S3e+kmBWE0^a3+_1wjf*-|jq6Rj6H5Z4A%5bn*G&`MwjxwBWgdBZ%J){dRB_xMM{G1K$rce*P!i(KbvbKK~%c!4Q!nKC#mm(aDFxDub&QLgm) zWF-I^_HwXo7|DmG(C@oWWmy4N=Q|m=!UP-$Q;fs+UFCG#u$NsqS)jkar=1D&hKZkQ{e&)YgKzRZJ1_bg$JeT?HEH3W_1UOza0NG1T@?NEe`nMlWnCFw* zagaAV-aA_t`fUeKG5NLjes9WK7Wu%nQUN}%2(Jl+V|(nG_T%IekATa+Bxyd+8Zrz` zPbv(g0=$O~NL3v9ESeszj^4&IHwJ6g&jVFEem?hMF4y`uHwx`dNuD6+o69E50MpDc zg)N7WGH)3Ehx;7A9iQ9IHl34H2d|i}!)3ehGo-SCwGM?N_Xc;}Og@kFT!(hn7J!#b z^}|#eOn2t2UHyz#wjk;}&+)G7K{L|wjxnfbl*i$wx(Q&)`aU!o@Sbf3Z&S;u|2DKO z-L%qU8c}j!w9sI{ZL+<^GpmycZ+<^_)`!RU^!sihSvuluW7^N>sYl)ay|QVU%gO5` z%p=|&#E=65yn*^+1A4`QNZf9brB9%)dWIu`2eg#G0SbzU-3<%aroDvqZUGrVc0|K+ zJ;yN4%)ID6@}Ca5%v%<-&)u(RH!)FtWAX-CCz8Q5pqnTmwtM9Y1++2avEs`syF3_ zi-YKxjXw=cRf|t3_)YVHtkM&R{iO5vVzWv^?xKhhSH@ne=ip?ar=eMc^}A~cDng{e{~LQbiaLInL}`-#<`Z$|63%-&O8<)JJBS<{avo>N2-O`gBw8)*Lt#Tyjv*p42+RxbcIL!WqYc zbu>+Y@jww@*L`Q&W$F90XlJ8PAIt2DAN}>Ib?)IUd3^s4&E3xFV>z>GBeTXFixz#K 
z%lg+pOi4v9NWA?C-@V94@=N2nxY>;L3>A?&giPn%ComVFxW^mH7m20SI>8&fapf>G zsacOz>D^_BYX*I_ZYB?0+t`9y8Z&K0!R#4(;7&>p$!r} zb)`e3qQ8mih|efNHFX)HVI+O1Bvb2x`%Sz-$2nMdWYmd_@UF#?DU-^pR!&7b$p-C} zdZlEXhO4ojRs9tD?0G)_*bci*ROnn8LmW6m`rA~at$YgWL}|qN)b6tk?0NE4!Jc2A zAP7WQCxT3~yWlm*kgD?%k;$Q}r~%=7Y}0F<_d87`izmD>L`scTqyP%5GuM=b`$t@7 z-6@DpauEnDKDw<){SvLS^tG$OOxW zOiTvGjI`7O|9uNWI>cgtvHXUIP!L|h88=ca5XrQm#Kdy09S1!qCWjmNFM};nw#-3o z!=CPnNQ^9V)QE)M5E7HjTboK2#a2)vzC@5cRn{jyVNR7VUr-y;=q0FnePqyBP??K( zfqYFpEW`@-fU^CVGWuW{_xHL9H<^1RFsB=T>0)N<3+LdA?~B z)y>$TnETN1kBX0FY(xSpueYkyn^$UHW1zKrio?7sN^t2m`^4^A79Yqq1x}>@8e_LI z{d!H$jM$T_Elp{YY8pp%RCGgpFTnjTD8QLnrqUZWJjfV*I@n78cEPYM)xM!!rR{W| zv(k#N(iE3WF+xj4Zr{IS-cG$hnnG{-B$=q3m2h=7O+s)r9?f%D=7NmIw2Iflyi%8b zQO=I>=e}XANZQ&2+o5}?WVdF?x&F4jgug>DrPEfdAM8IKDTdSu)VyRR%8V19aFefK z7mS6k6@d|Akr2fUvPk%SgMa9c_lj%6g6Glj-S99~k)&_!NX~N9vRFV=8X;_}@8nbd z@u4coP7aW0+6^RT*4pBai^gnOvC3R)_-j#|3(Y=o#3l2B*qHal7?>Zyq?MVrS+$8! z2OT({Qve{b<$~VjFAXjNj;Ggm*9ioHNKqzZs^xP2 zULcMipWl{2q=rA_cS)bV$UE=jt$I*GKHA0cqNqC@|&HINK%o)PgEDWLs5%Kjl_bakiO z{X}cB+H3GkK%m5tu;mj?V#oEx{U+ce=yR3Zfsv=@eLVs`xBCM~kfre`ZK3b~kBbtJ zy^*(RRiN;?PAb~VN8#0~AV>8ku;Pbu}(cy=v z`Lt-mpmXxOCqF>69q{A4E&*WC+jNyzqDOEU74zx4;D+!0aQ?`yAjR<&ZCozJ0lc?7 z--OZ8;H_Wmt;0OI^w`KxEK1;htLS0pv2IP`J_NTG%n&pwRCYT6;)m5I||sBha^~2r+njElu_4zym&*03Q%n{YSEqY8o8eY_7uC zj^`74twC9v9$P&T7r^IvkY_;tIsQv+a7X&g%!g5f0PV{huWfRl9`L1&fzNDE2b2G8 zzN62_=1S}uOPB9u`#@pT;@A82jr~@!HgNLW-$7z8TE}6xy8|0rfdg)j(bTbYetwskdXAUa<(8Q0*Cg*V0)IPtcYUL{CJVZTX>p#B z7yN*~j?e*w4Qq#MHUT|zuycr+9X&1hJnxoAKbu`28f0dP*fUy8yhs>&)cl@}w+j%i zj*}gDO=EHi+JP1xzm(5t>+;zjrY%O`Z$R}=zI*p#D_-sw34PlDkSZu3@*!Z?3J9XV zyjTRq5((@D2!#|9*aMN&C8O$7l1!v*1`KLGC4K>SDnJdp00=74FT1)Xs12}U_{~2f zk2X~e6%FTm=-(+$x)u?6NM=oa+2Qt8vOV%mcONch_zOd7V#dTV#5XqM;KImF1)-Vm zR*ogIb3>H?do#+#5LKDjPOws`3}yL48MMWz))skG71eYN9KY~i64sful)sMuO$&*v zWY^ng8E-jamF_208j6%%;Ou&urkGCiT2_kkRW&P;^s^ErSvlBJmuf$9wjlqri(PWr zRlSvxxeAQ9bf=PXR;p5Q0Q+N0J}$h1%mXF4tGZJYo!cEQS|Q4DSrGecV=vGQO*THR 
ziVm~3xTv!r=x7LRT8PB&HzYY)XIT88?7T>Fi)}^ZEtk#th<4%e+c4|*7DcLSd8jVt z%R*(ESj{LaCt8>mD`A{+ewgAuEuaD#p%Bx}xfdmsiavcVwuoQ7IBKCSD&3?!Sy*Lw z=CEwWd{^|Z`BSVW!l_ot66)3-QB{I(>MqQI!a6uVn2e}-Q>8lv*R5H&=;MXLYc>{# z*xZ6xQsJc0tazD-8w;n>)}Af@gtmBt{ix32K+HaCpD}f#MmmXtjzkbruT>|HT}8@9 zTT^2~+Y4W_CtGpB?V;vO*>c*P6^qQ~2=wo?Yjg1%u|AqI?a8P2@@L2v90;9{l#UX` zLF92q!54wz$dq@qigh1XtsE$eUUTZ3-S9FLp1blNO%Z>R!kPJzqnvA>%3?h-f92bB zeN6168!JBCn2G?wzXAsP%{);OGwaGX#pZ`se=A%Zq;ax^FmlhkD2!?ilw(uwpBjdo8Avu6aV@0k0v@+G>8 zy+*AQRS9bl*>q86_bRiuneyyRK4@9+q2|Z9IWiJ03n9#(Theo!q~fuijgNegKIq|U z3RJ+;6HNcpZs{huqXMZxPk>K6+F9;^HXN_GyYlqZh;E{Z zi>mb>w)XgK2NSKzL=<@U7MA!@e1ft(B}p;M7nex&!eP}K2(@uATnI`#M=@|__*lv( zof>}nMqwT%!_rpL#9eIsuT>cvJb3}mA~8`Ga#f{j(_E5?1UphG1(*^NkM?ed6nO@> zrD6!)k}HvAMXIyACM_u(A3x=Yc3i=eX^M$uwplW-1p0z>Ut)NQF3fKq`Bc#!=CU~N z_Jr)H9Nh%S{7Oq%R{9{bmOXQ=c<{20f2^2U$HEJ`mRay}E(HV)C|LJj`uLFR=S^3A zz>$E11cAdF@F5>Env^kCFzGP;f#5Lz6$$Y5sp2M2w6r-*urCLs3##p!ihB|8nF6kS z_$FsZTj=&Je5?EQuzo%J;eLEXQ`-6-_M;lI+W%?u*{sXHajo#&X+M{ykMCsLu_1(i z)92{EPTj{dA?DHtbYJG-085bJ16<=cLfU9-TYehd0#y1%++O1LSWZ%xwSBk6IIcV&9wb0di@9@| zFtq-au0z;5`B3&fSDQojeV*5yWWn$jb^dlG?jJQsdEKi%;#T5U6@3m1dME7*VXt8{ z`UciOgcUDmQa{hV*yQq%!jUiuh&t1icgqp(i%XfD#|M=yAcoIt&c@B^>yOK_WT1Wb zKTp7lP0~wV=gR$*6mEXohMk^kj72Zm*IBsIdu>CX?{cq2Uj2!DnM2D_)9j|3w}1BG zti!MF#7(E;qkl|&+V5P3XKZQUwl(`cf8*ty3=-GN@yvT3f~LBir~d)hKq$ZV zHODRd^c$mDEADvrz0~a91}nX=(i!OaJAc4#dCH7mz4Xg_c07H<{$J08H@Re~LsuF; z{rcv6balemIC$VctR1fC+ImpCa*t-a7%ApR3CSpT=A#c@h5GptSWQX#1)(*h4P>ZLK3 z0t@|Qg&-wejkO9Nt8uT235a8(`FeUl8C*m}d9|D=l+kf-T$_-7a>Qq=LO#p`wF21f zTip;>ETNGvOT$cdzz5?|37a(JJcRAFcmbz{$SvV%H3VN#vC2K7d*vXbGmIe^ZL za)jK{p`bY)pcrfTHKN!Xd1TP`#BxB=ZV9!Dq@2WCiHI4tEI9T@cGWZU0~Yt%A`pM0 z`9CxSXa?6dc#Rn<1KhE=dITy(9Pb65*A0en4~ih2CHcVte6Bgkxtv^w(Zjasj%y6Hv-?75vmvc}+jJLO5?c$A$w zm;H=Z1~Sd4T*ijO!f-h8s5s{0cn~l)r)3$1tGT|d^~+r%>c<^58jQY$$VSk^DVifHY(YKCy8Z=&RJ>7 zLCkW#(*Xiojm2I+ZWJAg7Ruqk9T&dk`9FBGN`uq<=QI9;{`mOM0=b&c_)okbGV2g7 zf=))+H8?|use*MHkhmU*`POS_Znmk)A+cbC$$tdh$mo_pP)`N 
zr{J1YsWghQ1h7;SMiYfr5+#S-EMz8yQXjO&YI+hVt$bkw3T3=s4#67iLyE-+dM2L^ zE5fjxNEHyPPzG$lLZW`8R|i!dACN_}#br^UsnoJmgLi5WH>Q(=bgtaXGrrjB)gR1O` zeFK;CwYs5q8Nic^MW69ve)PS~|M`dhZwoU2hczY>s0QT7kr8-h0Y!MCDl`5t3SfF%zBSLFa zMH+Q|u-9%ldOs&t1%m66DI)S+Coto3ovkJKT%(^X>K&j0PbN%$oGhS9%!WiO?bses zsChh>nmV$ro*w4P_Ix`!4KX_)izCd9Qu{{3i(`FiGJQg?%~yLH~*W zP~SiQNuoHGq!J`TemVcS`Poxe+4HgU@9@umY}>(;dp*C1wcciHQQ_NH95VOVI6&rz z$83M&l{&!|EVSiAM_zNoQ$JbzH-G*OwZ}HEo_xWS#hWLucarS}h-MU?8nLoPS3wAqZ z|A6ETPgXCu>9|ub*=5yxH~8dZOTE|o&0eon@44sEbM`p%VR_RNQ`fxum*wAh@XQ%Y zobmDA=dU+tta9MCC(Jqe-g9p^FMsr* z*-P9{-udCChd(l7ze;-#{rnrpzsj9-@P&2(dGwsbqoWUxeC?;*<&-P-+2Hj9D)C|7 zTh0GCeBK|ozgv*&bofjwedP7Ts_(3RuK2SOKvgWR9TzBV6 z_Yf~0x5ojyKC*f8s!RS_zu>5I2O&Ra{?By% z&v#;9ga1SsbKLWObn}03DJ3I?2|W_q+4w8+pYiAOALPf!e>6H4Qx-OLEiiF`=KsvU z1`Cjw>=`iuq9eFB?By#BEz6{J9WYo7ZD>U(!h3FVWNvi z1`NwQ1jj?(*7SmdkAIOQ6nN4Lx>K<*TUWT29aQ>g*D4A<$gFis^kC8# z)pVyZ&X@6;lrzd%muE_NMfbu7_?}!1F~iN)rt)?_?6$T(PR8 z*jC(U5K|kvwMwy!u478ORS#C=#;pGmY+p1{=5m1+hah`8xlS8RFNe=^9CTmV##4Nj( zVTYj_b|zM8q>HTDOS3IvVA@kOgf_>nUerc%fs3@==3n6LgW(FD#eH2AVmny zZ?75s!~CC!Bddt~1?83hZYjbaDgRjzSMwSF883*;w#tF5bU-0lNv422$Ja!#mLp=n z-f&q}H=J>$>P!@6SaxU?A14OQF6b0t67!IHU}c3IMWYg_HCuWuAT(esu~0KIniVY) zvpn9?IceOn2O}&?6-r8jDdfgn7dIgt4)e^gQo(4k)@%lr%1dyTx61%*_H&6mtm7>$ zAyXr_%k))_ChA&hrV9BgD~W!wv!RtliqoL?pkqX?Do zB7znhVzB`gP_=1~Ds6>{vh6kx+cZLqhrAV5ysG33tFq=hVp^^;g%ZHkkg&sy@$_dh zI~h!E=`WC3_P^%;G(-k%@{@n%KZRy9bnARNtn#rdcvJrS^RoW`uRmvFVEKTp$Vk1J zn-n=J?Mznmp5{>#pO;AV8=7@?bN;k&bqU^zLG9gkR!=|x7Bs+i~TkUa! 
z8kh=8O2bHLMai}{CC=a&EBE*TQ_^}}lg|m9J7Vb}(;5#s*C7eGjt{G8(suz&(3-G9 zC%{BIN~?jWB(?e|H|i4g7SSz8>d+gcDcv7hu|e2Ph_T1faEvtddYn&2Jjet2PE$$K zV$qxox#W}pg#Ad5%cB957l~%NmDD^arDiO=oTv^_H3vm0zgyCb95O87xnSG|>K!Xg zjoCt3=Vc6zO@o?DxtBp#tMXbeTT(o(*Guq{Jg%~|+O-I(12v^+$oY;uhLaV3YAYuz zXv?Pu>70hN5m%SLNq^31gfoqBrV-9G!kI=m(+KDPrV-fx{s5q_#eb;j{NHzB|H^;V zT-VF1tt=eO>h$u8&R)%ESMrT#v9-z)lyU2(-_kK~Vk^t4rGY;otRdq4j8rOUs5*IDa* zu=6=ruD7su(b2(gZ{ruegQj0 zbyesm!>8BU?9OYq+T^NzKjEU zvq*S?8^q{9x<#)%zdoYAd`v_nn^} z0OgJwY~I2X`yDoC>C-=aVJZA1`;;}_+Wp;i@1tJ&*(ZD6!k#9db<@_FSLXcjmItKK za?cnCvcJYF-xB{(-rr{S=Fgs$e)yvIS9{L??VH;#x7UYrR-d`WAFN#}yA!_~mv7nU z#CiE^(HYn&_ieb!s>h%I;05oYrF*ZLeed}*SNmu=@Q~H7+2dyJxhvi+Tz1pRHazFr zd-vaZkEfq@ui5n~bm`WwPCWOdyM1t>UEbQ^x<^jC;N6FfGiF_V(~|dIH@@=XQy<;! z@4q~Q+dp{n_Q|D7MOQ3w!j11P|I)=*{_%iAZ#!kZL(2O$W?W(1b;^;NzT?t+ti0!= z#DVY6-E2Sfyp2ZNJ^9=g`+S&K{8!GFqbo1&H|M=`!_4gmk34jkSKj@x-~Z(9how2c zzWU13mcHQQ^AEY};}-wi1`Bl_dl4r#{L6;w+2V}bULPFZys@z2+t9L)9`p6i|EK!@ zeb@is=)czgO!xo%PVDROAH@Jo_D5I$LljanUTEvs{92f=$bTmPcleKmNm>&vw5@mn z`Ojp5_|I4>*@WIh{9&!_mq(MHAXb2g<6}1=4mE^Vg<7RO*3xaRY^Qn29g-T(Yf>*R z8@f>)_0qX<#_FYul_A;Cak`X42DAbg9oK3idZtrR;h3uUVN`4Ow3Y(qdrUSQPUP}1 zw9H{xmu(_f&|71pT}$yuYzA(MLlqH7O@)^Zt&1fmnJIEel@esOf*WW;i_^_!R_wAB zs9LTiakz;PQcDB1oL`iwfaw;h#gS12kd~{K>5kZHy5)31WXq*?Qm1ugUC^#*R zD~MH0AIALxG?emA8m4-R#KPl#s$Z)hK-EyH3A_3A+|YKbudnb@J<$+Rm-Poy0{uE}9%==Po5STx4@o|2!sJ%k)` z1tv#ib2`$NoE$sys6^3^m_V+U5>P89M0KHzZ-VxYEE z_CluBMdjvrU<$*W->+u~CuEQkmenT{33dZ0Q!U7XN>)IPrOj^GO(H3vQckP9B1bxE zL>0XpHvM7AuU9C`ODY^R9uebwP|7$;3qg1euSvXa37IB?=Gjp#tW^S_4pC~Mm7CNw zs;Oxii%HYs>Ok1m*Yr&tfOO-d!?Ud9}OX<2jtUJGkwD^abm z9okgJgvl{xqX}0OAw#eZ9Zo8-NES_@IV_RoNGkb|T@o4;K_am{!IOEQWrSl_*4)x( zGK=6N^NZ?#xXx$wKdd;lW4;>y$#c&C)Yc97qP}jQ1M_X)W+p7ayy%*ROuJKJ#DW}>lZxtS`C>cE3_3MXEyJ#h$L0`7 zNPbiA_r+XGtgsojCX`z&*-4Zp9@v6HBcE@QU?b!ip@$j@QcXv3HL1v9Z~kZ|xUNM2 z7zJT2VdGw|ndQwmk4I>~3Kbd_+fG9r&Oqs`Sc_tb849+6){_EUOb?r-f{qYrVTcI; zu7|2!M-qde&h|=BMkCXexKhtWr3Bra@-gbr+4z=w@K=x6=CHjsHgDYeCzoz<@dF>s 
zJ7t^ROh-BRsy}^FoA=>aGcMk)@!%p$%sbf6&36Z&U#-ZY<@axuc7e(Em!-*u~S z_lKK3@ecXHV9xvJK7IO;uf75$F4}d4eb)Q{zx({hk5rfc*-4q@cgo!N)=c64gL+p# ze%JfX%r_3beA(p>dh*7#7LJzs%W=2=ZT3Mow0|?}kzH=uXd%0^)M<}`ack-G_B(F8 zEC&Zm&G}^2w}hGF6XPwmhp(vZcJ@iTZgJz^57~g+>b~M%x43|gF1qZ|eNH&x?8WXm z`Nh;Z8{V|)xaJ+I9I&i;@0Il3FD}Ktz7S)r$TU`0#Hm^RgE(x9R_rI=u|7Fj-wB;-}d)0WRft)<3-qF}}w9aUe zU4C}PPWtejuD8hbzcptaF8{_K0+ru9z5MaF?s`J-##xVx7w>b(4JTIL`{<?8f=HrC;Gdb52VZ*PCNxubm7Pf`zG`0Qf*b~AqQ zyZT%5dg^{}?|toH`wdUJ`MJjN-t8Nro8QcCx5%FQX74|8@y>hen;*3QZMWV$XR`2$ z7j4SDd;X%8wY-_Hri7!f?!LPCvPZnFYG3dCf2#lAH~&FChyS3{`u|!#wMdF)! z(4}%o9`ndTPvVAvIgy~4vkRb}(~8+%mLH~tQa9i2)?6Lqb&cy(pgbnYRYzkQI;=5u z*R&jp53N)a?`si&`}AbeGn;(Ms-(?{Z$-SCN6{q2QxyhNID8~oo>&Rcx`Emh<*QcQ zR$ZywY{FczZ_xlh$tHS)D)cBO@+<9LohRx7O^G1HjMAiMNNN{s*INQo$>)QnFzKSG zUQobBlIcO(qz3|KFU7YSqz9IyVqT`f7%I4E7ga(f(dbirjzkk#bYSC3s*Ln8tzsF4 zVlpum{XkAK%cvpH#`nN^utnn_3?PlHaWUM+UG-(qIzJUO6SFJ-g9DCZv%wunOFeq(KQ%^HV32N85cq zRBDZp%%^;nPRB}HZ1rS;V(UP+Tob5b&w*-mVU!x1S$rgpe5l_gV749817k3W89!)e zTRp$-B@wr4SyHJKBVHWvj@t&PhTPA=N~`OqX_d-ziK*?@=}P4x$#G2&`9HsZom_@;!rpc2Y8)#dI?I2@zzkTY62o;TexW^8tH~akX&k#?j(hb zE5^f$o6!?dN3cT|%?y>SX(cQm*&jh5l^!)y88}DaeBHp?<5~#X8k*PB9>F9Bo;adh z$F7?VG?D6v37SNj0g|u`yBTx<5-uvT;U&TeQOwrLt|lABZ@_=p`SX8<|1ke2vMkIh zegR(pcgq=0>Gc=p41civXTe;}XZ#0V5SjHRX&bFGILzTWAhb(Sn&!Jkv6@ap*<6MW zyR8}~vv#svQ-W$<$mJru&!|M$X@d&Y=mg0!?a81*dlc0&0Nja)mNtO;3Lds&ksHu8 zrr*-j9PZdXWeB-d9&0Ab)oR!s=vYCd?Xt^e@V-mciIT|ifB^G@OvdqBSU_17&m8AU zyq8Fh=@N*WSV1MaQ{s~(rX;0QW(FEr=xcdT(p??Qjhh&&14(V1pTKb@HbgOytRky- z`jU;Prsy=o#we%5CNi9IBMcO@eOOEu+K?4{5vf;+Zo27Kf!2_=c~MUJ=_F-0`vRgm z8Xn2Uz@2*dtf(zEo2qfWhMA@4a56L|Zq}orp$BL43Tw)F2Qa!q$L&jZqqeDZ%u`{J;DQnq8m=RtD?+QF}+rRn%N{aZ1y4rOpo(Z-iMKz4Gki5mI6a@ zI?*%QeYrje0I~U;NF1A`xDl9223Ja)%^Sj?++?I2HF5BQQ8vrYH0PP-Jky+Kn)6I^ zo@vhW?`#A{{4n_sGM)eXF6>|V&+$$6rXK+RNhSz_Kwt{_a{fd76aPtm|NLj_pOZL- zC&|Q@^PfX!U;5|t&+kgUzR|3s4&6jrjl5ymx6^bksGfP!^8I-iKeyTrEVNR$cI-Xd zweEk+$M)WCXL{Y_N6YW^`U`XJ+|YmPou%(g3))sM-ulj;oR606zIf`&Z!Eg<&Bl() 
zNbha1X{;}~#ZtR&c*Gr-9d%jsw=<4dYLP!5wAA{?Ec+kN&D(GLhwb+keslHR{rwK{ zu6{(g@Z6tV-m*XV_=I(reg3i~cCOWSn7h)NTU~R@8^V+8ezNWc^{tOg+Q39ctq4&-Z!q9u~W$3+z zHk6@5fY1p8{50!ICyzXmnXbawdKw-f}>c78n=@*VUYlq+7eg4tALhCI0 zj*9RvD0KI4V8uDElDgZ7?v$jaMR&%b;1*mDbB z^U#gcKhHOhxo+zt&9^SPEq}#E;R=Z@ z8&BW9>EkEuw8p8YT(tGa=dWkKaB2DB&mTMN@k{o(>pXJ$g3IFMDIdP`>#eR|@z_)L zcwJc^Q0@#)zTnvJxBkD-|DT%wfM2cu22R!g{88-t@E))L39g z%{0-j8GYE#YNNW)Ys5NP*&pMo!IFJsSh5)3ESNQ1%k%=18`SGjLLz{8c9`^YLY^5` z83XIc0yK!~#e5dQ!-5$@TP#PTl|&(yR^t@RAxKt9p^TduL!1&$TtpYh>8){*On0kA z2~|#c*Ck4SHk*X<1rDP2$s<>wl2JEnt=B#{!Bm*vGvy*?f(bfPc{xJRn1B^S4 z>-kPfwxn)+;z33|x|(2R-VC^g6GoChX6qVe7SfeO#!~XtrqfFG$h=*(>wc_-D?lxu zgNq11=*ddnkd$=Hw#BmMWQSoZW#VW!80iJK%!Q06m&`KNHWR#M^gt%xN<#gNt^i1= zm8&|9vTTW}7yU-l&Xpl^(Cjtc9&EL}#xR$Od`hs@Q4MZ;qjnhyA~-@|rK!5js10<$ zA{R>vDGhI=DZ{kfgqi{gDi4>y`lu0$V|X9w$r?d9bcJMn0nOGJYuv&!klPeea24p* zwO-6tsGtb3QpM|6#@!ZKa$9B$uM=`535$(q?aT0sJR9PhJPHzmr#64eHudEb*7jf97Ya`I7%Y^Hu+?Z=!Wb zEF(rw255Q27{i``4T_aw#|@y#lN2R6LLjO|cFmr8Mqg zfnN$s4FK48;G5qi?h>x_|)HFJ=_o2e9mreh^= z%qy1GMF1#~o7@fFAJlCemY`g#D0^|*8?Y@qs`P23Br^!nrjVA-v`1ivkwCvN3R-Y2 z344AjnFm}wR`0neLOc8zN4hrKM2fKxiYJ?d)txN&PBhVI&+iupgK@VI;fZbrfh(G& z*SQ)?lnKD(46p2fm1-8tS&__6cC~`TqJ|?EjbdAxhm)f&WEL5`+QU^i?#Y-sD5S!Q zl+o2tO9R6)O}f>x;eMI_1G=FUeG~r?zvMrCjvjnx{=?1d^FuS@yf4I2YF?Y4|JG~Z z9|T(ndkq{87<0@f3auns@X!$lmJPd~%PUmC~6`Pc&7MvKY1H`buUDH;GJUm{5R9%`p017T1$; zaGs{BIniwlD60kg4cd=9lqoBN0hx>UTpY>NG9wbJ6Y=DLU>l;M_yOSd!-_AB{CG28 z@mRd>fLSyam62X|)THY*e}GV#L|UNjfP=t%CrB5=F__vXZV@QNv+e zNrt;gCa@;UKo8IwgO!v-DlKYcVnAxDtv6h2RPNz}s8kb+_8Y;twuvHnzrv1#Vw=|69-Y*L@e+ zaj)j?_gxo5?-pL4J^fJmh#BN_i5FI?EC^;=OD%HO-#!W1HI{_=TOY{IPM_*_w^_nC z``|lISKhyO`QoKVr}oB_YY#s60>nHwYvt>W|X#3%7uP?Ii ztar{k%R2?$Wi=^r$&61DBzy`H&s z*?xyWmSm?70)P*vyZXjNkDv8&;`M1$=`yY0}GP@~HzBP01(hEJb z@H*$2_lJA2|0Mo%;;UzEdYNB3Y0ehNoFlIR&-=q}``r2XT`x9ny5r{6-#>TztM|pP zJMuS=KQ(>BI}Uqh_OzK-oHg#eyHfbzt@~_~ql(+SvE+iQ-pJg3G;y}I#&ht3yhNmv9R-QE$o$(l9K6b)E z@t1`ol8>JKr?a0q=?{-ti$A^9YsnKX+w+N~kNrzpDSUeKO3&_m&-vS5ds~0oi+5Ok 
z_7zn$vFLg$-0-L4HoovB>)Pq3hL^`TM`mthAOH4&Gv0mp&I9-URq+ivZ?aIH|%ua9Tz+`XW2RBNW5du)T$?4^Xollt#!a1Z>@(ipM1ad|Aqel)cglW zzS{q1O83G4_j4kDmQSIiKMA%0HlvYnpa)3~ABGBi%|o=#Las*I89iiaXUAP%sy2_Ix;5rwMKt9X!jIc zHrrwo?vM=%&sK(9zoHFuh@mP#Jl@OVg2_@YZwf}Pg4RoY64cDR&_tafVGBt!A7djM zOvXD!wa^;SX$mf?@oY$zvKih7(#0Mk>pmmKlO&#uvV)=)A{sckl0;j^C?1Rz^GPTr zWrvNH0heLYaYaL|3gBpf@>OF5u%ldAW%~+9gKe4^XPQ)Q!05kS36>I|Bof5U zVi@z`HdGxA9jt>{EuKoX2Sh!Z%)IJAN*DnGbP>G3g_RPIW6ZcDchinD<}oZ03=3sR z&DxMa4hUIu8Y7~a^Q@+#`whX4*;H{d>EnYO01AatvCa4JoKVha&9a)-lQDK!ANP_D z!;b54)o3Iltql(PGSRM7)p(il>Yh`Em5NH#IY6lAIVRg_55%H81mmT~0I`%zJgy`x z%B~KDajQv^1GLx6jjEz-<`YyEE!zXns;MJVm3;t4>tQmBrUIHmxg^`H7BXUq<*4>J z!wA)p)T#xL+p$MD-4V4+ag_IqcClTN#X=&R8;wRlwG5Fm*3Zcutj|TNl{PE&AHaX| z^Wupk`tRg5X!P9vH?&v#zZOsAn`P{m$A9K)tND`u!1E)sEdjMGER@qNjsie1SLWe# z(A0%N#kEs7Ob28?a#(>tO$_Q}aS<9=q&Wgh3aB$R-7td~4k!I`z!XJq0OU~CE)jIE zfcb5Q3ZrVS>Y!vMDnxl^lxq(|9dG4RTD1nI9b}NKW|Ky~kQZDbQ=;uSf&eX%7gS2f zmV{I(1+jzn0PmV9pYzhmDqb{)HIbN%qLwHMVOdM0S$r@kS0bj@cAY3zGP?lL8<=7Q zQBXDvgf`aVR9rUr$glWydB~YcNiWq<0vamGuG7j&de}wUaa%%+g2s@d*#nf3Soh#! zn#Yi`nyJuZQ`5!Jt4elvgn;1ywd7HH)O16>C8(iIq+K~B`3%`l&?K0KhCnVo?sIY< zk9{e#uou?8ss3B4{AK+&fn&$tng8^^!hilpJviVW3&MT(dT`W$L%Sm25>5$EW-&Bd zKoe99)~gyXX04HG7K228GAkNUP;SRu!t*Cvpwp5}x?CR-ay`w^xhzBhR=J!f)N$M> z6zd6W?D#~IF;G!2k@;3_oH9LytAdSSvPYPDU)7>U1F~YpLSNEYUrU!Az@%enu|y4P zHeDlye6EbPbGcy(l1mWj4@J+7#mDLRxE^%CIE*LKP+4jSF^Py9gDg4DQ~@7q2SEe! 
z)gV_;Vm*1x=G)mq)`#_Y-y}DHLEm`b9;MQPktV{JSy!GmtyD>a6sA7LXX-%Fw~sZ*&J;v&%M*2>tp z7uKOzE*QiIQ?O_X7EQsTDOfZGi>6@F|3bqM;^)bKkg53Jk6~ZsKeOMCgrA=Oz#xv{ zI7q_yxAPz3@AwY^fzpUa0;R(;^ocegv|y?e-Wf$7^kcF`XfdTj1OO*Fdg+=ma} zBz5r9oOs1i2ki1{?ulcs-|Th}Id`MIFTduK9e=Z~?SFhp;<2r+d11L*PycNDWAd#+1v^KN+8l84NKrf;|H`CG_WX-Dh^y|&x~JIVWAcG`INEw)^#d;dY3 zp`UMX<|6w%jxNjZjUMYhztIjaZg4{Sq4U~Dp1cf&ZuW1r9iQ5MpBF!{7dT+IyH}aE z-X_boRy{*wE4LqpUU}W;{o4+|;>cg8mpbW~+0)m;uD14@^)!3`+cOW{`r=vBt~+FI zV#Bi@JzhHZnKl1O{Acma#mBZ5p1ZAg+D58ezf-d`_o_F%3)`I^v#1E=%vVZx5)hI`=89I{WdJdd3CsZFbvliDecm-Ew&u zJ#v44s}o-RboIL*hTe$ZbH$(cx%ilM<}AL~A;PWCuYdGD*%R-5^mzK*GlsjKpEzoU zy3KTI|HBV>^^=+O2CG*y@1C*KoyT4L_`x?Fc~gftb<^K2^U?cPd){dGljhF8inxE* z!d@S2z3uNmC1+k5!*1Vx*#&>~w|myPc8SXty7zaFnQ!i~Ab9-n#l5e*;IHXFA>VKP zf1&?BHUB}rrvBSh|F<8-z7PKav0``l4FSrZG5-m0j1?!b~-XBLu0)~ezwt|FZ&l*W`SIQ?zC=DwGuAi^~cvvXNaBJA;APus|N=_=4 z&WRHTIGbo11tmpPyzID|#^O0P!^53cxdpme39gw+iDB@x4RB$fg`0T8$8tiP=0L7z zTTCmSCRw`ZSbnZsNlp%l=#5^i$M-3x0B46o7Plc^X$q5*0CGPp|HlBzF{y@=6_Zpo zyM{Edk}1c!oZ+XHFhk?Ua5V1~?qa=bQk`+r&$i`MEz7ILHkV`tRH=$U2vLJ}r;Q8g zVis++-LBEfje?|Q)oU?DYYzJHkr^>07W7q;#S49{J{ByK5F52Z#qG5upd%pN+MvS; zMy}nm$Ni!=3>Ct`J2c1GjM#3Wnl$PJLs=#KVqBN?oY#ghS98lq)`SWYkZ$)TPgNGB z;|9?{MkPB*CcsixltrswXpzmPBp?NXFs*h2=Xy>PZ#IR%pPY3yS5OcX1854ZwJLNg zRc)xPPBI&In^ZQiOr(fKRn_o{JA7< z;V9cgN{ni&iIN>JHtT#JZ+JuxF3~nvZw~lOY=9LcCnyYf7Zh@tPNXm;0(7ZHJXh-j z-oQ`OwWwY$6%wgTwcqSE%|LUy3eC87rV^)+ut%A)hNki%j}@artpc$M4G$waPy@vS z#)WaH_+VA#vlz;b0?ub5we6>woRl489cZY7S*gWPxms6j`URR&Emi6Ck~G^JgH0<3 zq&+Dxc~={&d6ncvB2_dqBv@i6+hWq|XksE&OALmZ78p*s-YOP^7{_H3JQpfiF30v< zfZm9jkhavY#s`otn7ww?Zd5=i$gnI?wL+`{ zjLTAE%#X&2|LXr^hsrnAe`C2X^M4W?6MSd>qklF3=fCU00smMK?rS&?ZKc^{aoB8E zX=zks?R0fm$|UosLMfgGps18fcFz6Gc&mx5RF?SAPyq+R@^F%${39lFq)1jC9GA+^*UTTa2hZ)Y-jOi+7~8U zU#cBe+Yw^wT(7MA{iIz%c|g&uUMeeBix{540->+l-FdeUm(H)gb9MCi zUi7I~ef;(VyWG9Uj`y#*mwv<3&X)ha&hfuFV3)(E50*J)$t5>@;k6UqefFJMr?0qk z|1EZt)262}a@Xb+_bmTOaLFDEyz}Ajr}YlJXP^7sM+ z{`Mqhq4&39_J47$_b*=Or9a1ZJ!QR{PT6?7;)}=Kw)Av&4Sv}T7G3fBTX!xlF!QY5 
z5;v`r-TCg5UJK_OaNW|k|KaM?Zbxh#d**;uS6U|~;g>4?wg24SY}T9ph&+9@#Wwx0 zd0_6Snah6Ac=DO@lE|@Z=Iv@B=-zkbZlzmp-hPoiPrrJT-9LDI-v_o^XZu%v_3VA& zK?g1RBA=T3>*xMi{AbO%{0;}HSKPcu@__~29nQY>jgpElb?(Tzxv$HCE$`j7 z)5_41`y9OV`nxT+#}OwhH{Pr2jp>hWef=@No^#xGSHnksyj(VVbcJhXENuomCJR^m zFl6K%_-#k;Fmu7@-NlR7esbQ>J!hd?xtHG9{V;a7lZ-uXk*?f()-IQCqOFEr zGg|D*eZzYfzvPflmOA0txsM80@z-y?(?VF1xhaf`3}im@f6)2j zKYqU9c(w9?NK)fG9UoTsY8&V!G`N@XN38d@n;;^BDQ&vSre@KA=&Ny9A7Cp#T6V6`SEQnu6R7rMC|DX3~j(-U!x zZAV@K>QciV#9~;tUS^ew&E$Ycj>NcJmh>@~iiNeH*%($*grW~=ilx(t&*I`BWetW+ zIZGtVwIPw9C&z{2MORlkwUhvGqjD}~2o|E1NwAZy(Eh;I6G@%sh6zhAc422AWMMT# z5YX)~NR*BZDiBNwoEs+!vTOrn6*78^)6d1mhM_WbFxzQT7%}wH?E>bGTTRjJ_Vkh4 zuQ(I$)wersOfG_BzLW^4UcbNqjUSZ%LyJJOh6I6t6Ray@#ayTDw#o%76_=jG$^glg7qwCSEcWxMBeY*G<88h8t<69)#*yZ88(pez#(HQNRu& zNi@q^g<(c1xk<6zo*dVhj3Os6I#CQ8iK-6Zjk({r&*F6*+BDOvZ- z_;4UtOw194tjIZCle8fTQ=MEaHX3!Ypqc@a?W`l`J1*#@F)&7&k`TrqoN6?R^&He~ znb`~}k1DDj%L!@$<0(1k+l69}C%kH>=;bm%uGJ@0yO^@t!*Wg>E5jH(K-xr|E;^OI zZ?wTdUcseWp&Pg5hL?SOJ(flsA9)O2jF<6T^j1;xLXM`q%HTx`TXR| zIs%Ae(b7ak9$udK!qDLesAbd5v)(MzDPc5qsm5 zPvw(NKHKC6esLJjTYSx2knWPUkZ1B9ZWtxI7LT zaJr$oMUp^hgfF?}%DCK#lHEMkVN5;D8QGv!Xr{Vu8={9mvs+fXeBb-8Hf#T~`fnWV z&Er4u@c&!?jVjf~wLS#*5(A;Ym;yBs?pAl4*JI7XI3D-B~?7A-JVQ_aUG=Xk_gcA zo=rqo(%U2_Cxdj-ry0JWS4jloWu+h*jKL~!v5^F`3BSS!x>NKLd9+oohkdY@q<~s1 z0oKapR!NGgDO}6f<5siIxJfvn*JHNN814`>>+u>dkX>72>3ElLt6bECzQIbQ>lJLRY6KL`qglNo^_-y#2p{0II6{q+0?AqWtGAOeHGo&TKnM*V>^ z_IvxOLm#&{y!P{h?_2G-5BB}HSsT16@4fY&GtSJdbE12fb;gG7ro{*M`t?!R?4=i) z{n)OT+<(KKkJNTJd!gqa{Dhc$;dY5#U)W;p%in(fig178qphEOsJu6L(YdqkT>IeF zw!QhCoo{%e^5#{$?wNo4GTv$~3vBS#!%x1mlmBNKKYi7u_oTdg+jpHW=kBJLUH*kt z?%&|`RU6m;?y8;sMz2~(wS_q!u8VixKGc0_?=9~;_><{3Zg;^^Bwrq_a^^PfeYF|; zW-i_3tbaTHfVb&IroAk`y44%)L-6v_&z<~@2c0Tpe(TDfX;O<)-`>ps-;y>#>eQP1+MVBwV|A1fdTH(|a=03R6 zQ?B*w3)??;;75nQyXC8=Bhxm2d|Gj<2cG-=(^njL+kP)^u-~yC4~|{syr(let+`n9 zpf~^hpj9^7efD~9R*u5Yzjw=X-dS9E;?3Cye_Uf$wYR_j`s0?~a*4ZE+-R*cZ#ure z`Wo*n@7e#Xq1>s-9-!G~-OUw7VZ=%4Gy$FF+khQ%&3-Z_0wWm;nWMRs_4TK7_M 
zjlsq*{`rm-j=i2Fe{=0Qv1P)U>s->f@XpT<`OWedJXkBel3sJ;LzT&s&lyiI+}dQn z57#*Q@!dYTec2DzTkmf-Z8`Ut#r^V<5AJsUT8rF%#svo~a_2VqX(!Y+o_qY6ubueB zwl}_T=*g=u@ESE|)#Pg5Z~cFv|35YV`MUaVQ~Lj-*!SQ+!(58ahrhV|pNNyoA>U*t zpN;RD|AT!!|M>;he~ZNN#1{`arX0;@{tq@^{HL8v<{K~*^D|JZ+=fbBAqaqcnoJDl zy&)bB`H0u@tji%yjvCkWFr9%!t`80zu{6w9leKJm%5asH}RNNABZEAW{Yu}QrZA0)gryl z_vwUX$LyTd?74|tRcL0VK`DhM%NS#Mqgt_B7<=xhI%Hf6D#;0l$2z@cp5q1pSCzqm z?iQQia3nU;wRT-Ghep+C4QhhzQK1Y;Xi<$gDp_V4$zBWVCTc~Rw4sUui3D5#YPi@> zwUddU0vaqixw@2J9%W0gSK%{6PDoagOjz+oX+NTq606l+kK-FofM;1v?DM(-s6QB*<3SiL*Rx$0IxHlcP|<6_IOrC9BPd?szoz+IG=4M}|But35lJBW+yo z^-2IWU>bVgN_&>0kV1W!b8rrU`F7y1csnkf(wIghVnuyC?ICBUNwfzE|wPCP`wooFeQj-Nj(P%L8h;D z5^5LVG`(bSYMU04`J6lKtLcF(zZ)k;u@qjzh+Y)4+KqHTWCF3`*qw^k75&;Mqd|Qc4U(kq z#hqS5%6CT^2n<-pOIMi)2{XC~R?LK&f_n9&LMI_SEm*XqmQ!R~FdJc8C^4eO4@PN( z3F01%RXbU+3s8=ejdi3R)}-2Dz8i1TidbVaZeDi8WOYb~0pE%Zb;7~LalYXuJ0&DR zdu24F##&O(KKzzXRiGLq93 zb8HT=lHQamx~Ip55$M;8K3gadF*iURtBYc(vWhlJUH z0S9TQoT({Uju%XwV|!iUyY1sNwrwYklP1kdqsF#v+pDo{+qTu%c4OPdI{EK&&ffdY zbIlJhuQ}#Do^g-git7@d+M9h=eP}0&iUnfYGIl9FazH0Eu4)bmenDXTs7Zn;sk`f7 zXszH;h+^nIL$gFi7mq=t4KE81{Sl@75)*+dObtpz=l~a3LzHQprVf)TE!;tHdHK9N zV0YZsq!N`sfeGm@KLVN7c4nT<+k}#APqOM?La+PUvDyy#chh=u9%X!oB!@nK{iAl3 zdOY;!+%z`?D6%A%u)M-_>NjyDt6P&A=?sZV>(|lrL$Q7s)CbLn#ONWFW2QMdToz$F(EP+;TcOj zrZ%tjJ>5;~TvEREC>~=GPA>~I+?F+$&YI_PDOGhBx3g@dPBuIFL2A0!Zr9N%h?AF- zAv&t9zRT<>s|N{_%kMImuI61#$fMQw*Zl{gSH z7Hd=YZQnj4t!~F%;xeqP0A`)1O;|IE^@@gT$mZy3kH=q@a0ZvdEVd4rpJ(r`EnSU! 
zL1$Zzw9fk_i_0BuESgGf1hUAw-lmgFz-G`3XX`y+JE!IsKf-(4<2At{Z^KrbK~2PE zR>Qztgx8bq%k~!lV>Rph!N$dsdnn(VzW4P@s1%A~?PeCor#{Jq0 zC+BrV)(&v@Z$bqJ$u7gm>U2_R*DKMj!|`C4<);OX_2X#8=JQZIjjg~@aZeq}SQd9o z&-IwwACwwRHm~PjN9>z-Bw0NhKQ@wRv(>qy1bh;mprQV9K_-uxG`zd{&Gb_#h^r=GDe)78`&jkwfB9N5+NpN3vMnc5R^qk}64&E(YLXZ@DoRd1Rpc)TB$g%`zK+&5<{Y%4X6E?0 zlB+D8xu6{=D$qO}z2coAVg7I64k}hAvB1bI)G1E7LwyQ!$492Qp&(UdTkd?F(+zz8 zwn4p^p`}nTIh}5S5jBZIu7LG?SMnUCq=3@=JQW$YI+> zS3ueIzPf6|Jf5qTI3LZyY1tZ27)|3ZayuxxSrT(uqNjD^@3`*2e&Iuerd}b*P?&H{ zxe=%{?3pje%_XYD%FyO)u^_Dqxosu|8!luE_DXIu*Pkc`@YF&~>lCv81;rMX;?p=u za2X%g0pJpkpeYiRc?%C;Drc7~M_7c08Izn~U{F_FTm%Q5JXEBtYLO&~{0AWBBLX~= zY1ZTM38l?4M4}1V(EC)5>QfyVYn*h((lZ1+xRAA6w!5SxwLsQP$J=#$qitY zs@A8<9lCMBrO_oyGTxXB>DM9@kOh>vd#Pa^K`T6#1$a7+ckmj@VFuqtp3yA^yZjJn zDb(2qXDkJC4TS=vWrcWo(S($h7>Jn?={>LJ5&PWxzw% zf0UeVfZ*X&Q;iQYg#34bBQ?BjOnIpCdWkNO-DTD5DJC2IWjJ%$aY%PuqF8%3qsv0Y z=}hM3d&idbu;x_Oxn;Wm+a?f^oiUsJ#^sIXAURW~@mY|1QH{$#KOsDyf3jdUlk%nQ zzwx0tZrOq||4{40xLU~XIy9oST&(2E9-F{0@{LB)QbCn#A{c?M=6fa(IUz#klNDLy zP@jsCF#8uNS8-mZRY5=_eZZ^YhDx#}SeH*yE(l>^NH~y%pCvSHoEHu24Cj3VQ?i01 z84U{fS4+peCQrqEN~c2!2CK?yWSHPnI)@3#GlYELU6W0yp+Q|~#RD1BV4zi*@&`Q_ zNt%tCBFdNPq&S?)HE>OXM?ujF-3orkc;|7Q3!+`Qa;4&TP_LTCL~Z;4E-P)~7zFlW z*mzZ^_|wo*u7=Z_EhEWFv`T~~Z@Zs{tiE$v;oM2ov9Vq*q6VbGq#N*0u-t##aP}aN z;_uV{Ws&#r_sd@&rGnUBIIuu(tmhRk0MEuTOMuVk*Rs|3xKwF^W34-&{58ofa61Pd zOh%Su5bc`~={?^)i1+nyUe}ZEV~yO)*0&GZ6*!0xBe1aA(qn%&=Tz#48PKPao{@0?$Y1S}*Q$XY8M~_TqUY6@*NQ3U`)jqc>5;e;6FW%@Z zc>eYYh@37uyQk|0l-!(24RZCn85LPxY+Zq_2{fSBJxd=_jP2^?+>bk(qf@MQJ{ymP zZ#*`yNxyqUvyb(zVUHiEniEi{U)HfT_L6_+RO;4EU#v6NTb=glY_1qHJ3nn+;yImM zL}$1TvyEqZfVGT7qwGI&GXtOdXk>q$9W)#gI@q2JG$r$UPU*KX34mx0K)HV=F6T|hIY^FUX4VPW4yj&D?X`&RV}#YZHzIQQg7d>;?(( zCmx)?-M^LA2MzC*^=Mt&NoXA4$39W|$#^u6X+l*p0PXn*lpQp^jEvX?{?Z4`iAIj}+OAW`e>%>kloNt9F!| z?Su>-H_Y3OTj0R;*&R^xYm_I+9u-RHq20p#Rm}l-0o+yhd3UC6DnH}?#D6vDQW-8# zcF|>JA*D69DGy5;Ga(F?j21H)5E#?SW-JfN%o&!{4j;o(g5Ugx&X#WMk3u$Z?5l!i*(5BQ z-GW@yL0;07%lznGmvBZNJUtr5ZzjwBt(6H-UAaQ@Y4*1nbZY+Zng0y5F=eeB6%=37 
z&@IcI7oZ$%{lDMDo{Xsim<#ZV@?b|fa<^;KLm~}26ru)bQILKtx)&%_ ztS4snTQ6+)-enLYHX8+Q zs3 zc9f-DKqglnIbEQ~ z*Xz`@_>KcgBT2g`(rFJal1{Ec{B!zkg3=N1dvai(dKtH}bDBvJ;);WmM>9P#JTx;P z`N#LOMxyB`v;F!sCJ)7~c$ZAsZaIi71tdD&a3+q>Y|=-bdP5~Kc!Gk|uR8X2@DqLV za&rZb)Tvj?^n@;5{dQd9g%^W-1T1j!4BEt`zTT>RM4|C0A>pGy<1{+%axNk}O8!O$ zDWNQ}VXUIO&=*aEg~bn%yn{xv0EP-M0DeJ}C!tV96qH#@2JYF>fk2RwFai;xiJaZz znNCQaM~TAq5vMo-2ZMnpV|em9DS#YD>0mp#q?-qnfen62&{}EkY?!mm$>4dM z5d!Hy$z&MRWS5yn`4|*2XzAcP@(XyZKbA{FbVc+fgFqKhPEQ4hOYZ|1?^uYX^w53L zsxyqo8&zi@%gn{P(6BlJ=?JZKWpA?JC)5Zdp^}Ivm%aE(5m+DbLyNxc#x)3izE#D| zN}oFiJKtb1Z6fhcSphNCFqlfRIWhh^8D#KiBzU-QbWvd_cf3V|nc-hB=4*UK=q7J! zLb@R22wvz!wj|>pq}E3H(W0SMk5;;Fflm2H(wAriV~v$NyypLcD1qA7oHzuJyehqr z!bk`5=HH?MW33zF=S7EplIm?YDB^^%!L=S7YfoT}2e^0Y|8>tMS4zm^JhcF<%ddrv z8laZ5vt37W)3-Y`W+WCF;?q7UX&4DES-F4z*2tJ@UHBuw98rmUNz!$^O;s2XwH}_k z)w_g#++@kFAvsA>_9ln!lYJ0a{5*~MpHCYo1yMLJhX&MFvI_(R`y_$RWf)W5@vd{A z!U}L@Dbcs4fVseJz=+&5kopdHNCJYQ2NL9Qd}qVmuHD6p26R0XkjiS@n_w_p)~z4p zJ<5DNvS=Bw1oD}$<)=4q3x#w?;M$QabUoGK!Ml1Jt?6yGQ?xA;g35)LwH=l?W0*j_ zmTw|jQgV~;ElV0|Tb0_+qe2WDzB7?F%X}uwXVd&Ahg&wzr!~O4467QAM?VUZz*};U zo!7H}_2ZIi#JM7GTWZf6_4BTJHXCY>lEBvK$1|CA<3|{hi{>#+?VUmEy@25|n#Yg( zhX-I!@-*Z7lEW~Lox9Z5_R5XR73;>L>BpNdaAiLbX=hT6Hc`xKW2w{X%m<~b&hhFk ziMv_Xzm2oJv+X%!K;v-?h4^_&^kT}t0^mC{rKQ(^#pPyZG``S=qlZo0z7Km=m91%h zfTRmt(1L!Uxykw1;z{a0Njtx|*gOo$@t2U_?OnQKz-;zBj1A}%p6dE&II5K?$#S`I z4HG8Wd}B8?&TRi9TFqZj_u9dtd$&}B-SZIZRpY7eyz1KH=?`e1=RHYA5#a09IKD*4 z_I$5t=|+d<(|&7N^Xwp$khsR&T6*)s2m4;QjqiyVldJ#h$HKkPrxH_z9Ue zg9&;G`_JN2#NhTOOAP3Gl8xWtSkQ0u@7E1<2=Eh(L_P((o<*_|H374U^aJ9ewx}3-qtCE@)yg{rA)<;8@ zMP>%J#8i9eRj{nkQ%%){_DOS8DP+P`el%FJR{Y7J2M`At`)nRSRUd8#d*4~mbkom&hSrZ4kkBQYevNAl4gZTGw_S)cjc&Q&MU3^$R zZh0H!#i5J}ULu99vE|J-QlLDD1RmzSIMYC0jbnX(AAK;vs50qEg4rqwfe!Xg(O>Vz zUb;9fKf;tL()CB=e)2rbva2KSbQ~DYL4AB!umT0?NF;y|2Wvy_LCT%TCHw{(uU@`8 z^z?>nFGGA~s!VwUjw4u=>hIy5H*~0!OcNg2&uUd7oK)Y8Nm#B8Dsq?9ifHEm29AnU zJN$4We|+10DMg@ToM#=lkeWleyrJJs?iZ`dM~6fo7o32M)fSO)!`9q`%eDloW@@p) 
zkWUFo@*v(1Q6WBfw6kbv9INMx(an!q@*9f~4ga!L?I3d@w!(Rg3%VpzR(Hhpt7Tre zJxVd?aXfmHz%AXH?UJG>T#LC8Pu^6ySGN42P`&|PSrWN^&}v_fOw5SpW7W-ubsUj{|Ye5P|`Zo()3mA)Kxyp-3B}90nS#BA}CKSrA_a z!5#uX?V}KRNt20g43lD|Nq($>zu^F#XEQF&b_INms9QLlBM2#UA~m9klq{V`BuF;+ z0{NS8c`h0*tpzz#vmz^#n$5$!e)6wybyn=ZsUqLMSP=vJ>KnN1AC8je0l3K&81%YB z1RvRE=I1 zyCsP$u+K2)-Ui6frw#*m!&siDxxYA`y0JGy2TLPJ7jv!sqD`i0-`A0H7tq-V)2y2h zOlOM@$jG>de7SUFpv)V7`tSBXw_2=7hdTvk!g)}Y(Z4vB%dIPVU{ZU36JI{{DOlzR zH!WeLa#UoB@37C$kT}R^)v2r0R>CjY`_;5-A?@|OdJj1Rm%Dt?opa0Jx*I~7U6H!i zyO>vcTmSFmLvC2lpkb$AJu*Xu^TOrBMeW)l9ct66nD>I2S5h7xLOq_J>^;Vx&BGT% zZv4VX2Vb7;Jf4$<^{mvHC7$wloGLU;$$~=ak#A<07urDzcPjs=mGFz*m_lX2f2p)o zxgwc$=(Nk62Iudyolv4DomAr8^%@svgdVLqiWkaA+53y-4S6-ui@@j#gnZ^IPtZlO z2RRgfpTZnU`^%$*djyI#pnbplYOhv)zZ$Nsxy>1m*8X_^3SsL*iRgzxB|krY0%+ga z_W^JaL7}6Ovfg|kUf(c9C0U8S+Q&!g=pSbvdt5wiF5^UpdYc|Qm!GgPgDvgl$32Y) zK2kN;At@;ypzvXb<)yaRrBZjp4KI&G@9=nUwR_0Y?Cg&5X&USv<& zx^F}AiA>K8=eTWkaP-^~lT>GVzLm#J3*5%IvG8q{EmnM5WVo~8pDX;_JMW<R;r?_S$>)~oIKI}gH;iKdSu(Jzk$&Fxk=qeo3%uU0?fxz4dfl|isIGfF zk(;hBpD&TwayW2{R^sY8StLqfBJ`l_)ouZv+y`W@9)0Mjz3S}y)%E@}UcUa!4J!rc+SthFAjSOnn5=eVs z(R7@GUyq)i<@_Vk z;cVAy!|@#HB0XGwui13B#3}8sR96vBb$xi(Uzu?_0(6w?w+qL+zcl<$6?lEgJplbO zCdxY{;FNh1L5)E+T^Qj|SEfgN-W&#~e#CDv@3L*iI7DUH;wR+t<_rhK z){BI-fG^_+*%wt@956 zQm)=vDe>X5|7qxWhB4WHN*A+kdCdpjItPcM>h%8n5VfN93Pcj zJ!F9Eaq6T$*Rej-90?n8Szg^~4CG9o&a4>$qH)an9_3F7O(8$GGWr-+37Ran?dG#% zNYZTgWc*;ZLhP{0oy8#iUaOSA4DXXH34y zs)0cZhx&v6Dsu&Ma&+aGG9Tk!0rmSXfn?rN?oTWHb+aCGpg-APZeFH^WH=GtX>@5p zbY|(5qo=Y+r{Hiz5`9J!7jr8!vWSJm^pB&zxR;6@so5T8BAe2{tAb6+*W=(lhnr#d z9LV&noVEB9QRyiKh1!y{EDHIgA*K*01O|KMSC?cum{!S6S~R<7@33^JBFT^jbt?CZ z6kh~%%J6xecYk~I687S1DSHT^m`M<}w3 zb2rGqv9BVE-mB0<4C(L-219NlV-3&2r>XX+Fk`NPUtq)gEGey}83)$-fyY!NpE)>guX{I4Hzo?z{T;-h-4&84DVX}k-by^n5XZ~k$7c%& z`r%hLM%6|-=C}$54QA51DRNRc18sp#Ih@2I)lk{e3#5kTx`X~qkaPPy>hSqYPXwwWN9ZHCwL(vJ#6|V#&q}5o-V@5DcwTJ zgGL)#B*v5%fmA@NG;!03kp`b;9$<`v_iHe=X4}*}C0-O0wGd9$RZGM5^mHf6xr!j( zgS9-;BN)XbjKh&NeO|q!FzvgAJTiYv_u!1k%q+yD3-my+6&G3ci}qG+7@f0A{vbwEtZ< 
zvvZh%dE)n)LpnEDUH`i3G>)QL!kgAI=-7DDJPPvK{At@FrS|i*7)5pMOpW0Db76`` z@7+>o^ZIcj#7+Blv}Q}kGGGfl2etiv?Z&GPc$L-lR}+Oe3+MrQ6@UIvh`H!Fr;|Gj zK4WoQbduBK+q2Z|`dm)Y>(mqLd|k}4n?H)xx^&-l!8s23G>LnqbNeDAe=ZsccpBrG zhj6N{<^qRZ$2p_D+_yTGefFRG4BVJ*N=yzfZkN{zLae@!OtYMKZ_&#;ll{Rg5H&Te zBG2<)ms_qOTbDnMf@SvYMuCs_yYsH3p!OrI2EOI11}jk9Fe0!CDY@sC21gh0KKj9( z(NCimTH||}LZFRkv!~Z=Qz2E^{Tv4nz8uqSUNn@letv{K+e+2N`}a~#LA>r2gEal; z)BR0TOYe2T1$H?xs#?H1X)oFHb=uB0o&Up3_5QItA!KAnk{$Wu`B=rZ8&%h|_xxob zEF;rn+{(nh0#d4HbMGc2N7n<(J`L{!$yD1>;*;Dl3R+~?d|<9CP?Sa#T}4efgZ%vQt^~ z$aA~@JO9DeI|?-T-Ucg&y;y@fjp6I|k2pgogHNbF8L~#xWGNhl#Pf`T6JBlV-SY`# z_5ym_1O)&$fu!y~KtP-umv`7%RJF4Am3LU?`}(+*`M5IRHt-mbz;aI#_jdClCl@vt z&Y7%^r#13vmk@NDV{7ooNueopxKf!Y(kaV92fTbRRN+iLZw1@)fRsfMmC;}{zR!6A z{vz7IH;{|%S)S!gx%eLgfwab?yM$~d&CCdACS|PLeHSrA3oP6)7F`jM98@>8AS!KK) zb5}6X8rK^%N+nRX+esSDAsohIhd403{zN+^gb9PE*)@VfMj->-N!je_4QA>vqW8hS z)=wO?ltN!cT0+88CSWj44%*`sevRqNArHib9EC^&7;>uxdi^rv16ThkV_nKKFBiyH zY}NkkvwOVnKEyB0I7xIt!6vVXy|^i)@=CK`xeR|nw~*73Rfhvx|E1p?DyE^dh?r`M zg!6aNRpvzQ)SRrZ!T2|8DfIvXo>gwJ#5!D2r$|QnSOh(n^lva-^S&^!O6L&?;{nU5 zv6B}?Do5k`!3TT)+J_Ysl};1NFIJbMS7E$}=i*Ll_05Ht`Z$D8`S->Kc=BRuMNxEo z)8cA60myt|`uQm={q}wu=ipL|&nY`fL-j-eKhjSjc;F%bwExWE!(kG8ar$ zs9eejB&U~V8l>#{R8CrFiVXyCkOM|pUyxC5=t!CBBm%{>`i0`qD`g>t9CgVo{IzpR z%Yvi~`eM+o+#4^|FR(@W5F5}My>xxv#9$_?5696)7CmheeL!c+uGJ%qpK zZjc1_gI_7Sb}cqp^i7yRtW|BdUP<`RAngQ8E&Wk!qif7#OSak7k1Id(r?!5;JAOb8p17{tX;aZkOgB1KtM54QVefd%uUn_?C>c>TLnae;RXNt3)src{D= zCYVII1~ws8uEF2HN^SCL(Mj6#zHQomSQQyuAsH}PK5uzKY@RLd*dcoeuUY#wkK!z| z|2ckqa(>7BFnFDI2IX8)3LF7GBV)L_U*4WbAVg?W2Uv06Ex!O2lfc?99sUOO)(A%^ z>Zf-BFsmo%and=eKTZ!ZYkB&2Fyy4>X*bMy)YU#_#CPk}`PM_lLdfRc}60nFZDB+*NP(JVLvW^H{`@`3}lQ-`Aawgh-Wr1Afc`Z*;jxI;11f;WI zuRyM#m$YR&_p!xw<_;prN;gr{8y7pCuA$1i-;s_2x;|6xyNq6^uMv}5z)eRt6*-^x zPo>Y7l}J%nz`h!AqrQd2WrE<@;YCNc^(-v{;C?W$`tM<_Wgjqm&>*{9qj~Q4G1YlN z@_WL|Kg2gLM|H*R5*a6}#mVvA`~t)6=wBQT;3D(W)n#gYGAlU+XxRn4`yx899B**Z z>3Yh$KiXDI`5r8!G>k;B=r!C;&nuWVAQAJqL*K@VM)Td>_apzF-pqTNX_B(`e%vF_ 
zX=MKS)HrbB=Ied#5JA#u;_#lb2LufONLn#`tdrhU-@kuM%e4GEMCl+5&f1-tU<4i+ zIw5B|X##t`{t<_}J~oX4dPG0oSd2(2qHB0Oa$26otL~5Wp16Zwe711AI!CZL(gDU@ zTLM5}tolJA5mtZCK|Kw1%7(I6;#$0Wk?(c%-J|=Jnbu{~B!=9-*O~U7Sv8%j$ic+B zC2biUgM_n`mD9BX_ya)C`@l1StT$KiTtW6saP7PX&X5&Ok8CiJ<#=SCiO);B>eLOfmRAg-Qq_H&nOA zUc>bQNp2aKI!h0oAANplEA|de#ORag7;NS(CdKcBb8LUhmz>5+NfgmjCC$K!*Untc zJJ5tw$wUL`YWpIUNw^!na52ejLJ6QhAdD@<8X?04O=OzFa>R>MNz zTmdtuQlQ&vka7lO#CCA`H(=#Om%22Opk3$&Cfx?co{ZKr#Rp09r!I_%nd-M8$sFS_ zT8w~ey3Hvxi8y{M;j@oQ@`yY18l*)t=_@2MPJ_X3P5XAz*r2}VX*LIA=O}@tJi~vaH2N zuDEKt;3zo_1zNsnp?dtW0g_V05cf@v+%itULQkQZ%*BnHMkC2A1KlW0N9!$be%oi^f5ZMCRgM(eR#h{)$KgdkXdUWZAA z(&exEwFf8_nEhSJom^aD%?w2F{Z{rQM;5C9q2!`JBg+V&RYUt*EGJ zQZ50_U+1{u1mBwF=rh55f`K$aRcHowm-v6S5$Bv0&`M$@#7q+GY`uh>_p=IQev8IK z7u>Hlr5P|rR*Bd!7>uOgb()sHi#!d*UrmDwTzXE5Z`}!hIZTJNdgo*%(zgonCdEm% z1`{6KD3F?){((sfF9>4<3+T)yJmj@gFIqFTL+5)zj-IE_!qW7q4hxmovNNhagY|4j zTsKfJMP~QV&Pc}{`id5Tx$q>f|Ip_AYyr6&g?+Gr6tJJ=8hQuxjsZc_n-BeCIo*h~ zVRJd%XGc;OznM>n2y&&$Bb?-c14k;7#u=t%_+jM?F%O0@^zd-z{G5A!v$;Q$D94yY z9L}&b^Vg%rQ`m$doxmAYrlWE51zYfv#E`s>O$*B~l@cVnX;Cz01>eZo#}*yo-A|ud5Mi!x)V&c=kfLpX6SnI4Xr%Wc0(_Ski-y`G?Wge5|Q% zRB)9%I*lys6!-Z(6y2Q+De6kJd6BuQ&7b4eA0x*b@$`!sV(g7W6x3RV5NwPuw}sn> z(!c23ZA-Y5h8$Mdv(lA>z%rqk=#wgvydHd^Pk+xpvfBXu*KzaGD}Nqx0+`PMeai0M zeKt(m%*g`4KxC}AFZa8G-D|*F;2p{PmlmT78AJvOJ_D|Ec%#m8ZK@f1xZZx=?`45J zc9?y3R0^8ddzIT*P^HosL`V!6~s`c5mODPVVF`+SatRa)2-M9TyJGDt7NL z9BA!qE}>hj949? 
zU5%`oyq}>+UDkEneZ{P*^4T}x_XJ7xY}O6M3*7Ur7sJm`(x@A<^3Qhj7Uwuw22eh`jd?Hs!ONkr#+`jfEIuk zl=ZV&&!gYt$@+N$nPBvj^)jk&Ytm+E)ztAJfZ)n&D_hRGb)O_f<3}^#l`@0ZI!CFR z-(e4HYjQ{GE9!kwVJl|$Hj~i+avXejVrhSPrBZvIPd~eSe(YrWJ@;ZI#A56E_OnGV z<3i6#%c|Dpj$}b;ysB#~O^vYA<7D*3i{EKs)2jfs+Wz9E!X?GGp+UoL^TG~OF8gMb zi(tJ>I4NrJ^>)evXBO7mefLc5bLT|OuFbp|VbcY)v5=AL`GEw>=rZl~8{jloN5e&& zOWjm-mGxlYJfs5qLDzRHWB>A1U2eOGLz4Y^%RBx`&dK7|vfzH%caw8<<BYIq0v zJOPD^zx-mo8_st##_R0`oR6;=7tM=}wq8lDJ>eX<210rT4g=TZ^VD#0)PK+qARGW@ zgkI#PrQD!UggF_Pr&cbyD_R-^iDZx**}4p- zMmfa&=LgfbYkg|=h2!TOocb{ldtH!BGEI@~ns4fKFP>9HB$yU)F_XgfpS(^Cw7`IFGT_lrEFTh6#khc9YsoP-MA5xmHSLxz8>F!N9-l>RBsIdM;b!B!D!I~|9{ zm>sU>z9pDj#x@sI~zeS@tvt;fiQcAVo{<`VGtWy z@w>rkCyTaWmz!MaC#bbB zr9oL?jFRw8%R!sw-xg_X{qmE!E~2=}Fai8j#t;JI;CqyD{T}>Efwy4>1=?q~uGdJf zJthJdAg-x*DbGo^CG{*_BkgU#Ow2S8+p=8a>*;UdD)^e6DEy_EDgff%ud-HTG^= zd`>j0pRpIOKcW^d6O*M#y?puCwoaU4s6X|?iEk<{reZ?tCAk9x6katHD%OJZ11T3D zv$K%Wp}Bw-1GIF}r0ZQh`zdenQL~riFO0_I@5Yv*g+_&h48I)9=%HcJXDXJf>PeR1 z+F~&+vvq~rN7Ou$Ad^Y)+Fv{GPp z5J^D$2>SU?6i&rd;PVTn3ny5SUKoQ_R9+lkgpHSXSx+)HU?;YWji^skOyM%pt=6-N zo4)#1AQ$pyO{g-}uKqdjtXY0a2;U@oJ+S?5E{;V{)$|~y;ff&6w63Zg+rqBVyhpjg(!4VKG)i0w!w7{g{?+D(0?T z%D%vLR1UnX(#S1B7%lsUX&}+*3Hdyu&<2c7o?(!njc9#)sd%|ZY)gd0oP|n#03tY_ z^AHUJha@;XzR^MTMyYT*Dwmhvp)&4-TSTr{*@p6LU%6wPGd)&QAZb=LJN=WtX<>sA zAR8alh$W*n`#%RzLZ9}t|DMFy^W&-`box!MrS*J%s|OUz6R3m>rMRH>hVlt{PvUqA zBov0*ulP8U8=|>rLGd)6+}c!qUDt`w@$-?+dA+gyY#^BYcURtUh>db_)%wKBJMnS? 
zxa50iZn~e3-myB9Q+%q98)JER!%NxXvKqJq$my5_G|XP4w2t#ydf(2DcL_KR(~!6< zXV@8YRWm=DI&VY&ZZYltdBuN#CXNDXW(KXy{_V6$`LtQqdsN+z2Yl`qrk(Y4p1y5x zQ-i=_)(m0oA{@atXTL=butF^^1yc{B@ti0?!>Z z#I2fo`<*RzTb`SbPB}oYrFs(<*#!;n8C)#oDo)L@xV_&(?& zL@nE8(YJ7I?Q1Lg@a}2s>Em)iG=pHn!TX_0RFzhgl-(WFsl!)s$Jgl=+rQB@)_2A9 z_Sj$ZeolOU)o}S^cS(b!+hd0%=5-?;@HV(BHO1r65E0!z`4aFv9n;co6egwCD7*Re zK_%N`yM<*+pYjtVTRZ8Mk=^j`-)m*x^((t?$23d|mZ5z^*BgNE14<{tlKmuxI|_O8 zCXs>*0Kb;s{SN_*UG))g^XqnX^|R*0?ai#KeX+UZTY+9R!$-K@tAO()cjQ_6Z@q^d za$xTj|49i=}-P9_4_{jFtwgPc)Yo5i0-J zgfR&-Z(|ZKf+PV|T0!1e$cYEAEi3=kk*52Lbq`s zS>ZI%5)K>=v4{YIgLu*(OHdX13@GDo z3+X=ubvE{NGLeL%ICNMtXv-w%?OyC@#9fR>t*ApEX}>E`6IP`CIX}`2@=LwEaYo#y z++yjYJyIw8SMC=6GXgtL5>>?`4y_%n*qML2Sd04K-K*`m3p`x`C;da;CM|TmYdUo8 z)VKa;g@6h^Cc@urVYFI{Z=XDL#?UQj;boHK^K;=3@Uj%1J*#3t-fh1yg<@Ir!j0_( zLvYQgdcKdDl6Ga1>`+O3t1O(Ebe-)B9sF&<&cYr1xblT6Jb%?4s>Dm^{3m8y5N4Ld z8q3ryL&k2sIKqaMJj$4mrzMX}A7yE+BF90d=REgqFGaDge18{SovE~4{aVv!a-3FG z3v#3quz*QIb$m!k4U=gm^3Huta@g=`7Y3B5F{!e}DtQ7iUXwfz9{~_J7r&m|^Im&S zzM|`|i_Hp=e*~9q$tW--4Pfw8?n@Jz>pQh#LeV0N^%DlrZAZxC{Er;TekH4TfBVX7 z;_!B;%OIBW_hKpfBiEE!QPxX_dZwgmG zKX#|Vpir*(=3F1Xi_NG|O`+I?qA0YsEYq|rsHC*ox^ffhhYm&8b9(YZ&cV!{rTxb_ zk}w7dKI^fDIQax zSYU%>U3$aFF4Lg4Gb;XR8ic-Z_*%$nj^qT5-3Mh`$`MZssh^iyBn7VgxGl?{A6B1w zHYf=}p!krBmDe1rqUpdQod#JCZdthD+A5pB;7VipFX&qpY^r2jbXcN_Ev2V7I0dZDL=8Y+Q|*3o|Ll`Zv| zFWY2W$d5V>vU$tcyPUzpOa8a5yyo$_4k;W)QvAi+IRkEqdT#HbOf z;X}f6zcdiZDasMu<0lZUgW6LjwL2${WlHsy3= z>ohf7z`O1^Y%PCL^K{dsW!pZ{e#$n|fwSbsSmpU3wfMecRRy}7_Pv=EzNBjr$n<{N z-0Ex_rdk@3WAPY0$FYN%(kvJBaU3>}qH57}njF;oc>wiV_s@JoryAh(wIwXK*)Cz* zptI4{!egO&(_QstY?G+AeU2q|pYs8K9tCabwVhSh{BvJ39qj4632`|juX;PO$z|yo z)qM}9>Bc96t-g<;vE#L`5lty#?tc0^uKN0MaNiv9d2++ufpbxm)hKzGU(({Wdp+C) z+gw-;Jkq+&DF8kWbha?J9z_GPfFnPTSQiXRh~5UqOUh_)BdUJxJy^4CkW7UU10kj` z`_~cf5?Da4vx_xrR+pkjz|`$eXTL{Mxhf?+&zIk6XZ2QHwHpaQ4^D6BuBlB%w9C(m z;b5;#vx!3Dl4P&#*bwASyACU^uV(D4X{k&KZKvG2X?Azl{-a9(s29?<6MEEey%Ng7 zDyMcl$<5|t1+u|(n!mE{J!)ybhSBrRadD3%uo`%qY{owQmp#Wq^6i`#$PnxM8L1VM 
zEi>)u&E50-NHrc4oyMMC1h{XB@Gnryo-B-KUsz~@%|ur+f5=;&_BH*GvE@tY`IzIj z+uXZK5Kb}T8{A3btNnf7+~Hp3(^it>g;BRf^I@L7i(5*=hjq1U_3ytZYC)HnhXd_5U3ldSFGV;(M+x{X=<(PX7ak2R=*`7y) z3ou*HYw?q1FgEG_(U5jPSF!M|g(E1Q{$s$B-wJ0MV&@n=!G+Lf25XyIw=zm^wz`*I zp%OqB9UhGQxdd0HY%6PLlVy6h;dt+qTOIci36RDYjm(q`CS*DId)k zj=iM-ry5h|fLcSX_G+PD0|Zs zt^mpeFTu?5%NviVwV^%7qQr}hTU}2!e{dCz zl{hlv>*4y0It*7CIX8Gu4S>Ha8mv z3eE4t6}b*ms7{Fwsnm?WaM+CZXeI>WRMm~qc}ji}VlwSaW8aY)m7uoKDTr01mSfYI z4O@+e#g%VmU_$2Gq6!L>>6GwPYq)o^HKxsCm>|^+Hu)28)3`ZRa9Oa0q2!wMOi0mj za`6hSOf-^n(@N);m^1^#Zj-64;16IXr9X{IhykXoGFiIg;2PjA65X{rST-J<0NgcU z#o-mvY~n2y5b>x?!GD4_n%KNsPPM@><0tTwnMmp~w+Mk2*^o>zC%sW|72bFC zeRxYgsChLmghW@t)5vl(91C9vtG)Vgcw1hZeLI$eP`cENu|^f@^Obt7)^gCM6`iia z!Y5f0K?4K6J77VZ8YmOwby8vZMTylCTMiQ&|3nhfp_)1kP$KZVS(Zg>>CX}uRH{#v z(EDfD4)-@t$T?@?i;O2?T_R#do%N<)`G4Wy{zuUv`ciP?>EpmPxzM%nabEvO^M9mc zm)t@O{D@EK_zzhjSOo!&90mml{~r8g>@*NJ-ce_2%-N#A{4_Che=W29?$dg<_$<&* zH^h`~>^)@+JW3n;70mCm?1Ia`&SVsL+Lh3McY);pVLAIv-@!A*L+8=WVT^z8`f6a^ z;A(9UH5g90D>$moYxB4qxVGi^ciX3IQI`SGeAxSEr`htjtH#L?b7J6Te(ZRbH{iX^ z+vuz_hpP*eH(?J~JB)b)w~H)70?toC{@{N|w4Rr%1A5kV=v5R}7fnb4 z;8F_jK-Tw|9(8!*7Kx|QzBN7tV_~2DQ_h){eQU4b&oHkuVfC8Jf%RlEA>i|H_4{=n z=vz#_%loH(JkWCo;gMDLbblpebL8+ZY={3Cz;m$ZD{L5a?oiab@;!mEZJ4(q@M6vf zJgj-%!Ys<{4|-W5)bDc{dcOw0b&L}*>@EcU?mDc)0VfMQriQHvxs)7N+qa|V`|grU zgWCOW;X8sYKI-!L^*gkD0XW3_X^gqTVOd zG8R{|ScLr#aD!j&mFod#i{i~0vtwy>4SqU(uRd30CE+)>yz6QH!rhP6G>8oSy$kKy zIdj+U>$^WK8+gFiao=8FNEYL-4gEkzJr@sa{u#cuUB&|bzXD$S$sF!pbg#8DK&+mV zAp$26Ex}!nkToYQ&wmtax6$>2sn zA(J|8e2B&b%Rlx`DG>voT0(qd?YmJB0^5s1|Ms6Z$6i&^QhZ5!Zq#yp z#`qekmUvW>4HnV9CZj~iX)%v+XRBW-b}Hu#mgymjr_oCK-*+o%(^0&L5UVH;w}72h z`gF5*O$rMXa+YWdqy5!Txk3)GKQ|vNQ6tV_@{6f?dr}EjrttL~;Gz3ywGaXz6uV7^ zhpSmrMNEe)k(l)zO5uaxZbt2v6*ap>gH^6unI?%_N9ngm#_4L#RM}A7%QO-z%Of+F z{UN?k^t0ua z_Esb#)XpK-s9JaH*h;#S<3r~7=llR7BR=^HT6Z-Oy;?L7L#FA({AFZXy7>=|7AftQ z^Jtvh1md*U22z+qLl%RT{ec-bhFLSiisK;7vMLoLGUbZLov0;w7O!#r4-Us<1q=p< z0@ZUEEQ-843@5usVggPbuHxim0Sn5;DF~b&k`GpZNkqHi`J$9IJ4(3)2-kZv*l9bs 
ze3@Ue-!jm9nEZy;UeireG$lpH3EDQSB$59R3C1buwHdTKWKbQeNz~9)EJw2Z zK4i`=KE$zzFkB?cDLlE>X){um`0N9&C#L7%mhkv_ zQ1a)7X#3a;#bZH4mL2X3dN->rSL-i|Dm8>(XBg0tv!&|}e5bVIu_J`~SB0#+t6h3E z0PMc?dTFj?kN4S;QJ`%8g$NVtHY!b>s{Gfc?{MZKM5HKcQt=3-+4W_ovPd&wuM%*w z77P=1vbG4rK{d-ZC@q)!JhlruG74vZ=QTSWVD=%MAr1`<&&;M9qyx@Q1 zY>xba(k&kEJ{em;YARmO{8>6D`@|?dLWu=6RTsHR3W+02opWacIEHtr+fytQYvMn9 z&7JkvDBo6ymnZ#}6i|neA)AkN5t18r9=o1kLkmfgSeNAvG58k637 ze1n|d%`>dy(P1OBkccuT?pn;dwJF3#*SgVS?(5YVabHvt4H_ALr9Rg^1-}=7?k^vL z%`u3HF%OEu9$#4Nbk+xD6&Nd13nAt;;#7*v$Lu+>6*>foOL%hJZEFwis%;lln>)kZND;GqbcIZy5DkLWd<^+JDZ=!KeB8WZywwr!^+*Ne@U z6;HIeFlW#ywL)TUDU?W;89GcC8e;v~OLNKX=<$O+f5OKe?v|({M$b;)zDcZP(TS+K zuhB&A!d%*CS5x@r$hMk&W?~?YBCiPL(}S>TzK*vf9%eP;^xdOI68fAblY0GUOc>l+ zh6Hn&zZP|@K%c(S@P-CC+NEnhhoj_@)_>t)7ZYC&$O?onFap0bf4Z{n$IkJ=H~!CL zFcP9L!wC3r1DnB>pT6wfe~w02b46ss3qScbo(}XFnP3zs_|2j~2;5e~^73vzTb9w# zdkHw`_?QsyF$|vl$G@&j)_c}__%dkecD=ciy=L$+Morf18R>BsCcJ$`;63qZ9QZa9 zm9GOzLuXc>^#k9GW*B-t)#(C%caT=1?sk3D0gbj=ZW6}ew5^Y6c8tFXpBDqKjqFxY zV}ScJ#**IF-6JQx<5vn~=FXoZxR9w74RhNzoQI$B5xRdwaDp}?X@#@f=d3pnm~c_T zy^5F9G8MLW%TGPq@6ocY%<~$JTs6QY$3j^zoCYhXs-Ro7deOkLT@Wi=Nkw8Kjn7((*dApCYfD9_vD)Ee!%oUDf%Crnq+?X*;HBUGb%B3l z^~rYcveXkU02?osuags6EWvjvuW>lSx}fR=rERA^hR>(5fKk3##WVkg?Iz$AeBQ~9 zWpMMKy{X=C1HY34>8lZd;QfrJRW0bm(idklC<1S(!dduW`JM%Ij#;vcq6K)r901^u z^(t}u|4n<(^BNxCKql35uXufS-kA5|Km9$^0eXczCT%+wV#xQS`1t*;=GnF6#Nk<;qBZ`(|7*7<{XIwA(T_0Z-!jvSm-||F0@%_i1`6 z$F%|sY7e{im!VxQEiK#Y0^cv zHWsaXH&LcUl$-XA!=$%b*09o%z8z#esa=6VQNq1zCuT^eN}pGn9xzD`=uetnI50?+fP+`cP84;RZh*YbBOq0|Ji z@6sNADNVLm^ldJcj*CpQqo-aRqtaI{n~Jt$(zU>l+bdN?fzctcW0$go(60TZjYU+> zRqIC8%2T;zvT{sQNy_<-8fLeJs(#6Vg`YDw_$#-fo325R3L-FZn6qAu14$~1=)FCQ zl+&RJz+#=un<_JMkeSTGrwK{qn<=Ai%WpV7%0ppQH~38*AMR`N4r8fq(+bOjy-!=t zSR~rin+jghnXPtZshzs{!0O)pUtn7wtBEX&IcsIr~qcBQ|yP*qK_x)sz0BGJk-| zWdh)?0|0h}Nuqx2+PWNY-*%zz3p(xILthQXb^4E2yFOH^yVa2*1i7i%I0c31rEyKY z9H8(-j~{kW7FnszG#z_)puqSZx>UZz&^ z<2KJQUwzP8ga|pQ*j!?#x>a{@U@$Q_+;n2=kdKNu!?~pu#W`H5cA?F1x(G4&7iMCL 
zOMeg(tKa^(dmDk09(N{zj+d6=2cV(IDTur^#mVao-|t^*%6>K?&U6PMlv7m52|E@v z8+@BpdFg>r&aoeKac;xCYwl6g0FML`lIl+ya-(WDr@+h9{N)5mJUCqT`Ko|y3vXh5oR?FzSp%6wTq93eLEu(Rn+8c zm8OOiaMGdVwlV)z@Zi}#8dlOcLqHXyXhlRtcgEFnlt_0t+N{>Txov<+Ks0(qnVF52 z5@|paB7!{P)Tc#Fq9Sd{!`3O6k3cU;<-{*$5SOii>D?_}Pk=$lIsb|wKh}JnzN|9R z3xf(BV8Ma9W}_9E0vFr0?wOX z2`HN+UsE3S?FKbcX|IrRag^9>>Cx&K1-{bRa(L=jTKWBV`S?Fy#{+__7hpbcKpFTi z{?j!mY-kC%+n)mQZ1fS}ay=UVvJ1M8G4Ah6x#I=%p7y|EV~f#3iK)WSR4Nu`{hb46 zfNMb!pfDgZSOotg@E#qhh!t%JKlbm5_Whi|dG)*A95El+I`Aqc{Vjs?Wn0{u`%zh| zGegLtpv0?t+u-~LfC<0Q1L!qt+}0fj9Tlb=3woV7T3@(qL23&WygcePQ_Mm&?C+0A|=a?T|+=Mz2-@XAH=K}36nHF4MM-ncgVus|L zd!K9Ag?)I|8v=ii!A~SmfDQIAE@r&ZUv8o=S&R;vFM}R)3U=M~ZpPAEw2jVwUOtH~ z8!GcZRC{XefRfW@JDqRw#<-pG9<{dx7%%fT9@59Pd=Gx2j(10HX+1UWlxvri1f59tF>$-=>|tC(ku zx0mdz#{XWz@`JB3@JN?l4& z?)bRReFEUv(3j*|g(n3b%4~7By)IBX-1_QDOZimkZ`?Tr#Ax7Tr z?0b5fPHJDrExCkEfV>P&&pA*3tm%&j?w9hMNN!`CW3JTo-tgb!pvk&V75x|7K`a1p z!4Vid^>M!f+{L)q{eY(~zXy9`8J`Ll1c?OR2n!bqdGM0|S?e$T+ZLP&+wiBH22;KS zvnCAFKA@Xcn}zifR?_G+1}IGcUBKd!_A-TJ@Ep9p7Fq;t?0tb8i59Tk#DdRvv$0+g z`L+4(a7j=^-P{=m-{tpu+nt7>e$9~-XWgMP@GE}~Zbgtc6Gt}(rBYr{2(z^?Ll#JS zbmRk!qn-rv5S4gRE6`N-%}{r*wnC_kmI#x@2|dTpfQ5`^I1&#sqx3Cu(qi|>z*R|R zZV5}S#L<-?4lhkt%y7^_z-f!Lt>nD0ZhZS{m{wv+lMkViS?w9R?rAs>^`vWsd6)gQ z+X7x;l?atJ%caX89H#U~avL@_O-cUo)M!AI;xTXOawTMAt%d5;6#c1G6P|aNlsM*6 zph7kI*VV^Bt#YW0GlJ8H(ytszz{sMC}ZeedBX%%|~64!{p7V zY`7(f?9EGg%xuQfep0R$@dec_xG#dq{GUml_;k6^as@;G;9?|E72-O0sd;U-$}U;8 z*=DD1P}^>nIwqGZE`~5}_?LuS2nwL!SWqC)hKBx8N$fL@L?K`cn!9~I@HYI_>oOQ~ z+dmgr@18F_>zQAn=oWk(bUpVPLd;Ha8I0AOSC_b~?mC}M zdVW^1MJwJd2g0Rln-2d>9C1x;7zFA@`+7$=S+Pt5hBg|^@5S$iUGrsoP%MM)h``ta z4Rb#AI{Wf(Tzr5^mJqu{DVhb>UF7 zMe3Q3rFF>kSD0}`uyCT6&qJ;bci-jl|vU}DvD z_9!KwY@uM4N^i{2xsu$cfKJsE8a`7Yyy-J!QOZ&s`b$C9ldn$hX<1gSrhav@#yjR2 zuSr&9O3=h9Lza|ugM!{cKoeEPD78pql|lkB?qNyww2Ar1&f9>zgD`#XKJxJSVZkti zW5OvQ0Nn9B?09Fo=XEm*P&QaDgYyZld+mIWN;SaPG^Y}+YEp|!A~cDmmnb6hcN>VK z_o#wz0eVr{wvK4!+ikhexy}7MVzXOkPJqTrimDUMB#QY=Y9r|(73Un}Xk4fT4Ey?D 
zyc#AT=5-(LnTOt%>o5uD#%4bjC;M11!~#AT!>2sqCSD!$XJyrS+A2a;DPv3LbB;8E zDCua!#{Y>pJkfIj?EZ?4C?UfxYFt#YUsc-)T0sx26>R>hJuD3fG#M7rXBnpc;+gZW zbgxP`5x!Z+(G0J*6WA5O*tQ%wYVK z2=*78weL!vLMS2^^Kzw&M!ift4^oYQG>*SuTc&GK{eC6;&9+=JL-kZ;j#9M z@&ugtS3+wopv(=ceMug)YvE7TrHFkqF+tVTWIDBk3o8M@h$q|jM4?ymWJAP9aP}lF zFdmgw|EVl1PS4X9^4VGj4sm#fPS-lLX~uPwtJ+K5)=wZ%{ATdO5O%1})`sBVBCsJz z35(9hZ}oxyeb%iJ_giAj8d$r1mF?c3QKfCq{Bw9CGDT{>Fkg`-URj~rNgbYT810|> znT3L?S7i36It>x3X;W$z+>fjrt(iv4R^Me?8~Vlf)XFh~_-YD$}lSS{33#{7i|BE0(R{bN|Lrs}l6`IY@tw$w(jr1kR^hX8#Kx zFPYH8gDhr1bh+s@Z~*l|*rRX)__mj(AL3E?aEKyA1amsj0*DS51bH6pMhhqEejV~+ z1MxN`^cyXBYi~@R%UFLm;ATX2?X!vS-#gfEJR=`$CGYQ+cf}8GTcTStUh2F^h!~xH zebmnAS`DqP_uu%ujZ6&W_T5h{OetSBIOhJy^$+$xx#r$A+i-Ula(!H-RvvH-e}@B2 z%esR3T=0Ge7Iw`vD+mA6KR5C!=zZI~%vm`zsVMXEad~XhI&l~<;dJPW)84tY18c(v zzNf{va`xB-k%3{JLiq~}+)~bifQ_7d@WSr*4943>AsJ}vdr=I)mwv2ZpVh~hzLsSs zdjp?QZH^00-3OX~sT9=akv1pTZF@{aJZaJlc&xVEDW?m9uC}~8pKfx%-K!~c z&cVv024Qq$Qo;{6UGM|XgL>R#zJL2`_T`D&mRIFTU2nb(yA0=DAqIJ!md)+9jT?1n z#s}K0cs>J8Yt5a&znOwJJG*Dqy2hV{_n&Jn-qL_WKqI~G*N19*fX{ujF~2jXoY4nJ zussk2aK|+s?$3FhJOp?zWBVL&8uC00Jykz5Ri;1UUG;-%8vt4Ykh%;l=l93gZCAVp zp1a%cA8kfm3PERbAHUU|b?iJ2>>jA|ET=1Wb}Ua9=DY$O$~c+Vy&NC2{Xrkb%BTst zWZOPzaRoZQScZmgKmN@IKa7+Zy;|IZ$!9Z3DQz%C zspL;@2L&0T`SBXC?FiWYEchZg7n0+d6Bn-vyftLshyeZ`c(y7_)*vyno z3N@OoVZJ%3U{Clx=@CDwL2HrPu{~#@QeUi$M>JIf;gd$D*xmOaMBUhoY|@a6(`OQ) z5Mp&YnMKJbxoFXoL{x4zFQc;+C#85s#5z|vzZ2!W4`Pgy=tdk+V?Bho^UzLN71c}x z;)_U|&&Jp4Nq_N=3pk5_%DDU{I#A3nCyP+H*QiO2OrD~bZ$WQoBB}%M9%(i`g7MD` zgQQsw$BuKfm(ePgLv^k2`2%NLDW=+zrIpgG&%CM;)@Y^FBs^r{I`oe<_2CUlIYS}| z?qtGZ{^{O>hmzW0YR=xP`iqAlR%oWETU#t!HTt@l07|xb=IkAcBP&n(nx0HQfRsoN z!K9!byoG_GLRJ8io88iqZj5(n(3Hw&E_^OJJo!~5%0PSS(M8KWf|B1ZBkRdQ&*C3x z{vl=l#QFDmn<=|e1jVKNhhIKS+-F0nM50o$bK$N#Bep&o4ihGe(n#X?_5RIxw1N{X zwI78lwfML=v*KgzWkS zRv6UW-$(E((?U^*gwu!Mdog?g_cWGXWM(+w${-pw&d;^ zBCQ}yH+P2s9B_`+e6^Kdvf(@xExxX-+wwXiMCUea5U*(y`0vMr<;t%ZFrS%*0+Q{} z)|=^@z8r@18l9l^DJ(v~mi^`GE36SIC9? 
ziee;95_WAHsfM8C78&{T_Ow&*Vz$n>ch$|+ zX^ewkW9r0Z2ZI64r!c#y)I*1z@J}cIsD+e+O_`n&Hv8GU$&?VcsTJMs?@CqmdP)Kd z`Zp}!^p@VN!MDFKxDEmD(dp21;5+v1QaGM_thy=jiy-6jfNnYSXYK~2>rG17x z29W<#w86}+X;`}|T^^(kJx&T?nUiH8a2DFnar-90S%uP6dkzOHu!Yra=nsf$%|dAR zL`2!BC-9!!X!?P{>1oD+Gpq`c5e?G`jkR5jl4eCvRhjV-)S!3$yQFcVEoS(aVU2f~ zlS<9!@aW{BR?Ayioo6%nY5;u;iAD~SL`I8BW_|&Mx~I-@mKLUQ|4PW=t$m9*m%g7| zl|W;Yas33qj}~Qf)ThGAPvV1&J=R(mrCqa`WJLZ>hjF8k`JhrIzGh;haJs?FMQs3= z9-*dH{;i7je2TY@C-;nxy+iF0vaf(sCBC3XM6!|drjA;$O? z1lE~)7f=9yCT!uqkl|;7|1kPMW)=j#ZowzJDS%Mf5%_!mOos6LJI0U;HpmA212h`! zRxt3X4Ez{k4L2n#0dMWZr3Bpp&i#QWp%hvvYk;u#vYRJU7EJ3abAb;{YZv=^kGoKP z@XPY=8rq&b|6|{+fOBW`fv1&@c*D0p@(udOIYgq|7ygewHk`ln3+bkO)(nexCi6cG zkrYeEy>kh_UarLN?f3*<_GR?nzC8ngHF;0Us{kJ_LC=fLb4RbglUpxScXO%v0!>{G z?!M>sOFJ*4=4-p18?*f5dAooeABSX?E5GxlU4g%Ub54ib9zhTDlGgb*bp>h4{D-5H zO%ce?{uh7N68x_>h6_4_qoR`ArrG2BoVMD6yd_0-6a3A3?h_crx2{8$@PzsoHukQE z;Ttec{dFC?+I9dwTi3*15igs9>p#wcer0Rgf_q(fUfqwNx77%y&!Es(_>6%);X`40 zqsDi1EzqoNLW9>u*POuZWDWN}=70}-hL4*lsP~7@0RUvIX#yq;8ikitk2VUK<;qzR3rn?f8Lh(T)5jdF31K zCkd{mk-t;Zh3w!ymIg8e|>YHx?I~YC-L?XfeOUqAWP_HInZWkd?Fz!Lhi}I?1 z?}a!acAzWJni<^_OVqZ|-MA^?RCr?Gne1`uSQrT%8Hw{5giduv6wsi9jj)m`NN#?AnFFhBg=)oAV%$AAE=#E;-<%qoCbV%r zjwvR3*+))mLU#h<7a!60D*be*8N3ytVuWEz1tc*n9K|-=SBG*mt}-c37n+GgZ75dg zh0!l&sW9WxFn^%pDt( zu+NQ(Q4?wNQ$<-OXCY1XOl3+?93UNbOtDF<`-xc?ZH$x6Za=AYEEIW@tS&(%*Fo-d zL|?_;RL(h4+{dNzt^wS=BQc3gF2}K{%_5_j$sVWFTX?o}r8CZ`M)f$Hu&kX>u!70G zoSn%=3Ww*BK_fC(ssCnmF%d##i%BS<;V*z>!E!r7KvTBCanke z0$C+HVUg5Q0r|130teM$j2==^!l8ZN>ad(WfVIAY6K&tlptkU8IU+}=3bzoB$6UGu z293ec{ESj$bJ!2aU)mUO*`{G z_YMjReEqOaO3!`<(&(nLp5s|_!Y7%zNN7QLEH)e!y3FUt`#h-}NX>GI?G9x65`MUMueTvPU}G^m~Ce#K-2n5G3j67~4^HL?!68@}R1X?;gWEVCr`zYqo>YI35MOgbP=RR77G}O)$ z08VWPQ+Az*>7ZZ^x|!t zKdrHw<;aPhM_> z(LwYztSVm944LC^^7_A%XiIm+4)(~;m~|$HAsc`KfppXP5snYxnxEg?(V0w3W>zDe z-gikjjlVoXD&Fv;hPE*f&c6P3u`-&4H!|_+$ukgMz{uj3)8pZ;azSKJ zkh*Mw!}_-=;4QXTAxGs^}I@ZjzVhA(~={Ws`x9eeENLBc(E^I_W!{f z83!v0i2My5ZuS}+_&FMbTDC(+jov?i@R718<1Uy(LYtpCNl#=5AD>53vc!}V#0Y_{ 
z;EN8X{;fzrwExBXIKatxtHy@xZs(=GU^@VJz~{;Tn%RFi;@vYr&*9NCe@P28BlxVG zu<BV?b_BDeOkI25CdBJG_2JdO%@FxJpEK?NukO=ky7gI_W+rO3*81F{ zg+3147E_c3!FVs5(yL?z!T(6K2YNznD{SHmHIx`G?cXPI%(rE-@4x^4QZy(i> zS)4yc)J~^p>i6fEeGl92@i?464(Nn+o}O2hGIma5KYLPwz3LsF%RLZW4)y)}eJ4D7 zdRP5S^GKAtfJk0I2IhCWBgNA+ym;`rEZ4I^FP4y@e--?*&T;Gt%QoevMV{xAp+o!P zmy}`d=>GQMMdMfT*X$fpAM?nD;4`9z5F+Mvw+Nz+SCHPEfXA|^b!-Aq_O&NtyS+GQ z`LyOTsOuwYoLV3J0U*-S=Y4l_o^mu6Y+LZLiCRJ{85sCmosytnEaZ%J8x@xZJ}3E` z-Qe8#RIYzDFf_ZtPsY3gerR=BpKQo&q2^WF32=JHGwQ#8SwVZ>-fc(QW#ig_0*!fn z_JrvIn>e|4o?qYrG)h7KTU&DcI|jT*xqw|3-6xdOn-;dIAn)5iGJ{)qqCEGJ1^-=_ z;x2-R3-5wIb)Dnfp(Ug}W@V4FK6@!M;NTJP+*Yv4%cnxK9`FHX9HY4@kf@x6`X`P? z3x;~1GwA2aFd{50Tt69qDA*XdF9-)?u7Y_iHB>xgT#o9;i&wzYxD&yVZPOaH-!uhe z+;Kt&X_zM=c{HiEA}iAAS=E2+=ZbphwHPgnQ?v*#ZHA#Kvf*%0Y<4C{Q032mm7p)z z>f2Mt<$aWg;4I6QkooFP5Pi94!h5Bzq-D05y?cFL$zuo48AE~-ro~0&UzvbEf?(m< zlYs79a-?7laS&Y{F(a6Zu-qVlzms0*p_Ml;SSh@E#I{q&(v;OMr<>Kjszo~sY0tJoy7eOUdNx-%)@JwS~UW z8g3P-R%l0)ZD%25OQVR6kmE&gdce0_yVf~7GD0L5^+yZdqN)hx*OJzfMyY7}7Yi9> z-Ms0L5*3xZG%4z=Q9>F_2%|MuI=Nr2$lUbM1zHlQEFACaGHrk6?O=-bVu@3+;Wh^G z8&kA4O$xPI!a4a@)Ph-Ye)x4+K&>Db3Bdw!m zkDKxS$#Tq0Byg6y3pjiw86@Xvu%_0E$vWxlRWHM224aJTnE`~c=U{B34O5lr8E4d> zETFaOe~8$+oz}En`@}QSh>clGjzUC5b66JMH7*K?al6LC(12M%AE$Lmomg(hRI@3A zBgG23S_d{XJl1R{97)FDTIahp`!|)NYQYL9v=t>+fm2&OUT2wTD%w7ksxJtUictjE zPKR6hOsUJ{GiVn`S;}2*NGnowLX1!j)EO-}`650}29hb?>ld)L#NaA%J!+GjG;3^? 
z>dM3Ai(1rvhw#sckR<(*IR0LL*pb<#9fDTk7ELBUHbk2CDyvSc14Gp6OHyraA{y4C zq%^vn+T^dAL~CPOQPege#k)3gsj3dsZK9AMZ3c+p`?}|6QT_wPu#c*ZdNI|@b8YA> z3sH(NLbiV#?TrbBOy7r+LxIV@nIaX^Cx;GYv7Tjs%<3D*>Iphxi{x`4nC`}1dAj0} z%yw@>WH8v9XMVs0G*ZX47jIO9{tGuQ$928Hi>Z)YWfT)&#*h8`p(ap)sS(RCX-Jfp z{*f-|Pqa%5^G2WQHbfgHSNS03=IrYx0IAYF6#$tjYgpP%I^;FtG5OR@f@^K}v!(`T zU@=0ZbaFvY#ayNu%D$_xP#0Eh6hD<(K@&&mD3A8jn(G-_WE|YSKZZoWtJJb|s%Tl>m=Bb5#9+WlsiXUC#ZJ z`F51snH*jTDimtZhHv7f?qUk)DoAGuGXL`au z%3JXL{I}q9tsf|cfh4wZOE3_4QnZ1*Ma->tUWr;Sa5lkot#}>q?QQG40rbQ_(m%!1 z!{qvhb1Fn147Kq#-`5=jw5WQVhcCRVaxU8Ka-7gF=s{fw2oCMn0__xB3*AfW8@zmU zOPnV;qI*AY?Pta$2;St!Y55#@f0$i=oIa#H^Bi3w2lpRz1osZxO~JWT-Rw_-NE#vl zoWlG4o)4kNAo~(A^XrX%?^Afdoz24|G;?2YQyE%&f0FTDMTcPXnECs~z%yw_p!w30 zR_{fwxUzBM4*hy_Luhc|>v)eE_#60?i)-hqhN$69E4XdxiEqERCS06|A9xoq^Sr@nytsS$X!BjDa+GU4LQ$kEz4%u>xMu>*RiZ z4Q=aaLQrW+s2dyzzY{Phs{hpPd>G{4-?6zc{-GJ@%V1vjF7?QbM5DiP+}eQE11$7B zTVfILovE<~xV_6gYNm%w=NNH-+d=2tj*Vj-17-tNb#C3>>sL`<^|$jM{B^bi$vbE^ z2Hf4&>ML?T)O7ovCiSgpKtWUw8+e)~d0|>G2V3>RJ{?OGrJmPb&PMHjoc~V0 zhhf0o!q*pYR_tf7b#`XL1&bkY4&aRRMa|cgtTo|W_!LYGcKxQR>q8rngbdg z+}#rpOpE?4a(!DTWfUPNgN1+lkIVR9#G8eV$%)_hDfnSlY717`G&m;Z@t{;I%oJK~ z{O}nmuc*ZAJA^ir20~aX00gxT)Z~UJWJ+gqx++w?!kXI#l&~U)l*LH^wsJ|pN&~EC zhO-1hUD6*)M@s~{^AUymS%^BLeu2vf*c_6r85sopx($16ctmQVRYpQttp<%5D@9bh z2iibB+H{^QnPms;w$p%$Nm>!0`U)7^55nO&ans@o@n4b7`eg3xLj(V2>V>ZOcG*{W+^A zqb^+k*fg#-SUaxNLwg9mw>sf(xf>x_dm?#lv1 zf~z>`v=rSWZcd!4Fb#ja@WY!_S-nyZ`PVO;0wQXgh%sh;x*pL6nN*ua(UbU<6hJdW zn+I9KrI@B%H+Dd2-;ht}h&d)6BM+D7S5ziC+rv~0=0b^x3klO$X$+>7I0^yRNB|vvX5iqIl~^4oMaf=jM}PsY z2%IO39GwbhRZ0WremlMSwpO1?t3DrB;hXL->o28!zb|B!zY$Il-o9SQ8A!#S2NKmO z$v|2aejS#TPcg7w`-FYFZp+V@B{AItm;pke5?`#yaXu^z9?*xRXuRbs?Ow>6&}d_M6qGdXyXI!3=aJY(Ts0qAg>EIpqP3^`y2Ji-s?4&-9U%LvnDCZ$${oK_^)fokaQ zlwGKpwxy_LvXdn34Uc!YXj_i9t8o%|Kg5tv@k{GGzSU!-7eStK*8JcZnrd6%sUd=3 zS@I1kUd~I#aIexxZ+UH36FGEf%ewqG-nrr3B#`10CiEN6#S}M#+D`FWvAAk2yHOLC z7B!}r zL)f>z!BWhev>xDv$;?kmW<1OUgg&CIcs9OJQmsl_cDY|I3J z&yX2guIRh%Tr-oU7Gk#q*Og6sdHiFqW!a3b&~Iy3c4zBcJ1RvhiMr{Gic<)wjf-C3 
z^w!*e0i6EB^aO7y`0p!lV9qRHJ{av|JIp&61PU`jfWgH0iA8oPe1bP0e3XAmjQHbl z`~=)C9Gw3EL?$!bx%cup&fl%=Tw0lb^d@{ZQqw;Jk+l2VjM;nn*^PcaM2g~P@$~Zb zeZ|^w>$;@h^?BM4L+>{49E=B14~;lb$2cNKBlaml}?h(XGscL_u_KM z(uF{i6YrS9GePfzhE~tgd(U#nxcZM}$D4RN&vjcHV!{_}m(cBRo6p@n7;DU3Y2GtC z_DKrDN(^CZerLK_1=HUvhw!S$+8r!G<)1 z{=IK8El&NQHY&fZUEhm>E1o{@wXhh?p!=SV>t3_6l!BXk{=ViJrbpu|pLfo=y0_^z z7}tMov)m2+WISKb>pQnQ2D(2YKLx6O`NlU`!SVL|KHxST5a#ien#z}n`h2ihM<89 z$Cb<53exrKWaqkp!=7<-e9R321mi5I{WzTg#bNsqaKT< z?e_Twoj2=o=f>Bn-QXhx7q?k18V3|WbA7y!|AXe`WpGlke+8M-)1#;S;HLb2j&Ko6 z6GQj$n7#lwW#GfC37b5j&!abIK=lD3KqW8eZeBCEJ@xs)5-+L7I>TsR6-S`SW8YK$ z(tGO1XoKc+(4W^;bMBA*x0#L&+m@F${nidr-~G8$uZn)=U1hVadhZ)vLHqHXgdRhH z$7l>ltaa+Gz{zr%8g+b(JP6}nFvD|Sfjf>^;rc+wlTZE}Y4RAuZqtUdSZ&rmtyLk?f#XaS z=P#c{*^)iIWMH!9+4rB8qfd#oP1%V|t;p&b3w6JYa+FSs3XtKW6_4p~eyEU;!XaIE z_={ADe@FI*&BEG7%!G_TD{+gt>vJghlg1uNZGF;@FR#;pNTDmFU)PKsEn&#?lZx+P zQ%Gf%$OXZc*9#7>#e-3#u5z01n|>&UUbSxg^^{AdqHki&N`+x7ATdX?NNqx?PqgIJ zk_6&S<53v)3$0hBE6F9f4iRRW14X7h+62CIIM)a|A7>>2oeEY&UFbMQMDZ+v9;@AO zI#O0~&1wl8>*A#{EwU2LT{Ea))3jp{G-<)g z6mOrOaZUIQMq}ZNyk@s<`jTPet{vypfyrWxTUd08^HHS=HMV`KnL53)$6a7*Xx*2| z@RzS^=woO|ry+#t>#pkNR<30cH&$cpY85MW&wLgf<{zNSQI$5x$m5u}?sBg(HZzfp zcpb8~6y0(och;{3?ryMS4x^r22aR2j5|zCG7@{&Ko;DAq6%7_{5i_xd7RF52smQ_a z+aJr^U*>G7tKdst8E0K2xr$`7G@<>zdjD146W$*JIk!v-M`))w@^`(0oUh-N@BZBv zNb1?`Jd?So4l!!j%Llp^dz2?5pjdVzwa*LC{x%v|nzpF6Oh77C!OKEg%TC=YT&LwT zk7ME#<+aNY>0LL!Uqu*`JEe6>hm;MMD>LPnB@m)2;Ty(N!%M1;u%fz{Fv-m-cB7tB z^r<#HYq49p3iqkEL?lo~As2UC4(a73p4E$%3a=wa(#z9mWu=+)hQl%oz3u!yx@F$8 zCf`^7y;#8SOy9`>_rsJn{!yW86Vi$h#a*RO@QYm0S83C!N_0&#J_d1>)b7#6=~<3m zfpV`q3jnj2L0_hOs1(HLOmz7_Y+{wurehrcP;$w`uS@5slNKv@XSL~&&~3PqvbhK_ z8Z1X8)aJG_5br_kF5hudyP?>#%|b|FIO|kXt3J6Gb9^=GGfyP;`8?R6KRnnDob^c^ zcUeQlPhrp?#T9Equj)e%68@5Xh`A|Qc(>F@Ryu2B#5~0LQfTjsGn?i7FRt*=d~ZC$ zT1kU*v&3$4bUdpV8lEOPQlsL26x5DN~>PKlAzf6)v7iPSIYT1g{(+lytBPZG=}c=F*IoY71FuHYtxn^nDJ*{H^=uep(GH!A{X@^iB> zA)4JtnLSR5#tl~TrkB2If*qYr#?Qu#fX4Z*2rgu1H~y*|Rk)6W#+3T3RX{%T|AglMk(}Sy&{2l_GeQ54sj~`-GupN_ 
z2^Ju@dlKB;r2_x-a|QQ~TVP`TAE^t*X^)d}EFg zH2y9&N-W@ zIzJP$xwg3#zSLDa?oiN)yg~lzzO4wLxcS%~B zY`dU)8``Sjcs&?k>ANK9oGLv(KNk?F7FPB#rsx4%w=R4>vu-wkzU_IOPHaZSC~bM8 zDW@8 zOVE?qf$a{<@aEcZ#)`q^O_-P4eqN8Gh&WoOQtNk~V9K5ZZX?(hHN5 zTY!hfSf|?cD7eadBI!_-d?j&X>z(ut+1|-q=8^l^%bULW@_0uGS9YD~E$P~F8R%v| z?;`;*`|fK8n7ZCNu?>V04GvZdCU*f8pk{^yq^C+I&_}-L$ma zt6N@&$EM1`9oJ~y0Vx|UYx--|k8c;U=0dGI$2WwB=e%_1yaGb?_c!M>z?R;K!_M}N zphL(${YL9c6%F~Rjn`A)b_8HKuG22-0)5jF?Pcb;`1QH!)Xx+0w&M`=Go@+grxk$z zHLbmB^oP0bL&j*`;Uoe8;FA@^Ell0%T94SozXfCb&lp|%60ukhhP-*=_@Yr!-|g|l zKXOL-bz*Xh*X`tzos#Xt-mKL=b41_cm>%F*}Gen z=zhH=V4pZ1@0XF_bWO9dHrnfr`w?04>OcL0nOINlm9cm3IFHa0y|*-)JrD^u_o)}{ zgKUMOyyMrtz{L3HxXrAxE;5y*^to}-=n}^SWw&pQ@oZ9mEl`d$yb!+al~gh7xZ0>! zq&fnbmojlo3~A#XzDV2T**`E<4Kcsb7+6*Um02Rn&R9dnT%Ih-_T7>dWZ7mhGW zV_EVBC2dO4jJ2(k{;eysY?}Ioie3EM2uJSr#3DXF>1!s+ieuDA`kXRIC=smmGKGXq z*M9UmcMz2o^$s%hg5GqEJfxoEEnOALU93Sq7=Mg5EC z{2X$Qv#^@0gP5nqONxr&z#Tk{oXql4uWB!Y*)u8cD=gyZ3AfN2UatBgwt%486viI; zi%^<*$-O=xCz=7b(K7rD!zx%eg(6FTjRo~qG}c8da!4~6@5Z=RIY*%$ZWfWGb5dD+ zgV?;c^c3xWr7DIU4mUsc53m^hFI*un=~QMm3$ZqaM$~z77$lm~T8cs0@DoH5i&; z1rq8%InXUp{v%R+PuKJ@A}LrWKzci;w>-mR*Ts+FYU~UUQ8(Xl37F3Rz2fmbcz1-7 z$EH!@y8waeT0yG=ktQ1dS^r2Fy;yEydADAiD@sD%(yf&d;erz?TUt@4)9~22`dHdC z5qDTQ*4CA2DA$M$Fx+~#R4rRn85{4LcRqJ;D{vykD{O;6yi8DfLs2$+ zC2ev77A5ueMp`(pE-hOfx%f`OZN6Da0*wNYpJw?X(JFYjWOBAgRr(}JIZ2|9k==6E z8IWK2uL;2+b@m)HZC++j22XuGoQldMmMOiUI~TcLh8kUMP?Icjus2f8Tb^i2M$1-KzJu(RmK40kVP2SFmj4{1Yh%jW1BLd)eb5oSB|H2pAS=P`f9g<3!CIvKwhHbdo+kcOPk zFlhwidSu?8Oc5&cILamkraJzO|98BilMsXedtO5yL6CRnX`ea!yU={;)0ZF&g!cUU zOoK!qA}j&rc{O-Ne0m4HeaaudI^Ybxv)|~=e=StjqwnmruDGhzrQ?tsn6uF%e7gk} zYMzO2HmDkB7N)D88&d>-hy4AeC!59Ud6jE$j+k`}YQG5F37jKehF;+3APqIIcY(dE zHyd{My}KM%dr%aBhvqL?v?A{!Nm!XbOaM<@UqI+bqx{XFl065d6&UbUsc;JK;FKCU_iUu)R&hswuapfDgo%Uz8!~7ea6%Ei*zU1T4(;e=za8u0oVj(HupI{Hm(6(cn-T2 z!*}OE#US;A2<8D99SsL#0@=RTH)Fc>V8_ur)X_F*;c1lQjt<^1$fcr~Wz93A*d05a zf!x>i-)%FxsHfk`DU1F=8|)PLw~!_1a0(m-z3u|5-|L@V*Jo>%djEi26qD`3nBLfp 
zcD*b{Aik+~?j-m0$<_5@J?P$_`SCDy?Xol-cePEqpH?%2mz%qOmx?J86`!?FMMZS( zGl|p*{X4IYBkg`0*=c|46b1Rsm=1@ekhr{dX)tNt4TCRRs6EDc?yEn=v^3jc={Js< zMc8}X5KpbQmfyS_j`K_c&+`Gc`b1Ukw|?!uyOEt_(cF71uNQhedXBf}F-)@A^?g>) z4|YU$kdv$P0R`wnU$MUXrXs$*zWWG8<6XVEauzwM@tUtvf(MJqHEfCo7@DKkQ$WSZ^A*m2ps5dmA%Lh`Bh@brybcL3~Yy{=;hMWRDAJ8>VUI(E3(>gw**6$!oPbx?Q23}u{*w?}*`;on!*wpA1C!tdt^bI- zNIMEE*|JGQ-N{6MLd%~YyL6Q|VX;zV_{x^Y^af*gNU5RwS`IUku_#VNVAy7Mwzdp? z#7~E??ZZ5K`M@(=uZ;gtVvTn3?zPyM3i~d?=7C_P*qT-KmeZcxMJ?Wi`dP!MCzCI4 zwx^E{Lr*xTye02x)ELYP#<#k!xLJ<6G?EF1Q&!&b6Tu0AyRNrvTDj{@GPjAMi{g@B zaSIZ{g2(ZWrKmK_WZ=3>&BW<7jpioNYLta~f5it9C_5G_xw1M$swmx*V-4d6;gPdT z;l{%{ei_iFCc^z_R0KOxe3RpYNbubVk#Jssf-4St5G_NVwU3IgK7+hn1pC}E%Hel@ z7e~g{rwrT3-+mNKl))uo5;ivBYW~g6RxEQi^zvvwQ|%b>kLa=wCB+k%w;YkhU{$Tu zb>J9ppXaCxUUGR-?Aa%jdBg`9ZD3o4C6t?fJyhCdS(b!QBudb)I}z#4UgkcgrtKL| zC-~IKve$63<(bK<4ybr8$8)yNB*GNvmQ8ci>C$?xGzCxew$8&}^dU=~?%Eg-o33PX zaeeku!8Q^XS;n$|W_s68YNHLR+mT~WXTKC#;2B(Hab`F-=$nOTS_~kUM>(15(re`R zmP|xA;+Q!p7YZFG(X$KL$WoN_J7lBQ{1#P(M@=FHUErkh&s!}(`reU7dV=HODRA>4 z=l0#S7t!#a`}XSnzWp#?6)rVGaH@d%i|7k4bDgjpJFS7j7sb3NFZl+iCuzBi)D>&o z-`XovCVF925U)Sda+Gc0a6tE#_G!E!Wf@wRk7lrA`p9HK&1966BvXW)Yln>QaUHSsq+eC;Z{=H-iNv{u?6vj!R8 zb@aEY+;qYsmU-43kJ>aX#h>z#Q5wS0koRD6 zPFfiw+#2GNe;&oD?w|caz~C6aVgsEnawaj(KQ+mVJhhU8OW+U$nPxvIvwM}SOpfBBBPD`16ITytDnG#ct}-&buGepwq0g zGRNEf7)-*~KG#DInIuG4^rNkUJ_-Q~mS-VA{A}pI1Mdn)%3GM*P$p>0&7wdxF=vWx z)~!Orf-xBU6#u0o=;h?JIjeKWtURZEA#h*ex1Z}NJ%e6jY14!;*y`$G-E9WVJG1?! 
zRIxI)^I`cVrk=q z1M;!UxBJT*Vy3qp{l{Y-gVYFg&z%e9!H(k@9*OqoCLLfz-@7l0#XW^Z+wU6m<~zdm zh8?qhREw?Nd7G+{6u_3-<-K%6Gq_s`e6xkz<6pMBq<91Gk0dq#Hf`fU?=6N3*`3Bw z_Igdq2jSRcV5-iHj<=nNrc!Wu_AQCuv~>!|P3v;ibxGL%)SKs3?fTF_Z|9^jxv9S% z`~sOoe`WIWs+_ogx~RrGdko!_rm<}v$pd>o<$Jq>>=MXbwaxuVckkEQ^})3DKL2_v zrvR@lYvlY7nHl87WF>}`jb4YBe(xdOFwS~OqOquz7 zgr?y-b{+obMf)Yr?pLqw1s(6}kPsB{sTo4y^E3&?%xq05y<)3w`D9=~2^D$Qla1mC zr%J58d{4q5XNzQ&q07zC_AHrDV^^;l@JFDYBEVv}vuqQvj$UwznQj-NLrttbJebM0 zJQz$^S4x#piX@Cmr-1#Y`J>Iuo-&d3H^BtPz@IvC(U5^M33GVv1V!f%{_@EUV;wSf zdfqC^Cc{*z3hTBle%J3B6VgHoA&^)p4uZ)m3&h)#lBvIGt2O&tcH=(@M~qu6Ehh9} zn5O!T=%@5xVd)YD&=7GV;4Ax7dm6%&xs+KVS(_3|^2nx$-c2BTw`jDBwv~UxR;;Fo z)rcwuDHjVrVw+L2C5HO1P4sys!TV| z6JhsTRI{H(hNlvlbdBhC+AOQS(&*#f#_!8{Sdx?b&=n^EQ!^=~2@k{3HrH&bkUKvk z2F(g=5!`=$hAU2T?YRj|bP)^b6dSN|O!#;E9~iYY`K;ZnjM~v!PsU3Z5L#35^)Dgk>E0xexUFYvoDigPfDWde3Li~F;j^zz7`C(s({%SN3I68HhT|bpw z-)^3>mzHsv_3}3U;628dkC-wlN<1xS+o`O zV%X*k0$d=kJDpdNK}N`v@(0^=?$wW<*2lM1$QAfhl;>wZtDchYz2>+dL6eni)&IV) zFJYenWEu7lP}2s>^frv*11#Y5Qlw)) zO`zITQtY?z&#H}hs3ay>v|OYqY5uP5e4lO!7bbRa{#? 
zdZy-DH1n}aznQ$(yChJ5bCs{AqiWG9W-3K6x#~%bmj^|2$@=E=j$v?_YZhI{YjeF= z2LH}iU!M)fI87ubIpYx_BBl||qB}&iO+0S;z|ECWqY+&|!Yf5tyRdC!w|wc17Q%^@ zP4OeUWYCwcY)6kw&fB!F`jEE(KN)+|q&5{^LdrE!T}Z?{Hga~6G;l$BCUc^*nik)z zV3<-bf}lNH=FYP~7hA4tW!mOziZP!duah}rtc;vGb>%Nj7Tn&E5)3meuU@%~o7{!0 zR!tHHSg|>HPqK)ET8saVBWyv|&rpwNML%KagJERzi{f#nWEnXubcBL8I_T3Y*)wRH zTnzdZgJ2|x_XE@#%D3zDGM`kX^VYt02|TDaFsSN$trd_-F>rlewa$D-bjT98*pBh_ zte2d^TPiOo-|%^&M$}z@8AJttWA=MPw#(Sh%YjNmw$EO3-fk3!3@bHaHggxW+^uJp zD;un8iyN!-%dgw&W*gVj0XSW+|Ma>7FWl~|ayAZMBs(2evWv4l7O8HQAWrva_g94n z>JMjBDl>%WzTPRum*D$!XOI)k?EuT>9b$o}3rdJ!F+r+3JEqw6If#LJ^v-3h@* z-_%*(P4qhC&=CYZOM^hhL)FF%XEK(dj%#}L1BHiKARby*GQI6Hkl$f3wCW$Q%Bi~D zx6&2Rc)$fb_qo0@zdsgsS*S~iw2RbuK0cT1{q-7j|#s^I%XXzZB;DjK<}ngU;Zho>v`Uc{qzQH9x5^r zRqKPU>TF{+{)C}-?Zt)mKTa`pazCyu*jz3OT!N1p41E6;(=0QPIc;$8_&^6<6a}xJ zj=>jCaZkr{DCi_@lkh5jyQC?4hevmQ@lAG}wmGMhHs=kCs96gaLWbbRYMm}PgUPdL zK4>jz;9cz8B#BJMM)PBM@xYqFntR6ih4!2(8RDjg>2+K%u0f~OgKLwQ%-K7d|DgDG zvF)Pl%jt6ySgs-b6eam;px^K3?$Jlo?7RIY1hpT8#UMu8&cUh(4M-!-}5>pXLH)WGo*ouae{w zXR!WUF+;wd3CVIS>F8h2Aylclr3##tOe=P>rE)h!6^S$iFQ&{wu^>v1mcu)%bOnU( zMifE0`4MouT)Cg<6w@$!xn)#SOt$HW7DgA8BSNoAG>KN>$wuSZjZrBrVu?pACXYk9 zTku|@e7Z7lNjW|`rb!YYlA53}eM|chOj-RIg=CV87fj_Ke3`h$G(W^Z0aO|ZsZ+xA zcibXSlG&EYELD{Zs{L#&qz<#6y!j79nkBqMD5>RRx~fiNm&B1o_N8$}yte8>5^OOd zE%`W*v3m@mpnH;=L4N9#Iyt!fd3=a8e|ChK?|6e2DeL=5fM}LfZ1^hWNZCW z2r6%-^!MDol|Os;R&vQ{0bCuzy|R_c#FWEnCg${RYpS$zq&Li$Q&OAX6a7|;RVt>{ zI;p|iqF)RVPH1`PA_=n_YNamwfT6()&j_Qnm%@oJocDuqDGmJ|JF@gxf)~ zY!q^T*pJW;g8Z_74tP08?~~-ph0oE&U%+cnrfrePlBI*60nlB*7R?ke*{alY3^-kg zRDU0(pIE07J8^J6`{0#XH%XgHtzCHcHQ zX-gutYdWs&-*_m~S&oe2Kf2&*L)K2yoB^7hEOK7zCJAImKP2?)^~lt&RZnGu2iM2c zBo-JAqa?8tNV)jFOB>btBmDRRG`kMj*5-Qq1&HC!|x8Xr>Jok-&YV9dQe^|LWN}@1{m~gMh9~iL>ulD{%xi1(cuTPb#~rT z{B;h6spJush8N`07$)jw$tQCT>u|1?se~FFIGAm8ORBsnuz`6xC62lbl_z}0x@@%k zKg;u++_-uEU;s$=us?A2$%vshXz83%{tR;_&`#5K<=dn8h0pDy6Wp!Pk1HX_s*RcW zufY6&rRG-v@B3p|^BEm(@(?Ntybh_-n} zepy5`l3(r1PJw#;EjCXxnRL$E3H5`4^U)H-<$`*sYHYphxtt-hYZ7?+} 
z9~G_b-zzT9(*(<iwP0gE~d6uizJ#tagW^kyS0WTkky*JdJ zW!?T-S^&_tB3y`H0(jtF-&(r;*=!5dcpl_2%K<_@6y@c#wRGLwgXv!lqr@N1IxIa- z#t<2wPpLC}?=C31oX1zItDl;wZ~BW;1W~elp}h=CKG#l$jY4=*Il+q?Pw6*Kl7gRY zZ#b;_G#XtpQZxiO==lWry3LxIneH+x`xZ zo92B=OqOSK>q}+Sf^c;|u;C&z8>6~me-Z4pBS|dyJhvMIku%4?|400$#`hp?AwU>{ z7GLdkaCq=w9)16ek0xyWmebkvcsj=Na{D~A!MR*nyVhpV_TCJluc=g-*|7g`>EW6t zxyZX449}7QUVo8g5j3_2Yu(M0Yo&C74xtl|P|O$fL~rkR(YOn8C`NcW1f*8@ZuTCc z0tow#uT-m^zGl?~K79f#3%pFxT)vXWE#|h`a`y|cHzmFYaTea>u$@2Xu}>%@cIX9i zh%iOdf7i4raEsuc=a)!E9;KAFa#fC~KgZKHmn`F=N8fKsRok#iP%p?kfg=z;Cz@-T zRk4y2`2|g%l}rZ3^R^<9O0Wb=}E9zY9Z;$*issyV47;|pQ8gqU~W@= zBGSQ#KiuyIE{3Ta)Bv?#qkkng1C*F$AJ$cE0#g$)^esw*@|aW zpp?ckH4%iq2t`F8`B`yLf`*cO$c(M*^mEjWw}87@QB5Z3JDFp&#xX`IS7j>!zoB!Q zjkI;f#4C>DM2p4|EUFm$&?hSVZI|Q+Io}Jl5r($tlHJ;*vB+*td3YT0P|6*NRg?LW zWhR}BnZIAuV=Iz+0%{S^Bhs`OEWMB6NRn$gso7N+o4yE%jwLcHUi#SgKCfZiTqEGe z9Wj>@$3fl4-N&ZPoG`<6j5Uu?(S(m|4MYAsg*as>-dW#ksSOQ9=MktW5?|E?12Z_{ z$#&_}mG;Ahn3d|~ijy6Ur$<677OaMX6i`0ic%dz%ZC4QO1f>17EfzNV9_dQcWqveF z>ypYGw)RJZ{0m3=(5G^9|Kk$d=3k{*^P_y-y`JpH&11|0*u(cF3zjs}VZDSI5`i`& z_vQ|s%Q*_9G-;^e`|kxw8Q5w~UakJA3q*4msoWX$$>YbHI*H+(Yb=AsQ&6@e>avb?TgHI&0-q0aTnstxD<8isJJwPy7gA4Q=SRA;`zfDF zYrt(2>Rum7YRhsF0ZOIzZs>4B5sxUgO%~r)$$jrdt^0`3fU-`B|bgu?iYT254b#@M| z*4+`@9><>i-vQiv#E6DIr9cw;YTj3Pak8PW525VczR5bDFY3>Fpr?S0n_^+Nk+s*u zRCIi$=~fm#jL?4=nP8IDPwQ8pH}iA%+Z>=E1hIE3CLMTCMK*Pa@lhgf9dwW*P#Hvd zqdX(@7VokaMZRI(^Cxt(+4tpj_6f9XdAdgSF(%?W_*7J2A=FuBgYnp#0a5Pnr)lI;cyVE}iw;#+Htn6vH z>o)K*RMT)r6VUVe4>53C&E~Fs z1kv)=|3t?9l`5pS{oZ>Lx+~G2_fna$0qug#_BD+`RgrajVmIC7_mWq*c~_TG)mxZ2#YSU+-Jt_xY-j{#@B3WFY&!ko8x z{<>D{JTAAwHC<0N0ZvxUHCDzzV=H?NclWJEQU8+HAS+D0eKG5pFJ-s0*TtIly7e0< zU|+`v(g!cUW)7Y=(k8txB=b+R?%DB8(3?(AXk74EmiufJI=FG2h{5jhrYRVuGPvEQ z>&!WxbIgv7-}HJwlDzW})|?A^Uq95NqhOcS65+d`7zogHckqr0U0}%s-jOBE*$H1h z4Qc2<9l%$wZbZ26-(5w@qQ5}5pP>Iau}gP=X}}A5X6WG*@I`45beltkBm=#~PMnKl zKj$gB+yMl|93p7u5-R1|+StXUUpa%OY@g+_8^Ei#beCst zivbVbm-ZX{SALgol{$!<9S;qJe_W8Zt*J~dHkq>Fz-b_0L7(0u{fBU3l9irT^x(5DWI=RKO6f!wqrCeUd}lzje8gJJyq 
z);k>bYMED6%_UGuEoYyhQGYGLjDkGJ2bEZueE2Qn93`rA##LbDG!Sc*APjsF4flh{TVg#Z%7rg00MC zSGVbGZ`^N1N~}*ritL!3{Scg*CQ3qSyoQn*lfD-PlPkc}Ks1e+KR>sc`@$$m6FupB9iebaUxcN)^=yK+nQHc(D4W=T7jPN%16D<@Hp}os_l(px zPn0S;)hG!q#PabQ91*ma0sS0zIV+h!vR*<>XI`f_+Oa0bE^haKFzOYC^y=y#8!X0b z8=~7MLVCH_?TR%*jnYn&sTYT-kbsGE-kSBB;{ruQrCwz!TqXw?-({8Qg=bRJ9SzsN zQmLaOcE!8Ba1U|kQ!3mNY|E+_m>lZ$IY>&;E#Q`&U1uqaF%W0M;<(0Sn2j&~MmDvJ zz2DK!jnE5XcGq^spDBTZ*R^N`WcAe7U^F4!^iQ^S^$p zkZS-a`Nid>2nxUF_TWnfn!9-YgZyLZJKx$(GtgaqkIA&I^sIjB50t|vGW^4`8%(Pj zM#t*FPCxqGunEmV_usP>B`E_~oZ0dNkvap$6-yXv=ksLh z;i@o^YT8J1>aJ#c6cHCoHl48%2nr%Uo=TSSzp`MQnDHoIU8s`7NuawHhcM78smOJA zsLA-}D*ro`*es*6m}&5$=PQ_1*FUrl0hIl`%T{3X^Q8XSM_GKW=Qw+ruxhdxH&<2F zXUzH0r)j2C-Ks|YH!`Ml!meRCK*Xv=k$|*3r)j%&1xKq>33XHjMAb0JX{FI(md_zX zL^8+Qtx?Cu!FE_XhV*QL?FAW2k_r4F-4MX7kfJtP{&k_lu|RQSV` znhFCBCuoG>^M)5gj;5^i_QuVh{5P}5^LS43YqRb1p@+zY*3!si{z|HUU0;7!#=$g& zRxA=E zSAF7n^f}pQIL9ATv<2F<1Z9Wj+ET8p$ye(RJ70n?`fD??SBb=g;SAaKx$9cvG@4|C zWel;fla%`O{QY~q5EyBx>c1i%d(3k*`23Z`IaXH#L>9ktVzzt^Tg>HNkQSKxX#LG% z5Ut#{Nhq>~Zkkw*o-)(ri`nA&9s7^XtmG1-nHYZ4k>&)^*2FBCzsOv{a(z>%5ytBc z0yZImZ~3w1WkN94-{0XZa)L~#OGqAea%Zbr*TljoMjA~}uLaC;hiZdamPrvh11e|g zfl+(~0qevkn-Q3!XQ^z7N_~(TLxd?dxuNhx%1EtFh!xlL_8b-tP8?Zu-9-n=MEmsr z4&Yh0)7DTO1TnK3`lK|tb^&^E(PpdGN7n?bL7o z;kW%7eF65acG@yE@}c*dpTQtI|JTtl(_7l{Qk`kt4AQX{+9KUL1+R}*$AbMlfDYiH z<`ccnV{ye4h0V8QSgVw2kkIb_5Fn@l-SZ|pWf47ovZiZyOj3Ap_5N%ura8$Jz5N?x zqYngl@V+?YUV95zKoj1cHn3~vdpJ>}@nQ45Ig-DB>ghTK)h%vDWq}$zntN6agwAFw zbM;c|n{eEs$@l^UH-$|)W(Tcp-F8U(_h)L+p+qBrcZUYFZy6`RuIIw~VHQ1m-MTc_ zJ1cA5_TC6@QkTJ%oEPUpBEj~H$Fi5zoI!E|5-YUkcXwSx)pX9|n7Uktj+S>npUwTU zIJm{vv7@?ar;R4s&bA^(7u&}9TG>5Yn6`kX`Yxe(^Km?=db6WvXR#@0%Jy*!Ii>|9 zydQ1<=EijGd$I<~b)ZV4>~p zPdT*bM;i=sY1Ai9DA@~$tH8YiiV1Lh1Aq6s$c7IM2%Z-YHnBVbCcl18-U&K3B*Od{ zuWY@GIX*qyP<8Ope=;(#E-v>g@gYh=je3bDwJ@ttdmw6Yke}5xr$)(mgON51oX3#` z1%(s`#6Dh+q5drW7b~gboy&95J!N;`ctA6Jw0;21vG=Q4Vlx5`5lVNQVm!5oeuh8Ik zYLBd{It0vS*fh$IINiVVXmJ}=ddAtrG$cHnC^HJtMxt)5ID%h%8~UDdiPiZVUHC_- zO!=lq9J1mCw>SZl7SVieSwC-p2re-tPvGAHD{ 
zD!-cEWWCz#sTQfiquKgHzTW|Y321q}K1|8cAzAT@3rC~u=Q6V+(czi14$QXw=7@r` zH_ur4vmHlyVcM-}8dak`)Ok@s_pu{8$=QRuGNCrMPz#~qtLkp*de~MY0yECD<4&7j z^&H8Vsnh_gYhMRj(+iIE^Ep*f+^;sDw;FDKl#_E2AtMck+JcrOwAXl!$vTQosY+!+2ExJ&?g)g zd|W$J{q`wdrN_}SF9)k3dXgzs4{MqbfrK8FDjioxIZXAdQc8suJBeGPK7Pb0)}Zzs zH3FObC$a)G+5;IPSSEs*WxFp+S~IE;-JXIla9rMG=dBNP%RfO#m! zPVCQve_{3u&@b;vyg7y1R*)rNa@qK7H?l`L4Sg#KqH2j2OCr0t^3wD#_Jz6?=?#K~ zIz2I2`b>DVj}{2YN~k&BX7qOw7z(7(ft?-4Km3^I>2i^^<3!u82~xf|&9f@~j?(!c zd1EAQkAj1P;n-Oy!_|Rl=xad3Qn+EB|A?vKTU1#iE|A);E~(E-kCU~JH2 z|JI>(s${w*6KIvIDlKH}$;2`;fh@`c7|!#IIQqK!3BKX03ETie;6es`g;iN)JWk`j zA7XQ5*}27Y&0%t;h%zJLdFshGN)E@=lLqEtt6(#8cC`7yH07v5N<$OgYg)o?5AsrZ ziGT>2^GF8oxyX2tlP=U%yoJIqFBhRv zj^KBH#kDiXLFWQgHFXo}T7iCLclg{P#&#H1$%<-FWp>Msx3{iD$VCB9%ky{r%g;Zb zNUqI2Rb|ffv6<6z>8Rrbc~ZPBDKt)vKgn>)b~Z$#4t@aG@bJsW#8QjbBVz2M4IiZA zBAKzW3)G4-*X26O{*-OZ91iD;oVE-j!JlB3>%kZd4a!u-D0CvsXK+SR=R?zX3VV$-Uv5Uy^8o6|4f?Gjej|kA1SRH0WbTf z<VPZC5xLE zW1-1!sR0KUFWWVOgCe9zZfc^GOuTU*WgJ5F_jj%I()b!Y*|t?>iTN)XWqOlCd5g{8 z2mc)qY=q<>;cN&882T=A+CSv@u(l;B{m zNuI0U4r{ij9)|^A>LnRFc57tug_;z9rav-+uG1Zm=5Udw{x^^l&L8qEBStR4|$2hv~R- z(I|c@gAYBI5UWE;JYTKwc?`U6C27c9HVk<- zTHgEs0FQ-s{H*IWf6&npR}3E`u=O88fUw>gMMU0U1doyxY>*lFO{o;pa zCLR5klYf5K)0j6b0ve>9`%C?RjjokB?@WgkOu!u3TB;A)+X@0=b(>>@MWJi>BL|OQ z{b047r*E)Ezz%}e^Lk$dO%?=~LI`(t|CwChi>z^s++F|097+xCc@S)Q+Mt=za~M;M zfu3f&3-iyPXyHBIS);!`-Y^;Ho}Nur#|!NoGvzQz;e+-l z!VO5jTGh_&E8_xu$4A zQ_Jy(i7RUM+t!jV9^A33h0Ys;OTA_mk4o>@J=SEJ&AAhoR-Y1?3_9Akfa05$m!TRP zH`^}=1wWhGPOhVxd~NqNGM)!xBoY5dbyt2tzeRgr?;C=m8+VXHE&1NGZ>0sGlF^=_ ziv8&b5iZzXF%WD}J#-%63HezslFi)z8h`I9>k65Q&*@R2q<+ckaro&%t#nSmAl{ot zR}LfiDKmHPk$TVz5*zPWS+)3#U7@4a&@1(gvzcMluJ2-xRv(4SO_S-DsGb4=y!7K= z3>Y6i4UICP8k!J`LQ_u{911$My5cA+g={<>s)1NhSteR~GI~)ehQ)|Ty@0yPOuAj+ zH3X-0TS-F}o&ClD@gB?U%KOj_&5F+_;-lz>4QZ#(D?2r3_cT_pvq3kkL4QdzGAA%R zM>V@6vDtqbCr%czb71;t^!`vR)OFHTZH%{Q=@^igW!z;QF!CGa9!u6tTBLTSa$7Xex`Rz2o%Dxvx6?8e#{v?M zIzjGr&#O6%>X=#lv6*GjfOb+X4gM;2B^yboTLHb6>E92AQq!3WVz`9n)C*RvsxCr! 
zHYSN$bFNukpZ^*~VcIke%l@EXz?pXot(qT`W5C8Pa9dDs-?fq2o0CwfGW{}fG8Sco zRL1#Jouy#oMip)~tB6wc8$CDmE*svg$Xukcka|8nDH{`wn9ki-rp4!7LHu7-$jvn# z(@Cw6@pzR9bgJ$xXAWK-SC=ttK0cRHBlGp{@;07<8S431+Xaqg#(c;+OKm2KFB879g}Q=k@#Sh;lr}}R zWx5fflbd>w{9kd}cFP43o zW)hfe_aC^uQ^;=?bqHUuuPB91>Ce2h$8V%k;yxOT7jsLy!uD**RG?I20P{3&-RRt# zsOUtkW5OBJQ`k>oU0{TK?dhUw1H-Ot9~6-P)zftL{rX-_=NzRFg{f4qm%wM@yz))< zXDVYZFm;cO)r1|HBtbjSemiKe{`lrsG@dkpu%eL_ziy5-b^67o0&6z*!htfUyuM0t znoIQ4D3;2>$p`&>6Jm`(4`zuTSePP;G5Yk*R`>jqFRWIWJXcl}=s()cWEgc3}ax_yo`<+j_<7inDdLr2??i0wzfpKo7Myy9#) z##`+1t;Z{&E@7riEZY`e&aue{mCmJ`|vSyOaZ}Z zUD3HRuhJbs9RV?_OGG5UWLo9eU#NQL-N2h}r>mj=#E86tL)kVj04$Xf z55ith5e$rh?>K{-VsGfLijaSCJpN+^w7-8nu2UlX2X@CWd!EhAxqBZ&PVb&)PLP3X z_stCRV*;cN2SIi&!>}NkrPtSu94{ve-^=?Ps7Vw{XUkC6n(o_duzSV*zkMS2PKSqZ zfo_BL!n!+59@6&x2X*L8{(?Qg@c9^3Q5X`%rKr<#T-}Esvl6N2f#lcz8iZ;G^mE_N zeOm&!m7i99LjyZ_-;5p`m`(ZqtC4>h+Gu~R#20KF8$Q^*62 z!akkP8^|={WVg8v46*^=RfXOH1g+!#^Li4{X}}#`%t~5OdaM z%5xr;S6Bco9<%=S>|A?K?`ZfK5Hd`&bo~(hAmDs@ z&mN^Q?|a{AzTl0o=Wz3s_RhP{JU5ePsvaDl^B2fHTnaWWS1uoRo_Ss!r)cm90X})& zwsmWbU}6?H?u*K7|W*YA0?2=X+sxOzU;UN!Ric;6Q+@8`M3l?AYSnh2(||E*=FaW)s4Z$=CgbK9S{9ehTrvS z*4u@VE4szDmi0YwxwE={|C}Ky2fW)D>ZRd3al|a_6e`d18j;g!dQ&J=)uj&JN&{5X z)WokmI5>qOa(C`U-(Y$R-pz_xgWdZrw>id`TYTy{hUM`{ZpKiXwt3b$o-bf|A0XLK zo?WQqIpEjDIV2$`21-8Y0f1ohlpnQo(LO&uD}GzFNvux#6_*U&eF9AEWxdjD0|Fok zH*w#sok23wDvMA`*?j=BJq~dKo7pM0o4QP~Sda1tmhfk>zVdrUterM1vNCj>v`o3@ z`oFy=pXtBi#8J;P*1G&TubIWM{yIJkH^hd>!L0*#BGXzdE4E4_nr!TA9Cj;SPI%ig zJn@SRem6wrvM|Z6bRhh-LM2!e#WYHFKhj~nb`&A@k3@}?B0{iwB~y|7P?fP8tnN+P zj$e74L}VO}4l1%+ekqd$?6+auqpCbKMxg+y4@|f)F4W0ySbW0?crh;da@=2QWw_P7 zD;d)>Fxl35o-03Prs{6)%Z5+N5jTxJ3e!gNJMt63xca7-hg&x5Rkx@qVZV80_i1MZ z3bOx3SZrFeT1-YUqe_wV;uHMx1$DI1nrV#ao>HYj@Oug%77F)W)3ngS4ul*OEsLlp zhJZ>Qx#sngC!}n?B(h$GO9n>7&6s9krER5gFnBc6hmW?lbQ|M z_up5TYD(IcP)c|-UOd{Tpx#{&`}zMc^;J=E1X{MZTS7>1g1Zyk-Q8V+yE_fR-QC^Y z-QC?G5ZoP_270)&-n#RC_D6l!s#E)%EfZNh;~L&|Hm*qP6i~~8KS&@k7_bWk)8op& z93|6iKZ==-e^10nmTer7sX@>x4@;8i!LBS^i|ITh-f^`u+h^-vUxGm>;|qhTG&**u 
zDfz2nG|qfnpC-C&hS$=afP0kX^HUWOf2Lk)9=)ST4Yfju8G7*%Z3c2M0>+VGWl|D1 zdW8~;d6k}Wu}_fOXj!31m7&5Sd$@o}C}Y@RA2PmIZOW03QpQr$N|$WE8nMlzEhZH*%3Mo=O%?) zX^4V5XW^L2&13T3s!Du?%VQ*5?5z83Z$k^y0c9x@qN|Aw>1lM|on?8##{bZeSH&pF z&)7oEsA3|P>~Xa)S4FYSMntq2SbvAh&L45>kP}D6No|N8!cSS0CO+D?V*N8On;zc) zO-cokB%mK~57o7{=6mE?*}TORY|trHD)kI+rAmm9b3sMi=x~_K-DoWLOUKq_2GV^>M3bSZtH3 zBQUo95Ype_g(#qnKku$~MMc*~0(Uwem^Vuoe4yFP=zS_}2D($s&>7!%kO%6UO0)v^ z$x);JZYzPVL{pvERDo2eRd_&UW}S*_T6?cJtc-F4K?RTQKPElcJd-M={HrMyhvxRbC;9*lcaN4!$6<~(am&drt z3_DmI;>a@LMk^^L?Xjzc_^fjLA>K*P>^=yadZj1+hfd2!S_)Cf)Zdn_ZpS(3gx?3l znc=~!-+yjry5f(xVI1=42}*Cx{XYOd1RTc2mV&1MAD~b6d!H+)b37X<;05lF^C28H zI_Z7@h_hkX(Ty1O|1!L68L`#xnk_GC0N&>Ya1Z-~y# z-V8i@7t6E!ksmZ`!1?+Y(^LlM>4M1`QMZ@7+4g0k^qlF-r<3zFwA8A$dz=ZJ7){@U ztx9nK*GUbsI+r$&%X9ZZb}e{^e|`6{fVKzRTDx*qDA#Pw2%e;E-D37Q8qJhu56V6v zY%+SfCCX}4zFM*0a`>91H)Zki2S9OiMMfQU{T>^Db{Vxy76g1?1Y2ijRQFA zhko@~N}rv$!g*YDI2$&T;oIW*c5CoD>H4~=(DAekezmoYZy=?!Z+|OarZ43o?DDh> zhCegldY$OB52Q#X^a4lsa?N;jJS}w4R^1O(J>ktkR$sgMJr9}lJYUE6UgZ0>Ew~3< z`?+x(rVsY)OjiN-%MDUFIxLSztz)YjS88|wj(wi=eQk! zf%ZoYAOg3m^GdTP(8yKg_RA15a;taM%`q&k&n0CiAA-Scs0dh5-~x#JQ)*Wc+xEev zvHL9^nXGkA^Vzy}$MaC^GtgxIw3Qz)+z^=^$WZgPKP0oWdk;2y1DCy1hIUN@{*#@V zAN9N^kXN;4dB=b_5nBuPHiKOdUk;^e=4c? zW19x!_eyr70~Wu|-7?uK_PFDl`QMz;nLXi5azlv&GqQ&bC5&H~wu~ea7McGMTQ}G# z;T$U=f5mF+H>%K4$5%PW6s*nhN7Ij#aVX?Uu4cdqLoD{9*G@gu*2OoG9kK5Cll?%e zWxa+p?K8>Zi5XDvsY{6v%L`Wfhm=#6MBzbfOO2)c_!=^6G@+`l$X0XMuzW@)2OG!=i&k(GDyx(_R_dMXOgMoVg^<(k-+!{!=w4kF%?=y>-v} zxa&^=yuAUJKJ9I@jHLO91=`uOA~WceOiTY-U&mMUGKHE|jo&YbhcgnyJ$P5mP=*UvJGQGO)UJHz!#Q-QlDZ zH^{Q=201FWIWN6Bc=BDaX^7)kSa~=F*K)YxHH)Sz>}sjVwFZZ72dIu60?1Z9GXH6p z^{K;O6-A{r(lKMwhjl9h=$<#9FZJafgrxUXo$9y0LcWzYkmX{lfHCwZ znU=CXdn0r{?rV<0K0fc}?-jvO1E8=n9XSa3NpjRZ`YMbYyW*sTEP0k< z=6Hf166{|POsICpIHmoRlRK5z4$ha=Evs5+om@GYl9ln8zAoRfat%r@5VD4~SrL;T zR#3Wm(D%KZ4WU>BOR2_IE|>`8!t8}*g~zbA0$I$bZ5SXLa5?O_gk7!7oyZItE~#>E zExn^!snOY^szPHVM2y0of|X>x4|A>>iO3^`m&qu()~LcjA!lk&N1P0(hc`RH7!R`@ zV$cUe@uA6W>qZuDyJ%xMjx!fKlA@9HvO(>M@3>IdE

657U>iIPBaJdElr2XY0JY za|WiklfBD%r}W4Kzv&5Z{>{Z3=zjKdfSrcLB*1`c;#1W_$PQ0nPdVQfw+Rf6`4OJK zZ6=dwWX4{Wh7}h(qPNN<8bLtPqbUL3?Nu1-wjmf=`KSUBbrO6L}CF2sU_)`r760-{jyggn#Kw-f1e(BGRHGw^cyE;1knO8VefSdN&e=4 z)S$AV?a`X<_jCcx+nr7Zl_y_AkLjmvdf)bk=-h2rFk&50nfc_ zyF03Dy)fR>n)X`~ccMdc-tQtP;Rdp6FSEe^^1bozM?O9`&+8`>hsp15I`7Gay}*0q z8SkT*yVuz2o`_!d_kG&T?8ch~Tem4c)9A%#JiE6E-$@o8#>N-?Lo};aP|c@Rmo%j| zw+l32&fjtbHWKu7-Z_@~=<9xDg7~|+9p}2? z?eD2So7XvBx6!soV|-sScvd<8J(TW9-t6Wto9b_2?Se>ZE~@~qU(QO|J*=*4b2?6z zI>V4Rd$&`^?dmQW81+sb?JTN|xAz?W@~PkxqB4`5x|8}gWqg&1$uYXG-1wguseh5UUv{|~b+DKr z^dD#%y_dWSB}gKScAmK=%;Y~HqYh7un^|>h1X#zn>*t2AT-en|ykqj@Jo*`L}`mHEm z+*+8pWG-(f$|`Az-~i6b_?Hbc{#gsd7m-HHDLyB~nMyX4A;)ITlk(x3X*`@lSV2t5 zf=cMdVkBku#DC81ei5j^p^|6@Sd%|}ca3G+;RuL~&pz?xs3nb68VeB#=WbSY2%>9! zSA&Db#%@tUo~pH0Kl%O&aUz9(iPClxYPfaj^JJysDNm@{kI&L{kx4R9R_7%V{)zY| zTzq%{)Qz=5hGR%B^AnG8U@@u`TQua3&gg?p^ow00=r&PzU5)T2sJ}YyH_J`f{7*eK z4kM2mJ4&vT1!U24g$rEz!yg2)MCx=YmT|K5^dN5XM3(g5RuezFHOlwDpdpZ4{uGN) z{uale*TF$hzECXf{k+$H+Yak<`;nas{bqs}XskA8whD^paKS^lWt0!mD{OpCZ3`15aa@$E8 z$J9Ul#D?XKiB?B@d`z1wJy7XaB8uPw7Bj*Z3H8J|vTE4D{;=4Rpm>VTCKh5S^<~6F;EH&&F}c1n99{;Dtf+Ls!nq_>qTSREQqCAlH(p zN)Wz0&6?jQi2XMB_)<}d5Vx%8zx&&}Szq+Oc zf;3BlS;J5McpmlNL3EsiFs47kx{(4`t(f8EDzxS%_Vv`C+x*ObqEDxLCRPZ28k~;q#bA602v%nBV-|`hKFWrVHQHXT>qmo z1ob}RUyDS}Mnp&P&#?fh>IFQmzP8Ge&am7*6yj@q|H)m9zIE+xe%{gG0UI2heXg>{b8Rt^sB-x{h+i>S~RvCEcl z;Uy`=G9-unof5^j;vb*NQVRB<{%RijvoT@euvNk&%M8%y_>;QmvVi2It&<}YbWJz7 zI)h4d63CGx!^rQNj%QeA>F%fg3vc$g*fHa_qFV&P9H zVyYM5=Tsj6gw^f>sKOwq)5!V&1s}%@S8uFIrl9BSrrZ9J<@D>SOYkB5txM+u@;j)N z|EL_w^=?N;WH$Q-U%&T==3@GyvM=xA?e{tA^?0?b z+DRM7cb5#hR-E0&xx;=>$Cxt&41o9N*6xdp=vrR$ZPQ#{P<^)hn&ItrcilzK`o0x9 zeWUwFT<0OZ8;?lO?-`@Xl$JI^1K`JbYwjSS6Up0sZhg6lRs+~ow{BTm`#c|!K5_1y(LQ0MZk(oN?&tw-PJ&JL$M0)EJ7>q=-cO&b z>2L3P#{fyB(v(%t2j|W$UsvA#8UkOZ?RL9K)-K?2yxxADOG)_Jn0VTIbvV=RH2SMmA5=_QJ5+J3 z|J0{&&FkkSVit<*w%+K2vEku0i>|E++`wYjepMK7x{<;&0G*leR5^nx=o_@xT}>c=gE1D9dXdg#la9A z52~s!lo@TX;&|$L^4IZVh~RUV!iZ25N)@jKbT2JhDPX%)3<6&_zQdRYTUJZ;Kv;}t 
z>-;H;ehZ>d%lrjtm#_;e{+z^nTLeX-g|dHvS=qxv({jylj4@R=l4_=>oS73JC1kf_ z0o#^*F?{I=Y?ih9o=xj8^G_!KM%8xVN~DTp2{S3?;c~&c8o9EZlSAo;wVIV_W}Rdv zuQ~b5D07SwsE)yJ+NkRp7SQjEhXPS>H&~ScQi=q!)S^nWUf-@b@K9@o8~-ZS6ci^7 zMp0yyIwu-^MGbRXt4t~7vxWIVD_(y96#VmCNGvVdRI0##0&DKv>%RG%47iEIkk0{5)+j}>AJ5tI zO}TKaZzX%OCuR60J32^;zluyTQ$5=auTELD@EHD`ncD_WHo-!!=CSq?3}=iGiP7jC zN(4fGo4(Ht*0$n*BC;?VxahM$Hy0L2J`Lmgsb(xi#M&IvHxi67Noh=8a5<8vnJddp zXH>$qO0&@x1JcQmRLiiv6Bsh?1m&gYb-nycA=0VdOs%hB!5`YCW(m z9fvW4sCtPajqBq<{TC$T_sRqQ(^clLV*Lkvf}-tK!mB)0EOjNGJ-Ri==SF_q)rgWY z6HCllXLptoMn*~q!EK5Z+S5~EnCoOJW1pSaa8t_M=o}*`l;BQKFJii30Jx|SYz}Uf zMgDS@L5|`zZ5cq1eg>U-i#Uljdgz00TE(AJbO=yZ>Mn9NAqfqz z(mN%$RdGe2bFifxeY8sYUCv^cdS6JQBqv7xbqR|bTEoAJddm*7ReIFfmV`jEWM~hxH*On)4k~*U<6gtCq#)msJ9U= z$5mhD@RdrjB41fnKnJgM#I{Ql0qCYlBh-%FOp>4^o@O%|!qG=6SdMzf{Fy95%u$dQ zvz{=*#hxjqS}1VOlcBgOGiI^kWmaweUpNMU`W)T_76CWw@4dCgJ{tfu-S=Sw-^-7{ z0IFb87%1YoV-WfWBAB?>4cssI74i#GE|4wvS|D}Ne7SaAPmibZc6f|9)!zGq+&(*H z<(S}gE2GoC10J|KJT}-hA5*z6!G8*=VduOTTisdPbNW!s|MK^nH=5UIO|$3hn=t^Q zjHvy*%j5|A_|j(v)P85{Cev*ny!@jZG%vHGy|*z`j?dDK!C}97{V0}sSsnBCrLwzw zil}A%5v20Ek{q)^ptnTS8e9GDvxuAnvxWumnAmr68Zq;I4$<%fF3P2>m3t_iJ{n}V zIa-=>bQ?76`uX<{{riX)9uefn@d%2zWCuOSNeq2E~{4)SNk5oSa?^^+Wn|GT; zTp?uwU|{iZk(m0~2d5`nh)k1wY= ze44alRRGjvPSn41#b&p!`Q6gH+cz(NJ>T|tjydM<*i@!-UF>ph@iH6*;o92)&(L!j z>7sdi$HYBwRnHD#qt&64O>-*Zymmlwu@*PvX4^OT+Q_2^20-iVVV%p|}?*DKqd2=}QJ+Hq4 zoAkbWE2S{T6KsvZ4a;V*Q$fPCo z`ppF#HleuhCaP&!O9XiRZBIQ-{P5{V)#>q3#}Gj5YQ6Z82__l_*KPv%E5VyKZ(!+> zAGf(FfibS2Na2Hql(eq8Q^d5T`rlD zZ*6r@^{37#UR#7FNg85Naow*4Rry;cflfoM+B{0M`F*wxos;H#)epm|2vXC(aDhhj ztJ-sa5NO)Ot4IFnGZaHJ%vX;w$O*X=FW8wDNT(%aMyL(nX*w@uJ$Q-cD@zvhHLga4 z(}g!V{~`LepvD>8sNzNfC0td==O~@Q8zfvmD5jS@%i~kI=inL~5AVS?TtTfPFQe!5 z+tIEvJ#;WlwTwAS7;6r;swYd@f`sZ^{^y;q^N}M?6_-neh4-A1DCy_o9Gx70=kPq8 zQ%|{!Utq+Sp*n8yOW6WM&=GH}HORtF_teeV&NbsON_8Fub*E~h0WF5sG3HqnH{C;| zL*l0%7nM>nu3f~X%XVtO!6Yyi%B7TS<3~r;p9tt)wOD+U{nV`v_8B)Rtn0|CF%fxI zJ?UFrcFWg8rZ5~hI|N6{Jg2A)7^j{hRN4g04QS@%NLELk1lw?V+<%TU)E%Y)6^*_v 
zTLTr2amqC9#@H`(q!ve#qGf3C(1~%%)ZH0Jo$>ZUw<~hBqLbQh6 z&?5;}2Ph%T{ct>IvZEx*1kc4zuv7;fi74x3aYnj$-$sPf4IF-Qt^PQM5xa zW$Rizm!l>BG$tgltTTEP#5-<f-OlFx;}%|MWr0t_*Wf}}PQ9HiDXHepPPT;qyj;5^%$PK^H=G+RL-^??Rn>##F4TEq^R-)Wh$L z_|I}Y>CJ^+gk2&j zs1g3laK2>hVsIG?L^Ii#DXmto`4e3QdA^(mlPu|pX(?JJ8oX<7`6N~{6-YRKDxM2L z(YrgI+3K@#JOrsZu6ctMSXxky+J53Fs#CsH?L=wuLL;Vb+RRENh(Ry=wI?yhWza|h zQZ{L91wT|oj<;qbA#b;Q>4tur~xK0Z-+C-;<*hK(o^_7Y#$7d=*39h)F(< z=??fI;xhm!`{b)Xkwh@U$e8c$-_60+LtNVgDy`Y|3%EMDZdZkHn;x&G-1X|a(0ZpE zji-}DXIG%cEU)(vM%!@%2T>_+5b%c^?b|AB@);o`FVS}Q8EUBw3%8etify^Tr2&tK zPV2)$LU;47zU46AG5F;pn|%kAEV6T7e2%W|y87hjeZ^vaNUt8Qp?MvboAsGNd1k5a zbdo}J70~6d5b~kJ>#~Y<{GP{-pniJsB>L|xbQ+UL=V+kDQyvuNxk>Q4c+9cmQOGyT zr52vN#WOXF#!1ci7rtZOK)g8lB0J?ns=HymfU?%%(Rq}2Zs#HaeMRq9PSER>x1ZN6 zHdWpiXZ!Z_7dq!-&pDxYKHwI)m97^w-alhsJ4xp}Le8PT@^K2iN28E3qfHLD|75Bw z+Q;a2rmc-%d`rC<^wiq^a!`&1UhW83mlBbWn(JhO9gu+msavERn~v_MJJrBa5^w8| zThixGHMF1KPAj@k%k3n5Yl>gpD9_nbYZn56_jrwf0Dgz&4TVdMo5zJ0go zn%bnpURl@whPM zd+ol?x;wBu2|p$Zwcl>{N>9$=KD`U)0xu5(p0^9Hx67QXxmG z#+m21d?TX&UIIl`r>(4h_>%iTbkO)-`Z|42q&6y=95`H_jDYO^f!^ToC}4?L5h4kD z(ekH0coa=)T(C01EXSF&{1e9o_O4lS_%<1gu@wYh*mAizpx}Z zhT|YJ`sWQC9mWa|^Py+LpUy8z=PKJZS+@0y#xTv%Ur&DwbFZACQB02&MGZAWd1b`` z%QZ|&zMPGT;LlaFuiNZ9QsW^tFd^N}F^{wJqv_~&Zc8>Vro)+G#p6SZ_k0)Lz6+B? 
z`bBH^O}s7l*&%Ni0*_j@I^N5xqTiSBvQDI2mSgdWjIZdGX~$?F;WP!eiV~(`GN>n> zg~~=V?AEecy#R8U+Mk#4-V#w(Swx6Qq)}fH3AKsrv<^qLEr+>(4I6Uuu;#SCT8gF; zB!3`@mdFfO1%qI4_LeIPF_g0`qGBR+weYRLu^>s%i7dckdUn(l`hHj%YW>nr2jAkW zs!Ue;5|-MWRAj}bNKmk&p^$lt(9fa-6ax(msaXUwQaW?)Z-J;2HieRKTE3!9*5y|D z=I+i-tclx+qRheTK~Y%7u-NS-c4RMU|7ibQGug?Xamd(hOE>>)3?5o)i)c`5IV#E2 zT0497NX9>6p&^PCqI({1f+@3uVihKYg5Fd!^TXf1aAB?z2yTaA(~VnkEm=$*{NU8P z9BcZ!a%)sM*H?;_p;CRN35j1oZc3voQ$A^g{QEwC@<~oB_T8$yAY{BvE?9-84;dlJ zdH~Hln!qXyb&xZ-D6-nC6vc%VL;v?gQ3571nr0RHr6bVbbMbM;8o!(Um>c^J4;lf^ z4$%Ml{i4#+1IzN;GKMM@6Wm zNtVSjb!BOW4tX-o32x1!y&_-Bw5r%Zrh!YLWAfR=Pm}z}?=Bn3gi*vtGwmQBgh8_2F;uSNhT2xqj0^BZDb{xV#XQKO zsXpNrZ2RqD4?9cYTiHgVhp3M$RX3uOHDAyh~5a%KCMikGY$+;-!QqIr2`^klM`yXlKM z{f3M}w+LhSc1KI7?<2&Dr%Ys=C&>-rxc`PjAd{QCcIZxjDp#ZxJ4qu*+w_+wZ+2g( zhDH02W0iJslAP<>8Rl6MmW3C8l{E3{ubA30w6QvX87G*U5@ivnK=(D}W}WBiC?Si> zjiYW-JdG{vs*296VWl=#*7J9w6_YL)e^Z=*t4G9nG&a@!>q=~*;aRlsTU#VDI((r_ z7sA=_gxaN(Thu#+5y>rPhR0tEHR0=}ymUZ6&9*U>ptLMh>|N#4dO*8jqNucaX;@DYTLGV?mS%GT%mqZez-y*?6rB(RrpV{-91 zUdN^;{V~X3-!VT#K5KG*&V4>YkQE-9LXOV=B&?w7PSC4!(0NQJgy&w8`z-g~wyOq_ z0f{bA1rX!&aGK8!50V$9P!4|r;hOx>k!9CW7L?A&?}<3P$)D|%Cy+4NZ@y}kl_m3PmL zqOaWt4C?Fu26N0TqjeAI`CL;LvD)pDdw8dFK{`BcEpqtTyBD@CjIS)*$MAt3xX_!? zHe52BS2vE$gNbTDtLM2JG<6JMd2U~yJ03$UZr1BFa&_RpS9{qdba_ocqzQxZ@s-2! 
zE3HarRUj336kt{YrhGFW{7mDs4zTu_0H9?A*5LL$XdyLuU8j{!Uw40eMlOLqT4#BI z8nijRvtKjo7eh6E6`QnVF`Zzl)%I>FThG1&TW5T)#!UMq6u>)p3e}B|mfpLsdnK*> z481MuxS4zox8dc!gbOQOkI}=iue8iuCmiTAz9&rAY0f(aRdo+WyA4n2-Vb&orl56& zE%0J7hX?3x5WvpZI&ijs^n+o>7o6|Rv-K)N=xXZnfmloDQ1ff7l;J&#}PD?ZLW7e%AH>)#EB^~P%|4u^?n_)44PoNC|V_nyDG7s7!F>l=vO1s=vWg+uObJxTfy1y)@`YS!hpk1MI#^s!wjnj@R)Vnt^jVw8Mx8UlM!bO2%|)M)#zqQT_i;W`h&q z@o`B{<8?6Lvv5+p^|~_WU1kNRz8gIP?}{qr!-5P|EF&MBoc!Wm5K5M<%C@k-29Naz z2-<(k9JZ@iVuyqJJUiwYs2E{BWnlgqMv0Wn95N;~wd^9=^Zd=3sQS-qm>sLq_IOPe zu?&@7==%cGCT%dY}ZV=CW!2mSe5l|1i{X3!W}cst@i~$8 z%9th<&e{^>wYJ-kspiOZ{%CjPs>xtVV`EEId|jDv5t@FKgJr)UBSfdQQi1U0{W>Zf zDhm&D78Fn1F%)D8{myc_N=A}RDpB?AP^?yo(0)OVP0h^{&{DO0Ly_GxvbFNxLWs$7;Tx~<2XzJQGKrY&XHFx3OqP7z=> zG0(w%{ncYy16&JC2fCtI7`Y+72{Gfg3D@}ke%8=Y-WQ4Ef%vt0Y>cXpL zj(U{O72%ttT^&hNsYCXmY1+G2HlP0Z?e@1f-0VzIuStpU{IT5Rrn-&Ljh3`=8`VtR z1~JICZQc6T7w{({griY8#(CL`A2X#1YA(o(qE+=~AYRF#UXd$zP4Wb{_jCfyzvCH7o>JRAhd4nqd?>^=)yi zfuOjcplA-&T2IPK9#d`}PCQQiQ_f%d6@nH2&NgV=BO!ZsU5F3wkFQLugsw`4{8vw= zKav&t!{3?(MahI>&P6m8&5x*%)l0E@GGOrqW*$ijnNKZ-p%7v$3cnqQ{i@OWgJGd< zQU$LkpfinT?Wu%+*rB#frK*N!4zJu(P+pyG-&e#X`lU;ljc$JcCJQK#B5O);?Sp8R zOP--skp6!_0N`NCdX0U^UBB<`&A7D$b17LF8hlnGa>5O8hAA(7Zi*if!9qQL;C{ug z!b(U1U_>z2Sv0{6lLFQ(;Nb9L1hDab$5WCA%&%X79N3V_x*q=_HOhZK@xep?__tdI zeDZ3**lO+w+Rs%F)X+WZMh@64uy*70Xv9;GINE7s_E~hgZ_NSBJC525(s!ubjyN=% z#&kM^w&NFjA767n5E$@Pze4G4==?Tg_v&HJ((>AI_%+Q`@(%GGL!QN6JSAfDhrCyL*?( zI^PaWaBX%$HaPOIwcDQZq-%m=GskDptD6+94S?rRN$`W`clo3|J%7`-h`rt}fU;5S zQ5ItTvE!OR@6%Ir5Sv@2o>J5Mx?lgY6}igy5|pa@cBK>h@=-qI3|0nnnat#(X*un9 z2L77a5_}y8g)%hm9rbSXtt-jtiSRZ(eV&0t-}YLe-?{?*9L{lCyq@IjZ93*<&a{v9 zy!MJ|FFei@K7;sorRRvECPPb!npEwIF;jfAyZT?o_i1Mg3g7nYdw2hC?)th$x?jAk z$USp;-0hvl?f|Ep&fq{(ddGJ%tDJ2%O`lWUivDbj2Dt&Q$EOANMTG^^w)LIC6T^d4a7!u|ok`Xspug=)ct z3bv~6rJ&iSDs6}KXaOb zeWE6#)`u{{wuid7VfTeTW9|{Ay?i;GnrfMUq)W8w_Y(O1y=A4FaaCqc>ru@n+!4#O z)P#+ZIu&(F3rKb`{UJ9OmK}Mg%3x7z6$(4(of)8Dy_9gyOUep^ucqkT#bPRqPrI_n z`&l@$H03?DkH1oGLJt+OKo;8Ml<}l%^J5nseu#dJ@2fpU^^Tj4NM<9nc$;H^8MLWO 
zqjU+srE;Xf7MLr^hsA~-FL}XVso03dJ;$PAJ6<|9Doi3!Nx-E{QEy?f_%$Ub(bm@o z8A^_3Mdi_R;Xcx!0kg%p3YLS&yTYJf^&y8o&pC~Js2lxjS`lW_mM+Bog_W6)6|+*_ zH7KgoB$}>;$!x6@Z`!Okp|%kvZg|1rt0Aw6vPiVDb~R_IDXmEh>#v45v;iPROsKCP zSxm=IcoWC?%e*fm%fun4D4{Cf5xn2o)@$2Ht;eK{dd)0sU!KQwF&4N`~sP z9>(D7)TV&eO9+x2B^8MWWvOo<&><~tC?&b1MfGWJ;?%E?A2DcGQR@`Ah4jqVlJJ^2 zeUOTm;B@gTxG2OIQ&Kpfk|jauEEp)A|H>-Ag+rZ2Us`prL*W@1o3Omk0|kzDgEiI( zk}d#!=ip6tisAA&pa0HVoirw%q}M2Vg5oGDEy7Uc>hLRN*T_GK7a|H&RnQE^$o#M8+{TS*oGh!-r!&}uDqfke<&g7J zt*jY#PRWx}R5zf-=uCOj@m+_{hW_BK%b&EUa>3tdw#3ssLiZHJnJ!z84Lc~>Vs=+V zOH|DT7{|?g^K?5|E=mcjj~FtOG_NQc@qv(HK846PC5^85%|%Vg>SFdMb>XOv20j*p z8-hpnce2X{Ep-@4#AV0u*N3)b9FGaZEjje%h&^ca#b&H#jEQtQRB5}CfcY*Zip&ZO zx2b)>qN$#%;Axb=7#$TPENFr4N_7M#m@f?>X?j0PwQ(zx4##(Az~kZz0^DFqOkZ8_ zKg9Hg>2eqNIvb0E)t?HX+PgA6D-+49U z{zSJ?SP>4y4>4V}!G=h$s%YXCOH+uvt{ZNJb^4%vqw$=ffa>`S!eFOB(i?y=#$CK4 zEl^Wvl!8^Y4X}tkhp|oxtMG4Utu5Ha`v#;+wP!tu8}+KdLeOpIua?QS;}q*)r4=n4 zj#g{VAvxoc2=tO&ugW7|XnZMSEmKGITHtUV-bupVgI=XqAqy!M$)CG%Xp6|y%Cr2n z@#p)V19{ZBDWq%@XuZ?<_fh*0e>KV{RoZ0ODa*xA&TsrQftAY4BQRw9 zN=xl(WBOp%vx#|-{;Oxp@SL9R^#g28>HIy;4ASzya0*!N`*^?H$l1CB5C_yVw3pcA*STX9lxACTKv3 z<5-T}UC=g9X;;^hRw&k0$M02BeUOvdLf90%!l7U0&9E_e&t;1+Kyl+V_`;)QP&A`h$ z!slp)l$aJYMuPUqYz+vIoy+2ixs|g$4!_UM8@1O-eLK$zr(N?_v|_+sYNWyq-_>@O9z%sGH{f(Bx7yhwj5=pc^h>)Bd7&PW_rMqfgkD^T_#m zPG^4?nA?7Qkuh$gQexHzffsbKb6(?hL&38RHkg#yZGQ-(t@V0uV(SKFYiv8zb&8qo zC~qA`wvEO;r@C=kcdZOAU=@qCcmm6#n69hg4b0rr8b`yQvDYXr>D~37h86{Z8KI$% zhYVy-DlPo_oQ9#3j2nANy_Qdl4w>v^}( zY?Qwl!NO+rkw!J^R8GHIbYhhW28{mopx=K*d5Ky5jn_h`xZ!X4?0{kCrP(O^k~AN% zX%{m|v7w5w8KEhg!5klnB<_tMVTjypH6p7Hui7cru2S9dN>56biMw9b%Gr~lS{yMb z<*B4_s)Y>6B~VdZ9KiSFg|qn0kSHr5Fh!wR+g}F?2l}M?YbQ?#yfAS={5{4mHh7jRt4gT1s4%TSPHy)9N?Bn8t@G9WJOhZ0cpN4Abg5Kl8QRzOE~9gnD# zb`MpWKD#vs)2MyDaC|5Sa?@tiX!CL^nr2>(3GHdAgv$=$4l15y{d5@98I{F3MVe8h zUF;{m$yD+L`d0#hQZk5XEP4j~{{#zJEKs$9-xl^K7Dvj`EZBB0W5$(dr(4PB zS<{m&!x@%M%y@%&oEp#eAy(1;WMt1z`}MKU8+RzDB@O3IGOR$S8L6EFY zHtN>NY&gVh>Qk?XwG$*J8_VLVv>WBdri#?x3cuw^RH+n&)QebDw=MTaa8-(>nc=Lk 
zL1zCZDLh5Psk3)T*usf5OJHKpmV#I04JrR=^(|5`>afgcoP{zu9ory(u_FhOdJ}6i z$8K-^Ta^Tk032~*l*%;QuYHnIO)B;=`Lt*2zjf=dUnjA(3eDDzI)A$}34!SSz9u3~ zC=x&uEpht@tcFH3iF@kL7EHcys?Ex6ufZ4RrT$GqOZ$QviA5P@R`5fOP_i+Sk@QZ zEDR;C<8xO$)9OQph_FzWO>mw%@wrZ^OLs3#eH-{9Hm5Bn(TYL7ogyBB=pSv?@?*`4 zVz*L8*G<%V+LD<(SXN`C@H6w-G2D>dOE;(fOrL4rD@XsBFJS_HnOLoPK~VbZ`%<68 zWZ5?1pI}WDZRT0oyI<+8Iu6V&r!Ev{rj)wItS(&r3)8y#snYZUXF}7eb|^*XT?Zij z)E{ESB62cFSgI_{i^iDcE z^w14>?Z)v$zaBC|PYkoQmi2gBvJCT zwaX`zC<Bq_$ctH!d87(XtMAazd5f3_e*^v{TU=G z&bJ ze_nJv!+%hPnM$7vIy%gr-XxmYd`Ul>Ty3%QDM#1)R|V{Pt)Blbap6769!n6neUx80 z+s@JZI5_3C{am)U|M9Cj8Mj-42P$%XAM!`9!<7B3lYF`dD2~!LZO89pXLs9o+Mv31 z@uA^O~W+qN60v2CNVcapuo{LebyIp^lN zc(32J<~PsGGvj)qHE~s6eq;2s)}?TSGvnbdXxC-o!S8w1>p|S0<1To+ir};9-(O`B z8Moaya*N_oH_)cDzeIp{xlG^du^70d$Hmv`vt#Z-bc0}(VUuod-*PnvYyVjEvCUhc zvu1h6Tm$BLUX99{A$hnXIw1m0BI*3|UfA=g!M5|esL){t^YZfEpCWJ6ToO5hWMpg< z9I`InuOAQ$-A-C<>VYgDMn;Ky^0 zkA^S{c1p8UgXU=8^wB+!H1$r8G@UjfGiR(C50Qg-X^R0>k z4Rh|7yPxZrL`oJKETL!+=tP?}X0^O;Yp%J=P!~^gHuhrl1r8hX4uO(5Hn+}%Kk3!Z z?qs8ro0^@0OU9mbe2@k5D>1ri6_B1CG@ReWkV_e3Ig;!p;J({$Mm28vlP*$ChE$Qm ztt(ZKm6e`rm9tt7AT{!q@SzJxH4&2fSKI^A2}#REk*(;s$~C= zlHCs>bb^I_?s^EW(^1*z)O8cOYix$DFkGsumX2~Wxk0H0j5McOMZ!nQw9DtC@04FJ z*Ld@^t}`BU|NkJ$<70sUe)97Fc(qMGz1pl6d9z^PM>r`NM3E$Vu;30LU*QD>^r@0Z z1mH%f(1`o?f_0zwooxt%xBc$Tr%;#;fZ29&+eT;4b^cx|-jL585~Fu;uox6s* zBEAn`sf|IeR$uk449c4QMojAku^;Kp*#5NT76r-cXY{{J+GYpvW>Th&4^&Zvt#e%e zGN5LS?09=t<(To-s`cpe272wkCN$T7ZSA^CWd8SbTII4XqdcR#v+-7Y&9qce+k779 ztfAYT<+pqwQ}$_u=u&}cu3Y&jv! 
z7*rRyU4QLI%WB&B7%T|}W(n=QKJ%sh3t#R8KJba#fD_)U7QJqCaJrqRBjft+Z_sZL zT-x}a^LwzjE)xtyZ+dX_>Vf3fTiutn^y(Tu=6NJja(VAVcsNsCkMSe$ef$ScD;h#| z?jtEU*DiOKV2k>G=`JxBf6OhvIcz@C<1Pd~uuvq}pbIRVcSnMn6$3UHet`f5V?riM zgM&j}gjN8kb5lX&HvRkTQ6EVl3_vT`_kJ3z<%l~xDez~!8u}Z;64D-@+P~{(bOGOZQNUtx!}=U(oh9b5g{Z+ z{!WS6cYy)~$~g~4tn$UdkjgNs9eY-2ltAig>}5FX%o-n~9|4#i`Mks2qe+IHtf{;$ zRwjyxWh$E1u59u}{a-jjrtd-^VP1_i+8l=uCVw$&$`1W5p%Ez59h6@(+`)}=T&d(r z4ij%R(&vPKt&m68MKJUwEB`B583~^RW5$UNyWA8(8}o-)8=1|yQjx?{eLRqHWNcqu z-91B?C7h;o*{|C+&fI>#eL-ZR1Km_fc7H(s5GO|2)T5A{_4^0fB0)rZ?jjb#Ic9a_ zU>T5eOGLB${4l#X?&}Bhg^=z9V~8`aVY+Jp%g`ToHMxl5lND*`S}00gd1vWDNNIVu z)w-k2=E))_Efo$7)`Mi|umF0IUj?=t;!=T7p~ozcKJBq{)}<;|%ENzHC{rt!2YpZX zj(Qg#ycuZK@38Pgs}YlEe+G<88Mo>_pO@Uyuq{(~E^>88ECmP86%Ss7m0b+f$CHLy z1FB=tH4EVcBQ%?sEt<-L&Qs?U+h2 zYb7P~?t#1Oafh8ybX%*rXJ82^_-c|)nkvf+U6LtNGR1r#^b!Qjb2_^ou-Q)g{q(ub z90fuCkH}4}pU$!&=Za5k@+pq+LFZ?b1l29E6s9|Hi3bz&Goa(8S+@R>{EPA%8E;)} zOzN@B1Tr{7b7sLY{l`y~gx}s3F`dFJ_ZJzdjBPfBv=Zx>jLl9s4=v!h9=QqeFW`eSO!u7>dBkv zyftNn$q%*ins(9+jq|42A{}30EfqxE<0u~Gzu2(D8G03-&i1qFI;q?2Sw-q41UNtV zH2!raPsED{XKT?!hT>Jx1VI%gA4;{rJ=jndP9PnK)Yjmp3^m(uua#=~X$m9ADWy;W zS4X;-mNBXkjSyhU<#!3oR1%fa38b~K1B7Kh-%sTa{+V)x<@_%epariTK&5DEJsy<~ z%)fG2vlDX2>5qG%)i`m!gVu~|x%bxExMOEO#eK;>dC0M3{KsTwZfJ7ZkE)YG#eqn|82wjfH)8Q{Sg-?j;5$u#RxfV?$TR8$nQl`|Q z&>`g#U0yT$CknZ&K1AilE+S!cTrqO8bBx2AbABO)b`#Pz&so%Mes=*mAy3gRl(U`5 zs-j2)f8F)`2@5++ifN)1p5?a`G&Tv6jcmk>X$|j;BEy$35p+}9wI!`WK@QShS{~A3 zY{$4r!Va;$h%HIr&xR9o#bsL|gu=lU39bX=SACb>xA}7F@p_m# zdK|qTp&4NF33~OQp8!k0T0@?zGD?DXIxC)^Zr{Z@TlZJ3GzW4o{NF}43QVUwrhU5K zZ&cq##CCk{LoWdr^rLlM0RJ_i?3=M3iO{rd?`;7T0Hh$O9g<2S7c`CVTQ8C>P)02>alyQK(PFr^;~ZfCJVic0t7w z@7`I7-kaoC5}`shJ%d^ZTz(8LM+6;3GhWpVuRl@v{jXnj{NDQFtVo`^3|49tH9GEl z4K}-$nxd|K|D|Q*y-R$Yuq^VLM=f#r;z>Mt?b6=Z9B!`&e_ny@Cm63VIdv>;Ieu>hiw6i)5=75Kb2Hh1nuY=Ei_81P z#~imOUngK$6wHpGyW7njq<;O(n7>WZraN=C_c}g~ZM%%7uWj9B+*^b{O#O^p6en#i z?WSMEBb3WVt4#CMJLObQC5rCN(lEld=5?ZhZR45v^Oy$cruXb+oz4GOD07~-dgD$E 
zU$uvoNtFzWz*$K~^M29A{Pk7nWp*9G%qD8?gX+U!XJ6G0NlM=9wUEKX>Dq<)9a;Nb zULUXqqyG_>Pr&;fBQ0}H0H=0qyHl6%DscF=>tALUgZKITKHEQh9}u11`YX8Y9ZdU% z0x`1!_SL?vdx^`D@V#+45lT;YHzcz=Fa|bU01{E2NnSp`DgXRa{Cow*Gc{@GQw1e4 zq=2J+%400a>JS+Um)fL$k<1DIjGKhtP_xh+m%aI`si=wpKOAd|Dc6w7F|5@U**W|B zGFa3ff5b6&I!cvt=XV6BZn|o~q~@;&ZQ*>*a-#^;=`bWSZFh@>W17UR&IouptC5gb zE1}yxahFAuY7wI~xIs5q-i#=1;18CKj z&k`h@&JY+67->#&$K1cq4>U4zjE3(HuL{f1`*Wt&0ZbZngN$7<2hiQ@DyX)hFne~b+{3K}SW?M;>W$IqKYZyk(6;3TLs zMxfdesVc{p@wAQ|K1#>qd;F-Fg(--It~aZ=OuLiXpE0M@S@Z$6 zXTmJq(&YYV51jL+ph3dtDK(fx(JRQ8T@xs^-L?{*_rVv^=r4^Dm2xAIZ%}C5lp{^ z3&zZ&P8l3f0_R-EQZAgAa-MFpRmPg3z8yrc!UMl*G3|1XmgX3x+V5hpBJX8x+)=X# z7}=<|B}5H65&fp5j@c7;T0UiWW2D$nmcB*Pz_#gDJVh3TFLL&d;2K$TS0V9o9?scq zmZVkXkU%C#fRc2!gF~k>n4tNI{+&%}^a8W}i|w#(I;Bb7I->WHl|&xPRQ=3uXgB^d zL2`bUw7e508WfD!Qg!F=bB!N8u*hBF>u#i`)!d;hj+X74L*4QXGijqzHbYO5NNr!W zJ0dsb8noH(%Iru9&7BFWi`DZEKQL*d>2o*Rjx2|!#ZCNeO%V%KGoYdQ_~OLwHQE1X zJoIrnqJP)|XWlPPdR<8 z_DOY`2g9Sr=i8-ssQ)C#cQ#Tcc1wNZqZdPF*y(sE>YC?Gp-IkwLC8D9^9q|f;WR3) zuD*Z8qx%jAtS3~y$ZHJim4nmT=TMS#wWB^!>ouTq;Rm=)1^u|l?VQ`!GXPTf277Y) z?xH9#Zvv+Ia;Q=G@4X%(b?O@BL;jTEfQ}ke{CyUB+mznwPV3xGalKtWMuC5|=&yYS z@VNXvv@VAB>-535yeS^UJU6>-?m_7sZKG-7N%TWM*I~EeuDoBThj>N>KeDozH0}2| zQgSr(J?dxVvjmg;_G&rAsr~N<#Q3(`9ka}Gy&lq&>fYmk3N@|Hoy?xIIu;;v1K_Mg z+yZk=-YdDAnCB}W{gw+6@Vp2i*2i>M?WU}Hex|nLu-5IG=T_5Q#3B4^Gi>d(@2ZRe z&)wVMR3CV4Z(^rq;UJv2V=@qhq+JX+5LQP>Pew1`y>XVd(^$i~TJSPPhQsV@8%29J zt*>C2gvI$fCD7b@-nj1kP-CF$B}A1ay?t| zj_{-d=1l zx-fU|<{$OGMP0u;-d9~irt;TcH!Z2o?R!Kgx)D zB)D9%_+?GoUrc}szyc73-xaWrY`~|_y(n_#a!$qQ^RVnQJnUBdV5EArII{_jbK-bh zTciK0B0lLOTVoCaB~g`NAY z9mz1>wqH#mFH>ud{xyfVKk&oJFwNC^Ko=R55?& z*13gkx=XY#H=|ORe-6qBLVmt^|15WFA-;E^Uss8$QIPYwN*yzVTF;Vj=B`ryXcl5c zteYDnm6XR{EtcSe?-|^^0=63m>3PQtv#TcF%ha+`kVuvE@duZdB@*RKOVzGv2@02|D7l$niB`kCGa(?Xu*5{sij|DMHwshI z?>J1Pgzpsdg&{5D7_&HIFxixRPbD3nj4MARu&FL(dCk9HI@}dC3@z;H-pN4 zOUmXfB(9|Vk@~`*0t)39ME45XVIbV!B;oA?SICg#Ctad}o3a|9=06<6xS1g<8}3li zst`=HjipWdAq(g_t3uK7Jsx|}Sp4$p+WGU&`>4ckfPgU=H6MTfGN|QRsJ{0C{dp~-?nxe=J 
zYY#s^YuidmvMVl-@?%%vSyUT35vygt+pgOn7UwcHXBBbdwaBo@e#U=K0=w~J8x>gt z7&-U&P2>v~%I;oU8= zXX)E_;2+|9U2yc==kjdf^IQW8z3=V$geQ!*r^>XChjWaU4`Ofk6NEIq3zV+ymxcBg zC;c_xZ!G_(RJS#bewCe}`v~FMyY%L`UNcjj`+dnsqtMl%BWm^!B z*ZZ}Gcr$_*TyGcmF)=RDi(Yd##Jj`xSEu(EJ0}C@)q7M!e~OI%!_U*(%UtifivF4D zcKg;jk}Zv1*MW#Kkn!GBqN9dci-Tb6rn*Jb36unKIu7X0@amYNR`YUH=TN`he~ofS z!294l@C>r8+U+00#g@k_^mTOG*285}LnvSO$7zG0>)?V6li=MKXl{Oby9U!16+mv! z?Q6{2l7?a?;NK*cKJ$lVR1vrc)U?4o<_Bn)FuZjc4H#-gVKA&)-`l^m4~ne=zlRza z3qh zWFHQn4&0hx1@;6w4l^%2_{<&&;x>=@E@1i zX7s>ZhXT)N8PDE-oc=050fJM<0p|STN+rp)o#UuVv?3^2aOHn_*C!iabCDyPN*&}L zZ^!!QlzWqN#%M4WiHZ?}SNK3m{B|*ss#rQ{ zwX!EBtFr$+HcO+}lbZHCmkh@iDEjc5UE`XbR6};Zmg85}pkP3oGM!y+p;n zvlmwCy?P2USAA_#MJ$VHd8i1!xuN;*87Rlop-@|n2&pQjbTq?eL~;9P1VXL;M*D{B z&RiO7sX{JEmX4ATB%%*^J2tJV9Dtm)u|Gd$V`lX3D&lW>tQ*9dO!}C@p5na@gm zEajbCS>+Yy#MdfOLkRgoOv{p0VG-rsU!p=a{bw+M_N*Wve;BR6U4>ZY{0sTw0E>+X z%wO}%Wk>bHf04Y;7JI%u+>X#O4rI*&ti|6PV9>Y6W)QioTBy+Tgo8DIAmx)qV=PEV zUNXpq6dGe{%T~zZ>>G*In$Fr1Zt!ay_e(h}7Scgwhru02Bw7OvBks+6s0?Y{t5!)j z-1?H}xK%T}e8K+-ip$z)ZQAYzcV7#=d^U=wT339M-~1BmCato1e*VzQ@_ zW)$R-$kC8or1p;3`u3*JcyezYR-8iea;u4759 z_{YV^4vZF90Q^@GYyxg`@4|Ae(gsAEc{dGl+#5nxk-t*?kzLhpsZ9ArpN2P^ih!~Xw{nWFGig;!Zsbev%*y&sS@4|Cun$F^r~-9 zEE=Mv-(k^*VWK9hD@33}M116yA-WW!=w%USfBo%n;H_4J`C64`CEOf=iJ_w$sno!& z?iWUfaocRAdXJfhuB$w4bIjrxe%wrGGfP8(nkdr3$MIX7G(QbB=nS!|Lwzx{EF_cY zzTDzh{(Qsa52SD8%6CQ+vDDV_q*&o+k}!6I7-&#t-rNcT_ls=*J3e>F$KuV>te<`o+2vWBOV^{8h3A9a zy`+xlX*2BrHV)|gSS&W+PLLku&}W;}N9giG_VUAr|6z7rhhS>d189F$xRp8K_m~LV zM#xCBjsgNzp%CA!jstie{&9frR(|FRTtD_)cfJF0V!O;E&ZGDHdKvj$7cN^KO>g(Y z0iHWHD+X=5eVsbGK1*wQ$EP{4n~g(j9(iq3Ee31|7Q_vXF+c0<{@q%8&Ed@OI=wbs z^*N># z7`tv_be_F!G)CU9Q#3T6fDeZ?X?$l!c3C)p0VWT1=krt?KfuxO3{l@xF^-;wjzvvMNYS#FU1$t4--?F4&UGOL6KMR&-z{9mo{eNercP7>)a<{_!>rrd zd=GYb1vjmN?Y6-}37?EsLQeSdrvkU&0x0Qs3^GIaiUqYDVDk;Ii*ipQ`9cU($P^0^ z;X_Z?|NfuiryJ$hI30}fzol5ELn;C>v5k3m<{Hf`)aO7KWpZ+Mjf{4 zp!~9#JXK7`-*#CVcNtNKj<5a!b!mfUF1N*qqIFfg0FtK&Lh}nI&b%d6D!kLUNn~20 
zbd+R?Jc>t#lobS58C-^9PVGOJ5;Rx@G3gZL?zO-{D=XoEdU(a;bOI_u;)oRPYZlB;QQ;0G9$V?>Ng2Jt!eUt1UcPA~{P_1~{Z-v?6GRawAM~ckd3Ok@K zRa5eVs6xn|Y?AyffUG9(}n~=~8Idtb@c@bSh;Lh)HKNT-nhx z^#GBJ$%xw4WxX8Fz8|cDjl7WU3Dg{270Ka#%xTvFDGioC*HMEy#XnE$3cg^X#aFLE z?eQ5CPhL>;pu3hH%xyv@Q<5uW7}sn;NBB!ja@G)68*VdfG@$Dg&Iay}1;ZPnxu+37 znY)-^WXKF?k_M!61qSc;CPWCw##x!gqer39nfwE8; zel6Lf@pQ|>Kzjum_YRoo8HnhSpDfJ9opTOT_-346{K7BU8dexM&e3Qy>UT`-0vO>X zxoX`Y;A`N938glEhF7bNT82SMoY%|S1VX8>9xc5Z#zmQaZ#Yn{Aymo z&i2-{-Oh2_EXDLMRurHf*$7zPIc9(8r4gf zjpZvrwBGWwWU*4wgE#(ogd}cC2t1Yh*X(}ULg|=cp7#VEyc`Q~hEskS%;M z5zBA4pCy0whl8vKtF`bwqTxz@5#t@Pz^#m0nqhMUZ~xzliO;eL@b(|6{iZXa`wxI% z!b?8*o#l0lD(@?p><4_QQ|5rsI^Z|phU9SJnFO(rEHcOv^VJf})8sC7qM0pJ)OwTK z&r#KDjk4=dyV>sErSar-;eGtFf-)2_$(*Fqy6zGRtjY4T00%ocKI0tSM32ub>s^30 zo&fYv(-(_%ptFfIA(#2DC&_jGZSHSTU+=5-<{bQ7`cwDSn5#Q>yV~jkavB!|d_1^r zd*9CWEJ&JnE9#i_$S#{f1&<4n_j<{ zvp1%+kAaPF-@V0@x~_}T!FdCU6}>R9p;7k@kZYO88|~==xTT>qM|P6!_RKh1eRFv~ z_;Lh9hJ8OPli0armfzk6m$iuPjBUM#UbF$7KDo4q&wIAV%$7&hD8S>@rK|^=@$wz4 z0|GaH1{W5C30MK(8ESNJB>16;b{(|2^cj;`Mmw_!<3RfTld8spJ>JV8rDVV25Fk@A z>3yIyeu}iQq_umZ!DkHdIz;+P4`GNbSdg~G?sZC3WyQ)$w)RbH*!}|1& zB@B4lKDvQXbN*|vlZDHeROV}vy7}(cq19tvsnm(q*MG@OD@tOjk)&LE)@CrJtZHuY zo{Xta@Q+5T=eWMPsgPcZ`3JVlb3~9|74Z@()lK2q`Z6)s)npyTe)T3Cv+Qw7dayI^N%SV#S7MTaHs%ib)tz3^8 zUo@gL6Nda0(d1z3%nAIH>BN-FdZd1=unszfgowe?%q^vOcwLHJbsDQY`diNRcIUwfG#l9g@0{5nhpyPq6Bt-hoRZV+m%%$S@g2RKl78b z)W}b~#G+=pjo0Jv1+i++bNq?E0)fp*i#BB~&QQ={$g?K+RGIHGS;V zGwsE#y#n)|Kd3?fgQtzEA3KRbc{RwY8lo@({e$*S%H^WAkShATPrM-TgremO52ghGxZ6ep0 zlspw<$vYWTA73EOGh3`bvN~9V6C+;KXS$RBsp8yR`!fvLVk;lbi+A)--hMuORyImf z>vsiQi;H4!|(QQC_%Z)J8>#tyIQq&U&^Gs?YyZ7d2ZLMrjY1({dogv^1rqlrXtev11-{j})5K z%74~MgMyu)q>%)nUCUA`@Q-&bY*?l~D_*21e;qmEd^WL#`F?$dk-2Kya%w2~k7u=? 
zLlPK8Yqx|5wsL3DT%G52@$(h)Dn4T;@?mdyP=9v_#WSdypa+?^vONU?- zS=gp}mv2?wNXc6CQL^fDd7kAY=reG`lO!h|j(WK(p*uQ;ebx6_4CEfk6Ie&!N(?(7 zxlt=$M2jYWcPOz$CSGky9_l3wWz_3s?v{ROg(}>IRl{cyo1_1X2FHTf)b)DpPZ3f<$ZkWyRVQ63rc|6B$`<}HA zwrMvz=C~2B-n{c2rl4>jgZ!^-Z~(Ws-CYLVm!3tB#2x#3w^w>$pS@BaDXqK*vd43w z*Y<0C7HLb@1SZRoQO~`{%MJqg+kLly9ycJD!~1@U&(PAa0hsBo%kJ9zGRdHqLhr8l zu?XpcF9$^On3r^=o3!p$!q!~X+dax5!2=KF$^=g%Z`};OcGBl9emb`(D*=-PY}XA>z>UZ3}QN&s^KIoRwzY+q%an z11if8N3dORSA0UPmdZrpImDA z4Dwja?M>YL>wx_X(AM|(H>U&B{#fb2?>zcSK+?M)Eg|5&f^1WFA5cG`B*O>(R0@Uc zz+^&0|Jj+m{n|IUC84qVyEOBOo$PJ5gQ3kalF>I#7l7ISHb5Cuylt1_pu_fPYV(3c zKC7Dw-HDK98wiFV*PAnS0|s&GUvpEol?y&|_Q$eQ}Ni)@P&SisTdHq<1Grs6GDwoV}c z_|?GSx1Ntt0~3nAY%2->>o5xs?iBqfQNJH|EwMd+15Q@JXk#{cNw07|q?vP{>#{xN zo3|k!w#0Bkl~n#=l)v9NkAJN>#AD?5$*|yBsbR>h-}ku^2qHm83H~L^KgBArgY?X` z%hTpNK73ha7~6SbGMxzi9;!%|(+dB`{Q}73#+yy@%JEwS`ldKhlyViaq{&9)r!h+s zFSW^pkepfao8pDQ6;BRjmna6$c=~l>;A2C>HMM7|wGROqa{aI1*CD;ft#nq&;6FX-Z9*g>0 zX#RYW=hyT2hji9>Bd*5=MVEEN)skWnj;RXOCfGtOD}GYlFH?&Q_(yl9hj9%3PMOlF zkFH&3G#_XSu+Vis%NvP!^Ht(+&3l&_g?$x8ZK;*uzYS&vP*^!a&Lj2cGAmljIsH+l zk=J2#)0H$2{Zk8r=wL2EW~6|i*D?dV`MzTc%%O^Qhbz*6yko74JTK=*KXabBZW|ev zFR=Hhs?TXqMrL{{t4ROLnH{Z)5RGiw`g1A`o!^$SgiJ@|URY)v>E0@j;7z4^{YM6# z-b`1!QsXBZP_VTuB7B{W(lGoUo_QeeTnl|qwk8AdAIBVyL`<6i!h2d)XJ=ws#*5ke;y zIR^A7zACIanP>JrZRhr579^!p6`~@IcxhFD_aL&;tRx{Jf%TTwGR;V#p-D$6n>th< zf4#--rpg4Sb%{NT{VUpv+PNr2jt&{GtIiKSjC?~LYHPwQEO^FP|^JgwZ=#pHgfw1e~-+5E&PAR zEdY|bVx|~8xdXoW`{^>K)_2^|{@e%0(>&?JazOQedWy?Gne6)~7AJoHhFSLQpUDGY zei?Zi*o~1jq?WJMk;dml@{7xt_nMWS`V(WYuQ6$RuFkhSW{}F zsw48zydKth7O)e_hh*AI>pFaPxbhgodLgkG-cHd ztli~DnYVc-tef8>pMah;ubcmc0IF&ri zQb3(JWcK$?ib2_+ZJM_)S_1MhZ}i^4TJ&c2vQWHV_uM@&D|GwD-hDMQX=`*Y%Umc1E?He)Gyic+PtjMqho4=QeSddGmc=weBOZ>k4h>Z2-dZ zV8l;DVfy3IhJfkqJ??tbf~2^^W`qYg8%1nQ=(%dLOpqnu@rdrd#CHAG@9KS;ckTaH za?-kSpmgwuvS$i~`<9?hBI~(U=tTbf#-bPWxDd{jD>TLbJ~hz_`bg`2w%82?u~BE= z=UiWUk1#RU3E3EL9Ix7?ZMgKi+^_+D^)$KbIgaB?fHFU(3p_SkUjGh{PU8do_V6vP zdP*E&0edTK;XRJP>E-P*--8q`Vo*N`m!9t}g2&bKKZDQ5OqdJc?Q#D{+b3&30(3n& 
z!8&x=?u~D}(Gvr6)MBwy-9cbR@Mj|2j^o3pMDgiy@YBEpCT%>62fowQL7GAEUMRv9Yh;^jNK`A+zPMsRLS0&U}15& zVPl7MF-TioIupmP?M%;lf*%J73AaZ5IFHS8rAgAYKU%}d*@K50qj4#xuEy(8xB?l- zQoWHF|KU`Jv5y09tIZ9Sln6CJUu>~pSlGO>rOp!djnYglvHrAOTo!rTdG*%A|_hjttXbb_qsIoZMv{4;FCe%(&xO#%O4ecsSS6n_1>14IhJMRLctPex(Xt|9cT!y!j`6M=-{NF5Oq^y47r(wq>?!ucV5P`H#uB~@W z=7qCS_@&Zk6XsNHwJxl8slAMCn^w~~MbAo|ELA%@(<5c4G9`i9JbE{3CAI+3p{i8q z$z9V(d`bJ40j8r7_`eWl5X#}v>ZfB^L(J^=OTK=pr;?Op-%;s)wByGas-rmIo`s-{ z&@SVMw^}!t$SF=}H)%sEZ~vgWbDeDgVl--SN|^Xd&K$Xv#K9^f|BZ`QALjCE+)H)| z4!Qr_ZI5&0j#l`txOFj*x~}I65l}upf529VUjp303V}fIN7=|XXg}Hy3FcK%fL*Q%=Z?4yEryz#EAtx#rFiP<(^jRH|2@blHGV&c^iq{WO>dO60;tEoRFN>08q zxAReg9J-_;Y5Z|5Ou9$s_kvaFIcVhLtLCt)6PsRSHwYe6x-M31>(OLCmg6PHQp;Fb zti5rW-8m{t9#{oNVTn_XGFDg^T=_c1%g_zK!Z!`5_;kr&rb=&!yP}mWQF7QIwox17 zmqdXgjwM^&=FtmK|7qkH6&K``BrKGLUgfHYXJDrV?EZ^FRIxi6szT!M>WnKvDR*IK z@<_5Zj(7VilWDq&F@N$e;5ApbeAUv2nlzCTA+m0k_JNPc;A=Xb7?ckb<1h4CY#K>9 z)Xr&I<$6-~WU(CMp1R6l6Py)cdOlZFAe)J<9g7N}LUZ6}R?=Bjx)r{ndx|nJV8r8l z+Hl@~3nT=F<^=cwjCh1R|IfJAdFQd&>-eMfB2lm)6{06R{f6Xz$l!k;GMLt1{OhM7 z#q$ptT(e#~r5}C=AgZQ5Z_|Gbt`>Ug^pRokac##$Ywzv$9DXJK#Dsujd%ey@+%~fT z(0_h>BnG@h?pLANKZGn~`|g^1>hj+{X;g1mhHzT(Gp+v92f3e*gLTj@+^?2US5D`V z@3-vS-Y)nFS=!z*^RwR6& z`i&cBJ33z6xSY+l*~)wBt$RUz>xQH*7H)}6=c1Lrps~X^fcJLyj%C))GTrm&~XI4Z*tG6lkGYGV@P%S&eOcVxvTc^6#f=Xm-{{X1;^VG|skl zgY2%;b!N!P;a#lYueR%fQH72_Lv4Lr);^Z6wt!S&4I&leN*(4-j`f?NSNE-hu{n3Z zs%qDrLAao8;RYl{sO0VSx%J;2r$DC(pj}yUfl>fQ8WbpJlt2b@?VDC1*kiJ>J;Noaz=We-s zciq$W4-7E*j6gmByY`X3RT?U>mIUV%OMScd97Y)bn# zplW2)Gx*^!Uw0cYk%vOck|?v_`0(i=d=?XqJf0H7ramBb{=WDz9e*XDQ)+ zSiwNx%lo&_Pns72L`Vz~eXRU;M`hAo-%bv=ey?3n3!Y-}6k}=eQc|A#o8vcXS*JDa zNJBH9DrN?2Lg9Sz!zaMDhl2CfrpQ&w1|~VxM9GimkxA=|lyCQby(|r)G#W=eF*jc?`jXqk>*Q}3zhci@&Pmve&ESm=j=>B8J&7#$5qs{pH6txpm|gkX>J zP3y4CPUdQcBL>w`xvF8JX++&i9zYL_>;m)ykgkZZr(Ql<@@qqYG$e2d(oBRMW{Lg$ zAJ@4{b*aL2)Hm&$8-?ljp1FeCK!pwE){F(dLDj5@KYDZ@;S)vaivd|>&EIFrH9AsH z2AySsQj706YqQ1be`Q&zGC&E$=+&KZuE}a!Nhz!2uKmi@l=e)$T=$>dfm36eBo_x{ 
ze7UJ(j0x(poaa}PVl8H*Swt4D5W$o}{^c8ajsgl!WbbGloWKs2n_yJ>Q=(3oJ4Z8Y zj&vvC{maD%e;$Rs%t#ETbgI*@iY$VHA3J4Vt)6WXRw>~4P|%Ay@lB+jH-i4(V4)RU zgwiKeboP;>Xd^9blG2*7h`{H;V+2%$}R&0=SFv;=z3yHYlsmz5?U5v!7 zhj{OyJ_(+Uv(-c=+|$u0zl96Y(!v?}`swJrjj^_PEu{&Dw)x1d?1`3UZ=Y6AJ;xKo zUdIa{h+xW#!FZP+ZbQ7()uy*jX-DUcG;f<|go zaKkXF*_~FLR{JwP9t-m94Iou*`oz=5j3^lxEX=g3eX~DyKe=9ha1uAqvBgtB7fUX% zeVLPXKh>qL4yln?-1o9RVi1UILOj`d6Fc|pzptpN8-4#yqE(ESWapX>$8Gbt|V8&5o`Bwb8nx|K%7FhQtCD!Om-NHwIh0=76BBtH4$U+ZV7P zFr(%k2(DXr5L($w3YXV5-*R2_K8PTgT6r!dIMm~NoL)7v_zt>l1ZbPJQ+2QST#cr4 z3z|-P`8v6_9B|9OUFhN3*O}cF)GH)2c~!XgmksZ%2|U&}KVft6pFGRiLx=*H{+yOR z<}$eZw8&N1mNMwKz1}_!SiD(QK40Z3*#B`nn!M*oL~M zQz}fh*IO*Fm#$Wa_g&8WMT^f|8nSw)a?5Sn7K&TPQz>@TAPK$p(f;M8ug-q^BV!{0 zMA4(yddnb@=V`M(y45|JWby)txv8qJd&9>SlWle0@O0q3@x)w-9sL#Z)T6NJ?K-Ft zy<#0tWzTEmq z1Eg~5gCDZ^Kb{(mqbopLz;S0L3Rl~{hlFK$-vDafThCHP0%gQqKXh%Fb=o_Qx*iU%n-FwxxCo!#a! zB^5GU2coVZT45aP5H@f+fu_{I%e!X z4w_lAfET2LgeRw%Y29{Cj0mWRN_tVaoB1U15Ngi`bXO~%Ty`V4pP6+k9&At*`q{?V zdXqXPO|yeaEqM>fVVY4r6+J&Cq9z_tM)!$U8D^eqHyt~OSO1!-;58r?#YFhEVaZO| z1R7f|e^-XZsdGpw>FKA`aJaickkrj$z{0G!Y_pa9vaZg;f*_B@Ca!S$po*MRY>wb1 zSAj>V#X?R0{ww$ws7Bp5iet_SXO`>7B(*8ubm*ruR00t^0)9jFQS@L24H}M~aT~XS zWT}l$(AFz-xL>oD&|&;g&We869=lp;%Q#o86Yk4$3$lmrve_I+;}*1QR}xNiAfpen zcq-8qwbIs4gXv@H9N5_=OVI0CO5Z8jp04hwc-l>%Ek}uB&Cn-S1p9Ny*XSc=W2<)* z=_nLMi^_tW{(aTXrrZ%}8p@Te*1o~q6mQd)iA}>d6isb1m}^y?wdm;}PiBwRCpkix z8CN7l#cj>`>poLA;|E7p&>}x}Uyx=NhQ1THhmQ!O7$T2$L8~IOVj60*z^>G_iP}iZ zEc<%Ew%asRDMB?wqpg{v+h1vsS))jzHm*yjGbkJkL)d3ek>-aJm?vxU+{O|^*rZ<; z!r4x?5KxqMhdxpnj^h1o=SMc4xN=sowM2Ope}>iq)Uqh-dX{#4>4=*L^W{;X=%yhh z0f~vU@ymshw!FC5r1iorsan}@vQ62M7jYs#*xb3Izh(Kn&uIp^`EmN{{Os;0N2d(p z%=;kLC-tA@=JQPVKXSORaCRR)D#M-7_)V+PK1FazqG*qKg z?8>B4WrR{tRP1cp9IUd!df*BNs)*<>!#i%`TfD>c3k%U-JmxB`Vq0KTckts|`G&S3 zS{7I;s8AXcg=nQc(}TH83#24zu_3A3vs_6(!1^T3xJvfFQHPbkjh!1#-1+ztZYN8N3@GLKg%F0gm1B8Idh_@Dc}44W8LwTF7!ktGX}<=!{Fp* zh2y)#pFyh;5669tgq{J``pb}mE}J_ERqL=xyTG13a52El&+H=`%cSWyrK$rgU4#-9TT{s?sY>#$7QWy; 
zq!;ejh)KKjVx7O5na`YpF)X|ENu?5wa8We!gW?=#G5rGD&W z1PQ9jg#(rrY6SmcIo8G~%pw{3z17D#SPBvuqp0~b_GO5enWyK1V42Hiv7T(!WJ@v9 zKjt^fCbt3PnMBY9W=kR8l0h3$eKMAH{13(Y^tNJt@G6#>)t@CQbzB8ZV$k3YE?F)j zkkt5SDa^6(E`~lUvM=~faCACFG{NQ9GB$)^MIvcS*baHiXK{s0#aJZ#QXmc?8ns_r zb=f^&sM$BW{v|38-Jz^#rLKIQ1ox{wJSSy-x8djaP!BHRV2p{EpFo=GJBXQEBxGB#qGv{tbz*LSg>@&EtA|HEh->wcjO@@x+wvj75~ zM2CjY09oCSk$YWlFC_SbKk@xozq}NKgs|?>KtlV;D8lRt*`x?zAE=J!BPf@B>dI#s zpEa-Mtn((W?#=o$Wg$Mp_(hlyh1I7;XQrQ>i{SU#1DYi*x6!Ri$gTly`}>LqO|}=1 zUW%;LJ*)ja!`50zBI_6uYqR`l?+zLFf*3-w)xp>E>$d94M_HMWv&-h@;lANRlBOjQ zl6BC?crnSISqD@0ifg~e%t8;GEc|Y9Xb+OmFqq&dS zjdiMv*IBdiIs`X*<9Fq7cdO|aId?5*r=C{8ABz=>H3FNaGZ433)8QHOR z^||_ye(Sc&U0dgs_bISdP#Jkz0|=)fgbyAk2(NBj@b6{5;@sRaE~Q9r^#n(i+jKD0 zJuE~`TB_OiO3Ykax@!KIVs1I4881o2uAL~9!fVE)MG`k@A@e(i@)43$% zQ4XWt;=DFgUtJTO(Y=>91wq?`B*EE8uK{i6@N@bTevnV78O+phh#;!e}-m z35zk-+-Vu84w;Mm(F#5~a|cHkVC5?B%36Rw(K9JSnuDr)$-P-OvN(cURW0#xv<=n9 zEKdA(Ke_Uk=QmoNFEZjqIA-7?{i%-3OZhF;|4ZtE(zAHB(hsbu#AoBSFB?16kRjh% zVvWA>8{ykrUN5&yq%QIP&mn@}Ck_*{uudgADoM0l@Cl_dcD5`yw@h2A^xtAt?jn_| z%cZ7%qT%Ieu(deK*1DA%M;NCVzNjvg)-i6)uuXhEIlu>) znkt(YI(+&|MA!dkBrx_XYd=jt4o;CS#V~w8Ohk$FRMzYt#r<25Z)(8X=Xg`IPoAiJ z8PXbS+WAPuXT|P>KZKojhTB7?R`Aj9Lxwo8On6^KLJv_8*@u&up z4@3jL?FIIIN<6-shZI=m9AYnc`>k3W>=)zwJx(Fype!wRf_w(l)>^mmZOv4z zl*7W#gq14t-EHGwy6v)X4JwSDPiw+;w=H{|j<0M1Uw|=T>_K)>&yDX=6XloII*9!w zVZTV~GmMsrL`BcwuDCEp3_J%-K%HKhYOPr>(Datb_v=zvJ`ZzPNw^xw_eYaA4>#&0 zZOS)%m^kXgW`0M-zoR0ku~6%!Nw^Nz)~>_CXaN_KLFSseh%Pe}>(TS3)PH z$vQ2J9MU?dp5U?~Tqa8t4!A@6#1XN^DQ07MDopY<=AK~*NxdtWlU0X+x{<4I3dqX; zhl;BD5g_}13c#@}eI|iuC9v?@?&XVyls`?PBgM4d%-ib3`~Pmk94=4bVJTOduHoP3 zj7}}ez$o=pW|DfS7ZI3R1h0-UQ|NC=XWP~4OZmwd9u_}ujL6GV?sa4I=Y3hbR z>R!9aRC%8Rm%}#YTsVJc@V8z|3r!NLRHfQJTq#sTdg=aoyp#h%mx|^=I`tuGH0)Q~ z&ZQlznF%4nlt@qO*{i%FiUzrVKr7K1F8;6CCXPfkYf_4g3z4-Jc=AXCc)BZ|#)HCz1sS z<)Exx?8o-$X9_L~cH~Zk^ygL^Govu7WESL3uDZwwS?-2!T*u!JVt%o^_)(P)C=uV+M zQ-RzR2P#lxA<-h(TZazI`C99e)N_1!ZCXfyq#7F-=3`ZcM1B4f#z4qLEH-~H=0OojOBfR`nVfYw+q%a0HOBQYY~1;=_%+W^Odz(opwI4m~$ 
z&j~97riYX?$2(VpKx#0`;I9;wHCti)Jwh1GvpMHi>~S0#N&y6^04;*F#@zoF$h@D* zwZ_M_^G9$ev$6LCAdVCG(sW<=3Y>8Infp0(=UV6rBH8;9H!`1mDMT44h9J^MDe>kE z;Wf*yzuGd-UuqV(N;%_Bao-$s-|`s`(qL@gvCZ%0=kI1bcR$(X?(DWTTR1qvOWwLI z&kVC50(WXGwF(VZbe$RiK>r-SzidLwxHAiI>-sGGu&#!LUv=PQxPjE*ZQc)!U#srk z?$+%TE^2Ok)V=4e7`j>x%?7GfkefbkWCk@f^ZpF(?H({+-i;w|@hDd(RLj1Pt~_jK zc*@!4Bcnc_i6mCkO{~Ljy&tNho!1{p5D?vb>6}HjxQMH~==OD5cvqNNrxTh5fd93h zO22lxj;`4I)Jt7HUK%~>LTBeOGuqF;odhgp3Un=PUKIANE-ECYJMaDA=Gk9;K0E4c z11`c}xi9BO>(+0j9C4St&xYGWp8al&%cppsGo2s*fCd2N5U6zSk!)|smu)b-yT|Xr zb9|s(*WIlY)6>+fy^YCb{0}!3w^oxb*JFFT_M3f>ug${a%59pNfyW*?xPnH0-KExc zQscvZ+)cmoyi6+ZcAZ@j4S7GCEI)HE^6eVWUee6=d777r5(OjZdpy3*I$oXoW*b+n z>3Kw>U2ZzTTRcYM8l2UNJ$QR|UsfJyMyg|(uNoE#O$I_J0X)7 zn+C7ob<5(+n)UVeC~$mr-5H@b@c(t>3!(jCAjHpN5Aq@1VIgF*fr>8;;*SjHLUFr> z%E93>*&Bdeg?kdZSJ%7j)Hkog6KZ_zv67oS5J2Y%|9jt%>3UWXAvtSrOSsNSY{law zdQ52fXSC+n9Ini-smh+T4fhXNV=f^{qqnJ^3MwHNP5W+A`EL2M|3Ehr zZ*Yd~v1QBt8qBRGL;VTlV&8%s8y8Le>9Ldx6F6CrE2|P|m48Ux_XU&ubz?*?chX8N zqJsZBAG}L6n`;@vce_11KlFTjsSkn1;A0>kYSVr<;4mqg0U z;4f@_2)=&)lC^O^+c(z%v_5?1Xtk2YC7eI?8DYyoY2=ZbF9hoPyXS0K7-)n=MsRcA7~ zn|AU8t1Rl_e?`8q@rHy7_S$gqDD5?d?vY_D)_TDJ$wOFhKVs6#b}kGtrir9X$6*`T zB!n6H2}Kk?nbKqoqoZcdwEmRZo**sc5=(c?L_8EDYRBL#Yp^J$HfL0z@la+v4P4BW zkK;2MaitZ5Aw#P7v0N7piXd^(`>_$GDQ)vN-vz-0);&)oqo4;tXAD@u01}BSqH!_^ z`W+;Fm$P*5=SePIdEbD9N}Iph*cP^lN1MjBc=ipuuXItd!aCp0SNOi<*FXZ&yZUl} zV$;+f#=Im2Mu~jG&m+1fxC1foe~Yq8DnCLX|B!)@P*C?>wkq_byZJ{axy@GCka|OU z1?GL{Bzacopfze*BFpq0z}r)<_~e29$vPoC5XJ9Y8C84w`^w2&o-#?(ty1g9FdxZo z38^Sia*=pnTduGw(a@q#%vcj82y0tzb;TdoD)Wb``|RK-&)>kNMWRuC`4P9WN;`%d zhRRdYlE6<)1s3F0xJq(l*;S~ltz`R9?Nq_3`tzfu@{HkBtIK0J19VwbFLX#Y>UbrS zVvap)lIqcM+Bi6s-ksAoo@t9l!<;{1HKQ6b>|iTECI5tHlfp~i#P6}yxr~05QkXbo z9OOB|2g2j5{=BZTa-X~5kl_zd%|a*Ync$4yZD2B8`%z`i<9{Od(vod&O^LM>l4&VW zmSE*Gkax>^s_?0x`p`(^h`w%)ZH?FG&^E(rgH2kjKl-IRS9boT;SNyOD|G}Z8LX%o z0keZsAO#{gPs1>NI3NL1!^2BB_Oy_H82mX%F5P;#nAK=9aO=JC{wtDa&sl%b*eXSr zIg3%1LoQmfqUlDQZ`A44psnOMDR#PoZ>rV`heb8ns3@1B_$A@aWYh&+&eD?Ebj*G| 
z_UcBX;hV_@P~%l0a$9+FLAOzH@DJQIshls0tWM@mx0K3ahhT2BWa5p$(3^8gp5m(z zmC_prQnRgak4YdBK9orpAvzT9DB`&?MoTFskvmDxMr$S7t_93a+*2A>tD4)e9xtt~ z_|34CX>T>feoN!BOajgtqV=4uH_VXJp<2e>IPftRg&mh)t=bS67e&SE zHuqqwj+mjq5&OkS-KlX=66R#pBI&MOn(&4<((^`M;&m3pl9|{3#tHv#0h8eK1bK75 zTRgmlFq?X>18%L|>>#)A@WDoe`Idn>;8qCf|0I7UUkS0W-Bmas^q&AOh2RYwW{A+j z!Yh5pt2BfJx@=i9^&y)__7F_LWdW5H<0+Cw-kr(H$JQrs<>gaiH&76FO6!r@a)Uor zkmjta`~4}BfmzTz^4$AeUhq8`t*P7qtIHu1be%hZzhv8)_pSnIRN1`jzDBry1rdL~ z(%pHZiEaxAOnKhS9Qg7cHBrF+ev(m%ZIQYrOjp zgXi_lo0zW)Y-`)N7j=DQ@Pys7GUJVqwwc-2D}IY?T>bUH7ID4D`BpUMT1>AYflEiL zo4vIs95ey%XZjnu^lBgYntr?`yY3-{YF$Qs=X|fKKafccwUZr)d?z1YLEbTZ z<}3ldRxQ3Aru~9Fl699Ql4XT%4-mUTC%=0(HZGLH%gFxByFQ)1OHWvLyURGy<8Ow< zLJjZJPQ$ZwfajXYOlHzuxm4DlyG|in=TW9TvqPd@0lrl^!L#e+{Kjfer`BD;7c%av zm*oeBH_y4>N=J~88_4(r$vNf}BvlY{fsFTY%au?ZGyB^1L9Vd4XSC@c*grM|THYPd`aqWhe>=W|mXp>qclL#&8V-c!!6}spFKYWQE%+^uVb3RSl za=lQyJ8`Pn!JNKr2fF#lv}E-_m#`*f(XU?drxRxcEpN}q?Gjfl!xUh9qD97G^CaL#q}LmhJLjsd3Fx_%sOK;hVGW5gLipTA%}oUBR!B%t zL0<4BUSZuII3-|S#(9~rP&6JLvlAnw-QRZJE*irWfFXAv(TaxZLGsC}2@m_bCv|?+ z5xg(26S8a-4OVYojLqSWZY`Daw4yZ1bs$4CGPd;uNU%{~tsSNkQ4Sli#JlPaFl$L_ zqUq0Px-P=4LT>#s0Z-9|7jjB!z#T#!kjn%IDhl!s2^F*cqEK5`_>5AR$-J*fMVM6g zH;;3y>;QgFzcAy31v{66bG$G|df^nLOYuFFqVf_gREfLkB|mQLQM}1A#aQk;hF}tz zSC2UHJS8Jru>)S^iWxtCUA!Ha6z(Zc1Z|AlJyvaQUZOK}*KnyTu=UxT_0X|668K3e2weA%%a> zcrspbeb=M(lQw}G`>BLoXGpISV6jNHcpNRuz1E< z!`EdP5s~3Pq%?+dw#ubqSwWQSM$E}W2onDyllIY{sl)2YY0c;ih^_JmSQ1h}UlCRP zFnDQ;Y1D;2X*VfWP(54yvUjqH$>PhDCb=46$1_AOeb|P&qV7+18H;>%R3b;l5ZE>R z89rjERcZ1rfHJ=$%7}(UED*-l+p@2*x*HRM|294E6@WjNXl#)dtn90vFw$~a5auVM zu3e^txn_qhy(%0-Mis*)ITxKmG?X_~oC)dYC3!~E$!ImfSpaC0R6|5Gw@J`GzuX&6 zsoy5XO&s+j(EX-s+#4YcmWLjcnn*Pq9pg#=tD25;8*yMdnk6iMbNHL3%2I1(OwOlG zYH-ph9W70Zg?t`y6zi3q?@o(KVbL|uYKRk2CcwttxM8nBD*nXJ4maITH+w#9=d+Vc zqHf`8MxZ?3?Pv5ft;%Uh_=->p(#)XOIEw-KpcL~_oBo1vV^<_rHe-)Sn`3s6Z&hp+ zuceVWA}OW0IoYkYW@SS1lU1XsykA)}5)`_*}EfB!@yT;x9nO@1y?mmK7#^O$5n_8_H2zlMhKNXpNV_#An){eCpg zal`PR)(AlPssZ)&dMry9Sl1Z-R`nC?;{yLJ5JZ^b>FOfL*Z&=LKea$K(>o-6VBbRi 
zlH&KHe+D0c1AJlML;Sy{o}CbnOHYGbXf{vQ z*Y{#b+i+`Jbvp+i268_Y)7yC0miJp_0HEIV>0|pEa8hQ?4Cw+1dk=0#ci2`0L?^f1 z45)O=HTpu153e>_UNEMaq$(W;9s4It=EA9ts5rsnw=W)#>)iufGWx4L)`MmrlSa%E?k_C(U9MLR?#EBp_i*oQP`!QkVi)Q* zb?8S!czM_)e(YN0w?{q>ai3h-UDnZ9c8ffEXU~4!R4_cf^s(oIwYCAB9!AGA{M@EvDc$?k%+L&zE|h+mCk)xE&rtCebb$ zkd5qQ{@V?E0q=3iF?Q_tgEQ`@&g*k{Ynx6zkM3c4fKxgNq3=Pn{ab+NK(2j`j z9nl3;7$kfCUGx1^$mSly^--+&;-PoXIQ08B@MQ>I;Lj$y(DF&k6{CjsNp9ql{$K{G``f{Pv~Tu2#I^}?^dWt*A(jPu z=8q~}Ip76Qb`XG^s=ehpd}YMqK6@WR1ewW8rNp79d$z1?`}q-b9S3R2Ku#mpl1D=1 z`L5yQ6ip8$scZO;JViyAUmkWeu&VT)BmG~cJmsuS8z%p+vP`yd8yu8R8Y~q~o7t+E z9V*5X)I{8WJ;@qi0|VZ_7f>r!E12?Y&S9}24T~#1T6WRw!nBxUW;Q5)!8b-K-9J}X z%SPCz3{(6hEE-n;iut8coMSpX>musq(zGZCtInJ(!hYcdb1`rs-96;yWFtl@(RFE7 zH0TQupMI9bq+N;;9h)XNK}4D%{1jP=ARo!MuslKvs#Q5VyfD`=LRJ*a=ON@c4CXoI z!7Jg5Nyz#cyALZ$=M6VX8t|R)D z^Zcle)r_YhA;3CDg40jExiU$$opBLMl{UtEkgh18BBN@%kgt-*2lx|P##P7AMW0|_ za)W1Y|H%P~Yr|7BA(Z~Fx}_{zO$B3%BLzN|4qP0%Zn7LEUjIs1=O`jkMH=H- zehlIOj||miL+{dbl>!X59{qe{6@1Zf);t?&z@Sur98$9xeLQPj@D$fv-b~e_aL|a6 zXCrCgGZVGzsThigG9J3(#=m@B$$V!vQP8j2GPRG5L%Y%MYSitn(MKEK1Kh&2;|X1D z;t~6N7Z_wE^47xx=_#RMgxJ0nX&X=bFPy+j^j7#ru@4B9LI{*FsRY?|Aa}8lZ37{Q zRzcw*1wbe@ha zR)DIZRGJtyC%dGmAZ2P7u@n@aD7|byQPWQDH$%(z*!;Jqm8k|kVug9f1-C@+9(V-G zJqb!nBQvgnPbA?+-y2+w4>1gjlqOH(C%!S}+bEO@i%;7>zFPWB`-O`$UqrA_2B0!@ zDdx#lrl-AF=FXDm%MbRk&9y2utt!>-T(?{B`*d!gYZa z)U{SAl99c=aXDd3-||$T0{Tw)vt^eyyJ%Y$J1@~#gi%9E59Ra$ltr8rPW&0S!nkjL zn{O-Fqju{nlKen0XM`lwMuaK* zY^Zoj5e!Ff5k`0f+=5ep<0n-7PX!-_00k|#atlY5ape@$UA-Wl9On&XISQ78_DE!{ zXX#dwHO4Z<+;?qY;@k2sg*dqWXDIYmx-F&%75y>RGChhW*tK$ydG) zgIVohP+)~HzBJpUVM<;{m0#mOxNRrmlk4ZSfCVK5yu+_^z<5#X5suFcs#c7gO6+9N zqWDz2M%Ci{PU6WeC99Zm(&DkuG2%HtTmwmk7rbd=Ob4y&F1|S*8x@M}P}?rcdc^$B zpZZ2-QE9R0Y5t!AR)Lo{GLZWi_&!3q{@pl2cp)oyXm1~CwwE=dkL>gFmybLC?vIOV z@W-cIX{;e>4Dc6_&?^x@{VH|Ie#`pRnakj|d5zKi<&Nf9-J?-$@QT=dIg_B{ZKKuF z9@5?6`U2xl;sPYU9}*(-LxZ@Bn%Tf0u`>Pn1JtDzq1^{_-F&;8~1DV@_^Gp zG1iM~5{~MX!x`7b6!)7TA@x2Y%T?%NF6;6L&P z)xAGHX*p|jI*yXOH8XkNz&fu*GPj>k{7#m68UAk3<#X6E=_X{f7U15E25x=<{;35u 
zrGuR|^3gWmTQU!^J02Ic4_3!}=j@*Ey6(YSUX~QD?YBj! zNj7-8MjSK)8k{=5t`{b+*tY6bGwVg_)iJraA6THBxAe=sVlQqUM>yMegZgH&K5*Oy zk7=BMgDzY~k1Ot|b-QpH9HD1s{ubw}t=*e;+8%wIcN7DivsyJ`8~vO2q0Cpw;w;e6 zliYydET18m%eoRg9hn@o``*{uzd17z|H^dw24MjMR={`C?_1{o>nLMG9G%7Co>!lN zF4VX|znZx8M!2$PKImk(BrQ*z=MeMq=?PE|yT_9Y`fImH_`Z-Jokl`>k+RV&=RDzf z*$fBNbc)A2re=5I;8NUNZ!o^Mh^-x?xNtAgL{J}s@>{u}R0Iv2x8A5YcB^gpFdA{&m; zb9R$I1JT{8#R{e)iin;47k+QP~ma>2L(A8E55+R}++rhRpfV2ZB@?6k?S}9{AAJL#;w> z)Pz}C?gF!aNu}&Sd8npxNu~`nz^T*B&DXc)r8Q#dV@SP!MK1GbT`!cH(L4>dDOItR zEd0S-tQnCk8F+>xDr`-!kJeNvPRSrT4@@6mDfEy;`;I~_m>Xj~=JDe}Hvc?@PpFK+ z7-KDx1*pUu8u^_Ho`VO8>lCHKGC1DRNR=$@8R!fK(%b_mCZyAIesFDo*&oqmLh*gx z-z;L2(xTtswG&vZwHPNHWSl-^9Vv*pnm`K!Z{ zfE>z)=v~?N9Nmr+JIF>gB3)vnNdGn?mHw(el1UX+FUUZ`{yV3gTDhzCi6Xrd8prvk zo~8Wl2*b(xnHte8y4|l$k20 z{y_ss!9`Yz0X8`z+tDQr`sN`u#Lyc}QE(MZHJy2h&MMk^*0F*GvT?uBZVS>W8~k_lr7<8PEk@{OI=QobFrWw~L0z>&oh6LW_ngvVFsX^0@zuRUa2gpAjE1Q({yZKcOFapPxvy2oZM?`O`RdR>UF73Y98 zQ|`;o5;;I%RIkYqF7e+2K|{&t>kb14h}9nf0Azc6;Jf2Nc%R4dM-r@I*3bQl$L#lj z{%%ijKpeY5KmiNVhk$i9KsMOzyEaFyzwX_d4lwy~^(1I(-C-e=K+o%n$#ZA;lKF5m*>b&cMWvc=>)8j-3e$v z*_<=Uyhi2K0qR-NsAzx(?O)mZJ@~Ms6v^LrH9m%0cw5{I?k65Gwhm+_W?y+f2Z#Jn zYrh@x@pXMQY$b|%9f~II0JS>S;tDq0?11W%_zIpKF1y)^nYthO?W_O5H1@4?GYf%I4Z=!cu2xOP*@gaC zfb*>@mSoUE#vwT)HOYFni$<;RzD@HeUKNqufMq=XF5hMFtZhGgdiP=ekTT8YdByIf zex$_hE(0=@~&q`j$NSA#uxK zaZ1X5Y)igUYaprJx)C|PGkf!@=T2pH!RxZY`tV)IwxQa~?5BJD(y7kHb)1mtv_ z9dx;U1Th)+4aChx{&EA?XMOBg)j_;b&HxzLOpNOalUVr@=MXsNI7lGRg2ItueR}q) zXKD1$IDP1k_v!qnsHr9Vni!>N)n1FtU%4v64nLxP^4YA4R-w)oZnnr-R;V%D7Y3)+ zk&ahmxh}$5mG#!>3j3+K#4#r2>5opKD%H+SHmOAVryQP3W*7K0QsGipVci&UmH*Nb zqZxYpdmRo(TJ~;Cb^Oz6)Cwouv6pL9x*J9*SSH;tU7j7M;;>Yf@&yD_lrQtSkS5=q&u?Wz7OYjqiAD`2nALdBiKW#raf6e_44x zBRn0|4JGOCDx|0gY+JehPCX6ve+!c?7z1(eWqGB$C@!V~i(#N}XV{3jI2vujHM+IhT+l9$VyfxtP(xkzfVTbDsJwr<*Ge-7Jvp(_ zJA@09*xvN~Q@=d~{XWRnR^xx|AC?W*_ozEn>(`Iv&Wbn#;TnJCTLyQc@;Im8k0%@l zP_&6yb@jWz24~`v#uF8+$S$6KVn1f&6i8qP&w$&Ty9i&_jHQ!dnnUCBAhC&*Fu-}f_g20>0GGA zp&X*$jHxoT9^Zys0Zs-fG3)1ul=Q`ub4_?l&?~Ablnl^ 
zT7vgfSk#!YFw0kZF=lWnxUFGOsPOr|ZjJ$r-nYP2V2jw7ZdO$h3}y87*;PUkms9rg zD*Z=jdEymPo?dGoHnE%wUzUGk?*Et+(K1Kw(>`2nd@7q(9h#mSf+GX}a>0 zZKI13bI6Qr@{`y*d-C8YL-0OxPIxt(u_Nk##JZu+H#yN0=0iuS*C{6NHaaoer^6IW zr`fiA`Z*ba;r^4UPDZ&*#o>vLRk~dL_;!$otF*MlC6jy$j?s7GAe~O+8;bw8BJ{jH z{F91Em>^NEJq6YIp%+Rcc^cvb`B$!9#Y{5O`wiV{n4{t@QMWnERjW8f8mhc1i5sFK zAgFF*=lk6R8}Ppc(APt^TYe%`eN#5X} zKa^`e;y3EAUqU`cvxGcHh^@0F`YsF5ly7@`BaGP_moWj49p?e|7qw9H_FjMbv)8?y zE}&-g^B+%DEs_l>$khE0 za(7KDd2Emj=lR$DMgwCsO>BXB2UpLHEfUW`phgyVaSISnCu{zP*$wuU&U4-wpz}~? zhSh>Q`;qz898`(z*40^mhO9t>b>ZKl7E$Z*G_LLOLfCuSX19oGdsS;cd|K(hzqENh9ZaKJbJNBwc>UWb(pp7G zbI;rrtP>5-0O@$>-xyVm*^CAFhPoPbZ}(l;dmkBJ z;g4G;ew}ZCmdZ+I($haLE(g;<-tv1bA-`<>%`Qc}&6H8khE0w>&1WUoQJz zRO%ZT4Z_>&yqqMu8=SVxJgil#WY{x8Hu=gU$8Zg4C~{4TQ@ty?dxanqzrVs zj{HeFry3u1Kt&-Z&+`E?4*eR**hzxqy4k|lj;+LAId_c4$ip?Qsd{rIXZnJI0o*6{miN1_5Ef-?%B zelY!T_Wqo!A1DtD^KHm`Lixi7^of_s(e_Dvch)|SaJ2b}@6x-s|3)hTvO2J7yGTnw z`9DN`Q*Daby+qP}n_BY>uXV%=8^H8s~R_!|bYy|2j z<#U`7$`UbmsV7zFtbz&6)*MsW85}?>!XQI0{kDlmA$B_?VobZ76bvF>h2OPGsC9O) zJmDHx5>Gq#K3hFu%>j=X+{M#O*VQCf5OttPNiAz!ib2OKL`F&pQ- zm`<4F8_)1v*%vI(EyG86v-0x{u?JX6)^+a4#~}=r<$_DpO7)jNWFmdEPs=0%IM+bN zmnsGl)qwG$`-Xnu*{xm|>eSB*ZBsAtV1?RT(C5vo0loY61zG2wk_b zJP=x}M@hX>y3;$A0xjVE_0MM`X;FY3C5_v!W(%j;mZVy@v2hHc$h_D z>MmA+#*ZfJ#Be@$5G2uzIL*OHX!chq&dHA`OrWgw?w9_dzk7xH(I|_Fn7Y>W??Tu* z1jUIX*fOGESIPqZBrHepsNx_W)6%?wbSO{{6SJ2~pUcQkNO`#jbc(kvm_fe*1sG}5 zU&>Q+zy7E|VId(puv0{_!WMxJHOnQDa~`4YDog=$r!1q)o5>kbq8>FJW`Jb6>~NY$ z40){s`h5vXp1=#09f4u7Gi@QtBJCWvLHdi|b?k8J_~^9{s!7S>WYjH%KFb&H*G{4V z$BOo974oUeNOjyq^hVn%T36cBdqVRUuNM{junCnDp&msmd~>IMpsl|f%5ASbXqe~g(pUJ-X%s#B zNN5c;u@JMZyHlHP^7jHMxg*h^+_+?hP3t$gd2ts{sWPj|9&|btNoD;cv+lTZ;iQTq z6@ZYg4+PJwN`jFXKT!Rcf$a~q!Zqnt@dYO7gyJ&^9Fut_^93gJ3=<{>BbZV`$z&^J zc868LwE7n%q_uHWa3KWGuk3-Bh@Kcw0=DxM`?t=T3-{@_gSKpP^Z1vo51%LRo`X)y zQi={GlTD385KFhFin`CB@<6X8NoWrV7E5>K(K~BiMiKRm;D$1*GR{hnrc9M*#nfrI zjcj^cNPQF>R!5OE%w09I+DasrDWB$=l{*91^hM+vt)y1|ls`-3`tYO@e)`scp1)+% 
z*wdAJlm9!04PaLQ3_#M_-*g2?S_5yuqaT%bw?MrWX1c$a*D;Sj?}je};E;C|_(%1_5SbE=Z zSY!P+23w1D!&y|@1u*uI;pQvb+oUKEz4xZ4N7^xmH0)yrY6Ze4i1*>!l~u-O4N$!i z1A-{B)cBrq&vh+JdsuLivo^>jqvd;Xw2f6V!7E$kIVtjyZBE_2{Onotu{i|0>}x<} zk)rJDLaZhB*RjZJGyy||K!FQI)#VvB6<2lQnT?r+Yg(-NEGjXTAC*4d(>cJ=H@yG=btlg4qmI&jL--Z1BTa=Q28f4Q+JOjXl<0y{$D z%Iw>9FZ<6{=bMuQu;6j9N?Of%-}KP3^}N!vvDdtF*+iKvlLadR^>wK8<{yH{ebwk% z!|i$Ie5_r684&vBc(W-A{Jpw!9GLWsI?*$3xwzI%*1a2{vc3BxJL&3NwS>~d`c!() zy;=-^9MGMzmwCJ6nFqDRI?IRJUWNX`vwzp%<+f|WbAb(020H1Vk~2O{QtouWU*}DH zJxOR^d*#qFoW|1CK|$qMte;5Of;`~S9T zm^OxPQ>}tKf3LOZ)A>7c7v%?A?9($x!TNLMG-kI{b4ty<*7QK4KV}qFuaRS$$q=PF z(owM>A4(mCk_n0$0pl0%dp;U{;M{lDv4m;T*Oq`M%W)lzN|AAr6vvX z39wcq4RM_VxV3|GZE05J#&vqmznx68ByG?q3KDZn#c~xYKQd5~!5X0H!3q2DYf-4K z zhX=4Z-#=veq^*&pE@KqZ&G{tUXOY=qrrgsIZYZ7Tq$CA9 zp_nS1ArWG+L!=T08K_Nml}^W{B1QgSQ6XDne59sW-f0lXCOJ(LLp}!$9EEW_G#HV= zM>-DqFvPbL##ypd9Ej)EmiZQZlegG)(O-TEdi>q{XTSvPp^F2M{LdLU5BRglk4`$} zkpMGqe5=(#!{V>tI{(l=HmRFJ#=e-lYfped&F=6MPoATxQSKj>)v9RuSu%DbX0ftd zRvgzu$D2om5hwh#Pv7{m3Vpl~blv z6)|}`I?@K{ehCR|$Wa@)-uw2XN4QjRPos^*3hO@D)b0}m&msH6JehW*{3r*^q(#cq zX3oCU=m~6QAxDV;h+y|d{AEvJl9Z4Nhxq;@lT>SYGwdp3X5E@lV@9EdCl?M`RZfzU zhb}VWkH)QNFgR>V%Gd#%V)-wF7 zZv0Cr@1y%lave6-u}~|ur8IT3rL~UX7|cL|A|)u6U*?!S=G-54tbDN*NIcX2V&}7fT(2W>I9(quiVDxTiLbF0EdtUc@>Xzs|B=ZDkirJuh~M&jR^D{G z0lPm%_J4*2&YFH8-pK-WSHRWVlrNG`E|!F6!?&92d69HDrPFzcR&@ip^}uxd=DT!m z!q#nRX^v`6+Loz)K(NK@a#dPYTf*%kjQE(Vevmar=jqAvM&0qTZ@37j$M@o|Z+^;- z>B33&MsD33dk1g!+C@N;uBELP(TdxZj_GvF&BkNW^fc#{8_4n1-K96LWcSjyqRqty?gwl^&k9 z39K7k6>p3)-w~~c?4c-Y1aIfGFHXd31lz9%_Q8%AT<5;ICRp@OpN^jI+u7YS*c6|e zR^BhWzk5TfG+KKBmdl#PS*9*D+|Q`a{aq1(IA5RGhmUWInP?}Ot{-}R#w}gWZ<`CM zp4QUsZh)@y>JNO=uV*0a?sPfS4B)rqd~MT?ciglBZ|`IkK%o++=)ccRQC1G~t+$oL z13`e(ayw%8-yP?*xDxJWT)R7Cs;rLOy1^LQI#)OMX-!Vtwx{ge_8k>g+8@_k?@=FD z9rv_b_96Fu|6F@KrYw8Dj>bKcX4D;D2HbdBS5`g0^(DD{ws^9hJuYuY(JuidT33Vz*Nm95v!6em3zH{(kM@gaOz^Hvt)t-zUk&D<{^mxa6I~Cu|xR?v6!FAM-f7}sg~O% zEBGQcqkPW~RZcwPQv~7(BoXc+_VQ#>CT$`Or*)8dnL6Dx7MP?&&}d3-TtzKvtNJ4{ 
z&g*-I#4(vW%!|8N>R~t*y0S&H-luaEAz2KCpGgcq=oldmh+;Toig)l6!L^3q#{)i` zT8dl-J^syKBpI#agBNei?ys9M#Im)IEki5|(=pP5BmncpzzHXWOEEXz8cz)P%d{Ih zqDfhMP4cGf|DsjHhU4Zk#dS>Br{%nTs(w&OraMvQegw{wTVol0GY8 zk6iwIroVYWZEu!BH-U%w%Lpo&F`j(MYk^8igFi>wld;9^kA@izCh?G$mg^o;rV?kl zJcwv!!moJ)++PD>aYlrBLQBI~#8fZAr$1uM6VW~LLqz{oFXov>|H#9PzWlI}wtPX7 zy=#vW67AGkUhtX_QZq1-&_ua)^7z5}PrqswO^+*sHUg~iw~MjsCir1HX*$HHf#D`o z+F<0^U9KF%R6QIF#ROfs4L#;cY4(PbFns=`Pgi`!QkE8kC}B)K*$osDp{CNi? z_;Kk0kVo6f-^Ccu0O;>LfUL;GuUBAT&CVCp=lk0X5j@a%gxLPa96i{;K9Ufax7M=0ZD%b{s`Cg^e{G$xI;Eto#e`vL750b<`0}SJhfjRTPiXH@>;6n;WCrwNnC1G;Bv8xhM184 zX+a}rHas~-Y5E5!)N#fHlF ze4|CTnWJq!4RZDC;NmTTg!utw<*e9yv)M|KOe%%pYUCR@=ngcNXG1pWjIlxd)PXGpa_V$Ec(HV~z32(1#*Uk?nfo#Rc^L7UwIs ziRXz`vpF^ic`H#L;KLo=)@=;hd_-rU*m+a*6N-->7*zNqap|u6bOstp3zZX@oJq`= zk%lP>H8CyS(xgi$z-%GxtRT=G;xR7Ubt z^>FayLb-N^G8{@`Z?|9~D3m+MUq&&*f&=Sg=7m#EOZK-5^+40^oPsKz2<<)psN9t2 z=^$U^?#*z_R6b1p?-&LUVDkI?=Qn!T(G>&wjeMS7x5j|0EmkNWe`qiAVZ&F*Cpn<6 z+Y2z3iwQ@&`3?VJ1z_Lp)aAPEW%M1E;W6iZA$o4z`8MXXznU-DxNcoCL4-X4dMjnK zI(LD&rR3V}$K50SqQz9Ko9(ui?~6$p)l}1KXUnW7)Gyb_DbY2X?|Zu2)%6#&O-oY} z_bU-48C&}`-;+F!?YhI;T-&aA+)vNxi=E>`9ZY=yQ8rS6>y9iy|*A7M% zz_nmTj>r2%OpfC-o-OSIaNX2#+{IG$vaLA{^mg4e>anfy=(jO-H02hdM%e7Z{5;xQbX2`r>D~td za2Z5YhfJ1~jJtgq?2GcZ+nqTS0WW^`-Eq+tm~U5Ohr!qR!|h~phuuHet4n&{49|Im zc&3xRt{hK;j1x#ieEa(xUN=z9{iuW%I$fXd(*nf4m+sSk6Z40xZS{Av!+NMeR*XuQ zKX75h#LAQS%@5W_jofqZZ?hAR57VHvc65vRlVA_ zI^Mevrq|vBwmEb+tT!K5(mkG!`-0ac5)U@*#&x7N8hK7j60|&DQ5~v)s|ZyBAAIK* z8(*=*k|$S$&c3$$_^z4_$uG3q+42=IjKiX*o-y67BgCEWfv$?3+ZAIS*=k*91L|kK zt37Xxk7|eMLpJk;F93^c25+U?)MiJ^>QUI9tFIjo)61l=_c!k(K(`sNn^OzGVaWjW zgaX?cO-Yg>zgMPx(WfQp=X6#xI{@w<0KJ?`UfrH=-XfBaWK7EBR23o_j4|I@;rkr@ zisRKS7)8u}5l>7xG2$uE_8ZxOLY7nk6TYHJk;xRhN>*`T`&u2fy7|i#5soxo@|Efz zT#Q=*b!*vPgk?U3v07d5-LTD{1~haf7KCCV#g&mtb$kabs0?e1r6tM|0dbf4C3xvtNsRgS%fOON&O=xkD&@!rx%TRJ z4r{tVftkOO#5_*SW~pfYB!s^gEd&n4^9Bu{B8{S>xDv`J9a;j9e9YHXMTyq( zVM~IBI>KzIDA1=Jx1>U1pSd(x0a7Y|Y3A8dN&2NOSy7G&N^tm}Rp3++w|ydIiKNQ@ z;kg%HA{yl6kz11|#W-16Vca9roM8=X@lzV>yCS>gu9k^{)t(wv 
zwOjg5@$BOtsT8W>Gb7OUeHG78@*?a&;SMXw^~|1H~fkBE_cg;aM=C zibFq!mYR3UMF~X*6!C45S5tGwt@7X}_%{CunqNZe7)r>#<^GN%dA67-bjK`t9hyft!Qxy{4Y&9OiGRAG^#elb)Bx&aKz`~nHgAByE_#8Sm(Fv*P61|sClzcXsr zN@|rn2H(Jj3ycTISo@W#@&cG56gMTHHljpSu0(< zCYIrjPLJH}kYceqJt~wTdUje=YVtS@Iv~`YDqu$fy_cX(KmU!=6fVunSuRX$H;cG{ zm6gZ2)Lq7=gDDhAG*@PoJ|GB1;9SWuvw9#=!hD&JKg-Jg8{fQZQq-IUgqY%u2~Y<- z3j8DG$vNlU5ApWFOw(9Bfht0OetT>Dlyd!{rB|1@#84+ijzQe^djp4dlW=Kr0jqs_ zsREbi#j*erLZ%=xnVykUxe?WZWQ|4>S9$1{9G)>J#JDhy1j}y*vnA9i9ie3f{+!`Z zd<)AyH!??zdo1k>CrbQOnk2Z;!z1(Nz+HcRup*~0Q}A|`C@3@sCch4&o)OXfNhvfM zJmg(Hr0@V8>AXFXN2+K#)XQ|Kdg#DI(9s`wgw%!UZnX1xzerq=8^>AF|G_9x3KMBR zda!^7F9=<*Y_#dVr<&w+pYhtGQw&1G>BS!bGbPkQP^L6V6 zw_EtTd_Xk~#j5t5l9QKYPTizMkxCM``Q1QvC$y&JEZ|t73<_3uyYBEeIgfYDd#v$O zk85vT%+1Sq6**x4T)bc=N-`}aT9=0#0+{mTlv}&C@!&hc>+SdKWSWy>OZWL4 z^OhoV9#tXh`+WZCnQ)N#LeqZX7t(Q~x}$T%WOn3@@BeIYt4ox!-L#hBx!JU(ZfeEb zWkTOj{}LnPb<yh10Nl<JHBBtZhA~s zIlrF-Z#;!K_mAv6jiYp}-S1@aJyzc@3PNnUw~=4EmvoD~UWD(<;_teuT)b7-Bivup z7@UsAh_H|^wHn^z2yi*ub=<0&nc~H{!?p>7u{y(6BLGp6A7I854C}(^MDN_!l=^mmw6s7f41z+Jq zh%=@TS}SgiCb$yy+nI#FUkb z{qoSlUq}(`I%u#tMO*NVp&nYO2A`Oqf?L z6Et{f1b(Rp$YoMuv~JfL!G&Owfu|=#&nMuI6sJlVks~k4qgaKuh({p7{R;eH zk!)Fr1A`v+ss?l!oknC{i8~)%#*NopbQrK99scOs&U_XCdE-O*tK+6rWaaS@krtvd14%RP+eP{Wg zw0-uEkdJ>0dN^D6T}{5vm=p+!Y*Nt$nrOaeXTll^JBJ$pV+H zc;Z|vWngbCC(>$fE~E?t9*;4xHp*4xgMjfd#R}Wsy31L7Vec&H&TqfW#idIrm&y;R zqJHnj>{61(ck_!dw2OhqjXW$OO3THNNid_K%9dI8d1PUCWx8>XD}k`|Fo*T@H+*}u zzF7<&C<%(itzWD7wSrq!B>jG_aMk-itXuY5N>Zx^c6kw70Du5eGzM|*F~z^2c?W4! zl|~1ROsSMgYanc!lL(XH+#0y+Kz%8~{1PX*0(Y4Nwk z{yE*sX@xZ}g=23}+H;po_m08oxY87Q8N(CD^I+wdsqn?jQiiK7e#e+QmVgN7t1)^B^THV_b_-}{9fT$&$S9hwa&WX);W!cL1VVc91 zME4q+o&|r&tkwne6Pt%q?j5hr<}G;1?e8g!`3l<%-0$%uSK5a6qABSj&b^$?)^YoS zFjX~A$sZf2G^x(`;jRcr|A-WCq(N;TY9z>A_+gi17HXY4!JdoRFcKSF?J8TuHI%jY0jY+4xxV9Tr zVI=F`Al)=+Hn76VYPqkG-elK5Dpc$M=9_k?tytHN+S`&e3qDfT>=&B4JrBovG_<@& z-HxN_J_n>lD{ButaJU~&VL90@eCb}EQ&iM$>K7C-v>pqzWm}J1WO?^$d|i*Td)z%! 
zw>TL;v4%U1d!BMRMn0G2D<(hsxb9Y1X}J`2p z&5XxauThV~MXdWRFflt`uM!nr2X~SwT^ z3nayY?XfgYD4B*EU3EN9nphdptHr2T8qH$+hM={3UK@`j%N9y|aeK|>(}{T$)$wL{ z;&|8sW~YXBBrb}RPD-M|VH{6*ltvTRYPQjTI$&BCoDhTLjKvV^?V2;j)8aY9M)>g< z)tgQ+FqG;#~HLIVn z4I5D%OVv-o7wjyYc6sn)&OlXhDb1qKF=Ky9N2WvGHaQ?#w%Zttj1~^A)KeoEH$)Zt z6Vd4`OyFbRx^$TQ#$ATPO2SDICbo(pJBUnozEvQ2^)$TqE&C1`_H$Vph&vV{0E+P! zq?zw4emh1bSOxm}h7x*G5e@ES|N^T}* zFYWnohtsd1?{AkTwV)-5jVyxyGO-~fT@raPQ-pS=##t`#`VkBXp8TUg-sY5v{|DO;nA=i=5RtB zlv%bEyL*=o^guBMQn`5H9>bmt%4R5bRlovzMIF6#qDNi=!g#=@jJ>dJx}@WppG`{^ zG@+|y*ifrjJN7dNN0m~X4T5o--=Gp?A7`Yj)W&a=!*;I11tYSpig3IHGn4=YV^3mq zaL7pAa()?9=2iaR84vT)`lXF_*^)6(Y=dx@E@p7|`-MwHjLw?pq3{!T4L<47BU|FX zb3mQq8PDJJk*(+%-RFz<3!(3SvVc4}fUU@x=Fc|QPzk9K+)0csSJ0%4Q82-CZXuV| zg75YT&|M4Re!hJ3nk{}de)G0{1F8UJMnh?w#|!7aWCRs}H{Ev-5WptV=|Y10a-*Y& z0Q#i}Q^1k~dzH$f4m=@B0T!zq*IB3n?_@5v<^p)?rJscH<*ikAk@3pkTF9F^AH>qr^rHVs{fh(&93aZhfZ3`Xs@NaiQylClW&#VbR`A zdZh#J0*Q2VbbGI!n|ij{2{_G06lQpo<&ZLv#T3FK8g*+qX3fTBDmNVt+XSSENM@>m zMDnT30SIt89BM^<$X|hq_zq zqUd4TcFNuJrog7lDk4GWYX}Il_Aa}iF+1+VFQGR8_NUYMl^;|$x1U>kfjzu9T-i*8aGt~>r~YRTi&!hY!7Kyo2H2C`bZgu&x?epV5!%^b zdP$+O9K&u`A)NQecko$Wj*o3Fc;dVCx7RhhoOZJ}uQhAjHvVC~W2D&FyF6_QviR<2 z?)W_P+I9xp`Xcor7{;W4uxMh3OJWId%^>u|b_19oGwwqDq*Cd3c?5vw(3b+1lp z0DEm$K5xL1Y3r7rv%-NDcdI5?A3yPtZOE#xF4Ai+5Uzt3s=rUiG8NYe-GD$znw_V7 z<88IQX!u86jhC#($GcaVnIao5y|(#>0(S=Af3KV0oLQ|S*G-F5z;nfRc}wQK3Ax%; zqpoiIJ&5o9_2jK&r`&D*~w zidMJ=cFf!uZnrd9@45j4H*P7}Zr=(e1opG-zS{fZ_sfr(RVgYRpPsDbR0OA)r#AMN zUvC#J??>3Jo(rzcJ)qZ`wD_KT^1xcu6Q2~^uTFQNKt!l-pYPAGW2IX~p8ujp2&_yPpd_Vm{?bDnI=;(({$Kf7iHfMC%ih4)CDFTV zr`Y#_#Bl!#k#%bN){G=iTsfNm=;DI|bjBjNchlyRBYz9mJk{S!l=<9bTGhSal!LlO zLb3u0Z;n5UP6NsC5_-MElb@^7VDRD24p>dRr7LoFR(Hn598zgE<+(~FF28Lr0@#P? 
zNUBj0u@;>RBON{_wHFfFGtfvHCeEi2nixi#F^b^EZ~bhPg^kiyzH$ zir>FRT}(5n0V=6DHIJ{QxY$6T-IB2uCPbLSL_ zThZ*n+*qPWxOl-IS?(19vfS11c0X(gyrTG{b(EHQbA>AOUnwN*sTA&~W`By0av7L} zgrTLOAGj1T;H`EMzT&T114#JUpcem!d%uz&OO8jSY#D2%X)Vt@XH`W1nS?w}swO|R z)Nod<>OW6cz8Y?3%!T(X1&y!b*lokkL^tf&C+FNNRgw9!{^Um^C)QuT^^a3T-5LMf zuuX$SvjvOofK|hwK{t1fX)SRwEzB+1HJy)F_eSWgwC>|Dy zVq8gVg-}K>o59^CX3~NyQVK{9&N#v?mx78ZNI+4}MPXxund^XEXCwg8w;uKb5H#c~ zRs$-Cp_tQu0kF0VE-H-n`p?c44D?Bp>m)K+YBD4C--j-dGw=%ZB+((en`&pyOz)~8C8g;0B|!BN5V!x2S9QWUe8R<7ll zsH7h}0uLNZd8G#nu?5{T(`77wfx!welkK%H``1eGW0x8Xftp2GLs|2r$W9gh{3Acy zPpCV-pUzBFxmqgKN_UV(lNI|aL@~J;E|lIMVq767BNDl`;QRy2RSONFtcQ`4&9RE7 z3V^uqZ3bu&o7@NT@9!foz8{Z1e7)psF-uOcJXeuNg$XRXb(k;tUXjrc3IZCxNG^25 zA}NEI&d8E5K{x3|o)(_0vJp|6cFk&s2Dimhu_)iL^_L>`_BvAX6UfSI)v?*tSN@p9 z$pv^)kOXI$p0VHddRiWou99ZKZ|mx&wx%5Y;miaDG% zGD(cK%o6XqG4=O=z!ewrQz|H?z>yoo22-&{4uZCa&`+&yxS9n+&ZAN-l4sYpaOyJn zjg2F?Aj=9_&%s_e+t=+_kri)s)b{>@Tvq#b-=ibD3%vE!-0k&FLUMg+=Ic{ay>52uzflu z#Q~$T;b1rC8MSuNzL`v6QP-A%byV^Gz{tpKKe(_(a*VK~4WoA4>8POX2zI;jT!%vZ zI(lMlb!_?zXk8@U5}kfuTBkx7St*j;I=E!@y*q9})U}CNI{CcDyz9TQw(m{jyzE#{ zeoXjho8!~}jCift<$e20m&*k{kD6~tLsy{!%0QqS;N}p+yxA_p5K1371~)lerk9+QGK1x z!uh<;IMH=U?piBq!FB$?uh?b)1ZSkGbk@~BCv9}K%tavvL0P$dm4{?Ok%G7 z*GQ#3e;O1|5nHY)nJ5`p#R3-&AW;r7%}_{GhIudSyql=N#lF{6I9^Ls zZoHp%#&SlwmA@>fDAzSIz&;7p;X&qd+AcQ_Q@oAC?tsV zz29kb7U{>s&O;7dFJ!*qgn1x#6XSq{>_p&R={#&_UV=d_vW}CHxMb6a0&xN!3z}~E zhnFeQ&o5w>%5WJALSrYY?1h=V(jVo5=9L>rxok!bg!E_bX34ev#uOL(<|Oz%j|KSL zXzNwIc6z`dMcSim;SbvME%>)@xaENV4N%Z(`!Qg;C>-xL#Dz0Ue!4$s==& zC}FhfLGkWLd-pX1G(wywr%XSbp~zrxBo3OC$koLQC8Yy$a4MHNo!JZ}Cw{-5G^(Z@ zcs5#~SfOCB#>8_0lzM@3P}3}Fbv*OXc`<*q`oJpYY`|2I;$k6+xP=}MRo2MJ6wY`z03mW>>YsyCpWm=6za+)K6jy%r z)B^)I1^;j0CX;0o7^yWQTE|)8k3wiuF$9NCT+Qo}gZ-a~%Dfl`Z_!%W9?JTgFKwfj z#7&STNc7AIL`C$2FBHlS{`Bc*Y!m6GwHliT_}pO4Fi+f`Bpp zvpNZvpp;{+)NW6k;Yd|PHttAi0v68o^k9J|@gUfeMF2}mtb{UdIV%vw7k@h+P`fBS55YN3!jc7Jm_v8Zgg zLt^2CcmIuNn-8(Ygx;TgWy~x{zO^iu4}YpZbH43>8Ne#WweQ#rkssDuwN#N|x{U(Y 
z;{Ey0Qvv$(3U5$6tkMJt4EIr65s2mp8LU4xailakL1$b>fr0H5U~(-BLJks)`~oPZ z^=`(;KD24fH5stM?P&sPrO+6`0jr0ZaBR$~KU!tPZT;GEF_bYe z1sd3{YlC`cv?$6LsWH1FSv!&oMH~=pT!Q7(%z}CH`eKcZEsFTZet1w=@+GQcgsdl? zvxae`rY0c3KUue7lyLFjtQ<&i3fEy(P5oXHh?>U0!RAbmA+J;lw%{X7A?>13S?u@w z*{IONeTFEQf@n5kVaSA65H2qk1N8>OaA{v=68KEkrP3l%uUKf<+QqQ@Y9-)0Au;;9 zuQrwjyqGDoDO>#_?SDs!I7^MR#t;gpvDX-x)&Vo*WgJhfd6~U zcNDny5)ujSvmqS3ntsfbah9ZTn(=r|dru@2N$#WLY=f(tduuX3+G$*b^OeUD+@{IB8Kc z0DxV8uhAxt9m=x%G`0D9GG_a(S3THvycW9i)@V`NI`(#M-L#!IFT`{`zGgTSi7pdx zzXhbYyNxIlbUcK$s2sYE5Og?XNMFAmPdVDsq^2e)A+~zrK^3^RemM8%#F!0LTOG zvN`SguqLMFvUR>+KB$|e$hM#MntIN9lekxOPO4dTKBn;dimPsJ;4kgSI>#tVF8L1A zEoq+SeXhQ)H=QC(VI?DIwSXyWiCZn+u^n!q)Ll20A-T3Xci$~(cu6=iYG08200iC_ z#6!uHf*0PW1dQh%o4avZ9WIOQ%qkbpw?);Nmy>GGmEeiYPPIGR+Zlv0v;gLs3Y8v5 zm8b6;0IG*s$Hc_Zkgl&~{YbTGR@*mzMi1Zv#qKq|U}pP3wBXHgTm2$CMAZ;d(${Wg z{AKr|rgb{4fLT}TLsaz1mXo;YAzMBEv+VBsVAypV^NQ|f2Jwuy);NE&?@1ek zFMhA+^va2?vo?gTOBUj`PC2~52Z8e4?h8hmJr7V<=JGW|eg$CJ_>X1*W|Vlr<|Ovm zJn=FYk76WovCsiSiP!&3@J%HyWC)>5EKr*#S|C@Ro^ZSm zs$Ayrg4FuQA8yfI9M$W9;bs&oO1NeUl#EDVNnRJ(l_cf#H)@$4m<`4XTFYg(!AoK_ z=3PcntKT>sSKZdhVqcxf! 
zEM5B0mw<&;sdAIknz9Qm8A(u))T6l>&5em=&g0J+SA{!K;Z3-*tM1O#8DKVvtIvFl z2frA5bS1`+mdRUh{kw%bKgVjMb#lopmG zQ?^?)zr)J?x_Og@7fW|Xcw%C^j6bj$CSL<(p5vhC;LJ;+Pr*BM(3`k*;>09OO~;u> zzIsX5w%OMxwJL2x-4*}aK2Kp_9aUXlR8KT$NL0TjPO0rTm7M0570J|pbX>|2>S0#A z5^gmlWfdWI5KLYIk-HwdtJTf=5DZ5i;v@4bxT`$T5(_IpB{NznZTKxbevohtHSOBZ z?^p9Ve|Z)mH`^G?JKU};bp@7e9*uHEOKGxvYNG)*yn=z)m^J|v&Kkl_>fuNh10$Vt zl59GrWsAZA+y&ffn$!=ez~$Nj40_o{cv``R>YMpkkvjnyOXu|fZT>kJ>O*y2xp;H@ zzs*qcNfCR=-0`hxp6Otp4iZ1T3KMC>x%1ZSaNK_aX08DuZUM?cre7z-K=rK8cZ1k} zpqfA}k$$ywU!8;F)M$VJHGUm>Zp4uU7cBFrwlbe(-XV^L%TyIf306Q2pKdRn09!k+ z0-j{(4UxZQU+ss%WE%yjhX|6veBTb4;c5}`w4;2@ks4Uepz)WR86Vv$1 z1kM~nPVBHV%RrAj#*|bAfur*ow zv;POJX1CQKXc-Ho+tN$`I$`p>-Wt5YQqV%S5V&v{Kc)KW=`nL#$;%xVrvXV`EUbo8 z4^^Z57IxI6fE;V<&zTNIkl2w+68~N3G#ervwL%kzPfU0mEqX!(j#+R^sf@&0-N*wkh2De%6||bW2wwGOf~1weNk%} zvhQV5^pTK_$7w(F4?*KFo^sYe=%-hf7bjZR&* z7yUzP5@ORW(?VS*U85ClJ%!p7+dWCfLan$BhqHbyE(`I18RaD#nW1>@0p$6UQReAT6Cs6Mw({j4_~zBI6WDH& z5=*+=g(W#-Wx*uLpn+zHhP-&XzW+niIkwjsu3I}sqsB&K8;xz-HfLkIv6{@-wr!h@ zoiw)1`DU-<-D`gt$MXxGabG%zW?rlE-MTvLn4D~S;!Jb9Mf3d80;8CfuX$n1d}quz zPbZ5%_~=TMF^c4@F=d5P7`k4*I(~nxB8QxBtjNJ4lCF(gGrng_I}yMv8;RE zi5Wt%Wq8yD>2Arm>bU7`Y1X{v<@eAnYr*6{$0nN)vvn0Wo1nlW zwS9)+xzAD+;L7#vVKjrO`}T5MbNlj&t|2b-b!%d}V(7iSZLp()AM`)%>9}r_HdwXO zsS(AHPp5a4j&t$Av*hfEnfHc{Lt|Ys-O8t7JIaw9a^l*aPT2uZNZ90~(e;Cqi4U`h z96q;VH&;NMD?q>^0?AL1?h~uSiL&QSQL|-6%MtjN{QLk|Ugyfe^S+s9KA#;y(R$qR zZCN*6>;U+w1JKm2k5^k3cQYeTvp7S)H_9UVfpVX3h8F_A+dR(rpM=qWB z-gJ9B=W}va4?_fNo`=`5FL-(KU+1QXdv0IPj=DelifZWH&nesrs2}4z;drjL4k~tw z&XJ#Wy|XOg118`=|f%=N~?#EP4vyC%8LnFH8}Uq{0KK@Wx08N z0?|f7y9qLLxk$s|Nqb|t9H9_o`~*q!n4Q6=GK`u=LbEi5jv`gbJn{yQzT+xmbtx7v z(HP0#LC7}*3yU;Vr=`##$7>IHf{}>^`RmC*uYswQg3!vKG%t-=txDR6SaI@e5reXf z2O?2OgT-7E2NS8p6O5@??96@r`U|r}ykj|96G~itaX^S5s3IqWs&ASS7DEizM1_40&9eX36r zW~CSw%$s*otFRCdn_3CW5;v<4s*EMaDi*zF33lz#6>eWJ67o3EZ=Thl6-K8=MaC(p zHUn=973u~YD6e_IsI*r75M+YP!X49BF84H=mC%zM>!_xNh8-8PEy^kR}KIG{=f z4brd?sq9lRQ6}R8L~Q1GLJKE4eiS8$Zj3(IAVb|y2HE(mYPSE@g-7RZ7Ili0rF4RW 
zW8-8n$)BHeOwR`+H4Q|rQNw@HDOTC@ekKVHYs<9D=bJ2={}q~}rcGm+b}tq2j2OMQ zr=X3elBTw4{7oLF6!*r5X(zR=G4Z0#Axgb`(*Fyz6J88EnDToWWa}KtD*GnL2huLg zv&aJpMWI>zVAdu&I5$qbVHNs$Pue=tWKYPrh8+CYvxi}bzdzo7BnqZ3GhM!b9)65M zbJ175sNfuI-nw3FMdHU69VD*$R0)1TJQEVF%TlG;8ArR(wFVMOm|wKQZELUQt7ydX z_*mT@qABH44HBzDWNB|>zPQl%*e_)yyrHT**`|XX5;hAJbwcDn21NJ5jRw27m_^#e z8Z_Y~tE~wKzbSE%m<<>a9cv*x_T0Lr6Z;mVH0R4;*5}h5CFlN*eeb7r%3{-ftX-K@ zv5`JZjSk=}OyH7I3{BN*P(mIyC83f`1w;3X%w-r0UuVdi_Y#pi+OGsx;7Q57hY{;T z#81s;Gpf)_G%eE5r-b1bIaEu$_G&VnAHOaQBRT!t&&J_#7G1 z7IR*RqP{GK?8dAPt|HK`KN+zOI7-=|$}?wGNtXt7Xy~e3_nK*wmD@=)?_~IJUfg74 z|GH)UD|7HIoi+P+7pZ%65lI!Jy2oh%Io|a5-y|Zr`c&!^w;7Wu$`lSaTqoy}D!1mH zxn^||uhrntV75*k9)s*DSt@R;2UTjPDwuVI?bD<~h;5(wCOmt`8RlD+lQ9mINUw#i zV`W8Ay*vi~y-r#7cjE6BK2S)VF7pXISuje+7%vj@6H=W-9yGG~{03Ez`lhAV#zXPL zUH8-(B=I6OoW-xxCrph`-E46BEoHQ1oknDp=261gLzi>(IgwK%?4BDR>ED8w<4 zu;dMetM{W8XIhSX{-1m@Ve`fM3w~JId|v6&;^giR94Kk-vSw%p)YgYKo_?EuigtPP*dx%#K{n4`d7QO8+U^&R|9j=Z>UufA=LFx~ZJ z`hCb}H@pn%3LH+lae3dT^C}4X#q0rgE|Hkh+&@2}42uBIJ5g!qd(Qrkm)<>MOhKA} z85#c8)rRXR+sf+#K>@cl zfAw_(0B`eyG~R~oe(q~qRfb#qfRSaVnQB2$$l2ef;G8JB4UcO|NJ;qg89UIc)0rV2 z|9cBUP0y$DZGId|_mJ(QX4k{ui%d+mX=b%($5h(qdd6q#Zv0n7;v4*%pzptFSqF^l zu#c0(;gP#W)lY%Abtj&uK}JaeU&2=&w;`sh^_`?P*iG<9&$Ci_O@^9mM@F)i@~f7q zGByhXpOvtU$}IGjG+zC-ZP(?GhanQzaqF#%68PCF3qv|Lr!+Not`M!JO>=gJG# zs+TtZOZAaPhVg|9(o%NaebZSbGhki(0+cfhy7B^XA!h4Z2$XI< z9&)HBut?H42J9*Ve7|ToJuCj1#F-$oRcWH`f59gVc!px2z^}8b% zx<7rUv4UK4id4U_|Au3j>GDsOE(A zuw-27Ab+bBrz_4wYjNXc#^NLkUQ zO=hDO902ydQ~H;_P_0?x3~5b?4nW=;uX%TBK$}D09*-7V)Ea8LyQZoJCtC+W2s{jv?_ z30ws2fEW@&;3?NFaXUDUNd$DpVl*W8BKTOiGX7kAW(XJEs@&jNDd~YLaj?x4-$3$a zvNqijdW^^r&Mo8UcUHJ(&(48-?oNGVH1T%&0;BFVggXsN#0nnhgM2dy0xH>d05XB1 zM8j9CZ{nTN9Q98Rr93?_qQ~GmovE~6?enMRp*mDXH;y(xr{PT|<(t^X4CrT7lYZgI z(&-^Ehz?UTXXeMG;5reI2mwlM&@hY#cn(+EW=F@?xRbeVfn2u98O#~_GvSg|?CL|E z2I3CQd(iB3kw#qVV_bK7VMCbeD?3hv>MRaRGSFz4$NG(7oToG3<&559{sr2%{C zWYj4x+)W!SQM8va?B60WIw@pC(UDkbU@M02eh;*E30KYRhi*tU2LF)*cNqD#CU-j{U=m?b}VDvCB1HjCq!bT+N~69y385Sw4jZQ~*KYI0om! 
ztJg%za602bg_M9D(wenyC{FWOq=wY6UY16tU)~R0;f{qkv$5~wHdKgo_VB-7&YGAnxb$v_p9dpcU-7W z_Fcj!=Fb1I?HzotT%Xg&G)j=EY3ptT50->U;69`Ovm|>?u_=W<;qrcwi|?(5Hyfen z*Z0@!@~}?I>b5C>ACIQ@MGPdfONl$4ZabU5UQWxd$6;8_=gocvt?q^Qr$r6_ukY9M z`v;a)wWqpQ3)mg^vsu}1`-LS69iD5V-tSK9u!;8*Et!wQ!QK~q{=llkEZ;tfuRO(@ zll{}4wfWD*doHdFj*ORFJl+p%{dbs8lnzG6nW!^Er{mB#fw;hB0!w}>W$&81@i4_I z=iBZQ;`@cz5!pVIWrLQZuq>pl?-|-Y%N;X4MxT_L3U8YdRGIDrFwO$m_MJEH@{(B= zpA>F?n(nTMUtZQvjaxd;iQ8{=*UvlpP^S}42)T9*YkEEk3j9C*eXRv9_{YX=KddW?t>fU`YK3+i>XcGA~k_pH&PO#Av&;6|Vuw%z`_ z0r&3qpT=SLYv11$+)9y~@!ZL`WlZ(n=@{Yb+L{zCZX(t>Unq&y+FNy=UOVp3nt5e@ z8aG*F&;;!lVRH_m@VsMQ22F9b-^1M3?5z7+-}>83dfH1r2LrFH)s|NuEbNvRkBE4W z`oFeOE(#8uQ~aC`8BqkeL4kYK8BG=5&+-dPTtA-((sZ8Y456>4wraV~06b2QOT8!f z8(y3GikCm!EPFcU->Wz~FB^#i`$CR4W}|wynW$^Dc(8q4m;A;oi8oL3m+ZON!*SaV z;{04!-M1ySbv&mfCb(q>vpbF`_Gzwzr?8qp{&=9Cy9dFqU!jlY!S+o~x)AO&%CtX8 zn!ExLLU<;2aLtL}DE1r5`@mfeAE5&4&Y0;Bt--r5^4Be~AyO1ayB;EIm!E&Gro1FI zSYK*UM%vh72|dtl^E)Z6^5!vFxFu|00OvwFc!_ysQZAlPSU-ES?hP%ZMjjMi)XM>B zz@ZK_w44o%paI^G{obSc8@_%?aGc^XmT>IXIzD=4l??~gA|LWvNJAHHLR8v3op_P& ze{3TRR>#Zms@x?tXeC_;sg;@g6won#?~K}Z6fw@-hC;3Zte?qPD+Ha74|yB-ak#35MBOpi(otPF=dR&-&O?akHyKU$B)xXBu_L2 zEyBF|iA<)8a?ZO;)(Mm5VN$iJDgI{jQ-hc13pKN9+nX?NUB)Y|U8lHMV9v0d7m2;u z`v(Wn4`}|BgkUwT-b2=bAinxurF8zRV2ICEkjv5*90G;zIx!#&5jIqKd@mYP(jix} za8Aov>~`md3k)P!M5tJejtG)B!6-52F;xFh=G|ANrHoxmShRL!=hsh6%`~?8K0hbj z6)YB#EB4QGToKZ&h3bTifGsisQ~3`&r``S{_U|U-J#ux`q1fp{PNZLKQD5W!t zw3{vTA1>~ZMPuckJZPV$>zlHWx%pt8rwwU;k zCt2143H8L^$ARC};Or_ju0`CA5t;21s+RBHQybQ8GGd(c`O|>sl*@9@!XddXI@MmI>z8Q-vcB2A}A)xSWW`A6o!*Klsx$yI?~NVa@G>YcvJOoAh39<4(E)1v(Tf-g*rLO8RjHSBkic(z>%u)LA#{=| zL!+a`R&2SokWA(Zx{aFo$>9fQo7t-m5_HN0Nlca61a@@~ERxExUr6c6T9@WA^or1o zb#Y;R+R&jSDr<7RHvhz^*lEGQa16}ybnbziKTr;idgv$XFGWBR zVlsSPIr`9)w8)H`GnB_ziIzrVg8BBrA#86x`5=}Q&h*zGT6NY`2zK5v#84~OE%VXv z1qpo|RLHsOhFG8ma7wJ0kSa_En|0IAD5;TLa5vb?_U{pU3qF9-z8C$M*4Qt%5F5^O z;fQ|=sJjc30y`n{YqaTZ?r>{)`ed*n7BO<6Kzvo3vuLq2dn$q(b|K+~UgIDP0W8*o za429s$sCJperUU;rwHdPEo?1uk>_?Vk9Zuh6bDO2$QteZ)7cLoI6>1ti*R-%NfQ}c 
zE*0De`6wi6$TT12h9(HzyCAjZAWNHrGUveJTB~nS|6h(lc3-gJr+NQk0nkTP;>_EO zY6xc9SEUOVP4Y*&udL>g_}1_p_U-Z`j6^vhv(b(IbMXtqEou4d0iEvbxFtII`2`b} zpQ@_y`Crx^gVFpf+d_NX76*21u{&Tr*8jShkjn|J+c{aGgw{Kic#9Eqf(!HfMP{j9 zecN01j-Qir=a0L#Evx*GpI&$Ov*zaT%;0nI_%wa1~gc<|4Q(LOWC9lg9gl(VOYV(@6b%%^D=f?=DOJBCz z(bxI0J&@OQ$Jab~HQsC4V43G^>_9Ut)t-wB#fS%mZ}yMFCy8Rzo*M*QAGQWs0lorQaD;e*Q6s%4JLZ^d_AL~(yl6_D?eA?Q9uh_ajWa)N)_{zQa6P+ZlqWm;0%-srO{ z+>?#o7FXY+^Kv~*v+G#FP*PjM*K>8)K-6Ut(=!xnu%q{qt^Y|+_}MVzs;xOm*kWa*wfJ6(7S|K)TIEq^rp|G7PB6 z*cb1_F7fY{3pZll& zB(CwJ%1C;!F|l?gI(X7~Sv$6PA|3-wu*>@na z>9}x;$_HU{x0EslT-xGUd|M^NK8O~~{@|Ujoyhs5T970`@L^R6hq!G!qT^^ePxez6 zdl3nQz8VyO1&Q{_awnNl4pWGzqt3JZWHcx54g?yA;4GO!fYA}QNXL_EGzIfjM@=c0 z-y0so2U5{CiVr=qJZZoLXU>s|!vhakiO$U#0>_sf? zMT4&fg<^j{fOWO_lU3=g@leZJQ`#18LNoGKDwK7Tg?{Cf+DTgY+P0bbuLlVYysw(j zc>3`(w-_|9W3k}deuW`dfWwsyGS%!)P0YbNQoMYU?&1yCy5NLkWL zP`6~i?UHmjh=TF0D^@Cwb-GFC3fS{Y_g75N^+wh7a>p8ZX$ELr56FjSfzMW27SfLs zzk0;C|p{JGFpXa_2I96XU_UQWVJa&xkt`L+ABkrFiDBC zcuu}H{aBgLaZ2gLT`%6^B;L8ANvkzmhF#XaarI!!fig-*I}|f6-(I=+f+gGfAk8-V zO^G0eUKSiOJbEKgduARlrWtY_;!TQ7`Hu<9+QopWDh%bU055g%WTrt_mR{TZ$x=_> zXQt{j+X3JI2?#{*k@@QPIoEM)aZd9Y+9Su3{P$(Mr(d=U`m$Z} zT`htE)O*`X5Vyq{8-ReQ=h5`(gqQFBzOJME2?fRPK>Q#z$-$|5d*JB1&vwME|B-qx#QavH@V2fG@{ zK_9qsI+_{1ZT@>n#&(Mnl%?z4pQUqoTBIpuZzQ|9jB~dY z+TPn1gKpx+hmDrDqNmoQQtWuouWQlli!tH-HI$7N1j%wlmS{ zXS3_bo1VWw*CwkjKzH)8d4=#Kj%j1}UKCKt?>}Z9$2YXyaQjhX_n30VmHp$=|0?^8 zh|Req`C-^K%)oI!Q-0~ET|*I5510E3E0-P#%ALQrL&b7~b4vT$Xb&R5*ZSfepZDr! 
zw2dK%=Q!z&%iH|L+;FAacax_wj0tpELvfLPwWZFOC?s*|o{>UPAW88Dc z50~<(fqzpAU#~Oh!6hC>(?QPM=!w3Zw_#hg=`v!E3B1s|EZP~T}@gLyNFNHZGhC7YvuY}8*rw_vP5bE*+jq;6%$>0Fq&y$ zeQ%{j_ebbBgm4qh*KZ?tRv22A(xrA2Wz4B7L>sN&VhvjNFGNQgPV}e(ZndMvS{!@R zczr*)s{#Z=O2dy*)#D~#HJJwTu8Sae-vat=A2y@0^@edwQUJU7x!NL!CSH6AAkQJDNA44{1{j}tGj zh28vzxaS|-aqT3LJ+Se)kGvI@3eL0d>Sl{l5(=w1GI^q01wgPF=~DDt^17HD)rFD6_O4Jc$QZd&lD& zJN>1*7nkNRhpM8iFc-2rj=(91VzdHg|84L-FyJ3Gm)|ekohjKWmIXYy1a=^Xt{Rvt{y&R;@|{+vZ6i&)4ytnAWs z{JFA-x=1Y7aVf*xp;mZa%u6GGMhpUj=b=Sh%Nq!b&~pRhk^)#E>lU!|HD{dfFOum2 ziExT~Dc7ug!X+yEn|K@*DqNwsM>-INj!z;vj(fq;(WA-@t)HBdNGy@k@+=?C@}q_( zPHg(w^T20fVUcJrNcana9D#7_XKv%tBvtnnsBy(W&^_^TPGdLIO-{cEs7yxgIpmYf z*Xt3bf^h|rF?1GT`tzlJCG$J&fE2`S;F1tb?fg_YG87w{zPNGWB9^v6`^~t04zf>;G!e zh$|Yc>cvU$;@La1$7zOGxfEO@>U5!Q>$-y$F6K&?XgSN9_sS`!PcJ-%S;j^wCDUyB z?BJAWtubD?Ig1jE0xPj#Ut1yF-*WXK28%Uucx>=mVBCsMcaz|->N7dv&!-^zqg@Na z8z33=qqJkUgjzTLoVia5C)IG15|TTj!oi+?Cw_7ss8gJiXczn!WduV*;ae#Z36)f4 zjfe@Oq)BsXCeSz98Njou63lj;%EOsNM1m=vN7Dd782he42QR-mllUR`f08tV%|`_C zdqol806p1%RlSM@jyJf;av*#J6ADRJ025%%RFF%hx%3fKJbc zr!B9O0QJkl{I^QZJL1y`}BD ztCmY%=V`u6Ad26}dHLsIOz>%MT7|%s-KM911Yt{;f6AGLmhC0$Q+DHubO{!Umqg#= z=25okQ8$Y{?9r}mvY&4l;Rw@o$4%xG@tS!Jw_;KS)$IV#pcOO>ycO&g$5I@>B2jjW z+I&K`OOib2h%1`@>7D+U$G&#qDxYGh%LLSRZMb6CvhJ?ef#bdu+LHA$>dAc=8U~P; zH*~DnzmOGhq^&)KmD@{PcUr)!vq$E!oF94IGV6$XbPr!oUiDn+mIO^_*Y#ahFgr8W5@M=ke=edAu+1IlwDVF61eVO+y>4<3Ut^_5kkk92T@IJ8atR=OM z*yl(;jPWyNUMWR?0IfTht;3fdL zgb^?BzFsWt0+G)TYBNT#NQ#l{J$q+18(90syx4I?+S{Ya84PQxLl`9RUYS&5mA|P% zMdA=i?MF!>V02W6r_kp9c{lx>8Zq%xplfAGtr(sYUW|%DmChY&PiYCn`8s}8CZ-dn zE`AxCh*q0(Q6bRXrCua?2rzme#|h}vL7f$=6TF@m$u;W2fb??UwY?SU2T6RQgF$@@ zWrwy-HCG!~CS-}=l=y|09g$&_zbV`?go<1O-N-eKC}W0AS2E8qmMGpMVp&E?3ibd_ zeHJN<$MK`Fy>mV9{hMr|&94?9t(9YRM9JC-W2hA-;?TQUYALifK9iBrOp;MKID|H1 z8FrtSRDh}R_gJ3Dt&}z|@I3fdVLTRX5fNVkYUAFJ{hw17rN+t^G9nJg(ghx&m|$2b zy%y9DrqKsTUm=b1Nx%cW`4gqUlp1!GR-J^Q8=Naw<7^RAvtrf45hJaLqQ37}%j>W#$L$gA7)sH^WNl{p7dP@V`2G4nx4vIrOmi=SNc_Nh 
zX!;UKa3#$OiUkqfR8w`>kj@fJ+9B4Y(mJcH9n&sGGRLuMg+XVxQcjz4J=xY&`55{* zuyYtC7Ry<$_7VhkBZIU<-YK`=3W#^f;@084`L@;X=r8rU} zC8>_ZYQlI_jy20}{M>{sFEZeQ#QgP56}4LH$~3*CY>)fFRKSm#| zu6OsYs|<=@TUko2rdKzdyH~aMyY2xMpSA_IshY(mBcpqM1dv5Ggysg z)fIC=>=+8eQmT@R(-&4A4fh-Ko66YUhl&RNzD+Bnq*}&)dowL1qR0dSqyx?a|6ELA zyaBBdOBCUV$|9@Ckl3&(CM^W}dVd%&wr{zsRGA4olbm=0C1N3$C?w5BrnHDIOQuBn zw!p0ihSO?6xmIY&rz5;%o`nO&sErj1z(S#BUv4+=RR47wbnZBw|5Opkb#u z;Lhn}3D!dYBcnpIoOqk>mC1I~qs1k|@5$VDt9$PotY7WZ#R%d3w1y(_5g<*cvTitd z!l3ObkC({h2y3585zw)hgQAz;GK+MU)oVOc9+kGOLFUSpXg#l-fDfXoWpZ=@c252s%|#{ zJSpt}=NKi4pGHdD1Twc)eHP zj%Tn}rdekQAD2{W^!)#20{tk@8)JP(b`$}Q%hT&s3h(4zr;qPbNpXG+Vt$>vSgjv7 zgIGs3^-KEh48CrU1qC(LRQ?^~7B!m-TFKr*Nv-(9Y#O}X9DA!UYcwUqf+oSsJ8e;$ zz6sa2Crq1EC4yf2pPp*k>VrWc&I!}Wzd z#nve8qpr_RKZiYOucWtL;%$_7ubU>t&DS=}YG0c%q-nmL%tP@W|Cg2RtJXnh+l$6U zRj0AF{b;J!24sDkyA)!6`#8EK)mQJL=~UOXs_CSrDS!!x&iJ**|8-_r3lt2h0FeMe zg8%7Nt4G+^_WHm61IgK)mAN<_`$(IdHFnoTFp$?F+$yZi93mi49>{>MFpi+dGG9YJ z=kqJTjzonyWnj>BAB&Rlq^c5|{#mlV3Hl`iv=T#`Xj`jM#;GVg03Q@{sF7+LsZy{OV%(Wo zPNFBNPoyJu1hW^O)}aMb-{*p;LQbK@0P4|dHKdJa)|~L>WGoP7Zhhvm2%Kc!%$v7> zPN_`qqFGwWv#M@fM~S?(s=HZZ=$Kghl@HLVj{f7Ltr7rlVoXNNhZOBKoq#0ENMqqd>6UxFPhx805+E(o{ zrjqs*s;1S*x--E@erDi!xp7Ob-B?To4wLc>Uq}9nmQ)WEl~5nKE-=x@!wN>V@N^kg zgR1ErTGSc2cbE#_6Z2Z6e!^;&|1O4CuM_I*7pGC4WEj;CtO0iV8DFNCi|G5pK{OSYsp-O*FJp8acu^;DnnaKQ@$s$7t%P4! 
zFgX~t=P3w?DF5Xe$UmqSZlUZ{k6TVa5{w=TbDJ0!eZ%GNpWFYHsaCYW4ACJ&3XNu5 z#fZ+&X@5`1bZ(Np!WCno^Xru7H*L5nd4Ms)V%(yKoGB}*c0j2c&5sx{)7<6?mMVLA zS9bZIj(lm>Iv%qk%#>p|ak6ysF7~{^N9N2V zP7%UIHbN&_$`mjM1}%SkO-_v3yZ?nV4Pb3;pZe_?v`a|P@ zrY^r%T@fzL*yIe6onb_77WvSclvVatFwQsv5=?1dOoWipU*UwO08alre1xqY1n_mB z*NND>&8!bVUEHEKvNNCB%#%KXM~K+gsV`w4jg%Kc=%6M@Hc$;D-F;A-`J%kfTH3s} zl98%h9rhsEv=De>E~kwS#iZJeQ~$W7N_r9*TmuUU?&j=(9(U5{KB@#AmgwIcL^8X9 zGf8#j18-ksI`VHY_&UWBGq&o4(nJjAMrF>1~zAd$z60v-*gU1OZ_A7OZ%E z7&vi~(U7c3*bGpD0?`tZ&G5)NFR2yRf0T_8DoH}m*%V#ikgk|6(5DW_37fw=)dz&J zkaOl@q~J=QMCUcO_mZGqEqqTIEgQ=#=@Tw0f;VC%S{*|aL+#9gvL!QTKE$mmC?nq_ zUcC|K`wbDPV5|}69w^gEU7=#kDn@0!mM|)<`nU>BTr(>C0=+fxH)KqS3%&()^Cb+{ zSo%jkor44GzYcTMQN{pb3XPoivxeeS8r+yrd**?J&^VdU*PcNOv&`f1%CW#Z0&{g9J>Eia^LDckc=wPvuX6wR` z)j~u0x!H8%1ay{FKbdHxP%xBMWno14=UEn($d5_Ntz!!aN{WJ&^M-iYQTBx>kYl;C z?O5@aTwe=*^i8yR@C~<;BoUAbASIWJCm|T~om<8D#f-9}GFDKeG0rREz>%OpjqmUN z{X>uFQ$IN2Ku3ezei0j!Dkr)$X^iL8sDgYa!(v$WyG^77S;NfcmUH4dvkvi}X+B=; zka3f)6WdE5rj(EVKAD2`f&E2Qs;RCdcwF3CfrmS5q@A+(aY9K zrmL4m`C3f=z!km&Zq;nI|H>WcOhgFe3-)UBwGqDP&+PHPZx>Ij#v`<_&v}1NZ}R7x ztFO1qh=0fLpgwZ39VqA@-@Cax!5g;(-z{IU-)1bq;Xu3Hcj9-i<^F8Dr*CJyOSI%Yptas9_(ne1zix=;wAH+&X6ueR^JeqGY;KU4^I z%$+r$&EUuK9_*YC*8cIpU)KPhy$K?F6LE_->k=$r)9O3Y0|FC z=hu7;VY>4o^dB91-o^@X;Lm20m^94uGW-}%OzcWNb_-?j~1{)U(IqP28lX`Hef<-Q(v&Qx?$OpGU{@aF?xSpYvJ#yFu5x z^$5XpnASPm@qo_DrE7L4Z?gCMimxW`$sU>Du|OLQi~S4!{1U9@l|8Y~*v<=Av7y`O z2ip_qqJ88>60}?VOkq2I#iu?q)#Gs4-C=ikO4WegrTI4R-?T0LFL{Cg?5E_6z(=KE zW`ELGJopV8Qzys8W>^8#6@lXdEZqeQZ&fAFktP82vN}0?C398BF|p)nVz~OUO!7(YpBsr@BuubA71|YH- zE!ThBRd4;}kid3D#s*|dT~|Y!Sp?+5Qfb7-+Dmc!grnr>L`~X5FCdlEpqblki|n2g zP=cH@9<2Lu-;7ch4ZV7sBs%i)2NaLA5Jn0L__tH`y`;Q69PMr+!~vBdkzNBGN}DmA zA2Nggm}&Rxk{62dOnw}vEDV>@dv7{+{FPRfXoIxE9aA;?>e|scAuca^^hWDQ@MrCw zOK^zCJ2A$~qAB^PjWmEyJmaKIpJg>)p)=r0bDn|$6=4t3v#xLLX-*3x(_|d>2fZnW zybynna*D9e;^oky<*LbstAn4d=uEgtc&0Y#>YGAE8y6K7CrY&I*YVO{HBwZ_&bty9 zGE~pBXyzkxG53E8wbX<${_+UroZyXGi<>6!$F8c*3sqWB#@AYG2Gf$(6Dadku 
zH7WRD^fJ%tLDC)?afh@rY%{zkQ2PI#m3fq>gVNSU>!3(sQDPD+V{=XLNEalAC_M97 z$^-au;X2?IFi$RXN5}@|sOc&DNUf-u(;YBKymKj3S!aJMHQ0|bnd z8-9%w!20+xWlGbPm|FK+Dy&N66ZdpuwXLN;~Ssx&e}!pHKm z^z=ke`4OnoH=%TEdF&@|keGifxju5GTFS8^9DYg;TK3y&aZ;Pxe9UNu>K?su&-@Sm zyY^S*OZ#19<2Y;Z4`5&w_~k;sG;b~XR5aBu{>a(}7Pj(;B8k3|^Z}S5Sw4}a@@`%S z4r<6M1aWQwxF!`&2>hW+`6C%dXvj9NV~_&DEt|A^ePa}&-C;eQA$5|3gH*1jHCiV7{F4go*eRsxhs$P&<67vHPHw|DWa? z4N=G64(m%sh22J!6+`6`nSHXQw6YX@JCLaB>iI!r^qHCqx6#+;cahq!^VhoOXn%4j zj}=?IAkkF%^=p@?4(IPhaC9)RAq3cjX~Z}>ciXCLek7pk(zz%_&t-JUa3#q60-BiR z<4I{$W!8@qid3iLF@SAK_@|=cb)h1^q-(+_+EMfl|HLZCf>u8#TC6DP3l$yO1)gJ# z2_2JQtdL?Y%QB)_Jd-LVSm`I+o{Z)oCL;Gg-au%ol1oC$uZO;=Y~J8b*Q|-k0OorQ+9h4gUybzgZWdE<+6B9$-g9O1o z5I(kSCVPFN|dH%%$+M053pI$#?%Bbqz zV8ymiw^V#Ja{d_54tsQZmp}XToCUi3+zR}Ce`7s=d&(NVaD0k)r*E0`lx4cP*<_lk zEfi$*c0C+@s#*V4<9yiJyvW_;JdGJURKB*`Otmqu}8D_i1!<&1zz5SY^#LP zciHX&m&Uqq=>U({jM$l}f;(+hEkAeMI-bvYZ^{7KuL_)RB^{q`yf0sqR$)OvkMmW7 zZO_hzxn2D=OwGGp6h1Puq36}Vf+g<)?+M)9v7p=E|q}k_qI%;5`w=g}uGDvtro8 zdX%o{=O%gjyn%0d;bXP<;_T2kf@Z1zT7hryS}EZC&@=P@i2A1B%))Kkbka#Wwr!(h z+qUieQOCAzvpcqJ+qP{x|INPV)IKk>R;}l+YSfr>K>P2@*R_6I&1*0IJFO3l*LivA zE$>9Np3k2`W2q*`?<2}Eso=@*BE%Dg(!#5s?;RI~1enH@Ryg&T_3J-M80VfM^>@O)?zYwM}xcbtS z9p_r`e2Ty9a^I(ypL_#-JwCU8A{`ger+$7EnjGf?*D7idI7vJ2$6`Rv5s^R`L(v4 zRSV2m1Qw|aT{*B)jex}=>BS`37S;CDnijrYHi%AYfI0QQO)Hre!KLP3<>&TJfq6Fk z5KtVwGay>1RF!`VP<~VWGaxyI>k)#9uWizRDK#XTXDq-jUb8=lCTQRf9eciH&--^ztg5taHg6mzv1ZiHa41Y(#!XTvHs7*dJB!K5mi9wWYgP{74{ZvBtUE6GJM6>kS0<}G`r zsrPqa#?itb*Z^CB7nVHLLI@L;dnpWfRGqbuNvvS;xGBG#N1@6Lt6l~ZE z4V1NPTEL7L*mIzZ#kzoJg%uHcD&8CcHT1ZaNBk6uDcyxA+ez{Xaq1L1x6jN3N@K+g zWf3cUH5!$-$z53n-6#kfrZkDO3Y{CGPEUET{W{s9wK#J^axLXe_)nt;MW!^C7nSzI zhBNvtK}8$_STG6`RA1OQ@MO$_V)7Ni$CP^?m zN)nSZ{N@!{zQ-Q*4t(?&!vd4@D*VBpTi~Q@_=wqplH)3-Y{EZrbHr|BsBD{wx@G}O z&X5zob@MM+J8K5GRM4>vR(fW*gOgMe$1r!GG?*d`P^6B;7Gd|+zumhr(NMg}SQ^xv zKZwE#+-o<5945ek7jjVvVa)BtxWZ1*g}Ng+mdg^~wxGVBNGw(Pny4P8VW8At_yeIqEP z7cXK-Q8-ox!asH@scz+&d6O-NPCuxpVx6W5=M>qJs~4RiptYgmqd+w(7Qw}#grzf{ 
zaxH=B{~fRL2%rJJSzpZFU(*Q4`j5HG6foO0J)faLN)}9#eLu54T!8+-?`SpfD}K_b zo?Muj1v{V%kW*Q2zoeC0AH>QL=KPP5xx-a64UA z&#b?{_~hTbUg!)|oh}=Y=Eb4&kk*F@=8tASpnq|yBs<=)U*)b}mfkGP;Va8Fz6ic; z7T@%2UYUD}J=+9IcD}TqWU$|J(>br0?Q`3Czfe8Tu*dK@p7K`d*$+;koa1#}A_cN; z@gJr%Px)T&vZ`}5AK-S6^gS=-ZoGaq;-}Ald>THzWzyH*60@RDxj&*A&bHqsHhQb9E^5uawh7>4zWR_>@4vimmLOd>5|=s)9A<3>Q!7w% zj8i)A=UXw~o=xpO4CeR^W`+BP7v7hBfF~$&2u~_0KGw1F%YqgC@|v%w7}Yt>$M=qA zxi@q3kUY1yhmctHPwrOfQCY(L;VZAQU;%Ge1}KZ?}(Xy<8=tcT%}EQRckPx@Xeeohsvf^=Ce<@AfBOWwxJn zu@60-AMtisUDZ4Hd#WEydmg2mea#6^>%A2@Z?m!=7f5dde49RfaJGOCm7#jIL++=~ z+d!w;Sc2~TWV)o_17(7)s|?P2?yv3Kjcq*y(5^uAZ|!P!qIG!8vV0n zzrdn!;*294PN<^Ju1As)MKPnj^VPE2Roq1YzUT139-V&Tscd- zEDsC>8k6qFKeuX04A~#Fh$z&weGy8LwT8`p3y3Ng=HMKf&UHpmVpruPln;UJ4m0$RvPAO zTt<)mj;rx<2gpUj*r#IvvK5O|pTW!k0ohp@fJd)Vm_iK&GQ!3!hJnBayQ9I`g?T#e z8^5D76nxAC=h4Zeb{%x;dPzCoB+z_D8^OLt5GnUg*zCTfyj>%J z`24y@A44>cQr5zmW-r(ovhZ1n{8HPGv|^#8T51)Py>(9f>;|oVB(ztg3uYdPdFSLF zj-2VVY_G%+O{%-0d@jPp1~pu^8UJgHfWHLJnV*Vy=I!|hAd){%MzR~QJ#fk0P)z`d zO8<^D6!a(?FG{K*45vZITB#QgoHC45h&ibu4V3A8Vjl+vj?cpdp9toxdj5!TbmqJi z0=@P<_F|WOkE$2EPQRa)RJ~X?;O`>fZskX>>$ zY}1<2wpTVPSW*dT{S_A{wkM^WNDrO>$G#bg1twY~p}Ki7;QTvb6JesPDwdV{@o%vU zPWW$`mwbD98AAZxbXW>UAF@>OhQV99Mz%@`NSL*L4l1hlk_yQr_#;bi;rXSadEdce z(*%>{5>Bv2_iA&G9E4NGDckPjLWTl7ilPF3s6Zjq5lPEdWW|8MxM`bIsh;tm9*a|` z>5A-v179(gMX{Qt;A5J^nzAV2yy&HMNPJKfk%|8YW$|+&J=+Ds8wZ`4)h8P%a|g6P zzS#q2%GB>70zqEUx==lmDoXUMzMn2VfCE0G- zM7JPqn{qP|`{ryr^A(+TKmjQ?0@;twfu_2NKbX%>6vPqxdjE9s)ldvZ4eJ*5d>G^U zKy?MN`%_km=cDbTi86nvJ^qgBQ7*hdEZL(bmBP;<^^_ri`Hg(#&dKR_;NtSDs83H? z3UVL2^bh$m?bApMEdp(70T<;~>Y1z*Z>6Mu-swNa_>Kj5bP^VVO+jwWk{%W&Uprs|WhU z5flRv=g)olMZ5-mU9!Dx(lu|s0tqEKMEe-C-dw)3O=o=#EPCG&0`h;w2Phr5T7bAd z5HT+}Z`D_A+0LVVx3u!<+2%g70UfW4m~%f_XB6PqD!R>{2KJ9wl&i-+kggg0x9(1> zDWvs2{yn@@KGRNLzKtxks?&FzWsftQWEtkvZ%krrxqU4{UO67!Xub}v;=FvAv6}#! 
zwzSNFd+B)FoGzVk2w9z{OhZ}8%*8w|?_<6zA6Mq`wtVlij&^`ZV@O)ynecesGVffs z`K+cZFKQKj^v)T|^aRJFhik_+(E(Aefaeu+Ga`MX=$ko?E%*IO^7NPYU5c0cseWgB z-Rlna;<8K6^`_ytXRO9PDDUIm#4WPj4?AAQh9$SXPGe{1Wp`I=P9*gYy0@33rD*oe z)}am>_Ls&;8})X{SKdFTmgXr>?w`l6(Jtxtc8>((D+Z93aF z`;~7mJ%W!xey5}ORo4q7WJmDF(QM>%$MGg>(o19ZSHrDQu8m{wRV;2x>BmcCzBGM{ z+iHH3N5@mSv~8E;HRrhGaHr#!W-)JUc0&5=pSEwO!NO&^?oDq#U+XZF6ms&!FloZsz~K&{j6ZcbU;0+<|f z@CBvL@V2a;EsJoMo3(ul6#deldH0>EUIj8=0{JCAV7|bZT9KiE2Oks}8M%GdF@rRq zkv`(U@UAIe@(cMHUm3s|*~!ZSnLPDs zq-|)n-=4#dqg1hHpD}fbGzgF4UNhi?!=ITPvuV?hv&C=;hgieFebu_X;TNckW+rSq zzA5G@lnU*-y+1J(EJIpUcAj{~zCbWJ1&m(kDLZak#le_L4(9r04@hQX`($e~~hJYJ`2xgT|HU^D^p zf&6dk$eQRTBS&Z1{%H)*`w583Z&!_l4kYSKIf!4#(KG(&{z^pf_4s1eFFcY4h98al zCe$&+3=97ap#qtLV^$K54jo8CCvMWf?0161m5qa6xsGw}q>S~rjL0!p!50%7jSzAD zowXlns%{kt%lAX2o0v%<$}D?JMam=;oZ-${yFL8C5_iM9iL=8*~GSbAp^Gk9ENTZIwzW z6~U+x@hnwLtu z^E@rvr1H3@JjV1Izgf1;po`#WhEK>R;nU1HYrWSwUjepIuS#H4*B*bmNE7MqkV-l$ z&>nZEvq&efXh;Z4N!mJ(@Zcm9#l1-b%TGA*@xbrefH!d5$Rd3z4-f7H-s3P0DIAyP z$v{djFghO+FZc@&qUdTITD7&6H$O4adi&M zA4P0avBlDbgOlhpN)bgyIraK}Oew!2IBl)o3)fJhvtPvOH4fqUNQsn;Q*7mooKz6@ zMm>*^25iAnbY^)p&WO|QoUQBw+R-^2GAWR>a}yzwB?+lvVv|!XE6+-DkXQOR6j=J3JnBp`qG1PM8v*?b6XbC0+|Eiys0$bC2AtSo0t#wU`LK%q zT*hD%o`JNKu2NZXG_plZ2?@VjpcN5oRJsndsR)#%H4YHYvtvNn+rApmWVL7iZ}>_f zBEIcEp&0^HZ`sQW|iCdqDyPzsc~qmjjx@hd53*m9 z?9~yg+{V8Mt$3{4gXPn?+>wpl zye4i4M^3yzPNx@cQ#+AZHaj#^%VkGTG%b|9+jrD(`Oc zKBKqaLEZg`3<>Y5b^ExJ1(%a4ZmX{En;6NiBgA)>=t$odiP!bo?v5kY&He24w3EDy zWBXq0ZKr?n(9P3yhSj4<^4Ns(V3q0vfJXv;m7#=Ce5GPY)g;rys)}kfZtGTe#@Q%GNt$Mtgh2l{;?X*ejCc~JVVo- z>zUL#mh#NfoHj4l>HOtiztweLdq3@Fd)eLTq}Otr+)Z`u@e*B@{V`swP2Y5c`@D3C z;PYHMzMSjc8#O(pcX!-Q%k5$CxK5wmIATShw(T|7dGK$O&i>mY2oZu|>$4JaD_2bG zwDYE|_tIB)ujgBB1O&+DZUD`T85;9}Q;zKPj_?kb3{B~*lAxY(YKaQWcJeo%nef2Ebr{%PWDYt!xte9OHXrE6?(_xNcrulX!3UjwoyRp5D z&pTsEx_|=}Pk(za?K;IiUlZz6y>3I^xA>c#iKMeXZoO}b7F(q?2$+ViUy__DTnAg% zFVDA~w==tQ{}+hA?wvoki>7_w|34WX?f3j*XQ6yUdY30l6{q3EtNNw#fcHu9$k3gv+rAYXY~C-nN9`%RG?m+3TBZ{^5hCrgvFHxiIMSecOqpfg<6u9uleOK 
z-0u$!E^=Q_j2ZKia+Vnlr8(j>x=D$@ZqY+c41=b%9ZNBR*18rUi6Y>`Z3vo#N0 zcMfjZq6(vhhFZt1$iLkveVU?&7oe2-K**rlgqkfYff}p=n-|9d>I&dXR#Kfqey=hl z*U>{5r;;wQ|D{!E;dJ-uy|2%&x)96e=t6BS$}Qs{W4 zb%Cgc_Bf*wi%Djw*xbdMur?wUqVdmY%fp(M--5&&lFqMYD2(0ez-DWRo%=&I>lvlR z8Ow5sR-SSW_r~QvT*-17QhA3-v*;}&sK$-6SLb9|;W{1JJ@I->^s92nVKiF$C+Zts z2ON5=nHP`H0m=BDMw1f_fnAkzNkeR9X-b1M*jLeyKO!@zd&5zx0dhZ;g9z1(i!9-biyjl8iLG_ehyO4*_^Zfa;n1y6 zq5Xq3U$83THR5H;72|G76B)*bns4BhQWPFfF;X=nX~K2lQp_ZPz@8f=1i|dJ;MWXP zR&xPa`VeZBafrYvWpOl|+U#VF2-{g7pCt?_F=NZQhTt>h|STHeI-3`j% z`@-d@@t$AwiY&M*Q3>L8CDkYDk{1)&HX&EB3dqDzP>xQT}BsQ9n4w>sNDxhYJ_O4E~JW4WktjAZHvy+;(Uc zTcJFd@23T{8aHTM*7AhH{X!O5*MO==>(o&8FvP9HB?!$z#7>%I+d*tE9 ze}Ku$!W1&FaMf(#BSs~bPw`p@94S=nP$A+TQm|1jcc%56@MW^O2ig2s6#*F~_CLH0 zFDCh^Nj;-m@?9{_stAj%MdcKtS(bugQ;Fpa`Ks3jwltibBKY)LBGOC@f&yoKAcpy3 zcL{t#c>i7y0JT|Iuw~m3`;>FRl?q+@4-W-BR)h}hBQXcka_HT)x~KbCwEo<{E@Fe6 zdL)R{$^AI4=~QQ^L6SSIJ8_ZITpk;SJLjU&iOquS9@p%EVED zB*X71^5&K%LmNQTX8fKs-t+sHQF#z1k2EPHbfyi6S9%dNB2M&IpnrnIRKpn+rZ1b< zCFG2=>0ljU4e?P$H5mFStz)z@3114ZzBeLMjVx3lgXAI+iuRO6`k6S_lPcw6JqAd@ z_)*1(eaj2iJm!_xBcn*2GHyeC<`@ojqHHv4vkQoNQZ3J|c!Gv132qn{n>{}?8d1j* z1NCyHHTV&fY(qXtYPc5YfR^MURF(%&fv9^-iA#6Mu{{32@t+NIpHI?PViq587c#v1 zZ94mLI!5Q4;O>e*2Ppg`@80yS@x3E3`R2D`LR6Ujh`&C+7tDL5ned#xtNI_eJ%zrt zvvmlyz{c~lSm5H?^Beis9OUd^_}y3N#Wm3TSa@mGHdp!UsA1xAY7EEvPfdrcaVqa4&CsW``ZU^%%zFl=O42(ljCq{{B;@5 zt5#<-eY&cahbG4>4v*r@EuTU6yPzWmSAhN#v(NHVnH>YKBZ268D!Qj2Q>CfujcaM!e%qA)6wawj&|AMopJ8aKc zF|;3ETE{=%`XkMduSK+X8WukGa} zr-|z;HZeNQk9Wy^SO2y?(ILzRn)B=4PHH|j9$nV2jPVm#-;Ws`f1X|==ygr&?2ib` z^ISZ+-_@r2xV(6JoxKFR>Pu>Q-aEUl>_m-*T-&aYhKZ)8KaN5d>vZ%t!s!25{KU|& zHM3Ad$k6n(x-!Gj?VOr=UofYCp0!iI@u|J4gRx2Tu_*0i+sbQo`TOUyp8+msvdGZ%OJ9RyR+NvJBr8JXDH;rU7PRZqIVDSy5Whfy3701KGwE#*i;)|x3kfE z&LtG@bwJ3)bTHrC&s_Ia!}wX-b z1F_O*p)gw!dGedrD*}uD7jupWMk9P-M$Ra=S?z_Q2GWf}QHJn(JivjsSWD1JMnDo+No7S&%AqROT!u1KXm=uz4LFrK3Z&j+_rhR+c{EA}(qf)w>#|BEv1k z^?MPM?LaQgHd%lL>HX*F;hAt(r69dVM81l0I?LpAY<;bF-t3QY+g5~HHFBlFs%=+5 zx{Kk=85^m#RcQ@B;5!K!yeu37G$k;~;ukZhP#DD24?T|3LU8g}r!vDP+MUXv 
z;bxOwF@q$$6tvXSgAJL^^7LeCb#g418On$GekX94biT_c34@Q%DIn1g7^%N%WRk|P z!M!cXc+WK(1Br(j6%XF%T9bFkFL8C;v*r;F|JXAU*}~+WYNW{mthk%lM_vdTPqm2w9Zr z8shEijt~JtKZxdt%RooVbA}pWT$Y#niS)u&S#03I5%1@MIp&gx|GIM1E5x;L>cCsO zN>EuE=JQY9si569l zl{sBinq`!rvB$dY?@++p;^kZZB6Y`vp1JKfJ>dKj3XO8qS z!^n!b1fB#1vw^~tqEDfO4yh|^X{S!txS&PI1&3-7g8NT`w4n8@bv`^XVdCGN#q&e> zOzM$`h4INKkl7^{;o2n-&};_P#|4VLS(YY zZZV)y+L@W8z6v87X2wr@ff859Xko7VzD+&wy(=^ zGLX(H+XQFIr1H~5n65RYMjp0+Dmf!7S2hg+2qOo13|Ed?D}+ZlsY*Z_*2kc0SwtJa z(q@%O+4A9tqOnXI4DI@1*iYl03($cblJ&)`A}LO@Xe3^+wD8C|HW-^pHuGWr(FG@_ zMRTZC;yMU~zC6b4PKxJtuec8VDe$-PfWyMow0V96QX<@ShGml~?m{+UCWe<82tpJhyfjlqwhi z*j2r}aoKgXz1g<&Guz$s^LWm+`7WM$<}|Erj^gBYISp%;<8?(etUi_FEwA08Twi>~ zZrDSWcn{dK>!cr~yjTQ#+h)76$kM&8MwWXuO)|uOH$%+Z^6Z=l({H}cqfK>Lw~H_N z9DEF?@E9&ZnLAgB5@-`Q<4@;wKurer(blb}SoUB_yhr(12MYy%%1ckezII!M&f z9#HtU{(*P24(>(fDCul!IybsG+g)9ZN;u1A5HcwJZ1d}|j|cygQO=bv65 z!OyYlZr+X06N}m(9iL-p4`|H|Uo~5cmCt^T0n%4}3#Kv45LV}0>RPnTi(ti-qqa}s z{|Jb#>YjxlZR>9y-)zr29(L~Dsv&%FC$l=YnJNm7T zx1YAxkJo6n*39Qo_&kK$KgZVLb(3|CF7ePk%+~L*A-mjPRhKJT>>P)mSL)$?-$!|y zIt`K+dtEVjVRgv6t=-ZtW>*udUUpvitJHkXV%tNHfy7q2_csv5pAPfTf}hKHI8_m! z)}i8C?yqSJl^DF8F|J2+7?t)Xn>1I?5Wu60QS96-h$m?T_W#vsH2_IxzlB<`^2a~| z;-hWf04EPj=k8O#2!ij3wJZT5G(m9bRbV$c3%~ArDGiy! 
z0Q?Qgp&jC3k1p@LhlKBz-vaiKq$XHXszN`if-1Iu@1BXi*}|PuU|pDI>vC5D4xMFc z7l7JcG#SlH>G{gc&`9GY6z@a-@z{YJ%;6RB6!Agc2J|Xu1b)N+zk*sBSzUQIOxT zkwv8sT9%{)4G^c>_-ie`$gCGc&yck|o``WKT(_400IF?mnjJ0(m#EYsA&dImA@*eM zcICOfQVf-%z-hG90_Bit5dG5& z?((^eHq&V{f;UeoA<=rhwI?Uf@4fS_yRcp$L*+mYemN95O9+{mk2TpUqtI<2LPgw; zGp)?&7g3;D2JT+0g~WY@((nW{wA$01pyM9cCh1~{tF}q9>zy(COr@k_$qtlJfgIOq zP4=V;7no%MS|ROkCSGlU3Wwj~hY4!o%r8E%Ak<~)NVRVz%a?2+SY<@e-Za#6yrZmR zlO`L^JW+ilqm1GMzzm6S{oSk5{uTU~^oPza?$|O=kbooK z*E5eAO&fI8>^v6<5SKD&-#Qq|m=c(nIkE7rf|=2nR_qDl!xc4DJFxfQb~#cV^pkSky>;>v9V;@P5yyV4)fz&vTK17MS&>uslM@gmp_U# zS&yR9_a?WXbZ*fS_`PS{%gq5!sF!|!?R?7(!039S%ntJfk@L>gvPl&D&kom0W%?#n z-r{CQG@bhBZmj_U@-1D-G8XO{hXrPI%jdHlLd((sX4T4MtKT~~30%&bf03Pr_hI=g z1Bn(ZR^@c8B8huN@=GWb&@db=ICX1g(heVpdyi$(q<_|?JorVak4Tbb4z)&Uj1pII zVylUF7G0{!aK|&q9-f0P3&N0TjhzJKN>Vu&nTV2&mBl)*RdM?*)R7hsdx&ibR|0Bx zqJ$a9Pb8`3>iQ@JGpmw~iaW46m-#wtwF}3#)L;l&eCh zO4%)nWYJZy`S_V9iSal?4a>u2peImOJ*y?#PQ>6P#k|6p9-je$j(k(=n)yko(rH}L zqVpOo{~ZtAl)u7W?BAxHfVl*uU1$7{stl;#5R7O7E%qx)VAk%LU@!LrQvc>FQN#c_ z6bW_cn?%RF-PD}RUs>Ok4$*x)WuN!M;ML4mGRyH)bgmZyABV`6eTpV|Q_N_lcGtMu zyD5;hs~>+gPWc>9obkB4R$udpdLMtVyKeP;y*wRmvzcXgin(sel56`mG=H}`y;xqu zoN>msUeh^krgwYTj-D6V95>AQG2O2;m)}s2S9TJ0+B|g~=CqJ{AGde6ST19rpVKwp zz%bxyc^%x&V|06-7nTj%K4hqFyEPi8!?10gmAuQR@w(2>vWb5vb?&zn%54#DP}jbc zPG5YT2`y)g^S2I3vR})Sa3>5KX4<)`-X`}ibDaiM(r>ug!i1CC!URY{rypM!_P{I}l#OwugAO?Ip(EBUes zfAtq8OWyZLf;UxoK@d?BjqMKvN?VMXPEe^d}F$e`Sr*BxBo^S8`$Mdk1Ti5(`l|h!{E3b2yF1FrJwY1yq`i9vo|9pM!Yz{&HJ@O$C5 ze$Ca}4un4kgV}MD`X5z&?%Vwreho&{pMf&Dz^B0fbV@f$3EM#PvjPP<1hd}gg|bF{ zmOuGNmfsMb=g)yd>B{#i{z5HT$n~?|jG4*zbGr`NtR#FFq&y^J))~ct3g*C?r)ICg zKY3AzY9D~MK=bbt_1t9;S_5}fgd#QX!))}Z+;-+-(8$hc2a8qn3Kp}OJI?RNb-Z5H zqTO)Rvh;ck!5|>1j_Fb6A_1z7dDKXmwGNWomcGd-EBv8q72>zf4V?1xE-WMANs5v* zYyhBqd=yhHE6jd4_+VjR5o`{cwvCG20{v;Na)MNhM5=h$Kl~gviJ^{a2#i{(d<#=h zM%}s*6IscDhg;AXs{gExI*P_d?DvLJtKBM6OsfkH&2wl1Y>X_Yc|u}M`j0+aeu34n zQH1uHnyCX1f2$s?Rq97=5uN*;+U$XMZwAzc8clFPbCqhut|`t2Evq_m8jz)DZXg9r 
z9QtWggcCk$p`aD5>!%OioVXCU;~bUDg6@nlV303sN?b0WiZrsn2LflZEb=Uy$v6|= zj}+NHU*CoM(5P}y*r+E+2@nT!IxW90X>WGIGMez+n1-(BJZJfDZbZqV(RNu3&7o%j zTcDbYS^-+KNSKC`3Jx4k7Jd!IvV=_>mLO>z3a6oB1iW6aE+OE?M>itaXX^;Zzr1wN z1C$1swU_n~Rj$DE`QLY)X-jXQWt`n(ZAmB1OwgnyC}}u&!n8k|omE z5Cjzmj|PTyXmTn|h#HT1p1NSoz2Li{3&XYCbcjL9kV_0jxM4!85daN9Op$ys9%D%Z z)%f`*TeQMNwcd?1F!>@z(K_UtE=%Pyz=b^eN>sD((4ut_b$%7o!Kpd8pZu3EoA}IC zWK+l_1wl4xq5LG=~lvV9GPt-(K^<@tR_L+{xeY2BJm|; zWU2%8nuUw`R$QQIlE|`V^K$G+aK98RER%?KCE+cXI&{)1BN_@}w9J(lgM-EaD6)6` zu$e|y-YqC=4U`~(BJzy_RRdHHc@WRC>sHA$;Z;FghEr6|LZSqeVJpPULc)`&jwvN5 zs%>UclvTI;jEsIl|JISn!Fn^%Ks6{fuBU->^7J}JiKczI) zP1LISW=W8Xq)P`zFO=w}IRU5{0mYJXP@Bli6)I&|B`2_bgoZ+(=!$>1ua74;2;3x^4l33n+VPsxdk4twC~xRgoZ zmPQbHSpRvA%rk}mAXB3T&yD9Wu%?*t(Z3!^3TPZV^cqZ4$6rvQDw8A;EVNe*!;+L)&(a2bck2a0?3bW(Z)T-P zhuZUjvGI0|F*eFsMrobGUuuRx!Mexdn23(kCH3^2fEz2M0+L}j54fy_{2y_drrZd1 z#?SYC>aq+#?f*RsGX7=cHCM8opPyi!BcU&ebu9miaJQ-x5_nn24{;t1xjLl)dWBzJy+;{BROTB7tKUyI0 za!q$<-fU#pa9bQtwA=n%Ka=d{I=xzD-*7o^OSNTcyFcl-)q07*$X&HPlJe!VtF)Tp zyj{b=ht~sM+HG-B?B_Z@+ob9(wx6dp7Yw>+JS(GdxL#i{OP`%zu-kP2zm_|^^Z$g@ zKS1VIxXg5YcTB_Ay=^5k$E>u}j@#L3TgHBC5hAaB*gGHn83??NN?4v}z+yTs!buSF z%#tx$b-Enl#g}BdKHsv;&AK$&1d7GFi>h_t+yLQ)dQ9>j-pVHd^8sYG!;#-NX!aW- zn{kXP{)_E1{+$Z6obAWH^``CvEhW$M7@QFEEPku%FDNU;%H_k)T#x3$GT(K#QEmNA zS?zo37pI3sW?$0{*B_2Sacaq3#&9%y`x(^vhO^ZjLMWd1UEnaU%T2j! 
zcFjjZcRB@u$FIhPB4+-Sm2E7BhFFe=3u6Y7s*L8Tty!T;arjR6V?38iU6=cR7`C3< z_UhSh0*C)*ne0A%nr+aP*nDp*(W)`Go6phBzwQ<`9YUu+-U+rp+%}U>*FrP9?91;4 zD3-Efxg$4gXI$F5KhIbtyxT9;({G);clo=!lh3*zT)KS*ji&W$za|}z{>P})0L;_B z1VYGP|Bo&@_o_tI`r}{ymoe#_dT76Jl^;>_43jYhsPhewe2uQx9sm0n8bo4_j$RkC`Nm^@?42k%B@NUJ<8c>Q1|V|rM)S4rqBuxTKo#U z8^K)04vCG5Zb}?Ypw%q$gO11iDW(adrB&~LY|1c9>GC)1;El-+{%z1KF>F3YKPek~ zSiDmRWO1G6S~~clgl(dnp7BCdk6@^rzOvp2a`IoI)+*wF5@$N4fDN_zLtAMO_tos& z3LG!{^&%@&)qC^;=|ucy9(a!~{gX)hEaqT(0c3&+AK-3KheG*|xofq~vn_4r-X=?+ zx1!uqcGyMxuQIA(*@nR1DA*m@sJS+>MA=h|ZQ=BIU9d%^HiB`dQbM;IjvH_E1vkxk zM6$CLP}H;xUT3RHtt#8aA&}eeWwj-U3>H0Qw1;fPpo%~Kpwo(F>5qV76zgqFHAv^u zRU9Jh0cT>NiUs9t2n`8j5gu%3Qi}XH0UCN2-Ey@gDMQX8BM!p9I@`(>YFrqC_NRWEjs=G-e+kvUjLYOM{O7J;nE$R>a5TzLoPTIQ z4B0QZ(|QGMY-QEVAKnb|lBEUnw8xB9F}zSA4#F}Khh9QSp>}yF8PzB?8hgOx1Ymf zYu3W24Kq-ME3sM;@kmMzr9?MBFs|8Ut&$zDbrQ2F)D^hbnl;HTNa07O1i~Sdvk+XA zgGY*r2zPfWBA-ir>H~^!E27AJ992Iv5Ogg>sa#3X@P5cF};n27#$Z5gyZ~Sye2%M};B)ssQeQrIlWN zgwY?N|Ky%~@bSPJj!1|$a22mf;2>PtPdURrTi$LT)1*PmwQ1O4^a!jNRW!$!Po-s9k8;9VpcJd^9&P7v#&yjA8! 
ztNLv!8GceS@~ z4HOW#;)&qaeCh}!7(-WJgGyo=M>V+YO|f3ZUb;!3RSpT|F_o?}9YxPaB%G*GUo{N@ zHI1!9CKPb|J5gi4>IqH>ckbI)-3nX>O)dI^^_+A3D0RnGow!_kaR2Gk<&o3OKh3SiLnrl4ezUgsQ zy3UasnqX`Wu{WdQfu_}jU0 zAfH~>brJ9zhdWc}+VScVSbdt#uI2Uqh@UJU>u*SPd{Cxv!MWYQoxUcT(SBw=R`Z$h zBxgz!I8W)EnqHMn+pU9Wo#!L;My}etOy=q@uf6dYPYFkRKBtJW;|6EdtV%oTcY5zr zox7Fiek_%WE4R)+dwue|@EMVrO~%S=zAZj(pI1F>6%EHMw;p^N%jq5|*k|$G%}Y0K zTRTofdFN{SIE4(pr-N5_)V+94z=#@$ zk+pMrMEab%mUke`C(!>D0ou0}h$A9*27E>W!ULf^+$Mmdlfd32mmli);4+ddUG|jE z+g1)M>i4<1dO&v8>8QgF*il6^O&K6UliLTyQn6QMBDFg>VvH6n)q${I#cUwx3X^FW zQ_Z>Vs_ZTk7h|?zptQkah+WLD!rpM&Le}xMmMDp2GqX4e)Ofea+w%TjajLOn#Fi8% z$m!Tni)q-kz|2lid@%aCJVefaRoD}0Ut>~@B)k+UM>`oWgoGl&J;0Vr`?u`; zF=Pf~a~?|G9jPcdZ&ho}M&at151si3`OiTcSxe4u6}1p&fiQbck~f{rUo8SPO-nAY zp`*g}UIpw{gmQIlA=w}8lrvV* zXPQFb^CEHMl;KG`jSVi~P#5SX>O)To76k&i%K5}wW_9SO!`wQ=BWn2`=@FV4dSD{n z2N^=r!5UMOR)xP;8zL7?s53+^90C4HdcOjbU`m* zGs%S+@@9g}t8vYj&!fjg&pR2d$VZ55%PRgo$JU{jmoG`O{>i#kw?>?Sp71F1!xc3z z%hjz~ZwEq2s4O-7meS^w&BRHFk}WK?Ev)DPQizAn;+wg@inY!?Ag_R2G!HiHTcjW$ z{)lNLe{#b%mxZo29de0%L;n!hT>;wAeg<}UXqjnbT>zWHfQ0X}ERw_BO5RYN0Vj3dtGE)wu1PIN#B}1k|+e+Ao!w%l5 z6FEBzX0roN4sgPT5^_}UxJmVVFXM`FV%_Lp-SWvOLUR(%WF?an%0HLT%gR9h!X7$# zXbnVcwv-nWwSu=uQs9XXE8$IZvuMHH{}?BwgJp=hmq9g!Mj5kkH~sbRp>~(*m&)jB zWnEgyodpH`(*mmB4u^z;zr}CiDVx|%5$}muW#K4FvUyZ}6T(JS1S*bH#B+nhnD%5! 
z1eegusXUWCxw;Ebo2jejNrz2clX{W#@KB-k+&k6%Pcb-0+XrH{bvIbet)h$KQGXeFIwAiEft7*K4F;z+6L zLQ=Mw%uo_#!ywfI(`b=Ql*FoTXkeHzojzyVw8^W!6z`cMrmxfktvd10!U2M!#s_T* z^BZ+=BCkQrA!>BHDDJ9Qvs5JPl3r+nwTZJY&3UF7#9`K_%9I?hlu)Ia#U~y$I4_A7 z^{P0r|ASb*gpXR9BY|4!M<^0QD4O~g{6Ej^ zfBzY)?9%wfZX2(EcWKJL&+c^FayM_g!#-25%YL|^u-|LHgM+ApI{n_YPecNB;-PL|wKj4PsajOBlNYsKU7tFB^e(A0!U(Gzb z%dGHeCkjhD5PL6(&U<0iC!e|TCVGz*@RM%3RX}q)U$Nx|zu4_h^wrES)|h@dZ8zrL zw%_^#?|J;KKixUw*`GfTYag%m=H5qD?pyD#Tb;DUGWm;V9JTpn$6XVetM9wp(@Pw( z+w|XbZdumY=#`6JzUMD@?7r%4{t-J$4?Q}yHsd?xKfmRc-+r5^xaA4lX+J!kKUV>E+eceb$(+-gN#ici8{ZB_22rzF*sBnN^p#_SYM} z9If;2b?(Zi%-YX<5Sg{~yYpvVcHoM~PdP4p>1lSssgJL=lX~I)+pV$Nl{YPDXMbVN zzeYWI4!hS=w_f$>ysO_>_T*wecFe_RzmQB^qkeLSPKMspBllV2Q0tioMti;8nS1*6 zyZrgit&e|W*-d}3-IU~c*PK7+?vRVFP zmwxry$)|nz$d+rbw9BWrymRZOM{o6te$V`7aO~W}U!4+R`v6Nkdg4C*lndeyY;pc4 z)9#;g^o%Xo!;V|r{r`pj|Iq#);w$F=O!_~+m-u)14~XR2ou3^4!Ih{mRu^KMDD$uS zfAFv5KWg$P#(x^2oM0e1Vvvb{ab@x5|KN+oe;lh!-3+enHXGP%{FSMQ8Mt#uxrVQBJDs$MdtdgLBJFc-WkNOWD$y&=rmx_9v-tG zOBz;9kM@m3w&CkgCke(3Bf}S}j2Q_?yypg*5sOrxt%VHk!Ntg=d_#>@Jis-~RIXp^ z*a`#dUPokpVNO6hDB zfWyRqQJbw6S}%2jLNLsxWjY>D`Fs&)8BF1sp3x@kWg?x_xPl2adY0*9u3OE7 zN!kQ@Qs2P4q0$z)2H7e(DKRAqgd6X;ks=mHQbys%3YKb=!Ft}ui+w!B4*fJTX05oD zh*2IuW=%3quy9fFv{rrMxXR1yx8Oh0!cyQU{txm>H0^+$fIR=oC>Kk-Y|;0jL%@wm~bEEsfN;;aW+#jbXMqE@>6L#`H^ht)W$Q4B@2uAk1BKHZ_R%yU*Z2j;)~G_ zu0Q4qalndNsTzr^bfbkPBZAJSTf9RX9du+dRBX_7$C#05(mI*NgOOt6Eu|;O=?pQU z*+iK^8vvTBXl==bTBSrbCzWy-lQE&F-EjP}2s^E)lg$1D=zG>I2R* z6}N_HBP})pB$_HoEo6v0qk1Rji<6vZlJiV*o=MI#$$2I@&;P<8;Qw*_^Nsw6!0|8f zA9&LL^SuN#ZK(^PX+JyWKl#t*3yRo3SJt8ZPy2oW3I>w|M&T4jAn=y(2GB46AOBhV zEBO!n5BLYhfAH}?6IV}?C`w>7LVPp+IpQsSaMSOlTke1Q^=T_S(3=0owS&X=oVDWn zd!Mk)t8av>c0UImK4+_6ZDecH*4yGt=cQYYJ%7rU7a#uD?-jH5;cZH4D{_M`j zPu%4~d*{Ix;nj(`?|7GfQaGq_!=_7|vi$|gdpA0azu7!xjZcri$iDx^t7GKt+sBVw z0bG%~l2EsO`_?x%lJ{;*iBCCak1IEOY?<93@@n_Ia@g$6rCH~t@40p<8Aci}b#mC4PCtyDP-DczLfUR=E?j-&=t0^|RTvwN5(Z zsC#E(>G$5;zWmmbNB6cFee%SrD01CP?o 
z)~+9He&f@>nmX=XwdTh&L-_L-2M}=mUT;^f8a>oqZpByM*m0Lr7Vy0znBUG_?@zlu_tcAAZ_nQxBObVE z;u`mD^zPMOH@fRSKH9GHi-$k^+l5r#rVKc6M&43E~$C<+_2@X{f z!otQp3%`aY^0u`- zdv9kjCEtLQwy(Q&OGp>(PPMBS^=88UhgNffl$T3V=&dV$pCKj^4 zERZd8MN(T2N_c-^CBf;}g;Y&0s!6z%Ze)rvC!0uS&>-z3&3sQgUg?E+ z-3R|cUh&F+tWA~(zfo@OA7_bhagQ2c(OL7amIRqhoUEFq1dk_KQ4m7_q69QAV+FB5 zcgkVS%V0DPakgug;>9{z&9qpS&DJwSn9GpDC{gRD+pR&z&X-9FBqY=UV%4fo)mlTr zBH18q$=TK*WYJhXT>`O$Tt!06PgK=Pt0HiWGcbe#DKkR9r#FE4DEj^+j7d3+k`L$R*^ItKhezit;P@@0|K1vA{i2@ ziC}>%WU9JA`Xds}w!M^|%EbF+!!}4Uuj`S@Pb{7Zp$*CGIAdzEMhXdr2a1D!p^}M8 zi%Np(LPyrulmx}h7xHVdEEe(-^Y`{`a@<*nZ(n)t7hsTgQ3ftNxv$L3Q}D%%+rVrGbn71M_E@j*W$4=tu- za)#M2Q)QWG1E>Loij@v>ej5UfSgfuU8ijF;qg10^&0&?86P8B^29h~W1RLe7gJPtm zwEVy-adxKF17uE!s}(7%^y`RSc6zYG`t6h$#99F&#{8m)ESxNb@U@%}>nHi9%#7+% zw}tzIq2?vpU4Q`5CZX!-Ufl~Mx*kIuca-!{+G&m3R7VxbTtAI7aj?ha%Q4QWFksvE zN_+?hl{(Mlm5GDiXsHnrA11Bh*n_@}Hc#T4NqjSjZzl20B)*x%H~(vcfT16y|A(0L z|9mg;W&cmSi!J>l@c&QSz1E4GAC7A=> zz51TxmpUWuukvR5qobr9_Is?j<;Am|(uYXt#_DZ{-nhk0hduJ^O&%ZL7XDS);LI19 z_ox#JZ(sZ8&yL;r{K0k}P zV4b5LJnt^<$?mar{f)I>J)@J`=jA^>SGx7pqqf^@=|3OjF1V}u{->)5!Pz6NBb}PI&#Z*>i^m4%&Gg+jQRFKqu%Q;-`V?cgWt}7 zq3=%H8rpSB=cYP2pSb?W+vW(Tif?**Ui@5nwGCEyZnH->#Gl&UzU!l;%lTIwz2IaJ8$_VZia&m-vvIczjg5a#}$=}4&VRemo{7X+Dn$5a_927b3b|G#`C7G zb<(mkRqE!&-Tz@A=1s$v`+Rlh2q`=8H*czfFQ78*Gh8^Dm@T$=7 zbp$kIgm%YBc}^~=w(%6omCby$&7f9(+;Bazh*JHKBk74G8N+>6FAi0tAJ0a4Ad+-8 zaQq;zuwZb>}_qMA^zq83V{avg_gwqEJ0d7PsXvAT@+F|XQfYoOy~J8Y>Y1A$-d z`gOzuvrMijyRq>IvB*lRH-tL1V$Bh7RS?WxUA8pCjdjsn&2E7OC^N{nBhAJv9B?Y> zalO#QIj&dExNSd$<)X4RvLjV8S%Nhu@?CVQ>B1Z6ps^DB6QHN`@yJn_oKVJkn#qFuqXsvgF2IA@u)~TKLUPBi8%B|K>`VmmuE3?(1f+q5 z8af`fXj+3YfPw;nGjr)-rS7 zPOW&#sEk<^fUopBiEIk(W%MDBSF@#F3H@&8|FC=tjM&NfKa2c7Ut44Rk@|lY_o(?# z{4_u6Jl z#6(Q#~@6~b~pbf`;7EHTByX(7lxmB8wNIQo6%^WpKRpJI+v%B(ujp}iq zYWq#Yt!TNXlU0X(S@F0k1ejtYp3dtKS*lgLg90hb^M58p0cVw0#GqFCU3!V+OOAVYSQ@vi03B{%`AVzID zWjlsB8j&Vd>=k)3kLN61t+s&_*9HqtqAvb$^MC#eK>BYQdGaJOXfd5+Y0!`3#bz2* z)U=c9F+9L@4AXQV6R)Zu-YxW~Ue2qNcB~n~YFEZPsq#>1lND^_cy-gUZKKKz%fujP 
zBebaF857WxxuMfHonC9;_2WIBg2z&fgY`shTqj&8uVf6kP#(c8vPIObnwl_Fqe#+9 z5oX(bvKavkLbW2;QnXMj+fad#3}c-2hR`q<^AxsdWTilE=o2s4i9;Hv<|Y){PQ~3; zBICOn7}bEd8fYm6MhGdNX&2i;Gel4s6SO#5=Gs(`^qsWTFk?B(mGxW_Bs^&xZwpCW zi}Rf_l|lfwCAB!I+O3v`eIiF?MlsHbg{D6kF-Eq)Xk4lt`prsm+_8xgnsQj1Zw6yp zL~T}@WJQy#Xp$98vZ6^=G|7touLJ@A&l`aLE&ek(|KWRyFY})hADmwQ;rR~&Q8Yvl z5Ji16|M^D)5QRWLJpVz6iIq%~1Py;P|2g{B#s#Zgr{y-;ZP)47UA*<4RB_!SwwdXl zyTTi*9kKE@t9)|PAtz(2y#0i5+Fu@Mu6IEAVe`^kXR((LpN)NR9K+pNo|c+X+HiGZ z{n+l0%=qM#BcGjfQZ#t%{rk?pboG-TKli-p`>wU+-dnT&Ofx@c_}Fmw=0?`WFU>uC z`YSg~Tjr=*PuypT%}#vOo4&Ms^|~#8y^Bvy9$(q1u;;qa)X&MAK6qn?H&5M?p8L0- zZMozM=a6S^uh;gL?!`N1({oo@^2rsQ>C=G)Z*Bh4@I~V8b)LKC z!*f3WPWjI=D<1sU;!E2fxTU+ovsZyH={wzdMDguoA3pB$?c5ufb=Ev%m2-|;Wud(uNI zA3b%a!{Y}Y5S)9~$Kri|KK|w4z|VjFdg`>F)i#)O*No!k&38(7T=e2!H#qb}{mpms z*Fg7S$d$bfPhMotyhuc0W=CdQPN?;Qyd5p~C89GyIat>cL zNVtHPs8Z9^YIu~aWDyU`hdQVhF$Nwp@g@#1G+eZ8g`!(TLCiUIiVszYC+)76>7|f9 zWr9epl;T=SkO+99GwQ+((e!fFlx0NStOo)yO6^xt9S<$V2e8rcll6o((h;~=t)_#V zCJzZ7n5EK^JoMT2X?oB8nz<#^_ZwkOgae~8!x#q-r>cucWTQqGc zh}F4-m8o!G0u#Womh>^T$T$LDsb<}dJdiqAtA)0ddYT8y`CK1%x{f6(o`<^?wGFXK zTFdcJvMqq-uoZOd1e?c0NtY6tdQ5a^n~kTao@yt=uA2ioBg++Y^-a5 z6<-^vB9&DbJ5ZI0bTgUNdkvWe!2<4q6BjtB!(*)bNOaOSDF%Op6*<*-}h*e2eG@K!q)Nl}2E?c7m^@YW2WI z^zU~54_k^8e)end`v0}Mp_<_EpC12NtfOWT{~0Zg%ytRW&QqgCH-@qR+aKzFsHF!! 
zGAyXB-xv<@woR$vI90?Pq|h1WTe?3Q|Gb~3$sQ-WX-lR8n}&dhhqyQ6rnx{5($^GQ-i@+6Ei*wFilvhwvb}e zQZyzK!LXq+Xd9Q3eWhQ=+)*M3bPsP-d6)LRIIN~iaty4%QBF0Mdr?xT{AB;lo~&L-Rs&+!)yGSR7VaLQd6sFqjM`wl2Z~Bvfbh zV!s^3T4_a99XBJ!LN7pUn=yn!i7jNZwWes7DsH(*m8EJ3D|s3f4XREva;gCXl2EsL z1yJax=^Rlg6GExnwZKFk_3~Q3hq1|$2j_~Z8j1uy?@-E^571=4)AF(g>eL1-F!9h( ziE*hRtwYrsBsg{@lZ`YZ6YE))UBU-Q(5-4JnV~H+G#OKEReDa@WAPd%47_fC1Zd5Y zT;)6U0P3oV5j?aMCN8BDEM)hkq&19Ul&9K(nBxk5NrcI4sm6zyd>F=zX38H06c7cG z+QFobIQFP+EI%&G0?veLXWVu)xWl>Cl$W(-WIPFrCSlPeESiKxldxzK7X5^SfRP_1 z{~@8t`rr2vU*-fW{0I3b{saH;{0E)*8zyiJ#lM;VJaXib zGyk^EX9ls8J?F(;QeM_|5{g*!R=sN5F{OT9am@9vWxo|`0gR+Y-MkM@m^c)^~X=%emm-}l@6cURs7A&leT~I)n(Jy>^blEtJ~S@ zYnc+Y!e5@ea^9AY!0(?v_2{SHlP_CtUi-Y{)tflm9~^FY6m-GtPnKGcUVzWr0Jc8}Lhx-0SK&d+#}A`c_xvSBKZwZo};hr(w!+@r%#$UiH_#Yrps#y}ftSmN@au z>5reb%@b#zR$*`Gqz>2|O=k|+eYy2c;E%lUJLNw!AN~Duw$T3V-?m)+ftyb~fBV0l zHsicCAN_ea`&jz5D_=c@z)19<$t!PYZSK5 zj#+)X+;hvn_vUNBU+%kS%DY#qAClMeTVE#q{=N%7p1Jw}qmNI}nz!w7 z9Pk&f^Ov2B8_pU0;n>VGPv27B@b%1_PZx!&P99x!|v^7Y}%Ft;iig060*Cz78RNijITOA(j^)m^~sMSy)@vZzn3=O0j zDaRCwd0EFT%Yn3nj19x@cjEa8_@-Y65Jt34m! 
zy$+^jeVnmKQS@|QvW&7*hP1I-3(Km6!XyiiJ8;!bvm>gC80A3b6p_rd5R6xAP!F)< zaVx{8DLo#~wSBQEA>D*prMN22W{Jv>=;~Frg4g@D&@aS5N?@06H6Ev<1qlG z_7tzuEN5C#+G3K~LD}i1Tf>SahS{c3AJPmOD|Y*`6N@m=HsVm*&Zko(AJnLHrU@1S z4xd;xEmkgDrAmZ^oZ^i}uFF%ys*&*tGe&V`r3I<&COy_^IT{R*$VqEpKQpm^QbSY( z+;%*vy0o0A6Y)fIXwx0#JD&f;dL13hPR{@NJO2?zKRy1lSVzqw{xe>zF>6)6H?eo< zdahmvq%z{s)flMuWD)Eqd)-35X`xbpv2u{8ScO8nlpoM+NVQlv7$u^5HwA$iDn7Bb zYkVuxfMl@-vKh6jvU~yUrYW}-YcvPFaWrB|ExG2#Ic-#kP`p>nM?xFd@iI{>WLvRj za-rQ%8Uae&rSkm_C6;0cLPt5!$&8g0S%ld-&52TuDl21Bf|38xG#sL_ESH%$%Q+jZM?u}#xhb$Q8+C!nBN>nRBhajEt(-vt~9a+*+5o?dw3_)=O zGr;^<7iiSug_cop(=0L;5+kG$NrWF8mFZC`SxXeEFfZ1|kzdsydMMDHUcSzt8Kao( zLv^ibX7hk&+6df9snicQ|K}h4KZ`T}C*Ddl&={cC2A)F&1l98SQA5_7z6vT_Di+2H ze#5NQ>xsH;=(L*VYeG{t26l(fBMp~x`V_A8vT?v=m3}#@2yP~bGE~%tO(ivqxH`ij zI%t&{vzcsl5F~2Zv4JMYxUXA57juRv)X@vsx&wqIn_B2Zg9S%rlC(BZ3Zfgvf_OGj zYY5o5l_|E#5}fNLAS^qG`k|j{NG7jS$y&8kD+mDAw@c+7-^Tk!XtXn67S9s#qMmnp zFvc3JISNCI5na6Jv#w70701l7vMMIBy=D_p7#zq7FoUet7=*XbXbVEpGk8 zX8Y$i^#Atm3&Rh4eDLh^*Iqqs&S%tdH_U(K^4wE}vrgD!*>jeD**S35lJk~bV*Y>J zeE))t2QTLyKI>p;bJbGz+HbGpAJ~@p#WUv`SBx&b{x#zIO=dlB+^UsTY@S_i} zSm(_2wx`gZ;CjC}czkdEUH#X@j3aM(a)EirCG)>i{zIL1OGRy7bH!E{8TNIL zf3U%c*Pir?S5JJb`pNuf?pQxO>!v@>{rJX1?!0E3SMts2Ph`7u8@udCPCNdYKhH1N z%FnucU-7u~QfgiGwBD7m+5FqZv$DgR=3II84Dj09rd{#;2hR+)Snu-kst@%$*L{wC zvhz_>uP&{25pwk#EA6%S84t`$ZCcppmnUwt-tGq?TdlDB0Uz!7$tao$riMz`&<;+5+k^{b=jym`~@!eQV8+dTD{bbxhn{_I0m_|tMz4tjyy z^FKaWd-fh@{e1b0HXomIC%WX@rRAP|;$Umjvo2eUKJu|QI`fyewtC2^{xW^byIVZ; z@si0yrV7VCwaLubUE5WjKVotB{}=lI1M?r4_;UX@cvAnrm-u)150Uqp!=If0CsLw` zoGmX$N?!QJq1=D3$wgnyf9#(e|4}CHUycM!p14$Hyjc7vT1@{BP5Maz(?dIzEq5KV zz|{b>-;3Evy;CW`U8z+XwaaoIZX@M zIt%xJd|JoAKBT~X4-f11fCXzYn$0M%-olWHyjM&3T~w>0HBWTY20HOww2J4QQdMya zak5PUu_~2Lwo^)1DHDcV=P8UZ>1Lq^CvqlL1f6`jK|pmx=WB6i3P3a0G!vMhj{w zW#N1Rpp|gZ2p_e^F``gc3w;rake$jvas zaNMlt2Yg{bvo@Im6g`KFW28iuV*H3pB1tmSRb$}9Z{0yWw;t;c!fY`Z2+0~8fzOW`AxtPZN~5P-Tegod?Jif>^3WIF*60LkLt8+1~? 
zpT#8rc(9Wq;*JufNY{(*_|23`$Z8GARmoVmTvhvwkO*80FY_n`wFt4;jcK zrDFK<1TdTOEyf#u~YwSq9;V8>8$#__o*ftXd z3BqkkC1c#}*O7j;P6~-m2oL3vSskcI+G+q4@NJcKK_S1uc z)oW%a(s9Dg4?1Kl7tg7kXoxDq9%KY8UM%2EfHq1AtvDD|AeVQV*Z>!jx+$?rzMmXd z2c}aPl1Sk8h`}JO+x>2HQ1pe&s4WZ=SgF`nI3U?&iVPuRTviboEyG*kx0=s3iEt(n z&LqN_L^zWOXAc+j#%!jIkAsUUhPktO~3v0ea>dq{LMbA zTifu@SKeM%ob}v=TWf80`@(})Y*^jwcDi!$OmUUJmexCHYW}l9=jLsICzyG_NB5kx z+nLM!#}QR4_LmDTd1SdWmRNh+4}P=1q$8KQYwUU8{hJ?hQ}f9Wx1KfogbiO9U7h;m z&}BA$m;dV)_vdb%UYvK_uD~V7PJ7>3aa!k!->*O$J8t>N%IB}N{)xcF`mv{e_|OK( ziHdsvhPk7!y!_&|_kOZCuX55m0-|hnZttzZE>rH_m3@#{>7!Z3`Q~@Ze-g{R^f~kR zRkIe{HGkuG^YkSA!q$ zjjeahKRNx(I|O8}W@7neHYE?f|FIR1`gHrN_xbaZ>7_p^iT7T2j^u2-#mx_AZd&Pq zr*>?-`-gkQcTb%5+q-{t#toGxn00>l=hht?9<}wHGd4csmV?$XcWV5(I9q&lZAEa* z+$kF#cMO8ytM9SR!Jln-Wa6Hy9_LffEbjjQLjQkg{||i_o<{|5hwOL-z8 zea(Q1A20ublxX1`oX$j!%0T}j|AD@m|G+;z{`1A9F62KlvY7k_S}gw4fhoq%G`J$H zds#ayW|?>!u%vziv@w?Ih@Myr>Io52U1GpArMfwy^aco*OsOt*1&AmF&d>?HG!%Mh z(9#&9JER4mLzlZ*UmVj6oof=RZS$^_#>t4Ug#?!z4&oS#3r;!c#N+y?BUH0!r4qJt zmf08UVm1byfB6(LSxrH-YSgJY$Q;bKh;MZ3v%$bL;1OQzQ>GUIm4NmlaR5#%~# zC~<1r=?;(m^j~wBHHyNaWGq3q1}b6~b4vL?N`L<(Kz;2Kh%Pm~P z%h_UCO6hEg@)?^bhXgO+#C*LY^l$V<61Jb z>qf2M$AtPY*)mJLcuxZ&k&Ttz1|FNpLd{IYYKmF{8N?`99H0 z30MQICFEFD=l!;Zhf=Lv1&~p>YIHkz#1U;PW2Hurm-!a{AAVtdG0gpgye2DHX)wuu z7V)3)PmljB)={&F|3Hg1X019TJQKF+)iDh~p;oXP*+I)E2E{?bv^+#*Ydk3GXq`#6 z1tycRMtG%!Asv<0+jc3Ag^Gy4E?P--`g9*~1heHSCff?hl$uiz)r68|fk^R4UXsgo z2CYz~7*{WvR9_xDDYRcpg%pY>lw2^TJ^=^n#2d3;EwD<6NK|ID-lwBkn;co>t-Q}>W|Z%jGzCSF{fK;#ImaFxZ5UawQeNj9vuKwmf|8E6oy_RO!PPzi`5y& z6{=-|Fcc8c2L={$TF$mY)<79C;oD#b@AwHs>VQV3>;s*!MYZb1>>!B4tyHE*`a}}W z#4%>#=T;CXM@V(e*GE}JYZ)1+0D*cg-DWjp4CZZICE7rUmfICPId02gI?h;;K(rW9 zQcSr%95ExFmyuLhBNK`$Ru~5+QsTH0ABL$$x2xA%8Nviocx&A6=8a*zoM5Y|n%nE- ztawiy)rTcj^xDHVnQyvaQTO`!4&{(}xG=HD;}hFK0R^wq2eP$Nre9=4t~y40NzHZM{6CEj8T_T70dMt92sD!$hju)?ls6TMexn#3otMBrBR^MU$*(k`+y| zqW=pq@$mHHA9?AIYizsDL-|i@w_bF{IkAJQ$A7vr`^WcYojm;%^w4GZT(WoO znx8EH`P=WV3!Qi9yH9Sk%=Xt^-kp77j5%+|<#)M!i|ULE?tSsxU7xs%ekUqid%iXQ 
z^or*_bzyDU{b#*uxKr-iXNQN6UU9Fx$Q>^H-5WbzvG3Bi-MkrkF@x@Y^T{9FboM7N zJXe2V?RDm_vTowH%ni`P{*$Y1UVNwe-YLgjc0E@yc7{?(6&?!W2Q zJ6_rCjSF7Vgg0l*61*GC@qwQl{n{!w?mymc>K2FPCq%=?dw)PkB5(dvE0Z znHw*&^nS%#)_+C2;;<|3xN8r2*L$&lf4e$T)@_O#vjSe_*iz|eiH~QU$$1XYhs;(vW3- z^4jh%QwN=UP3p=$&k(+IQ}dQxXYI1gvui+0k^aHAZyGXJUsZZyO(NqQn%e$>BRAOM zy;*1TPrR|OFRjx!?8ser-1EWP?%VeRQ@P>2BMUd5eEh7JPu**!&dJ2vhaFqm8UDdO z4_4m2fBR#DjUKsuargg6@&D`gAMjKBXFC3WCF`H@9~DuG=C`i?2V69afv4ycPf1^N z{tx(n$A7xuR4$H8y%xw~`VY8R{sSghs!bQitprvmH(jhgFe*S(E_<1Aznte0i#8p; z+IAr_>)G|PlMMYw8Pl*nY5e5>%BsvTPxs#XvM6R$hHADvxr*?l_H*&k{uPa zCyA0a>6eCiRAwgpuM~OaRT`?GGL2@_L;(%CsGjQKBSleVLB^Ydbkk}By+SsZ)5SW;#{(T# zov}rhZC%sJVWU<__>^FF(qmk0*6XEmzHIkHgHM}~w-PCxqKs^+i*i`Mz{V54leSZ3PSA>Q+{k3h!)B7}(;;3SmQfJ)9I~l)0o|(W z79~`xLfCSW>14m*H*2w*t0dEv#2Cu6wPu*HIzAmaZEvW+SqV>|jbcAf7k#Q6NdT9v z+lme^>P!?B*>MMokRh9E<*RXk`mSO2GFb=%HD}1dQmK?s zE@$nqozTklAWl^!PxvzPf5=7ie}cc8|3fNixH6pfpO5`#^6m4V#X4#}_8)Mu>VHO+ zv^<`)Q;^dDhW!eTvbJ2I*g%W)1P*4?ZdjeM+&h8P^jDl&wes7tsN zQNcFi;@IA!I!7-v_#S~n`1Se@6K5SW2$dTHP`a2S84;OJOCt72T=VOi;!i6ZN;CyW7M**K4 z^o+WnCff>7vnOxv zA5OG1>0_|X7)i@jSUOEj6t1UaVz=Pd-C|$tU;sHv&>77_)K13@3I?xmsg4vn?2y!H zP3VhK7>AJ5X}7YqN&&1z5mf0Et&r=3rKGO8Bp`Nhf(p7~$0&{|M3g7(R*iBdwjIYA z86-%h+DbOK9)cGQj!9Jlut^p=3Yi>oR>fgkC}0&B)tQu2VJ=zHI3({2!boZv5FBV@ zs#7vzo{{s?#7U@qyTN8FWKbr&ViaZ4Dwir&M}S|hj#CaprMg7eu63Jb6jh6(DrD06 zOo!BckdA{s77qPng)e6-QgQ z(M>R#PNDGU`w#jL{)2q|{)1sKn1ZmW&-3T|&+Nu?FTee|ciqnCy}fXWU)I$G^>p#F z^iO`a`;I4Gp==JG@!atb-;2HZ=IVQ`x7i!(zXmssFiv{(u;Z-gZpOHN&(8PGTJhyo z$shml((F=C{SImWeCc}+Kk53n0?WGd_S_8dsxzYx?>}`8 zc_Fdka&MpT!==t#N!n)TUo5-atEU|E>N!2&fe-gteY1sEZoO2sy7%>~-Z*19evj+V zr!RZrwR&U+_&yB zYoyPQ&J7MbdYONz|D3Y%7UyQqso(PZH&0)he>q>f?DoS}q48Z33+_1OwsZe@-K@$Z z%RIXJYd0?3^0f`0-t;fWZg&6Ae|w6t{=x+t4OTmP=@*Gjgah~^f0|`(`_*A{j{3vn z;%*zyTJLZPQJDy5q|8=AJ(|tfO~&VAmV- zFWj*8UYl(BlKjqtYj1eK4dkndcB)~Lmcu7k%FDQT4^G{~f2-WW)J zHjGN$L>MGUMHvQ~+et;@s9dx2btH>mS#|`(QpI^M&Nqvf)~Mg1>hmu@e) zYn4B7YAfMcQzsBa(G>82n^a0Mvx@&>6b&^Dqbj`Z7l34}84ZQRkr_%j)KxWg*KNv* 
ze#dW(y-^mdhg%nckpJtA>9CQ9ONC8?M`2`<8M3aIzs>B&MIcn*U8#baoF?6_us%kV zFF7%s8lhSY5q%`V-uLWQ{e#9>)ry?!qY%0dn%r8x%&+`Mo3l>x{unqs*L&+Ew>rx& z|H`V6CtuihdiKghl&{i~gXEQ&3Gl2-c!hQgl?qbm7dHlw*dRPJA?50jTcflCqDh9x z?m!??M1MujYsam*%WyTfSITQ0u&~?f|KK7cUtn}9pE1h975XxQ)Ke$|zI0WBa1b!q z@!~3e=@3mz@&LZId(ZYoR2p7?TuL*VkwxSLl>> zGFTh}i#6Y~3?~fSvm@^x+$>r+y1a;UwXwY+OX?#jv}HC8Zli)p4A`49SOK88Nz^lhM7ZhTnwa8KK)!RHeW6qAPkAgU_aEnp1ba z{_3kaxrpDvOVt(l=@uY6$Wg%lsi*e1Aoc^Z6eAUj%;K5x^548(6(834ml!117GD6g z4D}2D*8==R!puG4nE?>{p%57K8KT2-5>i+w0whWs#*BJ<+i`{e5b7<)@0rhjRfY>I zf;3Th7Q@E?wW+MQI-eE)cR_6Yl*Yqq`T!oEZw7${4oaDX=U?tX5aAp~uq~NPmX|5W z%y^j54H^R;No<~Ayle(CVq zBP_)0v*rhSSq;m-U-d7UM7&AHxIOQcczf-w-ORw>S=~tOaAas-yfd?T-}koti@3wye2L_0e6F`JPQ$$-0>9pHpw7`#j?01>nD!sb(tTd>FD zOfNw36}u$-Wj}4MKB!0A`DSQ@o+CG$fSdB=65c2CB-5qt?)$ds=6PJurAygrlOzb% zCnFQEWiYM%>b=VKdd9B8Z4h=GqqF_c`~`uV+4g>PqkV@to!zxCw;c3DW76fY!+Wz> z-Q(W#_K-}FQm}kD$Ufh*`N8mgIl~+WOmDfhcY2_!Hs?XSYG39y$?_iB24p&3*#i}T zg0iNa9xE?9yw+hI2Y{Dp0^6Xi{C9rM5>Bx4I)<*Zo96AOaQ2t}5w@VFVnIjo!5d!^7n)a#12p{_crP6os&9P zL>`x_1~#v=b=Z*t4;9VdcBQ{vOz~bLQb4)hR$Z1GO`48#nir!bFQ58C3PL*8w5&Ba zeZK0Z91uO+-c%ey;Im&r8bAHm8ABvzE`izJF9;oUUEh4Kf>)pu;G6Gd|25$5BSl4G;;K^PaW|5cE8Xh}8xoqlii-(({l zmL&8SE7<;U57$cVI;jabhcycP+ZXQ0NxsljbqXhzZDFcOn^{hRj&uzj5HmoNJ>je( z7l(`@J@PX~C<-2D2o=o6L&sa`s*50;Kx03+oT$8HYe5S!03Y*^}+NHV8Tk(L>Tm@rf{ zU!NLE+%X6?)nSF-g05KmaSAZV!~L^fYpNPws?@OWE67~LBVVzh|A!S$CD=ocd#&j~ zg*xZ7z&Wm(gj(mZ034Sc!uM6-iQo0dVPv8d37Z-DeHQ^#{ggj=ldFR-CO8wDf^A%F=M{l9cg!k^Lq_3u zT~n5k_%uEex7xuHH zNgXDHQDL**Hk-1|rNSg$#>yD*&M2BvZm|upF;6Z#A@&*d zU9O6gK(mNPR(A4(hau>>m_kjkzX{Hu`hWS_YfzgM|M?LinprM5q`CNv9fo_>6#m`C zpo2rVH$W?AFU#8yQl-Ju5Q!-xicIGV${g&y2sM3|o?v>*nCClh--NaH>Ryce&@Ta{ivo~QeMQaCv zXc&4gR4_z`*^iGxIwWb2*R5^kmfGuL0dt=Rhgl_-6MM3hAHZW2L6himHmRgpVie^q zj>J8uf*IGRx23d`XV7gcv*BaKvo=}y)66-qK30!c{zL61T{@h#Qj?7U%Z+zxIds%M zP=0I>O1Ki^B8YxS3S!KzVk57fCmCbHusdfTsXkAQ9M9La+F-$vU&ovypAr#Ojfa~J zuvNZhBqEJ#1X)MqZ?-sD#1oGam$;OYP$pN&?D$L8`47=>tO7UTzRJJ-dv`w8|Eeqg 
zPh#=tW1FXYoN>l~`uMr?ua0kzA3(0-mjCbskj3~juSgh43+~koH2muGsjb=ZssEWO zQzG|sfN#fVx-J!BJ%|4N;CGHDqnq>b5SBwO=#T)96y1n7LUK#<iZNFgzg*d3yVDGHdc_FCtm(i++NesMF=fW4bjp4RCKwXx-!Hkb`Kv`95#V zaGcVJxPIL+fjn|qKQAF7{<*cM~oXuqv5_OIJaehr6jiP|dTeqn2?{vAEAHfBX@-CY%HYz!SXhqZ9!gue> ze$oxmlcO5kLD+Ch`Dqba#o#Hcx@!r%J@458z8m!GbUFH=PiHq>JiuD>-KAA*Gd61g z{QzZF$H2=0WMHAIyyvtZu<3TUrQpP*z5z%T_@eFcL|tR7qxSyN!mrS7KK)uxy3PBL z9psU>16bOV>{-8;Npspbc!SUOuzHbQfm^tl>H1mg)3f~x z>W0*+<6inN{t4?1J39vv$3C{rbFpNFkE`uP)vF@?SWo%2*Q*ic$7RyW^=KBONeaZA zJmIx+=i~Cur#zd!`Or&$j^7m$$wFmz>w>%c&G$LN2|I&*t@O%BO-+ z+-WuI;?{+C_N=$PXk7Y+|0dv%u`e54^Y5-R`bEwyVYm?w^5^o~jM8-T>ECdXqWCZW zuY@m0;M?<)4=OrFrh6)*jf=syIxSF~AsNVlh8#zvK+*5WD6X%9T^Zqf5^SsaO%jrA zij%^9aIg}M4cfFtdhGc2vXv5Z%iPwEa%gglhy3ZLz-&ZO3>05ZY~>=l?*tW8>}gD$ z^yTCm;>5eWlggc-hNbD=bkKmtm55eK5ipu|kPE)DP0AlEs|pu!2m5hOWT2OySZ<9= za%f!i2V;SFFD~EMO!1c~RF{w?Pxu>n~-M{PUl3 z9&e?qET(A|Nu!Yb!XrXK$FMRKr|w6`s$%5lPQU+BJ`R`S?wZvbB%ReA7a|vDm91ql zA^8o6GhhrWwpqw4m`Si#;1uVPujcW}n-rAuvjoqT&PIiM`W9knLC(5S)jTNY1ml#$ zJ@y;6FNES%gvyEz@Sw3-i06s<7f6sXnGbTK(3YU*VWfw0jIJlhs5a&s^I7h71qKxw z^%}d*QR!9*H<7#7Vi#RuY@3ppF48iqizaov#m@e=HjZTUw-){rgLNi~YO{FG8|y~~ zD=_zirE6WR{7rj=*aF-2uR;K&t>kh@byp!?A_t}&sEZ~!S_E(CRK#W z{xFE*_;iSE_R6uoS;6Kp#2l7RKux4{pO->wIMROGQLXf+%wp;OGhIV|QGdN~zrysS zt69`sl3sNVc&kigORGG6iXWFVMJTLOtWscZ-m8(AAgtDMi@RR+-ddQZaqM+zZ~z$( z9kI+6bLx^HCSzzb{qt|GEW&#;(s~D@=2U-f`82GBUp#X;ViLytltXp1VcepjPegxz zSGjZ0UW7syasGILSzJRb|E$PI{Y5M4@hsoTZW#OEWm4hhZ7AG;WDW> z(Cn7Mex0blWpkqU59FR4Q~u%2s0G9)SReja*;|i{2=>-Do*Lt}14sI+68Cb?40u$E`D;w>6m^=zy+W2YKU*#KDfq;v!@s z5om|krf_!)GK~~;mqL)knfS(n>2gOkZ&v4Mm;DC zHA)h7*7-_>6$KLAq}0FCXzrg;f0iT^owuz+koFN6J;+Qs`I^Rk#x zsyyQkz~tBZDkmiv30M59X2*Px<#4mPSFFRM$#-{Xb=|7>Q1$cF1<|j?%J917q5p*K z%GxZ)A;o+Bd}H$cC>(HA)z!7t39rMP%&E7=j5)a~l1axe)!k9}c6$k%UC33UxIiS52Ov&&)#6xvs)_9I3 z^Jj2-pdPH_^Jg}k^ep2=oZUSJ9S#tckp*r)+OP4D-+WNmm27>sig*mi6J;0gL) zydJ?%8$GtQkIom$4va4|JU_&5Pbb*i_by4tVN+V~`#-C-uJ`}CI~1}1>yBESvAFU! 
zu3Z=1zggilJ;Fz2==AEhspdQ@Z1}egXvO{~S~M}oUkR$|&9lkEc1Z7~f52Vjl_H&E zf26zv*n9rl<+eC;2>-%sy=H_`fjaz{moJB@ImHv`nTb^_IhagQs89{-UqH>lP&{WIyDaVf(Q5)=w^V@;2l zsV+TOgFuao9U&uH?7&=V*%e$gzp>aqpWB>DC<8=PAL_c8C5!bh{zV$B;rHi!>#6;i#OmHgW*HUgU_wT_=m5cNVweC+L+JutPD+YBf=9`u7sY0kjKmh=*mZp)msT89K;X>jAn^Z<elUgM#iYAoS6nwzDEDB|l__a{!3$_Pe%S3px2 z5+1eQaj1qE^dFAn5niEb0nv#++!?oUS#U_2MA_Awt4pSZ60GkkqL=sPrQy;Shn3tB zNlZSdb#lq}^PgEb!Mb>nHNo&8I=gde+5tMd{x;;QRF#E;0X#(CDUvD{KrrE}`^*ry z4T(cw6)Q5Yny7=8PGp2Q{>&MRhzX1FtQdqkqLUL6%|CphF`C}dLSD#nQp+|fqxpOl z6+8NXi6FaE2#BB5y-p>A7g2?K^W?*Va5M1ADGR)?d$*o_;2_$i8SsrWG*i_}m>O)E zWOqJRK=$%PJet`?pl8OXiCuJh%qNsuCgVlP&ukPbyc;;l-qx|Pw#vZ?G%BV_D+};3 zJC46WwrndV6A&bdL+yOokE+>0V{){8b=p{V?bsTBW+;CVRd#5$WsLbgH8YY~Xu6rx z5W%HU2aNIIO(<%##xF#ciOr1{2TCar#5f!)1&$$@Pn91W-wQxIpHpv92N*F<@1m(z zHc6z#v)&1$SCLp&naA7{kUKFOM*I9zOn{aZ06iDF!)hTbR|1cM@)MTMSKwX9U#_BCmOx(&&2!(G7bQ$JSu28|s0=}Sd@sEy19$fak_?6;{e+I0`-wnMNZ0qp z&T!S23OBjQy6jg6j)G;Ju@RO2Q)5W&ryzzPsM2`5$~p;42}c@-{?;YznVr&P6iBU6 z@#-JtYnW2*^Tap*5fzlB;JyXvnQEn3Ozg-H!tAa_E-duD%9jUuVK}=yD7D;8Ml&sN&TQ`EiSvfi^(33&l^U zckVBcxSFodjm3hH`Zc&nf28}j4`xasoesFR{rX$#3%tg$cS$^_u|7$%>dy=3K74-F zkhSNPnyD>7%!F0r&>Az%A@vb?rN@P2PJNi|hDgtc)l+=d_U0qRG57GxN;`sX({k4YKd((mfA?j^O3m$XSqe?bCh(N$=qRR5SmPjZ z2hU;dC}h2`X!EgT`h{S_<=9RGPh=8LYjw-^0)nuz_3L1D1{%;u9s|7NZn>fFZaVka zT00Jt?J5bzji1147+2x`GNt48kU36*oi?*}9bIbCa)0^C8n6-klHfxXvRLUsSU_3Dw>5)~l|3&Xy~*+OK#Fx+G~_o@R1mJG22d zUuvvP_x!grCA-twDfFL{d4MYC@vRo?_5m}*afT%yhttWO1((dF*E;9k@}n1Tm%EIb zP9vVr`>v6u>W+Ber{9ZplNI3fUyPTK`|0jtH031!g+G6e`|^v9yZKbkmnUF{*ZZ3F zU>R~~NtXL-|3T8_CV9=cz@u5i?I`102HdmcF*9We-BLX3#-7u{6(Yud({q55!Pk-Y zcx*~&G?RhQ;n`*M;%<_L>GQfld4TGDUD>$xRFyQD5u+bk?W(R5HA#%Mqb;)<~#WcE6u?!O&FV+Eo$Vyx)8S@V)H!=m8nR zfk5N0H_#`3;3+>6r1T5$Lt^>lJ*IxtC$&e~6@Pu|d}v0@)njKe@L%rfWB#^DXMcaE zmJUl|-WcjtOhV^<2>=lnG)KyoCTA_y^p^ek=}r;qYwhIge?NTg*Am=lmt0f|Nh0uJ zQrTi&ADhZ<)Hzm*t#(3m9g0Btn4+MvovojaupzD)WFVTx{1Rzj6b2+;z{s*dhIXVl zy!(R7unTbIc<2ccgzUxkfIO`t$t&BRwoQE6Hu(V((<|?E3^hmfINMTXx2>gr;G0HO 
zq50ze>gx9!;EZ~Zp`_?$y$ncooNW}sh3=OQN-Bz*YQ~9%lT#c=sC$e#!um2Z%>{?6mC_+C$wcq6w)P&;zBAb zV$F}5^P;%vIPjlxR(-rP27zUn)MT-XiycVw9NUNJ*||dIai2+w$9?)TH`rnICCZA@uBoy`^>}6BtszIa_o~0+8W+t^%V-y148Y6~ z8k`Sj#UPy>lXXF&8H6H+ahn7uUNV}@*=tp&O_|Wm6>PEc;`7$yhf#vaR40~{Dj9#- z>6xcK9wnM*NP&S<$R!0+2Z|#lU`ghY?PR=nx*j79<;TtEsu4u(mS<(KTs10HHQg68 zz#GLWjW3CBT2fQ>it4FdH(rQml6nYoDJnvpsVfCSdrRHYP76H6qa{v(vfI%@)-4?T zyi)A{X+r^}hzS21Bow;-N*+pts|`BKvY4ArZe%{mzI+U`J*#(VLrs4bM|w~g-K5B| z&Qv3EWM5%E>UOq2+&4xAmfR%2mzUQ9>B_V0GXeNdAK>;iK)cRI{N}Qklt|RgbH$&7 z`z>&r1Pl)Gn)}Agq%*ktgi0nJ`Wv^6H8tWH!~5oLvl|u}G+$}9s7gvS#Z9W*{+?Wy zgMi@voj4N$F|KlJ$e@EQkeYVg{1B;yBNd5aNJgA{C=F5Gs9$&_YDC389IJk5#JKUR zUTyf|Z<)WrzaffMGc0UKwsqw|(zndmfylt6lZPV^IlsN;Vu*phT7N)b zddNXOhV*{4I1_fj6!IA!-uQvH5n0TUpf3q=l5GP$qi~~&G=hCXrAD@4M7+q^n+(21 zfPS@h<}JneN&9aJA~o@hWZy%JqZVe{;2Jh@Ts}^vUDI3l)@CV*Dt~Ve>S6`Mdd*D1{Fit`R4$ zV)|_&a)0ZUh4~C}_3pGsla~Ckr#1}^VvA0R7sneJ@JwfI6afgJgIW<4K6+0tK^}?M z%{)bVwn3c+)R&BeRtc8*@K^(1{Nu${o5HCCCv&g*5>$j+msE6Y+{pQ$2g{rbiTVnI z;qSO2L%yd-hD*W1h`V`Hc|-Z48Ma!|GM$1&^2ha8@o*-)n&{)B2lnm1A$N0=oYd&? 
zA6WxPPvI0(Uo(kLxW72gm+5FRY3leIxy|XoTKdD*u!|IjTy>w(I^_(Y!GF5Dr4_cB zpuN+^g3%-LS5TMcr**kV$Vb(&-pIt>%UB9$h9}#aOHpjBxYEWeP@#=%RnhF+itff{xq~;B5bs2 zZ@wSjl#wS`(~I#r8!e39U)dO;8?FL@UCp zppfY{{g;QE9{ZU=_>FDPi8_?}uLBdEj*`y(c?WKr787-VR!g(Pzptz-9k=V|wvj8q za%EEfQ#bJSnce2Tv%NE+hvv6qsnv2Rwf z!05;tS}w<-^!@ zoV90Qn$u%uqkJ$%y@J604Z?$GOXF&@D28+2v%MUT-(Y#`4V6CgPRV``0+yZA^CTcU zq{i~nWw%~=W#gFMG%9K;>)Xz~ct1jSYBQ(xC&#I`LB27^F|u|_`CnEXvZn*MEvs`f>Gcxr$m5O2k-hpjo{__Gyxt_kch=RG;bnVt^^pcd{r}bT7e0JOU$W-wKHc$8GmF4eXbEZWjdPz(WuXSz~A)<4u@~{C3>R*FdAz}XOtti@8$rC zRf7m|AvgV*0`s9-N4PT?1Fm5O-G*$CB_^7LzAy#t28lx%+pxP5u8niM;Y`4UK*r_r zH?jF_pn4cZgyn$vC{nR^Hcq3AoMOu|_Jw!yy5E+$+{4iOkfu^Bgq1R>Z(7z35;Ujbzr?__PT_cM=ZVcI6)MymH3kbf;txTLAc&RFp05Ie0YQ?`(tu3O1On*^D35@H5#A_^vWMabiB6zgu8t&d@oiG>Pnu0T^NUv zP-z@Tmx4=dR@r~FbQvpi3Cd3Ya^XNTe)ud7i#;HaOQLx}toj0eWXqW@r*gLORKAHR zPibBnhp{cJn0QSv#f%k65(H{UFx)Ak&Ay{r;Xt55@3oK*FOXu%u`HW2`<;h14{P5{ z3oVxV?~k{1D;Nst7EiigzhQRh5u)~O6)+Zb?JHZYQfQV@p0bbH>{vB0>%B`9#0C&r zPbu<25iNhfe$X!ec5t1JWF~c^f*;>f55>yTjC1Vw?A{bE_Y}~Ox7&O?WIU*|@0r(= zLSVr9MBex@%*H%E7KxHz%PDhzr;6?XTz}(NLY1WWoH4C=%W<}$Qn)nP#`QM1@WHq# zefxG1WHNG#GjAp0!IktQKsi!J@u*Gh%B8~Nh>&m1YT%%W2v=-RJYf&fLlLNBmfVy4 zoZ&u_nYf)m*(6&O?G9rDFu}IAry%Ybm#+&|XTZHk8BTztn&}n8dGN`ZQashI<53h8>PEq{8?Y-z8OPVctz_p?XAo1Ia^zUI zyj50Hc&$7-fFCT;AWi;j9M$*Zq4;|so*uPf3?1%fGk-DhlXW)ZK$wdJhF}eqThlZU zTh;GCAu~_{tOU+OF)!lGKb;4pRhYzDx@!d9S&o7E$$C5FR#T&*f&}GE+PcsTA_=Dq zVvh8;@ED~gO(>~Pk_TFAA?BOFGFz! z(U;(Sm!!r7XCq3=q76y+g`7`8dW$Nk%AT>b6GHJ270NMXaO+$sF$H`kI99nSScuSl z)#J{XFBI=`I22P~i)>W>W9q_VSjNfc;6ul$dc1H70c5JCLUOcCrnSn6cw`{Cnkd(G z=N!^^`235SO(~?(GuF~r84OKpdE>@UmvRZ`zcecg4Fn?|Ak{93!77T3+9o=P~rK8-O(K3BJA7|3=Z(7rN$>Uj8X@}RoOvu}5 zqN}l?ADuGWafx^4k}D@fMV(-npzSacEJY8YkU*N?YeVt#c&Vq&@iV2LGX^O683MSN zG(G-guWISLGQmk{eYmjMX=36h?6wEa>F^p$KLmowX#U%A33Ew#Uf!}Bs+cL*@o|1? z+D##~C2V;`+p(JdnrPSpa$SSD6}iZ+yH~evyw|Wr1I`F*)SL!haw*Ur)} zBZxhnZgy`pPiZNlM-$13&tJA>_!11)@3R{WbWI1ax60i3A068TDK+)|DlwW4=C%DW z&;CiytL9rmvR^+qE}l%HRrgnXta`c?KOdKip)`F~Zo#J}? 
zPl&L~N`B>17v?!5qrKUWMAQ+Ktq*7#T1@5dH}h1JflJLu{zTIukHXuMAYD>oiV78P zGt0C7(Z?spPUD%dI50+(!q6(kG!K`AQ&<~$+Kh@}4!`DyOJdGa+3Oh9q#zVF*!YDd zUuYjf+8oc6v*le$cr#-^ok6B{VnC^R0r%d*sBKS?GZ56BuPJ5?EGTE%s49n0mJ zABQGLjPiy%ln~*wxpmx_jFiwKRY>#XF?+F{h{lr+zQf58gH{Wu4@O`vlLUignY%P( zsWf&JB}WH4^=|vJfzvHDu1K0L<6z3q#iJMUY*t;0)YhO;AJA8K;jtp=^<+TJFJ!0p z-BQ9EPZNg3G5L$WSO_D+XSs6UrZ+0nC6~~iU`p`-(P$)} zkU1>o$(uInb|_}5rxpI=vDaib88J#SNk+#?&NP)4W6Zch5hqub-sr#>qmM&21;>;t zbyR_3AB?0F^TB!|5uY8TR$Y!NAV3)W>Ca!}Cs9p7ys{g4_q>YPf!6IQRhborJO2{_ z^u(b*lYbRcv&~orB&5m&=FkG{yHb_QhlHV`2g%~GqpIDom{~SMm z53YqHP>n~dw{7o-M}Pgsh@D7ODk6}w?4SKrI!;8OI&RY8xA)gR#Y(0;v-H$B`Oj$l zkC6j?xdyRl|MP?}LiNHdFpAQ&LM}lJXY{lSfxDY`5G7dY;{C#WKBeiC;0+JF+pu2Cy!~d(UeNAYDB}L zeKp;J0R+-Eg;C$qIMmLv5%|C@V}B?V)!HFsJe02^wMa>cdVZSDuXH1y3MgT=tP-H8rY>L9Q9}1Z89bB5K;OOxXVF- z;w=#*J2=eM*-#niPKI)*IdmXh)s%1^c${%xTi?9uYT$5jn&TPDd|>LtgIbhENE5FyUFI?+q%wkCO5Tz)jH{B{Ol+FlAWhk; zUQX_+GkaD#?-^ui1P?Exye4SaAhG#}lLW5aZM7d462oXiQ75gi zvTtz>ruc>0me80rcL8aMWlXe{@l4@OrGPrF)bK?NnSN1ntCOMe5Q9=>+?gH^S-f*z z0rxZzbq!9tLI7U}D%ehy1?oUp<04o^{II`Xe!RpM_8)W^)rh~!i+SQ|{)9Hc5*NHJ z&%OU*Y;kd#NxIwr!dC(Y%qIZ1_fzq^X}$yWLcd7(dN}mC>ONe#;YR`|Rb$C`Cwb!c z+4(^aR?_Va^g}`tinWCF=il*(?(m%Wo9t>YI`BGCam72+!Hs|V;x%d`bM52t(hs$* zZSW=BWmkmX152=N4D(|1UBc=~YI6W%@uyFxyf%CQZvp*6H2f?(ugHy#UM6eXN__;L zFDJ0xDnS?PlTe=CMSV^T?>jn1_|N4|h@C2*Q@HHeUR%dw`0o6CZT(8wUCbVqu0E|} zPJl~W`I}oh1|M8R=WC$T7Mm^8Wz{U_U6oo7KReG=OU9&TzB^*Wu55$YN6F_?uq?ys zVcvs{#HLrrS^f;3Z7;m+=E1y1Xwn0@-hfawUZ{ojXMxT*;JW=VbJ03u(^Zj<}wxLRV!-zjqESft{ zhxolI+aww{&@owbJm1-`R$eADO5#$o?N%mQ2qG#I+w=kghC__mOj$Q4j(2)?AaMC6 zx7au|y*>sObeg&n_O7mTWeNDazJXaY9R?jw1U=V3ACFG5NMWFI97D8v?s_Ss0(Nw+ zZ~)Qh>J11zRI=9ZKf5OcaS0m?Jzhd~RvjWZ@0u>~nNPqz?)kGm7v(EJnzXX*>AxbOQLm;Rr$`b*Mk{ChFyjVe!Z zRV2khXVGV0_915sII`{ams>_FWQ!*qjA=oa&t{{Z($F)IwxI5Wxyij-hzzG6%uC*_|m@K9ut2}1b zMgX4IYk%L7vw?TTd~LXNN=&Iiyg*dCM4+poeJD9u-1R_RzrDyp0l=3lm?P`RutWpf zCCa=d3Gt8kl5$L4mmZ9H$Di0tGL$6sDh{-QpGu)@8xv#=L+&JDPt5STqqWI&fx)r6 zn>;F%nHUQK15AV=s3)Wx~IKqh`9+~4~?xGT|ofqK7q*cZmYYOnOG%6W#@t%-# 
zT#y-x@^}s0;G!$S;&20&NsA4yr5lxUszgp(DhhtX+QsNhthjdPReDgSVG*EV zk6-~|=ZdPmfYiz{{5u`n_mG6P1DX^E-CUKQ_}f&O9e-ufu*v2;fFvD)I4Dv1B>LTGKDTH&9EO}gL8s$q@W8Hhdl&SRA;dN}od;x`)U=`9{ z24-FzYa&$jK8>v2^wjXYXGcHcxoB*mPStT`hoth~r{CVfBwYW5(th%dz;Xc|d|wbG z1jG8gKlRJ>5=DV@0Y~uwx@QE`hfkA4K*=LcFUh3T4gOc^r-@#2I>Z+$om4u0qehu{ zJHyMpCQdJ$CPrK{4g`+LhFV9JFxiw6?JRnnxz=OgaqR&@yJOp^g?hOH3z1ZgM7Ssg z;eMEAEErx{l=AQy%AEZDlfSTBS+I#+f$_!&-5*7)k{lGxg?e=&E$dLWBLCMP(`v4v zVG2oeQo5U%M8#JRS`~v_Y2vCA*tv>y_Q*@9n#&Aq>zr0_2nq3}8yv$!fn*5*v>Euf zRg70+U;^@ojT%f3%1C4r#OiozL;>6n>|sO+_#0z_66Zou3QeYsaHbqd4ING!Q|$fF zSy|}=Ysj%Ev);?*27>ve;HHvS1~_?Yv#J;Qwz|~%him37RqXdDESZK8G6~u4z$;7M zN+ox-EMk!Pn85OR!^Q8H6Qp-t@j+?Ea7!qyj{+YJ*!1Bk{!TGO;cxS2fF2J!mGObm zMtAy5lyo|iADlSS18iFmWLx!pwB@*6Oc%Xnok!#(wM2)f`O)t2HuvIUR*H<~W|l>k zP?ZPdu%i6jv`+JD3dN;h>I;;!?&G14xk)9F!aF(Ri60-;dC;6|F@sVmaCN__J3LEP z317GoSgbeXDhSW5I08qhcaw-}&WSo_!`B;0IXSoH^zw#};~Uj4mB)HdLtvKAC_=pz z%zH)sM+JhS)34_3kyr*`KF&pBX;#i1e{%?5DL4!sE%zU3%efHdtckl9h%$Q$-18=_q z@~}i>9~Wm|-M@)pLq4&D+dhnVC32Ypzs@f{O=bduvP`x;=eHuFYr5ZOZhShoO5a#d3%uH)n;agf58L~*@S1C;lMhO5kB=s&7&pD^ zJjtxr<*T#>hRwV5dFqF1H_PPDm%r+`*ZkRbV`S)~Pv$A_;ft9(b=SS~Kc^%ZF{Ts<#iwq}OGd-YK@Xfr*WpmMLt9W$$sV zlvVwq#mybd0lvmNp_I+P_;s>WA6KKSh#!r>{V&9;){&h9(v>yzo{LE3K}M#V1irg3 z!Ih7rOn^#S!w1HNPsvxq<2pa*FSlOFjhUfkjptk0lk80ny|tXGHqqm_rcv3LBgD6b zV~t7mmq6)C<u46^End>Q;*Bh9C&d%YoEm$(8<~dYlebr?<$J8&_LHUo5_0`OV|EfDE z3z%~PBz*rsysvoy>M8>Dxqv=|cQ&uG;SJvxTm=_Ewx=S!hnYSp<-k?;$DG%R&y&Bd zUzFKE*fR(zrsDGbpobjSypNK#2GFJ<1L&$lrvsRE6+Hwh0MmlXgCiZGnx5r@Cly>s zJ*Ykw+iu8=9M?Xr_CmW)6D5x_;RXdk2#Q+i5{;bt;GQR6O1^!f*d)592hy}A9!FO*PBL%)mT*L{V{B+M6Yrm zn=764q0b7lAikBm&PoHi29pNLd_Cw7tHo+@j8!F=xv1(whKcocOf9tyDk^`P>t>Q=as2Y<+RFdyVrlLa> z@cLko?VLbL6HxdHNxIXZp<9(t1F&V4p&*qRl0=1TXvF#O;cbgI#NLrPWK2W~MZ}!O zez9vJT?WzRDl*rJHt36hQHi4U+2^VhC-x_ZMkl~3ufs5R$q;L0j<2MtRs-sO{TXs5 zpfn}_7d>B%=xVoPGNt-Bj<792OF!nnR(-yRx~5JciyQ>wheg^%UMhy`IKc)&NmRyx z$4)*<+v;3}h=ewbII#r>R-y)99pOJ$6OR{y7G&SMqOOonvea4IPYPe7d5Y<|UYhb- 
zeJoqOLkyS6DVNS2yJ~Cp)RXwKNv}!yVmUy(3V#Lgdr*jcCKqyCNnMcQCl+q<&Sk$^ z<;aV9uv{?IFBCDEPb6uZ*m#UWwN#j>8i@u?7eC-2%7{-G@K9k2xVCYX(dZ1;4SIdR zq=Jc~Tg`rsom8n&E?aDGjG^R#hu@$N9ru?J3Sl!6Mk-!z7OQrx*C3d4C5lzaNRhV= zsVvRW&9^VML_#fOBDKo1fCe41Hr*gln0WVZa*=d6U$6L79!3i++Gf!c?dW;toOLNm zCO$I{cNw}t8kt7c2M5!*kd`V&6g6jLh|;*TKMsGgfv=e4R5xKuh#8L%)2AkZW2XAj zweJ9eUul(Pf>p~aHP7e^%L2jCgpA-bxnEzrN`;66BWxr0XMoOPw3+od|c{T7T1i+AYGiKAc-qaQCa zSB@HGmr1fSwx>Mlhs?(+2?ZN-r9>2kWWqZIVCT8rA>D{#M91fQ^Vp35m&?<$(@S<3 zSn*Sg)?OHCP3#F?%b-xRQ_jv)Ju40mp35|fRg(b!_PqeNEqH>*dC3#Mrsa@^I5H!h zi)BmQgY~pnY%-_7OX0vO{Y&q03^}9j%iBgvn%i1o;|{NR|X(OLD3PX7S?{I&L& za+bXc=DFcA8OR83u)j)aw|c_$cIg(g`8yRtrtG}DXMUf2nE5<= zpK>LUBYSz11yFW;(0L3qvl8Ug&rr<<=`*1sdj9G4Vje_O}|f z48F@1b~EaC_sULBpXU>LpL=7umz|H3%W|tGsT+;2?#H8|AEhgRqtm67P1mCpq%@aP zhdzNEt%Kb_#Lnvk6+PX<;qe2^=a#1aR{qE2Lm3CVRQwwOpGc$U&Rh1~`ScBIgzdWC z-s!B=qn)70wO-(19jaRDa4E>>i}*Om$dLAr;A|VzhZ5?8W}VEHXMaeZtL->wY{3+> zvd=L8;=}m@14zxKqlIWaPwjZ&Z}@lMN8#6gAD+3{X#F~Sy69%s+dNFNa=sVh=}?*{ zMc3Qk)ml`VgRk3h)YzEPJEQwN9(wb7b@T!-+9H4Hc8jO%7q`_~eFJ#_LHRQvvYu0c zQD-1XcYo)OklxOOLZIV8puWFZ-=qQ~nGY8b0tEMK2Q~RQ14*6WiDx*8L?VyO^FN_= zsX%9g;Chm1f3~!jXT%`e0|M9t;eY>q`8DRvrz%C>AgBVb&WfkP{!yllk#}#;OHddw zz&w?wNMrS079V|wM{tN>SfJoSG$*Doa`keq6JX;!WKh3OgE3A)a%6y(p#AUQ!4ejS zQc8@!%>1v>%cd&N93f_fc8zw8*|%Ok!*?8Ai^I?!>QgFk%Ps3gJjLIG{>msXXdQiy zu3@FZENWEe7JQN_bN8!h#zak{F#+&93*+PpSC1jw;c|(EviO7!b$G*;oachJUe-wK z9hnlw@(csJ5sG_3njM+nH5pKp-sMCx8T{%p9u_0B@h#g;_w#kk zk6w;RE+1XIu=AcnEmH9+zn#w53^@HCTQ5K0+ow zebnHZj(>b!A9zkaV*Za`6E1>6+r&W39)H+e7Qv*9X53K02o)g~Eh!?#bwqZYFnURW z^$3BqU&MGv_SX-UgjeHA0n;s4QpvL|Z9G$}5Zdq9oy$0d`(grgvPs6L*_-18sQmLkhPoxt5p*%gDW`@m%v~-$gVyX zW?HWHz)!Ze!F1x?8Pp01WPQ7Pn-QjG|Jui+o5pt0pj(=i;^@vi3T`l(ugZt9C0BcR9}LDHBQ;UhUhl;6ET*>XwrcCFT^@S>-vOYTO$Z@nQE{qqzsG~CpjQjaV`0b+)aa1P zhcMD()Z6FeRr-UWBsIzAaVlER131c)Dk_-jDM~bM7T<6nHM3a;8~n#cVMQOH64ORt z`bY9zIcm}rTA1Td>Y!hwY7*h_jN-zjqJ96-wPcbN1~5z3OV>wB%JiX+JMs}y<)|pn zYQ{eO*)qU&+Ri_+G;HsGHRbE2LgY(2{AOLh|8hAtG^%=u<8R)!u}Lriy@ 
zi-nl{N;^-tp}s5dkbd$9AP&gw-sQVm6+7RU1Ozj4&jmvYe@Am1_x7*OUXcgsQ8~G;NL}7T-w7?3^NAR4F^p!c%bI__L`XxJ??=NWlb5kaZVO!A(lg35j^~ zp51CB+G(I?(e%~p7i~pcqAz+I7QNw1hV07pgD52WsRW0ypyfWA+EHPg)fUf7H$g$FVP>N_%zMM+k}Wjy%2mXnTq*}cVU|K zzX2bF2b=Ud^GN9J3Hl#k=lhIZZQJwWm(DGL`kqX5S{{G<1Qhv<1nCQOfsi3W2AKGs z?)7d2Lecwr`Ryk%`L0fN0!(Zt`5b!M*Eo3i(3xYme2)_{t(~6^7#Vtw4wlUa7IL(% zu8|OXjgxa#X0p-o1PeK#l=(Wd}&8r_8V<0^#Cc9 z64PRNxy5d|)!U?Y-n+XtO~C-KD*gEC0oxR2*4<<1xOjKNwlBxA*Sw9~AM0Qbz8)_( zxf((lj^%Hz-($mZ~ZW! zir@3|=G9R0Y+;VFHm6O=ZmMx-?L22cADZuZ4}%AQxYpTzdI_*w+if+=?R^Ms)eYkJ zn#m-b_NjP&SM2pB(7q~;eCCFKHy`+fE){6o13phG0bI7XjRDW(ncE;WojXpSGfp1w zrX?Os#+I7^fnG$tvuRY*PwQrPz>=@SCpK&9>*E0X&KNrX_G9W~=gpMX`>;lCwz}3M z>nVym5+gr{&uYe^h1L#&P6H!k@Lpyt;r;d`xv%Gq<%b?$Cvc*DvmuhO@dFS${|8{1 z`E0MMzKsyCt9!7t4ixXFWK(;4xY~fgy?$QcA>?{nL(T2!Ib83Iu^mIVG%JwHp86pj zX}&Q2_M*4cbsxOjE>{^$8*#;l=?e7A0r}a3-u3|kqmKZ)oj;#EzystVeh@lt5~v*r zPOJU)@W9wGGPpDA7svQQcsOz*pw#@f_&}-@Y}XX`0wRJt5*UzeA3$?ng$psLI*Gok zOZh(Os>hN%9W=AV6;11fJZ}Vzm0*cPoqN89BW&O;QwkScrjp3Q$1zfx&>mi!8th5| z(M%!8^JD>Ufg@zHgkg#0*as&rqQSqj{akkK+c;jI95>h*3CQ)HLBFdkpJMtAZ>xU@VW8zH;rd3U>p3MpR|0HSur3TlFxkg^qRXmaQ zh!W*t4!mg-xh;kZe(T}BJFzrkti#PB)k_3zV6cu8zL4j=%Cu6P}b3B7i zU8-H>o@I;bcZcGn_&0(z&1SjCHh&igtz{U5#Z}%aq3W1Zb?x}OEN`ktX3EfVU9HSr z;Q~uVaMoxw&knmq|BfnnD5;q%vW_ERL+yeHRnW%k%qL)o`9tok8AtVE@DaHGC31cL zpWGF~pqSza;YT{!u#udY|E5Y%`XL%ki)tb_MeAECZz5TF%$b?5HgdPgM1E(%{3oD; ziYmi>Hn zA3p)M0XE%l4BhdG_c&zYA4Dc?|AtlM7a|dH;9&mjp1&~2O zK~unrjj!yxCep!;y$e>QfVGmq5+s;aV3f+?<`I)W z6_K>2$Dc;HH|NY2ORFh5z?);WWbTTUH2AL_*p}Jr9SH-m+aI^@0>i-n2PPjy5ZZ2owuCGl?Nh*2S0rlur{Z3_L;8MIsLW8w%gkUAG?G6LsR-p>eL-hPPJ&B;C~U@rkn;* z!_M;qV_UHV9A<_;cAXBt^!3|NGN;$UaV+b~F77qdvs&*%$#2uE?)@%${v@|+T%I*6 zq}m-a(0=m?zU#75b#bf5#e!AM`SF=Yr_O72BST6sIrr8{T;MZfY2qmrn zQgz1)oSU9IXqfh^rd@YE(Y*ukg#<~P$LDUf4`p%3(zy)*#H~WF>>sitb)IfJ8LMhO zptm!25qVB4&ZBH#8a}e$@M;pt-}Zd0 z_UXEvAIbar`Ub7{oC=$wFSlW`7VDb!a`|hL!GC)tLu=FC31Rc9I+mXg0eFC+6@338 zzJ1_8`Qi!$XpK_i_9$%l(LY4()LQ92p4MDIlx~iT9tU)8HZMV`;WuwS!SR3uWJJMBHfb@%KNhB?_+O(glk45V^%WVTTsOG 
zn{R~9`JW>uJYcCdEgEpN#v$l!TaM7*f&<7mnt+N z5PkCn%cO}OYY4&8Pe~b26uawC@19l;_yYZz5NC~=Wbg&ypnId@CiHwOnQ|^G%TZj| zHEl*VtO-2K^F%v_En1W2pui&htrSTDZ+;cd9KjZrr9Pz|4ktRC&lG~Xk&eO~9!Q2U zfDjZ$R5wq#Kp(iIB3aykm>$g|F=i$1&vnfWaFCDm%2w@JD;GSo9B^bQqzV%f1s{q( zIr2>WnJU@RX-Oya*v7T62@GL1*5yscR&Uzs?>iw-V$? zOyEK({WFlODSJqNDHA55Mw!${F)j%nA1UCzwG%V~c`r3EW!#N|uC!Grn>siu>`0Dg z!R{eI{mZys`%i~Xfth)^SoQCyQCGvx*BR^&z-*UgqOwjA6S^occzJUy1p6^}U4q;r)pu`y2E8OkA`< zyCU+Ha*dv$jslgU>So;tjezAb)(%=4#^$tga1Q6Nvh*{g8E;hgztx0qwR|;k`N%C0 zf!|pbd$lXatG3eRzufV*4&I;*ow6K)xI;lfTJWUWN2{O7!kNzTlCw=Ps}^C(b%;t| ztpq<0loiHl_e2D!Vu{-Qp|SakVMdvha4A9o-h6u3X0+-<>?Z2ZNurKHV962#kw*^Y znG4y{ea|eHqn52{bXSP0EnAi`bKWIrGA1h-2nY}HTFvdh=vFqE>5v+27!cHfMT`>8 zvoo_6RL)(~WTv+)Ya)&A^h&{I-V)nXACVwSaikWWG?GYA7x>5Sj-n{%Hl zHRg5WOydpIKP%WWX})Y`Zjo=sRR- zCO+yFt5d-WD>50qld!Lq6U6JoS}}%(r)d+BF7|o->E~?>ls}9j4#F*UMvxg}Rju32 z41@cslitEE{uw&VgjHgW_vQ&A1`YXzed%Bc zwA>xYnEzCn$&L-J7)iy(N0jkMm3}V`t;t`4=UuiPZ^# zo$GG48pvTe(@ovGwVXQD{yuk7;~l*{(EH*xQ+0bHy&p2Dn_K;SLC){)pWS|>`6BQf z1lTZ{;jis|80D zgqfZF{`^$n#tcBgoI-WeBihGx5Nhj6O>@rcpyM-C-|x!ARnK&;7&9BNq8G*B_plqf zt?_vb$D!%m%y*pil=|DvuNdC;zTjitNv=32r+uR1<7R*}m+v4Q`UVdzRp-2FfHhU% zZOxZ)`*|9&@`W)APx0wm;Gs#yEZ3+D2%L5~DO)Fe$F1_-GVw~s?0G=+^EH{NuIXJ& zIH}>NEL#5%sQWn9a_zWJ->4Aqur)XVoxFiUp9x?8d_t#BgLcHf6mO#Wus1cZ{tby{ zWKEu`UgZ3ctmQGb1OHfQwEq;|tjQE0%!NM*Ig; zFPRboq1wV%Kj<(fd3Za zLmVtsp^KTVt3%*&o}uW5r!bHR{8sy5@grgjG0Y6dp^yvgfus~^RqDHBj1eA@^%E9`s}40>8*0@d znvHW5#H4zK5e@rbXOmuvQ$33^tw)?-!?XXL1A^Zwy;@Xa|ePwA32* zv!q}=5f{kejWvd;nm^O5)Pm3m%w`G1J#5*d1)&uClFJ07eq6#}r_>Fa&&#xvrp=VP z5EOt-V5fk0(Tf-cCUkRU20YD~1M|K`8`rMvi>t5Fmp;}Q_GKS_V>DFn3~%t^*Px?u zwNnJEz&D(y-6ijwNKG%xis-7@NPo{#&%ha#7AK8T{-;LiUV@+cSC*YNLAoHVf?TT0 za@1WP!@me8h763x1TymWYlR^5A}wkmm+-4UdQtJ~ zR2MAS2oX;kU9OON5{&mvMWIJ;GWAF_v6_>cHpf^8=jP8=Nn|Qr^9?7Ycwv=Nfv-E79_nTAFzU?1qkVh8LzbBW5H{b|bP=Y<(5JjxN~e>aOxrQ-!Hemx!=mjR0TVa zxHJ%yD}&C!43!J1zGk&7#Uj%Tqb$L>R_yMp4R~o*eyv4pE;cw*g=Dv_GKdHc$1rWx zvc&7nSp4S9(ac|XJI6Z9fG0*+>Y0`4`2Xt6SG=IBc)@azG>EwL1=JJ!`u7XhxE*ii 
z=MEx1D<>8?P%7NN0EE6{f+Rn0fg*cY>4HE1lJso*#qezS9BdUL_1K7cFNJ*cI{bM` za@twDJEZsRz{Z~8dI!kp@}K-mJ$1p<@Bs{6>%C;7$LQ&D8%AQz^j^NQyKP#JytsBA zA>CAc9BYQ!woGzYbi?^QYK&AdZ@fLwsQEbJ^zLu4cERm5A$A`%v)|~R7mT#F`^5Tu zeB|7@KO}1)wYZ7jqxYK$85J_KJtA}-uEMv|Qx-5eIX~;& zex6H4giHB&q{+#)2FB8-_V~84-5S2PubE%hZhX3Ihtuvntiie2KA#Uo&+*gJJ8Xby z?eyFSyx6qN>Ed>1iL3G5X1~w;K6!iFINtiB-A?OICeU>)do;DcsQq{(P}BJk@&)5w zSbEYUtUK2vb-nqk-uX5>7PCJtU0=8(2_2_`o7I3!2N6E1 zI$q^lYvS8IyFQ1ht#l339h^CtA4` zM(qs0tJ6(is4ieg3iIY;B$u#f&XDGQS~K>#b9t^8aJx@Gt!}$wcCAud+ueK`UW(UP z_W*kM1m&)RY`!G#3koO%R0LV@uk_2x4IFd$k zc2Xpx*9LKVe|fyll-g**h-IC0qQ8`e%ooAuT{>}OmvWl5TW|!I8s>3^TVma=HxM>O*LmW)lEoqUJItha|d`NP#cG*;ZheSW4-*B6kwVD1t*I%c1%9F58Y%EXe1 zO@;EX)%P6I3$jB?=RU0cZ*~w>$7~;6bJS4$iVybrI{30OW=#VkV9+k2^*iOb@|0^W zh4IN(%c9@ys9-Gy&1Iv5|3Ko!Zy;m0z@-!O2;xBM5nRY-fz8LSIrXc}&rC`sk z0OLSyx0+s4-D1DdXr4bek*D0jPH-IJfDSe?APb)?$tT_*-G#)oP6bFMjH7*JB(dl zMZnxy&{66KzvK!_hhU6C;DeOzuBnsc{D||C@-gHj&2gd4x%bPPMvaVS=H- z)g)JLX;;!LN+cE+#gCL&m=?^{{GX$EDz+x&1XBSmxx)*(KhoaA@XSenltXy-DBex* zl8SN&?V%3i56I6*a!Ps6TRgy2s#Xe9@}1=w@m=n*Wm^;k#eSEF9UriOY=w?4&&?X+ z_=62|92swl(c!5$6aP!8TDo{!*--s5Dq+hzKoYYeS)qNIUKXMOPCl`Oya-oO@o)mY zNwpC+sz0y};=cTc?P)tQus`x|Ttg|q5P`f(~4@RQpzw>h@9N$#H z4p|G&j$hs_Xcj1OJiRZdJnHMSi zVxcyV4(qoax&HErxSl<37*UZ2#2| z{;`p!5Ck0fOlh>ctjs4|pLwwR2;2)3rUJ=)Q);12>f*{~Wp(9yXpj>UbaShFWulu^NXu4pe66&i_osG zZKf#}^^_SNY440-*_xgMRzAOfQ#&8}IcE;}BZ@`#662R9?iD(EXs$$}_Yag)Ut7!H zvQhGN{qXlP$X4;}Ek`meEO<>s-ZYf&=A;+-&Ln%VThmQX(poeB4bI+@Wb*FgdiQzPFZ*_uiH{xQ>;4fwLxGqe;;+=3&-^_YRsAmz3b5nb`!2Jw^Bk&I z-88^>EqUECdgIFHRzEQfX}8nC<@DU;X6MEKz{YoTZ)5rr`+_@vP&>(O{P`?-2o`$D zS?F|}lADrDozfqstrn>YVu-DG<~(y!H-9G(JB`)fhfFP>f_?0?c-KdCfTgTy>#D5;twSwH z)m>$ullUXOt@rInT~88s*LquK)(_e5NRFFbzn{HK0*kjUjs6i5dT;r$ww<=Lf7qOH z`Z=Bvw)%eDlL9#ETiX{ZVgt(ctOs+P`iQ-3JDy&~s`IC~J zSHV{upO(8nDyw{WSfRJ79_BX_Z99RDV~TcoJ(SI>jlEnS1Xug1tvXh36Ej*Pa;{N&uN+blE0ZiD8_+8Vy&R@!dBeoD>z zt=Wig-M?R%z$*rBZSR>=A4V#_lB$LTrz317OQq&ji9=-jmu}KrT zwd<=iJp+Wp02M#q)od+(ta(~H*F_`Dt@pc~nD+fA{Fg4fXYfj!_6Mg}UcmLtzm1)4 
zkpD=E%*=lqsk}8nt!EFp|M7E`V8w(F#8*HFsYaP`d|0DxOS2a z3o1*=e-}%uJ5`0|gi|OVhhvW+ZUkuHX{2(Du{-B4hvP5CbNGGY`Ub0~ntQ;rX1{abhwJIu^IawCXDfp);4J?Hu z)YnWBqk7%Xz>oy&i$d!~7N+zIL&yfxaZ?c#!9FDT{xU1`5L$-=6s`LR?;wsjYpVjJ zPvUi&^@A?8S~djeNx?J@Je6hzL$)U&=uldPl_>x5|0yd&Z+2BM=V7|+eJ?o{k+3TQ z2r-W~J_-FQldqaq=4M_xjQkyB_q${ua!6Zq0ryRVCmFVO%Ks~n!JiZ^t_ zDj0+uS)^_ZbT57@$^}$`Nfl(;wR1*cl$&wXxq>Ntm;pn`6d#x12=L7AntJqC$#C zK3U&)UV%~=8bm8Nw?H-lpge&uQgvCeX#fZr&IJ_99VFZ#iX{OBbzT5YF@IJLAs)RU z#-rmlXB;U!UhO@qMW(eB1wj^Z;8_w+QO27qsNVh){)lC6GWCjg`x}i&+-ZLv1GNKj zY6JJLRMB7EJy^&`>a~Bm+mb78O%Y`%87m0At)>Xd$Wc5I+D3%s92yu`r>x`b& zr^3bAm<|&ypi&xWgF;VnQjOdzKbJUNK{b|WCaNr@h+2=M31JVvP;va0hN~bQH*!@F zPIgbHi$H^&Ud9A$%XBMpH628BH1D~AD&c4H;#QhuEs%(UFo{YE;>rskNe$Zy*FUeg zDYoBQkP&uWKpdJlln7~%){rbss5pJ5HOQ8XF7n0WG)ex6d-ZF@A09W&9cBHNnqaAC z0%!+X@axG0+DVW6c_mK6_?5lAI1*bvm+JDq8#dwTuZ$sTlV+(_8M28m;p=m1+*w>e z+9|RgRcRnb)WxwOX~GhYD8yL-R--&8D>nX6x#MEi55-?_9=0`!!=ZdXTpW)G_iaUdz{tI6O%Q}MT2c@;I;^uEU(#M0qVDE` z&0K0i>o_2)<@Qj@F8hUBFA32azuZ?y&p0Y5Qn54;f;fvgWE~3&m&_ovHgza?T1@lC z#`gqWoO&}?FLdar#15T0`*5YbAT1#x8!pYlDeRQ~-Mt_cl}U zWu~nP+#v~n?vD7CZ1W*dG9~rh+06p4&eu9^TNgLyk6GoiJdS$^40U^?Z-U0FR$9D` zYY$o-bHM|uJ>|SpIy2r!a&AN;7k!_H$$7~2*03@*^ln_v1B_gw{JQT9&6-Sk;RrqG zo`$nlz9%Ren@8-V(CNH>9|?e2cZKRUqkDEBjS*wOwbJ?}`2=%^S1NkeRBs=`v%jkMl@wZo>ng z!<*mT%>At+s9!+uFHa??gY2r#@AI;Xl7FMA^ZY6o&tY7S_dF!C8TVOc)UIo4yUqH0 z8a3&KrWjV+S-8XXcBZALaar+nqrTK2$9Fkk;+pORC}cEI zqOGc9Z&+SmsdhJU1K;b*^lQcTd9;zHZroB)+rX^u91WSVwFjbd+P;Lwu6+10flf|9 zppnl9yGK6}N$3BFUcC!}2Tm$zkW--JYVtmdozDyuT=s-bW!tAc0G(e}&+n>qbU*=iMEjXUJGYZ{VfUQQV}7(a>nW z(u{6u!tGx(#&ac?N);3_Rpu|IV(j`_67SQxs(vRt%@7?Nljrlp{HdR^*ceC$yL|F9 z8mW51SC{<{{(b45p3ZkKrE);~(kjek9Krw_$zsIg%C@tGXVg9Z?@ zP#T%Hrc&6(j_(hVNqwXU^Nz~h)~oJ{y?Y^oL|QAJ6(uW@r!5Y)sVpAQd-8sU47XHT zY|-FqNJIrOXwBRcq@d%*iK@(E)g%s*)hyEG5h&4j%bv^AE74;%W&?v*&ppaj>41Kh zTW)O!i|tIFFgniP^IvfA>N*YuziFs8nvA7bR|*m}&|{AM9%>+Gl|1c6wIuo)xJK$; 
z3F1eVI)#8C4npL9WN|}!x#i;o<4=qG!);dUH_ST2y1hQHd2_ER(0g-l9-|}}6QhF(q0o6E-YJ`Sqf|kDD4|RWjc|W@pZ$BLmTMr+RjmH`iOz8gB{r+h!*xay#JOR*Mr;^cer*kgLqVJEE zhI*<>chR1i3jl^;6(9`5fiIrlZX(}@GAE9u?nP11n1+~hT^0OxfvPtgC$Xkx1t}Ca zM9Z!q9DG;S|5lnvi0fM)nL^9mB8kQKL)l4vC|ytjAMbBazN|PDmjk6tr*M%@jztj~ zm5Hk1+{+LR!*{Vnr$2ygV=7}omH-kH6tsUFe}bun^~c}N%<=k_YNA$ED@hPobz2zj z<4gt>v?Bp+H(-v#)6`c{0}aIaL5eGvEM(~`oeN+_xY%_+?jZ%s{qhSQ(icK>UsvIPJnc>Fo zGFyz#J%7pKPW`zO3SFUt=&rprmx=bO(7+7bLOiwj-4H|zqx?kTQs%hBX4RU3w4WB1hs8Wj~dn?oP zyG8y=gr)D_KzbM0GFSr2Al=XA&MH?{DL;U{xTm%YlDMBd7fk^{3 z8}vc8KPr`MICmjrYdD952Ze1jj}CQp7yD_n>wfg04$rlz<9=s2Yw6%si-W8Bp%yBg zuFUPc__t8DJ1l=e6JtW&_Fof~YAKuBdPF7Uy0C}rou|8i;rzEOF-u)V$qn1??d+n= zDw{)^H;YQ~iD$vGpfVe?VehCVb%VIbBj;hM2J#lYfh*>8GJF&&h3C4E^(qNS_`I?8y zVWzp1gsPgjdq!fLTNJ5$gWdTqcpIl#|2I4c6z;*i+Dw9k!q+}?Ym0q;flfYGG$;Jv z?)^sLCHr84i1pGyf&QQbkcjWXH_?8gE+R0P0Q>tt-)8Ru@im`tZ6|L0s678UWE<7` zuUynz^}f7JtdNY{;%td?_}*^9#qwGtZ`JrozUJ7!JoqsP#&);OH@03qvS@U0cTS2^ zc7t%6K+8C<7Ps+3UOVq+G$UOuLqA`vBaoum`R|V}9hROk>ji#wUGO&SIm!|GEGj5H zjq<##n~WUC_YpF@eKg2r`Rp_dk^8y7Qe%Ga9X>m;Lz9bXRVOdD_4?>)Wo=Ka?Hthh z^v}e}Ho17weq65Xbw61<*ITs)Ps?pm+^;O{iqUzEoS;l~v)#FzJ;?Fk`1QX1c1x1k z(`#n)@P+$3KU6#Ebv#7H?Q(n&V7Tb2n~xX)T81XpcK5U?WT8f+#n#e17dosy>9f6T$V{O zw~n6>WChOm4_XZnSDk}Twl&4qfO|`b+!O2im7Rn>zGp*-+Two2ZX5TtRh~eOURwSh z@w-bEF-&@&u>kq&#=q)X_{$mP-s^P6Ry~{<~Ej;U6pc38X)UYn8J|suPbIwx=s+=cO~AU*o7)E zf#i~t`HOR&C?tw4i(jO{#5rGSkYE(r#i7!*$Tj)`iEi~>)FK1J2@NCaJF&cHgiRZL z0p-zVN~$INP*#!ZyZsKyx_rB?&|k-DQ@MfiL!lq*k%sHvw9_T>e-F{5I&v%jo)5QT zK7uWFaqu+8!&L?{NO40hx!~gPR zPMDwPvV&0SottTWpyseKg-(aCZY+_mC_CA(PO>sp%9gGqed@6Uv{LLQ(1WwOG;&+Y zupWJ*3#AXP>(D9V!g2j5SWKmq=u99;FHVp-6WXYmH5s)`<)TK7z7_i!cV5PN9@B)v zb1#BNjDmfaxy2D7d_7q}__foIrLWE$S-kn%6v7V$NNZZQTDC4*9h^{le@jPh5>|_K zGRV|qso~?RqAjd(_i0+rhXd&zs07w*v9IA|ITH_6yHg!hA@iR3c&oNdNE{WasnJ49 zui2aSG3AQXJZ+XFOPyQ?rsTmu?R+Iir=j7nJ1f?}M#bC|NYsJ?q7}ARU5KJ~;^fAs zp2!MqE0|wY^Hy3dU`W;@`ilzcSg2ijErn<(QYK||5lXyMvlSvH&2g6>F5iCI4<{+4 zHB#7%W4qTZLxUPmKy|Wt%$JwG`;>12qi&2Kv;2|_(18FPs_DmV5ww`g@KGbZf2OfV 
zgpjwca7RAF2RPObrFNkWh9w;1*}tB$v_GNDIdu-NxN-vx)ZM~1<)x7{9p?ol^3(x;DO))ZIo3%?tQH}nbf+Jt% zEhLC8ycSi@44Sl!?ME3zG)t;gxcknq2=)t=e-Bf)&-oMnx;Uq-<+Md0W2(ajCRPr` z#$m9gR+Pdb9Fp9%MMB!a)dSWww9 zTYoTQ!9w~k08KNo1bqa(u#Dvt_sYR<5uK|x{ej+c74B3>;VRav*?VlnNpXqfgCLKH zw2@S81hn=A2P+3|2xo&5pTvC%)yLKFSQY<>QkFl8Ya}$&I6`1hisS}L%SgZrnL)}J zjVa=NZ`-m>9CC$T^lo3jKu=QDG@wN#b9~S!mWY-*s7i_0*N@N$_V?H4Yxp3Z%9B~Q zTh@?;Ea)nW@mvT?s*^8O5=p)mmX*JdHnD&(gAa}LNu$U&gsL{y--oToC%_m0Ghrh({faY0M;QYzo6kn9k7=+C+^$_e`Hy{Z5M=0QhAR9c9bTH$A!87En0-K2rsn{NM0tXUFy3hX-Kx z{CV@0WY_(4cWOF@Ij;qnAc(nyCm(-YMt&{LzyytXKLEjrsRBf>lE%F2L6cV5T{s;F zUJHd&#ko39oS1~K>khR9fYI28&drGtF8MR~XUP;}ZXTn%Ir?Dd*hP#DKB-7L$Uaz2* z(>bkf#}S0cTJD>+>Behdr;P+fr)|Tlr&kwB&Sz=&j^0U;k1RJ}Jln4QY!Lb+Yk_qv zInxd%)Zumd0dvD;r7)K3l8fqP&Neh!77+U`=d4+#jCWU9$)PvmXBplLIGPE~z1>U9 zy z&d}-F*KKUL{A8J9O~pSru?N%#%{ko(Mh$d9{I?~RwXj`5cjZ2c8cXN*Z?n*iGS=&4 ziu|D#bie0w)BcuP;eC?n73SCLnJA*BVdr%lvtCep-7;RAn&mf<#;NP!Q`_jP#Adf15UT3kr--|4KMdgm z?JrR(1%TV8>0NOo`;@)GCl_ zl)!@D;mzioz}RH5teJ0ax?W+L#JTXBT$eoXfK#*16y>|2;x^Sn_WRj)*dis2r3F4T zo7tzFdGt)58Z)Ek$EE zYAqI!NG7-;<@HR}0b9c``7B-fd-U@QEE$Dr#taiC=6d9srlre*tCF6J&|%jwh)~7- zaZ;9G)vcP{<>}&MgEy5ia%I`dyjUd7H4`b1B?RZBYN+q(35Yn5gA||Eh*TBcv2qW9 zyS7=oIP5|t{5z=uyhLG&IcLf}cUtnb0D@F6m3n?W7mK7JqAi#UgI-D{ME^VIPR`Q; zi_r_QgULL@`0$)WEA|yE@$#IbAW6I;$B5K1C55eI>3+&aj4Fg+u^?q-l)l~skUX{j z)ds4Bg(|id4vAvdp zRcu#Kv2B}mVzXlBbZ&Rw{`+M;?591xvGUCR>>e1%uq`ZgfMwPfoM9P za$xuZ`2A#8(6`nQ;Ylhpl(6%E_c+UEzXJPUJyWgN6Q$fyEf>B_48TRC7EAR+r8Eh( zOD-2fK#g~@_gB|Q9JUP(iu-Ngb0O6rTw~~!Z4;;3YzHQc!$fW!hq_fLnA_BS_Ln@P zj+d^A(0u;cR>%{3^K}8{2a!zEnB*LQ0`W-8$|erGap)=ySh<>U9qYh8#cp%UA_Ov5 zoF)c+xi9oTE)Y6NPVYRk#j0F6Ktqm<3IR?))3p2S+6Hx1IQ=!mNokon&XI>`%~`7lKCf%e}q6GPkgY8XU?>)n?>`-2Ia?X+iT>OHdw2* z;t=gWE+UieNrt9zl;?Fab%G6?HSyX~y%;xo>D1Qd>fzqG*l}T!7I;Ciff3Yh&g+ar z>R+X#;IU)`dPmz(Sht>K<2HJBeg!5(v2wm_1 z$sXs@6sTmS+(t2!Y30PUi2`Ix5D!fNDlx500M;bpG=@iPSc-{U8bd@WbD1=XVZRZ^ zUXwtVIUi}mcK)2Cj)cqym;geI0$0Iw$RCx*Y>*l%Xp2+5gtb1&){)=2A$z3F1mgIdmp_y^z4wIk{L_lelA9ZMi<%8txltEj72cow 
zWm`5Fh~L1n8W$3lBcG}bG>F+i2pHGic(6*eW6yNkijQ=r4c#X1D}PZ>VF=;YgHl<~ zw@_x?DNV}LG>Qx$rFFt8o*5vAE3aaW=g%Y9=kM4ovCTHje5S)}sVv{fXL)aA8D+0p zIG>z3zC#@scPS06a*mc-3*n8R?aByHF2r{uYiVC2LT=&CK*Qptt7@BlU>W+V@M-fZ zCabeYN2b9PD%EN$ih{@!Ov>FLR3NxOF_0~Z?(7)O9n)OJCCH!x45jsHKf~=ln6&H*Xv%|}q zeVlnU(s(~!!hL+1>hU5^LMbG(i|->L6*yo_B2 z&oe{2-?I6_1rj$AtKa+iQNxUV16Hv?0l5a_{oDKPP=iBze~; zOnmN#*UcTFyZ?5h7`XjeI_u3O`~U=E?1Bbf^_NBP=JM?}-Y{Yi>a(JB-}Zt%?e{U6F2UDfwB{j)qa%q$nY$2)P(w>{(q zy(3V!T9@w$4y|s3aO)x9C06g~>gMtg;N!M;HKVn4>O%XzQcp;C{siXw@L%{4A<7c~ zTP%Zn(jFY1W+pQQB$@M6@{c#p0Dsu*D2K9{8(Ps47*7CW7SG6vj87pgHOgPnFAXLr5{Qis-m*2&Y$-uI7PI1rl~(9I)W<*M(N#n=vYz5- zmP0JAk8rsX}M2L zk1Qz{VxbMrk{8c^bJjzhfpLcQ*!>e1S9&VD1=D^Ibkv`#8DD_46l`33{1T<9G1z_R z3UfE>V3cGk>9raODZX>2whT8V&LCk@I6|!V#nPW0+!q*>M<9f#hF(>K@bv*UQbnCr zdnR=ZSOB6$1qtEY#){YQ-Fo`Wr_Sec#0hKsYWHh1I}kOTZ@}gUjYwA-S_ysAAmWXG zK~tm6;Koyy&_n`R|FrGE)mPX&17(xJSdw+&aW64qj2s=iQL#n$`(y>&tS|Yf!o6;D9L0g^a(uDW zEA3N!YyO9h?YoL+NwPNkTlU>J*zPsLxhBH*@pB)mG*jV?QtKBJJj`BiYSutEJ01jy z1{AJ|abfIuNa;f=;AQ$PC}|^zN+4!IxFmr(GQ$db z)Qm=Se9yH~SZTmI>SU$Nlvqp=l(ayYo-d2Z?7Z2k`rFN#+KVhv{+L>i!GcqS96t^p zoobd!2(heA$NcrCF1O4Eoo5Vl{nr9k)53!60Fjb|u!Ji!a`d}Aje#A!dbmWCmB;U} zJ}5=V1j!YPWt*TZF(&5|tAr!HF$oDwp<|G7-a7-kOy#10%2gCbMki6gkBNW`~7<5#7$>|^8zh(o@9 ziZHkGuT1*7J}g2tS2k+7!g$mKp^Hf? 
znFpuWWh{}15S_m;#2mg<^tOsTeo>rmCFI-o^=N{Nv_vS|>W`T1uIctQ(FVh-;9rC% zBR1P0*GfL2s)52~1g-E>Ot&&q4PH&&ndIL%N_@m|@RyRpXHcfa8Jn^z6OZDtI0@Uq zVNa zIY=1m+YZ$;`DqU^co#6sc?I|u*^B*CG=VV@?9wlyqZwZu2RM3f+A^5|>%evUY{EGJ zvewPl=5a?T8Q+*YJtj88Te5FRZgzAeKF%xox2%6Rk9WSd`?s0^dtJ|}YO=t8!#C{y zsO(Lm`E~i)H7&&1;5BYKXI=D)rQ5cnjq1K)l11c#Yd?v7%SVtxt4s3pqh8Zte4MxC zGcrIEzH|AzKH*jaxEU6Hals`QbW?#z;BH{JRP^w?xyd<|cl(5MGa~^=ng06<8xQKZ z`B-O+_wj7}ygK-M8b9?0r+XmrmOMO~A$j`gq3hrDmOTKCT94cvJ}%=X4jNk8uDfIX zo5V{5z!4>fYzzLN_~$W3`D}Zind+yPJp#^-oxwj76rNgS7m~)YgZ}y z&3Df2>4pDKIyK=S|CK^xezy}_w_Z;;rmpN8eNd+2x9@%y)-w#D^e8_jP$k-RDH z*Le9y|AM-v&E&<{zhQ1DzWU`Z6e4Y1tu=$o5!fr^&Crq~bpH6*hKY}Rey!is=x-)* zZNUrZ)~?&yx808t37Y`CtbW`!XB>5Vy|@462{&U-=!&!Sj9q;=o&t z;QW7OxBmaup1^L6{v-aUK4rLm)9d%2h#aZvRCW_|pQ)1TBL&XzYXG@5S2yEVeIxwf4$e^L~n zz{~NA6_4k9MPGByDZm>&osZ$4ZVOF0Mn=rntP!LMiBexgA_|9j{gpH;U7~}>T?$h3 z9HM0x4Vb0LZ zb^BJ?7?J*qA-+A?+DZ5Hh&4GaQq(>J*#+sxxJY6RQ*nPnN|sB{dMHI-_3x87Vd3q+cYQGxwLiJF!F?!Qr)wOVdVxID{or&d18k_;?;|a zST)LYQ7c8k6^tLVvy+$4<)gTd6_8Sf4VR&*ZMCuAzmh3XB{C=)TqUvQtYEl6AAiB zV*;5_z3aqmfMmy8;boUwLm9oxKOPQf;xg)h-@M!#gY};MDkar zNFyrDN(Ya4ytP{;qdCq}1!wt9|#bsZizDWNV@Ha+18qVs-D|%*|6R-9g}g z@Xaukr+`omY`evUhL78=kI%2`zaVVU&SccQvN-!=Vbh#m3T&2y*>W!?fL9i-{N zA|nY@b~GWgXCA^)!XFClgnAf4+9a#z`FrP#q=m0RgLIiFh43?qfG42dJY`JupfQ7y zZRDd>S)I4k2wUGTzh$u<1y*-G3Zd^TcHFINs>raSwp7R12I`CZKuwuR7+erTk$Z~j zI0}54F@_Nn&;}}maTRGZ>Qz`x?`P;kS zZ>oAn!y=G*S1rAnl?fT;_UaRNOykUog!h|{^SeF;O7Gx|Z23>d#eb-J(N0A1OVG*z zXl(eYdmjO5bB_JVK0g(V!t1_P3y}X-{Vn4;U+Ltv*N0xa99}Wam#|g`5D-U{$k_=6s%z{PS`z7LU6OG^95+y^S%|`tmQHR%HA}vUz+iL z{&ANgr=frNPe#SNy6YY06{Og;eGRy3KeH}7Nq;{K=z&PbqE&O(zMb5OFE6U?wwl_T z0es=#BM8?tF>t@xb)n30Kefa3aV$~zbhbFyPv+2hZ8PAjI~kAPYFdqjb?WhcJD1q3 z2Kcx7{9~}Nt2>sV)aCWtE`=@IIPV~II>1N12DoB!dyJ`VX@5+;_rv<#_l7;v)t_dK zm@|5vO6~;gG5R~eJ>V_q=XKL+{CYfn*~DMbThhA8;EaFy2RH>x^mw@#soj)RrNqJ* zd2O8Y4eGs}4owT(D6DL{9C=?Y%ggHN;-Pxey`MJUX^(YIeA2r~2H19gK=QEu`|t0f z*H3w6jKGi4XOGE^SI_;&J~0J>$8TNhF014^wFj4STR0aBn+M1W(6|Ondcdt~;^F%d 
zK7IW>+pV6*AsPOU7mEA5EjL+LU_X9JuK#}hj6vH*Ml>HBB>;F{g0BDf#rM8YMxFm~ zd!xqlM>YT3PF22%SPR&%9U^}@q6$~U#J=hW^c=ipF+LlSxA3?h5~p8yF0XG#Qf7BY ztW8a?;cgKw?RlIx2xzZfgPq>MrSGuMuJ4@Ra$~^;60aU_u!Vbz|2o`1W`deZ1IJRK z{W-eNp8?wzuQMK(Z+W7XOtX_Eq+%mtC6~g_$gPSW3m54x&EMLb4Hd#$jY!hQAqr9V zzFug=+)0jCNM%k`a`5ISQkB>o5Ts4vq9w@I6D!#x&RGv0!VLT&Zsj+?dzxQt43q*P zrxxc>`HExTt)17|YoL!ulLzi7aa+Vxb@NT`##PET=&_&v@?AfXLszZDw6V{14&btm zqDsP5uL_pM!u;OMW}7cfQ^E=i^~f}7I3B}NA{6DvZ$Y&=6c-iiPMLXBw&gPS{o=UF zL${}Ekf${eD`Bi_wTmB3_d~gbb=C%we?sFl`MtY;|K}P6bh`SIMTG#&|fovBa21tD$~m^ zg20>9H%i2R3t{VMqU8w^^eg2nbCYE1F^NKmA%5=WK}{lcgiXVR3lo?|6VsfLIHHHA zal~;_unj5@YWN%%a9Sf0MR;dr4R_^3qf(|Z{lc}>@TB;6dq}@#Oee%}6%>d*w;gw? zDWI29q{B0MA#$J&f}&b(q-GlaaICU68s+|G*XqL`?o#(9+Oi|ht=&|P zUSU_j{zo?N*YEZk!q|nGi^F&!V(J)bdtuf*_EYzTffpi9eRST&pGNdTMilE%OGe8u zk@+j4hPGt4f_(N%yVf~{>)O$e<%yd&+$Bo1bIPRFVSSBD1i&U)gbqgrIgcmPb@7n( z#w}>(PV58~LM#s)Ax-+bqU%vwB$u?ImXz9UfUa2}*b)3w{}s4!XYq&txX#<}I0C@4 zFZt{Ow);cY+{L#M5wK0OoxUgB*OR@XQt?9RMrXRWFZMPjvc{Hv&t_2J(NzrBMnA2h?C54gj&2Un1 zao<6gQ^o#+L@FG(G_{yo^G!j737*TxNmh)xShh5h1<$gec%&jozi3{&*$zcX;o-Fn zBYHJLGo2h?v_ElhRFj)(6b)d+4)G9Ep~PA0R%Bfoo+K-Up)NVVOhL7aLH)h9g0Ah5(0JseHu?QSAvBG~zl}w8bU)o59SK~YnQXot{M}hUJbap3dA~%yEk5GD&U{_Y@V`IVU~C?OMdnnu zVEpudmQnEEYqWfZPX~ebWm^ZGHV?AikDHblxje@}*(dz8jQ-Q}pmB$$Ar1q#j}i); z&W~gDiLHOm-mUxO3N>#J;}*G&`)(~4H+SE0qjjJ;yPSv~R^tsoX5ku{-h_AZhm8K9 zr(yEXP0mMQdN&{On{180yQ#PgN+qvXe)s;-=Xe9F1 zR=v}8{CsOXRv)K*-CKGtf&E4n_#gj-a4#w^>TK?U&n`C~V;5*CeYvhWY4ZU2J#h`w zRxVdhdj{ZaJ#bF4I^SXAN_pPxat>ymPr!Ts7uZ+IL}a;3?L&9GR@bRF9$FlQ%VU4X zm4f$@lN|e>ab8aGXEj<6uo7ssIh}Kr6V*L^AFY2zl16#zj|A?9vmV{`ea;ld>l2s;e`#%iAi|oq8To_QNB=j*b;2}V>kSYX2*vgI zY@uLFvq#RLeOAQk^iUX9q{+8K_*%EU;x7=xtQ6SD}^&WIX|S|5gxOC zI{sZQ`M*BB9xPbX&Abf=AA$ux%}F3@D@-zk0c2b~0&sm!x_A&6)QeSJFe-L^a{RRm6M&Jtd%i3h$W;#xxJiU)(^(&7_{&=h9_O& zkVU8*)$qTreZ`GG`Nhc=YXx`jnZ&AuzsnMp^KFkKEvV9K*|7?OJ893Bn4*p5FM(++ z_3~LM|HwtuJHd3_5Ef}nk_Kdx)wuPVewy&fXO5;YtWx?)l|D|ui65!-HL%D!C~A&I zr+!NQSzDO|rO$rI!~o97Z8*Nqp4_`d!Jw!NL@iZylqQ|eo|d*E-nQsSa& 
z_GbnaMT=qcSotyKj@sC%+zOH$nrT^}T1__N(rjlEC#;dWk#LjBslqn!Z|+y;?ocih zuhqn=CZ;U46er?irC<6D-}yAu=Eb{{mdKn|F~7@&P%n*uD*v*h+lD+if0N~aurnV_ zDGn2>OZ>L-b0P|hWk~wn2qO@I1T}+$@HKmd@ith>EBmLdhiw6O%8bQgzIA|Jud#}n zV*mG;oVa`{d($1K4P0e1Xy}lT5azH*R>(xAr+k(}l#TJVCYDu87;`#_3B&>iqfm4N5HOF9B;X6En-`g|4TcUVbu^k{af+EmafGpJ@LdHmZ(X- zMi2KEpPV-vLpmlf9oL}Ge;@jOE2$swtgya6@^F;0^0w9Nz=hUOw#EOs!u6k#aUcf8 zB#>h2#Fp_GQ5uS9K~9Lo#x;k&7wd1#aaswSTT8)wE{kHnB0V~-Yqo|^h1Si>o+{^` ze+Wv(rwc~$6RcF*cT%m3TIE^*QWDuS9EQi8YQ7AJZ znAg_!;=;)=sbG~lf`}*%_kq5%!XQO z&)my?LC}#c20oAw(81LZ5;9IIvP z{Fe?o1o`dC%mqqIINU)BoZ!?jLNmUvu`2y+rxBsK@@8BG{0oWSeld9KsUFahoSZGI zmeQ1@ zjt~P{Wyxkv5_1G-ZS595@5=S-|0kWb=w6UG@%nmlK3F@zkDsI9*O|q(7ac`#tl(UR zf;%==;Af}%@6&k>Uzn9uPll(vSi4O}zvu*RXyq5XKQvL%=230&;hj>RQ^;v7U)ezpCG zD(eKV5?_i0lP(`CVklJ2*uNa(;@T?+RDcYBH(lXSUilw8&mbQ1xxQ9z=)RtbIcT~Z zw6IAz^}Tb{bMSHPGWiaxXUPjotK`fN3sw_^_9qgg(>A{_WRe!MJHj zjGB9)Tfe<7!u|E{!$)^pJ_9G2DNEvYIJuq%hBTg>?laG{PjzH++nyG9{Tr3eQb`$& zkMOO)67Q6&*j{g`e_>>1+RS9G*^jwy(!pj^+^40lN!NYIdM*=EF7`jtcb0XYch5Yk zblV>O;af)|emt3wKCX(y=K_Z(de;37pnPY29GBD>yt54+f(Y@uSJ`LuRsC+qUG%$k zUN-l_FaL1V4N7>wIody82h%>l`LE%BZY}tAxN#i-T+QPz3IJA*#m*xKquWZiD*<5JfjyU@ zyvtdv2EZ-6tbv!I$FG|O%zaSO#nAQaO_NmT> zG-id0mMN$q)VtgXHS)G{lV5Gyf4T$Z9kA3wC{~%}5-h^(8ZJX@k+TNd``K9_wK1uO zz9i~O?X=5<)FggdWVrR-KtNGQb_=yN?OLMVS_8E$QAvi_nuv2Vi42`k5$t*d)ax}P zS-o2DnoKvQ(rwt=BjZot%sU`9E)EmLM;H~DF)o46Kz8tU#rJ1IcMe6Uey*Gj z|FPMu6--EN$HYMUbIDdqj|Q1W@G14QXO64avYdpMg%!mW^&&#Nd7v@5UbS{nxq>S@ zYK=Ozi7b+k#jqrGh*bL*SEv#F_K@rv{WD%KCbaZ%v5G6yfM}>q6-y=CW~`m#*Dvm=E9Gh2sO;~DQQv;RU_pDNaZ?j zz1Em8)7TgO1Wg$Z4ntnv<7!zxoHoe z3%3^>6;7M4yTfhpVJFNZ>myq{TNzrG)OmseNM@LQGZRvj*vCmtE6BNaHU8!G2UYj} z`Y8KXIV?x5lL7kv<^T@t{*)Fds!UOSKr+hy3RPrhrg2Rs8}TxcL$f@RWp7{Qi3}lpYUf*X7gO$V-z3+HHlptG^G~fQR}wtfS%%%r2Qn$nU(TrG zSj;ZODLI*%^vo&FhSQbEcPPu0D!z;vrO#nWvZWTj3ZBHSsVDFzHaL*Zwn^u4NVm^ed@ zS_^TlY_d}4=`(Gpsesvt#O!X=fv0cqk;0(nKZ1q35V!pm-_^ecP`gJry|gC15BhKK z48C-}IN08!ffJ);Z&KgOKCqtwOz#J0eM)Q_`v?Kl3pL5IrVO#mkx3HNr;B4$0`Qfj 
zCVi2DMY0_ISs4P^Zc6m51;Zp)$Y^7-O$SMtk?Vp|5o1z0mSVtEVIrTDv^hl@qLZ7t zvY2rd&(jmV$zc4#HR^+bhY$yKpvv@@Dk&3^Uv58%fTmST-;`NZB1a#w{J%=&=t}2D zJ54enS&%u5i7r95)DgvHW1xKV5V zg%n5O?st`%N_T|w_ZVx$y4{f)H3WP#g2AuL`ymOk5`t#J2UFIFlZUk3+dCOrM;UIp z|5Lz$h!PPFMPNfBu21B3`w#Nc^V;3NJ8XU~Bt;crAqlTyz9L^Ueu#W(rIQ0Ce~Mrf zGk-R{c#Z2zIe^%q4gYKNU@}ZCyU2518{Ovtu}yvZv%G_?4x6K3>yZ!3yx?Wc{V|in z=IWIr|EFE^tXeJW#{)E*Gu@UA_8#qr_<7*_{*lKy_1pEEM>+Ck*T?eCRyu$4zo)0~ z+dHK0FH>FbGMFs`>lchQx5L04=8EW&jt7DLDHR2(%a1sPc1(i1eZ!-sE4}@g7Ja|{ z8?P}t4~uU+;0^kb1@JbY85PgD5zflAca%o zsV{gcr^VAu`^WstsY12RQxN^TKInLnb%EGSAT#`ZK?_DP$W6`Ap zm@GAG();PVV$b<})jcKGd(*~cn}7NcVTY&Rkwb4=OFFpdqhZ;BvGZnRB+phot$<;} z_s>~wdr*eQd3YJ1{#7}7AzzN~>gJvi=nLKAJ1p<8T%AWnxz!%0r)j-LJEQ#^hlcmT z*&|R^AI9-ml*eFUn)c4xvpxEu^<_};a(wOsbUo$Qo-$JAN@A2@^qo?8q$iF18lcejxt&j;u^_re@<%MT@!`NPoJen@M z6_4+GFdEcfM$Le3J3Nrrk@WvdJs&lk_Dn5<-?Z0z_5ekfmT#bmPe~OPC)p8}Vx{WN zr|fFf;#J{__XyxT4NYE#Accf3^Qn+VuK(nn18;_KAaNT7PF9*+RS{n8@=bAn!E{su z6Dz#xD9x#mm%7$$0vdYqSlv-{^Zp{Czdv~TatdU$tdTTOq+9N|H5Vx#EGXb ztEwV(O5e?d^~jnGWG)jYk6_B8|2<{%Hf!}$5$SH@saFs*dS@e${VQor@{12OUCc?$ z5qBf#gyi0wCNJ7KjQSN)G0-YAbm}|3dX8|}(h+L~6}I~Bu@Kn-EO*8PcBnmX{QuKuT!r}K9NKxl7^ZDK^!7aMGUKXI`4fIf>c1qp8zsF zDF{naya94s%($U$_fl}DaL)LwB75t_SL?K2fjtk)G7@iiSdIQg9VJH66;)7}LP+r! 
zwe$Qr2Dnh&G(flSTPdy(9>#l8ioD=^T5iK)WTw#RbPmQP9+g+X;S6#?tH zg5uPDoIqQHbQI>Sx_5s&aEp(`m+QX>V691iWdp!RgJ_L8GdM6^)EpLvO6b0O*t`IV zs3a^T5lOSOB3!p)U0#`Eij#izT-ftRRkC}RED|wq38F83;*2M@0z4XN!l;JvS5a)j zfZ(4d8m!vxNe865cw)e~UqCnp3nZMn%u9B}ZTcPi!c`HaHa&bH z!7^>Ur1#Ov&j>V~Fc*p{m<;26i#?~RfMv)(28erwyR1Z$59|L_xr*6VjEAFSfcHF5 zUo-`(%Fx#pGRpJ9Yvnm+Lq0C`W%`okVfka_s5% zd{ZrwW&Y6?aeVgkw4qwESlFzP4U23u04K2r2gkSb3007VzXijF4zmJ+V3 zID~kY6K+aq+S|ds{~l|w*c&DGd+qxcj8J=Ce6&%=H)LsF;PIjgh6cKXS$-nLom1P{ zQ=Lkp4Mtx&o{E?xS_K=5v^8a?ts)wJL0Ji}X4QCXwt#N=vbgjZeK0}PGDO{HqOWb0 z#$BP$O4XRy7MnOl=#teafgBf{*(*L_?5p0Cno2ST2gVt&Sz3}>E<_wC@%4LGc81(a zXSbo+wI86eSbC94k0m5%W9)bvVtNHm*e#!=^t!=;$5X09)vHyCKHID>GS zA;iyGZUJ-u)`10sW+3+gIkgY&{`SfR_9_EEks1hqrHZ~K4$rdv`mp^BkirKOce{Q- zDm=0@mcQ#nJ=uP+f?EJC)HzY5Qjrp8mE?@B51|fP2 zcUZ3X{{1#@E#LE$iT%cNyB27WhIcXTw1#E9(QSQiCiF_ceQWs@9l7nNz=q}vri6ZB zlREd#_M^NTxP2Gi0_43f1ixZ<&*|R{a-2eNR9L;~<4wzbZy2dvx38+= zZ1Z%v4oLsA5YNB(_aN>Jqo#T5y92HV!~LLxLz{%x_R~WpeDPJD+isqp_lskd1AR|L zOXlm!6#&Pl^}7EUH$L0xBQ`6~|N0Vl$^S04=yD{}BD?)sIjhTKO=$$r^D)i;1Nk8_ zwU*DnZ#~`5qvdQ%-S1(0dBoo$W3OiiT-X=S%8GQ?HLp;r&&qGria{YJgAl`4qU;(%3ZcqHL z-Zk$lXNmnX7W(~L5eVtLx78E-kUdV8J4@)G!Q2)O8QQHoLfnPp{u~Js052lVT-Xdq zo~~t#yJfoL(R7mMFp|szv=EM>^ZRy{daLVYXhfd>G>ZNm%|p}S=zxRk9+XGdF*oN@ z19+a3XwAv(ZU!!jVD56(2E4sBS;TFbb$6f3+(SO*H9Tl<;CXl*O>b}<&eIC`o@7+j zCi8XPYP?|1{C;?MD?ok_D155oJoG)=KdRNc@2<4%0k(}A z^i1kG(BGzyD`nMq&oQsm{CNL&K6m5d2e_&nk=LBR1t)&^L%;S+O@g0|&k1(`6=~9U z-R^I&=*Pm73vVGBym{OyuRYGrqm;LKwOen5N=t%?m&G9`>qF#wfKk-zJfU{j)COVU zxTxkZBpk&g21p@+u*TK01Lh3r^wVNe2^xzsNZ$O>>;f}6wKDX0#qh)mCD$J7zF#&e zK;KN$hVeR_FQMj@oYcvYe!vhj?qM}bH#$o6a5;Ecw+Ty{^gRlmHKoi7ag=Iu#2^g% z(iJ-wUle0D1enr9i=NoVupKfP1XYd`Pd&fzEy-xnN7j zadiKJyRIjF?PAZTC(K_TfwO*}>LXvg_sa-@VWHv}uX^Jji}2N85)3wBalf4_cQf@{1y6PPrO9-HHbg*m0pzRzNa9E{P)jCpW!{ z{Z4#lNjkE7|Mpq5lKaQ@cayJ6NqGTZ$qW`ieAen;VcH z3@Rx!a(*l{L=bxEkA}v#hIvAHh)t|WEMr8fkV`M5Eb)AZEHo~S7M2XA4MVcsUZ6^?94WZ4+CsFs=H&gC zJF6}{otG&^l%T}uV98?LvKlX`AyWvSQ0{PBS7c@{Y7!;+um8X-A6G(qsseTGo5uuh 
zR3nuC`_l|+TjtOktQKm<=jFsHsj2iL7>g*YejTH@e3!<)S|e=Hhy+w&z9#y2*eJf~ z#Bmhzifhim)aQ56>uBgjJ8T$Q^j9Ez5z$ z4is&hi}A9yR9VP#Hf*;{EhMRxLDFR}@xid{U8?+1#I3j-q6(!EQV{fN)RTdCSZF=i zf=d!iL!3TsgL3ghYi9a|Pr{N|h)J@7f-F#)gfezOTOcRF%QIhLeVi<+v6Gz|D;Y%< zxBcg$D(|y%lC+v@Y6^@=3E_`q_iUQS!fauPAH^}1zLQd@bt;@P83j{Nwqcp$Lr{Bs zNH)<$NqV)7w`;0xIAW=AwJG?>PG5adL+ex^It!*el*KUKZ(e%d6+UijPr%|h44`ik zPV+2UK6n$7V^9KI?DGkq;}ei+nPrwyVk>12#Q*|*&ra(knAAS7`E_LaQv*i z3U{=zREqudPB~`U+x$V(tQg|akf_&^|1}vQ8kAt~M5lO0;pzVO{D?-|Ia_kkWiJLD zDwYguwTp-Qyg7L+AXc|{gNjI!9|kQ>TdI7ho9-l|P88|O@>Qs~oJ|xz7gFVgnBezA z^t`cuQ})m-SqMREQ#e=Uri0^RITh^H_8WDcjM2=7T9S~G5by*`)995sgHTN=?v+;c zY>O?62!(n|VwG`ltF|aT31M`Q=Y})&R z`^Wq^R#VFN)tgY?tB*7u@bt9DYoMFwy+*r2q9deH zqA#fjJ_Bs=Z{mIQ9eyzm5C47hDc8Al{&%zgG9vL>^62}`rTdTJ1oBG9I|%b?lj{V} zZwCwgg(b?9^g4bCMaH0P3xxt;&fBXHew>sC;XX<%^U}g34 zBedFt!29X*mOQhqaYkEHfA}$*>_1N6vPF-4a}@njf2#nfA#iX8J{C7{@Y(KhQ<7ZE zGlGIHTu!{f${!-SK<~OO-Vs7an~J(4k=wLQc^$iwJnxpRsZPh~_y_B)=D)-_7vMXd ztBzVa(EEUQ{9Aebt#~}19Z}C3S?8SBY1s(=g{_T)iek=m zF;WhG@9ET@;(@6}S_QyUKuhlJsmATukC|5R^`gt;hhKOyfsXG$7D2Wzm=R<3rqe^e z(+afHq+rKD&^9yd-TfXu@uq^ry6SWh^Nr2Y7kFOTxN7r0Z68>uLe=j1vlnD0 z5qYresm141RrJt#A_1)1W~{Bb9|^DJ9o2ho4`1oA?Rc!EBzV3+d#(A{5vi)~oVH)h zYs4SIg&kXR*YR+4KJ{o3@Vep%$9q0yJ^tIrj!f_W_k^-Gr>#2e~oFV zmN$SbRC+Bir)%U>d~)@{lKPx{wBpQYNp)$=Aw)E5z0>cGZk=k>CYr@e`d>sP8&++C>cqCEB@xe5 zac?8$0ZQrIk4gO^u@3V#IFj$9QcWq?+_vSPtA&*fX3F1hr4cD<@_#W%InQ7e?Ei2Y zpQY+gWFwVvbtV}^r-OBC_?0TOZBD~YWx|kK^|e08S&6cuaWON4Y&<3te(D61+R6@9 z3Oy02Q*_}BmVL1g=YT*f*tNwdY>x{SuIftNlSp+cH#4#82jkD1R@HINGAG_KYo`$j z!-mz0Z^pTJhjlIpQpMM|N0A80ALC=_w0ic?>q&EJfbsSiohV68GOGIhIiTw=4o(c%e?%WEBeMMj`Bq^PCb z>k~w7XeM(-3FN4+fH@(y|AXKtULUjH7mW_o~wK{AvX+zi=^G;GF4(!oR%+decI zF;g|y(+t)LqJPbYFmvp2Dw$GMy%U z%0sha>~L2++Ax~<7${b(ioRYa9ig;yS7jlcl|klA+|fOuG>z8^(ZDaK!pZkE^~!W2 zLhjpK!c`Zl4eZII;q&<^X2C%<@~5KR<_hz009!^J{=Ir(c<~JLkzdDWvn8v!)Dl>Wv={rFFDl97P;+7`2iihr@xm$s z^NLQVlu<>s<(xE0b*FC7F)b4g>VKw{#RDyElIO6-+~3t%nu}Tsw@=hFCR_$JP1{oo 
z_AA|K*`&K;BVA=C!!mBZF+gJI85#y1m4(+X{ekE2q70H%K%LWH{GD1BR9HM`pCBWD z1#!exTD;eUdUTx_o4*9dOcIFli>^4u8Ko(y$(TNrw7d*Aw3tZbJHv{NndEp$LwO)Y zL8Qu!b46~F$qNU5iz_oj@eqgMk`;~eys$i>h?T0F1=kG1QN|7*Yqmw$?WAKa7#UII zW9E9s;)W1G48Q@VWLE*-hGKd4)>{O_(zy)!-{xsey$;TeJk3ZM&qm-SNN4bMPkt3w^+V1&`A=KkR__RBn7p1Gvwk+Gu^fH~af6RXck_ z)5Fhfx|_kn0E5>4D^nWZy}2IpvvA+KM{~>P@R7fKRgc3RX9Dx~fTo*3Myl#D{w19c zo}1xm33n!h*DpNskoo67bmLCX-E_NkWohSCS7~nW z;(eFiapJbv2e;h6)_>xk)xmH69sc*f0ozJgMoxtTcsPz$2d+ODDPdxV3rw=*kjMumRV|Tj~Ui-$bH@&X?Zk=e)?`?PW zd*fdm29M_V-#Gv5b>CQV^}+hpj3chQ?ws}M&Cdzfyes{!3pZM7v)R`!Wj?sd3RgdL z>m48V2M_q0aPR*5<)h~uyyA)T?>QrwLkzf+f4lWtAHIHUcU9rV&G}RHyT3X2iTVC3 zZ@+2GrXQO3yZtWbuAP73wi`TFc~p3~H(GP$wKj_8{rJxCz%#%*-dJh#Ys7WGxyku& zK70Rd^%qw7KREx3^#A`D|9m$8fl`0Re^U62{(mv{nfzx_gQDU8Y*6G6bX(BOPl;i> zU(Fa+prdMTVJ zG|X5pijXfeFxSgU&5YFMMNomK=(5xj@+G0q zOon0B>y@fOraa+At8378FfCWri8`?Lk;Te+rq%A&1JA9uDU=xmW{U_XK&H_Ht8~3$ z>pbI$BxW-)SL4VsHyrj^-H@gqT5_{GASL=FZ%Y<5 zj;EK|cQXCF)#J6i(1MHEj5h#XA`TO|iq1@fHlsq(E>8Q+4r>gn9jEJ0pF)%+$=Y-i zQ`v}K#QtPZU6hQZNG&24#jKN0IFTQvjm*YFX|? 
zsYDA&Pc)%Uj~XDPasi#R>LV@3vq&m;`^LQ*^t*nm0g?gTBo z-Kp@Do^r%`k*^@SpW!IGnl?M*D%xULkI}k*76v+Q1{+~^oT`bSj~YH@@ASXLs-MMw zGK=beLhf(mRY4@E^+^x&-!et`>2llsYNiO6)YSlsea+`h36fFd5R-Azd7f@=dT9`ye!|NLjf8iMrn?d5wNGgjEpjxoN{62rUX2 zi-c(D8O;swUWS+?gSwWtEo~S;mgo&IHVW(Y}l0B!XO;iiUKj> zWYTL#bvHjfvK3mECb9<*iYnLxQVI)^Dq3WV6y&Zys*Y>8jp!9sNmZDRy@()t^J`Sm{#3Z)SwJ>3vL{;~nk^zv~CL^8eSo!n~SAFE(@Xn{CeDalTSMD!xHkf-~_{xjl+&_JS zc5b=8d*gufz>C(ueCO5;M_MaA zpE+}nLpEP8Z5(#mUw^T}dAm$5I&k{~cRuckt#@C=+iSVoHWBAOv)tRltnMGLxpw`_ zzxDi5o4>HvHM51_h|TtR_{VdOJ9(G0kN!sC{xe>^=BV#qyvMeiU$fID3uhm7$^BP< z_xT%cI<1diRLl*-t?W%NW1l(y+Lxp)ckf?xnrNkdyz=cgF6sIINdLd&`X31Ug!w-+ z{O1d?f296LMQn)plo!;$y7fO}zTJsKT`C`^*{R8ul`5X#-b{LqRPk9 zN3aC-Ka1|c61ZpW=kasuOBfXg&pD{mG@gECcD$ZCc6>j4|I=?rWW zOgMJJR4t1HJfzZuFc}K(@%S|UXnQTus9LgK6yQc+sAO+Y0z`**Dzt}}^So8@rqL?scf6umu<;3} zu#^I}+h%$i)|Ly;R(6xE3`Uwd#dS(?3GZ=UEt%JOyeaAF z5fV(IbR$t1lU`B`P?jztajBeYp@Tw#ljt7Ob^u~g2RhZJS|Y;OomxN_``toOl8JGc z&Luenj|yIk;Y%$(G}Vb-cI9dhr^6yzq&HBS}bC0p!c*Q zfya7?wYy0wTkgq2v(pu9x~+neq4>^( z<@&DE=Bn+2Uv4C`j9V*?;B=o=QB&3|k019^gHe#8>98k909zPw$qbbq84*&hYqC*v z{6ZqvZ0fZ^E@cc92BZ+7PNccSgspi|eL(iLNtdE|)I~}PyiClh zf|9_jTsW-8NKa0SjWowK`xKajl~&Kqr?f(|)FEot^r*2mT>~=NY$k4mmY%jU)r3{7 z<+|m6BA1w0gx7<=ng3Ie8bqTxGyi9C{SW%}tN&RdSM%TeXGvt%lU2Aj?)Q0*W`P0G zD)$LWC=w&hAE>xzlAZ%|opj3^n=Jzt(|nYI>Wva7cUw?N)5q9^i5sbwHN*{Z>S7>I zs#@bhkuFtg=|K=y3cf~j&1~N9nl2A#As00m5qI+qD>PVB@=9@&)|*6%P`fPI5P;IK zB2*bSF#-LMW`>D2W{P~l%S}2~5|xsI+jfc-+K5V2O=_oFULzW!!+O^qcIBp9FG2uQ zYKJ+xs>YH{f;v~08_8}etM?N&6(XHZ+L3zBPzJ5UcqG;Bu_Gslh)afUBGZadb?5`d zZn5ZeGwm|MXVQ#jYNCxQsj=6D$Q(|_YSPRjqRk8@X05@RMG_w8UDJ{LNk!=i2uT4- zCdh(D*@70!?8KjL=}(c_%zw}Sv3M$FGn0?k{|L4{>Nc6&$YjRdVsGldKM4=~7oV?C z-5fyCy}Ux#xd~s-!rg&Gwed+kCsU>!6dRFc^cx7qluDs5ady^gBt}#5R9M%pCo*PV zb1k6nM2;Xsf;nA71ywC0#pE-Mk$}o&B3Y=kG@~1gy-K#=;e@H=_yk&&dUho?DoIdp z*k!|#!s-ch*uJM1h=PauNro$C>C@5ex+d3jAs`Df$|&OQG!VfHIb{s zqz3q{G}0p|JPN!3@keAMpxVVIUGA%6+|Z45BG+v>eWu^6vdyks^hl^`Rs_{^!cq!M zWX3=o)tbE~rVw;dOcTYYN?6dp7A<*CQ9~AuZ`A=$k=}3y0UczVdpI`5PVRX<>w|wk@ 
zS$BicxvPHr*}0pX?%A|8k#Yt@&5Ju?>G9dE-r&P7eFa z)4y5jt&3jXb%pzXAYXU>8Hc`k@xE*JR($-re<}ZI+_p(;a-Vqn-lspi+U3u`|Kkge zdU^G^w?4xjvGHY_thcEYRzxw^texP2x<_0_T{_w~_ z-QR6x1-)C(z2rwuc-U1R-lgv;+(6(;?%ajHEME27b>|=O$oz)}>fMv>y!@H? zCbz%!)cu=||Ma8H-ac~HuJ;^%@L9V%-`{4VKR&zQ-M`#B`-?wjPnL}&E>i?Dx$|Fn(RbG~l#fB3Pe zc4EFQO{VedbP2~kSJ5`)Wxbj?FbiR! zHXe6V`T(E{h}5NwWWyA}q3Pg$c>Y+%6?vNlhbG$bgNvL994=|eqih*Vu!Rok5mF9i8*X}{=M{yLSeg># zVh;=IgRRlg>h zmXQu*MH+)#y(;we5TFP@>85LT0ZG-Pu3(hL%%InbGWwt^YR#U;m|ezm)LI8A$r2cd zO^34j3W8(?PA(yLWFSjf2r{8tJwZrU2QjQ@Sh<}HSR_EiGBtL4YK4lLDO+r}##sx@ zpn7(~8%c->n{e9ISU`?z8M$Z@ek6Mdry$8n5%FcM)*q26G(G60p*E3Em_AK);Lz{K z5^HO|4yuhpxlPCM0C36`$E;(RMb<PAr#imfJ6%t8rLPo!f@g2s5)FSsKz zoy=-lIoYgNO3k`4vH&Y^=@d8?$~C-AO=MR~H{*Yz{wKdEzZfZhBd;~wNVjJCzx@~g z(W0**|5*}OvzY&kmqcbq_^6T!Q3;frEkH@MXr_jWu~_I?LqDqMa;pGWV>vErR#&iS znv??>R;q<^Zz!PsM2J^$sXw4BxCNE!NuZN9a}8f{5Zw<76rofxrRA}xU}gP$zA6v( z?pP{DShXzY`aIo~v7*3*Ae#}2RWd10Riq-?JV=QGJ3r8H_18_?DC z$fqE+Yw{hTX<<~xQRy_@@@+k*Qq@2jTR@>gMrsb$5f?GahNumsteqQ~l3mu>xTbwR+V6$X96FgLY;D{{6Ek#4ftVTwW-rz=T7uaUf2aPT&76*WGo4T~I; zPzMqzjO3{{TVAPx6G_~b$0Ay3;Vdtu{Y+)*jCz%5=+!C!S87{zc|hg{jV{9`5YV3x zG$>G|^1vCntpY^Ui{&`&SAt|d>za8qg|=FHsCX?UnC|!nFyOplrQkHu2tO70QX5WW zGx=I+Fue_2$EoLNfk4YBoglH8@Oz4Zd$h=a`T+OHW>TmQff%w2Sc(k?ZZFnx)U=Y6 zfwY7E2vn2YP))OpLI*<7GGk}tSCEQWD|o3=s@kS&Jk%|FKqB;HJL>Y|j-2c^vnkD~ z*;aSD(S6GmsBEzu)fFN@>gd=VXz7CCQL>&MXpm9wlJ&tbJHv`*SkVkCnqfsVtZ0T6 z{W}_*zk->DI2?fB?l)_8c;%}<^;f19(gb(Xs3L-@~!uJXgT z9)0!0cMkjcoYfmkJ3DQ&(>1`V4{bDF@zE`R|J*}IEwH6S?knDLgNB@f<)6IaJ9F3D z@Ehg{+Z=hrrUx0wAL_6DOg;LDb)PxmgQx9t&cAYn-R3N{;yNdfuibmu56*l3rP+59 z=k2xBtQC@T&knuQ>fhaQ);nA8dhh#(zklINd%tno4Vurt^{C|CN&bM`Gra49z4zYe&g8$8|9p>0Qn#(ve&g+n zvzPsTj}LDjKgJ!Ocg7vG^?#{9);0Hf%-F)?Bmp%Wj8r?Jy+5A#;SzhxkM#e`=06|n{|1BL4FCT^>>uGjW5MV$U%UFB z3E$=+QROEh-T9pJf28=6`Onv|{%0Z~!bF>1ZWR@mto|onBL3s$T@f=$f~xk5aN-N-j8ek#CYE#KxxqfD*gG%ej8RQeS&%GEv0Y-1*; z=JGBJR9e}>$k%;ioNJ~vmn#^(Hp4eCY{HnGwwctJpx7lUbW0i+Ou0SD1))ZCdgV%t 
zwCj8-0gQd$HL+TXGm7bsz+({6qgmZ-M{uuLS3SD~wm5JatfMk3>z@{o{mv`2C_>{Ga9HpK7i`Od~)O@I+GR^wkZL&g@}pRv<0Ik+3i!DHZg^^ zl2Dv+p#`M=x%!_9AVf|aVttXUNTS8iIWgU6#xQ^=5| zfRrYAsl-ipPl?O{WRNnT4BkjtM0wN}Vkej+;|ZT9*?zHC$xlRgdNfDI?TNp!zvMG5d;fLwSQ^*Hon=wel_Q5}a#wi;%-V=7hX z6roN>M-a0vRR(P-(^5M9Yzioo3Nh*R(*-sNP(LH(p*mB8IJ~J5cFXTGcBN0345yvy z2l)<>G|_RnRMA8l>nLF@$mxJvONmgbqMi62`X(%-w zdJ^RhljR;LbR|>C1%6tlJ7^Uscio~~r&<(*HKr z=ac%sDPXUk$ftT%ucYcZypM;X*R!gng30klHJgJ;wAu}AYeG}W5rFYrhQf46D)l-+ zt)Ay6uw@O0E|PGVAW7yMxja|r3S2GU&36<*cKRu;(y8DPCN(g!T>w&iTVMtqSIZ|R zl7e88Nl$-IV7*$A4N@7V!eUh?F|bM&<{?EcUF@V?t!Kn#wKL35r8omrn4r>u;kKP& z^ClyQ?M66V-GI$osYcTQn@u`G@kC4O+6@fO)v*?rW>QUQGAXp(5{@7MR%{@{?${n> zIK>fg1B;PrO)wp&+ftammTM>L*}~8$=sc2@%t}8Z8DH;*xx9fka~9PFV3VN6ilkZ- zr|kN2jP-{`-xRY`AqbfOry2!54&+R0hV#sDo*B+F!+B;n&kX1JcQy=xznc7K=Kb$4 z#6HG<4mQxI5B>7_4+;|mjHfXS`fUCK{~iB9zI^_JrqeKrr_#{p7yxvLJas^zL=6WrN1W;8hp?Wu0>Whu?({ z-hZ8ImVW4o7hmX|e(lqWd6k=)Lk~TmW}MvM4|-?Ly=!gtgC@T!>YsIV<3HXF zUc5HB%f&DJtbOL8TfF|8SF6jcdhF>}JOu3BWOKm%x9#>iZ~%Jc8@ct%8=!;zS2+1y zO5W@a_VRDGPdIM%Z4Nu)!P`IF?!jO5NNvN_p>r-z?*GaeSG2tk&bYr?Z2u^?)QYI&i_=*B`LyFP?g3 zy9;i2u6=vEXT#mrs~`T`KV5S4qqqKH{yL8mFUBX`_iWTW5?kh6A<6BO+wkb6*PgZM z)(cnNY6ES#3m@Km)5__)-Ld>JSJRuqt=)e2Aa(F*v-u5QEZlk6GM5CiwBIg!_5$mC z`0kzmvhb$gyt(x+mOt<~kncVNuNdk>mH6#_SM-)STH5QwBc9u1*SpZ`7e19c&w9-N zal=0K(haVB?cm{0-v9YpE73o={;$`*a{wnivH8#UI%II>6^FgHW%bF!jxv`&?b-*{ z|HH2?+w+3v^WQpco^#2qtFK)M-d^VD@%@5%Rb_>h|9tCe`y7Aq{Cie^{hsGjyPSUa zNn7_uOM3o4(*G};|9~Iw{|4eS`u|1PKfr%j!4Z1V*N*>yB3*?)de2(@Xeh(y;Xjj4 z=0DKaj{gWMk4*0YEUMKMuPhP&nJf|iAyRhImNC~H3sPoO&r)GA1wdM{IiW(KH1Wpi zLc&d^@+~2(4|5|=6h=d-IclW!M&HinY1k&?NzhNW=}Il#jB9b8(V9TNA9pO)PUN|6 zvf6?NT91juM%QgvV;n|Wg~+u0QAtd}MxmbXB_vbn#a=AKX(!8NDz!EM+dk9GH1cCq zR0OxukK#64>=(sB%B+~05;u61=@~InEhBMpRLl~xk!48-GSZY@ntmkE#D#LLQ1sF1 z&kqk{T3`$!wTuc4xq+2OY@eGjyql<(izpq6iK?fu`3^A+16?2Fky=v)?3@htMYs*) zY5*r9g0rGZvR*(rI-O57t(rlEMMN^lLNqF}XilbF(Gf+ij2L7uF^pqi5dBm2KSiL{ zX<1}FRH15?lk;$`P!Y#PzHC&&V#ZS`1fJ*?D!X8nRKf_8%Ofx*S+tr`xg?wkFK&t^v>*GSM}(B=o2+ZalWFTt&3N#}v? 
zpjd@H(G&v6YUuSrp(rL~*4C3$!77ny37<^J31XmP;Esnr?zT2QM-)ZVSe>ind9E!C2aIZR5l6GcN$p%B;Q;|N< zO!o&B0$@qmleUueQo#}N zq>I*D3WkS<7z4F}LRW&ol2F7=G-=T;(LG)ff=&ma$Ick?B(>!m*+|d%P+~+GMZ42$ zrZr1%g9==-Q9vt^49@j=*B7#glLTQ0oUTkF6HGgo6&bQ>Pvo{anDmAzv7B|AJuo|f zni4X0vaM$1X+Qz@%#kSd48EA4an#SWixVzpRFtZ<&>D;6Auwxj0qv&TS}9DaMnTRO zM3xw&AX8?WeZa0ZS;XvWr#r$W)XM)eofA~d%f-2g%-SXogMloW20jS9uqILPrtu~D*fmZUX=ZaWuaHrKDEssK?(LB1(R zn$uTXpq*hcCe!S-SzB=g3r|sME76%ACyeIGjWil@aLU$rhYGc1)d}TM3&^1kp~kh4 z>u@QoE%pm|8}11Rt`^g2yi+is#E`}(W}PAkblefRd>zEhRG%9Tm5zck2|yPO2;s<7 zl5_BZ4>m+1U1*zB6ZeuPZS(?t6kx49Emz%1t1Q*Rst=d&LC?~}jM2@;ERaw~M2kvQ z%56M05w?RdL`w+TQVZ{AqJ}ecr3yX6erDLu4Evd3KQruShW-4z8-^fXP5y(;zW!J0JCnQi z^WS^f(8-NT^eHQBvH9-rK5_N-+wX47Ir9Vc(Kr8Nv+uvGDkuGP-zQ($X2)ak)VhCo z<%pB-*=e0)YwJ&*IimFE+77FoKYPRK^*1ha&6C2@w`q5tdiO57*pEGY%hiy%bLbj&%C#K&m!B+NcyjlVecst%<9{jt$#41A?|*p2cPjTAcjPXdbL0TL^NBN~AME^- zPV+wD=Qlil%y%w)Sy=bxl~!4B%iHreI;Zr&?}i42G>*7``!$?x&No)xe%=|o-9C3W zxv<88*B#f}=+5>sXFqY?9aq*iIRC)LPY&UKapflap7P!W( zEnZ@u|IJ5GI?|$Dn{)*YJj;vGm z|K4T~5Zi=5W4GRIaMG3Ye%RPl`Q{Tp+45Tt9K!#sdgNbba|i9OoOi@a%L*6%VsGuF z4b)ZEU()mck^X<#{0D2EHVN_*aw5{z&s+Zkej@)7 zzJB#T)60yevG_E|ts+Y}{|8(m{xcXQ%bF-^kQWv^ZYPI2Ch>A>7Oi_A;h8&YB4l-$_jtI#_VI%^rN}hw`f zY!}0PSz|+@TJA#(nMuMuD4D}D8IzE@e!DpKjCR#FNCQ^fL2?3A4Jg$O8>Ui{`oRdM z*hXv64xNc#R?U{4k{v{Cdr2?DgT+=`L8f0_cEe#fD)$tUK>p|Ie^7u#bv46x z2N}pwI8}fOW38x*nKII?bw(8zWB9z5P@#IqvT|b*WT9Rat@fw7EcwHFWYqyMG-$FU zFbQaS(h^udZy^d*o5r`@VWH8ZJg;XM&>*sq#(*9;8dK5;&i8A5r9A{h3L&|m znofFd6jK8u&Z9=?x{ZmV=EG`*9=HPG1rtA|QMptq(k48YN#{+Bfde?7lSY6bnQ__9 zcEQ*sDy*gGMu-_&J|EVicHT{P6Jew6NnHVsuv)8|Ag~H86SPDdc*v6_(*hdW7?EKp zDzhyYOzJkvGg*t4mMF1ZUq^t4UzvR_z(C0*n1DC$Ej<78-^|*^j<^g2CQxg0z|f|tzubnk!i7P$+j%p zvMpJXLoW$1^xh$KLJu7Rgx-57q4ypjp~C>5hkLo-O(1`mkW0Du-D}OPca7(jeRR&* zTYEqL?K8KY7-jy>z1rR+HJaf+U+^FB$H#x>Db#$yf53ThvrZvahDtBY^MeLJI{iVf zL{xL*X2k`^Elvw@CM}9laZqgbmGn4En2q|Rl1y4wqFRTmkcVb;Hnb}0sMHA@pd<77 zfX;VYtPZkO5^wr&+3Ndwy=G_N$ykjz9m()G)PNn?DH6q8+JS~6EpUciCzJ9!z)*~| 
z{>Zl>IZ4=>n(Cq&#Dfyswu^aDg-R4y?++8y#75d~745Y9Ns=sJZW~q9iDu9oU}+Lk z34DDb=h6eJLr5cVf{8<=GGHob0(9$8R?edkoHWw)(I7}w%aNPT>IDs=#1xaR0I=-V zhl*0Caw)`D9c)lYh$DlMY_1dpURQ)#Wj_seNOz1Ei&j3*i}Wy+Y**oGqEQP*FaTDS zcDlf-`WJ2%?uWI1*8hzye$oF;k(l@!^B@09{O7;*g9HAtA>23b2babI+3Etk5sj3w za?07HUG(g{XqpC=}QprAx$I872aD+K?a@sjdnI*f=CYuK1%3)(gmOZi4oPX zN*q=mu_OVbjbh43r`aClcQhK$7R$XX+e9zw{}3n) zrw|mvzn=eK|GIx{&>&K2 z@ZZ`bXfe0kkP7rgc8B|p?wz2?4C4q55dqyLzFwzbcl3#~Ufdm--U^DVver+>I@ znOlEK-FC|JcbI#qR`Y=K-hX({JDsLo9kn4c=h);B1PG%&iOB{v&1lPcoRN{XX=Z!4rt~v(o^WJEp|a%& zikpy9YqayRIO-<^B!`h1ZV<6H3_z{e?b(ba;zpRYFsl-x?Rs*+!Z2Fb*oYGHEGAVr z*QJwTF|uEf;n}Kx>sb<=fS_d}K5gEq(La4jOZSOAZ0}&nhDLy zr>7Smvr&-9dodRw9YoGnd_7A{niHPwlanMMv^8>6R6S{&H*BI(N{S;aXqrXKj;&6A zx_3)PIB;SN^J;^nQIOhls*$iAdyr~33Pf54vN>5DI&KEFR0yO99;$$$8MW``>@;uov8&)gdu2GFr8W(d$XVMCMy_8`6m_>n9vtU&-99YD}jtcf@ zzU-P!Vc4O<2}BS!DWE~CAGQi9s3ZC!L5Xm^n&TnSrOTKri5(!PkWr0vxvCV>j31I+ z&DOz?8G5aFn4$4B=;Tu4PD^wq7?#s=9UcTH4r#XiRE2@!P5~$-sD5SYR@H1!DRB@# zi8Dk{lSsHfaf^IGRg+Oy?ub~r*F>-snr;&HW{TInSWHK-#-xCp*`Rtol1`;1U7+e= zB4@RtCQFR%cHf#{4m>WTbe<9!1>tHH6ECHz5ZM~UM$JY`)A0kDrlNwwW3MXD-qM=*%!-gh^xzxldW~GSc)jHxv zLmJ5SD=lrv8V#*5!02Mrq++m;L0oCl3bS0N*s2bjdN-ld&18TyI!vamTQ|T5fj4OJ>#>XxgC0(MJ z?;;N1R^_Pd4_dxQHUe3)3my{m8{Kl7%OnU(^je6RsEjN52p`L(B+c@2LT>f+iNK|4 z3-9@WB95q9r|Wa9K{~~}LO`ydktAPtEGTjZBSGyNS*2AcnUR21W8SpAyyJBmGni)v z^UPqL8O$?-d1f%r|0Tmw{D;VYFmR^+_np|6_|Lwx*1Pug@1Oq=7?Hx@6!uNd|G|HN z{Acdl6Db@fzMlW=+KG;T?()NyTKx~}f3nwRhqs?rZu-gocVEcAaLr=(KC=BQvrm0- zIA`6R$8WE-#`e!)A8od!ml`w7yW49|-ohWX=cl)L|LA*%+<5t~ zxkK?y<$Z5Db?@EY$StvPGhTKFQvUOSyWaUBDV%>&t}~;bl&ORl-1*kpS3R))0bA_*q3O&f4%@>QH#_3N$GR8nd-F@q zA-nSzd~{uB#oX&Ry|eTI=kM|88)R{-g;rl>&K){={9EsCGzW$cy!DMGa_s3h{PL|g z*ElZDt>NFiswTcO%3QlAH2-`LfinM-B@cXe+1~iQ#eZ_F-`Qh~O z#~;7Jh4&n`yGY!8*_!KS_fF7aaL&Rp@Y{XQzKomosL^|E!@G95a(;Ljru)Gz^ItSR zwzu2`53TUb2fbT&UHq8faXvbBk2N;C{}Oha&96WG&O`t3?lJf8u<9WX-{0MQ>suDy z>ByBAW$lL^zqfJ!PU0CG?6CO##JukR&;9@R&40e4{~H9)`2X+1{uTa1$~mg=qtpMO 
zGEHHUBVh7G_@??F_^bJk`=jGO3SFFg{!cvpGq30W!1Kg^K(SryGmO+Np~9%%tjJl# z0EU=RulBgEl&``yL2yAa>5h6zv(goZ4K^eKf~S*s4JP5bRptE#SL7SzPPS{f0g+5( zvOwsRviXKls`lWVkjeT3t}^Iq=|a)#)Jo+F&veQXm8>;tq3DRp^zw$`wqb&GnQFc; z(LtbL;010nt_{MD*~^G2Jx76Tzf#i7Y^P*|^;&|IMr|?)#YiohVEs02#Wf?_%V9w| z@4*<*Q#!>-2_F=U@uaLLO_Ax2+CtD(IJDQ5Nu^kXCV5yEdkh%FZr$r-JVa5949vQ! z9=8$zi1rjr_LHsGKdO2i+=*gmutML4`7ISbd(X6mTzU_7jNMXhvA2 zt0pug%euu(wKW1l1#S40SMjTj?2yGqMX(T7$9doDXd}5h za{3dT3dS8-?+;yoF#<7dD>YFkT6vL~Sd~ujZ|?twJABWcsU3d7f8ZY<|Cy&y^9BEb z=f%zXeWc!%;c3oOr~wA&mlKu_bMe>;T5Qj(mz(uwzEYdyi*mAU7r-2ej53)43gtv$ zXpf3Xt=~zAyuo(c1daeMqBCNl=4yPR0i_iTYZ_5VC@G1|@=Pxsw#P%GL1g{9)z36* zB?=K#&erQT$2cjy9LW?Pkvt&q<$fwFJ4PZ&l1N{HrQ85cP5;g%X{Jo6)wEi()#li>(oUx# z=cNITs#Y%UWNW2-GY%5WCF5K zBa)e1wQrPcp~RN*7};gLZW&iowd_!G6M!BMMt+~SJbl9Iq}2w6DoR+{TrvuX>3@TV zqRq-ZmA6esVt5bgS~XJ-L$_zOgt~1hz@Vi;*`X!UW?5jm!(mw~YR{ z!VMybeVP9x|JvQ>`{zF-f?zO~B9L#u ze^URze^TE+{~@syiGn1Fq2HkY+wb0RXQ4kmGk+Yh{U*Sbs{X(R`}+23yI!*NU$k|u z-1+L&jyUF#{a)MY<>j@Dw|Qi~Pu4tO&12qL`q`5!_x$S2XGf?0a+xJBI&O{2{<@BN z|CByzFLLt}cRok1)46NIC$2hotqZ;Ao^3vRaNV7^zS}r_xqEks z_j?%MM@MgaYuD44zGBY1`>poz-3J=4p1$n()3es=EWLB)xhu2wPJ>@IkKU2`fL`>4 zpUn4o_13p4)!s=a(W7pgCwWHT5+{VrR@WQ1xqR^9{d+LValDBN0 z++_UJzm@+Sv;FnEe0n83--eq$2yeXpqjwC~eHDJ~uh!AP9jBc+--&}u#U(QSv!|WB z?pm{r*Vc&R!<<#Z8&-8Ly4N{u@ms;;cRGT;;l*EHU;c2zyEdbQwSM-Ep;C`T|9{{7=d1d^ z&Gi5LPV8UcKRKbChpRt2{)0)n6w9;#D|F|Zp8tbG(yxA3qc)ln$~cYmfuZ=e$vO1l*ot3q?;P* zEld&GNu-nGBPAN4 z3pqBUL*yi>CkQm-BsAqFl z+l5lrbo{v@qcRm-=4B6S1-+mp0amw^hg`T^!lfbAFAvC3j^ycN!DNOtJnvQm+H&g{ zF7UAn37Qqbp`{mUBQ|g2RHEk7K<3+>|1$&%bTT#yY(Lqm=E{yWPCD7Vm&67mu~^TR z#=MtpnG-$}G=fei#xh7L#Z+QBNjE#aUZWuiK)qRu5{d%*{R*tBgD5YE-az)meo#xM zLs-vu5N>b27YdXi5JN`EO=PUZZ z<=7&~{j>IDonvriVYjWjJMOrnjyq1rwr$(C?H${;I<~EjZM$Rb*x38zJLlH9b?eru zdTae&Kh}Kb9Ai8)6TEU3@m*KM&*$AdS7-|B)3-|TAx~txqJ^410F9VGIR98AHs^D2 z0v+40K^PPnR8i(+QV%gQ5IIOji6JAq*T6Z?%WE-QpU%1})saY7B8{hjP+4#D_y8;E zp{v@WjYt*ckz+VK!yY`n#Uma3Juu_9XoLuas9z#WRuPqjoILhmkDbTGD!dWIBcpl 
zeO#2Q^Jl3i>ITx<8Uri-7d}f;J_|eF!Nm_~v4BY@$tAjYjzex*-tb+dOl(1`h_Ftv z4rK?XO^f*xcWO_Ii{h^;skk-sjF!COsV;mmPbzp!B#cm`u8<1X7CE>0weZPrw)0OM~8{PFeC`O>k{14CT1W@pg@@C+GpLqui zlDn9AKTd1)DFIx)!$1+C_YJydqXialHB_0(}J74BPg(_Z^8ez{d{8Zh+FxAH{~1Ix~+9vg|^My%5`HeUfsSl zv(0nV;;}}{CY8;5Jn1{Hu3g)!-@VrgFf{A!*+I-g4YSc%;p1{hDh0JbaqLiU5LSP@ z%azZ6Jg0Qd@VGB8dGkIzQ=IcUEiDb7xdSu#h_f5dfa1Dq+=f@cKWTQWmqYTg+g{b1 zNr0Yp#na9>0I9pJ<880Cmj^tuH%*}d16Q)c=%#TPJ4JzI zFPqm~(=r^x-TTysKho`Rl-M~v7lRe21L&lXTl?3<+RArn@14L+a~n3&)+pbFyREe5 zB5RyCEy!POL9KU7`MjQO?S`WZ81&%=ZMx+{9cde{G%rxwdC%Kn)i|tT5Kcx;ZV*R&X}g!1{i3+|-$_P`%Uf$I3g%rW^3O+Y!@G;(j)~qU*lH>a6C4!gr(Q zIpN;&bFv-K1EdGvKOAq@(l-JTk@FlE#@~9YcI|0g&hL(C>LwHRJ98R$I6V@C0p0yo z4Lr4PU}rGc_Y;7524-^x&A1zV4vT-QspP!RJpcyK*V84?pq1`l*$??o)NctxKI(4> z6$&#ft!!nkL>V*1K|#}5pi-m&Vu`@I3f0N7qm_=;pC@uWdKk$%ie>p|v9&8c!h5(6 z2@B&t6iUB)+98*Zkcp;rtdZiWt*ND>S&U`#K@PG6$NTgAQ!<{tAoAlDJ&-oR!;TS? z46E~+uC@@-ku9fNvlQj5RPSr>fr$N{s&D6M#hU}O?{of=GeJiFQ!J z>5{ZiuEbn3OhplU+rUDD!9iwtD5c4sBbk-FTUfFCkkbF<1bWJ)QLFXdPUC^PlbLrqRr>5ml^l)Ag>9ES>!8+0q2FJlAY*rz*A&IxIxz{OKw+-HJ<{BwJIJ zIm2B!N%irR$tp7DcOfO%(To>^yCUXf*(r4DKa)LpTb9hWjKgIfkS6*6{Idt$bYi6X zKf!CpUAic@Xzi%}YQzXP^L25lKayl3Q3@4S$cJc*S(QDP%UO0+)?usyHGZN_RcRAZ zVE9X4~Kg_l$j7b3sl+7Y<8eoUxk!z@@yJwVc4Rkpem|Bj?&HFn*JNSRn`6i zdy`Uj!Wo;nP;Aptktj@KSh*D%Deqt*;qIKRYEt20aSgjK$DaFd*#_$RFP@q3GU*D5 zLR3MAPQ+fLBPgr2)=dv|G24K=fSl zf|%_ro~Z)jiYNl>uW@?R;Idy5KSNN2U}GyyC3vK%zDgWJ#+;xb%@TOUd`&XxkgU~Q zX^_-8_$?~NOu3Im4KYz(qJ(;;j-#TFtNFsjT(qkQDLzG{I8TdR@g)LDQiOII-6Cyl zY20Abkf;HQ!elcQb-Uh};(i@UY#QcNsM|*NbzzFXMcZzU89QF4?F$KHf}v9rn134# zyt?PVTL#l!$fAT~aOLT7t_aOamC^_rAj+k#<84CrL!uTda8_fPlI?z1iVluxu~7`F z*r8_+XS+0`j?5tK@3TvEg|0f>)UaSx@ER33$~S28@1UMD9kTrUuW-LZ zmr_TP;QGY5OV+Rs6zthd0<(azt73O~@ac^hX<3QOAJ@9ZFeH;+9EG3^p9lo4Rp&{DOP* zO`U}a+Z-XSpyYFr51d8n?FTWQI#n?w#{$^)|D6Q?9#Fjfj{^JIvPOKitl1u8N?8E# zJ4_&Iwn%AZz`GYn_|xM|)C&MX6#R^oO=FYt;{~tTSL$wS9`0?h-#qDDV?Di(clqS- zZ;k0UD?3L}>pj@>07!GMS2PLv{8n{1` z%b6;`_91Sr_iAJ%*yNef7woZwucmb<@m5Toh|85n(|j&{;Tyv|!?zneornuIoL1uZ 
zJ^z=6ltbuoM89IXr=6OCtTEgDZ<9ja1qo&JK}fhXLRNMk@}Vgwswe;CTxFwI+aD5;BC5;j-bu`*d2C0-u$ccbY`jz zwNiVO_a^YrP@Vg^w&42S)z5WRZziwpOnk0N--cvL>tBkyJ`YeHV1~unmKyq~YqBxD zCQk>>O6wbN%K=Z0Z2KMR@9`hg@b0|p4*{&?X&%yID9qs}^l@hZdrsP$55Zrs|M<#l z{F|ng1MQyZ>o+fscawaP=>){J-sj};?UhalU8U`X>^NSoaS+MqsEH?S z&lS2MK>UBCYQo7-^Z0BEm(jSS0ZPSJL%Fbo0&y~oN-R?4ed_xcOq?NoS85ly-(}7c> zoDxWq;nFNzRH~kF&dg@89`hSy3{fdv0g5PM5nm5e{%kzd`2jr+F;31}P*ZUzX82Rk z*7kzIv%NoxCpKIo`NsndlRqrQmYn&ow8m;;Y)oRT0Yzt69NjNqw^u?`O4x+SRpFj^ zCg^DW$`B&uG?_oY4lRAH#x$-P`D|n(wJJ&mejHHG<}a6X8}s!&kF9>mgtAwn?dMTE z4wF%y2u`3l_)yW!pFfm}bm1UJddWp0PYT8tbwde8uOVgCGn=<+`RV#4cT9yf@7ob4jX6+;aF zG$_4;G%Trr-@e6Imcw%Q|5_@PRwzW%PAW;CShJn4 zhD&gT>JJX-cg$vCg}igUPQbAq@XML2nN^tnbsj*A`~B~2o+tc&L|GfX%?kn1s8Ee; z^iUdvI@r_3auBRFvU2ona}3pvM7oV@Rq}ZfpQ-e7o2L1ijptr@wW9lK`O3mn;qhvO z*|>$L*>U{K55f>2tlU7V$o1TO$8YhS}}gOl|f)8Yr_y1YMi!ad3?q_N%PJD z&Q}ulL*n>+WlbG2bSb7=l@j7KgYQxndwswn+nx#XKit#-^IEtxY3EU zHHVL0Qqo^=hANcK%(Nlg7i%PI)CSPy2RB~x#nNmyGViluI@0I`Se5?r#Gm{KL8-h= zEq6T#LzDe0g<}dwb!L}qb4<fHXCsQnSnpV%sn%w8c?wZxp z8hRG!T0GWwC}3o&i2hv-7rXVZHB%@{q8GDjOe;qecQs=Y8^<6iR`#{)Q2X)t)1BN& z;I5k?Ay-B?PNP4+KHdt)R_l1!Uk(juHO~aG;Z*7MS4tSq$o-js)`3wkwH{{;h1_O{ zNm^b z#KW(!S?N>dnDj-8BXo?2J*yc0cKMa8-8#6Y$pHyu(BT5VrYW}!e|jep|7L=jzzK5U z^(!H1`^xWjHOl%S6 zAPX~;DTKm|dO*^@RWJwWMGF*UyvqLx(#V|y`%pk%_Vj7)UN$0u=s}JDrq8b=d?LVj zPg~#6(TU-bMHqe(&Bo+6_pyS4z*V0cQDNS=-ywX#w|S?fd44|GA_fPzyLrMpKF=l8 zExLv&;x$^&U9@(*g`J((({3AJ8%=4yJBgcc{_qJN-zON8f45|{U2g3I`n^6$rS4j= zTj!Y$z&w1nLcirmJw_e71^vsm$DQrqGUl|kj{&rqE}u8tZHE9547+XD_~QuSJc$_yr$tY5Z--7@6L>N)36&+tqZ)_EU$0esFkd76nIi@-ty|w zyf#z6=eL46E03I%ejo}%;b%|lwm8Axez}x))iU{TT>EQBvik>5oBWiVT@zJC7P$Ke zrjelSY6(jo9l661Yi-LL^pr-!l*SpRgQrXN;lv(=N6%ISKwu8-3w0wOkex9wUu8MY0}si-{gn(;aKkrx2&UeR{m z|EpbokIfDAWNec-J#b#-q;TBe?ffT;>(g{@>5f;w5!Lu~=-zRcZ|-c)_Z}PharzTH z{)WWiJ=Dpsv!nG9`7%_g*ZsDycUtT^&3#~TW5fbUBms}UoHO?>1jJZwVu2C<4ewt)9zcB{TTcZ<&`dD@O^c1PA|CU ztwx9awxv5u|3UNtU;v(Z0D}jfkIx_Y%K;Z)wvRMy&|S{z%5B~ZeDWq>Ci^W$ZEO)N 
zd2|6{U^dS%WAG%N;)Q@o&PHOI!n9WEcoA*Uc(wv5BLvW!kAvUgPrJdxJv~3Uu4`jI zq6#3uXREzGxft9pzE>N~7jdv#Lzf!27PCALtxl}7FxIFw_%-WXmtZ+TiRJdVyXx30 z*YV`|`OgQ>IM;$xy^6ui597+t)YMk|cb+)pCzi{Cs5Aj8sFZb{GYq>T-Cson9iu(V zWr%HBes1;)Gf`v}aodEfX)TG2S$!@SI_MviaT_imD~55*zU?8O?!GD&Dbred3q!FBLCZ zYpxZ=^rF@11NplefttVs-7#l3cpQdq6I!b*2tjE#CBasC!F*jh_reG^T~q~LyhM^?!eU8aBg*YI;0GO)!Yfo-;6-Cv zqd=|YNA&UiIgL>X9x=)^{Q@Whq3tv(rHiK@+Ot5;_WIG%>gO20?g9-=bfskfbk7$+5OU*bB7Vw?jV8 z6JYhwch^@!#~SaL@z2{q>C+EqvwMF1bGt1|Es+W=w38|@*;FxF=Tz79B zN(d>)289uSnb?`k81xWCF&r(!Ll!Md9MO671-}YyMy?;UORIw1L&)P4b{N|(fOo*Bh$yQ{kU^k#N8~AS0x5w7}yKb{hSkPg14MV`hT=P z4t{|~;z;E&?%-|2AmNok&Tk=!nJCd<;z|ito+hpQ{Pn{)$U40OC5>MvH|!9T9-R1) zy;2Xq4)iUIOR&5bqG*;b{N<+>Nd*slXj!TuMnRn2wb=FXpPxUv+HSqByR7{Yf?znd zOKjj_^JdbxYRFxqmKn5Lw!MaG-KLH%>E-GE`5ag9+*^_VW#|`6KN4jViGnWCQc@$isAp0@X9qAd27pIp=QEble>y@oeeH~>~zBzrd^jAq_CRp`fH?1MNWn5EH z2pc1jK9Q=xxQ*F?wvbv|7 z_TeeMeAFq4;ylK3*QSZ+wb)6T!XP`=_N%eyr$3-_Yro5fcSYqi% z%Ib|heO?2wt5Hw%7ayY*Or*l`G zGJR$5DAP4~n{$?^-P1YD4B)Z&bNCOkby<~P`=Gq5d5?QT?*;PZc0fE2%|2h(>#XAK ziuJ8RzlQ5#OPDbWr2W8O9X9Q;A5E?1Yx=bG=zTx8l4*Y-nWE2mvfs<&wm8mC(>}*` z#bIviE^50W;~Zi>S{%X8`*cJ{{eBeT`~151M*A>Naz+01HV_jwGnNg8ejQC5gj!S+ zl+bZ{=piPEIyjJWrlK6037s zy&dqK-{S1vUrx0z_NVwH(w%|(+ImuipiBLy&J!o|kC|94)2j)!j<>cSbqU?i0a5xr zcUQ67cJ-Uh$nuw32a7PGsGS}o?yoDk4{vi-JF9&Z=PAe9sn51Aahsk1D>J~G*7XX| zezWKl-+3r=q|58R_OX)ZdJLLA*XaX3thRy%zNY(vZDy3=2;)PZ#ma4yFbDLRl+4j6iOR3S{l~rlMjxo11-l5Him!sF42dI3 zb}iRq#_txvwwJu=Ve}=)?Tp)%<+_S{!xGYT`yh@l->8fdl1tl)cDalqSA4&U5BjCE zH0nr2!~aa3;BpliI}DrZ4<-*S;B5G-h|*N8HfuZPZ;e&lV=;(b8QVPW5+6*%KZNSj zvJvb{6)B;6l~t@$JH)2KFO_9vat~1hJd8B^Yt?G`g&N`7uY?nhE5jtjhJ`$M*T|tW z7;CsNSAOwr$`8vBPNrt11FjXxxlro{O^Ge#48Kwp&r69bk z{HXPsNuhC?f+k)f)J)~s2c)?q>PnqtSv-npYdJa`)mMQWMWQ(yBi4HRLt@!@gMy&^ z?NQ2~(JZJc#PZAQP-Mu(%$t{7B&lwMez_Mwr}@BG?>n>F^cX+_QTpiG#N4V13JxYtL2yQAS(NV$G%b zQsvVtv}M4bR=>5{FjbLcj_pM<%-TqSxZDhXOiFb$Kmv;^df6Hg7cs;wfate`S+r-% z@L@!@VG8wJ>nVP6_PHL!`PJrm_yu+kpEAz7{0H*m{sMSXx$K1=#7uA30<8Nx%i`_9 
zjQxe?Z)IRm@%b5Kb@MITDXvb>h48)ur_X30#HhQCyBAWgb8U=EWxQm+GbD zm2_8pYswna7;3bAg=gp1jd>a4cWlhKjsn@&Br9qK%B=}BLP3dPJ0YecoJkO|jW5)3 zrQOJ2Eo@$|?-oX^ri>h^+X7F~A)JqwR1<+-g%>}!zt|#k$pr$F|EW-A%tTk=ZLrM0 z(EVg1u4nsgN*PIhivAO86g4hN=?5i@!9bRTL<`SZfoeum!!yg}GPI5QZkviE`+_a4 z#gq8{WPX2!uf@+H8bgZtATj?#vg9unc4BS{^0WzJh0>qi+w5o$2rKQvgovarE<7X+ z3Z>+K@u4`7s!c?Kwz9!=!ldnLtTA6Ca*Qwd#LOXTB|MzCHPOlf^cuztSp~%lRxmb< zX*63Q8TD0VSwkDKi?VODm*(R$RxROSySMvp*Bq++jkzEMJ(a~{XbPf--71V6RHVu^ zG{Q{VRM;FCs#F}9+fUI1i3XGx%4|x%ntwrJaxEozGJz0!H>;&8X)Lrd>9-#^HAk67 z=+6-3V1_k^{x|t68>|~@Jd2zJ&S!q;z3T571eno3dTfEdUK4(!P^1a@^}KRNctZG$ zeE)Gr2r0&ZF8&J^$jy@ z`4nG2|E-qTTpdfIM9=eenwPJ`{RS$IDJ)L!`50Kk{jj7wlEt471_r|W_h-P^T3xlN z@V#VNr+#bccpcEJCGdQ*Z`Ha_PeQ}8bD3~`y81YQn`(vh`vr7gHWYuMMwILHOgUH& zi$8#w(RI>vxu-g|xjSa|d)hE{Yd76EHnTm>PSSO;HgvhaigDgJieU$~p3?Qz9cX>R9@@w8?4qZM=XoE=%9*hZ9)obo^7jma+UGLUvbDc&H<$M*jyJ1MYX94P|oF$q3XXF21M&3`Ev>Jgipz3$? zf3(X*L!zy_EZZo5-wt|{$DUWZy|OotV(lk4Y1+~b|b_LYaZl>7NCTUP6d z^HlvM{tu?>Qe3;q8lR0Q_-W1C*C;~2ie z?>Mda`W|oqB6Jf_|cr+`8{x>{J!vP zYinx9mfm+)_>H#Z1?{-TAeHEZoXWY&CS2d_hJ*;=N{@!hs3&5hT~t4}899w{ILV z%Tb<^8Ar5;m|qj^LXo{YwoHn(3Un&!-RO@|qYa=Ty03^;B;~J3m1ihMDipA#d~K?l zxO2Ex@W0ow)R=t@hGI>lSA-~CDJvvnw1$?#m^3#277-#-wqV=C@8VQ&t}2@|{_NX< zODw_7Pn2n5ANcx3{>({gNMz^9Dj6z4gS*oIkbyKKRtuPRV+Q9M<5z!1cAjDLZ9k-k zSqx$D`qmjk{SZeX1Cq{k?odJ$%kRwoS~EYc23~;5)RE)m`c}Po9epE6maq& zKo9HO(IiK-#Gdz(@slg=`K!33Lzr?6Yf>;1=FX;ehvYO>H#Q5RG-F21L6r1W4Z^wd zr7H78Af+IPkqj~nPBimC2jxqSp{ztOl5%O{2j6@(xwvrF_^xV>aZ#pdNkoGR0eV|L zkL4=fx*@Jn)RimV;6;`#iq)5oZ;R7SA`~*}xWx=79VCeK(Mv?SuFTonxCbTY)nur` z4eIP;lH<&zD;J(kHH*Jj<+331|hW`)OxB839Sdaoy>+;?UQH`HQMsnJ5CnQ9^=K-WNnrP&f`3fmn* z(=B{LgQ5jXcHa<;g9(c-1pgV)hW&cWd*J;tLmJO+W1x}##L3+G`EWn3b{z8@gC29U zaOaw^VF&DXt(401q|w{#l9=V&R`5b%oaExe`ur^`ha?3NbqZIT5XbUdppeuI!sZjK zY6DuQ5)qGov~Eis3&{sS$D<1El^K;Ahu2eZ_E9Zq+XXpNR`2|jJSsE55vCq>%`D?X zNQj(~zg7%uDrFRDA}LCR^FqYV#IcNEg_0n{^=AzCA{X^KE45@RFe3;CB$+X9mx7cN zm^{NWG^_i}FW+8xaGvw-(o=2L9TTk+IjO8Xaw5lMVZNAFKcpIrV(U`AbuQuEx 
zlorWGHgfpuEDfi6^49{E4=L?;RKneAy}7bS<(R^F1w0gQ1dG5BDNY)3IoV+I@9iv; z?&rb4jadG8qHZOrm;{+t?q$YKro+8tEbDs~N?{PnqGY}r<~(%P7)9`Kg=FT9EE4jm zo7~qZ8TmUAl7Tn}lOKyCQ+5j_)?~Fsqh$1`30|#5LpZx7<~ioeo@W2|*yo1|AlZ=t z|22OC_ryL|fs1zZi2!HwWw;647)!Y4uma=7pPD0}b-{#owpF!XvJ zz*lb9R{v?wyMm{@bigvFyN>H{HUvA*&yCY%XOPF!$FSfv+4xi1j#U*260MNUvF=I;qp+u@BA@$#dZMzTy^#9%ka)_UET|+B(NcT zxJ^icclUFB!eT$?YaUcv&pPoN+35ruQfyBpAA?0P^1R-nX)j?P=Fiv3%FVa4(m^4W zSAYjw?j(0J|DmUCYgQTlyN|5*JQ^rY>Ob>zcZ3ElKhkIjA5Tbn3EqJ*u6cTU$5(LP z+b%~sCml)P+rNSH0~Rhdy%V7@UG?Xi>)Tna>g~_{7%d!Ux7&Y?Yua}+5ua>$T?vf0 z{T8}Qi*j{uib_{x^7MKQZ;$rR0mUHaaXJ1j;KhU2vLZ4)Z=8?s8+ERY?)~59nAbey zt5@7w-}h+cv|vsOh} z-S2&3<4rw}SIf8ESe@@YR=WH~cU=x9ulcyXvdZyi{W7het313{efwCO^Gvoo0bx~C zmGf2QMysG|_w)Lj0HfUm9T>F!QbZ`Ja({&dZ!GvfZQBdH(Ru`msgQ zi*yn)RByY9uz~(@>?(L8N*$Sg^XjWt1g_nxpr6SW)Q4#<)!B?K@apz#ih4+XggcsG zc>DSJkM5(m5`7ob=Hb$K7~$4iBjI%CS)esiC&uPMv}+-I3!l~VjS+RW>p;0Y(FRX_ z-8q=>1(5KD{Eqz@PPhZF`~Zi5(MhSkCjb^u0L~xgTG_V|2Mwb#GnqbuU`f6mKu^dM zSf+D9$@HjNjy;R)<>i%l~)eDF&Yn^Wp1T>h%1YK|CErTJISa5zumd=>7QIOC#q z8&%zCj6oqygan*8S>N&_+1qlrxl(fM8j^$hSXEmh<trRN z%zlO1e7zitv574U2#psc-Fl3WYlmN&=s`-o<6&dKwHz!wv4~d*$bi8XI}genk%mqn z@??qg&~+qU4Oo-mc1>WkS}2frn|~mm#C%B%AMBRm4Ov`hme(4BEjy!8sZ47onkX0i zjG>0Ob@Khx(oz3zN@%3=XJn~qRRD28q{M3r(@?)6(X>bM5o503|01muT#78Abh2dB zqDa}CZAQC?UAwtN5uZ07!>8&-)}9i%VC-kGV3GtS7#1FliiP-H$#0P$b-~mipGg-x z>jbfV2O-(*H)*n7D_YE~)vRNq3OTFn@40l!m!jFIbx!S5Z()Le_qiKn>m~mnG8Eg_ zCZT1yz8IH%!^U4%y2JUGwj0P^;od|fG}o3-@)g(RyRH`gl2oKkdQfmVWA*9aSAnsr zrn?4?45q4aw4=e9LYIORS&wasNfr4a@*K6O-2^WPf_7Dt;h{C~wQHAeGI>-61B2md;6{Tf#7{gfW~8A$RE zF$|-MiA|*b6&WLFNpyh79&zEG(7>qR-`&$Js}PQl?=z(!=9kBp8KIO+`40-sbQW9> z44vGLplrLp0&9O30{7u$I}>waJ%&$E)Vfg>RFWC99ORN9aY+YNMl1(!Wu}K13d5d5 ze55Li_w%&g@mxtZ3$!_&75L8fz3>Xdn zMJO#ZaLGyI2&6s?x@B0#%NJ)3khVAwuuL(aFq=%Bi7U$p*i>M$J3pgf6?LRdJE_7q zluIUK!#S)%mw{05+C|8WQ^~!-}WOGZ;n{XrGpxAH@rOD~^o*j-*o5 zTrzpbwOoiQ?HCcriH%w~FAO2@v(B<2r^%^A>1-jNveT5j9IsRNghp=QtMl-g*BL?Yzd+F| z{$~ngL`dUNEDmrGC<>e(wGD7c78}b5`xyXg1iu^RG(w95okz9e2tkvm++dSahd;d+ 
z&q-Hlgr4_P^SUEI&PjZq1NWoqg50{j7w*96IDpsnjN9wOrt%76u6!kZ&*LC+O`Fdf zB4CT>;5Le_J>Q~O_jNNSHQU(-%#OT$cF`s5+B-s!bN9Vd**#5n{HyESPU`A;m$CaZ zS*Tw9(|G0d*tBjGH%8Cl{ZmUXcx8q=>Z(ERU#_j5*X~~(tKxCXjSGjHuj;<l~26W z3A}kSGUv@cZtJ4@hFP_2<;FBPfOq{i(c3*ijXe%{{Tc6$$7z^8@V(VJb+XE_&&YnudCma%QVR}Dao0J&T6!+JY&Tb3fu+j?0iQeB zxz9pP+1ied4)!=J-w$k@solK@jepF%TfFJY0iFuA-sVQw)*h;`^g-tzaXIbuZcR=; z?`iKPR|Fpip72LoO4L5b!{WSN>`y>iHZNcVq3`pq>C@Kj_4avY?eCm4FbdcJ*jS@| z-C8`!{lxK7kc5Tz2^B7vw$AZ9!3p`hT$|&O4H}i#H{2FiK+m;|nu3^yY@;_5mgV(;I;W zch~Otqo_c*U`rVfr(1ivvge~$WEB_LDh^u#(a@3Je6S4v4q(?l2aHaAs$n$wX>&{r z;Q=%2w%zd;N+TK7)&z~E6OyP-3Vh4=e|4ljTRIc&&XbIoDpZ-V#%@&2U2Q&1E)HWw zIXVyvGeNCLAVlxCbWabq6}xmRiKagAkDmDzs|GClt)3^>o@l+NxK}_cuMBjev%ggk zC()p!U`d%p5komZ&ZzswMYA;Uv6&8`!AcWXMfCfh2ghOr(bD*>p;F9PuC)xsn%r9w z_-Y$=PIA>Ap{y&zurih11ZGODJ&AFF%s=klkBYXmGCGg!uVJ%_<*vurS%GiiuEO*e zw|E`hr*a(I&O|zKO}j`}Ya6n(ei1ArCILq6ABR5ZO~L~~2&w3hTw#r;c*LyKO`>JK zH3{=hlqME3TxP{V778Kjk`4Fn3xAhQ zD|N!YAQz$GAUTB_ACt^lZ#5-4M9oBb5fPRjffFvo`A|ke>xwcEu@z2}D7wb8mCr?d zm)BxEYytt~wp7Xq&@lz{4tn&0`H}Mi(A|D~r1i1zDu)&5!n}*5(0`peXne_AKiW4 zA#@?OHmp3_QZgk$jd_0&ow`+`4KmP@9zVi}PTNYxT#wyKMKHBe2@P7nmxPc@F)yhZ zRpJ3BiM)6@;;&395WO*ki04}=tK}Cf$?p+XH4~xVStWlk#YdT8S{@4Zp@(o zZk8o@xGsK$c~CTZu&tam6SXkAiR}#M6)Cll3{S2jdkI)0Df*h#EK-yO#bqNLt5p1T zft_PEcGG*(>tGG86mQM$ih zKJq;f!bUCu*ugQDfHQuy-|$?_Gb85jBYLZz4t>Xl34Q5I{Wn%=>L*mp1PsZGb4opy zYFkq5d8Cd~uF%O6$uAsG7D8B;R4nt~lO0C}k4{Jb5h zFz5=VhdWA`+%>ykplZXC!S<Q?{8j znxny-`rqS&5b4`UPXpl4h>$AWkgH3<^1`7I!0vmjmU09qD z%I{(l7yNHCrqZQ$8_XV0gXhy)dnt|TJI~1c+P;5%-izK^HVvjZ-H+_}TtH~*JWB+d zt^-}V2h^9ZhWj&;4u6`a|9La@{nhrlo~0(tX@0C&UhBU-*IDCxA24!W71{dC z(k2)LTOoB1*RHTg70+GqaR5KMQ@JjlVJ%W-ZX&|Fy4HjBNt_aW95wRE3rX|o}145eqbbDo5!h-@l;!mClZkVIyrSc9(ZFL&x^{Mx*LC+4-uml2JP z%l>w2(CH%Qi*_ne#yRemdLFmipYGaMx+U$sAXYzNb_ul}3h!xcalF_IpFt-WTIZD< zcmgj{?x&8ZqJJdD)AnVt7+@GzbBty zY#q9?Z@it4!(YkcOV90k>ozzJ_PK1>2&35I+rEkwCe*Hb7nk|ygAaz;Uh{r%9y#7@ z5(9=#EoVQKPSANg4UZg(`D5tI{hohA9+-(b&bwcf#A_IcN-L@DQ378VH}52~?;LGI 
zSkHuTclB;@dzX9DxaW~od57OjZ_mSN-t-I=GDDro@A66$Hl1Ubdn~{#gRc4RLf0{7 zbOD)5GEDtkGiBtV`Awk z0}JGx^AFkYytfu=4@Y6Z{qCS?i3dT@CWC(&aOG5}VpHWwLT_0umNcWIxZ)?KtqHaZ zk3&q$Kj@GK!60cNu{cFi8a8LUiwFwB>weEPXwis}Y@YdU8GAw@p(PL?hINbsB(H8s zrh_@A8EMXx^DRoQQZrV7FA|A0%bfY~H#*+OQ%U^qdsE)nBIU9hb`AIMZx*<;$?!Jc z)J0`mNElb{byKhoG1sgS?t+Nu7V{y^KC(Z9CELYRS{nHK?O$^$5WEZ{VB&T5n$YVK zCk$)&PMURw)tOmUzu3kTOu5v^HJVbDY+igCaS9B5<_-_}_RhL6-QO=*AS`TjhX;Sy z^+VAllJOQdMJaq=lqt$#mJ*S+o${eC2tLJGm0Kjod~4#YFE9(OPzkD0hd4W=cLh;E zpcm*VM+UQ~g)nom3QXjn7J5k0@iu^rQmLzDmYQlE5k<3-BZ~d~ zE#coSgf^|`LDMms=6I9Jlk^2iVBRDE{tle1H*$z)Ih6~3Sp?+U=YeTd%K!5gBH3t1 z@K4r)v8BRPCr~!1$eJAw&nW4Lm?~ z*{Ig8e7A+j*P+F-vzI^>rg=4J3^Tn(_OhFBeMj#HC$%}jq@VKtih=?x3o4Q{WziJZ z=~`*j-E^6XzIGDV0h593H>6la3I)108pTXM?}mOBXHS>K!eVDpp&Mq1MJ9)@q1&i% zmuJrgE17ZOL2z1Fu%zRqpKJJ7rspIFld_2`!2qM*ooJCF-Dp$7l-eEj>4^Mdpzp53 zTdi0nCF1_oAwm>bJW8W=(E5#EEZlq+sH;mbBmV=T_V_P3zgNy<0Hzs%PPH2Lm$|k- zWG0mGC|sCU9Y01qVXoHK#$l~opqa_UE^qh0<41@!^10rj^IsfDCw)(cqe5V%67knF z!{#)=ub+k=pEV?@kTOb;^-kX2jTRc2o=@NWZe3tzerCXb)%1ItdLgJxiX|#o`kURP z>G?OF=K9~ps^Y1~I$;F<#E0@d6V`Cg+Y52z`LKdRsv@LHCur4`LouJyv^u;q^Wyt9K>#${66go0(8hEN`o!(#8cwFef?Y# zyBdf{L0AK{ty@+_yV&1m)I1Np%F%ywINX?7_wIem<-VPtI3#Jot$i9NZ1KG)tt5DT zj)W(8--?yL^nG9}#RDyx%3sy@M>vB8^yFbTblyjb)!SaUuX@|=3brFV{lHhodslCG zbwde>&g+eDJ#cPz2XY^v3hDRTqmR@re14-5eLaS&%?Z6tc0Zt5DL6W8bC%)K=U&q# zY~FZ3YekwR0f{hSHRe*Z>P64cJ=io) zk`Mxn`YGNXuX=aI0b9~ExsD_oK93dm&;IJGSZv!*X`T4KGvYHJH$A6B-aX*afl8lZ zkTO^E0ASV&0`w*jZ05AI~*<`lu%N{-1}S#h^@ZwtO@{LR~g2nKIF+_y_j2H<*^ zGm2TE_U-XigI_gm6;^(3!wqHj^{4V}{GK12+y6?_6uGZwPp7v_n=gBH-c~OI{$;Oh zpS2bVRy(@xvOkUei=a4s-sd7}Je5cTT9v&MW#P9Zd3f0_Q#k5e7ZNJ^KWy6$axr!s zm6+#sdM|FK8kW31K1u!in@8jTzVE1V5V(IYi39CKP1dzdxoFyV8Q--1mHF4eMBM7g z>wiH}$Zd)xWnK(jJn_H-&R z*z$jX=ARuiu#>`UH%_1*)wQdK9*ole~mne~v* z;L(DQGNh=BaspdeLGrBW1p5de`y3-hsL*ebAT=2)vBZ$p<#U|pv1HLS5AFDsyYx_D zmPCrgDK;E=`LN0~LMScTq^$24{f8cKSqbB`n1P?eN02FS=P z=Nd6vw>Irk7y;g}CDfTkYO|#p$Q0fm#?G?!A3MDW2_BOQ8P!lcjhI%AG&c)agG)WdzMBbi>NsqbzrbezNLqF 
zbDz3c2xMEYu}(+pPsqksmYFrI&wS0*|1m;P*enoho#<1luDmR5)t*wYN|Xq%7a?Uw zv-)?dlEEpr+(jv3m{vq)7Ad4LW#&r=)3J~?6l_v^rEPJZqhfu;5DapG(^IU)Q6Y1s zuWH%f)D#kARio7N&dPF2(=15bR*hR&xzf2m5bg1Q(IgUzUCb)uv)GFpL+}OzNLZ8{ z2!0yKlQ`V!(x4SN1^QszPI#<5vqnL03-5YA;Gp>Jb&%Vm7J_+SlAto6LN7 zwl0oM|9S{tJb$cAs0g=LucFRPaJwACXyc0BFM~*59L%2Wz)mh0W*Z?8qq~TO-o{5* za8n>kn?j8F8cV1_fr%s|)1WE6$6aF~>#iRBMUTZv&WfW(dRs{fBZBVG0$1ZZVhw(V zpKW$)*SSjFT8wLZJVJVJ{BN->oax6Yd%kTA`~JjH4kTLi?aX0>91_(bzBx@ku)GWk zJn+4b$KWl{KCnSedT>_|tX;11Pyy~oNV334EDWi~YwpU27(&d!7a>@$3eCTzlkB7~11@94DQrRlC7BHV zg>hHvw?dk>a+3@g%uzHRDmpfK@>`wy?b}km=PzYc6n&RzEW$JrQ))2QoSLwst((JQ z3ak>!@Q8{@={_tuEcu_?r=C%HdRpRu04xZM$j3h}9O~lE$Ya*kK`s(hMA(bcRrt{i zK3nBokR6x5qcv$CcqFpEcV1CfnMf+$rV;E|;0JL&`O2;5EPUZmHBOiAnE|~#>~1xK zBf!PwV0V!2-;94ahWm>hE?7~fg~=5vat`0W#*|)YWZ)SzAhjTB08C@i8V1TqRymdm zOOL3j29YqQOG$d`+T`n26DN6c6*lUzy;(&e7KP(to{hLa<#`5KSgJOL_f;W!wsIl) zI*#o3xvPiW=^E{l@qtax-$k4=qEM zKufQiqFV+ZZ~<&~u@hp@JorjzsP7e}<8#oJbRrP3#(Det0wy3zWBfGADtb%d^7aJv zGU2_@yVLi*`}FZ-i3$n&g6zu%>$+}AR`nZ60Fk{UlQ$ol<&FEpbUQ10Sjnr=ob=Uw zLwB_wzdR2FEd>CB`<)?8j@l>3UC56gnhjYFgnE!{Jy5GXZ14M{mj1*Oj`foo4}IX5 z-R<^6R$#}vYTfReV;!KX2YmPDXyA5QaA1ofREqM#cic*R)i@IMc)Y7?KDs<}mHqZO z6Zo<2SwF40W4s;wtbGh`-xPJr@0{g1M64v_cfWNyyXCdWXXxiJsNdw9^N==ZxMhub zdDeEnQn%XiSY}z>(CZ4!I$X}>|0v8+uyXW!mO-dZB;K%mm^AR+Tk_qtF%$j%N22(?0}*b4lRUxRnlg0HoSR0YF7Ls^vzRY)ZE1Z?t6m|79~K$vr%!>u z>i+Fl;D2p#Dj`#jUYtb%(H8#Y_^6uBG@_z2z_ zo3>;-I<}fLNTz)6BRL#|+`V7o0?!+z)TywQV<`GYqpm`i?b`tXedolEV8)J-{Wyoa zkHf#i)C6vUv?yT{M~~{cl`Vohk%oXhjFYWmy^krH>!gz4I1MI0$NwH`xtu}xoLS($ z*jLAoG8JgHmQSE~%Iy~=WrrQTe9J4sJIehVXc4gTrWnDpf6$DCo$)9xgEbKtAM#02 zCQvnL%@J`b5k8%f#>R7yjE$)UH~F=ys?!-!rL~;ZV*|eH%V>qJrB#%|56ytlQ+;sAyBZ+5jiATKR(n-`R zG9y3ADH)otBY?b$Bt6s_IK%PfX3W2$sf*=a&&V$no(iRr@V#o!DXblIjA+@Uf21ks zd`)PLSCIZ^D^oxmYiUrUjUTk_)3QnZ1%5lrBtoUx7>hH}I<2IslNiCgtRR|-mH+zA zn#1gG(2Sc`^P&hfUCu8IpP=vCiOJ>W`RJSz;W*ZMF`NhzV|SAF*iZBg+jDLM_LfI7d|6s=`jm*{_l_J|p^&NL^W?$hd$V@ktADtbo>Zh3Jh98sBi$rrCR0`t} 
z7)q=#*DwB5lKt3_fUH4KMuMNd3=OV~{whvW!l0zzs@~Z7w|);Z$9N_G59#N36oh)> zgIKje(}DOK3&VCh0xk@$#D&e!`Cu-0`U{e`mV5D7Fco37jog}w8RngGZ_Qs7rJA+- zFV!t3T_*KL;Vm-1X%&!S?PmN0W8nTSC*jT6qCEYQhw13$sb+8H4>LBM8m4MikvE4c zGYqe&Sai+!s>29%Olo|&$X)r3R1PjWeg+AGZ*m#6ZSiWjr#vwsES5S_C%OKkSt51R zrJpJ@(<-1r<-mn|V(73yn1+*2#cNfbhY`_<7b6*Ff=caicP0=(1%9(R>Eloh;5DO4 znJ6b2f<0W);;?&XgCe|IGKvChfUPXZF zM(te86s{)}cn;U7`YYQ^sF1kdEXh`CPSFxNPya=`Pv^R=)UN!@fp-ylI+1q3USzHq zOXvVfLd0A7r%#VsAqhEMg_ir8yd8_C_4$@?P?)f%98dUkK_!zFMoup0WP}`Q=sFR5 zNPvL-WiV$-EJ*`yXOfO05f?R+8$rsfjq*&H3hka~PsVbnj0Z=_We{{3=|HVZO2KaU zov|_}P_Jk;emyqbMlt_q>XI|nNyi#(2k+!zD#}xeMfP$y~2PEzQ9U5Nujsao9l+qnh0G~anFsa((tp~A*q8&~yq z;JNQ*7?WPZ6G3S(zwcjklpGJT-gWs^A)lvV&l~sgxcRua4AbpXD^#J`*S+6^;R3n5 z`Hj`hcX-MvV8a%UoP~f|h$yq+Wml4)u zhWFF?zO|yKF3YjUxM9n{U)g<^AHm>PUeIfZ;*9UXMevQehK-@q6KJ-2%g=gxG0gYVJ6S@QeW9XU!eK*F~0xo+tnxDF;B=3vv?T#tatRA=L zkzGSyuR&E!V$aXpWGz8M@Ti{dbJf{xeSa@93Tp}a@O9AL6x8IqIzn=kowJ;AsPk5J zNa8a17`znHQUuJ$c715k6ZuXoUZgzWDQYHbmM+F!W!j8)N9`bxp{7qZzSJ#|N*kZj80E*z6u4_p5)8BbthhP-lQ(F`T zuND@G{e9COux{<|4h;o;AN3JpwXOdH7C-Pj?8a+@!8!+hcX`eu4wilHFW^0jlO)*= z%S`@Ia3Lr-pcb6m>;AB76p=t#68R0Y>^P#?>0x&+&}1)wac<98fc^{(N5n59=VU$ux{X4OZ6di2NjbTJyxL|spvcfeGN~C! z*jOfGC4B<*=sbJV+_cORAu)$en2kX%jo21hJtEn-4kFlnqiz^imiUw}$3W?+1Af5` zA`#8?ggwTUWd|=3Pv_By^4QJCEW}n+3Gc9f1+_#zQTiL|1@3lz2o|I&flP>`5T+cy zu!8Yx;(5B-%FTm>tGN578BxUrGK%LGa%dc6WnBogq~Z|!cu=e0dC4~u=3_m@vML?? 
zpV_I&loQ2BDOxI{f-bKSx4N z{e!4ZJBcDJX3?m14d-~}@$e=eAgMfi*toEJp#o{bG;|TJD*YjrTogkzjCmW>0408# z91S5Fg+M6Zmo-#8JBl;1aD4>)_OnI{K~*LcH)=Dtp8ZnpoGYmC>ytA(ZT0?)yj@|s zIu95(4*8`CerB8D9BU53MFt@*8F^^s243pdr|*k0#{>a#ll+zi(%8?0YWM?WN!6NC z%QA+z#>w+E{UpLiVS~m~nkC#Egh%pH%>FYKo&)W&WpM2*2ME{SvLmfUOG`y5*fL86 zM%+>=R!4YsI(5HnXw+!JBt>hB!}OBOtF1@$ZM-?Ec+UNFZUThoy`#MUFENYK$!yIz z<=!Y(1FeBj@k7``_iXHba~RsuWw3T#W>J9EvMBk=S0yV{f(0kYI7BT=P(vYRNeA2W zE$BE>X(Wa|1!`^s=Q7T2Ay_YU54YhmQBFM5Via{czZ8aTxk#!7|CqmU^!w&2D=rT5 zI5o<7Ga-)`JWgfkd~rpx0C^#QnnW19D2L3t!+LW|HRQzl3OBg~OX#bGEQe7kwIncK zmFZ8UVc1+UGP7y=?dWo1atc9v*-JI8GC8Yx`DtZ!%@1)vMtoO0mSx;L0Zq zLqa!-l`-dQmOat$`>Tuc8BMb6f)lIyT;rKHRr8{07XpRA*LkyG`l*jLyRMzDUMlhhdK0dXeofZ}OL8d-oiYY? z#hb$(v{N{wm&J69zfWm@tcCnr=$GBfC>Ajy0g59P2P6Cb6^ zPIex7cedUQjR6HL+ScqTE$7T&EGrtjU@~{H#RF%XZ)5OdNY~sym-)(}4xixFjq&Wl zMz+c~ktU&P>_&qqH`*oSve2dv?dA60_~ zNLYQvs>e~vNTkm(DrN^Ox<_fLd1~E{6Zl57QRMZ=pl!5EGse9Vr;sQ`LxalK#YCEB z*e?11x8Uc&eJ%UsV1xgggT)2&cxeY~S*oc+74Y1(_0YdQAHB_8HLz%dTA7^*qyC06uj%rYH*dwP0%W;&;A3A9D8EMsz*% zoZleWI|$xewA1$JB=^ASJx`Rh_E=ss_bGcq0Y)fdw_V2vXM7(Ax|V8kTdD!weAs@s zA)8pA$;5P{UFw10Rk~VP>5oJy3SY*qL#aJ$s+fov8SGQA({1C-K5;!CBS)XtK~)Cd zV@(UjKnXqy_~ZiSat!j8fPz>fh|9|=YAHvm+kN7bfQ1ogg5k1^so9iuk=@=6^t$nv zP1xL0AZ*-i@I-wf$!Q@50TIf?Wouin1*;5Ib6jnnDz;Rrz(=vuFWL{)x}0ktxr-}( zw?!zLMEs94EVcyR;I2uuSv~N($1QQ&!7*P=E55hnbKCDp$PoRB_{V5}# z<;{Mr_pC*mgZGrOY|rCr*fwOXBl{Mepx%qdS+J1Oh;EkM3!P=jjH|BTVxH^h!f3!F zxzDsYzP&RG*SkB|F^fOYld%&8d_99d6X@&o?%t>K@k_sMhqU*JX_n!s$=USUHW2V2 z`{G5e7x(V!-yURroX72555bF5cOP#V7`9gYl5S^9*8?LHx4%d!eq+ZY~&@GX`oZ8BPf zp_ij;HFT{9?=s%iEVD^B%>uWUDo^TqV$+tzIyHqpSyvox9LgBK$!voi8#j`+1` z1Yrq5$w+CUQG&q-J^_S~Mj0KZd$h#AFtL_P3{!`rJ}oytOG9}f>qGB(2QbcAmQN-a z@-Iu)AvDKulD<$VB`K;I2FYSX6DK9rj=*yx#Prk}w#E2MpxXZ+sng%^)Xj_J10Xi*lpkW%|RF2fu^W zp{0G3YeRk&YK7{W0O9{~+1G!afBS;A>Ca%hKaH0cRKmZrO4pK0f!TEZo!=}cKxD2e zzCX3;n_eA+5fdM@E1E>12tIy`iU(f^rHXT+aPo@ygaN8KZ-sJd1nLCKBzlrPg-b?EeM9_rVQeM%9&662WEg&9nOrLihV+S%_~_3>4h zAv3U$)3IywzrXIJh0++#=SU{W(eSJjzin6UBwF@LLyo(V5~dxfi1Z(*5T8ym2aWBp 
z=hTs(l{43Dj8Hp@W4ftR1# zfHKpcPYiOIgah9NEyR>Qbz#EAWsu2O;%!$m-}bd`sJY5lmxC-qOdD`M&05YZm~*i= zR4NQ62W$xKVAmTm@!sbf|7qiw)Y57Mw_1T$2v;HRw+(os`H*ZDQyWRNPpWw`CrldVWd(?2e7&?H+GS8teXQDcZE(w&2r~bJQhPfvx`3 zzFP-SCrL){`>p{m!a{~Yuw8ZHSMlloC9cYgfslYXI?-;og_$p7xzOy~rn_(kQfg8C z`$v8ATmD8+*$`H(0-HRKnF}cmouIjgGY{_Yn~u?ONA>AExdM3xQQl>ni+3dB32N(F z=(#aE#9Oo(l;ke5v(}`X8X}eo63pY)2Qw-|OxCFg1V!5w_iD;%5=1512s3DJA#L(q-4>dZ_?bEn)lC9Ng5S;w@oWG=_+fF zrQbf&E)c))f0F5^S8Yr^&$Tbx>2i^_*w+`&9 zBNMz7I+lv%H~nnBL8{**Nnk}mpUoG%9%$tCc?4fTEr(A11od(18K$Q*SnGAjrQ6%F zl*;h$2H}jXd2sgK|D+WgzRU1M4LnZfp&tZ#J<{!e^SpiaDni?GGg#i>wpaO-HW|-Lw zZ@RB)TNHWi2ya$eJ#oSqxBEaFT_`@EZMJ_?Be!qTV^2Hn3Kouuzf}`dB&)1B$xCP0ws*Jc2)L%h z*7w~pcQvff?QVU380g07FbmP_QvqkVUj8c>HRwCo;(4gDto3Scf8)UJ>8cGBKe}>o zd`sKR6?*DO^3?nIVZqLSH@JV)vMZ=XPakkwW2xt|o-~=QIIH_!IH~b*Spa~>wr`U< zIov+jMpooB;v(uE4zO}`c^f`GJhJtbIS05%<#ybQ5F1oFyf17<33V)L)3CSA68V0n z9D7y01hC!)SX>Tp-WEFehM}Z;dV<%_PxT)L%ohw?)AVSx&an^MR%H_=aO(&XxNdV~ z8GUy>nY!flpU$*q44oHUus?_j4fI^4otdb20G?Dm6I+eXShxKCx1n?&2frpG04N)0 z>x;48727=rh41RO*RSw_Q*qCIk1v2e*SC+)ZQHuHiP@^8hn@Fv6QND3h^9KE(?5=g z|06rTcyr`_*9K?wfKP2BzypDi!`6x(eeR&7smH4Fqkwx$I8e~%)tC#GD|Xy}Bi0;@ zbihr}6Qp6>`rz{0Kj}-zS0vU)Cq4uuLKlG zxXcc@4q0wXI!U5giTPDJV2(z(_;B^uxheRhNud;q{YrUrauxdh=Q2so*D$tYy<(Nl zY#Y)yGir5jE?9}J>-N@+v@)BB;c~TJ8~A7P@ZUOe zqLOfM(XN6Y2hGrE1}ohWWAfG3={r`tAl30W<9^uyBFSffwsi29a~7LeDZcG-t(S8b z^PxYqi_RuQ)$}Z5!Zppy5Ikg)9B?H(4Cr1|h#;XQz*%gVsNa(o+Jo&Hc*kgr z$B5mv0xY;R^1KW>av|=DFE|Rdz8t}qr_itDrP3xRhfZ^kLo;{bH(!cWxZw0OmLiM4 zz{eMGSUt#21s)1@fT^B8w|-oH$Ff_T_5tI-^>=NvfmoGGeiuToq9xii)mW^oW|-@& zzjO)c`e6^2+b@=gj*e;>j|lZ>M3ONallh!M@+QmkDpl2lpE5kxusyGz}_pJH>(LHEuAps$c5*~ z-+(X@3!z%8BtrimYW?OkD8b?oSf@xrnyWx^wQK z_OGXUz5WTO1WY6*B3I-T6jyZn7IO z_;?%)`D8WMck4`viH5gNEtGKu_>MRvP0RKNaMXm52GW9u(9=Su7Qh6U^eVHUR+>i5 zf2RWD6a<4QDi+g=B5LbsB9w5ycET_CX#PmD(5vEf!4Sw=G@YJFYe*HCSoDKAJ(KIX z ztm3J^8efPS#c{tjCdVLx1wcCwAVVkv?t@9M-P7I~*BRHGs?|k{tzAIJtzz%4F0Hkm z!sJ{8>URsxiMsd%RqT%M>z<;&%9{~a>$23!iHM$kiSqS=O9G1CA)kypgD84m=Q 
z2+pj@jH5{;GWX_U@%&rxn%rQF=2SAKoRlXfJ-r;Bn@E=*AR8+&tKgLxX})to0O_xv ztsrW3%QvJ4R2ukxOM3rsK#?I=qLE~YHf?D?68>XxFGnM-ol;S=L>XPYXst8=`qnoc?2i%fL*BCB zQXt3~Knx4mn(Uhv6o4axjW9v|xchLOcn)lz^*(HXdEpuEJs2tD>be>cAU5;_cI^uO z%f;7NQtZ6A8`dDq33#d+G5p*_D&_kOuH67QzJv*I@}BGa0cYx3I|3F5vPuD}`?Gw7 zVY#3s4*VQ&ivIR(-9MP_1?`Qs(ZGifE_+5 zLZ&vuPLG{ig*D|q-?FRO03mLvjVG8%y~d2bQ%+lgO}(pT*YoN4=o@cEv3jBk3?%~dcMb5o$r|z(t~%_#Ec`{`GJIy_^GOky z6%zLLVF8^8+{{97-F8i?j~=h~J{%;GbEIIP5qe2GZnP!#9XXUjY=mi9 z>1krx0)k&H1=~M_?qiA z>jxHB?fO=?8GywA2f%Yl7(v_0%gzRd0L7V})7#ta44J`td&Av5;2R9V1xFr#qV(Is z-KgE&j3V*+2cl72O0B{3ka=fW9cZ;^N6*E;_G2cBDFxKLW*BF~&$n)kc;x}`mTLxt za?uBZFlFVhw3{0YiE#K$97BiqyQH znc+WG%|#dyxwHDTNf!;c1L*?W!RZ)#!LFJ>veVj~z=pbzFyxP_(cXV^zXPAvu!(s8 zy_nweq*u2Ttgi-j*vgvqhm0DiTdFQ+D#O|=-y1y#>*Xd{-0DYN=;NjOWFQJxee7C_ zfz4TmK1R*T#hJ7&l|H6+sU%gT%FB&baAah{F&Ar-XcDlNphrlgh9z2OkSUco(Z6|} zv5PpZg>a8fo9kLpE#y!Z|1MFPk=oQycl_bCTp_oNe(-Ki2E%Ox$0%B|@x9KKGRJ9| zF;S9#ns%^qZF0D}=H5ob!$x!=I&z)!Sj?CpctF^#Ne@DmAzwa*)ihnghFP1=%imRW zEeH$g-y8aIr)*}){tcQ z=qb-fM)^|mIFE;>j9$$YS=`i%IE*rAWG^rNhO8fW7|+6qmBNXw8=(|0|8j|*bdR)h zC-M!JeP|5{O`sPkQs7URR3O5yz}s@OQ1naLBf1-sxeVoPh*rzf2-JbnXH zMC|{Xkc(Yn`25{^8XVgbxm3{Peq@~9+DNCx-t2(jVc|MAX(w3S_-YfKC`LUwX$ML;ao1mYqLq4 zI-vk~(j)Eqla>3KUwfb_lVYH9r6~!kq)anC0nhM5H47HElWNohqn#c!ZXb_@jss(Nlw%Nge?)4pj^31L@(9%ERe?nWqySTVD1j^5_;-0 zRp99R-V&kTw_ldW;%q06V;fP`a#A|u5ZzRs^wZP(z6iG=_DhdNcZ1W~JY zJ{k+}*xH~}%X=wJb=^R@JnK&-KHm0YDTDl}5qeUQ-@F=W=)nR~i6}&ejXjpEo0=xH zsT->qygZj(c&T*kBaxn)(fsB2g&{K>vq-mKR$ub*(h! 
z&c#T!{i6g(5tF&gvUm?DcU$LFWQOg@Zx-fyGH%5i-)v%(lq*7+-NKBy6FwRZ=g7 zRl^G``(~GNb>oz&7i^EhizUfX09~~9=({(I_WdmP-i1f%{x&QANLIWgL~a^&VoF0G z5D1rN$1pEZDYeG07IXF)Y{TW>rK4%7Fdnf;=K6DD#wcYK>wmIl`9B4u$W8#$7yc&H zbbGP_7L0oS`;q6$-4IsKcPs>APG2bmML@GV zIgW;Y_s~^&oOO0WdrPxj`&DTwbbVx2mRoN}pKjP-Tg9#Wy<`0Dm4K7q#=vUAn@zhX z+npYt@g{_)!`MJ9p}=*cV^GS$N|wOK3f?U}H2g!ZpVkyG0P?w4_HF*htX@0NG;8}P zq|NXd^bl3!d}}f)09s-T-0`z*^xap?69A@lx!?NT^H}9XwRXMlm2A+Jrdqsk+oG6{ z%7h9AzSI~5*ferHFQ4xEUD>=mE%v=dzmH7J>ib+(PD{<&Z9N`I#C3D}Jo|z?>S}rx z?@UgIKa>ydh8W}Q>VcCexhWgQJMWwN5H&r|SY@|uk1N~5nq2`MAoF*$xz4z>mk*w{ zmm1G&cCC|lP2c&1$k&s>Nx^!cci`j9F7Pk5VkdYv6Wnw~C>7{<*Y~91{rGk#PgnQw zs$$5O+)XQJ=nppjh>*I~KTKv@nQ{!+X&x60^b%%zxkO6M^!zvmna`c?tjEPmIW+!V z$F|q!emi}$pLl^^UhaE;?_#8udokDfJ z^|eov_POi#x~qh(%MAEnw~&|Ku4{pZJ&amjKbpH|;0yEO?(d)AT4F)K^eI;#o-d%l z|5I?}eXR)C@({M4b*#PR2gRr>(rmdrwGr=#L#_CYc{jPNYG#M^`6~do4(`%!z&&-> zP_&vFrW*o6t=fBiQm8%{ZY(kz77+`V@--Z26Z*>krH#AMYyl0~GX(Dts+W zC`2$hYC75|jw$@fMbU2^TW_0%QRW%!hb<-av)XLTi*)^ARi~=jQg~@u(q!m$*yZm! zu((_Z&HQ8`u>i_VoGSNFn;2a}ZlX=4%&{24kqdM9WW&U1LCt6jaEb%hqG{jR%B1OE zoCC5E7{tx%(sAj?nkqX~CGQC4ikmg&g$t`8P3WLzBLETII2M3>B&q0qE`LnUR4%N0 zhd!Ab*Jx4shctZtlv{$2d3@=Hx>>)3Smn@&-vTPU0h;t`x-_?Pp{M{+l)qm3M0ef$ z4}=#fL?f(koH=vu@}-eUwc=7v1rnuNNsh>3`oCx`P@b(?lr7aAo?FE_5=@+n<2t%I za#bElP`D?`Ho%tO+_I24-DwXa9TeNkr|YG)v$m(KVL1GYer#4+e5!xTGkiFVR4NPO zLiWY!+)T=HZ*W2pj>1AGP$IB&$xz`FQ7M8_X#Ofb373SKX-=P5a3zjN%2=1<_g-k2 zrk|w*#coT$mm;N>vg8gwzCz zQqAeOUYulF%do#`1q)t(R($6KephPTV$XqDG{az;hOW_$zVFwVQjqkfL+J2g_z8!E zOvfveNtI%d_XFm)t!8Ef%Vn@jWzZKl=;-(Iyd>^V4^EoG8|HHLm%l@9VZh?CQ{QdI zl}RfOg1mkQ5iTE+Z4w5Rh{)xwAti`KRdI)f!2*}fgq&(}zSMZUpDnx_Nep?O-TC=A z?_Y4gUvNMZPNWy#eI)-3LXL_%`1Vcmy?!fQ&MQw$-%lnM-#8a}X=) zNmzC9eSrWUp9D(HzPr1y$R7+9nydy|Z+opDE;L&3ndd(}4of$QvGSEQkgq~fB$%NQ zacw42)X8#Kb(7kHVrDJ~LzL1w8wVpHX z<^N1~r)V;LeG;vjUN(|Din7`X=l}cI{AZ|J#Yb%rAwkzYqaWE_K(#>+`rK@t;AG;L zzRCy7VN9s0O@EVzWRw7eCheZ^S^6~d*r_V2V~JZUt>$oZX6$LV<&5vie+r0+lOU`& z9mMwX@nX3kcqY{6E7EiR@af_;VA%#Ko{-lcm>+mgeDq%@1r|u9%x8x{OK{jq&%e%? 
zHXTn(=LplhS2P!8KR)-r_m0=Kex_c7vAVVIO>ZGwy59|d4( zBF}BK{3j`(n=90NGy4Ev*8A^B2cP(UMu4x+_*zHvcKvaKST9wtVMe46X63f8=~6dN zzZcM5*7^1*u!*uooQ)*}I-7s#?!4ZQBJL?_KkT~f?z+#Yvv2e9nfA>6nC_s``!}ks zwfmCzbYc%|19mK;41X$6%KC=lIDwcjw-?(Tck^Z4z_UqPJ;;xf$E3e( zfw4C&Cl6WOEn6qIyP#lCE<@uY`-whol#chU$-FzxKEPFr0isS9QN6Y8W=v7jMaT}< zY5=&B%@BalvSDLV_cqkqcWvMTTqU~p4~z+{0yE#D+7fo{av=*~KBsZ6@@;tg4(GH1 zt}g<&Jl}e_N}~PGMt8j3>o^S8P7^3qB-mz0R?D6?jIpyHF`cgYXsPs-g{uO!09Dwx z|F8qx#@%5)nR)fp0MC}&UXM9GrW()zA*hy*(e(n(+4q>r5x8Ff= z1W;u+j>G^r8DE&Zth$F&1JP?=XT~=L>)G4oh+oGK$}H1fXV`A-yXMii&}Hr4T6&md z_-t?eosS6qExyH2tOz=fA4Tuhex&UZ%x?qW3SQ3M`#Md!1Wp9*(#6PEjI7h?VZ1JUcnDNbvX_~z3wk5 zgAUjVLQjgL^fq9y?+3UW2=l%N5}MNkw#^m;=|GV1%Rc*LL`vX;cNFR-0?MbUbxoit z*D)xLqvLh(^X2=uxYqu_2wW031lY79R|hxSSO^lHbN@Z_36AJ83`_}r0FO8^R88gaxXyf=ExN3@J=Zn`c#!#X^Tpv5b>Jp1*F@q@=4ATexaEupVZO3 zX7kFn;ha+wWtU-eua591o5%JbI-xoyO6U z>1gXnW)`ByGE&vMET`yoo?o z);Y&x_pfNjH%ss^Z+5bHXv@(i=|EnCId-uVB?a>i>ZHNH(6s-Ic%lkSdQ+kIO?roA zVCSYXI*m0X3{t*U3}!CW@1jTsaEfJwRL4zq(o8S8SfgGogy%?A@oJ^a>rfJz^7JLB zQ~g563QZbfjLrBh=Hn9=HEe_Gy@*A;a#@IeQm8gKjiPg?cJy3{K4=*l(6M>Zq16}N zk%Tx`BN6h2c+-V3iMZ;At(Sl7+@Ef}YB)a{8Vv?)I=Y(ZOvShk%C(hwG(j14`tK86 zXj?wQbd+9%X+U9Np5 zbXWLC+fX#Jv)*W5_ZULpf-{*?rw*s}WTncir53X*$vNX1B{VnZ4xuwxW36|#;Z27~ zK}~2^$p;sArVtk$kr0)HHgVCOo$oMy60WsijhR4QmqeO`qb!!AXq?>60;bU*!Iq-u z~ZV+FsrilLg^}Lrg`@gO{Qtl5|O8HsHM0)yh2wowbw1hJ(#ufYl4P;BZR`x=u5%oJx!tN$iio79d{G zA|c}UXoY!6v!qjN(yG)SF+<^hrs(jXV6a*=g|8>%&6qtTk<6qGh|(;!En+N=*lc*MWK^Onp(^a`5ZX>?k>xg0$QcEzZzx$1BrwLy@h{KZN@@Sv@u-4m56YB~U{QPG1N9 z+pYB(+-_T|=J(%Myvba1`c>JkFEUBK zFM;o~kE>i6eY26ej!S#8zN}du1U@Akd4wZ@z!e`wea{bj9y& zp5GhfEt}^$AmGS&_h9~~MiM)as>6aj@FjYh*#8|gzuCf2+g;vmeB0hf$kFTkl#}*; zfgdw6%cygEzmV|aezLouPuFuVmQuD7=+Y*;Yv3QZTm7<7>|!Ue`$2hwSKji(vYxhc zZP0Qq%Tx{8Chh@@NdUkugX$Weo@+dV{kud6`6@*-cMB`;2%(uUpe@vVJ|SSI5+5L=GQ1y zH2r2^AXav;#Cm!V4I(s6UZJ>B3v^9(2FrzT%f3`n@85IN4sGjX%%IspcTCIp%t*5F z`qOb>Vt+w!B&NpTw;1>c7CiPjX=iwOQ^T0waHppq*+%$dkWG1m27C3>S! 
zg|eN6e{`3~Khr}^pd7=NKdiWaKG4s=0@dcB`sI=-`jM4mGtkkV9@X^506DzmA*D23 zJq8Rz*KRzza}$3Ip+hW`Z{VAF8nwwvF~?NtzR(v_P%bl|NB1X3gtF33H0JL%56YTB@VZX=bf+u*wmF(a>gF7sn3YU&SEG@^3jy8w^mRVC3~JtqXd z>3AkAk~kezNUvJ5CTsWy3 z@;>z(2+!b%nn2h(xzU#Pj(0}{Ak4@8+bk&(2g0YnW-{}oB5se#%7-E8DzPvPX2nS?q7o|3lR` zMQ0YZO?EoAla7;)ZQC8&wr#6p+qP}nNyoNrC+|D?{+ad7%*|eBor`^S&Z=GY)UNW+ zP;gs>AZ=2@6qnFtEluEU8bKvn*oU>r51v=ofBxqb$rcFbu8^3ZY9;*)`wKhvPaZwu zB;z8f(m>mxvt)&~;8EJlpLljtjtQZSBFT}TnoG_*(JYFI8S1Qde@tQoC7rjFK;m(Y z$)+7*HPe7W|4=^)pMm2snAgCIa;gGjEzT&$a1Qxv73J@*G{^8*giB5AN{uDY z&Mcq0==3U^3T)2>iKFwM;+COXArl zihn?k5_1YcJpRA)?(fMrups1M40Fzp!T$Q~X12)ZpP%d7$lea{^DC4P>F*HcA&5`c zcewQ-|Le&OKS>x81B~LY_d7u2$?M|N*CqR|lbi2DaPM~0)E33X8bJrBrjdjxo7JIJKbN?i+U-W?8NAk(_=FQvAh8bS>6#KQ+ zK=%b&29oFg2lIB{)=lRFeg&QHr6uO~RrnytZSOL-A=BW*6wI2Y znzw0(P{>(Z=c5g?ZkPG!O2F~GOYFAG&eO8rbIi{1&P`HJGcbgu!@gu17CWmR(?=wa164URW?jivA@(T3$n1y@> z3JO4FL;`a~Kh!=)E#1!kqdP;!t24&4da^Yi_RF2}FCf0;PJHu}lBYB48JO7_P!c*# zz^rrp=ct{=-}KBa;cxr=xdG)0k*9!M0jO67^gs_Orc9{nJ1E`DP}yY`zY(mkrfIDf1k2)Qte<%X`r@KJxfb>0p>45~y}Rc!pM4~qnAd2; zUoJ6b5hGBGbnZOk>{2<)gjG6?gewe5e^H##g_Rtt>i*656|YOQ*FNowyR z)Qmd2AVF;{dsiUe2cw`>vmE#v2bPknS_Z`XzWlTFr~F|V^F>4oPOzymLnqbG{06nL z5}GZ%c%q@jP9^6mtA(Ed&rCULqK>keHAVC2B`Om8zixFLq26#Ax&7<4?JG^zL5Vyx zcNf~O?sd4wFuP^VemSD2;L2`V(r4_}W2nJZqaB{Jq6#phtxbb_z!N!9gxt}tp1lP} zG2NT%9R z8ssFiQiY9cBmtit^>M-AFa{NLgfbo z9H&>u&MNz6!IjcpW3#mIbdLn5lPCOUcxo5xM_Zn)1&Wri2Ju%&Yv{qH@ungeu<cJiIz^9DiiCS~MkbD@e56CH2z^xG`r z+;eJnCM_-jsv;Y_96B81N>GcOA^R4`IwD=i$j_CSN+^7!Ow-UQ7z66?()-_d6w`N| zF)&0nDz*YR!ufq#A)fJFFL;mr>i;C*0R40lYy*;|1tm)$oMR=JJ)Qlj1v?58Q1XZ7 zk}1@jtfS<^4JVaz9w<+Pr$8+rGL4>nXWB6C^>=DBnLAidQx~=jcQ6fMvL&ze!hMv^Zw4+1*td(~6kZr1bo%1wUpF36bpBoFs#{BYobznNmy|e*uI$ z3(UYkQ+Tw|fMI+uSyiplbgF0d(ki4nY2&NB9Br>F+Jyve{BY3|x2WNXPjke|)^8s) z(YiMk4w(h>Z{s9}i=st1v?y~mk!`?)NOqT6T%q7U5~RYJ=J{b;ll4%E4rP@KCff%l zf6Zn}?Qksx(wRP8Cb7nB)qrqFwu0a;1}K!ly6}E=>!Rk6QuG6m=%AEjgT%|g{2;00 zG_x3w|GNO_S#ZUBzg6gO`kUT__&(d5x#|A(AGj4A_=TWE_zkx~fJ7itZZA-tf#)L# 
z3GMj~;B=+o$)NtweeGImTQ`saiRZNgKFR-^-7V7Zt9roYcziUc&DzF%=VAGsoY%(2 z9e56j>oPp2#S^4^H+a!-qwBXSIjh$kdEDLkzIVYji0R6gsS)p*3mkS{cvtaj^N>;S zdqi2=vhV(E_T&9%enaeTUwSxi(duPdqj}mcj_&Rq>_PLs0K6N&9pwJ1egrTXmAZ&N zgpRo(sJpq?biiaD3}0O>V(2Z8vi5#h;@a>E$$A>3mn3IlM0= zZu-86spm9s05yO|2Y#;tHK51U@uLM~4_WqpmPdHzTkAVw=PH|CyL&a1ds}A<+UMJC z_Uwjnq0T@`%}vT#O-G@&Fk_744dC$;2H@)r$ z|7<@O#TT}r)%#;D^5)v#QuJO!Tzz)Oz+26IW0?()vs`?QO|PqsYkt7T#pA3M!QEu7 zb=%C|GbPUE(-g#!TB^@m><(Zp8?6VVb<(kw{w}l`(OSx@Hbd*eKS;LC?dg8fD(rjb z^(r?2Z{;=%FbprPctzvCs2jTECw#mQG@ApU1EKFto9~Ms2$VG$Zj3Jy*RmcHm;FHb zH~o6NpLPzxQCD*iB6-bzn_!Il^@-l+Dqv(ekH!4y)^ zt<62&a!sY#SN1`1n1yR%<{C#^O722I(YuuAA*eA?^5JOA|6vUx>nr*zK;(p=e%TbK z$RKYt#PDQI)zEE9oEvc^kIj0%P`-9+Ek1=#*djXOPy~T&nk@G80|`61qtNV6)&y)4 z7E;kFK8((41Kg@(#Fto7Z8L9$@NfCXI4Yzi zJ=$~U5!57Qm@(~)TE*?`k1Ll7GTit}yfD!$Xvc6>TE&+uvunLZ=@|aYfr(AvM~9i| zr!M@Fdx{!o$oX$YYmPT2dY1=BhQO(U)xy4rL@MMwn3F_V`ed8pD#MguCExO4kZH!l zfcrG&X@^>lC@y2Je5}YMs$tvUx)PZZ@jxW*pH?2fOZONd**u1!K^fJiC7^F!e<)wd z^eJxTeGq{$cM-P1m*mbeHdTm{sn-UAg4+z^N{8My?ZACkM-HmvWv@E$+=&^X{3{fy zMidsqI=L<9W>^=k;bAzUC{?QA7*6=Z%DFK=ZWwVvy+&aN5u9JdO&o-^kzS|rBM(jP z*g;%sMUVvgiYq0<61e?t*D%@&li1EW7z_aQd;2tt56Sp`qLWO+yG6!(kJdFBlJVz5 zb@q|KN`)*(iiDe@McWl))QOR97J#b?58gNJHTXv*vf{v_R*m_moQkcHWoiGtOys9^ zKm39;|A0)P4QHVx+tN9Xn7kR8SdGDlZu8V+yI>x?mSs_CB-R*q{4`U|gh`?zX9sA~ zszJbFR9&H&e2gUIfkK>s_G)W~B0~S?#J{IRIt9fEO^4O#MQeyF|10gqj4>2a*CVRk z!3A6RaQzrNm_lU%gC*qOdx;WR|BTQjWgH7qsieYxTOGF{9%QUttWf--wm{vmK}`U& zw=_b5aF71;E0Ds_cz>n6EGfh?cvW;Bv^Rp~QoYrhD>Vh~6&$*|?t;FnT#ylAlmXzk00zhFCp|4BREj3Vy;6u{m88q7`W< zw$lBFemYN1&3=$CWCcWf&2I^f_6)kwYf{BRD0VDwb{U4f0!IUGNEPbTf=jyN8`0agsoueb1ZOpqwj{Z65Ps= zL%aVS&%dT@)s=gkC)>X$S9_PKkYx&JdmxfWu<{y%mI{TTtscZuTKF^NjUU}{_pZX zvhv5btjzPjW##u-C%K)MzHeMzyett=_%+BM0MyqL01`pNkeJ=b`gQ?vdlskNc)K)P z0&46YZoG}|2t@NM@sww>Z~^Y&Qq{sUJ$z08!Ba-F6Sr5@y-n(ro9erQ&yPyj*0L!r zM7o#b6}#^nwd-!%mu=X?4|kNu}xh@5p&5IdYIFY}sJvT%o4)OMRku8E)DA)pg@ zrSP=+uJ%^ycTeZlui^#|Y*>PydEBz;?@sZ&jknokZ+Tqh&z|h^eM#(RQy3)pko?kDpc6>l6e|>^kC=@^x5~}i`@hf20hzvA+W8)b8QW_&+D{u- 
zc0QMaWL+Nv<{!0mfV7W7=HN)gOFL(N?=>g0DrP(I%cA034wKds{Ezo{y*0z(PcFpl zuVXdW@iCn1_;+)7((4QelE?@P%ZQoC;QLmTLBDG6 z2yEE;P0;NFKxhkq0+EOO1|rad>+;qXK|Km-i<0$bAl0tx<(vz269d7xwFePfmA|7* z&1G|ck;8kA1xE}YG?UyH56IsM6k**S%{ikWf+F872&_Po58GDbx4nU}Y$*B(xVu1B zD5pO%kd0*QpGfHjOC!SSWZ}!1^QIadh%MWT2v#qbVKBJ#i)G41@TvXO@|O8EDbX7T zsnmX#R}=&ijh!_yYP~U2Ak%`kTufosZcT4rsVFX$^%Kd3WJ>OYsm9c#M2D7jx*%%2 zsDf;scAPlMgvU9s{hUL20=WY5C(hAm7B>ZK$~6(!ENH-p)%hRjbJ?EbvU{X+Gf;(6 z#czplAzMci>MX-`owD_n1pi&RVv`xZl zky?h1^6xSI;HIRTNeARM32S?3fj`(vLWZ}~V8;bn zXw(a#A;omG5VWvBrG$rR*hQ>N0&rH5*UO&=p^3#!%O#Kdr2ia>xxmO{#~D8>6;dtI zXM&a6t543L*^fb`EtfG2cu5mYy3Gml%-kDohKe^@I4y!9*JQwLQ2P8-Z@NfE;ZTc- z3&d+G4^X+dmEEG_%;B6mwA2H^0-~#e4(i8$F zRvwn%7{?0O7)dAc8Au`0ow4pO;*^b(EPK!|k{QDUrQ`b(&ix5mSi4`v9EOz(SB zz=R>Cl9J0rC8Mm+te3Y;9t#%{cyzn!B*$fNM4*<;;6Rgp_^MfsR~#ZlcpyMUe38|( z;CAMoSo&-mZ!H)V% zxn7zZ(#eHkS%*A1GT6C=X-UY%uvt{AB9O8x|0u*Ko9cv`lD#EL7j>d3leh^^#2!~I zT3?bfSLLe}c+L-OdAIv&+geWO_{|;}zm>{CW7&xU&i!_;Pv{n(lZ#XYH6Q^#zD!s? zS-7=|*>FUZ8=&H^kIH?aik^gbJlA2x1g4j#z@3&2vCL56gVbjY@VztWp>OL`f7-4Fuh7o)@_6CI6)%P=Z_&C_N4?St!ph5btHyc3ykaS4 z$UJbQXg!6RA`a65oT)NH+kr@S8Ul1YJt@pF=uooT-%&}{Wu2ZP`+PN|;_oz=`p!hy z*jO1!Fbc-L4k3<;G-F&AosqnB2qRAXb{dS z-f>u^Mce@tcKg1juAg^yUS=ry_EOunAN%KC)&u4tbH2Vtu;yoDxo$+x@&~WmZxI|C z_0|wSeYZVS022=}THtT%de6Uljd1$Ro!@4OZzQ?V}#wG9x zQedJ#X2+~|k?+s~ldo~gw6^=x?kV@pCI9PbV#F-_VdaG2?Rv-8`(}SS6@Oxw+qGuX z{bjT!%d9t0r)P_JAyRM9cK%Qb-#5qG65vs~^*+$KoFUiiE7i3+o~(x7=9$yB(*H5F z^Yr@_2a&dSpRH2mdYYi;%kkqn!71~ir?HEq`fe2VTKC1L3P^AHz0%E?C5gW**~}C?Xwo%9X%U>0sZHG z&$?}Bm;HH1XLbFgX)K@TlqL77pW>6*wez)y0r{7eIOhkw$BI?&+wiy-@M)Pprz6_! 
zmUHs+b${jmht+4`oAi3`E`OtkNF~Q-!xhj-767OPyKZPx)_uzac6o(Zs#HR;64eDdIAfn4_GwR#b!4duJ&_BL=8|N)}_Gy!=j` zv2>`vJgz{KFe~w%JueD^GJwpMRV-vI1XWv4qX(_7x^@j+QczRtIIy51Es|p8xzb{c z{`=OnAKLBMDWrJIkrSd=V06Z3Hs@Qj2hW`D+rj>0!l4p>vCCFC0Mz5zVXm$$=-_;) zTGhTe%|xWCBpiDxka8PYm}uvWi_$`VzP*65O-$^Edni=CBYS!2Tmt>#Cz>iliQqRUwN$k13a zSK*~|^X`jl@J!Rupev+f2~W@3kfRNPN{omncgv(K4X9*KK(HyeYRt`tL9&N~;Ng+zQL#3V^2@=0s|99J$>Ko42>EY4u-l;QqGt}26K zEJu{`?d8&kRG1R>mPm8S027~b)_S_I;aPc^)RrMh&Jnmx{E?@bK^|@8+=89CWbyZ< zPPUvM?P{%(>nA9q5ymoApgh)58^e-i(l4$0(lF+U2u(?{TR8bqY7^c24jqDKAz2#> z-$p$06cV{YU3{nH6i#^}hK;DSKwE#&u6E{F2x9?@9mrtT-LKufdnu-2bpvddV~!voY;>l8OAEZ2no$(a?>oG!`fv zw+AFL4k?=cFhq>D{T6YpOSTJ*9%dCC(Boc!RSRY4vLp*3ih&Jv=r9(7%255qW-1}# zUxbC)g=u!p8Dh0IXIX(6uA!othGUq`{->pN8IjmcaxGLgPzh)lAeM}vFs{Wvm6rUa z+2MO{5)(xlPID4L1}T$d&I6^U!_h$^D;=2+L z!G(qZy<2tF5nS->tqU@hCx69ivEhxV{BhJc9$STmU9I*^J4%%i{O77<2c2U@AA^c& zf2R!{yP{G8rEDIQ+P*>5Zbj&OVbSJoJk+H$wg6}HlOhqCN~nVIsK3ba|+$*OH< zx*eH%adC*j*O&wo2ivaAy}))uuqgbqRc`J3YnCdRsJqS z#$A>YVKZ-?<|@Z{AdQzqt1T~C?>VPh{R0NIMLM1)$w(AF;1d{(%&J!QM8kVFIjAXr zl}5#w5&aK*)p6mKL?yM{myWrK#d&?&y$Qj+SWz)FVP8eRuUh?dvu~E0tq6 z5iw=ab*3ffYZ6qPeOA|I(rU-|eDi~CwYKAUBztMr>$D%7U>C#Pp))e3XRmdna`FUq zfvwA}zPm>AWVh08^T-Wxu+oPAB%qpI*X_;X1azbO_T1uPhO1qP^C6vCmG68SHPtv) z$7rTtqq}7ky_ff>r@AG#`Mc7cwqe7i*F%fTW_D#}=h4zIn47s5xS*P=#>U7E;@vF4|Bp27`uoyuOo{1uy{4m_AuRlhEGTGqJh?~GW% zZ{DUP$M5hqmHkn@v0*hszLE8Qy?63sR;OzrSkBvfQwTBJ;dKHh$73NdbQpi<-Qh6B zX&bNS<6edUX^L8H2bkiI$Lq7`5b){?X@1^)^0>n9^5KTC{kLGjth#&gl3zKdp#60+)Cm)} z)yK4#emnE5`m29_Fk_1YpR(pIjA!z*`TXT7sAwSC=lZ3T7mMpCBJYTdloYhgp0 z-{U#N%(vs=wc~ksYCE!*^qZvw!LXFb4f`^OPy> z*L}QDY66?vmF5X4%lCOa5?T|-Z5PUUX_oqNBA=@5@_1tM$!% zeV_R@OJ4&-!L^erl~ zY9U<^prL6`<$q%bMJnQ{M31EkXcB%p#vF$BP>{ttG^m&zRE*4j;S&;@|C;Q>*ra}! 
z2U~g*38=wV0J&%n51Ee9=eBZI7Zs`I&^y`dtBsMSCgD~3{%e0}2vn>jr{@`j6RVsgM4int zd4jWp-}k>8dMdKczN^aF35%uLra~;#DYMVA!xk@-E_hBMtt*Tz8as?tv z6FMSh%cte+(gG1IQ=aDbN+5B44jb(d_Jh zD^Yqm4hK0Vtzt&qgZvi_{}+b}ktL%%2rQc@2COKSS`Y|3+Bua5SZ90AI8j@_ z$uyJ7EzGd4k3Y!I#eh2b(#Gx|QJv1+awp6TkRFaD2{=YJn+~XALy$gZS_2*C-6~(s;$}HN-Qff2V}0hy{mGyfu~7OC;PJMl&6X znMCCn9wL6x34)EHX!#5PnQ5RfHM0^RT46~AwL#yn=)yb|E<+! z-$-9y*l`W$@lA{$G#-IbgjbUcrZRI`grZ#kknXKHu})Bi03*NiphfP8knGTir-dpC`&pufbKKfvi2p znOvk_q4z8$L^xPuSj5SvVcsfLgJb79i94<8|8Iqs)rK81@X&)<4SUU4d#$4iS6Oj9HW+%)|C2zh=+| z(;L8#kAW!s-|l9aBcLzb2N#etQo8DW;ejAc018PIRpPVrO>STB74h-=6&M&JZhs%i z{nqD+KjMn-;U(%yQH%OP`_xwDw)XZ%#;&-}dFm2i*=p2x?grLh}#qVz?&s(MupkY6JYY*j7)Qjio8;n)ozofVdjp#Nm>UXL- zhWS<9P-m;`Uy#*odoM4IblVK#Pi8vqvw9b0bv{;dyILXdPd&F{=cb>x;y*SrwX*Dm zKhSN9OA&i7R<*WXT-%9Xo=uL$msIS!E~={mEH(?6nzJ;W$IoBQ+q|sxTUiztO|{0r zPl!d?gv#sYLmadDS=y%Gj6%;nZmEzf{{Q%Op8DQ0BjvKXmOU=MbJb1?qC;_PySK?8 zXV=f5@9t((PmSpnTiV$S$nc$QeKff1zTnKFU8Xxe$4_dta$A18yUUe#FB0w4U2~OGmBzHhW8b zSU3Fb{g5A}Gdl#eq=?)vVd)QEfZj(Se=`6wXCC;e{Csnp%O)CitCs~Z<7uUcMH-J6 zFzKxYKz@+{n2-Ge-U+-=I7LV(dIzLjLX*^P3Jr-Hm z<(~aOw&l8>j4Oq8)|RVEmgwvcXrrj-erVS@1;`w2tF0AiBk8+geOAl*6-*citzVQf zdgm6xncylijstV4gn^oKCl#63S=q@VHHIMkrYyE1T#Z%*dVa_7Fj^FG<(Da3*sb=? 
z7?kVMl$d14aBw?Ma?~6iDLf*LOr3+e!ue63vZHoRro z79T~I#T1LxV(r#Ta!rXy95kltBr51>q{x*??YvC9TDeeKg3Gt%IIId^4k%HmymfhU z3I{@oiBExvCXbEM#vUn3iFV?;X#?xj zlg#~`mlY#~Vc^k+F5ir5UHnN?@6Z**HmZ_fL)9kf%;nLm`v}FC8j93{T-!vYIkwD{ zXY3C3Z-yI;%u2R1rD7d4A)k1go;=ee)-tM}(S#^RG()y|Z1HnZ-8xoE2K+CM4Ea`> za-Xa#Q!p82NoYgbWd@&4^x$2YRuC>Rxzq2(VF;tvIfw=Lp&5fK`LJRb-D;%LySkka z#X5uqUcz_-cTfdqIXJ4sV8qih^XMiJ{MSUFb^WQic?miQ_Of)x{Iq?I^3``-^Ef%I z>_FBfiNAkb0x65~II%^`mB}uV1`y<(z|*$JVevh}%Z3q(=XKrT<7SE-qsaPp@__%r zWohbw|J1vE&6uI-ii|h#66T-OMx2~lk|ZVW0J^35D9b#_ut?mkWc-dQk)pvI%ZTea z>Ex8_ooByWu&#B3Hg3=mEMA^sv~V$z(1Gs;n&c9G6qGr-byzY9#jd+280o7fEh4`XKF0exauw|40$S|W{&}Ucj53-<=KXREc12)OF|u3lUCDp zC@{pobIph`y((3F1=u@tlBwU z#I#{;^O$40>uB5t~DkrifUACFzLv7R`jeK4kKEvV?4l z08Ml&T7#k*3JbmG*|NGAb-wK~v4>-UatX(X$FvQ!=0tp?yxef+CdCq%eP>9y@g~Ex z_09k)2r-G0P6BhCt)Mg!Wo@hn4U6UAc^mFNS$wvks8W@A1iDOp0i`O-a0CDcel+nv z;4Alkz}Mrx`egg_>R@?ZvoyX*- zA-5-y)Q;6+wCr z4LW5iPL%>6GwA^b?488)5l$8}|BSN9#v?)C_0s`qQ4;O$TQ;4#R;LM90gT4v@sMg4 z?tdsNANN%>5fXgpcgzH(i50cm{V5}M*fSzTe&#WkQ64EWO_K{oSQu#*%YtR43PcJw zI)XKXKHW-ApCTGxm#y-R_Il z(d3hJ1LnUqo{1QW9RCTB`J{>78S^_^!Bg@DQV^0`-YJIA{)P${(?lMrFZtz|YtA}v z4m-8PxCy4gW;|bQtU7}p!6NtC-GpeyNc@YG$sU~ItM1*7BJQc)IiCerd5evC7aJV2 zdUV2>i*pJg2n-|E4AR++LIweI4^p&M<6xsfp(Rp5s__F#aRkH|Y#EEM_+6wwN}HMT4=zZ5S*lPU_Dpe;W;F5s zQGpIlqV}YD>L_ipd7&|C*5zMZ70Waq67iyaho%VE&9Och)=8xRg@saOCXG}FUpQv# z%!E2LI+Ac}v==I3Wz+WxY*!qQhImq#0Q7>o3JgzpA{G2ms$pe_U(1dM5Y#Zmk}G$a z8k2HvHj9*z8KC2&9W_DGIiW#S8$*Tl-w{fy|7ud}6)hL(By_CdK(=&KvF2r(lC9&+ zwGlH7sop>x!|uMt>=3;(pc1aKL{R2F|HG@?>wmF#^|MVQbWa$S%C%Dj7VKL%Y3$?r zd!o4{*{py)G$IjD7feQQv*uuLo{WPgiHKfDCerR67_Iijf`ZOdm`VS1&x?GDqtdEx zd1fj<<)qO)JEUTwT>l=J_8f}m_wSFHXJHo(v5WIeP{`4bzO4MgYc;Q&#e74Z!WDR1^qCx zOU-t6Y_p8C?HLuA&BMG9`%zVF-&~f;LPKn}_kVS{s#5M#Oy}RVhf2N-%3a~)#dv*m zj6Equ8_PWGunB^98}GoPlP4f0r+3DODnKbqYvt-A#RZfsli6I1?k{>q$xmvmE>q>U z0slGgX0pyB-!7T>tpcKirUE7KlnZC1$v?>`tlQh>q zb#!hhe4`7B^-2^>!OLL*;L?a62F*jHTuYJ-XZly;W&!AV`{U|0dS~dtWqBn!Sd~IW zKSm4*H(AI4Ix{UMQ?`llaBfZb>sHH`MHpt-_{x1mt(KZ8mq1eeg&-_d%`LzF} 
z&U756bmdjTF^hJRzR#nSWft)uy#{O`$p74MyC=XM1SA9VZj%5f;*9pW!LyJr8s;PX zZ?jF1vMT&v*g(#+QE&-`w6MwgJ63Glpt{HTrB!X^WtZMTqakh)52ddwiK6T!9&V}?w2 zF+6mg7uq$p@^`#dOjxSfyp?Fwq?`iw39Pvv?j~LJ?3cuIZE}+BXk733)6D2R6V|Q^ zgH+X*y`fVPGo$2zUq5RN91U^ zjY2DBInIiL*F-TtNAW`We0D1P`soRr3w`girYkO9fN^WPUCGZ{#7`4u7h5e?I|vxF zP}NHa9+j?dLZvHqJ?9hD7{D(AxQ7V9c<$Bfg^5>sVvEf75I*}?`MskVWbO7l#M7|& zMQ-D;Y_b}qOXnyeuVcU^dG^z6+x;dWUW=faLPP!u80wb-nfitK`2cTk7C(bpdDXRg zCl`7$<+)!WTB_5z2eCyiRw?Z}wY^e-)Aa$U&eg-=UE#MqW*acI+iBUp*}0lXZWtJT+X~y;Yo#$DXgo#!xWmzv$8gIOl-c=wCD-Ez%zpSdzF=<#EW|&xrIubP zZS5X1oA$h=J>6@;R=GZytG#~8@O7T#E#3Guxg0cedZdciejM6$R==E?#`^kR@}AwQ9yiP< zGRtbXc51-(G`z>JMg)E2Y7O(9)&lvnfdBKIUiiiNRRbYVp?HpfesCYM--dmG_*uZs zZY%eU8~A}1O43!X*)6sFT3o4fmB5{TK*DIEf9*)=lm|%e>-48MqJJ%9=Y1;%i6ap6 zBZJ*#cPIO!s~i+~y?G*o_v(1fhKNq~aAJdT z=@gK=J)){zk!+clBFrNwq>WsuOPEYD=ftW+4K^H?Yb)*;PJz%wkUA$zfBxBqRM}AP z*aNT3WU5n7+NRTrjC_T$5Q9&Tsg=L^^C&7!NoV8_753)zpE#;~(r)mVJY)rQBgaFH ztPs$o(0X6OqN0f6RbA;pQl=b}bxIbU_zQ57D92*g9}c1tk?jmSF-sQWs0(k}IPo@> zYSEw`bwZsK=a^|Cyep1<*LiV49D~e}!nI@ZCK%^xJO+!n=iq39BtKuOh16t=&DVlo zQHDT7(JYfJp~r{ihY}*;N?{oXbE_)Hjw0GKSQbTMPcg+%6ch(7qY1=+Q(H&`Cv$`k zy^bqEnI}};q2v~TTGD->3R>7QF^NuqaI&v{l|)1VmF)hQr%>eKn?l-WLpN+ODT<`& zR$vOV1Wre4Mn!f?Hb^t^W;#*1HruGJvy~+|9%=I>9!nPc7B5JH1jWdSn2WlJQmCG? 
z4I0KylM@$Y`mf`&m+U(?Q!jA}LKLd*B=3i3X^vEw43aOUEnH|7wtwXD6pmQeleUw+_L$VN&2jHSSIb|uIv%t}d zs@lv(n~?kRV`?(}4W)r^;nvMRZ-yJfE7{Le+U;nPOBI))WMlDi!IbY%Db}eOLG$@T z`G*=cjlXCcY1(%UNdATX!WBr2o4(J#b7s52KfAgAsmt2e)p`7Jj53ZgY}QcDbQ$+| zCD;1gp0IuT4tX+|{BiHD_3v4L5HY#sG?}z`Nzd9FrosDx({SmJ&|v{VQyr zFdGs^Uvk>4pk&OAC4@Spj;y}HR&>~_OoerX4A3M6Ak~ghCaOy3o?^Fj|;Kp zz-Nz9{jm5hXl)$P*QKk+E^e}$B#k&uy>3k}KoP7LLpW}E0O^^ZHRE&U-%>;>>h#1w z8Vg51I6l1S)ole*Yf!>1s#h|^Wr27Ai#>V~hx8NU0woC2>ixgGE~Ylno}%qf4dgmMpYlMX6x0r4CmZ zN$z~oO%@&`*~zH_+k5e@x@c)@52UJDVl8SCXXqX~DAFYXF@hHh|0^(DkD`YmrB1tL zkXT5f$^cz9zn`Jsi9Y-K1h<#MtqU3*n>mN%lHlI8Jjq@`1)rC1lo6GUTE5w~N@=E~ zs&pQy<7fjl&D&x$kp7@q@k6zZ1NcLI@=8kqe*^ zqi_WJu>a_|eQU;FJNJ+7n0YMLwbF5O^IOP-_|k~IVlsQq^-KO5+@ZtbtvGsnkS(Ue z%XvMnU&(oy3##OS_vyL#J}P)kLA!Z3O^0~(wv#g)EW^6;JO;U zwf%e@Sn>JAZ!o$OvWho)qwyUyf%r9irKY<#Q0m&0+fmgpSh2$YmDl9o_+ZJt**Mh# z$#Y$GH!AJjN=+3Tn0q;P*|oH6H+BG8L_6zyIe&G3Hx~nF8HYF3^HcV@idN-6T$i~jLUI-NLUU{G zo^x~j*Qm|9TW2=BYCb;JdY_Ftc~#$Di%iUFIj_#db=N&(y*9|(Lvur_y0)jbQgyuI zG1D$1XSHuPAD^+S$t`z}*zwS}^Rs6!8e@1#Sb6X6yzWK0y*oC1Kzh#xQ!hKG73H#B z{})r|6kSQ!b?c;)bUNzT?%1|%?bx<$b!^+VZQHi(j-7q-opb(g{5NaVsN1Sh^If&( zdgd&HC%4Di1rx3J10Zef`XAN)*hS4+jkfz?l?c#bW%(dR_vK^$$-YJ>`s!t_Uy81o z$a5nS8PDslI;7T#pU{l%!;R|fcVJqpL2%B_J+KG}EPLd8S$PLaf8*2bFL&mEgMhWt z4;rZPoSH9FB-?a5{p*`VMT?iu2R@H~Q*Sv>bh1Dq`67u;Yf(X^zcBYjz_gB^_qP#e zd&GJd=I$s0Q3haKzgT)%dtM~?^tC+ckQ}3UtrDD^im8hxtCbi04rDKLF zQ|ID+1V{uaaP>M|rAT#Zn06P-1Vro9TBER-6+Gq7^c`APi5(<(6NwCC(2C4BWIwA^ zSg^^Iwc(h(Ll>4r|D>I3G=gDJW8pt`j3FSd3m0P=|Jbs2vF1$1C_!u>j^t=mQ;;^A zm5vN#$akJU@GvQL2@}ZcOJ_imf8$jF={TyFOmxSnG1x5UX3cZ`$*4H5S%v?IlTGHY82t%6q8<#kYMM7S zk2L%3wQy7x561L6|CeN0pXFw(HECX8%`gauK57^t#VN+LDkb6CFtsvET)5WaMHVyN zv$UKMNwNZxM&^+~i<(|v=3=&ROn~ex2^>Fz`>(3TGRf`?kb8G4HGS?>E7M!64coBx z{9Fyum|&Y4tQj?u(i;-Rb$YxN=gm1r>U9YAdC@%^o5I+C^5o9rF5`crjziBWFhy?( zYv<-J^hoyhUKuD^Dgsl(L~jL?T(7z_sYgcmiAl5y=giTn{@74-_i0kRLmt8zI&NM3 ztGGsewi?SA$DUpQM*6zH<-E3Ae2w`Yk4!Z`O4CRlIvm?Yf>F*%9G5RKqBiMOu?T+< 
zS`*i4IWHb*m(JyKI1rR%(q5pHC2xZ9EHs7Tutb_I6SuKL{(vQh0wm#+5k}X^C$Q;} zW}J*y>XJE2*d|eBbKM>yDFhq>Qv36_bI+MEh~v(jFc5xw`1SuYhZg+zvYJFWTzc&^ zRya=t5P(9Nr$i%*1J$NFiL{yPPcL4@VIHC^vm~$Cmn}6X)PryJ`b{zZcjx57EI{&9 ze1T$3d+^@j%EJT&{>6WatQQ4vA|{IZ_=94Sw9dcaDL2*6pTBYm9WlD;Vw2ovKZ-c= zR-}}<)?wUikX@u%;^#lN+&TGbxsWx`EIbo~cni39odScX3=RUPEZJ|CN`d?1&L4Vm z;hkb2!^xTNakAUH$|pP@I&4uH5=RP5UP28}%$M~SKg6g_1ho>)qkhxMt(g$YR`3Ms zXd|x5sT!*;fHFU@p-$2)KppA +Y2{;)xRuBBY0cRH>~qvKZ)3z+F(t`=2m0JWAf zO}i>I;JbAe!+J70dvijSkhv~ZgJNI`geHCaDa;AODi#cxG^d4p(*mkBpE=Eb5>J$c`kgCs3RcJK zJ|g~GseKVYM#7B7BiVtv{hcDC(ZHMH2Qjc|l+`ECjCjq)eq^2#~)Z zWr;?a?i~_^c?A8pBd)vyCk4JV&kzdh%%zEvjLS%-e8u0QK;9G;SxhhF5XO+{f;Ez& znrX7KYeW?Wa+P9J7a z%c?hfcH;3FCw%Sic4|afy>I9uuDeEdo;$t64t`#wl6`s)#Vo&?rQ8j@^{;HU=^3`D zn$R(vylvgQ?5>h+r#3CBxNg0~>~PnAT(V^QcD%2F$z^ujv`;)_irIL6+&$KAd`txl zTP{Lh;0&ZTG<&&5DK>vh>8^C&&Y`o-rs_H`$W6IRAM$O8^t{qPcv(MwzW0i>(YP$$ zZ@+v#KBQH6cTU2bLCU@_d^VtYdd}ghxZBhS@wGR23`V3}cWtWQWIwCA4#2C9WxEfX zr2)x-6f`+>JdX2^VnF|{e|fGu6tt=DZZ{>-Ypy$}CAN1DMU+~c{@uQc z(RFQ*X>PtkGunh!)O3s>&+k=GZ*u!69v_Nb_m~t|ZoA2(QE0g+aeS@M|6`ir)qeS) zeQTwO;eLMwBmd2_Xt_P-{WwQ*BoZ^q^5pUHihTq8HZRC-$`abXFJ(tSd1|{}kTn=~ zT(NlFH+h}d*2(C;8r+Da=?t=YhxXxqEHS(8X6e=581(tKco}H18Cq z=@|NYD2dT=yO7X?h^cxQGFG+P**MIa(Y?x6X1}<(!E1c_|L(FaAmnH87vF9o5Xf-3 zv&&cHMW!n8x&H#sjK1>kDaH3I`*G*tU&br^!}niLBt9rF2{T5e#BZtQb6nBmMM~Jx z+hpwE?z@ZR%eS;I#&Q829)l^prcgs(xPagsETvrryBD9Gf^YO9B64~y#Z`>eXy|RR zG^$}BZSCHcaas~2CuoOlP3R)ol@)M-LM@8S=dlWRsLp1T?mH53uH;rJvG^lV7b=3fEPSSE5BFWz*!A9KOvSBhhna`mQkMLpJlU=vqv3( zhzV=8zPt!PK~$nqx+F0NmP-@GXs*l}6|7M8f~JYyiDAKv6l(6L>@+K(8Jla=fvLMP z{{yBkodacp=r6WjT{@;H7|2;@<@|Vr$}0ZfUtr2O+tjDG^r{nVZ8{WbQ_aD<^vOTR z0Gh$AK00Gb^V-x!Mq;H&Au@hn0-wGBYd_nG-;hZ9ed3Xqty|F0p&?|G=}M>P0mAbq z4E4}xLY|v!0F$=ib~{^Q2#wHzIF(UYDE{Y>V7$dOi+1UFSOD}rxbU*!mI;r7r96$h z9?I;mCa|Ib7?WX^U}N4?w};HxMkD&@pZwq@Qe(5KB!5Fo3IT!s2e~28HfZ@o>Gzgr zE|ZCGokqWF>o#0E%oU{AP~{OE_Hr?!0Q?h8T+JKF3wk9KCQNCW=B@U1%%uqe9$II1 zxPQbS?1Lzdx&+gr`i_wH(V(N01hGmCEGpq@k8pUz4@FEj_2vbmSp-{D=Q-s`xu%z) 
zChOCnsh{iX-qgk%oJhq7phoU)^Vj7KImV?x3~?gjQ3p}hc@QkhOHHL&M|x_2V_s!I z3g4kFlZzl(D@owDuS~dy`-@3eb&C57c{(M7W;o9vGki{l9klS<98Rm)y&q@SoGig6 zUYXmn<>XT8995}h4bWPG>L_p{m%>eoz*(ix5GYBpI3gvBO!WUnArWTJvmv_Co<&#O z7`Z_|Mz!;dR{2Aejjw;((_6)~#y@kkn?f=uo-~tDJ-* zoPb}^a}$VT)r&$<45%&;Q{}406H==tog)00L?uxXQPLIh&=E&^zfkJ4wg=@%#~C3x z+E+>!3>@~2%oFQ`F%dD#rtI7q2!AFnkl&y2hVRWHRJ|}%P=y{CK-pa^<=K)GKFoaa zndN$E0`b>h@xO?QU&o?fS-+TGuz=rNe*(Qd&;eiYsWnF8&1iG6AxCQcve2ue=+e1Y zk+Xmy9OK<+z^Na>fhn}!TBTY%od=I9HcSEKnrnpxZl!CxMt5py{)Y1mG% zxqiPp!(;!#K`}E#&cs)4V5K6)&3<~Mhanbj)fkIy%A2KepBG3J<; z6PR7*3K*ry!yq&T&N-XaTfF+OF-B@+7Ms(@VWWvMlvTNhBc>GknJ3u)Qmr@X&KiO~ zM4?Lm-;?c!9X)nXAkHiNPucIeHp;iD42ny$=i}Q!h9il9;jgzN1_T4b00q8{-T{W} zKgsCH!+h9)X>%PGMQ8ZjJ5W8&x)7LFLK^dI{yx4x4(Q|SYw>*w3`>1 z0z3OGG&8v!Zo_q~toW!T&wl6q30^VaVc4G!(* zH|*>jerup7dc%$$UAy)3mP^}vyJ9oDL(kDg2VKv=58qYqi6rEJ3s#*wu+Q40>Bt;9 zo9#~5BQBc?IH^M#Q>En9o6a4&$CvaBo7w|wU~BtMM?=TPj)=3ab%Y!(9c{hc29Ty6 z)AjvfKJTQm;ZP*Piua3OgSflYaXkJCV+ofb#;HZyChm&uCFU;2T9?nfPh^KTU`l(B z&TVosjY~vMzOIn6# z)3P6}_;wd6aPOB*-x$JN-i=oe$k0{f+}??CS<6kWwj^|38a>1gu&zE!n4am<@p%p$ zGicVlkFe-A`8Q0nUw3icgnUt+3>R$J;9k3q_g(lr#M|A@!)SlbTbt5&-C&v8ylggX z6yurWeoabd?AXn9xyp6meV+EWtnwW9Lh76@No7#G-s9q5+uvSAY(2kIYLVHxKj`^B z51H!re3qY)6|TqmvhS_9x*R`$_?`iMExy3Kvw+f%|F;$1gQAG@yrV$Prg&yF5Z)(q@A0RfF_0k{d=kn*pR zQ;*Ql8_WlR>yd3xJVCz%aBW~I41X06RE;B&oqubnG9r+TXk z1*6gZVr&fwdH0Pxcq)UUNc6#-cT=HSYb=n6?43&$k??8*kiprDCwK%PG$ zE+b7$jf{!PMbsi18*F+iwmS)|6@nQ@oOmFdEUQNpv%20e;wX^oQ)edT)=aSG@m z{-CcolAkEEWSv6NuRB3jhS@sevVG!3!ZMdk=KxVIL>B3d$VGjz24_~LWA{I%Mp$V$ zr%bXu``f!JgDd83>tJ0hr@CJ9E(5Q*6I(gWy80TW{G#L-LYsqb)&l%<`h@pPj zk<4>)pkKW*X;5NOk5VL5Sa%Q%$moP6HZCJ(3S;^N)Wy!VNkO4;NJiQV$W&=2!{tF< zJ@gpFhy({rVRZ#zx5At;_h^4QgreodFz60giV{sU)U+;TWb4M|qf~y&_AA-=P2BRI z?z>M+x=wJvzm53zxs=W4%Q?=*>!!$#4he^5Um(Y zRhoTvB8HiJahx%v&kog{)O{OX|VH`yv%Tafqn0U&U|RG z+`r7Y`D|8h{N}+#EYCJl@~fP^gH5^iAR^*tfFPV)Mu>6+D^{Z16Cj8X4|M%-(pk3V zRJD_+vpfj97I%Ou7F7V?nWc4`uw4{r=nd`FW93QbrP?|wVIsZ^hY};l(#!Wb^kNMa zXJDy3{vdVhYK8 
zz7&lb8LZE@2aoL})ci`0_~YlA%Db>(y^LLA)O_|X^n9Zgg z&iapy>gCE(%X_Gp6sA8Jk|69ENJk2+U*Caove`>5kHEZ#@BamUatAx(zUR6tKrc@| zf?e!P*2Gi0s(SpI1zfP^KMT3!c$2JL$$2qYRq=GlG^x#X$*B|h-10>CvFb&OPvj?M zfeKJyO%a9Is7Aj?8xHAt%M*U3Q!6mQOrGcqEMgW2!S^?BScsywr-J}!Y3SWSP2$-L zBO~2nG4r#y^Nn9uL84(o^Mr6q>69#VXo4i$i`$e1DNAjpIOHZ>At|~L3!0&WIVpic#FW{`=DO0SC}0n;!xt$+6oS?wahL@S(OyRB z`?JB2crxp?|2srzWr^N((xyb=Byu7igf@<0ERP)}X$&qoIpUSo4`82lI#J=j1pg^? zjI2*}viSZ9n*a`(t9!kiNncK!F{Gf9^*>{5`)rD7rXlyQ3^=mb95P_qIq(%2 z1SSdZKSnZ!HB@?WeuAg156D;auYk{oj}U%jgkQ*ZNN+Y@_s>bPt>>BVa{AG3aRBsp zgNHz;UQRBV_kRN?H(L9hx%h(#^)meY*|HufD%V_w*HXLt%wqN%6TpKq@!ELi}+aIvhOL>xgyO-_5 z^rhUo@0kAsnYGEg+jWZbaWBQzMEB-+o%L=ZCEM}5&Ggh^(a}Ncdw$#Q4%xl&Gp4fZ z_21@*?atHG$@97t=Eqr~kY)wrbd#$9npV&xb?fNn8@)`(|c} z3UkEn-0cOtM{UpUi~PScMLFG)mR`p+^!E{JhuyOVo6N5B06N=w?SFrxvTLd&HXGjC zdaAb@mjPs%50exhO&xfi7oHcFIb6HRobwvy2Vf%}hDjxV6XqwB{>n|aI?cWPzm|8V z?rS6Q>t3wRHw4()W;63PbmqJJT4F!o9^ELZ}?9Jp$@%897$BYqziwpDGX!PiH zpKs3VHU~`rQK5W|TJ)%L(a{Ooxq)A<7o1%NI}buurH|ODAZ1AsY-92s%PcNX&C+Dd zVtZPANsvf@eu+MsWk5lJS*l2fhaRMh5H-uB-q@cAG0J#Qt7jo)c+FxckW}9hc15fc ze$KmpB3?bTnuuo-j-yDeya*+-K3t}E=*2&q0$UA09xTp=S1d}DI;uyLKl!se?2(_Z zZ1~+Rf9_V8lJMMuTQdfA!9S6F?SKI)&>^7eHC zo0FXb)|uBB=3XG8zn%6Z6irE*nVS%(DpR)gcgm5jqYxU~d_CeoB@GTUvza zc+eLCO&wgyc}xLTiZXL)@-MIzm63#&*6j4MA_URwNf~TnP!0xhJ%*|4wK8%2gf@Wm zQfYQk-KUFCU6Q5JxFmJ~&B7P;xKMJ9I^5JpiYSxpNx29B0Vr}rTT z&d7~3YWx!~9&+R=fsHAW!$?bG5&?_lVJjZ|g}J)CScPiK5zsy}dil(7;|XGI{6Tm2 z>M_a!6Z>us$>&e@@TLr>0JIT9NpkvPm8oJ%X|-!C-YV20X}n+J13?%QRi7glJ)bw- z{5#b%(qKVe)|VFkXP%D$#-tm=PYu{BVX!*AJ(?_`AUvXPeiX%P@K#W&39A{E;IPQ! 
zuNqY3E(CrJ=;KtBt<%E_n@+kT6dLq8=4%VY^}TYl7MMKIc*;8)Tk(1)#9)JE`J|U} zaZ-Io2{7ek!Hl$S|JXF)NigjpXsTS?RoR5th`RbXEaNJ?>tGqj&Dt(~+`^1cBP`24 zb>13D0r*-qR_WiOOWm6T6iIpS4Ae}~Vn*1D^ud+jW&EfMUVjKMY0$BgiNGt~H3V~B zg8v@>!2(mt9P6IUJC$dH!>RJ)GCt_WZ;DC^_MS!U-V5kM{pwW6tTC;q~zv=IsEU zR~1l}*z~Mtt>^&7PSew(4qP(3OFI5h-r$=krQCE1Mcp9rMMH` z<*7T{b?G|t-trtKLbqf0Mscz8_v1XEs;c1=^P6jo@A-^*&F)MC%kG5G1=|(GPyWNo znL;RmMxB;Y#lEOrBAG;8#j#*U{zo31kSTdypbqjm|F0~Nfmu%i1P`-3pDb<_@+L%F-Gn+S4}$&PwiKaIf}>b7x+((Zw4e@KjUO|?Z2wmE02IqH|>x& zRMt;>GACNy33sz5VqTY}%VO5i+i>dT8G! z&-Hdyv4Qv5Hh6rlF1xF*9yf<;8Zl_Po`(=z6~6u2t`zpJ&Nr0+ZP^nvsh(X!cs`f4 zriEEkTf~Zjssz>SuTx|$+`CI;_{j^r+u^uV$&IQQf6vLUE5`*n&hxB;k{VuM6cycI zjHku&(4$-5Q?vTPD|!s)t7P%(i1iJFYnN9-wa3*)N6%aT?Zl1C=%@0Lmi|fX*pw~b;dxt_<`cmJ{uj%^6^m^{(YEHz-Xp%} z+cOh6@B`lGYgWS2=b^7-1<5&+NFHb;DUB=L!?}YZknN_M)LY4v|R`iW{z{AH6K}LX1b}tykeHiKTwquaBUdT z?zed`_gh#hxFaO^CzGNKV##^gxI;w3wxBO;=fDJVP-Deei!Rb5jwp{jWjrd8!O{ln zJQ*=#vV^I3&K+gXB&#^T!0NYBp#w8wQBPON5KMs%2?d*4@ZXCK~yHiiBT^7-~|{TG3S)UtWxgpt1hC?o;za!j4*s{e3wLh2K|W9L>2siPjkGu zfw`Su@!%g~hA@Y=1Z*SZA}>`!$OEjgMPYXoDHr)1xDIkbu;$=n*a4Yiz;_yvb4(t4 zeSyT3-~wrv{y1cW(L7U^3vJwZRJv31{&}L6=ckpd5u-3I)f-rUZYg=f8^s@5h!k`I z@ag0>N05KE$D5@*+BV4d0IL`*m=wiLGWq>Y;I}P`;A2ev%xjI@Pg=qy zseDzmH~?u_a(Wdp*ix{2w}M$bXIyZ|Ajl~kjD(2;Xh3<~<*7_HVP3S-Rf`Bm;ymZH z953zTAO_9}(hsb9d-KERc^+wa^?AxvSkfOpM3tB{IVqg1Q!AXm6k;&Fi$puxiB_j5 zRe!F@k{oE@^=oLe>!w(m{hl<8VkL~EGNT6hHAAZ$R=J#uOCK=nf1)7369jdJH-R~T zn1SsgBDDmSeV7nd=RdwCFBej}%qEg!UjgSQ<l7*nZ4QZB@Yc3LV)O7RDFkkvi%bB0)7eU+anE#ql|Q~`+imLygyg?c+5%Gbk|8w zx?i1k9ZYty$u8sFE(lFBHMbSLXVB2~96gO^nX+DYy2*RJB;s@ z4!AvNJjWY;3LTn@Y2A*Nzw0{OznPYL24zV5?(2be16E%qn@YLXCk#q%9H-+hcONxgHx&3pH9$U3L{$&8#tQ#6+E_K8pABT95NAr$aW++=_4K0bS@q2Nw)BW?RpvV z(pwrhe{ZT)xHZ>p5OP&m@lfRJ;N_5F?c(xPx254|!)JCR$H#uwzRVlJ3FM0a?z8~C z`d)2kl|D~g8Na}Q3IL>xGvMh5WD+wb;z&R7Gjnat8Q(1W`%Fv?aK@LUE@5JEHLmen zQ)j>NV0h%1QcHt*gNE^3mqrbkNT-R~?c0{B2aU9Yk^+g~jwB65gUWn!1MdlmXg0@f ztyprz1k2XR@oS)Shg~{Sk_>818Al+Sl6JYqO7z7tzbV-P$KV^Y7J{r~w>~xb&-!YW 
zho7-Bbs7RPZ9b{Uk*r#if72MU_1pD&>jV`=1hw@r;H*6J~y;d4xxalNmRy zNwcY5-6^cX0rZPUxDJq%@D>B}@oXFY6_92~H*v6cUs3S-M4DAqzA;6T&6=Nhm(65Q zzt^1xDQlpDyoe-9U@$V7nYRb(92kx{`1|(l7&m8KKYRk*V zR`yYdd+Ei>go3|Sb=Y#{uT`Ek{JK99=qg(UuuJdMngyG(@>j7m;k zb|fK4R?L#j(1Z|vE);)oLaF1B*n?F;gi4(WhLA8eZy=B%yd~Wn_x9DJnjpy_nMq<} zVM<|c=3fAkKXa;EytJv?52|4Vn6tHnwH-$Xr@#Da1l!_FO1l2?E_at4LlU7VNSwL4 z&ye;37%>@U_N$XF0~o4H_N=H-vwqMHX#zU5c5r>+elDuk()Hror>a?4M;6`#wttL& z$QeV08}I)WIJtGxV+#fBR92*+6_M}fVh82MU+i_2LMV0cXjei|w4`H&3W*Gkkp2#WnaD*`H5d4^1^v@`F!FWh z`qfslzYoFd{G;U?XZ=m*HH}OD57?UK8*Gg}+|7kH1Rfv^vJ(02G<$hf(i)=>uPJB@ zGyzvx$g3d@yT*{SH?K(TH!$zAP?;!2T{)1npB=nVtDq{12f+<@!N;o=P8X?nF%2Dr zkw}+BNe!lM^gu?~kCBe`7#hKi=)mwO)r5r@v98%CQ5w_>?e&?&` z>w62uSE^OGLxIZ3)23(n$PWL3#ru~!IPy7wbs3*Z83nTig$PiQ<^=0^&r(Ov>>yph zKXx5^syY}iFU&AIT(Bp9bm{gh7+15L1!4ILooBA8NT5gX4lA+@tP`A=KZrcuy#J(5 zXN6557*il!r33{x89QM&J+Bg>Xf)M=stajxEHuziBw&u*;A3_6#@Ww-O!K_25ZCmF z@H3|}A)-aO61MwUs}ic9f{>yNJ*HW@_GR-KjURr@95EgW&?l1$Ta_u~JSFFN?lUf`H~PW-7m-fg zYtc>z5aE_x@DI62@94LzetpZT&&?N;`rIx14O|G~e4KOn6?-`{||XZ6j6F98b1Zr^gCe9#2*lG07~C-uMih z`aRN|%Fe+ffylBgCv~r+obFF5JB=1$-j`sfT}rW=&MET-lbP)kvJLOXZ4ajJOw%q* z>|rHR*J7kmL>gk=T=JiZw<*Jq99}<0w+o#ojpI*Se&gHOaPsf_x*%v{; zhfOf>eEf#jeK$)ki$|{g1AbA_QO7FVRSWo9V%e0{{$5Gb)3`4|$9>n*G54yPSvwQ( z-1X2ab!}_oW!Hh;qYOM#EZK5<(S%nDBP(I~K5qlbo10yMVxCivbQ}g}a67`+>&Le} zSMseVWF6)OgYhRfz{5OC?%MmcnJ$kHnfsRR-J6rC9(@X+-%(q@ddMNxoQdhmgX>P~ zW9i%Q3SN7nv%%h$wa%tshU1j;>KUD_eCqpnT2+Th_3P!0&6lOi$rT@`N!4JnX1D!n z(Q3%i`sc{k<#ony5mzW3b;Fv&>=j%X?j&F8=L|!jQ(u~Db*J>qd#=j};ARNV_ptIZ z?)mRhRWXg@N04PAz6X%p)pT#pIa;^N{`lC|Vr67`9Y`l|~-S%SOXxI#au3$9qg@LZBhrJzMKID~G(#-In_HH2Eoi8aT5L zeD?mrhL%|ZdddB#VTH&`IE?v5bdfULiGQC{SK}bRJJwyg2mCX!6`*N+z=B~I;(k1< zgp1fW+WH&6DTi+~%%iz~C!%8c&q}d69*y9va|d1V8xAh^Cg05MU;SuL!Hk zNhzG0=xS*=FkA0ETXkTQHf+3QjAV@^_XAgUEVQ6;8qP9+IOeBIw>J4RYK2UR_xeeu z7st`b+us}Fw)h`#Z$dDZE|hzAoA{b~L~-EUKYk`4sDe(&*GHegGAuXYw43hN>2y$$ zD>H0ZMk9t#7!V2=^&2&nB!^hfpub`GZ%pyJk#@PRR~4 zog++&SRnXN>z5i_jlPN%tH&j3H5!^pg=` 
zPO@$@3a-O|O=zE1ylEmcipbb_GcZ0YH<8K|f)ZI>UFiDR4{d}65NlFG&hV3M2v3My zCE$>`eE%#c5KFPLTx}*?T$F;fPMVe9JdG&cfki|L*Lw2|j06K__cxVzVS37eXwQ#e zikdB1MP*}*ebRBbbu`eZp!#g0|Nd|n)*XvxZE|BLzf$meSgLsrou%`nXp8}- z&J3^%g=LooMAZuMLe&=HnpJ58>wbboR&7R0q3!8X>q7K&KZ?WI@)hd8?h{b!Wg2`- zgWY{Pf4X~p`+XmC#z=DKl|E;_A=f_tfm}=d2Xc*GHieaGp;V?o8DURO|GOwP5U{=a zj7lV(E19$?TpA!`fEFfaP+1KwO+WTGm3k&RoknP%fgB^CpiyaM-h@DAnOy8#iSepX zTV{|_4a??4)F@t3^^W)tI6d3t!-aJ=YtS9J&Y+Su>VBlYI&_NZn{4?7*dy~!`7)+8 zxibdQMv&ohYcQLjwg6aBXrmdYDw!JRsKuC70)-_io#I3bAeQ~y^)@pa9VE4BokpeE(w&@yM)5bWyqbq1);Q#LAa5Njv#MRj8;!f5g9Rh*-QvN>UjH1m4kV9x-roViM) z^v4ZJh6p_wXtM+Pa#}#tdMTb1Lwx%AK!Dclu~=6n%W0oze?_v#SgYo5NUZ|pBh+}D z!{8tLO`CwG5JnLA5R!_-8V=)r;Xpy=*S$83L%=Iiu!f99J#-^c%rEF5z)+GMI;QY% zGH@t*{3X%scrdM~a@Iw`q)~?hMBD@kcG#oltmY#D$J8dnJ~y*M%4!4D4K=hy!N4go z9f^<;06PBM2GI6BLa~x*i1U9H!@XXp{qNRxb@6M*m4Ww$j|^V1!x#9~kV`fCR}o~c zW)2wg!UoLi_67ROCkBqPiz?_|@vVG16t!(!+CNUAy3#cR6>D_6)1A-EZMVHI1LSh-XW*VQy%#wi z48wVW4~PzTpT4h7C>xe*74C$sx9M!ZLFnA=eN9eQ8l)_2SMaUQpRb=TyQGjhvL7cu zBlw&@2{*1>ZzROt7@nq<}?{q_ObbNFTThWj?)*nZH zLd)*VWE;l~8{Lju70*^LmviIE8%Cg$zDNB`oDI!BK5Gj(yiZZCPg^6)1`oEbJ173n z%irdE$c&DOhLuT9pOP5-*O$%px0)_Q8^mkno6TUOXRi0S`xbRCuc_*rP2YL@2`v_? 
zXJ++{kJG*P82lFK_0Gdh)a;zkQRN63IvdV|g9hMBiL&X?@_sMpl$$6>udrq=rqV8ohh^SD$OHQMcv&e!J(7UyHc z-S?m4u}BE5wTSFAi`xzKh^@NKqKcVu;&Qew-Sj%ei{;z3aW2!#r|I&U z>)HkA#r=C%?XKGk^cs(=dJhW|o2{knPVbqoN~vnD&sHup=PzG0V9)d0_f&*$XXQoi zW2BTz@?b;-xPU=D`V*px5sCBR)bb7fZs_a2-~!0h=H)@|!Z`c4&>Qg`NboJf&3%oJ z9xJtZ;Nl|ym58fXkj*ogsp$Bn4KMU@SB}|c!RkM4&IM-Zl0y=I6A@!&sfWmNb^Zqb zbkLA=(-;mul=TbF{z=>}R3tRc!6xV0ipO0^DiBXdX6`&+7IR;nRv?ah*$ZuKiW4T8 zXTc>J)P$04FDi@2Xy~`X|At9z`3#3;Q&Fe#yL`F4a}~eIxux_;sevncW%n<0c(7OK zO64j!89`^l>58Q>fIJ=q`)PKuH@A-TfEh7H)j$QWK57afW;gHY z2&H@SLqb?zPtm1{&&BN3hfc@7SDoS+avt4^dv9&Hsl-Na-bDWxinHy=M>Gt&5n zn`M6kf>p?w80usgj%Ny5Tva&{arS~j1haA9s$`uC(|~_OVui}UtzTi)VMp%K9kyod zg&txEfg38Sk(Uywl!<(u27!4JWOkUOZDi#xQ+HNUFE+2qp{2-WL{E=G4gWclL2EoX zo)bLGe(@&-chUkRU~Bv^USZ7?n_oh1!e6( zD9$e>U{282eNjdu^;l$>^*T5bDCy3_B;zy3_Q6$g;LHS@>zKU0~i zATuQKSj2^Q$HZGa5Y3=J_o=W*AnF_L^dL;YaaQX%FdPF2fu$Q@1fP}eX;_Dp{i-UB z6mez~ZPDTeIC=GkxDc#yD$<1#1(tiLQ(Rl^*`k{YwUb)j3{L(A*!_fJs^h)GLv4=ju~9t(g4|bZ9WAG-v&r zC)l!~_fsLuQ7bLMQ+e1vd>m~Q8ucVVGyb}WYDqyUa=q=G zc>X8KpA<`I5ahDZiCdwuNGyoj3I}`W@n`d?VD7>QCb=Sv(n4 zBkHB)6|a(XaD($rl+>%Y4xFXoKI3zY_$~i~_e!2BZ#W9W$DTC@L_ zQ{Z_o)ZMr6zWk5y%F%erzrR1@W2AdAQiSGr2Lofj13kn){&Q;pUF%n%Z`50kZcS@n zO%1zq7+3MuqT4~?Q28jN5@{1Hlnui}OC?+i-rzI7tPKPu%k|Nd~B# z)-&|GUP6z@)avg!?*b-Z{THRFRo(TvEAR}yqS4p!UFRm}DBER@QB~JY|EXGeCe7Tt z(e)T)H?F5Ap0_Gp*L}#Hscgwd1MZl|$Lp~+fH&Q7UP8?9*)-ZgwMqA#-hJ>f;~E_Q zYw~9iZp_C~T2Cln=exsQ#l-cGBHy}$V|08+1CY-2u@d;7cprLEI30sh6*a#9AS$YR z9y?#Z^Bg{#_Mk#K)pk`=zbd*y9p|Jnc2RfAfu|`z=hus3NKb9oJQaTHRH)!12Dp_sJ#ZY{rK5Ad{)#Xko?Ew-?;#I@4qHa(={onGlVuben z8EwqT%=<%BMv1nv_?F8V1NQCf11fyxyVff*x6A69YS#PN9%L)Ncn^AWCT=a|>m_HM z`AKG{u>OHa7BFWBc+>F(3G4*+Dn90Xk2T~zOwA0(zGAArN*EF`h`!Wwu4GMKSUw>? 
z{{S&z`1;>+e#1l7n%Vgeapp*TsIQj2}?+PKG-Z|4tu}LXi^WY*t-oT^o26sGFGK8y5Tqs$lLbvx2zxo1{#+P5jGnV z1hA3&WHl$B81*ZW!Qv$F4x2>kl_nd@1?nN zCZ^@HCB_p2Ci4fxXFBL%2@CSa^6gQ|>f8Pd)(rp>3zP7m@3Ij%nPZDT38>D?gyV99 zZ6s8ssjSdoBqA}OH2m?R8Yf$oF@@`d!-J?`uiOft*Dx7OwihM~iY4NJY>z^I(}4s3Ke3wK*$6psk|F3Hz3ARYgC1-}QCpO*B#PM+XF=!$T}}K0Z<4$nr{bL7 z%P69((0CQ%4|!=RqA}-ZeryT>;QCMk+G&h;TPhU5ly*~eAGObq7fnSiiqfg4mh(X= zFVaa^dhafiAZp+EBL(pQI}8q|}5a$DcZf zhRS1p?`-&s7>BILl+%qbaV-_{$c_Ftv_El2e)w>uXyWmBor`_xds4ok#?bI+JeM6+ z-f%g~ALc}8c}gT$#{RIe@5lbE*pvufVVE8zIc3GTChu63ZlMkVdvVXhiG^m@Gk3uy zs{6Qyw04fnIjfYBszyGHg16$JwB<;tAxfo+)t)nHe5VwHCs{>Wnj}N2oghFC7STBd zS56X36|IRN35uXHwPB(Wj~={c??n*RLp(_u74+5M=iWW*dk5T5x6O%}k$@{LbQdoU zbx59|7k7=dUkFo+9OP=Jr&ZeoxgN9x4S&d_hK~xYp1mNDXPs_G?N@Z_8fFFQP%8@- ztsXC2TJ{^T)1M9effwi;_WuebOdAq3{cpUFrgM_wU0rs6-=(-dDN z@yCF()-NeafI`Tv3Q?BB2&P7y*vx`*^_;>OYsN^p3U*na@lGI46>%ugJeRDr*rs1F zVA@|s8oO%piev9W2 z!cC#V=;x%IOFy!ziO&&p%H^wIA!N`%{tr>#_+MwZ1=}=i8l$nDG&Y(vwr$&Xc5EAs zZ8Uac@7T8Oon+sf-@W&oFZ1F31K#z_teIIf%4}riGx)s$m{0_s+d1E1N2S zOWzrgP&mhXzVoHh{^_*az1DZFg32}OiHO&FozLUppn3C!yg>}<>YGv;e+L4G_tUQF z)1T@I@u`W=`=-Cl`{_1?ueff$rf(kfbKgzF`ZbJ;`CRU(SVs&pun=xs2Xj|uf$TP) zq1M6XwYeSLb!)jC4acy@F9WZlc@p zRdHO``;Ae6CvAN{a(DFT&vi#`*lU<~t<%8Ccvn}JcORpErZmITydWs|cj0}=jX(`( z^>d9|54n{7c-n}FBX5~AEq2LsH#zRM`d*EP)ctTXvBygEzJEn$YM#@!U%r-eC**a< z%F$`uC4aTz<90<=JK=X+Cok7?`6u_^b4_VGFx~kPXF|aC1lj)YAM4s>=OgpxH4m3N z!r?7H373CwzVaDqbCe!Br{6~L<_uSK*LKK3Jj z^TMdDj1aqfFBf0}5kDwQe5(EVr23!hBP;;0p*u`-rY~Zvv~iuU>%Q__F0S_LgJd__ z_lLkv@O9wclFxnSKjq!!65xxU*$1U9+)+Au!dE@gL zM>Oz5;N}`#PVaJlBLweIlJieJ3xQAFrF}EFzr=n=-sWR?X-VHz@d#{w1NMH(1wMfT zN?*Y~RC@x~L@7bxH^-kYDPzNbLx0TjcbBffLB93iH@Gvv5VTF=dBHBZuhzibR^6vX zs(I900f{KtS`Y2V+zHF7_sP9d8p71c){ujW zS`NL72W6@!i%GhiOX$kB{m@2Dd{8`!5@Nwj1FAG7$nB{IDJPN0R^*m+PVJb{vL#8^ zw|_DaPha%X%RLqlX7N;Q|G+S50*7JsDAl81q$p{u<+KM`JVvb+jL?q5Y8L3pnFX>g zmnRYS!XK0(!+-Y+5`2rK zkGC`ESDd&QPjSPAZ=7+MUh-1)2aCM}&?NI#lO0NUf3Ios&dd!F{3S)aog|cW5S);1 zoD~)>f+IW=EJMpoO1m&BM<8TxFJD!#s1(D^bLkLl+OzAq6y&!~-QZEOE50zniIEN_ 
zXVU09)Tz>~j)&(UA9b^y*bik!V9OI+jSXN@5CZipp-0_S1zZ>VrJ1AVQDw@680O6enlImQ}=*vJ1#%8i_G28X{zY!vD zIT?D9_W*ueWkEA)Ve*v4?_y(EBhBVZlyM#DshIdtFag|b=!^$WY=3Mw}#Dulo@uLxr=r4*dTkyv;PG(x<98xO}nEX4y~ zDi0M(Y{zPRs+;#dOwDVG-pKGeAFC3+>@)g=8 z=KJ-yKHW!=3e2K-*G38I-fjcwscgq;P(6Rpk3;dS*|f_D3ZEOlqwoMr#4QxwO2Ms= z5icxYnxFT%sqxsp`Cz!*hY!Pj=&*l-3SNR&xr{NB3wqzBzMKd`Th1Xs1=uJ;PTJ7(??35sc?kHap5#QVK=-(VuW_#jr87Ae!c z7oVVhIGnyZTtU->GsxX)o6p987(Nm-A zsp~;KzvVEQ9)jmV!}^5B6tD0lR?JnSK_e!yUNr=~=-Z^xQEOvjyInE3ROmQ6RkAi( z*%e^&yUhO}28jFy2D|{(Uy)-C!IuKme5&BP?C9rcim51|hR>qFyLnWLA7DBf_yYWM z^+Q1co75q>KmjV!{+lhv)^^XE`6T0gE`S~!PbfG$=sn3q{Y zzr813Uur)K8j^al9elup=6Jb(e8%k4hc918U(5-vs=NmLqSyuTyLu^_g=~B@%V>VdOFi$`WYT*EoD1-V{gXz3$zSj|DiB`B}EyzL8AXtvLYi zmpUIdqMr0z-5;m!wT2{-36W}^K&yZoAni@cM+~6*i+i4MA?7BZ;mvNylWpgfR6_&Yv;2Ym7d#NY}UJP+Ge}` zMeDx^-|fc!oL>k0epwT*z}m-oVc2!hwb6UO^3f$fh`XM&$4T?z5UVDJ@KZZp>inF4 zS@>ROQdu=E3yhr0r{`Hyt@iS#lT%lKyGqlk_d5b@-MN26&`#b&38zZZf&b)2ORbi2L>~OU!=f-#QR%su$0@Mh1POI>aV~+$Vi_{0Odc1DJhbB z3Pjp-A~Up~EE)OBhI>Ndgy9HLGH5-S@k~D`{l>6Bam-)%bMJq2-y_dVL#@)^*zpd&7b&d1}G*YzZ<&=&Q^Ypc<%FNEKkC3(V7ZfNSw{;jL$Y490luM zaLVAOrkkMUElikO&Vxq^(7@TE2Pe>3cU-FR)?Xio*WcWrumv+&K^$5I*%cRal(>+cs(_BC8K1DLs+@ zcu2t}kQ*k+VFT)9Oz|&6y zmEpBu$S?_xEuo0?j3%RZy%nXu9zC!#D^->I?}i1x3r#{;?=Vb@Xn(~y3h@PMxyAnB z3xSZHV;4k6JNMT#07&U**WqO3eTVcCoCS%RTyOoNniVEPHi1s&ydPNpOTeSwwE7G-2c7)e}}W`<}blrd8g z(^>i5tyb&IzhrEOyOuShSfPp`#F0h_)!hQ7pO)NGmnsJXo+N%;wJ>w8Z}owihPtq7 z-EMxBP#>qGHKAfO)|`#G6PRwBKch5k#V~s2(Pwi=Q%KD&K?yb1%v=#+!gU`+S`^Et zaJK)d5{XMEN2wN+ZB`NeU013OM+cIOWDE9!6ynaNK)C`&4iO6br{s*4>cwfQmdu*U zDIR;aK{51>>nBaejNr^#paH*(Iaq_4p0Kf8%OQT$ul>A5WLNhi2B-O7a=XaTBet;^kZDJ!jf&7P%!BrR5$EiQU*pEO1tI@ zF&5*3wV{wy@@qfI)>ZVKMQ6^HAS%2X$toRdzu(HYtm^u8b0IanQuu5^djoPEh^eN( z?EV%hyPhP>f$gXxpuX0j`f9>{;i_2zA+$cP_4vkuFNL_Fkg1Jm>86++gp5!pUR~sF zYyOO!QEh}1jO)tt8Bial-jNGn_?~JgapW;V0){+7VjA)d=tXqA>HC5|?}rsPg0r?J zUmODn4~&QQkBDQ;G9RFmO2{A2beT6Dl)Ajsaqi?6?Mg5^W>f=5qh$5?K7hqI&u>Un zh8$GiV-H_M8*|*}_~va974e;=REF&(>EYR0g?fSxD=h10DIxlc?klM7o%=bo3dJ$Y 
z#1zjR!cAb%&e)~m13La#P}Vaf|NIAo5yr=jrn$g@{)?T4$I<@^hdSr1G|#_5=|YIA z_dDMaCk*`hUq?dk<$X{p2`6+7{Sxdb@kpy)#{$(bSqHfihB{rw!|0e~CcF+Lk59x^Y849d>ATxD zVjp~FFd9M8s#}Up$$H)6=`P|4#=GtNFX@pgLI2r|u-X@{4$O<4lN{y5F<;^m&Th(Ob2= zlupz7&fO8A>re{oW+q^V{%%w|g4fUcv^KZVA^`FEe>c;5qaHj+fM%C?XZ>=xbg5N zB@cMr94-%9=LT@UACLjOK%TWSyzh%gEmGklTfpcI{?gVr?;hH#)sCCi1&*ALll-;B zBe^WhUu(+-b94oBhv0YZYOv3R%^di}KfdEvHFS3EtNLnd zUb)pd-1d6}X)hZ=N{rn@Iq$Bi*&V~VQ_JeD&#Ar~ng^5phuxs5>Vy6#jn|zH;Ff8B z250px#>+4PLskTh^u=8t8USzNZ7<)vWhu*Zy5q5XiSO>3r!<%MVn~L?vDa#e5bE77 z!k9tl{L_fo zz1ThSa)jN{{SqB!9e2@y=DnC3y9Qo#E{A zegL-K0r8B-;2@b#+1==k>OtV(&z3D90{rH12G}KKm82RDspopp0zaGrqW@tnftLl^ zUx^aR^AahIcRg5h89`SWIctv~)P)y)Ybr8cbz`a2mCu%^5Xg$=%a~+8i`pmgG z1&-i}D%>*J%Bnm~RjE0Vq`nuOuG+&>jzc;bB)K1FznW5~u9Hk~;}J{a4qrX1@?D@r ziqCD@m$pr7@Dv)b*viGmfNP{%58Cll_jNxQNM$;&Xmq4$qk_dCqR&!ccFCPjm!!zP z5^^VQ;~12isDG!anw*nb4W<5tE#Vb3$%>f&Pc^t8(KLnRr=v;Q*CLxy$ZEg(jVL9T z5;{S@#Y69U9foUGS9u`UUcgTJc3rMv8-@}}xlo766IyCjyBdR0lK*?mr|mYrm%L}6 z^#X&mt}S}WzK$W%C3_T+M660k{TU)rIrBs=!{GH7UeuuORE;Wop+EUqLuv^EPTs|< zNh0Q$9X&swNTrQ`W+ z6Fs^DMXJurGts!G3R7Q1o)p<6V<>`ZReRF$uQ#$iUIT~1P`FgH-q6HIZrIKtb1n+v zz^M!2RKrunR5@wu1T`q#wxjjWqXh)f;+saoh{1~yXWnFDpNSOQ#j02~+c&d#)Zb{( z!D7>6tAv}hxHL=(nQ-<#L9axq+S>wCy0SA+B^J?3l>ztXm&o0+bTlZ%cs33TS zU$0DCw&;``o;d!}+3zm{vo05t&-@+P zA5~-FM3kfw{$9fVX1xfCu1+HovdF^(w3=)|PHUBGY6K}KyYZGD?PDMjyW3=|a}%Rt z)`<4l=|aUaszMpqx;j6Y$%qg+D-*1SPC=D7mf5^4*Fi=~9@*(&?+Db>gm#ri!|q}; zCf!s#xu&&S6{JTp;yNCm&2WTOb}dgK>(p13pC(o){YAw#Y~;T?)EHvUDlA7WQx7!z z>o4rcPi&#jEZq3MoF~tqLFZIdZcuY3n{-LXwN_~vizr2;-4!Lk3@T!Z6~SoNVpeix zxrjroV_ORmQ-wy5PX`msUd|h5hnS`+Fj4zzrkm1zKLZ$jg#;MB%Rjfh=GHQiY;WOx z^&J(=30y!Fo1QL#(TEaW=_Cnb5gutHon}T|V@3CBlS`` z)~eFL6}d@EWh3chGZ>3s((IiuG=nn*NHf0|!^9^v8pX5cdyR{g+DoFU<}cC|{&tWS50EmKzF^ zXcBQVLj(oZXH|-b@=w!~G#F0VW7zU7WUhZb;V$=~a*8m*Bhe11Dms&@PaHw}fxBu! zNVJO)F>de+AHGcKjQjygwI8K9qZ}brxrkMi=YIfJhmjK!5CQ+&y(xe1xia$E1jup! 
z%mjbx@1gNb5qsZhExKm`c|>_&6eyf9W(<kvV6KupQ8-S^K_o`@F|mqj6P~)XaCVz@94rx#m<1`x$rj$w~#h z%xq=!w6dq{SG%WW?kq&-1FFXcchf80lbqo#2taCSvtwpckh@Xjei+tdXJO-v8dfpSQgx6C z=gMP(^X3YIwha(HXXUn30N^(j016ts*S^i>k6s7&p{cuGX}cYsaRP3aKCEG5Ycp6s zXnaP?iR{*NcJA+;;+i;fAJ=bqYiGMn)hG0Fd{4T}8DMzjdvb{LC@%AB*8!{fZ<)?# z;`*TbPwBmKvg>`Cox&AFK-g`Sn=%Z`h=+RYSENcnfi6ewfUplL`1`gw@ZOlY2;`J8#%;m7^X29=Ar}G5*GUE!PyY-`M1yrN`dR~pZ z*e2-fTMA5T^WH1WYAV)qZ1!=y5+(%fh3=t)Q-19|Su^_GdDER|`d*C)Y;+tP4coY_ zzCnXJZ(n@J2_rWhr%aDAzt=I=fgC^HzyBbpZK=BhSH6LrLCDYapGgJq1yuxK7?6p` zhXr2v?Bq0Mg&EutqyPedul8!s7ax%CuWwY0h3Gwfk;0VoA$PeB`ETYJvEI=$56l`> z78?EZQD#3z4y-7F9+Zgr5#&0Il-8CJSQAcUN#VU(_VbmYWQ|K<2rRJQ97b}kK=92do9Y8m7L_73TAXj)oqeJIOu4aqW>9mYYviVokuA7EZdc83ralj zN}^!;S59$k;_h%IH8iNlyJw*iWv_dDoNAkxt^<0sJ?uh+@5rC98D zFp-sn#=t-p`d1}o*1R4hY8YlVS74DiV8`?|0M$(D<95pbBx0mEEYom$bTAIW6Og(r z2VyIaA_1Eke$OlXB8XFsuiqegpsi=a51yn=`mREcK|y)SC7OMu{#tG{ics{~z2|md zRC(pNLdqvJjPm<~3HFulp^Q`o|+$3M)gGF+72O>)t?(Figz`V=#baIXorlfaCDl$XNz9Acyed%cm>%6pRiEyIQe zI=NGv!*(OESryh6aG-$_RN}3J$!O*qM{4wK1D5A&v3~@L+Oi+#2EmXs`FMRH0=o(( z1&POdEYiW7iYayoA_J~!<}bl!Z+xO5wgQuSNF?mWj*Iq{C+)8Y&SkS!LpG`NS%NhQ z58HMU<;4Y-H2A_Ot%E2mMNr(f;aH*f*lN;>zaczY7@pkE5XRw@2db9 zC#&b`&n_Xe_ZDy$5z4hZVgRkfPaAc7-K!e|hBa(X#6K#Qzi_|X^=!BWwayyDBjVzl z6QC--_~DPRf3NzQ_LcRlguFEywu9$b*=)=ir*v*fkcrLeU5CHw(5gla#fS{T%JrX- zSQUAjPGRg9W=2X0?jT%I9}djI5T5-;I%w9U@lnMvKapc4ZMRgHN~c;RtY~M+@4xF-7ZgJq!cOJ|tw~ej~<- zisxv0#p3D#gz3j@Q3}LfX8($Wrv8c>r`+273GMi^XkF$wAdz-#I4aclCp#5}LT&Pn zr`DOETjw6yA4_=2VxX-P9nN2+X?>a0TGw#; z!Fbu7(}_IJ=v&74$NA}pIU(WN>e`K_YeI^9xlVgV_t^c!%)DPM|KzXr5gFgYQ+@}& zmt)=Uu~sV`^4!i_RPI`qE4r})9tksQhMp(W1f9;kvqZ7_Cpmtv!(lRK_#o|4fxS)J zfpIl}NjUdR_tE+D2Zy#C;NWu59Yrq}lDxF@Zntv{0D7VayRmk^8tQA9e=vW5giD95 z?#%xP5jtHJEa}zbx=+XQo_7Mcd|nSKPpNE~S1#q?QU+(n}2mat`+p`1vq>zgzF7K(Yr}Hg4Sn7l7I~BR>;7vnLKr8T@wjSFP zGSMHSO-*g5qX6L1i!qlS&^fVCEwJUa&iDLM{j`32dI!sTHC$%P*nMyh zc~r}3UKwXUTR<~8ske31uKbUi(f+;V!p+At;VgS{)8}|dI5+SRobevMslKlB{T54? 
z-^(;?utpQy>A7;rl8eu`w~U4Sew;~jH~M*Y3bePF<@pblmpxZ=H#zAMP`9;t?;o?} z_td^esD8yauJ00KolMpI?s3U}h3~U2_BYn&>BUq17KMV}cVjE*Fxpl?51gO9RgC5K z0Z0J@0^R|XSKv3co2zH!kpssA^(8QD&hobJC|7u9OWxIqz@GgBQONtlOPq3K_iCK@ zq6f*ld8fk1+$i~pV29!TwNAQoQL_DjhJk`*2F{|&vxX*8?|%5C#zO$pjW~whLSJIW zg*r~lX6@e)Eu7J7r3LFlCHCyPNE(yeC9QO^^ZkfjM~x4|~3IvO;J z9P2Bt%D{F|q>`xgoiZZDt<_pr2yWtvE!Ad;j##I)DfaJ>KIfXli1M808i?|U`m-d8~w z!7QQE3 zWl0pmX^15xWF*kT+}hx!{!=WLh`FdTsMFQJMTUpYjeEkw0kWOci>SdsAd4T8Y0PQJ|;_ zgZB#2Uoa5dL%HsLc!-gWQ*8aaBCWFdl`rRhPf$2dGuLp^gv#MgaCWr4-mc6*3y-2x zid&g!&69`?q`!GQ5go;_s?ne4bSVt%V z*CL+DgcbulQw%`_y0!+od1QG66r-hNP~9sz+Kk_d;4~7SL1x16S?JaX`?g4cGTfT< z2|>C<41%qHilSprN&1(cC zepn(6F#P54E_lTN$%n7sq$mLrb~%kXl4lwJg%<%l?0`3x zci0?0FoN?q<201jIQg&3Y99&jO`PD_;Q za-FNaCL7>pV zz9ldpDA04U8Daa#P-b40%x9S9{iqPj{Z?XL+rvwe?J)&?nO?QW+H=>?t~nD2Oc_6Sl}<7ISSn^CUe0Y6v9*`43su%r=L zuD`A%niDk4cPTGOcwXFz65A#PU3I%k`=*%21E;jCH=M7eYa061YX3D2+rQj125D~z zn|&z-c6;b_Za=+HMTYfo8^_SKi~xBpJ;n^8E;7c|BkVi?&t58R7b%C&quzR4wl7g7 z7cTuf^)YJW*#r0oHh=rY?PYUgI`0c#fszN+{2IoHw7HqSW3-1Ac#n^O)BTsbnMKpN zTy`~$$Jr=;zVjaj9b^H>VdjrXr*Fecb~WCUe%5OIt5x-fhj_KkD`z(cW(54^^@G$0 zm*`5~iJ;48t41K+hPpi8Ddqzw@WZltp`P_|?Qu`|M{YZ~U~~+6^f@=VQhv1ud$aYC z^r#j*l)Uxx1r(>Q_4XCr0ayOK<5k>z;}*``)U6F1%*xSaR*BBz{g=FBS8#Yz%QZ&Y z8*4v@G0J(#!()@MANdEbN2xe6|NYHl*wu#LrvY$qjWPh?Km-U33bcOAbw_gCdhEYw;a6DSe;1F{?eG!bZ5B2|no70<*tETb5qjj+ zE%!}g^`9%K9FCl8M3-T=V& z@Pi|M-jC~@qBFYwWc&jb`Fi3MWjFeVummAnBQ9I47wx+9`7*{IQep1N#O*K525hUs?lwzSY#T?W zET%9IETP3g>lS(5HOY2M$zoKT)EU{)sx_3S0XfdY;RDY2bm>reI}U>kD#t3tX!gx4 z4-i(3Xbv(mb%Vhyb}Tr2DaYDDuVr62PF&!)BSJaqmkP+aNM?07K8Zh7F{GQ_t}BQV z%a!WZS0mbFg-uEfQF$0+j!Nm?W8P(lP0V2MX9CdBwL%hwpl9=zmfi(_&@#_FC}8ha z!JDZ9wa|wFh5S#@*NQ}!6|_V|>kvh+WOD0_It0q!oc(6pJ({x91Puz36;+63c6x{V zwddMDeo#AFykeNfj%(dWFlK+ z+ZA~IP7hofF;)Bw-bnE5I=_mX+lr(qAXm=Y>5)nbO1Kd6zle4*ubd*S1n5I2ivGh+ z!4peWhKoBRBiFHdYkko@`L0L=PSt~?P+tuV|LLp#l`$1*Nu1QGtTljQHmgtU` zXO{({zz}iZ#Cn4mDqD*u0~39kSi-<#kwd09crBAn!WENcurV@)GTCtKH=T?L8Z>T*Hme>U4N4z5e 
z^UJG5VMT;tm%`*)u#M>+Um`+iij!KgDz(&Jfq;`x$?os$eCiI<8oGru4wS$Uo3_pG zY~IPyPhs_uL9XAW^2=$Mf*V~5$k^vH$H)sc#F_JiMG_}WrG8?a`YWDwcyC>RKgKYHS4C$HuPF}{F!Bo zyAu2dm7R(g=9mMW*79^^u{^w~f50e_sWO_ZMe1V~^GibP{606whJ(tg_JGD*P+PT1 zk@fX&)FlMYx)jjWQ&e3c{}V|bj=bTMMD^^}ScLc6BL9ZPWT2Nm zH@c9fpDkMELlQn!>SBd{1+%tl)?T9$i%JV#W(tPfs??ypDulXk=`t=aV(~xlrqdBn zsxCzhYj%)H*mr^$NHm%&Fz*7&Xxf#edJU29sb=Xf#RetmG8+s22jJvhxcjsdfut?) zd(r^sduh{C+w>QeGe7{j{>eg=V~H48TMd&1QB=@Py?b4eB#>+CgAWi zoDwX)2O(D{J)dnuz4mHy&X`k1Ax~{Q-;VW|6O@{ohCoEaDzXzbG<+& z$K3mekVO2)saU!E&8@HB=xkU0qPPrS`oyy?HakwGirW!y9%=p#sva`%Xc%?uDc-V! zGh@;mr+LjY-5+W;jaR3}v)kt{i3nUiZlnnxkXqmQYrEbwAH&0lxBwY6jJ7%TEh9NN z$(vm#gSvX~&?aO0$dFfjPCdF;tv!$XazruB9wu!u!MaXZ9~fel0OA0;WmT9G1EDhq=Xg>fV-eKEvgsX}}(v zy`@cVuwTh_S^Ep>aCh@e)37eVnthNbK-(|j3^{pYAy>fh>cAY|#pJwRSuTeRP``xO zaoN)+X&ueM6xn6X|b+H%w+S{xh$hDu@e_k`6$nB`T z1a`TO{Y^s&t8TAqA3-{+{s?GxbUi&)^i)%9zc@f7WSx>AvU=k0GM(|wE^g~Hzhltd zYi{~~)YT6B6835z0X`Cl7<~gP5A^H_gjlQ-fKN|*@})$C8iZpP_+EU^dIGjC1$sVv zGHGoo_9a5Q*XJ2bz(k)~acS;l@eYQb+&GRLg!V#-^b-W5QTlQ#HD#DmRhkj=vgnG^ zk~{l^WK$BtkF!170s4b=wcscjH7TeQDIAp!S9xVu4v_$%u$jZi3ds1-RN1*|DsEaDtJZx*V^Fa1;N8%4OH4iyB)S2P>)cwBP!8wNt^ z8uOyh!t0v{h>gionr@=OaY#<}i2&R%1&SXy?{nx;r$uFpl5sadd}+7*S!HYJyACvb=)LMus>c>trn&~J@6sIu?U zGY52_q>9ED%^TcV!k#M>D+%b2JXN4~0Qd!^NO%Yzzx}0cVKttu?dZbJf%00>Lr9v- zcHtxAz!0L}I}r&~#`aJcp2trS?@ZjFqt>_^=$r{r>a zHLg39wNdNH!2j7{z>+OG%C>iubdZi`hHa!${!m_^P3ZDk&Y?lhZY+T)RKRWr!6Ue| zry(QAbu_2D% zMZfwpn8VUf(lu<@skn(pMq)`eD+Xq#TDtv}j1|gLq;9oCXt3oyNo3ZSiHepDkQ_pX zZ{pZaa_HfnFAn@6{P*2ZRw567AkCQ|XR5p^eFyyj4d=NlVf)C{4||4Y{PBDhPF9+} zS>+I-Mls5iUF>K$hP1X-)t9(g^jE4AHSMlzHTENS?aTpnYXbezJg(fZ?qBW2;g#Ne zoIh%qo*hi2b+}^d(k^tM~YS9=rWWP@%Fi9okar0hTIbl6tkil-wDM*OyD zI0{Adn4pVxRHeNXqi+1SFs<`sM-tWW(+t8TTN;z69XGxps^TE-Asu_xEY&<{{lapQ zoZG?pNf39h7opfRQt>5b`u9)Pomq_5b!ycIc%za>87?{h z1Mq!s_yFSsVEXePmvjUWko1`Y#O68+f{&hZ$;AxxKZ5<@KL3D#TcTa_C!()VJvu8? 
zn|)8$x&0e0?vr-zayv19cW$~%&(pk)gVB!!yx%IN8QA5yi3RS+u6rqfJ|Ci>pbbJ@ zb4~1wry7={y*1IDKO6arTOZvRP4{B8$>mx4>lgT?E=$Zo#}|l%el8)^SS>weA$R&3 zj%NZgfbIJyWGM#U!5rTC53luWU~ekXCMP=|co0%x@_eoYIDyY+-MB$vec9q}XZbex zu-WF?FUrrg+muqWwiMS-$KST&VN;E1m%sGZ*mW4i+T3joq1Sf%Mgh2-sVElnQuJI>cbW@KvXtUT+f=PKP@UypD8HfHg_ z{>o^h`_uPJI7$G^d)fJm*SXZS#e55{hUHL37f|^r5PM1cI*rVvT>x{txIwq7YnQDf z)}X4p0kJp&?+xZdB>P{U=M77GZ9Df2?eA|-{A*Wp#&+6vNSLfype@a1t2L^}E~gpp zji*g$)Vq}L{MwV9*Xit!6Bm&~=GmY$)=gg%+=fA%yAODNC9bnh&7Kb9HZoA3)ZAru z{meJ<8W-0KV@jmXzg=ycI{=^if9@PPCp=h?YxKUOKk9F7i!Gnj0lcR^KGWW%J)S%C zx$8b}N640V{K1`I{@cU$BUo|!3H*m4LsmDP)8rta)vO&q=MfxU zec#qj3G0VJ2L0t1u<8f6?H%^@2lyY=9atU}91CXaaGiTzc##(xJqwrWK<`OQ_!Nkz zTR_0tT5wz@V}2y-4PaYiTWApw^kWS02RF0eoS)9KxYO4CtuBDp|2s_=_2#LtC4P#I zO5BRkJY|+CX_BC?^bef+S%x7xwLr{x6=|ZA?kw_IwQ8bm&9==wh*Gpg;{*KR7Ha~? z0-DZjmRTiP@ecfpJoG|ZVssj@da(x;UB|o56G3AkGi#i_ob*K{-1OyYE8IPo`n**M zln6EUZ!>{$Zmmuoy10VG|0q|r#Kg}HtI{ro`^9MWP}bwX%_!=)=gcer(c06CIA=5lO9f$=qXkPyIPeuX_3;;1&4{Ec_KR z#NE(!WT&rnLjm{EVORf5Iz))|`%VKD%?nQumtY~5l&c}aLRNXiq%(~nJXxhAu+Z z3-L{K#jOgF(02!M!g!ZoSPqnUK#mKM9C4D?G-=*Z3zhHI+`}h-Yc>b8(-~Zjcf*f0 ze)(IJ+pSup$}C!XO7N~hf8SFfOv8OoO|ybCz?;c5&kl{Ht z>wnp|sU0?Z30+gEb7@PlR&oQuKFgnu-}Af<->+gX2ThoOb8FvWU;aB_8x`IGTt&Y} ztP0?vG4sBovS9s~H2b?!F(NrUpv*)gB_=OhD#H+jZAP;}!^=*3g^Pd(Ed9*6&Wng% znRnHk4t`0Lz1R7}FrZzm#}=>AOca=%Af5i=h}K|*O`jq?X{ND!SpQRD`q*R<-v}a${B^3=mMqpR+8cX}T!&T)ky%0ANRu*==cQYD@0xtrM6*=k z+s_(Z>PTi{+ql0HoP9>&U!HcERHm&(Q-{fEepD*i1l_WmGk1};0-hzIqg4h692qP+)H{brv zd%a9|4^G;WYNY~-+YQ+YL3*M0OC%J#oWn*vUV$#*)PA)~nq}RFQG>QEQcSBJwOIpn zY2+zeRxfXPv|&>yy8cw+bA;nLJS9`TP=aj}-9A+Mq@ov&ees@LFqR?1{ZB~X4crQ0 zMw{3q(SpLF`>kZZ{gIg3bQ&Ck_M<;v&QBM3vR_j&J}lG;r`W97dNi_Tcf`dz%OV^^ z%LO$Q(ks;;Es&#Bw3vTm%t;zP+Zqn^C>qEgUXHe2QsO5?Dy8n*l2(&4f7QS+*s|6q1$>RtM%!If~`CFoU4oUBRI{tr6g^)z8N zUWvea@7Nk2hrQ))NJ^%iYlO3$UdhWMjXfie$N4EcxEqnFI=rv{E;jvj#i@8ujgYT? 
zExOB0Zi9rt_F)y{Aha)%m#}Wl!pv;(qqg>X|6KHz`6zZ}35XB(8QW#xx~_(;HPP3o zeq*|$Np3ej)vxi21l;!g@ZA0jWYGM&zFV+UYMx9a;MRX4k94U;renCUWd4)os`l8B zYF*{MvEh&h_R^;}L7E@?!prgc^E$K4mNR=`rdFFr>1EPiTyw(KIkDNAyXG9A{>j!_&%Q18Df2`75o&WVo#rpIEwnss^0+MgMAL!UxRnOLyU^8f^fkGBp zA@r=yt22S?me;t~%Fn{Dn{MfFq4D@XOEV#zU`WPfF!70o6InxcU!11csYA*4pf zxXihs_UI{f9ZI{RTpCrX^S0npZxjTYdu9aLR6`}=OQ|@ZRb#4~SqffVFz**J) zh3neYs><7=cn(9No`C52Jl@n>lczXIQ*VfmaYea|iJ*=G=VcJf*h(PA@kKMD%eL{XAz8NP4-hp2Ok&MZ*2b*E!@Y}*~%b~?6g+w7=g+qP}n zwrwZ>e{;sUd!LsYW4*42RjX>w`PEZ9IIgWKFC*5PN7u6D(M38@f=yRuK`9uD+xr{R z?5hD_;im+LIcBcv$S7cNP@6jbSO zu%j{~#0C&8CN8pOg+dXbQ7G;8r&6h$7`J%Ww4e)43f+Iwt?0cz9eR1hQKI6`M2V5+ zbhQla^QLk) z;Phjtsrmf#H#B%8|h zVQrljsiBKF{OmsgF3~E+WX3MgLYr?~!9Q%!kPzbe*k5Xr8*upuAqJC!GEqhjQuA+( zD1-63y&U?Pt~M;N;CUgkDLQDzMt1t;J5^N!{;mcKi&M%pAia)CG+oG`ypCCJI z9%7#o@(aD@#jTh(YLyn^aRgBcu-_nuIHv5w6&XQ?bc?~iqctzk7RJfb9#VUd9rOW=vLg3XssS?mjvit52a* z9)YLZ5*DcMMP&>*>I-Mda&_Te0c}r8gt#MFdw&NY3PGTqaL?0T09%0O?UNDwvwq_; z4-@P5y+Bpm>yO3Ik9!`@nn#1;Dg-h_=@w=o@P?-B!1%UcoP&p?A1_`C6gQ`xNl<6j zFv&C`sC%?Qt_dbEpj;CD$Xw8Rgr4CLXzB(m#{1Uf)h<#7GSi+OJsg7`-)XOW`ZDX> zjyCtMfn;WqLPTzG^isw6DnSL8)xQIwq~! 
z-EzxtjN>WPX zai1zwQ=sWED%H-DvR4-p{G$@dpj;z8N)S4PMK2KwoH@y!DeBCTBgy|;0EpmXyFD_% zv`@fI4r%uuzj$@WQCryOCjb;_j5HmLVt%FPnc$P)3liMV7Z_mhQw*6h^%MWaZ@MEB zoMCPMh@FrBRzbq=s$t1)O>+`(e1*5A=|G0Y{SuK{cQ1MlAyWAS?l{ZHCfD^ejhI2u!`1nixpKYv5UP}Q^*w2; zleqvB#68WftvXq}+903KdNe+E<@dnbATe;8uA9`nd1_qthM0@_eHQHS*SOq5SzQo) zPN*Dg3wGS5nar%&zWgzs+YiTwblY6}Cd}woJ}xrYw*|T}{Z89xO0qj&f#DSD2VU0txM$r0a!a8@6Yy4gz4l~>5qP*;x)Z}UJzS~6(%;~T|-T$^M+;Vwk>nZCnB7hQx7E@n-ax z9%|cQxq&_7K>ikB?k)QlWacE0U-T0PP*Aeo75a_`9^u;tK=FN(U31)qM+S#ib34a6rYLNdzbcKw~r${tAgsS9`hCqIkMd@51TrcR{*6l5(od0_AdZplSn z=;5LwUB$>`dUV@mX`H@c<#j0T7Wn}JhOkPkV3?82L@P+17gq9QiGMgGz2=y%xrw+6 zuioC9`^+f$1c-Ll>U44D_Fy(Ly9Nm@nSliM#zCUpy@#^0yW8K$X>%xJR^DDD-UYe| z%}lA2-qiRYOXaSm2uABuMKTt-6Gy(Wl=LE7XtMVK|I*m9X{Ly5z9sLxV!*=ZR=oRqlRMx7i?*itIlONP20}63V|(kSaU$_yB#Ru zFsfCEI{u(?X7oH78JxIFMv*nWr~qTF<-7}O{E>Ar^$~KNp^)LlPsJMqY#RfChyi@i z!qxT-gm4k{CfTlefilVr^3dqiBWQ1Y>%z}b)dl-LX5tBpR{VCuwR+3GtbND+>t*?w# zM5JE```3UGC5S0HYP~L<_tx3`@6xTvFb!0D{^*(^kpXF9u7R?YqT)b5Q^vxUb~kgp zrYDF(cxp~GT$xHOSYq6iW-khVuiv~LK0HL*x5!plguQ9})l&0CarYm!m%uo0-1W?e5x3zD{_BP{K;W|xHUwbW+Lh(Oidw40x4%Y?x`fVS%OKAC6|;pB`On9TotB8 zb?PDn8dd2JV+EtJ+(azl>bHYq>(Jybx5%EaH1F7na2&x@)#5kcw z%9!Cpd<;d5xj80c-f3*`B(g*&1Xs?9Fy$zCcFAe-nKOz*v1PuqDj<584GInB- zS|*3q9E)R18HNsJ^iFu_bk3WB(-J${UF_QIGMkH~(lfnZA-Uk^*3_e7wZ4aJ1y-_S zYtB+VHHL&xN)j}Tgk|*~N7UA_K)GVA-#(;#iux53_M)x&jFYWDU$Wxaagmx7DgI1E zL2`l+CmM8cia_$RagXsNOfvtsJmmbs6#OLqf=vJRR!Qz>0GuYfN=AHrfr9q9fqBO9 z{(vUnuW#4#?YAmS86^z%lbrBV?_(w;lE-6g>P$zj>n5EaJV&-?x=|?%cm{e?%%1Jr zmyx7%oQGmF*>jSa)nR7sGQi<>s>4kvVK7$$C@m zmUK(pfL_0dapEVzx`WoDyFX4CXOfL$`+1BsFMfe9EaGP4J{%o0_hPSL2FiGvWVb<=j^A5$%wcGYSn zZ*`Ny<(c!5fe0LkKm?uGw8)9HcHwW_I0=hjzWC_!zVJe{W?Fx_`Q4*>+@Jkr_})3>s|?hL zxv*WjUc|>#pybC45}t#qj#_q}J_x z(uM(a0f!s4alHyRGm2Spx}?I$l~!x|n0!M2U(d2FP_SDA2ru@Zwe%v+m&m@F8;~OY z%$kzBC>%cP)8`wv$p!>D(#r#iEQPo9hFSU=l62Sug6I>0>eTbc0;<=ohQI$ZdZvVY z2rx}HX=drF=7B><3ERLJF;*anLf244J2%Hz#abdzO+|+(NUD`P5cDIJg{<4Vo*ExP z#Lk@K(%&Ew5gZVe1}DbjuTlRysJX)@6aLQxd8f;C!TY{B7Z2pF6|hR&O# 
z`^g4>1m6kjq?k$V!X04H-`C5?J=T5_4Z~z~YF%bz-yUb~Hjs>~Db*P#nkHklN%V)l z?8i}{BF$hcwpxo!9L4-n`|{mWF)ebD9CgIWm^C&XRP{;9k)smU2VTL6MIuAfRbqBv zy2%fKARyuVrwU5Sx3|a4Q8Vn3OlcB1kA$Q%1)=ZHJTAq;?`yD#)CjYBO4|A=+p;W| zLB*fr0*V{<0q*51)rn)anU~Q=_;Q$UrX8^sNO<3r>I1HX4!Lf#kmdU&HYF5*1fCs~47HCY7TFaE>S7{48naHHP zQnC_*%~s}*V#@xgqzZIaqarp!yV*tg@Z(ghaEX&OmC~0IAyPDS(qYyL(x!mHY7hK7 zmS`c(w-TQ!n1t%@$!NEx$_$!8^8Jn6Px`q7v*xfapL+0H2|s2?b0O3w=A{uLh&&oo z?+MvKL#-2xGD?$0At@wE5_3r~{{|J-p{4)sjbN8w8z2qb0}yo`b3d1IoPD4E<6pa7 zIpK$GTJ*l+KNZ>nQjyw6ihzeRID?oP5*zmkX5$Z$lh+L^$n!=(gA z9j|7^{h2ossh)Eih1is%fN>AIsijuve@IlJhX^smR)nx8CbHKz`K4%*$5TF1UZotp zqN$(0tK>@0N;`2@E1=fvE{z9)w^bMaBQI8Jz%;5I-QZ89NEu#RX{=n5K&_0%BW>v% zeGqbzf4XD-9ob;7Cg@a$QK&U(M|d(6n8UcG5^)?!6~AbcIrbXU2XV_MlYdB)*je^#+!}%URb#oC)cP+ zd7`CBoTJrAYIJK!W;_vV_E>3JXh>rAV^P!GW>#iX1Wt*X~bL zIk)KwP!l5+LR`Iy%u9nK7rj#EK#mls(jnr=*8Z+r9Wbt*pC*U&pb#_-fYYQ_R{R3! z|3WqQFmx$b49O2AU6A~3V-oD^G$~ICS5@AzWnHuuAxOG|pzgP55+6~)hMOyKAjC%4 z+kXD2<(@+f(TSgH@*8jOOpcxCnUO=MKqfe;3-#!@T-L|1my}yU#$`U?nc0H>{|b;Q z0BKCG7%1>Rim>RnBCNZ5zE$--<4X2|Wd;idzT$uR#eetS(eK_H9uAH>f&wM?X$9nT zZy2ytj)tS}K701MY;yB6i##HD8%WwRGwtC{f9?&o#ZA>5Y7L>rGjT_y)t< z$N>YU?)zk>1uQ;?&CP9BUj?GL>jdjlokF}=t6X>qZ zjK+DpI6jZ}@mfr`r#_83uyx6d-tT$%{2@gWIw+*;L(Tbsf}_+4Ql~ zvT4^MoYJQ2?t4(?S5&uj-FE)d`ek7cr!|4!hR1*Ky9qO{XgsW)z*MNq6Zn)luHTUQ z3A$}(;avYdaRV$^@#|a9>8y9u`d(LCO>Lcrhb40YN6nUfjIK=nbsO+ny?q?>y^l;z zaJy|YSSz5}ns=r2m@hR%ymZ&@AXQ{JKN_~sdL9>0pRU1(_v)9euUDE9Ja(RHkFBzsOs{d>b;l_kH%?gh zUayPlva>ZB{HEQl9{S5qATcE28gG7YUjlGG z`ys@G2ag>7?U)z6m*c{d&gl=AY@aL?2u*U?#DVH$S+Qu`N%mhmB=P79L%G(2?L*B! 
z>LoDd68Vg@{xF}yqbQaJcqsZCl##M+3XBR}S-0nu7yLvYhp)s^K4<(XgThu2^jjA% zh6+31iw?BUy5xk^7&}B6iy6)!*!{|qK{28`c^L;Ook6`2i<2O^FZ-4nm0v&BU*$_d5e%WvRlaD>fl7f@ z5RhW2iMBG&`n^?|mYwLI}t#R}P<#y9^x2jX`T zYmv?wC6ShFfhvuXpjR$_>J;$?=7qBhOdmX`>`2)xdf`1LZE(2sLy{*n_E4J`r-DDx zKk>$bq2DZ`?{KvHjN4&G3Y0IL^-E>sS%ULe{cK`puuJ)yR-~fk{L_U6*fG)bS@F<~ z;~FGYv0Tx^RsVP%`y5Dk=>%AL52Iw_6J=ueM$<=HU?5Uf0u?3P%DLi{X`K!cCQOhp zb5U3u%}3A=@Q+cS5EjVD!4^@h!V{dP6sYT&Y}=?=u%!iQwFcsOA4?4pC!B>OB|dsv zmy@f)HQ_dnSeWM)`&Nese%Ce)!pu)!;vE+oH0TvI90>A_m5d*qHR?(uYHsPS@9iC9 z5|T)$iFT;#yYK}oW}-t^$?x*_bD#7K9r;1kB=C^^asoVL0|)hZfEtxW$GpHkbc#ti zrDBlhJzJlMWq(64HR4}4>XNa;hT$jVZ`32Psqr$rG0eHCcn?pcR>FI<&&Gqwhn=LX3m{RR<>-&Xb!OB)SY2NP~h7Q~oLu7uk#(S6yU8?D6=ZHOpPUObD9AHv~m zNp@Y;oMGTpiiWuVV}SnQAzdEFL>soW_~W9)CX0xK>r`ZI4-ARiM+67rDljgs>y~ZI z-zJ2*C@A;(pZl-BlX5#Gv=yH@Cq1HZZw4nlXpb-Fezf#4euluiog01`>W0>nJ`e)u ziwytAuq1kwzg4=F&5*%ZCuC4oEsKSGHY-+03-?T4h2T=Mkr4gae@h+%w?VQjg;?5h z(VqJAOJ2yC^qwXI=BEJ1G>wkae zpk?K33X`FJQ_N{et=pvTml3X(ltWaka~=Cdf?>MXimAWlsR%*5-AJ@fD?nB^p9Nv4 z%{l^~e<^ce7+v>4Vrbcpmr#fVfgX59c%brT*o~eLi>scijU2FcZ-FAQDjh`5W{g@o zkIi97+p(m-dq!2fFxP%?eCZ~__NT>MA;gr)9OrEr%*3dHtqLSWZtX@B=DYBJLf$jwp9p@z*_?s=Z-B>t%ljk_fPaRc;EbOm^s51wJF5LPQ!?Mn zo5Bab=~N~RSny-Zar;E;|M)y0_?FyDZFoe;d4u|@G& z0n&JRL;Jx%f=J)zKAi$zvr7Ki@eA7mrQYQ?#3thrJ76&?jjy{uh&!Gl=S4qk`Bhe8 zzW1hIN7C$>*<2hY{PyU1ye+q*4Qi|IUuNYyeor&ATVd9umA6e^`zd-J&4<~}16(DE z&#Tw?*0&TM8)|g0JpdS-pxqu!T<;P z3H-U~9nNOZ9s(&4wV(H*!~FcVd4R^A4`>LG2v!IE zw{IglY2UJ3%T+oBp68IK8{jf62n(2cd=9$|c*oIZx|1 zu5BmjWIz^edf=>m5PXf+daL8b!OHscSP8->i7l;-S8MDp1?@ z3bbg9dCYO^&gBEt=qcp1uFw* zri6D~u(snkQ#~!y&(O?+vG?fIsvgQ!p5Urov?77ghNY8+Q;_XXtprDd;cY5)GJgp=7TwwygYpa4nf&iR7U}@F;o6&mrQt;CqM}Ut zMFSftm5cP7)`0*sbR%^Nf7+3dr>d=wvp7@`iS=Nx+R{ZpaZqG2+_0(oa~owOrNfHO6|jWm z@FfaJN2pIrS*q2XsD~57467}k1ysJ_xUxvdNQ@`0COzb6eS{1}&dWz@R2Pkld718| zh?CnszT=oC@X{peI7Lgk!cI-9NF(Vs>4B5KV4Rtby~;KVai1S7%+4LL^0|>1hwl_s z5lfMb8z`c}H1$a|!={bSdc_2#?gXc(lSNQukl+Gj9_y!!->t`wEE~z?>v@^Q&1&Je z!S;Rql&jhQCWC+n_ENH3iNw!QdM2t~B(7!3@qdA>(~so#FX#)ks&d#e|z> 
z4cwP5Qy6`NsmIse~Qm1!ui)LKLVF1eyAMP zapa6&a^LGI+f=olaA%gz+lbQUWw(BFPp)nuW{NMJHC-~ss)c*AbW zLRNOlryw@p2escJyrxfO-Ea10n#d?v6@+F+(|uJJDB0f!W+X%o#aay0tQcOUE8GKp?hA{|rCLJPE9%L1_GE5<8qKKQpT1O5q<%%R69wks5?C=kiSpu#M zzLXCeQUKBBWMt8}S1=A90*_O;gRW5ZG#3l!0{RJxYT)-J{M)RA^RnTBk+76XP_dYF z$S+$=q~0-fZjc8tmeD!7QX07h4m+*9G=li#ev`<%km@hL8~sn zs%V`m3Lz?WmT8)9`E`i8fM4J)-wBV?H1mJULz@i;xG(*MUvJxupC9#=&lA6RWlu}< zrkNfvh~$@;B3OX$+3C4JME5zGRr|N$ar=~zym4D|Vd@{^2Jm<}<+u%hKQ^;@ z+`YN}8mhO`9qep7{4(27^37F(at)yG`WRRA7_XS4KskMLf-d5VM+hw-j zyKd`P@wWpL7_O+c-;T(>1Jv~s0~9m-Uqd9h124K4@dT!*g zJPclu>i1~y1*d@hXrhpMf zns>jsQ5RWTw}F)0N~tCFW;U^L91e)B+mgdxJ9tcnBll zE2aCKFR;tb_PdOwvE}g|$>CuJjy)V#b*mi2xhx&E_+E!!2dH%#%e+Reyj^W=__Vcc zYchnOxy)SnwjNvPzLK0AKc`(>m+~>MdWU4Rc-=24`66C56MHgO0vk+Z?F`o{18u0|!oe z+@JUn*pJ9y4^Z&5J0EtoJs>0Rh8}FWDZVzz0fXZ%+8AIlK4bAnI!vDUeHCMZ z9Rh4sq`;Jrs+BVowfZE68%gD1)S-a?GMT4l2)^FkN>eT-w(+MqQWdAo(B*zEBNRt9 zg&J0IEM20KaT=v!15~i1lz;i@4}3V@KMU|Ja}ixE!I%TYauNPw>2C;(N8;|HLL;d8 z0^k#>Qt-8*W*hF+%aMNVVji(MDFhPtpAb( zDa2Z-NFeT38zhqdraOuTwaI+Ts9Kn1jw$wpODc3Pfa@NG61;?sS${sThprq{^TMWN1r4?VNQxXR59lt@NIdKUSx`V)+ibY94Rd z1`H0h~&MNGzdIWHqy zr4%Ro#Jv@=5b#d65xbp^HkZvx$%!sk*t$VZsuh_xqicao&Uc=ah>{=_5plM;0TC=6 zLG_c)Oaf~D$|=%)L*Ik_?w>_K?T6p}{r5ZjnG(tG@D=k6a?;b67UM_oYk-}mU`;6J zqM}u~jIAwC3nMFvJ8(%(!Q9KU3Hc2zC6l~%#dfb2HB2}D?^v!P&i#=md6<(JM9t66 z$lf-H?FYdUHFLJY^hEnda1p-&{{7iYVgMk1=w3nM|q z#+f9RD(X~R7>-awDQ~?@%2~`3m7|Nfr8#8v4+t5)ge|21Es^RbY5G$@42ht7OvFr(D3Eva|wS14CWRWZ? 
zU^8j@%CS_hz{Ebg+QyZ`2~2zVPkGx}wTF54en;eK0lru?zI?=FdE0f&Z2LjMfjU5u zK)n`x=WZx~eSBU(BB*$wUzjC)p}@?DO81)AU8{GRmd&RXmrhZ?(XGad?3bSPwzrM3 zxfR}*uPr-nbNhbp;xhV&Tep7#?`{ScnV$_Fh0nX!WhMlfZdV)PRZQ#pdq`fXZn_!M zRSgb%-4l5&?3SpiUZEPV;|6Be_ZMb0-bbxnZk(<~kU3u6Ezbq_!`!5oF{+kZgFPN4 zjxTn;PP^$70M)N~&x|1q{_fLt?l$)0nV@O{?K#zu(7gpf^eA4dDb|yvf9tkGqUl_d{}Xs zRwr*6mZ#4&hh=DJ*#h2(>vY?H(E$anUsJl|du+mFyS?WRn-6=PIe9|Tvz4-dvv?nB z1%4Gk>zDg}P+!-l7ohvT!v+n;m9fqTSWV{R1jh7Hdf!CLqyI+^M*yc0nSsaS%~}FM z$IVm%WTdX2A$}T3GN)4;t7_*fo%huoRm)BLxbv9W3-v3-*Ly%pz)sKW$CDq!*4?q{ zeTLTQa>R8^GWSxA-_^w%#Y=awOqS0yTR|5a|M9pUZ+r3kHxSKTEpFX$4_^G5jlaPh zZMTh8?E@g}$Ny23<@dgS9E0b%Lo%ZMMBTN94}0Ck;4+}L@_x29L;vy;RMY-=o^Y-0 zI?r{Hsn)!@i?g%A|GCxgL!FUXH_`d!1{e+<=Uj!|i;w#p3=v@ciUb5@bfbyrXLP4mxm-jE(U)$_|`TSXqoQIAfkpr9sL6B*X)5b8|X$z5%oo6MO>YR(z(W}Zi z&DnyH)k=gW@RRoB5anQ|*kVc21fsLb)g@9Kg#?LuSq6_HNM_WuU^3KoJ(K^H91s_* zC-9`yz&eK0Cn@IVuw&*~yMZ{1r0k0HN2ak*XzCP6M>ZQ2ReerbApP{7Cxn(e^ zs6}L9g&e-zrcepxzw%Vd4RW5iCO*(x_%wvKYpSN+6=k>ercp6YiMCwK z#Sy+e&a9uuj@n_W1A{b)Mv-w%)*axfMKZ}h5)>6kW1E*sU|ZElw1lk}EhwRJ*Aj7ep(tW%0bpsQ@QrN5 z4y{n|NE)U}Ccc;Ohvmg(eVAFQkwa{`iOzI6V`(}q8={r^lP&RMJuiS9v82k-!_7Cl zn{S%y&_m9UrseiS&e?wOT0n^N`cxIPRe?FJ!pv?_u;t9Cm#=4c^FxoCd0aTt}_ zsc19+6AP=reLP9}%0V>@_DDnEG$B9n%D9+F0lyrrPA?zEaBATjGg9!IUZe|-(Xs+U zv{VVY&j?MHA`ulcP~vPecX-vJh;vFfL8=_I^=dseS0h`I%n*H;r!;5E6g(QK9YLM` zmeBJ2d{G`cRr-auoA{WK7WWCy`ZT#-i9Z@N&gNY|TpFV<@oH2vld?@SHl_lFt)vi4 zUO8MlPn;t-#bTG97n4&ez5Eceb~%y=oeJ?semYrj_^vagQBM|}qd5;P2QRJ}ji8@; z2A$>BW^5h|Dd)Y4Nk3<;m|H7?a_N!DJOd$*f2#Go!9n5O+7|FZ5B4t~?!D|E@hSAF z=Rce(XcdM3{x%n>kfZe8ZK}SsWTa;~Hs!<4nRzz$!WlKv7BT;{1}#h23M6OCbr>5Mkd(bFUK?DNa_<{!6coOKcOs|C=nj)` zsmn&sEX=ZTO3F^ar%s0_9g4M2)kSShjAf}XDIvU|n^j4Wf;5a*VCO)hG6`xY1 z39@)Ey@v6%V%AqX3mA(j)=wA` z`zro{_$dzv@_PmdD>e}Qn*w-U7JQwQZ*1e{+C-tvzcZ3++J+FNn^iwpLO&s z?|2)Pn4muAC+r!uysyu313$;;T7X)2^E3pTSGQIO;MoDkZ5RZ9K-I7T&(j(7Jg>d% zHF{@>@GG3>gY$U%QkT?-1VhvENPZrkjdE{o7=v_foWP6~yl>5{263879?{%~_2KZ$ z%J<`vV8{7ud>1xDbPl^CyZKxTk*`*tiqVP2^+Ug*CnT(<+!kM!p2x$Jq;E^epul)ZG3VgxexJu_TO1m 
zQUSESPDWvmH`E-`m~(VSG(5V5JKrX`9&_xzhVLdxGKkpEE9yJG9vN`59v{zUKJy!` zeai+qK6KpI(K~>L6c@mw;S$%)_Y?}>r;xJvd0~O z!jKG=r9c zfCjz|{$#jav;NhRg|=O?SBS7uYKU>RA#s9VUh68-yFoeD3?1z38C zl}M6~6)wRlfL_h(r1}XZ6U!NnUW+f_q|m`6)QiGe?744|k-~8&Lm^O@uIv9; z<47@fV-y8kL!m_ky3rR&fRIh{+bB1$sIxCo98KgDQ_ zTNr|9gD8_%R9aRZ9Yrq@D>8iJrM~S8RQ{dCmFfV}4AId#@#F%UB3h9A3p#L(z{P#n- zuacWub#P<$?@9B&G*x~RRm{<{4___k5}w?anaVqc%=cz5uJgstIn6bWG18TXBj(Zb z(u#*Cp^Ac6E`@^At+;wtDW{;r992#XD9eZr{L5q@)lGRBb*?~YWTNN7P7=;GP=psG zZ~$S-E_N!;tV)Kf=bii$k{q5J6~yLHzHC>L9(Nf-p(EPM6}wsalQOL)S&OMsENAVD zAGiy>@)O4+Zn#U$A&I zjP_;HrGsuc6hEUo2dSh?)gTw zA1C2MIl|4C)h3Fo;(#yD5ZaVTg!7&4dy%#Vvfww{_SGX_(6!^2 z&F3{XBlv|FGVn`?5GvHW5lHy$KpQl>;YS50p$tY@9l6bcW#@HSAp`pBxEvDKz21T- z89W_EXVv&Q3>@pwFcj4^w6{FUw+!3)8HV@N@P8k+v~I-UZG9ZwLePoT$>M&!$>{Ok zamC?zf30Zjd? zhVS-e$kO_HFRZ)Q?YV=VVdwX1vmXe1aMS`|ZGL;Xsov^f?><_2;XG)xDYmNY8m69) z`?!8bv5NL^v#SM@+POcUKk4-NqN}*kki7z==<(czm1vq(veDN@IZb}&n>`NdFR3W9 z-ChOLv}%xCnPR%G`mfw*wwylMp^KDxfYCi99z8sFN8Vl(W%nNx_}7~r_eb2D z-A{Ji@59G>T*2LdqJ@vse?30;i|ms{cG@YeuQiCB&`nGo+rBw3!}Q`9Jfd4HYjNhApQw(zqS>`Tu`%Z3moy zPWuI&T>E`|Z;ki)V)U?Xcc?OZbqVzI8k>=qaZxhbnff{d(?e{$ zqs!bry2Ca~CBe@>j=)_83&$MQ+5815v@ly5E)}TX2W;i=BC#kUBVe{&vm6{wi=&(q zBIdi(h#U!%n8|HpLZv*b`YSYiNmF|lY2%xem6_IS%b_)gmc2Sj4QscrJzZNgDjg22 zUEtKB0i>v-$qTY8fpXAErRdXMLFotzAVpD(9Hq%pVr4w^4@~o8va7Z;R3-9eSy<>nP_4slAaAqr@vY= z>FvKy{}#E6$XEJOmA|T{O$Y_TO6%)WbR`}QR)-9<;VYy>Na9ZybA!k(28Bu|Js{;A zYlKLD{Jd@=(rSUO%|vJo#X#_CQpnvyMr=t~g9^_;L+xc`RZcGx;>3fmkR>sATSNV7 z$p$X}t+y1;r~rD*d>m9y<5jk;V3 zp)8N7>eVA}xkbcE9Fn7Q&?&%$4eM&MmHlR(4MQCS`;ywez3|8X8@@wRTnR$d2!Tdl zBb$&+jCwyc7;-7ua#gVDPP$9I>~vt6Y$Yj-Vo(wwPG~VbY3R>Rt!c6_=|qmC;W0?{ zu;8ijuQGq6B~8;*!8+l}Jk#DMhioF(+JpR$Q{bBY?r53LFHHZ6*3u~dK-T9a%xa9k z?&@~z*dzgLf<$p6oYu)JM;0N&VrcDIwt0pnffHYMr8YvY2oM3I|PNpm>MbXF*!#40A|M|gW? 
zNe5Rt`CB+TlUP4$j%vqx9&Ntw9e!KlX{k}u6r6iYRZ3%=fo<0nx=eVOv<6ZoE2*&> zE!~BlzqqP3C>o?&?T=&A&*FS|<^=YUEQ{P`*s8qs0GzMx4Y@U15=HV2=2KMyRIa9f z5T3uQ&rLIM<0Qer*v?|XHeJi0R*9G}=1;=4RR*yk7^JQd3PPmu#$nBa;(><`XLvg0<#?IXOwRTaA} z-!5cK4X5s#?{lkgw)Mx3WAbMlVBmmyMt$U|-|7OExS(lHb*JZT6$RkB3VZVZ0J}g$ zzis>0MpwMD;vvJQ&U$U5A6|aE{Pmljd-k}E@BRt9p7-EYH=nTKh5X}>uYBV4_3ZZ7 zJcr!(!c)0@@4V}y#Yb1T zW4T-MKfZ$7-#yCz?!8wWac%OI?Y8;Nq1tlK#c$7l?bZidPn`2ZyS>k`OTN0zsVnSu z%DxvKc)-@XA9vz+Upv?O#;rR&bSkvvd6i>tyZNqL)^yY5K6w5W-!N|Z=6>H=Rl4`B z!}kB?-K#&o(O$Pbwn^p4?Y@5Smi0|v{;}`kM?at3_=n%^aqVLVA9mT}Pk;ZrcV6eO zcj*nNF5LFQ>uarg54hcx4@p-YIxjGZ@aPR!`0E+Bow(0}1t%W1-+s$nw@1BkZsn$p zUSLmreTUTBFTZ&1;?DnfqT5b&(cd3 z<`WD0nEnHPp#KP8xbxqzcOI3?>L4%C&|=pAfQ#inv!pH_lq|=n8PkfKXBx5w0wrin z6v7eDP6~0$^Zb&XDMppDr-??=?xkXJBoDR7iwIRuH5H+!GlEZb-ns23bW*M;0KGKd z_Uz%HUCRYB?~%p;kwhIwpjMMkky(l~Rlmh+9U?!Lp-Ce*c4F7gkg+rNyd0fL0fj7I zL}N^qCuXJz>P?;J$`BDz zCR?=oG6`VmLSLGgO_rh&pKv&&6!zO=G^$SdNhQvrcI;Igw;>5MVNZ${I}pA&woopX_=p^|9Q`UK6H!lbL&5g zx757nKj7ko*)dY7vud45dx-#4thfMoanfjwksh4u2n1S6+yPmK3CNPlrXBQasj#aJ zO^T$4NoYtD&?=VCkfr zg+vpK<-AsM2bNaPvcgaiY_$j^)y7aMMtPUi;9-RkQeH6=_YDz}n&S#P#T~3}vqQVu zEU-1cg5`Y*okfJIY4x&GhRKtFKEms>=-R3)^}J|^xk;<%3RIsP7IdC~v4%pWm|ne$ z7xT1VqKi==DXp?dN)skl!y1JH2-JjJtI|>sp(NDMP!rk-!;PmZJJd3;8`2*VW;6eJ{#%D*V5^Y4-+y?^ z^802X@9TwWzcQGu-ygK=|L#YdqwAhn2bu!yw=iTD2FY%gY&-pQE6gUtei%4*LkXpP zfJg(E&-$^N>ZWx<91r9E&}=pa@vzADIzWY_i$$x~uq(rkFlyGLaaE!$t~{ZO>gXdY2=jsVn_Qe$kdtL9*(n2@PJ-0r{IOPnK|Il`GE zoH@doBb+(H`9Ilk3j2Ke&)oeFpGteb|NLO>XR@EY|G+ST&ISa8e~kNouz&O)4E*f< z2S!N{ry!ifKiYpT-(dO_zwpWxHh<%_%t{BHlk1;bx~$vBD$i`VU>_E{k4#be|o6q@R{WSZ>$M$`h`^wUEl=&`&Rdf_xOda8(tf`?^!n@mt^RZ6PWPDe=f8GJ z^28Ote~^`LIBi4q(L0Vkw7tcJ`_&Ixv$?%=!87wu`Q@pLzVg(uAr&C4!--YiB`!aYy!fw6UoO0MRR6V`_r*6}bGwtC z+EqL6x#u?B$DIf6T^*KoxNWzWulViH&)M#=O%6YJp9PP<@%#a|U%7CX+jFDG_gk*} zO1pK`jlhxhL!a1wiBqyKDM#;?e69YIh4(*r!!_sbu+dY{=?1puZu@^(z30363%>c% zt?Rz9@?PRL*|YCG>PLq>yy)DmH(cFV;)=zc|L?~C&$|8xh2MYv8!;FEKaKXU_>aN$ zJmN#Xp#J&wpQ#|xF_)F0ckMn 
z$x1+U)Fxu2inDZ$6@bhqJO2#?#*8P7#C)n@Geaw$m^g1&E5oQNTWL%fHku=qYRrav zCFi1+k}p-U5k2vYOega3;jmpD189b<56Wq;MVAZWfG~}qttR?_CP=ytj;D2t#{07@ zdyJSpwc5|+nzfed3uP~Cj=QR%AOLDoP*uuNl^B*&9W_qtIm0fxXgQBFT<9s)QZ&|^ zG@k{Faj_tE8MTL}`js${c*wR2J)qn+?S97}b8)2}a#E+-CIWC&DWnN}giCpyN;5KB zAdMPbqc|!HvSoQfcC6H^a~`8nr>nky00-6pyX0@3PtO4(<)ybqBo3+Rvig;Ay2W=i0W}$wzCZz2Dy#EJ{ln<-_$@Si= z|H*K(5%cl~)>jk9=bh;H2HbT5!343u; zMbJ7^XNG(}Ds_Tlp$3V=UcSdyS=Ch%bqo$&%fTuFNLHhfk~dNfz^frB?9wDp>4w$m z_sCLI#d3mE63JS|VQWKFaCkAD>rGV!izC)b>N%ZgyK%a1t0Q#^a7hOa`%s|}J0xSu zrd}f~XG#`r!;ryT#;ZgwqoX3`lsXbREj4qp)NSVMG@V1-any`~Fkkgb^|3IZIC~G2Qnj)VW`q|iY zn06``u#+jFeEQGa{@{PD;qJ_r6o5fDmJvtK^ifAD|uALz699|Xp65Tz*m zWBAWCl`GC#Vaan|onAlO>w#t8-f+1S4?l^yb>TA?KX&o_?XEuHiS@2L;Oxs+zwE%* zSK8YD!QNYK@#{;f^=DNt!u!?Ec;k~jceQYpLsz0k@iEU_yw47|lneh>|2bT6CWr0t=i8PlTsHuYJ8Q+W zU$yT!ZNYiZ-**3-zqppa;xfeg>TgEgR{?6v7e z_mET#?<_p$M0mfiXTNvdx)*#0IPY)I9vl96aLGpdUZC8$vi|KAHmAR`)Tz5J`OpLR zzGmHgfAcHr+-Lkryx`*RbZ`E_%h$YpEhn_mtq*)Su4>a}F79^2l$;3okz2ethAnn;7GJ@ywX~@=Y1} zkiC~>Z`x|*uZG`yGyCXat1pWkxZ!^DZdmzn_pO7+-#qqr-jc=U>f4Z|jk<^a_3hh# z|C{yBS@7VRn>QAB{=XalKWqPiKEQwG>OVh~_OJNQupdsd@7t*Qy!%hgCv40+GQ>+d z_%Zzl{@>$2y;&DTRFG!BFP{Ivi{(G=IFpze-ByZ-P&3Lw0ro2Zt2U)D>(PY3%LAAT z^KqNWwnnumCD$C-MzUHOLD{BfK!G*wp7_NYg2*JrQfyQGKLMqikpfEsN9(HN44P_Lf!41a~ zN+@S4dMLCDlU$i}`WmU>1tVXs$gVoHxV#2>RU{E*KRqGs|Bt=*fOed^+P~>V^j-o3 zgpMF;whAp+#g=SKmTbwAMT;!kvgIP#vL(wvfC-(zP!n2cAwVD#S|Fi!LhrqYPC`ux zEtJng-g*BC<%J0e<;&e`-8F07<&n>kb)Iwg{`ovx?3sXDPv`x(W7}!INpzijqJuR0 zL?Wz^eL0gTx5~0%Dg(1a;;P-i3oJNj#AP({kp`xDok0Vr;X2+ajCuvSs>DsbGw#zB zP95Y537zY^wN@@AM(tRpaxkZk@*0$(rY~d=zRP!p!*-<%)W4Mf8^Z$ArwTN)E>`t9 zD=+eXK}`i}ek;Wf5WCDxEVSS9>$at+ZMWiwos17inFb9}UTu)6 zr|SZoY7T=z(Hw|yww#0&unYDIv6phN5H?bFx1WUho}yLUmaMiCW0V{Nek#O_k()?1 zs})d>_DEfIyF6NSGI`F*_H)%@^o1UbNia|+@c9moMgK4JgR2ZLbqKzim0P@X>B#aF? 
zFC{x;PlX5Ac#!T-Wg`~^lv9N#`&2`7~#m(u&GVWS4K+*DLy9kEQcI&2Y2mk;7Z)@sHDnO0m% zD-T!)NYGr`Yie!H_K;DhD9bvY6d@2ZU9(1K(p_GN$GN;n*L_t=*~w@o!x(6cWg9fhd$2Q=ejh7Lf|88#rHYZ#`g*UH zLYtlgNDW#>KrkH8jg(xGv&2A(`$7guS4io*6 zRmbW&P-Q)})-yzTzRbeY&+4=K|FHA>|0t2j;9r>k$p4qE+o!bep>y3H3PNUD%^zLXhI9YFm%n=onCPbzEJNY_Q8ho^%yOxoq{+2rnTj$r zBaRrDO6e3aW(=oVO*pt|pq)BhGkG`PZ`XlFYor-v!Q|kQl0xCEqSZ4E*^R~gGJ;8xO9_>3lqdX}LCT$BAm>QQCatoQ zVS84|OHl?mf$3367-P)XrOg4Rp?ycq_LB)lEBH^6jjy6qy# zHrIv4bQyPNIL{2{nc+M$oM(pf%y6Fn=D;c98_9o=nf?!7Nqmz3JoMa-SAYHd2O}tq zBGDxE1^WLG-$4E|9aI9r@#GiaKfiqOhQm%fY{?}K+4jj5@3jwmcPT`8{rgXbf2QQ; zpe5E_`t8ME{w@Fdk#kr1Ugz$oFKiup?h2_jpW5Tce?9jH`|b3TLzIWkTxqetgHo?R%|#7B^nqS#6*G zW~X60zOnmvc6#smCHT`HEZ%glw*PVupYrl@J6yN6#NDv|pSIefbI)Zb>CdXadF~N@ z%Pn?1ky-P}7p~p-jtv%0Z?xV4EARH<@7LlFxp?!Roql&>d10Aby8Jaiyk#fil*3%= z>B_kWOm5spIP`)oo1FBAP5*ZC-yHf??T)oK-0#fFi!W^b(ka{5H~W72*gr0GoogL` z`fY>0c^UdfY3GMIaL!|ouDj;%w%zX@;hBc~qr=#3Z%D6s|0%br!~g82$#&<41E&$9us~v=&v)|x@yU%;@h9|k3Zu|AAdr~J>FZ{)w+`TvLNIZPkfm?F# z{`TtPl7BdFmtS70YA?OJNWEfD{4Q-m|- zoM9o4REk2-gwU=H=w>NaU1U^-F`}Fh;jC&Db&{XZEX@@fPE8D0$}@_c6q=TMs6^X! zeAtbWF4?F{^=|9~d{&}7X29kYKjoq!7gl30JrIWtC`=Az2u+ig>1doACnL$Dk(dl~ zC9(&LG+DOUYGVjUBAX&Al}v%rdo9(lly03s`9`ip*$&K)yW7IJ+Qkmhun42sXVC# zlU%J4rvs^6>=a<9HXgc!kwy}LDm$*|NNUj*EAFu0t7?jn>&b(Fz@!T4fngrZYD`?u z4LT8zv01c~NjT^vnbH%TDou-k0wX18nl6udyDyBot(pf*gzQ7TtV21D%XG&K9XPC# z;ULaPS9QHmPB#Z>yqkwQH9e$&qGmRm{T5Qw3=it+T{a6fW4H(E=s@#LzYpchNomNG zC@WNbzpUC6W{rDbf)~s|LV;bN4?`WdHK>~X9y&<{XvIh3iN_7nvekt_vym^A3LZ+7 z5V7iYD!izrI$_Yww@6LzH_AjC$cLkXIHq~g%oOUF&}i}C=u7Y)dY-(Fz<-k0hzH4d zhX2gxKjUv7|5>1|Wr{mIs=u`5?IF?#2Vi#m01?? 
zvfMzcQ(B~Flx!(8Ax1=&CO9>h8$cwP;{h(2!?0{;D8Jkp4M9e-!bHD6 zE)7k@LI~MT>#fcNvBUx}s@nskq{22eizJC6b zOycCcxBepMe}4P7yY`-4obzyU^%I|a?5)L?uN?YAVbNRmtL}C`ciGQdtL)rb+_~oW zTixcau;`BOWzM?4`0h{7&6UMDSEsjK{pb@O-RzRi=qe%}6>+v`ARKVXPVZd*;AYU9+6s@@ zPm5Lse&>T&5xYvZ30wRawy16P+{_KdZ))$h3PI_$1(dVdA$ zOXh#J$6qfTF(LNb4Uhr%;x8Tul@&+(Y`fU-jC~ef!n)v!Mbn3D`MSQ|y>HxKF*e#` zopqA8zIWoT$Z0DaddW%0e*bND*1pwuPJQCN2c`A~&)xaLv-kgL-}Bes^8I4zgUK1- zW-q3fyIbl$4ZfB>_@(U^$v<%X2lpc1SvBHA(|4A&^`5%v)By_2fUW%7>cta zg|2tobr2XpECZ`(KM-8Rg90KY*8;{$(UoeWl;LTRud@hK9>g-9A69rpEOWUMjJJI{ zqgoOs*8$;6o&TXb044_mv{I((93@Un7#2b|EoO6s6gSu&B(!S~X)vR%lZ4Z55;sdN zs5Ssmuk8ns(^k?spyy-58s_p)tpWy#FHh|zs2iqgWs1iY|f7KeS%7iC-TRE&07moQHdoO-iEr4en=D3B7K(_xDu!&Hs1 zLnGD5!JtJ>I-rxG0X@qNkxXEt%9r3jxq0=(G4oIShZr#OXUXe-TRpL$ zYVo&^|18i}GoSw?7D#5X9#6KCbRju$fw)%ps9LEBRVP-MZ6|~-7r6YukL9u;6@%Cv zrdxg3(N(WCk?VAjMJH0OUIS~$V5;<*2$1k3mCzlPue7>DwXK&uOpqddU?H7BI35wx zl~_#H4BRbx-LBgkXFxS3Q40=VGlmVsCHPT+S0F}}tY?OsGJ!m;8qo3&@BPL;1 zD`6wS6$7xSa=HPVR4qwmB(M=mQLZSCvLaAr&~ZsJa^?A$9rYsXv;5!E+I;`Fg2=^R znEwnv!GHe24-WXaA>0D^!G)1U*?<+4%SBTtF&1BBP0~sRjhL$@)ls52eNi$2TS(vc z2gESrA$T%IJBeNkX{re&nGIos3IWJUQH^$38D+^>=L}XKpiXOIm2+0Y?&5ii(`$r~ zD-6c1@c^qNLMFisvKhkYn1i-pma~AGMrssOnWzEP;wAy=F!Ioh+ls0gxDDZC-)0Lo z-)>af5r$W4bOqCEVi07iI9bM{b^tU)T366KQcGu@Cf#wT`Y`Nf{jf$#MGI>&EzD~v zW4zd=8$wjXZKKx6<65bm8U?M1IO+na6gd*|$|#3KaGX+Ysti}nh^f*n8rFu$IFWaU z5u?fkR4piIE+eIIP>%Z~i5gH>s^oyQTaKKfmBkGxJ#?Fi8CWy}i)LWa3@n;~MKiGI z|A&E7)Hjp=pfmNquOdFlfA$8~UFGZNKRAje5;%ra#OL!L>SO#T@%8f`oFH%lp(v90 zeEzdvcfW<+JM7(4ZomA!wcj&tdFG)@mI^L;n5ve7{eMlK@zc3~xODeNcD!u+jTXA? 
zf|qYv`ov!x32b@7`X?{(3;nv{eXno*$in-dsa^g2AiwrQ%@6K>$cFfn@0@Y!kC!_2>|;0G?4gSeIgq%ym4Mz{W$D{y zEqum32R(oD2BVvoDQup(s`B)q$QwU?_J+l*gEw6Dya)ch=YQ6C>7DrfUANrlHwWGG zm${eE*=OzW=!ZyZjdn7(`899e`snfDT}!0SyPh+6)_Cb^dG{C9oqoqIt-dhptnT@n z?q*&-mp<*32ZB@1)_-!|jpuvIZEsswidQsuetM0c%_&~~J?{S9Ub%Vo9(n8P4_#s` zbq2KV?YlV3?zq$Uu3r6)!JMmZMXtE~s-JE2=Ka+fVSdJ5Fu{yp`*`Bi-1@bB7vJ?Bq~z|k!#&u> zbAGbPQbz>a-M`T6Tk%&Gbp3y%|6e!%!9MB#hR*2!R}%jU|EX~Fko(s0AEcnBU}<6_ z(xmc5`A_mw`H%GN^M8|EVLD6&6(^OXv|#6dk_*ItdWh%yi8|(EdTE#|miU4q0w4x< zJvZI+MZPV=o~|ZHuih9_@xagN8agTDN+k>vdPRoqw^Tf#LPphBrDi_e*Cj4Hy#SpX zr+KUAG`xTqdv4PNhm|oH2lPaiS%siXB|)b2bOviT!M<#%t$9XtNP9pE`E;e=04x{f zEhp8b35yhzK+c6^Cq-B6UN!z3%Yel})Yry&>OI6xswqDUGvC}1NA7BRs z927)G=-_#WVfB(S>ql#HkLI#E8H_67j|eVnu$8mQ*zug0PPWR58owKpKi< zyqqP?2CfIaOdfK`PCoJ&+sVO2oXIo^waRlTT*5dTQ9BAY>83QW95>>sECpH(sC+5@ zlj;FsDM`d>wnbEmIx3-FqfSrQxXWV$9ICe{tK(_B(h|b{5Od2GG!5BHWh~zfM;%IN zGJvU%x*0BLj+-sf_M@h!lA1@23ULF+lXPkNQDog=QY)pwprPf9sk{|r(<~E88IJ0u z#WIkCgcMv53Z@^3r4$jh$*|IgyY_&!aivim_9M{_+J>6;YIv6gr*~4Qkg1*zQXUPC zl_AjcX%f%sWY|G+lfXl;Oesf_m?#($XI4sx-flw$8OAA7aBGNy76x)p%H(=x$+3&_ zs0K7ElHVv6lW2A9wxZNDWv=37jd7T0$m_#YI6w^*1SLYI{BA+-So|ay=E9~>E5H<3 z%|rm0@pIK2CC3@5J~DGiZe;Oag8!sH@_)nsNnTYot3osUXFmU#eEay%0&O+(`A>3z z&i{}B=KCYqRSF$oAZjj0DoV@Bv7=(c$fjHM7*tpk;Yv{=GY&)$*3vu#S3xO`1u+>> zjWQqk;55nV3=61H66drCH)DOQCXs*ZEnK@XGKX&N5tG?Rsk7~hoj z;-DLom1bHUQ-ib%6f2%7mNOl$SkBTS3}(d0@o=RimM1D(vvn=gPIK-g%qSQ#W^!C7 z>W+(IHBO|8aLy}Z0LGH}d`iy^4QSY}VFWWYQaXw9g+bU*1YxMrqD^Or#IP*&3PQ8W zH=$uB)9o2mb=c-Z3K-NNA{~&HWP)vd5RO8;&a_ZcG;=ac22L_8jw0HuXX=p&#wEI1 zWv6mpDKa*k3w(6k08$c0mJ4dL_rLvroT&U+{%@Q(|NIXrvi&d2f2yB6|MUO+;DC=C z!hMQ}%Q77)87u0ga3){(N4ZcWxj-Q;ADgP9J`Ph66oiOkw1p}SriazA?hiZ7cBATy z@q%e4di^$8hg1!$6P1#!)$FmvxNM4qu{16My(~KF1d73?v(Ttf<+IgsYLJXFM#|Si zs+h;&4la)CX*%JMjMzfURjf0em%!tRHsRJe07ZJSB6c+mDe@t~rJGKxTL=9>C9(<@ zjS}QIC1=ZZ!KPd!nRU9=VYNm!^JBsgB!coJpp>uWbW-UF4F@qmG}A&laX~6ExF+|8 z{brP}GHqL7xH#X7dS+x)lLIfMwrZ_%#-RsQ2dGyqqm_ZmlQ!EGS{C7Ab)o1b8(Atw 
zBm#2iG6*6av)d?En|fh_j%_VfgXQWB=9$4fGni)v^UPqL8O-zF6#semx6kK4crx*E z{)1sN{eQlafM+jyCOmtQ!~U25tgr0-BJ&CUbNp8eP%tu)BygNaz$CIcG7Dbk@BC-A zPvbxT?EZ$J=+{kurh_MmB$dPwg!+8?bJF(3w;x{#%?k${c3QmgalukAopR@_U2ofI zi-TNk%YFBH^RjsB8?Sk+ep2qbvk%<;>C=9%uX*~VC#-$go(J6i@UgGJqBjd)bJdCR z%xcuDe|-Mn-IiI+U*V=59zBm~DmfrrAV0Z7TyZ`+5rP(|8SZ}N4o{Cmf+qYc&I{AEf@!UJ}tvxOPD;w>4 z=DoX~b)LA1zZ~}B=*Ir0@Bd|ov!7q)WnhIpD_0!7DTyzelz(vI%5(PWF7d`G_&o=` zxB>O&XAelc_E!6-+=i8N{KvY5y;ncuZM=KP;M_A#JdhFn6%RRP^A*-tzq|cf%{y=V zJN;P^UjAeB=Tq2@diA6G{NY66RO(KA{XI8Wd5yz=H21CBE|_)aj{&ef-zRS-&?xpgZ%l{GnV6)>2+6xy5cmL(`Yad+tzVkj@W}o1( z*IN5ua`igDI_wzZgr6G5;!oax^Xj?9_J8fq`|WlSonN{5*b}dR_%mXO#MO5_ho8Ud z6U1tZ9C6~U=Tsh8bF%{f>TWCDKf3;ySNAz#k7cgy9xI$MOMm(P@h>l1<-y*rAHH|j z%}2@c%75$cyw?-sgV%rV^@kQZ`GBP-YYB^A*#3P1(_g;zj={6bZgf72UANp1uR18$ zVuSCk9gKB+`;-9?+WZc{7!9JqL8VIN)R!BM?D!X z%9gbWr%tE9{e23lD5s$5z|zgo?k4?;%9W;>$KMm*D9TPpFcG*~vo`%#EGiM_d~~54 zz@~-;bKcxCorJ)3MwJOS6q(@f7mcE}mKjg~)4Yqqj)s=qnvwNueA~&f+;pnK1Sqh| zyh0=@O_XRlY+o!UBL45xiDl_>w%RLp>@LzVGo9&$w0U`}GY=*S)9KC2Ux6=@z)tg5 zUg~0cSI`hx*0XBP@a&xFHS6^R&T zHc7UUm^d8Pj#65Z2YIeObl{{5zy%QLw(?ESs^iHn8s+6siy+Napc2~GQQ8t>+Vyq5 z={Pij^k_0$@~26o_bzcZXaP;4}%edg_SJDk(LH^nAfAxT0K< zT_KBrebDUn>xtHQ80u!RB~GMnCN)B%3CDJA$UD-_Lt_Bqxt4hBi`Mvt$-V zPz+|XWSdgLayD)g4L|Axg_>O=kw!*tb+L#XsDY9N;L1?!)O1IWB%Ek@|5pP0dD4o{ zs~ZlPf09-S3lrcB`}v<5q41e!f97p7-^{w<0&O#YXFv0{*pl$^1x)|X0+v(ro)g7m zK3dE|A+jeiMHJ;Y(VNf!fk>#mMmKP{mE_R(nnNNF3FjYu*a;nVKpovR4JV;?@_sf1#IoLsC%z1EhFOWFQc9${q2}e<{HWG5OtCl2Mn>3Hyk?sk z5j7KRxuDd@#BOmU4TXvUcoJHt@~%GW=~YjOQ#z83!(64vXR}_RKavHWD*C;A-m*u1 zDMpZ(5W;$_b2(uoM<^EpnC5vMB$S{=$tY&+R57mkR4X~uMWfa)rT8!!Hp6gORUmef zbX#C!+>UxB$*GW;V#+95K&IwrZYojBzfr?;PF^$ z5cC2x({DOrYmf<~2%$8F$k}?(6H|kR)^o~HoiZ6VPM4dFvZK=Zwmph%)z9@gAnyyr zgs%)D#dCeu4NZten&Xz<3lxd38>4zWYK$DE%u5j7vuQF>aJfEAChe{n*KM#ODpZ_F3&VLfTT9K5)(_ z_|FMnEka44D49e^l1Sq4=E!>Rx_{?CtA9HG`6mE`!e4v)p9DIue+h=5FqZs$0CaY1 z*F7(ff8LsN#CwMy^2miR{p7ffZ#!(U501&saW@}4X>5|ee{OHvW7dCjc3aE8e~)(g 
zm4!_=_|XmP)^9tZ_C_vu7P;OQA0D{QS?52U-+%Jww}1PmjSuBE`^_`oyZN+@zGcUgU*XDX|=fH$xFKD_VG zcDVkT@T%Ka%gf+^$sL?3lwzy0+U6 z)mcZr_UPMZ-U7XS>gL!FzJK09d%m^KZ(qA~0RYfWzdHBvE1NI8FBMnmT)G{)A^qgf zufP8WeC1>QI#!?EYu$tQ{Ly-ocURk}b?G60n)9neE_n8^eXa{OPu=m*eXBgP_mzLz z_``iKBQoEuesBo!(rL^Fuin1)pRc;Ia@M8ga|Cj?cdy-H#Y;9NURS@n{1T5}4845% zQv24IG`<(_)L-Z({f0#@xW1HnYR^X>-sumIuP3!r?|t{RZFV~P@^!8#FNC)4I%}_! zz{#dJxPLpkc*;@h>|cL=;XN*WVu=lo`uQ2w(vP0;{-ygIHFtUG)-Cp0=!IpUK7S8> z)ti?%Wsj@&I!fJm_R)vjaV;|Jt#bdpSCG4Cg+D)W$laH>4}>3i~oExvtx-BVre2q(xd{<>w`1R2rZFz=4XV(&)`21@QG~LO?_rV^4>q3eVRXY z;9s5l{HX)~>fGl~9hf)w0;`P+tb<8vWnMPi5NUY+-1X8l`8AE~(A10m^gJO(?-mZ+M^h7F`6R!{<)8k3F!Dm}Sq>S@^`3nFZb zW1`W}Gbz6)xiH^qO-Jly(CP$gg$&6Aj5Q(p2|%X`jYhpjX<(_FE9Jl*OimEKEtCt2 zq*PPh04ihohDB5dlFeyQHBwPb=we#jWhSF8g9FYu?o1S$PNdspyUR8w89EL{HYrEl zvfRx|5^G7MUo#0(YIb!tmmV}6fr7i~WP0EaMF`*^W*k7F0u8lD$>(u3A&p81p(E2r zp@M$o6ceQD97nX21Gv7fq|BmN>B0ys!U=mZRgtEf~BigTQBBZ zJ}hWybDCJr`?`zccN=oM#PCkFXNo9S#OpTK*QTGs-;0x~NOPZ6oc!d9{OITam#X+_ z0|*8Rn}ex(zm6w7ZpiCd5VK^JuVp7n!tCYv$Z9reZWuN=azu$^iIUPDLn&t34MB+T z087XCq@7pP*bkIKqe;4>;h;Ghx0saC;`n5&S~U0iLhN9g;Je{ z3UG1Nb-Y@xrU|7QqUuwv@o_JZv!fDJL=eL4HM<4W&nM!ViH?S*?`YFhm@&bGT2c5! 
z5$Fd6HY0)_XbijMezVJ$pA1K)z5@aB-&p&*#c*=bKr4T+posn7`M2 z(PCptVVF!orAL`~`a}i|prI)tl&z-n`BrW?tT9wfwwf?l@~LXSVN}W!IcsEVC79)8 zGaI-2nL%?LNHyQcRnj#yO#->dfw(r}na!$LkYfaeY67m)<=XtTIii9G5_F25MA{bOor3DqV*msF3!3bYyan)J{^2l|ac@5fD=y1z=}ft!i0a zt3q8UGYWjhpqXZoEV-j5nFYE$-85)-x-K=TR__oH3^fp6A$!?sdsMV~)%0XkjlB%y z(tUnCRA=)pW~GMK0|naWa{0 zM+lW}I{K*4m8!hp(2kmI8v+5qLn%#Y+GKvQQJ>J}XB8WZ&PVcFr&%(Rt<*=hZU7@P z-n?@?Q1s8fZl7oCwtx`HDAy+4idKXK+?PWt-x=t&TEE`!s{kYqhDEpG7uCpYDj8L2 zA@#uJA+epX8^bO^j5>XyX`?PtFA{uWMDcYHt<;^dV~mXam;^>FNu)>?<5`4uiZoKI zL+o&nkGgIllNwDYtTc(nh>7aix(`K&D;AodX7spBBUu^eVgVSHicB?Tvl=+b^%CtS zLMSOs%o&|ju7g;eQ0OMRNUgzwt!9TWvE_~ndYpqsLOo|ionQ>`-4We#?REv{qJk*P zvOq+bqPWq}X{kfIZ8#XjD2SBmxxK0ZN}M#{TKOo@7?YmFx&q|)RRvC@Vq4+J3e*#8n5lX z@e9vv(cbWhrJ#dbCz$sSe|)3?-2LRjPcWf9* z6aTdT#(N)fi6EQ-SSQ`R@LLb9e8w`1{`Jv4Z(I1)CHCED-D`VK-*ot<@9(dEP$d$`qV zd++dkwB&c-A3f1JXxU?bf#0`RZM|KNSmCMrUpuf#UQ*ilPZXcs_7@jlGi&R$mQL-u z#j`5#;=@1hta0wzCtq?Adg>k*FSEwRM=rCMb=rm>u7AMqUh(96_Zu$yfd1#7JF$T>jSrWcbR>*Z@<6p{Xe;2{~ou~QYRd>>Ge0fa^0LoNq*h;%1X5RSuZ}z z{xzs?yvz30J-@d&{x^ED<5#`=oqM2JbI%zUwVjW8{iiowde16O6BcgWWX?U}xGm0EJAcPEYiS3bwZww1|Bv+l>-K+xKhA%!=?iA`|Eq|9 z#sAI2y6yUB6ez#B{%_NqlS_!KJuavk{Du7A=JB6T^?xgW`~2S~A|kp%qQIu203spZByEU*6$i;HXG1Go4H*w`$%asdwQ6lUUeb+u;#vhpTdg`tkHL6gzoC>R>tFGu5i^L;;jfg;G zG^g{^9&>F^gqN0O&08>!HIKE|YN!R^ZHDLXFSi=NhM{#?VhD4xM02~O-&zmLj=H0O`c$)t8#)NDfN2y*3-ptW!D}GaK z0D}zU5?MRnmBy8dx-iB|BXp#MNr{R>&V?3++6wWfuqanc45!aOYI$iBw$=^diXY38 z%V9d>HdN77t=W_ZsB{;u4!8?&ktQxP>fYe0wodSZ_;4PR#z%<>B0XNPvN{d8TCQ*= zQFOetowC`n5H&NBaRt(3*l#0r|LTU~p$C&6m?Pm!9ZQnoyky`@wLFBYgEAj^_0Sz6Wll?u zi?{GAISFGnD<6fYM&mCci6@!NaV3SEbsIp;Z-gP8zgKwEECYU&yNF%7R*Nje?#-DuY$p5UPFU+pN4YL*t@g+Ge|+2>!T$GF zf9VmL;&>Va;Pb_DvW~WT!r*JX;`<$!@=5(2U#0l`x_CXl-Ms%IuXDZ6;YNVlc6I4( zu)Uw{tKmWWaPn}H+k8VW@OI_PWA8@qa6enI<=kiAi%sviptC6*@!z7(KMisotY zU;LAv-nEbqD1VQ&*Y!8Z+%4X^h9Lt6oYf2PgRvZaey2V2yiKb2yT)Z#>n7{Lh8?jr zEqDEYp06-2!6EePpZ{{k+n&D*?#H{_0hTc}_?|D32JUZ&vs&$qb24>EeL6R>i*eoI z*R&)A%pYkXBF|i&-xhISR`)XCeYUv6#WBy$cV#KOzLwL|-SOsC-`J&qIsxBq^ixX< 
zKHV2>(*?^YG=>^RX{|7Q-|N&S;_4KjK1HJw5EsWDSH5)Jb9IJDwAXxe88&v8KtU46 z@9_?C?x{!qBhK4;x(~l)V`4BfuDj(pm8Q>a)>Xs36^4Pp&hOq!=HKhy(S-pA_d|=T zflIK=4Xr(1bt91N4tC%pivQ`<>s<@B^Gjd>SeFIdU88tIN`_uXHGi>{P+lsiRTkgP9HCUkoeJrUymV+pvPoCa#_*^d@Ta0T*Ud^MLZk$?uus*I z@?((m!Dvx!@U&br zVrlZmpZrcnaYAB^^+k2diG8$nd6~ILf>~~;-Rf9BwP(hKEIkZ5;RV%w7 z6Jn9dFIOVeyb~M~aaI(elV@fdv$UFF6qsY_=!etUD2I`j%&ZEfO&TChh*Uy+bVxfd zDNq7uEMyq+Pe%w)^`%lg|)(9ukL z*krIg6wt4TFS8<&Uaq0IPQh9s@rq^%wZiR7SN(eakTzg!F|*I4j0F`<-@Z*qx(lwqXE zkH~@)g(TjJCs!sWuyYcAoe5o=Zp-QW^6U^yk+sS-#iV2-pJg70sL}}??{@@tD5lfT zx)kD4g2E6Nu}NfFK?IZ<6Oy`3Uy0|MKN?nX4GaVRP7mi1zmM|{*@#Ry{YrB=^MLs~ z{9jFiI@8}@H+`gxm_*te?Cd2vA}B(rPGy3w*t9zdBHGg-q_RdQOU)rB>7@H^9hf8h ze^!S_17KCA$|b!2WN1=cYEo6w=kwv3Cw(zYv;jW7d%=G6nS$l1WSFg5h}4#BMJa`t z>ft{Zrw@75sEky4wWrNseF%RUZ_AAfddV{RfYVb^CtO!V6rcrRfpa{}A)&H$aHxBM z=#&-MNk~A;)m&)t+&|9bD^1;d7AhbMjuuP24T{>6PoT?0D}KYQ2l1Z*WL?`bS14v1 z%*UwppDOc4#+85;VVcED4D3v`Ns}XlIUDlGNN^o3uE3;UX7IZR%R|#93P(!i6E9KhNis2zIbce` zlWbczXVuK7#gvh!%S~*Bh7r;oyP#J1g*Djgap6ptZTCkBN*8d`L_5?O2ij#|UccrVJk{ZfGu2$I)pb|cRLz=FEg7M~83qUIH|D{_ z#SJH){v}Ytcx;@eB%`K1KZft0;xmrPwt1IRZ4y&tR5Vv=UQN{tWyp)f(2(mCb5Wp< zYBAr=R~`hYcZDSlBT*4@E}2VcVWrOv@#pNH$y+a6gbbDcvoyWPUDNpHtu*RM@Q^W% zy+vk_V}z|l7{T|h1-UYtsOg3K{Lq@=DPx<2tAiK$A}9vJ|IGhuowI;IpYAWTw?Sfj zpFR{=lLg#Vg)7|WO+9h^`~1e<$o_J$AR?*Phd0D`rY{k{tHH zg`y}#+txv{lh4~%z>eo-XHN2(??>m9P*z>f77j&9Y{!wI?b8&*4h|5r>tG!|<@8!a zKBMXM_yxcB-(XY!s&*M|^ZK?7m;BrQg`|6#%8P%B{zrILt4<@Ydz8WKwrKjM-xVMg^Pq7Zf&V80 zN3Of`iGslE?f?(L?X~am9*e=|+WM4NDw%)%p?6!YMwOas&KJYd+W#G+UkLqWx zYi|=uo5@)%Prt~AhRkSgcW%dp>8hRIv~(Gs|BD__{p%o_&Ma=V-TnEa7cloFu0~vw>%>0m>%Q;;an|Sv&N=iOvikHHnso%gj z61XdSAUNC{^;h*)R!nK&+(U94cva{Y{47gx{;<@QcM^t)NV0O$Y}5S?)QnQ^Trffw zwQYUEyzaMS+r$}`qDI>vC|~#m0iIbeeZ)>$$W+N9Ouhx@RI8q#V=)4uY&dGes8^oW zFNUu`NvPql=}?G7UJ#UC3)ZUx5@zbw`DXxPt%|30ahzhRyAlp4@O;hl<=SY2E1*II zClm@3#s>ys76$^NCAY|G*_l{6W|38Dnf2YBO>S#KLJ7i*;ElNM4Li2&O#(HB7SFdvw?)G4p?h88D~*T zlUjnz&0In@9b{`Fk9d&*VU|A-FY9NU3tAY5kHq|ooGCO2ZKy(>SMzs8Gu_0vnlvy$ 
zPZCoy53bWAFNIvo+H8M1ns8Re{PYaddO0Bheb{gt0b1H~%3$ZM&2 z2_M?(k9=_Xc*5RXY6Y`7+CBd-XtU*gSDLU`y^+ZT7*lsF4^larUS;CkD1%VJUQ z{9K4B?$v3pkiVIEW(jW9?gAv!FcY5uf#$&vgEfEbynn!8C)~<|(!jrhBGu72EF?Gn zj`$*WK63gv$|*MlWoXjCvDhCuQw3u2WjwF??D7{FrQ*J@>?gwY=z%L4bE zG9Fx|uhQmGk#{5J2#j+xPzJ|be=`a~Q-N7jW*9RY3sxSq5`L($1d*9&XB#j7#9?j* zXRhR8=B~|Ai@fqO*R*HV`Q5&ia7uNFD20ZZWLqL1w>VR*N5w>HQmzE*9t?LNHo{1s z;fj_mDlAtfS_mFSXHNOFSg#h`&BXdNF!4juQFpR+H~uI+wTihXLFpOqr)?=wEgF&( zQQG)1IZ}F7^m62gxmZJO3LsPs7JwgtD2X%23~;JtVT0hDHZoR68pf1WW6`P@d^!|w zTcD53T|I4p7Z8xEVCBCl@2u6%oME1&eVF?1_@n>_|Ggs%957!6_C~%I17-1-3_dym z6l^TY4lv}%(f#~8{`L0xz+y(y5F|_h_~*&(znXV9f%dQZ4FMsz%)gOh@*z=p^8liSuQ?dcqu1}~l&y|#PNsRDbp+sfnQ~nzdH&e#*=*`@ zAN`ry@`HUk?CXBsLpwCmzWz|{Xgn||2?KWLu$)vJaCm;L9RE8a5JdO1+hUvH z8BC#<=JOa%;`>T2a;L^~duk1%?L25iWFzpsiNvAT_3J~6sJ%ZB8$$UDbDZktT+}C}Zh6ztb3e33>-u-Qi!SNn^0wboArIT*Sw-fi z}m{F=8updZe3tha&F&^^{RR9!uU#V{j4C=4sybtP1CDnuzE`gsET7zW4{UvviWZ&o$or&cAnIlD!hfkWa#yrPf5|vh?61fPfUA&gSZL}|nFsndUcQ~B zXM5H2+MczfCL%^k3a8xHAYnehXV6I5CA0BP*&g9h)$EZhC`*$JS58c^PQ?htI@7Q- z{UGbrgDI2CB)$+YA)kXW1F@)BsctpwDzF5x_*>DK;w)5>%aj08G7vPM?y?>zF6HX* zFRs`Jy_i}t^ba>oggP8fozUyG@q5hy*iPNh(POrZ@h1 zSe2~|uZm2(#_)}6N_~dn2hKT?jE4U5P_^;jn5+eoI#dTa^;ga7W-Tk>Dnyg=Ucs0u zw5*X*!S+}v#43jwj=s#S^*?U=bb)O@1xv*{%w~x|mTor_!ziz$*r$)++LQ2OP1{hg zI`;pfv}nW5K7h$PP%fEN`lyZl6(731=vP&xDa!m~Y8eAN#aV}dR%ZV9%*iWp(nCu# zl)7X@mCX6IJx^$>Vi~i|aDsqsbGLpANz9Pk{ZKdrZ+>P;7I8W#$&9>(65+Gp*i^=a zgVX_sUYiVGE?C?S&iYAwWYXNT8XQ`>E&2zUt*ELsCIO6CU&^fXXLt~1FA+L#2{%@x zu*j-U?TQ08v}R>IS*!Kr+7#wcdgLDQ!|Mo4Bb_y~8zg^F6}zgOng~g45i5gOD)Qrc zX^x~i-EUP2-ao9A{)rV2>j)c(I#LYyBAjz@(1Ao#?J&#CL)l3XRUHgXZjv((d5T|Q zkKeZRDHFFVhhCu1@x~sYM-4;F*RzFUStqh zdp1lK-O9BWh`^ayq%054iWJSv{d>OnvlUfs`fLYotd*5gQacJ(E@234h1f-N- z-t-d%oWSj#yk9a09L4$T9@rTewy4R54_lJ*m`f=?CXy4PeRPx{_hRGXc6wV2#{A3h-q1)lR}xufKQO*ASr$WxTvFkKnjewRl2cCA57 z_5M6gro=fhO?A{{qzGGgT$M127(lMsR$YTqZMTtD#$GfoQhV-Tr)QVm5|?dUW}N$3 z#t@Jp)uW8L+2J+xCz=V`YrQ!bn|R_G*0eUn4JRiyMi`gbMvl0FbJ;})zrhmp#7Pgs 
z!iCaWx$60{K=%}`k(onbLDrAZ!fK*6UU)e;nVBj6wR7oP=yaqakS87``3IKfv=s{z z-5yyXw!jF2<*PXHR+KNnfjXOrgVzKXM^-n(ZaD|5?6WM`xadWuu=G!P3-<`dcxLid z(3JPVt`j>cv^!Q;xgO-0OkDhiD5O0!2_jhDF>Km9se+bpzIa1MkqNH9xn>!eAH_eT zXw3}EJk{}k$5(Jr(4BoLa4HuF_!hMRCsPEutskp50#HH)oU(<77`FtUd7l(dPalZF zB}m+2LsW;bm%xtJ1>Ubn_Zbj7&x5BMyWT4V@9ggT1?!!b1vLz{IG@j0n8!8WS>5Ix z75i3>&3(WmL)YS_=vP%n_h)e2%+^{@59k<&K+(~e+@FI$XK4l8Pvy7MnqgD+6$Y&% z-CK!wm=k(`fcx`?#n5BP%fI^Ngx9)C2EF&uyuK>iz6oo<4Z-7S=crV*HL1I zLC&q)akRuruQ>|IxD7*I;tuSWJdppT@0qWzVPR%9TXV<1siaNcx+3p+W*aDCL>6jr zAH9js^SM%!3~BV>@)V$=;92&OG&P5PD&y98-gXPcsc00P|8Sm+gY!9C*X)4b1RGZ>+=Fs0i^cM&F$E(R!v4A+k4#D z-)HaRLavB{-r!?P&3@xD&U+eg6j)~Kr{2Dz;(RTJKymFMpUA)ynqqYrThWsD_gY{- zxD9xJyfJEPy?R3b&}RCW#lW{;NP+J1<)01w&sKY^EE^~?ef&RhEI_Qko<_HH7eIA0 za_O{;3b3p{+ID{P5B|FfFM0NxZvs7yG+q0I+By)3d>nUuo!j(ID%Jh(1MS*(_thkCBr zFK4M!g#UP*eDV+eNpc8+aTPa48-zfohfYbiX_EzTLOa?g$IOgIN0ja3Hw|^5A%|cj zIRc>$OPdmcR2_oCM7Kg%nK&YM<%L-G!#k`5{ZrG-D+IHY8U!{~{{2kYSi17VvVo%^ zXn<+dmOtom zDtG?3xn#_>CrwU7B;S4zI&2&b#op3n3zu}DpQ>yzB#`kqAL-oLBH4&MnDCbpY>jIU zu_|Pkyf!6|s8&)om0;^<;|5z;ZxF(;QdV%LdKR|Az#yg@YRA8ziKE;FTy~cNB+{)6 z*o;mik|g!f7-)fnXl}xlPPpV|lUP=Y7-HQ^sQXiyOW@w*!!r;Q7_ZOszLsx33(U9? z_}ez?kAC_e0Nw@X2AYRQ|0*~+OQr?|ud;#(2IH`Di^4_iNL*`dFa8}+J*o`a_~V#~ zA6=@WOhK%gf8LQh>o|$mCPa7G&NTD~H&qEshgU=99P$1|?%dc$LO2_4$;Aj8_vR9& z;%xkxn^8JAG|?WUQqI0;>xMYWuG|>HUv0XI)(x^G3Mb?=LwH%#gtd_@^@+JC zvIUs>_x_XyAqbQAX*)V9vIcn1{Q&fz0*}~AJ$sub!xdme+RTeb-L-D4psU72L00^F z#yEz5D3!7#;9SxPmYru4}Db@4{^`3PI4p*^p|)l}Vd0S-J(`tn`uu*gkiszdMFPiy z9$tF3dL^wnc3F1$BeKK^k0*(?u=hI`PCmGrj-iy-&L0^6RkJM+iy#oEKNz%0^sD>o{~Pg?`o^@Z?g6 z6eK4IrO{{6Uo~ep8g)sV>fV&NcAO%r)~?}*i4L@mWLnA?%@zem9<5NZ!;hJUh%;>y zAIb`i1+6P*R?hg~GNXI;3Q0QQkl8r%rkK@+v@OP?VaCwT%U9us-fA`MgWP+lPNa#J z&g0RH{IQbgFe-dbo*~6o)%sZ_4=t0U9;&4hiaFh8*{CbYWU_N4vxT68jwvV~yzT(! 
zCY*CjQ=`jT8fvvXggSd9Zdy^B!b~Tye5;HkonqEtfgbh0<4YwtDB}OZ?(P4;?pMyo z{x|AUN+Xj7mfbS!3jE#qKxBG2^9Otd@0&ylBZG|!?D*G0e03)~KI)yw`FBksKCgrM z0G7P31%Nfmw_#oMeTS9i>{VCLbzN;Kn?JP9zE=1NboG$Y`7O=_d=-)Xe4k7?t^rFt z`bxdK$+oq69(V^QIbZY?wY?r6)K)&icbO@xRM}l3U$X*yFP+yfVujlHeO>OZcFuPP zT{5i-fTKy84+&hK%Z6!;8$O?sJ-RS`57^}DY`*(Adq6voFFBCr@D?j!`FEi zHOhKlx0<@KzqJ~IcjNz+YS654A>cHb+mUhGM(62}EPmbZM`D3dpcI&D5 zsZ+zRnN+)7V~n9o{w84bnm3KtZ*K}WqwnE8NuJBhW!vd>KP=bTTh<8b3_R4DJmT26-oS7( z@PafN(%bQ{*h3o%@$RDwWcb(n9&z7j6zt<-{?WnrvMuJZJ7VB7=i^aeagxU0X&nQL zuVdb~T@zN*-#Viuz**lkQ5AO3*JX9VGSl@wShFL$-i5f06f) z0sxt@1$;~S`(2>5$V-IU>-yne$`YcNcw*j*<-WPda4IlH0VtdLJJIFpsG9=OU)M zas*TRw)|qGJZ_yhT1?ZY1O#b$BCy&92fjSk^QXg~zB|yeM=DwJd&O$rSOI zrYA1D1Ie#+sc_RdpImI#y^I2VX(!QI>!e)p!>FfXLQ!7!>n81XSoZox}CJWT@1E0U3K63mfM!az`8t~B; zRg&o2_t3$Wa&t1D;)xgRPz1Z4U3+3xf%d z5Y1sc*-Su7vaFcY?FOjpuj`sdS?N%FVW)kFceIbr6l+HA9f-?5ln7!Lth8OfjEV*1bXs5Cs zK8sxAR-@STEP`Md-PtLtVtS(mg(J|JW$M=jtR_4>#(5DAD_zrwZL&1yy z>13T`nW0RabG@DFa@B&ul#sLdN#f&r^>9gxjgVWZq+{%(4KQPAb^Cp%sb=-xy68y% z>Y4lZia7zTXK>}rmC1M%*Kvu z<7PTDl#rRR!Lx@P5mbV%^LG@|e%gW7XI30|U~d&{XP5|ts;Z-f5F&Bb7!&VfL8@WH zJmA8D09>X^bFNY&Q_LzO**&4OF;hzN<`4(eq0Tw_eQ3lb$~1L0rK3W}qEs@MVD|OO zP;S${jyU6kK4 zpeI)vJ(!}2{pZ9ca`AS_kY}X66VuisbS69XP>q|r*-jbDb|&HZH)WNlKX|8h;gdqWty_D@YL{-fZS zRiDm|zeHxwbyDY3zO@E-Z?5e2`hZ6ob0!X6J}Lhb?=D^6>$mmSuu=ZLe^L}Vo@4hq z7>GJ|%^pWGy-iniW%hjLExvVjxZaPs8v98x=vr?KFugbAY1tlI_*GL|2j86cU+E^k z?+aDbPoA0SYX4KTvO1?7$gN;~Ex#)@0{$ln|Mh!fBOrVkg>4(~Wk&xwphn&2{2CGO zaIlXS7`*U?c;i2ma8iC885e1S7EaQ_gY_r0BwL+^a~ zd6U?-Q&zvFp37nm@J-WuJd9!>s*T89^SF_iTeR1+oC!5Ikjc44a+2$--w&hM0>f_v zQuSxc_+9J2465JQFzK;%ZNWI}>i|Y5Mpx|}FUep5;zVZdv0noDo(&*s}_=e9cF zwa~><`wl9*#kS9$?&*f<^V=8Mj`_z8UKV)UnuE{@aP$pm{gS7U3k)V~dix(owZHOJ zd$sSyGf;N97@p>{o51{~w;Y(CcP+3p2oNCPAgSD?HV8;r0C_{~{7%L_m(tD6fg|DC z4P7(~JIx~dL3}C{1rCX&&JdjBSHf!>#i^RyzlJ*+NnLLY30J5e_S7KyGHEd%D~m=C zV-h+ZmOKkO0`>d%D%_M!+n+-Rf7Nm(@k7?AEq03j7D>pWuRr6*+P=vb!$Zo9l+mVP zGkcNA?vN%}NL0+C7vOea6QuibuuJ)IZJlsi>2F|871VVmOpB$1ccPPNG*VFa(g-1h 
z>}V#Y8}#NZ0csM_MCO^0~$3j{S@>{P++_`T7ac^NeNdOW6*XLTMkErD#VujLoHs>&|bUNuEpHT_YiIS zrKSfie!h(6fXB3Zf>OA8F20zjbiWSaHHVfQ#@GBDDq+E@=UTk9NW}iJ0fW4m^wyu8AC;;;R?PA4%szqCF%$m zcx$B%1)QG1l`D9zI%-RF#+*ZFB4}rRJyN~R1e`$9Xs|dpIM~7p>L~5*O~qH)nictz zC&iRu8;QhBxvXc%)_9J9%Rl%{eo?7T4e25{nxoSsNtO{*1B>|8suc0$5G1k$9TtkV zBChjeu1>zcPswsqinRGbqj{262yY52R2S)$^f98^8Jc>bW^@d2oxcfh1Sw%;Ub-DH z;Ua2B9jFyAG3^5s!XTZ7_)92OsI-ZZO&g$obW4$i{5vCR4hH?EOPDGLo_e=(6Ym>54EFKr7s`P$Ul?pz|&me zV^mFZ@87*OoXdNfFBC%dsA`F-CWhUDs99_6VbH$bUS$M337V8zr+Uh1H{ zz_NdG-0b@v>;nR5kb~K_mOx%cmQe-qOQ4_Dnf9;0D?_S8yP(4^=NW;y?zStZ@UW5k zFNMT-UB3mG-{kRJ4l;Pl-5yFr!=+n{lOU@5A3Q{_)8T~Rr2}bFRSap8uwCfWaH{`>6=#*b2Vty-5CPZmU786r_ zkhZI{czW!2NFtw-;8tCN=`obHHVv13I@kM=R3e-xjiPQ^%vfTj!Vuf6&BdZvikB-q zY8c#BoDkJiqhxhl6|g2uM4a_%Bu5e6PBVl&hb4)vC6~^gS~qNxKeaJi4fub?2t{yE zg?%9qiIKPK>qYHbb2hJHB^*0uj--cQDKAyNy1{qk!wU zFl(3N-T0QXIIs$tR`ZP9Ix^i>?c?}5v^>jK?ZIu7=VIl(cQ7`MUzz7`_2KydAV_)E zaR%n3W;qY3^YFeO^wfPCIcz2DJC#MRpA)t5J071wX7qi$%`^C!e+C066~x{5SG#Ou$T-XdxXCj4yDo)! zd`{?qe2!h4;nVcm=ZP%xo`6p%+RJuPyN1o>864pDm%aBBL>vBe&E0L&F3QKVyO+u1 z!RC1sse~2e(9DjN0>Nhz&+6LT=ejeZz0c`!AE(WWWAikA(N0g(6vMXA#<$GUValoN z6}H2RyzO$*SgH3ljpwY zUZ;7~jA-}A!0)&OFV5gV&7p@bkATaO*UpZVs=3TIW@m)FbAXYhML7~cIW3aiTs^atO4R37lK zHcO+I+5b>z-MZVr-Z$Q1VMxdR`EVlY3S(=^u3>oo1nFtA>vapqpyfod=VQs-uEX+x zpyqLFvW{1vKh4|r|Dx~3H86Dg8u-?^Z*ZHZU2AHhyweE~h{!}$WUH7e%AVy*{^(mh ztOo*L6%cdWQ$v|=nlu@|!PTZ$KqEE?5nSK3|haKNasigHTL&P(M{2Fum3o{i^Ae^Ngg)Dra3{_@~H$7 z&5w)f+h+FvkFy-kmf18(ELK# zWb^tHRH}6cjz!W4-nsJ!JHl8k8TXHBOX|h|KzV?TDrP1t@CRlsm?h^PMrb?XfC!Ux zBMDWNV2n2T(wh(EYxl<8JyiI3EDuX?qfx$E7G7muBvzflae!M+urzTQA_XYCtVgJG zBPycyP(iq8f_gu*ZZbZn>z^N3iqMNfwRVR4inFF@PP$-@$h&<@ZvxpM<<()KHGTQhs3A7kCQP066BVM5_mJzZ7d++iH(pD%ZwMVB%%}K!74L>6hw;NE-_R5R@cpG5+Kq^BGHkQ{Ix zB;_+y4oTIRJm!qae+Y@USliT%vDcG2m9kqTI$HjjTTe)feg~H~358H(#Bm)Yqo8t* zoZM%e(6JQ|2kFe;^`KH@`Ge7%F3V0yX1T25>pIxd%^IY`S7I_9t@*S30D0@I5tAIH z*)oEUF>uqM5SYbT2h^ec67foDgujfIZ{=GEvELSl5rC_2g zSVOZc0Vv!?{|+n__PboVF9FdO;S;VsW=xlo3^JyP8AGjfC9q4^jCTj0omCw@|Eucq 
zW7Lw5U9fk>X6d$6-D$&ybBxuSYe#NZeOmM>erC5(yD~}ytCBfLk1WJdVmyemz=8`5 ziMSIg*0dnwEJn;uQC-R`9`?cZPgB(C6ez4K6Z9_^S_+O$lVx;mC$*_YIZI{fOpla- zK(h%%ILaBeUt<;<6=St3u$V{+45~jl_cGE9=2F`2<6-|6EQ?qL}q&ATl!pi zkj?U8&?NA+9GQhG)rQH2W><-YClc*iRFSo-ssSuS~enX)3X$BA zPr~HBnfCb!tT6PS_j`x_#-X@$Hotp>g-oOG^>6{8;N<$8X#p-)bzbT=LujgF zTetsSTQjJ48?}#Z9%eWBuj<}^wmj1k_@B{m^zjS3Ohdp@cxx8)%ug+;&no%Fu5gQA*|%d<}VKCEPEnZWD5AZnK9 zo`K>?T;oxl+YkQh6lY=-um1YO+Ra_(_~%y!-6~4vXy%u&#Ff*cGvd|9qjTR__p_?o zlW!&LRpVT3h;1<_z4!G|_S~D?T@XoJx3#6&`b#cwDAf6+_kG{M?W^s5cH?B{X)s5j z&;Kyed6loGNd(w-LI-&5%*qz$12#4ej_>wVDbo1QX`Y|<*) z^%?xmf%pILy?GUz{T!Cjq5U{%F+fcNJVlTI6*lQkKY^S;|E(`j|43l||Ic`}O-XHi zFFqk>(#TY=n8PPzlD@^}*Rl`9`@fD_`8Nbv-zuY7|AJ=U``pf`?v@k?{>UYiAOEaT=+Xv8nA z?Mhdn{-TZyWv=`s7n^m*DhAbJ$Dy%SD@8nGlP)z@G)!Zq0z8+$&HqfE3Q0WIZ79;H zn_4zpe(ZMVJZceTsl%5Mya043>@PZqPdyePxTlwuCTTf#DOlJRR3jJDu_}Qv%&S4e0 zifDOP5&~#CVshV~7K2cTNz2W)GD9E?RPj1ZaLKTH`8VX`+NBAylTt*`SW9=Ai8tb& zLM-CojH6k<7c|ZVci)Xz`voVG<_B|CmkCCO|TOD??-646cDP`nbF z$td6x)wD7(XIt{U!V5w}mhRp*-Z17>9Ym)K zsK=>e>TA<$6{@l;I@KWM>h|2Y8>w#sC&0)3ee);(1K0-ug=+iVH}D=LefWR9{0Di- zE(^Dn9eOh-;7floH0w4lyLe|0j$bXYnj@AbSGO=0Em3iR(rQF8dkQ9oH`wB&NY5R> zxatbe6)0x!uB4NaX^CJ8$s0-9QB#UEtmoY8R-my}I&m?p4%~bAg226Ba$2AnWBdv# zHb2zLkmgX9V`B`KB#n~Nm;S3uB`g+5sj9Nbj^$cbT)a`Y*4?Uk z!xAM4-4?s^&^cC^?e!V8ShMhl8#KyjfsZO@zYxEZs!OsvqD> zq>xgYL=-0Mdzq{Jjk~YkxJxROz#3CX`mGQ;AN`W}2bj6XS!dWn+3p!?fUEdr zUV^H3J3p9DK;kzDw+}O40KcNY?DIa)#!EC1bUd3_p8MX*obf#idH8luBmg!YYO(Ko z=Nvaq&j+`gI=$`*{_`^Zg;jV>=fXJGJ{D3P`92G!|A(t@imo&4x^0rSNn;yL(%7~e z+qP|EH*Rd(Mq}HyZF@&M$v*kVf6n)fac;xX>kN#SW);u?td#1w0GxzaF60+;JxlmInNT2_o`asacxwWS6+XM zu~%x+@)?J|3a@$TwX2|WCHWl?>~^ibt-rmR^MMtyD`{4wsRrT10+s&TFsktHqH;cSs3)Y8E#AFm%BGIoOeu{ zXQtApQ|+0?O}?MgI-OnN@jFcB*JJ`u&KdB5p-A*5kkha4FA=s)+kDpl7jDr&-Ty;z zrS|l1b7Iwdrp(bhwspWlcRmbiV@Z--8=wu5RDbW!>P5hF3*e030vV~kjVo<4eu+_2xuUoO__Uc00 zXTqZFUYRWSQof~L>O%buhm1dI&@5gAD_!XiW{;t{pu0x!t(BV>Co&(DTBw#+kCR+U z)ekOtQ*9-x?HYeoxuEf}MD-UV*AZrHL~ba9oyHZXqNo?4PE(_uhQGK7?Ru4CToE@^ 
zG^6mRGJR=i0~TbZ=g?=Y2D+A5Y6h~EN-5% za@UD_kM4+p7fU=^;F^;Pz0>1}iK(H{n59!`>7-G3&>x8+n|X&>619t5)vAN=Fk4uy z))l%$m|vMRjWK&emb0 zdXG63K2wcaiNZ3T5VNh{rjgTPj*XD1^v604^gJxC7R+Q3Q|>8Z2HSf6VyZK5*T(Kx z`qT9#SPifEG=QZ&oAXo3{2$Oo{si65g$Bsw@hs}#kUxL0EEWIVMQ+jszcc=|$`5nG z>5`3{A2e##b5Asz6V3JNqP51rvG?ALW*$T-XHWjOH}ds+@>=DJUF8s6`*)UoLteQ> zCmSl�bNBPB$CG^5QtgB$YWPbwov_)3lows%Pfw=po&o^EanLT3D!MiZ;=_r3&Ha z4qBHjEtq9Ci3O`o?4t&DBvx$ED5+|4s8S9_j&$XrOV6k?9KKA}qWyNwurvhB)T6C& z1x~bOnDHxDsEG?$DeSW;E+UTb09!YWBru-jrUk)*sLOO&edO~?NBpbL{- zM@hpfLl8$O%`yL!sb7_uzcf3LV2Et**E~;a%>M6Kef~@h0DqbhtHH5fZ^P~ZGpp~P zaald>bY8d}>m<-`F<_gP%|?q`v=8S6bvR1Sa1^SqWXjl5wtp)jY97IF=7;h?qJ!%f zXz}ikeZUc&aROC1$tc6z$0ehZCQbKZo3~9T?*6;!;Cgje_lS+RqB$uz6*%PwN_%JE z+Mfa0MFN<~+XqA|uDyNkW~RH>S9eV$d5(}clJr*J@)OjxU$XbSr31b3A6_$$F{`S^ zrdQ8r>4MK&3%0l2)%iW{YwUZw=c~K@JdUd1HrX|uYq)S;I<@H!uewi?rMNZ@Umj24 zYU++ZHM##TKGoHr-l~``7a)mv6DAL^2g7Zz9j@DVXtbG*UFWEpbgT7@^>`8E+UKN} zuh|R!ZHJ=yb~Y0&y6e4&L$Adu2`T1X@^&Z1CLi3Jhj&$f%W~YOje)3ppS<{lRpWaU zw9hbON0j!&tLN*mZ!7nF?vAMc7?yKol;t(x`6Lwx{20mtAJ}IL9B@R?It{;=`#pf4 z&AB{Q0ed;}y;)U9Z?bQTQtoV+z7CTF(^kjLJf__gF`vc|J{Oo(6PpW&46P4Vy*NL2q`O0?Y1e=ErP$o*>lI77VNIbpx&U zS+nUb7jiz`T?+Y{hSG;RezorU%|&P%aG%<%bhA#|QG|SD}t@YL&PA4kr)z&$SdH^6qT#lfj)pRzy!j9Yh_XziHvs7#hrX&6q$ z;Za9lO?B<%OR)a!{JZ#He|hxI&1pLc)@L42I^eXY+w1b4f#6xa#`mKL>b_c+?ulG# z`B!2Zs@2h&ZE*0he!F6NnWOchjRs5j)&!9gnNXJJrPjj5gwEE)C3I^1gCh>mT@@X) zt(rJAq5X>rzBPu1TC#zUS^rFBm6elP*>1GhaMS`)xlPi6HzMk-SQJ%E8R69v8DA+) zg`iBFHlhiZ)YRfo3;7@)V>H4ephV@DvTJ4WuM~q^b-d?T5>=Na<;>Y%KWb5O$f*92 z%jihU7W=Ur2IiS30xNm!T?H80gV>XlCMc<+h328W6pQtG>-lP!gS~w-(IX+uBQ;=U zov%u@`!|@aSuiFtWr*4ENX>BJtpg?Ot+**;^9`Y#ip=LCrI6_j=TM~dP!@)U>M-Zjx?;qSNlGN=MQuY8e1rv$VL)P*{)_-|wiO~E^D zrR_@9rl(D_>Y!jF_7dFryz7Gs11o&b7uXQkhY8)k-$Kg3fQwD{hW&*_N(V0#Q_4IM zVQEUlQjWGNv(Y*m%{rSj_9m0@WRr2(_`{&78K|Im!4n9`A3^>z){y=R!tyY#Cu~6q zBH+IEgs0o8lrKo+H`pGn=2e>3AE}2G=UnFYIrsOgJT=EGIurB_-Kd2Oypa=y&q6f6z6iy^D3XJ|%R)Vrx1?uXm5od)okN|F#uNgzFL#-kl8 ze-v^Ol0OQ@j|C;-SqsXJVXH!#ouD!#*jCS|j{dcSO)^{;1I1yCFiH#`p3c}BpRra; 
z1#qf~;|!nj^q*NQK>N=v^jHNd{BHP88cA1m}!*j zRH+w?U1md_UX@{zz5nxP)eJ@EEQ$$^S}T>j(ve}iI)kKIv=JXhP6yU1CX!Y?S=>xTKb`gB*;n7lF%3Km7=P zS#UT9uuWrQu`PZfI!d4Z^r5TakO|bm7Wl`~yYt~V8xdwsC1}R2;5l-&##lb z^?K9;AtqvjR9lrO<#R+V!Ib$lT1gEK{?1~4jfC2^KgqnHh?02re<)?`FzIoO2{#?@ z#OENFc|}?lLCBEWtP4i+=TNaWrmFGL2}9#1MGf)8sMK$I!J4ihO`~huggh6r46cC@ zyC)-KqbmX*1f)74z$Sb-O6QkgS|Fx{!o=5Pm;o+|EcyTg?yTtgR0|GF`t)#AHZNEc z*B8G6_4F~_(dK%x?Xx5?76$hFy%}(!*-imP<|gyrw|)QYd?1zbSRsrB>(NMj9BPys zK@b|1l`wwcD4G(2HS*6CYaK?qR~POvWJhZCAcGkL?7AAc-L#G6u^ywJbs=Z!flUR0 zoP!8|1=&!Ns4@(?aUmr&&WrYB*uLE=d8LaM{TU|1V#4d#npj;}$$;14`b)d=Ss;bkf3QkD!x5_c z8ZmB^SYnUz%8-WUzhTjzpY`ZsY01V1d`0}hFd2wk+Yd&FQBIpy%(w?P(kE`iQweMX|Tmc`n zw3B^v{~bm|zu%=}K^V+!ZTEcdg$Zm@{aS2h+~i`3@@kO1QY!xP|U z5J8Y7Mt%<)qJZ@s=Zgh+s@k2d^ZVPeEx>1_+IwiIppQTF4R^(S>sH(56=A3E(0$!5 zWf2jd{QbJ7Wl(dsioxD{nI#HKfYY4xJyL(G`+$M45y{KFVR5j+-fPiW;B99SLthU# zw^<~6l;xu7o$|s_9^}vbowt9&mam+tm8}*EVXryCR#b!{>M}+k30+b)$FG z-gaL$$vvW{0BQTS9=N;$#5p@W+TNzTE{<$!IW97tOxfmt!D|K^0hPO+UJcK?JcR|g z9B!gWkI`fJy{h`0p@{$sk{ouLA6rxH8Ug||HH0pw&RF1+_YyaO^X7-?yF)QVz%yJY zI6-^wkN8;;9S6xVzOL5OpN#2j`p#t5r#D@<6)S1)v~@Sn!$1VY*L}naVXfQ3VdrLD zuUD3lHSx=vsV&@Is|TFsrl*c>XkGV~*A+w`qAewxQEJVWlhfYWSuezzgjMUZ}H-8~4%p$}-z@p&2> zX6JK0K7QQ1&L6&XPHA(AO8y6;GJkihV$-e7@WX6*ouQ-7$Z?!-x6>4OKX~l|)1aT( z`t9Os3ov_jIW1mK$X;)oZ+(~F(C2(LylfMBx_Q5Gk zpPmH)1NW~+ugjMo(-Z7UqW8*h)AEz2=I!AAK_US7_d3*){iY=VN^9G7gV+8q6+303## z-+s3$0fk+;wOnomN-NFseD;bT{&KosBJc_zLx%ktwZcTCXd^J#p|myfwtkl+R&bc} z(=7D=9#Okv4*aGGSQ|;AWc(>{AJW2cJu|kFl{nYfaJoeIm?>Ug!5wgt1fk8 z9m4F~>8(c(tqwrZ>)^~&>pD4zj?m{v+O2fh|fz{KX(sjwW#XeREmChb}Y%hNC` z2}{6g6S0A8iWJ6g2wCeiirAtF8dB`qFBN@R&8%4o;lE7vL}Uw=PmWxkrNWOVP#m@%@E6h{!j^tiGWCDr4Yov6Ae92{T(#`7vwa z^gEFT2V=xd+AxXUP;qsP2_|GQjQ$|dz$*3MFja|N3sbCU1wEIQn8fr$xDiJzHj6`6 z;evYNpV5c;D&92ZZ#2p$EaaNMX8pny)9B~rObu|SYRPh~QH>&)#!MCGWpS%M6e9L)NsqF$WmRTf!t*EP%Vp%*b$#u(B2G(e2udjhDy|* z#ccG-Zaa%(T=h{p`t~3s!$$p`StS1^nnY{E|aH48JJ#&)~O( zp+qQr2q!Wm!cPgBIL;~R(^?~QN8)Qvvg&gLY1d_OsX<;+S0$zah)&+p5s{9KvUXXC 
zY3NHM)`_&LX#41(SwU23s^n`99(bgs1jQWMLFI}*qZT;zO);#4VZoKl9*ox5Y@fV$ z0A_Cxzcn}qc2Wknd_eU3`c=v~hWt}*01FzxAG4g}M=KAtux%fHnQf#}g;k*Ifh7-8 z#P6okubsHc%HG1oYLu!AYZH-qiA-WMz)ad^iQH54akoE@0mw`!1TyEb$Y?t**cMC) zvL3^PO$qdw)w#)wvnYj{?%(~-vDRStOhf9pA@0yJSqPX4CHqclJ%T09W%a&i@N+z( zx2i2ekN%EE$8;%Gv0b1mRMd`nEBnQsWTbJq{H0ms><3*EwO83DO_7f#(|K?JBN|1$ zsd)AGZ-be?TE`MyvS1V9s~q#xvtya2Ort&u10wxxnCkk?pwbr50+Z6RcNfN41QrP6 z9IQC+2Fn&6v(mr`GX%}1?c^>N^i*Mt~yTzo!6MNW91^1VKa+x5IJ zwC?pbPnY4I-7fRyqucj_WQT)8lldH*yVW8Xsy#jyu{xgL$WJ|-PVMQtF6#ovLoaW# ztl3{#KE@vdhGRc=3b%dko4yI?xEsH1u21s;3h5jN>^6t;+A{%D%2=xu;L8W;I%j## zgE-gpdnBZM=%wxVc4zkIBg}1``@=Vegbm(vtZwc7iIii3=0pDDuEz(ic6`56Gv{eM zf)@0@+XnmUdP~0TE{HzVt|LSC_~G`QTi?d2#iuX^CZ^o4N%fJsZV3ci-&Y(BQ$DCE z_*;fED!|Miz4GDEOzm%19qKh}FL1z|EIH6Q^rO|fj{C5e{ku(y^VVeL>(1TFy?nBs z=57Aa^)%>SbwzaBzgfV&Mmr$tJHX=$5$)4h)80IdCz6fZ%A7RpGf`XyN0-&1YVyk= zf;ka4AP2#o7s#>R1!BCqsC{*7+~+iUc@dz`IwWjfJQ7G;+HmZB(qBG2ufn6x={|bv z-g>x;@P0SFf6liT=sJd-Te?tMHqrNVL-cuYTh?Fl-OIzW+cca<^Xdk$X@cbL%YgQN zVt$^7A?1|~S8vB|=R`X;ErXKsEfd61Rq8HV+b{m6tY;gGtDXYBPI$*d`|=*9-t|rs zxlqui0;Sqj=ue&A_RPkE7YG;Az{p36zxX$5gi=Vh};Yps6_h%1xg=fyX!m zhxLo7E*Sh59I+1IF9svAYJ)GOalj$q1vut%ME+g4Gkslf?_FgAr57PpE%hDFyZPPi z=lbgM&HTtc1YLa)V<`e_7C;_xAmBl}%nijx7D*v%lTW1^Hvu7m+ZgG@b9Kn}J3Cy{ zPi6K_qQIc{g_%;Ag{Su8mvW%Eg6iNdV{kK!-CyL`Ra(5bRI9` zzMZn#7`YT>4oNu$o8adaprp$zu&_bUEKo)g1Q~F_c*(h=Yl&eq7NN#|=)40oaIj~! 
z8r7%Kt!mA+>AoSZhsiX zfyLfMqa13@GSs(CRrV1+TJaA)(XFOifDY3_lBQ&zn3_oaLuD;9R@GQ?YS=6+>Id`u zSrmrq(oMR+Q;@Hfan_ewaZ8=F66Lkd94c8Oq_HVggSTVislphj=BpzPsZB{KLQD0f ziTXj=Cv~)ZtS7}uc*c4Od4Li|ihUGoPT1|JMojugrV7Cs7Mdg^Qy3bJKM@<8RNy}d zGaYOfbQ%n*gHlMuf&r5ueH(C28@4?2q`XDVBaxe3%gm=2=2NZqiL^7Hf7QT6nIU>e zkeE{kd?{yOgHs?esmXnC+9-UCbF8kJw=MOet22o->8pmCV4MDY=<6SX0g=jWnfv7Y zMGLn?k3VXWyoxnV(j?mo6;5sH&ij~}_9g3v(jo+5J-pCJ>uSCIG_Eu9u9@65jR$&U z6=6Z;&OHrNrt6tg%zEt_Q&G?c{)C}u+rKh2mJ*7MI89iGGG9sEeg;%!_m-Ud=}s6r zP41~SaD87>tu2u^iNqX(BnG+W!AAv3S;UgDN~L;TXm+@Y3*cu zbb_qAu>xd>7tdKeOZ_3-CHP(*xQ$r`mM5PU{mOIb+j5p?QS^OJMTw5sK#WcN5M|-m zrZESm68-G!5i42_4FrzL(A!7t@d&wTjI5W+U1_{h>|7io4#Br7V%O-i;3T8`A>~R; zwZYMW38Bv%z@E=w(JyU37ssKxwQ&Zxf>c7ca&c3DX_}_-qQ%pc|Gt!SLhR9>$1Dha z>Nsy;`n85AN&Z3ZnnSecI`ioKyqDzqC9Y%g+ouWrkgWQj1eI~>s9Z=t zM83m|O?t`e=U2C7!iax(B(u$fd!z#!DJRxVu;4(ka}K>`QNGM2;$R2W(rn3{2{B~q?So@QC*{~5;u zzOjsVi=Q^E`)&qPp9O#%0BPO*7K9|LjLy$O{PT7G9r^_eoQK&C?m?E>r;JAab$j}8 zUt;Z7zjJ3x50mo-ntqq9H@_ycttAIPZC>$qx4`)g$X4`}L33+Y`o8HSuA~vwIKKK^ zO>=-{_#nD5p6AE#>;-vSgzRf*KKzn?+AjgZ*DN}&P>?3LJg35)r(X=J#4EpTdpp=Y z4UBDXwsTxuIWlngGmO6ZrUWvK^ZFh0L2svIHD5GB%S?HiZW2sy47Ym$3G_9LLahsy z=)^nU(m%tRK_xtZ8SuHDb>EHdLX&&*aZLu`yfn&wi@)38UV!iAO);bE^_fk)GKcS| z+s*HzWZP?;BS+`9MSVF`{=*wzbpVv|2 z8}hb3Y<}wQZXc5}FS)+^KFM+Q@nHzyd>R>>UBWsOsET@&6}X$EP}|~cq^jK?y-ZkY zH}+ZWwUz?_N6-dya+1aTJE&wS_^Lh`M#$)$N=Foo#V9c6V+tk*7KNPrd z&mpjveO#q@+9<3&>wnjcS$mAEQhyHtrLcrAUw$U5t6hMfZSED$Cx?k-wgv?EVyOQ{Z{i)5zdtem4E!>FFS!Ap zgOz9aDtnUm)1FA^Ej}@Il;lM|c6PPe|DW3Yk+Q#zA=&!3@)swS(UjL{sFc5jS&(d! 
z6=RIHK;Bkb*LTDaGURbz z%cCqp)l8JHNjz4`@IO%9%1xT#lgY*8reO|O7Qc~TsgR0itezA;kPG8gNfxV-iJ1~& z8PE{lcxzHg|8S_)TAR>4Q^vyO!&bD^k-5$do<{lGj~o(K4f#O zgJ>j=t#Nazn=cX_SsroJwacIqCHdK2iOE>3B_D0X(`F7l8r7E zHPzINv~dCy){R1GtW`-~sob}Q!)9~-XD*DWBRF9Q_`7c+$>XOT8AYicU;c*kQ-$jg z6aJ9>N&?$BV?vO5jz(W?M$;D0WI?{P@-ycOceX)tlD4pTw|!B#;`%&O>#LX-L(;dZ z$O>!nxt?{!IhK+H^yIQ%i$bkDb#!a4OajuSmGZxFmKp2HagC{bU^u)W#lGN1n8UNu zAqI!18N;fDTu9}7=8FgKvb`SPtffnQW%+#2iGYQ={XXg?%8o?9l9*%@Mkb>>2#D38 zoY1U4y+_!-(ve0D|JWvHhF7A0)cRG?-lfav?M6|P&s{u1kWTF~Y?ilJYFbq|WL7ML zouc_CEM!%!d$2VNcN$7I%G6=fTE~D)zR0dU=#R1jg>w1R zXBe7xghrOGok6>jjMb!U_!kv(UxJor>=QWw&!X9VY#%1-hTRPYs&iR~fho|X+zwu& zhVg5<+}hHdY;|69TP<_3XWUew0~>`EwGqcokNfjl&o5;sr8Cy3uw{kG0Ft|R9jgQ5 z9TkWMxoOMC&QelT6}Sm+a$Th$l6l)7P(s18`TODfGji%Y81^a0z7_s`*0zeIOKnwL^*ELH&`3U?7!xkk)*yj-VOj-vARQ`eKWTFSv5? zZ-0xK``w5vSS?v5RJ~N(luGVMa409+498JK7NNB^7f3<}&F1{(XH?_z#Vs|Dl*ob^ z2bNZ3J(*yib!4PhW!S_=U?~*7Uj}1uV%lz&3&wGZN}=lJqZK4$wR7Q#kn~Ue43zmk zzSgS9p3wiL0ZTOMm6J~hWQ8>CxkouuDb;;_x@sse<;oo$-~xqsZ&bm3DPD)p0g684 zI`uP{za4=RbHtZV$m1wPRiF7wVovgsJItOKrx{8v+KI#L^D|L2kIAA5dZ)qG$W|wG zrqaY2_|FD%zf2YC@T_nKTLo{DyPBkYskcrP=FCE~S{wOZGL&30=0(Sq$DF`o$=~ch zqiZWLXtpL5yaQebn0>O|#81}idGW4{8?gy6@G#SgMGhy)=>^OHZi&1;F*zKJLEJK`eN`u=!P@P4_a$uordmq^_hEi>-`QE z{k*3AASzumyr1#DjR3=4Rh z(dA&^JgL;y+ZHNx6I@M!_16FA!s$K=rQZr9eksezybpezj_bdl_G+n>++Uc?j_hc> z=2!CU(|jG-xBr^mb>#_kIhjMC?=pE}*&n_>{WXrX`?(=4hI$UL-In6Iz)ciOOcUb!Dvi6&?Qp0bug_+Q{JQV8_H_5v z3rLOo9oco!cgb&;#3O}6oveD@q$;Jkt=GeOQdcb^X5}SgWVUrveuVGg`3}J4FsjC& zF-)t!xz^rxK(&$6#C0)Mw7vT9S_1a#OOEOGB7a+IY`1TEvahD~aYplen2BcSdU-Bb z@AR-ftLg6EWkMPn8mISdYaBR_X!`)8fU%mvvEVf@be1GU{VjML8ypQ5q-!hm-8}1d z{Fi^sB>KcS2;{eZZ$2FcO)pn}toQLf|4!3#^h=k=oCOqrLUaNCrm-~w6`52)o|-{A zS|s#eow>oN%5-T_DiyYWZR?b?lI({8z>Wn+%>tHMsVPB`+BitZPUgg86mrv)v+ULK z;vLi;sc6-U7CO;_?`EyLLxxR4jk9`Lb92I5MI{&v>q@<_Ygd|eWIF^dGi4Ewt4jtk z)gvN5RRh{Fa*8Q5q^;(@8sB{Y zC>L)mc}qh|b;Ag;Ds{9+g^v7!Wuw5rkV%-tSl4oem2LA_{G!H9aB-pwNH=<6hf;t_ zG*<}H$WUSSwB@(ScYds)RK~L8Gubw}B-}xWZHBa$g|EL9tFKEfgGKQc6_Z6D$W0nm 
z3iC$zk^T6=qY#>;l*UYiN0X)eyS`&%zmcopb*odYPAKQu(HiYQ)Ej^ACBlh5+w(L} z0w9;8cetsOety}-(3^Vj%C-l#e+{1bcU4g3)b_nyQce<$bmClUmojEVBkY(g*k00U zHtE1Yi)j8|)t4yv%Ad*1_)k{-J%L|YGteX@sl!Uwe#7T)=9WOxtBcXCyQeC~gjL`s zN4(=|C*x%w1%J^SeTJRJ3Ny<==kchJT7i|kKk*27(i%xcg$17V)OIkJHd#BZkNl89 z8a-M~PpbY?l>fbu`L_anq7_iCOv{2%Ruwr z3_Al-yUDncwaxZ8^J-m(sq_zS0!-C4R)9@}g9a<<@|}6^vfJV@SItrr;(gX| z(sY&sE{}SeYpE| zGxy(F{FUP`Y^ovl(~>d28y9HNL{pcs;$#0&MLZ?J1r8e}+DH9k`t<-rOu!^HKiXDe z%sJi_;!q!z`z=EY^l37W(ovwI=nyfh*VTd47&8bd9!yep3VT%HvA8!S6D{5047G5b zt?reJ%eP|F%9IQ8!B6CrwsD5HlX?4RcJd=uhK0)!{{e_}-ko>avg;?DdMFOQ6ex1a zp7xakmpNYsH}3wKUSm8-2;gO8X~$cs4L-D<%oUNQ=ahY#S^54=@=naGJ_iAT=eu^a zPBQO^UX*)R=xE3;Tol}yT;x)YG*27Y;&C!mnP5GhT-1DJloAQ~3mIu)j)9PW zoMFn?Kz%QZ)*Dm~kn?mhEkC@tM%t)X$sr`dL5Xg5OO*ORc3;c45CW%J%!^?4z^C}1Y~;{3>SI7XJDT}#jgzU`&CZ`M@ya~UeLNs*D`(Hz@CfkYJXPS>bE>?)%mdT#b!D{@MgG4%y8yNsir;j;xN<2D!k8f|l zG@`;}-0ek+|M9C5gGjpN4nu}?BbE5w%QzL&V59Tys7%={1cv9`6Zk6$j{2?Uz-D?Llbb3s zzwYC;LB7Wh(3bv2$1SG!weM6&OOfKxWNhu-xwVSB=rj*#K_rQzX?ah3iqCjHYU%a% zXwkSAgXrdw;R9ImEH`ZH{HmF<;WX^`2n6ZmT5VoQmXwX-Hyjdbhd1iuKO|IKx1PrP zx^aO~Z%;gVw(p={g9+5RY+j(JVf6f-?6)^^x2U%69|obXwmdX=EfauEE;*d7&bKeu zd`^>@?)rg%mq0Q%ery@r-JIKs_GQj@#?R-@$4=C}U;XA3XzStrJ^P`$<-VyO?$SKq zQ<1%`ZNI&^dwui7utMcCyTv?W+xlh2u=i|=*QkK*v;eG?0~*NW;LvosDTz{F?=2&G zs>%90KN?Tg#{y`g(<0y45ojv8ULrrB-ap+m zg!wIS-LZBgu=NrjP;~KN87WS~Iai?=>uj``5q69xf0@~;XevU_f&#}#?26iZs~Q-zXh zPW6s7K|E1G-s9p|KWNf3>??I?qDvyA#fL$NNKIBj4kq*VrUkH1V2;?KtC8tliOG<7 zW@cm3@YNTN%Pjrvcd;Wm^^cP6x3tW4P$N?xDcod&O@&u$5R<`EW$T5+QACHunQSOet>RCLW3^7V60RiScb6uf6{ z9_k2ww1F3=eB7TA)Rw^)#0K`{*P^AVc1ZYEW}RA#^ryeuG8Sob75iIfXnF$#7tRp4 zv5Tl2{~~1>VaLk#$}>S=Cr|h&mcB*@_;ZO^-zjkozLaj%p_V~v6lvvMTGbu2pMFVq zYt)K5rq*P(Dk5-BOpVkOdsf~03NEjHZaT3}NouA+9`W!JCZeNU1NT_9<9XTD5z$L4TUbD(P!eAF zk*7}N%PxbCg7785#Mxt(hHaX+WQ!8UtJDF|r{Nh&UR0zR!y1^>FJWnx=FhCef4)>T z3i%3}SgFz2$$h46-|`q0X9PMYpJFH5VQ_V)8@lS2e6OTO8fmIR{)-hdFO0XhL##k# znNDB-I|I?7n$Wyn))POD4J$#6dl6`bF?{_3`bcvgOu z78VbcVnFG9W9h?GwsTi09Q81r#yZJ{=R!qKFmshSRID;;aMg&HwU{|#a=K6n!I5!+ 
zufmhRC04LdF<%mfY;&klAV8RvDUo;zRiH{w)U38y7B#B8ky1zJPD0-f_0Zjq2$Ydz z4K-c#cf{K9non&UciB7--^|^lL?bIB=-smT{ouu{j(#65pDA_RDn>7mqE#&QK?@{P3!YSarE9T z<)yXKBp-n=nEGM(L#}Ni5fxtYDNDHgGPH1GIWBvH*8Qgwc>-yXf^x1+z;2PyH@neP z4f&N8a+(6oqcqd({|<1FP~WrqEZ{Q~=zsC{-MqT%;QQyP7a4a@0w(y!-RBk>j0N_` z>IUax2cf|*-+%o~V-m;rIzJ)sXt)x5+GZs=Fu-tkM= zO@_L-&gyuO8tTf(^4T+Kghp|_$J2v{Mf&Hi`>zi)9x8wJ@`N`fHuZZr@K_y(x3kZ? z0I!X_`{-12j;1IDaM5^|zAe7gDT+#{`_Xgk#&_>;f1&nQPWXw-cof0S(>54*l9jhS zo$kG8FSQOf0+&pu0fw^g^H`caT`RhOY(v?-PTiBdZ|tnA^FH(yDe~%F=JQqa9Ih5T z;@dm#zcywO>XbWg=Gc)%XQOF&ch%kjx4rL2H>X<93Enf#t9c;16~LNd44Z9xr=a&F z)~Pv*2lOTJC9Y>*Is-37R%0cwNA7B2jh~?g^lMP*Y5(a z#*Y0w>|J-w!vgnL30Q(W2l`&(+C?b>py)XoBxCnwdx5>M*WE1Np!y^M&haYeRd#V3 zzZ=Bi&vs!qL$`;c@55ICgpa+q@|CByUZ-a~7fes;*Bviw9{|9~CC<}qc<74$LYe&se+Ov3;;Fl+{RcfQU> zb0T%uVyXvx)=5@Fy#h21+tvTCn92?;B%lRG$i4(W7DWPv0aBR@_g!}HfR^90=Ik!j zu!pM;=0Kw7{WtS?@Y*6EW8y81zVbae$LVi8Z9KT=lj%a0=Y$QX;V!$nxMyBv*!4qt z8E{n(P<1FkpDP$N-PLMHsg|4+N;Zn=P)~7wtBkx$syhwH!X2Hmp_VL2I~4C%VI7@e z6*Mbuk_i`;F7JQW>5ptAM;DUBqHb{QH5Y%c%~pbzVLladOB;#TXgo)hq1hx%6PE1t z60~NmA9Y-KWRzw%6|iP}6cl?Eso*1oOXY^CGbNBKE#*5sJ1q=e2(;XpxX>9Bn=@e& zB7!K+(kNUnmBNTL5B{j-PgGLI@MqJ=H8XSnS5}eWMvqUCy8c%gM{T-s=&P#rDr~4( z3nzk0q*k?7>9Z-CynIl=IUAnSEWCMLwT{899>j%L=BcR)ufRQoxH~#A&p)nFQLFN` zKh7*XeH+JjIW91ihV%a6zm&*fT=z6RF{LH@;g`u&n5;a`41WJE+++~flp31dm|^D& zAEwxCSQ1sDf*prw+Eo_Iz$?f%UsH2jDD}cz`ic4*?Kp{v1l{zwU zSaEUGQ`A$zd51d})}Oy8eV=<9EdymVUn;oRgi(egLqQm?ZvOOV99Mc;G#jE>u1{~$ z9&driSGsxwEqN%Zf~B1w<*KE{?aHx(A*4u&;zA5+KdM;ch1Co-BYw(qhA3KXloivl zsgWv77rx3mr!qs(#r+yNu>3IxtNe|QqgbPF`J4dpY(Ll~ZcHLqQHck2L;ig1C&^#M zW@{x+a%wr-e>1Cyu0_G z3-69-o0;Z4XY=J48uld=1}4g&Fb!Wa^{s~tTb&cxB6jhmor&tE+w;> z6O^ynXsl&HNfeh3QH-)Ez5#`edWj;-g%`0r2?{Gyh;H$(Kl3ZNjNb@sj%f5C5sZ~a z6w>fh^gX=N2(YYMWdf3tNPc=-A!Ea@8`j#5?~EJeq1F3yUrM@&sEv7jWv3Q3yEv+} zq+p~|L%fx$Pd8@yWeGo&fcS;Iz=50EtdkXP5!H&@lADxl+ZZ4A&Ng=JcmC$V&}CRJ zG4&Y-T(})tu@RdWROf;TG_8W^@3Apf9#NW#WG5+&;MHnki=cx<+{}%}zk3T3kKqbaI9ai*mmwEkh5(w!cEaA3AcJrZs|Za};%63K_@Kh?W3Q_q2Dd?-bp&>c~B{ 
zR$hknKWRH_HD@S<{hDbl8RJJOWoHS>Y}joKieZFQ@F?qic$*AKS#Yf?IV?$ev*;FZ zhOnCw3j-Cyi#cP1D3tRwYNiW!)@ql_6$%R3Z7`{wiodz=RBIpPD$YAmKWNZl+!tt- zY?H=*A^MA29JF7oJW^;-k0T@L!)q0TPrb;IM5|lhDpmyDLt3jxRj&p3sS<0IaVl7+ zfe)HfxcDpCo;}ttSF=JDJpqw!n82SQ4eB$oIa8I-D^(nTz)i6)8Hr;6#_IJ`n^}=n z{+3dKR{UL=dhbKCL|T!)uxhnBkzkobt`eWihdoObaQ_vxH2=M2wr0&pnl?Zzz(dS( zB1N39n_{wqfA2}0z;cpgs@S`JW50 z@#h72svO_pWA8JDGvo(ui39qJ3z+z05D+_fEr1=3!a|i9H1fG`jsUyuxmFQD3v8Z5 zngiaKn)PM2Q@Brd_vGNN0HZ6V()LaV)HW|v@@Y??q~*@tpSOuoH5z97#^8sWyR66U zS`mF+y9nj0?zhzW-ca`58Y#j~mr&?OPcLBSTn#T^?ql>W;~LOA1T8Zz4zYEU2-+{X zrqy-WW9t^Z3Ek$|FPhty<2`F|-pWtWdoLANYxCaX-uAf|qwBD{np4Q7AaZMEZ+V8dPtG=5ZEW}{_#+z&%E4}y?QNon6dmaSrwiE_PJ3rds_d4}cYwJP%L9=(@& zo9CK8a$2RmWx`$K@h+~PA4XjhVapTVy-lg>vzdo>Up(Eo9@pGetlMjX zj`SmgQ}nxTu4%wWQAlzf=Px(;$M$1aZ9{cDww`lSG--2pxCV;=Vgt@#Ul8Z3gDa`%(DJlv8OH#$%V!9cl4sFed*hO9b+X#+FFlb9A2 z{rB3*7wVOS@0e*-#1v)oj8?P0hzzB9dD2ma2o*SG*riK&k{MIvkS9NIV63pPiQ>%l zenF3Sj`V6U41UKgoVrk@WanYkiFFfWi@q{7h9O|qt^Vje z{Xbm2V{m1G)+XFBI_jun+qRRAopfy5)`@M~w%M_5+qQWocfN1lJ2ih+ovQtB*Qr{2 zJrv2J_E##}yVYanwPqQM-E?)|Ch1|bK6J=UD|;N1VBHIquP1I88dRYBaWD(MEHL%E z1hhu2H9Zn%go-pRJ`NP>Gt^)xD_%ag$3*e;`GgPuFjytDzc6n#H<*kw_i|LJT}O|y zOg5ZuNlEeTxD2SGrUs-P{Zw+Z4)((R47_>!|D;xAy8J-(!v8?d1Q81+lV$B`eg^2F zJ)l)^ejCF@4``|Lwq2>{Q`h4Wn95xm_umU5S1!vyyXD7<1#L##ie%?2&AIFfUv@&@fjgbt&O zD|9OL*`$32wvu*}CWt>FOS5EJvpJ&Pih2otYY50smrzlmwY)R-KcM|f-81VtDlV$t zj=;hb>hW#}UDpfyjv+tam9*rjbXvt3-AOOOV*BCINZ=@1*00W}(oA)VY}-EoJ>D|T zCVWqFK4zG|Mt$rhg=lQHA!AIfWSkjH%(WdB0y=}GI?S+yifP+}xQAZw9&N6gWyb}3 zo-2cRKv7zhZm9o%_fMGAomldSr+!$xOb`7 z{}P+er}~nuFva6a53{o`+s}jAelb(Pao{@lb!XGO$xuvkjg{+e#Y(Ug(BZz}sUTbD z?vvl%+&FW5T8Fdy(B;5Ty7ar3{YXZp%_X5iVrPxB>m z3nIE!h(*VOE}f1Oyc2p~vX1AqhUF>Z%%xAuISls%_xn_fTyzXg!*y3{T*qA%HXqrS zF%*f%Z4EWg+f7x|_1cH`@|2*Iqz2YvhERIAopAAqMX`imo}p3uC3{M zN!R_vo9l+&X4f|9j^Oj>Zp$RO&AQznKGm`Je*4uWxor{fsplG@o|^uBYH=Vl!^i3A zTZYB$w7iD3`N?PSj;&-`-8A|7NZajsTXbH9b(QGp1uz)h8pJ;QoR|C9T+&c&!ngV7 zad9YopZw_3h1TYBiM{1!RF(DAqw@aPd60HpvpA>fVK7eq>>;b&@UgTNk`mpepYb#n 
zv+44<<+`)&Q+0cs5Y2sa_8kX(&c|wNcllK^{i{X`PxI|@H<~`v2fl4rcAMY)uCG~B zYbfizp#p!?L$%WVK&pH5beP-L(MxXC;mT5~^RXwUT5^+D-M%--5%**=$0`ORrMru? z>E3y~Q_i~hPXa%l^9h+0B%)RO+1kyj)aO~iGrRl#2!3@#@6`^qSQDUQceLQ1?nUtR zszsH<;&hpNJ?s4`DN5z817568fu51tJi=pZcB2o%do^8vbGzbYfg0^4~Tgwvd8K;@egxKYc!h4V#eEMsv45kF!*nb%fR1 zq%?Ti%@E1Qm23|m`6~!v)Y3kUJwkcB18nG#!u5cju}AZYxG}0kRDVHLIyL2Ok#h$y zK{A%nLwYh*Q{DPOLyDMs8@5 z;veKLWlGp8GvRAZA*kB62)W7XJDCoCP_V0vD~laz_9iA^s?B2BNzjVI!qebqjis!i zlqi1+Q7zjv){<5V<1N~mEuBYhg|<(?yC6DopKvd)$Y1?OCmNDGEJ=_iegT-0YoPYGuxcWDtOl?B5a;@VTM{D2Xi@6j%qT)!b? z>GK1*2p^Eke^mS)^Q|%%uQ&R3RgWU|BwLNwTdmg9u7W}`Jvb0H%G2Qr;X`N52w(fj zgP~{$jU#cvvHoNJ$8JjsLMJ^^wBh-rQ8|d;Fcnu>W&6I~eed0o_D3{!m5|kfqdcfO zGoETtyw?~bZH#UltsSjai)gbscno~OsfXlLf0gp#k_Dvqk!+0Wv=P#I99L?! zp4f?8{JU?rz<)yoB6u+tH4?l^N9p|U1y(LgVIl_&rx7~lj8jIh;%6WG4ZeM^%1-KQ z$PL#I`|sv%V8geLnxE%;%@>*E0dpgiP14TR6Dl*Sjp8{8#P$gDPP{$T#$7ISf~<2D zRw8dn{!+CdMW%)es6h_HAyvk$a;0L*Yx{t|g({|2j}4B;>t22p&Az{%t?>=4)m&*38PVAF3Cb9&dSZh zgp#6B_|0kjh7*~L0arCMK4;^*b!N~-nRJ^GL&a3M6r2JdQ*MJJ17AG4a}u3CBE=X> zpJcI$UN6lu#4-#Ri`5f4j)e=6_wyAlvMO5^tA{L35S;sQ!h*^TK8Ly>f`TWS4hofC zmLaUmI9BC>2dla1MUIA8nzuN%KM-1hIH;O--)#(?Z`RCl!4=(&H)_{a9N1#-IZ7xZENE}o{y}FkVQDxRqp2o=I zRZ$e5vVs0a8cZEf+*5I-f`m3yp`1olI1vPd3ZhmjFUC39Y#3V!sJJm`Wo5EmTSy6j_8TVu~3z@56G!Meglg735!$ptGPcdKe{C5DspkS1? z<$!5d!27Dm>DTE|sTvOQ54;z|sGgs)!699uK=!ko52*L6&k$c2tYYy%UyZ7TT$<&rQ2ifM4e_Z-#fr)zzkH z027gVj=pb-3v_sWv;JCGH=o+(Q#ZLX+~poC zMzryie%mRr`Dd0eUj6yH#oysMWkAlucQ3i$scoaZSNX~QCG6#Oa{*SeMAv$7vukt1;r_foeZgwGjeqU<;dQgwdnu=z2i)}y0e*KY?;A6_xSJJa+|mE@m~ywxx{pAq zUB=UdSY_d|XhH#UIWDf=yXfG1Hg!BzZZUQ6Kd%MQYu`@cv%R~$^KS*>Yj`+y&i7wF z5jSf-ejRQaD*^(ad5=aKp1%(3ueA?wgSu{(b?w=!J#K}Ex7|-cY`;52o}Z$7ge&${ zzc$tm+sISkkuR=&_oM$^#IswHdq_JO3$mGZojVC7cUp? 
zx7D0qhXDGq{TWbHdKhSH_(A<8+(L@=*87S`)4|2^2rQjw zj;lH4UjgC(&E?Rwst+_~iJk!c=%av*=H+PakwW5Bl*Ush4L_S7+WkS$f%xlon{wro z5(<=x{nBhSA8LwE)p0pQl^iN8vo`L>aV9$foEL-tn zk2h0q6gE98k(QZoJAhWVz<_J|&f1x09TdRatS~R0Z)`siIc-10i2{SRKqW(=tg>S{ zD@Gm!5f=r~g(bJoHELKi;+BZ^W+a&}O;U05%3nt-oucH>UjZXtlmy*kzsLW*vs)Ou zD=k~olx45UJXb~_VRTESTxTIutq`%7D1&L;hSev$ekS_@&2l%3aedrFH{T2;P$jKq zO)RJE5!#PfC_%=+C?TOPEv58^S{=16qce=bD5?n!$Ees#A^I9PKUu~Rj4F>?+h+tt zh7B<)AF(FVR3RvImc~+WrcQQYY*tE_=v9_{vREl;oiEyYl^C9EDupa-dWi>>i?*75 zz)G+BG?AFeGzPk5QLgs;DsQzC+VmCKqT~?)efZW_?DJ}5{AtWtP8w<`S4dBt;B5U< zg>jKoza(Z|Ng+o7N8^tqWf;8jLKv0-w}O@8w_;$L!lgkn;NRHM1FSJKaZRwsj})w^ zB+*J(cTAi1!VstREPx}BeSajqSCH)8CshVyu-2+`xt5>YdhOge zVL85=cxH{Fat3B=@nTYum$GaM=^UDJEZi?rI+p$0fj@eYJFPr=kI+7S7FIH4$(2TG zJrdZXuU`w~p<*x%8uJ<9@Z<^NbyPtL!c(!Z5OQzL>MiGCDxmqkzWB9QE7t^CdEAek zCAe)5E0aOy47%`4f>KMX`VHy37fwuqsIZ1)%e7_I8W}TTUc`eX_5_u1_2v9Sa}s5s z@cQM;lIbLssNn$)68ny5jK}6^RTEO1c^fDZA~oQP1Ry_!t%#mPS>bO4h?mV+!xtI1 z_3m)3lnV!SS2X}zl4Y76QC$C0l2f>35;ccR3ed#*X;+;UAAL) zIsSb;8%}8_w(kca*Q^NJOi*2WTC_e6HBH-;nn-Bgct$ZEcedr0(%Dm~^KoxtcCAwK z=l80g*bAWtT(I$LI}VoEil%HGwc_R+E_ZlJvGKZ|%cyL9XDVl}*_9o(0PT_t>G{0s zNa-bgP5E7hvMdo@!+}nBlo6T>j>lehkC~oDC7J#7t^22cYhG?YV?Eh@_FrQ*fwL>& z$&ywtyJJ$-{NE4M`Ek2n`zBMepXMqbO>G3M<9Ps2e~!25J`VlGYDtg3medU2ReM&~ ztNy(}$W49j(3JF5Jua-b_|$Ig57Y782Tb-Q$-aCZvg15l$ZBeL_Ue6pep9qnQZXNg zMN)XJwyy)7*^5hS@1N@j5wh;4Q#U4fo~Kbu-xZF@$XlDcRoZXMynruBjdz@*Y3{ykep4RHeO&fW7~rlpbxxJPCM>nJK>gMqZrqj! z+$o;x)*_uQkEfWJ4PrYse*-yZ=;eNe%bm?}wy>x&g)#U-)W>k0IB|Pco zY+p3GO|$2O(-F#@+cPhWn&#eDR0 z1I1iu-OdzC_`rVZ4t&|Zd^?!dUFN(co-|ff{H+$Lcu+}wQyW-BCIy%hP!iM04$}*5 z&fV$>$i=)H;^f1;_*v~MD`$G)h(;*d6;UJVM4uU^aOdb4umrs8=bVsH6R%p-Q6pKK z=c)w6>#i+|V`UJGh$5t^Tu_eQbD5|FWHe@+Xk9v#Q1W#k)`G!qxzc`&Z&uHmQzgN1 zCk-ze^#77d%dulw2e&4V=ly$?!bH5#yWm57h*1=t1vX>51e^r_hfFn}n=aV! 
zD7ocWX0rl8E$kN-8;;PxI3F~I3GT?PrV2lwtu#xWOTk*}GTE12yH5SXaN@ZHPfOxN zy(nEfX{}#G^+9{xPeJPhvzjvv8m4@jterD`GAw(R&JW3gl5)_6t1BJCpE1XX3n$|n zTccK|g~+8|XH<+iUu;E12wxjvF7(Gp*O2$HgZl#f`(pd}FxgC-KBU$TruRU`RN zJHZO3Ur?Cp>+=(!fk`DzT>2WD?g9VgfA*@^_g+=zaNrKmAx>j&|DmC9AY`I7Am3j* zz{5PYTUes<7DV{xX(D}bbPY__JPC|&0@+M-zbxHAm7r-knJjIF=|>Qn$zwFzf=^{ z;0C4Ng3)FDYopK$S}o;7qHv{XijQvnQ%*2&YtE!No%JFa!^MaM5fB>BSwaC#*2M+N*Bm@LDtknYv(bIJcA?~#x*s-V0O92I?u+mnOCg0lPACNT5k5)?LAk3zHn+P`NZ`37>v1Go$@@%rXX z0Mq;!px(#BKxysIg?Q;W)JU(WCtE1G?n$F1W4TN_`?EIE<3zfD$Nji5s}_S$`EqF$ zZH5T##z8}(8R*+!_}eKlU;kEzr>|Pqj#iJ8H?H@7$9#u%DoHL^WqLZD!?WpRaC}&} zXVuGI*j0-8c$}V(R4&(e>6v1580;S;T?6+<-mACVfZC(PbUBYDn}`&j2E$-aj=G%Y zM>3ZDN*-qYVmTlExG&Aqw4Iadh?7(`9|?xZ|E507I;t+8_|Ew}uE?(J$#F2JR<3ly zzKzD$J|I4(cZns4+rvH)-RCiuk!0schRJl}rGah-KvowpBX zgoJ7L=QwH??@P=*anRNmzdc>P)Z36EmsXPq+%Qc9P7k`!PT&@{s~3;ydnfujKhN_F z|EKPkI)uh+&dc#nJ1C94LMSoU&r3f{e7;+{hi111H%Ffg*EdkFO^}@A!(HPJ@6;~% zZM8M$4nsU`n+7DMHdO`m{CCA|=PA#t$J6*FQV(_5SFXJqo2P#hXIV3{ zUK`=6+|KMXwpcA=j_LTWoZaeZbKGwaR8l!#RJ&S0Zw?~lc!8tD?BX5XFF6?_r|T$) z^eBHEldv_GFn?couNB`T9M3r8uZ4N;@1BP^>b+0@CiKj9yJ7aEQDJp?d5E{3Ncc+M z;NMTH~0e)ZCMWF5ZbK>vew4%79pbxr)4RZF_bh%=A8w0;m z_X;2o`bEp;jI6tnP~rLd!g99?40zT_|Ic|xxAQru1;NYZ+8!juK%eNl)*g%!OA%JX z?b_Iy3atubRllh6sn{o$-0p7Sx;jwB^6W_~7$iRZM!osobyW5YNXjkg(5oZbYsx3( zRUaxFsMv4dSie>g8y=;SrCbFo|RAA=GVx~x4^X{DH@ad zEIM=}wlUqX!uL2lobjw#%k2c#H#6vzgJ1rhjXjAhvSU(`nM$pxUJ+HVJ1?}aRSFvu zn-czHq|tlB{9JjN-j%miJcO$N#E^7zKE!$y^~?<0bd2rSU{>q))wkDiGQw;F?<~Qo z?3h&1TGJV|Rg>C8QgTMZ*^YD@(RZ#kkoDDOKA5RA6~S9F_@}#qQ~PUvis3yjA#Br{ z2q;(@A~pJ!+}LPKg#Z@i5>vOppgud}ZwX4P)8g@qoXB@#OZW~TvJ#P_F3@d1uP znQ5eQ$;o+AE@Lng?1&>%!cTv;I=>FXn zQ_W#5MLS{G9Y^9WO~Hss9i*k7CcHt2v#lAoC(5w2s<{-&tAQlOptb6DZ5j=94B$F6 z*j_=n7+wV@Kgtv{tyCgS979(((>1DG&(-6Z?vaNN3iI(7bGbA@f5J~)6rPu_gxG7> z&M5>%{lPK~0M~m~WFvMGhpyzrLt%6eCWhfaf(28yJq*&H4JVuGu}D+s;53)g%Mdiq zQ`EZ%w^;pC0TUPpOD>FimuqDoI2dX`fJ9zlQKA|-A|HjSGQasZ8=~;sw(MS2Vk>@=GR!Ua}jK2&^=cla(7-{ALEM9reJcA~u`?Jm9h 
z*g(*oDT2{xS$175>DKogeX7wD#z~NJJD?LJm2r--2s#qMJ5oma4jV(cNUp?Q%wewK zNIunq)GN=72QjFhxYrsS{tfM+wiA^`+^6#;pdB+-FB2(xho6Fuw@w>(v?!jI=cSlc zaoC5Mst?OXMw?In$@~I-Ozc1C@3+TRS@$y+EGW1Ew|LETafTqB;RHcSq=tEKOeCim zyGXf36L-;l{tCq>Loykz@-L9zoilfh`G)Y}bt=b{0vD?KC{;4Flw6q)1hCb~gP~%pa9qI+ z!e!6_qFo43k4}CU@@3J1q3Ya8x5e3Y0q6=YOpjo5K7@jc=r*5!Hxq%znt-A{)7_Tr zz1mU=vTn@nmoowbFR33yb!pO6VIoXvk!ngKf8mD9Fv|r0^oyYt+)PW|Y+tgIQGun( z`(~z?|I|*WaS2waI`mL$Te2YuoHbKsOaE12#}Q{^TCY!GX;QyN(21I9;g>gW{6?}U z`{aj3r&tuvB&kWX#|0y?uLzDCpw6XwrN%^iu9e4xpdCFYUHR7*jof5S;>g3iRVJY@ zW7w}O3DpwS3v4jbY)-@;LV5u;eCAvmq|hU(J(jG|DV}9j#dc#-%8eQA#k`9`u04w& zWt2c5xaP&IY8&yMw`up>j*%+GtATijl0@v)5B_;Pt;`lXlK0~GMsNux=$Nns2dW1= z-?priFNd)K7M=bt^UzC+eAB$N!l7B|Vez6+1vrE-!4jxNp~PEzf0*F&4ndHR_eeBRz|3$z5_pj}BL86)Gx-Tf=l5;>;((UV8&Z_06{g|sR zP*{-!R*B_{^$buqyUgOhzA1m46+NKL*)VtbojqXvGi6H>yW{hua~a?8bx~#I?dtdrzpAmiO~lC= zYIWDPZLC3rSsKi3+?-C#=5rZ*F*n1f7as( zLPL)3ex9}Mo4IG!Wz3rM)aq9Py|(K{o$Wu5MN<6Dv_X|^s-S5tcBNKh7;~WdQ~O?T zMRnI=&T`p>!-#W@b;DMCcOoL6d);F*_YF86?v%!B(6IPXb5`#;({Lxi) z&VC^h-iH*&L-TSE^UND~dn*{?^|8d|ss*RjJm%N*t`oL`D9iiW?p%h=KWeMmdGqPK zL}6Bv<#4k;ZDs!~3S4^2NgE&Rz~erS%5mMs;P03)ki+fNt!eabvVY0e+~U?;+wDBB zQdjU^miuxU9F^Ow*D^m6{;dmqIz98b{&;;bm9yw}zRChbzld#d*j-fyJaK$zc<*y| zYdPk)8AJ#;o8@EZ;byS~2!@-z=bJXgQ`H17|g z8>zg#&ubgv-7Jz7TcYR&p8s`(+Hg;0+#kCfG}QfaVtIK;K3-Zk{KE1~S@wAU(vIOc zoS^;O20oQLvz%X|up`lPJT3z=33FUtE^GLoBW~Y56W9Q+!KSut8moKd?)+RwdHXTz z*Og#8tL`O_8~frOSyg_E)WWynM{ov9pY&Tg+ke_}m4j+i0OeU}oF8?>rhHAiq7iRj z0CZsY`IoJ(-4`OuCI9x=i|QGmoR?(wqxTUYY}{O%3kjLBSN5@Exd?=w{k;rK^l^LS zzxD4Q;iS=B_+9s9+G|=14M^ofzOxCDiLrtzK{2DzOSA-=H0c#^Yu`M!j8?)yz4uO3 zTwv>C-4yMC4>uQ9D6LG&N~e6Zf=NFAw{nET65=^nEu#cOkmZ!|D7|xHPPo0R4;lrT zJ4xY^A0x{PL6~%%BFdK|@Tkskabz{Y~-~dM2|3)A)iPUM^SH9>Qujb z*7++u^YzRNwU9s`86d~zxpMKa?Q#QU&u2P@H`czeD?KerW$f5@hT>a&ec zlCVC`VZsS6B4sods8xz-G|B8=a13jpRWU5QVwe=8$j2O=K0MhI3SdB7N~IRvP3wwz!ztk;K6c*2?}SS3N>cX_32MUE9;3%2vKF( z&sCmKSV53G{87FMBzWj2u!VcX!^Hl#T$sQ#4`&zp%Wm-`rNK>^J(GX|^M^sNWHE?- 
zoSJ-)u)rta2nuvGe8S7sAY$$VUs669gi@%FY<#BnU!Y{}+Mz9;OS*a38 zJ>-=Ave%8cJMcsd2#wfM6=&MZd~=oZsPfsB`fvlSbN2T#g8}Z`fZYCvm1o~@Evz6V zM@7N;+Jp=b@-dgIZO^ZmB1_H|zRo|bwO>$QyNf`YImLV6r|I|kPVjqxrnpW!{}0F{ zEcK%x&!SZ;>xQVJatF0)LslM$O8XWGdv0I7LO%}X!XZy!v$16ST%Np5J+wvZ>Mb-< zh<&oDl2Lm?d32e-geB>6Z;-%c;XV}`jnhhckkiP&ku@%e;_!Y4qH?l#o-G5Wo5BN- zeh->8wgt3y3grN;QijA3RuxP3IhUgR8MhSH5VdmN`r>?b`RUmJP}#e`gskQgX}{QP zK+u*$h60`l6pY`3Flv@)iOCZZlOV)IMdOQg4E&hSletcJUJB6w-ice7QJLZU zZu}DUoT-#5Dy$DHXuCJha{ms0q>mi8BgZ%~l49yKLY zA&(Dapq%ipSd`FN2RHB-|E-&L?v)?DZmklm|A+EO@_EXbWEEO78GI$nSzUnaxUEwJ z3NK+2fgoi}an~)DLP4el?5F|!{@vf9Pz$T7^B?Ad`eaTCikfIslmSU>^epf=zb|E@ zq&WU2Uo;E(NF&%aRL#SW*IF8sXPAKtN)Eo{YC%Fmm#?;2B~QXOWpd6P((sol1<5W? z3HRF*rYJ!Qm$8#AD9X`E%6FZ>jc9SF;UP8>Y(~uWqz?8IsX7#2#nLTncx^yHfweH$ ze@X);4n+^c(~%%lutZ5y(aXOXAe>bN;h?e7ztT~Lx%p0$;-`n3c5ve`WHP^G_-}p=7ysO+d2DNm%MG(VK3LB_n_WMcgRB3QHR71h|GU6U-JKV zd~?oWJ^$gH`GD`5m^sfmo;TZ4-!S+LL$JYj0mqB#JK~4jm$1(_R&GclIFBKepj!Z3 z|5IVrwNEBjG`;%tYH8cC+lGe6v$bX%mc-WaHNEzW{UIkw_SLPV1mG>QCWdJ)NaFBe#VzfDvHoO(LubGjgx>%M((95=n;XU)+vX?d1Cw*_e5E^ghv zgQsM=pO!}@vG2pN0p>rh{6enS9KV|Be}`?urMx)avUBTp`>+GY9#_emIlpe9syDMf zUi!|VOzGPOynCbQCje%v*r!V8{GSiQ64&wN4IkS_i3d>6+VzimH#vY0Bhri43^w-= z-M@0iEk59xo|9M+qllMUwIjUQoq&(K$@fB?ZKmf5+Nk4c-p_2_9t}Wd zZ=J*QrtpQei}u^3)GONkG0$tk9{e&}G#XTpYAIr~=f_|}b34Ay-r@XI4X@H_TQ>i5 zDPl{_=O6ChohQ2$E}P<^E!pn<9}SKb)+0Gy_aHG|Zgu|_bXC(jzZ5mCoA#Sjjo91* zxb~ipi?{yOcb`}Cipins=vddhLh0N;y>mBCO=P)!xz!oU?#j0NT*c_}x?O@@wV6Mb zH(rAEI9Rf^-pg{{e{mil*zza4reI&ROi=UON8n*;_tFlWE&N8$xC)+SISZ6>S0JV>42x%;QO^C0dg~^| zBpC8<9*1>C!frWjp0Z1bO^I!lKHu+opyc?~mNhebFW;hiJN`G;4yw=)vsClK@!zbd zpQ2=*zXT>N=AtwMo^*RT6GOWK%hUp<$-;GLmRF(Lx6NgLqLj_PF;^dplH|HwIy-UA z`NyOk4GD{+q0LDXbDeQGA(`cufFnwvIn`wCjFk&|;EGkrpe#}y0gJhjynTbXOXQR3q5pQFwZW5WP%WIu4dtg#vn~S=m z%2&myRtf~@NMxEl)`23DLlB_sNV7tdIQqL-rY2qrz{vT-6E9!0i9jcQ#3hcwlhg$y zz8fkK=*e5KI+Q6?jXVEoG67|%{uRp~c#A~3*b^0A8z(`aIi~h&zKVGzPNsF;C!s2I5RF_3vgiK 
zc(OSEF(Vn%sby;M`IT=g4Xoi~9+b1oo$~1Sv59Y0rUJ-=>?N{#9sNay4fMpE7^Hq^6JuGGEPgUyX`Z*@D9`cqPj6H-QtI3vw zX{feBR{#^bV2J+s0!iqoNLlS9>7pvu;hW_fvPiaws8@}n?%X}?lGTj5#KB}rMmu|t z6nOa*|0sW9v=f;~L!dFBIU2qZvl4GBD3A}|*4XFDLTD@APk52LiV)Op10@CfiC}4e zQz~!1XkJh1o19MZa3~PEQ@`iVTgG67`yHJ(tXw24TTZhuPQEW0&Z0kMtyedn7|etZ zNr)L%6+BnB1G?Jmj#}>S))i+23Fbd~ro=q!Iy_X%Vzg#l36G-kAallC0%MwPSNuQY z%M=0m_1gBwGyUuI!|V3<+3^qP)&BZ725|g!ziPrDYsez&(*z{=E+SfRz2b)sMCK6E z>kYh&Kc+PwsblP_XIM%4`-NmvRx+((nsOtI8Kos>pl^5^#-frx@?Uy z`_xTu{G47lTTQvvFj!4kUVA?&(e3QjIDc$XNe3*`rMaG|cD0*cCnVtWzP@hS?}eKt zd)`%*sPOpu7+0mNRV}@AvE%a`x6=AG6m`rDDoxYAuND2ivcKI<_IZBOp6Xo5e9XW+ z-p=oA-HTt)b`8YdYM+()0~q{U0Cw&1mEI83W|f8}w{dfIkI+T_elYvIq2t+A(%Ert z-G8oq_ArRDOG!R49}f83d<{t*zGylE3&^nDu`?L|u3 zYG`;{{j}(}trk@e|~u9N+4x$y;^D6@8=0#hbv}eg!^y z2R(r5Yp>{e3V%ZTJZN%q-qX_R{R;m79Kdh*aIapU(@q~im7(rEesB!^u@ozLAHXM6 zilO5-b)AYMb-VnKGy1Lh{DN}*niergh&?!KooLo~uNVJf{&riLhpW@?@xUEMm`O&# ziU)&$)GVGBF@_+W$8UYF$PJEJrrhXk$pz!JYG-cPlClJ?oFyhA1ySszJWES`6W`}| zQi|g!KcpB!+UaQbp%A3?gLk4-vva0d)mWVi77M&tSuFVeIp_F_LUJ$VQs{!Tzl0lobS{b;Ra8l{f_tI`HrXZHWA(^atLMjR11!qaO3pb0MwZ1h zX!IX7nh{p)g{n)65+#l=9D*ob2;)#;)W7RBwqzYJ{@ht}(GqiVxQt12#hsYJtxw4u z0t!UhbDVyBWGn*Jd=)HaA6M?eO&of}I%!VXYsrjYFz_3Kw^1yu8HNno@q^I#lf>&$ z00Sn-E)?SjJ$TSOJCLkM%glZVhv}q_eW*!^>g*^iHpP4BMS~CpX^mJQnuBq$0cV{3 z=wzS4h5Pj$S4#pdzUx^E+B?jL21Vd$Sq6r&f70yPDY+zx&&4)9*x)$& zD50#Kj1q%ohRQVbp(tARY?^dIXF<3F*EZt|&RvG&oW@DCf3~-(f@GEHf+K34&baj1S#`Mi};q7gt#oq?T z962uh9_?Kt_sB*_qFk_Q|LIHDzWSSpsW8vRTO_A^K|b=QLA*!AJt6L*rFk3=&A&(d z{Dk`4eVrzvW&QbST2GFQB0I$ZtjsNjKe>Uu*1(xKFMG4ra`hP zKl+acco}rk$TAwgNEzs67zc-0j8TEKa1Z!-fm_n4h92x-k=a5DxoCnVxpZY-6LeHY zpo<(8q&Gv@X{*LDTz3Q{7&lmezsiy&8v!BS8fDB||H!mKcG0iPp0EHDIvS)dvx8q# zAm?ej$}dQ_(lx3u{ucbgA%a9XR`rL1bRZ|eJ)Y@m(qgC*=1nuIt7RM{y~TnotCbL# z0nM9N7|tsA9eV;Nr7n52%3~(sb7{FaF@D+PB}4&xu|fLiLqz-IXMonHzBhc)^mInu zX@JPoYt369h^|ZZ^l<=Zzw{yaDj9Y_+&ce1dGnIR2TYh^UhFc zP@n_d0ZZS(3D02xY#GXE`_KXGR^d*vbJ-XpWh-Y~Lr*K0&>mY1N0^`^M!fXkX@P;b 
zk_Q><1L%|@oC{MqqBiQ~QKJgLYSm9}H~6{^c7^yIN8mKhEK>0=Hv>_XGHtI7^TOzC zEVP3)O(M@&E5qIMj&^=%QmK z@TR@qPn}jj{s25wEaQJ2I|5tx7WWGVsB0hbR)w}tn^O3#bZ*|a*I#k3yMA<6+_!vP zl)Mb;tX^l5((B-IJnRQ#^Vw&#;B|xA=3sQT;TBKTIi$7Vw|llhJ<;ei0V{{2-qgRV zMuU{1-BsEz3m0?TP{4r1#jHI&9`}-HcIb-?cs3TBMcZ z!0|jL^U8iTGC7LK@D$5#TAOlx{ErO#>vln*yVJaEHRGvgLSEQ&R1{d3}k`t$$l^IlKL3H)bhWx9;|8NsgXA3xlR*sQeVF`Gn_d zCk^1fAH1A4-%-(3`^0lePW)Lyo<6kR_IP~R^n{S{dG}F~OoR7&@5$D!f7B78ebbA~ z4hQt;yBfaeUU^i7tw^hIooWM?UgoTh@dIlo=R)w-xDSJ|vF~gCM7y009`AMBaTlgs z@<+>>SlP{_u~&Z?a@HLML1k-q>YcMW51O>_yIdYtee!D`>Np3bfIc7mKDPNMYJW%6 zIH5hrN{^0UiS_t7ThM~>FJLRu7SO_dezi@CSaWfP8^!yuBDJ}Rbxq$e>A|nL=jQnO zb6IWS8QAaw)c%HEApY|Yyw}78`U6+gSKuG<(}BzN5 znc0Jw=?@q5l`nxG(zrq zj9t^sAtpJ5(PUS6)Q%N{<^6C#Sc}HNzoI><3hbU{l%S3@`~U>DUgqedsv_s=`W7KM98I zQ}G0KVi!@RYlM@z>zGp4$~65#MGiz1+)5<4AT;FT!DlKAF9vE~OiIvG2x%+|Hn-$0 ze)%P`IJ6cQmR3S7tvV=6Ftj5j!EoC)NiOcig1MLESc9yvR{#lr*lko45lsd|Ld;m` zb1KP>$h3rzK$O?~?UP0i*OV8v<6Z4%!lla>>PXs^<_~z9aNy_s!4o|-=pjdiOq)n5 zyi|aSYn9)1rE(!H!unU4(nt?IrepAcf;oRLJvvgWBsOWmfMYDr7ri`8D|s0On&$+C zQLzGMw4Nn83&yY6ctd8rEIBoIE=km8qZ~cKyjUPQPNTgK$$}=)OQ5V{VrEJXj!SZ| zDc1f}$Ir$PUStAxDmJKStF$Mn05#cpMsmn?L}3gowG%XT>Og%`$Pa|*wK2N!jT4jD z3G!eqvk0Pa?io3mT{hznXUYWY*q;HSN35)edZS6@+Jn~hvDe7pKmmU1Jwe9V{$bqK zgTEsZV#VElK!z)2H~2vSbj_&(SJGGf{^D24B_`cX4*e$c$JX0){(m+vxlSRIl!wJ2 z<3S!HnPG0)56f0eQQjd2EE2W*a+FY2_>kwH4BCG@Dz~mwFlV67<4%_r6pJD-JebcI zC{`;YMc^3*^{ncgB@>u9GWvPzWsqdsnMFG!8Vu)27BJwAB*ciZ@K<=W@K0DKqTeM= z&I~P$8jJ;kLtt13kp~FOqQ?^I<1Llz4aI2`Nh8nIj1U*et=q3%2Ng0Gyg{kei!=1! z`eiH1$u@5nl#d>zx5({D#YpT5V3q!`Ekmmz*my$Z>(=JMCX*noEU#e z>yMOKAtcIEETZ%lNo+cSkr#EsDFdi-ky3FGAy;f(x|N#E@lB`8! 
zOj_AsA{2^YK0}koJ1rdyEAyc^;SfjR@_Ch3Q*;!_B+j5q6*Jum*ffI>y`g(4pR5PW zoFWQsK!0DkN~41O_0oGXC+n(WSQr-t0+%(>&-4J8ojb|sJGj)T<49NzC*ioNXsryX zLh&Sqe}ZAb5ObIm{}25O%zz5h+ZF@%5}J7cuh%hhp7DXJS5wuWFg~zsS%4SQ;=zC8UduQk5J3!6-_!SD@ zegH-7^I?9Q$8H<`YQro3E9R#oHyxg^1Yo`k7P6mGkkE ztBU`ayaKhgpAy3&N$Axsi?4BGblQ$#B4C>YBRup z+4&rh>G(YAQvY1Xlil{p05B+iF7m1Bc#oDn*Eo+y>gIU9{7UhDn~&hr_&)A^o|?yj z|BI<}3a%_rzW&6vlZkC(V%xTDJ2~NGVmq1Gwv)-kwl%SBo%7{>5BL6Gx^~rm-BrDN z_3Gc!`?RVXx#`L?>JIPo9uGy4UD>YRu=^8}%M38vu3X;2VeG2&M5w=AXHOS6s?fO7 zz8HvL-n?&fTUPA79c7!~f4sTQnS(bUhD3A!$TnkJ*WY12@FBYKi)PCcdaIvJ#J-`3;;)z^gW#`<5Cw*kItE5#MBdPLTYv#Eb#d(_3V}FvtO~X-M&+hXW0JIuLWCIeKVfrMzmg>tpDHc`vCR1Q@RgoV*_G= zXyb(^Uy_iox4#ed`Y0 zjr}<|0)DJ8ARwY@-ii}z&V3{hbLn;OsUpL>GKPw*sZgw%p)ud{h-;fL7jd$3Re4|_ zCfCB5Fv;ybwL?HM(jpuaFw#>W5h%E!KH_65xrZ}diqtsLaGhDZ%!~Y>ojh;el?sWm z?dcCf^Va>_RYRI^D;_~r*)Vf_7HeW+Uj_rYmc+o4J>>UNer!(5zM+bbpTR;As14($ z2u`ofLM@Jl!xhc?I1v6(eDJK+zj96%2gFS zX-dX~5e~frQ3L64!XkF;&AO?aMwgkEiXFlJroZne6Tt^27o3qFNOq0l+zfO{?vX-=KlXx~PUy|AfL;3b|ds z;&gVf-%x-9_jwY!wqH-pG$z==8{2=VheSG~1<%`K%A!sMNR*3VhS0dSLBiGr;pnhE;Wzx7 z69Fwi9IQe2sHN6T{5Ick_!MlzGePKttGBcuZ1|fG1TUHTeYkCzuYZlYk zkjj?y`sW9S?&5<@cfC9(iMhaCFc}e7LW4R^v^ zB=#~CCjtqxM8#rue)PDELKZp_E|#yb-l=>J>p!|FB#Zj9{bBPQbL13*ta=#T{LXjb z-3f{;jx-vnM=Xx0u-xMr_6h^@1FQ)|OHyg8Ka)jfiP9mfY8L4|evc=k{+6no}Kw;T=U6YTF*= zDE`eSNY+%j$wnRfrX$0End(T-86eTT+j#M)MrS$}v*RSH-5{*+6W3HvlokdfQXDQf z@FsEV-dx++ClU30flmd$kd{vT4yz`ao>OCqkrR?=dXFV$wKh!6yjT;0F0&Bb*>O?Y zt>8LB{vYku&sxiUCS@WoRj%;}pUG*i2HVmVmWB{$ElDw+bM#rrnxh!J_soX8{}s?> zsBqGb0w~yO8PpqjD*^gJ8L+^*(+eV@kn9&v3hR^nRJyzVfB`;z!sKo*VM3bm0GEJn zSO3IZd(0HQ?Fb#3far^k*%uAR!P6+&Q}0AVaBtc&bFd?*`}NbDu_YrUrH#840hi?xVGY0!L zuZXa`W&*ryPChmOk4@=uJ@2bK-+PycFP~d`AC-td?IZbG{d-zh5zZaFCrw0Muf^hc zZA@HV-k;mD)!wZ)_NTwD^JqF$<^=6*>?Udgw>P~m*$n}JYYD?`%(W)>XsQd)K4Tm0 zW;?Cs#}N4ZRYdyo`&K5(=G!hCwdd6^w=LG-5`tV#(?jdb06o*&6=~T@nvikFqvGm8 z#ne#CiNWs9k8GN1~S<2ml+)#2SFvAlGvfFkHwRpSJ( z2oB)(xlG|k)+zI!&a2&F)-oFGH4ZjF7POMtmzw?S6_*|rD|Ef!^O<8c12hn6cbpI~ 
zGO}ubvZcOqyVsN>Za-~}zUaAC^343a5`6|*6zn(v{u0$Oc-<>K13U{RP3h{X8ejBg zp0vF0<_QgX>_8u+iQLa0ls)&$pZmK){yFdaNE_An{GLEnVnP=e=aawjF+{H?N_rIp z-MxRI{I*|S*1a6vE_YGpH|i}e;t-;by)UyZdu|HfSMk%$1?8>zY9!+V+n;ayiQa2n z_Dh^V#><-Lj6RWFPxlY=*TGsfPE7RyK2=Rb8UR{C|67PAr8S3_#Uickk4@H5xO9+Z z`n%@m!wY3d5zfw+iVjH5*g5{si0$x>5*IiJusj3wCf?4xC~?>R*?x8a5j&EtZE}q5 zo3c&^8i0cPCIM7?&-I{e2a!Anc|m68yuLSL@7@n9+ z(D-3+C646kawqXrT8<@)ZzjRi{C&t(E7P|sM@FdSE%0YFYSD$xV8HmCr}%*lA5JyP zY`GRRZkg}OE$quV>RkTaoP$lB3QSL1b;9o_4U$R;;<2oKZRtRVuV$SJo5*XY#F-Q@x?2&_d! zp=Ci?pnBmSD-G>}4vo2R^H#hR>eDuw9lYb|KR3(O{)B#u|HEqX3|^jhzo*hPJuoLc zo1>|GY!C?h;H$D=Lm|-|DsA3Lnl;F>hSeo8-`Zlnv+MR#M+&1w+=F8eRgX(5*SD`u zqoZ)Hc4BZ4+8ZJfoSg9?3-};YHYQK3um&tvdW3eaNw7MHGdg;Uw4bRwF11QQg3Km? z$zP@^IwASmEM99g(%=Y7j6T?AWd{!z+hvV%C`chxXBC&<<cwAX?Bqwn(_J}0PW`AU*Q*yWClf<5n%mBk)cr0KM6kFlH4XPorq&C_B zd@#Sv7(IqU0DDO{{U1V`8g-o@%e$v!%b9TxW(&_5PzC>!Rf+dA5UH6L9=bF(BZwRih-_#y@UlPaKE`)6w85HMCz)LHs8%~M zb}x2bHMgE`Wy_W1AUm(Xl;+j>L(h5UAc6O{o||@Kp?n=2Lmja)E8o>ZSBs@cNCq1w zq{i~Z_MdTz-e?@=BAz(YX0|dONkMErq#5*>XP**uOJ~I6=oie601l~bp;gzjQ>WjB zb?g)iIfjo(ExpjaP5@U^O#0h7ME*?MTw0v1_E?Y#mRWA6F|{A#u!>)7fu>c}kPLy> zU7963O=P`u!#|x-<&ZlUK}GIMG!_*;#ij4mAMo7M?xk+ih}cucbN?$KfY}@P&DKL+ z=4W4D;#U{$Fll%f{P^m*L#T)&$~hnSk3uhAvw$R-UxO@BWWDQvz|Xx4XRmeL$H%-r z*U7t??p~1QP{(y``{b0|wM&1eTe{v^6b4;3vDUZ_) z{pH1ozX|LXnAoTDdAQN~7aMqRSS0&)wJynL$jUf&L=5_-3 zuMmz68RF#el>=VwrH+XHUEjSY z+ePT>@|-+$AYA#pidNt(hD|2zzE;@~-0#Mzggafn14Und7t>W~dVrcDZr}og-}4zOKBsy7uwUZk2w^+Lh;P zFUzn)|7%|72w!}?4dD7gC?ZYqM9&+4jb9O6%D z^zWs-XdY$(9v|RIHu9EKcah(sTV7JSK%1dOtes~&r^j680M5*o{k=tCAF!_RkaODa z?Cw}=>t&IWIQzd{_-zR2bQ1#tkniW+5*zKm2HyqT=V>>`DmT*KXWjW9mTrQ2s3QD3 zK>jG_fW5s37Eb9HPJ6*~K*H-?-Zl+fY`DMTX{CL!+vc}M_8@#SiPCFo>(=aY)E~9u zT|f$}n4VG_VR`DU2I#?{>LWTxhv%O|uDQ{ClvRc33qP9So>>1}BDXlMM&|!=zt`T$ zIr99)h+EBN3Xi+y5setSvek~Un#R3Mu|hl&s3PfGfPLr4!CnUHOC^JM%gOVkt(;?W=(fun#arUTm|O~O4Pn~$+!z{b;NBSfU5X0s z+Ja`5k+KNQz9GEdZhKXO@IS#b3!B}^|KW#Rgq{9s=#S#QF)k>DCUqL-K`m0RtK7@s zsn}yg7U5NiiG>rBURe|_fHt}ccK*mH=xV;A%PY~i^4!qIg 
zAyuCGWuicUh1t(2>bO6)kPDLB`vf`p#VN=p6aI`W5xSg9Sk6?;$M9>BD=<`%CS4+! z1c=OWF}2#(8KHoJbmg?yY7haCd)H$$MXDt8EpO(N`VIIx24AtX0K31H1D7kST-uV~@X&+v#}S0g zMAeTeaDUW8k1i#*%+_^9NrTDx2-*R~FAz6WWH|`ptAcdOu(~MgSuOuCctbkv zgOuppw>wwC3M?~&)8nR>RqUGW!4z#)XGj%pg43~I_Or_Q#cqc119tVHfkSUwluI)IBF<%xJe!p=6CzO+$`f<_z<#5gxNrEIG3Mkg%)E;ezX^R| zC0buhR?osQA)3Clcx|Dpl9Pf#`G+oxBJA3<6i>M105xzd1x>;ggLe zqe2(`dWCVU!$y@E230gi?1gniPjQ85XczGK2%re7<=u7S*8fTTbY3WJx^?P1x<9|JHY5LjXgEb zvAKUN`olQ74QGd<(*b}%?Mm;Pt{cd}@C!@rGhNlOaX%v9ed1lW*!4cMZSZ5S?By=II2zzz z>~a~f)Yi!-d!6HQrkATV{b_uAAK&iWFO}hu*UoQf83_@;`ItMg9dO$aZ)i}+b^Z$U zL@-^sU2O#B#B+7E`JK4*8JK8Yz8uy38zy$}*@5Y*MlA`k`&ywZd7)sN*9tkYzAlw< zt$7{KgMloHTPv9}TJ`)2DNd-S%{qfy^k4tZ_SBr%iMO4adl2{`ECzMPN8`qHB|aKGcW z%n$x>x+0suX+yS)^$k4Tv0;t8E4O=<_SGuVtybrjyMw?{;Ih1IA0_ZrG5Z~^@jBD5 zW@Ynobt0w)*u3|~yolUydwkJw_haJId5JN;?{)w|d2cVafI6?|-@d_&F0iPJp1>fZ zQ8RXSWV9;K>0>X%%4ACR`q|tnJC738x}+^HXi;fJ5A+cJmEG~Q2OJ=OP@9>}?4a%? zR*PrK29CA*{l1_6c~zkGW@oG=RmH3*SA&qA)zl-m0;|0s8v&n|VR0 zUCbGKt_8xNvtyH4963xY2ltkO@{O*9roRwnrN_CL4!&7lUZgg_Gr;Uu!>vt6JAa@V zLcC$9Tdo|lWrU_f*Fh1DtERlKDJEN?XjT)3(YFd2^3;G&l=g_;FHD>@>(f0slH4@T zYWlY&YYj7HD0>E`S#qEhZ>zjNd+Yxz$ zO#Pf>fAxE0(piRBKJUEiuSpuT^wgwC=d2nWf(ls*WI0MLT%L^3$kfW;wkhx>Dr@m- zE+Mj(-5>dxw(`X}Ea0MQvWrL|lg*^cPAQlf;2Mh@^faq(7RfbBHI9bm2RU(bNfx8Q zDN#QZC|qQ*%VZoisvx#HuQ|>F+R!Y>`E{(i!cF6?)5gnfc?R3rgY+u&F`*ky5L{CR zZbe#`9tS#8?Qw(QH?Ty|(nL7AqyI#4rcB1q%W5_QlEoa{EOcN}N2kR3$L7J}xT zKUB^ZlaaP>ZEM!s7Z)2CFzzs*pu>DSRBFDyL`*46C6ibR6*?>YxbG<0DeEA+lT70_%#C;uNuh4V z2@nzf7*b4Otk`!HjO2k5#klzEtPR5(>dY`)B0F$VK1gC=HV)ggu;iMFK&`+)xMB_C z-Y-6Fvu`*>A;R^YZ^$GH$K?m)nDsZzjlkLsoLiYr@;4nCA@x_58h4IPQw3RxIP;3- zhgJ+5=0LX5nHgyaPon8S76*ZTg6;MXt153_x7)853}D}zX7T^dsRCpCZ9Lh@YJj;z(#svF(U9VTjO-_6N{ zOx^=aW42vtvewY({3Poo15NuqVHk*P3QQQUjqokIMg_NB=xkx3X=j?Tl%k3OpR zS$bNt<&JjY49Ew9rzlQT#RzEG5RRx_7E^-Y^-01>`0ynRsjv=i^9ff(SGe9H86@J% zE61of6o#U`cmA|E*5#DRow|_EcXGx-bj`skub=+9<}<|vmc92y+Bp3NQTzpYfw%_T!aw*Ag=Sb{y#-h9L16M;RvF=<{#E^?87vI8ISHppIWQ-Vtd&Kv 
zQM!<8l0`wL>H&XycK^=8kHJ~TiJ?k_Ua>&ZkLHlWQ~P=Cl-7J#9Af_5qf+-igXBm` zjEL2?buP>sk&wE7mI-&rQA9CywE?a0;NiBM8nbTQUh)xpQh{8xfbAqZ1b^n0xhbw8h@7QOGfS4l@DvW%mD;`@R5F*w_DzwLqbr(U%ZV&Up93SizUNOkn~m zRw~4LQS}+|!S|Kt9RQL^;^FFvm0@^Y0=w5&rI`nw3i&0WFu4?HtdEyS^M3 zT1r00>965Nub1y_aCr=XbH*9MIUo0IjG0c~<+2l#KG4h6TtmFm_2)t6=L))0C!C(o zn3UC_o*Q89$3e#1*9xsEJ-cN_bLBeF$|1bvSI0_X&EA4M$hggZpR+m zh=eQb=>(&ln--6DC~kkwrqk1jI&c5?!m-bj5tJR?kw6bvAp$@cpnda8!Rxx%8Si_V zy{sb)eAMkxc>3J})-&Be|J`$|69(Ws`nrpU-~h$%x&&+@+PU(QyXbl#KNg*To8T)G zYIN`^fi>-X-ik=^`~I6s-)8+Gv12~1gELj}@fIc!k(%lx;GRi%z3m(9yPt9I z`Qu>xOJ1%Hb!c6upCQcPBVMzdHcQ6X6zXoCVRQ2&n{IN_@r(bLvRxr3__~uLJS7!4ks+k4k>Jo&@1ZD{Jp%pP_1+K%h(v*+qlSwu97k>ohH zK-Y^U%q3{7Qp&OEu*(sB-MMROS$|mIaWZ+jU?;DL;c*cwIeK%%(eHLs33&JPxOlVB z)RFq&4@^ic7y7)4q+HQ?`c>k!X4itF$z1Jxwg6}^e!sf-%3gLTbBJH{-z{=NBJTA$ zrcN{b@z}4B6KLGL?}0GCLBu!ArT;XPXa5G*iuUkXc%=He8d5iCznmFh2iwR;pG zqUziG0h7%PIxT)B;uL9O+1_(Sl;l$%g`ko#Z&0nw6|?Cu%I~BApVq5e>FUkU`0^sh zNXm4Tv{hx+!nrDQrOP29fGsO%=>|%Sr35vyhDlQ3E}UJ81n}T1BH|gdHL%s=d2%rLh_z6@^URGk{VsxHD$lIZ z7M1kjB`5o!D05GCDX49-54~QRET$BXT8GYZ#C)1?S!pvCt@Gl=LS9ydpnOtQU~+ZA zkHGBOsQ5v)pb+FwwL>>lBBJ8;k@zEKc!*0l3{m@G9V{}wLOhz{KJjmf0*^gag$OyJ z@TD#Z*DqN=^V{xu>VWESuO#)=1y-B#*7w!EGa;LN%ln)lb5d};_P|y_YdS@rn6Ta1 z$naJ9^8C5EH&(iKJtkKYy@S>3A(y`|g;kI?TOXH&A>2zWg7Atmy zf9=c0XIB*!!%7X7CS6sh(G=29`DEajuzW2_4Ux{!NwnBQQcro9#A5#h+T^Gq{YLTO zNsG!7NP0tuov>VL!!y?(mJ8PJuQ3$lbDVSO;3u-f%9m)?nKx#IS1Kh~|E0Pf3mF}o ztu9~2GEBW266EnIxnqY~t>~Og%6Zio`u59KS7&re^p7yfS|w%y?*MJ&&xv60-1jf& z7dty+q5?4VZX9HB9=W3h%FL@cas%}rQBQX2l2N`bC4BkDNW9Uid1a@DngS$(75G)W z&M#XBSOtF*7M}W>u3nEMM@p66s=~vWri#g0u9clP(>3INPgp9uwjfz2=+xnnFbBtJ zfTbAKK0IP!fnBa>hWEf*el^{|dVkCxKt`whN>TdRE=dJj1B)3EFga(9PutTrb3|8ylH)?y2P=#xUQ>8>@^0TdrS{~)bWEHG4XUCRwF^v-OwhL&O6lhh0w%1KSFKEN) zeWtGrq*wXNYmeiP+O}~D+rGaPai)c`GYR%J3RQ?vo+9qA;Nt^uoC=q+qyl=lxWfl& zxtPu{EyVHq>=cju;+RIbP7M-2uq-?o0|(T{s@&C6o2l)3mM2?W4dJyk<$)n}mL7WH zEc`eYYvrkgunKh^5}~ZwSjelzijWn!#x2Ywh&AukiAP;db4>2al>TFIdbHLJU;3@; 
zFkd=yj#4iZE;2b6LMXDHA-Oo3*Ua&9exjB!-+$pyY)MgK26&zVlj5`a3r8-+ObLv# zValsm)DFBCkGKmIEcpql4RrBdhlQBVm!+up)_vy2N$E*)l)o9)Sk`f)G4LvNelt}0 z>dCfl^qM)ls*t1NLxz#%(QwmSz{JH0nxnF7bA(F#uYic-PU+XZ763`?=YXBTmqO5Y z-}AXHz}Kj{uZ*sMj*0wrjid}X{vuH90AOKWH%gK^XV$g`F2sIQo85$h+*vGq(Jn$Lm=SHYI+FYsq{*w=4K441v6T|DJYl zz4D0z+)w->`no>@PLQt+n(lN7K6Xu4hITf3teJYx|56_)u0PT!zPvQ(UHgIpjAek+ z7LI}#`e!v=TE6Oi!9GB-v))*zoG)ng-SGeppJ@q7T&F9@VXtc0_m98pwF>4wT>UK+YO9On2_~m&BdS2m=F!&$FF5Ut7-GgJ} zg&lPt3WY#thf`dBB!TgFz#1S%cm0a&b01i98kk~ZTUD;}&2(L@`_#LX{*U8i^OEKd z1+UsZkRYE-I+Nnt(kJnxktI>rM#GH$%iiA!DC(Z(W$3=Y_b4o0TW`|~4|E%bu9J!J zj5v;sBkzwTPX+4vmY-kZ!1KdbH1Th?w!0{A*MQ*MuG=fGzWnb<%!f>GFIauu$FbWQ z8NlT&q0fT^_NOiP=ph`=i>|Nyj|s}=rvhg)FhG~LrT0GAXW$C%X5g450u?QjIqWNyPT^Yq7$XhEOBwHe|7ozez^ z8)aXk-Q&&v35hzvo{7AldONEIkDU|S^R?hg{4Vjg6DTUewbO&EjrZ>#|Dkd?fLP*N(C?-yP3c3y7^$4(DBWMl6W^?< zY!4N86Opfr(=MZ9q}XwyV<#z>Me^H^hIR^(f zlpUU#4S~cs71VQVHKYA5iL`Y%q7nEO^u$uX_pQAMr&FMdb{K;Z-xG>AI4-M5ei={t zu-xV~(ZI1eK{Bc#1h%HwG?%#bO@>KX&y#V95{iU`ssc`IPl9D4$Z!rpRV13&7##oM z{?&ACrjq{{L6CPk7Gl~RTC_I*oXzSM{&e)v9P%VrH?gcmrZn#-e~|-cr6flVkg!jx zSwCl{xIhqr%cdw%UUOciuGFWLG5Ii%dBJYavj%Qat|2y+H(1w6sk(gxg|hzU`VwSW ziJ$&tl?E&HOnmZwEOgJgO?vA?o(+kYPcMo<^Cqok9av4h~YBH)}z2LKV+M zWiF9X`mDc2o)}t>Nki#8Obs8#OfZ(RAb;XHn^OfhoMm?ZP+!v6AvlGANeD9rPM|#2 z+;zTbJ%Eo0OSy&xuUK585FSalUQUvq;n9Y**rfLOh6J@iP%Z^;8#h(nlfgY1kGA=} z!?7|PRWT(#YsuVFSh64-wy4vPtqFeH$pf7PBUBQCPE@!M-qpMe6YDHgb6vXP#~8kP zb;CSMQhw&GFWbm^^)BUYT86{T6h-jar+phMTGK!?+nMUO;XQ2gUju&u-Jp$~MbM-c zh`UqZ6Do5thgIbl8uB!0$!`sJ!XE4QL(GIa4O<78BRjC_KVnnUTCNqErlW{Zg1PW> z;vKS<{qBo&D5^D4v#|EO@y2)G;CZ5gMfG8{r|=G9I*+B7Sa4GoFn=E(b zyj~n$*3F+%mN)s-3Qo}|bF=ar!v9r+zjR?xHgqs>kJ*VJnxW=Vbv&TsUOxq3a-O9*uxa&;DggfK#sD1d7+X>6Pk$cf`Kq z>i&sVeBj8jPhjx2w`aAnbZR1^dSMB4r>QK`)+!4Qc-p72! 
zu~C+;@5&I-Z?`1BUEO2kbfmxuA&*N_0)w_&`pKUWJN=~kc@$S)mbwgW zuDcpsCLNAHyo-M?1&^KwLo{d%m0jiBFABf_8jqluoqUd!n1N#k(YxuOgJLbM7D3Dh zw;lZema0J5k8#JoK-UtCx}Q}uWuC8Nz#0c^RYQH2mcN}>KPLn|S38<&-?7mbXegc9AFe@z+-0V0OCp9iD5$g{1`FE_|}rI}R0lCKOydW#w(tHRJ;3V3rrSjJwT{@dQGKku9v~9;*W#*O=NoJ0>`(ih0Q&?e+>K8t5?1tm+md>wQ=Dy|2L%$?TRuxx&uaujfEQwK;PDU$#PT2N>z|jMcN9^Q7x@nm z)v(rEJlhPw6_C66^zOh~{Q&`T>CGOywDMqXU}eq>MabOi4yz?Ct)9W?oKJs`#|1Z% zwsd$S4ixjfuDdwDSAzkrxq&_wg8@&QLP8$K+Z{M5rmExGzi_pV9Hh6=)n<>64e6EK zRyxPuA9X8)J|n&}(JO$ieU05ud|J3{f|%U$N~8d(ge5>ezNAy1XkrQGPn}W<%NlIK zDck$e9c}s1j&vA@gKU3EW@y>{alF%W0oPRdkF~)%2P0A{ByFB z>eK}0?2(Pu*bhPFsyy%+jK3?9w51>s2mx70$@pmJ2AU+$ty$&cOS}g05b9%|Ju;|# zwQ$RyA-QRjlG}DPjJaUtL_cq>SI-9JJ2&Yo7R>qaIC)*#j4E4PeIl+_(49-AYQ&ZVE`f zvy{@`8$t<88h7rpWtSqp)nfWS@vP)QhCaguKPTB>y|T$aweAD5e42sn6I&y2e33>lb;X z3v&Nk*6y))&HkV-7qO@P5Tm89%LRo#@idys$Q7kD&jy~NTeB-GUKQuxq*(t#;~=5t+;n^d>-TO|^_>0k=PTD~9NS=5nN zg=R@Ne&Z#3a2F6rko7pW*qkaVTu+OV z)?&qnLTFOM&6zFhvsEm<(cS71uMV`qJq z@Jo(POBTuAPWnL-jOitlu7*z=*}jpE?ptXRt@kZ#85ZVV7Ne52Bw<9Q!tr-5JXur~ zOHs(CH(Z?lc8$|rPH9U!gGg3Ys1#00_zcV&eD)*h;)0(Qf|gxvh`&gVTX|rScox)@pT(Q$9-=(~(}< z^+WTf$)A(;@hPxh`Q(BUG@svY2IW(JnIUs@@vb7D1wzQx=WG_W0IluiNLJh-=|qO0 zEY&BDM*|m!H`KpIg<36l^aK=0_i;8#ONLX?14;t+TK0Y3|5Ntmpo2ws0zXlr0=|%$ znL40%D(L2C(RdL*X77Da4d@H&wD|s?_rYQ;QKl@i0T!Pq@Ly%d@GA;&M5!M)g+c~? 
z0};Al3V8mq@;sH;XHmDC^>c;bbwIN0IKFjJ0pP3I%bumRc9*K(Ox^afX9sH)5C5!1 zB=6N4XwefLn01-g=SS@SxwNGPyo`i_r2jPeBzEu`Ktk#DzYSg&jL1HnCv&=T>*q>m zXn9WR+VtFjx2yBBB+@@ziM?m$InF@Q`u$1j@hs)U1ZcYn88Y-=zs1Q5J-cpp;(G<^ z2z4|z;@l^-!P7OgHKK4_^SuYbF#Eo9!w|ZOT76DAQ7hT+1bp;VeQ!289BmT(ybM`x zVg@FxeT2w?A5+id1<%8^GS~?M2`&~Gk8+07mHgz2ve(oQp zeJqvsZC(x>BlDQ85eogl^>LCK$U$MkcjWV%!MGOq(4xQShVZ^_K{1l?eEi1Z>s|9=MC$G{Qrrxm6s8Jq`3n{+Uz@l zyfD@!oSQAvYcH}VSz~mQu6_*u1Ju`y?t4!{eg_5pGBdS+ek0_Khkb;^k$C^x_+i1m zd>q~Da@*$NH~@bUvCa9spHs_YHOzq6vf*a0=M()UfmfH;J8sV_cA-))C(nD?Q)?Ih zC;D@%Z|G2+-^@{yWlvy#mlWIZ0FIz?_NPpHh~IP5?hihNE5ONf)2-Y#&t5A*o*6mn4Zo1>O!R^1&^DY0m9J%W^gVTk5 zufBtG{{JtLcL1#nCqbg0DE$9lC7)RYA^K^Ee{5fZLKTzyv?nJwGWZArdftdxKknZ0 z&YtUl)XSnOX#1xH!{K)yU(>}q;?X|ALQhU~s+lq_>r~*T zNXpacdTqNiQ>MQ*MT#rq*fb%8jZjn*uf@o(zG9Pn^0~M4EZP+$0_ZHSLDWc!O698= zlXm6MCCOrZ_RHcUj~ooqIFtrs#*s3*L>y4MDH;?T9wVQ!Ys~IashIzC87{cw;GBdp zN@){iTAw)8!h(1@ku1}J; zqGJrs&X@1R!q25Sq=YjxKt}z{5H7&MV@y{(l7^cVa#?$Rm`MM z-E4|DJn%cpBsj?v95ZRcxR6u)yZa~<%dTButYk8;9Uj(3>38N_@)OjT3*hS)L-zze zfv6oqjK++RfL+ExG>wdsGPY`LwW&jTI!&UtROgq}yh(*BTX?64hx~l112q+&y`UC! 
z4$<7-*sFZw*H_0;m2F5`NX1Tvke6>vdN(}%A|l^?N@q!3vG*tNI%_Px<6a3D4B7A~ z*U;i~C%Q$36ltw74Ty21k=YV%)pde%*VE8ebFd(|u!RPLTZ{^;T68gyKVr%tj*vk9 z(a@4Xz2q<@9+1ye41w_J1jwy1V(9Bk&`oh`U$uomQCQ%!h6mdyo17HDLsEF2Oc zC#-#eN+~aM4)#33O`J9GKnQj*vsT?#Kn3r|MSoM41<>XF8}ZA#7U(}aY0%5eN7x#d zp&DPlLGhs}M0o>xN>&V+8VbH+8QyA*%6x%Ejt#wj*6h1_UMinuC$!39el5ooy!b24 zZ<iJ?XISXZ70GKzMIndW+JYpQAu#U_>v20h$_)2MMg3^ZENE5#P4=)0_+KIdpUZA#k0jd{|H<~+X~PG{q} zRaQSms4L<)k0UHi6yq-JCKqUoP3~XcK109dB_?;AonqYlNq)f!LhV)%Ka(CAWO=64 zuT9Rf3H#`5e;c{B5{Q+$(G%2naY4$U2c z#Cd57-Ja#u{80NzDvILGs^;&b;Qsg=spVVv2Np27^-p1G@tKK zg;}H+96}+8T;<%ohi;g%Nu@#T+f>1DXeMTn?SO8bP6l)o>smNQ$*d>5Nft>1@PpD zD|C9AtF(&WecV0-;D+g_{+!&_GJHFDb%4_l5;=qR`}=#($x-_x$ZOdrx#xD-YN8L%+$FnQdg( z;{p9J7~HqxT`-aNIgy?H`zfV;5)G!?d&kD=!+)(Ujwr7M4Dbd4Y;1ixS5SJ1jUeu1 z?Vh?&Xw~5kyno})dzrg;s&(%4UV~|gZmSh^ruDib(0WKu-ijvfFsVyt+PED&kI370 zUJS8IQ#6tv$(FL8Uwt`gLg`)gexb3cYknVd8RgW|XWXv?kOaI8GPV7&s;m<=1+%E@Y1V9Hw*I#Iy_jSEJz4vxcz(0_k z8@(bM30(F3^!Vs(V(I~I8f`wMNb`de`AsZj?>x;LbO|H@`*ojpYT(Y#_$&k4);Z~~ z-rvs*06%Q|mnyG$%IchfzgHe|_q}ul?ny>dRtziqa!2bS#n zZ3qQy7j8Ou84=W~Wj?OH?#AD(T;94}H_JU6IgG(9Zh*RH=2!x8yvZ8g8`7OXp+oWB zpl1{#Re^m7xw~}9xx6jC)u*8vr!xWfO;Lc&g@E5OW%Sb2${nBm!ziiH8RtjO^u`6t zZuNE`0i_eq-qz=}wt|68p4OS0*Y+Xu(cu8HFW@>geZ%>^gF0@FpyU!q`{F5&u=l|A z`g;?)$3>#i@hgY{2$%puV7$nK+MH}Y*nwiw`S)?R+9FMhO4cw=_f&6^2|B4?*}U3q4M$?j%qYVWn0k|to;k} zUFO_a94**b4Dzx3p^luS1CLtl;<)<#o%wG0jc zTXIBS8gtHh*w93+kPh?GQ+GM&n4^I>=UQ*#c|{`A!ik;TJwl#F!m$S)Rc{c!%+;HZ%N2yQu2Bx!4Z z&ch_5u7~|skChnLP0H2D_}By_T<3u%SJb}@VB+@} zmIYAGG5n9A}!}$*7ZQnGB@8eSVp)V-i16ipXKBF+iYm5x03y z#pJN+Ne4O5R-t?wMEBzy38|ECTqME}o!BLfQV5bQ*b*&57f)AiB{y&K{EKt9L@H#R zO*=yb=^a`j?m_^DnRNbhwmsw8>fiP^227uJ{NfRoT+UR60W3OEC5=!rY_G0jjsM5g zS^mWla9KKp1PBBtIKhIuJB_=$ySqCy65O4}-QC^Y-7UDgTQ9RaJMVnCe?k4~R-JS1 zbMh$y(9UZq4i#8nDBFI)!0;tb%5%d8E1*iEmRR5mW=NIN*lkS0VM+F@uQMgRHBQgL*rJQSpvF$>)fFc63 z`8BUw7S=nN@p~;2RLe{;%yw%${zA(5o*)>66*;g6$X6$QsRnE68YKMIEok#y34p9X zcx3qtyK2UsCqA$p6EgE3_X?k{?Pz zz>2=gr8i8^d}4<_7;d^ALgBo99XmCVwv07HFTF{sct+)m&1ycmqn;vq?>?2WKNjf^ 
zNNLpCxNza3jH>!^hrSUPqkO(wgF&K~T?fpOb5hPIcR_r}g~D{cx4()o?b^RfSg9f_ zC^yCvTX`z^et0WB;?(k<3B3ETDtuqO6eQ2GG5YH@S&A76QyeYdqPLnNZ<<=5Lo1*W z`TLuuIyaAbl6j{R98+9gof3ng02A-}$-3^eS`KirZ%oSZ9lwZohQ@I2r^0xi3(t3>0Gq3Ybwd{EcX` z#mz&Y3Y(rcDd*HWUuHP5{|s;!>{sE=)DI@lkH^4%(YHh92;gBi-4>7>H&`Bp-~OiS z74gRQv(otcTQHG5GrYX{*=;4b#T4>(RPugosrmdG5UFYRnyvhVm$YUG>dJ6Ddy0U3 zglRm?;<~p#@aMu;wBdO+_z9leM~DAloVJ{uuE+x}%GsEy3xqtf}eH1?G2#YoFnuE`sCbiqkP!$sFB^ z^N%-E=ZkyK11r0o&1+ju933~B4!e>8)r$tby8~h}T)SaFkmuwNnaziPsK6$@*M^sF z$QM$XIP5L2qtGiAAo!SYs?u&rnySkFI`6_gI_$#mjjrb2m3kdWad)R7xxu`;%l$HA zEYk{xrn0#)Wb4>ry2QKwXlv7I0dhURHZ6J{fUPUm9I=y#yba6dpEEUg}Ayp8Y zQo%#XvTx@fWi}lb4fjL9=3Zec7HSV%X1-!#5@4b}Bspks_Xr9L-geGp-^Hh|B z_8aSmMVjc&+kaiuKIWhjXuI~0C8OXD+AX6^jnTm_^~Wo?%umLMcbumRHyznUS8Ue@ z*MO%huic0FeqU=zf$=w%$l|eR3oGU3b^Y=nXkAHU@bdAJXB5(G1 zKU_%KXBLO95Fj5(`$cI>f6XCl@06MA$Iz!-KL1z6alZIaj|t<^s-5)2g(p622a|DZ zqeT2?aN=;C^miM0Ow{TbSdvg1HPs>}+n$D?{Da457@EU-4QMP@wY4D}dW{h54Hd#+ zWyl&u!!}55%0s5&DT?lTf?+L_7<)K-!e4jgsrZG3kutHS1KcK0?lmd+RDaOmv;!)J z1`@3Doxf(?trjH6VTyZa+cXJClM{V2cyu(D7?BO(H%yUFjAhDKoDsuN<|s!eW!)&C zPr*k(;Z9^LcH)o;012Q&-A(NQenQ9miz&Y+=~M}FFaD=k;82Ccm8ZpP=HbGD;qrt) zns#3uS2#N`EEaFmwSPkxAu*wWL}Z>F4fQ)oi3}#7&Ld{D=iWt|Obz<9J z!FJ5ne8)x_XRsBGsK3TY%@dH>f2lPv@)6k)k*Vb{lNRn;eZ>%({rGtp)(?FT@Ojsr zwPan0xnFS{K>P%GzC2H%(6HdY$hQA6XXPLCA$kY_Ib}dk`+T2dlWUenyDl_~f}AI$ zuUx==GAYrmq>M{Bo{NAT>tkkh67IxOeq&rKK2gyV#Y}=|_p$#{IQLP{QNHI0OJ`@I z^UE7;sI;+gzB>P>N{0Z}x3&Qn3EQZ3dxaRYQDhG7p)x7>V$QzRCIfPF? 
z9#XmjR$S0sf^ejrzK$(<5|iUap%tPmD7@n;{F|=-95(hT?ctm5o% zU*=`nFyUr}B8|*NUm7<`LMenF0&vLAoeR}5C4DRv^mZlw3R8J9t+r#`e0)O1y75dc z^IxXeKrSL!D8{(}f9j^>8f2O6n_;yZ^9f7xihmiYdP2vv+q zCycNCX{BMP^{tEnG74U>gWr@Aml}Q4U0mLva@7Q{M$h;=|7c)wg~bLGeV9px>7x7p z8oOQJ{XT#|i0Psme5;4I%kYrsm+0^1Z^3jMKsoZr9{L}#^lw|A&m@A#|L_bzXOgrD{BSw0W957+zcZQdvsEupopg7ac|XOi$A8#SUej)v<<-0d-gP{t ze{ZjusvFbodL`U4OkSIP-{naAvYxXu$klb-LE~a*+eO~`@O*jhwwJCM)#*j@vYp|1 z|GG(=WxqTkdbzZAO@~8bNqfSRp)KxqUAYCQx!HfI+z77!Zt268+J040m+9`{c(ll| z?LNm+`LxS1WYc9-$|TWa>#7F_G$mqKQAR<#?cLs||)He>78 zi%F;4y4OI0a75bMc|yd0R$r=JY1p}1?`tPEU4S0c0C2(e=6F&($yL_9YV!vBUemzX z7Wr8r?&1nC@_}@Vo$z+K?vq`$(uJ4N>TVo;yMN0=&^n(N zT!35RJPAv)(X#7)b!|Dt(7i`kE@&T|P0Oe+ZXN>xbk9wvS+;8FJWVAHJBFZxb%wg? z|LIUwEv!Cmlex$qa9&zH5HuU3E>}BUrEayn&vKjs8kQtqd2c;!C)YPZoIhTMJ71Hp z9~i^4+QL8nxnc)rwh?#qGIE*p-V|csJ!}V<(sF@4{$UYW@WSA`U!QdOyiYow%4WFk zl9DNvMZdcz+BCnuxH@#{T-M4mg25ngmlN0zumhMrdk5%>d0~S~9D8G4TA!oQ#9e5T z&asKetnW}?WN&Id^6Yfkz~X-zzX7Xdlb1o>uW|Q4$)s|yraT?|?K8TSTt;c3rqwb9 zD{bzb-`_xkzb_e#ni5&z_A;z28hOBFHj!CLrMl8_Y`tRt0T$*0c> zBi~yiY!wYCuCj4MVrrG_O*{8l)yn9#K3|J^OJ<7;R+{yL#6UB@2(ALn_5-*=b}>dg z4k+^PC(1^|S(49&@I5aB^2+_%-U0!;2H~zx*c?C8D2Gsg$zgx{wLrm-zr|ogL$Ii$^+|V*;!9IHhlhh8eDRX53|kfz+U5mqS`s zj-sgW>!etPUeGErX`+@%T&lzb=~|e3rKwq>QqVk=R~^?w21KRPxk=k#-^!0o|8mcVi=_^ zgXPck%FGlM>F3YB`^lJqk$OJrU69Yf{i%ZvrhR~0m}3wZ6g&fE3-X@SgxF!J8XKzq zQ#IzZ2M%5$nbPm-XXFiwhqK&*6yERHBFV${4KtWnBf`vB?B7KzjICKh-@A>y2&v`d zrIb0fc?_J0MiwB_NxWt+DPRbF$G?`vMAs|acIT$qlj0WP^fdM+9VE%21V?8-dyK{jBjDICC6 z7T9g`De*pwMAL%zF3U)KmYV&>dvOA0Ln{%QdpPu~D;ioF6QEGe;K&Utx!A{eTa{7{ zIwPB;EvAfxQ{FbF>TY&L%W$5^egX*!W^wSv7i$ERx;gvIzAr36Y(T)tCM80xF%geo zjEc4#8iAs0Zo$h`D^@Mi;*ud2T$nVrWc}kCX|IxD+fVdS#`A>KKrL$a$Pfw6NE_vT z@|J>yHV4G;@K_G%WPdqpBW`yM!IR}|1_e!SzGwL?EJx{J9BjeOQr9A=&6*Jn3e6K7 z?NZv5coQGF@tMUGePLQbUzxf|XE!gC>GpE@!mgv*~por(Hb z!!x3xQzOqBZOosIwMfTsKHeHb(83*b@dHl0yI&GU?r-$q9>LLIp;$dI8Q2_n1Rx0= z^rV)A{u7=O!$b7X>Dw~8LP?Q6(IM*#aqZ~i z>yNKQN(lGUw4(+7o9qU4Ojy8gI23IeqS~BRPGP%R@}(u#@lk$6v=ON+9H2X5={j74 
zdHGaTs8rwNUNfanpi1a7^a;sA_ASsg&?PfS?ah9zbysd1g;Y4#NjdZ(x6@n z{y>LcB`c%XBvKSMx-Gj7VAZZ>b*^ zFH>jFTNo(#_gP$Uo?N=0%r7JBj97!UDwN}JN^C5^Z+goNu<#J&ha7Z+4OCI zsmt}g^lUiBf zh^BwGM%WwtI9x z7R}Vw9~ipOetu^8-R2X3H|0tFK9L;Nvdl6Qe?CXMxijx-)6grbyYi@fIsw=Y?!E4v zFIdU4PT_WzJWmP_*(d^hcCg4oX7OuVP{W9 zIUNJYMdfy!-g}IPrc++8WNe!)&kjJ%uV8hR-{}pPm7svivkI@Hb__`Hd)gLoq1}DV zc_Jarec?lQLF z@yL<3adi~nSn$p!i&y^+PXX$9y)3(I86(BPzjLw48r8{=L{#%*KPcK-e~b~PJ2lO) zzob2+>302=?EO5IjPJB89o!(pV>Ce1_@cw@RRvt4jJ{OWZhl$|{^_#vhWvtG&}X}3 z`_%I~7R$yA#2>kB(z(yD#NcU~Oc%{K6TCgd1E1b5ICrXhowRsPVQtm8T)sASR)gWw zG9HdBhrAx+$HBk@Fx?6e$*u9@a4bxA7vR$-%+}@d!F1cknivOyr_q$)%>nb_9|A(} zSnlxCGAWg@lK{)pLy~)dX_V*afdi2aG(U3T5CUw7U8ok67;KE9j-*(4(&u`lun>#W zl+Sq0|7612_u*pp&|1^ET?Ii7OuMUq?%4lv);dpei~b)y$j?SCyN!-`5fZH zR2YJ+k+tdbSh7LH0JeGiPWoS0tzP>+1OoAFsb=OB(!gS_es9bO zXk*;7rb6v_hY0iyXknNDs&9YcsC8|fyG2N8(XpXIpXHe;zFOOc8#arc?254XBw{kKfh0u^HGyx>VB>Xk_LOxd461Ay7@ygNEkN3GRlN zRZ43YdWyG-jr5AXvjN_743nM-I)cEdI-d(Ibc0q09ZY@;6M=Um-J_%H^2c^ zXszYC84mIrYBwn$(bG&b;2UQ=rby4o4fW7aI_uHEZo0`rzKns|RWU`vm{^TMI3+Dk zVsB7NARd9Cn8o@~O^I@EyFChAd}~5#{(wc~?YzO}L$3%?0n*s<^^6g0j;2^ru?A@W?Oul1{R{kpG-tVM?cBBiof^hQ_}oHZ(bGL3S-@WHU~S(rDmBPk+8h!#XCMK5oP z>9@LhtnM2$CC|)2$V}I%F^3EPXMjBe_-d*O!ANz7KwTlPexQu5by`;W%l<1OtRa0| zVX>?NIN&`E+^q`%2D!`Ai_5{hxNm`P6;HZbT5G4EaJ)}v+<~76=)>Bw^{2c0;H~N> z8}ma*;Pc()66hLM*6HJF8~(K8g6Af(?;@Lx?D$h*_1M4E)QTGi7)NSnjmeWfYqz#) zU;7ULJ{BU4O$lG_bioXl!!4pTj#J{$T6gOOpQ^Dzb%EH&`qqd4bMHsjSMbvd37JwF z#(C3}LyM>E%Y*rtc5AO@5%+ZG*$m{?KS@b|&px~@t(@!Yzz2r*eXsea_j|5hrGum^ z`Ym~$^)~8d%+giz4{!%0YUN|Mdk6$vxtd1WuD#@s>F_RWm4s$G4+uA9HNPuk6@9ZqI$XG9{6CGNb=S1qpQUA4rzU9q zz~vn+ZOsTXk@q$nr~b;nPm{1tThkD;bZ(*#SeiN`Y2JszE$G^t59rWs^=|=P+t(dW z1<8QtW;k?SpS1RY%*@t#d*Fswhx8*r|K$Q2F?4E_qy(hZ~kJivg=g= zabwC~$5Rh0m~1DfCV3XMogTI}mqFm3AGU}()U;l+9B*g4Z}<2-$L*VSwzf};P_mb9 z+Y?p%Tfn!MimB&oZMp%^Gm|BicH<)9!!GxumfMFml0%kC%@_}e(k{DAo=dwbTGzgG z)W%L*nsE`&EnihP!!lGIkK+^5%HT@yghY6y#3RsWjtm3_kArnx-Vr|-KA6(LT`^D0 zAMvHX(no;HM?TK)hXI4!q3H>7B^rI7tGD}8c0T!(o#UvfmEFZkI3+c}ke{maPX)^4 
zsW$RZQkQ^`W6(y@mpu>xy2CR>mg%f;=2t~0R{W)ZxR;Y>_yL3hzd+)Qw~ay0{YkYV zp_nov6zYGW7}xojV1Lvzrg!u05~*R}Qk{hkbgrf{3bau-SkP;byF}PmreYFdd06Xz zi7wX>R1U|oPv0RCj>65h#SWy{q$fauRcL2qtrgan%ka%;7yU$g&6J*sa}T}?Wuh%W zsfX~`p^dO}=MbTjwh_^r_h!hmnWJ^A3nhs3iPbn5S;i3B;l~aNS^Hv{b*$!FY7}P1 z*3;{vJ96atHG{gzn^AxIw#K`JSBB(yME%-p?(^k9lRU-?oK0j6g6A%PSUAa!Pr@tE z5^yUxhw6k@SAuK^^s)Jh21o;=`61*Y8vQvhDlEo(ol7Vhyde)>5dGC)6~=zR?#{$! z;*L$aU=y6xZ^L5(ZG^TsA<6`I(b`I9f9lAG&4HLpz@aT+8tCTJB?7M}Vq zxx_%OVxf+P)+}YN{xGFLWzFC=eg3;hWJ1!y8-W~iSd)H0Drg^Xlqyd>rT<&2FCV0^ zvYF4a!~#KiH=FrS5SH`4$oKT5T_~uh3g!iwzLwG{`{Qou2IYW^@wdHH7eIUw+=G$c z0<4G3-nfqX4j~}#n-k39nw9|)UNKyDfleIWU#&n%iYxll*$6%FAjkfB==UxE^{#x? zbfl7=GmahbQ#6|Q`~WnO)j#1Vxi3spkg0ag_7lyY7+V zrV$2WjZ1&&Q|H=33bFMHb)^aOr3S>5MuJI;7Z^#}0n(3tN(`mjAl|j<`y3~zTq+|I{56oSULj>EosiPx%X~TS&$)!_onjI{G9L3G z`v^As)aO-42|BcH814a*vxt*Ws8HFcjn*-HDOu{sWd4baKPS?n1~Fru-(jrKpf<3V z?nk}rKCwlLTGSSq5h`ip+89pGTP!RF5n9iLLO&ksy^4Mn8^#Rda84#`XT5)BNB-Cb)YNm z15)t+E!}zG=n}7YfAS^398EYD=py%e`4Iq40~37iT=CuIaY@2!<_C_~srCt<<~3u< zsn>#o-{c#P*JVQ19E4qyc!z$y>HC(SEgFRfRbIyLLM`BWX<&oE`Cvz9ivxJ^{CDR} zm$lQ$t8CiV^TE2ejC723W2)eq4ibn z+RsLFo@L&h5qC$*F1LqP)s`jK7O&1K@52uKjvDjRY&aPJ5ibhR_?veVqx!!GyXT6< zj#Rm=wzk)K98UuP*T>Ub^TJd{(>d*}PnNw4FK1J(w@3Zl0!RFGBMYoyo z_Ca11-=&>J-K1&>)#rH5XBSy>tKn6|Hn|TYYt3!|@XJB7Lc`7V8bR>*Zq%}gz_bDl z;CdUs$v@p@TlE<8a)l+i4Y;{Q#B*Da!^LH7DNhCL1#MI=?@a+0w^n=#E;nCRH#Ua4 zc-$`MBRAb+DsAgW;+Hazs4MX{y-o(G7S|TIU$CFlG{DetYjse26!l zIq5&0-Vs{jHk`4#(k}SizXCe9o=3RBC&Zfx=Pa4tj{|Kan{^I^JP~&FxhkX;49Zr~!nwODMrly}QB}R-d$2qcSoI+y-RP?Zsz^U#EQ>m1 z)X!b_7_|h=`sC%}NjOy)=xX$Q5~kyk866-1r2$SRz3|X9(iVsv;x$^ZLFX50V|_C4 z6;f>=6m}36k%`5;n6h9+YO+|TUL8uj$_^(&_K!5NSXEnlmEhzcLpla?BdbWKz@M*b zZ29vlfMhxedlsY;gd?a4Oa|^h!g8@R7{+ihzhH($3YQ3W6yhrwcElixOzgj+^6*pr zK^3MoM?VA^pyJBdQ|0IrF(FeyQ7+a-uK$Hh%^CrwaMKsVI+6E$T5?#V-#KSAXT~FL zh4PrC%KiA2#?pg}dfwR0^5ci8=9JNFj11GwSD2>!At3(d1^61{dLNO>K;&za%#+E~ zpza!&ua@dT#-1oNDwbnBx3bU#SXbdca5rV2Zd4|Ox#c3qAu`Ns8HnlQ=eFC?AXt;0kP@m 
z;ErIKy>F6C=IYC%nu$CCOol#@$MsNt!MYr*_Juk*qa&;mXU#_~n#!PAAQlOX|0V-jo zMK$OH%9JD=rA03+*z-~?v^{|$%TQ||d!-A|&rHh490E~xG^Bf!l^@jk#C+^5u^aqk ziq~-_{0%J@by^lheDp~~eiY6)X6xDN10(s?s&ol))D@?h@Moe6e8GiLVkI6v!-uEFrwkV79ae z-Yfi=x2^{ul~QOUQp~SG2hC17q~4g+m)YW7n1T@(JQv z*TX6{(}DG$EYvuD%>zsXZcSVX%F=}xdzs>|_Ud>C@%?ldXlvy9P{(c!7V=ZB`2-ia zB0ghN7LXu2-bC#d_Ky|F&ker(U0#P#>)j&4< z8AErB=eC*qs77iCvuND>{imP#muvgKZ{`o$KHr=KM#qw{Hq*rGXfYlLm(X~EmIj5z zN=HBrW99q8Y5NJ=H~zaHimo&m!~=d6*vb2F z`E?S}B%hMt$V zCRdkWK5mZu#<)Ard)UBsst*%oKJ#r44=tW=O2D%!EbF%ToPy4->x^wdPkiSWCfnal z3o>05PQaJ8dxS2xc;YDFeUx$Q)ES6lZ>Vfj!TrUp`C+j1)T-stJ<)PArR`>Il{@3%#L-Wu3S6 z-8VgbS+~@w>!bHaFb(&4jWC;%%pC%|%MeS*_h6e)@IU+q*lod+tVJ%T$3s=7Np(`6 zb)GiIe%p!9Ti%@vMPU7{ZNR5{i@CC`Lgc0Ldf*4}dPM_YWK3v2iB!BQv`-|J@w(j9 zb*(-Pk&(e+bf#Oi4~RVSd<;5-54P+)ssas4&d-76b~tXg0k7{C(P^sO2b;Py_f68e ztA-ttlWr~z&t0chK6`y#D_&E3%a)m3+e2v?&aRdlx0^cgUuG_+bPY?+ZQVUy9c2ji zO)&~EI$U=URcJOS<`6sKbr#iaPhA^3&Yh2IwmK7!d0_wo+B}z6@96E12tMm1WIWe` z-naEx8uwuZuxr}Q``D^9Kx+SweURl=8E=etWy|eOk?tzl8`s>gJlCq%8fiL$PBw5a zQ{{T)y(YNg@WF%QW5#}}qZQ?(1)4kK^}GAgTL;?fSNC8Rl@7$N%a6Q*V1%X5A5$dV zRnC!(%TA-?H1i-;XRt zr8ukrxgO2eVg0>0W$b4twSN?rtFvh8FL55I!%{^x9O_- z9S?<>j?7sb>9l~=l%8v$1W6C6`XLI^JQD?yY_lbkhsPMqy*h8BlcUsszD`sKg(vlM zRLrmYZ|p}+vo#w(8R`Fh=a(+C6i6K4AH=Nl{)AMkwIyGyJrnBeI-wN}HwVOc4n|a1%6o!isdT7vBtBky>B)pl7~S@zd;RhOdJC@nI!PbHf&5#hTWWxE(o0-@|I9sq$Ts zc{!YnVhNBdKH|>;)UP0d z+W*?Db62` z%O{tBH_>jQA9q^Pp^^D>Ajgbt*?cv0D8r$&Fv`)n4`EIS|DUs7od50j`ON3!SjC|$ zeij_^T?qAn)q1?*>d^hr(S&W%h(et9ShTf1?6n>;W`Aik!oF<2$_S2PHuER-%!)wl z8H2HNjlrV)W(CY&u-1rpD>ky-p^WQy%~tpc3;&FyW*EOQIW0o_p(y^@<~_V6*dR@F zp@-pu?NgmKF(ln^<%YaO-UyRwBu_TxTCu>eiXQjROole7qBZJ)jrkE|ZbJIYv;qXL zO_}!{O-cUPqG7R0EeSz6*jidXjx+XrTBa@Af+qi`J*>dqNuqdFGCo9#`mh6u1hr6B zD|oHzY3gteEM0OJEbO!6ym64Skl!2_7{Cdkq0Fjn6(q>kf2Jcyf?H0W3=wh$XOGoL zD$j59i#=zkqa08I)B2N8$9ANer3oOQA`2dkYqDwt(jLyX9JVwp&Z zZ`?~YCrQdAeLC7Xvx)Wv)6_xMC36K|Lt>QSoO4`g!lgXz;$TPo&r$<@A6{Ul5rVig z{}tGGN5&ESc21}_nwMl9?q&+NI6@?gv{y-u3SAlVH>oj05C89R1hhvYe_puDT6x9) 
ze6xjs(`&rW_a#4LP=tDC0c(z8VK0{-f*)z0mIVZu&lZsFG4diFCw^bjsR{Rh}j>TQ>v|Q1v5C7v~K%Xz1WtCnarCTCm|<&R1+Ot z2e{8=T)GbZCSbJvrOh4+f+n*|D zwSy}MOm!O4Zx6Tdp}N#-Yu&O^E3iyIFG@EF>&07mC= z*Q5>Sa}3FT&=$Y0zO4_iwKvdKtGZ9~8eVnWn&hs=_5JLri<&e#*;U;*{=WlJXD?aN z$KasxPha*AZzNbR`>RWr%RL~ZcM+v!bn0#8FCYh;4_E~5Rq2A+I7WIM7XBKo^(T;g ze(Qbuu~W|yU8DIHk-Qu|YO3?ZkT49>BC{5@O3ngsQl1`re8`HDug*E_lxo=4{3Yl; zDuY7#r!Vw243)plekGHJ`>Wob@cpvPPS1lY=ShG5E4G$O?5s`ovw1N;9c$)ThcfFD zt2ots8%yhFkXg-0a+sR-9YX_+pE@4{l>7KiyOC4_Z0n%~Dtf3<%n~>6Mit38+C25( z0367Vl=-I)wHJz49%(~OVFm*^rV4RdC=y#$kdkwp=&q8W3x zJcX?A6aQr*nuP?A{E8%z>PTRN9|9k3z=4Q_=C4&l3`!0bxXE3+9Vjz`HkLd}bS}uM zap}wx06>*^^Ef%dZZMu78E=aqq3a}k-sEU)N0b9L%#=M7IUl89VmE@k#Xb^ zCrC~FBVhP!Rpo=xui-}+y@@%B$NE!=VJO2)0Z;EWV{Jdt12Y=@Ed##2p0@-!LEMeH zFkW1sBsVE;R!m}hL1YBw8R2hodCkJU1s3r<5no0GyC_yI@#LcYj|qe{^HKQTnA7C( zoHNQ&-s?7LJRugKLJXJT*9nl{Q9V?I47*AMgoY}vOneDNqm!^{xds*!(|>JLRMxA) z%<)X(k7zL8|9G(Cbn5SjgG(0J|DGVf>y7eghsF}_ipt>XmFS2nDhP7YugNdU;234s zaB%H#dFO=YQR|3FsfoazyF?u}#C_t{j0N`LXm!akZVJeyh#Z+0ay>#pP|vXCf=K`? 
zzul0d`U0tCa>O=PHYEYKRO4a^k96lYK1)Wv0(xcmVBsMZ@#bV-y?j-sjmjm<5;rWI zQD$a)1^a})+v7sz0Z5$6Z`0kxwbC&mzB9DU+!mwi^HI(k~kb9Yb-}-3yFcp94T3F|WKMF;0 z#bX&vHS}6FY17LX$9nhAMp%uS(YLDeQ|H*kb#|&+jw)`9C|&;(uAd|Almoj1sTEbT zTn>A$0U__yK%o;$t%5V|l^&Bu8J}3;wK@Afj9K53+GDz=R#tVwbi73wyiiGC>X%N9 z-3XJLxGCpo>45tCRE@du@57h6vucz{?){oXxU!VEhwxE#u9#>BokuM0rspHe+rN-%{+3kl+_90VWkp7N9mzKM!Gm-sj>xQ6hEe| z#_pJi;i&H|&D{hhsRjH>DczfV8EjaHat7(~;3K~-hgP82uz21VPUS{uNieyn+6!g# zhFXLv!n(H~=6J;h{I8ht|4kk567y%ztIh$ZS8luLh|;@!WUv}Ka4SAVs?mT^sQ z+};5AlswjBb2qLwbJg*FxJ>SBj1RQw zT0r4tQl}m6C-Xms9eM1cJmW`s)i{?Xz`NN2Z2joG zcN=MqyfK-F$yh<^~e7EK6c5s#exI2V*S>rcmBW_}O`5 zS(K?$Cp52)i(r@qtr+Mlo$wik874|--9qtDFwsD1ktBo}cv_IC4becCr=8nF23TW; za*hf@MC3Lwi??(mp&E&&bvw-dA;?>}f8oIVlVMXph&-Va5CUKDh13CgN6QC-mG8wo-ez6GC9o#|;BU`pB8^{Y2_itKRM0sW?Bjs{o?SyA-b~vTqSc#MuFeSXK zN|lTdDyyY4vB^TUQGfKrL0E+ixSN;11Ztoq*J`uoThJ((<$wqRDVnDqoyw0~S50z6 z_bejCd0b$N*^8Y;BYAa*iuly@ii!`VS$GYVIDPV1#P!vK@n&hnq9m<~B#@ugB<}rf zGPhxW=S9bS%~f)1v|X^`u=ka#{N!b7)TS&78MMS<=k89~b;9_>=s@m%-ud*zj5Kq4 zc0K_<`)mHkan+1t<{GV&XJQRDB+vKDk&3Wn{>Ao6KNmfkP42|8Dd41m*AnATVMLBL z;byWz%Y5CuY{h5aholiG@&lRkXRP^GMnA_s6}F{gY-H0I0`&(oMNqRz%cSwDI~Uy} zatrcb{g4!Ia+JDCjq0`rTEC=SdDm`8t60VgP~zWlIhrLhq$HWL?3g@d`n;%;%#p}& zK@<|jfv_o8E?AL+yZj`y>2{fKW=d0ED9?&u$T#@ZHxbE!+t}j7G$5J_32Z^1(r2@TQuGYWEN}mesg6F|Tc{{*TuzoJ$dl4N&*of*e zZFT-VFZhD58+uB)l(L{wd-8BaBgVYGuG&COgd>X;yCaG@mB1u$KSZY@o!AZbF6R$u zRYRF>uaJoYQEX-V52QJ2!h+)Say6`7iMnx54X2B`nbKbekE-?Y(+&dT27it69~0F6 z$R$xGN^(Wq#}H;c%s(gtCfW;<@;u#`%ss6O6!EBVp-ib>s*5>F%;zLpJ5|e2q>&^T z2qJ1Onir`Bv=GgjhPgv9@C3$9Dn7t{o8Hh;GKt~4$&*2}1Ra!Lp~P$n^hoF8#7W~z zMtsE>Nk)tqM~p~EjE;oWMk%w=C}xE`pi77GDCcM3#J(`u)-Oh2?ht2(nIh2><#uAj{VqWu^sT)f|X& zD&!aBLmJI`VT_q=;6`CLG8TJ8>735GdvnYB&s$3P#o4dZ7OY4z3i4*Wc# z$~zCd>e|Q04Xi=Dn);pfvVh9OpC%;!bL%C`f0D@+W_*q;edBO5fUeQzdncEMV0pUh z1{<(r6@P}u7H}K9qys!o8rui0+S}Ulw1V;O+Ay>lE_jkRJYNZAbvs-rSN3c3{2jYi zJ+J!vGA};Gm5T{n|>-QLIAcX67snkJWIHQqY`++KsSDj#E7 z_cKGTT_$B5Ek&E|*Pb8#o~|8DjaQR~vYEH}Zf4-YK#7k8;|nv}`xo_1wzmgz@cqqmhNHIA?|Cnld*N**!!-A 
zYjqoU&Gn09nEC9~?>PYKc<>i6xV#A=znNIWh+&vob*avSzP&e|Z>*k(#uEM@k_$tE{ z%5(Vg{T0`hDtUFk3WvAlelXd`9P%uCfzIn?%`}VkvSO00_Uu--|UO0z4r~Obmi$P2Uv3>UZDow{5$!d2e>l$gzBccGkdNq@4r8o}nGs3TF$23L2VD zq=;{zi)&wcNrp?-*eTEk`1KSG3D{|`~;6kb`dZQ(c_+wR!5I_TJTI=1ajN8Pb) z+u5;g+qSK}Z_a%<=VgBNv|iTw)~r!A$3JekpPF8l0s|hmaJKnwYPR0@bYZu;pVOe4 zQ>P~MtnFqyJ&G_pUbYC5(mDWT@cZTk7tBVYBLnsGC>W-2H(X zQ>6kSQ!VuGJ+wb;sD-3YqZ|4kTKd;Pn}NoeV4=1vm?|Ak$G3FsgS-;_`Q5~+-6|QR zEa@b?6k@=-ROfmjqO{G89|LE35_>2-QagijOI0Js7+45#oIN+xqSD(J1vvVnR3;&u zj@-7%u!xPbGm{DCajZ5Dp9P;-leJ-Un*Y-BcjJ#~+&i${G_DJ?@W(ccJc@AuYu>(! zaXalE>9Dp`XYxY0S%spN96(hnC>K>;y0rQzC@~QaOCXmZh(=fTp4W(neUM@MEb*L8 zJRF0IO9j;y#YYLrX22-HHkLe^$?;Soy~NmW;8&D2O12ly9^&|!in@&1-oy8I`u@eA z8F91#?1l*RO%!@OZQmntggLN6y@ui}m<$d{$Ko`oWN1Y~JS4s(6|J6cib{PPiy}r< zI&;u<0@ZnkYie~nBFvS0z5r;%jowCSA8j={UNSc2K_*QR(# z3-%?0&cfVkY{jaTEh@~tbSsur9?Pn$GO!L!Yksp~#!VEI_*igNYIxiY;pfpX_+esQ zm%~VvrhV~)uze$HFSiusvQ$urja@kyL$Na$Fec`h;Z(ZDY{=DSe)Y(1mNd)pxuPmp z&-BXC#&ejO*1v{gRo0P&64P;iA^(_B|7ST?uO^n1=g*`*8%Y)9&54A!&lm@J=}tBh ztQ2{=s8dtivl%^#RScIEm{x}nt3@`tcs}TEV83wdO9>PYQ!sUo_@GV(F?ED$v+h}Z z9_NIv1CLz{oupInf8FZbJ3XUmhumxXeBUWoK6Q^rRyrj&sEe$Xma&Ejj?a3nBjy^i zMiODRf&SZ^rLh=1BV&ahA#W&E)TGR9$?;F_r%R919%NH=0nT9P*Jfbf$R)B@bSqo? 
z;MRa6f8DnZ8K=_}KgG)kie2yDQeyBP)zk#~UW{B0z!5Bwly-zB39PSeBsM;eFDdfP zI7&(Y%Hivfhy%WdL5DTp0M*z#-z+Ike4j2Z?Lnls3Op`75|?Z8=mtWKovb!fq4_T& z^TE%;zNPb!tAWvVK76Hciyk>?Vl5dN8{~4xl^O&XSO|BBXUI7F9^S<#7=0Q>M`+E; z;|!;6wVFw}Wty_rO)KpSHIAy?8Kd=QU86v`_fb>aIhYwM8LRw_OQtPJHJ`F2$xCvL z#OHno>ZDzhq8@y7{t3v;0WXG((A-orO6)_P#%LQP3NGiSnN+Xbj6qRp`tFK5M_b*W9JGnI#{N zTwT@ZJE&;<3E!UBD$J2SDSzvf75^|>u8xHk9C@@hHRA{CEzWmZVrMv992Wk4@w(sB z__LL0lm9KBl8EqO!WNIh*YDF4=>qMbXRAn*CD29lsYloA>N1Fh=g$s@82f>66{vSN zpcIrR1p6qA7=lhAZv^$lJl5$e)aXZ^j4XJ!2wo-EZfANZQd3f4IwQFX-TiT?R_}4wX z9UngN3v`b+dDv21)XUZ)J+G@O{z?|S3RP{;+z|3M!kc;h6e+2`J@6ZD@rg|7E+Miv z6RdyM&**SjCf{!NnEIry7CbILR9FL+rfhxAoxzg$_c9F&Sm`~#tN+VFR-pX&rpx8X z9dWbn5Rke0oaED-<>LHOLUt^P-i?=;FuH`8aE>&h*L`PMX`wU)QU|G7)i;pLbd zC76T{n6>>OwCHEIFTYd?wcb;b=|3?yZU4Ie$rN66+a%m|SYgQTP~^k4&Fe9$5%6}{ z{BfK@9E-x_GfS)pvX_k#ynQOTV|MuFXyNZQea+3qHiIBYf6Go4fL+W}M7ZaSS6-$|{@G;WK^TM=ul#6*enZZN>x#}_%KD*sBg zWg4(>EdM9s9}_qKnyb!IY71l8MrR9S;E$@rx;in?XqX_=S=#&7k#&{txX2VG?zCY( z^cNS#gpKiegOx8)o_c)lG8J}>2d2%@<$Fj-{Kj;jj=Tp|D=i~OQsoXmlM1J2+uUz8 zw_mKMh%}F3SS6?RKM~1m)nH%*4lx!%YT&Rp)`3c(2l%g=0b1ptNh`XNb-}?gwhAxdubd1tJ~KY3P(|3My(w_!%AZUt%SRnjK0CVU%SH>lZ z5=C#;o|dg+q+dJBk!7;-v4GX?YaG+Iq$T>!gbWz;Z=V~7Q8P@}E(k{!RgA(uAax5I zMr{4ph~CLs{g+t$U`;N*_fW6>>q>_@0ukB*%4{^<*4ZF#5<2o{A$Wqi*#e^_S$@g4 za&6nlioEDDsbW~g5jnqd4*04-?77G(Ele9ecQqr-&5XIwGAUEze?XaV-DhE$oUFceVgw z)s3s3(TupnK$@S5X(?=P=u4mzJXx7Qy)F?gc3JytlBa06_OfIgKN3hT>`#kCJP=A) z+v24FAEB~97|I*p4t4N0iP=c4y4|C1;7L3wMKM+B(N~Le+w%s59IL<$Ccks0$nMwb zAE-K&!uFRR!McK%CW>pFQsecQtUInaItu1QR49WbXbs}7quHds&$KTJBOnvng zjI-U#jII8{O1v%Z!&TXyH9zmD(>m{YJ1F55MHhsGONvIg;wP z#Sx`OgoyMsW8 z-ptx(wIToWrE_n#NA_pZ4L5h?&9G|8JITwUJhH#-Ws0QXn(bOTe*G| zsr}QnBxJJrnWW-qKZVeDGxT}F?`d`JV=Sv=T4d_UeqzJ#K^^D1^K*5a?Yzcg$Y@}Y zTW=Wjy>s_Y=J*9ip~e16rOIu!)g{1Zyp8$l*mC__?*+P+O1Q&dlz+y(zPd(&=?de@J4{A}_{Y#X|o^X&T2GBnyYYzTs_-Q`0|Q!$zQk41;=68i#7ytH)&y@z|%Kk8=XbBMI;O&wCQB z^j3>jouI>?&Gq7++t{DT$%PEa&7qv8Y^yc2RN*;OMAg9?y zQ=!FkyhzA1sx(Yhl??}{aEL$IWILwsdb^r{?d}8*M`R|jRfHEq 
z>4rw|@CK)x41rw}NzpVV%ZA0T95UOE%J923qvdLZZ4Is(;(+>&WC`kzvzEIW*DkeH z)qZrOwK^pAA|M6trqpIYeE7Ev>IglM1@(Kw$+>59Fuht#zgDHHLQ-HZZ7@0I50*ix zk|9*7y^Rr)=6-mszDd{FzmD6mtKZTN@INVpzlB>BWS6k|{XXt(Q{?$kqvn9W2US#t zKbl}23N6@W(;v8GS~)aO?jcH+z?7h>hbN}4dEVzoi}QrQP7;*~AN~zD_g}x&P(#vp zgu20{iOO2@NER=VYwh_yN;a;AyaW*7OyTr{0>%cy^D#Jy(ne|Hs`VF+Jg z2ProP4{6jy4i=T-E?CcCn#~;)S}J4&Z{5+O7xuZTUnv!p!%7IoamZRW!<8PC))3q& z(fx9cE8OWy+sWw(V2c32lfPg0Ra89b+*N`Yo^oO~=sq^yrsEkoBR(zaDU95eGTVqo z?4IYiVAX7lt7kFx8p}o9)F?mbxRyo$e;3nLF^PL1b&3~ky{N3^c&hi(2PH&MFd{}| zdCAPkNLgxSDF)b-3zUA`3)Y5klt@#v1o!k%*%!|1GpeI6sEqz)Ghri@cB!0^D3*ik z{7RfWGX9;jH&kmyV;?1z4^B8_875NrHw@BD#h#mk5Gt_|+g(`)q=*qZB1x`@RhFW;#q#FNaMPxD6FP0uzAJ}mXLp2gtW^{A|OIT zDHQEeJ;R={o*ZeSC5LHE)<|2R9>o5UtCl?WJgiSW^r-X2B(7hTD!&IfGhx!)t$()A38cy8-@K!Y2lBA#N%DMDk3jAih@LLNJSB= z`LG&y$df!GV~T3%fl4_VbufZ6bERx| zMnYC4s7*;)3XGX%+1f{G|1GbIgqYF(U+otFnl51z+7T|XWAnG}oZbphf(pe$q_*12 zc}IDB1_t%#K!QYA@k5m3#eti^hHJ`Zp}MV#?m~t2a|LtZx46zOz*>Qgu!>Nx{wa*v zR*nYfkjo|Ui|iq(-OhL2(|_hbaM0y))#BIm{@ikflGm}@mjm2sF|DFHeev7I{m?-YqhL;`tQ(DJ=IHv^e|22DP z+w7vhOxNow#u(cBp85-~GZXpV08TWEF!zp-^)JKvQ!7vez@KuUmka7uf?GLq(&#UM48(0NwP zR|a~^oJz`d6Yw0?uyOOX26*;54Df9FywvxI(#X`@$$#a}xeI&0TYNqmJ8|A|gT3nA zbU8*s2{?aUWPUq5ylmxW@LR7_RPY&@qT~#P$QkG1R>y z?9N967Zk&j`*D9R%pM@a4wwCvS-Un|1(Ft;2>5l1a3b6(Cy=n95MhPHtdTqt5KnnW zVxxE3Ub=qdRBSU+&6*(M38tVR*;*d!#*3h~D1^ZZ$;5d@PZ=SudRWIrsgL0Dw|Yy2 zFy9WFw$Uz3oy{6;Fj2JzGti0CkOA5hoxGQnG4Zabt)|J3Ro7%aQpM=hTIQ-OK_HHu zboxhrBP@HUsFinD+U`n+10)6|Vb1{WB?4xsnhOQ`yk9CUqTb-N3C8y@bO__`ax|k7xfb7x zM&@bh`R$7xCGzgvweZh?xJp>eHp)rJD-nE)0KDejY$jR^Va|JNvYb9i@j~3B3Ch0+ ztJs59_BL~M;&eHPA((0SvPOBQ({d;n;8IOI)qg|2&l5h;vrZ?kgKJ(csSe?av4yfD z4rLiLCV9HgA{2{fvRiI)Y;u|PVbvasQz%u82{o0<8x|+cE>yxl`3P9Qt+K7BetWc+ zpj(Na1*4Tezt4}v$~Tza^Lf-^8gX~FHv}6pZik|46)NDq2%bLC_tc8FO+|(Z1+ z=}A6=Oo>%BCmV9BKW`hDu{T9HbpBI8SPb44zU&+F*yzkmZ?p-Kg*0ZWccH$f7OGl- z*M?{5T$Na{s7?NJp)_7Y1d+Sq4Vas9B`^QOQMK;yO%5Q+&7oL5uS5R|1xzqlFkrX- z$O576_nPvogY4?Q918;fL5!H!fhfLoF)hh;*zE5H8URZ0V;hWjN7BC8eChM>BAZ5* 
zDLd7+BE%|QDP`0A6~A67M~0w4sR&p4@Gl(sLhDXl*@HVv<40JjoUb1&V{2o~ zvvW4Ix`cRhaI4P20o@{ac#yLQ`uwLgBw9Ep4YR1X(oezMO`8(=K|)go>T$77m}t#~ z@Sj7SFhL?|Z9QC+JUMfcm_O;*0~@q0Sz@W9ec0mj(u@sZF#%UNE|z8MRnJ3IrD`&b z+qLADq=U4EQ%yy1xcPQtk1XsG9hIU-f&hca9~P0LsHSZ_Ewi!K3HBII!%VUS8KFM*4P6VCiptH4}?-(x16y_IQy|B$ACllv~E(HIyBdVUpl)%z@E z$#}wkpH`DOPF@Kp{E4*R(%8pzh7;Bh@iy4YyF(7)0mFzIjPm52&vUVokI+P?koZM% zO%+wP)G3NbOspX*L!FU)DI|2EFqjyUkdT7814{{yTA}4M6R;^_uVb`k6rO29RFF_k zzgaX-sc!zOG*+(#3EpO{Yom~at*xO1IV-CI`y>}#sOmOhrAnt=+iM%)uxq?QQzDT0 zlL~i$I#_by!#x^?^LM`b3KnMRwntVxH{+~XDZgdi>r$Dl82mYy^sD*VINR0s^`%@qiD~_mkhoj`G9>Td_f7t zn3zaHgL-s$$_ab=_Qc;%y4m<)Q}VfHv*|m2cmHev$3yICyj2hOyumxTH$*STw{2i^ zzxY)CxfhHPDAv__lfu0HafdW*+jjitJSTo@eW&)+Zr-rcY0TaQ#O8YtT#*IKr1kuA zNwUJ~|8mIvtVb*G>JgLqApQ_~w{cZf!tJ+{bzVeH(!K*^eC~c(A-R2u!bLb>0-4BG zUDhvFHDx&%T#;QbnNbW zzijt!;f2+UU`FOuzf*ORk2x&ZYT$>jU&x0`wvPfZJ_D!AdHl@g3pUc|AONgp7UaBM zqCfHDZhL%L?;vmf1aFyCH(cj<+nw8?-!XZO;zHAW^S*1iN8bGMVsU?bh6Jn*2;K5O z3kZ2;qXLAkrSn2aKEsB$)*mWKw(D=%Yc}o)9FqF|o$e60h1+MVeSG(m9wSf)JNggU zTqoB{G%peDK@CVKdiSu;o&{t@Ibe3cO}FfiT?FO}ME&NQnG!?4^KsqI`elc!8X>n4 zG2LoDP$6ergn#n~^AYh)X48>=k7_4Y9dpny{M_>1{LCe=w!aMluw$*PVqZTO3II62W`iIa+*L&By%9UFH5Q_9w;2777A4ru=_#n z1^N+68!@&RqYq;LbOeT@YZW0?oBfncT) zhkF0Qoydsfj5}AE&EE{9r}329Q4H8JZAR+4(r3i*7er zxBp0A7!|a+UwFmZX{49%6Sd|z4K~P79wjp5L|8*!WamRcD)JSzdYb2Fw$!=*YOyQ? 
z2Sm`x!RI=LVthh+n)!42@Qe#}D9ZK4rnwOOjlM_Amk7!&3ReB|{8JcM+pFdRLt={f zbIcru2#s`7G;7&gqj=@6P&7xez00)s4s7}k$y`ZP&qa-ECiBmfTwo9sL^>+mk{hE( zzAVl*{+#f3oI&*^~I81(;qT3?uv zK_I(6o4G^def+*Fk_3#XJx39OWgR8^d>0n=rLzG0Ecp1 z-zTe%$e)eGx!lARSYAb_HRThY)_Mt5^5BNgGAVLXWn27y0MY#f3q`CP&MoXbMRYKg zHkK#7Vlf(OKfANk;RWumBJ@>`6B+9r%+X3L-OVA-nM^1|g|f9=?NJSNrWjLLHg6PZz(RviaA6O&>D0pm@SJLX$wD@@(}Qbl<|rrn|zFt zvsL6Fk{dT1R~WGX%8Xk>!=>5pN>2 zEMiJXc_fTIGi^@_rST95vspH4nFuNk;d2a1d+l+6_d_|mA>~Ll)UrY?7{-*Pw4@FzJ&}K*<%>Q2jiJ2T>^c~Lym`?}1xDLU7 z9>)@FYrVPb2qUuHV@?QQk`#alfGEHqf8-BXNvS`gPKkd&lR$QdNx`QQn1HQkz@owW zyH9(U+kMnkhnr+~m*-{F^OuF^`~-3iXL9v*5XnIIWxna2A7p8fBK-I|kK$7Re4Ok8 z$=f7ortsb>7=<|`Gq)Vy5M8zVm(-Yy|5!5LF9^@L#K;6~7EST(5MRaO)XWjRX_mbP zyxQGYEPqSU1eLaB_wuQgIBn4r0@v=CqrEo;3?%#@_2G*amMrah1+M`;5!h z=>ldu*J`Kwr#`q80qm{#3-{i!lq|OrP`=j2%{zgR+pC)k7w|P{msvy5GiS}q!mr^@ zG_(8lG-XNplGDTObkV{7<6f-CB**7)gyh2%q)E~StQoi@h`%ZrHn20m70_iW1PJBm zc$$~EnqMF8O`WJuce^jkd<~p8VJWox*F?Gdo*(MoUvG6^lA%-`X89G>&wji-w1#!N z?0FoSgjLlW)*ia?qs(b;JdJ@1``%||BwI7v>3=l!r`=4u)NI**K6WR74&NksDzaS{ zmAfBr#6p}~?rPj84ZRK=Igt= z>T$`ha~bZJA_(wXcE`zLzfKhEViUaO*Y$6InJ4eM4QpR&eJ;A-a&R#5y{?6xvqs>0 zoAXzcD%lFyQ!UV~(RMuZp3bftW@0|xfnD~QH9Ss|1o)ojW^K)BxD5tv`95h*6RuDg z-Uv^91PB8ImViM4wIG5&Q(seNCLi>``CG|3oEp%2wGU0aI!p|$_o4$i6O;NPe$cQ#MQi zt0KwM@7kwYXqV0gEQD^hicIa`ihuUQrQ;wVScVGKMxXhei;Hyfu<^}0jc|60V@1!U zV@`M^gb398g|aQ=vWTs-3e)k$X(<<<)BX@*fDt}6ap?E;LMXnnD%_h45qV3;xz(Fb zjvT(xWMwEUu%L<};bZH%R;B%zRieYMMRR8%E`1p6f|CdqjK=o^hm(*ex00JnB^+i@ z!O8>(RIB&cCaO~hxzbPZJImCuCeKy+itQ1Avj9y$w_(6G?1HgX$eoy$(@jm4Tx#23 zW2o!mQpi`6B|P){mBHWz7!T;EP73AO&fLpGmaF%5b}TJ6+B)=3Wicd&?&TZ ztfi$HiqS*M^YxY{2_$k|{*kS?b=v5*Dl3!y$u@|ULUe>TU+twD4aQB6X02aOJ9C{g z_9;UT43cl)R4`}LPzFcJoP#t~V^^(`;i!sLGbnf*hzLZcCgsYoE>Ss*-Fv^`X~Z{a z{mI4)RiR5$gupr2XZ%w|WZLLXf9fB4p%v%LKoX3Z9bzzKK1(c_yPoA~OWgg96FBn# z+8&lO63dTt0OJ8>XiqvSe8Z+W0NzJ+ES#Nf_?8u!`!_OsH6?3Yk)+x7kICw58X)ye z&PRS#Z_Ay>?jkCBRQhAiSD$^|`~N(Nh%c~LJd3O=|3QmD8XL_uxFe_VmF7=B+wc7v z)SESD`#o4}glFrEb$C%lm?~ry^RCd>BX!xZ^r=7O+}cV4$^TT4vtR!ynNyi$;f!~P 
z4v*4U&ap&Q&Si9xD)f!Zm5jE^E zZK#;Vm@`na6ZSg_^`ro+?3wTo?0J9^^2>0jBS?&edR;1m4Q3s32@B>MN(Du4+(Qm4(GOvNT`BgK!e z2S<;zN>|0=MNyM#sPJ1&nK62+T_4J?A;PuJRv*`@5US3o)o_doou7?~pJ2m7@PMBQ zNd8kM9-~0&l$R*dYv&Cnj54n$`}=^&b7uBhmIU{%J!FY5)0#v}k!j*GG6170KLxEc zCMlVojJIBhSrWp-#JQ4RqSYyYwfHr+c=)e6t?U*9t(ppspy*7UYY_Wb< zmHhVF-JMszLl>aL@r>`>!1cjq{9~^b`hMvvE?|7ir$49LmpB}YiRU=FqFLKSywYnF zq0d{G*DIpw88jLL$QsEItb5d%7WP_!R~$mIed-U<6d)(|y?QnD_NyY{fTz#$e}|ME z57W46KZ1|E26v_=&Ug>xz_BpHH{VBW2PZv@cQHy%ywCqxJqo!qjC^!THoB z5q!mK9dT0??j}{@e9`K$(K6>qZrA*(5Hx6|yPd-Gx^8DR1mRPBzl$^>$ypBWTO`SAzsn}Smz{-Q}hGIyUN2(aOqPxFncyF-7chvh@J38P8ATNBw*=x)am9J=rr)aLL!{P3wQI4`4rdFk0fhkl5L8 zpX9xzUS_wba?AG{K2KSI3Cr##xZRreSOdhan@m+N+=q4DJKHy3s1FB#o(_vEvfHOGgAG3R?anj1>ze7EOs;O)Ki9jvC)>F*X#)PxiC>r)qX_7l*?2Bir+aK^@~7Q;>es897pfZF zZ@~ncRGuN9P}(~AFzZ9BUV`^cF8#x`s@Pl>_9~89M4tOdQnZCYXDe4@ZF1YS#rJ=L zP@zQ^yy7HFlKR(#nWA4okl)y)$VH*;>CJ(Ol&Ci74HNQ;G<`#GnxRqc}G++c2X zh00>uxK8u5YMsnXVb_W$MS9udU)4)l*0|EQ2e%uH!7|C?rJ@+lSD@a1B!$J`zvn{9 z3&|mz2I2tEB0p71wiXRLJ@omL!T8L_isvyPP|#vGJvT4d6?*f!@modGsODS6JgI~< zzjY$fT(dq{qpCu$ZS5mRk~>6A=<$Lrd5W2w`0&{X8SAs~t(DG0rA-OhVLu`|ByP+MLH%5d?si`_0h8xu3f&0%<^MvoVoUGrc zPgc{$YhuRHS!fzvE}gS&^Whc<#gL<@6(RyJ4Dz4%R5s+6-F*Iv1|e%#)jCFc26BH> zdDI{&Ea|#X1Y?CS6+ugyK;$F+8j2e)pLM-qGBxqb8b2OtTw8i&)2!wqYcaq*CaM}= z%bU4U?GML${{2e_Hvyh_9jnM7XR5=9((>;55@g;UI(IAdy#p9_iN|!8a}aSXEZexi z@I+!N-N%p_Soal1bjcJC_HV;u)|Z&P0h{pfz16=YmR=H0;ZY0xh!@VuF5sj|MO{4y z@b-wWNq0L}m{#YrF4*jU2Ac1j{idIn2UFa|lD*(}-n#8A=B|%@^#d4d) zf9eR;Fn`bI2$h6Oa;>k2b480wWNkHgTX^f1&ioo%%Y6yB01Yj@+Q-qV`19uA#VZ7! 
z;Yss~m3EeLsZq<5+?r!2raMqEkTxQqRlZ@V?>j@UsF2Gr&7!T%wtlruRQWtng$dNQvV)3!~f+}!;?=$somI4(VenmzwUJ%7o;u)#d=R|CH{Rb>9bYWJ}3PmLtEO_VM9k&8D#WCoO<6)L~?ImM2P!VL6w`hegmapk9 znV2*BSaP66ex8&JaVWvqtY4P0z_ii~R*v*X#^n!pdsbJ3T=~9rPAoi{UX#M+q`KwQvrQ{r&Sl6IDH5&}xtMDz2A{&oFVcKY6IBAGnXg z2VZs;An%upn$*#ImR4e-do=)grNQYXlOWQLSRH4}J^f{+<0xX7r0yd^*lRBxI^}Zz zqQw_f{^-Gf+?s`5NeDcgU5?g26L)w_XnMUeP-J*NGF;xgzeRwB)Db#&xNMby~lHio$s*5NuE~v zLi!pYcPggoV!jfjn)Y50*y6|B^#TlgexC);$Z^?*E*Z-3dyhqM2#ldgnr_)ks)%VdZk3JE ze<@g0+yu7td-xtL-L?0#myY+72sb_vaPE#qJZ*dib80*<2e??=XVD`Y^mZTk-~YW_ zZt)8WGg$rH^IO)j>9y~hjEX?$%ih3(P&-}|g_dQ<#ksI>(k=6gVoZp@ z8t5-1olrM0XyjCbLEQ$Ubxc9H7?ewLCOpWz^(s6_EKIABmA3wCma-Bg^5v#}gXWvU zgx4@3OlVR-K&YL-Mb-6_Q$?#(DXN(4Vwqelt+h9E*@`7`H_>85()U)X)@-|7vEk4g zr%^$)O;NQfUZC29LEM=az!Qbmn8CMd3c{5VtVa)t`3r#~J1$w3~u zNs92KpK9d7$gyV9+(l$CKx7bdy3Dk+7W&mPloMAUm`p$BuyB1&!Iqk$p|~iaWuyh^$b(an1yraqPWX@ zTq|?ZqDa23B?-ZeGq4cFB~TP>crNib$Ed1D9c_I%H|3acyq_e9)VvgM4X+ISec@t- z9}u%+(Vi;G5XpUfbpn^9uPp{p^{yh;s0D$1-@bzr^YsHVY!r0R^lDOIAj+o%#EUXX zzNbltOwC!NiNB~+hgn~m5B4S2g0t+WEz?0I#dF-LinAhF6OF--2yb zg}JT&U?mBhi@toywVYunE}>gVZ-wZXc&1NgTG{EjxUIxVU?(dRYd5x)Bwh@w@HChk zN;V=8U%`>e2o-cU2U0A~(xBtZfqg4Bvc6>980=}8`57UIGl#$vxNBP;4IL5+&J7*7 z03Gcy@mC%Jk0Zx=Ab}+(CphV6SmQW&34oeQdnpwSAs$lQNvIcZk7NyGcND}hpZ)*h z_Vd5uRzIGFKU3R^0g+)AvIgnF*wvap@5ckIZ+>7Lk%x+x>yd&49*VJim@I3Wr;hqK zM(;AccKL!Rg^HjefC>-|i@eL|bQF5-TF^d0T8SfL|>lrIw10Ux6 z^VDWkJxd59*s?_wZe{j6**6tj#X6cEEkVl$CEVK{f5#sUt1RC-0cwNDl+7CdOc}Bv z$$U&9(8DWqUAh8^obgig|2+b@!elzcETp1OrOXQcBA|C8xAmsR8R!be@ zaP0WdGR*<+l|dH1e+|ZDPqW`=2yAGpdc_W3=FdP+&A@wyFLnE8JlL=tL#4fVVNGxL zddx}Y$`VQa!qa{<`o_8R7e(PjW!^$!YV9iwoU(T}{Bn5O_nrG%OLEaDxu{1(?F@i` zwRy9S1e%agXU^cB3|wfZ6gPC_~1^-RHJDXE@=2fW%!RQU^=jy zQAz4F<@VA~@k-ixO7K}G`JuyqD<;Fw(ymDyMzLOw?*5=>r{OE zx=2-3izDRc{|YD!CJ=pF0VGnq1nP>uwE`JgAU}N`eTMyxed(ieWO*F~ihU%2er-d5 z$WZ_GDaVHwfQ&$^=TYm(?RUk8TwS32uyoi7-2?-h1Yo%$vm;9Nr2kD7!Bo6q*DerY zt8CiOu0Z>}L#sKv)vbB6Stvbqu{x{$No-x9W8kqS;A3Y$x*6N$nEgrr_Vqw^f8PX0 
z@3EI)-C)Vv2RJxB5e1HubNg~Jpok)LT$!e6>oBQ9>9k^lll^&1Te8`<=igp;N(2mohl4E5M`tee8db+dhT!voS@WuZ5~-Ae~=a_;Ust9G7TuCG1n zdoSCcvQxIywSfuSUH(H?w?R3D9-dc?l+*n&UIM;*r*pHH>nUkf)4pcc(0{+c1@D$c z3%;ib@4C;nu0smKz|XR9ET*Dgbyd%M{i_2nJO z|LKf;R$iBwL+;O?Ibsh3NkWzo29f{n1P#j_Zy309S=2NwQ={}AJ zi>+!?Qtf*la_#V1A^8q`z2PGXNIM4A+=4Qma;DEfTuq?qWi}uYD6T#!@Ga|W@Y!7F zZ{d;Hzp{buLJ(=rrSNtq&>^9pP!Y(UeNaix+p6^iF-`^{mX|7^xV9Y}bVi0mtC&te zzxyO8$Il6RKjAn|uM%U4yim&hQp1x3uMJv`P)o@jB3QU#79nfO^I{I(NTCBH z>?=nmnxG-e8Ai=4h{E=+YKyzmz>U&H{5Iv^^e;5unucl-qCcV!n?)Q_0X@6 z$tQ{7f)iYfRS+Q5SWb_4*@+U`Pwl4(k@DRW#_$Zv65Y!EbrATgs|h;8jRp(&=IAIo z6Rn#@K6p-(3nkpYn*H%5!0l`g!T4i`Oaz+3Z})k zdS;ZA91_vVFJ~Nrk}Kf1ULIG`Rp6P#4leXwl{oM!oKbR-A|o1_h-Gt>&97&S9c}h5 zfY%C~r8(Q@-LT9sAx(HZ_$K)vL0*fi8a`a=PSSMG$Wb63E~@U-!tl$Fe({l@WgA6c zf{o9qM#@RYZ{VLZ#1Eg&KjhHZT03u9GF574m`Xj_U-C*+E||R zYo(pZfy0LUL}ROm0N~O3)sFpmup0f z(5T8d_pwwX^0_%23?^Wbl6Tgw3@oULWBZVWJhU^2z!cSmV8uK0nSHOW{M|`~p;=X| z4Hy=OcQ_hB=0fDqr$uH1)5L2pg5QwFIxYUzyw8^r9rZ5C8IfU^OftY{FFRGsfZ^`F z**H&{9%PSo0T@J%&}Fa~`dyvxrbVra*_6H@og0283AKAv=szkSU!{Uq=1Lnx)bd?y zM9hE1;w$Wh0h-L=6zz9DIn7Y6EPNOhNz}1dlM6Gr_tz<@4fX6OMFiQ+&ZFcXZAw<4A9=0&KH< zW3YIQ@#bNo#aeVLTx1nXvtV<2&egywA*KTx5u$j>7Q+i(otkA*{Al4=c9A&v3hlP= zL;No(@<#T5TzzAEol)CnlQd{-wozj{4R_GkcGB2xj2+vyZ5xekXUDd!J$c?^W}Z3b z%lQk|y{>g%r&38*Axs544gSqTGbzx}1h%n%JLYp|YT%*wvrwVI#T@)vRop@^9&Z0v z!CHg54f;<;q7TjL-eL~^XGSaAkp(JxC=B;rT!ZLc7<$x_QYs7yHO1WYz9enB@QA%$ zv|?gi@la8UX_(u8;e!CiH|}$^rk;Rr8zbairwFURvz(`YCXJD92ezxl_2ayvJj;C& zatLpx4tHchF<%AWg5M8)rg=*{Cdff!0AA-uH_p!A869_MJl`E}(@!3kI`a02-bc6} z&>eNVX?|w@RX>1r(RS;1sIJZ?u>MlS0sXQ?Ft@3}#cvxbJKAD@8?WnqQ}U_KS--o0 zc&xI!^7t?Kg5N+n_4GyjtVr*X+h@R})&efS(-FtIF)(@ZZ8SAe3a2V=(t^!V6ETc?v z0Y~(5g4Z2qDH!h=8LRCsN;lKJ*P^8OIo^k~Y=7;Rm`(T&k8enBYz6wO@!OAxIa8gr z_LzTd{}{gx0zw9yedFmf{a&|$L8MbZ)``>k@ZeRP(Y(gZ>azJV<0hwFa~7{g9|YbS z(sXrtW{qyM3v@yNZD=fSJ%A4N>fadJD?6?JrnxJ~dtLWIxOhu?9DaWZ9%iMz-a@58 zKXe7i>^ZScH4Itv3&5@jXAT8T+(~(3FXvvA!*xIkXmnhy%uQyd)K(Z+%9q1 z-G=Bk8%}HMd3Xzau?Mc;sdY7Y+OKeSjo*Top1?@2a^K(of;nBwz=!`cT$u;Is=iE~ 
zgZ;$~q0lM8Nhv$Y>tNV-EAaEhJup7?D~&UfxPfL#gX=xu$ly6zX~f<-R7zi@K#@@j zrhEnF&tQ8XexXxPlB}iv3VQ>*8tw>|@MSuAFtV8H5XL+*RiP73ZlEG=BfeWeO$-fH zAD1FzjzYb16uA<0?jqqWltspAi5-MNhvKSAq;8#Zy&ZGIswe*Ss6^48j7=%#EZT`O zaG8$dR6tf(C(zP2Rk?7c$wFKkrxl;VAFo(CseYeLtAsYowg6s}L-i!#-M$+oR$8fQ zFOhshwhHCsCm{RyXDQ^ zL-~!toC4ye{22vt%exfLtti38($nDXE`*`6fm$w?RC z*l5PWC^cuZ?6}nc%?BYw`4Eca*ux2L79SDD3B;ZY&-wY%QyH&C{SyH_fKR2xQAby@ zS1605pRPzr_=qV9i%u6;UK}QhJbrWieUlmiUy~NIGAAabVA3nq_gS9;vV9uv^44aRP!uiBg|5wSW-eU!c1o`dhnd<-Dg!RIs}KFA@q}kxrjb2g4O-GWyJ@jAQx_uT0FdL{7Dj zN)3Uz0SmQ$B=c@U(4TU&;yc$?gh9S~I!TymvzSoHL?{phbs^khRBq%aRYAQdV3=xO z$6hwTrZ1jARYy2rnSf@1cA`j58=WW>qcH`+5e_RsIX98_b?y&TE{!9LZm5ee;q~*# z_xSmKDjBqMQJ*Et34GK2zOJ)9Ec=$i^=V8!R@c<#gSNV{tqQ z8wR9(Rq)BQ%E<>jQT7Z167%wR{*AT2W3O`Fk&G^3k&f>WlJ*hDpX|}*?Jw~C8%BP; z3$Yo{FJk##;L*pBUB_y-gaNaUu9bKrU7gEij#Q2+)1*jRE1ez4XP6)z?oJKIovblYv^~EZZ38`sE$>eCTqmhCQpxO*C-|!Rg5)e*K3*RNz6qC zgGUkJg5MDo-?dgYA5vgNMV@5A?2LoY0^Q(;Kf;^D0s6^cmMjucx-1lr!zRPn@}+=B zzj;>9Xh52B)9MZbIex1?#ax-9o{MfU957~bg+R-}$%mbcL zuIaCc;Co^NWwv&ffy=-sz*V%|F+rBwneOT6B`oEc+Xmvv*~ID&d-Heqr{mhW>Wu95 zqjj{Gi-95A*H~)pXPz{GTVNwtJiZv!CF3T)C#k%{jmd#^bJOx60=AwtOY1gT=8f*W z%p)3|a5>EZuyHbtGeJJtjrO+Rwshh6d~?V(^MmN}e(ZyWM-M#w6QIN3I5Zob^^kms zUwt-d#iiQ>@-PW4FSM4`aPIR@Ieo}_9~6AG?V9x9`Ccdbvi6Xx_Rjm{{qmgHV4Szy z`JSlOiRRkmwc0^B>1}W-g8~ZG-i<9kS?Yc^IH^II;@W<3x>>Sn8dA8bxOaKq+9oR5 zfYLeZy~*C#aE+*KrBvJKX3X$>C5quBN^#usJ8e$Ecu&R3PGL{gAk;$y&k)UeUqAgA zn$k7yYe&%p3%m3n3_kRoRz087fQaTb3|2p;0DR!xCFjhCD>T?v51Y49r25gan=!m% zde^rb%y&rpZ0{YUNF_pc_g|Ty)w0MfA(0e6} zws6mQQcIHr)-l|c?tb#P$B$rg9nH+jefE*DJ}OoY+&2~7aeLLc*tWNLyHMP_$7^>^ z!0*0QoL*_y(tewH;b^N2X{*jsM?+SY`?QPw5`8IsfGHHl$*>+4ByRm!KC?iSXV^fHB@J!k^Gk4Svng{* z21b;bN-Zdw(!uc-wZTUe33DA&;XzAArM4-}oHj+|=dC5xSrB|(ZCa_ckZ9K#!q0;% z?029jt`#=<3Y`+2BVW4ANnJ38S<|FD<3p=Vkl4&};;F)Wu>W6R@L%IGlCtoNsqm`QwMi*;s#PuR^Ux0D%7L@?I>`p=0H zDs-f&g4BKR#zMM>fFu%9*>B7wh_a4BO%5wim)*Dy8sqi}V&;%9^w|09&xH~y<}d#J z+c`1Fe}67*ml?y(!L)YpDI5Ngn;#JMVHGakd%PJ+Q07d8Q6xxIv|Yh2V=B9s_W*76w~iMg7|lIE%`hha5YV-$v!)u9Y<&vz7JiV~ 
zH=-=}^Ww{e3!iwE(TcjCk`Jjn+97cjr%mqbYSdf%+2$_d#y5zGRhl(uBY7NYj2KC&?FQ}&Thg_;XTBP~}4)Hd9 zJGiBUE6L%eytR~aEX-oSjXh0q(@>{wDneTh=1`E&A-t0?{Hi#LkkD_+`L<;FFdKNA zBe$C5bXWMlb$hjbL~^EY?d`*4a7)mvtWM|CPBRr@9>cGqwghDs1`-uCtb;AETW|PU%1=+1$PF_1a?gW?GRs0!Gih*7Vnp*xYPVn znMmiioj*S=09qYS{ppNeqd?g=_xG=X%yE89ki|@{;ZHEr?%*l8B482t4>%qukNa}> z0BHAK7mF6gg=Bn7U*16wJS;droC;>-vs!oA037-eeSaLmRt%&hs@I6~6Q@8Mx$7{7YoSgE(d^vn6fZxxA%ht&o|-o0kOepVm+ z?l4zxdg1s+&w0+_5{>Y2_0SRi$ak@?kv`!;)Oj;fE{iwutE}a`FS_z<{pux&=bXw( zF3tNQYtrJxcT85!CX}B%!&~#X=PY%~n)7av=bB%rYeL&=x1A%UX`vLjcF4J{d4@iA z>Ash-afZU^>eJ~FkAc#CzOcUJ>ai~~On}_7(>e~59z4Wr*Z-JT9=-(2nCS>A?L;8F zFh2CW^kMgK(c^Ggv;|(r&%@fDx1Uacv|S%X3tc$W%O0k+s=v2?oLR#*6D~nBcG(RY z_#i(#j8`61fwx%1sx-hdhY)F@#il&=0)5WfA^?N4cg?k(C`wbaY0-IKhj(hC( zOy|e^KUB2tHy%<)^UrxaCZ;>{-M;vj{loW=ZnxgIc*ovblldeYxWNsz z3*%e>&|CD}qTXYno~}r?yZ+EbHmiMAD4T2Tm3^@EQzE1$He1cfeg{rC~l&Okba{q($+{-tHcii zhLK#A7BrpgxPt*y}9AGWAcj>2+9k6K78Q5>qn!V%Ku zUV%y<{IyiR_++ucGNZhXZvvOIyf-tle{-v>aQ+<1#ya_{#FWgKNcOfu-?aVNUD0yS zGZOER$D~T8E-C41+?%^tIV20&?l~@l<5jtAcGsx`(BCS`B56pefe*z3C%psW+zN;o2=S{^=que` z8`^RzV*<&QB!4oury0oEPGtZXB#Xp!=FC$S3z*r-9T7Ba(CuNg^r-V%Uda0IR^A2u zxBM&(xH)mu#5c?HaY9JQX;8}7^szEU{x+2vq$&2%RiG4Zi_lj55w?Xgc#at(C{||H zR1vbSFbL(&&q}EpI-!r86vA{i8izo%jg!wV;33RmI@S2P33+1t6I8@fRg`*6>2Fq$ zY?5D-At1y`P!zD1?rUk-=iGlpp-{(5Ag9q3kA%?~v1YA~4wU(KBpc&ff9|ckJGY5# zdS-=7=V7Lcq)f|%d6$scH_zeH)^nvPPgX09xG(Tx2+*B=GQsf0LL&tr)|iZbt0XbS zM#`H|QSzBBh;;418*^__3i2ee@JgIYuOA8Ac6y55#)2GkyK!8#{8*|a`3SeO^x|1U z#c?Tvz@A{&bDm&|HJ$ZGEcxXbIc(BG`endT0c+-3k!Obej48BM0mat0YCRvLp&Z7J zR`&I0o7P-|WbxK$#9saa;Tl0i-0%KE9b)mintY`4{XDd$A0=mlxHvLyn!n4D*cUF0 zBrB340`#54bAQk!!sP($3bB+Mst(J>=0F<&81A@9T+R?NGZo%KuG zqt9BHq}X-TWYd_0{YtBfwJNU~R<8H`sgL+4oiA5Zlh!pGDeMBt#NK_(ioXu zPEg_?6*aaO(J6?TUcnEmGYtw&*TrB!RC64{28sxwr=>@&FKmC2Tcad)VDOwyjo_eR zq;dSPoNBXv3r6AWaHOLTkMEmtnOmLeaLqH_*9elfnL~so zH!sxyx_J%CVWo1DqJBjO%SoAFSw_R$^Y9(wKl0}SCO`PfI%IRj@f)RkORoeI0kL$UJRiiH%ZUr%C%=Cozo*jb&-H zzCB#GLua&43wD5T81*VzGyT7C2!11GI?~brL&%eCA|*)2!Y_}gQd 
z_M#W>lHYOInYDW3z*!6Ayy!4B#cbo|&uz5nzj*Q8bJe33P!Frk1I~;`0rv#!cvKc< z0X&QQvb7KygdQ|b+q|N>{^Va)QhtcoW&gPFaOh|`!Ah=Z8&{16FuCkDn^M{|^zZ@S z80@xg_B9Yp;3{`nZ{^rGcvpTMRdqI}XJr_25O$4s-b(KJx2k1by&XSR-mJv|GzS4C zZWo5guFD6>8?+nE`usH}RvAyXy2-njoTs#jkHF(JN1%7=^Q{}o$6pNso%89RsvBpq zw2V+{9*CRn>l_suodQr`x~np@|bjRU+Ns%7?F=AX+(|&d1pBvFTtQx%76z&Ox3a9WZGRnv?=~JoC%GjW69WVy?VgX!oAZ~&vo|XaLxd&=J;nNMm z&UtXz%9DJy2b+zqsTaKC(?XgsS&$l)uQ3Oi=#cn1)Y-TOrBENl^U=>kGgi^|{30wU zh*%i-N^>4@B2s0^L+zR2Sn)LmvOYdz(74wi7vcUz!Q+UsM$rA2fK|m@*}O2nq8VMj zEV|NP?UP3h&1Qob%((fK9~$C_!#ic#rdYIu1}dc*C#9`I#Cf^0rmPUzefaRJrN{Et z%b55DSxLK9OlfPhHZ*hk1K)EgzA)=<*EeBQ`_^eronqP1MMhIxak( zL)Rwa4^IX;fgtaPzCS$?;nb;MVS@H$5}5dsZ3H>oimVrhS?QY=iJZJ7)Gpm9QBvv) zLmM%c>ZfvaWk@4SG0T!FrEiT9aQ92%@d-WNfftrZl*8KLT481aQ($0>axe;3CEPfm zMxX?1Z~40xQ$0DVWmJzULzpO55$}zm_RnZ|6E7nOZkX0JmDNf7@2Ik@))*8da1DaD<5Kl5K); zI^#qfl3rbm8lHTmQ8WfT3Ufar39dedLs%*>3_UAmzL;?{+l=_iiQ|S9!r=$Bl_;1JaVJ!PDt%*(9MsjT zX;8uQty=J&sFyauR_Jq;1gr)Nc6r?YXQ%$Q4#X}8YcW+I@33>zH;CsbDbmZ2z&Q2H z3XJ%I><9_in8dSxcV|JaSg-)b?^))ld}^+zr}89IWZ*T_rre<_LR5S+j*=bszs|ah zMW$gC2siMH4<$M%h+VN2ps>JCG|dl+8=4iSF{%Z`&2Ont;1H1Fv7rC>$EoR7ZQj`X zHS#pRn33Z7_q5Sk3VA`9NPcuf@Ogl!!KV=vAuoA^0>9=GD^ajD4olP=jtW0RKpZOy z{-amFWD}&z?&7wwX z%FQJFDNDU|uFSQLC{OlvdFDj&IW|aZeM%BSy|Dz`E1AT38r|8mq-Yw2nlkOtgYe;V zEO+RBRm~`fnxoWXm7HAR>C{8^CH5i{VC8Ab9r6i8h>}njQ)-x1lZTjVI#?J|&rJ%8 zc%+OO&QF(|?#{brNcPH%U+cgIOfOPNI(Bkbw4uXO8Mdn0oLFSnwRn;z?FzP&scqR= zy~x*!8}}+V`^xUHn9TEyC&V=Tytd{q=Y&CAy=ugtwwdX74Tx?WFG-h=%#Fg{f!9(I z%nM<+Q(6=hM#gA0X*J>6M@*-0q-#PWN}p+AZsoRuq^idZ#@3Rh3!-U=+Gz`mZ(|*n zb(>0fl>RS7f`O>&Z=hqq)BMZk5;OlkpcqW$GN{*O57uxc68I`g^7U@u0|QJ6&h3K! 
zzz9bDUMwHr_tE#^c-Mf}{c)vlnEi44*x_|A_SosPjHSk4fBo$)u6*t7goq=B=hsc> zd1~JVpBRthtK9rO!}G!jWB1G2b9zTQ=2F*lt&`@dH9PofG@3=r({l;~p!sruV$1i` zAyu_{mwMy2PI+E=42{C?u-4P@kLkKv0&%bP*)O@7G`HRB+o*(r>0N3WG^z|j*(dFr2>jSSD&@y9e z$-1vpo!Q)Y85@YZgm&If2HFtvWP;XQI{c$<- zHPg202F=;RYHCgRbmKN$1?9;uzZ03?IkPfGEsC4NZ33QBGvS>?JLa)gGuchZr}#ybda1FFU}O zj~g#{Mcvm3j-09YyBMebrnN%@m3ph@)s4wQQ()I<yVNU#ogco{bBf4fXLj+6g z(h+Qje6vnBw$v9JF1@=w2iO6M((kj@Gc?P4Fn=}m(K*avR?ya}hKND52H0?_!TTJ( zNpZ5dOW%9#s>S*Q=x_vf&DctITMx)2;zqGBOED{@OYlt~WDX;15k&hWAj6YK+-b}a zYiUfr!4Y88+O+RP`S?|)=&F1sTkB^rCee4y7Uc^T`N(utMmV4Lq4&1E`_T00hU;Sp zi{Y)1$>fr2lNqhwL6jnlwW{NilT(_)u7^~77MkG7`RT4$sjlX$Q>?&?h7Pt&q2QPO zSYk&+I#DIXdboc06%P~lDI7B+C>d^9`kPvYLaVwgd}H(Tk7A@GIaHw4yaDSU)sX|0 zIH|=l6DcN|N@?;R?7yl2&R%8u&OS!ty=}1ur6yv`upwL5ZuJy%ShRB`#i$C{D%0B* z+=R|LC1`3!367X_a3H4DKUN&$5OqEMxds3nG7kf+Qe{Mqu~`*M<@4|=(A~Y}&=Ci` zm$WIXLftuX8ee+TM9j!Z1pV{X7vf9K% zmf_)VhmK3w-Hjjhu1XW6;81MJ@rQWl0DQypm`jr{fJ`co@MIayPZl9s(J`^G{CPX+ zC493|P38u&QI}YTVxgixcW}j`xvj{vjUZJm$yhD~GtmY2#rfW#qm?HgD<+{<@@=Rh zt+BC&+@d>QG?%zUPZA~LC7$DXpbM%U1#MByCCZq9ZQXdkj z&Zs(-YR&2rM+1s4`d>0ezjiiW@f4 zjCwSakSiYTIzPc;JXIFrXAarP%wtfQ>IkcP0#L z`y1^NtPQ}UfZ=PRPsir%O<@xKq_Oxm%oVt5K!*)z|BU-h79hV73KC$eJ+^)kieXF4 z+tuk-C>vw1vo)A-%`N>yKP2XmhkvW6K0B&%gbB?l<&#!k5MaMvqhv?Q9wDsR#hX@_ zP5qksU%&_df<#noKt9gk2wceWM?C$ho(`Cphndc7Y@}srQTC? zp0dJS_wr?x$ahx`aWM&*-_-K00>}L&4$|%VwB2XwA~v;YVb-=2_$nsV+TQiNtQ0K+ z@(QQlpw4o?5p;2QtU$5BLpoZpX}Bhm+bu^AFY%gS9(ogf3RFymsA<7ENKA-nppL#n^9M3(tnr1mai_KN? 
zxlj>ux>{Z0WN+>)G~29Rd$jBP9kvGXyUyK(6WZuBbhr;6wa}i60W>|HZ}CF^xQjvVfztldlyS&yW#aECHj>%tk{99f-_q&jaelHESQ_~7p2ci?pCOSY}W8_!2R`TNY3BR-~=$2(!}s%=iy|l1*hj znQYT+!u?GmHNgei%y>pS()>}HSS!O}D!Hs73t(R$ zyeiPWxp6jJOtY3_rNPX6h1!tsx+OTWr^^od!O}<+%TB%Fy zK$v{FR<%DW>45>{>4e5A~3wBphwe4@yaj3i$H_YC)oDW1$OGKF-WDj&_Guyr4f# z8YHKw_9O$3t@FdMe$Gbb#x=1VH!0XJMnpski+gG@vrKwciBhE|wnuimMhsd&BTAu2lKi3*FoePlW>UcUy;yU`Aegi>5EOF%Qpk%hd|IoZju~K*v{>GRQ!v<( zgpr}zI#?jkT|zcWk97fM_Z?42Jz~PKM#C_G;=+HVdKye$Z|B8K_a^MBGFW-N<=CY5 z%BZEMeFRu`nF3;4mTBw(@&{<@EBYPLNpAcHL!c#Xq6PLxID0%>4-lfbEMgs)H(d-f zf~MgIwlu>pum{bY{=sjP%^u0h>_Eo+Dbx0YS0*-e>7XEwf=N`MV9>Pir)uad`4^X| z$+Et$$c#r#pz~Xf6h@0&o+`g(%%5mj3U z2@u_KWU5Fp!%;yLb)~Z4aea{x;y1p9`FBkSX+_Ua2vj`ZKt)&ydiZ*KHag(O2cY7a z6RZ%ovlsQu3&!&t1%3>83;YAv!rd{}Q0;-9U&!n@gk>Zx@3+4=v#?B`h!+K;@c5-p zDp1)<{bdxhLtKuma2|1qht{FzFqGv@yx5A+6YqtF7yxn2sCLGp?2!7PCJ9sPX5m;e ztrd-7rVo_pDmhCd!=CD}XID1TH6{hq(O|H}_rW8ywHEd9zeyT{^L%z=< z)xcYRKUlrVX!i%pL~U6q$3l&1n`nmxvA;T>8KPV35ZkK;#5`(dga0D#G^|m51_2uM z-26?Ud+;X!w*oRhzxwBGuyrVdqk-!C3!*5K5?I37vAO;)_@y#o2Si*{8t zYQ4_PFNZ-3<0wOvdi&t#Tvn8|_clvim`Bi{wzb&fwdHE(6U#32rq*^;^QN|`|C)nb zmZ@!xnv;gjWIWfY!AlA|%7zmbF!1%2XmjE40dRhjXoIs(&e`(!{L!VwsrexyKZ?(# zaIDwS#p`G!*tVk5*6R86yxHraqu2$>+wD(Cxy|G%8YG8}I1I*(TwBPwd=^!C^y~o!#!@GC4QCZE0ND84VX>?d*1R zBka<3JUiJLie#AYpMCdnHr`48~vk zl9x7<3Lw%a^Zqv~vQy&F9^*DWST9^#`Tbnj((WZukPb{4#YDy1@0u@I%^m`;9x4Al~H^@SX$bxSP#F_C?dN z{z3ZS1d-Kac{BgYQ52_Y=Q)nr+d;uS@`{C{PFtX!$!=nF1jmc(qlU|6_hMW0o881x z)(7tD0Ufm4!>F}t+Zx{m)bY&3S!;J&d*y}aVsP+y6@SeezismnEv+L1;JP4x@@XP4 zar1k_`cV&TyzP3@%X(62yRO&ef=;5q)P^<`p=m;XG;Z7f>#L*llrQqbh( z(c57c3$`=T`~UnAXUly`x&@Rz!1ocrA)q_ef6Nu{YR}p8X7$&5Z=F_|vBON#MsTvYdFRo879kCtqh z#)l}RN}sYM5g{IP$XQTi=V@jTU{VBAX<0WZmlM>whK3JE{fZ&~apD32K;aaSunU`@ zD8xsX>n(_H!h@!XMz_)}H*FVbDCaneO73~J5wyM4gq(`>P_)^bk0C~==}M`S3Hrkn zrxM28F)`$BHVJD#ESWTpjBOk&-nxp3o(88VESoZZgdXyuqKDTH7d!ijk%r*j6Q(_j>4F=z$&tI5=4(r@vHvftoF1QM$c2YWT<4&r?){>k$5*j@l~ zJ?O9iOXMUezrjEfNlz$TC$!35h|hF2$LGNUjisspp+O>)Fs+15py3>ufFpQ;6mIKZ 
zRFreRs?+a#-mc6vvVlVBA44j6V-oN1x(wIDOuym3+o;@hB*>Z9T~e4MFfQ&`q)>lB zm%U>Vk`wAx=G3V)Zc*h{IS--eBNnb@4iRb6I!p8{j5&S?3zX#5s}emxO%SP3!DOOD z`NhH5CR3Hg&L^QV1i3C*T2<`^j0&(6kf6tcOd?|B&@TbY|6bN zq|br@iERWoQdp_56I<${|F+r+*i;|fOaeyPZp6xg{EvTc^Q{=y`|-`RwkS>HgH<iy951SgMIWG{}c$uT;Q$R&yW4Ix41`MAmF%glP@gTF(!<72 zAz?;+7DfcOp&%}e!Z$57#5h$K9k1mZYJ^&eC)csBdIB2DvyqIY0lMMhb(eDPPN>;g z?a#QRT6hI#MEt^GA#8!p7VfehYfz9e;t58?0NF?Dhtlic_o>52e<=Q+ zX8wxK^Ck-rXObEd41yvcIJPt*BORmV$ksAr&4LZHhHoVPCtr-WYNaz`NBq!_(e+LS z>iq~qei1tT%I?$8qRA8eq7G2z5gJ9U}Of*1I~tU^r1jokcO%ZaUq zQNo&VpCCiGU?OFfsBK-mxh=IyJ=RfM7=KO{#wcew}4CUM~nlB>~F&p+!jhZy%wCGCI zj#Sh=220Sl!W?I$;#J{Xsk*;a<0vQ z;0cX(u%-U(Q+%@&BEeyy2$ANRO1S+mym6vH3U~iMYVM2d>z(WWxRm8-qJ-y@uZiwJ zM*vJ&85?)Z{Qs<>=N>>d9X&SDV_HPOon0W;#U`2{`c*CMq69g-40_8<;lgUgr*hqp__)E{L%%7Z*Efufsa|YJ({4m z>%d);%JkP`g_AdzF5t6NIrx8k-n;XSzdS9z#O6{8_{dY_ev_}IA$MyEqaTaYHX37D zNTOSbvl>aVUdeO8bw`2n{US_>>V6rpA$0^H^n*J<7wq!1VbuB6mC0A^*N4tSPvvj*niOSo)argjzAU}&`<}fe-|gOdcdAprDoVM> zyZ!FOR3eeiYZvD-j>pRGhXW*VxOA*{cG3gPx5L4^1!;Ucr>b=v=e6;2N;t;QeHz~F zw{iIB>Og+cMy{%j<8hR`dP&taNrrj{6(Cuyr@pf3JS1i||1h9^b zuI{=&PBf*9z<2pq+}Y`_*m+!mtlL_Aznw*^&9Kq@q(D&7am7=;93M?Ud09tqU*NOu zwAw@X_kjQPa^B4v?eFtYatzp^PthapzNd8Zrr65v-5nURc$t90f1E#NdmZ_@;bC{- z4bXGRzM*BD&^S5KnV8Gwrw6VrzS=ati-v#iET}yqTnW4YC3Wr1-zV{yH#dUq9umvP zvaR07t~lu)(7lgM!od$X1BY_%-mhv^K(EVNu?)_4O$JOG7@-@!b1;3#m!ty$*t%(EO_IeMNn zxoe%puHJvrI>ArT5OU-#N6LQfIUi7rG2s5X9m;JOon(K~vA?6}KO21*sM2$0F7P$x zuY&?}5JW?x#IEjhjk#>93$*a91p2TSu%tPnqbi(h<$G?UMh`nNQ>VU!=1weIEJn)w z#d~H}f$IMBXNzCzf7l_2H5=tHoT>b&2^E=tECOKhS zb_#v0wAMCWGn5=DkA3^yh}_D9T+;ki2D+}n8QF5}(2LE6Ee;Q^gk962F%vhU zBey_S@mRZB|4z!2twPdYmWDO)PV+B8?;M8iPZ3&c)|WBI(k}#!jR^!(!d}%Joo=jHMVF4nucGYYllpZZTB?+{R zMQj?CqK;B&lvCzVttZn*`cD4{BygY*{Pd`Lg7LslZ>GLUY0sZ$NjxR+`qvkX3HRn` z&MykK2Cd38-(}yau!c8c5aPI~P{-R8gza6d$R*m7V=37|d5z2pC5y4Y;mZ6ZqhM4P z%%Z=bS0f63BfNK{*+UZavJg`4^ZTYIKd2&1rdY2MW%eyd4_E6mdj_?AHRroirJ|_f zlPC$aaygyFfnwA~X|WP=CcS=vdid*13~7JB7uo^&IduE6Bp7NAh?@)CQeOxD3m+$t 
z?W#S58K;F+@mDUDn6&=LS{RrZJY!xL)C8IWWD$jBIW&nneF`B%7CIJb7<4|D;jR4^ zUU4qr9Ql)#1M!kUL(phMp!25Lx2zdkPKQ=(5Ch6dN+7h-SddcoH`WB&Ke+#D zdvGEg@V3@v^LWKez`sn+wNAkl%pbg9-#l<7SgQ=_Dr23Q9`2xCp1&&Bx=xFB)*Wqe zHYDqN`S0)7>XmZDo!(NVsG38kGAH|AB`KlDc4`!{#P5-kY{vRgXKut&2`1jg*SNuEN{<`}l#QO|LeM_hCWM*cAf9B{Xyv*s+99HOvuas{X};il9X z^mI`UB=}U(6A$v$nMWkr&A@!*Xh=V=J{K+hH@J~ z@l!SzNI2wdOA<_wLsid}3eNsh6Ir|MO`tYy=n44iQ!z^f!xstfLAVr9zWaO4T3TzW z;r{=DXdoe36qxB9Hgf~~$}o8NcDPq~!D~Hrxd~)~?4!mE#+X-oMfqU-@c;Po2AjYA zH8e+w@j&Y#dl&e4bJmmVlG(J+oNY79Yp@+3t?M-9V#1Hke{-ypTgnrx3f@Y^nRmbvgg_Om`}s;yt&NSJyW6av^cSL4t1 z+BT7SDvxHOZJ*d0XGj_Aq>u_Z0TA9wK+i)J&h}dqx9DaVO9oN9Q7<57)u6M~l!Puc z1K)0;BTwT46eCeu_fv!l=kA90+YH`G#C75Ll&J``m;dXc_P*cwwJAsI4czn7HPnkj z@sul-*Xv^P6R-=W{dGChG&4gBVg9wbTn7PK&*JM7=BmxlT&~>u z?unkqCQ*oLXGJ-yHlOP|&n}zYcZxU zY)Y2a?6>gq**Q0k^V4Oy-Oux@){HCTlkfDNnfTe3-IqID>s`X$HNYYld&>UrORoCO zfflyb9%pry^uSfJ-b)>qdXFl(srPw4_AL8vF8lI27O9lp*L$+C2UQ;)zz0RG$B^u8 zAjs;Pr+o_0Ei47vdGbiwtUJ-Gd3zlrw#^@I0x3if06L#CemD;4yqIHwN4zb;?hdG$ zyypvwUSN}YS9!zN*RIJoFx>}m^B$l#4@OFl0&fm{+Oc5Id^B&wTs~0f2G)M7BB`6K zSDylgabBYz^KXe#7xXn64?Ew~HEM2wG0^2;`yO5f7q_A5JxGIqUy05TvN<=x&HmWz zcGL99Tnk^7Dq|47(vqgr|J)n&>XuU8ad6*(m*G{h#PKk2R<^<}hnP`8_euS;X5o9& zi>`M{hF(~)J{C(~5i*?zbMPx0{W$j5b{S;6{fldnVbRmya%KEHUA+PHV~(6Syh8aO z^C9kwPDW7rgGvZ4iE|qE0$87SzBr8q2kTjcIpU(&LPx+@WZl5FF1wn{js5>(>a3#T z3bt;Y5C|3|xVyW%LvRW1?u`X^8VL~G-QC@t;O?%$T^pC~%YWsZ`?AI!`(Zy-jkT-R zoZm#GIWFey9ST}8Vy#G0V^1?~G2^`bz>Y9S($K&!)noK!=;fxS7p2$*%7en~n{R`i z5F`n67h!|r*VIMJ|IUWxo+tt$cY{qn2xqefL#Wj0v^GHiIecwVUWW&xb|kDfC{qlK zcEp3v=Nb3F@lV=3M+r%Xz55+`!b4|my$XBD%T70r+wtk*^a%A58mAiR;i;qtUsWYT zBQIpVic{tj{9s9b!P{cO^OxNGv`V>6Fp9nW{{1jQdmyhb5$|jHEK$o%bZX(g!SONM zA-o3NZGy(C6CsImPNJlEbnHeaiiR$x`d|py6 zh1%FDBl5vreL2)9(HN#~{w%}Mg3YeeD6cKIAvF50vZG3*Msz11 zjQc+YO`V0qLU^C*$nT`9r0*%?&)D$zF+)Z2!Z{;#M&XJSWef13DATOC6bgRGC(n?@ zCp}ei0jL=mbEZCX@sgNtj;F_ydInZd>L1}}GT#KhZ(obp9u>d#Og`p}#(dmSTa~3< z36BK+*6#R&Vp>CmK@E>!r6rKWkUsNs5@Vq}x~%Kw)0D1D?>DH@0k~Sd1}Hndk<(Rp 
z)k3rnAe{M*C{kcJM<(8He}e}p7txcLg{4}8$FGqCZN;HTxa`%zXo4zvsWcA}GZZct z>Dsa5gvJ=_YQZ69WV$10BB>1OdH$Gav@J(bk+QVX@PU<0I`R3X{mAiQuC;u*Ed71M zlrR?b#WcmH-K)gr_&@df0;+egzixf9ARj+l!s)-XDGYn?@@#>N%8(aIViGNo^_^&9 z5PkgW@?GV7ISa0o!pOfHR-|0PxS6kdWjcc&ye?O%!@aq}ePng=@ql-y(ae3mG`6Yc zAFW$7t3L8t&v6=Z?rf+qHg{^j_E@RS@}VB99)YhPf+5BaD1mr&2Ay0s`?;J8)9RIM zXYUslt*TX%r6Nyl0QDVB8D$xrMPeS&u?1dI@+@+Kx(yp{GHvTAi%A*7FkyiG!ZO%0u!j?lkgN$LPfEGX1~GCyw9hg#JBX z`J7Ujj`9(eOv4+7N3B3cB`UT{gZu2-nDt0!c1#%@OC%!Rpy(P@CR30gS{-MBcRgbh z2dApqfg0Q7LpwXA6K`?Xq!Rh^vmq9w6WnOzSx2B=2DMBG8!lSUvQ)^zjHW<1hUG+< zZx-54ub?~Ii22|0PW=sy+AkHHkotex>N~YNSUdv=0SE1I1bzp-eDZ7hKwj?(ub_M& zuW_@nSUI&-rBd|#h6c{M(A23r*Bl*>`+2K=_OFz>k2$Q)_wKQ$<*yrIJ@+$0IckUpLse(f z+6Ivtsp_xy4ihQWK)X8f953hfE(86;yp4p2_qykeRh#JthfU`ucZ_mio{Q%0dlysc z`;037c}opr&rJgUW!GNn+cTqOLX;oZV;Fj}_xG3M@3--m&+A75-ChSup))`)VDRh~ zs*A$&@vD-{(`09YW~ECkmG2dN{R5-UPMQ>$1UJ5Vnt>M1B~G9j&Dr5198_U@Rw|7B#`Yf@l8a=wx{hY z%EKlwir}p!W2PfTx72l0J7xRjtSUypJnPgHzpE7jD)U9llH1ziH1LVC%=UO`nZ6LY z0wX_6T|v&+t}ZTOw4al(-Tdx*u-ZxauKwJfVQ=|ecTgu|d6{J$X`~B0MeHpZ>a0z8 zH8iau;>&$E==@g@QC{Qh;O<+VXwdJDU11E@|F`LTr<;xkv1Lh3JmtKF6pyD4={^q zNubdmm;5W*K0O)aT(0}wi;vmsFQaKko2;N(!J3})7=Aa^=O3En85tf0o!~pO&_QC< zfz=kU8&8Ad1v|6g&0B(@B^ZbW>2ZKO2Z9~u!H~^JU_VfRHq!3a8DCx41tMCgg){Dm zn?h)P%lQubZUPbY^8ptm-<0*_#;X#^Asz}J2WCO$30&0y3^5^n1JYuy2+Sq^PFPb; zDr|@Kexk@XBx%)!3gb>_v;!i~X8JhXa{8SV(()CuxltH#H}%#8@X!^U94{(JsB-E- z&ekr0VSs8)d=1#Zuhg}&^ZvtiQMcsA1o(xV7e2YCuG-QKwra2%mcZbq$y%TZ z3@#yQ)5cmalv3J7S^xr2f=xM;<;)sB4|pFaBcB!3&lKjNZ8UU0?QF%-_3~b;u<83n69t7JKHE@Xdc(>T%%jRjlP-E0G5W zYFN-u-#05+X*)BqK!0;1PdN*)@tZC46nTgWG!U|07)Z)-lkwq|V*ZqAs+I4{7~1s8 zq!!hGipW>VqY#HHsNk%hj%JfyJwjJoPr>UK4gTcqv2c1C&9z@4nlMI(zHWjVjk2pe zjWP4Rx88Scc^#fA;mqG9(1C@r?NgMlOFh(_R(_R+Scr2O)D<6Xt0eBA4`NyI3$mGl zR^8dDNO9=$L0xsqfh>-gC}Y@9t=Z!gfM`#S<%cY6Ni5;Qpj;QpBrl4?O8VRg2PIE? 
z?W7QaY(}gr*N*n9ESCzCmA0E~F1v@+To?d_Zo!)($g)CxYCo`D3%RON%Aw+k$nJ{|ewP}g!RURv(j}y?6Z^FKlokc3iqoNNxv~FNM=r4aEE^Xibp9o zP(=@RX`{3;0^~yh&LvI&j3Rp$ESK6C6e7}I@p4Lx@06MMK8V#N30A)TJ0XTw=|no5 z&We+R{3jt3O&zYeOMP939)-w5-u`!e)$WF-+R9; z$kA3*d%%pnYW}X|H?5JP!%3>=w{pLX+!e7&S*?F-ISu>;(yys$Bx(jty9wW+oEh+? zf--`M_`^E)V>2|`9~MHvPWy($9&QCO?%NbTTU(bqa#vfFz>%ThX$%J)Ptb0r(%yTu z<^yO$sb$@B__W{eYy!m0>l5>%V0bvjw!XY+i&8Ed91&B~j=pA`H<_aAF}s=6k;8Yj z_gG_Ou;F$kKL6VjM5L*383OiM=t~hqH~o0qqF?)Z(W7&);2w;>Y~BQOO>Fv*)2w|o*bpbRw`i%b)N#9^ zndO^u{>Gahpzrbxr*Q8c97E_ z?goDTtp>NjC6Gi|t90n1$)TZXKNk;X!YSy{ zhYmk~m@lfRl29fyRg*fS7gN>@*kbCDfY6vWRll=kXQ5`2JBpK->V2pHRIkW~#zcwK4NV&O-YrUxGD{76Uc10dn!*Xmz4Y*l%nqY4S3Ma``JSP< zzu$4J?#Fr+@wz~<5zMm+n5?2fC3Wnv`0r4CEsBd?7b7FIdK#4EFW<8`Pik^(8&>{a zm}=hq&9d`bbGnso?v6Dm(Rr_YrSYP7(4*lyto7*UA*vs4a|em3%caUa=%05omLR?IRk3(&LE&ju z$`tlgu=+l!1cifa20zafO!bH>%A5ur6Zo|H;_~BNQ+=oh#jPh*)#?pOS+W|!;>R_#Y-69OD{l1rkNW{hOnjKAR``?@Cjr)aip zqjh0&EMD7g)%*hgoDvQ6W_djgR;`G``dE7G+rWRsIS_^!m5(PhL^O*pB_(4jOO*|q zR5Mj_I#3PgGMvbcd^>}fstz~m*+~0T`fNypcZ=nethf`_78F|*D4xZJ7j;nS7ag2S z&}+zH-+Xj)5Ij6SlBtY~lUNgQzeYD1jMwtcNFSg6QQ$)RRWpCer(dXw8L3u-B(Cnf za{l>HdW7u@HNz5YkWW;pJWKQps#KMKTOh}2yOoAirHdS0if&mYE;a9P1?ZB*1uYKV zH40}YK3d>!1`HK?Sv7~Kh*u!;x#%$Sn!)D6gdQCZwLHG)VBIWx_`Srp2Q<%mz6tZB z0A(g9*Fc&d;NPZw#^Io`$TC zwH>PW=^X3K$B|4L)PGJ9KEMphSrC3JA)$oNFi#+x3Ag3p9#GVnXpoRx%GFoa^g5~Vmm&? 
zDq5}YJdq0WZkSuUQvGO~r^EiHW^WoHmn2$(O9y3^u^l`dM1V%C-e&~WkrKIDd($zJ z+0l~wGV?#gk0N~!Dz5l>0@Wy}tcl?ngdP9ZqJzE)GOh>6w$IMYcFtXp4SG$<7s6iH zlSHLDIrPH8Oi3hcCQ6u~?x&O#J6mj2as8k{S{^X*-dYv%N-FE$1OIIJX#uFV+?dhS zt2s*zk`EcSY067s$HYeb?Sy{G@#*sg2OC#evzDxzHO~psTIrdjhP>6U5i|V!kQU>p zNy_2-kQmGn){4`%U;heGf6kvXf?M7Pt(Vd)vi@66Sb?!T_x*RoK3b$9)I644ms5*bUe5iE*z}1$CB=b>4NK+ErDhnkSui zO>9Eoef2B_@@pJqWF+_RrYrs8;p8oZ6`mWpXWSJ|qN!%?{>x*@d;A8$pMej>NAe zyLQ~dcekGGz}3^PkAp3Hy#2o6tIfgP?i#G%y-HJOOxu!JNzKinJ^j|hG7{JWvSV_C zqG?bE{&3Cy(Q963hWj0{_`#|gp4&01Mg&CMVdVQcHQ4` zGo}QsuPEa#xOF^=)LOb!2FN(MGhCtenTd= zxYOO8gAqMm{%%(yRQL{{mObGW;KA}`7l4Vz&Yh(A=g6RhSFzgID66b(?AZv%8Gi*Iar-wA{Z=E;wI@&Im(;zv6 zkgG1R<;zDlmd%I6dH(UV@FR-?A~Ry^B#`vI&uPNs$-jYWG37^yRtWFC{_(&C*t0!|8`2|>;nBJLm^nI_A{i(3bBmXV zr-LE;K@$}q{{0XsY&_2ut6%kijdLjyP##$>(v(CiLY5`*vpVS??aVKDFAP`-?i|gH zPY3i-KA0|QK{dSzr@2bz=O(WCC9z=^FMg7ypBPm}YX_S;&TBOtK&ukz-|$THQ)x)W za;lCdN#jgU%S_1r%1&x@Y?U9=%n>5`x%Fc8uD}qmiJQZqlP3t-ds1aHw#bq2l#1uk zQG5AN*~ZL#UUtIi;uMvaIUCdda}`aV2_Sp-OM^ZxOX+nt#+;0_>FVoxAntvWC+ zPg**yGqB_R)t-Z_UBh}a_D)C2uC?S6o~Mq*iTF9y!3C^TjsV@CXFxDSTgKFg*0!@k zux3={-GCGGIOaO}ZHRe*Duex-6|?i(tfoBq@0! 
zy>$QdLxhg>3$C=h8p5QEMdH-mOgd*XY6xRllux}%gk4b_{=vM6#g^}?qWsV^$zMc3 zAn_kc^Pe-beTB-VL)lz_MM{aWxb6i9{2;LsILg<^ZE2VBAKq*j0XlgVF24g*SakJT zlGBfIyXf;jGwVu9Mz^-lPGWj;!8CuQ3MlZJDQOOqB*`e8kG1|og7R16OfwB`1fcN8 z{g5VXLBl1&T7Ke*pztUnP2uZm%wXU-S(*4%K(|uEBJFo-VH?myitt5;I_~(klM^rw z6OM$QYO%hZ3l3F3T7+0ZFbp~bCn^*i_@*9-_dovf5E~aJ9*J#5`)n6R?oY$xClF%c zuEk6@)W4FeqgZ!{J?HjPB4{{~ae7jR50{|^LPx+ih{;F6Rs) zO=Ws%<9;q!v)l4jI3H5TM$5;MzXAG7Gqe{MtSBxtJ!Yjv%nhl>HRz|@=oaJcX7cSH z<~VzsuHl(XB_4_Ih1ClEv{TLBpTX#Iwl9cpQu{g(-I^9=!2MSrnSUBoDl;L!Q*Chh z66`Auoa$29Z+Q!G1NGaMV>%4<$woXy6`65LaqTxa#4axCl`%k%!xeNFyP_XXvsE(t$885}dACmn;gYxQ<>$~Ii)V)vBH=?U zaLuYE)1aFNsWJr-?uA_T)9D2;1GMCi8S{#2On=1$3VqG5f9l2JC-l7KtT8YE2erLq zSiau{EpH)leQ?8CBo8Nb1^-eNWW;n|{W*7JCID_2GOze~^p?!%(^ooXyMvX%=P?N} z*xRj|&+8lf4tew5-46?X*wwHT(w{XqU$@BcgSj1AroITLd6v5R(Puh8DX#-PwzTD< z6<2%`w1FSGsfnVR&gXhCvy$)O?klTjo2JtCzvHgV;1u19z`=k^PdVn7l>ihX@Zpb8 zgWQQ=!?*oI0|ULL$D1|m2|kxAa$ueQsOmLO(7 zzLXV_z5X#OE^5ZM=kt5Wu-R_uznUVxzZ_5Vv+rPBT5V}fYufjH*(+KW5<1Irj%@$g zW#{Ute3Ggv#_mVQHU}AHDPTY#exj- z)2W5=1#WvaHj^~NapOAtP;9?3y#5M#Im>Yqb}UM2@q7-siE`+1JY{px?>N#=i6MIp z7d&L>JeI7m_nYhhtGYJTZ$|&WbMFiB?gtWm4bqcvbM=Hmu{1subNNPWYY<3X21Paq zb8hp30v-f|_Rb*1wf17s`W~m>wR=IpYna;{CKyB(19CjHbBxVW%6=z8oG3gfx#9}N z1&kLzoktpT4vKYjYICH&TnWt4Z2dxpe?l3qTyCK^36}M1^2FT`EI0B8p^!OB3z}qt z0uYh=QPRs8E}R2uxB%~7xgCDnB6L=aM0N4uf3>n^Vc+A7Jh@htLAFCgpMJGy7H8Nq zAv(2NP@lfr57cqiquMBUi>l5*-*m?Q;PXSIT?Xy^oaN)%s^Kl9(746KhUM!n7fgjE;i))c8r#xbuqKW_ICkL7nP|^TiYVg2-#c~7 zN9w_a=`x(9-qTH~wK46D7o;-*tm$TlD&(sU0SaVsQuveu>e`aHmfosu^grJ$?uA{A zY;ArDOM5<iT&$OR~dU`t)mtyz+$~V$ulHk zR9O;X*F9oVK7?A72d~ft+ZMQqcVbqpYm zC!w=^DL2gB064}nNBfpg(jH3C%xP6@n(Dhk-D0X#AX__I3EmSu{4P$ncC(Ram8Jupv0Zn4t^Mg@=rC)sYi6;xZ9HJV~vo68~PHA$cA zA%v2u4#h4_L##AJkX$wfH~+IjB~{cWF8L_K)ihD;0_xzgNmLsd*1#@S)yWTG9zB1F ztbw*y#1sjBuXghY7D?+k=-at(kgvoq0}n#5v&Rp_qHhnBonYeT7@le1%zsY4*D&x6 z;yKaMgGwYUa$l-zI&w|>9I@&`{={43nYVIGV6dV8O}+LLw!Hh!l~8lX7D-2mVBCe# zo8=U5pRn87OQYS(tftU(BKaH}Ay5qa_rM_9{JvDx{j5?uL}fB{?2t6SWUb#gF4VI$ 
z-I`TAfWYF*WZK=QszHFOpz0N}N~V-Z_wrQYee!(1b$eP#qAl0tORYLwsl74UuSgAa zz!x6YFsJ*{3YQ4FUb%0ZmT9roPv40tB--^I0?fONeswGA+8s?wM|; z&z$0;6-XZcv3N%Ld2Yb_*DxtT-UI~=i!PL%jeyA7QY+iTzL3UDZ~D%#0;hI9)EAke zAG-V6^)rf68io_8B4a7*TDn*0pnltLQnGK9#>sU@uhRmD&ti~Kh(p&_H;K@zf8e;A z^m^9P3NA-%2x%_7_yJ8#Z1vBF-^nT#8ww^Hh1p!Nv72cK8|akB3ddfE&iIT&p8-OG z6!caN=$g!JTBV2D9>|dZX>ENU?>5wGrNz__2Gs6CxeEgWob_$>Jo} z9UMr1(K4elunHH8wNaW^Phhw*2eZK*bu93>hk7 zD|!QA5!{IVI0kO~&B(bJ?S_04-Y;7k9kk21giOjuX!*uxi>W024sJ(iR$@6$y}!Qx zfwurgUI4TkJYs&Na$)1pe=nH-_tV|ektleZ7y?QHi~oD-c|l1|1%n^m+5T-}2@-DE z#fgJ=gz=gD`neuHq*5zaOG+$>(laD2aYPl?ze4-D0RoJ?@VxyN=VJ7efv>u?z{iAnF(RI^BeJ%4kfSE4d z5-9V0GSbH@sg#Lz(ip&r8a&&OY>gx(;@*?_8xyF^kdN(R3Fm z-UJSX(r@vAU0U|JP|`{qKtK0<-kmO1($t<4my!8j0u{D|AA9V9EL}scS3wy>H;yiQ zI;;KeTSsZs$tO9u+p;-5dk9KfjkEolh)oK@oiu_+ZQF)VuW|*Ji~LUuUu~xJUhA6d zv)|mxzElrh8cqto$70*B0uhgy%3M}tmVNy7dsqe0{a#jd?Ki@OPrE9Zj1;xV?oW2d zz1yO=Op({Tr-zTykNg@ZLQ@PquZ(wIG|zp<&iDoExF51T=M<*5TDP??q5P4%Pc}pC z9^rxG;g3D;ce_AlmNzE{19(q&ZY3QjZE(3ev)9q;S;St7l7UX=1LX^m*K?9Vr+va4 zz;df2z-337*`WP&HP}04Gp(j>d|}JSI?PbW;B|CDlgh@Sbu)@O5H`s_>T$(;(l?ps ztpGPdKq{wuJs&^IwHI;uBB|RU^wsZi^bj~s+&&m`Gm*jMvl|xmp4ddxHdLUCnce;1 z9y2ZA9Rgf{J#%Q_Ef=kFZuwT%Kh4Grd>#}Z$hnN?JBsBl3Z9R->UlwetpvKcm>G zkhD**sAv9N%qNh;cNTP`G|Zo)v)^SFS$Uh$Rb>qIWmiE7-Mb%}Dx%LhavoXxDO?n% zV3gN%;7M#0(22uj!ZRtzRr z`nO+pR2>!R#zxBj?F)rmpC#=AWF%Jwk|lbO0OFEH5CUm)QDS(zIC9kU3w9#g7|cnR zD#}EBnvWzms+=kbt z(*(T1rwKZQ(|uHh^7~p5Rt95UiBx&1ejKKtzVFJWwpcFls6_RR^}LgWZl(1srlrlGT14`6JWS6QyzsR{rG5jJ0uZ zpKAwIp8`(VEr9cgBugaOY+V{qi@v~LAb^A%uOp>s4Lx!+N3%QET=l6?sddmzNb%3N z@4TJ12nhh4colm(a_+x3B1Fj4rW->}>1wJ;CS1amR&dFZhyk%G-o;R6a_^{tuz)&M ze79a18wN9-YT^3_G)za^IJX?8grHB1oNXAp@#>ME>7i7uamz&IRCyF&)#%M>6^8%O zCgfccksfRy2+lR~&9j!vvJN}B@!E0TGsW)}ASnMuJMhDD!Q_d^H+=eX8mV{B?JY%B~Qwmq(W%xLMPZkd^e|$J}VDzHs$v+r1gCeLb>53Jn=pVqYvaJr=0t*Z(+8x_?B&>X(v{n z$LC6};^H?F^Tu^km}7RaQcFzKM)O3yt=H*R5d-RJD z1rpEt^6CKS-1Zh zR4?&lG(EL1iIwz~hyPlQZ?q^J!LEo=W?VcI3#rKHG&D3siJJc4=9fGMNOYEfx}bHr 
ziptZ2?g1n}MiXxa=f6V{rd?cMP0p3H?DZZZKTE~&yZv+en0Nw*R*hRj`QnkpcU-3f zxJeC1DN8)*St8DM*4#95m^hEJR6sj|`n2MKZYP=xMOGv$Cc8ERp@vwZNN)4;uB;Va zg@(>TX^JLAO8=ZEOm6`WV>`OHSlcrZai3c;D_&w<@pwzekNE=xD(+1R`?a8AL972; zzl#2?t_;c{Ud?S@tT6B=GG#Dnx2-4+BG_bV>k6qpOd47JtB5uPq&Nt)-N%J-+er1 zeQP|8L-8R#=DP=&TN{`2b`Fm9a!l^REfPLA5tf8)kZod*oyk#Ki<(ek{oj6m!Q|NM zF6%jNij+c<=let%Th4)w_}v?HOIUI>?vqIO?#q6D^XeDmyBkC$1nnbh^cF;X;J7Hw zj>y-3{0zbS1oJ~I?p3#-Im5F(!Wi%BhH-C)3$G1b{GP7A#+uo`*c%5JU#nfPy!x~^ z)v%N%DM z9(k@ZEw^pYJttvaQLWA{9=THqru|L06wx zO;^k7I*Q=ib+W0?yj)M+%)@x*YoBM1d^I0%TAP0H(&uV(M{+l$ zV(BomHm`YBwS>8OMe?O>;WPh6Eg@tkAR_yD#?{@>{U3ZwcEdyYyYg=Lk$>=Z*VxuL zpIySzZr>nw&FiuLS*N~-aobJu2R`6GH|DVKZ_mObE^iQ~p&n((yfRE%3Z!lkay+X> zgg0LPd!(Gux9f#i@TKpC_~3t}*K~DrTG1C_95t-7W}>IS!!B4vCzc=3oE`m6{bG!p zgn0=|6lnhTa7|EHNk2wv{$LuHVu-ZplYop29pFm`W9BH-FCX~{%v#EW0;BH8>1*1^ zVTu2sQox9;I31uFPGN@QA)4I#VVv52IfM;nu#J+F z>15@aH8A{~uhOozz*?l=$6lu!BMCs7JnKvnQ;s7}w&wX9oE~zlNLo`2wf>7LS$W(7 z?L7p!rGE4449p1vj_HiZS>s>7`8p__s&YTUsgSr2MqfD%vaErF)u;@Yi}-pRtE6HR zf93Ld^oYxMoESI-o3C2O4Y{L%DXoG;3g6O%MT z&vw$+^HZIWV!M?gErp18?Qz;1z6IM&v~*RP0)}<(l?rAn49P{b(BiWF4>Z~g2U;_X z7J1)Ja6CK6+={IFjPk#DltYVJ+oqNWYp+}ch$1>fQ3Z7tVuyOwr4S}_4#tg~wqA}< zWfcrdSOY>h0R+iuW?`A|W}!i0TSS4s&}x#`T=h;z4B9@aXm8G8)P8c}`Oze)uY;1o zSh+g-OV&LR-4n-Vgr~xlS|r@A%#6B7PR2~)AE&M@mm{FkSzBi+gOb7cTW=Zu&+~s0 z^D_5jjg)eBk*v2Tho6+f;b7q?*#AD2LSr_(YfPkgu}IaA;FNLTcCZ#+sI<@6ugqxC zG_V}?(n>jnD$D(qUDA^2!+`ot%e_5<$RjQuRd+}S!x`Bl^FH1AK0pdm+G*-t=CS{n z+dO}W{o8Y%f~p|ewMB=-;06+7H~Dd~ECBZ$o$Tk|nJj3{ra?bvhz}gg)h5fCV8ac< z`sef-qGu%XpxDAntF69ZO+)*Ta$EW92s0$M%m4gD(I;)pIg4`=k5;-T#zpA<9wNyn zq2N9fwh0f^Ddt<5 zY@9S$q>hY^rsGH|r4Fk$^+>Z4QyyE1L8zaKHcJM4xtAy@O~1F#uMRjt(6H%E(_$&d zQ9-Ixlwqb0)iPU@N%%2Vpwk|@=PLDsGe*jUR~EfZAlAJhPH)i()t;YZqF9e@=@ttG zMRlo_`L(vx0;K)ZVz0N+TRV?pbfOgcXxLsUrVp9nbK$s--a5q-Z~^iZ*XO7GuH@T>$XMjBfE5FNC#^OgiuzCKMJ{22*>QFGO&$pN)P+Os4gv@ zT*8Po(S1lY#yiCxF#=7$u$d;d=1s~o3KIr4Qj#Rn!;zPTnNbOgwQ-=`zbog#Afg(Z znG;@edFV!l+v*RD)MAOLIybA?9ZIv7mOOnrzYpNczI$D@7ot!JRF0OMUt+ft{Qt@x 
zD2O7KxEK;U{|fx@m~=uW+93hMAKEcd)Neu7(1SA{!|VNz;WhYUcpXoI1|Rvc+1G)W zt7mzE@p_mmN0FxXkY^`;DcBSZA(JUR^SxDP%k74(Oq3L!vzRjymW(d%E>Jb^P4XV_ z{c?A?r+w%Ldn0?_Q%MT(U`FW1uXWjmdLa5GP|*2AYD=|c!{f5xwPb4b`S5n*wFUT; z#twA5NA4A4#!5gDE~)f*PO!Ni*LU9~yE+HH5fU?s8aA(tQiwEz95~!IK!v;qr_oAV z(gL^VS9~d%cQ4r;;QPO69y|iKLQHydPbUpWS5}7*pY>C3yER>lBTf{^b=FW`#n}@+ zcD0=-o?*&AK`VUcsoGJ@C1lH zZwU^s?7gj+o|}&AI9pc_+f<`dOF?`g)5F74ekZ9Fb)3$YK(D5|V`q1QMT3{?XC@sR zh3jy_P`TNf%IoK;BcIxJ{fdYRvjh)&gV!fTTv%gV>JboJ2%Eos#Ak5P$bbG_Y1n!oe&#ksWs?p!j zKU{8$-Jul`eH-_e2Zx0hE&{8o=X&9fFry zDdx1zwv*?Q%bd-we{CN3a}E?Ytr6H17Vk+pHMOTO#CA6i1{DNNX9Xx%e-gQ#x%MFA zZxGWQNRUq#1poKcK7^PIj1QSr?|zBuK=NAyt5&D{%q~-m=*7Bae5Zc1fIP2eLB1#% z(mfqK3*TEuZDr6y;E%?Dx%NUu*e@PsIyjNnE&=qqTt>-*vi$0Vk42GsAS%I;bCh2_ zSsMSM6`_qAvL`TM%1?4vvmImL`vX+(d}6)<7j#K#jBifUUuo5P6L7P&jdu zC!Y9@jITtDQTwqA;Z#%Vt8(LRBw-{(L@6EkBZ-w7*$~wLbi%c-kviAk1FCyzhvbJy zw@MH^)l_}j(tgzvC4_yIAY$ZbGZ|2XvWrBI)rx*^go7fP82!S-!sghr3Fit`vnHE2 zyc2MS6|$M1Sxp@)#)dIs(Djd3t=&9PLHQ3TP~g<1;t%Za?J5X96sow8#i(OQe!KoO z=U1*N{A$)rH5ziJ)GRNQpa!ui_zQp`&G3)8ll?5xRQw>xS$cLysB2|xCVoY{0n@DV zwmSZ5Qo-f}B|!B;#9v!pDLP(KCJzgBR(S@~jOb5F5hrS7yc7Sz;NS?t@nqVw0jXjW z!N%ML>gY&VGK;pv_q*9x%4j18(nvNe-Lc%0E^zQhV*$FDqaX%ExF}NQf%%FYYnNZ7 z+EZ@(Avo$Tlqav10z`czLX2Vhnhvm4VVtOExuQuR#+Z?&!enz@k!UOrb{fqFwhTEg zPolBFpIxVsHfbTFE>@Wp-1)MxY75P>@ZSnpyK0M5&cgu5X{1HYB2??=i#xp+9bsxs zNEQSpxxmnO;Wp-G&97}h=^6n2`uW7u^z_a*%M2{`BygUq6ZLK zp5;T3C(GJRRof}d&=f5~<*Wn_>zOLJliyHas-A=id zi0lWo3agY9P0W*i>UXA*t993^{N0^NgdB-2|FADym@y*s-Py zkx2r!$L2rS-@zWXN4#hc=v^MiCnibh-3Z=dJaERCGHPR%=G)~*jn+UuU*>uEqw4p637r4=IbPIzI#ct@BIphlNnRm&oh);t4Hp?em8h(-7f>Hx z8+HdrE{=yu6I^K3R?4b^ofBL2O+me5QYL{mzdV(&IiA3pZ?H}xl(1n=(sx5){?o<1 z&$=7_jHWf#E!2r&(W?9zJwzrM=L!FP7?KWo3kCW61BFnJ4Mn=`6-tH>Xu=FK=q&T9 zRcwxm*)bNO)SB27)S8PapNjeJIBH0n?>?tFUn|oa(M>87V&L*7kGx6aMFeXIg$A9l z&LyhASJG<2i4=0o5Y4FN>B$@A=hcB*S<@9$%-ir|^?4^-|Dl?UN&mca(vviS>u1ln zk5ob)kWd~e^gorxPnOgf`_x6Cfr}*fjS)FCzVe_y+Aj4SK*1lTXk>*UEN1f;XMVF9 z_cS*C``_v)d=Xn5Tscb}4f{fja&l(YYzncsYHu;vp$aVWpDx8*<#QZsOvoMzzn=`O 
zXA&!{TJm7fNTG=GoTbSnNTLb*1|_R>72y4T>zYk3*p9pCI&uZfEAfTXu<@cksS>I*w6ZlI%k3=qXbOB`b1Gsrj z3A#$vF)CQO70owP^~w>9j7;Po$nhF z!(Gkqb7Hrf8(>@1F=%LQ8(xnNzkbspa^hl_?};V%+4 zht3;xRhfx^+8+BFC=-v@SwLZ%hLYDD{iX$n0(R_fn-cde54hFi;Pqzyo9nkJDFPgQ zH^rMgY>hR@U-daT$WBA(GNiwmyT%7hE4Afx-vlezcB?AagT?U(o^RH5$no<%Qqo+% ziEg{jq1@7!-~()t8}j<*Mcm^1)oVHykUwf&4U-K;Ms+O;8So9tze24PG7Mk9(WB}+hPPX4-xA-`TT=-tQ zUV}kQFPm&AH^T(3!?KT46?-6Q*mI99_O|(`B6@GT9N=LAQnTT&oESx(^M#wYm=z_V z?sbKc$qc>51(SQFrFYJ!O3SSWv%PBboeqalhI(F?A)%r#nuhnyzQTMvl`-3p#d-V< zpWTl4>PCNDksklkbXzI*Zs!Uln?fI&@QhY=Tq z)KQ4A#2YsleZM~Bh8el^>EuOeWSC5gO_#Nd z^G7YUu5cTgpv?FovPGN8Savbi4^p<yuqF{Tmr`uxSQT-=lsiVzzJzHxwBj})_fBY~yp>-dld)Lta1oOwNY-C^;ZlaI zX>{69E-C+&!+O@sk*!ti`FZHc5I1}PZ3MGtmKcT^A}6W1mZ(OPkaXr%tU19N z9G-xNZrv!_ueCklADd3wC`c6d(-aCu7M(NKTIN3MjavP4h>C2j8k^`XnpAEQQL+js z>rZO5V^zjEc7OV|$Z5JgAU0L0&8~-h5wVb4z9qy2w-1DXI#iWj{-P#cBJE&19BuUs zXZ@5=y)u1lq>aFa6`kVPLvtICS@aab`7ZBL%Y}8SC-3^HLi3sdv24w&L$FF5UtK`` zH%rFJ4$_yY!^m$}*ioc<=j%QNr-x2}0@6U<*bs4lfy6}%WKpZ_L2R4NwtU61hXZk@RG|p5_(?Ma31;5~L|w_s7t8PE zq>Es=&ddwqe^<&|wK_4+)6G|*(d5p;Wt-Kzsf3=A^TXwn&Cr!M*&^UyZ{Xy_s#DWf z%($OG9zK5M!amw?kb%L~ROZL%5@IAQ3`wgfJEVt%9a2r=9UG;Kq2U&*GJF!yUF>kw zvMsbpFh;SXN0(*@v`-y51$k!H^Ik=MdwvrXy)F`(>#XwG=PE@@iytxg$eLo8Jgd>WYl@2rY-A9vEk53Q(Msy;L0a` zn%O6oRnd^tJ7w&4VIz;oJ-U+N%JbBW#}%-Y=~yOTpw(%I2QN{X_YvL={88Aeky`=S zb~L2fPjr)k8YFKOAYkgLCU`I9_=fu>=Jx(w7y=d``Im#{CTil9W-xxOt~l+sBZL-q z3Vn%LuYn>qCQ4U4Pm4N??=(85X#2w!DqK!Atu&AnzGPwgNq~5{!;@x^#wyb0c?`N} z7;3l(u}cr}lK0p4Yy@vG+RG*e<&sG-48S~4G zM;bwTas;&mG#%W-O7y?D6U!(L#{2SPR2-Q?gM&0=vgVQ#O;w3TI9V*34AYVr&+MRR zxVWGdJhn;4M#A7+k=eXB1(>WGWZSKDsJs{_9c~=p-s~>5}~MVW|nzHZ_Dl;5|=!<>CC& zaE6;X;Hfb8aq{=XQor4!V1)5bws*Q2$nPLA&fz_(XDR=3z(uCf5Hd~x0NM;^z zh&!ULZlK(Og@6)a!;5vZYJ@G`f=8|T?Uu)_*b}~|A%aD%jE7lD60Dg{KooWB3y^l@ zoEOl&8%8bF<>)hK@YdiX-4zM4? 
zIkUOF#%{IcGcEwIX71A8ZK`SGWAgI2a&2?=5ct{kIh|9K>b>_$r0rAcwK``{;1J+ao(->GLvp)QpGFxWL-UzQFiVSk>FTKW3nXg)xvZpqA zF6;g=A#iY+K5gFgzKd`0wlO*6w!Kz0)$ROEQf~jWekxJt-tgE9UkZuXs`g*3#%RjA zP#~&vy!$&pLDaZKZUu70*&TAIxlVOr|LmIt2@icbvA+QV;-8t{M@%{w%HNyr^4c}p zOmi#5N_e0HI<5&L$(7n?^KnV!Bx)MZ^?I>n3UUw1LlXJI16PyN?aCCNp$9kpZXO?@O0~Uj&bo z-W#+(;O4`C^asl9er~LDl%j(t#qwkSZ(&Km@ji#9a5RwGB2~HNf&A%0FYP(n$ZUR)|4O&_hZPG!pdy^|1dC^I6X8taHvINiU`c!1TsZRngV6MaFzcA3Pzl+JOe35Y=fJF#*&D7yK`-VT zQkRP?)O9?Anx2*-tjxmL5rQSRnOSYNa*&kZa&U@G5OA7KXXD`%aRZ!MbIiTm#$C6c zUVPpj4vbgyF2ybJLb+VDB8PtWcfvW%@VD`>7)#f}Z;^#s;#i7Qq~zLl%_=BLz9&-u zBq}wWSI~n3EpOc$wI*I6d9rLWvDZw|aL2jGAj1k1xOQPFt6`QB8&RK-29R2UstFW} zj0j4{t2LnoV)IidYBgWAG&3xraqSQAp;IdtLn46$2O9N3E4qt2*&5JeONC%3VVaP1 zKqVoLL~A&j;8Pmg7=G0iMqIh&2RG@r+_yeeIO;je_ao4=vLM#y`@21NQ^qpsR+TEI zMhkAv6GVt?>sIjWi-D6JC}quklenfelPG$xmYec)CEQT0E<}_@uSgs>A2u#qS`?Hy zmp&s8&H7PRA2SY!dWkq|lx&zm_fgfs!X0z_f=D@Vm?Ra}AdQE)QOF_Hj0=^NaylL< zf84TH=t>8R)4gAD5HT9~M@>8u?z3{Dw)&Bq63!cico=Zi8nn{TsCOomV9uQqo`$WI zhfqHiemGCI>$M0W2Kitr8MESXRc%>;+5kKl$Hs@2>n1Kp`OpUhNyt{S);f~O&K=_N zCUS?sDf8j0=v!-%h0}RERys{NBUpk;=nXR}L8R*8zffu_SfuQiD~m*;OqlAcLRrf$ z0UN9$R7A7$W5wF(KXdZMbaViLxC}|P_ZkypP1y#nU-2}{-vepvDzn@Qf`_;C~; z{77e-^$TCj2D@4!fOHt3YH0}Ew*XH(?IWmll|Iu{b3n4ksbne55=Yr?+EC>V#q@RFs5EhO z9rm%Tw)!tn^%6tHesX+R9lmV|%lK^o@Z040zb4#ZQ%*v<V_b?koOMc!ZuG81c0(Z*G zf}Y!{hmRyR&izp{)pyt(3u|v{(B7Yh;b~b_xu4ft0Xbd%B|S$20Hwd{RX81uePdV4 z-E6TukNJI<54^7~*Jnjb!T}lj%dNG*eQ}>bVS8s@P}xV3JoAfRT#ch%z`W$rM#1W? 
zlB^@oD(Kw(vHSh~$++YAkkP~2p}YUKFSF^*Vp6PbfPO5`!CA{L_X#`T6#M9r+!*k5 zzQgq7*v{!^`Ly4{^!i4{;SS1(5_oM8Ql;bW>po6Qt95x*XRiHY6SZ*E<85+vG3RXe zF4)w1|JTA*3t+fe)M9j~=eEi|RuaeO^C*?)=sC8N5=GJj7@KMpe2INfdigPu#m3xw zJyGQWt1ivhcXx=>>$yaEmD~Aj3E#f6W5xJ$o%zW)LhxdK&AcC$ORqcI*lPwhugC1+ zGBi!7`=28@SmCtc!!*&MU`Go??@1dT$oLRM;tQJLegI^hfL?7Ssy2t!w;28O(kj zl;~@Xs##@~uXbhp4YC-VXeN&HS(&1h3cHHmQnoxmwF!rYkp)DrZ=9UCcd!dTC%HJ9 z!5|&tW`X6v>7h&Wf6U*1YVPy!{0ZMKHX6pz$+bW7WlE#M(oyhCG#FAYt(NoGgFkag zsFo4=B{{5`NB`SLJ3)}zQeHw#v#@$4XA`z3C`cn@Y*aMnR^`OXyD|hFi_dn*ZA}cQ z(x?Fw5}A-Oebs?TBX7&APU68rbP||A9LW>g&$hp`V>G&i=@flji!c%SkJy|s`$#q* zJ^fgO1pch}$3!zXVJ04~>$8!ReX&i(C?ZgG^;8RJNODsVt&M*KnJWHbBdLq*Opt5j zD~bZX-}L~93N(s-7G$@MVpRQo?qiQgb^Wiv90r*`XnceyaU$h52n*AoToOJazWfiS z2?_=kU73mlRCIr_F#6h5eV+CRj~rK(P$i~CCc8{GIOiEL#4B=)UTU69KV)p{=yb%l z)5(<_%mNPyNJeU62`)``avvxQ7;kzR3r(|qMW2{z&am#o5Rzsu4QWRE_yU30>FMJ2PS&; z8KVI+iy-iGyn>r2Ac{<%kpUGY@c3bCP`tXvH$ zw@V?jy@p8$$7(62WI*|&E|FKE)YKJPED*o^8;x~x;gwhKz>AMxZWfM}>^rf1BPlUj zM{1C{J35jepJ;fD+$K0YQ=OP>9mhbZE#Giv0NI$27sANj?r7Md^Yr~ShZ;Q;wn15NI8tgl!K!GVmCaW#4LQ=;K zp*RKZpFUZj#VZKc`SJaC3t2+~$37Dk)s7sk+rr;+=(}_XPnt=U=&)J3h2;8kZMe0H zB7ZvAGP&uFzUgcR{Me+=+g2@@hY#?AVQnh%k8uW)a9zZQ5hgh{Yk{n)xWJ z=~>yeILsvf3n2Ype;U3CcNH!zy_xj&Uu4o&(%Q>z(ff3`Pi$XBVw&2x)>GZ%N|5ZA`vnofCCU;{&;_ zqtF?P%if%oNeF`GCo#es+eBT{PTb7rW7&&F;Ft{Aiv${K3A1M9DE%Cy6y;TdLL{jhPMWI>KX~( ziXFD!^tcMOJ3Ly(8MctN-FG}~rusS02;6fx3f#l^8~khzTX2=RJN$Iv(4VCi2icpV;UYZ-g4_Bp)wJ7#VA{Xw=H0&b@2 zyzW|W#7OlVEfWcP1YW1Z9;}GZcz_)pLg_64Bc=pA>w5GLO*xb?z)lJKYBe;^NIb6+up$IdYBE~yN+5$ zw2kibDUrP{rySzC_s1W$UjJ9Deftli4qD!VP|!dzpmHwq1<(-0f$}mSAAMd-J{tb+ zVF4hJ{03Os&v$wxIX*fPcE@I5r;V`EQ}Moh?Gtr95VjmI6e*lXgHbj3Yv))AWg-G| zKJO>U3zyVUm>K5l-?W=a&L86jo1`bn`udTsj-gu=NtLuwii&E@qna&rfrlZhp@FZ$ zxmNKfUb-z@0@C#tjlzIzu_RB$ir521Rs#)`bQd{y?ov!V6}K}0m)n_YWJLza;w*5( zo#J~PX{yDs0ilmq4&EH%S4FIYyhHs<`evVFHdpJTFVnpFD?wOGE$8(GW`5n4=G 
z?e)Ua0H%Q_M2+ntE$O2i-1F9FnG-!>qe@K@b+UB5TJ+{%C6K2EW(;FN1U{BP2{C7erhq6p@J|hx(Zp6|AsV6xidTtEX_N+QuDLAQ&8kTg+*4M;p4CV-B72%lp%0LJaWiwc6wU7MJ$OF=qu|CR;dNa1m_M(9*22qgEZdy$vgBNw!U~!6TEB?8T)U zCH>*bNV@8X%!-89YWrevj8$*RNS$8eVn9cgDd|*hE=k|d2XpHAilGA5V8oWKmBrg< zpae|Rk%g3C8rgp*z#_xX@~$zO_*4Mf>_Z$Evc8 z7OU#S&BH%rED^bdSA!BE#FpY<_>Be?8WhBO-7)uNC#GPuNgsK(GyBL zob~eOFM}bNFxC@pnjS8fIWY8pExp?)|47pmTiohlMsOwES*2xO5ku4?#WZOKRc2@? zMU!KmiA+O603yc(R~qSVWGUrB&B(IF`^m#4%#O9CJDMO)wZ!0<}syEVwz_r z`fl?7;N1xY;wu>GlYJg^1RGiRHiI?efcXA3u?Azts*#5M`O;*s0k2LNbLG70zU=Mw*!>Kj4lB;4`lU7tTkFu)PGCD1uNt8AF_`JS#@#stP} z_R-Tcle6qTEqsu(jk5;%Ds4CEeK$V+gBvtUpZ0lyQFlq1SFFEptPP98cT-rl%#%kl zgkqG$_t|tYXeR_8%k%E--wPe-%?-f!?tWRHhw42J%`$%J8kcsu%qQgQa2(1?6+Ej~ zk5j(T1zyezUxYYvdF}q@PCIA(>3Qk&*t}Bik?W;e1C>&|zlpaA`;%h=tWq>*1elvP61cNFhB%X6eCmj=H-F9^ z#AQ2u91@V6yDd)S5p|qqb3BTdoy-_Y1E}FeO(%hN99c^8O zZXdWWeI7HOf0BQ)T@5|izpbKkPc{wo_-=jNh;CDbPX*|O#rnEblqkJzqreJuL-non z$8Eaqq_pkiIkX=w<|V9WJR@6ux-@aWrhS?|xQ9p8c8@U8*FFLbodC`a4&!&#DQmYW z{+^kjiUmBYo|dnYUZ&?mdg>hKfv6f@6U!{?o-#p;@Vt9UbAp5%@VE`J_`kd0R*=YlcEQ!pPVZJaJ3cP}XOS1>6~MRxEscK% z?4kY>Ah>T9@SL~xBHW!Z;MK&(=+bvQ#r8F3%%p%wBmE>{#q+dD!;h0_C0OSI(|+*?c&cc?gGn0TlVfeq(t zrID$GZ^W)Ba;31cQk?o}Xa2RBwaDV&tYMXMM}~C%jzi0n`{WX@=;0up&>gvC0WMY4 zY*eXT6Y@^#vFG7AxBs@rLxaW#g@2IOZ|V?h99+tu|jBgxu#bBg2z>x>D)CMVaZ7>CP1b`Q?>Dv#vcR;5T|?M<-y9 z8;_ucz+xG$Vdr2(1o!4SF1dNw3>DOi%82^%x#r*#W7{aLHdIbMqMD*G7is*z;uV(* ze9b?^b^pX#6l6N0l5PBa*65>mPokMkc^A;K$TqJ{btw=ngJ|5%N!#C76O$P0mu?{KA$lz9}H#lwGP!sd0`pZ&GK&r}JO-a|SDd{9=&f zxPRj^7J>shi+>EkgB|kl(VJ|S1hSqr|9sqo3bDF(Y{gZ72LvA&URTOQye8h4Ud?J&BLJ^1o z{1K9pR7s)1kULS2yH3ajPGYO)Jg3^^!)<~r9l)jlb<>V1$1#uBO5aGYsancQYlA7N zd{zH-M?sjk8^dSAk!)TE-<(4eSLoHsYVRS59g|4TbIqQz;t5-AJWz#?kQ` zWdM@!981pxpQLP5NnjdVLZq!_9L!-asqVEe=!eQ%+NasqkHjQW33vW&FYi5E_CyK? 
zzm1}N>sLj??{BK|nMzH@_E#C32F40)IR?0{T*9iKM_C+ygrgsrh3^!8xBV*JwaUEy zDVCNr*s2tpXjHjkvO2AUi!QD%mKZP742;)>vXv@KNaBDQ?ViE1*be)f&*FsDdOA04~Dk&F*hT|Au7al@>;wX zLTQRwe_c_#@Uk63CpAV{^8*VCkjY`O+H_9iYaHRX!!aDs;r3Xkc0#5~L`(T3dUXO3 z-@?|HD5`ORW2UK+(NmurzxJacr+EJT7eI@m+kchk0hYa>kN@#a<=D*_-HbeaC5veP zp$Q5;20W7N=Dowd!9Ak{eaDUdj(O{U1>*Hwrj9e(eL_e>_IobJ(gH<2p4yx+fJWvo zBjmUlPmP6-wvooOqJ?iuPab)`yB-}d+rKVlOgQ!|LWEED9yIH>8b9w#A{V4~zn7eC z-)nUVZ6l)ade%l1kq1|&gQLulGwzZr2#!bFXe~wz?{dW7yXUq_SYjhb1zCF@ zP*q!P=R&6KN3ids;zieML!ZIn7zO}z>uYDA)$Y0MZakk$bMbIJv@xjdXIeJp)c$^N zoYNWQIdl0n14m8w{Y7JLQR-Im33%`YbR5q)K4$la!tzXPUH3ca*W6Cp^a)w-8P*O> zYEt<>DWl}wLAIKo1pW8V>M!C-Mo60LIrIB@j8xHrKuvUiBEH-eW$ZBu?K{op>HDK^ z!jaeZ#yhQJ=Iuv|FaseVAYi8bw%;5KkGjT|#KiG&c3ztU<@M}Q+KJ~37!6{+1I1kk zL)~(Mf~+0^pQJZi&nQ}Ee*0E!AlO4QcfH`>^FGb^0C|vT@0V^Ha0I%(xo7;#z~iqB z{vY8s{!6$;z@TkZufjg}(?S}iq$Q{TJ8b!-rpmq`usm?F8%XC4uhS`fh!A5AKbDHX z8ocBy!?#s82ZuzQJYGbB5YAF_FsVhg0gcGBCrsjH5)yW~Wn=wh67MJvKr1I;MbPo3@IE zOlNeV16&cwKE(Q8bfT1EV19wOsnSPpR%BENj~DEFx3c}p$f{JHJvH}Z|` zb&6H9DLDBFV@hJVCPg&(h_G(l;6wFjHlp97u}fsS5i!*zqH-0kIR<;}#zwh&% zHF+2P&@a(occ3c-#}FmiJJUi}ZsQL&AO7u7kAjCb1O5|X@W&wTBPx}?1Lw^@7~StS zm@s%oV>nn{X1H=aMK`GG6+Di#DXw>>Y-A-+VHSilzk=E=zHLZ({@|E5&5n0hafDs% zWsRgXbjEW~c<^E6kk#|XXykJsL9FaNQV>p7xe87B`wtqmLu5!J#zEFc8h_EHG1tit z7PK>Iyz7?kDAA*;oa4iDFLyj5@kLR%q6SO{@l!2QRq!t+_yxKoF2cuoQNu_@y=VV}$ z2&yX{4BhKgT4?f?N|k(1W>$Re%}{F$4p_IY2xZVZR=cEGU=RwTE)`G5l*orcsSKgR zF^s`>t>h_Q!PJ*gDm0OK%_$W;UjFK=rZ`@rIJUfCTfq+r$gO>}%~!=PEQZ(U+)xXi zz!}%&J6mZ%2Qs+X@ixQ6`Ygij%WKs|Q^#oeV=nQ#m(+B)Tdz+5DL0DTgQU#<1db1} zC_f!5II`^2%zaB`D>_WacF~XyVs|LCUgJ7%RqbVb7R?}_xGgeOB_Hn&S=Hr$+y7Ej zoTY}g=`E$zf=oZ7IIl@d{OizTAqt3ivf4>hY}-D=d- zVitGuOe5uda~;fOIbDJmTSu~k`?>FN9*}o4mB@$?EA$Jvd{Hfqpt%uO;IhOdkRTrXvL8Kj z!p+psb{4W@ufJy+5qs*#?0*3yDZ0I{JPC*Z?FqAgC0hTFcWPL#t7Cn!_v7kO)Wh#0zsr_{(~2k;=+H)=3a~xV z$N4l5W}mq}A1gQOd4Fd^=zgYkjd7ccz6jf^g6_ZGmb#m_{SJu>11===83s+795!CwM&pg zjjeaXZhWUte^vkDeP#IR)7A!&>FqP}6qoKf1glZS`*os}_Iw}OQavMV4|2ScADHaa 
z&jz4*Y%T(?v|dBKBtBOr;`_2)^k3H(n(Vqcd<|RNuM)fR?z419TM%IS*3BYeTXX6J zaK3D4T+Bp$H+TlDAAiNt1a6=0{#iuoRxx10w*P~Us_=A=?Xlim=nBSg>b(p4__AZAY}NYTVujm#FOU#-_});{%b$0c z&UM~4e^71aUA~?_pKgUM3wx%zB7gsv~d$MWWYb(2CYLA0S`*s$w#Tlh*4N zxtKZ({i8#h`H5fTk(*n{uGZr;fS;(b*q7Vq=Ek%7E#WR}iYxc(ei>Oq8IH-{tL>)b zi1@|MJBuC%h;Kk!CGZk{SRLAGNCh}+>0+F!cJJ>WdtmOc`#5j}Om;h$wdML91Pg5>(5cH-+8oqJt@ZK9;tlvmK<&zh#s`fz$*J+J0-4yaQ>t40s$(|XI~22|C|mX zfbh)8%>zN_@31>&XiTh&%mH6P^(6OMA4f-?pUN4sU)gGJlHP)8A6x&vC^*>@(JNXe zCsxTN3^$E@IIA~Qf+-lY+eq8}Zq;%gHFTdxFn`ywFX7=JGSJSjd~Qs>K2*<}4UGGIwh9 z1g~{Q%iF2qRL3klQj+v`(t!h|0wQE*51k0cX2%NK3FYMB!+LCWXic0+qn5+yF>L)i zA1~sw1X>+JM04%spdC*jXb|$(zl${b7OC$l=tF*3C)#qh5X3lY3gJ~h%xPNDi$=|o z5%;(U5Yb+osg@OvNOdcy(pfiQrt~fvOIJh+)EUAr_vtqAdp|IdCpEleTMZyD|iEJ)k*a$eD47 z!r)@Gg!z+~+{QpjW2$Ep+rSt?4I`F%Fc223Rjb4Qa?86!%`N9QEc}sG25h6%;oJF8)tP2Kt8xEFEMh;==#vGqobA+<%rCiU%*I6*b@jH@n9VWp+ zv(W8Sh{^z;Ca30Dl&$J?Rd29$U`kjhvEjLdSJGKWM#6{|>{dVE)|dearsa!+ZQ!Ni zGfMjF-eF%~USOjNu~ieEVUFlYmdUafN1{h0MR9N=aH%J8XI1 zFLHg1PLj;0(n%-l(x-~6TNKR?hR``67HZpKIu1tRT!2zRQwZRN7z4)ukA4a%Ag7enSVPpBd zo0;mya@huje0@$Kx?GjBWlf^2FGGnOjm`0_bPfj9Yu6Irt%gb+k31n1E$Q0z0*)?S zsWVW^B?XFCtoSj$-1Fz)z2BrW)exqrP39^qz6+i;UImwMEba$L5Cn^qIoZbt8hITD z9M9dyzSMrIzZ7y4USDMneyFphxp+lH%R){i<#=qumCi^129Gc-601%&V`X|60_Tn_ zHvVe4=CI{2ax7t{V9j_$8&Ur-V&|;L?EPIt$n%|DO7j7I6AYI}^e;_INN}5)C32Ps z5~XMd2CfVG22+qGjN$MpWsazr$Cynl4vpx(Go?~21}{6N2n0T&$E1r%w9~HgDHL07fLZ$XVVV`Z;KFH~2%|H5)a9bsEM6ioD8N3+{(o@SNA@lI zRrYme@^uRZ!}uw$KkTsj%dSj=TJ-Z9HSO+~UHL)zQ~Vw3JzQ*zc@si1aH|P)?y})P z|G?Cd6JV7QijQObLfCs|dNtvj(=mT5&*;9nhvLZ7skC|9fkmR4%j=io1q(VIvU9EV zw}>($rtRL+J#G*tC}Z3h9ae^#xSy;te!tG#+Y~UZJH@s`4NXDT2lUa0<7_qma{*`u z?+&Ihd5`2oA}C3vrZM+^#ztX#ovrjK{q0vIC|+}7@L8gdBd(aL!S3M<*M&l6P(Iz?0*pP#0@C%iVOIFP}R1v2U<;|Cp*4jLp!v{;Iic^LJPp z=nD}#{>)rAX<;N5+N=KX_I?v)ynEga{<;==LE#0@1LQy|w}1?8)-7;078rU>7PJCT zfDR@mX-HdY(=P|3n{By*W(T1{U619<*oGb!W*v;kJ+D)@=RUiTJKLjyd<4#H;FtjJLNny#2Eh{b%LPb?XyfCIQf? 
zV3qPX!8-fZ@AUy?$)-mwY;T{ssTn{fFqstD2M{$RG{-F~Mt_EI@j1qRsJC!;)F)xU z*ZHHbYANGm#bt@_bGv^7N9Zq_%$*ueo}!G!&o-hfmkWKS zCu{3EDS?JLMg&DETlrV<*Ys=P>%qGf#J#JSbuhA7YYdk#nwRiwmS5e8Ttc}>Ex$c! zNv3oOjHqB}D;kH=Tml%uMm&AzffjghP&2*NfU0r`Y4HkCj9L%ovh?2CFCS|4zy7$~ zk|XgGiuhTv-x(=kR2ZG^2W53qBQtO`VgGbk>MX1^uaylsT4pmU7Q+}Xvgr=RvWH!w zh%j%mdGx_i{zUrWDI~6!p~A{P%vy;=D?ZvjMB}_E{qE3 zRPqc38lP|ECLA#|^N#V(C7dagY;0jztWFx~4GGhsG8CB7fe1~SR(hBGF9tz7(BAsEp{3 z6I-eBN(d7@Xv#QAy6l|Q_}dx@bm(wojZzYhBr%kc>tPiFB`{cO3x&a#0lsKJ%DW>UxYSnUeEj>X(xNC6!p=h~%0P->ndp^oUA{kM;WLqi76i zk6wZ=g@_Ta%_&N5)+SA%LCC76S}>&-o?HVyP@07`sNr78Ms&ahE@mHit` zdqxX!(tgGu0P9e`R{S7hy;=QEGjwEMDQTN_;8-JKw>c=ob|5UIbWqCuG{t+Ie3&yo zCo`Tci<(xPvp-{^g^CMC4my*#R8lAu-JnEVG=@d6){Q79g3U(=6JMz^SIu{<`eSl! z=Dz?+k$j(N1H6TQ2Ai#Hy`lX6({uzd9)ft%IcNA8CyDaG3|jTtvjVxyl)WE?)GaBi zq=TWs7s-4pIutnzwEGCptA5S+yyL#uQh8=y>$`YP5%!57mHAex;xa7^l>?dAd3X77 zmE)WFJkp}gck*i^Z`E%ot*DH|=O}V-nX3;}l*i=zn!pcgeb6}=|4_QRy3P%lk2>wE z^9Z`xbr*Tgerme<1}oV0>FQZrg(CFE^bmfOns-#=cUUx2=gj4LV5kfF!}(Z2NSo_5 zDqBVvFrLb9zeqJL008VvvQt^fob~z+Uumt}#n1P>&7v5s?6$8})uB#E34>0gPi2+! 
zI6;$?#sS+AJh=iJox5?uMmAfUrxWH{=l0FFv3+S_)2w^%FuyLiup!($M(p^Jo`gjW09kzktiNW1mFyh= z|AhG8e3_uPgpQ&&0A9178H~ubpVeMZo%a^fxxE7uR_oq8BaFR3$g*UnjkD6dr%^v) zo{M%J-`%ATW`EZW_1L&JXvX4$ zcIVzhxOT@?F~Jg_nfT%Oq7v^uioW2`mQPIUq$SCR$KIF2EA6VUMgJlNIJ0#N}C+BaKkhS>WU6?_zOx#y!e@8W{d1oKGC{j+m(VuI20p5JqIWPPnewC^3I>)dPL zbG!6u#MRiy{;H^}4&CwSWv`e-{EATHWdm!SisXH#n_mlYo6$!fQ=0R%Gx!p8R`O_z z!;CI?49NdPSqJ?E`F#bxoC`m1eQD5e=1YLy#0QiQtA20`P#=lPuquy#ywm4?rRtRze^nc_bfH5AxLl;%Ds1Yp-v#SQUQGEFDKU}Hyl=H6?9E3A zSm*{a9SJGLeCk{NeYdjID8wQ3qak~9PE9V88VaB_kJ4~8b(icN{xiii3&HbS8$Ptq zkf`MPH_t()di|^kzdBmYTDwU!>eMtGuGzB#M&1}>*kHkWRoSVazBv!eNFz-By>rKpa&AJ$F?6xVzbuL4n-f+} z>jk*w%&Gdr2(8=W7qyG->z7j~^-}#yHaXsOG=@^-dZ?^v!_H4+2a!Z3XnDaF2}%ec zOOCyd|8DE2u)^@dr^1%m(VhOA) z)rp^g3{w%&O_P@Zu&}y11TFKBRmY;bmt&6mkgM;&8<9*}6$)Ig+=J6Ij+%CK=b z$Y%aEM|TYRsK{^KW=Sk~2r-Hu4OkjY2N9AdIL-2kq#-S*`pMS$M(m;B>DSzp;*kpw zKqu>K=ow{S6o^oUn_q_n2~#cb7=5{Vt1% zs3$IS+&L8nOjZ?$zA%kD|Cw7`5^m^}y^vIHS1gvFs#H!||F@H!RAzmAX&f&r=blZq z>-gEx2{U=I)HnydRi%F$?O@cfi=qA9?a*R^C8iNs2dPms*fOy)n9TTUHn);qPC-(1 z?HCV#$p#y!YNzodKE!eox%llHgomqQut|RB(3U3Fm9m9Y6@KEe{B)xtkK;Hdv{Fc{Zc~=#cJnyWWYbq z^ra!y3TKa#amI51gBsw^% zLQ`=6b;%(yYTuHpvS#|YE|7#zLLKlG#JF|&DcyJzrM{I!qehZu2TNMbVW8FWT%Z2p zt1p02ksFNVtk@4})*jHaR3Ztrmc>VVfP!50`!Q$1sJvwRK*RjjyjWqOT12IosM;m1 zy#E>k6`#39BN@w~6sKwcb1_S**@9JeN~6#QwnY2$4}XPh=#y-dGQLNy1ESsd!Z56% zLozf!>K|tpZ-%+hXk*m-PIi6@YwS=<)&CEl+)Tf~zIK|z|Li|zv>SyCL9R+?g+zUi zuOtvqwBM*$qX#}sK4vESK7g+zw`X-AGLhs$8i?U|fcwXcV3z&e_|(&S&qenHbHIMG zxaZ4R>*?E?XD*&0U%Pcy^s zjQ2l5JfDE62jOq`CojTHH=rtAkiv&De?M^jh)^ZK^$bw|{fHE#3cKgu|01k(oADql z`3cklu_x)xrxzcn=+0ZswS`uIbg$WUB2Y?4BoML5OwC6k`%9u*)gR!%G;L2g6cq+{ z1N${~$2tX>GrbSPGwy#{8gse^uoM!7&FGVzuT&O5tIFK6l*M~N%e|1X(D|V0ik-z* zq7RDUMiU8^u}^crSjaG?sB$M^F;p!!FNTo5rbawHw9Yp4vnI+WMCig$d}ZxsWOQ%L z_QcxWyQCB+I?vZI5aI^7;?lv$mJWDmafDKF+D>*~p#n9KO{xO6E-Zk&zcleF{OW z)@W2ig(cJ{B$Me&Zk%(G_#<$2qY`fyh?c_+NhkN(!9+95SU{O5=dkZAaxyUm3Ic0Y zaxs$s%P(n+l%dooR3L?6;NV-7f0m_*q-85kuJ zL5j^Sw_IgZ!0(X~jb&M-TIvwtCC-9QFFnG=S^;m`Squ$f6bRHK`F~V>V{;u~w|3(+ 
zX{^R}W1Ed_+qRS4G`4Nqw#~-2ZSU-p_sl%!nfJ^31NY3mW?kIH55x>}!DIS>B#Kom zj|~Xavpk5YBkJEZf))c36-rI@m#!EyQk6&4{*!rGPynm?E4yn!@a(**QBXFAd}1=I zlxB}atAs_{FyAba9D%B;9CDi93#Xek#!SZI3`oq(`|ZufEdcdSF85R8)v$e<9Nd7q ze)Y&!A4@V{ihR|n%WTSIn|m3V2s;y1YmEL6!mJGGDK7#Fv+l$>G7S|3W_lYL8-l1V ziIA??7u*s zh#&H!$uY;}6O>)N`$hHWqDwL?sk1=jKXWvA^rw0i6GCi?Gpp1=sOBI-h~-KPkB~{F z?pJ!@Ry;&LbA!mJM9Zq}NuetKBbq!04mQ2hkIi8;QDfP>jWV*pOB6jTewP_2NGhM}yMrg0a4nQ_Py-rg+kw9tHGElwwi1%~%dxxEQ>EDelY{ ziRm$&R_B}-kP1?}IR~ZFJk55h*<(3f6<$OH&?v`ug_Ul)db!$_r>u|>WK#lLo{7TaBb4|DJn2|vqp?G?TrlN* zo*)nlQZ|)YX@;1T;f6<kx#ijcT1~e33yp*r z6@{ABH&sN3@y%n0s%YbHI&I>k87Ed476&g8DIg}bs4K>>U zqS$`NAEcNsV*+=CC)Xb#Z_qDDfd;U!1F%6K5kT`C42DjV<*qzN=YCapBz+XSzk%8U z9v&6q^y}w&NMk+Oew%W;!N*;WC(ra`_G>m?#ACB_-XTp-e5Y$|NcwJ6Yjf;9CaXhF zE5?mk^#|ATt+uP=$-eH>xc^9JvKr64D`e%i9om|feciTuKG&5%-FMY@!!!Di2Q|q; zME4t6i2^nrLBQT=`R;bf<561vc8AT=gYairr#k(~4#NW7%k3@xYyY;2%U0k^v96uo zTjYei&*ko%tasJ2g#Ffd7hu4vXGu2V`0Ee36hxZhO?dedSsVN_a>@xLVo< zzNWKLN*}X7L;wg}l&&kid+}>N4z@T3_}ny}4&9F!d^f%3lwf!l_1puF8Dw?uVeWU| zmpQ%0I7-}eoNt9+kOr@6m+RDRM1!2a@=(*9Q@UFNc+2b62{#0QzdhqF<$42bIdmVg z)MMT!0@kz0Zg2TivR-7`i3s*LaR%1oXWN3y-dryLTvId|SG%(=+UvsTs4a zy8vg49eSYVk6GFC{`VXoApec@M5g=Du(cIOjh}Y`&)chH5U{4J!fOqPdwR{_?VU$Q z=LvGF;47?lkKf94Uqs`9T6}xud6UK`xN6w2X9rwX`RenBYhL-YDcv88-)l2Fi`76@ zMd*J%N==Lj_`Y+{K5w_~aX&^CIrr#=>D)(IbA0aXs&2o3o=?-t56|?O>%insmy4Uv z_`Znu{idaR91-9zw0B;mhRO2kT{O?WJ8R~_?>P*qZIrp*7@E#@{=jMj2}FbR-9at# ziy$JRz^P$SjS-OLlLa4v_s01Q&|UYrPc{SvaKaX~I_xe5MGC9~BJFcP7OWI4<*}7q z%9eRYpkFW8zXtnE+`+!1dqbt-k){t8o8K{GS(q=V;p`7NMiB|-G26*0HT~iY3Q;1k z?`7qtUUIM)|EpDPy^2w$vi}p4-2k3`pKl!7pjYDhWmn22Ffv6y^~ls8Wb)olQ*@g zMJvk%w_=FI3k@4wOq$(BXl2H%fxiAk!o*tP4Jc+s1o;K0l2K-wiIVx?={*Q;ySieC zV-cE34PzJXu|O%jqzfUs0t0G{Aht&I#YR(^(+I5oM zyMMLpHaF_7LWT1FW=7?CAc4`GIFU?RuPvX8Nb45G&O~!m#6EjD1O{elBaCSxLI8(B z_Cs~TCOtsPuRKK}4wpRwf2FoPDLVDX+;r~R-GJLSG$v9ZI^0rsXbIvh)G=sHHBFM7 zq4Uz<#*uk524zIt&Y#5e8muUp7H>uTqsMoACF(@n{8&HjB!7dElhY_ix*^+Hprnr& z&@HekhvuXDMeSGEk`7^XIN{;S>Tu8=l3g3nmCqx8fJLTSh=b=Z)TTZR`;e>NBb(&E 
z3(dWvekyA?pmUmmC^{+B$`n%{zwq~C=NRywy3Ym&?J3Gn7QNC}fwjheE!wXp=|+G2 zC&U#KXG+nx1{L!{&}kK0?8=Lc>QEufGD7dXxDdb#$XoMMBELxIwuAx8*#u;?C}$e3407Qi+k7J+DL< z<|@Cs-#<=dx+ov!!i!eSDh#m0mlH~vi_-NV++>2%|M+LuK@%LWYt+P5EZpsD+2Uo8 ze7m=y6+a)^P5p%x-h{d)|~*{vsTdG|Bhk&xiHwWv17u?bPY1iS~zM!Dp`$ zD=F+BOuY1pJmvN>gFP))wLmD54gC3&fDLWLqm`Je8rN9PlPsj(Jj@c#{=t7#JPC^Q z&>Sa9g zQtX;$mCBY2G;U!mluBh*6(*y4VvHy{6*PQI3?kv?oO+^=)ghP{78?eJ%|D8(ev{@g z5^1=k7LS48Co#`5U-C5jzwwDh|MyQ%+9%68=#o}5=Psuqm1}K4zX#L{DQCb4nWvxo z3G=B9^3S#Z^YuN-_)`hz4fd=65Iw9*NFOG)?F8z1+n((xdEa{9Q6t;rmXSbN1_;7-+QN@)IX|m@B}=X9mm@20WRM=F#V?Ho{Q7~ zH|9w(c1`+RyEl^-Llwu9Jy%u63|f1wp3ZL9^esA;ahr(ENv}_qlwIBZs`va}c4N|Z z@2fG*yjLsUGk~|562S8U+VhIk(_9#gKfw6*P$1mizNGqsO2yriY-<36qRBz-L4lIL*B1H_o|B?L~~?_ECM)ug+BnnYm` z_H>8M=*Rc8r?57B1Yx|E>C?R*``Y^$mK}Qad>(pjb8UOhzJAkar$~$eT)r$L>aJ_S zf>x!0z*e{F*SV%t#|yD@uo<@+&b!P6yBzmvO)MWkd+<%hVhp(aD-i9U{oKM#vu>gD zQT?)B+xqt}kCyh4*#4%Qs$bK`UP-rea~1qdZb)%*>w?$WntQ}?W~0*8k4nKz*FLBt z2-o{3&z`c4`pabXDZouT8$CY&-GS})4J!dneRl{vf%X{@8xc9?Un<0@;UF` zVG4TXv9DjTHGEV=<9m*aVz@{m?0JmdKLWmRx@T?7aJx4H{H{$h&c1rR?CTJgyuOm+ z6S1@($`b4Wmo@K~8*K*9=ZGTLIzBTUOI{_lThDr{rx6<1eL?-fk-ZwI~gs9|JN%eiaK}ohor5qPJ{uG6+te!kPz5mfU6C#+{zr0Y4DLYM_1ua4y{*C% zcM)PDeqw00L0c2%0*+-P;cXD-NeY-@W(khdI$}{d92RuEGNwvdDaVL|zJ2K53l02L zX>(?j<+U=~JCrZ9#6(l%;Qp!N3`D~2#&Hgr{W#O`BA{O6KB*%;eCqUk`HoE|QD@M@%D ze`h$#Riu!mgg+{QT_~^2mN3Ar^baDPP9e}Mve#tZc&jRE{HqkWCJQug{I}L*=I!h6 zkf(V459>W+V%TqkJ2wYppZ^&i2VM#lSe?v$0KW4ByB7Bz2g=}=D*rxZ^IC@V}d;|n${H1r|1iD1r zD*h0J_iPlC_MvJSXgkt{SMZ1^@@PnA$qFV_#fkY~eA+1Vw)RbU!!?EyZJWdqQ|1DH+F}$^lu~W_+aEbSmPF5OL7Am`WTGOs=>%CK z%wjQ^+P`OtYzTJdtBNPm3v1l>y@pZeY?em3yu^scS?uq3IeC~2HHV>dIl(eqqZ7Pc zD_E_H81ptKp2D$-R8m7-ekqGeBK}gNQ&Zwbn1vKk{YaH_4=`03Dlx)b0Yb!2DYw z#jDN=W3QJZ9PQS2!J-3S&Gc~GhYvz~H`SKsq0yN6LZuCasCFFm`ekY=I4%oC{vuSV zQ^8vRw8%vp(&Xi9NpjU8LrjkdO~3OT1bgN~l>1V{!a~$r z1;CkdkF`R|^=qD`6=nZ-fM_F#V(q`eO8%GCerp7gRrDWz9kq+b@9 zuul;o&fi9yQosn{ab;Uckb9-yPBzGGE@seLtl`0fXAkG*x=n{D=6HT!4;{e5fum%(9=A50XZ}wZ%FO5Sj_YcFhVD(d0KS%0 
zros#OX2{C2wn6-hzMd6hsE^6R?VcN=K0kv5wwRTpQ4Dt9Hm@T-?bVja_g*dgYjJn3 zex6$?HO<51z8V;3yVo7`+XEoSR^N*KY0sB0>RI(#y|37s?rkR~Dd;AriEy02;jH*t z@ADtSOAfCRZ;0OMVwKzU)$94ZH_Zp=rqX;|9x7@-$BHpjOj}V_6EJo&e0H|9;R=7Q%Dd*aRwwRq; ze!#^B241gu-tL903f{H}W5@>F?t=;*nHF8|7@ijH2m%geP zki!+KuX$Dn;PFmM+s@hEukQNevB0!@6bN$s08u;vGNM5GV{hgkCD6>X58B59%9dva z^+$i4q(S+gEI=F3E9MeNrXsdb5-n_=$+BMIlSP*bWXWQxy+E;vBbp4%+!s%CgA$~! z(ivZm$Lxrf2&oJ-b`gCl6k^bJWSRY0urp}K1}<#r?ke;6Zk+PxQp=)H{O7^|T`!BW zM#W;y5t+cr%TKHUOvSUtEXTcmrlQ|_sR{#SdV%LmU!Vu0jQg9d_FzNX#64FwAUBCyG z3on)_gQOTjwK~n}FJKAb>7Xc_j3REs3`KUu(nvUW;pv%UVd3I~%shWlb;kX1<%85> zM|JH0=BLvaCx~8~ItK@#D$SPnKeC2}GyX^sFQZcD2=7D=t^Jno8re(QR&@}iqzbvh zpbkp-29(R=oLzu@*m08mDTKm|e#f{*@cx@~^TaZ+C{)WP>Ru9?{MKsZvJSgZv?Cyq zbu!2m!Ge6qt?f|D_UAFLQ6OVk;z{r9WI{NF&A%9BlH|ogKPl;O#ptSDmASI#$M*f? z#@Z<&<6c^`STlRU05?9%l+8Pbo#kOZbqgox;A2iieC)b#|MK46h1yf7`~}r;*`6vn zGv;TR|)QBMkuF^TV7{527N`BC$SqgKx>3L_TnLH>$3P?ZP?1_To(QQUGC$XjDd zESi^`YQ97>MvfZzaVQRQK|1yy#=(bBwFNvXaybbyK6%qTNB@GdQSk*U)k_ZZ{16ff zF6Yvg-~gv@>w+?87p)3s$se(>nctTq0@cbAPBD4B@O9Q`rlBQQ0UR3L#Ck97GS9f8J7@|8R8HA*#l5P0^jBG@IV?xHdGz_#xi ztJW`uHh7V<)JYH;9UG4zV9H9pT(~r)>`bL1V*sa4oy5p-WtrkpDX z-@MIV!Ia2j;~dtFtg9oxQ2GJLFC zXAzlVF&z0)v{)z!nu20)SH2`4Tj2I*2k0Z>tw&Q&!7Y-wpkOg>rQ$%`Q;9)-@C=>R z*l=$7%#BB@4NICFw)af2#8)l}>#w z7lkA$7OW-1jcgJYl^l>1Q0>M-+;L*~)wUIOa5Mq)OoW&eQEnx)cSbtnN%`O!SJNqgE(hE+C|DF?s9jX3>ZC>mng3$&>xgYRjHlCz2M*MEj zVEw=GK&J=k@5cf(cl&()B5p4Qj=O+IVPB_e?oS~FNQwR%fhWR;>n{Q07g8)m!h#eT zh&jpdmhv{!CSC0|7ax)3GwI)Ff8+U_RX@D8j`wge0FyIxCcPQ^>~=jdaT*Vo5%mlmmDZJVba+=zFa_ z9>d^weDBz>4;=o?L0|pzS%y^eLdZy=*7kNk&ptF?e{pkqvAFI z&!M}>e^dBUVtXApQo|4Gmrhg$oY8|3cq~__>nUnJsd%+?-QV5StS{@i&OJVfTTkix zU0e(2+)c*q=x2Z0%IRM$J1@7Tb~p}P+wTc35m;paEE~N44!YAMcDot)Ed91h;#qBQ>6P7~;U&;(?hgo*MU+jAgJ7Pj!Jy zpcRlsPeZS3zu4LDeK6eI_MOug)@#I1x{B|*^LnFcRGd=ZV?z3UaGQ^oH^xKo^XBw6 zfx+RP!856w__6n(D=TI7JT3!q)6nZ27@}vq@pkt8Jf{Jx>wD)o0}^m-61SrXsr5Ng zpWx-E!!@0FmczIgSnWo^GM>kBSO*`d5A}%Qn)_`0{@$MPoEP9)aW{AvBd@RcN%!cS 
z)A^cy(`fuU6}{m;abMFF+IkQrVB`ClH9_dH!!2*Kepb^m!m^wRxCWa*BFF%})y-j~ zTs3RE0SUVk^v;X530HTZkNR;Eu2@)4UOFiwfEoH?lciVX_GIr0pv2{ddmE8a`{r50lUu23L_s6ke8aPA z-Sp?P4tpJkb|WX?@hhxEHM>YILj*FK!6o-fG@G&&A}MUflh<*^aaC)DlTF6mObI;d z#lmZnk(lC3q+S(dG`Lprtbr(zeV%FwVnv(p)xQiL+= zZB3a?=pu^Z+9l%eRUT72ZbRrSgp=k-69;2>kW?CQQn<6a9!!u^GqP1|)`(TrHv4G(2Y=MrBk^BJup&)My)0Dd>;|O8;o!j`a-JJ1+DcMH`1{Jk1CvF@q@iW{Ob2hLRzW^dqlU&FO=WjUQBqdzq+&CS!Qm?E{LL9Y zdZU7M^p(eXA|}0j;X(+v=4nL%LiHywMViA%rE02jNK|ROt+lx6XS{N?;Y{4HL^YFa z;c!z3kcm=}%~}2Hfh!i0wn1bC1p$^??AT`o+xhhP2zbwU%LzIK4ZnpZC4x1s&Nene zq~sA_&I$G9LI~)~xUUCs4)xy*LW%GlE|n^QnF7JjP<;wekwO%9V5`^UoBWxhP1a<{ z8h4Gd=4as&BE753GAEk$gbl44#5UB6;-QiZrjev1xL`_>;+K9sgsZH<5fdU?iQ<*J zgoleaV&D{NkBfLT_f2=QmAl@UO)`_x_@K*K%Zm%P;ynzwqG6i$yXaL$c7%FFy8ab;6wwXz8{5ySn}Aalx!++w0%i{WFW7*E@-Nkh(-K zytdubaM^RG`K9YlUld`c+lqCDKF9MV$1|PH%_fe|N0s@sCvig`m_#e}yw0I~O;5j_ zL$7lT|K~g@#~WJR_7v{t4Wf;+XZ@M2x1Bk?)9r8R914ASFYzvO_R$CqbFBrrb=}$n zTKTKC^Vf(AyiJR0zcii5y&FOX;LZ+||!Mgq@u`M>p@8uq;#)x0Y-Xo@YIQG6f2we^Wm!iK_(JY z+fVsu>R6ois)5<{wJ2ocevdB^)=9gkvp?=tJfa7-J9x{yss}F)n7_O0=Q1>XF5f;vfDonCbh+Fl(<~>^-Guef!?=`gq=Mrsue#{ zQnTxFnv-63Nxo=n?wgmx!4W-urq=g-)!b(+{~4X@n}le6E-p)iYb5K>*Y_v0SKk`m zaGlfAsO*l5n~A9|`_C;~q)Q1q5Sbmll27Sfc}|z-CgGK{n|s3{rv77741LeTv3k_l zd*)V5_Qw!f$%XqNo^^l#uN%YTXtuf@Sasvr_19}@gKEv;0AT7oA)p}!r;6;y2im@Z zJ|tQ!{x;w+kB%o5S^7e*>$FZID=L-)O#I`-Y zZBKww%%tY=QALcF4b1JKv!2F2^vE27&890NO%XN6sboDYn9`jvae7}a#nWh-(iWh6W)F0iLvm6epluwkH13Y zB&7g9TN9xs85TiNr{F`WY7=belB9v$Bw=dmbW8(znKdi2CWU8wSy-7A=1V4UQ5f4r zQm=ivMJ|(d%4FzaF8)q6nXTj=<;DhSBqB!neo`X$bl;+CWRR2a&EiYSF4Y=C9UTCn+$d^O;MjT+&>A(JU$jNrfRH zsZm9Y(AL_wM5i+*MZVvL5mI6C@NaLXtV?F?IKfe}i*fitiDrx`M z>H2ngpA)oZ#eYj^k(a7liZp^Lw8-2JCNmpW+OcV+{}hR3mWTXr5$i$*5D8F32){8Y|QAy8}YDjCXxepM)t@^Qi;txSFO`{79Gz0une}S(#)v_~k}q^ejP_EEI=H=C$FD}?&!P@AU^;*N8G5rOHT|V_6hZaX5{p;?z}iQvam8 z1Sh{ze6&OXg0L_)yDBazX$8R?0S!Cx&^Y4{#aXauo8#|X4jNSqOhY7F1yd@LH?-`U zKixN|DxZmI5>7`v)siP9yH~7wcNe59h_mq#aVTI6^8A~fWQJ!Jm4dWHYTU#(X_g+# 
z>Co+0{%$$qEz~3n0*KVUB0FZHM%XH1mf)sjR>tdp_mVS?-3N0n2XfPij$HC;HqYM0 zmY1Za8OU0JkBu7@vq^j}H>j(oGCYM-xrnc#MzwN zTuA1dg;^8;;Pgq;GWKlWwyF8t?R9mY(WSw40sD4a1-Nmt-sU>~cwc&_d!Ns-?Evfp zakKS57Lf=$E*JR1h;b`H)6#&pi@9Uk9__;&tY;s~{gZ0XO z!?WZ5N`sR3vzzv~%cB?igYJFP=Ze0BKTchMcduX*>3yC=-rhI+0lgmo=1KTv2I<>v z!2CT@mWRRHc5~=f;?mZA0oo-WR)XH~avnb<#eR$)%CtVfIr0^_I#N}r%iek!EVA@z zVe0u@!J+YX7?+mTvCnlc#=v`fcC@ai-?O`+trj@F^&(Em>%8AJB!1oDb|sXe7uR0r zxqT$@o}6UwvELL@-HqkP$n7BguzMulLEyOR2heh?-|*&Ho#B0XaZHdVylH3faoJ>F z^NXl_c(`8T1a(zB`95yjaZmf*@K6$ZR3T@l?Qv`gc;kA@yme_e)3@Y!XuNDijNlJU znHWaYd_+vAm%xelc~Y}vT;?AU2*}#H-Fh88F4ijoZ=QH+x<0*+ zb=xJbx}3QIHvIQ1wj;J|o|g>LmyabFTc4Z%5l8`%-~jC)TqaylPxzz!i~JyGCu^GD z`Ugxhr#S^jl`wNk-`BC*n{z5~*Yc%`+=w4WEg4{54#sr)MC$y)lr5hk^|+S{?xV`s z&kkF``JjlHk9TE$J=}ZD5=Cg}StI;oyu0@)(3i)WQcNFq!+_QUQ}$7 ztLR6lP(V2m_8N^WMJA=?WNRw-I#8>ttO=tSMx-8-80Tx=;D{*2h!%e<)UgUn9eIL+ z6sBm))Pb73Eeuh!H4V*Aw`xn?ileStu;LVzU3R6N!puUI|HWBQ2~U?mygNL}G8+_| z9aGOV;rhpl1)Ewoo6Q*ga9nj2e`q08xTN{yL*VI(=PIt;4xO_rQtJA5vL3jZSDaZf zdD@tX6!X|*uHd+d8MCArGd0WiId3!tFEkevs6u#Y<#C#>@9@9E(UZ0mz1n8pwz{q> zdXq314&O3o_&a6@-!IIVk3Xg}@29Rmyvj@zn7K{(B+0rlktBtXy*rmrhRA7AR$vim z+u_I{rye^*hJGR;1S3Fe5lg`+eK78>jn-PS4`k~mr{ED&fx4%y(q|CFImDixK-2*%SoLty2z z4`8tmNilvXg9!A8^nxm9vJh5XL~0<%r0MM$4WdOj$h7Dt9#X_aa;aZ@Ii)1HySz2y7@Tf63Yv_mTJ?ZIR82 zQ3hj3u1z;ZFK04%C}P|Q$?791|MfW0;8WWQj`QPR><~N}d3@}6QEtRMIaed$0R<}q zy%~|PFyey}PdbP~FX$4i`%peS^a06y$wY9!@Q<90eBe;)gZrn*uK%Tvj0X^DU0>%w zU?*h;kZe(|c_DCvngtq`(^d${e7G2e{Hqs_;Uv>ugyx3Pu%ZXh$v-ethUacpqLvm> zD?sTAT(43Z98B<g)l^_+xR7j4B#w(5N+XS=pZZ9p8#n13XEkXn*Wg0fqIK*`09jgiJ zkSrk-`-ihiZAwa40=V$MFyY0QhD_R5;8~q%l94v@(C7VVWqe#yj#VqN`7^osAEs z9=+LC#v%FWsD(@7UzI=#F-^=WL<=di;CiT8B^#$zfn8=Z-^1NYwD3NjG%K2iur!2e zQj??8KL`3LM>(82Jhpm~VhAMolx;nNGCa0`}k)mjxO77@5pLdHFIO2HL# zm0(On*=Y5`Pu5aByeY|MooXoc6okoc!4uW4sY7d^(XBM7v0DHB?*M&|A_`^rDq*|= z`BGdCd?u_rH{kYs`xMC|3o}L!1380;Kl=c+41Yk#UpfDrP<^1U3ZLto58Y0OZKT1F z7JX2QbM+?K5TEnY>b`o->cyNf#{FbR_;zOmZ?Df`2@J?IYcc=O?fnW7sbn3%>y{Ou 
zCU8^^CEz{1>bDAkm{jOlb!+eEsPH+I#2(r08$y+>r)T}xLr|IHr~5vRd&J-Mk6D^f zU4K6{XWQYLgTwbW9)^K04Dq=_pmRB4{t8O|+IO_Pg0*5@FF?QPW?5U0lvrCB@OICh z0xXZg`|N_iveEGV={@9mO4(BFepWE3_bGk9?Wx0a$k0gN@Io51rtbSb zU18tf(w^1U-1aQj(v5r}v<8TsK<9%NUHIy|FMdo3yW?o;qesk3r+;jfdD2N9`0>6D`dEkQyzhs(1Evwm z%y3`6VcA#PbsXvOV7Yq*2H3CemRT=*%5q(3t6#X&*GD;~R8n2!=o{`Yh`F48YJ4Pz?3goryf(j}Gwn3Kx(ObWs=UA4nyXF@oyT9o8whpcH*n{pi7GuZKnoOTHUwW;?`Ms-~HZjCAAGNO4v9j;q z3?c-4;%`AMFCfo%qz9BwmJHBqS|eZxAc{IUsLv0gmIJ0i>6&pje2NO>frvn$ml&k+ zN(ih8el4B)`|Vir3ebSW{CMke!_VPZaDph|dML*1X2$4G*Y>df^gXZS!NlqteOik>cv;&q)LIJ}D@quibH{5n}$Rki0 z@+WxOFjbL%wO)m?9hmDAScE5kSLm*y$y%G0nI(D&KAe7(z))ed{~FOG`z3qnh3wgA zDx~_o{-0T|c{t`g;aVBo=7mXAc`Pb;!u69NN5rs5Ap^M+1ytdxYirt-K8FY7eSw;l;+Xk9e;d;^h3&^B zQ-3&djo=@&=Y~0!<)(#ID;*R0D~Xb&GB@VgZM0dG@Hpa6RFP*w!^W5aHrrno_C_+QtRgE)0r+x{1i~UH2 zeUl-FbNrnt_s(^pDRlp!jPK{`r&Qp?752033$cMGW@rcWY87n@7)P za3&R8cjd}BRINuUY6rt~i1bLrbSN5lL(c2u z2bY?qWPJ6c_JOU$7$s6OR$JIVSt_W*mOtj&p(P9KC|OU&94P(>7u!47lz}0LBcB|0 zRP*GPHG(09#G_k#t+!xsOip*gJW7>?l>Xp#q*WTFUBwBn&kRd-7_hTI&T5dPN`@Dr z&-~tp(1abF8YS((GNYUZy+_L`h%ur`xp!C3&r%R=n4R&;geeZ&YBtoUlBmhW+G-ik zqUAAP?y#6RqFOH8op^n`@y2NMtz;u1&@zZ^B2fS(v&@tm{ck@PneiIJb|3safnIaL zS>^pC_g9(Ve+Iyb6!s4O3)+4p~q zrsAEi5eod^c%MN+lDbUCyl`H9t?*6wy}fetB^T;>thHy)<~n@K*yh@6u1S->VOR!0 zUr@Urak*>gi*LEqY#Xd9%W+))id!y^PR3y}Ye!87^Z-fCjm|acVUwND$Z3&oin9Yc% ztb1gT=J0)=BKRmVU)uUg9MkaC1Jqu$~cU znPAAsxOClSK9Rl1RChR)*-WeFWo}u2WbMfFl zpK82iyWi!GIuqpA52By#yYBnB50#SqL3tmBtixqWvv-ri>+>Xyzly*=LFX|pyi;F z4Uix%&kK*cFQ{rldb<_m7Rh(SKsZ@N=zFNAtzRd5Kkd3qXWO&*KE6AxEzt9rHL|^Z znwR5uoJ&inbIxj9cIWy2Ydcp?v-RRV$QJAZM%>O*^ijn)NO@`HxnCNwyB@yhp~2Y} z`&s@~vUb<|=sjqnds{c=CTClv)gx;g@PDiJ1?9L$=*#fiU;zpTX<%2fzs@a!gu-pn zXzOWyHN48737m+(%O6gBskLAd)+p*v4D!h_rdUpXWP6RcQ{1=Mi{0R-waH-fyu z>q3je>HOxN9t@4=nPQI)KTU@Z<3+Fv68&2$L>vo$SR({qq0lwPgnSo$%TF3dgNv2r zSZCbM^ptJ-)whWIJC)!LU3D?^bA^UcSX~UxvIE8Qq>-?`v?6ddt!<&)1XxE@i~VC1 z+Rrq#24T}ks|v~t!AjINir|Di#x>4gA}R5ih{L+#Uic)?Ao%cY5X8@HZVA 
zpfh8?3@cdNKh^FUen`$$%17yl9>l3(G!!xa3%K2I(4c3Bn`-yZ)nu7HBN4XlCVwb( z+5R13gK&aG-ExvyHTE57(7COM_I?E&>mo=)F7I9a&J};DjMxJRO=E0}@ zwD?2A)gO*zX&gC&4bs_WT*7RF3W+-!T%0`Y=OD!*oV9}}hliKwpxel=01VaxWvCv_ zVP*%3kUt3|5{l$mu=|&d8B-ok#Yu=>R^)utiu^-?Wmk=IkeVxUO?lKxrl{mnq8k&E ziJ}M{;JwEbxf)LSk$MyA6mojifjPyWNL^H&(MkX;J=%aD7dE{tKmB&%A;`q$a0J@T+TEH=>A)rc0&Z*WnW zj&@IF1s7JLoZodW&H`)*?nw4dxA9COp8J&P>E~F}&k@5H!%!rkoBM*f7hOxNwN-T5 zaf4#(0lidgS63Pxf%D}ch^u6{q&bRV$h zEX)+sazN3`y#kOnts4?huux;lws6OVVN21AVsU1U{1mA_*&%ZpScbmB(Im#F*J~jf z;jL;$o(eSFeTxqjIM3a|&G$I>5%Y{AYu+(vSrvc%YGD3ePo|1zX6h*@Q@0W_EQZ-D zTqX+xlq=L)6{RSZN`WtJFK(L;eay$fYjL(Io1d+y>?TlfqkX^MY)B zC>?3Ob10Y=WUCk&bV?A%NDmYxm7pCUSb8jG>9NVv>K|mbI3DzCz)=IYvWZIjyZP-x ztvf_mRqfiCdo3!G0$p`TC?RrPgN7p$R+;fTLLJ6HP?&P*iUn9Y>&jcp0O0LHulJ%_Z!eAV&JZIl%LY=m3_A`TtYY{ur7-EYr{O_oI}^| z9amo!=~WR*=XA$<>FtuIC#FTqGR-uaKgiWS`+X@Q$iC+F@z4)&UlC+I3$Y!wt#v!w zAh&7aa+hGO^HKsu*`twp-+;E29YJv01k^gW4EafS(OI*t-}9EM>-Mo_yu48aa@|C7 zqf2=fxI~h_aFhZ72Vy{*FddcLn{P1gydImbEmsoPp0_n>msPF@n;SI*E-l^aOuHl5 zD~`C$F4K}Kw8TBlXRiXD2U`&UmznU4?vDHU+ps9<=o9awpyg@T+X{AV;IC{?iZC9qf>YX3nB>m|!@V@lN?eRRy+U~lyeyO?gy&Vd0 z^Sd5W{vW2!DY(*T>)IWwlXS;s$F^ex1S(y`UCZQJVD+_7yt*?&&eSLggU^KRX| zwd$QU$9m=%fMz1k9bEHj*SB}uchBLTTzNYT44-Rur(!_h-Ehj456tH(jrApWr&(48 z(8s%h1Ut>gZEvD`G;4*z)p+&w?n?>yV(LBg3ofd2V9s< z-)kgfevf+|m`$!t*Ro-aogif^T#c!f(Y4 zq_BU&!x+p+n2FZ2^ICOFq&y?6-HCeOO-+D?MjMp9PVz!S#md`W%EEh$j7Gs&7wji_ zDtJdlvc$Qk!9?F3Cjb2mz${l87mR$-=ce^X+J$p4{k1sOrR=}=T>8V!STL`lsXPUr zMrnO)+<}ng7C(P|2S&tntdC99x<4(3G*~o!yNPK2LIi9I@MWN9#akZ;mgT_9t^2c89#dk&oBArVv9(B${+6QeWrabM!cXI9o8ty(*-=T=)MED;S@hSY51VyMPAPe~0VXriVAPr^|z1EDcc(Ed6onGDoQ<)R_%_}#J$$-fu8b`VbG9}$G z-ll>$HPH26K`A$z6(gg-w{+tc?Q-mE#+_944*!OS>_lrMF-huNLn4L!{=bXL3EN@5 zlBl)GBFV1fVxIrXQi^djz=P%{I$4RT)(feBiWAtEte~)+CRp$Tk zOZ&q)j}H$SB>Zy`!+D1iL&B0s+I&>K{{bX zGQoAKw_O1$L8DPA>7KllU>Ku_PO40#z_<|NSZ!ik7Tsf5uK}$5_L0L(9F}|NpVEPL zW$PFXW_jR0JwgJyN)gB8zEu@6b{<{J>1MF=>idT>MWaVvWCCqjtu4~(b*h$T%5l|- zmyqGWswKS&G7at3Ut{z!~Z;PNR#6|NdIHZ=$8pL 
z1WtPz{gGy44c<%22copuwL$Fv>=;vb_;~?m+QLErPYkZS{d-}jn94MYRnIYuWVg}4 z)&XpxzdT7>5tCfpF$hTlcB;aEm&i!QD5AO`d5HI(DuKtm&H^LS?7yYE_JTzc^iuL4 z*G+*}sPA9+QIZI{nrQP`e=ASMI&c~Ecp#jl53kM*BcEQ zS6F)aI^A(khz2d-^S-8^^HMQP1u4deLf-OGlIy&XhMeQK)kX86wd#1{>bCwqcdCD; zU&;RzTC&vY(|Tu%oO69D@@9vk>v)wjQW48}`B+nhx!F9~tiP>WKUgF0m+v@bYrSZ& zau$5Y&}nlEq*Gr$2no1uu+`VS+}ZfE)eTs41txBZ06>{6sm{|k27o!wTl4A7=d2_5 zc74z8zuL|_?!dpv<(chnNB2C-6o9jPcE6$SbI%hSr?!S}uR<5P+UX(tt-CpE2K}_} z>;lw1A8s|qX9Tz7HIE8BiM&t!TrJbySCi2s+aI_Z1qxi5IoEH5tp^zj7H|6PLxfsq zmwunQ-cz|56!_im)Qh+w?lqo|A6?E9616~3=^fxyS|A%RJZsP~-bKS%<@JzOLf5ce zH`>XQ%-!s#xT{k2mW807LNidwWr3FZ=fPbc`(XCB$?3ejMcsd)x@hk>5vPU|5kbi066Vy?g2~Zpm`jcTL($UVHyQck4V~2yNlMd%r)MKVsLs zEc8UU;{RNHi*5BJeJ@LNEAN`nf6l6DOm2I4yNa&%MEIQ7uuCr-TLJ~%fUpZe@6I5h z&zpCSR6(;35Q`;f0f2!{8T)A-a4TeRkkEb2bkyV8ooc;Ik|ANXWXEE_Po08qVYZ>3 zXkmWSF85{uax~f&v0idJG!}^4d?S2pdY%gaJgj1V;dC|nZ@V%u7<%4yw0%xov2^W! z)2!{KSX-Z0D~i&{%1vQKD$0XdK#CO8=;ojH*6Y{IVH3>XNjFbncs6Z zSWLbuk=_D;m^F@7Sd7zl`ALszpd@c)sV6@mG4RPrLG1U>CkDbdOxr9n-zA=gd0!rO+j+(JC^hJVk* zH3@$1Q}J5b)J}KaA=g5|B*q@O;wQpsh`92>-^!wXrUjfS+MW^!58aVsxrEag+xp)H zivcN8(YU!M7M|-WD^xSMP>EJ-smYv;qBA1IQbZ(23OKC5YUnJC2~}FQBXPbi9Y!&h zja!vmW}{V`Rf6B7t`iWHf0@r4wM7OhG=c7{)YPj*ARq0dvt#Ej6Q1vnFjYE0N^Xh|7BCY7J=uhCG*-W?^PMJXe|K zi4SD<*g8zGc^vMg^U!k!>X_b#h#4LyQWG*UM0X zTbJCl7ccetsGYm=*veWQ*=A>9i+=oORJ|kPfR;`VUWJd?F(zTS%eK&{^vQpciKgYd zE%1kx==|wUovyF&H{#fO_ir^?moj@8lXSKTb}o{XDZ)Qa0ptw*zvPqP(DRA3OH>ik zh6{*{RbWq0zXp;kn`>OqTP@XjE6H0do5BnEu&!?$+cC>uYE@&%v&$9G;SXd z=<3#|7clFPdL?CRM_lJ_@;kGUbM7!K0#o5|UUo@-DbGz!TrpW6A|&s$y9N?`Q-{OV z3VDrHxd2>o9HLpDFI}kmQI@b!wa$xk>A zhk%!zG1LT&V9v9cxlTk;#fm2Vaw=Jzxa5D<64i|`?E5oJht-UmoM}lc9;?Nn7`@ij zcV<5#LP14(Z7iUx9wjUrc2bt?dIW{0JG3c_KCK3oR37}Eo^r>g*p8A>X1lFj8wrJ@ zM9?fr0aaPR5=zUFM6I=S{x`HMX9|0TcT^3ol7iwwMCjNj5f4;vw(=;?ZEpfL6x~@cN|p*4 zexozGXr|R~=kyAxChEbNwipeBVpB@OC|=?_Dx+uGy9ws$|CN-QpTC}iCqMyaPayup z$DQ{a3jL|9&zB>RA|%)jTJX<*0+S%(KEMcwSOD~%lLmwop$t=ke6*hewRv4fcC~!9 zm<{@N0pIJnr$T_X-*HS8a_8&6exSjcT`(%k)<=WydCWkSfsXmW+(kEJ;Pc~Oj 
zs`H+8?Bcoa8^Grg{It9xv<9?a*rYzIlA)b3$@AV#x`cYg?^JL>&v`sY)7`Q~H#zV~ zmaSvAa^(Ix4t5kU%=gy2INrt2|CO0BF@W5CP>g@2^|7SW-E)R|9`e+H?|Jt6IDGN4 zeRJp6q~|)#@+fe$--X=usaySgy)-ZI`B|?h;&X#M4wF2t4>>!NmdVRK3>mH5eTz!BqXuEcG5SnD6&uk=SU_yIufTBGAUG}tZ zpWDiup zwZ$BdBd|W zn?~PfXB@!))+j)wGl`%eurqY;HhD1F0(d=q!YuYSpZ27CGO@x=9GTY9@ja;@og7JA zFjjgf9jKocT`6kivmYa5;*Z!gf;xY=`#K|o`E<#1*hE<4{J67A_7(Z&JdOYPd<%D{ z@p+diG5zvu4`hD>x|;&M#DR#mZQemPt33%I2-6uOkW30F5Pdw7KW?omGmR}4?U6ry3BW=E>zh6{{MK)j zGgww0d83xzT&RSgz>O|xpY)uqZMC}C=TX_O*NKH}J+CO6=tj3iRgb?4U2IBiAJI4` zh3n8{(yC>`TaDFzWzO3mRXE}}wzOt66Qtc}1o`#?#hWEoq6QZtz3L3uw0V`P)S zRtAI&;cqx?sD&1Il%K$h6-H9w6}-MU)&HKZVuB%|$b;hV7{C8awxE2gsq z#|ooE@If6vN`3r$trb7GW7cd4R4a@=JgcjC>!N2pt@seiWJavDDi$dX4(1E7wnF!W zJ?2Yy=8M2XUsk5y!aE#I&h@B;I@M#U6sd~GMI0CA3i#`iNZ4#5C976uv^479evo&8 z^TRtx#}fG^ZpxJlDYQ+<_15zJ$o>Iv-GfjgMQm_n{$cL;iF|u74${gmI|MyXCj_l9 zvUjFquojoaApA0(hkVdvtgno-IXLyDJ#UCl4E>-aW6{@2gfTW!Jo)?X z2bP~jbXA_Y4nv|v9b%bdir&C>k$jCYxiSekp;pgjYW0_vLG9!@KJ8SY!jLZ0%min0 zY1pnfb)WfirV>mAj^VcX0Ffm`SY7P~uf}Al$RS6dI8w+;;D{KgSZoI!ujA-X`4F>yl1j3k zeKK#NqFOwIX5Ts{3MX?gQEDZ~&q0~0<`y609`@ZLRgcriJ1b%$WghR33LW;orUCIV z%e*vnv+wdlYUV$oTmez7^qLYHHbh{qddoius04i0cd#RhTT1gbk&KI!zL-BEsEp!< z0*NS^sYBk%nD_YH*Mb!I58@#<0~>-TOxpO{(sZGha>dL#HcDkA#m$mJ=4*>SLV=QK zf25nR?2#ekCXdNfT7FKbTgdmD&HI>rm@fhTuN(=K|NM17cu(lz2D)mnAiT}FJJNMs zS)bkjNXGs9fkr{JkNS*!kNhd(3-%5J&g7(IhWmN-m@}`Dccf|1c5oqsto73JM&Lk~ zBJE~d$PizBwFTUIry#WHdW6C~U*|i!Ana)e8eA^lO^lviW!^lxp8vesHGO@sr5D&q zf0rl7uW@1ol^D(+_9=c(<#&ew(AG_=E~wZdk2A({dEDMo$qxr2bu=vKB0UIr)`d2oy5|L zYsy`B*RYiW?b8B5Y^Ee_0O&8l+Y+*ZKpp6{ZRc!dlD^e6qwNX+@p0&cKreh*dEv^U z#Q#`ld=xa72gp=}sd*2*7|7Bgb~)@PtW0Y&Uo)`rJH>D>1zs6fs%E>N(!KG4#(j}_ zTKE7PP_ZBV&$E49N!&Dg*Q+@oG@F|S9wfg*348jE@+@ud7DPh8UT3z?*! 
zu7Gbz^r)*v?}aheX`07t!*v%#?33lh#@o)^w(lpUA?B@4gaKC>2cOdO`hsQ8|@ ze+hg2vReN<`cm4VK;h4wDUm%k4}i>8P4zyKGlfW7s+XY8M4v*?$a~5pKr!5v$g;eD zkcvZ37$lWE0ucYM@*rWwk9(-oBs`a{DvZgfORSm>u|iy|!jafG7BR(5LjUBVKUiU= zLNOpoBBEu4llEGxK|B`DNhJ$oS`Ex8tRU;fT{ZMuA53fZM}~m{vo=X^%o$4GfD?WJ zQz&(Cg~v>SqdiQoLeYU4S2X3mKQ&%Dr*6Xd&6HqSC_@T^0sjmA;Wm}tgkmzDl3Xi> z16nKIK7bVhdST|mMN!}0WtjjTYS1kAY$*tG6`DkY8lP@27PVTSs8NaP{8320zF0Yt zc3E`oV$Y&X6Ha#J0&~TRPtU@2Kb2s`GslFFDD+fa`i#oCzs5|llpllDA;`$evCauGBUt4S@-h@jz&3Uj&noR$US z1ThYorQcS6#X306%AT&O zK&Ym=CXDG-poV1tzuVO{!kK^!`y%aQj!Agx#x{*Be09vK5hB)Y730FORF=eEbG&T) zAFhj_qA^*lGOadfWFFBf^^jS9!yu`i>C#`D;V>t#C#lo|sm%dKiv3XI@WP9V+^Dn6 zZ~TNpvH>tf!U{4)?YyR*#9NfxD@IEqSxgd0b*fkjNw1tN(Og7ws<>1BPOe-|JG{Fl z6%SNVXuVRSP~Iq`)&Z2ipbA73iqjEq_12`xh3C=A+rgn2?ZJ4r|N7f1E<)_ z;3bogq}Z*59%^9|+my7j(w?#8<5b0x4*6lG6@mKLW_Nr8MDT(?UB#n2i((c)z%N~a zUg3D}4CKOW)(?abwMi5xXAbvk~6KhMw zs?$!A#VlK`)c&Ub$SO~qYRYX)zl>4g+S*10A0EINKcf_$YNVBcV6&V<7>ZaP zmN1O(2cN(xQbhTFs*7!F-DN{!Ha|cD9+`insh>oS6EACdkw!U<9--;^omB@>9SNrB zzVSr4n=V9cVjO0#UHb$LA>nFAsD(c_9M`6g10-pgjwC)?g z7W)f#(0FiCb?bH4Xp6Ff!6kp|K)5sDF52DR?{;W?jse~& zdBv*;;d0frrzmDZEgP_>W(T-8A$z#6|2PgZw&U`Xcbbv!@fF?wblRuWD4+-%vBq4# z`Q)e;_(;*A^%d$j`aYx}}>XDP8d zr?^ARS2h4Mb%l+aiU)QB`;-F>-Pgt8X@k6;vJm|7Zj734`NIg@7)d|C<}2`=Rr_wo z{(bvq-2G$FN}&e8p5u3&P}Jge)Yml|7^Cl8RAQmuOt%5n7}Yjr73kyE#0 zYF^U@%v@y98o9h*LPst=vIA{)?d=`)ye{pNYd>#TKM{P6l;h4Z_Jl?R6rFVr}QEVs342o0KU)W31!5YwAy2?tgcldFv2q@)M_iB-1C z)l)TWR!Au?vNRA#$ek&hd{>THVcf8hPr6-El89Rqeu9)>iqhy77puP0eN;-6MDM3XDp_H18 zC>5R0PsiPt{+c7n(KZoQ@e2>eic<;5PmI|48f0A+zhlLu;o#<-R%`<4jg-x=0vVAD+nM%|v}qEOVLu7DV|N<`8N@SlEq6 zemQuRkE=fHz`7@Nvo)MjfE^+Y3e-YIOWUCa$EqNCI2wA(C`}hS?XmfD^$@b!$TC>o&^?R)8K4U^*==|htWentvu^yS06)?bJOrmRXqdzv(u2S$Xnl7KiiKY5bEm$azOi5e|nN7r5mNF}Q zgaC1pSM-=guPG_5Q1)*=vA{<*Pt&W(ePc-p}af`XWXz;^d=f)et zo~sOL*ag|&tzMieonrPVxpGvY?Ul$z{#30Rl$3QetUbJgtIz?ddoZqx8GIOZeB zjP_U&8|aK_xuwUZnZt?vFKFW|UoG0@IYMpd)E=D)_{mSi^)IzhBTrDB#3O@iIq4^Aet@oRcxAVib&DB7**g!!OrG__5_f#xmudYjv%R}) 
zo8%hrtCb>l)z}T&9VhFHyVb4=eBF+|?$@fPXoD*4w`9hv#uMPMfPrOn&5{Q1>GDO& z%ZIl_SKA%-%kwTGrj5^X^qY;3S!<5(J~1wS+q-g0=ib)i;(g7PrUx*S$ISrb<`7)t zCSZ}`4sdQV?KWtA%tx2^OU`;a>aX8gqiq;8E&1GDT9oIssgil(1s!L_v|Z+*{(%}+ zMBa29-ay#O*6Pvg-e!C1>Huz zD;ix)l8Idr2R)sWJ2gEm=Pg$qJNH$Gc3PTNDFYx@ zdyg%y9`7QLC0rViAN?oL{KWwOZNY7Fp_ov&+xhZU1j$YQ^FpVB&KC_ZYp<{UqpSYB zp_dG(+ct+#F?QD@ZqxH4C8p`r{`#`gB>8%Mt^rmQqIN>pHw0j;s%M%;h7mh)$qqbpA?Fy z_TwEbys*YL4pXVwjYCMQ|8Xf6WU59#IrP~EW;(?#DHF01JSxBwfH|)-|qtVKST<~`w@$G;7kX_#^ET6w` zSKt2YjnBty%PG3u8Y$+`_3eqK$|mb(0gR7M+>3r9sY|N=+au&9CU-Rw>K>TzcEtFB zEZG_BLzKX|B{3UD1@y>Mk*bh`R7Z4C#Oq82_CS8>fD4+-Hv{!a`ya0k!PN|uru3xv_ z$?QQ0q;nSJFSQyI+dk(jP4t|#KQfE0T;?XPt4dj_;|An|vE@LRUqRQ8?5-S9Ieh;% zalz3n7<0QQWe5`Jv=Zpn5^RgHJ-F;5}UP zm>C@!Qs1IMlkTDnT7_UAtg4X6qKMkgeyKqSzfRUW3c<(}oIJpiEM!OwW*M zA!a~g3(aKll-H84T@(%*2Mbwijo(?tt|L0KX_nEj!K=gPwP~~p;~Cv+peu@g;LhHs z4jK8^WwJrrrxt0?I+yN0jJ7i8C^I;8pwy|$Scz6$Ke*JD9UYtJoiAtxGR#fd~jKlxSNeOq~ZgJK1y5LZ&nLB6{1b>t*(($63l;zbgsx}|UhXvMA+q+X`!GeMp` z!wqxnhS)p8}Gqhzt=IPuh8y}BXmD`)UUNF~2{tQ%5$_L#eO zi7QrEks3T~Fu^T0MXg=bO6Ae#Vk{4Nv|R}gG@eK4G^;4j55jAl|3QP~OmdncW=zA1 zLF1riAw{v)+@suAW*vldZ6!o(OD_~m5EsKHj(iMJm1o2UmL{`ct%-#vu^)Sy+j z5)IX(>2OZF@;>-kVbC@8IgI#$tB*Xra&a)AzWP4zbQk>kan>ZDwHNd-5$V@8DV77K zlYN6~HjP`%G+k2D=4o>e{5bpk*s^&)hij?nF1gup1Na zd9OQuZCY*k=^o+T-QRkp;DI)oo^l$`Z{D~cAeu|*04sSKbZ-^LRyr4Lv+3UXOSjHS z_wXm91u^L#I8Eo310Uu?5|4h|fHOKmzlXz*Y{IUVC3~79Lgx9{jgBcVYRIk6DWsgu z4m;B$nHGU-4(m&o#c_M0M}=6AkJXYVU2qVWO=Fx+C~u?hu-Ls&%yxN8RTo0{L8Eg{ zUUrr}p4Zt!+Uvu(zXs@o{IyDtzH7mzYb59Mk&UqH^*yrpF$e!f*B5agwU!U?G?_v$ z+3u0k#^XBG&HFM17AxSvT%Pl~v$|HbliBJ}fS_;5?=xIKoiWVIdbfver+JZp%HDM{ z@o?Go)cY~rv!BosxAnfejG4VGTNbmaXFp8;HpBeZ@4WR9*oF=oV>O%>;a@M!>Fm69 zxxNW}s`l6#Slzx1wDat!KM%Z~$DHgs(uh5#nE;&39W;A;(}{Ab_<&yZrZx}Do;Ex8 z+PNh7KZioiD{Ci@IdORKkE?pl|1^ExetY#g4JWnzs2t!}^=_Jrd2L57Lf&+qU$Q4? 
z1yn2pu|YY*psQuT@9){SIaj40JfHIg+$PT=JfITn@KN4hn1g~5%Fn=i!sGFeBN$B( zY7t{wsYs$VlYajzp~dJaU{#$e-aOI7^gN2OST?!?T(AfwFNcja9m9u72j^cPv~;o5 zMzxz>W#F|-glza89u^l_*L*U?Q(WSyk5ol4m&B4VdhY1%zEIRloC$mzI37Z$B;vi{ z;uBOy1^h>l1@P7)6z33K!)7*bFW#g7@}9GD;mGt%OH@GM9ljXo)8B=i#{gsiSg zMJ%G8$C8arF~}nut?FlBi!{Hw6gfB#uF>A?uK{UiFhou`3dsy|vqIdx!eMfjV*SwD z0r8TtJ55E$NhWJ?oQoSxs94kQ?VHFIzoCB_lNMJvJ3*H^9jFHd4a!R&?vd2Ej2TMy zw&CG7S78~QS~c?v4`T;zzm}3v96)RQ`3)wVH|t>2@*SPh=PLmCRZwNfhly~yZ9r6R z0Bte?g&FxwJ50CkKrk~ge1DY1DBj3_~rJ#h2s3AzE)crAFXr|I* z8tmUcOczNbC}xR|SoMXXcM^dkamxJd7J5H3PxFd(HS0Gp6|YB8KTMoU+1^(n7IQ3` zrA?hUe)<5361$KtYsx*MC}ZxFM}#26lh5g?SrHGGD2dtbm2d9tLJm#kZGCfxc`+_6V~48O_y+NIv;oR13a^RS1zHZsh?5wAB|9Gq@ESwmC$P1>8#ZtcZL%nqFOx;1RnYpL0r;i&YbQyrZD zPJ?IC2wh8-8xk1}U;7o<7mKk(ws6;`2Y)R8R*ZliWc24Ei#xFq6N4NXOv2kY|Iry= zg&;UZBN(PH*?yzil@)DG=cbwWk@sDWTnhCO=9V*{ovT~|ol;4)mp=03VtM3|X_8?f zuN8SaBA_|)$2k3C4kK((&23I=_cGv?M1(bQboyi1==BSeFXVs9Vfel^ZEqa0Q^dQv zD9p*VU9Z%Rzv5%~yGR_$pYX0q+TUFg8~<%nQt|fteDI9Pnrl$hAEDmTOOi=Cok!OtROH*c=hMFR?g^?tN>mL#SK?gX~gOU>|U|InvSOk%RxZO z4MmSzede%3ZO};BD8+=ZisCn9G6zbcj4l)=4BI(>ZPQv-l=DoXToDV41Nh41C{ZnF z)bzPXaP}IYglUIvTpcaS`71z2A=4<6YAEf0#VQh4YG+FUL|nWC>W+RC19@J*O89;9 zT@%8W7=90^t5E_4f)YVQTM(c=qVJ@NQTd?xx1J5gyWP!qPYxUnKc}a>C23#};d+D7 z^FjtDZ|4L-g^kl{bf|%&PVLLpYYlJxaPs>V@^^OQ=@2B|-&?nC2q`NcCu|0~mQPIz z?KUn4)2p)euB&q!k^IRF{FlWL>P!q;?t!14v4lI-PNHs`a94Dkw*f2n+8tM)!@+MK zWgWL^ErS}oc4-__tA2@Z?w@yM?tb+zA5TIsSqI!Hoqn4NQ;JBM?$=9qJT;$aXzX&FXv{uV{S+!0hnoF?OORJ!AN&ZWCL znZTw~7ZYiTy%r$r;kS1~(bfT=W6wO+9x(lmxRR)_F`p$>_5SPz@VY%wZuxvuxYkp* zvE|s}_1kO6_IY%C+pl2g+B-njUpv|0SlT$9+@r^v&j3I#=yQs3o?cYQP-J%OqONbU z*mKKig5pm!Rup(wJwDDe^t-*?K*%u09I@(YG09irQ*Q_B_=GDr{`Ymrm#?lvprad5 zM>Qy*$Kw+jTy79#U+~q2S;#FQKXzVXP1uM>QItkcMGfWw+aUM%61ee5B(fHAKyu|L zj6MknF3pQctum4z*;X1p%`W8>Hg4qE2&x`okk+2d5h!>ni87h$)l|lM9p(;2S(CvV zQRYHumqb>>*DQlQs;DA<4Bf^FV=}5VMw5ICJ=$JyE{L)C3#TULpfKcMY!V~tFI!`I z#UB`;E;*sIH+IQV|L%is+E8R31DI=I2{eAQlsjYfPvP)isg3o-%O#QZ8nq{faW|GN 
z`tW3>Lm|H-EoVFz?CxsQZ>iO_&%iSu%Or^d^po3l%rtdb(Q+y-yXPSW}R@s#11 z$2u?63P{x}tG6juoGw$EBKCW*h(S^3)-lKb$Wr1MY|cY7fIaIzhY_c(L@uzZ3cV47 zzxfJAj&qdQQ7!^Em{@cGtA_OBOL^!JJi=WBF;f1>Pg9>Sk$_*C%>t7$b!_7#psr8e z9o9yDT*n#=I*uc;=%Nc1S)r=SR8xuY>sF2!Vnw_c*Po$@#Y$$cC!yLuU{p3ntgsZu z|E0nzwNPgr_-A_;norVQ8EwPCJ6xKTBr7vU9haUlik2Bn3L9@MPhE=IEkVpvQ##eS zhQ!EbmbO(>4z1s>Scu{dTiMN(o)4)#a~?OP%cS^QA+~jDokfEh-OmdWVHfx+H*|OF zhk$anJG#=CBWY6Q-iqCs3Ue$J`7(Cm{X(-gMfP@E7$RN@Y;8{nYRwn%rAzm>I;^6B z2P|znZNw#w#m3R)mk478f`%9?caaFC{MG=PMneicq?vtv@?B}FfEwkX&8R<>3!l&r z0;9Y6uY?zb{b!{M1i)^R&QAs%m-oEa=>*yTEL-X4Gmmpqnkg3e(@cJ!@mIbivTTy9 z#XK5k8$iEi-}{4;9yb9=y~?ReGJc}okvd}ifEJJ9Sss~AN6O$aW zM;tprYX>($AM@ES51~vlzz&K0BX)5e^76@|>IbL3{^E6AB5=rTd4^k#X!azafHR?C zrgex#s}@!RaU-yeTR(44Sm7&8VBC|E-gyqoOjLOngB1|*NjA* z9QtuoSIH#x7ABg9&bol7TY^Tc$ege9CySYEq;TO7kL}Q4I%O3>y>whZ&uZYe+}%qtW(?(X&iPlcHuIE>oTo0 z?lKW>OBL}<<|2-GCA;=D2!`+swM zs48>lctwqkLZ~jD3Crp`wEnw^G#qB(^mA4f(h%w$btIf{n0lLyx=jcX@IryYVCIWP zUBk|_OpilMbV>mtC@80akiGEOlM2FvrKe3B;1^-6TzHz;iX+#)RJ5M;8lxN`d*Z}; z_zQ0_cBluESMa7dXU|$4I50+o-I-X@ZvUY4WlVTZgvv#o3Y1V>9&l7x_((HE!1V&t zH|!N#xPrx0G+F;!?g#9CiTMb8n4i9f+86ou0qDUo@H(d4uLQ8TJjEq(24?^l0{;ZQ z3_N|W3Dfh*75M&ql$-$w#u1UcY**7U4>-oU6Tg1t<0DxyJSM=Cr%C7A9q#?{(44sl zjP;gb3<&dU(Ze|wgQSh4k`0#!?k8WA>KhMU&&}dzC|naHce~JA!l|yC_Vojxe2?K0 z70vC@h2P@*mqBaaus}QLM&b%!TY!ywdDp9=(etqRhb3p|aI2fE;o98YKu^GK66R81 zkeAXEq@(GaLNOVLv{LtZ+#W6Rd4E{%?#s;n-m&R>7I9>+f46kBl;P|9A?Z=30&sP( zdz5?9O>eat+6m`4+^~qr)_mF-o=%_5biDekSzlW*Xm`jkxV*jL-t?YNX*2oEx^;L{ znC3av=;(Pprk=6AQ3*Uc)97sL4|%HE`-e&2`sRPafOmbT^(8|4`E7a^kzEt|yzn7; zS`7WvI8rc+<-MK0NwVuKaD2sHNYeP&)xWNhA#BYw zu^YE#;Z*MVvrg~heD<_8Vuf(EvD0TBo9!)r+cHhyeXUcMvBRU$@q~S)Wf|R2VsPVa zi+<8_l`lc)`oL_i>wEDhQf2MjXM|E>mvm9aw2_KKoje8Yq+I7p7uNcE7&orhb{u%;?JWKZeq=JxPCW$>>sD8pK)&45A)bVg{MhgR_hRNl{psCt`h0% zY@{jslmmvhOf=xismWOG4OvD@%^}qY*0vSJK(Fp1iAup(>T;PvwDz;1S1AE2TxH|s zexqn14fZjwB{NQcRceoV9d(3{2+n&+`%*X5G~v{fLtWu=H)_wQNFfux;-OpY3ft%6 zt>MX9~i!8QwYRfzrdvyeop0>_9E*2667Q&EEL|JCU 
z>0X}TBRj*eQUB6$8=^*h^Gb)LHtHjLPz5YwWBwLULD`9y|1~hgdG%vOh)V;B88Qku zF8p_dZA@}IAy5=M5}M9W@Qw@;YEOl@5hCq8?fW%| zR-MskuhuwN8P2 zJ!ej}|Ik?d{~dwjzD8jA9F#OhOJHI4w>XDpRfc*^QWU!WVxt19HVs<4;dp-j2~lq*aSu5IKf40N>CvxKlYmH%h_j`<>4Qx z{hTa>xgzbgCQFk@e{pOQH~z{CXw5bgC(gw&ocLa{a!*SJm3p``dVB z5KrN*Q;?ijNuo3=rrKmFQ2&WqFD_%=q#LI6D=+fZA#W@r} ze3hEqakiH*DH*fh1o;?UArrpF*dkh((5vQpIXHIhJ!L@#HZ4M9V!KpK5787^#@DRE zuLrMk(BbF%whhR`vNZ@6^XF8?D_8-##hI}}Bmiki+RlatX+g9k7fB=KH~h+lQv_>f z3rgZ6OY$>m9g1?esqWN7-yd<J9}9T#ii+ z-TeDz7lpAjH^I_D=|#WEKYb}}Or&gNt*)Dtp+^Xe_dlJ}sFJx8D^r)nNy;8B>->gx z^HeI~HLDGr{iJ=2v}H;YfMjtke+`tYHkjnt-}t_oGB_hxwjxP2+~qOS)K#c4VZ+Y^ zG0Ehm>^zPtoFf!gORS5<(y4=kp3?;`&yBR_|Sh* zFYv~;^h#0KXr|2g2~%!elOXHsw5X?Q0WF238g>FvilRzK#?N9NW%@2-^|#dv#g z7}Z+0ZWE>RC3DMc0alJ&Ui3HMXMkG=nL7^WRoo+53TKYTdXAI$vpx3J_FJs-f4p2) zdvbf;`^iUp?4Iq(qY&W<2+c>I+S}Q)* zwVag)7<`_9QCH(n2T+qxPP*$h@{64PhULCvj`qtEK8|&AXI=ZY#&h84RHy#I-OYdr zANOg;3H!G3vE#tbiq1tjR_+H(kLA1NDvw#9+@r?h6C!Tw-La<~Jx|G$oA+0Ar~STZ z)wI^>@`jJoU{$Y_AopqB8QHs*f^@||F3oDgU_EJ2M$jg^8BsL-@m)W(o^^AYb%UO^gKxRM@7 zP&P)jH9Jh8VDKnqE4wwJpfCv99giU#&39|&#*O@|S5b6+R~8H2oVCh^8};iuk4!|d zfVOP~@L!*QUS0e^9w9#Uzas-PV@ydirg#*ESn<(7NhNuE6o(LJ!o4UgzMXM#l~f{6 z9{iFK(F{5Aud!AWBl9L~s_38DhtqXC04LPn9+BX4#<|N zLw;5rzKG|EDZ0c#1i$4iSes0+cBlDA66z|&Ic%c^=#ohvA=|SSxf9+^Kl!5g)dZdE z_o_rM|M9O?;KGY^9QlSQ!+98Tg{@kg*q}jgW>Ud2b70c@LYaBQ zN#FnRU=c_6RNbyfLPkxC$Nn*lf--2&xus8}WlH^;!IAX-n}7%qQO04z7Y|pgAT%}X zSwA-pHtxizdg@w%`(5QjRM0e|s5Gbx)>WbzPVGDIb_Jo3pxnIxLchz^KYeNY zc&e7}Cu150nEWSCLH$42H^g^TwdV%ii%1q=(Jr)u5UkNOOKTj`EB#N03n#a_vggR! 
zvNi)*;HYsW`Yw0Esy{Q}c?w0clmHp3kxQWm2HJu;t*p`$JmM~44&;^WTJS8fA^B_H zzUsxo?f!&I6f`%en$sXO#-ogle`(JPh9Jgax0m8iVjrIsIi}uI20|nw^lZRGa(%j4 zmNCI8u{xOwOgF?$#F?;&k$!1mJl~msP7_X1c?|{HUw_Qxa#obMkL{bJ+WY%CJG&#H7#Q+jLRWb!+s8q}5sBtXO$^H_G530-f_m~l}L zFEgh4mIWU+ws%=@ey&NmRiat7T~@j51VtH?CFpXii&4#fE6P4dsV+%gsS1TtvYC~HQgmi9;a7TM{x2-|{1cCO^Laz$Y5sh+ZlZsiHJHoseZK~V z=E+A0!X$lQf8~L{&U|0K&V0wl7o`i4Li9lfAWrv{uHKUE+Z3Iv8uAn9O1_Sn%YH0w z%;d=AsVAvv-nTA(lNc{YVEe`BzrD?kXE(1k&z*M0o`c)8Nm<3b{Wk(@?uQpz8{T3j zAje7ihL6Lw5;Wd|Tjl&VDEMdrn!s)5^_;*Zi+dYTOK$agJVSk*Z>q*iwt2C@d-J;C zXv^!E4}2K4;X4PonzBB1JD>FOqiF*t-_WUR(%!~&y%TZdB=vSWCwvZ&-bcK1xNobc z#xb&%zxpA$Z8}_cWKQnZ2ZUBCwC`@$O8sNKTlSjdo<8gWZ-dO8xwo1Z<9ay9OpROkPpxMK zQP<}k0XW#ZygmuCI3CWn>vZ(LZHLEt1Vrk(3rm=}g954y=Pq6;dgUAOI7xR`#7(!kstFR>1x>9 z-HuRaH##YQoHdH+x*GXpUm&zy%~z+m16MSjk=3eKw2nTMR(|>R>@P6;e9Re~*mU29 zOg?MxEvuM*$Wm)_csBA^_290%5g`Q7+c>_Bu=m(4DLmbF@A&=?`_?@B3YDJw_EbLI zyu@mpo1d$Z^zZ0_1d2p1!WGDoBi&yt-w>a^-tu~W9#DNoe3n&6Bpa#bz=Llc={-Sf z6zA**#Y6aL$9CY$$@Q3pnRx-_h5b!Gc`Nipr1*0PiD>==2Qiqu%QA~P-ITD;!pAImgaXAA z^EfvDwc*GbDcQ}BZ|+7FhA~}d^f>x!ZP*VNtr>n(QofKew_-`1AN3$y-6)L!b;LuG zx?JerACEgpV|6qr8niAqSQXOF>)}NKY!(K;$rmf=GuI#Cw^EXnFy3c4Rg5KVBJaJB zoBTnm5&HGT<-nb<&gRF#hg{MOi?6E|5`z}Kb7b{HK>u%Z@Y^zoH~EzXhx!Ojl~F#9 z^Cdx8^bO(Ou(#JRraOUh>DJ8&ii3wQ`z;M|Jq1a|Ap?CHs=V{Q!os*9cm)%~fd=uA zz3MEYk$(u=k^?uG(&M*S;v9wWwisl1&Nd#VpH&wU+hw~~^VNy%e@Uy9y?WN&dEY<7#12(x(h7SRPQy zEH5D9sJ(r9Z^(tf+GJ5t=J$g{?ecLcPYWG3(6D%7|GaEt%wHXPEF)){oPh%QALAZ* zoI}kh?3xoRS!a7xzL4sC*%5q>A2EDG>bAU8t>=0(E~v*G0Kst14#op}Yoy34vc+KmrW2 zUV-?uB1&6{YzMysb|jjK>C%o$u+8FNr`w8RtTfIm|mV}41guXxW zZ^&rfs$qLZjYI>;1WOsB305)2VB!6}Lt7o z`1ipeT!Vr=2+XY@(QO8PiNkr*1biIELL`i2r)K?N;$H@fe8{!S9a&mr-A{3B6>Hdt zecFkH3Bv0#;}V)w4`s7}`ah!$(3z_KyB^8+h+dpX)x;DVN>#9%y;x`@F2?(7E~AKQg*CpzRUe zv9R*TI@MAy_aU_TxzG0V?;HNW&5DlCC(Si*bAU5=H@;LAt_0-rc&ikV*Cvda4sp1k|{bgI2_72n(O zu**sKS>&(uDjDS^y3 zv-g3oQ>ntpcs^0>*)<7LcXBcrmr&h&mT zw#EJBr1$d@qg2rnV0$8$L+4`Ju`(ad!=1H7!P)-EkjersKaE 
zR^#7(Y3@b9zXA^PKE*#~($hZ-y)V&S9oE=(-R?dhN>)$idR}jz`FBlV9p((TwtBrz zHM{y6d8c(hZB?sjdhbo(Y_gao&)xt{p1jrg9EERk?$Io@9S+Snbvp004_63S zk>}yGZ0mVHZo!+Ub9MGguF|~wu5$Q~9;IS@y(ZOKv_JFbuf@9TRtZvbTD4va)?Vaf z`9Eq_U#}Ur7cqcIJ&*1j^@IOwwp#bi`#LjnqWbj3x!SqQouhbu;BR{)P>xW{PeWy7 ze62-1`mAN;{P;3lg|>n+v$T`ONB#lBVid)fNHfUqIGkns-!RxxPIA; zetjGJ`DLR2 zhITnC6(hq=Yd`kHhwd=Lpu0aYrN&9=V==U)MXCf~Qh*8Brg#Bg9n&4dNZo?237Z=n z*^(vI5&X#OiHr#VEk&q7rI_?oJlG5`T1}SDHKKX_?24o!9FY*Syh9|~r%mMICa|3> zFQ)j{q#2dRs(qIEmLFs~c=Tcx+-!DM=n@`QTovl$glL0_Fk?jQ;k^$7!Wl=&(cB#iS*&pEF zb4Zqc#*KznS;jXg+mvJpv!X@ASkS03{~%?wF@UT|mEvTbY}EAbl2sUjxmc-sqEO~2 z1e4{PBn1njm4lM#%0FBi(9iRCjx#gl=@;^!?JH8IQWWZpIpJiO4l^bfs$g;aC&%uBN!%sNpSpa_!)wVRxnG$^5DC80L)#Wc6(!t7R0*EK0R#%H?xl6M@LsA^uR8eL*5s z9)tL+Vl8YKFeO{=mr+|fwUa{hyn4VZ)F%qa3)K4Wi+TMuM+*Ljc|ZQcyggscizf!F zP{Lk7%mx;evma|@ROh$9+%`{?&W7Ifv&Jfc2R9|j>+j=u*)VIUs`#ETzIm#cNw5XN zdbf=P3kkfu(Vr)!5>zWzjM3w4rIq^&MD_;0GcEv1AKxXbPA3ENFl?rp)>HC z$iVg#HEY5gy2A>SHcFgC`IW=({di^_MH*$Mm%osAv*xOt?nO)%0A(>Kclnho2Q68C z*s{x5UxD_rP^g{S$4+=dKWMO7&a4Fl(&hY61`d4KSHod(Du^soq4r-W(Df|jhTR=x zkr2OTotJU{3{|Pq%TS&T8=#*z@^$3SI4t-z=sx&hNg!GW%eI9@%1DIoxGmty&?J^fG+tlBV?*U-Z=1FPHSs(`IA{M zp!eCQgOk`Fy}SHoKAk=RzflF}6HEO@_Ren6=S)GPaw{N3&@1$3KhkOB$HSs6uyvH; zdp;w~NGV8aE`3Y%v*c;!y2Q5YCU5VqRx)$DVY9@}>#3a^xX%h2N?#tG$#H!1Z1wfJ zOet2btveg&#j7lqHQaH+z~y_0Ek*EgTrB*`zRc$I0L<0A@6Q_s6gRH5(`>5S4rJB3 zyZ4eC5xm?=U#YcS4$m!b*=t`{KDCe=ZQPEN)9OI5AwkQ^mV|6jYe2elb;T^8&CaWx3(M?1!UXeA50t$9brHmM6v*mVnXy zuw=o_=S29tFyPAec^RYT0@u>7#{W_E~#wi0fQ1R00y-L&^O zI@+t9yOFSdUeel8`r!>)<%2l>_=+A~rg_@CoF94b^Kb8!J?M2l)t$*@BUQD!+^tiz zh&n!aF?C+e zA#h_`=JwJdA+iayx*rBSufB_11Q+scxm``#_(n0T>Q?riNxfy=QFYdK-BhH`t`Xgx zD)DOo^3+`U3xaYV4>#m`JjS|UVyAIc&gWu!+YDE=V(HX;9x{d4rn5Wd14dPK-o?0A zEyQwt-(%Ubm=iUh19;V52{1v2ARf>M&SzlUX%fhb`bzI@wg6)Z8U%y{81(9n?aix^ zbUi&Y? 
z7}w0412Cc`+A4^m>q`!uWbGn3#c)$64ET{RSbKlQv?1(V1Ojv|DE55**&+t;&B-+$ ziMD*%ptea4`bXN!;z_IAq>kTW5(pd()Mh8WjMV~glNyx_h!gL*1eS2pf2{_-GWwxd zrL%{MS`sFZ!nB}%l}EQ2uPU8!Q8+zd8XHwDMRoeig;2}>A7|JXa4t>va!3b3 z8B!iD!k7b_5P2!*9}$U8d>~D!k51aACkmBIk5`Jh#qc-J|Bh0kVi3NqtbE|`K$1_x zI7yjt1QkW!3l+z?VUMG7zip;3t)Ns%n-#i50P*S$O6wxx+gMo#q@lZDN|R#RBZXji zg94w;2?bw{a6OCEp_?&Hbdq3Lm|OF;Q%1HIWjM2&@%>kL3t@m|)95ezy(XBAxVP5= z+P~|+=oV~*@J)Zm^B)m3lJm)a?}3X^#Zn9QCK;PgVv?|a3vn>0K`ScIZe*S!Ie66! zw2rZx4ua3EqgIJ>7GhOJkf3MQcW%|RfN|)Jw=}jN5I=GOH$8oRwK^Zdz&C zAX(3fP#|1@MA``%Zad)|4<4y0YBR=IDdke0WTFbOa|$H@2M*OS-fqOO!MczrCP_7v z(fPT9yy1Jsze4miqxZWjh1O(BuA2OF($3PCe--6_Yc%y-fpO#H6Q<~63(iC)%I$pgDBVUmD&sHkC(v=$zfMB;-igQ0} z#y2=v2|WTztdih1XRsz2YFd_xmobD3pU7cLA|W{3uoA`mkd;MUX-fr_A(8d`Sk7SG zU%QrvFtTe4`+z|~#+=UzfKd1=&qu}`1gdmN#cVmWc-RlKcz|Djs#a_wVn9%#+4uZ$ z22Lbn%wqymm0bdKA`MG*wj*UtY}X0onNeJyrJ5u|kG>!QW#ddLO+=+N<7Vz%s+cV2 zEC{G5M$+y0a!HLQ&aXcaKTCc|Qc5RWfi0T>nec0=j8+Lw=h|X0OEN3oz@kysey3L} zC1F8FB%UTxMPa*4mU0W#DL#5jR--3`%MO~Z3yp#Q+V(>wD;{CSD#kLh>qs+$UrYYp zbd8NLXOtaxZA6JWO{F7yvqs1F{Xo7a0ijJmN9?p-^k)#=AqOVn^S)165HgBt-OQXY zwjmevQ1D|~cr@*dZF5=%(kL3AsRv$xtq5KJ*F*d4A^v+>fCbVOHs$2qYO@KRGm)(U zYM~muD?S#Z!zD?dw?~2zqRQ!y5*}*1Xhl}wRZ0#@uRzyV5`_|!{vUYtEsSS*?5+a& z|6jo}`6>7Ch_Zj-t@}2hs=3VXv^wc>2 zl5OoAkU~B41tM;+M4H_I!}hOmSIaL=0!oY5NGxO`74kDrfDo zR8>ZBe;7EqDGb$WLg+XOG?%(^ekiFNGHRT$+?u9;9>Tw-j+NVS&joWGo9yF;(*v$C zGAlTwr(1#y&b%G9K;92>@s4-Q{KXD9A~-;jC+Vy$qnpYbZQqf|C+1T+a+fElw+#!k zssx`G+f-aU+~%puO2q8aTD`P?=kcioAE#B8wmbU`mwS%b3l+e%H*!b1PV1veb|09R zGZ#5s&yC^9Pe$LTzZ=A07OsjmCI7$RO9@O`uin>?gi%J(r+ZDz}*R?=)4h40f3B=!E&<{fU?{b7@OyZt_l z^=9*M>o$%%)(ub#t=KyK@k;s?3~N^91UzqaQO{=oo~1wEJ=)OL4tJ@y)%c7$#zCZA zeII;~TXx;_9syu%g5H|a9}w5*UuF9{&G#17_~JUB6G~e)ogzy=i!MJYJ}*)cH0bJA zxuJc#-*QFnK%QUTY@Q>~muSR(?#lzUu=Rvk^9h}pC{3tA^r;u=pjY@=isI!CoJG9( z$dw4_{3}!-Q9v!IXdrR!i>?z$>dxq0<)m42IGO~j)TenGcYolQ1cBp3eS}sSU*jYK zR~zSMTl97$&Tz5pRkc`V&%1(!KpkCA$(p9#3oitgS!4Y2eWX)^a90P$KNFCrxX9Q= zshR*Y&XrYsuTrUN+OOWQ8N|w?6|Y|ZTZwLcn&C>3GliuI(*%(vPnr~`x@BLvUfOn7 
z1t;WUyc@L`QM0|L_ubF4DD5FxyE&I^yFJY({TfV}mgh`bou%e`q zCbpuzP3woDX{YMYFcAl~lCoD3y9Ig-G3FL6oxs|L^0}2 z;&By~d65JJs`r<_ui1{jx6rys);vc$^ye4rY0V& zN&(iYZOsNESu2Xo=>bIW70m{4IMX6zB4>nTAbF4n8TMJI=99JS1%<}d5Icp)S;@5AMDv?6Dc40wnaPXlL%%#xTm8to)q6c}$2 z`gyibvydt;338N`;v3HnIjHHAzikoHvk|bv#|L__1)f}Zewx*nWPqM>hb0=jf8(ZT zn)50dcKFecndGvJS5UylOqd;sB8FPDYs+G}i6S@(i^o_jyL1FndzolT*SSbaK9;N7 zND0xqIR24il4;?ABt|YURfXVKq{V>5UxiKxFEt<=K3q=FChdfun038GP=YTlgmHk( zrHAcSuKk(BVGtLkvBI2aZk^F0hGG~MRx#CdhRho9Q*m5!K)KrZr}6wZ+sOLt>J(ZM z8)KRV0u!)pxZjA%nna;)?%_5fl9F;fn^Kx&N0C15IZvEJ=Pp{#NEU?&apqB*-*d`M zFrk7UKaeOwWy+~iX(p=@Q*4^_g=%=-I|K&F z@WkxBKceP&t?sLb`ybFZfM)sA=X$57iHsb;^kqoh3?-LEm8vV1NAXO6{S29YuiHz- zs7(Y){$U(37anU8Vh<831ZBwSqcXpRW;UZ?kcOI8tV;3_v?2-wW$^E8$Ww3B0m7!_ zMmv{Ij>8^l7O}4)!}^iRzcNsfsgH3E%ps9UQ0ENQu!vTstRJjGk1PyH8AiP@(1du1 zweS?j-OF33+T;Z+N)NEv@9zZ*S+HILz32)2b^2t~is@)YbbF*ItxfjLGq7FCx(eHM zipqxG2#H=2QYlp`e-j-+85Bo^mk0$8{$LFgLMW5uL}p#U^Es@y)}U#T88Rm`7%zGd zUyx|jDbf`PNKXxk$+D4`p{-|ZWh}?0QL0{P)P`|VGF+>{aP}h7n5Hn9)|{;ZO#K%| z$id0;YfC{>KA?B0aJjeG9=W%v+D%_^q~E_VMgLs--hhMzLHqneYB&5OVbf9e0m2IV za8J1hJ|IDhqe)x0dcf_rB$=n_Syt|+51@2AxARVnre$!)#mCpf`TbQV#`kfU(q#eM zl>kWr2QLWp`PbnJ?<-}B&EE7ZIqrbL|6%YDvRk5L`)PNrxcqd7vHkH@LS56c z_Hvqh-1TvaGFa@oW&n3HI6COsN z_%1?9?YzDh7jcSd3;r&JFP?1OxTzDf;SBMBYSGrcJw-o09G7T3`Gto=R&UKjH^HEW*z=->xFQL@kPmYh-h%-i8@I&6Zz0WOEUEN$8Vi!5>>vYM?h%GlCBXn?2 z=RZ%b+z%ID4$m)UI}M_PN1!f-Yt3>q8zmjp9+LEKZl4fscdiOfG#$GDtL<*-lQka4 zv|pb#mi^QBChV!I-8W}OH{G`-Q+yXw@h2OeSx?cy zwzxf;CS9|=b(8TspifEe?8c9pXIVNu+gV5c7n|mfXm0+0+}_hhiLW?SEt@xLx^|z; zXK+4=AJ_em7j?Vs=S*VLg(6#G*+PAqbZrb%tvgE|ikhOf(z}>RoEUZU zp^7U9XSLlBaaP9rPjDdPLVZygnL9B-%pAV@ljpRiIfIIp^wJZfa~gD~bk5MBLp!Es zwfML@>cPo{x$R#lKb~Z9B4(TNI?)1j9T#4K#8H=2$vev6LE>%F2957DMH=IR*ruvC z6UD#&Stg)vs{~nr{dr}HP>xg>Gcb)pRP=W6Q*-Fr%c!kiz4?X-d=^=Q@A_i}A=w5?!7aLwzV@4U=d<5w}U9HK7Tn4T&u}Emoo(fm=oJTs1i@ z^uqx6h_GoDlN^t&e}jux+|Mg%LOmoT1+6l3K9d*w;vAklQV_2tT4vq7i~5X4W!f+5 z!g={OvapkC602Zo&<~DcaK9Qy@#SjECyaH_3Fv}fPa2e~otv8kjv(|=pha-dg$u!1 
zD2>XCa>{Dx@YgMCy<)garG)%1dvZ#UkC63GV#T^NQwdu&QBCrr=mydRJSXchiD;F8 z>p+$$%WtSAo&qSRxPyr^cui#*#!3lk&ehea<`hJxulLb5!IXYeY_?Y$?)%MeFao3Z&;*sGZ(_*v z=PnNlff%VTyNaP`H0Ar~fq~{E{JDvmB+40IA*wv}jFPY`)5uTNV1a+Qvt96Is?8`Y z6$wk`Gn(^NXw&}zpx%$Hpx&HM=6B!?Jt^NAzt{&L52MEe%#%X(+ zyW8iU=lwWRs#-0l?V$)zw~Xk&;)_#j1Elu&WP+}BKYU2W+kRQLfJWb`%f${Z{d8!= zAbCX;yKLou=Dl3mxhlpVyuAJFQrp%|q0|N(E3W1=o^`_Qbf3>pC!OqUc-~$F5)K-L z;B@s|Jk_S?Y1#ns{BtqkVnD-8$(EGA`CW@sSH-P+-tH~6f!JcTE^BO~oApod&^o}Z zZJ+nqm&SMIeTf_Lopwu5XN=}kPI3@2zFXbxbgABq=-IPuXvyRU@H%(7*2k^#Sxx6* zb)A^Y_pW{&8ybC<=O5>xryPF%?7Nbw(TN{tCQfV;z2;d=EYt;_%SdzN9zVCuLnf<_ z?_#wl(JGz#?J?9#j@n@fJJ09tD>?q%!QcS_|D*B@KPXG>q#i@}?)`?qvA=~qmy-W( zZ*nC!Vh4m5XMxxC+IZq>yLlL&>GK+PKNOAlNz?=RxsBfqbk#YQtL3u;?94Z(b{m@9 zt&WotST}wsJ=DA})^vKtW;+7xOEcatJ2!tn+p>X{aca05?E3JCW4@@8zuITz?zwSa z=wW8l$Yb)QnmyO^<&l@p^DT6|9Vb?e@1cj4Pumx;@rkVce3-%h`81@|`#i%rCbP5t zLZ8}E938_62pVm{A^-v_Te|f&Y605^uUAi6F0t9;xw$?gAqUT`x{|z?wRZ>YYO=ih z%h^5?R;eB?(`Q@MJw6{-Cj@|K=$Uo*TAWV~-;HyL+@n{J*e9q0c%t+M`jfu)0Wul# z-RHlGk~mChdf@N=A-1YNldj=QhWvpAGG*yh9wB;^Fl)vf; zmnk>qo59lU;_n0_GrH6Z;o;xk!H>E)n)0P_76%C}=M@uf7qO|$ggThx%xX$59Vtt< zV(a?&ei>7#M?_JCm3cVcvpl_QT#G=MX`2IL`VjzVEP8Sg_v{rZy5#3U z)ry5yO-7r5=!q$vB4_g3%oRT>s-&^!0Hz>kw}mUPX~Uh8i**J?2kG2FDGh?k2Jc1s z;WULijXGvi+G^#h4&L8%hEyZ+YgW#N!WDlxnE$Kk5Ze+USvdL)2Mi6EaUEYsd7?V4L>$ zei08HIwdsq(vNuC*(eu@afN`9Qu-BrU<*V3l?=#BZf*!w(LOeo>}| zU-r535y6F@r^1b!d@DkZ5;Y2#RIj376XQ0haySlh*ldqsvO-iah<>=Gu|kGR7Yr>c z0s`U5_62-4<3{XNOJjz9acL|UJdHEV|A7ZzUOVJhkN?+lor;|Mm^-S={kUAa?W+$l z{>K<<#tZ6el5foy>DF?WpTR$FZ0he!pI#m41E@va^8(zY?k2tv<69^L8usgu^Lx1* zy{^)6AN64PeoSe0F7424`A!N2db+&-@)^CD%`3E>=D!Ts0ZLctF!#^_*GJ53r3gF> z?q+y*fEydt*ULC~KBF~{Xxo8r1GYBm?yXL@1Ct(=-`RC<1MU}}pepH%XxzNEWLn;y zwhH%%H}K3sccEh02{#`=HLY3Rqi$D(oyw2%*v(j%-1j|pHqN7Hf*v2SLO6V{m$jhM zn%4fr!Gnm4DbB~MT;8_{%GLH((5s7EB#Pe#l69}rMk*bq?+M*mzS;`s+em*af@6F& zo%ZWL6uphTDOVew%d*atcZMVF!fh`J-S!^W3Lf9wQqS0&=k=`8_+pHj+iXkM_PeB3 
z0-nSC#Js{2nh;PGV5HC$k3Yjx!Qugu{F3YWy|l`%Qj_B+RZZM4)ZpaF$4Rx9Zxe1-gqy;I#?vx_xw<NX*1|$e}TH!aiE<0rgtI}+V*bY4I>w#*75yb zEt}sg7AJNqi^H~6N|)F7I>0+^y!G09KQM83r@BXlv*+##Z3nnphoc2ZyyjJK)8~H* z$>p!NCo}qd+z(V;%h3Xj7bE%}m!ot+`fgrLEYEHkR*!~_#+Ky#X77=XcLmbSg81)2 zYFGSom#?|CR9`lqaL8m_Q08|LJtNSszj%kIGy~Kg_gFykR~C>&8|m#w>>w#~YR(=S zx~4Qp0)5gqOMU)QRwtXKAyKwfk$$Nj_0LdP|2fc41+PVY`jJ$b1(*~m$Hfd@i9O^- zmj@q1H^yvKmM1SbST9bWb1FeTjPzFbop3p-6oa&pg%!sfr7}o|l)+&OUtMA~H3$6@HLl3XT_N=}Kmo{s>dZL`g2s#cj3ATa7?es2$g4 z5@<}5VvZ^%YEbc#ljculok$Y`Id%Tbh&PuYQIqBfudy0eM($cb$d60K+E6o5S5#C; z(ii;)zg(EhZ=st;YhQ|Q3C?qff(&*m;`?LYZ*GT!A+*J|U(_6hEeZChDv|!$Y+g({ zVt;wCpq1*Ar7Y2yc>x_O;^OOr>kRcAtWXxY7awwL;Bju6*KuB^>!e;pwZcf(8scjh z;dgmtIKo3ojpk)&?^Y-krXd|EgARlL%GlccdCGq(ATbEJ!#qH?=&J>|F}Zk}ix%*X z#0fDkTO*eG@cM!OFc8bHFv;8xJF|0PV2w&rr$SiALfTa>2>kgW3}(d7Ou=4Y+S>oy zhIFtHcSDBDx&Wc%jD@7q7`{|MRB6yq348ufzOn?S4jMI-M;0JYoPmX!!AR$_7In-@ zk`|1Oy=ZUEx^iDwe)u{y0|OChcq6a1&+ z3t}@xcMOQL8{yT8j=eLtjpTiHUz(NRU9N${e8pBpI=~MnMGw|by)igy_6$MI9=fHd zH81^_Zn3Cl1vf-?+jrG6`<5M9Q^gRd^%z|{724rCD_Cfi;92x2UbfK+=8(N8Ps#glf+^m$jr`I{urKc7$*~Da-%LLtqV6bw3q*@dNH0>0g+8)298C|KZOmExF<}i z$0!p~a;sTQ2N}(G7Ac;AJu@Ydlsw+aa}|~hB@Ta{0au#OmOj{ki}2EI?_Wz;I5j$j z5K#YN3oHfJgQPjAmUFNOzI0BfmgVa|@il@q2#N90%B3A#%+qvS+sw>u=rXO*10>~- zuk`>uF`%EE<))}ymcm3Bt4yW*l_s_otLBz@MXciALdNr7luC4J>4qh^?!pjtOLN;i6p`D1 zinR1mAt-4lrbo1B_IFN6J7gVtkVeHbB_o@^`}FddF8k1l8gn1D2-r^`4Azx>b4zbE zRv0lZGEKTrVnq^B7Q6kKgniOEE$?5=q?Ku!RW_^@kI&LfCbxT@)WESxvaWOp*|Ps+=~cK)NUo$XNM)hl3BX^sVL~I5U4^1bq#HS&ib7b_pINo{i$BsW z#(8B_%v>?=R!R^=Gxg&9*>%Taev)oa1+DU(Kb}u+r$qxg!#VH2K+0{04D@(IWa|Vy zn+%bEoCsca%F%JM$yWKdG+7rJx0%KsgB$vD1!IkzEkz}Nn+RX9q6%$ zAYp#Hpu_62B5C;I?nL68-`cw0vw^}bw3>E zR&$(;s345g0@q4ny&gLBY<0<9J3iQooYpcnzLE31u28wwZhhpOZaSXDn_08#oGnD7 z>o#9n@93I1T3@u6ZayqDJjD9AL;_n)RJDGB*4}#vfcx}jy*xK<{F@(SF7LH$?k=$c zGaV#c$d?}pYnIdNS7zPU*No4Z7_`otx;VX_&O7a{$x-!NuRHTC-1ZOTS69B>`(pIt z)o=K4tGpOp$=QxOw^f|YleOxf$2ZfxKA#>qK5etFmbHuB##+}4XKOZ&3~<@R6Gx1o-GHv}<1mRkM!xtVX5(4*sw`X1)9R?x)y@5tH+gH}IWpDO 
zSRHDzjbY`QP1T3{p0*RVRn*G$k}|`r7cN@mkOB`uhJ6^^MV$hRf2E$;7s8 z+fHU;Ol;dW_QbYr+fF97?POxx$=+Yickf;2Pp{|y`>s`8)zw{i%YO3Po#!b#0++!I zL`Ty*En2A1n`q~zlgGC@OJWCM<58>inZrt?+pO6ZSVS~`a2goDYiA#q#GLC!{S2SVhyPrw~=;!33MXnSS zNx?m1NU!Jz^jeN5MzTwqER~Af;$jtPrm9>k3<0Z>vk^%J0pD~Ctr8j6a5&kFtyNCZ z@{Bt!F$p}A>t_o?%u*&A_=Td@-4+Vk*U@R+7c&$uOJ9v@nOMIqmO$$I(zY$sep}N3;EhduV1T$v8^0u4r9C%t~QKpNEXj93lWLN zO)y1Kw^39p-I;hk$THPJXor?REA*Kj^e9zzmFvv1ZlGx7b91zTZ~71K-JImbQ0H^v z$0?9^<(Sj z*zC8MOo#Z9VWsvoQ(DJ%E@bw4zI&8T6rLfP0rYteY6o_~$ygU}=oG8{VQQoUZ*X?X zeV=kh*R$-j5*eF?bL(tK+=oT!P?eDKrnR!SEEEOdad9uba9g>9@Vs({1~{Z|wSq}n z6h=qCBJTsF3`b9m=pyeh@{`y(7{^K_Rj=laur5%2OsSEX6>C-zt)utyqYQMQ{wQub z4@#S!P`UoRv)F#1NQE~3(FP@=OkhUDLR_t(M)_=Y>N?Fzg;hDpW(1uT#&DS^ zV0LV6ei7Xmy3U7;8Wy4KhNY2gZPf`Vmth(Jy34hSHXhGi08ILrE824J0%#GRHLV7~ z*ivoZ!66B$fAt75JZ|0PZCVSvGSzD549h|5WveXO6&{<>Sr9TwC!`b@4xhiqP&J*S z#}(eyTNP0ORnGtFc5S+J8@NZgIFGieHa$sKVZ{1TF-tUSD>4Q9Q*fB2 z1`51ei-fUl^bZ5apr{UAEFF*Q>M>-qOG_=?XV6B$*aqLVLwW29OAf6EC-!ap&+HW?&L{DK4m+xyC?U?Tex zqZcM}U(dg0yVO#`n>{y%2ZKv7X z*q-+Rq89f&1x-$ko5;ZD0z{r?OaowHZ%;em4LGwfm5N)L)i8r}B-JV;uiN-9o{xd! 
zx?f<%`&8N$2quvoSJifoQQcXiouc8EUdZGNhz;FDVDd0MAZ)dB7(H8x-dXotd*ZPs z5Cr`Tl-IhFm`)tY*aJ=wxDt7>cQHRN7t_3FL5&tNer{i@-Mf4FO+>qA>nRYpZ`P#7 zU%MBz3p^#G`C-RDyu0(a??tZ8Z{U>Lc&s%qCCc+1;ML~VABsKnlxEjm`A>HCK3X;7S`_8&EaC{a0@c ztc$kW7rAP8Ajxq~)7|n~w!X$t2G{lCK<+w>=HtjT-|=0lUV@iZqOQE=(~zrukMSi` zV&lj=JCd^fcDwJT{kD*9Y4)r6b-LaYP%Li}=FJDdQR&tC;t>!D9CSvc9+sAAA8OB@K9JDncMZR6{_oLGxiy< zXFooLh5tT$HKv_?Y4?0|>G*hrROQ(}UdrUU6d`lnbqsqi2(RYxnD7hu5}l9nXAB;NRbN*0geR8@yAMz1Lb?QE{JFgGR1*FbEzs zb3lLtQ0+S4_e&xWeEJB)ME1pz=RVx#KDh9b^z}htp1&l1Xyx9Fn_q#zeLFzHGFhOT z$mMdjXW_hJcm;+OkZ`0sFq9yMs;Hzq5C+2xL7Vm`S)MI#*Cyvl*LTPe8byEIA?G~v z$A5mtKVZslx%=DNSWI_s)99DCoOUoU=FA~qTU4XbpopoOQ&ebD5m51{nnfDNPmALi zwcU8D4VKbEAmw{Elgbq*#_xZ1r_&(uGgMnGX!)CKzo5@XHkh6(Rl<^Vlgc>>bO$K& zBm7$k!cL`<#i|Y}WK@?nUdtb&5$Q1ss3T32x0B}Tw1Oel8OzRtXF^J&PFFjnoQ}nf zpmIL@%lf9;7!JX*)J#D>fv#MkEN2+pqZ<<9KhsCSdH#*@huNhL8Q0UgXAwWVhu&SV zY_%Fqm@eXg>^jGp#!hH5{dcDxp)ZZ_02W?T7n zzwAdoF}eP(D%%A}AvwBzOJ*BOQ%)S0a`7EPQ;*W>q-gjP3-O z<*>Falu%@AanNni(Cu1cdlTYYc#7CCB?sT}=_@{|$UKLFBkjs!ME(|r%c}>MY#Ac$ zCn?tIXL!n4ui2;uLb2*K|Lm8U-wg{RtDJBC<+W%lBBFT}7U&ZfL4z>6T0g!0;Fq~)bvr!K9Bz+KmXsf7o0&p<1#r;Dc7=zKg+})(tgg= zB5nf51cnefkQt9Wof1-9uTTyN(rmHB0RHNsL?l1azSz@yJ@uW0YQitUsKF4!0*xS` zhMTm&4O=w(Z7AnbjV)c|dwBWTA~p}P`8`WQr5hAvdIDtds{eNjba>6`S!OzAVp?xB z&v6;O{#n_=AlgIhQ`HDny_5SCK}x(I%gW;z6*6p(>E>yO)*=}bNCG%gV&chFVEHm( z3H*kK{&*se^Q`%UiQhfQ$?OI&+LUG%^Z0*$UD<-Z+gnBa5gW#!GUFO;R9wOS4U=}w zi~>G*oH>)Fu^3lO{eVWrWsciAX1s1q6>kwcf6}Zt(E?3Q=DgD{J4Gu&*M?M${oTohjZ?8#uq;WYc#1?u+&X8ag&^n;9Rz8+1u5&0{n(g_Kx zHrlr+CO0p=9^wfw>L)Kj(j`7LFMN`M)Zlujxl<^g^kealqVuG2lgt=4W9|VlQ{)^^ z8tURdZ7LR%T||$8(i{$rA4NH7tlF%!^54%*Nq$AK*3rE&q@w9~{Z{m9r@loOSJMrI zq=*nUOE*vP{BHp={g5}(R{*7d0-yiCI=zE=M4{geGGK-&uz(a368q%3_(I)J+!v$} zf9Nn1Nz!|W_n94^tGh^@x0KITo$jVny`4`OF(HrlbuN4O`Od4?_uWu9t~Xy7pyf#K zxO+*OC%YyaAu-nW$3L{Ls9;oS*OWlhgfbo7Q^MrS|eeaepi4|%y6!2WEYyU^9! 
zJJF8+hSBSX7T$#*;D-Qr+YJ*@h&@6w@+L6(c(O63`zm4RCf60|WxM$K z($pDG=G^vUnSv^m$)>?zyKx2I>jPqb>;2;>)j8MeEO6d3)h7~o$e9S)HMJ>rwd2X| zzLE))ezWgc>t^&mr#SL1?H;fCe&xQNo_X=RHpge-v~{a{7wdZOVQvo19kcezru}?k z17y~%WL90QCzWHQwgxEF-(=}l;@*RQFRe9A(FP6)X~pXLuCT29rmJyS%DL7%CCCL1 zTw(P%osXaAHV|~}l-w^1S+0P0p|yISWRX3q&Ah>ME;~+KbnQED`EDimUF2L$Q0XrY zBCeekob6*VblrDNNxW~nj~w3bhP;yqvV@^#$3ZozVO)o8ZbdEA+M0zvVhUMrA@pe6_*=Mwbv#ee?^6*kye z$ZWn6N#?Z&DX*sQ2sMKK=AH?CB&dU;-B;6pRW(@{qv}k)+28zo1c?M$j=&Eott(}& zB|!}Qgp?%tw5!cLSJlB#eU(9Sb79Gbk-y?$RT*!&?OrKhod&@!){`>+>b*Uf*L*~UM+bQ z))eBws|3-}o@I@t>>2+znUIaztJo?yd^6tEzXbt{4h4K6(Q1lXOSFOq*QGz6%jU4a zuyB41OUVe%;I?^m^d z5jJ%}s%8{KQ^W?LEKG~Oc;y-*`j74s^FWQx0C^=BN!eG+!dNKzO19s+fV4|GuVBaF zqRVjTpwf0o17AUq;-7FmGo`v=<-~mAIo?D9*ngANTvno`)xjyD#Y#HUHsd8!iwmw; zNm(LNc+ggQWzN)t@P7!;&+L-Zei}A@!HbLpDd&<*(vNX$2c^hB6^Xen8q0=2C#5FO zs+7i}C=MIb)ub%B`fv0y3Ha>H3W{3D=E)PHd|AV!=0BVqneXRjt*WV7V8P?*Fg9n^ zcrvNsF*+%jcv(~@Mg9zXi&7omq=c9S6@k~AC_I)^Rzi2|HHdc-j@#8UCqxh{jy{X0 z$6J+hFk|?)ca6xQz+o4l7&b3_#=v2a1x#YjQ%qN^t3n;|4$khug%duQ4?C5k#$04v z;2Etu1ugy@!Wd)!ApLW9Su_!MXTXi)>a&?JQSr?4QJP18m)kE?ypls3^Qj4XT?Hgi z%m6U0E52U4UoPeam_RIgYHjFWm=@*OR zS%y8A-O=0jQk4ockJtHCh*flPz&*0rWy+;Aa8AMK#>v9aU<%iv^EKEHbFlYiJ?A)+ z7vl${P--M{G!w(!CSA0<0`G88nI+c=Frz!-s1Zi+n`C)8EJTw1WYOdrr_CDuNX_0A zci>fh^BRNYkz`Y=Tn$)33)R0B#mvUqWRM`|ro zM;4w_a#L(1X74Q1ob8o4NZM*LiZs>QN|11mav5@z39e_YcK6qEn>7jb*!CAfOc53pYCuQ0Wj-epHUs;tL^&Q8 z{oP-0(R^Oa`8P}!ccy%obg@lyx@F`pTlvvnLpo8+dwA5MLVE7|4vujOhDoSymugZ3 zC#B&UJXDqJ^(tmd=XxX(7`G{Sn;3=XZBtipV+L0{##_!cFBQ{ z54ry#y%d6bLRhw~k2C3C!(r$+VrKTh#97dl&`a+N(i6uG(f400=pzO{-o6}I0tYXp zv!3s@?(%xbes5`Y^CDCy{{+x{XA+m}XIy()pEP%RLcBiLj^eGEH13fPi}#=T-^a*W zwx78hIC_zDwz~_OrW@W4x^j`}x;%#0sdV02P0!RfZv&wKI6^AC=xepT|GXzAyLa!- zoks*d50XclS5#(p%+{6wE(?5EE>M{l3)^Oo)qZuuTCCwZuh~~KwOSG#Q-au?0G*1D zlXA4)+rAv_Ot|Z@>5b<%>l}dfAsXYlPy4+--*tZL)bq|U99GAQee)z^?eyB41l;A@ zK|huq_s0s9;`^stCzT#QXfrhz@UaTs>#6^-A+)aWHo!OHUfX&(R7;ROhp9toa$iZ* z{jA0$FoW*ai<#ZJx8wfA`1Xz%T6GQbjQj%MLqEhz2fVvYpmuMv=F4b<^VPaTGMc)e 
zx}S9>!a%5+x2R;b-|m&r=1u30z`rE@9AEXjw*jV0{f{kzb0(yVu+5J7Lv3BDUZ>4N z`<>nm-%ufk3n#$aP0C5jh#FDSbmw^~Qm^yz#;HIKkL`vSSC7G#_Gf5wzv{Bc27c3~ zT`NCe)0+#;-PV=ht#Ycy^De7XUErex|5g|JUd`(=F!8y|ddqet*ZUC6y0#A1^__9T z_u+#MP)PMeB#*1}DY?FF+=phq+3}i{JEgyu#pe#33gGa&y&TvQAml&H5sG%_|M#+? z?xoy&@E1e=6kz_~=CC*S)y(y}HE%uZ9XEr2g-5*rDdA$Z+9o(hd|ht8avA-J9G-6; z&r?2cSym^!x9Y#UJeX^8JfBx6 zEYgn2!1cn_kHeK!W^b~i`Mc_)LD)~DT|!dJk`3*Vbmj6z9>)>1Ee=r1=&-_Y1pN9n*Eh65S9HBDq}7>mhkHqP;zr!*x+?8mOn)^o%Z5q@?ld512lNWv5D_r z-#{*4sALGmGaLMT2BziTTN)8YEZHfT5uP+E7jUB3v?@_hd||Rp`f$e!17q0A&WH!s zwFH&GV3{~?9WgFc5`Fq#JUN0I1cJe7QY79NPz5n3A#t09Cr<0jJ4zhP#+}{iA#@VHij6$R(gt2q9Pppep|+Hc6Q zKLs^{I*zgMR~PsFfWm47ZzF3kk5O30FYVf3+|)TruNGCOOfhsU*WO$PBWbzs);8k% zJOGXIVs>Jk#eSOnL*9j_a4&!3l0&JAQrANr725UR;d^Z&xJVR8;l!wxW$VJQH%6T1 z22(aI8ARX)`I4pMM)q-({ew~qqEc`8pM&@P1#k8XcVAdsRTg`@<~tDk38i)S@t=*N zuh*B|neVr4@$L{Lya;++sB&1C+pjcOW?8(`K&_JKFqK9Fmv`Cqe==Wj0l0|sDQ5#T z;ff7=T=$BRbQI}}qhp6)WNvqXBGdWAgoetph_0mB$dNaBsuJdcBX#``-DN0lQDI-V zF1Vf&ahW(+$-oIuS)I7SDI>a*Daxqg16bn>g0r1Yi~8OjTfY^M!fdu z7f+SB&!4|E@;l~A;)Px4>6Q^Z6lKHS3p!U@nn@CE)RSveL&O^OrM;VlhfzSr&S z{T8Gs-f&sHKRp$mLLSguBV4*ehz1}9iN8bW{ zmosA?HaO`I^-0)K1A}HXyPBL~yta+oq)|2&Ek4VABW&nWK(z?-PAt41EII`%eUrA< z_;Ve<1{qWos-<3B^Lo+H?|Och`3|$Eb=p{JMp8GHWyCFcNTW;~d?vvzkOE<0MHBI`Ap@RPw3T}sl7q2%3GdIxnM3}*1u|nI#MT6R;vTU9*eX5b-lAXlZ)RC$)87eZ#cg@uFT?3D#nca zR0%E*!^lvPd!*-faK3H7^{&%3ZJ@`Z-iojJDOn8@uv*Uj@;G|nIsL<} z_x(VIbMOh^elG)XK1JFA+7Y~b&hK;+y}jdPR)6dz+Q&X`ymU8T_q>wr%^fa#9pb*2 z$M*ORpmcV5t}b8=N!T<6zzcSfofE!vj%6&)O_KmZ?ojAz-~X9fCvVBExN@G_yxHa7 ze-KQ)R#r(&HeUH$mPIB_#K!aPc>27`e{M>=op*h#4n6Nu3EpH^|Ls*80a|Q*KqApW zU3UT1kaF(-gTOq!)qjG-A>`oQMYF~bapP=HR z18Zk8s{j+87ME1DIj%DzpQmK%*&WlHJ25e`IqO`0@}2t^L?6k3k0k4unjLRN5O9g9 z_c1iH+GXn(CaFR5*%b?ZBvf_r+usWw%A`CnU>FA(Y-9hClm z_WAaPG){FHq;EnZO$dwv2Kse?=sh2IFstP}Gk#$`;$UIU0A`0OL6|CU z9+S9wdY7YG`Fdh9p5KBCe_k7{eU#19!We3tDh2b3xLX^xY_XG6rrcg+6sp8o76-#K z4BDLhv`~DtY+1kNYGfd8pk>i88sA3^P$FBXmN27{u;fr|8PTCr>iG1~n(!uHBwA&s 
zS0D3ZR{6;n={juSrp5jTjJuJ4vO)ka9X+vJ=^5H%lbSsN=JZd6X`XN3;Cy$Dr8#lQ zEI5P0afMd7kma&42GuF70pz^!c)Vmw(JZUTg4MVA&-|!ZC0PdR%sXaV?KOvgH&g!x zA<`u?O!6j2D;^P|j5}~}EF2uvC`>rZ{vArysGh9Q)*LE|<*z6$66cG~szk+57%Vnr_KgN2dzy`+ z@fUCR5jMy0t_ky^%=~1s9IO0_rTIH-T=fB;W!s?osRjPA%G{AST00C6%!H8>)%cp} z_OJA;oK}Hm(IOF?@AnOy$)2Tac^t;yWJ4`h%V4%u2sswj`o<$5^erTRLcoU#_!J>z zv;4v_sOC2Doh^!Fw+(+`W_qF7IZe`n5Vpc_@zR@qbQW*z@2}y z44Iyj$tsOyNZxIU$I>4r@+^iaxW%%Lq&C`#4ptXkzlkFBM+$S*20G0$SN&p*Y$835 zeCwr{{PiJ`{5rRCBs4Tr4iZ@%I)NIglNyCwx2sga2#@G1QyUOZqr4nhu!}8jRHL<5 zfwV${W9Cz=*0A73H}H4-C>n_1A(X37;ZX+5yu*| zaG$jin&5=7OCuP{9v`)sRne6_Owi~s3D5v9ljJERjb=0Wy8jZavHDc@`;5Kg_Ivq( zW`4RIe5k1_HHlz_3ljRj7n24w8y6E5EmI=0PJ;=31=BXDdYYMNK7SbC;!M z`^!-iDo4^b)UHyFF@r6iOyFxx#=-|be&<|f!6RW_-U!Z!C>jNmX`)>#FUX^rW*hP> z;hsT1PXEUb!ip{`yQT!CkAr;4o-~2?sqI)7PYm}&E_aCke*B7;%!&f=fbxOipx-;3 zAQ3FHW|#XF#Xb+kFNQD0Q;q4qC9RBvSJ}I~!oy_F6U!ttD<&Xy)=g2@~7a zyAy21$WcnNU;P)jVwMeh{+RAHMOz821W`8P-Ot%}UVDL1galYy2P!HBxs98q`RE$8 zw>Q^cLUL`fdqlT8M>aNu04upEeuukxz{8`fi(c%!|Q9Y;us#Uox)|htjw%Q4R-dkPBX8B{bssjF zUoq)AfR4DT+bA*lY(ZRHl>%?Wd-ghQ3)NWAD|(JLI(E7S{YTBc!zLXH|A>vw{6;nSleY zrMH;YH(oQw2On0eryFh!M#H5LWjK!bvXQcs- zEe3O)A8GQ^RvL)xm<<`?DouObVyTKXYBml+)!L>E~RP=(2kX-PtsPrb9fp? zVr-$&#NWqb0z+MBY^WJ#&oX`B6nQ)i(__aISiq}!h61p!6|2XYCxRR~)n^Wswt65= zVZ1a%=ooh?XCpXMG`d3(WDW_1OtSs@u4$*7=mgHN>it<*D{qHQfQ@Q1gj%OH7p}}B zSwCkzjH^z*&5-{N3F;tDnjym}q#H8aDp=I>UL59)+N^Pd)S4jw%eix1ku11_LRxBz zuy5CkW&O3HGYSv@CW4FNINOHM7qu0Ybk-0a`lc(lITmm`IwGTP1xcKHbnn=uXjMbY zyQ8t{`C?UsQeyi7PwE_UA39OM<4*Xmh+! 
z5nN}=X&W6<<(GK*EW!GR;4mrCQy%zkd)58ubuC9c3vaTcqBOA8ikk zWY$>qd!b*$MgTX7-iRu3gAoDBm_tU&2{&fwNs|d*z^q*-V)~Re>jsu0$BHq%`p|5_ zZ*rB5{GXVtvmM59iQGLCiLlBtNp~0&Auatnvo@!oZJ>Ri8G+*8a-e_mbC%)2M{J7D_PcXqS=sy)KkW;1zc2x z9cE?o-<;V9{sKMPjpejDi7rcN;mq*@_6X~2N1`+09Gt;B&u+s(59k71sS55C-jIn% z79M3&NHmDSC7bamGrHD+^VyYb#$ zZ74USOnxnjhf2-3^F}Ssph<3|`pZ_R{Qav_`m6Ybv(!wgP35dmCkP$Go*rI@LCuoN zvxdrIHIHS|)6{J=uh58`#%O^Si;Ot($+s2@BS@_w@<-CBJ6-q_vswh6F2;g4J;zan zTqt6NZ<8{S*@9EU5&^un3Gbq641VRG^@uQkOq}`F6_A{nHr%TM{oBr4?;PUTFvW(^ zr_B&iG9=W@cH!=%G2j#PTiCTQu;}7m7X(RjOs0KTz!BvM#pjzu~Sd#YXNk=t*(l7m_ zoBOeE#-ms>8*Rdq9|jix1J|)WmxWdks{OI2_W6=m6XD(_XxYh;h|H3$3Q2-~Ow@oA zL7Ae4`bnn?CdIiTOg2Ai!HsB_aLogQPQ}G6sNuND4 zo0|*R=ZaM(Z@Ebso$5(Cz9=X1(Q;j$>|FksXrha0w}nS<(`1X~E^HpLk0||k`EJ>o zKGOWu`QD`->vdGvUnr#O(9;H7H{ZPi{|r_4ws^?o@^fF}AavVnpKv_aY5An6y?Agm z>W1PQ9Os`v6 ziQ}cVek6@s)=Uh(gK)z=jq%Qcn@8<9XJePQV}K6tv5_4O!(zWWgQNX(o$iY+b9Dg} zQ~7ps;0tH?mR_6FBNksJQya8*2>)>hhQjLJ4N{21@ue;j{d1~Sl=;>t(79V_AL3f% zIw%=)(u)$~k^}ULmMf(iv(**o_pR3XF!>tbF$#HY6xi+L@tlzB?y1dzCmFf0WJQ{Kp;zk21ynz1mqte|Fo#ehEi5e&$_kOj7 zrv8@>Bp}N`5L;b!%A4a=BrZC{wmU~%u&F|b$~69XRy#9|dR+Q^fr0!xKd{iL367l9 zqAcolEK)lD!cuHaIV-qVxgB)NS9mm9@H?s5ZV(9m2<=0zd6dRQDYgq@`N1n~DOqs7 z8Z1)oALe|M}$@X z8_02v`cBS}+jFizQdAYKzRO7-c0#H*@!S}eAdWQkxkl0ll zzR6%t39>A%!{Zw-?0Z#dIgOI8(pBzLH>Ig9+L_2@M67uxsZ<80sMxz!FH2f4b*fS- zih(t6sA%Jm7u*G>Y}u2ja_L7T_Y)hLqW@agP@{kUO%P3{iJ@+V49#n{f=Ziir~rEr zulC&{V1e&D{M=U58e4#)W0tg&{}e>H9noaVhzF)M0*ZiH(3%;z)v~jZ_N6~-DJeJM zxDu3sp-_!j*Alp7Z)Rf_9iLY(822A80I6Eh=jR*FWMlw>rVf~?KU=ap2&pqbpa;7n;n9sfK2 zp#333{UkL4u4^*0b+ue>C$YBWvLPlM<{xj2ZD zjCUom0G~w~JyAfVvDs^b-k5=j)!z?%rpR>|E7&YTMkP!X$(F`KgqT2p*f-GTps_E^ zW-zN})3BZQm%8(12qh*|yIaZc^Wkr!m98$W)}j=}*Wz~|%q~BicSEd(T>l#yONIwH zXpSL2Ae|7k-`<)KTxNJ;HVd$Ta4+WbJK~_ zRIjWZ;`=Bw>Zq&h@3PSFjGz7In=Fmjx$4~4;x2- zoty(lf%w~Menv^YXme7U1@q5uef3~mHUmGs4a(4{W`5F`{~;Z4syam2?^uSB8w*X7 z98_ivu2g))ym%AP5S-w zISD)$<&u1~6jFSM(NVWl-@4xm>|C!TIWR zE}g7vr|5Xivc{YC#e=j-mkVhUp<20DlCq^?ianeAq9ufpIvMBKml?s%z%p>k)9dkf)~jL?wF8)o*Mi=6`l 
zK~=A>AIHkyp#25CKW4b#|4_Osh&YnU8?CB;6E3y;yiMn-^__WHvGeLP7UDffI&97M z1d+t{dawAKZ>d|^c3r3MmP}mT{zs)h7nI0#JSBuPsI04a7F_C zQ;7Sm)@`1*CW+b?VZgz%+$LPDHuHI*wRo)H*$9;OW!9?k%|NwFqTm(5ZVp|#&}LkQ zde92*)7;QEVZ1;l(6r~SW~A@gODZh;n!{DDGXvjy!pgB;D&KSRRLhq0@nO2YZO-at z4aJHN_3OhPm*35cV&iev+~z)|S+TJ?w~_wKUxY{nuF%@8c(1pENsMc*oVDE?nJeD2 zvrUrDuDW@tTGSb$_dNFHM?A~D9c#M6X@$uRA=F^kVOX>pD-G-Nf z_gZXUu?!y)?Os?9BA(4d+4zjojr2V3nF^5+c|>iRCG!z|@U`71fWScdWgw8{x2BiR z9b~5n5PIt`len8S=S@UL6J zj=|GzLpJUCNyHeXW%3OE>W}avufaM!1cg32XVfOF31vCumK2;@tQO-mUlC|J-wZ}i z4=8#@?^MXD&xTYQ{uz_8GRV4oKWp~TO2i}693P=bJ0GUz&Jh+Cta^BL3#KE^hgy_Q zuYz*V%u_>IH_7KJGJ#0=ND@%q`Q31q@9WNZ(#m zmoRkMy`SuxYVK+Uw|xiAd77M=Q{gS^h~Jc&=JX3`3n={oeo0m7^GQQTd8l+kl#I>fsYL zZQ(E>UG`}tF^x<0D056c!2YQakqi2F9=01*rfw>|jDcz$>!({b))ZvCFulypeL=!X z|EdKsRC(TFUx0iStK_kAj6G6vK|l#FW8M+0zg$F%ElL;{ZRx7TM(x0#qF@h!H*`IF z^>@EAg-5`e(b!6l?^D-2bls~8^_M%7v#9K1yHZ1B9C91o!41fJu>>8z|2A_1WY*LYq zzEDw{#KM`fG=XNy*N6|mO}a#w|CKUqF*=SC(U(MDC*Q{74r+h;!@J|K*%2|s_x6oyFm3Eip&93|gZzxi;yM%d&L=bD~ zs|cK(7mU|W-K!s!oEw^<*?F~jZ~0Ys5~+c5qiQ&3uBmts)9v`R*tI#nsyRU}-6qzW z>?3rY?v{_!VZwP)d=`=%1S=UY!@i(OqxVBIOPRLbu=t=4)4ERTuXAI17v(AYw$)#n zw8qH!MXy%7bPfv}tlN!*GERZdM|%~9GV`bb+2#S*ljKj@8+YEzM_#dC3A zp|DZ2@>yjo)Cv1R@yQcGmP=-T36fcLONXWT_I5HxPdMR}N9m#gpk5o|@TMAPpmz6nfwid>>%hOo~#fT^GwP zk{<5J-orLjB00lLL_%$ES~8-#0}u6!OnottXq^-xsIfXCj=xl07e_r2i{llZB{>h` z`TbOCFo#Z`5%B9P#0?fxuCD+T`9EEN{s|}qMfn)yL-v#ov_F>1^c$bs@dLGv75sJN zjxp5t0?wE~06IW;kiJlFy(Dn$lu;0_eW z(36m3COGW^QHVOkd*hR~mt1_;ZQZmjTMWSQ6o-nr9II%FaHq`6@?X^z*+0I11wud2 zi?P{&y5Q?Q1`u(x@o4VtTA^}U(!OgFY(YK?0EBA2?6_c)Dc}?G14f-qBsqSdNn8m$ zJJzmm-apADdoDYyn93g`JG>4D&a-rGHb_{Ve;rhL*?)dY1~~k49C60+JDTBovmpAo z2t{hYO6^n?>Tw0wuHYRAeHc_H#_+swA8xkV_1d&L<67&eJeYwYbvGVpeMHdNcn@C8 z|H}d;>N>oR0e;ByIXwAgZaqz-tiLkV_N-g?p=qxHULK1Jo1eb5Zh_pHd^{FAsy&G~ z#n;E}2_MkRccP(EC*N-xvXvXJyxLlK&v*{o?XT}jcSUW06F9H?WD0t&p#3SnZGo3j z1bsf&%U;1iB42mV8iLzyPRi|?kdR9`4j}z~pQ^Uk<34d`LdSO?D|4qkg7#yV;5=bV z-wWOEdEQ%riNN#5S*Et`eUd2m#ljpoQJnp>eI7oMh9eXFZrj$4NW{xD#n8FCtgWzV 
z{;s^3erXx|@iK|A&9B0DWCk2cPHnqMPj&0!>I5w`&ZISpn8%8>Xwq_D*G^=c@Ynmn zdH|mG)df9bhwj{?5Ie<=o_u_<^DeFBfxVGYS)>y?(rG}2?(cgf|o;`B)tZ7X8+N5Pbi3{#2nSvqf0~;VSfwur5CeQ{2gROf~53W_h;z_5uq~C zfxM6SG!Hpaq-D_%+fouST`Rbzc;Rq4PcRC@Ruyv5&72(hwg?XKXTJIo0=cf72U*Xb z{)9yAN4VmGT?m0-vZ)A&rL7pd!3mX)1ldT-8t7Jk8|dVQn(Co9i(aKgm2y2poH*)| zaLln*NFIEX7Y&i%MUmk@hrGIIP*Is^)m3 z0>zq@D@(5(rYT+alvxJCl*0gI;smVZOml%1)i50WvOUJRVpk&AT>)=8d2al$iohVB zTe7U>Zyb5`YHX>6hQIJ5=>@@x9-8O%iVeifv~-Y8a#8(0`q-kv4RMz(tf=Xa<-h3; z&YN_Osfu=9Rs1&ABTAQzKKIhZv>IB;X<23ez#6 zR~`$eZ0>~wDRzf<#VF+_s1G6~ZmUE%D1x{?-d8}j_5Y8kZ|trt>Xwe#v2Azkq?6M@ z$F|k6ZM$RJwr$(&xMLe9K5w3J@B7>@bF3e**REAH=d5bU0387$DH^*Kn+rSJOVo*f z|Kv7ws#;l6A{sN9ltsUuq?%$6P1!(7Bb`Qt;3&FL!7vtx$x8g zGlq-Dpa)NxjwXa$lBmKtUl&+tAn#i0BM5RNf)6(4<|j1X&&g#!ORiCENEC>&cZar9 z2P??DgfB0`a(*koRiEskq-k)(qo>pyiN*1;IjxT%nWp%&x)C4oPlg*N!J z>ze}UC4731+V{4^)mz3cF%FD)dSP0#XUIwg6E;2l12p8bSkas+{#_p87{|51K-i;$ z*TfKxDOS1hWLhOu#OkL!^$0eJLOU+>Xk^J~N}Ni`Y1ZR`6I>*ua0bx?70e7v)1*?| z9Izy%1oJe@aqT4#QZ)JM8$>#mROAe(d;)&Y3g~z4gH6gxn%Q)_ZY=*Kc*)`39k+-h zSPPDYqxUV}Gg6e~nQ)oJ{{6@EtScZxD#!wrsR0^$YLQ6V3VjNd!pWM@ zzMxAP)~Y*$t>&&>L(G;lQjc-vajY$W-ce3e8o^xAxLmQJG7ro3LuP6`g+fyDcXEv+ zM7Hx1Hd2Btvh=c%-2RyhEMD|pbcsZfW|ie4UWPS1$7EZ&V`$0xI_a7@>Nsumux?T_ z5g6q`67eD?5w-#AesE}F`5EL;1+07f_ki*d^AjzH9BMN7k%9pFL)KVgoJdr}ph2)b z@bA*jIt;r~oH5rlbHT$!cz>iuUXu8p_>0ELKlU_~He8%I)Zj_J?8mXt3Mj%Po9pPu zAy#M;vNW=X>T=R2jj-mgBmbPCQcvb1t0L$^GO@v-AS&yaMn=J zp}ub&0RGc(_)mAgaJzTqWaAhB7ZQ&fBbzdmdQbA4`;78V^bbHAk%x<4N_w#~<;S#s zk-A92`&807Tl>Qd;5Ew140;Xwa$j7qJom1*%(8wPzb6y>h@bC3q+IgB6C6>$*`QKid)9%muCB*@7Z-3E(YHgn61*91t#atp`=ItA!GZR@)8Cl%D#ab(kk>wf34L`f`gB@IFQd=J<{ZYF~e1 zC-Hu8oS(Kb@9YI`9L;*Yrv=q)zuT4W^lG8xe7@I5+w8m^o-up{fQ-_p9WnJT2&%V+ z@>@R+NSi-q9lVT^c;Ck^al7#vSrLiJ^FJY#6UK2d5@CkWEg09w7(*1hG6>l~Wj6;sP4ji`FmWou=`3do2)=b6g#8xI! zntgMfDPKF;1O;!Wgu`Yoh6gOZ%VrNNd8uf9DjLLW!|svjvMq!h^vx}XBO-wr!E(l3 z7_dWqM(g+(qX?Q&k)?~Og0mULU=_4I8VzIxQ#=XrB=SZg6u(2#GJt1Vg$6ek;pWHu zr{r_x8n-&? 
zX_F=R-!(s@B!VgV!d7vg4;phtiki@#=dlnC-FsF-9kRpM%>kvsO}_E5Xu=@%D=*Z^ z%at&iXGTkb4Xc2~6If1;#x-F8A5)mACx{_Nt&;;r9C}v&!EFHdgspLp--WvV;S2Ge zMLB3)4~7;t1@nPfnvijiK|$7%?HaP`OP4pOjiZQL6!Fpj6KGE`$0pYh-$2#uzk?1` zli;>iH)=XaRHFbtAtitPC`!X0W97Kqd;4WCvSaG+YLiduBVaa8$X z(@NPo!-*6#(4mVK?kyYa`Cwe|rZR?VQ+Hu*-d+x+A+}J?g~q<_YNY@tuB9pa#}*A3 zBw7@b?VEA`GlCh+<+qBBrL!1OdP~2WCSiSreh{b#y96TaqV#}M_33Tm7|ZDcl!_2c z1A*-WdY(11;r#0S+dCMyY&5b_OeJ!Z%EW{yHl%d*Mtx*g)DlYlrzwZBK5fds& zBrLA?UUmy_s=eWaY1nT-fvdL_GcYjv;Q^eGrO>BBm=|@8cXs;gAeoibB{(&ipeX8< zjyn?4t)YC?l5ZV%#LA;!?a#t5GTbs}{jD1MQY`1&T#ws*PZ?>pQ^ zxrYF=oz5eo9YIjPLPDQGVBZ|`F<=aEOLD;9=f{E&s1O*10kZwPkKAU}w)Gj))xL6# zeHas&v_EHbzt21WY#Dm1-7!!ZXV}&#Ht*low0eJjFXj45H)tKBlO&C2ueTx zd^t2zrw|N{L7n1X$#FW$F}v#M`dHk0WA{WcuA4yX6*$N*ay=ulo6sfS=^cf=uHpA1 zaVbu`*5Y)yJzR9%aA@9iIZ@@;bD2pj>OBuQ-~MR*E0t{0y^-r>KZ+>ec1Q&L@m%=k z>+|yXWr%*a>_^y(xFu2n|EuMd) z^f_~S9kacF*}##*5$Vhw;3#6U4Up$5iL;w3>JcP-(fAbTR{Pgsm1w|3ZTU%azvOb& z6G_Vt#XK^$5Nk!?l-a=JY3hzRRrILbO;&od8_32icxemS^8oAqSSmKk_-y}4@5ko> z(|QZ8E#J%RHuUL5ZfE-(QRm@ux}T8aI`GQaq3Qc)H(&5Oe|(?&?+cVM z<;1Y$3F!5R6L4ZdQP`27XO+MiN(GZ4ZUOMA$LX;dFxK!14a?RD4r$5y%rM=iS@C^a zUf+a}WrYW%_xyA~AtU zRt&ftjc-ajQuPbRs_zMS{Y4vAY|dTls8z)&6L!#7(d=JFn4mOOGU=|tT-ZcO+jdzm zq8@!GL~@QKCAfD$)N(q4ag_F$c}a_HfUxxKHE$bt2<_*a=OaK+!IH90Y2zHP>MPF) zGg)6Bxtb7i2Pc-RtnF9gpStzl**fJRE(S_+K z$ryJ+dVzN2A)Krr*p+|l3`bmmC0X8i!JBT_7`ky+jc(P(_>Kz~BCtYz%Qac*Z&$7h zB5zH9y4I>>fM!uL?W#akynHN1b6MiVYL~GT(fJn7NCtF`_H|2J5u|^$l3v|;dlbKc z3WWtXReq{-a7zl2G2%4e8nM>$($}nch6cj}zX#5DHRxQEgl5k<>*0u>oHC@6zqlPs z@SS<8W*+Zl^r%J)edkrPBJ7NBj03BYtET)VkpjIDI5yHVL^usP2&HjV^MVf&i}Pj& zvXZmj_pu`!ZdN7G0ueW?o{^8BHpt;)#z>ZF zS4RPAo8QB$<|@m-GsQ~@&>T)sbRW@CB_i`DTT(VFp(VJ5cdZ;!=`YU1R32FOi+a-* zy9?wgUkn))2XEqq2bJl-CpijV{A-WU7lPwqc8NoaZ2u8sKJE;T-H{z$GlE`#p2tH; zX`~Bp&`fO1F%corTHlpKIC5tJ_=EDDQ5Od~Uvxw(!?Kgtr(y7CoNj)DLkW8`G{iQb`C&Z{uhLX04e7Qn~G(l;A=m`zIpW$Y%mgAxzu+jV5LibelKGKG zy?F8f&(F4%HnL`n5%P2*HyY_zMB|ic5DsXbo-Ifv*+6bhx<=huU2sR|L|?ESHfz1{!a%IoS=BhE+F8;W@& 
zTwtCgfGRG@lHebI^4ua@gogeV@j6w_-k$TvF){WVs|db0`h~F-_L6PTS_E#2b+_R6 zd$pc9S{FEB11mxn>!u{pNd#JgU&-`rRg=Q~djs>NCzb|A9M3w~bIWL(AcVnB>s2Z^k2k=7t-0 z5?PgfZ7Nf>y}VuyVc-S{Pr@N7p0J*D1PA?k{&1Wn%%covhOjF`mPHrL9%BD#r$s2- zoA@3UTyp2P6YP@$`kHL+d}*Eavq#S-O$gk(`69&+U!?fyixfl2#3g3Z?18R6?N+xO z&E)~Fd()|2F1^QFyY%Om>RK-?TTlGj@0l(C0v>M)ld@}m*n2;Y5M%=w99B^>0eo~$ zlQO-&&YC?gt&OX^@6i^$sl;sutJ+h){Oqr}2r_&TyRCO}YtnkX7+sq=nY_1s&dL{O zdR<2Kxm#YI%}-{x~{K-E_cw4xS+-}nv__#+AX4iM^I3{*1=s1mU|27fZ z0$OxY|8#H97O#A_-Y|2kwROL7WT?5{Z3O1RGu_^rX1m1-FMYNZy@~k!4ykrN4=*!^a@%JF_Wqh&^INe#$Ht#>048QO`3;NJW4oIh z8uuH=A#YCys+urIKTLnC818&5hBUW?W z$KLxgT^4K>QeY`(*FPzbY5}^wS517_Zy${6N+HQb%D^7eYWB>9N#OK?-wox>UlMtD zv!1X`&d+6~>&ts|*FLMacjHqk6nC#6U7usK)M*U)!4S@k)@)v%NJQ6i(5`zMpVjQ< z`))uqRm_g_eY*U#``u==p6lmR(qT{Qn-A=VO?LHX!<6TU5;xbe%|n>}=UtT%NzPmJW%);QZ ztXRKapX{IBpOAi_=U7Gj^2BHFyO8n7FLAL;2bSavLeC^wul8GV# zX|_!0M1rmDW~uUHQOwdlR%@z^+DjTNzFyhGATAbnl#=A~neL91#jR`NA7B-$L4h#z zlR3kbcGKN%o!*SzrXUx${!i|)Dy%q~dB*mW@ zmpQt_$$E2?dxr3`ZJHxTf5tzCHlTy>Mb zx>%28D|G*$)nnVGDu1RuS`Mn*mx&pbMU@H!^cm}Y&4_W|RLdk^v-8`&Ozp-~3*G%7%AuiK+Dpp@a zlYkbd3Lz|lU#4#ba|l&f@&>s$4dt@|cQ2{-J(JMvAGVs5;UKjn{|QUK5_8a z4qk{cr?m#HSap}IS_@tl-hV-Rd1xeiRYJ`t1-aNX>{$(-4T9)S$tfi;d55Tu_)-xS z8Dci1Mk)mK&ux5FWri#hW$>XO{71le$jdP88=VJHixZjPupjnq?kzAD^nFFGF&q?y zQ#r+E-0!MPf?&fB7D#Bf^rAzK979tOFedg_&V-MYxN+gbA!C;YG3BguM0KrU7~f*V zrg|-o(+b_!-2N|~Czyn4b{og{c&q??0+(-0G~cT+31|{cCl*EM=3O9|`8lk>S8R*L z4$0S-@?=^N6T2IhQ&96Tf4K}zn7{!-@{yM0(#cZ4Md)oErOD*?jq(OG7b^`WB#Oj_ z3Rz*I))}fxFO@AcHM->GEcO+NY3Tk)v87Z}4L^n@B)3w^FBepTVDklnU8$|EY?O<;D-(pytrIspya-(|`zd z^~acfqC-3R5urZkBSj(70Gr5-G6^y+&P08xvLC zm`X-kvel-DbBs7G*{)12b1gZ06`Y5>v(aEkpz`$%I(6w)oh1JRd?R28&iZb z@W+5;esJp0Sid)%%+YyQx}0%{ZB4usBwo>CY9};{9`$6I23=jw_8j~30Spud!xx1NID>rGG#LM;v$2d9RREytQT6!KXlGTswU)Tc z`)EtM?(K)m4d-HtpJl3MX}0r>r*00qNn@vu6?#uMs!Cuw7*^{f({|s;{ z0L_F9Y=`O8y=_mH>TPnoh<_fmgy?F<`MzpI_LM%)HFmyuE&D-L_3j>}bzaD~dgaqj z@mIb*DNX9S-?z_Z**_PLDwzp11NCFP?*|FO#6b_O4!bdzTwckYj)ycL=h=h}Mz^K> 
zU6kvt>q34e-Ywov_fe*?LU#UHBHoX8nwU*si)_lr;+vDHjn7Ur@ZFHt9t-So!HvY_ zpry0x3m$P~cV7OL7U-(CTfF{W74+P5$+XM#Y;QPoz3v|F^<-(?oQ(u{gNl^5?pL~9 zU$Tk2O7A!6`P&(49#{AEGagu-4Dqo?R4dHdtF^$>AkFP z_DpGh+^txs6E*Cq--6^HKpRJZ8_)q@2=F|+^kTOY{(<;zM*F-{_S{_w62i1KWJwh_ zp+NEZ^$F?21XAqr``E#(zl#QR*mb#M`3v*FYJmD(WkCM$({*qiiJBX5tsRDuzmlFi)RX$B;{0-IZKId@lR58 zYRM7<(28*h7xL$`g^i0d zZIpM#sE%I)PdChENIn-};G)HtR>WYAgo=39`+mHLJ`>Gw@{>+cV1>J%ED^a;U=&)a zK^2#sk*Y4=fgfWM`g?q-5@bO#b%Lj6l0AeYZ6qFdnsfWeWGF zsQEfWt8o$L*Z>dFd7)hWmYfBj(k0iVqA>e@%HI>%L&Bh6i1MMV&pa`TFVrQ7XMfSb zuB~oKT9Bi(4Fx5Bsl*PJ!Ca#~YKRvKI2&+#gj=IOdQUgmi<6^bUr!{DQ8x;W1+pa4 z4gEIUw1A}Q(nOi8*NVBi=Uo|JR|Key7prFO(v*c61E|%<>;YzmDU|$#ukM3Yo z!81S(EA=M*(~86OJc(Fn%sv(Y&04c+>DsswL)|#onqZq6x`d3Y8oGsA5B*)Av^alb zz{ya=l2!qQls-K`gR~uOB{<7h-2(a)qT)0NGhW7J-9r2T-BY#3p)6L&!dVpi4r(%% z4O;sQ8xi^&RG>zgoNtJ@r4GY+J(o>{@ZjZQ-ubVnHL215i98$}B#3@!0az^MIP}y@ zo#})w;rxsm2v(~s_L1FivOiLQ*sCm z@VX`TEs1$Oix)emX;TG%g%p~Jo$%Gv~VqIhEVso zM1gdyIN~A%;V$dATT)Gn;@>V^-)KRx-EUxSSsmEWGRy_g5cwjs`FM4n@cCm2*5hi8 zCYmXRV3IWrRBI_V<0a4#l+J1J-Bb_Qqz~J|h^U@s<^gkF@}xIEy10SV;I?UT(jL5C zJufBR?8jv_J}aNITAf&9=J^K-L>W~u#!EuVj^tL9#otg$Fo&b8$dawGbm5d_o2&15 z5=JAdxg>v)CE*9?{$xzHT4d%_N}AlGssmW*zc^z>gRXRW({ag3288j!fQ+ z`3CKdRNKr(rb>`r2j^}vc0uRR9zs_bBk8)KhSbbw-OlsG!+KhZAu)2bQq+@Grb)`I zsijIHo56u~M44ejK{zKfIxbUdjdgSlf|R>n#<>Iy&g_6_NF={~7JrC;}>+L&aC7;t(0tYBa9HuU=tu2#LX0{b7|_0W+sA6DieLq)Dijq}79D zm=IU3T45cV(!K64dG9!XQhIAtD>`&p1!?)a;~a{G(y>?zbt!;rVRjI*VM$2`<22Z% zSj->*(yJu(_Y?;jl~v&3;o8`=gO+~C4ZK57MQY*dV$$aGojhzUumn(5MeQ)|s`^+PAR~R*H=aDs3rWpk)hiMV z;PEtUva+A#)g;hoN=(t)H!o#7i?!*6KRsxz`WfMFH%!hiBJWju% z2u(8}<|(ATAAf;-5a{0y1c=Nqu+JfG=yU54;G~}Jbz_-n+j~cnFsl1{L9mY)lK*TZ zsb{-$k}b}yaqDHJu5aYqwURQson_0YszvRV9sYI{}w)O!QID-P4t{-N!+wII27$>`XgN*TFj0-r;*cn)dgm+iQK# z-HhcfMmPP-!0enV<_(?Ww9XbEho=_l?{6CvD~v>M>{9b7p#28zDyRLsHBOX`m+6gd zKdT+}oV6^T(~)bNw((uYhXB>q9==y-pW}wLrHI+y&U-PE7}vK`^sAh=9>1s8u;ff% zU^B3K6Wx84|KKC!53hE0PYH12vBuLdq}6i{ve*0FY=+UPj{gDWNRZd9)d!{H<8Nug 
zIp`{dV(%Wi&ySvl=r)Lo`TFxVOQ6NwrgP8~WK_%6wN-gs-8LOChQCW~*C^lBIrtg2 z;~KZ_<+V(JY;k!%p>36OspH@7XB7TRf~e_qVm>eD3o!SGV5=1PJ;vnctK?muS{&K{u0KpxhCV-MZh; zclJ-n>1WU?+b0%?m1={g$LSFe{=+U7I%UL|JJwec6d<_cC$%F0N~dm4$RuGHKAnZW zCovCrFI_`oS4%7}Q5K$ILub*f!~|b3!7DkA97p)>UZ*eFq*78Mnx-%gbj~Rk?G|RU zlNe7>g;|t=f;S2KcMg}^pk$Nsz3nGMfXj>JHw%MtBZ7j-^fQifIHE{S+#lB^>_=cI z5NWYlMadkF*|ttRH<-C1Ud<8-3AhFW1w{`T1<6yfWg{F;h7aB`|B7J{xGlfSF1jjB zM>k@XX%R0W(sh4p76^kP;zvO%Tq#1VOIHh+;X+W&ns947gCp#(_GJ@K(Iv{Y$IWGu zFW@2g)!o4J0hT^zrX`R*a-J+yPxLPXF<3NSN}OkgOZUsw5w2v`fEdNIT8=xFB4Rpp zX^L;(o$ZN5U<6hrl!3<_cDhM%D_ai;mG?`(9Fz%vu&3e?l}J~cKMK8Whkc8#cWE}? zg9(%jv;vL`A|p*nBrN(gv$PoJp71D0raE>gWD`RfR45oGKxPV7nIM|)FqPhgw20){ z?##0Vs!f?F*=N&f{YpB)+7KQ?LC}@U)muf63AvO2!{^!xd8mWWS7Bl@O-6<`^dPIC zY>dulKZz=9xh!_9* z_kHzy8|DlrZiWTQqD2&*)AHB>KO}m=LV6C@c+vzs4m7^TUsSKctVD!Yy4K&v#i9Jz zzc-4vsL$MSizD4OM^&{Y@lVM8}rMZ?I)js%wtdkEMHIUF%O z`0Xp*51g~yy6tiTRHWZ=tZSc0T2gps{qnAJK;P$7*mwN$pwB>J@Lm4=#Vk@8{w!#e z9i~+84dOJ-Fel+HW2s7I3emedROic9dXn}Xi_euTbcoD@ITi3xm!)`ZWYqY)eKUd1 zDaY{q7k}H(euYF0z*rLgO^2euS8bJTx8WcOR|~miEGxB&P;jLnk&Bcg7r2r256bJ% zo56f<^I!frQxLbBMqP#vrjJpOT~e@1O6lUeEXxy2pYur)$|{g?W*ff)`$h_d%7}xY zkz<2Gows<|C&6lwr=d-c5>a5z0D(>)N@@0%#*6uP+uykiW?n6dV_7WFv)K&tk09|) zV#@x)6D6;0^N$YWZ=KLm_q&)ndmSG+*f1ByaBRlIBOOw6mk~9>G1_z_CJOA39KYD2 zoamUInL!rfA>%kN^1eNwZ?{1nutXv5 z6GD$*QyZQq{{@GiZd7*g3P+WJ8k^xRx?-gx@$D3KOl=}#l{RI)24lm6veKf3R-QTj z?<8)sM59$WN+^6S+{T)(o>{`aW2+Gk{6Ya|w!$R_a*+fO2gh$-*@iG79qzq>#VDl z^RFp8<8ISNLi`U1{I_@7c_DlG(_`<&a^ZwrMy@Tef8uiWyGap43d@-}62Bx(qZa5& zx2_V*`{<-(?MynBmx}BMR#6Oq8UYkQz^=%6`RqQ6x}Y z($fvOl7A1oMCSX7ynAB*Z@JGElt2Z!zM`--ega*hW?yF+Z#!3g?mtEPS;T%)iuuBW z`a%7E;dTKa1)eA}s8Erm-Zj6NNyhd^zOZQlr}AOxLjlXw-mWj~ibdc?n)x`nqj1|e zZHHvi@w(icUzYvZn5tJWRlS7UGG?sY|XwKN|ff>1b|FtD!A?1 zw-`X-Y4>$0d(-o96ZUM=Eo@=LWTF3ah%x)AaegZiK~g{5-dE z{v{tSANu%qi`iv!KRu~;1cUPK67@+4bJ*XmD(7xJkfHUnxJir3qkrT#QXV0rqV{A<3F9zrA}k=Q-C+q=|Zlb7yz%n!Vy%Ew2j?_r#@* zw|!>y9gjEj=NbImO(Fp~O(Gx3p9Q1WgBNXbcOot*mOI0#{AcM$Ua2>B4_{9N@Go$N 
z21x2%62Gjl2OToI->ee!xE->~GYikQ_jXs5Zr&U@aZmSHN4m**9FRt|nHuhGCVDaJ ze+;zrS>Vie1bd$azY*&X`EB6?d=>+4M$M|AiJs4O-GcNlWmj|__QQZFgIjv9`%I&7 z8`eOj_{pn}72D%?%g0h2ZRf5MuFd^X*xZhz%F1l&)y>0YvzU%7EeHD}r32-u@^{>i z$zOnu7NGIbjeJY*v)hnb>~+V)AjA9Zfja4Hi$J9|vG-e6rk=+O?NOI(*J5iGN;^RE zy3Ol70pL}7?&eanZ4$=lyP`wh47>=7S$C=4Snb@NB57RP9Bct_`W^*vYroCNF?(EJ zo9;9m%RhBw-yG|#e(a-cbaQ{%yLnh0AsjN_fBNBrdM!Zx@n7Ga%*WRQ@C$oS_g8RV zXO=;E2w$V1Rz?XMpABE4b`QuK_}WYN%h2;guBwi&!~YYKSp&pvbr8%+R}PI)r=UQ^ z1F!CHlq;HGif|vU0LRXC)%wz=&sI@LJ`$4zr5aF|k%BJeGtF*N&b%!MIU$XZjN-fJ4e_xCXN%lionPS{y za}|WS!C>q|qatxrflGSSsgkVYp0a9Tp(oK$6O+HkBVxJ3YIew$!ENMT_h}dVU@Zj@ zTb)N24Ep-!0tIJU3N?bm(v5bw85~!4?-z!mLy@$YmKm2HM~iD%xe{g+!lbh_rbMvf zp=| zvWk*@yuMed&%_1rkO>Y_lq`;_{EF2HZ{}s>1MCZv} zIUzTS;dB&^b58<&w8mPf>@uknWN@5hJ?JvmqUe|DrmZj&MuSYjiAK$4rSv`P#BLZW zJ>_i}*^h5ZG!hdKeF_+zarLC?@|dEmXZY?Xp_oDsAJ$M_fgIi0T^waEYTbN74&of` zlD$bL^VR{YE~BvlBdF)el?vne%8-1MTv!77Hm+JQ3#ZNr;lGU8;A_#^;GiPg9pbAo z%XxMqCA;J^sC<_&0uX|vevcJ3ENL_=RV+g?l0_^dYpke9_Sb*slT-7oKTxu$<2|GP zO;47ZF4K~>yPuaU3H~E_R+dm$97a=-OvY!Ze^>n`ceCqpDD9>5W?hI}F})m=ehs*B z`|>O|ulUa?Fj&(LjzOnA!#MO8D(Nd#<{8jfue!nB#}g`WR)lmQG@5Xra6p@R426fqR zm|$M0I<3VLuZBCPiTY#+oPc)H><2`hPv$=9AHq~xYIH|Pohz4c!kXsHu{0rQC+qp5 z#NuqPbr~4lnHip97 z1L1!xIs0{}{@lT>)K1uPD4ui7l{Q;u4GtSZFgr9br|1YWW5URCEa$Ko>g<;&a~@?F z6IRuD^gUK<%r}Cj<<3KPdbrGHeN*7P_5F&ODmMQ*gMt2N6SxuQ}d z^**5xb5;l8Xj+l6>YP&__lxdby>`ZK`(1}t-^XZuT(A>|+35#w=hfrztZVVNH%)rY z-reO_>gjnX`o3*@!Qe3Y%?MVGT0D!t=bUM}b@O;d1KNAD-mWO77Ssi9BtTc|AJU)@ zPmlacW@4gs&oWot>$Bt79CoyJQ-{=3&I#Ph7$2I1{MEr}rS$AsFs$ZMliOvlt+)@mfE1)pyc*H8)tENO$9KyZtT8 z$v&O$sbNK!8Q?6f`~F;}owG*Sx?NnVl&Qbc^)P!%ATQ{*6{a08V*7f~46JhA5qV>r zx$apOUPrgOa$L{0>+YzyMG%_qu>Oa?f!fc$WNJ6lPQo|C_wn3I-@J96O2j8K+s!7o z)%k1<|vk6(jhW&gQgXOBNZNHLh?e)3~c%RoU zjd1|-+NAy$d4&WwKu8(opm(j2-aPhQ zjM$|>F^;_8p-q$PQK}a@luC4h-vueS61ps6C7sMFjkn{fjSkzu3V!{uvn1?~VKO>x zdU_Kz+k&&mDz;Tu(j(unp(vIZQBRrlpKljuRGrkoG0$eqBsR%BhS<8$(O4C)SHDgs zeeN&8Ch*L36=~oEB0LZEVya2&389xI!-Yr;m`0=KiPfYofxO79D}+CqW62n3Sa#$TGfx 
zvUW(Ea|2A97=xHQ2lS{*e_%z-{i8-~$~ecNRdg7FV0KgTWoS{_B&Jb#!JeeLLvi5Q zLNJBviJzjPlq1-V3@)G@3z?b|sY-TPr3@)$QObhKnv?KpJpLa3Z03M)>0=*a(r^nk zP?Rwa^3EA(6CMDv@Egjwi6PJwqo5b6LXW)gmwHyX2z| zt8&zRcSE-2x4$dux493cA3Ha_h_!H{v6<|jUp%+R{?Co}IRKGsc?w8k95C@cIxzEa zKky%-tbadsxCY}`w55{&xua0)B^!_Vqe`a+sg`H$+WCq?m15SXSJSiyjL~aO(tH-j zH3uv-3pDC)v$^v`BgoM8p}F6lG5tgN$bm9F1&QT4IhK^0Vn%a}9Gw|54@e#txO7x@ zMN)<(`7~h5e;m+q4y0;IQ#D(5#e>KhLP|oSy3q*~Z2}k)oSmW^6Rm5ekDSZ9`>IG4r%xUo zvMo}=6-)df!|}1k>&`lmq^&E{V>G34*xgZ5#~p^bRCyv2$hYgmlFSe3?9FLpzDcV) zmSjA|S*OTD$X$2{G(;+cnnCgu^gdrpV{#e#AQ36+Yw5SxkG0oa&=oA~`)`r9S@=C? z3Jwex?}{#H%P8bA}*)Y^=NTJdKc-B4#XmTS9SfG&&v( z(dsu<#vnJoq`0f}s9;IXVzX1-Cb@Jl%lIvaW_&!P_1PmDHG_Y)c!#6WzRU7l2sR9M zBO*}+XeJz%GJC8ODMNhu&am|gW2JoHal40(q%7L4vW>$`@ZEX z_dfutP#hex235x?z@lmd+i@=h%+L?TBndnyE(F6UPN%+c5*&eHY`BXIldhV6$GX0!C z`^?M*ZQ8Z8OZQ&S5y5W9+5*gH%?RCQQ*%9h-c+>)rhz&)OD4TPjM8Cu`0QH~Kb<$4 z_Yh$H+&Az$dpp2B8=r(quUbxKQ~gdKlk*;5YygCpOwYH5Q)<(ImQ@P)qrl;*BAm69@QX5XMHIx=@R(I>lN;ST{s8W3mn4Wk9=HGgt z%Mm*Rg3|5Yu0~#$*N|05zmDUFRp0LYz1Xe0egwdqLG8-MZ2sgm{-yIx=WuGF9N2 z`>yeU(qZrja4#+%|3PQc9#~D41hYr~bJQ05(NMh)7Ji#hsVaSrS8;~YaGK6DLUxJB za*A^!ehx#nRrZu9dLb|CxXrlpfMys5?1e|Ek`yXKty_?_eB54&yAmF{W(>Z1{ru=M zgQS_>X8!w)&h$8?ly4qcwDVud^+gLhq$S;m6)nkzv}u>UKVx}C{L{yX!RM$S^L4*e zzn2EEc>>Z5^cr{`svgQTYFy|Szl}z9Ory_D;qmq_d($V%q6@o`t2m|S^~2(|#?1YW zPC7GhXRVPSRh++jR#-t-qNs^QbnV%ZrN0D=gQ#MRrEzG~pGGT3J0JUyf!t6Lm?nCi~ihWqV5SCVX9# zPa$^_l42UmfpsCIli>^!)*_IB8IEF1xnGmnwlr+}m7+wBM5$7a<)Ps=7jCt$2LDYf znR@9?dwH|YXqVNf@9MLTlr#bn zPn`x(_s7l%0@PZ2dh_7RXOIu@-7KIap zR56hszPt9o30@nvzXk;s9Yr(2N zNUjr2{Q>T@zdhxY3QG&wx`e!CC?{V&FmIJZmHBt{@2LnR-lT$eW6S~wtUh|H0*svOROkwBc4(jrTNA-n=*jXI}88nsW^ z$%v`jT+)XW(Jo{KanoXl)gUjYNu&?aYO_iX-O5xM%hf@?|BSr?0VM4rd*JE#ZGDW{ zu>YTsaNGKEG074_=Ea9M*3@iYOX_)Gkc66&rqJ2XjAV=nS|0NfRMJ&8%ZR1sbI|$6 z4kdNkF<|_}?+R2>%Gg99*)puoPe|Lae^I7)wN#!&-l0{nP?2}KG^Csm&k-;wG9C)n z@NHd$eK9mCLfe#HaFcr@$}HA$(6b>oB#GY6YIvM7zGYesnjRJPG7@Q{8j%p<&hr;o zXb>BwmrPT| zEEz~4N;5F*wFsozf3w5}J2*xDp3$+STj_IpAu%|R;qaOdSyqBV&7xiR+2F+H1e2DfN 
zKb<}uDg|!8n!6Apm;vOp(4S6Umf`(=d0!AqiW`WrNP_uk_ms;{($VfKSN6mGeSsMq z_S$(JyWB0u>taBJU}3R!3yAx$%cow0+IwoS-O`z@IKa3+A)WFmyT8yZzj^bT7!#Va zfFHT(#`J7`*|*gT+O-h3ZTXyNUk1F|Um(_DP|Ch_#4T0RA86;Lba+ zEpyD>mZytxB2G_8aCd)28h2CWf1EtRVgpt@o}(u|rqA`Zj-l-Lvs>G)q(-SneFzq>k}U6o!4#aaWD262(0aP z@fEC}H?*7jJaj=EKKFjuMAp9Qy?iO{>VE0~ZfOj{e-#;CW zJ9umw*YgKLM_a1)+GeS!JDh&Y`veZ=xIUYUrv{W7VtplneS9#!$3+Ts?DRNT^}9a8`{TBnnvCI(D}^r8dwi1cb4dh{)8beWSJG zK{oy9`o!G$405hnPoH0|mVbjVVqtd!Jx444w#TU0b1rekybDRIovP$m4mWeE2zD7} zxsBQEF2F|#QZ1>qY#v_niNt$#q_Kib{URHd5xCGv!=J+@buh3wL#R__u+Hk;Gxjg$e^Cc>>RZ4Oh+7!#2rwuD^(rFWBdINwKe=K}!t55u z1LK4n$yu7+Nmb4VZvQ+abH~dT;%+KM`QR@Q^g$jYQ>{5-#L&bn_^_A_z2WiTiEM zVPdq9&GNn(atP;&FhfE4^CU`-IaJ+o!1>*(&LrIj&*BwfX+?q4uE14NOvsbzzKbyh zHJodo0iAa1D$G*9F)Gz(bFgDfF$&g~T@j^ew?3IsxIi;hxP6?Pm^W|xX)MAXA;aGu z*ygCKID9$jwGVtC;C;V-n*o(&eE>jd7rYZ}(PITemL1jNGf1{8AWhA31`YovO|7E3 z<(M**%a+K-J>4DBQJ{YY$4_h5lFKZk5m_4xkzoWuJUUwx1oNc7x3v~wYb4f~AWsrp z`4jpUDO|51D#JR(rhJ76MLeHUW|-hS214s;SR}lJBQxnTd6t~v&RlTHfjC!%`Gh~# z_7fDNK2mjY!)Rv)QAyK|#X?S@L}k8e&4zxFDN5)FCjxy)s22)tLqWy*2v@v0resL8 z(6))eSk-w)wd(>&w)dgq&8tdhZH|r5G1N<6HGes zsEA*Vgi5fE=I`_{*~EKrvI4aFY~7_!@2@SL9fcN9z##g%~rXoUQc-mZ&p;r5FYX@ZPd`9Wt44Rv~W@UC@quJ z3Pu&5#X`O=>ickzmEOw!Kf$`HNU#*On#Iu+Z?4KWJU;abGTqu7>t(_^rP0)bIgPs8 zD@B!GE?#k3B()(3poqs7r5MZz7kdTRgAj$gvO3AcRI6B`jENIU+%VkU zv~(EoTrY(imlPkopemxD+z`~98n-UUyDC(m!Sd8AyfUnkH3JVjlkG4ogPS*yZDT@i z$Nr($UlJyoF_v%3VS;SdB+zz3wD=}h1r{*|i!y7l{8t`5EXfD&M1%hpUEfYvL>nB0nkWk%{Jx@tqpVr|X zaN?)gBU_DwME+Cwhue$(6k6RcUmfz-y6+QqNJ-yeVfN3ry==P~`fdc@zCM7h{9o6r z_p~NE9^V;VHt#2x^W+b9zhnCLml-dwZeKU9t2AZ5mS=p&`y5$)ufw^Om)I~i_e+v= z+^tff*9?FA`?jrmC#kxo_0rRi3$6FOU_Q{56@SNV<#EAG*_0Mwp-K%P)!gTh!V8PCCaGp{CIt+V*MF;KyMcT({dN`h1mk`_5vjL8!>^_%+Mi zJ5$WZ=WhA5ogjSxAO}<5E7j+86M(qpsegCJ(nHqs+LzAL_(l?)=er_r1|{y>I9>@b zZQxXY+UECpJEm%CeO0v$Ucv0~u{-J8)GV)`=yBZv>11Iuyyi0B+4A=~sma%4`y9I3 z=;`XaLUx~4N_#seVAr1XeC%$c*SBmrnep>pc67&E{X7b^-|~Acg0gAs-~DvG`Ov%Q zGuGESm8ZVI>3--omJTcvzF~dU>}y_{f{G<>zx*JJ-wB zb3r%obDC~&&*$RG4 
z|F6(5``bsdtVp2#$ZPqRa?S~VX77}tH?O5kh5jtC_Tg&M&{Qqs*e2HUi+r*=Ftd%) zT(WZbv#a*@?Q1~vpShD-x>ygT`4e!s=QyA1wl44EQyJ=O$vNNu{9pOWbt_4wMbN{S zk=M2BZ-{Arcj4@^ic}{z1xDDdGpKXu93H@CYT`nXqNUddh!!f}RL~bWj1-`kRHF2x z*6|SRcp*e0gg2QS)`w`K%(b6JdZ0_7wNn5zy}^lD^R(Kf@z*<8p;;MDsFDgTJNa{f zOns~$J8l(c_(N!rX=JMc0m3K^W5BCI*%N4hi>#W2QJxj-8?o|f%c`H0*jxpbfD`29 z=vHIhJ=#VU8n(_LxuHV=j;yMBhn^|%o(i7C;RD@fnRDERJt;U7cN(bTaRo62dv@+- zg$TK3bKo(R4+)5D^4~&nnSJnlRjND^2%*Lwl+gTD*`bM%M@*u`%zZQwR=b`H&<&1g z<4fdXtdcb0WlesWR}(?@6hhcnV^$41txz&>_1Ko6LyEk1@X%HAD+bGWkXqGYBVoLe znPIv8Vv;;kuc0tt;lFW9#$eY8wU0?fz0^3m;gH1_(o|BE7QPX`{t)#X_KZxT7s$Ny z=76p=!+bhC=jP3ra!(%;O2qOpgK2Z?{gUA&;&ey~R$b+UlxP!*A)Uh)a?Ro?4RZb@ z57H`mB;^_v-KmMctspFnEet;yFmU3F8nQ4C6SL_kg!Abvjsr$vgvC_=Vf~`p(4j#B zpg3D5Es`q}14>#XRx}AXh#!OX=t6O#BIBeZW-@*Ggvs?x8F^;oyJa(~P|5eQSn{k? z4s>Wt2Y+>bK>22kv;Jcgz+OxIU4>>Rg_~~hM!ZIl8f?QJb|ungn;IsWVp^isN9@y= zYBGN?E=o(XJU7ljWH!O~GdNFj7FG~p#4ZxMFmc2EuZ^H#3JZJ581#htlv|3M;Cn-=S6 zJv)QJwH2w+OkEkYaMyvSoNz_DgxWpHpg0;u6*80|82TiZ<@CdOlUC(UK=QdkNLM1n z)O7v`JHx8FVP{-kze@;}n(#oxvY&$$?LKFJ6P3Qcky=9WB0Jp0TIez1S%fkgpj3{ESXhCvWzw;)xOp| zQTemNVzpjr8hD`cv2zi7R>&KX987E**WgsgHw{@@KQ|)WWfEHq4}x|krg8c#9040+ zRkiT5Jf45Wbq|9>MA>+ffg}+M0K&rdX_PLQ(5jOf}ZL`UqlgL2J0~ z|LjcxNPNn`hnAR`MWD{#+qtomp0{@bv}`^a@W_E#{_k)qACtd65X>L$++QK7p8=dy z;c!O>=)4rTX|Jy5Jx$Bb+p4pdclz1lu6KEzn%})YzIZu-$!YuTw0d6(z32kRbACnN zpno{mJI2ZGVYjXwdEsM2xd8_BlDtrNhO_VSZTOfaW6%2>zM<1S!asbS>;9;7 zS~%O8!2=8qo!C+6xt-g$t?yUiyh=~=-5$zDabG<|Q>#sU?oEH^s~;PXR@8K(vYysU zH%$I$AFprO>5geWJNOn07c}wv8QFdIr#<>v*ELe=zkc0hZ>-C2@xH|8+W<&Dr#0zq zSYJXWr*P2JINl9y9xth$)X|SJ+NkqwSU$Q92A(c(gxA>PeR`ee$HeJabUJ;v&N?aL z{5+aR&X-m$Nt(uW>3{floy=Cp_uNguEnck9 zu$+wc$wlKi?2mtp)=m03&XvorzMpQyFHGvjZ{0L=@@rkUb25F64bKtS?L4nTUEn;e zyj`W0ZgI`1+4*|4SNpY0Tcl#Lc~U#yS&Q3x-oswHeo)*%QBTlx0JJNu?fq^_qGvjfqVl_Z`l73On{S`9x7B^#4xf{= z393`mt!uhG?s^`8&F`bD>F-bPYn*2;ww3N;1X~)NZ+K6{XXnP@^mL@edp#}OJ5OBu zYS}hlcV^+Ww{zQ=C#~Ip;(-eO%>^~TC(~`9`~i?%7x=*W0SsXN`u-yQOTVD(?>Pb7 
z>OipR4KQ)KRz^#qVEsQ|;n94(U*!+E)xbne-lSDe-rdQDW`PgjWG5utZS2`=2`RM# z_0EuQ^fcl*^74LwRlGtZG+cKB6o!~Ccb`KE2Anv>TI6lZ&ukvEDkHqX{nq#;Um zdV*B7Y^X>X=0Yl@0EU!Z`Rq3#k`)(0WD;)GWWyndFT1Wp3ac^YS2oxbDx+|w1>v{% zL6w%%?O(b!nH06KKr!>RJG9WLDOg*@o1wLkDnqAHhKCxd%D}{u@z6A;O~<-pax-RA zUPjzc4~++J_{uoNe{IrsloxV>2%f?fK@dhP#MXx1JX5X{5m4m5b=1U`-Khaoid?A| z2N6WWa)K{mYAKVL0V=KBh!NKntaL3081X{56WLc*-E5K&8q)~TfrW?w^?dLu^Cb^CZ79MWGuEVtcprSAXlbdQCOzg;RNYQ9$Xt|2?U08WLa5e z1(IV`dQJkpgsH&|_%-dGWMs;Re`LBfP~qH4Mhuz6NV+9TwzDH3Re&IAg%ql!JU-ry zx=4421$RVEwN@EqRlm%sG29QpL$Q#!u`EYwiHeFc*XxG3aRIjh{=><`|3?2)ypgoI zbJT&%U)M|jv1>o*e>D*rw(|ZmHx*vtcGUYJ=GC#5mdSSTz>+C!BU)FYIWZnlW&^>o z{-hXjCfq{`tJ)*gXwWW>*b)JH1$mVzyAD-@zf;XgRBb)_IMjCU!)mS?{ieoKkEV>9 z;l!d8m6&V7Y{)r7h9V0tZ8kd#mJ2(=(eiUNBXEQ~BjV-nwnn4x;7laBe91a7#PWm| zdX<=uCm}10nDXGL>PIlub!(7c;MB<|A32B*HOa`B2sh5a?yBW-h2mThEm!<<6X61a zjWkHA+p5c3zXYT3;#i-7W)2@m!5Ok`8v$6B<}NyV4LVj0N1-Y0#&`rW=yJAO%5Uc2 z^)ASiG0-#1R~I)GZx8gFmyHZOLR!pmfhYWe`%1I5%BaXwe{Wzuy+aXw6A|@M(S8$>gD;R$mIi@<$_nBt(tH>^UuPn;=_o6=-H@)PQaY`+qNR41r>9XGtl@c0dyw7EEBxMjPjS5- zAF4wHH@#D>nAJ_Kdd8*SXp7x6f*hwkYxdGGan9(xyRpmcw)MS40-Cm|?QDClmvgwQ~_MIy}mo5Bh`hutJEoqb(Z>_rSuJfgdoV)edHl8oxyh%Nc z)iX6i)`N6u`?g`Sa6gy*mr4!3#sC!h{M%8#nI4b5On2Ik;nYr^HaK9@BawXW$0T+; zl74Hv_f8k_K3msQ2iOkJe%#_he7E3ca{K3~GU6|M$1l-k@xG3DarL}5x2t#5ZxUA` zQs%;bs@nQTmF%{LX{_lwaK(QaYy|)X)HK}ASJSci?GTwyANGgG>*_(kBDKlv#P9XA zan`;yE?!qp*BW#aU~mWdSh!C@O(@>wy3bHWIQ7iu>zY5LRd_W__k4xShEzVz$&?cKbj zNJWRF=jS+?!ind1awb~!tp%K-x9k+O_tLdq$6^8vKFniy>2*&xo7{XYucnmS*zA0~ zW1X-4{0h-uJSq7c5U_azbw2;q+TrjxO?F2EKDQC;k2#C zAo$+C4k+;8r>eo6q>1;H^o9Cu++dmzaw;b+O_m6^NOx61DbuuUq#r?Vn*8-=<4?&_&Gr>^{ZhcU zshCrYRS|<)KvrJis;UqovqAgfupu$&*MMO`5*j8kYfB#soM>JC=t)fjD@JpDfeSQp zkd{&{4z!jb^lVo39cXg&IatRx>Wfu~kSZ!_&NeZb>q%0T&ahN&T?n4WHm$1*n{iC5 zK{r(#GEor{JfX5u6gk*QsDMLB1 zJ4n_nf{-gpPRNqFR-io8KP4MvS#w6oJLa?f`elWt;2&(4f8?NlGhE8l{V5{x`W>yw z3VpqpB?Xem~51l$q2zI&mA4GtJmm*C<0HN%*fI zX?QZ%R5JMT1?wORMyq7z4`|$6^4vVQeV`C0L@vaF3Xzgf9$R zxKlQ&P-t`6Y;=Rx+u}muc$m-(M4&I&sQP_AME%m=mpoj^JL7 
zOSOy)oU>m7a-C_T=Eu_F&b+O-$EGw6ltioZ61bIu)V0w554K*q?LM4W} zy~pyeAb1Lrcd)y=}YI@L50{bE$ZxP6c6RA2e2QsqIApE62)>oE5A<`=!%-xyXeW!1G6DVqWGMu zHXQ~R73d!4qEe6N$@2fWwoCHl#PFcsa_Jyd9@DTDR<@_m@p* zcIlscTB6H{!^ngQ7TT3m5*4S940#bju>e|eQinfBkuG5_i{t1dtXNYf3`yP2{Majs z8BWmpz{e77#WLV0PWXX=AvA+Hqe<-Y-}H4o5cl{H%Zq7?}EI0Sh9?McYWa z_R%y|nzbZaWm`?P7P9uS<#{2BN0fEY!k1P7q3~HEn(mjMY1`7L2`kwTw>ilI+u0C^ zNA18BzgK^q)J$uZhXfw1u zW61e3ot0W_WN#3xY>T1gYFe>OC=&=kQp+si4n~zmTtm51V1BIad5&X%}J)u#_Bd>^Jz;rWKmu#=*icu(EH5HFS?x zNO%aXN`+Eusr*M8c}twzC3xTvEzbpnoNU2Vj;fPGAFR@4r-HpE0WFL*B;7p1EX=~} zf3mL)3o7Q9@fAG%y&%WD69r-sey8_${F69>4jfPflYmV?LVgh-(Jlm#@N$C>c=C7P zy7Mf=ozY@|;)`u_Q_|Pr9L~SfFju)w(;wMqdHO+4^KM#pCLcJuHDh--%n7EP^U|+f zT|9DgFXTD|XXjx7DA(I&?QLoSl&Qm7Px&1m3cG1srXm$A)=fy`HMI9g+$?*u_hz*p zJg+^ZCEEENeW|N|{_SCZzRn?W_j3Sx42gby{fm3FRR8kKmwoPjENd~ZYuy;>ZO`CY zS~t!fm>IM2KZ8xz*}e2$mK@HE-h4F#EPuG~AN##NYfId+~KX@iO=kI}aPqe*PcY^8H_AH#-l5g44g(kfuA@ z>@f#zw|VYQyl3)uK6YKt=G^6e5%}EQyHERH0`OWtZ?j)##%F}&`91oM_dRaR5xt+{ z`2p5%xxve;j(~3a&eN9hqI6w*8mE80!CQZhOJ@>PQ(ya4XAjc+?jGUdvugt;VVvVV zoSvv7U#PvOd9A8>zab;b#BFw`+b-i{>NfRHdBIz4Ut_A-HT74L(l!3XfDO)zIbB4ct-0nu6!r2X`BBk_(Yk2@1ERSvi(l%yiDkPtVQ3K6Hs3I zqT!m4nfJL=&fQDc?Jj2aJpZpJTi12gB9-ig&3^0TF4g1qlKbTI+Pt&-OpqP#b3~-I zqg`41*}*%toGuyTV**gUY5eUi1FC-k^8iqCWWA^SuQFdiy8VmS_~n_~b$`u*&%Jk~ z{*ieNhYAZW?a!+3_f-jq?8MIpbWAxbrC#U_jWnQ70m@*E`zx>{T6L5f7|2SP%?~g} z+<_<<3m0ZTJ1-FvsVYrrgoX;5(QLR9%N%pVr?7ZgG*zrfQXF5J@lZh?VF;^k6vLnx zgCo^*ieHv-L94n)pO)-H+9uT?3Zld`s7;-jcv|qN$fTVp_2iB#j@KWknsDO9QJ`8X z{OK3q&$Q*p1rh9b=mq=8B(Hu$J3jPMN|18dG|;JJq4c9+Bj@~e(2#P56b5F?;rPf< zMAHeYQKelwyOoHkkvP69$X)f9Z-OWbZMhsz*kO!Z#o(x5uwMmtB#*1L z6c?VC#4~rW?AA}4&hLX&Vf@Prs-dln!!~3zG@^0e93rVF zvcl`qT*pFCv40FVs32+bR;2-R1u$`P_J#?V`*F)mt^CyQ&HsNJfhodf~zzM>KERZTXepoi~kGox@l5a0j9WcnR*C*MV@Dyu>E4#GF zm}Q(jD9&opUxW*{!NQpE1w2L}vSbDE$f4&7MpZYR*|jc(RX7dFzT7d278TVsYyD7%uff9pfSMGt}5b@)VvGMJ9>6%n1ZcdA(loe)X9q!BDI=; zxlgnhP9ocAO@$1(^-mgCLJG@~!tD+jbqcn|XgQ^@L`0Ih9?}?-Rx=W{$ZlZLRNPR3 
z^VYmL4;d92xWZU4UFD+A;2y>{qJRV!<)DfX3PrVj4$1bNXk7emOz28)odX>rM!4%<+cthed^EKaJ~Bg<44Lxs}%~@ z11$T5Yhk^yg%Dj;@+_9l>N|E%^DK?E7`j?B94B2v6dxv9pJnwK>vy~F2aGsmsxr?o z1&URF2ZMcQJKtLEQ=IF;MM*+nv$n!$Qk9)bmcdDmhdemuKS(;$!L{_(U%Vk8agOk4 z3hQMVHzIMS3>!troa54zy-{)d(cAHlSVi+vKDPtvy>&>09_Zg~@TNW^2Q|ioAqslp| z5GS#*NsdQiY>YW2*|2rvE5#-|sE@v9XMEBO=T6$zwN0!6BnVPE?>pMSIE6BP>U;-|HVzAl~rWTUiQ#~0O~*5gQd zdk@h1`>rK??_0MPzcC5|ytngIYJ0z@tOxw_ny!oTnEHN2B%jY|iSGx#c*fT?*qMG) zsj6p{`{H$^ZL7QGb1t5);gq?PfWtmC*)FR|$LQKLJ@5G+Rl0k=C=LRhBZA*$HjejtT6uOQ!xep>iM5oKjLlAaY^wU zzy(qpU`qa&dOoxlIM#U5g>^j5eKwV?gl$jjwfE7W*uQQnI%HxT7k^<2DCs(}&vkUZ>0ZGy*E6ZF}=u^6$ne)b*N=f44r} zeL;PG^@zUoeAL_T^D8-ZZR*o$?4`n`>Fp);>eYY2VWwSg?S`%7tzTAE=l`+p{F2MA zVdh^|c(@F|?(TZ0nASP`2L{`_Rk*+laP#PXXyr`i^gH8ps}DIy_SWlphLUfyOJ&ys zEWxF=uxq`j;{aWh%`0;q z`Jg3CzaN&KxM|pAAM5?Ih4w`5y?d|j>g>pXyXApnQSN~A?(24b-o5qe z=!;r!_c!zOkD1AF|F=Z<0H8ilfSGr| z8`7RQV2Dlm$mi*KZ=uiRKv!|GP*{9V5pYodn*Th0#@`45v+RZ5EG05Qj}jP(IqnbI zY-c3XUKJ~&FFLOTGNvRTZ;r5#S_mD;-MoUcYgC*4Qm%GlI>U|BEtbKYZytT z{eT``fw82vP8%zvkW!Y+r^T8~LV2_t>K09f#1tzepK6*?gog0Yi8v)zi5!JtU8^As ziGYpqAgAwyYFo_)Sg%kIu&G;75*cCh%v2f^Q^PMU))O$_kmD;=#q~DquOB_K{O2Vr^&i2fG5nw|~nU1=gx$V>uK81+ybt_d9LEDyOevctKOTfjD zu{~2=Ae|hf5zn-IN7wyW(`?9B`VV0UQxl4krkTueR5W+h~5d{z3F8%9GGK8xGn+&{Vw zD;%46RIsYtOK4ivQ)LsJ#c`kP7%b>pv~p68-{kUTMN(CDY#9n?EKgx}*4WmvXuLEO zXXIBeh(@esg`eyB4PuFI9rx!wBP^pU!#xAxtAJ^G zTNUtG-+PvJ;J@$xKFx~4W9RR0ifXDX#?sG%QKmQi$Cx4*PMoc=#t0)Tdb7)4+QmB) zWRoPN%F5_U4C)bp9;&USnSs|CEbNn&Mcg%&mGL6=>JR+H*5#-!9UVA$S5Wh-l%G~; zwjX*BH_rkM!s4>vNy2D%RB2Pq8Hx(mhP5$g963gc0TRVaDtXhxZ{TYo&Q;VeI=loA ztWe8ahH<9jvBM4^AoW)=@>DGpEM+U&Rvm?^oi=S~pte(okTxPlX2`KzgQKb3oGi&= zT#yq8wr-TI#EY_&16^UQ!d^e(eyTj7X5h%|OHIQ<8+e6x*)3V4l2>ZOaD*~1*;(Ae z%>Enc$wiysiV~{T$}6H4Da^mdYS&A03eTmya=ibc0s?~mO&)E%npwCE$zTfsCYf0R zoq?6NEXJlrQa^eWZmuRQc7Zt~!*Iv5QZh71%)fg?-Ni#Sz?>x6)+QyenA0UPTc@(y z&lXwOOjqKCL#^Nc{z34q$#$kLOAD}$?V{Y+k{rN$K}q=bh6fx=dIzYpAd8O=l3tNR zc@dEutuiUuh4|VOG>eQ2ixLyLcwzAj@8=Mba{igOI>|cAnf%cmVQ9K$Q#yd3Jah1O 
zw3H>q4dux%qZF3}Z!IYU{bLO_$(4z+?iedmq!N0CDoi~^5tp(}R@N{XLpPjx+au`U zkYUd1XX0h-W)I65G!a%yF57Yi;T#4zmt|)hK5BgC z@TQR3dOmojHLM(loudJ?T!)x2X46>j`iV~~yk8mRdO4vs-t!bAxvryy_Bprf#{9nS zy~5AE9i2zY);!PJ$L~#SoCoyk2`iE#eH2?AYbuZBN7p>!>y1TXi9J^SNR z$1G~Ba-XH1uPx%&O`lnqc&@Xy;yY~yVq{NJC=#yZckpHK&KT`vsA(QB9Y(s}nDFB#k! z3vhM5uRk93%<*@)Uf5R#4tjgK&Ir;?)p$=zH}iKg{nw}|947LCE4pn)K#zY`-P}9c z+q=u&mH6h`c*o?YwYJZjgnuz|yx-9Ix9)FU<7)Kq2|hl*%5}ZI^6h6>x1b0(yw^tD z{0?)Imvv0s%yKvA4Cwjy6Ova}pSCIdyWj9{ZWbHW{hm;VxaQYhlX>Gco*Sz1$FJt~ zKF4+AvuPY>n4;bEecj{T<^1mg^YOe7&8mH$AFZ|PAr7m)Ae#vC+fE=;x7hS9qWJS% z4u5O+_{=e#__RJmozJBEHMf1=vAN`T4|mUBdtAjyxKIwa@z=3h@K}}}RK3^+zLu4f zeZ8kU^LIVA&xoQWS?&8Wz|`N^J@M))ACHgW?6+$rHsYnJPIm5 z*`&lFw6kTPb?Rg3NU2wkY}yl1#?i7-6Lt95>2UaHAVX9oQ@M)kH-2E} z=v$elHprRGx-`bS_7|m|l?O# zNv|e=9gz@)JOi&#rY8o;SAR^wmzh%u8?Sr0(oI^lS6%p>b89d07w)sO!idybst)0~ z-cGuuKL^MrwoHW~p{m7ba=1xTRuvhEOce_^%^2q9T)n+auXl$I3fv}*G9HFc(`Ep* ziFXDB5qmLMSqi=?L=`;;S%ks*FUuC>;;<;}Ie0RL%e&t!%nntq{7C7Ltc;9*1OP@1 ztt8xWnllz41~aI+SpiEHLowPcW(jfHlEFvhi6W;VG%-~yqtPXKvXD{#;;my9ld6p6 zOEIEVUC3ad%$T*)p*WlSjj8xq?&;<- z&5nPhY>;dT-x0~1D?4aWiJKImf_~N`Sjwh=TVoWrq3ZDokLHAw8?oWA$>?CuwIGUC zQH{27G2ul|C#V`hERot9sb3tC{&X3Z;G}E=6<3#-UBLO?bXthpmgY#AthyPDld-WG zDl`y}7)3`Ur$I&O#)u)zQa>ufj>Q%T^I+YExS=%fQ4A{}Eixp(@ zR#)t;MPi4Haq-G7|IHU`E>NN>4~)S?8*zax`>F$qDBktv0);Q~KjH_KC8?9&R^Ir@ zMQAyI6oP<@&wQX6KMTPkTp-emt2lG8P*ns4b8U_?*m}!fODCfIUvFno8P@VT($a!@ z&PntXonXjO?_UNeZA;UXa~Kth)G+KvY8aE)5_Hq!q%gk}LB(yYR4}?z(u6-e(o>}0 z_C&G}o9q;8o)pyFoBmusyXc9NVNSk>?UwdAB0O)MvvhMA%26W=G0PV#(CLevFNCGm z3k?1|H1r3*Xg;(6qvO9HLRrBRmE^Y;3{_z}#vY3rt42KrQ916@G2MhhF-e#Xq-1*xw#i|?JNv}W zr405VKP{9)x(v}MP;8aXtRJ9=mRYmI!e3nyB13AFV-e`EfAxPwdINmtxduoRLln^ftuH{_9-LdE_gxTr zk=SkO?5KDh*S*?o;4)vZAcl9<-K4a;$?{GiVAUDPwqtaj+s1X<3Z2(i2~`H_?&7^>-r=I#ryDOudjbRyvcw3=l=0DiguZ{)_a0g9=K0%^T+p! 
z1he=4^2W{EWeL4$7FJv57qT-Zzs=Bi-XRsz&C~Q7t{)*F{HgJzZO6kg^f}w#HrM&s z+*{Y9Y+co%gs{&hF&hb7kAHG`Gno z-E+5Y7(V(C=vmQq5JrtG4Y;0re)mU0Tt8ZG`SN&>s;#|feR-MFZS!R_f1`dF3TN}b z+*^9y@fms2mzq}UTWDJaq?PA+7=sy%P*4nw=y#hhQ%y|vym5T(w%NS{&ivP318`3K z7$)hS=AXsavva@ax$j}6@xHFftZ96f!NKf2;ynf*a4k!0uS>h*$8cMb?Q-vN#ql$= ze#g`oUCl4(-KEbOd-W?bJMPJC%iWhR628&Z$Ch<^?GIpWAO0@{Z&USxy52_%;#ZAx zJ^M3l9VeN4*M@gp3#&mg6gj$jt?V3UroL_B?0(+7M@iFh=_P;0Xj?Uyw9;(}UcaUZ zBu=&?rliPwN`OFWp#RKQ@IU4c|DL*6>@P4?Mp$~_>Sy`Sy9Sm$JQx%v*e`Sd)Ytc5 z+TZ1AhulYOU}!QZ^5YSUCI|Qr?ufrEJ6YMKbx&>3#MZ`C+jtp5g9bMxQ!ZGfNQN%? z*@j(MgeN0UuC;<3N|sQ?G7EbxL_3ILKbA)|O@KXJRuL`R?k^-fOLD2?WKr%fsh@>3 z7eP0KvfI<{jdlyQ82D5)@q9Tl=GeodAcK{mNa5*)4C3}%o7;31~+q((jn#kMIs zacfgTsnOG8aG0w&-HBa}=EOtj@Y0NH<<>nKv-Kk^q0jeIx@~gJN>_TO_1A`|7^4&= zUoVGw6dqbFv7H(;{CcejA9_}xN`~jUM)Vqj{6%FHS>}bzQGw-ZunY4kAvNj?TM8vg zUEgFxmRPKvqbwBkNV*`sYMNiLE*fdOD;(rJuF77{B{>>jfUHURW6WL!80!{@YZooL zWRXeMGMvtwHU9jmhh+<)KzFma8|xf6%D>lS=4vm)2C5aps3%(%Ie9|YAhs!N>`W%FMyh1#cG z!3M5l>?fM3@EZG4u1HA*Qo<^zvD^lObexEB4)WAxm0D$Kc562EvIC>AeI~7BkgO#} zjhYt7zp0Bd#Va*JTr^%!YU(G#rMb0k772#h3c*L&9&8E2jw8RbjK*$Nn~Y1WPz^R0 z-~|1J)><<5c!k|dWu7nSxy%;e<}Xfn7OF235});3)xYSqU37N&fv$6RP~W5y_W#VN zZ~IF$y*KeUl#KrEzM%vtiGoX6vn*GPCjU(_K?kcz|GjPCeZS;H)mwqSxp_$bw_b1hpIEN)|N%(dd!$3&E6v{7pq%#xl4K_4%U$|00R zzW?qh4O`Vuxt0Kie7)-%fUd#z=fQYksKH7(v`gpvuC6C>ph|-s`LBU3I}LJ3-S#a8 z3M|U}xnPcb(K*2%!RI0gAW$#!?Ntckwb)Xo)MsbVsh5K&=e(d7X+#Xg&>*}6mYJ=07!j|EW^1g(x>~; zYT3!bdJ_z6&o&#^E>JexT@o)YQYS;qeNp!e`iqi;`lO$!3-FxN^#XX4qL$M#;~*#O zK`P9gCil8rf}}Wq=cz*^d(I-kRjy=rLgM4vH73&cIkc$*h8&BB(8U7!Otsg4-CG~2 zb&e4!Ffszh|8Fn*YiB4i0$Er{Vj|EV)yt_K~BRg%n5g)}p zUzFASZx}vYZ9gq^)-Q%VZl{}mdnZR1zdeJ@tl>=a&;QWRR{tJ^a;`M2h2whwi5|C~ zgCD~0((1BT1&>90NRApSD@ zSzgP_aUWlL7Phdb&E(rCe#H3s-Y_cN4Y5DJouM?@BQ9IzCHOhN%t)zLJ0<)j?OA2L zTkfp$I==t5qMdhO%6vUvB8=pc%O$)-`IhUZwH;g&q?LwEcbK1BJbrh$_&1T#oBr8`)Jg&iczcJDDzEDkH(18CEfPXaoRi0?yKjiB`p+1AL0Rk=w?u>u5 z{|!lRud@>6*PNU%@r7kw7I^ssYWW73Hi}x1P8UN$Ur#D6262;?_(Gxzn66;Wyl_P> zT4*DEmZ};pPsKl@$~~f`vR&FvJiz 
z1&e+T$`LqCrW)Eyyl4_np+h$zQR)??1=LFsqEDd94^>EZCcA353@VhiW@Z`)x~)PN znX$t*3Pu_$>_-CY^|pPC&cIQm6{xsU6$~W5Ls~F!5Rv z1+|QOaf?WLHAdZ_tp~@-_$1t+dx=j|WGe;cq>*@4<&GZ}@Q^~9(Kn2n^Kevg(jpco zyI==uvu>Vg{w9#63Q8t(2Oh{P@K-Df{?&u3;@hCb;8N_)oE9X z0iX6LjyiI~O^Ij7>}$w7CK9bejVZQ_ZWI?LOq`({{O59(IMs5Qw!tD*zhV5O$nuCY z#3YAE?ZXPD%2lu&1Te8&oJm^@vS1l5EtzTa{g;*nFrg|(|{HKwnM&(i<#v8Kjekk^e zZ$@Fl1AOv`>jk>8DBB^5)Pz>D=Hy#eZRXCw#4*)+Gkwff3%QGMG1=8Bfsca=i4CeZ z#xhZjmJR%9A1!i(77HPiT3a3a3$l2@RIYyr6Ezpk$ZJ>G$(Nw-p=7dgexT_zKRrs& zgz%)*8l=V6_<}b90Eq0oLUhjL#Qp)5mGo!7^xCVOiNJOOs0+r2K!hvOc;|! zr(cQID3qv~rURdG>zh|*%-cNm`}P!gR`4m0Q-J~p6EOOb7g7$d@re!jQ*5_$vrth* z&<~q5C3M;0402ZaT`LFyKrJ{$y7}yw5#M-(4*D!S$<8CINrtm>(D5@poZ`LI(D@nT za?LTKG(cFV-#hfiaAZfEo(Wmv*0bQa!*_jtG~blIy`>V%q%cc0l(8<$7P{rN0bNW(nMoRibKUocOZJw;_1IYYDoDc}^VG76@elcGNCzmvf!h?}opuwsLl# z2gH%sR|6i-aU-e?7&_zXvwYS|XqZB3@5jxU*PP$(JUs30mzpOFQ`=0z!J&LgaR z#IGOHX!;FCb|wsd|Act_yo zUNF1~zMeI>xNjIfW^d`ENlcz|@;EofY_FPgoZ{Gg3~`+9cDR={%}b0S^iPs_J+E?c zy?a8CV;fbDr@uSgM#W_o^SWD||5ddQy@nWo?W!>^?Jj*+evYS1={yGav>s=zRR1IA zo7Q?w-ZJ6?pPl(KYi96yoL8r)FKM(^!m(0hpdkP{QzOz* zttF^-+ujiOpvjiLTQm8Gpa#@)@Z>!YnnZArWAe)B26 zy=8`=p95DJ3z{fQ%}E&pTeudNpW)jdl;ZvT79okR?JKbP$+|=qlI8AGSw*We{_h1; znc-0=E~%&Yv$2Q@pe@pz)=wSl6d6)u^O(}vgORosdiVXLChnc_X|n}?!b`?Y`mGX5 z#Q(J^PsDBp!ZjR5967hC{q%S5jQvTZYb#4LQj)bV-N9NGD=LZpMv)(mjnT12neRug zSFWyVLzz;Q%%kcZBU>SOEgeLSo-UEEfW=yE+%J==f?qo8-fvxPZE@{bbdpmq1Y{H7 zBvIngD||l^J65g=rf#J5`?KUjjxN7O+a|O4eI^y-^WuHz!)2=u7)6xNqufOaeZZ#*T#_!rS5( z*(+{#U9r0YNp*ZLxg~g_ykmo>(8<%dZ1pF?y+u?`#HvPgA@+?Bgq#TPR7?SB`ThK% zF%ERS`8-)X=LBsA*0c{wAuKE~aoEGtJ3LF8a7RfYmTbUKtNHSEzy4o|H1=#hZ}&mn zAgg8j;#onPXbBI8J-0T+FWUAFvbe-R1VUPFw7N1ST<#cRHOz#QwL_ya{FL2r>$q&F z8l~7Q^v0MQe+NhT=|#(wWh8Wtu_Eg3UB#qO_CF~dl=BJ%*jRI{T}Vbm{Pz)m`<^7k zwu;_IE~A39Q)y9#d|6J%oH8DrSHiC}8cjQ7WBmV(gjJQ`RvPqtWc>_50>M*$KtykS zVwxO_QiO@ks%kIiqTnG5dMw_uxp9?tlP-@*(E-N41aeAC( zsSwMWA2kv8z1F1{Q2Y0hbxG0wp^UM7#LeW0%_S>jjTt51Q&>zt^U~1-6LVc1tm%$_ z_2QUSfYlp92abt-N5gjKB~S4C+AD!iyBj$%A~KE@MiH%3sdm>O(S#5_P?=LUW%he? 
zdbhfs;s_Jl;d7_gAfW~#ZA(xr-=_=zssjy5=sni1nzVXtz8X0?Y_A29GPvYy>homT zC3XhZw_=Ppdw-I)k92+o9;iRY%&i?!_&iQnc1 zzH?IIIs{^IDR&1SEV(HaWb!y1o#f%4W#s4n?}(_y`78@!d56!1KuehRkUs88Cj|vu z;~?4RI#@snV~{`C0!;SN4~T~-TSL55az|w9U58bGy>7$PR>c+n>(FH9gwXK^Cfd5w z=pb6pMKY%QbCT!Cmc!nCE${p0*4lo1-bTm9AfU&!yIG%aH^4<9yVJv~8-5)Ve6g&+ z(ciqSe?K#Q>HSdMssC|m?Qr$9B(70A6t^B#>+yl%z@*V}z1U}Vl^eP3^Y{UH+gaEa z>K@P7`f6eDIJUkvPJhw)AhmwsehCxT({hM^N3cHOj+ zRd6Y))>UYlgBGm5)2z6@yTIW zn(E`76hMv7Xq33c$Egh;pkpWc$)n5a+{|F*`T6yX-?&0qBwrclev)!|1p|IW9SKs*uKF7QM{%x1(SgBIL z<)8G+3(CQ$&IWR$C=L&JV!q`<_UJ0Ldvm0x;RIIF-s>_uhr|cmK*eQ1uwgN|c%^Nn zB4r`ZcP8?3p~9*A&RqS*sS9r8;9Z_w=6_jW`d1q#@ZKT>eAqS1s#$E)dA&a1$O$tC zdV}xY9OChFLFdKa{9fx(JZgdN&%A5I^c!{mET=kpo-R`WFB9?>gz#PHlWPvE`)S*8 zUBIGqh2mJD$LdaVy_@wr{q@Jp?RP%_7Tv{}kXcPMt{!))l zk7oc$R`o&r-7Z0?op`#sO(SNti?jh@RVWcE+EsfI(WH6UmNRLLF9_}0Dg+Drnad-t zzu93>MDv)iVGE2Gc&+qoVvt23Dv?TVS9pymC5-O-i1*I1(aQH?n+g#rVx{tSgcXJW zx^-h@{^pkg&$cHD2@_*Zzj7T@RHHVU$v#;;P9g|uleRD3&W`ct4Ui(UjnNp6e-BP~GI!1-K zGY}t2%SXJVB9O{5P-q zJiS*WI@=7*y*h7}S4|4ZCm4Ds;CpYmOZ>HvGz2T8clOvRoWAtlHF_{Q)HKUwm|0X{ zIzXFj4(F%iLHABTDH{G~HRMy=BDwzb16d|K-yaPoYjbwr7#?rZMdBY!IMlYkI@Ed? 
ze|J7?8=h?dWj94L7jb-QHxiBQb0JQ^otMDB=hu%bg6UXda$t2`J*JP-2 zIX=A1GGxgLRBF>@pyQ-+$DGTKNKzJeh%$8GyM1_jlR8jN(mxvZb8+zO(!FUdKiM9W zrh?L7!gS+&sfNt~$_zDS?e^se5pG-CC+P}Z8!Db}ap?IPCHU+xnpnzZZazsDjw=BL zs#1*F`?@{SV;s0O;<6OkEbM9*aC!wx-tJBzb4bIwnvE4x5Ln-G1~W=IGy z!k;*z+ZR#gQ2TfCPnn>$rECZ80RaNae~e_Mz^(fy7?WzGD|!kFEMC&9;IrVr}Y?b$1*~K=LP?6%3;)>@3fYiNO+u% zuX`DvwDy~~ZF`Pnc61=Ft-5WV`@$jflw6J*$haD$?!hGRrv4frlzoN~1`LG5?ErLB zPdK!)x;uZ|qgC-mPQ_jU>yIG!zBx@UNfLWK49a|ao=`aqi}QKAzE-Jl+2ga= z8L#%f&CUDJ6S&|1z%liFeAZ~>db7QLKI>!z?^WptJ&&VY^*D`N4JYCPT?RJ#vwLoE zt9*04=gzXO8ZPDD>|Cq$*3H>GM&A>;^u4zs1hJkYr?fne5nn=neeJO;%)NS@JkMHz z@GF4v=G=?U)cSWz{hx$7-`o~q%w9?fHMVrzo(!0jd0%4UV&C5lJR~YWCjS$ix_TEf zPzT!`f%5)uWcfQa6Ppk(IN;W2%4nY*!B^HE8*FK1J%?=0> z9?jN=a5Jyb?bXImXEIcMZDIGN<&S zL{^3amLhpA_kou$h+qD)({^AIA51vDn!7{>aATFloMi{xS3G>CRQIte@Tc$CkJ&#k zL!c+bI2eixRk#LNNJe--+y4Di4ZFAl15{b{HnkJ*Zv4(DwpeumHbXMxgB`J@g+>V?m-{ur6Ps{t7I zQF55n3_WWR-X(dvjR>TMH>#2L7IH$BXt0SfZGtst2X#D-u6&D!52A?yVUz3?5{x$f zp3$Zrdn<9-ZGkG@<4{!&2SQk=pPOLt{bWMkCW^wj!~zbwQx%&jOE(>kZ=+Q_`YG{* zjp*?f+!9-{@#44}&BxC^SE6_ekCH^lx5`tw*tVLPAamuQI4|l>5_`cG1XhyH-k+mz z)GFoDutq12eNEk=Jg^>}>gd{nnGmZ8)3)r@q#S#-Lbp3UQ0}uUD;G_=6FoWruf-nrHcVi`@VYT0VqQLiG4 zIBhj7N##`0&Nbqo`-*188a0S908K{jg1-7~Jfv!QqEC96qV6c1__L$NxUo0aEWQjS z0ty?PI%R@LI#i+gii&ZOB$eowDkv%EDpQd{7UAQtQ%mkY)u6w9CRy&R?aP7DD{W-q<4b zSuwNrDYp%*sbo^K?5{J{@?j;*W!!z}8t2uD(5|e@qUGPE)Ci47?)&FP=pu{+S!8n1 zafrSEj~Q$KQQL@yUPd2+*ga^m^EY$2O=L`F=ypP0$g;4K`R8orfZANWUb*N4;Y)@~ z;}VW)72eUQhkEXoFRm0}Cp-+%7}Pf+=D6jb<48r&CdS_pvfeEO^k$ERVyXVo&NofB7u`y*7{7h z9X`rR8Lp2&#R!KRUUhMcN6mG%_;+b%ZE`F40t#!MNp4T@()az<0sI$iVRY8hKFoqJzosGbSFwc1zF2y}W4Lb>;_F2J0XA)9I&XsK+joB@bELYnyhSAywxZJA8$aAoL z0+zaFUWn^wjE!5>SQjS}Lrb3F<*L)e)TIu_i%p)GS0wDFItf&qRV6p>TO&t~PQ{A_ z_=SG|>>MYRStuf4joj#}O7C1KveqI}L!o{%0@U~?tO2j9MNWMfTE(WwO;^dDCv2Dc z=~c8bF+8&3mkAHy`8}(a(mXNM`XyRHE-~l0Wl6Xf^yHIx3zE4p>(|K4pC^n;fBtap zeiB^>i_&7c9E!B%_}cvk{kvvyUCFd8UFZr4##otnYGO0ogp6s+66%+FJ8GU{yynQQ 
zvM-93_2Zd_PhgWP!G4m`n&5zW(XXFHuNZ?BiRv=d{6Af$E>+#uc;#zx)pNYgkKrMFSbUz=w$JA%PmtmqE+Zd|>!6LyUm% z$q%v<5Tb+z@7b94DeSfX+xE6~%=wgk2^Y6hYoo@BUnP7?hL|M3+l_c*&HBY@>tpA| zeji!IkMoAG*zJ#UnWYmD>2`?NyflqJKyaGtPT>39NtLDHIdS>n8qk~nU_Wk-p&hqZg zE8oUTgR|*ny#}71D;Z|$5qQA+<;8rVHx~VT zRVQbBTRQHeZaahU^7kU!6Xci1xK3oGfGL2xA#aCTP*BRW&&6e5{tbPYjKikYM$b`! zk8F+a)$JxN@IVqN>UOw6=XcBFbgFW#uhi4!USZ{v=3NmISKE2TE1Qkr?S$6&x8|R` zfToT?`V+kv;#vUE4yZtw(w8;S>_?aLxHXjb*L`NLR^Q##xqaht9kcd*cls%5S$?~W z6QZ*MeO{a9nY*uM)>FH@GP*ehfSG-AwdX%&S3nKb01m}Kw#=+)R+8zw-y@@vz}NF} z4S~nI`==Vu!7axJK9G2;CKsa+hSLE2Yh$N=;`WCEACb#Skh!4B!a+dlwM}H)@eGDgos3KV;xiUgD4|5_2_3zk09sn5#r^2s)!@n7sT4sznO}4?#59Q*4D={okGqy1gBZXJYdZe@c z2V}#)faHfFb_mVF2?zw*GMpfqdfSmEq11CJ-rBbHAJS; z%+!r6OXTU&dUGlZd4twoTQz*#kbr27u)Emn@>^{g8DYWAg#%+m|35WUKA@QZE$B2w zW(T-f6s@yAA+V}>^8XCELL^1gN$o1t;RN?lBE?}H3_lTFqugb zu4k%Q)M|F&OlhQB1NX|t1Dz@P#WuH+nwtP zS4}pESZKqHh*t3$lM^n{=qbpf0=4<5D4hJqrAEuw+@n;qM>#V;|5_)dFV`h*(K40g zx)0SDsu*p{mT07+kIDQ^W~I?@>$PAJl|8pSRs{!V#l7smD*?r14#lL@Uzk0g)ZA8t z!eQOycpM&d_bt!p*x{dzrAr07iUBBWcj?`I2^ZJ39O|f+18ghsgVA(#51lSldO1V`U4$l=J>PXj<}ewVqCih zS)+^9(3{s1m6BDoS~OFmQ7zJcQnr7hkX(tS(*ExiVIhC%XGeKqpTX>SJS;@&(|auu zlqQjHj%&B~Z^hZ)C3evnIKHzR>`0q5O=wb9Q_F4Ao*6He5K^n2vKY7gU}&W1A&5AH zgU5ZwP-M6^iNhEKwB$ZN9g6ML(i`S4*6*q_G2#EDy7Khn#EZT8O&7qjMOU3B zF$Q@Y9WRT?X@Q-Z7I_;z`{;{had9dy!tr}(F3vjam?aHqTyqXl(s!OmPyRCZ%+rMV zP|=FoyZ#Eb%o<_4(3!QC9~DNu!FVz7Kv9eZ*hneb5|ib13E`OVV78rKeAcaP!|Kg>Z#hyoL5c`swqB^FVT4Bd6v{lCKiRPpoHA0e=43V|j|Ev#nzFZy z;vsOT13wE+tO<_9(+V1tm&_x4ieofCaBV*dCRn7I+*`T)(%yAC!)O-jWR7R?|AslJ z6Amh9d+1&0JA}dcragrF1kQHv|Csi>djlwcmNH~PH7N(Qfh~BQKHR}*uZ%0;pgtCU z-%*L>nBb(5(ojp2YBoAa_}U*;GITv{X*M=e1YqK7TLMgxpzm>d>7Tz z9tT*soU*Y$T@^Cu4DDHBCfQ`wY%s%(d`=iYO!cy=j#BXO^Ek;G7huL)C~Dhn3`?2z zyyn@P_=%{H^B9&BkDZWY4y-#~Td!?9;W!p}Jj*b`1a?}(A_lD#0 z`~mE`H#t7jr~J;1evn=e-KLB?dQkisrVX>(X6IB~{2oVdH~dC;ih*E_t;JuDnT;oV z?T=uSEzUQP$v@s&hu59My#5j819i&G*QQ&*UROP*`$?X# zsy(#xjkh_B#6f`5q9>>4;00_0X{&ky??B|e-4M7Z^``a$?8IJ>`!baShNWvC-)$ot6snnEG)KL^tH9G1N|3WEBwp2V@cim6P1_!>t 
zMbDQkTqGt^l(ME5MQ7559%O=8W{GdwaoFjUa+2eZMZTNwB@$j&X_z1v=bVb##Xi1L z_9iuVpB{Nzo!fU}9q7POT?KpyanqP@ zdN2hc=inunYl%+yMr?BW7Nx4IA#d!;=taRrLYsEm)-A)BF8dbv_?TTyDM#c$`$4rI zb5;o7GMbf$%VJ{KL%5x1i0bvp$PhVGXwk_#sw!T42L@Cwz2 z6uR=y2aignP@eo@nhA*IW~uHv_x`qn)gj+ysgFaJ|GaSRHrspU^vN1Ie|+RUcea8p z0#Y-<_j$0q=5mpfQn2_a#8@zO_Q4&ZQiY{L1YEO?UQxV&m6TgNP(ToBL1}ia#uL>XPwM%2l!c8jzb?qNshbBSxNSfyW?1>7)n-oC^tmo>js$IU$#Z!*VB7Gj9`zM z){^pSwR1P!RTLBAXH=W?dyhi1x@Vr96{e5o6QpAg)9E6N2%d8cZ=y0B!gOn4^?oU6 zlpj+xt6rJOnrK@>Ck{N8@eKVeO&m$o%tK)iYHFv7kDnrI9qj(KvY*E2yNEl|sdUBE zA2Uj^Q|`x#{Q}^h;K*g_MO_X`|JPug#4)jN5D&HWx8_U5hr_Dl#|KH;KU(Fpu zMb?#)FQ5$ROxDRWzPWW&%i=mj&()h!y(d;v8KX!)W-wfgVeH;|OAK}}2z_&ImT%1? zQm!ztlOj^2;$@vstE=EXD?RyR%1y3(A|+804yzPWoZ(5jFozF2A^wi6Vn`=Yl`!cp zi`8r`Zd(O~tXob!+NG56M_TX1uwS{yEE;5+TNS%8lRW#04rQaP!0MrDJrirVJ}-@@ zf#RqWC>==liB>Kmv|JW<)lYdm^raVz$Le*vT^3_9lnKpfQXh~Ql`av+=@@U_mI7s9 zC+{7dUe*x|{n>VhGJ|DxMBK7KzxTI9vU8P=2JY0U#V0Gcc=P{`4-FLP(7$FMFz zkU)GH_oF`U65N1E5D@1Mdf*?H(Bg2wh0x6Qi^7@Cju3a~Kg!(94<4{NmBf4scG z)GX$3ebD&y0qR{o>H=-3Pp`v!UU9eh!p7>RJ}VsQ|Ap+So#Z$4t+CBDJ+$XJq(eFS9KnTqHfm z3mW#1uaMi$2wCdQxQISXuSb)^2DdE%8=kA`YyDY0bsIYH?w24S4q;FI{yHv5spp=} zaWt-xPZwojoA0bx4t15z$;3Fwm#fn~LQdgjb)25ad!zJ<_`Mrc0a#Gyei%^G&+T5l zY89?I&Uu29QD?YCJot-LyLHKVzn12{(n3JwxA^)5y1vty60nS$Qqj;$d>$kjp5zgN zo&~-nwdz}iEVk?{{eCU1)(}K}-p{s({g|hHa?!9C0G)ECZG!vA^6UXe`y()1+deN$ z`ZlLXsU*OUmpFwnV(`Fe&-U5M?5NJ;^1AI3+IITg32fzKp1=!yk7F6y!O#0b&c82n z*@8A)_Zm^Yqj%utXRurzI7t+eOJqClfxL+ZHzeE_uF3`p&wf7d@JD8xgU7dDagS-h zMPS*#3jpqi&SN1bL30zby$iYl3)~R^HKexrW57yFvs%?g4w*P0g>0bsQ>g@&vsZ!) 
zc5`NaKU75Npi=-db+|XH%0JCoxsHgn-e09>Z4w^bGPkQGHK^?K7V%9s&>&0EWSbPc zrhx!DO=JH`Y4f>Xp@(8@1e$*1fxc)*1ZC?q*CHEN)`dTEzNi#C4b#us5{}>*!=Ux1 z<6zj*Pp5Sl3#2g+;4={MZ4IcI@Dsi@i?}G`J^T}ml?lA)6^CY0p1@cqafRynBvm$_ z^oF@i<7i8XeQS$-sXX5m`{dJ1C+I}jtY5H|dct3DpCdLIXtObc+nd~1W(bFlQ8HS9 zSpa2Dc$iJq+N3Q%VEuF1?kJHV_*83U|5xx*g=G}$kWs4=HD$Bf#0gBJMIh-8lPJ$0_jDWI;Cky?iZf3VTe`Z0J`a@AG4BF9s1^ko3-Ysy}8b!YUk8&KSNe> z9qLRxoWPt50m858eI?0|NzLlkLhHY)3LV7VEY93z*KB)P0Ewk?_|qzq4rZFn7_I797>{OtK4DBLb))$Cy?4E z)kuGvp&_POzIaH?Me{(c^Orl3Zaue-_+ZIvNk)`F(c>}CdT!enOYHqJX-}4K5np4c zxjRq}ZCRiwrd6EVJmHi|@A_<>AC0OcKN&e`yQqqI!!9g!-FvEf9?ReKgZ2JIn~MQ| zQY1=&rT5FX60z3g%HiTjB^3-c+*#Z`5Xo3>=(6KA*Di;IGUUz}b_Dop5&QTB?RoPq z4_4dy=xy3mr#S(H}RidOI(lEBe(q zm6H}eXLy1>$(VIkm&ll&bcFX$5-HX+h13Yezjo^~XAsQ0ri$XlXURJklJA|?kJGR* z(hL{FyD68Y1bbo(A=LbPXs{2T{Yf}d64+$Vd#DZ}faIfU5KvGLlV2O!iZEu3p|U43 zIMPzf%7<(7N(YO!_J{AoX>rnP!7+crv?0LgYMB{^X@x^Ai}=EYjuKK3J+%aEDx;+g zncWx6PM?uB^>_N4Yt!@#eSr-&v#-Pd)7K_MwFzm#^$XS8WC|MWIhWN0W3$R;q5-ZM z^;Hg?MOWtX*3MN4KRhI4+PV1nU$IEUhU`P6WqQ9}Ar)Xa|0>?GjW`uRVc>AAtXk$j z;DtLo&ZLplCRLw~gEfGLfxMe_2e*R|ljX#lc{-7=o8t5meIXntx{HXSDqk-PmvE;S zu`E)Iy9OgQ3ty!bMHMHC#-JY~n{V%&1T5?K8B6luS%tlhG&$o_-bBmLbS`Bmg=r4q zMdl^~b;O1w96CefZR9?6Lb2#k|H(>XPvfHAl6efW8gtSVG11XZh6z(TIz0j?GwxrO z%G(~{wroq@CS{rCUK~)5dZB~HD@7`bDs<{el#HWhd`!ni9=2~()l0-Uu65)v6gpP+Jvs$$Y3k3u3O*=LuUf{Gm1#OME4{UL=UGIsVS8 zdZvxI_|h3nrv7f`VQI$*QPbrhYo0Yl0e)44!w~J6wmJ}23SkgE0y-_JRt(bp5v}pJ z6m@}%GOx4z?>GV6knVtA;2gn;;3D%g0Hj6?Ty`5qBO`{jN30|uM} zHr$2=ld+@+lMzwW0~)~>w9ub!Ca6JKJ~gf%6gl@Ui(BIwC^)`yjbL=19)2KmsXN-% zi_1genNLh}4QgUm(9_2y+x{Yj;OyNSc<;b*3BR?r@~Tnn?Fa^!M^o!CF>B}XD~(WN z-;bUF8(eqlShrU_^HiHvG2S~le<=@>6G|)lK2svN1-;>`=woI+=<=DsS zIdj8X2tASCmKDhb@^JAy4!|X$-!D*r>*?SDuGLSS_o_w5;YG!|KF5N@b$GWkyFIIE zzER1$@ovg{_pXqW_xdi(zUv#ihVRYEY8t&uT#R>^f!l-5vTxhG1Fr9##+eLPRom3Y zst!ciYq(2oxvuRAy@2Kg(AIIE4;tD%ga+SFFsh#HwZRLF9xarxIxvf8Qh1N*o0C9Nc=cl}^XrGjhcxSI8^^E?$- z&r@$w&O6hmN8M20PrPQAd4k)HX_%;8`tMHS-RIF}MLNv9&Vx5bGtD%-J*#b?pzG68 
zfM2>G{p)7FLY^boMq}e;=WRM~v*#5p<2_NMHK))+xG$g}SPI)?eKn0z1S z!ZxrnHFA2m|89oqwB#ZUHuLuHJAhX&3e~xB|S4xfVZ2#z1O%P_yO}h@bZrjSa5*MrU=DzB=lkH zG5}q$lr%eA-l^qf`Vt%g36%ZyfdE5lVUL`r*ca8QHv(T2nhf6nd!aiEjho*RDq>|` zf+Z;Dg_-BcX1|t*;ArNU@Iw&GRhl#2kf={z)GkDk zsF3yKQ&RpC`k+(#tS}bw`bs*D57Ux}ICCL_5_&Ai{V&RKnQab7pX#@-{4mpNc2mGg zMV#Z$y?@4t=8u~taNTL3bgzrGdk0UxGYH>Pp3Arg8?~8fAU>O7d8|4!U-UhaW?Xj# zq#a~X`X6lCXOygq>TpEGBqzl`h|r~pzX;NXdkNXc0q={LJTXQNOgohC7}rAgm`aMr zu}gnGLbXVqa4MmP;tdpkc3Wsge9v7zAN)y8CfuKFIb1b>RXVCGk%hIEs-zl{9pQ9v zKRA?)Y$%L{GX!WrF~n;Q<6L9!m!DqXSGO1`QpQ^%)MGn8eMcO5*lju!`L2gGY(mgq338TfL0-6&+h5cttko+-g}!a7n4LqOi6V2_n3q9^qKvbO zD=!WFv+%e@PGW~q`!Xv}ETJFAK zqK%heCt4*jEKyI?t^T+_6+o99E#NE>vtlXhkKY&`&>oUal4ZI$^qrGh630uP4@sf3&S&u~ZdkAp! zhIaqI3t6E__!tb?tb%09pfBzLQeQoOqnZzI3W_Pj5?wc~hx(I#EPLUK_pD7%S`H;x;nrE7#Ylr!Ov4WUQ{p_R zs4ByZoUEeWfKD7+THvo(_aa08Rn1`4Z z+Nh-|UTQ!>AWp?nVgLi;%HoPL?lhQNV4<>c?~y@46x}8ggM_$_<}A5SpNMz^{X)nJ#zOiW1O1fEdFSuGD#dK9XuGg8%mP$;U2-(@zMyNOW0-=C3C%_t%NPg z@Kz1wke0n6)s@g8*PGN%x02~!xj;2zLXkvRQ#XugUc;0p82`RaFrw@e{iNeeD(SB~ zE(OOumys>@v}WI++NZ*r9P5UADo;R+CDRBC@5UDsJ2$&ennd5hkVyK)g7up#^-m(a zhKre)h^9QWCTmu*I*JU+b?E^`Uz=BBoc?~)x`qSpl_Y$6dezpm=|BgF=6FSQ+ z@IEi&b$gi=qED*f--KR{-ot{wu!IzmV!aN31c7qEJOA0fO4+2O$N@Ky?Yr^!l(VPf z6r^Tr-bo{&reM0Sk@jY&H<7|8uSQ2hj?=`!#luQJ){L=V-&^>B#-#^lRLP+rktH?c$y!q5TY? 
z=I`icn2@nYtcZf=MR?j2Nglh+CHXb1#965LBWP!K+F8g8q2ng@O;8iqHh(E--*4cW z=6!yeb|vH&!ZU!-qs2%DdM-lj_%K}E23eu)#B+6M*fx(JuK(`XxR7a|&+ERqRDn1P z;Qad=gG=rAHk1$`N&98s)Kjgm<(15)xS$T*s!dJ%e$sN4oX(Zo z5IJ)i&JK0wr`79)DFVVO&F!mwpQ(Ub zn)m2YC)!9=Z!d2DUEz}k*z|P1W&F}_m^_Y(OWy)zOHS8<+r^!CW5eP-250q`{{B7T zQFvjgAkw4^UHM*K^C8!2rQ=l+;g+yHbkDmVEFN?7EMF&+pX}j$p=SJ<*$IV@3 zG&BEk@DUGM_uJIT;n>6O_|YAW&~xSf$=N{xP1E?uMQCSU7h%25T|wcN_enifs;A-p zL+b0k^VJ7v>PY_zR7VRsiyvQYM*ICN`gF&({4xmpMg;29Gj-gikjxveuFezKg6A>4 z%st@kB+>U`!2&z>Dnz?XWxDM;On+IblkXlCdMd!3?mE5n$o2NTaf{pd7+@3PdEUVU zboQ|Dq}u}iM;$}{{ixoz&0hh2|5qHVeS&eGgJi>gDB(wpfb0+KO8_^ zLR_T-+1c=`u;*YL=6JAY%WkR(v4`Q8o44FlDIT|8noPCg@ z45_3IbDEIaol*m^lNR5jQaFl9SKJkO4t)cAmJEv%ooD%4Q$^JPb!ZM=%(Xk5Bf zRYKo6MKvQ7S-GnhV#nXD3Fgm%2@-0Fzt&_b1y|fy#WdmngxuyuBP3gkFwm@2L{N8t zzH0$bOST{vGIMQA4qJvYqAisdy^U>~e#2_~9Kpl>j!Su7#Ge2vLbw)*o%F|=j5Pg8 z;6i?cgr}!*NT!<|jF6@}sx-xHC{9Vot|KNsLDTp%FFH_ELoQkv5vtC$MA@(ib^DC# zH`jU{G@ZS_C;)^nxbWzYz&4svcit`+FVXmXn{CZbce8w?q$<2=4#=D zN!Abv?a@j>hF>Vv`Gd0c>8J#W$KlaS49hX9pE9eyu8e8!L8ui~__7XZ^4SLLT;)Pap_Cy{d$0(Nj-B*|?m`lDMM%P0 zMygdOPI63|qLY?=unTr;c1X8(c!VjW7Me16zD+gK`>OqPMt0a@19fcQ*saRr>X;NA zt23i;?lS&yNy;Kp#t9fS|pOUWb({`q@0vQb4Gt~pHTGERa98k3hbW&z*P49&3 z<*|S0X4Ht&HY2QB6Xbq~a_)1|d50v7F(ws93F0Yv6#_NY$)>zI)EJ)q7&8!fLt2p0 z2ZU|t@MFSA6KRX#+Nq&J>n6iBE7Fp+Pwg8V`V7T)z3XPnD{vSCQR#8szv3rzM20~H zoVX85HNa19nF>wO=;s_{zN; zBT{%%rUvHTnu{DN6g6BhtH=uMs0kwcCLh;*Kh4eZTNcY$SCZ@-<&kN9mBW#|CB>P9 zUScEu#g}!DMv2_`?P9fT#1mxGSRUTsQgU4cI2nBw;b^PS=-IY47yWi!zfMGmF4;B2r!_>UY1}$EOCMT@ktxQe}?FYrAZr&y4XvA6o>GGO@FzfbD zVY5l6hl@y@Zx7^rzrp?nU2hjZ7MC5o=zFA(=NoIf--4q6j~8Dxa++Pvw$9_`pCnTM z)CyMnJWQT%`m9(U4`c5P9NjdIZWFbxyXfdSj_Rdt|I+PRjc|Rre;_@{*%uVdSGh27 z+c|?s-6%`_-e^Wz4Txw3Qky->~{8J7hQ zy9MG+3Uy+)!38>r$5pO_JBKc@+-D7W+s$*00i{UeZb zZPMdJ_g{&tnJnhNi5;)+7kq%roSp~XN}$Rp{;}Tevkg2yh~7C3eyYuMHMo6k^6IZk z**lNZ%H4W$t9AomnJLZQ>+UoTY#SEUeC{D|=pp&HW6h0zhcD=*KyU5k00=o9bAP?) 
z9FJo3m{0iiHnq*|lWnMX?_LMoa+&UWl`y+U5Ej7h;qgCfb(opW{#u8cw ztxoHAAIw<1Ubf_cPc;-c&Us68?Z;iU*4+ z)|TE&{beaw*UbK*)I$rSg&+@CnEHR1ddKd{+Hh&KlXPr$Y}@JBwr$&X$F@7RZ6_Vu zwryu+y?OQ+XYcdn`U$gU;jS_XO;EAosHhi1bu(nWj~?j5f@vOOgea^!HtGLc_Gm?f zjZ}gA@{f2A?vaZbv}v#GEYyXic3hO{`p_`va-lju*Lc53U#$V2`d9i?Y8cj4bR45m zBpEzepEK*Eu}h^Pm@1mMb_kyyji|17rbn^qICH&?0vwmdAanyJ)XNxQ+(zAwD0OO< z>I8Uf1(s@=**cUKNQYQ|O-gXGRzn}3jso$VJUc`IR>L=Omtb^($6D_G83CC(&USyzn-#b+6 zDwZYjhb}TU3wYy|VglCrpA=g^7ENHENa@Yt$`lK9ES@7pWUD4@HYW3NU=$jzsZG8SMz6EaCk{*YUuo1Ng8Wm=y?$L7;yfZ@rU*>#z4!Ykr03PNC> z%2(_RfJ0jix3J?vy!ca=+!*3>`9oN#%#7S^Hxa#Z$^Hdrpp8&?YCe2i+>8fz;L4Ng zH=NXv%Z~Y2e#NlfX-sL7#eRy{5=KDmdJjeecrEH9cPLy8p|go{H#WZOS~94kSRuM+ zk|a3@Ikl`JK?hvvx?pW!yOFPniKu`J7IIAKL&HsSSoB77X9o*{bD)R|sY7DeZJw0$ z@$X=z9DWPUAsJ>`^GIR(K_&2JGq=ET)&Ykja??f(jkB~7H;p5V0snMQzz+G-H~3Bk zB+b@B)dEM(!yi5&|7Qq_j_q4=)rn`^pohI9WSN||$OVm;jBum?U@ThZr7(&)5+~Vt z>9tF&cK0yhQfW4%2s1AUY2{~@5f>*U^Py?0Qm@b!`Plr(^DMP2Gaagi!yaSay8f4b z71*JgC1A`jU3Ob^!j^d@MHnThtNz5k0!14){YZoASwuq0m}l+UzC)N0z3*PpECoWt zjgEO)H0oGR7n%{Q2?iM?hckYTlvYT}G}$Z>`k1A-gWf@fbDCkvEMu93je(^ZuB1w) zIyz>@S+du#9jEN0biJq3t2r%Kv7{4m!pfIl&Q9|*0j?yl^sN*mBE;05 z1J!O%Ui_6;LA(3DSl<5tO;9vbBTbHQ<>= z3#BcXmP}2oMmjFiIOC=TaWs~iI)Hbd&DkYKGA<6Ujc8b!g27UnLYpO8os3;C0WTge zj>RP}eF2j`9{2iV%lX!}%4)4h7ch`BFyAf*UpDTQjW1N9OkZg9Cn^hopE8E*sJOeC z$Z0U<1KyZ*o%e^vQ<(J5gqL9sU3&PEiyV;`?si?Sc>l5E3duITMyVu-{jjBtdb_qy ziI+69+DZ>UpM)}_Sj??ewfcmYGg7I7Ho}2BJTSR1f{ZH8ox+UN7Dq5r@7 z{H;TO{elOT^Th#BfdBcQ=(f+CzaHi1>&v%8EPxc5@am%UiTd3e@(sbg;9p>d3lXvd zKViPUryAp&<*a=7)pyce0cIckE|cBrH$CIlE8Rtc@>h~;6x)k{2k~3j3BBhz3hAz- z-@txIe$TfaxbCwA>rIcVi?EtdUx%skRvw-Un6K-H34jFg=}3s`=!V*AXV*CT#Aes1 zJbO`&*Hh7xUXLN3aqflM&W-rUC%uB0GeY;t{7~k!LlPPLj?LilTmevw~z~djTrZM=DxCYiu z=t}?MN4Vj19C~?%;X5FD}_}AD>z?Sle9?P!g2& zHn!GVpNDwcm3IR_t`XyWPh$rCyk^7-+e6kV;^H&lcQvQy`jIn6+!5vc9hZFNb@qk_ zzA}2;*D5!<9@js@dYd;&-T53U+@Jqfh|bf$1VRw8+yO5zfssHFInD^5m1&^iU~f)+ zHjCi0T;Vqf7Wj_@w?FvrpXI_hwFK4OJ>t`*0|j7@`46mkV}ucmZc|Lgs^EmVL88Mm 
za|Fm8m6$nIV#akT=Kq$dn2Y?H%P{PRIR{ADX!@A^#Ec`gV&%Cj{`b>p1XNQX$Dh_pLXCfRKV|(nKsF=lOg}>RC*fZSCHi4wMsH4|%(kcp#D3rDmvb8YXu6{IJR5XaYEKseH*; zZMY`_qS{9uM{x8k7_34HnifC{?rkU!b<^FL&^d1i4+G*E|XU39A#R+bj@diVlt!^Us%LbqaDZ&&|toO&ko30i5jDR9)`gb!NUqDN82mqr`wFo&yoL`x2)@o$|*nhq9d_bT+JC&c{YXA)s8sDIL@ zOh!7w;fgaY-MzL{sxz^bM4`(je0xcPscLmpN{}&1x{53jMkBP+xVu9au^YfEgJJ&K z=jrq)u%wXc<>P499 zv@y9i3Sx(!iQh6zFwcZSjn)W|94u6$QRZ-gcyStH1(gb3l+5yN%v2Ji8!MoinXsZn z_PEark4xnB$8`7%MnvkujfTp*MjOd?LL3jbBEY41#k4^U&vdducZ308TuXUES$RhE zoGzB#|5lHV4&55D?mjEj{9dQX(^mk?4qgNDn86DP11jHpkFwvsl1xik%me`=ulrvF zzhOUph1-A-4;$G|^UQk*X=B9~PHDA8O5n%>``8zYP&Cj&Tv@62DL-|c42z~!T*x=z z!MbZw^QA(U1?*lPnVG^cpc<+VJtxM{#zXs+sdLqba7Dq0*?d0;sS4CgQI85>OCYeKRNyFD4$vmp*9xOD$d?Ye7gn+b zVOSH-5U$!k3GvH=@R_Z!cqUu^MiNHhy`;<-9Zwlryz4*UU)TFY0QLDjmK?oH8jJ)5^*xq+a<0$*qG5TZN(=a8 z$%emHe%_KS-)=mu!qN9MpBCfT=^4P^I6Y^ZcL12``R>NgoalV~8~o+n4a?5k#m((} zuHAl-sD7Q<<(GjTG&5}&maz>vv$N6F=J{Fb-c6OvaMW=Y>iku|k)w+9*8{al-ablv zbg6aYzG?0-zcFpYt$Aeza62eJ7+t&c^g4wcyGS}9wV~tL2_rC zOb*Fu*tbS`r>&@WK0FLg>j8Uy&2LZ!eM)xfc5iH%UPmm*wLj)5yT2KD>{?R%^`E?G zO!ak+p<&Ni=sAtnuWmE@%tNoit7TNmr+I1fO;RQM;!o|II%E>S{(}huL(e$|M4hq zAzl_iSE8?|=UwyDiWZ;-x%DUnl0b~Ev)W^oW+ou+^5KoCwY%$SFD*Nfgq;%*Ez7|7 znzY*-v)$o%bBxvMn!5_qao<-QCz4O$_P%wLRU7g-y=qwhzBxZ5Wj~sx_j11UatR0p ztZ$N;_kNzpgB@38#c3DrWOY9uP1rfzW{Yn>eW`uaHeX4)<9Qsx&bCi{?Rw|hJ{@;T zs%qaohcSrres-NK;C^0@yj*sjo$M9P!8_OJeQmp{ZCzz^sQa2+Stwg>A@|iGlE?Q{X_M~6;rcWcNv5Q0^1%HdSwbsVOFCh4S%VTHLjW>D zD(h?uWKowtUB-*ml4+!aDuu14oY7UsK(ev8z(RHL)>NA>H+;@sYY)iZpBvt9$|&T)K`>l*+j=F zqM#}FDmwiPf;Ap2%i_}Ev==DdslAICd`(1d0K*)mEQq?||T@9fCzK)PCF4@Sm zfU#D7wwd_vv>2Xl_59sH4TPp}MzAzi>u#h1?!rG{(Ni%0!s{ln(HD$q;CnQ3EF5Mg zFB}9@cuII=bF?J_Fqo;JQV&Uk!~Wtp=(sZ?NtL_7Vg{(mbSA5z21QaSM&qiAsIXBy z*)>}hy}=3} zDbfvdlt_AjzBO*ZiWXRLQ_eW7LO!sv1dN$_K7NyD z{bOS^0ZrrP3~vKIA|SoSxfHkFZ*-n?p@mZzT#=Ah#-9? 
zA4tw1^!WwRDaEk{#W7MWhzdj9<*aEfi(xObD)aw6C%|(;gU|l~SAL)W;?IM%*EWxI zw*<`K`$&I;{_#H(eBOLQzJDX@9~pBtxP7Y2olE`?$w6)XuD3LMd&dc8dA>TO+toM% zYaOS}{wUdJZ)4Y+!Ke0@L2>&HI}*Ux#rF0~294f2;OXSq->|U9_W<6S|K)mu`||Y* z1rmd==dB$FqthPwd_f=Q=-RXMkiDr4II`_K(kq({3nm{ZgzVjPsj4Q}wB9h8N;{EA zJEq)XW6_^#JC;bNnQE$OCQRv_jQkAeJ<|Y9<^2;hSo3+i@$!kQi{qu6&Ous=;h?+s z;f>TEkeF+V$2&6f_U<`d^MT*xqxESsxI@SMKm{f$&u2EJ-s15d-fiFU9AEn7bqn~V zaWdKYdEBTiuODN7RKB5h!*h^5#lC)6;d=bOaKhvGn$oF1=Xn}2Xz#|(_d$ErakP2T zJ=4P9gw9R)`cSQOJL`R#H9g!q_4*o$uD0>`ZJu&hdfhEwRBQTFHO*`erONRL<@lYG zgf)%4%=&L$t-`D8ORc{*S%h_C7_!^pFJyPFQ;Gj|pN4)b9RX|)sh2Z!H|2OudPUir z);#Hco>bvngXy!VcRb(2&iGtE%C|!6^E_w61F{Y7XI3`Sczjj_V}-JzP*}L)OhMX#V9|wectl_Yvn8S#CKdh@YZSHmi^egJ>RfL^Y>H$ zMu$nI-8{6fY&dW8^=bzps<-EU&nl>9_))mtbUl_6tS{H{6);}MqhqX{6s>Z8Y8s>h%ihA5RV(&h`h4<@yEnP_U zd5+;fIT#`EST5WHx8`kIk^1#{Iai8k-^=Y6rLVc6?%`OxAV={Ox0SYCo2AVoMsU-$ z$IrTcRaMjaPUfzklie*$lulmTbj9A;6&KB2>ofHLH2nnT15T{pd-IjQfZfslL;h&p zCPjW;UxgZ+q{>agrirLN(!l;N;2i-@!kVNX-*gOfM94jX&EC1ck!c-n9E4qo{$iq> z?C24c0kiud=v`$qvV%uCP;sP)PY0vJgS}vFz>6Zg^ zHcc@_0o+BT%nKzwOqYc-$;@rqQWzId^%w+Zx1#hcDRqcDVjW`&4w@Q{s2DB&fKYHH zb=&r7D1q+adn@_UFgGpu4qXf>j5)#_)2(R*!7`QMgH4b`8)^}ad1Vo`~Y^; zguuS)bVi8en?rs$gnt{HC}Y17M#HPB&)HQjP)T@rC6lc( z%pJF*&es@)Y}sl_JOyM{5)9|*ZW}_it5y{@^Ne5Cl!{G?=e*)0QI%S)g9+(d5AQX| z8yvc~WJrsG37)hC`X_Ril(yoOutrhxDFzJ-Q8WPPg5m`fi%&J?N@&2GH zt2`w=Ra`@=GENA=u8B|=6mIDDpUy^dr;Xk<)SaFyk_&9$kQ}HOkD84%mk61WUom$; zgALi9Be8}Vg<{RmVpC3VHb)&se+s7vStk_9Es6^Xj^mWV_)Ej$ zRvB34+$m-Q6GjJ2vF;uOIK)R%_`mA;INRmvswUXZ^@PFNOypyVg2mHdpNcFDElP-+ zZT?P>O*GeA=h>zF+7C%RGnKAWM@)ta`)oK(FIcv7#nyzugr03HQ^|0m8;$o$aRT(D z8A@HDXhkNx=@{wEyz!V99(5o}s^Q|9lskzSP~}#ucAU{NX&xq06>Jo$FkP*Zo;e^N zcoO0<$B>gAE!ePpCl}l4)6E6_bO@CPGuNspcr4OuTq4HUz`7~5kLO(*^lRU&Ho+jB zOn;K^B`8gLw8#D~U@e}(VBRuJ9#{E2pkkqHE_Cih0FT-$UVF9naF$7weQPWoyT15PXOjZNT#;C``$K} zYjtDV?~kf(<+R#W)RNr5uDYe9?%WWDX|I<{YjfOQtFW)3`xD!)XJihZ`;!%a*P-hSpg}i(6_FE2TkV_Bt-zMlqi~3=#hjZ5x z@-&tIt4rFE{#K>`SSiQ%W7>m_Y?oPfYkk16w)#}hE+U10*BN#%zjxe){?^;|uQt=3 
zD4`rFhm>)c)pr`He``Hjo{NzW*f4}v3IG5*&+CG$_SG@2dn521gXZ?}ju zUalYV1?Fb>sqZxY5B9bST9&ALSG}|?W9ZiH?j;*j&eLJfm|J0d&N#khYThnEcrDrs z-49>ybgwsloeRDM*)H#qaddA{->QV1|3R1U1Wum%jn}wNmfpwU1-pt}xvj^$^vzb= z-q7yM%Fg3ooM%S)t~H%!sHdnncKy$_g|Fwe0tUSHgW}h$PTl6kBYU9M+hg-aYmIGi zR_8Y0+%}H-489Nbh3`F+W14$^TU1WNWyo?K`Qq!ne7^hFGo062Wr?qc!QFj#=D_yG zPR*sDyna=CkiY0&%bs3b@8c@dFMQp@C+GgO4J#uDu*n-NSP{xD`> zB*Y_VFpo5oAs%e#=8aRc(N%INQ_89(6G0=_Nh6LaIQ7TRDUpE^sJk|C);LJ^8Vq#v zt&EwcG{sS5T2;ey{opwz=hX=<XMW_9%(~n zc;ht_a42WhF78MzObKuz+pU!8{&U2FuY9d~;fG3A0D)N48}u74avYrI|I}S)o6Q8y`2LiEc@1tp`C6L7o$CJRxN<;QEwHACH0tH#=Ig zc>szys~&l;jBdlITn2K~zxB%=MFB&37^;x9#!gF#>Uz9K!+xE&CB}80Dl75x&tH3U z&@frfBOAep2nk}!7Zy#=zRHvevL9l3DIfL6;q;P(V@_-PjPPRQBj~cw{Vc+?>hdNN zcbSwFP@LGB!ejW9Av!FA_dz^@a18>6@pTgM25nt-w?wpk-PD7fPaqP%V=c@w0#i@p zB>7e_i*sn`~ndiB_58&nT7Wl)Tx zY?d!Rpc|-$iHFVcmTg(e4hNBjwKxffF(U}0U#&8XDNt$c3#}HFxL_{1)yCCS=Qs`< zxOOks17tJ4+ej2!!yd#A4<|xZu)sp)f1{O}kSe0vjFV+nNYnFx*MeopR=tY3=G%w>cUl?)hRL8!Vw5r&o(y||~ z%29JV%wfy9qZE7bE%o^r3ZMun!gbc^OWkjE93vWl?1Cy!LUrJ#EhWz{X9*4`I!k5X zW$1J$!HNeHz-1XKK3WIWY+8poIIgN^#vtTCY6FhL!OAQ!f1x`r9?-7+@nq(dQ@x_B zg*6rmx8hlkGbhr46RsK((IMNW#vsk5T$w6MnS2|}L2Q#+BR^77-xX*NCMD!aKL1-R zQEVlXLMLmGpJ40Z*|2=T^{1;q6MHZW4_wb!*s6xo`WgxQu*P_5HNNpftyM$AF1@j$ao|> zFKZv~Vr1GqmWmT&SURzM)RqH5IOtl$x-iqn1AFj9x?P?UW-M7gyY?@gC<%;2^`Y^8 z6`Knn!Xp1ms$HoX;)vA9#Qif9E|`$$)<6~i%`#q%l~T7R7Dk6P(PS>aqTo1HbkT7S z4MG)rNny$)%XRc%U@(nY0xy9hOV&>^cn>&|%GZlZgwVng#VG zByikPUHDO2Y{dytNP!P;7(4XCi2#Dn~$)+9_KR>bC+l`eeG{kh*gQrIJw+mZQgD2CM z*EQ)}{g(;LINELy!BBbp*E!wJzs~#C+&@kp)w&IiABV2}>&|Rb+iZ@PoO6MXlUJWX z%iOQc?)+_LE3L=Vo%VMx?2+_ibbc!p{{;CL?D#GdFF^Mms*e%mvz=A#(z2O1ZvNZ= z&M)@8#Ch^3w_nP+Yr37A-k@`JI~nSS;jQ)E2MU`-m;VBWd`l@fRxkRs)%{&xg-r1d z6I@fNwmLpw5p$gnddzpax*ZPew5L5ijx$Sp9L8&|Sk8kh8M&HjFV zAlh;JZ{dA8T(B${oR$@nl=xv5UBwM6aGD4{TrX@T6{kJl{L85IpcG` zA0#)N1Aem2i9<}VS}TUl`4%0TA($AL?uA z%l=daaPq?Zg$@*~-WPZq%LWF?=sA%#vL+bz${hB@0Fm@>_($cZ{gVs$Bu$*#jL7an zs(?h_71rxVUIbF=7M?POzCr92=-Xh-Y>bHc$;*%Lk_Cpr3EPcEf(_-_1#= 
znwV$5n}f$qAL{e4F$1f^lG2nV2SX8>bl|N&JT~m_9m8p8h>a0`&IVWZl(GIT`W+zF zvqM;BG+F#JD@cGhh`qp(S9w{wTt*4Prh~{uN<;Rqj5wc1QgQb3GWh_-)NVMBbZ=F*Qs|Z-mZK?&vu7Q5C-NH8MFBSI2Qqvt1|vac%vd<*kI@>mg5Th5QQ#*)NaM$coS-(A=KFu-V+&PRzG*t5 zNf(?Y{CbJ>RaYHwTy+17OPsvBiIefIwJgjH4u;`j6E6V5HbO-Q5t3{3z-iboVXNcRMcNn zbyN~*`85YV2um#06~-dg$+UdhN==jkMCGX*31+Za`xeMGY$nX3I-Mz!A7o(|V3Lmo zvvMw*X856^rYNnQA-{-YvdReSvarBy%(m?|0&0W7xgtcpn3qGUOlrQ&Vn)X5Oco%Y6~QxS z1w3K0MrO-^+CehQ0A2#sk~5O~V=ciMqXkPd_948i785#>p58C`h;$6dZOOL#U}kak=2<248EW7F4zA){u4rwkeZg zJNU5+iFVAr$?{V{@7bkj#u)Xm4!JOBNm0j5KnRXEVOHy-OnpouDN`;tMhw1I=e2{co3dxrEwYFL3uLSdlHBNim<_7|Ie^;6` zzt)a8ri(*Z?VvFJUUo3sj{eK5mUgT6V+MYor}f;vak~u+xmN!OTjxG52A#TP>=|0u z)%@H7bMap{AM?9p{wW^~FPCqeE`W=96ls!kDw+mK9xZd^s z(5G5*_x9UxWB-rWgNKrxiJet@`xZ1#=M;__FPHcJ5nkUf{RVFLn_X_}&8#k;nP+#9 zY%&DBr>^05f}$5rhpCKzN0q#tADdA#o|5*{1=G6M@sQWA$xhel*0i0g+|yx0-UQrQ zdN%ORwwE;r;F-?5Kc2EP?$ZUU#R;|<`Q z*5%-pT52X`-Iy2$!Q-@G2%bByN4e_T!wP;4;1}t(=hylKJ?|Z+{r0;Skl}TSV2AHGHA&6X*}mGjqiN_WOZe8&!M$@o_6pG|YP!b$G@2 zA7q~EdlUs(^J>zX{o%~Vbr9@!6dsdHy_2%)xX^B2$Fc*wo&kQo0{JKTft&tDKn-Bf za9#PA{m#T|=@*NCP($u}Ep$Dk8tU394m%|`|8%g1;gNzNjYjB{EQ+9^pK?y-BqnTP z-{;Cl94@H7WB@P=>>Kip^kM1oUe#-T`-{PV=gkalF1r)ftxltd%)~<#B1zWvV{l!& z>k}c8J=#nE1e^cf$bJ>Z#;cI`c5*FlJdzs9k^bl)^vO^Hq(w)*#YIy~&+IUcwMQ^C z(&YD92cfB8I<*Tr z*l;ydCIlGsBIB0ms#oU=kJl^mLd@#IP`8TDl7=u)frO_y!_0{W(a%wLq9qQV=9tX7 zE*GN;QBXwT;o)@tRan>@Z(9~ipw1&9CtsSk?9@4?9J`iBsSOBO6N|CKN@Q)4nT{iJHv|V}MT969KOUeYYRhV^DkxswV#ZD!t%71i zzZ7kiNaLmRPnB83Kvl|hl28D=gxsA-X5K}Xeq4sx%hq?P1E58SpAt`}$Hl<9o^0V)zPqG(H2M@|}fQ?#|Cj(;o8i>-!7 zye)acVku?}Q~Hzzc?gknQ{&qbXHLuLVnjm`0>&EGs>5`*hIN<{;vDBFtxZVSL%j;- z#!yIL5#Md*=}Wj(I`S6>%K{@We^2Ly(;33+L*TNPGLM!)K975KT9s?{C&T2YH*1!N zw@X#x6&MpskajtBDPJX8>87~^-#wh!I2)8Q^9Cff)0bid=ZLz6(dx?`FKRI15L9FY zr<+;(2vLiAqSz^=nhxUTL}GT*!`&y8giE&OX(}xd+jjKaXxlt2HIbGI4fI@Y%&_n>KXMA=BcOn0MMgPlafAC*a*&5xVObw z`pDa|Oxfmjti08f38A#=geAq=1sAZ|2nf^WBT>U?8zdd-iB>7Ep%jBvv4cFENTiZR z69VuNyih@0h|x3ASY#YMyGeuyHP$?*J4dZh>A@1~b|RP~LWtTBowP;hHT92(I#QM7 
zoV|T144NV>V?ukfgDF~~g`bhqaMzDwUg%Es*U8Yb8MFU)7GM2?26hRI0f_in75}M| z>gWD7I-H*G1^hk$#E21vWDz8kkJ2Z8%umE8{@1v?uQ1Z`F#=KqW#I99F3YorE!$1G zaIpT7==FdmPOV2DbyQ6^2!Z}dzPTBI?)fu6&faZT${N>i;SSJ=PjtpX@OB9}k%G_5 z(s;ILbmDhfrQ!8_S>yiOI}L`D`fCuub07Ks>ANWFaPR14l-F}{Qg>Ngt@AZ?NqzM= zZ@cQEcEOI2%egjX?^GP0>YN>3)xOyt%94^Rl;}ivUT&& zlsn6W`uRA#ynTlLmCthr!?R;30KLK5=k~pG;TY=W@^x2KUYETP+9i$mp#WT#3M~#P{6NIp+KfmYdUP(YDWKJzT3}m$XrpL9q-OSK~Pz z?aZK-x_NlQlCO3%_8mp^HV1RcV3Qwc7uR1qUhB?@>UIaxR9*v@A#QxGYhGK2wQ=x$ z#~o?({-7Q6JO|N;HE%B4s`mI%zF)J3 zwRp{E_AfrgJ!9>aYKSZ85B%>(M<0R|`0m43i-0|@E$drze(jSay|IkOaG%3@a|T}f zA?@esY`}bztQx?kS=rCs?<=92Uir3JjlZr=>0y0H&Hr=&44?OQ%-4R+;NB z$sQc$0K>lOqg&00Pg%}6QCr?ECsjUf2*d0Q0*&!r|HCOrk3VvNSW_C_xZ02t(ZoSH z(lFWJ0SOs}j!$=B*pwYZtC+c{@v1}f0IhEC&?MVr(@2@JjutU1T3tFyk&R96hg=TJ zfE>ZFkxO|z$0vdbxtHNsoly)f3bEv>m8=~}ZsD*GxvGqLwNC|Vgk3@EP^SrQ^bcXj zQLDny*Mub(EzI?cHTv3!>;wYU^9UZ0m(HS?7R^Zk1I=VAx!`z0eN>I<-4L}1(D^&Y zT+DUL8S5y(Yugpp^^Y*9DB*E*w3(nt3ky4N>3|rRn4cjwFtV`*dacY=ipOG(=zYBl zZ~PIY0*FnIgxhjWg^J5jrBP}j1Ly35Xcw|$yO(gMfti~Ni|j{?hV1t|8Y!972^9|W zKUAAQkTM$-PJ`Li3vM^dMxj6oSId3cV|U$VskB4Lxgm!*GQvNHPMo*r7$={R+{p)OJAG~M*8$w0_zi02@Z{fS{=5^smZ}3A6{M&9 z-)9Db*Fd%qE@D%sD7xuqsrpqWM#It5NT^uGW<{+~P{ql*b(imvqR+`y7)tsxLl-o* zlU~2qk8dUB11aMRH_PBeq{u56IV%q-+Fi7jSfGl76g#n{7u2Tkih~n|hwBBwNrPav zn;8GQsdg zM*?P_I}L`bpX%(Q{#c}^Nd``^i7j=&qF`08<|F?@#}UX&;4KO5H>{V?P{pd)&}5z~ zMy)BE*z%GhhKx_K41x|h6Tn?ycuVnEG^P;g}5BKpJZ_~Dhc*F$R6_RHo*oV}}Rqt7w1 z^Nd061NH-c2A_954*vUYu{S@btyd$A2UtsCND z5`>fLcXWvpSZUwh$N$iGyDOULuD0CC`LOMIk2MmIJGqLMRex}O@_CQN_%+8XZudDZ zd<|LHpVPl4zmvr0JVQ3*Svu+WSpehbU>$_|Mabj+MMSan-r@E(f8jiG?fayMxYay* zMe!|AU31ia(fEXf{pVG~XE!d6z2v-dHJndorvfg}FHS_BM$h){Pwd>bnm_FFh`GDK z|JH4D)@D1*G5c#?bNp-H_@&;tmt$^7H^8&KvcWZZyCv0o*a6OjQKI~oZ?iY&M z7x>4vLUy{}H+OP;1|e6}@Y_$fK5p9Xm+6*yUK$5qK8-4A+pX#+eoy`Jzf#+`dOYcwLqu) zeQ){RE|;Sw45yn6it3h;ud%Zap4Jpu9_Mq(dGk1d69z*cpT`Fl4C`*!)vphN6!HJh zuLkV&C;@|HQv=FhfxiF6!JNw0lm4@;$M|D_tLY07--dNz?Mv=|2t58fjH)VtvI^N0 z>4T9AvWkXwdt&g{G>(@7Yf0-gl^^Gl+JLq 
zf*_tKt)grx_j+CF^HM=Ba*`MOa2mEQ&e$&-*i+Sz=o|2$1Z^71~w|}4g^aQ z!%}@4tBmgjbf0$O4&Lgcs8m$!+qzma5s^h6Tm$s7tO92|nF9;X(xC%QB=mHxU-xf< z;?`mrHbgP!M+q<-DA-#qEOtG-$2`@F7M-dMsy{twESfs&71{L%oU}|2IXd8>k2eJK z`FAFYyf7-&&v~xbf&+i`iA1SYYta}T!KooLgCWQFCIK0J^W>Tg41>oKbecGmmf98T zx9we%bvhGj>abzW2Ld$@97v4*1`K#^|0JtDwG5PNS?xjnVFr&i-fq*mL%so z_B8xk7rHFo4hkS=!TiK@Gy2&!<&IRgHEnjMc#1J)7HSg%`9piGXtO}!xyyyXy2S&O zp`}}|HHu=GSu2u+Se|_ghW_#Wh)-8V%P+hk{vW2PUZc~K4|HEpqQz~zn4-pPoJkQl zIyl`=;Ue7dYNBx^GkFymuyQV?ZRt6auwi37?om|emT?X*h`x?0k|J;PYW{KTF1n}9 zU`n$*`gtpBHx@%Rw)LnbM^UOnqF87W{1{HvNW}|uHA|ReFvfPhp94uAd5i1iPQ|RO zCU@WOq)>O~4%-O)SU2&G_rsVl0EuxIqCAx!@&5j6^RFk8xTN4Qu z;Lj|^yU{SU7?B|#jM)8Y)Z`z6@59JhW}KP6>zcnLhj9w5wsgR7=uCm(oYrbcP0^*( zO=Nay*O@?aq`I&+f_*qI4n;9a-N2WovqwY3MMRTz{P!v4+t*UTNqxT0F}akEBwdBAh}C6}KKD z=jBvrOrjorXW6z|JE{=0fYWWnlxEwvWoJW3&T{;NSh7@(EsGxOw?G10h+d^h2<&@r zze{>^57BpZBlwr`M8qSy6lM;X7Yk(Wx~-y3DoI9-&DyzsmNbt9V107!W1DVs8})=P(kFX z6^9WHf90OnqUHBZKqgI;eaMz95q*e3Qbh3yxjxge&$<;CraQ_FTZJw2210aHYL1ZV zSErOcEO$dpk|0TFmn^XARxzWqkqglxL2(ZPN>=ZWY>eO zm(Tva^HK=j9SJQjKJCB1aB7BnSfAfqB4PzQfo)zcS2V zeN2eK)!sEfy1UqoAM!g^3C}RYp~q8cEgllRJ}>tw7dau^yGGS;1~Gt2Z^4_z+R$qSo!jgqz3_rvpimH5mz4@V7; zkr!2owk)bZ^KBn9U)SrU+3#+X(b=8et7$2n*KJlPS|VmSe^)J-ZIj1u4D(nzy{#_0 z;c`^!=o_aC8|%yI)!JsbUYXSO^X+;lgzkMkR7;Qb747%X_3xd`qc+WMciLX}J&v+T z(LT9Sv*qm9BIUMnwXpw^T^L!g^F7~E(L0+S$9VC&46f$w`8qe5ZHeJ~h|-WN$?U&9 ze0E%L-7q4#t^MWv`;z zK9&&Ke7u${h&}}$2ReG!ya%Ji8fZ{fke)` z4S?d^6L|J{_(}0+$Co_ZwnV-E==s|j_D$gdGDM@(2Z~gzn@*L*H+RPT$jjPBWR8bmn;U8#L+M#oW4t znDNi;PmaW^(mHA3%=f-Mu9(YRky2hlO>(Upb8;Qq$%e|g}+ma?r8;FoK;1pGSp!?t9Y5uQ;3=^!6VQQ$a+DPvv4;= zQEY9*OALE#+m4uyMh!yL*6K!%&xeWeqOpS`L@=~8jm?XUG&%KT{-yT_#eiasd6z!; znd4CAMT0E<3Cbb<$XYi4d4&nb6>jR{yF7CmwFt}7jaD!1W}S*!FE5cF4tJcPk-sEf zKY*0?2VFBXS`s`U0`HMj;+#->CnOzzajHS296kA$363)%E5W=&V!w4W%l)A;{sBYH zHfcc4fHC#ZSi+oO+Q__f)Gbmlfve5P3|u1na_Lw=@%&xN z9?Op?i3VIvO?LbxBU;il;RK?n@vbb%B=J_+=KUIV)QW++I9fH17LX+-Dh9)_IC&_9 z6oL(YModD7P8-SgeDs9zEUZPe#(4Y~JVqIq7b`0#0vj}v9dJ${a%hY9MvVjju&$+=Gmgui?O$-LE 
zn-v2kOySq?bs+p#-fom+croFa6E2YqsJCw=5t5i9@b@ZwLJ%%B1z{6uu^|a~iLZ)d zutyVzp^-=U5+J&XEi{dK!tw8i7<=j3EO=5K0L|5@3!!3GY>P*IeKw;YOB`huv!oj{ zZ|+$qg~>k2s#CCRVG-*v842)4x+SVNZ>HNhV$J#o_Lw2=QkJokghBOkBW15CLJO_n z{0sQ7s^5{cy3}MpB$}vE|58e9Amn=gJBh0V20gG z>;>ZFn*I2V@dlzu2I!x&dk_evGFRcjM#LPDLbRa5an*cM$7qnEW3L$@84a1P(O~A3 zm@`-X#R7{YiB>m})OEOOL0A_^2+tBV;#jU!=d6i{MNSk>RRu%N2{9#g%riJfiuO0O z(>4PSI|<=$z2QoW3uj`~3{RePiKDcW<9TyQkknH-@jv@u9dg+xDf`eOpU; zb6*X|mI-l(F<|EX!cKMTX-;d~+i8S}e#@2Ax$x_bI5(Ef=RtiptI&4br^~j>qm*ym zsys4P%Pthas__uz;n#V+9%+`eB7jpG6?xL-F%`dYUaR9Ue3#wRa2@0)9Zo>^ah#7~ z4H#qj=Yr#A)O4xWvORj4ewFK2ui#9zpL4tV-s++{o%Ohhg6tia#9>Ea7zvNSZ4>o1 zwRwK(HAF2IduR%@;P5>zm9q}c<+iz4z?UP??7TXh449wH^=-Ikc?IizAD(~7vVWM^ z3vlZO>^Bq8dhE#(n524r%uZfO@bxEMQnUHGNA}XbAL_aCnXFUJYD?m}Upr)W&rY$Q zpHSmIju_5bbG-y|slL;FHMT7RT;7LGa9Z(h`>R`Z{^EV=dKJ>H_y+AbXU;HL*&2LS zb#CgNkox&8*?jD{uXJ55?20a|aGJ6D`I@D5clJCSN7}U=cwFRacG&V!H=7)=6=sQa zd;VLJ^7EeIDz)ypajCtE;Tv|kxqRF1QKKur^xD6`m|Ng2yK4H*dR4!+xdSSxRqnr- z%J)4d2^6&pRMy;N{3atBCy__BolW)ePDs@{4~ac(FEWPRx((iXr%_>3RhKdOYHoJv z8)kIfy1uUQN^9=8`Fnh?TUM$*_XzbU@tOxZrY)X)f?fJ2+3L61%|E1Ccix)yJLx+R zbvni#t&P^8KgB(Wj1;`C@%?yvJ_07P3R{B^>)6)Gx(A*S*Tn!=|IabD1%%K2zVFEY zj~jc?a}w=8M_Y;4M@l7B!D7n7oq4~J|M7~=`bAh4sdEqyo`*Hq19nDWSAevGh#^IC z$@=Z;{G8@3(Z&JH5v&s3)o6v|*<*+a@C^3B@q^A&b>v7ZmvX!a z5t4>NreB9~tT~`{$Tp#t`Er3gU8=32=>|n)BIq?|pZ<(IN|!jpWw}^~pu^HZAVsSx z^1FLUEP3r66pH++gqt}?Dv?Q?mts98O047L;}dzD*q%ZKJcb3vq-!27_vEk1U+kC{ zImpH##o7z7zZzh6Z8!55@bX8JxQQ+dG$C+1+cEh9k*jxNlW5c+J?Qqy6X`D`bUBd4 zrhB%cv991OQlyCbni3%>_R7fD&jaeQO%Ly?bSo)&*aG&1c`jV49KZrCdW6+YVr+-G ztIl4SmJhRKil}3tlX||-wb*%z8Q_X_2utMYopkrXQw$fC39IEPFeu1U8tVj)q+B}G zf`du((+P3H%zM(5$N}f+vao#}?Q^%?IU*!RsB~x8*^0yg$*5r$Ct`Q?WI-V`%+ysW ztgzxPaprCk0S*dFOH;;JARx+@tsBX_Y6KAiOw^*~(&cts9@yBya8sG;l~RPFa^j3v zB>T#WB-9&?y|6KrZqd`=p%&dvfg`g!dT_9Q7`i(2$E2m7 zW&z)3SRSB8S+QvVFbbpM%M1>SynnQkI{?(Qs+55;ql%eyuu^ryf_ukmNV@`gmrAyV z;tyFNq!kizhHWCG3QJH7YLEGcaSY2y78iJ!qiPIMxuS02VgUa)%aTYjF&f%B_P~%Q 
zOe>tID9tvY8n#Kr_{|Webpi&pqE$k=)C19cOtEpBDx;WgaW}%7dr)Jf4DQUJ1UDL% zFjKY?0yYH-tyK91(sn?KEQouJev(J!M&U0czfnN|D`=fwBc)NER0^ly1q{+p{SNK; zc~D-4_7uwuQPUqPK9S#$5y+HX;U4G{I3@}Z4z!E+X2bmO7cHUSON#Xn|AN&YFO{Ob z73AM&ksczI?4sZ0%@RmuZQKL@9DnOowl+7hhr^j76^oMZs3Vyob1(Lk1GVPA5P{lx|JaAbU| z@q`pRmo*UGtCG`0${IqCcGR)DwK?e~R{o1%I%G;27Ff&qux65uXM>5D`#b4}+001wOy4x!z}6 zr($Av?joqCxa*f82$1A<-rhIW#KMzhWAV4oe%p`e=;691KkQ0K)$#xU-ObavV^^KG_!jc2cYr0|LOn#W#yDwjrhTMwYP)7`Z#v)libP*ju` z(|;XV%{N8(effN#O`p+UvVXd7c$xaHx6}D7;JI-{_Po6%PUfVnrFwhBD%Cpfe0?74 z_|-3rEC#t49yzhhKFx-Iqmparxel^T__z;_5p%X}Myi}z)7%uTMf^%lf_K=GTvEQW zeOo$qO6L?B`zFL1|5S>ua6g}9^0J>uUP^oYn`YCx`MWS(skcG#;_vdaXYwvt=3tXR zHF!n+C1>`z)2Mf6hDVgOuEp;qH~MCu&uoiXP4jHmI(frn8G8FQYtxjgw!(Wv_c5b> z!AxrEbJ77A+Wq10nkk6^Ax$4RCs><5h*?)brXbcrqt!sR(Qt^4Sx2+h@SWABtyBm> z2*4ubCw$zd>we*UoP+v)`XwK6FwSk@J5zS@>slHT-(;(CWr9;fL*oQjV;%V1%LfF; zWP9x{M(VEJ_D`)%W09CnpI?#q{OxLcmF@d68c2^4vDlR{UtY6adg@5j=1ztUbY?^+EdH?dH@#( zZlCvnh0+~nfs^8OH+&*hWS|e(?t(!Zp+b2ORx>*iy#jxqX zogrZEhF@Or>#Xr7P-3L_fUgY!Ir)YoZy)1=kIWAw1o}~Uo2njo{>HZ}2q?X+{61kH zTJZj!gO#Ng7Ybe^enV^%|N2uSkClRG(^(e8ffP%@yaJlA7M_$Gi9v~Xt%%leu4;89 zP4_RRgCzmCRSK?xiE9#}iy%#X2-yLrhRVLbc z9-bdC+l(e+MH=o&l)ro>rS2MC~ z`>|)35}*!#b2eqqaNXJM$c3T$x;gZR3R1{yYiP#)#up?3&$ zO@FB3IU5sa?>X0saVaF0yHY`7e-mu-tnB?(6?|%$^5BK1D{!-)?b8f?Oif5S@EGh# zC))fZYnTd2GhHtzOEru^nHLelCZF^riVr2r8WA(DApeF&vWb@6n`65Du0>a%gbusFnI^!SW)4Mlt%lmO195BT-~*)9`dfArgm@Wo&0QPx`13&7 zFoVk>*FZ26B;7uO59J3Ag?VyR1W5mgvsY(WJ1fBmhqV#Hp1V$ zIe}jPE`APn5RfYC>claHUS&+S9gvZR{&51ujH>&XYObGqF6#K)T}>0Jw?+^Gh>eSJ@O!8u)76S41I z$MPG4##A$DOK$1aI|I5zIp*03(njbS9T#+Wgw{1^#f~Uxrqodw;aT9exTx1Jx%fa> zR&rgE+&`2w@(lS3d(`39n%8ED8iPxW^ye!3hJkn>7UT*{j^p)Y3WTHTub4lv2OGvH z4yT5EXv}^k98nJHRb(O?$aiEG zZW}vAq)AX^r2t7(@UQ4WnsfHQ0z4KVT%}*|%Nqyu<{EmB`qhMPAXf18emBms1{r`4 z%ze-HRlf&PU~?F{if5=PIM>JsBO!qEtlJ= z3b5tzPHwaJXy#$3v+^Yrk*@3c)aixeeMZZ*a$1tFrE4$S{lzlV&++k&=mqJ${=Cau z{Y>;k=>SU&|Jr+!1JSo@iD!BcvCAxYT2)WU9XRsA%44zgaD3Bz!|Uz-1hsJW?UQ!7 
zHqx?b9*HnNI;3COdTG>Y<@4HVG_@7ocCo#eGqd#>GSM3*a3}4bSh((ZS`vD6%I#?F zoVW{VUB2P%u{zi)y+YY>r+&PBM!C8|k;`u0B<}VZbE(8-kB_2&)+_zYm2^Ne;L3h;EzNRTDsKO^z#>_jQ(&?iTQ%x7$hFw({&H z1&ZxT7jWguR^F2cH3D64xBl$t!~i?eaRd&VWF^1}Cco;VbZFOloJOtQd9ahmC* zm!0Eto!6*)h_7{0=HxbRjoSNAt7q+ci{*yru(+EvwJt}WJ+jhNLixcW+m$z+({N4Z zW`h8HULGau`QUVWAJog~esCPkZZq4v@ggJurQf0ZrZeMT$aUjxCY$DD)&tH)b@<$E z?3_YFldnp(9rh&#q1?Vvj2@G;cdceP#Z-$_h-Xr+tZ5Ge*e^VO4?>~nHTc!sz!1Z> zyLzskj%UVPowwx>rx`%z-D8)kXV>em2VMfc*6X)Zmf7uwxHq88ClKPh^eV_? zOP@K)BFSG-QBxIx1sj3aCK7NU(_@fdhng)exopG1nXQ|`QpzSM~TaHonR(mYL-U_2hzeNS54iD z+Tk8JXUOc)=Cd_v^H{!MQ}&HZGD{!*qf5B`u!S*8h7g;Hqq!c|85lO#TQCu1tUy|J zl?Mq&ixOz4q%bJfqZx3Sf(Rry=3^#YR8TMG63CChG)V7%x5%AkAjbLw#!kY(QM)`) z{Ie*OSrJ9K3f->Nyv}eB6nWOYA?XLWRCQvsE)T`iV*Z3`x`3ogzWV6(@?&_`pMQ!; z$9bW3TLPt}LF`7%hNvog|4eB~MVo0Losp-p`W=JiVJ$bny2;^>2f){@m|P2%&#~%o zUNRf_$+i%LN)twSrf6#nL_@Ib7Y#-?`6NFOIh7r}OW>fA5&ZFgbo>hoBcFm#LE|IZY%hLW@Nq zj5vy?Vk#$C`Xx;yTCWQXGAl+$7!_&V+Y@3t@U9>cjp8Vawg2AdaDE>BZV>sW&0|as zI9a*mi)>i*zTlfH_^VM_n5V7atZa=c+aXARCs9mJ6Dit2iEZ6fsXPN! 
zt!(iewoZ=BwAZqFK`xSTds0loa&}G}%ljex!cbUtug@16;HoEFd8hm9uT!yT%^26A z{3-Ffu&>I4@Pv6YJDrHIIK4*k8UrSTejEg34k0@$i@!|#{^F%Mk`y^nALNXkMcuO@&rg5(RoxmhzbGDn3eVEsq$U3vfaKJ^2r1Z0y0 zmnXW8zSrc>y8V7f~!t+=>UbOIT&}!nlx62 zN4P8)EKhuYH8#t305|_IC|ZFuQC>0{bD!OY?z->%^JbXZoB$gUw_D_-k})bTN*nZN z5mKE>kKxj4iwXHXs8)Dlvm+f?14|Ti(frs$=-V&RhwCt@y2HF6=X=3sW}1-;lv-zI zX)7f8(K?4Y>?Ty?kaB}&yFO__45)aC1MTi*=MMPf!N4q1CyzC^4N#ql<~wv1v35EN zj9(&zHYW^4BQ5))X}8SnE5u#LMNiV2v;URD*HHn&aJ>?s^fT~HV#Ez_GSqs#c6{m&32pdI6dG)b^W>N z@N9V-<~9r0;^qAM7hCH4wxWWsYJ3~^_SI95*guKTaaA4}a3<<~wD*Jiy$@poo%~D7Dk(be*12GTmV~P_UJ}U*h9Mx_UT) zG6j%pe@D?czl-}?r4Xe%P3k^YHmu}q*v)vEUCy}Na=d1Z7IwJoM>QVbp{BaO)UO%5 zip7ql0hVBAcuncsw#*RJb?(Af@Py%JlS#f42Bj_lWCwbJ5_ zyxvahQTr#(q+U3O)HXXH43UnD5_r6FNk*{K<#9KZ`cOWK*qhXG;Gg}1W0k7iFbh>$ z^RPA##n-gDQ`2(=Yy8z=rE?$PHGz-Vi=GnOZJxe|m%6pM`na|&cnoB_1D@0XHPnG@ z*56$ss0TZD1Y52Nx3x2Vfq}}1!IV7lkATUO@9xZp+&CcGG7u9_nn80+c%ZZFiSM=` z8@NC_a)4U&p&C?ULil@UVV!?4AkvZHUXU?Nz5GPh*ut`vl3fxd*=Vc{)08^Cf+JYA zW=vydwZ4f|5xvp3mH^R3+1~$e;(6&>!$MLgr&R}7w;&69YdU@DeGF-!5j}bAdq6l_ zqT!#&lrds*R~Yq}`6vGD*JZFDp$vM&BE^4=(^RXK$H)l(tTZa>OVH4L&A8y^S7W0Z!}Qze*y>8}1L zNe6ZSQ>E&DDow_Cjy;rLv`SqD@fYDn0(G@?NtO}!$; z;@2=a1?iweekQ?gIeu14d`#krrD5@=qvH{2dK?%bj@iKzlWLI{$5;uZb(|!jK;Dtm zG=9}aa@R&b#0K4}%=RO)=TzCaBG!4Tvr3bt1w}T5Bu{-}LVo-P2OV!#s&-5j439nX^zG&5$oJ z_@+5_9F2UJgvMAJ%>E7Zlqhrv(YJDsdaQsLLExw(M@p8CfYffsNlc1DD{Bfgy;uu5 zea}-5kCl=UM^v)N{|T?(vLKW8kDaK3HR+{1q(sRE&r-6+1gx95Aa!&&W8!%j`Qm{T z`ky4RXo;A2FGxMfn1KqhjKDz(23(PNF-eJH{aT-k#9xC-mpu00nhYnF5>ftvzR~4| zBn#N7#0xEr_Vw81tXa4eW8TtYoyKYQA;`*X8%a_NE$JrlpnV)1EfJ%hW3k)+)6x~Y z0E`}>_FP)X$eWWDjlvO1H$XuKVcn385a>%8JIwQsq|=miMaj=EuhW#9v}mKJrJPHm zrOdrGSdCYYpHaqRl=4JZGuI-QkD=)FSZrb8sUZ$D6}m#sjKd9}{WUJkP}gT5qwFMH zw04&zLLNwG=?vYha2DKk%v#U5D=p2ybAg!0-zPC`YxdS7Rwo>vuNb)8JZ#CU@w2ns zpcL8ayuK&FG?_Vu{mOmN+ySi_KCUIkBrd5inn@$V^4R$|i|mDNq_jk`G-JH^Gh>D% zG&{ZI7LnG_e4b!Jk%5Cg3lnWOr2lySnJZPBOo|ef55Mc8LrC4QEypq&7ktrHBWZhy zGA-v&dVQt@9HtO1$+Yfz$_R?mP-ats1a-#$%J*U#8XRcyj>yywd{K(Jd7lMya?Jhw 
z{0c&H5B!S+KJwKL+yzei?dtgh^9W;z4+Hgf#h!B;Q+G}Sga}=-&yU!$6x$poNaPBu zX>l;NKEKwrbRlzC0ZT8fx;NW=e5`;<7BRC;rd9o~MkrdFDNTurzVnndE?w1- z)K~S-L)`b}jVqj()%^$+-YuhGpH#J3O?b}J4!-ioD2iHaZ_o869$C-pOL#f=i=d+$ zJ=2k$f!5AOH_f*f5AE!yc~QLtIcq>k*Gy(B-or9=<$3A#-CJU}7@f~`+~|$x9n(%w z&tJViPqGJ5m7RCl2n{y?!vl?Vx}!fwoqV1aB33t*7+$Xd@U8*2ItTA~IiJp*YnzIp zcHS#D2x%`e$)X>l_u2C&1a9V&jWC zK!)O(DR*<&epdUcS?FKmG8cvD*jK68Y?j|;j}l#%*@9ZDw!^WMP5b*Nbz}H+=FKsy zj?=7BiY{!V-l}zOx5IJmXzrxU6@{WEr0;#eK#ZmzZ6bc6p;) z*UCn|@9H{EKx?)0-~++7^X=qHUAv81XFEKEti4(H_z*{18joX8VwNnbhO#pvN+R&$#FppCngZxcg?Fz019f|Q%m=-LV z#6dsBL!+o%3RS_j@43vNQR4z;^n7|3gY1&)qUKS(zp++O zR7Q;&Oh_e-d7N-z$XOn7lJjocK#VY<9XJh}gNnOg$Yy+&BLn?#2s^D|6e_m;M$nrA z!*7ItmQ>Dvh;5MIYgQ!$ZH4|`;_m#|N9F^!O40~}9|XZ2CRr;VDgSlpnat2fDL5ZU zq{7?@qp9yjg*Q7tT%Y1Jnq~RdAn-0g7X{qO8|G+SbZ&eBVqv(7pcRO7%&EPdK>h*; ztOeHf*M66BS^Q^994B&5(6-zMVYBbp$UJxX01#ikRfaO3qjS@P`_XDkZkVX zWSNK=ksjsSmNidJDbmChh9^7L(L8bZ@&P|1{VfFTnWH#SvctS{R~oIFU`?JeB{5z? zG;j8-Sz8iUTzJtiGnxbVa+v3~l%_Z}ax)RX)jmXNLDZ#fGnSH0Txf&hI%B1b3J&?C zM?q1lM0*lErQWE3&V49NeBqpM$v_b;Vk&W-k|-0XV%backH=f$5S0m&E}Ek8pVM3w zh@;dRh%Idb6`2FxT!@9^A@i|V#XrR(f;An%tD6>N2Px2Mi)7Q2aq*OPM^f zp0h34G{733Sjr238AE5PP(@W3OSvuiJE<;54ccZa&Oo&nM9>Y~;9CUJC<0rRc@*NG z#0j0ovp6b}JRxaU0vYPO179d|sJgS4oWRh#mNopgM+qVCP@aUnzF3(s9n@SNNA9XNbuhFlV9SMl}Yo)?tivCd!x#;^GO7$Wm3e+fD({wk=my`goG#eEABm;%%3eN6=k`GTl{ zmiU3bBTgBYpLU3^4_h~iG56{_=WBBjI_Q$eKwb%QcPEESZbT_2?heV?i zrE5-3`!PkTb+dOmm)mT2{sR8S{!wC=6)V-{V&b4jD8a|b)6mCFxBa}->ad$`$fXaO z)2uG_mI?R!ST0+toQK@M zm!(;(xAPHJBddlH%L^M9X|5*c*4pb3nCdoHv))DP_DLwd$C=iu*<4on7FlbrjJH;9 z1*rC83B zdnGl`!?)>|?lv23WFNqHck;XC%3FFlTTf#_!_Jc>u;hZxw1UZHU4_2pPUzFD)hBhE z{yB9?PTQ~9hk(OpRxI|FwsBJJgx2?b6N}CI^{aHXpN-e^t-w$OK;n_`gTF{@IE8A#k0cmCi1Yo63Z*Q zym)L_&f#{Iz2-aaL+9@G0Z%|cE6{Df0PxZShyra+2NVs$BQH~0KLSp?9ZP#>wdS!Y z!cJ}`c|AuqfQ(1uXox;Py!Z3?aC=5w3AQ~czqV^qM`PKKSDj)}T1xQS_sYvheYeNB zc>&vto3J_hdd0k3j|J(WUGcidzNa~@sa;M)55UY>IXeIa;IJK+P>d7;pS(u<>%hQ=88n-jSJF3*(Y8?fvwwjalV 
zTDco8LV}j!5d0}NrA}X%?!mq*QJr}XUxv0z86c%Bw+W`F*q_Pc^-oU1dS_K9i`EUA zjRWJYMhLJ53C-A+A5gZ=l8lC}uG+$5PLG$E&l**el)=GU$vg-%dvD3K%Cv|b?+i8! z5`nZykQ)8bw36=chaGU(NivTNUyNq_QFnGL>QB&_!L z;uz7$NLZi%|D4U5$yQxFIut_{dS=KWtF|Uqo_p$@k#pRPW|2jSArtt>XZkK4M*UK)v-)qWd~;gcGTXFf=nSNK!|}aa!^0GE2?*!(an&Yu4#g=?or`!|A9+>0&FYvg$v<3U?W%($QH*6t>sN*f zE==%5&`GS($D94DhN%8eA<)(c3wPjHvuG8Y@F^w?ZIiH@}8qN~wCg1Xc+^#62{3SF9uL#j!V%do<1U?ops)B@Q26N;XnQuv<4CTJOksEC3L(R?#KLjmEBxm06JZ-8ojdPxryuP%54nea?{eX# zzwk0j9R07|_$>{Gj9_CvG{znQ$E+pgj@4J~K@I7#MKzMgZ_v!|$WyEQ1)8N4_d?c& z0ksSVswmjvORTztk}PwP|AHmeu98F1b#PZ>Odhfl4y0@#V*WB3sQRp5fC6%~DVrqB z)98Osdwa(HUU~G^r*LG?kmoPcHOq`?`13b|+T$tM?(Rz1uUmRhkf(NfjAf`s(34zwQ__-}|(HXj8z!!vn_h(L{ z7gBhE^s0g;WA~MqChW|@L6>bs-n3h|^JH1;oML#&J~+#dZdBC8U4Oh6K=xNDU|3=~ z-8lQdGJbbOh;;uwcN0JS_{LvjfSYy0y?RE+IZj21>ten>Pw9v@OeX^*uJ?Mr zk4HWwxOE4}=NI%_1hv{N^Fa%yv6y3! zZhLb-JT-OuIbG&JZTVaX>>ttlu~gP!b^{5CD+G0eS&v-&b6v?ZGv*l1!^=O^&uG~M`+SXVTnFnU-$M$F+9(v zZ0p6XN4$O>drfRs3vQY1wRck!BUxL^TENIqyRPR;7kZuKp3A=v*L=>^8`tb4bk(n^ zyH%xX90uFRY7i8r-N21;lI0yI;C09e{mYMJzz+|b&*g(i@ z{B-6)CFT9Z06=NA0r`7*f$`|fWEtY?(Yix!-;=mbqzI&bX)9wC=uIH9J>qSZEDaakKbFN57g-w*p9@}L5tCZ?#mZr(pj{+303v{9_ zscf;J{pQ~IBoHts@d`{VREgLaPv&7`V6h}j3XoE;5EL+F3iAjK;vjI$6dc`6xUK zO4jfry30B=jFXce*{D@1k$n61)G?NXKb2v;V*GE+nBcIbXd|+TI?BDXHdRUAJ_F=l z3{{ZosPRw{54Iql=P+O*hFjPI@UOo<3{IFHEa697$K6om=vW z7VXK)IVi+mrCObr5@wheiMH7Ar@+V{JONUbSHTgGmQr99UO^r9 zrA`n_G&b>9qFz?jp0heX-URc9;^i?Ik7@Z16PNhw{7bNg=WR7mdh>cp@RK5S8Ca@o z2W#~N=`FW={a2nR#d3nMk{=pBia{#N-3j^T7fV}slnQSHxB|nZJkIG`0|RL{6U`u8 z>^NjLRHXo=pa3H{EGV{tMQy@qKk`s zN)rC5{>&Rd8^bqRRTZ^TsF`tsz`<6Z2+JNSkf6!UGEU<#aE1PQeht&k(Z*105P)ogdu?|5ck?)h-Vd z08#_<7{q-;{hmL^{k-7F47lU@>#KoOr&%6Pi`m!ONB^$L)`{r9LN(ftt7^Binll<7 zaAL1~0TqbFshvfQJEFDR(mQ^u8D@N)s~}!nxprRtXl~oyS4^dmfUoY>u9ts+=Od`B zrZa(0kOc&tyCO7G0&fBI_S}J#ofpZsI@;P-dm)E|&XlgQmc5!i+6&x!7?0k_8TYQn zqyD+$%~HKB`?(MLtyVRUk(2vrxhfyqqYIsuT9%vF3xQa@j+;#kd=I;Iyhj_i(>-6Y zISjmiZ-%wqtsFUgR_WBWUN%p~tR9Dvg&(=oHNMTV*M&Q_)4DF1z?F$73cZ&z*y*R- 
zjfW(QS$f*-=g!EMEt}x!lAY3M)d4*(!+Ip&*Am15EURsYEH!t}2iW7w9-r~#TzOVW z9iO?WWIyOr8k{ZQvQlpT$MxOP%n{>)my4`bY2{6)Q}X0B`{y?jVe@v+g9177WaUxt z#_r?KhT(OwTDJWshZ(-#ic_nd^MlD4^U3l`H&y7=HsXwi8g2o8b8a3PU4v(2t@9O` z)#n+OEtv1P*6nW6$&H73Vk`aE!?4;_ho;lr$IJ);Q*Mvzbv-?=!L#xlWe zyOn;dZOcdZiE=Afx~6M*CELzf(Nc;?~h5)_vm|UNB`bSI|C7Ofw22PpxM_O+qs`U zuB`M3FxT+=cdJn+z%li?BJ7q1pDA+b#Y#D?XIel#=iRqJo5rSzWcRomepoY3!L>u~ zwm$&)PR{R0Si_%tAr{qrMf&)7o%Qv4UG3;{-rnebw5B3>J6)ly&oh}%6# z+-_Larcm6kibgx(sQk-$6(!F^C--$7v~r)t=J$(D{hU! zN&?(5o3XO@_)&!IYHpN7cw{KML`Nu4Zeje7mFL?9MBlXkbo`CXE#H=pqlS-EXx@_bAEMqVy0U2N8m$;rLB&SJwr$(CZKGn_wrv{~+qP}&>_6wbx1ICS+j>}! zv#q)M7#(a`va#4dH0LDH2})>Mi&fz+D{V$_iGGbFK{w%$8S;>xhRUX-a0yN`<(tkN zW$Kb*TP+y&2v{{E&L$j0aotssD6irfgL$sPN)9*V&zr92Dl6sEcq&q`jsV6zewU}4P8~h zidL&u4it5Z^-?(Vl8d$+YAIOiAKNU?e3Vnz33Bmb5`#&Z0@h_<6VEo~Wx2+M&7C|J z|7gcq8<|T^q#)ZMC=`JR8kUs_D;q}jSIA~a@Jl=!@uZjUH@g;wi|Oa9m!luJcbF_I zS^;_u6Ec zqn=iYjGB|r=>8k6d?8PgBerqi*8+>N8XOk`JJwyVS#C)bc|Ialp)IinNkCQ~Ay~j|WwwX5z8}qt zt-&&Cy=N@|!{y$4GmtZS0aI)pC(C1GiHbb4LcSf0DvG=8FPo!$^e-a0iIkAV(-W_> zJwFZRO_`9~blpBWPxMTi;szp2`e#9K@~vd!<^-!%_0~nO5p-6Vb%=Fl$ z8_D6Ni`Hc+#IS_m90u|;#>V+p;qU_n1Y67~lag$VMhUoq!=88;WQ%<>m5R}_1m=G< za9l-oX5a^fgpH#V)Qp2W+uAqkVw*tQ{6_ zZbKi*mAaXJvwAh0Jl-DJYlBO-sM$-A@wW zQJDEMjJES}Kk({uJ2y(p=H{oq1sD_3({>&G;F8J$K6YFAQSkY`YrIvzaNCc$&0USS zS@%RY!@nPQW&SKw>1~<4DuFliZhODc&FYwpF8qAt887|3?wIm}MhEn;8wGADY1Qp> zsoXWbsBxJbp$7E&ajx&WA0JfH@vj!YZywMsOr&k-we5h&S$9JC&S&b;UDPsqN4r`+ zAZ$J!c!ghZhT5rZH#n_z-*ZcCJ~n>HYF|ycO?h~IU4?|UK#lwHJzg#W^qXt#)JuR3 z(p9~mo#>O^yO+H@F7qQd+g|fv*u6WRPj7Cl-j+`mD2*#h2)vGkb&k~Fv}^atP$lFoPax?Ra1*eD^nLcyFM-bsQGTUgrAg7jd$r#U1Il>|h`o6T znnQs=O@Q2(o;e`4@ALiK?-wN^F(%b4jrrU(P~#ShS`x?>wUQxQYxF_9;HDUtX3I;dE)nhy3Qt@sy(A_~8jpoiplVlwpP$0M97l({6 zE#hB~cCN{Kj&TJdKFoNP?m(pw!umqP9P@P4(z(zLRVV8FLI;`$`#5u_z3 zh#=}RmYQSA5cy#>DXj98$&5z&KY!k@>8e(;18TUZ8`tn)$PDu}u~I^F7DY+75kkdb zQ$sNQ-vplclws|gjj^RY1HB_BXHnM($8+YVRI@9Xl@Zw!Ek)H!HUG(MW+CYmu9Dxx zw5xmXQ&uQ|43__n>#q>SR^jAG8#A>W#+YEq20>A>vecA9tA?$fJ0&Md9U%-c>+mQJ 
zej9Wy-!NP%=zn{LrXMeiDE{s3Uv@_v4pkiBcd?qo~j>*taIqfVfXkkE1fo#wh%Y^Gh`Bn4}#?55YvDlE2+>;$l@bS||(LZ1L`{ z>^R!;Y-lJo0=sfw7V5O9V%Rt{p;H=z%|Hcncx@43)j5g=y7s{DS1ss8aYJHeOz(HT zuZV`_*Mc9~w*%Kly~5n4T}gWI2h>uCXW={zjCG;$>-o@Q=%^CzYVF`a24G=`t}~Cc|7L{)s^(V#z0kjv&(O8xb|Z93~K=5eO;TB3if;A-Ffes*E=zRt`St22oD2YKi=Voi>@XjiX)xZ&f7` zBC>e@m3pVykY)>ooI1f`j7jJ~{9`dBuN7I=QF(e)+q=)Q2~pCQapecB8`o!XJe=+%HO6S=!5jIR72ErbeQg^R%Cj5#XgI&C$kLG8H2 zx%&8j<`UxOKP**Dg-BT>OJR7ZlNL>TD~qtpW6mLlQ=~EmQAmYJSf`@*eQPMJgeCD> zlacmeFjTNvEC_Ps#B|rC(%Ql-4oc>ms|D&S{AE(88F=LKE^$Cx*Ssr55AzvuO3xa z+X8%Bm0&Q2p)pANzRgRsbaQ^BcqR$_zi~d|0cOidy?B$pPYt*4Tz5vl4pX}EX}g_P z|F(6_=SD0^*{$70rgxIMaTPqhJxN8#ZMki8i51R# zKD|&mKsBprT%Vei=(Mi*&URY)dScY(d1*(wT>H7y?$CYgYOK&XO>B(n`tD zl9hFzsiBtew%--rShHM&DB*n=Zm?|oI!a;Z-dTLiAD|0ecRGdiqPk7%W>x{GMNd94 znZkFxss4Grbd=miV=72fU1dyTkWg}I3!(|&y?dilD(04-UaA+pgJ=^tG-hKhC z=G&$9MQy8+e_Si;$KW%?hhO)o*nDhXyG7UITbsW+d#1Nw_I2I-g8%7s()_^6 zzSVgb`Z`lHM%Vth!~3>tr*kU)bzW-AJJJ4}$hYk=CV(ANDz%bTHz%?1EfaSA{`sCHf<#7(pugGG|`k+by(K?9ulf~NzU1uD zfMs?1n9!V=3h8>R6te1)_S~R`Dg&BxHvPGdU=9|VH+2hI2P02-Fm+yT)zEn#-@#T0 z#ipyh*S(F#??Y>N?GmN$lC^et9Xed!uM(WYcDHB&@ZF~4fkC&tUW6?)Q+q4|EEM|9s80?r?66!W)DJ{&&{P4h*u&bSxlWJjGZj9lncaIxJ-x4re#S&wai*(6?9p#C&4Jvc3G6@!3Ad+yK%gxiM4XD`!^Bs1Vn7V3M#iMtWRo(Ev62;A7f}4VPaLRQ40mdofg<9j&X7kh?~9-k0;4DllJ10q!K5_YmGt{3 zI)_0CW+H2ydSIYR4;oe;Pqff9TM_5@r-<270-2N1iiEc)aVlwLN(r@-wdqNMHG7v` zJC^AdJnsYJ(xc>tMW&U@e>f+aov=pEj=veUkalgwN5e)X537u91P5*HASX$6uK&kN zW66(F|DlyipemRm9wmz=sv3;IjHNR!U#>9Yf)@eYLdw5i*4DcX!ig^F{8BEGM*rwO zNR>kCdju<6a>>C^xqo5lBwmU^(C+m8s+m_=VjeiPp<<~jFT9h-m!>niL|DwHHqL4p zb79WFzrzU}mT?C^wcmMx`h8PTQdoNU=ZNCWH9_3p2b4ytW-|neK-CNd`>vBE6O$Fu zGiYI$wNk!r_#WrS33s*ds5{fBoBd?)Y*ku9y1B5cVtN(bacS=YR^%G=b>v#z619s> z)9jukvz^LD-g+g7OjlwiG@K?0WA!_|A(oERxZ8qqDoT}S_ZdVMCi$Pmr}l7ptCjmd z`@5`Y6u)TY!ALg1A{1DK=OJntB`wO;sXJk>eQ<$q);@DHpF*D1XGolB<-q55pg$is zP$Mt@*a;Yp7PfX#9FHH1VTTZ77L zmA#%fQi*X1DUeU2cB+a)fWhbN?@DA~%Gq-v4UD7TKi8mDkia+)q$+m>W#h3yHvC5< zvT}DGxNOh(h*CRcn1ZtGLmBUALSVCDYO1a8h^k=cL{N0DPObpqF;HUOmhKd-$#Q`X 
zE8eI&<0&o`Lq!v%SXakewN6^a&aX_3=4I3raqB~hGRlx8r}luuPCd{151s{+^ub>L zVzzC2a$ciLg+X~y#xzTpfpB8J3GQ%_*g_IVor2{Ohht35Fh33dDBZWWAGVCzgcLUx zS&MxR8o)e?;>l_UA4FgFbo6W4dE|%Xk}`X)pjd9{+A6%ryWU&ueLJuT!t%cOiwOEK zY-)DiEEI%f?(D@cF*CA!xejD@oIQR)Guw0qcaB;#!eZ|H#DHEdvoL5XBbXk0RT7)Y z+r_+H2yMbs!HL|+v_umO8~1mZSbG7JwUJ9NOLl;wNwp1PKq}NvM?NiFxe!2(F}Y~3 z`ryQ{Xg<^ON7=k`qs?}tl6{N$k6*kourR1hFuZBemuODZ8 zOiw#K$*%=KoV#u8TECaCz(H}?QF`iNz|0pIFcDbP1N9Y1WPu@~A4Sk(0OT;a#z*i9 z^#0hk!UyaQ#SU|3_#DpiDLIu}+4|wD;N>CcZ63nw8fAtm^}$R{mzEaGdLGb8VfOBj z-0!}P+F)4ubsyYHZR6GuT4VRN-ZbapHJa=t%cZEZzJzrwlA58io=rKheQ4apH@-%% zXX@PWbnO)Eaf}?T4t~hCYtf_;;kckcXBD-JX>E zT+by=q;^44z-=z@`SWL|p7-Q;BVgd09d0K8^Cah^a_jws+T*ssth%Swk@#a8E9dQi z>B)(AY};e0qEh>lw~58)Yb!P9?U_@oYGci=GS}Mcq>t~oa3sO&dAc3HlKW+$y9|5y zGxZVJdjh<9|HL;o1gnAsF{YqVbG(O6~B@PB^O2JCHbO{Ikm^!vD6Q_r_d9= zyGOX*g29Cu1XT3X&)k`HeGoKKF{3VP<^t74C(MQt<3xi}&_1~0Ac-jh(WxLpjXh#q z9OmpG1)7jN_)@EoaY{J%Stov@tgJkV{ME~M`^@@X)4xS&w6j z`$osS;jPuggXp0cw=fP-GS9I{m@(J))50i+;}es9M;AO;VvBgf{CM;HA_4;sQ-WX3 zo<6AyQo$I_CuHPJOqfF3DI{!*cRly0NLuQI*_=ef_KBTdT-Pqhl6x#9_=Ukn@bKFmm9I{fS` ztEGg5#rIpNmU^)t$E;!tQlyg=q`Yhi>$d?!n)b_M0@4i4^G1LUgF6BZt-XCASXMVK>7!p*(I3TD#3f44;l zR$CNl)f{&{m91I{va3jB24zvHS#{9D)cHe5Dl9o1(T-M;to391N_nEM!qs8=64g~J zR98jG@I%}FhPWoZW1RpGd8ukKkG}}JUA+r4KhQU*fT`6CzQ=sC2;UNK^Rl;1KhmEG zrqP16%A{CGL}4&_$g9j2QR&)*uFk{!kKjnozk3(IOEZZ{mNL|HWgOm2-7v)4w8fvt zheNEHr9sO1jXRP+Bl5T{(rmxi;6*6KVq;i)NfObE0OKgUEH z^~%edjfv+isspm*^*fbaWzvByoYn~MPc zelMJ}*KEo#xU|qv!B&m4dhWiksI@!>NpJlsKTfNZs8BL6kPLeHD^tB1ibNh>s$Uc4 zuk;u!>R-%L`ZFQzcC{*fom^=#&HA4zVER$A_VDAZj)mSU6QtgfvE{0|Ooy~q$FD6> zMU5>Hi@$`Fsmv{r6ow5ZkC2E(ZGLb>;syguf3r$;$58AR&=nBn&S^6YKTo=X zK6U6MS?NDvah@3~+U{J(!5Bh&CebWkjDw#x5hVUZ4pA3>o+wIZ1`|G(k}eLWu%$59 z#B8>RaUl{8MvIl<^V)q{=4V7W05^x(1{>VKZ;{(Vb0+=rRc0|4B{Ajg$ z+Mizf{Ops&_t@{!b3f(20>9q~<-cVPGBkh3e$Lg(P3wN)@#^weGSTYdwYuSL8Cg=R z?w+le>Ux+Hd#|wj{M!6j=41k7?%epTMt;1=@-$3PcdN(M+p+fr>v132nT1MqKQ5ks z=6BYx-z3GNbFz28&3yXw(FK8K7)~QccmXb>zu9zu3NFLt7j=P^K#`> 
zI^AdS___9*^P@dVdi(mj=?ktt7cFeH?1%S!-A~xrKHU#e!&2!xk zbg?HZ0M1;u5vOr4H#+ICdi~3P$FbN52Xhm{Ns&}@@W4gJvbncfmi9v2;(f4Rr#Nwq?>B}UMy~8 zP-KE4Y1bjQ1g)0Yz3aOd7oi*C-c|Ebp)A0ps?*@UewDVGC9QOqAc}H!JRB|w>o15z z2oBk?u5*D}2&JAE5^9~{2uh{~JrL~S^3Rmns;Tn{H*a-!DvSPr=uu?ij8d#`1gjZ* z^_aUVGs@@5ZYo40f)ka@UB(Iz0&9{ExVI8aF}{=NS;G2rN1#SaVZp8Ue6Qf5+{{sI zw>VFL^IT3|%fu5tT!c53+77?Q^gHjp`ID^hhfJx>*qiM??2<_faDjGvPN_`M6_RmW z?BYZD5Jg<3Xw|rmX_a>V5i)tsrY6P1b9N=je}tBf4cZteT|olF(uv6Ne;Aj^SLIml zZ^5bHCgcCTM)R&s%u9Dr!w0%EUZ(!^0hN#^kjH3!Q)LK+%McGt7+t85JBJ5ZUh;04 z_FSS2q{m$s9kM1ACu+zm??TeGWwT1fl=wltmT*h48^qUhoqnUjT`oF zx%D@83z4UWd@1JwRdFTocv=EgJmPT48p*U~V$~QGyET7%WPQ88Hr5K;5Y< zEi;jnm@ga%IP5xSM$ODRrluWV@rP#T_|voGeAfg9@Y6zC;OR^Fs2v^*2+I;fmVK)} zGeQu{D+-h_*{xi)snnDm!OZm8q`FO4sPFAX{z=WIwSr3FqkwdYW=v`S6bu%0Qxtqh z#)jcYaLY*KO{Z}=Cz_rzM(VnHW=tzVPmI7R+d^W`Cj*yIQiMJXHr2$8dj>w>*Wr%? zE55L4e6IP72oLDW&ABxwxnd-O;{- zyosfUEj9L)z!?AN@*}Kg&?Y?@Jnp}-9u(7W_4bfffl8pH1Fr0^p9A7q{{lJ1n(S4P zx@JYYd}&fbpd(x{YFKee1avJ0MAcQj2sVd1q9L!3?+9fUwVMCr6gMpvnI&8q$_7g~ zSG}2U%agYKlOcsbxl97tLJGR3-$DQNbNRBssyI+JsP)i1iLMa2!1Uu!5vmWpRlZ51 zwhXy&G6hF_0vU>yP;(4uI6+c&$FRCaC#QT!+_q$tMpM4gk-({ea_^OcqMie$PAPG7 zvi)GxnSOUZQA_C!mJbV9l(X%8u)s&e$6{{jk*Ku1`pWFU*U19K7&HSr!DW(y_MTOFXdWUUlC5s zfZc}LtGa{E0E|&+h7j-wZHE%!^E*+0S@DzM|o6ni7oNob7-KpxU z(<zC*i4CH_n4 zQScVqw727Cfg1x`PVcZ+E>7bOzph{L1Ongt8jB71KZ9tk{kYrj?Whlx_>X1 z+xB#?rolz*4xh!sFy1Rg-4H5dn#X6;MT?$Q{K<^p@hMx)&UNBMZ2S4)!ija_miI;b z>QA-q?DH&lv$oa76YAFN+jBBHLB1`WJXPN(|5Dyn^%}j;$2~QGaUoZ44A9zp8?)7x z{Ubm0%kykMRWUSr##jF?^_u;mU<>c{Kf3dQIl+W5HGloSVc_OIlk?ms zE4A4%{cEpq<)HNzt`QMN#Z?Rq*~eDOO54e)jFOP(&M(R*O~5hZt++s|My4i zx>dnQcPlm7K?0y6ztKJ9bZ}_jm^0@8yT*HQwOV zviIJ+j4huXp4%6!oK5$BWUtR70+@r`#dx8t-<{MuaOVN|QvbCv`IT!&@_p^5mklR< z1b*jSX3O60{+TM~J;?aJc6U=hW_F=Y`2NsHZwRF6`m$2essq^U|9*}xb?EA13*#aT zH!ACux-|VbB%U~mlkU(s3z`gb@Pd&!MiMW9O=S{kzBXx4DO{3_0_)&muxVDRz%*qz z&vcBfr>bLw6xa6WX*EWlkO{14J8BSl=BUyN=649#lkU!Bh?X5>>W*2Ryo0t&6|pgn ze&av>Cru;?a%R|Tb`LY?zgdPG>ywzXO~2iLM7$uZtdJssG78sawlZOoHQA);LT@3x 
z{%4D1QX*;m2QqabxP;_bsS_)Te`2`OU-MiG3{N_;CfF@0>*DjqvuEi*ck{a&x|BDJFAG6I@ zFH<2ZfOuITQh++&Tj2zbLO3?iBr6%##E(X(wB@xPG-VEV6gm^i!5vAg;*$>|GGcVd z7a0;-FVU!q%?F_08iG1p=;RG^7(}9yn&fjAG&SfQUO*(!ZLHhB)6cgD2^#NP*Pos| zsQhiz=qzhWI{V~+PS8cRWHTlxj!L&iU7GL-J8hQ@>syk9xTwd)0gLAj8~}{9Nv2Se zFkh*3q%2ThTqQ70|D`Bf{TB>Pf0{0kP~};2{1OPd%GxB0vSBkLb1dIIC(Bl8WGSpw z%&V??(IKx8O?r+j!iN||N@IMhTnSHUz3DfyG)jvBq3h-UG~Q4c+^ zpkRSqXdiO~6`Wm5QS%B5b3%gvL9#06TH`N8ML?2^z9hN#;L{Fh&DlNEMR@K9!sp;a zE(De(?+d=YziY=O;~S4gr#C zaBk(+kf*Gzy^VJ7Zfn*G2@FFM5`;8iE>|xXPH9m?PW!fZeMEsce`)A0i^L=6+PD>L zSdvsi$%}?7*A`yP^$vQ$drkCeM>PN92ZDm{t|RkxZO+Q5w?D<-0ggchh6?>OOscnG z1gCwE>5d~a7Fd!iG_@CNnkv6ICGsp+LKzlbV9kASOxMBwTwrsaI278}kS1#}C`vPE zG;_F8vCjNiLmXe0H2&q~n9T^WNci`f7*`}K%w@o?;VUz)p6?;o_|@*BR{=So0t|)D zl#!MT6J05c@0ysTDrSjD?LsbBjXHT(s-2SqBbroSF{vpafrUz_m|XP&bKL4yK;g%s z{W_at1?8}D$`dH^KDI~=1ByY|W$CVM621ypp#~NS1~c`Xp^^}pFvFa6lCtoAB^G2J zOa1hS&~gKz`#i2$7`@6=34in2AS0aRDu!#FWw^BqI=3~Q}qoT=IMIhYse|ATNkQ7joBK7iTrXQ&-X&o18z&Eppuna|6YkbgOI z1}Xh5)uNviAQ8B`0|q42M;SIi47s&i^?TNOOu?S<%j7U_?Y*w6$l|lM-_!bebkcpd z3*ai>&$-xs+@$`jDmANhKFO7>PitQO;Bi~$lH(!GZGRrd*OjF17>cm->lh21*%7*g zaB@mrzv*dprJ3G1ocH4Mb&g%o>_%NU$*x1w*zs5!wdHY44#fAn$eHkM90i2-0Q)?w zZW`}G-!F5QbagEAnZFWK?bH)$rr+G-QDebhG)-|c*H7aQ@PJRE+X7;}ACKo#U@wEN zI5)f(`KU3z<_DzxwJ;%P+g^kGX2} zT#pH!=kL+-6TfRBF2b5=;ffmIVLy`Z{*#L>H(oua`uDs!Vi4C>xe!&-l_MP;DE|}>6h{Q$b1=qI%$&Yxu4nCdfX1rY)lMB zU$=^BII>!yeOZU`>T0HQ_xvi6`M!0l^s?Ias(4oT?iJ48=krf=J>Jbf3+kMJ%_R7I zz+0!Cj-x{C;-AO7_ZvS0rFMW5NXKBI$*Eh$Gg3G17s?I&cn|lKTHJLrPN~)$+-3){ zIjwAKSJ9crS8e+_8(qu1j-U* zHh9Q-y#g68&L-&m7IPZ|d@rBbl4Cn3{bqX3-d0$VT)Xar@#kh{$aug0e|mcZd`oz@ zyPf=+`M-;nP%|w7(0>IK7@j#T`7K`wd)ejf87 z@*>K!<%$JA8;6O-Q~mit%i=X;Ph4^pV0hZy70LkNCtXa{vJ>rOBrEy$mqmbB*eEeL z^U z?EAQQ7Xvhdu^G0V8$s+i6n~*X9bqwL@QVnT=Pg(`EHbjw(4F)p%>bsb7jD?T^+_Wb zm8Y&3?G6+|uPC(51jDprj$CwvTimN~AUvsqj-Dg43q)`ToJf{?Byx1Weg8_6lpwfC z!Z1lNPn_3qUemk834#?cM`S4Hv~(+{K#Y`4xf3N`4Y6+wErgIaFUY4&q77X>o``^9 zqU+>h<+V5IUBOGSQcbKeDy0uq%@McDf{G8Ei%*me6^xaNR}k+mhXv&S6-bH38Ef`( 
zaM(Qo7kP%O;y!#|vaUTZuq1d6+-yozUjLC0OXZp*Bb`~I-cV?~jvcsT4`9W=(PnM_t8T*5X6Nv8!qCOjxkPQTUZ`F2b+K9 zTn#=_7kq%XAusbMISM-qoiIT8+Ot_#Zanr!2!;z|S2QHRyImtskeAM1CM^lJKHN;8 zdPPYnYJA^&{KQGXE9xl8)xp0K ztoQ)CTJ{gc3JdP@fpb{#c!pvDvWJ4st&KtJG{>3OfhR@dJ@ zig5@tLy7@vaf2|vDq{aBEnc+zRFw*@JLbMo=mu~xz$yf?Y$|;NIVJuiK z>fgDoNJeF4`NI|%-_EvL}nIH^>jB5LW>Ivq*eo=aYaPeg5Aqh$v1K4qTFb3SA1Kis z^UGpq@7zFgrtQhHdx1`kDf^ea(k~*VsXNdd`LVxp&5oiNDRqeT=1NkqfTCOhF^J(k zh`K3)g%xz#J`a`4FN$v*E9_T}eoScuoozayMY-EpTv&(?sV7t|( z)5~2e-}7FuS@omiO{<&T+b-55pz`W@mlEB(>rthUWm^Y$!1Mt%y$$FprOWM{s8`c* zda5z&rNDdmvK`f{&v_Mp{NX*5Tg&}^HmP~mj{X2;3%EDVt<>Z3aQzPvv3ukimk>=k4NKL>v_R|ol|vPw+M1FT%C%rwVU1T>glluP-R{2 zI!V0nbAHWAmSaEJwW(5q=K$_gsiwUQRj}1`k6CyDs_3j+SD)OhT`s#f@>_xTi@BSF zU7H;gZk|3jLip@w6>Ru*g1 zz|QE0<7kA(XD#F|)9!v1HM^6dYrvbA+EyFjz_P|=F^ldD=r;r0X$E?00NAWafqvL` z_^${#7mrDYz2x$bfTvvLc-6du@_^y9p=+vlgwLG=K1%LxY4N<$)GqxGzg>v?T-zC0 zlHt6i3*=ze`kz`Os}Q%oidf=CizTlLDL-f^@YsJdQ?3e*PZ4@(6%Di@Mj!Ucd;j4p z(D_xdNLfvgCq}W*6!Am2m>g+rS08QMxlea80RxS>tA3PpiQhXH3 z^2nt0wiQL(*5o@$#D!M>C_#7+K2<&>bS4~ zd0DSN^JJo|B1_Ee^rt4fvf<`j^{_)JvpC2cO^eG+?eqj(=5iNB4vld&b+&MqYIm#O zMi>gBNX)Q|Aa|m_TB@<8d3R~a4bbwDogU1y1wGimPQ4@Usej7RCo*a>D#3NqLI(#$ zD@mXPRIk#E#M4kh(!fa)3}SBO(}KE`NdBBuFA*vRIdEMGfhw4}SK-NCvI(~|HsK&6 zCP#}=iG4mJ=9V7yZD$3iN^FtbAkRB54>~PMH{?jJuk>I%ct(!L5lfe5BfV42usLMN zA6ucaDV_LJF1d2n5l-LaghG2;Q3+z*xB+jxl&Dp3#VkK!JydPi@`Wv1NjsON!S=c7 z7x!IUPCYCC(Ec5v+5`+0p%SQvKtDP}{3q5RGql;3UF{|w)0iN^RW3~|V}h(YE+y_- z=8vcTAm+@q@~cRYKwP+ooVl*%7z-o~#F{nWsB1L5(3UjWMg~%oEM-9>W|ycCekJ%h zFN2t>i%hg!I~JQVB9!E?L4iRrI^)|F{DW4ejv>$twX~uQM^WUxxJDD7VhYy8*VX;! 
zPLOs}LLb~f)#ez1I zx609B8DoT?=-vgy0>TA*goorSRILh5{2l%`VI6X!DM^jc^>Xk9o()K>lGceufC5zz zF&<7U1=opFbYX6_V~(y2)nA6|*!cu{C+Gf?|75^0D;L=`fmis?Kx%nFtHp6HMpi|N zjtXXJM$6F!hqCiV+kU&R%C9QdA0l09)fI&EupzWiVB_k`xPva1LLiq(a84O2kG{FI z11?pm7q{+Ju@Oa?*v=h3F;Z}_HZ#?+?pd?z3=(s)AOvaf)eaOv@FtGJr8W)Qw8f92 zH5RHWE(yCnRp~XtXTk(3j|LNH>7eAs_83Vp;)WF*xM4iAF(WmE>fx4R#YT+H_;9K{ z4x#urJZ|4H%8#Ylb{a7qRtIu!7frf)7qivRRXc9G4|D6w)3+pzG2R~SEMN3iv2wBR z&iNjhRTm_Dnv3dm9`p57dJS^EO1tDYi4#>c$Jg!qtc}m?FM{Ga50_ghoad**(+ag6 z*@X>}sD`6RzC$lPo1Up5y53Tnkb;$ZoPsJACJDRs^6cvf$jx z8|T-ApP0Uz&!z}4PEtlz^jl-$?B`3ZXYLcSGS_ip;y2G7%b zK_W@=VNENZ?*LSzr(93#(WTJg(|4C_SK?#!mnx@t$5#z1+sD)1xa3jbgxGpCO)X0d zJEq4;>%}&3i034?0kFJ+tHXQWT?vJb*{k`sw6pV>nR>#pksVvxb?<`B;{!MkWkus$ zrv5z5)=1Uy++FZn`?|wj8he@><_l2e*sq<<$G^}janpJ1xZCsM5bI*{(?I+Fy|Et} zukCibtzKF><^hHdhahP4`IQgETn%^9)qrkc>3pqJ>S|q-M8ZH_x@ov_C?(f;XwEK+9ZA;=jO~dHT1A#ffUMt{V(`TT!+FkBz z?517)BtrF9CK7D&moevDU~mNUTg0~-pd1)Bi7@3y@HeF-wPHxn4k$e@ zP8jr$UR9{L(rf(_DAyp}|%JJg6% zd7sN|-fX!GwnPt-3kv^3<3L@YgHc9~@OvF1hbknRjn>i~D0k9NEak?~->_^4mh@Pb zL=ctDup&y7sQf)9QG$62SVv^GIqADBHNyxA(c&rC2|CE`sy{#8)#1`(vRpq?`ekp5 zb)A^gNUfGcsf-ddNGHLpk@FNEiFC?5uesb+TDu+BW3Xj8p%1Ujza1dE&mh2yQ+2cG6 zgn`ZOIYYE{TKv}>*~aB+UwPVy!wcG-MT5oDqecLB_dx>XnGuC!1rju0?LWQb!}@h!wkb5!PE&8(8o z=AM`2qMe`!AMkK$FvRoX1@MY2j5qJ4>PC!LAg{@N^x~}Vu1!ec;EY& zdwueS43jSG_U`?e2%I%G#xj#^cVGeAq z1Ov{l0DWf~iPxZ@0N3IxgwipdL;g3cX;{37UPm>db*k8CN(vOa*!8wd`~@Nb7A!8v~k3L}BO zYtL7>h+5AJlfWFWYgC^&!c7bwB1O)IH|ffqS4Y*@ldw2?`tIyKm4(>$N~t@9Sd{hz8K6WB-TgZ{{Nx_7#P(z#%ufiSm??-u_NDu3^9!@l>o{PYn7?9zEV&Vbgz7WY4#E}240 zBFq1--25EYmSX&)GS$2a-u6JWa$Mtl3K|Epv{;XfUP{?$c{txr?_|wPTm2lDr4GfQ z>|P$bsYbc9J?=BVspI~I8QhKuU7OR*NfpnwHBaYyBzleO_%K3l$16yrMJMjdA%&VV zo#ydbVa^+cFa6KiOgljTK9_Douk$IzNsTW$Bk$gpRjzaodG7Pvo?p*%zt^$dVXyr; z!-hb~goo+jVv;T}0Dq5w$;fBv$WjZ~eP8X`I`3 zFZNFH`W6f+m6|%cd5EabijKM$pr|+MN2~jF(mz+(aza!|8IU(s|lF zPRFL(=D2}Nh6nr*vg6pt^SlXN=6<`%t@ay<cL zd)D&VeroF@AAsL>UwAvJzSVgj{Iq$ybT~~Oy>=8c&F|G}4RtXU&4L?h4tTk*-}F4P 
z@onk+;64kXNUiz5n(`Y;%$Hlw>>Z>X4jS;!h>QIPXnM7mqMXH}ot-Vhdg`(I;J6?E zD1H5!vcYrxpgFydjEYEvx+Qe^8r`0KBf}LrBi+K`rkBK$>q7dDF-3Lzn-=)+DPqJ0 zT)1T3lhHgewU$I59}cgBU*IJVLZ16$MZV)?mv@siM~EOdaRW(222+oVsXX_RG*%F@ zG(Ka|e%=6Q!I}LW6B>@ZG-Uy4MVl&s42c%MFSA9ss#1VDknY5d01Gbpn_ojZ#Hi@r zCd$3gq*ce9sr7GNvA&40pkufT@k64Y{dxz7(+^=8X-+$+4PQ5vWeUnMm}w z>{;`q6?}tU$c8C6zeqOe!OBLB4sufa`i zyD=ppZ9>KJiqLT==x<0rqv`7PFwTzZlzbh*m`Ru{%WWTI%NvVjV0)78# z1x-+B!5j6hfotTtTkjR;Q<<^!gw5*nYhNfxwGDN;isUok!(1>VWBLO|H;&cXqWJ_% z=OLma1;N?#jb%(?-ZcvHYQ~KAZWhPT97QHMcdw2{#CqztF+c%|?|f z%AT7_9*Q$X)|j>b`QRsw)PrKV=Cryr2}^j8U++_Xw|>kVTeW_#m=IMtEcVodNR94a zX*NKyCHMEJV8;7zNW}`pJWZKQh0S^BB%$-m4DR#4(*}ZwceLf~=F#pH3j{UMg$;wH zs3O}g48cYwcPvKwziv~vl|bxD8@2X@&~))8;`Trw4o`MSV6Dxk)BT z^VF}T8(`4UsDGe@wB!_(STi{LMDP~z;3qg2ET0x%gQ4TG5Uuuv#?zi*C+9z6ej!2d z67~l<@*RUsNrc)0QfP8ZHUA*8-RT!;4!!k!lF&f(`^$nX&Af9LLLfhN9ouS^aFNsW z+Ql8xsM!$}%>I!7&hy%2bXzkrba@aSDq`T2SSHaSHuE=- zT-frHG4OAYmZ%frUQH-WXjSUY4PTa*0L2 zl%>TKjB>TnoJn*MUVNCAiB}-*QnFdVl4iMv_}Ua!)GRF}J9V~MWCeocoJ4YF95Xq% zjl__cTLBiD!kGshV|k?=pW6&JZANdw|0|#ZiNb-WIsfbQhaP*9FWq@q&p-Z!?>bin zC-?^?k{=X^_)B&UDs@2rHV1o;^fnzlFjmaQzT#D1oE!OXuUHqfs^w~T8n0fFn(cXE zY|pP_sVi%{6dD6}fBf6IRlof69B%qbjIQyTWLO}#0@-EJgZHg(%=l?z13qQrz69v! 
zbRX`W`#gjp;a)#6)k^p=0&~ZqVYJjZX#B|cZhm(A_Gw$cHuH6v^z)fSSbE=YFU(zi zi~fk={5%5Ex!+k%`_}avuJ!or@Oc;e73wu!2{F_p6Sw*-Z9az>t4Z<$K&`EWt~00N z7r=YLH<7c>_Lr+8+NRTsrRugj@zcSP)4NZX2jSG3?k8syy5b?4T)z~gXzR-?Ha&E} zp?%iJL={ZfeRTFa>NsBGGzIX==dCl+zw^m1waev98D^sU>6^4Kv$GKXuQ6{(pae|L ztLwXY?t|`0+XNdxuj1wX$NpaJmg6v6>1DIsNB-yCQ;*vX{oUfMxxW7e8jm!?mFpG> zO*QbDI@1oF*3Q0tMHR;Geda2{djB&0X&?Oe?U}9%k8i|%3^M4mgpe>NSGTY=qwB35 zh_Ynn&h^Z1>w2)l#_{p-@tS`cc`1B{>21#Px;pPS)^L*;3tXyx?e$Du?+o)hkmi~6 z+TDLm$Mv}%lMCnZ7qx3Xbep#Eh;jCk^K7W+eAvO(w!N9J0iLsR4(nn89*@*XQM_;7 zk3jdk{3t!FN6(E7H*=}AS>8MRH-B9>DjBlP{co4l<)HR`RiRaXh3Cjm$jSfpDKk08 zl)Z1io4?j(pvstX>nnGke&)`9*_0_Q;tzLE(0OzOK$3LJFM!K5h?T$fW7zpJB7O;$ zqX9X!(SIEcDhQxn;-$;;2$JTRs>897&Lm^vUDnd;eo!iujYlXX5BD1mjPbSG(frWI zhSVZYBH|)|R*Pl&704m2ReOH_ni#@NX$2jU>6%f2_?)J;x5+5^xNG*^!}C{*BT6;) z7wW@VwRVO+;QhNjTbWsfg4Dl$#`yA#F0~}g=lmEEN_exKf@N7a2&D-pIQ<-06=&Xm z9}saCixur!u{E3%u$Pql+6K`&=&U@06+sjpGn7wa!qq5>P?~7aO_wyp{3H9$AJn?H zuir>cN@N)KV)vuGJ{)pPB{3n{VP)uWz9*V zFn9pfxf3eHDlZiTpmG16@y6ELh9EEFz>1*NOfi*Cq18?irEFQB|DVijaEL#o_i^7( zXS`+0;JSk4EQp)H(1-+t%#X95K{7Cc7w={Az~t5#eLH6D(ASREKmDuuXAqsuw@B~r+M@&ca^y}=wV z+!T~g@)wtzS&qDK0wcX58Ov2`kInh_{VXZ@v#x@Ys%nmtUt>!3VSdZESpqxrIgRLs z44KI^bnw6%?B&X2obw6ykPbZYH@hygBy4WFQ;1+Eq#&Y!x@ompvbOI@ZSaS8R`GY# zd0WGUa5F#mq`GmigGtZ1ENar@dC1LDAG!st1oMR=j5~$tT+cj2IIeE>+asQeHO z)QegES<34CLW2}q9w=%M5lRAO#bQbxZB(tOjOn=L9%Q&!-~v^G20d&g#!yp40aXB> z*q4S@)H?!u`=wM_q7nrZ3aZ9hiHw|hRM1MS{F@;NNTO~vRJ1yB9Z0eP#5n6(sT4sj z5vUT8GFwyAXa@aJ*2&u*Q`GBUJDL4c_#D z3tpDy%=Lg$)vBpe#u4mZvLNKp5dET9+buMv&}(IKn^Tj}i7SW67;Se>NJ^INIAl41 z9D_JHlKO$2#L57GHtI`M^j5GcOk5hN&|X(t)R#WOO|6+tjw>XLf7Selyx6!);67iD zMPKD@B#hw3usZX~Nsb!Y2Lk$zZp9c-4hpOv*ygVV#lD4u>SiY}8rwb#Y1eU)pZ#r- zpWFwtMAFWR$uY2+sYN?x8Lv%*7Qw`+ioX3b(=8@}Hy#sMamyrKahsmER@S6sm%y_; zxC0+C2&9Rqp;??ymu#9>WfF6>z@St;W~USUIX^Bt^h=fStr`~Q%_fDxWv*J1)HcC<7)eRt5NE&)_tXznN`*8X>oSUPhPTC; zs_!@}Lv(QVuMz-E=9PcTp+u?+uas;o@+c!|_}~0=@a5;{i!4)>&_=A9cC~WI6zQrG z{OU0g1v7#@LP@&Pn=QNbU;R&ubaoAQQi{YigInoNIt2@Eerq7Y2${LAfW 
z$Bivx^(Y`O`xYl>1|7^hYokHTyeP4lYnr2ZnEv1Lvc*XG{vZ0LFo;-U_v!;CQy27R z1l_cipf2=A=XmP>B45!cwDT_iGJT_8mP>>cK|~oXz$&(*-HR)T`>7AmJY)HQ0bRYb zIPVDL?&eD52efkkN>XZ`keP74ZAvr|``Uq(Hh zYu;a2GC>w^A8Sip36&U2R~L;pfq>8LH0{<*U`^dh?_wurukBXX%dOX88z%E{^ivEW z=QHJayTOsZ&wGJ-r#lEh0K3_FDX#tYq|Xd0T7T32D8IjKyMM0~pU!NYN`%?0zo5sK zwdsi;8_cwEIBVxf+4_lGzv*MTVgATj`OyUcT;I@8&=2Rc|BAC8+xZO1)z)?&8CG62pO8=g*n_OiSklCs zVS-IC_?axBQ~^Akqj$LF4W7UxP2fJ5gy z%C?Sg-Q(C#v$gf0#q#t~>>W$sJf?KqrC$4*xToj!7N@`Dt_#<=<#SzOy{-$;`CI{H zwVGVjbq$8P>zr-7{*#Tpq`Dxn)4x2@?gGvF_1~aI`hysvK%m^0Bf?jds9paf0BrcL z#v4#17HG!*Cp#qy$UEqkvMNHf_caT1zN^+uiN<-hO=F5IVQ=bvEXo|Uy(8(;Ct)P{ zD{Ye+?z)_Gag;PSb>Q(c)7RJO_-~Kbc`hFJbuGagMJVzF-kXRMsg4tt&LKB~zJ$HB z<#D2MtrZJbrDd3Kqt@y4I}t-_y!od+ON$M3qItJpz&|H{*~m|AwWQDKDhb1%^j>A) zZ%c?&wdvW=8%3RdtcJ?TVq8b?adR*wq#82|A@*@LwnXZr>M6!e`*A0IMY>Tu7~=a{ z)qhiiBxC4?PR!Dhag>7NjmA)nl&`_G1D;7^c&zfm7s8e%49ZlU6;uLW>Bi-nQJpD) zunH~7d~P0tg%r}WI~No0(FsA4IXht)l^u&zl`k{|3##y(`cuLNX{%nTsngWp6^hOXn|d}!g*ptC zE`8Ue*6P7bUAmx=kRiyCclr{Q+h3M$Pdv&fqf0G)BGX6L)Pt&`*M^mDMh(}<82(Yk za|>wwK|O*Eb4>K2fK=i0uZa>}CX7m6g~%wuQaj;NRXT|EXxoB4p#)0edg6Dv79J!9 z9h8YqHJO>~-xL$u?+t>ux2}BGMc}#A+*xL9G#DZliAF!o@pS{8+{`tU-$_M(s$f>C zW=6-^A9c9?I5vb-VUUASY2m4k{2K6wQjrTI{S&fQF<>I=cd~26O}1gF6DiY4`o;R(R&MP&K>UW*L>*rhy8^9Le*e_Z{u@;i z@H*JN!%Q6p93r6nw{f15qBCFOFDxOZKb#xp6sGax8odTe;*M;yt3h6YM-jXhBKr!J za9&%LJLIHP{01cDdD>@ndrWGC?tcT+F|7%SjSM~TKW#ne(y=>Ofo9LSJ1H+ZpquUt z>ySw91+d%+Hqbc^abZJyNOE<7*gxk=Z2Xa@;L{O$D#u!7J0Uoo1Lrvz3f#oWJdGM_ z&Qx;fW{Zi1$c=$4Gad;X_Ekzcvs)?2vOv~2C(*{Z@YR?aU`FB1hZx$hXk*YIgxSIf zw6Ql8wW)G&RAwqt0UC?Y{HQ>&WC4%N1PoT*$`Z+Ql4X10?Rgg@*7=SjxHXoNB1`D7wfx8blqR3plNNAuXn?;yWJ~U!0@BR(`NaL<3V$}) zcu={fO~_yt-)O=IYJvQ-5wcX~z@O;_EuoU6Wy9Z3*__9o=^^19dle`}+*Iv)m+tTN z+EvVCIFI-?NzSg6G)J$j8h`Q>+cEo*1TLo-*1k<=EGR8gAcXJ>6rRRN)$A&3e*)8qA*>&d? 
z3&OFSK1jPYrc-G(C!Mc_y?3!7$GgfHes1oQTQ+&SLw0~mYL}gzYHEdEqrc^5dr$jo zG$hIwSMse4p(UsC^YoeIsmmWU=VuPMIUKUj?OZUK-Ud3OY~bkNrvY!E&o&;W?6tPI zlb;U;DeyeD61?%--mw8byXp8n-hY{gyE1{h!{!^?e04C5^OCV_wYb%WdXCYJ1JC`+ ze!lOUTR_)h;C8hg*WfWttK~4DJfn5JyO)sO_h4|-FSc&W{E5fjvCX1q;w=Ae%8Ss- zS{&GdzfTr5*&+>**=6Zgm2H4%X?MQrW_xo-R zws~pgo`jmd z)SY|RduTt$`l&l$bG_$0WTE1h)AWuv%3+oD$88OXzsHrAJKhsS!-J3W=05CUOJ&Pb zY=`6LbRz>n+l6YVcjZ+IzwPAR6t_#OG2y?f52TaAW#%LP=jFMcV0*pYhKfee#a)l{ za~90fTkoy;CHNW5J8Q?q7peW3g;nTESbD!Gnh2Pv-|f@_yr~f644p9VoV+=vD=X!6#R5_Gj^@`3{#x($KyUMZr7y zT5E(c(lAEjdKqLn<9Sl4&KhCMvA}2r9c9zG+qi5!(-wZI4`n8q1bA#ZPB3OufSqV( z*`NZu*|TIVa{!pJMNyTXuvD;2Gf#Dkm~P?E#zH3{g=Qz+l5mJ*OE}pcQ>O*Dqzjcd z+0Zgl(;}9C(dcLpap+K@+%W1hK8`b?cME!qBikWadqV~0^}2~i4<^4jJPPKmTPv%j zR5G9~@`D4qb!0sm8Bup#x>Ro7;%%2E%o13w=SL(P(nMT4HsT1a=A;Z~WxVxB;1i43 z&SAUEMh{E4b7RjAaEK1q1*(jWi-uz?#t&IEbV(eWe_`+krXKbjm3M&H z3$+<}XHTe*X8SXAYV8G_LsqhR+O8*VnE6c^XmtwOE)O2(M|CoQV@6wTL~jpG)Oe;8 zT*P28to92#LzUC=XvzbGKj@F(DY8;l*)((5)Esh{=RUPoZ7NxqV@SLM-v@_D`v-RG z7DZ_$<4E|}`Wh8x6Y*A_9M>T`M1L4kklJK?BtVwlsisfN-#K;d#~X3gws`0BUbf@u zsr~syPqtv?Y*9c(XKR(k5(m$fH;0Et6pp^uE+scdgeL_}sXk`W&UoR1Zx1g=E)gN; z04!%a`!$<1%a<5==dppKMp3^B9jC|Ex0fZ$BUdu`6?gKZ0qZKtyaC~ZV)Rqi1Bsec zJFOb@!o38d9aFi}|7@f*bc;aO?4uzwQ$GxFk~gP$%u_TAi!cTXrJk*M>08GL6r`)1 zL_}IftF-X40n{a$G&l%BCSY2eP*Bv0WXRlXu!ae6rPhj4ON~oGZ0CxWnHhL ze);O=s59D%ASw9c!H~n)zKtJOSQ>#gYIWZ0L(08m^VeUc*S-8yQB7gCped zOe_{rnZbT>BOP{*Aw;RhRh!Nwd{HBEo;@Z9Z%ioYT*&w7=#Tmz{@ax0etKz>^ZX|u zNGZIA*K`bE|O_bMVbN`|1Gau%#?Va)UPPWlaHWJ zp`p@`qk7CojXRoc0IA#$SShp-z$4*vD$!F6Sbd4rMbW&?Xzhhb*>t+xaPILup@yODIgH>5DFsx~ zd%m2O(l@53y&qiIgk)d>dFC3o7YLsx?LZYdH_4agt?y?_bm!Malo&$ zXg-JE?@nA#!?7AAmFF&qizd7N(p?$R_gT&SGS}0q`bf8i&HiCauaQ>Yq&3HTf0ic2 z&uh8`z_A6moO*XUf5Ba>fZ3isj(W$T*;wlEb+=mC{l}C2lr7syXYZfrE$aXJqR;pF zhOgEMnw;ZUJ&8Ty^>?iISPUs8@LBP4X7Kgs^`(hDO0}l3^`-2%!e>_Xxai&DdpT}& z|2zR6P4)Pfs>?+YzV^2B@Jml_`Sp6O(LGekK6!bEzx8tUtcmCvwHL~Hjd|@IByZ{* z4h3cOWO`2^JKK9n@qK771`#@FZ+d`MPq9PoUd>1N{FKl0Td$TM^D$ezcScyI{Q8#w 
zd!HcdcTmCyOfX;r1d~$@dKVh%*#*QAHbLw2fYL`yU1?=8+0E*PzN{EgprhwlD9rX% z8Ktvd30)GOEMHOd*l9#xQ!*(sr)qvwbOj?UuwSf38)ivg7#VQ9VyR|g>m8%mFy&%N zl8yRjtjMS;Dh{TgB<_=joPHbIfH0q2{9DC#uqfi<>`_BY!-O2fP(|MayC&P7g#>Y{ z#q!FBCZYl{66)FZ48q?!bj3Uiu&zp)Y=}(VgkVg{w2CUCX}>z9ytsPkSajTUZYNm3 z#hyVKPBa&Vjn1NSXB>Z!VyI+$wbHA?crnnCl%a$T8cmFGQgIiYu*UoKK(CnMp=VH@ zqZyW!Rd5iStVOj8{P0SwAzq?v+(~L*mU-1216K-C%2wuXw^+XugDm(Wv0+0NM69#M zLZua1i6Z5WJlwZ2H;;|5>f-bz;aw;3qMr$;Mu92n;(;X3z|Nl<=VHiFFVc(V2dIL@ z9}u;gZ`UWDpkU_G@is3hzOR(hBs=kuML$C$s{i3t6o$@L8HSW<64EXREj>M0Y?`OJ z6A2DN^urp}>bi`C5@dTYW;r~69(Zj?}-r1<)?k{H)+-hEojQI^xg zAuYJpNyRV->rXcnNv%|JDlx}#SQI0ZX}474I(X5o;*w1k6C1EZWC!+Oo+Z0e_-6Qgm z8o0rJhaW5zb}U3@#P2j90Syk}bIeF7F8)p9e@;Kpf zslb#SLMNM`!xt|rtobxzW(J{}L`Bw_klDhp4Ygb= z^AH8Q8m;zN9gBpDtA2zl=181-SS1o)C`hTTG)!8cN>domhxqqvashvN6fG@;tyD_x zvUo^<4};Y;Vu89&Y@(w|ffWH6k6qAaCPp{9xGH4*dqCDdV{u61L(jiIy&8tJDz>DBPhz5x z@o|lUjJX*T7QG7C z0gP9kzjt##I4iu%8Qq9G8hhqD!NGU#?PnAu;J2(nm zpXF#mM7_<(<%>)d>ANs*f^M_nkE?Fm!n+u)-PB4(R#f zjkaq%*S}?Z4`V7i39a($RW&epXRlHIlJ9@|vmYwf)xU9)kEh1Fmud3f&)5oW-j2O` z_YI5%a(g|-kGV*^C&J2wTAz0Yz!o2_#O^|`xhX<|RCcvR#by@f`!j_wvb{AIA4Z_9KlFlW*SAS?tr+uIAUVHzW zbLU)3muFXhEw5k0n%vs@v0cZ!6!4w3ZF}-zA*hx14PnaPs@HqCrtVgSi=+$a`;t4= zc9*P6I8x~lSL6NoYQ7C;{$bPCghuS2 z{y+BgZwOKGShe+mp8)0ZtbWreQL<9z4~h@-+m+8dwsR26WG}ON=1Un1)kDF{v`PH? 
zFeX~l$Z50DY5|hAsv1miM=+mx~ZXi&}7R{{*k8dj8Os(1HS(>+|2w9b=;AFA({$Lq9X4$YYm4S&W{f8ks2UNpB^oll_JHN;Qq#m;cZ?K^D66NZDiUQa^sTkk-?W|sqwZW7zY%&y` z$7Hmo27J@Q4Ho{DhKv3Z?FJ7akL(Mc2Md#!z*w~%-NDrvM#Wzo3H`N&S7$U}y-zwJ zbDG`26m|QuoE6r;95Xi=VJ@7c-)aVt3W10R$$)O;LK_<-W4WG+*3*XdnW*1}&S?fB z??i1MbNK&e)lofu|F`pMCNWwAm33n9cpstZz;<@6=uV2vAhf06svP-8T!su27i<&Z zW}suEZqsbcR;dKRmD^}SoI1$YCgzjL;S^~l1p52MtXeE7(}`1`{(1>s6!ZK%bidKD zJJAeX zUZwU*KBCKR)FmP~NztvzgjMq3K~3EfyCg+X^k)_L2X#fAOxA6$9+G_mQwu9!VKwauv^ESY3Ub9cvpWoL9sS^~ZMurx=9ch4@?N)wpeNwAPs08L_nx z+nkVx_0Qi>F-W{+<3y@lxincnE)<}r?U+3MCjT^&#ktc=4>%VR{$>~SVkCw=-`0|3 ztx^tl3m1C1Ko^_>w19y~G}DsDG(lG2L(AtP&OYPeW7?B!uh;4wF1B%7jmI)$wb;k$ zwsJ@pNMVC`8q?cut*_7><$MrIGVuK?fN#DpVYxWbH>d@Wm)0~rm-_rem~JqvqyZoP zt!sX22UR<_y(B|p;pn6&5MvdVhbjepfpqTok8l#crVY}GDemd2yNUmncN9GI7{9N+ z+XCwUvQHlX)Y0rWo~~1`09f#XtbhI?yn)_HzPMde{&BSdAOozBy>F62%U{o4WbWq@ znwaN{gxZ=%yt?}pK+WaM<_^kD2qvEUr~UXiQg~znM*O+&qO5bvhSx)+J>amvbW!WH zS=-LfG(EBA<)2t6plwZ*#yr>Oy1g33sRweu-4 zMKy5K?9ImEiDR}l#{vB%(KvPQ($jPl=*F;l!}wP7&=u=9sq;GFKM`-Yaxa3Ia)K+@ z;Umr1ZF$L2PR5U=YWF#0yk-O3=X$b#dX&yIhBTZ8b;Nid7 zE?>nCLgVLjEMA~zUecBIaC~{pU#e}m!#?6KKVYv~%D->qxbXeU!SR;jG36|29sID= zcA$i&%l*DN{1$g~{&Fwwep##sMtCz1UfRv#@v=C0ldCEx%1#Z4_XXti+~vHj`#-b? 
zNpJe)Jw{8{=m-ODZTH#{f^nh0IsUm`^Gn^>e}8Emy}66+X}hUtr+ea8Yd@cHKUz-# zntx)vkZBRxZ~1+8uhncmaa7vhRp#=tKBd{eZ>N_7MOW_uU3K6wTM@|J1eV#TbkEF=WutMyndUV4=Fwh?U&hI?wp`(@mTLy zO!+N7cbC8AtHh^v>i$C?prvP!>D#pV1&AF8I>KcBgaYNm>p6${SmmG6Tmc3fxapl{ zRWi)#{Ac}3axVazOH=+Pa#Chaiy}Fr+6SU*AlnX!PvgA?W;-{72*!)Hi~a|(M&x^I zMPq{#Sy)?SS;iEah}rR5i`oQ2cA9E#3v3OlYau$yMoCK%^TF?S@?5a+QoO9x#jJUF zrzOZSu4$n+PU^BxWkV_@&4TC{_=?S?Mb3x8*a7}J zJUKT7S4W%%GY>4ePtQ#$ypfY!W`dPJ+#)q=`_rW$X;_9r`bUQn%8O(xC*A=!ce$fL zo5v>$L{)%o`+A$1HA!0(7C2DwJ)H#cHsO>LAHij&cVQoU9{$*T&t3)+AokaK#Aq ziJP4iCDC6gI!mMG7om!>qe@3|d86VV<*0aPsndGR>Gv~fDPy<i7KU6zl#TdAyCke6bE6DSSjRvw8=;H178n-;*!S{P!S~jK%s{dxZa>a2T zZbpb1?I`bB@*y-dzM_V!*;s0&A(1BX3P;-t81>lTy1cAa)X;>eo|P*sT3t3vGPy8w z)18Q_C2y9Cs!M8S3A(la-e$1?jNg`{XCm@yi9fUDRC-c&M$;P!6 zJp3S*Q2s&^$(ku3!wNwy!pF*H!rh_3p+bc=6Ti$zLWP#tF=jGA8*F5Sc|K-adlvpq zN^u=hrR@1F7XPn6M^_Sa`p*OgTM$P$($80vw0FRhKaG2{OZZ{(h@^QDWq;Evwia&h z96K21ZMEBc?GBU-b&Kv4Ys620>S)CL;+RQD7*H>&s6bJ?(3BQ{yejndJ)bY3wdCn*~_m^^F)9FyJ*cKVhZ#L+Tt%}MhP-F$HKUL{@;9a@)Wz0xd`k`E^R z(_)*y=c;DiW`g5S#O4VP!$J`xA?fLB2sjEsKIAyb#iJU|4)_F7W``(+Rr!|1s1?k{ z?zk;F;N;k)b4j-rL8b@DA=Gq@mBIAknjv~~%GeGSqtU;TY+L!N%F>;*og?P>nF|t- z`O}JXG*8q2TVDPnEx%d4qHqI0pG2eN-(vON9#-_hLHXbD#1(dP%fGlH5ud_|uu=J( z4_7sy_D)5{TX!LQK1r=C@5EP=jn zs`AUP>Aa^N5xEB#&grXuseW7b-qQ5k z)a>E58yDWjRlYASAGLh5^BWajb)y-_%x&C`Y9x5SSWRc6Z(O_}T+%w~qX|Y?IivUX z(B0X*nBv}xvhPmvx!QxQ(L24p^xdIb?KV!)YwtK`KHB_#_1(AZ!y-Fb^?j2pBGtBF zJ>!-ofD>7_m_O92FaXBX{z0Qwx4H{Ye& zPK4V55{legJF80ueH4iM8P9iaie+3MjwhR^@Tb^4f+pZo$kA1B&1|Px;>*!{o6n3t z9!R3?lcR-y`=Quw%{CUO{u1>Ds=WbKwt?2Zw7vgKazB;Xhq0cT*FZ=K_z21E!MJxC ziC=9s55)C3mrh$H9ADBbS`7;PIqF}QmYWvCGc)`VQ-w7LZR!rjB1hwp=jOaR(Js-L z!`GZQyX*)rsp%deQh3%6`=`j!fi=;yqb8#-j+Xm=r;qWXk$30xQDxnamA=`7SB!VJj~jW64KaL=3-oQWLUSVfV~5eQE|0;cEsu%U%ng_ z(HshEo0hVY>5rdUZOqi^FJh*=bg4YX(T&YTnrBXf%)(yE`B@jGSO&DLJA#F*4oK?k zp|bMw=|6`^HM%!ZNM;N(3(K=|Jv<8trn7JnCt4fQk!h*jYGGo89N>$RSQ9u4s|tTR zawWzm6yW`&GL)hTO3B6mjtyiBkV3<&Fx-z1_J%9}1!Tuo` 
z$=8;fHcC5)2GvzcHiDfvItQSi8Bk@jRGA4{%eI%CEUm2VfLHe_nD->0?(WRYxpacU+Bi%*pd?J$Pa<=AweQaaD@hi zQp@>9tI?4N<)T1toAS}byjcO6j^ptuktO9nsQcN9W()M1k ze*xelE)+xz1$y8JLt&gFdmc7w=)dHbgt_EGg$i7}KI&CPWu>nXPC02?LN#F%-muT`J_2y1|o~ z5)^1f5>GbDx|Gl>rt$Owg0EBYwP00WSWEY+s7 zW_prKy-YLdD$glv4OMnV!D?`{Nk8d7N+y-MQGbMyOMHm^L$dlIDS;Gg*)XZ2(wBee zLcY|}p&$pwEeKBq%%Vi-a)h2bypwHQ+xcFw245yO%t6M+X11pYb6KL9C~FE&<(m+8 zKA&m`bMp&zMWUcdBs6 zg;kKVQxNhQI`|LzIQnI{dQM7`urG`i*twC*$i9=!LQckHR?h7lGT^^L@&8E1|DzWB z|NqotgJ~qU|ER^{5=o>~IKM&lpzSX^>#_QOq8`Mk{tQvxZ=C~1#1!UHCr)AZc)N9E_u!5KT?0XS}>=yA#e zMhx)V{-JKmb`>^MJN10LK%yjG4gAwS<~tk);JIrzonF10P1Nre>p1OSiuLSzEZFqg zNd{^&030V)jy`XrwdLtQc8X{1w0%7epZGPBb&%GrhS%J>Pa9a=L44b~_5I=Qe7;NK zOS<3W2=sSfJ-7Tkd!#wmFBZ;DLLWPile_%7UJ{=8?k4;)FFJ+JAWH5(yXM9pNn)#N zjzLgoRbPZSAV=?q8qETMJ{~CjZ99K>TU__c4b&{V2zsf&J(tjPnu>fl8V$si z*;;W=w$Bc-bzXyfY{o^_cJ^=BI-WsL-*i4W@^3#k_HOHCV1Ir|ukC!z9KG3vTJ%Nf zetNr`(lLw97Vpvby_iH6NcnK=oZ`N_bY5EX9;{CJfOG|GlWAL*Ji|-maNHHIJa4{j zabJJvGIsOa&7f)V0F|Y}Gju|TGWa$+%-}4v#^bkW8@}`(jB)(&@!fFET|G`isAYA_ zB~fg9nTn08WLVyK-!8V+fBwv>?0y*cozA^%e=>F_d_jBCypNGxd>hq%y7Iq21@L8V z?#_?F>|;>mc23Tg+6M5K=z`|%)UuUJ~)nDBta%5Lvk&kD2+{Tv3lrHbPOR2na@doLslzb6|OjXYC37h zY@sUr++z3uRRt(#5(!|j5g~cY;oAfZgNm~1;%!Ql!Zhz9^RDBrNP60#*7?Hwhu0z(9)7}ZRV_QQAWH- z6Z$Lx6Vad)-f6C7m?Mcd3#Z;BU!|%pczF@Vt+D?aT*x)R zSW1jx^oAh%8wiInBr~&-*oPm)YavS+g$3z`F(+yqzp64Ddf3eu@&zbIKWfBVi#4a> zmI$op^}`Ka)8!Aa@>HH=lp5`z6*EILH&#EyzZ zrWiZ+TvTX|_Q^`f?|fo?XdhOjC`9v-InkwCL%k9SFubgq-I~dtH(1@twV+hqy^w9d z8;Ri6m@7@q=Ov_}ChYjvtv$%H*{m8cW;!c8!7gPuC8@bSP{x`~YhazT$S&J8l5ATy zGtoqCfQA?82!Fvo7RMy@P~=zT8ux>m=7PT_`nM6W;_9V}g^5$~cgV0Z>pLapTlkN7 zJI^vU85Rw}ezX(TNjL=NC@?z zgOl1<>1^9btqT)HQGN9u=cpVoZsI8idUvZboBNF}Vd2G*r!OsY7iDuj9j03*5+l?I zs0+;?Ve8PY1nEP=khgzFTq>q~4i4r+kt*U%!+{LeN1q1M*35zWJ@qS)-HE4ZMTLt; z^XUQ=Ka;avX;bnW&QFb2jNG4>E|g^?NhWj>EEX%Q8BvI3{hW~1RY!+3Y4rmwIZhrb=yK_{t42UF^sh-_ZP3Ghs?1Oi{VP$ zI>Ey@ipFJHaFH9V|L_o~h`2_V3*vr03OX&j8E2XN2PZzexwiWiXZ)|1?>m@`d{_Jr z<6Uk46Rfasf)p?$z&a4}7s;-Ekt_^W9;4wg`}-Hknt;an97YUk2+yUD1B6?;%v!F~ 
zWGBrsagC!tN@XOs;X|rM2!#$#tewbSPj+~`=51D#YL8LDhQ-lkc(J?N*}jILKGxFtWeW zM?K>^1INSgT~3R~%W)0}%=7v^;K#-bChnwmZIRa_K9c;R(~z(=r(0J^E;K=h@d>=o z2%cO2Q1!!bbZ^$9ZnD?sbCiQghs%!R@Q;#;3!biZ)}2k`*K795X24<42Yr{4?Lu)u z5u3+*hD+sBK+zhB>bC37*X3}Mq$%&Wg^ii@kCU(ZrZ6umWv8YkQu2(6YQunekw+zPl%@5IE z8|iv6&Y7mwcB{`IkYzKM=FPf>%$Z4@2*2sO&F2$W&TGpE|coak_^t->M@e`OjUdg1ngMJDG z7;UURt%*}qcfs8Ng1iL=y3r=BOvr*tQ+F!BXP!xpRz0gzLOh7nTo@4!cTQ0_8r%sd zGS6CeQcOKAU3>zsMeYx6A>m$@@7OD9INOALbEvogXI0XgK2;x7*dcCLCbf!Za{%cQ zEXOovubMR`ry0>es%{aLlXL_WWwMRT(f5UhPGmCUX~7&cTw{k+>!)As@h=0lIA|JB z^ol}*s8`?Eu~Tv!zuFAs)Xejh6MRjd&FVG&#`1vv5b`r2=LpaB-aWi z@2ZmD_b>Z2zA5>j$nEUatukRNq3`Tuf#ProN%Eovf5> zsUB}6xgBp6&xE4jOnj+KgiOJ0gf@=gktm%jkVY$~vgSb$;&7i;L*_|V6k_+z=W{4s zO}+A=QJ?*B2l(9nXlp8F8FP7Yx0l3nvDy&2T)oryoPla_-G0 zpobq+l^q9lyoj;qvgVU)T&8}>KRX||R(*oioqiY6#s$@@){JL+q@f|53Xs60ML$DG zFc)5J_3bs|usD=-l6xp$qWGnphGmZzUnE~{bvQr_r-Ki%<^d3{OILwDI2lj5bIKvzEdFm}F5^B+o7`XnAd z^byE{@m1#`n*`q4bwhLGL___`zcaYxI?Bo1Wr5`Nd0o@uP_it#G-p2snh^zXNj^cp;&Y z^1I*#JSDO?qFjBgO8ZWe*n}8uF?4D8?8IqtmgSjL<=@qZAMJ#s?sNj;8g$jvrkuF# zVu3FQks%o@RkuAO2qm_*)yTMfbvG?t;(Kms%mDOfcCva_I@h}H zn~`AqcA~Y(XeGFJtS{?!NB_MxTtvHycW>#~-tcDhJT|sRy3DGN?4G#751Q3fJE*v> zqFNkX(>|Hr_8YOi{yTs)@w(|?-vpee+3Ya#wUBi?V*_vDMETmU zl$YUF_2?N-vbB2bi=L{7TeMI5k5a5=SX;Or11fCRIz0i&7ELP;`XBtDvuUKM@vh~K zdlUGbj^lhVB)($8&LQiI9k&518={Ts_|JhQ(PRSWneLZL^p!5-AtaY~Dj-RxAepu6 z{q={+)=O%kM|VQI)kIgksP*IQa|Yn-fShi}QTQ6Oq^rg1A|29aeXqTZ8=o1pFI?IZ z39p*owGf%a-hCd=?Za@g=aHh>Ds%sOz}LMyTLE+*biS#%)iO|V%c9*`JI$Tkc)+yu ze)50ou;OzecDQNm4}zcJ+uxd4p#OZzkIC_TX?AeZ8%mg7kCo+Xo5wf-T(kUoCTRFv zF3DP#_Dt=0C{e|l;srV{kljrE1-=j7kykBq|9z1Mi-tvFEMYad!Dmh&yNByreU|7P985ZZmxM0Ki+^OXkO>T z7CYJ}CggZoZO`O+&Ig;COb$A0*Y=DKU*|zmK{-PpoA$488{Z9oSlKJcDbi=i2P%7h zrROVC6e~1QyKjVQPW)kX;j>Hj9@Fpr@;S1AIEkhih?wM?l7;w&q$x@Y2gQdAUCP9#OQDVHHf#o0mC(rl zMll_mi}wjX2n0*9T#&f09&|b~!_g)UQFFGjig9B8+pKDMq#n zm$>(Cxgar!Pa0IJmK0x$=UZl3Y*9$rZZN1#&s1p7qp8cD}hroRBib=>N9682|>ojLD3`6f|zvaq`*6h$wIgjK)Z_GN@tl_DG`!w~}Bwz2Kl 
zOF^SX1=CupmLiQ`3T3FTozh7u7wj_^E7t)S%=TBJ;BYIaQdy~8lj@Yp-xt3_3HO(^ zzT6VPk$stpx#|~JqvF}$lz!;%ng)5H5$i()2(8W;QbJ&+5KDh0Dh)mUNYma``W*)B zwH6c>v>HA<3*4-0tWAz*nJ3xV)k+_pC00BYA)Dr_$X)6!9qWU@;>14k-wBKBT7e<) zEUwW<;E7;VW19y2rrl?U>9`5bLSUY|iFl>q~Y_<-O?!3nU44CE$ za3wvCUzZ4<@?^r#25I7laFD1@N&`Z{^@vBL6631okB1F@BHz`5W{lHubmt#vEFoon zQwyT!MTk(UOqj9=?{aP2_BnRSJU>bBV8Exn#^FalhGbV;B9oAk6!i}wH zXiJ(tcDgg5CF#)JQ?!63z+Av8D~D4lL@ensAXMQD3~tHSV1S)<#z)a$9?i0;SvGDU zj>VsokF2~#(Fj-PSd%=7iEA(xzRNLG9MBFCe83lLg0B$^+h>@sRDlwy zsKy=bj=m_NhOj2uXDQiWkKL?u@OL&h*HB89BEZ{gF?%z~J!(oyeJ&AQ`ab}WBj647 zWC59%Kpz&^IWIZvFZXPqV*oiUs%yOOp5gshgBTDA7~l>6NghVVK;wse+S36%Ax+zI z4;iq&n&$bKUU@KAb+eE?T9d{)1fo*OX1T0TZa9`6lz#P4+jucQt)s6D(Q~|fM+Cmn z%64_#Ze#MdStTLSqZgpgfPgnYyg@wY+4wFU*GoOs3@67%%@};0A8|l*(Ux@&ozH*f zL*&kDI*$CVz`+FP57RDH{#V$YF1sU>rmSNE(B?zgapq$43Zgge&MIh1cc;U0rr^1i zaLXrW0u#&Q&qUSp<@*Wd`_og>7GGDlTxnLj*Hy093h(8xq<8HHVeESPgignNY}eDO zx(6Zf9!k{a^Ni_pW=qxHhK7Rv0frM$h;JnSCAV8*#fYa)E z7?ZDa5|FmB4KR%wsOEEBo*EE!-VkX!zHQ0gbUC;fUg3Kj1uQi4n;fBwLD&BVvLg0l72;JvL!{f^CQp?tN7l|cD~!Z+_Gi6}T_OCIC~cV4K%J}q29CNw=cN7RIP z4yjNpStEd@8PS;(xD8qnl{OA(mb@MfDlPR6oIvb;UMe?txKYHx+NPsHKz!F)I#D zKk*+an)X9k0$qvyBqgFlT$Tp^tRGqw=D=4fP!L98h#+y=c~OhYCUvwXvsVnY zHVYR~TGJ=vSD~F?X@od$w1nOdgqkERjFu{P__-M~Y}d}C&)GTK5-!KZ1lDKZRw^Bh zQXpTTP~GR4B>BTm+!?YlTEA;QmO@;iVwe3)PX_?5cK!$lzN!1#OGg zPep`GGks_H%SFRdZn{LONCET*)@&K(Cj~8sg60vGRA*r{7&$ym@HY9gW&@^KyP`~k z7vgC4d~swrX?`3C*VOBmJ~Vk4TL>Di)bMlzKL&j9nq6~;T$1L2A4%2KjtJk39tqTz zONUEGoDqt13`R~>ZwbxiK{>ZKAD~_>aHx_`lRA*^*TYgTFEXwJ5lNyNZ?FjKHUB_e zl7TAyDi)+c{?JpSwvd}(o)<6DNnq@zEudtS3@y(#c}VbpiIDGJ3{S0{zaYI+2o>+< zZIjE*vT!;Gm2wu>6x1^ogIv==C_{^kTnj~fKf;?sG7BSczK@d9lKP!GTRZe=C__Y* zl2Y(1SJhvp!(1-NosIMQce;PVq`)&W{8qIh-ZH~T|7Lf8c~SJ?xuI5UU^+|M+tJ^# zctJlLuqpR6zXdZtToy&GPCi4dLD=>L2-x#b^$M*}BnsT|l!qZZFvWM7p6yVLEB%!0 zN}^B(FqD8~>fll~5T@+BwuanvkV?^| zyUl!)_Cq4&8N#L=jL}dcKWT~~@R+HksKxip1Pa7k`aHt)TXbfB{wSi+Fq1F(V`EA& z*czBEh(GL~qz8>weg;+=E!<}}ai&AEFjSU{NV-tG5+_TzV{3+kb$kK&(MijsE=w?Oh 
zQH=IWILe!e31nj(HMi;yYb|de`Uc<}9huvXqkw>b)8j?=_C$$5{UuIO|Dj2Aedu5s z;Myw0a1&_y3S6j(XyM8tys7^%x-&5De0@D0^<&mCz+vA4mVCwSy7eE0ANrJKJDvh1 zv$Ik=^XH@UemlX~dS~Zn2i@v>#VeAk zdfwkF$gIvu?2H%L)gme@&Pqaho>sfIrq6!{>>ew`?A|vgXInZ&d~rGI7cCv1MmGUD zuFs+P{9BK$Mj@D$9&ZzvS53?QD{M72jXuEL?U59oj;D0SI7AiU$@yn`F#Zq##ue}%j5gCfZRLQD?_>5jZ&eunI#6^&tZI{=x* zZ}b01V=HNZ>Q8#|B%gDRU8a4M-0$nnpp|({Na?rUY)%#4VnQ&U?s9)XJ8_!3;Eq*h zj)RBBppRGir5PYrs`g{ESgPGsE?otN zLV__02j((yi|enK>XV|Ogd1^G2Je|loKrcMn{eyJh`;8o^*1&um0@-BI#=$`ULn!& z|MJT}khkM4W*rI-KNMP_G~)d(qk*VVfzeP)IaHSYgIT44+s)TCfl8t)UW;9L0xOy+ z`t;jaoZoVQF;{h<9T&{04*yNcJvv!j?uIMp<;leJC@oTizh5l=HX8{XDt0T1qHU>w zAs*&#fUARAY#)?*K~uasD(XMlCE6nnRP&$Ut2lWDg=iOPQ<3G(jwE?0Wc*fc`t`fe z>byeV&MUG&!QVOMZp!B4d+gW>IEni2N0DYGwq1@btO8}jOX+&sz=r{@toeah3ujGIM2CD7 zdgvsLjD&*rbS&kFZ;CdJ_PJDX@O~**YVvWDbTR*gJ7r%UiO>?GbY) zj1?<;iaqt4^MoU>O$ob;`cJm%k|+2^kv{+$<0?1AiuzkEyECCO)^y+&F0VOKB*-Ln zh!YMb>T3TPL5CTqQYi!qy+C**UjOESgn5)gx5vu}wk=5Bt%#B#E+<)Ls8N~UZ%sLE z5RTp*v-=SU5HSzkwFWod!y^z$O(k$g_|~qMKB4~;cb5@!Ik1%0inD%b^&)sPzmOMABsm|R*iN34+cmRN;K8bs>2NLA`m>GnibdgRiPc*cNvHA?1Xe9b`yQl0oQG)7Z_xL@vIsMVX9A%|PAhm!)kgq@)I zTrl3^J+a1BowP4}CjnjXkMaAWF_9Te$c)GGRaP64& zHH<2j{S8PE^R$RGX`R}u8N=^5S&IkFB9<-6JmJjJ&Fah0KE30jrH}2DYLJi#p1Ey> z>Dk;+S&Xvw?!_@~55RY7JK`aV%%@UGGUR)Q6!K@BEX#sUh7`~tXYyJf(X9-{5S6Tmcz!1Fga%if7d4Z3E=s-z=YBV=ood<+-Y6`PU!J(#*6Ey zVx;2zt*d5xm+6`-MBOQEXIm?B+0(TZ;bnE^#{FuVEG~eW+ zWg~IaBgp*2%L%a3Jixd17=Ld|{ITG{4in>fsb{nGGps1um2DVAaC-3T&7v!@z8mK%A!uJ)->7lI z(C1^li9f4J;7>`E(UAqDewgfy{nq{nG*=lMv<{I9jKaj6t{nt zQ1h-vClw#|-C&&3#4bKXvmSK%^R^9Q#UP(v!ZrY8tQ$d(|EgN!byoxqI&Y%ycKkQj zRM7}dO#nU~w4aYCt|>!?q3glPKW2hRyTv}<_I!xT3i&tf(~_ieSzP3f0*>gR--L3( zXChSrL~bx18^I=0PkY{QNy$r9T;CR*C_;@sXy`tbI&<-fMS(HW#*-o9IY|wdi(aV7 zIVE9-PZ4)+xKE-LF)D?6GiJbry6{h~T+)pDRK&2Ms3=5&3*NB8xCGs(-<>DzM4Kmj zMPRNzNo3NJN;~LjezTO5f}(a4KiZ8gqwgxT`lZ{r6L#q|yuwK#lCPieQhkOzFRIR8t z^|wxoagRnl@{SBr4{|MK=eQT~r1xGj0IDQAYVJ!yZ8&1>wOU0- zAQrt!5HZzxx&TqMZt|a@Ip`miTpE-a*x$p+DR8Wv8lopxB3U-ZxYUPbl)lps6jLM~ 
z&<+y{X-NzxWg}res5lY97idt=e5~iDjDrhFVc|qp=7P_{OQQca9fOpt3i4C49mwB- zrjF$e_K4GwK-x2oHGnCkbDgi%fMM)Zbn&Ih*~Qm@rd%vbge9Pf&KNCCzAmp{d;I85 zlELImS;B?6Sy^kYTxruMRC;w!OOg0xC8J;+8LLsPQ1gPI1s@srQ?e}0Ulz6Lk|-Ot z6-)(l!D+yh$y_9P5g||3$Y;eJjzvN|Tt6&EQ=J~;- z0a{7SooekF(hJGbd)hr#Mhc}u3B2nPf!S3VX)5FQ3Y6(L9LhvF%=55GV(C#dnJdzR z`)cY}&k^d$NO0nK6E3tV^z8B2?WCdrm7W?d17d=tytwa4kM`e*%mK-whMOWAAz>0o zbmw7Wq^}$~(@}F80!0~GTSjiW5+VsbPE6L^0q0iAd@|&Z294GGCS1U|h#5bD|d>f+CYOyK7B=m|P!~mtWWE^iiWI zETmuOR~nn?x1s&R92dw4_)`h~nRW4rbkgZH$7my23KHM5ZPR9;Xq!cRZ2l*nJWC28 z2EXU+;|pa?12$(Ff!qp#EuewgV4=8>AVI z!WNh+LLBDItwW}iU_D;u-gOOjSFA!G-Bg$~H73%LS~=^x6!j#tIy}bwO9}vsZ z7GgbVvJfJ~n>VvW@PhIU=#*t!-ofN9&73OZ&X6s=@W|ou$uX#7Q0L|3KZ8%9ESt0J zq0BQgnQ|$?)Bl6_FTtMtsk0Ur zIfpH|zz{X1u0&Flh<8kY=7o<8_UClViCQHITq{$9t5<^3#9#!TCJT1(Ex&0NkTj{~avh=EVyj?ohSP8i)o z4nHUzi9oRGW82!t{%*qK=OOETdyAp*mzn$>dJFJ6tlI7U*3WO54RjrO>U+w)y&fk# z;Q`#2!>7_|dhE3Y1Yc2)wx3eQr$ReW6>QmQeSSU%fR&7o{03+oz4i{497wj#mv}Qp*t!sW z4*uuLKZ)9PP0qfJWw$FS2cE=y2O~5)-1AXf;-u~;+wcd;; zcTR>`um|4L2IRs_`?pWY=9iU|9qllk4UYZ8o$qyQ-6#ZWn3y9uM#P zUfiB8n~8=P`2|rzFZXJ<4acJzO>OsVpRmTMq^`|(2NRv8o06Zs6CwaVzht=5Cx~mfM**Zb9f>M= zY5ZAL4H7)^XHbDZB<&-KqgMqLh)Pz2zblJkl#Kn8M39Q&qTP;q;#!g*7Ago;gS_5NJ|AC z26W8g-`?a9 zx>D_eWJVFL3>~>g=U|D(P6h;G6HM`&E|RCptfCPwI3prP&{s;0D;-s=$lX;$og0R< zsPSsUWMXh#QC4s?u?ZoSbchVqg}M3GSp1uB;$_0DmZ*7`q%g;ML#BUcdZtGPm9YjbJB!ZJZOdmoudSs{k3}&PU4?>UJogahJsF{f3NLjF# z3O$r^!eW$Q`1hTI_ZTWFGbo8f2Y(0*SJ9!BFAag_EIwT?1sT~HO;qq-x51qHvS~)7 zWQI2a)qU(wLGx>__kMZH^{%ugM9J_}xdoqh_TIz+?z*1JVt)@+M)H=z^rLE_Uyr3|i7&INMDtcEd zx7jzZ=7<+=E@2NuX5An)Q7P+f*dmpqXUSJ+nQ&^TMrP6rXlU&F8kgJ6>Fme8cid{! zQe^e4O4wxI3 zK~`*`2+MsQlH_NKYFIzR;7{Db6w0TPX_A+ zF_h7I9jYcs+}@~nv|f1KquLTzrtd0F9oqfjKn4+8!Gu?pQX(hhQqnMIjK-^a>sr6G#dn}U1YXU* zUr|CG=#A#A6=D8E#!`lkC9&uVQ=Niy#nTUB31smGM9D1bN=NHT^$J0PV`={RloaXz z!8^!y7wh%vktIA0cx=K?^M%IScRaCbL zz-~bri3@l?p<8@yibQA8>2v|5+4FI)smk&3!}v;5&HI=>+NP1f)oEFFJME? 
zdhw~x{MvPkR%;#&F2yKS?O54PPn%SCty_7h_&j%I;d-#_bUc&+_n-k*4=>3c4oQ;q zo?u?Gycpd+C#niaysvx5HSKWRf zaSp4$ElF!fvpF{oPs0u~TyI$&#r!T)5e_aqop0?8@4^rCVm59&A@4FilE%}V_A_QK zz`bq7WlMst{^Ok-{)c8%W1rWKHR>$)G2(5nwUcO0cCSJ54=qlFn<^oM52qyX)#+~| zN7a0H-Ai;llo}N-mqwqDZz())my#D4^kcLW)~%|a2jI?LFXt{Nym5RdZwb*Ka|84i zR>vOw2q$!}Pja;CxHWb+UKLK)b2FJYz<=l`<47~=4hI&|+}&&% z-UUlN>?T%Sj#pds+CBrkHn~lZ75|@!&Axm&vmlfIC&|M>EKWjm-40(<^Y9g4<#si1AhT9JsPxk1tG(H6j=m@+B27dL|5>!;lY^qT;qMV@_=dG5|U#8)VOky z;E|*Tjq1T$xZop-mO*^N1I1CSmov|`a_=vT$o+0Vv3;Ut8CXONw(%qTg$36@$#0E+ zqyMFxGxBEmiL@9-o!|YiKD{ZcoB3UzIUHrF686`TzxNguOLMh6EW8bi&LM;QE zJ71kngfDk6l&pUKb&U&+*ulw9T90Bra#o^8F{Fs9e<@E-nJO))U44GkwPhU}Lm-Fp zn_SJlhyMb@-!w-9P5NUJ4O*p7sW=1?^#%(Tkg4>oLXtGBe=5(C@u5b( zzPDy+zZLux1eU78B~)!Sbl@u4aUuf)RLHW!3ZT|)sGyTBCD_fn9 z;^KPS4O)&8f&u@t6X;pF5#|y;pj3_$$qOz@eLfpJlCYBVLR5YgB+e!k-!CBPXAAbU zDSjTd6lE>lH=*oHN!k5Fg@mRL39&?_Uk|;^MLnNcY)F8qYj62&=)rLGjXPiR%mTbHFlN8;9t z*hy4FanwP1CZ*y7$6Egm%gv#Pxms@&?HR2D;FA2>@G^d~{H6}Rf-&Ce&LYUQ*Tr!Q zC1wlsF1uoplqNquz9)#Cj64@=$Uc9nUn_H~4>lrUFopP&Nz5ru z=!TPwDP5Azti=;B!~sRY;Fq#YS^$HA(40;qhL!SED@JdTq*Y*m#*|c>V9ChXafKk} z5{RkYWRp;&PYf1~9Qxw-9Zw&H^;T*1;Ju7Xz5pPN_hr_e5Ubx|Xz*(yE)0PUDR|3Cgc96IUQW7>L~2P(dO{h~oFgvhrs zh<<#8gOpt(afQ}{4sv2F7iYQs44#w~&QFo1e!iN8T2wpIZ6YPX?{Y$e|I8pf6o!43 z(as^yEGNr|DL3QPDU}zB=rHDv#!hbh6)Vr$Ga=zjEl-;ZIkc^n>*GiSUk}G3cC|Qb zj75_ovncY1ShnFE0>0}frvD*lr)o(*`c`zNhO8n-#9rHOO8K2 zP6}@rpA{VTsnyoHX?S+6?N6t7-`nvA@3!Z-4jp^>m-T^d(8l{NCBHG4ckMyK%m{tk zzG*xyfUtLJB~m#F4UDZlVOBi!6jC%*Ecye zx_sX55fhp&`5TWW&AWXQ4#(K%*WCQgQ(g3YWK%t#@AJwlz|%28Yj!}fgEc7XW4ulr z6bdi9qaWb+c8C2j^*#{E4=}GlC3HW@MPJ_H?#gH!?l*8A`6&4de0s~$e97$W=RB#p zn_DM5B;4^?KQGz30|<|ld>%iqdc}0R>eue8S0(7$e-fs~@UdDgv$FIY?M>@YuaRf6 ze#~#V@S6>P#(R%Yv1_wgjo>a@SiUX#(YN#|C2_bEq|kjlWYFW1XVwM2fz&@i#Q+mn zfRBJ770?I&%PE!<+Fs90{9|cje1bxmw{H12sJzfpDKu^(GlQ- zu@z9Xn(DZZL#`B=s>v+5MV#ksu|<_zxDKOg@#>jS-9$~9H@RAD+^1KQ)*BkRG4^6m zr$e*f^c~aBl5TQB`R7?+{E-T&rj>ket0?P}5Looeh6X>gR5DMMRp3_@kW*i@_U*7p 
z*UE_jlj?bMYNt8|>h`F4K5Tv_qe$}tc(06_OiU${3`wY(g;`-GlCZ9DhR~$(ePEuk zvM~GVPx&anCHIhW{ifGdI!+4V7c9kSaJjBng2p%VKlTNh=q`^?ysMQ344&gOynjRp*anoYn0h3J6iH*7-A( zDx-*P>lwC>vVzAsOR3SDST^!RvszUKLEUNK6Wc4XgCTTr5gx2L>IOU1rO!olxbugv z_-BhT$}g}Bl?$ zIV1(~3*h)0)t-^x@u=`(9lU`SWsN9E zn=*wdc2j0y-&0jx=@MzH=IIk6!WUel>Glo4NyRqfC~6?okfRszME?9KxRCOeqYVoH z9RvBjScaYcuSv{vZ+ow0*(cfhfBC3_BJ&0n`@fly#Fd%sewO4{4OWE^Q4xV79uV=) z?&V3v6Q#Z(rTfBeCF2=9;>9G(h4MNoAyQa5G=Jh?_W~ln{o|32X+_i1Qz(PWA0RF` zOh-%(*Go>rb>mxQ74pUl$~NbRDCZ>J$Vr8Tppb*%iN^J_`YK6yJBkCAC0!Tu#aKGp}2FUO}c%9Yv-*K#lur`f!egZQAOKymf9GYLc%6 zI~yPRo3eb_>ZoxrH4>(9(V}R9tnjCSCf$WGE(ezpui`TEfAEmQXNv%Ien;YI0=+mz z&V0;J&uIC5*{-351w89He)suY^WV12`Pjk)$Rmh|d$9&;E31emhkbRmdZS3iD3R^k%Yt9Nz#D7$`19qz2j3TO#wmex} zULuw+b8T4W2yYw!GKY`4ODS-1HvpOw8Ay7ZlD zGWbEYo>!Aws(@Xz+v0+>L)ujm_IFinLT$(UBL0mVJ(Hj-)s4?9hsZ9KZv7h39iR7< zy5W~)gBK5gY=+##Ceu~tR(S*ahva)CILZs5XYY)+-O`guBYPWF{PgEQ9KV)TAITK@ za7m8yRnY<+K<|Q{JhS<-ME>7~! zwk?c}KMP|^J|Dwdm_3impCMJiyY!3s6A%agm6D+cZ_5R(>vca8=le{V%lN*`5UX>R z_quz`^$c+gkIQ<9Xajt6mWle@MFHTH*98XS+RO6pt*7vA#oEnyBrSu-VJk@VfIf%U zDq3o>tqL57s{J-fN$?qe#GZX$FJ*_^d@y_{91k8Q_6J;Ix&KM`7hwDU+3-FCOA_UAsZ9Rpgh`{3 zP#%k#tt8^G@x|M3kfk*PJxlg7oiX7OA(u~}K@EseNfK-@B5e{TxdsbMh2|y1Kg~OJ zQzj$Nbyi%8BmH%;t3xZT7TqcGS!lCLnWF&PYNkPLj;E5rIecYYFfy^YtAbK_iWX zD^JO8adTEcF5w>8CwBx%qFYvAVu#R0wysnt*!K1$WSrC2c$x{KElI(z9Lh(I_GKj% z9O|K&n_Ry&k>nnecH?gT)h?H5FUT#Y_5 z;nbd{69B1ZJLyOu7?Om67DUE|dBL5gM1EPABFp39ND2wFGx{k4jvsdU#Eb`KrCR}G zUqiw_2PQ9{rsXLa!#{+F3_7SMg|M|x> zazd@qGJEAfu`_N3_(&dZ8au9XW^fn|q$LmXJm}GPY8nDY#4uGyAsY4~D3D%x@c=+% z_eYFJRtIV*j3633M=GL+s9%L~_#BaB3U%dL3e|eaL`o)+WQ&nz%PG8s-YK1v00a=C zhpm5*j)32sr$B9fYhTdppzBG^AuulkeyYQb=Ss%YH>=9_=m*!%N0WI0{>B?{rYw=3 z?lg*_P%+d|%M@6KMD(J^0%0c(-*M*RXC>41$t_3HbV{fW|2Y&#nja#>U|nKCr7<~Y z614yfqz&$0GJfz?7J~BwWgXX{B1LAb$I?o;g6*399~a0wow< z!JE;iE=6|KZX>8Dw<*N>OLP#``C1x^w6x9O8z09Aan zU)!4~9H869g$JX?6aW#T)G<`3`Uq|yON-NXf)LJ>K^v?ZwfAO`3zo?SdK6){_!lgm zKh}=je>$r-4~;tgzvYYeFOk15@0aQE%kJ*PYXD%YZlQY_rNw&})m^tVrZ>2kF5~>6 
zz12Sr&XTO#)aC1Tht*YBU8{MlYoEuK1;SKYaNFCup{u)nh=s&v&0%fQMzlM$53}_3 z&a1l)7eD)f>&E2Onof<)!!x9m4v=oZCwFa8W3N|)``OfDtLJ+xYid`K&kH}RcKsvf zy=~#@oolMjIc;Q5-NGU%Yved*3hoXsWn0NY=hJZR%{rI&I@W8ZuY3Ps=al<7*};t9 zF1zzGqm8>o+s4;umeo#@o68Jo;Gl`M$CTup0c%g)%>MIot@bUYn^!w?ao*9 z^DTXC>Fl=Yhsox4jfbvx>}ag_LrrQq6zs<5zxC_)ULM2vdv8%2CMmC`(eHPK-63BY zt&_G=2HtLqWx`nQ&-m4(4Q)qTpX|@Uk=AZk2+d8Cr%2v)hs`}y*{-I+bJnV3FQM%_ zWJi?F$GuAKhxf_*kC!gv-8#kI_epkMZG+h-THT8{Rmat1+8y)gf!XWIzjhNPCvFQX zvDxy=s%*DatA!D6i(6RN*^M__2SLmtShfgSdS9;-;FGDnAN3v&+nv~rMtccIHadqT zov5RfaEzfxKhjh4IDeWhwa}}dU!;KtJg`r$MM@X|e{@C|x!oA#kL))&7y4xT!T!3e4 zZrygP8`DA%AFt8n(k!+_1z>Fg$h9^8g!%?q z(9^Z>83sOjS@k`p9usa@88~{){Ym?p`~*+&@%!4ff>msChfR{E(gU!%`G1b4f|$j{ z3u^|GQ_`?h&8z(?8ZU!$4u;q=Wyl6*#~%sPK30emBH8njw}0P~vlLE*AQ`Y=U)ms4 zfV)u3Vmcr8@TjW$RfFuw&5bTwYdj`W`0EiedM0Q;$^gfolvq*B5=mGwBw^k>I#Xzd z+MZqY!J^!!7D4aww;7&yK`NcYkxI)hh_&@)y;7#IHTx(-y()@_Hl{U`Wr{Y;Z|0k% zJQHH73Xb?Ff!wl}l2SUe#dVz6d#&6`f+|?zV55w>^KmNel165vY3C_m9kQi&{>>y& zYLm3VVXo@YZ5}l-Ls&T^!u;}oZv@N7@(8`PW6~9nq~YGfh6!=jDT=I@y-BckU#X5g>5NJblqUfh~_X&ZS{tB@&0nrUcLN@ zF$%470@?G`0=#BN1$Scl;zmTk4s*g`b{YH%9h&H*-mK=V8PgKL)Ct39FpP|4iczBB zGmiv?;gAbOZ;)ZCB>QQmA5Y;)pc+Li4u<7Bl&)E6O&5rYib?%lBxXpQHztgRkh2!V z!~06R45Lhkh1vN_QF7(7=i(WcKvRAJa|#`bsnS_E20U7X+NjhS6f1WZcSWgBBT=Il zUWV^#dl34kb;o&2#n$$C$1avX6Y*&Rv(v^D#k^Ym8^d@v9L|cpL2Fn0% zcO@9L;RWF)G;{WuF_uDp7c&S#HteG%ihslr(FM8>qjAN;L8V8S4$bOT&)mFWTy@2A zcr>2bUWN%`O&Z+d_5`xHE|euH^Vr3pqJC-P`Nnl&tBZJKY1~cW1{7vt)5ud#c7i3TfVmueMw4J(5$)7V^HN8J z_3k5x%dZzKZluXSx*Sxef?srY8P9O1zzV9As6l-2$3*Ql_ZsjF_rwde0+=qUP}`6$ zt`u)MF@4XDdl`N6vScI5RD%rzC3cx(fq4;zYWOM{PQire9`kV9Im@s9mCw1YAmhh0 zNRcKFe7IE4zrjvpFv+DsuIevOh0GUXr5sg<=+c!Ri{=rmkVe#Bh+ubF zh+JDBnL;TlPYA)1uWr-j9vRl@;fqTf&6sI`p(V*)pBFtfg>1Nz0AZQqKIXsW!qG-3R$|xBCY{& zGL{^*abPsbVE$4fGsY>#L9YK6Kq{CxQBUqSW8?QrbrkJ8T+7JMN)_B^sE{3GC=&AX z(|6)4&pTXl7SAOe>>$7d;C?&KE$gn)QLx5qdVeaZ`Oh=wZ3Dr!s^K6s*2$K~4EFnb z@guj=rfz9s28eYco!6>4!{d6FqoifzTXU8H7Dk7Pmdf^aQE(QO#0}xF0EPH z4rn>Kdvjd-3ddvnfyuHaQ~wXVI2JsaNP-0L_wR9D?{+b#5@eKYvD9-n<2 
zobf5~nFgy&8zApx=gzs%a?N!*(D&W4=xnX!*(0?)5yi^6ja03{Kd#Bdy6GAr6m3yZ zJr(^48*|3p{TSOHqjF(2NCanPZ1sn2cTUWP>v(uq+^N)Z*bRJRtxcT$dX35K4F|0C zt^vw^Fxht}FhAq46 zMbx*?wf*QwGB|sQkvG%xkJqYJ(#HYNi;eTfPUQ*S%XcnUL3Z7V&xx(m1!gXG$7G2s zw)fMqChKYr$|ZMA&KBi%h~YA8?$-t9P-+(-cNB25<_rHf{Vw;$>?fi+v2nrS6$L73 z*ANhY_0IG{rN20IZOMA{JV$>;d^i;aIE)|7Qw=iDdu9|Q? zXPEg_!S=ZMdzCUXT7d$nvbu)#oU9`jk%rsc^oR;LpS{w$4sm;=gJ9hzwke!~U7+&9 zY1jy14C1>CDe;KNoV-LvPegi9QNcvaL2b>(C8!~%d|jt|ZVGwSpQzl6Kw^YH;8rjS zF24-gY2wOxZ;r)>y79S+oqvi}@)1d@#B$c>` zB*kP_xw%|2@D*u*O~7VC5zApU)#fZw$yu4<71AqoAj^Da#mL1upB>gSU_B7d)P;iW z$S`QrL=;c&%Il#)*y$};Ez?me64&{8i#kfKhlyL(gGPc9k?BHFyZeLSzO=j%6SI}{ z&XaSF;+3q!?-3T9-)B|Clm-`{dVA`u-XhyptJr`C=-pM7%t!@B@R4pss)(` z&7mjjmGwuidxT7^{A!0-@sPs0Yc?rf!ukhnmMmhxeH1F(P=t@80WI7DRg4rBj#rR$ zo|33WWmp9@5IDs~^~)jcoC&grUar!NL;-JySz%Z2DlYAWH*kwLXw_=jnvU^_m)8iO z9#?MC1HgkqG|^_tZw9xoiBiJkbJmJH?dm5<#Ym+G|P6X!}1#+dZh;0Ngu z1s4`FKVYcL5--ItUan%s;?NE3_o2n+l%TA;Lizc~Jx(Z}FE>&LM0nRW8xfe0#X9*` zPlo&ftAhniDmH0tMB%WD8U9D;m)s&|9>kX9D0dN9e#Ty~&(QOORjB}Yi$+8mSLB9Q z%WmP3_(}ppG|m)0KSO!!g0@PlpT?2}d4c)n!FC?OLliIT*p#JQe z3*bLC`*i|UdvnqnUnqISmI!HYPR5jAOdLIKl{D}O{M*cJYrZ_6gh(2~YPA7cf~k)V zf1*GGU0sP)8$C7OMerY$j0I#=9R5cP>_FA#GCR3EEeONX(}YN+ez7%|@*-tUx-(%3 zT7eoN0s#^eJ$g*#ij&T*k-mraW=`e=Irq#&JohwNA|%~}>;hu(9S>QoGXoGfHJjuJ zv_t?w+BHkDh3Luw7Z*V=Q%rht4;@B&aKm+2*&akUG#K*YlU*1IW`zdkrgVuAa}ooG zl{uL8VV(#9wr9o$wmy6K$dZ6cB@7w2yu!!!hS=!b95o1g^la&R4EOm+h?3Z&zMDse z0EgLl-2w}R3Hfk<_W0#9l(o-gN5#%PRQ6fZWzwTce)AQ;lG{GS-UQwBzr|zwlg62THW9*I&MHb*f7TPljJ?&`Rl9mm!Qu56f;9DVA{j; zC^NP5VR@THtjhkXVD$58=@S9`d++LsmeX`r+_DwX72C5<5G@NZ>CLO-<$75C z1SgJ?v-{XL|4v!8)$sOxQRIla|O)xCdLX^V~Rf~7$6M(x`$AbeA0_oeId zz3$P^zw>2l<2x5PTigE3kG18Z(tLORZ=1LG?qX^D$J5rZ8QqSIzI?ukw)Q##ps;l9 z`apcW_X;C@Fs@xrohxnWE$gd);;~#N7d%<=_xdMgrXpL}@7GVRo?8-<#wo&yGZK4I zT+%n)o%6A4-Qp~|zQ;pfYL~@&+K;Cz-+dW#yIy9kO&`!;yPog3fBrNhDYflhZC^xO zdF&E3BjwKzN_E;D2c=hf8@^W%eR-ldnLmjX^1pcZ6+>;Hyxl&dRe9d=y$>Wjaa?cC zc)eX{KfH9k3Eh_}EVCB?!ylD`tLrDbb*F(J+xE-R;9<1XqLBkGfsDRi-`S}!EgmOd 
zXpP!e_g6DK){lvuvu%LONm!}s`%2~+wF3p|XZb&JnCCXqIsrpNd<(Tz;TZ9WF#EFH- zUPSmGG5$4kj%Ud!i}LEopLfwIL-J_Zq$;S7E2I(Sw>zi*$09bNyOKdTm`o6 z#C#_D`dg%V&h`Y<)JSEqqyK3pF;XS5>8St135fNruaPyw+Hnih(L;#!dQ!g#qSqS&zgdguV-Le@sWtQP z?1YO@;iA94h;YEA1L!pycGu>FrCHH)$yt<^6%173+?2Q=NJ|wjE3p<#DP~yE$pXJ4k+>eM^7=Q9s**c%;F3yaSt%SN!6gaslPM#0Kx{38eHAhmWbh@X`033?YWV^|--7*rYk1^+F8%0QxoU0HzmOclTz>mc&m(aZdb^gq&T4_r!z zICxk4l6&|v=WF+qg`h;>59s{p#lBF{?EJJztbE}%Kbt3v6|cpzrG6gZw5%A_VsD?} z*JWSOF?ZN`&h2r&WLEWB+dV4HoYh$KUGg|7fs1a`X-Jz~@%k*<{(Kr~B*l*YS>~-@uN-DX^Eq3)j&ZcO(bjC& zLw&h)DSTqpycxgsQ#2K~{37dm%Wuxv?D<*|WxCtxw6*!L%T4gbyzB-%$AKRjr~;oYFHoiWZe;8KM$Ku{azg3E`F8n z{E^(1;C0~|&#w*E*iOLypv#8Y`u_fe z(^9wdG}qPhC4Bh1t6vmuCgjqv(=%}A`GN+()6B0icg_A1zq`}?cIBwz9;*IXFy%P9 z87nHP>#|fz=@6_gOXIRP+q!KO8oWHY`bqDx6dQn~7|PmnG1ubm zs`eI(rVyuPCSFv>&CLBSmgNHHcF#J}D3fOA-i5>5N8HQFuhFmmx7aDv5%&|;TaE81*2Ul_t;DeM861!wpl8OZjC1uNm5x`;?2b{VG_Es`mij1s8WEJHdZ4{ zv04QYNeC{xOPO!NV~Y|f2h_C@Lw#K4HAwVSe*jk{NP>Ow5~l9BZbf*&#Z|$f5`Xso zh)65lM8|NV$&8u%4@PAaPvqYtFY ztrvuapaDZDG?bRV-?j@in8Rn?!VJrWJM}ayC!~4IlleVun{YhsutRflV_%ep34>U- zgkyd@#=KXfddZ}?k(5k?ItbY#Os2T=xlRiyaR&TJYU5&6#ASFiCc6d2uss-xD7723 z2TSb-w~f`)XNko~8IVFoqA(EP$N3gg^CeHTa6wM07blRn7c4#f?vfa2Gh#5o?vEze z5IkziRv6{R0yboe7p>B&FLcWQgOU14%e-(1DsGf#SZt}723{e_h|e#`(yrSgI<3Q- zVgywy#{8>RA)r;|Jh-8TUP{`Zr#V*e`(Jz7Nys}96__090Ri3w%Kc)Yq&tNvxQgPl z`UtHHd@s@FCeWV{Yk(c1wbu%1J{ND$J@fO4PoW zVLJGMa0Kv=dE&T9SX59d*z+Wn>2+mnSH7HuX9K)wAO1Z=cjumJil znc1I9$JZaxP5=B~(WMqki_S+CAtc`j&1CuKz#mj+;Q~Est@MW>P@?GNA)@d?T{4Rf zPl673)h6l+2OBy&fPvfHVe33D-6VWg6#+=hK}yY_i+;r*zyh+t`wz}-)%JL%2U7VW zJXxe+?P^sg_H44VzbU7-GPX>f5$qxZJ0i#iar`n?c0}M|1JF*=MsSn2pX5l2-}vK9#_cqFX=;6g!aFBAEY)hy8NsZ+iB-rhEk^N0enJg!U~I z%4e|@dNYQyL-ZCj@q-3Phd`I4Yf`~R)oB(WBp8uDA(TCw5_A#EXcAOa%zX(MaXw}R zG28hY@T!s89R$NDlyMdqQsj{)l-Yksd{%$Yc@c*YC7sT~HPZhjzf%ob|7qs{rVMjv zpK?EUUtB)kS8Sr7=fsn-@1t4vJn%H6_Gl#4#S$(<1y=*OrEgTQNh<~=4oxgv8exv? 
z2B_flnu(%~cN-)842HIS+BI3<^(CmA#hSpQv15=mrL$Y#?Ruo< zp1?M#KjgQ{lP{9~AU}8~DU3S7(*Dba5P_DW4Qz*~j8BO$8dC_iD$QDqiU(UZPpE2d z{{7eUh)!K)z@8&r<`-fNIF-7PGMjA6!xa$fKY6&S#jsFU@c@?*X&Vl3v0;dnu=Oa_ z0IId%^s`4bGhsKMzF+ozm^$^J{ZbWA}V267awMi?>kk{hdK7q+k1S|(!j5Cb?EsWpxalhZXA90OL05`VA zUh}>-Lpr=~oiDk+vxG|1*`*M5Z+H)VA8;={|M5aV3(uX+C;kUD?DO_$XnOOqAOh<3 z@PU;(bB5cwhnSA7vg!V8-%2B@^D$R^vh&b~uy@m1rR_z`<0*aHz=`Ygo=460&tFpa zdfH>JOfvVwDBMs+>v<`bX6>N{ZdUj>E_AEo-Z0QPr`~4kLFNSBbn(d)yIuS!OL)cr z&-7zB*4??29SzgQ}T*CM}jmqYLEtJXWy`)mgUZM(aY=i_$Jmwms=cm<@;Y+aYuSUcVAFyto+>&zC* z7}f)jI%NS~y~cUez+3CS3$fW-wKQRy*JMQU#_(Hm(GM)dX6TyDjo36@Qx?VdP33H=)c+v=Aa&fg zZm)TQ-SVu`*WraAvmn#^RrMqbH~0D5ezM1NXM{J`QXh-wuIl4E0?PKS@0wISG^=h( zXH;qVN@v>Z|B3F**U8UuVBVV4CxGQYs;iIL+*~W>*E{-MSVycB)2 zp=J={tN;=rvhriITB11+v4SETb?FyJ5zbtDNfFVY5e<*O>%Z2?%UViUAwe;y@bwig z*rVGJ+ORoKi$W7wEc(MCmRyE_z&64uHm0$X8%qwp>gtKiJEAOgZ`OrA;FoqPu% znuVk-!v~n+;UJqk(%iBPa3%Js^B$yR_yaj}fv z`^PhJ2!l)Kcb~n)?6h5@m9fm@sZYt4Ou%OQ*L(GVGpZ;GYZOOeQ%bk&8F3N*N+Sqf z%0^BccEHiiPio5)ud5$$4)P14i;50)4mM^msMc`0Y^oj=W}7C(=v+9j3`E8TNg{EX zb~8f**$I7*HbIWm>t!NqWy_{ct2NAC=w)VP$SNIMHTAdve3r$4 z&S*Gcm1dq5Ow6uqCy%)Lh<^~$>_cGI`hY+mo}?ujcM;4a&=KR0g|srXR%J{2t7+kG zxj|b}P0XeUOqq)|g}HSPWmGSo^2C57IjLQN#U;bOHSUZ7R;T!0Y#0as_qZWBuAHKi z%Iu+GMxCfSLGGhA$DQ=2>CXE;-4op2@@QoHP!!-Z?#q<_|5{yIxlCz__zL%i^qNIX zJid;?pJdYF{J-kr4odob3vv2&YRtPb?gBH}$d%P5DlVV;8H`qGSN}R}(yatAiiwjz z+IH-I9aFhvRmgQ^$-3riRA$T1d+kCCX(|`W-Emc)ZAQO~os-*pU)tqmIou+UJ8f+L zA#1Q;*ChixW5FW%!&_boQiQ|;hC6toEh+7S2zxMLHKz1~$;)HY^QXI%} zf`1PdIcS9W*Ad)dWot5&K_a}vsfm?O+1D$qG^CA0%2DZN!!C!NEA}QBQ2P^H$Wn49lJ6RxAW3ZiS;J} zy!7JAOQ6!H$_kKz6467&avs@nP)8v_o)ltsltN`hZz_zEh8om;m4-Uv^W)mx6JkTn z!O%-B5%6Of#`;n+tT}iMc^RJ>|63S)*u(u7gLv zmwogt?1}vrG&pn`2o-B@V`T5qYnoj*2#>hSG9h9!%?YLU)?Y1g;OO?s&Bxv=e8r zQhA)~JwV}nvU|{bPb%3w@ALh%e(U~Rz2kiLHR6mj zs!}YT-u3(rA0wmI+PTg#oaMBxjlFLB@E@G*0MO3z_@2^V92YOa@@|wouix~91FG)! 
zFhjleyL|dEXs5Rgc7s26vCnOqo%SAMU2;2LU^f`jV^y@?%St*_9qv6sKB##whK*x1 z_Yc0KYpv_fZI*aadD}KA9Lu?LI4tCkj~LyYH}_LAr@wEbRc~xJ8*R9ck~epEp%w>ML#s6TNfzdU-MWN>fnDx8B@6N^>pV{6E zo>7-7XDB&y6T5Hz9`u}=4tCQP&9Iq!z1DR8bzjO-ZQ0T1KAXBU7yWBDS3GK&dHvKH z{Q^|$`xpU2`@V@fYejzj{-KJqPBq!9v3VD7{jB{ud>Fnt<$i_kcpY=TC76qK%Uabn zD$tp|tz~eH#Ovem!dor(>SXz3vVVk2?K$5V_h>wS_3#SNe(@bN`MII2ysLeMTZnF| z-N^g=xZn+|ny)KJE`iW{&V9-q0^k7BkFTt-lda9We%7WCp$>VujnuFL+{=KTxpy*{ zM#|`bofyyz;$TqCI=J~d7rVl*2$&;oT0Di9of@67j@|L|$lUV!nq^X|R`m7BSShd* zCR!mN;~t`8tQ*aI3M}g`os`l3GT{9V?Yh9z3NKeT;asd;OgE{3)j(W@yLV!h)046r zb!XNDUaALba7b0Gl3_oHP8*vQ^6o4^j@&L_oiI7K)`buLqtG9}o@iOj1Oq!|mQ?LA zcu3?Qz}I=awCryYOR{}glqxGk2zv$FfBw_A`LOUWD-W9$)&`#;Fz1`;OFZO{{F&<-3+jHMFE7o`*LO2ItpTuEn1v|vFyat~1xQJ|)t z60BvqR1K7Ed&uhq(FZYsF3`Ni28$W4wF{v@V7+{LST~OZtwoeqR}E!Cs;}oo>cFtP zU$(ZiN4H*UG$*r&;AaxZ2m+786y-EL)D%LLavFedbjJ6`;}2`!kVfMgvDpOjk$vt> z8q6Rp!Zd~B;$Lp54?aZci)8`OpLtyG;ROQcI9ZtRnR6W*^f~nE>0{>(e7V>e6OSFE zG0R0DXxR{%b;DN42NPaJx&Ih5ln^WBsiD)DV4%TxqqWJkg9?I>Fr00dn*+5o5~x;BTu&DxG@0>TL(dxQ)fh?6xszP#-nv;_!?W z>r@6EM%M1Q0i!4sx)R_h(Td{2K4EgL7l86ixh4IJ2mPvFQMW_Y2pu^togH4|>O)wi&i%uHg96B?g3_M^mu8d0% zNTc4;(*&8IQ71knl$Ryr&46XB)5va4+jL_wRZ91$5+xu>6>zrY+{hp? 
zmg5psbD1*$p%?3K(nN4C=q(&|tk;sdRUrd~oC*`AryHHD0`T;Wyp+?9C?3AR6Vx6h zzf5mI0dE;Tc749Ke_l}HXxSkeb5}#uM)D)y79KOxAc!fQCcs5dplwl&$hec-emVwX zZFxd?5G9y#;*RC_VXGh0LX>1o&HDCP5SfOZq!ohd&1)$YAwYBI6>s^OW)0c$V;20C zC8b75ffM-YxZ~RtjOF{@IJcE38*kWDdhpHY@sx|h%+w#8fWH8 zlvLI@(E5E4Y|$#BB;O&fNbRb26D8I)U@71_wF)yc`Ue3>UysXTZT^NJ`r1qZnr8G|Hy0)uC6e=V_%eAJ5Lv_k7-;6Eo-MazEGUj zJ#0TJS2W%C-m_Y5xZaCkWY=GLuQz<<-xk}rR`T@ zpL;ObuZEVgs#`es5>|~rJA_fEak@S!Vsq>7@=1NkPM)Q3AJm@K7%{7}S+l*bYkAl* ze7|l7Vf%R2T!i1Byys9@fBF@DPkZB%0ESeqX0K6lQL4Aqo#67p*z2nvSJ7=Vmg}Cb z34!*Hmq?j)kJP)PGtFAJ&#dIgcG0m$9V*_QCoEpY+zX!W*>P1WPn)Nfi?mhfo4wp_ zr_<86C0kkE^8{zJoNUiY{41zAMOj_O_hIlQpGffc63-Mp2n!8iAlDqcdMbb=9HW;rFZP4x`st%G) zWLGrMct~vDPyLYP2JVR)+t^aI5!?I9_MYZ-{-?|R@>UA_S$V<(Sn_v2p=orYGEWvW z!FKbwmJatn$?eRSd04SfM^}nAuzkmESC`50adB3PV@FU7nBZI%+D0=mcqpXo@Ym zA_+4jI6o~xpep)3ksu5UVUZ?-V3wJix8a@}k5S6vdoJ$CX3SYbj9b{mya`>7z`va) z5w9-%uYyJ3vZdhCaz1oCqn1>ZL5<#s zv=B8oj~VJudXI^Gm-%T*xu2cF%d$A=q^Y&v1LGMcTeo0~0TIZ&S#f^=?AsBU!FZX_ zvAl2z(oqoH;#=0jaHLm*HA*`bL)C~0XQ~Vc|8Pts4p~&8evdkq19R^rD16#XOO?^4 zbc#7gdFqgV`u$&=;=dvFzzNqRQ3j;h3JB&NXaq4O(&CBeGzKT@x(F-B)FKQ{lGuw`r4>BF59#*(i5$KgFA$Wa&*FSAXg0iW5S?$o|){C?`$fhN%!eU zI)}|;ILAP@ovhl+Ir@<4I)s)N3;oMAZ5Tt6I!^eF7;RZMw6h+eXtt}-GoYF+s_V-t zX`&sCIB3nhHu0-~|Kzz%IW^!FDSHeQrBX$RtqEC(EB#SeVN#TKanx`KN$V>O?yJK=ul~$XdG@+IFMkn zWso0!7h_2gBp^HQhsd+?q~lLVZ?lE8jJOZtU6kpxpuQDzcFy#P<^Vj%_lhoSm-wp? 
zaieZ|p7G5?LSdA@lrydp)WsmFOeEs=(4=bFpDi6?4SMAO)8sNvuq)OTqCA5zavDA8 z@~oQNgJ|QQ*OJ}aecurna5B9`722FgshVY!-%c2LD@f@`Cd$^eaCjR@`QxLfIfrP< zqg0p@V%Ts)xXpmIr-bpJMg++6^zhXgJOQ~qzF+smXf?}V^F{%a@aG*Qwos7Us38f7 zGtgifHM=y+?=nL&_gc*7FkVq}Bf^+g(#RY#$A0={YlH%1v$~{81{`qBtCtUV`clZx!1Z7EF;XfH z3(b;=FIRI>W+0@g3?qgP6s1F31;SqmCb9_vMM$WKNxV70sM{{3U!&ACQH+W<6kCV&55zN%&{Qtu5z_s8NXK)}crj zmjuQ$4m+jM2BY!!YJAp6P4HTf;C;RPhF z!agP1Qj!HZX3Z(290dkY=7VPv?%#DA1`L{2qsrBsE#dm!BTgn#rvEJ_UiNX~ub%1v zkl7`G7v%xe6E7lU9alO1@&D#|+Y!Y6wpRLvzD=c{Z;0l2)lw_Vx*ZKR`g9((Pm9`qFXIAQT$8v@ z7tYyNcYK}`K51EqbOb9uth`_AACa)o4g-IHB7nxWP#KN;=pFqX4$*AaoyunfB%{~+ z-0!w?S=Fp%nNQ_3&u?8`&a&5UifT_^*Q@u^JJuftO;8FlU6llO<+9!qtCExp+0 z-S^Yz(3Xy)Im#F>ucsw!I9{huiSl*Po%;>x8{FoUbSM|KrsrD-IE7ZSP;^@ABsD-> zWsSPw!!CE*7P#t6$7gjQ%@%3z7^N&%-uCSj$R<~7%A<5!nXB3i0n1*`eIMI*EZd;V zx;XeuGR8hF{j#f9x;V313DsTqWWbwK^?dL1 zG^@hVYX1PCSp%u%eCdt*Kh5!nl=5(6G1#xuQzVls zHk$qIc|Bwc&z+vjW637#f}}1bO@Q4fl6pus^jBcTQK=p{o}V6FPQ4CMoPI5Ia&Zf^ zvP84ZBFdX2ONzm!(NMW>4rG$LVoH;W0@6Vz3NvD$BSsaT3M1vgtCwwFY$$Irsuo08 zi0WiNO^lMdfV=(_+Wd(kSR!ze$s5^%P<|X;o(MD6ab3UCbQ6R-Gp12SDWyTX9aqLL zVoZJ6VhS^7TcU$N_uLb&oKc(!m4qm(79TMMlrb)Syj0|`C3_58m@>~F%s}K+muN7$ zcayK(1U@j!-zYqLhkZ0d0=j(rbz6}hYW#U zn}ZQ9zt|$UnNA@h9@M=35c10RmBbMOt5g#@T~=tML(&FH9#jG&7?J8VY9`bwWL6!s zbj<>nq4Sj72G9QmqAE)T9l_E|zm1x8r%g0rqbLxUqc5l=A%=!9d!N>aTih}uUAiv7 zE7HbEmqHJT`EtQ(7S~D2)9HjqcI&Z;JlWIzOc+rWsYEP05pfd~0;ou^Jgj#NsuTro z-4sLy_&|j!P58~SF2oSA;@#5;l(6=8}hlcAm|~ZAX_So;CctX;~qbJ`ToGzq6@2R=v z8G`Z;ep3e|LQ1iKqm*=ozpNb>Z%WHybz}2A!4*GDAX<$y=eMFv)hK7X>(W9>)iKor@!fyFg6&uuShq6pP7TN?eO7$=t_^&?=lUmMe*0c-yEYvxE&uWm zzz8D)3BvS%L$8ZiKBY)GBp6q2K=~uqphcvLBFO-+cWV8I4uab05B1~DCf{ig=AZ7M z9Z!hc>qG9IC&YgrY0yw1hu57eQ(uND)tn3KqbHx&>mQc00Ce4Iz;kaV{4Fgwi(`NU z8dli)Res@N8bZI7@0^5*X!V^QQ;ka**r;5SepID%mlOsP@NcVe#g6s>ZPHD0%~T}j zbkS{0ZEClkEOP(w`z07z4D3WJHhodQQ|RQ%1+O^~`%$xC8H7_Q>8=n?9I-$bgp0=Z zc*$ixiD|jAGwDZ%!~{CnCGE;Bg~nUH(-x1bDw+^MWxC?uf*yR0CHh8amPCg;Wr@Gq z?KiBYq`#`Qaz?96if%PZ=VLRnYknNIKIGD-2{hbPmX7l2Uy2dF9z1&~5#jb6#hea& 
z1<;vI<8T4Zp#1+s)Hy$78h713Of|X5m};_Z+qP}nuF1A*GVg5Lwr$&WpPqBh`@FyG zKjB)}UVD8%YdBjsC5&=&q4a{d_haGs@82}JzObkg!4-a#{wz%p&jdis7=(CvY!N8c zcotdk$q&i)7-L4)9fW98dK46lcI$3ah&Vi43$;> z@}57&pnV&voNrux`Keiw0QyG)S2XQetL=yJNvScqM3oa@C} zJFjkk|HkxQ1Dz$~SrBwr91FfV&9shn<{}9Up9OPm>6(cUQ9#^%y>PEBc~hUT2OTTC6ogI6RGP zs)5fN=T3&{T|Mi=qHMg3B@bJknbu!*>#LmY7DscbFzE%f9r+Cda&$m|%MRn^>WIzt z#=HYtX6wMI{ACMY<)_*!#h2z|8qU=E#fML>k9VdVx*uu_>0{=-+`9Yi2ZZM6G~D)!DKODji21zC5GOBUj5LH7~A#Ri@U%b;y&4roG*&9X3B?n7NENAc!(HI$mSIWxgsAMRB5Sg zw&|Mf@=CBpB+#Xm#Z@^ltJ_BVuhC~W!BdiuF}ExHPTq6)ha!@bYJ)pzfYN-0PMv+m zlvl7P>5?E_f}B?7V3P+Os;+|wYR4ZV?vS;ccpF!Eku=Gi*i?~n%Bg|vK`(r8!cQgP z04nh>&1xpPi?LCZ%*dEr`E1b>!93tKX>rm}lfM?uh7c*`^kw>ZkawP zh3Tbo-lAer>8W#C7~7qN=gy)%T37_^9^d_w?T2gHlW3M2@`>PVwHXr+JOe=-)A*_) zN%fPB2BMg2S1wMhacv@gok)QdqVdWC)eoFZ|LfQ@*+XkQ%%^z*^EhZ2M$Oa$E=Y;r83{VUVhnd2uM79W3EnyjUbE6-E2?^N_F$YVPA*Z7~cSc)-BmzvPEZ&Lyzl~k3N7`y^<1GNQJ(1Gy!CEyu zt_EXQsBp&0Rfts8Fyl=)qN=Uq3PTz-+ZcxiWg5`1S!H)JsREW_d6m2@;?g&FdF)_mbZZ(m2l%L)$D=Ki^w7szL5%fyDC~o9={-#K7-DFZ@QG zD)vcQ2-u1Jp^p-0+E3@utPuSyZTr)?S`08-^ZeiOWfau28$96`2VC|mJ_mZ!eM@Yu zr`tx&x1NUo`V-Pa{O0$L_(As-MDyc|>H1P2jvxAi>nT_0R?05Hj7EjyV2MjtZ?B+U zw#v_YIggBSBb%#(Gv^)5egPI|o2~0qfHTQ{T;^q)?X^dene%#&)&BV? 
zXJw7sY2VM;j(x%q+ttPHS>8T~_D0I!`_0$Pb~!%?nvA86okRh-TfCn#2dYdh0=phG z?IydtUo*81aGY{@u4|2SwF{b_Tpv}wcu}|>o%d#67`P~OBriX9RroqT@)XVBvfr2R zjzg!p9r2HKya#{b0Dkhi_Nf{)Tv?pc)i0V%1C2lSl5YsZwU!TMw=E?KZnkn=KPZB# zbaW18qItWYqWaMX{N~u`>bGFm00$Gzc%0V&xkIXbjfzT*j?%r{Ih_ZL%&t~uNFuiIvP;AOrPo{v)~%JtU)i0cvb4SvvYXR}<#_2(u&d56n_**Z)0clq_q zn-{Led{d{s^7hWb{%!KqD)7}zwd=U(@<>pNuK0J7<|po6axN!b<=c@&VtelPb-*OA zr^od~c4)`DneS8%0)i=aTm929!cO3urJ{7(D zI=vAuS(oz|pts?6~0rbyEuUEaT!O zzxzYJTkqFcJ_|%iK-~#haC!2Ri#z!szneHlO*}MmziYEjBKv0fzeWd&5#dRPpMx^8 zg%*X!T7xSr9Dh}%!m>u?XsBlMQ5S}MaFOEr{^>4uDmIPD7hAQtF4e4!ifUP#EmBiH zSeX+{$1nvc;?d4^4$Q<;qZNocYLP~?R)P=Ast*KnQZ!tuf8!}|oZ{*5Y$r80_j8f8{`YS?Zi9vtW2fn*K^IvEop9!T~JUM?v#_@CVXXadWA%khx` z4c};tJ$E#5xdDwp50>^lEDAl&4_#{64B|i3>cCu1c?zRP=c&H&{S2|CMlh-YX=*WT zg2GA(CvEY+{RRP#&R9`AhBM1LrF8n1kQWY^@f2k~Ahzoq9SaO6nzd<(8W|%7Rk^ zM#HJYS29CbT>3(aN@0^?BzR*ibLD_Wk2GXvMtMT_0>BZl<5+kpL-&3HaDo$980Rlx zbTKr{EkCq^RM95i>EkaWWZPo?kRYF~#w+2>77A2QZ$K8?im?4{3=a&)7G(@q*d8G6 z#3ty zdJ7|*Su7VHtUb>F72gNrEL}fo4$;^YoIAZsy0X;;$*iL-zQbkaK`n_F(U~B~i%g-)rzw|wC`8=X>x;&1PNk!NO%qG z1^dJ!cueGQC}^ych&PXjMqEGnirBm!{M{o zpAr4odCJe?hAYhT@l|M-Ad~jdL7XcRoDBV~>WS=}q|-R2lyrZ+6gNV(7BK^smqBYm%-rJ~7_L zZ?HxO5Q#j4P~pc=FL2#2E_l}OXW-uv)W6?{Ip9aJ_xflo#glGZ+*J& z#{RG=tx$D{U)OYo*A(YjC$4X^F3w7m6SvEx^l72o-+eWXotjTIj+df7&UQA(O#IeM zh_U2YZI_;iOt)n(_vp`9&ySSIB0k)v>4avRM#7hjw_V-loas)tu~{hEMRvdA;aaI{ zKI19L62G@oyJ?NdRci((v*UgjzwXhxbDh>>uV-8HYIB~t+tyP+O3P!p`)wzkE(d&f zy z-Ds+g`%92o-ucMleyj$Qx0uUU-6W4)-SuV%p2zNd9c9h~!ZsFS`rY|DM# zhf8vJJW^&6uV?>ZvK+jg7a$B8*zHpIR7A% zU3V(jPuaSBxZHL>oH(}SIahmje&RIlghvNOWZ%&~4)T%Hbt~&rxYEPZd#$$O=ts*lJVXS#E-+nlphzKHMkqfUvbzW<-L>V{#>WYaU!^3jMIe@?i7dA5 z{dk!+?)oULBy}W{wm+i45}+*O%CDR_ z*3+xxD}M#Ec$7wS5U8pfupT66oob>7;+buLN*rQtc?MRasBttXJU%I;fMG4I!*e#H zk2Q5}VScwHTQE#DUy*&TsZdk6Naw%Zby8d(Q zRXl>yb!!L~3Hmw2AR)#&e#R17amauy4{Rhb2WZg?TI{GZtujxsNU(+*JNnRoM`*=@ zC;eALiwrrtZEknYJseR?1eywC(9>-J&v4Q*iWsyCzCFZukc(QgmL1UQUvAGk3A1hUZLX!&}{P zicGawfjJY5)MH!IR|yloQW%pQaI$dR8Cbbm_AlfAa_JbNJd$M5Th&(@!jT< 
zpHxQ5CC>cUeG#ySj~AF;U3Me|OrKb080Snt<4G>(*TohmO%RuyN|Ks%jq5$b)gB&0 zDoI6aQ_R^>;rzSCn_PoZR>l%Sn97t`HrgJm6sIFeB|%mM9wQ_qL9we6ogkOuES({# zA>M1A0AnHSJF&#+LWBJdKT}JNhBg4LbYs3~-IG|(S%ydrBAIHyl-DFlNG4^3LF@CW;;iiNX$+an=L*ilE3%Z7X7oeXdA5z!9hB{7F9u5Vjd?%40B z;tPkSw@jgrKlDW2-WbVRwj=-7Lp!&kq{1uQM&g}O{!l+2;3tJ>VLLtl(*ft^^Nn{W zj|CMbc)W~kNxx>dYWi}-^dkfM!-o0H*`7@Ch)AO4A2WuiR7ZXFczD#(9h4TzKFiG+ zX_Z+>@5I{tJ9-Rz#a1*IoIg3Ur;^Gwmc~BXMu~tLp2sQh8Ymf_TvEm#YZ6U>QBoyo zluv^SIh0>#?lYxD3(O=KRy5&%)BkMd`xImZonun}<>_AxMU|rZnNa56gINGwnGYSY z)if8A5KT&fj|l79Ho6~jS`3po)q~B{6vPf-E-|KN7hzv5O>C~q2t_CPmp(p9$|dSU zoM`|BXv@(@J`&c~;mM@^8wMVr;A{_r1=Dx_=W-O#Q*~mFknjdQlNfSeVPFW6zIA;``?~0cG{+Pn^8~Fy*^%- zMu*%!yeHwc$R^nxf*a4r{S>+n4{;Awr+FAht6 znx^~kjkC$^06Ec@MVHf@*6z7vQ}_&~lG}Hr_~>q%ZR=0m<6-eL>ia|S^-Lvj^!U0w zQ*rS+JdQ5J*0^--uQJ)1mN(y)S!^de5q+OK?t}03^gKp;7neKD4%%^um$Y9&+>-fX zrYBq6Zt@MNYxh}8He6;it1n&FjI=slBOZnlnB2PkF0bUKC$nhHnRH#<^p0KzV>owD z&QrYnO61&n7vE?OS(Y_uy4RqXoSN^LrUR-H<_&2(Cx=9pAl za+m$u_GO1@!hqI9+Fn>MZy2f7H$zg#*&SaLi!RshpUgLk&JIq|a&%woUUJ%RXP#tT z?l%_&Q+8KheRFm+4vPj_n{`T`Z_%9vzCP1uk+^kdEKdm)Yie1R-*6E-wU%yY&&v*x zR6;gS_t}EjxfIW+Hru-ei+(&-Sacw~|cGYt8LP(F)zs)vV7)_(%UBJnPoc^c9vL zr7f_1IOX#cT#nlJ;_%w%?)5JEfR*aHdFZJ6;$Z{jq%xQGwz98T%JzBDOKsEO7?G`G z!q+`Fbt_P<^}g->IP2kM{)2T&)Nbpk=Pdd70mb`kZTs>`(RFDv^uN*ymB9_#fa%Oi*o#YW z%p7+rcJwKs-WY#|Iph|9!QnJgsJjG$37L33)~ZjSOVJ7h6sp7&s4C$YjcPaU1>4e% zN+teP%rq`nPPYcrF5z%Z4^Lo#m95sJ97hwEvFbO_rZ@#XxECj~3T8j@+*kmgha_4n zM-o&xt*e`k&L9U@h8QyL5N(u*^{&L~4@AO5)(QCCpyfaBJ5n8$0%rJ3OFx z&7u4}qekY@N%}Y8j~<$tSNydfGtz-K?$LkC*8Hhi80vES=W`gak~G`&pNLD7^CdBr z@Q^h*6`Z^!pOJljQ0@KFIy07rs976gFMqJcze@N40~H*YPJww@8bOd;MLyURAG~Xr zgbgFU4T!7B5qCE7&T2LBj=w8*yc9!rC^YSBx2Bu2W>Xr>$3(fUXb&w17(|WgI077PQ!1V zR1OU2c4?mKq|2GVMn!xJ5p7XRHvdAGG}EWd|0<)=bBsuma>Zcu_@#NAx_nHZx`e3* zAF(y4z0Ef@gz7YEl`02?6X_=SwR#>e3MX z0|;wl$0!k+r*a{wAl#m*6CS2veEib{Y402oADmIZV|YbCYJQa^w97b3V-#fFq$yOO zUyoV;{Hux+kJiGK0+~Mg=gi@c$TQ`yC7Z=PZ5YEo1|`fpJpKjpYR$?b^Y#Ux1Qd+X z?8udnXxL}42m=yf>UVLq3TFvTXaf?l^3YgTHQKczJt=lztJr#S$3@mOfaP}7T;{t~ 
zOT^3duJK~z2)-K&l{>2V!9y(%a@IqFc^0QEe|ukbRTya86C;swK5LdSJw~pdA%}Jk zxl5^EDB;riERWtFk-!?|`o)mIHW-(4daN{YimD2w`HPNy9wo%(j?<=Iu|#hE|7LMN|F}ObEzmEzq;&Vz7)G2k4SUA}t}lRa_2=T>rAeNtj1qzU2Sk0h|@sIqCa;1Nt9r z{`IZRW^C5HuR-sKypQVt$e~f_@4oHiH@YvOkDD*1$Eo`<&0Y%XN8I=6%UnpKx5TVXmF~1;w)N`_X-~-Wv{s zwkp{pOA3eC{66jbs^WUom7dLGw5*1o^SUYqpt=A2`KtRZvm`VU_%ybTsN-yEf&@Gr zH5pgS`c!jwoJ3=rob0e4h+%r-?Wny>#<+CaO|iNTd0gg@+i;Ct>JMT$jrDz9Xy>wa z*gQKXNH4nb^{yugYzO-8!Q4%7ZFB4$PlH~=<*@H=npAld{Ly_LS9A4vlOP%G{4@Cl z-n5i3adtLJb-}!!GTz+gxL*Kdd|TjtjD)z&&D@`s%_g8Lqi!3jlX{lpc7sUq9zE8ljX zQR3R}(C&oyz`MS8iJ^46)P7T+`|{^iP3hffzmPA-?GuLS%GWbIHSt~d>xzl$_wY5l z+iEM$#k0FnWc4=~WCY090Nfc-`!s9&I(|k5#sK*Zss?~BA7Z9VH3R5m_nwm8Qow+& zB|qb<;Uhk!b34ieN)_b>ty;|KR3QJiy9^CLe{giggC`(U%kORD_zf0hSiMob>s*UR zyyn9u=_XdzvuBi9_Wf99mlB&P&*)$*i(svV@Qxu0j-&&d1*za98WLprqR?IzrO22q zz@v@k%`}}oO<5p`$o~6;7Y*XJ|4^Q#&@prNn|Psdg`>Geq`KDnsNG_9*)5VspkRi03sb zgS+hJtesg|<+mb{e=V3%XC3gZ29)S5AJ?2&C&*^JORQdO(+=K*C1CyQrhl!n&ME!_ zHNV}YHCe}|k`&27PD3|eOO88_9TxWDZk!pGNJEkk+O zVUB2;aBfWDD<|r=u2skl`=vtfGgNuj>Dr7EB}0NGmQmI;tfTq3M!%5Coj&VMJq&JA zTSiP8n5QDvLQnc$nailLDc=6*o39i?L|*8k8~tY3L`$zkH7u}&@u$-U;R8}G-Uk6h zOIHZfcwq9HS7q5^7ADS@=~W7v>+N zB0=^R`N@A76>(@&No7VY+CBw5FX}B1`sIsJ<7i+k)TP0Y z?pwB$v31rL?vjf33$-!n{DB9TWe?b=z$9HG?sALo4fuafxA@3IoZBpxP;3xt zh8lDXBrkLLpkXwJnr?zd=KT zE5}x+nFJ+;N^4q$`~$24W+ay$wHbtl4*sQBL=8FAYC02_@r!>7BrDo4n+%KaW(JRe z^V_zKEKHOr1Q*Mrgq74wFn~#8Gm!+0vMqV?STODk)Ef z(4UCrkaVkDu#{M-=9G`47ZeUPH+~l z1^LyYV2dhJME41mC)ocL!aVK)%mpTu6Q*kM183(iJsNlYfdKZ6<}!FTJHA$~KF(Fj zB<6~oofZ8e$Z}>iDRO!N$L%O1%T2BQ0kLd=Tz*)9XxjIV~-gQPOL0Q=_-~3`Y4eudFgA*9v z7bVxi@?=I>RYyzrln9%t_ic(ucaB8TI>lob9+AWi(WuD8bPcLfO&uIkzXZP|=CS=F zIjMS3C6?ytTe|k@YQq>UGOy13-|>Kt`Xh!W=?h#2`1Sm~8{g*Qq-Y=X5}|_udy$Yx z7=8oMKmBU{<2qvwl+eP9br}I$cmK_Anc%CNb^FkI-cCW;X3taWgz`4IKEB9pmv^@; zKwrPog)Ofv>P>PK_yRvqs-Lzji{Mk_x*pnxr!^iXbUu}0eol4x*fxJKt#H9WH<9+PFKF0ZZWEVAuR%ss4t@F7pRDQDQ zyk;pe_G(-|OC4{!T+&Ug3hUmP8V>@7$$GVp@LHYZp1O>5K~>l7i)fm2KW-8FX^Jku 
z$=GyMy!oyHuce_hnV^PHS9?DXDay8@H>%xOjN7+8Ap_b=&fc-&RJc$6vX@ z$c#~Z&JDt4wyK_gS|w{7S<9T3r4JUG?Cxv6ZlH49GV}8JnomcpY3_cUbLigQ`C#Mo z-Ydz)t>09fnHSUZn}%4g{J6zodR|o9u-Gp;az9Q&)ckC@bYuVLFy&P7yJ2#zGxE8u zI)m#bZ+$vM<^kZ|nn)&|iT=g~M78v^h6nd9~`6>tU|BvsC zyh5(YSvX(U!_T(>FJ0$sJOOAuFgKvt9tazr2_^+gEcGG#&Y(56YXhZD}f zluRj8vn&IXr$G)ru-7L*R@UdIFrM%Ku_^JG=~7V^WhDTjQOJpO!$7$51J`Mh5oUFd zxcVuGTMycRAMHcpPoQ*`;#)Z7tP&^Z?x|$h{tu=pxP(X01LYA)vm|GQ6Mqf3-crNr zOsgm<<9>aj9tJFf-=!-n!>BV1i7DCFB;}8yq0`G`5On}5Usk<>2&_4A&0>}Qb50fP zVoS-eo?7k!(B|j`J01Nx!L62x8tJOTcOR*aB z2m4tUoHKIJG+1R|bcSYoU>L(+=y?{EZWdeDiN3-(ws4pMvjX8ZZKQkcEPJlXK34;U z^IO$+HP^3B zynJvmmVbO>rcTdFK9J8T1qZL=a0M?#QL9%*0WcN(1Eui?{=9F3?7!nHQWNakSabet zru#g`X@K;9YE7dnC;?yy+4$ZW zxP0|`n1aUYL=5hgSPOGF?^C1@^IL(Yg`${?;-|lXD%^%e6fQotrKQV8Iai&U>d>Px zf`e9o{3TpsYhj^hRGiF!Iq%`4C{}eiD`iX4!Uo|^84aI`qIT6jngd^Ys5d=dKC|r# zI(Chso9FjAsr0*+S;o7VpP=ghaypK2qeV}APkcMK@w7J zLRIA_^UK;mB1c-vgmVc)+L)t;9ULPG^IuDnW>KefWF*!3Pfqs7HsCyv3~gz}?hLr^ zeaaWb{y0Eg3Pe3x3<3XY-m?cLOuV;R!=Cnq3j;{gd;g)=$YOy(>JU;=`Fsaumn`Mw zvZEYn^5~+@1l&+Xk*rH5|FYb1IRAld0y_B~!6sHW2;&ikB zj^kmJA2D=U-*8djbLYVK-Z8%2`Fe(U&4(l$XC6V^yYQV=e)-NSw|-}tr z+J`F|bYGv-*F3FnDUOFLRCwpO9)IfBi_RsceOzy|wl^9}zYd_C^wyu6=2(ZPx$ke) z^x)3D2Fyxyz4o7Y2+snFmiTshBFP`7l+@T=9y<}Ivv)djJ8~Hjc`U1qcvqZC&Z^A1 zS-1@=mU;Djt~|8(8qc}>I)Ev+WEFaMr8P@bY@0&Yt!t$0bpv#!*~~3FH)_>-M^{4U z&AJo#4-->+5$ArIiU>UC3u@c!4;|-AkIn6uO(f6TPiuzbn}^xaX4k+}vwl&1^6nNe@F5OwR%hfQsMZ6r?I`>VP+jum$4KL=Ofz5L6 z=IKMd=UWxFZU*nq$wp1ByNFLEqk7ZYAG1I14IGYDs=ZHxMEFWo@I8**1`@2g9F{=I z0<`ox_qkGkXL_7u&HK%HyCn*JwzF#6O_rqk>?eSq2W>9j$85X~0k-o4^{(kh@S3mY z+P7anT-T>`ZDvc3-uef5m&AgEO%v(r)_ET4sSt67s5%=@psDz3_ohwlgtZ?&+AFSZ z$Flm`QbnpeYQ|l)IM1s+HtVHAO7J^Ys*kghxB>KPW3sw0hh%DWzy2b-b>92A zoDR3iv)5xhZ|?a%+4RtAPX;U8F?b;~^az3Uo&eVR!_2lotj8w5G-KIV!W z&({v90&A~6Qoe$`JAvf?xzDv}w<3{*)Aw?#NxYbEDCfLf9Bc(qJ zciK)H=UkgW$Hfz1C_jOGUE;_@1v3!N z+yoK;$DoF=Cfm0J@R%fL-b!U14ZOa*AFlnrjC==cJe;9Nkfd{0g^q`X+LmOZo~11Q zzHPlO5i1L8ndCh`Fg+wAOYO5ZDg5cV!}HeSYBs=ny%uI1)IVST@{&2+*jwhJWpYRKpiEg#IFx~f 
zBG!Ia9>j)A!)7`TTsUM!5@edct$6e;{#st3BH_KHq+u~gQzaZxCqfo_kDltmI?UYbsd|Ja{Y`pCBIw+v0yg^4 zYFt5nOM3+(%lcE(;i9aRNM(n?u23dfdfmY{tN|>RnvC1x5LOfw%7BRpojzC3F{Wj&jY#i^5RFqM5h)g+3y_Q9WV3o$dZ;Se6j2pNMr06X6k}qfcuK9XHeEXkJ6~3|W zoV6J3vvwuhm6-bvb)ii$8xcEHiRKXpPn!``0s)m3fuQ?+?$Y;HbL9Z$?)1Cz4|%#( zh_T3*Eu_Q#h^%>k>k_YwpY&6UCfYSqC&GAB3%N3tjv?|!z-%b>U8xmW4z9I`!jsx6%kPI}0(hfNWleiXB|WE&F!W zv!exgpRvgqN(3WPD01A0w21*3ljJX%sR}^=Lb!xQip3F0%;5p{nMbg$2fhCvZ;<#; z*(I#dTY2kcWLFwiE?bb5M#9L#n+0HlMo>pt?q23c$(PAzbKyuI>;>OmhpqrfKYE$R zWT4_ghpE7}`p7)gI|O7*wm>F&pS7F+;H4_gwDjb>YyGUvvSy`gDqlATD{XV^7AE>d>bbY z3eXTp+9>xrizBT-Z7Wlerkouxii>392zVHX>OGZm{w{&mfJ5^x1!);a>1_M-yeLVGc%T)Lbo-zT_Z2txvU@Y+{tm00}Y?j>(l=`{G^cBYwf?QiN7V-=Uals za=y{T-^(w-&%lA=t}YQE{$B1U6vX#sIG`8xFY-^(o$uUL2j@D|ljm`GP*w6F&iwS1 z!%GAi>a;sB=csBw+l==8#Asc|o8N5v>uxiMZw&$%w`o;l=X`1|Mf|Sr2V7s?-p`{s zMy^O!{iJf5ys8(AwYh2UWOGl!+YaGwUqYtaYFs1fj^=BuVz-buX(^fk=(ZdrVBjBl zp6B#@y#~grZ9JH1jZOzaY1iGRG!wLkzUwH6>SqanI~<|#d} ztXzC%V?o(E9|coYwe{2Czkjk+Pj(4~e1dEV}FJ=1@4;)DI(_GZsEzl)3J?ED%(0;Z{k?HtAt{I=ZNRZQ{hpHl3){ltz> zKXarno%<_Ye0}6fqmrL>ear!Nw2fhC^y-%AnbG&W~)NtjloR**}YKOCX?VO@K zHY^dDuDN;IUXBqbH9ZCozWXHBNmTh&dEN)tW=rs0`widd-rhS_x=7L<--EW=Qn_R{ zP_r^m6!})K57=V6UzRS9_RjsBA2ZDKe1^NY`0D+x=!VVMJPge}e+gk|zAj} z$}4`~4sjhwRoJ@9KtNkYUNavbMK`P4u>o7hZL^)e(7Y}?rdY?WV=)0PZ$6jscAFpI zw+U#pFCQz7O`QDP9}V3+O}!~vHj?GjSM31_@})|#+PCRXbzIFivr#2+Le1N|w!kH_ zZqpAS5fIq(6~wQn1ho0iGt>Pi&uqa=8jQdBnk!zXb+V9;fVztQM)OJbn7hvhNSffR z(Jm|aJ`j_!=zYysr7&?wV(rw$DXw|TRVSH)Ts(Hsq0K{W8xHzERTvAShQkaCT$}dGmsLm8{6pT{RWK`=53@ma! 
zExaj@SxCfUIdA-(hmMl;F zzPJiDmuDaebD$a52=_osCfGKTZ`&0>LNH>3MR|!xoQ%n{O2NvqX$>*?3_nt-=c^F* zf~rx^At#uAitWu9VRacQ zsY1}n3$~6^n7Uy0$`FGdE6NrRo8S`b*h|)cq}sQQ)w-yGw^&x}L}f-%dD<*al{qu6 z1B`ErwHGpB?2f|}GEO->p`IZ_Qp=X|dF>R^lcYsgKxCH;_;*fetwl}qQ>Ee{x#LW_ z#8u~3Ve*seen}>fCoyT#7)6QyvWj_8#IWYbR+hW7AWZFh^CxOZIQuuJQb)tcU}2SY z^aRjXW?e@6^_mtNsCzwrJqBP;^*bEeI0a|g7&ObxFKt; zoz(yV#vd>GMLK=k&L(oPuhnqPz%ieG{0iX2wDNZbtMG_y(ltCHAHf6kJjexP{Bh){ zhkS^f`&497A$9<4xLiPmE~?Tui{?q@mvpMr!oYo}LpU+uyBSxY@~0#3@%*ouv3v#< zr3me^@6w}`Lr%{!SvTaeD0zwp_1P07=|K=OAtUWS204<1rdcv0Dy_?7!r8R&D=M=J zTs$oOPk(P~s5t%=Ewoy9rrGoaiYdXj$v+%8P9qO_mRqF2dmt6QCla4AN-qNR`Pl|g zF`NVlw8({R7}V~E|LNIEMX)GpTE}4bK*alF-^=lbz z&ak%|rZOiQc_GS0yldbQ7b@)TMh6Nks2hBg8$^IPS_{b@DC4*sJeos=P5Ck5v6 z?T3R}JON9-v@kWdzYP|)Zf@W_GKY1*=P40Qw&=joOTa$`O2~ip`ddpcGWB8`i-rCIPt0#k?p3odc!e=_2wI*hRk* z02YcFC+qIRCXC3zMRT}@GhqXQO$l^kI#A^8qD+^=WtLO$=jdZ~l4YQIDBMD9_a1rF zja1^znV@AB)EPth|2yy;@Vx>uF(_63{_O(KSCEm3Ti5QJ8i5E{;XrUK#8lL|%5T*KV2#e<*r? z9b$By`VZ&Bn|6G$-9)5Lt+{qrqjyoSu3oi$oQDRIvD^COLD=bB<@4n>pG`&LvtGVp zG;i?hp57@{YnuQQS!>X9J&2_6Ti%DxE~juUp4-AD7jSs8AxA2H^ z8*i!OSDmK-nNm!&?L3T2%ys?eVYTS# zBT>EWL~Z9q=9KlQ4hD1qx@q)ESrXL>qUW>BH~*$UVX#M5((Xv@s;O+ zhZt_RXvUV3=XqsybLR(OT{pe8hxRVp&Hr6i&-Zo{(M!KM^cstHHe|oT*72&>%A0$? 
zd@(1|Rrf;r;mc{NN(aU3an9`PV-3a4$4N$P^D;7m!~Hf2?aBKt-3ndL49yro^(<}c zU~Muj2^1vazo%m#gl53}IlMN0{ag=&LIqndbtnlO6t@YTX=d0-f>b&42Rq_yl6)VV_ z*()Ld+;QE)HORH-I_+}w8GH9}l*phXT}GE}n_aeT+qP}nwr$(CZR@|a?>Vv0OU8;7>uEjAjF~yc zH&XhbbW<-zC7qZcAi>Mj8u^xleWbtOU#{eKQ{PH%)rl8`T+F{`08cscw;K;RZR_U8 zukbvqddrG^nxuT~_Vl4Zs#TPcDkzLi&I)CeMjQp;OZ>m9b(g@@%|*h2ols_NBHbp* z>nuB%VGJplf$P0k^R!F6BxVQx^-M4hPdON62f{jSyB9?S(~x8qNPwnqqyj z7on0k@{f=RTpDp`ol>m!d^P z%@Jz&reCxMBa(nKP~|wt1XZ}Hryzc$WETzi`^EQ__ia-)j}1V46N7ng`(Aj>e#Z+; zi}1Epm4;*BV-E-&((D8qv)h_M7T_0l%NKt@3ZMu~MFLZ{oNp>bFAQ1gG>KVrFSlao z`-^VO9o}2cmqyw5rX7Qah(lcclXYPkfmlwTS(0Szy;*5Sk0SX(p+tTiPF&P$^b`&G zP;M=deNO%tmdMOR_r9Q9ON0}NtK1gMN-4oe@TD<&tmNK_?q4J!D^3uqJoFg)a)i;6 z|DJ|!T5Vu5++UpJQ8w!MQFA+af>a@xittEdLeb_DRpB_vq`pwnR#Y1md)H+J(^Xta z-0Eb-m0DjBU+b#0(t;yV%i?)gwH#^qg8#2c$)x8C8CI^Sc?!% z9!eS9=2$hgc*Bz~3M2d533N0-U6% z&1yqygI+cDMgmTF>q25&?aFRmXT*9+bN-@-^P_+nB#c0;{nAEO{{p;@h3{PO0u;Xk z@agVxzSrK+06#nrU1Svge5^0B)6bxbWR9UNUan)Alb)!hS-A6o6~uA}>ytM}6d z8?MiNZ;7qBjIS}g7`FY^m}=P-4(DYOiLJ&J3+QSJsuv`eJ^2OY4Sa|3E0ftAx`LN; z!c?Ezq6Ik7950ufilTX&?&Ez%TFnx`bb|+uXYYK*Q?#fGSd*|!8WS?C;-kj%4%qZUE zQ7IOn0$$wCgXN1!wu4g#G}jx9%gO!smQAnQg-3_iB~I$*vmI8>vr7+WpYJ=)>m73w z+&S>a(3Ea*9sB;NnNDU)xEQaSVh6My%ZC>g9iu#<7bd9B1i`D0W6%X&_s4bC_8aV$ z_Zi?Uu4XfjWwiE|8@a3{)Q+3Cw6Cn`dRcp3-LRvT9-pNOIJe8b1ACRqT4FtJpPhe{ zh6fooE?b--*Y~IOteGuSb~Ogj968rAIQ=^ z+Gz%0eJw3KF9Q)a9akqkfI|S_h?n=Amo6L-0r+d@ zNbwCIxDfd|*?{;r?PDd&WIwEJF#F~Q@$b1aZQ!>U4^lo7j~Fkac9~a3OBvTzdP2*e z?j0X>;M=UsCBp%{aWxOXQ1`JW$L)>wN2Ubi_m)MD!&&d)dY)J}=IzeAj659aiuElM z)5$vJkXX2S&GDvt5nbwM%q112UAeOn0y}>w?D1tTxY6!C<$#03HHN43Q6-FBBjD?a|M-=1kiU&ZZU}UiFZ30r zD=zCIQN?`$IV?!^Qz_KhZ9C(5go3IAQw=VJk0={N*Lav=TIxDARq&V0&db1xWMo)_8E%${^MQ;6lTD+j@7i=8~9vT-XC znoAs!3#cHLoi@>Jk~Bc4FKrakA?xR>WQ}G8DHB%QmDgD?2v#?R)(saEGGY(OR|n#d zE5epw?nB3k3mPqr$F7nmVokS_Ol zY1ub}is>9N1|lbEU6*-0DyV(+{M)K4(QNcf&N$TKOTJ$AiX_5}_R4`Czx$coEg${x61&y>dP21vNDaa+G`#C>vix zh^hQFWJN<&88cr*F!6#V3lAq1aS3C;i&gu&{thc;4ET9OmU1(5YQ*yc{jIVMJ-H+| 
zc*;b}wdw#xR0|M0kNd5_D>3(o;x6eiEHKNKiC4KCEHP)s(-KHEmKCA$aaUD;3hlBK zpsC2T-TL^Vmko1J+W^-d`Eh?I$x`$vbMarz?>F{Kc+fS2EqhB}C$}8G@jbbmgxE+o zqkYIW*B_1%_cpDWdo#O^OK_n`4i9@L8{fDzLq=dr;9p6s#0m2bF@q)S-M1)9Dk^o+ z7(olUn9h+f0=C%HMj@(6!wZC#@Op6s&gfEMo?sg)fD?Kk-rdS9lL-6Dm$_lEN&6hd zEo_NXWe}f6VHC@EjOjAt%*o-Q=gr#FMagU-@Qy2lz;4y+&`+?T#N{ct7(U8aDori1 zDd7s0M@E}B{ZZ_16Lyg>Ayr`5ag7qSz#5cQ=Ey@i}VjK2famIi|h-|#7;1vJ3Ejk{D-!0 zCtEl`vNnwtVWk!xNJ29!PMbp+BMgG#_a#t)>mV;S(B#+dEA5RE7|1T-|7NKFDk$P# z20-?9N|y#3+sk~m;#vSC+w|`CSnMS4QnenMOtF~d*}+}O;})6+O1Iz$Qn#$$t5y{mYf@>NOiD8C$gcYL~Kfu-mgRrO|yDKip z@IB>m%a4d=m6fMroMtLg`xA~XLMo{d%TnhvYO<)6ct|4Nm;b9Dl4`Qah)*XkOZ(qa z_N0I&Ch%bR1<#}ec!;RHSq5N#_kHwn$pQr9=>CNK!hWB7$3uEgdB=0bEd}uFVHfL$ z3Vbho?a-_rP&_r=E_1?rxDNfPayA+QZDxDudtq@ix={(x0CWe~ak9fw(1ZfK-x0g% zc1Xq{H>UYm-#p*fAxT@oZ=aziclXGOD>hBZq8Q zYwqJeYC5OS7c5rFHhdaXu2Umsdi3_xa%|rF27KOL&uLY-UEXmi=~+8J`VwMz-NwH^ zn4L9@cc61rj}}Q=a_-JFSbxF>arfjSc$q&Bhws%TyooCB`=eJD<5qB)mjM)ZFAHf| zI%?gn*Ob#6klN0Gx|2%Wjq_>3m>*rU!^@iG1l9sPR}~yD2hNzb;}yFI?#pr)t87R1 zpQ?x1ij(flRzpC*Gnk*mbLGy#yR(h` zSr1R`&5%eB=e9|F`ZYPuOppCBLxoq{mqE)l;)M14AgD;Fgq}~@ou*yeebUNxmYI*+ z-SyZ-y#*Ej)T%`f8eY$%Q_oA_8{4uQD))J1g~s9>_hXnxwnnMvsG!Z2&pTSyU^+CH ziihKd4bP|h@=mt#<7!yhk+#~`q=SPBmmHf(l@;rV&5l_VJe>Po7$^@X0X%2+cLomxxwI~>gh9AwoP&UXV@+gF?5}s#jAhtbtSUxeV;7Ct6{J<`~zIY z;rzZFFy^hr?N~?}iE&ZCzB*EV&wc^m-2qmr0dLuFytj&9Gqm;JS?@V4NplW8ZQnL| zsh=!Zhltu^--F*aRl6S-KHdReJCkClm8uDYT@Vir%z%@P8(kW2dhUC=;a`Wkm5F?8 z+AUF!t?-VqwX=A7cLI=c6Wxd-Y4jjSLC!k?Q^CvQB@qSbqkp(@AK7@rNza9ICdB2| z<=5$3{~ZGLOPZ)j9SQw&n3Nt!Kv1;i_@ljt^jF1_MI$ovf{3wxbU1Wy6f#0Q!MI$G zV%tD~phm^lZobq-Av8D1VF|cm;I^!&nfOC5@#@-7tl_yYlV6v!tz+J8sL zS=F*ikmN{06TZ-pVl~r`7j=r<^phcRU&*ZXD$HBVEO4w7A$0ew2}XsOpE`Oa?ZX_saKaR{+esahzj;iV@4im zNGo07M+RG-fzzzxS9Q%(Y;EBVYN0#5)Dg}J;5POyiTi3 z(QMYfo<8~fB6`OX(lCNP10U@1k)Pq{)D=qgvpdqSTlq?)B&DVTfds|8-N=aKCCO(_H?s&TyrC8TCnxd9W>f3lcJb>*tX9f!%u6W6I!u)B``8>-HD zN)Ui59Pu77!^D?66|M|7?h>`byMKW4c_BvqdH%}c&dqEZ zNkpbYJAy!mhn0vKcQ#I}1FoT#8;ESaCCX~(tO?a&nue0dhGmM+*lW(-A)kmjoog-n6 
z4%nXsE|1)d?GV>cX)iyaGlXOkSRF#3MR_tW!toEFN{Bkz-{Oz^qZVi18>~<& zm|i95s})+u%?6HG*N7Lee#f&p$k-_Nc<*Q&D+zz@rD!i7P`&W0+;CaG#%Y7~hyYZFF9UW6#$#+uowtSVQ8#w`3<(r^AfVJG9Q#f_iQ9Ti?h046paMUl!yw??LJpoc7o4 zk9d6VG$6Xu;Oj62t>%)-bK2=>a3Jm5Q)jWH?}MAi>KSeeZG|fgYEsJJuX_oXw%e}LC zW-Frmhn(GaeG4sP?R9gk(GfD`ehp-v_Pio-f^SD@Pi9qcMybVyZMAO|z~$YCcupDe zt<>fEkyg>!d_W+hZHwCcRT4qO@_9M$as#-3{*2!63CwEUnz_TX=K@5xgpL!;*qz`2 zo`cXln^zf{Bv#UITpDm!t?0avk$PV0_fF=}Gyr?#faN`nq$=9htLiHj-jCFOcvrZ! z`*F7$BIY?Xk44|BjTNgn*NNHMQ5t)*q~FhX&1hN8=5f7gicxV>^BRaZyYply%|cALg+fB^Gid0g zF89`HcQjJ{8>`lN$TGqz#%rF-_lp)Sdv}v!4Y!XqNEXVShSeME_w;s)_tUKua!3>&3^|AGb%7Yt?qrnZx4BWZ^hOcFl zE>u-@C>y zMu9U%d83zGseX|ITFr}%m)PE3@3p6+I~Z) zaIah+1%pRF3M@#RZJp=#Avcb}NV1YUMtVjDGfHbcq=zl9A}-Mrkt1wLA29<_4>v$n z^^-)fmw*@%&(?|%}B39)^{)GTvn@mGWe#q=66SaWSpA;WMzx+9G@>qR=mz}}{ z#{K^ZC@n0{9%yuLS{7;8Lga1z)dBqgsbKzt)!+fuNql^uyH(ysre)fHl&25e`RVXU zng$^oO^UBmT_zhKOkW*M9Hxg+_Oiqfgjk%ZG6g)eG7mSg3d+XV|4^HWsS%G*;{=lY zLkO>{Y2+53WKcuSIczZn!^&UD8)>J7X%x>Oe{EjE_~pe8rL;l6Kz8V{m%F#fFNd=a z3k!+)h0B0_LKolMN~0MJHXwmk0K6(%{?zPGl5hZ%iX&)hbg!G&o?toFW?ii)zo)D@ zyH5^@5Z_geg$1G81CiW|K84YqD7U4)bZtP6W)tGx{1@$u2`;E=76#dh1GPYuV$ul# zcz)!!EEInZ@Q_^jCaTuJS^U9R)VTmjKvO=Dl6z2mW>6wO)p%ME;*vq!FIs!h3i%{R z&-4Ri-(W#Z>E#QzR<*h!xz2^@&qy6E!1f#Om+1M2!Z+iHk9Y02$@bI#jKF7Ht^29g zBbn*bEHqTrfsqbebB4*c1rFG_t7AIEg-f05iia{#3GJ0p_E7qhLzes!W25fL%8o=x zGAtzSRYmf|Aw!$=+w{Gt_(1DUni;ekcIbA0563krOAz%Y@}8@V!6i>Z7oT+SuPZ`< zNcFX;=bsB1OF%qo6HAv`1y>8>5OG%%t)i^g=L*y2$dwb39yc-B^kN&jphurG?>45K z!~cd_A=6c)5QPDfVXZfimU+aeWkAT1?wb^>a&I0CY(&Hw(xg8MMw*wwFW^U@TM~y8 zq~c6!(c>*(#)bt;mkoT&lx|?3!;)vqj?zpc#z}H=uoOEruD~HA9?#BE`c)&WCN|}G zR5%?oU+1s6kBBH6wQbw0931ukJF3pt2`>{sgp4&}$9jaHBpWAsJ}H|?c+j;tP7a@? 
z2!9LR&uKnhFjS0z735TZ6}$GxkelY!ewz}t-nMd1p)XG!8zz8>3PqgSZ~B=)y@r|m z2e*$i#Y6;C0j5-@>kDM5{uYmN0qH(jLnMKHP3O)+y|Bwxf;!2xze|lPnB=Hq4FjPy zwwPc@ditl&xn>HD9Ry52!0vZhdmJ{5QUXGmHa~@l#sLVHV5g#&eb4Wz$=a&YG4Cy9 zL|O?tif!u0c;)D6m%%(pl#tm{)$oreFtt-f5m-uE@T2aC;3T(Ua)1naOXuzh9@Y9P`%2p*vWW;7Ch;bw8mnKQAx(jp=enENQ25Vj?HOewuN z6x9DKU%_Z%1P{dk$tS?uzh#%NleiDGjpLOUJec91S&wY^s~v#=_c+V|$<_68ITP}>g}ba_ zg42E~E##WtFbyq}-2>q{UEKtH0E}kUd4verX*VYLLLI}!f~#qFQ~P$@aeIZQ*)z9x zk>jj$Tq`pVfBCioy(fs$9rl2j`5B>y;Zfo^nJFyrHksi zs(mamrSUb~g+^KBspC^s*z_rAGPkcFF}ZDlJ?dAdq&4+#}kdlb9!=VdHd-HYXg4P zV#9uyzGmUFqoucHwAMt!8{2sYpEJp3=hwkm(%t#+gM$Cuo4LyY|F-XN`J{=7g5S6z zyN-DBA$^J{sl=P4xvAUg-g<;qo_t8Z)tGF~+kC@w{Q>xdJ^cvB3=yg>ZK}T^_j|sIEE|F% z#$~bq3%`4Id@gq~0g^lfR1}{?B1d+4j4I#A(@B8TR==l_?jm$gO%-HG(ZLA5z6{Gy zEz*T+Vio>0gV)T+Fyp8e55ozX(dg!R!B-=pr3a_%e#8 z1Oy)KS*ja*Shr>L4Qr7n?Ndz6wbJ}DqTEne7*Gx_?iz1Bb`cR~H-{Uqo-;QVTLM8s zAx=+Rq*7eJ!nIP@%2&NEesHRtBR{933m7WO6 z7w07eRQpPl>eN*co5g}WFZC>sCz4MrGPKqb?W(tN=MYl9CZ_mrMa0OsqfogC}Le)J`1BFA*|0+}a{ZGDnXfp#D?xAGEtEiOOQDtn_09 z^I{|i-2jLmrD<5`RQfp)uwxmCuBbqA(5+1f?j$*=w7!Vr_Z1(#_$z9`-*)9Q%jgR;RV+LvikvqJ8!eGsUyHNWq3O z7ZHR!V~Sk41FUZOD$|siIznaJvlr2sk)x#t{iBvem+io1lci>F+Bh>Abig0z>0+r- zl4T~f2a+2=iS`L365tur;db&&yT8+803j!U$fb1UH(+gmjx)+@72s31W6EvC=h(a= z?SOZ0Gf<7xf;4=|ct+ZeJ@*=oxC+CFi3>}eV}4xmvoriJs{Vhc`zv z6dC1lNwt*we<4y$>JS1We|uvq8})ky%QuZcu#Q7un~*H-K7m+W+NP2?UpPbwK#Y3ScszBhx&G`L|k6Fa?Yh zDUZ$U@23cgq+_vGlakRwjq4#)i30{0CEHdqgm6Kb8Q8VL;rA$TD_R`3s-ZBzNP!wl)u|$y zRVAoJJk$G8&4zuV?dq@~o!gdqVZXJE2mMYOKhZZwmlopoRG8^y*1U`077tUEq*#SW zwuKl#LdmF!w3Zt&DIe&T17Axi3I-%`@g~%RNa~NI!5GXpCG*=H6_}jRPG1=HJZ5Kx zl*)4=n=~j8;rA=4n?rDBhl#a*nHohd&{!lb21BsF#wrK$E1xYvmRTxFg9s%bh(twZ z2sjvYt;T!|vl-9_My^^n%rmMZ;GGAR&rxiYYBA47Ta}!rD@nj0<`1z?BE*W83527s zH`klD2cVOkVG@%R5cRhHO)U3U9U99PKXC^Z8;T@ae+<_oO`|D|8viQ}C6&ug<&@tX zOpcU8wI^u(-+l7`-z@)UsVwIBb8*%GpNs1c&;kuNM=1mHGbA#BO;{G?>EJuyI|7jV z;0xGA0Ow~zA*}<{0yf>RE!q;4QFge@D^`km`8>J0>~6|ZEeetQ=NYeLl@gwqA5TXh*IdM`<{-y(c}+WY7{~zAxc3uI<(@M5=Ag 
z?%_?kTlrqP4rsgg4!mwQo>5(PP@6AEHW)5yT-I+dK%+Tc==SbIl)tu=2eSsiadYgB zp`icZwOJo<7YJPYb#!ES8*F=Bc&6aK1=&w^$>6lkl%K%uhg^Nyo!I@@s$q_kuS}BB zxD0j@93D+<81XjUzdlB~-OiIPpI@rnH;y8tcJxy^w8gxg{sXE!JAO%<7H_GkyKgY< z+wuT)IpNmn1kC;6Ybnm^$X%bs;PATHf0B`$H9U`_Tx{z4SzW3?aJm;* zKf1i;+KaYWZM2r`lf4{Lo?gDq|GZ~p;cgoCe6X~BB@nN4_GbfHGa4;_4lIpiJt0Qxs zeK#&2@59_YJnDc8!Wf^{ktrHRq~><3mMxpt|CtM`JmaOlS_4=O%fC<1)PCq7gJ7-n zpME;BIU!#nqUr|xdiZiNC6NBm$3I;^go+!4(Gib@7!7yuR*jyAlZa%vI%ic;$QFJ1aUj&4 zbJfs=o{L6k8hLzmj(&bJ0$yJT29-n5G>EG#-=FYeIoZD zX&V#h3a78qTtah9F?#xBZP+u}CA%nUR$&#U;i}Vs;w{i5zmfpVn_YpHz*6^CxdIig z9)X@Q12s_DGG~18>R%;)P3kf^yOKpvLgw5;QS0llfI;EfyUksZH+);xlGXH-)Nh}$vNY;NG+b0FhjO_6aj3S>7D3Z!$>eZA8 zK^IAL<#7`(%`4|efuLp_lj>8>nB%v~sb0t_EeAlmbtg;}Vqhn>DAuDQ?1d90>eM;z zSMkM92i(C8#;<&(qkW}SV#JSHCm1EYL~{e;2}=ztwL{Zo1=B5Q-0+@)?Zu~I!sCey zF|V3soe82s&r4+?+2L*94Fn7V@-6!?*PuI!`;FrQQzp@bOf*04xJ z%dJs=2{EmcKiX$g#)E&o$KE8LWx~-V)9QnUjk}wBkmU+zSTKiZf=j2!_p|lgf%BUM zE742g4Bxi}CS@X0Dupj5O8 z3rdf$Q{o@%18b%WWIxs2_3^NEK4K;ydR^?21N0PscU5^D*3ik}}SHmRW0$_a0G%qf) z^MseTWN*ctW#9C;I_*OG@$!=O4%m6KH0N*h>-VjMaZ)!`IB*S3)aYu?kqx9vz*H9F z3^Iknq?u@o+YN+@tBAoWrMIW5q8O{9QiXu}LpDqqOO<#*9a3k>3?ID#Vm^l$Wt$GZ zKSZ&Z2gbv^%#l|k)m_ccsA9p&%#d@1dW2h`1|%oy9H^>pe4d5t*M_i?X_;H4UZ#2} zD{fe%MyA5dX|{+}hM-|LU{`pW27~hcgj7R_3m4mdZTdT1LbsS|BTYUrR@jS~q>$=2 zwX%VIr-T#7EIQ5bs`Y$XYW5sFOnl99g(>k8wLM<}IDHnurp-we(ULI7--;ry_&y_H zI9O6nh=1Ey${c~l%>xu^DM`wc3y%3m&sgk()Ac}mAJr@K>3@dy1JjX_)p;#=Hc<8? 
z5vTvJ07n1CuXdjCDm>tM$31BQfE%`ge7pdCb_{TccWlAmtpMGJe83=is;_S1yUdGE zM}PNcyisr3j1=crGikT?aY0E=hf5!iS1%|j+zZe99<|A}!@(H+?)(}2);8y3MNkSS zU~s&#uW_+>Ceme7?`?nFgr;Nv5S=h4#|C43G=0oLZd5L^E-J}|8V$(@WZmT`5}IY`s?=H0^9SQre@3aQk@xxyix}l zm(vvZ%J0cV_2U9wW&NgAX-CVhMTTYYSTLL0I3k0`^J(vi_05073NWzJJ>FpwFtxM( zJiekW*lVMmc@y(u>9({&%K8$1_%f{y_PW16Vm*?xYB5%Rfx#scpdJ0(7JSY?j1kKNX+nF9e60Wy_47$__sXaFC3dFBPQ#y zdWC9T%Uqy>AC=AId?}pN9JJ_oex*ULfT5*2KQ|eFZgZo(?XOdJZvqs>xlWU^np2-I zcWSn-$7+^8UB6aTlp$8Z5u4_8aQ$_}sLO9^{TkkauH6c#bzUbls(N^u_oqj0@;n<3 z2u-M3%h|JU^tzp%B$`~lSdaFNrUDXPY;wvf)7O}LhLz%KNA)1J+J`nsb$qCds~D`@ z!o8N?GG!AUWHjd3_Hpc=bCSgwCh(lsKz(ks9v=BcY_vP~$iX_29(g_wBmSfr>A0PV zn_md(_?&xe1AGPnIvwATg54Lqvp)l5;^m$_UPtH6=&>F4()5)t$YVm-KRr0(v67#Q z-!`)^KhYx_4|qj^Qals{LYRXg4oAGRnr|{QPo>7YLq*OU8q5~jUXn(@9KuQ!YRuq4 z#6#kIjdC?Ajde9I_@ZD~ySYKb3F=*yDbS@7&wb7*)2##5kP@n>H+%9xLrv8f>Cgu6)du)>olnR3Q0jz-ml?TZ zDb@8^XABcM(+V3~kq6ej5Njy4$^};<>8FB{9EZyPVPmkUQpYT7kR2)b5(P!d-Z)=U z$$4^G*xB4}Oh>FS%@%K<3yzrbZ z8Gb`_X7qq~N~|GagnaEFi$?{8l-(9$VW1PNJ~fQ!fXo<0A~8ceQIB0s*sp))96)A(gejR1tp${J4eaMAAfRg-1Vqf5H=$>P0~#>g+Md??R)E{46-->uXhw^ zu=MPc#9Yuk9>Q8+(_EpB&AAXlo=STjvSlrY#AXg~^eg+y!c#f-%(16fdfeI8iaa|Y z6$g-=nmBJoWRN0;!r-yGeECXUx3$vXF-@8+U3r3e#Glphg+VMeJzV@^l^(AWZize4 zyqJSvRHdFd;l;j`jvOH2?b(x_>|4QA3YIS*?LOzH>wZ0dnpFR%|APMX-zO9= zg!e_=OjLB;O&k2J(ooI=eTeKqFvK|}8zl9@F>geFdUf-m8f1N5rcpLk(--SoZF0k)POJr)-bpRzhFH)St- zSK?jp!cq~=Lo6pDC){hQO*~Tz*=kfyV;Cn~$87X1w zvon-yuH%Ebk;c;5$JWhB5J*%0N}`EDzGXv(F?$rmL(SY0SELujA@b(U3NCA^;wK$x zj!ueaE`(FZz5HFq1Z|?|O@8K3gZobY6GoWee+DpVkXwXtqNf$Vv_Yo}XZd_X8%0O< zMkmSN!UH=(IrRHCZDpwjJD_qk{^eSm{G|jICs`Es?{$Zr$dhML=Ccowm+cYccK1g-bhD>Xjtju?lbXTZ|8W+}Ws2u@3VCPkxEE9> z=WCmSRfof4t0c$6$3zdq+tbYBL;m|rhPLN;o$;905kSY|(Bp-9LRFt9=F4cDecMq5 z@9}yZQpMfk0qDz+dA}gtj1PJHi90@4|7u|E06eC>jcltveLrXGShKC~RZICAcwMH)$F#Jq{II6fudfxprLEp=nI7_2vfIC(zmuo0i_EUSSZlOjU)8Tl zCtA1-myc7DVyCq| zlVuLg)hhSx#}2%fWY?1>4BAWQ+q9A_6|TI7&32I+0F0gNsv&E=|KtMInvT;BXp5$S z>n-JpmgDFs`^&Oc%dYg-r~g5WpbcsWUgnd04RVLD=GD@A^d^0YREE85L4m<1Otes-XLS=gVJ^-_?L# 
zg{PdJ(RY_mkv{s(@2M#O|EnR?kreL16xciR&llPNMEM?W0R5Y&D2agG{f_4J4@PO+ zrxO8#02n?2ioVo*O|%5@x2STfGo{8Pv=Yj>v#B5heKA57}?8dm+#SzQBJQt-v2yIu;)JL8^pr^mR;Xw0Emd$+a?*h<4(;&)MUX?+kR z*fPmHMBSpygQQ-z^Wg^?SQ8-nl)vN3QaOcIc2M)~+9ehq_82lR%>V zxDi*zEd=gPU95ZyYkPkwHso7iax=*mhjGvXb*HCl5B3o5nsBW~M6TqakRI#YLPv`{ghflz zPkmh&o3gicw0X2kaFN>|DHPbMd=VirgKxj`VLd&Pgtpmwh1tht${yTyBeH|)3A4WW)!~=O^ z6arRsSu2Lmqf(ica8ej98z8N{k3@6R&?zR5$`1@Y0Dq@1U-<6cUFBFIt{n|NV9XyV zzJ$95lP+M5jVy~dU%CGa_5v}OLF7xcE0aL+Gt02yzIU)X*@iXMj z`8x(6^WbA@hD~d$U=r-`3Hg5YHlu09{PUEZLAQY-IJ0c zC8gqi=osszJd>-M1F-&dB;?_l5q9E5RE2+;C~k>Lum}QB*pVX)VSA}t)J4(DF0lcA zBroS7#{i;}NkANEHokW~Kop>*(Q<>elQ78_hAx;o<}QDppX82^z62~+$)1F=#h-Au zN;aNM?-D4_q60b3A10dT#ikPWqF*NrS@ehFC-Hj>!(bNUutSI?;6t-%Lzs~F^mowS zuln>hI+2wJI0bp%%!zv7oKgvHi%dG9(3|%Bg(z~ZKI7j{G>L!iele$Ok%7Y3TehjY zh;ix=^=mVh`F+`8loo1PqfE>Rb(BYZ!5w*c&C)3D*^Xvlpa;xqnwC6BLhPl=8*BbD zWZ*n4Y!?iUj_bxE08$^|io$0+FZGWi#j@TO$&egTmds#QiuJPxZIxEG9HWK{??w&| z#4=nW+Qw|sPd!!k$|Ym2^6r}+6J}uylTLugNWsjTdxlpl87Bx@aT_BYG3CQG6(XLG+Or;Ffv`xcgUAX zx(e^dH>HeVrd2Ppaboi3XJQdV43F!bvP|~JNk`0i)#o9y2;h5*wZ`)yS1HER;N+ma z3j+)PYJlg%edxf(<7tYxh4Z#FsN48)oNzs2e@MbweJp!p&11nLCb{%a*odMrjpP77cq->!R!8C0G0PO7HzfDRbTJtg-yqV8MMvIw0uXnhURC78flf| zd0h?mt?wWGn(Lmzx9zd7fr*|9l!u5emV;_exYhODXZO8yYVk*gAke7->s6bw7*1L( z1f1r#p&7h;zPrPh+&2|30F=tsN$#J!2+R_xo)dt<4NvbD$&84fV1K!9{kXOsJb#s$ zn59~>m0GglSUfc}h-$LcT09l4TK!sugu1(AHeVtcu5 zX#pQLej4)b7=Y{>H~Va&nKAa|y6%^SkFWdgovM!F1&Oco=pYfxkBad=TAFp+n38L^ za}!!^md^7%sTAJxDhvyr7SjW%lxc3eF=u$Z#?QG)mpeSKt(Tb!u1@3?z3YB)~KxZpYXn(%A*Ps%ezfZ4=%?KaEEMI zcmX`GuR~;Oa~-Fm*R!_|ZaYo=Z+{P#@SdlQXs37Dn+?~O^M{emMX#ezt3`$4&!=jO z?e3$l#}PI+M+uva)hzer`|~Hp3QzZ;-sT4>xBACMw8+cU%5yf< z4eQG$#*1g;(kTNn;DBTVuW9AE1jpgfqvOhcVScf>=DO*``IVm*I;QPt{2ab=Vf&rY z_Ujc7F)t9~EMwQ>aC+s{fxA=J~NdPrgCGN41QLva~< z5NXW`BgzdrA;4w0V@_jTeU=tKH_GuwLuK_k&1>;4?K6c_PEglL8opBKI!QsmAj*rF zD+w=a#ZoSV^h90YFPIfQq%Ybct)fd3QCbROwhQN@!Z=zISm1<4f<8g=DO(s0T6XG2 ziL4bXz^W%j4ls)POSPJfoD~J?=_@`TiXIkB(&e*v!@1}iGAxa@gHq)50d1I~mV+z{ 
z$yfV1TR>C}g%|PXvB$NxHz_MniPx?^3dUm_&w@k_o|@;!nm0mr_MS^En}YtCl|>p$ zzL9ON8LlWYM8%EVWuRg+_nAEI8Xa?NS53HA=o>s4Iz+Evf>d{^9ED?xD-Z;F-HaM4H{XA2J6psqaOYcij*tsZWajPR8L6P?e(^y{?_?2R=40*LQJ+ z0&Nd6MiuhM&T>GkW4$ah#xj0^MPq(M1wH&JNNQBIRsF0y$YblzkNi))wse<<~3KSjB14-dB~E6-ts5{ zjHTI6E_^Yw(uA3p_fc$^c!5TKr_To|Cu9Zav*Xsh{HysMcJGPTlJ>6ToHwFj@dqe5 zs^7Ghm}jYD?wU!l&L`~jTfTd?WXPCc3i5}g%n~+>0iT7bbHf>Bp4L#V$Ei%+aHgID zCG1savmC`Q>BJ5SrdoBD~dm8U+6V60RUp#+m(km>*Y+wYhu32C@kS|{SU0AHF zKyLD!(6Au6FChs8znB(eVDiM8skh>iuo2niD*fziN8ztZZ0r- zsUWx|tONx>@g`pBs`1$?*>(rkb4fgSQd$J+3X}z^)5G#BGg!)ULVw*SSgp(MmG*Zbpq`LT1Ek%SC;^2=ViV!VLBr3}sGm@k|5`iXo zbW!YuL$PX4)P}YPtNf5#V?o$W3paSy1nw5;AXJ2y1Bk66c5mIsq9EyLF6!ybPxTmJ zVK~c$ZfdG&|i}Uuon+`VfRi*h45;B z3ZI!yqpf+Gf0{H8(X8|Oz7q8Dx-pp;EV***3%H(4f)koai|@R*1JGXBJe-(`MADYV zHW8bbsP~tpWIxJVmo%-UJLn#)Ywd7YR&nzie?d1m6i;T5*LaRSUM#!5&CFcgKcr>7 z7$e7A+3rI$z`vgE63TSb`7rm47F?o>a{ zelERaTV1uF)E~Rt<$O{PJQ#N={*88b@7ei0uQFhWoM+RwlYyhn0 zLN+@hzR76SUs|_T{vT2A6kS=vL~D0Cw$(|;9ox2T+fF(*I<{@wwv&!+b!+?;B@Y616Wr^$+(fX}ZAS3DS}@(Cy`~&73FT>pXI; z{z1zwrOGVd#aWPjyWPvxwRda})8YmdUzhiX+5NHq=6UeNEO(^e&Gzw6hF!;J0*XAI zt7)O@>$APYPq*_1LAEbE z^YbD|xQ=TgHkh9h2cu%Bw=CjE-Uv71xRDq**r^fXy;ud2>b}*_G}KbaIF+BgT#8~M z99Bb5LQU#nv@|>LE^|^D&DjVs1;PL$8QCg~ehPs7S76n$a*L3rF!#19Q#EUoC%M6s zOCOgpFGUXRA1V|YNGWd;Xae`pv+CU13H%FEnWIyAn3ZKxRd17Wv>O zab#HZ8YL@9A=qDsaHQs@DIP)L7I5iv@sPx4Mf|YEBS?kP&FRsA?a)Z7zx7)vXTrTh z5QX$X)`X2Y(v6aTQU4w`vY{mJ6B$UXxz#2KMxY_W>|TB3ktx!@QneD3PooO_7{TM( z{yX5=H}GRV-m3AA85d*N1^L&y5*5lGN*XzV%3$Z*G{BrDsqkJ;fOnGI6qA5!E!_xa7tV_3MN(2=h0ol=_d(T@4AnqB-!Lri)5w8D5g z2-^~^tN6~9x>YfHEeYFp1o9D-O6TG{bhM+t;nLIPJBELHtzumS2^`N7Wl4E+nl`d= z30tx}Vk9YwEj67qgI<`GsShPVG&t=Hkt+n4`Fi)cFV2VV`3C}K?gkq z5nDJfYyT#5DQPu<^w_G&GAiX!9&0w!jxSTM;2t3NY$PGidgcuJuGX_7y$35kGk}X8 z9cVfn|E0XIvoGkR$2WsjEC^)&jiAjmAUNpp!=fQI^NXpVm(7T`ULBTcIHS7oUD0Sw z^LvBrfU6uUHlwP7LQ#nmSI+dPQ>tz3gmCMwX_ww~-QM(IegHcu69NVloh+@sA#6SF z(%~lKI2-AlG-&0}r|JmSa?2-{z^&`?1lBg5Ri4EJu!FX*JTQ;gV8W+QZS2N5#CBXb8_qUb1c8(!tg0DC^Hj>t$l37&fbPPRx*;17v*Fv}tHi?eY 
zQ48`P;F8h)pZ#}xb4JdkD*fzZbU#v#{s+f4A!6PQsrYNk7=W)t6G;Lh41QRPn^r+R ztsXS9xJkGMqSiICX>YlIuRfWT!B}GscX30zxRG=`9FNej)lZ6b_;(}vIZLhbBV8IL zQ;}~qltDx`X*A$=b0x*ed<`pYuie)4?%!wXFLqCw?b5(VId|RXvyz+M?f1{T+HOD^ zPn}&=9)6E9+r-hS`q>s7nHewXpkTh0r0K(`kYnk#RS z<2m=s>658Uz|yqjUE8q8V)aIPj&u zEb_V+3BPVUo)3L3Y+XHV&Itz}fGzBvNpa?rkDxO-SAZK37d@5-g`H=xxJe;p8<)uw^7{axeIv|gD#~m z7+kOIk*}ZkLQnWxA|5E+w<)lfx{kg3JntMVK*u)6And#U60aX^W*%b5g$Smz1mGIW=JMD4Ht*B3h$}%ioe$Fu5+Q*oV)Y*#l{|OwLjrIiMk(= zjI<5WqqA_u;G<>!VqIz&advgGmOj*wDx~sv@L4gwC7DNO-Ch(pqwJ}KY0YS?e~jU1 z#3#sN$cJ2FC=+u160h=Nv23v8ac$pK@E_0xqGUS}EEZhFo%9@NOZU~KWvxxDH5q*g znjF_mC=K?wV_@XIn@Ilo1GPF;fTbYV8~JyL@tacVUxxDD6QDcE%=MObL1&cqmT#B#_dRaQbm#EDpI36pAq!e37L7D+hf+FWqWQ@IIp za9R|(-vHve6NpZiD5t({KnF_2vm;1K)_Ga=Y144+4s4p}P~3@vjK+!uFT}cfr9Ui@ zzq@8FGbYj(2J8ooRA6C-oecR9U05oF8qbaNt9C990cw2&t=!G2!E#ij6{v}O+8vIU z9K5{-LL0gyi_7Txy%J6Z84|y^z*tYM=f)%uvQO2sxl5reDe7MKwK2x_yhzT5rI+&6 zYu#{+OrKc%r0s?=;qD*Yq<<k{^hO= zYr&=7b-)v6XDCTzE`pRoR%h`*tl|m~!C`VXMTnZ?lxzvnhPK0&I4Itg^Z**_x9>r!3oAXS4CUg4gotW=Ger2wT(571^7LIFO^{uEzAp$=+Kb|I|A;RsLBUmE9SR&)@oF`1dl zDY)_}w9Izc0VC$nQiio$k;Ll_M4eLVgo0LOI(EM%)qMwV`*NsfILCzoX;w zt%V(sFjjFSJvPQBG^z9#J<7_7^h$DZNi?zJl*Rifw3}fp70Fj=U4z@l)%hy2i#KvY z5yrl^4vnH&k5r_G#?vi(^4|&-SD|4J*&I=Z*Kam_-yOgelrIyDqme)Kp#nRLmSanO zSb$ir#jYfQV{34kHQHucLulZxSs%wpnBxwG9ZBk?TeAX#?*1_wUCG86a~NdmZ5)^k znXza^NYlKn%br8cjdiJFjAvr_6+xL*Drd389nxCw5mJstBRKB#VX7_i!7xO-1rxQq z1d74ztp*W?n7-%$;@+0u^FW)(NUvj|jt0)*Iwf`P>GiY7*%5?ESicF_Y6r3Y#w3&y zgQLXERoK(rpy!T;K=QNQ60^&MXr>wS_%W$~EtcaveugSWuz41pKH-TNt%(;aYbX3@ zpwDkH_M;Oi2FQX_uka{?Rgai*E}XB+GeF4&AMR+P>tqN`N^_#pHl7t4K2QI_aDkn; zJkbeQs<9AfKNeGkvRbio{f1UyF2LkcgK`w!pc(;ZSph@UdyHC6;1(4xv&^zLY!KUc zpqd8u!=tZmIOv-#qLP0y%z{ar{F^vaQek_!opMgBgP5_MF1S`sP4ZCf-{Rn8U7|N_ z{&9Du087Skzy1N{3k3+bR!jI8Nv9|yYQ5A@)XW0kW;DW+OX2E)Lo#xFJh|-$onx{G zS?1aQ75@bysq?WjfwjXgMgBVMRC+ zqvTijRS-S|ukS-lUNVx-Nd*9Jw!8j4u&d_np+sJ{`I&Upw)@(SgMr)R_)pRc-+qM| zUe-?4P0P(f%0AO1DW2Y3$Ni$2L5It+=j60v`R>myr-#bt#ENB$I_xZi%aJ)xhn0Ul 
zH*$~HfJNLeA;J51yfeVbuAYvUee)02hk>Q&A_9Xdk40X4x2t5l!o1~OE=upy*|Hi} zkQjEa<32y2Povvp8?lVfWe#ynGL6n(`X;S!?V{WJ#LgMe$U`Zku?-NBNelS3#bRlg|~Vu z$Whp}t2sdCsy5KRJ^|7L6b!sFz$Viv5qsd7#fDD?UNpTAyoG_Wu7)UvK<69+hc8 z30&sukIjQsan+6UuoPR(`_)OiQaJ28zHMgHZ$v*{089p6gt+14SwtNUn4hwf=CgInW;!jXNyntp)zNBi~#RH+taJ`UgejFcNAWh(Kd zrMy1qKA}Ngpg?~wU{Pa2`9ga+_p9-<{}A@1|GTx4m9hMa+JTTC(O7or4%F0d?iA_M zH(s53J|X(FHGQuwYj)w=o@7S*S3u}yE9v>i21}?On}O|8SOG$;QkBkCi+m=;ih^=cn$7HF1J-{FQ}3G^ zYWMUi)DxT!Kv}G5-V&HP>u?eZHKdhq1R;AMU^ zRSS87`nMwepj+z{B)cv?m$TqN#S-$BumgxKNIAO3WH*Qn+RE|Tbq=GNvpwPiaYa5M zN4>>5u%1Y)VIEYlK|V7|bpUQ-j3fD2I&<*+KIe}C`Vvwx+I5@aZsv96e3z`qIaw;o zr&se(XsDs)C}gqGld0dXbCQo2>#-Vw#8|be5(NI( z3$ly|30|TMlEDOB+Y^aw%9cwPd66ua(*w(HNTmw0!4z2z6qq`KdoRnCsuAgr2a$z= zhK!oFu^u!cOf*l$o6`ig*75rMrEKHp-7OGem{LOaCFr>XL?plm(yA``Vm%FDUwq`r z`skAC*z&4lfNi&+v6fn?cUeOU;l$Legr6_}K&o{gT_)!=9TSE|!e>+*#Tt2$5bmy) z(yqWgksX594%oRDOm%+3sS72|CBtQ&4AK1OhAx!P?b9^%KH~AiMoby61&XWm=S9c! zT=j8tI@GIe5{Ob=Bu8$_bV=8% z63KCYNq?#$)_^&|O%q~ zo^7C_C8mT}56zmeHivraNMbXo9)B6|{kKha1Ojc;@VjDo8IqLKG7_lo#UC99R3%p;Zv6nMhur$rgB@q+2nBZ%5`b>P^IexuID86-T_Qi^$s z7sjUvs4TNMney7_%^C-84xlF*-zhz#*pXHyBLx7iy3sn;|L{+0a*nypJcUX|5yCqUkP4M^4=A)!$CzL!=z9D-aN3MoKNDX{ZviB$uIP_uj69f>+IQX z)mH!}_Z_i3D*B6@4~>V2#FglP_B7-h0|Nw z@nJSsMq{@}+u_FJ#ji&O*g9?1X3%PMa2b`>rP4FzIkTyGHp;=SkSkonx^rU~S`ySzPC^&S4s5_}xP>9|~+vz&X58UgBF2X?%BoQBDH z^z^ik3adbFVZQ(5Uvxi)mo{fQuXgxewwjuaY!23Z>$d&g^Q=4U{D0TKr?t`Vo(x;2 zO_6^ElLGwS2ed7A`VnNZ`g#oyL>RQMvRl+Q82ZMtUFrD`*Dezk9B#+qIj%hSj$Zsz zecURb4RV2x1}{EN>VBgu{+(7p9S$;r_lIYeUii}~FNg+0Z`NBd?C-K6ZMaqnq0 z&#@ngqJFlzrLAuPu-LZojka1C=r)@-P1opOFn+Y_X`Z66x@CQCVbS{>Rzxt(;$34H zHSrlw<_H1&7HP*=Ejx)jWVfPKxx3y z$O)8l9kZ*LW1DE)w1zLyY)Ksm!l#+2pT(x=O};=viDeEiI8z;_pM5J5kCXoPg=qDi zC!BC`)*W$;9*TFu{Hbi#9T;3gTz6+w6F8BYeO~X;L5yvZfvWzarN5urG;x_MzZj#1 zNJsOVYmw|S8Lvp*Uzez7(R-L!7NtJb$}@9w)&w6f%}Tl`z3_Y}y|&@UqR_Bcvwq1Z z@pQGemRcnj%V}9g)2^MXa8<8><^tnrO4MjwyF}eul%>vTFgmR({YLcYtKR}esuVjR z@g--G`Eao8vVQjdaK(PTxEc8^@j%{z&(6dIhSpduZ3znfK%3zzr@X(1Z`4O2R17&| 
zQR|$?E7h5So1ybF8^0+ya!X<6YsHN|S0rq&nv; z8g27jBmZR3Sc+((ZkDTz)5zJ9ph62}9ElrdL~n`*I5DAJi<1+n#ft}-nsstFAH>9F z8GG5$%vf0Kt&g_jFjTe(t1iMg1Q*HDC57*z#hV*X52i&TVkvF<^rS)^9B@-~TsY{Xx5Z7i867naB; zmnT~%vQGi5!)cC0{IOUeMJ|96i~ET^^8J^VTZy90qbeQOFew$hdjRdloJS3X&F6RU zfprA=n^%yuEhq!TXs`sj^~ct4;GR#U0Q7w>I$i)dU(m7LE5LenZF;YO#B>x^iz;$m z#dn|5<_JrZsV0fbUc^*?8ki0tQ%h(pnJEY2i(I)o2Ip=~^uf~2miVQ(kMQ#%xzlAV)Rl?8nN~pX zjLd#HlnK|-sRzMk>; zz8!_+;%ut#P?r*#l%Q2$K_$7gPw48o|76g7v}@7ppNr>sTcCu%iooUMR}R5J~&K7n3`_l+RXFVB($7vJrUVjcZT=%ILZNH*gu3 z52WC~i;7Gldsn#dr#v0g1d05kj6k=<2XL%{bRGXPC@*q zA3V}n?;O5>4Zt%*2lk}0=}qjv%1G}M-JYpfHs2nCAUf7bE^&V_WqprMV&4aD4}N7 zq1W#s*MZf5?<%*1V9l#%c1}e=*CE$$qZ$*L+&)rW+ahv-7kK*S-TE z6nyIGZeOB~PpH3H$?7WSJ=id(@U{~mNbFxCI0F$!`{_2*!;jmu z-lpe?tMk57DL`NII=DN7h;`Z}fSK>lj?S|QZ~}0%b!tYM#^-f}xjMb&a!EM58J>HM z|N7U#T<@h#PyGj<<5ro4kINC>l&8Dc86SZ+-1}v82TL00-~T@q|4P2>eDKd7e+BtQ z`xgMii~z#l-^Q0g|BMsG#Fm99fFE>#KCV4b_Iuv_u#Br?!*c&u$F~IX0kUXDgVOoy z741llCd#uZ!&3rtFOb0nk@ly>N6yQ)m64qxC4TRp=8tpQTFm{#O^Jw3s!^k}z{o5t zR2oeuxzi74?e5H|`Rk+g9p|s5$Wb{m%TcwEvgvB580Kg_$<~Y@L^N@O>|ofwE@d%O z)5>2Amilvya(ap}{1%+LZ_NQwu2GZb)TYEt#r5Lf;Cra~tdAtKSB(pis5;TTwBuR! zvS*V&vL%ZP>EST7rKn6u1^d{~n<=^AH<$h@OPF9rtrss;ide=_M4=5K>ZppJG_oa$ z)+_O){b=MC6@B9*9Vq=a^35|l=3Yz_4-J7?(&}rZeeb8Aa!CDUQI{aH^voV@z}fxv zx3ZigxZ%t)yf!-ZnR$+b(2k(ce8Nsu+vQE1CrJ5=+sI5G1%xV$B*FO^v7DXK*nUA10%a__oQX{o(Md zQDdP+W+FanGunNQIz4%*C0XOL`Bu50TL;tO?x$ntYWUG{Sw5v3m18 z#2SL0a%!S<-s1-ArPv*Us{Ao3*XVMv{GWQTX51h7jIkXF7&z<;bIVwdH+-NlDI$WE zoNCZpBM|!YY#BtmqWoY0Y~nO()v_J95}X||d7~$KiZEt2k1auRNakgo9K9+~ZEe_3 z|4|~VK#^z;E3^K{*f`=<`PT+<=Wl!IpFxj`!absI?1-7Tzi3x!-g2~;2uax|-B^}! 
zZW`e*OH%X5r8RGg;fR_Iy~DV+6)&e_l0AW5N23%5>(F$y^by+v_f zx^(GwT8zoY*awuvek|iAQ+qUS$*Rf zt6?$7jMz3DD)17?4~x`{KBz?yi;(lU@YSj*S9+2hQ3dQh*^;hPWr&)5JD$>(t01A2 zi7Qa7!%jfUb!Fufgez9YOPRn#Xo$>QJ(p?a?nuUHO#&w6SFae8B+h6 zq{^`0G{r*P|5lq%SE_F6%vXX$-MbCB*S?uV(-Ej@uhunP&WDzuL{E|~kKquQLac*c zNuci5=_w6CjPS2Lu;1K@G;PqS0R?q)T6Bl{m91@6?zfbaqO92)#z~>p;8{UVH-pQg zj~3msX!|b7AsjpkgwBYl#^vh88JTKf61tIdaZ+X)=@FbJU52`I`l>gEhBQ=$F?9|m zdPcAKGdHt=%yBtWfXl*nr^_n-ZQ>slDyuwu zvpXF+hqb#FkS}!>GjFfY)BUbzX6ii`wIL^HC%hDZy+KlYRSAl|yGyXJtH|sI%l9h| zhTpq&D{3pT$GqMnm|It`n{la~uNNCv*OAT|G$gd3vPJ&h6IP=M0swuB0w&k-t(AXf z>)yfoqz<;;(?e2H!!-N**W%iafhWV`t+mB`tH-dF|EO35>gL0E6v{%PLWaGOy~qA3 ztghg+HPO$uvU!9&%iwA33Yp)i$s1euwoLCD@VXbp08n{6MmTDNmiK<$(u$}+w#N2# z0idlCWac$)coI%cUd3-b?EI(h+`cU=H6;YOZ`$5xDRrMN<2zVkw4OY@N3&QytvgTH z_}!a>S9yFPHK41un;8H-a8awa;m{S29`LG_x7Biy0zjUP0DV0@a`3$27TP#|?9Z#| zW7{I?LtOtb&(OQ*XV|haxR}fDvVFnP^A?~IVUy&Z>wEU2L(3uOZlM&=wH66Y(6RwX zLC@jQ(zGzR&7Tf>kG$xrSt8QKwMqU|=DBR-Uuk^Ipf&)X<~Q z>2|b%?l7E})A?df1A|b^V|zGc#4at}Z94Oe!Wi$;`R-l!8ND@0;9}w4yT5UO zCfytV<#7jEx@xNv@XLb0-(c?m)8OqeS#M|41^lX+t*zL7$L(1=wD&XY`N^T%`r)3y6c5Q(}!&{Q9PYHls*Sv(3;BAQe|M{+c zroSRFzXss?{|&%}`K{l-W|D8b4gen!dD+IlZI5}UHlGsGpGzOm=!pi8{vu*(K_SP+ zZwk#{#_K0la`lmTA>63?KTHXCPzdo<$2<+za2K(gj^Ng;%TSc!=k=M@(VE~^)I&xi z!@Qad2%St^p|};ADfs=eJ$mT3E>Qd5)cRjx5M`=aP>upg*ay8};j9n-y2;G1B@Mep zslsxk9k{d`YA{C>M_p(}{itUZLiA>iuVPM5zLZfc#?-M-DPnmgDvQ%Zk8!PtP$j$H zaBctTFeeOYtZdJe5i|coOpva8xp{#V*`;!ia_;Dw^XNx$T>{zOJ=hj8W()j~@AiS< zj~H3$dznucHaM#E$8%x)*_g=@#&u=mfbDqSqKt(06m>Jr7g;rHlS4tf6)C-| z3@hr?P*IxG=lxJFTNmgfp;8eE98C!p*!~ZB;1EVYfvuakS}6fFcrfLA20k-dPpV$I zSD@;Nw{+(rxnbA@(VNGP)cyfIH;U&@?7L!4IVTkojLE@NJ{^^4>9hyda+nk6RvER+ z&divoXgSfJqF2nRngVg@7d~?Jy^hL^Rv{T$OC}wt@Z2jlghYv`2Ezc?DRX%9g6f>W zF^t?mHKrRcwJ^a$mm%5*LnAtmV$bM;T#8geZgnGY{A*zkBEe6iSF&Q zMoiMfhK>pYPZ|P)9x$C5x$W<|)t~n4yIPvuB1my>0uq1Nj}_E{TLar&v6- zPcs>J(uGrZv}D9 zemosYwH&Dk(>(ramRG}?uuB|5lxrGYKp+u2I3B|{PTD}xkQJ_ZszHy2F^VQsJq9yw zzgpfOxK`z=9FO`Y`@|JgS{3#PKbRmxr%)JGgbQ#a!N@Mf8fJzqR+1R$4x6N!OQWT= 
zp{7!NU{V#$iv^45cNDBXg*DN#e-I=cQd%cc5{^uce9tc~7<5!se)J=xz~}mzf>FaC zK%~jiPI~YrQqH;Fh2<pue* z5fx4lW8&)xFz5s4Gc5C!@s20`-5oG1(p861+(>Pio4fP=G6@e)K$AUkqv2yWO=sU) zHpaeNK*Mh97`K&H> z&eP?eiR_n?JikYadEJ+aIAl}(yq<@cFrS5ua(}kR6Ze}QZtsUlXa1h2(I$E?H!oYc zg4-!?cn)pHd2YPCwuPlZ8w%u9?om!S4@ZyoHD9lYGY5I!y7mdPFx7!Q;7hJ>55Vr@ zWIrWM^Zw$4qOg|J!u|d8M7@I$+aZhNDFR;Jx5#ai|DmnIXV@pcvlrCurge^;gQx*^ zy=8s9v5Iov+SC9q&~c%>mp+-gbB*#4Lg!+A@;=Uh|1_?XmG`k=-N)rU|Kqr-3Uq%> z@%Xchz*p;`+swgAJx$u7uStE!`^Njm^St;RS3}ol`p;&2-cP(fkEpY-nY>P^bH|8+in57Xto?8L5up_|)<=+`so+?3MX z^IFi{=Bg6BL#F#H)=ltJ#tigaj8yM?`6WShQ(D zxDsxPQJqECg7gW?LJc*hnSxpfZ;47ZNU%_sp1Ku zF<;{TZqPk19N=7;OQcJxH$e(uBOy4bUK6xe|3b+q52R~T#=&V((qY_ZbE<1w)p3qa zCamDL|J)*N|IQZB=t_s`<+=8qd|{YAnMKCPDE>6xu}JL)7hCAX@7V41*GMe`^QDIU zqf^ydX%a|J)!S#s=&M~|RKmO&U zQs zV>MnYndA2LeN46$22}ctpD#ADE!y92Zw>{T5tpuL*Y65ZnIvHgwXc`oEm4sx!)FX- zxw6QlQHPqf!KkFUdeQ2_$3^A9SmZ@)FyMUS;sT5ZV4#Y{I!HI%71P!0t;ImlyX@jlQpVj z4C<>v&CbjN6xH0nPALg%)_*8W2G}FvvLVs+IT1}HZ4|W zOq9gmVIzWcEcj!n;?_smN}6?KAx?=kWZJA@9A^nhi8{T>62t1<@-1hn%TUcOS_5oJ z(!UbdkqGw0QXeXWTc}weLtF0fZ55ftBsv=Q9*txFVRuRL?*=Pbu}V&~1VB*dl1H1Y zt1A@<1;zXhQXVfOl~w)QELXa0UPbQQ4$(5;#lAR_iA%j=!C70$sMfZyQbf@IZv>{) zP6~%O(_~+tg_=#~w{Uf*Vf9ayCh2be>V5EOCspfc_l0TUlott4aD|~rX;r3t6Et00 z9P#mVChG~lDaIaIgK_v~=oP6d+9lJXlnfZ%NWIE;T>aUsObo{q*(BjeEgE%5FO$t_ zjuPP`1B9l2&~LZ48MRmOQECp~>{#zd!{pyG$!Ni_6w4x$j5rU!RjJ%xgVkw}b*1Ks zcpYF2zt_jhsuN<3X(e6{qiGc=_a7##E!z5O&OE`PE(Ai*TYK`=Gup0ystdqMm1;_b z#~Y)D$RpF;Jq0O`i8ubx6Bk!Kq39bd!?d80A_G!X1^7(o9a^ zRw|3dw#NCE02}@n2klb)PL$eGZ7H}Pk^72!&5#T|vpuU`R$yjHqS&b4N@v4}6$pixIbi1^l0433#A1$`M6w3#%n zMsh#%aC;_Xqb}8=O<5CL=7@7Gwdk4odU8}rgm-KU4pH{=Nz<+SG3tBYrD^swCT2o#2~JPxk-pvJ&tEYtAcV^hZFyUg4+tAJ!#q@=~^X zeE! 
zJAC>kcYW+CF01!kU$&a%q`VGG7ij4k5)wfZ6{1<$ztJ|kwv6-J6+xuNhnZRU=I=$a3 znCB)Z0-dWZn^h8)Z|J)n)=3w+&beAvi)OoPZ@qClI|s-YIn5LH4p*wZH`7U_0fmrI*`#`t?K(9Ij#et2Osm;sqgfPx^S8in zuw?zgXojaK!mw|_IBRglaUz*j*K&(2pntt*w$pu`hz;_&76W_*n8AL6 zhCVcz5)aXJy1w^MeXE1FIv?^;6+v9H{bn z{uY<0ASvzq&cdfP@g#7k{H73>$kR>JFr+SzgDeLftcdIwEbWjiE=?~011(gf2Rop< z{5x{1-eA$W=yz>ovkiKmVqH^=X!4-0z(v07kmH@W6y`cu{Ar*n)HG5-BuX?l8hgX$ z2j@tZ33{cseedoZ*#w!A?oZV&V=d7pPTiMn>o7&wz>6lS{1aG|c|>iTwR$eCKxgn8 zivZc3)<3!Pe=2?yvual)LNq=Fn~sU;tB&`Q(b#DjWteJ0L=&Vcq(p{jt5hLlY$GBv z=P6i3SnncRQY72{EV%CoTqSDKzkEOolcv>*{59a@RS|0cJpu#uaZ7S0?l*DukffQV zW=e0hkv2TRZ95^JHlBlXhjvO8MMb~-t8Pc|_% zRm)!0nX))SnAE3W><6eNRf!ov6~%dU8bBI-aLACDfkLUjCIfzDQKYA3)rM8GA#i_XOPRZlO7IVNwChK z&<;o!8%a%+i1_V&X@T3W0vnxKT71To1>R+>iz*kN(|>Mh%S8s87AjKtub77{3B8-r z>?we~7@@gTp}1_DJh1t+F;45syy2wudu?f4K`y)rd&aCsbV6DtW>)m5)0~aAEBD2{ zaw-({TXGdSd2bboDNzL%@2Xv9NH(n4KA8$0u3w?zL4i*X&-s}AV0{ysY@F(DHHEY( zGJZ@ze;uP6Ds|}~e}Tf9JOwr@OOkrcFAF|ao7HN0>>AUkrGDm#JJWr4Jh7fFyM!YB z_>wF$@VQYTE(Has;&iu8p^7CM$oPmxr6$`|6;}e{$XMk= zYRtkB?Qbe&Ns!!#<^uP5RyMSwd5Pvt^AZ>S8^Y>N_tKqUtUpc5t0Z+K#tTv?63 ztLfJ}?KaX=5$c|{IFEVu%b%t4vPbGHLm+-cp;Ii2oohN! 
zHnhr;*XvX4J>zLniH+fh56Bzr;p(4%GfG2$|E`k6hG8ocXsp4cp=O5$*VO{MeBY3| zTu;#(ZW>03U2i-s*;;>B&SKvz4N&^J)X(>VqmT)AtD(g&g1QwaN7W<_V z=xB-JOW8iPNI+ydf#WZ?DVL_XcJ1&$IOd8<=7wgBTP`)4j^L&7E-+igE>(lbG2|HrFjWz)`?jWamyVPOY^YC|Upg+9v-0#jv(_C@$ zFL0N8O!`KM-O6Dy%byUPu1bL3@r_qXbw0_Snz*V6I~P6E^v`_jPnZROGkfmS9X1pf z0E?a;7T>VP4-(TfHu;W^z%r!vf0ZmVK2>)UxVx_pGK9K*@7`^Beh8i?ZD!M)=gUc} znSJXjdjs%!o_<;9q;1vyqfj( z_jen}ljNq@7ltkO&pz5P>kA~R<7QuZueThY%-KAFlN`AhATO|K6lv0~7G!kck@nLd zbG6eL-D59fOk*|~eUEhZ+Fv$B8`#yx-@NRwG3RQN@G{B44>ij&mK~s*D(knukBt3&=2VA0mMQR=K2aeT>s&bdd#eT@BE&?7m=9H|1n*|`?$R=rOV*`NC_{v5BLeM z@a#Y8chRWjz`=rS(E4v<7kGyL4hnk%?Oq9tE8ON~JnZ(yzgm2hZP%&_M3u3umcg==OOL}S{f@IwVSEgUECow82LL6E0pC~f} zx}NRuVCI%Xcs&O_3nqG;jFH1(RR`R{g~e@i;>c5B=6)eqo{NsuXmxO|l`_mf_um%z zg-EIi()vnq)SjZ{`SgDQe(2&g+_^5WQxaR0(UOH6I7*^O?lt_fsuI(-ThD>A6N8F$ z^p!{Q3ZzvD$B*SGGR@yzhGX&MGX5<^!yem&GmR#SjFhD$))ss0rDg8@>84q#<8+V7o1go&DS8d#sM6_?VR9}7SHN;LR*m7NG;*fPG>!bp!nRN%w zeluJQ9~1pC?h2D*lZ@uK7+calDa-BFl~y_EIvfGTC_AngtCnIsDOA#|&hGWq+j*{= zgIOh}vW^l^i=z`BqI{Pf)Ne3QC2C}?u*zOTyMr3#ETVQ^%W@t%lPOPtZ?azW3}yQXt{}CZfo^ABww2tuwj)oi{a7 zgy<>^7Ui7FE|yU$Wf5W^ulK?@$b}-NRt0}ggpc{q-i%VSqPr-35gC)ND3xs)mT*Y6 z9Ncf0=2%GxoPsJs{GdU{j48sN5iK!pQN9TBMU3}5i)^V4#cS+!(wd?QJdCs=EIoZ1 zYrr(OW{y3pjcXOS5$dng#pADd0-Dm)Y7p#lpH!VaA4y`~;00*x7_+Yu*u?suEQ9|i z%Slp%U(xP}Bj5YoClaL1`+cCnBVsE`l`2>(pTvLStla$$v0@Y@F~a7gBUH7?$%k<- z=B|^k%8-vhgd~B+NjH~oSL(qh6$>eqMW3hRgw+`?#=qbG-K02Myk5IxlT6u!r6jxk z&-Kq@HyNLN?2tGCPGfB4P)4I+=@!DG=p&L+%)dZ{F@1JacnGCxan&u`$KbgOv%BEs zJ+qM@fZ;d`uFC>grAc7cJC+P?>hQb?jJhB92QT|`l zN2{AS8Av%;ZZf}wDD-#i#nYoS z`}Iy?(VUJ}FK*V%D3l&h@Ro`?L*w^;tFA_=b|igN1thb+^?mt_H~~CI0n}jwgMc9( zFl3nMuU8MFQFFE0X{lq8Ji%qnd!_(T{LsDCHm?blJ9*N#;rqJ{9f9Vema! 
zE3#k2@lJA#^zsEs9QTbU)CZN{S=?QPORAit?npSSi^LTB`V%Z95$Ukqx;86QT&bu^ zcsIIu60+so`JGE+^=!$=cae12HS!6Jym4k)_gV(6Di=`rsQE9t6bgg!vct=4OfyKU z8KJdxWTk23=V_l(-T!6{&;~b`JTUub#WS^{faH+70!|)`^TB#)3Eq8u)aXWy4|uj6zoa4AXbB zl-q1-b$EXbAhK_DUq99B*JlG%9yrHN09`h)up)yBHFgj6JNgWpm1uXbbM7>%HM>7v z{ckTC2wTs3?Nj}3g4V8hZo;_kYn$`;V*RcC{YxRQbWe7|+?TuCXV0XFSi3$fT`u=x z)3W|CvNHO6Jgy=vW!h&saQ}(krcjwahuHy8%PE*n^lamVBY4Dm_QCUWyd#X*Aqjvf~Esyz^R}8UCm4Ud|TXyhqD!aeiK^+ zf42xr;e}vbY&YHi9o^(&h@aQXE^!~lZxPu5d_Y^ie!%D}=3L&J3%;7Jy=upro5Z(A zzmF=hC4uM+0guEnhw}?iWfKu-XA(hmi}xb#(>b{Hx!O_C|G1pyV8#!*+pKNvxYy!M z`zz@D)UWCYVR$To zraR`mILzn@6p6zdpu@0B%bf4YfJIQ_MEU<5HQW&AN?fEP7t+BN&T~ws)}>(CvLHmg?HY z?D3V;KCdQ`_ql&6wIaSNj@O^-SBc2O&@+QJ9rKx5Lcb?zmor$NMc|hr~HG&_CTJ^{l?>HYYFHoQ#q&sx2ptXdz z658o%mIk~Dy%wiW-yVv}+BA)B-=@%_ z?JCw;oU5k@wSH>~Zp4IgjS0>>r8abce?a5yTLqEIZ#9p7g{??^YH93b_a@thUziQD zHWg^(d!kO$&gS2%;~+3!(nW^{6C7h!5fhCG+L=g*jUrOgccLrcy=~@uv2}|F>Sab& z>JlF7OjOIy9Jntzf7G2h)iHXks}arqHH!{cl_`h>?;)OH+=gBW(?wR#rEb@e)(n?a zWGOc2LB`>PvHd(;tEtnEW>MzFgmPF~Ma#tX_()LM&kTliv{q*@_ zF=@HBUUM1~(#mI9U%7dwsWTZ>>`^Og0yG}G$A+}f&08gzX@31at}p}l%ZO9I+jLFB=GuSw-AaSJs%BLp^1-+# z^WJrk;a9vWehk8ivHi4cSPGIXS-$GmdHY7==RTdKE5%4r;7{@z`O$T&w5j^c*>idB>yaWMs{?l}v zcWz)5tXY{;Ph%V{`FlvD_C3Vrlrk!;2SG*H8l(o4^--+a5E2Bs@Q>E2 zp{gOmlU%*UU?zba&1l;vGEAy}5o2pz3b-94k*QOCB!PLcPQy)<7*x6p=&;RT>MwTn z=ZDJwPW~tdY@e%Oh9%IlHQpE?#SBQw&T;HV8l+`9cwR09jR6Y6-x}`#tcy~gWC+&l`DG|mAnV=}iX+hPldsDc_P6rA@nIYl zNgH|*eXT>?lR*CA3Nc{8*a3#Y2y~7Y(um0%ar-4d@UI}-N7V<0;rUXZX-?!a~D3!9?CZk{^D=b+> z7~Y(~i+?glfl)eezY?dwybK6lyyk-On^Dct+)NVs*Zt!H?C6m_VM^4o9nA-$;^mtk z0%3Q_gsOf*LuiumjP4LJpK|C~CdjfB@~*+cbUIU#CF+!~z(j7q)*xi1meIXKK{Uz5 z6Z47#jQHkKdNZAdt!@!N#;2$Lx5)XH5dVB1I}th_f8WCTLG+XxR!T9P`VSCJVGk~O zJyrJ!1L6aTbU}S4rZu~<{@IazKQ%lR8p`F@6$HHh1YLT?zEzsgDfR!2&1#*id9yTp z$Zhut>I`|Cd>=^9+~~0UfWP4ScdIMVXoto)A>>=T+lO#&+2wau4Fs6(bQmV(_#HL& z9kFk9GPtZf)jq?$p3{wG2~l_X-U1`ppxm~WuGUx@6i!BE0c}Cg*>`B{>h`4}P451; z`y7va-`cR(nEB42@19i+`Zs|bHd((`gWiqD$1DMv{?~af8lA6Fns(Qpkmq|(mKyE8 
zGb6E`FGh~(7?@aoDuNaR61Mg|^xfA*ni^dWdy_6c$Tfy{rH(FJE}MQ2GDpb*d+^>< zBBchd7pFRPRv6bA=cZToT^ovq#$20Byoclmt&Y4aQitbVjBS1Jx>fgXCk%&wdTeut z0FMICIR{&Q&e8Afkxv4iONO3Yg!~@0yO>N@Ui0}=cE46(AU=;@kGj8KdR)+5xyG&? z1dgWzKZmxDlOA4w5jL;OXLRh@PL*I9y4;?5yx)X#x#JUkoEoT@IJkeVof-TZ$W7td zdoca<#jsb`Y<-@(oXFuVa67rrGSj!yV+~tY|i9J0@ zb(MDeJgaW`o{U~)J&3XT^+exI`LQ@nB>U97_B$V}y`Qp;i8|)IGq;?MznDU~Lo?Z@+-z7X4K%cY-Pl<{;_tQ**|J8RVK7&Zv&H$hKH&f3j1wYi@ zR4J*u`#;IrWgms^NN2J&@N*{s(;$J*Il1t;F$`*4{jVML@z)M|j#*d9eLA0m`rxld z7d9?Zp2~OGh;t;|zj{e9*(ZhH#ba&5J59LZ(nPu8hn(Q%ah6E%2(+HO$m|x*n-?2J zMC8PXneB6Ate~=szze+Lkogc(%eQ$$mN=3YRX!vII0|0BwbE(A_2TuYhxKJkBO%#2-Kzf!Pnp5=Ck}ojFPcuB%Ixfc zyEp>_kyy43_YXEWSG7pCa{x3Iv9^5?F%8R!$2RtaPu6#zi(fy>r0MOxaLhN~QZ>k| z`Tf3CK-cA7y%S-U5lg4^Zja{CxFqj1j<5uZT)}M*ciK3QS+6j*18+5W9>@SxSVQfjh+5*<(2I@1W>lmWJhouRmaI9b zRI9>q0v7ni*piWchh89x?9UI;ZRNRw{Tu;zhQmSi0b z5p5ryo+EMtw_YUT9-v=s7RU#ORMF%TuRL$YlV`J3nY$6m$fIZZJ$u|pG#YWXl5x|QR8)s~cfU88jqv?vPPn1E1P<;<)h?3oNm!g{W z;zAtB(w`)USST5-;FAo7S~2dEvF9B>gexfhJunMu0pZ~%3)zFXDqiA2Q6cola%)3F z@1=hm-+I7vgC%U5&=rS?lPAvf1!CR>d}>i<%KGwj&&tJSYBj zYc@N!@6CI#n~@p`O#U&ZBd}uH5hE{GxnZC+sON0N^W z`1(ce9h3fVfD(Rh!2}W``n;9cv{jiN>o#ZIM8=#+S6r@;E`=apzNBNCWbTVbX1?Fg z9ed<#(W!0qJIB%3o^G(I)iQ;$#7<6}8$K;fcFJf55p&{y%EuN`pqwAihvnh>6%)DO zq0kb;T%p6u)0-mcAFA)9BB<9wkGb=yGXQ4PzB+5MPt9DA%d!jABxP9dSY)rf`-XcY z#$^^hwm`Dh%X8|KG~qq*mim_B`K!WH9S0GCpKWD-fG*Oa=l%217SH9p%M|eD=qUGA z;WdxUA9x5o;bM8ke|x2I<+}ES%9T+& zDFk8R@7&+8RC48MF$tW0O6l}oFyDkTXnh?X$8pTMJcVB2|5#f5< zi>d7JbUb+|B{F>M82Uk+1 zz5LnGJ|OmdL3+|{jVs=)&iK=F7Cm;@$;y9FKYq3}@ld0)u(~94J!pHFvZZwgw0*4c zzU_H>5;D3F`}DlpJFEQav+%vETiP$xn(p2f-PK3c9V3Z`0GICWjz@#*&)(>m)|4)? 
zmA2y;It6`@{(kVqz+7!%G}+<1)fkEA*bQCIb(lHeCR5Y#V`j>+sbOS~QP4F#m+(p4 z;&N?BzhmM7ckH9Xb4_Rdk&izJV4CfcpQ*C6?t1nDXul7-gTbrr8hkmE(Y*AzLZa#{ z$?+Mv>1OH%oFPk10MT<>);It788Y#6=^T`fl{^XU2k5WynN4l_9zhxyyd7!}r~~+} zYQiiG`Cebp?wiY08@k42Kw8DOl;S3ozes|v@yc7hT0vGXX1ubXVv8q{i@Ps-%i(4F)&*l}6 zK}3fjz|$+y``*`woHpnsq+e)H$jDzVrrY@w4Z(qprk$7f%kiB%^TiQ97c%Vm*fR0* z-nvid<)oqCc+Ksfy#OtW+hdzE#4QAmgyW_5j)N%;q!?1)%LtU}4eTH~-?IR>JBY9ja$uJL+aF`kaFr#llJf;BiOeuExtmmC zkI6U$QyFv57FGOiVEA@k_|yJ3e6oQ|w2d^+#-Go&OmArb>t2^3+NOW^~5uC~ocQaT4YX{ z(l|1v7&t#Fh{r^=edVC#YWp}6(a@M8%+%ofJNilU*)qvr0wgQY_$lQAQ*v`>{D zjMn?UV-=b6_oenWj+O|EOH*p2+03JA(C*w7R%lhplXli5r)980vs?E6k7h~rJ}UFay^+~NEpUBP95kd%20?aKhObjpn* zPQx(@)v11jS8vRfzQ&MJW0yh5H5w62z|nw(*9 zq|?`xdeuut(0Budos^fOy(_Vz8tTkYH(CPsbmQOiG!idF$Wiwfh1stX@gaefml;Z4 z0p-M)_lf85M-RnYHTbzC+E;^;;7+c=AX`gz6EjPlJi(kPGSoJ>;{634v~0g1V}78X1GPYTs?#-JXW zXv82HutpXF{2;xC$9PbGkagnc*O+@B`(8?7rbLAW=zYyCUO`bXmp~oP^j<(;5oKCx zph`5$M#AQ{Q!^R*DQd?1W9b=_m6p|)Y=%CPbE&T)Fe7QDWZ@|RQlS`ZL2ifBFqV%+ zjTYNe`Rd+C-R+EBk!(O=d0#KhVexx0t4a7j6F)-Ra5+dUNi+qkyJOh!i}`*r4lb;a z5Ub_kN^x`MkG(&2N!6JaQmWJ%^he2cROa%U+xhPBfq&31d3-}Ek5&kO^F}B>|H-4_ zc++T+JM$_u@tECEkWpwH`oaLCWn5xUu*k*81SScS3lUuF^DuHDknH3OPs zpvM3Dhdy6_r$7siBogQ$qa9cD;=~mpichp(rUITHSVmycBSSXxN9H0J{#P{A=18Fq z-Q4d^$^kUCx1I^^si?d0|1NUA^souf&aYGBPu<;d&#fT41noOKLkJKFEUG*z^9{}- z=sVy@==f{gOV@@dMv-0C;vWalrV()l9NCD*k5_OpZ%x!Dm! zy_d5IKzGoJ-?>L7M!wtoDkT%(N^|P+W{Bg`+pmYUHgs#%d2X$y(;3f%!eisxb`I5~ z-}o0iS)lggfNyDCx5M~j>!kcpV#>kwvu#Z1qf_9~|Daw!m%T$EDwqGW(RVodtYehm z&Fj6CPp9q~d^=+4=psvkYyI}m-rqqHDZ56VMu24nETX35RJ4ww``NZXl@qQC9j4rGXn zW){+*X_mc%OUlFwiKwSF?Pj&3*G6# zWpMR$!l&@Mn4)XYe(L_#)ddccJS%o28sXb=6p;%M1(+I;;85@5c1f!g4_@YH(nP~E#)`$uDWK4JiJYp zUe6D&hkr?KL06NG5{w{Q?u*=cc%i+sze{bpCIE;&{rm(>H@_1f3sF-pJFpe ziz#2h7qUUwQw={-73+PrSH)XEEQmcZAt8){He2s&yd5dN%{9QyC0`e%vdV8h^U0%n zR3;wgp{|hNA->Sx1vNc| z9atqoZl3V7;r!pHIlYUkT8yK`?Lh_awi_0pkqzTneJSTXy2l;=>sk2m( z?AjZNmjJsc5US07j6qw$ojy48G^HbsROGo+tKHprkL}`i8RjXWCMTO`A3`KeN6a>L?_;QGzpZ*? 
zn_Z1=qi%_g@~b57ue3Z(*&f1`Xv(U=ogl&G*QHC4q1d^}t&OVK+(7t`N`f#@qKF=w1x3CrkBZ&f9bT4#f+T3Mox?O7McIxNI2m5SBS5sL z-ORoCqJh@PT?Y|9;*Z1>YL*_2OA<9Bj#6zKQ9%l+Wx^8Os7xf`J4Am!zZ=|SjzBo` zlTOw-nHW-c6jo_)!aw4Cz&&HI5&97ITifUw6wPwebk(kQE9Z|UX{7}_Wk)Qr=|IVP z;`li(TBUy^Ct%t>+j|QdT&W~{HDyS2p2U_jPQZlwOr(6?(@KuIL?UQuEIZ~^@wB>; zl2UQRS+a|yilN^FsbYiQ_kCFwu$YG`)fy`*8cU}V0!JHD#$P06T%<|#HC@W>)Ow@W zvE|WEV)%2eqpej5QQKljEPH!|xtvcEq~KXn87(G0lr+HGTE-`6-CzQVgSJrmf1wI7LG;W>JiK z!Io{bL`w&lsoG7O@LMSP;VBdPoR=>85-yCpG&t8}^qHD?F>reuq64)^85%O^ppZIt zQoyAgt#B$GoMhyUUbWVc2i3KbeWN60)Jufu&(aiW%(xKbgLkyl+y2zJ4lLtQI5(?h zC4sBuh3RElq1&d%(>5VaXu`O!g^|cC;neK!HHO8WfeP`u~?iYF_x*aO6ZhTOgxYQ-TldK%e7} zF=Y9v8{{>wyCEh|vz>HZ1MeQ?+S=pwExniF14G#?U*)|;^l5%-ysUTN1Z8TnBV+cn z)&Y=-e))dskaB4DzPAl%&t`k``eBazMY0)ss@%GtU)@?mqR00h#c*81a#Kb4LNG78 z2UyqekFBZ#e1;-X{Ed2OWA`

V0wrlg1t0n|U!mVkN$Y*gCSw+`Bm;qF;MIo*Pc9 zyawI*J}&u>4_&abd_GlS*8L;`0k?r$hW>+ZXSpBivcxaUFInwlYeZGIryt8R$Fh75 z-qVRQ9!%j~!0V`sbh?)I_wc>L3H=aW|J zZ(dXb6$S4O4d*Ngt}mZzI?puUJT0sKeu@cgC}~}n3WQp^93L;^ISK*Ywm7MBZ=x9p zL9qn2ol4x!YnGq49|zqoz3rC;LIU0jJ_}NhUY|3inuebph3?DtQ_=pulL|{i7X&%u zRL*T9On}A#gA<}nzj1(>hgpr_*?$G3##%wTHk2U1kFS++EOtCAh(`S;bqQe9V^3;w zZX9^_(I?gha#28jGXq%z4&J4TXy*zxf+S=@Lq=3yP@2^~_b~0b$0GPi@w2gRv5{<^bROVR*GcB)xf#Iv7hO*B$q(9Ikd>GF>VF_gAc18 z#jXqV&m}6~V~-FkuMoc*&BNT=$tzNqCEd8V-B9yb4Kh|H{LY{-ULtd1hct3L3rlHc z8wDny+LF;Z$Q&}ZH#2;RW{)C)pM;W~vvKQ_k|eEh#?Ln02F-bRW*r;_=UCvb;(vaU zLI){hpzdO=$AD4o3P0mUg%)97V23M`NPL#FiNsfkFDqj#=>8E`nG8)(Gci9G@)#^a z1pz4>KTY5GGYEBUp8bGFM9XZ@jvq0jI4ThdsFKM*!QH4IB2}bt#HXFF^*#H&PTP9z zHhcwLKq}ufZBr+_9qvZ9{tjB#LP;9pu;#I*CF2oTGYm+_dOnnU< zYe{V^x{B=5^du0WO0J?VyR4Fwm+E=L)lHe&5@pB!G_sBA0{GnK1=I9VcFPuU4QqCl z&vl`9Rq;$y6~j!e^@N83I9g12_jZPJ;l!+uRY&DL{%%*~>7X zu2{$7k7st;f{d9XKR7ibxcsWCttbUTdRBnh24|$~kMVei%IUELwQ?=&#Hv0oMyBas z6a*;W^(%}Zc%XVj(!k`lL>ncO@M4`sVi08^D3g_^8mJT981N zJe??|-$cJErg7%}QtDr;J=8cDC%>j;2?~u!u}br1z(m%c*SdLAXoK0B(?3_(-hMo$y8wx4M048M z+#HF^>}cKGdpc8`js+=4fU*2=?0g`t?lb$0i32$@I$(O?9W|G0EhfoInyfDQWCGpJLuS4vv)fU%!MEbPfSm}d`!v~%tuMd@HCRuCBFUg|p(HA0-M z1|`yE+6hTv9Sp=(1RT5k#EM~jrB{o3@S+jKeF@fqa@0H+COS%n)M$Qn8WUK9yaY1Q z)CJqV$;fO-(m3JZoF($;)MnM9$fcvGlk%S0Vb6J`Xpg_IV93%h-b%#8jU%RnC&!IN z*tFP#B>ubH1Gqnr9*&6KP+}-RnIQ7iXGKz$yN|D3@%GDDHuzMoTR-4s%7Tjit$N$^ z)8!rOl*%gbU+DyC0IC&j8&W-7$Bf~J*@fb5Zud+sc_5`wi4YL5gB5FJM*633E)o=$ z=iH?4i5Wb900V z)W+|r#P?eN#@XD=OT>NDiM8~8#-fB#$V}#{V?HRvE$&+n?_F4h{2g3 z5rlz`&l5pQ+wc#6KXyO+C$8@26^|M}kHiK;UDwY*ZB3%vV>FK%??V)W=|SD@%(X+E z*B1mS+Ygh8HlOw8>(wRzSod|*+oF5e`m)|K|B;_Vi_OuLsb3}CHTl3~YbawVp_Ad}luQ|VF6S4MKOZNKx}<06s~_;U1K z-r}&B6>_cE=`+Qs2~y@mLg(551zR>-@-*s0Gv)euD0He3BR%&O70FgE6*(`ou0c{ze8m# zJ%E+nzzp3DSGQj)bcXuWVeXXt*r3wBLr+l|QU@TC@P-`+Y^A1zpc* zG<)t8+ssN2@xF+t1GSqgPa||kAjNwS$m`<;@eEMc{X~R5Wbt)GU38ZSqkWG8Ey?e? 
z8>@Yyd9ju%Ns-ZY?J~7#T7sNb2veVq<->!Y;W7&Jj(L@^tMDlfQl91fCw{FJb@EqO zJAQlAw1**G)}Kllbm0+U3jd-f9|xoSSUaEiu%vK!@~9MhqBM;B#UWMR zS9jh!0X6PR>{xuOZg;Dmu52(!EVR;!x?>?$_9mx(O_2XXX+r-Ltioyns!%{rF2}Ul zP+2=AwkKQ4=~6P6Mq1Mgl=d2Zt4sMND9gfEZ7x4>%2^)(&K1-ieUhzGc3ia(OD9Z% z)eEV~M52X;qn_RjpRdFAv-H-YN;4Ug%-mD&hl(h6!U+BmFgX3^;XTQ+rt*xf7PzauHPlN`zfxPDriF`f&bX&TpqOhkdOD9SzNdK4*<<_5oVa3}7HD!AvY z)0s)9)~TjdkZ_Vhy(0Oou@ssUUAnXxKJdo^Fxy@19w-hLNG7y_L-}o(ZJl@BksFL{ zbYJCxGP#V3jPUj}E+q^ftvcOF0WS2_tRF8$H8D{hDolwGrN@l@@EZKo2b+f(7V#(U z!A+S^nIdkZrahAI+S3ZH$dEfZ!b`mNoNk(CMX%p{G3}gp%@q1VK(hN;HFOkxxp}~p z%DBG?LuSpsD<&=E33Ng%9riL432iSncYuN`#Zdm&!^RvEsIP?0z?LNb7jlt!Z2Yxj zy|lF|YEf07VuI3Y|aG*JP#rjF+|A@@dEmR$(M1k><@+dS-tK>Swdmk&#B8ihy3|5 z6FoLjUSuFyRaqY_kPyMI*nhd}lxXyXw4@tT=U|N+%oy z!t$RDS@mPEn+zUd!W9WcGswt`?S(96ZDj$pUO=T_+&zbQdz5Y1DLk41nwK`wJZiOg z5gWVZfK`oGp-VgpLsIZb~Oe z7;!ARvRuMtImX`?{8P@swI)G+Fq7|=FpMRs;~ZoDkA0I_rAkz@(qG<>e7vIoLiGF+ zX6IslgSZB#z{|a29le_pYX!MRJo~icV&0L(e=&S;OTX~k*(=!0I32a*_+f#JMrr~r z-z*UYL(fB%NJkjw0y?!KNn@(m?_-pR@{?s)MCPmk%m|VK?D^=LMmOAGY%>w`Y0nbkkR2(gl1pFCW}ixISU@DgZFYW z*A9=dE1y!yQ*M;Iv-VxN!2c_i*OmwJ~#nM!$K?_so zUYSD`jJvPRvAAa~trgjF6X2j`zlJw`FA($K^Fv~qF(s%vPT4cx^^QF`a?1QG<0otd zgSgW>N0OmXI&spZASGxsvP36SSKsf$dNS%-mRYjKz41~BLt)LSu=FwO`tPZl|GU$K zYdfsSi7RixJ-?$>jOrXKWMLE%lKkiWx?Xs>9bYM=#-{U23Hkhu&MJXBNz*AeMfSxZ zFg=g*SB*p;611^8PpT`fpqB7I6H-n3<{nYXE7L_Nt5my?I;lkV~-BtPzw2P&3LdUvPMvTW{*{L<6?pV955kTEfgDC%H+XA}jdNMN2e% zuER-dl*Y;Pc5Mu)GmT3LX z@_&n*uT0!Eh#%}j3?#h+xDt{!JAB(R{Q2)L6^NfBbcO{w5Zc<@W%}{X0@A)7K$T$) zpqNo3{gX)Dg;Y<|abx&lnXUMk+YL^PF8vM!xAK1A4kdSr5=H}I|5nKEgnpd$SnhjX zbWT636@bv)iQoFX-?s#M9BA@C5}Zm2b$-5Og6<*BYZ(|3hbW)d4Un9?e?knkkNU@IQ4C2mRTT7#&hLJ?RTf6@)pk6;&mDFBU}*K= z*bW*KdVW|7%k3UiZ%`QSa(SbG4~30gQi@|~s36$^E=>>_c^#lmD}z1(GkTt|4<^jgOgfdm}3D@!(~ z6oY)F>s@OZ9v$uz?{p44OY3@Dq}1zw2i^D>KtK*ufG4m46Sx+i$~y2ashD+tk0Uk7 zg53FVvH=>eeR@qF(`$SyY;fN)bmRw+HQ7DQW=~b55;|PCq&hhK)fY5yU+NQZ4gn2q z`U&$X=to0X9EU3QvfUJS88AOPgF&;t>~ixi0DhY9DGsADhp5~Qt_h5NY$qZTFEL6o*= 
zc@J>u%J}muK5;v}ABBMyk)GzY7sZ^bxbZLbOQmlpDEJ>0>Q;L2UIVJ(6KM6V@pv`> z@U)7h&wG7k@KzuTgK6Lsk2Vux2{sZDKCb7ZC?ghG(`k@B;)18+uwJJ5o(>xR!8VYd zyOGxXHZE5`UjMIKFKc{cv=OgZR*CFdb(b7UHbD%Qc00OqpZ%MvJ?s^XN>5VWpw;h# zLOJz#xaF^nt{ZCjfz}vGV!zDVF6?;9Y#OZvI$QFW|JG1xEV^d8>@d_=W`?h3;leo> z^2o?si*bLb(5#}}iTbv$gqPqAnk~`&Auw-Ng@>o2#73AnVJ|&cKqlYMhFdbh&Mj%; z)^!VZJxau@Ss_iSdOq|{3=Y4aWlouTL!&M~gzr9y)i;kq)oWIScSRDIuUSR{N9A6j z_9Kmz9~RzD7waG^4^cuXXOv+JVFP*@LX~BQPI99Ts4Com=Ufrl#-N1lWVYX^Vx-Nu z?3#?^?66KhlOe<;RA%b9rbWhr9*-m^H0q?_mpwT{T1Fp;|X+W_ZLv6fV!Zl9Rm@pA-iuDb4 zTFI)SI7+VQTphhD8s2UKbI`adNvABNoeiZieDriUaJ6*<+e0l<)uvbJk)3+UO#t)T zYY|vz+J-UocXs?JJ`NHjuV0;4yQ&n9V_v++M$L=z@zHu*mhlFq`ZhrvGX&1ca*at~ z!_iXuP(P^GBgi5-*}`wy1f`G}eSImmS|&9cCRS^&>+y}Db&dq8BmhO&iQ``5%d%6788t8E(}A?!Q*SyQS}YVg_uuUv`PPfxHQ>jgqp`WEm|Q znQ)6zT5WEKKh!a!zlSvR!ZTe7Rwqi3Hta1$5|ZUMPMYJ4W(nQLeWA^mji<%V+RTbv z>d2l4cCaO9L?pk3{T}+=xOeke&|Z)=Uge*wtT~PYK7DYlWW75SM&C6^}z4$YVm742b)im%- zTiKhEH|n4+sa37If9WAW&({2{O>}A|vPnY)eDvby(&`603k}jY^W7Z*M3u~}-|c@1 z9thUtq$?7hRB=`9sYQqu=>~4Yjf#{kd$kI0!RTTOtR?0J^e#;5*r`$3EnJ5rOTXX} zR&A+LtJpTvL6hMK@}V~FmAuvYq?jChb-KlJ#I>63<)WxayXfh7smhr|K#7J@x4sM% zjiETZ)Zjm~t`{Pf{8{ZzW5Xdol$mLzyZ%8>f?=x}YgpUV1gM;dPtK2OcM&x5Vz5RQ zsi%!SHjw2U`;?1v#nAp0nd*>^7M0WZu<+M9L3aiV_>q`DbTl|&)7;0E*#OOMEBybJ zy~LoXp#Ji`e6q+rUDs=leLpWUE8aT+CTc<5ncWxvN8qkmI(Y%ii8lmzto*CXk2# zn?AB3taEP(S;#*%*ZC9m7GVe=MrNRMa495uw&^k?ZCTy9nV&d%P@DA@cA%Np(&^b# z>$tA)g-q}eT0f7tVp_gzY}xd-Nqiv^1Y&N!KLe*g-?sK%Bh#;3nu(%6z;3rN{Y;nPweFX*Vk)MV6Qt6Mu9cJA zQjqRVg;e3u^Q1;M8H#}IGuv+S^vX>q*OI>XP$bdE+{+G9bVKUOSyC#>7RtTjhG{uf z4*ydW0YF81t5xpQBcyNY^Ds8`Wr0gEB6`jL*Xn63f78Gv9tcw~IH*3r%zDngFx0v__Y|oGz6xOZ)eRaE zBz+v`=Wfn!7I#7g_}+bpF?wtYwG}?TG3kQ@j_OC#$KKDgkgAO~-D4YlP~IPI7)Hlc zmjqkrUG&NkHp>>-)N>lTf3lCzfY8#kxxfvRyN@X~VJd7m~(sYJtx2>3q z;)Agp^~KN8-bslTo8W+cpB1=xEgm-OB_0N89O1aobNq{B-^u8z+cKN93l>9#JmIrj zZnd5GsKjq?+3ibs&e=t2n4_E|Y#eCN>D(7H--JQFA6pf|rbWW_wm15%mCzg%Q!6j9 zk1poX5Al+UR5aB_Fy9kPRkQ^|G|KV!6cc6q5uLS42a~+=wxe%YRpkOq!zME3U^P0e 
zy^VJL=_E@f2jY5n^Zvk#w~xqLi;fBF*PL0|aUEb#W#Pa5-fN!sZ{FMY{-(A6t1%Nj zaFaa;^JiJ5Y_b)-%ZW&cxJsu+q(;A9={$M9`(RQ0C9_o>fiMG#wqm_WH#>=p8reO4 z%i3gYf@Bc2I_ehoABU;JC+muvq333pQ;X z`sM{Y)RlS2EcAUJ2GRM6Dm}Gk83a?*^W3FsCpZ*sKV7^r9Eg8IKH!~lSIOb8ot~BZ zvLxI35rVXb&l3OBvWo-J=Ix?y&elQpPAM6nJ)uZ6i-`)p9+!N{H(u_Be)eyvRfqb_ z4ojoSW=38=qf5VSB)M421ok4PE9#7nLzQx4WWEY=pYX9Kia4pnXCP!+$e%g5Z#TXo zs}KcQ$YgnT;Y)eKGo&Z_Z&pOh1qZbG&fQP^(6`eh1?I;3!f-X}efJVGN+XT`%M|`6 zL!Eas51Nck$e!J(WKJXvy_^KwC&ye=wH?>nJJ1WQOeaJjzHz;gjORPVeZGw9xMCgZJ+@qBMX0L}*|fLkq-jNP&9W z=8|hp*?{%3giDdc&?B~hfLJ$RaG|f{ly0!vIS0~!6S;_iM$jExrQnw?_37 zaqK??lfOi+2%@&lQ)^Y=6S&j=uf!-K;s$nSe6qd0TrrvX&H|7HAM!K1AU?&mVM7X` z0{=q`?~eEs`#~MiiyiPD_Hi`t^0@q>;F+8J)C#9_c>hvb&EUZI{spcAT(4WjdI+w+ zq$GL>`FFE9_ilxL=*G z6EsG&q*AlALkf%$( zmnf-N?{&}(m;U2o>7zL)>Qc}n2bc=Dz}Yd!>+Ieo2{ZIu`v9!i74B)Q9gW=Oth=7P zg!pl`8E3DB)_QjHJH_t2-2pzH9b?J2@b5p_+l~pm+NwE)tb*{C5jHz^(;OW;R{An8 z*FayOmD6vQgkG;xoC0UHmWKBY1oM^}LN1K=Gq0r^FNL~>t=oZ5n06nRz}x@B)j35+ z0&d&7la4yJ-5uLb#p&3#ZM$RJwr$(CZQHDyea;>Gj&WbsLp|51S!@1teKQM^Oaj;b z%T8iDudB=Zo#%6}GW{BkmHp_{$-@J&xZ39s`D(mp!$uQo^Y;GJei^@Jpd3R|W_N1a z{Jj+;Ut^vE#~>Jj1_e0IE~?cJ_q{aB+jgp=X1SeR@x1e{^NPB*!J zov`9+jAn;)y)Sl%&fZo8v>YyWc@Cy|fK16%3jsXgI**Hz3BFwCiw6^*xvWB&*rX>r z89cVb5Gt&-+mA%jE4+?4u^%pY*0VbM^JnmI3ay{n;IBJf>{oc{s@i>hW-EQx&Vp5V zU;8Kty7%op@I3qISOI$;!{*x#%5GnmR?V898OyY-Gp#N_n*)dJyAL4Em(S{#pm!Kh zxBeCwjtPtcI{r2e^Sbr(?cxzL2}Z9bQy`(E6ef?jYe5Qad+?Bc~2OHZB_LppjQ95s|75P zRLX^!T-Ah8V5*j}tU1wIff6DOJ2x>vdF35AQSK$Axe9{+RtL$pNefa@JYNW@(QsC+ ze0D{UyBD@G##TeUvd;`<0%fK8Y#7x(xTx&p;q8JIA#i#S(F zMG}n5s%e5e^-Vn{EShH?01*;8+zetD#-oEChKqKb-3=$Emi<_LOR}1Q7s?zK3I5$SvReY}xUifM$EzW7VVQhgZ z5hm+(riV2=6;^d>i5kgG%2$$BCXS?w-fV3WY{CBxM*dQ@;?V~O0J+Hfi=c_ z<{|72W+PNmIjNqptZ^YJ^b8?%x_%?*lRF-Q=z>yl9TT~Sosd8p9aQ!@2?;Z9*e*So0Z_)*Ielte%rCjfFW0wNQQqu;lO`&p;6O(*I zy$m@?WF>Ze3RWhwKibqimosE!zyJONNe}ONb5y;KP=JR}hnF%K>nS)1lZ`NB5hvo2 z&J6iEW^h=WoQq4QWDM%@FR_$Yo1)!-uz01Cb2^H9!#}Z?9nS>%c2t8<7?D@LS z0_6eikm;MYQuDSa0DPVJ{`;r(pXN;C*zYeEit$fg3yPZnoMCGC96{pi$MZi?hR`Wn 
z<7)g$B&)gyBgTkDC#gPD=Hfq?THQ|y8i zRpXB{mCI9)xpC^<8QA5)AjMDy$*mj*n?wr^8Tc)5ab)bx)r@`yq5Gk(JN4z!BlT|{b)g&GcKsc9ti{o#X1(cEdZER7Q98`Eu2p3GD??k?$> zGzO`#^N+!G+BB2JPlvY>4Z1v*n|OBrZlUo#ld5qh0>hCX&YgkEIWVUGr6JZ8#`qU8 z@!q-(aZhV7Eos8^uhcNM88+Sk*zYBpG-a6z1Q=VljiLAN82;TiMR(*>kqr6_$N?ln zN#Z^KAYj!z07MOp1(neA=-N%czluVFqHitZ54XF=)4`6H;F910pc@5R74KxHh)C^s z#BNN}reWT|1|~rkk8*hjr0`@-y}J*F>o+TlQkZr&XdBr z2I3i&g>N0}SqjMK&6wnPM%`#8s7%cW&HNV({fdUuK$ppQBgYdtlLskF(-;xUQ#2Ot zAp958m9u{-wKB;rkeX1&;RZQZ52;ei?tAkhEBla`YNLTIOD*+wbU`O11xxbvxaLQ4G zO#AP6vtcoXdNqHWwgfi+kM`1L^mjfVz9abNfJGsZi+nl&`M-L7c-=r}Fs=b$tPUVh zp>YR3D?U>kXTJF|o=yC8n7r@%fG^8V3ztqhhruF`tlD+|axcXWZyE1$e`SfMCejx? zAI^_w6?xGP=co7buB5lA+GNX{E25ja_0O`}zD2;>eQqC&g;Uq0&hJM{6{^&sEcPL^T3kmd}!cPZvXbxA)Vtw`Sw< z^Og$mV*4$;(L7bBA`NiD+TySp$JGG5+jt*z!B;m?It&K%z^eoEERuY*H5}q$XkAY) z6nHnD`*B>j_V?efzIL^^GV4%Wc5woWkMDf6tJ;rI` zyPqmDWgvN9zKrkbpvE0!)E-6O7UL@#j&DbKzOUBTvd>j4?a!vt-M`~}eecy;ZyyL5 z+n~J>w=@g>6h)t`!-%33k;&v&-rYO<9O|h&f`_R!}fDKQm`nV?Mq4t%RHJX*Oqi%w)6oMD<^ zhnxw zYRW+e^^eF7>rCg$AnYl_fWnZ>qdHG61sVzp>?v0A{B1hr^ug2bw?h#2`$N&+6ok}u zhoSV5T>q5taaa%ckh8#XIHVRBzZ}7wOTDdAVCbRFr0)IwrZ6~d!zv3ka%B%-0xHTH zBgn`Clpx~R_t40OP0BidvB?KGLPxVx2maQ}FWiaZj@&bE>Um_c3ydC8@H4a+bPd6< zFfCFOaf1K5me@wlEMM9r6Ey(;)yK!bjc&z!j5LEW8^7`a30CDmNFJmWOBKqcxn z&g3Xl83`l;K8#EKdLS@UE4@``-WydzCqVK9nuH_fS-cW2a^H+I)Df&wYf zv~n+m@*m0wwWC;`!jB#OIs3V&ZSh^x;+ceYtM*vs`hrxdAYp0{1<4&>0QRfE{5fu4F z^H^A%X?bCWtn1gP!AhVbP86Yd6BJ0$8VyYB$>~(!GDV1yao>e?2uo4g%ipBG& zAg_V2mg4ejNR6^IW1$etcl@b^EwY$yiDS&>YV!Z+%hX2`k^5%3@Wlh+3RA0LZ;6mo zBU8C>;U{GmQq71m(Nc+b8Ww72u-Kh8q2ZcMoES(xub0u7@>o!``**JU%6UTGXNy_x z-?LRzG*19C%hNvS7Nu$jfZM$QwQ$7t2&`pN*piFGO?K&9``OopUN zqt}o~lb19EMx4k5E8aM(EtNUwZbjXu|l&Me9Ff+Vq?*Jj15sAGGE66U>DpfYefVrCx*c~;!XtE$Ji34xNU zmJ@2kjVxj6Ep%^M%*c;9{I>?o1(%jea@IE*IZ}-4z%VAQVL-b7BuaELR_vAo1MW-< zEuoWOZz>Ua3+{ zK?q0;EsCSzYIHY*!<3TzMPdWmxc9xQU$LduXx-eaCW_j+$QFt9O(+w+fDPmZ2k$|P`w?1+SBSDnLkSlDs zJBX?4W&tk+vK#i*iklFIJZ*lSn#8_kk$hwP#Ryu6z;f@{q%Np@u1cSgBEN_3%2dCv 
z83<<9Pe`m^X@hxc)cIaeeNw(5!1LEXcGKy9@5cCAkQwja`uuD5PozG%(AT#< ze>Z8}RR06UK>1Ei=))EQ`@b9zkLm38bdEaeOwM*MqC}aqb&Qh%8OyFaRa?{7UteGC zxE&RDke^^Chm)PnlRFh-M35FX@G-FWk)Ks<9~;}iTgXxz_ir@$E6B}zxs~fI92KCZ z?{1~(yozvI?Rx*%`}u_j`hJ6MyM+W^Th6BI?cr|UCDS9o!Szw?j8C^4ZR!2wCG*Ny zTK#m4-eYNv4gl;?CrIGka{gGDew!9*_8aJ}{@OFh7WAo~zC5&Y&Co{VKWyiO3RxQr#-IZg(jecqn5JOI}l_M3hUwoCav!{yE2Wmc<7 zv~ELR`)u%AH|vpb)~;76PL<8e-(8^#HW1xTtG`unMR{BtuKc8)@sXD+=3LKqpT3!B zYb>JLKE>|G9|k&}vt!^IU5)RV-(4B$?Gsug_kA1DbXy+r2>Zd(YK6wz_DdcX+V+E3 z-S=Bw_EDe5;E);huU-h#-Dg~6_$)3uU@td*nOAOdDBj)+km=UNTyz9lk#nkC$qhFKDG#& zx*RujjI*t>nZ$9d-iv8;zD}L3z}sxrFPnI9WIkWt2&&xre@Ou9-ln5hp4S*$mY-SK zUv|viXdFCF@{|2Cw>7Lj8)aTc?bfXt4sKGnF(K*RgYLLCQ>L@t=NPZl&nLHmY|YfJ zVy#W@7rruDEgK-u6>XElGxj+6pYxeEYBr(k7IgTH2b<5HYtV1aFF>PrguCctU=GtZ z!~eR~F9-z(Z(k-Ez$ z{?I6fkD-=;q$NQ}SQ|AV4B>AeZ*Mc_DfaizO*C?2O9q|P7%%5Z^JOU$Uoj&GoU0=t z`JF7eotbi!d92(i4875bF@mjP3eCYi6b)K%+YaP>*H8PQhLq67ytQC=bC&9$-x(!F z^7CyhB%n#jZbVdb!tTV*!OV#2{;rZP?TxI0v*tA0GxwfES|y_>-K!O(vHuj?2?N`O z;jr!M{CzdsxbT@NKSl5(QSzV~0NY>Lp!9d^G##2mm-gv5m7xH$m`BO65-6t;0zS0@ zlbTl6!y3nCS%mq)8ePVDJ#aj~1b#uqUeFlx=(G?`J$W+}k>Qe-LG=>MbLMg*O;zh@J#p{Mijt zZHL33x+=fByy}B)@*g=K-3wUF#fF9cod#>p2y0lHlS_Qkvt$vVjJ&8>rhd(#u9BDb zs4Q2Ub2h{HCo@OACilgNTnk)poe~apmgao62jWfAFo+>+*hrZn&OS6{sjO|r{5Fxc zYA9==8s(m?Fr^vz8Uhn@>ab zl)5;vs50-y#Z1P4vh&F%cxX#H2_a94q8DfcrWUXm#qGuQveKwSB<+Eq9L$lJmFh+& zfl?(t0kv#5EhZx3OcP7*2xE<^e}hti)-1gVi^#)2D&4Q>>2|#=EayZSplwM?Rv8b#!;xX;ur(?VHuYW*8wU^841MeIVUF;- z4`OIJZ4)qo_tKMar{14U!zMDEeDt9}=w`K77FwQnnAzU3kR>P)#Geb?+L-b<*jhB@ ziSgqPtR``aT8P@}Q6}~5o)qNiL$G`R>DQ7FP2Y} zr~7T4k(U7AMpJjyM;Mq(jxE3d_9gQ^&7tveXLx?{;@`N; z$&&hU^xYwA;@R!Ju)#FNb6v@Fyy@1jK-MidAhoWH%X*Gl8EZC(A7 z`6TC7e0P)0>UMm8N%s0Iaa!v!Vi-D_!_hkyFxYK^o$l{!;yLK5~;=<+4_!!sQ zrDL<&=B<2n`}`ysVaK~B`Cl8(QnWD}?=H7bAV+(KlUaSsSZOt&_IwNy`v{e6?Ir+%Xy5DiQq_sdiK8( zWVnq@7JpuyC{**@Cq>e27=4tnt=u|)?0+-JRo=G_Jv2WC{O_)%!HzoJ9*6{wh41c; ztq+=3kkTwzw%Tpj2px|0A4JA2I}iBR2PHnwX4jM1ZwFMqnX@vxaU&KuUGBm4cPGOD z-p3=fDz~M_X^*ELhNq{o*f)J2<IkG@o&SJ}5s2{!TP 
zz#HBT%IS>fD}&+7`%4^`m&5&PURQ7H(rcTqVTmlZB_9zBiS)$cU~R7*ZPdq`pNTq( z1(3(McmMZs_!4k)@e0scdU5%HTo`P5#uB?yS@xO9lNSjK4H(gcd&l^Me7oKUST&4% zN5u?s1}}gRG}=J6-{vkHAaJId=p2C?)x;V3#t;Z&NT;8ar?*P9mx%rzX9 zyn5nLw#qhb<%mFYF>&e2)ELpg`2A6$==b-7I5g^dvLM?TDp z_YF71fbz7Ps=R`Tng}lGeUe)(q@y#+DI}Ib6%@yva9xt_vAR=Uq0^+8hci}%jS$Xb zKto9X>Iz1w!NbJgCbh3s=l5Vld!?tKV9@+A@J;=efj1p+?q^_}_cb+g#8a@R z!Q@}%UV{o2PDw#DhD=JB-^H*N8Xq=4wH&u`_Dg-KesYxrIUP`)L+*cFN zZ)|L_Oc3w5VFepbo0?TbQ}xFsQ&SYg3-ZAf3|paKmBEm&ha{+EUMNc}CxKqBtRENM zO_R6G!+Zw%Mw0;cQ;2rID2e>Emb!PVN4zL-HpMn*LNWjfikN8v&H(=Xo(2KPr)IMghXHDwCNSr(7&^4 zCF|_K5K}KxK4V&_aIJ=t1lrd~u~$rko38NQP3$@$7oOzjseDypX$s*SUVuBT&4YUX z)bS00_3kTR{_Xo6m^krTA-ne+*l!*J^9lL&_ByRk!xH`hsh&a4#gO3KwH;MTxDA3$ zQ50&pI+Rj+SKYjDe7#?#+H{uW{-zQWQy>SnU;A6F8V3~JFlv7yZi?W#&5r?F9 zjW}(!Tp8!UQe#DAJzm;n=D8G!`RQ^euGv88q=WlQOI5Iye5@X1;XFoa&Vf;{m>g7$ zcfjOp86Lwwz))&J+kc#XH6TG03zF^3TQ9?TfI&l0em~?-x>+SpZAR%fp@rU3ggJ7| zf+&9_lyWMzXrNHJ4xuOtT7_YU_CnCZui(XcXHEIW6uhJ~juI5n(9`-_kuzP5s(uPx z)VV()qzAf4^@55ep2{hQ9l~Es4(;{fmw>ndFwpTtte{=_m5FSaebyT+-}FNhYhqPN zm16LGv2mE!;pEJ)0aL@RJ(0w`B1v3%ECiFRKt+!NcP59Z60Qm6OZS|zLIXyvc{?JK zo76N}Ni1}B%y;Jkio_^0D*XhCg>~28Bm07UAVh`(=3-f8%&Qw<3lY7FW6~Pd+Qd{O z6ZjmLlAMf(Mc4=)P5WVj#dD?TR8Z@o2EPJ9ii`ri3h@z@J&+9#ka$4v)u-ax z@bQwBShVy}Z70`qrcMMiptQ}$2Ta!k7x2<15` zRVb!X`xBs1N7`?wEhUbfk}j=|C*=%Umh(#?hYrUV-$>lMb&Pn?nivcV^k&pzfb9vk%Dj*9xzD%i762`4CMo>swtdJ03S@ch1!$n$2jBu=a>ek{=<{GKvq?^HH{a`j9eg)`PWReBKSV~`IyiYNQ>w&H>oy#@dRS#?Z7x4GIgz(*PUI!yvBIh53Mb{g4;in4kmB9G? 
zsnFPCE{V8{CK zw+($(o^jW+R%o&1`F8U@wUII(hq2^#mua-kt>bexL87f=woJ8@_wq^LW^)X8`hK)R zSLuBn#fDq|Uf=#D=5bN&kt7n?*yJkFR^06Lc^i$;%)`Py_&PgOiqf=uS46GXM&AtLmEl>FvN(&iDhZza?VK@L0I#j>n z3*0+Rv1`nK8CGP?mO715_8iPp#Kz*tPY;nVPGhT=;#2v_7hCe+FwZOL{Xv>bD5jTp z8Os@BEG*lUmVxjKh;wa)b(KB|(9YYl4PtVrqiwRJNLrHwEcHIPCRE?NTHEm*ih{@D zKle)y&hX&I<(M@eQ-A#6pwC%>n1ZoHK1oZwZ9}P@9f90euV1)YV#c~AGoTrjPVCL` z9me9a1o!t#hYAi!3M?3x;l;p>EAJ?2r!A$S-_jq zgBdIzOTd}@Q^zBCTO-ho%gL9H6v;kp=bC06b$05j(&S$hhoT`yD?qkTa)JS)q=4!q zN|sX4hj6Y{r)SEdX%ms4OaT^@Z2?5+|LLwOyjU@$uJuzG+DYX^1&3vKTt7ghT^q@qUzP>LT zx%=xrDivsvAxk{FSRmoIiSobiz&+uM#`Vl3L7&Q0fPXZ6Q&LI-_rKSXIlM5LQsvit z51l(N!OwDN&}bAgLXczq-(=-4m^RIsEYFBc!qEn8&yCPAokS)|g6-E*R7RDPp_t+f zYn`?hG#vA-CBv-*g)uRTR{SiMcgz{nf+D2@@%SjXtLC73lq|K_?pa(8Ol`wVdolkw zk1ATtjIL*~S1!JQ1V^c*!8>Xq2ACJc>FL*Kx*Up8{F3MSL13%g$Vn_~Dr?uCkjt1E zJIiFOO)8R8lt6Wi!@)ka0NY3^+RvIWObMoC!|JulV9GoXi8` zt&p2CImo*tzT76IW4grGS)kOJwPo4!*c&sAR*YGu2%dq@$4Bvd3@cv}BD{}!ETD4w z3^){x{^(OK=ILGgY4Y*wyD6FaCK_%Ry_o=){=N><%q}DH(i`>h+#5GlQ5Dy>LII0G z|MyfM%AaEg1s(-FmD)1dnESwzG&oY`WtK-vbX~9}aRKVMaYKFrDd;ap^@c$7Oqv2C z#|=5+29=Ql$^+(;5EA4p=GT&NV%;AaV4&^%a5HFK3js9tBfVyuq$8HU^TrzcVl0=G zCP1tLsyMv$ok*xON>C2}=xT}VIU!clFS3Kj^F{IXd0Q=j9J+6k8xl1UKCDxSpz)Bc zTl=q;En6zZX6cmqTCM*b%AG}O56X!S5=n?$a}>#faAR1<72u0coV7Pstt$9XtT=M7@^7pwpwIgM z{bpv#)+!s-7K5$wu;mzvzQQLcypUIjwiSq$xjMrZWcY;kC^-T*|>mQbl z+uZiE1j;Mt8W^8PD<~74o!MDfmv;sA10qp>vlN_{HodO~xh}jug@e00E}mSrxSzKS z#L2R~7Tv0=oLgFl`z0!zcHg1_FZY693)wCwcy#vNHCNu2QQEF2SN+;Nsj)}hHK(LD z8}2Jn#khC*P8ie7?;( zNBoBY+VakiVLW9XC$GcxrKoXBuIo9ashy*Y_mw9ypX;~jeL%d!A%c1$0gs5v3kpEJ z=AO-Y?R@|vz1rG-iv+{+-QSJM%I-pYV_I6L-Ij_5&W7FX;c4vIMf&xT!b~BfhvpZrRV1@mkiCy>w$ zmEdKEWOn7ghNXMG^{yiO2b96{zP!`ozCA`eE|kW_ze4mxo$RhJAZE1`zth~afi8* zsC-%4rioRt;*k94FU$ z7o{wp!7HQj$x%lC=GAM2l6zrTF+11pgfO2+3}UBVxBFCXrJE&(Ti{*(B4C9}xVdUj zmULaLH&0VZJsNmZG=;StkvZlI{_7cv0^O!LS40{>U)jc&1m03fWZ9iH?nn=MB7jvw zD4Q~mP)i+obT%+SXX*=LbWTz%E_zzWL;2kKM~js3cT<~Iy@Ztfq@u2pI@khvFkg7a z&3@ZPO^{|Wy(Oo4(|#kDx}g3XG3yvbr@-1(zn+EwQp2EYrog&1o4pzrBpRueVEvC` 
zc{x#onAy5J$q>GC!ExVUBZXwrOzTDkX0iONXfpil-+%r%8()RZp7g+0tPL^A*Bf7WYBEg=0>nN+HnYY@_^Sf5gMa*1sK zLR(&(cFND+r(0JX^s|Pc=G$V1f|2mod;AVzd2bY@)fe_w*8{1i7ygBS zlZh>x#D`8ea|?(Q*N(2{L@8uc9Hz;}b%dO3v6&L;T_IR(*~P?>mnt+@9LdvKaMx24 zcbIgS#cj3fDN$6HueBj!SSw*tM3_o0v?p)z4@#TIHm`tRtw^g{p67>f6zdSLf11p^|3qDALTFP@RDj4QrWzp<9t?Wc7B|R=o$ZKJgm*_j z3{x7qHeHvp=PZ*|F{|hWI1hw_Y5bPlq*{zu1ggo2l)=aBC9-EA;r~eP7eNXEeUgW<_yo@W zk+FKy!Bi-(vBEgVpMOUiIeFrf&MNfVy(bI#muwu@emkn-i>sAYDHcm2^Hm6=KOpf? zm+3luH)Mab6rd>$n}H5Cup6O9FYZOG-Bz>_DNE%2E>i!KFgV^dhps^Ezu00|E5e2~ zfUlq|QzFIGkIaQzWQk}x`fC<(AHpaR?9Y0pYNWPz3~Hrus1tOnNJvOtmYrEYTHWK- z$k4eZcm=eaNk()$^HhQ_1w(z#Lb{l;eq6yRF)mNxnUNyhvlH74&-fkJ7G_u&wmc2y z(8PLq185oSQoQ{yaW^H8Bsb$!lmCumpS~QTyYf@Oisk2ZIA-<(fx}Pj*SpW)A^MOa z1}I@*D=_AJ;XU|XcuhewQ&-5v6o7g_j`N;j8IGr8n``GCT8$#`%V!7RAKcp>w|p;Y z&jR2~Rc7RL(Dt_eBuo_7roMk?^SIj)r-W7OJ_OxlsU^$m;nHN)#g#{@ zvw4}*9_5O}H@53tD~tU$<<3Ut^W3G&XZtHjs7+7p}?38hAdq17MrfZ3L*WB(C*l2qHec9wa_W`~|Ui-Z5#-Fj#NmY2B zzOFkr<81=nJ|H=$EGdePdp14?Ygg*4a-2bFckps*ZcoxNN#-Dk9euK~I;nm-CVA+b zZmDqjydI{6l z&7xEgL*Ky{+fn@-{kg2yF+yM-Fz0*Mz4`tyfsr|WU{5$otYB~*=>HwMim(uA6WX;$ z!RhyvwbXUxfV1V*+-;Z((bIZ{rL$xNO(Ig}B z8fuNEG@8{U!+Fr$vd0|+b*~%Et5h5j#2%N5g zW`~ax$HP3F%GTpZ34(JkVli+8QO1IMVmBk|?+qEXE2k*eLX)I}(Gkb8P&7a|$y}nN z!0VHNC=M4b(o#OGd5X3>N)xQ zT3}8%vT{I`@X1-nk< zt*35~Q#A;}qvdRdbc!Mg1T!3!+KOrsTIJPit%8gZwXih;Qxko}Iv(hl0k7!WpY%Sn zzZmlQ@EWo&rChWWAj)SmKc-9??TQH*lq51lmh?s(JWvOg4Jqdoky3*S+iYwg!`0oPLNbqBpE0U*>1$pJ4h0=$WiiZh}dbTZXFR zML`W~SUXocrIZg!bSA4jrqAhruwdt~9MVw-vW1?~J!C6>Y(M!J9L&+5fGJkZvBEX- zPMm*NWjNZQh~g-;f-aG`9Yy}MStrghr8Gs0soB2U=@BX7m68g=GmWJ)PnEPYVlhcSX3vZYOed(X>#)Z%!zu}{U8*dM(whgBl6x@<1ZW$vOc!@@j z<91oBy!(vxkY40tx+be{3qOOY(kzba=zBCYGi4YAVR2u{1&;HMp0-if6`{%|^R zUA2L5me4s($fpxNT3<&5N@zI`P-Xi{)R{PlM7b?=;ne{8qLhOZibS?EC%~n7iTN9p zR)cCOy)sJ~rv*>_64QUjeYevL;^X5(_UdOhozZtZD~e<6(MAs3wtyk``&2x9*khg8) zIeOV#qjB|e=iV(V)3w<0wxvWD9>w|Z{fGC}LGRS-Pib|V_tB2#f0Jy5(H$*3*WoYI zT^QM)6`o69S2)+1p8LpwBy?F>Pa7H8`*ixt6KeMt#ZR;bDnP^D{ZlXH&)GdHpBB{z 
zYUlY|0pMNw3eVu4|G`x+MEge4>g38Nf(2gZga^SDaPxrz&bf6tdfi})lZthkWsCd0 z5zb|Z78U;b<51M+P?`Hd#PE@+zyKqIXZ6Zu)^|VyN2~GmD7mWrlII<-b3D^0PdgIc z{U!m>;dAS~J_)$c20k?QJTCF<-VL&HTMYMS>6r9(K3m!kzD`r$%D&!icSyq`sMoBd z0=SBhnx1gP$FsZlgXpdRBDAXJi}yM{hLuv$Tt_J;8HHIIcaUt8n}#q~aPrs-Y%En- zn%%ce(_YmreZLO9R7~)n3Fu1<23asP&IY~&pTBk$j)0=K!1AZ;Z_hetA`AFb81da! z>CQnt;XVH`9BN`O+wlG0B9HRpKL}JS8TfZaAjM&q*%wp%0&PdYL&JzNnXqx}2c*Uy zU~Rn^8xBSbVM1go%-+UA4Mi+rkk}ZCVf3}K2>Arb zMrgI@ND0$27!Bv{i8qA_%fugXe~(3dE85`FYS?KD?InZoM5Dmlc{;O?dl@zn^n)q* zpt%dx7%BKEhv6@&budFy`M`)7l^OHvY{JTZ6Zb2lfWoc&nZM+asT@jL9MvWc%1t}n zITgy{@VDvs7W=zv1qdq;Z-AvNAa$iDj|f!!{;fE#j+a+aID81PE;6p3SY?!Iu9)@a zi`mATcZ052*lXV_huq1zga>sp&HYnIZbkzONu<<#e#W%^`wR&w4-{2qUr80RaUrDy z`7)rosJ4z~Wxlqmp=H+jkNHjpF`8of0c*eUFU~ManmOH!DK&W83&IhWw;NV$p z*7!GzYg|0RlO{}tn(a65 zN`MhNl+~03k4*zClX>IzSJk4;LRx5K1R-jPN9DIG!X+hV;o!@@r%-lFcLiL^6;96L z0UjHCUoCkJR96D2*Zw23y5BOZ7h<|=+|GoYfN2`$R=l7`X~tmHkfBT=yqIO1rRJJo8H~eE^2Stp6q2gMpMf**8T8w#cJ^AhF>59D zOKwk?Wbi36Z3M`$;nneihnM9`b5B=;CFWrHGsudkI9C%%n%^cb0xtn?)7{^P!$D2R z*hHUozbB|YB2vO76SLG@%On#o6XM;+FZlF|*+hQM7U39EmhngNrWTB?3PBI^{j@OI zL{Ch0^pKYPjf5Z-lEsMBO0+@B`KdRAYT{P_fRkXULg?!|7`!Z{53THR1V#^I z#{hdy!GN$hZ<}!&=si0+pvqQlTu_#TiIRfo-i9WasF*fwMk-eiDh6K{2wgE)0@v~x z%UZ^AV@GLlj2c|ZbV+QaA*Al4C8y$kHFCRB@C&B2Xp&gH7W8eeAhs$ER=y7xJ$&IeL25P%NKzUf>5$U4;k`|Ib~OkI1SJWHRSQmf1Gn=$j=v{Fx5KI2)* zsYB8(6|coCFr|1Zp7*ca+HUu9!%gasbm>IVRgLTG&CXXm7dy$c>jxhW@E+~%^J6Pp7yaeR)ms(L z*p8Q0)!@N+?+aBHmS5t4`r%Ls9^l6Z${^s{&gSU=&%GG%MeXy*IO8xQmG=Yx>-gtZH7h*eqv`cXxLoJWzth|y5$~Gwyk-d@ z96+0#P%I)F=u?JrO_$~)VYzw;)C<*SS7@uAm7i)f>1D}(3R>u$}TK=lfn_Wr^p zau?$^+drpWc@?ZBavwhvC$r^6clxu+>#2Yizv{JD3G&BI;JFsVby@Q3>$3V;H9`Bi zZ-VFPxyF;Vn{jWmPcz$Fu|K}6OKI}Zm-SuvReW&k@rBE2(GiJF#}5GWs_u28^Y)0^ z<5OW$>-j-2Z-@SM7`@G!xy2f_wFj*<+}ET)`!bIb$+Uy(CO4dl&1FLCsi@4 z+iTJ#!sp^4&ZYfb(f!d-;_~#%DCIXEw@2IOGe*1fe#<3m{jItCRz>wbQp?)M=Cd#g zxUX@o?fTk;aNV^}WI`avq@s7+Y4;N7^0d|M7A~mW2I|h$xLZ5{jNSvPTmrrqWUFsl z7sY<|ZT3I7)(N(0pRlqBjADD@)ynB}zzYx;Xf~k~Uo%BQWYlDWSpCXZxBf94A(aN+wsabq 
zrpcIa$qzA};OkCFck($3Mix-h7lvjfJH_OWbmjEkTDmqGnVY60S@-E(m3BCx?0d7P zDY|D;XPT8NCMChAg9wRK+)7JYc;{wss^1kK%8@OspgD?1FGu|wt^ZsX%!GdOpF(-O zKuN+w6Z*Pq`S4Fu9V~3u3 zQTyrh)=cuV3@H!;bc(=!V_#gYVR}{*L6m+>S7LaU7x(gbDZ5p4t@1J=?doLC3PhC! zIgWrAWO%zoYli}3C2WEvXnaI}Jn^fOR#}pwhlMg<=mi62MKk@X!6UNRYMEeoT-`6k z(@5?%z9COFhg{_HgjQu9To9*Nd;Q4%g}iK5JE*d^O~rIv%+<1l0A6m|Wml005;+#m z$K28}nhLBLZN#PpB8qu+9Ku<7`7#49QVrBFv?fJth9-tk)Re4NB+uqJI%XoKKIGhF z8)!KHiu?GERC-qErOTzBp?|J?tY`i)>8bCd4Kb)>z7>r@)ZY}RAW8Mf8a=_CfkF)w ziV8Ajze11P8Jb8`zs7uTIS9tVI5DpL-hpQ&7g7~#^He(9sF&g=pZniQ>A&#nHT<_V zfochbM+U%N43Y^_e_32Z*i5_uUc%ED2K1Z<;m4>YC-XFzF%b2z0OXA=f)bv(DlgVU?n&RU*@I{7cGSgr} z8{#pRJaEB&+Ks|3;eRG`{G3aip&|Rox8--ai_b|2CeM?o7Yb=*f?<>FVaFPW43Mb* zP0*i&y;94c{R?6fX7pUtUpFp3Py0vUErq5-mBL0&`WIzM0$fYF3cE{FS-oH$< zBKV0SpBC!7N=Qg99MreU&>RGEa zVZCR*XoD-xNwYmS#{@IDCZ!5PEbJ(*$k7NYmA@sPFL^Z_{C!)R3Y;f4f+JG{Bh+~z z9M$#-WL^^F99A3RFx(#k`BnQ|5V=Cy$peRm9dKT`vies~;^&^#Tj+ox*=F_ zf(CaF?j9t#ySuwPG)}PK?gV#tcXw~x-Cep5-*@)j|9>;9x~ebNTXU^B#vG4|b-uU9 zQhBd2kDamFIpVE{mqaYvuY&?w028m z5yg;A7kOPAv1ON#y1P-tGGKKp3X4&a`b~@1#tH9}S%6otZC(k#Jk{z%0hB&<{5^u9 z>^VwPH0rPrI&L_77EHMG8zOq)wh)5jryORLWZqip(D=R!t#{hY7g=PR5%Prmp!iiq z-_}^y;%p6ki$BwrQnNjDoB!L`{AqCphYIzBw_c8jUQvY5z>5GTsPql+8w-p}58CoC z*q?rf-EY$z6IT;J!5zV3pHja-18Rs~)aW^k-!{IgFJ50ROd)>hD8d4a*7Zli|QTgrUkj!M1k%lgCDedytwkNyL-&IqpK zjmVk12s^H)P=sc!i`9N?z;znJV$S<% ztt+FJLs-jfy1IY|QToO+`C)iDHt@GbO~3waN<}9a#omr(YCFkzOYkpvwQ>=5t9|cU zu&eojh>-ViO}zIe)0lJ3dXG0}<;ebpzxxiPJVfxYKqF2F+ARR|TgBMaZZI63cgsFZ zB5nGdzqx&^zh&dtwemmIqi}5Q3`N>$2*0-b9W-yrY=C+5Hmx^6k-RbZA19a7kUT4= zvqXYOE?u(xPwj6@Eib(XRaZY-f!l>=47wi>4%6M|Zow^QADkP!Uf3IclbL zO0N>o&S^z^!ZyR6Ups9I%PoxIUZIaxLGoGPPL8`I(|s16Ln210zbSWQy8=D-22%D^}0q1QM&IN z#!h(A%k{e6^qcu^ab1(_b6R(oq}Q3R`-{cTZr*ZqUI*Q`K6dW_hVNkTgdlhZU~t?0 ziXxo$9SgXlvV-dI0lPEiX2)KteX5_}%vk3DHv(5f}~c`hK$TAZANH(^A|BfJrd zgZxwi=XlS0IWaA>QE@s3SId;?E=Y$&JM(2Dx@1v$Z*F29r2up1U&FDW$?r74c*NLA zNCu%(&I`53Sbb-~fZ88EiKb98B=oV;sI~I1!MvmyiHU?9Nf0u{pEv!}7Begv<^E)r 
zo>I4Yi)7x?4iR%;!Hj%bKkhPS@d|N*wKRVle8J2YXN`Pw!$~>K$}p^N^2$ppS3>Oc zdrvKGQHL`P{_s9^sbCDky~RtlN=%b#oN6gU^tixxU=)|_HZJ}Ejbm!X2D zRa4zp)$gX9z$2pcjqTwa{;x(!Ay!}FX70Ay=aK+R$UYm%zh6$S13lSFQWEwh*2>?j zrhGboGa0m^q5b7NUy2M?m_VoRoBhUAmYCpgJIROO$dP3yRhBq9bT0f>{_C`Fazv&L zw-}qUc3wU$j>wk4d>&%SH6Y@`GfgtJ8iNH<^l42Bzs#i^7RAeEin<`r0yP$4dJ`2@ z1t%<>**TKdvO1K*+f&Ac42t;9l4OxWDb4QB+~@ZmQAiDkG44|4%Xa*0Csy<|n%QVE zNh+`BZ%G?(A&rC`icLtqm~W3vPd-NpE~{p@W+o*9PG!oEs5}$WTI}lwL`j5BsZPE` zQ6_b3xSf_PB?Ov5YSlWKK)Rli_+4I`I0#ISuj;;1WgPj;-&GdfIILsV%iw{eFs95w zV#BPUU#62#QM zS75T&^`TZ_#2c_#Hm?j|7uiBmFV;1{&}3n)R3S#pOwezhbW7`j6+L9>E5JCMU}cY_ zQ-`Rj*XiLMw^z-br4O%59EMXRNS}@+pH2S0hKUH}kq689d!yxj|6jsPBh!CG5fm$< zv?ke|;Q!1*J3&S`5hp~K7b#Pyw}n1IFLKTgm>U@s4PPcy(IN8)M%$9327IJQyLw=iiMMW zf!NMJ+H}&A<{J6C-)bI03s7wT^&X*CbJW+MA7Y`NU zJ)eaief`<1{)k2XsG>`U4vF7T%~o=Z5?3T+Y^@4z^U#t?6wy)~;~;P07v@}Pqw(U{ zMxqXQGJ6a(cb>k?M*5V~1s7Bl05 z9aUsdY8=hEwuFbMn z+TK9va=zH;sx&40x$3iJOeA=fpY_KS;6CbkU*S8UU+-mMdUBN$kqymyR(VXK-g;yuN=fI_9L>*J~cPn%=VA#`ziboL(81_`qpfm5=R< z?j8%BW*ZJ^llm=hL;Nvbmkc*?x>bC69m|GS8=ct?^{NT)H|j)f%r9B9FpOvPux2T4rd=R0LOaovFb~g?W!0&*lEDUgz}W!l=exgG@ke;rK3Cp zm(d5%`k?1?89xv9Sbr7VJUe#vE6jll=xq}3xId@GF84k@>SpJc=myz5KSe@+0Fwnj z*QMNf->%t9`lr#+9)a5P+I$W$Q1&inj@4la29p__zD7A$A=Vw&!jLj0yqmn<4`DgH zl@DPDZrSgVV;kxufq&(8u84{y3)m%`T!<>Zd*)S&E+=ix2O?zW5l;pq+E zURdu<9o`cecOYj}bdIyq6TbUxGuUtY?M+^O)ggpF$6IgXD)D1lUA{^nwQU}B7Wk3V z<=Kc*r48~v;`7dIp9^|>4|qv@0V}?PBR-GZx$+b^?c%@F?;?0ILmF;3KQ(~PiVLm}MVb+FxgY@G2gNpZi++r|021`dUC&4M*+Ph;gO zmr%6LpK4STxxX~D1V_sKwi^&;f7v5>`x0FgtVD_8s*KMm->oj&uusrYKz}Q_$!Lk zS-QT<^mt2A%K6TM>}h)pFsHxY8ZaK35dsqt=PyU5{&D3UjYZ@CqiT&OXK@%NiYZP| zqvpMC0WxXQMxBgu!3=*<&p1U}z;@<_N;@Tvp0(-Bv17HvVudR^4@=+a?Y9)Fbf2MI z7>N5(iMX4;ax)Y{xFrkW#zgI}Jed%wDvK1BxJfW9j45+e|9hmgCjkvQ23HpECYS+D zhIe8`wWqDu(#Jx&waxBpr&*!Ftqg6MxFH7FLQffu9Ax-gE=)<^K5|;{F;FhFC*sINXFBE4= zX)BUhsUfVC+LR)_E7MGfnCeBb19b%mImp^s=qLG*uCZ6N$+2%=j|FqU=&pP}U)Uzz zwwjw;YCy2y!^Qs!&R3v%i6gL#hg+=jvws4aL6ixe3FpCz5JuBk5SG11Th3md&PLs$ 
zp^70A2SXyB>=?FoV}A7Q2g87>S#o?!Y`SKFjX&X_N5GxLnZ^g)D9tUvNgZp(ILm+Nb(cV=J}dwbHjO)|nz&c4t|b zN8X|_D$i(|5x5U{&{hwea2|k-Z5Sw$FzC$9NDGmY$*{`ohkH!Cd1iXwa=x3fg8e`- zw5D8QQIT1%RRYa<#hRdKU!`Lg%$r+Zos>IsXzCf}Z3>dqEPwd2F1k02aT%AwN5!>K zod%j=juwWftmHbGY8qr>ji9t=o1W}@#K#>JP>v2tO}ficY8Sq%tTd#v|L7I<|1csH z{C`UHe>Lg5ZljrNF!*aOU<@$wA4%HyQ<4^V5Aj-G{&bK*kvJq0mwpP;*MLW&AFsI2 zC|?u4At^G+enfs8HRRa7FNdWyGr)5G1v`On-}JyxS}Sjc`@zaF8*ja?`n+zf^;>yv z{Gf?K^)~BDbFjx%UWlnZC$`|t5;l>*oxgaew0(!AlhezlzAcQN^E$C2#em8N~`D3@Qb(Z(z`Hq^GM-`o-8omw;Kewy}mokXzb zdh&M0vvc;U9*IKUxcZ|UcU#R-(VBviA_!@L|NOxz?)>=jb~P=yclCkI{a&;#nQ`ep z8i;^>BROcsMZ+LyDYyQ|^?)kKpKi__i z&M~VsZvSE?hcK*P7YuTAJ}tJQY}KVbj4(V8T^%9|yhgSAWqDo{A$*F;wc@r+%e;=J z$5E45N6lK*eliXlWt^K0mzbKnGm*A#cdDD*#=yH2ojrRzNOwc|U2$=2e8+7Z!6fK+ zg6#la6s?01!FOU!$H|nV_4X?Ps?7}T^44d^$M3EJAk*jP2v{sXm&Kr`tfrxpqnszX z%kABvha{rsrLyT-yg>C!$Jfo6>esA!uwUHuJsdAz1IZX+&n6cxq5JeB=a!dJ~Me$6y2MTkDfEJVcmtU+pwp`BfwLhY&EWvbymyrwA)-o5a${#*YmlyJNOO4 z8JVpa;JUT7tNkhLdmREjZ)OJv$?Ubg(+U|pu6!1FpZXD#z3741_-v|RjT6^zz9EvJ%CIR@ zj|&3VQegMQ3tJhrW0qrxC(44oDfH-}Y^h|gm2KUF*Z zQrvIPB(^5TL31BV4Ml9cGV?`rg$)V;%JfXyQW2^mFj+bp*OAE3q`JYkQkwI6CwztQ z%;i4#W$L8)P8Nelk%85RW8 zN0@nj+SX3MxKNZ%)NXvYmSF~%P^gzptfQU|wk6aCDuqft(+#4w)kpl&sU-m@k4S2D<0h&Br+T3-@PNQGI54=ahUFo#d!_5E{ytN zDr~hb`r-@zH58KyuafMe%#a4TH+o3ROg)#|p~di!30}u%$j0R9>I%0A^Ulr{)g;EVnS zZ+B)@s)yTRv%^&g6CZqmZhwef5HKCMY{hl9oOl)ui|L`PY#=Abcyy znj9=tnz%)6#mGdclY|&a*EWo-zMLu#S&=}Xt(<6uscZ8WmVWW`Z-}QghxRsS_m#^} zM>v-62hDvx^pozV?o9=9Iev)j7u3b#zpU!l^D@X{)z>^b{>=JVU5wH4&ML(BDAC$F zSyQjBOG0U&fBKb;64`wI^!pta2m<|^_B@`lW|?S(1EzqWYcAb9DoNy~^%Qyq2iQ2WT z98_0RkizejX3u}S@0eo2Yj2s;vfvt{*LOtd33DaNQR)iaiUU{8Xp-q?NF5{$HNQb|rJ z{PI(sCZ4k+x9=`UG)TFc(%CY~lCa)F1qX~fu}CmUelBox7cOQ%_=~ruF=qTQ znOlgpqP#}evy(C|Q@b#JU>J4p6#|k;r&lO+&DZqs5dD+I#|K)4g=3O_Q4*Sq%0;_So^1K!0B-oVMAnJgu@Tl;K}deKhyNE<=+N?7 zWhoJ(2^{R3}1BMs6Mu_yl+~JXT&2c4qYJs<1Pp|&mov+O&Q z!~n-UGmK&Jm4li zdBUWhjk_`;&P7A2xSxS#s0g}M$*nPpPt=(re7Vw5(3&+KYLG2e(yMACG(1pE0v17f 
zwakg1=#bg*kOBirWfwU-Ak=MMmziGTtMxx5~9XAeq3Wr8#EhTE@O8{l_B?@xhJ7M@L#;al z+OZCyr%STMkuWU$R!-alEkYjkOC8}gww=$!UmeMm5dw!MqU;cheq%xzi%6EGeu3F=vN!}P z=`*^sd_g+Ua%I=i}eUNd-KJsKmndK z36%N2z^L_mX;C^#HjTSmZ|JnMf76O1EiE#iSJbzd<5;a@;ohY7hf?TYvE)uj(yG#e zNA1eGyZ9yhlp*s?=sdUpYRg}o1|ktxlF*FSPMp%|z(ym#K(S{L7ABSfM+0SQd@!8Y z{g-xlzc6D$$w&j-t=BGxf{LYzgnY2BE)BP%;f#~d@Jxnmp_(}tD$J0o!}iIAqiR?! z$*4yc$)5=>NAc1&I;oFuV?_oyB4Nir7Nu-$$=&D{OfcFU**PU#IFarVM`cWlXqdGL zFqF|H&(j^r5>91}v#Ug9YY#XkbXZZ2__K}5g*A1ao8T|YpZ`Q9DF#5-HI(;Bk|ERrJ;DW zz}Mn;tjg||OSI|<@0&>!y|)X@k*V=SJAotZQ*;#Yb^+_-3c#G!@2<`EFaNH$JEQj$ zeasx$;M+-C@y;T*xt`w$^KiG*lVQq)?%fUriY5WVSbKLcKKs*QA?Ed10->f;#uE26 z_6^ZZ5}f;xul+he309ku)g0~)^W1XxZ445?Ro1buPxQp0_u7Be^Zt6rNaXhvG>^=C zH9ef&&<5Vq=L3wC4QJ26HgEWCDBsTht-O;i&vbc6PP0u0yB3ef^VBvMPwnt79sgxUK6< z*uzfn+P;5I#vu{m#&cTcyPR+Fg&tpkKHw?g5!CB+b;;s`d8{Q}@c?{8*~8Os^}N({ zKIV5{vC7cT7VfSaM7Q4n+!YpQ&9v=~5H&WBFL7#Lk98F5{}60r@6U=enC^b>t3Kp! z@m*Q)bC@_8&n9w>*1q(98%D9y1@D~36l{9#{a*_<(XR4q_v9n^U1>;gPw*g|&86G% zGt1g=XO1lr+t%`y`@{V81ayZ~0ZyChsLx^G0}l%oZj!!CyTrYl&-5M0^u}z6^5X@Q~S+dK{BK8-b$82YlE%YBV1 z0d4em*pkj{>DUWsV{tZB{uhg5y{*Xn34B_sFs0xPU(eBEYGAPU?6#-d@jJ^S#za0!c2*5|zS}wojGahncKB!&} zU#3av*@@mhPgE+w_i>UeJD2_2ZxS$Bv@r2%T9t0IUfAOq!A$sV2Qnn6KD=aj>@3De zB=l4cl?~i^?BfJ+rlLwr^@v9*-z9)Q`xi2n zQA!$se0sqJE&CN|cv$F>O0j>eE&K)t&v(HpaGJ2A<*O#h*!NrzLE1-P9zae* zaE(Y;Ja5SnGU)@dm-0FNl@}fcmsAQ#{yDH;*Fd8>I zyH1F2CoKn1q1-0Hz#hMhE7q#aqgwB3NO|0%8Hr)AcLQSmmx?Dw5;U^Wnn)7jP^zkl z*yV(M!`&RYDg=#o?wT&*)0Z(Swj5fFZJT!NzdoM3&1PN1w*?Z)M(pEH|MXNC_qkxE z!udCUXgOx#!H8;JL{c~;YWzx~T2DM#N{38>s4vi~lJ3`hOKZ&epR#(B1B+y=FAq-p zc)R+qFM9%EbLHH6Taa8vh$+M;9C%yKIY<0q}u>dj~k86wRjg-=?>(i&? 
zV*&R*`r^X*D?+!S41lI%erwa~Lzgj`?SqxL2gdqe+xMQ~j>#^$#y(U7PwG-tdv|rXsx{IbUSNG&Xkr@4>u|-hRurhYR4m4Hv-oUW^ zd;cPQ`MT4lJ7dh|X~p&KTk)eFmurf>ZSAZYHiO4Y{65Cc*g^fWVC!PGcKg|e!^>0a zJT}<)^m(KE;Vmr1cUR=5;AxY~W2&>6zj0PmkjpYl->&w}U7SueX8pp@w-|l-W%8Sr z*FWy3oWBRjtwk>vg7~k^FGu`cK$G*^Zu|b~`n2KjtTkNW1+JCWe_nRQ$~_|Vb-Fkn z-1;Iu)KT0l)Ra-b^`6kY0;_x4nw9v%sPnMPF@9cikSs6I1+pwo*=(^U4)6xw5*wY= z)4u*6WA+9ZDWeknQud#wi)(r|@LyXtbczOl@;Tc(_h&$6&Yoap!9bC@0J+8YX>b76 zD8Q)q$r{%J)``~9TBUZzs?L8K$X6J6Qn3U3LSEwRfX^nWE}s`g$jiN9534JC89FNC z_Zev?nD&1JDO{`V|g0FS^jVvE<84F|KG8Jv~(J- z1HL`t4LPM_EOe!R)7!djUxz|gXa*(8njnjZ^bR1a1UwKbm6mCms$BJ2NL;ruEKNF* zNYZ*hX5MpiCbE1e3H-%f-2@w6b@dYzSN#r{hs%Fb5J7;zS7eP-RL;9q2;O)xW>FzD(CCZ9ELbdS|YR`zEd-pCn`0Enz!6%Smonp85J$o<84iw2i~m z$I=HwD%00-TW9i<2B+9UnSrW=#lT-CV&Ck?JnGZ@O@5!d?zIgj`Y;=5YYC9NVtOn* ziO%g@3oVVcNtI6vCvGH;d62KNlfj&u)rKT|xIpGi_@LLDmKDn4M(dcF4V~BgTp|v! z>4^`__|CHzmBLum2d8e?a8dEs(pQr73nQeeW9>x3OH)Dqw~6Ml!Gb)~U=3Rj&!s1b+g2xBa_qzdZ>W2rNbS(rU!#YgNTP5|}IXe#1Ndsp^Zv;0dpk;ab=^PxfF5Ul46j z6d{=zXNX)$9P=HvvLp_jY~5>5{%_o6R;}qlIxV{2by(1dv=^3q6b&}iR2w79be3{r zq#Z#4N_1Hl=?|rb5nUnjzH}v=p~NLUhTXAroV<-ZDX0FwejZvB9>iN^k?T6;9wy}S z-VOb%I)RKfpGVSi=27W3mP?IIsq^j9M|y8KlY|&2`gN7Tb0AKi39z??(nTsUmST~-nbzsWE?XUAnCXcu^a81kH{f1v05&_3mL7JGFF z>ezu0*A?tMYW%%>*M+&+J>{9Pb-%(ePXBhFc>!*rYXLaE=ufnsAwG>P(ncGn{fwvJu+=xeGUTx zfbb0RzV@p`o4%-_n`?fO>v*s8F-P=wK_Vg7fhixhRY1Yc_s`Yh*G)Wa!M6*tD;vYj zrlr*p-sW|usj$L6W5%kk2^L;?4gtsJy(+*_X>^m$PVPpGDUlZ&j_&hJ6|c>Yt`3aD z$&KUpNHzZ3lryer`j-Jq?N0B#*48ETCAb~c7#Rj?LHF$;d4c-{BW(bZic2*2*2g93byqjgv^nRe=OQzPcfTZX_tp81`E5p4Or8 zsY%l$u>#1i7`Y&zNT4C_PkbSh4_WP*|4kl^eg$v)m;Dk_gh>}IS(8Cot zjV2W;IGK43vV{6l8(|LHk)yk=NYipHN0SqyNUY+2-?AyjZwqSXujsnv$trY##wSGca(@?U{Y ze!_Dw+?JvrfSpxQ`v${Q)=X>AIbse>aH4H6-z@eQzAVASF0(92o_-6w`nvY{l!iU# z$r~B9$sva#O=6o{9GRgu-j=pZFTxZ&C$IS-52IRwo0d%f5ELr@V8w(nI_R?*`_sR# zzTd7b4rMk}LMoMSvI!G)uYD~w#>dfQ1gAuk{xOgkN)lG)U+0XiDV{=d8b+`s#Ra6W zsTn0|CPg-9Di93t#lC*?vd^H-ZdU0C;jrQ)0h8Ms)(N{y2H^O(s=MF9vAT5ewz 
z3T?tHk}PUQ%bZ9ei3hc^PvNSx<9i^EoP(jQp(YQ$=9?jSszQv1ucC(RP)FQYax8wq zFJ#J=Q)&IK#?`l1%EdaVK30SUvu9bY>c-7Wm~TmMy(gk7JNvyDB~Q)>tCCWKJ|Gab z#DuDLUqI%Qc`*_-PJP|+eKjYKOaTu<1MnCV7SXN~(1D|IK zuHNyS6ID^>p`C!>mrT(X5!U#D-7rHTZKXz4;#&me!@#HmK9xi4Cl4@td|;#C#OySF zg>Eo6H@Yl4Jx0m^>Rz!MDA%|UK&t7)KPeo)IegqvnS5X+T(oOou&r6ZYk+H{7!l>B zjk`-zLo?AK&d5RXRe~>&5P`m>Dvn3D23nLLin-7lS*%b-G}?HXc-JOpA_dayo0Lm+ z=EMYyM5ls0u0kz-UQckvpd3{$F-$hO-%50%kuXn|mgcw;TPo*nr%~Z{)>NZ3MV^yJ(1CI+7kZ;C4|cri&%Q|ih- zenyO{l#*+^I3v$4ula{a)3+rWJLd#zS{!Qm>Vcc1Zbn~oYDbC$mjPNidf>a4&lW5X zYpbRdg=Uzxj@mbbfAW-%TpsZdILM}D8&8#vE zRyDCB30ak>g}Y9Vbh^m%Qvup;#cbR(%SMEiHF2L=%4;3(anTLiAGbl-@x&&UwLdn9 z?s%fnTHVr9W1-%*Yqqi_7zm$6sCJg*jT%oondvoU)RAmDS2jcHZ>K;cm2R%}uK^Ex z9amW{K@lE8#8-+VSVr8!3~JHA;Cs4*O{d|JRHt0q#PVvDKwYdCx&rqFy(pM#hs!1{h|gu*5Pp)kODrZN?~nhliRW-GmGZ0 z>bSo(&S~Em%X~qY^ie9*R`Xijn10f0d+C3Ydp)_7zM`4ja7mNq;4`@P>6oB@+REv) zmG;-z13G#Q?}XW3y6-0wb=^+z9kR8wfE>3n^gEwp4Lx4v`0QH?h_v-Ao4WM(ezo0iro2rZT$$!U4`)f0S%cfX)VoFw~`$L^} zHaEziOLNl*4PbuBa;NTT?(Hal*fh#kKQK0eei~t2$l?7*@MKZ;DgMYFlz2yWlk&+Z z?nSucnAZ%}TWGr_ynm&b?kvynHfo0Ck=J#5&Nyi`=l@u812W`j?>1!69%Md-ymn`O z+#I|EQGU8#+5&A?vYRX1-Y!bo(f$4GtkdI}a(XnQ+C}g2&zT;8?t`lfOmCm1g+6xQAMi12 zBmgJ?NVT{*>`ywIA@$!vY(7S!v_f?cl%wKh8t5zt+_0H@_8 z?7ALasG3`M1AW0AQ%GCQeoGn`N5^Sby581DtK$FOjugc~Af=l3z1O{Hr5Z@5xBT++ z`XTLQeZSFcX_5Ko7ilV0pNP4%j{aa_E?QoGLz{S)JybQA5v;^pH7~O~kaO^xGeEH`bvd6%v_BvwyilI~Xa5EZe$C zj?@oZz)Bow(`1o|=TRs|w% z+@l;MOqOz^fqsAS<4?N6FlJPy47^&E|C6){phpzy;zTX3cSxAXHIf2nZZe`Ez0Bqa z*EPOJyhJv!H#A-83r4XG3EWCl5`CT5kSSN8e6)j>gJ-u9wiRT(RlhH611@*@L|xZG z1_b2JX{^{FwG$h$^dq~J9X9J9wL7N^K2uH)PLvo$I&o(LfZLs~~Xwt^POS@umt?+J)L;@`SG(IMf>>l+8`YrsDzRPMsT#0cnS zwmiivCjMv=qfl+igsxr~dK1lbCFry+f=l>8$@wF@LuSqXZyz5DLHn`q}0YxWTFwLSV3*vHhC4=3jhZZZ znN^zqPjP#H$TiqKI}v>T4AU(Ck@J`X{JZYi3FriG{|GFA!w{S8z7ibRdPaF=zb3+` zG7~`kx_6y&F6ey)x@M=t%+Yc`g3MmaBcC#!>hh?6PEPu}esn#r$8SNmKUxTE*D6Qd z`+Z?d*!`Z{jM8#9b>-(X5;wYgbl%d};T`*wuqP*AR+xBqoV8rt@{Go4SN|X)bQqi@ zWzX+6I6jViq-#92`m%HOZ%aZ){x+5Kw&cxw?)VsRMQyL^ 
ziPegq^WMvIUAYTiOtf$7^l-%}aIjIhv(-BfyUkD3w)@!lw0Rn#%c)_$r*arOS6eP1 z*6Dblgs0bd&X0ZWGW7vmZ++q)-+XZaiu%>-JD(UgeUYdBaMVwTf7BEA^#TnZfyYYh zx~*E4NREWJ07v~-7pto~JC}~q6EQhz>eBqGK>+9bUf2tkOB+zu=Tv(9-7%q;luQbR;K3_Z6x9M(h4IFeN*A0=&U~4}aFp?s?T}?dI{L!)7nC zdgZ3%pKNva2Z8Y-i^M?pc>bW6IW1 zO(82vb#338^i}($Qn@|||7D0^+~7)xD6{D}BI!X-$CUZyBu0Prxl0!0^Kc?w*|s)K zSUcc6g=g7q+%+$FJ>zBr@S>=n8}s! zZ)xTK!|`?HXFsRPpAgxt~!MM*i*AHmF*m2>;P^MgZ~6*0l(#H=?))ItGwbE4JeE? z5wJhV7OogEwv5)Vgw_eOZ1HSk?9n~*A0wahhUSkr~G<^L-}tD%8bvVyAdvyuV8iKl@-1!U3S@;Yv+up z^Trv*QX-M52);|uB{46@lsouLtV(kxfuuJK8*TwCH|unXv|lsTTah_!)PoXpbxX|q z)MFV!y1djhRdj_Re?BXr6%D!1aoRTU>Kk*BwgjAx*hJa+##QE)a1j((LFQ{fL_!de z4qOJ7XE^H6z2_KCq5KGAjuE03BJDBf%vNfp!^F@?Sy$@Fx>*QKhX2RTB zU?`Wx?NC|ef-^dp8N4Px(W<2NS!TV}y>4YC_E_kB+EH71%Bi}0R1)@}=r zVEh=^%6as{&$N~+Uy>x*g0=G{x=HHT1`+$j4D6ZuZCl*Nqwf+*!>+G>WXLUf%h~@g z-^>dSOYxt8RTuC@gGJyL9>E_!G7A>*(8ekFw_yI|PBi}HEAYidk@^9)8k??Po z%HZR;eDNl++roKyBW@7R&v5O!3iDkWP)wvX4!6@K*#4Y+Sn_&K-|5r${)Hez=qP#} z3tqNM(lmIx*ojWpwzi&`Hbcb zqe$a^^$G%^>sm@fuG_I*s+vx&F$F$z#0>PUrz)3v9W{URExXLaJ1o|nji-D#N{8Z7o#vZvKXyA{$pRGc zEqBGLu1=uWH}vNEbNkC<$8SykA?|B8w`j+&_Vua+X`}I>M*3KzZtHnzy3V>L#leZN zQjgQ3gL_B7{RVtn(5A+~W`DE}zw?2?V+#1dxSA#K*KD>MaQ~qJ81kGqzbp3k?0476 zQt0-d6-H9I+3J3O*Ae91cAkk9^gq%0sG$Kqho2mr<5W>2jUa9L44=(bKRtVIPrSo| zSG@`yS(y(HoL%&}9^AzC9M8z58glwp0?*^Nc~Ai}txG+;(P_Hpyf0s5E?+2dgk->k zjJ!Vm?fvC2)-YS=0e>Rjkq2PfE3oc4?;ASLu>pLb#Q{bG4aNESU%yX@sGIVsG=fSp zc7XXnL!i%RSumaFw6AG*v*UMbMCb)@rDU|lU)9)#4&(fQhV^_UaKJR&y{BQ@O1mf{ zq*l{m0T)VC^w;$y+yuiSXjI8P*}xFTA0M<>)gLqosAIeI?6?_Lfk{pg>N36^FlsH3 zbTJf8>ZsxnW*{kU%tvE6E6p_sABT?GH*Buofy4Nk^k&8J46CuCAl;rwNiwa7l5}~E z%hu%~?H=1c_L?Vnipyo!dWYhLJ6Re+-0He^azRStVW(EDAZ@jzNw8La`R3kZW!qA& zBy$!zX_2{NZrQ5kL{UXFGh`LL8Bth$#X4318SetD9ifpT>#(qW7U&2l}=+i zw5bpq?y9tXRqEaT751 z|NcE!B@40b_=6Xj8x0qa+J8OBLP-HDGq|yL?Gw!H)u4brad8#L7RBKvOmckH#4O{ysf|oVxtpEjQoq+D8$#8)WWah93V8A{qfF8R9n_i9#Ms%`6C7@lB}kf z12L|sOwF-@FI=#T`I(w!#Dp$>p9{a9LYE9uVNJ8o{LL!(O22;Q*eIt=A(HF0%h z<}lWx#N|Miz(0-?Qecvo{&I+5G8a zv-Mo}lE;Q?X 
z?(Njy|LSx4&zt`}K&931GW6it|8|M@0KuK#FGiy_Hh1%3i?mgkqAj<3+;D3j_r<;~ z5^%1N7PwbJ_^KuC=baPOzRqV_NZ0wbvkVPiti(Ky<`aOu=_k^AFmYt*RxikGrfXIR>wX%@%*Z6P>o)hIb+d`W^}b*S*n8 zn6xjbZq0|thZnqVw>O-)x@FHff2SL>W5$l7_sK$?Z;EBfW|k*2)t`gj5mAx z@#&N6hUW(dy4DwOx3hi(cO;FjpFUc?OUsgKB^g}nN` z_w&3$E%zo*y&XuiZ*fyrSm%>^RXbm|tbILu*n7Z4Q)Tn6kg zdAb8;`z$}vzLJXMe6+tto&rSwQgdSRgQxL*5N!dWfU>}Z#&0cgx73haKr(-jA9@M= z!jWpj$&{>`Cw>h3M>+pJ;z<68+nAAoExv!T~2mIm~R|TMU29*xOXBAk`sw z%b!(^YJ`}z5E<)wcYP1UVkn^&L~rPfyLiry*vo|tn{-ZSiQec(qal5o4P*}md+I-} zY$?-{A8)F3aX*7h4H?+!NZ!1~p^zi{Q>0gM2Fc5Es?3Etg{iOprh7K#w1es7ItS^M zAF73mdz(ZIg#9F~B2W1Zmr=}Q1k%Vez~c&|QCwe+*w~l>r&O|KJ7l89$fQUib>>#b zahWKb5(r4PuqJi8wiI&cW)TAVyKFwRa#H3NZVaKX7_)Jo~8TnS3B6lSLaW7mxwE4-3od)G^y8{gK z@X0BtU`?{wA{8xvq`GtE3~y1iB78JTIOZAHHkgn_y!ogpA=#^x0D||Gz?s@!i0!yz zr#1|1(b}xzP{xgkuR7;|bj!c#1`a~F3@aU6$YAI|(IHh>Um^nW(6jU(675V<1MUP? zXnvwIkhUeuXobJ>REY^Li#5f=d21zPx8xaUN^IN=c_v`UQTG2S(Oba3Myrc)IsROM zS13}^B|R#ZDz=r!Q_MK@u}6%1j16&dmA3K${M@twF|`;(zYOBt%N+Jbrq0BF=@X)7 z?&%NM?|UYyWMv!wFPWPEpGtZr@s;3AL z6P7{EI_OknTl6QgGtH0YJc+?1s0*q+zsE8Z7hX$?P5!z@gGN~Q6Bmb|tj85YX8ep2 zA3jvuWW7*OBR;WbE zR=+kQ9$ddZos1Xb&8+HWZ`i5l!Q{f>`1_d#Ats%8>sNN9N;hJ@UN>(tlyW((9X%LC zWR-b{c3%GP zSc0A?HENXfD***^?mGi!fNGeAo*ZC@U6;%*EWNF|yQSgE+Fj3Vh1Euh3uN($}Q zaY3MO&H=^be>*Bm$|9UlW)z%d>0V9$(A`p`MVES0H-?&<9|mv5QYqmSX}7ZIZO4*k z4}r8y)ld0K*b}3=rNeeUu??qx3LmUH za=K8bRsPyn%Q^cY$;no>vVTC44(tYNg#3#NScY3pwTUjkmOA)9CSHH1It-0uV4W?ypL zk4BS6q?X3~F>?j<7!PnwM|*Wz6g&(c$+az*yeVfuFauz{el#E{tVP zu-l(Ezh@edF1hONLF#4@o+TN8VmGg=50t$amShJf=7goGP^?QfwEoE_fjVtaz=u^Y082vB0IjxtY zl2*ZM1&6J3D5Nc>!#bMH`sEd$-1e&`1$>vY8V$bQmo^Pvp z8`MqD^IFXH#xBWGzFr$puJNuhjLk#W3hPgRikEq?*z56t#^nqaT?Tz==)lBO6zUyMxgb9 zb%Wr3!Z6g0sN=#kN$bwhA!Vy>=j^W?=K4B(Z)kIyX23SeoDO5rC;>x{0Aq(|SeClI zpf`rcYR<>`iLb{=8AFzer{AJnRt_stHwYtwf%g;cmoG3BmMn+9JK%|t(crFmXab9! 
zLDPe$^ZhYr^@86Yu-~TFc~Y`;;BkTk(A4{k5(L8S1A!J_Zyy%{j*kwXP$YBzWi0ny z2rff>C4Jmz-3igQ{@y%6rvlVjsMDGK`Zb~INL^G|QpuAs{v+$BNkAgZMBbI)8}n@i z-P*_JZ`0eI%Znt@Z{np1@Nh0D;CW4u+jW<5^qM}O)@@)^&+#&KOehcEM=wLl8&8|W ze(7j?3h&KJKJ#rOCSh-({j`Bji1w}TPz^|5WBkQhL$e51Ns$r{kcmuTY`f21Mwz<| z3EN<`5-a|<&<=Sjnu?ciN`A{)%~0hwW&6ltxgPvMUOB8L%|d@XVJyn(tSf=5`eU@3 zwOTT)BmZB_8H@v5E zYgPSlgwBoHJDsRk!jK|%S{i>7?V3HGEfia-lZx~@?FgC@;xObTjDHZpdBcsC3P?e; z6{C$TlxouQmav&*^A#?`0m&Kxf|02*if45Sqp184A;~X0HhL*v#E@!K^hR|=YB0p< z%)g$+4X2Vs!p?n5bA?JE!MqM<(K7Ce63c??!Q#m9xnPoO&*zmsSMg zP2vpHD&UJ+tyCIw;{+rWlBO9T>yK{r!Pe2NNPm8RJ#_7@0KG8@u-q#_1u|^D=6{mv z8HrV)Y0~A~>nv-6erNXVI%yCsSR>3+IwZxd-BfN~VB8lJ|5^2LSe3yr#=beT?u0)X zvs1Ad!@&LR7M6>F1TjI^vpt66FI1g08AgqJlu3$QXhr~|zq{i?xQ97;r5e{_U`+e; zuKP#0q(nJ^KoSwgBP3iY5u`efQTgX6q+ZeEo<0}mUxlTJ`&{Wf7Iny+QlBx)ffJ=g zmmhD|$-EWnBc#Y;9cT(@Y>=Ol>rXGf$|dKmP2`)@-8*R4oad!s3X)@vNUy@cQeAn% z81NQMDMDNr)zEV$JNR()X!_qcX2^(5A=P-AO=gbwTvJTJPJMZDBN+)|4X&CM<;Kb3 z=-07L2ixu2r{Bj8Nd#cZZ6sD;=Kjj2wx-xG50TN!Ks^5qc#F6rfgVF7V$9d>Ui*NJ z6?#>3dlx!~R!lxLH>)LBvawThA0gWKGLg33tnN#^AingsSyl%~z}3d7`xfeO+>GEtH`UX#%#rj(~vO*%EoZ&N`zCz_2mRVwrN_DuRp zNV5!X@GP(Fjg|ykPF*$pf`f#b0ZSMai@tnZ`L<&S?f?3mgt|3zuf-#OMW-yhDr4dhpG(O z#&eabu`WUqJJoO@dWqTR+j&#SpQr{gqN(Vvj%zb+-D@thXZY5oSnu99tCt$ ziV8ACcZNj5#)+E2UaKaXmR|VZ0X!BanOk)NAc;?X!!D&q%2t7f-@oW1ef|I>&@yJS z7{lA08z6_v!ROOE(Wg!QSD27fV!k8TN8<~Sdx8Jr#YWe8HcG>;bB#7k*Au9(A>Sfq zFO1lsyS`s~bH(|#UgBUI@XTS62aI~z*0avT;+f3x8N;;!(B$l#y-jigM1R3(4Q}ZDbFgN%b}-jnIVa4E{7|M zh8a*F2j6Y~=Z!-DUUT#vz44E&S*6QPxq!|ks71le`q2c7D;|$^F9&g%Y)QLAR*m;Q zHOz~GuI`o{C8%k@&x?Ta9`%5`ps(Ba#UZ?pkIk#}i@ty(lFy$zH+(I#HgQ+3$3Oip zd*FuQx&{jn7x=NUObdGexM6_3@Pk|dpACdsy49-rHc zfHj*9))jBlCp}j{SuL70w)xV!Fv%37X> z@v4Onf2Nnri&g%cP{Gio+x=jjP^eWO|CSVke^xU#3V_m&2gA{*G~ob8pdaT>+u81% z7}6%7o;7vba2~DJ!Hdz3`zFO~mEW{1jkEo_KEal`Fzj3UUx3WwBPeAuX_y1M= zM}VD$?_4JM^a!xd_>=V_AaeP)z}tUBzqA@Sz1c6_O!X1q+I!yTYtt%lsn_cwpcMb7 z*?st_TH?2V-nxrVH}y`mbYCS+jrC_*YT#7awQw)6#!Ei2PBTM_ei{1+H$`3~D0VFe 
z_l&xHd|5ZARwp{lEyt)!i>S~YhMLCGrSeHwJZ2pFw12I6HpZ%s>-a!l3Z+E2z+m#{ z9#^gQd7yk3^9~Y36eIdKfxfKZS|^fMq;y)8=y;}*W0sERk4F88(0F6NWt{0enr058#3d_oi~Vb zC{dy{;@wV!w;k>O!eoa=g^Q&&JEF#KrjeRd;MI@jjb6AuWDYz#G3qh0qQlKE;GNPO zm;wihW3!Mv;hjUCgcJ4P$}In#LH$v%Ja5aI0^PiMk^Hk#G)#y?!s&gCA%iNsLz7SJjyuguSz*I7#3N%3A-Gu!+ucPTy__~+C|g}h=yfb zE-?p?c}+$7;wm&>WC++YWN^%xgR5rtY(!SkqKd<(e<5dhUvqdMg{!w@WLv^q)MbiB z1?pqJ4f+FE;65!>fmOE?yxNEv^cen0tN&%E8+rEv{b8uR3w1j~?D5{zX@}$3l_b*0j zeCnr|!2Vrvf(mx&4y=k;w)J`l8Y_q6BJ{FDlI900LS{P2 z$j>rXn9YUK_%%`{UgqPH)MO*C?goi z{{}7tWAHTu8K=w#6;^;#y4RZ))j(?J8DR73tcBeZxbMuMTvt*}EDGi{M!ZpRdD7g7 zwYW0egq3s~%_8DrJVfn3M>vqQK;7l$Xj%R%GRrclc6?nEZb54FuuDxR*8!T7N#mJ^ z1YO#oE=!8ZAn&a4rrx{;D~NJTSn6sGn&?UHj5Jm)TYRjBXq;crh)-43>Kt3b9cgGd zVzXT|lPAlXHZSM%KX8qPP?kVTNt-~8lO&r`&T}k{HoQ{;Sn@-V_IHDU`gxIx4 zulvsz4c+~Sk@2m`LA~oEhkqZA?>aVLES}~!VY8bc8^;578Ukc}EA*>9FJD>GPI?{> zi$vYc8SmG$9^1WZN-pY~4_N&;3T+-Dtsh%q8V1Hd_i4YC?SpwDexGv&ooqmLW6E1_ z%k`Mxmw_j0S~CMZ^H*7Hn4BUdJOK_Jij@DLm`2l$$?y7jdI^$h&^1>X9?eRoN4 zqSvdt+9;rXpCh6rlG1Kszxxw##i21fe5ys~zyQguHr=hRJv**;|Vt=;@h4lVZS0+fv@AWQr z(#^qr*tx?95K@?=f8KfvK9J@;;S@Ni-ca!SoG6R3pB8-YZ}QN+chKdRQDFS2)z}t z#tI}?^}3!zzV!BeDlsZP^gT@|>)E_qgip_^5Oz3?+8A)X&WqwYnYdLnpnsP}c0-mzw0{i{~1KfaZj~1`9-`m7G(@)kfm8+EV z7zK>V-s`Vm>D+M1WmxqI*ZA)=SR#=B%VgJBE!zvH{*)mZNCtN#$eK0~Z?#@>L0Y(E z{4e^SY7oVU;}v=tB%NxWdyhBXRQmVA|FIH+3^^5cO(xY8op$ z$yt`v7ARyvtV#NbJ8#8)Gq{!W3K%yuep@hwhP#Thf{j#(ckyq+lnUff(34QPHqD|7 zEef^fho5s8{FVO(a13$_oqE=$H`w7Or%c5Rd*{&0w1_HYxy!VuOMQCSj9;p;TO%Sw zCb^rK3Cv9b=ZD;Rv7stz#Rq+nQ1Ixo%y3!Ots#D9)Rui*Hw!pHmX|(uKFOjPRjzT- ziDYu}&tOczM0ILMIyv$*qi z<9Tpb$t!=Ez*PMB?qx&<*`G$=l#1gMtL9`)$?X4&nXMjWQjPVKYAMV@{)r0j=z>oI zWpFCO8o^h1aE?O?UWcCo;x9SON(;U*oQk*ZtW}CXJ0+ZOQg{T5`eN;G}HI7m3Yzeiz#e@XikS%v=}1weD&;Vq`|Vnq$IPfXzS24N?55nB@A0c zP$K2!!syWu+bVbvaFg;bM!TSnEaY00mtySbR>a2P2|qU(qbds#OpLYD_)wpGR1#V# z?BPmHgiGgq)$CSzgZi7{J>jtl{#1&GYY@4TgA%4QT|XmJ-MN@}<;&k{lR_+>-MPZs zL`TEt1PO}lrY3Vj`4+{QcQM5?XiM&ZPrpl=T$PrWicZWf-Jgd4c+b4$;G$akPo@PzIuc&j 
zCPXP2@0=g~W}kgPaf5r6%^N&0NXV1wJ6tFM*g<7NO;nI-Dt=1<`u6kXoeC}k&ua4& z#%8GvlNX*u;+wxM6Y9p~ygJo4#OcZOWidC7+Y1V{hGgX>l;ULGTGcXogk-c|j>RHn z{i`y8i`DLqnai|2!jUs40H@PR+j#g6y1YholR0e6IsXQJIV3%j)oeDY>OmRmB&p7% z<8Y4$A!+Ohm^jnQ5i+Tv$c!}*nrY12itREy5+mX#DyL!jnfOm96K!Q3>RR** zrIpLJE)bIBi6(O2)_P2{PPO>vXiIJ8Y8|e^myXyA^X~%Btmq*~a~xgW9CzpZEDvo0 zdg`_u8kk$yaqXn;RY{LdUsQ`DBc=?OT<(+qXG8@cfPDe`KsN&p1zi9Ey~(fbz|Z}N z;H_`sS0j~3Kk^TwIpBK0ZotF0y51FBhyP_r93*;*btzcp@8LbpgExQav(strVfb{J z;IVzkpXgJNe)Ar+3_v4#1CXTI6349d@uBD4wG9sz&G>#Uv~cj;CX~&xD0n#z(ck!7 zr(Qv6;A{6BH`o#SMg(}bFDI<%&x%p5XI=YUkQ`4AEfcLY95r}(V}Sk8>SR> z&epa|mG%5BcnyuJ1Kc0?aet<_&6U8)l`M3U!sd8{#yIL)Hp?~`O@R5uq_`JQJYoXP0#E=qrG3$3b_7MBg0=U%X z-RgQm3-}zq*C6or5@V##t2t1Q|2zvE*U=NMMb1g)hZ=EsU z*wIKI=p#4-t*_9z4PgGzj%}jyLp1FW{pOGhlD&SrXGhFS$5ZNZTaS;KVcj;3MC+!; zuIj_mWVGE%_gV3agPJ;FuiLtTgWmpp%!E@Sd52&`Iffcif z^+}+&hsjVD(&k0}1(t2|aOMl(=@YQ6`*MG@SLSjoAlP$Yk+tX`;2M9wlrTgoVD$C9 zlk0Q-K1041yw&{zvg`}q5$XM;z2uw;nA3{Eb&|RW-bZ?i{z40A1aj?g0a0L$@An9c zehF_5<^UtGu0N5m#>zKP_nebRM4JQ(dPs*Q|) zN2Ggd>QZzTSv8O^HCh%hm=a?gc@fU6MqcMXNzad4$D9d8S=1@m3B3d{m{|gvXW^ZVaboU@Ay`a9G6{O^RPW`h zMwQITd2>x!Q^9#5Dr1n~ccu|=F_*4xOY8{@X^tf^32M-yqov)lIkHT^<*Mv;XC&SJ zT+oD5<5WbfFTQ(eD~abA@>P`DVB}IoD@k2})RMh~Ifb-{i#zpKN>MJkBOy63yrKu!YkY0G*+9^F53PC2|jhn0iuBPNG@pi?v$MqL|HW{CRT`| z87KtT&sHVLZ`fFf2w;QiS;+6U;xU;bh$Hu!T6Gq) z7QrMbyH?MDxB51oiB?sE&MkE_5q?rAyc|eD{aTaiuz2JF2`gZssmG~NkfalbB901e z`1>;W6Kq0wr9g6U#U{m2NXcx(L8OVr1phuFaA6_9vO#iRb?Q1kA4xHwJS`Zp+2$>@}!iL#xHN9hz7jo z!2APeC+sZpS+h_rZ+R5#p6T2!nP^QQZU z*IB5KD9|^?vzD5Mqy4htRbV4v80i~p_>KJ%`Nn>|DReVgtxzkJDV46xtbJjJpE~!b z?3N|*=_%Z~`)D#blKHj)gqovRU!jrJWK_bfMrjULO<);OaWt3AwRe4`^9a&rV<&&eM`we4m z!-wjxK7a)_OsK*G(Hkj{x!w0O;%msMgINyqFA@W|bWzg|Fl=)(gfbMgA9gGqEG(v0 z7VF3#4h6qmzd=IRW$mIhM_`ssZ>mOFghn(?ymKWlR!SIyyl>^^CkvxdAo}~26uAO- zsWnD=go<#Mr>Y1`3d1DYZ~1}Tz0@J82}0A6ng+X$X+(ZVpAvP%WY-2nu#l`twsej~ z2Fk7TVjUU?uqt(4sS-V#v;k*Mda8mI)P<{r8;`?(^;+SiV~DhaRHgii!=Tot2(SIq zP}cJ^Sbq%TQ_pJzsNl&no& 
zb5JAR0!1!nKjVLVY4N{K-q5K}7Drbqu0!1mURgx!DAArUv+qevy4vkIcMVC#2v?^SOP zyRusE0k}8;*CqL*k#|9Z44$`z7RnD|i7Qx!ho8@FcC`VX7cBukdw5wgId5gXO=EzM z?5Ed}S-#h#$!qVMyfTM@Zm-#|n_l3%mxO5%!LuvJ`y$LFU)#yZh3->h+fHm8Z5ig) zO?QKn$EaJH@8w!>T33kWwciUr79sHb>Tl-vQaa#(;8|1wLtp$M0I((AL;Bo%_V9}I zII*1ddsg~l=Su^)N2~7dRW@9=wKsglqG(@pq+s9>m4&GDGPey%*=^3)W;mVntfLrk zQGGD`&dt7l2;#SB<|3on<)DYKV9*WB8-44O%zM8+kHX*j7}uW6bAB_T z%qXLo4Wf1MKX3SIQs~e4_~f_m^FDd8UuSX|TwbjXSe19U>?VIdU%1KY;xp`Xbp%E% z9y@fx3FS0xQ9Q(TJLZ{9={)nKYMa*te4fre{HuEU`i#1A7uYZYvY5r>^>kd|_UT*q zfGY&N=5<~AY?OS(93ABi2Xv=;eP;DTgjKt&-cjcGY~E{JeXM?9d2v+(GRfLM@&%>V z2-1ii4xk{bY&+L^Bx;yGl3lK>!s?8M%DgfxYmWW$n1F&)Km#`*r|I?QtOf=!0tmnO z2ix!9z0ar#7h|6eWk2cuk@a2Se*6pE@8MH|X0~@)_pgq7b39-tG4!5jaSz`}m*9Cs zz~(gaSEDgbxfB;hsxo#go+d3S;)`l`^}9S%t;gU`%8L@=5G~iP zoc=3wTqPznV%ZVdXjLbsk?BeA<%e+ z)Zxs+(i&6*gFTri`FL2t18kEU31Y^ zY;sPUlDP2Z!*ON2PyOlIVr_b6;%BL&!wj{UI|OIIGcKy&-NvojRDdQ%oP zvu%}2Yu1+eP$By>0LPbuer~8W9&Lg+NE@ct@~WFJg~=99$V8`Isc*_-tZx2Rtk8Uf zHWRNjc*3(1x4JX&vJ}!nKZRABtWquYR1@~?(Q7DIwS-q38n|EogKYYbBZE4QzhLn2 z?N9Y`$$r8%vC zO-`gp_q>m#;0Yi0D?v0*hTMR;HQR5)&lo=rbY{wR2$-c3pAm@-cb3tA`SDTG(9j?)A|a<;mtf4 zVAuc14X!fFDQ-LXbpOI_#g;3ktgnVI$~wi<(ugDc1~Y|k_8U{z5}@?>TR*GQL^+DlQ=ZC`SbhL4>pld4&9kW(wkguHXdzcUC5T{-VXPAV_4efc(oDjQoi z~|=!cn9e+Zpse=HrDjS#1eE!NJZA$mWJz*U!$mjMi;>k{Gs02cwJ~c+JE_R z)iQh2CJ~%P!EjD+Q+HKcB8Q%XyA7%*kBqigN*7hLP~x2#5tw4;*ea7&c8g3> z>8F)z;yx+)eLBB&Z&KXbEUM#C2 z#M1sooEX8(&xFXD#O~_DbGBg{|dI=Xd;KXKRknmpG*O>kseCMzXegi zRVOX}*M9YkpkyrFkjN11uEa5QAIQ4zoQa&cE^;$2wOY5~UzMT;!FYzs|0l1hkefF1 zf5y854A_4_*TGX)KtG&2C!p8olP;j@ndmgQ;CCRGys3aFkn?fplky|wWA^exf*4(_ zUl#N8H{c|l_2un)viI$F{^jegnv#&uqltjTZ)3tvqFdgY)~;8FyZb)(Nq+K8!g|AC zpgT#&p(pKy>$JGc-j8q1|Gc*2tES7oT%hlv@#MNi#6Kb@=OA_axssq2I1h=`+wvGi ztH=GSHs*KoFH1v$ai`IHg~-1Bi1Xyw-5Tf(0W26+u(>|1RpP2)eg9DJ3$Pqz5AZU+ z|NBl`nvj?Gap+kQMkp}2c~XhsAX)R6V}{jnbjw?7@3_C6l%vk)(lcCrqvuKCGIr2b z-S8F6$&JUIMXz~cbhI_2J^{MkXv}nY-KAZ(zl@`$j@NiRMug?Vg+r|fyKf&v zPV3Z#c|2Y_`*YRZ?lU+zbZPJR+(min+a0~c-^a;+C+4U983B*qpV+W}KR$?DpVS2T 
zJMa3186PKg8YT4HKOjbXo@L$&qtq4Z+Q%3^@)AE*#LOEXv>!0}TR?E6^YufyM_un_%2Il z)xF;4y}Xw_UGi??K3sq7)%5Z1mHW8Y_xel=?y&B7e}(#Ocau{WV=78qHO#N?Jgld_ zT^8cJ2OiVj@JWpj z**o$@if$WEt2kH9Ff3364E%oAMegv91y%oIn6rB%27674V>SZu+7-W87vP}5QK|z? zN0_#g5ODCoY%9{g(fj)H-TH(P3C&!X_$7I;at_k!UXc!Pg(b!OU>wK}h3x2xG+7hr zm+btU#cv!!QP8%xPxi{?J^)L;i6gaT*~z3<<3EdMiUfwH#%fM0whc!SbIg>;*PYFj zZgjyEVr8(VQu0j*sW`EnuK(hb#i7NI{96>%sX=Lkx%3G_Vo4~j5~H4zmCK+-w4m~4 zz9CDhc*j;ki$XFuD{2GPCp2cF8L2T+eH&8qnbf34@anb<>ax&e53w~#$&5-k4fC|# ze>C&Gsp-K_bM#S+7Jgw8CaXe^pJ+h}|E-TU6&-buFH&EzpG%2mS#XsXM-xn{85c!f zbY_<*i%}*T^X+{Qq?^O^9LhZ&@wVHPZq7|!B;FpXS63Pc#XtCaAR@CTm6ecXiS%8F z9NcU#PiIjH%f=x`3Z{rEHb*j5Z`0H?%U&5`Q6T-}UkRqHX(`#jgK{adMw#i{B5|Xw z7=}qAPCpk1^QeDu^w0e9KL~Vqze0`EMJJ^BWpRE|$BXo`RU!1ykP0_yI54rVSh-a| z>PuvdDQNKg6oIynKO+eYbysPTDxs|klC+3at6Ch0mhwR_89hUChr8>}PG}Sbt9xKG z(J))3B`qHhimpkMBAfwt?L}7jup59CXD37M>5mto%pPOLM_BL6rnzGc~$rt`f{iUkg9W%PU`9Sa@a8i zYNeMPlLA4pD5g8LtMYz`HY~3A<QD1Tp@&NW64oA+T7oh82>jSBpv;)ntvK0O%^?lBa4FP`O)b)MTcNlo3>i zz{mGTs=(xw-O1aSj*a&lH4EEjh8rPhT+viwT#HCG}4exJcE$yF*g~x6n@@(1YDLsTLE@p_a(kq_r`Y70A&w% z4}w4!L9X2$RCjJ$H#EIaS6d+=qmry^5j%MT9VbyX8{^5FplDu26Rsddm@F>2AJ~;- zY!LiAXI%iLo<-TvH*pP&d=_QQBX{&!a|DEyDy7R}+3Q%@QyS9vteR=-mK0p29{bGs=Gu+?)8x2gT!O%1 zx=2bq>Y_D87o1saGhRt>sY-h_Do9V4>=wDSBa#A}7dY6umF5MqajPp?hIDkiVq}nP zTxflTlXGKAI&SJjn-pgltr%MFMo5Ul8OU~)6F!$2*8dp~JKw6;j~@V)vjO~I**E!e z*_sGg*Z+oeDPU4Er3(>X0xt#E`reT4zS$zsgRE5YLeS3;AG6zEjN877){Jl9f!qx* z0Qy0j8UN0}AWxgCm$n8C{S5=RH__Bp2Pw26gROx3XNev3#r}jchPH=Ud#@KehsCmz zs~sPw$N$6BIYvhsKihf`8xu^Ni9NB?aVEBH+w9o3Z9AD56HjbUY<7(9oAbZto^!v{ z_g<^tRlnM`>)E4cbmPFc`O+j^zs4u`_ZQS@zuWwNz0Nu=NH(whKx?%Pa6o(E5ryA6 zZu!#ZvCTdEXCO*1=&x+*s)*Iq`|e=YTe?iIBSado{k{Uef8bm>lA%s*zH5)?p`lH0 z?z0uLe)UVeqkQFQ&)4oCa8JtXymuUz^E@Dj5AruA_7y}y2k<&M#F+-V-|ePaA7;49 zt8+@}|31GTK1Q~2iFdheIC{Hr-h?=hgE+5jbz8R*dADEx4nNwsS_-tiUc!1!2dIln zyd4A*=IXsYOQ80ry){+|Uj;wHA-10Cme?o2*Za)P+_ada=oTK;Y>Y3{ZkF)hk}i_?5# z_Ts%dH^$~y>jJf26$*h~UO&<;YbZugi8y**Zk^Kv2HzALUs~yOI$mAU4(+!9`ItS- 
zk^e0?$G&eLPJJYd-F!?QIh%MwLWhtC$s(0W}iLoum}x}mLeQi$>Q!@ zmCqz3cToZ0-(W#Ge~@N>8J%d6o;|FYrB=6mva}GfQgfLwX0egE6%Z3d=R=42);}Q& zm*-E`y~fDGUtua{Jmjy6FH2sbV#)1MXI1P1f^D*iYTYOMzEM1_e@z)X#zuKi1!r)D2p-CKs zR+vpO;ZNqn;{Se`iS4A$j9lMmlQ;Curl;W1qAzW7$~~2+j8ZEWMi9g(B67YM&+ohA z5kVj5meQ}!xG9E`nk@M09CW+F@}*3@F=BWJ1CmZo5!#J9g>rd$pge^Shv3Kky(9sfbB)vgtK<(u~*2S5WRg&1ukN=^6Jm(+ExjMdCcuyTz^I793B`B%PfW+pj*n`7gEeSboaL%{1V?C zr5DoDn}JodQ?f-5K~dVPRG>BfOgQ^Dbs>~aM&ijqc+il?KG8>jZo-4&r>Io4V6a0a z^3o(-qwqZx6{&2bx`b8J_B7_Vc**F*(GJ|Ghwr3cqVAPa(06wX(itCea?4o_w`s!LtSDR!>mj*BjTO_AHy>xGS1=$TD<9afwFZ~2d;44iy}eFeV5 z=KZI^?tzQBb*mrC*O|?j^eJm9gf(qupx?DFX4!(y-(M+ejeA3 z+DyHMF3ZZDxd|X90?4GN@sV+xmgAYO-qvg>XWMkw8AoR`I8I(5KtOD3cSt%`!)Opd z1X@6N)Th~Q7|Od`!RE2aySHyu+c3!}87+D2FlrhJX2t1#x~5`m2SM-h&i0QGI31}@ zUvy4Mja(((0U_@oH#j@Z!%I3~a3d|p4XGgB#QI5P)4gBv zfXwcc;d-Tc^-p!V_my|R?DuePZ`bR`Si5^;%gNOJu!f`C^Oh5JHeLJpcjriPx~G1P z81?u5CVR51oPeR<*&VFkMR$7*v;AX>9!uNr(=dC00|(@C!tr@cB4Bw+Yk>-de|J>O zeFY5rniZwjyWV0=+cu;QXRg&qm_w*+6&2)axJAyt@ZJ-c+dS|#l zMU_CrtKy+KTDNAhW;$MM3-*G=oB-m#EYZbvr|k@N$Mv>)^hdfAJ1&$+JZ?kIe6NT) zr}IE%JiC?w_mRWYYkwt-Nihn=>r|G>6T;C!in zYf8H5hsVwvtR5ExKFT=w6lt76ZdRgaDyRhgUu*hWeY{cz-tzgJ-h|S-ONAEw6!s)8 z=@9mJ90EeAY$>lmtUt7~GLO8$(=is@gH$ScP?4JQ7E!TPe^V{hY)~?INHgA9R7R~* z(6!aN@>vf&WKun9M-bT2r&a%w=h;1u?x?8V(B@;RN~6Okr>YPdf@lw2yGdk~B`a6e z`RnJRZ*_*mByy34aQD!K2jRMWVu(3B@kN~Z{z*V**`N7+AS%U0#Z%ziO(PBG>{9WO z5K>sAaZX!OBl5cmBI52CON9^?)nlACS;m7XX9|b7B9k(OIM91pnui$i;&j>fRY(uy z_J^q(cVy$5yssPd;`-uKj>aGkqvoDo-Ok_qK^39_S z3lk1H7OmYbf;&32-UI0tU{FX z0U1)U)5k%fVSO!TtCsamuxc-)X^n;y@nd#PQ3_+t)lGdCEDqT}jTX%^@!inXZ_1*% z7zgTWW1JHgN3;tSWPFNs_wjYfD#~~|@abet%f*y=3s?oY8IePzsMO~(Ns?KrNjEKA zMCXrRBFowFWB}(wgMO{&oiz>OPm#0GQ56K?83z?>7phXkHkgCLb?m7Kt6d=}8p$!Q zG=EQ}MH5ezeq~O|^oO5{lj5zh3j}LYBC3h-jepDB4^}-B)HYniRwrJT`AbsmrOsKi zfU^#XF*_FE&*_95kwN-0;s6~< zNqw`x!lconE$Uw1l`@S)VE-veWd@f_z*4+wd$Gj2)+CYUB*BbCIFS`i7rJ4C70WNQ z@2;t44UE-N!b-{^m!k(x2efB!6)NWEgB^f_x|k!beL{7K|31Acr9!7 
zBXdM+cgT!$)i3Rgrg$D@Ni&TshsGS+VX9O~yoc*-$;y?`y(_BYKhr6Nsc{-s7oY@Lnp1NzkeOe8y!O5W z-;WSaA>zwkL5y&!$0Vu~tKDAHRV`9qXgdX0n6LdfI3ui#QY|>8PiP6)&iI?lgBsBr zl|8eWU>$V_uNADtpajJE%75mT+$8gdG^U^(i-Ze5@~HLx8p)qo;H%)lUzz%(!q;uq zOg>fN=A5j6n>sxEsjeQn@(;C6%fg~U%Q+9rj5SS0{f_H*xjidQ#l=w3BK6uQY~K6@ z#Ymb$;C--^w^%qIo{9R23 z4N+jm?Y2<8UxbNk8ygy1-Xce{o>_#tZ;MQM8-?BnrQ5yMy|!)ZkDIn&2k=w6z6;AM z)oI5-+tljg?J}@y&x&&kC8tg4F(oY(m%n@5`l#uO3B^SnaF|22ta%Y_%DM7Y&8_oa z!wHJK32R0Z(d!mG)wK4bqu=DRKBb%IHR`#Lw7q8g>x1)@&Yk$NWO;)3K5q$sN*SlL zpU0W1{eXSBe3#RJTUeL-8T-wtM9!t~kvh0oYtxUg1 zQ`5MurK~fr>#dQB{{5D{Z}!6}PWQON^d9hX}?)B*!r2s*& zx7Krc%50q{wgCL=Zx_V+Pd8H20=K8B>v{JxZ}+U6J#Li3wtk ztmk%fq8Nnj4cGPBHVw2+s>xmRIANg0;eYJZz2tiFGF_&SpX;2~arlSYj=a_N^@7ju z490%bz@8amdRth8y>X*^6W$iRx5N#R1+CtrYTacxpNN5PKH%lr_Br}GdpTmj+wnLQ zzuin<{T^$OrvwvExAFQ@!C-2g?cF8TByk#t-}&*|S=e?mxTvkcXixTUkOoEDPh&!@e>9|=s5h~M`Ao{6PH ze`{V0YU*^w9|7Y(wzlRoftVs;BSCNR-+U@BJ%9L;$0MSg4e-NjwbjBYo5D%o*i{Vuf58bN~=nR1E7-gy6kQgfTvbUNMl7DyIB zjGi%cZH7Kt=vZ`0j4p%A+-TmZm`lgD`6a9sWET77>8)PCe-0%Ts$9khd(+aI&*Xr) zo+W&pmgSF?XrwWtm<_}(^sW1u;zl86iMEG9!IKceFWWwGZIU+-ea@wP66 z9+ItjusMx*kx7Ds)v>n{NPZtR0{}UT2?~n+AGo**WxMANn)=tX2)W=J1I)5 z#7ncNw0QV%s|ro;kS#G9!;8$Q6UHs5wW}5Rprd405M6e5Tz zpb&ofvL2$s4^JXzX6&-!bco6~)7r zk%HZ!o?2PsRJlRzJz&?FoW|o*BF5vK7&Q2 z{3Ji~u!)iU(AI62Ipqh`t#9RyjQJJ3Su4J)Ow_;T>ce+}Q~9zc_x?!wSW3mlX=M-j z#}Q#_wjzwh+i~Ncx%^3nx`x8tiE`%6qLmoG`6f-g=b1N1Da%<~;XW~@P-sa6E#Ry{ zF7&4$^ePa}#Muz1-V{eTqq(?ED|WkLBb0BQQ!~hTztYF7?B=bD4fOL;fb-%hFqE4& z^|}n@m=b3ru7x$04bwYCgUh=KNxe?F_yiM1%UlKiqs7V+rJMEJetu?E!< zy|@IQq69J#qX`Y}m&hOXR6drFu{`Mbc{VNo5SB##AH4*Xg4In>tMcF%DWOryzpxHJb#%6)$)+ z!WIHS@sEpax!`A`dF64IKPJ{Xn+yeuLLHg3Dda&lzk`<@2iSCK#Vw>q=5q&8`Fjx3 zW2A(aD#hY#nsnQAZQ`Qd1IwSZ7$*FmU3~MA@cw^Q_(LCtTnP28)|Eg6odJ;dl0PHw zNAjJzr@r^#pnne7p=QRrtl5w;a2BNR!w@AT1UCea6co<10`zNx2VaP}b#V5+e!VQP z22mmWGi{M*(*Z5LLY+KzuDsIY61I&XuGjkKq;9Tw?@z7~Z+l~S03XJHs+MPi0nifm zZ4ZZ>daf&)X^cGfO*YfdixY@OV0Pz(u_)l?9w)HDuV=eJy|$gXTX?6n>9O~@5WKX! 
z*|aSN&~qxmpZ2gCSx5ERuYJtxJZ_)7^xOxJI0ZsUTVq^sdPbiO%vx&squ15 zO>e$YJr3itpy?H=4Q=l`f(L(o;*EpWH2WTqXo=V88|KsFZ=T=6Res~j6FK(hZfDzE zCO5untB}{;bIzr9aE-Kcr~TtO#Y~%$n_=!wquRd+S{9=^RSh`M4^^35iz2F2IBe-h*edWdlUOvMLT-*a2>h^um=pL6ew z+jJm%Tfke-pK95;*#;*V_F``M-Sa)&wh;~clgY2S-U&EiJ|I z`5g*L(J-=FW#Phn4ZL>@>mVIqi}=Gwb|8pqmzX#0!1#mk~7TIgL4N)*@dv5F6iTk;Z zQ2m9Vf*|S_fSHZwygFJiCgeM+IO#nNPBPHEgl!T&{^4#+AIMNb#lmn7I&knrU{`LgGsRtr*DBFy*4Dt>k$Sgr)?xjm*cJ(|+UmlaG*Q_7W3sgot8^E) zK8cG(ngb)eQfAcDHzvK~YE04&e%PnC@)Urjcp%+90W& zvu*&~Xl-&G#$Imz5>*ll0j4;WZ3zhsOT4%Oo9mZf0(p?pPh7(iPJ;m^U75na>hxo* zNY_3?&zo<$g;|!|Gj6m*VumnFFfu~PsmzHB_4GHxWt-6B`-dcJO9yOQI5K>?zPW;LJH(}fva zerY4>0@o5okP9U0iwj4Un3d1tXbQD!&*;}pyCtQESz}o;KMgVG9o(K!r;S@`Z8cPx zApub!q<~*_JH4gqo$E5e|FJ{8Mi4(u-+j=`5nC2M1mk1jXH=zsxb5qG-=?5H0u+A0 zV>c+1Nr7&(#F{We97dDZbEI-AaLw?d&DZ@ZjZrVy7TNjoN;9D+sMZB65~0va%932n zNF0XNS=! zt2De7vgL^5F&W6#hKDpCyKOuOUVA6i&X!7=Y2dwn;dNv+p`;Xot}YOpNAWjAc+~u5 zk>4%cPZ#dHUB+t6o)QYjT3(TZRQ&iw1bKk(Gyc6y^+9QVwYBnyMe=#7zS8HVOf@F~ zohkWbxeyryY7T7Qk{PBEjVh95>%q%EWI-0=6nL4DNMA0IU2DofdK&n$l2I_?UO~r4 z{YKY{nb7^^;0my@-#$P&RwkqA=EfeZJnA}0^sPBFem*clP{hiyid)+Zz_rDSuR~1V z=4F{#&q(YBURHqxo7MuKa+SF|N&{2ig^PEi`F<5C3|%E5;2+L4P)bfhiLzeMe_!|N z_`xffI4v>zbNz9GTn`43g^d6ODzZ_tn8%UkbIEslI;;>PO*~YIno|VuHYbNgr$$knf_In1ix%?IYD-hrIx&%-aqKz|bn8-ZuZYoS} z4lZzu6aErmN%e#%CKGAUk@orXZj;wm3WH8nuJePZgKW6|x9N@@?89^|wsW$5|Qn=XHPgqM`vq(CrB?QkeGW{DDEtvXm^7-`>WtA9jkzsch#I-{^13I1<^ zsKb8#I3Iun96msLqCakh_&m4bcs_*XeB5vhQEV{%BLq!f0@9yAANdzX;OS#$y92P$ zN_y<^9&JHw+=o$5ZPc#yjUx+a+k9R#26}_Hn%wow9-Y-a_jK>QVfDRmTzDU{HeR-9 zx7QvP#_Y7;FAi;c)WcJ?-sW)Jv@f$^)p%E*SC#B{%eH;XbiKhfswm}pD*A`s%aYy& zo15WSIN8@(6S2P^tiEO7Y=a*zK-P#$9;Lp!i_?qK2(V}GFKxiivkHmJCr|?DBgJSa z2Q%pJ;Un=*PyOk^MAv)TJJCqcUT3d>iC#kIdw-FhajW(AS0cglhOu!8-PXt5R?mAW z(8K<mWntcJJlx3L{SL(*ufnuH$arwt(4$YiuTPmAFoq z$3>r~_c>04iRZcp6WF_y(22Kf+k5MdXP$RgR+S5YWGWUkj%nRJ;B>F(xV1Fly1Q_f2;aePyIaFbKh?v%`jNy;Ga95D59 zJM#y%+#5Kk(nkjM*ou8(vy1@h*={_;wqD>D;KBj zQAU6bBTMEmu9qa)PrW2~Q!7OoLa=N--?*U2v(_AKV1$Ks+hCHGA-*8DYEiw 
zQxn9>mQkWs26>ig4MsPgB?bn-x2rC_ReUO?4P2JyDfs*Woq}*S!W3`Xc4ULof}Qw48L$|A~3xiu2ghp z_QH@825S?Ot>(a3p)KQ;D5#iv?r4f9NAWC9JBGlG-LAd)i`5a0IiJ z^84kVBG!nt@ttr(&{p}EILFpCY3CTe^>8RFD{FS9o3GqQifC)Dm1HExr@z+m!3n0nWhzl|C!cK+Hlr$q@$Oq(XADxv*V z(sGp;qaKIJ8w6@tr|OlRei)Taxctk1zXCt3$^Vrx@_)PXig3y5LVntfm1xY8MjwVN zt?oqh1`->Al57Cpka5Beb@eKA8rHe^1raK!?`%B5>Qk*7mgituPDm@2D{gKE_dN6B(QPi@jI*2VrSe+jE(BEXM z?gUSu-Dn53&?l>Y>}em85I|2xmzZWs8LLR=oBfUPwjwl}NsUyP6~)}p(nBL?WBf|C zc9IGbC~wV%gmu57c;wLIkD!hsNr(EMlM)mNy3LVPS1+4F3_>t26f z$=97#7O0#f@k~*t{TuQhGi_{O-3_f=oDnC9lws(A_HvqdWDvEDPGUij#rSF=_Y#kf zIN8keYe&KIANw#xwJ8^PrLH7OraX>PYl&91lVUR8v2lEXv{;T}ku8~NZITN$*ixFh zjm@k6Bl1N?P!TMbTDqp@WMLQjaRFpM== z)u z-Y&nAl7c+_@_wjZxk379fw2;nvK_k;pM~YKrG2!)Dop98d%T?{owBKik;|WA z)^aUq^1{|OB@Et&;b2^egpxQxRgqe<%NvNdHo$_0m)hk?e#TzwhE>C_BBELK3x2C35nBr_mB? z)S+V`=g4g)_rZ=bYq0pAatxWtpMki7pToc+@qe~oP($;Zj(~YX{tu9G_8G8r4jA%g ze)hWv%p|Y_pzC_bY)L z6iAfu3=l`*X{RHdzksHt$v8icx6h#E)yL$`D}Ie)AZU@BD))JiO1%q|dDR8kk6E4q zT!nhtPXm4LkL)`S&5te|J)SyK+7=| zE?k~d&l#w&)VaJ~xfdLP8b<4DH0peQd7!>G5!6l+cE}0Bd-2;0arBwY4r zFsXI>u*=gu5B%#>oy#BVchf^a`&7-IK~_nd{_XJf0H)mw%#*WU3E;Au9E9LDd$sL* z-p`at8q_TJB$eSMVN6l+9u9%cYc`bEFYZaLg4p)%p>#|^NlMo2dZyf z`1=xVzigHCBG+{}ItKZoJb!HPOC^r-)>@y(i-!2RZ?o}>T&MJ3^F9;WOrBWh!SG1u z^`5olAa~+vi;}YXO z9J$7G&ERHza zh2itsI}fnx^O~`GcDA9s$AZDgt1V0`o)v>?0^l-heD|ELu?O?)_uMZqOzcP9wn&2% zOUQP|ldlg|z%F~Id(&Qii|2J>oBbB=>EA=Wt{0EQz_&n91mf9siS(9-rF9Z&e@z{a z`PtiR72!U2l4w@Y6fhu-^2 z&cpLoo1d5A^{LkGyt>$vQ`z~`%vYR?n};gYyq@9RX$bTU1egH?H$X^6KeEV#e>B~1 z3nbm3zMBgLMb7GTl*0vbgzb9)kNoG}jV^U5#Isk`%nUp~FRDC2i+R!~*fDL?Rpea) zjNp8X>eh^RdfU_q-$HyDx?KM0cYh>SqP$ft_gv2f0Q9|?Fr_1qrMqcaoG%y>Lb3Ha z^>SA;m!b#SORKB9>F$UfBcb9{ZSnB5DR--g}hO_dvzkv4_-suz_uGjx$LajFw!QESp? 
z&^hYdhXVbneN7Rvge3h(d1ycXDqj)qHgiSX#ACx4GW<$&-OwHs@bZ@^ z@&a`Y37H2u*r7N-!$Q_~W|HGoF!Yx@P5Gd)>_{=MArJ3Pmk=t|4+o1!Qcjr&Q#sL< zZ^_V`3nrr^MW2Xdj(vEjVB!_&J_ohuxjl8AX66T0`JKBi_R#%CVI#j2uTfv34H8Fh zw7M&v~pvkq%ifW?Z{2L&E}j`IeOtI&i$|8`S_1GY+BdDqy9 ziD8uUUGO-<)LTf`S-CFJ{bSYtCr}-$19$FDy+V|-Td!Tk4x8eF26b9oLzBL%`q!b5 zE0_&KNu$>MYb3uY`3Ujsxq+0LQq8%MZ)~ zBiB3BJe$XTVU<#|XD`?3B(!u*#0uE?Wb14QGsQN^mMYyinFuvPbaf;}rbq5l4VVck zuXcU%i@j({sirLBu`JP>RGHA_4ubnsjCZ1@-SnNd*q4_m650jhS+CF-n5R5UBYQ;-m51!_nX(A5r-~}(vVUXQ%U9uE=?z6Ao}W3dcQ+%LylB@W3t*r zoe(sg?l7wqX9ZV@(GtDsxL(XbgARq0e+N%;(q(ZbR+DGZ8on8v2AMHbgr$>8M2;GR z>9|?IMH|xiXe)Y?aaspik1pEAs3{#Zy1~TYHxaMsrL;bt@1prd5nom?8EW#QqvnO+ zZCy)Mp=&vEsFO23i_0=olCxGAPL@IyA-Iq$vPp5&VA;3 zUw^4Jjxeq)i9oMceVfgm=2RUWN3^RM8=_RNtS{YZ z^r$PE=?afo|GYOXDuDw!m+57tXw)4ta>5hG_u5L8jHOM6Db196JP;Sr=o; zY1%DkisAXemuZFMe>Wc-;zcuTqVZ$Fa4qlm&@S6Sx<*@K0y^TJ&rnENO#xZ>?;q-O z$`;92L-+mp%h;9F2Gr2A_XnZc-&Ho^os%ue;cSL#*Fpv2(OdP15m-v%iX1D(z8~74 z%+R0xZJhe=@+N_T5YiL>44AP2Pn)v{BtV>B)lq#dE|2mcK_b+dq0CTHkij?NZ!cMI z#CM4Ckf0)5(PBrW5y<2-02c7jxoq$K62rbECC5+UT43q>T9N`X)LY*f!3RimyVEo; z4=rsxtB1|k<<$Qf1TC+D$L$4Lhj{R-*&t|MA$zZNd)oTIt?sMbhreXcJ_4O$l&=};*GbM`>9Qf=}x!pe{Z~xUIovfy0=PidBZwy z?+GHOgq2@}?dvEZJ1+oFm$%u}f83{tD>?Y?Fj;^>KEF3bAP-&JpCUm|$6KI(=3P$F z6#sic_tjr<&i;)M`lj(L;*0L=w&D({+tc;sDg8DsP62A*bjEYcq`t1xq(xH|k(W_g z5s}7aAFSQP3o%z&?$fQ*@Y{h81an65|+G&MWR5NBEp} z*$6xI@JAURt&ls7=3R9&Pt_;AKZ9aTX#gvGt;)kbsJ}iO1QJO zHS*ftcn6UGD#PmD`yi(6?#ERD{`EZ7c-f`h*@YlGPy3luI1a6sjhv0rG69yn_Q-sC zw{^kYHN-#SxVw(UmVHh0D7O5X-f2LP=^F@W3epc=0xDRvf{)Bu!6|RVGdn@Y(#sIo z#P84v82D*)C@<3okno+dqmP|Z&s!d}SVSW96*Teqs@NDr^O}f$0Cpa;TkK(T^!Tol zphESwdiF8Ehw^e6c77bL@wH{9%%lkado?iv`zBGV2&qU)a-}w|qgwC@O!?pe+Zr~j zA#@8_oLMHp*q~YC8E^;p^R))a!dpqho;}4#4fpn4PE!Iob29qeg}>}n4#{XwM-LC1 zMX|VfBD>Uzk!7s^qEUbMQ@TN*|9mAu)`jG4Jq-vmc{asl0qUe8F?J$Y+?vLZyi5me zLPa;YR!yoyrdS52!It?8LL>JVEGm>_B*~E=m2W#;NBf;LUnoVoQ)+g07eMQk)`(j_ zvt)b>XV@JrX;&+pbOssnm;Wjd!Yh^(DjKmcOvsX^ZZLjVZQ6JMP0GR8HNWK0L>HgJ 
z=U^Y34IGj;YZJC4_k6b!GpMA%j2@?5J*5tIUA(2J-*w5*>zD0|Ha^TL=7aMTt;R01 z5wBaV7$8xJaZ@7ms7+&r>w{+fJYHoKIfgD~$VR?_(u)gD(su~OO@+{Ql@^r?P9H*i zGC)9V(~4&xxQW`ZHR*eF3xam)fzGG9ZoQt3a@TaWrNF?^AUrk2i#94Y!$?_diQ5g0 zheBMA4av3hwZuIhoVg~8TbQnr%V#)sjJ6my@@8H8yV-ux$6XpW)|3w2!ew{u zpPN@D^E+sGY{(8P^O=^BER8?@$f1$iCsGJrY2cv_al0C(hcwI>faTInb3&d0nvRDN znj3FKM%IMO=T-!1uKEt1#dxT^IQ$^rP6~W_o} zTAfR&%%`O^l+zh*q56jZkys=b3szVshngridGTmcA1nLRfd6q}*EZv*rm&*7iON3w zV4>i)`Hj#^A@x|5!6SX|TnfPo313$~J@dQKVa`MmCTG}R9pU&t*$a|%!D@T7TCRs? zqAflZ0r`V&Is-mDl4UP6^ZC^_t%nA*+s&hDvt=$4yXaY8VZQS3itFP4xYL2L#3j_W z^_Z{E7O_fJK0_j*J%ZBQaJknrOg2XNBbur9wGFS;h-t5AqZ)S7Yvz9oa3EjdDe43; zdj7m^&Ma^OSi55Edw+ELz(&k1)u)N@OuQ5A387G+b>_`97v@3v?m1&#g`I@b6=H@ z^=-U2NlRSP;Ou!0E}4FM|6W9v+wtT6Ce+%v6JXeVTNBj^DQMXEz1{J6#G8`=^clR; z?_5wD8h)*+zJAf(pf$g9)3lmEtZjeESUjXFyKGp1J-D#a&pFa>y~k`rt;)hI+X#L` z;y-+nu>bg;&Bt0=FTwjbVN4BouxUh{!|c~s`kwEmevRbV`6I;7BVFF3XWKkC>GRFn zl$-#j?6CH*<-%3>{vthZ^6d{dDtIy-S?q zJUfUbSlhdHe%mNXpKp+$tv>{iLzfsdAKjvU`L=s|nU`M^Hx4&fm%C<^p}$`~%j3ZO z3#I*%|2o?4KHlwBACp?^Fx>zq8I5;~ zd7E83yl+=;w=LIM_(Y@Icah33rx;=1)$4S|YF4sA1MG(tygI&%Ux|r9YcK-|H&=Cj z7rXK`kX8~fa0?vd*9bx7(}rBIeuo4?t{d4V_j_I5fd&=3|EkF9mTVtmlOX2} z(~l(e&bMvC?Uh%xb<2w^Nb%oM9 zPe22Ak9icw$_Yx5BcU~}FhJr~Epg#2Iw_{49tVeYpf9VklK)d^NrnU>r9*oBfI;7h zR(XLbs*SvOiC1l%qZu`)YsW5rgk_^a$wkTuS_LYi6aJ-SyNOE6Rjmk|uUp?wW|qAn@{2;KVXKU+j4J zX{pk_M$m0|(Gm!m-qN2-O%jW)THha$|%&j*3G@^S>w!MT#ym?E z=7|7Bm$*3w9km142)rAQf33RCr21oYgE@Zzxc%!803p{GfM^z%m=!=oqcF_YO&#fB zg6h?d3qC2THeI9}JqOO0Q`AQP+C*2j=g=njgXtW5h2pv~jQZ3^_+RzUZDT=_WDB!>!aJHxB90 za%Q*Rzx0L4SkLqgs|^!2d~Hc=j{Zav$j3C!F<(wTN1ndV)qSLbueLcYt(;pUbD|VJ z-fa^n0X=9)$1j%|KlF`Xk-AF~Z5E28Ur>yyqJV3+p?)zOt-|Ei@%xdLLZa%8k6`j< zK0;RI%3-C~WV99m`;V7F%d%WNPAdunu7VeI$<|8ImV~6Q6)KK3^;{L`D8HiDvH1C! 
zshNrM#d{7DVR8q@-xO+HUk@A?Dh8AYNt9CvXp20v4P?27I=Yd{)F>Jhok_~(qZ=Rc z*|C~4>bliTkk)=nX%^KaQn3X#a99JH9$5dUfbv+VzdakhOxwJ-O`G`40UrRfUgx04 zyo`IMm@-8KQpkr^3ETtZ(SLeeeMODT~z|cpc4edmkUjQB-Fmb>`?!c!=HDkW9s;5A z{)_9p#1im6*D3IN;CJWizBgp5>)n6x=DS^Uc4utTzJ9gGknVAXe3d3_X1(jnsOx>5 zvjR0$)!5sev^!q`j83dM-?lJ$@8Y)ax=J`SS$uYCYMoBYW!U)B$bH## zJ5hUn{kd)x@$J2SPXc#mCl|PBFwvdAV}KjbX1B5z>wE4y)sbKS{ul-1ahP9jrT^P` zxCv0X6o`BJaN57G&d#n6PxgA-4=uM4+dU2&w1uhpIwIRAZRUrSt=2<*j3T)Iam~CT>%_nmbkG ze0T8pq6ogxTxe?h%YS$6&dF}?Qz6mwys7Hv=;nrR6O`h%qHo2 zlD2U@hlwiS74zur88m>heR}2b=Y_YM+_rbv`wZ|V6sEf;X5Ki0dc3&3ei-kb>|Xcw zw1jA{b(SD~_f^fu{*2q3-}5@5GpD0pV%y`q!+NQ&*;c?J=gs!LqUGvc=-SR_v0-I1 zj|BoDfB?)PLOb#gkc0=lLR8t}eenE)RMF@v zM=Lh*Ry^!oU$BZL`T0*Bq6r6bD)h1w%hfSP=Sa#v8!K2lMuv)c4dF+jaTTu%SnXeQ zR4lYtZigb|G>C;$=n~!SD~ScM|0p$WRGb^)IK{;K*}qma)~@h9Ojd8wpa)Obm@rrP zqRY^9rJYZWu9*u|9arv`zblN)G-Sh_^5YyOYOz!bJzP2{^7wm3!s=wOnK-l<*8RkN z!HJg@-{cYPsfBQ`iE_*}?wMCb^zoy()5d8&{pgUfgX1fN%b(FJXiVd>II5PLR?G{y zVB5Afq*vK*676Foi{?Oo98mn|6;AMQCNyJNwTc#bOq3(iK!C>aE%gMgdYiyNlezFI zb@eAz1;>VM%!r-I?-X)j+H9pv6o+)utY-a|@!3BpFK)Dq+Mb_c*A~qj<3(Jf$Knu- zfi@mA*1zNtQc)-}3TvIJlPXx?%233Mk?xaaU`f|V)alaZ3`RcnSuvK2kXzjdp|v5P z3{)O$7$jfJ{}>Lj$)@2_4NXt|;V4X{*f3E@Qy3SYh$rHzOQq6R{eQUnrr^lJw%cSf z;Y2gh#I`Zv#I|kQwv&l%+qP}nw(WHH$@kTN{yKGT-ixk%v%7ZHdY|rR6U)iyqq#Tf8Cgar5+?A7#JX5HAYR)T0A@lPjCcq1AYX&!Uj<7qqZ4SW!On2=Bc%n4w!68^Hl_(lN*_6S=|A0S1bymPf{jmeT78U@>MAa zDRURUadC^55&3VJY^6gC=R>-r3#vmZ#xEBz2H&vku7=Ka!8y2&v28hsOxwR|uf6cKa4s^GiHRZZ=di3-nhcvWF6DAavS1(%PX1CSHHq2o ziy!iSpBu~bEPruXhyFA&wqV=V!L8J^c|!CSbvpM~73f5nxRIf~vUGYN6-xthtGiG` zF$J>AJetp8N@uV>I>Ny5&IM>-?Z<=fx6$sOJ-uG0=Mg9XEJSYCie8lIMk;tD0 zaa5A!cuhJ5*hr?#WPPLb31K6iC9(_B;>EjFCOva|qqC4|Mg{p&jQd#%x)?o#y$=6) z*59nslz)d9K3m~bimZN~6J7en?6XiGpZ53Kg0nAVs#$Cs@@HBWLgh-;k&(A1#7~%8 zJ7BR&bSbqjp32;M{IsYK79c1d7U@e)-P?-6qp)P-0Ooa*kreuZ)v3 zTg*CbQIMiaeMqZr(4u)WqgY_X)&&b^rQ)fWt_VU$MGS{hIgDz+hUL+EmhrxJ-#%6` zp(@sSsgQU*E3-z)Di%(WM&UlpWyQc!aeTt@%gYU^?yQ!6FHLg6YQQ`_q9K%yK9lAR 
zDMGfLyOU-D&B_rW+@QwtzsDmf9_o9~4%n&gea_m9uP@m_0?@IpbwFAd3?wdS4i_pH z{yqW>1V(+S)c*4eg*Y;Dv>eC;#KHRVVJ-7X`?wYO!f71=9YzXzy-@2)VIyr z@v6OMyf|U%KtGwm2i$fobI0hqm_E6%_?{qL8d}mzN@l6EzqPy0Y<>_P0FBwey8gJX zT~4xPcY94#RIeI@HT=NVb~ZjM;6m*3P09h?jV7SDG$}T3e1g4)JUw^rz40G;j;LgH zS-jwU8a#b!CON9=x(q3=yj~gBWIazpQrj;6HK`&->hN*1I@Z6O#s?jKI}apHal2$U zw}z{KSu^l`hspEY|C!>Xv(Tb*5=6{ahUYVp{;;xhYr0|GGQy>sWjHleqXOKk;UVg& zC+|Af_;AeFa$U@;Ns!g?<#b1MdOD7=uKVcbz3Q}^{nCjc^WLrko;eM;LA_IWV9VP4 z2$w^5IrB+x*0$bHYbV<~@2{4vp3fECZ;Kxj3BBc-8LFK_-R;1;k1VHnhiO7+tB;8f zytWTwlPygt00uo?OGd}^%#E%w?D?~GODF!;e%rzg&&A`Xizw(E2JX>tSkf86RN#F5t2TjnDB8G@T#eZn>PADMIu-&ECs$O#WCfk+ibkO1SV^rTM&H zpKN}kp3c+#bejN>V?fegi^dLgh z1CS{r5Dj$q&mJ2%zvL@OD#9-mGE^w^X8Q0|Rlx;hZs0Y>Q8NJ3~X7_ET1J-N{J#jLOJqjK;V@<*$(%vk_Cg z0!o{BZbzGka*HquOrJ{e9Qp?Aq`aHTm12}hRUAy2O`1VIr2vu$2Ni_I_r>v1=Y0OC zUnHU_bwZ;D)-*;Ge#6QWmIzklI167ZXuBw@lyd+}T9f@Gg-fditZn*HezgW{)Ll_F z8}0kM(>n6|zj^q^-?s#7eGVLPR8s5>Q_=*RHG65*R~+KnCs5Hz4`L;`G0yBbs1ss; zLN+A^=bfgdUdopOzVE`xhcX#@Mz&8yFZpls;JLL0tf3wJT}#@R4^6C>tCEWeuTtW6 z%52n1Bqpni^w4X*{VS*2`I*DHYk`fl{M@;={hB+JVnYsf(o z6YlMPb6i`5IDgq_1qSh9!njBOcCfUgZ*%|Jaf_v2zVV9Brz(w#c>gL2NWOAwuZBG0 z{7F%Tc<|@D2Y+ZWk!bX{&H;Hyg6c;0zsh90Rw=XRid+MSFmXj)mF#7z!wZQS{A4(* z8T}5k(sM&D0&ZCJ2gP#;+KH(Se#fQ=zsA(GC=YTw;bbbC6Qe7`hG6p6tv1%sjYk6f zBHSV7&kKNlv9B~Jqb|RZ6*LyWxG>hxIxbx~I%1M2A|Op&1|pZ8v^*{;o8t?(tjKuH zokb}XMM`MvX619Y8&et9>_w^?{XCo(ZOruktjIb!%u0zEcenip64S85Mb`VGeU-*{ zOU~dy(mm$%Y=BN8F8&95jpX|)cko&rNMu6v5TNeW<*M`pqZKELzsmg%5I3dC-|FON zCv{@bv}p?65k?-Kmh108YrZol`H963JB}q(12WCo_urM zwI&hKc$kT>;j8#EHQE4@ai|pQGFpx1} z(9+F!^V;`%u;kmL`scMTqho3>M%Kl%^L`()q}lg<7aSYKa&iG5n`h$28Tlg~7&U<8 z5L2;p;61~0U1@#Yb+EUC$70)K?ECS7l3i4@ez$bRTBQXV%&~FUAL(wAd={wb85*On zRNwBYRs67VajMODR0Zv7;%n8x`>NYttt|KGbnT`^zKwH^aE|0Sza5))(&@hMlLmM6 z+S>l;{CVS0xB~u6)b(<_(U0G5J87Jt?3+Y!)^yYLzFe{_f!{nqwU|B2k+JEzbh~&m zqkV8$Fz_;R!tDS|I*Y*baI2!w5+B2VU-vk`w@TJ{icA2tt_xdke|#o`QN{3n z9cJRv_1F@8XPOz0DeeQrxWD_k>ZUz}3Z`(LZ;Dq{gXY%{bN7I0934{8?$%tEWjj+G 
zXa8z4?GDdXagu!jfEwMpBk;X+Y~1#p&P&^jmigUILmTB8xhTP$jwQhPJX_cEG(Zq7 zpk_IgYy06q7kuTNy1Ul%Y?n8?`|POYrAM9T)>3unvkAi2eK?(b%l@_3<7(wZh~9hr z6Xf^_>I9tBoc91yKm-i{-!J`F&8uwx%wSc|1NaktHAv5Z9)g}?nwXjBQT83_@eFw2 zbM`4}f~sXu9;Q_mqTm|$39Uf_!c4HLQVfgeQc0?oW1_(}MiKkcQ2l8n66k}e7wLnF zc1)LYy}#1ZEpyFG++j)esbCNp?bVB{3yoH)8!cX?yof~ZgC4iYG)NWas209b6Cr|9 zwUV2c@+aV;>W2$9pOY&G{EH_SoIv4=HGf?!OkWYng^q_pRH`*`XP+*z9MDR%l^GNp zf5_LMSdz~|c$jO%a0b|L&F{f;Qz=C(0lyzzWJ^cplNgDJVUJ2*ic{UUuW2+aSdF>$ zP7KZaH5!zijm5_z-J5~Q=*?x21hVjBckUA@#A2^FsnRs;Pio&P<4Zx8eS;SXX33d& z5B3>BF$xoZ7mvm>y+kFEeTWh;QA;o8{Hqd>i}+(cbIi~rLJ7?M?voti^w8~co+2^3 zF+w=jPnvB-R>Hcw|KSvQ{O5hE3IkUcBXOL0?A85}M`~lQ1~G2`kqD6scwc2vpWi(v zgeL`yCT*WMr@&bG`ce4SHC!_3s&~zNt-4Mv^|YB-apbSSS&eTkTB`imeBy%Z!Gu*Y zoH&tAN<3M!f%)?k$r^I&F%UsF(IQtwtHUNP2bp^>^D+<_kAZaDddvhn@O}zVzr?YJ zc0Ecg6oxDa#gs-a$)JWCC)pPc03=(+Z$B4M>gw5alpcw%Wf43K~K}>Q=0OXHe20|i>s$)Fl`nw9g8M$RW zk3%X{j%BY^Kn6Lb7E(mPV2IbWk)$V=G8R87RaYJ^hQ_j?uS7ij(={Cz+6MDqsS4xD zJvO(pN{E9*--5b4idTCk?rEUHa+T~@cu^{H2!}aG+P(%@!tc`F{az75B}DM=#9N%Y z<)*lsnaD{t)$!QM17|RZJVQ<6=v zT1O0jW?-DZT@CcKW~X0p$A=tgUJ=t2X;v@#^OMESez0*}jAO9fy`|{>*+}mPSiC|# z`l`)4M65-L2g#yz(s}19710l!s>7J_Or}#v5uPy#BW%3FaVq7Lphk^*)9Tv4;3C_x z)ceQ^iaagvwg$_ZyS#d@yi2|lc8PSVb%U9&1@fcqM*=#GaABb>ep+R;&;0xm2&VHd z^};K}>2JSp2GO#!51}of&eE{TJcWvg)oC|f>-r{bf5d5=4KgUZD)33zW5q2j%!_Ev zL^=o($sQ_G(;)oj`NIr3l$NrQ($yLeqdb9>HZOEQ%xkE+_|A|$td2Nq;=?5$Shgr8 zKr$YkuQM;4(MBR&@*NqgViq+i3zvVWRh=uaQBOJOIdhn z)6aUa@ll-<$Y(ClGyzgEFt0{`=NeJJ$wu`SKsp_VrXxgJ#H%~9NOCtUGXL-KUqTsV z@Q%dj34BqHlzpH1sHh(C1_A~7*%48Mu=>6T<=rnr`4FSmm*Tr@0Zag$8vvvN;&=;3 z03~i8H5PNUlFD#1*VKvD?(xqcX=D)hyl;Vjcp#A zUA?TR&QM(1>@0LSkrH}8bWYgfafh%EU0cma52ibJ;7oVFVR zg^xNLnOsU81+GKMfSl`(zBD$F0RUPzY{tvE3y{Kg0&oLzQg1qXnI}z6cW`yOIiAEN z(0g>cOuE|aT-IK=kQ5~>qOfuwRe17zd_s5S&|*8|^P02_+#JnplC$4MwTx#>a-3|I zJVZP6@{BlURMBR6jm5FHE!vpcW^K?r7Sw$>VCz$Bb>7GyqO{m#tv`vp7bdLXYj*wkS3(u>LeWs);s+FDAW0WMznyy_@>`CJo*Nmu$!KZ0#nzWun zAX|zW)Mi*^m(P~)gwFeES&C1=i^c1@|AOg~>)nZJ&-Fb3N$0xDJBQb@##Q%qfhq+d 
zy6vBjNrLN%N3TiR#bb$0kF|{X!4$}8uYR@-F6k+yEl4x8%-^bBFi0_o_Ht?5hmc^@zLgQNwPBOwdd?V0ek;eGHMFl}h)Q+~oCA~Mg++yMO9~SOPc#;AQ;4k4m zGw1VL->)#NXkp=?s9i;csRSdI{PO~kGY27El=1=H3@lwRy%2`~)N{>^AKDZyVOinQ zyyIoY%DE_7i@;%&JE+v|9J#wlQ!5WHx~^xF8&C((B@Wn;)QYRln06wVh{QMwELio3 z5eyx~gZnVUgwxa2cFQGL4V$z%$=}_O44%k%mnyZ23+ufJr2D=N#XHTAoMuZf5!w*R zAU=t$ogv=RS=Bi$n5~>|#j%yWDJ3D&%1$j7ANlo4nsonwANczGz;bD+Y=?z1%?*xZ zn&{9Z`xt^qI;vJ6vS}BbR&ZVUG_i`w>G0;(!ng5dM7P3@5g^Nv;r%ih&naj*MfuPI zFWyATXI&zm=Iq4yq>UDvQq4?E$2!`BREB=C2|Je2^nY!WRw;|>vvPkBP^mX~a)h$E zr^NLO7(In#k#X_A8zX1+BK!~@$UZct_7OwJW)vbftO*VCw~2!C(S!G63T6MQrpvd( z6*40!@i-8vl<^9e2ymN(3nU>v&6{it(QA;$|4H~asbZQ!+OcT8QNNVW<@gxYQEQ_Z zrc1mjJgJgvm}$#|mA3(i>ZzpTKaJ9>&F5m-aIv-QlI;f?2+zDKv|;=)YmH zPIy@XQxe%Z9#u+|0ikam_EK$fgs36lIWvJclcs|M_8+0`{Yt z>3)-u;)Hl;I%CP62K#Z+;EYsIx1d$rS0QMyT8SL@5BNrvm#!77*P1MnpMD=+ShUJ= zMVNtEQ{A={St_b!8SDJor@jM z7)-NKaA7TBQb03bovW{Y;hHK_OwNZ(^almrJr=Y4DF6Do4SCAZi&?H0Dx8aNP7k1< zI|FIAS;dKo_0`YWN!70tJk{L3;3Pi3E)huc2bx`H-aE!H`y5zQEmLb_5X zt9B_pe z)Mgm?5#-nn1{CZi2{5q30*n9!y?z47qe}Kz{No0D)_i>)1FL+_aE`a?hUll)t$z?x? 
zRbE#RTU*y*gX||jRrb?-k8Q(t7q|7nf{jELbd1_vhvs%F`~t}K%v^O#$?>`v$B+T$ zHEmATL}7oLl~rwb-^LywdFg-bZ>eTsa65lMV{hB~c&Csz6NhMWzwL6}Q`&akPuoCW zznx0>rdBt*KLK59gOWJ(Jr>!=IU;f~T918lM24-Lj|L1fTBb zwb!q#%EtYziYfOdyTxNRHQx7a!V19i8ygSswVt*amj3N};X)g9u>OFbZTC)QizmuI zy>bcRV>dD9tLAfRvBP`n*ODW~{pSQbLpvzqrSm0}`xTo}NIlZG&le7!>ZOxD3$)AZTfn5K&Brmv`=#Rp;er^6DbwDJ zGt=DHB9=kW>Wx5N4#J#yit54=vikkFB&T6;5~h$6{xtqA4Jv4ng6zN9YlLh<1yM?s z0V@^5f+&MobXO#Q{tA~;aTjUjF=BSu<28)ofIYb-?2+J$tFQeMQ2A)oENW0w^N+|@ zpDW47nxip{usdxpmXd%Vl`uTxV{Fx7`q|DYcat39WfsQxuO8jVa_>CGf+8eRBlVo7Ha#siasR=asE%*Q@bSkM>cs9)s@mFX;<7u<8OHb zd0Y`=%^%}yh1uv?6k|hb0^?cW5{V7w35SAMyHz@Pa||qn4@G=cvK?!L>!Akb|FD$l zPt}#v{BV9S>bI@aA7!xMM-~5RqG8Y}kAbX%Y>h|)399-hE!xmA*U>twbI3l=NnK4DVg%#a_1`SbFyXzJtsXwz^z{ArJ@squT<$sD>~iZkK^j~f(h^0!**+y2 zzeBK1_DUl`C90^mvAB28; zZu4TUKjebSRSu!EjC;=#ztK-@7jEB;Hf0Sk{^-M4dU`1w(#{I01t<+<2=!5NeLZaby zEI&OjdeBZ=fA#v3cLGCkA?a@MAOG)O7XOPIwwlpH4zGt34h!t7S*C#@RiD5p|Zx(p^_!FA>cFhXM&=?rdKCYf6fwuQe zg5POcR*yonyVy~`rU_tpOW7I0-UZ!%nVUgn>NQVt za#OI$#9Ni;Ia@ZdB8XCwET%ef5?W&B>6pc0X3MfPlC6gCcBp?j?U!O?32GcAEfX(5OpU1ds*c%HABX-NW$ahfVe6VTE# z4pL8iw{=RuW5zZlx|!uq%tOp0XHWuH z`2sVwWMg%e1`^5oGKYkWO%nC`5WZ7d624Q0*zW=yg0SEM^m(DIv0!=M1e<~YW{SZVf=cr07;7^}W z=Prs?EfP`cb@Wq{kLMPj_S2S)n|vmqWV3`dwsIFjFF2Fq6RV(!hZ}7WS*s$Qn?Kvxxc`=gRJcox5I4Z_pX@>^A-m<{=N0cG;NI%meNw>@)BuZ@#k>iJubp_-@6( z84QD*L*92?x}8tS6W&{=p;(fzeUkf`H>5YDPx7~;uTC+9NI6t~7@9ZRW8M;8;p^Lh z;R1RcHh3Ggm%Iwm9o`r6kh^QK}MA*gcskdg>soe0YN zS5B@P#*ZEu4N&;TagX;Yv+bnrQPY4z3}+F(;LWAeT-qZQxz_E-gHO-hQ`)5HG}iW0 zO|`o}*WW39`mRe&N8tP9wD=Yi;k^(|BK-~BM_ z?xwTm3GK_Qjx}s(k`<&KRULKb1hd9OsP9}spU^+3odc&0PiBI3*_{Kq5nFAyB`yY5 zpys@Q*z{e`b9pgQzIPP{o*B|@ALVCHoG~ynXA@mj-Y;!Cr6*pl2UDFrIPI4m&{b{+ z_x*6_k4{JDTdc??X%#(g&im0Z%TG1FPTB`mF+O%PmTXfz*Xt)WA8$o9I>}d6z}fm& z*o~dLN34@+E>M>G;?J0B&ka0EgJ9QZBJTS>=$UQ14pY|F$5>jKRu|w@33uCw?vC#s z>O_xMR*SBORhD!%=hynXr?Fq8hj)J!_ZhDFFB|8c7$`__Wk#om+b#+$(e-0NM-@%M zHP;htW6Ia7DF(d-#JdclPXqN18l3k`9fG_FpKEUMwTng1SE@j=WT;QmLW`28{XIEx 
zpxlTfUZxM{1KzmNL;}j{d;=|^A<_y^2%S2Bt$bnRTY{+|H*_5$uS*39!Gbf#a-K}| zU}&I|#*{KV$K{cf(>IJ?t;5m9#1DfFm%at0(uLbVW9!>+>f#9SE9`4<+B`03!2c`yJ;tT? zr8l6ZdA8)}@!z8~R*+fvcJVPZDP~NHaO0;?rcuGB_(SFyHI^@0@Z8A7$QlC z`Q0J)L0=9AGoZW#ZLu`1KJDLxBJXI;a-mG|)jBcr>H84V0e`>SJnOfADc~E$OU3+U zdL&XF1^&uX=D)SZk0bQiNJD}Rw0hU>U9sn5mf~9 z6{TS(Yv9(+nO^=AKyWx*tjDBEUmQPx%ChIOb5NN5fN1mUqvf(p?V?&kO248=h-4v(Fd*< z>dQ4I1=YJUGdDxlXE7zL2~-3WjNGJOV3(PMK-D57z4n$oeWN!ESS@4YQdfj2jZy_#gT6b6K#5SR&Zdsq!gl2kOJV zeUnW>Xldd}YbuUGL8}l6X=~h0aOC^9hMFgwS#p7^CbL+@nl(G6Mdq?j+`sqkE=V19 zFN}7x)PQCgSqRg8{z8msg?7);qXW4PA&s5yK5bKI48??9?7tW<*8OGB!&6O*+f8Ju zUHrvJu1$4@S&EXxWC9xyALXNa{ilI%%cbGl^0fO>7iB7DI+mc@n3V8zVl@(PhHt$v@|8p0lruCIj3ad%P6UnD6x0Ki%tFS_201 zhy6tyPlBiqG66cC4`)p8cz#{B+U~@;gxPd~KF$rAtkc_e0HkKiBDU4H?Vate5vr6D z;Qa!Wm&)D?wP=>BmB-NANR4|)&vL!15Rw;Y-uQ;cH3}^wQ1j$)y7h+q^Pr9Q$_u0A zrnm&RR^$SJTWxS>+Qv4GdD-QC+fXs>X~z6MU(4;wQ+MMi_j!^KhGLWIy8_3xm5R{J z?Qvzv)_q((4Lpk3)^VR^&FHvbu>1pZTB1tY?3&Pd`|%z*4W3c;I=zfBxp6bMhoae; zx@|Kd_-@MMbPxN8XW9kx^P{`rlDYwJNN4j&+oxb@`tRudE8Cj;U^WK#S+!lQ>=@hC z{erO!8=gov*GJTZDwqD5v)+4NG{7s_1yJnx z1n1?WgueR`==qjwzR_zuVqB}iB1y)~b5q7w4=a6=sc|FKe zE4g}rp{Ku2R)5&O4R6&rHTQUrblCpgU^grKFd^^NR`HI0yY@)Yef@++9|hjKUy~f% zL2f{`WCh)GSpjsjsB=;Q3CWN5*5p2Fe=o;7k~vO0_Ee%CmS2yn@O^BLG&w7rR2!;& zyf1KF+25?KhAwX2->}JXx_7g?T69gG$6d7&G_Nwrsa1LG9Zv?iRe7CWGM2lkXuF{S z)pa4Sqo?uGJ?gf@7f#h?|X3|a{);AAAtI^Lq~a52PnK=-WOPX`IS(8L6!$ zljs?48OVpAQWd~WQ$Y~|U#T%~TuUZh^m=COr71&cNF1mdQI;L_T0OMJGrfVAGF3k% zmM|jN1Wf@ojZl9?vxKiCtc!k^c|dZxM}fvDn1)QFs?V~94pFoF%F&c7b;vZq(&{vF zwOXbk|6R;vHa3ImXSsrZZB(+H+?kCaqWup+xF_-Y9b&U$(U$&mhI#`U`4hwJD>ZBS zEiq-z<$m^%>o_M;O|c|vA1#`@0>-$LKG;mxeAW%AL1W1D-PV6`UZimoVF}f`4~l8< z*LQHFe&T#q1thGy8?Zv+y_co5djpIxPvvSe*+Q%;(ufC6L;>HsCouI`FyVy1qj24& zR;d_Z|B&i^_j=l4ASge!z#HRY6eAk)fwSHN~3$0CBu-KRY8N{BuT;xF#2HeM*= z#4PBqO{YoW+G7A$0ZU`Xi8F7Nlss~S#6A>C?F^2348upC(E4?hz#iZ z*<2G&prmrpDE7vK48keOhYbbIN@4(7N8`4k%PA5@TD4cME~243l@`7#n$n33Hjs+# zu=)F&G5VOaT>Kp@H$th_i1c8v%z)KL`XWNY0`yqAo(fJpy$h_^IaM}~OiF?qmumlr 
zh03Iv^U^R;Oye$IP8k>$D_*Nv{omX`qa8;YDyPkvIM4uXBz?&G&RE43EytXcm;Fyr zUyskHY1n_USo2pJ0*ctq9U7xvEMe?S)T36Ebo1JrpS~qRMMeu$R8T13%omzBvqkL}x&5Km?Bv(ONgI;U)OQ=U#f z_F!pw_Rucr;|~ z!ab4XWc!@34k0Y$LYt2=(2z}*Vyo#Xe*0zdQ@TmGv{}qVpQe$A7DT?Fo(M`nFQGne zxXbY>e&bDYhTy5H-Y^*ad#cgMZ+!lipA%;X8w1fY3|=O`eBr<_cC468U@|G*1r;ux zhMJ+Q;Dpm!@UEa)Me;z4AO&N`HX6-^w^@1Ez%x>60S(iou#S8mZb;UlW*ZQ^ z7i8R(hpAo_sY#)pFxtSRSCVshm3Oe3bk>Nlfv1`+M>9+D^Z|~&W)T=aIUhtTZ7O?H zq~T;4i{U7AO1iN2mtK}C(1`^{zRHH9_`AZqCET|ycBAvlsf8NZEmOL;Zc|pVpOn#Q`lRlk)+7kW}-5(8y>!l9mw$fu!*_xIfS6lcTZrTfG#*N5Sal{A5|vr zKj_;_V_QW&({{#m+-B%&C*qhBQ{RDqf0$gdO*oQa6p*9UG*8{b^O%O=@lxqKLD{89 zzQT&Mhq!s_T9MN-4SspnfH>BJ^sEBaq6VD2@)L|PzunM%UMzmm-dcSVG27YRSh>32 zMNsweJUIe=et*vN0FXi>J(pItUu;?8Ty{B+a(jBYT`1sNwSrurr+L@UmRZ>?icWf3 zuJ?A?eCnrFZmNJEG1qIp_ZzwyyqeitFKHjmYX%kGuB)Ip?(cw;{@1vulm{0sn3^tV zn2Q>QHn$Pp%Z;o{S-Fm?pTXE(4+X|P&*vM*GOj%h+d%41XS9PeXyENDE;jee{m1q) zx%|;r!=!>H{>wfs67JK7yC$BC^2L;D5?T-F@cN0@`bPKG{dFc;HK%p2WvKzF&FzG3 zy7PX+!sKD)W%KECDIbZ>!|AGO`~e?wMM7>n=_RLe4>*%IT)kZ9sx7x}bmeLMID?(d zM6UHl;J#(r8Nu56(gwI@f1KyqZZ%kNJ@Nf$M50#*6&;{&hGqQ(LjqlfRozVEeF85> z%I0mC-A&U}Pk?91uJns1SDwRc+iQm!dTl-DT=>oc`w;pyFJwJx2Zveo!l{-b7?VB@ zm6fiQ0KvUt&$kL+sqUu=-DUj0jb1MvHznKe(w$2C*nt-<{)Zf0DQv(klfj9e&W#Pl zF88-KIJcqe(5WsbAfxL}_s9|bBYr)5#bvf7)ZX%ijca9~1)^KE8@ z*Xc5&A^O7S#Pfx;`g4w2)60?Z17rvQ)qjyM;y{R*MbM|frS2XturyRIXFhkoV#1e9 zksR@-A!8!uUBfe|?@Q`taA%ncTA-84T2r8DDv7>~KLYK3fpC92O(ImA{giV&4b9g|I)?g4=V0g~s?dC<-2mX^9?tb1@wkclfM9%n`f>ZcO-XL1`4ExID&oq3HZPQ0 z&HT*+uND{0K^|``7=D~I+@u=;k*3&EMvDkdRe$^H)TKLs%ULek;fE)V6pWnI5=$M& zZ__s^u)!=s-2QfE0^9+Vs?vd&qj9%QDf?f?BFgLx!&bz+`VSO_&1g}LVIhX3M+P#v zCDWEQ2x4^#EB{nlhC^jEj8P+DGD)=9+PUQ?6KwDt(~>iT$1U&$9B9$c7UT+28j@ft zoTI)MehZsP0woan{VJ1p?hr?vKMh(GWhF%YI3oE?Wy2)`nS`Mw5mD#Rfs;x_`mUbQ z918HF+l|QO@AwX3HpIGl+eUGLDcqcDTt#>6S$`@0iv`cDD?rXP5u2P!*xN03rFx1wqK1EC`ox}E}>B94vET4Nj_sI76nl96j7cIZT)aY zBR4R@eNtxjM25(QxqnIzN>#8VO{mI>%xTvyRxKtQe(5fhN&P;WOH`@)&cjPp5OqF# zQ9)a_gtdSfCbs7z09Aj5w{ky)PBeBDnG~i(DAr_z!01e0OoM9keC{M8#RQ9dSK(dF 
zUn`t*wUQ7_7Hr`__Fcrwwe+0x+|pT4YO#Y>Q;-)LBu;+`Vg_~qdA)e6Kf+}DE zf^K;_zJS-6U$}oFUXi*3?HJ`D-@H zqJBj8v3}f*$|Q?6Q#$KQOTs5vnTgjQoTQ>7E02ru#7)LNvhS5pKgBIVo(Z(!JFCwJ ziazNF)gL{s<`uUS-l2(8s;5QoJo68hk8f2&t?F}?HxwrFt*X_b8YxxyPE~dG`d4Zi8-;WR0nSj^j9Hun%_)Qy zO@NEG10%X`74OUInJPCjz{tc<|1F6b`d38?iXU#AO$GT~5NnrvC!>B)b=-XTSv67z?cMwCwI|x;P zQQFG{Snw%pyoJ8dO}@n!oS0b0IC1#|Q^4Bn(PUpwwVR|9P^D}kGGBct?O$yw)ME)T z>nVVHS)$Ep;zmrw!hrDShOk_4VL{!-zLgaGgvVk9e0&0bSFoNHZyJ3w z7@-+k?>dDYH}uTKGMM#AgR+qHiFZpj6KcoO9!%neOIh4Eg{C|UqoBX}_FV!b3oKJ1 zU}IDiS7^2J%a;sV+$p1j33dA=qGut0Z47>i26vtP

VnAP8ruP!}p1TfozHSW3q{ z2V*%E7Oc%X8vswimtm956OW#Y7H6rimQzA44{?BC8hCD_fH3B6?c;O{*Aq2!FLeD$ z^8KGwLDnt>=0#Nd5v-7m>W)whCPHGFQregae2;R!q?Y~v&rHj*!hPtD@PZOS$Ru|$ zpU{G}X|FpN`m^8@T9CN4kFuZ)kd^12y{*kXEYNWsV_X&)o-_d&Q6C1eKyx624;z5* z!{k}_)!(T3pDfKg*iYt{AE0Mc4ge2(NS-E0G1u|3ex_5-(=^8t?TyLw%aF9fI31qo zy#2KDoP$N*YLauno7ytLe}WH;bpO-3kmXwG+b6$oA~xRtZ*vx5nU!27FTX8E#l(EC9TJj%*Kwfj2hYF?+Jh;5#?OIp>}r;wfv z^OqFFvcL69Z1`@Mov*nVh|e9=xG%Q_&^Un1`{!t`iv(`bic9x9?j>ngjpy!uh~Oh6 z_p>;J=#S%XmQA`{%{y(DINRQ3Os>|BJ>iI&D|&Qz)vVxQ|_- zW4nW&O#1+6j@j^$OOU!BV)OIs(GWPUO~Uxz#kQl)c|Y`wC7$D(`k={>qKo^*9Ez%p zMAlLF0nGzV_ei#CO%w6j7BH~myZdty+obpJ92|Af?NPsmY4z)-GIh?!Fy;)tcOjz} z5b`u_+Pne!hfa>;#lh%dfTvI0{+zAu-TTyz@8_HMB7|%uUJUOCH*mH@mssMQ{;sJ7 zuvfR6G^vPh7)nOcK%XIb7xh`fZUjIG$45aIPT`HN*NZ@!zvYd7{u~p?U zaZOiuexk0{cq`sG=9$i@sdie*bG7E&d|pDT_q=*suI>QAZ`}AX|H5dooct5Y!+lbw zYxDT_0ulg#bccC!{6U|F0Jb2ZIZObE=rZR%Cm1qZ#8)$S^Z}}J5y%2u09bH#{36a* z&>S@KK93m2bUNQ%Bf6q-xLq82$Ps|?>Tk0)-IaB;@$?<&Mn}MXRUPRzJMHb^d=?gj zMvvAuQK%h7C5z7vD>1bF$I@taSrNBz6HBK3nV*0_(vh&A1t`do%3w$Fp z-I-BUz!RMYy2?OIOs7iO+z2Z@-Os%UuL(lKMny8sDoO?k#SqrapGS#G#R$>i!>pgbrhTk<=+qDzA(=qR4y);;+#i=jVZK^=yrT-{iKjqFC?; z^#&0KSeppu6f3lNmqzdhVS4tv$5{BtI$x@AM5Gd|S$W#Sf{;pCxkkQRi;!HMarc4L zQpeKVTWWy1)%hap2!z_She1~W92w`XA|GSap@>rbZ?->HlY3Ra65OnOF9^0H(>_GbTuz zX3lX-Tstj{6sXvC<@3idOwwZ!EMhu+28&AyEwwY|4`#&@8NcWN7^QQ6&nzhPxoYk?A>9{IP^Mg#@VB-8lhjMl@G8H&R zr367F!s1~>h1yQ-Rjbx501w%RO(`yf6`0uNS1+SdF+$50YBezk2mT)cn_$nF1qScz z@hMDgqfz8Z8u^sP4&H3hB2sM&0R<$w6mrq)Y$L4mhv!yfq9U01a^~8Tj)44}@L4FX z+OV_4$O#Twl;FG^BXXg*CMvIZMks$}eCdCCVEn3Njp#TNQE@tx`lQ1_F?jh1vp;+kd)Q z@#1-^ESb-VEZ)Ezi7!30#oA(Uq8lG;JQ=}I1R90HDk<834hoTM6!AkjXB;6i3C124w=DKA5tVxB2=3EJ)A#d zRl-(l`qv9Do-h~wEk(m=z3F!WVtp`9&2kpwk6Pmuf!9X8w>ahVB$_#6u_U{TW_Dx^ zfK@{dZPbSvZuxz;8VV zQD72W0Rj|p$;KFl$$9@2LoOy1%YdKB?^$?=_n1F$f!*<68Jbf6U2;!?+yS|BF1kKI zBsgLcVSS@tfRZng^AYKd_g0kv1U-ZtK!S`K_@4yL(CWvinCSI7hsVO!_aDob&3cSQ9u!m9Rrz?y_(aU-Y;x7?AXiKTAog)j=_*8lRfuS znpiDYz+IjSe8;&TrjyyOyPZ>PYnD+R+iuQBnmQd%g|=Hhx9>Cbq-(DikFKGfIlk{% 
z)V?RtB#S*#`i0sE@E_`d9uURkY zhisQi?z5B4n>w3!_Gb?9i+b(l{~_ueoGXo=tUqxwu`#hR!Nk6?ZQFJx)`Sz=wr$(C zZA|QY-~4vp-L0pp>-z^hRj0c9)93ttwU*zx;#TfDW;p7-Kc52VbSUjNYBPR11cCV; z*N=3%tUH$Qx_jVpzDF$FaQ`0Bihq3cQ_HwVWr+_4ce{p(8y)A)SvyKeAZmth99k98W<70xSN7ZWbB?pl2=iC0fJyrzWB zbQ^ZUcYu9n>YM$9W^^f+U5iR786#P*yIG-+q4E|jcI|y~?{+ONbaXUjeKn_uBD(vQx*@8eK0FWQ%7RMo)YnR)ph@7oIbpEy%q zEyX=fb1@9w|LTf*J{N&h{9a=;RMj1mK0OUDyZJq>*WsanuhFD~RnCJ_gL&63gBi%L z5~S}2M1B|p0$5&i^dmp%UID2FTE{DlAaS$IGUpVyAvc(Jn^!=v!|f|Tf8fpD(TsE` zD>!QGmt#HoD**nc5AB1=Mzq$o-P zjw)R)1=S#o9T+AKg-HYht6}|<#j4R9rNl%sZ)q}fFQ+)V=Q?JV(J)haf`a0OM#M9o zQqzy61d%ahYkoo2^L>RrH57N~~ROR`DgU1CZh!~DMx$jKZW2v4=LRQN(q$n^+@nkcPh2|AoK zQ6yMsXOF;cl#(#0Ag>z9MbM2D+<(}K%^-~u>L(c0qCgz>GfSC4B4P>$eby&kN+{J_ z#^o!j5Y){o#b(O)^U^GZ&?tmPhDa6|HH9@;aFAebAO7Ee)$R1C_h! z&b+oNEozGNGqxx6yh;XM((3||3_?<3_L4hh_J zaZq)9;Nf7=#H>sGNpedM%v*)Jc5qRZn@6VJmrT^_VekpwA;)ntlwgg;Uij>kw5ix=Twn&dB9b=iqb9s4 z7e-ZdO_h@;yMPBF55(S{1ocvN!G|=?{S_{dxny)Y=olbP+F<7q33t?3Ezpc?;;e{l z$kr?&9v z7-bLGy*#?`1gsV)1P_*o*3Pk-p*>rRA{#t)nC=V`` zg#^L4$oDw?0*vZvj>t|OoC?o)+%hGOAFe-|l-9y^SN{I_qkhW0hGk(b76cg}sW}eK zv@8nZ0hOSa-iXsZvO_K$ckFnwlJDE5*`O6+ja z5hgo7AjiZoFc&ODr((nlM8H&fY0o$+H1Kb&FsS^)&CZY9x;3Uqq_|BGrHq_3)#xMz zLzRjI&N>jQv&MrR@E|%c$Lz++`dsAGC}2aEWZK~&Jv^AYER?PhDNX7#Sw(nUP$cdO z1$k%4|T;1rib;*-Z{n@-J#|{v8(7PE_m?Ip7jN{;6TR=;{?1{kQh2WfAC4=FD1o z93QPiP36M&Q~0>_c*&Un3{TjO*{*LXKEA@4ng0x2)X2bvjvHE0Gl}rIv2&y>ORHo3 z`6E(UEm2V@ZR|5`kDq1JJmh`SAqV&Rp2!{p+K=sZX7Z+|2jv~|ixdC5!q|QDwa>3V8K=tU@|6M4&bnGAyxAE$=+t_q7%^0JnCN3(u=KcJ)f;M~s@IDDQkLJ8P z;b7YT8&2i6_8JVhyt|ZszjEX29t(W~``AqKd7Q7B zER7GEgNad(2Ej3bFrGwoh&0Nu}pg%}R?+UTCEZaTYEQzB3*-%ardJ8gE; zi7&wCvg00r3|hOIs*>;C-8HTDybVzv-|7B+u$twyEo^`DaR3q4CI7q8@hPyyoaKjY z+gl&u!Gd?(wH?KK`AO7yg8h`bB;z<8tEqJ37xlB0jjn8EJnP;lF~9$Mpiakph1wgv!1 zFg<&|gvlP;wTxKKeEzGO%50dag}&*L@B!s#ZNGW6E+oq{x|*=xmy8S)^*nBW)3^;i z(4N+3@7S_@-ZATZU(D0qdA_Wt(m}Xs*u46|=*spSh3uBoGmca<&p5M!#AB4jW(WP$ zZDm~Ax@p((934s*u6^=W(d{~D3E(}N4Vt>XsrfjFA?&(cvNO}(%}iP;Y1Wzqf;2!q 
zHbCLrFV=A|66lBe#P~0Vw<7AL8Tf^i)nS;|p24G~1ux0+ql3b+X8hXqd4OcU$`s6$ zRv&^HNkHMrVW3v-KH5lvrwUBgDBLPRpYsND)aJ0Lwq!}U@+f8mWyRgGrMT;a)YPBI z&I|J6UpG5|s0eQs&HTGEoZFycQZ?P8-BnFu+Gib2=8|k0s3@h;T)d(X%oX7`O`FVQ zPt>{0w;usVOWsZTeF?JU$~7SemGI`21Q9ZgU|;muJNw|!5*i&$1n(?(JDGnNe930Z&t#Yr z>frN)j}n3mo7M0UC+zCU9k!2A7Upu}z;dD976e8k z<4ah`^S1tcV=l%1gEdwH?UJNQTt%J124@ZLQzqYAG!9$!O)OjPkyRsN(uTCOmWC<1 zR55+`HZQ!x7YetbJIP_wa|YrJdg$Dd4UeKqPN}k}D?9NZ0Ot^=nva_D9BxVgo=L~* zcvohwwjz=9TLQ`2foHAu3=ET&!JS7G6>6~tEjgcsjw5F~?4X$tp2k=$s%9oXByNhU zbWRZH5PKNC;9+OX`ul_PXWE&A=&J{!Y^-_>t#3Q$><-ip6rC14$}k-l}2b3nvc4JuTeXAO!xh z1X(=Oi+q_`^g`A{`YNntJjumH1CAu+3W*36mZ~!u^@-*fmolcfWO$s)J#_qBfgoDw zaJhuMJVU7`!=9Z~Lct=(A9(+!zNH{i5Kt(s@y_AjC8+@*&@@vrS?T*MC?L$h5#SRl zSNcM~tk4|6vSb$67%SZ!a0)1E8O#!J0+*ODqaj@9Wf3Sbh_pOv#SSHWV-0QLzd6^H zTPqC`?~;=e(AG2bCCoSj4}?0%=F| z@=pB)XE6r$TUR3%%43Tb_#_>{;Ulzv3twU2XW{fJ{lz^;Pm+0ZklAfNLY-Z{Y~Kl( zWnCjqC=1ZCGOI`)tZk=2vbISJ57}_8IW9aKQbF^7!yD>V*iF9a@ofp zZ)avvx$y(X=$jeF5>y3!@mDx36Gu3DnctxIC?ZOKgb3oj^PkJPfvPw{MoU zi?!gJRPmGxIRT<9wHDA=Q@#1P8mth1fkdp|g}c)~%!`2={{?%yc01pEt+k8gfeXO_ zq&T- zZIG$n7L>?x$s7mK_5nB^PuwPs)>**8UCgG-gytqK=rOuy!&$z#*~9wD!ucVH@4-2x z+q9#ldbuWUnO5f+!mLkT{m^ss`+c-M8S(;5cl)c{?k~p7&J$dF-;=Nd_3pP)z%^El zx4}iRPqfwZ_WNr_%vYy%5Ac5Jic;gUK5!-4hVIhRJsI)ZM zx@(6iwWqRnw$HIo_`Me1rS;p_<*|4lU%cqP%)37SuBfdax8HrAu=QSV4rSY}P}CIGhYEy%n^{=5g%8SmR3UNOVcPXVNHY z>h6P_^)~FM4m&Ft+x8aQs=D0T?qXpw-1V9VwmE=YZ%@oHmGp}{0rA5|PoR-Ekm)^< z%dbyAvlkGy5$HSU*Zq*oyE1s9zAg|#@+$aovYcoH6F>$^`qSe3#aTe? z?$za~V|(OzqSpX?{3j&+LWw_0rQ^Y=wp~TS<)jdkRx)1G3CX7z;G!H z43|sC6_#Bn!j$}ZZr8H3NMMKH+@wV={E&P7Bqea>{0Pb;%cbmvC}72RypjwRN6|-b z*veK`?LaI-RZH`Yz^q$eB%9{w;gii&VG+&-fUH_* z|H8LoCIp#HYek)cCEGz;EP)p$GPG0 zq2-QLVj)#3{Pd9MTAGr8P{_ksxYbFg6xXx_H~!6!euT-hb1ah*!7L}FaxYRQ{|`=? 
z;9Hdw>dKG#US+W@1ydL|{uQKp+3E=i8MP4>BVK&B2~2%hy7Soy)^~`kGm7)5`1K!1 z12*WySvUn_f-Flh%5YeczvC*@ts~e8U_zT*Si?+5NrgzQWS1cFakp;gu-3!*TF7xs zzBV;_=SGy$9bY^D%Rj>BVA32~NB9wnIhyhp-x3*@9QmarN z8rO}E&4mcRVXc(U?gj&Jk^Vu|vFXB3(L%)(#3o1Ot1(i#Qo~Q+SzBAyUd2-$&Nm-j zz%^{s7|CEYwM7yaI=zXw1t{`uSg>8Fu*WrvOJzBs-^K1~PSXW&Y2--NT^-(4&8>!z zvJbp(xqw?8Lo*AW75|U_}JS&Qe}E?sKgDGB-XSx7e+wxURbht~YvI#;!8v zDhU0iyT>o&?QZW6kh?~FZa>ipOMkvR>LvhsR4pWCRCD!j>UT`T`979s+Bxj|GBr5s z?|^RR1kS=P=84MgIv~aoP_3fgeeq=Gu|A_WnQPAH0*{`PT4z=51)0~4^G4G-O$}EJ ze`@wbmj2^TKn~Y_(Zkb5&mN!Gp)gUWlZSB<#0kD9D3Fh}HXGpDGI4@2u{MPa++xwb zYCg*5DY~%@nQEBX!rTn(s`Y!A51-oR^SW~N%X}XSkp`o)zrQ|Tp|iHR54>A#5ZB=b z8+ujG?9`=j+%tm#5gy4!_&J^9sc%Ccsc#iyZ_jjp06D68AJd$XGVf=>PBLa{c-PPB zoLf8%gJuT&7MDefO61g+KggVpxB9dbnPV)u9<9O#r_WFnusP^RG zE@UUe>-E%9Xa=~~{&)$0(|R|_6F;LlSpTx@U%a|o<|^%busVVBWP{a3 zbSqrOShiV>^YfuwfQv1GS&p71o+EkfX{`n?)@S2z&GX@-WWRc^GwGDd1>ct=C@_})XW)Gv{gTWi-IeTmbk_Kmpsg2b%JN9884o8W=W zP>59&-N{I#7TMBWP`r@Od*GOBYmd@=IUP<+B#~C z$0_e%5RviraiMvNH++G{1B@J@_<6G|T6RmG+I zhlz{>FIUDEhew~i#}go}4L1__#|7@JFr0kRT1LcEM<%%aKfwmy78G}s%HuTL_x>a( zH8Ib=e*xVJxw*x6!>d;=kL0PJhJFQ#nIYz7x3sE#Gzd-d4ZAwBHl~EtSbGx z@!}wo;^<-C0etpqP6GFU%PST6yK9Jly^MY{H|7SGwusG;FIjZH1|@`;f=X@5Nk!sc ztU*%9lJ84@et;W~%#>OUMd24)V%myjQRizZ%2uvh!n0ZzLV;g8bD>JACM=cjq>za* zg;L1bJeS(Qkbse+jkqpaNwo2opNQ+EIUV}hf3|qLW-k3@`7lQXh5s+eO{MoWV^JxI zSCcW{ta1;ig`oH$CH+%IBWR-OXub72S>E#aTRoGNbC}RlMiQ$%JC}RAEnRX%-I`$g z@Td^{wSxgHYb2#uvN)elBDQ8h(1dF3@rjJ6{K{as)`DoK{-lJhbmiDUZz4|?R?w|p zmx75b;!`0%)7DV7$)Yr_f=U$Uo|a=#GEs`N<2q8M%kXLXU26#37MvO_YH;*IuWFz* zMWa#VmFqqZDTE;as++B2!tb)o|VAIL|eUQBtF_ zeG*4?sd-$@V0zSgpOs9UBiPZWw;&<0-e0kk(3pHImHw?X{;yx_oqfX+`w>}QE72zl z4cM2)D%1Y*$zRNX>Sv1jzqJC)VO#iI3{(i)mkC;bE#w*3jC;qvl}U%h#nlcn1&}Lr zoia%%yn|LdZc0bWtQ}Vq^WcQ+^U#SgAk-L{Ffg$-)#@nP6m2z|DYTnyq}B4=g>LvB zm<3L|DD(bodzI$>K_h1+s?J={r zQ2-oQZfZf1sMgym^{ml=jP|+EG1!EbI&wpnusSrKEJ^^c(in9^c5jP$x+yTzIG`v| zrcF$_IMu2EYH?C-g+2}!D_^E$NYJ;+T+T<5`j=_wpYO~AO8D%yd<)Ag|6A_;_^2^H 
zE#GEbKsiL@-RA&ooxAZ!q8&d6NGcSJ0E35(Pnb`duc&8qVmM{;TcW3&117=^laYxW z?ZpmZe3fOuMK-#luuG z`yDAc=b4Y^({hd7<2evn*LhFNI;-=#{!I#fmS>&UUC*%1iq_s*8vwv)Asu z-!bR9^GW( zuYrzHo3-1l>dJk|==IO~5OT`$rc*b^w4W=wTTdU!hAkTio5ksq0N6ZkDXm9z`8jct zvS!#baUB^Lobq)7{eIj_!M|m^r^;YO0P&Rs#V_3PIHasi?7SkWP1KbJJbOKBNd|o^ zFED01%4)02Y1rqiGq>QLKiyn5Z9U)S9DirjX_z)Z_PZ@mD)Dyczo6Ulo-sW|obgTH zJbF`qPQ4v}r-FTu=0Hi1zu9z$T3zkeI!?RKvxe01Mqa&)<>^Fho0@EL+i_sFK2k0HCR?a;|6Y+|UqnEA)P)-RIFX1{_mTw6R*CzzN~a3UrndJ>+~4BuOvs=Mgkk@t+M&XU(m zW7^7f22-gBox`b)kqs}ixmbp|Y6_#aY?tY5t67mbAwMWBuI4VQb+R+Gxd8-HN+)dx00L z@vLNf77+Q_@1oC>jH@e$bH%SWCkHgSpu+O?@+b%ODHTy_Oos^v!i?r;9gGSh7={GP z$IcCw;fPvp+Hu4gwdppvtdo6eSv-sTsNv8ck|4x0&EXEixzh?OU@5TbfcGULz)59G z2L;zMCyQvvsb@&Rlws=fEZ2&yfGsI4UmKN~E!)8|Nu{UBRA}2#PzrQq$Y859Flx$< z+mo2~EUGCPY$cxtWMi~1Ul>P^YTL!n=xTY1q9XkIy;~EDe~b<;xdOctLmQy-Q+3t z8Zb8fcz+ul?9l`B4x(t^|YGqg) zGRt&X95B$udWJPQ2XEp)jQ^&|`Q^Z%WHe;SOjbmdBK#|9f;!hK8eF_g>Vcf`9X5XH z7J7@ixV2ig?p1K%Tu3zr?2TgEHBuwOp<1olv;-MGeK_Cp=l>K?lwjVf{DNQD*=G+C z>6e_&cpK@xq5mU_7^J}%8M{#c1%3Vn834dQBq-nWi1CYo3y%P=Y=ALqnmmt-X$+6w z7&=lHr7GvN$4mcXcALS1S9G`8T-J==^=8^LzC(O>WWCSpn!K6b?=|cbe6Gw`WCBh8 zt3rZiz~_v07CoT*{X2)x-NW0(r{%-DHGk)(pJ#x+?`5waPi&SXntV;ud|HO>e7AGU zu+p=x+py>b<4#`7=T(S0;C-{Ng~)I8M~tq+G}u2PxvZu&^O7fk%Qon!s4P_9j_65G zZ*9&maPuYh==t|I@&S~LEYY;#8!<%xB9`KPq$NLq-E&=%XqK~Y78@JK?_HXa?iO;d5rO_N| zlF_N}vO!M6^uXAzd#H?{76<|S64gPWr3o=3H5J2VEAKKxa^+FdPz43+Fu1@Fy-Ig5kEzNZf~kYS)QNw>aFTdM0OoB z-Tjf89}q`SSbS8zxBKEw;wLrI(RhO;6N~IGn4NFYMH_^<%NsU9ajkCyOmC;A_M7ha z>o8T`hnWAmQgpk=usC{r*N!Lf{r;s*zt&7~TNRBwdw$N^>SYI9gZj#OollnDf3(Ra zZ=2k2q^uta_=M}adA|29hc_Mc{Eq1o<2LU|Fx&FFlZtcf4KD!!+1)O#Ck&sfGPdnT z#5RPoecy9?_7SFmhY*A^gO5#A}_6+X&TX z0rpIS0L>t8T~Lc92qd__bDQH}QuGe!0NOi$kiE?d8Iiq310j66K#9H~zy;9~UxBge z{Cf=$#8d*P@z;**h0q+Kqz6k%(z)DU=v2o+u_o#hb;TTXsyebzN7Yd^r?_FVR&FK< z?>}PcOX{fOGB}<%beEirn3AgaZ{94(Dr{6=5Ghn1{C%M%$IC78Y4Xoz$>R%%xgSrB zsB^;?wCl7;^Cs#?wwgwU6$>SZIyf;I-;(VQ6jR3B$~&25$Z5b5#56c#i}=SnkaSrS zBGK+?zOsaw$%++6$(3#4r3YUL^^wJX38XkUqQK_!EDvLX)x(npXl9O4j!=jvEtMN% 
zyfba8G5ZV#H<3=_5$|zQt5soAa&-=ar=pU7xXIJFX2NMtrAIF$-ZeE^`@1wDHbK+W z+Hvbxpd-w?j3EV5)YtQ7A6m*4mbqzx$KIR(@D=)b*%l_6Lo3;Ao}dMF(2a|>B{VSW3H$bZltbNdSih7rL=U*4Az%Tg+Z$XT=RpKPEf zrZNf2m`A1aJkn=3&}I21SEgg`l&YX-xoFtZ)x+XE#@lm@`>xXWQDl+LMxIt9y~L9QsE(-Qb3z()Y4*|0bX`q!pz#lN-wUsrdWd2 z<=B--<;6AOukFgbHgjgfU(?|f zv?t`Yi(NPYePn)`>lLTB0U@TO(;r$9#ezjusrYy0-mn?>`|H2dTjW;W3#tigK zonJ7(X=-Gki4J41d3X_tUzDvfr_rsDIvLeCE8~X=tI8gc{q$f;0#k;ySRUzLT#<60 zjr-%)qj8(IUR%;~>5FJHdkA~BIO{M=1D|E*$;l=}=jxy405Mv7AS5I@EIU&_saB>q zRa(%fMeDjT^%F~g`U@`>+D+Dxd$!28IQ9(A*Qg3^o`;l)nq#9~!(yf1DmOzr&@++o zG_7LBQY_E;E3GRL##O*)1|vjb@O?}yAU*fx525OC6UGiWb64gvhH6Vzv?GVuhD-Gz zkA~{}gV`D*);X#U1-fBfzYr&R?W#f*#w(5`F2tO`8$t>UMytX^;Yiutf9YvCD6Ir& z|I=K~s!Xw2Ra-Hy$W0ceyzxlaW%u(Gb#*L?Tcb&vhGCr zCf$w+=_EZJ>9C=2GCI`kqp<9R5Gt#}sMO`f(>pEB9Z{KTq9_6($WYM9q(mt}5e- z$&`qb&(-CMp>SY3D}(ot`uE+Ai)$KHS>MfxCVl$$J2qOa5ODTnhTKV)qn7^K`%OR1hIL$oWUh2Jn zz5s<|AtU#c0kbXd$UsJ55D4QVG@m+AfCS|O`F-Zs$(DmW{Wc~dQQGIRsvjS_fbT-j z=V;4fL-0w1 zTq>6*VDp+#R-4lMJc~NlKC$84fuqCkUS)jletQ!}UQOEq4*p14Wpo}BDq(y&HM{^A zZglag+4c_gx~Z(#;XAE)ov}lB1`Z)sT!NUN&$B~S;`pvNcenV|H($=)qXX5z z^flD{o(n%{_M!jG`bcYdZ7A6vm_BV|Y-@%V+Th0q7H9ntFnA`Fx$!pdiY&D%Gwt|)ysnDkR7(m+_ z@$K8PwT{mvDb-H*U*>~U+w4|{n}X;y_cXv)v}Iu1TbG;F+LpWa@$u4)Pmk{qi#9!^ zUiV%!6~Wu7nEH0hsL2Es`%xx9}7#h#$C&^x6>*8NM=k)sdRQKmxlAP9bHu&LBpW(teW2{uuK_LKjr!V z<+UCpK+Spu04RO%022gWE8iL_K!W5vZ05hPCGkIXKVg9S2LQ((sI~;jMuccf9$)Tr z*&i_0DWSpDiUkC9=rUC)3b57SMbP?ltc1}LdKc`L2qP9TN8~f(d28PTa&y1`prwz@ zPi>^J#CQ5cn;aN!-7l(loL2M4P$>~^7T;CtU%X_{WB=L0FBHzdjbCvTGIv)ffm1k< zWHXJ-+cC9BYnWY~5ouJ&tv~>#kWlQA6N*MAdRDPzH*g1wGu?m9M9XEfrp_&vPK<*! 
zf7*;hCEOr~C=jmv$Hr&1cZuAW7O`X{cPm7B)(sgV>TD|MKsABkt8w36H(hz;uoF zi^SnE1t|+*QS3yy3>w5N$A%5?)0-tw6j(s{hpbf_uLy@iZ(TV*1jGAd#Jn z0Wz$QV08bEA8GN~o*qY;h!B%S!C-bvsNjo01$Y)uaZuXwDVlmjPs+lMP5Z@k342F_ ze)j{4)Jd;6LKi-Fj=yqA?(cIv(yhK;yo{DuWof2V^Hz<^HDI(GR-CV`V})Lb&7-b& z>46fZ@ra9&0Y{|LrN2l}Lx1C#2P);$VgF?+y&$!e@{EGl#uA|M;TcdcV>&4$X4CEq zE|xhvfTjFkE=-JLQsUWaUb!;AJ1j-5-$lXYxq_ux%FB~P7RXhU4m7PjCS$VMg;RRI_3V|`Fk*TfHRtJagb%GHO@0he3N9m6a*T}}SPeuE zDqgJ#ozf#Ku+U*&;K(ee!bGuEib@v@uu;U#ajb|>#9gBFMCDKt$cw07LR%oir5Gv$ z-GNkEzV87r7Jq_b6n9PIBZ87!F+syHN2fCq;RE$AEzQ>f4k-jO6TCEK8g z0=shvi2SwU_nkDVh3i@xRCl(A4@w(Peps>n^n3kPe5#{(kg26P@ywRL(ID!E;*mf? z4=$=Ir7o~`@rHqDWy%)WP8z2mG+q@&8~00Ygvo4KDhN)08YwCkx0xJuoLa{4Hv@C*6s*r%JG8ET7{^rcK`=|S-3F4ztmk|Ep z0|TVOeygzTR#@D^$%_cZZs9NK4CAI49vOF)rug;Rk>~Fs-;N)hP>-Y>LU9sQ^Q{hP zmCIP+BuGbj;>(*~;&f&sDA3O-HKz6)CY_C#=mRPF%)BD|-yO$EHYGJeGHisQq)|A) zHncxLS5$H=)2s(F|5rvfznrj3&HxLae!j6U<)Gdgzs84{8vuDoFKj>p@!b_r_yh7Y zl>8)-jTi?E6#98`mx9jG%)u!OxQ5+}#?C==_i=w_;qbEo(&?u;?rNVF%+z!r95e3t z^r`ASpC2`^z9qtJ#k8+_wjDh2TbY^PLbL$AOUzqfPIjn$E*-U}ZS+4E4e4yUAM<*) z**N_-p879#L-Thc-0RgzYV7N0rR~*nxV)}lo|=7Yt`!$pE-qcpKaquc`0sh$PF9-R z4w~Gx#4GFT-BRcDjAM#=9Q4}`XHUK)FE}Hn$DzwL06kf2znmha)VSpO{bY?X%cs)r zXZs8KW7G5;$n$D=^l0jiv;pL_N+FKVbg>Kr&=&SK*-}2~An(~}_FFr%=U9}}Fn2tV zHJ>wI@w=Ivh6$|OyJ+Gt%j{m++1ugw8SCKD^*elgzw)EGd*vFLo3MY*xH$mK32m_I zb+Eo|od5Ws?^)V@L{7Y`_uIB-uN_0W>2|hz3TR+txB~CgJK8z9o9Jq1&+>jjEd>Rf2bzxt1r#mkk z(rbY8yZHD_k_Bi|-;SbpK2=0z>pX&yU^-P!qa7Bt(Q>fbz{&Jnz|9qt%+CRQtUfZv?rTwk(abng1c z-hEqpDNiPo>#&=F`+u9Vvu-!!>7uHlj9a|!!>R0n4_!M?)t(*=?u7Gpo6Hh9ZyPa( z1dJYjNqjjk#*fD{+x)kKoO*X0bTtk0!6$xGFQBiS;?+mMtojTnVDIb$Bs|!&2k_Xg zcp03T_EVT+@Mm5LDZ#29b$=i_y!b46Zn!5(TQHu(LLIY%F=CYm22Cb_9{P(fjT7*N zwYZa&9_+&Z`Oi9nYyT1wty4A9i5@S23=%hv%x}yiinK~f77teGE2XBvU4jLpqct=Y z@*rS1RnWtPtT!<=YE)7kpMo#2$%x%z(jLq^*I@FfM>2;aIY)5jiU{-R+%BT?MESiX zk}*JBd1SU>?0=;y9VFni3aR%kN@S#jQ}bv-(&`%(l=8np!^3?m3FtOAXOnyMmSOCO zg3N-)QSUFHvKEWtMH8t57RY!e=B`?H83Wi5?6hKbVv}{k z3n#x(?JaU)1#dL#SuTp2uy03-!asgxc*xkuI84zkMLa#1g7zA@9sx&wQZ>qHWl(bV 
z+|!RlFJHTed)B4NM&jx1c@WKFnX~Z% znfN7Q6605z;VLM9<+zG}r*rgXA1&b$hKEx0h8d98yG%(5Hz%oD)7R$CF>G8ez`B6b(!3yHIq-Hw`;0OD5rQSGQc2c&o-*K>)St8%dzR z7W3&oBpq@&SnBE8Rb57auq0_kyO`q@8gu!D!2A(X{C;Y3>OSYl8j<`d+viVSc> z1<{r)p-qy=W*io-VrcY~MDerl*n3spjMEnof)ckVDTc#li41CmZi6wU>FFoRY>ts3 zz26v0ft<=BmU=Fq-b@mQJhmMb38pgTBqC4~PYYE>5a11ag9i~yzHB97*+)SldOr|P z@n)x4wwk4|2Ug=tBfhErc7c^9%s}>`;R&fD*9eFwE0w^p=_mN|1mK`r&P7KLmRi1% zX7U%#w6d-rHKxdl&`PVFy$Ke|7^CcCniE9Z>bID8t@X`IH!ZHS!2A1u1y}G1L(Ic$3EKJ6S28-DBOoPW#^N z;hCcSN^BXU{3#~I z>K`lg813?6Xq+39*KwLa;{Y8s?#@tsS}xopJMeGZg%8|-c9D^@Gu~x*CfEN(K8uOl zG`WEGoS!%kmw9drPG(|a^bIj~8ZR@;%?mgC&Oz4?uv<=rco>e0}f-38V4 z>b|-(1HH}5ay+~(ACKOh-ka>7RhP6Q+MZOu&;@tU{@{V!&aLJLYSaA}&#a=iew_uF zo525Iczpca8712CBmS`dFmDH)AfthzL8Y14kKOf(j|tC2n$~3V`1N%jmppICZ;wET z&yNprX~B9knW_O%jqH|tzuB+ew?>(r+YSxaq`d0q0Q<$d#J5C6T${#{Wf1}wrbWw4 zM9W5vnZwyY@F>`T^Tw-silzv}4!z9Ca>>o!e~ON~Jg@CSP4#f!9y)wv97dX{ImR%y z+ziCzq5{1edQHLx3$sjM@`c^lR9Gu8OQia!b?pkBEKAa#jTtkbz}qz0*=mfU7UgJ7 z(6!2DhKl~A(f%czAgfzBB&ireTtm%j_KaCX7w1HY^ltk&-SY zOYBT97!Qg2XIz4Q-;x!-cg)R*`eG{}HTnYe>W2zXoYh(22y!YU^h3GjR_0q_q*lx| zt%L^3A$Ta4FSn*Ulr*l|->mlQJxI7b9rWP(v;5?;bDIXiJE5|&mTzb8ukv7{sV@@u z4!kRSxr>YSnkxh|czzt(sNRt(6?rKah{EWA6kj%>C&^DhEA)9JN>(-7f%vOehz)h1& zZ4|^wW~o#mH=jFqd+T`PbxB5fT&NDpS*VyVmls=j4|D#6dBuI3>6BsndS#`s!lyv! 
zIn4Dh{xkHC{FYDVbBM{8&+MRB@GG-jx`6eDTp`14L6G^Rk)9cjbW=i7l%^s5y2R7d zWa&-)p1p{KPom$?YAfYD>gF;ZTxI z`6`VGf=ZM|9H~5H_pNi#O;O*qy;9RExU@#Onm~p7E7Es+H@svcg(amYKl3INByq(_Hnap39Xf9U_cKCVao54>2JNb6v~`S{{?8EpM#< ztoVZyS+aScsmSZnmd|C`=RWUkW`M%kh-I8+Y17HV#x5dxo;A3ge4SogYbV$k=?7HF z7bw9R4aq44)qDxsEmW-^|DpwqtyCA;yL*^zFp1eJQ!l0jiT1tJPaQstnw0}Xf6eb# z_WMJ*AdW1UHDF5-0G1rdG6&xC6i`4-Eu5X(*GkdKt#A=zYI{2><#z>`BoLYcE@Oco9hpb z!~QMDPeJ_nS?zufapOKu;y&WwKi_}%Jpx))tmq0ZD%P_%iEbfJ^0Y~&9}$xIEtOH|LkgS$&Oy{ zK_|?o^QW`J$o$i1KoUc%#Y%PiMWXvUFye;`UpXe(wp^a@NCrDAil<_RVHAquEez6=+0XuQRLjWqyDD$*-l( zcM*}w#{opwI-~cG{G;sYF&@x+@yWsR0jRt81@v4K;YA9#E*L&F?*MF-%HV=<^DECC`rp5w#u_-#_b@R(q!l3eQ8+(VCh3VUKeZ3+novZ!JLZ!bR@0d6o0H z{5mWv%)MS@g;+X?4ZVMM-p&*klpvqB=Ujn7!Z;d{30GXKpc zNE3(uC2S={az=gY@OhXicm4I<^ic=YR;a#p%Bk_vdR^8y16Pjp(Os*1cC&*2xQTjk z4Ky~Nn)+$%m$drPgeBi`bh??iUx1X=iU8cAOZ@T9Z~w7Xb18syiUjZ)R8!aKJ;DL5 zJ9#}KWo`nJ?~o20G#PwAg-t?>VO zqoNw(3Bi}|Fo~Bc#LgiaO$hg&hwfwV2yi`a^en&v>#ODVYp>zmCw>FvEFx859JWnr zuub{m2juLZ5vQ7z=_WQigS_JK*~?Vkra9VGDatg9rdoNYZ$`5r2T4DkI&dt}BiI`g zM2K4?+f)cgQ-1LLs^>MrIkWbFD;aIdttCs)YM|_5C2lk#-rA@&J&$etvgF=uM98S#L~v1&5t5pL z%c$o&npZ6gL>=mqy3VR-zf-HaP=cl&-S2aM47pnLxTIVhG+F-WlnFTI-#ib(oouHE z{I%90ztilT@#DaLCt!4co(!c@wb=MvLL|p}{^Z+v@m>M!B9UII1k%EE2m8(Y!9Ht2 zn>hPj8aCyBI$sGfu4;^|{1Kz`9XIm zi*)dn0_L&PJ%19qLq{c^f01&Nm0%Z@iDu*6ux)*l>Kgu09w&pY(s{WO++ckEl}YX+ zrYLbZZ%Y*}TaSZtvh|fDfg`|+&GkmR8zm!!kM#ikR#xUg`D@j4^ccCA=5Igq+bA5yNcFkCjO{o3lh6rhO8QjKwt5YB0 zxdPDYC&qlrzaGJzxzNU-cHs}HW@mNm{4_8~?~!IVPPHM;c7#rj)Dt>yl1R53`~D0+ z=r#|xc|Ka*@iTwWh(pf9ASoClMViy$&u<7i3fyl9SWWc8Y72vPXd4!mChKa2mi-mQ z(0nT~#zC8qB3Dwy%GxBwNOaL$OxCVW-wnOhx}yfY8cBdz>$^0xLk-`0$=( z;2_h?>mHml;y3An`>aO49vaRCoSt;NZ}PR(jjCieiys}^qn=}*^clX8NVyjOK>OFtEr9d-R^aBxQGvn?kw*cW>B`O<5beZOcSsWGRVrCj^DO{#Pa+^ps z4FcCCE9o>*5rG*uJTppEtKt^Us5Cgqm`Fk2{YdF4yL~xUl3~?R6|3z<;smK-8P{FD z+@}e}bfs{^S!b><50cx;v|RQ{x1zOLrDFc&23tzMT6q`(r;o$V)5Z#4v zlbSfP7FoD0W-so2P#mBUUn=YHu|?MhB6JAblNQ+Ygx!y5pwg+m zj+Y_F+=(nk*5S_3$u3)BsbDx}<`Kg})huR@hg-Bt$w-&>%UPwc1(#fzulxOfa!@H` 
z2tIhfs|E$3J@>vM!5J^S0Rf`^-i#g$Z6{w#!L4AM_gNg^_9Gq0c^>JU>Ssh8bzmQ4 zsM2ZZY{u?6_=t+muNrIs9tBXt`!;`U$OE1`N2n7-Vd2C%-X8;VK20!2cfAaqLnCj~ zJQsT>n46$KC;A%Z%XYn79Iac>>ac~yy?J_CzKvn(?H2;?^rp;CPx~hQnUCPpcx8p! ztiX>gp!J#9q4oX&S;5JDjI1*K+(_pd$_$fORe15a98>>D6soFTL?TSF*4zabLdT z-HK*>>HMJvukMA+P1;`i?-;|&F8;@AD`B9!>a@4@$D4s$eaN!Tv4Ydm``y9@(MQNs`fI^YPn$ieo*$=q6AIh!JhN+;p|;|Yx))m?B&I|^vB_X`K+_x&AJ?vK zTWE;BSCZayAv5pfBa^~ATUG&i4cAI9!*h|jO$Rqj+1)}L)xi7Z82g@%M`q4sCvAtP zoYyM1CAp9>ZEFEv4wt2o;J4EoMvzBoc19+V5;VYtNFU*~seHR@&|7qJqyKDXw)fQOA@HT_+^ zzx(cl(>dL2o#EZ*INpT4r)u^f!*r@hZO#*3H+I8z7y-Y1snd#Ks}lxrB!gNN{rzJK z=hpql2srB<444G$Y=ff(K|{b2kXZ-l1SZ`6A(tB=LOdO)0~t$Jh|apR3+T>0Ce_#% zRata#u-d~KUr)_+a*el~(S63~-3H!6JdYQwd`3Nrd_MhOUD=d@0c~05dY|?6dS5v+ z5u`a^DFd82$VkF30+m;`QE?oun^Tv{+3l(m?yQaqcprrM1t{b`Hk!i?=hE07Zof5+ z1KXos!&K4lz|{rlUelCPhJAkR1*j~x_$CNEb+0V4?hE*=eX>bk{-p>A`?OLDTgIRd z1Y@?a(p#=-F+`_6x4>A}iy!sl3qWN1K{Kgrl57v43GA^N=qmH66Drq!;CmOB;y#{W8yOIHSdP1QvBl`mlBuz$5WX5RG zSG$-G3?bWTGjfrOFZ||nc)+`KG_CQ8FM2fJN=(SjOUAY4$IERv4Y3m3%nqX%2C))C zV#v`RNUYh#*?GfIrUW+86|qqJs*%q6m8EGe4CO^T2o zHToQalZty(Zuh%Z2vyjuu#XkXZS&{348H~Sm-U%rcbq^wDJuP)J&dY3X7@_6bFqT5 zP;yH&tR0Sy2v$TMldfQ{5e!%oI^-ici-uN|<1|?O4FfB=A4I$*uH_af-k#R{nx_!^ zb(^l>Yc%H=qr|fx5$(Q^{CLAhXskvM$0pP(_CnqFRoPps)9^LN0`|)Xw0%gsCs(N~ zFQ{;g_LxIQQL&S^Us5WOXzhzs^I6IYu*uB3Y?MX&^3|oVG6Z2LD8O0~Dy0|hGj@8g zve&~Bn}9E9rnPiqTfsTjQLhx&;9BQS_X+*%>%~!$kK#02n^m_i^v^*?r8bJy;x5RS zV8}NWp%m+)RJ$bhip$nW9updu^3+Kh2JX6ftK~z*pPZk_6vpr)2xzs6v)}PkW>W?0 zFEMj0zIxZZ+>_Ik&=lyD>m(DR2Q^D!Rw*!MBM}kGdU7}z-(xB${3BNUsZ3!BRLkC*tvjv$8R!T}8Y59jc5!zq66hjuqsz^mnN_;`uhsO?^>QrtXlcVrGV^ z0-QoN{27m-9l#-&upCkuhw;p1Bx`46;y7xsPPQWZbES0#hgUB21>WDM5yy;tJG-;g z!XXMQ=N)kbmhPoYWQ2T;12rt+{nhpEMo{@_00Yf5r<_l|q1+3tnPmSpnmee7UJln6 zmM!akF&X2aEAfK8aVTewDW+7<=6t9hm>mK37D3BnwY7^9Z(5Vu_=fegZuq$Zk;j}J zBn@8N<}K!Z*{RIma)z)>^-_HLr^3Wov?n?(q##(1sfUWPY~)y96AYrtllZsRT=3_DM*HTRaow=6YgLMh3xVdS)aeP5 zvr!6G1ihD<{7Q|Zfz8e)0e<28T?4wmfXW@~Z><4{3fz@;7sd)9oJ_j!|Kb$i9K&)2 
zG%auwN=PjKM?joVApwA~S0ac1-mhzy!IL~*3wXf$S0d~|Wb{zxuO&UrAee8!hz9^< zzyP^qz$vf|bn=ANtqAgYczDv&1?`{lDx8R4`>inG5_o>8?SEH}2`y0<8SAbz)49rhG(a%6sPhbYLhWacl$}43B~j}#Of9F2xff07isEVHV$L#G+^rbpUQqj01WeD1?K#oI}HYizVki+VoXV2XR1MANP}(2 zlJ$ra_+Wwy;Qg-k1@Q3x^E(wPH-8G3-}x0@JfFe?!1=nL?|tNc)Ck6lF}#(wENrZc z3x5!em=Pl}+Dw7UHnyQ6pH9q3Puk5nskp82(^;j%Mon~5x;-#Y+kZW{=89cBZx$)Vr{_CRDMowT?pSz>M z2=BPYE~wi{{z)6?SCJoZ%n*Nl6`xR&2CC!`C%hm`XzDI9L=VrQ8z#b)H)0 zRVVesX#@USrowp8JoQGE|McY?@>zlBzwGDQ3i9A@eAvsH0Ezwxp@QwEOmxc zwuMk_MJ9&&{&B&{CSNQR&lk_%xh5RRlcEl~D$E9if5$ujAR2{dL^t7-CV4ftQkN!h7v9Xdy5Rdk`^L|z^ivdHXe~ziBl7iLF87Bia##jaOK*pzKp?Q zY)D`$?URUD3G1#K&WqvE$wnh|ppQZPyK2b@%7FVVVa8N1yxx-pTIJXaltl}K-p${BL1C(B@R zF+|Y%E71+z17OFA5czK{%vWC#(%8Y!N;-$~GU+2H_VnX~aD!krUTTBGAFlK;CkqDC z3;i6Vu|HB!9R)ZTq0%mhamwTuMT{iLlNpU+x686J%Ut-EuHL#y!%X}GPgk6aGmcL8 zG_bwZc;Xq$#@Ki=iqLpqIkXD3ScaI}4d}(%%S@s(<_0*|l%Y9WtPMcN{XL1s0hkTIx@wez_L4E?} zlCR}Cn!#Y#I98(;yJZSbf((~KI)-f~nb%8$eF`fICoT-K%JKb2!0Lg2 z@^aI_yWk_h=i4WMq|XxY+B9#&&j%bpj34kFJ8aMXiRe`SJ?s_s87VlBTsZDKG#K!B z&3kEkZi5e8RS{hE4(^7xU{Z@`m`E`hOQ2s%z!}n>NNF_{N;92-Ftw*{yu^?uo~(P? zMiw8SPU@C^;Xivg>h@#!+hW;9+~s?H*pUNd$acOya261FdWruy`Fp{kS3oIua3ibz zM-{mCykyU)F~IHHYiyU}{voe_+4O|}=5~vuz1cgJj0boOV-?7CpVdBL;5`Z1YS71j z4i2%eqjY#tL+a{)bDor1>HULQTzb2c4Kt5-<1-(cdhPX0OUG9~Se_~1H=Rf)=WX2X z8{_BF`^T-4uXk;HpxPW!pj;(U&h{K@rwa?gaW3Zkgj8SMajx&~t1|&k3e%N&IkTUJ zalM=4)7AOkR2`>>cu~~1>VJY77bQ$DYHrQcbr5qO=Q~ICK;u}~>f4sr6QiaRb`F#5 zgB3&sA1BIYlRW4Drrhl|C09!cAhQ9y%@<~!I$akN60RVRYTmcT6+%yoW8LU)t(uPG zA(sbhuitX*yx!!4=u&x%bJZ=a!0R{ex`soU_TYWr58^n%f<36KH zr~BB?D)ZsjUFvf4aPs!qsaPV+1RIuGo5^~L;{o4?av#&!l|OqP697y16|YNBwKj~M z`nj#5uSiEIPr2UYw&#?69PiQjTl#TfZ^!$YLJGVYBgSUipe9zA*UG?Rkh{;!GuRsh zZvTLJB?PBefgckGf%^av(vxVQfnn$As{(bsl;|>^q+07A-~#Z^%~S3>(+u#QoaGiP zS;v~5`^O<*@9WD9L^Df-Rq`-wbHouZGgCky#Mh%U)&?z;HH*DRz@tkXmIGIfE7 ze&Cj)JcFy3P-B+JzYc5`CA7)|Q&qSE;V)zvf7EQbHV9MB5kgDj2^FPL!qsvQjBSP)?!Wh>Ay{Xl7}9De z(ipB`{#ZyW&CpxHd6sP{TBP|(68a7D`nz$6n5_TkZVzfC70nda? 
z$)E5MqH}l#zbdTLWeetFJw*cV$!vp*P!p2nrRe*#Z?#x#U$R9JEC*}!k08!Y*T-EOVhNr4 zTh(X^6)R}MlRLC&WO`5%{%cY>cQfV+5*i!#^giJzuHGmmsrFF7V%=If;tx^inh}#G zg|{|~;y#-YgK>>|MfwG^r1)XlaFYv1#N)`kt9XX)K&nC;^%;3`beh;Y)u<)j8Z}PO zPlFvr0+y{wpDB6IMC+lQNJY!RlF&8{)Gr#EnAd8Z!X#p9@;T{PaszZG2QN%H)6*;r ztRL};!I{{$s6hg#&}-tAcmt5~C)x<%hWo;ly34AQik%s=Lp&VStNv3J1;$U#C2DdG zdBi`VN?MRVVK#3cfO?>0?T1hy^Ya%yFw+KS)(znKbA@4ARJ<$$|3Dc%zKa5*6gTo3 zj0Hs`3usnIv87U^e_E7C(}*BWw4{z5k}8`_L>Htqj+=^Da?7$V*csNVb?u-8a37W=a85({OK zP?Y>-(h>3zmEPRc6kCRkc@_z(=?lU^gHq~&4u7l&&J65j-l*uH=(nOPC%v0B5e9X6 zbW7eJD~ zgYimO;aKJ+_eJz#M#IA28yDh7GpaFrE%S()r70o#@wJ!3e0+iEQR_p z-=a=`?ysKDsx*@Zya;n&mvNV=nH^;7^@d}zQ{Xso-3 zCg8622x&3cC{8UoV#}1gK~wvyF--`z$ogk%l+13aND z@K=insD{a;^-{<3aZ7dLqoniR)O&rRYr1(i-IZytY4>n=eB7T&=yaYcWj&_Pdtpmd z?KG2N-_tZau#(kzHXPvm*B)$8fTZ-wDPtDJ>z?iQc0Q=B;W*HE(#8aI*s#XKcflCy z_l6)URL1@{9Edh+txFe0~lYG9SXCpR&9UjvAj{Wo#RVuhnBZN28H+ZJ0WzwP9@9OY1H^)KI;WZ&L7iF%#pOOyfpXXy{Adu|b*+e#*>)O_duNu!|UFi%`+yRlt!y!!RrsLT(FMam_gR(VDZTDJYviA=EK$~H+ z$v@K2)dP2`8<*2dTLl5QD1y$(8t3acCN7gm>m=8FYrt3vB-HeMaFEYYpBdD8TX2Z!QrISfNWHI|pGVPVk3omlXe-k8bxS#+lHmdSxCv_Cy5BAk7t?UZkk zv0VyOPK$KwGYC0eF%spQt6X%B`jo2IM=?pH@DUQW+$Lxn#A#+D|c zyai1M!yn`s_ysAblW~Q^O#;a`qPF`pJSn#Dm8FYLHm;Bne$+GDA$f!iW-^Ws%OzB| zvtv+8W1tVm@vu+tHX}ED%+;xoHC6m7`C-eY+8kMs%VNW%OQZ2pWjgLxe;{!izu@S= z0l5CU6v7KO{@NZY|46z4C#M6|td@RzZ$q+#m{{miJf0kZC_u;_ULpU;OUYdDN9Swx z*zaXo)YCreemUZ?PAIjr{9+-)RYGG;>?l=q52G(zMOGp!ZcXU?$X;J*CYs;56op2L zUd55Fi+9D7ZVr_ozRk4}zy(8|z$z6+J~(+*)hlu!G>gpicYG^I$@Qr8nq{I8l)p;?7uT&+9?wdmXo=X@Cr<(monTld92GG>2F*{KLT*Ssu1O9JCtZQ~ z2v@~$3_Yj32J8nl5-U%&f>`z9 z*fxqg4%8ZPij2?^u%pfJF|=KnEmU8drKylwUz{uklo$!0oOrGcXd-P3zgtJ2!7HFb zMF^sZu#*fK2LB@avZyRd93AGB$`l-K6@ZhOE^ZY!`S({S{?Yf8kfk!S;;Fn1SX{@d zBMZZhC5EI4ipa2VRCo)_)#-_L4NUg$=DQ=F8Q)Qj`cO(lWtdf>tk%pl8pG>K_DYJm z$9T|=WN?II{%-r%`}i}QXfYH>Ti0Y+My*CfC7=w#ep%k#C7r-aD|o>5qNBWU(h$== z7frZIM%B`$ZSSr?`~#spO3cu}H;#b6%#rBnp)Drb(9^{myLn zc>!e+Kk4WBjooypOrg9-(u%R-4UfIM&sCjQ?=i`sep*06;ll)HS^%j+8zN6c(xt{A 
zc54-ahZNx;XrUEkxaU-^;Wp)f9TR~)l=<^yH7~?P8Wy*?&oO>*qnKru)*>L&IKs9x z2Zy6RK<_x>!EW8a8Fm9>AYbTjdOW2&9*=ejdD|8~<+FTQva^O3hQk8HD?`z5UW`IH zB6?e#)$W0)m$wk_KwVhsJB2S(My7u-D=<+6MzyTs_&YBY`T zLz@XdQmJ`0aRVyWDffNG@DH*`cdMg_#oI;@V3A?jeO4udR|h#GObQqa{daHO$eYEO zZI>pxt*qv~D67r?BP>05Y%z=(AXZQCfCB0#%K=6$()K6l&WkJn z@1jQ`qf3ESA9m!oUxpM?ULK~Nx;bu;8f#1f<@Z zp7O9sLW0g!289M~8-Ki8EVYT}W^SfUf%Qw!8?^E?m*LjJ%-ctl#Zu-m%0ug^3=^Ea zMn1>$zgz6yjYNHYxA*=Nda11xH^Al1A35%;vW;s}rk8`R)98>}qT94e(EBtlk`9b6 z@UKX&4~>5F_BI~B+mIt&72n<3MXD`e{`q0Cy_4vtt>^7N|7Sd$-+iJf)7$Y{<2s&? z$EDLCBT-v5yS@H-jzqSuI(ER|RJ%wG@_%;qNO;nAt5o$O^ zBV2>2B?@oL}C>^m7)sR;}8I_43mYC2~6@#tH2 zV8V1?J1;@Keun($;S0Oi?vDN43#O8o zRLy4BY3DU-J1auX-tz~#Yg=94IS%csw)KQgJ#;?5&#>nuOml_L{HVpyA@h^Vaz1cB z;s(LsbZ36kaUp2B{zHbSOW-1Uh?Dm-JsP}o2cGc-op_)3lKeFRfob*ue~D<%X`SMlh`m>n1Kny16UN<*1yax0)A zOR=CuQQfJVmqj!#2{(QaJ(xF$WuWM6$TD|53O5h8i%aDij2&Y3u_>uW9&)OgE*#(d z>RJCIAs~(H%Ys4yKdYY0AzXE!DX&RW;J2rYV6@QppP?h?NmlTIUsB`|k18arf?PPR z(aPI~hOhzIkn2C(L8b6Xe}ubiNsRcS<>~Lo(=sl8DDmHXM^LCPi_5HSrZZFgBQlI2 zR)I`O>#)Q)g8C9{dV)8LeCnDl+Nf?;$6**`X2R0_CCg$%r9uTZ^d)2dtDH!Z7Bb0D*S`Qw2uztEOr+IKMZGXQ^kzf!p>h!AAKTUaE zGZC8Nl&Z`Q`qiK=xG63rga89|DQ&Am|GZ?UBJBp1g>JxgG5W1>la6AvOtWEL^ZOsi zy6ik0UQFyPW&lK&s$QoH1=x`w?8(N3)O*pCKN-_tt#5YjwPlP z)>=9tP}zzbU%$Sd36X5!{!J5wPirx0^8dmb|B4!rTPW3<^KZzlupFCVoc;$~Y9T^@ z#R*!mi&qr}tLvn3Kg;U*pp9c3>m3h=k_d#An(lxIK9BzBcd{L#WFO60TztkO2VE<# zbj2U+lArF-tf}ZapH%a8Q#wqUmIdMYBTeG?c+a_}qPXQ#E&yaCvd;BvKpY*swQs2= zyx?XfEp;wI94w!WBzke7a8IRy9Fv|sGU@CWW7o8KpZrw3m?lHK2}qlbDED#|YlGu< z5)EuC6l`S8WgAmblpwm07`#;G1$DC7-Fg2>bZs*Qg8K8=|N2`u0D$}lX9=x3Ul8lu za#_i$m>g;#wy0Q_B8<_m{2a^vkKY&5z2ox5Yb}A}%uC1(o{b5XNfvQKLGr~SZH(1Q zzoj}EQ!dzVZ|iCH11)>c|IKz1HjhU&i=JfOO49aZPB&tf|YvUY33s;xB{M3+s zbZo5Xq>Y@tB~eIyvtccVNUF&{FN;ut4kRkzMniYhq>(7GdT^v6DuU_2UDE?p3nBc} z9WFOat_x>FsI6y3@6I_cn1ZMa>=2P2Yle2 z0PBFC^ahl_MCcNfIRV6quM&^BXq?XsZ=7$*t@65NFJWD#Ex)IHymEVWz7TxhkfC*M z6(~*YaA-d#B+`j~o4OvMGpHqMWqqHvX9SdhPFYdZyM#;qenfXwSb=DImnxAyaCjf4Po 
zS1I6O%^1f1Z52!Gw5hxFauSn{lfLyTw|3hnwCVYab0Go%`1Y5nrrQsw=E^i1^RTjE z>q2|?ce(cc_yA80nDTnMe)4hQPB4}8^scPveyfR9JKKF!zVPUcr0@62P+v%^?55oV zocuHaPLm<=toSYSc^~!K@^#n!A)uoo`Y7nRWyYFX+Y55t(LZ^|5M3{#331h?)4gVte22R_8LG zc;H$~egk!4(>~=zWkYZcolR?u$lP+(yvR)6 zB$G!6wFM-|+BK?M9lY}{o$auKz&T)`9r&f^)jkmf{_h5Hg#XHvzRpLhqnp4%9fD*G z{OQg;(dpaA36=+lYJab4Tkvo+5cBUlQj;JEt%C-O$T}p;b{X~BgZjV-#a}|aIpg*a zHSw~|p(e}>S$bhpG>(3#GigY0t75(qy`QpJ13%HmG(v<{xIqi)O46hm@vGcSMVK4y z^6|GHXZ_tVS!EnozmleQ1J(OnXynz`DzHeqeY(#Z@_2A@keSn-*>YsttYG_O8M9Hj zmCm4}tBTTe)pr4lFqEeOIs@7v*gf!-8sJEL$J5pVM=UAbr{%aILiHcPK@_tr$ij+b7} zr=v_Ky@ITb^;X3k7}=|faP#h_rgSv<`U_?g0&n8MN#{1ODm}d4lnsuY3h7U9L*a^_V8f5f5lanwuS54l#8Yt zJ~NB~MH@wvR))!U8cn95QIio9?W1@>G8Q}YHz~@#aZg_HNVdddInhgElRi%2{)>Ap ziVkR(=M3E$wZxx6OR$u@HdJ&P{Kljy`Qq?f<6c?0$u6aNBU*(Gn|UwsvnU(&Um{lG ztZ+&LetE^ot?F44J4$|WBhC^skl1rXwjT)BYRu>Q3t_i_b^|!9(;AmY9~>n(yQS2h zy0uD#fKxin=-~QUmJzKX*A5$imR`8?<*m3*Nig_pM4*%Ls&umR6q^y9MG1|P%XSU% zQvWE*cZe0w_DGfPX9z}QISi^%%(sJOVB#PolpEy?_&wpnT&N_&{sTrU@6{e#oCLOL z-8yw&(0g#+Nd+nlN*X8Z!v>fasn)K+1eGjKCU0~UlPh=udpT#LWw_hcbM35MRM#YCnk8?jPx0^X>7@uxHrGh)ejl2b1-Z6dP+FP4s}A zgmnlUw5S6=33ih_g|pOp)TIya8c80hTuNTJgfxr8qUd?GzzXbUR#NPeWb^s{i`h;B zDGs{>K60^9u3EN-?O<3)I0~_m7{@PDCGJ+9L%alX_)td;a`YxuO2uZGq72AfT-PD; zIe3_2e@G?fTv(Vqlv;C9rdk)~lA0$OL{*fxgfa`%;Mhv~A^1qwqIu2-!ycwz=LSZo zq(S4B}UpNazL-C{hCSUEr4j}V@^WLEg)U-;fY?ED;&95AjKOR_QMx;M{>URb^ zx}7==!$rQ!vUY1NFl5|*=}Xco6Nh1*ni={=3XpZnG8;3f;#iRn4{4a-Ec-R~*ONbS zn0o~i_rb9LcPX7mGxE~6QrNU)2&XEIs#uDQ&_&xn?HYsxm9#3B2pbHm_Nl1y6I7S$ z*o8%e)(;Yzc;Vz&Q)Gr=5*hw63#xR#jZ`?9M&>m%r`S6j7*%)*>CIZJXlH&)5B%sZ zS;rBjAzPD(HdHw@MRv1HyoVy5%>N|-AHk(v`*hAYkN0FfglSE|O1~<@t~o=%E`rkV z4ZaF4M&r!Iro4u#tmme&IlLa}uv^-B6eB7|ouXMMP32dp4W;;iALm$-jicl(j>Wtu zWw!bM%1JN31-?Gphxxy!9e|Y23J@BJ!W{H@kP5L$|3QnyKiB`{bA2)x=)Z!3NPb4| zQ^Vy08a}yG=cY~z8s;BY08itQgJtfAywZ3X1>f`RZ$CbGpUwb&>h{H2L0WznRBkV? 
z$r6pbWZHn<8|U>K7A9cx@!wYOE~nV~)qp2K_uh^fgwFU{qF~^i)hZ9@xEEjW0%&|K z@X&BHOf;kGh_+XhnnUBZqjA@VvyfiA%rj(NtWRU_H=f9ON#w26*6@BRqnzq}eFxBK z--2U3szl{vOy|F?A4J<<8p^#Z>E0|K+1zZS0X-`1==?h^X5I0;PeI$SPoCL) zx>~>P73kqKo#I#Lxd=wm&+WOx@V@!NZ^QI9Y41%Jxvvb&+BuIyM4pBW)}XK zP^$B+>KuKB^kItyMuHIlJXEgWwp;h1$?IGx*yH#5T&9~cb~zZno98CWe{AY?-u(;3 zy6L!ieHkLk$mV*9R;`lB%w=kq|Hyh&t*ri7lEK{qcv1APx` zkJCZ;AE82{{7rM(TfB%0_+Ecx^n+q`J*YbdYHNItpXCVq%v!F~oj@GfLo3Irz0G&% z-g+J<7O5w2y!arwJ+~WT&n>K-N&Wa}o(uigKC-Y6+vtnWrf>=Yy;AG&T=Wby({sk=L*agBuIPx}BYy7);!zj}@5AmzNe`>-bz$WQEhppMC5HFa z(@U7($?L$jSDu|F(9B)S#@S?uwXVrr!)q8p%RH*m4-8x5%Hd7}mD zSZ&i9F1@spr4R$060`+On zPwy}wKkzNk5k%Gq&nT80?mmZYj&=Et)FlWyc)}k`l#?tD|8DoEU5g;%i&02O{N{IA zoT#K<$>Bq`A_Oj;e4K(J9AfIPa!nY`Z{JeIzUM2!Ysr>~E?0`#4$3zD4*%Llhvk@o zEKH`#Uhjn`g&18GH`c7|fFSGdlZhe|9H>l_T~QXXLr>nOLYt5Gaj7xmeu_COW38C1 z@SBWQC49WkmXfc0<^1(Z<%^Xvg#x)Y&j{sw2%>zc(>Ig-phxK@Iu(PQajy_;1E?j& zjcYX}JF(paL)Tecb;11K#$*)XC3HhotG7_UTC}tCjzx}sE{ZEckUA_t9h_0(L8$21 zThi8 zxKpPUhKm#}oWUwff;CybbKRwYgV1`ZqXudOPBFs2B6yh&vKgLRJOgLo4p+E76Ir7g z3qk3O4elO;T%AglXgSPq0~JTY0x}z3OKK$&UNu~m50>5tRgcj5A?qA6eDeGKq)Q|u z-mlVZ8V`T`i<0N4gTY2(0{04eE*Dl}fp`si1Z#tr9t?P2`kK=#J9fZtQ7Q_ya?F{C zzpMG<%!rVaj!Yt$x;P`EWLGBNBN$b&{s2+$7B2o0EmSUpXJ1A43F#2A0>XsaygdV!Y#-CY#XID%!$5ZM7)wzI} zU1e;AHbo@zb|p9>rdp>#UU=6xXu&AflMxpdj>3MQ_dC#nx4LXV5=q>ooQFDX2`>2x zH57|I!32X@nS*9m74cFU+Rnva1^zM7WuZVL#U_?tsiu^T?MB^oB35`^ey{&~D>56V zSh5jwe+pzW>U^5ggoue1DW|Ewoobp#v8N*LGAjbr$xkc6AMI&4vH#eEu-hCtab{8u zzB2qA=u*B{g33DVl;+$(T(8?^`jWy}35mwJARicoK&+|Sh`}Utk)4w!cJ>9z{X9A? ze2}(WrDcsEW6VubeeI8idRbej5>MP%2daeu%`5O493b9Kbe}ui3PO_(*Dx*sz9)j~ zWV;OqzEwiJVG1MBmT|Pep)Fj#AMm4PTZ3G*&5KZ!*#UA{l?&*yflNkP1JK}P&x_&;7w1{+Z^e;_3NO%o*0C~c6i~&p zUbN!JX-!*~K{(-bX0L{u59nf3tsVW}ub-S$f^sc}Nep*|dlzfsLj+Pu>c0e)W@

NARD<&H?M`TD26uD3zly3d}qJqHM1o@jmMz$b>=-?rKURXT6 zP2u_1Box&;?jB@Tn6WS$v#W+j^{}+#w}v8dwoA((+*wI1alPj8)QTmZ)YJCg8%2i^ z2z%F~{#}mseN$k=VFL?o8_QV&$pSOvYDF71rD#KTCFH!5!9B;#vp^m3qi>ZvGRV~$ z+L4_v0#S&Lrl;gx&~oL&7NuZY5vTb8N&<`jl~b_GELXk7D-ugP_(^%t{o@1@6kLq? z38N+s43)yB`s^nofA*8(sM&fs7d|<{_`ZWV5xpMvHR+ zJs+COS*g9xmv;)$oHf30Ss%PQK0$_$KH!oOdD_eFqbSvbrrXNQosP1W2ZSpEz!e&_ z%frG>)qBV7vC#}&Vu_1ks?H=S`FsIPar$M&P}@Tfx&6ZwqhiLe84;Zu_nh ztJdctqIQ9Z?K9}LAt**anx@^-ve!FZ!yYK7JXeid} z2K}%CJ=t#V?0%=0^2UqH&f-DS|u&00HNr*g|^ytJ+Lh1i~yRQL0(6no8;&vg5v z{M7x5YS+^j|enkvBOtJ>r@!8}p(aLPRRAi>A&eqgKKUHCpd_p-49oyzTy zts7bSE}iZ=$Iu(v-$*ddrH&pY%frhVZbS! z+i@cRbIlbMgLGcX#BE%dKIlvPVAfhLkjVRVkF?`wG&1D=k#h@vdIvkdA%**`0RN7? zgO&fw9A(!+GTYns1|&{bB^hHsUJ-nA|HM4>9srgl-MSTH66!8Lo5;kUO=J`#ROnhE zd4OzSFpmvY7sTJ+HZ?OZwj_2Vuf<7 zKSZ5#d!13Y^_wP*(Z)_1+l`am*iLqA+s2M0)bZE?nUaOH`d?CJY=KOolElvUjgOQm_-BQrH()RTj_zTs*aB0Siz1PxV zVw!e@eewPlmo#+5piUVZ3qp;a6C1Z?y(fH0k3G}LPGKxq)G#re){u!rBWED8(19gR z-2EA1Rk18G(Y#@{Qj5jvQRR!yr|^~jfz6}?uv=>ldzdKbSMKU})mBku{_2boiX;+3 z4(YURH^=;g1HnYZPHRD+L?;+~2|*nSssdkwl%5h2Go3v&EIG=EwFr*KKXur6JnlGY zWT(W&7~u~v__oMVBEN&Y>Bi&cHlY0^woloS_xw8i#X z$3K|-PZ3@g-d>n&Gq%{7xNj|L=J1_4A=P3mx~bxyn$%tkG_WCd9;f<1Ba6rAVS65S zv&@)rx{r#)eI2t;2_B9DRl#%k{LX{|j+tIu%3}fZI9sm+Y3R_Px!}3kuj2fI-9`m| z8jN;!5l4-pcpLM9=rKf1SvstJqpadv7L>b}$i;CEn$qOo36c{mxMZE*KN9RIXD!uU zLhe>W>6(~YW1cF(ks$Yv`rrTS)&|gtr=91(&s1m>T{atjv31F*Kz?N!e30DtC|)H! 
z{S%5A??<$APxu!a**Ym*LRw-}q#R;M$`JOFVviI1=6?FCA1*U`MVnkoU11g(hC>*3 zl4)%%#r?~t$4tO)b^q5-e*UfHbFgaVGxbn9I#Z`>MDW@QVVE6Fhi`Chmn|v}(FQ5X z;;Zd+d~z@Kmei{~9InL%-I>cOAG@v;ln|x*X{ZiA2ebZ-5p+o{|F*IUsiA-c1lk6P zR@|9OTPzi3>F4@T;5V6=)AgEC6{$e{+?7}}DFRXEg%W;~jPE^jHjF(-X*|*T(ZVKh3DEWxBi`ktJl&0ku@1-`-!-P_L5jYf`M zpcJTAJ%ZoFSjl9y#KF|$=g*DXzTisE^=>6R@kI_A(ZdCaQOW@F`D{O{&2mso7BB+RmXaBt*9ROt314m#1}+@zRRV zu*U^S&{pMqrSu~jtH9X_Hf_{>eF>`+R(r`vW_ZMT!y~&qxjr^{3is^1!m?_2Vg5>D zZ&8BpKEGg{$LO!hFtPf^heOT(Ea%WZ8+VRB;>1A_x9Bg&sR3J-``wej<(HfH$L#)jXc z^qEB7mp>fee}eGNJoi#gKZ!EIa+j0@@~MpjV^2iUZohLc0h?B~p2yVfj4Pp?bs|G6 z*5w?B6|7k@?;n1w5#5_6ONTMtrkQ=$9LXE`FTb7Fx;N{0_HP3Zo4k+fI9LXCCSe$6 z$J#T;la+J;mjkXkn)`1<53RSGjL6hh^<~%nv&{saZ?z}4QFdcuk8Z7Q(+BNbK~s*| zI-t+Iqatsr&c@e=_D=U+SyoReX}HUl?R0IO%|g4S^Jbg&YcVYGOQNO)2RWk7W2dJ~ zMgZUA!-Q)GxIdbC|ASNx0F24@yecd#9jOPkSKhwWO)+?H{z&J4m>)bIGNEHOo^a)^ zE+bNn=EvjZRC;~+@J1X6ZSuJ>oA9x@m9wRu>MVP>s6G7ro^bWj84HM-osqaY@e%-jYqB1{rXLJ(_&4z&WF4dJkRX618XUc z^mHHhxw->;xdmBHt1#W_`|WHLL_&~P%y~4=>Bba?=6-;=rEYB3ZltFUlv0Fk?V7(weug^RoVhGy&W{Jp7Fn(j^cZnoQxuF+(Y zY@O$o+f(k5$25Y}Z%WI)S1+ z8*Rztkfw0wv|N@MvgaHoE7x#d<2eB~hY0DiA@Ofo+t4FcP4X&jxV{qN-RLHI{bBq0 zxfKxxng@x{gulugp_9I@iL@CHku^)YW@-#c8P!|qqq`VIl(G!_mVHsl#EHStJveb< zfkE1q6zpxV+9Y@8MA^2XNv3%H`-Ncve%Fif_^NMsEXb$w_Yaa)B}Ago2-2U$B%cwB zlRtjMiMzIYbd%zYIMG-9N(f(>yp@++tOE-6J4BI8!0j@}M>+o#9CS#A32h_zHY#uS zq}7eJ0=*WO+L4B1U#r2hhgi&B%ehoR(z|zjRue7}IHJx6kyIjCts;fOMcgI-fyVen zhbHbvdA?{?1KoW2vyRE$i2(13+uv!~!}FYFk>5qJ*Dv_%81Z~#a`!DADp4i+Rnm^c z-xnfGgjft=!+iaet0|!kf9@Ndh7Es1^5i{<5|z}~@~fpG50BIu?SF~{`g!FaBC;HJ zz|PYIe)r8RFpZ`kLV=Yi?)OK=GLV4XPcRpdZtC#ca*}D1^Bu9V;4KT_GoUIFgg@bl zhH{H6Z|lsnoXc4$2@(wLlf)ia@mZo7$SlDSs`)u+oLVaw@XjWybnoUezaTL|{nF_n z2jhgv==2_F+GJKwp`yq7i`{MYpk1^pbvOpQ47s@6FB?;_QE{YDf2`W`9$9+v-o699 z9NCwq6vHbbEh*gxmL>`?BuFo2TJ1dy zS!XfQ1boF)_45)I6=@ihUqS3QACTqU^q;6>K(bH9fnkR{lr-yJnHFnVtN;e59NBQD10%QVjTDd1}}JuTb|pD^(wj|F`qymFeM z+#~2;FUwKW>TlE#XHMu>d}AE39pK9Wf((BD~&K?RvmK{EKWRK$;t8 
z#1CSsEh`$XM&cj1>X3B~6quN^y*1-%Q9fyA9D;3eB-l~8Qlw%mw3XLPlm)#I`LbTR zVV5qWYea3N1=j(MZWO6 zCGoHNG-?u+38ft2Q3+sx2W&$GuB_|m4L$rNWn31kHR zB%pBhG%fjv69d+>HFLfj4n_^U@gJ3Vb}gJ?{!F2krqwIvSSm8hs%#^VCYbUld#tkM zM!LUdX5Zz8b_Q}18FxfU;DaO%{upKb_W%dy*jvop5m`BaFN;GjU#99WV>?B9K;noL z;(;-*U_upxN7Dzf0BDr{CZqqkVJj?606G*Il68cA<^NYftxj z@%zW7>g}_&hUR+HASzF#^Am@b?Kw&^D#O;pJPP5K&Aa!5TATNzUyO}PIYFZ5^XOcY zrp;=f)MX_D3}2P@dQ!wV=`kjmc}=dV zxY=&=z;WCT(eBRv()>Yan$7=+VJYNNs_n}8wv96vZLqzi<#VXcwKp=hnN4Er^N@W> z%kTM#e|nM6d3cio=P(9$^SN+624rTff8<#owvH_LG!G!&UUNNB=)WhT5Xu7^K+f+H zQk(4ylVY9s#|T8AT7-8xR>$X+N5DmeAW`#vHBrm$BI#9nGcLnc2k2n%G`r!j5MdYK zdB*4Je!Ev05fWW&tpxbkjhbA(eltae%QkDns_eRx8msi_$LxhK6qDmN4&l4>NAWu9 zn2=S+(>z`-H$B%~>F^vc3)#9F(WbR&$8Fk18al7>x!aj}SqjO)X5R!eh6KdX*<@pz8TBQ4azZ+wk9l$OU z&Dk*a_I$***=~_?ac;@r{xXxo`&ad_>cvyPQtEH}*@Eu!X?j#Qr~gxd^96ef_s7%I z*bE1&+*Zf7yAq?v)jzBz#;g~asnn13txNgDO|aFd=fh(pxcd;Cy#|`TECq{7AAqw- zJ~uS{p0bGFd!YC8P60J%EN;MTwc+F0?oY%Lm;hWVUC~Id>_C|X>YW7ZeJbAb$Ydw^ zG`1GuNI@-@bZeR~`;@4=4TPkM3(6t#jrMCl-+;>_7V)~f+#SVSbxHKU#{5YK@Qyw9 zD7HltgyOkXj_!u2f8Q1YXUDN}4CuHBuZ81S$3!zC<0Z+JJ$Fd}p`NX3^1@=R5ZN@* zOub^O+!OV^{r)_Q`4G7g{SkuHff{}Gy_Lp=kxJ)<8ihLH)tKm2Y8G?K(#Pb_Ut!|y z4KhmnGU7yY*m~37CDS1DY=js%?A+&T$UT_k3zZw!X$+GushL}J>7CJXlLg_rB1}X| z5KP2m!h46kiuwKDQ3WM^1zq+3aPW%O!Pgb;33dyiq}%xxg_M+2tg2&?ms|KxVMPLC zNCtv+cfaLNveWCH|4>5{XUG5}`WZFunhZCbq$2+^D>6vc>Yqm!d6nrJ=r5CDgOtMM zxLzWg=l)yVZh=S^h`!~Dc8W@&5}_xNSnYJjHXyRX;yt%Y~%25k%udOw@2--(N09?wJcEx_-p%k!-K*H4`gmYqzaD@Zmt9DUYY$?Qu&>E|BM zuJkH8D5v89w34;WIRAf3KsDba>b)tLMU^UTDpL`@=(wIP{yvMLV4;C1dq+KZKq?uZ z&yXEF5_f=h667Uv+7;X|8`6j?^CQ<$jsF#sq)r5c5Xu+L_eT!)PK&%NSglzt(*04^ z2_XslP9$g1=v_R#i+9og$te3JeF-z5goGnb`>EyF=B$JO-@6Nyn0Fzq#!48 zFsQgjT%)0eU2m+dVC2PQ^@~fWe%_+U&ogJ$e5@qF5;Bic3W;_JA((36*p0m)!7wi$ z*L@XzcEhXi5O*NCCu&^Tq~HX8A&MhFSyQT4jcQC94+0y{PdiJp*$|D9DrC%yD{`lf z?581>>8-jVOT5AK1Ww+vjjD!)%tFMuaK<)vHHjem)>m$e3AvIems`+VF~_x}&oHRM z_O#m%HG-}IEPi_l{}r`jbiA7m*6=_V^DZEaHyzy(cL+FieBe70=GBgTd{uMS4-t(H 
zSIMupBfKWd;zEL;5Un=Piz_M2IdmG}d#Yj9da(b=4{7(akxxFwb9W}gll>;(%R&aj zwuiNjykzz)@K-+AT}c>@+PvtO!uj^Sw4jZ|0I)eS09O5Kxr!*qs9O+jm$+;Rf@JF0 zFp%niZ}q#SOwIaGBb1_P+rr-#5o~fujB~dyGSZpOR`_z>|v+GM~yXv}S>HQ;7;)DCa{Q}3z@vY}k<3PDsbA{vg z?QF#?{fz2M_vdv4U7qbQIk~5|uq0?lTQ{rhF`(npx@P+0ee#87Z`;cFJLPygnS*GQ zE6DThn`RVYmg{vz)bT5k50JR)X)jov5l*h7YqK!Db`yuOgXhwAzO`HPvMHpy>t?)l zE}7MK#ci})a~i9o=7w)71N0WI8Ewb`Kbrlhb{avc`$pykjUFbqPq1hGy2Etk2)MVyx$Rie3BvKE-r!^4>F*DOGni?c`PyaGfsI z1HU7SO>azjeu#u>y+g;=~d286{I&dsQ>z2@peF)fMud<$NILn z4FEs*n4WdzgU2ozI;PeQ^Mg{dI*#%GB%JOe^=8uI1f9i?Bh_W{cW z&oRS3w@-5Ap>UPv{Dg;0r5(bb_nzcq4pAV59V%Z;rLQHG)?{!2{?iBIF={==rYKVn z63)PRW>!d3i(9);o#mzq2tXZL!W&Q!S0VO@%)wNWtQqFK5^RW&{6dJgqVOw6s>LX& zEvzbeH{_aA zhW2?Xr1~`(%BTT3>&X=EnU#$p1F|T_Z}@4EFQqmJ7T9bO@D;v@93IH$eMCEc)VNrrJ&?GN4!rEVz1?DDOBxCBao}QmJxy{9gDq zgwDW9T9a&JdY*Hf$XBoNfY1_?56QRFGCQ2w|4cDuMAGP2VC?;!!ZG0sO936toG*u& zaYz8>27V)gO8aW85pN-OpneFUElQ0MvpRe2e5%A}sVM)Okb|giBYL0~Q58kA!aXg* zndTcWv>ZE1%!E`8On+ z!@4tM(}iolnHdLqHz%DJ#0RPOI+&j3O~!2?j+r%M2JAHo%CRK`tLNn(D18LbOQhbP z))kHzvsW*F%VBz763pA8L;O>cK}?HVHR2&KAYVyzTALt1%{^t3Xh904zG(J}$V+{g zA8r*_#t=x3pVL~9EL-YABRJMLS^}wIuVilYj4Gb!tXg-=(NOt_L{h9H#2rE_SL$WWc+hi4KFD~I=FZNw% z@P0XN=vF}gOG80U@G9)zB|QvMGr>E2erda$qWW54<8muT?80KDs7swFl4nfwsO($0%%0k z>5(f1l2oN%*2Vk(2qKYxl!G;~HL{n$^p;*_V0$P`@ZUGnC-n~@zq|N{07y(ybee5G zPSZ7M$8~J1bSJ-=R=dbV4NO6H(y=*ONy$nI-eh5k5@@F+jn-3jfrXO6EcxMJ@$se7 zx&;@ZQZDh^Jj^&3XL$in1Fp%xR?+4pzgXk$qBIukVSdOPyzrHhg^(&k-=cE%uK6(w zhtCmf{6m~an8h(9`{R=@@uEaTs+LEDDX-+ja?uj;kP0o|z(-1TVliLxN2_-IY=2gT zMG93IuV^?KqCPxMs<$j*H1!Wqq@GyL=J4L5Za6qAf6>l&bVp}H#@;SIi*Vg|DO8fL z&GLm>j_FxZN=cndwK`=^BswR&HmmHndLg^N1y|zap;RKAbU2v;sO&I6TKNkx->r#)*3Tt%!!`7>h)0Y>n`ZyC%9MXY3nwd zEIzFi?2Q9Gp?#oeb}>r{#sWW&cy4;qf`Y;LuZ1^gWMQb^MRS-U`>qbIUZ&f?L;!W~ z+P6d7K`_}5&U>7<`rDL`<2W)u(ql4c>kkya$=)HP6m9m~--gw;ncZ7w2+_E^YrP=F z>epe#t=6lk+pNfrv6$BnS<9~5r7?%w?B%KM<0h2oTu?cd?wUs*U{h}D`4;)9qyG4< z>MsFGDA@k2PnEE4Tm&X-zV%M?4=p>6>Xg^fBV$(G?moEodVpg}!G`PTZ}WP<(JvQ| z-A&6ZF95Tp+`q&%A9hM!6NgRR 
z?|o&j4N+E0`oq65JX@r$+QolAPuGcbItTd}tNMvRM`5l%T{k@*Gq%iA_|4~Co`Dyu zZ)2|K4i|6TRoBB(s;WzUK%L$GH59;2-s(r?w~+u7?av{nO3JVyXwZ}WL+-b*R#Tns zks_X9zmKUenR{isDVQ)$tjO-h zQ$mxS9sx-)e3$zi!7#dR6g@U>Np=V8woyK{n*?k4AL(lhI^ZIJO{>?by64rnqv?9X zTSs~u0Fh(!@$2@%ezNxdox5Du{Sj9>&6?Mp)J4rN)z00z3(I1w=l<vSKU-3ppO9@i-?X>M=Nz*xFYTGL@q^4P3sgVA~44%d+xT;081`4@FN+^r0Y z?}0Y!HCK_Qn_{vcoJP!2lyW@U!VHHeg(P*yaMN|ru!HIp)+gb7v4imf+z)=g27m>@ z9ArV0M}Thh*O0fvU6}a*@Q3e;u!nf!k~iST70=YvbvuF`0I7l(%=A(?4D9*WyoB=RzZ>%}KBA!Ca@zKrrJ^Xyv$3 zn~P>nj@*(CwVcw7$1gyIs$}Oeg0lmT{mbTk?F<=nt;pOL^-1se^S5TBke4YVF$zGH zF}n9lLO-RdMY1H~89M7?%~;AmK^tuNHY7y-7WI8J$d=;m0wm+LuftK>fts=hS8*BR zOXn45Y~gCar6<&QX3Ka^oJG!Z2#k(0VG{_$?>!Ea)%K|-jqrg#?Uk!%Sjm%iuxD;O zuY8Yc4TJ{?N=ezSo$~20tmv19p#@9hW?p?uTnpMLo%AdJ)N-{gWJfwPZK<48a1HM@ z>L>X+_>D7HmMjiqqy=kDY3j34ImIjd<5|W|rC2h_s&;NAGz{Yu^@H!^t4g?Ry9{us)0z(&56RdYd**nOh1fSv z4()Z}D!HN1M_fYRa!75_2pZPWUbdN;-=ixFF%^kwo2@oI$GZX}f-9jmy##G6@Qe|=`Q(?r6X>TZQ#E12W|2i0#&ssG(>FyLz zSA_)9dstePa`)9C0g=S`wfo#!6{cAt@-!G&Av`>he z0!~+ae}Hl_(L6fwkW4)GXwZ*<*}96R0>aQ=ZCX*nut;-obX)(H%X+D}c+N&kR>tn; z1?!kk;t~X#n6Z0*3r-0P7@*uEFroUpm!;RCe$%b~)u*qA$BbD{YCKJiVVPiK{6z`Q zc0Ies7_5n%8%_l{#5V}Qo}(Q&Z+y_)u0 z6U*>n(AwluJ$g%l7}C|T`t4Nm$1q9dsunXNWoMT85f0M;(jQzs2@mEs>5WMd1-TjQPS}L=m_eMy^QR%bO<N0|cVm})Iy zOep2zkaa_nH>!tA;E`4&U*V1=&tHb7^Lv1sHJyqS8alxdHWJ(YFg{Mxjrno)YF^|N z?R!#0cA##==-yugKdriJJ|FY%vt4m$Bc&s7rZ22U7F<3j2vut(iUA%tcnjqN-2ewL z_=Ut;z^GdXMNt~WLk0gtUi#t6+pY_dZZ0OElZnL0POcmc?^Pw^I zK6qXG=dO9VQUYGdR7kq&&)ZNfZ)^HZZ)Xjz^gOCP0LUXKX+dE z=#jnifrskkNHeV&%eR(BrAxUu;l5qJ>9TvdS=CITPsjB#aVl5?oV&P0|4lC`e&*00 zfx6IND?ScQQRtp<$H5Z0*lDt)P?7IK?zs{Jb*O)tWW-zbY-Go4%uU@6sL#OP=wU+Y? 
zjG)7H%Bj~6S6hBV&0TKG?)Hzi8`2T_7oJJH6rvFXDf(`Y{b>=R3?1J4+Hao>tTkPf z_3PCMpm7pqM|~5JLBn+BXEA=`CUvO&3H>X-iMBFtXx44#*oVC5OouVv&i+u`3ybUe zOV3F+-}8KD6<t^dg)tWVzx(URaok_V=L$=RlnWc}%YqFSjyV;tf zEAKJ)Tj$t64wsf*ubxd?J0(c%r4~`7f!hPB%dH8*yP0Ev=1GUmc9##XhIJ(^gQrIj z0AP1eHbfMY`5}H7^-XTGZbWFy9hdu{h%pbmVpi(y`g}n%omPARzS$9Kmd;vzGH<)m zzbzt&(fo*gq#UAYzj$AIc)M5i_=IYz0O*${?sc_pBcr$(Q*^b>i#gJ}_dp$&m+U+r zvqO)X`XMSV9fqiH`>LiyaM~R+7_%_xBmj4c#@@LXMh35kjs;NXYCa`_1C((@!5TKOT%p@A691GIp<;UHfJ^GYmn^r6lsYDxO&Y2P$UVxEd+Hu4Rq4VWPtqmKCe# z#GGUUJ_3Y&(F(4b6vl^!?Vj7(tR9DCDHmcvZEwm}F62rg_N~W)`BM z|E7iLhASPrPeQk>k#%cfH9a5}sy~3LWrZ1NRhxE{D522!dS7BYLwI6T?8$G_gurWo zY!(7dAyJ;H7_I`8K_0Yj6k7}^fNe8#&3J4vY7e3`pJIAx$ez04)ERp7A(^R?3x$$4 zS3ywu!mm$R?!IVyq%3)p*AN={hMSEoVW&nN@iR9RlgODQqL&MLDNo{?=fcfiWGuh{&9hvfooN(v1qc< z=gc}tOcP%L^F5xdKn?6l}jzRxyvp!72qSL@T z04Yop@~*6=uoe@N-#=|0*A|SbDP;gm60Y1r^;>tr(Yjbg-Kf+Op$awA3FaD<_*-b_ zCY_2T8shD&JLm|^zJwv}5>;$*gUk#;>OmZ3$Nq{_1`5*rEdiCe=Vc%8>v)iL_56Y#1gLgy*$ws;Q5{GDp^*XyncjQeC81$lQ||@ z@_dh220C1*oa#@$hp%MO?*gu91a{VndIOn>8LdH+76IA{hf;javr$CqrO{9JRW=z( ztNQ-6N%8rOf+((@BGfWEUehky))U(}iBAb=^Nk4jt_&uH`*VbF3c`&z1_w`r-*}0+ zw~DT4^bYQgmaVZc!mtKq^2g>j+05y0F8a|d{FE<7tzrpVYH^M0iBs~S zWfG8Oc zM!OUlWJt|r*rdC)>LCMNb}3R3W_KHe%Ivcq_oP|l%gi12G}jBV@gF0SEaDwuloQAN z6UV?lmRBzU_0aA5{npi<5?w`>E z_E4p z{llxFlMr{z}Qg|F4Ot z+ufP-(f82gTMWKevfF($tyax71c+@!sT(Py=dZ)eT#5eInJSN-e`4w&fmwF35e-B za9Nb)t-YLlwDI2hImPGl%;%~#rln6x33O|H-|nOYyuLkuyJS)XfOEtS)pk#w&vNtb zzCS;-rd$6euYRAnwe4`+&eH~UF6G&B@c`->-R6G`z_@%^x?tA+(>!;*(3K%UIoNMx z1bzIGYHBl0c&_Li^F#6a@loGro=*6>%+<`RDKA&Mq_cYvAm{0GoPt6}-;u$)bAUPj9n-@C6S6_T(eE0RfJqVfLKFj~W0j%!;2;Giv$|5WZd+G8$ZfZy zTOeALuE@*6DzMG{G$sE_U;fVHmPJpg>j52$i(QN-N$q*(Ye&>P@(QFj=koo`z!RAA z8eDz=h)DnZ0qh4e_I+S{C}D_}U2$=pEv16RrJ1Q&&dt*#J`&!yED}CN`6Nd)SR64- zraL6;d%|`61o-)hN6r6l0ai1)lystofCK_rS}O5?`N4E#Fg))CuG1L9H~VG_q%dLK z#BWVRuHk6n21Zpt(F7ZU3n4>F!uzryqqgkPh?NRH7j?brB%gvK!wwk1c~2Yx4$H8cvLg^>Ex>#yX&y7 z=R~uG$+nsFyTu;CCi!sp`Q~tx)x-xi(ze9ql~ZYu;8Of{WD|{W?hi}yZO&<-l>x{S 
z(Qxqc;{P=}GJ7hSd^%>)l6LObV99SoH*vhv!!}GzoBZ-KTmF?E-|0D8(V3V?A+VLkYVBI zI6nsu%J}LR<}FnU(ul?)31IxBQp>nEjt-1)VPX*%(65dD!m#4Ue;Mv#2(I+4LMX8~ zp}4F)mh6`)a4R_oK{bO>#}>9`)SMvB#W&hLo=vC6N}kD;EZuKHaswJ^EVl%W+0ds5 zz0*yql?=md<|LUQV6_pkg{#uoA6FZ&W1_X+v5*`?s=$8(=N*@O$@0C0!f~Au~!FM!})r*O&b)3-R3G|PSK!L}jFV*I7 zkynzy!bNJ80EblTI*p&Hd+_oRN~ILqeJ%EJti`6#zXIFPmrK`v^HssMO-;Me&Mgfc z<(Q_dJ)cdh%-YQ$bV%lNmdHvn021dafsz@bJua1;SNXArj{HAOAzE}z!|@lw&I;)4 z#3x-~1V^g^nIr8h8{$F~r2%8@=tSldf(CST?+&CigJ(4hWxt_jzG<2G$H1~_8$Ii* zJMmWc89SH#Mey>YjSj*6=92E6KymffqJ5PfpPkvi-!mfUSBl~}{QYXV7d!KXzYx_p zwOrk*dA<^UlZe zf}mExsbI3dVDk@@Kax2?%%#`zDwoA=>SSBzm}!J;_+JtU_C>VmYZXM!5cs~|uW0dU zQ&i?G()WLZ41SIjnLfd;FuUoYHW%!jwCvOoJwZg};)G5EYDBXHIjn^bee|=>eH*MP z`=x8I5gv^}fE>1snTU2PEeG&nAzBc}e`mGgdad&nVbnZu#X($1%nVk4~c z1-h3`LoPH4xlsI;Wzq|wWlmvu?xMwn--exLQblfAOH85f$8)l9=2-(gOysA)n51@l z|65tJz#ocd^>3!#d~$97KI^C=Y@#%(Jp9Md8_YBJO|}zF)K6+`zmJKx!@yk=0Qa(& zRN2*E=B>@0QOx`Il&V5x5B-^!&z)WMs+RRq)q;w129=qm7_GKWN#Ob{JR_G=0-tm> zi|%O1*$f9k>ig*nN7Z9=(}gqbMe7*I3c4E9D@2Q=qi#D!z@d@by4G=a(S92*d^iLm8@7%kLuZi&xa{>(A{l0b>oab3(> zwpDI@jqGtIg>caZuI_h0$@VV}fTS$`5IZLQNaNeoI)B%+)%bE&GiOuOIcm{98I`x8 zf`X8XHI=XG&tlFua*ZAmx5%X43=$zHp!?I!RfeM;+L zEFuf=s@LE!%e6kYI{lge0Nq#W=+Gvm-_S>0{H)O{H|1{FzUKq5rKM}&U|C%jR3$x58{7gaPOfEK_E5q#f82-NJu923lk`^91PC=1fCsev^ayh1LGizij zRV(R8^^rN|;iyra)QJkCT#SQFer^#G@y4U#Zc#XvX99jIgP=^d39Dd;%;ES>OQ3RO z#VC#Bk{m^+#!7=?t*sLaaJiaYOOhgjPOaVGPa8TWO1M`j ztbNhsW+WJHQLd>FP)5GhIN54o0m!l`Frf&>5T+}Jo5l-G7aj!`~ z%h4S-YXV7mwHcfOJO)*it5&G@&!NzmiqaA^*=B`O$zpeR3S!G1P7tO0J$S@x=Nh>3 z$<3B=IdN(TY2j9K$A2(b$hb2JQ$FX~n*J1=H3Hri>gQ>Up3}fxYU!?n4FDN zsLk-#t~|mfG@<-MvV|v_IR7}tfGPLAW`-(Kv?jpBIU6cgr)M=#IA6wZ`zA-rXbybv z3^3?B2ZrLjPZhr%I=*&$dp}R168y@($u^VtYqeG)C<1G70_h1$h9~s*A%x2;)=6tg z{99Ee#TD5GtU1R#oBO|*zr2ypBQNt}mAMR>5@lqL3AlL{Hce4qA2(XmyYeVwG*pKdRy$byey``9*>jJmKnl!1Qe9EK0WN7*sKpD^%YMsHb z42}xnP9erUkfl!ompxRW)AKdZPK$SL0)bI&ig-$D{42e!CIbrQIkGBZdh;^Wm>jYi zzwqf$wAtlIyk#!a{rr}JO(CgSIwvt&Mdg+T54-${0iu6PpQBgc{Cuqn=15&%q8d_% 
z36=Haf?!z;ZYEMo^9(CXS_35Hdh7}oEugG(39yq)Tz3#5nM>T&5r$a(fy5_8LE?W_RF*i3`Fs9Dq`#6JS>=5af7uq%w6$-8AT*!1o3cm;hcEZ zdaf{3VhF1{XEgW%T(t`vGe(%kAv=bzg-yy9xlMsEDj{~{&2WzSz|CRAFJkrxT?-7k z@A9%Zl3g>w`&O8y1{sb8sd|c#$<7H}35B$Td^z7+=Brm2@YJ9#{umBHt#YOp#ATc< zzEP~0%T((n<2k1phF{9S2J(DPxFPXj=lqP z*Tz6u@{Yp9IB|+{hDD;sI&*F)(3E7sAhu+(Cl5!B4Km_CX7rXGsokCB2K}|O8X%8G)M%$bN!^diSTU6B)d`f6lSYcqRVWKkMUx&yE4&zb2$!oU; zc!l7AF=gwi)t!gl`Ii6R4^!=%^eye`O1JI8DZsU*(I$i36raJ$WEDXDm2S7`6$pOj z79;dre~hjk*F4;to5~hTn>u%6b9hw;7&1JOydBoO+N|my??2KIRdEE>SamEZKC17F zIu7(5?aFQ)#EcPUa{X014-&J%(|Bi%=6)LH$WXoXe(a*mem$CR9oht$K1?s@w4cOc ztrBT*fs^NKe^qI`_HNlWzqP3n;lA5kVys5^G@8C|N9ev^pv|A5fqXvfvYnS&FX|3` zK$Gh!P1@jC$1dHqj@CE4(~o7&-Pw~;1mNmpEp3(8W3XT61YdEtYpH7w9Dw(duA{N1 zSmy|QQqrm0vh(ud-F&Y5Ch|)8xJ6{svNgr#V>h!G1fib|{RT)rMdfNZ zw8S=g%8p9HQ4q>0()|e=FZs6u*C(W?f%$dJ0+{T7p3VGUa}PE6ALS)7|Zdq@ysZF_qrgZsHArprPutg4n(+a=qHNc zvq_|a5Ydt((dX7|<|xgR(CcYpriPY6T&72z6n~yPg_~9WfLjnxk96!&s(p-v({Sk9 zqeo)L$62+9Kj&WuS&KA?9u(;wKt)WKe8VG4$EwMtltYd2*Q&&jMFR=vVd>6}6v}ik zS$|Fo`{VOhAhbHw&S!7-At^CE+FpPUewsCLD8auag1s(U8mk%qZw?HNQ6aT*9^OMF zTDU^(E2;zs(V+;X(2)F4H1?kgsn0+kbLPZrI_VqclTi$g1HO)a)r_VYI?IATHtiBg zzXbCU5K(b{At_?_Lu&}!#Jfb#-;k-5vg|sTjOU`UYtrqnD)X1ZiOk2`@=fi)HRMIg z%LTxo{$A3^rwU_6l;lFp?c1mk*Th7`dZ$28)LT5E0)7fL46~S`c1RM3TWOLN{JfuBCdvR{arV$zmY=e8B_=DfQGiU+c*x-Q=g{k#ljRA&$3RxT&y--wft zVJu6KWh*2BCG`8{MmC!8-IhFnwG}ml&IR4Lk31O;R{9aY^X6Y~ANRBWa`|sLDQk?0}dsPfMhc)!@ z8~*r^%)v-dL7*9PZ)29dv`pV(4_#A2n*NqFWJwB#(ENvoy`^l_6vleYzC&UtaV~GJ zM)VIA!ycMWUtn|)#*Yy5>vt5jx>y3&q}oh+@+fx5mV7T0;mCL3^j?WUf-HI49g{f{ zn|JCg3|u5OyO*w6A@(40AXIv}#J&Gfy;IR2ajIv(uSPr;xl~1N96Xp2xneSxbiC~U z!_+sn*BO6VH%%Mcc9S$|Y_qX#+jeqdtFdj{wr$(?iO!R`X68T7i+jJgzrgw}?6r?6 zaG*Od9ax&ASM7NB+%g;Uil`fLXbk6u#Ape6tEwKvdPp*_C~F*yWy*_iKlb2`Q+K(U zGE9T-C+xDYr|v;H$ZmIE^mQlobvs%AE7N+d)iP0}%K;J~P7o`chw^_%ea$}jLfZ$` zX@DH%Pa$#2)S*xS6NqE)k}wf5V>q+PT@Y~BFq%u4$y^+G_4;($ZsUGDIgGK+qlXv6 zBs#tNIo7X}GRXUx@2%_J*d%FFAHk~iiLyU%!9(Hm_S%29Gq-POyRzqSor`|7{W5_F 
z=;}*)*uPvXwJLu49KT=I1Z-7R>pJ%6bg%nZzUOf1y!WCGZ#DV5Jd3Zf?4M`zcqSue zc{bSf#WZQXPP(^e-)O(QzGc0qenzmwtnB)~WtmUvT)8GMZwPJPEyGcy;{!az7{=uE z=`G9M3b;w@`SC;}_MSOKi>YhX>2o7F9zD%X^|ptP$aBAE>yL?`Wi#(Q)J(f}RP*-9 zZMygz^G~<^dT4VZ$o74wh48ZZJ|B0}d+w!ZQfE!)V{2`q{q2YCSM-XYUUhB9zy5x_ zB8=A_SpHnW==t})H$H#W)Yd!s=?r-~i*nO5y?vkbO%AexMF-mBJgd{ztAxRH*Mm!| z9xRjdpyHC+M!Dnd<)><~&zg?oIe49!UkafLbMA%RBUv%?0%c6erAsHpUGy9yPIS*8anyNO-lZ%GftUaeZ`_`f z^bhJxXu0eGY+@SdeA>!3<=-&7f!fm+{wcxVxnU?�McDCL6`7Rj|V=l~ADfAt;&U zzvnZDK|)n2)6ez42hR49m6c(|)BfDFffGXDOM7ubs%24Ltd#gQivnA~ODPrUAe(-G z%$dvvi=A`0M>f%_qA7<)86Ep)Oh96DxkU=aD#UP@zzF!Acs9&psC-Xw*{pp&Dy03E zGVoF&83M*Y>uA^I_Y+buS*`~0PY)hJG0Y!~@}q~SK4qzFGhRuAoQ8wqWQq1sS&@Hu zZF(|WBvE|t2Vc7j!O+hejOyf?P}R3jFz?KS$Z=2x=YEOx9Aqh@l%bc5Dnlw+&ioF- zF2;7cH8_#@!AE>)g|b7>tX!hTS~Xzeq84|-45dQ0T_@d^N_IBtm$W0u_3yMPnC0gJ zXIPvD;ydw4j3delvGzCGIW%3<0X)g)dF4g*?^r)WG2+cj6i}vOps^Qz58EWD)vrqy^&3>}N5ISOYY8{ST}Gb7 zkHV;wj;h)8ym`ssQ~bawLGx-7T({#bQ5e7)7Yxmkv6pEMN)M<_g#XdfcN!e+@;Z|v zG-~|AQSOJlM-)+X+9Md)ij~FL9aT}xjYDlTwu-n>7k?Pidkbj&#P+SbS9s2xlId3; z=zuROkCh9hFQBnJx`<+IoOPJ7SXUu(WZ%I-flZBi?nthoQByE zZiNcM`-tJh=!l+ye&4FLMwrN1OB ztd0#JHagT6kA`JgAt40)i)vGY{l$aZz}&w8Q`iA{fVM?*0Qrwif+h8?$0P!{M4x$@ zgu>$*cdbALn?{bts#t+F9B9J`WivW@z`rxbFcqxK|CRISwb#5Tey1RiqC1_2u73bL z0_uOl*w@{f0%K0t`=b+$LquHWb~{gjoh@Y`3e9xl`!uZYME+>+6`Cwuzq?naO$1}| z)g7!NIpTw7O~CpRa@Q~9xR(+y=ym_5S{UGwOd1f|9@Nl(-;+omCND|8n$L8ZtUw=s zG823;<`VA7ODy8_*Rp8bGs-yr7bq36nS|{tB(5q@!V51=h7`8A1T_E|FJ_S{_wC*( zVHsr+BEa<4#lnMh4*RzW37ZLIUPNo+Q3`=53+@9?-L@nmJ_?kj1eK-OuhuUHW8DG#!4O*C5`4RIeF*=mQVGHJP;0oHgT{P- zJaL&->(sJT`EZOOTvA!=_jOX`C!7Qv3m)}^0dk!ah20*X;G{@dFDpT*t3 zmtIWT^%B5P>Ot4G_LZruw#QuCefPBJbXQwMoHfPax=PDSN{A_-;W60N`tj}a=P_NQ zrjMGh&t&rx=W%dhLd-}#?dLq<6F^zVPDh4RMf;pil4knLI!M~O8vDq4y{*)&bnLGy zHy|wXX{3GG%9DQb_$XLJz~a6AScih}*x}bZ=298(9n+zB$h<3sWHDR5y7Ov8&R{o-=AYf` zC$AsZ>TjPsv|Q4&7$zbY1gcko$8_l-7dLp$JpRWv8E+5xo#0cPPix6*?N3iSyQAxv zoy%>>=~hiet)sN(xAivWd#)c(nbya~u4;#6idEir@q``qQ|rs0djSXikD|0cdm*zG 
zpSnPOJ9!r&+uolg3!SzZsVn=w`MRzB)-?4`uCzi^-5!|7V-&{%%}#{dX8XlkS)wX_ zZ!w?!T=%vwlcLpH8S{-T-IR_EWMCu=DGy{VSP_!Jutg zJ%JUyrb_yiN>5UYqoO!4)*_c%MNB4VqlUqMW#VCQ$SaU-mvJRZSSPmL@XvLkbcwP8 z<6_upps?pe4nK=uk4-N580zZtoUuZ`GNdb%Y^^vC7-P$7{b69%MNhu`B;H>XVS}Go z*c{4)PxH>O5FK6WQ6j-gq@ISAXH9D5g_!#ts-_u{i$ogUHT>h)n7&_gub!i` z&=Ncz-vOx7hz~Y{IS)$lWtW#K<=Mn*V-&x)o0?eT_|6&*l$-J-P@+=zDVzyMPDdLQ z);bpyXOh5#w@phsQ&}(ghEdk)!%;$t4EFqEEbm~KNbD^rN1ax}nn6+Wv0hCi=fuLL z;-Jlg<#L{*SJI%BUUf$CPwbP(CC2lvw2mV{5iMm9`vBt zpq@QraJdn-j9_MmIcy6hgRgQ#@hL}D!-BpJmc^ssylSleoK${+)rm-Kllj8eS%#_@ z9FC%x9(=JP1(#ACREv@_L@@V0aw!)n>41PaBkQqBnMa-0=-^Y$24(cYcUcHM zNjhnWg>Ouv2tn{TRw<0+Rhl_v_;~iPQE5Y9PL9lGIc`jv<#Cl4^w88F3<08c0}XP` zxo9Wcnaj-eJ5lQ&4w4p#JiloUEH;-W;M z)mo&RM~_`{Cq(p=@T01gl`gF@7p*0dgdz=Ut$YhbK07BcB-Y=0RvN*2_CQeSxl{8s z!%0Fv$pM3wZ{!|{_UJm2?W;m7B0|1wAg*H+k?<9B8r0w^X6A#hw_~jE$@-+2|5O4A z!Ol}3W$*I^MZWPhI)n38SFanawFMEa$5FFJVWxymtEolYQoHxe7q(!=XvE(-;s3;8 zW|G;g!ZArnnuA)HRP0(kQIl}bTb#cTOO>LNcHD8X|64JDho<72t0Cu)5dSAMkj<*h zzIFa+xKqS561AV)lx6a3y?Okvnn0+Pdz6S(MfhDhhw~OlU=}1JkH3_=NB17M#SDDc2s##_YEJGvRd=dy)+xi*VQzILbCfkf99weI*q`!-qWXRE|?exuz zs#+o|Gm#+wj%{4Aj)@aEfY1V$l5+4%gFhe|Yf-QGF&JgQHK10S%VMfF3rC%%|Cg!4 zEEs*VCJzKJvh%VW56WSB?56AI9S5X{KE5vdf(qj3;S8ZZWlsP%-G_Ww56(M$!kkeg z;$)B4S0GkQZqNN=f=0r%XL%nGPnHjGGVyuau(@5Q+bv$XyZ!vA7|(sryj~KKPqn4R zXS?>A+hNYeGo$|aLU*HK6TDq%^JClVhAv{Mo7EdpHe-4HI%PBJ`MQ07!nLXGK3Y=o z+S)CoR?xGFMKWoF~eINLl z;Bj2BP1oTuK30ay=e;lMqVa}_+W|UXm_Fh8c6s614Om7d+|zJ-wN1WHxFYC}r{l3L z9xmhhmhnc`bjwOnq`P(-#^%%6;Ic*Ae>k;btqW{H&;5CrNvpLVag*ITx_sT{c*xn_ zu$l4PzpVq2kUHkyEVF6L2ki5#=DQRFPElvOxy)Xvrfqk>#$6lnzTX5;1in=SX?Cx4 z+)Fv7eoS>#gW~&e#=9Tg&KAbn-`sl}JJ)%&+_tW}UHh_|K0nA4fz8)JogIhp4Xxuc zru-D2lr2}>S9yt3?6;AdT{JrP_m=uryqg$44r|ZDvgwFkt~GbAS?g}I9ipn9$77gy zhjAK}4^QdERqcaq$CVyJHtD!cZc*(fm6HT5fM&L9jcUZ~nm1+B)b-0{HMdP{$SM}s z7{nOu2Cus^_szGXE27T!@jhvv&hqa5Rf<|_+lKXQ#LfFeu99_y@^-FFxX|Lt#@h@E zKxzia&TA@{t*YJ5;Hr7gWO*a%f0mC~Kz@AVUz!Zi_A8=H{Vr++6K1>do-Lbpt2f_) zikb@Q-|`OOlF^R%UK~W?aozcYUO>C9gjBNb*Ld6?%{m%Iz1G?jq#VNN4^md9;o){ 
zU`_Gb&v(M`1Cdeob3Q|jR4ic=V^RbTzFT2?3=Of&l_my#Q@KBi^B&m**Rf^_oopP-6?%MVNBz(7g#|-@0)I zsRnEr-M(d8dd0no)#eO3jS8wXJRrZy^hm*}szQ`ssn8Qny9_px_UQaaAbY%pxb>P< z)^%>$X_P2}0LCixDiYRTs5_|B^THoOJ2j|>nw2;`(s2%i^70g6$z_$VEpiBs9ch$1 ziZR0Zsss(2v|9n1`rvX4j z9?{G>x0BLCBz4$xEo4wcJ$I}1y&)Kvb5SrTALMtk%6aWP17IPC;=cOoE0G^NP|6>c z6*}malC9)u-mB9HQ~x_lKryI_3%&Q6m|G<$qnIC5QL$Sp6zN8*u4y>nT$CkCTvZoI`7mmtc_vCxKWYks?Fx%n9F$RHQH-GMHdPE~_|fEY zc69PoVo)m3a~dla%MzFt_2&&V7m*+gd9*E|co)Ttxpqqw92=E7=|nl;N8kiuC!C}e z>QH{+k1?d)y?DMLGMRo(zt|puC`pnV7EghEe5Rn(KgShJg#;ky0# z9!V}iqaJWxux$Yur%GY%ng@GUvIXavnlqfXL%+Y!;lv}?j>oK0rl`+7KbeeDDiHcG zLJ-S;laU=3LZ4LmJX~kZ+?%!NTN;>pGwZcI!l*A9Z6@*H5zQ%|RutzNnp^e5ydW%2 z2{Kd?IYdP-GQO=QZchW1r2xN^fj}9eAtk0h$OXbta7aj<26-G~jqtfB&kOOKT8>En z9jZi9Sd3yWtP~%`h02M1IgQ_~9!4~p#!aMn`~H5w_uAiC=DeQXn(H&xDXK(zIIdq( z?wgr8Uz7%vp*N~YZt0gvcm%51o&d=Ug%NkvgAPFDO*W3$+d`7@f&}s}S;wr4607FN zi5km|s3{XfFJE{bFCKNr>@??F?gURHIVuuyTf9~9Ctk2jfV21H7K#~FJYQ3#%&ubY zDrf#mF4HHEnd*pfqhR~DGJ9xkV^1*^E}n~^YP@XwV)GKKI)kMa@=Au>ww z1_%;+-g$$ONR8=7M>Ml#2%r{js#{R>w*zWk#z%eYnIN%wBROe%ROu8fbYxm2?^WS8 zpU%+tC3BwIP# z%<1aYS+jFgS`20K)d>CyVgjuhYG=bDj!SrSMPS=JE?w{O>Pn zMg)Nmdd!#H^HWU!8TZ{D@;`v{Umanu@7Ez}+fUizuCp`%FOUEfa~P=|W7vlyh#27i z89-)__6r)0_;d2pv9GNhZ)OwZ>x~it@aSWK^>)tWv+3~I%jL@6o6@+8XGt2uu$tiX z+1GX%p>4Twr_*|vad>L4-hK*KR-0=c1vXF9>Q zircOBk83Oa?arvRP~B|Q+3?hTU~B38+xRfVuskK9?Fp2LAzWDZ>RPM4F?$lZ@AfnR zxfV9_wV8YMLNs@~`8)Q^duq3j8Qwcy^E3=akCP#2oMiOPyI!C+xr|@5zTgaOs`55& zB(G1m-Bz-&rh$SAeV;Kp_BuU%fIB5wuREQUZ?=5#oEIPMCiqArpqJ0oaUG{U56?wNO{;bf^bFumm~H2$_q%D>XW4N@ zQ`XCzx@@P{t)yyWc1zJMglgACu5Q(eyW65A-Ae^-$N84WQlaSk-h^&Np+|Z`=tHc| zegY2;p^wY^EthV~E5Y66qG%S9jQ9O+_0#Hor}O+R-D*fXA?@95nq~K!c?(bbUi<^6 zxyG(;y%of&GW1b7E$f7wK|fNDZkt6WHMUC?Pj@m=*j1i zDaqX@ktP}4)Z2NqNmTo>_Y#oNdh|gdiF-XWPV=yK@yv!fy>0IDn5Xip{<67f>QvqK zZsYTB+UAqybtL2|d%4r=&Gj&oZgA>j-{T}IY!Q==;C=PtKr@*p3$Sj;)6MhyqQR&#mt0h&s0V*9jd&AMc^NC z2UJRO6nEEeGR9LPg+~Y?iL|Q3#;Gi#%zef}#o}^eS>-t71_*26$do2*cw{;JuIC<2 z<_F(!@X#Ge{jQFct0lNf4XB+w1m)@MS)xcJ7hhYjqvHa6Vk%YiJ5;7!jIkl>|0zii 
zJIvaHRp}8qY+?}=?fsw;lv;xkP?wLs*6GOrXNLAphq{t z*=>pYKDJ%{86pl|C9x+Va9XQW6$wAopMjh@RHCUzA5ex4nQL}3h!XUiG8BsTmg-fi z`G?iKI8n;o8s)10o9RJ<{vy;_C>L!b^?UFrMi%c8ke)|NGe2X~#p zektlv*s7Npae_E_I)ZnbU{e&F_A!ndWZxI=a)iT#szsj)kfR%=YtQQssTQ4T9oi?J z(p*fK4O;Vr8lbt)jwA$s)o`M1&hV&bIict98O7ldEA=E)Vle709o<++`1YqA^;wr` zO&RAnRF*DF{N=`iNrL0dEZu~XF8#^HOd*3gGSg9!qhp?6H}|UsTO40XpPYk>Ls;Wd zqRlqch80KeyOOm*l9m4lxgf4`Sttsx9=u${@uI=%RWFauUw`IwT&~U9oTrQ@ zc8;UG*&53=4ee#Tp^?aZCso3L>L=v}&mf>Ib%qBF$PZMq{W2|Q zAhNv*DBy7P!BQzajs*6ea2Wc00y-c*r+mX#9rnoZJDtcU4e zVAX^zps@VK78nck$0y>dlUkXJ{Hz&!3*%%dL+)2tnT`aHC#T3TcZM@GNbOh(qdN5A zJKklV^i$|x7)MD{oad*T-Z@keUV9WArh3@W%H5nWG9PleQ`nYzi}DD=#IBAqsSo?E z#gb!op>cSX!?wfIIL-8Jk+?`F9r_oPtnJt!8Kp5yzM$SAqkKT=oCI1-rVoO1xPbN9 zt1=~oW}{sXQlVB^L7G4OP1AbpA7*75%yTIvIL*{>3lwm0iRU&ycw&5^yX``d=H2yIVg~vJF`SrPK+x=N z`;rfluP~EyKcKK`V~-BAQxx2Cy6ryWT`*=!Ywv+8`|}L*+S~nZ-slSXq6NE}w{B~< zFN6s}!#ju$q2;&xz6NHt>js7AcB9JsTcf~Rk!5o0&Q|9(yHO%(m6qA0ke?8O&&TtD z^Zm!~))`x`yN?5iX29J>;+t1u=k?|0mS46vu#e}l{a$jbTgf9t6$5o!!=Q0~2TASh(><+juIv9{%8`!K8fGo9k{=?j8`E}vdoKG9P(PfGJu z)E;N=M_#WW@#!QeF5jLMS6Yi9Z8z7wfXRErrlNqh>!(RXzJt1j=-%q=4B%oX+g00v zk1PKAaMZwR$cDp*iYgiId)DBk&c@~ZYV zegFAqTJ6DqFuDD+Pc@t8whI1QYZ=&4kHKqM-ML?zF>!(K?KB`#%~vysZBpd=aX3EF z_A<0>eRt;1l`*&I!t-?7$_>&T1`)0UpdQvgnY2Oo0TqBjfCfs%dp@BY==4?gPpt=~ zdsJB7?93MqTU~wLGgW+f%EEVDS72<_AKNwVciBnNrIh=NbNxTme1+ySBr^Q`(#$Ae zUAR>0fjZ`L!BB&fMG~6?=s}J8i-hD--%lI($;Vc(tA!376D@ERVZi@Z+j;1Lmy!no z?*jE0qcI)g-zf*hi8EY3t@yPBK)gKY6P3w`X34spu-g~PSTLg z$^;e|O2|^<*7Q8}nj%#4<&1*tqkcHA7faJ=k_|Nmr?W}!d;9fE}z9Uss7dzd{Lbk1~#q^-Ou0%IP7gq)FMP=XhMP)VehO94*r* z0C^1l8|jEJMw&-5a@ZtpO%j=Vw^&G{4I<`w_(s9T7E$Tb*U5G1^^ds0*hK?@uu(GU zf>MEegoZigxyK6)nEu`Z1z3fk&;%>Gr%s<`*NZ#qU2ZnH$n(JVTN?{gvlI`f+Si}6HgQgkUB(?>?+Q^fIlIj(6>GT$O zZANl=Yz1juiuzTuc`zb;?Bz#(1cOXf9GSLZR|olE1ZpQ;t{4ee7SiW0i=4{M3@5M8Uf)Omw`yf|M=hpOx6m1ZjGRfbpP$|fnZWniH<~svg zzNJinmD0Rkg)mE4SpnFTwRk5{m}!^3O95^gs05^`0V)EeGon{^*Ms1`v{q0lA>Pe1 z{BD;gAN!Dun>v~t<6ky)21j)cBx}K%A$i$G$tc<@_#(juE2_m3bR#nSF>-2s?#5;` 
zCILw&n0_S^z48MjJCfvBAWC`^lM;S;{9m~^ynOPq!*GMURfOe2TxdlbBKN#22pdg? zn}Q&=&YZx7kf;RMhw=hGXP`VO6;uP))g4+Tb8lHOCZscTrF?9)2`5b}{9Gh0P!CY> z?=g-r?#1kz%w_P;Z?wlKya7aDWbM%SzhiZ_adFzR$|4Q%i;Zw;Y7GrSBO7Y)lG^7= z7#}M|W>Qdg#UUhezs*tn$>JXd_k(Etv4uX{p>m4&yCRrkO@!}ZkX<3xC>_D$pRj66 zwESKUL1{Bi7|!bHuJ13yk6`N9q9o++%J01Wn?! zkXHN7=k>=|A19ey3K=mT@c2{c1MMRu?Ug&8Jy0KH0&0!!Wpf`P(EW|Sdctjgit|w} z>(dQd^e(ZZ{eCme=MRn1y{j8VULU@gXo5XEgt;REtT)D~} zUJJ7;eb#5GRgc3CTPr_NJDyw$Mx7i`PHWx#z2jk);cQXP! zn_3VWAFf?rc|TD%zMkH&nRO>ge<>R_&hOvx~5~=E<9c{(P`gq0?@C!j$hHQ530Rg1p%M-ldC%qCf^8p{v?6C zp4LL1c()GrEKSOWz3Uca%CGh(`siAX)ZWvmta{37fXr z*s$O?YAIGnNTIRo`9&+<-Vf4T%-I^A+hZlhW=F_+Gey zh@~E8ywmhj-{<_%LZN>$g1;z9(zy)9ZqggnrWpnfy5+&ub@dj8B$gOr#IogX80KuX`okRi!5qGdA2P}3z^m-sb5q7n}tIy#SB zF>2C1b1APCO7W$;4g3y_((s+1EH2R>$F5gWLU6+vJ{1u_%K4YvFygN^R{YLO!)32b z1V=?fiEX77c=_*Z3uc450Na;n7OQtGDgENXxj*kf|Mztx7fU#sr{SOk)S>X-av5QD zG1SaJ$rz7P7|Nt#8-7)=-&;TH{)Hc-()t-kIz>CD9g6f|AEIoKTIet-+EQl*6H(@# zC)n4s;kioxwRPoT+r0N6?@cEl^63Wh@e(E9MCzJ7C*;m7L9}K?p>;S=%hN&G6m!WJ z&Dn`Mkd9}xjcRrC>WK~2+e?oZMjVA!38DBBb1dVN*HtncFvxX-9n0s=X1<-S43u$gOKBSGa;~ ziLYfylwt!R#_+IekQ*Bi!ooz&6256)yTt6bTY&RYlvOoQlUn?iBzPzGPyU>=dKP+J zAV|LNPp%5n;G7apMGO1>+Aqk5NrzbU@=_yoN{!MCJod(k8cZnmN_{W9Sg6D2yxA6u z;&Ja$bNkFV^uC%ZVa|b~#)e~zpG}Ep%fflEN_AFQ$%^EgEKbqq=Nb1oBIS_pc}3ueskp~7zh=5{mmr3>#hmV&q)nt= zsU0wi%T7DtgdQwg=!@@`E3a6%PzlM_SfcUwpeh?E2GqnmzOq;V`f_Umfn`Bu^!u2ws1LD zB(}G;5{vo^>x!%)w`z|gG^DuCLW2gDKCl?;TZQtkkcTmRQpS;vsQwR>bQ$*-N`H&R z47RXv_Yx7Q9C7}6LkVGi8}?lCL95y|!<>KEU=9eR$oTmswkh~FfrWqtP*i+ZDM(zx z>YD3K_HzA^57hnNkbA`VENTsnO2%P-t3zd>uU@3Oc=nHa%x)bk$Tv_S%>}Nt!D+&DY4vHSR*UZ6Xe!kKJze8=7nfAk|V~`v}Q;Z}lYWUf0j73J3Br)nT z+ZN@>jp0}*6dX$yBgH8POyulG%H(AY0(8K^62&SO=D@gQO2i-?&;B5-#2fw2v^h|; zgIO-`Itnrlq#YS-GM#UPIW>&pM=p1%N~lojHOfJu*{Wi=G(So;$@;$ml8$)2wgo-O zeuNN(bw3lr1r<$$d_sR-cJ4gRY{6#Sg5Hl+&nKE+OSkW`;{kGfscj!<;&SY91)&Gz zH)}I#pj`^;$wk0t(FbmD&q4ExX)@vaB87N32~uDVE3i1{eqHl!EV1|v{%8(fg;Pq| zbtd~F!)e0ejiBw|_7mgIbRvokguwfLC|lKWz6{#|m|&5NA>?#htrnVAIY;-N 
z{A{i5*z=~=y*pwG(H^H25c2f@R0gb_F7fEBG2Rc;pKib3EnZ(XFMJ8*l&$Ntx)ty5 z@6`lc^PUbh=abb}=S_q!ouH!n$IWKC`sKf=U7mx7J=xiv7f|}^!^!MNwSxq}fHFd^ z{m3~+O6S48^iG2bo!1`OXK+Z0iFbp<2+R(#cF)YqrB*<0=3+5MM(vq?fOO3;Rk@A* z1J!V&?Ic0xl;FDUI}{aOYj5iD=F<_RqUS>NTjj$iG+=F*J7i0<)8q}?#v?t()W+7^ zxtBz^m^&l z-0i*;unhthf4;4Edxrq|0NWsV;#qSLNMMQYkR-fK+U>J*@^+LjjoMYZ}P{lEG%EkQ?f ze$~}Htaj?CH5`1Vyv~==3I1KJPY(7}u9Yfv{T8iAQXfKHJ)?>sS7$4h)6(u?`fu83 zT{1DBiY^JS-K+9hS&lEcE~(W_zr-7$8kA_xVF(QED}OBGyA7a&{qFB6RAC+&$IDzu z6QiZ|@R*-O$Yn@#I540PzKt$JKhvOvrl3lcV(Nd3%EM_MLi1BZ@TDZrB!SMN&4bcN zM2C^V7*k&B>$Sqho*h~d6R)(Wqbe2%w|N-a*Ehi#x`R@$sQUtPGaKpg}`K-A1__3y7y9RU`9;DJ87_L}pNAzP` zkP}kxJ_a_qMhYkG!ik!sOo{y1?*0Q5GLZyn9yfMiCGohPK9-3=z>f(lfdCF=N6K2Q zQIVMvrR;}@Ah$U2Xj0NJgm8IqAw|+9bn}Kki;_4oG4p|z&m&4x*ixH8vH9kTa|LLa zb&eO+-^?8mNEI6h<{aZzTN5L_yqzXyHR?^j2M`r;<4;H5$gjc;uhhsaX4E3FiCzkG z;lWXi@*mF|V=rVb7zGX<76d=NTF=4^BLq7_#ggN6rX*jIWaoNi1>E7mj{mBdJz<#i z_+Ay%ufp3qkVX)N#3J#x#ApaQKR>|@D8YF@5s-C@O1pR^4LP%K{?0wR?ve2Kliq}bRAX*rCW@9spRN(Uug z+$SLb52YCy`Zmq(d-O|N{N#Cbp{XPpm7$#qxRtsYmqS>|y8yQi>mbRu|NV-Wr2ppCb^rqN&D7xEAYa|e>S8T+GWN#H1;bECzYUbvZrhy zBG>UPHfVBnmtNTzV#?`bnh(DDQ}+JCPNx}XC%yBiJqvw~YTqf`tX+BV0|N*C+iXBQ zjRf7&@4S+QgS0i`yI&cG@(mmLkj_Qq4V<|&r9%38(dm^H*CnM@91bs8x~$$EU=0ar zr5f=FQg;hv3?t4L%ql-i&(y@0HQ))Z4&3_8iqn#C9y`2vg{2tK3j;NXN7Hh3siY3& z-O_&F1jDv!AjgmqCjK=?6SdYF_lpY8nK3G4B;F;lVWLv?)0C$lZ6Y_+`kjp2j14Z6 zw@fvlj=I3eyMSy2FH2nzbG$<|yLX?@+oz(nkUv?Fi##Zo!5l8KSbySUp!QUlK?`27 zko&j4k^x$V+izR6HZyBeE?L>E%u(DXXlw>Cmac{6_X2O$ftPVNrt-+z(6> ztN&16#}4QNIk^>ttM((!(|Ilf}Jlrx|r4(L! 
zU|BBt0<*t|>WP5@iv5vS$*4S=4AE#>da7?LvL>P6Z#S(#pq+*5_Yua@BP*l|ssO2j zn*Lxk!By@Hzx+4>J!5H0f1lh#ay79R0(;LjucArQ|BU0~PD+$l@g)%de=+!xSC^0J zaYC&n;O#kp9!?Y)Pm&zu{(%Vnq5Xk)hgt&ag@P0O4b@))aQv7Sc%F2fOA88C(3Atc zjA5(t)@^smZni&14&ZQg2l;eeU1-a;+3t4#QQF>EalhM%A_TO}@C+G1c0AsOu{v#N zjBmAVK$LnGw41uCcE+w=_`8;$taWSHO?qSU?fWUZYNuw~Q6Hm10-X3h-wX5Oqt_k# z@Ap&@c^{Fj?vHJ+yx-6KC*j#BJ3bb(hT4+}U9SvGE86Sj-D6=e@ChCLJ=XR#-90xu zZi-}eYmGhC0a4QJ%RG-)_+z(UM)lPup!K=1oNvoS_W42i8DLQf&&J_6NX;o5}!JOo*nYe%T+d`NKXuE63$rRXp#T zms{@^OODhTt+^i0qN{AYKHi@(D($Z0z%L~dpsH;^9nv}Zx z?c3Q{J>N60r!A*zH8Fw>K5hLh{M zN`y#++#jy>HqJglbS?7+=Y){fuj^a@Q1AVy$SuLirz67p<>q11n#RV8$7SMnM%%M_ zb5?`a(WPsJ^f=chv(DvS=ClTo<{9%;@x(EDh zSA@(XG&*oq3`gBOQdA^O#+@f0Pjwi5@}|4?MAzcoBK zZj{>achrZQ=urpzNpnwU(tp&JnN@7FUu(z`5+V+A6n~q;Q+ufNe#G`j*!%ZDC~(C` zp|}^o+zPc5?PXf9Dy=Ve{979CpBW+1b{ZPTB~jG=8ZP*tB={# zNxmWBBtA`ltC650G=vCwR+A+>4!2~EDcMy?k7SXSs!+9ct1LWWv4{aSPqO+9#;6-5 zQId@=ir*-$PlNgdYa%h7qSjaRK!uI)pha%#_;Z6&bI@y^vdoIpwoOu27?;#;CieN zbIOgIcrtohSB(+^GeEX!P^wZ&Y$mVhd(kJwD{v7sF|TqDdN6yNQbYdxR+xwHB$0(?Tci!WLeTSTbvMcF zn{#ko_?}#8`s}5Bzz zeonQjdMQXMG;EkI>8IZbBgSd?-qu9J+?#VC#`QCkhehu% z`i866|6-UFgcff|)5=W8qE8wt;I3zI3D&AF`YTu-{Rr6+>+~3zr8=tT+MXc&_+R(U1tu)scdoj zN!(6p?oOPSXeBQt63RE*IoT%5LzCYea)DB}o)eboF4^YK zss9{?2cPxII5hxZUdBkyqlfqI9};RjzAXoo&H4@+3^gzuT~<;$%8_%f@b`_O)% z{s?+c|2Xc!r`!05kNJGfF(zae+F0BHHQfIN>^$?{6L*4N_&hvuee6BpBAiaN9G9Ce z@p)`pPDx#UF2l>Zxs)zuWrN~0zl@=@eY*D4SGVrOCZzDIr#IsYYE1X*xpv)`gSKBb zJf@A?8E(s&Po>q`&i&AIwl^bluv<%OS7jkCo~9l9rPHLvGqN<;oy>1R#-@Z#(;>+< z%@dzFA6l}S4$C18hJIX#ohSF@Jwj8BTRis@YnZNaZ@;E_-^(jq@2@MgENvbZ4j+v} z`&Bk*x*w1w{{W8s?ys?IA2;j^*JvYnoYpDQm+0CpqV8=r4E{Y*k6%5#ii>i;9=TxV z4DU|+*w42ym5b8c139R-Yu<_1uiG}(_c#Nbt469EcW9eG(Y210cPFm*`5rLuyPXcf zDvw}rJLI^s2D{YubJ$p~2%3)tW^JcGcZ5ML=T&bl&I5PPAGZ^z+1~4&rtJ}Y{RHgJ zsa#K*3vZMD*Iw`A_<%&tvrC~S9_O&H;}W+gJg!(_>E&N(vZ#&#*R?s_=mCo3?ki@i zr@1)yzUt)7%lN;hm7iz&?R-9L3~h_>vMaXth;$s5Cg;n5M1*ypY@scH(UYU)*3&6# z@wL-Qr~+H-+m7^7Iv~Kis{`1xL7}gTp2g@6 
z->qNj`bxL$xnzh-0Q9;H<4JP2Z$00wL|ioq`;TpX#0rAUiUxhzH<<4fvedEZuS)`p zvReSO$v(2l6fuUcx1TAaE6DGwS0&#*7ELmCKqD7zG9Dy#Gz!3pn_+pAfv-XcLZDJf zyA1xuE<9@Mv^EH{7Oi;*<@Y^>FyL=9WznIL%3f47d!pKaP6+(~1dS1}D-os)wUImY zj%XsyS6M8XTxGpv?k*>eDAgwoP6H(vaokCB$+&9(y2>DjafHi8HJ5>_1oOUQBdAsk z?gkCI=Oc?e58ZgrK2lOpJz%+$Bou`MUm9Luvc3Z*KrM8=G-sc4^H{l^!aps^SuqZ6 z)*R_ZDVC&8k2!jiYN2BFpWMYT_$o3-vsv+>ybZnieWppqjdbV#W9l5cbL*le9Xlr{ zwr$(CZQHg_Y}>Z2C$??dcJ9vGJ$iKig8gN!aqXJ3Ru%p~V?UHKWeH+gv30kAD&G9u z8uCtIvP7XSDa&&#Z2ja{KZjc)iUl%TlpP?3C$8&Q^P&dyN-NE18ham9~NNfxOr; z(iv-r78rw1#sMoIyVdwO$)&f%67>Lhimb|mOS04h1FsskV<*Y5uPRt@`%23Ge7Ndn z@l0`IFpxoH15>DTFdBSRF8&iN7LTRsx62&S$n(LF41y=_WXy7*`tnDkYM9luiIxOP z)p@c)ZQ2MB2AE0Japkv8F|zD>u9Pn!bPNs`6t!Vt7SQCs(SxKlo5%C=(zyH5y#+qf zR;r%z!9N59>!e6?DrX>+T`DT%n!6W1_<)SfFMKN{8-&tJf4`X@=HFOO_8;bqG=@z^ zNmrFxN2L}N5GtJ{WDCo!|5S1ME5S?3PL_Zs2@N#`sWs+sUM#j81sR;kTukDs#x*2A zYv!z2uG}gsfd<3zSDqHq9YCo}&+o&f*%y=4B5~lt>w`2(Y$!`QnzauyBcl7)3E(F| z5rUl&_g&6q5G3Y$uvQHQDj?&j%&E@tG86t8a9CD^R+}C`oWCij@xf8IW?7&l4~1K} zkTglii%Bp}A%ZDXG?(#l0L$%}2xzF0!@t&#op2Y4Btu}DU|2isu^jf^Qb;MOh@i(z z8geLZ=%_73^8InJO%2C!*&@T;zLHOl*1dMk=8FjH6vU29v7t{x$av`}K(m*g<~V=K&t`zE5|V0py}^?_y9A$;Y4Tg;eb!5tgOPjaicp zBGv=%!8F=pNRkdrGE$b!C}FmWX!ETDL&&{bN63V!<%6z3(FOld0voA^Th0297)+Bn z`?6X)Wil3>MOC7xlVTIlio9A?r9y0Yty#&>eadp^_Up3{9#DM>nbQ)ijOAGRLn2PaIFGlIve|Otiy+JPS=3D2f9`0LxW+36MV5 z?%g3*>RPX^>A_1x@D6v()^t~G+hIjq4xJ%7o%wD1SQR-=Kd$ow9d~a;ciWva zx827$_(7BRm0pMA?G)N;-rZ-+Ov>%5yuVKgwOqGB6fuIf-SFV8=XcDbsN;N_+s|-E zALsr&yZYNfhH#*@^5?b3Yw7EDr=N4E0w*Ad#e(i*hFP7yUcsF2WAZgsOyAq=r%axk zypKgDw|$|o>+4~-=%%CYwF*){$93Um;baWm}yUo{n_&d)7P`y+Z^tl+R(9>K)t=QW!mD5zTV_<vxVc z+4pf)l{Uj=Tkt@3n_ZauO8E3b?LHk|Nxl8tHR{Lx`B>#@*Ybg;uG2g8XSBL)IOM|j z)2DeRsjrTIo$Kmjx3+%J)_g|qK6#|HE(BY7qLLjkxlP-BR=525*7mA(NwVxRWJ~(j z8}AtO%;T^NuHN@_jN7#He%5$cu0JJr)m7y1Lv_nH*%PWV!%=&W>3`f(SKIIo8Aa

R4hrt7qs;^lXlak@jzTYtypUF~(*2+QZVj(49TZqxHsw7Idatj=eB z-B&9Au$*L9!@7e%D^fzcYvJR%B6gWl>w6uE+oA4sS<^$N0`aor;(U^DI)|$6_xN08 z{}tbE+@y`*wV`(uWvkEmwWe&RwWsKq_Wua`yP@{_*+gjiK?NkRHl2R`>Q;kwWkO3i z{O0t*-}Xom=VyG*@5e{{xL6W3ann{t#q?iOm__cF`Ia&GAAI<$(sHr|FTR38Rsrm? z1+g}LX-EZ*Op%!J^uHX&R<~7FvU$=c$q5USYLgBc(p2Yc<%yIFG6N*@|Jf8OOhNzW zKsAagwbFijZ@UBX?!;ywrbae6!i0&=NL-p>gKLu!+$ro9Wfp5~&QiJSpxUxNwo-`{ zKjtYbak8k1X?3(=NL%;>Quk~^FUZE(i1J$fCtXUE6ebeZ)0PSmZ-W+5btAP}No{i} zpmd_hNQjn|431q1ibuSxCGh41MlX5db)E4dcDr}hP05PT7~>mD>CZP>njIM|Y5|)Q zRK7~Rc8JaZm6e%9964uKG{gPhs;IyNH7!ADi!8z@rE4&RicpY)ha9q=ZS00zqXH~ z@?aRGT{$mK7z5EN8g!@3bTX2)5gY8=rD(bpK_yRK;iq?ktP$VfDbo-ef<{wh!?z0+ zl`{mA7_>1huzy&rGK1e!9H5Gvx#OIys(E1N5PZ!O^{ebD1P2fvbTP;l2|1RtX3-^rE;g8({@atUUx8B)l> zne%kVnd^3GwekT8$rQ&Ur1i#as_OOoFl4Vuo_(4kB=iaJi}2L?Qt!k(i=osdKN>7T z730n$>6Zykn+vo8DO~kKt4H;9UUS7rgwUj)w>f~MQ%GGF_G|v#H~Fu}$2`vst6zVZ zh28+o4z5X*?yf_=8{CkIS>bPS%ZYZU_(Knip4FKJL}egBj8KlGdJ=rW24w{5s5K;5 zg^=TT!w4oQs}xNZEeM%7)=K>{RYgnZWx*N&7^1S6!P@?TN;Cc?V<&ah**D5G|7jjp%bMkI2Xi}bBkz77|sN!lo7%Xcj>T zC6HDTDgjyPrGw8a3A!~5ErlsoFX+xpoLn~SG*dJiJ2{CzdG}Z?lEN2*7QhoOTOR;( zrSA3SCW#5OXvNe^by>4;3ME+d%$@`9R;#;`ESgAJ)eaKJAE*6g6KIr}IU{K=o{vS{ zw1ihuEZqZc0A>}}l~CqDqn@Bkvi%K#Qi+&N^Ky2GziESpp+qba^cOjv9CqYdU0%1E z$o&5o(UvFgyUi3x-wof8fd)_7kN#ulKm7b-K`(k1h!(ftJD-3b=c6R_-Ire%cEk)J z0nBePJAnP^7rB66(>{*SO-qmS*iNyxG1_iG-*Ud3VIN^8{nQ&s2k=j+gL zqBpMQYl_yL=6zwO34Mo^&uvwm9YeRl_xa_Mo}MSZ!OnsHp-%Ne+E!3?YE8gXkOjpc1?KjZ`K z^KS}i19AXg7yMu5#1_FleUqC!=(t8J=X|`M=jgj$=0i6vgI40XX2*c9t`@v_`5)bP zi?6dVeEuyCSIP4MeLBB2Wo!P#4-E@N*3W_S;Wkge!EEl^^g-I~ z9cH)mIqcoXwG=gOQ;0lNMjR#Vc8}C~ zaLq~AQ+ZkKR{xG*KYrimH9x6+_f3Fro%Y<@T}e*X{QhWegW>*mQf}W>OOhQ{?qzSc z>URTd8|T;jY3GqkH8TCjhp_wwHvPi{L>ztR zT?ai)-(15go;R)Kj?>vgA9)@X&EKH^@bVhMer|F^mDJbt?HZ5Q+6Ul4Ms|Sv9zc#p z|A;PLificK0{9yNf+RoJAM`d}007}i-+@1T_SG<8FW{r>(!YFYVSiONMsA~U^{%q_ z8PpH|RgQc6;ZXzNTr|1FUBin2f~JZ(nP6OXxzS`D$)rEkMl&@^#{|_&_AF;kyS(7F zbBVP1pPn$m(wq=9senaa(^1=N2eiYu(7-^?sdsME?2j`^&q@{MtPcybWz{M(jUt-^ zIvydMUIi!GhO~M%4LJ3Qh21r3 
zg)pGl$)Lezg=D5%tX&o9&>)42hAN>;a+s1s!K5nx3J*8HIec>{h$|$ry;+$fc`BF& zAi}ImLwo6C!J4ADgj+?AanL#YUu)rA!i%yj^ zK6^w5CS5?4_{IfNvWIBG+XtDG6{ieE{hJ)etDGJ2pR&e{Au;80=ZOQ9_<4NU_v%dZ{2pWVEYa)E1xavvFDkmgf9Io2>x&mYZZZzXR5vC8h{$6r zYi3_sbG2&DjYMurXl%!bg|!n%xlyk@35aTz&HWi4V@Ut0@e2;i73n`$1%V*|vFRFP zQ$=D{N*&_Hp+PVMA_vIn2JlvC0C_Z zrQkG|@`)&tMHU}|=|elB>p0FTdZrws?mcTs);R$%<1!g zl1CBHXd}ueEn5wnj)>Q(UJYo3g0;iNj|Li)T^>miT?VslR#L5KrGHiIV0Ce#B$%T{ zD^HM=a_C5Cfhg6S#3WfFIbjMx+Ak8$Bl7=LD>0)iNUoZ{)vw9^hqhXBZn88V)go z65Rc1Z}uVDyxb7g(ai>ru#ww)UH2XcEi>PCwe>i? zfBZIuEwK0L_55U4;dfq*n(KLNEt?ZsU-`X`+}eNU9r~Yb*5%&sux|Bt@w6&fHSOwl zADj1heYx}i|DXIb-sTRo6P#0oc(Ibo(^bFwcnnb z{F**g_d=cZcxlVwnzE?*;p<0KKH}#(v zjrllxS~o$tog+xuBkH)U!Cz;~Mu~^K_cgELP3bniI;mTEoLAR0u49~Mc&%D6Z*`vT zgr#x((|A9V`e>VHeFvTO{XJ)}%Y4adQhN?Jy3eH}kLtP( zV?=|W%iQ!`Zwu~t9hZ@&JtYON{od>yU-QdpIj&(o&ru<(b-YgzO{<^7;Iq}@1xx1q699qwGXOu2$G*~)*qIteL}OgUtuAC*@)=&V% z$O^{NXC(JQg-~2JgJsV=ZK!V|HbNBg=DA5aVqz;?hyDeY8UJeV1UUJs)O=C(Uj|!z zP$!jHi~Hc}4CV?oAp;l4DX#aAfQq-A{G^#OCR)G51};oKEHYz~c}7{1hwo-~$s;8& zNl<8f6+|iKMq8_Yqkn?R{&UpAY~g^WLUpaXh^etcR{YD1ii8Y?la5?}L14u?zfzJ< zvMyj>XyPi54njqhS!u{VZWh%{|P3)c(&g;sV_=rX&&hPI%#d#6+T2Q;b$H8~Xvc`IU%;HB&^> zJ5T(V+hZSuK%^ujp=eOz#u2uS&3r;wtMo>=(NMG=R8lm@dC8Gi-o%=4H`w8mL_a+E z3@p5p5GNOyON2{9(yO7~JQ0z4etw_`TvWC^5-4jPo~sQ5iestTLZVESJqoiHG%dMz z{s_r|7XMRb03CTyCEiE0E;XE&k~$lcPmiTcGfG@qQ0aMdjsrvZq~5}4HjcO~(%=Hd z;2WO$-IJD+L(|m%_zJ z(Z&+n-61sqK@k`K3e3@5`V!EyA*pY&OibRP>K^f_UWsB-;S!Xqx9L6;I zq10{)=P1&V&LqU&s_9~$@f(WH?1)jZ`Thj^gmgJSK0wty!byvGbHkK+^XfN$YWh#X zL*Kh2>*E_f2fvw{4wWEj<5op;FiJpNfeqJCC~g$VaRot(Ov-O`JPT3-yAqWkOCzc? 
zlb{Y2^HL_S&Y9U^CBImc5OIw7)eu;rN@`^1u@$_uz&6@qe(11{OzH?sN)5Rfp)Kiy zVV5lYbZ#6=%z?l@HDMqUIFkdUrYbZr9rubX3oK?PNEtP29pdLci8hHsFs%z_B^DSK zrk1GP!t8xWubMD#83F5mCZI(qDr0cKbl_}@CDCDUEU-n8M&|#HI&DfdkUrF?N!=~# zj$AfPiNhA6&rKe@8sHGY|IH$b9hGg;8f@JywxCtIWFuX$QWoV*j)dUV1UWQe#RyjD zKWT#lUt>{j%I+ackqKI*qZS})(3TF8!Duw-GtXu7eAK<`XXL-BKK7*>=zZ&p8x*Sv zmShHOOTBxMF3%G#uTM2xerTzPjZpVY#SNe__ic+nUGFa z#xG}+$+#mApJ)_MdkH>2gBfaO{);H_tJ6^pHtL{K6>ca+L~g*^xQ6(TvVs7g_4~J| za1Cd19&6hPoryd+eTIlqV@!obt&OV%&qBhX@ZyxLLUHCg%{e$Z50M!qe=eVE!s~!Q zUevLR+m*Yi7ZRS^2(m5Fu{48*wO_DdB!mrViG)6ml{%Sf8C>5&ZPTs-QbCJcJNYY7 zeGnr{B}grQ+{8=?qb(kbJ2?~ALdnG&bhAW~-~MSc0_G}VIeu&snCong7l=*^j71`n zHME%2S|Ndgh%iah59ofMfa;xR5~~MhwP1vcGe~o!?qo}>%4X@@3GX4CQGro0o)RWQ z$?)J#lUcjA1GSufNYiQ)K$*k~|F;bIfJGo1B770Z5sTm_4=JK(SN?}R2kz`_YNwa1Y6PSh0Y2;dDyCp4Yt)&qnI$M6JKvYf;6#W*Z1w8bGM_Cwjb{Gvj|JFz?6P_b4F$%~uZTmC-zZ@r}ssC&=qA z>6;#!^F5w3$NpSygEV+j1O{JU=tyYMvDx@0C|HPsPc<4&v%+J@*^@cP_YWk3s+Nen^V`xBB5>{<=Sq z;BFeL?-eom57hb6&&RM3__HlJclRz(m2QAf^Et?QM&ohp(7w#;^tGIS8!$+%h7FSH*3NX*ao;OhY7UF`IPq9+Uf!p`@N0hIm^rguqP zsVbG9HKMl_())h$Dt=L2BjmXdYE>dMd{ux}@iJ+Kj$y&HP7O<}e$$5JGNdN5S%H|H zt(^ZyCsc@@&V!g{!j(hH1*5afWdcWzL|hRbyYQI=D!xLm;u=n8`vke>zeZHvU5dhC znH{QBjw-Xn%**qb0gcLeydzRBj){=*&U{1RPF-9|9D#P|E;v&r23!WmE7D@aY7?>I zIt2!bbA?pUX(A4WPR?O*0VRwTn_t~%#UKhFBv*t0TEKsC;$>25#lF^=s)noybwL2` za8qATuuK3#lyo0cOkw%m4wuQvCi5zVia&#eR;`)?v!|{c0k>ZFiAh%_cu)_Sw7x=O z|BsTLf=p!`^+PV|sEO`iX`jzxrC)J80Ca*G+HT9t3h3whO&^TGh3wdr0K9rs!OKaJJ{kO3Bg6dVTxvpsOV6&F=UFIX4_ z3DrJ4Eetd~ra4wI!$TW1Gf**ZAnQO=14EIj@fmcY6Sz*EaU*bB5OC!-Bj>GL(glX zErrcQ989ksW60D5Wrr?ir4Lo2Xn{t9xMdK&{YqQcME76@ZETQX6z;S1oaUWCr$`1f z?FM+?sBR{{wjX<)cgV-cDmxk3S3veCU=JS;kVUV~{HuyjCZ|4ZbMO9zOF{}8FqmpC zC@EEtzq##!6~$h`+Adc+sn&(CN9v#n;=*AEC?wjTijC!K!BpX_A0V$SDOYl0%+VNr zi>WqfQNqSTL5Vm+&!asmklKm50AstE;vNi$RKFxE%`{EEwP!u6n3-gKBhgrM<$I6~ zvu(kQi&@nrsM->p8RKcTY9v2S7PH8yZBBy?d?pMDxs~V!Yr1Dkt5cI9zlN%ThjZf= zLWelDn!=w!U&dTc|BLjz$mb7d8Y|wd7UiH)ui#k`eJ|F6^KgkStRUnlW`0gE1)7Kt 
zYA2Is|0HGyPbg7oth=0+nxQh8lu}x~kW?!4bpwKNoNQ?{ilRQ9WK}xO&aJ?(MVfo2 z!8Vq-?i;ZY8(I>3gJG6_J-z2w&3CSOT3UqhDcC(tD=3(?Hw~Rg?^aSdXkC@G#wFr3 zKvaXUV2wB;k-;9*O`Uoi4x(K3K$}1dL&_y|Mmje)uK1HBR>-roIu9ZoqEuPr} z>9l|?KCI_25k&o1Yo`+kZF!-t#S>{%?nC*Z$><~s1REt;jR_x1A};%tg@dB}$~)KA zwFpBMa0pa{Q$-;sjAN=P6K=GT4;NmrSQXr>#v+cF?sgXu|ETQWRK%r~lJo{c7OV z<;P|Hy7=vTSC-d){(dyQZ!N#muzTBd`fbt{o;TRt(fWL8vA&mE1#oJy))YpXZ0X6;`>=={LNhZvv1H;Qg8vA#I6^^l8-AO$YKHQA(`P_A*@L5*s8c|wD`_AV(s$*DMnj&wq4*pf1xm9Ep4Q8i7P zwvmU@&DsrT$+;7h1(ujKlLSkXCRqwia||8Sy}X3jqCAaCa=`BNi9}lYFeq)1I*5m+ zT#0vAE?uQ3j*Q#|+#yuyKkV`JDGn#Ai$OxkxR@qHGsYRXo$-J8WYJ8EJ+{Hzm$ zE_oLT(IzEFKJbNuP6+vZxBzL;V5x!mPSh24Cg_z3D^2KRTO^Z97T#KA3dRS{1+gwf zU`1l=X@UByP6F&A$-W?ia~k-6X0+P0X$_f5SR-sJh1eJ@*$l@0mE;5-TL+7+3UWfW ztiboi1*>)evS7BRTSA4J0wD%K7^cYAMyj4nDy%(qojGipG0=17KHO8$MYVDF8M)>Z zR-h{x3~5NR-7?fN9fr#pt$ZuM6s1vkyfgoSp+I3lZ}PBBm{l2&Tg3HD0kOxoYJ=v` z<$-ZK2)G^SUwykOlR~de9M&ecODP4Y5TN*XrRrnq+(nI>hv%F;lC5TgC9WK>D?=HE0xgDNF(i}>sj1XVfe|3;eTLDF=jb6d)ZRTJVm~T}S$HJM z_G=L#as>1x6B~pEBjDlw|C&80CBuo*21cJmz=*=r2|TUF$ddQhay1NMsgKzxNUr zWksrtKM!CYytMW14}J0Y?yo=mqr)`*pO}fLoT~XJ$|~`OLv5(ye}8WT>NA*ZcO%dB zU`9y_t>MAstTo(BldC2nYQ8oTs zscPLR*sCWqiBe+ELtOGsWzXvNg>?N@{uLxzj$Vk^(|Y} zXZgfl<1a}P>(Bqb>+*B^zvt4ieLGi;;4{B`C5EC2K_q#3{*}6X4}BGrLIhAl3I5E0 zuG9S}vyF;VdEeLn%-gS`S~mV<+4zPy6uTayY1hrYFVf%a-d`WyXg^d((=;*pOy#t!Bjh&h*17A-`TIStq(IVs4Y0a<=Gl4;tdREs z={5m+(TijMuCnVRBCnuAG@KQ68Oq~*uSNRvd5Au=g;n28&_&fbt?2cKU5aDly)=CS z+UG(hub(zNqxicnFQR@Be_X7O?^f|MzTXBef4xs9ZuB0O0AqJ;vqFGf+gXR`D$ijP z@=VD*vH$DUvZ>177vH_%;Jj}Jp2w2$f=%ECMh|BO=^mQzeWc0k)>_|5S04vJ;p)`f zDyf=>!^ns`-J{vG_x=aR+;CrA#OcCds}}z8@IOe;j&1IH)a#ule!&4pW_qXc;*c3#qGI_OipH>k@J^N z`?C!D+vhOqh-4i=I2(o+udiq1^dTm^%7kv zPrtYIx%#`Em5$pDoqMdOm8f0P;UNX#S0R5W+@1TC=`O#!oXB<2Kf=B2QPa=;T<&Be*ZMcoKz5W-r>(&yjSAO5;ER4o#AvGH=6KwrIIM&&^p0D^Vd< zl0HM>tGEKoJ7iHBn&GpK`U&nZbg>PSxvc%OMsxgu#%EH4Rd%0Ikc=>wd&sDX1fmm_ zpB3VwTUE4evSN>sQ%@kc+%BiWSzF##p)|HpOAS}Cpn&NyQ*ZxQwGwu*#F5Hgn9rb$ zG;O{!#;FO5Y=coki0^l^=PQ#Op@32XyfCdzq%25S!%a4#+PI6?=IX5^X#g#V*eQUh 
ze5fF$%Itv^Eg@_BUQ<5|1p;hlg{v`%BLff?Sr z{ndw|P@f&`v0Y!6hU_@k?`?pNZPMbyFyTs6%n$w7m?dF>Z2&fgCZPpFs)4=vyjDp4 zZ|5dKfEg#k_&o-u#S?{zRK`7tdbQjL5gXpUaD!rPNZ@>(wvZo%Lqqz_eMxM7!JP;Z zgqQbU`2a(Sh#>TnoMLq~Dk)t1xXwKRn(`D$w>8)W)6I+GsEz`{qej*O)Rx~`sPeR` zYpWijR!Z#uMiWW0DvjNX44H=!9Py6d9U<^kVc@mlTFg?VWqtX>AY{b;afr!^>*^-X z(`d;v7B8a*rWy@htR<%#74B2oEt{p&4IW8VZVFIo^=MYJG^{Q48wn?&hLH@~;Xfp9 zLnT)3NC2Y(jjCE1l?tr4a3EQwnzSJMJr+BMW?1Wy11$7JqhIIiJbDfQ8VjCufX|8I z$KS&@omZ9dD}Ub^o8;oDLUY7g7LqyhWzC?&l}q3_436d)ax@BsyMOPz&cMrX{lD-O z8y+jCW65;&ODzhCas{a-udXWzwMsa+{nBzMsOwno=D{c14Jh4)9Ve^rq5ADe>hvU_ zU>ch+WcJHqNU3cXaf)cutekQiV0}dgg{TkTGL5?P)&vY-JGy+&gz|OAA~rKb377U{OtT}Y@%u`uQ49zj zLnnu%fD2K|&4zX{igns7RUIZ?EEp^Xk+3m`iGeUbSqYCM5hQlYAw>reyfH)-*@_l8 zbs0I|GuIU9)k_O)X=IhuYADkIE3!}?hBR4LX_?scQGfu0LT@F&d?R-hAQULsT>3JK z{-*Ej_ZbMH4*@%zZhJS*6?{B3k}jKa-W|#|`KL@ZIGJIpRO=jPoH6lG!3j==!VYN& zlwsBO)EJ@2IhjH=8p1RcX<4tgU%nBypCw47GXX2!B69LUB&#k^%2*+%yjC7Gi13t& z*wbp$%Sdkgd7O_X%gg?#&@>}-jq#tS3Vhh#QthNMw$VYX6GofS!FVN2lMJZ2&+C7y z;^k%rs?R=2watbLg-Z%n=#XL+#9D`n4VY=pCjY3B7jRg?7$cP}OoytH800(x($Jl1 zy!yQO3AS8JET@3$)D`Chc+4pw`%<}IP z)p;N2Z3$LHeaU={+nd>La*6Z322k6(nCtLAGVedF+EG<|WLxEQEp5iFAE%LT7|Dy6Nyg@Av(gMfe88o38fhzKC<{J^N;jAE?dT=jn){e6X|?bE)QK}hpf z?`e5iT#vg+$<^sS2~0D9)HiIz_T<)W1w8+bbr)fV`|uj~pT)mDN^y9>dRh+fTi5SY zg7rAs`Y{pg-Nt6RY|-#p5A$1IdQR-wzrA{p|7@MeeO}k3gi%5HT>+D0J#?VsFka?= zxAwS?BENWeKJ()~EZtbs15UMfHJ*FS`P&UX^LiWZg{%0V`>on&csxyqH*0n60d2e6 zxV|%g^?6U8F}?Yleq!n-`uggmb|=$6Z{DoC-P4)4bDLf>hGOw~`5w_nZ+;q@O?$hy zZ=_q~*8F3JtCc6ZXe^XjYQXbnzX3tDfWh7|z}|1FNX}W-U0TL&1HOXXCT9Gm)w}oeIK24A&2U;`+7ZxiPN!xRgA!- z>9US$W&UyP%~F4~b#jjfP-lsYdJ{C!A>3v>(&=Hjrfe{A>VgtyH3tbfadObZ_0(UC za26FeRt5+17^zHquy$*99{x1!jo9TN?~-VaF%sl#?ei6(gz6|__QTbxmtt+KHrQ)4 z1*%~P(KL){HRcdA^*^7u30JJjY88=UDH{JYAcNbz*b-{hCzr8)hjJppT|VxTRRHg9#TbnR5zal-##5h^n{srs56+pbyWH2^ z*FY<6Re(#N?ZBaWNmqlp!<{8i)e|OBiU_S9!>xTM&Ne;dy?%@ERcklo$Ia~qEgNzb zeEC!=lc@y|Xt)jA{#FOqe5%Ccnlz+ovj$03?4JO!4ns15fr0Rbbwim|#YXV98ovhN 
z2TsaZBVMZzG=*}wXrHutSY+CLGx&m3luNgx3NsZEtMP*DggHja|K81fgoimlKF-ps3BL9NdWUB@trcPqnRgqN$86~Rn%u%pcX*3V9h9RDD zdluP{r2xzRcZ4xUnr%|Jd~?b=d=U9}>P7Zk`zQg~`P2WS!=It9^in+7@`pVRQ1Cl% zVb`xU!vhGPQ~}E3?Nmdh5?_%-fzUH#Hd8MpIumX`GbcNqU2<&Qf)(NjdMi)50x?n^ zIn?E0?J^!q?3`7qr6j=LAToxrT zSrKaM^OY^5rIp!ltrEqfe=$6#s+=j z;H9u?leH>nqyz<5EdJ*r-ef=)jkYY{D1QgSxRy*EhRTdB9V~KKb1HsFAm}6fmTdvL zA}-5g96Sm}_0)-Gq4+W)IxX-DgpM*moAp0EyCr$35Ts3dN35MXHScLj?J93t2>a6^ zpHz_zUtQ_F=E^LS!Lfd?QI!kUHIh%?{K$4Z_CoBb?p2zD`K8pK%6I<{o}X0|i}IAH zzTzKyzmGt+AqyaxZC*~CP|wP6_ZmNl;*17u)WsMyHZ1lBwWT_W8kq175v~g44~bR5 zZk>`3;a0Oa>Tf>~isVGyL;?~uX@MTEpxNO$Fe)+-Y3so9%z(vp%0;R-r6ky}ocsi; zOwB%gwP_IYl!q7)7z{JCS(AOmf;5JFV5|?4)Zf$un^btwQ~cIyc4lhVI5R0ti~0jLPt2Z6DeqU=}wV@psjLf z_zcGtm)Y)K2&hPj;HrV(C0U`=?N6xbmMbiD{W|f_{_ns!^HJ8h*V0#zM9y#a4gbge zCrsuP&r3K(|_Oh9;Wd>{EHLYY?`J2SS)B6tvwBlvv+-n^ww$A@mNl{1vS)ubbg#3DY@xJ}?2>ULX>8<}r(_U?y z?Yb)7+O?}tp5=cyC}GcTz9PG|>E31Q+IoCD7pL`J!GF=(S=*!1Z9vm*X8WYI*e>Wc zeU-~^vg1-PH;^8j%;VQm(tgdy)#HZl_}h7XZ>`7KB1XRS^B8uk(tX$}r4E~|{`fU$9SrP4-UP$qPVi3VIUOTwU%yOt z)pEEE+h)A_yKfu~Aj|0|LB{=fM5W2kON(DyV>WR?N0?7vQ!-Mc?$yYiN{ z%$KKYGYV+?XS3huakE(XyAA`_?fJjg->$Y>KZ>Ap+n@ZN&F9_uIiJ>u5h!>xwj9_# z-XPqkdLMwuJzhuOB=_)c_54;gcP3Lxt{3F1n*r62dh0JT&XYNN^-Z@=uUH2<@@?m|SR~?N$5A)uCQ`!!D@Vf#S>^0tUrt*+B@sDi* z`>ETe{<}JWft*Wp`v1q_6My{`fb(w$1^EZr7Xq2-{97cj>aP9|dPD;s>K(e0^QXbj zFNwdMe#*Y@-t@Brhu1{^wPquo+W+8l>3`8LVNZ*-Dp^{Iq1rru1O~YPA*L{4E#hWk zZdw}Z=`bvqcBx|BVK$|QA@=B?Wh<>k(o`FlOwHpXml%K?ukWZ~CXww+OvlorC1%tg$ zl2V7ohvULYv|5KU8LW_81+6+oiXG#IL*az~gv`P#VvSO##fA*O_Gb!0Hs8!KC`sNe z%c|qnQ5bt%<#SMpOYjge1MRGFR)Mv4qSZ(o-wcLMiP*+58Fo==UL{9`5rIHWdy0+9 zlae+D7FwEyL<*D*E3iG5d^0iG7I7h8;B?az&o!J3EhW@+2%ew_P7 z?3IS!9?2v%h$)c-VYx9_YMV+X=D`={blXjyg0cPtDNy_@M_|k-ra0DFjx0%j(xVUo zu8S0QyjfH80tKGPex;Hu#gbIBloPMYa64g+4pb_roLI>oiO`BlhHOi+r0`r4awgg# zpPj*33rPyCqBsqC)G@H1t2SLpuoR9>lPw6wVY1u_bJ!R&`urbqjoqn}XsjeeMgIA7 zfD|P^hVw-|w;VdlQok0evQSel5pls;oS-h*r7mxEtQOx|Sa9LL2aJPZX; zFe$YL;o}fSl^O`SI%y`TND8dvdI(kOlP5o>yM+`eEVqlhp&M1O 
z1yGLyIBQ}$?XlxwXsLwlic`Su7J&KRmZ3ja-xntUc~RwV@X-J9*y`k--=$ZtDgI5S zNs}0BjsYPcQLQ|NQ|u}WxtZ&~V#%eE=!>~L4-JFV$-!vd#YovYl|uvYq{?N8wA|$4 zVwr##o<%#*>@~T2iIM(&zBCX>)0!C*Dhj0L4dNZyw+g8s36I4GX&@hlmH%3n)bVJbD%Rjmd51|pr zJX*z&hVivPY7p$?hs7Eh1XpLN0Xbw}x`LS9n&&h^=Fox{^03v>GEovJOCb z^9m!fr^$(zqSLE?T%H7IG$J5~f5sW7s!CSoKD~Waclm9+yI5 zl-3+1wGx;mL3floZh&F7jtaxj-7}&$BGZ_0=R{sLP4lHoqB1#72Y(8R4@|aS%B4NY z7WG;#vB!LrD(0?eVLdfavuzW zILn`QjvL6!#QpKK?N;!l>IGJsuYIP@e#<55L;qz1vg@v-?>*|vEotDQ1=|f^v+c{b z#RFIjdDd3{_tUB7*g@{5SLHU7u(O<|)Kts){=caDrs&85cG;O=k_jia?POwhFtKgh zwmq?J8xy-@+qP{deeqls)HZc*Jqi%?$i3{-_Y`QpdDrMf~EM)tW0k z-BibZ#|A;i>j$80@;6}BE-Ug#@*d~R>IK2a)~P=d2;K?bod$xqH+jc9rh}xvxf_U8 zCb#v%s_Pu4BeGj^8rka#Yp+5%bjX(A4=bW>OdSWmfjp z>^24PoDKD-*G%%*W(WbEuRETWIFH-*CZ~^n^;SZ^ZC4)lwS&&BKZ{_+Wf(|A-}k#~ z+d$t{U9MKI_nS98O+8OLG@~~!3WaQW4Hj+LSNEqa8FV$7uExEmIiAL2Y+mdhl6)IS zOCq%E=NC&d8x_4?32Zxe7Y9fmLk`v~FIu$jL}RKvhMIjpM?hXLOG{6_{X4$9fM3y4 zYoMz?x?{eF=#+3EPyb#s+Qki-Yc%<5Ubf3Ka;yM zLCfE-gDG1+7Ub=&fd6XTC84@bR*&fLo{KGWnw_@q8k>#fq!eol(Ra%l*&(qrn;*k} zqupaGyI3hnY|i_01xIo?+ZY;fp;8xN{m4!1J+fc$g{?RS5vZV*wW_1EPI=)Q-0-0| z7-|cV<_|X;G31@12FQQ2_K!;mV%Etscwo(B)hzO%)0W^*(t;s^s#QeV?no@uqa;H) zPBl{M5GSKh{0Aw*_FU$jizQfB(l=4gh+d^HB(&$!_1!*7Vf56{O;M!*DeaUElUv9I z27wDLE{2K1un0#!G=jnaNlZ<8tqzH&w^D%`ORSU8slWou`WI$$Hfnrc#QtDbE)=)o zj#3TxNnIo3CC(pn#%TqKgddoabgcv7KTyVlLPW_rIOGKi4t_7B2Ur};+Zim72sh~e z#70Z{p{x?FOs$%L{bIv5GYCPb9$D%iD=TM}HDZugB0yKA2QjV`lzet9J;eXJQ|+;X zW#@IkLkrTlP05NXHy#F({77aam{3TbRRHZ+DmHuUQzDm(9ZOvCpzJ|LxJOsS2;@7- zw56&?=&vLu{-6v%DJ1qhwR#y@k0>4PgeKrx{==$aP1{$}@+Z^MbdP>swz#MaP|o!O zpArR&vR&WD%wSoGWwKsTbdlPcF*lPi43(4qevYGv%0~)Yy(K2Yor0Af&O^`QFX75~ zVUa5rzXtuYvNuO2ixb|wB`y)VhY%R9M--`TcPE%qBvkPC9=NbXCenaa!jza))Bm(y#%id53o9~c zgiVl&uKccpaA|_=BUxwRY-)67)Oqd{LauJM3Yn$PsDS^=hFTuCuUG?zoT_y^+!(zY z!e-r7Z3R-WdR{=ON#Vi4g=D05vRQ)5Sh)m2Zwpd6E7&KFo31OPH_1uFo;!aFT<%)|Fi;0NU>SHapxOGp;Y{MsA zKo#K-h;%AI6LB9LyU$GzO@*259l-8}CWpjOaQf-5&9iX@lL{kqn#Zs(n)<6z%cVc2 zUu5k3M4wZg_3k5tGKRZReh$N-Xi`JlAV|L-YzE^6fB81eJP}X 
zMDdUfoxV}2dX;3*HRe+3Rc81oQBW2rjfeYgs`{>rCF7UhyIJ}J4cjJDSW$;!OrI70 z_8+Y!V!=DVjcAmA&UX0%a-5*|Plz|^+TUW!A3vp>Da9cuYlG@Z09zv}QEl*87Y%|T z7v<&wMYNbhioPek;&ysWrOeHLIm6JX_jDRzH0dO14}S|0M$gKnLJx|Q+sd}I79bWl zG@_lc>xdM|G1Nxs0;D{d^gkoy3l+dpHHs&4D-IcwHwi>f_(BREtl3LQ{HEzgT5%) z2h$DE<3g_80REGy&FbSskuJv*BCzAV{Bdei^CjEU$M>^xXU><7_Hj0DcBUCKpz3r+$45)-B z({XF&CJgkGG`BqSUayo4WL4#Cy`6jRdLwRp&Q(NNHhVZvUX*{!be=N`rdTRD$Wmn> zpwaDEJBJEPx?Dc8eX98wUO4d9>AH)*@uwNSp#o$Sfdn`X7ayjyud0%&`ebwt`d`a{ ztNS;?t{blaRZ!!VdCFz#+jfv6J|cqKQBzE{u8^By=a$`S5rFHZA(&x`*W-XBVQWDK z7`Vmk`yfET<2F{EL+`U8Z)JV8Rrzq@$ekU6hkj}bY^if<_4)9y&31SW-|WNqG|OAU z*MQxyh++QFh2QdgNE^dwzosCt;VQjwT@693@xE(i&-%(+SYvU?c03dsTX*04*ZPso zalCkgb~P7q*|}Io!y5;>(FX9@RZS%8zHd^xdhT2r)hBr$%~wQsJU!)1j(aepfA+O8 z3?CR?7U6T6PNK(p-3Zn{(;;lRIhFiduyxsR27=pi8bn}8e>^(7c7D`KUhOyHOrG9nV@0fO~+b~!P{zp3=HA6uUoXTbCAu`?hSpyjou%vscc zwm?DS+fmJ@<)tYjLGVwKo|*2Z)ex`(9s~WcfCZlEy^5b$A!LE2DG3^hNfbZSa_sD? z;n6)i%j{N1kEp8i+w2`;qra}6j-&HGzx`AUst|Dg;syvpH!4l*yy#|VTGCY~SaTW2 z%q3bitziD3(P{ofD|cO&pC%5X&d;}tk6%%W|NWO1hLSuDCo~vrmqy+jnoYEeR8?wD zI3!pjIZ_Zt}q{gXrh136Q}9nB*D}8h4rR;_T$Itn|ry8lErIhU8KtKWoo8`kN|(d z$nfq(t%-bGbqrkwD=ahs8NBiMDFJm0{fG3{aas91L@XS*NI$8>b7b0=?CKy)9am*g zykw#`!!Ou^X_8;}d&Jl+FRxiYt6WHMZsK>KK~X9KRqoBpq;FaG{@$Z58SFkbyfQ&d z{@=cGH=6zRk^Tzu7s?uLEO`Bh{a-t$@G6aGr3wXExJe7#(FlY5<>VY>Qs|Z~%Eyui z@;wP6-moN5O6`?$_Dlxv24s{@|LQbh^ZlYigbGs;y$5h*I&Hk6f01Qf9ljw^jV4|+ z)i&T1-Y}_Qt?f6^1TNUO)kNh>B%G#X_LmP-IY>V0*YEKYle#1#={;z6;0n2AIE5Mf z(~M!^!Nyj^xAc=^K9|V|G@vlWmhU>kGBGC>@JcCn{aqI>`L`sNk1?{IoGY`tbi2rH zP|Q?P9jJWud%`CtXLZh{Rd*Opo!K}oy4UEd0CClUja0ZcLpjJG2f_&*%a3`ge%i&c zV}~jPkL9!TZmXQLNYJhRg8;w@Li2r?^rcfNdm#X6R({5ul)*(Im2L`&_@&R5#bZFI zLnZxiCqjH%W&}K52gyp$XhF-UL)q)$)BGY980+P?t94-t{44Gre?jO1p6f&{@(S5j zsAd%~h*Xp8Eq+zHk|*sRB{+#8NY%qE+-dD#r4##RLbm;3A~E9~U$w{6J>=8Jpv-~_ zU&09}!<^$ATdA|`X0`KE6j|&Y42n)x@K>AR490G*Yjje+x@8uYYdQrdv}l;t|NG0^ zu<~CbA7(g{J~nBvKc+8&pn@r@csiPi^YZxj;y{0MfpQNc(9xm`{e_tg- 
zCgxP>!&!i!ZrYfRGm)sA9s5D@%e6<#J;**)HwLCLZe6CEUI4~z<=0Ya9CPrlde`c%_Cs?H9qa34WQ>Jur*c3$=B1EJ@ z$_ZQ#%UOZbZ*kKxx?)y+DdNAq$u+JJY=c{q$_=p1BDp{E5asN8 zk6J5f{nW&1DRsj7Ma(N#WYOBpQ;b<#+3$9x4e^Y*Jk_j{?@h#Q|7(1D29oA7lz{Z> z-+XodeEp3+dOv6E#yt##C)2-Ij9C@*ueB1(U^l5&)7Hw6t zbG?VON6$2EoSrdQJ6`!yRC}yd#GHF*Tm~6GqNv{DyKUE8Y?+rAO7x}Na8JRZX4acBF8y`P*}W@I6{0uK@wmUOIZ zvL4Ph*Y2(@WuzBtqn{UrR$C<-AKMNap0c;P-FEv~VWG0PHufXe9+6*cv#%XJL+g75 z&_LTs0Ij=+Q7UJq6_-wupn@efS%8<~PGa+?<0sTB1x2fM&SpTHPfUBv=8@^vEW@?W zbHwh=n5=7-?}H~duk&7T=tcX$7nb&Y2rKzK=)7CfZfg7PbWg(VjJopxgGDS7WL9 z?qc}%U^xx%HC9CN34q4A$Rs=Pyx!7;f8&JeHFWAXsn|P^Yg?~Zj9E%784}$90B!Q(%&G*Cil4o zheUho0tS+qoi4%yQM$B`HGZfhPP-^h6>4cq&3$qRD_9{=yc!VZ^=VOL9)HV(sWAVu z?^vM0yJUH0P$DYljl}lK8F%U?$aOkgmx*{5tn=#;Mz4+5yco0jH?7I47X+Actf8fR zV^#=Dsa#fXT5d61p~_SbSi^Gn+loq-9y9H#BdZ!?TZbWYTNKRc{1~{kw9153 zNqhlRbSY|Er%aLN_Xx}jR^l{ELuB={aPOcy5m#HtoA)d^5 zw1YXl=R(CLYEGHCNe4M(<>pgm$%*TerhHFOD%W}>+?t&ui%p0yYE7YvUWY{nUV>{jAF@ zz7V*Hi-C+5c!?v-&_V*osJGZIl9Zc0A@s< zd4_rJHn&^(Zwq*(RdaPci7)A#8JiTBEsRLZGN3enoHir=Dk&(SXS(w*DmQZA@`hYh zQxMX(QFjV}%d!Yl>WFBn8q)^L-&roDwQkKo^= z+X%?`iRf0CT{X~U-<)L(-#)+f%ayMAD`d-4Gk;21*v@u9H{T4p4Xb%kV7Z)1*U!;9 zUrS;BPm=DnNPs(6Ig0qeRfteMRRzujCyxm3E z2)i*28P23={hKM50)etdr{FYBqGORi<0YFL<4JgT5Tiw%vTGEo)bR3fP@zjwaedOX z@~HY$2Ij&a3NvFy+FYBkN!gCVY%q!}tx;J;m!=h{^)x8JL%x^oa!ug`xf0@9Fg8TK zdR7kl$Yg9}{eb|7)Pi2liPJ`QZ=F7j(H$n8MnR(Dcav}?ZF+TQk$#Wt%&A9{Bj5zr zR^{D)4=XQfF|bdER|39v(35a~$;Z`cMK+)9$Qwa)0z^0wY5WWD1M%}~$pXKYY=Svu z)*vI#hwUS94T1BvTKj?5w|B$yCg!r;MYS`VGyCP(zo6O2c;bfd42k{2t0ZHZ0DY@#92^&YW)<&xNN(FT`1@R9@ZV6qM=dsh|Eu+~mphJ<}cKD*XK?FK_x2<~Sj`6+z?lD4w zRR7ks^~`U1VC&m3hTnPFs*145V|mdGwp&m_@4Nf_k$s+|^L~MjgBJ$&q086xnT!E) z+A>yIzVvG@eUtU_sk(@Jy->|I!*6qHv{a1&eA~1l5KW<9GrHVs#`Qv)e;t6A+^D~? 
zd875%m-yphe0jC%E9Kj=WC6?0aS;@8nALazm6GkN;U;aLA}tGipPaB=JKS(P(G9wr z_N*KAVbHeD>b#qkG2QGu!W|N^oqW6gyXX<<=%edx9Y`^UF{$ga(JbziA{ij+(pn0t zau51I_LRx2f_=+uU6((kk)`z|XsPi1_&lm|nx6DL2UQKR^SRU*``UeSmuxJy-{1hb z85_5+x2oQIo^hK!QqcK4`{HGU>;FOQ);#!%zv&(lJa1WjfCP7SZ-8=lq35Pna=u?B zD~AcMN_JXecIh{O6W<%aJ;49t^d)Dm|Bpz(bH8-Zz#Y)--}}@BJpUhve`@ebnY$LK zJPrN^MZ(=M3r81r=MgHM!n*}N)|t2GCRjtob0&nz(qW|wYrH@d60+K8c=;r7O|-(T zaZWtK$=Eb%K^XcX__@}?O-aNTy;Vof#$vYuSEV(wjuqxU0k< zp(-j;H^vWV8fBHyg#gt9k zTaHm0|bBXOS;TsuLzH{p5|9A2H7>Rk0iR(_3uLO0{YSZ=a81 z-<0osI^u_}Uv*$`LN)DokIKR}XkN%!#=492y-l44rq*CNZos5|+24{nnYlnPp~@B6 zopPWRSMj>D5_wOAyA-UfE~vOlK5IBnEc3637&b?dd9n5#SKMY@`8jENw|~a5yOO;3 zaJ6hg+XT0E=ln306@uB5g!T}Ft0hTCp|A?U(AeeCvaXDGrq0meR^d`tD)mi{ea9=% z%J;<(B1QypoQN4ysgSs0Q*N<&j2?w9MaBWz!lU^qUl8Js_jeOWt zQ#hg|-v5`nVXL~#gB*9(v|E`K`&Z`0vl?};;y3LK-y|d_IRE=!$tJ zJZUuOux95;SLOmQE*l{Ty3#Z~y%Q^<)K(rZB+8*3rEp2|jP(6yvD=af2cOeBYxELA zrjrc8RYfuK5cwk22oWz@=Opq9`DC{4p9Mkv{P~Kw@m0n5zfoDmXW>J}zx(p*S z%xK9QJ<7vki+)-F$P}id}{2JdU0I&W_bZm8Q~7!RM^>5i7g~aaQOy1cFJW` zaib!lP{Ri4Pp)Y?$G0#h2-azz3i{r?bj17nRp6P(~qMk^|&1Upbr_;TRs6z^!_dYMc%QxxhB#TYg z^$qPE5LU4Ykd^Iijqq`NLBGQFeauqTYCna1FwAZ~`JQ(VWYwj-TMDVmp&Lii<4-b=D1``*_7NMS6KvA2S zj%HQfog2?fZwszhNSnv3Us84RA!xArdEO~u`ANKKtd zO+edcIy|4+X>sdRN3+mtTOa+~O`z#F&8(-KJ76o~hR2*dV8e9lLba{>W)eo$ww~o} zL%GHWQ}&`xT|ZPgTKlFfhF<-%`cucX=Dz30i(}5Z`y_Zqsb`n_kcA_@_d^&Rf&E03 zu9sa^a};>W2DwL7qwc#>ChtpuWBEyAbRv4Eb5H16cEc$mK?)+jtGl)$KI2t|ZPU=y zqu1+sJwZnO_lE-AVeYJlti~MA*YXa>g|=D4Gz!oAF1ybt%PBsXx8oDX?KM@t&v23- zHv%=@wi`zwxloXdKkLP~i)wafPg9!@ zWd!R+=MR%mEA`P>SG<=tz91?LAsl)x&lns;pS{YGUdE{Nt}*{BfFbWqBjVV87VL*7 z+wx63Ak*nn13;eQM4cW*_RF^lB-sX{czn78#j-?>FM=3|zk<2@xV=)n4qknUnRS_Z zs0@hrib3Ka$Rbs>-oE; z8TH#ole5NALvdOWFq?0Fuqp^ zx_OOZ!SUCagf(L4l!;CV{Ov)&A%o;fwU}-(-RQ zu)#z{y?$B=oD18n693Evcx;?fu@e&ErdzZVBLvEpIdSoPrFvZB*Z|rL%K-Fn-}lqx>qVb zkrra)|7Hw{R&LcR)@{}db^KOCpvNsd^XL<5-b0z_0ge^Ej@W zyC^H4aE;tpmdagc;R1POjds)D|48AkvI+OViQAx*emA{nWIzAxGsrrDHBOHMejTq=30 
zuu(h&7WO=%)();!*%WVLD+x3O#nnMx7c0=U(#8$$>_BI`=X;|3uqPMVM6AH2D*ZV+ z@Y;`hQ)ob3E_F9h7}{bHehDE{zG3H&Pc4gs0?we6+NPff$?a;?) zA{-t6#=1s_7zP0oCPKX0au)V=JWc#s@86ZR`@myUIP~Ysy$_J2v znD4^Z&128>Ya1gy59!*a_JeG{U~uH8Xz#D@DCWmoUrl`FraHjAxC1t?+GjJn#?G<0 zON3RFBiiQCn^OW``+J(VD#z<$PtbX=^`)AuHs0Oz@~NUbqw#u3t2Wf z>#0Aq!m1^wWAQ#uwIT2^dJE{&T!PUA;G`jF zI@OJb(gk>t*koOV05#r9?rOLrovJk_I`3j95N&v~#yjtK33ShDT%O-UeZ6+k-guuk zCoQu*)*P0w-d{tvI99AppI=HeG3eWWbS%oRr<%IxMZI@vy7!1JRfkzDOQ~#c>Zg$!~lK`BC>ef49%}LEXM^Ofj z!Pe|vM)j7Hp2@~X_|_R?+HVz&I>G22XDU7}2LbKTykMQRUAMu_bumc82>0}oHH~*6 zn}$mr?|TIF!pmDa#v4L4JdAutIKX9%WzQEJhWakg-S1l-`>nQ~q1H?ru5m&`Q$@6Jnk!k;!qy`tzCMa0tJc;uPzMc%(%jNT-JX(VwyJan2 zlE0z`cC+*fEc`$W0bKajKY(Dve0xAflfQ_szQ|_BL+`htjJk`m*!_IpSZYhsi!t_<=Xv1!%uyw|p)y4gZne2bR`&DZdjK4!{^5o@P_f*TcCHH5 ziZzSKNw6HfR%hr}qj@u?o;9c9$V2#E^pMF-Ze|TrmDlu$6gfW`u7H{f_=Q39S55@| z7$s!zj|@_Z-ycMq29ibc)3|<|P*-`J=4w+)#GSVJ+CQD!b!NVuPuDUJH)P1cyRKU2 z{y|B&JqRcdE))5q!BOP|&WsYdFOgSD0fYo+TRUJ8HE}{7Me0aq zKzaN&bvMahWeS5LS>=&U1}&X1r=gM&2|0knYMR_!(#Ta8Dr2X&?PuN(eg6;QMp1sc zC0zSfjCreIkPP+AA4N4-3dj{gGHTsdkjX!`$EOkcS|w4EXvlZ<0+0Z6Tj)~=AwJ5i zgGBbuPJpkCCbervJ$gmq9US4?$sn60nsAXyMkydhG;c>F-yGjii1FZ8KjBtnO;chS zuEeP5qy^9`r^PYLk*-9EtPm0|I3V^2LVd*p`9pAiPbg`LF)P-W3Pxh2Eu!cw&4KLX zqH~<^*`kSAE*?!EAD#?|;|m{@;n_7pDcoDmSF#KbcY-$*<12;C#RlVBUNo{NeKIfC znAo53^0ktA>xfi#=qKc!-SE#z{Jr2;PDoa3Ugn{+r&KZ*v?dq#r<*NyM_Fqq)B`K} zZ&_%Xp>L3L#ASmN7H=K}YKA#F^KGL_wVbt_QZ;YLt+;77;tAL|QMEPrg2-<{uUeeF z%-;vX z1N~QJ(->PSXf&DgpNNHZxlw?`&!Jfa<#1k7Z7@&6Vy5qo_IW~RbppDw^WX4Ocq2(X zDdi?ewTrFW^U~8~vdlFpY19WZ8?ODy8iX=PKebnBgfJz&Zz*$Mbw&0246au_gwVwd{BJ&}B|M+JpS zjVcXp#+9)o9C$SLaw6vxr%@^h&IWT2vj}~IKcSK;UPGD8pA`19R&b6pqep~8!Ps>)dF-)wfKpoF9um&UaQJZ4xW((8MWE&a4V4_Q0v$d|f>uy6CpBBkotlr>B<lfh3mx=X2uI^*M^5aMMjZr{>eVd6O+rrDx^olVII-?~1vG zb+Khf`@Pupk!^AFZXEn^3w!G>*OGz9YAprPt*T*YN;0&OYYQp`a4>Ed5tH@sChUU} zqOx+4Qp7yPA=z8aWjwcah5J1%YI%_|19;n_V>?M;%QL@NYO7QCWIs#(Wb-mfwQ;cc zY8UZGSINuj`7sV-#`M7D`7vR%Ed|#pv}>YhZHvpzZnDbFX}fi)vr+zXkN}Sh$hPuw 
znZiJJcE{Ew^1g@nSkTkE-p8Kp{z~v=5bp54y;IEs_?(44r7VvS-L03Xsyhmsfr9sw zmzKBea@s^*w_8ydHXW1RmP0RjJ2*Jpy_RR+bU3fJvs^vBj()f8NW(I$*j)xJc!Ith zAcd34SHQ>Z2>>R7Zp#hv0eqAFMKEyHV<6>HsCdwpJ{eKxvB=$&-r2!va;k=lq-8g3 zyqLY?w*DbpQ@4FgbkMrsQJH|x`^oL4GdP%H zA&2k7Z|zFgZUYCS`4hQ?0+9A;ayy>Ud;=S!{<4%|#b!F0QTW*l)y&7}z5BlVZ)vha zOZ%Z$I)C@)sW8E+p$9Xh{1KGPL;rZ zmV0aEs#zD*H&bSNPJ7v+cNw^8c=ORmvh3{Qb$#vHg|hx(<}k1{2WVXboFd{dZDs*G z-=eHxD}1kZi*jsFmWE!W0UE{;R}?@FkE{rp4ZHufeABZ)&4vGAp-l>irMnzH08Cvf ze;`Vte~tinL5QzIpHB-JAPOHI(3Ckjfvp|w;XAtsbD3zMb~QylOfTYYUeX^|K%)jzP18Kr5MFI#(|)Q(BA&IlnE zZ{bqR=~M`}+Q+BezzIf;I2I^A@O45zeWEnvrld4Z9ivFS74+dIG1{xP)Y-xvn*sf+ zTYIz8lm=J5vIq}lFinJ-5h`8^0mkItsLC1{$NiX)*v&6gn)o*2X+Fi16uhysBTeVr z`Qki;Ne51%rfnXHmQ5otdy@4E8S^H^F%|y6-aY|E7PLI2=Ce6H1st)Db;-c4n zkD8e)*;Ek4+9q-{UG;GC;xxa#$n!0Pj#~5{h2J-1r6cAb-%}-HQ3D-?YXl{sqp(FraMZGkS?7eC zQG{)TRQsWGldQ5#owewbN8zPOL{t)F*hza(J5*E&L{EkcRTd)|FRobUhN~jU~dh1<$RBMar@jVykS34K3%dhe0<-c`2320|1a(t zicTiI(aR-w$DJ?J4OfngoA*btSeeN}C9Y%zXLk3X%%bHJp(@2YYJ$QL38h715@qsP zVYxnC)y%jG=4zI@AEO?&UXhY4GA&Ize80K#P~w`5>gZ^$d8kY=`XhWzS$*cz#MeF&S|=cOa-E*^zc)i25tY>!h@rzHw;37X8>F znwG88rNCcOkaK%g#1pP|&V<6`4u3`zjUB0oMV_fR?C{{HR+!?z&y>0n>)$T3>eU5_ z8A5i{WI|K6aFfUrz)435uP zEZ@-A=SL}B$HfVZ=khPdmpk8!GUzHN2F-yIQWyDXCVqcXe5PDW`TYBcIVuw%8WTem zW}d{DrD30%Ms> ziJDy=8A?k_!DPwW{+j}MW-U6Y?@yPSWRL3f-cm5Jx>fn{KjWkMhxoRx3@Fg_3DouX zxdD_#%IkB6`~XJ~se*xSsBMua-q$0-@_dA;Jz zuB=_Fc0}YwOM!^=yksCM0luTzy}5M^ZtL%Ay^QpIK$1`_5mE zs<@=K4506@wy3XT&+$N1eRi|mkR(QS-I9K&_WLqQ=;bZ^a|&?nWG4z(bqA|>1(6~$ zrCUF>`bOKh^MG>s5O~FB0YpUfddjDp1R?{Uo1>m@FbL9J`)hn0dvXr9YG2b!Xf>=M z=bq=v94(fY7}#Szws$Igig-a6uBD2X@G2A~XZT**Hl0;Ayf$-1%~Ie58;6gM3n@MZ zTGp37{avBwYNuA;tXftB)&rgc_HekjGy-RM>9=myRX2hAZ8dalA5D#i>%hnVtpLw` z=^ZO~zPe&xH&#c{E5Bcqxk0Kqw=(R9c0Qd6h4B_W!QIOOR6U)uPNX%53E&_QY+b~1P=}{E1e;L zI&8^Ega#uCQtFbMB6UGAg8R;VAcG6uHpMoYskmD;UK$0hUL{D0KZm@L=Gp?TY~d=p z$Cs8oUb)LbxPw#6ip!}}94ec>^6PTZFD_moFT28H&x(5^n#P`9(T-C|NZdxS2Zpt* zzcACa_+5+w5~ZjD>`=wC&);%|WU@e=P;3o}Syx; 
z{|`YS0obBh=q&PcGcDYseU>HH1-n((RX?-&LN>Js>@tChGI#}OHNTTQfqq9V)V z<)L!%^lW?nEZ9!NnY@m`vFcC~xM8W^q!9tpzg+yIwUzP~hcq{Px`z`728U6F?ZHGk zeGoG|#CV5@B)q%zB=D-8P6Pi)agUVZHA30Mha};~I(h8L5f5bwgizbcqWrL?PV&>^ z-%*Fak5kQgg+wFHWI4v3&&s!`X#+C74LzdXllOtNd4rb&#Uu33DU!ft0~$Z46>mQz*Jcst;FFO(m;xUq`MtMtZs zg-k&L+j(Y+vqzYI^vv+DRcqNv6}7_MTVzZ(G=KsgNd~42?&8KbtnZw3A-{$H!aK`6 z^vR4>6t;b5NFz_7cj{HjcHve@in+lK3=S?zm&Rbcq=bwU^ADPT*co>aKQcC5@EFW);oW;VZH|NiW88uB@ zsKk{VCkmsO0TxBHh)9(2tDe=q*KrR_{_J|=JKPC*1lvL#_h7eFGlr7C1b#J>l=1-| zr%9BY;z#|fZ`}^X2jGlHQ^N{`<2?#8V}yP87MdQofPxvXyp(Asa%z)VO3N1@n@8=R zx|btT6;asa7x=IVN`}=)oUtY_hP7hAXU#Cu>25^VV6^j_pwNm7k&?9=^dX(bJu~_x=*)CmOS0bsOsJZ-?=> z>8qv=^s3Wl{=f0=ODRTtcW@6}c>(B(eO)=*kjFc+!eDN?`Zd@OGh7WuCHBRcF{uKd!BQ89lI{Ja;`sYo-PRTaTAURWfpDZQEyRN`@wh z7`QJ709MyCb#GI;9GJzfo=0|DU9acL%~zdn7yI3P!8-`HHMJH%=f3YR1vPxW3v`>O zo4Gcy(Z08PrjwqIa|<@>ucbmO%GclsT&q0W`AL^Pw~_7{le(`>Nzv>&T#q;fn$ZR9 z>sKc@fd>S9m!WsAt&is<$y>K^H}5YIO`I2%6V;_xpY7bC%X>3LJAD74oMZdS4}`Kv z9(^2PrPt276m>aH7BF;L&9ISfO|EEc-?lzK*{j#HwJjx2kIiPiUi~^8j&D>q8%K2$ zMSV8itcP;6>%crvot}~IwmfNk-~9_7*tDrTjK&DAx-uVnWLy`v+KfS*K+s7#Vlw;c zSMaBauj@<5Zo$&hZz$H~1;mw#Bhwm>F5rueE#PR>^!)w4YOSl`B_rB5;c3Ui6}NrI zKeWr~b3MtwzJ_na$0}y=sm5KI<2|IJd8DJQuQ&#H+TnCx{aS|+sfx>cb96d;wc&(| zJ$bjZRd{#&6{nT$V?QZud*1%4xNtC@H&70uYzmW7}UlIFypOQ32Z>r zB8!}l>dn?d*cR?s#CG?l(lW|#$PIMNn6o74@YzD^SM@4IxKOB`5;_?mMcJ1qQmaAm zKSn_(P|0Ns&!I2pxGP%ShxkB^J)XD>%z%m0Mte=2<=c>bhf>*1X>T zJ&sN~i{ri9e}c6tggG5)NW_c)tZ_#q0>SOXQ;m(!F$H)>wQ`ofeo9s>=(X}GWqBKme;G!UX=;kf(0e8--6e5X{E3RM z$;+CZS4r*la53zn^~04bz&Qi)@slO{3q$zrl;{*pC@S-lc!FI;SrQ9FNC0R58nNY3 z??VuX~7nz#M^i-{4jy?)w`?zhpBUl zt|aWbb)1enNyoNrt2?&sj&0kvZQHhOqhs62-haODjC0O^Q)AR^)jMj{Tx+gpay9>+ zEEGiyjXcg=AcmXA771>sxzigN0@T1R3>7OO@*& znwoUm4|!DkM?j4jr_NYGQ$vmlh{we_GahMb)Y95HwiH&?4l1f!CbXNGmD|cp37eB9 z#Jnm3+1QY&OC|-$mQV7`3xi(TsphZpY}oq*LV;-fJJ>lBzKObn`8;7JU*B!#!Jhxy zb{0XWnD($=|3|U$+usgFT*#Th!F^Cdd_bQ&pH*VZC%%ad4>yT~GkRugG(^+pZ*YDP za|}79q7uc#dIpChPr|}a%0RGPX-7BA`~=M+9dFH67!o)Z`9`(W2_4N0clIPJtyLxO 
zCCUKRO@)PRm)6Ae=S5T}usUlV2@ljk7BhqaVobEdEOqRo`g1}RaRf%_8io4gVoBwm z69;oDuu>O=af&~hW3C7*;81qWXgrW=R)^6J`8$z}V~J!oyk^A*3cn~I1q7FEbZ{!o z4dfT^--B$(ji_W?Lk(D_qx`M@N&eY5oDNZ#tdIu9TTPbUF3YPj5nRSSI#C`fCr%@a zewPd^KMl_+R_7KXi={T^h50FzpZ1KI^qLFEJyrgy0_1YNpaLiFS!hh`zvO_AZvveE zExtgqbW0PKF}5RZ)DaaFHl@G$Tk@b)6`=`}qdgQNB$F(PFjGhUqLrN2(bhahiqR$- zISsnWtvt+8#4Ds=;G#Kr6kTT1eP~ng4MSC*B@ta%+`4abro1jg>*G3fQ!t zRlr8D7Q+^Q8w8a1G&7YY*}}>54KPlVHJwvWE9jQV6hkaae!CGr8?Q~_0t z#Yuy<7&i%_t`lKl7~ z1cUNH@$QS_d*Lhp{_VYDsl*aCL1%>lW`5n|B>OZIUuU;_S^Tj8;fxf_nk;BYJQv+`xGy zj4nuQnyMcERm~Xpvz1)^;MSbaYP-=hfnB3fch??u;C8z$Uc5Q%M|H<8&-yGPVW2eC9NAOVSu1@t+>Lv9ISF$N$0g~QB z++>dK+u?VRp>ZSJ(;o){@3>9JXBw&8sLl#G+xn;`Jr(yD4iW_Zu1SPC@1xR+~ z3oHYgnzR6Xk?(3>3D8d~zOXW}^$dZi7AVxrHngNVr{Bu=5r_x8nBmpt=X>}NiChPw z>d*qEQZtrY<|T;;*HS13$&XBa2x2EWyE9`ODq=9ivakr`R3}~1(kzvzys$RK#-3q_JEZv8-@CRA#FOkA%ow%I|$g=34&b@KfSd2;HO-D}y zA~TgOeyl#xZKuYx>oKFUup@ApB#_F)+(Sv7Km9?>TKjwU^pcyJ-)dz)>LH6 z_u33Hb`i=qe-q2h7Mjp3%tC)Tl%TCj(>o+Gf%^Gq#F^9>skS_Y1jz>7sbiy9bH|0> zJLSm-Nl}6A*yjIw7V4^ z{-*~L-?#Tx7$(2dK_cj$BwUijb+WM2kjZ|capSsj`T2r=?JDa z^+q6aQaDPA`pfSMrO%rlOStPSQOBY~~L3zJCZ&vCTm_8-cqV z=|DQ^ink;s;Z{zK3*%|4a_E#jfOFnva6{llcYu$rYiMe6w#7)+Kt zV!f9}0A_xZQ;KM)1u0CwynxEF{lP5R)T*^t*j;+)9}T%ruBNQXR9UdrG03GOTP4y8_Emuel?kHj zJaa5@ux2o8CuqNLwE38rd_)>61tHii887joj)5ONuoV76P|5fi2RrkpSny1f)f2(Xjv4hf<>@oEjR1N#zp;2CcP^z<=5klTA{&#- zeWDFj*;x+^M7Wh+0}M;HRSSwZ)if~*>orFqdZBZe zW=0cbdKs%e^(^V711Nc=v=|lqUPGy==Kb27|Ic4gbS*^wx_xa5+a$$KHF)F|nA=C* z%9g89LA=v^_K80-i?V0fJzzIsh=-X;uw@JI+a3ba%!?CZLmuKkir=iPxo6tefWhKVdQ-2Nv z@52l%MW3r~(;zsFZGyJ@wM^{nH+db&blVx+p2Fp0zBjk|1TlIy7r3d$VH3P+*t_kg zebQNpTQ>{WnbmP@7y2T*eXz5r+F>6kVDquJXo=S~IGc-U-Q5o}%F)t!Kh#*mjsJAK zB`fiemt1?gQ^4Exz&zRgb)RxaC5G2^Q8T(DH@n&JuwbH=d-q+GYBP9!GwH^3@Y5bP zoZq15CPOmyT0hot@+WgUpY}hEq;zf{hFAHHr>tFft6g^HXK~-x_+}5d-L|_bSI_l0 zKMbF`Ae;{pUkH4!^{y`g@B5A$y_{w3i(N+3PxNssn-+}+H941^YeJUHtNc%3Nsfp- z?z`=~J{jI|Iu=cnZ#=+{S3P?E*A~6n?#)WM-iNjG-jdAGs?H}A0q!dvQ`K7<0ooj& 
zZ1$UJE$E$M$D5nl$76;Vz_?K1u-y+RHK%*O-t_abXFR%5^0I@5GFD>Mxu*Ri4Aqxpb`sdrbI#8Juo~~a%C>R4dmIKn z4s;KRjY@@&i(c41OP*(aA-ygl63{tM#JYAT{Ziew-OSaq|LUaR|9WR{&HXy8=2=?u z)Z26IGHq|~eH&D~Ww`Np|3~SJ@J8dd?Y_(H(e3UM*jwx=bTsA}Qmo_Ky2-{c)8jZi zQh@k}MHAwk6v$u!cyWIaF#QDTg#%y!rHp^#Bz=Se-!HzkF=P+sahfLWDB2^zq3_zs zT`%JcLKbkn`nSVs7XG!<7u*SO5Iq9uJgC`Hi^5fQ5P`6iIs&E$=~a?-JT@mKA$`bh z0UpQ!Gi`9I-iYlC(_rLNa6cZ!6tpZvjnf(@$;;dhx+-G5dNXR22XDXThg2C4)9y1Z zLBgC~xd{K;-Cbl3HH;4{?k7Y-ent@0&(Xl+qDnO(-Jxx|U8 zXo2(OYbtI{*BK~_pOZ}`COhdy(V9c>Fqe!f3*)I&Q?Fd3{zbfS6eNCC1PDN2E`{dF z3t^-FQC#;S5-KvI{PTp#n^?*I-fe(#)tT4@54$an$+kyo<1$r4PG(oXvG z9F~8TKIWHfJH4WC`OUdojcL;dNpRT5_1yPrU2*1~#W&DGJ%yoUpC88Punk2X1i7&| zoOT6U;};g9rikurrw|w2BQqW3$fIy&m?K?brZ`rWpUY-7`QTnntOWh?!En|Rq%p$m zkmmI2KVE|7G-<-hon99}X~IOXs7na&ivnmAXp0ZjDpP)-`aVqLQyZ9LY3ybeFj*j3 zTZHjHWd1Z%+m$_bNwCTXT7mu2W^%AkKVz@p3sEI%rlQ%e%c+VW&6bBRSE1W8hmHbm zKY}JyRQk|Rowc`^YhHJlGcd~#yhn5Y@y{?-=I>Jug))T;6`xtgL|gIFI2gjoJsJf< z7)%Z6B5FU&mf-MQc%^e=_LMwTRHL=n1*UGyEX+nV(V>0E3gXZwO(Jp~fM%8@>-@1|(lU?!Fi zjlR^f6tr#Su{4B_Vb`>aJ`sQh3fW%|yKO#k$r3|Wul{o-N@(-RQJS9cpu;Mh8N7t0 zjNm|Vq(Vld7&oliKH-Xa8(BBezlNXzG#hlO&?i6p0D z+T>|%tU%Z+A*OYAS zs^1b(XM0nD*NtMez^QZ#%SHh_z)CmZ)7qpKYZBSzXnxZ7<8YfjnZf*fgQolCRp&KQ zs;;>E@6e5VC$9Gs!O6AVWQ3IM^9q4&k7+c=wfCdd-@ub5j@@m~$VQEW=GIv6qwO0z zLZy#IG9JB;>S#nR_f~MYfAtIxJSr=^Cn=$tn>O1#wr9&jNNT#|u1@D8FFo0vukp)! 
z1SUEE^wiC>kDzVCD42UYEj~f)AGjXLX^w8&0{~J|Bi<5=a2(xy_%NKwH0^2q5TVivRbbCVEE&aN>lB z=O6TES0ww_;tN9qy&G_|x7TCv-1-Dh#_DCI<{=mOwOo7E^;qJ_&~`sgr}y!8v^p(N zX!rWeQKhjH_bRgo@b@rdc&Hy1ct4VxshZV0C`6hun+3e4+!h)UWPAjE9N<9-2-sY7 zW*a=6c#=(kZUcoZq&`<78}Q&&P;T_O-pZ zgO(lP*ZmDsJuEBVIkU;vq&v3O-gW%Xcd5Z0k8Ewpwq$z zjrIGpKhI^E&f^aFyM$*?@8vQ@PLBg1Ld50cDL!=P?&!w%d^gq?5dIb`0hWH}>rM9F z`DyAeWH1JN*>Ki=5ju{9hn-n%bV*MC*Q84W)sPT*Xk*_m_2xlu?W0+n%%A%o)@QnA z^Q2EcQ9f{YZM9Si8nE8%+u^jAtMl=FQ(}qaIOPNr6+SM>#HHiOlN!RWk{u-C^sbsP5zO?ys!zS@iy9J1qAu5Sc4%A!J*4x{&)zSTVBotLwzL zu613dVDaT{!g7#1tO*T@Ei@ck-=$>F@maY`9AMHg@@-slte-4S% z`;ZT^hBEI=J`E8Quo)62z@`Jl4XDupd^$%~5&GNw%(cCENTQ?l40c zwy6aPv=N>%kfy;E=X3Eu2V+lOaFnEtPFzD-$)t;{T^;ke znF8`$7kau)%NU9R>aF}-!FwNiBy|$KQvv%$o)HO8S<;0C`uGs7o}?QYFNRdsE{dXs zfq9r;3*y@enVoENG`ifG|) zI!1kci22K(M$WwXZN%|mGLD-9S3gUqV zwZ?J6Sy-iuP#HI? zj!SaU&c`gVmhKX;?MVnjRQ}~}k>JL&0MSU=Hn+ni&d*KN&ptz>aidpuke$RSaNck{ zttaHzh}wZKA;XA>$@t=w@xV49msv9cBgCzD<0GNCK%F0p(dfS$%)@^&5MaaQm3#=?Ay*~lH|_gIONTwiYDqV1mpdcM6O(m$SomGHK4NdTb*YbX-QK+>R%Cq zyP936{Wy;QB1*guqzs-HJgnlxQZHR+Bxh-JLHXE-6s`~A(60g?98cdXu zRF?U-(OTG$O_pK)#wCiuzloD2A*E%eWN#oREzHgox}#*yHScVdu7Niku-=wq5&8Nj zN%qZKDyJ>6;@DuMNfkL4#{nIy6XS1)H%wi6qSj?9Rjjl{6qL%1bhosjA02Qo2Sv$Q z$E__vBTtWWm;czl7rGO%5Ufk4lB|_Asbw&OYjO#PQ+_{opzFn@Y3c-(gN>+6W6G*) z|9aK&XFyBtcPnG@TR7%fj)-=a^cc=ZC^lCa$;qxPNaG!U`&~Gpa$Y}7MvM)a++Y(- zf`}4gw`{z`zV^&Vh#6O(D18!2q~~8o11n(0guBxzH?D~ zk86bwfzL~wPf(l>9K@Jy>2>{U-BK3otZhx6>xu=ov}O=K%x0Dh%81hUb;a z%kBmEtN%@Jj;%n?_5OpL2)(*hIhK6>f)8fqz^tEZ=R z4e_^5qzON3x0H#1=b6{KHTHSi4rm?QaX8_fBk;NaZF1AG5xLhftIKY=?M$CLr5Vp- z|L33FRrhswqWk^3BOq*w>$FVj?j%J3&%4gPPxJnopr;Jd^+gVGbj0Vz+Fj>tUCpQQ z(Ctm*L*ngxc+#eB!NRv*Z`0>(2Ja(I%Bm}~bEE&G$8Cb8l^^1npirfKU1=)~ z`6h{;fZ#51_~q?cq_fe<_icF<-DG#AApPyi`lQ$GU;ari&&yHtwf4~$MT*8!zL{vG zVD2IC&lT`J>uYxp>wD;ZntSK_cM$>l{rIi-UYeeY#U)Nj5x57ib-8^5)Y|TSj&eed z+apfUusM0aq7ML@_c+vl7zJcHpaSA9_sN*!8mEP<@)7ss!X)i6;R&S*ntUqy4sooO zE?SGz4jT-38sK#4Y@e8#)dv^qQCUCDm(yauV>6a6&&Qx6z{g)yD5Z~ZG&aJAa?~x% 
zdtygKnzZCd^UC5B$rGad@K^r@G_cfrF{WCuSr=uKCAh=j;pVuEdjtkj5GLHu-NLhYXr&e;Jv2qM5&Co4I z!RRy}_#3U>FLu-;U#UznT^~PqDw+u`g)7t~7IuM1xh%8fhkiL{4{lOft>BA$N_2WB zpV=ZsQZYIyY^2@*VfJI7{;2s^`+O3UL;+5T>Uf%ez$grixL5gG>=}{#xVasB+8X#y z?F(#)IuQadTqWs&9Hv0kS$Kq2^HWF75+D2OPs;pl=e^%#gAGA7mUK{Mj7RdvBv_AP zE^8(sC8nVreDr@ChsI`pemC#Aqp>&VP}a}9rH|5dk?$d}z&$H67?*xALZNDGK8-eM z6%KQ=$o{QX3>1UnmxzrEK>OW-Vu6;g+vf<5W_`%bjn`pD{g>?rsDe2>WxtHfnBd`> z%acJ%xt5*OGZT^&d0-i-u_sxi>x4Xh^gW`Ox&UQE5Rx}8ovKlNFBjyQ8WdQD)vW{=vT$1^56$TVs^j1c2d z1gT8yu8A}GTkSSb26-;x4;2gFfo&bo(m-+A_pUei-naRW|MZDuIJ-Z%_wM!YC+%Q# zD6%fUKLM7Kc}vmc^<^uI#GANKZ?cm3Sg>Zd+I;#MW*m6No3~|b%pY-}x7_^bMuX7^ z%rvHk$`u+3epJ52!Zic6GFrR?ZZk~Q1Yu8iVISpIvNh6(-PLe9#r5n?gh8Wean1!jA%#&3U zt2&xtSTj*bW84QDufKQhw&`irN+3@mBZ|j;I3i7Sw z;YOL2jMw}Tjwcvw@2Gelw;^qE#xdQjLb<2%GDGm^R%B>Zaxpbig)>w5SyZ!WE*995 zNw!y{NW7(JVs@G)FjFrYa6H1D5Z)=fQU;Eyorf<>gI-4oy2)p%e$rKI7j6C}_O;5w88EsMXC@@WRM z|Fo}kdxTNtbG$J5iT&<2o2nKZ1YHZ*=dax&-|ZR3uG~)dAnCah&g*?Px#+u-+*tAK zak%^g==b#coI-tw{c?G3#ez@AeN+YXWS{Ui-QOkStZupWJ_W?;z4EjAT*3rnCAWIt zI3KKE5co20cb9j4P+MNQcwMdT+rLbEoAji69Zum~#m4x@RwCu_J4VhtUjRBF^NQ!SNbag5H zW%j40;{nAk|J$05Z589XPR;8!1IOB<8~`ozvWx2T1dkxidG|9@j>J`%V`By*$NjM= z`{+OAlcfIzvwX^p{?9UBDBY;-9+r$b%)%$Wt2Gn9% zhR1gbVA4FUqL%%xTWjI_d8|ZGrRrn4&Gb6p76{JIdzs~KT5S(}zEMH{h|lhlTnpiD zZ5?;a&edr^g1-wL8s5 z%JRr|yBqqt9k|ADDg_#DOkE+*OYN&3%BrwpXQXl z1xfwDDwrqU^JrGJg2AEmDEv&AZjl*hOJPme5QsQgq!I1Rs5=F0spvfp-VboMJz{JXKNz1KlT(TzfACyP@m_Oey`5$quBwhhcNhMP7 z(*fgyL~;@>+I0uGqk#))<>}UiNw>nIAmBcNO_3?<#&(P80JR!lH%<%UwK(hfZaKFU;qrChu2-<;taVry*5UJm2<=kXU{Q2 z%Vn6kpx|FJ35yg-%sH6p9r-~9`Ed=_arnhUewZs(Rm2_9l1g)7HR#TLd85jO$jAP9 zXR;)LnPb#fguCWATropium|UF;ixU#hMDyLuj-4KIvte8$!+jE3{;aOpk;?l* zR{~LJ29YOYU7A8Jy?=@bxg~}`L*PoJMi{Bti0?ADpC@~Onv31oXA(jDT< zWN&r4eqvVj6>24V%3$M$GA~NvYfzYIDqKucVIK8Xt;`;rr}3OtDdR3oO{`<*^{Nx8 zBQmXX1ab?I)!M>hU&gYsB3H8X;t_q~P!E5F^6ab7ir{m~xKMP{jgvi4swDGDJ>}V* z5)4+B zjiVp8-^*g`!shQQh7}r)j&ZsRmV$Zc<6wHC2s}gfry0AjLO2F*O)z)h2S0j=A|!qI 
z-gc)xz9)wKlfdJg`>~P89AN&Bgx|!vZ?zZor)*HeBo3XOBV(uj9-m*&Au&HAW`mXl|I@_i)Y)3-oozrud3y zIJR~BsqacP4ezqs;l1z3r}sJAwZc-n^RSqsyZg9fGW%`w@ZT=~(JjRul=J)bF*IaCA9ik z<6%N=c?SIYte4|?0;s5WaDMWMlVGY6>$#VqcCKyP7^v!IVtSQPDK@j+J2EctS!KU1 z^cK16X7lBaRC{7uKPb1Grswmoc;TtHZ7*Qt;Dzt~T;%22;nQ_T9Z;l1z`3`+d;fvw zV&nCXOw!|F*~g>5xHLU<-qO~gkH!}t3JHkwwmXRNqU$Z&dCVZ-edCwS571{ix_olc zyeV{T?K~_{in-+7ZhLOO>h!#tGkV!_|C(^5z}Le2P<(N7sm=vR?znWm^mq%h0x*F9 zpHK}~`i}+jQCqKo54-2{nfjaS`YYK`?fd;!L4$F%m#mMeT)C;tPi_I(lM`F_O=KQ{ zrU{>Gn1xtGAJb>h;ZBYoi&>b=5~^%_s!k;mw<8Vw#VZMS&B`T(<``|!AsRPJ^tILrl*?i_G!2EIf2auE)2dC z@U)OmwoMNXiOce3SU}sV_KoM#$%fo#lY4kN(Uvd7um-jv__#~d?2=%Xa_;YAs`Q>`E%Au#g0`^~k>37}wU z=Uk;5ap2{n_RR8k}2ylu?Wsg@jMu57rpaT@8)u*i>V5ZL$aodvm5mSm#ro`)Tml4Lus*2#1 zT1m6TqXZRbEXF9AWWl?66x`EWtQt2RhuPHV{RnNaayn%=0~VU+{glawR>hfT41i70 ztw!!QtJZMRBv%=7j|-Gqm%u3qA^(m@5Z<{>Yd^a1a!u!(5?0IOBrqO;>#GNS8ViOlVdLbKJ^Ye&QsA zI?ADtHrlTTAGt{$1aevxGaDB|p)mh$U1H@%PLddfA~I)&&GM1!M4jrPAHI-;HNI)4sk^C7UF0)r(M=zMI9$fGt@X{*+}Vf`(yhl zHdE8t=3PXqa@6>%bi~1R%8zE}+=T}!QN|!f42PUo(gwU&$4Cg8oT3gIcbYg?+_H9I zTL{Q85@qZ)hWAi}xQmItKbgo94WSpo=o)zvn|9+;%apu zYmGuYpg#eo0_EVT^$vkXdEZZrc{Hil4=8a-5hw(lZ_n!k-rhsOtTshp-w7q!jw{-h z9pQbGM%z;NVdk4Ee)rfu`GsASSNjE{7>CoxCy7xj6u~O{3YObj9>&6R<;uz_NzX&KTktnbeD;}_I+s@(A{sGK<;tq{{VY`Uz^4Drn`U$o z95RKbRgP^_Vz`sSJA=t4oTka5@c<3+}_~;M4fVqaqhyeXkhdUcNpO(SIH3dNK7W4OFzV- zfmGa8!#e2S>7^;^)fR`UAAN;YWOqk3?37VrLSo7|jU<-?7gd=0x|IyZF! 
z*TTuYj-!pkfeda=g_VT_Ii9}&=j)^NZ;$9|pSOF11oNMPxx9u~t?bUZ7l$_OBs<19 z^I6?WKn8}Y_GOPmS6S+=j^`@1$cG23>kWiszMcg>f`)(S?{oxKWmg`6muEMh>`>b) zv+Ib=?Vf3Rob9hlv!_tiU7d{Owg$$Yn}Wf4l35;LgUR3LY?{yUwF(y@*IAVjwQ9I& zo`;y>3aPG#k8Zuq+mUG5ZBw|j8id4En`YsRPJ5SV-cWwhq*CesZI~DOU$+FWO#ZcD6uSsqIFhZu~s zH)xyg_je^VyP9>tYcu;sNsG|m9id~EyW)>&72l`G=9P9w1+fAwI#}-nAVxDV_VwGp zUBL1Nteg`V1mgZadSWn>_lofHWv4aS(NI%;&yc`dvh%HREeBlC0@Rza;Ffz1qqv6r6uBz3zQ<${F=FUZN^iJY z*leftrn2!Oh+VCKhI`D0Is&sO=TrLs8^h^fl<`E(7pYr+Z_RSo()fpPs#)2tw z?QIaD5_qg0MllrA(zRetiFE7}B}z|(S$+s|`yWjdKb(-OO`_me;O}q=7Okn)l_w;U zs#dBLB<(*mX(fw^t`F!089Kn%iAN0hco>z&LzL^GySU~*i?S+ybw1^2;Br)@WwP?X z_>*+hL_I#$rJ;{-wX;m2`>B?mq=*ihxPloaf3_(~24rntJeA9?32SyoWDtfZYD$XR zN6slFM(83~6Pz$EQwmKh7V`21FdPA;z|LF>^aCY0Q4fjX2s|!9ZX{fGsz|{~{4KhB z@FbLfwzLavGdC#Or&TA$6a5pBh~-;T_NTY8C#pMEQqb=axCy1bvSpI%7nBxCd>(fS;1ttvtD@YC+s;r7|!5 zuuoD%HqER+)0CVv;_qAi^p6~qCFNhMZHW4D@R(xdLb!?$WMXvD;?7_jICf-1vs{Y1 zq3YT8)6&coApw+PB{t2MyyGi^Z3OM!m}S2x5Y!gdnaCD}O*-I7hI)S^am{CktcHKX zsg}{<^xaK>y|&Cit+fA`#Ue4tr=Z5!L+i+woMe#Aj5ESbNFnKj_LL+*6Dl;kfg3^&<)l0e6;_Ljp~f5CQf;~pxc<1~HvF*El2P$Li0X$#V{=~R^V+km#_ z`3>=4txeVGvf##l`7|qA<}C&>nV(cfKax%;A(|C1f{>>NkfNEaRF6Yc89^+)%-VgZ%c- zY^F2;bS=vNfI*n8Y4)< zWr9?MvLp++X9A%~GmhpnXH`FzVWZF~W_HofoEtrEs~A`qv>~4woouxiksM zYm)DxjvuHja2=fyg?YdDs3`rs0a9!6<^~~`=mwcZXw;Hmfk}mS9m^xq%!k?jGwUe? 
zviCs4dj;)`TYQxJpBm4$PkEAL6N(>^lXl5Sl!okZCKYIW$F#A$aj2-XxDi(oL}f>W z8F>K(i%0_{^q_GMm-tI{6a|kD9SL~Xlq^B^UX|ZP{jXTf=5Wq#!|fgTlgxcDmMq(l zhiSVWtQn3%AVY+3Z_X!D&bM_8?VT3r`7iBdM*Hy-i9|jkfbmxVkRK@WEq3$2D{-g@ zgs5~Zyd)s!Dp|Rr`I6!smTz zP)%g}Vrcs4#03?9`-EORH<@>@Ay?OKKX!)C`A%f#dk<$8QR97eg3i>bhBIR8A~aRN zYnRKCu70{B6Bxni^*wj>YVI5zq4@&cHh6hi?Xi1CFg57i_!#JB*u0m&%n@nRw-&JWhnf*%j*=qpz+$VdvX_zsYmCO0mfztZww-)$ZY`s}4 zgRpj;I6zv{%IX1-^t2T*t3NZnW@jP}2GbDm)jlEL0Tey;q4k<}pe?n#Ep4^VR|HIF zc)r9Ytx)Kjg`W_4zaCg(EUX=u_f5Cg;*9i{Ir3y$eU6KU^>p{=eF=b@4||3EQf`M< zx5Y0U>&M3r#{v(p?`pOJ7}?H4LKwSmgKx9F;3R6*UHfMg0$vLduHDZ=_>V7$p3b)m zP#oDlLyDeh0=sr~@b}#^;8<=aYGUc5`#1b>!{7(`t*x&+!&j539&T>W?y)%!CC>Zj zuHAL#)9Id?)zdy*F^$(L(A!)eg}V%2hxVJhFE}2t(-SW}?{hIbL|R8RJTE_uCJ*#B zT-UwX+bz;p20N{vb~+-HUpl=P6I0gUbn9O|9RRXgmmkk7Id#S-BQ*FK&BqfDq8K}M z6E)4yN(81e8rHcyAt!v!gA)vZ`(f|smtBX|P3)Cc-Gg*8R~{T+qpJga0buY=>4X>o z%t!2k;F=`fKXo-00r{{VD`WL=iwteO&s6FR{~lZ z+9W;3wCcBQjaSiDyErTR5Mu!Uw{I+RFTNILiTNJ5<_NOIA1Gd|c z>I_>^H`;h-SVJT#K@##Jd4e|7X#ZMyvRW*{@4)2oZwYxm1*Oh=6-Emivrsqk5yzW@ zvyD>5Mt-wvj^yiC%?qAV)@>=039T`_qiWN<=3>TzHmXx7%!A6`b;?zhekfO*W1hP* zgUrPI5_`JJDX5ppt_h1NqefYMb|n8!jhQJc6^j!Y4OZk>oRaiUlH`e|PA1z*AW0>K zH52UFkDHQ3k`!gIokF*)r#V zpO@*AJgqt|+l||l6edM~J|jLriniXcRwv>00-&#U&EcG}G)#71ssT2;^|Sb@t+dN!w+O=Q-? 
z7K3Ry45yEagHBj6NmfX9dWQ%W>Q33Y>lace&+AAGg~nDrgRse8$Idqo67}vbIF#0$ zc;CbrQ(DI1_;*vZRpdXGyZOs*09#X1f=!e|;~eCWE{!BC z6}~J)30sF$#O-Arwg(bVK@-8nzt9B_?nDyDvE-L(nWBu<x(DE*Ed*9Y7wHh6#Vh2C$X!ay<`ZF*Yb_QN{id#~KJ)D- z@;_%ZulQXF6}F_9WRA{8*r23BrGmyqJgIz92(P=)c!ijDsw}zQwR}q@Pe@KD5#LC( z5#gvY@H;cU$e5D4pFD#XrtQ!6LwpP$fOTp_J}$O5449sK-wTP}%W&x1F8BOq6j2WO z@tOahi}!wt57e zF-F^{pGPqNxgZEnlLv8Qa+occf{#@VGtNT& zsb3em<3&MQHbKU0=7H==Q=0%i9vDwLOmYY$+?6f%uFi^ug;0{yprzr7`GXD96!SW5 zm_|V-Lz%apq!I5Ih1mo?!X(XJL@2w@T#@`zkuh(OokXwhzgzf|wD`hE#=4GjP=yt5 z%I|O4>almHdW)Y6lL|$auog!s^#p=)g$#*TOA$t;Iu*^!!*A}qw7fM3W_!Xhkxu9o zXwV#jro9M~e+I~97(B!Dnv9Xc2sH9&W|u|rSkD}T0F$*{_>W8jUzST-QD3@o=#t^MBeqtFWlUXkUXMARyf#DJk6yA)p`~0@5LfFmy}J&>hmHeA;QqzH8Y#N_p|poH|PFb_`mp`|Mh#bp0(ER``%qxYFhS_ObH_Tm?su@I3wwo zTuNL4d06usxz3UHIuW?`u@bwUEk#;;i#%F!*JbcMRQffIN&j5=(sc50cw%xFTL*ej z*~b`Yw~Jw#1}wy}gKr8*m7>;bS7N~{CuOsM>^Q0WBjQpXS7c`#@+htSZbw};?O4N7$mJdw*_96@I*?4a;$wR|>zHp*HEt5ksa#L8WUz4FhqA z$GRqN{j0w{bXd|x`|VY_hQ*(Z5tX!#ZSZ7c)unZh<9i+f>X#tU*q4hnMdbmL+5xRp z|AWf5ED)7v-&KXZusHJkXonepwF;SdaYF(T{cA4u>iBY_$)lpO_AY`tHSWBo_x<;1S<)EB+=X6PZ5hZvVjws2Tes z|7qMDB%O*JS`mpux<}2trr32;U6ehS{+54BhmF1DBAot1S6+DclZ(Ax1j;X&m-{6# zr-iRDMyy-n5BtR;Wrwjvor!Gpbq!S-sq!q`N$RvBhuOXiZ|h`GlyLZMAj8ctmR%MItLs|l7|{J0_8!#F)Svjk1kkw_9WDa z3{%BG-=x`EmwvSP=oN|-+CsBiO&yt7d4{cGSlM0^whK?!cU(EO)4UhvEIm{C28Y;5r5n#FyGY*T zH3PXmI)`2<^@f4S`0DYrw1G$Qlb`-rYYYChDqoXw+1M**PyuC}F4ZNCKB`&O2K8xk{j-Bx9Q6m^Z5D^7i_;(~ zbP2EXFj)mkc+1`s>5yr)1~$Sl*2cc>tMRa^mOIsjl105xCgGITrTqC$beif#_muqi zS(P+61%=3ykySHVj42cK*0ybpY^H>%&K(_iW>R0 z)6A-wEMvl0PwHBKdMK?hs?2X0ZhA&~ezu>5mCqQ%oiO#e=^u7UgT?Oe`5?KGg`eVa z1mKUZ2r-DOOU9O$+PPW|M4C!07?AiC-1j)K?|95JaDI~X>E}nACh`Mh#|C(^Z33xV zG1tBUKHX2!cf@P-Yr-8#a74+{rwhOmNefb;J(#x8J>kyY3~5}nF^KdBxH9xAAHC(L z`k~9*;grxT7L++2u9uA|%8B+&IG4PY3=Lq?W-F>;fZsMwm1;_P7aHrSBS>pHY4n z5I=cQsFW3U`kVgi9>#j1V1mE@V10u@YRGLjFJJ8&CKXYoa6EzXY2vA9)-P}N<=;cQ zt*l&)_`m8)R=8t+pwmXLcZ`ukalEcD>&tPy3z%|Dwo+4_Wnh+3W=iLs(l0h4OxE=4 zg_?kYF@K8fbMHvsILJumSJuhUmFXqp(v8sEu3t#k>OELoNGp#cFQk7A^3d{uN0Hsq 
zr=3XiS8S&bXfnt!^YPHIdL~u7*!#IRG8}Sz7v%(hbj1vNKjX8O_@#ej)9kA?f95{y zZQHJ`^pFpDr-B{(v6?BgPn_^MT6CzUu3d>T7{dXjAwv)+1RGF<3A9)l#+Y-+SA4C; zq%{zd6cB2yNls~CExc@^GI}4$8)GJk8>~ghrSle**SDgp%f)$(B9<-cjVyiIqDkyK zi%21k3!vtBr0ZDFM|J0TbQ*Q@_sKX~={&7&ZC`a!eUx_jv95>YImiZL0s)t$laoiP zZ8BL4`>?$gSL0r*9eNpInm&1$dBSGLa9O!0#=QiJLCU+K9x54VJUvA;5F${gF1N9#zh)1OqsnMtU3F*yOs+HQgbkh+HgH;u965 z9Qh4$E%q@VdE_<30EKuVnar_+Y)F{GpNs;%CwFuRyi;kSVl1qFdJ1q9+)=-INURM3 zCx+PZg6{inl0=|a9tT5lI@ODQ-bX(aByM3BHx6G9>^(g^j#oM7JKS=oeo+fm`#xRN z;(6e9y&JCcDE5Ffn!rULCa0h)Hx2H;nm$7xJ~?=uN}4)>d{;nYtRkie&ci%bk>%~F z6FQxF3{ydmT8MZ!uJkwP{B&y%@dW7B!c&TVjp)$LJ*3*y{Wu8UsFSN^dJz#BWB+BK zYVt(lw$HHh@=0sH-pY8hU$^speib^}D7ja{^U8Pg&ak=-7^mv7eB8Eb@yRcL6CWaV zutf`5-&T6tu`cP33BrE}hH}&Sl8YT|D&*eghqZ8ZI>T8EAAzs|TXKmZin^$IL(JC0 z+T^pDQUuhGN8PkVt^ynavg@;@Yp)wX9zCji-zTmsDsR1q!;wRhNS2NC?1|g!m#50e zTJV8%;%07JNBN)Wxm2lm$y=kLwmpRENvnt!=-aBM2;J!`r~8K^uS{n< zc#c2^jOX%1!g`hTW~Fsic;wg3kSq9%u1(5mIbxys#B1MQ_0!|CC0M&Lx9>)<7Ayp_ z^RO<}$a9nPu<6&&GpWcs%`ewe7UQDM$PFJJ0KA||xIXPlWR=I8OQVJsglJLrSV6%F z+m%>V{gM;u`4sq?lT-B@NG3l#e}n;iC8Hg@9(~%7mpv8LEf-UAo$mciI~!pR9XpB( zj=~+t#?9eU$;;uFknH;-Q}`~7*yHY1LpOX-8q`m(JT?|Oi2v(-Zu)KVSi!N{*G?mV z*MpF8B$+jQmP^V*FiB$ zgs$|_aH{q>+hm*_{dMVX?1#6H2lL1}lseO@9YM7| z!z|4o34Wzk5A0L?T}0OGUr5!;i3fGn3m{|xar+54BOg^)sU|U)!2L*eZm-cT(-Y<6f=(P#`c&4B3n0Xg% zDFERVbhaP}C{)wQ)e^=UmTR(CqsA7dQ3(xAEF~WK&R%DG*7IheeDK3NSOC#h7(A3! 
z5ktzR-c1Buh}pW0@5^Q~;~w?PR|3uoqW zJ7vNJ6JPc55uA^Z+swOM!Uq7X0bRa$=rdxcZ3(Gc`ky6t@TuhH7PCYPZ7#nXM41yL zJfLT2eO>U0?kBFu8EZ1{yB*#nHodhgEX!VPo9OTiCQB(o+HPg*-n%iS#Jd`$K$Nhr zwfl_^6#c}4mYTBpEB&kGZ{v7bDX1^vh3RUX8!)?_)Ni6Pn4LMECo8YE(2xVgo|mc2 zWMnfaR%-)Ufx7SB;l3l)X634jAl?LV4%d>1G-Ak7A4b_ZD?O+I8=(3f6y4$S&xmMy znU~V#wLh{4n@K7AaB(egyd2I(P4u5L(dr&ZGE(BmQNUVi#}H60hA3e#1kwbY`s*^h za$~t?EBiDBG9Fq8g_{^~dCv{iD0pr*Gftb~+sdlScrph%JiPzGM0qGd%JS?)3u7`j zB#2x5`%jVKH}&-p#NwlR$xZ(Qn9r0MQHFF!p29n&rSM6-`Pw=3uTQecs^-Ae3#0w-QoS%J zNkp1Qu&|^P_YYFTQ#Rjc{H{qlfSBOtTH-*PNNEzWQkA*DewvYVllSQhN@ETweXEKi zu*;VDf&_8(2OZUkWYOQHVIf`+evW$Ix0Zk^`r53|s;LUu&CxK{`(~l+itjTYooNFS z^(j8g@ck&CGY3K`xnF^vTH1(*%cJU#DBF?^3p zs@7Ba`t6)`Wc^+vU@J941P4&R552&(-oQQ*wQm&#Zk_)@w^VQqvng-L6WC1!;wkzh zin7O_b>ESVH#z+Zx!}rj-0(%F%FS#6W{_kP$WE?1IiziN19V~y6``O-fJaOr3%5Zs zfhUmRp8iNKdr7rKtdM-it9vjx?ZfB;L<%%R4WT-@(%A|s^|MN}7r!)lh*K*^E!~IM zJxr+6By^q?ZlQ7#+e5w>IjMf@@C$Z7;T#cO@yw)6^*gE9=*WJM&hEUO5|~oB_Sw#a zIJT@U!c)I=hIXTQ4m+B(O6kq&FVJj-;(+NZpamh~2y?)## zw#l?Qvy!^dYJNakD1drWJ%j(j$_E4%GZuAdi_<=F!(TK<;u|;LS@F<W z@Ls-D@Kr3UfLYxYoh>2s$oX+#&GV4wrl&(eq|+YWz+t-V8}=1{)8p@_ss_aRI5PHb zR!y3t*VeS*wco&k6lhq#4->D&w~lk1bs*Eu`%*Z}7ct5SYTvYAUH4u?^CW;s-H%)} zS7a&(-n2s8KI=%DU&gEZW3Ix38YUiw5AhBT9%rswFxRdwNlylDd?repb^3Y)UDgvt zoT|8PR*(H!3O!n`oNlL0kA2T}IxpUkA~tP^BGzudft!ZL+YnEt&n&n8^pR_(S1X%= zXr0cNPwV7|t0g+AULW*tQ@bg{sZs)tige4I8XR(-GfL`(}DE>C7`@%{E$P4%Qi z9RNN|`ziP2#W7ENbL&3uwyL`MfV$23U$zMKFi0DsGdsI-Ppf{AYS8fk32;X2{JqO< zdJT?1DmKbyoQNaks6Af6>XxTNq>wxJboZSDNN0JY$HkutH{3w;U@}-rc-BRLezG7AU-_fO_B_s}8xoWjAb{I(xn&s<9~e3nZKwhHyJ}Y0}m@P zaD;7sZblOc;tz@P{?$SO3LG0jM%Y9IND4}EJL2^hyvkm6E1}Unz~WQHR!x>0YHMwn zVraw&?kdeDCCaJZSKzb#Z7+(o&pg_!R~Uumq~ny5@W;F?MjtbhaVf$Jjj2M=7b+x2 z1RF@`?M@l<%6^rjnLwQZWmkzR1vlxLPj7A4iE9mRFvq>Omn*r;Tp1x6n?oRATe$W4}^t}#8g$egGMCwpB#+Z}NEGd-s4zK$)CM|{xD-8!%# zho8OjHL)lpgxIUP|(Nl&#P6-s`Dqo~fu$k}LA5$#UnOcrW*XK@AcNb8CwpQhT z)>7cK8_MN&|1K`0yehno5v;51{6|(ML)euCK)D^#&U06+Kcs;1Wr?BU<9JGkT3Oew 
zTh^wn^^?{+n9V{##%iVp#j=)j;HOI1yCIG_oA@^^9MybSF{6orDdeH8{EU=^8zV1i zDsb7>k_AL%H^c?}t6E;6485(^G#UyIFM>_@veS%(UY0z@C?Ws#(36U66g;1Y1hBx55inK~W%RT3t&f5c`97-UrO3gx-V zZJuZB!t33Yg5E^cIn+tAC&iEIrhrU;ALz#5$uZEj%GL({b=M>JPwILzM!;Q7a#o_7 zSPCoGvp&d~vr1#9NSbCD)7dA|q>#r|h@$QPp6}f@!!;4CWKdP_ZzqBKv~6%J6)X6( zz`5mbztaVRQYRcm7#uI58uDXfN8RAq^yS&r+kF&bKP0^@e|46D%R6giSFFkxPvDIA zvgYyKsmfwNiMJ4cw_5G@;zBLT93RQ36X+PaJsU&J%V#weXALaeD1#DqN$kaCX|w?% zJB?yB61Awp1858rU8~yhu=*;O=mYh)HG#?krL?n(;a15j--73D@>ofBti=26u?N^_ zU!QvO>FKR^-;>QZ)%*&%;;M9vUw^6k@u`7*%I^Mm154X>v^}!Wj?_e#>EVqj+|9j~ z-oJT_^ToWSdnvQ)NXA89*0hMMJ_^i~Zg{)`B$--IjFmhY5jQ}dYmMj2e(LQCpT((UXM{bj|aN<$>iYu?g~7g-AjS$F>a}nnmT~5o&HJI z@%6xA>q7qns2KAVe7XgYJAM2?H)NR;5^P(#?)y22>1MC<=D26A>85bU=r*^F=GL+m z7cof*Sy!rr%b722@>G^*1Aie_e(Wc<(Bezkb&{^Hm`*i`yLLcDIx7fX0THWDHB}1i zdIZhw*pm@mvG!Gc+=@)@v;sGel&2!$fq!Osj(=UpdH7t3Ugp?JwbwojZnH|B&kP7J z7U_Gt!I%tv3w-uDGaX!)F(7a(F%q96xz1ygn;86Kh*2`&Wa(Q}VpF0zbnh!2*s{<2 zhPDC7bsOz-19(6z>jF3{>^^s}!mmz1`|ZiQsL0k0aRpQ0iSIZ2Ih(JvXNAg~H&w>9 zBFlgC!_*8seU#RA`ggz`7Cg{X;w1;$?Bkgv4>}!{U^*F?nj~ZEf zL)LVYWAlMpg1!WD-FRztZucQ&!oZOUWVjnR#%(ZDY#lH3ef=6K1V^lAjv<-J;mD&w z)4$*#LBNpUN6)l8b*aS9x0n(g%>Fty9bO)Ap1ScW@h?( zi$P9wrIW-?YoPw;3N(~A73GVX45nS9=Ju}wy=?KcWaWq}7ZW5nwevix&DpT0zXD*I zPfz>fMp45&QuoIWNb&MMtcEEc>5aTC?be`na zvXm31M5}=}X0CN>5b|Y>_xuC6y!(dZmf{BYNMUXf<~JE4w!(w2QR$+0j@ZSg1RS)g z!qI-es;OTn3RZk(o&yw1n^u4BjJK!}G+{JHC%COoYGEs!JfcJ0Vi56y%UXE9ZpNxy>>zM-UIIaUIhM&5r@jH*4} zY#|JLvC-NNqkZ9eUa~>#+22Z+Wzy)~K&!!MVko=3qBUi@rkNg7{k!nQ2!c0ov!5-O zdwJK|%Au8mABulQTc+!F&(#~A@JoE(8sUzfEnzW%h+~OZv&G)ek0Z4Kh3!&CmB^b= zB*Tdm(y&VRA{1#}ah2iT!biC+&LK*n?k_65jkmQsPeSvY%g94;@Z)6rQoZu?S?si> zw~VV1T#SxznqY{(7KU%YECyQJT9`qx zgT96+ z=`q&yYE!!q@|H)~G1!Z+oQ2m9x&8R8Mlr-zKcF#863!b|n!o&lFP#Rj14GzG#3jcN zNJOT2`oiFUCc@m6PUayvoR6IZ871rKPx_`~WC!h2tJ=23zMy}BP$(2t+`z(?11}?Y zJqwTZN7>SXWwd@p;(8F|WD`xJ?MQkI2tbab>F&mCPo&NYR-53g z=fq!q?;{&t`S~Rp9gh?_&5?snr>m~fq#v5h>Z+vtrddWez{r@)3PZnZW#>H~NEPzY z;AX{Xop?a+@6~dXlHTpC=c(Smjq_bxq5Zaf6{cniS~~KScszjMRrMh65`s+c 
zhu9&YqYgv5>nm0|e8|0Ji-+*-$c4w!dguM&p|(YnVg8Xr+R3j?pPZJ*bh_NDUq?s} zMAO5$TwpHPaE-eesB_f8BU!uO9O1JwL+$9MSy4v=sL2IiZ{4<&7gk7lo*OgXRN+_N zj{b!4blg122k$$OUaNP%FS6=xMtEZIp|IvDrZXH?+B#UwUG{iu@p(ld59rjS5E*X| zqCe_9h;xws3qOf#`r^@o2cNEmNisf$AD6UAEp>5fvftPG)vo6_-|yRv>&**O<+yfO za1@@24-AyN;~;f&A+qk$pKSWrt0)kn9&()1nOD=W7oU2QLXDw`7Nw|JuoI??vCGeB6Z7}zL4Tn>2 z*OQzHj*XiTbmLH9_g5ez+uhd0rS#(%{69O4-0q&3(O|Dk_1hz}iLPb8?RI9j_ji`^rB$rDNI!AOa>0Cz3D_4@##Y4G#z}((O~nY|#9~XWLkXOB3YKrPFKg61dD-&ayH# z!O1|CennANiyKZYPpx?2JvP-}K4PB8QfS_IIKehKva2-Y=_Q+WrPRODub~h`*{rI` zM?pzTb;7TQK532#q0ITjG1%(JXIztotyr;jO3O^AJ4wOL+BzNZKK?_ke^oj^kF8Pq zrg9lUQE?=$Ac6xqV(V}6gG9WpT$5YA!^?9zGh_%opn+zg(y}i)nrhGNPrP3WTd*-O z5Ly_COMbrRJ56;xBb$igW^_gy%r)%A92O|Vb&@Zn-EbbH`Khfb9qk|O{l+hQDeFNZel8Md(i>PJM{-g z{&hA~cgE#MJLJ6#Wu^Yxc;4YaZqI@K@03kKGNC2B)OgvA&}&93OG;l>2JMy?ti}0N z&{us5v_dghbd|C9%>+F5sC_b|^=VpLlbczxm~pl;{G&GV-)+R!unal+d+roHM}G(! z2P8R12(zTjh=k@He*0o3-x$^M;dpG;`iFS{PE#! zE82y99@-!o>n(-1BaJ;M6L~fP39NV3JK~m|5qWcj&$f5yh3NA73QTUoyo#o>)0s11 zZbQcj-s2RbDN3f#-X>@V#E&~^>xQESEGJj5{aI;WFUcRD28{(yGn;P<>Ram6r)K_O z7iFE(%mpeXx_sUV?IMZ)4Z`KiPP*{^aZ(fCWu2gHd*DE@jiE7LCA`vVKD?S9)$6OS z9pN^rr-YK=WT*e!%&t)K2fxt1a|N%?639q#v(ciDgIygis69uiBxLArJg79Y(cBmC z60(9@JBC&AF=T_NaNti@%kq?)~zigF*Sp zp(PgM!1uO`g4or^u*A?@CI0{zqXo(3mTc~k>Vt`RstyO0Di$Y;xPhleMwDJ!ENcf1 zcTK}@qsY*p0yVtp{z@@dE9^hB1ciB)-V+z6x(#%tS6bUD?;|f%MXEMPn-=AZME{Jk zOES|3yrg-4UF6+_YWSx}q}!j3$-c?h{9EkEi#kF z49Q``3A~iCd-IbgdS?1SQ8Hd)CYg7Dr!cg6p%!f_20V6QOslM#X)Ip+xHn7UT&#f{ zoj@p_qBr}p!-}-u6`Q#5C$>L`p4{s1hvS!&vFveg9e(f$UKrzT$ZxQv_dAq|uz9%P z>==r!|DP%F&q2nhH~+8W(Qz1zn&Mkygu?5Fit_LKN8lfUe+2#!_($L$fqw-45%@>o cAAx@a{t@^`;2(j11pX2DN8lfU|NjX52O033U;qFB literal 0 HcmV?d00001 diff --git a/SecurityTests/si-87-sectrust-name-constraints/expects.plist b/SecurityTests/si-87-sectrust-name-constraints/expects.plist new file mode 100644 index 00000000..e0cee796 --- /dev/null +++ b/SecurityTests/si-87-sectrust-name-constraints/expects.plist 
@@ -0,0 +1,92437 @@ + + + + + expects + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 4 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 5 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 6 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 7 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 8 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 9 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 10 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 11 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 12 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 13 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 14 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 15 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 16 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 17 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 18 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 19 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 20 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 21 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 22 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 23 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 24 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 25 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 26 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 27 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 28 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 29 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 30 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 31 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 32 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 33 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 34 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 35 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 36 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 37 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 38 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 39 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 40 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 41 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 42 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 43 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 44 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 45 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 46 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 47 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 48 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 49 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 50 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 51 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 52 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 53 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 54 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 55 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 56 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 57 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 58 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 59 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 60 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 61 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 62 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 63 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 64 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 65 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 66 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 67 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 68 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 69 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 70 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 71 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 72 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 73 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 74 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 75 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 76 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 77 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 78 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 79 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 80 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 81 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 82 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 83 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 84 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 85 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 86 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 87 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 88 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 89 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 90 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 91 + ip + + descriptions + + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 92 + ip + + descriptions + + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. 
+ + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 93 + ip + + descriptions + + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 94 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 95 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 96 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 97 + ip + + descriptions + + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 98 + ip + + descriptions + + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. 
+ + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 99 + ip + + descriptions + + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 100 + ip + + descriptions + + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 101 + ip + + descriptions + + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 102 + ip + + descriptions + + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 103 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 104 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 105 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 106 + ip + + descriptions + + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 107 + ip + + descriptions + + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 108 + ip + + descriptions + + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 109 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 110 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 111 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 112 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 113 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 114 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 115 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 116 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 117 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 118 + ip + + descriptions + + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 119 + ip + + descriptions + + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 120 + ip + + descriptions + + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 121 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 122 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 123 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 124 + ip + + descriptions + + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 125 + ip + + descriptions + + There is a DNS name constraint but no DNS name in the certificate. 
This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 126 + ip + + descriptions + + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 127 + ip + + descriptions + + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 128 + ip + + descriptions + + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 129 + ip + + descriptions + + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 130 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 131 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 132 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 133 + ip + + descriptions + + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 134 + ip + + descriptions + + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 135 + ip + + descriptions + + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 136 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 137 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 138 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 139 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 140 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 141 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 142 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 143 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 144 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 145 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 146 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 147 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 148 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 149 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 150 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 151 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 152 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 153 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 154 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 155 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 156 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 157 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 158 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 159 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 160 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 161 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 162 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 163 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 164 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 165 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 166 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 167 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 168 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 169 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 170 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 171 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 172 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 173 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 174 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 175 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 176 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 177 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 178 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 179 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 180 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 181 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 182 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 183 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 184 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 185 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 186 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 187 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 188 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 189 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 190 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 191 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 192 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 193 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 194 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 195 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 196 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 197 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 198 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 199 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 200 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 201 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 202 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 203 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 204 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 205 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 206 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 207 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 208 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 209 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 210 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 211 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 212 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 213 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 214 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 215 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 216 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 217 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 218 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 219 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 220 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 221 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 222 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 223 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 224 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 225 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 226 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 227 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 228 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 229 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 230 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 231 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 232 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 233 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 234 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 235 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 236 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 237 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 238 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 239 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 240 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 241 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 242 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 243 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 244 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 245 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 246 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 247 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 248 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 249 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 250 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 251 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 252 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 253 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 254 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 255 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 256 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 257 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 258 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 259 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 260 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 261 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 262 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 263 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 264 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 265 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 266 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 267 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 268 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 269 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 270 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 271 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 272 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 273 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 274 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 275 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 276 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 277 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 278 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 279 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 280 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 281 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 282 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 283 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 284 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 285 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 286 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 287 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 288 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 289 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 290 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 291 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 292 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 293 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 294 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 295 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 296 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 297 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 298 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 299 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 300 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 301 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 302 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 303 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 304 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 305 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 306 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 307 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 308 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 309 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 310 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 311 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 312 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 313 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 314 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 315 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 316 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 317 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 318 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 319 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 320 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 321 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 322 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 323 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 324 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 325 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 326 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 327 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 328 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 329 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 330 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 331 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 332 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 333 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 334 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 335 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 336 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 337 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 338 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 339 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 340 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 341 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 342 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 343 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 344 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 345 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 346 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 347 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 348 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 349 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 350 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 351 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 352 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 353 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 354 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 355 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 356 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 357 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 358 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 359 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 360 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 361 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 362 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 363 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 364 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 365 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 366 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 367 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 368 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 369 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 370 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 371 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 372 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 373 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 374 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 375 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 376 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 377 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 378 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 379 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 380 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 381 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 382 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 383 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 384 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 385 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 386 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 387 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 388 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 389 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 390 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 391 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 392 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 393 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 394 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 395 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 396 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 397 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 398 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 399 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 400 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 401 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 402 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 403 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 404 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 405 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 406 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 407 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 408 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 409 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 410 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 411 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 412 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 413 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 414 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 415 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 416 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 417 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 418 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 419 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 420 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 421 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 422 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 423 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 424 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 425 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 426 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 427 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 428 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 429 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 430 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 431 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 432 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 433 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 434 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 435 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 436 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 437 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 438 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 439 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 440 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 441 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 442 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 443 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 444 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 445 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 446 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 447 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 448 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 449 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 450 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 451 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 452 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 453 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 454 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 455 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 456 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 457 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 458 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 459 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 460 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 461 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 462 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 463 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 464 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 465 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 466 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 467 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 468 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 469 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 470 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 471 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 472 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 473 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 474 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 475 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 476 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 477 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 478 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 479 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 480 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 481 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 482 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 483 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 484 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 485 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 486 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 487 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 488 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 489 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 490 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 491 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 492 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 493 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 494 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 495 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 496 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 497 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 498 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 499 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 500 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 501 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 502 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 503 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 504 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 505 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 506 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 507 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 508 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 509 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 510 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 511 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 512 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 513 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 514 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 515 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 516 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 517 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 518 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 519 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 520 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 521 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 522 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 523 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 524 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 525 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 526 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 527 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 528 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 529 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 530 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 531 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 532 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 533 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 534 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 535 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 536 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 537 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 538 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 539 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 540 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 541 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 542 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 543 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 544 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 545 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 546 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 547 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 548 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 549 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 550 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 551 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 552 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 553 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 554 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 555 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 556 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 557 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 558 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 559 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 560 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 561 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 562 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 563 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 564 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 565 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 566 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 567 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 568 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 569 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 570 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 571 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 572 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 573 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 574 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 575 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 576 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 577 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 578 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 579 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 580 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 581 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 582 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 583 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 584 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 585 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 586 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 587 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 588 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 589 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 590 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 591 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 592 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 593 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 594 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 595 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 596 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 597 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 598 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 599 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 600 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 601 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 602 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 603 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 604 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 605 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 606 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 607 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 608 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 609 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 610 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 611 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 612 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 613 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 614 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 615 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 616 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 617 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 618 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 619 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 620 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 621 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 622 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 623 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 624 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 625 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 626 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 627 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 628 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 629 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 630 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 631 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 632 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 633 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 634 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 635 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 636 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 637 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 638 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 639 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 640 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 641 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 642 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 643 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 644 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 645 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 646 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 647 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 648 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 649 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 650 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 651 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 652 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 653 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 654 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 655 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 656 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 657 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 658 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 659 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 660 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 661 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 662 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 663 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 664 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 665 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 666 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 667 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 668 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 669 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 670 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 671 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 672 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 673 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 674 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 675 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 676 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 677 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 678 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 679 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 680 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 681 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 682 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 683 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 684 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 685 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 686 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 687 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 688 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 689 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 690 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 691 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 692 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 693 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 694 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 695 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 696 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 697 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 698 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 699 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 700 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 701 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 702 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 703 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 704 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 705 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 706 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 707 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 708 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 709 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 710 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 711 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 712 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 713 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 714 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 715 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 716 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 717 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 718 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 719 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 720 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 721 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 722 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 723 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 724 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 725 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 726 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 727 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 728 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 729 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + + expect + WEAK-OK + + id + 730 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 731 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + + expect + WEAK-OK + + id + 732 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + + expect + WEAK-OK + + id + 733 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 734 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + + expect + WEAK-OK + + id + 735 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + + expect + WEAK-OK + + id + 736 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 737 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + + expect + WEAK-OK + + id + 738 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + + expect + WEAK-OK + + id + 739 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 740 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + + expect + WEAK-OK + + id + 741 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + + expect + WEAK-OK + + id + 742 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 743 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + + expect + WEAK-OK + + id + 744 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + + expect + WEAK-OK + + id + 745 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 746 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + + expect + WEAK-OK + + id + 747 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 748 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 749 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 750 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 751 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 752 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 753 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 754 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 755 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 756 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 757 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 758 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 759 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. 
+ There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 760 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 761 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 762 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 763 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 764 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. 
Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 765 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 766 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 767 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 768 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. 
+ There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 769 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 770 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 771 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 772 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 773 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. 
Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 774 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 775 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 776 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 777 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 778 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 779 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 780 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 781 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 782 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 783 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 784 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 785 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. 
+ + expect + WEAK-OK + + id + 786 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 787 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 788 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 789 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 790 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 791 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 792 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 793 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 794 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. 
+ + expect + WEAK-OK + + id + 795 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 796 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 797 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 798 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 799 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 800 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 801 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 802 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 803 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 804 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 805 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 806 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 807 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 808 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 809 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 810 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 811 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. 
Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 812 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 813 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 814 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 815 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 816 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. 
+ + expect + WEAK-OK + + id + 817 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 818 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 819 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 820 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 821 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 822 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. 
+ + expect + WEAK-OK + + id + 823 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 824 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 825 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. 
+ The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 826 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 827 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 828 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. 
+ The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 829 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 830 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. 
+ + expect + WEAK-OK + + id + 831 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 832 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. 
+ + expect + WEAK-OK + + id + 833 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 834 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 835 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. 
Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 836 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 837 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 838 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 839 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 840 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. 
+ + expect + WEAK-OK + + id + 841 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 842 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 843 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. 
+ The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 844 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 845 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 846 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. 
Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 847 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 848 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 849 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. 
+ The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 850 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 851 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 852 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. 
Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 853 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 854 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 855 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. 
Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 856 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 857 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. 
+ + expect + WEAK-OK + + id + 858 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 859 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. 
+ + expect + WEAK-OK + + id + 860 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 861 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 862 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. 
Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 863 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 864 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. 
Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 865 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 866 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 867 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 868 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 869 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. 
+ + expect + WEAK-OK + + id + 870 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 871 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 872 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. 
Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 873 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 874 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. 
+ + expect + WEAK-OK + + id + 875 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 876 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 877 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. 
Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 878 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 879 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 880 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 881 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 882 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. 
Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 883 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 884 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. 
Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 885 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 886 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 887 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 888 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 889 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. 
Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 890 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 891 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 892 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 893 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 894 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 895 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 896 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 897 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 898 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 899 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 900 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 901 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 902 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 903 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 904 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 905 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 906 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 907 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 908 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 909 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 910 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 911 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 912 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. 
+ + expect + WEAK-OK + + id + 913 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 914 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 915 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. 
+ The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 916 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 917 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 918 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 919 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 920 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. 
Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 921 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 922 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. 
Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 923 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 924 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 925 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 926 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 927 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. 
Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 928 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 929 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. 
Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 930 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 931 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 932 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 933 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 934 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 935 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 936 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. 
+ The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 937 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 938 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. 
Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 939 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 940 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. 
+ + expect + WEAK-OK + + id + 941 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 942 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 943 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 944 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 945 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 946 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 947 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. 
Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 948 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 949 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. 
Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 950 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 951 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 952 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 953 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 954 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. 
Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 955 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 956 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. 
Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 957 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 958 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 959 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 960 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 961 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 962 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 963 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. 
+ The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 964 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 965 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. 
Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 966 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 967 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. 
+ + expect + WEAK-OK + + id + 968 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 969 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 970 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 971 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 972 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 973 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 974 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 975 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 976 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 977 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 978 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 979 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 980 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 981 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 982 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 983 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 984 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 985 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 986 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 987 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 988 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 989 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 990 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 991 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 992 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 993 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 994 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 995 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 996 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 997 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 998 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 999 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1000 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1001 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1002 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1003 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1004 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1005 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1006 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1007 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1008 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1009 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1010 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1011 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1012 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1013 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1014 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. 
+ + expect + WEAK-OK + + id + 1015 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1016 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1017 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1018 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1019 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1020 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1021 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1022 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1023 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1024 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1025 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1026 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1027 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1028 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1029 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1030 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1031 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1032 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1033 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1034 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1035 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1036 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1037 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1038 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1039 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1040 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1041 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. 
This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1042 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1043 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1044 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1045 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1046 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1047 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1048 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1049 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1050 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1051 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1052 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1053 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1054 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1055 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1056 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1057 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1058 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1059 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1060 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1061 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1062 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1063 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1064 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1065 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 1066 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1067 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1068 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1069 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1070 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1071 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1072 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1073 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1074 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1075 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1076 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1077 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1078 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1079 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1080 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1081 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1082 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1083 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1084 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1085 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1086 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1087 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1088 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1089 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1090 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1091 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1092 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1093 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1094 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 1095 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1096 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1097 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1098 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1099 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1100 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1101 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1102 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1103 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1104 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1105 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1106 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1107 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1108 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1109 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1110 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 1111 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1112 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1113 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1114 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1115 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1116 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1117 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1118 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1119 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1120 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1121 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 1122 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1123 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1124 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1125 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1126 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1127 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1128 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1129 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1130 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1131 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1132 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1133 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1134 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1135 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1136 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1137 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1138 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1139 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1140 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1141 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1142 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1143 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1144 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1145 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1146 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1147 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1148 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1149 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1150 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1151 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1152 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1153 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1154 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1155 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1156 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1157 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1158 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1159 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1160 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1161 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1162 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1163 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1164 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1165 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1166 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1167 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1168 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1169 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1170 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1171 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1172 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1173 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 1174 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1175 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1176 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1177 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1178 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1179 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1180 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1181 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1182 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1183 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1184 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1185 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1186 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1187 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1188 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1189 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1190 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1191 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1192 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1193 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1194 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1195 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1196 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 1197 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1198 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1199 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1200 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1201 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1202 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1203 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1204 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1205 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1206 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1207 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1208 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1209 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1210 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1211 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1212 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1213 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1214 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1215 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1216 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1217 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1218 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1219 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1220 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1221 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1222 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1223 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1224 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1225 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1226 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1227 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1228 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1229 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1230 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1231 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1232 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1233 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1234 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1235 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1236 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1237 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1238 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1239 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1240 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1241 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1242 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1243 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1244 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1245 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1246 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. 
+ The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1247 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1248 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. 
+ + expect + WEAK-OK + + id + 1249 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1250 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1251 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1252 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1253 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1254 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1255 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1256 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1257 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1258 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1259 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1260 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1261 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1262 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1263 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1264 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1265 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1266 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1267 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1268 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1269 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1270 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1271 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. 
Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1272 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1273 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. 
+ There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1274 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1275 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1276 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1277 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 1278 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1279 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1280 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1281 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1282 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1283 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1284 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1285 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1286 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1287 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1288 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1289 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1290 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1291 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1292 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1293 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1294 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1295 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1296 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. 
+ The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1297 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1298 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1299 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. 
Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1300 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1301 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. 
+ + expect + WEAK-OK + + id + 1302 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1303 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1304 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. 
+ + expect + WEAK-OK + + id + 1305 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1306 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1307 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1308 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1309 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1310 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1311 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1312 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1313 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1314 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1315 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1316 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1317 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1318 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1319 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1320 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1321 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1322 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1323 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1324 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. 
Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1325 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1326 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1327 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1328 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1329 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. 
+ + expect + WEAK-OK + + id + 1330 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1331 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1332 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1333 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1334 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1335 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1336 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1337 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1338 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1339 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1340 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1341 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1342 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1343 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1344 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1345 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1346 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1347 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1348 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1349 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1350 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1351 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. 
+ + expect + WEAK-OK + + id + 1352 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1353 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1354 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. 
Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1355 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1356 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1357 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1358 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1359 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1360 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1361 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1362 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1363 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1364 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1365 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1366 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1367 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1368 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1369 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1370 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1371 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1372 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1373 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1374 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1375 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1376 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1377 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. 
Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1378 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1379 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1380 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. 
+ + expect + WEAK-OK + + id + 1381 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1382 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1383 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. 
+ + expect + WEAK-OK + + id + 1384 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1385 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1386 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1387 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1388 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1389 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1390 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1391 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1392 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1393 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1394 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1395 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1396 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1397 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1398 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1399 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1400 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1401 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1402 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1403 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1404 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. 
Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1405 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1406 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. 
Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1407 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1408 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1409 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1410 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1411 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1412 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1413 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1414 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1415 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1416 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1417 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1418 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1419 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1420 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1421 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1422 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1423 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1424 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1425 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1426 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1427 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1428 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1429 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1430 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1431 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1432 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. 
Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1433 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1434 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. 
+ + expect + WEAK-OK + + id + 1435 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1436 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1437 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1438 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1439 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The DNS name for this certificate only exists in the common name. 
Some browsers (such as Chrome) have deprecated using the CN entirely and only use names from SAN extensions. + The DNS name for this certificate exists in the common name but not in the Subject Alternate Names extension even though the extension is specified. Most implementations will fail DNS-hostname validation on this certificate. + + expect + WEAK-OK + + id + 1440 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1441 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1442 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1443 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1444 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1445 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1446 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1447 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1448 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1449 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1450 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1451 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1452 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1453 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1454 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1455 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1456 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1457 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1458 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1459 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. 
+ + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1460 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1461 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1462 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1463 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1464 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1465 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1466 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1467 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1468 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1469 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1470 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. 
+ + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1471 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1472 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1473 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1474 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1475 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1476 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1477 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1478 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1479 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1480 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1481 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1482 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1483 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1484 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1485 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. 
+ There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1486 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1487 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1488 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1489 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1490 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1491 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1492 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1493 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1494 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1495 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1496 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. 
This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1497 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1498 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1499 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1500 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1501 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. 
+ + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1502 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1503 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1504 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1505 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. 
+ + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1506 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1507 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1508 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1509 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1510 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1511 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1512 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1513 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1514 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1515 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1516 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1517 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1518 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1519 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1520 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1521 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1522 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1523 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1524 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1525 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1526 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1527 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1528 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1529 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1530 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1531 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1532 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1533 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1534 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1535 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1536 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1537 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1538 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1539 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1540 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1541 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1542 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1543 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1544 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1545 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1546 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1547 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1548 + ip + + descriptions + + expect + OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1549 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1550 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1551 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1552 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1553 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1554 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1555 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1556 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1557 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. 
+ + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1558 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1559 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1560 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. 
+ + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1561 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1562 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1563 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1564 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1565 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1566 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1567 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1568 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1569 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1570 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1571 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1572 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1573 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1574 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1575 + ip + + descriptions + + expect + OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1576 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1577 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1578 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1579 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1580 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1581 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1582 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. 
+ + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1583 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1584 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1585 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. 
+ + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1586 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1587 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1588 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1589 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1590 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1591 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1592 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1593 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1594 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1595 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1596 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1597 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1598 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1599 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1600 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1601 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1602 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1603 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1604 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1605 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1606 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1607 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1608 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1609 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1610 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1611 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1612 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1613 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1614 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1615 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1616 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1617 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1618 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1619 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1620 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1621 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. 
+ + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1622 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1623 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1624 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1625 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1626 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1627 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1628 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1629 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1630 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. 
+ + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1631 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1632 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1633 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1634 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1635 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1636 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1637 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1638 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1639 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1640 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. 
+ There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1641 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1642 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1643 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1644 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1645 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1646 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1647 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + There is a DNS name constraint but no DNS name in the certificate. 
This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1648 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1649 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1650 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1651 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1652 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1653 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1654 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1655 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1656 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1657 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1658 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1659 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1660 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1661 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1662 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1663 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1664 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1665 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1666 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1667 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1668 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1669 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1670 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1671 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1672 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1673 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1674 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1675 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1676 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1677 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1678 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1679 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1680 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1681 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1682 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1683 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1684 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1685 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1686 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1687 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1688 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1689 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1690 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1691 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1692 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1693 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1694 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1695 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1696 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1697 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1698 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1699 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1700 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1701 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1702 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1703 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1704 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1705 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1706 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1707 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1708 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1709 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1710 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 1711 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. 
+ + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1712 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 1713 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1714 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1715 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1716 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 1717 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. 
+ + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1718 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 1719 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1720 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1721 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1722 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1723 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1724 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1725 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1726 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1727 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1728 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1729 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1730 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1731 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1732 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1733 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1734 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1735 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1736 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1737 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 1738 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1739 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ + dns + + descriptions + + expect + WEAK-OK + + id + 1740 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1741 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1742 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1743 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 1744 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1745 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ + dns + + descriptions + + expect + WEAK-OK + + id + 1746 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1747 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1748 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1749 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1750 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1751 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1752 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1753 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1754 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1755 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1756 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1757 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1758 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1759 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1760 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1761 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1762 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. 
+ + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1763 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1764 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1765 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1766 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1767 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 1768 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1769 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1770 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1771 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1772 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1773 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1774 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1775 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1776 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1777 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1778 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1779 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1780 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1781 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. 
+ + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1782 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1783 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1784 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1785 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1786 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1787 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1788 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1789 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1790 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1791 + ip + + descriptions + + expect + OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 1792 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1793 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 1794 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1795 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1796 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 1797 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 1798 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1799 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 1800 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1801 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1802 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1803 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1804 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1805 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1806 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1807 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1808 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1809 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1810 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1811 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1812 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1813 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1814 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1815 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1816 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1817 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1818 + ip + + descriptions + + expect + OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 1819 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1820 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 1821 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 1822 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1823 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1824 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 1825 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1826 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 1827 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1828 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1829 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1830 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1831 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1832 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1833 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1834 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1835 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1836 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1837 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1838 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 1839 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1840 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1841 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1842 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1843 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1844 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1845 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1846 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1847 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1848 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1849 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1850 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1851 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1852 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1853 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1854 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1855 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1856 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1857 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1858 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1859 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1860 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1861 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1862 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1863 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1864 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1865 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1866 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1867 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1868 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1869 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1870 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1871 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 1872 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 1873 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1874 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 1875 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1876 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1877 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1878 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 1879 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1880 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 1881 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1882 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1883 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1884 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1885 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1886 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1887 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1888 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1889 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1890 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1891 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1892 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1893 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1894 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1895 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1896 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1897 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1898 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 1899 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1900 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1901 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1902 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1903 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1904 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1905 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1906 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1907 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1908 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1909 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1910 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1911 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1912 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1913 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1914 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1915 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1916 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 1917 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1918 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1919 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1920 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1921 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1922 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1923 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1924 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1925 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1926 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1927 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1928 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1929 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 1930 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1931 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1932 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1933 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1934 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 1935 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1936 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1937 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1938 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1939 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1940 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1941 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1942 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1943 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 1944 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1945 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1946 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. 
+ + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1947 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1948 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1949 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1950 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1951 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1952 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1953 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1954 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1955 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1956 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1957 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1958 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1959 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1960 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1961 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1962 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1963 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1964 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1965 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1966 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1967 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1968 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. 
+ + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1969 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1970 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1971 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. 
+ + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1972 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1973 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1974 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1975 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1976 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1977 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1978 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1979 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1980 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1981 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1982 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1983 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 1984 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1985 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1986 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. 
+ + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1987 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1988 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1989 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. 
+ + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1990 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1991 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1992 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. 
+ + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1993 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1994 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1995 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1996 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1997 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1998 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 1999 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2000 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2001 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2002 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2003 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2004 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2005 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2006 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2007 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2008 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2009 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2010 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2011 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2012 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2013 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2014 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2015 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2016 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2017 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2018 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2019 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2020 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2021 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2022 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2023 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2024 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2025 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2026 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2027 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2028 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2029 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2030 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2031 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2032 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2033 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2034 + ip + + descriptions + + expect + OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2035 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2036 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2037 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2038 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2039 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2040 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2041 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2042 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2043 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2044 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2045 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2046 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2047 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2048 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2049 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2050 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2051 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2052 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2053 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2054 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2055 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2056 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2057 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2058 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2059 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2060 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2061 + ip + + descriptions + + expect + OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2062 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2063 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2064 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2065 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2066 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2067 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2068 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2069 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2070 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2071 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2072 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2073 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2074 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2075 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2076 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2077 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2078 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2079 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2080 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2081 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2082 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2083 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2084 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2085 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2086 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2087 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2088 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2089 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2090 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2091 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2092 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2093 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2094 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2095 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2096 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2097 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2098 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2099 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2100 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2101 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2102 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2103 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2104 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2105 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2106 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2107 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2108 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2109 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2110 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2111 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2112 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2113 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2114 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2115 + ip + + descriptions + + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2116 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2117 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2118 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2119 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2120 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2121 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2122 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2123 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2124 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2125 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2126 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2127 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2128 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2129 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2130 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2131 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2132 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2133 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + The IP is only contained in the CN of this certificate, which isn't permitted by RFC but which many implementations support. + + expect + WEAK-OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2134 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2135 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2136 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2137 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2138 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2139 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2140 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2141 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2142 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2143 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2144 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2145 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2146 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2147 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2148 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2149 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2150 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2151 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2152 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2153 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2154 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2155 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2156 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2157 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2158 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2159 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2160 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2161 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2162 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2163 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2164 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2165 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2166 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2167 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2168 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2169 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2170 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2171 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2172 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2173 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2174 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2175 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2176 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2177 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2178 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2179 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2180 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2181 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2182 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2183 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2184 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2185 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2186 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2187 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2188 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2189 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2190 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2191 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2192 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2193 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2194 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2195 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2196 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2197 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2198 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2199 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2200 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2201 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2202 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2203 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2204 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2205 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2206 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2207 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2208 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2209 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2210 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2211 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2212 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2213 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2214 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2215 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2216 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2217 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2218 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2219 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2220 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2221 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2222 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2223 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2224 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2225 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2226 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2227 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2228 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2229 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2230 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2231 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2232 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2233 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2234 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2235 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2236 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2237 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2238 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2239 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2240 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2241 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2242 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2243 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2244 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2245 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2246 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2247 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2248 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2249 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2250 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2251 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2252 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2253 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2254 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2255 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2256 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2257 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2258 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2259 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2260 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2261 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2262 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2263 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2264 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2265 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2266 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2267 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2268 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2269 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2270 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2271 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2272 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2273 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2274 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2275 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2276 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2277 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2278 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2279 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2280 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2281 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2282 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2283 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2284 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2285 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2286 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2287 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2288 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2289 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2290 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2291 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2292 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2293 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2294 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2295 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2296 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2297 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2298 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2299 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2300 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2301 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2302 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2303 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2304 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2305 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2306 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2307 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2308 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2309 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2310 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2311 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2312 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2313 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2314 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2315 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2316 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2317 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2318 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2319 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2320 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2321 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2322 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2323 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2324 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2325 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2326 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2327 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2328 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2329 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2330 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2331 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2332 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2333 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2334 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2335 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2336 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2337 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2338 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2339 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2340 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2341 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2342 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2343 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2344 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2345 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2346 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2347 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2348 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2349 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2350 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2351 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2352 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2353 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2354 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2355 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2356 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2357 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2358 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2359 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2360 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2361 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2362 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2363 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2364 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2365 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2366 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2367 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2368 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2369 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2370 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2371 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2372 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2373 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2374 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2375 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2376 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2377 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2378 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2379 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2380 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2381 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2382 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2383 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2384 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2385 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2386 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2387 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2388 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2389 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2390 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2391 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2392 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2393 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2394 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2395 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2396 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2397 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2398 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2399 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2400 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2401 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2402 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2403 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2404 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2405 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2406 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2407 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2408 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2409 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2410 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2411 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2412 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2413 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2414 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2415 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2416 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2417 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2418 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2419 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2420 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2421 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2422 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2423 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2424 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2425 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2426 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2427 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2428 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2429 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2430 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 2431 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2432 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 2433 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 2434 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2435 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 2436 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 2437 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2438 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 2439 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + expect + WEAK-OK + + id + 2440 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2441 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + expect + WEAK-OK + + id + 2442 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ + dns + + descriptions + + expect + WEAK-OK + + id + 2443 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2444 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + expect + WEAK-OK + + id + 2445 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + expect + WEAK-OK + + id + 2446 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2447 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + expect + WEAK-OK + + id + 2448 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2449 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2450 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2451 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2452 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2453 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2454 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2455 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2456 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2457 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 2458 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2459 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 2460 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 2461 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2462 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 2463 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 2464 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2465 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 2466 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 2467 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2468 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 2469 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. 
This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 2470 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2471 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 2472 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 2473 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2474 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 2475 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2476 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2477 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2478 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2479 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2480 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2481 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2482 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2483 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2484 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 2485 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2486 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 2487 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 2488 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2489 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 2490 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 2491 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2492 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 2493 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 2494 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2495 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 2496 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 2497 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2498 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 2499 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. 
+ + expect + WEAK-OK + + id + 2500 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2501 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + There is a IP name constraint but no IP in the certificate. This isn't an explicit violation, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + id + 2502 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2503 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2504 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 2505 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2506 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2507 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2508 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2509 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 2510 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2511 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 2512 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2513 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 2514 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2515 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2516 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 2517 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 2518 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2519 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 2520 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + expect + WEAK-OK + + id + 2521 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2522 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + expect + WEAK-OK + + id + 2523 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2524 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2525 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2526 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + expect + WEAK-OK + + id + 2527 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2528 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + expect + WEAK-OK + + id + 2529 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2530 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2531 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2532 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2533 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2534 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2535 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2536 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2537 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 2538 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 2539 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2540 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 2541 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2542 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2543 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2544 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 2545 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 2546 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 2547 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + expect + WEAK-OK + + id + 2548 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2549 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + expect + WEAK-OK + + id + 2550 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 2551 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2552 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2553 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + expect + WEAK-OK + + id + 2554 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2555 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ + dns + + descriptions + + expect + WEAK-OK + + id + 2556 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2557 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2558 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2559 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 2560 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2561 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2562 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2563 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2564 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 2565 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2566 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2567 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2568 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2569 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2570 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 2571 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2572 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2573 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2574 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2575 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2576 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2577 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2578 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2579 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2580 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 2581 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2582 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2583 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2584 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2585 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 2586 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2587 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2588 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2589 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2590 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2591 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2592 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 2593 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2594 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 2595 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 2596 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2597 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 2598 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 2599 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2600 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 2601 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + expect + WEAK-OK + + id + 2602 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2603 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + expect + WEAK-OK + + id + 2604 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + expect + WEAK-OK + + id + 2605 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2606 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + expect + WEAK-OK + + id + 2607 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + expect + WEAK-OK + + id + 2608 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2609 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + expect + WEAK-OK + + id + 2610 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2611 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2612 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2613 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2614 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2615 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2616 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2617 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2618 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2619 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2620 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2621 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2622 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2623 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2624 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2625 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2626 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2627 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 2628 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2629 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2630 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2631 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 2632 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2633 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2634 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2635 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 2636 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2637 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2638 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2639 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2640 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2641 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2642 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2643 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2644 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2645 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2646 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2647 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2648 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2649 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2650 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2651 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2652 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2653 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2654 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 2655 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2656 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2657 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2658 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 2659 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2660 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2661 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2662 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 2663 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 2664 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2665 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2666 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2667 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2668 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2669 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2670 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2671 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2672 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 2673 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2674 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2675 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2676 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2677 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2678 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2679 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2680 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2681 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2682 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2683 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2684 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2685 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2686 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2687 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2688 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2689 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2690 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2691 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2692 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2693 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2694 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2695 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2696 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2697 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2698 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2699 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2700 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2701 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2702 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2703 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2704 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2705 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2706 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2707 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2708 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2709 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2710 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2711 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2712 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2713 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2714 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2715 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2716 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2717 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2718 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2719 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2720 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2721 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2722 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2723 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2724 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2725 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2726 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2727 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2728 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2729 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2730 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2731 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2732 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2733 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2734 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2735 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2736 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2737 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2738 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2739 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2740 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2741 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2742 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2743 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2744 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2745 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2746 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2747 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2748 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2749 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2750 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2751 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2752 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2753 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2754 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2755 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2756 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2757 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2758 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2759 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2760 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2761 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2762 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2763 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2764 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2765 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2766 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2767 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2768 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2769 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2770 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2771 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2772 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2773 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2774 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2775 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2776 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2777 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2778 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2779 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2780 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2781 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2782 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2783 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2784 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2785 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2786 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2787 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2788 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2789 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2790 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2791 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2792 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2793 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2794 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2795 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2796 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2797 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2798 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2799 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2800 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2801 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2802 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2803 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2804 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2805 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2806 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2807 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2808 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2809 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2810 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2811 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2812 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2813 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2814 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2815 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2816 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2817 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2818 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2819 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2820 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2821 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2822 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2823 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2824 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2825 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2826 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2827 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2828 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2829 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2830 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2831 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2832 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2833 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2834 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2835 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2836 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2837 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2838 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2839 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2840 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2841 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2842 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2843 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2844 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2845 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2846 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2847 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2848 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2849 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2850 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2851 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2852 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2853 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2854 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2855 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2856 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2857 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2858 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2859 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2860 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2861 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2862 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2863 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2864 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2865 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2866 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2867 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2868 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2869 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2870 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2871 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2872 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2873 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2874 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2875 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2876 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2877 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2878 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2879 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2880 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2881 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2882 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2883 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2884 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2885 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2886 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2887 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2888 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2889 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2890 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2891 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2892 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2893 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2894 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2895 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2896 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2897 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2898 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2899 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2900 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2901 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2902 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2903 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2904 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2905 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2906 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2907 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2908 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2909 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2910 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2911 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2912 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2913 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2914 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2915 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2916 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2917 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2918 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2919 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2920 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2921 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2922 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2923 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2924 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2925 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2926 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2927 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2928 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2929 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2930 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2931 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2932 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2933 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2934 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2935 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2936 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2937 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2938 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2939 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2940 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 2941 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2942 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2943 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2944 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2945 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2946 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2947 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2948 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2949 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2950 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2951 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2952 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2953 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2954 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2955 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2956 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2957 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2958 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2959 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2960 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2961 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2962 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2963 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2964 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2965 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2966 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2967 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2968 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2969 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2970 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2971 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2972 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2973 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2974 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2975 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2976 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2977 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2978 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2979 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2980 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2981 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2982 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2983 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2984 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2985 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2986 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2987 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2988 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2989 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2990 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2991 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2992 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2993 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2994 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2995 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2996 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2997 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2998 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 2999 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3000 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3001 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3002 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3003 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3004 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3005 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3006 + ip + + descriptions + + expect + OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3007 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3008 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. 
+ + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3009 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3010 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3011 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3012 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3013 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3014 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3015 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3016 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3017 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3018 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3019 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3020 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3021 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3022 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3023 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3024 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3025 + ip + + descriptions + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3026 + ip + + descriptions + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3027 + ip + + descriptions + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3028 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3029 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3030 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3031 + ip + + descriptions + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3032 + ip + + descriptions + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3033 + ip + + descriptions + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3034 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3035 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3036 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3037 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3038 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3039 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3040 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3041 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3042 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3043 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3044 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3045 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3046 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3047 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3048 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3049 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3050 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3051 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + There is a DNS name constraint but no DNS name in the certificate. This is allowed by the RFC, but some implementations will fail to validate the certificate. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3052 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3053 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3054 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3055 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3056 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3057 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3058 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3059 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3060 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3061 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3062 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3063 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3064 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3065 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3066 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3067 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3068 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3069 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3070 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3071 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3072 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3073 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3074 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3075 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3076 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3077 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3078 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3079 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3080 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3081 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3082 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3083 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3084 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3085 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3086 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3087 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3088 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3089 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3090 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3091 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3092 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3093 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3094 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3095 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3096 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3097 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3098 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3099 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3100 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3101 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3102 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3103 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3104 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3105 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3106 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3107 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3108 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3109 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3110 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3111 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3112 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3113 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3114 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3115 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3116 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3117 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3118 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3119 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3120 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3121 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3122 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3123 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3124 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3125 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3126 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3127 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3128 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3129 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3130 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3131 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3132 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3133 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3134 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3135 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3136 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3137 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3138 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3139 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3140 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3141 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3142 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3143 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3144 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3145 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3146 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3147 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3148 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3149 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3150 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3151 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3152 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3153 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3154 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3155 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3156 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3157 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3158 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3159 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 3160 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3161 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 3162 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 3163 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3164 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 3165 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 3166 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 3167 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 3168 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 3169 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3170 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 3171 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 3172 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 3173 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 3174 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 3175 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3176 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 3177 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3178 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3179 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3180 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3181 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3182 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3183 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3184 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3185 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3186 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3187 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3188 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3189 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3190 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3191 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3192 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3193 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3194 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3195 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3196 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3197 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3198 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3199 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3200 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3201 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3202 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3203 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3204 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3205 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3206 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3207 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3208 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3209 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3210 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3211 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3212 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3213 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3214 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3215 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 3216 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3217 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3218 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3219 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3220 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3221 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3222 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3223 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3224 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3225 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3226 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3227 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 3228 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3229 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3230 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3231 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3232 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3233 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3234 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3235 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3236 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3237 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3238 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3239 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3240 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 3241 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3242 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 3243 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3244 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3245 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 3246 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 3247 + ip + + descriptions + + expect + OK + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3248 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 3249 + ip + + descriptions + + expect + OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 3250 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3251 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 3252 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3253 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3254 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3255 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 3256 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 3257 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 3258 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3259 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3260 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3261 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3262 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3263 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3264 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3265 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 3266 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3267 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3268 + ip + + descriptions + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3269 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3270 + ip + + descriptions + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3271 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3272 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3273 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3274 + ip + + descriptions + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3275 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3276 + ip + + descriptions + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3277 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3278 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3279 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3280 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3281 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 3282 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3283 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3284 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3285 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3286 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3287 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3288 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3289 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3290 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3291 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3292 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3293 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3294 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3295 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3296 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3297 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3298 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3299 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3300 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 3301 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3302 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3303 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3304 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 3305 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3306 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3307 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3308 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3309 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3310 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3311 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. 
+ + expect + WEAK-OK + + id + 3312 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3313 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3314 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3315 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 3316 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3317 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3318 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3319 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 3320 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3321 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 3322 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3323 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 3324 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 3325 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3326 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 3327 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 3328 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3329 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + expect + OK + + id + 3330 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 3331 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3332 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 3333 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 3334 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3335 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 3336 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 3337 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3338 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + + dns + + descriptions + + expect + WEAK-OK + + id + 3339 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 3340 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3341 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3342 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3343 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3344 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 3345 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3346 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3347 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3348 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3349 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3350 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3351 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3352 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3353 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3354 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3355 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3356 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3357 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3358 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3359 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3360 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3361 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3362 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3363 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3364 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3365 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3366 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 3367 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3368 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3369 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3370 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3371 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3372 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3373 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 3374 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3375 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3376 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3377 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3378 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3379 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3380 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3381 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3382 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3383 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3384 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3385 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3386 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3387 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3388 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3389 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3390 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3391 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3392 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + Althought the IP address is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + id + 3393 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3394 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 3395 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3396 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3397 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3398 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3399 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3400 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + expect + ERROR + + id + 3401 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + expect + ERROR + + id + 3402 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3403 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3404 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3405 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3406 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3407 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3408 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3409 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3410 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3411 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3412 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3413 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3414 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3415 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3416 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3417 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3418 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3419 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3420 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3421 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3422 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3423 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3424 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3425 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3426 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3427 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3428 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3429 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3430 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3431 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3432 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3433 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3434 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3435 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3436 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3437 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3438 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3439 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3440 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3441 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3442 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3443 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3444 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3445 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3446 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3447 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3448 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3449 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3450 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3451 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3452 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3453 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3454 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3455 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3456 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3457 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3458 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3459 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3460 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3461 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3462 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3463 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3464 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3465 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3466 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3467 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3468 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3469 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3470 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3471 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3472 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3473 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3474 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3475 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3476 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3477 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3478 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3479 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3480 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3481 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3482 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3483 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3484 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3485 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3486 + ip + + descriptions + + expect + OK + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3487 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3488 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3489 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3490 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3491 + ip + + descriptions + + expect + OK + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3492 + ip + + descriptions + + expect + OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3493 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3494 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3495 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3496 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3497 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3498 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3499 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3500 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3501 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3502 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3503 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3504 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3505 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3506 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3507 + ip + + descriptions + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3508 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3509 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3510 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3511 + ip + + descriptions + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3512 + ip + + descriptions + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3513 + ip + + descriptions + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3514 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3515 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3516 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3517 + ip + + descriptions + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3518 + ip + + descriptions + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3519 + ip + + descriptions + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3520 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3521 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3522 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3523 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3524 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3525 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3526 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3527 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3528 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3529 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3530 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3531 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3532 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3533 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3534 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3535 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3536 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3537 + ip + + descriptions + + Although the DNS name is not the subject name in question, it's name constraint violation may still cause this certificate to be rejected. + + expect + WEAK-OK + + + + descriptions + + The IP in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3538 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3539 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3540 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3541 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3542 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3543 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3544 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3545 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3546 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3547 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3548 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3549 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3550 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3551 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3552 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3553 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3554 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3555 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3556 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3557 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3558 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3559 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3560 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3561 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. 
Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3562 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3563 + ip + + descriptions + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3564 + ip + + descriptions + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3565 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3566 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3567 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3568 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3569 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3570 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3571 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3572 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3573 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3574 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3575 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3576 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3577 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3578 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3579 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3580 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3581 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3582 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3583 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3584 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3585 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3586 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3587 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3588 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3589 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3590 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3591 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3592 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3593 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. 
+ The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3594 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3595 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3596 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3597 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3598 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3599 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3600 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3601 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3602 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3603 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3604 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3605 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3606 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3607 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3608 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3609 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3610 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3611 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3612 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3613 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3614 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3615 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3616 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3617 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3618 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3619 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3620 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3621 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3622 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3623 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3624 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. 
+ + expect + ERROR + + id + 3625 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3626 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + The IP in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3627 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3628 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. 
+ The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3629 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3630 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3631 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3632 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3633 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3634 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3635 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3636 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3637 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3638 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3639 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3640 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3641 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3642 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3643 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. 
+ + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3644 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + descriptions + + The IP in the common name violates a name constraint. Because there is a SAN extension, this might be ignored. + Although the common name is an IP, some implementations may apply DNS name constraints against it and thus fail validation. + The IP in the SAN extension violates a name constraint. + The DNS name in the SAN extension violates a name constraint. + + dns + + descriptions + + The DNS hostname used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + id + 3645 + ip + + descriptions + + The IP used as an origin is not listed in the CN or SAN extension. + + expect + ERROR + + + + + diff --git a/SecurityTests/si-87-sectrust-name-constraints/manifest.plist b/SecurityTests/si-87-sectrust-name-constraints/manifest.plist new file mode 100644 index 00000000..b03dd848 --- /dev/null +++ b/SecurityTests/si-87-sectrust-name-constraints/manifest.plist 
@@ -0,0 +1,77526 @@ + + + + + certManifest + + + id + 1 + nameConstraints + + blacklist + + whitelist + + + sans + + + + id + 2 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + + + id + 3 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + + + id + 4 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + + + id + 5 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + + + id + 6 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + + + id + 7 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + + + id + 8 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + + + id + 9 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + + + id + 10 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + id + 11 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + id + 12 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + id + 13 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + id + 14 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + id + 15 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + id + 16 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + id + 17 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + 
+ sans + + + + id + 18 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + id + 19 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + + + id + 20 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + + + id + 21 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + + + id + 22 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + + + id + 23 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + + + id + 24 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + + + id + 25 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + + + id + 26 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + + + id + 27 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + + + id + 28 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + + + id + 29 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + + + id + 30 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + + + id + 31 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + + + id + 32 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + + + id + 33 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + + + id + 34 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + + + id + 35 + 
nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + + + id + 36 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + + + id + 37 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + id + 38 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + id + 39 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + id + 40 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + id + 41 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + id + 42 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + id + 43 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + id + 44 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + id + 45 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + id + 46 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + id + 47 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + id + 48 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + id + 49 + nameConstraints + + blacklist + + 
52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + id + 50 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + id + 51 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + id + 52 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + id + 53 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + id + 54 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + id + 55 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + + + id + 56 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + + + id + 57 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + + + id + 58 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + + + id + 59 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + + + id + 60 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + + + id + 61 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + + + id + 62 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + + + id + 63 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + + + id + 64 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + id + 65 + nameConstraints + + 
blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + id + 66 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + id + 67 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + id + 68 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + id + 69 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + id + 70 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + id + 71 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + id + 72 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + id + 73 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + id + 74 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + id + 75 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + id + 76 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + id + 77 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + id + 78 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + id + 79 + 
nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + id + 80 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + id + 81 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + id + 82 + nameConstraints + + blacklist + + whitelist + + + sans + + 52.20.118.238 + + + + id + 83 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + 52.20.118.238 + + + + id + 84 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + 52.20.118.238 + + + + id + 85 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + 52.20.118.238 + + + + id + 86 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + 52.20.118.238 + + + + id + 87 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + 52.20.118.238 + + + + id + 88 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + 52.20.118.238 + + + + id + 89 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + 52.20.118.238 + + + + id + 90 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + 52.20.118.238 + + + + id + 91 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + id + 92 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + id + 93 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + id + 94 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 
nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + id + 95 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + id + 96 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + id + 97 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + id + 98 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + id + 99 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + id + 100 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + id + 101 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + id + 102 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + id + 103 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + id + 104 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + id + 105 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + id + 106 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + id + 107 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + id + 108 + nameConstraints + + blacklist + + 
example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + id + 109 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 110 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 111 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 112 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 113 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 114 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 115 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 116 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 117 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 118 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 119 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 120 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 121 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 122 + nameConstraints + + blacklist + + 
nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 123 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 124 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 125 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 126 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 127 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 128 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 129 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 130 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 131 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 132 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 133 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 134 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans 
+ + 52.20.118.238 + + + + id + 135 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + id + 136 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 137 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 138 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 139 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 140 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 141 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 142 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 143 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 144 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 145 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 146 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 147 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 148 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 
nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 149 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 150 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 151 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 152 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 153 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 154 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 155 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 156 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 157 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 158 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 159 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 160 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 
52.20.118.238 + + + + id + 161 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 162 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + id + 163 + nameConstraints + + blacklist + + whitelist + + + sans + + 172.16.0.1 + + + + id + 164 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + 172.16.0.1 + + + + id + 165 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + 172.16.0.1 + + + + id + 166 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + 172.16.0.1 + + + + id + 167 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + 172.16.0.1 + + + + id + 168 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + 172.16.0.1 + + + + id + 169 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + 172.16.0.1 + + + + id + 170 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + 172.16.0.1 + + + + id + 171 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + 172.16.0.1 + + + + id + 172 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + id + 173 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + id + 174 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + id + 175 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + id + 176 + nameConstraints + + 
blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + id + 177 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + id + 178 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + id + 179 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + id + 180 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + id + 181 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + id + 182 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + id + 183 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + id + 184 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + id + 185 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + id + 186 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + id + 187 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + id + 188 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + id + 189 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + id + 190 + nameConstraints + + blacklist + 
+ whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 191 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 192 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 193 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 194 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 195 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 196 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 197 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 198 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 199 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 200 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 201 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 202 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 203 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 204 + nameConstraints + + blacklist + + 
example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 205 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 206 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 207 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 208 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 209 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 210 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 211 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 212 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 213 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 214 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 215 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 216 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + id + 217 + nameConstraints + + blacklist + + 
whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 218 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 219 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 220 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 221 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 222 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 223 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 224 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 225 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 226 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 227 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 228 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 229 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 230 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 231 + 
nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 232 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 233 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 234 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 235 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 236 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 237 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 238 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 239 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 240 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 241 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 242 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + id + 243 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + 
sans + + 172.16.0.1 + + + + id + 244 + nameConstraints + + blacklist + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + id + 245 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + id + 246 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + id + 247 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + id + 248 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + id + 249 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + id + 250 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + id + 251 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + id + 252 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + id + 253 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + id + 254 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + id + 255 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + id + 256 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + id + 257 + nameConstraints + + blacklist + + 
nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + id + 258 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + id + 259 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + id + 260 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + id + 261 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + id + 262 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + id + 263 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + id + 264 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + id + 265 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + id + 266 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + id + 267 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + id + 268 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + id + 269 + nameConstraints + + blacklist + + 
nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + id + 270 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + id + 271 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 272 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 273 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 274 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 275 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 276 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 277 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 278 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 279 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 280 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 281 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 
52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 282 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 283 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 284 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 285 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 286 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 287 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 288 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 289 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 290 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 291 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 292 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + 
sans + + test.nameconstraints.bettertls.com + + + + id + 293 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 294 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 295 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 296 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 297 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 298 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 299 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 300 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 301 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 302 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 303 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 304 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 
test.nameconstraints.bettertls.com + + + + id + 305 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 306 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 307 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 308 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 309 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 310 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 311 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 312 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 313 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 314 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 315 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + 
whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 316 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 317 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 318 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 319 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 320 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 321 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 322 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 323 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 324 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + id + 325 + nameConstraints + + blacklist + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 326 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 327 + nameConstraints 
+ + blacklist + + example.net + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 328 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 329 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 330 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 331 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 332 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 333 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 334 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 335 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 336 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 337 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 338 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 
52.20.118.238 + + + + id + 339 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 340 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 341 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 342 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 343 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 344 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 345 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 346 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 347 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 348 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 349 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 350 + 
nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 351 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 352 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 353 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 354 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 355 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 356 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 357 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 358 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 359 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 360 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 361 + nameConstraints + + blacklist + + whitelist + + 
nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 362 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 363 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 364 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 365 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 366 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 367 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 368 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 369 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 370 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 371 + nameConstraints + + blacklist + + 
nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 372 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 373 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 374 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 375 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 376 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 377 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 378 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 379 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 380 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 381 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 382 + nameConstraints + + 
blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 383 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 384 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 385 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 386 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 387 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 388 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 389 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 390 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 391 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 392 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + 
sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 393 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 394 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 395 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 396 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 397 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 398 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 399 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 400 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 401 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 402 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 
test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 403 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 404 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 405 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + id + 406 + nameConstraints + + blacklist + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 407 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 408 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 409 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 410 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 411 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 412 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 413 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 414 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + 
test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 415 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 416 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 417 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 418 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 419 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 420 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 421 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 422 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 423 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 424 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 425 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + 
sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 426 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 427 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 428 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 429 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 430 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 431 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 432 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 433 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 434 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 435 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 436 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 437 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + 
whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 438 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 439 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 440 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 441 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 442 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 443 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 444 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 445 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 446 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 447 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 448 + 
nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 449 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 450 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 451 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 452 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 453 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 454 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 455 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 456 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 457 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 458 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 
52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 459 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 460 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 461 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 462 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 463 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 464 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 465 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 466 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 467 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 468 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 469 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + 
+ id + 470 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 471 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 472 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 473 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 474 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 475 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 476 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 477 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 478 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 479 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 
172.16.0.1 + + + + id + 480 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 481 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 482 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 483 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 484 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 485 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 486 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + id + 487 + nameConstraints + + blacklist + + whitelist + + + sans + + bad.example.com + + + + id + 488 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + bad.example.com + + + + id + 489 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + bad.example.com + + + + id + 490 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + + + + id + 491 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + + + + id + 492 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 
+ + whitelist + + + sans + + bad.example.com + + + + id + 493 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + + + + id + 494 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + + + + id + 495 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + + + + id + 496 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + id + 497 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + id + 498 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + id + 499 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + id + 500 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + id + 501 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + id + 502 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + id + 503 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + id + 504 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + id + 505 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + bad.example.com + + + + id + 506 + nameConstraints + + blacklist + + 
nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + bad.example.com + + + + id + 507 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + bad.example.com + + + + id + 508 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + + + + id + 509 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + + + + id + 510 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + + + + id + 511 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + + + + id + 512 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + + + + id + 513 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + + + + id + 514 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 515 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 516 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 517 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 518 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 519 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 520 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 
bad.example.com + + + + id + 521 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 522 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 523 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 524 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 525 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 526 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 527 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 528 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 529 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 530 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 531 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 532 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 533 + 
nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 534 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 535 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 536 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 537 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 538 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 539 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 540 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + id + 541 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 542 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 543 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 544 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 545 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 546 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 
192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 547 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 548 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 549 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 550 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 551 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 552 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 553 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 554 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 555 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 556 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 557 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 558 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 
192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 559 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 560 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 561 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 562 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 563 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 564 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 565 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 566 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 567 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + id + 568 + nameConstraints + + blacklist + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 569 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 570 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 571 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 572 + nameConstraints + + blacklist + + 
nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 573 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 574 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 575 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 576 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 577 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 578 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 579 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 580 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 581 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 582 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 583 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 584 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 
+ + sans + + bad.example.com + 52.20.118.238 + + + + id + 585 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 586 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 587 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 588 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 589 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 590 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 591 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 592 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 593 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 594 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 595 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 596 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 597 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + 
bad.example.com + 52.20.118.238 + + + + id + 598 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 599 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 600 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 601 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 602 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 603 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 604 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 605 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 606 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 607 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 608 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 609 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 
nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 610 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 611 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 612 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 613 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 614 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 615 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 616 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 617 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 618 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 619 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 620 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 
52.20.118.238 + + + + id + 621 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 622 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 623 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 624 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 625 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 626 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 627 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 628 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 629 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 630 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 631 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 632 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 633 + nameConstraints + + blacklist 
+ + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 634 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 635 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 636 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 637 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 638 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 639 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 640 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 641 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 642 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 643 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 644 + nameConstraints + + blacklist + + 
nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 645 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 646 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 647 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 648 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + id + 649 + nameConstraints + + blacklist + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 650 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 651 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 652 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 653 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 654 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 655 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 656 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 657 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + 
whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 658 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 659 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 660 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 661 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 662 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 663 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 664 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 665 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 666 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 667 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 668 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 669 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + id 
+ 670 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 671 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 672 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 673 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 674 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 675 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 676 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 677 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 678 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 679 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 680 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 681 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 682 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 683 + nameConstraints + + blacklist + 
+ nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 684 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 685 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 686 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 687 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 688 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 689 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 690 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 691 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 692 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 693 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 694 + nameConstraints + + blacklist + + whitelist + + example.net 
+ 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 695 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 696 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 697 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 698 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 699 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 700 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 701 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 702 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 703 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 704 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 705 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 706 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 707 + 
nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 708 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 709 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 710 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 711 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 712 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 713 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 714 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 715 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 716 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 717 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 718 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com 
+ 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 719 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 720 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 721 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 722 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 723 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 724 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 725 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 726 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 727 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 728 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + id + 729 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 
test.nameconstraints.bettertls.com + id + 730 + nameConstraints + + blacklist + + whitelist + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 731 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 732 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 733 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 734 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 735 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 736 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 737 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 738 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 739 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 740 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 741 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 742 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 
nameconstraints.bettertls.com + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 743 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 744 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 745 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 746 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 747 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 748 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 749 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 750 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 751 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 752 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 753 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 
+ + commonName + test.nameconstraints.bettertls.com + id + 754 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 755 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 756 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 757 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 758 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 759 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 760 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 761 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 762 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 763 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 764 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 765 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist 
+ + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 766 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 767 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 768 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 769 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 770 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 771 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 772 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 773 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 774 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 775 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + 
test.nameconstraints.bettertls.com + id + 776 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 777 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 778 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 779 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 780 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 781 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 782 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 783 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 784 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 785 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 786 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 
787 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 788 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 789 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 790 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 791 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 792 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 793 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 794 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 795 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 796 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 797 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName 
+ test.nameconstraints.bettertls.com + id + 798 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 799 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 800 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 801 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 802 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 803 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 804 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 805 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 806 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 807 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 808 + nameConstraints + + blacklist 
+ + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 809 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 810 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + test.nameconstraints.bettertls.com + id + 811 + nameConstraints + + blacklist + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 812 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 813 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 814 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 815 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 816 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 817 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 818 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 819 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + 52.20.118.238 
+ + + + commonName + test.nameconstraints.bettertls.com + id + 820 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 821 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 822 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 823 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 824 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 825 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 826 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 827 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 828 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 829 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + 
commonName + test.nameconstraints.bettertls.com + id + 830 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 831 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 832 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 833 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 834 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 835 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 836 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 837 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 838 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 839 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 840 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + 
+ + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 841 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 842 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 843 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 844 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 845 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 846 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 847 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 848 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 849 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 850 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + 
+ + + commonName + test.nameconstraints.bettertls.com + id + 851 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 852 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 853 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 854 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 855 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 856 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 857 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 858 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 859 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 860 + nameConstraints + + blacklist + + 
nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 861 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 862 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 863 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 864 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 865 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 866 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 867 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 868 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 869 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 870 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist 
+ + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 871 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 872 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 873 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 874 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 875 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 876 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 877 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 878 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 879 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 
880 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 881 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 882 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 883 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 884 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 885 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 886 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 887 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 888 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 889 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 
52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 890 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 891 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 892 + nameConstraints + + blacklist + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 893 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 894 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 895 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 896 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 897 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 898 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 899 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 900 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + 
test.nameconstraints.bettertls.com + id + 901 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 902 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 903 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 904 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 905 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 906 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 907 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 908 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 909 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 910 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id 
+ 911 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 912 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 913 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 914 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 915 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 916 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 917 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 918 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 919 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 920 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 921 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + 
id + 922 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 923 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 924 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 925 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 926 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 927 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 928 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 929 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 930 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 931 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 932 + nameConstraints + + blacklist + + 
nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 933 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 934 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 935 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 936 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 937 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 938 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 939 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 940 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 941 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 
test.nameconstraints.bettertls.com + id + 942 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 943 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 944 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 945 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 946 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 947 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 948 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 949 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 950 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 951 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 952 + nameConstraints + + blacklist + + 192.168.0.0/16 + 
+ whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 953 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 954 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 955 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 956 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 957 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 958 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 959 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 960 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 961 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 
test.nameconstraints.bettertls.com + id + 962 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 963 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 964 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 965 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 966 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 967 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 968 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 969 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 970 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 971 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 
192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 972 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 973 + nameConstraints + + blacklist + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 974 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 975 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 976 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 977 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 978 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 979 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 980 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 981 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 
test.nameconstraints.bettertls.com + id + 982 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 983 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 984 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 985 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 986 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 987 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 988 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 989 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 990 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com 
+ + + + commonName + test.nameconstraints.bettertls.com + id + 991 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 992 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 993 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 994 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 995 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 996 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 997 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 998 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 999 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1000 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans 
+ + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1001 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1002 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1003 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1004 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1005 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1006 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1007 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1008 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1009 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id 
+ 1010 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1011 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1012 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1013 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1014 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1015 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1016 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1017 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1018 + nameConstraints + + blacklist + + whitelist + + 
example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1019 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1020 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1021 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1022 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1023 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1024 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1025 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1026 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1027 + nameConstraints + + blacklist + + whitelist + + 
192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1028 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1029 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1030 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1031 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1032 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1033 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1034 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1035 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1036 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + 
commonName + test.nameconstraints.bettertls.com + id + 1037 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1038 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1039 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1040 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1041 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1042 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1043 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1044 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 
test.nameconstraints.bettertls.com + id + 1045 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1046 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1047 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1048 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1049 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1050 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1051 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1052 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1053 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com 
+ + + + commonName + test.nameconstraints.bettertls.com + id + 1054 + nameConstraints + + blacklist + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1055 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1056 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1057 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1058 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1059 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1060 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1061 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1062 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1063 + nameConstraints + + blacklist + + whitelist + + 
nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1064 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1065 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1066 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1067 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1068 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1069 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1070 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1071 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans 
+ + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1072 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1073 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1074 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1075 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1076 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1077 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1078 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1079 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1080 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net 
+ + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1081 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1082 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1083 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1084 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1085 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1086 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1087 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1088 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1089 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 
52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1090 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1091 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1092 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1093 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1094 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1095 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1096 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1097 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + 
whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1098 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1099 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1100 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1101 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1102 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1103 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1104 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1105 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 
test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1106 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1107 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1108 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1109 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1110 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1111 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1112 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1113 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1114 + nameConstraints + + blacklist + + 
192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1115 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1116 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1117 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1118 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1119 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1120 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1121 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1122 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + 
whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1123 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1124 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1125 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1126 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1127 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1128 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1129 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1130 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + 
whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1131 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1132 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1133 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1134 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1135 + nameConstraints + + blacklist + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1136 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1137 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1138 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1139 + nameConstraints + + blacklist + + 
nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1140 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1141 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1142 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1143 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1144 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1145 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1146 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1147 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1148 + nameConstraints + + blacklist + + 
nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1149 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1150 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1151 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1152 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1153 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1154 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1155 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1156 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 
test.nameconstraints.bettertls.com + id + 1157 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1158 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1159 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1160 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1161 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1162 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1163 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1164 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1165 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 
test.nameconstraints.bettertls.com + id + 1166 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1167 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1168 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1169 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1170 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1171 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1172 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1173 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1174 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 
nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1175 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1176 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1177 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1178 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1179 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1180 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1181 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1182 + nameConstraints + + blacklist + + example.net + + whitelist + + 
example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1183 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1184 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1185 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1186 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1187 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1188 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1189 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1190 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 
test.nameconstraints.bettertls.com + id + 1191 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1192 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1193 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1194 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1195 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1196 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1197 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1198 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1199 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + 
sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1200 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1201 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1202 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1203 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1204 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1205 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1206 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1207 + nameConstraints + + blacklist + + whitelist + + example.net + 
192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1208 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1209 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1210 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1211 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1212 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1213 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1214 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1215 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 
172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1216 + nameConstraints + + blacklist + + whitelist + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1217 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1218 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1219 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1220 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1221 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1222 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1223 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1224 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1225 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1226 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + 
test.nameconstraints.bettertls.com + id + 1227 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1228 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1229 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1230 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1231 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1232 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1233 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1234 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1235 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1236 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + 
test.nameconstraints.bettertls.com + id + 1237 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1238 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1239 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1240 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1241 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1242 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1243 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1244 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1245 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1246 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1247 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 
+ + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1248 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1249 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1250 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1251 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1252 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1253 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1254 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1255 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1256 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1257 + 
nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1258 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1259 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1260 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1261 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1262 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1263 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1264 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1265 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1266 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + 
+ + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1267 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1268 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1269 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1270 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1271 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1272 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1273 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1274 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1275 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1276 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 
test.nameconstraints.bettertls.com + id + 1277 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1278 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1279 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1280 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1281 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1282 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1283 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1284 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1285 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1286 + 
nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1287 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1288 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1289 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1290 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1291 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1292 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1293 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1294 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1295 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 
192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1296 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + test.nameconstraints.bettertls.com + id + 1297 + nameConstraints + + blacklist + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1298 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1299 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1300 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1301 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1302 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1303 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1304 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1305 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 
test.nameconstraints.bettertls.com + id + 1306 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1307 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1308 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1309 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1310 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1311 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1312 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1313 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1314 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName 
+ test.nameconstraints.bettertls.com + id + 1315 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1316 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1317 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1318 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1319 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1320 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1321 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1322 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1323 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1324 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + 
+ + + commonName + test.nameconstraints.bettertls.com + id + 1325 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1326 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1327 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1328 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1329 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1330 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1331 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1332 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1333 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1334 + nameConstraints + + blacklist + + 
nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1335 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1336 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1337 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1338 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1339 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1340 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1341 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1342 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 
52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1343 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1344 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1345 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1346 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1347 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1348 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1349 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1350 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1351 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 
test.nameconstraints.bettertls.com + id + 1352 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1353 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1354 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1355 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1356 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1357 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1358 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1359 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1360 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1361 + nameConstraints + + blacklist + + 
nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1362 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1363 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1364 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1365 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1366 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1367 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1368 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1369 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + 
+ bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1370 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1371 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1372 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1373 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1374 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1375 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1376 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1377 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + test.nameconstraints.bettertls.com + id + 1378 + nameConstraints + + blacklist + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + 
commonName + test.nameconstraints.bettertls.com + id + 1379 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1380 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1381 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1382 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1383 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1384 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1385 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1386 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1387 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1388 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1389 + 
nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1390 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1391 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1392 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1393 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1394 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1395 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1396 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1397 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1398 + nameConstraints + + blacklist + + example.net + + whitelist 
+ + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1399 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1400 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1401 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1402 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1403 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1404 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1405 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1406 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1407 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1408 + nameConstraints + + blacklist + + 52.0.0.0/11 + + 
whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1409 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1410 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1411 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1412 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1413 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1414 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1415 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1416 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1417 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 
172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1418 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1419 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1420 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1421 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1422 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1423 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1424 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1425 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1426 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + 
+ sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1427 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1428 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1429 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1430 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1431 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1432 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1433 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1434 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1435 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 
1436 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1437 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1438 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1439 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1440 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1441 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1442 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1443 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1444 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1445 + nameConstraints + + 
blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1446 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1447 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1448 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1449 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1450 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1451 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1452 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1453 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 
test.nameconstraints.bettertls.com + id + 1454 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1455 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1456 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1457 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + test.nameconstraints.bettertls.com + id + 1458 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1459 + nameConstraints + + blacklist + + whitelist + + + sans + + + + commonName + 52.20.118.238 + id + 1460 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + + + commonName + 52.20.118.238 + id + 1461 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + + + commonName + 52.20.118.238 + id + 1462 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + + + commonName + 52.20.118.238 + id + 1463 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + + + commonName + 52.20.118.238 + id + 1464 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + + + commonName + 52.20.118.238 + id + 1465 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 
+ sans + + + + commonName + 52.20.118.238 + id + 1466 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + + + commonName + 52.20.118.238 + id + 1467 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + + + commonName + 52.20.118.238 + id + 1468 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + 52.20.118.238 + id + 1469 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + 52.20.118.238 + id + 1470 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + 52.20.118.238 + id + 1471 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + 52.20.118.238 + id + 1472 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + 52.20.118.238 + id + 1473 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + 52.20.118.238 + id + 1474 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + 52.20.118.238 + id + 1475 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + 52.20.118.238 + id + 1476 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + 52.20.118.238 + id + 1477 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + + + commonName + 52.20.118.238 + id + 1478 + nameConstraints + + blacklist + + 
nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + + + commonName + 52.20.118.238 + id + 1479 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + + + commonName + 52.20.118.238 + id + 1480 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + + + commonName + 52.20.118.238 + id + 1481 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + + + commonName + 52.20.118.238 + id + 1482 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + + + commonName + 52.20.118.238 + id + 1483 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + + + commonName + 52.20.118.238 + id + 1484 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + + + commonName + 52.20.118.238 + id + 1485 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + + + commonName + 52.20.118.238 + id + 1486 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1487 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1488 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1489 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1490 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1491 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + + + 
commonName + 52.20.118.238 + id + 1492 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1493 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1494 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1495 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1496 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1497 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1498 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1499 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1500 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1501 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1502 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1503 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + 
+ whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1504 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1505 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1506 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1507 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1508 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1509 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1510 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1511 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1512 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + 52.20.118.238 + id + 1513 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1514 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1515 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1516 + 
nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1517 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1518 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1519 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1520 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1521 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1522 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1523 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1524 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1525 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1526 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1527 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id 
+ 1528 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1529 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1530 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1531 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1532 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1533 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1534 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1535 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1536 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1537 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1538 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + 52.20.118.238 + id + 1539 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + 
+ + sans + + + + commonName + 52.20.118.238 + id + 1540 + nameConstraints + + blacklist + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1541 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1542 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1543 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1544 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1545 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1546 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1547 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1548 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1549 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1550 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1551 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1552 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 
nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1553 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1554 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1555 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1556 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1557 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1558 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1559 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1560 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1561 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1562 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1563 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + 
commonName + 52.20.118.238 + id + 1564 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1565 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1566 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1567 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1568 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1569 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1570 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1571 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1572 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1573 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1574 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1575 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + 
+ + + commonName + 52.20.118.238 + id + 1576 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1577 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1578 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1579 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1580 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1581 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1582 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1583 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1584 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1585 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1586 + nameConstraints + + 
blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1587 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1588 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1589 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1590 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1591 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1592 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1593 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1594 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1595 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1596 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1597 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + 
+ sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1598 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1599 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1600 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1601 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1602 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1603 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1604 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1605 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1606 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1607 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1608 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 
+ + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1609 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1610 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1611 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1612 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1613 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1614 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1615 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1616 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1617 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1618 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 
+ id + 1619 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1620 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1621 + nameConstraints + + blacklist + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1622 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1623 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1624 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1625 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1626 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1627 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1628 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1629 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1630 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1631 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + 
sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1632 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1633 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1634 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1635 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1636 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1637 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1638 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1639 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1640 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1641 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1642 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1643 + nameConstraints + + blacklist + + 
nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1644 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1645 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1646 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1647 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1648 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1649 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1650 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1651 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1652 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1653 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1654 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1655 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 
192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1656 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1657 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1658 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1659 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1660 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1661 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1662 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1663 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1664 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1665 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + 
commonName + 52.20.118.238 + id + 1666 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1667 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1668 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1669 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1670 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1671 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1672 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1673 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1674 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1675 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1676 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1677 + nameConstraints + + blacklist + + example.net + + whitelist 
+ + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1678 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1679 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1680 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1681 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1682 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1683 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1684 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1685 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1686 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1687 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1688 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 
192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1689 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1690 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1691 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1692 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1693 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1694 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1695 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1696 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1697 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1698 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1699 + nameConstraints + + blacklist + + 
192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1700 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1701 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1702 + nameConstraints + + blacklist + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1703 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1704 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1705 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1706 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1707 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1708 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1709 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1710 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + 
test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1711 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1712 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1713 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1714 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1715 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1716 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1717 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1718 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1719 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1720 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + 
test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1721 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1722 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1723 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1724 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1725 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1726 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1727 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1728 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1729 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1730 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1731 + nameConstraints + + blacklist + + 
example.net + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1732 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1733 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1734 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1735 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1736 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1737 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1738 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1739 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1740 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1741 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 
nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1742 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1743 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1744 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1745 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1746 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1747 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1748 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1749 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1750 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + 
commonName + 52.20.118.238 + id + 1751 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1752 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1753 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1754 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1755 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1756 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1757 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1758 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1759 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1760 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + 
id + 1761 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1762 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1763 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1764 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1765 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1766 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1767 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1768 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1769 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1770 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 
192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1771 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1772 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1773 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1774 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1775 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1776 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1777 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1778 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1779 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1780 + 
nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1781 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1782 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 52.20.118.238 + id + 1783 + nameConstraints + + blacklist + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1784 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1785 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1786 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1787 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1788 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1789 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1790 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + 
whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1791 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1792 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1793 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1794 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1795 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1796 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1797 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1798 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1799 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 
test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1800 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1801 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1802 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1803 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1804 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1805 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1806 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1807 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1808 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1809 + nameConstraints + + blacklist + + example.net + 
192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1810 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1811 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1812 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1813 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1814 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1815 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1816 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1817 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1818 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1819 + nameConstraints + 
+ blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1820 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1821 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1822 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1823 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1824 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1825 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1826 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1827 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 
test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1828 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1829 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1830 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1831 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1832 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1833 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1834 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1835 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1836 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 
+ + + + commonName + 52.20.118.238 + id + 1837 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1838 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1839 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1840 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1841 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1842 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1843 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1844 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1845 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1846 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + 
sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1847 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1848 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1849 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1850 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1851 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1852 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1853 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1854 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + 
commonName + 52.20.118.238 + id + 1855 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1856 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1857 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1858 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1859 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1860 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1861 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1862 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 1863 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 
52.20.118.238 + id + 1864 + nameConstraints + + blacklist + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1865 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1866 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1867 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1868 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1869 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1870 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1871 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1872 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1873 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1874 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + 
test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1875 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1876 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1877 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1878 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1879 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1880 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1881 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1882 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1883 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 
52.20.118.238 + id + 1884 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1885 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1886 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1887 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1888 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1889 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1890 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1891 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1892 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1893 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + 
id + 1894 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1895 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1896 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1897 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1898 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1899 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1900 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1901 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1902 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1903 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 
52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1904 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1905 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1906 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1907 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1908 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1909 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1910 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1911 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1912 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 
example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1913 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1914 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1915 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1916 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1917 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1918 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1919 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1920 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1921 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 
52.20.118.238 + id + 1922 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1923 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1924 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1925 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1926 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1927 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1928 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1929 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1930 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1931 + nameConstraints + + 
blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1932 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1933 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1934 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1935 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1936 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1937 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1938 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1939 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 
52.20.118.238 + id + 1940 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1941 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1942 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1943 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1944 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 1945 + nameConstraints + + blacklist + + whitelist + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1946 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1947 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1948 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1949 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1950 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + + + 
+ commonName + 52.20.118.238 + id + 1951 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1952 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1953 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1954 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1955 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1956 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1957 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1958 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1959 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1960 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1961 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1962 + 
nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1963 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1964 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1965 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1966 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1967 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1968 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1969 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1970 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1971 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1972 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1973 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + 
id + 1974 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1975 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1976 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1977 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1978 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1979 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1980 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1981 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1982 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1983 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1984 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1985 + nameConstraints + + blacklist + + 
nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1986 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1987 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1988 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1989 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1990 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1991 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1992 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1993 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1994 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1995 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + 
+ sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1996 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1997 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1998 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 1999 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2000 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2001 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2002 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2003 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2004 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2005 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2006 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2007 + 
nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2008 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2009 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2010 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2011 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2012 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2013 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2014 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2015 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2016 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2017 + 
nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2018 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2019 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2020 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2021 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2022 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2023 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2024 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2025 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 52.20.118.238 + id + 2026 + nameConstraints + + blacklist + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2027 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2028 + nameConstraints + + 
blacklist + + example.net + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2029 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2030 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2031 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2032 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2033 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2034 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2035 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2036 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2037 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2038 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2039 + nameConstraints + + blacklist + + nameconstraints.bettertls.com 
+ 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2040 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2041 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2042 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2043 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2044 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2045 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2046 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2047 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2048 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2049 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 
bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2050 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2051 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2052 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2053 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2054 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2055 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2056 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2057 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2058 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2059 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2060 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + 
whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2061 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2062 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2063 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2064 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2065 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2066 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2067 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2068 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2069 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName 
+ 52.20.118.238 + id + 2070 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2071 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2072 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2073 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2074 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2075 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2076 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2077 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2078 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2079 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 
52.20.118.238 + id + 2080 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2081 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2082 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2083 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2084 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2085 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2086 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2087 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2088 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2089 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2090 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 
nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2091 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2092 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2093 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2094 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2095 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2096 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2097 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2098 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2099 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 
bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2100 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2101 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2102 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2103 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2104 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2105 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2106 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 52.20.118.238 + id + 2107 + nameConstraints + + blacklist + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2108 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2109 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2110 + nameConstraints + + blacklist + + 
52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2111 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2112 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2113 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2114 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2115 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2116 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2117 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2118 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2119 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2120 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2121 + nameConstraints + + blacklist + + example.net 
+ 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2122 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2123 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2124 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2125 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2126 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2127 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2128 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2129 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2130 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2131 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 
2132 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2133 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2134 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2135 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2136 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2137 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2138 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2139 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2140 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2141 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2142 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 
52.20.118.238 + id + 2143 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2144 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2145 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2146 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2147 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2148 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2149 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2150 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2151 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2152 + nameConstraints + + blacklist + + whitelist + + example.net 
+ 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2153 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2154 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2155 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2156 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2157 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2158 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2159 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2160 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2161 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2162 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + 
commonName + 52.20.118.238 + id + 2163 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2164 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2165 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2166 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2167 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2168 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2169 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2170 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2171 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2172 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2173 + nameConstraints + + blacklist + + 
52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2174 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2175 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2176 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2177 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2178 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2179 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2180 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2181 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2182 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + 
commonName + 52.20.118.238 + id + 2183 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2184 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2185 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2186 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 52.20.118.238 + id + 2187 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2188 + nameConstraints + + blacklist + + whitelist + + + sans + + + + commonName + bad.example.com + id + 2189 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + + + commonName + bad.example.com + id + 2190 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + + + commonName + bad.example.com + id + 2191 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + + + commonName + bad.example.com + id + 2192 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + + + commonName + bad.example.com + id + 2193 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + + + commonName + bad.example.com + id + 2194 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + + + commonName + bad.example.com + id + 2195 + nameConstraints + + 
blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + + + commonName + bad.example.com + id + 2196 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + + + commonName + bad.example.com + id + 2197 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + bad.example.com + id + 2198 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + bad.example.com + id + 2199 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + bad.example.com + id + 2200 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + bad.example.com + id + 2201 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + bad.example.com + id + 2202 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + bad.example.com + id + 2203 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + bad.example.com + id + 2204 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + bad.example.com + id + 2205 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + bad.example.com + id + 2206 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + + + commonName + bad.example.com + id + 2207 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net 
+ + + sans + + + + commonName + bad.example.com + id + 2208 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + + + commonName + bad.example.com + id + 2209 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + + + commonName + bad.example.com + id + 2210 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + + + commonName + bad.example.com + id + 2211 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + + + commonName + bad.example.com + id + 2212 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + + + commonName + bad.example.com + id + 2213 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + + + commonName + bad.example.com + id + 2214 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + + + commonName + bad.example.com + id + 2215 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2216 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2217 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2218 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2219 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2220 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 
2221 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2222 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2223 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2224 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2225 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2226 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2227 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2228 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2229 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2230 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2231 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2232 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist 
+ + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2233 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2234 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2235 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2236 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2237 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2238 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2239 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2240 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2241 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + bad.example.com + id + 2242 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2243 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2244 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 
2245 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2246 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2247 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2248 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2249 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2250 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2251 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2252 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2253 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2254 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2255 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2256 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + 
commonName + bad.example.com + id + 2257 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2258 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2259 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2260 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2261 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2262 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2263 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2264 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2265 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2266 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2267 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2268 + nameConstraints + + blacklist + + example.net + 
192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + bad.example.com + id + 2269 + nameConstraints + + blacklist + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2270 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2271 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2272 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2273 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2274 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2275 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2276 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2277 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2278 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2279 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2280 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + 
id + 2281 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2282 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2283 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2284 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2285 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2286 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2287 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2288 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2289 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2290 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2291 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2292 + nameConstraints + + 
blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2293 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2294 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2295 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2296 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2297 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2298 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2299 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2300 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2301 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2302 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2303 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 
2304 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2305 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2306 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2307 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2308 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2309 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2310 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2311 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2312 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2313 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2314 + nameConstraints + + 
blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2315 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2316 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2317 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2318 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2319 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2320 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2321 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2322 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2323 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2324 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2325 + nameConstraints + + blacklist + + example.net + + whitelist + + 
192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2326 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2327 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2328 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2329 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2330 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2331 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2332 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2333 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2334 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2335 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2336 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + 
whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2337 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2338 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2339 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2340 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2341 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2342 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2343 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2344 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2345 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2346 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 
52.20.118.238 + + + + commonName + bad.example.com + id + 2347 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2348 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2349 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + bad.example.com + id + 2350 + nameConstraints + + blacklist + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2351 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2352 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2353 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2354 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2355 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2356 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2357 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2358 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2359 + nameConstraints + + 
blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2360 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2361 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2362 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2363 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2364 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2365 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2366 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2367 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2368 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2369 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2370 + nameConstraints + + blacklist + + example.net + + whitelist + + 
example.net + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2371 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2372 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2373 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2374 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2375 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2376 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2377 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2378 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2379 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2380 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2381 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2382 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + 
+ + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2383 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2384 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2385 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2386 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2387 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2388 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2389 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2390 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2391 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2392 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2393 + nameConstraints + + blacklist + + nameconstraints.bettertls.com 
+ 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2394 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2395 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2396 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2397 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2398 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2399 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2400 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2401 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2402 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2403 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2404 + nameConstraints + + blacklist + + 
whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2405 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2406 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2407 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2408 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2409 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2410 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2411 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2412 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2413 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2414 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2415 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + 
commonName + bad.example.com + id + 2416 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2417 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2418 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2419 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2420 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2421 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2422 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2423 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2424 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2425 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2426 + nameConstraints + + blacklist + + 
nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2427 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2428 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2429 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2430 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + bad.example.com + id + 2431 + nameConstraints + + blacklist + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2432 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2433 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2434 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2435 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2436 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2437 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + 
sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2438 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2439 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2440 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2441 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2442 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2443 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2444 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2445 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2446 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2447 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 
nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2448 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2449 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2450 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2451 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2452 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2453 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2454 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2455 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2456 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2457 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + 
commonName + bad.example.com + id + 2458 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2459 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2460 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2461 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2462 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2463 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2464 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2465 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2466 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2467 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2468 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + 
whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2469 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2470 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2471 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2472 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2473 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2474 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2475 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2476 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2477 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 
52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2478 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2479 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2480 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2481 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2482 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2483 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2484 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2485 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2486 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2487 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + 
sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2488 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2489 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2490 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2491 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2492 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2493 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2494 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2495 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2496 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2497 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 
nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2498 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2499 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2500 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2501 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2502 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2503 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2504 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2505 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2506 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + 
+ test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2507 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2508 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2509 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2510 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2511 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + bad.example.com + id + 2512 + nameConstraints + + blacklist + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2513 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2514 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2515 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2516 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + 
test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2517 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2518 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2519 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2520 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2521 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2522 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2523 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2524 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2525 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2526 + nameConstraints + + blacklist + 
+ example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2527 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2528 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2529 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2530 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2531 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2532 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2533 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2534 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2535 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 
test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2536 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2537 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2538 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2539 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2540 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2541 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2542 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2543 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2544 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2545 + nameConstraints + + blacklist + + 192.168.0.0/16 + + 
whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2546 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2547 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2548 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2549 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2550 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2551 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2552 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2553 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2554 + nameConstraints + + 
blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2555 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2556 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2557 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2558 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2559 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2560 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2561 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2562 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2563 + 
nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2564 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2565 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2566 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2567 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2568 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2569 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2570 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2571 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2572 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 
test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2573 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2574 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2575 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2576 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2577 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2578 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2579 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2580 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2581 + nameConstraints + + blacklist + + 
192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2582 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2583 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2584 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2585 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2586 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2587 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2588 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2589 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com 
+ id + 2590 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2591 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2592 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2593 + nameConstraints + + blacklist + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2594 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2595 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2596 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2597 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2598 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2599 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2600 + nameConstraints + + blacklist + 
+ nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2601 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2602 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2603 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2604 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2605 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2606 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2607 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2608 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2609 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 
nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2610 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2611 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2612 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2613 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2614 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2615 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2616 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2617 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2618 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2619 + nameConstraints + + 
blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2620 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2621 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2622 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2623 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2624 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2625 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2626 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2627 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2628 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2629 + 
nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2630 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2631 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2632 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2633 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2634 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2635 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2636 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2637 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + 
+ test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2638 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2639 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2640 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2641 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2642 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2643 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2644 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2645 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2646 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + 
commonName + bad.example.com + id + 2647 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2648 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2649 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2650 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2651 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2652 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2653 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2654 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2655 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2656 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 
test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2657 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2658 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2659 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2660 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2661 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2662 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2663 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2664 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 
bad.example.com + id + 2665 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2666 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2667 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2668 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2669 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2670 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2671 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2672 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2673 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2674 + 
nameConstraints + + blacklist + + whitelist + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2675 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2676 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2677 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2678 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2679 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2680 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2681 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2682 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2683 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2684 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2685 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2686 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 
nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2687 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2688 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2689 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2690 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2691 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2692 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2693 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2694 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2695 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2696 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2697 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 
example.net + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2698 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2699 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2700 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2701 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2702 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2703 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2704 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2705 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2706 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2707 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2708 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2709 + nameConstraints + + 
blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2710 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2711 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2712 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2713 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2714 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2715 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2716 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2717 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2718 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2719 + nameConstraints + + blacklist + 
+ whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2720 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2721 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2722 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2723 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2724 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2725 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2726 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2727 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2728 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2729 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2730 + nameConstraints + + blacklist + + example.net + + 
whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2731 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2732 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2733 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2734 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2735 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2736 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2737 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2738 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2739 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2740 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2741 + nameConstraints + + blacklist + + 
nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2742 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2743 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2744 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2745 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2746 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2747 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2748 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2749 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2750 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2751 + nameConstraints + + blacklist + + example.net + 
52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2752 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2753 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2754 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + bad.example.com + id + 2755 + nameConstraints + + blacklist + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2756 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2757 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2758 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2759 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2760 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2761 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2762 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + 
bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2763 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2764 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2765 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2766 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2767 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2768 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2769 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2770 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2771 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2772 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + 
sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2773 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2774 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2775 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2776 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2777 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2778 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2779 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2780 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2781 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2782 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2783 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + 
+ 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2784 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2785 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2786 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2787 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2788 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2789 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2790 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2791 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2792 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2793 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 
+ + + + commonName + bad.example.com + id + 2794 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2795 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2796 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2797 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2798 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2799 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2800 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2801 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2802 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2803 + nameConstraints + + blacklist + + 52.0.0.0/11 
+ + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2804 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2805 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2806 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2807 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2808 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2809 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2810 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2811 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2812 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2813 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 
192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2814 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2815 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2816 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2817 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2818 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2819 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2820 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2821 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2822 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2823 + nameConstraints + + blacklist 
+ + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2824 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2825 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2826 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2827 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2828 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2829 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2830 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2831 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2832 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 
bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2833 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2834 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2835 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + bad.example.com + id + 2836 + nameConstraints + + blacklist + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2837 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2838 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2839 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2840 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2841 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2842 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2843 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + 
commonName + bad.example.com + id + 2844 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2845 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2846 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2847 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2848 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2849 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2850 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2851 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2852 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2853 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 
bad.example.com + id + 2854 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2855 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2856 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2857 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2858 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2859 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2860 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2861 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2862 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2863 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2864 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 
bad.example.com + id + 2865 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2866 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2867 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2868 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2869 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2870 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2871 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2872 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2873 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2874 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2875 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist 
+ + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2876 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2877 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2878 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2879 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2880 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2881 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2882 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2883 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2884 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2885 
+ nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2886 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2887 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2888 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2889 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2890 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2891 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2892 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2893 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2894 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2895 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + 
whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2896 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2897 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2898 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2899 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2900 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2901 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2902 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2903 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2904 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2905 + 
nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2906 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2907 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2908 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2909 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2910 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2911 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2912 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2913 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2914 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + 
commonName + bad.example.com + id + 2915 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + bad.example.com + id + 2916 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 2917 + nameConstraints + + blacklist + + whitelist + + + sans + + + + commonName + 172.16.0.1 + id + 2918 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + + + commonName + 172.16.0.1 + id + 2919 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + + + commonName + 172.16.0.1 + id + 2920 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + + + commonName + 172.16.0.1 + id + 2921 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + + + commonName + 172.16.0.1 + id + 2922 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + + + commonName + 172.16.0.1 + id + 2923 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + + + commonName + 172.16.0.1 + id + 2924 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + + + commonName + 172.16.0.1 + id + 2925 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + + + commonName + 172.16.0.1 + id + 2926 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + 172.16.0.1 + id + 2927 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + 172.16.0.1 + id + 2928 + nameConstraints + + blacklist + + example.net + + whitelist + + 
nameconstraints.bettertls.com + + + sans + + + + commonName + 172.16.0.1 + id + 2929 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + 172.16.0.1 + id + 2930 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + 172.16.0.1 + id + 2931 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + 172.16.0.1 + id + 2932 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + 172.16.0.1 + id + 2933 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + 172.16.0.1 + id + 2934 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + + + commonName + 172.16.0.1 + id + 2935 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + + + commonName + 172.16.0.1 + id + 2936 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + + + commonName + 172.16.0.1 + id + 2937 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + + + commonName + 172.16.0.1 + id + 2938 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + + + commonName + 172.16.0.1 + id + 2939 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + + + commonName + 172.16.0.1 + id + 2940 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + + + commonName + 172.16.0.1 + id + 2941 + nameConstraints + + blacklist + + 192.168.0.0/16 + + 
whitelist + + example.net + + + sans + + + + commonName + 172.16.0.1 + id + 2942 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + + + commonName + 172.16.0.1 + id + 2943 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + + + commonName + 172.16.0.1 + id + 2944 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2945 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2946 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2947 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2948 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2949 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2950 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2951 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2952 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2953 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2954 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + 
commonName + 172.16.0.1 + id + 2955 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2956 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2957 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2958 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2959 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2960 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2961 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2962 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2963 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2964 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2965 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2966 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 
52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2967 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2968 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2969 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2970 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + + + commonName + 172.16.0.1 + id + 2971 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2972 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2973 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2974 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2975 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2976 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2977 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2978 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2979 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + 
+ sans + + + + commonName + 172.16.0.1 + id + 2980 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2981 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2982 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2983 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2984 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2985 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2986 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2987 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2988 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2989 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2990 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2991 + nameConstraints + + blacklist 
+ + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2992 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2993 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2994 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2995 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2996 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2997 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + + + commonName + 172.16.0.1 + id + 2998 + nameConstraints + + blacklist + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 2999 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3000 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3001 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3002 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3003 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3004 + nameConstraints + + 
blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3005 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3006 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3007 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3008 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3009 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3010 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3011 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3012 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3013 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3014 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3015 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans 
+ + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3016 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3017 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3018 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3019 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3020 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3021 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3022 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3023 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3024 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3025 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3026 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3027 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3028 + nameConstraints + 
+ blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3029 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3030 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3031 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3032 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3033 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3034 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3035 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3036 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3037 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3038 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3039 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + 
+ whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3040 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3041 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3042 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3043 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3044 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3045 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3046 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3047 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3048 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3049 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3050 + nameConstraints + + blacklist + + 
nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3051 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3052 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3053 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3054 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3055 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3056 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3057 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3058 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3059 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3060 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3061 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 
3062 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3063 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3064 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3065 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3066 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3067 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3068 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3069 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3070 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3071 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3072 + nameConstraints + + blacklist + + example.net + 
+ whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3073 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3074 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3075 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3076 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3077 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3078 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3079 + nameConstraints + + blacklist + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3080 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3081 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3082 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3083 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3084 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + 
+ + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3085 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3086 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3087 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3088 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3089 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3090 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3091 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3092 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3093 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3094 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3095 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3096 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + 
+ whitelist + + nameconstraints.bettertls.com + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3097 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3098 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3099 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3100 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3101 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3102 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3103 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3104 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3105 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3106 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3107 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3108 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3109 + 
nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3110 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3111 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3112 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3113 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3114 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3115 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3116 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3117 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3118 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3119 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3120 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + 
+ nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3121 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3122 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3123 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3124 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3125 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3126 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3127 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3128 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3129 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3130 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3131 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 
example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3132 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3133 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3134 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3135 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3136 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3137 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3138 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3139 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3140 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3141 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3142 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3143 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 
nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3144 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3145 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3146 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3147 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3148 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3149 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3150 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3151 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3152 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3153 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3154 + 
nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3155 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3156 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3157 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3158 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3159 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3160 + nameConstraints + + blacklist + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3161 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3162 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3163 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3164 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3165 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + 
test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3166 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3167 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3168 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3169 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3170 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3171 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3172 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3173 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3174 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3175 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3176 + 
nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3177 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3178 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3179 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3180 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3181 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3182 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3183 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3184 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3185 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3186 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + 
+ test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3187 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3188 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3189 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3190 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3191 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3192 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3193 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3194 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3195 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3196 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3197 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist 
+ + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3198 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3199 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3200 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3201 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3202 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3203 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3204 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3205 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3206 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 
test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3207 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3208 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3209 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3210 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3211 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3212 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3213 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3214 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3215 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3216 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + 
id + 3217 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3218 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3219 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3220 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3221 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3222 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3223 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3224 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3225 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3226 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3227 + 
nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3228 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3229 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3230 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3231 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3232 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3233 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3234 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3235 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3236 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 
example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3237 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3238 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3239 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3240 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + + + + commonName + 172.16.0.1 + id + 3241 + nameConstraints + + blacklist + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3242 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3243 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3244 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3245 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3246 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + 
commonName + 172.16.0.1 + id + 3247 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3248 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3249 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3250 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3251 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3252 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3253 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3254 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3255 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3256 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + 
sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3257 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3258 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3259 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3260 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3261 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3262 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3263 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3264 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3265 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3266 + nameConstraints + + blacklist + + 
nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3267 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3268 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3269 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3270 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3271 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3272 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3273 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3274 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3275 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3276 + nameConstraints 
+ + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3277 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3278 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3279 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3280 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3281 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3282 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3283 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3284 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + 
commonName + 172.16.0.1 + id + 3285 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3286 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3287 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3288 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3289 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3290 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3291 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3292 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3293 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3294 + nameConstraints + + 
blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3295 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3296 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3297 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3298 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3299 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3300 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3301 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3302 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3303 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 
172.16.0.1 + id + 3304 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3305 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3306 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3307 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3308 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3309 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3310 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3311 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3312 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 
nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3313 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3314 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3315 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3316 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3317 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3318 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3319 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3320 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3321 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + 
+ sans + + test.nameconstraints.bettertls.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3322 + nameConstraints + + blacklist + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3323 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3324 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3325 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3326 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3327 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3328 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3329 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3330 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3331 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3332 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + 
+ nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3333 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3334 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3335 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3336 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3337 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3338 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3339 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3340 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3341 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + 
commonName + 172.16.0.1 + id + 3342 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3343 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3344 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3345 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3346 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3347 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3348 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3349 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3350 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3351 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3352 + 
nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3353 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3354 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3355 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3356 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3357 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3358 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3359 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3360 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3361 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + 
test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3362 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3363 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3364 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3365 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3366 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3367 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3368 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3369 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3370 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + 
test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3371 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3372 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3373 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3374 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3375 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3376 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3377 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3378 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3379 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3380 + nameConstraints + + blacklist + + 
nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3381 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3382 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3383 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3384 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3385 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3386 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3387 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3388 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3389 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 
nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3390 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3391 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3392 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3393 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3394 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3395 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3396 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3397 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3398 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + 
whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3399 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3400 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3401 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3402 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + test.nameconstraints.bettertls.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3403 + nameConstraints + + blacklist + + whitelist + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3404 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3405 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3406 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3407 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3408 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3409 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + + + 
+ commonName + 172.16.0.1 + id + 3410 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3411 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3412 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3413 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3414 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3415 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3416 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3417 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3418 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3419 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3420 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id 
+ 3421 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3422 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3423 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3424 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3425 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3426 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3427 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3428 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3429 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3430 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3431 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3432 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3433 + nameConstraints + + blacklist + + 52.0.0.0/11 + + 
whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3434 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3435 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3436 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3437 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3438 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3439 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3440 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3441 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3442 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3443 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3444 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + 
whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3445 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3446 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3447 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3448 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3449 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3450 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3451 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3452 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3453 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3454 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3455 + nameConstraints + + blacklist + + 
nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3456 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3457 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3458 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3459 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3460 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3461 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3462 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3463 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3464 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3465 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3466 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + 
commonName + 172.16.0.1 + id + 3467 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3468 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3469 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3470 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3471 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3472 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3473 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3474 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3475 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3476 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 
3477 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3478 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3479 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3480 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3481 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3482 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3483 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + + + + commonName + 172.16.0.1 + id + 3484 + nameConstraints + + blacklist + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3485 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3486 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3487 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3488 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + 
whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3489 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3490 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3491 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3492 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3493 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3494 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3495 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3496 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3497 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3498 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3499 + nameConstraints + + blacklist + + 
192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3500 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3501 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3502 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3503 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3504 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3505 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3506 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3507 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3508 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3509 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 
172.16.0.1 + id + 3510 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3511 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3512 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3513 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3514 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3515 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3516 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3517 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3518 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3519 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3520 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 
172.16.0.1 + id + 3521 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3522 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3523 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3524 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3525 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3526 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3527 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3528 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3529 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3530 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + 
+ example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3531 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3532 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3533 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3534 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3535 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3536 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3537 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3538 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3539 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3540 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 
172.16.0.1 + id + 3541 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3542 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3543 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3544 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3545 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3546 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3547 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3548 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3549 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3550 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3551 + nameConstraints + + 
blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3552 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3553 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3554 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3555 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3556 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3557 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3558 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3559 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3560 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 
bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3561 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3562 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3563 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3564 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 52.20.118.238 + + + + commonName + 172.16.0.1 + id + 3565 + nameConstraints + + blacklist + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3566 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3567 + nameConstraints + + blacklist + + example.net + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3568 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3569 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3570 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3571 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3572 + 
nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3573 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3574 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3575 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3576 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3577 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3578 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3579 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3580 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3581 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3582 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 
nameconstraints.bettertls.com + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3583 + nameConstraints + + blacklist + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3584 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3585 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3586 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3587 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3588 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3589 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3590 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3591 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3592 + nameConstraints + + blacklist + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3593 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 
172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3594 + nameConstraints + + blacklist + + example.net + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3595 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3596 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3597 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3598 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3599 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3600 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3601 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3602 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3603 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3604 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 
nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3605 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3606 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3607 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3608 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3609 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3610 + nameConstraints + + blacklist + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3611 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3612 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3613 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3614 + nameConstraints + + blacklist + + 
nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3615 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3616 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3617 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3618 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 52.0.0.0/11 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3619 + nameConstraints + + blacklist + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3620 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3621 + nameConstraints + + blacklist + + example.net + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3622 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3623 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3624 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + 
commonName + 172.16.0.1 + id + 3625 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3626 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3627 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3628 + nameConstraints + + blacklist + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3629 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3630 + nameConstraints + + blacklist + + example.net + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3631 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3632 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3633 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3634 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com 
+ 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3635 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3636 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3637 + nameConstraints + + blacklist + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3638 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3639 + nameConstraints + + blacklist + + example.net + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3640 + nameConstraints + + blacklist + + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3641 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3642 + nameConstraints + + blacklist + + example.net + 52.0.0.0/11 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3643 + nameConstraints + + blacklist + + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3644 + nameConstraints + + blacklist + + nameconstraints.bettertls.com + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + 
bad.example.com + 172.16.0.1 + + + + commonName + 172.16.0.1 + id + 3645 + nameConstraints + + blacklist + + example.net + 192.168.0.0/16 + + whitelist + + example.net + 192.168.0.0/16 + + + sans + + bad.example.com + 172.16.0.1 + + + + + diff --git a/SecurityTests/si-87-sectrust-name-constraints/root.cer b/SecurityTests/si-87-sectrust-name-constraints/root.cer new file mode 100644 index 0000000000000000000000000000000000000000..a835f7605d2609e0676780750a395d95c94db577 GIT binary patch literal 992 zcmXqLV!mV0#B^iZl`kzs}0(=`s~cfR*^e&p?)+Wlpn z-)@^w=_zU26NFv5IWrFJ-naEn!-f4Z87Drs%08a)ajQb9Mt0BlJANJK#P#p~ThTx3 zNa3TSF-7cur|zmNPL-OcAG`bU-n04=;S(h$Uy8cMFZ5-3-t=uhCaOQV(!pm_{Pn8$ z@s6K69~gZ(civ##oQ+qwp0cdY>pgbpX4aIoEBm-#9ZN3Bt(QBkwTu0T#|JOPO_kq! zvO5IBr?Wg061>uuA31A#qFCrhPqr^hZA&?`EaP1t=39%-x0}=xbo28T+jg@nrj><^ z_jnlp{9(UYKU>bA%6QVkMM0S?<*Q$9{hWF6*1{Z@Grgz7o~#O4m=mVHn~9l`fpIY~ z1sd=JQ-!QBBjbM-Rs&`rg&b_aR0|9?Mg|A>W6loCzgGIb{~i%x=E`*RZRw0Rm)LCg zAFEomQp!@OyRwak+IOq&+~bQ? z4#K?er>>cFX7;DdG@G4ndcAkMU$@^2(@d$0*jQ2i(sR!3k8OQh%?hI{-%tNz{O(xB zUZ?9NZifFB`_(qE2|v7gRE_Vuv1!$v8M68!QrEAZxmDZ$(fDMeXF=oXZl4Cbo^Q)8 zCmyQ381-SMXiab8ms@=5Mn47C9jKjoWz&P6v)7kwx-Pf%#ImbCuK7$N-G!&5@`6_T p{E1Ayo>*{bri #include +#include "keychain/ckks/CKKS.h" int main(int argc, char *argv[]) { //printf("Build date : %s %s\n", __DATE__, __TIME__); //printf("WARNING: If running those tests on a device with a passcode, DONT FORGET TO UNLOCK!!!\n"); + SecCKKSDisable(); #if 0 && NO_SERVER SOSCloudKeychainServerInit(); #endif diff --git a/SecurityTool/authz.c b/SecurityTool/authz.c index 48e73a14..fa88c365 100644 --- a/SecurityTool/authz.c +++ b/SecurityTool/authz.c @@ -254,7 +254,7 @@ authorizationdb(int argc, char * const * argv) break; case '?': default: - return 2; + return SHOW_USAGE_MESSAGE; } } @@ -262,7 +262,7 @@ authorizationdb(int argc, char * const * argv) argv += optind; if (argc == 0) - return 2; // required right parameter(s) + return SHOW_USAGE_MESSAGE; // required right parameter(s) OSStatus status; 
@@ -301,7 +301,7 @@ authorizationdb(int argc, char * const * argv) CFRelease(shortcut_definition); } else - return 2; // take one optional argument - no more + return SHOW_USAGE_MESSAGE; // take one optional argument - no more } else if (!strcmp("remove", argv[0])) @@ -386,10 +386,10 @@ authorizationdb(int argc, char * const * argv) else if(!strcmp("enable", argv[1])) status = AuthorizationEnableSmartCard(auth_ref, TRUE); else - return 2; // unrecognized parameter + return SHOW_USAGE_MESSAGE; // unrecognized parameter } else - return 2; // required parameter missing + return SHOW_USAGE_MESSAGE; // required parameter missing } else if (!strcmp("merge", argv[0])) { status = 1; @@ -408,7 +408,7 @@ authorizationdb(int argc, char * const * argv) CFMutableDictionaryRef outDict = NULL; if (argc < 2 || argc > 3) - return 2; + return SHOW_USAGE_MESSAGE; if (!strcmp("-", argv[1])) { // Merging from . @@ -492,10 +492,10 @@ bail: CFRelease(outDict); } else - return 2; + return SHOW_USAGE_MESSAGE; } else - return 2; + return SHOW_USAGE_MESSAGE; if (auth_ref) AuthorizationFree(auth_ref, 0); @@ -563,7 +563,7 @@ authorize(int argc, char * const *argv) break; case '?': default: - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } @@ -571,7 +571,7 @@ authorize(int argc, char * const *argv) argv += optind; if (argc == 0) - return 2; // required right parameter(s) + return SHOW_USAGE_MESSAGE; // required right parameter(s) // set up AuthorizationFlags AuthorizationFlags flags = kAuthorizationFlagDefaults | @@ -682,7 +682,7 @@ execute_with_privileges(int argc, char * const *argv) break; case '?': default: - return 2; + return SHOW_USAGE_MESSAGE; } } @@ -690,7 +690,7 @@ execute_with_privileges(int argc, char * const *argv) argv += optind; if (argc == 0) - return 2; // required tool parameter(s) + return SHOW_USAGE_MESSAGE; // required tool parameter(s) OSStatus status; 
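Review bot: The two `return SHOW_USAGE_MESSAGE;` exits in the smartcard branch (hunk at -386) leave `authorizationdb` without reaching the `if (auth_ref) AuthorizationFree(auth_ref, 0);` cleanup visible in the hunk at -492, and the `argc < 2 || argc > 3` exit in the merge branch (hunk at -408) does the same. `auth_ref` is passed to `AuthorizationEnableSmartCard` just above, so it presumably already holds a live authorization reference, although its creation is outside these hunks. These paths could release it before returning, e.g. `if (auth_ref) AuthorizationFree(auth_ref, 0);` followed by `return SHOW_USAGE_MESSAGE;`, or be routed through the shared cleanup at the end of the function. The function body starts and ends outside the hunks shown.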
diff --git a/SecurityTool/createFVMaster.c b/SecurityTool/createFVMaster.c index dd623b7d..36671610 100644 --- a/SecurityTool/createFVMaster.c +++ b/SecurityTool/createFVMaster.c @@ -685,11 +685,11 @@ keychain_createMFV(int argc, char * const *argv) // Specify the keysize in bits (default 1024) keySizeInBits = atoi(optarg); if (!(keySizeInBits == SR_KEY_SIZE_IN_BITS || keySizeInBits == SR2_KEY_SIZE_IN_BITS || keySizeInBits == 4096)) - return 2; + return SHOW_USAGE_MESSAGE; break; case '?': default: - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } /* @@ -704,7 +704,7 @@ keychain_createMFV(int argc, char * const *argv) argv += optind; if (argc > 1) - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; keychainName = (argc == 1)?*argv:_masterKeychainName; if (!keychainName || *keychainName == '\0') diff --git a/SecurityTool/db_commands.cpp b/SecurityTool/db_commands.cpp index 571ed65b..381501f9 100644 --- a/SecurityTool/db_commands.cpp +++ b/SecurityTool/db_commands.cpp @@ -88,7 +88,7 @@ parse_guid(const char *name, CSSM_GUID *guid) else { sec_error("Invalid guid: %s", name); - return 2; + return SHOW_USAGE_MESSAGE; } return 0; @@ -167,7 +167,7 @@ db_create(int argc, char * const *argv) break; case '?': default: - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } diff --git a/SecurityTool/entitlements.plist b/SecurityTool/entitlements.plist index ac3d1b60..76e6179f 100644 --- a/SecurityTool/entitlements.plist +++ b/SecurityTool/entitlements.plist @@ -19,5 +19,7 @@ application-identifier com.apple.security + com.apple.private.keychain.keychaincontrol + diff --git a/SecurityTool/identity_find.m b/SecurityTool/identity_find.m index 1fe81888..52c20e66 100644 --- a/SecurityTool/identity_find.m +++ b/SecurityTool/identity_find.m 
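Review bot: A rejected key size in `keychain_createMFV` (hunk at -685) now returns `SHOW_USAGE_MESSAGE` without saying which value was refused or which sizes are accepted, and the literal `4096` sits beside two named constants. A line such as `fprintf(stderr, "Unsupported key size: %s\n", optarg);` before the return would make the failure explicit, and a named constant for 4096 would match `SR_KEY_SIZE_IN_BITS` and `SR2_KEY_SIZE_IN_BITS`. The context comment still advertises `(default 1024)`; if that is the real default for a FileVault master key it is worth confirming against current key-size guidance, since the macro values are not visible here. The option loop continues outside the hunk.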
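Review bot: The added key `com.apple.private.keychain.keychaincontrol` widens what the `security` command-line tool is entitled to do, and nothing in the hunk records which command needs it. Since this binary is run directly by users and scripts, a short plist comment next to the key would help later least-privilege reviews, for example `<!-- keychaincontrol: needed by <command placeholder>; drop when that command is removed -->`. The markup and the value of the key are stripped in this rendering, so the value itself could not be checked.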
@@ -492,7 +492,7 @@ keychain_find_identity(int argc, char * const *argv) else if (!strcmp(optarg, "macappstore")) policyFlags |= 1 << 11; else { - result = 2; /* @@@ Return 2 triggers usage message. */ + result = SHOW_USAGE_MESSAGE; goto cleanup; } } diff --git a/SecurityTool/identity_prefs.c b/SecurityTool/identity_prefs.c index 2d67ab26..c0e21840 100644 --- a/SecurityTool/identity_prefs.c +++ b/SecurityTool/identity_prefs.c @@ -55,7 +55,7 @@ do_set_identity_preference(CFTypeRef keychainOrArray, // must have a service name if (!service) { - return 2; + return SHOW_USAGE_MESSAGE; } // find identity (if specified by name or hash) @@ -97,7 +97,7 @@ do_get_identity_preference(const char *service, { int result = 0; if (!service) { - return 2; + return SHOW_USAGE_MESSAGE; } CFStringRef serviceRef = CFStringCreateWithCString(NULL, service, kCFStringEncodingUTF8); SecCertificateRef certRef = NULL; @@ -228,7 +228,7 @@ set_identity_preference(int argc, char * const *argv) break; case '?': default: - result = 2; /* @@@ Return 2 triggers usage message. */ + result = SHOW_USAGE_MESSAGE; goto cleanup; } } diff --git a/SecurityTool/key_create.c b/SecurityTool/key_create.c index 6b193f4c..e14f64d2 100644 --- a/SecurityTool/key_create.c +++ b/SecurityTool/key_create.c @@ -146,7 +146,7 @@ parse_algorithm(const char *name, CSSM_ALGORITHMS *algorithm) else { sec_error("Invalid algorithm: %s", name); - return 2; + return SHOW_USAGE_MESSAGE; } return 0; @@ -262,7 +262,7 @@ key_create_pair(int argc, char * const *argv) break; case '?': default: - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } @@ -279,7 +279,7 @@ key_create_pair(int argc, char * const *argv) description = CFStringCreateWithCString(NULL, argv[0], kCFStringEncodingUTF8); } else if (argc != 0) - return 2; + return SHOW_USAGE_MESSAGE; else description = CFStringCreateWithCString(NULL, "", kCFStringEncodingUTF8); 
@@ -560,7 +560,7 @@ csr_create(int argc, char * const *argv) break; case '?': default: - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } @@ -577,7 +577,7 @@ csr_create(int argc, char * const *argv) description = CFStringCreateWithCString(NULL, argv[0], kCFStringEncodingUTF8); } else if (argc != 0) - return 2; + return SHOW_USAGE_MESSAGE; else description = CFStringCreateWithCString(NULL, "", kCFStringEncodingUTF8); diff --git a/SecurityTool/keychain_add.c b/SecurityTool/keychain_add.c index bfc65544..71d59496 100644 --- a/SecurityTool/keychain_add.c +++ b/SecurityTool/keychain_add.c @@ -958,11 +958,11 @@ keychain_add_certificates(int argc, char * const *argv) case 'k': keychainName = optarg; if (*keychainName == '\0') - return 2; + return SHOW_USAGE_MESSAGE; break; case '?': default: - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } @@ -970,7 +970,7 @@ keychain_add_certificates(int argc, char * const *argv) argv += optind; if (argc == 0) - return 2; + return SHOW_USAGE_MESSAGE; result = do_add_certificates(keychainName, argc, argv); diff --git a/SecurityTool/keychain_create.c b/SecurityTool/keychain_create.c index 00e8549d..8564f088 100644 --- a/SecurityTool/keychain_create.c +++ b/SecurityTool/keychain_create.c @@ -80,7 +80,7 @@ keychain_create(int argc, char * const *argv) break; case '?': default: - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } /* diff --git a/SecurityTool/keychain_delete.c b/SecurityTool/keychain_delete.c index 6ef85243..8f139089 100644 --- a/SecurityTool/keychain_delete.c +++ b/SecurityTool/keychain_delete.c @@ -55,7 +55,7 @@ do_delete_certificate(CFTypeRef keychainOrArray, const char *name, const char *h OSStatus result = noErr; SecKeychainItemRef itemToDelete = NULL; if (!name && !hash) { - return 2; + return SHOW_USAGE_MESSAGE; } itemToDelete = find_unique_certificate(keychainOrArray, name, hash); 
@@ -200,7 +200,7 @@ keychain_delete(int argc, char * const *argv) { case '?': default: - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } diff --git a/SecurityTool/keychain_export.m b/SecurityTool/keychain_export.m index 4164f2cb..188619f0 100644 --- a/SecurityTool/keychain_export.m +++ b/SecurityTool/keychain_export.m @@ -353,7 +353,7 @@ keychain_export(int argc, char * const *argv) itemSpec = IS_All; } else { - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } break; case 'f': @@ -391,7 +391,7 @@ keychain_export(int argc, char * const *argv) externFormat = kSecFormatPEMSequence; } else { - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } break; case 'w': @@ -405,7 +405,7 @@ keychain_export(int argc, char * const *argv) break; case '?': default: - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } @@ -427,7 +427,7 @@ keychain_export(int argc, char * const *argv) break; default: sec_error("Don't know how to wrap in specified format/type"); - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } @@ -716,7 +716,7 @@ ctk_export(int argc, char * const *argv) itemSpec = IS_All; } else { - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } break; case 'i': @@ -725,7 +725,7 @@ ctk_export(int argc, char * const *argv) case '?': default: - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } diff --git a/SecurityTool/keychain_find.c b/SecurityTool/keychain_find.c index a6e781a2..c1ac19c6 100644 --- a/SecurityTool/keychain_find.c +++ b/SecurityTool/keychain_find.c 
@@ -1383,7 +1383,7 @@ int keychain_set_internet_password_partition_list(int argc, char * const *argv) SetKeyToString(query, kSecAttrProtocol, optarg); break; case 's': - SetKeyToString(query, kSecAttrService, optarg); + SetKeyToString(query, kSecAttrServer, optarg); break; case 't': SetKeyToString(query, kSecAttrAuthenticationType, optarg); @@ -1925,7 +1925,7 @@ keychain_dump(int argc, char * const *argv) break; case '?': default: - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } diff --git a/SecurityTool/keychain_list.c b/SecurityTool/keychain_list.c index 02eac3a9..70284e4b 100644 --- a/SecurityTool/keychain_list.c +++ b/SecurityTool/keychain_list.c @@ -99,7 +99,7 @@ parse_domain(const char *name, SecPreferencesDomain *domain) else { sec_error("Invalid domain: %s", name); - return 2; + return SHOW_USAGE_MESSAGE; } return 0; @@ -188,7 +188,7 @@ keychain_list(int argc, char * const *argv) break; case '?': default: - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } @@ -363,7 +363,7 @@ keychain_default(int argc, char * const *argv) break; case '?': default: - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } @@ -375,7 +375,7 @@ keychain_default(int argc, char * const *argv) if (argc == 1) keychain = (SecKeychainRef)keychain_create_array(argc, argv); else if (argc > 0) - return 2; + return SHOW_USAGE_MESSAGE; if (use_domain) { @@ -399,7 +399,7 @@ keychain_default(int argc, char * const *argv) else { if (argc > 0) - return 2; + return SHOW_USAGE_MESSAGE; if (use_domain) { @@ -467,7 +467,7 @@ keychain_login(int argc, char * const *argv) break; case '?': default: - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } 
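Review bot: The `-s` case in `keychain_set_internet_password_partition_list` (hunk at -1383) now sets `kSecAttrServer`, but nothing in the code says why this differs from a service-keyed query, which is how the wrong attribute could have gone unnoticed. A one-line comment on the case would guard against a later copy-paste from the generic-password variant, e.g. `/* internet password items are matched by server; kSecAttrService applies to generic passwords */`. Because this query selects the items whose partition list gets rewritten, it is also worth checking that the sibling internet-password option parsers in this file use the same attribute; they are outside this hunk.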
@@ -479,7 +479,7 @@ keychain_login(int argc, char * const *argv) if (argc == 1) keychain = (SecKeychainRef)keychain_create_array(argc, argv); else if (argc > 0) - return 2; + return SHOW_USAGE_MESSAGE; #if 0 if (use_domain) @@ -507,7 +507,7 @@ keychain_login(int argc, char * const *argv) else { if (argc > 0) - return 2; + return SHOW_USAGE_MESSAGE; if (use_domain) { diff --git a/SecurityTool/keychain_lock.c b/SecurityTool/keychain_lock.c index ce1be4df..20a8d549 100644 --- a/SecurityTool/keychain_lock.c +++ b/SecurityTool/keychain_lock.c @@ -89,7 +89,7 @@ keychain_lock(int argc, char * const *argv) break; case '?': default: - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } argc -= optind; @@ -105,7 +105,7 @@ keychain_lock(int argc, char * const *argv) } } else if (argc != 0) - return 2; + return SHOW_USAGE_MESSAGE; if (lockAll) result = do_lock_all(); diff --git a/SecurityTool/keychain_recode.c b/SecurityTool/keychain_recode.c index ddfba2ab..1de237c1 100644 --- a/SecurityTool/keychain_recode.c +++ b/SecurityTool/keychain_recode.c @@ -117,7 +117,7 @@ keychain_recode(int argc, char * const *argv) { case '?': default: - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } argc -= optind; @@ -141,7 +141,7 @@ keychain_recode(int argc, char * const *argv) } else - return 2; + return SHOW_USAGE_MESSAGE; result = do_recode(keychainName1, keychainName2); diff --git a/SecurityTool/keychain_show_info.c b/SecurityTool/keychain_show_info.c index 0952f051..7c099753 100644 --- a/SecurityTool/keychain_show_info.c +++ b/SecurityTool/keychain_show_info.c @@ -90,7 +90,7 @@ keychain_show_info(int argc, char * const *argv) } } else if (argc != 1) - return 2; + return SHOW_USAGE_MESSAGE; result = do_keychain_show_info(keychainName); diff --git a/SecurityTool/keychain_unlock.c b/SecurityTool/keychain_unlock.c index 1b5b5cab..0bd2c38a 100644 --- a/SecurityTool/keychain_unlock.c +++ b/SecurityTool/keychain_unlock.c 
@@ -84,7 +84,7 @@ keychain_unlock(int argc, char * const *argv) break; case '?': default: - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } @@ -101,7 +101,7 @@ keychain_unlock(int argc, char * const *argv) } } else if (argc != 0) - return 2; + return SHOW_USAGE_MESSAGE; if (!password && use_password) { diff --git a/SecurityTool/mds_install.cpp b/SecurityTool/mds_install.cpp index de4baf11..d2f2d621 100644 --- a/SecurityTool/mds_install.cpp +++ b/SecurityTool/mds_install.cpp @@ -23,6 +23,7 @@ * mds_install.cpp */ +#include "security_tool.h" #include "mds_install.h" #include @@ -31,7 +32,7 @@ mds_install(int argc, char * const *argv) { if(argc != 1) { /* crufty "show usage" return code */ - return 2; + return SHOW_USAGE_MESSAGE; } try { diff --git a/SecurityTool/security.c b/SecurityTool/security.c index 67abc3d3..a267dac1 100644 --- a/SecurityTool/security.c +++ b/SecurityTool/security.c @@ -907,7 +907,7 @@ usage(void) " -v Be more verbose about what's going on.\n" "%s commands are:\n", getprogname(), getprogname()); help(0, NULL); - return 2; + return SHOW_USAGE_MESSAGE; } /* Execute a single command. */ diff --git a/SecurityTool/security_tool.h b/SecurityTool/security_tool.h index 0bc40f9e..eb163cfd 100644 --- a/SecurityTool/security_tool.h +++ b/SecurityTool/security_tool.h @@ -26,6 +26,8 @@ #ifndef _SECURITY_TOOL_H_ #define _SECURITY_TOOL_H_ 1 +#define SHOW_USAGE_MESSAGE 2 + #ifdef __cplusplus extern "C" { #endif diff --git a/SecurityTool/smartcards.m b/SecurityTool/smartcards.m index fb934a18..93b9ed73 100644 --- a/SecurityTool/smartcards.m +++ b/SecurityTool/smartcards.m @@ -5,6 +5,7 @@ #import #import "smartcards.h" +#import "security_tool.h" const CFStringRef kTKSmartCardPreferencesDomain = CFSTR("com.apple.security.smartcard"); const CFStringRef kTKDisabledTokensPreferencesKey = CFSTR("DisabledTokens"); 
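Review bot: `#define SHOW_USAGE_MESSAGE 2` in `security_tool.h` (hunk at -26) is added without a comment, while the same commit deletes the `/* @@@ Return 2 triggers usage message. */` remarks that explained the value at each call site. The explanation should move to the definition, for example `/* Returned by a command to make the tool print that command's usage message. */`. As a style point, `enum { SHOW_USAGE_MESSAGE = 2 };` would give the constant a debugger-visible name and still work from the `.c`, `.cpp` and `.m` files that include this header.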
@@ -72,7 +73,7 @@ static int token(int argc, char * const *argv) } } - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } int smartcards(int argc, char * const *argv) { diff --git a/SecurityTool/translocate.c b/SecurityTool/translocate.c index 25364fa1..8625d918 100644 --- a/SecurityTool/translocate.c +++ b/SecurityTool/translocate.c @@ -28,6 +28,7 @@ #include +#include "security_tool.h" #include "translocate.h" static CFURLRef CFURLfromPath(const char * path, Boolean isDir) @@ -91,7 +92,7 @@ int translocate_create(int argc, char * const *argv) if (argc != 2) { - return 2; + return SHOW_USAGE_MESSAGE; } CFURLRef inUrl = CFURLfromPath(argv[1], PathIsDir(argv[1])); @@ -141,7 +142,7 @@ int translocate_policy(int argc, char * const *argv) if (argc != 2) { - return 2; + return SHOW_USAGE_MESSAGE; } CFURLRef inUrl = CFURLfromPath(argv[1], PathIsDir(argv[1])); @@ -178,7 +179,7 @@ int translocate_check(int argc, char * const *argv) if (argc != 2) { - return 2; + return SHOW_USAGE_MESSAGE; } CFURLRef inUrl = CFURLfromPath(argv[1], PathIsDir(argv[1])); @@ -215,7 +216,7 @@ int translocate_original_path(int argc, char * const * argv) if (argc != 2) { - return 2; + return SHOW_USAGE_MESSAGE; } CFURLRef inUrl = CFURLfromPath(argv[1], PathIsDir(argv[1])); diff --git a/SecurityTool/trust_settings_impexp.c b/SecurityTool/trust_settings_impexp.c index c549e2ad..b7b40842 100644 --- a/SecurityTool/trust_settings_impexp.c +++ b/SecurityTool/trust_settings_impexp.c @@ -46,7 +46,7 @@ extern int trust_settings_export(int argc, char * const *argv) unsigned len; if(argc < 2) { - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } optind = 1; 
@@ -59,12 +59,12 @@ extern int trust_settings_export(int argc, char * const *argv) domain = kSecTrustSettingsDomainSystem; break; default: - return 2; + return SHOW_USAGE_MESSAGE; } } if(optind != (argc - 1)) { /* no args left for settings file */ - return 2; + return SHOW_USAGE_MESSAGE; } settingsFile = argv[optind]; @@ -99,7 +99,7 @@ extern int trust_settings_import(int argc, char * const *argv) int rtn; if(argc < 2) { - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } optind = 1; @@ -109,12 +109,12 @@ extern int trust_settings_import(int argc, char * const *argv) domain = kSecTrustSettingsDomainAdmin; break; default: - return 2; + return SHOW_USAGE_MESSAGE; } } if(optind != (argc - 1)) { /* no args left for settings file */ - return 2; + return SHOW_USAGE_MESSAGE; } settingsFile = argv[optind]; rtn = readFileSizet(settingsFile, &settingsData, &settingsLen); diff --git a/SecurityTool/trusted_cert_add.c b/SecurityTool/trusted_cert_add.c index d2edf884..c2b1d12b 100644 --- a/SecurityTool/trusted_cert_add.c +++ b/SecurityTool/trusted_cert_add.c @@ -135,13 +135,13 @@ static int appendConstraintsToDict( if(policy != NULL) { oid = policyStringToOid(policy); if(oid == NULL) { - return 2; + return SHOW_USAGE_MESSAGE; } /* OID to SecPolicyRef */ SecPolicyRef policyRef = oidToPolicy(oid); if(policyRef == NULL) { - return 2; + return SHOW_USAGE_MESSAGE; } CFDictionaryAddValue(*dict, kSecTrustSettingsPolicy, policyRef); CFRelease(policyRef); @@ -226,7 +226,7 @@ trusted_cert_add(int argc, char * const *argv) int policyNameCount = 0, policyStringCount = 0, allowedErrorCount = 0; if(argc < 2) { - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } optind = 1; @@ -249,7 +249,7 @@ trusted_cert_add(int argc, char * const *argv) resultType = kSecTrustSettingsResultUnspecified; } else { - return 2; + return SHOW_USAGE_MESSAGE; } haveConstraints = 1; break; 
@@ -258,7 +258,7 @@ trusted_cert_add(int argc, char * const *argv) policyNames[policyNameCount++] = optarg; } else { fprintf(stderr, "Too many policy arguments.\n"); - return 2; + return SHOW_USAGE_MESSAGE; } haveConstraints = 1; break; @@ -271,7 +271,7 @@ trusted_cert_add(int argc, char * const *argv) policyStrings[policyStringCount++] = optarg; } else { fprintf(stderr, "Too many policy string arguments.\n"); - return 2; + return SHOW_USAGE_MESSAGE; } haveConstraints = 1; break; @@ -285,12 +285,12 @@ trusted_cert_add(int argc, char * const *argv) allowErr = (CSSM_RETURN)atoi(optarg); if (!allowErr) { fprintf(stderr, "Invalid value for allowed error.\n"); - return 2; + return SHOW_USAGE_MESSAGE; } allowedErrors[allowedErrorCount++] = allowErr; } else { fprintf(stderr, "Too many \"allowed error\" arguments.\n"); - return 2; + return SHOW_USAGE_MESSAGE; } haveConstraints = 1; break; @@ -312,7 +312,7 @@ trusted_cert_add(int argc, char * const *argv) break; default: case 'h': - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } if(ourRtn) { @@ -551,7 +551,7 @@ trusted_cert_remove(int argc, char * const *argv) break; default: case 'h': - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } @@ -563,12 +563,12 @@ trusted_cert_remove(int argc, char * const *argv) certFile = argv[optind]; break; default: - return 2; + return SHOW_USAGE_MESSAGE; } if(certFile == NULL) { fprintf(stderr, "No cert file specified.\n"); - return 2; + return SHOW_USAGE_MESSAGE; } if(readCertFile(certFile, &certRef)) { diff --git a/SecurityTool/trusted_cert_dump.c b/SecurityTool/trusted_cert_dump.c index 0fd4429d..bee4303d 100644 --- a/SecurityTool/trusted_cert_dump.c +++ b/SecurityTool/trusted_cert_dump.c @@ -23,6 +23,8 @@ * trusted_cert_dump.c */ +#include "security_tool.h" + #include "trusted_cert_dump.h" #include "trusted_cert_utils.h" 
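Review bot: The allowed-error option in `trusted_cert_add` (hunk at -285) still parses its argument with `atoi`, so `12abc` is accepted as 12, an out-of-range number is not detected, and only a result of 0 is rejected. Each accepted value becomes an error that trust evaluation is told to tolerate for this certificate, so a mistyped argument should fail rather than be partially parsed. Parsing with `strtol` and checking the end pointer and `errno` closes that gap. A range check against the width of `CSSM_RETURN` is also needed, but that type's definition is not on this page. The enclosing option loop starts and ends outside the hunk.
```c
/* … unchanged: option case and allowedErrorCount bound check … */
char *end = NULL;
errno = 0;
long parsed = strtol(optarg, &end, 10);
if (end == optarg || *end != '\0' || errno == ERANGE || parsed == 0) {
	fprintf(stderr, "Invalid value for allowed error.\n");
	return SHOW_USAGE_MESSAGE;
}
/* TODO(review): reject values that do not fit CSSM_RETURN before the cast */
allowErr = (CSSM_RETURN)parsed;
allowedErrors[allowedErrorCount++] = allowErr;
/* … unchanged: "Too many \"allowed error\" arguments" branch … */
```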
@@ -218,12 +220,12 @@ trusted_cert_dump(int argc, char * const *argv) break; default: case 'h': - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } if(optind != argc) { - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } ortn = SecTrustSettingsCopyCertificates(domain, &certArray); diff --git a/SecurityTool/user_trust_enable.cpp b/SecurityTool/user_trust_enable.cpp index 338d7752..95eb82f8 100644 --- a/SecurityTool/user_trust_enable.cpp +++ b/SecurityTool/user_trust_enable.cpp @@ -23,6 +23,7 @@ * user_trust_enable.cpp */ +#include "security_tool.h" #include "user_trust_enable.h" #include #include @@ -57,11 +58,11 @@ user_trust_enable(int argc, char * const *argv) break; default: case 'h': - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } } if(optind != argc) { - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } if(op == utoShow) { diff --git a/SecurityTool/verify_cert.c b/SecurityTool/verify_cert.c index ae3c72e5..3e32b2c9 100644 --- a/SecurityTool/verify_cert.c +++ b/SecurityTool/verify_cert.c @@ -36,6 +36,7 @@ #include "trusted_cert_utils.h" #include "verify_cert.h" #include +#include "security_tool.h" /* * Read file as a cert, add to a CFArray, creating the array if necessary @@ -95,7 +96,7 @@ verify_cert(int argc, char * const *argv) CFOptionFlags revOptions = 0; if(argc < 2) { - return 2; /* @@@ Return 2 triggers usage message. */ + return SHOW_USAGE_MESSAGE; } /* permit network cert fetch unless explicitly turned off with '-L' */ actionFlags |= CSSM_TP_ACTION_FETCH_CERT_FROM_NET; diff --git a/base/SecBase.h b/base/SecBase.h index 4154dab2..f8808db6 100644 --- a/base/SecBase.h +++ b/base/SecBase.h 
@@ -221,6 +221,8 @@ struct SecKeychainAttributeInfo }; typedef struct SecKeychainAttributeInfo SecKeychainAttributeInfo; +#endif // SEC_OS_OSX_INCLUDES + /*! @function SecCopyErrorMessageString @abstract Returns a string describing the specified error result code. @@ -230,9 +232,7 @@ typedef struct SecKeychainAttributeInfo SecKeychainAttributeInfo; */ __nullable CFStringRef SecCopyErrorMessageString(OSStatus status, void * __nullable reserved) - __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_NA); - -#endif // SEC_OS_OSX_INCLUDES + __OSX_AVAILABLE_STARTING(__MAC_10_3, __IPHONE_11_3); #undef SECTYPE @@ -310,11 +310,12 @@ CF_ENUM(OSStatus) { errSecSuccess = 0, /* No error. */ errSecUnimplemented = -4, /* Function or operation not implemented. */ + errSecDiskFull = -34, /* The disk is full. */ errSecDskFull = -34, - errSecIO = -36, /*I/O error (bummers)*/ - errSecOpWr = -49, /*file already open with write permission*/ + errSecIO = -36, /* I/O error. */ + errSecOpWr = -49, /* File already open with write permission. */ errSecParam = -50, /* One or more parameters passed to a function were not valid. */ - errSecWrPerm = -61, /* write permissions error*/ + errSecWrPerm = -61, /* Write permissions error. */ errSecAllocate = -108, /* Failed to allocate memory. */ errSecUserCanceled = -128, /* User canceled the operation. */ errSecBadReq = -909, /* Bad parameter or invalid state for operation. */ 
@@ -344,7 +345,7 @@ CF_ENUM(OSStatus) errSecInteractionNotAllowed = -25308, /* User interaction is not allowed. */ errSecReadOnlyAttr = -25309, /* The specified attribute could not be modified. */ errSecWrongSecVersion = -25310, /* This keychain was created by a different version of the system software and cannot be opened. */ - errSecKeySizeNotAllowed = -25311, /* This item specifies a key size which is too large. */ + errSecKeySizeNotAllowed = -25311, /* This item specifies a key size which is too large or too small. */ errSecNoStorageModule = -25312, /* A required component (data storage module) could not be loaded. You may need to restart your computer. */ errSecNoCertificateModule = -25313, /* A required component (certificate module) could not be loaded. You may need to restart your computer. */ errSecNoPolicyModule = -25314, /* A required component (policy module) could not be loaded. You may need to restart your computer. */ @@ -385,7 +386,6 @@ CF_ENUM(OSStatus) errSecAppleInvalidKeyEndDate = -67593, /* The specified key has an invalid end date. */ errSecConversionError = -67594, /* A conversion error has occurred. */ errSecAppleSSLv2Rollback = -67595, /* A SSLv2 rollback error has occurred. */ - errSecDiskFull = -34, /* The disk is full. */ errSecQuotaExceeded = -67596, /* The quota was exceeded. */ errSecFileTooBig = -67597, /* The file is too big. */ errSecInvalidDatabaseBlob = -67598, /* The specified database has an invalid blob. */ 
@@ -447,16 +447,16 @@ CF_ENUM(OSStatus) errSecTrustSettingDeny = -67654, /* The trust setting for this policy was set to Deny. */ errSecInvalidSubjectName = -67655, /* An invalid certificate subject name was encountered. */ errSecUnknownQualifiedCertStatement = -67656, /* An unknown qualified certificate statement was encountered. */ - errSecMobileMeRequestQueued = -67657, /* The MobileMe request will be sent during the next connection. */ - errSecMobileMeRequestRedirected = -67658, /* The MobileMe request was redirected. */ - errSecMobileMeServerError = -67659, /* A MobileMe server error occurred. */ - errSecMobileMeServerNotAvailable = -67660, /* The MobileMe server is not available. */ - errSecMobileMeServerAlreadyExists = -67661, /* The MobileMe server reported that the item already exists. */ - errSecMobileMeServerServiceErr = -67662, /* A MobileMe service error has occurred. */ - errSecMobileMeRequestAlreadyPending = -67663, /* A MobileMe request is already pending. */ - errSecMobileMeNoRequestPending = -67664, /* MobileMe has no request pending. */ - errSecMobileMeCSRVerifyFailure = -67665, /* A MobileMe CSR verification failure has occurred. */ - errSecMobileMeFailedConsistencyCheck = -67666, /* MobileMe has found a failed consistency check. */ + errSecMobileMeRequestQueued = -67657, + errSecMobileMeRequestRedirected = -67658, + errSecMobileMeServerError = -67659, + errSecMobileMeServerNotAvailable = -67660, + errSecMobileMeServerAlreadyExists = -67661, + errSecMobileMeServerServiceErr = -67662, + errSecMobileMeRequestAlreadyPending = -67663, + errSecMobileMeNoRequestPending = -67664, + errSecMobileMeCSRVerifyFailure = -67665, + errSecMobileMeFailedConsistencyCheck = -67666, errSecNotInitialized = -67667, /* A function was called without initializing CSSM. */ errSecInvalidHandleUsage = -67668, /* The CSSM handle does not match with the service type. 
*/ errSecPVCReferentNotFound = -67669, /* A reference to the calling module was not found in the list of authorized callers. */ @@ -633,7 +633,7 @@ CF_ENUM(OSStatus) errSecInvalidStopOnPolicy = -67840, /* The stop-on policy was not valid. */ errSecInvalidTuple = -67841, /* The tuple was not valid. */ errSecMultipleValuesUnsupported = -67842, /* Multiple values are not supported. */ - errSecNotTrusted = -67843, /* The trust policy was not trusted. */ + errSecNotTrusted = -67843, /* The certificate was not trusted. */ errSecNoDefaultAuthority = -67844, /* No default authority was detected. */ errSecRejectedForm = -67845, /* The trust policy had a rejected form. */ errSecRequestLost = -67846, /* The request was lost. */ diff --git a/base/SecBasePriv.h b/base/SecBasePriv.h index 7c07fe28..40e33b3e 100644 --- a/base/SecBasePriv.h +++ b/base/SecBasePriv.h @@ -99,6 +99,7 @@ enum errSecFailedToSendIDSMessage = -25334, /* Failed to send IDS message. */ errSecDeviceIDNoMatch = -25335, /* The provided device ID does not match any device IDs in the ids account. */ errSecPeersNotAvailable = -25336, /* No peers in the circle are available/online. */ + errSecErrorStringNotAvailable= -25337, /* Unable to load error string for error */ }; // Guard for CFNetwork @@ -110,7 +111,17 @@ const char *cssmErrorString(CSSM_RETURN error) #endif OSStatus SecKeychainErrFromOSStatus(OSStatus osStatus) - __OSX_AVAILABLE_STARTING(__MAC_10_4, __IPHONE_NA); + API_AVAILABLE(macos(10.4), ios(NA), bridgeos(NA)); + +/* + * For used when running in root session as a agent/daemon and want to redirect to + * a background user session. This call must be called before any Sec calls are done, + * so very early in main(). + * + * This only apply to MacOS where background session exists. + */ +void _SecSetSecuritydTargetUID(uid_t uid); + __END_DECLS diff --git a/base/SecSignpost.h b/base/SecSignpost.h new file mode 100644 index 00000000..ffbf852c --- /dev/null +++ b/base/SecSignpost.h 
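Review bot: In the SecBasePriv.h hunk `@@ -110,7 +111,17 @@`, `_SecSetSecuritydTargetUID(uid_t uid)` is declared with no availability annotation or platform guard, although its comment says it applies only to macOS and the declaration just above it gained `API_AVAILABLE(...)` in this same hunk. Because the call changes which user session later Sec calls are directed to, the comment should also spell out the contract a caller relies on: who is expected to call it (the text suggests a root agent or daemon), and what happens if it is called after a Sec call has already been made. Neither is visible here. A possible opening for the comment is `/* Used by an agent/daemon running in the root session to redirect Sec calls to a background user session. Must be called before any other Sec call, i.e. very early in main(). */`, followed by a sentence on the late-call behaviour once that is confirmed against the implementation.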
@@ -0,0 +1,96 @@ +// +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#ifndef _SECSIGNPOST_H_ +#define _SECSIGNPOST_H_ + + +#include + +#if !TARGET_IPHONE_SIMULATOR +#import +#endif + +/* + If you update this file, please also update SecurityCustomSignposts.plist. 
+ */ + +static unsigned int SecSignpostComponent = 82; + +typedef CF_ENUM(unsigned int, SecSignpostType) { + /* between 0 and SecSignpostImpulse, use every even number + * After SecSignpostImpulse, its free for all for custom impulse points + * Remeber to update SecurityCustomSignposts.plist + */ + SecSignpostRestoreKeychain = 0, + SecSignpostRestoreOpenKeybag = 2, + SecSignpostUnlockKeybag = 4, + SecSignpostBackupKeychain = 6, + SecSignpostBackupOpenKeybag = 8, + SecSignpostUpgradePhase1 = 10, + SecSignpostUpgradePhase2 = 12, + SecSignpostBackupKeychainBackupable = 14, + SecSignpostRestoreKeychainBackupable = 16, + + SecSignpostSecItemAdd = 18, + SecSignpostSecItemUpdate = 20, + SecSignpostSecItemDelete = 22, + SecSignpostSecItemCopyMatching = 24, + + + SecSignpostImpulse = 0x1000, + SecSignpostImpulseBackupClassCount = 0x1001, + SecSignpostImpulseRestoreClassCount = 0x1002, +}; + + +static inline void SecSignpostStart(SecSignpostType type) { +#if !TARGET_IPHONE_SIMULATOR + kdebug_trace(ARIADNEDBG_CODE(SecSignpostComponent, type + 0), 0, 0, 0, 0); +#endif +} + +static inline void SecSignpostStop(SecSignpostType type) { +#if !TARGET_IPHONE_SIMULATOR + kdebug_trace(ARIADNEDBG_CODE(SecSignpostComponent, type + 1), 0, 0, 0, 0); +#endif +} + +static inline void SecSignpostBackupCount(SecSignpostType type, + CFStringRef cls, + CFIndex count, + unsigned filter) { +#if !TARGET_IPHONE_SIMULATOR + if (CFStringGetLength(cls) != 4) + return; + unsigned char ucls[5]; + if (!CFStringGetCString(cls, (char *)ucls, sizeof(ucls), kCFStringEncodingUTF8)) + return; + uint32_t c = (ucls[0] & 0xff) | (ucls[1] << 8) | (ucls[2] << 16) | (ucls[3] << 24); + kdebug_trace(ARIADNEDBG_CODE(SecSignpostComponent, type), c, count, filter, 0); +#endif +} + + +#endif /* _SECSIGNPOST_H_ */ diff --git a/base/SecurityCustomSignposts.plist b/base/SecurityCustomSignposts.plist new file mode 100644 index 00000000..969f9886 --- /dev/null +++ b/base/SecurityCustomSignposts.plist 
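Review bot: `static unsigned int SecSignpostComponent = 82;` in the new SecSignpost.h gives every translation unit that includes the header its own writable copy of a value that must stay equal to the `Component` entries in SecurityCustomSignposts.plist. Declaring it `static const unsigned int SecSignpostComponent = 82;` (or as an enum constant) would make that invariant explicit. Separately, `SecSignpostStart`/`SecSignpostStop` emit `type + 0` and `type + 1`, so they are only meaningful for the even interval codes below `SecSignpostImpulse`. Passing `SecSignpostImpulse` to `SecSignpostStop` would emit 0x1001, the code of `SecSignpostImpulseBackupClassCount`. A short comment on the two functions, such as `/* interval signposts only: type must be an even code below SecSignpostImpulse */`, would record that.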
@@ -0,0 +1,207 @@ + + + + + + Name + SecurityProbes + Children + + + Name + RestoreKeychain + Type + Interval + Component + 82 + CodeBegin + 0 + CodeEnd + 1 + + + Name + RestoreOpenKeybag + Type + Interval + Component + 82 + CodeBegin + 2 + CodeEnd + 3 + + + Name + UnlockKeybag + Type + Interval + Component + 82 + CodeBegin + 4 + CodeEnd + 5 + + + Name + BackupKeychain + Type + Interval + Component + 82 + CodeBegin + 6 + CodeEnd + 7 + + + Name + BackupOpenKeybag + Type + Interval + Component + 82 + CodeBegin + 8 + CodeEnd + 9 + + + Name + UpgradePhase1 + Type + Interval + Component + 82 + CodeBegin + 10 + CodeEnd + 11 + + + Name + UpgradePhase2 + Type + Interval + Component + 82 + CodeBegin + 12 + CodeEnd + 13 + + + Name + BackupKeychainBackupable + Type + Interval + Component + 82 + CodeBegin + 14 + CodeEnd + 15 + + + Name + RestoreKeychainBackupable + Type + Interval + Component + 82 + CodeBegin + 16 + CodeEnd + 17 + + + Name + SecItemAdd + Type + Interval + Component + 82 + CodeBegin + 18 + CodeEnd + 19 + + + Name + SecItemUpdate + Type + Interval + Component + 82 + CodeBegin + 20 + CodeEnd + 21 + + + Name + SecItemDelete + Type + Interval + Component + 82 + CodeBegin + 22 + CodeEnd + 23 + + + Name + SecItemCopyMatching + Type + Interval + Component + 82 + CodeBegin + 24 + CodeEnd + 25 + + + Name + BackupClassCount + Type + Impulse + Component + 82 + Code + 0x1001 + ArgValueLabels + + Arg1 + class + Arg2 + count + Arg3 + filter + + + + Name + RestoreClassCount + Type + Impulse + Component + 82 + Code + 0x1002 + ArgValueLabels + + Arg1 + class + Arg2 + count + Arg3 + filter + + + + + + diff --git a/cssm/cssmapple.h b/cssm/cssmapple.h index 9823cd3f..1cead1e6 100644 --- a/cssm/cssmapple.h +++ b/cssm/cssmapple.h 
@@ -291,77 +291,76 @@ enum }; enum { - CSSMERR_CSSM_NO_USER_INTERACTION = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION, - CSSMERR_AC_NO_USER_INTERACTION = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION, - CSSMERR_CSP_NO_USER_INTERACTION = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION, - CSSMERR_CL_NO_USER_INTERACTION = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION, - CSSMERR_DL_NO_USER_INTERACTION = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION, - CSSMERR_TP_NO_USER_INTERACTION = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_NO_USER_INTERACTION, - - CSSMERR_CSSM_USER_CANCELED = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED, - CSSMERR_AC_USER_CANCELED = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED, - CSSMERR_CSP_USER_CANCELED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED, - CSSMERR_CL_USER_CANCELED = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED, - CSSMERR_DL_USER_CANCELED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED, - CSSMERR_TP_USER_CANCELED = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_USER_CANCELED, - - CSSMERR_CSSM_SERVICE_NOT_AVAILABLE = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE, - CSSMERR_AC_SERVICE_NOT_AVAILABLE = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE, - CSSMERR_CSP_SERVICE_NOT_AVAILABLE = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE, - CSSMERR_CL_SERVICE_NOT_AVAILABLE = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE, - CSSMERR_DL_SERVICE_NOT_AVAILABLE = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE, - CSSMERR_TP_SERVICE_NOT_AVAILABLE = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_SERVICE_NOT_AVAILABLE, - - CSSMERR_CSSM_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION, - CSSMERR_AC_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION, - CSSMERR_CSP_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION, 
- CSSMERR_CL_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION, - CSSMERR_DL_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION, - CSSMERR_TP_INSUFFICIENT_CLIENT_IDENTIFICATION = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_INSUFFICIENT_CLIENT_IDENTIFICATION, - - CSSMERR_CSSM_DEVICE_RESET = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET, - CSSMERR_AC_DEVICE_RESET = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET, - CSSMERR_CSP_DEVICE_RESET = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET, - CSSMERR_CL_DEVICE_RESET = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET, - CSSMERR_DL_DEVICE_RESET = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET, - CSSMERR_TP_DEVICE_RESET = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_DEVICE_RESET, - - CSSMERR_CSSM_DEVICE_FAILED = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED, - CSSMERR_AC_DEVICE_FAILED = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED, - CSSMERR_CSP_DEVICE_FAILED = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED, - CSSMERR_CL_DEVICE_FAILED = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED, - CSSMERR_DL_DEVICE_FAILED = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED, - CSSMERR_TP_DEVICE_FAILED = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_DEVICE_FAILED, - - CSSMERR_CSSM_IN_DARK_WAKE = CSSM_CSSM_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE, - CSSMERR_AC_IN_DARK_WAKE = CSSM_AC_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE, - CSSMERR_CSP_IN_DARK_WAKE = CSSM_CSP_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE, - CSSMERR_CL_IN_DARK_WAKE = CSSM_CL_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE, - CSSMERR_DL_IN_DARK_WAKE = CSSM_DL_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE, - CSSMERR_TP_IN_DARK_WAKE = CSSM_TP_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE + CSSMERR_CSSM_NO_USER_INTERACTION = -2147417888, + CSSMERR_AC_NO_USER_INTERACTION = -2147405600, + CSSMERR_CSP_NO_USER_INTERACTION = -2147415840, + CSSMERR_CL_NO_USER_INTERACTION = -2147411744, + CSSMERR_DL_NO_USER_INTERACTION = 
-2147413792, + CSSMERR_TP_NO_USER_INTERACTION = -2147409696, + + CSSMERR_CSSM_USER_CANCELED = -2147417887, + CSSMERR_AC_USER_CANCELED = -2147405599, + CSSMERR_CSP_USER_CANCELED = -2147415839, + CSSMERR_CL_USER_CANCELED = -2147411743, + CSSMERR_DL_USER_CANCELED = -2147413791, + CSSMERR_TP_USER_CANCELED = -2147409695, + + CSSMERR_CSSM_SERVICE_NOT_AVAILABLE = -2147417886, + CSSMERR_AC_SERVICE_NOT_AVAILABLE = -2147405598, + CSSMERR_CSP_SERVICE_NOT_AVAILABLE = -2147415838, + CSSMERR_CL_SERVICE_NOT_AVAILABLE = -2147411742, + CSSMERR_DL_SERVICE_NOT_AVAILABLE = -2147413790, + CSSMERR_TP_SERVICE_NOT_AVAILABLE = -2147409694, + + CSSMERR_CSSM_INSUFFICIENT_CLIENT_IDENTIFICATION = -2147417885, + CSSMERR_AC_INSUFFICIENT_CLIENT_IDENTIFICATION = -2147405597, + CSSMERR_CSP_INSUFFICIENT_CLIENT_IDENTIFICATION = -2147415837, + CSSMERR_CL_INSUFFICIENT_CLIENT_IDENTIFICATION = -2147411741, + CSSMERR_DL_INSUFFICIENT_CLIENT_IDENTIFICATION = -2147413789, + CSSMERR_TP_INSUFFICIENT_CLIENT_IDENTIFICATION = -2147409693, + + CSSMERR_CSSM_DEVICE_RESET = -2147417884, + CSSMERR_AC_DEVICE_RESET = -2147405596, + CSSMERR_CSP_DEVICE_RESET = -2147415836, + CSSMERR_CL_DEVICE_RESET = -2147411740, + CSSMERR_DL_DEVICE_RESET = -2147413788, + CSSMERR_TP_DEVICE_RESET = -2147409692, + + CSSMERR_CSSM_DEVICE_FAILED = -2147417883, + CSSMERR_AC_DEVICE_FAILED = -2147405595, + CSSMERR_CSP_DEVICE_FAILED = -2147415835, + CSSMERR_CL_DEVICE_FAILED = -2147411739, + CSSMERR_DL_DEVICE_FAILED = -2147413787, + CSSMERR_TP_DEVICE_FAILED = -2147409691, + + CSSMERR_CSSM_IN_DARK_WAKE = -2147417882, + CSSMERR_AC_IN_DARK_WAKE = -2147405594, + CSSMERR_CSP_IN_DARK_WAKE = -2147415834, + CSSMERR_CL_IN_DARK_WAKE = -2147411738, + CSSMERR_DL_IN_DARK_WAKE = -2147413786, + CSSMERR_TP_IN_DARK_WAKE = -2147409690, }; /* AppleCSPDL, AppleCSP private error codes. 
*/ enum { - CSSMERR_CSP_APPLE_ADD_APPLICATION_ACL_SUBJECT = CSSM_CSP_PRIVATE_ERROR + 0, - /* - * An attempt was made to use a public key which is incomplete due to - * the lack of algorithm-specific parameters. - */ - CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE = CSSM_CSP_PRIVATE_ERROR + 1, + CSSMERR_CSP_APPLE_ADD_APPLICATION_ACL_SUBJECT = -2147415040, + /* An attempt was made to use a public key which is incomplete due to + the lack of algorithm-specific parameters. */ + CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE = -2147415039, /* a code signature match failed */ - CSSMERR_CSP_APPLE_SIGNATURE_MISMATCH = CSSM_CSP_PRIVATE_ERROR + 2, + CSSMERR_CSP_APPLE_SIGNATURE_MISMATCH = -2147415038, - /* Key StartDate/EndDate invalid */ - CSSMERR_CSP_APPLE_INVALID_KEY_START_DATE = CSSM_CSP_PRIVATE_ERROR + 3, - CSSMERR_CSP_APPLE_INVALID_KEY_END_DATE = CSSM_CSP_PRIVATE_ERROR + 4, + /* Key start date invalid */ + CSSMERR_CSP_APPLE_INVALID_KEY_START_DATE = -2147415037, + /* Key end date invalid */ + CSSMERR_CSP_APPLE_INVALID_KEY_END_DATE = -2147415036, /* Keychain Syncing error codes */ - CSSMERR_CSPDL_APPLE_DL_CONVERSION_ERROR = CSSM_CSP_PRIVATE_ERROR + 5, + CSSMERR_CSPDL_APPLE_DL_CONVERSION_ERROR = -2147415035, /* SSLv2 padding check: rollback attack detected */ - CSSMERR_CSP_APPLE_SSLv2_ROLLBACK = CSSM_CSP_PRIVATE_ERROR + 6 + CSSMERR_CSP_APPLE_SSLv2_ROLLBACK = -2147415034, }; 
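Review bot: The enumerators in this cssmapple.h hunk (`@@ -291,77 +291,76 @@`) and in the following one (`@@ -420,182 +419,188 @@`) replace `CSSM_*_BASE_ERROR + code` expressions with bare decimal literals, so nothing in the header ties a value such as `-2147409690` to the base it was derived from any more. A transcription slip in any of these would compile cleanly and silently change which trust or revocation failure a caller matches. If the literals are needed (for example for a tool that scans the header), consider keeping the derivation checkable with one compile-time assertion per group, placed where the base constants are in scope, e.g. `_Static_assert(CSSMERR_TP_IN_DARK_WAKE == CSSM_TP_BASE_ERROR + CSSM_ERRCODE_IN_DARK_WAKE, "cssmapple.h literal out of sync");`. Whether the bases are visible to this header is not shown in the hunk.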
@@ -420,182 +419,188 @@ enum /* The OpenParameters argument passed to CSSM_DL_DbCreate or CSSM_DL_DbOpen was neither NULL nor a pointer to a valid CSSM_APPLEDL_OPEN_PARAMETERS structure. */ - CSSMERR_APPLEDL_INVALID_OPEN_PARAMETERS = CSSM_DL_PRIVATE_ERROR + 0, + CSSMERR_APPLEDL_INVALID_OPEN_PARAMETERS = -2147412992, /* an operation failed because the disk was full */ - CSSMERR_APPLEDL_DISK_FULL = CSSM_DL_PRIVATE_ERROR + 1, + CSSMERR_APPLEDL_DISK_FULL = -2147412991, /* an operation failed because a disk quota was exceeded */ - CSSMERR_APPLEDL_QUOTA_EXCEEDED = CSSM_DL_PRIVATE_ERROR + 2, + CSSMERR_APPLEDL_QUOTA_EXCEEDED = -2147412990, /* an operation failed because a file was too large */ - CSSMERR_APPLEDL_FILE_TOO_BIG = CSSM_DL_PRIVATE_ERROR + 3, + CSSMERR_APPLEDL_FILE_TOO_BIG = -2147412989, + + /* a keychain database's internal information ("blob") is invalid */ + CSSMERR_APPLEDL_INVALID_DATABASE_BLOB = -2147412988, /* a keychain database's internal information ("blob") is invalid */ - CSSMERR_APPLEDL_INVALID_DATABASE_BLOB = CSSM_DL_PRIVATE_ERROR + 4, - CSSMERR_APPLEDL_INVALID_KEY_BLOB = CSSM_DL_PRIVATE_ERROR + 5, + CSSMERR_APPLEDL_INVALID_KEY_BLOB = -2147412987, + + /* the internal data format version for a database's internal information ("blob") is invalid */ + CSSMERR_APPLEDL_INCOMPATIBLE_DATABASE_BLOB = -2147412986, /* the internal data format version for a database's internal information ("blob") is invalid */ - CSSMERR_APPLEDL_INCOMPATIBLE_DATABASE_BLOB = CSSM_DL_PRIVATE_ERROR + 6, - CSSMERR_APPLEDL_INCOMPATIBLE_KEY_BLOB = CSSM_DL_PRIVATE_ERROR + 7, + CSSMERR_APPLEDL_INCOMPATIBLE_KEY_BLOB = -2147412985, }; /* Apple X509TP private error codes. 
*/ enum { /* Host name mismatch */ - CSSMERR_APPLETP_HOSTNAME_MISMATCH = CSSM_TP_PRIVATE_ERROR + 0, + CSSMERR_APPLETP_HOSTNAME_MISMATCH = -2147408896, /* Non-understood extension with Critical flag true */ - CSSMERR_APPLETP_UNKNOWN_CRITICAL_EXTEN = CSSM_TP_PRIVATE_ERROR + 1, + CSSMERR_APPLETP_UNKNOWN_CRITICAL_EXTEN = -2147408895, /* Basic Constraints extension required per policy, but not present */ - CSSMERR_APPLETP_NO_BASIC_CONSTRAINTS = CSSM_TP_PRIVATE_ERROR + 2, + CSSMERR_APPLETP_NO_BASIC_CONSTRAINTS = -2147408894, /* Invalid BasicConstraints.CA */ - CSSMERR_APPLETP_INVALID_CA = CSSM_TP_PRIVATE_ERROR + 3, + CSSMERR_APPLETP_INVALID_CA = -2147408893, /* Invalid Authority Key ID */ - CSSMERR_APPLETP_INVALID_AUTHORITY_ID = CSSM_TP_PRIVATE_ERROR + 4, + CSSMERR_APPLETP_INVALID_AUTHORITY_ID = -2147408892, /* Invalid Subject Key ID */ - CSSMERR_APPLETP_INVALID_SUBJECT_ID = CSSM_TP_PRIVATE_ERROR + 5, + CSSMERR_APPLETP_INVALID_SUBJECT_ID = -2147408891, /* Invalid Key Usage for policy */ - CSSMERR_APPLETP_INVALID_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 6, + CSSMERR_APPLETP_INVALID_KEY_USAGE = -2147408890, /* Invalid Extended Key Usage for policy */ - CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 7, + CSSMERR_APPLETP_INVALID_EXTENDED_KEY_USAGE = -2147408889, /* Invalid Subject/Authority Key ID Linkage */ - CSSMERR_APPLETP_INVALID_ID_LINKAGE = CSSM_TP_PRIVATE_ERROR + 8, + CSSMERR_APPLETP_INVALID_ID_LINKAGE = -2147408888, /* PathLengthConstraint exceeded */ - CSSMERR_APPLETP_PATH_LEN_CONSTRAINT = CSSM_TP_PRIVATE_ERROR + 9, + CSSMERR_APPLETP_PATH_LEN_CONSTRAINT = -2147408887, /* Cert group terminated at a root cert which did not self-verify */ - CSSMERR_APPLETP_INVALID_ROOT = CSSM_TP_PRIVATE_ERROR + 10, - /* CRL expired/not valid yet */ - CSSMERR_APPLETP_CRL_EXPIRED = CSSM_TP_PRIVATE_ERROR + 11, - CSSMERR_APPLETP_CRL_NOT_VALID_YET = CSSM_TP_PRIVATE_ERROR + 12, + CSSMERR_APPLETP_INVALID_ROOT = -2147408886, + /* CRL expired */ + CSSMERR_APPLETP_CRL_EXPIRED = 
-2147408885, + /* CRL not valid yet */ + CSSMERR_APPLETP_CRL_NOT_VALID_YET = -2147408884, /* Cannot find appropriate CRL */ - CSSMERR_APPLETP_CRL_NOT_FOUND = CSSM_TP_PRIVATE_ERROR + 13, + CSSMERR_APPLETP_CRL_NOT_FOUND = -2147408883, /* specified CRL server down */ - CSSMERR_APPLETP_CRL_SERVER_DOWN = CSSM_TP_PRIVATE_ERROR + 14, + CSSMERR_APPLETP_CRL_SERVER_DOWN = -2147408882, /* illegible CRL distribution point URL */ - CSSMERR_APPLETP_CRL_BAD_URI = CSSM_TP_PRIVATE_ERROR + 15, - /* Unknown critical cert/CRL extension */ - CSSMERR_APPLETP_UNKNOWN_CERT_EXTEN = CSSM_TP_PRIVATE_ERROR + 16, - CSSMERR_APPLETP_UNKNOWN_CRL_EXTEN = CSSM_TP_PRIVATE_ERROR + 17, + CSSMERR_APPLETP_CRL_BAD_URI = -2147408881, + /* Unknown critical cert extension */ + CSSMERR_APPLETP_UNKNOWN_CERT_EXTEN = -2147408880, + /* Unknown critical CRL extension */ + CSSMERR_APPLETP_UNKNOWN_CRL_EXTEN = -2147408879, /* CRL not verifiable to anchor or root */ - CSSMERR_APPLETP_CRL_NOT_TRUSTED = CSSM_TP_PRIVATE_ERROR + 18, + CSSMERR_APPLETP_CRL_NOT_TRUSTED = -2147408878, /* CRL verified to untrusted root */ - CSSMERR_APPLETP_CRL_INVALID_ANCHOR_CERT = CSSM_TP_PRIVATE_ERROR + 19, + CSSMERR_APPLETP_CRL_INVALID_ANCHOR_CERT = -2147408877, /* CRL failed policy verification */ - CSSMERR_APPLETP_CRL_POLICY_FAIL = CSSM_TP_PRIVATE_ERROR + 20, + CSSMERR_APPLETP_CRL_POLICY_FAIL = -2147408876, /* IssuingDistributionPoint extension violation */ - CSSMERR_APPLETP_IDP_FAIL = CSSM_TP_PRIVATE_ERROR + 21, + CSSMERR_APPLETP_IDP_FAIL = -2147408875, /* Cert not found at specified issuerAltName */ - CSSMERR_APPLETP_CERT_NOT_FOUND_FROM_ISSUER = CSSM_TP_PRIVATE_ERROR + 22, + CSSMERR_APPLETP_CERT_NOT_FOUND_FROM_ISSUER = -2147408874, /* Bad cert obtained from specified issuerAltName */ - CSSMERR_APPLETP_BAD_CERT_FROM_ISSUER = CSSM_TP_PRIVATE_ERROR + 23, + CSSMERR_APPLETP_BAD_CERT_FROM_ISSUER = -2147408873, /* S/MIME Email address mismatch */ - CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND = CSSM_TP_PRIVATE_ERROR + 24, + 
CSSMERR_APPLETP_SMIME_EMAIL_ADDRS_NOT_FOUND = -2147408872, /* Appropriate S/MIME ExtendedKeyUsage not found */ - CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE = CSSM_TP_PRIVATE_ERROR + 25, + CSSMERR_APPLETP_SMIME_BAD_EXT_KEY_USE = -2147408871, /* S/MIME KeyUsage incompatibility */ - CSSMERR_APPLETP_SMIME_BAD_KEY_USE = CSSM_TP_PRIVATE_ERROR + 26, + CSSMERR_APPLETP_SMIME_BAD_KEY_USE = -2147408870, /* S/MIME, cert with KeyUsage flagged !critical */ - CSSMERR_APPLETP_SMIME_KEYUSAGE_NOT_CRITICAL = CSSM_TP_PRIVATE_ERROR + 27, + CSSMERR_APPLETP_SMIME_KEYUSAGE_NOT_CRITICAL = -2147408869, /* S/MIME, leaf with empty subject name and no email addrs - * in SubjectAltName */ - CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS = CSSM_TP_PRIVATE_ERROR + 28, + in SubjectAltName */ + CSSMERR_APPLETP_SMIME_NO_EMAIL_ADDRS = -2147408868, /* S/MIME, leaf with empty subject name, SubjectAltName - * not critical */ - CSSMERR_APPLETP_SMIME_SUBJ_ALT_NAME_NOT_CRIT = CSSM_TP_PRIVATE_ERROR + 29, + not critical */ + CSSMERR_APPLETP_SMIME_SUBJ_ALT_NAME_NOT_CRIT = -2147408867, /* Appropriate SSL ExtendedKeyUsage not found */ - CSSMERR_APPLETP_SSL_BAD_EXT_KEY_USE = CSSM_TP_PRIVATE_ERROR + 30, + CSSMERR_APPLETP_SSL_BAD_EXT_KEY_USE = -2147408866, /* unparseable OCSP response */ - CSSMERR_APPLETP_OCSP_BAD_RESPONSE = CSSM_TP_PRIVATE_ERROR + 31, + CSSMERR_APPLETP_OCSP_BAD_RESPONSE = -2147408865, /* unparseable OCSP request */ - CSSMERR_APPLETP_OCSP_BAD_REQUEST = CSSM_TP_PRIVATE_ERROR + 32, + CSSMERR_APPLETP_OCSP_BAD_REQUEST = -2147408864, /* OCSP service unavailable */ - CSSMERR_APPLETP_OCSP_UNAVAILABLE = CSSM_TP_PRIVATE_ERROR + 33, + CSSMERR_APPLETP_OCSP_UNAVAILABLE = -2147408863, /* OCSP status: cert unrecognized */ - CSSMERR_APPLETP_OCSP_STATUS_UNRECOGNIZED = CSSM_TP_PRIVATE_ERROR + 34, + CSSMERR_APPLETP_OCSP_STATUS_UNRECOGNIZED = -2147408862, /* revocation check not successful for each cert */ - CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK = CSSM_TP_PRIVATE_ERROR + 35, + CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK = 
-2147408861, /* general network error */ - CSSMERR_APPLETP_NETWORK_FAILURE = CSSM_TP_PRIVATE_ERROR + 36, + CSSMERR_APPLETP_NETWORK_FAILURE = -2147408860, /* OCSP response not verifiable to anchor or root */ - CSSMERR_APPLETP_OCSP_NOT_TRUSTED = CSSM_TP_PRIVATE_ERROR + 37, + CSSMERR_APPLETP_OCSP_NOT_TRUSTED = -2147408859, /* OCSP response verified to untrusted root */ - CSSMERR_APPLETP_OCSP_INVALID_ANCHOR_CERT = CSSM_TP_PRIVATE_ERROR + 38, + CSSMERR_APPLETP_OCSP_INVALID_ANCHOR_CERT = -2147408858, /* OCSP response signature error */ - CSSMERR_APPLETP_OCSP_SIG_ERROR = CSSM_TP_PRIVATE_ERROR + 39, + CSSMERR_APPLETP_OCSP_SIG_ERROR = -2147408857, /* No signer for OCSP response found */ - CSSMERR_APPLETP_OCSP_NO_SIGNER = CSSM_TP_PRIVATE_ERROR + 40, + CSSMERR_APPLETP_OCSP_NO_SIGNER = -2147408856, /* OCSP responder status: malformed request */ - CSSMERR_APPLETP_OCSP_RESP_MALFORMED_REQ = CSSM_TP_PRIVATE_ERROR + 41, + CSSMERR_APPLETP_OCSP_RESP_MALFORMED_REQ = -2147408855, /* OCSP responder status: internal error */ - CSSMERR_APPLETP_OCSP_RESP_INTERNAL_ERR = CSSM_TP_PRIVATE_ERROR + 42, + CSSMERR_APPLETP_OCSP_RESP_INTERNAL_ERR = -2147408854, /* OCSP responder status: try later */ - CSSMERR_APPLETP_OCSP_RESP_TRY_LATER = CSSM_TP_PRIVATE_ERROR + 43, + CSSMERR_APPLETP_OCSP_RESP_TRY_LATER = -2147408853, /* OCSP responder status: signature required */ - CSSMERR_APPLETP_OCSP_RESP_SIG_REQUIRED = CSSM_TP_PRIVATE_ERROR + 44, + CSSMERR_APPLETP_OCSP_RESP_SIG_REQUIRED = -2147408852, /* OCSP responder status: unauthorized */ - CSSMERR_APPLETP_OCSP_RESP_UNAUTHORIZED = CSSM_TP_PRIVATE_ERROR + 45, + CSSMERR_APPLETP_OCSP_RESP_UNAUTHORIZED = -2147408851, /* OCSP response nonce did not match request */ - CSSMERR_APPLETP_OCSP_NONCE_MISMATCH = CSSM_TP_PRIVATE_ERROR + 46, + CSSMERR_APPLETP_OCSP_NONCE_MISMATCH = -2147408850, /* Illegal cert chain length for Code Signing */ - CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH = CSSM_TP_PRIVATE_ERROR + 47, + CSSMERR_APPLETP_CS_BAD_CERT_CHAIN_LENGTH = -2147408849, 
/* Missing Basic Constraints for Code Signing */ - CSSMERR_APPLETP_CS_NO_BASIC_CONSTRAINTS = CSSM_TP_PRIVATE_ERROR + 48, + CSSMERR_APPLETP_CS_NO_BASIC_CONSTRAINTS = -2147408848, /* Bad PathLengthConstraint for Code Signing */ - CSSMERR_APPLETP_CS_BAD_PATH_LENGTH = CSSM_TP_PRIVATE_ERROR + 49, + CSSMERR_APPLETP_CS_BAD_PATH_LENGTH = -2147408847, /* Missing ExtendedKeyUsage for Code Signing */ - CSSMERR_APPLETP_CS_NO_EXTENDED_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 50, + CSSMERR_APPLETP_CS_NO_EXTENDED_KEY_USAGE = -2147408846, /* Development style Code Signing Cert Detected */ - CSSMERR_APPLETP_CODE_SIGN_DEVELOPMENT = CSSM_TP_PRIVATE_ERROR + 51, + CSSMERR_APPLETP_CODE_SIGN_DEVELOPMENT = -2147408845, /* Illegal cert chain length for Resource Signing */ - CSSMERR_APPLETP_RS_BAD_CERT_CHAIN_LENGTH = CSSM_TP_PRIVATE_ERROR + 52, + CSSMERR_APPLETP_RS_BAD_CERT_CHAIN_LENGTH = -2147408844, /* Bad extended key usage for Resource Signing */ - CSSMERR_APPLETP_RS_BAD_EXTENDED_KEY_USAGE = CSSM_TP_PRIVATE_ERROR + 53, + CSSMERR_APPLETP_RS_BAD_EXTENDED_KEY_USAGE = -2147408843, /* Trust Setting: deny */ - CSSMERR_APPLETP_TRUST_SETTING_DENY = CSSM_TP_PRIVATE_ERROR + 54, + CSSMERR_APPLETP_TRUST_SETTING_DENY = -2147408842, /* Invalid empty SubjectName */ - CSSMERR_APPLETP_INVALID_EMPTY_SUBJECT = CSSM_TP_PRIVATE_ERROR + 55, + CSSMERR_APPLETP_INVALID_EMPTY_SUBJECT = -2147408841, /* Unknown critical Qualified Cert Statement ID */ - CSSMERR_APPLETP_UNKNOWN_QUAL_CERT_STATEMENT = CSSM_TP_PRIVATE_ERROR + 56, + CSSMERR_APPLETP_UNKNOWN_QUAL_CERT_STATEMENT = -2147408840, /* Missing required extension */ - CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION = CSSM_TP_PRIVATE_ERROR + 57, + CSSMERR_APPLETP_MISSING_REQUIRED_EXTENSION = -2147408839, /* Extended key usage not marked critical */ - CSSMERR_APPLETP_EXT_KEYUSAGE_NOT_CRITICAL = CSSM_TP_PRIVATE_ERROR + 58, + CSSMERR_APPLETP_EXT_KEYUSAGE_NOT_CRITICAL = -2147408838, /* Required name or identifier not present */ - CSSMERR_APPLETP_IDENTIFIER_MISSING = 
CSSM_TP_PRIVATE_ERROR + 59, + CSSMERR_APPLETP_IDENTIFIER_MISSING = -2147408837, /* Certificate authority pinning mismatch */ - CSSMERR_APPLETP_CA_PIN_MISMATCH = CSSM_TP_PRIVATE_ERROR + 60 + CSSMERR_APPLETP_CA_PIN_MISMATCH = -2147408836, }; /* Apple .mac TP private error codes. */ enum { /* cert request queued */ - CSSMERR_APPLE_DOTMAC_REQ_QUEUED = CSSM_TP_PRIVATE_ERROR + 100, + CSSMERR_APPLE_DOTMAC_REQ_QUEUED = -2147408796, /* cert request redirected */ - CSSMERR_APPLE_DOTMAC_REQ_REDIRECT = CSSM_TP_PRIVATE_ERROR + 101, + CSSMERR_APPLE_DOTMAC_REQ_REDIRECT = -2147408795, /* general server-reported error */ - CSSMERR_APPLE_DOTMAC_REQ_SERVER_ERR = CSSM_TP_PRIVATE_ERROR + 102, + CSSMERR_APPLE_DOTMAC_REQ_SERVER_ERR = -2147408794, /* server-reported parameter error */ - CSSMERR_APPLE_DOTMAC_REQ_SERVER_PARAM = CSSM_TP_PRIVATE_ERROR + 103, + CSSMERR_APPLE_DOTMAC_REQ_SERVER_PARAM = -2147408793, /* server-reported authorization error */ - CSSMERR_APPLE_DOTMAC_REQ_SERVER_AUTH = CSSM_TP_PRIVATE_ERROR + 104, + CSSMERR_APPLE_DOTMAC_REQ_SERVER_AUTH = -2147408792, /* server-reported unimplemented */ - CSSMERR_APPLE_DOTMAC_REQ_SERVER_UNIMPL = CSSM_TP_PRIVATE_ERROR + 105, + CSSMERR_APPLE_DOTMAC_REQ_SERVER_UNIMPL = -2147408791, /* server-reported not available */ - CSSMERR_APPLE_DOTMAC_REQ_SERVER_NOT_AVAIL = CSSM_TP_PRIVATE_ERROR + 106, + CSSMERR_APPLE_DOTMAC_REQ_SERVER_NOT_AVAIL = -2147408790, /* server-reported already exists */ - CSSMERR_APPLE_DOTMAC_REQ_SERVER_ALREADY_EXIST = CSSM_TP_PRIVATE_ERROR + 107, + CSSMERR_APPLE_DOTMAC_REQ_SERVER_ALREADY_EXIST = -2147408789, /* server-reported service error */ - CSSMERR_APPLE_DOTMAC_REQ_SERVER_SERVICE_ERROR = CSSM_TP_PRIVATE_ERROR + 108, + CSSMERR_APPLE_DOTMAC_REQ_SERVER_SERVICE_ERROR = -2147408788, /* request already pending for specified user */ - CSSMERR_APPLE_DOTMAC_REQ_IS_PENDING = CSSM_TP_PRIVATE_ERROR + 109, + CSSMERR_APPLE_DOTMAC_REQ_IS_PENDING = -2147408787, /* no request pending for specified user */ - 
CSSMERR_APPLE_DOTMAC_NO_REQ_PENDING = CSSM_TP_PRIVATE_ERROR + 110, + CSSMERR_APPLE_DOTMAC_NO_REQ_PENDING = -2147408786, /* CSR failed to verify */ - CSSMERR_APPLE_DOTMAC_CSR_VERIFY_FAIL = CSSM_TP_PRIVATE_ERROR + 111, + CSSMERR_APPLE_DOTMAC_CSR_VERIFY_FAIL = -2147408785, /* server reported failed consistency check */ - CSSMERR_APPLE_DOTMAC_FAILED_CONSISTENCY_CHECK = CSSM_TP_PRIVATE_ERROR + 112 + CSSMERR_APPLE_DOTMAC_FAILED_CONSISTENCY_CHECK = -2147408784, }; enum diff --git a/header_symlinks/Security/CSCommon.h b/header_symlinks/Security/CSCommon.h new file mode 120000 index 00000000..161b1306 --- /dev/null +++ b/header_symlinks/Security/CSCommon.h @@ -0,0 +1 @@ +././../OSX/libsecurity_codesigning/lib/CSCommon.h \ No newline at end of file diff --git a/header_symlinks/Security/CSCommonPriv.h b/header_symlinks/Security/CSCommonPriv.h new file mode 120000 index 00000000..e8b33401 --- /dev/null +++ b/header_symlinks/Security/CSCommonPriv.h @@ -0,0 +1 @@ +././../OSX/libsecurity_codesigning/lib/CSCommonPriv.h \ No newline at end of file diff --git a/header_symlinks/Security/CodeSigning.h b/header_symlinks/Security/CodeSigning.h new file mode 120000 index 00000000..ceb8cc49 --- /dev/null +++ b/header_symlinks/Security/CodeSigning.h @@ -0,0 +1 @@ +././../OSX/libsecurity_codesigning/lib/CodeSigning.h \ No newline at end of file diff --git a/header_symlinks/Security/SecCode.h b/header_symlinks/Security/SecCode.h new file mode 120000 index 00000000..fe672eff --- /dev/null +++ b/header_symlinks/Security/SecCode.h @@ -0,0 +1 @@ +././../OSX/libsecurity_codesigning/lib/SecCode.h \ No newline at end of file diff --git a/header_symlinks/Security/SecCodeHost.h b/header_symlinks/Security/SecCodeHost.h new file mode 120000 index 00000000..577c81c2 --- /dev/null +++ b/header_symlinks/Security/SecCodeHost.h @@ -0,0 +1 @@ +././../OSX/libsecurity_codesigning/lib/SecCodeHost.h \ No newline at end of file 
diff --git a/header_symlinks/Security/SecCodePriv.h b/header_symlinks/Security/SecCodePriv.h
new file mode 120000
index 00000000..262fcde4
--- /dev/null
+++ b/header_symlinks/Security/SecCodePriv.h
@@ -0,0 +1 @@
+././../OSX/libsecurity_codesigning/lib/SecCodePriv.h
\ No newline at end of file
diff --git a/header_symlinks/Security/SecCodeSigner.h b/header_symlinks/Security/SecCodeSigner.h
new file mode 120000
index 00000000..bfbce813
--- /dev/null
+++ b/header_symlinks/Security/SecCodeSigner.h
@@ -0,0 +1 @@
+././../OSX/libsecurity_codesigning/lib/SecCodeSigner.h
\ No newline at end of file
diff --git a/keychain/trust/.open_source_exclude b/header_symlinks/Security/SecRandomP.h
similarity index 100%
rename from keychain/trust/.open_source_exclude
rename to header_symlinks/Security/SecRandomP.h
diff --git a/header_symlinks/Security/SecRequirement.h b/header_symlinks/Security/SecRequirement.h
new file mode 120000
index 00000000..9ff00e02
--- /dev/null
+++ b/header_symlinks/Security/SecRequirement.h
@@ -0,0 +1 @@
+././../OSX/libsecurity_codesigning/lib/SecRequirement.h
\ No newline at end of file
diff --git a/header_symlinks/Security/SecRequirementPriv.h b/header_symlinks/Security/SecRequirementPriv.h
new file mode 120000
index 00000000..42f5ece1
--- /dev/null
+++ b/header_symlinks/Security/SecRequirementPriv.h
@@ -0,0 +1 @@
+././../OSX/libsecurity_codesigning/lib/SecRequirementPriv.h
\ No newline at end of file
diff --git a/header_symlinks/Security/SecSignpost.h b/header_symlinks/Security/SecSignpost.h
new file mode 120000
index 00000000..d63913e0
--- /dev/null
+++ b/header_symlinks/Security/SecSignpost.h
@@ -0,0 +1 @@
+./../base/SecSignpost.h
\ No newline at end of file
diff --git a/header_symlinks/Security/SecStaticCode.h b/header_symlinks/Security/SecStaticCode.h
new file mode 120000
index 00000000..116637f7
--- /dev/null
+++ b/header_symlinks/Security/SecStaticCode.h
@@ -0,0 +1 @@
+././../OSX/libsecurity_codesigning/lib/SecStaticCode.h
\ No newline at end of file
diff --git a/header_symlinks/Security/SecStaticCodePriv.h b/header_symlinks/Security/SecStaticCodePriv.h
new file mode 120000
index 00000000..1a626c64
--- /dev/null
+++ b/header_symlinks/Security/SecStaticCodePriv.h
@@ -0,0 +1 @@
+././../OSX/libsecurity_codesigning/lib/SecStaticCodePriv.h
\ No newline at end of file
diff --git a/header_symlinks/Security/X509Templates.h b/header_symlinks/Security/X509Templates.h
new file mode 120000
index 00000000..e0dff012
--- /dev/null
+++ b/header_symlinks/Security/X509Templates.h
@@ -0,0 +1 @@
+././../OSX/libsecurity_asn1/lib/X509Templates.h
\ No newline at end of file
diff --git a/header_symlinks/Security/keyTemplates.h b/header_symlinks/Security/keyTemplates.h
new file mode 120000
index 00000000..6d9c1652
--- /dev/null
+++ b/header_symlinks/Security/keyTemplates.h
@@ -0,0 +1 @@
+././../OSX/libsecurity_asn1/lib/keyTemplates.h
\ No newline at end of file
diff --git a/header_symlinks/Security/nameTemplates.h b/header_symlinks/Security/nameTemplates.h
new file mode 120000
index 00000000..9aa683b9
--- /dev/null
+++ b/header_symlinks/Security/nameTemplates.h
@@ -0,0 +1 @@
+././../OSX/libsecurity_asn1/lib/nameTemplates.h
\ No newline at end of file
diff --git a/header_symlinks/Security/oids.h b/header_symlinks/Security/oids.h
new file mode 120000
index 00000000..d760f054
--- /dev/null
+++ b/header_symlinks/Security/oids.h
@@ -0,0 +1 @@
+./../trust/oids.h
\ No newline at end of file
diff --git a/header_symlinks/Security/oidsattr.h b/header_symlinks/Security/oidsattr.h
new file mode 120000
index 00000000..6a56c805
--- /dev/null
+++ b/header_symlinks/Security/oidsattr.h
@@ -0,0 +1 @@
+././../OSX/libsecurity_asn1/lib/oidsattr.h
\ No newline at end of file
diff --git a/header_symlinks/iOS/Security/CSCommon.h b/header_symlinks/iOS/Security/CSCommon.h
deleted file mode 120000
index a2c01617..00000000
--- a/header_symlinks/iOS/Security/CSCommon.h
+++ /dev/null
@@ -1 +0,0 @@
-./../../OSX/libsecurity_codesigning/lib/CSCommon.h
\ No newline at end of file
diff --git a/header_symlinks/iOS/Security/CSCommonPriv.h b/header_symlinks/iOS/Security/CSCommonPriv.h
deleted file mode 120000
index fc11d821..00000000
--- a/header_symlinks/iOS/Security/CSCommonPriv.h
+++ /dev/null
@@ -1 +0,0 @@
-./../../OSX/libsecurity_codesigning/lib/CSCommonPriv.h
\ No newline at end of file
diff --git a/header_symlinks/iOS/Security/CodeSigning.h b/header_symlinks/iOS/Security/CodeSigning.h
deleted file mode 120000
index 3f02ac7b..00000000
--- a/header_symlinks/iOS/Security/CodeSigning.h
+++ /dev/null
@@ -1 +0,0 @@
-./../../OSX/libsecurity_codesigning/lib/CodeSigning.h
\ No newline at end of file
diff --git a/header_symlinks/iOS/Security/SecCode.h b/header_symlinks/iOS/Security/SecCode.h
deleted file mode 120000
index ed9f8f59..00000000
--- a/header_symlinks/iOS/Security/SecCode.h
+++ /dev/null
@@ -1 +0,0 @@
-./../../OSX/libsecurity_codesigning/lib/SecCode.h
\ No newline at end of file
diff --git a/header_symlinks/iOS/Security/SecCodeHost.h b/header_symlinks/iOS/Security/SecCodeHost.h
deleted file mode 120000
index 484bbaeb..00000000
--- a/header_symlinks/iOS/Security/SecCodeHost.h
+++ /dev/null
@@ -1 +0,0 @@
-./../../OSX/libsecurity_codesigning/lib/SecCodeHost.h
\ No newline at end of file
diff --git a/header_symlinks/iOS/Security/SecCodePriv.h b/header_symlinks/iOS/Security/SecCodePriv.h
deleted file mode 120000
index fedda6e6..00000000
--- a/header_symlinks/iOS/Security/SecCodePriv.h
+++ /dev/null
@@ -1 +0,0 @@
-./../../OSX/libsecurity_codesigning/lib/SecCodePriv.h
\ No newline at end of file
diff --git a/header_symlinks/iOS/Security/SecCodeSigner.h b/header_symlinks/iOS/Security/SecCodeSigner.h
deleted file mode 120000
index 3f2e50d6..00000000
--- a/header_symlinks/iOS/Security/SecCodeSigner.h
+++ /dev/null
@@ -1 +0,0 @@
-./../../OSX/libsecurity_codesigning/lib/SecCodeSigner.h
\ No newline at end of file
diff --git a/header_symlinks/iOS/Security/SecRequirement.h b/header_symlinks/iOS/Security/SecRequirement.h
deleted file mode 120000
index d1a9c5be..00000000
--- a/header_symlinks/iOS/Security/SecRequirement.h
+++ /dev/null
@@ -1 +0,0 @@
-./../../OSX/libsecurity_codesigning/lib/SecRequirement.h
\ No newline at end of file
diff --git a/header_symlinks/iOS/Security/SecRequirementPriv.h b/header_symlinks/iOS/Security/SecRequirementPriv.h
deleted file mode 120000
index dcfaa942..00000000
--- a/header_symlinks/iOS/Security/SecRequirementPriv.h
+++ /dev/null
@@ -1 +0,0 @@
-./../../OSX/libsecurity_codesigning/lib/SecRequirementPriv.h
\ No newline at end of file
diff --git a/header_symlinks/iOS/Security/SecStaticCode.h b/header_symlinks/iOS/Security/SecStaticCode.h
deleted file mode 120000
index a3d61d95..00000000
--- a/header_symlinks/iOS/Security/SecStaticCode.h
+++ /dev/null
@@ -1 +0,0 @@
-./../../OSX/libsecurity_codesigning/lib/SecStaticCode.h
\ No newline at end of file
diff --git a/header_symlinks/iOS/Security/SecStaticCodePriv.h b/header_symlinks/iOS/Security/SecStaticCodePriv.h
deleted file mode 120000
index 82e25d4a..00000000
--- a/header_symlinks/iOS/Security/SecStaticCodePriv.h
+++ /dev/null
@@ -1 +0,0 @@
-./../../OSX/libsecurity_codesigning/lib/SecStaticCodePriv.h
\ No newline at end of file
diff --git a/header_symlinks/iOS/Security/X509Templates.h b/header_symlinks/iOS/Security/X509Templates.h
deleted file mode 120000
index 4e02f5b8..00000000
--- a/header_symlinks/iOS/Security/X509Templates.h
+++ /dev/null
@@ -1 +0,0 @@
-./../../OSX/libsecurity_asn1/lib/X509Templates.h
\ No newline at end of file
diff --git a/header_symlinks/iOS/Security/keyTemplates.h b/header_symlinks/iOS/Security/keyTemplates.h
deleted file mode 120000
index 86bd66db..00000000
--- a/header_symlinks/iOS/Security/keyTemplates.h
+++ /dev/null
@@ -1 +0,0 @@
-./../../OSX/libsecurity_asn1/lib/keyTemplates.h
\ No newline at end of file
diff --git a/header_symlinks/iOS/Security/nameTemplates.h b/header_symlinks/iOS/Security/nameTemplates.h
deleted file mode 120000
index 1af658bf..00000000
--- a/header_symlinks/iOS/Security/nameTemplates.h
+++ /dev/null
@@ -1 +0,0 @@
-./../../OSX/libsecurity_asn1/lib/nameTemplates.h
\ No newline at end of file
diff --git a/header_symlinks/iOS/Security/oidsattr.h b/header_symlinks/iOS/Security/oidsattr.h
deleted file mode 120000
index 2c68f9a5..00000000
--- a/header_symlinks/iOS/Security/oidsattr.h
+++ /dev/null
@@ -1 +0,0 @@
-./../../OSX/libsecurity_asn1/lib/oidsattr.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/AuthSession.h b/header_symlinks/macOS/Security/AuthSession.h
new file mode 120000
index 00000000..5e9f7d35
--- /dev/null
+++ b/header_symlinks/macOS/Security/AuthSession.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_authorization/lib/AuthSession.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/Authorization.h b/header_symlinks/macOS/Security/Authorization.h
new file mode 120000
index 00000000..de551aa8
--- /dev/null
+++ b/header_symlinks/macOS/Security/Authorization.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_authorization/lib/Authorization.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/AuthorizationDB.h b/header_symlinks/macOS/Security/AuthorizationDB.h
new file mode 120000
index 00000000..0ae307d7
--- /dev/null
+++ b/header_symlinks/macOS/Security/AuthorizationDB.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_authorization/lib/AuthorizationDB.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/AuthorizationPlugin.h b/header_symlinks/macOS/Security/AuthorizationPlugin.h
new file mode 120000
index 00000000..35ee221b
--- /dev/null
+++ b/header_symlinks/macOS/Security/AuthorizationPlugin.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_authorization/lib/AuthorizationPlugin.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/AuthorizationPriv.h b/header_symlinks/macOS/Security/AuthorizationPriv.h
new file mode 120000
index 00000000..516588e4
--- /dev/null
+++ b/header_symlinks/macOS/Security/AuthorizationPriv.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_authorization/lib/AuthorizationPriv.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/AuthorizationTags.h b/header_symlinks/macOS/Security/AuthorizationTags.h
new file mode 120000
index 00000000..97eab30e
--- /dev/null
+++ b/header_symlinks/macOS/Security/AuthorizationTags.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_authorization/lib/AuthorizationTags.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/AuthorizationTagsPriv.h b/header_symlinks/macOS/Security/AuthorizationTagsPriv.h
new file mode 120000
index 00000000..f0ece70a
--- /dev/null
+++ b/header_symlinks/macOS/Security/AuthorizationTagsPriv.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_authorization/lib/AuthorizationTagsPriv.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/CMSDecoder.h b/header_symlinks/macOS/Security/CMSDecoder.h
new file mode 120000
index 00000000..3b5d8995
--- /dev/null
+++ b/header_symlinks/macOS/Security/CMSDecoder.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_cms/lib/CMSDecoder.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/CMSEncoder.h b/header_symlinks/macOS/Security/CMSEncoder.h
new file mode 120000
index 00000000..6be993dc
--- /dev/null
+++ b/header_symlinks/macOS/Security/CMSEncoder.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_cms/lib/CMSEncoder.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/CMSPrivate.h b/header_symlinks/macOS/Security/CMSPrivate.h
new file mode 120000
index 00000000..557fb87f
--- /dev/null
+++ b/header_symlinks/macOS/Security/CMSPrivate.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_cms/lib/CMSPrivate.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/CipherSuite.h b/header_symlinks/macOS/Security/CipherSuite.h
new file mode 120000
index 00000000..d3f4fef0
--- /dev/null
+++ b/header_symlinks/macOS/Security/CipherSuite.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_ssl/lib/CipherSuite.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecACL.h b/header_symlinks/macOS/Security/SecACL.h
new file mode 120000
index 00000000..5a8d417d
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecACL.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_keychain/lib/SecACL.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecASN1Coder.h b/header_symlinks/macOS/Security/SecASN1Coder.h
new file mode 120000
index 00000000..1c2f34cf
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecASN1Coder.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_asn1/lib/SecAsn1Coder.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecASN1Templates.h b/header_symlinks/macOS/Security/SecASN1Templates.h
new file mode 120000
index 00000000..79eb8e10
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecASN1Templates.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_asn1/lib/SecAsn1Templates.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecAccess.h b/header_symlinks/macOS/Security/SecAccess.h
new file mode 120000
index 00000000..0cca8021
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecAccess.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_keychain/lib/SecAccess.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecAccessControl.h b/header_symlinks/macOS/Security/SecAccessControl.h
new file mode 120000
index 00000000..49bc4ad0
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecAccessControl.h
@@ -0,0 +1 @@
+./../../keychain/SecAccessControl.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecAccessPriv.h b/header_symlinks/macOS/Security/SecAccessPriv.h
new file mode 120000
index 00000000..324d8187
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecAccessPriv.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_keychain/lib/SecAccessPriv.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecCertificateBundle.h b/header_symlinks/macOS/Security/SecCertificateBundle.h
new file mode 120000
index 00000000..b651860d
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecCertificateBundle.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_keychain/lib/SecCertificateBundle.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecCertificateOIDs.h b/header_symlinks/macOS/Security/SecCertificateOIDs.h
new file mode 120000
index 00000000..dd3b4e15
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecCertificateOIDs.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_keychain/lib/SecCertificateOIDs.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecCmsDigestedData.h b/header_symlinks/macOS/Security/SecCmsDigestedData.h
new file mode 120000
index 00000000..31c66b51
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecCmsDigestedData.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_smime/lib/SecCmsDigestedData.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecCmsEncryptedData.h b/header_symlinks/macOS/Security/SecCmsEncryptedData.h
new file mode 120000
index 00000000..cc59cb7f
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecCmsEncryptedData.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_smime/lib/SecCmsEncryptedData.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecCustomTransform.h b/header_symlinks/macOS/Security/SecCustomTransform.h
new file mode 120000
index 00000000..f79ef46c
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecCustomTransform.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_transform/lib/SecCustomTransform.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecDecodeTransform.h b/header_symlinks/macOS/Security/SecDecodeTransform.h
new file mode 120000
index 00000000..0ba1af07
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecDecodeTransform.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_transform/lib/SecDecodeTransform.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecDigestTransform.h b/header_symlinks/macOS/Security/SecDigestTransform.h
new file mode 120000
index 00000000..30c69218
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecDigestTransform.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_transform/lib/SecDigestTransform.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecEncodeTransform.h b/header_symlinks/macOS/Security/SecEncodeTransform.h
new file mode 120000
index 00000000..b9f1330c
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecEncodeTransform.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_transform/lib/SecEncodeTransform.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecEncryptTransform.h b/header_symlinks/macOS/Security/SecEncryptTransform.h
new file mode 120000
index 00000000..ef3a8e71
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecEncryptTransform.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_transform/lib/SecEncryptTransform.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecIdentitySearch.h b/header_symlinks/macOS/Security/SecIdentitySearch.h
new file mode 120000
index 00000000..1d1c5b82
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecIdentitySearch.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_keychain/lib/SecIdentitySearch.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecIdentitySearchPriv.h b/header_symlinks/macOS/Security/SecIdentitySearchPriv.h
new file mode 120000
index 00000000..f6e611a7
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecIdentitySearchPriv.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_keychain/lib/SecIdentitySearchPriv.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecKeychain.h b/header_symlinks/macOS/Security/SecKeychain.h
new file mode 120000
index 00000000..37d88c39
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecKeychain.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_keychain/lib/SecKeychain.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecKeychainItem.h b/header_symlinks/macOS/Security/SecKeychainItem.h
new file mode 120000
index 00000000..664949a8
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecKeychainItem.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_keychain/lib/SecKeychainItem.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecKeychainItemPriv.h b/header_symlinks/macOS/Security/SecKeychainItemPriv.h
new file mode 120000
index 00000000..492a149a
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecKeychainItemPriv.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_keychain/lib/SecKeychainItemPriv.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecKeychainPriv.h b/header_symlinks/macOS/Security/SecKeychainPriv.h
new file mode 120000
index 00000000..85953b19
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecKeychainPriv.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_keychain/lib/SecKeychainPriv.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecKeychainSearch.h b/header_symlinks/macOS/Security/SecKeychainSearch.h
new file mode 120000
index 00000000..c43f34f8
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecKeychainSearch.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_keychain/lib/SecKeychainSearch.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecKeychainSearchPriv.h b/header_symlinks/macOS/Security/SecKeychainSearchPriv.h
new file mode 120000
index 00000000..6ad6bf6f
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecKeychainSearchPriv.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_keychain/lib/SecKeychainSearchPriv.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecPolicySearch.h b/header_symlinks/macOS/Security/SecPolicySearch.h
new file mode 120000
index 00000000..3b734d12
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecPolicySearch.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_keychain/lib/SecPolicySearch.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecReadTransform.h b/header_symlinks/macOS/Security/SecReadTransform.h
new file mode 120000
index 00000000..c7e02bc5
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecReadTransform.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_transform/lib/SecReadTransform.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecSMIME.h b/header_symlinks/macOS/Security/SecSMIME.h
new file mode 120000
index 00000000..35059140
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecSMIME.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_smime/lib/SecSMIME.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecSignVerifyTransform.h b/header_symlinks/macOS/Security/SecSignVerifyTransform.h
new file mode 120000
index 00000000..c01dcc32
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecSignVerifyTransform.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_transform/lib/SecSignVerifyTransform.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecTransform.h b/header_symlinks/macOS/Security/SecTransform.h
new file mode 120000
index 00000000..1aa456d0
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecTransform.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_transform/lib/SecTransform.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecTransformReadTransform.h b/header_symlinks/macOS/Security/SecTransformReadTransform.h
new file mode 120000
index 00000000..d2cbd0a1
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecTransformReadTransform.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_transform/lib/SecTransformReadTransform.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecTrustedApplication.h b/header_symlinks/macOS/Security/SecTrustedApplication.h
new file mode 120000
index 00000000..c5a12708
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecTrustedApplication.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_keychain/lib/SecTrustedApplication.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecTrustedApplicationPriv.h b/header_symlinks/macOS/Security/SecTrustedApplicationPriv.h
new file mode 120000
index 00000000..2c315c5a
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecTrustedApplicationPriv.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_keychain/lib/SecTrustedApplicationPriv.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/SecureTransport.h b/header_symlinks/macOS/Security/SecureTransport.h
new file mode 120000
index 00000000..adb0d587
--- /dev/null
+++ b/header_symlinks/macOS/Security/SecureTransport.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_ssl/lib/SecureTransport.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/TrustSettingsSchema.h b/header_symlinks/macOS/Security/TrustSettingsSchema.h
new file mode 120000
index 00000000..477e723d
--- /dev/null
+++ b/header_symlinks/macOS/Security/TrustSettingsSchema.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_keychain/lib/TrustSettingsSchema.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/certExtensionTemplates.h b/header_symlinks/macOS/Security/certExtensionTemplates.h
new file mode 120000
index 00000000..5910b0cb
--- /dev/null
+++ b/header_symlinks/macOS/Security/certExtensionTemplates.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_asn1/lib/certExtensionTemplates.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/checkpw.h b/header_symlinks/macOS/Security/checkpw.h
new file mode 120000
index 00000000..c9aca420
--- /dev/null
+++ b/header_symlinks/macOS/Security/checkpw.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_checkpw/lib/checkpw.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/csrTemplates.h b/header_symlinks/macOS/Security/csrTemplates.h
new file mode 120000
index 00000000..01434ee5
--- /dev/null
+++ b/header_symlinks/macOS/Security/csrTemplates.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_asn1/lib/csrTemplates.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/cssm.h b/header_symlinks/macOS/Security/cssm.h
new file mode 120000
index 00000000..cdec35c9
--- /dev/null
+++ b/header_symlinks/macOS/Security/cssm.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_cssm/lib/cssm.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/cssmaci.h b/header_symlinks/macOS/Security/cssmaci.h
new file mode 120000
index 00000000..ab97d742
--- /dev/null
+++ b/header_symlinks/macOS/Security/cssmaci.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_cssm/lib/cssmaci.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/cssmapi.h b/header_symlinks/macOS/Security/cssmapi.h
new file mode 120000
index 00000000..88d33194
--- /dev/null
+++ b/header_symlinks/macOS/Security/cssmapi.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_cssm/lib/cssmapi.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/cssmapple.h b/header_symlinks/macOS/Security/cssmapple.h
new file mode 120000
index 00000000..246de2d8
--- /dev/null
+++ b/header_symlinks/macOS/Security/cssmapple.h
@@ -0,0 +1 @@
+./../../cssm/cssmapple.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/cssmapplePriv.h b/header_symlinks/macOS/Security/cssmapplePriv.h
new file mode 120000
index 00000000..4bb4e6c5
--- /dev/null
+++ b/header_symlinks/macOS/Security/cssmapplePriv.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_cssm/lib/cssmapplePriv.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/cssmcli.h b/header_symlinks/macOS/Security/cssmcli.h
new file mode 120000
index 00000000..4f69edb9
--- /dev/null
+++ b/header_symlinks/macOS/Security/cssmcli.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_cssm/lib/cssmcli.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/cssmconfig.h b/header_symlinks/macOS/Security/cssmconfig.h
new file mode 120000
index 00000000..006fed21
--- /dev/null
+++ b/header_symlinks/macOS/Security/cssmconfig.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_cssm/lib/cssmconfig.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/cssmcspi.h b/header_symlinks/macOS/Security/cssmcspi.h
new file mode 120000
index 00000000..f1e2c87e
--- /dev/null
+++ b/header_symlinks/macOS/Security/cssmcspi.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_cssm/lib/cssmcspi.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/cssmdli.h b/header_symlinks/macOS/Security/cssmdli.h
new file mode 120000
index 00000000..cd9fe8dc
--- /dev/null
+++ b/header_symlinks/macOS/Security/cssmdli.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_cssm/lib/cssmdli.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/cssmerr.h b/header_symlinks/macOS/Security/cssmerr.h
new file mode 120000
index 00000000..b450a619
--- /dev/null
+++ b/header_symlinks/macOS/Security/cssmerr.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_cssm/lib/cssmerr.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/cssmkrapi.h b/header_symlinks/macOS/Security/cssmkrapi.h
new file mode 120000
index 00000000..616fca79
--- /dev/null
+++ b/header_symlinks/macOS/Security/cssmkrapi.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_cssm/lib/cssmkrapi.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/cssmkrspi.h b/header_symlinks/macOS/Security/cssmkrspi.h
new file mode 120000
index 00000000..4ed381a3
--- /dev/null
+++ b/header_symlinks/macOS/Security/cssmkrspi.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_cssm/lib/cssmkrspi.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/cssmspi.h b/header_symlinks/macOS/Security/cssmspi.h
new file mode 120000
index 00000000..407debd9
--- /dev/null
+++ b/header_symlinks/macOS/Security/cssmspi.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_cssm/lib/cssmspi.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/cssmtpi.h b/header_symlinks/macOS/Security/cssmtpi.h
new file mode 120000
index 00000000..cb59c36d
--- /dev/null
+++ b/header_symlinks/macOS/Security/cssmtpi.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_cssm/lib/cssmtpi.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/cssmtype.h b/header_symlinks/macOS/Security/cssmtype.h
new file mode 120000
index 00000000..67ef1ff8
--- /dev/null
+++ b/header_symlinks/macOS/Security/cssmtype.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_cssm/lib/cssmtype.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/emmspi.h b/header_symlinks/macOS/Security/emmspi.h
new file mode 120000
index 00000000..af3f7c26
--- /dev/null
+++ b/header_symlinks/macOS/Security/emmspi.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_cssm/lib/emmspi.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/emmtype.h b/header_symlinks/macOS/Security/emmtype.h
new file mode 120000
index 00000000..c0779924
--- /dev/null
+++ b/header_symlinks/macOS/Security/emmtype.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_cssm/lib/emmtype.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/mds.h b/header_symlinks/macOS/Security/mds.h
new file mode 120000
index 00000000..9baf55e1
--- /dev/null
+++ b/header_symlinks/macOS/Security/mds.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_mds/lib/mds.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/mds_schema.h b/header_symlinks/macOS/Security/mds_schema.h
new file mode 120000
index 00000000..5b6dbe0f
--- /dev/null
+++ b/header_symlinks/macOS/Security/mds_schema.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_mds/lib/mds_schema.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/mdspriv.h b/header_symlinks/macOS/Security/mdspriv.h
new file mode 120000
index 00000000..26456831
--- /dev/null
+++ b/header_symlinks/macOS/Security/mdspriv.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_mds/lib/mdspriv.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/ocspTemplates.h b/header_symlinks/macOS/Security/ocspTemplates.h
new file mode 120000
index 00000000..5cdaef70
--- /dev/null
+++ b/header_symlinks/macOS/Security/ocspTemplates.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_asn1/lib/ocspTemplates.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/oids.h b/header_symlinks/macOS/Security/oids.h
new file mode 120000
index 00000000..d5320bd2
--- /dev/null
+++ b/header_symlinks/macOS/Security/oids.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_keychain/libDER/libDER/oids.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/oidsalg.h b/header_symlinks/macOS/Security/oidsalg.h
new file mode 120000
index 00000000..019d63f2
--- /dev/null
+++ b/header_symlinks/macOS/Security/oidsalg.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_asn1/lib/oidsalg.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/oidscert.h b/header_symlinks/macOS/Security/oidscert.h
new file mode 120000
index 00000000..ca96a371
--- /dev/null
+++ b/header_symlinks/macOS/Security/oidscert.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_cssm/lib/oidscert.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/oidscrl.h b/header_symlinks/macOS/Security/oidscrl.h
new file mode 120000
index 00000000..d9c80e98
--- /dev/null
+++ b/header_symlinks/macOS/Security/oidscrl.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_cssm/lib/oidscrl.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/osKeyTemplates.h b/header_symlinks/macOS/Security/osKeyTemplates.h
new file mode 120000
index 00000000..ac9e5316
--- /dev/null
+++ b/header_symlinks/macOS/Security/osKeyTemplates.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_asn1/lib/osKeyTemplates.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/secasn1t.h b/header_symlinks/macOS/Security/secasn1t.h
new file mode 120000
index 00000000..941f15f3
--- /dev/null
+++ b/header_symlinks/macOS/Security/secasn1t.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_asn1/lib/secasn1t.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/tsaTemplates.h b/header_symlinks/macOS/Security/tsaTemplates.h
new file mode 120000
index 00000000..f212ae66
--- /dev/null
+++ b/header_symlinks/macOS/Security/tsaTemplates.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_smime/lib/tsaTemplates.h
\ No newline at end of file
diff --git a/header_symlinks/macOS/Security/x509defs.h b/header_symlinks/macOS/Security/x509defs.h
new file mode 120000
index 00000000..d2bdeb7c
--- /dev/null
+++ b/header_symlinks/macOS/Security/x509defs.h
@@ -0,0 +1 @@
+./../../OSX/libsecurity_cssm/lib/x509defs.h
\ No newline at end of file
diff --git a/keychain/SecAccessControl.h b/keychain/SecAccessControl.h
index 98f7fd74..3701baf3 100644
--- a/keychain/SecAccessControl.h
+++ b/keychain/SecAccessControl.h
@@ -46,18 +46,57 @@ CF_IMPLICIT_BRIDGING_ENABLED CFTypeID SecAccessControlGetTypeID(void) __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0); +/*! + @typedef SecAccessControlCreateFlags + + @constant kSecAccessControlUserPresence + User presence policy using biometry or Passcode. Biometry does not have to be available or enrolled. Item is still + accessible by Touch ID even if fingers are added or removed. Item is still accessible by Face ID if user is re-enrolled. + + @constant kSecAccessControlBiometryAny + Constraint: Touch ID (any finger) or Face ID. Touch ID or Face ID must be available. With Touch ID + at least one finger must be enrolled. With Face ID user has to be enrolled. Item is still accessible by Touch ID even + if fingers are added or removed. Item is still accessible by Face ID if user is re-enrolled. + + @constant kSecAccessControlTouchIDAny + Deprecated, please use kSecAccessControlBiometryAny instead. + + @constant kSecAccessControlBiometryCurrentSet + Constraint: Touch ID from the set of currently enrolled fingers. Touch ID must be available and at least one finger must + be enrolled. When fingers are added or removed, the item is invalidated. When Face ID is re-enrolled this item is invalidated. + + @constant kSecAccessControlTouchIDCurrentSet + Deprecated, please use kSecAccessControlBiometryCurrentSet instead. + + @constant kSecAccessControlDevicePasscode + Constraint: Device passcode + + @constant kSecAccessControlOr + Constraint logic operation: when using more than one constraint, at least one of them must be satisfied. + + @constant kSecAccessControlAnd + Constraint logic operation: when using more than one constraint, all must be satisfied. + + @constant kSecAccessControlPrivateKeyUsage + Create access control for private key operations (i.e. sign operation) + + @constant kSecAccessControlApplicationPassword + Security: Application provided password for data encryption key generation. 
This is not a constraint but additional item + encryption mechanism. +*/ typedef CF_OPTIONS(CFOptionFlags, SecAccessControlCreateFlags) { - kSecAccessControlUserPresence = 1 << 0, // User presence policy using biometry or Passcode. Biometry does not have to be available or enrolled. Item is still accessible by Touch ID even if fingers are added or removed. Item is still accessible by Face ID if user is re-enrolled. - kSecAccessControlTouchIDAny CF_ENUM_AVAILABLE(10_12_1, 9_0) = 1u << 1, // Constraint: Touch ID (any finger) or Face ID. Touch ID or Face ID must be available. With Touch ID at least one finger must be enrolled. With Face ID user has to be enrolled. Item is still accessible by Touch ID even if fingers are added or removed. Item is still accessible by Face ID if user is re-enrolled. - kSecAccessControlTouchIDCurrentSet CF_ENUM_AVAILABLE(10_12_1, 9_0) = 1u << 3, // Constraint: Touch ID from the set of currently enrolled fingers. Touch ID must be available and at least one finger must be enrolled. When fingers are added or removed, the item is invalidated. When Face ID is re-enrolled this item is invalidated. - kSecAccessControlDevicePasscode CF_ENUM_AVAILABLE(10_11, 9_0) = 1u << 4, // Constraint: Device passcode - kSecAccessControlOr CF_ENUM_AVAILABLE(10_12_1, 9_0) = 1u << 14, // Constraint logic operation: when using more than one constraint, at least one of them must be satisfied. - kSecAccessControlAnd CF_ENUM_AVAILABLE(10_12_1, 9_0) = 1u << 15, // Constraint logic operation: when using more than one constraint, all must be satisfied. - kSecAccessControlPrivateKeyUsage CF_ENUM_AVAILABLE(10_12_1, 9_0) = 1u << 30, // Create access control for private key operations (i.e. sign operation) - kSecAccessControlApplicationPassword CF_ENUM_AVAILABLE(10_12_1, 9_0) = 1u << 31, // Security: Application provided password for data encryption key generation. This is not a constraint but additional item encryption mechanism. 
+ kSecAccessControlUserPresence = 1u << 0, + kSecAccessControlBiometryAny CF_ENUM_AVAILABLE(10_13_4, 11_3) = 1u << 1, + kSecAccessControlTouchIDAny API_DEPRECATED_WITH_REPLACEMENT("kSecAccessControlBiometryAny", macos(10.12.1, 10.13.4), ios(9.0, 11.3)) = 1u << 1, + kSecAccessControlBiometryCurrentSet CF_ENUM_AVAILABLE(10_13_4, 11_3) = 1u << 3, + kSecAccessControlTouchIDCurrentSet API_DEPRECATED_WITH_REPLACEMENT("kSecAccessControlBiometryCurrentSet", macos(10.12.1, 10.13.4), ios(9.0, 11.3)) = 1u << 3, + kSecAccessControlDevicePasscode CF_ENUM_AVAILABLE(10_11, 9_0) = 1u << 4, + kSecAccessControlOr CF_ENUM_AVAILABLE(10_12_1, 9_0) = 1u << 14, + kSecAccessControlAnd CF_ENUM_AVAILABLE(10_12_1, 9_0) = 1u << 15, + kSecAccessControlPrivateKeyUsage CF_ENUM_AVAILABLE(10_12_1, 9_0) = 1u << 30, + kSecAccessControlApplicationPassword CF_ENUM_AVAILABLE(10_12_1, 9_0) = 1u << 31, } __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0); - /*! @function SecAccessControlCreateWithFlags @abstract Creates new access control object based on protection type and additional flags. diff --git a/keychain/SecImportExport.h b/keychain/SecImportExport.h index 225ad9af..7badf0ed 100644 --- a/keychain/SecImportExport.h +++ b/keychain/SecImportExport.h @@ -251,7 +251,7 @@ typedef struct OSStatus SecKeychainItemExport( CFTypeRef keychainItemOrArray, SecExternalFormat outputFormat, - SecItemImportExportFlags flags, /* kSecItemPemArmor, etc. */ + SecItemImportExportFlags flags, /* kSecItemPemArmour, etc. */ const SecKeyImportExportParameters * __nullable keyParams, /* optional */ CFDataRef * __nonnull CF_RETURNS_RETAINED exportedData) /* external representation returned here */ DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER; 
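Review bot: The new `@constant kSecAccessControlBiometryCurrentSet` entry still opens with "Constraint: Touch ID from the set of currently enrolled fingers", although the constant was renamed to cover Face ID and its own last sentence already describes Face ID re-enrollment. The opening should name both, e.g. `Constraint: Touch ID from the set of currently enrolled fingers, or Face ID with the current enrollment.` The `kSecAccessControlBiometryAny` and `kSecAccessControlUserPresence` entries say the item stays accessible when fingers are added or removed, but not what that means for callers. I would add one sentence to each: `A biometric enrolled after the item was stored can also unlock it; use kSecAccessControlBiometryCurrentSet when the item must be bound to the enrollment present at creation time.` `kSecAccessControlUserPresence` is also the only enumerator without its own availability annotation; if it is meant to inherit the typedef's, a short comment saying so would prevent a later "fix".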
@@ -311,10 +311,10 @@ OSStatus SecKeychainItemExport( OSStatus SecItemExport( CFTypeRef secItemOrArray, SecExternalFormat outputFormat, - SecItemImportExportFlags flags, /* kSecItemPemArmor, etc. */ + SecItemImportExportFlags flags, /* kSecItemPemArmour, etc. */ const SecItemImportExportKeyParameters * __nullable keyParams, /* optional */ CFDataRef * __nonnull CF_RETURNS_RETAINED exportedData) /* external representation returned here */ - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); /* * SecKeychainItemImport() * @@ -351,7 +351,7 @@ OSStatus SecItemExport( * be unwise for an application to count on that ability. * * PEM formatting is determined internally via inspection of the incoming - * data, so the kSecItemPemArmuor in the flags field is ignored. + * data, so the kSecItemPemArmour in the flags field is ignored. * * Zero, one, or both of the following occurs upon successful completion * of this function: @@ -510,7 +510,7 @@ OSStatus SecKeychainItemImport( * be unwise for an application to count on that ability. * * PEM formatting is determined internally via inspection of the incoming - * data, so the kSecItemPemArmuor in the flags field is ignored. + * data, so the kSecItemPemArmour in the flags field is ignored. * * Zero, one, or both of the following occurs upon successful completion * of this function: @@ -640,7 +640,7 @@ OSStatus SecItemImport( const SecItemImportExportKeyParameters * __nullable keyParams, /* optional */ SecKeychainRef __nullable importKeychain, /* optional */ CFArrayRef * __nullable CF_RETURNS_RETAINED outItems) /* optional */ - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); #endif /* SEC_OS_OSX */ /*! 
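Review bot: `API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA))` on `SecItemExport` expresses "not on this platform" as a version argument and says nothing about tvOS or watchOS, whereas the replaced `__IPHONE_NA` form was the explicit not-available marker. How `NA` expands inside `API_AVAILABLE` is not visible on this page, so it is worth confirming that the symbol still ends up marked unavailable rather than merely unannotated. Writing `API_AVAILABLE(macos(10.7)) API_UNAVAILABLE(ios, tvos, watchos, bridgeos)` states the intent directly and keeps macOS-only keychain entry points from looking callable elsewhere. The same spelling recurs on `SecItemImport` in the `@@ -640,7` hunk and on the macOS-only constants in the later hunks (`kSecImportExportKeychain`, `kSecAttrAccess`, `kSecAttrKeyTypeDSA`, `kSecUseKeychain` and others).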
@@ -651,11 +651,11 @@ OSStatus SecItemImport( @constant kSecImportExportAccess On OSX, specifies an access represented by a SecAccessRef for the initial access (ACL) of a key imported from PKCS#12 format. */ extern const CFStringRef kSecImportExportPassphrase - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecImportExportKeychain - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); extern const CFStringRef kSecImportExportAccess - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); /*! @enum Import/Export item description @@ -674,15 +674,15 @@ extern const CFStringRef kSecImportExportAccess certificates for this item's identity */ extern const CFStringRef kSecImportItemLabel - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecImportItemKeyID - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecImportItemTrust - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecImportItemCertChain - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecImportItemIdentity - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); /*! @function SecPKCS12Import @@ -700,7 +700,7 @@ extern const CFStringRef kSecImportItemIdentity incorrect password was supplied, or data in the container is damaged. */ OSStatus SecPKCS12Import(CFDataRef pkcs12_data, CFDictionaryRef options, CFArrayRef * __nonnull CF_RETURNS_RETAINED items) - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); CF_IMPLICIT_BRIDGING_DISABLED 
diff --git a/keychain/SecItem.h b/keychain/SecItem.h index f34d6957..1329fa22 100644 --- a/keychain/SecItem.h +++ b/keychain/SecItem.h @@ -51,7 +51,7 @@ CF_IMPLICIT_BRIDGING_ENABLED that contains the item class code. */ extern const CFStringRef kSecClass - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); /*! @enum Class Value Constants @@ -66,15 +66,15 @@ extern const CFStringRef kSecClass @constant kSecClassIdentity Specifies identity items. */ extern const CFStringRef kSecClassInternetPassword - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecClassGenericPassword - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); + API_AVAILABLE(macos(10.7), ios(2.0)); extern const CFStringRef kSecClassCertificate - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); + API_AVAILABLE(macos(10.7), ios(2.0)); extern const CFStringRef kSecClassKey - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); + API_AVAILABLE(macos(10.7), ios(2.0)); extern const CFStringRef kSecClassIdentity - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); + API_AVAILABLE(macos(10.7), ios(2.0)); /*! @enum Attribute Key Constants 
@@ -447,113 +447,113 @@ extern const CFStringRef kSecClassIdentity backed by device's Secure Enclave. iOS only. */ extern const CFStringRef kSecAttrAccessible - __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0); + API_AVAILABLE(macos(10.9), ios(4.0)); extern const CFStringRef kSecAttrAccess - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); extern const CFStringRef kSecAttrAccessControl - __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0); + API_AVAILABLE(macos(10.10), ios(8.0)); extern const CFStringRef kSecAttrAccessGroup - __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_3_0); + API_AVAILABLE(macos(10.9), ios(3.0)); extern const CFStringRef kSecAttrSynchronizable - __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); + API_AVAILABLE(macos(10.9), ios(7.0)); extern const CFStringRef kSecAttrSynchronizableAny - __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); + API_AVAILABLE(macos(10.9), ios(7.0)); extern const CFStringRef kSecAttrCreationDate - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrModificationDate - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrDescription - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrComment - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrCreator - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrType - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrLabel - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrIsInvisible - 
__OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrIsNegative - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrAccount - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrService - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrGeneric - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrSecurityDomain - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrServer - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocol - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrAuthenticationType - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrPort - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrPath - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrSubject - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrIssuer - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrSerialNumber - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrSubjectKeyID - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), 
ios(2.0)); extern const CFStringRef kSecAttrPublicKeyHash - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrCertificateType - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrCertificateEncoding - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrKeyClass - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrApplicationLabel - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrIsPermanent - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrIsSensitive - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrIsExtractable - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrApplicationTag - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrKeyType - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrPRF - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); extern const CFStringRef kSecAttrSalt - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); extern const CFStringRef kSecAttrRounds - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); extern const CFStringRef kSecAttrKeySizeInBits - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern 
const CFStringRef kSecAttrEffectiveKeySize - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrCanEncrypt - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrCanDecrypt - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrCanDerive - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrCanSign - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrCanVerify - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrCanWrap - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrCanUnwrap - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrSyncViewHint - __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); + API_AVAILABLE(macos(10.11), ios(9.0)); extern const CFStringRef kSecAttrTokenID - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_9_0); + API_AVAILABLE(macos(10.12), ios(9.0)); extern const CFStringRef kSecAttrPersistantReference - __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); + API_AVAILABLE(macos(10.13), ios(11.0), tvos(11.0), watchos(4.0)); extern const CFStringRef kSecAttrPersistentReference -__OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); + API_AVAILABLE(macos(10.13), ios(11.0), tvos(11.0), watchos(4.0)); /*! @enum kSecAttrAccessible Value Constants 
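Review bot: The misspelled `kSecAttrPersistantReference` at the end of this hunk gets the same plain `API_AVAILABLE(macos(10.13), ios(11.0), tvos(11.0), watchos(4.0))` as the correctly spelled `kSecAttrPersistentReference` below it, so nothing steers callers to the right name. If the misspelling is kept only for source compatibility (presumably), mark it the way this commit marks `kSecAccessControlTouchIDAny`: `API_DEPRECATED_WITH_REPLACEMENT("kSecAttrPersistentReference", macos(10.13, <deprecated-in>), ios(11.0, <deprecated-in>), tvos(11.0, <deprecated-in>), watchos(4.0, <deprecated-in>))`. The `<deprecated-in>` values are placeholders for the release that ships the deprecation. A one-line comment above the declaration noting that it is a legacy alias would also help readers of the header.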
@@ -604,19 +604,19 @@ __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AV restored to a new device, these items will be missing. */ extern const CFStringRef kSecAttrAccessibleWhenUnlocked - __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0); + API_AVAILABLE(macos(10.9), ios(4.0)); extern const CFStringRef kSecAttrAccessibleAfterFirstUnlock - __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0); + API_AVAILABLE(macos(10.9), ios(4.0)); extern const CFStringRef kSecAttrAccessibleAlways - __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0); + API_AVAILABLE(macos(10.9), ios(4.0)); extern const CFStringRef kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly - __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0); + API_AVAILABLE(macos(10.10), ios(8.0)); extern const CFStringRef kSecAttrAccessibleWhenUnlockedThisDeviceOnly - __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0); + API_AVAILABLE(macos(10.9), ios(4.0)); extern const CFStringRef kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly - __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0); + API_AVAILABLE(macos(10.9), ios(4.0)); extern const CFStringRef kSecAttrAccessibleAlwaysThisDeviceOnly - __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0); + API_AVAILABLE(macos(10.9), ios(4.0)); /*! @enum kSecAttrProtocol Value Constants 
@@ -656,67 +656,67 @@ extern const CFStringRef kSecAttrAccessibleAlwaysThisDeviceOnly @constant kSecAttrProtocolPOP3S. */ extern const CFStringRef kSecAttrProtocolFTP - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolFTPAccount - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolHTTP - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolIRC - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolNNTP - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolPOP3 - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolSMTP - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolSOCKS - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolIMAP - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolLDAP - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolAppleTalk - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolAFP - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolTelnet - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolSSH - 
__OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolFTPS - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolHTTPS - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolHTTPProxy - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolHTTPSProxy - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolFTPProxy - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolSMB - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolRTSP - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolRTSPProxy - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolDAAP - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolEPPC - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolIPP - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolNNTPS - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolLDAPS - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolTelnetS - 
__OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolIMAPS - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolIRCS - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrProtocolPOP3S - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); /*! @enum kSecAttrAuthenticationType Value Constants @@ -733,21 +733,21 @@ extern const CFStringRef kSecAttrProtocolPOP3S @constant kSecAttrAuthenticationTypeDefault. */ extern const CFStringRef kSecAttrAuthenticationTypeNTLM - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrAuthenticationTypeMSN - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrAuthenticationTypeDPA - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrAuthenticationTypeRPA - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrAuthenticationTypeHTTPBasic - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrAuthenticationTypeHTTPDigest - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrAuthenticationTypeHTMLForm - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecAttrAuthenticationTypeDefault - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); /*! @enum kSecAttrKeyClass Value Constants 
@@ -759,11 +759,11 @@ extern const CFStringRef kSecAttrAuthenticationTypeDefault @constant kSecAttrKeyClassSymmetric. */ extern const CFStringRef kSecAttrKeyClassPublic - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); + API_AVAILABLE(macos(10.7), ios(2.0)); extern const CFStringRef kSecAttrKeyClassPrivate - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); + API_AVAILABLE(macos(10.7), ios(2.0)); extern const CFStringRef kSecAttrKeyClassSymmetric - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); + API_AVAILABLE(macos(10.7), ios(2.0)); /*! @enum kSecAttrKeyType Value Constants 
@@ -781,27 +781,27 @@ extern const CFStringRef kSecAttrKeyClassSymmetric @constant kSecAttrKeyTypeECDSA (deprecated; use kSecAttrKeyTypeEC instead.) (OSX only) */ extern const CFStringRef kSecAttrKeyTypeRSA - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_2_0); + API_AVAILABLE(macos(10.7), ios(2.0)); extern const CFStringRef kSecAttrKeyTypeDSA - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); extern const CFStringRef kSecAttrKeyTypeAES - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); extern const CFStringRef kSecAttrKeyTypeDES - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); extern const CFStringRef kSecAttrKeyType3DES - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); extern const CFStringRef kSecAttrKeyTypeRC4 - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); extern const CFStringRef kSecAttrKeyTypeRC2 - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); extern const CFStringRef kSecAttrKeyTypeCAST - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); extern const CFStringRef kSecAttrKeyTypeECDSA - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); extern const CFStringRef kSecAttrKeyTypeEC - __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_4_0); + API_AVAILABLE(macos(10.9), ios(4.0)); extern const CFStringRef kSecAttrKeyTypeECSECPrimeRandom - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); + API_AVAILABLE(macos(10.12), ios(10.0)); /* @enum kSecAttrPRF Value Constants 
@@ -814,15 +814,15 @@ extern const CFStringRef kSecAttrKeyTypeECSECPrimeRandom @constant kSecAttrPRFHmacAlgSHA512 */ extern const CFStringRef kSecAttrPRFHmacAlgSHA1 - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); extern const CFStringRef kSecAttrPRFHmacAlgSHA224 - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); extern const CFStringRef kSecAttrPRFHmacAlgSHA256 - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); extern const CFStringRef kSecAttrPRFHmacAlgSHA384 - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); extern const CFStringRef kSecAttrPRFHmacAlgSHA512 - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); /*! 
@@ -890,39 +890,39 @@ extern const CFStringRef kSecAttrPRFHmacAlgSHA512 key. */ extern const CFStringRef kSecMatchPolicy - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecMatchItemList - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecMatchSearchList - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecMatchIssuers - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecMatchEmailAddressIfPresent - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecMatchSubjectContains - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecMatchSubjectStartsWith - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); extern const CFStringRef kSecMatchSubjectEndsWith - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); extern const CFStringRef kSecMatchSubjectWholeString - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); extern const CFStringRef kSecMatchCaseInsensitive - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecMatchDiacriticInsensitive - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); extern const CFStringRef kSecMatchWidthInsensitive - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); extern const CFStringRef kSecMatchTrustedOnly - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); 
extern const CFStringRef kSecMatchValidOnDate - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecMatchLimit - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecMatchLimitOne - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecMatchLimitAll - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); /*! @@ -952,13 +952,13 @@ extern const CFStringRef kSecMatchLimitAll persistent reference to an item (CFDataRef) should be returned. */ extern const CFStringRef kSecReturnData - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecReturnAttributes - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecReturnRef - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecReturnPersistentRef - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); /*! @@ -979,11 +979,11 @@ extern const CFStringRef kSecReturnPersistentRef even a different application) to retrieve the item referenced by it. */ extern const CFStringRef kSecValueData - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecValueRef - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecValuePersistentRef - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); /*! 
@@ -1021,17 +1021,17 @@ extern const CFStringRef kSecValuePersistentRef keychain operations. */ extern const CFStringRef kSecUseItemList - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); extern const CFStringRef kSecUseKeychain - __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_NA); + API_AVAILABLE(macos(10.7), ios(NA), bridgeos(NA)); extern const CFStringRef kSecUseOperationPrompt - __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0); + API_AVAILABLE(macos(10.10), ios(8.0)); extern const CFStringRef kSecUseNoAuthenticationUI - __OSX_AVAILABLE_BUT_DEPRECATED_MSG(__MAC_10_10, __MAC_10_11, __IPHONE_8_0, __IPHONE_9_0, "Use a kSecUseAuthenticationUI instead."); + API_DEPRECATED("Use kSecUseAuthenticationUI instead.", macos(10.10, 10.11), ios(8.0, 9.0)); extern const CFStringRef kSecUseAuthenticationUI - __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); + API_AVAILABLE(macos(10.11), ios(9.0)); extern const CFStringRef kSecUseAuthenticationContext - __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); + API_AVAILABLE(macos(10.11), ios(9.0)); /*! @enum kSecUseAuthenticationUI Value Constants @@ -1049,11 +1049,11 @@ extern const CFStringRef kSecUseAuthenticationContext only with SecItemCopyMatching. */ extern const CFStringRef kSecUseAuthenticationUIAllow - __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); + API_AVAILABLE(macos(10.11), ios(9.0)); extern const CFStringRef kSecUseAuthenticationUIFail - __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); + API_AVAILABLE(macos(10.11), ios(9.0)); extern const CFStringRef kSecUseAuthenticationUISkip - __OSX_AVAILABLE_STARTING(__MAC_10_11, __IPHONE_9_0); + API_AVAILABLE(macos(10.11), ios(9.0)); /*! @enum kSecAttrTokenID Value Constants 
@@ -1069,7 +1069,7 @@ extern const CFStringRef kSecUseAuthenticationUISkip possible to import pregenerated keys to kSecAttrTokenIDSecureEnclave token. */ extern const CFStringRef kSecAttrTokenIDSecureEnclave - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_9_0); + API_AVAILABLE(macos(10.12), ios(9.0)); /*! @enum kSecAttrAccessGroup Value Constants @@ -1082,7 +1082,7 @@ extern const CFStringRef kSecAttrTokenIDSecureEnclave be able to access items from external tokens. */ extern const CFStringRef kSecAttrAccessGroupToken - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); + API_AVAILABLE(macos(10.12), ios(10.0)); /*! @function SecItemCopyMatching @@ -1147,7 +1147,7 @@ extern const CFStringRef kSecAttrAccessGroupToken of the same type. */ OSStatus SecItemCopyMatching(CFDictionaryRef query, CFTypeRef * __nullable CF_RETURNS_RETAINED result) - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); /*! @function SecItemAdd @@ -1188,7 +1188,7 @@ OSStatus SecItemCopyMatching(CFDictionaryRef query, CFTypeRef * __nullable CF_RE On OSX, the added item is returned. */ OSStatus SecItemAdd(CFDictionaryRef attributes, CFTypeRef * __nullable CF_RETURNS_RETAINED result) - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); /*! @function SecItemUpdate @@ -1207,7 +1207,7 @@ OSStatus SecItemAdd(CFDictionaryRef attributes, CFTypeRef * __nullable CF_RETURN pairs to the query dictionary. */ OSStatus SecItemUpdate(CFDictionaryRef query, CFDictionaryRef attributesToUpdate) - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); /*! @function SecItemDelete @@ -1238,7 +1238,7 @@ OSStatus SecItemUpdate(CFDictionaryRef query, CFDictionaryRef attributesToUpdate undefined. */ OSStatus SecItemDelete(CFDictionaryRef query) - __OSX_AVAILABLE_STARTING(__MAC_10_6, __IPHONE_2_0); + API_AVAILABLE(macos(10.6), ios(2.0)); CF_IMPLICIT_BRIDGING_DISABLED CF_ASSUME_NONNULL_END 
diff --git a/keychain/SecItemPriv.h b/keychain/SecItemPriv.h index fe66f3eb..d827b882 100644 --- a/keychain/SecItemPriv.h +++ b/keychain/SecItemPriv.h @@ -348,14 +348,11 @@ extern const CFStringRef kSecAttrViewHintPCSMailDrop; extern const CFStringRef kSecAttrViewHintPCSiCloudBackup; extern const CFStringRef kSecAttrViewHintPCSNotes; extern const CFStringRef kSecAttrViewHintPCSiMessage; -#if SEC_OS_IPHONE extern const CFStringRef kSecAttrViewHintPCSFeldspar; -#endif /* SEC_OS_IPHONE */ extern const CFStringRef kSecAttrViewHintPCSSharing; extern const CFStringRef kSecAttrViewHintAppleTV; extern const CFStringRef kSecAttrViewHintHomeKit; -extern const CFStringRef kSecAttrViewHintThumper; extern const CFStringRef kSecAttrViewHintContinuityUnlock; extern const CFStringRef kSecAttrViewHintAccessoryPairing; extern const CFStringRef kSecAttrViewHintNanoRegistry; @@ -538,8 +535,11 @@ CFDataRef _SecKeychainCopyBackup(CFDataRef backupKeybag, CFDataRef password); CFDataRef _SecKeychainCopyOTABackup(void); OSStatus _SecKeychainRestoreBackup(CFDataRef backup, CFDataRef backupKeybag, CFDataRef password); +/* + EMCS backups are similar to regular backups but we do not want to unlock the keybag + */ +CFDataRef _SecKeychainCopyEMCSBackup(CFDataRef backupKeybag); -#if SEC_OS_IPHONE bool _SecKeychainWriteBackupToFileDescriptor(CFDataRef backupKeybag, CFDataRef password, int fd, CFErrorRef *error); @@ -548,7 +548,6 @@ _SecKeychainRestoreBackupFromFileDescriptor(int fd, CFDataRef backupKeybag, CFDa CFStringRef _SecKeychainCopyKeybagUUIDFromFileDescriptor(int fd, CFErrorRef *error); -#endif /* SEC_OS_IPHONE */ OSStatus _SecKeychainBackupSyncable(CFDataRef keybag, CFDataRef password, CFDictionaryRef backup_in, CFDictionaryRef *backup_out); OSStatus _SecKeychainRestoreSyncable(CFDataRef keybag, CFDataRef password, CFDictionaryRef backup_in); 
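Review bot: The new `_SecKeychainCopyEMCSBackup(CFDataRef backupKeybag)` declaration has no way to report why it failed, and its comment does not say what a caller receives in that case. The file-descriptor variants declared just below it take a `CFErrorRef *error`, so the comment should at least state the contract, for example `/* Returns a retained CFDataRef the caller must release, or NULL on failure; the keybag is not unlocked, so no password is taken. */`. The ownership and NULL-on-failure wording is inferred from the Copy naming and needs confirming against the implementation, which is not in this hunk.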
@@ -569,7 +568,7 @@ bool _SecKeychainRollKeys(bool force, CFErrorRef *error); CFDictionaryRef _SecSecuritydCopyWhoAmI(CFErrorRef *error); XPC_RETURNS_RETAINED xpc_endpoint_t _SecSecuritydCopyCKKSEndpoint(CFErrorRef *error); -XPC_RETURNS_RETAINED xpc_endpoint_t _SecSecuritydCopySOSStatusEndpoint(CFErrorRef *error); +XPC_RETURNS_RETAINED xpc_endpoint_t _SecSecuritydCopyKeychainControlEndpoint(CFErrorRef* error); #if SEC_OS_IPHONE bool _SecSyncBubbleTransfer(CFArrayRef services, uid_t uid, CFErrorRef *error); @@ -628,7 +627,7 @@ SecItemUpdateWithError(CFDictionaryRef inQuery, @function SecItemParentCachePurge @abstract Clear the cache of parent certificates used in SecItemCopyParentCertificates_osx. */ -void SecItemParentCachePurge(); +void SecItemParentCachePurge(void); #endif diff --git a/keychain/SecKeyPriv.h b/keychain/SecKeyPriv.h index b5af4ce9..77bfcb5b 100644 --- a/keychain/SecKeyPriv.h +++ b/keychain/SecKeyPriv.h @@ -38,11 +38,6 @@ #include #include -#if SEC_OS_IOS -#include -#include -#endif - #if SEC_OS_OSX #include #include 
@@ -270,30 +265,32 @@ SecKeyRef SecKeyCreatePublicFromDER(CFAllocatorRef allocator, /* Create public key from private key */ SecKeyRef SecKeyCreatePublicFromPrivate(SecKeyRef privateKey); +#endif // SEC_OS_IPHONE /* Get Private Key (if present) by publicKey. */ SecKeyRef SecKeyCopyMatchingPrivateKey(SecKeyRef publicKey, CFErrorRef *error); -OSStatus SecKeyGetMatchingPrivateKeyStatus(SecKeyRef publicKey, CFErrorRef *error); +OSStatus SecKeyGetMatchingPrivateKeyStatus(SecKeyRef publicKey, CFErrorRef *error); CFDataRef SecKeyCreatePersistentRefToMatchingPrivateKey(SecKeyRef publicKey, CFErrorRef *error); /* Return an attribute dictionary used to find a private key by public key hash */ CFDictionaryRef CreatePrivateKeyMatchingQuery(SecKeyRef publicKey, bool returnPersistentRef); -/* Return an attribute dictionary used to store this item in a keychain. */ -CFDictionaryRef SecKeyCopyAttributeDictionary(SecKeyRef key); - /* Return a key from an attribute dictionary that was used to store this item - in a keychain. */ + in a keychain. */ SecKeyRef SecKeyCreateFromAttributeDictionary(CFDictionaryRef refAttributes); OSStatus SecKeyDigestAndVerify( - SecKeyRef key, /* Public key */ - const SecAsn1AlgId *algId, /* algorithm oid/params */ - const uint8_t *dataToDigest, /* signature over this data */ - size_t dataToDigestLen,/* length of dataToDigest */ - const uint8_t *sig, /* signature to verify */ - size_t sigLen); /* length of sig */ + SecKeyRef key, /* Public key */ + const SecAsn1AlgId *algId, /* algorithm oid/params */ + const uint8_t *dataToDigest, /* signature over this data */ + size_t dataToDigestLen,/* length of dataToDigest */ + const uint8_t *sig, /* signature to verify */ + size_t sigLen); /* length of sig */ + +#if SEC_OS_IPHONE +/* Return an attribute dictionary used to store this item in a keychain. */ +CFDictionaryRef SecKeyCopyAttributeDictionary(SecKeyRef key); OSStatus SecKeyDigestAndSign( SecKeyRef key, /* Private key */ 
@@ -389,6 +386,9 @@ typedef enum { size_t SecKeyGetSize(SecKeyRef key, SecKeySize whichSize) __OSX_AVAILABLE_STARTING(__MAC_10_8, __IPHONE_5_0); +#endif + +#if SEC_OS_IPHONE /*! @function SecKeyLookupPersistentRef @@ -399,6 +399,7 @@ __OSX_AVAILABLE_STARTING(__MAC_10_8, __IPHONE_5_0); */ OSStatus SecKeyFindWithPersistentRef(CFDataRef persistentRef, SecKeyRef* lookedUpData) __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); +#endif // SEC_OS_IPHONE /*! @function SecKeyCopyPersistentRef @@ -410,6 +411,7 @@ __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); OSStatus SecKeyCopyPersistentRef(SecKeyRef key, CFDataRef* persistentRef) __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); +#if SEC_OS_IPHONE /* * diff --git a/keychain/Signin Metrics/SFTransactionMetric.h b/keychain/Signin Metrics/SFTransactionMetric.h new file mode 100644 index 00000000..6fd9876d --- /dev/null +++ b/keychain/Signin Metrics/SFTransactionMetric.h 
@@ -0,0 +1,68 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if __OBJC2__ +#ifndef SFTransactionMetric_h +#define SFTransactionMetric_h + +#import + +@interface SFTransactionMetric : NSObject + +/* + abstract: creates a new SFTransactionMetric object + uuid: iCloud sign in transaction UUID + category: name of client subsystem. This will be used as the category name when logging +*/ +- (instancetype)initWithUUID:(NSString *)uuid category:(NSString *)category; + +/* + abstract: log when a particular event occurs ex. piggybacking, restore from backup + eventName: name of the event that occured + arguments: dictionary containing a set of event attributes a subsystem wishes to log. 
+*/ +- (void)logEvent:(NSString*)eventName eventAttributes:(NSDictionary*)attributes; + +/* + abstract: call to time tasks that take a while (backup, wait for initial sync) + eventName: name of the event that occured + blockToTime: the block of code you wish to have timed +*/ +- (void)timeEvent:(NSString*)eventName blockToTime:(void(^)(void))blockToTime; + +/* + abstract: call to log when a error occurs during sign in + error: error that occured during iCloud Sign in +*/ +- (void)logError:(NSError*)error; + +/* + abstract: call to signal iCloud sign in has finished. + */ +- (void)signInCompleted; + +@end + + +#endif /* SFTransactionMetric_h */ +#endif diff --git a/keychain/Signin Metrics/SFTransactionMetric.m b/keychain/Signin Metrics/SFTransactionMetric.m new file mode 100644 index 00000000..74ee8219 --- /dev/null +++ b/keychain/Signin Metrics/SFTransactionMetric.m 
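Review bot: The comment on `logEvent:eventAttributes:` documents a parameter called `arguments`, but the selector's parameter is `attributes`, and nothing tells callers that every key and value is handed to the log. I would reword that line to `attributes: dictionary of event attributes; each key/value pair is written to the log, so do not pass secrets or account identifiers`. "occured" should read "occurred" in the three comments that use it.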
@@ -0,0 +1,127 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if __OBJC2__ + +#import "SFTransactionMetric.h" +#import + +@interface SFTransactionMetric () +@property (nonatomic, copy) NSString *uuid; +@property (nonatomic, copy) NSString *category; +@property (nonatomic, strong) os_log_t logObject; + +-(os_log_t) sftmCreateLogCategory:(NSString*) category; +-(os_log_t) sftmObjectForCategory:(NSString*) category; +@end + +static NSMutableDictionary *logObjects; +static const NSString* signInLogSpace = @"com.apple.security.wiiss"; + +@implementation SFTransactionMetric + ++ (BOOL)supportsSecureCoding { + return YES; +} + +-(os_log_t) sftmObjectForCategory:(NSString*) category +{ + return logObjects[category]; +} + +-(os_log_t) sftmCreateLogCategory:(NSString*) category +{ + return os_log_create([signInLogSpace UTF8String], [category UTF8String]); +} + +- (instancetype)initWithUUID:(NSString *)uuid category:(NSString *)category +{ + self = [super init]; + if (self) { + _uuid = uuid; + _category = category; + + static dispatch_once_t 
onceToken; + dispatch_once(&onceToken, ^{ + logObjects = [NSMutableDictionary dictionary]; + }); + @synchronized(logObjects){ + if(category){ + _logObject = [self sftmObjectForCategory:category]; + + if(!_logObject){ + _logObject = [self sftmCreateLogCategory:category]; + [logObjects setObject:_logObject forKey:category]; + } + } + } + } + return self; +} + +- (void)encodeWithCoder:(NSCoder *)coder { + [coder encodeObject:_uuid forKey:@"UUID"]; + [coder encodeObject:_category forKey:@"category"]; +} + +- (nullable instancetype)initWithCoder:(NSCoder *)decoder +{ + self = [super init]; + if (self) { + _uuid = [decoder decodeObjectOfClass:[NSString class] forKey:@"UUID"]; + _category = [decoder decodeObjectOfClass:[NSString class] forKey:@"category"]; + } + return self; +} + +- (void)logEvent:(NSString*)eventName eventAttributes:(NSDictionary*)attributes +{ + [attributes enumerateKeysAndObjectsUsingBlock:^(NSString* key, id obj, BOOL * stop) { + os_log(self.logObject, "event: %@, %@ : %@", eventName, key, obj); + }]; +} + +- (void)timeEvent:(NSString*)eventName blockToTime:(void(^)(void))blockToTime +{ + NSDate *firstTime = [NSDate date]; + + blockToTime(); + + NSDate *SecondTime = [NSDate date]; + + os_log(self.logObject, "event: %@, Time elapsed: %@", eventName, [[NSString alloc] initWithFormat:@"%f", [SecondTime timeIntervalSinceDate:firstTime]]); +} + +- (void)logError:(NSError*)error +{ + os_log_error(self.logObject, "%@", error); +} + +- (void)signInCompleted +{ + //print final + os_log(self.logObject, "sign in complete for %@", self.uuid); +} + +@end +#endif diff --git a/keychain/analytics/CKKSPowerCollection.h b/keychain/analytics/CKKSPowerCollection.h index 7e7deb2e..aa150f07 100644 --- a/keychain/analytics/CKKSPowerCollection.h +++ b/keychain/analytics/CKKSPowerCollection.h 
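Review bot: `initWithCoder:` restores `_uuid` and `_category` but never sets `_logObject`, so every `os_log` call on a decoded instance is given a nil log handle; the same happens when `initWithUUID:category:` is called with a nil category. The lookup-or-create logic, including the `dispatch_once` that allocates `logObjects`, currently lives only inside `initWithUUID:category:`, so I would move it into one helper that both initialisers call and that falls back to `OS_LOG_DEFAULT`. Two smaller points in the same hunk: `_uuid = uuid` and `_category = category` bypass the `copy` semantics the properties declare, and `static const NSString* signInLogSpace` makes the string const rather than the pointer (`static NSString* const`).

```objective-c
// Shared by both initialisers: returns the cached os_log_t for a category, creating it on first use.
- (os_log_t)sftmLogObjectForCategory:(NSString *)category
{
    static dispatch_once_t onceToken;
    dispatch_once(&onceToken, ^{
        logObjects = [NSMutableDictionary dictionary];
    });
    if (!category) {
        return OS_LOG_DEFAULT;   // never leave the handle nil
    }
    @synchronized (logObjects) {
        os_log_t logObject = [self sftmObjectForCategory:category];
        if (!logObject) {
            logObject = [self sftmCreateLogCategory:category];
            logObjects[category] = logObject;
        }
        return logObject;
    }
}

- (nullable instancetype)initWithCoder:(NSCoder *)decoder
{
    // … unchanged: super init, decoding of _uuid and _category …
        _logObject = [self sftmLogObjectForCategory:_category];
// … unchanged: encodeWithCoder:, logEvent:, timeEvent:, logError:, signInCompleted …
```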
@@ -26,10 +26,31 @@ #if OCTAGON +@protocol CKKSPowerEventType +@end +typedef NSString CKKSPowerEvent; + +extern CKKSPowerEvent* const kCKKSPowerEventOutgoingQueue; +extern CKKSPowerEvent* const kCKKSPowerEventIncommingQueue; +extern CKKSPowerEvent* const kCKKSPowerEventTLKShareProcessing; +extern CKKSPowerEvent* const kCKKSPowerEventScanLocalItems; +extern CKKSPowerEvent* const kCKKSPowerEventFetchAllChanges; + +@protocol OTPowerEventType +@end +typedef NSString OTPowerEvent; + +extern OTPowerEvent* const kOTPowerEventRestore; +extern OTPowerEvent* const kOTPowerEventEnroll; + @class CKKSOutgoingQueueEntry; @interface CKKSPowerCollection : NSOperation ++ (void)CKKSPowerEvent:(CKKSPowerEvent *)operation zone:(NSString *)zone; ++ (void)CKKSPowerEvent:(CKKSPowerEvent *)operation zone:(NSString *)zone count:(NSUInteger)count; ++ (void)OTPowerEvent:(NSString *)operation; + - (void)storedOQE:(CKKSOutgoingQueueEntry *)oqe; - (void)deletedOQE:(CKKSOutgoingQueueEntry *)oqe; diff --git a/keychain/analytics/CKKSPowerCollection.m b/keychain/analytics/CKKSPowerCollection.m index c3bbde44..7442658c 100644 --- a/keychain/analytics/CKKSPowerCollection.m +++ b/keychain/analytics/CKKSPowerCollection.m 
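Review bot: `kCKKSPowerEventIncommingQueue` is misspelled in an exported symbol, and the typo becomes costly to fix once other files reference it; `kCKKSPowerEventIncomingQueue` would match the `processIncomingQueue` string it is defined as in CKKSPowerCollection.m. Separately, `+ (void)OTPowerEvent:(NSString *)operation;` takes a plain `NSString *` although this hunk introduces an `OTPowerEvent` typedef for exactly that argument. Declaring it as `+ (void)OTPowerEvent:(OTPowerEvent *)operation;` keeps it parallel to the two `CKKSPowerEvent:` methods.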
@@ -27,6 +27,16 @@ #if OCTAGON +CKKSPowerEvent* const kCKKSPowerEventOutgoingQueue = (CKKSPowerEvent*)@"processOutgoingQueue"; +CKKSPowerEvent* const kCKKSPowerEventIncommingQueue = (CKKSPowerEvent*)@"processIncomingQueue"; +CKKSPowerEvent* const kCKKSPowerEventTLKShareProcessing = (CKKSPowerEvent*)@"TLKShareProcessing"; +CKKSPowerEvent* const kCKKSPowerEventScanLocalItems = (CKKSPowerEvent*)@"scanLocalItems"; +CKKSPowerEvent* const kCKKSPowerEventFetchAllChanges = (CKKSPowerEvent*)@"fetchAllChanges"; + +OTPowerEvent* const kOTPowerEventRestore = (OTPowerEvent *)@"restoreBottledPeer"; +OTPowerEvent* const kOTPowerEventEnroll = (OTPowerEvent *)@"enrollBottledPeer"; + + @interface CKKSPowerCollection () @property (strong) NSMutableDictionary *store; @property (strong) NSMutableDictionary *delete; @@ -34,6 +44,30 @@ @implementation CKKSPowerCollection ++ (void)CKKSPowerEvent:(CKKSPowerEvent *)operation zone:(NSString *)zone +{ + SecPLLogRegisteredEvent(@"CKKSSyncing", @{ + @"operation" : operation, + @"zone" : zone + }); +} + ++ (void)CKKSPowerEvent:(CKKSPowerEvent *)operation zone:(NSString *)zone count:(NSUInteger)count +{ + SecPLLogRegisteredEvent(@"CKKSSyncing", @{ + @"operation" : operation, + @"zone" : zone, + @"count" : @(count) + }); +} + ++ (void)OTPowerEvent:(NSString *)operation +{ + SecPLLogRegisteredEvent(@"OctagonTrust", @{ + @"operation" : operation + }); +} + - (instancetype)init { if ((self = [super init]) != nil) { diff --git a/keychain/behavior/SFBehavior.h b/keychain/behavior/SFBehavior.h new file mode 100644 index 00000000..69fc256a --- /dev/null +++ b/keychain/behavior/SFBehavior.h 
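Review bot: The dictionary literals in the two `CKKSPowerEvent:zone:` class methods raise an exception if `operation` or `zone` is nil, because `@{}` literals do not accept nil values, so a power-logging call can take down the caller. Nothing in the hunk shows the parameters being declared nonnull, so I would guard at the top of each method with `if (operation == nil || zone == nil) { return; }` and check `operation` the same way in `OTPowerEvent:`. If the header sits inside an NS_ASSUME_NONNULL region outside this hunk, a comment saying so is enough.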
@@ -0,0 +1,72 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if __OBJC2__ + +#import + +typedef NS_ENUM(uint32_t, SFBehaviorRamping) { + SFBehaviorRampingDisabled = 0, /* must not be enabled */ + SFBehaviorRampingEnabled = 1, /* unconditionally enabled */ + SFBehaviorRampingPromoted = 2, /* should be promoted by application */ + SFBehaviorRampingVisible = 3, /* allowed to enabled */ +}; + +@interface SFBehavior : NSObject + ++ (SFBehavior *)behaviorFamily:(NSString *)family; +- (instancetype)init NS_UNAVAILABLE; + +/* + * Ramping control controlled by CloudKit and configuration + * + * Return the current ramping state, can be called as often as clients want, state is cached + * and fetched in background (returning SFBehaviorRampingDisabled) until server changes the value. + * + * Ramping always go from Disable -> Visiable -> Promoted -> Enabled, can can skip over steps in-between. 
+ * + * The feature can also go from { Visiable, Promoted, Enabled } -> Disabled if the feature is disabled + * + * Passing in force will for fetching the value from the server and bypass all caching, this will + * take its sweet time, so don't block UI on this operation, using force is not recommended. + */ +- (SFBehaviorRamping)ramping:(NSString *)feature force:(bool)force; + +/* + * This feature is assumed to be enabled unless disabled by configuration. + */ +- (bool)featureEnabled:(NSString *)feature; +/* + * This feature is assumed to be disabled unless enabled by configuration. + */ +- (bool)featureDisabled:(NSString *)feature; + +/* + * Fetch configuration values that might be changed from server configuration + */ +- (NSNumber *)configurationNumber:(NSString *)configuration defaultValue:(NSNumber *)defaultValue; +- (NSString *)configurationString:(NSString *)configuration defaultValue:(NSString *)defaultValue; + +@end + +#endif diff --git a/keychain/behavior/SFBehavior.m b/keychain/behavior/SFBehavior.m new file mode 100644 index 00000000..cd46021f --- /dev/null +++ b/keychain/behavior/SFBehavior.m 
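Review bot: The comments on `featureEnabled:` and `ramping:force:` do not say what a caller gets when the configuration service cannot be reached. In SFBehavior.m from this same commit the default is returned whenever the reply block does not run, so `featureEnabled:` reports true and `ramping:force:` reports `SFBehaviorRampingDisabled`. For a switch whose purpose is to turn a feature off remotely, that should be stated, e.g. `Returns true when no configuration could be fetched.` The ramping comment also needs a wording pass: `Ramping always goes from Disabled -> Visible -> Promoted -> Enabled, and can skip over steps in between.`, "will force fetching" for "will for fetching", and "allowed to be enabled" on `SFBehaviorRampingVisible`.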
@@ -0,0 +1,140 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import "SFBehavior.h" +#import + +#if __OBJC2__ + +@interface SFBehavior () +@property NSString *family; +@property NSXPCConnection *connection; +- (instancetype)initBehaviorFamily:(NSString *)family connection:(NSXPCConnection *)connection; +@end + +@protocol SFBehaviorProtocol +- (void)ramping:(NSString *)feature family:(NSString*)family complete:(void (^)(SFBehaviorRamping))complete; +- (void)feature:(NSString *)feature family:(NSString*)family defaultValue:(bool)defaultValue complete:(void (^)(bool))complete; + +- (void)configNumber:(NSString *)configuration family:(NSString*)family complete:(void (^)(NSNumber *))complete; +- (void)configString:(NSString *)configuration family:(NSString*)family complete:(void (^)(NSString *))complete; +@end + + +@implementation SFBehavior + ++ (SFBehavior *)behaviorFamily:(NSString *)family +{ + static dispatch_once_t onceToken = 0; + static NSMutableDictionary *behaviors; + static NSXPCConnection *connection = NULL; + 
dispatch_once(&onceToken, ^{ + behaviors = [NSMutableDictionary dictionary]; + connection = [[NSXPCConnection alloc] initWithMachServiceName:@"com.apple.security.behavior" options:NSXPCConnectionPrivileged]; + + connection.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(SFBehaviorProtocol)]; + [connection resume]; + }); + + SFBehavior *behavior = nil; + @synchronized (behaviors) { + behavior = behaviors[family]; + if (behavior == NULL) { + behavior = [[SFBehavior alloc] initBehaviorFamily:family connection:connection]; + behaviors[family] = behavior; + } + } + + return behavior; +} + +- (instancetype)initBehaviorFamily:(NSString *)family connection:(NSXPCConnection *)connection +{ + self = [super init]; + if (self) { + _family = family; + _connection = connection; + } + return self; +} + +- (SFBehaviorRamping)ramping:(NSString *)feature force:(bool)force +{ + __block SFBehaviorRamping _ramping = SFBehaviorRampingDisabled; + [[_connection synchronousRemoteObjectProxyWithErrorHandler:^(NSError * _Nonnull error) { + }] ramping:feature family:_family complete:^(SFBehaviorRamping ramping) { + _ramping = ramping; + }]; + return _ramping; +} + +- (bool)feature:(NSString *)feature defaultValue:(bool)defaultValue +{ + __block bool enabled = defaultValue; + + [[_connection synchronousRemoteObjectProxyWithErrorHandler:^(NSError * _Nonnull error) { + }] feature:feature family:_family defaultValue:defaultValue complete:^(bool returnFeature) { + enabled = returnFeature; + }]; + return enabled; + +} + +- (bool)featureEnabled:(NSString *)feature +{ + return [self feature:feature defaultValue:true]; +} + +- (bool)featureDisabled:(NSString *)feature +{ + return ![self feature:feature defaultValue:false]; +} + +- (NSNumber *)configurationNumber:(NSString *)configuration defaultValue:(NSNumber *)defaultValue +{ + __block NSNumber *_number = defaultValue; + + [[_connection synchronousRemoteObjectProxyWithErrorHandler:^(NSError * _Nonnull error) { + }] 
configNumber:configuration family:_family complete:^(NSNumber *number) { + if (number) + _number = number; + }]; + return _number; +} + +- (NSString *)configurationString:(NSString *)configuration defaultValue:(NSString *)defaultValue +{ + __block NSString *_string = defaultValue; + + [[_connection synchronousRemoteObjectProxyWithErrorHandler:^(NSError * _Nonnull error) { + }] configString:configuration family:_family complete:^(NSString *string) { + if (string) + _string = string; + }]; + return _string; +} + +@end + +#endif /* __OBJC2__ */ + diff --git a/keychain/ckks/CKKS.h b/keychain/ckks/CKKS.h index 3b6a8545..45d4fc98 100644 --- a/keychain/ckks/CKKS.h +++ b/keychain/ckks/CKKS.h @@ -53,7 +53,7 @@ extern NSString* const SecCKKSActionDelete; extern NSString* const SecCKKSActionModify; /* Queue States */ -@protocol SecCKKSItemState +@protocol SecCKKSItemState @end typedef NSString CKKSItemState; extern CKKSItemState* const SecCKKSStateNew; @@ -64,14 +64,14 @@ extern CKKSItemState* const SecCKKSStateError; extern CKKSItemState* const SecCKKSStateDeleted; // meta-state: please delete this item! /* Processed States */ -@protocol SecCKKSProcessedState +@protocol SecCKKSProcessedState @end typedef NSString CKKSProcessedState; extern CKKSProcessedState* const SecCKKSProcessedStateLocal; extern CKKSProcessedState* const SecCKKSProcessedStateRemote; /* Key Classes */ -@protocol SecCKKSKeyClass +@protocol SecCKKSKeyClass @end typedef NSString CKKSKeyClass; extern CKKSKeyClass* const SecCKKSKeyClassTLK; 
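Review bot: In `behaviorFamily:` the protocol is installed as `connection.exportedInterface`, but this side only ever calls out through `synchronousRemoteObjectProxyWithErrorHandler:`, which relies on the connection's `remoteObjectInterface`; as written the proxy has no interface describing `ramping:family:complete:` and the other three calls. The line should read `connection.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(SFBehaviorProtocol)];`. Every error handler block is also empty, so a failed lookup is indistinguishable from a real answer and the caller silently gets the default; the error should at least be logged. Finally, `ramping:force:` never reads `force`, although the header says it bypasses caching.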
@@ -125,9 +125,9 @@ extern NSString* const SecCKRecordCurrentKeyType; /* Current Item CKRecord Keys */ extern NSString* const SecCKRecordCurrentItemType; extern NSString* const SecCKRecordItemRefKey; -//extern NSString* const SecCKRecordHostOSVersionKey; <-- the OS version which last updated the record -/* Device State CKRexord Keys */ + +/* Device State CKRecord Keys */ extern NSString* const SecCKRecordDeviceStateType; extern NSString* const SecCKRecordCirclePeerID; extern NSString* const SecCKRecordCircleStatus; @@ -135,6 +135,8 @@ extern NSString* const SecCKRecordKeyState; extern NSString* const SecCKRecordCurrentTLK; extern NSString* const SecCKRecordCurrentClassA; extern NSString* const SecCKRecordCurrentClassC; +extern NSString* const SecCKSRecordLastUnlockTime; +extern NSString* const SecCKSRecordOSVersionKey; // Similar to SecCKRecordHostOSVersionKey, but better named /* Manifest master CKRecord Keys */ extern NSString* const SecCKRecordManifestType; 
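Review bot: The two new constants are spelled `SecCKSRecordLastUnlockTime` and `SecCKSRecordOSVersionKey`, while every other key in this block uses the `SecCKRecord` prefix (`SecCKRecordCurrentTLK`, `SecCKRecordKeyState`). Unless the extra `S` is deliberate, rename them to `SecCKRecordLastUnlockTime` and `SecCKRecordOSVersionKey` here and at their definitions in CKKS.m. A short comment on the last-unlock key stating the unit and precision of the stored value would also help, since the header gives no hint of what is written under it.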
@@ -153,19 +155,26 @@ extern NSString* const SecCKRecordManifestLeafDERKey; extern NSString* const SecCKRecordManifestLeafDigestKey; /* Zone Key Hierarchy States */ -@protocol SecCKKSZoneKeyState +@protocol SecCKKSZoneKeyState @end typedef NSString CKKSZoneKeyState; +// CKKS is currently logged out +extern CKKSZoneKeyState* const SecCKKSZoneKeyStateLoggedOut; + // Class has just been created. extern CKKSZoneKeyState* const SecCKKSZoneKeyStateInitializing; // CKKSZone has just informed us that its setup is done (and completed successfully). extern CKKSZoneKeyState* const SecCKKSZoneKeyStateInitialized; +// CKKSZone has informed us that zone setup did not work. Try again soon! +extern CKKSZoneKeyState* const SecCKKSZoneKeyStateZoneCreationFailed; // Everything is ready and waiting for input. extern CKKSZoneKeyState* const SecCKKSZoneKeyStateReady; // We're presumably ready, but we'd like to do one or two more checks after we unlock. extern CKKSZoneKeyState* const SecCKKSZoneKeyStateReadyPendingUnlock; +// We're currently refetching the zone +extern CKKSZoneKeyState* const SecCKKSZoneKeyStateFetch; // A Fetch has just been completed which includes some new keys to process extern CKKSZoneKeyState* const SecCKKSZoneKeyStateFetchComplete; // We'd really like a full refetch. 
@@ -187,6 +196,11 @@ extern CKKSZoneKeyState* const SecCKKSZoneKeyStateHealTLKSharesFailed; // The key hierarchy state machine needs to wait for the fixup operation to complete extern CKKSZoneKeyState* const SecCKKSZoneKeyStateWaitForFixupOperation; +// CKKS is resetting the remote zone, due to key hierarchy reasons. Will not proceed until the local reset occurs. +extern CKKSZoneKeyState* const SecCKKSZoneKeyStateResettingZone; +// CKKS is resetting the local data, likely to do a cloudkit reset or a rpc. +extern CKKSZoneKeyState* const SecCKKSZoneKeyStateResettingLocalData; + // Fatal error. Will not proceed unless fixed from outside class. extern CKKSZoneKeyState* const SecCKKSZoneKeyStateError; // This CKKS instance has been cancelled. @@ -198,6 +212,10 @@ NSDictionary* CKKSZoneKeyStateInverseMap(void); NSNumber* CKKSZoneKeyToNumber(CKKSZoneKeyState* state); CKKSZoneKeyState* CKKSZoneKeyRecover(NSNumber* stateNumber); +// Use this to determine if CKKS believes the current state is "transient": that is, should resolve itself with further local processing +// or 'nontransient': further local processing won't progress. Either we're ready, or waiting for the user to unlock, or a remote device to do something. +bool CKKSKeyStateTransient(CKKSZoneKeyState* state); + /* Hide Item Length */ extern const NSUInteger SecCKKSItemPaddingBlockSize; @@ -216,6 +234,9 @@ extern NSString* const CKKSServerExtensionErrorDomain; #define SecCKKSOutgoingQueueItemsAtOnce 100 #define SecCKKSIncomingQueueItemsAtOnce 10 +// Utility functions +NSString* SecCKKSHostOSVersion(void); + #endif // OBJ-C /* C functions to interact with CKKS */ @@ -247,6 +268,9 @@ bool SecCKKSEnforceManifests(void); bool SecCKKSEnableEnforceManifests(void); bool SecCKKSSetEnforceManifests(bool value); +bool SecCKKSReduceRateLimiting(void); +bool SecCKKSSetReduceRateLimiting(bool value); + // Testing support bool SecCKKSTestsEnabled(void); bool SecCKKSTestsEnable(void); 
@@ -262,11 +286,9 @@ void SecCKKSTestSetDisableSOS(bool set); bool SecCKKSTestDisableKeyNotifications(void); void SecCKKSTestSetDisableKeyNotifications(bool set); - -XPC_RETURNS_RETAINED _Nullable xpc_endpoint_t SecServerCreateCKKSEndpoint(void); - // TODO: handle errors better typedef CF_ENUM(CFIndex, CKKSErrorCode) { + CKKSNotInitialized = 9, CKKSNotLoggedIn = 10, CKKSNoSuchView = 11, @@ -283,6 +305,33 @@ typedef CF_ENUM(CFIndex, CKKSErrorCode) { CKKSNoSuchRecord = 22, CKKSMissingTLKShare = 23, CKKSNoPeersAvailable = 24, + + CKKSSplitKeyHierarchy = 32, + CKKSOrphanedKey = 33, + CKKSInvalidTLK = 34, + CKKSNoTrustedTLKShares = 35, + CKKSKeyUnknownFormat = 36, + CKKSNoSigningKey = 37, + CKKSNoEncryptionKey = 38, + + CKKSNotHSA2 = 40, + CKKSiCloudGreyMode = 41, +}; + +typedef CF_ENUM(CFIndex, CKKSResultDescriptionErrorCode) { + CKKSResultDescriptionNone = 0, + CKKSResultDescriptionPendingKeyReady = 1, + CKKSResultDescriptionPendingSuccessfulFetch = 2, + CKKSResultDescriptionPendingAccountLoggedIn = 3, + CKKSResultDescriptionPendingUnlock = 4, + CKKSResultDescriptionPendingBottledPeerModifyRecords = 5, + CKKSResultDescriptionPendingBottledPeerFetchRecords = 6, + + CKKSResultDescriptionPendingZoneChangeFetchScheduling = 1000, + CKKSResultDescriptionPendingViewChangedScheduling = 1001, + CKKSResultDescriptionPendingZoneInitializeScheduling = 1002, + CKKSResultDescriptionPendingOutgoingQueueScheduling = 1003, + CKKSResultDescriptionPendingKeyHierachyPokeScheduling = 1004, }; // These errors are returned by the CKKS server extension. @@ -377,3 +426,4 @@ CF_ASSUME_NONNULL_END #endif #endif /* CKKS_h */ + diff --git a/keychain/ckks/CKKS.m b/keychain/ckks/CKKS.m index d0d130b6..4c7e99df 100644 --- a/keychain/ckks/CKKS.m +++ b/keychain/ckks/CKKS.m @@ -23,6 +23,7 @@ #include #import +#include #if OCTAGON #import #endif 
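Review bot: `CKKSResultDescriptionPendingKeyHierachyPokeScheduling` in the new `CKKSResultDescriptionErrorCode` enum misspells "Hierarchy", and as a public enumerator the name is hard to change later; `CKKSResultDescriptionPendingKeyHierarchyPokeScheduling` is the fix. The new enum also has no comment explaining the two numeric ranges (1 to 6 and 1000 to 1004). One line above each group saying what separates them would save readers from guessing, e.g. `// waiting on an external condition` and `// waiting on a scheduler` if that is the intent, which the hunk does not confirm.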
@@ -37,6 +38,7 @@ #import "keychain/ckks/CKKSViewManager.h" #import "keychain/ckks/CKKSKey.h" +#import "keychain/ot/OTManager.h" const SecCKKSItemEncryptionVersion currentCKKSItemEncryptionVersion = CKKSItemEncryptionVersion2; NSString* const SecCKKSActionAdd = @"add"; @@ -101,6 +103,8 @@ NSString* const SecCKRecordKeyState = @"keystate"; NSString* const SecCKRecordCurrentTLK = @"currentTLK"; NSString* const SecCKRecordCurrentClassA = @"currentClassA"; NSString* const SecCKRecordCurrentClassC = @"currentClassC"; +NSString* const SecCKSRecordLastUnlockTime = @"lastunlock"; +NSString* const SecCKSRecordOSVersionKey = @"osver"; NSString* const SecCKRecordManifestType = @"manifest"; NSString* const SecCKRecordManifestDigestValueKey = @"digest_value"; @@ -123,6 +127,7 @@ CKKSZoneKeyState* const SecCKKSZoneKeyStateCancelled = (CKKSZoneKeyState*) @"can CKKSZoneKeyState* const SecCKKSZoneKeyStateInitializing = (CKKSZoneKeyState*) @"initializing"; CKKSZoneKeyState* const SecCKKSZoneKeyStateInitialized = (CKKSZoneKeyState*) @"initialized"; +CKKSZoneKeyState* const SecCKKSZoneKeyStateFetch = (CKKSZoneKeyState*) @"fetching"; CKKSZoneKeyState* const SecCKKSZoneKeyStateFetchComplete = (CKKSZoneKeyState*) @"fetchcomplete"; CKKSZoneKeyState* const SecCKKSZoneKeyStateNeedFullRefetch = (CKKSZoneKeyState*) @"needrefetch"; CKKSZoneKeyState* const SecCKKSZoneKeyStateWaitForTLK = (CKKSZoneKeyState*) @"waitfortlk"; 
@@ -133,6 +138,10 @@ CKKSZoneKeyState* const SecCKKSZoneKeyStateNewTLKsFailed = (CKKSZoneKeyState*) @ CKKSZoneKeyState* const SecCKKSZoneKeyStateHealTLKShares = (CKKSZoneKeyState*) @"healtlkshares"; CKKSZoneKeyState* const SecCKKSZoneKeyStateHealTLKSharesFailed = (CKKSZoneKeyState*) @"healtlksharesfailed"; CKKSZoneKeyState* const SecCKKSZoneKeyStateWaitForFixupOperation = (CKKSZoneKeyState*) @"waitforfixupoperation"; +CKKSZoneKeyState* const SecCKKSZoneKeyStateResettingZone = (CKKSZoneKeyState*) @"resetzone"; +CKKSZoneKeyState* const SecCKKSZoneKeyStateResettingLocalData = (CKKSZoneKeyState*) @"resetlocal"; +CKKSZoneKeyState* const SecCKKSZoneKeyStateLoggedOut = (CKKSZoneKeyState*) @"loggedout"; +CKKSZoneKeyState* const SecCKKSZoneKeyStateZoneCreationFailed = (CKKSZoneKeyState*) @"zonecreationfailed"; NSDictionary* CKKSZoneKeyStateMap(void) { static NSDictionary* map = nil; @@ -156,6 +165,11 @@ NSDictionary* CKKSZoneKeyStateMap(void) { SecCKKSZoneKeyStateHealTLKSharesFailed:@13U, SecCKKSZoneKeyStateWaitForFixupOperation:@14U, SecCKKSZoneKeyStateReadyPendingUnlock: @15U, + SecCKKSZoneKeyStateFetch: @16U, + SecCKKSZoneKeyStateResettingZone: @17U, + SecCKKSZoneKeyStateResettingLocalData: @18U, + SecCKKSZoneKeyStateLoggedOut: @19U, + SecCKKSZoneKeyStateZoneCreationFailed: @20U, }; }); return map; 
@@ -192,6 +206,17 @@ CKKSZoneKeyState* CKKSZoneKeyRecover(NSNumber* stateNumber) {
 return SecCKKSZoneKeyStateError;
 }
 
+bool CKKSKeyStateTransient(CKKSZoneKeyState* state) {
+ // Easier to compare against a blacklist of end states
+ bool nontransient = [state isEqualToString:SecCKKSZoneKeyStateReady] ||
+ [state isEqualToString:SecCKKSZoneKeyStateReadyPendingUnlock] ||
+ [state isEqualToString:SecCKKSZoneKeyStateWaitForTLK] ||
+ [state isEqualToString:SecCKKSZoneKeyStateWaitForUnlock] ||
+ [state isEqualToString:SecCKKSZoneKeyStateError] ||
+ [state isEqualToString:SecCKKSZoneKeyStateCancelled];
+ return !nontransient;
+}
+
 const NSUInteger SecCKKSItemPaddingBlockSize = 20;
 
 NSString* const SecCKKSAggdPropagationDelay = @"com.apple.security.ckks.propagationdelay";
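Review bot: `CKKSKeyStateTransient` treats every state missing from its six-entry list as transient, so `SecCKKSZoneKeyStateLoggedOut` and `SecCKKSZoneKeyStateZoneCreationFailed`, both added to CKKS.m by this same commit, report `true`, as does a nil `state`. Going by the header comment ("further local processing won't progress"), a logged-out zone looks like it belongs on the non-transient side; the callers are outside this hunk, so that is an inference. Either extend the list, for example with `[state isEqualToString:SecCKKSZoneKeyStateLoggedOut] ||`, or invert the test to an explicit list of transient states so that a newly added state defaults to non-transient.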
@@ -281,6 +306,30 @@ bool SecCKKSSetEnforceManifests(bool value) { return CKKSEnforceManifests; } +// defaults write com.apple.security.ckks reduce-rate-limiting YES +static bool CKKSReduceRateLimiting = false; +bool SecCKKSReduceRateLimiting(void) { + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + // Use the default value as above, or apply the preferences value if it exists + NSUserDefaults* defaults = [[NSUserDefaults alloc] initWithSuiteName:SecCKKSUserDefaultsSuite]; + NSString* key = @"reduce-rate-limiting"; + [defaults registerDefaults: @{key: CKKSReduceRateLimiting ? @YES : @NO}]; + + CKKSReduceRateLimiting = !![defaults boolForKey:@"reduce-rate-limiting"]; + secnotice("ckks", "reduce-rate-limiting is %@", CKKSReduceRateLimiting ? @"on" : @"off"); + }); + + return CKKSReduceRateLimiting; +} + +bool SecCKKSSetReduceRateLimiting(bool value) { + (void) SecCKKSReduceRateLimiting(); // Call this once to read the defaults write + CKKSReduceRateLimiting = value; + secnotice("ckks", "reduce-rate-limiting is now %@", CKKSReduceRateLimiting ? @"on" : @"off"); + return CKKSReduceRateLimiting; +} + // Here's a mechanism for CKKS feature flags with default values from NSUserDefaults: /*static bool CKKSShareTLKs = true; bool SecCKKSShareTLKs(void) { @@ -342,16 +391,6 @@ void SecCKKSTestResetFlags(void) { SecCKKSTestSetDisableKeyNotifications(false); } -XPC_RETURNS_RETAINED xpc_endpoint_t -SecServerCreateCKKSEndpoint(void) -{ - if (SecCKKSIsEnabled()) { - return [[CKKSViewManager manager] xpcControlEndpoint]; - } else { - return NULL; - } -} - #else /* NO OCTAGON */ bool SecCKKSIsEnabled(void) { 
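Review bot: `SecCKKSReduceRateLimiting` takes its value from the `SecCKKSUserDefaultsSuite` preferences, and nothing in the hunk restricts that to internal or test builds, so anyone able to write that defaults domain can relax CKKS rate limiting. If this is a debugging aid, say so in a comment above the `defaults write` line and gate the read; otherwise document who is trusted to set it. The block also declares `key` and then repeats the literal in the lookup; `CKKSReduceRateLimiting = [defaults boolForKey:key];` keeps the registered default and the read from drifting apart.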
@@ -371,25 +410,22 @@ bool SecCKKSResetSyncing(void) { return SecCKKSIsEnabled(); } -XPC_RETURNS_RETAINED xpc_endpoint_t -SecServerCreateCKKSEndpoint(void) -{ - return NULL; -} #endif /* OCTAGON */ void SecCKKSInitialize(SecDbRef db) { #if OCTAGON - CKKSViewManager* manager = [CKKSViewManager manager]; - [manager initializeZones]; + @autoreleasepool { + CKKSViewManager* manager = [CKKSViewManager manager]; + [manager initializeZones]; - SecDbAddNotifyPhaseBlock(db, ^(SecDbConnectionRef dbconn, SecDbTransactionPhase phase, SecDbTransactionSource source, CFArrayRef changes) { - SecCKKSNotifyBlock(dbconn, phase, source, changes); - }); + SecDbAddNotifyPhaseBlock(db, ^(SecDbConnectionRef dbconn, SecDbTransactionPhase phase, SecDbTransactionSource source, CFArrayRef changes) { + SecCKKSNotifyBlock(dbconn, phase, source, changes); + }); - [manager.completedSecCKKSInitialize fulfill]; + [manager.completedSecCKKSInitialize fulfill]; + } #endif } 
@@ -452,3 +488,47 @@ void SecCKKSPerformLocalResync() { }]; #endif } + +NSString* SecCKKSHostOSVersion() +{ +#ifdef PLATFORM + // Use complicated macro magic to get the string value passed in as preprocessor define PLATFORM. +#define PLATFORM_VALUE(f) #f +#define PLATFORM_OBJCSTR(f) @PLATFORM_VALUE(f) + NSString* platform = (PLATFORM_OBJCSTR(PLATFORM)); +#undef PLATFORM_OBJCSTR +#undef PLATFORM_VALUE +#else + NSString* platform = "unknown"; +#warning No PLATFORM defined; why? +#endif + + NSString* osversion = nil; + + // If we can get the build information from sysctl, use it. + char release[256]; + size_t releasesize = sizeof(release); + bool haveSysctlInfo = true; + haveSysctlInfo &= (0 == sysctlbyname("kern.osrelease", release, &releasesize, NULL, 0)); + + char version[256]; + size_t versionsize = sizeof(version); + haveSysctlInfo &= (0 == sysctlbyname("kern.osversion", version, &versionsize, NULL, 0)); + + if(haveSysctlInfo) { + // Null-terminate for extra safety + release[sizeof(release)-1] = '\0'; + version[sizeof(version)-1] = '\0'; + osversion = [NSString stringWithFormat:@"%s (%s)", release, version]; + } + + if(!osversion) { + // Otherwise, use the not-really-supported fallback. + osversion = [[NSProcessInfo processInfo] operatingSystemVersionString]; + + // subtly improve osversion (but it's okay if that does nothing) + osversion = [osversion stringByReplacingOccurrencesOfString:@"Version" withString:@""]; + } + + return [NSString stringWithFormat:@"%@ %@", platform, osversion]; +} diff --git a/keychain/ckks/CKKSAPSReceiver.h b/keychain/ckks/CKKSAPSReceiver.h index e9788bc9..7f83dc0a 100644 --- a/keychain/ckks/CKKSAPSReceiver.h +++ b/keychain/ckks/CKKSAPSReceiver.h @@ -31,7 +31,7 @@ NS_ASSUME_NONNULL_BEGIN -@protocol CKKSZoneUpdateReceiver +@protocol CKKSZoneUpdateReceiver - (void)notifyZoneChange:(CKRecordZoneNotification* _Nullable)notification; @end 
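Review bot: In the `#else` branch of `SecCKKSHostOSVersion`, `NSString* platform = "unknown";` assigns a C string literal to an `NSString*`; it must be `NSString* platform = @"unknown";`, or the closing `stringWithFormat:@"%@ %@"` is handed a `char` array as an object in any build without `PLATFORM`. The definition is also written `SecCKKSHostOSVersion()` while the header declares `(void)`; use `(void)` in both places. `release` and `version` stay uninitialised when a `sysctlbyname` call fails, which is safe only because `haveSysctlInfo` guards their use, so a comment such as `// buffers are read only when both sysctl calls succeeded` would protect later edits.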
diff --git a/keychain/ckks/CKKSAPSReceiver.m b/keychain/ckks/CKKSAPSReceiver.m index c8bc2158..57fa30a6 100644 --- a/keychain/ckks/CKKSAPSReceiver.m +++ b/keychain/ckks/CKKSAPSReceiver.m @@ -65,7 +65,7 @@ static dispatch_queue_t aps_dispatch_queue; static dispatch_once_t onceToken; dispatch_once(&onceToken, ^{ - aps_dispatch_queue = dispatch_queue_create("aps-callback-queue", DISPATCH_QUEUE_SERIAL); + aps_dispatch_queue = dispatch_queue_create("aps-callback-queue", DISPATCH_QUEUE_SERIAL_WITH_AUTORELEASE_POOL); }); return aps_dispatch_queue; } diff --git a/keychain/ckks/CKKSAnalytics.h b/keychain/ckks/CKKSAnalytics.h new file mode 100644 index 00000000..37962904 --- /dev/null +++ b/keychain/ckks/CKKSAnalytics.h 
@@ -0,0 +1,130 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import + +#if OCTAGON +#import "Analytics/SFAnalytics.h" + +extern NSString* const CKKSAnalyticsInCircle; +extern NSString* const CKKSAnalyticsHasTLKs; +extern NSString* const CKKSAnalyticsSyncedClassARecently; +extern NSString* const CKKSAnalyticsSyncedClassCRecently; +extern NSString* const CKKSAnalyticsIncomingQueueIsErrorFree; +extern NSString* const CKKSAnalyticsOutgoingQueueIsErrorFree; +extern NSString* const CKKSAnalyticsInSync; +extern NSString* const CKKSAnalyticsValidCredentials; +extern NSString* const CKKSAnalyticsLastUnlock; +extern NSString* const CKKSAnalyticsLastKeystateReady; +extern NSString* const CKKSAnalyticsLastInCircle; + +@class CKKSKeychainView; + +@protocol CKKSAnalyticsFailableEvent +@end +typedef NSString CKKSAnalyticsFailableEvent; +extern CKKSAnalyticsFailableEvent* const CKKSEventProcessIncomingQueueClassA; +extern CKKSAnalyticsFailableEvent* const CKKSEventProcessIncomingQueueClassC; +extern CKKSAnalyticsFailableEvent* const 
CKKSEventProcessOutgoingQueue; +extern CKKSAnalyticsFailableEvent* const CKKSEventUploadChanges; +extern CKKSAnalyticsFailableEvent* const CKKSEventStateError; +extern CKKSAnalyticsFailableEvent* const CKKSEventProcessHealKeyHierarchy; + +extern CKKSAnalyticsFailableEvent* const OctagonEventPreflightBottle; +extern CKKSAnalyticsFailableEvent* const OctagonEventLaunchBottle; +extern CKKSAnalyticsFailableEvent* const OctagonEventScrubBottle; +extern CKKSAnalyticsFailableEvent* const OctagonEventSignIn; +extern CKKSAnalyticsFailableEvent* const OctagonEventSignOut; +extern CKKSAnalyticsFailableEvent* const OctagonEventRestoreBottle; +extern CKKSAnalyticsFailableEvent* const OctagonEventRamp; +extern CKKSAnalyticsFailableEvent* const OctagonEventBottleCheck; +extern CKKSAnalyticsFailableEvent* const OctagonEventCoreFollowUp; + +extern CKKSAnalyticsFailableEvent* const OctagonEventRestoredSignedBottlePeer; +extern CKKSAnalyticsFailableEvent* const OctagonEventRestoredOctagonPeerEncryptionKey; +extern CKKSAnalyticsFailableEvent* const OctagonEventRestoredOctagonPeerSigningKey; +extern CKKSAnalyticsFailableEvent* const OctagonEventRestoreComplete; + + +@protocol CKKSAnalyticsSignpostEvent +@end +typedef NSString CKKSAnalyticsSignpostEvent; +extern CKKSAnalyticsSignpostEvent* const CKKSEventPushNotificationReceived; +extern CKKSAnalyticsSignpostEvent* const CKKSEventItemAddedToOutgoingQueue; +extern CKKSAnalyticsSignpostEvent* const CKKSEventReachabilityTimerExpired; +extern CKKSAnalyticsSignpostEvent* const CKKSEventMissingLocalItemsFound; + +@protocol CKKSAnalyticsActivity +@end +typedef NSString CKKSAnalyticsActivity; +extern CKKSAnalyticsActivity* const CKKSActivityOTFetchRampState; +extern CKKSAnalyticsActivity* const CKKSActivityOctagonSignIn; +extern CKKSAnalyticsActivity* const CKKSActivityOctagonPreflightBottle; +extern CKKSAnalyticsActivity* const CKKSActivityOctagonLaunchBottle; +extern CKKSAnalyticsActivity* const CKKSActivityOctagonRestore; +extern 
CKKSAnalyticsActivity* const CKKSActivityScrubBottle; +extern CKKSAnalyticsActivity* const CKKSActivityBottleCheck; + +@interface CKKSAnalytics : SFAnalytics + ++ (instancetype)logger; + +- (void)logSuccessForEvent:(CKKSAnalyticsFailableEvent*)event inView:(CKKSKeychainView*)view; +- (void)logRecoverableError:(NSError*)error + forEvent:(CKKSAnalyticsFailableEvent*)event + inView:(CKKSKeychainView*)view + withAttributes:(NSDictionary*)attributes; + +- (void)logRecoverableError:(NSError*)error + forEvent:(CKKSAnalyticsFailableEvent*)event + zoneName:(NSString*)zoneName + withAttributes:(NSDictionary *)attributes; + + +- (void)logUnrecoverableError:(NSError*)error + forEvent:(CKKSAnalyticsFailableEvent*)event + withAttributes:(NSDictionary *)attributes; + +- (void)logUnrecoverableError:(NSError*)error + forEvent:(CKKSAnalyticsFailableEvent*)event + inView:(CKKSKeychainView*)view + withAttributes:(NSDictionary*)attributes; + +- (void)noteEvent:(CKKSAnalyticsSignpostEvent*)event; +- (void)noteEvent:(CKKSAnalyticsSignpostEvent*)event inView:(CKKSKeychainView*)view; + +- (void)setDateProperty:(NSDate*)date forKey:(NSString*)key inView:(CKKSKeychainView *)view; +- (NSDate *)datePropertyForKey:(NSString *)key inView:(CKKSKeychainView *)view; + +@end + +@interface CKKSAnalytics (UnitTesting) + +- (NSDate*)dateOfLastSuccessForEvent:(CKKSAnalyticsFailableEvent*)event inView:(CKKSKeychainView*)view; +- (NSDictionary *)errorChain:(NSError *)error depth:(NSUInteger)depth; + +@end + +#endif + + diff --git a/keychain/ckks/CKKSAnalytics.m b/keychain/ckks/CKKSAnalytics.m new file mode 100644 index 00000000..f26019f9 --- /dev/null +++ b/keychain/ckks/CKKSAnalytics.m 
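Review bot: The header declares `OctagonEventRestoredSignedBottlePeer`, `OctagonEventRestoredOctagonPeerEncryptionKey`, `OctagonEventRestoredOctagonPeerSigningKey` and `OctagonEventRestoreComplete` as `extern`, but the new CKKSAnalytics.m added by this commit defines none of them. Unless another file provides the definitions, the first use of any of these will fail at link time. Either define the four constants next to the other `OctagonEvent…` definitions or drop the declarations until they are needed.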
@@ -0,0 +1,302 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if OCTAGON + +#import +#import +#import + +#import "keychain/ckks/CKKSAnalytics.h" +#import "keychain/ot/OTDefines.h" +#import "keychain/ckks/CKKS.h" +#import "keychain/ckks/CKKSViewManager.h" +#import "keychain/ckks/CKKSKeychainView.h" +#import "Analytics/SFAnalytics.h" +#include +#include + +NSString* const CKKSAnalyticsInCircle = @"inCircle"; +NSString* const CKKSAnalyticsHasTLKs = @"TLKs"; +NSString* const CKKSAnalyticsSyncedClassARecently = @"inSyncA"; +NSString* const CKKSAnalyticsSyncedClassCRecently = @"inSyncC"; +NSString* const CKKSAnalyticsIncomingQueueIsErrorFree = @"IQNOE"; +NSString* const CKKSAnalyticsOutgoingQueueIsErrorFree = @"OQNOE"; +NSString* const CKKSAnalyticsInSync = @"inSync"; +NSString* const CKKSAnalyticsValidCredentials = @"validCredentials"; +NSString* const CKKSAnalyticsLastUnlock = @"lastUnlock"; +NSString* const CKKSAnalyticsLastKeystateReady = @"lastKSR"; +NSString* const CKKSAnalyticsLastInCircle = @"lastInCircle"; + +static NSString* const 
CKKSAnalyticsAttributeRecoverableError = @"recoverableError"; +static NSString* const CKKSAnalyticsAttributeZoneName = @"zone"; +static NSString* const CKKSAnalyticsAttributeErrorDomain = @"errorDomain"; +static NSString* const CKKSAnalyticsAttributeErrorCode = @"errorCode"; +static NSString* const CKKSAnalyticsAttributeErrorChain = @"errorChain"; + +CKKSAnalyticsFailableEvent* const CKKSEventProcessIncomingQueueClassA = (CKKSAnalyticsFailableEvent*)@"CKKSEventProcessIncomingQueueClassA"; +CKKSAnalyticsFailableEvent* const CKKSEventProcessIncomingQueueClassC = (CKKSAnalyticsFailableEvent*)@"CKKSEventProcessIncomingQueueClassC"; +CKKSAnalyticsFailableEvent* const CKKSEventProcessOutgoingQueue = (CKKSAnalyticsFailableEvent*)@"CKKSEventProcessOutgoingQueue"; +CKKSAnalyticsFailableEvent* const CKKSEventUploadChanges = (CKKSAnalyticsFailableEvent*)@"CKKSEventUploadChanges"; +CKKSAnalyticsFailableEvent* const CKKSEventStateError = (CKKSAnalyticsFailableEvent*)@"CKKSEventStateError"; +CKKSAnalyticsFailableEvent* const CKKSEventProcessHealKeyHierarchy = (CKKSAnalyticsFailableEvent *)@"CKKSEventProcessHealKeyHierarchy"; + +NSString* const OctagonEventFailureReason = @"FailureReason"; + +CKKSAnalyticsFailableEvent* const OctagonEventPreflightBottle = (CKKSAnalyticsFailableEvent*)@"OctagonEventPreflightBottle"; +CKKSAnalyticsFailableEvent* const OctagonEventLaunchBottle = (CKKSAnalyticsFailableEvent*)@"OctagonEventLaunchBottle"; +CKKSAnalyticsFailableEvent* const OctagonEventRestoreBottle = (CKKSAnalyticsFailableEvent*)@"OctagonEventRestoreBottle"; +CKKSAnalyticsFailableEvent* const OctagonEventScrubBottle = (CKKSAnalyticsFailableEvent*)@"OctagonEventScrubBottle"; +CKKSAnalyticsFailableEvent* const OctagonEventSignIn = (CKKSAnalyticsFailableEvent *)@"OctagonEventSignIn"; +CKKSAnalyticsFailableEvent* const OctagonEventSignOut = (CKKSAnalyticsFailableEvent *)@"OctagonEventSignIn"; +CKKSAnalyticsFailableEvent* const OctagonEventRamp = (CKKSAnalyticsFailableEvent 
*)@"OctagonEventRamp"; +CKKSAnalyticsFailableEvent* const OctagonEventBottleCheck = (CKKSAnalyticsFailableEvent *)@"OctagonEventBottleCheck"; +CKKSAnalyticsFailableEvent* const OctagonEventCoreFollowUp = (CKKSAnalyticsFailableEvent *)@"OctagonEventCoreFollowUp"; + +CKKSAnalyticsSignpostEvent* const CKKSEventPushNotificationReceived = (CKKSAnalyticsSignpostEvent*)@"CKKSEventPushNotificationReceived"; +CKKSAnalyticsSignpostEvent* const CKKSEventItemAddedToOutgoingQueue = (CKKSAnalyticsSignpostEvent*)@"CKKSEventItemAddedToOutgoingQueue"; +CKKSAnalyticsSignpostEvent* const CKKSEventMissingLocalItemsFound = (CKKSAnalyticsSignpostEvent*)@"CKKSEventMissingLocalItemsFound"; +CKKSAnalyticsSignpostEvent* const CKKSEventReachabilityTimerExpired = (CKKSAnalyticsSignpostEvent *)@"CKKSEventReachabilityTimerExpired"; + +CKKSAnalyticsActivity* const CKKSActivityOTFetchRampState = (CKKSAnalyticsActivity *)@"CKKSActivityOTFetchRampState"; +CKKSAnalyticsActivity* const CKKSActivityOctagonSignIn = (CKKSAnalyticsActivity *)@"CKKSActivityOctagonSignIn"; +CKKSAnalyticsActivity* const CKKSActivityOctagonPreflightBottle = (CKKSAnalyticsActivity *)@"CKKSActivityOctagonPreflightBottle"; +CKKSAnalyticsActivity* const CKKSActivityOctagonLaunchBottle = (CKKSAnalyticsActivity *)@"CKKSActivityOctagonLaunchBottle"; +CKKSAnalyticsActivity* const CKKSActivityOctagonRestore = (CKKSAnalyticsActivity *)@"CKKSActivityOctagonRestore"; +CKKSAnalyticsActivity* const CKKSActivityScrubBottle = (CKKSAnalyticsActivity *)@"CKKSActivityScrubBottle"; +CKKSAnalyticsActivity* const CKKSActivityBottleCheck = (CKKSAnalyticsActivity *)@"CKKSActivityBottleCheck"; + +@implementation CKKSAnalytics + ++ (NSString*)databasePath +{ + // This block exists because we moved database locations in 11.3 for easier sandboxing of securityuploadd, so we're cleaning up. 
+ static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + WithPathInKeychainDirectory(CFSTR("ckks_analytics_v2.db"), ^(const char *filename) { + remove(filename); + }); + WithPathInKeychainDirectory(CFSTR("ckks_analytics_v2.db-wal"), ^(const char *filename) { + remove(filename); + }); + WithPathInKeychainDirectory(CFSTR("ckks_analytics_v2.db-shm"), ^(const char *filename) { + remove(filename); + }); + }); + + WithPathInKeychainDirectory(CFSTR("Analytics"), ^(const char *path) { +#if TARGET_OS_IPHONE + mode_t permissions = 0775; +#else + mode_t permissions = 0700; +#endif // TARGET_OS_IPHONE + int ret = mkpath_np(path, permissions); + if (!(ret == 0 || ret == EEXIST)) { + secerror("could not create path: %s (%s)", path, strerror(ret)); + } + chmod(path, permissions); + }); + return [(__bridge_transfer NSURL*)SecCopyURLForFileInKeychainDirectory((__bridge CFStringRef)@"Analytics/ckks_analytics.db") path]; +} + ++ (instancetype)logger +{ + // just here because I want it in the header for discoverability + return [super logger]; +} + +- (void)logSuccessForEvent:(CKKSAnalyticsFailableEvent*)event inView:(CKKSKeychainView*)view +{ + [self logSuccessForEventNamed:[NSString stringWithFormat:@"%@-%@", view.zoneName, event]]; + [self setDateProperty:[NSDate date] forKey:[NSString stringWithFormat:@"last_success_%@-%@", view.zoneName, event]]; +} + +- (bool)isCKPartialError:(NSError *)error +{ + return [error.domain isEqualToString:CKErrorDomain] && error.code == CKErrorPartialFailure; +} + +- (void)addCKPartialError:(NSMutableDictionary *)errorDictionary error:(NSError *)error depth:(NSUInteger)depth +{ + // capture one random underlaying error + if ([self isCKPartialError:error]) { + NSDictionary *partialErrors = error.userInfo[CKPartialErrorsByItemIDKey]; + if ([partialErrors isKindOfClass:[NSDictionary class]]) { + for (NSString *key in partialErrors) { + NSError* ckError = partialErrors[key]; + if (![ckError isKindOfClass:[NSError class]]) + continue; + if 
([ckError.domain isEqualToString:CKErrorDomain] && ckError.code == CKErrorBatchRequestFailed) { + continue; + } + NSDictionary *res = [self errorChain:ckError depth:(depth + 1)]; + if (res) { + errorDictionary[@"oneCloudKitPartialFailure"] = res; + break; + } + } + } + } +} + +// if we have underlying errors, capture the chain below the top-most error +- (NSDictionary *)errorChain:(NSError *)error depth:(NSUInteger)depth +{ + NSMutableDictionary *errorDictionary = nil; + + if (depth > 5 || ![error isKindOfClass:[NSError class]]) + return nil; + + errorDictionary = [@{ + @"domain" : error.domain, + @"code" : @(error.code), + } mutableCopy]; + + errorDictionary[@"child"] = [self errorChain:error.userInfo[NSUnderlyingErrorKey] depth:(depth + 1)]; + [self addCKPartialError:errorDictionary error:error depth:(depth + 1)]; + + return errorDictionary; +} +- (void)logRecoverableError:(NSError*)error forEvent:(CKKSAnalyticsFailableEvent*)event zoneName:(NSString*)zoneName withAttributes:(NSDictionary *)attributes +{ + if (error == nil){ + return; + } + NSMutableDictionary* eventAttributes = [NSMutableDictionary dictionary]; + + /* Don't allow caller to overwrite our attributes, lets merge them first */ + if (attributes) { + [eventAttributes setValuesForKeysWithDictionary:attributes]; + } + + [eventAttributes setValuesForKeysWithDictionary:@{ + CKKSAnalyticsAttributeRecoverableError : @(YES), + CKKSAnalyticsAttributeZoneName : zoneName, + CKKSAnalyticsAttributeErrorDomain : error.domain, + CKKSAnalyticsAttributeErrorCode : @(error.code) + }]; + + eventAttributes[CKKSAnalyticsAttributeErrorChain] = [self errorChain:error.userInfo[NSUnderlyingErrorKey] depth:0]; + [self addCKPartialError:eventAttributes error:error depth:0]; + + [super logSoftFailureForEventNamed:event withAttributes:eventAttributes]; +} +- (void)logRecoverableError:(NSError*)error forEvent:(CKKSAnalyticsFailableEvent*)event inView:(CKKSKeychainView*)view withAttributes:(NSDictionary *)attributes +{ + if (error 
== nil){ + return; + } + NSMutableDictionary* eventAttributes = [NSMutableDictionary dictionary]; + + /* Don't allow caller to overwrite our attributes, lets merge them first */ + if (attributes) { + [eventAttributes setValuesForKeysWithDictionary:attributes]; + } + + [eventAttributes setValuesForKeysWithDictionary:@{ + CKKSAnalyticsAttributeRecoverableError : @(YES), + CKKSAnalyticsAttributeZoneName : view.zoneName, + CKKSAnalyticsAttributeErrorDomain : error.domain, + CKKSAnalyticsAttributeErrorCode : @(error.code) + }]; + + eventAttributes[CKKSAnalyticsAttributeErrorChain] = [self errorChain:error.userInfo[NSUnderlyingErrorKey] depth:0]; + [self addCKPartialError:eventAttributes error:error depth:0]; + + [super logSoftFailureForEventNamed:event withAttributes:eventAttributes]; +} + +- (void)logUnrecoverableError:(NSError*)error forEvent:(CKKSAnalyticsFailableEvent*)event inView:(CKKSKeychainView*)view withAttributes:(NSDictionary *)attributes +{ + if (error == nil){ + return; + } + NSMutableDictionary* eventAttributes = [NSMutableDictionary dictionary]; + if (attributes) { + [eventAttributes setValuesForKeysWithDictionary:attributes]; + } + + eventAttributes[CKKSAnalyticsAttributeErrorChain] = [self errorChain:error.userInfo[NSUnderlyingErrorKey] depth:0]; + [self addCKPartialError:eventAttributes error:error depth:0]; + + [eventAttributes setValuesForKeysWithDictionary:@{ + CKKSAnalyticsAttributeRecoverableError : @(NO), + CKKSAnalyticsAttributeZoneName : view.zoneName, + CKKSAnalyticsAttributeErrorDomain : error.domain, + CKKSAnalyticsAttributeErrorCode : @(error.code) + }]; + + [self logHardFailureForEventNamed:event withAttributes:eventAttributes]; +} + +- (void)logUnrecoverableError:(NSError*)error forEvent:(CKKSAnalyticsFailableEvent*)event withAttributes:(NSDictionary *)attributes +{ + if (error == nil){ + return; + } + NSMutableDictionary* eventAttributes = [NSMutableDictionary dictionary]; + + /* Don't allow caller to overwrite our attributes, lets 
merge them first */ + if (attributes) { + [eventAttributes setValuesForKeysWithDictionary:attributes]; + } + + eventAttributes[CKKSAnalyticsAttributeErrorChain] = [self errorChain:error.userInfo[NSUnderlyingErrorKey] depth:0]; + [self addCKPartialError:eventAttributes error:error depth:0]; + + [eventAttributes setValuesForKeysWithDictionary:@{ + CKKSAnalyticsAttributeRecoverableError : @(NO), + CKKSAnalyticsAttributeZoneName : OctagonEventAttributeZoneName, + CKKSAnalyticsAttributeErrorDomain : error.domain, + CKKSAnalyticsAttributeErrorCode : @(error.code) + }]; + + [self logHardFailureForEventNamed:event withAttributes:eventAttributes]; +} + +- (void)noteEvent:(CKKSAnalyticsSignpostEvent*)event +{ + [self noteEventNamed:event]; +} +- (void)noteEvent:(CKKSAnalyticsSignpostEvent*)event inView:(CKKSKeychainView*)view +{ + [self noteEventNamed:[NSString stringWithFormat:@"%@-%@", view.zoneName, event]]; +} + +- (NSDate*)dateOfLastSuccessForEvent:(CKKSAnalyticsFailableEvent*)event inView:(CKKSKeychainView*)view +{ + return [self datePropertyForKey:[NSString stringWithFormat:@"last_success_%@-%@", view.zoneName, event]]; +} + +- (void)setDateProperty:(NSDate*)date forKey:(NSString*)key inView:(CKKSKeychainView *)view +{ + [self setDateProperty:date forKey:[NSString stringWithFormat:@"%@-%@", key, view.zoneName]]; +} +- (NSDate *)datePropertyForKey:(NSString *)key inView:(CKKSKeychainView *)view +{ + return [self datePropertyForKey:[NSString stringWithFormat:@"%@-%@", key, view.zoneName]]; +} + +@end + +#endif // OCTAGON diff --git a/keychain/ckks/CKKSAnalyticsLogger.h b/keychain/ckks/CKKSAnalyticsLogger.h deleted file mode 100644 index 6d249200..00000000 --- a/keychain/ckks/CKKSAnalyticsLogger.h +++ /dev/null 
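Review bot: `OctagonEventSignOut` is initialised with the string `@"OctagonEventSignIn"`, so sign-out successes and failures are recorded under the sign-in event name and the two cannot be told apart in the analytics store. It should read `CKKSAnalyticsFailableEvent* const OctagonEventSignOut = (CKKSAnalyticsFailableEvent *)@"OctagonEventSignOut";`. In `+databasePath` the Analytics directory is created with mode 0775 on `TARGET_OS_IPHONE` and the `chmod` result is ignored. If group write exists only for the uploader process the comment mentions, note that next to the constant and report a failing `chmod` the way the `mkpath_np` failure is reported. The `log…Error:` methods also place `view.zoneName` or `zoneName` in a dictionary literal, which throws on nil, so a nil view turns an error report into a crash; guard it or document the non-nil requirement.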
@@ -1,63 +0,0 @@ -/* - * Copyright (c) 2017 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#import - -#if OCTAGON -#import "Analytics/SFAnalyticsLogger.h" - -@class CKKSKeychainView; - -@protocol CKKSAnalyticsFailableEvent -@end -typedef NSString CKKSAnalyticsFailableEvent; -extern CKKSAnalyticsFailableEvent* const CKKSEventProcessIncomingQueueClassA; -extern CKKSAnalyticsFailableEvent* const CKKSEventProcessIncomingQueueClassC; -extern CKKSAnalyticsFailableEvent* const CKKSEventUploadChanges; -extern CKKSAnalyticsFailableEvent* const CKKSEventStateError; - -@protocol CKKSAnalyticsSignpostEvent -@end -typedef NSString CKKSAnalyticsSignpostEvent; -extern CKKSAnalyticsSignpostEvent* const CKKSEventPushNotificationReceived; -extern CKKSAnalyticsSignpostEvent* const CKKSEventItemAddedToOutgoingQueue; - -@interface CKKSAnalyticsLogger : SFAnalyticsLogger - -+ (instancetype)logger; - -- (void)logSuccessForEvent:(CKKSAnalyticsFailableEvent*)event inView:(CKKSKeychainView*)view; -- (void)logRecoverableError:(NSError*)error forEvent:(CKKSAnalyticsFailableEvent*)event 
inView:(CKKSKeychainView*)view withAttributes:(NSDictionary *)attributes; -- (void)logUnrecoverableError:(NSError*)error forEvent:(CKKSAnalyticsFailableEvent*)event inView:(CKKSKeychainView*)view withAttributes:(NSDictionary *)attributes; - -- (void)noteEvent:(CKKSAnalyticsSignpostEvent*)event inView:(CKKSKeychainView*)view; - -@end - -@interface CKKSAnalyticsLogger (UniteTesting) - -- (NSDate*)dateOfLastSuccessForEvent:(CKKSAnalyticsFailableEvent*)event inView:(CKKSKeychainView*)view; - -@end - -#endif diff --git a/keychain/ckks/CKKSAnalyticsLogger.m b/keychain/ckks/CKKSAnalyticsLogger.m deleted file mode 100644 index 952ae55c..00000000 --- a/keychain/ckks/CKKSAnalyticsLogger.m +++ /dev/null 
@@ -1,170 +0,0 @@ -/* - * Copyright (c) 2017 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#if OCTAGON - -#import "CKKSAnalyticsLogger.h" -#import "debugging.h" -#import "CKKS.h" -#import "CKKSViewManager.h" -#import "CKKSKeychainView.h" -#include -#import "Analytics/SFAnalyticsLogger.h" -#import - -static NSString* const CKKSAnalyticsAttributeRecoverableError = @"recoverableError"; -static NSString* const CKKSAnalyticsAttributeZoneName = @"zone"; -static NSString* const CKKSAnalyticsAttributeErrorDomain = @"errorDomain"; -static NSString* const CKKSAnalyticsAttributeErrorCode = @"errorCode"; - -static NSString* const CKKSAnalyticsInCircle = @"inCircle"; -static NSString* const CKKSAnalyticsDeviceID = @"ckdeviceID"; -static NSString* const CKKSAnalyticsHasTLKs = @"TLKs"; -static NSString* const CKKSAnalyticsSyncedClassARecently = @"inSyncA"; -static NSString* const CKKSAnalyticsSyncedClassCRecently = @"inSyncC"; -static NSString* const CKKSAnalyticsIncomingQueueIsErrorFree = @"IQNOE"; -static NSString* const CKKSAnalyticsOutgoingQueueIsErrorFree = @"OQNOE"; -static 
NSString* const CKKSAnalyticsInSync = @"inSync"; - -CKKSAnalyticsFailableEvent* const CKKSEventProcessIncomingQueueClassA = (CKKSAnalyticsFailableEvent*)@"CKKSEventProcessIncomingQueueClassA"; -CKKSAnalyticsFailableEvent* const CKKSEventProcessIncomingQueueClassC = (CKKSAnalyticsFailableEvent*)@"CKKSEventProcessIncomingQueueClassC"; -CKKSAnalyticsFailableEvent* const CKKSEventUploadChanges = (CKKSAnalyticsFailableEvent*)@"CKKSEventUploadChanges"; -CKKSAnalyticsFailableEvent* const CKKSEventStateError = (CKKSAnalyticsFailableEvent*)@"CKKSEventStateError"; - -CKKSAnalyticsSignpostEvent* const CKKSEventPushNotificationReceived = (CKKSAnalyticsSignpostEvent*)@"CKKSEventPushNotificationReceived"; -CKKSAnalyticsSignpostEvent* const CKKSEventItemAddedToOutgoingQueue = (CKKSAnalyticsSignpostEvent*)@"CKKSEventItemAddedToOutgoingQueue"; - -@implementation CKKSAnalyticsLogger - -+ (NSString*)databasePath -{ - return [(__bridge_transfer NSURL*)SecCopyURLForFileInKeychainDirectory((__bridge CFStringRef)@"ckks_analytics_v2.db") path]; -} - -+ (instancetype)logger -{ - // just here because I want it in the header for discoverability - return [super logger]; -} - -- (void)logSuccessForEvent:(CKKSAnalyticsFailableEvent*)event inView:(CKKSKeychainView*)view -{ - [self logSuccessForEventNamed:[NSString stringWithFormat:@"%@-%@", view.zoneName, event]]; - [self setDateProperty:[NSDate date] forKey:[NSString stringWithFormat:@"last_success_%@-%@", view.zoneName, event]]; -} - -- (void)logRecoverableError:(NSError*)error forEvent:(CKKSAnalyticsFailableEvent*)event inView:(CKKSKeychainView*)view withAttributes:(NSDictionary *)attributes -{ - NSDictionary* eventAttributes = @{ CKKSAnalyticsAttributeRecoverableError : @(YES), - CKKSAnalyticsAttributeZoneName : view.zoneName, - CKKSAnalyticsAttributeErrorDomain : error.domain, - CKKSAnalyticsAttributeErrorCode : @(error.code) }; - - if (attributes) { - /* Don't allow caller to overwrite our attributes */ - NSMutableDictionary 
*mergedAttributes = [attributes mutableCopy]; - [mergedAttributes setValuesForKeysWithDictionary:eventAttributes]; - eventAttributes = mergedAttributes; - } - - [super logSoftFailureForEventNamed:event withAttributes:eventAttributes]; -} - -- (void)logUnrecoverableError:(NSError*)error forEvent:(CKKSAnalyticsFailableEvent*)event inView:(CKKSKeychainView*)view withAttributes:(NSDictionary *)attributes -{ - if (error == nil) - return; - NSDictionary* eventAttributes = @{ CKKSAnalyticsAttributeRecoverableError : @(NO), - CKKSAnalyticsAttributeZoneName : view.zoneName, - CKKSAnalyticsAttributeErrorDomain : error.domain, - CKKSAnalyticsAttributeErrorCode : @(error.code) }; - - if (attributes) { - /* Don't allow caller to overwrite our attributes */ - NSMutableDictionary *mergedAttributes = [attributes mutableCopy]; - [mergedAttributes setValuesForKeysWithDictionary:eventAttributes]; - eventAttributes = mergedAttributes; - } - - [self logHardFailureForEventNamed:event withAttributes:eventAttributes]; -} - -- (void)noteEvent:(CKKSAnalyticsSignpostEvent*)event inView:(CKKSKeychainView*)view -{ - [self noteEventNamed:[NSString stringWithFormat:@"%@-%@", view.zoneName, event]]; -} - -- (NSDate*)dateOfLastSuccessForEvent:(CKKSAnalyticsFailableEvent*)event inView:(CKKSKeychainView*)view -{ - return [self datePropertyForKey:[NSString stringWithFormat:@"last_success_%@-%@", view.zoneName, event]]; -} - -- (NSDictionary*)extraValuesToUploadToServer -{ - NSMutableDictionary* values = [NSMutableDictionary dictionary]; - CKKSCKAccountStateTracker* accountTracker = [[CKKSViewManager manager] accountTracker]; - BOOL inCircle = accountTracker && accountTracker.currentCircleStatus == kSOSCCInCircle; - values[CKKSAnalyticsInCircle] = @(inCircle); - - NSString *ckdeviceID = accountTracker.ckdeviceID; - if (ckdeviceID) - values[CKKSAnalyticsDeviceID] = ckdeviceID; - for (NSString* viewName in [[CKKSViewManager manager] viewList]) { - CKKSKeychainView* view = [CKKSViewManager 
findOrCreateView:viewName]; - NSDate* dateOfLastSyncClassA = [self dateOfLastSuccessForEvent:CKKSEventProcessIncomingQueueClassA inView:view]; - NSDate* dateOfLastSyncClassC = [self dateOfLastSuccessForEvent:CKKSEventProcessIncomingQueueClassC inView:view]; - - NSInteger fuzzyDaysSinceClassASync = [CKKSAnalyticsLogger fuzzyDaysSinceDate:dateOfLastSyncClassA]; - NSInteger fuzzyDaysSinceClassCSync = [CKKSAnalyticsLogger fuzzyDaysSinceDate:dateOfLastSyncClassC]; - [values setValue:@(fuzzyDaysSinceClassASync) forKey:[NSString stringWithFormat:@"%@-daysSinceClassASync", viewName]]; - [values setValue:@(fuzzyDaysSinceClassCSync) forKey:[NSString stringWithFormat:@"%@-daysSinceClassCSync", viewName]]; - - BOOL hasTLKs = [view.keyHierarchyState isEqualToString:SecCKKSZoneKeyStateReady]; - BOOL syncedClassARecently = fuzzyDaysSinceClassASync < 7; - BOOL syncedClassCRecently = fuzzyDaysSinceClassCSync < 7; - BOOL incomingQueueIsErrorFree = view.lastIncomingQueueOperation.error == nil; - BOOL outgoingQueueIsErrorFree = view.lastOutgoingQueueOperation.error == nil; - - NSString* hasTLKsKey = [NSString stringWithFormat:@"%@-%@", viewName, CKKSAnalyticsHasTLKs]; - NSString* syncedClassARecentlyKey = [NSString stringWithFormat:@"%@-%@", viewName, CKKSAnalyticsSyncedClassARecently]; - NSString* syncedClassCRecentlyKey = [NSString stringWithFormat:@"%@-%@", viewName, CKKSAnalyticsSyncedClassCRecently]; - NSString* incomingQueueIsErrorFreeKey = [NSString stringWithFormat:@"%@-%@", viewName, CKKSAnalyticsIncomingQueueIsErrorFree]; - NSString* outgoingQueueIsErrorFreeKey = [NSString stringWithFormat:@"%@-%@", viewName, CKKSAnalyticsOutgoingQueueIsErrorFree]; - - values[hasTLKsKey] = @(hasTLKs); - values[syncedClassARecentlyKey] = @(syncedClassARecently); - values[syncedClassCRecentlyKey] = @(syncedClassCRecently); - values[incomingQueueIsErrorFreeKey] = @(incomingQueueIsErrorFree); - values[outgoingQueueIsErrorFreeKey] = @(outgoingQueueIsErrorFree); - - BOOL weThinkWeAreInSync = 
inCircle && hasTLKs && syncedClassARecently && syncedClassCRecently && incomingQueueIsErrorFree && outgoingQueueIsErrorFree; - NSString* inSyncKey = [NSString stringWithFormat:@"%@-%@", viewName, CKKSAnalyticsInSync]; - values[inSyncKey] = @(weThinkWeAreInSync); - } - - return values; -} - -@end - -#endif // OCTAGON diff --git a/keychain/ckks/CKKSCKAccountStateTracker.h b/keychain/ckks/CKKSCKAccountStateTracker.h index 19370999..fb055091 100644 --- a/keychain/ckks/CKKSCKAccountStateTracker.h +++ b/keychain/ckks/CKKSCKAccountStateTracker.h @@ -51,7 +51,7 @@ typedef NS_ENUM(NSInteger, CKKSAccountStatus) { CKKSAccountStatusNoAccount = 3, }; -@protocol CKKSAccountStateListener +@protocol CKKSAccountStateListener - (void)ckAccountStatusChange:(CKKSAccountStatus)oldStatus to:(CKKSAccountStatus)currentStatus; @end @@ -62,6 +62,10 @@ typedef NS_ENUM(NSInteger, CKKSAccountStatus) { @property (nullable) CKAccountInfo* currentCKAccountInfo; @property SOSCCStatus currentCircleStatus; +@property (readonly,atomic) CKKSAccountStatus currentComputedAccountStatus; +@property (nullable,readonly,atomic) NSError* currentAccountError; +@property CKKSCondition* currentComputedAccountStatusValid; + // Fetched and memoized from CloudKit; we can't afford deadlocks with their callbacks @property (nullable, copy) NSString* ckdeviceID; @property (nullable) NSError* ckdeviceIDError; diff --git a/keychain/ckks/CKKSCKAccountStateTracker.m b/keychain/ckks/CKKSCKAccountStateTracker.m index 9c340e19..ee8a40ba 100644 --- a/keychain/ckks/CKKSCKAccountStateTracker.m +++ b/keychain/ckks/CKKSCKAccountStateTracker.m 
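Review bot: `currentComputedAccountStatusValid` is added to CKKSCKAccountStateTracker.h as a plain read-write `@property CKKSCondition*`, while the two properties added beside it are `readonly`. A client that assigns a fresh condition would strand anyone waiting on the old one. In the hunks shown, the tracker itself sets it only through the ivar in its initializer (`_currentComputedAccountStatusValid = [[CKKSCondition alloc] init];`). Unless tests need to replace it, I would declare it `@property (readonly) CKKSCondition* currentComputedAccountStatusValid;`.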
@@ -27,16 +27,19 @@ #include #include #include +#include #include #import "keychain/ckks/CKKS.h" +#import "keychain/ckks/CloudKitCategories.h" #import "keychain/ckks/CKKSCKAccountStateTracker.h" - +#import "keychain/ckks/CKKSAnalytics.h" @interface CKKSCKAccountStateTracker () @property (readonly) Class nsnotificationCenterClass; @property CKKSAccountStatus currentComputedAccountStatus; +@property (nullable, atomic) NSError* currentAccountError; @property dispatch_queue_t queue; @@ -59,10 +62,11 @@ _currentCircleStatus = kSOSCCError; _currentComputedAccountStatus = CKKSAccountStatusUnknown; + _currentComputedAccountStatusValid = [[CKKSCondition alloc] init]; _container = container; - _queue = dispatch_queue_create("ck-account-state", DISPATCH_QUEUE_SERIAL); + _queue = dispatch_queue_create("ck-account-state", DISPATCH_QUEUE_SERIAL_WITH_AUTORELEASE_POOL); _firstCKAccountFetch = false; _firstSOSCircleFetch = false; @@ -90,9 +94,11 @@ if(!strongSelf) { return; } - [strongSelf notifyCKAccountStatusChange:nil]; - [strongSelf notifyCircleChange:nil]; - [strongSelf.finishedInitialDispatches fulfill]; + @autoreleasepool { + [strongSelf notifyCKAccountStatusChange:nil]; + [strongSelf notifyCircleChange:nil]; + [strongSelf.finishedInitialDispatches fulfill]; + } }); } return self; @@ -104,11 +110,12 @@ } -(NSString*)descriptionInternal: (NSString*) selfString { - return [NSString stringWithFormat:@"<%@: %@ (%@ %@)", + return [NSString stringWithFormat:@"<%@: %@ (%@ %@) %@>", selfString, [self currentStatus], self.currentCKAccountInfo, - SOSCCGetStatusDescription(self.currentCircleStatus)]; + SOSCCGetStatusDescription(self.currentCircleStatus), + self.currentAccountError ?: @""]; } -(NSString*)description { 
@@ -139,8 +146,11 @@ dispatch_queue_t objQueue = dispatch_queue_create([queueName UTF8String], DISPATCH_QUEUE_SERIAL); [self.changeListeners setObject: listener forKey: objQueue]; + secinfo("ckksaccount", "adding a new listener: %@", listener); + // If we know the current account status, let this listener know if(self.currentComputedAccountStatus != CKKSAccountStatusUnknown) { + secinfo("ckksaccount", "notifying new listener %@ of current state %d", listener, (int)self.currentComputedAccountStatus); dispatch_group_t g = dispatch_group_create(); if(!g) { @@ -205,6 +215,10 @@ if(ckAccountInfo.accountStatus == CKAccountStatusAvailable) { [self.container fetchCurrentDeviceIDWithCompletionHandler:^(NSString* deviceID, NSError* ckerror) { __strong __typeof(self) strongSelf = weakSelf; + if(!strongSelf) { + secerror("ckksaccount: Received fetchCurrentDeviceIDWithCompletionHandler callback with null AccountStateTracker"); + return; + } // Make sure you synchronize here; if we've logged out before the callback returns, don't record the result dispatch_async(strongSelf.queue, ^{ @@ -254,6 +268,11 @@ if(sosccstatus == kSOSCCInCircle) { [CKKSCKAccountStateTracker fetchCirclePeerID:^(NSString* peerID, NSError* error) { __strong __typeof(self) strongSelf = weakSelf; + if(!strongSelf) { + secerror("ckksaccount: Received fetchCirclePeerID callback with null AccountStateTracker"); + return; + } + dispatch_async(strongSelf.queue, ^{ __strong __typeof(self) innerstrongSelf = weakSelf; 
@@ -281,6 +300,57 @@ } } +- (bool)_onqueueDetermineLoggedIn:(NSError**)error { + // We are logged in if we are: + // in CKAccountStatusAvailable + // and supportsDeviceToDeviceEncryption == true + // and the iCloud account is not in grey mode + // and in circle + dispatch_assert_queue(self.queue); + if(self.currentCKAccountInfo) { + if(self.currentCKAccountInfo.accountStatus != CKAccountStatusAvailable) { + if(error) { + *error = [NSError errorWithDomain:CKKSErrorDomain + code:CKKSNotLoggedIn + description:@"iCloud account is logged out"]; + } + return false; + } else if(!self.currentCKAccountInfo.supportsDeviceToDeviceEncryption) { + if(error) { + *error = [NSError errorWithDomain:CKKSErrorDomain + code:CKKSNotHSA2 + description:@"iCloud account is not HSA2"]; + } + return false; + } else if(!self.currentCKAccountInfo.hasValidCredentials) { + if(error) { + *error = [NSError errorWithDomain:CKKSErrorDomain + code:CKKSiCloudGreyMode + description:@"iCloud account is in grey mode"]; + } + return false; + } + } else { + if(error) { + *error = [NSError errorWithDomain:CKKSErrorDomain + code:CKKSNotLoggedIn + description:@"No current iCloud account status"]; + } + return false; + } + + if(self.currentCircleStatus != kSOSCCInCircle) { + if(error) { + *error = [NSError errorWithDomain:(__bridge NSString*)kSOSErrorDomain + code:kSOSErrorNotInCircle + description:@"Not in circle"]; + } + return false; + } + + return true; +} + -(void)_onqueueUpdateAccountState:(CKAccountInfo*)ckAccountInfo circle:(SOSCCStatus)sosccstatus deliveredSemaphore:(dispatch_semaphore_t)finishedSema { dispatch_assert_queue(self.queue); 
@@ -300,7 +370,9 @@ if(self.currentCircleStatus != sosccstatus) { secnotice("ckksaccount", "moving to circle status: %@", SOSCCGetStatusDescription(sosccstatus)); self.currentCircleStatus = sosccstatus; - + if (sosccstatus == kSOSCCInCircle) { + [[CKKSAnalytics logger] setDateProperty:[NSDate date] forKey:CKKSAnalyticsLastInCircle]; + } [self _onqueueUpdateCirclePeerID: sosccstatus]; } @@ -310,28 +382,17 @@ return; } - // We are CKKSAccountStatusAvailable if we are: - // in CKAccountStatusAvailable - // and in circle - // and supportsDeviceToDeviceEncryption == true CKKSAccountStatus oldComputedStatus = self.currentComputedAccountStatus; - if(self.currentCKAccountInfo) { - if(self.currentCKAccountInfo.accountStatus == CKAccountStatusAvailable) { - // CloudKit thinks we're logged in. Double check! - if(self.currentCKAccountInfo.supportsDeviceToDeviceEncryption && self.currentCircleStatus == kSOSCCInCircle) { - self.currentComputedAccountStatus = CKKSAccountStatusAvailable; - } else { - self.currentComputedAccountStatus = CKKSAccountStatusNoAccount; - } - - } else { - // Account status is not CKAccountStatusAvailable; no more checking required. - self.currentComputedAccountStatus = CKKSAccountStatusNoAccount; - } + NSError* error = nil; + if([self _onqueueDetermineLoggedIn:&error]) { + self.currentComputedAccountStatus = CKKSAccountStatusAvailable; + self.currentAccountError = nil; } else { - // No CKAccountInfo? We haven't received an update from cloudd yet; Change nothing. + self.currentComputedAccountStatus = CKKSAccountStatusNoAccount; + self.currentAccountError = error; } + [self.currentComputedAccountStatusValid fulfill]; if(oldComputedStatus == self.currentComputedAccountStatus) { secnotice("ckksaccount", "No change in computed account status: %@ (%@ %@)", diff --git a/keychain/ckks/CKKSControl.h b/keychain/ckks/CKKSControl.h index 32aedf63..2e3434db 100644 --- a/keychain/ckks/CKKSControl.h +++ b/keychain/ckks/CKKSControl.h 
@@ -28,6 +28,13 @@ NS_ASSUME_NONNULL_BEGIN + +typedef NS_ENUM(NSUInteger, CKKSKnownBadState) { + CKKSKnownStatePossiblyGood = 0, // State might be good: give your operation a shot! + CKKSKnownStateTLKsMissing = 1, // CKKS doesn't have the TLKs: your operation will likely not succeed + CKKSKnownStateWaitForUnlock = 2, // CKKS has some important things to do, but the device is locked. Your operation will likely not succeed +}; + @interface CKKSControl : NSObject - (instancetype)init NS_UNAVAILABLE; @@ -42,13 +49,12 @@ NS_ASSUME_NONNULL_BEGIN - (void)rpcFetchAndProcessClassAChanges:(NSString* _Nullable)viewName reply:(void (^)(NSError* _Nullable error))reply; - (void)rpcPushOutgoingChanges:(NSString* _Nullable)viewName reply:(void (^)(NSError* _Nullable error))reply; -- (void)rpcPerformanceCounters: (void(^)(NSDictionary *,NSError*))reply; -- (void)rpcGetAnalyticsSysdiagnoseWithReply:(void (^)(NSString* sysdiagnose, NSError* error))reply; -- (void)rpcGetAnalyticsJSONWithReply: (void (^)(NSData* json, NSError* error))reply; -- (void)rpcForceUploadAnalyticsWithReply: (void (^)(BOOL success, NSError* error))reply; +- (void)rpcPerformanceCounters:(void(^)(NSDictionary *,NSError*))reply; +- (void)rpcGetCKDeviceIDWithReply:(void (^)(NSString* ckdeviceID))reply; // convenience wrapper for rpcStatus:reply: - (void)rpcTLKMissing:(NSString* _Nullable)viewName reply:(void (^)(bool missing))reply; +- (void)rpcKnownBadState:(NSString* _Nullable)viewName reply:(void (^)(CKKSKnownBadState))reply; + (CKKSControl* _Nullable)controlObject:(NSError* _Nullable __autoreleasing* _Nullable)error; diff --git a/keychain/ckks/CKKSControl.m b/keychain/ckks/CKKSControl.m index 276c41b6..3f56cf49 100644 --- a/keychain/ckks/CKKSControl.m +++ b/keychain/ckks/CKKSControl.m @@ -30,6 +30,7 @@ #import "keychain/ckks/CKKSControl.h" #import "keychain/ckks/CKKSControlProtocol.h" +#import "keychain/ckks/CKKSControlServer.h" #include 
@@ -109,27 +110,11 @@ }]; } -- (void)rpcGetAnalyticsSysdiagnoseWithReply:(void (^)(NSString* sysdiagnose, NSError* error))reply { - [[self.connection remoteObjectProxyWithErrorHandler:^(NSError* error) { - reply(nil, error); - }] rpcGetAnalyticsSysdiagnoseWithReply:^(NSString* sysdiagnose, NSError* error){ - reply(sysdiagnose, error); - }]; -} - -- (void)rpcGetAnalyticsJSONWithReply:(void (^)(NSData* json, NSError* error))reply { - [[self.connection remoteObjectProxyWithErrorHandler:^(NSError* error) { - reply(nil, error); - }] rpcGetAnalyticsJSONWithReply:^(NSData* json, NSError* error){ - reply(json, error); - }]; -} - -- (void)rpcForceUploadAnalyticsWithReply: (void (^)(BOOL success, NSError* error))reply { - [[self.connection remoteObjectProxyWithErrorHandler:^(NSError* error) { - reply(false, error); - }] rpcForceUploadAnalyticsWithReply:^(BOOL success, NSError* error){ - reply(success, error); +- (void)rpcGetCKDeviceIDWithReply:(void (^)(NSString *))reply { + [[self.connection remoteObjectProxyWithErrorHandler:^(NSError * _Nonnull error) { + reply(nil); + }] rpcGetCKDeviceIDWithReply:^(NSString *ckdeviceID) { + reply(ckdeviceID); }]; } 
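Review bot: `rpcGetCKDeviceIDWithReply:` calls `reply(nil)` from the XPC error handler, but CKKSControl.h declares the reply block inside the `NS_ASSUME_NONNULL_BEGIN` region as `void (^)(NSString* ckdeviceID)`, so callers are told the argument is never nil. Declaring it as `reply:(void (^)(NSString* _Nullable ckdeviceID))reply` in both the header and this implementation would make the failure case visible to the analyzer and to Swift callers. The connection error itself is discarded, so logging it in the handler before replying would leave a trace when the service cannot be reached.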
@@ -157,27 +142,43 @@ }]; } -+ (CKKSControl*)controlObject:(NSError* __autoreleasing *)error { +- (void)rpcKnownBadState:(NSString* _Nullable)viewName reply:(void (^)(CKKSKnownBadState))reply { + [self rpcStatus:viewName reply:^(NSArray* results, NSError* blockError) { + bool tlkMissing = false; + bool waitForUnlock = false; - CFErrorRef cferror = NULL; - xpc_endpoint_t endpoint = _SecSecuritydCopyCKKSEndpoint(&cferror); - if (endpoint == NULL) { - NSString* errorstr = NULL; + CKKSKnownBadState response = CKKSKnownStatePossiblyGood; - if(cferror) { - errorstr = CFBridgingRelease(CFErrorCopyDescription(cferror)); - } + // We can now change this hack, but this change needs to be addition-only: CKKS: remove "global" hack from rpcStatus + // Use this hack + for(NSDictionary* result in results) { + NSString* name = result[@"view"]; + NSString* keystate = result[@"keystate"]; - NSString* errorDescription = [NSString stringWithFormat:@"no CKKSControl endpoint available: %@", errorstr ? errorstr : @"unknown error"]; - if(error) { - *error = [NSError errorWithDomain:@"securityd" code:-1 userInfo:@{NSLocalizedDescriptionKey: errorDescription}]; + if([name isEqualToString:@"global"]) { + // this is global status; no view implicated + continue; + } + + if ([keystate isEqualToString:@"waitfortlk"] || [keystate isEqualToString:@"error"]) { + tlkMissing = true; + } + if ([keystate isEqualToString:@"waitforunlock"]) { + waitForUnlock = true; + } } - return nil; - } - NSXPCListenerEndpoint *listenerEndpoint = [[NSXPCListenerEndpoint alloc] init]; - [listenerEndpoint _setEndpoint:endpoint]; - NSXPCConnection* connection = [[NSXPCConnection alloc] initWithListenerEndpoint:listenerEndpoint]; + response = (tlkMissing ? CKKSKnownStateTLKsMissing : + (waitForUnlock ? 
CKKSKnownStateWaitForUnlock : + CKKSKnownStatePossiblyGood)); + + reply(response); + }]; +} + ++ (CKKSControl*)controlObject:(NSError* __autoreleasing *)error { + + NSXPCConnection* connection = [[NSXPCConnection alloc] initWithMachServiceName:@(kSecuritydCKKSServiceName) options:0]; if (connection == nil) { if(error) { diff --git a/keychain/ckks/CKKSControlProtocol.h b/keychain/ckks/CKKSControlProtocol.h index 2492a3c6..bbf3bc40 100644 --- a/keychain/ckks/CKKSControlProtocol.h +++ b/keychain/ckks/CKKSControlProtocol.h @@ -23,7 +23,7 @@ #import -@protocol CKKSControlProtocol +@protocol CKKSControlProtocol - (void)performanceCounters:(void(^)(NSDictionary *))reply; - (void)rpcResetLocal: (NSString*)viewName reply: (void(^)(NSError* result)) reply; - (void)rpcResetCloudKit: (NSString*)viewName reply: (void(^)(NSError* result)) reply; @@ -33,9 +33,7 @@ - (void)rpcFetchAndProcessChanges:(NSString*)viewName reply: (void(^)(NSError* result)) reply; - (void)rpcFetchAndProcessClassAChanges:(NSString*)viewName reply: (void(^)(NSError* result)) reply; - (void)rpcPushOutgoingChanges:(NSString*)viewName reply: (void(^)(NSError* result)) reply; -- (void)rpcGetAnalyticsSysdiagnoseWithReply:(void (^)(NSString* sysdiagnose, NSError* error))reply; -- (void)rpcGetAnalyticsJSONWithReply:(void (^)(NSData* json, NSError* error))reply; -- (void)rpcForceUploadAnalyticsWithReply:(void (^)(BOOL success, NSError* error))reply; +- (void)rpcGetCKDeviceIDWithReply: (void (^)(NSString* ckdeviceID))reply; @end NSXPCInterface* CKKSSetupControlProtocol(NSXPCInterface* interface); diff --git a/keychain/ckks/CKKSControlProtocol.m b/keychain/ckks/CKKSControlProtocol.m index 10df4da8..5a73df3b 100644 --- a/keychain/ckks/CKKSControlProtocol.m +++ b/keychain/ckks/CKKSControlProtocol.m 
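Review bot: In `rpcKnownBadState:reply:` the `blockError` from `rpcStatus:` is never examined, so a failed status call yields `CKKSKnownStatePossiblyGood`, which is indistinguishable from a healthy answer. If that fallback is intended, a comment should say so, e.g. `// On error we report PossiblyGood: the caller should simply try its operation`. The loop also sends `isEqualToString:` to `result[@"view"]` and `result[@"keystate"]` without checking their class. A guard such as `if(![name isKindOfClass:[NSString class]] || ![keystate isKindOfClass:[NSString class]]) { continue; }` would keep a malformed status dictionary from raising in the client.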
@@ -101,9 +101,7 @@ NSXPCInterface* CKKSSetupControlProtocol(NSXPCInterface* interface) { [interface setClasses:errClasses forSelector:@selector(rpcFetchAndProcessChanges:reply:) argumentIndex:0 ofReply:YES]; [interface setClasses:errClasses forSelector:@selector(rpcFetchAndProcessClassAChanges:reply:) argumentIndex:0 ofReply:YES]; [interface setClasses:errClasses forSelector:@selector(rpcPushOutgoingChanges:reply:) argumentIndex:0 ofReply:YES]; - [interface setClasses:errClasses forSelector:@selector(rpcGetAnalyticsJSONWithReply:) argumentIndex:1 ofReply:YES]; - [interface setClasses:errClasses forSelector:@selector(rpcForceUploadAnalyticsWithReply:) argumentIndex:1 ofReply:YES]; - [interface setClasses:errClasses forSelector:@selector(rpcGetAnalyticsSysdiagnoseWithReply:) argumentIndex:1 ofReply:YES]; + [interface setClasses:errClasses forSelector:@selector(rpcGetCKDeviceIDWithReply:) argumentIndex:0 ofReply:YES]; } @catch(NSException* e) { secerror("CKKSSetupControlProtocol failed, continuing, but you might crash later: %@", e); diff --git a/keychain/ckks/CKKSControlServer.h b/keychain/ckks/CKKSControlServer.h new file mode 100644 index 00000000..e2864dd4 --- /dev/null +++ b/keychain/ckks/CKKSControlServer.h @@ -0,0 +1,12 @@ +#ifndef _CKKSCONTROLSERVER_H_ +#define _CKKSCONTROLSERVER_H_ + +#define kSecuritydCKKSServiceName "com.apple.securityd.ckks" + +__BEGIN_DECLS + +void CKKSControlServerInitialize(void); + +__END_DECLS + +#endif /* !_CKKSCONTROLSERVER_H_ */ diff --git a/keychain/ckks/CKKSControlServer.m b/keychain/ckks/CKKSControlServer.m new file mode 100644 index 00000000..fecffc4c --- /dev/null +++ b/keychain/ckks/CKKSControlServer.m 
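Review bot: The added `setClasses:errClasses forSelector:@selector(rpcGetCKDeviceIDWithReply:) argumentIndex:0 ofReply:YES` applies the error class allowlist to a reply argument that CKKSControlProtocol.h declares as `NSString* ckdeviceID`. The definition of `errClasses` is outside this hunk, but it is presumably the set permitted inside an `NSError` and its `userInfo`, which is wider than a single string needs. Keeping the decode allowlist as narrow as the declared type is the safer default for an XPC interface. The line could be narrowed to `[interface setClasses:[NSSet setWithObject:[NSString class]] forSelector:@selector(rpcGetCKDeviceIDWithReply:) argumentIndex:0 ofReply:YES];`, or removed if the class taken from the block signature is sufficient.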
@@ -0,0 +1,60 @@ +#import +#import + +#import "SecEntitlements.h" +#import "keychain/ckks/CKKS.h" +#import "keychain/ckks/CKKSControlProtocol.h" +#import "keychain/ckks/CKKSControlServer.h" +#import "keychain/ckks/CKKSViewManager.h" + +@interface CKKSControlServer : NSObject +@end + +@implementation CKKSControlServer + +- (BOOL)listener:(__unused NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection { +#if OCTAGON + NSNumber *num = [newConnection valueForEntitlement:(__bridge NSString *)kSecEntitlementPrivateCKKS]; + if (![num isKindOfClass:[NSNumber class]] || ![num boolValue]) { + secerror("ckks: Client pid: %d doesn't have entitlement: %@", + [newConnection processIdentifier], kSecEntitlementPrivateCKKS); + return NO; + } + + // In the future, we should consider vending a proxy object that can return a nicer error. + if (!SecCKKSIsEnabled()) { + secerror("ckks: Client pid: %d attempted to use CKKS, but CKKS is not enabled.", + newConnection.processIdentifier); + return NO; + } + + newConnection.exportedInterface = CKKSSetupControlProtocol([NSXPCInterface interfaceWithProtocol:@protocol(CKKSControlProtocol)]); + newConnection.exportedObject = [CKKSViewManager manager]; + + [newConnection resume]; + + return YES; +#else + return NO; +#endif /* OCTAGON */ +} + +@end + +void +CKKSControlServerInitialize(void) +{ + static dispatch_once_t once; + static CKKSControlServer *server; + static NSXPCListener *listener; + + dispatch_once(&once, ^{ + @autoreleasepool { + server = [CKKSControlServer new]; + + listener = [[NSXPCListener alloc] initWithMachServiceName:@(kSecuritydCKKSServiceName)]; + listener.delegate = server; + [listener resume]; + } + }); +} diff --git a/keychain/ckks/CKKSCurrentKeyPointer.m b/keychain/ckks/CKKSCurrentKeyPointer.m index 77e826bb..0d556eb1 100644 --- a/keychain/ckks/CKKSCurrentKeyPointer.m +++ b/keychain/ckks/CKKSCurrentKeyPointer.m 
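Review bot: `listener:shouldAcceptNewConnection:` is the place where callers of the `com.apple.securityd.ckks` Mach service are authorized, and neither it nor `CKKSControlServerInitialize` carries a comment that says so. CKKSControl.m in this commit now connects with `initWithMachServiceName:` rather than an endpoint copied from securityd, so the entitlement test here is what decides who reaches the exported `CKKSViewManager` singleton. I would add above the method `// Authorization gate: only clients holding kSecEntitlementPrivateCKKS may reach CKKSViewManager; keep all checks before -resume`. The `#else` branch rejects without logging; a `secerror` there would make refusals on a non-OCTAGON build visible.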
@@ -47,6 +47,25 @@ return [NSString stringWithFormat:@"", self.zoneID.zoneName, self.keyclass, self.currentKeyUUID]; } +- (instancetype)copyWithZone:(NSZone*)zone { + CKKSCurrentKeyPointer* copy = [super copyWithZone:zone]; + copy.keyclass = [self.keyclass copyWithZone:zone]; + copy.currentKeyUUID = [self.currentKeyUUID copyWithZone:zone]; + return copy; +} +- (BOOL)isEqual: (id) object { + if(![object isKindOfClass:[CKKSCurrentKeyPointer class]]) { + return NO; + } + + CKKSCurrentKeyPointer* obj = (CKKSCurrentKeyPointer*) object; + + return ([self.zoneID isEqual: obj.zoneID] && + ((self.currentKeyUUID == nil && obj.currentKeyUUID == nil) || [self.currentKeyUUID isEqual: obj.currentKeyUUID]) && + ((self.keyclass == nil && obj.keyclass == nil) || [self.keyclass isEqual:obj.keyclass]) && + YES) ? YES : NO; +} + #pragma mark - CKKSCKRecordHolder methods - (NSString*) CKRecordName { @@ -217,6 +236,18 @@ self.currentClassCPointer.currentKeyUUID, self.classC]; } } +- (instancetype)copyWithZone:(NSZone*)zone { + CKKSCurrentKeySet* copy = [[[self class] alloc] init]; + copy.currentTLKPointer = [self.currentTLKPointer copyWithZone:zone]; + copy.currentClassAPointer = [self.currentClassAPointer copyWithZone:zone]; + copy.currentClassCPointer = [self.currentClassCPointer copyWithZone:zone]; + copy.tlk = [self.tlk copyWithZone:zone]; + copy.classA = [self.classA copyWithZone:zone]; + copy.classC = [self.classC copyWithZone:zone]; + + copy.error = [self.error copyWithZone:zone]; + return copy; +} @end #endif // OCTAGON diff --git a/keychain/ckks/CKKSDeviceStateEntry.h b/keychain/ckks/CKKSDeviceStateEntry.h index cd3ac7cc..d7b07910 100644 --- a/keychain/ckks/CKKSDeviceStateEntry.h +++ b/keychain/ckks/CKKSDeviceStateEntry.h 
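Review bot: The new `isEqual:` on `CKKSCurrentKeyPointer` treats two nil `currentKeyUUID` or `keyclass` values as equal but compares `zoneID` with a bare `[self.zoneID isEqual: obj.zoneID]`, which is NO when both are nil. Using the same form for all three, `((self.zoneID == nil && obj.zoneID == nil) || [self.zoneID isEqual: obj.zoneID])`, would keep the fields consistent. No matching `hash` override is visible in this hunk. If the class does not already have one, objects that compare equal may not be found in an `NSSet` or as `NSDictionary` keys. The trailing `&& YES) ? YES : NO` can be dropped without changing the result.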
@@ -34,6 +34,8 @@ #import "keychain/ckks/CKKSRecordHolder.h" #import "keychain/ckks/CKKSSQLDatabaseObject.h" +NS_ASSUME_NONNULL_BEGIN + /* * This is the backing class for "device state" records: each device in an iCloud account copies * some state about itself into each keychain view it wants to participate in. @@ -46,13 +48,16 @@ @interface CKKSDeviceStateEntry : CKKSCKRecordHolder @property NSString* device; -@property NSString* circlePeerID; +@property (nullable) NSString* osVersion; +@property (nullable) NSDate* lastUnlockTime; + +@property (nullable) NSString* circlePeerID; @property SOSCCStatus circleStatus; -@property CKKSZoneKeyState* keyState; +@property (nullable) CKKSZoneKeyState* keyState; -@property NSString* currentTLKUUID; -@property NSString* currentClassAUUID; -@property NSString* currentClassCUUID; +@property (nullable) NSString* currentTLKUUID; +@property (nullable) NSString* currentClassAUUID; +@property (nullable) NSString* currentClassCUUID; + (instancetype)fromDatabase:(NSString*)device zoneID:(CKRecordZoneID*)zoneID error:(NSError* __autoreleasing*)error; + (instancetype)tryFromDatabase:(NSString*)device zoneID:(CKRecordZoneID*)zoneID error:(NSError* __autoreleasing*)error; 
@@ -60,16 +65,20 @@ + (NSArray*)allInZone:(CKRecordZoneID*)zoneID error:(NSError* __autoreleasing*)error; - (instancetype)init NS_UNAVAILABLE; -- (instancetype)initForDevice:(NSString*)device - circlePeerID:(NSString*)circlePeerID +- (instancetype)initForDevice:(NSString* _Nullable)device + osVersion:(NSString* _Nullable)osVersion + lastUnlockTime:(NSDate* _Nullable)lastUnlockTime + circlePeerID:(NSString* _Nullable)circlePeerID circleStatus:(SOSCCStatus)circleStatus - keyState:(CKKSZoneKeyState*)keyState - currentTLKUUID:(NSString*)currentTLKUUID - currentClassAUUID:(NSString*)currentClassAUUID - currentClassCUUID:(NSString*)currentClassCUUID + keyState:(CKKSZoneKeyState* _Nullable)keyState + currentTLKUUID:(NSString* _Nullable)currentTLKUUID + currentClassAUUID:(NSString* _Nullable)currentClassAUUID + currentClassCUUID:(NSString* _Nullable)currentClassCUUID zoneID:(CKRecordZoneID*)zoneID - encodedCKRecord:(NSData*)encodedrecord; + encodedCKRecord:(NSData* _Nullable)encodedrecord; @end +NS_ASSUME_NONNULL_END + #endif // OCTAGON #endif /* CKKSDeviceStateEntry_h */ diff --git a/keychain/ckks/CKKSDeviceStateEntry.m b/keychain/ckks/CKKSDeviceStateEntry.m index 38af3b74..e520e181 100644 --- a/keychain/ckks/CKKSDeviceStateEntry.m +++ b/keychain/ckks/CKKSDeviceStateEntry.m @@ -36,6 +36,8 @@ @implementation CKKSDeviceStateEntry - (instancetype)initForDevice:(NSString*)device + osVersion:(NSString*)osVersion + lastUnlockTime:(NSDate*)lastUnlockTime circlePeerID:(NSString*)circlePeerID circleStatus:(SOSCCStatus)circleStatus keyState:(CKKSZoneKeyState*)keyState @@ -49,6 +51,9 @@ encodedCKRecord:encodedrecord zoneID:zoneID])) { _device = device; + _osVersion = osVersion; + _lastUnlockTime = lastUnlockTime; + _circleStatus = circleStatus; _keyState = keyState; 
@@ -113,9 +118,11 @@ -(NSString*)description { NSDate* updated = self.storedCKRecord.modificationDate; - return [NSString stringWithFormat:@"", + return [NSString stringWithFormat:@"", self.device, self.circlePeerID, + self.osVersion, + self.lastUnlockTime, self.zoneID.zoneName, SOSAccountGetSOSCCStatusString(self.circleStatus), self.keyState, @@ -135,6 +142,8 @@ return ([self.zoneID isEqual: obj.zoneID] && ((self.device == nil && obj.device == nil) || [self.device isEqual: obj.device]) && + ((self.osVersion == nil && obj.osVersion == nil) || [self.osVersion isEqual:obj.osVersion]) && + ((self.lastUnlockTime == nil && obj.lastUnlockTime == nil) || [self.lastUnlockTime isEqual:obj.lastUnlockTime]) && ((self.circlePeerID == nil && obj.circlePeerID == nil) || [self.circlePeerID isEqual: obj.circlePeerID]) && (self.circleStatus == obj.circleStatus) && ((self.keyState == nil && obj.keyState == nil) || [self.keyState isEqual: obj.keyState]) && @@ -182,6 +191,9 @@ userInfo:nil]; } + record[SecCKSRecordOSVersionKey] = self.osVersion; + record[SecCKSRecordLastUnlockTime] = self.lastUnlockTime; + record[SecCKRecordCircleStatus] = [self sosCCStatusToCKType: self.circleStatus]; record[SecCKRecordKeyState] = CKKSZoneKeyToNumber(self.keyState); @@ -203,11 +215,20 @@ return false; } - if(![record.recordID.recordName isEqualToString: [self CKRecordName]]) { return false; } + if((!(self.lastUnlockTime == nil && record[SecCKSRecordLastUnlockTime] == nil)) && + ![record[SecCKSRecordLastUnlockTime] isEqual: self.lastUnlockTime]) { + return false; + } + + if((!(self.osVersion == nil && record[SecCKSRecordOSVersionKey] == nil)) && + ![record[SecCKSRecordOSVersionKey] isEqualToString: self.osVersion]) { + return false; + } + if((!(self.circlePeerID == nil && record[SecCKRecordCirclePeerID] == nil)) && ![record[SecCKRecordCirclePeerID] isEqualToString: self.circlePeerID]) { return false; 
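Review bot: The comparison added in the `@@ -203,11 +215,20 @@` hunk sends `isEqualToString:` to `record[SecCKSRecordOSVersionKey]` without checking that the value is an `NSString`. The `@@ -244,7 +265,9 @@` hunk likewise assigns `record[SecCKSRecordOSVersionKey]` and `record[SecCKSRecordLastUnlockTime]` straight into the typed properties. These records carry state written by other devices and are read back from CloudKit, so a value of an unexpected class would raise here or later in `stringFromDate:`; whether the CloudKit schema already rules that out cannot be seen from this diff. A guard at the assignment keeps the object well-typed, for example `id v = record[SecCKSRecordLastUnlockTime];` followed by `self.lastUnlockTime = [v isKindOfClass:[NSDate class]] ? v : nil;`, and the same with `NSString` for `osVersion`. Both enclosing methods begin outside their hunks.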
@@ -244,7 +265,9 @@ [self setStoredCKRecord:record]; - self.device = [CKKSDeviceStateEntry nameFromCKRecordID: record.recordID];; + self.osVersion = record[SecCKSRecordOSVersionKey]; + self.lastUnlockTime = record[SecCKSRecordLastUnlockTime]; + self.device = [CKKSDeviceStateEntry nameFromCKRecordID: record.recordID]; self.circlePeerID = record[SecCKRecordCirclePeerID]; @@ -263,7 +286,7 @@ } + (NSArray*)sqlColumns { - return @[@"device", @"ckzone", @"peerid", @"circlestatus", @"keystate", @"currentTLK", @"currentClassA", @"currentClassC", @"ckrecord"]; + return @[@"device", @"ckzone", @"osversion", @"lastunlock", @"peerid", @"circlestatus", @"keystate", @"currentTLK", @"currentClassA", @"currentClassC", @"ckrecord"]; } - (NSDictionary*)whereClauseToFindSelf { @@ -271,8 +294,12 @@ } - (NSDictionary*)sqlValues { + NSISO8601DateFormatter* dateFormat = [[NSISO8601DateFormatter alloc] init]; + return @{@"device": self.device, @"ckzone": CKKSNilToNSNull(self.zoneID.zoneName), + @"osversion": CKKSNilToNSNull(self.osVersion), + @"lastunlock": CKKSNilToNSNull(self.lastUnlockTime ? [dateFormat stringFromDate:self.lastUnlockTime] : nil), @"peerid": CKKSNilToNSNull(self.circlePeerID), @"circlestatus": (__bridge NSString*)SOSAccountGetSOSCCStatusString(self.circleStatus), @"keystate": CKKSNilToNSNull(self.keyState), 
@@ -284,8 +311,13 @@ } + (instancetype)fromDatabaseRow:(NSDictionary*)row { + NSISO8601DateFormatter* dateFormat = [[NSISO8601DateFormatter alloc] init]; + return [[CKKSDeviceStateEntry alloc] initForDevice:row[@"device"] - circlePeerID:CKKSNSNullToNil(row[@"peerid"]) circleStatus:SOSAccountGetSOSCCStatusFromString((__bridge CFStringRef) CKKSNSNullToNil(row[@"circlestatus"])) + osVersion:CKKSNSNullToNil(row[@"osversion"]) + lastUnlockTime:[row[@"lastunlock"] isEqual: [NSNull null]] ? nil : [dateFormat dateFromString: row[@"lastunlock"]] + circlePeerID:CKKSNSNullToNil(row[@"peerid"]) + circleStatus:SOSAccountGetSOSCCStatusFromString((__bridge CFStringRef) CKKSNSNullToNil(row[@"circlestatus"])) keyState:CKKSNSNullToNil(row[@"keystate"]) currentTLKUUID:CKKSNSNullToNil(row[@"currentTLK"]) currentClassAUUID:CKKSNSNullToNil(row[@"currentClassA"]) diff --git a/keychain/ckks/CKKSFetchAllRecordZoneChangesOperation.h b/keychain/ckks/CKKSFetchAllRecordZoneChangesOperation.h index f9459459..400ca965 100644 --- a/keychain/ckks/CKKSFetchAllRecordZoneChangesOperation.h +++ b/keychain/ckks/CKKSFetchAllRecordZoneChangesOperation.h @@ -26,6 +26,7 @@ #if OCTAGON @class CKKSKeychainView; #import "keychain/ckks/CKKSGroupOperation.h" +#import "keychain/ckks/CKKSZoneChangeFetcher.h" NS_ASSUME_NONNULL_BEGIN @@ -38,13 +39,17 @@ NS_ASSUME_NONNULL_BEGIN @property (nullable, weak) CKKSKeychainView* ckks; @property CKRecordZoneID* zoneID; +@property NSSet* fetchReasons; + @property NSMutableDictionary* modifications; @property NSMutableDictionary* deletions; @property (nullable) CKServerChangeToken* serverChangeToken; - (instancetype)init NS_UNAVAILABLE; -- (instancetype)initWithCKKSKeychainView:(CKKSKeychainView*)ckks ckoperationGroup:(CKOperationGroup*)ckoperationGroup; +- (instancetype)initWithCKKSKeychainView:(CKKSKeychainView*)ckks + fetchReasons:(NSSet*)fetchReasons + ckoperationGroup:(CKOperationGroup*)ckoperationGroup; @end 
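Review bot: The `lastunlock` column round-trips `lastUnlockTime` through a default-configured `NSISO8601DateFormatter`, here in `fromDatabaseRow:` and in the -271,8 `sqlValues` hunk, and the default format carries no fractional seconds. An entry reloaded from the database can therefore hold a date that differs from the one originally set, while the `isEqual:` checks added in the -135,6 and -203,11 hunks compare `lastUnlockTime` exactly. If the source date has sub-second precision (not visible here), those comparisons would report a mismatch after a reload. Truncating the date to whole seconds before it is stored on the object is the more robust option; adding `NSISO8601DateFormatWithFractionalSeconds` to `formatOptions` on both sides only narrows the gap.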
diff --git a/keychain/ckks/CKKSFetchAllRecordZoneChangesOperation.m b/keychain/ckks/CKKSFetchAllRecordZoneChangesOperation.m index 528ba34e..a2eb44d1 100644 --- a/keychain/ckks/CKKSFetchAllRecordZoneChangesOperation.m +++ b/keychain/ckks/CKKSFetchAllRecordZoneChangesOperation.m @@ -52,20 +52,23 @@ return nil; } -- (instancetype)initWithCKKSKeychainView:(CKKSKeychainView*)ckks ckoperationGroup:(CKOperationGroup*)ckoperationGroup { +- (instancetype)initWithCKKSKeychainView:(CKKSKeychainView*)ckks + fetchReasons:(NSSet*)fetchReasons + ckoperationGroup:(CKOperationGroup*)ckoperationGroup { if(self = [super init]) { _ckks = ckks; _ckoperationGroup = ckoperationGroup; - self.zoneID = ckks.zoneID; + _fetchReasons = fetchReasons; + _zoneID = ckks.zoneID; - self.resync = false; + _resync = false; - self.modifications = [[NSMutableDictionary alloc] init]; - self.deletions = [[NSMutableDictionary alloc] init]; + _modifications = [[NSMutableDictionary alloc] init]; + _deletions = [[NSMutableDictionary alloc] init]; // Can't fetch unless the zone is created. - [self addNullableDependency:ckks.viewSetupOperation]; + [self addNullableDependency:ckks.zoneSetupOperation]; } return self; } 
@@ -175,16 +178,16 @@ return false; } - ckksnotice("ckksfetch", ckks, "Beginning fetch(%@) starting at change token %@", ckks.zoneName, ckse.changeToken); - - options.previousServerChangeToken = ckse.changeToken; - - if(ckse.changeToken == nil) { - // First sync is special. + // If this is the first sync, or an API fetch, use QoS userInitated + if(ckse.changeToken == nil || [self.fetchReasons containsObject:CKKSFetchBecauseAPIFetchRequest]) { qos = NSQualityOfServiceUserInitiated; } + + options.previousServerChangeToken = ckse.changeToken; } + ckksnotice("ckksfetch", ckks, "Beginning fetch(%@) starting at change token %@ with QoS %d", ckks.zoneName, options.previousServerChangeToken, (int)qos); + self.fetchRecordZoneChangesOperation = [[ckks.fetchRecordZoneChangesOperationClass alloc] initWithRecordZoneIDs: @[ckks.zoneID] optionsByRecordZoneID:@{ckks.zoneID: options}]; self.fetchRecordZoneChangesOperation.fetchAllChanges = YES; @@ -256,7 +259,7 @@ } ckksnotice("ckksfetch", blockCKKS, "Record zone fetch complete: changeToken=%@ clientChangeTokenData=%@ changed=%lu deleted=%lu error=%@", serverChangeToken, clientChangeTokenData, - (unsigned long)strongSelf.deletions.count, + (unsigned long)strongSelf.modifications.count, (unsigned long)strongSelf.deletions.count, recordZoneError); @@ -330,6 +333,8 @@ return false; } + ckksnotice("ckksfetch", blockCKKS, "Finished processing fetch for %@", recordZoneID); + return true; }]; } @@ -350,7 +355,7 @@ strongSelf.error = operationError; } - //[CKKSPowerCollection CKKSPowerEvent:kCKKSPowerEventFetchAllChanges zone:ckks.zoneName count:strongSelf.fetchedItems]; + [CKKSPowerCollection CKKSPowerEvent:kCKKSPowerEventFetchAllChanges zone:ckks.zoneName count:strongSelf.fetchedItems]; // Trigger the fake 'we're done' operation. diff --git a/keychain/ckks/CKKSGroupOperation.h b/keychain/ckks/CKKSGroupOperation.h index d157762c..ccbd4a17 100644 --- a/keychain/ckks/CKKSGroupOperation.h +++ b/keychain/ckks/CKKSGroupOperation.h 
@@ -33,6 +33,10 @@ BOOL finished; } ++ (instancetype)operationWithBlock:(void (^)(void))block; ++ (instancetype)named:(NSString*)name withBlock:(void (^)(void))block; ++ (instancetype)named:(NSString*)name withBlockTakingSelf:(void(^)(CKKSGroupOperation* strongOp))block; + @property NSOperationQueue* operationQueue; - (instancetype)init; diff --git a/keychain/ckks/CKKSGroupOperation.m b/keychain/ckks/CKKSGroupOperation.m index 1ea9ea85..4ead9621 100644 --- a/keychain/ckks/CKKSGroupOperation.m +++ b/keychain/ckks/CKKSGroupOperation.m @@ -64,6 +64,7 @@ [strongSelf groupStart]; }]; + [self.startOperation removeDependenciesUponCompletion]; // The finish operation will 'finish' us _finishOperation = [NSBlockOperation blockOperationWithBlock:^{ @@ -75,6 +76,7 @@ [strongSelf completeOperation]; }]; + [self.finishOperation removeDependenciesUponCompletion]; [self.finishOperation addDependency: self.startOperation]; [self.operationQueue addOperation: self.finishOperation]; @@ -113,9 +115,14 @@ - (NSString*)description { if(self.isFinished) { if(self.error) { - return [NSString stringWithFormat: @"<%@: finished %@ - %@>", [self selfname], self.finishDate, self.error]; + return [NSString stringWithFormat: @"<%@: %@ %@ - %@>", [self selfname], + [self operationStateString], + self.finishDate, + self.error]; } else { - return [NSString stringWithFormat: @"<%@: finished %@>", [self selfname], self.finishDate]; + return [NSString stringWithFormat: @"<%@: %@ %@>", [self selfname], + [self operationStateString], + self.finishDate]; } } 
@@ -133,9 +140,9 @@ NSString* opsString = [ops componentsJoinedByString:@", "]; if(self.error) { - return [NSString stringWithFormat: @"<%@: [%@] error:%@>", [self selfname], opsString, self.error]; + return [NSString stringWithFormat: @"<%@: %@ [%@] error:%@>", [self selfname], [self operationStateString], opsString, self.error]; } else { - return [NSString stringWithFormat: @"<%@: [%@]%@>", [self selfname], opsString, [self pendingDependenciesString:@" dep:"]]; + return [NSString stringWithFormat: @"<%@: %@ [%@]%@>", [self selfname], [self operationStateString], opsString, [self pendingDependenciesString:@" dep:"]]; } } @@ -202,8 +209,8 @@ NSArray* finishDependencies = [self.finishOperation.dependencies copy]; for(NSOperation* finishDep in finishDependencies) { - if(![ops containsObject: finishDep]) { - // This is finish dependency that we don't control. + if(!([ops containsObject: finishDep] || [finishDep isEqual:self.startOperation])) { + // This is finish dependency that we don't control (and isn't our start operation) // Since we're cancelled, don't wait for it. [self.finishOperation removeDependency: finishDep]; } 
@@ -289,6 +296,31 @@ } } ++ (instancetype)operationWithBlock:(void (^)(void))block { + CKKSGroupOperation* op = [[CKKSGroupOperation alloc] init]; + NSBlockOperation* blockOp = [NSBlockOperation blockOperationWithBlock:block]; + [op runBeforeGroupFinished:blockOp]; + return op; +} + ++(instancetype)named:(NSString*)name withBlock:(void(^)(void)) block { + CKKSGroupOperation* blockOp = [CKKSGroupOperation operationWithBlock: block]; + blockOp.name = name; + return blockOp; +} + ++ (instancetype)named:(NSString*)name withBlockTakingSelf:(void(^)(CKKSGroupOperation* strongOp))block +{ + CKKSGroupOperation* op = [[CKKSGroupOperation alloc] init]; + __weak __typeof(op) weakOp = op; + [op runBeforeGroupFinished:[NSBlockOperation blockOperationWithBlock:^{ + __strong __typeof(op) strongOp = weakOp; + block(strongOp); + }]]; + op.name = name; + return op; +} + @end #endif // OCTAGON diff --git a/keychain/ckks/CKKSHealKeyHierarchyOperation.m b/keychain/ckks/CKKSHealKeyHierarchyOperation.m index 130da74e..fdf0b0cb 100644 --- a/keychain/ckks/CKKSHealKeyHierarchyOperation.m +++ b/keychain/ckks/CKKSHealKeyHierarchyOperation.m @@ -26,6 +26,8 @@ #import "CKKSKey.h" #import "CKKSHealKeyHierarchyOperation.h" #import "CKKSGroupOperation.h" +#import "CKKSAnalytics.h" +#import "keychain/ckks/CloudKitCategories.h" #if OCTAGON @@ -146,8 +148,8 @@ newTLK = topKey; } else if(![newTLK.uuid isEqualToString: topKey.uuid]) { ckkserror("ckksheal", ckks, "key hierarchy has split: there's two top keys. Currently we don't handle this situation."); - [ckks _onqueueAdvanceKeyStateMachineToState: SecCKKSZoneKeyStateError withError: [NSError errorWithDomain:@"securityd" - code:0 + [ckks _onqueueAdvanceKeyStateMachineToState: SecCKKSZoneKeyStateError withError: [NSError errorWithDomain:CKKSErrorDomain + code:CKKSSplitKeyHierarchy userInfo:@{NSLocalizedDescriptionKey: [NSString stringWithFormat:@"Key hierarchy has split: %@ and %@ are roots", newTLK, topKey]}]]; return true; 
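Review bot: The new factory methods `+operationWithBlock:` and `+named:withBlockTakingSelf:` are declared to return `instancetype` but allocate with `[[CKKSGroupOperation alloc] init]`. A subclass calling them would get a base-class instance typed as the subclass. Using `CKKSGroupOperation* op = [[self alloc] init];` in both, and `[self operationWithBlock:block]` inside `+named:withBlock:`, keeps the return type honest. In `+named:withBlockTakingSelf:` the block can also receive nil if the operation has been released by the time it runs, so its parameter would be better documented or annotated as nullable.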
@@ -168,16 +170,7 @@ } else { // Otherwise, something has gone horribly wrong. enter error state. ckkserror("ckksheal", ckks, "CKKS claims %@ is not a valid TLK: %@", newTLK, error); - NSError* newError = nil; - if(error) { - newError = [NSError errorWithDomain:@"securityd" - code:0 - userInfo:@{NSLocalizedDescriptionKey: @"invalid TLK from CloudKit", NSUnderlyingErrorKey: error}]; - } else { - newError = [NSError errorWithDomain:@"securityd" - code:0 - userInfo:@{NSLocalizedDescriptionKey: @"invalid TLK from CloudKit"}]; - } + NSError* newError = [NSError errorWithDomain:CKKSErrorDomain code:CKKSInvalidTLK description:@"Invalid TLK from CloudKit (during heal)" underlying:error]; [ckks _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateError withError:newError]; return true; } @@ -220,9 +213,14 @@ newClassAKey = [CKKSKey randomKeyWrappedByParent:newTLK error:&error]; [newClassAKey saveKeyMaterialToKeychain:&error]; - if(error) { + if(error && [ckks.lockStateTracker isLockedError:error]) { + ckksnotice("ckksheal", ckks, "Couldn't create a new class A key, but keybag appears to be locked. Entering waitforunlock."); + [ckks _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateWaitForUnlock withError:error]; + return true; + } else if(error) { ckkserror("ckksheal", ckks, "couldn't create new classA key: %@", error); - [ckks _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateError withError:[NSError errorWithDomain: @"securityd" code:0 userInfo:@{NSLocalizedDescriptionKey: @"couldn't create new classA key", NSUnderlyingErrorKey: error}]]; + [ckks _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateError withError:error]; + return true; } keyset.classA = newClassAKey; 
@@ -233,9 +231,14 @@ newClassCKey = [CKKSKey randomKeyWrappedByParent:newTLK error:&error]; [newClassCKey saveKeyMaterialToKeychain:&error]; - if(error) { - ckkserror("ckksheal", ckks, "couldn't create new classC key: %@", error); - [ckks _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateError withError:[NSError errorWithDomain: @"securityd" code:0 userInfo:@{NSLocalizedDescriptionKey: @"couldn't create new classC key", NSUnderlyingErrorKey: error}]]; + if(error && [ckks.lockStateTracker isLockedError:error]) { + ckksnotice("ckksheal", ckks, "Couldn't create a new class C key, but keybag appears to be locked. Entering waitforunlock."); + [ckks _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateWaitForUnlock withError:error]; + return true; + } else if(error) { + ckkserror("ckksheal", ckks, "couldn't create new class C key: %@", error); + [ckks _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateError withError:error]; + return true; } keyset.classC = newClassCKey; @@ -243,6 +246,8 @@ changedCurrentClassC = true; } + ckksnotice("ckksheal", ckks, "Attempting to move to new key hierarchy: %@", keyset); + // Note: we never make a new TLK here. So, don't save it back to CloudKit. //if(newTLK) { // [recordsToSave addObject: [newTLK CKRecordWithZoneID: ckks.zoneID]]; @@ -279,7 +284,7 @@ // Kick off the CKOperation - ckksinfo("ckksheal", ckks, "Saving new keys %@ to cloudkit %@", recordsToSave, ckks.database); + ckksnotice("ckksheal", ckks, "Saving new records %@", recordsToSave); // Use the spare operation trick to wait for the CKModifyRecordsOperation to complete self.cloudkitModifyOperationFinished = [NSBlockOperation named:@"heal-cloudkit-modify-operation-finished" withBlock:^{}]; 
@@ -296,8 +301,7 @@ modifyRecordsOp = [[CKModifyRecordsOperation alloc] initWithRecordsToSave:recordsToSave recordIDsToDelete:recordIDsToDelete]; modifyRecordsOp.atomic = YES; modifyRecordsOp.longLived = NO; // The keys are only in memory; mark this explicitly not long-lived - modifyRecordsOp.timeoutIntervalForRequest = 2; - modifyRecordsOp.qualityOfService = NSQualityOfServiceUtility; // relatively important. Use Utility. + modifyRecordsOp.qualityOfService = NSQualityOfServiceUserInitiated; // This needs to happen for CKKS to be usable by PCS/cloudd. Make it happen. modifyRecordsOp.group = self.ckoperationGroup; ckksnotice("ckksheal", ckks, "Operation group is %@", self.ckoperationGroup); @@ -323,8 +327,9 @@ ckksnotice("ckksheal", strongCKKS, "Completed Key Heal CloudKit operation with error: %@", error); - [strongCKKS dispatchSync: ^bool{ + [strongCKKS dispatchSyncWithAccountKeys: ^bool{ if(error == nil) { + [[CKKSAnalytics logger] logSuccessForEvent:CKKSEventProcessHealKeyHierarchy inView:ckks]; // Success. Persist the keys to the CKKS database. // Save the new CKRecords to the before persisting to database @@ -371,6 +376,7 @@ } } else { // ERROR. This isn't a total-failure error state, but one that should kick off a healing process. + [[CKKSAnalytics logger] logUnrecoverableError:error forEvent:CKKSEventProcessHealKeyHierarchy inView:ckks withAttributes:NULL]; ckkserror("ckksheal", strongCKKS, "couldn't save new key hierarchy to CloudKit: %@", error); [strongCKKS _onqueueCKWriteFailed:error attemptedRecordsChanged:attemptedRecords]; [strongCKKS _onqueueAdvanceKeyStateMachineToState: SecCKKSZoneKeyStateNewTLKsFailed withError: nil]; 
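Review bot: The two analytics calls added inside the completion block (`logSuccessForEvent:... inView:ckks` in the -323,8 hunk and `logUnrecoverableError:... inView:ckks withAttributes:NULL` in the -371,6 hunk) use `ckks`, while every other statement in that block uses `strongCKKS`. If `strongCKKS` comes from a weak reference, as the naming suggests (its declaration is outside the hunk), referring to `ckks` makes the block capture the view strongly and defeats that pattern. Passing `inView:strongCKKS` in both places keeps the block consistent. `withAttributes:nil` is also the conventional spelling for an object argument.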
@@ -387,14 +393,18 @@ } // Check if CKKS can recover this TLK. - [ckks _onqueueWithAccountKeysCheckTLK:keyset.tlk error:&error]; + bool haveTLK = [ckks _onqueueWithAccountKeysCheckTLK:keyset.tlk error:&error]; if(error && [ckks.lockStateTracker isLockedError:error]) { ckksnotice("ckkskey", ckks, "Failed to load TLK from keychain, keybag is locked. Entering waitforunlock: %@", error); [ckks _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateWaitForUnlock withError:nil]; return false; - } else if(error) { - ckkserror("ckksheal", ckks, "CKKS wasn't sure about TLK, triggering move to bad state: %@", error); + } else if(error && error.code == errSecItemNotFound) { + ckkserror("ckksheal", ckks, "CKKS couldn't find TLK, triggering move to wait state: %@", error); [ckks _onqueueAdvanceKeyStateMachineToState: SecCKKSZoneKeyStateWaitForTLK withError: nil]; + + } else if(!haveTLK) { + ckkserror("ckksheal", ckks, "CKKS errored examining TLK, triggering move to bad state: %@", error); + [ckks _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateError withError:error]; return false; } diff --git a/keychain/ckks/CKKSHealTLKSharesOperation.m b/keychain/ckks/CKKSHealTLKSharesOperation.m index be883bd4..90413363 100644 --- a/keychain/ckks/CKKSHealTLKSharesOperation.m +++ b/keychain/ckks/CKKSHealTLKSharesOperation.m @@ -89,7 +89,7 @@ ckksnotice("ckksshare", ckks, "Key set is %@", keyset); } - //[CKKSPowerCollection CKKSPowerEvent:kCKKSPowerEventTLKShareProcessing zone:ckks.zoneName]; + [CKKSPowerCollection CKKSPowerEvent:kCKKSPowerEventTLKShareProcessing zone:ckks.zoneName]; // Okay! Perform the checks. if(![keyset.tlk loadKeyMaterialFromKeychain:&error] || error) { 
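Review bot: As the -387,14 hunk reads on the new side, the `errSecItemNotFound` branch no longer returns. The existing `return false;` now closes the added `else if(!haveTLK)` branch, so after moving the state machine to `SecCKKSZoneKeyStateWaitForTLK` execution falls through to the code that follows the check (outside the hunk). If that code assumes the TLK is usable, or advances the key state again, the wait state would be overwritten; adding `return false;` after the `WaitForTLK` transition restores the previous control flow. The branch also matches on `error.code` alone, so comparing `error.domain` as well would avoid treating an unrelated error with the same numeric code as "not found".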
@@ -140,8 +140,7 @@ recordIDsToDelete:recordIDsToDelete]; modifyRecordsOp.atomic = YES; modifyRecordsOp.longLived = NO; - modifyRecordsOp.timeoutIntervalForRequest = 10; - modifyRecordsOp.qualityOfService = NSQualityOfServiceUtility; // relatively important. Use Utility. + modifyRecordsOp.qualityOfService = NSQualityOfServiceUserInitiated; // very important: get the TLKShares off-device ASAP modifyRecordsOp.group = self.ckoperationGroup; ckksnotice("ckksshare", ckks, "Operation group is %@", self.ckoperationGroup); diff --git a/keychain/ckks/CKKSIncomingQueueEntry.h b/keychain/ckks/CKKSIncomingQueueEntry.h index 1b3971f8..991e9a59 100644 --- a/keychain/ckks/CKKSIncomingQueueEntry.h +++ b/keychain/ckks/CKKSIncomingQueueEntry.h @@ -51,7 +51,8 @@ NS_ASSUME_NONNULL_BEGIN zoneID:(CKRecordZoneID*)zoneID error:(NSError* __autoreleasing*)error; -+ (NSDictionary*)countsByState:(CKRecordZoneID*)zoneID error:(NSError* __autoreleasing*)error; ++ (NSDictionary*)countsByStateInZone:(CKRecordZoneID*)zoneID error:(NSError* __autoreleasing*)error; ++ (NSInteger)countByState:(CKKSItemState *)state zone:(CKRecordZoneID*)zoneID error: (NSError * __autoreleasing *)error; @end diff --git a/keychain/ckks/CKKSIncomingQueueEntry.m b/keychain/ckks/CKKSIncomingQueueEntry.m index acd12e9c..94e6b5fa 100644 --- a/keychain/ckks/CKKSIncomingQueueEntry.m +++ b/keychain/ckks/CKKSIncomingQueueEntry.m @@ -125,7 +125,7 @@ state: row[@"state"]]; } -+ (NSDictionary*)countsByState:(CKRecordZoneID*)zoneID error: (NSError * __autoreleasing *) error { ++ (NSDictionary*)countsByStateInZone:(CKRecordZoneID*)zoneID error: (NSError * __autoreleasing *) error { NSMutableDictionary* results = [[NSMutableDictionary alloc] init]; [CKKSSQLDatabaseObject queryDatabaseTable: [[self class] sqlTable] 
@@ -141,6 +141,22 @@ return results; } ++ (NSInteger)countByState:(CKKSItemState *)state zone:(CKRecordZoneID*)zoneID error: (NSError * __autoreleasing *) error { + __block NSInteger result = -1; + + [CKKSSQLDatabaseObject queryDatabaseTable: [[self class] sqlTable] + where: @{@"ckzone": CKKSNilToNSNull(zoneID.zoneName), @"state": state } + columns: @[@"count(*)"] + groupBy: nil + orderBy: nil + limit: -1 + processRow: ^(NSDictionary* row) { + result = [row[@"count(*)"] integerValue]; + } + error: error]; + return result; +} + @end #endif diff --git a/keychain/ckks/CKKSIncomingQueueOperation.m b/keychain/ckks/CKKSIncomingQueueOperation.m index e2e7ecde..131c72e1 100644 --- a/keychain/ckks/CKKSIncomingQueueOperation.m +++ b/keychain/ckks/CKKSIncomingQueueOperation.m @@ -28,7 +28,7 @@ #import "CKKSOutgoingQueueEntry.h" #import "CKKSKey.h" #import "CKKSManifest.h" -#import "CKKSAnalyticsLogger.h" +#import "CKKSAnalytics.h" #import "CKKSPowerCollection.h" #import "keychain/ckks/CKKSCurrentItemPointer.h" @@ -43,6 +43,7 @@ @interface CKKSIncomingQueueOperation () @property bool newOutgoingEntries; @property bool pendingClassAEntries; +@property bool missingKey; @end @implementation CKKSIncomingQueueOperation @@ -59,6 +60,8 @@ [self addDependency: ckks.keyStateReadyDependency]; } + [self addNullableDependency: ckks.holdIncomingQueueOperation]; + _errorOnClassAFailure = errorOnClassAFailure; _pendingClassAEntries = false; @@ -169,8 +172,8 @@ } } else if ([error.domain isEqualToString:@"securityd"] && error.code == errSecItemNotFound) { - ckkserror("ckksincoming", ckks, "Coudn't find key in keychain; attempting to poke key hierarchy: %@", error) - [ckks _onqueueAdvanceKeyStateMachineToState: nil withError: nil]; + ckkserror("ckksincoming", ckks, "Coudn't find key in keychain; will attempt to poke key hierarchy: %@", error) + self.missingKey = true; } else { ckkserror("ckksincoming", ckks, "Couldn't decrypt IQE %@ for some reason: %@", iqe, error); 
@@ -265,6 +268,10 @@ [ckks.notifyViewChangedScheduler trigger]; } + if(self.missingKey) { + [ckks.pokeKeyStateMachineScheduler trigger]; + } + if ([CKKSManifest shouldSyncManifests]) { [egoManifest updateWithNewOrChangedRecords:newOrChangedRecords deletedRecordIDs:deletedRecordIDs]; } @@ -298,7 +305,7 @@ return; } - [ckks dispatchSyncWithAccountKeys: ^bool{ + [ckks dispatchSync: ^bool{ if(self.cancelled) { ckksnotice("ckksincoming", ckks, "CKKSIncomingQueueOperation cancelled, quitting"); return false; @@ -321,18 +328,17 @@ __block NSError* error = nil; if ([CKKSManifest shouldSyncManifests]) { - NSDictionary* stateCounts = [CKKSIncomingQueueEntry countsByState:ckks.zoneID error:&error]; - if (error) { + NSInteger unauthenticatedItemCount = [CKKSIncomingQueueEntry countByState:SecCKKSStateUnauthenticated zone:ckks.zoneID error:&error]; + if (error || unauthenticatedItemCount < 0) { ckkserror("ckksincoming", ckks, "Error fetching incoming queue state counts: %@", error); self.error = error; return false; } - NSUInteger unauthenticatedItemCount = stateCounts[SecCKKSStateUnauthenticated].unsignedIntegerValue; // take any existing unauthenticated entries and put them back in the new state NSArray* unauthenticatedEntries = nil; NSString* lastMaxUUID = nil; - NSUInteger numEntriesProcessed = 0; + NSInteger numEntriesProcessed = 0; while (numEntriesProcessed < unauthenticatedItemCount && (unauthenticatedEntries == nil || unauthenticatedEntries.count == SecCKKSIncomingQueueItemsAtOnce)) { if(self.cancelled) { ckksnotice("ckksincoming", ckks, "CKKSIncomingQueueOperation cancelled, quitting"); 
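Review bot: In the -321,18 hunk the failure test is `if (error || unauthenticatedItemCount < 0)`, but the body always does `self.error = error;`. `countByState:zone:error:` starts its result at -1 and changes it only inside the row callback, so a query that yields no row and sets no error leaves the operation failed with `self.error == nil`. Anything that inspects `self.error` to decide whether the operation succeeded would then see success. Setting a fallback error when `error` is nil (an `NSError` in `CKKSErrorDomain` with a suitable code) makes the failure visible, and the -1 sentinel deserves a one-line comment on the method declaration.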
@@ -394,7 +400,7 @@ break; } - //[CKKSPowerCollection CKKSPowerEvent:kCKKSPowerEventOutgoingQueue zone:ckks.zoneName count:[queueEntries count]]; + [CKKSPowerCollection CKKSPowerEvent:kCKKSPowerEventOutgoingQueue zone:ckks.zoneName count:[queueEntries count]]; if (![self processQueueEntries:queueEntries withManifest:ckks.latestManifest egoManifest:ckks.egoManifest]) { ckksnotice("ckksincoming", ckks, "processQueueEntries didn't complete successfully"); @@ -437,7 +443,7 @@ return; } - CKKSAnalyticsLogger* logger = [CKKSAnalyticsLogger logger]; + CKKSAnalytics* logger = [CKKSAnalytics logger]; if (!strongSelf.error) { [logger logSuccessForEvent:CKKSEventProcessIncomingQueueClassC inView:ckks]; diff --git a/keychain/ckks/CKKSItem.m b/keychain/ckks/CKKSItem.m index 2b9dde4e..e8ab777e 100644 --- a/keychain/ckks/CKKSItem.m +++ b/keychain/ckks/CKKSItem.m @@ -33,7 +33,6 @@ #include #include -#include #import #import 
@@ -189,46 +188,7 @@ plaintextPCSServiceIdentifier: (NSNumber*) pcsServiceIdentifier } + (void)setOSVersionInRecord: (CKRecord*) record { -#ifdef PLATFORM - // Use complicated macro magic to get the string value passed in as preprocessor define PLATFORM. -#define PLATFORM_VALUE(f) #f -#define PLATFORM_OBJCSTR(f) @PLATFORM_VALUE(f) - NSString* platform = (PLATFORM_OBJCSTR(PLATFORM)); -#undef PLATFORM_OBJCSTR -#undef PLATFORM_VALUE -#else - NSString* platform = "unknown"; -#warning No PLATFORM defined; why? -#endif - - NSString* osversion = nil; - - // If we can get the build information from sysctl, use it. - char release[256]; - size_t releasesize = sizeof(release); - bool haveSysctlInfo = true; - haveSysctlInfo &= (0 == sysctlbyname("kern.osrelease", release, &releasesize, NULL, 0)); - - char version[256]; - size_t versionsize = sizeof(version); - haveSysctlInfo &= (0 == sysctlbyname("kern.osversion", version, &versionsize, NULL, 0)); - - if(haveSysctlInfo) { - // Null-terminate for extra safety - release[sizeof(release)-1] = '\0'; - version[sizeof(version)-1] = '\0'; - osversion = [NSString stringWithFormat:@"%s (%s)", release, version]; - } - - if(!osversion) { - // Otherwise, use the not-really-supported fallback. - osversion = [[NSProcessInfo processInfo] operatingSystemVersionString]; - - // subtly improve osversion (but it's okay if that does nothing) - osversion = [osversion stringByReplacingOccurrencesOfString:@"Version" withString:@""]; - } - - record[SecCKRecordHostOSVersionKey] = [NSString stringWithFormat:@"%@ %@", platform, osversion]; + record[SecCKRecordHostOSVersionKey] = SecCKKSHostOSVersion(); } - (CKRecord*) updateCKRecord: (CKRecord*) record zoneID: (CKRecordZoneID*) zoneID { diff --git a/keychain/ckks/CKKSKey.m b/keychain/ckks/CKKSKey.m index fc10d37a..a927bec6 100644 --- a/keychain/ckks/CKKSKey.m +++ b/keychain/ckks/CKKSKey.m 
@@ -35,6 +35,10 @@ #include #include +@interface CKKSKey () +@property CKKSAESSIVKey* aessivkey; +@end + @implementation CKKSKey - (instancetype)init { @@ -235,10 +239,28 @@ } // Attempt to load this key from the keychain - if([self loadKeyMaterialFromKeychain:error]) { + NSError* keychainError = nil; + if([self loadKeyMaterialFromKeychain:&keychainError]) { + return self.aessivkey; + } + + // Uhh, okay, if that didn't work, try to unwrap via the key hierarchy + NSError* keyHierarchyError = nil; + if([self unwrapViaKeyHierarchy:&keyHierarchyError]) { + // Attempt to save this new key, but don't error if it fails + NSError* resaveError = nil; + if(![self saveKeyMaterialToKeychain:&resaveError] || resaveError) { + secerror("ckkskey: Resaving missing key failed, continuing: %@", resaveError); + } + return self.aessivkey; } + // Pick an error to report + if(error) { + *error = keyHierarchyError ? keyHierarchyError : keychainError; + } + return nil; } @@ -493,7 +515,7 @@ NSError* originalError = localError; // If we found the item or errored in some interesting way, return. - if(localError == nil) { + if(result) { return result; } if(localError && localError.code != errSecItemNotFound) { @@ -592,13 +614,11 @@ } // We didn't early-return. Use whatever error the original fetch produced. - if(error && originalError) { + if(error) { *error = [NSError errorWithDomain:@"securityd" - code:originalError.code - userInfo:@{NSLocalizedDescriptionKey: - [NSString stringWithFormat:@"Couldn't load %@ from keychain: %d", key, (int)originalError.code], - NSUnderlyingErrorKey: originalError, - }]; + code:originalError ? originalError.code : errSecParam + description:[NSString stringWithFormat:@"Couldn't load %@ from keychain: %d", key, (int)originalError.code] + underlying:originalError]; } return result; 
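Review bot: In the -235,10 hunk the error reported to the caller is `keyHierarchyError ? keyHierarchyError : keychainError`, so the keychain failure is discarded whenever the hierarchy unwrap also fails. Callers elsewhere in this patch branch on `[ckks.lockStateTracker isLockedError:error]` to choose between waiting for unlock and entering the error state. If the keychain load failed because the keybag is locked and the unwrap failed for a different reason, this could hide the locked condition and send the state machine to the error state instead. Preferring `keychainError` when it is a locked error, or attaching it as the underlying error of the one returned, would preserve that signal. In the -592,13 hunk the message still formats `(int)originalError.code`, which prints 0 when `originalError` is nil even though the error's code is `errSecParam`.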
@@ -614,11 +634,17 @@ NSData* b64keymaterial = result[(id)kSecValueData]; NSData* keymaterial = [[NSData alloc] initWithBase64EncodedData:b64keymaterial options:0]; if(!keymaterial) { + secnotice("ckkskey", "Unable to unbase64 key: %@", self); + if(error) { + *error = [NSError errorWithDomain:CKKSErrorDomain + code:CKKSKeyUnknownFormat + description:[NSString stringWithFormat:@"unable to unbase64 key: %@", self]]; + } return false; } CKKSAESSIVKey* key = [[CKKSAESSIVKey alloc] initWithBytes: (uint8_t*) keymaterial.bytes len:keymaterial.length]; - _aessivkey = key; + self.aessivkey = key; if(resave) { secnotice("ckkskey", "Resaving %@ as per request", self); diff --git a/keychain/ckks/CKKSKeychainView.h b/keychain/ckks/CKKSKeychainView.h index b7fe760f..0aa9d38a 100644 --- a/keychain/ckks/CKKSKeychainView.h +++ b/keychain/ckks/CKKSKeychainView.h @@ -27,6 +27,7 @@ #import "keychain/ckks/CKKSAPSReceiver.h" #import "keychain/ckks/CKKSLockStateTracker.h" +#import "keychain/ckks/CKKSReachabilityTracker.h" #import "keychain/ckks/CloudKitDependencies.h" #include @@ -71,6 +72,7 @@ NS_ASSUME_NONNULL_BEGIN @property CKKSCondition* loggedIn; @property CKKSCondition* loggedOut; +@property CKKSCondition* accountStateKnown; @property CKKSLockStateTracker* lockStateTracker; @@ -86,6 +88,9 @@ NS_ASSUME_NONNULL_BEGIN @property (nullable) CKKSManifest* latestManifest; @property (nullable) CKKSResultOperation* keyStateReadyDependency; +// Wait for the key state to become 'nontransient': no pending operation is expected to advance it (at least until user intervenes) +@property (nullable) CKKSResultOperation* keyStateNonTransientDependency; + // True if we believe there's any items in the keychain which haven't been brought up in CKKS yet @property bool droppedItems; 
@@ -98,9 +103,6 @@ NS_ASSUME_NONNULL_BEGIN @property (weak) CKKSNearFutureScheduler* savedTLKNotifier; -// Differs from the zonesetupoperation: zoneSetup is only for CK modifications, viewSetup handles local db changes too -@property CKKSResultOperation* viewSetupOperation; - /* Used for debugging: just what happened last time we ran this? */ @property CKKSIncomingQueueOperation* lastIncomingQueueOperation; @property CKKSNewTLKOperation* lastNewTLKOperation; @@ -115,12 +117,16 @@ NS_ASSUME_NONNULL_BEGIN /* Used for testing: pause operation types by adding operations here */ @property NSOperation* holdReencryptOutgoingItemsOperation; @property NSOperation* holdOutgoingQueueOperation; +@property NSOperation* holdIncomingQueueOperation; @property NSOperation* holdLocalSynchronizeOperation; @property CKKSResultOperation* holdFixupOperation; /* Trigger this to tell the whole machine that this view has changed */ @property CKKSNearFutureScheduler* notifyViewChangedScheduler; +/* trigger this to request key state machine poking */ +@property CKKSNearFutureScheduler* pokeKeyStateMachineScheduler; + // These are available when you're in a dispatchSyncWithAccountKeys call, but at no other time // These must be pre-fetched before you get on the CKKS queue, otherwise we end up with CKKS<->SQLite<->SOSAccountQueue deadlocks @property (nonatomic, readonly) CKKSSelves* currentSelfPeers; @@ -132,6 +138,7 @@ NS_ASSUME_NONNULL_BEGIN zoneName:(NSString*)zoneName accountTracker:(CKKSCKAccountStateTracker*)accountTracker lockStateTracker:(CKKSLockStateTracker*)lockStateTracker + reachabilityTracker:(CKKSReachabilityTracker *)reachabilityTracker savedTLKNotifier:(CKKSNearFutureScheduler*)savedTLKNotifier peerProvider:(id)peerProvider fetchRecordZoneChangesOperationClass:(Class)fetchRecordZoneChangesOperationClass 
@@ -150,11 +157,11 @@ NS_ASSUME_NONNULL_BEGIN rateLimiter:(CKKSRateLimiter*)rateLimiter syncCallback:(SecBoolNSErrorCallback)syncCallback; -- (void)setCurrentItemForAccessGroup:(SecDbItemRef)newItem +- (void)setCurrentItemForAccessGroup:(NSData*)newItemPersistentRef hash:(NSData*)newItemSHA1 accessGroup:(NSString*)accessGroup identifier:(NSString*)identifier - replacing:(SecDbItemRef _Nullable)oldItem + replacing:(NSData* _Nullable)oldCurrentItemPersistentRef hash:(NSData* _Nullable)oldItemSHA1 complete:(void (^)(NSError* operror))complete; @@ -182,6 +189,8 @@ NS_ASSUME_NONNULL_BEGIN - (CKKSIncomingQueueOperation*)processIncomingQueue:(bool)failOnClassA; - (CKKSIncomingQueueOperation*)processIncomingQueue:(bool)failOnClassA after:(CKKSResultOperation* _Nullable)after; +- (CKKSScanLocalItemsOperation*)scanLocalItems:(NSString*)name; + // Schedules a process queueoperation to happen after the next device unlock. This may be Immediately, if the device is unlocked. - (void)processIncomingQueueAfterNextUnlock; @@ -197,10 +206,7 @@ NS_ASSUME_NONNULL_BEGIN - (CKKSResultOperation*)fetchAndProcessCKChanges:(CKKSFetchBecause*)because; - (CKKSResultOperation*)resetLocalData; -- (CKKSResultOperation*)resetCloudKitZone; - -// Call this to pick and start the next key hierarchy operation for the zone -- (void)advanceKeyStateMachine; +- (CKKSResultOperation*)resetCloudKitZone:(CKOperationGroup*)operationGroup; // Call this to tell the key state machine that you think some new data has arrived that it is interested in - (void)keyStateMachineRequestProcess; 
@@ -208,18 +214,14 @@ NS_ASSUME_NONNULL_BEGIN // For our serial queue to work with how handleKeychainEventDbConnection is called from the main thread, // every block on our queue must have a SecDBConnectionRef available to it before it begins on the queue. // Use these helper methods to make sure those exist. -- (void)dispatchAsync:(bool (^)(void))block; - (void)dispatchSync:(bool (^)(void))block; - (void)dispatchSyncWithAccountKeys:(bool (^)(void))block; -/* Synchronous operations which must be called from inside a dispatchAsync or dispatchSync block */ +/* Synchronous operations which must be called from inside a dispatchAsyncWithAccountKeys or dispatchSync block */ // Call this to request the key hierarchy state machine to fetch new updates - (void)_onqueueKeyStateMachineRequestFetch; -// Call this to request the key hierarchy state machine to refetch everything in Cloudkit -- (void)_onqueueKeyStateMachineRequestFullRefetch; - // Call this to request the key hierarchy state machine to reprocess - (void)_onqueueKeyStateMachineRequestProcess; @@ -243,7 +245,7 @@ NS_ASSUME_NONNULL_BEGIN - (bool)_onqueueCKRecordChanged:(CKRecord*)record resync:(bool)resync; - (bool)_onqueueCKRecordDeleted:(CKRecordID*)recordID recordType:(NSString*)recordType resync:(bool)resync; -// For this key, who doesn't yet have a CKKSTLKShare for it? +// For this key, who doesn't yet have a CKKSTLKShare for it, shared to their current Octagon keys? // Note that we really want a record sharing the TLK to ourselves, so this function might return // a non-empty set even if all peers have the TLK: it wants us to make a record for ourself. - (NSSet>* _Nullable)_onqueueFindPeersMissingShare:(CKKSKey*)key error:(NSError* __autoreleasing*)error; diff --git a/keychain/ckks/CKKSKeychainView.m b/keychain/ckks/CKKSKeychainView.m index 2b9260ff..664cfcf7 100644 --- a/keychain/ckks/CKKSKeychainView.m +++ b/keychain/ckks/CKKSKeychainView.m 
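Review bot: The rewritten comment in the `-208,18 +214,14` hunk names `dispatchAsyncWithAccountKeys`, but after this change the only dispatch helpers the visible header declares are `dispatchSync:` and `dispatchSyncWithAccountKeys:` (the hunk removes `dispatchAsync:`). A reader looking for the required calling context of the `_onqueue…` methods will not find the method the comment points to, at least not in the part of the header shown here. I would word it as `/* Synchronous operations which must be called from inside a dispatchSync or dispatchSyncWithAccountKeys block */`. The interface continues outside the hunk.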
@@ -53,13 +53,12 @@ #import "CKKSManifest.h" #import "CKKSManifestLeafRecord.h" #import "CKKSZoneChangeFetcher.h" -#import "CKKSAnalyticsLogger.h" +#import "CKKSAnalytics.h" #import "keychain/ckks/CKKSDeviceStateEntry.h" #import "keychain/ckks/CKKSNearFutureScheduler.h" #import "keychain/ckks/CKKSCurrentItemPointer.h" #import "keychain/ckks/CKKSUpdateCurrentItemPointerOperation.h" #import "keychain/ckks/CKKSUpdateDeviceStateOperation.h" -#import "keychain/ckks/CKKSLockStateTracker.h" #import "keychain/ckks/CKKSNotifier.h" #import "keychain/ckks/CloudKitCategories.h" #import "keychain/ckks/CKKSTLKShare.h" @@ -77,13 +76,20 @@ #include #include #include +#include #if OCTAGON @interface CKKSKeychainView() -@property bool setupSuccessful; @property bool keyStateFetchRequested; @property bool keyStateFullRefetchRequested; @property bool keyStateProcessRequested; + +@property bool keyStateCloudKitDeleteRequested; +@property NSHashTable* cloudkitDeleteZoneOperations; + +@property bool keyStateLocalResetRequested; +@property NSHashTable* localResetOperations; + @property (atomic) NSString *activeTLK; @property (readonly) Class notifierClass; @@ -117,8 +123,9 @@ zoneName: (NSString*) zoneName accountTracker:(CKKSCKAccountStateTracker*) accountTracker lockStateTracker:(CKKSLockStateTracker*) lockStateTracker + reachabilityTracker:(CKKSReachabilityTracker *)reachabilityTracker savedTLKNotifier:(CKKSNearFutureScheduler*) savedTLKNotifier - peerProvider:(id)peerProvider + peerProvider:(id)peerProvider fetchRecordZoneChangesOperationClass: (Class) fetchRecordZoneChangesOperationClass fetchRecordsOperationClass: (Class)fetchRecordsOperationClass queryOperationClass:(Class)queryOperationClass 
@@ -131,6 +138,7 @@ if(self = [super initWithContainer:container zoneName:zoneName accountTracker:accountTracker + reachabilityTracker:reachabilityTracker fetchRecordZoneChangesOperationClass:fetchRecordZoneChangesOperationClass fetchRecordsOperationClass:fetchRecordsOperationClass queryOperationClass:queryOperationClass @@ -141,9 +149,12 @@ _loggedIn = [[CKKSCondition alloc] init]; _loggedOut = [[CKKSCondition alloc] init]; + _accountStateKnown = [[CKKSCondition alloc] init]; _incomingQueueOperations = [NSHashTable weakObjectsHashTable]; _outgoingQueueOperations = [NSHashTable weakObjectsHashTable]; + _cloudkitDeleteZoneOperations = [NSHashTable weakObjectsHashTable]; + _localResetOperations = [NSHashTable weakObjectsHashTable]; _zoneChangeFetcher = [[CKKSZoneChangeFetcher alloc] initWithCKKSKeychainView: self]; _notifierClass = notifierClass; @@ -151,6 +162,7 @@ initialDelay:250*NSEC_PER_MSEC continuingDelay:1*NSEC_PER_SEC keepProcessAlive:true + dependencyDescriptionCode:CKKSResultDescriptionPendingViewChangedScheduling block:^{ __strong __typeof(self) strongSelf = weakSelf; [strongSelf.notifierClass post:[NSString stringWithFormat:@"com.apple.security.view-change.%@", strongSelf.zoneName]]; @@ -169,14 +181,14 @@ _currentPeerProvider = peerProvider; [_currentPeerProvider registerForPeerChangeUpdates:self]; - _setupSuccessful = false; - _keyHierarchyConditions = [[NSMutableDictionary alloc] init]; [CKKSZoneKeyStateMap() enumerateKeysAndObjectsUsingBlock:^(CKKSZoneKeyState * _Nonnull key, NSNumber * _Nonnull obj, BOOL * _Nonnull stop) { [self.keyHierarchyConditions setObject: [[CKKSCondition alloc] init] forKey:key]; }]; - self.keyHierarchyState = SecCKKSZoneKeyStateInitializing; + // Use the keyHierarchyState setter to modify the zone key state map + self.keyHierarchyState = SecCKKSZoneKeyStateLoggedOut; + _keyHierarchyError = nil; _keyHierarchyOperationGroup = nil; _keyStateMachineOperation = nil; 
@@ -188,24 +200,42 @@ _keyStateReadyDependency = [self createKeyStateReadyDependency: @"Key state has become ready for the first time." ckoperationGroup:[CKOperationGroup CKKSGroupWithName:@"initial-key-state-ready-scan"]]; - dispatch_time_t initializeDelay = SecCKKSTestsEnabled() ? NSEC_PER_MSEC * 600 : NSEC_PER_SEC * 30; + _keyStateNonTransientDependency = [self createKeyStateNontransientDependency]; + + dispatch_time_t initializeDelay = SecCKKSReduceRateLimiting() ? NSEC_PER_MSEC * 600 : NSEC_PER_SEC * 30; _initializeScheduler = [[CKKSNearFutureScheduler alloc] initWithName:[NSString stringWithFormat: @"%@-zone-initializer", self.zoneName] initialDelay:0 continuingDelay:initializeDelay keepProcessAlive:false - block:^{ - __strong __typeof(self) strongSelf = weakSelf; - ckksnotice("ckks", strongSelf, "initialize-scheduler restarting setup"); - [strongSelf maybeRestartSetup]; - }]; - - dispatch_time_t initialOutgoingQueueDelay = SecCKKSTestsEnabled() ? NSEC_PER_MSEC * 200 : NSEC_PER_SEC * 1; - dispatch_time_t continuingOutgoingQueueDelay = SecCKKSTestsEnabled() ? NSEC_PER_MSEC * 500 : NSEC_PER_SEC * 30; + dependencyDescriptionCode:CKKSResultDescriptionPendingZoneInitializeScheduling + block:^{}]; + + dispatch_time_t initialOutgoingQueueDelay = SecCKKSReduceRateLimiting() ? NSEC_PER_MSEC * 200 : NSEC_PER_SEC * 1; + dispatch_time_t continuingOutgoingQueueDelay = SecCKKSReduceRateLimiting() ? NSEC_PER_MSEC * 200 : NSEC_PER_SEC * 30; _outgoingQueueOperationScheduler = [[CKKSNearFutureScheduler alloc] initWithName:[NSString stringWithFormat: @"%@-outgoing-queue-scheduler", self.zoneName] initialDelay:initialOutgoingQueueDelay continuingDelay:continuingOutgoingQueueDelay keepProcessAlive:false + dependencyDescriptionCode:CKKSResultDescriptionPendingOutgoingQueueScheduling block:^{}]; + + + dispatch_time_t initialKeyHierachyPokeDelay = SecCKKSReduceRateLimiting() ? 
NSEC_PER_MSEC * 100 : NSEC_PER_MSEC * 500; + dispatch_time_t continuingKeyHierachyPokeDelay = SecCKKSReduceRateLimiting() ? NSEC_PER_MSEC * 200 : NSEC_PER_SEC * 5; + _pokeKeyStateMachineScheduler = [[CKKSNearFutureScheduler alloc] initWithName:[NSString stringWithFormat: @"%@-reprocess-scheduler", self.zoneName] + initialDelay:initialKeyHierachyPokeDelay + continuingDelay:continuingKeyHierachyPokeDelay + keepProcessAlive:true + dependencyDescriptionCode:CKKSResultDescriptionPendingKeyHierachyPokeScheduling + block:^{ + __strong __typeof(self) strongSelf = weakSelf; + [strongSelf dispatchSyncWithAccountKeys: ^bool{ + __strong __typeof(weakSelf) strongBlockSelf = weakSelf; + + [strongBlockSelf _onqueueAdvanceKeyStateMachineToState:nil withError:nil]; + return true; + }]; + }]; } return self; } @@ -226,16 +256,17 @@ if((keyHierarchyState == nil && _keyHierarchyState == nil) || ([keyHierarchyState isEqualToString:_keyHierarchyState])) { // No change, do nothing. } else { - // Fixup the condition variables + // Fixup the condition variables as part of setting this state if(_keyHierarchyState) { self.keyHierarchyConditions[_keyHierarchyState] = [[CKKSCondition alloc] init]; } + + _keyHierarchyState = keyHierarchyState; + if(keyHierarchyState) { [self.keyHierarchyConditions[keyHierarchyState] fulfill]; } } - - _keyHierarchyState = keyHierarchyState; } - (NSString *)lastActiveTLKUUID 
@@ -243,204 +274,181 @@ return self.activeTLK; } -- (void)maybeRestartSetup { - [self dispatchSync: ^bool{ - if([self.viewSetupOperation isPending] || [self.viewSetupOperation isExecuting]) { - ckksinfo("ckks", self, "setup is in-flight. Ignoring timer fire"); - return false; - } +- (void)_onqueueResetSetup:(CKKSZoneKeyState*)newState resetMessage:(NSString*)resetMessage ckoperationGroup:(CKOperationGroup*)group { + [super resetSetup]; - [self resetSetup]; - [self restartCurrentAccountStateOperation]; - return true; - }]; -} + self.keyHierarchyState = newState; + self.keyHierarchyError = nil; -- (void)resetSetup { - [super resetSetup]; - self.setupSuccessful = false; + [self.keyStateMachineOperation cancel]; + self.keyStateMachineOperation = nil; - // Key hierarchy state machine resets, too - self.keyHierarchyState = SecCKKSZoneKeyStateInitializing; - _keyHierarchyError = nil; -} + self.keyStateFetchRequested = false; + self.keyStateProcessRequested = false; - - (void)_onqueueHandleCKLogin { - if(!SecCKKSIsEnabled()) { - ckksnotice("ckks", self, "Skipping CloudKit initialization due to disabled CKKS"); - return; - } + self.keyHierarchyOperationGroup = group; - dispatch_assert_queue(self.queue); + NSOperation* oldKSRD = self.keyStateReadyDependency; + self.keyStateReadyDependency = [self createKeyStateReadyDependency:resetMessage ckoperationGroup:self.keyHierarchyOperationGroup]; + if(oldKSRD) { + [oldKSRD addDependency:self.keyStateReadyDependency]; + [self.waitingQueue addOperation:oldKSRD]; + } - __weak __typeof(self) weakSelf = self; + NSOperation* oldKSNTD = self.keyStateNonTransientDependency; + self.keyStateNonTransientDependency = [self createKeyStateNontransientDependency]; + if(oldKSNTD) { + [oldKSNTD addDependency:self.keyStateNonTransientDependency]; + [self.waitingQueue addOperation:oldKSNTD]; + } +} - CKKSZoneStateEntry* ckse = [CKKSZoneStateEntry state: self.zoneName]; - [self handleCKLogin:ckse.ckzonecreated zoneSubscribed:ckse.ckzonesubscribed]; +- 
(CKKSResultOperation*)createPendingInitializationOperation { - self.viewSetupOperation = [CKKSResultOperation operationWithBlock: ^{ + __weak __typeof(self) weakSelf = self; + CKKSResultOperation* initializationOp = [CKKSGroupOperation named:@"view-initialization" withBlockTakingSelf:^(CKKSGroupOperation * _Nonnull strongOp) { __strong __typeof(weakSelf) strongSelf = weakSelf; - if(!strongSelf) { - ckkserror("ckks", strongSelf, "received callback for released object"); - return; - } - - __block bool quit = false; - [strongSelf dispatchSync: ^bool { - ckksnotice("ckks", strongSelf, "Zone setup progress: %@ %d %@ %d %@", - [CKKSCKAccountStateTracker stringFromAccountStatus:strongSelf.accountStatus], - strongSelf.zoneCreated, strongSelf.zoneCreatedError, strongSelf.zoneSubscribed, strongSelf.zoneSubscribedError); + __block CKKSResultOperation* zoneCreationOperation = nil; + [strongSelf dispatchSync:^bool { + CKKSZoneStateEntry* ckse = [CKKSZoneStateEntry state: self.zoneName]; + zoneCreationOperation = [self handleCKLogin:ckse.ckzonecreated zoneSubscribed:ckse.ckzonesubscribed]; + return true; + }]; - NSError* error = nil; - CKKSZoneStateEntry* ckse = [CKKSZoneStateEntry state: strongSelf.zoneName]; - ckse.ckzonecreated = strongSelf.zoneCreated; - ckse.ckzonesubscribed = strongSelf.zoneSubscribed; - - // Although, if the zone subscribed error says there's no zone, mark down that there's no zone - if(strongSelf.zoneSubscribedError && - [strongSelf.zoneSubscribedError.domain isEqualToString:CKErrorDomain] && strongSelf.zoneSubscribedError.code == CKErrorPartialFailure) { - NSError* subscriptionError = strongSelf.zoneSubscribedError.userInfo[CKPartialErrorsByItemIDKey][strongSelf.zoneID]; - if(subscriptionError && [subscriptionError.domain isEqualToString:CKErrorDomain] && subscriptionError.code == CKErrorZoneNotFound) { - - ckkserror("ckks", strongSelf, "zone subscription error appears to say the zone doesn't exist, fixing status: %@", strongSelf.zoneSubscribedError); - 
ckse.ckzonecreated = false; - } + CKKSResultOperation* viewInitializationOperation = [CKKSResultOperation named:@"view-initialization" withBlockTakingSelf:^(CKKSResultOperation * _Nonnull strongInternalOp) { + __strong __typeof(weakSelf) strongSelf = weakSelf; + if(!strongSelf) { + ckkserror("ckks", strongSelf, "received callback for released object"); + return; } - [ckse saveToDatabase: &error]; - if(error) { - ckkserror("ckks", strongSelf, "couldn't save zone creation status for %@: %@", strongSelf.zoneName, error); - } + [strongSelf dispatchSyncWithAccountKeys: ^bool { + ckksnotice("ckks", strongSelf, "Zone setup progress: %@ %d %@ %d %@", + [CKKSCKAccountStateTracker stringFromAccountStatus:strongSelf.accountStatus], + strongSelf.zoneCreated, strongSelf.zoneCreatedError, strongSelf.zoneSubscribed, strongSelf.zoneSubscribedError); - if(!strongSelf.zoneCreated || !strongSelf.zoneSubscribed || strongSelf.accountStatus != CKAccountStatusAvailable) { - // Something has gone very wrong. Error out and maybe retry. 
- quit = true; + NSError* error = nil; + CKKSZoneStateEntry* ckse = [CKKSZoneStateEntry state: strongSelf.zoneName]; + ckse.ckzonecreated = strongSelf.zoneCreated; + ckse.ckzonesubscribed = strongSelf.zoneSubscribed; + + // Although, if the zone subscribed error says there's no zone, mark down that there's no zone + if(strongSelf.zoneSubscribedError && + [strongSelf.zoneSubscribedError.domain isEqualToString:CKErrorDomain] && strongSelf.zoneSubscribedError.code == CKErrorPartialFailure) { + NSError* subscriptionError = strongSelf.zoneSubscribedError.userInfo[CKPartialErrorsByItemIDKey][strongSelf.zoneID]; + if(subscriptionError && [subscriptionError.domain isEqualToString:CKErrorDomain] && subscriptionError.code == CKErrorZoneNotFound) { + + ckkserror("ckks", strongSelf, "zone subscription error appears to say the zone doesn't exist, fixing status: %@", strongSelf.zoneSubscribedError); + ckse.ckzonecreated = false; + } + } - // Note that CKKSZone has probably called [handleLogout]; which means we have a key hierarchy reset queued up. Error here anyway. - NSError* realReason = strongSelf.zoneCreatedError ? strongSelf.zoneCreatedError : strongSelf.zoneSubscribedError; - strongSelf.viewSetupOperation.error = realReason; - [strongSelf _onqueueAdvanceKeyStateMachineToState: SecCKKSZoneKeyStateError withError: realReason]; + [ckse saveToDatabase: &error]; + if(error) { + ckkserror("ckks", strongSelf, "couldn't save zone creation status for %@: %@", strongSelf.zoneName, error); + } - // We're supposed to be up, but something has gone wrong. Blindly retry until it works. - if(strongSelf.accountStatus == CKKSAccountStatusAvailable) { - [strongSelf.initializeScheduler trigger]; - ckksnotice("ckks", strongSelf, "We're logged in, but setup didn't work. Scheduling retry for %@", strongSelf.initializeScheduler.nextFireTime); + if(!strongSelf.zoneCreated || !strongSelf.zoneSubscribed) { + // Go into 'zonecreationfailed' + strongInternalOp.error = strongSelf.zoneCreatedError ? 
strongSelf.zoneCreatedError : strongSelf.zoneSubscribedError; + [strongSelf _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateZoneCreationFailed withError:strongInternalOp.error]; + + return true; + } else { + [strongSelf _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateInitialized withError:nil]; } - return true; - } else { - strongSelf.setupSuccessful = true; - } - return true; + return true; + }]; }]; - if(quit) { - ckkserror("ckks", strongSelf, "Quitting setup."); - return; - } - - // We can't enter the account queue until an account exists. Before this point, we don't know if one does. - [strongSelf dispatchSyncWithAccountKeys: ^bool{ - // Change our condition variables to reflect that we think we're logged in - strongSelf.loggedOut = [[CKKSCondition alloc] initToChain: strongSelf.loggedOut]; - [strongSelf.loggedIn fulfill]; + [viewInitializationOperation addDependency:zoneCreationOperation]; + [strongOp runBeforeGroupFinished:viewInitializationOperation]; + }]; - CKKSZoneStateEntry* ckse = [CKKSZoneStateEntry state: strongSelf.zoneName]; + return initializationOp; +} - // Check if we believe we've synced this zone before. - if(ckse.changeToken == nil) { - strongSelf.keyHierarchyOperationGroup = [CKOperationGroup CKKSGroupWithName:@"initial-setup"]; +- (void)_onqueuePerformKeyStateInitialized:(CKKSZoneStateEntry*)ckse { - ckksnotice("ckks", strongSelf, "No existing change token; going to try to match local items with CloudKit ones."); + // Check if we believe we've synced this zone before. + if(ckse.changeToken == nil) { + self.keyHierarchyOperationGroup = [CKOperationGroup CKKSGroupWithName:@"initial-setup"]; - // Onboard this keychain: there's likely items in it that we haven't synced yet. - // But, there might be items in The Cloud that correspond to these items, with UUIDs that we don't know yet. - // First, fetch all remote items. 
- CKKSResultOperation* fetch = [strongSelf.zoneChangeFetcher requestSuccessfulFetch:CKKSFetchBecauseInitialStart]; - fetch.name = @"initial-fetch"; + ckksnotice("ckks", self, "No existing change token; going to try to match local items with CloudKit ones."); - // Next, try to process them (replacing local entries) - CKKSIncomingQueueOperation* initialProcess = [strongSelf processIncomingQueue: true after: fetch ]; - initialProcess.name = @"initial-process-incoming-queue"; + // Onboard this keychain: there's likely items in it that we haven't synced yet. + // But, there might be items in The Cloud that correspond to these items, with UUIDs that we don't know yet. + // First, fetch all remote items. + CKKSResultOperation* fetch = [self.zoneChangeFetcher requestSuccessfulFetch:CKKSFetchBecauseInitialStart]; + fetch.name = @"initial-fetch"; - // If all that succeeds, iterate through all keychain items and find the ones which need to be uploaded - strongSelf.initialScanOperation = [[CKKSScanLocalItemsOperation alloc] initWithCKKSKeychainView:strongSelf ckoperationGroup:strongSelf.keyHierarchyOperationGroup]; - strongSelf.initialScanOperation.name = @"initial-scan-operation"; - [strongSelf.initialScanOperation addNullableDependency:strongSelf.lockStateTracker.unlockDependency]; - [strongSelf.initialScanOperation addDependency: initialProcess]; - [strongSelf scheduleOperation: strongSelf.initialScanOperation]; + // Next, try to process them (replacing local entries) + CKKSIncomingQueueOperation* initialProcess = [self processIncomingQueue:true after:fetch]; + initialProcess.name = @"initial-process-incoming-queue"; - } else { - // Likely a restart of securityd! + // If all that succeeds, iterate through all keychain items and find the ones which need to be uploaded + self.initialScanOperation = [self scanLocalItems:@"initial-scan-operation" + ckoperationGroup:self.keyHierarchyOperationGroup + after:initialProcess]; - // First off, are there any in-flight queue entries? 
If so, put them back into New. - // If they're truly in-flight, we'll "conflict" with ourselves, but that should be fine. - NSError* error = nil; - [self _onqueueResetAllInflightOQE:&error]; - if(error) { - ckkserror("ckks", self, "Couldn't reset in-flight OQEs, bad behavior ahead: %@", error); - } + } else { + // Likely a restart of securityd! - // Are there any fixups to run first? - strongSelf.lastFixupOperation = [CKKSFixups fixup:ckse.lastFixup for:strongSelf]; - if(strongSelf.lastFixupOperation) { - ckksnotice("ckksfixup", strongSelf, "We have a fixup to perform: %@", strongSelf.lastFixupOperation); - [strongSelf scheduleOperation:strongSelf.lastFixupOperation]; - } + // First off, are there any in-flight queue entries? If so, put them back into New. + // If they're truly in-flight, we'll "conflict" with ourselves, but that should be fine. + NSError* error = nil; + [self _onqueueResetAllInflightOQE:&error]; + if(error) { + ckkserror("ckks", self, "Couldn't reset in-flight OQEs, bad behavior ahead: %@", error); + } - strongSelf.keyHierarchyOperationGroup = [CKOperationGroup CKKSGroupWithName:@"restart-setup"]; + // Are there any fixups to run first? + self.lastFixupOperation = [CKKSFixups fixup:ckse.lastFixup for:self]; + if(self.lastFixupOperation) { + ckksnotice("ckksfixup", self, "We have a fixup to perform: %@", self.lastFixupOperation); + [self scheduleOperation:self.lastFixupOperation]; + } - if ([CKKSManifest shouldSyncManifests]) { - strongSelf.egoManifest = [CKKSEgoManifest tryCurrentEgoManifestForZone:strongSelf.zoneName]; - } + self.keyHierarchyOperationGroup = [CKOperationGroup CKKSGroupWithName:@"restart-setup"]; - // If it's been more than 24 hours since the last fetch, fetch and process everything. - // Otherwise, just kick off the local queue processing. 
+ if ([CKKSManifest shouldSyncManifests]) { + self.egoManifest = [CKKSEgoManifest tryCurrentEgoManifestForZone:self.zoneName]; + } - NSDate* now = [NSDate date]; - NSDateComponents* offset = [[NSDateComponents alloc] init]; - [offset setHour:-24]; - NSDate* deadline = [[NSCalendar currentCalendar] dateByAddingComponents:offset toDate:now options:0]; + // If it's been more than 24 hours since the last fetch, fetch and process everything. + // Otherwise, just kick off the local queue processing. - NSOperation* initialProcess = nil; - if(ckse.lastFetchTime == nil || [ckse.lastFetchTime compare: deadline] == NSOrderedAscending) { - initialProcess = [strongSelf fetchAndProcessCKChanges:CKKSFetchBecauseSecuritydRestart after:strongSelf.lastFixupOperation]; - } else { - initialProcess = [strongSelf processIncomingQueue:false after:strongSelf.lastFixupOperation]; - } + NSDate* now = [NSDate date]; + NSDateComponents* offset = [[NSDateComponents alloc] init]; + [offset setHour:-24]; + NSDate* deadline = [[NSCalendar currentCalendar] dateByAddingComponents:offset toDate:now options:0]; - if([CKKSManifest shouldSyncManifests]) { - if (!strongSelf.egoManifest) { - ckksnotice("ckksmanifest", strongSelf, "No ego manifest on restart; rescanning"); - strongSelf.initialScanOperation = [[CKKSScanLocalItemsOperation alloc] initWithCKKSKeychainView:strongSelf ckoperationGroup:strongSelf.keyHierarchyOperationGroup]; - strongSelf.initialScanOperation.name = @"initial-scan-operation"; - [strongSelf.initialScanOperation addNullableDependency:strongSelf.lastFixupOperation]; - [strongSelf.initialScanOperation addNullableDependency:strongSelf.lockStateTracker.unlockDependency]; - [strongSelf.initialScanOperation addDependency: initialProcess]; - [strongSelf scheduleOperation: strongSelf.initialScanOperation]; - } - } + NSOperation* initialProcess = nil; + if(ckse.lastFetchTime == nil || [ckse.lastFetchTime compare: deadline] == NSOrderedAscending) { + initialProcess = [self 
fetchAndProcessCKChanges:CKKSFetchBecauseSecuritydRestart after:self.lastFixupOperation]; - // Process outgoing queue after re-start - [strongSelf processOutgoingQueueAfter:strongSelf.lastFixupOperation ckoperationGroup:strongSelf.keyHierarchyOperationGroup]; - } + // Also, kick off a scan local items: it'll find any out-of-sync issues in the local keychain + self.initialScanOperation = [self scanLocalItems:@"24-hr-scan-operation" + ckoperationGroup:self.keyHierarchyOperationGroup + after:initialProcess]; + } else { + initialProcess = [self processIncomingQueue:false after:self.lastFixupOperation]; + } - // Tell the key state machine to fire off. It should either: - // Wait for the fixup operation to occur - // Be initialized - if(strongSelf.lastFixupOperation) { - [strongSelf _onqueueAdvanceKeyStateMachineToState: SecCKKSZoneKeyStateWaitForFixupOperation withError: nil]; - } else { - [strongSelf _onqueueAdvanceKeyStateMachineToState: SecCKKSZoneKeyStateInitialized withError: nil]; + if([CKKSManifest shouldSyncManifests]) { + if (!self.egoManifest && !self.initialScanOperation) { + ckksnotice("ckksmanifest", self, "No ego manifest on restart; rescanning"); + self.initialScanOperation = [self scanLocalItems:@"initial-scan-operation" + ckoperationGroup:self.keyHierarchyOperationGroup + after:initialProcess]; } - return true; - }]; - }]; - self.viewSetupOperation.name = @"view-setup"; + } - [self.viewSetupOperation addNullableDependency: self.zoneSetupOperation]; - [self scheduleAccountStatusOperation: self.viewSetupOperation]; + // Process outgoing queue after re-start + [self processOutgoingQueueAfter:self.lastFixupOperation ckoperationGroup:self.keyHierarchyOperationGroup]; + } } - (bool)_onqueueResetLocalData: (NSError * __autoreleasing *) error { 
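Review bot: In `createPendingInitializationOperation`, the `dispatchSync:` block inside the group operation reads `self.zoneName` and calls `[self handleCKLogin:…]`, so the outer block captures `self` strongly and the `weakSelf`/`strongSelf` pattern around it has no effect. `strongSelf` is also used there without the nil check that the inner `view-initialization` block has, so a nil `strongSelf` would leave `zoneCreationOperation` nil when it is passed to `addDependency:`. I would add `if(!strongSelf) { return; }` before the `dispatchSync:` and use `strongSelf.zoneName` and `[strongSelf handleCKLogin:ckse.ckzonecreated zoneSubscribed:ckse.ckzonesubscribed]` inside it. The same mix appears in the `-697,25 +701,22` hunk, where the new `[self scanLocalItems:@"ready-again-scan" …]` call sits in a block that otherwise uses `strongSelf`; that operation is stored on the view as `keyStateReadyDependency`, so the strong capture can keep the view alive until the operation has run.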
@@ -525,132 +533,131 @@ } } - [self _onqueueAdvanceKeyStateMachineToState: SecCKKSZoneKeyStateInitializing withError:nil]; - return (localerror == nil && !setError); } -- (CKKSResultOperation*)resetLocalData { - __weak __typeof(self) weakSelf = self; - - CKKSGroupOperation* resetFollowUp = [[CKKSGroupOperation alloc] init]; - resetFollowUp.name = @"local-reset-follow-up-group"; - __weak __typeof(resetFollowUp) weakResetFollowUp = resetFollowUp; +- (CKKSResultOperation*)createPendingResetLocalDataOperation { + @synchronized(self.localResetOperations) { + CKKSResultOperation* pendingResetLocalOperation = (CKKSResultOperation*) [self findFirstPendingOperation:self.localResetOperations]; + if(!pendingResetLocalOperation) { + __weak __typeof(self) weakSelf = self; + pendingResetLocalOperation = [CKKSResultOperation named:@"reset-local" withBlockTakingSelf:^(CKKSResultOperation * _Nonnull strongOp) { + __strong __typeof(self) strongSelf = weakSelf; + __block NSError* error = nil; - CKKSResultOperation* op = [[CKKSResultOperation alloc] init]; - op.name = @"local-reset"; + [strongSelf dispatchSync: ^bool{ + [strongSelf _onqueueResetLocalData: &error]; + return true; + }]; - __weak __typeof(op) weakOp = op; - [op addExecutionBlock:^{ - __strong __typeof(self) strongSelf = weakSelf; - __strong __typeof(op) strongOp = weakOp; - __strong __typeof(resetFollowUp) strongResetFollowUp = weakResetFollowUp; - if(!strongSelf || !strongOp || !strongResetFollowUp) { - return; + strongOp.error = error; + }]; + [pendingResetLocalOperation linearDependencies:self.localResetOperations]; } + return pendingResetLocalOperation; + } +} - __block NSError* error = nil; - - [strongSelf dispatchSync: ^bool{ - [strongSelf _onqueueResetLocalData: &error]; +- (CKKSResultOperation*)resetLocalData { + // Not overly thread-safe, but a single read is okay + CKKSAccountStatus accountStatus = self.accountStatus; + ckksnotice("ckksreset", self, "Requesting local data reset"); + + // If we're currently 
signed in, the reset operation will be handled by the CKKS key state machine, and a reset should end up in 'ready' + if(accountStatus == CKKSAccountStatusAvailable) { + __block CKKSResultOperation* resetOperation = nil; + [self dispatchSyncWithAccountKeys:^bool { + self.keyStateLocalResetRequested = true; + resetOperation = [self createPendingResetLocalDataOperation]; + [self _onqueueAdvanceKeyStateMachineToState:nil withError:nil]; return true; }]; - if(error) { - ckksnotice("ckksreset", strongSelf, "Local reset finished with error %@", error); - strongOp.error = error; - } else { - if(strongSelf.accountStatus == CKKSAccountStatusAvailable) { - // Since we're logged in, we expect a reset to fix up the key hierarchy - ckksnotice("ckksreset", strongSelf, "logged in; re-initializing zone"); - [self.initializeScheduler trigger]; - - ckksnotice("ckksreset", strongSelf, "waiting for key hierarchy to become ready"); - CKKSResultOperation* waitOp = [CKKSResultOperation named:@"waiting-for-key-hierarchy" withBlock:^{}]; - [waitOp timeout: 60*NSEC_PER_SEC]; - [waitOp addNullableDependency:strongSelf.keyStateReadyDependency]; - - [strongResetFollowUp runBeforeGroupFinished:waitOp]; - } else { - ckksnotice("ckksreset", strongSelf, "logged out; not initializing zone"); - } - } - }]; - - // On a reset, all other operations should be cancelled - [self cancelAllOperations]; - [resetFollowUp runBeforeGroupFinished:op]; - [self scheduleOperationWithoutDependencies:resetFollowUp]; - return resetFollowUp; -} - -- (CKKSResultOperation*)resetCloudKitZone { - // On a reset, we should cancel all existing operations - [self cancelAllOperations]; - CKKSResultOperation* reset = [super beginResetCloudKitZoneOperation]; - - __weak __typeof(self) weakSelf = self; - CKKSGroupOperation* resetFollowUp = [[CKKSGroupOperation alloc] init]; - resetFollowUp.name = @"cloudkit-reset-follow-up-group"; - - __weak __typeof(resetFollowUp) weakResetFollowUp = resetFollowUp; - [resetFollowUp 
runBeforeGroupFinished: [CKKSResultOperation named:@"cloudkit-reset-follow-up" withBlock: ^{ - __strong __typeof(weakSelf) strongSelf = weakSelf; - if(!strongSelf) { - ckkserror("ckks", strongSelf, "received callback for released object"); - return; - } - __strong __typeof(resetFollowUp) strongResetFollowUp = weakResetFollowUp; + __weak __typeof(self) weakSelf = self; + CKKSGroupOperation* viewReset = [CKKSGroupOperation named:@"local-data-reset" withBlockTakingSelf:^(CKKSGroupOperation *strongOp) { + __strong __typeof(weakSelf) strongSelf = weakSelf; + // Now that the local reset finished, wait for the key hierarchy state machine to churn + ckksnotice("ckksreset", strongSelf, "waiting for key hierarchy to become ready (after local reset)"); + CKKSResultOperation* waitOp = [CKKSResultOperation named:@"waiting-for-local-reset" withBlock:^{}]; + [waitOp timeout: 60*NSEC_PER_SEC]; + [waitOp addNullableDependency:strongSelf.keyStateReadyDependency]; + + [strongOp runBeforeGroupFinished:waitOp]; + }]; + [viewReset addSuccessDependency:resetOperation]; - if(!reset.error) { - ckksnotice("ckks", strongSelf, "Successfully deleted zone %@", strongSelf.zoneName); + [self scheduleOperationWithoutDependencies:viewReset]; + return viewReset; + } else { + // Since we're logged out, we must run the reset ourselves + __weak __typeof(self) weakSelf = self; + CKKSResultOperation* pendingResetLocalOperation = [CKKSResultOperation named:@"reset-local" + withBlockTakingSelf:^(CKKSResultOperation * _Nonnull strongOp) { + __strong __typeof(self) strongSelf = weakSelf; __block NSError* error = nil; [strongSelf dispatchSync: ^bool{ [strongSelf _onqueueResetLocalData: &error]; - strongSelf.setupSuccessful = false; return true; }]; - if(strongSelf.accountStatus == CKKSAccountStatusAvailable) { - // Since we're logged in, we expect a reset to fix up the key hierarchy - ckksnotice("ckksreset", strongSelf, "re-initializing zone"); - [self.initializeScheduler trigger]; - - ckksnotice("ckksreset", 
strongSelf, "waiting for key hierarchy to become ready"); - CKKSResultOperation* waitOp = [CKKSResultOperation named:@"waiting-for-reset" withBlock:^{}]; - [waitOp timeout: 60*NSEC_PER_SEC]; - [waitOp addNullableDependency:strongSelf.keyStateReadyDependency]; + strongOp.error = error; + }]; + [self scheduleOperationWithoutDependencies:pendingResetLocalOperation]; + return pendingResetLocalOperation; + } +} - [strongResetFollowUp runBeforeGroupFinished:waitOp]; - } else { - ckksnotice("ckksreset", strongSelf, "logged out; not initializing zone"); - } - } else { - // Shouldn't ever happen, since reset is a successDependency - ckkserror("ckks", strongSelf, "Couldn't reset zone %@: %@", strongSelf.zoneName, reset.error); +- (CKKSResultOperation*)createPendingDeleteZoneOperation:(CKOperationGroup*)operationGroup { + @synchronized(self.cloudkitDeleteZoneOperations) { + CKKSResultOperation* pendingDeleteOperation = (CKKSResultOperation*) [self findFirstPendingOperation:self.cloudkitDeleteZoneOperations]; + if(!pendingDeleteOperation) { + pendingDeleteOperation = [self deleteCloudKitZoneOperation:operationGroup]; + [pendingDeleteOperation linearDependencies:self.cloudkitDeleteZoneOperations]; } - }]]; - - [resetFollowUp addSuccessDependency:reset]; - [self scheduleOperationWithoutDependencies:resetFollowUp]; - return resetFollowUp; + return pendingDeleteOperation; + } } -- (void)advanceKeyStateMachine { - __weak __typeof(self) weakSelf = self; +- (CKKSResultOperation*)resetCloudKitZone:(CKOperationGroup*)operationGroup { + // Not overly thread-safe, but a single read is okay + if(self.accountStatus == CKKSAccountStatusAvailable) { + // Actually running the delete operation will be handled by the CKKS key state machine + ckksnotice("ckksreset", self, "Requesting reset of CK zone (logged in)"); - [self dispatchAsync: ^bool{ - __strong __typeof(weakSelf) strongSelf = weakSelf; - if(!strongSelf) { - ckkserror("ckks", strongSelf, "received callback for released object"); - 
false; - } + __block CKKSResultOperation* deleteOperation = nil; + [self dispatchSyncWithAccountKeys:^bool { + self.keyStateCloudKitDeleteRequested = true; + deleteOperation = [self createPendingDeleteZoneOperation:operationGroup]; + [self _onqueueAdvanceKeyStateMachineToState:nil withError:nil]; + return true; + }]; - [strongSelf _onqueueAdvanceKeyStateMachineToState: nil withError: nil]; - return true; - }]; -}; + __weak __typeof(self) weakSelf = self; + CKKSGroupOperation* viewReset = [CKKSGroupOperation named:[NSString stringWithFormat:@"cloudkit-view-reset-%@", self.zoneName] + withBlockTakingSelf:^(CKKSGroupOperation *strongOp) { + __strong __typeof(self) strongSelf = weakSelf; + // Now that the delete finished, wait for the key hierarchy state machine + ckksnotice("ckksreset", strongSelf, "waiting for key hierarchy to become ready (after cloudkit reset)"); + CKKSResultOperation* waitOp = [CKKSResultOperation named:@"waiting-for-reset" withBlock:^{}]; + [waitOp timeout: 60*NSEC_PER_SEC]; + [waitOp addNullableDependency:strongSelf.keyStateReadyDependency]; + + [strongOp runBeforeGroupFinished:waitOp]; + }]; + + [viewReset addDependency:deleteOperation]; + [self.waitingQueue addOperation:viewReset]; + + return viewReset; + } else { + // Since we're logged out, we just need to run this ourselves + ckksnotice("ckksreset", self, "Requesting reset of CK zone (logged out)"); + CKKSResultOperation* deleteOperation = [self createPendingDeleteZoneOperation:operationGroup]; + [self scheduleOperationWithoutDependencies:deleteOperation]; + return deleteOperation; + } +} - (void)_onqueueKeyStateMachineRequestFetch { dispatch_assert_queue(self.queue); 
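Review bot: `resetCloudKitZone:` attaches its follow-up group with `[viewReset addDependency:deleteOperation]`, while `resetLocalData` in the same hunk uses `addSuccessDependency:` and so did the removed implementation (`[resetFollowUp addSuccessDependency:reset]`). If `addSuccessDependency:` is what carries a failed dependency's error into the dependent operation (its definition is not in this hunk), a failed zone delete would no longer fail the operation returned to the caller and would surface only through the 60-second wait on `keyStateReadyDependency`. I would use `[viewReset addSuccessDependency:deleteOperation];` here, or add a comment saying why the delete's error is deliberately not propagated. Both reset paths also branch on an `accountStatus` value read off-queue ("Not overly thread-safe"), so a short comment on what happens if the account signs out between that read and the `dispatchSyncWithAccountKeys:` call would help the next reader.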
@@ -663,25 +670,22 @@ [self _onqueueAdvanceKeyStateMachineToState: nil withError: nil]; } -- (void)_onqueueKeyStateMachineRequestFullRefetch { - dispatch_assert_queue(self.queue); - - self.keyStateFullRefetchRequested = true; - [self _onqueueAdvanceKeyStateMachineToState: nil withError: nil]; +- (void)keyStateMachineRequestProcess { + // Since bools are atomic, we don't need to get on-queue here + // Just set the flag high and hope + self.keyStateProcessRequested = true; + [self.pokeKeyStateMachineScheduler trigger]; } -- (void)keyStateMachineRequestProcess { - __weak __typeof(self) weakSelf = self; - [self dispatchAsync: ^bool{ - __strong __typeof(weakSelf) strongSelf = weakSelf; - if(!strongSelf) { - ckkserror("ckks", strongSelf, "received callback for released object"); - return false; - } +- (void)_onqueueKeyStateMachineRequestProcess { + dispatch_assert_queue(self.queue); - [strongSelf _onqueueKeyStateMachineRequestProcess]; - return true; - }]; + // Set the request flag, then nudge the key state machine. + // If it was idle, then it should launch a process. If there was an active process, this flag will stay high + // and the process will be launched later. + + self.keyStateProcessRequested = true; + [self _onqueueAdvanceKeyStateMachineToState: nil withError: nil]; } - (CKKSResultOperation*)createKeyStateReadyDependency:(NSString*)message ckoperationGroup:(CKOperationGroup*)group { 
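Review bot: The new `keyStateMachineRequestProcess` writes `self.keyStateProcessRequested` off-queue, while `_onqueueKeyStateMachineRequestProcess` sets the same flag under `dispatch_assert_queue(self.queue)`, and the only justification given is "bools are atomic ... set the flag high and hope". An atomic store does not stop a request from being lost if on-queue code clears the flag after this write but before acting on it; where the flag is cleared is outside this hunk, so this needs confirming. Replace the comment with one that names the guarantee relied on, for example `// Off-queue write is fine: the scheduler below re-runs the state machine, which re-reads this flag on-queue`, and confirm the property is declared atomic.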
@@ -697,25 +701,22 @@ if(strongSelf.droppedItems) { // While we weren't in 'ready', keychain modifications might have come in and were dropped on the floor. Find them! ckksnotice("ckkskey", strongSelf, "Launching scan operation for missed items"); - CKKSScanLocalItemsOperation* scanOperation = [[CKKSScanLocalItemsOperation alloc] initWithCKKSKeychainView: strongSelf ckoperationGroup:group]; - [strongSelf scheduleOperation: scanOperation]; + [self scanLocalItems:@"ready-again-scan" ckoperationGroup:group after:nil]; } return true; }]; }]; keyStateReadyDependency.name = [NSString stringWithFormat: @"%@-key-state-ready", self.zoneName]; + keyStateReadyDependency.descriptionErrorCode = CKKSResultDescriptionPendingKeyReady; return keyStateReadyDependency; } -- (void)_onqueueKeyStateMachineRequestProcess { - dispatch_assert_queue(self.queue); - - // Set the request flag, then nudge the key state machine. - // If it was idle, then it should launch a process. If there was an active process, this flag will stay high - // and the process will be launched later. - - self.keyStateProcessRequested = true; - [self _onqueueAdvanceKeyStateMachineToState: nil withError: nil]; +- (CKKSResultOperation*)createKeyStateNontransientDependency { + __weak __typeof(self) weakSelf = self; + return [CKKSResultOperation named:[NSString stringWithFormat: @"%@-key-state-nontransient", self.zoneName] withBlock:^{ + __strong __typeof(self) strongSelf = weakSelf; + ckksnotice("ckkskey", strongSelf, "Key state is now non-transient"); + }]; } // The operations suggested by this state machine should call _onqueueAdvanceKeyStateMachineToState once they are complete. 
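Review bot: The replacement line `[self scanLocalItems:@"ready-again-scan" ckoperationGroup:group after:nil];` captures `self` strongly inside a block that otherwise goes through `strongSelf`. Because the view stores this operation in `keyStateReadyDependency`, that strong capture can keep the view alive for as long as the operation exists. Use `[strongSelf scanLocalItems:@"ready-again-scan" ckoperationGroup:group after:nil];` to keep the weak/strong pattern of the surrounding lines. The block starts above this hunk, so its nil check on `strongSelf` is not visible here. The block in the new `createKeyStateNontransientDependency` also omits an `if(!strongSelf)` guard, which is harmless for a log call but differs from the other blocks in this file.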
@@ -726,25 +727,33 @@ dispatch_assert_queue(self.queue); __weak __typeof(self) weakSelf = self; - // Resetting back to 'initializing' takes all precedence. - if([state isEqual: SecCKKSZoneKeyStateInitializing]) { - ckksnotice("ckkskey", self, "Resetting the key hierarchy state machine back to 'initializing'"); + // Resetting back to 'loggedout' takes all precedence. + if([state isEqual:SecCKKSZoneKeyStateLoggedOut]) { + ckksnotice("ckkskey", self, "Resetting the key hierarchy state machine back to '%@'", state); - [self.keyStateMachineOperation cancel]; - self.keyStateMachineOperation = nil; + [self _onqueueResetSetup:SecCKKSZoneKeyStateLoggedOut + resetMessage:@"Key state has become ready for the first time (after reset)." + ckoperationGroup:[CKOperationGroup CKKSGroupWithName:@"key-state-after-logout"]]; - self.keyHierarchyState = SecCKKSZoneKeyStateInitializing; - self.keyHierarchyError = nil; - self.keyStateFetchRequested = false; - self.keyStateProcessRequested = false; + [self _onqueueHandleKeyStateNonTransientDependency]; + return; + } - self.keyHierarchyOperationGroup = [CKOperationGroup CKKSGroupWithName:@"key-state-reset"]; - NSOperation* oldKSRD = self.keyStateReadyDependency; - self.keyStateReadyDependency = [self createKeyStateReadyDependency:@"Key state has become ready for the first time (after reset)." ckoperationGroup:self.keyHierarchyOperationGroup]; - if(oldKSRD) { - [oldKSRD addDependency:self.keyStateReadyDependency]; - [self.waitingQueue addOperation:oldKSRD]; - } + // Resetting back to 'initialized' also takes precedence + if([state isEqual:SecCKKSZoneKeyStateInitializing]) { + ckksnotice("ckkskey", self, "Resetting the key hierarchy state machine back to '%@'", state); + + [self _onqueueResetSetup:SecCKKSZoneKeyStateInitializing + resetMessage:@"Key state has become ready for the first time (after re-initializing)." 
+ ckoperationGroup:[CKOperationGroup CKKSGroupWithName:@"key-state-reset-to-initializing"]]; + + // Begin initialization, but rate-limit it + self.keyStateMachineOperation = [self createPendingInitializationOperation]; + [self.keyStateMachineOperation addNullableDependency:self.initializeScheduler.operationDependency]; + [self.initializeScheduler trigger]; + [self scheduleOperation:self.keyStateMachineOperation]; + + [self _onqueueHandleKeyStateNonTransientDependency]; return; } @@ -753,13 +762,13 @@ [self.keyHierarchyState isEqualToString: SecCKKSZoneKeyStateCancelled] || self.keyHierarchyError != nil) { // Error state: nowhere to go. Early-exit. - ckkserror("ckkskey", self, "Asked to advance state machine from non-exit state %@: %@", self.keyHierarchyState, self.keyHierarchyError); + ckkserror("ckkskey", self, "Asked to advance state machine from non-exit state %@ (to %@): %@", self.keyHierarchyState, state, self.keyHierarchyError); return; } - if(error != nil || [state isEqual: SecCKKSZoneKeyStateError]) { + if([state isEqual: SecCKKSZoneKeyStateError]) { // But wait! Is this a "we're locked" error? - if([self.lockStateTracker isLockedError:error]) { + if(error && [self.lockStateTracker isLockedError:error]) { ckkserror("ckkskey", self, "advised of 'keychain locked' error, ignoring: coming from state (%@): %@", self.keyHierarchyState, error); // After the next unlock, fake that we received the last zone transition CKKSZoneKeyState* lastState = self.keyHierarchyState; 
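Review bot: The added comment `// Resetting back to 'initialized' also takes precedence` names the wrong state. The branch tests `SecCKKSZoneKeyStateInitializing`, and `SecCKKSZoneKeyStateInitialized` is a separate state handled further down in this function. Change it to `// Resetting back to 'initializing' also takes precedence`. The logged-out branch also reuses the reset message "Key state has become ready for the first time (after reset)." although its operation group is named `key-state-after-logout`, so the two reset paths cannot be told apart from that message.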
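Review bot: With the condition narrowed to `if([state isEqual: SecCKKSZoneKeyStateError])`, a call that passes a non-nil `error` with any other `state` no longer has that error recorded or logged in the lines visible here. If any caller still does that (callers are outside this hunk), log it before the check, e.g. `if(error && ![state isEqual:SecCKKSZoneKeyStateError]) { ckkserror("ckkskey", self, "dropping error passed with state %@: %@", state, error); }`. The reverse case matters too: entering the error state with a nil `error` now reaches `logUnrecoverableError:error` and `self.keyHierarchyError = error` in the following hunk with nil. The enclosing method starts and ends outside this hunk.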
@@ -774,22 +783,29 @@ }]; }]; state = nil; + + self.keyHierarchyState = SecCKKSZoneKeyStateWaitForUnlock; + [self.keyStateMachineOperation addNullableDependency:self.lockStateTracker.unlockDependency]; [self scheduleOperation:self.keyStateMachineOperation]; + [self _onqueueHandleKeyStateNonTransientDependency]; + return; + } else { // Error state: record the error and exit early ckkserror("ckkskey", self, "advised of error: coming from state (%@): %@", self.keyHierarchyState, error); - [[CKKSAnalyticsLogger logger] logUnrecoverableError:error - forEvent:CKKSEventStateError - inView:self - withAttributes:@{ @"previousKeyHierarchyState" : self.keyHierarchyState }]; + [[CKKSAnalytics logger] logUnrecoverableError:error + forEvent:CKKSEventStateError + inView:self + withAttributes:@{ @"previousKeyHierarchyState" : self.keyHierarchyState }]; self.keyHierarchyState = SecCKKSZoneKeyStateError; self.keyHierarchyError = error; + [self _onqueueHandleKeyStateNonTransientDependency]; return; } } @@ -803,11 +819,13 @@ self.keyHierarchyOperationGroup = nil; [self.keyStateReadyDependency cancel]; self.keyStateReadyDependency = nil; + + [self.keyStateNonTransientDependency cancel]; + self.keyStateNonTransientDependency = nil; return; } // Now that the current or new state isn't an error or a cancel, proceed. - if(self.keyStateMachineOperation && ![self.keyStateMachineOperation isFinished]) { if(state == nil) { // we started this operation to move the state machine. Since you aren't asking for a state transition, and there's an active operation, no need to do anything 
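Review bot: The context line `state = nil;` in the locked-error branch is now a dead store, because the added `return;` leaves the method before `state` is read again in the lines shown. Remove it, or a reader will assume the branch still falls through with a nil state as it did before this change. The error-state `else` branch below it can now be reached with `error == nil`, since the outer condition tests only `state`. In that case `logUnrecoverableError:error` receives nil, so a guard or a synthesized error there would keep the analytics event meaningful.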
@@ -824,6 +842,17 @@ state = self.keyHierarchyState; } +#if DEBUG + // During testing, keep the developer honest: this function should always have the self identities + if(self.currentSelfPeersError) { + NSAssert(self.currentSelfPeersError.code != CKKSNoPeersAvailable, @"Must have viable (or errored) self peers to advance key state"); + } +#endif + + // Do any of these state transitions below want to change which state we're in? + CKKSZoneKeyState* nextState = nil; + NSError* nextError = nil; + // Many of our decisions below will be based on what keys exist. Help them out. CKKSCurrentKeySet* keyset = [[CKKSCurrentKeySet alloc] initForZone:self.zoneID]; NSError* localerror = nil; @@ -831,7 +860,7 @@ NSArray* remoteKeys = [CKKSKey remoteKeys:self.zoneID error: &localerror]; // We also are checking for OutgoingQueueEntries in the reencrypt state; this is a sign that our key hierarchy is out of date. - NSArray* outdatedOQEs = [CKKSOutgoingQueueEntry allInState: SecCKKSStateReencrypt zoneID:self.zoneID error: &localerror]; + NSInteger outdatedOQEs = [CKKSOutgoingQueueEntry countByState:SecCKKSStateReencrypt zone:self.zoneID error:&localerror]; SecADSetValueForScalarKey((__bridge CFStringRef) SecCKKSAggdViewKeyCount, [localKeys count]); @@ -839,6 +868,7 @@ ckkserror("ckkskey", self, "couldn't fetch keys and OQEs from local database, entering error state: %@", localerror); self.keyHierarchyState = SecCKKSZoneKeyStateError; self.keyHierarchyError = localerror; + [self _onqueueHandleKeyStateNonTransientDependency]; return; } 
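Review bot: The DEBUG assertion compares `self.currentSelfPeersError.code` with `CKKSNoPeersAvailable` without checking the error domain, so an error from another domain with the same numeric code would trip it. A later hunk in this patch tests the same condition as `[localerror.domain isEqualToString:CKKSErrorDomain] && localerror.code == CKKSNoPeersAvailable`, and the assert should use the same two-part test on `self.currentSelfPeersError`. The comment "this function should always have the self identities" would also be more useful if it said what a caller must do to satisfy it.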
@@ -849,12 +879,45 @@ NSError* hierarchyError = nil; - if([state isEqualToString: SecCKKSZoneKeyStateInitializing]) { - if(state != nil) { - // Wait for CKKSZone to finish initialization. - ckkserror("ckkskey", self, "Asked to advance state machine (to %@) while CK zone still initializing.", state); - } - return; + if(self.keyStateCloudKitDeleteRequested || [state isEqualToString:SecCKKSZoneKeyStateResettingZone]) { + // CloudKit reset requests take precedence over all other state transitions + ckksnotice("ckkskey", self, "Deleting the CloudKit Zone"); + CKKSGroupOperation* op = [[CKKSGroupOperation alloc] init]; + + CKKSResultOperation* deleteOp = [self createPendingDeleteZoneOperation:self.keyHierarchyOperationGroup]; + [op runBeforeGroupFinished: deleteOp]; + + NSOperation* nextStateOp = [self operationToEnterState:SecCKKSZoneKeyStateResettingLocalData keyStateError:nil named:@"state-resetting-local"]; + [nextStateOp addDependency:deleteOp]; + [op runBeforeGroupFinished:nextStateOp]; + + self.keyStateMachineOperation = op; + self.keyStateCloudKitDeleteRequested = false; + + // Also, pending operations should be cancelled + [self cancelPendingOperations]; + + } else if(self.keyStateLocalResetRequested || [state isEqualToString:SecCKKSZoneKeyStateResettingLocalData]) { + // Local reset requests take precedence over all other state transitions + ckksnotice("ckkskey", self, "Resetting local data"); + CKKSGroupOperation* op = [[CKKSGroupOperation alloc] init]; + + CKKSResultOperation* resetOp = [self createPendingResetLocalDataOperation]; + [op runBeforeGroupFinished: resetOp]; + + NSOperation* nextStateOp = [self operationToEnterState:SecCKKSZoneKeyStateInitializing keyStateError:nil named:@"state-resetting-initialize"]; + [nextStateOp addDependency:resetOp]; + [op runBeforeGroupFinished:nextStateOp]; + + self.keyStateMachineOperation = op; + self.keyStateLocalResetRequested = false; + + + } else if([state isEqualToString:SecCKKSZoneKeyStateZoneCreationFailed]) { + 
//Prepare to go back into initializing, as soon as the initializeScheduler is happy + self.keyStateMachineOperation = [self operationToEnterState:SecCKKSZoneKeyStateInitializing keyStateError:nil named:@"recover-from-cloudkit-failure"]; + [self.keyStateMachineOperation addNullableDependency:self.initializeScheduler.operationDependency]; + [self.initializeScheduler trigger]; } else if([state isEqualToString: SecCKKSZoneKeyStateReady]) { if(self.keyStateProcessRequested || [remoteKeys count] > 0) { @@ -866,15 +929,13 @@ } else if(self.keyStateFullRefetchRequested) { // In ready, but someone has requested a full fetch. Kick it off. - ckksnotice("ckkskey", self, "Kicking off a key refetch based on request:%d", self.keyStateFetchRequested); - [self _onqueueKeyHierarchyRefetch]; - state = SecCKKSZoneKeyStateNeedFullRefetch; + ckksnotice("ckkskey", self, "Kicking off a full key refetch based on request:%d", self.keyStateFullRefetchRequested); + nextState = SecCKKSZoneKeyStateNeedFullRefetch; } else if(self.keyStateFetchRequested) { // In ready, but someone has requested a fetch. Kick it off. ckksnotice("ckkskey", self, "Kicking off a key refetch based on request:%d", self.keyStateFetchRequested); - [self _onqueueKeyHierarchyFetch]; - state = SecCKKSZoneKeyStateInitialized; // Don't go to 'ready', go to 'initialized', since we want to fetch again + nextState = SecCKKSZoneKeyStateFetch; // Don't go to 'ready', go to 'initialized', since we want to fetch again } // TODO: kick off a key roll if one has been requested 
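Review bot: In the CloudKit-delete branch the follow-up is attached with `[nextStateOp addDependency:deleteOp];`, which runs once `deleteOp` finishes whatever its outcome. As written, a failed zone delete therefore still advances to `SecCKKSZoneKeyStateResettingLocalData` with `keyStateError:nil`, and the local-reset branch has the same shape with `resetOp`. `self.keyStateCloudKitDeleteRequested` is also cleared at scheduling time, so a failed request is not retried by this flag. Unless `deleteCloudKitZoneOperation:` handles its own failure (not visible here), check `deleteOp.error` before entering the next state, or add a comment saying that proceeding after a failed delete is intended.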
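Review bot: The trailing comment on `nextState = SecCKKSZoneKeyStateFetch;` still reads "Don't go to 'ready', go to 'initialized', since we want to fetch again", but the code no longer goes to 'initialized'. Update it to `// Don't stay in 'ready'; go to 'fetch' so the key hierarchy is fetched again`. Neither request flag is cleared in this hunk; presumably the fetch operations do that, but it is outside the visible lines.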
@@ -884,40 +945,56 @@ if(![checkedstate isEqualToString:SecCKKSZoneKeyStateReady] || hierarchyError) { // Things is bad. Kick off a heal to fix things up. ckksnotice("ckkskey", self, "Thought we were ready, but the key hierarchy is %@: %@", checkedstate, hierarchyError); - state = checkedstate; - + nextState = checkedstate; + if([nextState isEqualToString:SecCKKSZoneKeyStateError]) { + nextError = hierarchyError; + } } } } else if([state isEqualToString: SecCKKSZoneKeyStateInitialized]) { // We're initialized and CloudKit is ready. See what needs done... - // Check if we have an existing key hierarchy - CKKSKey* tlk = [CKKSKey currentKeyForClass:SecCKKSKeyClassTLK zoneID:self.zoneID error:&error]; - CKKSKey* classA = [CKKSKey currentKeyForClass:SecCKKSKeyClassA zoneID:self.zoneID error:&error]; - CKKSKey* classC = [CKKSKey currentKeyForClass:SecCKKSKeyClassC zoneID:self.zoneID error:&error]; + CKKSZoneStateEntry* ckse = [CKKSZoneStateEntry state:self.zoneName]; + [self _onqueuePerformKeyStateInitialized:ckse]; - if(error && !([error.domain isEqual: @"securityd"] && error.code == errSecItemNotFound)) { - ckkserror("ckkskey", self, "Error examining existing key hierarchy: %@", error); - } + // We need to either: + // Wait for the fixup operation to occur + // Go into 'ready' + // Or start a key state fetch + if(self.lastFixupOperation && ![self.lastFixupOperation isFinished]) { + nextState = SecCKKSZoneKeyStateWaitForFixupOperation; + } else { + // Check if we have an existing key hierarchy in keyset + if(keyset.error && !([keyset.error.domain isEqual: @"securityd"] && keyset.error.code == errSecItemNotFound)) { + ckkserror("ckkskey", self, "Error examining existing key hierarchy: %@", error); + } - if(tlk && classA && classC && !error) { - // This is likely a restart of securityd, and we think we're ready. Double check. + if(keyset.tlk && keyset.classA && keyset.classC && !keyset.error) { + // This is likely a restart of securityd, and we think we're ready. 
Double check. + + CKKSZoneKeyState* checkedstate = [self _onqueueEnsureKeyHierarchyHealth:keyset error:&hierarchyError]; + if([checkedstate isEqualToString:SecCKKSZoneKeyStateReady] && !hierarchyError) { + ckksnotice("ckkskey", self, "Already have existing key hierarchy for %@; using it.", self.zoneID.zoneName); + } else { + ckksnotice("ckkskey", self, "Initial scan shows key hierarchy is %@: %@", checkedstate, hierarchyError); + } + nextState = checkedstate; - CKKSZoneKeyState* checkedstate = [self _onqueueEnsureKeyHierarchyHealth:keyset error:&hierarchyError]; - if([checkedstate isEqualToString:SecCKKSZoneKeyStateReady] && !hierarchyError) { - ckksnotice("ckkskey", self, "Already have existing key hierarchy for %@; using it.", self.zoneID.zoneName); } else { - ckksnotice("ckkskey", self, "Initial scan shows key hierarchy is %@: %@", checkedstate, hierarchyError); - state = checkedstate; + // We have no local key hierarchy. One might exist in CloudKit, or it might not. + ckksnotice("ckkskey", self, "No existing key hierarchy for %@. Check if there's one in CloudKit...", self.zoneID.zoneName); + nextState = SecCKKSZoneKeyStateFetch; } + } - } else { - // We have no local key hierarchy. One might exist in CloudKit, or it might not. - ckksnotice("ckkskey", self, "No existing key hierarchy for %@. Check if there's one in CloudKit...", self.zoneID.zoneName); + } else if([state isEqualToString:SecCKKSZoneKeyStateFetch]) { + ckksnotice("ckkskey", self, "Starting a key hierarchy fetch"); + [self _onqueueKeyHierarchyFetch]; - [self _onqueueKeyHierarchyFetch]; - } + } else if([state isEqualToString: SecCKKSZoneKeyStateNeedFullRefetch]) { + ckksnotice("ckkskey", self, "Starting a key hierarchy full refetch"); + [self _onqueueKeyHierarchyRefetch]; } else if([state isEqualToString:SecCKKSZoneKeyStateWaitForFixupOperation]) { // We should enter 'initialized' when the fixup operation completes 
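Review bot: In the initialized branch the guard tests `keyset.error`, but the log call prints the method's `error` parameter: `ckkserror("ckkskey", self, "Error examining existing key hierarchy: %@", error);`. That parameter is unrelated to the keyset lookup, so the message will show nil or an unrelated value exactly when the keyset failed to load. Log the value that was tested: `ckkserror("ckkskey", self, "Error examining existing key hierarchy: %@", keyset.error);`.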
@@ -943,18 +1020,19 @@ // Huh. We appear to have current key pointers, but the keys themselves don't exist. That's weird. // Transfer to the "unhealthy" state to request a fix ckksnotice("ckkskey", self, "We appear to have current key pointers but no keys to match them. Moving to 'unhealthy'"); - state = SecCKKSZoneKeyStateUnhealthy; + nextState = SecCKKSZoneKeyStateUnhealthy; } else { // No remote keys, and the pointers look sane? Do we have an existing key hierarchy? CKKSZoneKeyState* checkedstate = [self _onqueueEnsureKeyHierarchyHealth:keyset error:&hierarchyError]; if([checkedstate isEqualToString:SecCKKSZoneKeyStateReady] && !hierarchyError) { ckksnotice("ckkskey", self, "After fetch, everything looks good."); + nextState = checkedstate; } else if(localKeys.count == 0 && remoteKeys.count == 0) { ckksnotice("ckkskey", self, "After fetch, we don't have any key hierarchy. Making a new one: %@", hierarchyError); self.keyStateMachineOperation = [[CKKSNewTLKOperation alloc] initWithCKKSKeychainView: self ckoperationGroup:self.keyHierarchyOperationGroup]; } else { ckksnotice("ckkskey", self, "After fetch, we have a possibly unhealthy key hierarchy. Moving to %@: %@", checkedstate, hierarchyError); - state = checkedstate; + nextState = checkedstate; } } 
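Review bot: The "After fetch" branch sets `nextState = checkedstate;` without carrying `hierarchyError` along. The ready branch in the previous hunk does carry it, setting `nextError = hierarchyError` when the checked state is `SecCKKSZoneKeyStateError`. If `_onqueueEnsureKeyHierarchyHealth:error:` returns the error state here, `operationToEnterState:keyStateError:` is handed a nil error and the machine enters 'error' with no `keyHierarchyError`. Add `if([nextState isEqualToString:SecCKKSZoneKeyStateError]) { nextError = hierarchyError; }` after the assignment. The `nextState = checkedstate;` in the initialized branch of the previous hunk has the same gap.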
@@ -965,15 +1043,25 @@ // Someone has requsted a reprocess! Run a ProcessReceivedKeysOperation. ckksnotice("ckkskey", self, "Received a nudge that our TLK might be here! Starting operation to check."); [self _onqueueKeyHierarchyProcess]; + } else { + // Should we nuke this zone? + if([self _onqueueOtherDevicesReportHavingTLKs:keyset]) { + ckksnotice("ckkskey", self, "Other devices report having TLK(%@). Entering a waiting state", keyset.currentTLKPointer); + } else { + ckksnotice("ckkskey", self, "No other devices have TLK(%@). Beginning zone reset...", keyset.currentTLKPointer); + nextState = SecCKKSZoneKeyStateResettingZone; + } } } else if([state isEqualToString: SecCKKSZoneKeyStateWaitForUnlock]) { - // will be handled later. ckksnotice("ckkskey", self, "Requested to enter waitforunlock"); + self.keyStateMachineOperation = [self operationToEnterState:SecCKKSZoneKeyStateInitialized keyStateError:nil named:@"key-state-after-unlock"]; + [self.keyStateMachineOperation addNullableDependency: self.lockStateTracker.unlockDependency]; } else if([state isEqualToString: SecCKKSZoneKeyStateReadyPendingUnlock]) { - // will be handled later. - ckksnotice("ckkskey", self, "Believe we're ready, but recheck after unlock"); + ckksnotice("ckkskey", self, "Believe we're ready, but rechecking after unlock"); + self.keyStateMachineOperation = [self operationToEnterState:SecCKKSZoneKeyStateInitialized keyStateError:nil named:@"key-state-after-unlock"]; + [self.keyStateMachineOperation addNullableDependency: self.lockStateTracker.unlockDependency]; } else if([state isEqualToString: SecCKKSZoneKeyStateBadCurrentPointers]) { // The current key pointers are broken, but we're not sure why. 
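Review bot: The `SecCKKSZoneKeyStateWaitForUnlock` and `SecCKKSZoneKeyStateReadyPendingUnlock` branches now hold the same two statements and differ only in their log line. Both build `operationToEnterState:SecCKKSZoneKeyStateInitialized ... named:@"key-state-after-unlock"` and add `self.lockStateTracker.unlockDependency`. Fold them into one branch with a combined condition and pick the log text from `state`, so a later change to the unlock handling cannot update one copy and miss the other. The enclosing method starts and ends outside this hunk.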
@@ -988,18 +1076,7 @@ ckksnotice("ckkskey", self, "Creating new TLK shares didn't work. Attempting to refetch!"); [self _onqueueKeyHierarchyFetch]; - } else if([state isEqualToString: SecCKKSZoneKeyStateNeedFullRefetch]) { - ckksnotice("ckkskey", self, "Informed of request for full refetch"); - [self _onqueueKeyHierarchyRefetch]; - - } else { - ckkserror("ckks", self, "asked to advance state machine to unknown state: %@", state); - self.keyHierarchyState = state; - return; - } - - // Check our other states: did the above code ask for a fix up? Are we in ready? - if([state isEqualToString:SecCKKSZoneKeyStateUnhealthy]) { + } else if([state isEqualToString:SecCKKSZoneKeyStateUnhealthy]) { ckksnotice("ckkskey", self, "Looks like the key hierarchy is unhealthy. Launching fix."); self.keyStateMachineOperation = [[CKKSHealKeyHierarchyOperation alloc] initWithCKKSKeychainView:self ckoperationGroup:self.keyHierarchyOperationGroup]; 
@@ -1008,34 +1085,27 @@ self.keyStateMachineOperation = [[CKKSHealTLKSharesOperation alloc] initWithCKKSKeychainView:self ckoperationGroup:self.keyHierarchyOperationGroup]; - } else if([state isEqualToString: SecCKKSZoneKeyStateWaitForUnlock] || [state isEqualToString:SecCKKSZoneKeyStateReadyPendingUnlock]) { - // We're in a hold state: waiting for the keybag to unlock so we can reenter the key hierarchy state machine - // After the next unlock, poke ourselves - self.keyStateMachineOperation = [NSBlockOperation named:@"key-state-after-unlock" withBlock:^{ - __strong __typeof(self) strongSelf = weakSelf; - if(!strongSelf) { - return; - } - [strongSelf dispatchSyncWithAccountKeys:^bool{ - [strongSelf _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateInitialized withError:nil]; - return true; - }]; - }]; - [self.keyStateMachineOperation addNullableDependency: self.lockStateTracker.unlockDependency]; - + } else { + ckkserror("ckks", self, "asked to advance state machine to unknown state: %@", state); + self.keyHierarchyState = state; + [self _onqueueHandleKeyStateNonTransientDependency]; + return; } - // Handle the key state ready dependency - if([state isEqualToString:SecCKKSZoneKeyStateReady] || [state isEqualToString:SecCKKSZoneKeyStateReadyPendingUnlock]) { + // If we're in ready and not entering a non-ready state, we should activate the ready dependency. Otherwise, we should create it. + if(([state isEqualToString:SecCKKSZoneKeyStateReady] || [state isEqualToString:SecCKKSZoneKeyStateReadyPendingUnlock]) && + (nextState == nil || [nextState isEqualToString:SecCKKSZoneKeyStateReady] || [nextState isEqualToString:SecCKKSZoneKeyStateReadyPendingUnlock])) { + // Ready enough! 
+ [[CKKSAnalytics logger] setDateProperty:[NSDate date] forKey:CKKSAnalyticsLastKeystateReady inView:self]; if(self.keyStateReadyDependency) { [self scheduleOperation: self.keyStateReadyDependency]; self.keyStateReadyDependency = nil; } // If there are any OQEs waiting to be encrypted, launch an op to fix them - if([outdatedOQEs count] > 0u) { + if(outdatedOQEs > 0) { ckksnotice("ckksreencrypt", self, "Reencrypting outgoing items as the key hierarchy is ready"); CKKSReencryptOutgoingItemsOperation* op = [[CKKSReencryptOutgoingItemsOperation alloc] initWithCKKSKeychainView:self ckoperationGroup:self.keyHierarchyOperationGroup]; [self scheduleOperation:op]; 
@@ -1048,32 +1118,154 @@ } } + NSAssert(!((self.keyStateMachineOperation != nil) && + (nextState != nil)), + @"Should have a machine operation or a next state, not both"); + // Start any operations, or log that we aren't if(self.keyStateMachineOperation) { [self scheduleOperation: self.keyStateMachineOperation]; + ckksnotice("ckkskey", self, "Now in key state: %@", state); + self.keyHierarchyState = state; - } else if([state isEqualToString:SecCKKSZoneKeyStateWaitForTLK]) { - ckksnotice("ckkskey", self, "Entering key state %@", state); } else if([state isEqualToString:SecCKKSZoneKeyStateError]) { ckksnotice("ckkskey", self, "Entering key state 'error'"); + self.keyHierarchyState = state; + + } else if(nextState == nil) { + ckksnotice("ckkskey", self, "Entering key state: %@", state); + self.keyHierarchyState = state; + + } else if(![state isEqualToString: nextState]) { + ckksnotice("ckkskey", self, "Staying in state %@, but proceeding to %@ as soon as possible", self.keyHierarchyState, nextState); + self.keyStateMachineOperation = [self operationToEnterState:nextState keyStateError:nextError named:@"next-key-state"]; + [self scheduleOperation: self.keyStateMachineOperation]; + } else { - // Nothing to do and not in a waiting state? Awesome; we must be in the ready state. + // Nothing to do and not in a waiting state? This is likely a bug, but, hey: pretend to be in ready! 
if(!([state isEqualToString:SecCKKSZoneKeyStateReady] || [state isEqualToString:SecCKKSZoneKeyStateReadyPendingUnlock])) { - ckksnotice("ckkskey", self, "No action to take in state %@; we must be ready.", state); - state = SecCKKSZoneKeyStateReady; + ckkserror("ckkskey", self, "No action to take in state %@; BUG, but: maybe we're ready?", state); + nextState = SecCKKSZoneKeyStateReady; + self.keyStateMachineOperation = [self operationToEnterState:nextState keyStateError:nil named:@"next-key-state"]; + [self scheduleOperation: self.keyStateMachineOperation]; + } + } + + [self _onqueueHandleKeyStateNonTransientDependency]; +} + +- (void)_onqueueHandleKeyStateNonTransientDependency { + dispatch_assert_queue(self.queue); + + if(CKKSKeyStateTransient(self.keyHierarchyState)) { + if(self.keyStateNonTransientDependency == nil || [self.keyStateNonTransientDependency isFinished]) { + self.keyStateNonTransientDependency = [self createKeyStateNontransientDependency]; + } + } else { + // Nontransient: go for it + if(self.keyStateNonTransientDependency) { + [self scheduleOperation: self.keyStateNonTransientDependency]; + self.keyStateNonTransientDependency = nil; + } + } +} + +- (NSOperation*)operationToEnterState:(CKKSZoneKeyState*)state keyStateError:(NSError* _Nullable)keyStateError named:(NSString*)name { + __weak __typeof(self) weakSelf = self; + + return [NSBlockOperation named:name withBlock:^{ + __strong __typeof(self) strongSelf = weakSelf; + if(!strongSelf) { + return; + } + [strongSelf dispatchSyncWithAccountKeys:^bool{ + [strongSelf _onqueueAdvanceKeyStateMachineToState:state withError:keyStateError]; + return true; + }]; + }]; +} + +- (bool)_onqueueOtherDevicesReportHavingTLKs:(CKKSCurrentKeySet*)keyset +{ + dispatch_assert_queue(self.queue); + + //Has there been any activity indicating that other trusted devices have keys in the past 45 days, or untrusted devices in the past 4? + // (We chose 4 as devices attempt to upload their device state every 3 days. 
If a device is unceremoniously kicked out of circle, we normally won't immediately reset.) + NSDate* now = [NSDate date]; + NSDateComponents* trustedOffset = [[NSDateComponents alloc] init]; + [trustedOffset setDay:-45]; + NSDate* trustedDeadline = [[NSCalendar currentCalendar] dateByAddingComponents:trustedOffset toDate:now options:0]; + + NSDateComponents* untrustedOffset = [[NSDateComponents alloc] init]; + [untrustedOffset setDay:-4]; + NSDate* untrustedDeadline = [[NSCalendar currentCalendar] dateByAddingComponents:untrustedOffset toDate:now options:0]; - self.keyHierarchyOperationGroup = nil; - if(self.keyStateReadyDependency) { - [self scheduleOperation: self.keyStateReadyDependency]; - self.keyStateReadyDependency = nil; + NSMutableSet* trustedPeerIDs = [NSMutableSet set]; + for(id peer in self.currentTrustedPeers) { + [trustedPeerIDs addObject:peer.peerID]; + } + + NSError* localerror = nil; + + NSArray* allDeviceStates = [CKKSDeviceStateEntry allInZone:self.zoneID error:&localerror]; + if(localerror) { + ckkserror("ckkskey", self, "Error fetching device states: %@", localerror); + localerror = nil; + return true; + } + for(CKKSDeviceStateEntry* device in allDeviceStates) { + if([trustedPeerIDs containsObject:device.circlePeerID]) { + // Is this a recent DSE? If it's older than the deadline, skip it + if([device.storedCKRecord.modificationDate compare:trustedDeadline] == NSOrderedAscending) { + ckksnotice("ckkskey", self, "Trusted device state (%@) is too old; ignoring", device); + continue; + } + } else { + // Device is untrusted. How does it fare with the untrustedDeadline? + if([device.storedCKRecord.modificationDate compare:untrustedDeadline] == NSOrderedAscending) { + ckksnotice("ckkskey", self, "Device (%@) is not trusted and from too long ago; ignoring device state (%@)", device.circlePeerID, device); + continue; + } else { + ckksnotice("ckkskey", self, "Device (%@) is not trusted, but very recent. 
Including in heuristic: %@", device.circlePeerID, device); } } + + if([device.keyState isEqualToString:SecCKKSZoneKeyStateReady] || + [device.keyState isEqualToString:SecCKKSZoneKeyStateReadyPendingUnlock]) { + ckksnotice("ckkskey", self, "Other device (%@) has keys; it should send them to us", device); + return true; + } } - ckksnotice("ckkskey", self, "Advancing to key state: %@", state); - self.keyHierarchyState = state; + + NSArray* tlkShares = [CKKSTLKShare allForUUID:keyset.currentTLKPointer.currentKeyUUID + zoneID:self.zoneID + error:&localerror]; + if(localerror) { + ckkserror("ckkskey", self, "Error fetching device states: %@", localerror); + localerror = nil; + return false; + } + + for(CKKSTLKShare* tlkShare in tlkShares) { + if([trustedPeerIDs containsObject:tlkShare.senderPeerID] && + [tlkShare.storedCKRecord.modificationDate compare:trustedDeadline] == NSOrderedDescending) { + ckksnotice("ckkskey", self, "Trusted TLK Share (%@) created recently; other devices have keys and should send them to us", tlkShare); + return true; + } + } + + // Okay, how about the untrusted deadline? + for(CKKSTLKShare* tlkShare in tlkShares) { + if([tlkShare.storedCKRecord.modificationDate compare:untrustedDeadline] == NSOrderedDescending) { + ckksnotice("ckkskey", self, "Untrusted TLK Share (%@) created very recently; other devices might have keys and should rejoin the circle (and send them to us)", tlkShare); + return true; + } + } + + return false; } -// For this key, who doesn't yet have a CKKSTLKShare for it? +// For this key, who doesn't yet have a valid CKKSTLKShare for it? // Note that we really want a record sharing the TLK to ourselves, so this function might return // a non-empty set even if all peers have the TLK: it wants us to make a record for ourself. - (NSSet>*)_onqueueFindPeersMissingShare:(CKKSKey*)key error:(NSError* __autoreleasing*)error { 
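Review bot: `_onqueueOtherDevicesReportHavingTLKs:` returns `false` when the `CKKSTLKShare allForUUID:zoneID:error:` lookup fails. In the wait-for-TLK branch a `false` result sets `nextState = SecCKKSZoneKeyStateResettingZone`, so a local read error can lead straight to a zone reset. The device-state lookup just above fails the other way with `return true;`, which is the conservative direction, and the share lookup should do the same. Its log text is also a copy of the device-state message and should read `"Error fetching TLK shares: %@"`, so the two failures can be told apart in logs.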
@@ -1125,12 +1317,22 @@ // Determine if we think this peer has enough things shared to them bool alreadyShared = false; for(CKKSTLKShare* existingPeerShare in currentPeerShares) { + // If an SOS Peer sent this share, is its signature still valid? Or did the signing key change? + if([existingPeerShare.senderPeerID hasPrefix:CKKSSOSPeerPrefix]) { + NSError* signatureError = nil; + if(![existingPeerShare signatureVerifiesWithPeerSet:self.currentTrustedPeers error:&signatureError]) { + ckksnotice("ckksshare", self, "Existing TLKShare's signature doesn't verify with current peer set: %@ %@", signatureError, existingPeerShare); + continue; + } + } + if([existingPeerShare.tlkUUID isEqualToString: key.uuid] && [trustedPeerIDs containsObject:existingPeerShare.senderPeerID]) { // Was this shared to us? if([peer.peerID isEqualToString: self.currentSelfPeers.currentSelf.peerID]) { - // We only count this as 'found' if we did the sharing - if([existingPeerShare.senderPeerID isEqualToString:self.currentSelfPeers.currentSelf.peerID]) { + // We only count this as 'found' if we did the sharing and it's to our current keys + if([existingPeerShare.senderPeerID isEqualToString:self.currentSelfPeers.currentSelf.peerID] && + [existingPeerShare.receiver.publicEncryptionKey isEqual:self.currentSelfPeers.currentSelf.publicEncryptionKey]) { ckksnotice("ckksshare", self, "Local peer %@ is shared %@ via self: %@", peer, key, existingPeerShare); alreadyShared = true; } else { 
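Review bot: The added signature check runs only when `existingPeerShare.senderPeerID` has `CKKSSOSPeerPrefix`, so a share from any other kind of sender is accepted on the `trustedPeerIDs` membership test alone. If other sender ID forms can occur (not visible in this hunk), either verify every share or add a comment stating why those senders are exempt. The check also sits before the `tlkUUID` comparison, so shares for unrelated keys are verified and logged on every pass. Moving it inside `if([existingPeerShare.tlkUUID isEqualToString: key.uuid] && ...)` would limit the work and the log noise to shares that matter. The loop and its enclosing method continue outside this hunk.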
@@ -1138,16 +1340,23 @@ } } else { - // Some other peer has a trusted share. Cool! - ckksnotice("ckksshare", self, "Peer %@ is shared %@ via trusted %@", peer, key, existingPeerShare); - alreadyShared = true; + // Was this shared to the remote peer's current keys? + if([peer.publicEncryptionKey isEqual: existingPeerShare.receiver.publicEncryptionKey]) { + // Some other peer has a trusted share. Cool! + ckksnotice("ckksshare", self, "Peer %@ is shared %@ via trusted %@", peer, key, existingPeerShare); + alreadyShared = true; + } else { + ckksnotice("ckksshare", self, "Peer %@ has a share for %@, but to old keys: %@", peer, key, existingPeerShare); + } } } } if(!alreadyShared) { - // Add this peer to our set - [peersMissingShares addObject:peer]; + // Add this peer to our set, if it has an encryption key to receive the share + if(peer.publicEncryptionKey) { + [peersMissingShares addObject:peer]; + } } } @@ -1193,6 +1402,11 @@ } for(id peer in remainingPeers) { + if(!peer.publicEncryptionKey) { + ckksnotice("ckksshare", self, "No need to make TLK for %@; they don't have any encryption keys", peer); + continue; + } + // Create a share for this peer. ckksnotice("ckksshare", self, "Creating share of %@ as %@ for %@", key, self.currentSelfPeers.currentSelf, peer); CKKSTLKShare* newShare = [CKKSTLKShare share:key @@ -1303,6 +1517,9 @@ if(localerror && [self.lockStateTracker isLockedError: localerror]) { ckkserror("ckkskey", self, "Couldn't find missing TLK shares due to lock state: %@", localerror); probablyOkIfUnlocked = true; + } else if([localerror.domain isEqualToString:CKKSErrorDomain] && localerror.code == CKKSNoPeersAvailable) { + ckkserror("ckkskey", self, "Couldn't find missing TLK shares due to missing peers, likely due to lock state: %@", localerror); + probablyOkIfUnlocked = true; } else if(localerror) { if(error) { 
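Review bot: In the last hunk on this line, the new `else if` treats `CKKSNoPeersAvailable` as a lock-state symptom and sets `probablyOkIfUnlocked = true`, justified only by "likely due to lock state" in the log text. If peers can be missing for another reason, the health check would report a pending-unlock condition instead of surfacing the failure through `*error`. Require a positive lock signal from `self.lockStateTracker` as well, or add a comment explaining why no-peers implies locked in this code path. The enclosing method begins and ends outside the hunk.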
@@ -1480,13 +1697,12 @@ // We don't want to fix it up here, in the closing moments of a transaction if([error.domain isEqualToString:CKKSErrorDomain] && error.code == CKKSNoUUIDOnItem) { ckksnotice("ckks", self, "Launching scan operation to find UUID"); - CKKSScanLocalItemsOperation* scanOperation = [[CKKSScanLocalItemsOperation alloc] initWithCKKSKeychainView: self ckoperationGroup:operationGroup]; - [self scheduleOperation: scanOperation]; + [self scanLocalItems:@"uuid-find-scan" ckoperationGroup:operationGroup after:nil]; } // If the problem is 'couldn't load key', tell the key hierarchy state machine to fix it if([error.domain isEqualToString:CKKSErrorDomain] && error.code == errSecItemNotFound) { - [self _onqueueAdvanceKeyStateMachineToState: nil withError: nil]; + [self.pokeKeyStateMachineScheduler trigger]; } return true; @@ -1543,11 +1759,11 @@ }]; } --(void)setCurrentItemForAccessGroup:(SecDbItemRef)newItem +-(void)setCurrentItemForAccessGroup:(NSData* _Nonnull)newItemPersistentRef hash:(NSData*)newItemSHA1 accessGroup:(NSString*)accessGroup identifier:(NSString*)identifier - replacing:(SecDbItemRef)oldItem + replacing:(NSData* _Nullable)oldCurrentItemPersistentRef hash:(NSData*)oldItemSHA1 complete:(void (^) (NSError* operror)) complete { 
@@ -1560,104 +1776,52 @@ return; } - __weak __typeof(self) weakSelf = self; - - [self dispatchSync:^bool { - NSError* error = nil; - CFErrorRef cferror = NULL; - - NSString* newItemUUID = nil; - NSString* oldItemUUID = nil; - - // Now that we're on the db queue, ensure that the given hashes for the items match the hashes as they are now. - // That is, the items haven't changed since the caller knew about the item. - NSData* newItemComputedSHA1 = (NSData*) CFBridgingRelease(CFRetainSafe(SecDbItemGetSHA1(newItem, &cferror))); - if(!newItemComputedSHA1 || cferror || - ![newItemComputedSHA1 isEqual:newItemSHA1]) { - ckksnotice("ckkscurrent", self, "Hash mismatch for new item: %@ vs %@", newItemComputedSHA1, newItemSHA1); - error = [NSError errorWithDomain:CKKSErrorDomain - code:CKKSItemChanged - description:@"New item has changed; hashes mismatch. Refetch and try again."]; - complete(error); - CFReleaseNull(cferror); - return false; - } + // Not being in a CloudKit account is an automatic failure. + // But, wait a good long while for the CloudKit account state to be known (in the case of daemon startup) + [self.accountStateKnown wait:(SecCKKSTestsEnabled() ? 1*NSEC_PER_SEC : 30*NSEC_PER_SEC)]; - newItemUUID = (NSString*) CFBridgingRelease(CFRetainSafe(SecDbItemGetValue(newItem, &v10itemuuid, &cferror))); - if(!newItemUUID || cferror) { - ckkserror("ckkscurrent", self, "Error fetching UUID for new item: %@", cferror); - complete((__bridge NSError*) cferror); - CFReleaseNull(cferror); - return false; - } + if(self.accountStatus != CKKSAccountStatusAvailable) { + NSError* error = [NSError errorWithDomain:CKKSErrorDomain + code:CKKSNotLoggedIn + description:@"User is not signed into iCloud."]; + ckksnotice("ckkscurrent", self, "Rejecting current item pointer set since we don't have an iCloud account."); + complete(error); + return; + } - // We pass this into the change operation. 
If it's nil, that's an indicator that the old item doesn't exist in the keychain anymore - NSData* oldItemComputedSHA1 = nil; - if(oldItem) { - oldItemComputedSHA1 = (NSData*) CFBridgingRelease(CFRetainSafe(SecDbItemGetSHA1(oldItem, &cferror))); - if(!oldItemComputedSHA1 || cferror || - ![oldItemComputedSHA1 isEqual:oldItemSHA1]) { - ckksnotice("ckkscurrent", self, "Hash mismatch for old item: %@ vs %@", oldItemComputedSHA1, oldItemSHA1); - error = [NSError errorWithDomain:CKKSErrorDomain - code:CKKSItemChanged - description:@"Old item has changed; hashes mismatch. Refetch and try again."]; - complete(error); - CFReleaseNull(cferror); - return false; - } + ckksnotice("ckkscurrent", self, "Starting change current pointer operation for %@-%@", accessGroup, identifier); + CKKSUpdateCurrentItemPointerOperation* ucipo = [[CKKSUpdateCurrentItemPointerOperation alloc] initWithCKKSKeychainView:self + newItem:newItemPersistentRef + hash:newItemSHA1 + accessGroup:accessGroup + identifier:identifier + replacing:oldCurrentItemPersistentRef + hash:oldItemSHA1 + ckoperationGroup:[CKOperationGroup CKKSGroupWithName:@"currentitem-api"]]; - oldItemUUID = (NSString*) CFBridgingRelease(CFRetainSafe(SecDbItemGetValue(oldItem, &v10itemuuid, &cferror))); - if(!oldItemUUID || cferror) { - ckkserror("ckkscurrent", self, "Error fetching UUID for old item: %@", cferror); - complete((__bridge NSError*) cferror); - CFReleaseNull(cferror); - return false; - } - } + __weak __typeof(self) weakSelf = self; + CKKSResultOperation* returnCallback = [CKKSResultOperation operationWithBlock:^{ + __strong __typeof(self) strongSelf = weakSelf; - // Not being in a CloudKit account is an automatic failure. 
- if(self.accountStatus != CKKSAccountStatusAvailable) { - ckksnotice("ckkscurrent", self, "Rejecting current item pointer set since we don't have an iCloud account."); - error = [NSError errorWithDomain:CKKSErrorDomain - code:CKKSNotLoggedIn - description:@"User is not signed into iCloud."]; - complete(error); - return false; + if(ucipo.error) { + ckkserror("ckkscurrent", strongSelf, "Failed setting a current item pointer for %@ with %@", ucipo.currentPointerIdentifier, ucipo.error); + } else { + ckksnotice("ckkscurrent", strongSelf, "Finished setting a current item pointer for %@", ucipo.currentPointerIdentifier); } + complete(ucipo.error); + }]; + returnCallback.name = @"setCurrentItem-return-callback"; + [returnCallback addDependency: ucipo]; + [self scheduleOperation: returnCallback]; - // At this point, we've completed all the checks we need for the SecDbItems. Try to launch this boat! - NSString* currentIdentifier = [NSString stringWithFormat:@"%@-%@", accessGroup, identifier]; - ckksnotice("ckkscurrent", self, "Setting current pointer for %@ to %@ (from %@)", currentIdentifier, newItemUUID, oldItemUUID); - CKKSUpdateCurrentItemPointerOperation* ucipo = [[CKKSUpdateCurrentItemPointerOperation alloc] initWithCKKSKeychainView:self - currentPointer:(NSString*)currentIdentifier - oldItemUUID:(NSString*)oldItemUUID - oldItemHash:oldItemComputedSHA1 - newItemUUID:(NSString*)newItemUUID - ckoperationGroup:[CKOperationGroup CKKSGroupWithName:@"currentitem-api"]]; - CKKSResultOperation* returnCallback = [CKKSResultOperation operationWithBlock:^{ - __strong __typeof(self) strongSelf = weakSelf; - - if(ucipo.error) { - ckkserror("ckkscurrent", strongSelf, "Failed setting a current item pointer for %@ with %@", currentIdentifier, ucipo.error); - } else { - ckksnotice("ckkscurrent", strongSelf, "Finished setting a current item pointer for %@", currentIdentifier); - } - complete(ucipo.error); - }]; - returnCallback.name = @"setCurrentItem-return-callback"; - 
[returnCallback addDependency: ucipo]; - [self scheduleOperation: returnCallback]; - - // Now, schedule ucipo. It modifies the CloudKit zone, so it should insert itself into the list of OutgoingQueueOperations. - // Then, we won't have simultaneous zone-modifying operations. - [ucipo linearDependencies:self.outgoingQueueOperations]; + // Now, schedule ucipo. It modifies the CloudKit zone, so it should insert itself into the list of OutgoingQueueOperations. + // Then, we won't have simultaneous zone-modifying operations. + [ucipo linearDependencies:self.outgoingQueueOperations]; - // If this operation hasn't started within 60 seconds, cancel it and return a "timed out" error. - [ucipo timeout:60*NSEC_PER_SEC]; + // If this operation hasn't started within 60 seconds, cancel it and return a "timed out" error. + [ucipo timeout:60*NSEC_PER_SEC]; - [self scheduleOperation:ucipo]; - return true; - }]; + [self scheduleOperation:ucipo]; return; } @@ -1675,6 +1839,9 @@ } // Not being in a CloudKit account is an automatic failure. + // But, wait a good long while for the CloudKit account state to be known (in the case of daemon startup) + [self.accountStateKnown wait:(SecCKKSTestsEnabled() ? 1*NSEC_PER_SEC : 30*NSEC_PER_SEC)]; + if(self.accountStatus != CKKSAccountStatusAvailable) { ckksnotice("ckkscurrent", self, "Rejecting current item pointer get since we don't have an iCloud account."); complete(NULL, [NSError errorWithDomain:CKKSErrorDomain @@ -1839,8 +2006,6 @@ [op addNullableDependency:self.outgoingQueueOperationScheduler.operationDependency]; [self.outgoingQueueOperationScheduler trigger]; - [op addNullableDependency: self.initialScanOperation]; - [self scheduleOperation: op]; ckksnotice("ckksoutgoing", self, "Scheduled %@", op); return op; 
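Review bot: The result of `[self.accountStateKnown wait:...]` in the setter hunk (`-1560`) is discarded, so if the wait times out with the account state still undetermined, the following check returns `CKKSNotLoggedIn` / "User is not signed into iCloud"; the getter hunk (`-1675`) adds the same wait with the same outcome. Callers then cannot tell "state not known yet" from "signed out", and the calling thread may block for up to 30 seconds; both facts belong in the comment, or the timeout case should get its own error. Separately, the removed block compared the caller's SHA-1 values with the stored items on the database queue before scheduling, while the new code only forwards `newItemSHA1` and `oldItemSHA1`. A comment saying where that comparison happens now (presumably inside `CKKSUpdateCurrentItemPointerOperation`, which is not in this hunk) would make the check easy to find.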
@@ -1893,31 +2058,37 @@ return op; } +- (CKKSScanLocalItemsOperation*)scanLocalItems:(NSString*)operationName { + return [self scanLocalItems:operationName ckoperationGroup:nil after:nil]; +} + +- (CKKSScanLocalItemsOperation*)scanLocalItems:(NSString*)operationName ckoperationGroup:(CKOperationGroup*)operationGroup after:(NSOperation*)after { + CKKSScanLocalItemsOperation* scanOperation = [[CKKSScanLocalItemsOperation alloc] initWithCKKSKeychainView:self ckoperationGroup:operationGroup]; + scanOperation.name = operationName; + + [scanOperation addNullableDependency:self.lastFixupOperation]; + [scanOperation addNullableDependency:self.lockStateTracker.unlockDependency]; + [scanOperation addNullableDependency:self.keyStateReadyDependency]; + [scanOperation addNullableDependency:after]; + + [self scheduleOperation: scanOperation]; + return scanOperation; +} + - (CKKSUpdateDeviceStateOperation*)updateDeviceState:(bool)rateLimit waitForKeyHierarchyInitialization:(uint64_t)timeout ckoperationGroup:(CKOperationGroup*)ckoperationGroup { + __weak __typeof(self) weakSelf = self; // If securityd just started, the key state might be in some transient early state. Wait a bit. CKKSResultOperation* waitForKeyReady = [CKKSResultOperation named:@"device-state-wait" withBlock:^{ __strong __typeof(self) strongSelf = weakSelf; - __block bool wait = timeout > 0; - if(!wait) { - return; - } - - // Determine if we're in an initializing state. Otherwise, don't bother waiting. 
- [strongSelf dispatchSync:^bool { - wait = [strongSelf.keyHierarchyState isEqualToString:SecCKKSZoneKeyStateInitializing] || - [strongSelf.keyHierarchyState isEqualToString:SecCKKSZoneKeyStateInitialized]; - return false; - }]; - - if(wait) { - [strongSelf.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:timeout]; - } - ckksnotice("ckksdevice", strongSelf, "Finished waiting for key hierarchy state, currently %@", strongSelf.keyHierarchyState); + ckksnotice("ckksdevice", strongSelf, "Finished waiting for key hierarchy transient state, currently %@", strongSelf.keyHierarchyState); }]; + + [waitForKeyReady addNullableDependency:self.keyStateNonTransientDependency]; + [waitForKeyReady timeout:timeout]; [self.waitingQueue addOperation:waitForKeyReady]; CKKSUpdateDeviceStateOperation* op = [[CKKSUpdateDeviceStateOperation alloc] initWithCKKSKeychainView:self rateLimit:rateLimit ckoperationGroup:ckoperationGroup]; @@ -2014,8 +2185,16 @@ ckkserror("ckksdevice", self, "No peer ID available"); } + // Reset the last unlock time to 'day' granularity in UTC + NSCalendar* calendar = [NSCalendar calendarWithIdentifier:NSCalendarIdentifierISO8601]; + calendar.timeZone = [NSTimeZone timeZoneWithAbbreviation:@"UTC"]; + NSDate* lastUnlockDay = self.lockStateTracker.lastUnlockTime; + lastUnlockDay = lastUnlockDay ? [calendar startOfDayForDate:lastUnlockDay] : nil; + // We only really want the oldcdse for its encodedCKRecord, so make a new cdse here CKKSDeviceStateEntry* newcdse = [[CKKSDeviceStateEntry alloc] initForDevice:accountTracker.ckdeviceID + osVersion:SecCKKSHostOSVersion() + lastUnlockTime:lastUnlockDay circlePeerID:accountTracker.accountCirclePeerID circleStatus:accountTracker.currentCircleStatus keyState:self.keyHierarchyState 
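Review bot: In `updateDeviceState:waitForKeyHierarchyInitialization:ckoperationGroup:` (hunk `-1893`), the dependency and `[waitForKeyReady timeout:timeout]` are now added unconditionally, while the removed code skipped the wait entirely when `timeout` was 0 (`wait = timeout > 0`). What `timeout:0` does depends on `CKKSResultOperation`, which is not shown here, so a caller passing 0 may get a different result than before. To keep the old contract, guard both lines: `if(timeout > 0) { [waitForKeyReady addNullableDependency:self.keyStateNonTransientDependency]; [waitForKeyReady timeout:timeout]; }`.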
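Review bot: The comment on the `lastUnlockDay` computation (hunk `-2014`) says what is done but not why. The value is stored in the new `CKKSDeviceStateEntry`, so the truncation reads like a deliberate data-minimisation step; if that is the intent, say so, e.g. `// Record only the UTC day of the last unlock, not the exact time, to limit what the device state entry reveals`. It is also worth noting in the comment that `lastUnlockDay` is nil when the tracker has never seen an unlock, since the initializer then receives a nil `lastUnlockTime`.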
@@ -2656,48 +2835,92 @@ if(![proposedTLK wrapsSelf]) { ckkserror("ckksshare", self, "Potential TLK %@ does not wrap self; skipping TLK share checking", proposedTLK); } else { - if(!self.currentSelfPeers.currentSelf || self.currentSelfPeersError) { - ckkserror("ckksshare", self, "Couldn't fetch self peers: %@", self.currentSelfPeersError); - if(error) { - *error = self.currentSelfPeersError; + bool tlkShares = [self _onqueueWithAccountKeysCheckTLKFromShares:proposedTLK error:&localerror]; + // We only want to error out if a positive error occurred. "No shares" is okay. + if(!tlkShares || localerror) { + bool noTrustedTLKShares = [localerror.domain isEqualToString:CKKSErrorDomain] && localerror.code == CKKSNoTrustedTLKShares; + bool noSelfPeer = [localerror.domain isEqualToString:CKKSErrorDomain] && localerror.code == CKKSNoEncryptionKey; + + // If this error was something worse than 'couldn't unwrap for reasons including there not being data', report it + if(!(noTrustedTLKShares || noSelfPeer)) { + if(error) { + *error = localerror; + } + ckkserror("ckksshare", self, "Errored unwrapping TLK with TLKShares: %@", localerror); + return false; + } else { + ckkserror("ckksshare", self, "Non-fatal error unwrapping TLK with TLKShares: %@", localerror); } - return false; } + } - if(!self.currentTrustedPeers || self.currentTrustedPeersError) { - ckkserror("ckksshare", self, "Couldn't fetch trusted peers: %@", self.currentTrustedPeersError); - if(error) { - *error = self.currentTrustedPeersError; + if([proposedTLK loadKeyMaterialFromKeychain:error]) { + // Hurray! 
+ return true; + } else { + return false; + } +} + +// This version only examines if this TLK is recoverable from TLK shares +- (bool)_onqueueWithAccountKeysCheckTLKFromShares:(CKKSKey*)proposedTLK error:(NSError* __autoreleasing *)error { + NSError* localerror = NULL; + if(!self.currentSelfPeers.currentSelf || self.currentSelfPeersError) { + ckkserror("ckksshare", self, "Couldn't fetch self peers: %@", self.currentSelfPeersError); + if(error) { + if([self.lockStateTracker isLockedError:self.currentSelfPeersError]) { + // Locked error should propagate + *error = self.currentSelfPeersError; + } else { + *error = [NSError errorWithDomain:CKKSErrorDomain + code:CKKSNoEncryptionKey + description:@"No current self peer" + underlying:self.currentSelfPeersError]; } - return false; } + return false; + } + + if(!self.currentTrustedPeers || self.currentTrustedPeersError) { + ckkserror("ckksshare", self, "Couldn't fetch trusted peers: %@", self.currentTrustedPeersError); + if(error) { + *error = [NSError errorWithDomain:CKKSErrorDomain + code:CKKSNoPeersAvailable + description:@"No trusted peers" + underlying:self.currentTrustedPeersError]; + } + return false; + } + + NSError* lastShareError = nil; - NSArray* possibleShares = [CKKSTLKShare allFor:self.currentSelfPeers.currentSelf.peerID + for(id selfPeer in self.currentSelfPeers.allSelves) { + NSArray* possibleShares = [CKKSTLKShare allFor:selfPeer.peerID keyUUID:proposedTLK.uuid zoneID:self.zoneID error:&localerror]; if(localerror) { - ckkserror("ckksshare", self, "Error fetching CKKSTLKShares: %@", localerror); + ckkserror("ckksshare", self, "Error fetching CKKSTLKShares for %@: %@", selfPeer, localerror); } if(possibleShares.count == 0) { - ckksnotice("ckksshare", self, "No CKKSTLKShares for %@", proposedTLK); + ckksnotice("ckksshare", self, "No CKKSTLKShares to %@ for %@", selfPeer, proposedTLK); + continue; } for(CKKSTLKShare* possibleShare in possibleShares) { NSError* possibleShareError = nil; - ckksnotice("ckksshare", 
self, "Checking possible TLK share %@ as %@", - possibleShare, self.currentSelfPeers.currentSelf); + ckksnotice("ckksshare", self, "Checking possible TLK share %@ as %@", possibleShare, selfPeer); - CKKSKey* possibleKey = [possibleShare recoverTLK:self.currentSelfPeers.currentSelf + CKKSKey* possibleKey = [possibleShare recoverTLK:selfPeer trustedPeers:self.currentTrustedPeers error:&possibleShareError]; if(possibleShareError) { ckkserror("ckksshare", self, "Unable to unwrap TLKShare(%@) as %@: %@", - possibleShare, self.currentSelfPeers.currentSelf, possibleShareError); + possibleShare, selfPeer, possibleShareError); ckkserror("ckksshare", self, "Current trust set: %@", self.currentTrustedPeers); - // TODO: save error + lastShareError = possibleShareError; continue; } @@ -2705,16 +2928,16 @@ if(possibleShareError) { ckkserror("ckksshare", self, "Unwrapped TLKShare(%@) does not unwrap proposed TLK(%@) as %@: %@", possibleShare, proposedTLK, self.currentSelfPeers.currentSelf, possibleShareError); - // TODO save error + lastShareError = possibleShareError; continue; } if(result) { ckksnotice("ckksshare", self, "TLKShare(%@) unlocked TLK(%@) as %@", - possibleShare, proposedTLK, self.currentSelfPeers.currentSelf); + possibleShare, proposedTLK, selfPeer); // The proposed TLK is trusted key material. Persist it as a "trusted" key. - [proposedTLK saveKeyMaterialToKeychain:true error: &possibleShareError]; + [proposedTLK saveKeyMaterialToKeychain:true error:&possibleShareError]; if(possibleShareError) { ckkserror("ckksshare", self, "Couldn't store the new TLK(%@) to the keychain: %@", proposedTLK, possibleShareError); if(error) { 
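Review bot: In the new `_onqueueWithAccountKeysCheckTLKFromShares:error:` (hunk `-2656`), a failure of `[CKKSTLKShare allFor:keyUUID:zoneID:error:&localerror]` is only logged: `localerror` is neither stored in `lastShareError` nor reset before the next `selfPeer` iteration. A fetch failure therefore ends up as `CKKSNoTrustedTLKShares` with no underlying cause, which the caller in this same hunk treats as non-fatal. A stale `localerror` can also trigger the error log again for a later self peer. Declaring `NSError* fetchError = nil;` inside the loop and doing `lastShareError = fetchError; continue;` in the `if` would at least carry the cause through. The method's tail is in the following hunks.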
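Review bot: The "does not unwrap proposed TLK" log in hunk `-2705` still prints `self.currentSelfPeers.currentSelf`, although the loop now tries every `selfPeer` in `allSelves` and the neighbouring messages were switched to `selfPeer`. When a share is attempted as a non-current self, this line names the wrong identity, which makes a trust failure harder to trace in the logs. Change the arguments to `possibleShare, proposedTLK, selfPeer, possibleShareError);`.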
@@ -2728,21 +2951,13 @@ } } - if([proposedTLK loadKeyMaterialFromKeychain:error]) { - // Hurray! - return true; - } else { - return false; + if(error) { + *error = [NSError errorWithDomain:CKKSErrorDomain + code:CKKSNoTrustedTLKShares + description:[NSString stringWithFormat:@"No trusted TLKShares for %@", proposedTLK] + underlying:lastShareError]; } -} - -- (void) dispatchAsync: (bool (^)(void)) block { - // We need to call kc_with_dbt, which blocks. Route up through a global queue... - __weak __typeof(self) weakSelf = self; - - dispatch_async(dispatch_get_global_queue(QOS_CLASS_DEFAULT, 0), ^{ - [weakSelf dispatchSync:block]; - }); + return false; } - (bool)dispatchSyncWithConnection:(SecDbConnectionRef _Nonnull)dbconn block:(bool (^)(void))block { @@ -2768,6 +2983,10 @@ - (void)dispatchSync: (bool (^)(void)) block { // important enough to block this thread. Must get a connection first, though! + + // Please don't jetsam us... + os_transaction_t transaction = os_transaction_create([[NSString stringWithFormat:@"com.apple.securityd.ckks.%@", self.zoneName] UTF8String]); + CFErrorRef cferror = NULL; kc_with_dbt(true, &cferror, ^bool (SecDbConnectionRef dbt) { return [self dispatchSyncWithConnection:dbt block:block]; @@ -2775,11 +2994,13 @@ if(cferror) { ckkserror("ckks", self, "error getting database connection, major problems ahead: %@", cferror); } + + (void)transaction; } - (void)dispatchSyncWithAccountKeys:(bool (^)(void))block { - [SOSAccount performOnAccountQueue: ^{ + [SOSAccount performOnQuietAccountQueue: ^{ NSError* selfPeersError = nil; CKKSSelves* currentSelfPeers = [self.currentPeerProvider fetchSelfPeers:&selfPeersError]; 
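Review bot: In `dispatchSync:` (hunks `-2768` and `-2775`), the `os_transaction_t transaction` is kept alive only by the trailing `(void)transaction;`. Under ARC, which the `__weak`/`__strong` use in this file suggests, a local's lifetime is not guaranteed to reach the end of scope and a discarded read is a weak anchor. The documented way to pin it is `os_transaction_t transaction __attribute__((objc_precise_lifetime)) = os_transaction_create(...);`. The "Please don't jetsam us..." comment should also say that the transaction must outlive the `kc_with_dbt` call, so a later cleanup does not remove the variable as unused.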
@@ -2817,18 +3038,33 @@ [self fetchAndProcessCKChanges:CKKSFetchBecauseAPNS]; } +- (void)superHandleCKLogin { + [super handleCKLogin]; +} + - (void)handleCKLogin { ckksnotice("ckks", self, "received a notification of CK login"); + if(!SecCKKSIsEnabled()) { + ckksnotice("ckks", self, "Skipping CloudKit initialization due to disabled CKKS"); + return; + } __weak __typeof(self) weakSelf = self; CKKSResultOperation* login = [CKKSResultOperation named:@"ckks-login" withBlock:^{ __strong __typeof(self) strongSelf = weakSelf; - [strongSelf dispatchSync:^bool{ - strongSelf.accountStatus = CKKSAccountStatusAvailable; - [strongSelf _onqueueHandleCKLogin]; + [strongSelf dispatchSyncWithAccountKeys:^bool{ + [strongSelf superHandleCKLogin]; + + // Reset key hierarchy state machine to initializing + [strongSelf _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateInitializing withError:nil]; return true; }]; + + // Change our condition variables to reflect that we think we're logged in + strongSelf.loggedOut = [[CKKSCondition alloc] initToChain:strongSelf.loggedOut]; + [strongSelf.loggedIn fulfill]; + [strongSelf.accountStateKnown fulfill]; }]; [self scheduleAccountStatusOperation:login]; @@ -2855,15 +3091,18 @@ ckkserror("ckks", strongSelf, "error while resetting local data: %@", error); } + [self _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateLoggedOut withError:nil]; + + strongSelf.loggedIn = [[CKKSCondition alloc] initToChain: strongSelf.loggedIn]; + [strongSelf.loggedOut fulfill]; + [strongSelf.accountStateKnown fulfill]; + // Tell all pending sync clients that we don't expect to ever sync for(NSString* callbackUUID in strongSelf.pendingSyncCallbacks.allKeys) { [strongSelf callSyncCallbackWithErrorNoAccount:strongSelf.pendingSyncCallbacks[callbackUUID]]; strongSelf.pendingSyncCallbacks[callbackUUID] = nil; } - strongSelf.loggedIn = [[CKKSCondition alloc] initToChain: strongSelf.loggedIn]; - [strongSelf.loggedOut fulfill]; - return true; }]; }]; 
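Review bot: In the logout hunk (`-2855`), the added `[self _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateLoggedOut withError:nil];` uses `self` inside a block whose other statements all go through `strongSelf`. That captures `self` strongly and defeats the weak-reference pattern the block otherwise follows; use `[strongSelf _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateLoggedOut withError:nil];`. The start of the block, including whether `strongSelf` is nil-checked, is outside the hunk.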
@@ -2901,7 +3140,6 @@ if(isChangeTokenExpiredError) { ckkserror("ckks", self, "Received notice that our change token is out of date. Resetting local data..."); - [self cancelAllOperations]; CKKSResultOperation* resetOp = [self resetLocalData]; CKKSResultOperation* resetHandler = [CKKSResultOperation named:@"local-reset-handler" withBlock:^{ __strong __typeof(self) strongSelf = weakSelf; @@ -2911,10 +3149,9 @@ } if(resetOp.error) { - ckksnotice("ckks", strongSelf, "CloudKit-inspired local reset of %@ ended with error: %@", strongSelf.zoneID, error); + ckksnotice("ckksreset", strongSelf, "CloudKit-inspired local reset of %@ ended with error: %@", strongSelf.zoneID, error); } else { - ckksnotice("ckksreset", strongSelf, "re-initializing zone %@", strongSelf.zoneID); - [self.initializeScheduler trigger]; + ckksnotice("ckksreset", strongSelf, "CloudKit-inspired local reset of %@ ended successfully", strongSelf.zoneID); } }]; @@ -2936,9 +3173,8 @@ } if(isDeletedZoneError) { - ckkserror("ckks", self, "Received notice that our zone does not exist. Resetting all data."); - [self cancelAllOperations]; - CKKSResultOperation* resetOp = [self resetCloudKitZone]; + ckkserror("ckks", self, "Received notice that our zone does not exist. Resetting local data."); + CKKSResultOperation* resetOp = [self resetLocalData]; CKKSResultOperation* resetHandler = [CKKSResultOperation named:@"reset-handler" withBlock:^{ __strong __typeof(self) strongSelf = weakSelf; if(!strongSelf) { @@ -2947,7 +3183,9 @@ } if(resetOp.error) { - ckksnotice("ckksreset", strongSelf, "CloudKit-inspired zone reset of %@ ended with error: %@", strongSelf.zoneID, resetOp.error); + ckksnotice("ckksreset", strongSelf, "CloudKit-inspired local reset of %@ ended with error: %@", strongSelf.zoneID, resetOp.error); + } else { + ckksnotice("ckksreset", strongSelf, "CloudKit-inspired local reset of %@ ended successfully", strongSelf.zoneID); } }]; 
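Review bot: In the change-token-expired handler (hunk `-2911`), the failure branch tests `resetOp.error` but the log statement passes `error`, so the message does not show why the local reset failed. The commit changes only the log scope on that line. The deleted-zone handler in hunk `-2947` logs `resetOp.error`, and this one should match: `ckksnotice("ckksreset", strongSelf, "CloudKit-inspired local reset of %@ ended with error: %@", strongSelf.zoneID, resetOp.error);`. The declaration of `error` is outside the hunk; it appears to be the incoming CloudKit error.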
@@ -3004,24 +3242,33 @@ } } +- (void)cancelPendingOperations { + @synchronized(self.outgoingQueueOperations) { + for(NSOperation* op in self.outgoingQueueOperations) { + [op cancel]; + } + [self.outgoingQueueOperations removeAllObjects]; + } + + @synchronized(self.incomingQueueOperations) { + for(NSOperation* op in self.incomingQueueOperations) { + [op cancel]; + } + [self.incomingQueueOperations removeAllObjects]; + } + + [super cancelAllOperations]; +} + - (void)cancelAllOperations { [self.zoneSetupOperation cancel]; [self.keyStateMachineOperation cancel]; [self.keyStateReadyDependency cancel]; + [self.keyStateNonTransientDependency cancel]; [self.zoneChangeFetcher cancel]; [self.notifyViewChangedScheduler cancel]; - for(NSOperation* op in self.outgoingQueueOperations) { - [op cancel]; - } - [self.outgoingQueueOperations removeAllObjects]; - - for(NSOperation* op in self.incomingQueueOperations) { - [op cancel]; - } - [self.incomingQueueOperations removeAllObjects]; - - [super cancelAllOperations]; + [self cancelPendingOperations]; [self dispatchSync:^bool{ [self _onqueueAdvanceKeyStateMachineToState: SecCKKSZoneKeyStateCancelled withError: nil]; @@ -3044,10 +3291,11 @@ CKKSManifest* manifest = [CKKSManifest latestTrustedManifestForZone:self.zoneName error:&error]; [self dispatchSync: ^bool { - NSString* uuidTLK = [CKKSKey currentKeyForClass:SecCKKSKeyClassTLK zoneID:self.zoneID error:&error].uuid; - NSString* uuidClassA = [CKKSKey currentKeyForClass:SecCKKSKeyClassA zoneID:self.zoneID error:&error].uuid; - NSString* uuidClassC = [CKKSKey currentKeyForClass:SecCKKSKeyClassC zoneID:self.zoneID error:&error].uuid; - + CKKSCurrentKeySet* keyset = [[CKKSCurrentKeySet alloc] initForZone:self.zoneID]; + if(keyset.error) { + error = keyset.error; + } + NSString* manifestGeneration = manifest ? [NSString stringWithFormat:@"%lu", (unsigned long)manifest.generationCount] : nil; if(error) { 
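Review bot: The new `cancelPendingOperations` (hunk `-3004`) has no comment distinguishing it from `cancelAllOperations`, and it introduces `@synchronized` on the two operation tables without saying what the lock protects. A short header such as `// Cancels queued incoming/outgoing operations but leaves zone setup, the key state machine and the fetcher running` would document the split. The `@synchronized(self.outgoingQueueOperations)` blocks only help if every other reader and writer of those tables takes the same lock, which cannot be confirmed from this hunk, so the comment should state that requirement.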
@@ -3063,7 +3311,7 @@ [mutDeviceStates addObject: [obj description]]; }]; - NSArray* tlkShares = [CKKSTLKShare allForUUID:uuidTLK zoneID:self.zoneID error:&error]; + NSArray* tlkShares = [CKKSTLKShare allForUUID:keyset.currentTLKPointer.currentKeyUUID zoneID:self.zoneID error:&error]; NSMutableArray* mutTLKShares = [[NSMutableArray alloc] init]; [tlkShares enumerateObjectsUsingBlock:^(id _Nonnull obj, NSUInteger idx, BOOL * _Nonnull stop) { [mutTLKShares addObject: [obj description]]; @@ -3079,7 +3327,6 @@ @"lockstatetracker": stringify(self.lockStateTracker), @"accounttracker": stringify(self.accountTracker), @"fetcher": stringify(self.zoneChangeFetcher), - @"setup": boolstr([self.viewSetupOperation isFinished]), @"zoneCreated": boolstr(self.zoneCreated), @"zoneCreatedError": stringify(self.zoneCreatedError), @"zoneSubscribed": boolstr(self.zoneSubscribed), 
@@ -3088,20 +3335,22 @@ @"keystate": CKKSNilToNSNull(self.keyHierarchyState), @"keyStateError": stringify(self.keyHierarchyError), @"statusError": stringify(error), - @"oqe": CKKSNilToNSNull([CKKSOutgoingQueueEntry countsByState:self.zoneID error:&error]), - @"iqe": CKKSNilToNSNull([CKKSIncomingQueueEntry countsByState:self.zoneID error:&error]), + @"oqe": CKKSNilToNSNull([CKKSOutgoingQueueEntry countsByStateInZone:self.zoneID error:&error]), + @"iqe": CKKSNilToNSNull([CKKSIncomingQueueEntry countsByStateInZone:self.zoneID error:&error]), @"ckmirror": CKKSNilToNSNull([CKKSMirrorEntry countsByParentKey:self.zoneID error:&error]), @"devicestates": CKKSNilToNSNull(mutDeviceStates), @"tlkshares": CKKSNilToNSNull(mutTLKShares), @"keys": CKKSNilToNSNull([CKKSKey countsByClass:self.zoneID error:&error]), - @"currentTLK": CKKSNilToNSNull(uuidTLK), - @"currentClassA": CKKSNilToNSNull(uuidClassA), - @"currentClassC": CKKSNilToNSNull(uuidClassC), + @"currentTLK": CKKSNilToNSNull(keyset.tlk.uuid), + @"currentClassA": CKKSNilToNSNull(keyset.classA.uuid), + @"currentClassC": CKKSNilToNSNull(keyset.classC.uuid), + @"currentTLKPtr": CKKSNilToNSNull(keyset.currentTLKPointer.currentKeyUUID), + @"currentClassAPtr": CKKSNilToNSNull(keyset.currentClassAPointer.currentKeyUUID), + @"currentClassCPtr": CKKSNilToNSNull(keyset.currentClassCPointer.currentKeyUUID), @"currentManifestGen": CKKSNilToNSNull(manifestGeneration), @"zoneSetupOperation": stringify(self.zoneSetupOperation), - @"viewSetupOperation": stringify(self.viewSetupOperation), @"keyStateOperation": stringify(self.keyStateMachineOperation), @"lastIncomingQueueOperation": stringify(self.lastIncomingQueueOperation), @"lastNewTLKOperation": stringify(self.lastNewTLKOperation), diff --git a/keychain/ckks/CKKSLocalSynchronizeOperation.m b/keychain/ckks/CKKSLocalSynchronizeOperation.m index 5d14ba1c..88cc6a98 100644 --- a/keychain/ckks/CKKSLocalSynchronizeOperation.m +++ b/keychain/ckks/CKKSLocalSynchronizeOperation.m 
@@ -27,6 +27,7 @@ #import "keychain/ckks/CKKSFetchAllRecordZoneChangesOperation.h" #import "keychain/ckks/CKKSScanLocalItemsOperation.h" #import "keychain/ckks/CKKSMirrorEntry.h" +#import "keychain/ckks/CKKSIncomingQueueEntry.h" #import "keychain/ckks/CloudKitCategories.h" #if OCTAGON @@ -123,7 +124,13 @@ return; } - if(scan.recordsFound > 0) { + NSError* error = nil; + NSArray* iqes = [CKKSIncomingQueueEntry allUUIDs:ckks.zoneID error:&error]; + if(error) { + ckkserror("ckksresync", ckks, "Couldn't fetch IQEs: %@", error); + } + + if(scan.recordsFound > 0 || iqes.count > 0) { if(strongSelf.restartCount >= 3) { // we've restarted too many times. Fail and stop. ckkserror("ckksresync", ckks, "restarted synchronization too often; Failing"); diff --git a/keychain/ckks/CKKSLockStateTracker.h b/keychain/ckks/CKKSLockStateTracker.h index 0780a2a7..502ac6f6 100644 --- a/keychain/ckks/CKKSLockStateTracker.h +++ b/keychain/ckks/CKKSLockStateTracker.h @@ -25,8 +25,17 @@ #import +@protocol CKKSLockStateNotification +- (void)lockStateChangeNotification:(bool)unlocked; +@end + +NS_ASSUME_NONNULL_BEGIN + @interface CKKSLockStateTracker : NSObject -@property NSOperation* unlockDependency; +@property (nullable) NSOperation* unlockDependency; +@property (readonly) bool isLocked; + +@property (readonly,nullable) NSDate* lastUnlockTime; - (instancetype)init; @@ -36,8 +45,11 @@ // Check if this error code is related to keybag is locked and we should retry later - (bool)isLockedError:(NSError*)error; +-(void)addLockStateObserver:(id)object; + // Ask AKS if the user's keybag is locked + (bool)queryAKSLocked; @end +NS_ASSUME_NONNULL_END #endif // OCTAGON diff --git a/keychain/ckks/CKKSLockStateTracker.m b/keychain/ckks/CKKSLockStateTracker.m index 49680e8d..a0e5b828 100644 --- a/keychain/ckks/CKKSLockStateTracker.m +++ b/keychain/ckks/CKKSLockStateTracker.m 
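Review bot: In the `CKKSLocalSynchronizeOperation.m` hunk (`-123`), a failure of `[CKKSIncomingQueueEntry allUUIDs:ckks.zoneID error:&error]` is logged and then ignored: `iqes` is nil, `iqes.count` is 0, and a read failure looks exactly like an empty incoming queue. The operation can then conclude that the resync is complete while entries are still pending. Treat the failure as "not done", e.g. `if(scan.recordsFound > 0 || iqes.count > 0 || error) {`, or set the operation's error and return. The rest of the block is outside the hunk.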
@@ -28,13 +28,18 @@ #include #import "keychain/ckks/CKKS.h" +#import "keychain/ckks/CKKSResultOperation.h" #import "keychain/ckks/CKKSGroupOperation.h" #import "keychain/ckks/CKKSLockStateTracker.h" @interface CKKSLockStateTracker () -@property bool isLocked; +@property (readwrite) bool isLocked; @property dispatch_queue_t queue; @property NSOperationQueue* operationQueue; +@property NSHashTable> *observers; + +@property (nullable) NSDate* lastUnlockedTime; + @end @implementation CKKSLockStateTracker @@ -45,6 +50,7 @@ _operationQueue = [[NSOperationQueue alloc] init]; _isLocked = true; + _observers = [NSHashTable weakObjectsHashTable]; [self resetUnlockDependency]; __weak __typeof(self) weakSelf = self; @@ -64,16 +70,33 @@ return self; } +- (NSDate*)lastUnlockTime { + // If unlocked, the last unlock time is now. Otherwise, used the cached value. + __block NSDate* date = nil; + dispatch_sync(self.queue, ^{ + if(self.isLocked) { + date = self.lastUnlockedTime; + } else { + date = [NSDate date]; + self.lastUnlockedTime = date; + } + }); + return date; +} + -(NSString*)description { - return [NSString stringWithFormat: @"", self.isLocked ? @"locked" : @"unlocked"]; + return [NSString stringWithFormat: @"", + self.isLocked ? @"locked" : @"unlocked", + self.isLocked ? self.lastUnlockedTime : @"now"]; } -(void)resetUnlockDependency { if(self.unlockDependency == nil || ![self.unlockDependency isPending]) { - self.unlockDependency = [NSBlockOperation blockOperationWithBlock: ^{ + CKKSResultOperation* op = [CKKSResultOperation named:@"keybag-unlocked-dependency" withBlock: ^{ secinfo("ckks", "Keybag unlocked"); }]; - self.unlockDependency.name = @"keybag-unlocked-dependency"; + op.descriptionErrorCode = CKKSResultDescriptionPendingUnlock; + self.unlockDependency = op; } } 
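Review bot: The new `-lastUnlockTime` getter (hunk `-64`) guards `lastUnlockedTime` with `dispatch_sync(self.queue, ...)`, but the updated `-description` in the same hunk reads `self.isLocked` twice and `self.lastUnlockedTime` without the queue, so the two halves of the string can disagree. The getter also writes state (`self.lastUnlockedTime = date`) and will deadlock if it is ever called from code already running on `self.queue`. Add a comment on the getter, e.g. `// Updates the cached time as a side effect; must not be called on self.queue`. The near-identical names `lastUnlockTime` (public) and `lastUnlockedTime` (private storage) are easy to mix up, and a line explaining the split would help.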
@@ -92,16 +115,33 @@ -(void)_onqueueRecheck { dispatch_assert_queue(self.queue); + static bool first = true; bool wasLocked = self.isLocked; self.isLocked = [CKKSLockStateTracker queryAKSLocked]; - if(wasLocked != self.isLocked) { + if(wasLocked != self.isLocked || first) { + first = false; if(self.isLocked) { // We're locked now. [self resetUnlockDependency]; + + if(wasLocked) { + self.lastUnlockedTime = [NSDate date]; + } } else { [self.operationQueue addOperation: self.unlockDependency]; self.unlockDependency = nil; + self.lastUnlockedTime = [NSDate date]; + } + + bool isUnlocked = (self.isLocked == false); + for (id observer in _observers) { + __strong typeof(observer) strongObserver = observer; + if (strongObserver == NULL) + return; + dispatch_async(dispatch_get_global_queue(QOS_CLASS_DEFAULT, 0), ^{ + [strongObserver lockStateChangeNotification:isUnlocked]; + }); } } } @@ -117,6 +157,17 @@ && error.code == errSecInteractionNotAllowed; } +-(void)addLockStateObserver:(id)object +{ + dispatch_async(self.queue, ^{ + [self->_observers addObject:object]; + bool isUnlocked = (self.isLocked == false); + dispatch_async(dispatch_get_global_queue(QOS_CLASS_DEFAULT, 0), ^{ + [object lockStateChangeNotification:isUnlocked]; + }); + }); +} + @end diff --git a/keychain/ckks/CKKSLogger.h b/keychain/ckks/CKKSLogger.h deleted file mode 100644 index a3b8b673..00000000 --- a/keychain/ckks/CKKSLogger.h +++ /dev/null 
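Review bot: In the observer loop added to `_onqueueRecheck` (hunk `-92`), `if (strongObserver == NULL) return;` leaves the whole method when one observer is gone, so every observer after it misses the lock-state notification; it should be `continue;`. Two further points in the same hunk deserve a check. `static bool first` is shared by every `CKKSLockStateTracker` instance, so only the first instance to run gets the forced initial pass. `if(wasLocked) { self.lastUnlockedTime = [NSDate date]; }` inside the now-locked branch stamps "now" when the device was locked before and is still locked, which looks inverted relative to the unlocked-to-locked transition.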
@@ -1,64 +0,0 @@ -/* - * Copyright (c) 2017 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#import - -#if __OBJC2__ - -@interface SFAnalyticsLogger : NSObject - -+ (instancetype)logger; - -- (void)logSuccessForEventNamed:(NSString*)eventName; -- (void)logHardFailureForEventNamed:(NSString*)eventName withAttributes:(NSDictionary*)attributes; -- (void)logSoftFailureForEventNamed:(NSString*)eventName withAttributes:(NSDictionary*)attributes; - -- (void)noteEventNamed:(NSString*)eventName; - -// -------------------------------- -// Things below are for subclasses - -// Override to create a concrete logger instance -@property (readonly, class) NSString* databasePath; - -// Storing dates -- (void)setDateProperty:(NSDate*)date forKey:(NSString*)key; -- (NSDate*)datePropertyForKey:(NSString*)key; -- (NSArray*)datePropertyKeysToUploadToServer; - -- (NSData*)getLoggingJSONWithError:(NSError**)error; -- (BOOL)forceUploadWithError:(NSError**)error; - -// -------------------------------- -// Things below are for unit testing - -@property (readonly) dispatch_queue_t 
splunkLoggingQueue; -@property (readonly) NSURL* splunkUploadURL; -@property (readonly) NSString* splunkTopicName; -@property (readonly) NSURL* splunkBagURL; -@property (readonly) BOOL allowsInsecureSplunkCert; -@property BOOL ignoreServerDisablingMessages; - -@end - -#endif diff --git a/keychain/ckks/CKKSLogger.m b/keychain/ckks/CKKSLogger.m deleted file mode 100644 index 5cc74413..00000000 --- a/keychain/ckks/CKKSLogger.m +++ /dev/null 
@@ -1,706 +0,0 @@ -/* - * Copyright (c) 2017 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#if OCTAGON - -#import "CKKSLogger.h" -#import "debugging.h" -#import "CKKS.h" -#import "CKKSViewManager.h" -#import "keychain/ckks/CKKSKeychainView.h" -#include -#import -#import - -NSString* const CKKSLoggerTableSuccessCount = @"success_count"; -NSString* const CKKSLoggerColumnEventType = @"event_type"; -NSString* const CKKSLoggerColumnSuccessCount = @"success_count"; -NSString* const CKKSLoggerColumnFailureCount = @"failure_count"; - -NSString* const CKKSLoggerTableFailures = @"failures"; -NSString* const CKKSLoggerColumnData = @"data"; - -NSString* const CKKSLoggerUploadDate = @"upload_date"; -NSString* const CKKSLoggerLastClassASync = @"last_class_a_sync"; -NSString* const CKKSLoggerLastClassCSync = @"last_class_c_sync"; - -NSString* const CKKSLoggerDaysSinceLastSyncClassA = @"lastSyncClassA"; -NSString* const CKKSLoggerDaysSinceLastSyncClassC = @"lastSyncClassC"; - -NSString* const CKKSLoggerSplunkTopic = @"topic"; -NSString* const CKKSLoggerSplunkEventTime = 
@"eventTime"; -NSString* const CKKSLoggerSplunkPostTime = @"postTime"; -NSString* const CKKSLoggerSplunkEvents = @"events"; -NSString* const CKKSLoggerSplunkEventType = @"eventType"; -NSString* const CKKSLoggerMetricsBase = @"metricsBase"; - -NSString* const CKKSLoggerValueSuccess = @"success"; - -#define CKKS_SPLUNK_DEV 0 - -#if CKKS_SPLUNK_DEV -#define SECONDS_BETWEEN_UPLOADS 10 -#else -// three days = 60 seconds times 60 minutes * 72 hours -#define SECONDS_BETWEEN_UPLOADS (60 * 60 * 72) -#endif - -NSString* const CKKSLoggingTableSchema = @"CREATE TABLE IF NOT EXISTS failures (\n" - @"id INTEGER PRIMARY KEY AUTOINCREMENT,\n" - @"data BLOB\n" - @");\n" - @"CREATE TRIGGER IF NOT EXISTS maintain_ring_buffer AFTER INSERT ON failures\n" - @"BEGIN\n" - @"DELETE FROM failures WHERE id != NEW.id AND id % 999 = NEW.id % 999;\n" - @"END;\n" - @"CREATE TABLE IF NOT EXISTS success_count (\n" - @"event_type STRING PRIMARY KEY,\n" - @"success_count INTEGER,\n" - @"failure_count INTEGER\n" - @");\n"; - -static NSString* CKKSLoggingTablePath() -{ - return [(__bridge_transfer NSURL*)SecCopyURLForFileInKeychainDirectory((__bridge CFStringRef)@"ckks_analytics_v1.db") path]; -} - -@interface CKKSLoggerSQLiteStore : SFSQLite - -+ (instancetype)sharedStore; - -@property (readonly, strong) NSArray* failureRecords; -@property (readwrite, strong) NSDate* uploadDate; - -- (void)incrementSuccessCountForEventType:(NSString*)eventType; -- (void)incrementFailureCountForEventType:(NSString*)eventType; -- (NSInteger)successCountForEventType:(NSString*)eventType; -- (NSInteger)failureCountForEventType:(NSString*)eventType; -- (void)addFailureRecord:(NSDictionary*)valueDict; -- (void)clearAllData; - -- (NSDictionary*)summaryCounts; - -@end - -@implementation CKKSLogger { - NSURL* _splunkUploadURL; - NSString* _splunkTopicName; - NSURL* _splunkBagURL; - dispatch_queue_t _queue; - NSInteger _secondsBetweenUploads; - NSDictionary* _metricsBase; // data the server provides and wants us to send back - 
NSArray* _blacklistedFields; - NSArray* _blacklistedEvents; - - unsigned int _allowInsecureSplunkCert:1; - unsigned int _disableLogging:1; - unsigned int _disableUploads:1; - unsigned int _ignoreServersMessagesTellingUsToGoAway:1; -} - -@synthesize splunkUploadURL = _splunkUploadURL; -@synthesize splunkBagURL = _splunkBagURL; -@synthesize splunkTopicName = _splunkTopicName; -@synthesize splunkLoggingQueue = _queue; - -+ (instancetype)logger -{ -#if TARGET_OS_SIMULATOR - return nil; -#endif - static CKKSLogger* __sharedLogger; - static dispatch_once_t onceToken; - dispatch_once(&onceToken, ^{ - __sharedLogger = [[CKKSLogger alloc] init]; - }); - - return __sharedLogger; -} - -- (instancetype)init -{ - if (self = [super init]) { - _queue = dispatch_queue_create("com.apple.security.ckks.logging", DISPATCH_QUEUE_SERIAL_WITH_AUTORELEASE_POOL); - _secondsBetweenUploads = SECONDS_BETWEEN_UPLOADS; - - NSDictionary* systemDefaultValues = [NSDictionary dictionaryWithContentsOfFile:[[NSBundle bundleWithPath:@"/System/Library/Frameworks/Security.framework"] pathForResource:@"CKKSLogging" ofType:@"plist"]]; - _splunkTopicName = systemDefaultValues[@"splunk_topic"]; - _splunkUploadURL = [NSURL URLWithString:systemDefaultValues[@"splunk_uploadURL"]]; - _splunkBagURL = [NSURL URLWithString:systemDefaultValues[@"splunk_bagURL"]]; - _allowInsecureSplunkCert = [[systemDefaultValues valueForKey:@"splunk_allowInsecureCertificate"] boolValue]; - NSString* splunkEndpoint = systemDefaultValues[@"splunk_endpointDomain"]; - - NSUserDefaults* defaults = [[NSUserDefaults alloc] initWithSuiteName:SecCKKSUserDefaultsSuite]; - NSString* userDefaultsSplunkTopic = [defaults stringForKey:@"splunk_topic"]; - if (userDefaultsSplunkTopic) { - _splunkTopicName = userDefaultsSplunkTopic; - } - - NSURL* userDefaultsSplunkUploadURL = [NSURL URLWithString:[defaults stringForKey:@"splunk_uploadURL"]]; - if (userDefaultsSplunkUploadURL) { - _splunkUploadURL = userDefaultsSplunkUploadURL; - } - - NSURL* 
userDefaultsSplunkBagURL = [NSURL URLWithString:[defaults stringForKey:@"splunk_bagURL"]]; - if (userDefaultsSplunkUploadURL) { - _splunkBagURL = userDefaultsSplunkBagURL; - } - - BOOL userDefaultsAllowInsecureSplunkCert = [defaults boolForKey:@"splunk_allowInsecureCertificate"]; - _allowInsecureSplunkCert |= userDefaultsAllowInsecureSplunkCert; - - NSString* userDefaultsSplunkEndpoint = [defaults stringForKey:@"splunk_endpointDomain"]; - if (userDefaultsSplunkEndpoint) { - splunkEndpoint = userDefaultsSplunkEndpoint; - } - -#if CKKS_SPLUNK_DEV - _ignoreServersMessagesTellingUsToGoAway = YES; - - if (!_splunkUploadURL && splunkEndpoint) { - NSString* urlString = [NSString stringWithFormat:@"https://%@/report/2/%@", splunkEndpoint, _splunkTopicName]; - _splunkUploadURL = [NSURL URLWithString:urlString]; - } -#else - (void)splunkEndpoint; -#endif - } - - return self; -} - -- (void)setLastSuccessfulClassASyncDate:(NSDate*)lastSuccessfulClassASyncDate -{ - dispatch_sync(_queue, ^{ - [[CKKSLoggerSQLiteStore sharedStore] setDateProperty:lastSuccessfulClassASyncDate forKey:CKKSLoggerLastClassASync]; - }); -} - -- (NSDate*)lastSuccessfulClassASyncDate -{ - __block NSDate* result = nil; - dispatch_sync(_queue, ^{ - result = [self _onQueueLastSuccessfulClassASyncDate]; - }); - - return result; -} - -- (NSDate*)_onQueueLastSuccessfulClassASyncDate -{ - dispatch_assert_queue(_queue); - return [[CKKSLoggerSQLiteStore sharedStore] datePropertyForKey:CKKSLoggerLastClassASync] ?: [NSDate distantPast]; -} - -- (void)setLastSuccessfulClassCSyncDate:(NSDate*)lastSuccessfulClassCSyncDate -{ - dispatch_sync(_queue, ^{ - [[CKKSLoggerSQLiteStore sharedStore] setDateProperty:lastSuccessfulClassCSyncDate forKey:CKKSLoggerLastClassCSync]; - }); -} - -- (NSDate*)lastSuccessfulClassCSyncDate -{ - __block NSDate* result = nil; - dispatch_sync(_queue, ^{ - result = [self _onQueueLastSuccessfulClassCSyncDate]; - }); - - return result; -} - -- (NSDate*)_onQueueLastSuccessfulClassCSyncDate -{ - 
dispatch_assert_queue(_queue); - return [[CKKSLoggerSQLiteStore sharedStore] datePropertyForKey:CKKSLoggerLastClassCSync] ?: [NSDate distantPast]; -} - -- (void)logSuccessForEventNamed:(NSString*)eventName -{ - [self logEventNamed:eventName value:nil isSuccess:YES]; -} - -- (void)logFailureForEventNamed:(NSString*)eventName withAttributes:(NSDictionary*)attributes -{ - [self logEventNamed:eventName value:attributes isSuccess:NO]; -} - -- (void)logEventNamed:(NSString*)eventName value:(NSDictionary*)valueDict isSuccess:(BOOL)isSuccess -{ - __weak __typeof(self) weakSelf = self; - dispatch_async(_queue, ^{ - - __strong __typeof(self) strongSelf = weakSelf; - if (!strongSelf) { - return; - } - - if (strongSelf->_disableLogging || [strongSelf->_blacklistedEvents containsObject:eventName]) { - return; - } - - CKKSLoggerSQLiteStore* store = [CKKSLoggerSQLiteStore sharedStore]; - if (isSuccess) { - [store incrementSuccessCountForEventType:eventName]; - } - else { - [store incrementFailureCountForEventType:eventName]; - NSMutableDictionary* eventDict = valueDict.mutableCopy; - eventDict[CKKSLoggerSplunkTopic] = strongSelf->_splunkTopicName; - eventDict[CKKSLoggerSplunkEventType] = eventName; - eventDict[CKKSLoggerSplunkEventTime] = @([[NSDate date] timeIntervalSince1970] * 1000); - eventDict[CKKSLoggerMetricsBase] = strongSelf->_metricsBase ?: [NSDictionary dictionary]; - - for (NSString* blacklistedField in strongSelf->_blacklistedFields) { - [eventDict removeObjectForKey:blacklistedField]; - } - - [store addFailureRecord:eventDict]; - } - - NSDate* uploadDate = store.uploadDate; - NSDate* nowDate = [NSDate date]; - if (uploadDate) { - if ([nowDate compare:uploadDate] == NSOrderedDescending) { - [self _onQueueUploadDataWithError:nil]; - } - } - else { - store.uploadDate = [nowDate dateByAddingTimeInterval:strongSelf->_secondsBetweenUploads]; - } - }); -} - -// this method is kind of evil for the fact that it has side-effects in pulling other things besides the metricsURL 
from the server, and as such should NOT be memoized. -// TODO redo this, probably to return a dictionary. -- (NSURL*)splunkUploadURL -{ - dispatch_assert_queue(_queue); - - if (_splunkUploadURL) { - return _splunkUploadURL; - } - - __weak __typeof(self) weakSelf = self; - dispatch_semaphore_t sem = dispatch_semaphore_create(0); - - __block NSError* error = nil; - NSURLSessionConfiguration *defaultConfiguration = [NSURLSessionConfiguration ephemeralSessionConfiguration]; - NSURLSession* storeBagSession = [NSURLSession sessionWithConfiguration:defaultConfiguration - delegate:self - delegateQueue:nil]; - - NSURL* requestEndpoint = _splunkBagURL; - __block NSURL* result = nil; - NSURLSessionDataTask* storeBagTask = [storeBagSession dataTaskWithURL:requestEndpoint completionHandler:^(NSData * _Nullable data, - NSURLResponse * _Nullable __unused response, - NSError * _Nullable responseError) { - - __strong __typeof(self) strongSelf = weakSelf; - if (!strongSelf) { - return; - } - - if (data && !responseError) { - NSData *responseData = data; // shut up compiler - NSDictionary* responseDict = [NSJSONSerialization JSONObjectWithData:responseData options:0 error:&error]; - if([responseDict isKindOfClass:NSDictionary.class] && !error) { - if (!self->_ignoreServersMessagesTellingUsToGoAway) { - strongSelf->_disableLogging = [[responseDict valueForKey:@"disabled"] boolValue]; - if (strongSelf->_disableLogging || [[responseDict valueForKey:@"sendDisabled"] boolValue]) { - // then don't upload anything right now - secerror("not returning a splunk URL because uploads are disabled"); - dispatch_semaphore_signal(sem); - return; - } - - NSUInteger millisecondsBetweenUploads = [[responseDict valueForKey:@"postFrequency"] unsignedIntegerValue] / 1000; - if (millisecondsBetweenUploads > 0) { - strongSelf->_secondsBetweenUploads = millisecondsBetweenUploads; - } - - strongSelf->_blacklistedEvents = responseDict[@"blacklistedEvents"]; - strongSelf->_blacklistedFields = 
responseDict[@"blacklistedFields"]; - } - - strongSelf->_metricsBase = responseDict[@"metricsBase"]; - - NSString* metricsEndpoint = responseDict[@"metricsUrl"]; - if([metricsEndpoint isKindOfClass:NSString.class]) { - /* Lives our URL */ - NSString* endpoint = [metricsEndpoint stringByAppendingFormat:@"/2/%@", strongSelf->_splunkTopicName]; - secnotice("ckks", "got metrics endpoint: %@", endpoint); - NSURL* endpointURL = [NSURL URLWithString:endpoint]; - if([endpointURL.scheme isEqualToString:@"https"]) { - result = endpointURL; - } - } - } - } - else { - error = responseError; - } - if(error) { - secnotice("ckks", "Unable to fetch splunk endpoint at URL: %@ -- error: %@", requestEndpoint, error.description); - } - else if(!result) { - secnotice("ckks", "Malformed iTunes config payload!"); - } - - dispatch_semaphore_signal(sem); - }]; - - [storeBagTask resume]; - dispatch_semaphore_wait(sem, DISPATCH_TIME_FOREVER); - - return result; -} - -- (BOOL)forceUploadWithError:(NSError**)error -{ - __block BOOL result = NO; - dispatch_sync(_queue, ^{ - result = [self _onQueueUploadDataWithError:error]; - }); - return result; -} - -- (BOOL)_onQueueUploadDataWithError:(NSError**)error -{ - dispatch_assert_queue(_queue); - - NSData* json = [self _onQueueGetLoggingJSONWithError:error]; - if (json && [self _onQueuePostJSON:json error:error]) { - secinfo("ckks", "uploading sync health data: %@", json); - - CKKSLoggerSQLiteStore* store = [CKKSLoggerSQLiteStore sharedStore]; - [store clearAllData]; - store.uploadDate = [NSDate dateWithTimeIntervalSinceNow:_secondsBetweenUploads]; - return YES; - } - else { - return NO; - } -} - -- (BOOL)_onQueuePostJSON:(NSData*)json error:(NSError**)error -{ - dispatch_assert_queue(_queue); - - /* - * Create the NSURLSession - * We use the ephemeral session config because we don't need cookies or cache - */ - NSURLSessionConfiguration *defaultConfiguration = [NSURLSessionConfiguration ephemeralSessionConfiguration]; - NSURLSession* postSession = 
[NSURLSession sessionWithConfiguration:defaultConfiguration - delegate:self - delegateQueue:nil]; - - /* - * Create the request - */ - NSURL* postEndpoint = self.splunkUploadURL; - if (!postEndpoint) { - secerror("failed to get a splunk upload endpoint - not uploading"); - return NO; - } - - NSMutableURLRequest* postRequest = [[NSMutableURLRequest alloc] init]; - postRequest.URL = postEndpoint; - postRequest.HTTPMethod = @"POST"; - postRequest.HTTPBody = json; - - /* - * Create the upload task. - */ - dispatch_semaphore_t sem = dispatch_semaphore_create(0); - __block BOOL uploadSuccess = NO; - NSURLSessionDataTask* uploadTask = [postSession dataTaskWithRequest:postRequest - completionHandler:^(NSData * _Nullable __unused data, NSURLResponse * _Nullable response, NSError * _Nullable requestError) { - if(requestError) { - secerror("Error in uploading the events to splunk: %@", requestError); - } - else if (![response isKindOfClass:NSHTTPURLResponse.class]){ - Class class = response.class; - secerror("Received the wrong kind of response: %@", NSStringFromClass(class)); - } - else { - NSHTTPURLResponse* httpResponse = (NSHTTPURLResponse*)response; - if(httpResponse.statusCode >= 200 && httpResponse.statusCode < 300) { - /* Success */ - uploadSuccess = YES; - secnotice("ckks", "Splunk upload success"); - } - else { - secnotice("ckks", "Splunk upload unexpected status to URL: %@ -- status: %d", postEndpoint, (int)(httpResponse.statusCode)); - } - } - dispatch_semaphore_signal(sem); - }]; - - secnotice("ckks", "Splunk upload start"); - [uploadTask resume]; - dispatch_semaphore_wait(sem, DISPATCH_TIME_FOREVER); - return uploadSuccess; -} - -#define SECOND_PER_DAY (60 * 60 * 24) - -- (NSInteger)fuzzyDaysSinceDate:(NSDate*)date -{ - NSTimeInterval timeIntervalSinceDate = [[NSDate date] timeIntervalSinceDate:date]; - if (timeIntervalSinceDate < SECOND_PER_DAY) { - return 0; - } - else if (timeIntervalSinceDate < (SECOND_PER_DAY * 7)) { - return 1; - } - else if 
(timeIntervalSinceDate < (SECOND_PER_DAY * 30)) { - return 7; - } - else if (timeIntervalSinceDate < (SECOND_PER_DAY * 365)) { - return 30; - } - else { - return 365; - } -} - -- (NSData*)getLoggingJSONWithError:(NSError**)error -{ - __block NSData* json = nil; - dispatch_sync(_queue, ^{ - json = [self _onQueueGetLoggingJSONWithError:error]; - }); - - return json; -} - -- (NSData*)_onQueueGetLoggingJSONWithError:(NSError**)error -{ - dispatch_assert_queue(_queue); - - CKKSLoggerSQLiteStore* store = [CKKSLoggerSQLiteStore sharedStore]; - NSArray* failureRecords = [store failureRecords]; - - NSDictionary* successCounts = [store summaryCounts]; - NSInteger totalSuccessCount = 0; - NSInteger totalFailureCount = 0; - for (NSDictionary* perEventTypeSuccessCounts in successCounts.objectEnumerator) { - totalSuccessCount += [perEventTypeSuccessCounts[CKKSLoggerColumnSuccessCount] integerValue]; - totalFailureCount += [perEventTypeSuccessCounts[CKKSLoggerColumnFailureCount] integerValue]; - } - - NSDate* now = [NSDate date]; - - NSMutableDictionary* healthSummaryEvent = [[NSMutableDictionary alloc] init]; - healthSummaryEvent[CKKSLoggerSplunkTopic] = _splunkTopicName ?: [NSNull null]; - healthSummaryEvent[CKKSLoggerSplunkEventTime] = @([now timeIntervalSince1970] * 1000); - healthSummaryEvent[CKKSLoggerSplunkEventType] = @"manifestHealthSummary"; - healthSummaryEvent[CKKSLoggerColumnSuccessCount] = @(totalSuccessCount); - healthSummaryEvent[CKKSLoggerColumnFailureCount] = @(totalFailureCount); - healthSummaryEvent[CKKSLoggerMetricsBase] = _metricsBase ?: [NSDictionary dictionary]; - - for (NSString* viewName in [CKKSViewManager viewList]) { - CKKSKeychainView* view = [CKKSViewManager findOrCreateView:viewName]; - [healthSummaryEvent setValue:@([self fuzzyDaysSinceDate:[self _onQueueLastSuccessfulClassASyncDate]]) forKey:[NSString stringWithFormat:@"%@-%@", view.zoneName, CKKSLoggerDaysSinceLastSyncClassA]]; - [healthSummaryEvent setValue:@([self fuzzyDaysSinceDate:[self 
_onQueueLastSuccessfulClassCSyncDate]]) forKey:[NSString stringWithFormat:@"%@-%@", view.zoneName, CKKSLoggerDaysSinceLastSyncClassC]]; - } - - NSMutableArray* splunkRecords = failureRecords.mutableCopy; - [splunkRecords addObject:healthSummaryEvent]; - - NSDictionary* jsonDict = @{CKKSLoggerSplunkPostTime : @([now timeIntervalSince1970] * 1000), @"events" : splunkRecords}; - - return [NSJSONSerialization dataWithJSONObject:jsonDict options:NSJSONWritingPrettyPrinted error:error]; -} - -- (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge - completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler { - assert(completionHandler); - (void)session; - secnotice("ckks", "Splunk upload challenge"); - NSURLCredential *cred = nil; - SecTrustResultType result = kSecTrustResultInvalid; - - if ([challenge previousFailureCount] > 0) { - // Previous failures occurred, bail - completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil); - - } else if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) { - /* - * Evaluate trust for the certificate - */ - - SecTrustRef serverTrust = challenge.protectionSpace.serverTrust; - - OSStatus status = SecTrustEvaluate(serverTrust, &result); - if (status == errSecSuccess && (result == kSecTrustResultProceed || result == kSecTrustResultUnspecified)) { - /* - * All is well, accept the credentials - */ - - cred = [NSURLCredential credentialForTrust:serverTrust]; - completionHandler(NSURLSessionAuthChallengeUseCredential, cred); - } else if (_allowInsecureSplunkCert) { - secnotice("ckks", "Force Accepting Splunk Credential"); - - cred = [NSURLCredential credentialForTrust:serverTrust]; - completionHandler(NSURLSessionAuthChallengeUseCredential, cred); - } else { - /* - * An error occurred in evaluating trust, bail - */ - 
completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil); - } - } else { - /* - * Just perform the default handling - */ - completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil); - } - -} - -- (BOOL)ignoreServerDisablingMessages -{ - return _ignoreServersMessagesTellingUsToGoAway; -} - -- (void)setIgnoreServerDisablingMessages:(BOOL)ignoreServer -{ - _ignoreServersMessagesTellingUsToGoAway = ignoreServer ? YES : NO; -} - -@end - -@implementation CKKSLoggerSQLiteStore - -+ (instancetype)sharedStore -{ - static CKKSLoggerSQLiteStore* store = nil; - static dispatch_once_t onceToken; - dispatch_once(&onceToken, ^{ - store = [[self alloc] initWithPath:CKKSLoggingTablePath() schema:CKKSLoggingTableSchema]; - [store open]; - }); - - return store; -} - -- (void)dealloc -{ - [self close]; -} - -- (NSInteger)successCountForEventType:(NSString*)eventType -{ - return [[[[self select:@[CKKSLoggerColumnSuccessCount] from:CKKSLoggerTableSuccessCount where:@"event_type = ?" bindings:@[eventType]] firstObject] valueForKey:CKKSLoggerColumnSuccessCount] integerValue]; -} - -- (void)incrementSuccessCountForEventType:(NSString*)eventType -{ - @try { - NSInteger successCount = [self successCountForEventType:eventType]; - NSInteger failureCount = [self failureCountForEventType:eventType]; - [self insertOrReplaceInto:CKKSLoggerTableSuccessCount values:@{CKKSLoggerColumnEventType : eventType, CKKSLoggerColumnSuccessCount : @(successCount + 1), CKKSLoggerColumnFailureCount : @(failureCount)}]; - } @catch (id ue) { - secerror("incrementSuccessCountForEventType exception: %@", ue); - } -} - -- (NSInteger)failureCountForEventType:(NSString*)eventType -{ - return [[[[self select:@[CKKSLoggerColumnFailureCount] from:CKKSLoggerTableSuccessCount where:@"event_type = ?" 
bindings:@[eventType]] firstObject] valueForKey:CKKSLoggerColumnFailureCount] integerValue]; -} - -- (void)incrementFailureCountForEventType:(NSString*)eventType -{ - @try { - NSInteger successCount = [self successCountForEventType:eventType]; - NSInteger failureCount = [self failureCountForEventType:eventType]; - [self insertOrReplaceInto:CKKSLoggerTableSuccessCount values:@{CKKSLoggerColumnEventType : eventType, CKKSLoggerColumnSuccessCount : @(successCount), CKKSLoggerColumnFailureCount : @(failureCount + 1)}]; - } @catch (id ue) { - secerror("incrementFailureCountForEventType exception: %@", ue); - } -} - -- (NSDictionary*)summaryCounts -{ - NSMutableDictionary* successCountsDict = [NSMutableDictionary dictionary]; - NSArray* rows = [self selectAllFrom:CKKSLoggerTableSuccessCount where:nil bindings:nil]; - for (NSDictionary* rowDict in rows) { - successCountsDict[rowDict[CKKSLoggerColumnEventType]] = @{CKKSLoggerColumnSuccessCount : rowDict[CKKSLoggerColumnSuccessCount], CKKSLoggerColumnFailureCount : rowDict[CKKSLoggerColumnFailureCount]}; - } - - return successCountsDict; -} - -- (NSArray*)failureRecords -{ - NSArray* recordBlobs = [self select:@[CKKSLoggerColumnData] from:CKKSLoggerTableFailures]; - - NSMutableArray* failureRecords = [[NSMutableArray alloc] init]; - for (NSDictionary* row in recordBlobs) { - NSDictionary* deserializedRecord = [NSPropertyListSerialization propertyListWithData:row[CKKSLoggerColumnData] options:0 format:nil error:nil]; - [failureRecords addObject:deserializedRecord]; - } - - return failureRecords; -} - -- (void)addFailureRecord:(NSDictionary*)valueDict -{ - @try { - NSError* error = nil; - NSData* serializedRecord = [NSPropertyListSerialization dataWithPropertyList:valueDict format:NSPropertyListBinaryFormat_v1_0 options:0 error:&error]; - if(!error && serializedRecord) { - [self insertOrReplaceInto:CKKSLoggerTableFailures values:@{CKKSLoggerColumnData : serializedRecord}]; - } - if(error && !serializedRecord) { - 
secerror("Couldn't serialize failure record: %@", error); - } - } @catch (id ue) { - secerror("addFailureRecord exception: %@", ue); - } -} - -- (NSDate*)uploadDate -{ - return [self datePropertyForKey:CKKSLoggerUploadDate]; -} - -- (void)setUploadDate:(NSDate*)uploadDate -{ - [self setDateProperty:uploadDate forKey:CKKSLoggerUploadDate]; -} - -- (void)clearAllData -{ - [self deleteFrom:CKKSLoggerTableSuccessCount where:@"event_type like ?" bindings:@[@"%"]]; - [self deleteFrom:CKKSLoggerTableFailures where:@"id >= 0" bindings:nil]; -} - -@end - -#endif // OCTAGON diff --git a/keychain/ckks/CKKSLogging.plist b/keychain/ckks/CKKSLogging.plist deleted file mode 100644 index 060222c3..00000000 --- a/keychain/ckks/CKKSLogging.plist +++ /dev/null @@ -1,16 +0,0 @@ - - - - - splunk_topic - xp_sear_keysync - splunk_allowInsecureCertificate - - splunk_bagURL - https://xp.apple.com/config/1/report/xp_sear_keysync - SyncManifests - - EnforceManifests - - - diff --git a/keychain/ckks/CKKSManifest.m b/keychain/ckks/CKKSManifest.m index 66587a72..7b2c78f5 100644 --- a/keychain/ckks/CKKSManifest.m +++ b/keychain/ckks/CKKSManifest.m @@ -1394,7 +1394,8 @@ static NSUInteger LeafBucketIndexForUUID(NSString* uuid) SOSPeerInfoRef peerInfo = (SOSPeerInfoRef)peerInfoPtr; CFErrorRef blockError = NULL; SecKeyRef secPublicKey = SOSPeerInfoCopyOctagonSigningPublicKey(peerInfo, &blockError); - if (!secPublicKey || error) { + if (!secPublicKey || blockError) { + CFReleaseNull(secPublicKey); CFReleaseNull(blockError); return; } diff --git a/keychain/ckks/CKKSNearFutureScheduler.h b/keychain/ckks/CKKSNearFutureScheduler.h index b8670e01..1bc7294a 100644 --- a/keychain/ckks/CKKSNearFutureScheduler.h +++ b/keychain/ckks/CKKSNearFutureScheduler.h @@ -21,8 +21,12 @@ * @APPLE_LICENSE_HEADER_END@ */ +#if OCTAGON + #import #import +#import + NS_ASSUME_NONNULL_BEGIN /* 
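Review bot: In the CKKSManifest.m hunk, the corrected check skips a peer whenever `SOSPeerInfoCopyOctagonSigningPublicKey` fails, but it releases `blockError` without recording it, so a skipped peer leaves no trace if manifest verification later fails for lack of that key. Logging before the release, e.g. `secerror("could not copy Octagon signing key for peer: %@", blockError);`, would make this diagnosable, assuming the logging macro used elsewhere in this tree is in scope in this file. The enclosing block starts and ends outside the hunk, so what happens to skipped peers afterwards is not visible here.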
@@ -41,17 +45,21 @@ NS_ASSUME_NONNULL_BEGIN // Will execute every time futureBlock is called, just after the future block. // Operations added in the futureBlock will receive the next operationDependency, so they won't run again until futureBlock occurs again. -@property (nullable, readonly) NSOperation* operationDependency; +@property (readonly) CKKSResultOperation* operationDependency; + +// dependencyDescriptionCode will be integrated into the operationDependency as per the rules in CKKSResultOperation.h - (instancetype)initWithName:(NSString*)name delay:(dispatch_time_t)ns keepProcessAlive:(bool)keepProcessAlive + dependencyDescriptionCode:(NSInteger)code block:(void (^_Nonnull)(void))futureOperation; - (instancetype)initWithName:(NSString*)name initialDelay:(dispatch_time_t)initialDelay continuingDelay:(dispatch_time_t)continuingDelay keepProcessAlive:(bool)keepProcessAlive + dependencyDescriptionCode:(NSInteger)code block:(void (^_Nonnull)(void))futureBlock; - (void)trigger; @@ -64,3 +72,4 @@ NS_ASSUME_NONNULL_BEGIN @end NS_ASSUME_NONNULL_END +#endif // OCTAGON diff --git a/keychain/ckks/CKKSNearFutureScheduler.m b/keychain/ckks/CKKSNearFutureScheduler.m index 5d1ed527..583a900e 100644 --- a/keychain/ckks/CKKSNearFutureScheduler.m +++ b/keychain/ckks/CKKSNearFutureScheduler.m @@ -21,9 +21,12 @@ * @APPLE_LICENSE_HEADER_END@ */ +#if OCTAGON + #import "CKKSNearFutureScheduler.h" #import "CKKSCondition.h" #import "keychain/ckks/NSOperationCategories.h" +#import "keychain/ckks/CKKSResultOperation.h" #include @interface CKKSNearFutureScheduler () @@ -31,7 +34,8 @@ @property dispatch_time_t initialDelay; @property dispatch_time_t continuingDelay; -@property NSOperation* operationDependency; +@property NSInteger operationDependencyDescriptionCode; +@property CKKSResultOperation* operationDependency; @property (nonnull) NSOperationQueue* operationQueue; @property NSDate* predictedNextFireTime; 
@@ -47,21 +51,31 @@ @implementation CKKSNearFutureScheduler --(instancetype)initWithName:(NSString*)name delay:(dispatch_time_t)ns keepProcessAlive:(bool)keepProcessAlive block:(void (^)(void))futureBlock +-(instancetype)initWithName:(NSString*)name + delay:(dispatch_time_t)ns + keepProcessAlive:(bool)keepProcessAlive + dependencyDescriptionCode:(NSInteger)code + block:(void (^)(void))futureBlock { - return [self initWithName:name initialDelay:ns continuingDelay:ns keepProcessAlive:keepProcessAlive block:futureBlock]; + return [self initWithName:name + initialDelay:ns + continuingDelay:ns + keepProcessAlive:keepProcessAlive + dependencyDescriptionCode:code + block:futureBlock]; } -(instancetype)initWithName:(NSString*)name initialDelay:(dispatch_time_t)initialDelay continuingDelay:(dispatch_time_t)continuingDelay keepProcessAlive:(bool)keepProcessAlive + dependencyDescriptionCode:(NSInteger)code block:(void (^)(void))futureBlock { if((self = [super init])) { _name = name; - _queue = dispatch_queue_create([[NSString stringWithFormat:@"near-future-scheduler-%@",name] UTF8String], DISPATCH_QUEUE_SERIAL); + _queue = dispatch_queue_create([[NSString stringWithFormat:@"near-future-scheduler-%@",name] UTF8String], DISPATCH_QUEUE_SERIAL_WITH_AUTORELEASE_POOL); _initialDelay = initialDelay; _continuingDelay = continuingDelay; _futureBlock = futureBlock; 
@@ -73,13 +87,16 @@ _keepProcessAlive = keepProcessAlive; _operationQueue = [[NSOperationQueue alloc] init]; + _operationDependencyDescriptionCode = code; _operationDependency = [self makeOperationDependency]; } return self; } -- (NSOperation*)makeOperationDependency { - return [NSBlockOperation named:[NSString stringWithFormat:@"nfs-%@", self.name] withBlock:^{}]; +- (CKKSResultOperation*)makeOperationDependency { + CKKSResultOperation* op = [CKKSResultOperation named:[NSString stringWithFormat:@"nfs-%@", self.name] withBlock:^{}]; + op.descriptionErrorCode = self.operationDependencyDescriptionCode; + return op; } -(NSString*)description { @@ -198,3 +215,5 @@ } @end + +#endif // OCTAGON diff --git a/keychain/ckks/CKKSNewTLKOperation.m b/keychain/ckks/CKKSNewTLKOperation.m index b9d09a86..8af09132 100644 --- a/keychain/ckks/CKKSNewTLKOperation.m +++ b/keychain/ckks/CKKSNewTLKOperation.m @@ -231,6 +231,11 @@ // Generate the TLK sharing records for all trusted peers NSMutableSet* tlkShares = [NSMutableSet set]; for(id trustedPeer in ckks.currentTrustedPeers) { + if(!trustedPeer.publicEncryptionKey) { + ckksnotice("ckkstlk", ckks, "No need to make TLK for %@; they don't have any encryption keys", trustedPeer); + continue; + } + ckksnotice("ckkstlk", ckks, "Generating TLK(%@) share for %@", newTLK, trustedPeer); CKKSTLKShare* share = [CKKSTLKShare share:newTLK as:ckks.currentSelfPeers.currentSelf to:trustedPeer epoch:-1 poisoned:0 error:&error]; 
@@ -248,8 +253,7 @@ modifyRecordsOp = [[CKModifyRecordsOperation alloc] initWithRecordsToSave:recordsToSave recordIDsToDelete:recordIDsToDelete]; modifyRecordsOp.atomic = YES; modifyRecordsOp.longLived = NO; // The keys are only in memory; mark this explicitly not long-lived - modifyRecordsOp.timeoutIntervalForRequest = 2; - modifyRecordsOp.qualityOfService = NSQualityOfServiceUtility; // relatively important. Use Utility. + modifyRecordsOp.qualityOfService = NSQualityOfServiceUserInitiated; // This needs to happen before CKKS is available for PCS/CloudKit use. modifyRecordsOp.group = self.ckoperationGroup; ckksnotice("ckkstlk", ckks, "Operation group is %@", self.ckoperationGroup); diff --git a/keychain/ckks/CKKSNotifier.h b/keychain/ckks/CKKSNotifier.h index 64b550fd..312bbb3f 100644 --- a/keychain/ckks/CKKSNotifier.h +++ b/keychain/ckks/CKKSNotifier.h @@ -29,7 +29,7 @@ NS_ASSUME_NONNULL_BEGIN // There's terrible testing support for notify_post, but that's what our clients // are listening for. Use this structure to mock out notification sending for testing. -@protocol CKKSNotifier +@protocol CKKSNotifier + (void)post:(NSString*)notification; @end diff --git a/keychain/ckks/CKKSOutgoingQueueEntry.h b/keychain/ckks/CKKSOutgoingQueueEntry.h index aadeb473..a4a91c21 100644 --- a/keychain/ckks/CKKSOutgoingQueueEntry.h +++ b/keychain/ckks/CKKSOutgoingQueueEntry.h @@ -73,7 +73,8 @@ zoneID:(CKRecordZoneID*)zoneID error:(NSError* __autoreleasing*)error; -+ (NSDictionary*)countsByState:(CKRecordZoneID*)zoneID error:(NSError* __autoreleasing*)error; ++ (NSDictionary*)countsByStateInZone:(CKRecordZoneID*)zoneID error:(NSError* __autoreleasing*)error; ++ (NSInteger)countByState:(CKKSItemState *)state zone:(CKRecordZoneID*)zoneID error: (NSError * __autoreleasing *) error; @end diff --git a/keychain/ckks/CKKSOutgoingQueueEntry.m b/keychain/ckks/CKKSOutgoingQueueEntry.m index 032e604a..cff41eed 100644 --- a/keychain/ckks/CKKSOutgoingQueueEntry.m 
+++ b/keychain/ckks/CKKSOutgoingQueueEntry.m @@ -307,7 +307,7 @@ accessGroup:row[@"accessgroup"]]; } -+ (NSDictionary*)countsByState:(CKRecordZoneID*)zoneID error: (NSError * __autoreleasing *) error { ++ (NSDictionary*)countsByStateInZone:(CKRecordZoneID*)zoneID error: (NSError * __autoreleasing *) error { NSMutableDictionary* results = [[NSMutableDictionary alloc] init]; [CKKSSQLDatabaseObject queryDatabaseTable: [[self class] sqlTable] @@ -323,6 +323,23 @@ return results; } ++ (NSInteger)countByState:(CKKSItemState *)state zone:(CKRecordZoneID*)zoneID error: (NSError * __autoreleasing *) error { + __block NSInteger result = -1; + + [CKKSSQLDatabaseObject queryDatabaseTable: [[self class] sqlTable] + where: @{@"ckzone": CKKSNilToNSNull(zoneID.zoneName), @"state": state } + columns: @[@"count(*)"] + groupBy: nil + orderBy: nil + limit: -1 + processRow: ^(NSDictionary* row) { + result = [row[@"count(*)"] integerValue]; + } + error: error]; + return result; +} + + @end #endif diff --git a/keychain/ckks/CKKSOutgoingQueueOperation.m b/keychain/ckks/CKKSOutgoingQueueOperation.m index ea8a9540..d8869334 100644 --- a/keychain/ckks/CKKSOutgoingQueueOperation.m +++ b/keychain/ckks/CKKSOutgoingQueueOperation.m @@ -29,7 +29,7 @@ #import "CKKSOutgoingQueueEntry.h" #import "CKKSReencryptOutgoingItemsOperation.h" #import "CKKSManifest.h" -#import "CKKSAnalyticsLogger.h" +#import "CKKSAnalytics.h" #include #include @@ -55,14 +55,12 @@ _ckks = ckks; _ckoperationGroup = ckoperationGroup; - [self addNullableDependency:ckks.viewSetupOperation]; [self addNullableDependency:ckks.holdOutgoingQueueOperation]; // Depend on all previous CKKSOutgoingQueueOperations [self linearDependencies:ckks.outgoingQueueOperations]; // We also depend on the view being setup and the key hierarchy being reasonable - [self addNullableDependency:ckks.viewSetupOperation]; [self addNullableDependency:ckks.keyStateReadyDependency]; } return self; 
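Review bot: In the added `+countByState:zone:error:`, `state` goes straight into the `where:` dictionary literal, so a nil `state` raises an exception instead of reporting through `error`; `zoneID.zoneName` is wrapped in `CKKSNilToNSNull` but `state` is not. The initial `-1` also doubles as the failure result, because `result` is only assigned inside `processRow:`, and neither this method nor its header declaration says so. I would add `if(!state) { return -1; }` ahead of the query and a header comment such as `// Returns the number of entries in this state and zone, or -1 if the query failed (see error).` so callers do not sum a `-1` into a total.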
@@ -97,12 +95,13 @@ return false; } - //[CKKSPowerCollection CKKSPowerEvent:kCKKSPowerEventOutgoingQueue zone:ckks.zoneName count:[queueEntries count]]; + [CKKSPowerCollection CKKSPowerEvent:kCKKSPowerEventOutgoingQueue zone:ckks.zoneName count:[queueEntries count]]; ckksinfo("ckksoutgoing", ckks, "processing outgoing queue: %@", queueEntries); NSMutableDictionary* recordsToSave = [[NSMutableDictionary alloc] init]; - NSMutableSet* oqesModified = [[NSMutableSet alloc] init]; + NSMutableSet* recordIDsModified = [[NSMutableSet alloc] init]; + NSMutableSet*oqesModified = [[NSMutableSet alloc] init]; NSMutableArray* recordIDsToDelete = [[NSMutableArray alloc] init]; CKKSCurrentKeyPointer* currentClassAKeyPointer = [CKKSCurrentKeyPointer fromDatabase: SecCKKSKeyClassA zoneID:ckks.zoneID error: &error]; @@ -155,7 +154,8 @@ if([oqe.action isEqualToString: SecCKKSActionAdd]) { CKRecord* record = [oqe.item CKRecordWithZoneID: ckks.zoneID]; recordsToSave[record.recordID] = record; - [oqesModified addObject: record.recordID]; + [recordIDsModified addObject: record.recordID]; + [oqesModified addObject:oqe]; [ckks _onqueueChangeOutgoingQueueEntry:oqe toState:SecCKKSStateInFlight error:&error]; if(error) { @@ -166,7 +166,8 @@ } else if ([oqe.action isEqualToString: SecCKKSActionDelete]) { CKRecordID* recordIDToDelete = [[CKRecordID alloc] initWithRecordName: oqe.item.uuid zoneID: ckks.zoneID]; [recordIDsToDelete addObject: recordIDToDelete]; - [oqesModified addObject: recordIDToDelete]; + [recordIDsModified addObject: recordIDToDelete]; + [oqesModified addObject:oqe]; [ckks _onqueueChangeOutgoingQueueEntry:oqe toState:SecCKKSStateInFlight error:&error]; if(error) { 
@@ -184,7 +185,8 @@ // treat as an add. CKRecord* record = [oqe.item CKRecordWithZoneID: ckks.zoneID]; recordsToSave[record.recordID] = record; - [oqesModified addObject: record.recordID]; + [recordIDsModified addObject: record.recordID]; + [oqesModified addObject:oqe]; [ckks _onqueueChangeOutgoingQueueEntry:oqe toState:SecCKKSStateInFlight error:&error]; if(error) { @@ -208,7 +210,8 @@ // Grab the old ckrecord and update it CKRecord* record = [oqe.item updateCKRecord: ckme.item.storedCKRecord zoneID: ckks.zoneID]; recordsToSave[record.recordID] = record; - [oqesModified addObject: record.recordID]; + [recordIDsModified addObject: record.recordID]; + [oqesModified addObject:oqe]; [ckks _onqueueChangeOutgoingQueueEntry:oqe toState:SecCKKSStateInFlight error:&error]; if(error) { @@ -234,6 +237,15 @@ return true; } + bool uploadingPCSEntries = false; + for(CKKSOutgoingQueueEntry* oqe in oqesModified) { + // PCS always sets these fields, and nothing else does + if(oqe.item.plaintextPCSPublicKey || oqe.item.plaintextPCSPublicIdentity || oqe.item.plaintextPCSServiceIdentifier) { + uploadingPCSEntries = true; + break; + } + } + self.itemsProcessed = recordsToSave.count; NSBlockOperation* modifyComplete = [[NSBlockOperation alloc] init]; @@ -265,16 +277,16 @@ return; } - //CKKSAnalyticsLogger* logger = [CKKSAnalyticsLogger logger]; + CKKSAnalytics* logger = [CKKSAnalytics logger]; - [strongCKKS dispatchSync: ^bool{ + [strongCKKS dispatchSyncWithAccountKeys: ^bool{ if(ckerror) { ckkserror("ckksoutgoing", strongCKKS, "error processing outgoing queue: %@", ckerror); - /*[logger logRecoverableError:ckerror + [logger logRecoverableError:ckerror forEvent:CKKSEventProcessOutgoingQueue inView:strongCKKS - withAttributes:NULL];*/ + withAttributes:NULL]; // Tell CKKS about any out-of-date records [strongCKKS _onqueueCKWriteFailed:ckerror attemptedRecordsChanged:recordsToSave]; 
@@ -282,61 +294,73 @@ // Check if these are due to key records being out of date. We'll see a CKErrorBatchRequestFailed, with a bunch of errors inside if([ckerror.domain isEqualToString:CKErrorDomain] && (ckerror.code == CKErrorPartialFailure)) { NSMutableDictionary* failedRecords = ckerror.userInfo[CKPartialErrorsByItemIDKey]; - ckksnotice("ckksoutgoing", strongCKKS, "failed records %@", failedRecords); - for(CKRecordID* recordID in failedRecords.allKeys) { - NSError* recordError = failedRecords[recordID]; - - if(recordError.code == CKErrorServerRecordChanged) { - if([recordID.recordName isEqualToString: SecCKKSKeyClassA] || - [recordID.recordName isEqualToString: SecCKKSKeyClassC]) { - // The current key pointers have updated without our knowledge, so CloudKit failed this operation. Mark all records as 'needs reencryption' and kick that off. - [strongSelf _onqueueModifyAllRecords:failedRecords.allKeys as:SecCKKSStateReencrypt]; - - // Note that _onqueueCKWriteFailed is responsible for kicking the key state machine, so we don't need to do it here. - // This will wait for the key hierarchy to become 'ready' - CKKSReencryptOutgoingItemsOperation* op = [[CKKSReencryptOutgoingItemsOperation alloc] initWithCKKSKeychainView:strongCKKS ckoperationGroup:strongSelf.ckoperationGroup]; - [strongCKKS scheduleOperation: op]; - - // Quit the loop so we only do this once - break; - } else { - // CKErrorServerRecordChanged on an item update means that we've been overwritten. - if([oqesModified containsObject:recordID]) { - [strongSelf _onqueueModifyRecordAsError:recordID recordError:recordError]; + + bool askForReencrypt = false; + + if([strongSelf _onqueueIsErrorBadEtagOnKeyPointersOnly:ckerror]) { + // The current key pointers have updated without our knowledge, so CloudKit failed this operation. Mark all records as 'needs reencryption' and kick that off. 
+ ckksnotice("ckksoutgoing", strongCKKS, "Error is simply due to current key pointers changing; marking all records as 'needs reencrypt'"); + [strongSelf _onqueueModifyAllRecords:failedRecords.allKeys as:SecCKKSStateReencrypt]; + askForReencrypt = true; + } else { + // Iterate all failures, and reset each item + for(CKRecordID* recordID in failedRecords) { + NSError* recordError = failedRecords[recordID]; + + ckksnotice("ckksoutgoing", strongCKKS, "failed record: %@ %@", recordID, recordError); + + if(recordError.code == CKErrorServerRecordChanged) { + if([recordID.recordName isEqualToString: SecCKKSKeyClassA] || + [recordID.recordName isEqualToString: SecCKKSKeyClassC]) { + // Note that _onqueueCKWriteFailed is responsible for kicking the key state machine, so we don't need to do it here. + askForReencrypt = true; + } else { + // CKErrorServerRecordChanged on an item update means that we've been overwritten. + if([recordIDsModified containsObject:recordID]) { + [strongSelf _onqueueModifyRecordAsError:recordID recordError:recordError]; + } } - } - } else if(recordError.code == CKErrorBatchRequestFailed) { - // Also fine. This record only didn't succeed because something else failed. - // OQEs should be placed back into the 'new' state, unless they've been overwritten by a new OQE. Other records should be ignored. - - if([oqesModified containsObject:recordID]) { - NSError* localerror = nil; - CKKSOutgoingQueueEntry* inflightOQE = [CKKSOutgoingQueueEntry tryFromDatabase:recordID.recordName state:SecCKKSStateInFlight zoneID:recordID.zoneID error:&localerror]; - [strongCKKS _onqueueChangeOutgoingQueueEntry:inflightOQE toState:SecCKKSStateNew error:&localerror]; - if(localerror) { - ckkserror("ckksoutgoing", strongCKKS, "Couldn't clean up outgoing queue entry: %@", localerror); + } else if(recordError.code == CKErrorBatchRequestFailed) { + // Also fine. This record only didn't succeed because something else failed. 
+ // OQEs should be placed back into the 'new' state, unless they've been overwritten by a new OQE. Other records should be ignored. + + if([recordIDsModified containsObject:recordID]) { + NSError* localerror = nil; + CKKSOutgoingQueueEntry* inflightOQE = [CKKSOutgoingQueueEntry tryFromDatabase:recordID.recordName state:SecCKKSStateInFlight zoneID:recordID.zoneID error:&localerror]; + [strongCKKS _onqueueChangeOutgoingQueueEntry:inflightOQE toState:SecCKKSStateNew error:&localerror]; + if(localerror) { + ckkserror("ckksoutgoing", strongCKKS, "Couldn't clean up outgoing queue entry: %@", localerror); + } } - } - } else { - // Some unknown error occurred on this record. If it's an OQE, move it to the error state. - ckkserror("ckksoutgoing", strongCKKS, "Unknown error on row: %@ %@", recordID, recordError); - if([oqesModified containsObject:recordID]) { - [strongSelf _onqueueModifyRecordAsError:recordID recordError:recordError]; + } else { + // Some unknown error occurred on this record. If it's an OQE, move it to the error state. + ckkserror("ckksoutgoing", strongCKKS, "Unknown error on row: %@ %@", recordID, recordError); + if([recordIDsModified containsObject:recordID]) { + [strongSelf _onqueueModifyRecordAsError:recordID recordError:recordError]; + } } } } + + if(askForReencrypt) { + // This will wait for the key hierarchy to become 'ready' + ckkserror("ckksoutgoing", strongCKKS, "Starting new Reencrypt items operation"); + CKKSReencryptOutgoingItemsOperation* op = [[CKKSReencryptOutgoingItemsOperation alloc] initWithCKKSKeychainView:strongCKKS + ckoperationGroup:strongSelf.ckoperationGroup]; + [strongCKKS scheduleOperation: op]; + } } else { // Some non-partial error occured. We should place all "inflight" OQEs back into the outgoing queue. 
ckksnotice("ckks", strongCKKS, "Error is scary: putting all inflight OQEs back into state 'new'"); - [strongSelf _onqueueModifyAllRecords:[oqesModified allObjects] as:SecCKKSStateNew]; + [strongSelf _onqueueModifyAllRecords:[recordIDsModified allObjects] as:SecCKKSStateNew]; } - strongSelf.error = error; + strongSelf.error = ckerror; return true; } - ckksnotice("ckksoutgoing", strongCKKS, "Completed processing outgoing queue"); + ckksnotice("ckksoutgoing", strongCKKS, "Completed processing outgoing queue (%d modifications, %d deletions)", (int)savedRecords.count, (int)deletedRecordIDs.count); NSError* error = NULL; CKKSPowerCollection *plstats = [[CKKSPowerCollection alloc] init]; @@ -408,13 +432,13 @@ if(strongSelf.error) { ckkserror("ckksoutgoing", strongCKKS, "Operation failed; rolling back: %@", strongSelf.error); - /*[logger logRecoverableError:strongSelf.error + [logger logRecoverableError:strongSelf.error forEvent:CKKSEventProcessOutgoingQueue inView:strongCKKS - withAttributes:NULL];*/ + withAttributes:NULL]; return false; } else { - //[logger logSuccessForEvent:CKKSEventProcessOutgoingQueue inView:strongCKKS]; + [logger logSuccessForEvent:CKKSEventProcessOutgoingQueue inView:strongCKKS]; } return true; }]; 
@@ -450,12 +474,11 @@ self.modifyRecordsOperation = [[CKModifyRecordsOperation alloc] initWithRecordsToSave:recordsToSave.allValues recordIDsToDelete:recordIDsToDelete]; self.modifyRecordsOperation.atomic = TRUE; - self.modifyRecordsOperation.timeoutIntervalForRequest = 2; - self.modifyRecordsOperation.qualityOfService = NSQualityOfServiceUtility; + self.modifyRecordsOperation.qualityOfService = uploadingPCSEntries ? NSQualityOfServiceUserInitiated : NSQualityOfServiceUtility; // PCS items are needed for CloudKit to work, so they might be user-initiated self.modifyRecordsOperation.savePolicy = CKRecordSaveIfServerRecordUnchanged; self.modifyRecordsOperation.group = self.ckoperationGroup; - ckksnotice("ckksoutgoing", ckks, "Operation group is %@", self.ckoperationGroup); - ckksnotice("ckksoutgoing", ckks, "Beginning upload for %@ %@", recordsToSave.allValues, recordIDsToDelete); + ckksnotice("ckksoutgoing", ckks, "QoS: %d; operation group is %@", (int)self.modifyRecordsOperation.qualityOfService, self.modifyRecordsOperation.group); + ckksnotice("ckksoutgoing", ckks, "Beginning upload for %@ %@", recordsToSave.allKeys, recordIDsToDelete); self.modifyRecordsOperation.perRecordCompletionBlock = ^(CKRecord *record, NSError * _Nullable error) { __strong __typeof(weakSelf) strongSelf = weakSelf; 
@@ -539,6 +562,35 @@ } } +- (bool)_onqueueIsErrorBadEtagOnKeyPointersOnly:(NSError*)ckerror { + bool anyOtherErrors = false; + + if([ckerror.domain isEqualToString:CKErrorDomain] && (ckerror.code == CKErrorPartialFailure)) { + NSMutableDictionary* failedRecords = ckerror.userInfo[CKPartialErrorsByItemIDKey]; + + for(CKRecordID* recordID in failedRecords) { + NSError* recordError = failedRecords[recordID]; + + if(recordError.code == CKErrorServerRecordChanged) { + if([recordID.recordName isEqualToString: SecCKKSKeyClassA] || + [recordID.recordName isEqualToString: SecCKKSKeyClassC]) { + // this is fine! + } else { + // Some record other than the key pointers changed. + anyOtherErrors |= true; + break; + } + } else { + // Some other error than ServerRecordChanged + anyOtherErrors |= true; + break; + } + } + } + + return !anyOtherErrors; +} + @end; #endif diff --git a/keychain/ckks/CKKSPeer.h b/keychain/ckks/CKKSPeer.h index 9c6dc3be..bb96afd1 100644 --- a/keychain/ckks/CKKSPeer.h +++ b/keychain/ckks/CKKSPeer.h @@ -25,6 +25,7 @@ #import #import +#import NS_ASSUME_NONNULL_BEGIN @@ -70,6 +71,8 @@ NS_ASSUME_NONNULL_BEGIN - (void)trustedPeerSetChanged; @end +extern NSString* const CKKSSOSPeerPrefix; + // These should be replaced by Octagon peers, when those exist @interface CKKSSOSPeer : NSObject @property (readonly) NSString* peerID; @@ -86,8 +89,8 @@ NS_ASSUME_NONNULL_BEGIN @property (readonly) SFECPublicKey* publicEncryptionKey; @property (readonly) SFECPublicKey* publicSigningKey; -@property (readonly) SFECKeyPair* encryptionKey; -@property (readonly) SFECKeyPair* signingKey; +@property SFECKeyPair* encryptionKey; +@property SFECKeyPair* signingKey; - (instancetype)initWithSOSPeerID:(NSString*)syncingPeerID encryptionKey:(SFECKeyPair*)encryptionKey diff --git a/keychain/ckks/CKKSPeer.m b/keychain/ckks/CKKSPeer.m index 094bb7ae..43fbb70c 100644 --- a/keychain/ckks/CKKSPeer.m +++ b/keychain/ckks/CKKSPeer.m 
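Review bot: `_onqueueIsErrorBadEtagOnKeyPointersOnly:` returns true for any error that is not a CloudKit partial failure, and for a partial failure whose `CKPartialErrorsByItemIDKey` dictionary is nil or empty, because `anyOtherErrors` starts false and is only set inside the loop. The caller visible in this patch checks the domain and code first, so only the empty-dictionary case is reachable today, but a later caller would mark every record as needing reencryption on an unrelated error. Starting the method with `if(![ckerror.domain isEqualToString:CKErrorDomain] || ckerror.code != CKErrorPartialFailure) { return false; }` and returning false when `failedRecords.count == 0` makes the result match the name. The per-record test could also compare `recordError.domain` with `CKErrorDomain` before trusting `code`, and `anyOtherErrors |= true; break;` reads more plainly as `return false;`.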
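Review bot: Dropping `readonly` from `encryptionKey` and `signingKey` in the last CKKSPeer.h hunk lets any code holding that peer object replace its private key pairs after construction, while the CKKSPeer.m context shows the public signing key being read back from `self.signingKey.publicKey`. The patch does not show which caller needs the setters (possibly tests). If that set is small, keeping `@property (readonly) SFECKeyPair* signingKey;` and `@property (readonly) SFECKeyPair* encryptionKey;` in the public header and redeclaring them readwrite in a class extension or a test-only header would keep the identity keys immutable for everyone else.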
@@ -25,6 +25,8 @@ #import "keychain/ckks/CKKSPeer.h" +NSString* const CKKSSOSPeerPrefix = @"spid-"; + @implementation CKKSSelves - (instancetype)initWithCurrent:(id)selfPeer allSelves:(NSSet>*)allSelves { @@ -32,7 +34,8 @@ _currentSelf = selfPeer; // Ensure allSelves contains selfPeer - _allSelves = allSelves ? [allSelves setByAddingObject:selfPeer] : [NSSet setWithObject:selfPeer]; + _allSelves = allSelves ? [allSelves setByAddingObject:selfPeer] : + (selfPeer ? [NSSet setWithObject:selfPeer] : [NSSet set]); } return self; } @@ -58,18 +61,13 @@ [self.publicSigningKey.keyData subdataWithRange:NSMakeRange(0, MIN(16u,self.publicSigningKey.keyData.length))]]; } -- (NSString*)prefix { - return @"spid-"; -} - - (instancetype)initWithSOSPeerID:(NSString*)syncingPeerID encryptionPublicKey:(SFECPublicKey*)encryptionKey signingPublicKey:(SFECPublicKey*)signingKey { if((self = [super init])) { - - if([syncingPeerID hasPrefix:[self prefix]]) { - _spid = [syncingPeerID substringFromIndex:[self prefix].length]; + if([syncingPeerID hasPrefix:CKKSSOSPeerPrefix]) { + _spid = [syncingPeerID substringFromIndex:CKKSSOSPeerPrefix.length]; } else { _spid = syncingPeerID; } @@ -80,7 +78,7 @@ } - (NSString*)peerID { - return [NSString stringWithFormat:@"%@%@", self.prefix, self.spid]; + return [NSString stringWithFormat:@"%@%@", CKKSSOSPeerPrefix, self.spid]; } - (bool)matchesPeer:(id)peer { @@ -106,7 +104,11 @@ signingKey:(SFECKeyPair*)signingKey { if((self = [super init])) { - _spid = syncingPeerID; + if([syncingPeerID hasPrefix:CKKSSOSPeerPrefix]) { + _spid = [syncingPeerID substringFromIndex:CKKSSOSPeerPrefix.length]; + } else { + _spid = syncingPeerID; + } _encryptionKey = encryptionKey; _signingKey = signingKey; } @@ -120,7 +122,7 @@ return self.signingKey.publicKey; } - (NSString*)peerID { - return [NSString stringWithFormat:@"spid-%@", self.spid]; + return [NSString stringWithFormat:@"%@%@", CKKSSOSPeerPrefix, self.spid]; } - (bool)matchesPeer:(id)peer { 
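Review bot: The nil check added to `-[CKKSSelves initWithCurrent:allSelves:]` only covers the branch where `allSelves` is nil; with a non-nil `allSelves` and a nil `selfPeer`, the first branch still passes nil to `setByAddingObject:`, which I would expect to raise the same way `setWithObject:` does. If a nil current self is now a supported input, as the new `[NSSet set]` fallback suggests, both branches need the guard: `_allSelves = selfPeer ? (allSelves ? [allSelves setByAddingObject:selfPeer] : [NSSet setWithObject:selfPeer]) : (allSelves ?: [NSSet set]);`. The initializer starts and ends outside the hunk.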
diff --git a/keychain/ckks/CKKSProcessReceivedKeysOperation.m b/keychain/ckks/CKKSProcessReceivedKeysOperation.m index 98f9ba06..01b78bce 100644 --- a/keychain/ckks/CKKSProcessReceivedKeysOperation.m +++ b/keychain/ckks/CKKSProcessReceivedKeysOperation.m @@ -27,6 +27,7 @@ #import "CKKSCurrentKeyPointer.h" #import "CKKSKey.h" #import "CKKSProcessReceivedKeysOperation.h" +#import "keychain/ckks/CloudKitCategories.h" #if OCTAGON @@ -115,9 +116,8 @@ if([key wrapsSelf]) { tlk = key; } else { - ckkserror("ckkskey", ckks, "current TLK doesn't wrap itself: %@", key); - // TODO: re-fetch? - [ckks _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateReady withError:error]; + ckkserror("ckkskey", ckks, "current TLK doesn't wrap itself: %@ %@", key, key.parentKeyUUID); + [ckks _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateUnhealthy withError:error]; return true; } } @@ -125,8 +125,7 @@ if(!tlk) { ckkserror("ckkskey", ckks, "couldn't find active TLK: %@", currentTLKPointer); - // TODO: re-fetch? - [ckks _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateReady withError:error]; + [ckks _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateUnhealthy withError:error]; return true; } @@ -145,12 +144,7 @@ } else { // Otherwise, something has gone horribly wrong. enter error state. ckkserror("ckkskey", ckks, "CKKS claims %@ is not a valid TLK: %@", tlk, error); - NSError* newError = nil; - if(error) { - newError = [NSError errorWithDomain: @"securityd" code:0 userInfo:@{NSLocalizedDescriptionKey: @"invalid TLK from CloudKit", NSUnderlyingErrorKey: error}]; - } else { - newError = [NSError errorWithDomain: @"securityd" code:0 userInfo:@{NSLocalizedDescriptionKey: @"invalid TLK from CloudKit (unknown error)"}]; - } + NSError* newError = [NSError errorWithDomain:CKKSErrorDomain code:CKKSInvalidTLK description:@"invalid TLK from CloudKit" underlying:error]; [ckks _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateError withError:newError]; return true; } 
@@ -167,15 +161,30 @@ if(error != nil || ![topKey.uuid isEqual: tlk.uuid]) { ckkserror("ckkskey", ckks, "new key %@ is orphaned (%@)", key, error); // TODO: possibly re-fetch. Maybe not an actual error state. - [ckks _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateError withError: error ? error : [NSError errorWithDomain: @"securityd" code:0 userInfo:@{NSLocalizedDescriptionKey: @"orphaned key in hierarchy", NSUnderlyingErrorKey: error}]]; + [ckks _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateError + withError:[NSError errorWithDomain:CKKSErrorDomain + code:CKKSOrphanedKey + description:[NSString stringWithFormat:@"orphaned key(%@) in hierarchy", topKey] + underlying:error]]; return true; + } // Okay, it wraps to the TLK. Can we unwrap it? if(![key unwrapViaKeyHierarchy:&error] || error != nil) { - ckkserror("ckkskey", ckks, "new key %@ claims to wrap to TLK, but we can't unwrap it: %@", topKey, error); - [ckks _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateError withError: error ? error : [NSError errorWithDomain: @"securityd" code:0 userInfo:@{NSLocalizedDescriptionKey: @"orphaned/couldn't unwrap key in hierarchy", NSUnderlyingErrorKey: error}]]; - return true; + if(error && [ckks.lockStateTracker isLockedError:error]) { + ckksnotice("ckkskey", ckks, "Couldn't unwrap new key (%@), but keybag appears to be locked. Entering waitforunlock.", key); + [ckks _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateWaitForUnlock withError:error]; + return true; + } else { + ckkserror("ckkskey", ckks, "new key %@ claims to wrap to TLK, but we can't unwrap it: %@", topKey, error); + [ckks _onqueueAdvanceKeyStateMachineToState:SecCKKSZoneKeyStateError + withError:[NSError errorWithDomain:CKKSErrorDomain + code:CKKSOrphanedKey + description:[NSString stringWithFormat:@"unwrappable key(%@) in hierarchy: %@", topKey, error] + underlying:error]]; + return true; + } } ckksnotice("ckkskey", ckks, "New key %@ wraps to tlk %@", key, tlk); 
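Review bot: In the unwrap-failure branch the new `CKKSOrphanedKey` error is described with `topKey`, but the key that failed `unwrapViaKeyHierarchy:` is `key`; by this point `topKey.uuid` has already been checked equal to `tlk.uuid`, so the description always names the TLK, and the `ckkserror` line above it has the same mix-up. Using `key` in both, e.g. `description:[NSString stringWithFormat:@"couldn't unwrap key(%@) in hierarchy: %@", key, error]`, identifies the record that actually needs attention. Both new errors also embed `%@` descriptions of key objects, so it is worth confirming that the key class's description never includes key material, since these NSErrors are handed to the state machine and may travel further than the local log. The enclosing method starts and ends outside the hunk.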
diff --git a/keychain/ckks/CKKSReachabilityTracker.h b/keychain/ckks/CKKSReachabilityTracker.h new file mode 100644 index 00000000..b2c1c370 --- /dev/null +++ b/keychain/ckks/CKKSReachabilityTracker.h @@ -0,0 +1,44 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if OCTAGON + +#import +#import + +@interface CKKSReachabilityTracker : NSObject +@property NSOperation* reachablityDependency; +@property (readonly) bool currentReachability; // get current reachability value w/o recheck + +- (instancetype)init; +- (void)recheck; +- (bool)isNetworkError:(NSError *)error; + +// only for testing override, the method will be call sync on an internal queue, +// so take that into consideration when you mock this class method. ++ (SCNetworkReachabilityFlags)getReachabilityFlags:(SCNetworkReachabilityRef)target; + +@end + +#endif // OCTAGON + diff --git a/keychain/ckks/CKKSReachabilityTracker.m b/keychain/ckks/CKKSReachabilityTracker.m new file mode 100644 index 00000000..3086e568 --- /dev/null +++ b/keychain/ckks/CKKSReachabilityTracker.m 
@@ -0,0 +1,212 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if OCTAGON + +#import +#import + +#import +#import +#import +#import + +#import "keychain/ckks/CKKS.h" +#import "keychain/ckks/CKKSGroupOperation.h" +#import "keychain/ckks/CKKSReachabilityTracker.h" +#import "keychain/ckks/CKKSAnalytics.h" + +// force reachability timeout every now and then +#define REACHABILITY_TIMEOUT (12 * 3600 * NSEC_PER_SEC) + +@interface CKKSReachabilityTracker () +@property bool haveNetwork; +@property dispatch_queue_t queue; +@property NSOperationQueue* operationQueue; +@property (assign) SCNetworkReachabilityRef reachability; +@property dispatch_source_t timer; +@end + +@implementation CKKSReachabilityTracker + +static void +callout(SCNetworkReachabilityRef reachability, + SCNetworkReachabilityFlags flags, + void *context) +{ + CKKSReachabilityTracker *tracker = (__bridge id)context; + [tracker _onqueueRecheck:flags]; +} + +- (instancetype)init { + if((self = [super init])) { + _queue = dispatch_queue_create("reachabiltity-tracker", 
DISPATCH_QUEUE_SERIAL); + _operationQueue = [[NSOperationQueue alloc] init]; + + dispatch_sync(_queue, ^{ + [self _onQueueResetReachabilityDependency]; + }); + + __weak __typeof(self) weakSelf = self; + + if(!SecCKKSTestsEnabled()) { + struct sockaddr_in zeroAddress; + bzero(&zeroAddress, sizeof(zeroAddress)); + zeroAddress.sin_len = sizeof(zeroAddress); + zeroAddress.sin_family = AF_INET; + + _reachability = SCNetworkReachabilityCreateWithAddress(NULL, (struct sockaddr *)&zeroAddress); + + SCNetworkReachabilityContext context = {0, (__bridge void *)(self), NULL, NULL, NULL}; + SCNetworkReachabilitySetDispatchQueue(_reachability, _queue); + SCNetworkReachabilitySetCallback(_reachability, callout, &context); + } + + [weakSelf recheck]; + } + return self; +} + +-(NSString*)description { + return [NSString stringWithFormat: @"", self.haveNetwork ? @"online" : @"offline"]; +} + +-(bool)currentReachability { + __block bool currentReachability = false; + dispatch_sync(self.queue, ^{ + currentReachability = self.haveNetwork; + }); + return currentReachability; +} + +-(void)_onQueueRunReachablityDependency +{ + dispatch_assert_queue(self.queue); + // We're have network now, or timer expired, either way, execute dependency + if (self.reachablityDependency) { + [self.operationQueue addOperation: self.reachablityDependency]; + self.reachablityDependency = nil; + } + if (self.timer) { + dispatch_source_cancel(self.timer); + self.timer = nil; + } +} + +-(void)_onQueueResetReachabilityDependency { + dispatch_assert_queue(self.queue); + + if(self.reachablityDependency == nil || ![self.reachablityDependency isPending]) { + __weak __typeof(self) weakSelf = self; + + self.reachablityDependency = [NSBlockOperation blockOperationWithBlock: ^{ + __typeof(self) strongSelf = weakSelf; + if (strongSelf == nil) { + return; + } + if (strongSelf.haveNetwork) { + secinfo("ckks", "Network available"); + } else { + secinfo("ckks", "Network still not available, retrying after waiting %2.1f 
hours", + ((float)(REACHABILITY_TIMEOUT/NSEC_PER_SEC)) / 3600); + } + }]; + self.reachablityDependency.name = @"network-available-dependency"; + + /* + * Make sure we are not stuck forever and retry every REACHABILITY_TIMEOUT + */ + self.timer = dispatch_source_create(DISPATCH_SOURCE_TYPE_TIMER, + 0, + (dispatch_source_timer_flags_t)0, + self.queue); + dispatch_source_set_event_handler(self.timer, ^{ + __typeof(self) strongSelf = weakSelf; + if (strongSelf == nil) { + return; + } + if (strongSelf.timer) { + [[CKKSAnalytics logger] noteEvent:CKKSEventReachabilityTimerExpired]; + [strongSelf _onQueueRunReachablityDependency]; + } + }); + + dispatch_source_set_timer(self.timer, + dispatch_time(DISPATCH_TIME_NOW, REACHABILITY_TIMEOUT), + DISPATCH_TIME_FOREVER, //one-shot + 30 * NSEC_PER_SEC); + dispatch_resume(self.timer); + } +} + +-(void)_onqueueRecheck:(SCNetworkReachabilityFlags)flags { + dispatch_assert_queue(self.queue); + + const SCNetworkReachabilityFlags reachabilityFlags = + kSCNetworkReachabilityFlagsReachable + | kSCNetworkReachabilityFlagsConnectionAutomatic +#if TARGET_OS_IPHONE + | kSCNetworkReachabilityFlagsIsWWAN +#endif + ; + + bool hadNetwork = self.haveNetwork; + self.haveNetwork = !!(flags & reachabilityFlags); + + if(hadNetwork != self.haveNetwork) { + if(self.haveNetwork) { + // We're have network now + [self _onQueueRunReachablityDependency]; + } else { + [self _onQueueResetReachabilityDependency]; + } + } +} + ++ (SCNetworkReachabilityFlags)getReachabilityFlags:(SCNetworkReachabilityRef)target +{ + SCNetworkReachabilityFlags flags; + if (SCNetworkReachabilityGetFlags(target, &flags)) + return flags; + return 0; +} + +-(void)recheck { + dispatch_sync(self.queue, ^{ + SCNetworkReachabilityFlags flags = [CKKSReachabilityTracker getReachabilityFlags:self.reachability]; + [self _onqueueRecheck:flags]; + }); +} + +-(bool)isNetworkError:(NSError *)error { + if (error == nil) + return false; + return ([error.domain isEqualToString:CKErrorDomain] && + 
(error.code == CKErrorNetworkUnavailable + || error.code == CKErrorNetworkFailure)); +} + +@end + +#endif // OCTAGON + diff --git a/keychain/ckks/CKKSRecordHolder.m b/keychain/ckks/CKKSRecordHolder.m index 13b2a78f..34bca844 100644 --- a/keychain/ckks/CKKSRecordHolder.m +++ b/keychain/ckks/CKKSRecordHolder.m @@ -26,6 +26,7 @@ #include #import +#import #import "CKKSItem.h" #import "CKKSSIV.h" @@ -63,8 +64,7 @@ if(!_encodedCKRecord) { return nil; } - NSKeyedUnarchiver *coder = [[NSKeyedUnarchiver alloc] initForReadingWithData:_encodedCKRecord]; - coder.requiresSecureCoding = YES; + NSKeyedUnarchiver *coder = [[NSKeyedUnarchiver alloc] initForReadingFromData:_encodedCKRecord error:nil]; CKRecord* ckRecord = [[CKRecord alloc] initWithCoder:coder]; [coder finishDecoding]; @@ -79,11 +79,9 @@ self.zoneID = ckRecord.recordID.zoneID; self.ckRecordType = ckRecord.recordType; - NSMutableData* data = [NSMutableData data]; - NSKeyedArchiver *archiver = [[NSKeyedArchiver alloc] initForWritingWithMutableData:data]; + NSKeyedArchiver *archiver = [[NSKeyedArchiver alloc] initRequiringSecureCoding:YES]; [ckRecord encodeWithCoder:archiver]; - [archiver finishEncoding]; - _encodedCKRecord = data; + _encodedCKRecord = archiver.encodedData; } - (CKRecord*) CKRecordWithZoneID: (CKRecordZoneID*) zoneID { diff --git a/keychain/ckks/CKKSReencryptOutgoingItemsOperation.m b/keychain/ckks/CKKSReencryptOutgoingItemsOperation.m index 3b975a66..397516af 100644 --- a/keychain/ckks/CKKSReencryptOutgoingItemsOperation.m +++ b/keychain/ckks/CKKSReencryptOutgoingItemsOperation.m @@ -47,7 +47,7 @@ _ckks = ckks; _ckoperationGroup = ckoperationGroup; - [self addNullableDependency:ckks.viewSetupOperation]; + [self addNullableDependency:ckks.keyStateReadyDependency]; [self addNullableDependency:ckks.holdReencryptOutgoingItemsOperation]; // We also depend on the key hierarchy being reasonable 
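Review bot: `-init` in CKKSReachabilityTracker.m hands `self` to `SCNetworkReachabilitySetCallback` as an unretained `__bridge` context with NULL retain/release callbacks, and the new file has no `dealloc`, so `_reachability` is never released and `callout` would dereference a stale pointer if a tracker were ever deallocated while the target is still scheduled on `_queue`. That is harmless only if every tracker lives for the whole process, which the patch does not show. A `dealloc` that unregisters the callback, unschedules the queue and releases the target closes most of this. The return values of `SCNetworkReachabilitySetDispatchQueue` and `SCNetworkReachabilitySetCallback` are also ignored, so a failed registration silently leaves the tracker dependent on explicit `recheck` calls.

```objective-c
// … unchanged: -init …

- (void)dealloc {
    if(_reachability) {
        // Stop callbacks before the unretained context pointer goes away.
        SCNetworkReachabilitySetCallback(_reachability, NULL, NULL);
        SCNetworkReachabilitySetDispatchQueue(_reachability, NULL);
        CFRelease(_reachability);
        _reachability = NULL;
    }
}
```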
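Review bot: In CKKSRecordHolder.m, `initForReadingFromData:_encodedCKRecord error:nil` discards the reason a stored record failed to open, and a nil `coder` is then passed to `-[CKRecord initWithCoder:]` unchecked. Dropping the explicit `requiresSecureCoding = YES` is fine, since this initializer turns secure coding on by default, but the failure path should be explicit: declare `NSError* localerror = nil;`, pass `error:&localerror`, log it, and add `if(!coder) { return nil; }` before decoding. The getter's first lines are outside the hunk.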
@@ -109,8 +109,8 @@ NSDictionary* item = [CKKSItemEncrypter decryptItemToDictionary: oqe.item error:&error]; if(error) { if ([error.domain isEqualToString:@"securityd"] && error.code == errSecItemNotFound) { - ckkserror("ckksreencrypt", ckks, "Coudn't find key in keychain; attempting to poke key hierarchy: %@", error) - [ckks _onqueueAdvanceKeyStateMachineToState: nil withError: nil]; + ckkserror("ckksreencrypt", ckks, "Coudn't find key in keychain; attempting to poke key hierarchy: %@", error); + [ckks.pokeKeyStateMachineScheduler trigger]; } else { ckkserror("ckksreencrypt", ckks, "Couldn't decrypt item %@: %@", oqe, error); } diff --git a/keychain/ckks/CKKSResultOperation.h b/keychain/ckks/CKKSResultOperation.h index b387ba5b..95a14286 100644 --- a/keychain/ckks/CKKSResultOperation.h +++ b/keychain/ckks/CKKSResultOperation.h @@ -27,6 +27,8 @@ #import #import "keychain/ckks/NSOperationCategories.h" +NS_ASSUME_NONNULL_BEGIN + @class CKKSCondition; #define CKKSResultErrorDomain @"CKKSResultOperationError" @@ -36,11 +38,18 @@ enum { CKKSResultTimedOut = 3, }; +#define CKKSResultDescriptionErrorDomain @"CKKSResultOperationDescriptionError" + @interface CKKSResultOperation : NSBlockOperation -@property NSError* error; -@property NSDate* finishDate; +@property (nullable) NSError* error; +@property (nullable) NSDate* finishDate; @property CKKSCondition* completionHandlerDidRunCondition; +@property NSInteger descriptionErrorCode; // Set to non-0 for inclusion of this operation in NSError chains. Code is application-dependent. + +// If you subclass CKKSResultOperation, this is the method corresponding to descriptionErrorCode. Fill it in to your heart's content. +- (NSError* _Nullable)descriptionError; + // Very similar to addDependency, but: // if the dependent operation has an error or is canceled, cancel this operation - (void)addSuccessDependency:(CKKSResultOperation*)operation; 
@@ -66,7 +75,11 @@ enum { // Call this to prevent the timeout on this operation from occuring. // Upon return, either this operation is cancelled, or the timeout will never fire. - (void)invalidateTimeout; + +// Reports the state of this operation. Used for making up description strings. +- (NSString*)operationStateString; @end +NS_ASSUME_NONNULL_END #endif // OCTAGON diff --git a/keychain/ckks/CKKSResultOperation.m b/keychain/ckks/CKKSResultOperation.m index f92f957f..94612530 100644 --- a/keychain/ckks/CKKSResultOperation.m +++ b/keychain/ckks/CKKSResultOperation.m @@ -54,12 +54,16 @@ return self; } +- (NSString*)operationStateString { + return ([self isFinished] ? [NSString stringWithFormat:@"finished %@", self.finishDate] : + [self isCancelled] ? @"cancelled" : + [self isExecuting] ? @"executing" : + [self isReady] ? @"ready" : + @"pending"); +} + - (NSString*)description { - NSString* state = ([self isFinished] ? [NSString stringWithFormat:@"finished %@", self.finishDate] : - [self isCancelled] ? @"cancelled" : - [self isExecuting] ? @"executing" : - [self isReady] ? @"ready" : - @"pending"); + NSString* state = [self operationStateString]; if(self.error) { return [NSString stringWithFormat: @"<%@: %@ error:%@>", [self selfname], state, self.error]; @@ -86,6 +90,10 @@ strongSelf.finishingBlock(); completionBlock(); [strongSelf.completionHandlerDidRunCondition fulfill]; + + for (NSOperation *op in strongSelf.dependencies) { + [strongSelf removeDependency:op]; + } }]; } 
@@ -109,14 +117,57 @@ }); } +- (NSError* _Nullable)dependenciesDescriptionError { + NSError* underlyingReason = nil; + NSArray* dependencies = [self.dependencies copy]; + dependencies = [dependencies objectsAtIndexes: [dependencies indexesOfObjectsPassingTest: ^BOOL (id obj, + NSUInteger idx, + BOOL* stop) { + return [obj isFinished] ? NO : YES; + }]]; + + for(NSOperation* dependency in dependencies) { + if([dependency isKindOfClass:[CKKSResultOperation class]]) { + CKKSResultOperation* ro = (CKKSResultOperation*)dependency; + underlyingReason = [ro descriptionError] ?: underlyingReason; + } + } + + return underlyingReason; +} + +// Returns, for this CKKSResultOperation, an error describing this operation or its dependents. +// Used mainly by other CKKSResultOperations who time out waiting for this operation to start/complete. +- (NSError* _Nullable)descriptionError { + if(self.descriptionErrorCode != 0) { + return [NSError errorWithDomain:CKKSResultDescriptionErrorDomain + code:self.descriptionErrorCode + userInfo:nil]; + } else { + return [self dependenciesDescriptionError]; + } +} + +- (NSError*)_onqueueTimeoutError { + // Find if any of our dependencies are CKKSResultOperations with a custom reason for existing + + NSError* underlyingReason = [self descriptionError]; + + NSError* error = [NSError errorWithDomain:CKKSResultErrorDomain + code:CKKSResultTimedOut + description:[NSString stringWithFormat:@"Operation(%@) timed out waiting to start for [%@]", + [self selfname], + [self pendingDependenciesString:@""]] + underlying:underlyingReason]; + return error; +} + - (instancetype)timeout:(dispatch_time_t)timeout { __weak __typeof(self) weakSelf = self; dispatch_after(dispatch_time(DISPATCH_TIME_NOW, timeout), self.timeoutQueue, ^{ __strong __typeof(self) strongSelf = weakSelf; if(strongSelf.timeoutCanOccur) { - strongSelf.error = [NSError errorWithDomain:CKKSResultErrorDomain - code:CKKSResultTimedOut - description:[NSString stringWithFormat:@"Operation(%@) timed 
out waiting to start for [%@]", [self selfname], [self pendingDependenciesString:@""]]]; + strongSelf.error = [self _onqueueTimeoutError]; strongSelf.timeoutCanOccur = false; [strongSelf cancel]; } @@ -167,7 +218,10 @@ // Already a subresult, just copy it on in self.error = op.error; } else { - self.error = [NSError errorWithDomain:CKKSResultErrorDomain code: CKKSResultSubresultError userInfo:@{ NSUnderlyingErrorKey: op.error}]; + self.error = [NSError errorWithDomain:CKKSResultErrorDomain + code:CKKSResultSubresultError + description:@"Success-dependent operation failed" + underlying:op.error]; } } } diff --git a/keychain/ckks/CKKSScanLocalItemsOperation.h b/keychain/ckks/CKKSScanLocalItemsOperation.h index b1b7754d..2f2d2705 100644 --- a/keychain/ckks/CKKSScanLocalItemsOperation.h +++ b/keychain/ckks/CKKSScanLocalItemsOperation.h @@ -36,6 +36,8 @@ @property size_t recordsFound; @property size_t recordsAdded; +@property size_t missingLocalItemsFound; + - (instancetype)init NS_UNAVAILABLE; - (instancetype)initWithCKKSKeychainView:(CKKSKeychainView*)ckks ckoperationGroup:(CKOperationGroup*)ckoperationGroup; diff --git a/keychain/ckks/CKKSScanLocalItemsOperation.m b/keychain/ckks/CKKSScanLocalItemsOperation.m index cc42a1d5..a60a5ff0 100644 --- a/keychain/ckks/CKKSScanLocalItemsOperation.m +++ b/keychain/ckks/CKKSScanLocalItemsOperation.m @@ -23,10 +23,12 @@ #if OCTAGON +#import "keychain/ckks/CKKSAnalytics.h" #import "keychain/ckks/CKKSKeychainView.h" #import "keychain/ckks/CKKSNearFutureScheduler.h" #import "keychain/ckks/CKKSScanLocalItemsOperation.h" #import "keychain/ckks/CKKSMirrorEntry.h" +#import "keychain/ckks/CKKSIncomingQueueEntry.h" #import "keychain/ckks/CKKSOutgoingQueueEntry.h" #import "keychain/ckks/CKKSGroupOperation.h" #import "keychain/ckks/CKKSKey.h" 
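Review bot: In the `timeout:` block, the new line `strongSelf.error = [self _onqueueTimeoutError];` refers to `self` rather than `strongSelf`, so the block captures the operation strongly and the `weakSelf` declared just above does not stop the pending `dispatch_after` from holding the operation until the timeout fires. Write it as `strongSelf.error = [strongSelf _onqueueTimeoutError];`. `descriptionError` is declared in the public header while `_onqueueTimeoutError` carries an `_onqueue` prefix, and neither says which queue it expects to run on. A one-line comment on each would settle that, presumably `timeoutQueue` for the latter. `dependenciesDescriptionError` keeps the last non-nil error it finds among unfinished dependencies, which is worth stating in its comment since only one reason survives.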
@@ -39,10 +41,13 @@ #include #include #include +#include +#import +#import @interface CKKSScanLocalItemsOperation () @property CKOperationGroup* ckoperationGroup; -@property (assign) NSUInteger processsedItems; +@property (assign) NSUInteger processedItems; @end @implementation CKKSScanLocalItemsOperation @@ -82,6 +87,9 @@ __block NSError* error = nil; __block bool newEntries = false; + // We want this set to be empty after scanning, or else the keychain (silently) dropped something on the floor + NSMutableSet* mirrorUUIDs = [NSMutableSet setWithArray:[CKKSMirrorEntry allUUIDs:ckks.zoneID error:&error]]; + // Must query per-class, so: const SecDbSchema *newSchema = current_schema(); for (const SecDbClass *const *class = newSchema->classes; *class != NULL; class++) { @@ -116,7 +124,7 @@ return SecDbItemQuery(q, NULL, dbt, &cferror, ^(SecDbItemRef item, bool *stop) { ckksnotice("ckksscan", ckks, "scanning item: %@", item); - self.processsedItems += 1; + self.processedItems += 1; SecDbItemRef itemToSave = NULL; @@ -179,6 +187,7 @@ if ([CKKSManifest shouldSyncManifests]) { [itemsForManifest addObject:ckme.item]; } + [mirrorUUIDs removeObject:uuid]; ckksinfo("ckksscan", ckks, "Existing mirror entry with UUID %@", uuid); return; } 
@@ -243,7 +252,45 @@ } } - //[CKKSPowerCollection CKKSPowerEvent:kCKKSPowerEventScanLocalItems zone:ckks.zoneName count:self.processsedItems]; + // We're done checking local keychain for extra items, now let's make sure the mirror doesn't have extra items, either + if (mirrorUUIDs.count > 0) { + ckksnotice("ckksscan", ckks, "keychain missing %lu items from mirror, proceeding with queue scanning", mirrorUUIDs.count); + [mirrorUUIDs minusSet:[NSSet setWithArray:[CKKSIncomingQueueEntry allUUIDs:ckks.zoneID error:&error]]]; + if (error) { + ckkserror("ckksscan", ckks, "unable to inspect incoming queue: %@", error); + self.error = error; + return false; + } + + [mirrorUUIDs minusSet:[NSSet setWithArray:[CKKSOutgoingQueueEntry allUUIDs:ckks.zoneID error:&error]]]; + if (error) { + ckkserror("ckksscan", ckks, "unable to inspect outgoing queue: %@", error); + self.error = error; + return false; + } + + if (mirrorUUIDs.count > 0) { + ckkserror("ckksscan", ckks, "BUG: keychain missing %lu items from mirror and/or queues: %@", mirrorUUIDs.count, mirrorUUIDs); + self.missingLocalItemsFound = mirrorUUIDs.count; + + [[CKKSAnalytics logger] logMetric:[NSNumber numberWithUnsignedInteger:mirrorUUIDs.count] withName:CKKSEventMissingLocalItemsFound]; + + for (NSString* uuid in mirrorUUIDs) { + CKKSMirrorEntry* ckme = [CKKSMirrorEntry tryFromDatabase:uuid zoneID:ckks.zoneID error:&error]; + [ckks _onqueueCKRecordChanged:ckme.item.storedCKRecord resync:true]; + } + + // And, if you're not in the tests, try to collect a sysdiagnose I guess? 
+ // Re-enable IMCore autosysdiagnose capture to securityd + //if(SecIsInternalRelease() && !SecCKKSTestsEnabled()) { + // [[IMCloudKitHooks sharedInstance] tryToAutoCollectLogsWithErrorString:@"35810558" sendLogsTo:@"rowdy_bot@icloud.com"]; + //} + } else { + ckksnotice("ckksscan", ckks, "No missing local items found"); + } + } + + [CKKSPowerCollection CKKSPowerEvent:kCKKSPowerEventScanLocalItems zone:ckks.zoneName count:self.processedItems]; if ([CKKSManifest shouldSyncManifests]) { // TODO: this manifest needs to incorporate peer manifests @@ -272,6 +319,10 @@ [ckks processOutgoingQueue:self.ckoperationGroup]; } + if(self.missingLocalItemsFound > 0) { + [ckks processIncomingQueue:false]; + } + ckksnotice("ckksscan", ckks, "Completed scan"); ckks.droppedItems = false; return true; diff --git a/keychain/ckks/CKKSSynchronizeOperation.m b/keychain/ckks/CKKSSynchronizeOperation.m index c1c77318..16434514 100644 --- a/keychain/ckks/CKKSSynchronizeOperation.m +++ b/keychain/ckks/CKKSSynchronizeOperation.m @@ -94,7 +94,9 @@ [self dependOnBeforeGroupFinished:outgoingOp]; // Step 2 - CKKSFetchAllRecordZoneChangesOperation* fetchOp = [[CKKSFetchAllRecordZoneChangesOperation alloc] initWithCKKSKeychainView:ckks ckoperationGroup:operationGroup]; + CKKSFetchAllRecordZoneChangesOperation* fetchOp = [[CKKSFetchAllRecordZoneChangesOperation alloc] initWithCKKSKeychainView:ckks + fetchReasons:[NSSet setWithObject:CKKSFetchBecauseResync] + ckoperationGroup:operationGroup]; fetchOp.name = [NSString stringWithFormat: @"resync-step%u-fetch", self.restartCount * steps + 2]; [fetchOp addSuccessDependency: outgoingOp]; [self runBeforeGroupFinished: fetchOp]; 
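Review bot: In the loop over `mirrorUUIDs`, the result of `[CKKSMirrorEntry tryFromDatabase:uuid zoneID:ckks.zoneID error:&error]` is used without checking `ckme` or `error`, so a failed load hands a nil record to `_onqueueCKRecordChanged:resync:` and leaves the failure in the shared `error` variable. Guard it with `if(!ckme || error) { ckkserror("ckksscan", ckks, "couldn't load mirror entry %@: %@", uuid, error); continue; }`. The `[CKKSMirrorEntry allUUIDs:ckks.zoneID error:&error]` call added in the `@@ -82,6 +87,9 @@` hunk is also unchecked: if it fails, the set starts empty and this consistency check reports nothing missing. The commented-out sysdiagnose lines would be better as a tracked TODO than as dead code. The enclosing block begins outside this hunk.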
@@ -108,7 +110,9 @@ // Now, get serious: // Step 4 - CKKSFetchAllRecordZoneChangesOperation* fetchAllOp = [[CKKSFetchAllRecordZoneChangesOperation alloc] initWithCKKSKeychainView:ckks ckoperationGroup:operationGroup]; + CKKSFetchAllRecordZoneChangesOperation* fetchAllOp = [[CKKSFetchAllRecordZoneChangesOperation alloc] initWithCKKSKeychainView:ckks + fetchReasons:[NSSet setWithObject:CKKSFetchBecauseResync] + ckoperationGroup:operationGroup]; fetchAllOp.resync = true; fetchAllOp.name = [NSString stringWithFormat: @"resync-step%u-fetchAll", self.restartCount * steps + 4]; [fetchAllOp addSuccessDependency: incomingOp]; diff --git a/keychain/ckks/CKKSTLKShare.h b/keychain/ckks/CKKSTLKShare.h index 239e492a..18f590a8 100644 --- a/keychain/ckks/CKKSTLKShare.h +++ b/keychain/ckks/CKKSTLKShare.h @@ -69,6 +69,8 @@ typedef NS_ENUM(NSUInteger, SecCKKSTLKShareVersion) { poisoned:(NSInteger)poisoned error:(NSError**)error; +- (bool)signatureVerifiesWithPeerSet:(NSSet>*)peerSet error:(NSError**)error; + // Database loading + (instancetype _Nullable)fromDatabase:(NSString*)uuid receiverPeerID:(NSString*)receiverPeerID diff --git a/keychain/ckks/CKKSTLKShare.m b/keychain/ckks/CKKSTLKShare.m index fd3b269a..20f7b6ff 100644 --- a/keychain/ckks/CKKSTLKShare.m +++ b/keychain/ckks/CKKSTLKShare.m @@ -23,6 +23,8 @@ #if OCTAGON +#import + #import "keychain/ckks/CKKSTLKShare.h" #import "keychain/ckks/CKKSPeer.h" #import "keychain/ckks/CloudKitCategories.h" @@ -95,7 +97,7 @@ } - (NSString*)description { - return [NSString stringWithFormat:@"", self.tlkUUID, self.receiver.peerID, self.senderPeerID]; + return [NSString stringWithFormat:@"", self.tlkUUID, self.receiver, self.senderPeerID]; } - (NSData*)wrap:(CKKSKey*)key publicKey:(SFECPublicKey*)receiverPublicKey error:(NSError* __autoreleasing *)error { 
@@ -108,18 +110,15 @@ SFIESCiphertext* ciphertext = [sfieso encrypt:plaintext withKey:receiverPublicKey error:error]; // Now use NSCoding to turn the ciphertext into something transportable - NSMutableData* data = [NSMutableData data]; - NSKeyedArchiver *archiver = [[NSKeyedArchiver alloc] initForWritingWithMutableData:data]; + NSKeyedArchiver *archiver = [[NSKeyedArchiver alloc] initRequiringSecureCoding:YES]; [ciphertext encodeWithCoder:archiver]; - [archiver finishEncoding]; - return data; + return archiver.encodedData; } - (CKKSKey*)unwrapUsing:(id)localPeer error:(NSError * __autoreleasing *)error { // Unwrap the ciphertext using NSSecureCoding - NSKeyedUnarchiver *coder = [[NSKeyedUnarchiver alloc] initForReadingWithData:self.wrappedTLK]; - coder.requiresSecureCoding = YES; + NSKeyedUnarchiver *coder = [[NSKeyedUnarchiver alloc] initForReadingFromData:self.wrappedTLK error:nil]; SFIESCiphertext* ciphertext = [[SFIESCiphertext alloc] initWithCoder:coder]; [coder finishDecoding]; @@ -229,6 +228,16 @@ } - (bool)verifySignature:(NSData*)signature verifyingPeer:(id)peer error:(NSError* __autoreleasing *)error { + if(!peer.publicSigningKey) { + secerror("ckksshare: no signing key for peer: %@", peer); + if(error) { + *error = [NSError errorWithDomain:CKKSErrorDomain + code:CKKSNoSigningKey + description:[NSString stringWithFormat:@"Peer(%@) has no signing key", peer]]; + } + return false; + } + // TODO: the digest operation can't be changed, as we don't have a good way of communicating it, like self.curve SFEC_X962SigningOperation* xso = [[SFEC_X962SigningOperation alloc] initWithKeySpecifier:[[SFECKeySpecifier alloc] initWithCurve:self.curve] digestOperation:[[SFSHA256DigestOperation alloc] init]]; 
@@ -238,6 +247,35 @@ return ret; } +- (bool)signatureVerifiesWithPeerSet:(NSSet>*)peerSet error:(NSError**)error { + NSError* lastVerificationError = nil; + for(id peer in peerSet) { + if([peer.peerID isEqualToString: self.senderPeerID]) { + // Does the signature verify using this peer? + NSError* localerror = nil; + bool isSigned = [self verifySignature:self.signature verifyingPeer:peer error:&localerror]; + if(localerror) { + secerror("ckksshare: signature didn't verify for %@ %@: %@", self, peer, localerror); + lastVerificationError = localerror; + } + if(isSigned) { + return true; + } + } + } + + if(error) { + if(lastVerificationError) { + *error = lastVerificationError; + } else { + *error = [NSError errorWithDomain:CKKSErrorDomain + code:CKKSNoTrustedTLKShares + description:[NSString stringWithFormat:@"No TLK share from %@", self.senderPeerID]]; + } + } + return false; +} + - (instancetype)copyWithZone:(NSZone *)zone { CKKSTLKShare* share = [[[self class] allocWithZone:zone] init]; share.curve = self.curve; diff --git a/keychain/ckks/CKKSUpdateCurrentItemPointerOperation.h b/keychain/ckks/CKKSUpdateCurrentItemPointerOperation.h index 3cdbdd92..47465f9f 100644 --- a/keychain/ckks/CKKSUpdateCurrentItemPointerOperation.h +++ b/keychain/ckks/CKKSUpdateCurrentItemPointerOperation.h 
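Review bot: `signatureVerifiesWithPeerSet:error:` has no comment stating its contract, and that contract is the trust decision. It returns true only when some peer in `peerSet` has a `peerID` equal to `self.senderPeerID` and `verifySignature:verifyingPeer:error:` succeeds for that peer, and it returns false for an empty set or an unknown sender. I would state that in a comment on the declaration in CKKSTLKShare.h. The fallback description `@"No TLK share from %@"` reads backwards when no peer matched, since the share exists and it is the trusted peer that is missing. Something like `@"No trusted peer %@ to verify TLK share"` would be clearer in logs.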
@@ -21,21 +21,28 @@ * @APPLE_LICENSE_HEADER_END@ */ +#if OCTAGON + #import "keychain/ckks/CKKSGroupOperation.h" #import "keychain/ckks/CKKSKeychainView.h" +NS_ASSUME_NONNULL_BEGIN -#if OCTAGON @interface CKKSUpdateCurrentItemPointerOperation : CKKSGroupOperation -@property (weak) CKKSKeychainView* ckks; +@property (weak,nullable) CKKSKeychainView* ckks; + +@property NSString* currentPointerIdentifier; - (instancetype)init NS_UNAVAILABLE; -- (instancetype)initWithCKKSKeychainView:(CKKSKeychainView*)ckks - currentPointer:(NSString*)identifier - oldItemUUID:(NSString*)oldItemUUID - oldItemHash:(NSData*)oldItemHash - newItemUUID:(NSString*)newItemUUID - ckoperationGroup:(CKOperationGroup*)ckoperationGroup; +- (instancetype)initWithCKKSKeychainView:(CKKSKeychainView* _Nonnull)ckks + newItem:(NSData* _Nonnull)newItemPersistentRef + hash:(NSData* _Nonnull)newItemSHA1 + accessGroup:(NSString* _Nonnull)accessGroup + identifier:(NSString* _Nonnull)identifier + replacing:(NSData* _Nullable)oldCurrentItemPersistentRef + hash:(NSData* _Nullable)oldItemSHA1 + ckoperationGroup:(CKOperationGroup* _Nullable)ckoperationGroup; @end +NS_ASSUME_NONNULL_END #endif // OCTAGON diff --git a/keychain/ckks/CKKSUpdateCurrentItemPointerOperation.m b/keychain/ckks/CKKSUpdateCurrentItemPointerOperation.m index 39a2d886..95efedba 100644 --- a/keychain/ckks/CKKSUpdateCurrentItemPointerOperation.m +++ b/keychain/ckks/CKKSUpdateCurrentItemPointerOperation.m 
@@ -31,39 +31,62 @@ #import "keychain/ckks/CKKSManifest.h" #import "keychain/ckks/CloudKitCategories.h" +#include +#include +#include +#include +#include #import @interface CKKSUpdateCurrentItemPointerOperation () -@property CKModifyRecordsOperation* modifyRecordsOperation; -@property CKOperationGroup* ckoperationGroup; +@property (nullable) CKModifyRecordsOperation* modifyRecordsOperation; +@property (nullable) CKOperationGroup* ckoperationGroup; -@property NSString* currentPointerIdentifier; -@property NSString* oldCurrentItemUUID; -@property NSData* oldCurrentItemHash; -@property NSString* currentItemUUID; +@property (nonnull) NSString* accessGroup; + +@property (nonnull) NSData* newerItemPersistentRef; +@property (nonnull) NSData* newerItemSHA1; +@property (nullable) NSData* oldItemPersistentRef; +@property (nullable) NSData* oldItemSHA1; + +// Store these as properties, so we can release them in our -dealloc +@property (nullable) SecDbItemRef newItem; +@property (nullable) SecDbItemRef oldItem; @end @implementation CKKSUpdateCurrentItemPointerOperation -- (instancetype)initWithCKKSKeychainView:(CKKSKeychainView*) ckks - currentPointer:(NSString*)identifier - oldItemUUID:(NSString*)oldItemUUID - oldItemHash:(NSData*)oldItemHash - newItemUUID:(NSString*)newItemUUID +- (instancetype)initWithCKKSKeychainView:(CKKSKeychainView*)ckks + newItem:(NSData*)newItemPersistentRef + hash:(NSData*)newItemSHA1 + accessGroup:(NSString*)accessGroup + identifier:(NSString*)identifier + replacing:(NSData* _Nullable)oldCurrentItemPersistentRef + hash:(NSData*)oldItemSHA1 ckoperationGroup:(CKOperationGroup*)ckoperationGroup { if((self = [super init])) { _ckks = ckks; - _currentPointerIdentifier = identifier; - _oldCurrentItemUUID = oldItemUUID; - _oldCurrentItemHash = oldItemHash; - _currentItemUUID = newItemUUID; - _ckoperationGroup = ckoperationGroup; + _newerItemPersistentRef = newItemPersistentRef; + _newerItemSHA1 = newItemSHA1; + _oldItemPersistentRef = 
oldCurrentItemPersistentRef; + _oldItemSHA1 = oldItemSHA1; + + _accessGroup = accessGroup; + + _currentPointerIdentifier = [NSString stringWithFormat:@"%@-%@", accessGroup, identifier]; } return self; } +- (void)dealloc { + if(self) { + CFReleaseNull(self->_newItem); + CFReleaseNull(self->_oldItem); + } +} + - (void)groupStart { CKKSKeychainView* ckks = self.ckks; if(!ckks) { 
@@ -78,11 +101,75 @@ [ckks dispatchSyncWithAccountKeys:^bool { if(self.cancelled) { - ckksnotice("ckksscan", ckks, "CKKSUpdateCurrentItemPointerOperation cancelled, quitting"); + ckksnotice("ckkscurrent", ckks, "CKKSUpdateCurrentItemPointerOperation cancelled, quitting"); return false; } NSError* error = nil; + CFErrorRef cferror = NULL; + + NSString* newItemUUID = nil; + NSString* oldCurrentItemUUID = nil; + + self.newItem = [self _onqueueFindSecDbItem:self.newerItemPersistentRef accessGroup:self.accessGroup error:&error]; + if(!self.newItem || error) { + ckksnotice("ckkscurrent", ckks, "Couldn't fetch new item, quitting: %@", error); + self.error = error; + return false; + } + + // Now that we're on the db queue, ensure that the given hashes for the items match the hashes as they are now. + // That is, the items haven't changed since the caller knew about the item. + NSData* newItemComputedSHA1 = (NSData*) CFBridgingRelease(CFRetainSafe(SecDbItemGetSHA1(self.newItem, &cferror))); + if(!newItemComputedSHA1 || cferror || + ![newItemComputedSHA1 isEqual:self.newerItemSHA1]) { + ckksnotice("ckkscurrent", ckks, "Hash mismatch for new item: %@ vs %@", newItemComputedSHA1, self.newerItemSHA1); + self.error = [NSError errorWithDomain:CKKSErrorDomain + code:CKKSItemChanged + description:@"New item has changed; hashes mismatch. Refetch and try again." 
+ underlying:(NSError*)CFBridgingRelease(cferror)]; + return false; + } + + newItemUUID = (NSString*) CFBridgingRelease(CFRetainSafe(SecDbItemGetValue(self.newItem, &v10itemuuid, &cferror))); + if(!newItemUUID || cferror) { + ckkserror("ckkscurrent", ckks, "Error fetching UUID for new item: %@", cferror); + self.error = (NSError*) CFBridgingRelease(cferror); + return false; + } + + // If the old item is nil, that's an indicator that the old item isn't expected to exist in the keychain anymore + NSData* oldCurrentItemHash = nil; + if(self.oldItemPersistentRef) { + self.oldItem = [self _onqueueFindSecDbItem:self.oldItemPersistentRef accessGroup:self.accessGroup error:&error]; + if(!self.oldItem || error) { + ckksnotice("ckkscurrent", ckks, "Couldn't fetch old item, quitting: %@", error); + self.error = error; + return false; + } + + oldCurrentItemHash = (NSData*) CFBridgingRelease(CFRetainSafe(SecDbItemGetSHA1(self.oldItem, &cferror))); + if(!oldCurrentItemHash || cferror || + ![oldCurrentItemHash isEqual:self.oldItemSHA1]) { + ckksnotice("ckkscurrent", ckks, "Hash mismatch for old item: %@ vs %@", oldCurrentItemHash, self.oldItemSHA1); + self.error = [NSError errorWithDomain:CKKSErrorDomain + code:CKKSItemChanged + description:@"Old item has changed; hashes mismatch. Refetch and try again." + underlying:(NSError*)CFBridgingRelease(cferror)]; + return false; + } + + oldCurrentItemUUID = (NSString*) CFBridgingRelease(CFRetainSafe(SecDbItemGetValue(self.oldItem, &v10itemuuid, &cferror))); + if(!oldCurrentItemUUID || cferror) { + ckkserror("ckkscurrent", ckks, "Error fetching UUID for old item: %@", cferror); + self.error = (NSError*) CFBridgingRelease(cferror); + return false; + } + } + + ////////////////////////////// + // At this point, we've completed all the checks we need for the SecDbItems. Try to launch this boat! 
+ ckksnotice("ckkscurrent", ckks, "Setting current pointer for %@ to %@ (from %@)", self.currentPointerIdentifier, newItemUUID, oldCurrentItemUUID); // Ensure that there's no pending pointer update CKKSCurrentItemPointer* cipPending = [CKKSCurrentItemPointer tryFromDatabase:self.currentPointerIdentifier state:SecCKKSProcessedStateRemote zoneID:ckks.zoneID error:&error]; 
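Review bot: The two UUID lookups in `groupStart` can fail without recording an error: `if(!newItemUUID || cferror)` assigns `self.error = (NSError*) CFBridgingRelease(cferror);`, which is nil whenever `SecDbItemGetValue` returned NULL without filling `cferror`, and the old-item branch has the same shape. If that can happen, the operation returns false with `self.error` unset. Build an explicit `CKKSErrorDomain` error with the bridged `cferror` as `underlying:`, as the hash-mismatch branches above already do. Those hash branches also log "Hash mismatch" when the SHA1 could not be computed at all, so a separate message for `!newItemComputedSHA1 || cferror` would make that case easier to tell apart. The block continues past the end of this hunk.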
@@ -103,42 +190,46 @@ // have a CIP, but it points to a deleted keychain item. // In that case, we shouldn't error out. // - if(self.oldCurrentItemHash && ![cip.currentItemUUID isEqualToString: self.oldCurrentItemUUID]) { + if(oldCurrentItemHash && ![cip.currentItemUUID isEqualToString: oldCurrentItemUUID]) { - ckksnotice("ckkscurrent", ckks, "Caller's idea of the current item pointer %@ doesn't match (%@); rejecting change of current", cip, self.oldCurrentItemUUID); + ckksnotice("ckkscurrent", ckks, "current item pointer(%@) doesn't match user-supplied UUID (%@); rejecting change of current", cip, oldCurrentItemUUID); self.error = [NSError errorWithDomain:CKKSErrorDomain code:CKKSItemChanged - description:[NSString stringWithFormat:@"Current pointer(%@) does not match user-supplied %@, aborting", cip, self.oldCurrentItemUUID]]; + description:[NSString stringWithFormat:@"Current pointer(%@) does not match user-supplied %@, aborting", cip, oldCurrentItemUUID]]; return false; } // Cool. Since you know what you're updating, you're allowed to update! - cip.currentItemUUID = self.currentItemUUID; + cip.currentItemUUID = newItemUUID; - } else if(self.oldCurrentItemUUID) { + } else if(oldCurrentItemUUID) { // Error case: the client thinks there's a current pointer, but we don't have one ckksnotice("ckkscurrent", ckks, "Requested to update a current item pointer but one doesn't exist at %@; rejecting change of current", self.currentPointerIdentifier); self.error = [NSError errorWithDomain:CKKSErrorDomain code:CKKSItemChanged - description:[NSString stringWithFormat:@"Current pointer(%@) does not match given value of '%@', aborting", cip, self.oldCurrentItemUUID]]; + description:[NSString stringWithFormat:@"Current pointer(%@) does not match given value of '%@', aborting", cip, oldCurrentItemUUID]]; return false; } else { // No current item pointer? How exciting! Let's make you a nice new one. 
- cip = [[CKKSCurrentItemPointer alloc] initForIdentifier:self.currentPointerIdentifier currentItemUUID:self.currentItemUUID state:SecCKKSProcessedStateLocal zoneID:ckks.zoneID encodedCKRecord:nil]; + cip = [[CKKSCurrentItemPointer alloc] initForIdentifier:self.currentPointerIdentifier + currentItemUUID:newItemUUID + state:SecCKKSProcessedStateLocal + zoneID:ckks.zoneID + encodedCKRecord:nil]; ckksnotice("ckkscurrent", ckks, "Creating a new current item pointer: %@", cip); } // Check if either item is currently in any sync queue, and fail if so NSArray* oqes = [CKKSOutgoingQueueEntry allUUIDs:ckks.zoneID error:&error]; NSArray* iqes = [CKKSIncomingQueueEntry allUUIDs:ckks.zoneID error:&error]; - if([oqes containsObject:self.currentItemUUID] || [iqes containsObject:self.currentItemUUID]) { + if([oqes containsObject:newItemUUID] || [iqes containsObject:newItemUUID]) { error = [NSError errorWithDomain:CKKSErrorDomain code:CKKSLocalItemChangePending - description:[NSString stringWithFormat:@"New item(%@) is being synced; can't set current pointer.", self.currentItemUUID]]; + description:[NSString stringWithFormat:@"New item(%@) is being synced; can't set current pointer.", newItemUUID]]; } - if([oqes containsObject: self.oldCurrentItemUUID] || [iqes containsObject:self.oldCurrentItemUUID]) { + if([oqes containsObject:oldCurrentItemUUID] || [iqes containsObject:oldCurrentItemUUID]) { error = [NSError errorWithDomain:CKKSErrorDomain code:CKKSLocalItemChangePending - description:[NSString stringWithFormat:@"Old item(%@) is being synced; can't set current pointer.", self.oldCurrentItemUUID]]; + description:[NSString stringWithFormat:@"Old item(%@) is being synced; can't set current pointer.", oldCurrentItemUUID]]; } if(error) { 
@@ -161,7 +252,7 @@ } if ([CKKSManifest shouldSyncManifests]) { - [ckks.egoManifest setCurrentItemUUID:self.currentItemUUID forIdentifier:self.currentPointerIdentifier]; + [ckks.egoManifest setCurrentItemUUID:newItemUUID forIdentifier:self.currentPointerIdentifier]; } ckksnotice("ckkscurrent", ckks, "Saving new current item pointer %@", cip); @@ -183,8 +274,7 @@ self.modifyRecordsOperation = [[CKModifyRecordsOperation alloc] initWithRecordsToSave:recordsToSave.allValues recordIDsToDelete:nil]; self.modifyRecordsOperation.atomic = TRUE; - self.modifyRecordsOperation.timeoutIntervalForRequest = 2; - self.modifyRecordsOperation.qualityOfService = NSQualityOfServiceUtility; + self.modifyRecordsOperation.qualityOfService = NSQualityOfServiceUserInitiated; // We're likely rolling a PCS identity, or creating a new one. User cares. self.modifyRecordsOperation.savePolicy = CKRecordSaveIfServerRecordUnchanged; self.modifyRecordsOperation.group = self.ckoperationGroup; 
@@ -265,6 +355,79 @@ }]; } +- (SecDbItemRef _Nullable)_onqueueFindSecDbItem:(NSData*)persistentRef accessGroup:(NSString*)accessGroup error:(NSError**)error { + __block SecDbItemRef blockItem = NULL; + CFErrorRef cferror = NULL; + __block NSError* localerror = NULL; + + CKKSKeychainView* ckks = self.ckks; + bool ok = kc_with_dbt(true, &cferror, ^bool (SecDbConnectionRef dbt) { + // Find the items from their persistent refs. + CFErrorRef blockcfError = NULL; + Query *q = query_create_with_limit( (__bridge CFDictionaryRef) @{ + (__bridge NSString *)kSecValuePersistentRef : persistentRef, + (__bridge NSString *)kSecAttrAccessGroup : accessGroup, + }, + NULL, + 1, + &blockcfError); + if(blockcfError || !q) { + ckkserror("ckkscurrent", ckks, "couldn't create query for item persistentRef: %@", blockcfError); + localerror = [NSError errorWithDomain:CKKSErrorDomain + code:errSecParam + description:@"couldn't create query for new item pref" + underlying:(NSError*)CFBridgingRelease(blockcfError)]; + return false; + } + + if(!SecDbItemQuery(q, NULL, dbt, &blockcfError, ^(SecDbItemRef item, bool *stop) { + blockItem = CFRetainSafe(item); + })) { + query_destroy(q, NULL); + ckkserror("ckkscurrent", ckks, "couldn't run query for item pref: %@", blockcfError); + localerror = [NSError errorWithDomain:CKKSErrorDomain + code:errSecParam + description:@"couldn't run query for new item pref" + underlying:(NSError*)CFBridgingRelease(blockcfError)]; + return false; + } + + if(!query_destroy(q, &blockcfError)) { + ckkserror("ckkscurrent", ckks, "couldn't destroy query for item pref: %@", blockcfError); + localerror = [NSError errorWithDomain:CKKSErrorDomain + code:errSecParam + description:@"couldn't destroy query for item pref" + underlying:(NSError*)CFBridgingRelease(blockcfError)]; + return false; + } + return true; + }); + + if(!ok || localerror) { + if(localerror) { + ckkserror("ckkscurrent", ckks, "Query failed: %@", localerror); + if(error) { + *error = localerror; + } + } else { 
+ ckkserror("ckkscurrent", ckks, "Query failed, cferror is %@", cferror); + localerror = [NSError errorWithDomain:CKKSErrorDomain + code:errSecParam + description:@"couldn't run query" + underlying:(NSError*)CFBridgingRelease(cferror)]; + if(*error) { + *error = localerror; + } + } + + CFReleaseSafe(cferror); + return false; + } + + CFReleaseSafe(cferror); + return blockItem; +} + @end #endif // OCTAGON diff --git a/keychain/ckks/CKKSUpdateDeviceStateOperation.m b/keychain/ckks/CKKSUpdateDeviceStateOperation.m index 0a78ec84..6223fcf0 100644 --- a/keychain/ckks/CKKSUpdateDeviceStateOperation.m +++ b/keychain/ckks/CKKSUpdateDeviceStateOperation.m @@ -124,7 +124,6 @@ self.modifyRecordsOperation = [[CKModifyRecordsOperation alloc] initWithRecordsToSave:recordsToSave recordIDsToDelete:nil]; self.modifyRecordsOperation.atomic = TRUE; - self.modifyRecordsOperation.timeoutIntervalForRequest = 2; self.modifyRecordsOperation.qualityOfService = NSQualityOfServiceUtility; self.modifyRecordsOperation.savePolicy = CKRecordSaveAllKeys; // Overwrite anything in CloudKit: this is our state now self.modifyRecordsOperation.group = self.group; diff --git a/keychain/ckks/CKKSViewManager.h b/keychain/ckks/CKKSViewManager.h index 06f24aa7..317930a6 100644 --- a/keychain/ckks/CKKSViewManager.h +++ b/keychain/ckks/CKKSViewManager.h @@ -33,10 +33,12 @@ #import "keychain/ckks/CKKSCondition.h" #import "keychain/ckks/CKKSControlProtocol.h" #import "keychain/ckks/CKKSLockStateTracker.h" +#import "keychain/ckks/CKKSReachabilityTracker.h" #import "keychain/ckks/CKKSNotifier.h" #import "keychain/ckks/CKKSPeer.h" #import "keychain/ckks/CKKSRateLimiter.h" #import "keychain/ckks/CloudKitDependencies.h" +#import "keychain/ot/OTDefines.h" NS_ASSUME_NONNULL_BEGIN 
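Review bot: The failure tail of `_onqueueFindSecDbItem:accessGroup:error:` has three defects. `if(*error)` dereferences the out-parameter without a NULL check and tests the pointee, so a caller that passes `&error` holding nil (as `groupStart` does) never receives the failure; it should read `if(error) { *error = localerror; }`, as in the branch above it. In that same branch `CFBridgingRelease(cferror)` already transfers ownership to ARC, so the `CFReleaseSafe(cferror)` that follows releases the object a second time; add `cferror = NULL;` right after the bridged use. The path also returns `false` from a method typed `SecDbItemRef` and can leak a `blockItem` retained by the query callback when `query_destroy` fails afterwards, so end it with `CFReleaseNull(blockItem); return NULL;`.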
@@ -47,6 +49,7 @@ NS_ASSUME_NONNULL_BEGIN @property CKContainer* container; @property CKKSCKAccountStateTracker* accountTracker; @property CKKSLockStateTracker* lockStateTracker; +@property CKKSReachabilityTracker *reachabilityTracker; @property bool initializeNewZones; // Signaled when SecCKKSInitialize is complete, as it's async and likes to fire after tests are complete @@ -68,7 +71,6 @@ NS_ASSUME_NONNULL_BEGIN - (CKKSKeychainView*)findView:(NSString*)viewName; - (CKKSKeychainView*)findOrCreateView:(NSString*)viewName; -+ (CKKSKeychainView*)findOrCreateView:(NSString*)viewName; - (void)setView:(CKKSKeychainView*)obj; - (void)clearView:(NSString*)viewName; @@ -84,12 +86,12 @@ NS_ASSUME_NONNULL_BEGIN added:(SecDbItemRef _Nullable)added deleted:(SecDbItemRef _Nullable)deleted; -- (void)setCurrentItemForAccessGroup:(SecDbItemRef)newItem +- (void)setCurrentItemForAccessGroup:(NSData* _Nonnull)newItemPersistentRef hash:(NSData*)newItemSHA1 accessGroup:(NSString*)accessGroup identifier:(NSString*)identifier viewHint:(NSString*)viewHint - replacing:(SecDbItemRef _Nullable)oldItem + replacing:(NSData* _Nullable)oldCurrentItemPersistentRef hash:(NSData* _Nullable)oldItemSHA1 complete:(void (^)(NSError* operror))complete; @@ -113,9 +115,6 @@ NS_ASSUME_NONNULL_BEGIN // Called by XPC every 24 hours - (void)xpc24HrNotification; -/* Interface to CCKS control channel */ -- (xpc_endpoint_t)xpcControlEndpoint; - /* White-box testing only */ - (CKKSKeychainView*)restartZone:(NSString*)viewName; @@ -130,6 +129,11 @@ NS_ASSUME_NONNULL_BEGIN - (CKKSSelves* _Nullable)fetchSelfPeers:(NSError* __autoreleasing*)error; - (NSSet>* _Nullable)fetchTrustedPeers:(NSError* __autoreleasing*)error; +// For mocking purposes +- (id _Nullable)currentSOSSelf:(NSError**)error; +- (NSSet>*)pastSelves:(NSError**)error; +- (NSArray* _Nullable)loadRestoredBottledKeysOfType:(OctagonKeyType)keyType error:(NSError**)error; + - (void)sendSelfPeerChangedUpdate; - (void)sendTrustedPeerSetChangedUpdate; 
diff --git a/keychain/ckks/CKKSViewManager.m b/keychain/ckks/CKKSViewManager.m index 1e197fd9..44cadf3f 100644 --- a/keychain/ckks/CKKSViewManager.m +++ b/keychain/ckks/CKKSViewManager.m @@ -31,6 +31,8 @@ #import "keychain/ckks/CKKSCondition.h" #import "keychain/ckks/CloudKitCategories.h" +#import "keychain/ot/OTDefines.h" + #import "SecEntitlements.h" #include @@ -51,7 +53,7 @@ #import #import -#import "CKKSAnalyticsLogger.h" +#import "CKKSAnalytics.h" #endif @interface CKKSViewManager () @@ -78,6 +80,11 @@ #endif @end +#if OCTAGON +@interface CKKSViewManager (lockstateTracker) +@end +#endif + @implementation CKKSViewManager #if OCTAGON @@ -118,6 +125,8 @@ _container = [self makeCKContainer: containerName usePCS:usePCS]; _accountTracker = [[CKKSCKAccountStateTracker alloc] init:self.container nsnotificationCenterClass:nsnotificationCenterClass]; _lockStateTracker = [[CKKSLockStateTracker alloc] init]; + [_lockStateTracker addLockStateObserver:self]; + _reachabilityTracker = [[CKKSReachabilityTracker alloc] init]; _operationQueue = [[NSOperationQueue alloc] init]; @@ -132,7 +141,11 @@ _completedSecCKKSInitialize = [[CKKSCondition alloc] init]; __weak __typeof(self) weakSelf = self; - _savedTLKNotifier = [[CKKSNearFutureScheduler alloc] initWithName: @"newtlks" delay:5*NSEC_PER_SEC keepProcessAlive:true block:^{ + _savedTLKNotifier = [[CKKSNearFutureScheduler alloc] initWithName:@"newtlks" + delay:5*NSEC_PER_SEC + keepProcessAlive:true + dependencyDescriptionCode:CKKSResultDescriptionNone + block:^{ [weakSelf notifyNewTLKsInKeychain]; }]; 
@@ -165,6 +178,88 @@ return container; } +- (void)setupAnalytics +{ + __weak __typeof(self) weakSelf = self; + + // Tests shouldn't continue here; it leads to entitlement crashes with CloudKit if the mocks aren't enabled when this function runs + if(SecCKKSTestsEnabled()) { + return; + } + + [[CKKSAnalytics logger] AddMultiSamplerForName:@"CKKS-healthSummary" withTimeInterval:SFAnalyticsSamplerIntervalOncePerReport block:^NSDictionary *{ + __strong __typeof(self) strongSelf = weakSelf; + if(!strongSelf) { + return nil; + } + + NSMutableDictionary* values = [NSMutableDictionary dictionary]; + BOOL inCircle = (strongSelf.accountTracker.currentCircleStatus == kSOSCCInCircle); + if (inCircle) { + [[CKKSAnalytics logger] setDateProperty:[NSDate date] forKey:CKKSAnalyticsLastInCircle]; + } + values[CKKSAnalyticsInCircle] = @(inCircle); + + BOOL validCredentials = strongSelf.accountTracker.currentCKAccountInfo.hasValidCredentials; + if (!validCredentials) { + values[CKKSAnalyticsValidCredentials] = @(validCredentials); + } + + NSArray* keys = @[ CKKSAnalyticsLastUnlock, CKKSAnalyticsLastInCircle]; + for (NSString * key in keys) { + NSDate *date = [[CKKSAnalytics logger] datePropertyForKey:key]; + values[key] = @([CKKSAnalytics fuzzyDaysSinceDate:date]); + } + return values; + }]; + + for (NSString* viewName in [self viewList]) { + [[CKKSAnalytics logger] AddMultiSamplerForName:[NSString stringWithFormat:@"CKKS-%@-healthSummary", viewName] withTimeInterval:SFAnalyticsSamplerIntervalOncePerReport block:^NSDictionary *{ + __strong __typeof(self) strongSelf = weakSelf; + if(!strongSelf) { + return nil; + } + BOOL inCircle = strongSelf.accountTracker && strongSelf.accountTracker.currentCircleStatus == kSOSCCInCircle; + NSMutableDictionary* values = [NSMutableDictionary dictionary]; + CKKSKeychainView* view = [strongSelf findOrCreateView:viewName]; + NSDate* dateOfLastSyncClassA = [[CKKSAnalytics logger] dateOfLastSuccessForEvent:CKKSEventProcessIncomingQueueClassA 
inView:view]; + NSDate* dateOfLastSyncClassC = [[CKKSAnalytics logger] dateOfLastSuccessForEvent:CKKSEventProcessIncomingQueueClassC inView:view]; + NSDate* dateOfLastKSR = [[CKKSAnalytics logger] datePropertyForKey:CKKSAnalyticsLastKeystateReady inView:view]; + + NSInteger fuzzyDaysSinceClassASync = [CKKSAnalytics fuzzyDaysSinceDate:dateOfLastSyncClassA]; + NSInteger fuzzyDaysSinceClassCSync = [CKKSAnalytics fuzzyDaysSinceDate:dateOfLastSyncClassC]; + NSInteger fuzzyDaysSinceKSR = [CKKSAnalytics fuzzyDaysSinceDate:dateOfLastKSR]; + [values setValue:@(fuzzyDaysSinceClassASync) forKey:[NSString stringWithFormat:@"%@-daysSinceClassASync", viewName]]; + [values setValue:@(fuzzyDaysSinceClassCSync) forKey:[NSString stringWithFormat:@"%@-daysSinceClassCSync", viewName]]; + [values setValue:@(fuzzyDaysSinceKSR) forKey:[NSString stringWithFormat:@"%@-daysSinceLastKeystateReady", viewName]]; + + BOOL hasTLKs = [view.keyHierarchyState isEqualToString:SecCKKSZoneKeyStateReady] || [view.keyHierarchyState isEqualToString:SecCKKSZoneKeyStateReadyPendingUnlock]; + BOOL syncedClassARecently = fuzzyDaysSinceClassASync < 7; + BOOL syncedClassCRecently = fuzzyDaysSinceClassCSync < 7; + BOOL incomingQueueIsErrorFree = view.lastIncomingQueueOperation.error == nil; + BOOL outgoingQueueIsErrorFree = view.lastOutgoingQueueOperation.error == nil; + + NSString* hasTLKsKey = [NSString stringWithFormat:@"%@-%@", viewName, CKKSAnalyticsHasTLKs]; + NSString* syncedClassARecentlyKey = [NSString stringWithFormat:@"%@-%@", viewName, CKKSAnalyticsSyncedClassARecently]; + NSString* syncedClassCRecentlyKey = [NSString stringWithFormat:@"%@-%@", viewName, CKKSAnalyticsSyncedClassCRecently]; + NSString* incomingQueueIsErrorFreeKey = [NSString stringWithFormat:@"%@-%@", viewName, CKKSAnalyticsIncomingQueueIsErrorFree]; + NSString* outgoingQueueIsErrorFreeKey = [NSString stringWithFormat:@"%@-%@", viewName, CKKSAnalyticsOutgoingQueueIsErrorFree]; + + values[hasTLKsKey] = @(hasTLKs); + 
values[syncedClassARecentlyKey] = @(syncedClassARecently); + values[syncedClassCRecentlyKey] = @(syncedClassCRecently); + values[incomingQueueIsErrorFreeKey] = @(incomingQueueIsErrorFree); + values[outgoingQueueIsErrorFreeKey] = @(outgoingQueueIsErrorFree); + + BOOL weThinkWeAreInSync = inCircle && hasTLKs && syncedClassARecently && syncedClassCRecently && incomingQueueIsErrorFree && outgoingQueueIsErrorFree; + NSString* inSyncKey = [NSString stringWithFormat:@"%@-%@", viewName, CKKSAnalyticsInSync]; + values[inSyncKey] = @(weThinkWeAreInSync); + + return values; + }]; + } +} + -(void)dealloc { [self clearAllViews]; } @@ -205,6 +300,13 @@ dispatch_once_t globalZoneStateQueueOnce; return _globalRateLimiter; } +- (void)lockStateChangeNotification:(bool)unlocked +{ + if (unlocked) { + [[CKKSAnalytics logger] setDateProperty:[NSDate date] forKey:CKKSAnalyticsLastUnlock]; + } +} + // Mostly exists to be mocked out. -(NSSet*)viewList { return CFBridgingRelease(SOSViewCopyViewSet(kViewSetCKKS)); @@ -267,6 +369,7 @@ dispatch_once_t globalZoneStateQueueOnce; zoneName: viewName accountTracker: self.accountTracker lockStateTracker: self.lockStateTracker + reachabilityTracker: self.reachabilityTracker savedTLKNotifier: self.savedTLKNotifier peerProvider:self fetchRecordZoneChangesOperationClass: self.fetchRecordZoneChangesOperationClass @@ -284,9 +387,6 @@ dispatch_once_t globalZoneStateQueueOnce; return self.views[viewName]; } } -+ (CKKSKeychainView*)findOrCreateView:(NSString*)viewName { - return [[CKKSViewManager manager] findOrCreateView: viewName]; -} - (NSDictionary *)activeTLKs { @@ -305,6 +405,7 @@ dispatch_once_t globalZoneStateQueueOnce; - (CKKSKeychainView*)restartZone:(NSString*)viewName { @synchronized(self.views) { + [self.views[viewName] halt]; self.views[viewName] = nil; } return [self findOrCreateView: viewName]; 
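Review bot: The per-view sampler block in `setupAnalytics` resolves its view with `[strongSelf findOrCreateView:viewName]`, so taking an analytics sample can create a view as a side effect. `findView:` is declared in CKKSViewManager.h; using `CKKSKeychainView* view = [strongSelf findView:viewName];` followed by `if(!view) { return nil; }` would keep sampling read-only, assuming `findView:` returns nil for an unknown name. The global sampler writes `CKKSAnalyticsValidCredentials` only when the credentials are invalid; if that is intended, a comment such as `// key is reported only when credentials are bad` would stop a reader from treating it as an inverted condition. `setupAnalytics` is also called from the end of another method in this commit (hunk `@@ -325,6 +426,8 @@`), and nothing visible prevents the samplers from being registered again if that method runs more than once.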
@@ -325,6 +426,8 @@ dispatch_once_t globalZoneStateQueueOnce; [self findOrCreateView:s]; // initializes any newly-created views } } + + [self setupAnalytics]; } - (NSString*)viewNameForViewHint: (NSString*) viewHint { @@ -421,12 +524,12 @@ dispatch_once_t globalZoneStateQueueOnce; [view handleKeychainEventDbConnection: dbconn added:added deleted:deleted rateLimiter:self.globalRateLimiter syncCallback: syncCallback]; } --(void)setCurrentItemForAccessGroup:(SecDbItemRef)newItem +-(void)setCurrentItemForAccessGroup:(NSData* _Nonnull)newItemPersistentRef hash:(NSData*)newItemSHA1 accessGroup:(NSString*)accessGroup identifier:(NSString*)identifier viewHint:(NSString*)viewHint - replacing:(SecDbItemRef)oldItem + replacing:(NSData* _Nullable)oldCurrentItemPersistentRef hash:(NSData*)oldItemSHA1 complete:(void (^) (NSError* operror)) complete { @@ -440,11 +543,11 @@ dispatch_once_t globalZoneStateQueueOnce; return; } - [view setCurrentItemForAccessGroup:newItem + [view setCurrentItemForAccessGroup:newItemPersistentRef hash:newItemSHA1 accessGroup:accessGroup identifier:identifier - replacing:oldItem + replacing:oldCurrentItemPersistentRef hash:oldItemSHA1 complete:complete]; } @@ -492,7 +595,7 @@ dispatch_once_t globalZoneStateQueueOnce; if(reset) { [manager clearAllViews]; manager = nil; - } else if (manager == nil) { + } else if (manager == nil && SecCKKSIsEnabled()) { manager = [[CKKSViewManager alloc] initCloudKitWithContainerName:SecCKKSContainerName usePCS:SecCKKSContainerUsePCS]; } } 
@@ -529,26 +632,6 @@ dispatch_once_t globalZoneStateQueueOnce; }]; } -#pragma mark - XPC Endpoint - -- (xpc_endpoint_t)xpcControlEndpoint { - return [_listener.endpoint _endpoint]; -} - -- (BOOL)listener:(__unused NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection { - NSNumber *num = [newConnection valueForEntitlement:(__bridge NSString *)kSecEntitlementPrivateCKKS]; - if (![num isKindOfClass:[NSNumber class]] || ![num boolValue]) { - secinfo("ckks", "Client pid: %d doesn't have entitlement: %@", - [newConnection processIdentifier], kSecEntitlementPrivateCKKS); - return NO; - } - newConnection.exportedInterface = CKKSSetupControlProtocol([NSXPCInterface interfaceWithProtocol:@protocol(CKKSControlProtocol)]); - newConnection.exportedObject = self; - - [newConnection resume]; - - return YES; -} #pragma mark - RPCs to manage and report state - (void)performanceCounters:(void(^)(NSDictionary *counter))reply { @@ -558,10 +641,16 @@ dispatch_once_t globalZoneStateQueueOnce; - (NSArray*)views:(NSString*)viewName operation:(NSString*)opName error:(NSError**)error { NSArray* actualViews = nil; + + // Ensure we've actually set up, but don't wait too long. Clients get impatient. + if([self.completedSecCKKSInitialize wait:5*NSEC_PER_SEC]) { + secerror("ckks: Haven't yet initialized zones; expect failure fetching views"); + } + @synchronized(self.views) { if(viewName) { - secnotice("ckks", "Received a %@ request for zone %@", opName, viewName); CKKSKeychainView* view = self.views[viewName]; + secnotice("ckks", "Received a %@ request for zone %@ (%@)", opName, viewName, view); if(!view) { if(error) { @@ -574,8 +663,8 @@ dispatch_once_t globalZoneStateQueueOnce; actualViews = @[view]; } else { - secnotice("ckks", "Received a %@ request for all zones", opName); actualViews = [self.views.allValues copy]; + secnotice("ckks", "Received a %@ request for all zones: %@", opName, actualViews); } } return actualViews; 
@@ -590,7 +679,14 @@ dispatch_once_t globalZoneStateQueueOnce; return; } - CKKSResultOperation* op = [CKKSResultOperation named:@"local-reset-zones-waiter" withBlock:^{}]; + CKKSResultOperation* op = [CKKSResultOperation named:@"local-reset-zones-waiter" withBlockTakingSelf:^(CKKSResultOperation * _Nonnull strongOp) { + if(!strongOp.error) { + secnotice("ckksreset", "Completed rpcResetLocal"); + } else { + secnotice("ckks", "Completed rpcResetLocal with error: %@", strongOp.error); + } + reply(CKXPCSuitableError(strongOp.error)); + }]; for(CKKSKeychainView* view in actualViews) { ckksnotice("ckksreset", view, "Beginning local reset for %@", view); @@ -599,14 +695,6 @@ dispatch_once_t globalZoneStateQueueOnce; [op timeout:120*NSEC_PER_SEC]; [self.operationQueue addOperation: op]; - - [op waitUntilFinished]; - if(op.error) { - secnotice("ckksreset", "Completed rpcResetLocal"); - } else { - secnotice("ckksreset", "Completed rpcResetLocal with error: %@", op.error); - } - reply(CKXPCSuitableError(op.error)); } - (void)rpcResetCloudKit:(NSString*)viewName reply: (void(^)(NSError* result)) reply { 
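Review bot: The completion block added to `rpcResetLocal` logs the failure case under `"ckks"`, while its success case and both branches of the parallel block in `rpcResetCloudKit` (hunk `@@ -618,23 +706,22 @@`) use `"ckksreset"`. Use `secnotice("ckksreset", "Completed rpcResetLocal with error: %@", strongOp.error);` so a failed reset is found with the same log filter as a successful one. In both RPCs `reply` is now called only from inside the operation's own block rather than after `waitUntilFinished`. If `CKKSResultOperation` skips its block when a success dependency fails or the 120-second timeout fires (its implementation is not visible here), the XPC caller would never receive a reply, so that path should be confirmed with a test that forces a failing dependency. `rpcResetLocal` begins before this hunk.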
@@ -618,23 +706,22 @@ dispatch_once_t globalZoneStateQueueOnce; return; } - CKKSResultOperation* op = [CKKSResultOperation named:@"cloudkit-reset-zones-waiter" withBlock:^{}]; + CKKSResultOperation* op = [CKKSResultOperation named:@"cloudkit-reset-zones-waiter" withBlockTakingSelf:^(CKKSResultOperation * _Nonnull strongOp) { + if(!strongOp.error) { + secnotice("ckksreset", "Completed rpcResetCloudKit"); + } else { + secnotice("ckksreset", "Completed rpcResetCloudKit with error: %@", strongOp.error); + } + reply(CKXPCSuitableError(strongOp.error)); + }]; for(CKKSKeychainView* view in actualViews) { ckksnotice("ckksreset", view, "Beginning CloudKit reset for %@", view); - [op addSuccessDependency:[view resetCloudKitZone]]; + [op addSuccessDependency:[view resetCloudKitZone:[CKOperationGroup CKKSGroupWithName:@"api-reset"]]]; } [op timeout:120*NSEC_PER_SEC]; [self.operationQueue addOperation: op]; - - [op waitUntilFinished]; - if(op.error) { - secnotice("ckksreset", "Completed rpcResetCloudKit"); - } else { - secnotice("ckksreset", "Completed rpcResetCloudKit with error: %@", op.error); - } - reply(CKXPCSuitableError(op.error)); } - (void)rpcResync:(NSString*)viewName reply: (void(^)(NSError* result)) reply { 
@@ -698,58 +785,74 @@ dispatch_once_t globalZoneStateQueueOnce; - (void)rpcStatus: (NSString*)viewName reply: (void(^)(NSArray* result, NSError* error)) reply { NSMutableArray* a = [[NSMutableArray alloc] init]; - // The first element is always the current global state (non-view-specific) - NSError* selfPeersError = nil; - CKKSSelves* selves = [self fetchSelfPeers:&selfPeersError]; - NSError* trustedPeersError = nil; - NSSet>* peers = [self fetchTrustedPeers:&trustedPeersError]; + // Now, query the views about their status + NSError* error = nil; + NSArray* actualViews = [self views:viewName operation:@"status" error:&error]; + if(!actualViews || error) { + reply(nil, error); + return; + } + __weak __typeof(self) weakSelf = self; + CKKSResultOperation* statusOp = [CKKSResultOperation named:@"status-rpc" withBlock:^{ + __strong __typeof(self) strongSelf = weakSelf; - NSMutableArray* mutTrustedPeers = [[NSMutableArray alloc] init]; - [peers enumerateObjectsUsingBlock:^(id _Nonnull obj, BOOL * _Nonnull stop) { - [mutTrustedPeers addObject: [obj description]]; - }]; + // The first element is always the current global state (non-view-specific) + NSError* selfPeersError = nil; + CKKSSelves* selves = [strongSelf fetchSelfPeers:&selfPeersError]; + NSError* trustedPeersError = nil; + NSSet>* peers = [strongSelf fetchTrustedPeers:&trustedPeersError]; -#define stringify(obj) CKKSNilToNSNull([obj description]) - NSDictionary* global = @{ - @"view": @"global", - @"selfPeers": stringify(selves), - @"selfPeersError": CKKSNilToNSNull(selfPeersError), - @"trustedPeers": CKKSNilToNSNull(mutTrustedPeers), - @"trustedPeersError": CKKSNilToNSNull(trustedPeersError), - }; - [a addObject: global]; + // Get account state, even wait for it a little + [self.accountTracker.ckdeviceIDInitialized wait:1*NSEC_PER_SEC]; + NSString *deviceID = self.accountTracker.ckdeviceID; + NSError *deviceIDError = self.accountTracker.ckdeviceIDError; - // Now, query the views about their status - NSArray* 
actualViews = nil; - if(viewName) { - secnotice("ckks", "Received a status RPC for zone %@", viewName); - CKKSKeychainView* view = self.views[viewName]; + NSMutableArray* mutTrustedPeers = [[NSMutableArray alloc] init]; + [peers enumerateObjectsUsingBlock:^(id _Nonnull obj, BOOL * _Nonnull stop) { + [mutTrustedPeers addObject: [obj description]]; + }]; - if(!view) { - secerror("ckks: Zone %@ does not exist!", viewName); - reply(nil, nil); - return; +#define stringify(obj) CKKSNilToNSNull([obj description]) + NSDictionary* global = @{ + @"view": @"global", + @"selfPeers": stringify(selves), + @"selfPeersError": CKKSNilToNSNull(selfPeersError), + @"trustedPeers": CKKSNilToNSNull(mutTrustedPeers), + @"trustedPeersError": CKKSNilToNSNull(trustedPeersError), + @"reachability": strongSelf.reachabilityTracker.currentReachability ? @"network" : @"no-network", + @"ckdeviceID": CKKSNilToNSNull(deviceID), + @"ckdeviceIDError": CKKSNilToNSNull(deviceIDError), + }; + [a addObject: global]; + + for(CKKSKeychainView* view in actualViews) { + ckksnotice("ckks", view, "Fetching status for %@", view.zoneName); + NSDictionary* status = [view status]; + ckksinfo("ckks", view, "Status is %@", status); + if(status) { + [a addObject: status]; + } } + reply(a, nil); + }]; - actualViews = @[view]; - - } else { - @synchronized(self.views) { - // Can't safely iterate a mutable collection, so copy it. 
- actualViews = self.views.allValues; - } + // If we're signed in, give the views a few seconds to enter what they consider to be a non-transient state (in case this daemon just launched) + if([self.accountTracker.currentComputedAccountStatusValid wait:5*NSEC_PER_SEC]) { + secerror("ckks status: Haven't yet figured out login state"); } - for(CKKSKeychainView* view in actualViews) { - ckksnotice("ckks", view, "Fetching status for %@", view.zoneName); - NSDictionary* status = [view status]; - ckksinfo("ckks", view, "Status is %@", status); - if(status) { - [a addObject: status]; + if(self.accountTracker.currentComputedAccountStatus == CKKSAccountStatusAvailable) { + CKKSResultOperation* blockOp = [CKKSResultOperation named:@"wait-for-status" withBlock:^{}]; + [blockOp timeout:8*NSEC_PER_SEC]; + for(CKKSKeychainView* view in actualViews) { + [blockOp addNullableDependency:view.keyStateNonTransientDependency]; + [statusOp addDependency:blockOp]; } + [self.operationQueue addOperation:blockOp]; } - reply(a, nil); + [self.operationQueue addOperation:statusOp]; + return; } 
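Review bot: Inside the `status-rpc` block, `strongSelf` is taken from `weakSelf`, but the lines that read `ckdeviceIDInitialized`, `ckdeviceID` and `ckdeviceIDError` go through `self.accountTracker`, which captures `self` strongly and defeats the weak reference; they should use `strongSelf.accountTracker`. `[statusOp addDependency:blockOp];` sits inside the `for` loop and is repeated once per view; it belongs after the loop. The global dictionary now returns `ckdeviceID` and `ckdeviceIDError` to every caller of `rpcStatus`, and this commit also removes `listener:shouldAcceptNewConnection:` with its `kSecEntitlementPrivateCKKS` check from this file. Where that check now lives is not visible in this chunk, so it is worth confirming that the replacement listener still gates this RPC.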
@@ -762,26 +865,11 @@ dispatch_once_t globalZoneStateQueueOnce; } - (void)rpcFetchAndProcessChanges:(NSString*)viewName classA:(bool)classAError reply: (void(^)(NSError* result)) reply { - NSArray* actualViews = nil; - if(viewName) { - secnotice("ckks", "Received a fetch RPC for zone %@", viewName); - CKKSKeychainView* view = self.views[viewName]; - - if(!view) { - secerror("ckks: Zone %@ does not exist!", viewName); - reply([NSError errorWithDomain:@"securityd" - code:kSOSCCNoSuchView - userInfo:@{NSLocalizedDescriptionKey: [NSString stringWithFormat: @"No view for '%@'", viewName]}]); - return; - } - - actualViews = @[view]; - } else { - secnotice("ckks", "Received a fetch RPC for all zones"); - @synchronized(self.views) { - // Can't safely iterate a mutable collection, so copy it. - actualViews = [self.views.allValues copy]; - } + NSError* error = nil; + NSArray* actualViews = [self views:viewName operation:@"fetch" error:&error]; + if(!actualViews || error) { + reply(error); + return; } CKKSResultOperation* blockOp = [[CKKSResultOperation alloc] init]; 
@@ -801,30 +889,15 @@ dispatch_once_t globalZoneStateQueueOnce; [blockOp addDependency:op]; } - [self.operationQueue addOperation: [blockOp timeout:60*NSEC_PER_SEC]]; + [self.operationQueue addOperation: [blockOp timeout:(SecCKKSTestsEnabled() ? NSEC_PER_SEC * 5 : NSEC_PER_SEC * 120)]]; } - (void)rpcPushOutgoingChanges:(NSString*)viewName reply: (void(^)(NSError* result))reply { - NSArray* actualViews = nil; - if(viewName) { - secnotice("ckks", "Received a push RPC for zone %@", viewName); - CKKSKeychainView* view = self.views[viewName]; - - if(!view) { - secerror("ckks: Zone %@ does not exist!", viewName); - reply([NSError errorWithDomain:@"securityd" - code:kSOSCCNoSuchView - userInfo:@{NSLocalizedDescriptionKey: [NSString stringWithFormat: @"No view for '%@'", viewName]}]); - return; - } - - actualViews = @[view]; - } else { - secnotice("ckks", "Received a push RPC for all zones"); - @synchronized(self.views) { - // Can't safely iterate a mutable collection, so copy it. - actualViews = [self.views.allValues copy]; - } + NSError* error = nil; + NSArray* actualViews = [self views:viewName operation:@"push" error:&error]; + if(!actualViews || error) { + reply(error); + return; } CKKSResultOperation* blockOp = [[CKKSResultOperation alloc] init]; 
@@ -844,28 +917,11 @@ dispatch_once_t globalZoneStateQueueOnce; [blockOp addDependency:op]; } - [self.operationQueue addOperation: [blockOp timeout:60*NSEC_PER_SEC]]; -} - -- (void)rpcGetAnalyticsSysdiagnoseWithReply:(void (^)(NSString* sysdiagnose, NSError* error))reply -{ - NSError* error = nil; - NSString* sysdiagnose = [[CKKSAnalyticsLogger logger] getSysdiagnoseDumpWithError:&error]; - reply(sysdiagnose, CKXPCSuitableError(error)); -} - -- (void)rpcGetAnalyticsJSONWithReply:(void (^)(NSData* json, NSError* error))reply -{ - NSError* error = nil; - NSData* json = [[CKKSAnalyticsLogger logger] getLoggingJSON:true error:&error]; - reply(json, CKXPCSuitableError(error)); + [self.operationQueue addOperation: [blockOp timeout:(SecCKKSTestsEnabled() ? NSEC_PER_SEC * 2 : NSEC_PER_SEC * 120)]]; } -- (void)rpcForceUploadAnalyticsWithReply:(void (^)(BOOL success, NSError* error))reply -{ - NSError* error = nil; - BOOL result = [[CKKSAnalyticsLogger logger] forceUploadWithError:&error]; - reply(result, CKXPCSuitableError(error)); +- (void)rpcGetCKDeviceIDWithReply:(void (^)(NSString *))reply { + reply(self.accountTracker.ckdeviceID); } -(void)xpc24HrNotification { 
@@ -887,9 +943,140 @@ dispatch_once_t globalZoneStateQueueOnce; } } -#pragma mark - CKKSPeerProvider implementation +- (NSArray * _Nullable)loadRestoredBottledKeysOfType:(OctagonKeyType)keyType error:(NSError**)error +{ + CFTypeRef result = NULL; + NSMutableArray* bottledPeerKeychainItems = nil; + + NSDictionary* query = @{ + (id)kSecClass : (id)kSecClassInternetPassword, + (id)kSecAttrAccessible: (id)kSecAttrAccessibleWhenUnlocked, + (id)kSecAttrNoLegacy : @YES, + (id)kSecAttrType : [[NSNumber alloc]initWithInt: keyType], + (id)kSecAttrServer : (keyType == 1) ? @"Octagon Signing Key" : @"Octagon Encryption Key", + (id)kSecAttrAccessGroup: @"com.apple.security.ckks", + (id)kSecMatchLimit : (id)kSecMatchLimitAll, + (id)kSecReturnAttributes: @YES, + (id)kSecReturnData: @YES, + }; + OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result); + + if(status == errSecSuccess && result && isArray(result)) { + bottledPeerKeychainItems = CFBridgingRelease(result); + result = NULL; + } else { + if(error) { + *error = [NSError errorWithDomain:NSOSStatusErrorDomain + code:status + description:@"could not load bottled peer keys"]; + } + CFReleaseNull(result); + } -- (CKKSSelves*)fetchSelfPeers:(NSError* __autoreleasing *)error { + return bottledPeerKeychainItems; +} + +-(NSDictionary *) keychainItemForPeerID:(NSString*)neededPeerID + keychainItems:(NSArray *)keychainItems + escrowSigningPubKeyHash:(NSString *)hashWeNeedToMatch +{ + NSDictionary* peerItem = nil; + + for(NSDictionary* item in keychainItems){ + if(item && [item count] > 0){ + NSString* peerIDFromItem = [item objectForKey:(id)kSecAttrAccount]; + NSString* hashToConsider = [item objectForKey:(id)kSecAttrLabel]; + if([peerIDFromItem isEqualToString:neededPeerID] && + [hashWeNeedToMatch isEqualToString:hashToConsider]) + { + peerItem = [item copy]; + break; + } + } + } + + return peerItem; +} + +- (NSSet>*)pastSelves:(NSError**)error +{ + NSError* localError = nil; + + // get bottled peer 
identities from the keychain + NSMutableSet>* allSelves = [NSMutableSet set]; + NSArray* signingKeys = [self loadRestoredBottledKeysOfType:OctagonSigningKey error:&localError]; + if(!signingKeys) { + // Item not found isn't actually an error here + if(error && !(localError && [localError.domain isEqualToString: NSOSStatusErrorDomain] && localError.code == errSecItemNotFound)) { + *error = localError; + } + + return allSelves; + } + + NSArray* encryptionKeys = [self loadRestoredBottledKeysOfType:OctagonEncryptionKey error:&localError]; + if(!encryptionKeys) { + if(error && !(localError && [localError.domain isEqualToString: NSOSStatusErrorDomain] && localError.code == errSecItemNotFound)) { + *error = localError; + } + return allSelves; + } + + for(NSDictionary* signingKey in signingKeys) { + NSError* peerError = nil; + NSString* peerid = signingKey[(id)kSecAttrAccount]; + NSString* hash = signingKey[(id)kSecAttrLabel]; // escrow signing pub key hash + + //use peer id AND escrow signing public key hash to look up the matching item in encryptionKeys list + NSDictionary* encryptionKeyItem = [self keychainItemForPeerID:peerid keychainItems:encryptionKeys escrowSigningPubKeyHash:hash]; + if(!encryptionKeyItem) { + secerror("octagon: no encryption key available to pair with signing key %@,%@", peerid, hash); + continue; + } + + NSData* signingKeyData = signingKey[(id)kSecValueData]; + if(!signingKeyData) { + secerror("octagon: no signing key data for %@,%@", peerid,hash); + continue; + } + + SFECKeyPair* restoredSigningKey = [[SFECKeyPair alloc] initWithData:signingKeyData + specifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384] + error:&peerError]; + if(!restoredSigningKey) { + secerror("octagon: couldn't make signing key for %@,%@: %@", peerid, hash, peerError); + continue; + } + + NSData* encryptionKeyData = [encryptionKeyItem objectForKey:(id)kSecValueData]; + if(!encryptionKeyData) { + secerror("octagon: no encryption key data for %@,%@", 
peerid,hash); + continue; + } + + SFECKeyPair* restoredEncryptionKey = [[SFECKeyPair alloc] initWithData:encryptionKeyData + specifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384] + error:&peerError]; + if(!restoredEncryptionKey) { + secerror("octagon: couldn't make encryption key for %@,%@: %@", peerid,hash, peerError); + continue; + } + + //create the SOS self peer + CKKSSOSSelfPeer* restoredIdentity = [[CKKSSOSSelfPeer alloc]initWithSOSPeerID:peerid encryptionKey:restoredEncryptionKey signingKey:restoredSigningKey]; + + if(restoredIdentity){ + secnotice("octagon","adding bottled peer identity: %@", restoredIdentity); + [allSelves addObject:restoredIdentity]; + } else { + secerror("octagon: could not create restored identity from: %@: %@", peerid, peerError); + } + } + return allSelves; +} + +- (id _Nullable)currentSOSSelf:(NSError**)error +{ __block SFECKeyPair* signingPrivateKey = nil; __block SFECKeyPair* encryptionPrivateKey = nil; 
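Review bot: `loadRestoredBottledKeysOfType:error:` picks the server attribute with the literal `(keyType == 1)`, while `pastSelves:` passes the named constants `OctagonSigningKey` and `OctagonEncryptionKey`. Comparing against the enum, `(keyType == OctagonSigningKey) ? @"Octagon Signing Key" : @"Octagon Encryption Key"`, keeps the query correct if the constants are ever renumbered (this assumes `OctagonSigningKey` is 1 today). When `SecItemCopyMatching` returns `errSecSuccess` with a result that is not an array, the error branch builds an `NSError` whose code is 0. `pastSelves:` only special-cases `errSecItemNotFound`, so that case surfaces as an error carrying a success code and would be clearer with its own code. The query sets `kSecReturnData` with `kSecMatchLimitAll`, so the returned dictionaries hold raw private key bytes; a header comment saying so, and that callers must not log the items, would document the contract.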
@@ -906,28 +1093,25 @@ dispatch_once_t globalZoneStateQueueOnce; return nil; } - SOSCCPerformWithOctagonSigningKey(^(SecKeyRef signingSecKey, CFErrorRef cferror) { - if(cferror) { - localerror = (__bridge NSError*)cferror; - return; - } - if (!cferror && signingSecKey) { - signingPrivateKey = [[SFECKeyPair alloc] initWithSecKey:signingSecKey]; - } - }); - - SOSCCPerformWithOctagonEncryptionKey(^(SecKeyRef encryptionSecKey, CFErrorRef cferror) { + SOSCCPerformWithAllOctagonKeys(^(SecKeyRef octagonEncryptionKey, SecKeyRef octagonSigningKey, CFErrorRef cferror) { if(cferror) { localerror = (__bridge NSError*)cferror; return; } - if (!cferror && encryptionSecKey) { - encryptionPrivateKey = [[SFECKeyPair alloc] initWithSecKey:encryptionSecKey]; + if (!cferror && octagonEncryptionKey && octagonSigningKey) { + signingPrivateKey = [[SFECKeyPair alloc] initWithSecKey:octagonSigningKey]; + encryptionPrivateKey = [[SFECKeyPair alloc] initWithSecKey:octagonEncryptionKey]; + } else { + localerror = [NSError errorWithDomain:CKKSErrorDomain + code:CKKSNoPeersAvailable + description:@"Not all SOS peer keys available, but no error returned"]; } }); if(localerror) { - secerror("ckkspeer: Error fetching self encryption keys: %@", localerror); + if(![self.lockStateTracker isLockedError:localerror]) { + secerror("ckkspeer: Error fetching self encryption keys: %@", localerror); + } if(error) { *error = localerror; } 
@@ -937,7 +1121,35 @@ dispatch_once_t globalZoneStateQueueOnce; CKKSSOSSelfPeer* selfPeer = [[CKKSSOSSelfPeer alloc] initWithSOSPeerID:peerID encryptionKey:encryptionPrivateKey signingKey:signingPrivateKey]; - CKKSSelves* selves = [[CKKSSelves alloc] initWithCurrent:selfPeer allSelves:nil]; + return selfPeer; +} + +#pragma mark - CKKSPeerProvider implementation + +- (CKKSSelves*)fetchSelfPeers:(NSError* __autoreleasing *)error { + NSError* localError = nil; + + id selfPeer = [self currentSOSSelf:&localError]; + if(!selfPeer || localError) { + if(![self.lockStateTracker isLockedError:localError]) { + secerror("ckks: Error fetching current SOS self: %@", localError); + } + if(error) { + *error = localError; + } + return nil; + } + + NSSet>* allSelves = [self pastSelves:&localError]; + if(!allSelves || localError) { + secerror("ckks: Error fetching past selves: %@", localError); + if(error) { + *error = localError; + } + return nil; + } + + CKKSSelves* selves = [[CKKSSelves alloc] initWithCurrent:selfPeer allSelves:allSelves]; return selves; } 
@@ -961,28 +1173,36 @@ dispatch_once_t globalZoneStateQueueOnce; } CFStringRef cfpeerID = SOSPeerInfoGetPeerID(sosPeerInfoRef); - SecKeyRef cfOctagonSigningKey = SOSPeerInfoCopyOctagonSigningPublicKey(sosPeerInfoRef, &cfPeerError); - SecKeyRef cfOctagonEncryptionKey = SOSPeerInfoCopyOctagonEncryptionPublicKey(sosPeerInfoRef, &cfPeerError); + SecKeyRef cfOctagonSigningKey = NULL, cfOctagonEncryptionKey = NULL; + + cfOctagonSigningKey = SOSPeerInfoCopyOctagonSigningPublicKey(sosPeerInfoRef, &cfPeerError); + if (cfOctagonSigningKey) { + cfOctagonEncryptionKey = SOSPeerInfoCopyOctagonEncryptionPublicKey(sosPeerInfoRef, &cfPeerError); + } - if(cfPeerError) { + if(cfOctagonSigningKey == NULL || cfOctagonEncryptionKey == NULL) { // Don't log non-debug for -50; it almost always just means this peer didn't have octagon keys - if(!(CFEqualSafe(CFErrorGetDomain(cfPeerError), kCFErrorDomainOSStatus) && (CFErrorGetCode(cfPeerError) == errSecParam))) { + if(cfPeerError == NULL + || !(CFEqualSafe(CFErrorGetDomain(cfPeerError), kCFErrorDomainOSStatus) && (CFErrorGetCode(cfPeerError) == errSecParam))) + { secerror("ckkspeer: error fetching octagon keys for peer: %@ %@", sosPeerInfoRef, cfPeerError); } else { - secinfo("ckkspeer", "Peer doesn't have Octagon keys, but this is expected: %@", cfPeerError); + secinfo("ckkspeer", "Peer(%@) doesn't have Octagon keys, but this is expected: %@", cfpeerID, cfPeerError); } - } else { - SFECPublicKey* signingPublicKey = cfOctagonSigningKey ? [[SFECPublicKey alloc] initWithSecKey:cfOctagonSigningKey] : nil; - SFECPublicKey* encryptionPublicKey = cfOctagonEncryptionKey ? 
[[SFECPublicKey alloc] initWithSecKey:cfOctagonEncryptionKey] : nil; - - CKKSSOSPeer* peer = [[CKKSSOSPeer alloc] initWithSOSPeerID:(__bridge NSString*)cfpeerID - encryptionPublicKey:encryptionPublicKey - signingPublicKey:signingPublicKey]; - [peerSet addObject:peer]; } + // Add all peers to the trust set: old-style SOS peers will just have null keys + SFECPublicKey* signingPublicKey = cfOctagonSigningKey ? [[SFECPublicKey alloc] initWithSecKey:cfOctagonSigningKey] : nil; + SFECPublicKey* encryptionPublicKey = cfOctagonEncryptionKey ? [[SFECPublicKey alloc] initWithSecKey:cfOctagonEncryptionKey] : nil; + + CKKSSOSPeer* peer = [[CKKSSOSPeer alloc] initWithSOSPeerID:(__bridge NSString*)cfpeerID + encryptionPublicKey:encryptionPublicKey + signingPublicKey:signingPublicKey]; + [peerSet addObject:peer]; + CFReleaseNull(cfOctagonSigningKey); CFReleaseNull(cfOctagonEncryptionKey); + CFReleaseNull(cfPeerError); }); }); 
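Review bot: With the `else` removed, every SOS peer is now added to `peerSet`, including peers with no Octagon keys and peers whose signing key was fetched but whose encryption key was not. The new comment covers old-style peers, but not the partial case, and nothing here tells consumers of the trusted set that the key properties may be nil. I would extend it to `// Add all peers to the trust set. encryptionPublicKey alone, or both keys, may be nil; callers must treat a nil signing key as "cannot verify", never as a match.` and confirm that the verification code elsewhere rejects such peers rather than skipping the check. The enclosing block begins outside this hunk.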
@@ -990,48 +1210,56 @@ dispatch_once_t globalZoneStateQueueOnce; } - (void)registerForPeerChangeUpdates:(id)listener { - bool alreadyRegisteredListener = false; - NSEnumerator *enumerator = [self.peerChangeListeners objectEnumerator]; - id value; - - while ((value = [enumerator nextObject])) { - // do pointer comparison - alreadyRegisteredListener |= (value == listener); - } + @synchronized(self.peerChangeListeners) { + bool alreadyRegisteredListener = false; + NSEnumerator *enumerator = [self.peerChangeListeners objectEnumerator]; + id value; + + while ((value = [enumerator nextObject])) { + // do pointer comparison + alreadyRegisteredListener |= (value == listener); + } - if(listener && !alreadyRegisteredListener) { - NSString* queueName = [NSString stringWithFormat: @"ck-peer-change-%@", listener]; + if(listener && !alreadyRegisteredListener) { + NSString* queueName = [NSString stringWithFormat: @"ck-peer-change-%@", listener]; - dispatch_queue_t objQueue = dispatch_queue_create([queueName UTF8String], DISPATCH_QUEUE_SERIAL); - [self.peerChangeListeners setObject: listener forKey: objQueue]; + dispatch_queue_t objQueue = dispatch_queue_create([queueName UTF8String], DISPATCH_QUEUE_SERIAL); + [self.peerChangeListeners setObject: listener forKey: objQueue]; + } } } - (void)iteratePeerListenersOnTheirQueue:(void (^)(id))block { - NSEnumerator *enumerator = [self.peerChangeListeners keyEnumerator]; - dispatch_queue_t dq; - - // Queue up the changes for each listener. - while ((dq = [enumerator nextObject])) { - id listener = [self.peerChangeListeners objectForKey: dq]; - __weak id weakListener = listener; - - if(listener) { - dispatch_async(dq, ^{ - __strong id strongListener = weakListener; - block(strongListener); - }); + @synchronized(self.peerChangeListeners) { + NSEnumerator *enumerator = [self.peerChangeListeners keyEnumerator]; + dispatch_queue_t dq; + + // Queue up the changes for each listener. 
+ while ((dq = [enumerator nextObject])) { + id listener = [self.peerChangeListeners objectForKey: dq]; + __weak id weakListener = listener; + + if(listener) { + dispatch_async(dq, ^{ + __strong id strongListener = weakListener; + block(strongListener); + }); + } } } } - (void)sendSelfPeerChangedUpdate { + [self.completedSecCKKSInitialize wait:5*NSEC_PER_SEC]; // Wait for bringup, but don't worry if this times out + [self iteratePeerListenersOnTheirQueue: ^(id listener) { [listener selfPeerChanged]; }]; } - (void)sendTrustedPeerSetChangedUpdate { + [self.completedSecCKKSInitialize wait:5*NSEC_PER_SEC]; // Wait for bringup, but don't worry if this times out + [self iteratePeerListenersOnTheirQueue: ^(id listener) { [listener trustedPeerSetChanged]; }]; diff --git a/keychain/ckks/CKKSZone.h b/keychain/ckks/CKKSZone.h index 3e4b94ee..8938c2ee 100644 --- a/keychain/ckks/CKKSZone.h +++ b/keychain/ckks/CKKSZone.h @@ -25,7 +25,10 @@ #if OCTAGON #import "keychain/ckks/CKKSCKAccountStateTracker.h" +#import "keychain/ckks/CKKSReachabilityTracker.h" #import "keychain/ckks/CloudKitDependencies.h" +#import "keychain/ckks/CKKSAPSReceiver.h" +#import "keychain/ckks/CKKSGroupOperation.h" NS_ASSUME_NONNULL_BEGIN @@ -39,6 +42,7 @@ NS_ASSUME_NONNULL_BEGIN @property (readonly) NSString* zoneName; @property CKKSGroupOperation* zoneSetupOperation; +@property (nullable) CKOperationGroup* zoneSetupOperationGroup; // set this if you want zone creates to use a different operation group @property bool zoneCreated; @property bool zoneSubscribed; @@ -54,6 +58,7 @@ NS_ASSUME_NONNULL_BEGIN @property (readonly) CKDatabase* database; @property (weak) CKKSCKAccountStateTracker* accountTracker; +@property (weak) CKKSReachabilityTracker* reachabilityTracker; @property (readonly) CKRecordZone* zone; @property (readonly) CKRecordZoneID* zoneID; 
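Review bot: `sendSelfPeerChangedUpdate` and `sendTrustedPeerSetChangedUpdate` now block the calling thread for up to five seconds on `completedSecCKKSInitialize` and discard the result of `wait:`, so a timeout cannot be told apart from a finished bringup. If `wait:` reports a timeout through its return value (its declaration is not in this diff), logging that case, e.g. `if([self.completedSecCKKSInitialize wait:5*NSEC_PER_SEC] != 0) { secnotice("ckkspeer", "bringup not complete; notifying listeners anyway"); }`, would make early notifications traceable. Separately, `@synchronized(self.peerChangeListeners)` locks on whatever the property currently holds and is a no-op when that is nil; locking on `self` or a dedicated lock object does not depend on the table having been set.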
@@ -70,7 +75,8 @@ NS_ASSUME_NONNULL_BEGIN - (instancetype)initWithContainer:(CKContainer*)container zoneName:(NSString*)zoneName - accountTracker:(CKKSCKAccountStateTracker*)tracker + accountTracker:(CKKSCKAccountStateTracker*)accountTracker + reachabilityTracker:(CKKSReachabilityTracker *)reachabilityTracker fetchRecordZoneChangesOperationClass:(Class)fetchRecordZoneChangesOperationClass fetchRecordsOperationClass:(Class)fetchRecordsOperationClass queryOperationClass:(Class)queryOperationClass @@ -79,7 +85,7 @@ NS_ASSUME_NONNULL_BEGIN apsConnectionClass:(Class)apsConnectionClass; -- (CKKSResultOperation* _Nullable)beginResetCloudKitZoneOperation; +- (CKKSResultOperation* _Nullable)deleteCloudKitZoneOperation:(CKOperationGroup* _Nullable)ckoperationGroup; // Called when CloudKit notifies us that we just logged in. // That is, if we transition from any state to CKAccountStatusAvailable. @@ -90,7 +96,7 @@ NS_ASSUME_NONNULL_BEGIN // Actually start a cloudkit login. Pass in whether you believe this zone has been created and if this device has // subscribed to this zone on the server. -- (NSOperation* _Nullable)handleCKLogin:(bool)zoneCreated zoneSubscribed:(bool)zoneSubscribed; +- (CKKSResultOperation* _Nullable)handleCKLogin:(bool)zoneCreated zoneSubscribed:(bool)zoneSubscribed; // Called when CloudKit notifies us that we just logged out. // i.e. we transition from CKAccountStatusAvailable to any other state. @@ -103,8 +109,6 @@ NS_ASSUME_NONNULL_BEGIN // Cancels all operations (no matter what they are). - (void)cancelAllOperations; -// Reissues the call -- (void)restartCurrentAccountStateOperation; // Schedules this operation for execution (if the CloudKit account exists) - (bool)scheduleOperation:(NSOperation*)op; diff --git a/keychain/ckks/CKKSZone.m b/keychain/ckks/CKKSZone.m index d1006737..40c32544 100644 --- a/keychain/ckks/CKKSZone.m +++ b/keychain/ckks/CKKSZone.m 
@@ -28,6 +28,7 @@ #if OCTAGON #import "CloudKitDependencies.h" #import "keychain/ckks/CKKSCKAccountStateTracker.h" +#import "keychain/ckks/CloudKitCategories.h" #import #import @@ -43,19 +44,22 @@ @property CKDatabaseOperation* zoneSubscriptionOperation; @property NSOperationQueue* operationQueue; -@property NSOperation* accountLoggedInDependency; +@property CKKSResultOperation* accountLoggedInDependency; @property NSHashTable* accountOperations; // Make writable @property bool halted; +@property bool zoneCreateNetworkFailure; +@property bool zoneSubscriptionNetworkFailure; @end @implementation CKKSZone - (instancetype)initWithContainer: (CKContainer*) container zoneName: (NSString*) zoneName - accountTracker:(CKKSCKAccountStateTracker*) tracker + accountTracker:(CKKSCKAccountStateTracker*) accountTracker + reachabilityTracker:(CKKSReachabilityTracker *) reachabilityTracker fetchRecordZoneChangesOperationClass: (Class) fetchRecordZoneChangesOperationClass fetchRecordsOperationClass: (Class)fetchRecordsOperationClass queryOperationClass:(Class)queryOperationClass @@ -66,7 +70,8 @@ if(self = [super init]) { _container = container; _zoneName = zoneName; - _accountTracker = tracker; + _accountTracker = accountTracker; + _reachabilityTracker = reachabilityTracker; _halted = false; @@ -75,11 +80,7 @@ _accountStatus = CKKSAccountStatusUnknown; - __weak __typeof(self) weakSelf = self; - self.accountLoggedInDependency = [NSBlockOperation blockOperationWithBlock:^{ - ckksnotice("ckkszone", weakSelf, "CloudKit account logged in."); - }]; - self.accountLoggedInDependency.name = @"account-logged-in-dependency"; + _accountLoggedInDependency = [self createAccountLoggedInDependency:@"CloudKit account logged in."]; _accountOperations = [NSHashTable weakObjectsHashTable]; 
@@ -96,6 +97,15 @@ return self; } +- (CKKSResultOperation*)createAccountLoggedInDependency:(NSString*)message { + __weak __typeof(self) weakSelf = self; + CKKSResultOperation* accountLoggedInDependency = [CKKSResultOperation named:@"account-logged-in-dependency" withBlock:^{ + ckksnotice("ckkszone", weakSelf, "%@", message); + }]; + accountLoggedInDependency.descriptionErrorCode = CKKSResultDescriptionPendingAccountLoggedIn; + return accountLoggedInDependency; +} + - (void)initializeZone { [self.accountTracker notifyOnAccountStatusChange:self]; } @@ -122,7 +132,6 @@ [CKKSCKAccountStateTracker stringFromAccountStatus: oldStatus], [CKKSCKAccountStateTracker stringFromAccountStatus: currentStatus]); - __weak __typeof(self) weakSelf = self; switch(currentStatus) { case CKKSAccountStatusAvailable: { ckksnotice("ckkszone", self, "Logged into iCloud."); @@ -138,10 +147,7 @@ case CKKSAccountStatusNoAccount: { ckksnotice("ckkszone", self, "Logging out of iCloud. Shutting down."); - self.accountLoggedInDependency = [NSBlockOperation blockOperationWithBlock:^{ - ckksnotice("ckkszone", weakSelf, "CloudKit account logged in again."); - }]; - self.accountLoggedInDependency.name = @"account-logged-in-dependency"; + self.accountLoggedInDependency = [self createAccountLoggedInDependency:@"CloudKit account logged in again."]; [self handleCKLogout]; } @@ -151,10 +157,7 @@ // We really don't expect to receive this as a notification, but, okay! ckksnotice("ckkszone", self, "Account status has become undetermined. Pausing for %@", self.zoneID.zoneName); - self.accountLoggedInDependency = [NSBlockOperation blockOperationWithBlock:^{ - ckksnotice("ckkszone", weakSelf, "CloudKit account restored from 'unknown'."); - }]; - self.accountLoggedInDependency.name = @"account-logged-in-dependency"; + self.accountLoggedInDependency = [self createAccountLoggedInDependency:@"CloudKit account return from 'unknown'."]; [self handleCKLogout]; } 
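Review bot: The log text for the undetermined-account case changed from "CloudKit account restored from 'unknown'." to "CloudKit account return from 'unknown'.", which reads as a typo introduced by the refactor; `@"CloudKit account returned from 'unknown'."` is probably what was meant. The new `createAccountLoggedInDependency:` helper would also benefit from a one-line comment, e.g. `// Builds the operation that other work depends on until the CloudKit account is available; message is logged when it runs.`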
@@ -162,25 +165,15 @@ } } -- (void)restartCurrentAccountStateOperation { - __weak __typeof(self) weakSelf = self; - dispatch_async(self.queue, ^{ - __strong __typeof(self) strongSelf = weakSelf; - ckksnotice("ckksaccount", strongSelf, "Restarting account in state %@", [CKKSCKAccountStateTracker stringFromAccountStatus:strongSelf.accountStatus]); - [strongSelf ckAccountStatusChange:strongSelf.accountStatus to:strongSelf.accountStatus]; - }); -} - -- (NSOperation*)handleCKLogin:(bool)zoneCreated zoneSubscribed:(bool)zoneSubscribed { +- (CKKSResultOperation*)handleCKLogin:(bool)zoneCreated zoneSubscribed:(bool)zoneSubscribed { if(!SecCKKSIsEnabled()) { ckksinfo("ckkszone", self, "Skipping CloudKit registration due to disabled CKKS"); return nil; } - // If we've already started set up, skip doing it again. + // If we've already started set up and that hasn't finished, complain if([self.zoneSetupOperation isPending] || [self.zoneSetupOperation isExecuting]) { - ckksnotice("ckkszone", self, "skipping startup: it's already started"); - return self.zoneSetupOperation; + ckksnotice("ckkszone", self, "Asked to handleCKLogin, but zoneSetupOperation appears to not be complete? %@ Continuing anyway", self.zoneSetupOperation); } self.zoneSetupOperation = [[CKKSGroupOperation alloc] init]; @@ -203,6 +196,7 @@ [self.zoneSetupOperation runBeforeGroupFinished:[CKKSResultOperation named:[NSString stringWithFormat:@"zone-setup-%@", self.zoneName] withBlock:^{ __strong __typeof(weakSelf) strongSelf = weakSelf; __strong __typeof(self.zoneSetupOperation) zoneSetupOperation = weakZoneSetupOperation; + __strong __typeof(self.reachabilityTracker) reachabilityTracker = self.reachabilityTracker; if(!strongSelf || !zoneSetupOperation) { ckkserror("ckkszone", strongSelf, "received callback for released object"); return; 
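Review bot: When a previous `zoneSetupOperation` is still pending or executing, `handleCKLogin:zoneSubscribed:` now logs and then replaces `self.zoneSetupOperation` without cancelling the old group or depending on it, so two setup groups can run against the same zone and both write `zoneCreated`, `zoneSubscribed` and the related error fields. If overlapping setup is intended, the comment should say why it is safe rather than only "complain". Otherwise, keep the old operation in a local before the reassignment and serialise with `[self.zoneSetupOperation addNullableDependency:previousSetupOperation];`. The rest of the method lies outside this hunk.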
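Review bot: The added line `__strong __typeof(self.reachabilityTracker) reachabilityTracker = self.reachabilityTracker;` reads the property through `self` inside the operation block, which captures `self` strongly even though the neighbouring lines go through `weakSelf`/`strongSelf`, and it runs before the `!strongSelf` check. Because the block belongs to an operation that `self.zoneSetupOperation` owns, this can keep the zone alive for as long as the operation retains its block. Reading `strongSelf.reachabilityTracker` after the nil check avoids the capture. `self.lastCKFetchError = fetchAllChanges.error;` inside the `dispatch_sync` block in CKKSZoneChangeFetcher.m has the same shape and should use `strongSelf` as well.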
@@ -250,6 +244,7 @@ zoneCreationOperation.qualityOfService = NSQualityOfServiceUserInitiated; zoneCreationOperation.database = strongSelf.database; zoneCreationOperation.name = @"zone-creation-operation"; + zoneCreationOperation.group = strongSelf.zoneSetupOperationGroup ?: [CKOperationGroup CKKSGroupWithName:@"zone-creation"];; // Completion blocks don't count for dependencies. Use this intermediate operation hack instead. modifyRecordZonesCompleteOperation = [[NSBlockOperation alloc] init]; @@ -267,14 +262,21 @@ if(!operationError) { ckksnotice("ckkszone", strongSubSelf, "Successfully created zone %@", strongSubSelf.zoneName); strongSubSelf.zoneCreated = true; + strongSubSelf.zoneSetupOperationGroup = nil; } else { ckkserror("ckkszone", strongSubSelf, "Couldn't create zone %@; %@", strongSubSelf.zoneName, operationError); } strongSubSelf.zoneCreatedError = operationError; - + if ([reachabilityTracker isNetworkError:operationError]){ + strongSelf.zoneCreateNetworkFailure = true; + } [strongSubSelf.operationQueue addOperation: modifyRecordZonesCompleteOperation]; }; + if (strongSelf.zoneCreateNetworkFailure) { + [zoneCreationOperation addNullableDependency:reachabilityTracker.reachablityDependency]; + strongSelf.zoneCreateNetworkFailure = false; + } ckksnotice("ckkszone", strongSelf, "Adding CKKSModifyRecordZonesOperation: %@ %@", zoneCreationOperation, zoneCreationOperation.dependencies); strongSelf.zoneCreationOperation = zoneCreationOperation; [setupCompleteOperation addDependency: modifyRecordZonesCompleteOperation]; 
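Review bot: In what appears to be the zone-creation completion block, the new `isNetworkError:` branch sets `strongSelf.zoneCreateNetworkFailure`, using the outer block's `strongSelf` where every neighbouring line uses `strongSubSelf`. That gives the completion block a strong reference to the zone while the zone holds the operation through `zoneCreationOperation`; `strongSubSelf.zoneCreateNetworkFailure = true;` keeps the block consistent with its own weak/strong pair. The subscription completion block in the following hunk needs the same change for `zoneSubscriptionNetworkFailure`. The added `.group` assignment in the preceding hunk also ends in a stray `;;`.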
@@ -323,13 +325,18 @@ strongSubSelf.zoneSubscribedError = operationError; strongSubSelf.zoneSubscriptionOperation = nil; + if ([reachabilityTracker isNetworkError:operationError]){ + strongSelf.zoneSubscriptionNetworkFailure = true; + } [strongSubSelf.operationQueue addOperation: zoneSubscriptionCompleteOperation]; }; - if(modifyRecordZonesCompleteOperation) { - [zoneSubscriptionOperation addDependency:modifyRecordZonesCompleteOperation]; + if (strongSelf.zoneSubscriptionNetworkFailure) { + [zoneSubscriptionOperation addNullableDependency:reachabilityTracker.reachablityDependency]; + strongSelf.zoneSubscriptionNetworkFailure = false; } + [zoneSubscriptionOperation addNullableDependency:modifyRecordZonesCompleteOperation]; strongSelf.zoneSubscriptionOperation = zoneSubscriptionOperation; [setupCompleteOperation addDependency: zoneSubscriptionCompleteOperation]; [zoneSetupOperation runBeforeGroupFinished:zoneSubscriptionOperation]; @@ -346,7 +353,7 @@ } -- (CKKSResultOperation*)beginResetCloudKitZoneOperation { +- (CKKSResultOperation*)deleteCloudKitZoneOperation:(CKOperationGroup* _Nullable)ckoperationGroup { if(!SecCKKSIsEnabled()) { ckksnotice("ckkszone", self, "Skipping CloudKit reset due to disabled CKKS"); return nil; 
@@ -361,12 +368,18 @@ [self.zoneSubscriptionOperation cancel]; // Step 2: Try to delete the zone + CKDatabaseOperation* zoneDeletionOperation = [[self.modifyRecordZonesOperationClass alloc] initWithRecordZonesToSave: nil recordZoneIDsToDelete: @[self.zoneID]]; zoneDeletionOperation.queuePriority = NSOperationQueuePriorityNormal; zoneDeletionOperation.qualityOfService = NSQualityOfServiceUserInitiated; zoneDeletionOperation.database = self.database; + zoneDeletionOperation.group = ckoperationGroup; + + CKKSGroupOperation* zoneDeletionGroupOperation = [[CKKSGroupOperation alloc] init]; + zoneDeletionGroupOperation.name = [NSString stringWithFormat:@"cloudkit-zone-delete-%@", self.zoneName]; CKKSResultOperation* doneOp = [CKKSResultOperation named:@"zone-reset-watcher" withBlock:^{}]; + [zoneDeletionGroupOperation dependOnBeforeGroupFinished:doneOp]; __weak __typeof(self) weakSelf = self; 
@@ -398,23 +411,28 @@ } } - ckksinfo("ckkszone", strongSelf, "record zones deletion %@ completed with error: %@", deletedRecordZoneIDs, operationError); + if(operationError) { + ckksnotice("ckkszone", strongSelf, "deletion of record zones %@ completed with error: %@", deletedRecordZoneIDs, operationError); + } else { + ckksnotice("ckkszone", strongSelf, "deletion of record zones %@ completed successfully", deletedRecordZoneIDs); + } if(operationError && fatalError) { // If the error wasn't actually a problem, don't report it upward. doneOp.error = operationError; } - [strongSelf.operationQueue addOperation: doneOp]; + [zoneDeletionGroupOperation runBeforeGroupFinished:doneOp]; }; // If the zone creation operation is still pending, wait for it to complete before attempting zone deletion [zoneDeletionOperation addNullableDependency: self.zoneCreationOperation]; + [zoneDeletionGroupOperation runBeforeGroupFinished:zoneDeletionOperation]; - ckksnotice("ckkszone", self, "deleting zone with %@ %@", zoneDeletionOperation, zoneDeletionOperation.dependencies); - // Don't use scheduleOperation: zone deletions should be attempted even if we're "logged out" - [self.operationQueue addOperation: zoneDeletionOperation]; - self.zoneDeletionOperation = zoneDeletionOperation; - return doneOp; + [zoneDeletionGroupOperation runBeforeGroupFinished:[CKKSResultOperation named:@"print-log-message" withBlock:^{ + __strong __typeof(weakSelf) strongSelf = weakSelf; + ckksnotice("ckkszone", strongSelf, "deleting zones %@ with dependencies %@", zoneDeletionOperation.recordZoneIDsToDelete, zoneDeletionOperation.dependencies); + }]]; + return zoneDeletionGroupOperation; } - (void)notifyZoneChange: (CKRecordZoneNotification*) notification { diff --git a/keychain/ckks/CKKSZoneChangeFetcher.h b/keychain/ckks/CKKSZoneChangeFetcher.h index f03db22a..52f083be 100644 --- a/keychain/ckks/CKKSZoneChangeFetcher.h +++ b/keychain/ckks/CKKSZoneChangeFetcher.h 
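Review bot: `deleteCloudKitZoneOperation:` no longer adds the deletion to `self.operationQueue` and no longer stores it in `self.zoneDeletionOperation`; it only returns a `CKKSGroupOperation`, so the zone is deleted only once the caller runs that group. The removed comment ("Don't use scheduleOperation: zone deletions should be attempted even if we're logged out") was the only place that constraint was written down, and the header declaration has no comment. I would add `// Returns an unscheduled group operation; the caller must start it, and not via scheduleOperation:, so that deletion is attempted even when logged out.` to the declaration. Any code that cancels or inspects `self.zoneDeletionOperation` (not visible here) should be checked, since the property is no longer assigned in this path.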
@@ -29,7 +29,7 @@ NS_ASSUME_NONNULL_BEGIN /* Fetch Reasons */ -@protocol SecCKKSFetchBecause +@protocol SecCKKSFetchBecause @end typedef NSString CKKSFetchBecause; extern CKKSFetchBecause* const CKKSFetchBecauseAPNS; @@ -40,8 +40,9 @@ extern CKKSFetchBecause* const CKKSFetchBecauseSecuritydRestart; extern CKKSFetchBecause* const CKKSFetchBecausePreviousFetchFailed; extern CKKSFetchBecause* const CKKSFetchBecauseKeyHierarchy; extern CKKSFetchBecause* const CKKSFetchBecauseTesting; +extern CKKSFetchBecause* const CKKSFetchBecauseResync; -@protocol CKKSChangeFetcherErrorOracle +@protocol CKKSChangeFetcherErrorOracle - (bool)isFatalCKFetchError:(NSError*)error; @end @@ -56,6 +57,7 @@ extern CKKSFetchBecause* const CKKSFetchBecauseTesting; @interface CKKSZoneChangeFetcher : NSObject @property (nullable, weak) CKKSKeychainView* ckks; +@property (readonly) NSError* lastCKFetchError; @property CKRecordZoneID* zoneID; - (instancetype)init NS_UNAVAILABLE; diff --git a/keychain/ckks/CKKSZoneChangeFetcher.m b/keychain/ckks/CKKSZoneChangeFetcher.m index 551f870e..bf1737bf 100644 --- a/keychain/ckks/CKKSZoneChangeFetcher.m +++ b/keychain/ckks/CKKSZoneChangeFetcher.m 
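Review bot: `@property (readonly) NSError* lastCKFetchError;` sits inside the `NS_ASSUME_NONNULL_BEGIN` region and is therefore implicitly nonnull, yet the implementation assigns `fetchAllChanges.error` to it after every fetch, which is nil on success. Declaring it as `@property (readonly, nullable) NSError* lastCKFetchError;` matches that behaviour and lets callers get a nullability warning. Within the visible hunks `CKKSFetchBecauseNetwork` is defined in the .m file but gets no `extern` declaration here alongside `CKKSFetchBecauseResync`; if other files are meant to use it, add `extern CKKSFetchBecause* const CKKSFetchBecauseNetwork;`.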
@@ -39,13 +39,33 @@ CKKSFetchBecause* const CKKSFetchBecauseCurrentItemFetchRequest = (CKKSFetchBeca CKKSFetchBecause* const CKKSFetchBecauseInitialStart = (CKKSFetchBecause*) @"initialfetch"; CKKSFetchBecause* const CKKSFetchBecauseSecuritydRestart = (CKKSFetchBecause*) @"restart"; CKKSFetchBecause* const CKKSFetchBecausePreviousFetchFailed = (CKKSFetchBecause*) @"fetchfailed"; +CKKSFetchBecause* const CKKSFetchBecauseNetwork = (CKKSFetchBecause*) @"network"; CKKSFetchBecause* const CKKSFetchBecauseKeyHierarchy = (CKKSFetchBecause*) @"keyhierarchy"; CKKSFetchBecause* const CKKSFetchBecauseTesting = (CKKSFetchBecause*) @"testing"; +CKKSFetchBecause* const CKKSFetchBecauseResync = (CKKSFetchBecause*) @"resync"; + +#pragma mark - CKKSZoneChangeFetchDependencyOperation +@interface CKKSZoneChangeFetchDependencyOperation : CKKSResultOperation +@property CKKSZoneChangeFetcher* owner; +@end + +@implementation CKKSZoneChangeFetchDependencyOperation +- (NSError* _Nullable)descriptionError { + return [NSError errorWithDomain:CKKSResultDescriptionErrorDomain + code:CKKSResultDescriptionPendingSuccessfulFetch + description:@"Fetch failed" + underlying:self.owner.lastCKFetchError]; +} +@end + +#pragma mark - CKKSZoneChangeFetcher @interface CKKSZoneChangeFetcher () @property NSString* name; @property dispatch_queue_t queue; +@property NSError* lastCKFetchError; + @property CKKSFetchAllRecordZoneChangesOperation* currentFetch; @property CKKSResultOperation* currentProcessResult; 
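Review bot: `@property CKKSZoneChangeFetcher* owner;` on `CKKSZoneChangeFetchDependencyOperation` is a strong reference, and `createSuccesfulFetchDependency` sets `dep.owner = self` while the fetcher keeps the operation in `successfulFetchDependency`, so the two retain each other until the dependency is replaced. Declaring it `@property (weak) CKKSZoneChangeFetcher* owner;` breaks the cycle; `descriptionError` would then pass a nil underlying error once the fetcher is gone, which should be checked against the `errorWithDomain:code:description:underlying:` helper (not shown here). `descriptionError` also says "Fetch failed" for a dependency that is merely waiting on a first fetch, so "Fetch has not yet succeeded" may be the more accurate text.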
@@ -70,21 +90,22 @@ CKKSFetchBecause* const CKKSFetchBecauseTesting = (CKKSFetchBecause*) @"testing" _name = [NSString stringWithFormat:@"zone-change-fetcher-%@", _zoneID.zoneName]; _queue = dispatch_queue_create([_name UTF8String], DISPATCH_QUEUE_SERIAL); - [self newSuccesfulFetchDependency]; + _successfulFetchDependency = [self createSuccesfulFetchDependency]; _newRequests = false; // If we're testing, for the initial delay, use 0.2 second. Otherwise, 2s. - dispatch_time_t initialDelay = (SecCKKSTestsEnabled() ? 200 * NSEC_PER_MSEC : 2 * NSEC_PER_SEC); + dispatch_time_t initialDelay = (SecCKKSReduceRateLimiting() ? 200 * NSEC_PER_MSEC : 2 * NSEC_PER_SEC); // If we're testing, for the initial delay, use 2 second. Otherwise, 30s. - dispatch_time_t continuingDelay = (SecCKKSTestsEnabled() ? 2 * NSEC_PER_SEC : 30 * NSEC_PER_SEC); + dispatch_time_t continuingDelay = (SecCKKSReduceRateLimiting() ? 2 * NSEC_PER_SEC : 30 * NSEC_PER_SEC); __weak __typeof(self) weakSelf = self; _fetchScheduler = [[CKKSNearFutureScheduler alloc] initWithName:[NSString stringWithFormat:@"zone-change-fetch-scheduler-%@", self.zoneID.zoneName] initialDelay:initialDelay continuingDelay:continuingDelay keepProcessAlive:false + dependencyDescriptionCode:CKKSResultDescriptionPendingZoneChangeFetchScheduling block:^{ [weakSelf maybeCreateNewFetch]; }]; 
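Review bot: The two delay comments still say "If we're testing" although the condition is now `SecCKKSReduceRateLimiting()`, and the second one says "initial delay" above `continuingDelay`. Updating them to `// With reduced rate limiting, use 0.2s for the initial delay; otherwise 2s.` and `// With reduced rate limiting, use 2s for the continuing delay; otherwise 30s.` keeps the comments in step with the code. The initializer begins and ends outside this hunk.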
@@ -150,15 +171,20 @@ CKKSFetchBecause* const CKKSFetchBecauseTesting = (CKKSFetchBecause*) @"testing" ckksnotice("ckksfetcher", self.zoneID, "Starting a new fetch for %@", self.zoneID.zoneName); - NSSet* lastFetchReasons = self.currentFetchReasons; + NSMutableSet* lastFetchReasons = self.currentFetchReasons; self.currentFetchReasons = [[NSMutableSet alloc] init]; if(self.newResyncRequests) { - [lastFetchReasons setByAddingObject:@"resync"]; + [lastFetchReasons addObject:CKKSFetchBecauseResync]; } CKOperationGroup* operationGroup = [CKOperationGroup CKKSGroupWithName: [[lastFetchReasons sortedArrayUsingDescriptors:@[[NSSortDescriptor sortDescriptorWithKey:@"description" ascending:YES]]] componentsJoinedByString:@","]]; - CKKSFetchAllRecordZoneChangesOperation* fetchAllChanges = [[CKKSFetchAllRecordZoneChangesOperation alloc] initWithCKKSKeychainView: ckks ckoperationGroup:operationGroup]; + CKKSFetchAllRecordZoneChangesOperation* fetchAllChanges = [[CKKSFetchAllRecordZoneChangesOperation alloc] initWithCKKSKeychainView:ckks + fetchReasons:lastFetchReasons + ckoperationGroup:operationGroup]; + if ([lastFetchReasons containsObject:CKKSFetchBecauseNetwork]) { + [fetchAllChanges addNullableDependency: ckks.reachabilityTracker.reachablityDependency]; // wait on network, if its unavailable + } [fetchAllChanges addNullableDependency: self.holdOperation]; fetchAllChanges.resync = self.newResyncRequests; self.newResyncRequests = false; @@ -180,6 +206,8 @@ CKKSFetchBecause* const CKKSFetchBecauseTesting = (CKKSFetchBecause*) @"testing" } dispatch_sync(strongSelf.queue, ^{ + self.lastCKFetchError = fetchAllChanges.error; + if(!fetchAllChanges.error) { // success! notify the listeners. [blockckks scheduleOperation: dependency]; 
@@ -189,14 +217,15 @@ CKKSFetchBecause* const CKKSFetchBecauseTesting = (CKKSFetchBecause*) @"testing" [strongSelf.fetchScheduler trigger]; } } else { + // The operation errored. Chain the dependency on the current one... + [dependency addSuccessDependency: strongSelf.successfulFetchDependency]; + [blockckks scheduleOperation: dependency]; + if([blockckks isFatalCKFetchError: fetchAllChanges.error]) { ckkserror("ckksfetcher", strongSelf.zoneID, "Notified that %@ is a fatal error. Not restarting fetch.", fetchAllChanges.error); return; } - // The operation errored. Chain the dependency on the current one... - [dependency addSuccessDependency: strongSelf.successfulFetchDependency]; - [blockckks scheduleOperation: dependency]; // And in a bit, try the fetch again. NSNumber* delaySeconds = fetchAllChanges.error.userInfo[CKErrorRetryAfterKey]; @@ -209,7 +238,12 @@ CKKSFetchBecause* const CKKSFetchBecauseTesting = (CKKSFetchBecause*) @"testing" // Add the failed fetch reasons to the new fetch reasons [strongSelf.currentFetchReasons unionSet:lastFetchReasons]; - [strongSelf.currentFetchReasons addObject:CKKSFetchBecausePreviousFetchFailed]; + // If its a network error, make next try depend on network availability + if ([blockckks.reachabilityTracker isNetworkError:fetchAllChanges.error]) { + [strongSelf.currentFetchReasons addObject:CKKSFetchBecauseNetwork]; + } else { + [strongSelf.currentFetchReasons addObject:CKKSFetchBecausePreviousFetchFailed]; + } strongSelf.newRequests = true; strongSelf.newResyncRequests |= fetchAllChanges.resync; [strongSelf.fetchScheduler trigger]; 
@@ -226,11 +260,11 @@ CKKSFetchBecause* const CKKSFetchBecauseTesting = (CKKSFetchBecause*) @"testing" // creata a new fetch dependency, for all those who come in while this operation is executing self.newRequests = false; - [self newSuccesfulFetchDependency]; + self.successfulFetchDependency = [self createSuccesfulFetchDependency]; } --(void)newSuccesfulFetchDependency { - CKKSResultOperation* dep = [[CKKSResultOperation alloc] init]; +-(CKKSZoneChangeFetchDependencyOperation*)createSuccesfulFetchDependency { + CKKSZoneChangeFetchDependencyOperation* dep = [[CKKSZoneChangeFetchDependencyOperation alloc] init]; __weak __typeof(dep) weakDep = dep; // Since these dependencies might chain, when one runs, break the chain. @@ -244,8 +278,10 @@ CKKSFetchBecause* const CKKSFetchBecauseTesting = (CKKSFetchBecause*) @"testing" } }]; dep.name = @"successful-fetch-dependency"; + dep.descriptionErrorCode = CKKSResultDescriptionPendingSuccessfulFetch; + dep.owner = self; - self.successfulFetchDependency = dep; + return dep; } - (void)holdFetchesUntil:(CKKSResultOperation*)holdOperation { diff --git a/keychain/ckks/CKKSZoneStateEntry.m b/keychain/ckks/CKKSZoneStateEntry.m index f8e808fe..060a9960 100644 --- a/keychain/ckks/CKKSZoneStateEntry.m +++ b/keychain/ckks/CKKSZoneStateEntry.m @@ -24,6 +24,7 @@ #include #import +#import #import "CKKSKeychainView.h" @@ -101,8 +102,7 @@ - (CKServerChangeToken*) getChangeToken { if(self.encodedChangeToken) { - NSKeyedUnarchiver* unarchiver = [[NSKeyedUnarchiver alloc] initForReadingWithData:self.encodedChangeToken]; - unarchiver.requiresSecureCoding = YES; + NSKeyedUnarchiver* unarchiver = [[NSKeyedUnarchiver alloc] initForReadingFromData:self.encodedChangeToken error:nil]; return [unarchiver decodeObjectOfClass:[CKServerChangeToken class] forKey:NSKeyedArchiveRootObjectKey]; } else { return nil; 
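Review bot: In `getChangeToken` the switch to `initForReadingFromData:error:` passes `error:nil`, so stored data that fails to decode yields a nil token with nothing logged. The same holds for the `archivedDataWithRootObject:requiringSecureCoding:error:` calls in `setChangeToken:` and `encodedRateLimiter`, and for the unarchiver in `setEncodedRateLimiter:`, in the hunks that follow. Passing an `NSError*` and logging it, e.g. `NSError* error = nil; ... initForReadingFromData:self.encodedChangeToken error:&error]; if(error) { secerror("ckks: couldn't decode change token: %@", error); }`, would make a silently dropped change token or rate limiter diagnosable. Since the explicit `requiresSecureCoding = YES` line is removed, a comment such as `// initForReadingFromData:error: enables secure coding by default` would record why that is safe.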
@@ -110,14 +110,14 @@ } - (void) setChangeToken: (CKServerChangeToken*) token { - self.encodedChangeToken = token ? [NSKeyedArchiver archivedDataWithRootObject:token] : nil; + self.encodedChangeToken = token ? [NSKeyedArchiver archivedDataWithRootObject:token requiringSecureCoding:YES error:nil] : nil; } - (NSData*)encodedRateLimiter { if(self.rateLimiter == nil) { return nil; } - return [NSKeyedArchiver archivedDataWithRootObject: self.rateLimiter]; + return [NSKeyedArchiver archivedDataWithRootObject:self.rateLimiter requiringSecureCoding:YES error:nil]; } - (void)setEncodedRateLimiter:(NSData *)encodedRateLimiter { @@ -126,8 +126,7 @@ return; } - NSKeyedUnarchiver* unarchiver = [[NSKeyedUnarchiver alloc] initForReadingWithData:encodedRateLimiter]; - unarchiver.requiresSecureCoding = YES; + NSKeyedUnarchiver* unarchiver = [[NSKeyedUnarchiver alloc] initForReadingFromData:encodedRateLimiter error:nil]; self.rateLimiter = [unarchiver decodeObjectOfClass: [CKKSRateLimiter class] forKey:NSKeyedArchiveRootObjectKey]; } diff --git a/keychain/ckks/CloudKitDependencies.h b/keychain/ckks/CloudKitDependencies.h index ae8f9e3a..75ea2414 100644 --- a/keychain/ckks/CloudKitDependencies.h +++ b/keychain/ckks/CloudKitDependencies.h @@ -41,6 +41,7 @@ NS_ASSUME_NONNULL_BEGIN @property (nonatomic, copy, nullable) NSArray* recordZoneIDsToDelete; @property NSOperationQueuePriority queuePriority; @property NSQualityOfService qualityOfService; +@property (nonatomic, strong, nullable) CKOperationGroup* group; @property (nonatomic, copy, nullable) void (^modifyRecordZonesCompletionBlock) (NSArray* _Nullable savedRecordZones, NSArray* _Nullable deletedRecordZoneIDs, NSError* _Nullable operationError); 
@@ -108,6 +109,7 @@ NS_ASSUME_NONNULL_BEGIN @property (nonatomic, copy, nullable) NSArray* recordIDs; @property (nonatomic, copy, nullable) NSArray* desiredKeys; +@property (nonatomic, copy, nullable) CKOperationConfiguration* configuration; @property (nonatomic, copy, nullable) void (^perRecordProgressBlock)(CKRecordID* recordID, double progress); @property (nonatomic, copy, nullable) void (^perRecordCompletionBlock) (CKRecord* _Nullable record, CKRecordID* _Nullable recordID, NSError* _Nullable error); diff --git a/keychain/ckks/NSOperationCategories.h b/keychain/ckks/NSOperationCategories.h index 3672768b..9740dd31 100644 --- a/keychain/ckks/NSOperationCategories.h +++ b/keychain/ckks/NSOperationCategories.h @@ -39,6 +39,9 @@ // Insert yourself as high up the linearized list of dependencies as possible - (void)linearDependenciesWithSelfFirst:(NSHashTable*)collection; +// Set completionBlock to remove all dependencies - break strong references. +- (void)removeDependenciesUponCompletion; + // Return a stringified representation of this operation's live dependencies. - (NSString*)pendingDependenciesString:(NSString*)prefix; @end diff --git a/keychain/ckks/NSOperationCategories.m b/keychain/ckks/NSOperationCategories.m index da565e2c..5d9d2c7d 100644 --- a/keychain/ckks/NSOperationCategories.m +++ b/keychain/ckks/NSOperationCategories.m @@ -115,6 +115,18 @@ [self addDependency:op]; } } + +- (void)removeDependenciesUponCompletion +{ + __weak __typeof(self) weakSelf = self; + self.completionBlock = ^{ + __strong __typeof(weakSelf) strongSelf = weakSelf; + for (NSOperation *op in strongSelf.dependencies) { + [strongSelf removeDependency:op]; + } + }; +} + @end @implementation NSBlockOperation (CKKSUsefulConstructorOperation) diff --git a/keychain/ckks/tests/CKKSCloudKitTests.m b/keychain/ckks/tests/CKKSCloudKitTests.m index f0ad55f8..b91df343 100644 --- a/keychain/ckks/tests/CKKSCloudKitTests.m +++ b/keychain/ckks/tests/CKKSCloudKitTests.m 
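Review bot: `removeDependenciesUponCompletion` assigns `self.completionBlock`, which replaces any completion block already set on the operation and is itself replaced by any later assignment, in which case the dependencies are silently kept. The header comment mentions completionBlock but not that the slot is exclusive; I would word it as `// Sets completionBlock to remove all dependencies (breaks strong references). Overwrites any existing completionBlock; do not combine with another one on the same operation.`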
@@ -65,6 +65,7 @@ + (void)setUp { SecCKKSResetSyncing(); SecCKKSTestsEnable(); + SecCKKSSetReduceRateLimiting(true); [super setUp]; #if NO_SERVER diff --git a/keychain/ckks/tests/CKKSConditionTests.m b/keychain/ckks/tests/CKKSConditionTests.m index 091500d1..1c0c6bb2 100644 --- a/keychain/ckks/tests/CKKSConditionTests.m +++ b/keychain/ckks/tests/CKKSConditionTests.m @@ -20,6 +20,7 @@ * * @APPLE_LICENSE_HEADER_END@ */ +#if OCTAGON #import #import @@ -69,7 +70,7 @@ [expectation fulfill]; }); - dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(150 * NSEC_PER_MSEC)), queue, ^{ + dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(250 * NSEC_PER_MSEC)), queue, ^{ [c fulfill]; }); @@ -95,3 +96,5 @@ } @end + +#endif /* OCTAGON */ diff --git a/keychain/ckks/tests/CKKSDeviceStateUploadTests.m b/keychain/ckks/tests/CKKSDeviceStateUploadTests.m new file mode 100644 index 00000000..a7bfeb28 --- /dev/null +++ b/keychain/ckks/tests/CKKSDeviceStateUploadTests.m 
@@ -0,0 +1,622 @@ +/* + * Copyright (c) 2018 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if OCTAGON + +#import +#import +#import + +#import "keychain/ckks/tests/CloudKitMockXCTest.h" +#import "keychain/ckks/tests/CloudKitKeychainSyncingMockXCTest.h" +#import "keychain/ckks/CKKS.h" +#import "keychain/ckks/CKKSViewManager.h" + +#import "keychain/ckks/tests/MockCloudKit.h" +#import "keychain/ckks/tests/CKKSTests.h" + +// break abstraction +@interface CKKSLockStateTracker () +@property (nullable) NSDate* lastUnlockedTime; +@end + + +@interface CloudKitKeychainSyncingDeviceStateUploadTests : CloudKitKeychainSyncingTestsBase +@end + +@implementation CloudKitKeychainSyncingDeviceStateUploadTests + +- (void)testDeviceStateUploadGood { + [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. 
+ + [self startCKKSSubsystem]; + [self.keychainView waitForKeyHierarchyReadiness]; + + __weak __typeof(self) weakSelf = self; + [self expectCKModifyRecords: @{SecCKRecordDeviceStateType: [NSNumber numberWithInt:1]} + deletedRecordTypeCounts:nil + zoneID:self.keychainZoneID + checkModifiedRecord: ^BOOL (CKRecord* record){ + if([record.recordType isEqualToString: SecCKRecordDeviceStateType]) { + // Check that all the things matches + __strong __typeof(weakSelf) strongSelf = weakSelf; + XCTAssertNotNil(strongSelf, "self exists"); + + ZoneKeys* zoneKeys = strongSelf.keys[strongSelf.keychainZoneID]; + XCTAssertNotNil(zoneKeys, "Have zone keys for %@", strongSelf.keychainZoneID); + + XCTAssertEqualObjects(record[SecCKSRecordOSVersionKey], SecCKKSHostOSVersion(), "os version string should match current OS version"); + XCTAssertTrue([self.utcCalendar isDate:record[SecCKSRecordLastUnlockTime] equalToDate:[NSDate date] toUnitGranularity:NSCalendarUnitDay], + "last unlock date (%@) similar to Now (%@)", record[SecCKSRecordLastUnlockTime], [NSDate date]); + + XCTAssertEqualObjects(record[SecCKRecordCirclePeerID], strongSelf.circlePeerID, "peer ID matches what we gave it"); + XCTAssertEqualObjects(record[SecCKRecordCircleStatus], [NSNumber numberWithInt:kSOSCCInCircle], "device is in circle"); + XCTAssertEqualObjects(record[SecCKRecordKeyState], CKKSZoneKeyToNumber(SecCKKSZoneKeyStateReady), "Device is in ready"); + + XCTAssertEqualObjects([record[SecCKRecordCurrentTLK] recordID].recordName, zoneKeys.tlk.uuid, "Correct TLK uuid"); + XCTAssertEqualObjects([record[SecCKRecordCurrentClassA] recordID].recordName, zoneKeys.classA.uuid, "Correct class A uuid"); + XCTAssertEqualObjects([record[SecCKRecordCurrentClassC] recordID].recordName, zoneKeys.classC.uuid, "Correct class C uuid"); + return YES; + } else { + return NO; + } + } + runAfterModification:nil]; + + [self.keychainView updateDeviceState:false waitForKeyHierarchyInitialization:2*NSEC_PER_SEC ckoperationGroup:nil]; + + 
OCMVerifyAllWithDelay(self.mockDatabase, 8); +} + +- (void)testDeviceStateUploadRateLimited { + [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. + + [self startCKKSSubsystem]; + [self.keychainView waitForKeyHierarchyReadiness]; + + __weak __typeof(self) weakSelf = self; + [self expectCKModifyRecords: @{SecCKRecordDeviceStateType: [NSNumber numberWithInt:1]} + deletedRecordTypeCounts:nil + zoneID:self.keychainZoneID + checkModifiedRecord: ^BOOL (CKRecord* record){ + if([record.recordType isEqualToString: SecCKRecordDeviceStateType]) { + // Check that all the things matches + __strong __typeof(weakSelf) strongSelf = weakSelf; + XCTAssertNotNil(strongSelf, "self exists"); + + ZoneKeys* zoneKeys = strongSelf.keys[strongSelf.keychainZoneID]; + XCTAssertNotNil(zoneKeys, "Have zone keys for %@", strongSelf.keychainZoneID); + + XCTAssertEqualObjects(record[SecCKSRecordOSVersionKey], SecCKKSHostOSVersion(), "os version string should match current OS version"); + XCTAssertTrue([self.utcCalendar isDate:record[SecCKSRecordLastUnlockTime] equalToDate:[NSDate date] toUnitGranularity:NSCalendarUnitDay], + "last unlock date (%@) similar to Now (%@)", record[SecCKSRecordLastUnlockTime], [NSDate date]); + + XCTAssertEqualObjects(record[SecCKRecordCirclePeerID], strongSelf.circlePeerID, "peer ID matches what we gave it"); + XCTAssertEqualObjects(record[SecCKRecordCircleStatus], [NSNumber numberWithInt:kSOSCCInCircle], "device is in circle"); + XCTAssertEqualObjects(record[SecCKRecordKeyState], CKKSZoneKeyToNumber(SecCKKSZoneKeyStateReady), "Device is in ready"); + + XCTAssertEqualObjects([record[SecCKRecordCurrentTLK] recordID].recordName, zoneKeys.tlk.uuid, "Correct TLK uuid"); + XCTAssertEqualObjects([record[SecCKRecordCurrentClassA] recordID].recordName, zoneKeys.classA.uuid, "Correct class A uuid"); + XCTAssertEqualObjects([record[SecCKRecordCurrentClassC] recordID].recordName, zoneKeys.classC.uuid, "Correct class C uuid"); + return YES; 
+ } else { + return NO; + } + } + runAfterModification:nil]; + + CKKSUpdateDeviceStateOperation* op = [self.keychainView updateDeviceState:true waitForKeyHierarchyInitialization:2*NSEC_PER_SEC ckoperationGroup:nil]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [op waitUntilFinished]; + + // Check that an immediate rate-limited retry doesn't upload anything + op = [self.keychainView updateDeviceState:true waitForKeyHierarchyInitialization:2*NSEC_PER_SEC ckoperationGroup:nil]; + [op waitUntilFinished]; + + // But not rate-limiting works just fine! + [self expectCKModifyRecords:@{SecCKRecordDeviceStateType: [NSNumber numberWithInt:1]} + deletedRecordTypeCounts:nil + zoneID:self.keychainZoneID + checkModifiedRecord:nil + runAfterModification:nil]; + op = [self.keychainView updateDeviceState:false waitForKeyHierarchyInitialization:2*NSEC_PER_SEC ckoperationGroup:nil]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [op waitUntilFinished]; + + // And now, if the update is old enough, that'll work too + [self.keychainView dispatchSync:^bool { + NSError* error = nil; + CKKSDeviceStateEntry* cdse = [CKKSDeviceStateEntry fromDatabase:self.accountStateTracker.ckdeviceID zoneID:self.keychainZoneID error:&error]; + XCTAssertNil(error, "No error fetching device state entry"); + XCTAssertNotNil(cdse, "Fetched device state entry"); + + CKRecord* record = cdse.storedCKRecord; + + NSDate* m = record.modificationDate; + XCTAssertNotNil(m, "Have modification date"); + + // Four days ago! 
+ NSDateComponents* offset = [[NSDateComponents alloc] init]; + [offset setHour:-4 * 24]; + NSDate* m2 = [[NSCalendar currentCalendar] dateByAddingComponents:offset toDate:m options:0]; + + XCTAssertNotNil(m2, "Made modification date"); + + record.modificationDate = m2; + [cdse setStoredCKRecord:record]; + + [cdse saveToDatabase:&error]; + XCTAssertNil(error, "No error saving device state entry"); + + return true; + }]; + + // And now the rate-limiting doesn't get in the way + [self expectCKModifyRecords:@{SecCKRecordDeviceStateType: [NSNumber numberWithInt:1]} + deletedRecordTypeCounts:nil + zoneID:self.keychainZoneID + checkModifiedRecord:nil + runAfterModification:nil]; + op = [self.keychainView updateDeviceState:true waitForKeyHierarchyInitialization:2*NSEC_PER_SEC ckoperationGroup:nil]; + OCMVerifyAllWithDelay(self.mockDatabase, 12); + [op waitUntilFinished]; +} + +- (void)testDeviceStateUploadRateLimitedAfterNormalUpload { + [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. + + [self startCKKSSubsystem]; + [self.keychainView waitForKeyHierarchyReadiness]; + + [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID]; + [self addGenericPassword:@"password" account:@"account-delete-me"]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + + // Check that an immediate rate-limited retry doesn't upload anything + CKKSUpdateDeviceStateOperation* op = [self.keychainView updateDeviceState:true waitForKeyHierarchyInitialization:2*NSEC_PER_SEC ckoperationGroup:nil]; + [op waitUntilFinished]; +} + +- (void)testDeviceStateUploadWaitsForKeyHierarchyReady { + [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. 
+ + // Ask to wait for quite a while if we don't become ready + [self.keychainView updateDeviceState:false waitForKeyHierarchyInitialization:20*NSEC_PER_SEC ckoperationGroup:nil]; + + __weak __typeof(self) weakSelf = self; + // Expect a ready upload + [self expectCKModifyRecords: @{SecCKRecordDeviceStateType: [NSNumber numberWithInt:1]} + deletedRecordTypeCounts:nil + zoneID:self.keychainZoneID + checkModifiedRecord: ^BOOL (CKRecord* record){ + if([record.recordType isEqualToString: SecCKRecordDeviceStateType]) { + __strong __typeof(weakSelf) strongSelf = weakSelf; + XCTAssertNotNil(strongSelf, "self exists"); + + ZoneKeys* zoneKeys = strongSelf.keys[strongSelf.keychainZoneID]; + XCTAssertNotNil(zoneKeys, "Have zone keys for %@", strongSelf.keychainZoneID); + + XCTAssertEqualObjects(record[SecCKSRecordOSVersionKey], SecCKKSHostOSVersion(), "os version string should match current OS version"); + XCTAssertTrue([self.utcCalendar isDate:record[SecCKSRecordLastUnlockTime] equalToDate:[NSDate date] toUnitGranularity:NSCalendarUnitDay], + "last unlock date (%@) similar to Now (%@)", record[SecCKSRecordLastUnlockTime], [NSDate date]); + + XCTAssertEqualObjects(record[SecCKRecordCirclePeerID], strongSelf.circlePeerID, "peer ID matches what we gave it"); + XCTAssertEqualObjects(record[SecCKRecordCircleStatus], [NSNumber numberWithInt:kSOSCCInCircle], "device is in circle"); + XCTAssertEqualObjects(record[SecCKRecordKeyState], CKKSZoneKeyToNumber(SecCKKSZoneKeyStateReady), "Device is in ready"); + + XCTAssertEqualObjects([record[SecCKRecordCurrentTLK] recordID].recordName, zoneKeys.tlk.uuid, "Correct TLK uuid"); + XCTAssertEqualObjects([record[SecCKRecordCurrentClassA] recordID].recordName, zoneKeys.classA.uuid, "Correct class A uuid"); + XCTAssertEqualObjects([record[SecCKRecordCurrentClassC] recordID].recordName, zoneKeys.classC.uuid, "Correct class C uuid"); + return YES; + } else { + return NO; + } + } + runAfterModification:nil]; + + // And allow the key state to 
progress + [self startCKKSSubsystem]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); +} + +- (void)testDeviceStateUploadWaitsForKeyHierarchyWaitForTLK { + // This test has stuff in CloudKit, but no TLKs. It should become very sad. + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self putFakeDeviceStatusInCloudKit:self.keychainZoneID]; + + // Ask to wait for the key state to enter a state if we don't become ready + [self.keychainView updateDeviceState:false waitForKeyHierarchyInitialization:20*NSEC_PER_SEC ckoperationGroup:nil]; + + __weak __typeof(self) weakSelf = self; + // Expect a waitfortlk upload + [self expectCKModifyRecords: @{SecCKRecordDeviceStateType: [NSNumber numberWithInt:1]} + deletedRecordTypeCounts:nil + zoneID:self.keychainZoneID + checkModifiedRecord: ^BOOL (CKRecord* record){ + if([record.recordType isEqualToString: SecCKRecordDeviceStateType]) { + __strong __typeof(weakSelf) strongSelf = weakSelf; + XCTAssertNotNil(strongSelf, "self exists"); + + ZoneKeys* zoneKeys = strongSelf.keys[strongSelf.keychainZoneID]; + XCTAssertNotNil(zoneKeys, "Have zone keys for %@", strongSelf.keychainZoneID); + + XCTAssertEqualObjects(record[SecCKSRecordOSVersionKey], SecCKKSHostOSVersion(), "os version string should match current OS version"); + XCTAssertTrue([self.utcCalendar isDate:record[SecCKSRecordLastUnlockTime] equalToDate:[NSDate date] toUnitGranularity:NSCalendarUnitDay], + "last unlock date (%@) similar to Now (%@)", record[SecCKSRecordLastUnlockTime], [NSDate date]); + + XCTAssertEqualObjects(record[SecCKRecordCirclePeerID], strongSelf.circlePeerID, "peer ID should matche what we gave it"); + XCTAssertEqualObjects(record[SecCKRecordCircleStatus], [NSNumber numberWithInt:kSOSCCInCircle], "device should be in circle"); + XCTAssertEqualObjects(record[SecCKRecordKeyState], CKKSZoneKeyToNumber(SecCKKSZoneKeyStateWaitForTLK), "Device should be in waitfortlk"); + + XCTAssertNil([record[SecCKRecordCurrentTLK] recordID].recordName, "Should have no 
TLK uuid"); + XCTAssertNil([record[SecCKRecordCurrentClassA] recordID].recordName, "Should have no class A uuid"); + XCTAssertNil([record[SecCKRecordCurrentClassC] recordID].recordName, "Should have no class C uuid"); + return YES; + } else { + return NO; + } + } + runAfterModification:nil]; + + // And allow the key state to progress + [self startCKKSSubsystem]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForTLK] wait:8*NSEC_PER_SEC], "CKKS entered waitfortlk"); + OCMVerifyAllWithDelay(self.mockDatabase, 8); +} + +- (void)testDeviceStateReceive { + [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. + + ZoneKeys* zoneKeys = self.keys[self.keychainZoneID]; + XCTAssertNotNil(zoneKeys, "Have zone keys for %@", self.keychainZoneID); + + [self startCKKSSubsystem]; + [self.keychainView waitForKeyHierarchyReadiness]; + + NSDate* date = [[NSCalendar currentCalendar] startOfDayForDate:[NSDate date]]; + CKKSDeviceStateEntry* cdse = [[CKKSDeviceStateEntry alloc] initForDevice:@"otherdevice" + osVersion:@"fake-version" + lastUnlockTime:date + circlePeerID:@"asdfasdf" + circleStatus:kSOSCCInCircle + keyState:SecCKKSZoneKeyStateReady + currentTLKUUID:zoneKeys.tlk.uuid + currentClassAUUID:zoneKeys.classA.uuid + currentClassCUUID:zoneKeys.classC.uuid + zoneID:self.keychainZoneID + encodedCKRecord:nil]; + CKRecord* record = [cdse CKRecordWithZoneID:self.keychainZoneID]; + [self.keychainZone addToZone:record]; + + CKKSDeviceStateEntry* oldcdse = [[CKKSDeviceStateEntry alloc] initForDevice:@"olderotherdevice" + osVersion:nil // old-style, no OSVersion or lastUnlockTime + lastUnlockTime:nil + circlePeerID:@"olderasdfasdf" + circleStatus:kSOSCCInCircle + keyState:SecCKKSZoneKeyStateReady + currentTLKUUID:zoneKeys.tlk.uuid + currentClassAUUID:zoneKeys.classA.uuid + currentClassCUUID:zoneKeys.classC.uuid + zoneID:self.keychainZoneID + encodedCKRecord:nil]; + [self.keychainZone addToZone:[oldcdse 
CKRecordWithZoneID:self.keychainZoneID]]; + + // Trigger a notification (with hilariously fake data) + [self.keychainView notifyZoneChange:nil]; + [self.keychainView waitForFetchAndIncomingQueueProcessing]; + + [self.keychainView dispatchSync: ^bool { + NSError* error = nil; + NSArray* cdses = [CKKSDeviceStateEntry allInZone:self.keychainZoneID error:&error]; + XCTAssertNil(error, "No error fetching CDSEs"); + XCTAssertNotNil(cdses, "An array of CDSEs was returned"); + XCTAssert(cdses.count >= 1u, "At least one CDSE came back"); + + CKKSDeviceStateEntry* item = nil; + CKKSDeviceStateEntry* olderotherdevice = nil; + for(CKKSDeviceStateEntry* dbcdse in cdses) { + if([dbcdse.device isEqualToString:@"otherdevice"]) { + item = dbcdse; + } else if([dbcdse.device isEqualToString:@"olderotherdevice"]) { + olderotherdevice = dbcdse; + } + } + XCTAssertNotNil(item, "Found a cdse for otherdevice"); + + XCTAssertEqualObjects(cdse, item, "Saved item matches pre-cloudkit item"); + + XCTAssertEqualObjects(item.osVersion, @"fake-version", "correct osVersion"); + XCTAssertEqualObjects(item.lastUnlockTime, date, "correct date"); + XCTAssertEqualObjects(item.circlePeerID, @"asdfasdf", "correct peer id"); + XCTAssertEqualObjects(item.keyState, SecCKKSZoneKeyStateReady, "correct key state"); + XCTAssertEqualObjects(item.currentTLKUUID, zoneKeys.tlk.uuid, "correct tlk uuid"); + XCTAssertEqualObjects(item.currentClassAUUID, zoneKeys.classA.uuid, "correct classA uuid"); + XCTAssertEqualObjects(item.currentClassCUUID, zoneKeys.classC.uuid, "correct classC uuid"); + + + XCTAssertNotNil(olderotherdevice, "Should have found a cdse for olderotherdevice"); + XCTAssertEqualObjects(oldcdse, olderotherdevice, "Saved item should match pre-cloudkit item"); + + XCTAssertNil(olderotherdevice.osVersion, "osVersion should be nil"); + XCTAssertNil(olderotherdevice.lastUnlockTime, "lastUnlockTime should be nil"); + XCTAssertEqualObjects(olderotherdevice.circlePeerID, @"olderasdfasdf", "correct peer id"); 
+ XCTAssertEqualObjects(olderotherdevice.keyState, SecCKKSZoneKeyStateReady, "correct key state"); + XCTAssertEqualObjects(olderotherdevice.currentTLKUUID, zoneKeys.tlk.uuid, "correct tlk uuid"); + XCTAssertEqualObjects(olderotherdevice.currentClassAUUID, zoneKeys.classA.uuid, "correct classA uuid"); + XCTAssertEqualObjects(olderotherdevice.currentClassCUUID, zoneKeys.classC.uuid, "correct classC uuid"); + + return false; + }]; + + OCMVerifyAllWithDelay(self.mockDatabase, 8); +} + +- (void)testDeviceStateUploadBadKeyState { + // This test has stuff in CloudKit, but no TLKs. It should become very sad. + [self putFakeKeyHierarchyInCloudKit: self.keychainZoneID]; + [self putFakeDeviceStatusInCloudKit:self.keychainZoneID]; + + [self startCKKSSubsystem]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForTLK] wait:8*NSEC_PER_SEC], "CKKS entered waitfortlk"); + XCTAssertEqualObjects(self.keychainView.keyHierarchyState, SecCKKSZoneKeyStateWaitForTLK, "CKKS entered waitfortlk"); + + __weak __typeof(self) weakSelf = self; + [self expectCKModifyRecords: @{SecCKRecordDeviceStateType: [NSNumber numberWithInt:1]} + deletedRecordTypeCounts:nil + zoneID:self.keychainZoneID + checkModifiedRecord: ^BOOL (CKRecord* record){ + if([record.recordType isEqualToString: SecCKRecordDeviceStateType]) { + // Check that all the things matches + __strong __typeof(weakSelf) strongSelf = weakSelf; + XCTAssertNotNil(strongSelf, "self exists"); + + XCTAssertEqualObjects(record[SecCKSRecordOSVersionKey], SecCKKSHostOSVersion(), "os version string should match current OS version"); + XCTAssertTrue([self.utcCalendar isDate:record[SecCKSRecordLastUnlockTime] equalToDate:[NSDate date] toUnitGranularity:NSCalendarUnitDay], + "last unlock date (%@) similar to Now (%@)", record[SecCKSRecordLastUnlockTime], [NSDate date]); + + XCTAssertEqualObjects(record[SecCKRecordCirclePeerID], strongSelf.circlePeerID, "peer ID matches what we gave it"); + 
XCTAssertEqualObjects(record[SecCKRecordCircleStatus], [NSNumber numberWithInt:kSOSCCInCircle], "device is in circle"); + XCTAssertEqualObjects(record[SecCKRecordKeyState], CKKSZoneKeyToNumber(SecCKKSZoneKeyStateWaitForTLK), "Device is in waitfortlk"); + + XCTAssertNil(record[SecCKRecordCurrentTLK] , "No TLK"); + XCTAssertNil(record[SecCKRecordCurrentClassA], "No class A key"); + XCTAssertNil(record[SecCKRecordCurrentClassC], "No class C key"); + return YES; + } else { + return NO; + } + } + runAfterModification:nil]; + + [self.keychainView updateDeviceState:false waitForKeyHierarchyInitialization:500*NSEC_PER_MSEC ckoperationGroup:nil]; + + OCMVerifyAllWithDelay(self.mockDatabase, 8); +} + +- (void)testDeviceStateUploadWaitForUnlockKeyState { + // Starts with everything in keychain, but locked + [self putFakeKeyHierarchyInCloudKit: self.keychainZoneID]; + [self saveTLKMaterialToKeychain:self.keychainZoneID]; + [self putFakeDeviceStatusInCloudKit:self.keychainZoneID]; + + NSDateComponents *dateComponents = [[NSDateComponents alloc] init]; + [dateComponents setDay:-3]; + NSDate* threeDaysAgo = [[NSCalendar currentCalendar] dateByAddingComponents:dateComponents toDate:[NSDate date] options:0]; + + self.aksLockState = true; + [self.lockStateTracker recheck]; + self.lockStateTracker.lastUnlockedTime = threeDaysAgo; + XCTAssertTrue([self.utcCalendar isDate:self.lockStateTracker.lastUnlockTime + equalToDate:threeDaysAgo + toUnitGranularity:NSCalendarUnitSecond], + "last unlock date (%@) similar to threeDaysAgo (%@)", self.lockStateTracker.lastUnlockTime, threeDaysAgo); + + [self startCKKSSubsystem]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForUnlock] wait:8*NSEC_PER_SEC], "CKKS entered waitforunlock"); + + __weak __typeof(self) weakSelf = self; + [self expectCKModifyRecords: @{SecCKRecordDeviceStateType: [NSNumber numberWithInt:1]} + deletedRecordTypeCounts:nil + zoneID:self.keychainZoneID + checkModifiedRecord: ^BOOL 
(CKRecord* record){ + if([record.recordType isEqualToString: SecCKRecordDeviceStateType]) { + // Check that all the things matches + __strong __typeof(weakSelf) strongSelf = weakSelf; + XCTAssertNotNil(strongSelf, "self exists"); + + XCTAssertEqualObjects(record[SecCKSRecordOSVersionKey], SecCKKSHostOSVersion(), "os version string should match current OS version"); + XCTAssertTrue([self.utcCalendar isDate:record[SecCKSRecordLastUnlockTime] equalToDate:threeDaysAgo toUnitGranularity:NSCalendarUnitDay], + "last unlock date (%@) similar to three days ago (%@)", record[SecCKSRecordLastUnlockTime], threeDaysAgo); + + XCTAssertEqualObjects(record[SecCKRecordCirclePeerID], strongSelf.circlePeerID, "peer ID matches what we gave it"); + XCTAssertEqualObjects(record[SecCKRecordCircleStatus], [NSNumber numberWithInt:kSOSCCInCircle], "device is in circle"); + XCTAssertEqualObjects(record[SecCKRecordKeyState], CKKSZoneKeyToNumber(SecCKKSZoneKeyStateWaitForUnlock), "Device is in waitforunlock"); + + XCTAssertNil(record[SecCKRecordCurrentTLK] , "No TLK"); + XCTAssertNil(record[SecCKRecordCurrentClassA], "No class A key"); + XCTAssertNil(record[SecCKRecordCurrentClassC], "No class C key"); + return YES; + } else { + return NO; + } + } + runAfterModification:nil]; + + [self.keychainView updateDeviceState:false waitForKeyHierarchyInitialization:500*NSEC_PER_MSEC ckoperationGroup:nil]; + + OCMVerifyAllWithDelay(self.mockDatabase, 8); +} + +- (void)testDeviceStateUploadBadKeyStateAfterRestart { + // This test has stuff in CloudKit, but no TLKs. It should become very sad. 
+ [self putFakeKeyHierarchyInCloudKit: self.keychainZoneID]; + [self putFakeDeviceStatusInCloudKit:self.keychainZoneID]; + + [self startCKKSSubsystem]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForTLK] wait:8*NSEC_PER_SEC], "CKKS entered waitfortlk"); + XCTAssertEqualObjects(self.keychainView.keyHierarchyState, SecCKKSZoneKeyStateWaitForTLK, "CKKS entered waitfortlk"); + + // And restart CKKS... + self.keychainView = [[CKKSViewManager manager] restartZone: self.keychainZoneID.zoneName]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForTLK] wait:8*NSEC_PER_SEC], "CKKS entered waitfortlk"); + XCTAssertEqualObjects(self.keychainView.keyHierarchyState, SecCKKSZoneKeyStateWaitForTLK, "CKKS entered waitfortlk"); + + __weak __typeof(self) weakSelf = self; + [self expectCKModifyRecords: @{SecCKRecordDeviceStateType: [NSNumber numberWithInt:1]} + deletedRecordTypeCounts:nil + zoneID:self.keychainZoneID + checkModifiedRecord: ^BOOL (CKRecord* record){ + if([record.recordType isEqualToString: SecCKRecordDeviceStateType]) { + // Check that all the things matches + __strong __typeof(weakSelf) strongSelf = weakSelf; + XCTAssertNotNil(strongSelf, "self exists"); + + XCTAssertEqualObjects(record[SecCKSRecordOSVersionKey], SecCKKSHostOSVersion(), "os version string should match current OS version"); + XCTAssertTrue([self.utcCalendar isDate:record[SecCKSRecordLastUnlockTime] equalToDate:[NSDate date] toUnitGranularity:NSCalendarUnitDay], + "last unlock date (%@) similar to Now (%@)", record[SecCKSRecordLastUnlockTime], [NSDate date]); + + XCTAssertEqualObjects(record[SecCKRecordCirclePeerID], strongSelf.circlePeerID, "peer ID matches what we gave it"); + XCTAssertEqualObjects(record[SecCKRecordCircleStatus], [NSNumber numberWithInt:kSOSCCInCircle], "device is in circle"); + XCTAssertEqualObjects(record[SecCKRecordKeyState], CKKSZoneKeyToNumber(SecCKKSZoneKeyStateWaitForTLK), "Device is in waitfortlk"); 
+ + XCTAssertNil(record[SecCKRecordCurrentTLK] , "No TLK"); + XCTAssertNil(record[SecCKRecordCurrentClassA], "No class A key"); + XCTAssertNil(record[SecCKRecordCurrentClassC], "No class C key"); + return YES; + } else { + return NO; + } + } + runAfterModification:nil]; + + [self.keychainView updateDeviceState:false waitForKeyHierarchyInitialization:500*NSEC_PER_MSEC ckoperationGroup:nil]; + + OCMVerifyAllWithDelay(self.mockDatabase, 8); +} + + +- (void)testDeviceStateUploadBadCircleState { + self.circleStatus = kSOSCCNotInCircle; + [self.accountStateTracker notifyCircleStatusChangeAndWaitForSignal]; + + // This test has stuff in CloudKit, but no TLKs. + [self putFakeKeyHierarchyInCloudKit: self.keychainZoneID]; + + [self startCKKSSubsystem]; + + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateLoggedOut] wait:8*NSEC_PER_SEC], "CKKS entered logged out"); + XCTAssertEqualObjects(self.keychainView.keyHierarchyState, SecCKKSZoneKeyStateLoggedOut, "CKKS thinks it's logged out"); + + __weak __typeof(self) weakSelf = self; + [self expectCKModifyRecords: @{SecCKRecordDeviceStateType: [NSNumber numberWithInt:1]} + deletedRecordTypeCounts:nil + zoneID:self.keychainZoneID + checkModifiedRecord: ^BOOL (CKRecord* record){ + if([record.recordType isEqualToString: SecCKRecordDeviceStateType]) { + // Check that all the things matches + __strong __typeof(weakSelf) strongSelf = weakSelf; + XCTAssertNotNil(strongSelf, "self exists"); + + XCTAssertEqualObjects(record[SecCKSRecordOSVersionKey], SecCKKSHostOSVersion(), "os version string should match current OS version"); + XCTAssertTrue([self.utcCalendar isDate:record[SecCKSRecordLastUnlockTime] equalToDate:[NSDate date] toUnitGranularity:NSCalendarUnitDay], + "last unlock date (%@) similar to Now (%@)", record[SecCKSRecordLastUnlockTime], [NSDate date]); + + XCTAssertNil(record[SecCKRecordCirclePeerID], "no peer ID if device is not in circle"); + XCTAssertEqualObjects(record[SecCKRecordCircleStatus], 
[NSNumber numberWithInt:kSOSCCNotInCircle], "device is not in circle"); + XCTAssertEqualObjects(record[SecCKRecordKeyState], CKKSZoneKeyToNumber(SecCKKSZoneKeyStateLoggedOut), "Device is in keystate:loggedout"); + + XCTAssertNil(record[SecCKRecordCurrentTLK] , "No TLK"); + XCTAssertNil(record[SecCKRecordCurrentClassA], "No class A key"); + XCTAssertNil(record[SecCKRecordCurrentClassC], "No class C key"); + return YES; + } else { + return NO; + } + } + runAfterModification:nil]; + + CKKSUpdateDeviceStateOperation* op = [self.keychainView updateDeviceState:false waitForKeyHierarchyInitialization:500*NSEC_PER_MSEC ckoperationGroup:nil]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + + [op waitUntilFinished]; + XCTAssertNil(op.error, "No error uploading 'out of circle' device state"); +} + +- (void)testDeviceStateUploadWithTardyNetworkAfterRestart { + // Test starts with a key hierarchy in cloudkit and the TLK having arrived + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self saveTLKMaterialToKeychain:self.keychainZoneID]; + [self expectCKKSTLKSelfShareUpload:self.keychainZoneID]; + + [self holdCloudKitFetches]; + + [self startCKKSSubsystem]; + + // we should be stuck in fetch + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateFetch] wait:8*NSEC_PER_SEC], "Key state should become fetch"); + + __weak __typeof(self) weakSelf = self; + [self expectCKModifyRecords: @{SecCKRecordDeviceStateType: [NSNumber numberWithInt:1]} + deletedRecordTypeCounts:nil + zoneID:self.keychainZoneID + checkModifiedRecord: ^BOOL (CKRecord* record){ + if([record.recordType isEqualToString: SecCKRecordDeviceStateType]) { + // Check that all the things matches + __strong __typeof(weakSelf) strongSelf = weakSelf; + XCTAssertNotNil(strongSelf, "self exists"); + + ZoneKeys* zoneKeys = strongSelf.keys[strongSelf.keychainZoneID]; + XCTAssertNotNil(zoneKeys, "Have zone keys for %@", strongSelf.keychainZoneID); + + 
XCTAssertEqualObjects(record[SecCKSRecordOSVersionKey], SecCKKSHostOSVersion(), "os version string should match current OS version"); + XCTAssertTrue([self.utcCalendar isDate:record[SecCKSRecordLastUnlockTime] equalToDate:[NSDate date] toUnitGranularity:NSCalendarUnitDay], + "last unlock date (%@) similar to Now (%@)", record[SecCKSRecordLastUnlockTime], [NSDate date]); + + XCTAssertEqualObjects(record[SecCKRecordCirclePeerID], strongSelf.circlePeerID, "peer ID matches what we gave it"); + XCTAssertEqualObjects(record[SecCKRecordCircleStatus], [NSNumber numberWithInt:kSOSCCInCircle], "device is in circle"); + XCTAssertEqualObjects(record[SecCKRecordKeyState], CKKSZoneKeyToNumber(SecCKKSZoneKeyStateReady), "Device is in ready"); + + XCTAssertEqualObjects([record[SecCKRecordCurrentTLK] recordID].recordName, zoneKeys.tlk.uuid, "Correct TLK uuid"); + XCTAssertEqualObjects([record[SecCKRecordCurrentClassA] recordID].recordName, zoneKeys.classA.uuid, "Correct class A uuid"); + XCTAssertEqualObjects([record[SecCKRecordCurrentClassC] recordID].recordName, zoneKeys.classC.uuid, "Correct class C uuid"); + return YES; + } else { + return NO; + } + } + runAfterModification:nil]; + + + [self.keychainView updateDeviceState:false waitForKeyHierarchyInitialization:8*NSEC_PER_SEC ckoperationGroup:nil]; + + XCTAssertEqualObjects(self.keychainView.keyHierarchyState, SecCKKSZoneKeyStateFetch, "CKKS re-entered fetch"); + [self releaseCloudKitFetchHold]; + + OCMVerifyAllWithDelay(self.mockDatabase, 16); +} + + + +@end + +#endif // OCTAGON diff --git a/keychain/ckks/tests/CKKSLoggerTests.m b/keychain/ckks/tests/CKKSLoggerTests.m index 0ef3b1e5..4a83cc8d 100644 --- a/keychain/ckks/tests/CKKSLoggerTests.m +++ b/keychain/ckks/tests/CKKSLoggerTests.m 
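Review bot: The negative rate-limiting cases assert nothing visible. In `testDeviceStateUploadRateLimited` the step commented "Check that an immediate rate-limited retry doesn't upload anything" only calls `[op waitUntilFinished]`, and `testDeviceStateUploadRateLimitedAfterNormalUpload` ends the same way. Presumably the mock database fails the test on a modify operation with no registered expectation, but that behaviour is defined outside this file. If so, add a comment like `// no expectCKModifyRecords registered: an upload here fails the mock`; otherwise assert on observable state, for example that the stored record's `modificationDate` is unchanged after the retry. Separately, the `checkModifiedRecord` blocks set up `weakSelf`/`strongSelf` but then call `self.utcCalendar`, which captures `self` strongly; `strongSelf.utcCalendar` would match the intent.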
@@ -21,13 +21,16 @@ * @APPLE_LICENSE_HEADER_END@ */ +#if OCTAGON + #import "CKKSTests.h" -#import "keychain/ckks/CKKSAnalyticsLogger.h" +#import "keychain/ckks/CKKSAnalytics.h" #import #import +#import +#import #import - -#if OCTAGON +#import static NSString* tablePath = nil; @@ -120,8 +123,8 @@ static NSString* tablePath = nil; XCTAssertTrue([sqlTable openWithError:&error], @"failed to open database"); XCTAssertNil(error, "encountered error opening database: %@", error); - // delete the database to create havoc - [[NSFileManager defaultManager] removeItemAtPath:tablePath error:nil]; + // delete the table to create havoc + XCTAssertTrue([sqlTable executeSQL:@"drop table test;"], @"deleting test table should have worked"); XCTAssertNoThrow([sqlTable insertOrReplaceInto:@"test" values:@{@"test_column" : @(1)}], @"inserting into deleted table threw an exception"); } @@ -129,11 +132,31 @@ static NSString* tablePath = nil; @end @interface CKKSAnalyticsTests : CloudKitKeychainSyncingTestsBase +@property id mockCKKSAnalytics; @end @implementation CKKSAnalyticsTests -- (void)testLastSuccessfulSyncDate +- (void)setUp +{ + self.mockCKKSAnalytics = OCMClassMock([CKKSAnalytics class]); + OCMStub([self.mockCKKSAnalytics databasePath]).andCall(self, @selector(databasePath)); + [super setUp]; +} + +- (void)tearDown +{ + [self.mockCKKSAnalytics stopMocking]; + self.mockCKKSAnalytics = nil; + [super tearDown]; +} + +- (NSString*)databasePath +{ + return [NSTemporaryDirectory() stringByAppendingPathComponent:@"test_ckks_analytics_v2.db"]; +} + +- (void)testLastSuccessfulXDate { [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. [self startCKKSSubsystem]; 
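Review bot: `databasePath` in `CKKSAnalyticsTests` returns the same fixed name, `test_ckks_analytics_v2.db`, under `NSTemporaryDirectory()` on every run, and the added `tearDown` stops the mock without removing that file. Rows written by one test or run therefore remain for the next, and the date assertions that follow can be influenced by leftover state. Consider clearing it in `tearDown`, e.g. `[[NSFileManager defaultManager] removeItemAtPath:[self databasePath] error:nil];`, or using a per-test file name stored in a property during `setUp`. Whether the `CKKSAnalytics` logger keeps the store open across tests is not visible in this hunk, so check that before deleting the file underneath it.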
@@ -144,12 +167,54 @@ static NSString* tablePath = nil; [self.keychainView notifyZoneChange:nil]; [[[self.keychainView waitForFetchAndIncomingQueueProcessing] completionHandlerDidRunCondition] wait:4 * NSEC_PER_SEC]; - - NSDate* syncDate = [[CKKSAnalyticsLogger logger] dateOfLastSuccessForEvent:CKKSEventProcessIncomingQueueClassC inView:self.keychainView]; - XCTAssertNotNil(syncDate, "Failed to get a last successful sync date"); - NSDate* nowDate = [NSDate dateWithTimeIntervalSinceNow:0]; - NSTimeInterval timeIntervalSinceSyncDate = [nowDate timeIntervalSinceDate:syncDate]; - XCTAssertTrue(timeIntervalSinceSyncDate >= 0.0 && timeIntervalSinceSyncDate <= 15.0, "Last sync date does not look like a reasonable one"); + + NSDate* nowDate = [NSDate date]; + NSTimeInterval timeInterval; + + /* + * Check last sync date for class A + */ + NSDate* syncADate = [[CKKSAnalytics logger] dateOfLastSuccessForEvent:CKKSEventProcessIncomingQueueClassA inView:self.keychainView]; + XCTAssertNotNil(syncADate, "Failed to get a last successful A sync date"); + timeInterval = [nowDate timeIntervalSinceDate:syncADate]; + XCTAssertTrue(timeInterval >= 0.0 && timeInterval <= 15.0, "Last sync date does not look like a reasonable one"); + + /* + * Check last sync date for class C + */ + NSDate *syncCDate = [[CKKSAnalytics logger] dateOfLastSuccessForEvent:CKKSEventProcessIncomingQueueClassC inView:self.keychainView]; + XCTAssertNotNil(syncCDate, "Failed to get a last successful C sync date"); + timeInterval = [nowDate timeIntervalSinceDate:syncCDate]; + XCTAssertTrue(timeInterval >= 0.0 && timeInterval <= 15.0, "Last sync date does not look like a reasonable one"); + + /* + * Check last unlock date + */ + NSDate* unlockDate = [[CKKSAnalytics logger] datePropertyForKey:CKKSAnalyticsLastUnlock]; + XCTAssertNotNil(unlockDate, "Failed to get a last unlock date"); + timeInterval = [nowDate timeIntervalSinceDate:unlockDate]; + NSLog(@"timeinterval: %f\n", timeInterval); + XCTAssertTrue(timeInterval 
>= 0.0 && timeInterval <= 15.0, "Last unlock date does not look like a reasonable one"); + + sleep(1); // wait to be a differnt second + + self.aksLockState = true; + [self.lockStateTracker recheck]; + + NSDate* newUnlockDate = [[CKKSAnalytics logger] datePropertyForKey:CKKSAnalyticsLastUnlock]; + XCTAssertNotNil(newUnlockDate, "Failed to get a last unlock date"); + XCTAssertEqualObjects(newUnlockDate, unlockDate, "unlock date not the same"); + + sleep(1); // wait to be a differnt second + + self.aksLockState = false; + [self.lockStateTracker recheck]; + + sleep(1); // wait for the completion block to have time to fire + + newUnlockDate = [[CKKSAnalytics logger] datePropertyForKey:CKKSAnalyticsLastUnlock]; + XCTAssertNotNil(newUnlockDate, "Failed to get a last unlock date"); + XCTAssertNotEqualObjects(newUnlockDate, unlockDate, "unlock date the same"); } - (void)testRaceToCreateLoggers @@ -157,7 +222,7 @@ static NSString* tablePath = nil; dispatch_semaphore_t semaphore = dispatch_semaphore_create(0); for (NSInteger i = 0; i < 5; i++) { dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{ - CKKSAnalyticsLogger* logger = [CKKSAnalyticsLogger logger]; + CKKSAnalytics* logger = [CKKSAnalytics logger]; [logger logSuccessForEvent:(CKKSAnalyticsFailableEvent*)@"test_event" inView:self.keychainView]; dispatch_semaphore_signal(semaphore); }); 
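Review bot: The unlock-date half of `testLastSuccessfulXDate` synchronises with three bare `sleep(1)` calls, and the last one ("wait for the completion block to have time to fire") is a timing guess that will fail on a loaded machine. I would replace that last sleep with a bounded wait: either an `XCTestExpectation` fulfilled when the lock-state change has been processed, or a short poll of `datePropertyForKey:CKKSAnalyticsLastUnlock` with a deadline. The leftover `NSLog(@"timeinterval: %f\n", timeInterval);` can be dropped. The two `// wait to be a differnt second` comments would read better as `// wait so the next unlock timestamp falls in a different second`. The start of the test method is outside this hunk.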
@@ -168,6 +233,76 @@ static NSString* tablePath = nil; } } +- (void)testUnderlayingError +{ + NSDictionary *errorString = nil; + NSError *error = nil; + + error = [NSError errorWithDomain:CKErrorDomain code:CKErrorPartialFailure userInfo:@{ + CKPartialErrorsByItemIDKey : @{ + @"recordid" : [NSError errorWithDomain:CKErrorDomain code:1 userInfo:nil], + } + }]; + + errorString = [[CKKSAnalytics logger] errorChain:error depth:0]; + + XCTAssertEqualObjects(errorString[@"domain"], CKErrorDomain, "error domain"); + XCTAssertEqual([errorString[@"code"] intValue], CKErrorPartialFailure, "error code"); + + XCTAssertEqualObjects(errorString[@"oneCloudKitPartialFailure"][@"domain"], CKErrorDomain, "error domain"); + XCTAssertEqual([errorString[@"oneCloudKitPartialFailure"][@"code"] intValue], 1, "error code"); + + /* interal partial error leaks out of CK */ + + error = [NSError errorWithDomain:CKErrorDomain code:CKErrorPartialFailure userInfo:@{ + CKPartialErrorsByItemIDKey : @{ + @"recordid1" : [NSError errorWithDomain:CKErrorDomain code:CKErrorBatchRequestFailed userInfo:nil], + @"recordid2" : [NSError errorWithDomain:CKErrorDomain code:CKErrorBatchRequestFailed userInfo:nil], + @"recordid3" : [NSError errorWithDomain:CKErrorDomain code:CKErrorBatchRequestFailed userInfo:nil], + @"recordid4" : [NSError errorWithDomain:CKErrorDomain code:CKErrorBatchRequestFailed userInfo:nil], + @"recordid5" : [NSError errorWithDomain:CKErrorDomain code:CKErrorBatchRequestFailed userInfo:nil], + @"recordid6" : [NSError errorWithDomain:CKErrorDomain code:CKErrorBatchRequestFailed userInfo:nil], + @"recordid7" : [NSError errorWithDomain:CKErrorDomain code:CKErrorBatchRequestFailed userInfo:nil], + @"recordid8" : [NSError errorWithDomain:CKErrorDomain code:CKErrorBatchRequestFailed userInfo:nil], + @"recordid9" : [NSError errorWithDomain:CKErrorDomain code:CKErrorBatchRequestFailed userInfo:nil], + @"recordid0" : [NSError errorWithDomain:CKErrorDomain code:1 userInfo:nil], + @"recordid10" : 
[NSError errorWithDomain:CKErrorDomain code:CKErrorBatchRequestFailed userInfo:nil], + @"recordid12" : [NSError errorWithDomain:CKErrorDomain code:CKErrorBatchRequestFailed userInfo:nil], + @"recordid13" : [NSError errorWithDomain:CKErrorDomain code:CKErrorBatchRequestFailed userInfo:nil], + @"recordid14" : [NSError errorWithDomain:CKErrorDomain code:CKErrorBatchRequestFailed userInfo:nil], + @"recordid15" : [NSError errorWithDomain:CKErrorDomain code:CKErrorBatchRequestFailed userInfo:nil], + @"recordid16" : [NSError errorWithDomain:CKErrorDomain code:CKErrorBatchRequestFailed userInfo:nil], + @"recordid17" : [NSError errorWithDomain:CKErrorDomain code:CKErrorBatchRequestFailed userInfo:nil], + @"recordid18" : [NSError errorWithDomain:CKErrorDomain code:CKErrorBatchRequestFailed userInfo:nil], + @"recordid19" : [NSError errorWithDomain:CKErrorDomain code:CKErrorBatchRequestFailed userInfo:nil], + } + }]; + + errorString = [[CKKSAnalytics logger] errorChain:error depth:0]; + + XCTAssertEqualObjects(errorString[@"domain"], CKErrorDomain, "error domain"); + XCTAssertEqual([errorString[@"code"] intValue], CKErrorPartialFailure, "error code"); + + XCTAssertEqualObjects(errorString[@"oneCloudKitPartialFailure"][@"domain"], CKErrorDomain, "error domain"); + XCTAssertEqualObjects(errorString[@"oneCloudKitPartialFailure"][@"code"], @1, "error code"); + + + + + error = [NSError errorWithDomain:@"domain" code:1 userInfo:@{ + NSUnderlyingErrorKey : [NSError errorWithDomain:CKErrorDomain code:1 userInfo:nil], + }]; + + errorString = [[CKKSAnalytics logger] errorChain:error depth:0]; + + XCTAssertEqualObjects(errorString[@"domain"], @"domain", "error domain"); + XCTAssertEqual([errorString[@"code"] intValue], 1, "error code"); + + XCTAssertEqualObjects(errorString[@"child"][@"domain"], CKErrorDomain, "error domain"); + XCTAssertEqual([errorString[@"child"][@"code"] intValue], 1, "error code"); +} + + @end #endif 
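Review bot: The second case in `testUnderlayingError` does not say what it relies on. Every entry in the partial-failure dictionary except `recordid0` is `CKErrorBatchRequestFailed`, and the test then asserts that `oneCloudKitPartialFailure` has code 1. It therefore only passes if `errorChain:depth:` skips batch-failed entries, and the existing comment "interal partial error leaks out of CK" does not explain that. I would replace it with `/* errorChain must skip CKErrorBatchRequestFailed entries and report the one real failure (recordid0, code 1) */`. The method name is presumably meant to be `testUnderlyingError`, and the local `errorString` holds an `NSDictionary`, so `errorInfo` would be clearer. The three cases also mix `intValue` comparison with `XCTAssertEqualObjects(..., @1, ...)`; picking one form would make them consistent.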
diff --git a/keychain/ckks/tests/CKKSManifestTests.m b/keychain/ckks/tests/CKKSManifestTests.m index 2728f7c6..e427957b 100644 --- a/keychain/ckks/tests/CKKSManifestTests.m +++ b/keychain/ckks/tests/CKKSManifestTests.m @@ -95,6 +95,7 @@ // Test starts with keys in CloudKit (so we can create items later) [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self putFakeDeviceStatusInCloudKit:self.keychainZoneID]; [self saveTLKMaterialToKeychain:self.keychainZoneID]; [self expectCKModifyKeyRecords:0 currentKeyPointerRecords:0 tlkShareRecords:1 zoneID:self.keychainZoneID]; @@ -119,7 +120,8 @@ OCMVerifyAllWithDelay(self.mockDatabase, 8); [self waitForCKModifications]; int tlkshares = 1; - XCTAssertEqual(self.keychainZone.currentDatabase.count, SYSTEM_DB_RECORD_COUNT + passwordCount + tlkshares, "Have 6+passwordCount objects in cloudkit"); + int extraDeviceStates = 1; + XCTAssertEqual(self.keychainZone.currentDatabase.count, SYSTEM_DB_RECORD_COUNT + passwordCount + tlkshares + extraDeviceStates, "Have 6+passwordCount objects in cloudkit"); NSArray* items = [self mirrorItemsForExistingItems]; _egoManifest = [CKKSEgoManifest newManifestForZone:self.keychainZoneID.zoneName withItems:items peerManifestIDs:@[] currentItems:@{} error:&error]; diff --git a/keychain/ckks/tests/CKKSNearFutureSchedulerTests.m b/keychain/ckks/tests/CKKSNearFutureSchedulerTests.m index 84de78f7..107af38b 100644 --- a/keychain/ckks/tests/CKKSNearFutureSchedulerTests.m +++ b/keychain/ckks/tests/CKKSNearFutureSchedulerTests.m @@ -21,10 +21,13 @@ * @APPLE_LICENSE_HEADER_END@ */ +#if OCTAGON + #include #import #import "keychain/ckks/CKKSNearFutureScheduler.h" #import "keychain/ckks/CKKSResultOperation.h" +#import "keychain/ckks/CKKS.h" @interface CKKSNearFutureSchedulerTests : XCTestCase @property NSOperationQueue* operationQueue; 
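Review bot: The assertion message in the `@@ -119,7 +120,8 @@` hunk of CKKSManifestTests.m is now stale. The expected count gained `tlkshares` and `extraDeviceStates`, but the message still reads "Have 6+passwordCount objects in cloudkit". A failure would then print a number that matches neither side. I would name the terms instead: `"Have SYSTEM_DB_RECORD_COUNT + passwordCount + tlkshares + extraDeviceStates objects in cloudkit"`. The enclosing test method starts and ends outside the hunk.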
@@ -47,7 +50,9 @@ - (void)testBlockOneShot { XCTestExpectation *expectation = [self expectationWithDescription:@"FutureScheduler fired"]; - CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay:50*NSEC_PER_MSEC keepProcessAlive:true block:^{ + CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay:50*NSEC_PER_MSEC keepProcessAlive:true + dependencyDescriptionCode:CKKSResultDescriptionNone + block:^{ [expectation fulfill]; }]; @@ -62,7 +67,9 @@ XCTestExpectation *expectation = [self expectationWithDescription:@"FutureScheduler fired"]; - CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 200*NSEC_PER_MSEC keepProcessAlive:false block:^{ + CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 200*NSEC_PER_MSEC keepProcessAlive:false + dependencyDescriptionCode:CKKSResultDescriptionNone + block:^{ [toofastexpectation fulfill]; [expectation fulfill]; }]; @@ -83,7 +90,9 @@ XCTestExpectation *expectation = [self expectationWithDescription:@"FutureScheduler fired"]; expectation.assertForOverFulfill = YES; - CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 200*NSEC_PER_MSEC keepProcessAlive:true block:^{ + CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 200*NSEC_PER_MSEC keepProcessAlive:true + dependencyDescriptionCode:CKKSResultDescriptionNone + block:^{ [toofastexpectation fulfill]; [expectation fulfill]; }]; 
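Review bot: None of the updated initializers exercises the new `dependencyDescriptionCode:` argument. This hunk and every later hunk in CKKSNearFutureSchedulerTests.m pass `CKKSResultDescriptionNone`, so the tests would pass even if the scheduler ignored the value. `testResultTimeoutWithUnderlyingError` in CKKSOperationTests.m covers `descriptionErrorCode` on a bare `CKKSResultOperation`, but how the scheduler forwards its code to dependents is not visible here. I would add one scheduler test that passes a non-None code and checks the `NSUnderlyingErrorKey` of an operation that times out waiting on the scheduler. Until then, a marker such as `// TODO: cover a non-None dependencyDescriptionCode` at the first call site would record the gap.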
@@ -118,7 +127,9 @@ second.expectedFulfillmentCount = 2; second.assertForOverFulfill = YES; - CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 100*NSEC_PER_MSEC keepProcessAlive:false block:^{ + CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 100*NSEC_PER_MSEC keepProcessAlive:false + dependencyDescriptionCode:CKKSResultDescriptionNone + block:^{ [first fulfill]; [second fulfill]; }]; @@ -150,7 +161,9 @@ second.expectedFulfillmentCount = 2; second.assertForOverFulfill = YES; - CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" initialDelay: 50*NSEC_PER_MSEC continuingDelay:600*NSEC_PER_MSEC keepProcessAlive:false block:^{ + CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" initialDelay: 50*NSEC_PER_MSEC continuingDelay:600*NSEC_PER_MSEC keepProcessAlive:false + dependencyDescriptionCode:CKKSResultDescriptionNone + block:^{ [first fulfill]; [longdelay fulfill]; [second fulfill]; @@ -179,7 +192,9 @@ XCTestExpectation *cancelexpectation = [self expectationWithDescription:@"FutureScheduler fired (after cancel)"]; cancelexpectation.inverted = YES; - CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 100*NSEC_PER_MSEC keepProcessAlive:true block:^{ + CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 100*NSEC_PER_MSEC keepProcessAlive:true + dependencyDescriptionCode:CKKSResultDescriptionNone + block:^{ [cancelexpectation fulfill]; }]; 
@@ -194,7 +209,9 @@ XCTestExpectation *toofastexpectation = [self expectationWithDescription:@"FutureScheduler fired (too soon)"]; toofastexpectation.inverted = YES; - CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 10*NSEC_PER_MSEC keepProcessAlive:false block:^{ + CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 10*NSEC_PER_MSEC keepProcessAlive:false + dependencyDescriptionCode:CKKSResultDescriptionNone + block:^{ [toofastexpectation fulfill]; }]; @@ -211,7 +228,9 @@ XCTestExpectation *toofastexpectation = [self expectationWithDescription:@"FutureScheduler fired (too soon)"]; toofastexpectation.inverted = YES; - CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 10*NSEC_PER_MSEC keepProcessAlive:false block:^{ + CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 10*NSEC_PER_MSEC keepProcessAlive:false + dependencyDescriptionCode:CKKSResultDescriptionNone + block:^{ [first fulfill]; [toofastexpectation fulfill]; }]; @@ -235,7 +254,9 @@ second.expectedFulfillmentCount = 2; second.assertForOverFulfill = YES; - CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 10*NSEC_PER_MSEC keepProcessAlive:false block:^{ + CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 10*NSEC_PER_MSEC keepProcessAlive:false + dependencyDescriptionCode:CKKSResultDescriptionNone + block:^{ [first fulfill]; [second fulfill]; [toofastexpectation fulfill]; 
@@ -272,7 +293,9 @@ - (void)testOperationOneShot { XCTestExpectation *expectation = [self expectationWithDescription:@"FutureScheduler fired"]; - CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay:50*NSEC_PER_MSEC keepProcessAlive:true block:^{}]; + CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay:50*NSEC_PER_MSEC keepProcessAlive:true + dependencyDescriptionCode:CKKSResultDescriptionNone + block:^{}]; [self addOperationFulfillingExpectations:@[expectation] scheduler:scheduler]; [scheduler trigger]; @@ -286,7 +309,9 @@ XCTestExpectation *expectation = [self expectationWithDescription:@"FutureScheduler fired"]; - CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 200*NSEC_PER_MSEC keepProcessAlive:false block:^{}]; + CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 200*NSEC_PER_MSEC keepProcessAlive:false + dependencyDescriptionCode:CKKSResultDescriptionNone + block:^{}]; [self addOperationFulfillingExpectations:@[expectation,toofastexpectation] scheduler:scheduler]; [scheduler trigger]; @@ -305,7 +330,9 @@ XCTestExpectation *expectation = [self expectationWithDescription:@"FutureScheduler fired"]; expectation.assertForOverFulfill = YES; - CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 200*NSEC_PER_MSEC keepProcessAlive:true block:^{}]; + CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 200*NSEC_PER_MSEC keepProcessAlive:true + dependencyDescriptionCode:CKKSResultDescriptionNone + block:^{}]; [self addOperationFulfillingExpectations:@[expectation,toofastexpectation] scheduler:scheduler]; [scheduler trigger]; 
@@ -335,7 +362,9 @@ XCTestExpectation *second = [self expectationWithDescription:@"FutureScheduler fired (two)"]; - CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 100*NSEC_PER_MSEC keepProcessAlive:false block:^{}]; + CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 100*NSEC_PER_MSEC keepProcessAlive:false + dependencyDescriptionCode:CKKSResultDescriptionNone + block:^{}]; [self addOperationFulfillingExpectations:@[first] scheduler:scheduler]; @@ -363,7 +392,9 @@ longdelay.inverted = YES; XCTestExpectation *second = [self expectationWithDescription:@"FutureScheduler fired (two)"]; - CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" initialDelay: 50*NSEC_PER_MSEC continuingDelay:300*NSEC_PER_MSEC keepProcessAlive:false block:^{}]; + CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" initialDelay: 50*NSEC_PER_MSEC continuingDelay:300*NSEC_PER_MSEC keepProcessAlive:false + dependencyDescriptionCode:CKKSResultDescriptionNone + block:^{}]; [self addOperationFulfillingExpectations:@[first] scheduler:scheduler]; @@ -392,7 +423,9 @@ XCTestExpectation *cancelexpectation = [self expectationWithDescription:@"FutureScheduler fired (after cancel)"]; cancelexpectation.inverted = YES; - CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 100*NSEC_PER_MSEC keepProcessAlive:true block:^{}]; + CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 100*NSEC_PER_MSEC keepProcessAlive:true + dependencyDescriptionCode:CKKSResultDescriptionNone + block:^{}]; [self addOperationFulfillingExpectations:@[cancelexpectation] scheduler:scheduler]; 
@@ -407,7 +440,9 @@ XCTestExpectation *toofastexpectation = [self expectationWithDescription:@"FutureScheduler fired (too soon)"]; toofastexpectation.inverted = YES; - CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 10*NSEC_PER_MSEC keepProcessAlive:false block:^{}]; + CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 10*NSEC_PER_MSEC keepProcessAlive:false + dependencyDescriptionCode:CKKSResultDescriptionNone + block:^{}]; [self addOperationFulfillingExpectations:@[toofastexpectation] scheduler:scheduler]; // Tell the scheduler to wait, but don't trigger it. It shouldn't fire. @@ -423,7 +458,9 @@ XCTestExpectation *toofastexpectation = [self expectationWithDescription:@"FutureScheduler fired (too soon)"]; toofastexpectation.inverted = YES; - CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 10*NSEC_PER_MSEC keepProcessAlive:false block:^{}]; + CKKSNearFutureScheduler* scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay: 10*NSEC_PER_MSEC keepProcessAlive:false + dependencyDescriptionCode:CKKSResultDescriptionNone + block:^{}]; [self addOperationFulfillingExpectations:@[first,toofastexpectation] scheduler:scheduler]; [scheduler waitUntil: 150*NSEC_PER_MSEC]; @@ -434,3 +471,5 @@ } @end + +#endif /* OCTAGON */ diff --git a/keychain/ckks/tests/CKKSOperationTests.m b/keychain/ckks/tests/CKKSOperationTests.m index 9ac3c81c..fd460dc5 100644 --- a/keychain/ckks/tests/CKKSOperationTests.m +++ b/keychain/ckks/tests/CKKSOperationTests.m @@ -21,6 +21,8 @@ * @APPLE_LICENSE_HEADER_END@ */ +#if OCTAGON + #import #import "keychain/ckks/CKKSGroupOperation.h" 
@@ -223,8 +225,46 @@ XCTAssertTrue(second.cancelled, "Second operation cancelled"); XCTAssertNotNil(second.error, "Second operation has an error"); XCTAssertEqual(second.error.code, CKKSResultTimedOut, "Second operation error is good"); + NSError* underlying = second.error.userInfo[NSUnderlyingErrorKey]; + XCTAssertNil(underlying, "Second operation's error doesn't have an underlying explanation"); +} + +- (void)testResultTimeoutWithUnderlyingError { + __block bool firstRun = false; + __block bool secondRun = false; + + CKKSResultOperation* first = [[CKKSResultOperation alloc] init]; + [first addExecutionBlock:^{ + firstRun = true; + }]; + first.descriptionErrorCode = 604; + + CKKSResultOperation* second = [[CKKSResultOperation alloc] init]; + [second addExecutionBlock:^{ + XCTAssertTrue(firstRun); + secondRun = true; + }]; + [second addDependency: first]; + + [self.queue addOperation: [second timeout:(50)* NSEC_PER_MSEC]]; + [self.queue waitUntilAllOperationsAreFinished]; + + XCTAssertFalse(firstRun); + XCTAssertFalse(secondRun); + + XCTAssertFalse(first.finished, "First operation not finished"); + XCTAssertFalse(first.cancelled, "First operation not cancelled"); + XCTAssertTrue(second.finished, "Second operation finished"); + XCTAssertTrue(second.cancelled, "Second operation cancelled"); + XCTAssertNotNil(second.error, "Second operation has an error"); + XCTAssertEqual(second.error.code, CKKSResultTimedOut, "Second operation error is good"); + NSError* underlying = second.error.userInfo[NSUnderlyingErrorKey]; + XCTAssertNotNil(underlying, "second operation's error has an underlying reason"); + XCTAssertEqualObjects(underlying.domain, CKKSResultDescriptionErrorDomain, "second operation's underlying error's domain should be CKKSResultDescriptionErrorDomain"); + XCTAssertEqual(underlying.code, 604, "second operation's underlying error's domain should be first's description"); } + - (void)testResultNoTimeout { __block bool firstRun = false; __block bool secondRun = 
false; @@ -260,9 +300,7 @@ CKKSResultOperation* operation = [[CKKSResultOperation alloc] init]; XCTAssertNil(operation.finishDate, "Result operation does not have a finish date before it is run"); - [operation addExecutionBlock:^{ - NSLog(@"test execution block"); - }]; + [operation addExecutionBlock:^{}]; [self.queue addOperation:operation]; [self.queue waitUntilAllOperationsAreFinished]; @@ -298,6 +336,22 @@ XCTAssertNil(group.error, "Group operation: no error"); } +- (void)testGroupOperationRunBlock { + XCTestExpectation* operationRun = [self expectationWithDescription:@"operation run with named:withBlock:"]; + CKKSGroupOperation* group = [CKKSGroupOperation named:@"asdf" withBlock: ^{ + [operationRun fulfill]; + }]; + [self.queue addOperation:group]; + [self waitForExpectations: @[operationRun] timeout:5]; + + operationRun = [self expectationWithDescription:@"operation run with named:withBlockTakingSelf:"]; + group = [CKKSGroupOperation named:@"asdf" withBlockTakingSelf:^(CKKSGroupOperation *strongOp) { + [operationRun fulfill]; + }]; + [self.queue addOperation:group]; + [self waitForExpectations: @[operationRun] timeout:5]; +} + - (void)testGroupOperationSubOperationCancel { CKKSGroupOperation* group = [[CKKSGroupOperation alloc] init]; @@ -455,6 +509,10 @@ [self.queue waitUntilAllOperationsAreFinished]; + // Shouldn't be necessary, but I'm not sure the NSOperation's finished property vs. dependency triggering is thread-safe + [op1 waitUntilFinished]; + [op2 waitUntilFinished]; + XCTAssertEqual(op1.finished, YES, "First operation finished"); XCTAssertEqual(op2.finished, YES, "Second operation finished"); XCTAssertEqual(group.finished, YES, "Group operation finished"); @@ -559,3 +617,5 @@ @end + +#endif /* OCTAGON */ diff --git a/keychain/ckks/tests/CKKSRateLimiterTests.m b/keychain/ckks/tests/CKKSRateLimiterTests.m index acb9e697..e0472a47 100644 --- a/keychain/ckks/tests/CKKSRateLimiterTests.m +++ b/keychain/ckks/tests/CKKSRateLimiterTests.m 
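Review bot: The last assertion of `testResultTimeoutWithUnderlyingError` checks `underlying.code`, but its message talks about the error's domain, which looks like a copy of the line above. The literal `604` also appears twice with no link between the two uses. I would tie the check to the value set on the dependency and fix the text: `XCTAssertEqual(underlying.code, first.descriptionErrorCode, "second operation's underlying error's code should be first's description code");`. A short comment that `first` is deliberately never enqueued would also help, since the timeout depends on that and the surrounding asserts (`XCTAssertFalse(first.finished, ...)`) only hint at it.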
@@ -24,6 +24,7 @@ #if OCTAGON #import +#import #import "keychain/ckks/CKKSOutgoingQueueEntry.h" #import "keychain/ckks/CKKSRateLimiter.h" @@ -272,15 +273,13 @@ NSDate* limit = nil; [self.rl judge:self.oqe at:date limitTime:&limit]; - NSMutableData* data = [[NSMutableData alloc] init]; - NSKeyedArchiver* encoder = [[NSKeyedArchiver alloc] initForWritingWithMutableData: data]; + NSKeyedArchiver* encoder = [[NSKeyedArchiver alloc] initRequiringSecureCoding:YES]; [encoder encodeObject: self.rl forKey:@"unneeded"]; - [encoder finishEncoding]; + NSData* data = encoder.encodedData; XCTAssertNotNil(data, "Still have our data object"); XCTAssertTrue(data.length > 0u, "Encoder produced some data"); - NSKeyedUnarchiver* decoder = [[NSKeyedUnarchiver alloc] initForReadingWithData: data]; - decoder.requiresSecureCoding = YES; + NSKeyedUnarchiver* decoder = [[NSKeyedUnarchiver alloc] initForReadingFromData: data error:nil]; CKKSRateLimiter* rl = [decoder decodeObjectOfClass: [CKKSRateLimiter class] forKey:@"unneeded"]; XCTAssertNotNil(rl, "Decoded data into a CKKSRateLimiter"); diff --git a/keychain/ckks/tests/CKKSSOSTests.m b/keychain/ckks/tests/CKKSSOSTests.m index 819bbf44..c1032239 100644 --- a/keychain/ckks/tests/CKKSSOSTests.m +++ b/keychain/ckks/tests/CKKSSOSTests.m @@ -335,6 +335,7 @@ - (void)testFindPiggyTLKs { [self putFakeKeyHierachiesInCloudKit]; + [self putFakeDeviceStatusesInCloudKit]; [self saveTLKsToKeychain]; NSDictionary* piggyTLKs = [self SOSPiggyBackCopyFromKeychain]; 
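Review bot: The rewritten decode step in the `@@ -272,15 +273,13 @@` hunk passes `error:nil` to `initForReadingFromData:error:` and drops the explicit `decoder.requiresSecureCoding = YES`. A failed unarchiver init now shows up only as a nil `rl` further down. `initForReadingFromData:error:` turns secure coding on by default, so nothing is weakened, but the test no longer states that it depends on it. I would declare an `NSError* decodeError` and pin both: `... initForReadingFromData:data error:&decodeError];`, then `XCTAssertNil(decodeError, "unarchiver init failed: %@", decodeError);` and `XCTAssertTrue(decoder.requiresSecureCoding, "decoder must require secure coding");`. The test method begins outside the hunk.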
@@ -526,6 +527,14 @@ }]; } +- (void)putFakeDeviceStatusesInCloudKit { + [self putFakeDeviceStatusInCloudKit: self.engramZoneID]; + [self putFakeDeviceStatusInCloudKit: self.manateeZoneID]; + [self putFakeDeviceStatusInCloudKit: self.autoUnlockZoneID]; + [self putFakeDeviceStatusInCloudKit: self.healthZoneID]; + [self putFakeDeviceStatusInCloudKit: self.applepayZoneID]; +} + -(void)putFakeKeyHierachiesInCloudKit{ [self putFakeKeyHierarchyInCloudKit: self.engramZoneID]; [self putFakeKeyHierarchyInCloudKit: self.manateeZoneID]; @@ -559,6 +568,7 @@ -(void)testAcceptExistingAndUsePiggyKeyHierarchy { // Test starts with nothing in database, but one in our fake CloudKit. [self putFakeKeyHierachiesInCloudKit]; + [self putFakeDeviceStatusesInCloudKit]; [self saveTLKsToKeychain]; NSDictionary* piggyData = [self SOSPiggyBackCopyFromKeychain]; [self deleteTLKMaterialsFromKeychain]; diff --git a/keychain/ckks/tests/CKKSSQLTests.m b/keychain/ckks/tests/CKKSSQLTests.m index 408c0772..7225246c 100644 --- a/keychain/ckks/tests/CKKSSQLTests.m +++ b/keychain/ckks/tests/CKKSSQLTests.m @@ -274,6 +274,8 @@ // Very simple test: can these objects roundtrip through the db? NSString* testUUID = @"157A3171-0677-451B-9EAE-0DDC4D4315B0"; CKKSDeviceStateEntry* cdse = [[CKKSDeviceStateEntry alloc] initForDevice:testUUID + osVersion:@"faux-version" + lastUnlockTime:nil circlePeerID:@"asdf" circleStatus:kSOSCCInCircle keyState:SecCKKSZoneKeyStateReady diff --git a/keychain/ckks/tests/CKKSTLKSharingTests.m b/keychain/ckks/tests/CKKSTLKSharingTests.m index 2639a5a9..3bda9247 100644 --- a/keychain/ckks/tests/CKKSTLKSharingTests.m +++ b/keychain/ckks/tests/CKKSTLKSharingTests.m @@ -26,6 +26,9 @@ #import #import #import +#import +#import +#import #import "keychain/ckks/tests/CloudKitMockXCTest.h" #import "keychain/ckks/tests/CloudKitKeychainSyncingMockXCTest.h" 
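Review bot: The CKKSSQLTests.m hunk feeds `lastUnlockTime:nil` into the `CKKSDeviceStateEntry` round-trip test, so the new column's encode and decode path is never exercised with a real value. Only `osVersion` gets a non-trivial input. I would pass a fixed non-nil date and compare it after the reload at whatever granularity the store keeps. The device-state test earlier on this page compares at `NSCalendarUnitDay`, which suggests the stored value is coarser than an `NSDate`. Whether this test compares whole objects after the reload is outside the hunk, so the comparison may need adjusting there.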
@@ -34,9 +37,11 @@ #import "keychain/ckks/CKKSPeer.h" #import "keychain/ckks/CKKSTLKShare.h" #import "keychain/ckks/CKKSViewManager.h" +#import "keychain/ckks/CloudKitCategories.h" #import "keychain/ckks/tests/MockCloudKit.h" #import "keychain/ckks/tests/CKKSTests.h" +#import "keychain/ot/OTDefines.h" @interface CloudKitKeychainSyncingTLKSharingTests : CloudKitKeychainSyncingTestsBase @property CKKSSOSSelfPeer* remotePeer1; @@ -44,6 +49,11 @@ @property CKKSSOSSelfPeer* untrustedPeer; + +@property (nullable) NSMutableSet>* pastSelfPeers; + +// Used to test a single code path. If true, no past self peers will be valid +@property bool breakLoadSelfPeerEncryptionKey; @end @implementation CloudKitKeychainSyncingTLKSharingTests @@ -51,6 +61,13 @@ - (void)setUp { [super setUp]; + self.pastSelfPeers = [NSMutableSet set]; + + // Use the upsetting old-style mocks so we can ignore the enum + [[[[self.mockCKKSViewManager stub] andCall:@selector(fakeLoadRestoredBottledKeysOfType:error:) + onObject:self] ignoringNonObjectArgs] + loadRestoredBottledKeysOfType:0 error:[OCMArg anyObjectRef]]; + self.remotePeer1 = [[CKKSSOSSelfPeer alloc] initWithSOSPeerID:@"remote-peer1" encryptionKey:[[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]] signingKey:[[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]]]; @@ -69,6 +86,7 @@ } - (void)tearDown { + self.pastSelfPeers = nil; self.remotePeer1 = nil; self.remotePeer2 = nil; self.untrustedPeer = nil; 
@@ -76,6 +94,53 @@ [super tearDown]; } + +- (NSArray* _Nullable)fakeLoadRestoredBottledKeysOfType:(OctagonKeyType)keyType error:(NSError**)error { + if(self.aksLockState) { + if(error) { + *error = [NSError errorWithDomain:(__bridge NSString*)kSecErrorDomain code:errSecInteractionNotAllowed userInfo:nil]; + } + return nil; + } else { + if(self.breakLoadSelfPeerEncryptionKey && keyType == OctagonEncryptionKey) { + if(error) { + *error = [NSError errorWithDomain:(__bridge NSString*)kSecErrorDomain code:errSecItemNotFound userInfo:nil]; + } + return nil; + } + + // Convert self.pastSelfPeers into an array of dictionaries + NSMutableArray* keys = [NSMutableArray array]; + + for(id peer in self.pastSelfPeers) { + SFECKeyPair* key = nil; + + switch(keyType) { + case OctagonSigningKey: + key = peer.signingKey; + break; + case OctagonEncryptionKey: + key = peer.encryptionKey; + break; + } + + XCTAssertNotNil(key, "Should have a key at this point"); + + NSData* signingPublicKeyHashBytes = [SFSHA384DigestOperation digest:peer.signingKey.publicKey.keyData]; + NSString* signingPublicKeyHash = [signingPublicKeyHashBytes base64EncodedStringWithOptions:0]; + + NSDictionary* dict = @{ + (id)kSecAttrAccount : peer.peerID, + (id)kSecAttrLabel : signingPublicKeyHash, + (id)kSecValueData : key.keyData, + }; + [keys addObject:dict]; + } + + return keys; + } +} + - (void)testAcceptExistingTLKSharedKeyHierarchy { // Test starts with no keys in CKKS database, but one in our fake CloudKit. [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; 
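Review bot: In `fakeLoadRestoredBottledKeysOfType:error:` a nil `key` can reach the dictionary literal. The `switch(keyType)` has no `default:`, and `XCTAssertNotNil(key, ...)` does not stop execution unless `continueAfterFailure` is disabled. A nil `key.keyData` under `(id)kSecValueData` in `@{ ... }` raises an exception instead of producing a readable test failure. I would add `default: break;` to the switch and follow the assertion with `if(key == nil) { continue; }`. A one-line header comment would also help, stating that the fake mirrors the attribute layout (`kSecAttrAccount`, `kSecAttrLabel`, `kSecValueData`) that the real loader is expected to return, which this file does not show.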
@@ -110,6 +175,73 @@ }]; } +- (void)testAcceptExistingTLKSharedKeyHierarchyForPastSelf { + // Test starts with no keys in CKKS database, but one in our fake CloudKit. + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + + // Test also starts with the TLK shared to all trusted peers from peer1 + [self putTLKSharesInCloudKit:self.keychainZoneKeys.tlk from:self.remotePeer1 zoneID:self.keychainZoneID]; + + // Self rolls its keys and ID... + [self.pastSelfPeers addObject:self.currentSelfPeer]; + self.currentSelfPeer = [[CKKSSOSSelfPeer alloc] initWithSOSPeerID:@"new-local-peer" + encryptionKey:[[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]] + signingKey:[[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]]]; + + // The CKKS subsystem should accept the keys, and share the TLK back to itself + [self expectCKModifyKeyRecords:0 currentKeyPointerRecords:0 tlkShareRecords:1 zoneID:self.keychainZoneID + checkModifiedRecord:^BOOL(CKRecord* _Nonnull record) { + CKKSTLKShare* share = [[CKKSTLKShare alloc] initWithCKRecord:record]; + XCTAssertEqualObjects(share.receiver.peerID, self.currentSelfPeer.peerID, "Receiver peerID on TLKShare should match current self"); + XCTAssertEqualObjects(share.receiver.publicEncryptionKey, self.currentSelfPeer.publicEncryptionKey, "Receiver encryption key on TLKShare should match current self"); + XCTAssertEqualObjects(share.senderPeerID, self.currentSelfPeer.peerID, "Sender of TLKShare should match current self"); + return TRUE; + }]; + [self startCKKSSubsystem]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:10*NSEC_PER_SEC], "Key state should become ready"); + + OCMVerifyAllWithDelay(self.mockDatabase, 8); + + // Verify that there are three local keys, and three local current key records + __weak __typeof(self) weakSelf = self; + [self.keychainView 
dispatchSync: ^bool{ + __strong __typeof(weakSelf) strongSelf = weakSelf; + XCTAssertNotNil(strongSelf, "self exists"); + + NSError* error = nil; + + NSArray* keys = [CKKSKey localKeys:strongSelf.keychainZoneID error:&error]; + XCTAssertNil(error, "no error fetching keys"); + XCTAssertEqual(keys.count, 3u, "Three keys in local database"); + + NSArray* currentkeys = [CKKSCurrentKeyPointer all:&error]; + XCTAssertNil(error, "no error fetching current keys"); + XCTAssertEqual(currentkeys.count, 3u, "Three current key pointers in local database"); + + return false; + }]; +} + +- (void)testDontCrashOnHalfBottle { + self.breakLoadSelfPeerEncryptionKey = true; + + // Test starts with no keys in CKKS database, but one in our fake CloudKit. + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + + // Test also starts with the TLK shared to all trusted peers from peer1 + [self putTLKSharesInCloudKit:self.keychainZoneKeys.tlk from:self.remotePeer1 zoneID:self.keychainZoneID]; + + // Self rolls its keys and ID... + [self.pastSelfPeers addObject:self.currentSelfPeer]; + self.currentSelfPeer = [[CKKSSOSSelfPeer alloc] initWithSOSPeerID:@"new-local-peer" + encryptionKey:[[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]] + signingKey:[[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]]]; + + // CKKS should enter 'waitfortlk' without crashing + [self startCKKSSubsystem]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForTLK] wait:10*NSEC_PER_SEC], "Key state should become waitfortlk"); +} + - (void)testAcceptExistingTLKSharedKeyHierarchyAndUse { // Test starts with nothing in database, but one in our fake CloudKit. [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; 
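Review bot: The two tests added here cover only the accepting path for past-self identities; nothing checks that a TLKShare addressed to a past self but sent by an untrusted peer is still refused. `pastSelfPeers` widens the set of keys that can unwrap a share, so a companion to `testDontAcceptTLKFromUntrustedPeer` that rolls the self peer first would pin the trust check. The sketch below uses only helpers already visible in this file. The expected end state (`SecCKKSZoneKeyStateWaitForTLK`) and the assumption that `putTLKSharesInCloudKit:from:zoneID:` addresses a share to the current self are mine and should be confirmed.

```objective-c
- (void)testDontAcceptPastSelfTLKFromUntrustedPeer {
    [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID];
    [self putFakeDeviceStatusInCloudKit:self.keychainZoneID];

    // Shares come from a peer outside the trust set
    [self putTLKSharesInCloudKit:self.keychainZoneKeys.tlk from:self.untrustedPeer zoneID:self.keychainZoneID];

    // Self rolls its keys and ID, so any share for the old identity now targets a past self
    [self.pastSelfPeers addObject:self.currentSelfPeer];
    self.currentSelfPeer = [[CKKSSOSSelfPeer alloc] initWithSOSPeerID:@"new-local-peer"
                                                        encryptionKey:[[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]]
                                                           signingKey:[[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]]];

    // Being able to decrypt with a past key must not substitute for trusting the sender
    [self startCKKSSubsystem];
    XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForTLK] wait:20*NSEC_PER_SEC], "Key state should become waitfortlk");
}
```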
@@ -248,6 +380,7 @@ - (void)testReceiveSharedTLKWhileInWaitForTLK { // Test starts with nothing in database, but one in our fake CloudKit. [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self putFakeDeviceStatusInCloudKit:self.keychainZoneID]; // Spin up CKKS subsystem. [self startCKKSSubsystem]; @@ -364,6 +497,7 @@ [self startCKKSSubsystem]; OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForCKModifications]; // Now the external peer rolls the TLK and updates the shares [self rollFakeKeyHierarchyInCloudKit:self.keychainZoneID]; @@ -470,11 +604,13 @@ - (void)testDontAcceptTLKFromUntrustedPeer { // Test starts with nothing in database, but key hierarchy in our fake CloudKit. [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + // The remote peer should also have given the TLK to a non-TLKShare peer (which is also offline) + [self putFakeDeviceStatusInCloudKit:self.keychainZoneID]; // Test also starts with the key hierarchy shared from a non-trusted peer [self putTLKSharesInCloudKit:self.keychainZoneKeys.tlk from:self.untrustedPeer zoneID:self.keychainZoneID]; - // The CKKS subsystem should go into waitfortlk, since it doesn't trust this peer + // The CKKS subsystem should go into waitfortlk, since it doesn't trust this peer, but the peer is active [self startCKKSSubsystem]; XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForTLK] wait:20*NSEC_PER_SEC], "Key state should become ready"); } 
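Review bot: testDontAcceptTLKFromUntrustedPeer only waits for `SecCKKSZoneKeyStateWaitForTLK` and then returns, so it would still pass if CKKS went on to accept the untrusted share a moment later. A negative check in the style this patch uses elsewhere would pin the rejection: `XCTAssertNotEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:100*NSEC_PER_MSEC], "Key state should not become ready");`. The message on the existing wait still reads "Key state should become ready" although the state waited for is waitfortlk. The hunk already updates the comment above it, so the message is worth fixing in the same change.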
@@ -482,13 +618,14 @@ - (void)testAcceptSharedTLKOnTrustSetAdditionOfSharer { // Test starts with nothing in database, but key hierarchy in our fake CloudKit. [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self putFakeDeviceStatusInCloudKit:self.keychainZoneID]; // Test also starts with the key hierarchy shared from a non-trusted peer // note that it would share it itself too [self putTLKSharesInCloudKit:self.keychainZoneKeys.tlk from:self.untrustedPeer zoneID:self.keychainZoneID]; [self putTLKShareInCloudKit:self.keychainZoneKeys.tlk from:self.untrustedPeer to:self.untrustedPeer zoneID:self.keychainZoneID]; - // The CKKS subsystem should go into waitfortlk, since it doesn't trust this peer + // The CKKS subsystem should go into waitfortlk, since it doesn't trust this peer, but the peer is active [self startCKKSSubsystem]; XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForTLK] wait:20*NSEC_PER_SEC], "Key state should become waitfortlk"); 
@@ -616,6 +753,399 @@ // Not implemented. Trust set removal demands a key roll, but let's not get ahead of ourselves... } +- (void)testWaitForTLKWithMissingKeys { + // Test starts with no keys in CKKS database, but one in our fake CloudKit. + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + + // Test also starts with the TLK shared to all trusted peers from peer1 + [self putTLKSharesInCloudKit:self.keychainZoneKeys.tlk from:self.remotePeer1 zoneID:self.keychainZoneID]; + + // self no longer has that key pair, but it does have a new one with the same peer ID.... + self.currentSelfPeer = [[CKKSSOSSelfPeer alloc] initWithSOSPeerID:self.currentSelfPeer.peerID + encryptionKey:[[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]] + signingKey:[[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]]]; + self.pastSelfPeers = [NSMutableSet set]; + + // CKKS should become very upset, and enter waitfortlk. + [self startCKKSSubsystem]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForTLK] wait:4000*NSEC_PER_SEC], "Key state should become waitfortlk"); + OCMVerifyAllWithDelay(self.mockDatabase, 8); +} + +- (void)testSendNewTLKShareToPeerOnPeerEncryptionKeyChange { + // If a peer changes its keys, CKKS should send it a new TLK share with the right keys + // This recovers from the remote peer losing its Octagon keys and making new ones + + // step 1: add a new peer; we should share the TLK with them + // start with no trusted peers + [self expectCKModifyKeyRecords:3 currentKeyPointerRecords:3 tlkShareRecords:3 zoneID:self.keychainZoneID]; + [self startCKKSSubsystem]; + + OCMVerifyAllWithDelay(self.mockDatabase, 8); + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:1000*NSEC_PER_SEC], "Key state should become ready"); + + // Remote peer rolls its encryption key... 
+ [self expectCKModifyKeyRecords:0 currentKeyPointerRecords:0 tlkShareRecords:1 zoneID:self.keychainZoneID + checkModifiedRecord:^BOOL(CKRecord* _Nonnull record) { + CKKSTLKShare* share = [[CKKSTLKShare alloc] initWithCKRecord:record]; + XCTAssertEqualObjects(share.receiver.peerID, self.remotePeer1.peerID, "Receiver peerID on TLKShare should match remote peer"); + XCTAssertEqualObjects(share.receiver.publicEncryptionKey, self.remotePeer1.publicEncryptionKey, "Receiver encryption key on TLKShare should match remote peer"); + XCTAssertEqualObjects(share.senderPeerID, self.currentSelfPeer.peerID, "Sender of TLKShare should match current self"); + return TRUE; + }]; + + self.remotePeer1.encryptionKey = [[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]]; + [self.injectedManager sendTrustedPeerSetChangedUpdate]; + + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForCKModifications]; + + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:10*NSEC_PER_SEC], "Key state should become ready"); +} + +- (void)testRecoverFromBrokenSignatureOnTLKShareDuetoSignatureKeyChange { + // If a peer changes its signature key, CKKS shouldn't necessarily enter 'error': it should enter 'waitfortlk'. + // The peer should then send us another TLKShare + // This recovers from the remote peer losing its Octagon keys and making new ones + + // For this test, only have one peer + self.currentPeers = [NSMutableSet setWithObject:self.remotePeer1]; + + // Test starts with nothing in database, but one in our fake CloudKit. 
+ [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + // Test also starts with the TLK shared to all trusted peers from remotePeer1 + [self putTLKSharesInCloudKit:self.keychainZoneKeys.tlk from:self.remotePeer1 zoneID:self.keychainZoneID]; + + // BUT, remotePeer1 has rolled its signing key + self.remotePeer1.signingKey = [[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]]; + + [self startCKKSSubsystem]; + + OCMVerifyAllWithDelay(self.mockDatabase, 8); + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForTLK] wait:10*NSEC_PER_SEC], "Key state should become waitfortlk"); + + // Remote peer discovers its error and sends a new TLKShare! CKKS should recover and share itself a TLKShare + [self expectCKModifyKeyRecords:0 currentKeyPointerRecords:0 tlkShareRecords:1 zoneID:self.keychainZoneID + checkModifiedRecord:^BOOL(CKRecord* _Nonnull record) { + CKKSTLKShare* share = [[CKKSTLKShare alloc] initWithCKRecord:record]; + XCTAssertEqualObjects(share.receiver.peerID, self.currentSelfPeer.peerID, "Receiver peerID on TLKShare should match self peer"); + XCTAssertEqualObjects(share.receiver.publicEncryptionKey, self.currentSelfPeer.publicEncryptionKey, "Receiver encryption key on TLKShare should match self peer"); + XCTAssertEqualObjects(share.senderPeerID, self.currentSelfPeer.peerID, "Sender of TLKShare should match current self"); + return TRUE; + }]; + + [self putTLKSharesInCloudKit:self.keychainZoneKeys.tlk from:self.remotePeer1 zoneID:self.keychainZoneID]; + [self.keychainView notifyZoneChange:nil]; + + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:10*NSEC_PER_SEC], "Key state should become ready"); + + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForCKModifications]; +} + +- (void)testSendNewTLKShareToSelfOnPeerSigningKeyChange { + // If a CKKS peer rolls its own keys, but has the TLK, it should write a new 
TLK share to itself with its new Octagon keys + // This recovers from the local peer losing its Octagon keys and making new ones + + // For this test, only have one peer + self.currentPeers = [NSMutableSet setWithObject:self.remotePeer1]; + + // Test starts with nothing in database, but one in our fake CloudKit. + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + // Test also starts with the TLK shared to all trusted peers from peer1 + [self putTLKSharesInCloudKit:self.keychainZoneKeys.tlk from:self.remotePeer1 zoneID:self.keychainZoneID]; + // The CKKS subsystem should accept the keys, and share the TLK back to itself + [self expectCKModifyKeyRecords:0 currentKeyPointerRecords:0 tlkShareRecords:1 zoneID:self.keychainZoneID]; + [self startCKKSSubsystem]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:100*NSEC_PER_SEC], "Key state should become ready"); + + // Remote peer rolls its signing key, but hasn't updated its TLKShare. We should send it one. 
+ [self expectCKModifyKeyRecords:0 currentKeyPointerRecords:0 tlkShareRecords:1 zoneID:self.keychainZoneID + checkModifiedRecord:^BOOL(CKRecord* _Nonnull record) { + CKKSTLKShare* share = [[CKKSTLKShare alloc] initWithCKRecord:record]; + XCTAssertEqualObjects(share.receiver.peerID, self.remotePeer1.peerID, "Receiver peerID on TLKShare should match remote peer"); + XCTAssertEqualObjects(share.receiver.publicEncryptionKey, self.remotePeer1.publicEncryptionKey, "Receiver encryption key on TLKShare should match remote peer"); + XCTAssertEqualObjects(share.senderPeerID, self.currentSelfPeer.peerID, "Sender of TLKShare should match current self"); + return TRUE; + }]; + + self.remotePeer1.signingKey = [[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]]; + [self.injectedManager sendTrustedPeerSetChangedUpdate]; + + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForCKModifications]; + + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:10*NSEC_PER_SEC], "Key state should become ready"); +} + +- (void)testSendNewTLKShareToPeerOnDisappearanceOfPeerKeys { + // If a CKKS peer deletes its own octagon keys (BUT WHY), local CKKS should be able to respond + + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + // Test also starts with the TLK shared to all trusted peers from peer1 + [self putTLKSharesInCloudKit:self.keychainZoneKeys.tlk from:self.remotePeer1 zoneID:self.keychainZoneID]; + // The CKKS subsystem should accept the keys, and share the TLK back to itself + [self expectCKModifyKeyRecords:0 currentKeyPointerRecords:0 tlkShareRecords:1 zoneID:self.keychainZoneID]; + [self startCKKSSubsystem]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:100*NSEC_PER_SEC], "Key state should become ready"); + + // Now, peer 1 updates its keys (to be nil). 
Local peer should re-send TLKShares to peer2. + + [self expectCKModifyKeyRecords:0 currentKeyPointerRecords:0 tlkShareRecords:1 zoneID:self.keychainZoneID + checkModifiedRecord:^BOOL(CKRecord* _Nonnull record) { + CKKSTLKShare* share = [[CKKSTLKShare alloc] initWithCKRecord:record]; + XCTAssertEqualObjects(share.receiver.peerID, self.remotePeer2.peerID, "Receiver peerID on TLKShare should match remote peer"); + XCTAssertEqualObjects(share.receiver.publicEncryptionKey, self.remotePeer2.publicEncryptionKey, "Receiver encryption key on TLKShare should match remote peer"); + XCTAssertEqualObjects(share.senderPeerID, self.currentSelfPeer.peerID, "Sender of TLKShare should match current self"); + return TRUE; + }]; + + CKKSSOSPeer* brokenRemotePeer1 = [[CKKSSOSPeer alloc] initWithSOSPeerID:self.remotePeer1.peerID encryptionPublicKey:nil signingPublicKey:nil]; + [self.currentPeers removeObject:self.remotePeer1]; + [self.currentPeers addObject:brokenRemotePeer1]; + [self.injectedManager sendTrustedPeerSetChangedUpdate]; + + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForCKModifications]; + + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:10*NSEC_PER_SEC], "Key state should become ready"); +} + +- (void)testSendNewTLKShareToPeerOnDisappearanceOfPeerSigningKey { + // If a CKKS peer rolls its own keys, but has the TLK, it should write a new TLK share to itself with its new Octagon keys + // This recovers from the local peer losing its Octagon keys and making new ones + + // Test starts with nothing in database, but one in our fake CloudKit. 
+ [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + // Test also starts with the TLK shared to all trusted peers from peer1 + [self putTLKSharesInCloudKit:self.keychainZoneKeys.tlk from:self.remotePeer1 zoneID:self.keychainZoneID]; + // The CKKS subsystem should accept the keys, and share the TLK back to itself + [self expectCKModifyKeyRecords:0 currentKeyPointerRecords:0 tlkShareRecords:1 zoneID:self.keychainZoneID]; + [self startCKKSSubsystem]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:100*NSEC_PER_SEC], "Key state should become ready"); + + // Now, peer 1 updates its signing key (to be nil). Local peer should re-send TLKShares to peer1 and peer2. + // Both should be sent because both peers don't have a signed TLKShare that gives them the TLK + + XCTestExpectation *peer1Share = [self expectationWithDescription:@"share uploaded for peer1"]; + XCTestExpectation *peer2Share = [self expectationWithDescription:@"share uploaded for peer2"]; + + [self expectCKModifyKeyRecords:0 currentKeyPointerRecords:0 tlkShareRecords:2 zoneID:self.keychainZoneID + checkModifiedRecord:^BOOL(CKRecord* _Nonnull record) { + CKKSTLKShare* share = [[CKKSTLKShare alloc] initWithCKRecord:record]; + if([share.receiver.peerID isEqualToString:self.remotePeer1.peerID]) { + [peer1Share fulfill]; + XCTAssertEqualObjects(share.receiver.publicEncryptionKey, self.remotePeer1.publicEncryptionKey, "Receiver encryption key on TLKShare should match remote peer1"); + } + if([share.receiver.peerID isEqualToString:self.remotePeer2.peerID]) { + [peer2Share fulfill]; + XCTAssertEqualObjects(share.receiver.publicEncryptionKey, self.remotePeer2.publicEncryptionKey, "Receiver encryption key on TLKShare should match remote peer2"); + } + + XCTAssertEqualObjects(share.senderPeerID, self.currentSelfPeer.peerID, "Sender of TLKShare should match current self"); + return TRUE; + }]; + + CKKSSOSPeer* 
brokenRemotePeer1 = [[CKKSSOSPeer alloc] initWithSOSPeerID:self.remotePeer1.peerID + encryptionPublicKey:self.remotePeer1.publicEncryptionKey + signingPublicKey:nil]; + [self.currentPeers removeObject:self.remotePeer1]; + [self.currentPeers addObject:brokenRemotePeer1]; + [self.injectedManager sendTrustedPeerSetChangedUpdate]; + + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForCKModifications]; + [self waitForExpectations:@[peer1Share, peer2Share] timeout:5]; + + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:10*NSEC_PER_SEC], "Key state should become ready"); +} + +- (void)testSendNewTLKShareToSelfOnSelfKeyChanges { + // If a CKKS peer rolls its own keys, but has the TLK, it should write a new TLK share to itself with its new Octagon keys + // This recovers from the local peer losing its Octagon keys and making new ones + + // Test starts with nothing in database, but one in our fake CloudKit. + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + // Test also starts with the TLK shared to all trusted peers from peer1 + [self putTLKSharesInCloudKit:self.keychainZoneKeys.tlk from:self.remotePeer1 zoneID:self.keychainZoneID]; + // The CKKS subsystem should accept the keys, and share the TLK back to itself + [self expectCKModifyKeyRecords:0 currentKeyPointerRecords:0 tlkShareRecords:1 zoneID:self.keychainZoneID]; + [self startCKKSSubsystem]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:10*NSEC_PER_SEC], "Key state should become ready"); + + // Local peer rolls its encryption key (and loses the old ones) + [self expectCKModifyKeyRecords: 0 currentKeyPointerRecords:0 tlkShareRecords:1 zoneID:self.keychainZoneID + checkModifiedRecord:^BOOL(CKRecord* _Nonnull record) { + CKKSTLKShare* share = [[CKKSTLKShare alloc] initWithCKRecord:record]; + XCTAssertEqualObjects(share.receiver.peerID, self.currentSelfPeer.peerID, 
"Receiver peerID on TLKShare should match current self"); + XCTAssertEqualObjects(share.receiver.publicEncryptionKey, self.currentSelfPeer.publicEncryptionKey, "Receiver encryption key on TLKShare should match current self"); + XCTAssertEqualObjects(share.senderPeerID, self.currentSelfPeer.peerID, "Sender of TLKShare should match current self"); + NSError* signatureVerifyError = nil; + XCTAssertTrue([share verifySignature:share.signature verifyingPeer:self.currentSelfPeer error:&signatureVerifyError], "New share's signature should verify"); + XCTAssertNil(signatureVerifyError, "Should be no error verifying signature on new TLKShare"); + return TRUE; + }]; + + self.currentSelfPeer.encryptionKey = [[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]]; + self.pastSelfPeers = [NSMutableSet set]; + [self.injectedManager sendSelfPeerChangedUpdate]; + + OCMVerifyAllWithDelay(self.mockDatabase, 8); + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:10*NSEC_PER_SEC], "Key state should become ready"); + + // Now, local peer loses and rolls its signing key (and loses the old one) + [self expectCKModifyKeyRecords: 0 currentKeyPointerRecords:0 tlkShareRecords:1 zoneID:self.keychainZoneID + checkModifiedRecord:^BOOL(CKRecord* _Nonnull record) { + CKKSTLKShare* share = [[CKKSTLKShare alloc] initWithCKRecord:record]; + XCTAssertEqualObjects(share.receiver.peerID, self.currentSelfPeer.peerID, "Receiver peerID on TLKShare should match current self"); + XCTAssertEqualObjects(share.receiver.publicEncryptionKey, self.currentSelfPeer.publicEncryptionKey, "Receiver encryption key on TLKShare should match current self"); + XCTAssertEqualObjects(share.senderPeerID, self.currentSelfPeer.peerID, "Sender of TLKShare should match current self"); + NSError* signatureVerifyError = nil; + XCTAssertTrue([share verifySignature:share.signature verifyingPeer:self.currentSelfPeer 
error:&signatureVerifyError], "New share's signature should verify"); + XCTAssertNil(signatureVerifyError, "Should be no error verifying signature on new TLKShare"); + return TRUE; + }]; + + self.currentSelfPeer.signingKey = [[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]]; + self.pastSelfPeers = [NSMutableSet set]; + [self.injectedManager sendSelfPeerChangedUpdate]; + + OCMVerifyAllWithDelay(self.mockDatabase, 8); + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:10*NSEC_PER_SEC], "Key state should become ready"); +} + +- (void)testDoNotResetCloudKitZoneFromWaitForTLKDueToRecentTLKShare { + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + + // CKKS shouldn't reset this zone, due to a recent TLK Share from a trusted peer (indicating the presence of TLKs) + [self putTLKShareInCloudKit:self.keychainZoneKeys.tlk from:self.remotePeer1 to:self.remotePeer1 zoneID:self.keychainZoneID]; + + NSDateComponents* offset = [[NSDateComponents alloc] init]; + [offset setDay:-5]; + NSDate* updateTime = [[NSCalendar currentCalendar] dateByAddingComponents:offset toDate:[NSDate date] options:0]; + for(CKRecord* record in self.keychainZone.currentDatabase.allValues) { + if([record.recordType isEqualToString:SecCKRecordDeviceStateType] || [record.recordType isEqualToString:SecCKRecordTLKShareType]) { + record.creationDate = updateTime; + record.modificationDate = updateTime; + } + } + + self.keychainZone.flag = true; + [self startCKKSSubsystem]; + + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForTLK] wait:8*NSEC_PER_SEC], @"Key state should become 'waitfortlk'"); + + XCTAssertTrue(self.keychainZone.flag, "Zone flag should not have been reset to false"); +} + +- (void)testDoNotResetCloudKitZoneFromWaitForTLKDueToVeryRecentUntrustedTLKShare { + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + + // CKKS shouldn't reset 
this zone, due to a very recent (but untrusted) TLK Share. You can hit this getting a circle reset; the device with the TLKs will have a CFU. + CKKSSOSSelfPeer* untrustedPeer = [[CKKSSOSSelfPeer alloc] initWithSOSPeerID:@"untrusted-peer" + encryptionKey:[[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]] + signingKey:[[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]]]; + [self putTLKShareInCloudKit:self.keychainZoneKeys.tlk from:untrustedPeer to:untrustedPeer zoneID:self.keychainZoneID]; + + NSDateComponents* offset = [[NSDateComponents alloc] init]; + [offset setDay:-2]; + NSDate* updateTime = [[NSCalendar currentCalendar] dateByAddingComponents:offset toDate:[NSDate date] options:0]; + for(CKRecord* record in self.keychainZone.currentDatabase.allValues) { + if([record.recordType isEqualToString:SecCKRecordDeviceStateType] || [record.recordType isEqualToString:SecCKRecordTLKShareType]) { + record.creationDate = updateTime; + record.modificationDate = updateTime; + } + } + + self.keychainZone.flag = true; + [self startCKKSSubsystem]; + + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForTLK] wait:8*NSEC_PER_SEC], @"Key state should become 'waitfortlk'"); + XCTAssertTrue(self.keychainZone.flag, "Zone flag should not have been reset to false"); + + // And ensure it doesn't go on to 'reset' + XCTAssertNotEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateResettingZone] wait:100*NSEC_PER_MSEC], @"Key state should not become 'resetzone'"); +} + +- (void)testResetCloudKitZoneFromWaitForTLKDueToUntustedTLKShareNotRecentEnough { + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + + // CKKS shouldn't reset this zone, due to a recent TLK Share (indicating the presence of TLKs) + CKKSSOSSelfPeer* untrustedPeer = [[CKKSSOSSelfPeer alloc] initWithSOSPeerID:@"untrusted-peer" + 
encryptionKey:[[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]] + signingKey:[[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]]]; + [self putTLKShareInCloudKit:self.keychainZoneKeys.tlk from:untrustedPeer to:untrustedPeer zoneID:self.keychainZoneID]; + + NSDateComponents* offset = [[NSDateComponents alloc] init]; + [offset setDay:-5]; + NSDate* updateTime = [[NSCalendar currentCalendar] dateByAddingComponents:offset toDate:[NSDate date] options:0]; + for(CKRecord* record in self.keychainZone.currentDatabase.allValues) { + if([record.recordType isEqualToString:SecCKRecordDeviceStateType] || [record.recordType isEqualToString:SecCKRecordTLKShareType]) { + record.creationDate = updateTime; + record.modificationDate = updateTime; + } + } + + self.silentZoneDeletesAllowed = true; + self.keychainZone.flag = true; + [self expectCKModifyKeyRecords:3 currentKeyPointerRecords:3 tlkShareRecords:3 zoneID:self.keychainZoneID]; + [self startCKKSSubsystem]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateResettingZone] wait:8*NSEC_PER_SEC], @"Key state should become 'resetzone'"); + + // Then we should reset. 
+ OCMVerifyAllWithDelay(self.mockDatabase, 8); + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], @"Key state should become 'ready'"); + + // And the zone should have been cleared and re-made + XCTAssertFalse(self.keychainZone.flag, "Zone flag should have been reset to false"); +} + +- (void)testNoSelfEncryptionKeys { + // If you lose your local encryption keys, CKKS should do something reasonable + + // Test also starts with the TLK shared to all trusted peers from peer1 + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self putTLKSharesInCloudKit:self.keychainZoneKeys.tlk from:self.remotePeer1 zoneID:self.keychainZoneID]; + [self saveTLKSharesInLocalDatabase:self.keychainZoneID]; + + // But, we lost our local keys :( + id oldSelfPeer = self.currentSelfPeer; + + self.currentSelfPeer = nil; + self.currentSelfPeerError = [NSError errorWithDomain:NSOSStatusErrorDomain code:errSecParam description:@"injected test failure"]; + + // CKKS subsystem should realize that it can't read the shares it has, and enter waitfortlk + [self startCKKSSubsystem]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForTLK] wait:10*NSEC_PER_SEC], "Key state should become 'waitfortlk'"); + + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForCKModifications]; + + // Fetching status should be quick + XCTestExpectation* callbackOccurs = [self expectationWithDescription:@"callback-occurs"]; + [self.ckksControl rpcStatus:@"keychain" reply:^(NSArray* result, NSError* error) { + XCTAssertNil(error, "should be no error fetching status for keychain"); + [callbackOccurs fulfill]; + }]; + [self waitForExpectations:@[callbackOccurs] timeout:1.0]; + + // But, if by some miracle those keys come back, CKKS should be able to recover + // It'll also upload itself a TLK share + [self expectCKModifyKeyRecords:0 currentKeyPointerRecords:0 tlkShareRecords:1 zoneID:self.keychainZoneID]; + + 
self.currentSelfPeer = oldSelfPeer; + self.currentSelfPeerError = nil; + + [self.injectedManager sendSelfPeerChangedUpdate]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:100*NSEC_PER_SEC], "Key state should become 'ready''"); + + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForCKModifications]; +} @end diff --git a/keychain/ckks/tests/CKKSTests+API.h b/keychain/ckks/tests/CKKSTests+API.h index 42262a68..6e34aa02 100644 --- a/keychain/ckks/tests/CKKSTests+API.h +++ b/keychain/ckks/tests/CKKSTests+API.h @@ -27,7 +27,7 @@ NS_ASSUME_NONNULL_BEGIN -@interface CloudKitKeychainSyncingTests (APITests) +@interface CloudKitKeychainSyncingTestsBase (APITests) - (BOOL (^)(CKRecord*))checkPCSFieldsBlock:(CKRecordZoneID*)zoneID PCSServiceIdentifier:(NSNumber*)servIdentifier diff --git a/keychain/ckks/tests/CKKSTests+API.m b/keychain/ckks/tests/CKKSTests+API.m index 48af3b78..43e2160a 100644 --- a/keychain/ckks/tests/CKKSTests+API.m +++ b/keychain/ckks/tests/CKKSTests+API.m 
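Review bot: The first comment in testResetCloudKitZoneFromWaitForTLKDueToUntustedTLKShareNotRecentEnough says CKKS "shouldn't reset this zone", but the test sets `silentZoneDeletesAllowed`, waits for `SecCKKSZoneKeyStateResettingZone` and asserts that the zone flag was cleared. A zone reset is destructive, so the comment should state the rule under test, for example `// CKKS should reset this zone: the only TLKShare is from an untrusted peer and is five days old`. The method name also misspells "Untrusted". Separately, testWaitForTLKWithMissingKeys waits `4000*NSEC_PER_SEC` and testSendNewTLKShareToPeerOnPeerEncryptionKeyChange waits `1000*NSEC_PER_SEC` where the neighbouring tests use 8 to 10 seconds, so a regression would stall the run instead of failing. `wait:10*NSEC_PER_SEC` would match the rest.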
@@ -42,31 +42,13 @@ #import "keychain/ckks/CKKSZoneStateEntry.h" #import "keychain/ckks/CKKSControl.h" +#import "keychain/ckks/CloudKitCategories.h" #import "keychain/ckks/tests/MockCloudKit.h" #import "keychain/ckks/tests/CKKSTests.h" #import "keychain/ckks/tests/CKKSTests+API.h" -@implementation CloudKitKeychainSyncingTests (APITests) - -- (void)testSecuritydClientBringup { - CFErrorRef cferror = nil; - xpc_endpoint_t endpoint = SecCreateSecuritydXPCServerEndpoint(&cferror); - XCTAssertNil((__bridge id)cferror, "No error creating securityd endpoint"); - XCTAssertNotNil(endpoint, "Received securityd endpoint"); - - NSXPCInterface *interface = [NSXPCInterface interfaceWithProtocol:@protocol(SecuritydXPCProtocol)]; - [SecuritydXPCClient configureSecuritydXPCProtocol: interface]; - XCTAssertNotNil(interface, "Received a configured CKKS interface"); - - NSXPCListenerEndpoint *listenerEndpoint = [[NSXPCListenerEndpoint alloc] init]; - [listenerEndpoint _setEndpoint:endpoint]; - - NSXPCConnection* connection = [[NSXPCConnection alloc] initWithListenerEndpoint:listenerEndpoint]; - XCTAssertNotNil(connection , "Received an active connection"); - - connection.remoteObjectInterface = interface; -} +@implementation CloudKitKeychainSyncingTestsBase (APITests) -(NSMutableDictionary*)pcsAddItemQuery:(NSString*)account data:(NSData*)data 
@@ -126,6 +108,57 @@ return (NSDictionary*) CFBridgingRelease(result); } +- (BOOL (^) (CKRecord*)) checkPCSFieldsBlock: (CKRecordZoneID*) zoneID + PCSServiceIdentifier:(NSNumber*)servIdentifier + PCSPublicKey:(NSData*)publicKey + PCSPublicIdentity:(NSData*)publicIdentity +{ + __weak __typeof(self) weakSelf = self; + return ^BOOL(CKRecord* record) { + __strong __typeof(weakSelf) strongSelf = weakSelf; + XCTAssertNotNil(strongSelf, "self exists"); + + XCTAssert([record[SecCKRecordPCSServiceIdentifier] isEqual: servIdentifier], "PCS Service identifier matches input"); + XCTAssert([record[SecCKRecordPCSPublicKey] isEqual: publicKey], "PCS Public Key matches input"); + XCTAssert([record[SecCKRecordPCSPublicIdentity] isEqual: publicIdentity], "PCS Public Identity matches input"); + + if([record[SecCKRecordPCSServiceIdentifier] isEqual: servIdentifier] && + [record[SecCKRecordPCSPublicKey] isEqual: publicKey] && + [record[SecCKRecordPCSPublicIdentity] isEqual: publicIdentity]) { + return YES; + } else { + return NO; + } + }; +} +@end + +@interface CloudKitKeychainSyncingAPITests : CloudKitKeychainSyncingTestsBase +@end + +@implementation CloudKitKeychainSyncingAPITests +- (void)testSecuritydClientBringup { +#if 0 + CFErrorRef cferror = nil; + xpc_endpoint_t endpoint = SecCreateSecuritydXPCServerEndpoint(&cferror); + XCTAssertNil((__bridge id)cferror, "No error creating securityd endpoint"); + XCTAssertNotNil(endpoint, "Received securityd endpoint"); +#endif + + NSXPCInterface *interface = [NSXPCInterface interfaceWithProtocol:@protocol(SecuritydXPCProtocol)]; + [SecuritydXPCClient configureSecuritydXPCProtocol: interface]; + XCTAssertNotNil(interface, "Received a configured CKKS interface"); + +#if 0 + NSXPCListenerEndpoint *listenerEndpoint = [[NSXPCListenerEndpoint alloc] init]; + [listenerEndpoint _setEndpoint:endpoint]; + + NSXPCConnection* connection = [[NSXPCConnection alloc] initWithListenerEndpoint:listenerEndpoint]; + XCTAssertNotNil(connection , "Received an 
active connection"); + + connection.remoteObjectInterface = interface; +#endif +} - (void)testAddAndNotifyOnSync { [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. @@ -267,7 +300,7 @@ [self startCKKSSubsystem]; XCTAssertEqual(0, [self.keychainView.loggedIn wait:2*NSEC_PER_SEC], "CKKS should log in"); - [self.keychainView.viewSetupOperation waitUntilFinished]; + [self.keychainView.zoneSetupOperation waitUntilFinished]; NSMutableDictionary* query = [@{ (id)kSecClass : (id)kSecClassGenericPassword, @@ -288,8 +321,8 @@ [blockExpectation fulfill]; }), @"_SecItemAddAndNotifyOnSync succeeded"); - // We should be in the 'initialized' state, but no further - XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateInitialized] wait:100*NSEC_PER_MSEC], @"Should have reached key state 'initialized', but no further"); + // We should be in the 'fetch' state, but no further + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateFetch] wait:100*NSEC_PER_MSEC], @"Should have reached key state 'fetch', but no further"); // When we release the fetch, the callback should still fire and the item should upload [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID]; 
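Review bot: Both `#if 0` regions in the new testSecuritydClientBringup compile out the endpoint creation and the NSXPCConnection setup, so the test now only asserts that `interface` is non-nil after `configureSecuritydXPCProtocol:`. Nothing in the hunk says why the securityd endpoint part was disabled or when it should come back. Either delete the dead code or put a comment above the first `#if 0`, along the lines of `// Disabled: <reason>; re-enable when <condition>`, so the loss of coverage is visible to the next reader. In the moved checkPCSFieldsBlock, the `zoneID` parameter is unused in the visible body and each `isEqual:` comparison is evaluated twice, once for the assertion and once for the return value.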
@@ -302,30 +335,6 @@ [self waitForExpectationsWithTimeout:5.0 handler:nil]; } -- (BOOL (^) (CKRecord*)) checkPCSFieldsBlock: (CKRecordZoneID*) zoneID - PCSServiceIdentifier:(NSNumber*)servIdentifier - PCSPublicKey:(NSData*)publicKey - PCSPublicIdentity:(NSData*)publicIdentity -{ - __weak __typeof(self) weakSelf = self; - return ^BOOL(CKRecord* record) { - __strong __typeof(weakSelf) strongSelf = weakSelf; - XCTAssertNotNil(strongSelf, "self exists"); - - XCTAssert([record[SecCKRecordPCSServiceIdentifier] isEqual: servIdentifier], "PCS Service identifier matches input"); - XCTAssert([record[SecCKRecordPCSPublicKey] isEqual: publicKey], "PCS Public Key matches input"); - XCTAssert([record[SecCKRecordPCSPublicIdentity] isEqual: publicIdentity], "PCS Public Identity matches input"); - - if([record[SecCKRecordPCSServiceIdentifier] isEqual: servIdentifier] && - [record[SecCKRecordPCSPublicKey] isEqual: publicKey] && - [record[SecCKRecordPCSPublicIdentity] isEqual: publicIdentity]) { - return YES; - } else { - return NO; - } - }; -} - - (void)testPCSUnencryptedFieldsAdd { [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. @@ -610,6 +619,7 @@ [self startCKKSSubsystem]; [self.keychainView waitForKeyHierarchyReadiness]; + [self.keychainView waitForOperationsOfClass:[CKKSIncomingQueueOperation class]]; NSNumber* servIdentifier = @3; NSData* publicKey = [@"asdfasdf" dataUsingEncoding:NSUTF8StringEncoding]; 
@@ -697,14 +707,12 @@ self.silentFetchesAllowed = false; [self expectCKFetch]; - dispatch_semaphore_t resetSemaphore = dispatch_semaphore_create(0); + XCTestExpectation* resetExpectation = [self expectationWithDescription: @"local reset callback occurs"]; [self.injectedManager rpcResetLocal:nil reply:^(NSError* result) { XCTAssertNil(result, "no error resetting local"); - secnotice("ckks", "Received a rpcResetLocal callback"); - dispatch_semaphore_signal(resetSemaphore); + [resetExpectation fulfill]; }]; - - XCTAssertEqual(0, dispatch_semaphore_wait(resetSemaphore, 4*NSEC_PER_SEC), "Semaphore wait did not time out"); + [self waitForExpectations:@[resetExpectation] timeout:8.0]; OCMVerifyAllWithDelay(self.mockDatabase, 8); @@ -742,20 +750,22 @@ NSError* error = nil; [ckse saveToDatabase:&error]; XCTAssertNil(error, "No error saving new zone state to database"); + return true; }]; - dispatch_semaphore_t resetSemaphore = dispatch_semaphore_create(0); + XCTestExpectation* resetExpectation = [self expectationWithDescription: @"local reset callback occurs"]; [self.injectedManager rpcResetLocal:nil reply:^(NSError* result) { XCTAssertNil(result, "no error resetting local"); secnotice("ckks", "Received a rpcResetLocal callback"); - dispatch_semaphore_signal(resetSemaphore); + [resetExpectation fulfill]; }]; - XCTAssertEqual(0, dispatch_semaphore_wait(resetSemaphore, 400*NSEC_PER_SEC), "Semaphore wait did not time out"); + [self waitForExpectations:@[resetExpectation] timeout:1.0]; [self.keychainView dispatchSync: ^bool{ CKKSZoneStateEntry* ckse = [CKKSZoneStateEntry state:self.keychainView.zoneName]; XCTAssertNotEqualObjects(changeToken, ckse.changeToken, "Change token is reset"); + return true; }]; // Now log in, and see what happens! It should re-fetch, pick up the old key hierarchy, and use it 
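Review bot: The `timeout:1.0` on the reset wait in the `@@ -742,20 +750,22 @@` hunk looks tight and may make the test flaky on a loaded machine. The preceding hunk waits 8.0 seconds for the same rpcResetLocal callback, and the CurrentPointerAPI changes in this patch raise several one-second waits to 8. The same one-second wait appears in the `@@ -929,14 +1003,13 @@` hunk (testResetCloudKitZoneWhileLoggedOut). Unless the bound is meant to assert that the reset returns quickly, I would use `[self waitForExpectations:@[resetExpectation] timeout:8.0];`, and otherwise add a comment such as `// reset must complete promptly here; 1s is intentional`. The enclosing test method starts and ends outside the hunk.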
@@ -774,7 +784,66 @@ OCMVerifyAllWithDelay(self.mockDatabase, 8); } +-(void)testResetLocalMultipleTimes { + // Test starts with nothing in database, but one in our fake CloudKit. + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self expectCKKSTLKSelfShareUpload:self.keychainZoneID]; + [self saveTLKMaterialToKeychainSimulatingSOS:self.keychainZoneID]; + + // Spin up CKKS subsystem. + [self startCKKSSubsystem]; + + // We expect a single record to be uploaded + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], "CKKS entered 'ready'"); + [self expectCKModifyItemRecords:1 currentKeyPointerRecords:1 zoneID:self.keychainZoneID + checkItem:[self checkClassCBlock:self.keychainZoneID message:@"Object was encrypted under class C key in hierarchy"]]; + [self addGenericPassword: @"data" account: @"account-delete-me"]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForCKModifications]; + + // We're going to request a bunch of CloudKit resets, but hold them from finishing + [self holdCloudKitFetches]; + + XCTestExpectation* resetExpectation0 = [self expectationWithDescription: @"reset callback(0) occurs"]; + XCTestExpectation* resetExpectation1 = [self expectationWithDescription: @"reset callback(1) occurs"]; + XCTestExpectation* resetExpectation2 = [self expectationWithDescription: @"reset callback(2) occurs"]; + [self.injectedManager rpcResetLocal:nil reply:^(NSError* result) { + XCTAssertNil(result, "should receive no error resetting local"); + secnotice("ckksreset", "Received a rpcResetLocal(0) callback"); + [resetExpectation0 fulfill]; + }]; + [self.injectedManager rpcResetLocal:nil reply:^(NSError* result) { + XCTAssertNil(result, "should receive no error resetting local"); + secnotice("ckksreset", "Received a rpcResetLocal(1) callback"); + [resetExpectation1 fulfill]; + }]; + [self.injectedManager rpcResetLocal:nil reply:^(NSError* result) { + XCTAssertNil(result, "should receive no error 
resetting local"); + secnotice("ckksreset", "Received a rpcResetLocal(2) callback"); + [resetExpectation2 fulfill]; + }]; + + // After the reset(s), we expect no uploads. Let the resets flow! + [self releaseCloudKitFetchHold]; + [self waitForExpectations:@[resetExpectation0, resetExpectation1, resetExpectation2] timeout:20]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], "CKKS entered 'ready'"); + + OCMVerifyAllWithDelay(self.mockDatabase, 8); + + [self expectCKModifyItemRecords:1 currentKeyPointerRecords:1 zoneID:self.keychainZoneID + checkItem:[self checkClassABlock:self.keychainZoneID message:@"Object was encrypted under class A key in hierarchy"]]; + [self addGenericPassword:@"asdf" + account:@"account-class-A" + viewHint:nil + access:(id)kSecAttrAccessibleWhenUnlocked + expecting:errSecSuccess + message:@"Adding class A item"]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); +} + -(void)testResetCloudKitZone { + self.silentZoneDeletesAllowed = true; + // Test starts with nothing in database, but one in our fake CloudKit. [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; [self expectCKKSTLKSelfShareUpload:self.keychainZoneID]; 
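Review bot: In testResetLocalMultipleTimes the comment `// We're going to request a bunch of CloudKit resets, but hold them from finishing` appears to be carried over from the CloudKit-reset variant, because this test issues rpcResetLocal three times. I would reword it to `// We're going to request a bunch of local resets, but hold CloudKit fetches so they can't finish`. The test also asserts only that each reply carries no error. Since the earlier reset-local test on this page checks that the change token was reset, a short comment saying what state this test relies on being cleared would help the next reader.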
@@ -787,19 +856,19 @@ [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID checkItem: [self checkClassCBlock:self.keychainZoneID message:@"Object was encrypted under class C key in hierarchy"]]; [self addGenericPassword: @"data" account: @"account-delete-me"]; OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForCKModifications]; - // We expect a key hierarchy upload, and then the class C item upload + // After the reset, we expect a key hierarchy upload, and then the class C item upload [self expectCKModifyKeyRecords: 3 currentKeyPointerRecords: 3 tlkShareRecords: 1 zoneID:self.keychainZoneID]; [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID checkItem: [self checkClassCBlock:self.keychainZoneID message:@"Object was encrypted under class C key in hierarchy"]]; - dispatch_semaphore_t resetSemaphore = dispatch_semaphore_create(0); + XCTestExpectation* resetExpectation = [self expectationWithDescription: @"reset callback occurs"]; [self.injectedManager rpcResetCloudKit:nil reply:^(NSError* result) { XCTAssertNil(result, "no error resetting cloudkit"); secnotice("ckks", "Received a resetCloudKit callback"); - dispatch_semaphore_signal(resetSemaphore); + [resetExpectation fulfill]; }]; - - XCTAssertEqual(0, dispatch_semaphore_wait(resetSemaphore, 4*NSEC_PER_SEC), "Semaphore wait did not time out"); + [self waitForExpectations:@[resetExpectation] timeout:8.0]; OCMVerifyAllWithDelay(self.mockDatabase, 8); @@ -814,9 +883,12 @@ } - (void)testResetCloudKitZoneDuringWaitForTLK { + self.silentZoneDeletesAllowed = true; + // Test starts with nothing in database, but one in our fake CloudKit. // No TLK, though! [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self putFakeDeviceStatusInCloudKit:self.keychainZoneID]; // Spin up CKKS subsystem. [self startCKKSSubsystem]; 
@@ -912,6 +984,8 @@ }*/ -(void)testResetCloudKitZoneWhileLoggedOut { + self.silentZoneDeletesAllowed = true; + // We're "logged in to" cloudkit but not in circle. self.circleStatus = kSOSCCNotInCircle; [self.accountStateTracker notifyCircleStatusChangeAndWaitForSignal]; @@ -929,14 +1003,13 @@ XCTAssertNotNil(self.keychainZone.currentDatabase, "Zone exists"); XCTAssertNotNil(self.keychainZone.currentDatabase[ckr.recordID], "An item exists in the fake zone"); - dispatch_semaphore_t resetSemaphore = dispatch_semaphore_create(0); + XCTestExpectation* resetExpectation = [self expectationWithDescription: @"reset callback occurs"]; [self.injectedManager rpcResetCloudKit:nil reply:^(NSError* result) { XCTAssertNil(result, "no error resetting cloudkit"); secnotice("ckks", "Received a resetCloudKit callback"); - dispatch_semaphore_signal(resetSemaphore); + [resetExpectation fulfill]; }]; - - XCTAssertEqual(0, dispatch_semaphore_wait(resetSemaphore, 400*NSEC_PER_SEC), "Semaphore wait did not time out"); + [self waitForExpectations:@[resetExpectation] timeout:1.0]; XCTAssertNil(self.keychainZone.currentDatabase, "No zone anymore!"); OCMVerifyAllWithDelay(self.mockDatabase, 8); 
@@ -959,9 +1032,150 @@ OCMVerifyAllWithDelay(self.mockDatabase, 8); } +- (void)testResetCloudKitZoneMultipleTimes { + self.silentZoneDeletesAllowed = true; + + // Test starts with nothing in database, but one in our fake CloudKit. + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self expectCKKSTLKSelfShareUpload:self.keychainZoneID]; + [self saveTLKMaterialToKeychainSimulatingSOS:self.keychainZoneID]; + + // Spin up CKKS subsystem. + [self startCKKSSubsystem]; + + // We expect a single record to be uploaded + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], "CKKS entered 'ready'"); + [self expectCKModifyItemRecords:1 currentKeyPointerRecords:1 zoneID:self.keychainZoneID + checkItem:[self checkClassCBlock:self.keychainZoneID message:@"Object was encrypted under class C key in hierarchy"]]; + [self addGenericPassword: @"data" account: @"account-delete-me"]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForCKModifications]; + + // We're going to request a bunch of CloudKit resets, but hold them from finishing + [self holdCloudKitFetches]; + + XCTestExpectation* resetExpectation0 = [self expectationWithDescription: @"reset callback(0) occurs"]; + XCTestExpectation* resetExpectation1 = [self expectationWithDescription: @"reset callback(1) occurs"]; + XCTestExpectation* resetExpectation2 = [self expectationWithDescription: @"reset callback(2) occurs"]; + [self.injectedManager rpcResetCloudKit:nil reply:^(NSError* result) { + XCTAssertNil(result, "should receive no error resetting cloudkit"); + secnotice("ckksreset", "Received a resetCloudKit(0) callback"); + [resetExpectation0 fulfill]; + }]; + [self.injectedManager rpcResetCloudKit:nil reply:^(NSError* result) { + XCTAssertNil(result, "should receive no error resetting cloudkit"); + secnotice("ckksreset", "Received a resetCloudKit(1) callback"); + [resetExpectation1 fulfill]; + }]; + [self.injectedManager rpcResetCloudKit:nil 
reply:^(NSError* result) { + XCTAssertNil(result, "should receive no error resetting cloudkit"); + secnotice("ckksreset", "Received a resetCloudKit(2) callback"); + [resetExpectation2 fulfill]; + }]; + + // After the reset(s), we expect a key hierarchy upload, and then the class C item upload + [self expectCKModifyKeyRecords:3 currentKeyPointerRecords:3 tlkShareRecords:1 zoneID:self.keychainZoneID]; + [self expectCKModifyItemRecords:1 currentKeyPointerRecords:1 zoneID:self.keychainZoneID + checkItem:[self checkClassCBlock:self.keychainZoneID message:@"Object was encrypted under class C key in hierarchy"]]; + + // And let the resets flow + [self releaseCloudKitFetchHold]; + [self waitForExpectations:@[resetExpectation0, resetExpectation1, resetExpectation2] timeout:20]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], "CKKS entered 'ready'"); + + OCMVerifyAllWithDelay(self.mockDatabase, 8); + + [self expectCKModifyItemRecords:1 currentKeyPointerRecords:1 zoneID:self.keychainZoneID + checkItem:[self checkClassABlock:self.keychainZoneID message:@"Object was encrypted under class A key in hierarchy"]]; + [self addGenericPassword:@"asdf" + account:@"account-class-A" + viewHint:nil + access:(id)kSecAttrAccessibleWhenUnlocked + expecting:errSecSuccess + message:@"Adding class A item"]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); +} + +- (void)testRPCFetchAndProcessWhileCloudKitNotResponding { + [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. + [self startCKKSSubsystem]; + + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], "CKKS entered 'ready'"); + [self holdCloudKitFetches]; + + XCTestExpectation* callbackOccurs = [self expectationWithDescription:@"callback-occurs"]; + [self.ckksControl rpcFetchAndProcessChanges:nil reply:^(NSError * _Nullable error) { + // done! 
we should have an underlying error of "fetch isn't working" + XCTAssertNotNil(error, "Should have received an error attempting to fetch and process"); + NSError* underlying = error.userInfo[NSUnderlyingErrorKey]; + XCTAssertNotNil(underlying, "Should have received an underlying error"); + XCTAssertEqualObjects(underlying.domain, CKKSResultDescriptionErrorDomain, "Underlying error should be CKKSResultDescriptionErrorDomain"); + XCTAssertEqual(underlying.code, CKKSResultDescriptionPendingSuccessfulFetch, "Underlying error should be 'pending fetch'"); + [callbackOccurs fulfill]; + }]; + + [self waitForExpectations:@[callbackOccurs] timeout:20.0]; + [self releaseCloudKitFetchHold]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); +} + +- (void)testRPCFetchAndProcessWhileCloudKitErroring { + [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. + [self startCKKSSubsystem]; + + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], "CKKS entered 'ready'"); + + [self.keychainZone failNextFetchWith:[[CKPrettyError alloc] initWithDomain:CKErrorDomain + code:CKErrorRequestRateLimited + userInfo:@{CKErrorRetryAfterKey : [NSNumber numberWithInt:30]}]]; + + XCTestExpectation* callbackOccurs = [self expectationWithDescription:@"callback-occurs"]; + [self.ckksControl rpcFetchAndProcessChanges:nil reply:^(NSError * _Nullable error) { + // done! 
we should have an underlying error of "fetch isn't working" + XCTAssertNotNil(error, "Should have received an error attempting to fetch and process"); + NSError* underlying = error.userInfo[NSUnderlyingErrorKey]; + XCTAssertNotNil(underlying, "Should have received an underlying error"); + XCTAssertEqualObjects(underlying.domain, CKKSResultDescriptionErrorDomain, "Underlying error should be CKKSResultDescriptionErrorDomain"); + XCTAssertEqual(underlying.code, CKKSResultDescriptionPendingSuccessfulFetch, "Underlying error should be 'pending fetch'"); + + NSError* underunderlying = underlying.userInfo[NSUnderlyingErrorKey]; + XCTAssertNotNil(underunderlying, "Should have received another layer of underlying error"); + XCTAssertEqualObjects(underunderlying.domain, CKErrorDomain, "Underlying error should be CKErrorDomain"); + XCTAssertEqual(underunderlying.code, CKErrorRequestRateLimited, "Underlying error should be 'rate limited'"); + + [callbackOccurs fulfill]; + }]; + + [self waitForExpectations:@[callbackOccurs] timeout:20.0]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); +} + +- (void)testRPCFetchAndProcessWhileInWaitForTLK { + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self putFakeDeviceStatusInCloudKit:self.keychainZoneID]; + [self startCKKSSubsystem]; + + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForTLK] wait:8*NSEC_PER_SEC], "CKKS entered waitfortlk"); + + XCTestExpectation* callbackOccurs = [self expectationWithDescription:@"callback-occurs"]; + [self.ckksControl rpcFetchAndProcessChanges:nil reply:^(NSError * _Nullable error) { + // done! 
we should have an underlying error of "fetch isn't working" + XCTAssertNotNil(error, "Should have received an error attempting to fetch and process"); + NSError* underlying = error.userInfo[NSUnderlyingErrorKey]; + XCTAssertNotNil(underlying, "Should have received an underlying error"); + XCTAssertEqualObjects(underlying.domain, CKKSResultDescriptionErrorDomain, "Underlying error should be CKKSResultDescriptionErrorDomain"); + XCTAssertEqual(underlying.code, CKKSResultDescriptionPendingKeyReady, "Underlying error should be 'pending key ready'"); + [callbackOccurs fulfill]; + }]; + + [self waitForExpectations:@[callbackOccurs] timeout:20.0]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); +} + - (void)testRPCTLKMissingWhenMissing { // Bring CKKS up in waitfortlk [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self putFakeDeviceStatusInCloudKit:self.keychainZoneID]; [self startCKKSSubsystem]; XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForTLK] wait:8*NSEC_PER_SEC], "CKKS entered waitfortlk"); @@ -979,7 +1193,7 @@ } - (void)testRPCTLKMissingWhenFound { - // Bring CKKS up in waitfortlk + // Bring CKKS up in 'ready' [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; [self saveTLKMaterialToKeychain:self.keychainZoneID]; [self expectCKKSTLKSelfShareUpload:self.keychainZoneID]; 
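Review bot: The reply-block comment in testRPCFetchAndProcessWhileInWaitForTLK is stale: it says `// done! we should have an underlying error of "fetch isn't working"`, but the assertion below it expects `CKKSResultDescriptionPendingKeyReady`. It looks copied from the two fetch-failure tests above it. I would change it to `// done! we should have an underlying error of "pending key ready"`. Separately, the three identical reply blocks in testResetCloudKitZoneMultipleTimes differ only by index, so building the expectations in a small loop would remove the repetition.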
@@ -999,6 +1213,150 @@ OCMVerifyAllWithDelay(self.mockDatabase, 8); } +- (void)testRPCKnownBadStateWhenTLKsMissing { + // Bring CKKS up in waitfortlk + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self putFakeDeviceStatusInCloudKit:self.keychainZoneID]; + [self startCKKSSubsystem]; + + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForTLK] wait:8*NSEC_PER_SEC], "CKKS entered waitfortlk"); + + XCTestExpectation* callbackOccurs = [self expectationWithDescription:@"callback-occurs"]; + + [self.ckksControl rpcKnownBadState:@"keychain" reply:^(CKKSKnownBadState result) { + XCTAssertEqual(result, CKKSKnownStateTLKsMissing, "TLKs should be missing"); + [callbackOccurs fulfill]; + }]; + + [self waitForExpectations:@[callbackOccurs] timeout:5.0]; + + OCMVerifyAllWithDelay(self.mockDatabase, 8); +} + +- (void)testRPCKnownBadStateWhenInWaitForUnlock { + // Bring CKKS up in 'waitfortunlok' + self.aksLockState = true; + [self.lockStateTracker recheck]; + [self startCKKSSubsystem]; + + // Wait for the key hierarchy state machine to get stuck waiting for the unlock dependency. No uploads should occur. 
+ XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForUnlock] wait:8*NSEC_PER_SEC], @"Key state should get stuck in waitforunlock"); + + XCTestExpectation* callbackOccurs = [self expectationWithDescription:@"callback-occurs"]; + + [self.ckksControl rpcKnownBadState:@"keychain" reply:^(CKKSKnownBadState result) { + XCTAssertEqual(result, CKKSKnownStateWaitForUnlock, "known state should be wait for unlock"); + [callbackOccurs fulfill]; + }]; + + [self waitForExpectations:@[callbackOccurs] timeout:5.0]; + + OCMVerifyAllWithDelay(self.mockDatabase, 8); +} + + +- (void)testRPCKnownBadStateWhenInGoodState { + // Bring CKKS up in 'ready' + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self saveTLKMaterialToKeychain:self.keychainZoneID]; + [self expectCKKSTLKSelfShareUpload:self.keychainZoneID]; + [self startCKKSSubsystem]; + + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], "CKKS entered 'ready''"); + + XCTestExpectation* callbackOccurs = [self expectationWithDescription:@"callback-occurs"]; + + [self.ckksControl rpcKnownBadState:@"keychain" reply:^(CKKSKnownBadState result) { + XCTAssertEqual(result, CKKSKnownStatePossiblyGood, "known state should not be possibly-good"); + [callbackOccurs fulfill]; + }]; + + [self waitForExpectations:@[callbackOccurs] timeout:5.0]; + + OCMVerifyAllWithDelay(self.mockDatabase, 8); +} + +- (void)testRpcStatus { + [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. + + [self startCKKSSubsystem]; + + // Let things shake themselves out. 
+ OCMVerifyAllWithDelay(self.mockDatabase, 8); + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], "Key state should return to 'ready'"); + [self waitForCKModifications]; + + XCTestExpectation* callbackOccurs = [self expectationWithDescription:@"callback-occurs"]; + [self.ckksControl rpcStatus:@"keychain" reply:^(NSArray* result, NSError* error) { + XCTAssertNil(error, "should be no error fetching status for keychain"); + + // Ugly "global" hack + XCTAssertEqual(result.count, 2u, "Should have received two result dictionaries back"); + NSDictionary* keychainStatus = result[1]; + + XCTAssertNotNil(keychainStatus, "Should have received at least one zone status back"); + XCTAssertEqualObjects(keychainStatus[@"view"], @"keychain", "Should have received status for the keychain view"); + XCTAssertEqualObjects(keychainStatus[@"keystate"], SecCKKSZoneKeyStateReady, "Should be in 'ready' status"); + [callbackOccurs fulfill]; + }]; + + [self waitForExpectations:@[callbackOccurs] timeout:5.0]; +} + +- (void)testRpcStatusWaitsForAccountDetermination { + [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. + + // Set up the account state callbacks to happen in one second + dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (1 * NSEC_PER_SEC)), dispatch_get_global_queue(QOS_CLASS_DEFAULT, 0), ^{ + // Let CKKS come up (simulating daemon starting due to RPC) + [self startCKKSSubsystem]; + }); + + // Before CKKS figures out we're in an account, fire off the status RPC. 
+ XCTestExpectation* callbackOccurs = [self expectationWithDescription:@"callback-occurs"]; + [self.ckksControl rpcStatus:@"keychain" reply:^(NSArray* result, NSError* error) { + XCTAssertNil(error, "should be no error fetching status for keychain"); + + // Ugly "global" hack + XCTAssertEqual(result.count, 2u, "Should have received two result dictionaries back"); + NSDictionary* keychainStatus = result[1]; + + XCTAssertNotNil(keychainStatus, "Should have received at least one zone status back"); + XCTAssertEqualObjects(keychainStatus[@"view"], @"keychain", "Should have received status for the keychain view"); + XCTAssertEqualObjects(keychainStatus[@"keystate"], SecCKKSZoneKeyStateReady, "Should be in 'ready' status"); + [callbackOccurs fulfill]; + }]; + + [self waitForExpectations:@[callbackOccurs] timeout:8.0]; +} + +- (void)testRpcStatusIsFastDuringError { + [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. + + self.keychainFetchError = [NSError errorWithDomain:NSOSStatusErrorDomain code:errSecInternalError description:@"injected keychain failure"]; + + // Let CKKS come up; it should enter 'error' + [self startCKKSSubsystem]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateError] wait:8*NSEC_PER_SEC], "CKKS entered 'error'"); + + // Fire off the status RPC; it should return immediately + XCTestExpectation* callbackOccurs = [self expectationWithDescription:@"callback-occurs"]; + [self.ckksControl rpcStatus:@"keychain" reply:^(NSArray* result, NSError* error) { + XCTAssertNil(error, "should be no error fetching status for keychain"); + + // Ugly "global" hack + XCTAssertEqual(result.count, 2u, "Should have received two result dictionaries back"); + NSDictionary* keychainStatus = result[1]; + + XCTAssertNotNil(keychainStatus, "Should have received at least one zone status back"); + XCTAssertEqualObjects(keychainStatus[@"view"], @"keychain", "Should have received status for the keychain 
view"); + XCTAssertEqualObjects(keychainStatus[@"keystate"], SecCKKSZoneKeyStateError, "Should be in 'ready' status"); + [callbackOccurs fulfill]; + }]; + + [self waitForExpectations:@[callbackOccurs] timeout:1.0]; +} + @end #endif // OCTAGON diff --git a/keychain/ckks/tests/CKKSTests+CurrentPointerAPI.m b/keychain/ckks/tests/CKKSTests+CurrentPointerAPI.m index 4f2aff99..9d302e19 100644 --- a/keychain/ckks/tests/CKKSTests+CurrentPointerAPI.m +++ b/keychain/ckks/tests/CKKSTests+CurrentPointerAPI.m @@ -43,7 +43,10 @@ #import "keychain/ckks/tests/CKKSTests.h" #import "keychain/ckks/tests/CKKSTests+API.h" -@implementation CloudKitKeychainSyncingTests (CurrentPointerAPITests) +@interface CloudKitKeychainSyncingCurrentPointerAPITests : CloudKitKeychainSyncingTestsBase +@end + +@implementation CloudKitKeychainSyncingCurrentPointerAPITests -(void)fetchCurrentPointer:(bool)cached persistentRef:(NSData*)persistentRef { @@ -63,7 +66,7 @@ -(void)fetchCurrentPointerExpectingError:(bool)fetchCloudValue { XCTestExpectation* currentExpectation = [self expectationWithDescription: @"callback occurs"]; - //TEST_API_AUTORELEASE_BEFORE(SecItemFetchCurrentItemAcrossAllDevices); + TEST_API_AUTORELEASE_BEFORE(SecItemFetchCurrentItemAcrossAllDevices); SecItemFetchCurrentItemAcrossAllDevices((__bridge CFStringRef)@"com.apple.security.ckks", (__bridge CFStringRef)@"pcsservice", (__bridge CFStringRef)@"keychain", @@ -73,7 +76,7 @@ XCTAssertNotNil((__bridge id)cferror, "Error exists when there's a current item"); [currentExpectation fulfill]; }); - //TEST_API_AUTORELEASE_AFTER(SecItemFetchCurrentItemAcrossAllDevices); + TEST_API_AUTORELEASE_AFTER(SecItemFetchCurrentItemAcrossAllDevices); [self waitForExpectationsWithTimeout:8.0 handler:nil]; } 
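Review bot: Two failure messages in the `@@ -999,6 +1213,150 @@` hunk contradict the assertions they belong to, which will mislead whoever reads a failing run. testRPCKnownBadStateWhenInGoodState asserts `CKKSKnownStatePossiblyGood` with the text "known state should not be possibly-good", and testRpcStatusIsFastDuringError asserts `SecCKKSZoneKeyStateError` with "Should be in 'ready' status". I would change these to `"known state should be possibly-good"` and `"Should be in 'error' status"`. In the three rpcStatus tests, `result[1]` is read straight after a non-fatal `XCTAssertEqual(result.count, 2u, ...)`, so a short array would raise a range exception inside the reply block instead of failing cleanly. A guard such as `if(result.count < 2) { [callbackOccurs fulfill]; return; }` before the index would avoid that. The comment `'waitfortunlok'` is also a typo for 'waitforunlock'.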
@@ -134,7 +137,7 @@ publicIdentity:(NSData*)publicIdentity expectingSync:true]; XCTAssertNotNil(result, "Received result from adding item"); - [self waitForExpectations:@[keychainChanged] timeout:1]; + [self waitForExpectations:@[keychainChanged] timeout:8]; // Check that the record is where we expect it in CloudKit [self waitForCKModifications]; @@ -157,7 +160,7 @@ // Ensure that setting the current pointer sends a notification keychainChanged = [self expectChangeForView:self.keychainZoneID.zoneName]; - //TEST_API_AUTORELEASE_BEFORE(SecItemSetCurrentItemAcrossAllDevices); + TEST_API_AUTORELEASE_BEFORE(SecItemSetCurrentItemAcrossAllDevices); SecItemSetCurrentItemAcrossAllDevices((__bridge CFStringRef)@"com.apple.security.ckks", (__bridge CFStringRef)@"pcsservice", (__bridge CFStringRef)@"keychain", @@ -167,9 +170,9 @@ XCTAssertNil(error, "No error setting current item"); [setCurrentExpectation fulfill]; }); - //TEST_API_AUTORELEASE_AFTER(SecItemSetCurrentItemAcrossAllDevices); + TEST_API_AUTORELEASE_AFTER(SecItemSetCurrentItemAcrossAllDevices); OCMVerifyAllWithDelay(self.mockDatabase, 8); - [self waitForExpectations:@[keychainChanged] timeout:1]; + [self waitForExpectations:@[keychainChanged] timeout:8]; [self waitForCKModifications]; [self waitForExpectationsWithTimeout:8.0 handler:nil]; @@ -198,7 +201,7 @@ publicIdentity:(NSData*)publicIdentity expectingSync:true]; XCTAssertNotNil(result, "Received result from adding item"); - [self waitForExpectations:@[keychainChanged] timeout:1]; + [self waitForExpectations:@[keychainChanged] timeout:8]; // Check that the record is where we expect it [self waitForCKModifications]; @@ -250,7 +253,7 @@ [otherSetCurrentExpectation fulfill]; }); OCMVerifyAllWithDelay(self.mockDatabase, 8); - [self waitForExpectations:@[keychainChanged] timeout:1]; + [self waitForExpectations:@[keychainChanged] timeout:8]; [self waitForCKModifications]; [self waitForExpectationsWithTimeout:8.0 handler:nil]; 
@@ -267,6 +270,115 @@ SecResetLocalSecuritydXPCFakeEntitlements(); } +- (void)testPCSCurrentPointerAddMissingItem { + SecResetLocalSecuritydXPCFakeEntitlements(); + SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSPlaintextFields, kCFBooleanTrue); + SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSWriteCurrentItemPointers, kCFBooleanTrue); + SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSReadCurrentItemPointers, kCFBooleanTrue); + + [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. + [self startCKKSSubsystem]; + + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], @"Key state should become 'ready'"); + + [self fetchCurrentPointerExpectingError:false]; + + NSData* fakepersistentRef = [@"not a real pref" dataUsingEncoding:NSUTF8StringEncoding]; + NSData* fakesha1 = [@"not a real sha1" dataUsingEncoding:NSUTF8StringEncoding]; + + XCTestExpectation* setCurrentExpectation = [self expectationWithDescription: @"callback occurs"]; + + TEST_API_AUTORELEASE_BEFORE(SecItemSetCurrentItemAcrossAllDevices); + SecItemSetCurrentItemAcrossAllDevices((__bridge CFStringRef)@"com.apple.security.ckks", + (__bridge CFStringRef)@"pcsservice", + (__bridge CFStringRef)@"keychain", + (__bridge CFDataRef)fakepersistentRef, + (__bridge CFDataRef)fakesha1, NULL, NULL, ^ (CFErrorRef cferror) { + NSError* error = (__bridge NSError*)cferror; + XCTAssertNotNil(error, "Should error setting current item to a nonexistent item"); + [setCurrentExpectation fulfill]; + }); + TEST_API_AUTORELEASE_AFTER(SecItemSetCurrentItemAcrossAllDevices); + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForCKModifications]; + + [self waitForExpectationsWithTimeout:8.0 handler:nil]; + + SecResetLocalSecuritydXPCFakeEntitlements(); +} + +- (void)testPCSCurrentPointerAddMissingOldItem { + SecResetLocalSecuritydXPCFakeEntitlements(); + 
SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSPlaintextFields, kCFBooleanTrue); + SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSWriteCurrentItemPointers, kCFBooleanTrue); + SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSReadCurrentItemPointers, kCFBooleanTrue); + + NSNumber* servIdentifier = @3; + NSData* publicKey = [@"asdfasdf" dataUsingEncoding:NSUTF8StringEncoding]; + NSData* publicIdentity = [@"somedata" dataUsingEncoding:NSUTF8StringEncoding]; + + [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. + [self startCKKSSubsystem]; + + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], @"Key state should become 'ready'"); + + [self fetchCurrentPointerExpectingError:false]; + + XCTestExpectation* keychainChanged = [self expectChangeForView:self.keychainZoneID.zoneName]; + + [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID + checkItem: [self checkPCSFieldsBlock:self.keychainZoneID + PCSServiceIdentifier:(NSNumber *)servIdentifier + PCSPublicKey:publicKey + PCSPublicIdentity:publicIdentity]]; + + NSDictionary* result = [self pcsAddItem:@"testaccount" + data:[@"asdf" dataUsingEncoding:NSUTF8StringEncoding] + serviceIdentifier:(NSNumber*)servIdentifier + publicKey:(NSData*)publicKey + publicIdentity:(NSData*)publicIdentity + expectingSync:true]; + XCTAssertNotNil(result, "Received result from adding item"); + [self waitForExpectations:@[keychainChanged] timeout:8]; + + // Check that the record is where we expect it in CloudKit + [self waitForCKModifications]; + CKRecordID* pcsItemRecordID = [[CKRecordID alloc] initWithRecordName: @"DD7C2F9B-B22D-3B90-C299-E3B48174BFA3" zoneID:self.keychainZoneID]; + CKRecord* record = self.keychainZone.currentDatabase[pcsItemRecordID]; + XCTAssertNotNil(record, "Found record in CloudKit at expected UUID"); + + NSData* persistentRef = 
result[(id)kSecValuePersistentRef]; + NSData* sha1 = result[(id)kSecAttrSHA1]; + + // Set the 'current' pointer. + XCTestExpectation* setCurrentExpectation = [self expectationWithDescription: @"callback occurs"]; + + NSData* fakepersistentRef = [@"not a real pref" dataUsingEncoding:NSUTF8StringEncoding]; + NSData* fakesha1 = [@"not a real sha1" dataUsingEncoding:NSUTF8StringEncoding]; + + TEST_API_AUTORELEASE_BEFORE(SecItemSetCurrentItemAcrossAllDevices); + SecItemSetCurrentItemAcrossAllDevices((__bridge CFStringRef)@"com.apple.security.ckks", + (__bridge CFStringRef)@"pcsservice", + (__bridge CFStringRef)@"keychain", + (__bridge CFDataRef)persistentRef, + (__bridge CFDataRef)sha1, + (__bridge CFDataRef)fakepersistentRef, + (__bridge CFDataRef)fakesha1, + ^(CFErrorRef cferror) { + NSError* error = (__bridge NSError*)cferror; + XCTAssertNotNil(error, "Should error setting current item when passing garbage for old item"); + [setCurrentExpectation fulfill]; + }); + TEST_API_AUTORELEASE_AFTER(SecItemSetCurrentItemAcrossAllDevices); + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForExpectations:@[keychainChanged] timeout:8]; + [self waitForCKModifications]; + + [self waitForExpectationsWithTimeout:8.0 handler:nil]; + + SecResetLocalSecuritydXPCFakeEntitlements(); +} + - (void)testPCSCurrentPointerAddNoCloudKitAccount { SecResetLocalSecuritydXPCFakeEntitlements(); SecAddLocalSecuritydXPCFakeEntitlement(kSecEntitlementPrivateCKKSPlaintextFields, kCFBooleanTrue); @@ -414,7 +526,7 @@ XCTAssertNotNil(result, "Received result from adding item"); NSData* persistentRef = result[(id)kSecValuePersistentRef]; - [self waitForExpectations:@[keychainChanged] timeout:1]; + [self waitForExpectations:@[keychainChanged] timeout:8]; // And a second item [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID 
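Review bot: In testPCSCurrentPointerAddMissingOldItem, the second `[self waitForExpectations:@[keychainChanged] timeout:8];` after the failing set call waits on an expectation that was already waited on after pcsAddItem. It is never re-created, and a rejected set should presumably not produce a view-change notification, so this wait either checks nothing or may be reported by XCTest as a repeated wait on the same expectation. I would drop that line. Both new tests are negative tests for a current-item-pointer write, and they assert only that the callback carries an error. Repeating `[self fetchCurrentPointerExpectingError:false];` after the callback, as each test already does before the call, would also show that no pointer was written.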
@@ -461,7 +573,7 @@ [self.keychainView notifyZoneChange:nil]; [self.keychainView waitForFetchAndIncomingQueueProcessing]; - [self waitForExpectations:@[keychainChanged] timeout:1]; + [self waitForExpectations:@[keychainChanged] timeout:8]; [self fetchCurrentPointer:false persistentRef:persistentRef]; // And again! @@ -480,7 +592,7 @@ [self.keychainView notifyZoneChange:nil]; [self.keychainView waitForFetchAndIncomingQueueProcessing]; - [self waitForExpectations:@[keychainChanged] timeout:1]; + [self waitForExpectations:@[keychainChanged] timeout:8]; [self fetchCurrentPointer:false persistentRef:persistentRef2]; SecResetLocalSecuritydXPCFakeEntitlements(); @@ -553,7 +665,7 @@ [self.keychainZone deleteCKRecordIDFromZone: currentPointerRecordID]; [self.keychainView notifyZoneChange:nil]; [self.keychainView waitForFetchAndIncomingQueueProcessing]; - [self waitForExpectations:@[keychainChanged] timeout:1]; + [self waitForExpectations:@[keychainChanged] timeout:8]; [self fetchCurrentPointerExpectingError:false]; @@ -929,7 +1041,6 @@ [self.keychainView waitUntilAllOperationsAreFinished]; // Before CKKS can add the item, shove a conflicting one into CloudKit - NSError* error = nil; NSString* account = @"testaccount"; @@ -947,9 +1058,15 @@ CKRecord* mismatchedRecord = [self newRecord:ckrid withNewItemData:item]; [self.keychainZone addToZone: mismatchedRecord]; + self.keychainView.holdIncomingQueueOperation = [CKKSResultOperation named:@"hold-incoming" withBlock:^{ + secnotice("ckks", "Releasing process incoming queue hold"); + }]; + + NSData* firstItemData = [@"asdf" dataUsingEncoding:NSUTF8StringEncoding]; + [self expectCKAtomicModifyItemRecordsUpdateFailure:self.keychainZoneID]; NSDictionary* result = [self pcsAddItem:account - data:[@"asdf" dataUsingEncoding:NSUTF8StringEncoding] + data:firstItemData serviceIdentifier:(NSNumber*)servIdentifier publicKey:(NSData*)publicKey publicIdentity:(NSData*)publicIdentity 
@@ -959,14 +1076,59 @@ NSData* persistentRef = result[(id)kSecValuePersistentRef]; NSData* sha1 = result[(id)kSecAttrSHA1]; + // Ensure that fetching the item without grabbing data returns the same SHA1 + NSDictionary* prefquery = @{(id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecReturnAttributes : @YES, + (id)kSecAttrSynchronizable : @YES, + (id)kSecAttrPersistentReference : persistentRef, + (id)kSecMatchLimit : (id)kSecMatchLimitOne, + }; + CFTypeRef prefresult = NULL; + XCTAssertEqual(errSecSuccess, SecItemCopyMatching((__bridge CFDictionaryRef)prefquery, &prefresult), "Should be able to find item by persistent ref"); + NSDictionary* newPersistentRefResult = (NSDictionary*) CFBridgingRelease(prefresult); + prefresult = NULL; + XCTAssertNotNil(newPersistentRefResult, "Should have received item attributes"); + XCTAssertEqualObjects(newPersistentRefResult[(id)kSecAttrSHA1], sha1, "SHA1 should match between Add and Find (with data)"); + XCTAssertNil(newPersistentRefResult[(id)kSecValueData], "Should have returned no data"); + + // Ensure that fetching the item and grabbing data returns the same SHA1 + prefquery = @{(id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecReturnAttributes : @YES, + (id)kSecReturnData : @YES, + (id)kSecAttrSynchronizable : @YES, + (id)kSecAttrPersistentReference : persistentRef, + (id)kSecMatchLimit : (id)kSecMatchLimitOne, + }; + XCTAssertEqual(errSecSuccess, SecItemCopyMatching((__bridge CFDictionaryRef)prefquery, &prefresult), "Should be able to find item by persistent ref"); + newPersistentRefResult = (NSDictionary*) CFBridgingRelease(prefresult); + XCTAssertNotNil(newPersistentRefResult, "Should have received item attributes"); + XCTAssertEqualObjects(newPersistentRefResult[(id)kSecAttrSHA1], sha1, "SHA1 should match between Add and Find (with data)"); + XCTAssertEqualObjects(newPersistentRefResult[(id)kSecValueData], firstItemData, "Should have returned data matching the item we put in"); + // Set the current pointer to 
the result of adding this item. This should fail. - XCTestExpectation* setCurrentExpectation = [self expectationWithDescription: @"callback occurs"]; + XCTestExpectation* setCurrentExpectation = [self expectationWithDescription: @"callback occurs before incoming queue operation"]; + SecItemSetCurrentItemAcrossAllDevices((__bridge CFStringRef)@"com.apple.security.ckks", + (__bridge CFStringRef)@"pcsservice", + (__bridge CFStringRef)@"keychain", + (__bridge CFDataRef)persistentRef, + (__bridge CFDataRef)sha1, NULL, NULL, ^ (CFErrorRef cferror) { + XCTAssertNotNil((__bridge NSError*)cferror, "Should error setting current item to hash of item which failed to sync (before incoming queue operation)"); + [setCurrentExpectation fulfill]; + }); + + [self waitForExpectations:@[setCurrentExpectation] timeout:8.0]; + + // Now, release the incoming queue processing and retry the failure + [self.operationQueue addOperation:self.keychainView.holdIncomingQueueOperation]; + [self.keychainView waitForOperationsOfClass:[CKKSIncomingQueueOperation class]]; + + setCurrentExpectation = [self expectationWithDescription: @"callback occurs after incoming queue operation"]; SecItemSetCurrentItemAcrossAllDevices((__bridge CFStringRef)@"com.apple.security.ckks", (__bridge CFStringRef)@"pcsservice", (__bridge CFStringRef)@"keychain", (__bridge CFDataRef)persistentRef, (__bridge CFDataRef)sha1, NULL, NULL, ^ (CFErrorRef cferror) { - XCTAssertNotNil((__bridge NSError*)cferror, "Should error setting current item to hash of item which failed to sync"); + XCTAssertNotNil((__bridge NSError*)cferror, "Should error setting current item to hash of item which failed to sync (after incoming queue operation)"); [setCurrentExpectation fulfill]; }); diff --git a/keychain/ckks/tests/CKKSTests.h b/keychain/ckks/tests/CKKSTests.h index 87f694b5..1fcb10a9 100644 --- a/keychain/ckks/tests/CKKSTests.h +++ b/keychain/ckks/tests/CKKSTests.h 
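Review bot: The first `SecItemCopyMatching` check in this hunk, the one whose query omits `kSecReturnData`, reuses the failure message `"SHA1 should match between Add and Find (with data)"`, so a regression in the attributes-only path would be reported as if it came from the data-returning query. Change that first message to `"SHA1 should match between Add and Find (without data)"`. A one-line comment above the two queries would also help, noting that the same `sha1` is later passed to `SecItemSetCurrentItemAcrossAllDevices` and so must not depend on whether the caller asked for the data. The enclosing test method starts and ends outside this hunk.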
@@ -21,18 +21,15 @@ * @APPLE_LICENSE_HEADER_END@ */ +#if OCTAGON + #import #import #import #include -#import "keychain/ckks/CKKS.h" -#import "keychain/ckks/CKKSKeychainView.h" -#import "keychain/ckks/CKKSManifest.h" -#import "keychain/ckks/tests/CloudKitKeychainSyncingMockXCTest.h" -#import "keychain/ckks/tests/CloudKitMockXCTest.h" -#import "keychain/ckks/tests/MockCloudKit.h" +#import "keychain/ckks/tests/CloudKitKeychainSyncingTestsBase.h" NS_ASSUME_NONNULL_BEGIN @@ -40,17 +37,9 @@ NS_ASSUME_NONNULL_BEGIN // 3 keys, 3 current keys, and 1 device state entry #define SYSTEM_DB_RECORD_COUNT (7 + ([CKKSManifest shouldSyncManifests] ? 73 : 0)) -@interface CloudKitKeychainSyncingTestsBase : CloudKitKeychainSyncingMockXCTest -@property (nullable) CKRecordZoneID* keychainZoneID; -@property (nullable) CKKSKeychainView* keychainView; -@property (nullable) FakeCKZone* keychainZone; - -@property (nullable, readonly) ZoneKeys* keychainZoneKeys; - -- (ZoneKeys*)keychainZoneKeys; -@end - @interface CloudKitKeychainSyncingTests : CloudKitKeychainSyncingTestsBase @end NS_ASSUME_NONNULL_END + +#endif /* OCTAGON */ diff --git a/keychain/ckks/tests/CKKSTests.m b/keychain/ckks/tests/CKKSTests.m index c1893a40..8644e903 100644 --- a/keychain/ckks/tests/CKKSTests.m +++ b/keychain/ckks/tests/CKKSTests.m @@ -32,6 +32,8 @@ #include #include #include +#include +#include #import "keychain/ckks/tests/CloudKitMockXCTest.h" #import "keychain/ckks/tests/CloudKitKeychainSyncingMockXCTest.h" @@ -46,7 +48,7 @@ #import "keychain/ckks/CKKSViewManager.h" #import "keychain/ckks/CKKSZoneStateEntry.h" #import "keychain/ckks/CKKSManifest.h" -#import "keychain/ckks/CKKSAnalyticsLogger.h" +#import "keychain/ckks/CKKSAnalytics.h" #import "keychain/ckks/CKKSHealKeyHierarchyOperation.h" #import "keychain/ckks/CKKSZoneChangeFetcher.h" 
@@ -54,69 +56,9 @@ #import "keychain/ckks/tests/CKKSTests.h" -@implementation CloudKitKeychainSyncingTestsBase - -- (ZoneKeys*)keychainZoneKeys { - return self.keys[self.keychainZoneID]; -} - -// Override our base class --(NSSet*)managedViewList { - return [NSSet setWithObject:@"keychain"]; -} - -+ (void)setUp { - SecCKKSEnable(); - SecCKKSResetSyncing(); - [super setUp]; -} - -- (void)setUp { - [super setUp]; - - self.keychainZoneID = [[CKRecordZoneID alloc] initWithZoneName:@"keychain" ownerName:CKCurrentUserDefaultName]; - self.keychainZone = [[FakeCKZone alloc] initZone: self.keychainZoneID]; - - [self.ckksZones addObject:self.keychainZoneID]; - - // Wait for the ViewManager to be brought up - XCTAssertEqual(0, [self.injectedManager.completedSecCKKSInitialize wait:4*NSEC_PER_SEC], "No timeout waiting for SecCKKSInitialize"); - - self.keychainView = [[CKKSViewManager manager] findView:@"keychain"]; - XCTAssertNotNil(self.keychainView, "CKKSViewManager created the keychain view"); - - // Check that your environment is set up correctly - XCTAssertFalse([CKKSManifest shouldSyncManifests], "Manifests syncing is disabled"); - XCTAssertFalse([CKKSManifest shouldEnforceManifests], "Manifests enforcement is disabled"); -} - -+ (void)tearDown { - [super tearDown]; - SecCKKSResetSyncing(); -} - -- (void)tearDown { - // Fetch status, to make sure we can - NSDictionary* status = [self.keychainView status]; - (void)status; - - [self.keychainView halt]; - [self.keychainView waitUntilAllOperationsAreFinished]; - - self.keychainView = nil; - self.keychainZoneID = nil; - - [super tearDown]; -} - -- (FakeCKZone*)keychainZone { - return self.zones[self.keychainZoneID]; -} - -- (void)setKeychainZone: (FakeCKZone*) zone { - self.zones[self.keychainZoneID] = zone; -} - +// break abstraction +@interface CKKSLockStateTracker () +@property (nullable) NSDate* lastUnlockedTime; @end @implementation CloudKitKeychainSyncingTests 
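Review bot: The class extension added under `// break abstraction` re-declares `lastUnlockedTime` on `CKKSLockStateTracker` inside the test file, so nothing ties it to the real declaration. If the property is renamed or its attributes change, this file still compiles and the tests that touch it fail only at run time. Presumably the tracker already holds this property privately; declaring it in a test-visible internal header that the implementation also imports would let the compiler catch the drift. At minimum, extend the comment to say which tests write the property and why they need to.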
@@ -137,7 +79,7 @@ [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID]; [self startCKKSSubsystem]; - XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:4*NSEC_PER_SEC], @"Key state should have arrived at ready"); + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], @"Key state should have arrived at ready"); [self addGenericPassword: @"data" account: @"account-delete-me"]; @@ -408,6 +350,10 @@ return true; }]; + NSError *error = NULL; + XCTAssertEqual([CKKSOutgoingQueueEntry countByState:SecCKKSStateInFlight zone:self.keychainZoneID error:&error], 1, + "Expected on inflight entry in outgoing queue: %@", error); + // When CKKS restarts, it should find and re-upload this item [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID checkItem:[self checkPasswordBlock:self.keychainZoneID account:account password:@"data"]]; 
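Review bot: In the second hunk on this line (`@@ -408,6 +350,10 @@`), the new failure message reads "Expected on inflight entry" where "one" is meant, and the `NSError*` out-parameter is initialised with `NULL` rather than `nil`. The assertion also folds two conditions together, since a database error and a wrong in-flight count both surface as a count mismatch. Consider adding `XCTAssertNil(error, "no error counting in-flight entries");` ahead of the count check, the way the `allUUIDs:` check in `testReceiveCloudKitConflictOnJustAddedItems` does. The enclosing test method starts and ends outside this hunk.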
@@ -784,6 +730,62 @@ [self.keychainView waitUntilAllOperationsAreFinished]; } +- (void)testReceiveCloudKitConflictOnJustAddedItems { + [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. + [self startCKKSSubsystem]; + + [self.keychainView waitForKeyHierarchyReadiness]; + [self.keychainView waitUntilAllOperationsAreFinished]; + + // Place a hold on processing the outgoing queue. + self.keychainView.holdOutgoingQueueOperation = [CKKSResultOperation named:@"outgoing-queue-hold" withBlock:^{ + secnotice("ckks", "Outgoing queue hold released."); + }]; + + [self addGenericPassword:@"localchange" account:@"account-delete-me"]; + + // Pull out the new item's UUID. + __block NSString* itemUUID = nil; + [self.keychainView dispatchSync:^bool { + NSError* error = nil; + NSArray* uuids = [CKKSOutgoingQueueEntry allUUIDs:self.keychainZoneID ?: [[CKRecordZoneID alloc] initWithZoneName:@"keychain" + ownerName:CKCurrentUserDefaultName] + error:&error]; + XCTAssertNil(error, "no error fetching uuids"); + XCTAssertEqual(uuids.count, 1u, "There's exactly one outgoing queue entry"); + itemUUID = uuids[0]; + + XCTAssertNotNil(itemUUID, "Have a UUID for our new item"); + return false; + }]; + + // Add a second item: this item should be uploaded after the failure of the first item + [self addGenericPassword:@"localchange" account:@"account-delete-me-2"]; + + [self.keychainZone addToZone: [self createFakeRecord: self.keychainZoneID recordName: itemUUID]]; + + // Also, this write will increment the class C current pointer's etag + CKRecordID* currentClassCID = [[CKRecordID alloc] initWithRecordName: @"classC" zoneID: self.keychainZoneID]; + CKRecord* currentClassC = self.keychainZone.currentDatabase[currentClassCID]; + XCTAssertNotNil(currentClassC, "Should have the class C current key pointer record"); + [self.keychainZone addCKRecordToZone:[currentClassC copy]]; + XCTAssertNotEqualObjects(currentClassC.etag, 
self.keychainZone.currentDatabase[currentClassCID].etag, "Etag should have changed"); + + [self expectCKAtomicModifyItemRecordsUpdateFailure: self.keychainZoneID]; + [self expectCKModifyItemRecords:1 currentKeyPointerRecords:1 zoneID:self.keychainZoneID + checkItem: [self checkClassCBlock:self.keychainZoneID message:@"Object was encrypted under class C key in hierarchy"]]; + + // Allow the outgoing queue operation to proceed + [self.operationQueue addOperation:self.keychainView.holdOutgoingQueueOperation]; + + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self.keychainView waitUntilAllOperationsAreFinished]; + + [self checkGenericPassword:@"data" account:@"account-delete-me"]; + [self checkGenericPassword:@"localchange" account:@"account-delete-me-2"]; +} + + -(void)testReceiveUnknownField { [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. @@ -994,7 +996,7 @@ [self startCKKSSubsystem]; // Should enter 'ready' - XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:180*NSEC_PER_SEC], @"Key state should become 'ready'"); + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], @"Key state should become 'ready'"); OCMVerifyAllWithDelay(self.mockDatabase, 8); // Now, lock and allow fetches again 
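Review bot: In `testReceiveCloudKitConflictOnJustAddedItems`, `itemUUID = uuids[0];` runs right after `XCTAssertEqual(uuids.count, 1u, …)`, and unless the base class sets `continueAfterFailure` to NO that assertion only records a failure. An empty array then raises a range exception inside the `dispatchSync:` block instead of producing a clean test failure. Using `itemUUID = uuids.firstObject;` keeps the following `XCTAssertNotNil(itemUUID, …)` as the reporting point, and the test should return early when `itemUUID` is nil rather than pass nil to `createFakeRecord:recordName:`. The final `checkGenericPassword:@"data" account:@"account-delete-me"` also deserves a comment: the item was added locally as `@"localchange"`, so the check presumably relies on the conflicting CloudKit record winning.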
@@ -1124,6 +1126,168 @@ OCMVerifyAllWithDelay(self.mockCKKSViewManager, 10); } +- (void)testResetCloudKitZoneFromNoTLK { + self.silentZoneDeletesAllowed = true; + + // If CKKS sees a zone it's never going to be able to read, it should reset that zone + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + // explicitly do not save a fake device status here + self.keychainZone.flag = true; + + // It'll eventually upload a new key hierarchy + [self expectCKModifyKeyRecords:3 currentKeyPointerRecords:3 tlkShareRecords:1 zoneID:self.keychainZoneID]; + + [self startCKKSSubsystem]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateResettingZone] wait:8*NSEC_PER_SEC], @"Key state should become 'resetzone'"); + + // But then, it'll fire off the reset and reach 'ready' + OCMVerifyAllWithDelay(self.mockDatabase, 8); + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], @"Key state should become 'ready'"); + + // And the zone should have been cleared and re-made + XCTAssertFalse(self.keychainZone.flag, "Zone flag should have been reset to false"); +} + +- (void)testResetCloudKitZoneFromNoTLKWithOtherWaitForTLKDevices { + self.silentZoneDeletesAllowed = true; + + // If CKKS sees a zone it's never going to be able to read, it should reset that zone + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + // Save a fake device status here, but modify its key state to be 'waitfortlk': it has no idea what the TLK is either + [self putFakeDeviceStatusInCloudKit:self.keychainZoneID]; + + for(CKRecord* record in self.keychainZone.currentDatabase.allValues) { + if([record.recordType isEqualToString:SecCKRecordDeviceStateType]) { + record[SecCKRecordKeyState] = CKKSZoneKeyToNumber(SecCKKSZoneKeyStateWaitForTLK); + } + } + + self.keychainZone.flag = true; + + // It'll eventually upload a new key hierarchy + [self expectCKModifyKeyRecords:3 currentKeyPointerRecords:3 tlkShareRecords:1 
zoneID:self.keychainZoneID]; + + [self startCKKSSubsystem]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateResettingZone] wait:8*NSEC_PER_SEC], @"Key state should become 'resetzone'"); + + // But then, it'll fire off the reset and reach 'ready' + OCMVerifyAllWithDelay(self.mockDatabase, 8); + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], @"Key state should become 'ready'"); + + // And the zone should have been cleared and re-made + XCTAssertFalse(self.keychainZone.flag, "Zone flag should have been reset to false"); +} + +- (void)testResetCloudKitZoneFromNoTLKIgnoringInactiveDevices { + self.silentZoneDeletesAllowed = true; + + // If CKKS sees a zone it's never going to be able to read, it should reset that zone + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + // Save a fake device status here, but modify its creation and modification times to be months ago + [self putFakeDeviceStatusInCloudKit:self.keychainZoneID]; + + // Put a 'in-circle' TLKShare record, but also modify its creation and modification times + CKKSSOSSelfPeer* untrustedPeer = [[CKKSSOSSelfPeer alloc] initWithSOSPeerID:@"untrusted-peer" + encryptionKey:[[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]] + signingKey:[[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]]]; + [self putTLKShareInCloudKit:self.keychainZoneKeys.tlk from:untrustedPeer to:untrustedPeer zoneID:self.keychainZoneID]; + + for(CKRecord* record in self.keychainZone.currentDatabase.allValues) { + if([record.recordType isEqualToString:SecCKRecordDeviceStateType] || [record.recordType isEqualToString:SecCKRecordTLKShareType]) { + record.creationDate = [NSDate distantPast]; + record.modificationDate = [NSDate distantPast]; + } + } + + self.keychainZone.flag = true; + + // It'll eventually upload a 
new key hierarchy + [self expectCKModifyKeyRecords:3 currentKeyPointerRecords:3 tlkShareRecords:1 zoneID:self.keychainZoneID]; + + [self startCKKSSubsystem]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateResettingZone] wait:8*NSEC_PER_SEC], @"Key state should become 'resetzone'"); + + // But then, it'll fire off the reset and reach 'ready' + OCMVerifyAllWithDelay(self.mockDatabase, 8); + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], @"Key state should become 'ready'"); + + // And the zone should have been cleared and re-made + XCTAssertFalse(self.keychainZone.flag, "Zone flag should have been reset to false"); +} + +- (void)testDoNotResetCloudKitZoneFromWaitForTLKDueToRecentDeviceState { + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + + // CKKS shouldn't reset this zone, due to a recent device status claiming to have TLKs + [self putFakeDeviceStatusInCloudKit:self.keychainZoneID]; + + NSDateComponents* offset = [[NSDateComponents alloc] init]; + [offset setDay:-5]; + NSDate* updateTime = [[NSCalendar currentCalendar] dateByAddingComponents:offset toDate:[NSDate date] options:0]; + for(CKRecord* record in self.keychainZone.currentDatabase.allValues) { + if([record.recordType isEqualToString:SecCKRecordDeviceStateType] || [record.recordType isEqualToString:SecCKRecordTLKShareType]) { + record.creationDate = updateTime; + record.modificationDate = updateTime; + } + } + + self.keychainZone.flag = true; + [self startCKKSSubsystem]; + + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForTLK] wait:8*NSEC_PER_SEC], @"Key state should become 'waitfortlk'"); + + XCTAssertTrue(self.keychainZone.flag, "Zone flag should not have been reset to false"); +} + +- (void)testDoNotCloudKitZoneFromWaitForTLKDueToRecentButUntrustedDeviceState { + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + + // CKKS should reset this zone, even 
though to a recent device status claiming to have TLKs. The device isn't trusted + self.silentZoneDeletesAllowed = true; + [self putFakeDeviceStatusInCloudKit:self.keychainZoneID]; + [self.currentPeers removeObject:self.remoteSOSOnlyPeer]; + + self.keychainZone.flag = true; + [self startCKKSSubsystem]; + + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForTLK] wait:8*NSEC_PER_SEC], @"Key state should become 'waitfortlk'"); + XCTAssertTrue(self.keychainZone.flag, "Zone flag should not have been reset to false"); + + // And ensure it doesn't go on to 'reset' + XCTAssertNotEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateResettingZone] wait:100*NSEC_PER_MSEC], @"Key state should not become 'resetzone'"); +} + +- (void)testResetCloudKitZoneFromWaitForTLKDueToLessRecentAndUntrustedDeviceState { + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + + // CKKS should reset this zone, even though to a recent device status claiming to have TLKs. 
The device isn't trusted + self.silentZoneDeletesAllowed = true; + [self putFakeDeviceStatusInCloudKit:self.keychainZoneID]; + [self.currentPeers removeObject:self.remoteSOSOnlyPeer]; + + NSDateComponents* offset = [[NSDateComponents alloc] init]; + [offset setDay:-5]; + NSDate* updateTime = [[NSCalendar currentCalendar] dateByAddingComponents:offset toDate:[NSDate date] options:0]; + for(CKRecord* record in self.keychainZone.currentDatabase.allValues) { + if([record.recordType isEqualToString:SecCKRecordDeviceStateType] || [record.recordType isEqualToString:SecCKRecordTLKShareType]) { + record.creationDate = updateTime; + record.modificationDate = updateTime; + } + } + + self.keychainZone.flag = true; + [self expectCKModifyKeyRecords:3 currentKeyPointerRecords:3 tlkShareRecords:1 zoneID:self.keychainZoneID]; + [self startCKKSSubsystem]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateResettingZone] wait:8*NSEC_PER_SEC], @"Key state should become 'resetzone'"); + + // Then we should reset. + OCMVerifyAllWithDelay(self.mockDatabase, 8); + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], @"Key state should become 'ready'"); + + // And the zone should have been cleared and re-made + XCTAssertFalse(self.keychainZone.flag, "Zone flag should have been reset to false"); +} + - (void)testAcceptExistingKeyHierarchy { // Test starts with no keys in CKKS database, but one in our fake CloudKit. // Test also begins with the TLK having arrived in the local keychain (via SOS) 
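Review bot: `testDoNotCloudKitZoneFromWaitForTLKDueToRecentButUntrustedDeviceState` asserts that the zone is not reset (the flag stays true and `SecCKKSZoneKeyStateResettingZone` is not reached), but its leading comment says "CKKS should reset this zone" and it sets `self.silentZoneDeletesAllowed = true`, which by its name would let an unexpected zone deletion pass through the mock without complaint. These tests pin down when a device may wipe the CloudKit zone on the strength of device-state records from peers it does not trust. The comment should therefore state the intended policy (a recent record from an untrusted device still blocks the reset, and only an older one permits it, as the following test shows), and the silent-delete allowance should be dropped from the do-not-reset case. The method name is also missing "Reset". Finally, the 100 ms negative wait only shows the reset did not start immediately, and `testDoNotResetCloudKitZoneFromWaitForTLKDueToRecentDeviceState` has no negative check on `SecCKKSZoneKeyStateResettingZone` at all.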
@@ -1162,6 +1326,9 @@ - (void)testAcceptExistingAndUseKeyHierarchy { // Test starts with nothing in database, but one in our fake CloudKit. [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self putFakeDeviceStatusInCloudKit:self.keychainZoneID]; + // But, CKKS shouldn't ever reset the zone + self.keychainZone.flag = true; [self startCKKSSubsystem]; XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForTLK] wait:5*NSEC_PER_SEC], "Key state should have become waitfortlk"); @@ -1187,6 +1354,7 @@ expecting:errSecSuccess message:@"Adding class A item"]; OCMVerifyAllWithDelay(self.mockDatabase, 8); + XCTAssertTrue(self.keychainZone.flag, "Keychain zone shouldn't have been reset"); } - (void)testAcceptExistingKeyHierarchyDespiteLocked { @@ -1259,7 +1427,7 @@ XCTAssertNotNil(self.keychainZoneKeys.classA, "Have class A key for zone"); XCTAssertNotNil(self.keychainZoneKeys.classC, "Have class C key for zone"); - [self.keychainView dispatchSync: ^bool { + [self.keychainView dispatchSyncWithAccountKeys: ^bool { [self.keychainView _onqueueKeyStateMachineRequestProcess]; return true; }]; @@ -1342,6 +1510,14 @@ // Make life easy on this test; testAcceptKeyConflictAndUploadReencryptedItem will check the case when we don't receive the notification [self.keychainView waitForFetchAndIncomingQueueProcessing]; + // Just in extra case of threading issues, force a reexamination of the key hierarchy + [self.keychainView dispatchSyncWithAccountKeys: ^bool { + [self.keychainView _onqueueAdvanceKeyStateMachineToState: nil withError: nil]; + return true; + }]; + + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], @"Key state should become 'ready'"); + // Verify that there are six local keys, and three local current key records [self.keychainView dispatchSync: ^bool{ __strong __typeof(weakSelf) strongSelf = weakSelf; 
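Review bot: In the last hunk on this line (`@@ -1342,6 +1510,14 @@`), the added block calls `_onqueueAdvanceKeyStateMachineToState: nil withError: nil` by hand "in extra case of threading issues", so this test can no longer detect the case where CKKS fails to re-examine the key hierarchy on its own after `waitForFetchAndIncomingQueueProcessing`. If the race exists only in the test harness, the comment should name its cause; if it can occur in the daemon, the forced kick masks it and the new `SecCKKSZoneKeyStateReady` wait would pass regardless. A comment along the lines of `// Test-only kick: <cause of the race>; production re-examines the hierarchy via <path>` would make the intent reviewable. The enclosing test method starts and ends outside this hunk.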
@@ -1419,6 +1595,46 @@ OCMVerifyAllWithDelay(self.mockDatabase, 8); } +- (void)testAcceptKeyConflictAndUploadReencryptedItems { + // Test starts with no keys in database, a key hierarchy in our fake CloudKit, and the TLK safely in the local keychain. + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self expectCKKSTLKSelfShareUpload:self.keychainZoneID]; + [self saveTLKMaterialToKeychain:self.keychainZoneID]; + + [self startCKKSSubsystem]; + [self.keychainView waitUntilAllOperationsAreFinished]; + + // We expect a single record to be uploaded. + [self expectCKModifyItemRecords:1 currentKeyPointerRecords:1 zoneID:self.keychainZoneID + checkItem:[self checkClassCBlock:self.keychainZoneID message:@"Object was encrypted under class C key in hierarchy"]]; + + [self addGenericPassword: @"data" account: @"account-delete-me"]; + + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForCKModifications]; + + [self rollFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + + // Do not trigger a notification here. This should cause a conflict updating the current key records + + // We expect a single record to be uploaded, but that the write will be rejected + // We then expect that item to be reuploaded with the current key + + [self expectCKAtomicModifyItemRecordsUpdateFailure: self.keychainZoneID]; + [self addGenericPassword: @"data" account: @"account-delete-me-rolled-key"]; + [self addGenericPassword: @"data" account: @"account-delete-me-rolled-key-2"]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + + [self expectCKModifyItemRecords:2 currentKeyPointerRecords:1 zoneID:self.keychainZoneID + checkItem:[self checkClassCBlock:self.keychainZoneID message:@"Object was encrypted under rolled class C key in hierarchy"]]; + + // New key arrives via SOS! 
+ [self expectCKKSTLKSelfShareUpload:self.keychainZoneID]; + [self saveTLKMaterialToKeychainSimulatingSOS:self.keychainZoneID]; + + OCMVerifyAllWithDelay(self.mockDatabase, 8); +} + - (void)testRecoverFromRequestKeyRefetchWithoutRolling { // Simply requesting a key state refetch shouldn't roll the key hierarchy. @@ -1439,7 +1655,7 @@ self.silentFetchesAllowed = false; [self expectCKFetch]; - [self.keychainView dispatchSync: ^bool { + [self.keychainView dispatchSyncWithAccountKeys: ^bool { [self.keychainView _onqueueKeyStateMachineRequestFetch]; return true; }]; 
@@ -1481,6 +1697,45 @@ OCMVerifyAllWithDelay(self.mockDatabase, 8); } +- (void)testRecoverMultipleItemsFromIncrementedCurrentKeyPointerEtag { + // CloudKit sometimes reports the current key pointers have changed (etag mismatch), but their content hasn't. + // In this case, CKKS shouldn't roll the TLK. + [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. + + // Spin up CKKS subsystem. + [self startCKKSSubsystem]; + [self.keychainView waitForFetchAndIncomingQueueProcessing]; // just to be sure it's fetched + + // Items should upload. + [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID]; + [self addGenericPassword: @"data" account: @"account-delete-me"]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + + [self waitForCKModifications]; + + // Bump the etag on the class C current key record, but don't change any data + CKRecordID* currentClassCID = [[CKRecordID alloc] initWithRecordName: @"classC" zoneID: self.keychainZoneID]; + CKRecord* currentClassC = self.keychainZone.currentDatabase[currentClassCID]; + XCTAssertNotNil(currentClassC, "Should have the class C current key pointer record"); + + [self.keychainZone addCKRecordToZone:[currentClassC copy]]; + XCTAssertNotEqualObjects(currentClassC.etag, self.keychainZone.currentDatabase[currentClassCID].etag, "Etag should have changed"); + + // Add another item. This write should fail, then CKKS should recover without rolling the key hierarchy or issuing a fetch. 
+ self.keychainView.holdOutgoingQueueOperation = [CKKSGroupOperation named:@"outgoing-hold" withBlock: ^{ + secnotice("ckks", "releasing outgoing-queue hold"); + }]; + + self.silentFetchesAllowed = false; + [self expectCKAtomicModifyItemRecordsUpdateFailure:self.keychainZoneID]; + [self expectCKModifyItemRecords:2 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID]; + [self addGenericPassword: @"data" account: @"account-delete-me-2"]; + [self addGenericPassword: @"data" account: @"account-delete-me-3"]; + + [self.operationQueue addOperation: self.keychainView.holdOutgoingQueueOperation]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); +} + - (void)testOnboardOldItemsCreatingKeyHierarchy { // In this test, we'll check if the CKKS subsystem will pick up a keychain item which existed before the key hierarchy, both with and without a UUID attached at item creation @@ -1541,6 +1796,8 @@ - (void)testOnboardOldItemsWithExistingKeyHierarchyLateTLK { // Test starts key hierarchy in our fake CloudKit, and CKKS blocked. [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self putFakeDeviceStatusInCloudKit:self.keychainZoneID]; + self.keychainZone.flag = true; // Add one item without a UUID... SecCKKSTestSetDisableAutomaticUUID(true); @@ -1564,6 +1821,7 @@ [self expectCKModifyItemRecords: 2 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID checkItem: [self checkClassCBlock:self.keychainZoneID message:@"Object was encrypted under class C key in hierarchy"]]; OCMVerifyAllWithDelay(self.mockDatabase, 8); + XCTAssertTrue(self.keychainZone.flag, "Keychain zone shouldn't have been reset"); } - (void)testResync { 
@@ -1595,7 +1853,7 @@ OCMVerifyAllWithDelay(self.mockDatabase, 8); [self waitForCKModifications]; // One TLK share record - XCTAssertEqual(self.keychainZone.currentDatabase.count, SYSTEM_DB_RECORD_COUNT+passwordCount+1, "Have 6+passwordCount objects in cloudkit"); + XCTAssertEqual(self.keychainZone.currentDatabase.count, SYSTEM_DB_RECORD_COUNT+passwordCount+1, "Have SYSTEM_DB_RECORD_COUNT+passwordCount+1 objects in cloudkit"); // Now, corrupt away! // Extract all passwordCount items for Corruption 
@@ -1724,34 +1982,120 @@ return true; }]; } -- (void)testResyncLocal { - [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; - [self expectCKKSTLKSelfShareUpload:self.keychainZoneID]; - [self saveTLKMaterialToKeychain:self.keychainZoneID]; +- (void)testResyncItemsMissingFromLocalKeychain { + [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. + + // We want: + // one password correctly synced between local keychain and CloudKit + // one password incorrectly disappeared from local keychain, but in mirror table + // one password sitting in the outgoing queue + // one password sitting in the incoming queue + + // Add and sync two passwords [self addGenericPassword: @"data" account: @"first"]; [self addGenericPassword: @"data" account: @"second"]; - NSUInteger passwordCount = 2u; - [self expectCKModifyItemRecords: passwordCount currentKeyPointerRecords: 1 zoneID:self.keychainZoneID]; - [self startCKKSSubsystem]; + [self checkGenericPassword: @"data" account: @"first"]; + [self checkGenericPassword: @"data" account: @"second"]; - // Wait for uploads to happen + [self expectCKModifyItemRecords:2 currentKeyPointerRecords:1 zoneID:self.keychainZoneID]; + [self startCKKSSubsystem]; OCMVerifyAllWithDelay(self.mockDatabase, 8); [self waitForCKModifications]; + [self.keychainView waitForFetchAndIncomingQueueProcessing]; - // Local resyncs shouldn't fetch clouds. - self.silentFetchesAllowed = false; - SecCKKSDisable(); - [self deleteGenericPassword:@"first"]; - [self deleteGenericPassword:@"second"]; - SecCKKSEnable(); + // Now, place an item in the outgoing queue - // And they're gone! - [self findGenericPassword:@"first" expecting:errSecItemNotFound]; - [self findGenericPassword:@"second" expecting:errSecItemNotFound]; + //[self addGenericPassword: @"data" account: @"third"]; + //[self checkGenericPassword: @"data" account: @"third"]; - CKKSLocalSynchronizeOperation* op = [self.keychainView resyncLocal]; + // Now, corrupt away! 
+ // Extract all passwordCount items for Corruption + NSArray* items = [self.keychainZone.currentDatabase.allValues filteredArrayUsingPredicate: [NSPredicate predicateWithFormat:@"self.recordType like %@", SecCKRecordItemType]]; + XCTAssertEqual(items.count, 2u, "Have %lu Items in cloudkit", (unsigned long)2u); + + // For the first record, surreptitiously remove from local keychain + CKRecord* remove = items[0]; + NSString* removeAccount = [[self decryptRecord:remove] objectForKey:(__bridge id)kSecAttrAccount]; + XCTAssertNotNil(removeAccount, "received an account for the local delete object"); + + NSURL* kcpath = (__bridge_transfer NSURL*)SecCopyURLForFileInKeychainDirectory((__bridge CFStringRef)@"keychain-2-debug.db"); + sqlite3* db; + sqlite3_open([[kcpath path] UTF8String], &db); + NSString* query = [NSString stringWithFormat:@"DELETE FROM genp WHERE uuid=\"%@\"", remove.recordID.recordName]; + char* sqlerror = NULL; + XCTAssertEqual(SQLITE_OK, sqlite3_exec(db, [query UTF8String], NULL, NULL, &sqlerror), "SQL deletion shouldn't error"); + XCTAssertTrue(sqlerror == NULL, "No error string should have been returned: %s", sqlerror); + if(sqlerror) { + sqlite3_free(sqlerror); + sqlerror = NULL; + } + sqlite3_close(db); + + // The second record is kept in-sync + + // Now, add an in-flight change (for record 3) + [self holdCloudKitModifications]; + [self expectCKModifyItemRecords:1 currentKeyPointerRecords:1 zoneID:self.keychainZoneID]; + [self addGenericPassword:@"data" account:@"third"]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + + // For the fourth, add a new record but prevent incoming queue processing + self.keychainView.holdIncomingQueueOperation = [CKKSResultOperation named:@"hold-incoming" withBlock:^{}]; + + CKRecord* ckr = [self createFakeRecord: self.keychainZoneID recordName:@"7B598D31-F9C5-481E-98AC-5A507ACB2D85" withAccount:@"fourth"]; + [self.keychainZone addToZone:ckr]; + [self.keychainView notifyZoneChange:nil]; + + // Now, where are we.... 
+ CKKSScanLocalItemsOperation* scanLocal = [self.keychainView scanLocalItems:@"test-scan"]; + [scanLocal waitUntilFinished]; + + XCTAssertEqual(scanLocal.missingLocalItemsFound, 1u, "Should have found one missing item"); + + // Allow everything to proceed + [self releaseCloudKitModificationHold]; + [self.operationQueue addOperation:self.keychainView.holdIncomingQueueOperation]; + + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self.keychainView waitForOperationsOfClass:[CKKSIncomingQueueOperation class]]; + + // And ensure that all four items are present again + [self findGenericPassword: @"first" expecting: errSecSuccess]; + [self findGenericPassword: @"second" expecting: errSecSuccess]; + [self findGenericPassword: @"third" expecting: errSecSuccess]; + [self findGenericPassword: @"fourth" expecting: errSecSuccess]; +} + +- (void)testResyncLocal { + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self expectCKKSTLKSelfShareUpload:self.keychainZoneID]; + [self saveTLKMaterialToKeychain:self.keychainZoneID]; + + [self addGenericPassword: @"data" account: @"first"]; + [self addGenericPassword: @"data" account: @"second"]; + NSUInteger passwordCount = 2u; + + [self expectCKModifyItemRecords: passwordCount currentKeyPointerRecords: 1 zoneID:self.keychainZoneID]; + [self startCKKSSubsystem]; + + // Wait for uploads to happen + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForCKModifications]; + + // Local resyncs shouldn't fetch clouds. + self.silentFetchesAllowed = false; + SecCKKSDisable(); + [self deleteGenericPassword:@"first"]; + [self deleteGenericPassword:@"second"]; + SecCKKSEnable(); + + // And they're gone! + [self findGenericPassword:@"first" expecting:errSecItemNotFound]; + [self findGenericPassword:@"second" expecting:errSecItemNotFound]; + + CKKSLocalSynchronizeOperation* op = [self.keychainView resyncLocal]; [op waitUntilFinished]; XCTAssertNil(op.error, "Shouldn't be an error resyncing locally"); 
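Review bot: The direct database edit in testResyncItemsMissingFromLocalKeychain ignores the result of `sqlite3_open`, so a failed open carries on into `sqlite3_exec` with an unusable handle and the test fails with a misleading message. The DELETE is also built with `stringWithFormat:` and wraps the record name in double quotes, which SQLite resolves as an identifier first and only then falls back to a string literal; a prepared statement with a bound parameter avoids both the quoting and the string building. Checking `sqlite3_changes` would confirm that a row was actually removed, not just that the statement ran (the sketch below assumes `uuid` is a text column, as the original comparison suggests). Separately, the message `"Have %lu Items in cloudkit"` prints the constant 2 instead of `items.count`, and the two commented-out `addGenericPassword`/`checkGenericPassword` lines for `third` can be dropped.

```objective-c
    NSURL* kcpath = (__bridge_transfer NSURL*)SecCopyURLForFileInKeychainDirectory((__bridge CFStringRef)@"keychain-2-debug.db");
    sqlite3* db = NULL;
    XCTAssertEqual(SQLITE_OK, sqlite3_open([[kcpath path] UTF8String], &db), "Should be able to open the keychain db");

    sqlite3_stmt* stmt = NULL;
    XCTAssertEqual(SQLITE_OK, sqlite3_prepare_v2(db, "DELETE FROM genp WHERE uuid=?", -1, &stmt, NULL), "SQL deletion should prepare");
    XCTAssertEqual(SQLITE_OK, sqlite3_bind_text(stmt, 1, [remove.recordID.recordName UTF8String], -1, SQLITE_TRANSIENT), "uuid should bind");
    XCTAssertEqual(SQLITE_DONE, sqlite3_step(stmt), "SQL deletion shouldn't error");
    XCTAssertEqual(1, sqlite3_changes(db), "Exactly one genp row should have been removed");
    sqlite3_finalize(stmt);
    sqlite3_close(db);

    // … unchanged: in-flight change for record 3, held incoming queue, scanLocalItems …
```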
@@ -1792,7 +2136,7 @@ CFErrorRef cfcferror = NULL; bool ret = SecServerImportKeychainInPlist(dbt, SecSecurityClientGet(), KEYBAG_NONE, KEYBAG_NONE, - (__bridge CFDictionaryRef)@{}, kSecBackupableItemFilter, &cfcferror); + (__bridge CFDictionaryRef)@{}, kSecBackupableItemFilter, false, &cfcferror); XCTAssertNil(CFBridgingRelease(cfcferror), "Shouldn't error importing a 'backup'"); XCTAssert(ret, "Importing a 'backup' should have succeeded"); @@ -1800,15 +2144,15 @@ }); XCTAssertNil(CFBridgingRelease(cferror), "Shouldn't error mucking about in the db"); - // And they're gone! - [self findGenericPassword:@"first" expecting:errSecItemNotFound]; - [self findGenericPassword:@"second" expecting:errSecItemNotFound]; + // Restore is additive so original items stick around + [self findGenericPassword:@"first" expecting:errSecSuccess]; + [self findGenericPassword:@"second" expecting:errSecSuccess]; // Allow the local resync to continue... [self.operationQueue addOperation:self.keychainView.holdLocalSynchronizeOperation]; [self.keychainView waitForOperationsOfClass:[CKKSLocalSynchronizeOperation class]]; - // And they're back! + // Items are still here! [self checkGenericPassword: @"data" account: @"first"]; [self checkGenericPassword: @"data" account: @"second"]; } 
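Review bot: With the restore now treated as additive, `first` and `second` are present both before and after the held local resync is released, so the closing `checkGenericPassword` calls no longer show that the resync did anything; they would pass if it were a no-op. If the intent is only to show that a resync racing with a restore leaves existing items intact, say so at the final check, e.g. `// Restore is additive, so this only verifies the resync did not remove or alter the items`. Otherwise the test needs a state that differs before and after the resync. The start of this test lies outside the hunk, so earlier assertions may already cover part of this.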
@@ -2268,16 +2612,17 @@ [self findGenericPassword: @"account0" expecting:errSecSuccess]; } -- (void)disabledtestRecoverDeletedTLKAndPause { - // If the TLK disappears halfway through, well, that's no good. But we should make it into waitfortlk. +- (void)testRecoverDeletedTLK { + // If the TLK disappears halfway through, well, that's no good. But we should recover using TLK sharing // Test starts with nothing in database. We expect some sort of TLK/key hierarchy upload. [self expectCKModifyKeyRecords: 3 currentKeyPointerRecords: 3 tlkShareRecords: 1 zoneID:self.keychainZoneID]; [self startCKKSSubsystem]; - [self.keychainView waitForKeyHierarchyReadiness]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], "Key state should have returned to ready"); - [self.keychainView waitForFetchAndIncomingQueueProcessing]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForCKModifications]; CKRecord* ckr = [self createFakeRecord: self.keychainZoneID recordName:@"7B598D31-F9C5-481E-98AC-5A507ACB2D85" withAccount:@"account0"]; [self.keychainView waitUntilAllOperationsAreFinished]; @@ -2288,14 +2633,8 @@ (id)kSecClass : (id)kSecClassInternetPassword, (id)kSecAttrNoLegacy : @YES, (id)kSecAttrAccessGroup : @"com.apple.security.ckks", - (id)kSecAttrSynchronizable : (id)kCFBooleanFalse, - }), @"Deleting local keys"); - XCTAssertEqual(errSecSuccess, SecItemDelete((__bridge CFDictionaryRef)@{ - (id)kSecClass : (id)kSecClassInternetPassword, - (id)kSecAttrNoLegacy : @YES, - (id)kSecAttrAccessGroup : @"com.apple.security.ckks", - (id)kSecAttrSynchronizable : (id)kCFBooleanTrue, - }), @"Deleting TLK"); + (id)kSecAttrSynchronizable : (id)kSecAttrSynchronizableAny, + }), @"Deleting CKKS keys"); SecCKKSTestSetDisableKeyNotifications(false); // Trigger a notification (with hilariously fake data) 
@@ -2303,9 +2642,107 @@ [self.keychainView notifyZoneChange:nil]; [self.keychainView waitForFetchAndIncomingQueueProcessing]; - [self.keychainView waitForOperationsOfClass:[CKKSHealKeyHierarchyOperation class]]; - XCTAssertEqualObjects(self.keychainView.keyHierarchyState, SecCKKSZoneKeyStateWaitForTLK, "CKKS re-entered waitfortlk"); + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], "Key state should return to 'ready'"); + + [self.keychainView waitForFetchAndIncomingQueueProcessing]; // Do this again, to allow for non-atomic key state machinery switching + + [self findGenericPassword: @"account0" expecting:errSecSuccess]; +} + +- (void)testRecoverMissingRolledKey { + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + + NSString* accountShouldExist = @"under-rolled-key"; + NSString* accountWillExist = @"under-rolled-key-later"; + CKRecord* ckr = [self createFakeRecord:self.keychainZoneID recordName:@"7B598D31-F9C5-481E-98AC-5A507ACB2D85" withAccount:accountShouldExist]; + [self.keychainZone addToZone: ckr]; + + CKRecord* ckrAddedLater = [self createFakeRecord:self.keychainZoneID recordName:@"7B598D31-F9C5-481E-98AC-5A507ACB2D85" withAccount:accountWillExist]; + CKKSKey* pastClassCKey = self.keychainZoneKeys.classC; + + [self rollFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self saveTLKMaterialToKeychain:self.keychainZoneID]; + + [self expectCKKSTLKSelfShareUpload:self.keychainZoneID]; + + [self startCKKSSubsystem]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], "Key state should have returned to ready"); + + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForCKModifications]; + + [self.keychainView waitForOperationsOfClass:[CKKSIncomingQueueOperation class]]; + [self findGenericPassword:accountShouldExist expecting:errSecSuccess]; + [self findGenericPassword:accountWillExist expecting:errSecItemNotFound]; + + // Now, find 
and delete the class C key that ckrAddedLater is under + NSError* error = nil; + XCTAssertTrue([pastClassCKey deleteKeyMaterialFromKeychain:&error], "Should be able to delete old key material from keychain"); + XCTAssertNil(error, "Should be no error deleting old key material from keychain"); + + [self.keychainZone addToZone:ckrAddedLater]; + [self.keychainView waitForFetchAndIncomingQueueProcessing]; + + [self findGenericPassword:accountShouldExist expecting:errSecSuccess]; + [self findGenericPassword:accountWillExist expecting:errSecSuccess]; + + XCTAssertTrue([pastClassCKey loadKeyMaterialFromKeychain:&error], "Class C key should be back in the keychain"); + XCTAssertNil(error, "Should be no error loading key from keychain"); +} + +- (void)testRecoverMissingRolledClassAKeyWhileLocked { + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + + NSString* accountShouldExist = @"under-rolled-key"; + NSString* accountWillExist = @"under-rolled-key-later"; + CKRecord* ckr = [self createFakeRecord:self.keychainZoneID recordName:@"7B598D31-F9C5-481E-98AC-5A507ACB2D85" withAccount:accountShouldExist key:self.keychainZoneKeys.classA]; + [self.keychainZone addToZone: ckr]; + + CKRecord* ckrAddedLater = [self createFakeRecord:self.keychainZoneID recordName:@"7B598D31-F9C5-481E-98AC-5A507ACB2D85" withAccount:accountWillExist key:self.keychainZoneKeys.classA]; + CKKSKey* pastClassAKey = self.keychainZoneKeys.classA; + + [self rollFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self saveTLKMaterialToKeychain:self.keychainZoneID]; + + [self expectCKKSTLKSelfShareUpload:self.keychainZoneID]; + + [self startCKKSSubsystem]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], "Key state should have returned to ready"); + + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForCKModifications]; + + [self.keychainView waitForOperationsOfClass:[CKKSIncomingQueueOperation class]]; + [self 
findGenericPassword:accountShouldExist expecting:errSecSuccess]; + [self findGenericPassword:accountWillExist expecting:errSecItemNotFound]; + + // Now, find and delete the class C key that ckrAddedLater is under + NSError* error = nil; + XCTAssertTrue([pastClassAKey deleteKeyMaterialFromKeychain:&error], "Should be able to delete old key material from keychain"); + XCTAssertNil(error, "Should be no error deleting old key material from keychain"); + + // now, lock the keychain + self.aksLockState = true; + [self.lockStateTracker recheck]; + + [self.keychainZone addToZone:ckrAddedLater]; + [self.keychainView waitForFetchAndIncomingQueueProcessing]; + + // Item should still not exist due to the lock state.... + [self findGenericPassword:accountShouldExist expecting:errSecSuccess]; + [self findGenericPassword:accountWillExist expecting:errSecItemNotFound]; + + self.aksLockState = false; + [self.lockStateTracker recheck]; + + // And now it does + [self.keychainView waitUntilAllOperationsAreFinished]; + [self findGenericPassword:accountShouldExist expecting:errSecSuccess]; + [self findGenericPassword:accountWillExist expecting:errSecSuccess]; + + XCTAssertTrue([pastClassAKey loadKeyMaterialFromKeychain:&error], "Class A key should be back in the keychain"); + XCTAssertNil(error, "Should be no error loading key from keychain"); } - (void)testRecoverFromBadCurrentKeyPointer { 
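Review bot: In testRecoverMissingRolledClassAKeyWhileLocked the comment `// Now, find and delete the class C key that ckrAddedLater is under` was carried over from testRecoverMissingRolledKey, but the code below it deletes `pastClassAKey`; it should read `// Now, find and delete the class A key that ckrAddedLater is under`. In both new tests `ckr` and `ckrAddedLater` are created with the same recordName and different accounts. If the second record is meant to share the first one's record ID, the later `findGenericPassword:accountShouldExist expecting:errSecSuccess` deserves a comment explaining why the first account is still expected; otherwise the second record should get its own name.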
@@ -2332,10 +2769,56 @@ OCMVerifyAllWithDelay(self.mockDatabase, 8); } +- (void)testRecoverFromIncorrectCurrentTLKPointer { + // The current key pointers in cloudkit shouldn't ever point to wrong entries. But, if they do, CKKS must recover. + + // Test starts with a rolled hierarchy, and CKPs pointing to the wrong items + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self saveTLKMaterialToKeychain:self.keychainZoneID]; + + CKKSCurrentKeyPointer* oldTLKCKP = self.keychainZoneKeys.currentTLKPointer; + CKRecord* oldTLKPointer = [self.keychainZone.currentDatabase[self.keychainZoneKeys.currentTLKPointer.storedCKRecord.recordID] copy]; + + [self rollFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self saveTLKMaterialToKeychain:self.keychainZoneID]; + + ZoneKeys* newZoneKeys = [self.keychainZoneKeys copy]; + + // And put the oldTLKPointer back + [self.zones[self.keychainZoneID] addToZone:oldTLKPointer]; + self.keychainZoneKeys.currentTLKPointer = oldTLKCKP; + + // Make sure it stuck: + XCTAssertNotEqualObjects(self.keychainZoneKeys.currentTLKPointer, + newZoneKeys.currentTLKPointer, + "current TLK pointer should now not point to proper TLK"); + + // Spin up CKKS subsystem. 
+ [self startCKKSSubsystem]; + + // The CKKS subsystem should figure out the issue, and fix it (while uploading itself a TLK Share) + [self expectCKModifyKeyRecords:0 currentKeyPointerRecords:3 tlkShareRecords:1 zoneID:self.keychainZoneID]; + + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:80*NSEC_PER_SEC], "Key state should have become ready"); + + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForCKModifications]; + + XCTAssertEqualObjects(self.keychainZoneKeys.currentTLKPointer, + newZoneKeys.currentTLKPointer, + "current TLK pointer should now point to proper TLK"); + XCTAssertEqualObjects(self.keychainZoneKeys.currentClassAPointer, + newZoneKeys.currentClassAPointer, + "current Class A pointer should now point to proper Class A key"); + XCTAssertEqualObjects(self.keychainZoneKeys.currentClassCPointer, + newZoneKeys.currentClassCPointer, + "current Class C pointer should now point to proper Class C key"); +} - (void)testRecoverFromCloudKitFetchFail { // Test starts with nothing in database, but one in our fake CloudKit. [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self putFakeDeviceStatusInCloudKit:self.keychainZoneID]; // The first two CKRecordZoneChanges should fail with a 'network unavailable' error. [self.keychainZone failNextFetchWith:[[NSError alloc] initWithDomain:CKErrorDomain code:CKErrorNetworkUnavailable userInfo:@{}]]; 
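Review bot: In testRecoverFromIncorrectCurrentTLKPointer the `expectCKModifyKeyRecords:0 currentKeyPointerRecords:3 tlkShareRecords:1` expectation is registered after `[self startCKKSSubsystem]`, whereas the other tests in this diff register their expectations first. If CKKS reaches the upload before the expectation exists, the outcome presumably depends on timing, so the two statements should be swapped. The wait on `SecCKKSZoneKeyStateReady` also uses `80*NSEC_PER_SEC` where the other added tests use `8*NSEC_PER_SEC`, and the same tenfold value appears as `OCMVerifyAllWithDelay(self.mockDatabase, 80)` in testRecoverFromCloudKitZoneNotFoundWithoutZoneDeletion further down. If the longer timeouts are deliberate, a comment should say why; if they are debugging leftovers, restore 8.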
@@ -2363,9 +2846,72 @@ OCMVerifyAllWithDelay(self.mockDatabase, 8); } +- (void)testRecoverFromCloudKitFetchNetworkFailAfterReady { + // Test starts with nothing in database, but one in our fake CloudKit. + [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. + + // Spin up CKKS subsystem. + [self startCKKSSubsystem]; + + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], "CKKS entered ready"); + XCTAssertEqualObjects(self.keychainView.keyHierarchyState, SecCKKSZoneKeyStateReady, "CKKS entered ready"); + + // Network is unavailable + self.reachabilityFlags = 0; + [self.reachabilityTracker recheck]; + + CKRecord* ckr = [self createFakeRecord: self.keychainZoneID recordName:@"7B598D31-F9C5-481E-98AC-5A507ACB2D85"]; + [self.keychainZone addToZone:ckr]; + + [self findGenericPassword:@"account-delete-me" expecting:errSecItemNotFound]; + + // Say network is available + self.reachabilityFlags = kSCNetworkReachabilityFlagsReachable; + [self.reachabilityTracker recheck]; + + [self.keychainView waitForFetchAndIncomingQueueProcessing]; + + [self findGenericPassword:@"account-delete-me" expecting:errSecSuccess]; +} + +- (void)testRecoverFromCloudKitFetchNetworkFailBeforeReady { + // Test starts with nothing in database, but one in our fake CloudKit. + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + + CKRecord* ckr = [self createFakeRecord: self.keychainZoneID recordName:@"7B598D31-F9C5-481E-98AC-5A507ACB2D85"]; + [self.keychainZone addToZone:ckr]; + + // Network is unavailable + self.reachabilityFlags = 0; + [self.reachabilityTracker recheck]; + + // Spin up CKKS subsystem. 
+ [self startCKKSSubsystem]; + + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateInitializing] wait:8*NSEC_PER_SEC], "CKKS entered initializing"); + XCTAssertEqualObjects(self.keychainView.keyHierarchyState, SecCKKSZoneKeyStateInitializing, "CKKS entered initializing"); + + // Now, save the TLK to the keychain (to simulate it coming in later via SOS). + [self expectCKKSTLKSelfShareUpload:self.keychainZoneID]; + [self saveTLKMaterialToKeychainSimulatingSOS:self.keychainZoneID]; + + [self findGenericPassword:@"account-delete-me" expecting:errSecItemNotFound]; + + // Say network is available + self.reachabilityFlags = kSCNetworkReachabilityFlagsReachable; + [self.reachabilityTracker recheck]; + + [self.keychainView waitUntilAllOperationsAreFinished]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + + [self findGenericPassword:@"account-delete-me" expecting:errSecSuccess]; +} + + - (void)testRecoverFromCloudKitFetchFailWithDelay { // Test starts with nothing in database, but one in our fake CloudKit. [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self putFakeDeviceStatusInCloudKit:self.keychainZoneID]; // The first CKRecordZoneChanges should fail with a 'delay' error. self.silentFetchesAllowed = false; @@ -2440,6 +2986,8 @@ // Save a new device state record with some fake etag [self.keychainView dispatchSync: ^bool { CKKSDeviceStateEntry* cdse = [[CKKSDeviceStateEntry alloc] initForDevice:self.ckDeviceID + osVersion:@"fake-record" + lastUnlockTime:[NSDate date] circlePeerID:self.circlePeerID circleStatus:kSOSCCInCircle keyState:SecCKKSZoneKeyStateWaitForTLK 
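Review bot: In testRecoverFromCloudKitFetchNetworkFailAfterReady the negative check `findGenericPassword:@"account-delete-me" expecting:errSecItemNotFound` runs right after `addToZone:` with nothing visible in the hunk that asks CKKS to fetch, so it would hold whether or not the reachability gate works. Triggering a fetch while the network is marked down, for instance with `[self.keychainView notifyZoneChange:nil];` before the check, would make the assertion depend on the behaviour under test; confirm that a held fetch does not block the test. The opening comment `// Test starts with nothing in database, but one in our fake CloudKit.` is also inaccurate for this test, which calls `createAndSaveFakeKeyHierarchy:`; something like `// Test starts with a key hierarchy already saved locally and in our fake CloudKit.` would be closer, if that is what the helper does.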
@@ -2521,10 +3069,11 @@ [self addGenericPassword: @"data" account: @"account-delete-me"]; OCMVerifyAllWithDelay(self.mockDatabase, 8); - // The first CKRecordZoneChanges should fail with a 'CKErrorUserDeletedZone' error. + // The first CKRecordZoneChanges should fail with a 'CKErrorUserDeletedZone' error. This will cause a local reset, ending up with zone re-creation. + self.zones[self.keychainZoneID] = nil; // delete the zone [self.keychainZone failNextFetchWith:[[NSError alloc] initWithDomain:CKErrorDomain code:CKErrorUserDeletedZone userInfo:@{}]]; - // We expect a key hierarchy upload, and then the class C item upload + // We expect CKKS to recreate the zone, then perform a key hierarchy upload, and then the class C item upload [self expectCKModifyKeyRecords: 3 currentKeyPointerRecords: 3 tlkShareRecords: 1 zoneID:self.keychainZoneID]; [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID checkItem: [self checkClassCBlock:self.keychainZoneID message:@"Object was encrypted under class C key in hierarchy"]]; @@ -2544,9 +3093,10 @@ OCMVerifyAllWithDelay(self.mockDatabase, 8); } -- (void)testRecoverFromCloudKitZoneNotFoundZoneDeletionSuccess { +- (void)testRecoverFromCloudKitZoneNotFoundWithoutZoneDeletion { // Test starts with nothing in database, but one in our fake CloudKit. [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self putFakeDeviceStatusInCloudKit:self.keychainZoneID]; // Spin up CKKS subsystem. [self startCKKSSubsystem]; 
@@ -2560,26 +3110,21 @@ [self addGenericPassword: @"data" account: @"account-delete-me"]; OCMVerifyAllWithDelay(self.mockDatabase, 8); + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], "CKKS should enter 'ready'"); + [self waitForCKModifications]; - self.zones[self.keychainZoneID] = nil; // delete the autocreated zone + [self.keychainView waitForOperationsOfClass:[CKKSScanLocalItemsOperation class]]; - // The next CKRecordZoneChanges should fail with a 'zone not found' error. - // BUT: when it goes to delete the zone as part of the reset, that should succeed. So, we won't delete the zone here. - NSError* zoneNotFoundError = [[CKPrettyError alloc] initWithDomain:CKErrorDomain - code:CKErrorZoneNotFound - userInfo:@{}]; - NSError* error = [[CKPrettyError alloc] initWithDomain:CKErrorDomain - code:CKErrorPartialFailure - userInfo:@{CKPartialErrorsByItemIDKey: @{self.keychainZoneID:zoneNotFoundError}}]; - [self.keychainZone failNextFetchWith:error]; + // The next CKRecordZoneChanges will fail with a 'zone not found' error. + self.zones[self.keychainZoneID] = nil; // delete the zone // We expect CKKS to reset itself and recover, then a key hierarchy upload, and then the class C item upload [self expectCKModifyKeyRecords: 3 currentKeyPointerRecords: 3 tlkShareRecords: 1 zoneID:self.keychainZoneID]; [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID checkItem: [self checkClassCBlock:self.keychainZoneID message:@"Object was encrypted under class C key in hierarchy"]]; [self.keychainView notifyZoneChange:nil]; - - OCMVerifyAllWithDelay(self.mockDatabase, 8); + OCMVerifyAllWithDelay(self.mockDatabase, 80); + [self waitForCKModifications]; // And check that a new upload occurs. 
[self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID checkItem: [self checkClassABlock:self.keychainZoneID message:@"Object was encrypted under class A key in hierarchy"]]; 
@@ -2593,42 +3138,30 @@ OCMVerifyAllWithDelay(self.mockDatabase, 8); } -- (void)testRecoverFromCloudKitZoneNotFoundZoneDeletionFail { - // Test starts with nothing in database, but one in our fake CloudKit. - [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; +- (void)testRecoverFromCloudKitZoneNotFoundFetchBeforeSigninOccurs { + self.zones[self.keychainZoneID] = nil; // delete the autocreated zone - // Spin up CKKS subsystem. + // Before CKKS sign-in, it receives a fetch rpc + XCTestExpectation *fetchReturns = [self expectationWithDescription:@"fetch returned"]; + [self.injectedManager rpcFetchAndProcessChanges:nil reply:^(NSError *result) { + XCTAssertNil(result, "Should be no error fetching and processing changes"); + [fetchReturns fulfill]; + }]; + + // start 'login'. CKKS Should upload a key hierarchy + [self expectCKModifyKeyRecords:3 currentKeyPointerRecords:3 tlkShareRecords:1 zoneID:self.keychainZoneID]; [self startCKKSSubsystem]; - // Now, save the TLK to the keychain (to simulate it coming in later via SOS). 
- [self expectCKKSTLKSelfShareUpload:self.keychainZoneID]; - [self saveTLKMaterialToKeychainSimulatingSOS:self.keychainZoneID]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], "CKKS should enter 'ready'"); // We expect a single record to be uploaded - [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID checkItem: [self checkClassCBlock:self.keychainZoneID message:@"Object was encrypted under class C key in hierarchy"]]; + [self expectCKModifyItemRecords:1 currentKeyPointerRecords:1 zoneID:self.keychainZoneID + checkItem:[self checkClassCBlock:self.keychainZoneID message:@"Object was encrypted under class C key in hierarchy"]]; [self addGenericPassword: @"data" account: @"account-delete-me"]; OCMVerifyAllWithDelay(self.mockDatabase, 8); - [self waitForCKModifications]; - self.zones[self.keychainZoneID] = nil; // delete the autocreated zone - - // We expect CKKS to reset itself and recover, then a key hierarchy upload, and then the class C item upload - [self expectCKModifyKeyRecords: 3 currentKeyPointerRecords: 3 tlkShareRecords: 1 zoneID:self.keychainZoneID]; - [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID checkItem: [self checkClassCBlock:self.keychainZoneID message:@"Object was encrypted under class C key in hierarchy"]]; - - [self.keychainView notifyZoneChange:nil]; - OCMVerifyAllWithDelay(self.mockDatabase, 8); - - // And check that a new upload occurs. 
- [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID checkItem: [self checkClassABlock:self.keychainZoneID message:@"Object was encrypted under class A key in hierarchy"]]; - - [self addGenericPassword:@"asdf" - account:@"account-class-A" - viewHint:nil - access:(id)kSecAttrAccessibleWhenUnlocked - expecting:errSecSuccess - message:@"Adding class A item"]; - OCMVerifyAllWithDelay(self.mockDatabase, 8); + // The fetch should have come back by now + [self waitForExpectations: @[fetchReturns] timeout:5]; } - (void)testNoCloudKitAccount { @@ -2671,6 +3204,11 @@ self.silentFetchesAllowed = false; [self startCKKSSubsystem]; + [self.accountStateTracker notifyCKAccountStatusChangeAndWaitForSignal]; + XCTAssertNotNil(self.accountStateTracker.currentAccountError, "Account state tracker should believe there's no account"); + XCTAssertEqualObjects(self.accountStateTracker.currentAccountError.domain, CKKSErrorDomain, "Account tracker error should be in CKKSErrorDomain"); + XCTAssertEqual(self.accountStateTracker.currentAccountError.code, CKKSNotHSA2, "Account tracker error should be upset about HSA2"); + OCMVerifyAllWithDelay(self.mockDatabase, 8); // There should be no uploads, even when we save keychain items and enter/exit circle @@ -2702,6 +3240,11 @@ self.silentFetchesAllowed = false; [self startCKKSSubsystem]; + [self.accountStateTracker notifyCKAccountStatusChangeAndWaitForSignal]; + XCTAssertNotNil(self.accountStateTracker.currentAccountError, "Account state tracker should believe there's no account"); + XCTAssertEqualObjects(self.accountStateTracker.currentAccountError.domain, (__bridge NSString*)kSOSErrorDomain, "Account tracker error should be in SOSErrorDomain"); + XCTAssertEqual(self.accountStateTracker.currentAccountError.code, kSOSErrorNotInCircle, "Account tracker error should be upset about out-of-circle"); + OCMVerifyAllWithDelay(self.mockDatabase, 8); [self addGenericPassword: @"data" account: @"account-delete-me"]; 
@@ -2727,18 +3270,31 @@ self.accountStatus = CKAccountStatusNoAccount; self.circleStatus = kSOSCCNotInCircle; [self.accountStateTracker notifyCircleStatusChangeAndWaitForSignal]; + + // Before we inform CKKS of its account state.... + XCTAssertNotEqual(0, [self.keychainView.accountStateKnown wait:10*NSEC_PER_MSEC], "CKK shouldn't know the account state"); + [self startCKKSSubsystem]; XCTAssertEqual(0, [self.keychainView.loggedOut wait:500*NSEC_PER_MSEC], "Should have been told of a 'logout' event on startup"); XCTAssertNotEqual(0, [self.keychainView.loggedIn wait:100*NSEC_PER_MSEC], "'login' event shouldn't have happened"); + XCTAssertEqual(0, [self.keychainView.accountStateKnown wait:10*NSEC_PER_MSEC], "CKK should know the account state"); [self.keychainView waitUntilAllOperationsAreFinished]; OCMVerifyAllWithDelay(self.mockDatabase, 8); + XCTAssertNotNil(self.accountStateTracker.currentAccountError, "Account state tracker should believe there's no account"); + XCTAssertEqualObjects(self.accountStateTracker.currentAccountError.domain, CKKSErrorDomain, "Account tracker error should be in CKKSErrorDomain"); + XCTAssertEqual(self.accountStateTracker.currentAccountError.code, CKKSNotLoggedIn, "Account tracker error should just be 'no account'"); + // simulate a cloudkit login and NSNotification callback self.accountStatus = CKAccountStatusAvailable; [self.accountStateTracker notifyCKAccountStatusChangeAndWaitForSignal]; + XCTAssertNotNil(self.accountStateTracker.currentAccountError, "Account state tracker should believe there's no account"); + XCTAssertEqualObjects(self.accountStateTracker.currentAccountError.domain, (__bridge NSString*)kSOSErrorDomain, "Account tracker error should be in SOSErrorDomain"); + XCTAssertEqual(self.accountStateTracker.currentAccountError.code, kSOSErrorNotInCircle, "Account tracker error should be upset about out-of-circle"); + // No writes yet, since we're not in circle [self.keychainView waitUntilAllOperationsAreFinished]; 
OCMVerifyAllWithDelay(self.mockDatabase, 8); @@ -2749,8 +3305,11 @@ self.circleStatus = kSOSCCInCircle; [self.accountStateTracker notifyCircleStatusChangeAndWaitForSignal]; + XCTAssertNil(self.accountStateTracker.currentAccountError, "Account state tracker should believe there's an account"); + XCTAssertEqual(0, [self.keychainView.loggedIn wait:2000*NSEC_PER_MSEC], "Should have been told of a 'login'"); XCTAssertNotEqual(0, [self.keychainView.loggedOut wait:100*NSEC_PER_MSEC], "'logout' event should be reset"); + XCTAssertEqual(0, [self.keychainView.accountStateKnown wait:10*NSEC_PER_MSEC], "CKK should know the account state"); OCMVerifyAllWithDelay(self.mockDatabase, 8); [self waitForCKModifications]; @@ -2767,9 +3326,11 @@ // Test starts with nothing in database. We expect some sort of TLK/key hierarchy upload. [self expectCKModifyKeyRecords: 3 currentKeyPointerRecords: 3 tlkShareRecords: 1 zoneID:self.keychainZoneID]; + XCTAssertNotEqual(0, [self.keychainView.accountStateKnown wait:10*NSEC_PER_MSEC], "CKK shouldn't know the account state"); [self startCKKSSubsystem]; XCTAssertEqual(0, [self.keychainView.loggedIn wait:2000*NSEC_PER_MSEC], "Should have been told of a 'login'"); XCTAssertNotEqual(0, [self.keychainView.loggedOut wait:100*NSEC_PER_MSEC], "'logout' event should be reset"); + XCTAssertEqual(0, [self.keychainView.accountStateKnown wait:10*NSEC_PER_MSEC], "CKK should know the account state"); OCMVerifyAllWithDelay(self.mockDatabase, 20); [self waitForCKModifications]; 
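Review bot: Several of the added assertion messages will mislead whoever reads a failure log. After the simulated CloudKit login (`self.accountStatus = CKAccountStatusAvailable`) the message still says "Account state tracker should believe there's no account", although the next two assertions expect `kSOSErrorNotInCircle`; something like `"Account state tracker should still report an error while out of circle"` matches what is checked. The `accountStateKnown` messages read "CKK should know the account state" and "CKK shouldn't know the account state", which should be "CKKS"; the same wording recurs in the later hunks of this file that add `accountStateKnown` checks.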
@@ -2787,9 +3348,14 @@ self.circleStatus = kSOSCCNotInCircle; [self.accountStateTracker notifyCircleStatusChangeAndWaitForSignal]; + XCTAssertNotNil(self.accountStateTracker.currentAccountError, "Account state tracker should believe there's no account"); + XCTAssertEqualObjects(self.accountStateTracker.currentAccountError.domain, CKKSErrorDomain, "Account tracker error should be in CKKSErrorDomain"); + XCTAssertEqual(self.accountStateTracker.currentAccountError.code, CKKSNotLoggedIn, "Account tracker error should just believe we're not logged in"); + // Test that there are no items in the database after logout XCTAssertEqual(0, [self.keychainView.loggedOut wait:2000*NSEC_PER_MSEC], "Should have been told of a 'logout'"); XCTAssertNotEqual(0, [self.keychainView.loggedIn wait:100*NSEC_PER_MSEC], "'login' event should be reset"); + XCTAssertEqual(0, [self.keychainView.accountStateKnown wait:10*NSEC_PER_MSEC], "CKK should know the account state"); [self checkNoCKKSData: self.keychainView]; // There should be no further uploads, even when we save keychain items @@ -2798,6 +3364,7 @@ [self.keychainView waitUntilAllOperationsAreFinished]; OCMVerifyAllWithDelay(self.mockDatabase, 20); + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateLoggedOut] wait:8*NSEC_PER_SEC], "CKKS entered 'logged out'"); // simulate a cloudkit login // We should expect CKKS to re-find the key hierarchy it already uploaded, and then send up the two records we added during the pause 
@@ -2807,14 +3374,17 @@ [self.accountStateTracker notifyCKAccountStatusChangeAndWaitForSignal]; self.circleStatus = kSOSCCInCircle; [self.accountStateTracker notifyCircleStatusChangeAndWaitForSignal]; + XCTAssertNil(self.accountStateTracker.currentAccountError, "Account state tracker should believe there's an account"); XCTAssertEqual(0, [self.keychainView.loggedIn wait:2000*NSEC_PER_MSEC], "Should have been told of a 'login'"); XCTAssertNotEqual(0, [self.keychainView.loggedOut wait:100*NSEC_PER_MSEC], "'logout' event should be reset"); + XCTAssertEqual(0, [self.keychainView.accountStateKnown wait:10*NSEC_PER_MSEC], "CKK should know the account state"); OCMVerifyAllWithDelay(self.mockDatabase, 20); // Let everything settle... - [self.keychainView waitUntilAllOperationsAreFinished]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], "CKKS entered 'ready'"); + [self waitForCKModifications]; // Logout again self.accountStatus = CKAccountStatusNoAccount; @@ -2825,6 +3395,7 @@ // Test that there are no items in the database after logout XCTAssertEqual(0, [self.keychainView.loggedOut wait:2000*NSEC_PER_MSEC], "Should have been told of a 'logout'"); XCTAssertNotEqual(0, [self.keychainView.loggedIn wait:100*NSEC_PER_MSEC], "'login' event should be reset"); + XCTAssertEqual(0, [self.keychainView.accountStateKnown wait:10*NSEC_PER_MSEC], "CKK should know the account state"); [self checkNoCKKSData: self.keychainView]; // There should be no further uploads, even when we save keychain items 
@@ -2845,412 +3416,163 @@ XCTAssertEqual(0, [self.keychainView.loggedIn wait:2000*NSEC_PER_MSEC], "Should have been told of a 'login'"); XCTAssertNotEqual(0, [self.keychainView.loggedOut wait:100*NSEC_PER_MSEC], "'logout' event should be reset"); + XCTAssertEqual(0, [self.keychainView.accountStateKnown wait:10*NSEC_PER_MSEC], "CKK should know the account state"); OCMVerifyAllWithDelay(self.mockDatabase, 20); -} - -- (void)testCloudKitLoginRace { - // Test starts with nothing in database, and 'in circle', but securityd hasn't received notification if we're logged into CloudKit. - // CKKS should not call handleLogout. - - id partialKVMock = OCMPartialMock(self.keychainView); - OCMReject([partialKVMock handleCKLogout]); - // note: don't unblock the ck account state object yet... - - self.circleStatus = kSOSCCInCircle; - [self.accountStateTracker notifyCircleStatusChangeAndWaitForSignal]; - - // Add a keychain item, but make sure it doesn't upload yet. - [self addGenericPassword: @"data" account: @"account-delete-me"]; + // Let everything settle... [self.keychainView waitUntilAllOperationsAreFinished]; - OCMVerifyAllWithDelay(self.mockDatabase, 8); + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], "CKKS entered 'ready'"); - // Now that we're here (and handleCKLogout hasn't been called), bring the account up + // Logout again + self.accountStatus = CKAccountStatusNoAccount; + [self.accountStateTracker notifyCKAccountStatusChangeAndWaitForSignal]; + self.circleStatus = kSOSCCNotInCircle; + [self.accountStateTracker notifyCircleStatusChangeAndWaitForSignal]; - // We expect some sort of TLK/key hierarchy upload once we are notified of entering the circle. 
- [self expectCKModifyKeyRecords: 3 currentKeyPointerRecords: 3 tlkShareRecords: 1 zoneID:self.keychainZoneID]; + // Test that there are no items in the database after logout + XCTAssertEqual(0, [self.keychainView.loggedOut wait:2000*NSEC_PER_MSEC], "Should have been told of a 'logout'"); + XCTAssertNotEqual(0, [self.keychainView.loggedIn wait:100*NSEC_PER_MSEC], "'login' event should be reset"); + XCTAssertEqual(0, [self.keychainView.accountStateKnown wait:10*NSEC_PER_MSEC], "CKK should know the account state"); + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateLoggedOut] wait:8*NSEC_PER_SEC], "CKKS entered 'logged out'"); + [self checkNoCKKSData: self.keychainView]; - // We expect a single class C record to be uploaded. - [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID checkItem: [self checkClassCBlock:self.keychainZoneID message:@"Object was encrypted under class C key in hierarchy"]]; + // Force zone into error state + self.keychainView.keyHierarchyState = SecCKKSZoneKeyStateError; self.accountStatus = CKAccountStatusAvailable; - [self startCKAccountStatusMock]; - - // simulate another NSNotification callback [self.accountStateTracker notifyCKAccountStatusChangeAndWaitForSignal]; + self.circleStatus = kSOSCCInCircle; + [self.accountStateTracker notifyCircleStatusChangeAndWaitForSignal]; - OCMVerifyAllWithDelay(self.mockDatabase, 8); - [self waitForCKModifications]; - - // Make sure new items upload too - [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID checkItem: [self checkClassCBlock:self.keychainZoneID message:@"Object was encrypted under class C key in hierarchy"]]; - [self addGenericPassword: @"data" account: @"account-delete-me-2"]; - OCMVerifyAllWithDelay(self.mockDatabase, 8); - - [self.keychainView waitUntilAllOperationsAreFinished]; - [self waitForCKModifications]; - [self.keychainView halt]; - - [partialKVMock stopMocking]; -} - -- 
(void)testDeviceStateUploadGood { - [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. - - [self startCKKSSubsystem]; - [self.keychainView waitForKeyHierarchyReadiness]; - - __weak __typeof(self) weakSelf = self; - [self expectCKModifyRecords: @{SecCKRecordDeviceStateType: [NSNumber numberWithInt:1]} - deletedRecordTypeCounts:nil - zoneID:self.keychainZoneID - checkModifiedRecord: ^BOOL (CKRecord* record){ - if([record.recordType isEqualToString: SecCKRecordDeviceStateType]) { - // Check that all the things matches - __strong __typeof(weakSelf) strongSelf = weakSelf; - XCTAssertNotNil(strongSelf, "self exists"); - - ZoneKeys* zoneKeys = strongSelf.keys[strongSelf.keychainZoneID]; - XCTAssertNotNil(zoneKeys, "Have zone keys for %@", strongSelf.keychainZoneID); - - XCTAssertEqualObjects(record[SecCKRecordCirclePeerID], strongSelf.circlePeerID, "peer ID matches what we gave it"); - XCTAssertEqualObjects(record[SecCKRecordCircleStatus], [NSNumber numberWithInt:kSOSCCInCircle], "device is in circle"); - XCTAssertEqualObjects(record[SecCKRecordKeyState], CKKSZoneKeyToNumber(SecCKKSZoneKeyStateReady), "Device is in ready"); - - XCTAssertEqualObjects([record[SecCKRecordCurrentTLK] recordID].recordName, zoneKeys.tlk.uuid, "Correct TLK uuid"); - XCTAssertEqualObjects([record[SecCKRecordCurrentClassA] recordID].recordName, zoneKeys.classA.uuid, "Correct class A uuid"); - XCTAssertEqualObjects([record[SecCKRecordCurrentClassC] recordID].recordName, zoneKeys.classC.uuid, "Correct class C uuid"); - return YES; - } else { - return NO; - } - } - runAfterModification:nil]; - - [self.keychainView updateDeviceState:false waitForKeyHierarchyInitialization:2*NSEC_PER_SEC ckoperationGroup:nil]; - - OCMVerifyAllWithDelay(self.mockDatabase, 8); -} - -- (void)testDeviceStateUploadRateLimited { - [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. 
- - [self startCKKSSubsystem]; - [self.keychainView waitForKeyHierarchyReadiness]; - - __weak __typeof(self) weakSelf = self; - [self expectCKModifyRecords: @{SecCKRecordDeviceStateType: [NSNumber numberWithInt:1]} - deletedRecordTypeCounts:nil - zoneID:self.keychainZoneID - checkModifiedRecord: ^BOOL (CKRecord* record){ - if([record.recordType isEqualToString: SecCKRecordDeviceStateType]) { - // Check that all the things matches - __strong __typeof(weakSelf) strongSelf = weakSelf; - XCTAssertNotNil(strongSelf, "self exists"); - - ZoneKeys* zoneKeys = strongSelf.keys[strongSelf.keychainZoneID]; - XCTAssertNotNil(zoneKeys, "Have zone keys for %@", strongSelf.keychainZoneID); - - XCTAssertEqualObjects(record[SecCKRecordCirclePeerID], strongSelf.circlePeerID, "peer ID matches what we gave it"); - XCTAssertEqualObjects(record[SecCKRecordCircleStatus], [NSNumber numberWithInt:kSOSCCInCircle], "device is in circle"); - XCTAssertEqualObjects(record[SecCKRecordKeyState], CKKSZoneKeyToNumber(SecCKKSZoneKeyStateReady), "Device is in ready"); - - XCTAssertEqualObjects([record[SecCKRecordCurrentTLK] recordID].recordName, zoneKeys.tlk.uuid, "Correct TLK uuid"); - XCTAssertEqualObjects([record[SecCKRecordCurrentClassA] recordID].recordName, zoneKeys.classA.uuid, "Correct class A uuid"); - XCTAssertEqualObjects([record[SecCKRecordCurrentClassC] recordID].recordName, zoneKeys.classC.uuid, "Correct class C uuid"); - return YES; - } else { - return NO; - } - } - runAfterModification:nil]; - - CKKSUpdateDeviceStateOperation* op = [self.keychainView updateDeviceState:true waitForKeyHierarchyInitialization:2*NSEC_PER_SEC ckoperationGroup:nil]; - OCMVerifyAllWithDelay(self.mockDatabase, 8); - [op waitUntilFinished]; - - // Check that an immediate rate-limited retry doesn't upload anything - op = [self.keychainView updateDeviceState:true waitForKeyHierarchyInitialization:2*NSEC_PER_SEC ckoperationGroup:nil]; - [op waitUntilFinished]; - - // But not rate-limiting works just fine! 
- [self expectCKModifyRecords:@{SecCKRecordDeviceStateType: [NSNumber numberWithInt:1]} - deletedRecordTypeCounts:nil - zoneID:self.keychainZoneID - checkModifiedRecord:nil - runAfterModification:nil]; - op = [self.keychainView updateDeviceState:false waitForKeyHierarchyInitialization:2*NSEC_PER_SEC ckoperationGroup:nil]; - OCMVerifyAllWithDelay(self.mockDatabase, 8); - [op waitUntilFinished]; - - // And now, if the update is old enough, that'll work too - [self.keychainView dispatchSync:^bool { - NSError* error = nil; - CKKSDeviceStateEntry* cdse = [CKKSDeviceStateEntry fromDatabase:self.accountStateTracker.ckdeviceID zoneID:self.keychainZoneID error:&error]; - XCTAssertNil(error, "No error fetching device state entry"); - XCTAssertNotNil(cdse, "Fetched device state entry"); - - CKRecord* record = cdse.storedCKRecord; - - NSDate* m = record.modificationDate; - XCTAssertNotNil(m, "Have modification date"); - - // Four days ago! - NSDateComponents* offset = [[NSDateComponents alloc] init]; - [offset setHour:-4 * 24]; - NSDate* m2 = [[NSCalendar currentCalendar] dateByAddingComponents:offset toDate:m options:0]; - - XCTAssertNotNil(m2, "Made modification date"); - - record.modificationDate = m2; - [cdse setStoredCKRecord:record]; + XCTestExpectation *operationRun = [self expectationWithDescription:@"operation run"]; + NSOperation* op = [NSBlockOperation named:@"test" withBlock:^{ + [operationRun fulfill]; + }]; - [cdse saveToDatabase:&error]; - XCTAssertNil(error, "No error saving device state entry"); + [op addDependency:self.keychainView.keyStateReadyDependency]; + [self.operationQueue addOperation:op]; - return true; - }]; + XCTAssertEqual(0, [self.keychainView.loggedIn wait:2000*NSEC_PER_MSEC], "Should have been told of a 'login'"); + XCTAssertNotEqual(0, [self.keychainView.loggedOut wait:100*NSEC_PER_MSEC], "'logout' event should be reset"); + XCTAssertEqual(0, [self.keychainView.accountStateKnown wait:10*NSEC_PER_MSEC], "CKK should know the account state"); - 
// And now the rate-limiting doesn't get in the way - [self expectCKModifyRecords:@{SecCKRecordDeviceStateType: [NSNumber numberWithInt:1]} - deletedRecordTypeCounts:nil - zoneID:self.keychainZoneID - checkModifiedRecord:nil - runAfterModification:nil]; - op = [self.keychainView updateDeviceState:true waitForKeyHierarchyInitialization:2*NSEC_PER_SEC ckoperationGroup:nil]; - OCMVerifyAllWithDelay(self.mockDatabase, 12); - [op waitUntilFinished]; + OCMVerifyAllWithDelay(self.mockDatabase, 20); + [self waitForExpectations: @[operationRun] timeout:5]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], "CKKS entered 'ready'"); } -- (void)testDeviceStateUploadRateLimitedAfterNormalUpload { - [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. +- (void)testCloudKitLogoutDueToGreyMode { + // Test starts with nothing in database. We expect some sort of TLK/key hierarchy upload. + [self expectCKModifyKeyRecords:3 currentKeyPointerRecords:3 tlkShareRecords:1 zoneID:self.keychainZoneID]; + XCTAssertNotEqual(0, [self.keychainView.accountStateKnown wait:10*NSEC_PER_MSEC], "CKK shouldn't know the account state"); [self startCKKSSubsystem]; - [self.keychainView waitForKeyHierarchyReadiness]; + XCTAssertEqual(0, [self.keychainView.loggedIn wait:8*NSEC_PER_SEC], "Should have been told of a 'login'"); + XCTAssertNotEqual(0, [self.keychainView.loggedOut wait:10*NSEC_PER_MSEC], "'logout' event should be reset"); + XCTAssertEqual(0, [self.keychainView.accountStateKnown wait:10*NSEC_PER_MSEC], "CKK should know the account state"); - [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID]; - [self addGenericPassword:@"password" account:@"account-delete-me"]; - OCMVerifyAllWithDelay(self.mockDatabase, 8); + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], @"Key state should become 'ready'"); - // 
Check that an immediate rate-limited retry doesn't upload anything - CKKSUpdateDeviceStateOperation* op = [self.keychainView updateDeviceState:true waitForKeyHierarchyInitialization:2*NSEC_PER_SEC ckoperationGroup:nil]; - [op waitUntilFinished]; -} + OCMVerifyAllWithDelay(self.mockDatabase, 20); + [self waitForCKModifications]; -- (void)testDeviceStateUploadWaitsForKeyHierarchy { - [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. + // simulate a cloudkit grey mode switch and NSNotification callback. CKKS should treat this as a logout + self.iCloudHasValidCredentials = false; + [self.accountStateTracker notifyCKAccountStatusChangeAndWaitForSignal]; - // Ask to wait for quite a while if we don't become ready - [self.keychainView updateDeviceState:false waitForKeyHierarchyInitialization:20*NSEC_PER_SEC ckoperationGroup:nil]; + XCTAssertNotNil(self.accountStateTracker.currentAccountError, "Account state tracker should believe there's no account"); + XCTAssertEqualObjects(self.accountStateTracker.currentAccountError.domain, CKKSErrorDomain, "Account tracker error should be in CKKSErrorDomain"); + XCTAssertEqual(self.accountStateTracker.currentAccountError.code, CKKSiCloudGreyMode, "Account tracker error should be upset about grey mode"); - __weak __typeof(self) weakSelf = self; - // Expect a ready upload - [self expectCKModifyRecords: @{SecCKRecordDeviceStateType: [NSNumber numberWithInt:1]} - deletedRecordTypeCounts:nil - zoneID:self.keychainZoneID - checkModifiedRecord: ^BOOL (CKRecord* record){ - if([record.recordType isEqualToString: SecCKRecordDeviceStateType]) { - __strong __typeof(weakSelf) strongSelf = weakSelf; - XCTAssertNotNil(strongSelf, "self exists"); - - ZoneKeys* zoneKeys = strongSelf.keys[strongSelf.keychainZoneID]; - XCTAssertNotNil(zoneKeys, "Have zone keys for %@", strongSelf.keychainZoneID); - - XCTAssertEqualObjects(record[SecCKRecordCirclePeerID], strongSelf.circlePeerID, "peer ID matches what we gave 
it"); - XCTAssertEqualObjects(record[SecCKRecordCircleStatus], [NSNumber numberWithInt:kSOSCCInCircle], "device is in circle"); - XCTAssertEqualObjects(record[SecCKRecordKeyState], CKKSZoneKeyToNumber(SecCKKSZoneKeyStateReady), "Device is in ready"); - - XCTAssertEqualObjects([record[SecCKRecordCurrentTLK] recordID].recordName, zoneKeys.tlk.uuid, "Correct TLK uuid"); - XCTAssertEqualObjects([record[SecCKRecordCurrentClassA] recordID].recordName, zoneKeys.classA.uuid, "Correct class A uuid"); - XCTAssertEqualObjects([record[SecCKRecordCurrentClassC] recordID].recordName, zoneKeys.classC.uuid, "Correct class C uuid"); - return YES; - } else { - return NO; - } - } - runAfterModification:nil]; + // Test that there are no items in the database after logout + XCTAssertEqual(0, [self.keychainView.loggedOut wait:8*NSEC_PER_SEC], "Should have been told of a 'logout'"); + XCTAssertNotEqual(0, [self.keychainView.loggedIn wait:10*NSEC_PER_MSEC], "'login' event should be reset"); + XCTAssertEqual(0, [self.keychainView.accountStateKnown wait:10*NSEC_PER_MSEC], "CKK should know the account state"); + [self checkNoCKKSData: self.keychainView]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateLoggedOut] wait:8*NSEC_PER_SEC], "CKKS entered 'logged out'"); - // And allow the key state to progress - [self startCKKSSubsystem]; - OCMVerifyAllWithDelay(self.mockDatabase, 8); -} + // There should be no further uploads, even when we save keychain items + [self addGenericPassword: @"data" account: @"account-delete-me-2"]; + [self addGenericPassword: @"data" account: @"account-delete-me-3"]; -- (void)testDeviceStateReceive { - [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. 
+ [self.keychainView waitUntilAllOperationsAreFinished]; + OCMVerifyAllWithDelay(self.mockDatabase, 20); - ZoneKeys* zoneKeys = self.keys[self.keychainZoneID]; - XCTAssertNotNil(zoneKeys, "Have zone keys for %@", self.keychainZoneID); + // Also, fetches shouldn't occur + self.silentFetchesAllowed = false; + NSOperation* op = [self.keychainView.zoneChangeFetcher requestSuccessfulFetch:CKKSFetchBecauseTesting]; + CKKSResultOperation* timeoutOp = [CKKSResultOperation named:@"timeout" withBlock:^{}]; + [timeoutOp addDependency:op]; + [timeoutOp timeout:4*NSEC_PER_SEC]; + [self.operationQueue addOperation:timeoutOp]; + [timeoutOp waitUntilFinished]; + + // CloudKit figures its life out. We expect the two passwords from before to be uploaded + [self expectCKModifyItemRecords:2 currentKeyPointerRecords:1 zoneID:self.keychainZoneID]; + self.silentFetchesAllowed = true; + self.iCloudHasValidCredentials = true; + [self.accountStateTracker notifyCKAccountStatusChangeAndWaitForSignal]; - [self startCKKSSubsystem]; - [self.keychainView waitForKeyHierarchyReadiness]; + XCTAssertNil(self.accountStateTracker.currentAccountError, "Account state tracker should believe there's an account"); - CKKSDeviceStateEntry* cdse = [[CKKSDeviceStateEntry alloc] initForDevice:@"otherdevice" - circlePeerID:@"asdfasdf" - circleStatus:kSOSCCInCircle - keyState:SecCKKSZoneKeyStateReady - currentTLKUUID:zoneKeys.tlk.uuid - currentClassAUUID:zoneKeys.classA.uuid - currentClassCUUID:zoneKeys.classC.uuid - zoneID:self.keychainZoneID - encodedCKRecord:nil]; - CKRecord* record = [cdse CKRecordWithZoneID:self.keychainZoneID]; - [self.keychainZone addToZone:record]; + XCTAssertEqual(0, [self.keychainView.loggedIn wait:8*NSEC_PER_SEC], "Should have been told of a 'login'"); + XCTAssertNotEqual(0, [self.keychainView.loggedOut wait:10*NSEC_PER_MSEC], "'logout' event should be reset"); + XCTAssertEqual(0, [self.keychainView.accountStateKnown wait:10*NSEC_PER_MSEC], "CKK should know the account state"); + 
OCMVerifyAllWithDelay(self.mockDatabase, 20); - // Trigger a notification (with hilariously fake data) + // And fetching still works! + [self.keychainZone addToZone: [self createFakeRecord: self.keychainZoneID recordName:@"7B598D31-F9C5-481E-98AC-5A507ACB2D00" withAccount:@"account0"]]; [self.keychainView notifyZoneChange:nil]; [self.keychainView waitForFetchAndIncomingQueueProcessing]; - - [self.keychainView dispatchSync: ^bool { - NSError* error = nil; - NSArray* cdses = [CKKSDeviceStateEntry allInZone:self.keychainZoneID error:&error]; - XCTAssertNil(error, "No error fetching CDSEs"); - XCTAssertNotNil(cdses, "An array of CDSEs was returned"); - XCTAssert(cdses.count >= 1u, "At least one CDSE came back"); - - CKKSDeviceStateEntry* item = nil; - for(CKKSDeviceStateEntry* dbcdse in cdses) { - if([dbcdse.device isEqualToString:@"otherdevice"]) { - item = dbcdse; - } - } - XCTAssertNotNil(item, "Found a cdse for otherdevice"); - - XCTAssertEqualObjects(cdse, item, "Saved item matches pre-cloudkit item"); - - XCTAssertEqualObjects(item.circlePeerID, @"asdfasdf", "correct peer id"); - XCTAssertEqualObjects(item.keyState, SecCKKSZoneKeyStateReady, "correct key state"); - XCTAssertEqualObjects(item.currentTLKUUID, zoneKeys.tlk.uuid, "correct tlk uuid"); - XCTAssertEqualObjects(item.currentClassAUUID, zoneKeys.classA.uuid, "correct classA uuid"); - XCTAssertEqualObjects(item.currentClassCUUID, zoneKeys.classC.uuid, "correct classC uuid"); - - return false; - }]; - - OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self findGenericPassword: @"account0" expecting:errSecSuccess]; + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:8*NSEC_PER_SEC], "CKKS entered 'ready'"); } -- (void)testDeviceStateUploadBadKeyState { - // This test has stuff in CloudKit, but no TLKs. It should become very sad. 
- [self putFakeKeyHierarchyInCloudKit: self.keychainZoneID]; +- (void)testCloudKitLoginRace { + // Test starts with nothing in database, and 'in circle', but securityd hasn't received notification if we're logged into CloudKit. + // CKKS should not call handleLogout. - [self startCKKSSubsystem]; - XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForTLK] wait:8*NSEC_PER_SEC], "CKKS entered waitfortlk"); - XCTAssertEqualObjects(self.keychainView.keyHierarchyState, SecCKKSZoneKeyStateWaitForTLK, "CKKS entered waitfortlk"); + id partialKVMock = OCMPartialMock(self.keychainView); + OCMReject([partialKVMock handleCKLogout]); + // note: don't unblock the ck account state object yet... - __weak __typeof(self) weakSelf = self; - [self expectCKModifyRecords: @{SecCKRecordDeviceStateType: [NSNumber numberWithInt:1]} - deletedRecordTypeCounts:nil - zoneID:self.keychainZoneID - checkModifiedRecord: ^BOOL (CKRecord* record){ - if([record.recordType isEqualToString: SecCKRecordDeviceStateType]) { - // Check that all the things matches - __strong __typeof(weakSelf) strongSelf = weakSelf; - XCTAssertNotNil(strongSelf, "self exists"); - - XCTAssertEqualObjects(record[SecCKRecordCirclePeerID], strongSelf.circlePeerID, "peer ID matches what we gave it"); - XCTAssertEqualObjects(record[SecCKRecordCircleStatus], [NSNumber numberWithInt:kSOSCCInCircle], "device is in circle"); - XCTAssertEqualObjects(record[SecCKRecordKeyState], CKKSZoneKeyToNumber(SecCKKSZoneKeyStateWaitForTLK), "Device is in waitfortlk"); - - XCTAssertNil(record[SecCKRecordCurrentTLK] , "No TLK"); - XCTAssertNil(record[SecCKRecordCurrentClassA], "No class A key"); - XCTAssertNil(record[SecCKRecordCurrentClassC], "No class C key"); - return YES; - } else { - return NO; - } - } - runAfterModification:nil]; + self.circleStatus = kSOSCCInCircle; + [self.accountStateTracker notifyCircleStatusChangeAndWaitForSignal]; - [self.keychainView updateDeviceState:false 
waitForKeyHierarchyInitialization:500*NSEC_PER_MSEC ckoperationGroup:nil]; + // Add a keychain item, but make sure it doesn't upload yet. + [self addGenericPassword: @"data" account: @"account-delete-me"]; + [self.keychainView waitUntilAllOperationsAreFinished]; OCMVerifyAllWithDelay(self.mockDatabase, 8); -} -- (void)testDeviceStateUploadBadKeyStateAfterRestart { - // This test has stuff in CloudKit, but no TLKs. It should become very sad. - [self putFakeKeyHierarchyInCloudKit: self.keychainZoneID]; + // Now that we're here (and handleCKLogout hasn't been called), bring the account up - [self startCKKSSubsystem]; - XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForTLK] wait:8*NSEC_PER_SEC], "CKKS entered waitfortlk"); - XCTAssertEqualObjects(self.keychainView.keyHierarchyState, SecCKKSZoneKeyStateWaitForTLK, "CKKS entered waitfortlk"); + // We expect some sort of TLK/key hierarchy upload once we are notified of entering the circle. + [self expectCKModifyKeyRecords: 3 currentKeyPointerRecords: 3 tlkShareRecords: 1 zoneID:self.keychainZoneID]; - // And restart CKKS... - self.keychainView = [[CKKSViewManager manager] restartZone: self.keychainZoneID.zoneName]; - XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForTLK] wait:8*NSEC_PER_SEC], "CKKS entered waitfortlk"); - XCTAssertEqualObjects(self.keychainView.keyHierarchyState, SecCKKSZoneKeyStateWaitForTLK, "CKKS entered waitfortlk"); + // We expect a single class C record to be uploaded. 
+ [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID checkItem: [self checkClassCBlock:self.keychainZoneID message:@"Object was encrypted under class C key in hierarchy"]]; - __weak __typeof(self) weakSelf = self; - [self expectCKModifyRecords: @{SecCKRecordDeviceStateType: [NSNumber numberWithInt:1]} - deletedRecordTypeCounts:nil - zoneID:self.keychainZoneID - checkModifiedRecord: ^BOOL (CKRecord* record){ - if([record.recordType isEqualToString: SecCKRecordDeviceStateType]) { - // Check that all the things matches - __strong __typeof(weakSelf) strongSelf = weakSelf; - XCTAssertNotNil(strongSelf, "self exists"); - - XCTAssertEqualObjects(record[SecCKRecordCirclePeerID], strongSelf.circlePeerID, "peer ID matches what we gave it"); - XCTAssertEqualObjects(record[SecCKRecordCircleStatus], [NSNumber numberWithInt:kSOSCCInCircle], "device is in circle"); - XCTAssertEqualObjects(record[SecCKRecordKeyState], CKKSZoneKeyToNumber(SecCKKSZoneKeyStateWaitForTLK), "Device is in waitfortlk"); - - XCTAssertNil(record[SecCKRecordCurrentTLK] , "No TLK"); - XCTAssertNil(record[SecCKRecordCurrentClassA], "No class A key"); - XCTAssertNil(record[SecCKRecordCurrentClassC], "No class C key"); - return YES; - } else { - return NO; - } - } - runAfterModification:nil]; + self.accountStatus = CKAccountStatusAvailable; + [self startCKAccountStatusMock]; - [self.keychainView updateDeviceState:false waitForKeyHierarchyInitialization:500*NSEC_PER_MSEC ckoperationGroup:nil]; + // simulate another NSNotification callback + [self.accountStateTracker notifyCKAccountStatusChangeAndWaitForSignal]; OCMVerifyAllWithDelay(self.mockDatabase, 8); -} - - -- (void)testDeviceStateUploadBadCircleState { - self.circleStatus = kSOSCCNotInCircle; - [self.accountStateTracker notifyCircleStatusChangeAndWaitForSignal]; - - // This test has stuff in CloudKit, but no TLKs. 
- [self putFakeKeyHierarchyInCloudKit: self.keychainZoneID]; - - [self startCKKSSubsystem]; - - XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateInitializing] wait:8*NSEC_PER_SEC], "CKKS entered initializing"); - XCTAssertEqualObjects(self.keychainView.keyHierarchyState, SecCKKSZoneKeyStateInitializing, "CKKS entered intializing"); - - __weak __typeof(self) weakSelf = self; - [self expectCKModifyRecords: @{SecCKRecordDeviceStateType: [NSNumber numberWithInt:1]} - deletedRecordTypeCounts:nil - zoneID:self.keychainZoneID - checkModifiedRecord: ^BOOL (CKRecord* record){ - if([record.recordType isEqualToString: SecCKRecordDeviceStateType]) { - // Check that all the things matches - __strong __typeof(weakSelf) strongSelf = weakSelf; - XCTAssertNotNil(strongSelf, "self exists"); - - XCTAssertNil(record[SecCKRecordCirclePeerID], "no peer ID if device is not in circle"); - XCTAssertEqualObjects(record[SecCKRecordCircleStatus], [NSNumber numberWithInt:kSOSCCNotInCircle], "device is not in circle"); - XCTAssertEqualObjects(record[SecCKRecordKeyState], CKKSZoneKeyToNumber(SecCKKSZoneKeyStateInitializing), "Device is in keystate:initializing"); - - XCTAssertNil(record[SecCKRecordCurrentTLK] , "No TLK"); - XCTAssertNil(record[SecCKRecordCurrentClassA], "No class A key"); - XCTAssertNil(record[SecCKRecordCurrentClassC], "No class C key"); - return YES; - } else { - return NO; - } - } - runAfterModification:nil]; + [self waitForCKModifications]; - CKKSUpdateDeviceStateOperation* op = [self.keychainView updateDeviceState:false waitForKeyHierarchyInitialization:500*NSEC_PER_MSEC ckoperationGroup:nil]; + // Make sure new items upload too + [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID checkItem: [self checkClassCBlock:self.keychainZoneID message:@"Object was encrypted under class C key in hierarchy"]]; + [self addGenericPassword: @"data" account: @"account-delete-me-2"]; 
OCMVerifyAllWithDelay(self.mockDatabase, 8); - [op waitUntilFinished]; - XCTAssertNil(op.error, "No error uploading 'out of circle' device state"); + [self.keychainView waitUntilAllOperationsAreFinished]; + [self waitForCKModifications]; + [self.keychainView halt]; + + [partialKVMock stopMocking]; } - (void)testNotStuckAfterReset { @@ -3273,19 +3595,8 @@ } - (void)testCKKSControlBringup { - xpc_endpoint_t endpoint = SecServerCreateCKKSEndpoint(); - XCTAssertNotNil(endpoint, "Received endpoint"); - NSXPCInterface *interface = CKKSSetupControlProtocol([NSXPCInterface interfaceWithProtocol:@protocol(CKKSControlProtocol)]); XCTAssertNotNil(interface, "Received a configured CKKS interface"); - - NSXPCListenerEndpoint *listenerEndpoint = [[NSXPCListenerEndpoint alloc] init]; - [listenerEndpoint _setEndpoint:endpoint]; - - NSXPCConnection* connection = [[NSXPCConnection alloc] initWithListenerEndpoint:listenerEndpoint]; - XCTAssertNotNil(connection , "Received an active connection"); - - connection.remoteObjectInterface = interface; } @end diff --git a/keychain/ckks/tests/CloudKitKeychainSyncingFixupTests.m b/keychain/ckks/tests/CloudKitKeychainSyncingFixupTests.m index a8f82b94..88ff5a8a 100644 --- a/keychain/ckks/tests/CloudKitKeychainSyncingFixupTests.m +++ b/keychain/ckks/tests/CloudKitKeychainSyncingFixupTests.m @@ -26,6 +26,7 @@ #import #import #import +#import #import "keychain/ckks/tests/CloudKitMockXCTest.h" #import "keychain/ckks/tests/CloudKitKeychainSyncingMockXCTest.h" 
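Review bot: In `testCloudKitLogoutDueToGreyMode`, the "fetches shouldn't occur" step waits on `timeoutOp` but asserts nothing about its outcome, so the check depends entirely on what `self.silentFetchesAllowed = false` does inside the mock, which this hunk does not show. If `CKKSResultOperation` records a timeout as an error (the removed code read `op.error` on a CKKS operation, so this is presumed), asserting it states the intent: `XCTAssertNotNil(timeoutOp.error, "fetch should not complete while iCloud credentials are invalid");`. As written, a fetch that does run while credentials are invalid may go unnoticed, and the step costs a fixed four-second wait either way.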
@@ -315,11 +316,9 @@ CKKSMirrorEntry* ckme = [CKKSMirrorEntry fromDatabase:secondRecordID.recordName zoneID:self.keychainZoneID error:&error]; XCTAssertNil(error, "Should have no error pulling second CKKSMirrorEntry from database"); - NSMutableData* data = [NSMutableData data]; - NSKeyedArchiver *archiver = [[NSKeyedArchiver alloc] initForWritingWithMutableData:data]; + NSKeyedArchiver *archiver = [[NSKeyedArchiver alloc] initRequiringSecureCoding:YES]; [ckme.item.storedCKRecord encodeSystemFieldsWithCoder:archiver]; - [archiver finishEncoding]; - ckme.item.encodedCKRecord = data; + ckme.item.encodedCKRecord = archiver.encodedData; [ckme saveToDatabase:&error]; XCTAssertNil(error, "No error saving system-fielded CKME back to database"); diff --git a/keychain/ckks/tests/CloudKitKeychainSyncingMockXCTest.h b/keychain/ckks/tests/CloudKitKeychainSyncingMockXCTest.h index b6992f58..d1559cc8 100644 --- a/keychain/ckks/tests/CloudKitKeychainSyncingMockXCTest.h +++ b/keychain/ckks/tests/CloudKitKeychainSyncingMockXCTest.h @@ -20,6 +20,9 @@ * * @APPLE_LICENSE_HEADER_END@ */ + +#if OCTAGON + #import "CloudKitMockXCTest.h" #import "keychain/ckks/CKKS.h" #import "keychain/ckks/CKKSControl.h" @@ -47,8 +50,15 @@ NS_ASSUME_NONNULL_BEGIN @property (nullable) id mockCKKSKey; -@property (nullable) id currentSelfPeer; +@property (nullable) CKKSSOSSelfPeer* currentSelfPeer; +@property (nullable) NSError* currentSelfPeerError; @property (nullable) NSMutableSet>* currentPeers; +@property (nullable) NSError* currentPeersError; + +@property (nullable) NSError* keychainFetchError; + +// A single trusted SOSPeer, but without any CKKS keys +@property CKKSSOSPeer* remoteSOSOnlyPeer; @property NSMutableSet* ckksZones; @property (nullable) NSMutableDictionary* keys; 
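Review bot: The rewritten archiver code in the `@@ -315,11 +316,9 @@` hunk drops `[archiver finishEncoding]` and reads `archiver.encodedData` right after `encodeSystemFieldsWithCoder:`. That is correct because `encodedData` finishes the archive itself when `finishEncoding` has not been called, but nothing at the call site says so. A one-line comment such as `// encodedData finishes the archive if finishEncoding was not called` would keep a later edit from adding encode calls after the read. With `initRequiringSecureCoding:YES` now in force, it would also help to assert on the result before `saveToDatabase:`, for example `XCTAssertNil(archiver.error, "system fields should archive under secure coding");`. The enclosing test method starts before the hunk and continues after it.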
@@ -60,6 +70,10 @@ NS_ASSUME_NONNULL_BEGIN - (void)saveTLKMaterialToKeychain:(CKRecordZoneID*)zoneID; - (void)deleteTLKMaterialFromKeychain:(CKRecordZoneID*)zoneID; - (void)saveTLKMaterialToKeychainSimulatingSOS:(CKRecordZoneID*)zoneID; +- (void)putFakeDeviceStatusInCloudKit:(CKRecordZoneID*)zoneID; +- (void)putFakeDeviceStatusInCloudKit:(CKRecordZoneID*)zoneID + zonekeys:(ZoneKeys*)zonekeys; + - (void)SOSPiggyBackAddToKeychain:(NSDictionary*)piggydata; - (NSMutableDictionary*)SOSPiggyBackCopyFromKeychain; - (NSMutableArray*)SOSPiggyICloudIdentities; @@ -79,7 +93,7 @@ NS_ASSUME_NONNULL_BEGIN - (void)rollFakeKeyHierarchyInCloudKit:(CKRecordZoneID*)zoneID; -- (NSDictionary*)fakeRecordDictionary:(NSString*)account zoneID:(CKRecordZoneID*)zoneID; +- (NSDictionary*)fakeRecordDictionary:(NSString* _Nullable)account zoneID:(CKRecordZoneID*)zoneID; - (CKRecord*)createFakeRecord:(CKRecordZoneID*)zoneID recordName:(NSString*)recordName; - (CKRecord*)createFakeRecord:(CKRecordZoneID*)zoneID recordName:(NSString*)recordName withAccount:(NSString* _Nullable)account; - (CKRecord*)createFakeRecord:(CKRecordZoneID*)zoneID @@ -135,3 +149,5 @@ NS_ASSUME_NONNULL_BEGIN @end NS_ASSUME_NONNULL_END + +#endif /* OCTAGON */ diff --git a/keychain/ckks/tests/CloudKitKeychainSyncingMockXCTest.m b/keychain/ckks/tests/CloudKitKeychainSyncingMockXCTest.m index 63ba5409..1515a7fe 100644 --- a/keychain/ckks/tests/CloudKitKeychainSyncingMockXCTest.m +++ b/keychain/ckks/tests/CloudKitKeychainSyncingMockXCTest.m @@ -44,6 +44,8 @@ #import "keychain/ckks/CKKSManifest.h" #import "keychain/ckks/CKKSPeer.h" +#import "keychain/ot/OTDefines.h" + #pragma clang diagnostic push #pragma clang diagnostic ignored "-Wdeprecated-declarations" #import "Security/SecureObjectSync/SOSAccount.h" 
@@ -109,7 +111,7 @@ [description isEqualToString: [SecCKKSKeyClassTLK stringByAppendingString: @"-piggy"]]; bool isClassA = [description isEqualToString: SecCKKSKeyClassA]; - return (isTLK || isClassA) && strongSelf.aksLockState; + return ((isTLK || isClassA) && strongSelf.aksLockState) || self.keychainFetchError; }; OCMStub([self.mockCKKSKey setKeyMaterialInKeychain:[OCMArg checkWithBlock:shouldFailKeychainQuery] error:[OCMArg anyObjectRef]] @@ -123,10 +125,15 @@ encryptionKey:[[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]] signingKey:[[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]]]; - // No trusted non-self peers by default. Your test can change this if it wants. + // One trusted non-self peer, but it doesn't have any Octagon keys. Your test can change this if it wants. + // However, note that [self putFakeDeviceStatusInCloudKit:] will likely not do what you want. + self.remoteSOSOnlyPeer = [[CKKSSOSPeer alloc] initWithSOSPeerID:@"remote-peer-with-no-keys" + encryptionPublicKey:nil + signingPublicKey:nil]; self.currentPeers = [NSMutableSet set]; + [self.currentPeers addObject:self.remoteSOSOnlyPeer]; - OCMStub([self.mockCKKSViewManager fetchSelfPeers:[OCMArg anyObjectRef]]).andCall(self, @selector(fetchSelfPeers:)); + OCMStub([self.mockCKKSViewManager currentSOSSelf:[OCMArg anyObjectRef]]).andCall(self, @selector(currentSOSSelf:)); OCMStub([self.mockCKKSViewManager fetchTrustedPeers:[OCMArg anyObjectRef]]).andCall(self, @selector(fetchTrustedPeers:)); // Bring up a fake CKKSControl object 
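Review bot: The new `|| self.keychainFetchError` operand in the `shouldFailKeychainQuery` block captures `self` strongly, although the same expression already goes through `strongSelf`. The block is handed to an OCMock stub on `self.mockCKKSKey`, so this probably keeps the test case alive through its own mock, which is what the weak/strong pair was there to prevent. I would write `return ((isTLK || isClassA) && strongSelf.aksLockState) || (strongSelf.keychainFetchError != nil);`, which also makes the pointer-to-boolean conversion explicit. The block begins outside this hunk, so the declaration of `strongSelf` is not visible here.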
@@ -147,20 +154,30 @@ self.currentPeers = nil; } -- (CKKSSelves*)fetchSelfPeers:(NSError* __autoreleasing *)error { - // - if(self.aksLockState) { +- (id _Nullable)currentSOSSelf:(NSError**)error { + if(self.currentSelfPeerError) { + if(error) { + *error = self.currentSelfPeerError; + } + return nil; + } else if(self.aksLockState) { if(error) { *error = [NSError errorWithDomain:(__bridge NSString*)kSecErrorDomain code:errSecInteractionNotAllowed userInfo:nil]; } return nil; } else { - // Only supports a single self peer for now - return [[CKKSSelves alloc] initWithCurrent:self.currentSelfPeer allSelves:nil]; + return self.currentSelfPeer; } } - (NSSet>*)fetchTrustedPeers:(NSError* __autoreleasing *)error { + if(self.currentPeersError) { + if(error) { + *error = self.currentPeersError; + } + return nil; + } + // Trusted Peers include ourselves, but as a CKKSSOSPeer object instead of a self peer CKKSSOSPeer* s = [[CKKSSOSPeer alloc] initWithSOSPeerID:self.currentSelfPeer.peerID encryptionPublicKey:self.currentSelfPeer.publicEncryptionKey @@ -194,6 +211,13 @@ // Helpers to handle 'locked' keychain loading and saving -(bool)handleLockLoadKeyMaterialFromKeychain:(NSDictionary*)query error:(NSError * __autoreleasing *) error { + if(self.keychainFetchError) { + if(error) { + *error = self.keychainFetchError; + } + return false; + } + // I think the behavior is: errSecItemNotFound if the item doesn't exist, otherwise errSecInteractionNotAllowed. XCTAssertTrue(self.aksLockState, "Failing a read when keychain is locked"); @@ -211,6 +235,13 @@ } -(bool)handleLockSetKeyMaterialInKeychain:(NSDictionary*)query error:(NSError * __autoreleasing *) error { + if(self.keychainFetchError) { + if(error) { + *error = self.keychainFetchError; + } + return false; + } + XCTAssertTrue(self.aksLockState, "Failing a write only when keychain is locked"); if(error) { *error = [NSError errorWithDomain:@"securityd" code:errSecInteractionNotAllowed userInfo:nil]; 
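Review bot: The `keychainFetchError` early return is pasted verbatim into `handleLockLoadKeyMaterialFromKeychain:error:` (hunk at -194) and `handleLockSetKeyMaterialInKeychain:error:` (hunk at -211). The same shape appears in `currentSOSSelf:` and `fetchTrustedPeers:` for their own error properties. A small private helper would keep the four sites in step, for example `- (BOOL)reportInjectedError:(NSError* _Nullable)injected into:(NSError* __autoreleasing *)error` returning YES when it filled `*error`, so each caller becomes `if([self reportInjectedError:self.keychainFetchError into:error]) { return false; }`. Both handlers continue past the end of their hunks.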
@@ -282,6 +313,25 @@ XCTAssertNil(error, "Current Class C pointer saved to database successfully"); } +- (void)putFakeDeviceStatusInCloudKit:(CKRecordZoneID*)zoneID zonekeys:(ZoneKeys*)zonekeys { + CKKSDeviceStateEntry* dse = [[CKKSDeviceStateEntry alloc] initForDevice:self.remoteSOSOnlyPeer.peerID + osVersion:@"faux-version" + lastUnlockTime:nil + circlePeerID:self.remoteSOSOnlyPeer.peerID + circleStatus:kSOSCCInCircle + keyState:SecCKKSZoneKeyStateReady + currentTLKUUID:zonekeys.tlk.uuid + currentClassAUUID:zonekeys.classA.uuid + currentClassCUUID:zonekeys.classC.uuid + zoneID:zoneID + encodedCKRecord:nil]; + [self.zones[zoneID] addToZone:dse zoneID:zoneID]; +} + +- (void)putFakeDeviceStatusInCloudKit:(CKRecordZoneID*)zoneID { + [self putFakeDeviceStatusInCloudKit:zoneID zonekeys:self.keys[zoneID]]; +} + - (void)putFakeKeyHierarchyInCloudKit: (CKRecordZoneID*)zoneID { ZoneKeys* zonekeys = [self createFakeKeyHierarchy: zoneID oldTLK:nil]; @@ -365,6 +415,7 @@ static SOSFullPeerInfoRef SOSCreateFullPeerInfoFromName(CFStringRef name, SOSFullPeerInfoRef fpi = SOSCreateFullPeerInfoFromName(CFSTR("Test Peer"), &signingKey, &octagonSigningKey, &octagonEncryptionKey, NULL); NSData *data = CFBridgingRelease(SOSPeerInfoCopyData(SOSFullPeerInfoGetPeerInfo(fpi), NULL)); + CFReleaseNull(fpi); if (data) [icloudidentities addObject:data]; @@ -480,7 +531,10 @@ static CFDictionaryRef SOSCreatePeerGestaltFromName(CFStringRef name) NSSet* peers = [self.currentPeers setByAddingObject:self.currentSelfPeer]; for(id peer in peers) { - [self putTLKShareInCloudKit:key from:sharingPeer to:peer zoneID:zoneID]; + // Can only send to peers with encryption keys + if(peer.publicEncryptionKey) { + [self putTLKShareInCloudKit:key from:sharingPeer to:peer zoneID:zoneID]; + } } } 
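Review bot: `putFakeDeviceStatusInCloudKit:zonekeys:` in the first hunk never checks its inputs, so it can build a device state entry claiming `SecCKKSZoneKeyStateReady` with nil key UUIDs. The one-argument overload passes `self.keys[zoneID]`, which is nil until a key hierarchy has been created for that zone. If `self.zones[zoneID]` is nil, the `addToZone:` message is silently dropped and the test continues with nothing uploaded. I would open the method with `XCTAssertNotNil(zonekeys, "Need zone keys before faking a device state for %@", zoneID);` and `XCTAssertNotNil(self.zones[zoneID], "Need a fake zone for %@", zoneID);` so a mis-ordered test fails at the cause.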
@@ -512,7 +566,7 @@ static CFDictionaryRef SOSCreatePeerGestaltFromName(CFStringRef name) [self saveTLKSharesInLocalDatabase:zoneID]; } -// Override our base class here: +// Override our base class here, but only for Keychain Views - (void)expectCKModifyRecords:(NSDictionary*)expectedRecordTypeCounts deletedRecordTypeCounts:(NSDictionary*)expectedDeletedRecordTypeCounts 
@@ -520,70 +574,76 @@ static CFDictionaryRef SOSCreatePeerGestaltFromName(CFStringRef name) checkModifiedRecord:(BOOL (^)(CKRecord*))checkRecord runAfterModification:(void (^) ())afterModification { - __weak __typeof(self) weakSelf = self; + + void (^newAfterModification)() = afterModification; + if([self.ckksZones containsObject:zoneID]) { + __weak __typeof(self) weakSelf = self; + newAfterModification = ^{ + __strong __typeof(weakSelf) strongSelf = weakSelf; + XCTAssertNotNil(strongSelf, "self exists"); + + // Reach into our cloudkit database and extract the keys + CKRecordID* currentTLKPointerID = [[CKRecordID alloc] initWithRecordName:SecCKKSKeyClassTLK zoneID:zoneID]; + CKRecordID* currentClassAPointerID = [[CKRecordID alloc] initWithRecordName:SecCKKSKeyClassA zoneID:zoneID]; + CKRecordID* currentClassCPointerID = [[CKRecordID alloc] initWithRecordName:SecCKKSKeyClassC zoneID:zoneID]; + + ZoneKeys* zonekeys = strongSelf.keys[zoneID]; + if(!zonekeys) { + zonekeys = [[ZoneKeys alloc] init]; + strongSelf.keys[zoneID] = zonekeys; + } + + XCTAssertNotNil(strongSelf.zones[zoneID].currentDatabase[currentTLKPointerID], "Have a currentTLKPointer"); + XCTAssertNotNil(strongSelf.zones[zoneID].currentDatabase[currentClassAPointerID], "Have a currentClassAPointer"); + XCTAssertNotNil(strongSelf.zones[zoneID].currentDatabase[currentClassCPointerID], "Have a currentClassCPointer"); + XCTAssertNotNil(strongSelf.zones[zoneID].currentDatabase[currentTLKPointerID][SecCKRecordParentKeyRefKey], "Have a currentTLKPointer parent"); + XCTAssertNotNil(strongSelf.zones[zoneID].currentDatabase[currentClassAPointerID][SecCKRecordParentKeyRefKey], "Have a currentClassAPointer parent"); + XCTAssertNotNil(strongSelf.zones[zoneID].currentDatabase[currentClassCPointerID][SecCKRecordParentKeyRefKey], "Have a currentClassCPointer parent"); + XCTAssertNotNil([strongSelf.zones[zoneID].currentDatabase[currentTLKPointerID][SecCKRecordParentKeyRefKey] recordID].recordName, "Have a currentTLKPointer 
parent UUID"); + XCTAssertNotNil([strongSelf.zones[zoneID].currentDatabase[currentClassAPointerID][SecCKRecordParentKeyRefKey] recordID].recordName, "Have a currentClassAPointer parent UUID"); + XCTAssertNotNil([strongSelf.zones[zoneID].currentDatabase[currentClassCPointerID][SecCKRecordParentKeyRefKey] recordID].recordName, "Have a currentClassCPointer parent UUID"); + + zonekeys.currentTLKPointer = [[CKKSCurrentKeyPointer alloc] initWithCKRecord: strongSelf.zones[zoneID].currentDatabase[currentTLKPointerID]]; + zonekeys.currentClassAPointer = [[CKKSCurrentKeyPointer alloc] initWithCKRecord: strongSelf.zones[zoneID].currentDatabase[currentClassAPointerID]]; + zonekeys.currentClassCPointer = [[CKKSCurrentKeyPointer alloc] initWithCKRecord: strongSelf.zones[zoneID].currentDatabase[currentClassCPointerID]]; + + XCTAssertNotNil(zonekeys.currentTLKPointer.currentKeyUUID, "Have a currentTLKPointer current UUID"); + XCTAssertNotNil(zonekeys.currentClassAPointer.currentKeyUUID, "Have a currentClassAPointer current UUID"); + XCTAssertNotNil(zonekeys.currentClassCPointer.currentKeyUUID, "Have a currentClassCPointer current UUID"); + + CKRecordID* currentTLKID = [[CKRecordID alloc] initWithRecordName:zonekeys.currentTLKPointer.currentKeyUUID zoneID:zoneID]; + CKRecordID* currentClassAID = [[CKRecordID alloc] initWithRecordName:zonekeys.currentClassAPointer.currentKeyUUID zoneID:zoneID]; + CKRecordID* currentClassCID = [[CKRecordID alloc] initWithRecordName:zonekeys.currentClassCPointer.currentKeyUUID zoneID:zoneID]; + + zonekeys.tlk = [[CKKSKey alloc] initWithCKRecord: strongSelf.zones[zoneID].currentDatabase[currentTLKID]]; + zonekeys.classA = [[CKKSKey alloc] initWithCKRecord: strongSelf.zones[zoneID].currentDatabase[currentClassAID]]; + zonekeys.classC = [[CKKSKey alloc] initWithCKRecord: strongSelf.zones[zoneID].currentDatabase[currentClassCID]]; + + XCTAssertNotNil(zonekeys.tlk, "Have the current TLK"); + XCTAssertNotNil(zonekeys.classA, "Have the current Class A key"); 
+ XCTAssertNotNil(zonekeys.classC, "Have the current Class C key"); + + NSMutableArray* shares = [NSMutableArray array]; + for(CKRecordID* recordID in strongSelf.zones[zoneID].currentDatabase.allKeys) { + if([recordID.recordName hasPrefix: [CKKSTLKShare ckrecordPrefix]]) { + CKKSTLKShare* share = [[CKKSTLKShare alloc] initWithCKRecord:strongSelf.zones[zoneID].currentDatabase[recordID]]; + XCTAssertNotNil(share, "Should be able to parse a CKKSTLKShare CKRecord into a CKKSTLKShare"); + [shares addObject:share]; + } + } + zonekeys.tlkShares = shares; + + if(afterModification) { + afterModification(); + } + }; + } + [super expectCKModifyRecords:expectedRecordTypeCounts deletedRecordTypeCounts:expectedDeletedRecordTypeCounts zoneID:zoneID checkModifiedRecord:checkRecord - runAfterModification:^{ - __strong __typeof(weakSelf) strongSelf = weakSelf; - XCTAssertNotNil(strongSelf, "self exists"); - - // Reach into our cloudkit database and extract the keys - CKRecordID* currentTLKPointerID = [[CKRecordID alloc] initWithRecordName:SecCKKSKeyClassTLK zoneID:zoneID]; - CKRecordID* currentClassAPointerID = [[CKRecordID alloc] initWithRecordName:SecCKKSKeyClassA zoneID:zoneID]; - CKRecordID* currentClassCPointerID = [[CKRecordID alloc] initWithRecordName:SecCKKSKeyClassC zoneID:zoneID]; - - ZoneKeys* zonekeys = strongSelf.keys[zoneID]; - if(!zonekeys) { - zonekeys = [[ZoneKeys alloc] init]; - strongSelf.keys[zoneID] = zonekeys; - } - - XCTAssertNotNil(strongSelf.zones[zoneID].currentDatabase[currentTLKPointerID], "Have a currentTLKPointer"); - XCTAssertNotNil(strongSelf.zones[zoneID].currentDatabase[currentClassAPointerID], "Have a currentClassAPointer"); - XCTAssertNotNil(strongSelf.zones[zoneID].currentDatabase[currentClassCPointerID], "Have a currentClassCPointer"); - XCTAssertNotNil(strongSelf.zones[zoneID].currentDatabase[currentTLKPointerID][SecCKRecordParentKeyRefKey], "Have a currentTLKPointer parent"); - 
XCTAssertNotNil(strongSelf.zones[zoneID].currentDatabase[currentClassAPointerID][SecCKRecordParentKeyRefKey], "Have a currentClassAPointer parent"); - XCTAssertNotNil(strongSelf.zones[zoneID].currentDatabase[currentClassCPointerID][SecCKRecordParentKeyRefKey], "Have a currentClassCPointer parent"); - XCTAssertNotNil([strongSelf.zones[zoneID].currentDatabase[currentTLKPointerID][SecCKRecordParentKeyRefKey] recordID].recordName, "Have a currentTLKPointer parent UUID"); - XCTAssertNotNil([strongSelf.zones[zoneID].currentDatabase[currentClassAPointerID][SecCKRecordParentKeyRefKey] recordID].recordName, "Have a currentClassAPointer parent UUID"); - XCTAssertNotNil([strongSelf.zones[zoneID].currentDatabase[currentClassCPointerID][SecCKRecordParentKeyRefKey] recordID].recordName, "Have a currentClassCPointer parent UUID"); - - zonekeys.currentTLKPointer = [[CKKSCurrentKeyPointer alloc] initWithCKRecord: strongSelf.zones[zoneID].currentDatabase[currentTLKPointerID]]; - zonekeys.currentClassAPointer = [[CKKSCurrentKeyPointer alloc] initWithCKRecord: strongSelf.zones[zoneID].currentDatabase[currentClassAPointerID]]; - zonekeys.currentClassCPointer = [[CKKSCurrentKeyPointer alloc] initWithCKRecord: strongSelf.zones[zoneID].currentDatabase[currentClassCPointerID]]; - - XCTAssertNotNil(zonekeys.currentTLKPointer.currentKeyUUID, "Have a currentTLKPointer current UUID"); - XCTAssertNotNil(zonekeys.currentClassAPointer.currentKeyUUID, "Have a currentClassAPointer current UUID"); - XCTAssertNotNil(zonekeys.currentClassCPointer.currentKeyUUID, "Have a currentClassCPointer current UUID"); - - CKRecordID* currentTLKID = [[CKRecordID alloc] initWithRecordName:zonekeys.currentTLKPointer.currentKeyUUID zoneID:zoneID]; - CKRecordID* currentClassAID = [[CKRecordID alloc] initWithRecordName:zonekeys.currentClassAPointer.currentKeyUUID zoneID:zoneID]; - CKRecordID* currentClassCID = [[CKRecordID alloc] initWithRecordName:zonekeys.currentClassCPointer.currentKeyUUID zoneID:zoneID]; - - 
zonekeys.tlk = [[CKKSKey alloc] initWithCKRecord: strongSelf.zones[zoneID].currentDatabase[currentTLKID]]; - zonekeys.classA = [[CKKSKey alloc] initWithCKRecord: strongSelf.zones[zoneID].currentDatabase[currentClassAID]]; - zonekeys.classC = [[CKKSKey alloc] initWithCKRecord: strongSelf.zones[zoneID].currentDatabase[currentClassCID]]; - - XCTAssertNotNil(zonekeys.tlk, "Have the current TLK"); - XCTAssertNotNil(zonekeys.classA, "Have the current Class A key"); - XCTAssertNotNil(zonekeys.classC, "Have the current Class C key"); - - NSMutableArray* shares = [NSMutableArray array]; - for(CKRecordID* recordID in strongSelf.zones[zoneID].currentDatabase.allKeys) { - if([recordID.recordName hasPrefix: [CKKSTLKShare ckrecordPrefix]]) { - CKKSTLKShare* share = [[CKKSTLKShare alloc] initWithCKRecord:strongSelf.zones[zoneID].currentDatabase[recordID]]; - XCTAssertNotNil(share, "Should be able to parse a CKKSTLKShare CKRecord into a CKKSTLKShare"); - [shares addObject:share]; - } - } - zonekeys.tlkShares = shares; - - if(afterModification) { - afterModification(); - } - }]; + runAfterModification:newAfterModification]; } - (void)expectCKReceiveSyncKeyHierarchyError:(CKRecordZoneID*)zoneID { 
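Review bot: Inside the new `newAfterModification` block, `XCTAssertNotNil(strongSelf, "self exists")` records a failure but does not stop the block. If the test case has already gone away, every later statement messages nil and each following `XCTAssertNotNil` fails as well, burying the real cause. I would follow the assert with `if(!strongSelf) { return; }`. It is also worth a one-line comment above `if([self.ckksZones containsObject:zoneID])` saying that zones outside `ckksZones` get the caller's `afterModification` untouched, since that is the behaviour change the reworded "only for Keychain Views" comment refers to. The method signature starts before this hunk.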
@@ -947,13 +1007,13 @@ static CFDictionaryRef SOSCreatePeerGestaltFromName(CFStringRef name) }; CFTypeRef result = NULL; - XCTAssertEqual(errSecSuccess, SecItemCopyMatching((__bridge CFDictionaryRef) query, &result), "Finding item %@", account); - XCTAssertNotNil((__bridge id)result, "Received an item"); + XCTAssertEqual(errSecSuccess, SecItemCopyMatching((__bridge CFDictionaryRef) query, &result), "Item %@ should exist", account); + XCTAssertNotNil((__bridge id)result, "Should have received an item"); NSString* storedPassword = [[NSString alloc] initWithData: (__bridge NSData*) result encoding: NSUTF8StringEncoding]; - XCTAssertNotNil(storedPassword, "Password parsed as a password"); + XCTAssertNotNil(storedPassword, "Password should parse as a UTF8 password"); - XCTAssertEqualObjects(storedPassword, password, "Stored password matches received password"); + XCTAssertEqualObjects(storedPassword, password, "Stored password should match received password"); } -(XCTestExpectation*)expectChangeForView:(NSString*)view { diff --git a/keychain/ckks/tests/CloudKitKeychainSyncingTestsBase.h b/keychain/ckks/tests/CloudKitKeychainSyncingTestsBase.h new file mode 100644 index 00000000..97822f9f --- /dev/null +++ b/keychain/ckks/tests/CloudKitKeychainSyncingTestsBase.h 
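Review bot: In the first hunk, `result` is returned by `SecItemCopyMatching` with an owning reference and is only ever cast with `__bridge`, so nothing visible before the closing brace releases it. This commit fixes the same kind of leak elsewhere with `CFReleaseNull(fpi)`. Transferring ownership once would cover it: `NSData* resultData = CFBridgingRelease(result);`, then using `resultData` in the assert and in `initWithData:`. The start of the method is outside this hunk.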
@@ -0,0 +1,58 @@ +/* + * Copyright (c) 2018 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#ifndef CloudKitKeychainSyncingTestsBase_h +#define CloudKitKeychainSyncingTestsBase_h + +#import +#import +#import + +#include + +#import "keychain/ckks/CKKS.h" +#import "keychain/ckks/CKKSKeychainView.h" +#import "keychain/ckks/CKKSManifest.h" +#import "keychain/ckks/CKKSViewManager.h" + +#import "keychain/ckks/tests/CloudKitKeychainSyncingMockXCTest.h" +#import "keychain/ckks/tests/CloudKitMockXCTest.h" +#import "keychain/ckks/tests/MockCloudKit.h" + +NS_ASSUME_NONNULL_BEGIN + +@interface CloudKitKeychainSyncingTestsBase : CloudKitKeychainSyncingMockXCTest +@property (nullable) CKRecordZoneID* keychainZoneID; +@property (nullable) CKKSKeychainView* keychainView; +@property (nullable) FakeCKZone* keychainZone; + +@property (nullable, readonly) ZoneKeys* keychainZoneKeys; + +@property NSCalendar* utcCalendar; + +- (ZoneKeys*)keychainZoneKeys; +@end + +NS_ASSUME_NONNULL_END + +#endif /* CloudKitKeychainSyncingTestsBase_h */ 
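Review bot: `keychainZoneKeys` is declared twice with conflicting nullability: the property is `(nullable, readonly)`, but the explicit `- (ZoneKeys*)keychainZoneKeys;` sits inside `NS_ASSUME_NONNULL_BEGIN` and is therefore nonnull. The implementation in the .m returns `self.keys[self.keychainZoneID]`, which is nil until keys exist for the zone, so the property's annotation is the accurate one. I would delete the method declaration, since the readonly property already declares the getter. Separately, this new header has no `#if OCTAGON` guard, although its .m and the sibling test headers touched in this commit do; if that is deliberate, a short comment would help.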
diff --git a/keychain/ckks/tests/CloudKitKeychainSyncingTestsBase.m b/keychain/ckks/tests/CloudKitKeychainSyncingTestsBase.m new file mode 100644 index 00000000..1c109e32 --- /dev/null +++ b/keychain/ckks/tests/CloudKitKeychainSyncingTestsBase.m 
@@ -0,0 +1,96 @@ +/* + * Copyright (c) 2018 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if OCTAGON + +#import "CloudKitKeychainSyncingTestsBase.h" + +@implementation CloudKitKeychainSyncingTestsBase + +- (ZoneKeys*)keychainZoneKeys { + return self.keys[self.keychainZoneID]; +} + +// Override our base class +-(NSSet*)managedViewList { + return [NSSet setWithObject:@"keychain"]; +} + ++ (void)setUp { + SecCKKSEnable(); + SecCKKSResetSyncing(); + [super setUp]; +} + +- (void)setUp { + self.utcCalendar = [NSCalendar calendarWithIdentifier:NSCalendarIdentifierISO8601]; + self.utcCalendar.timeZone = [NSTimeZone timeZoneWithAbbreviation:@"UTC"]; + + [super setUp]; + + self.keychainZoneID = [[CKRecordZoneID alloc] initWithZoneName:@"keychain" ownerName:CKCurrentUserDefaultName]; + self.keychainZone = [[FakeCKZone alloc] initZone: self.keychainZoneID]; + + [self.ckksZones addObject:self.keychainZoneID]; + + // Wait for the ViewManager to be brought up + XCTAssertEqual(0, [self.injectedManager.completedSecCKKSInitialize wait:4*NSEC_PER_SEC], "No timeout waiting for 
SecCKKSInitialize"); + + self.keychainView = [[CKKSViewManager manager] findView:@"keychain"]; + XCTAssertNotNil(self.keychainView, "CKKSViewManager created the keychain view"); + + // Check that your environment is set up correctly + XCTAssertFalse([CKKSManifest shouldSyncManifests], "Manifests syncing is disabled"); + XCTAssertFalse([CKKSManifest shouldEnforceManifests], "Manifests enforcement is disabled"); +} + ++ (void)tearDown { + [super tearDown]; + SecCKKSResetSyncing(); +} + +- (void)tearDown { + // Fetch status, to make sure we can + NSDictionary* status = [self.keychainView status]; + (void)status; + + [self.keychainView halt]; + [self.keychainView waitUntilAllOperationsAreFinished]; + + self.keychainView = nil; + self.keychainZoneID = nil; + + [super tearDown]; +} + +- (FakeCKZone*)keychainZone { + return self.zones[self.keychainZoneID]; +} + +- (void)setKeychainZone: (FakeCKZone*) zone { + self.zones[self.keychainZoneID] = zone; +} + +@end + +#endif /* OCTAGON */ diff --git a/keychain/ckks/tests/CloudKitMockXCTest.h b/keychain/ckks/tests/CloudKitMockXCTest.h index 59dba40a..8db293eb 100644 --- a/keychain/ckks/tests/CloudKitMockXCTest.h +++ b/keychain/ckks/tests/CloudKitMockXCTest.h @@ -21,11 +21,14 @@ * @APPLE_LICENSE_HEADER_END@ */ +#if OCTAGON + #import #import #import #import +#import #import "keychain/ckks/CKKSCKAccountStateTracker.h" #import "keychain/ckks/tests/MockCloudKit.h" @@ -38,6 +41,7 @@ NS_ASSUME_NONNULL_BEGIN @class CKKSViewManager; @class FakeCKZone; @class CKKSLockStateTracker; +@class CKKSReachabilityTracker; @interface CloudKitMockXCTest : XCTestCase @@ -56,6 +60,7 @@ NS_ASSUME_NONNULL_BEGIN @property CKAccountStatus accountStatus; @property BOOL supportsDeviceToDeviceEncryption; +@property BOOL iCloudHasValidCredentials; @property SOSCCStatus circleStatus; @property (readonly) NSString* ckDeviceID; @property (readonly) CKKSCKAccountStateTracker* accountStateTracker; 
@@ -66,6 +71,10 @@ NS_ASSUME_NONNULL_BEGIN @property (readonly) CKKSLockStateTracker* lockStateTracker; @property (nullable) id mockLockStateTracker; +@property SCNetworkReachabilityFlags reachabilityFlags; // The current 'network reachability flags' +@property (readonly) CKKSReachabilityTracker *reachabilityTracker; +@property (nullable) id mockReachabilityTracker; + @property (nullable) NSMutableDictionary* zones; @property (nullable) NSOperationQueue* operationQueue; @@ -75,6 +84,7 @@ NS_ASSUME_NONNULL_BEGIN @property (nullable) NSBlockOperation* ckFetchHoldOperation; @property bool silentFetchesAllowed; +@property bool silentZoneDeletesAllowed; @property (nullable) id mockCKKSViewManager; @property (nullable) CKKSViewManager* injectedManager; @@ -101,6 +111,11 @@ NS_ASSUME_NONNULL_BEGIN currentKeyPointerRecords:(NSUInteger)expectedCurrentKeyRecords tlkShareRecords:(NSUInteger)expectedTLKShareRecords zoneID:(CKRecordZoneID*)zoneID; +- (void)expectCKModifyKeyRecords:(NSUInteger)expectedNumberOfRecords + currentKeyPointerRecords:(NSUInteger)expectedCurrentKeyRecords + tlkShareRecords:(NSUInteger)expectedTLKShareRecords + zoneID:(CKRecordZoneID*)zoneID + checkModifiedRecord:(BOOL (^_Nullable)(CKRecord*))checkModifiedRecord; - (void)expectCKModifyRecords:(NSDictionary*)expectedRecordTypeCounts deletedRecordTypeCounts:(NSDictionary* _Nullable)expectedDeletedRecordTypeCounts @@ -164,3 +179,5 @@ NS_ASSUME_NONNULL_BEGIN @end NS_ASSUME_NONNULL_END + +#endif /* OCTAGON */ diff --git a/keychain/ckks/tests/CloudKitMockXCTest.m b/keychain/ckks/tests/CloudKitMockXCTest.m index 56a59241..82dea2e3 100644 --- a/keychain/ckks/tests/CloudKitMockXCTest.m +++ b/keychain/ckks/tests/CloudKitMockXCTest.m @@ -52,6 +52,7 @@ #include #include "keychain/ckks/CKKSGroupOperation.h" #include "keychain/ckks/CKKSLockStateTracker.h" +#include "keychain/ckks/CKKSReachabilityTracker.h" #import "MockCloudKit.h" 
@@ -73,6 +74,7 @@ + (void)setUp { // Turn on testing SecCKKSTestsEnable(); + SecCKKSSetReduceRateLimiting(true); [super setUp]; #if NO_SERVER @@ -92,6 +94,7 @@ SecCKKSTestSetDisableSOS(true); self.silentFetchesAllowed = true; + self.silentZoneDeletesAllowed = false; // Set to true if you want to do any deletes __weak __typeof(self) weakSelf = self; self.operationQueue = [[NSOperationQueue alloc] init]; @@ -119,6 +122,7 @@ self.accountStatus = CKAccountStatusAvailable; self.supportsDeviceToDeviceEncryption = YES; + self.iCloudHasValidCredentials = YES; // Inject a fake operation dependency so we won't respond with the CloudKit account status immediately // The CKKSCKAccountStateTracker won't send any login/logout calls without that information, so this blocks all CKKS setup @@ -153,6 +157,7 @@ CKAccountInfo* account = [[CKAccountInfo alloc] init]; account.accountStatus = blockStrongSelf.accountStatus; account.supportsDeviceToDeviceEncryption = blockStrongSelf.supportsDeviceToDeviceEncryption; + account.hasValidCredentials = blockStrongSelf.iCloudHasValidCredentials; account.accountPartition = CKAccountPartitionTypeProduction; passedBlock((CKAccountInfo*)account, nil); }]; 
@@ -190,8 +195,13 @@ self.mockLockStateTracker = OCMClassMock([CKKSLockStateTracker class]); OCMStub([self.mockLockStateTracker queryAKSLocked]).andCall(self, @selector(aksLockState)); + self.reachabilityFlags = kSCNetworkReachabilityFlagsReachable; // Lie and say network is available + self.mockReachabilityTracker = OCMClassMock([CKKSReachabilityTracker class]); + OCMStub([self.mockReachabilityTracker getReachabilityFlags:[OCMArg anyPointer]]).andCall(self, @selector(reachabilityFlags)); + self.mockFakeCKModifyRecordZonesOperation = OCMClassMock([FakeCKModifyRecordZonesOperation class]); OCMStub([self.mockFakeCKModifyRecordZonesOperation ckdb]).andReturn(self.zones); + OCMStub([self.mockFakeCKModifyRecordZonesOperation ensureZoneDeletionAllowed:[OCMArg any]]).andCall(self, @selector(ensureZoneDeletionAllowed:)); self.mockFakeCKModifySubscriptionsOperation = OCMClassMock([FakeCKModifySubscriptionsOperation class]); OCMStub([self.mockFakeCKModifySubscriptionsOperation ckdb]).andReturn(self.zones); @@ -293,6 +303,11 @@ } } + +- (void)ensureZoneDeletionAllowed:(FakeCKZone*)zone { + XCTAssertTrue(self.silentZoneDeletesAllowed, "Should be allowing zone deletes"); +} + -(CKKSCKAccountStateTracker*)accountStateTracker { return self.injectedManager.accountTracker; } @@ -301,6 +316,10 @@ return self.injectedManager.lockStateTracker; } +-(CKKSReachabilityTracker*)reachabilityTracker { + return self.injectedManager.reachabilityTracker; +} + -(NSSet*)managedViewList { return (NSSet*) CFBridgingRelease(SOSViewCopyViewSet(kViewSetCKKS)); } 
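Review bot: The stub for `getReachabilityFlags:` in the first hunk is forwarded with `andCall` to the zero-argument getter `reachabilityFlags`, so the pointer matched by `[OCMArg anyPointer]` is presumably never written. Only the getter's return value comes back, and it is reinterpreted as whatever `getReachabilityFlags:` returns. The declaration of `getReachabilityFlags:` is not visible here, so this needs confirming. If it reports through the out-parameter, code under test would read uninitialised flags regardless of what a test sets in `self.reachabilityFlags`. The neighbouring `queryAKSLocked` to `aksLockState` stub works because both take no arguments. I would add a test-side method with the same signature as `getReachabilityFlags:` that stores `self.reachabilityFlags` through the pointer, and point `andCall` at that.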
@@ -471,7 +490,21 @@ - (void)expectCKModifyKeyRecords:(NSUInteger)expectedNumberOfRecords currentKeyPointerRecords:(NSUInteger)expectedCurrentKeyRecords tlkShareRecords:(NSUInteger)expectedTLKShareRecords - zoneID:(CKRecordZoneID*)zoneID { + zoneID:(CKRecordZoneID*)zoneID +{ + return [self expectCKModifyKeyRecords:expectedNumberOfRecords + currentKeyPointerRecords:expectedCurrentKeyRecords + tlkShareRecords:expectedTLKShareRecords + zoneID:zoneID + checkModifiedRecord:nil]; +} + +- (void)expectCKModifyKeyRecords:(NSUInteger)expectedNumberOfRecords + currentKeyPointerRecords:(NSUInteger)expectedCurrentKeyRecords + tlkShareRecords:(NSUInteger)expectedTLKShareRecords + zoneID:(CKRecordZoneID*)zoneID + checkModifiedRecord:(BOOL (^_Nullable)(CKRecord*))checkModifiedRecord +{ NSNumber* nkeys = [NSNumber numberWithUnsignedInteger: expectedNumberOfRecords]; NSNumber* ncurrentkeys = [NSNumber numberWithUnsignedInteger: expectedCurrentKeyRecords]; NSNumber* ntlkshares = [NSNumber numberWithUnsignedInteger: expectedTLKShareRecords]; @@ -482,7 +515,7 @@ } deletedRecordTypeCounts:nil zoneID:zoneID - checkModifiedRecord:nil + checkModifiedRecord:checkModifiedRecord runAfterModification:nil]; } @@ -737,14 +770,18 @@ if ([obj isKindOfClass:[CKModifyRecordsOperation class]]) { CKModifyRecordsOperation *op = (CKModifyRecordsOperation *)obj; + secnotice("fakecloudkit", "checking for expectCKAtomicModifyItemRecordsUpdateFailure"); + if(!op.atomic) { // We only care about atomic operations + secnotice("fakecloudkit", "expectCKAtomicModifyItemRecordsUpdateFailure: update not atomic"); return NO; } // We want to only match zone updates pertaining to this zone for(CKRecord* record in op.recordsToSave) { if(![record.recordID.zoneID isEqual: zoneID]) { + secnotice("fakecloudkit", "expectCKAtomicModifyItemRecordsUpdateFailure: %@ is not %@", record.recordID.zoneID, zoneID); return NO; } } 
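Review bot: The new four-argument `expectCKModifyKeyRecords:currentKeyPointerRecords:tlkShareRecords:zoneID:` wrapper is declared `- (void)` yet writes `return [self expectCKModifyKeyRecords:...]`. Clang accepts returning a void expression, but it reads as if a value were propagated and is flagged under pedantic warnings. I would drop the `return` and leave the forwarding call as a plain statement. The five-argument variant's body continues into the next hunk on this line.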
@@ -767,6 +804,8 @@ if(rejected) { [strongSelf rejectWrite: op failedRecords:failedRecords]; + } else { + secnotice("fakecloudkit", "expectCKAtomicModifyItemRecordsUpdateFailure: doesn't seem like an error to us"); } } return rejected ? YES : NO; @@ -811,7 +850,7 @@ // We're updating the device state type on every update, so add it in here NSMutableDictionary* expectedRecords = [@{ - SecCKRecordDeviceStateType: [NSNumber numberWithUnsignedInt: 1], + SecCKRecordDeviceStateType: [NSNumber numberWithUnsignedInteger:expectedNumberOfRecords], } mutableCopy]; if(SecCKKSSyncManifests()) { // TODO: this really shouldn't be 2. @@ -840,6 +879,8 @@ if(SecCKKSIsEnabled()) { self.accountStatus = CKAccountStatusCouldNotDetermine; + // If the test never initialized the account state, don't call status later + bool callStatus = [self.ckaccountHoldOperation isFinished]; [self.ckaccountHoldOperation cancel]; self.ckaccountHoldOperation = nil; @@ -850,6 +891,16 @@ XCTAssertEqual(0, [self.injectedManager.completedSecCKKSInitialize wait:2*NSEC_PER_SEC], "Timeout did not occur waiting for SecCKKSInitialize"); + // Ensure that we can fetch zone status for all zones + if(callStatus) { + XCTestExpectation *statusReturned = [self expectationWithDescription:@"status returned"]; + [self.injectedManager rpcStatus:nil reply:^(NSArray *result, NSError *error) { + XCTAssertNil(error, "Should be no error fetching status"); + [statusReturned fulfill]; + }]; + [self waitForExpectations: @[statusReturned] timeout:5]; + } + // Make sure this happens before teardown. XCTAssertEqual(0, [self.accountStateTracker.finishedInitialDispatches wait:1*NSEC_PER_SEC], "Account state tracker initialized itself"); @@ -871,6 +922,9 @@ [self.mockLockStateTracker stopMocking]; self.mockLockStateTracker = nil; + [self.mockReachabilityTracker stopMocking]; + self.mockReachabilityTracker = nil; + [self.mockFakeCKModifyRecordZonesOperation stopMocking]; self.mockFakeCKModifyRecordZonesOperation = nil; 
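Review bot: The status check added in the `@@ -850,6 +891,16 @@` hunk asserts only on `error` and ignores `result`, so a reply carrying no status at all still satisfies the "fetch zone status for all zones" comment. Adding `XCTAssertNotNil(result, "Should have received a status array");` inside the reply block would pin that. The enclosing teardown method starts and ends outside the hunk.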
diff --git a/keychain/ckks/tests/MockCloudKit.h b/keychain/ckks/tests/MockCloudKit.h index 5bc654fd..11ef4eb1 100644 --- a/keychain/ckks/tests/MockCloudKit.h +++ b/keychain/ckks/tests/MockCloudKit.h @@ -21,6 +21,7 @@ * @APPLE_LICENSE_HEADER_END@ */ +#if OCTAGON #import #import @@ -41,6 +42,7 @@ typedef NSMutableDictionary FakeCKDatabase; @property (nonatomic, nullable) NSMutableArray* recordZonesSaved; @property (nonatomic, nullable) NSMutableArray* recordZoneIDsDeleted; + (FakeCKDatabase*)ckdb; ++(void)ensureZoneDeletionAllowed:(FakeCKZone*)zone; @end @interface FakeCKModifySubscriptionsOperation : NSBlockOperation @@ -116,3 +118,5 @@ typedef NSMutableDictionary FakeCKDatabase; @end NS_ASSUME_NONNULL_END + +#endif /* OCTAGON */ diff --git a/keychain/ckks/tests/MockCloudKit.m b/keychain/ckks/tests/MockCloudKit.m index abaada93..556ab2ab 100644 --- a/keychain/ckks/tests/MockCloudKit.m +++ b/keychain/ckks/tests/MockCloudKit.m @@ -26,6 +26,7 @@ #import "keychain/ckks/tests/MockCloudKit.h" #import "keychain/ckks/CKKS.h" #import "keychain/ckks/CKKSRecordHolder.h" +#import "keychain/ckks/CKKSReachabilityTracker.h" #import #import @@ -38,6 +39,7 @@ @synthesize recordZonesToSave = _recordZonesToSave; @synthesize recordZoneIDsToDelete = _recordZoneIDsToDelete; @synthesize modifyRecordZonesCompletionBlock = _modifyRecordZonesCompletionBlock; +@synthesize group = _group; - (instancetype)initWithRecordZonesToSave:(nullable NSArray *)recordZonesToSave recordZoneIDsToDelete:(nullable NSArray *)recordZoneIDsToDelete { if(self = [super init]) { @@ -107,6 +109,7 @@ if(zone) { // The zone exists. Its deletion will succeed. + [FakeCKModifyRecordZonesOperation ensureZoneDeletionAllowed:zone]; ckdb[zoneID] = nil; if(!self.recordZoneIDsDeleted) { 
@@ -137,6 +140,11 @@ reason:[NSString stringWithFormat:@"+ckdb[] must be mocked out for use"] userInfo:nil]; } + ++(void)ensureZoneDeletionAllowed:(FakeCKZone*)zone { + // Shouldn't ever be called; will be mocked out + (void)zone; +} @end @implementation FakeCKModifySubscriptionsOperation @@ -257,6 +265,13 @@ return; } + SCNetworkReachabilityFlags reachabilityFlags = [CKKSReachabilityTracker getReachabilityFlags:NULL]; + if ((reachabilityFlags & kSCNetworkReachabilityFlagsReachable) == 0) { + NSError *networkError = [NSError errorWithDomain:CKErrorDomain code:CKErrorNetworkFailure userInfo:NULL]; + self.fetchRecordZoneChangesCompletionBlock(networkError); + return; + } + // Not precisely correct in the case of multiple zone fetches. However, we don't currently do that, so it'll work for now. NSError* mockError = [zone popFetchChangesError]; if(mockError) { @@ -324,6 +339,7 @@ @implementation FakeCKFetchRecordsOperation @synthesize recordIDs = _recordIDs; @synthesize desiredKeys = _desiredKeys; +@synthesize configuration = _configuration; @synthesize perRecordProgressBlock = _perRecordProgressBlock; @synthesize perRecordCompletionBlock = _perRecordCompletionBlock; @@ -343,7 +359,6 @@ return self; } - - (void)main { FakeCKDatabase* ckdb = [FakeCKFetchRecordsOperation ckdb]; diff --git a/keychain/ckks/tests/RateLimiterTests.m b/keychain/ckks/tests/RateLimiterTests.m index 91bd6bf3..00ceb9ee 100644 --- a/keychain/ckks/tests/RateLimiterTests.m +++ b/keychain/ckks/tests/RateLimiterTests.m @@ -22,6 +22,7 @@ */ #import +#import #import #import "keychain/ckks/RateLimiter.h" 
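Review bot: In the reachability check added by the `@@ -257,6 +265,13 @@` hunk, `[CKKSReachabilityTracker getReachabilityFlags:NULL]` only behaves as intended while the class is stubbed by the test setup earlier in this patch; what the real method does with a NULL pointer is not visible here. A comment such as `// Relies on the OCMock stub of +getReachabilityFlags: installed by the test setup` would make that dependency explicit. `userInfo:NULL` is an object argument and reads better as `userInfo:nil`. The enclosing method starts and ends outside the hunk.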
@@ -163,16 +164,14 @@ NSDate* limit = nil; [self.RL judge:self.obj at:date limitTime:&limit]; - NSMutableData *data = [NSMutableData new]; - NSKeyedArchiver *encoder = [[NSKeyedArchiver alloc] initForWritingWithMutableData:data]; - encoder.requiresSecureCoding = YES; + NSKeyedArchiver *encoder = [[NSKeyedArchiver alloc] initRequiringSecureCoding:YES]; [self.RL encodeWithCoder:encoder]; - [encoder finishEncoding]; + NSData* data = encoder.encodedData; + XCTAssertEqualObjects(self.config, self.RL.config, @"config unmodified after encoding"); XCTAssertNil(self.RL.assetType, @"assetType still nil after encoding"); - NSKeyedUnarchiver *decoder = [[NSKeyedUnarchiver alloc] initForReadingWithData:data]; - decoder.requiresSecureCoding = YES; + NSKeyedUnarchiver *decoder = [[NSKeyedUnarchiver alloc] initForReadingFromData:data error:nil]; RateLimiter *RL2 = [[RateLimiter alloc] initWithCoder:decoder]; XCTAssertNotNil(RL2, @"Received an object from initWithCoder"); XCTAssertEqualObjects(self.RL.config, RL2.config, @"config is the same after encoding and decoding"); diff --git a/keychain/ckksctl/ckksctl.m b/keychain/ckksctl/ckksctl.m index 9bb556b6..cc9e4ac6 100644 --- a/keychain/ckksctl/ckksctl.m +++ b/keychain/ckksctl/ckksctl.m 
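Review bot: `initForReadingFromData:data error:nil` discards the only failure signal from the new unarchiver initializer, and the test then hands a possibly nil `decoder` to `initWithCoder:`. Pass an error and assert on the result, e.g. `NSError* error = nil;` before the call and `XCTAssertNotNil(decoder, @"unarchiver init failed: %@", error);` after it. The explicit `decoder.requiresSecureCoding = YES` line is removed; this initializer enables secure coding by default, so a one-line comment saying the removal is intentional would help the next reader. The test method starts outside this hunk.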
@@ -33,13 +33,44 @@ static void nsprintf(NSString *fmt, ...) #endif } +static NSDictionary* flattenNSErrorsInDictionary(NSDictionary* dict) { + if(!dict) { + return nil; + } + NSMutableDictionary* mutDict = [dict mutableCopy]; + for(id key in mutDict.allKeys) { + id obj = mutDict[key]; + if([obj isKindOfClass:[NSError class]]) { + NSError* obje = (NSError*) obj; + NSMutableDictionary* newErrorDict = [@{@"code": @(obje.code), @"domain": obje.domain} mutableCopy]; + newErrorDict[@"userInfo"] = flattenNSErrorsInDictionary(obje.userInfo); + mutDict[key] = newErrorDict; + } else if(![NSJSONSerialization isValidJSONObject:obj]) { + mutDict[key] = [obj description]; + } + } + return mutDict; +} + static void print_result(NSDictionary *dict, bool json_flag) { if (json_flag) { NSError *err; + + // NSErrors don't know how to JSON-ify themselves, for some reason + // This will flatten a single layer of them + if(![NSJSONSerialization isValidJSONObject:dict]) { + dict = flattenNSErrorsInDictionary(dict); + } + + if(![NSJSONSerialization isValidJSONObject:dict]) { + printf("Still unsure how to JSONify the following object:\n"); + print_dict(dict, 0); + } + NSData *json = [NSJSONSerialization dataWithJSONObject:dict - options:(NSJSONWritingPrettyPrinted | NSJSONWritingSortedKeys) - error:&err]; + options:(NSJSONWritingPrettyPrinted | NSJSONWritingSortedKeys) + error:&err]; if (!json) { NSLog(@"error: %@", err.localizedDescription); } else { @@ -128,7 +159,8 @@ static void print_entry(id k, id v, int ind) return perfDict; } -- (void)resetLocal: (NSString*)view { +- (long)resetLocal:(NSString*)view { + __block long ret = 0; #if OCTAGON printf("Beginning local reset for %s...\n", view ? [[view description] UTF8String] : "all zones"); dispatch_semaphore_t sema = dispatch_semaphore_create(0); 
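Review bot: In `print_result`, when the dictionary is still not valid JSON after `flattenNSErrorsInDictionary`, the code prints it with `print_dict` and then falls through to `dataWithJSONObject:`, which raises an exception for an object that cannot be serialized. Add `return;` after `print_dict(dict, 0);` so the tool ends cleanly instead of aborting. The helper also replaces every value for which `isValidJSONObject:` is false with its `description`; that check is meant for top-level containers, so plain values such as numbers may come out as strings, which deserves a comment if intended. `print_result` continues outside the hunk.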
@@ -137,19 +169,24 @@ static void print_entry(id k, id v, int ind) reply:^(NSError *error) { if(error == NULL) { printf("reset complete.\n"); + ret = 0; } else { nsprintf(@"reset error: %@\n", error); + ret = error.code; } dispatch_semaphore_signal(sema); }]; - if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 60)) != 0) { + if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 60 * 2)) != 0) { printf("\n\nError: timed out waiting for response\n"); + return -1; } #endif // OCTAGON + return ret; } -- (void)resetCloudKit: (NSString*)view { +- (long)resetCloudKit:(NSString*)view { + __block long ret = 0; #if OCTAGON printf("Beginning CloudKit reset for %s...\n", view ? [[view description] UTF8String] : "all zones"); dispatch_semaphore_t sema = dispatch_semaphore_create(0); @@ -157,19 +194,24 @@ static void print_entry(id k, id v, int ind) [self.control rpcResetCloudKit:view reply:^(NSError* error){ if(error == NULL) { printf("CloudKit Reset complete.\n"); + ret = 0; } else { nsprintf(@"Reset error: %@\n", error); + ret = error.code; } dispatch_semaphore_signal(sema); }]; - if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 60)) != 0) { + if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 60 * 5)) != 0) { printf("\n\nError: timed out waiting for response\n"); + return -1; } #endif // OCTAON + return ret; } -- (void)resync: (NSString*)view { +- (long)resync:(NSString*)view { + __block long ret = 0; #if OCTAGON printf("Beginning resync for %s...\n", view ? [[view description] UTF8String] : "all zones"); dispatch_semaphore_t sema = dispatch_semaphore_create(0); 
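Review bot: `resetLocal:` and `resetCloudKit:` here, and `resync:` in the next hunk, set `ret = error.code;` directly, so an `NSError` whose code is 0 is reported as success. `fetch:` and `push:` in this same patch already guard against that; use the same form in all three, `ret = (error.code == 0 ? -1 : error.code);`. Both methods on this line start or end outside their hunks.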
@@ -177,79 +219,20 @@ static void print_entry(id k, id v, int ind) [self.control rpcResync:view reply:^(NSError* error){ if(error == NULL) { printf("resync success.\n"); + ret = 0; } else { nsprintf(@"resync errored: %@\n", error); + ret = error.code; } dispatch_semaphore_signal(sema); }]; - if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 60)) != 0) { + if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 60 * 2)) != 0) { printf("\n\nError: timed out waiting for response\n"); + return -1; } #endif // OCTAGON -} - -- (void)getAnalyticsSysdiagnose -{ - printf("Getting analytics sysdiagnose....\n"); - dispatch_semaphore_t sema = dispatch_semaphore_create(0); - - [self.control rpcGetAnalyticsSysdiagnoseWithReply:^(NSString* sysdiagnose, NSError* error) { - if (sysdiagnose && !error) { - nsprintf(@"Analytics sysdiagnose:\n\n%@", sysdiagnose); - } - else { - nsprintf(@"error retrieving sysdiagnose: %@", error); - } - - dispatch_semaphore_signal(sema); - }]; - - if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 60)) != 0) { - printf("\n\nError: timed out waiting for response\n"); - } -} - -- (void)getAnalyticsJSON -{ - printf("Getting analytics json....\n"); - dispatch_semaphore_t sema = dispatch_semaphore_create(0); - - [self.control rpcGetAnalyticsJSONWithReply:^(NSData* json, NSError* error) { - if (json && !error) { - nsprintf(@"Analytics JSON:\n\n%@", [[NSString alloc] initWithData:json encoding:NSUTF8StringEncoding]); - } - else { - nsprintf(@"error retrieving JSON: %@", error); - } - - dispatch_semaphore_signal(sema); - }]; - - if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 60)) != 0) { - printf("\n\nError: timed out waiting for response\n"); - } -} - -- (void)forceAnalyticsUpload -{ - printf("Uploading....\n"); - dispatch_semaphore_t sema = dispatch_semaphore_create(0); - - [self.control rpcForceUploadAnalyticsWithReply:^(BOOL success, 
NSError* error) { - if (success) { - nsprintf(@"successfully uploaded analytics data"); - } - else { - nsprintf(@"error uploading analytics: %@", error); - } - - dispatch_semaphore_signal(sema); - }]; - - if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 60)) != 0) { - printf("\n\nError: timed out waiting for response\n"); - } + return ret; } - (NSDictionary *)fetchStatus: (NSString*) view { @@ -273,7 +256,7 @@ static void print_entry(id k, id v, int ind) dispatch_semaphore_signal(sema); }]; - if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 5)) != 0) { + if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 30)) != 0) { status[@"error"] = @"timed out"; } #endif // OCTAGON @@ -300,6 +283,9 @@ static void print_entry(id k, id v, int ind) NSString* selfPeersError = pop(global, @"selfPeersError"); NSArray* trustedPeers = pop(global, @"trustedPeers"); NSString* trustedPeersError = pop(global, @"trustedPeersError"); + NSString* reachability = pop(global, @"reachability"); + NSString* ckdeviceID = pop(global, @"ckdeviceID"); + NSString* ckdeviceIDError = pop(global, @"ckdeviceIDError"); printf("================================================================================\n\n"); printf("Global state:\n\n"); @@ -311,6 +297,10 @@ static void print_entry(id k, id v, int ind) if(![trustedPeersError isEqual: [NSNull null]]) { printf("Trusted Peers Error: %s\n", [[trustedPeersError description] UTF8String]); } + printf("Reachability: %s\n", [[reachability description] UTF8String]); + printf("CK DeviceID: %s\n", [[ckdeviceID description] UTF8String]); + printf("CK DeviceID Error: %s\n", [[ckdeviceIDError description] UTF8String]); + printf("\n"); } 
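Review bot: The three status lines added in the `@@ -311,6 +297,10 @@` hunk print unconditionally, so `CK DeviceID Error:` appears even when there is no error, unlike the `trustedPeersError` line just above, which is guarded by `isEqual: [NSNull null]`. Guard it the same way, `if(![ckdeviceIDError isEqual: [NSNull null]]) { printf("CK DeviceID Error: %s\n", [[ckdeviceIDError description] UTF8String]); }`. If `pop` can return nil for a missing key (its definition is outside the hunk), `UTF8String` yields NULL and is passed to `%s`, so a fallback string is worth adding. The enclosing method starts outside the hunk.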
@@ -328,7 +318,6 @@ static void print_entry(id k, id v, int ind) NSString* lockStateTracker = pop(status,@"lockstatetracker"); NSString* accountTracker = pop(status,@"accounttracker"); NSString* fetcher = pop(status,@"fetcher"); - NSString* setup = pop(status,@"setup"); NSString* zoneCreated = pop(status,@"zoneCreated"); NSString* zoneCreatedError = pop(status,@"zoneCreatedError"); NSString* zoneSubscribed = pop(status,@"zoneSubscribed"); @@ -340,6 +329,9 @@ static void print_entry(id k, id v, int ind) NSString* currentTLK = pop(status,@"currentTLK"); NSString* currentClassA = pop(status,@"currentClassA"); NSString* currentClassC = pop(status,@"currentClassC"); + NSString* currentTLKPtr = pop(status,@"currentTLKPtr"); + NSString* currentClassAPtr = pop(status,@"currentClassAPtr"); + NSString* currentClassCPtr = pop(status,@"currentClassCPtr"); NSString* currentManifestGeneration = pop(status,@"currentManifestGen"); NSDictionary* oqe = pop(status,@"oqe"); @@ -351,7 +343,6 @@ static void print_entry(id k, id v, int ind) NSString* zoneSetupOperation = pop(status,@"zoneSetupOperation"); - NSString* viewSetupOperation = pop(status,@"viewSetupOperation"); NSString* keyStateOperation = pop(status,@"keyStateOperation"); NSString* lastIncomingQueueOperation = pop(status,@"lastIncomingQueueOperation"); NSString* lastNewTLKOperation = pop(status,@"lastNewTLKOperation"); @@ -371,7 +362,6 @@ static void print_entry(id k, id v, int ind) printf("CloudKit account: %s\n", [accountStatus UTF8String]); printf("Account tracker: %s\n", [accountTracker UTF8String]); - printf("Ran setup operation: %s\n", [setup UTF8String]); if(!([zoneCreated isEqualToString:@"yes"] && [zoneSubscribed isEqualToString:@"yes"])) { printf("CK Zone Created: %s\n", [[zoneCreated description] UTF8String]); 
@@ -389,9 +379,15 @@ static void print_entry(id k, id v, int ind) } printf("Lock state: %s\n", [lockStateTracker UTF8String]); - printf("Current TLK: %s\n", [currentTLK isEqual: [NSNull null]] ? "null" : [currentTLK UTF8String]); - printf("Current ClassA: %s\n", [currentClassA isEqual: [NSNull null]] ? "null" : [currentClassA UTF8String]); - printf("Current ClassC: %s\n", [currentClassC isEqual: [NSNull null]] ? "null" : [currentClassC UTF8String]); + printf("Current TLK: %s\n", ![currentTLK isEqual: [NSNull null]] + ? [currentTLK UTF8String] + : [[NSString stringWithFormat:@"missing; pointer is %@", currentTLKPtr] UTF8String]); + printf("Current ClassA: %s\n", ![currentClassA isEqual: [NSNull null]] + ? [currentClassA UTF8String] + : [[NSString stringWithFormat:@"missing; pointer is %@", currentClassAPtr] UTF8String]); + printf("Current ClassC: %s\n", ![currentClassC isEqual: [NSNull null]] + ? [currentClassC UTF8String] + : [[NSString stringWithFormat:@"missing; pointer is %@", currentClassCPtr] UTF8String]); printf("TLK shares: %s\n", [[tlkshares description] UTF8String]); @@ -405,7 +401,6 @@ static void print_entry(id k, id v, int ind) printf("zone change fetcher: %s\n", [[fetcher description] UTF8String]); printf("zoneSetupOperation: %s\n", [zoneSetupOperation isEqual: [NSNull null]] ? "never" : [zoneSetupOperation UTF8String]); - printf("viewSetupOperation: %s\n", [viewSetupOperation isEqual: [NSNull null]] ? "never" : [viewSetupOperation UTF8String]); printf("keyStateOperation: %s\n", [keyStateOperation isEqual: [NSNull null]] ? "never" : [keyStateOperation UTF8String]); printf("lastIncomingQueueOperation: %s\n", [lastIncomingQueueOperation isEqual: [NSNull null]] ? "never" : [lastIncomingQueueOperation UTF8String]); printf("lastNewTLKOperation: %s\n", [lastNewTLKOperation isEqual: [NSNull null]] ? "never" : [lastNewTLKOperation UTF8String]); 
@@ -423,21 +418,24 @@ static void print_entry(id k, id v, int ind) dispatch_semaphore_signal(sema); }]; - if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 5)) != 0) { + if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 30)) != 0) { printf("\n\nError: timed out waiting for response\n"); } #endif // OCTAGON } -- (void)fetch: (NSString*) view { +- (long)fetch:(NSString*)view { + __block long ret = 0; #if OCTAGON dispatch_semaphore_t sema = dispatch_semaphore_create(0); [self.control rpcFetchAndProcessChanges:view reply:^(NSError* error) { if(error) { printf("Error fetching: %s\n", [[error description] UTF8String]); + ret = (error.code == 0 ? -1 : error.code); } else { printf("Complete.\n"); + ret = 0; } dispatch_semaphore_signal(sema); @@ -445,19 +443,24 @@ static void print_entry(id k, id v, int ind) if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 65)) != 0) { printf("\n\nError: timed out waiting for response\n"); + return -1; } #endif // OCTAGON + return ret; } -- (void)push: (NSString*) view { +- (long)push:(NSString*)view { + __block long ret = 0; #if OCTAGON dispatch_semaphore_t sema = dispatch_semaphore_create(0); [self.control rpcPushOutgoingChanges:view reply:^(NSError* error) { if(error) { printf("Error pushing: %s\n", [[error description] UTF8String]); + ret = (error.code == 0 ? -1 : error.code); } else { printf("Complete.\n"); + ret = 0; } dispatch_semaphore_signal(sema); @@ -465,8 +468,10 @@ static void print_entry(id k, id v, int ind) if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 65)) != 0) { printf("\n\nError: timed out waiting for response\n"); + return -1; } #endif // OCTAGON + return ret; } @end 
@@ -480,9 +485,6 @@ static int resetCloudKit = false; static int fetch = false; static int push = false; static int json = false; -static int getAnalyticsSysdiagnose = false; -static int getAnalyticsJSON = false; -static int uploadAnalytics = false; static char* viewArg = NULL; @@ -499,9 +501,6 @@ int main(int argc, char **argv) { .command="resync", .flag=&resync, .flagval=true, .description="Resync all data with what's in CloudKit"}, { .command="reset", .flag=&reset, .flagval=true, .description="All local data will be wiped, and data refetched from CloudKit"}, { .command="reset-cloudkit", .flag=&resetCloudKit, .flagval=true, .description="All data in CloudKit will be removed and replaced with what's local"}, - { .command="get-analytics-sysdiagnose", .flag=&getAnalyticsSysdiagnose, .flagval=true, .description="Retrieve the current sysdiagnose dump for CKKS analytics"}, - { .command="get-analytics", .flag=&getAnalyticsJSON, .flagval=true, .description="Retrieve the current JSON blob that would be uploaded to the logging server if an upload occurred now"}, - { .command="upload-analytics", .flag=&uploadAnalytics, .flagval=true, .description="Force an upload of analytics data to cloud server"}, {} }; 
@@ -546,27 +545,22 @@ int main(int argc, char **argv) if(!json) { [ctl printHumanReadableStatus:view]; } + return 0; } else if(perfCounters) { NSMutableDictionary *statusDict = [[NSMutableDictionary alloc] init]; statusDict[@"performance"] = [ctl fetchPerformanceCounters]; print_result(statusDict, false); } else if(fetch) { - [ctl fetch:view]; + return (int)[ctl fetch:view]; } else if(push) { - [ctl push:view]; + return (int)[ctl push:view]; } else if(reset) { - [ctl resetLocal:view]; + return (int)[ctl resetLocal:view]; } else if(resetCloudKit) { - [ctl resetCloudKit:view]; + return (int)[ctl resetCloudKit:view]; } else if(resync) { - [ctl resync:view]; - } else if(getAnalyticsSysdiagnose) { - [ctl getAnalyticsSysdiagnose]; - } else if(getAnalyticsJSON) { - [ctl getAnalyticsJSON]; - } else if(uploadAnalytics) { - [ctl forceAnalyticsUpload]; + return (int)[ctl resync:view]; } else { print_usage(&args); return -1; diff --git a/keychain/trust/TrustedPeersTests/TPDummyDecrypter.h b/keychain/ot/OT.h similarity index 87% rename from keychain/trust/TrustedPeersTests/TPDummyDecrypter.h rename to keychain/ot/OT.h index 790568ba..939ebfe8 100644 --- a/keychain/trust/TrustedPeersTests/TPDummyDecrypter.h +++ b/keychain/ot/OT.h @@ -21,16 +21,17 @@ * @APPLE_LICENSE_HEADER_END@ */ -#import - -#import +#ifndef OT_h +#define OT_h +#ifdef __OBJC__ +#import NS_ASSUME_NONNULL_BEGIN +#else +CF_ASSUME_NONNULL_BEGIN +#endif -@interface TPDummyDecrypter : NSObject - -+ (instancetype)dummyDecrypter; - -@end +bool SecOTIsEnabled(void); -NS_ASSUME_NONNULL_END +CF_ASSUME_NONNULL_END +#endif /* OT_h */ diff --git a/keychain/trust/TrustedPeers/TPUtils.m b/keychain/ot/OT.m similarity index 51% rename from keychain/trust/TrustedPeers/TPUtils.m rename to keychain/ot/OT.m index 063a88bb..e0e8bf85 100644 --- a/keychain/trust/TrustedPeers/TPUtils.m +++ b/keychain/ot/OT.m 
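Review bot: In the command dispatch of `main` in ckksctl.m, `return (int)[ctl fetch:view];` and its four siblings pass an `NSError` code straight through as the process exit status. Only the low 8 bits of that value reach the caller, so a code that is a multiple of 256 is seen as success by scripts that test the exit status. Normalise it instead, e.g. `return [ctl fetch:view] == 0 ? 0 : 1;`, and leave the detailed code to the message already printed. `main` starts and ends outside this hunk.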
@@ -21,23 +21,27 @@ * @APPLE_LICENSE_HEADER_END@ */ -#import "TPUtils.h" +#import "OT.h" +#import +#import -@implementation TPUtils +bool SecOTIsEnabled(void) { -+ (NSData *)serializedPListWithDictionary:(NSDictionary *)dict -{ - NSError *error = nil; - NSData *data = [NSPropertyListSerialization dataWithPropertyList:dict - format:NSPropertyListXMLFormat_v1_0 - options:0 - error:&error]; - if (nil == data) { - @throw [NSException exceptionWithName:@"Failed to serialize" - reason:[error description] - userInfo:nil]; + bool userDefaultsShouldBottledPeer = true; + CFBooleanRef enabled = (CFBooleanRef)CFPreferencesCopyValue(CFSTR("EnableOTRestore"), + CFSTR("com.apple.security"), + kCFPreferencesAnyUser, kCFPreferencesAnyHost); + if(enabled && CFGetTypeID(enabled) == CFBooleanGetTypeID()){ + if(enabled == kCFBooleanFalse){ + secnotice("octagon", "Octagon Restore Disabled"); + userDefaultsShouldBottledPeer = false; + } + if(enabled == kCFBooleanTrue){ + secnotice("octagon", "Octagon Restore Enabled"); + userDefaultsShouldBottledPeer = true; + } } - return data; -} -@end + CFReleaseNull(enabled); + return userDefaultsShouldBottledPeer; +} diff --git a/keychain/ot/OTAuthenticatedCiphertext+SF.h b/keychain/ot/OTAuthenticatedCiphertext+SF.h new file mode 100644 index 00000000..799dac23 --- /dev/null +++ b/keychain/ot/OTAuthenticatedCiphertext+SF.h 
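Review bot: `SecOTIsEnabled` treats everything except an explicit boolean false for `EnableOTRestore` as enabled, including a value of the wrong type, and nothing documents that default. Add a comment above the function such as `// Defaults to enabled; only a boolean false for EnableOTRestore in com.apple.security disables it`. The two pointer comparisons can collapse to `userDefaultsShouldBottledPeer = CFBooleanGetValue(enabled);`. The function also logs at notice level on every call whenever the preference is set, which may be noisy if it is called often.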
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2017 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#if OCTAGON
+
+#import
+#import
+
+#import "OTAuthenticatedCiphertext.h"
+
+NS_ASSUME_NONNULL_BEGIN
+
+@interface OTAuthenticatedCiphertext (SecurityFoundation)
+
++ (instancetype)fromSFAuthenticatedCiphertext:(SFAuthenticatedCiphertext *)cipher;
+
+- (SFAuthenticatedCiphertext *)asSFAuthenticatedCiphertext;
+
+@end
+
+NS_ASSUME_NONNULL_END
+#endif
diff --git a/keychain/trust/TrustedPeersTests/TPDummyEncrypter.m b/keychain/ot/OTAuthenticatedCiphertext+SF.m
similarity index 56%
rename from keychain/trust/TrustedPeersTests/TPDummyEncrypter.m
rename to keychain/ot/OTAuthenticatedCiphertext+SF.m
index 4a8fbb35..10ee1063 100644
--- a/keychain/trust/TrustedPeersTests/TPDummyEncrypter.m
+++ b/keychain/ot/OTAuthenticatedCiphertext+SF.m
@@ -21,28 +21,28 @@ * @APPLE_LICENSE_HEADER_END@ */ -#import "TPDummyEncrypter.h" -#import "TPDummyDecrypter.h" +#if OCTAGON -@interface TPDummyEncrypter () -@property (nonatomic, strong) NSData *decryptionKey; -@end +#import "OTAuthenticatedCiphertext+SF.h" -@implementation TPDummyEncrypter +@implementation OTAuthenticatedCiphertext (SecurityFoundation) -+ (instancetype)dummyEncrypterWithKey:(NSData *)key ++ (instancetype)fromSFAuthenticatedCiphertext:(SFAuthenticatedCiphertext *)cipher { - TPDummyEncrypter *enc = [[TPDummyEncrypter alloc] init]; - enc.decryptionKey = key; - return enc; + OTAuthenticatedCiphertext *obj = [OTAuthenticatedCiphertext new]; + obj.ciphertext = cipher.ciphertext; + obj.authenticationCode = cipher.authenticationCode; + obj.initializationVector = cipher.initializationVector; + return obj; } -- (nullable NSData *)encryptData:(NSData *)plaintext error:(NSError **)error +- (SFAuthenticatedCiphertext *)asSFAuthenticatedCiphertext { - // It's just XOR with rotating key, so "encryption" == "decryption" - return [[TPDummyDecrypter dummyDecrypter] decryptData:plaintext - withKey:self.decryptionKey - error:error]; + return [[SFAuthenticatedCiphertext alloc] initWithCiphertext:self.ciphertext + authenticationCode:self.authenticationCode + initializationVector:self.initializationVector]; } @end + +#endif diff --git a/keychain/ot/OTBottledPeer.h b/keychain/ot/OTBottledPeer.h new file mode 100644 index 00000000..3d84714c --- /dev/null +++ b/keychain/ot/OTBottledPeer.h 
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2017 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#if OCTAGON
+#import
+#import
+
+#import "OTEscrowKeys.h"
+
+NS_ASSUME_NONNULL_BEGIN
+
+@interface OTBottledPeer : NSObject
+
+@property (nonatomic, readonly) NSString* peerID;
+@property (nonatomic, readonly) NSString* spID;
+@property (nonatomic, readonly) SFECKeyPair* peerSigningKey;
+@property (nonatomic, readonly) SFECKeyPair* peerEncryptionKey;
+@property (nonatomic, readonly) NSData* data;
+
+// Given a peer's details including private key material, and
+// the keys generated from the escrow secret, encrypt the peer private keys,
+// make a bottled peer object and serialize it into data.
+- (nullable instancetype) initWithPeerID:(NSString * _Nullable)peerID
+ spID:(NSString * _Nullable)spID
+ peerSigningKey:(SFECKeyPair *)peerSigningKey
+ peerEncryptionKey:(SFECKeyPair *)peerEncryptionKey
+ escrowKeys:(OTEscrowKeys *)escrowKeys
+ error:(NSError**)error;
+
+// Deserialize a bottle and decrypt the contents (peer keys)
+// using the keys generated from the escrow secret.
+- (nullable instancetype) initWithData:(NSData *)data
+ escrowKeys:(OTEscrowKeys *)escrowKeys
+ error:(NSError**)error;
+
+@end
+NS_ASSUME_NONNULL_END
+
+#endif
diff --git a/keychain/ot/OTBottledPeer.m b/keychain/ot/OTBottledPeer.m
new file mode 100644
index 00000000..0d3992d5
--- /dev/null
+++ b/keychain/ot/OTBottledPeer.m
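Review bot: In OTBottledPeer.h, `initWithPeerID:spID:…` accepts `peerID` and `spID` as `_Nullable`, but the `peerID` and `spID` properties are declared inside `NS_ASSUME_NONNULL_BEGIN` without a nullability annotation, so callers are told they are never nil. Either mark the properties to match, `@property (nonatomic, readonly, nullable) NSString* peerID;` and the same for `spID`, or drop `_Nullable` from the initializer if nil is not a valid input. Because the object holds peer private keys, the header comment should also state whether `data` is the encrypted bottle only; the implementation is outside this hunk.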
@@ -0,0 +1,196 @@
+/*
+ * Copyright (c) 2017 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#import "OTBottledPeer.h"
+
+#if OCTAGON
+#import
+#import
+#import
+#import
+#import
+
+#import
+
+#import
+#import
+#import
+
+#import
+
+#import
+
+#import "OTBottle.h"
+#import "OTBottleContents.h"
+#import "OTDefines.h"
+#import "OTPrivateKey.h"
+#import "OTPrivateKey+SF.h"
+#import "OTAuthenticatedCiphertext.h"
+#import "OTAuthenticatedCiphertext+SF.h"
+#import "SFPublicKey+SPKI.h"
+
+@interface OTBottledPeer ()
+
+@property (nonatomic, strong) NSString* peerID;
+@property (nonatomic, strong) NSString* spID;
+@property (nonatomic, strong) SFECKeyPair* peerSigningKey;
+@property (nonatomic, strong) SFECKeyPair* peerEncryptionKey;
+@property (nonatomic, strong) NSData* data;
+
+@end
+
+@implementation OTBottledPeer
+
++ (SFAuthenticatedEncryptionOperation *) encryptionOperation
+{
+ SFAESKeySpecifier *keySpecifier = [[SFAESKeySpecifier alloc] initWithBitSize:SFAESKeyBitSize256];
+ return [[SFAuthenticatedEncryptionOperation alloc] initWithKeySpecifier:keySpecifier];
+}
+
+// Given a peer's details including private key material, and
+// the keys generated from the escrow secret, encrypt the peer private keys,
+// make a bottled peer object and serialize it into data.
+- (nullable instancetype) initWithPeerID:(NSString * _Nullable)peerID
+ spID:(NSString * _Nullable)spID
+ peerSigningKey:(SFECKeyPair *)peerSigningKey
+ peerEncryptionKey:(SFECKeyPair *)peerEncryptionKey
+ escrowKeys:(OTEscrowKeys *)escrowKeys
+ error:(NSError**)error
+{
+ self = [super init];
+ if (self) {
+ // Serialize the peer private keys into "contents"
+ OTBottleContents *contentsObj = [[OTBottleContents alloc] init];
+ contentsObj.peerSigningPrivKey = [OTPrivateKey fromECKeyPair:peerSigningKey];
+ contentsObj.peerEncryptionPrivKey = [OTPrivateKey fromECKeyPair:peerEncryptionKey];
+ NSData *clearContentsData = contentsObj.data;
+
+ // Encrypt the contents
+ SFAuthenticatedEncryptionOperation *op = [OTBottledPeer encryptionOperation];
+ SFAuthenticatedCiphertext* cipher = [op encrypt:clearContentsData withKey:escrowKeys.symmetricKey error:error];
+ if (!cipher) {
+ return nil;
+ }
+
+ // Serialize the whole thing
+ OTBottle *obj = [[OTBottle alloc] init];
+ obj.peerID = peerID;
+ obj.spID = spID;
+ obj.escrowedSigningSPKI = [escrowKeys.signingKey.publicKey asSPKI];
+ obj.escrowedEncryptionSPKI = [escrowKeys.encryptionKey.publicKey asSPKI];
+ obj.peerSigningSPKI = [peerSigningKey.publicKey asSPKI];
+ obj.peerEncryptionSPKI = [peerEncryptionKey.publicKey asSPKI];
+ obj.contents = [OTAuthenticatedCiphertext fromSFAuthenticatedCiphertext:cipher];
+
+ _peerID = [peerID copy];
+ _spID = [spID copy];
+ _peerSigningKey = peerSigningKey;
+ _peerEncryptionKey = peerEncryptionKey;
+ _data = obj.data;
+ }
+ return self;
+}
+
+// Deserialize a bottle and decrypt the contents (peer keys)
+// using the keys generated from the escrow secret.
+- (nullable instancetype) initWithData:(NSData *)data
+ escrowKeys:(OTEscrowKeys *)escrowKeys
+ error:(NSError**)error
+{
+ self = [super init];
+ if (self) {
+ NSError* localError =nil;
+
+ // Deserialize the whole thing
+ OTBottle *obj = [[OTBottle alloc] initWithData:data];
+ if (!obj) {
+ secerror("octagon: failed to deserialize data into OTBottle");
+ if(error){
+ *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorDeserializationFailure userInfo:@{NSLocalizedDescriptionKey: @"Failed to deserialize bottle peer"}];
+ }
+ return nil;
+ }
+
+ // Decrypt contents
+ SFAuthenticatedEncryptionOperation *op = [OTBottledPeer encryptionOperation];
+ SFAuthenticatedCiphertext* ciphertext = [obj.contents asSFAuthenticatedCiphertext];
+ NSData* clearContentsData = [op decrypt:ciphertext withKey:escrowKeys.symmetricKey error:&localError];
+ if (!clearContentsData || clearContentsData.length == 0) {
+ secerror("octagon: could not decrypt bottle contents: %@", localError);
+ if(error){
+ *error = localError;
+ }
+ return nil;
+ }
+
+ // Deserialize contents into private peer keys
+ OTBottleContents *contentsObj = [[OTBottleContents alloc] initWithData:clearContentsData];
+ if (!contentsObj) {
+ secerror("octagon: could not deserialize bottle contents");
+ if(error){
+ *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorDeserializationFailure userInfo:@{NSLocalizedDescriptionKey: @"Failed to deserialize bottle contents"}];
+ }
+ return nil;
+ }
+
+ _peerID = obj.peerID;
+ _spID = obj.spID;
+ _peerSigningKey = [contentsObj.peerSigningPrivKey asECKeyPair];
+ _peerEncryptionKey = [contentsObj.peerEncryptionPrivKey asECKeyPair];
+ if (!_peerSigningKey || !_peerEncryptionKey) {
+ secerror("octagon: could not get private EC keys from bottle contents");
+ if(error){
+ *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorPrivateKeyFailure userInfo:@{NSLocalizedDescriptionKey: @"Failed to instantiate octagon peer keys"}];
+ }
+ return nil;
+ }
+ _data = [data copy];
+
+ SFECPublicKey *peerSigningPubKey = [SFECPublicKey fromSPKI:obj.peerSigningSPKI];
+ SFECPublicKey *peerEncryptionPubKey = [SFECPublicKey fromSPKI:obj.peerEncryptionSPKI];
+
+ // Check the private keys match the public keys
+ if (![_peerSigningKey.publicKey isEqual:peerSigningPubKey]) {
+ secerror("octagon: public and private peer signing keys do not match");
+ if(error){
+ *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorPrivateKeyFailure userInfo:@{NSLocalizedDescriptionKey: @"public and private peer signing keys do not match"}];
+ }
+ return nil;
+ }
+ if (![_peerEncryptionKey.publicKey isEqual:peerEncryptionPubKey]) {
+ secerror("octagon: public and private peer encryption keys do not match");
+ if(error){
+ *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorPrivateKeyFailure userInfo:@{NSLocalizedDescriptionKey: @"public and private peer encryption keys do not match"}];
+ }
+ return nil;
+ }
+
+ }
+ return self;
+}
+
+@end
+
+#endif
+
+
diff --git a/keychain/trust/TrustedPeers/TPSigningKey.h b/keychain/ot/OTBottledPeerRecord.h
similarity index 57%
rename from keychain/trust/TrustedPeers/TPSigningKey.h
rename to keychain/ot/OTBottledPeerRecord.h
index a45159e8..43c7802d 100644
--- a/keychain/trust/TrustedPeers/TPSigningKey.h
+++ b/keychain/ot/OTBottledPeerRecord.h
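Review bot: In OTBottledPeer.m, `initWithData:escrowKeys:error:` copies `obj.peerID` and `obj.spID` from the outer `OTBottle` and never looks at `obj.escrowedSigningSPKI` or `obj.escrowedEncryptionSPKI`; as far as the hunk shows, only `obj.contents` goes through the authenticated decryption, so these outer fields are unauthenticated at this point. A caller that uses this initializer without the signature check done in `OTBottledPeerSigned` would be trusting identifiers that anyone able to write the record could have set. Consider rejecting a bottle whose escrow SPKI does not match the supplied keys, e.g. `if (![obj.escrowedSigningSPKI isEqual:[escrowKeys.signingKey.publicKey asSPKI]]) { /* set OTErrorDeserializationFailure */ return nil; }`. A comment above `_peerID = obj.peerID;` should state that the value is trusted only after signature verification.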
@@ -23,30 +23,21 @@ #import -NS_ASSUME_NONNULL_BEGIN +@interface OTBottledPeerRecord : NSObject -/*! - A protocol for signing blobs and checking signatures. - */ -@protocol TPSigningKey -- (NSData *)publicKey; -- (BOOL)checkSignature:(NSData *)sig matchesData:(NSData *)data; +@property (nonatomic, strong) NSString* peerID; +@property (nonatomic, strong) NSString* spID; +@property (nonatomic, strong) NSData* bottle; +@property (nonatomic, strong) NSString* escrowRecordID; +@property (nonatomic, strong) NSData* escrowedSigningSPKI; +@property (nonatomic, strong) NSData* peerSigningSPKI; +@property (nonatomic, strong) NSData* signatureUsingEscrowKey; +@property (nonatomic, strong) NSData* signatureUsingPeerKey; +@property (nonatomic, strong) NSData* encodedRecord; +@property (nonatomic, readonly) NSString* recordName; +@property (nonatomic, strong) NSString* launched; -/*! - This method uses the private key to create a signature. - It will return nil with an error if the private key is not available, - e.g. due to the device being locked. - */ -- (nullable NSData *)signatureForData:(NSData *)data withError:(NSError **)error; -@end ++ (NSString*) constructRecordID:(NSString*)escrowRecordID escrowSigningSPKI:(NSData*)escrowSigningSPKI; - -/*! - A protocol for factories that construct TPSigningKey objects. - */ -@protocol TPSigningKeyFactory -// Return nil if data is malformed -- (nullable id )keyWithPublicKeyData:(NSData *)publicKey; @end -NS_ASSUME_NONNULL_END diff --git a/keychain/trust/TrustedPeersTests/TPDummyDecrypter.m b/keychain/ot/OTBottledPeerRecord.m similarity index 53% rename from keychain/trust/TrustedPeersTests/TPDummyDecrypter.m rename to keychain/ot/OTBottledPeerRecord.m index f7df1949..b7646eef 100644 --- a/keychain/trust/TrustedPeersTests/TPDummyDecrypter.m +++ b/keychain/ot/OTBottledPeerRecord.m 
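Review bot: The new `OTBottledPeerRecord` interface declares its `NSString*` and `NSData*` properties as `strong` and drops the `NS_ASSUME_NONNULL_BEGIN`/`NS_ASSUME_NONNULL_END` pair the old header had, so a caller can assign an `NSMutableData` and change a signature or SPKI afterwards, and the compiler is not told which fields may be nil. Prefer `copy` for these value types, e.g. `@property (nonatomic, copy) NSData* signatureUsingEscrowKey;`, and mark the optional ones `nullable`. `launched` is assigned the strings `@"YES"` and `@"NO"` elsewhere in this patch; a one-line comment on the property saying which values it takes would help readers.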
@@ -21,29 +21,31 @@ * @APPLE_LICENSE_HEADER_END@ */ -#import "TPDummyDecrypter.h" -@implementation TPDummyDecrypter +#import "OTBottledPeerRecord.h" +#import +#import +#import -+ (instancetype)dummyDecrypter +static NSString* OTCKRecordName = @"bp-"; + +@implementation OTBottledPeerRecord + +-(NSString*) recordName { - return [[TPDummyDecrypter alloc] init]; + return [OTBottledPeerRecord constructRecordID:self.escrowRecordID escrowSigningSPKI:self.escrowedSigningSPKI]; } -- (nullable NSData *)decryptData:(NSData *)ciphertext - withKey:(NSData *)key - error:(NSError **)error ++ (NSString*) constructRecordID:(NSString*)escrowRecordID escrowSigningSPKI:(NSData*)escrowSigningSPKI { - // Repeating-key XOR - NSMutableData *plaintext = [NSMutableData dataWithLength:ciphertext.length]; - uint8_t *plainbytes = plaintext.mutableBytes; - const uint8_t *cipherbytes = ciphertext.bytes; - const uint8_t *keybytes = key.bytes; - NSUInteger keylen = key.length; - for (NSUInteger i = 0; i < ciphertext.length; i++) { - plainbytes[i] = cipherbytes[i] ^ keybytes[i % keylen]; - } - return plaintext; + const struct ccdigest_info *di = ccsha384_di(); + NSMutableData* result = [[NSMutableData alloc] initWithLength:ccsha384_di()->output_size]; + + ccdigest(di, [escrowSigningSPKI length], [escrowSigningSPKI bytes], [result mutableBytes]); + + NSString* hash = [result base64EncodedStringWithOptions:0]; + + return [NSString stringWithFormat:@"%@-spid:%@-%@", OTCKRecordName, escrowRecordID, hash]; } @end diff --git a/keychain/ot/OTBottledPeerSigned.h b/keychain/ot/OTBottledPeerSigned.h new file mode 100644 index 00000000..c21599e2 --- /dev/null +++ b/keychain/ot/OTBottledPeerSigned.h 
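Review bot: `constructRecordID:escrowSigningSPKI:` in OTBottledPeerRecord.m does not guard against nil arguments: a nil `escrowRecordID` is formatted as `(null)` and a nil or empty `escrowSigningSPKI` hashes zero bytes, so records with missing fields would all map to the same record name. A guard such as `if (escrowRecordID == nil || escrowSigningSPKI.length == 0) { return nil; }` before the digest makes that failure visible, provided callers handle a nil name. Two smaller points: `OTCKRecordName` already ends in `-`, so the format `@"%@-spid:%@-%@"` produces `bp--spid:`, and `base64EncodedStringWithOptions:0` emits `/`, `+` and `=`; a comment should state whether both are intended for the record-name format.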
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 2017 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#if OCTAGON
+#import
+#import "OTBottledPeer.h"
+#import "OTBottledPeerRecord.h"
+
+NS_ASSUME_NONNULL_BEGIN
+
+@interface OTBottledPeerSigned : NSObject
+@property (nonatomic, readonly) OTBottledPeer* bp;
+@property (nonatomic, readonly) NSData* signatureUsingEscrowKey;
+@property (nonatomic, readonly) NSData* signatureUsingPeerKey;
+@property (nonatomic, readonly) NSData* escrowSigningSPKI;
+
+- (instancetype) init NS_UNAVAILABLE;
+
+// Create signatures
+- (nullable instancetype) initWithBottledPeer:(OTBottledPeer*)bp
+ escrowedSigningKey:(SFECKeyPair *)escrowedSigningKey
+ peerSigningKey:(SFECKeyPair *)peerSigningKey
+ error:(NSError**)error;
+
+// Verify signatures, or return nil
+- (nullable instancetype) initWithBottledPeer:(OTBottledPeer*)bp
+ signatureUsingEscrow:(NSData*)signatureUsingEscrow
+ signatureUsingPeerKey:(NSData*)signatureUsingPeerKey
+ escrowedSigningPubKey:(SFECPublicKey *)escrowedSigningPubKey
+ error:(NSError**)error;
+
+// Convenience wrapper, verifies signatures
+- (nullable instancetype) initWithBottledPeerRecord:(OTBottledPeerRecord *)record
+ escrowKeys:(OTEscrowKeys *)escrowKeys
+ error:(NSError**)error;
+
+- (OTBottledPeerRecord *)asRecord:(NSString*)escrowRecordID;
++ (BOOL) verifyBottleSignature:(NSData*)data signature:(NSData*)signature key:(_SFECPublicKey*) pubKey error:(NSError**)error;
+
+@end
+
+NS_ASSUME_NONNULL_END
+
+#endif
diff --git a/keychain/ot/OTBottledPeerSigned.m b/keychain/ot/OTBottledPeerSigned.m
new file mode 100644
index 00000000..a639fe73
--- /dev/null
+++ b/keychain/ot/OTBottledPeerSigned.m
@@ -0,0 +1,166 @@
+/*
+ * Copyright (c) 2017 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#if OCTAGON
+#import
+#import "OTBottledPeer.h"
+#import "OTBottledPeerSigned.h"
+#import "SFPublicKey+SPKI.h"
+#import "OTIdentity.h"
+
+#import
+#import
+#import
+#import
+#import
+
+#import
+#import
+#import
+
+#include
+
+@interface OTBottledPeerSigned ()
+@property (nonatomic, strong) OTBottledPeer* bp;
+@property (nonatomic, strong) NSData* signatureUsingEscrowKey;
+@property (nonatomic, strong) NSData* signatureUsingPeerKey;
+@property (nonatomic, strong) NSData* escrowSigningPublicKey;
+@end
+
+@implementation OTBottledPeerSigned
+
+// Create signatures
+- (nullable instancetype) initWithBottledPeer:(OTBottledPeer*)bp
+ escrowedSigningKey:(SFECKeyPair *)escrowedSigningKey
+ peerSigningKey:(SFECKeyPair *)peerSigningKey
+ error:(NSError**)error
+{
+ self = [super init];
+ if (self) {
+ _bp = bp;
+ _escrowSigningSPKI = [escrowedSigningKey.publicKey asSPKI];
+ SFEC_X962SigningOperation* xso = [OTBottledPeerSigned signingOperation];
+ _signatureUsingEscrowKey = [xso sign:bp.data withKey:escrowedSigningKey error:error].signature;
+ if (!_signatureUsingEscrowKey) {
+ return nil;
+ }
+ _signatureUsingPeerKey = [xso sign:bp.data withKey:peerSigningKey error:error].signature;
+ if (!_signatureUsingPeerKey) {
+ return nil;
+ }
+ }
+ return self;
+}
+
+-(NSString*) escrowSigningPublicKeyHash
+{
+ const struct ccdigest_info *di = ccsha384_di();
+ NSMutableData* result = [[NSMutableData alloc] initWithLength:ccsha384_di()->output_size];
+
+ ccdigest(di, [self.escrowSigningPublicKey length], [self.escrowSigningPublicKey bytes], [result mutableBytes]);
+
+ return [result base64EncodedStringWithOptions:0];
+}
+
+// Verify signatures, or return nil
+- (nullable instancetype) initWithBottledPeer:(OTBottledPeer*)bp
+ signatureUsingEscrow:(NSData*)signatureUsingEscrow
+ signatureUsingPeerKey:(NSData*)signatureUsingPeerKey
+ escrowedSigningPubKey:(SFECPublicKey *)escrowedSigningPubKey
+ error:(NSError**)error
+{
+ self = [super init];
+ if (self) {
+ _bp = bp;
+ _escrowSigningSPKI = [escrowedSigningPubKey asSPKI];
+ _signatureUsingPeerKey = signatureUsingPeerKey;
+ _signatureUsingEscrowKey = signatureUsingEscrow;
+ _escrowSigningPublicKey = [escrowedSigningPubKey keyData];
+
+ SFEC_X962SigningOperation* xso = [OTBottledPeerSigned signingOperation];
+
+ SFSignedData *escrowSigned = [[SFSignedData alloc] initWithData:bp.data signature:signatureUsingEscrow];
+ if (![xso verify:escrowSigned withKey:escrowedSigningPubKey error:error]) {
+ return nil;
+ }
+ SFSignedData *peerSigned = [[SFSignedData alloc] initWithData:bp.data signature:signatureUsingPeerKey];
+ if (![xso verify:peerSigned withKey:bp.peerSigningKey.publicKey error:error]) {
+ return nil;
+ }
+ //stuff restored keys in the keychain
+ [OTIdentity storeOctagonIdentityIntoKeychain:self.bp.peerSigningKey restoredEncryptionKey:self.bp.peerEncryptionKey escrowSigningPubKeyHash:self.escrowSigningPublicKeyHash restoredPeerID:self.bp.spID error:error];
+ }
+ return self;
+}
+
++ (SFEC_X962SigningOperation*) signingOperation
+{
+ SFECKeySpecifier *keySpecifier = [[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384];
+ id digestOperation = [[SFSHA384DigestOperation alloc] init];
+ return [[SFEC_X962SigningOperation alloc] initWithKeySpecifier:keySpecifier digestOperation:digestOperation];
+}
+
++ (BOOL) verifyBottleSignature:(NSData*)data signature:(NSData*)signature key:(_SFECPublicKey*) pubKey error:(NSError**)error
+{
+ SFEC_X962SigningOperation* xso = [OTBottledPeerSigned signingOperation];
+
+ SFSignedData *peerSigned = [[SFSignedData alloc] initWithData:data signature:signature];
+
+ return ([xso verify:peerSigned withKey:pubKey error:error] != nil);
+
+}
+
+- (nullable instancetype) initWithBottledPeerRecord:(OTBottledPeerRecord *)record
+ escrowKeys:(OTEscrowKeys *)escrowKeys
+ error:(NSError**)error
+{
+ OTBottledPeer *bp = [[OTBottledPeer alloc] initWithData:record.bottle
+ escrowKeys:escrowKeys
+ error:error];
+ if (!bp) {
+ return nil;
+ }
+ return [self initWithBottledPeer:bp
+ signatureUsingEscrow:record.signatureUsingEscrowKey
+ signatureUsingPeerKey:record.signatureUsingPeerKey
+ escrowedSigningPubKey:escrowKeys.signingKey.publicKey
+ error:error];
+}
+
+- (OTBottledPeerRecord *)asRecord:(NSString*)escrowRecordID
+{
+ OTBottledPeerRecord *rec = [[OTBottledPeerRecord alloc] init];
+ rec.spID = self.bp.spID;
+ rec.escrowRecordID = [escrowRecordID copy];
+ rec.peerSigningSPKI = [self.bp.peerSigningKey.publicKey asSPKI];
+ rec.escrowedSigningSPKI = self.escrowSigningSPKI;
+ rec.bottle = self.bp.data;
+ rec.signatureUsingPeerKey = self.signatureUsingPeerKey;
+ rec.signatureUsingEscrowKey = self.signatureUsingEscrowKey;
+ rec.launched = @"NO";
+ return rec;
+}
+
+@end
+#endif
+
diff --git a/keychain/ot/OTCloudStore.h b/keychain/ot/OTCloudStore.h
new file mode 100644
index 00000000..0670aa8b
--- /dev/null
+++ b/keychain/ot/OTCloudStore.h
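Review bot: In OTBottledPeerSigned.m the verifying initializer ignores the result of `[OTIdentity storeOctagonIdentityIntoKeychain:... error:error]`, so it returns a non-nil object even when the restored keys were not stored, possibly with `*error` already set. If that method reports failure through its return value, which its `error:` parameter suggests but the hunk does not show, check it: `if (![OTIdentity storeOctagonIdentityIntoKeychain:... error:error]) { return nil; }`. The comment "Verify signatures, or return nil" should also mention this keychain write, since it is a side effect callers would not expect from an initializer. Separately, the signing initializer never sets `_escrowSigningPublicKey`, so `escrowSigningPublicKeyHash` digests zero-length input on objects created that way, and `restoredPeerID:` receives `self.bp.spID` rather than `peerID`, which is worth confirming.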
@@ -0,0 +1,85 @@
+/*
+ * Copyright (c) 2017 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+#ifndef OTCloudStore_h
+#define OTCloudStore_h
+
+#if OCTAGON
+#import "keychain/ot/OTLocalStore.h"
+
+#import
+#import
+
+#import "keychain/ckks/CKKSZone.h"
+#import "keychain/ckks/CloudKitDependencies.h"
+#import "keychain/ckks/CKKSCondition.h"
+#import "keychain/ckks/CKKSZoneChangeFetcher.h"
+#import "keychain/ckks/CKKSNotifier.h"
+#import "keychain/ckks/CKKSSQLDatabaseObject.h"
+#import "keychain/ckks/CKKSRecordHolder.h"
+#import "OTBottledPeerRecord.h"
+
+NS_ASSUME_NONNULL_BEGIN
+
+@interface OTCloudStore : CKKSZone
+
+@property (nonatomic, readonly) NSString* contextID;
+@property (nonatomic, readonly) NSString* dsid;
+@property (nonatomic, readonly) NSString* containerName;
+@property (nonatomic, readonly) CKRecordID* recordID;
+@property (nonatomic, readonly) CKKSResultOperation* viewSetupOperation;
+@property CKKSCondition* loggedIn;
+@property CKKSCondition* loggedOut;
+
+
+- (instancetype) initWithContainer:(CKContainer*) container
+ zoneName:(NSString*)zoneName
+ accountTracker:(nullable CKKSCKAccountStateTracker*)tracker
+ reachabilityTracker:(nullable CKKSReachabilityTracker*)reachabilityTracker
+ localStore:(OTLocalStore*)localStore
+ contextID:(NSString*)contextID
+ dsid:(NSString*)dsid
+fetchRecordZoneChangesOperationClass:(Class) fetchRecordZoneChangesOperationClass
+ fetchRecordsOperationClass:(Class)fetchRecordsOperationClass
+ queryOperationClass:(Class)queryOperationClass
+ modifySubscriptionsOperationClass:(Class) modifySubscriptionsOperationClass
+ modifyRecordZonesOperationClass:(Class) modifyRecordZonesOperationClass
+ apsConnectionClass:(Class) apsConnectionClass
+ operationQueue:(nullable NSOperationQueue *)operationQueue;
+
+
+- (BOOL) uploadBottledPeerRecord:(OTBottledPeerRecord *)bprecord
+ escrowRecordID:(NSString *)escrowRecordID
+ error:(NSError**)error;
+- (BOOL) downloadBottledPeerRecord:(NSError**)error;
+- (BOOL) removeBottledPeerRecordID:(CKRecordID*)recordID error:(NSError**)error;
+- (nullable NSArray*) retrieveListOfEligibleEscrowRecordIDs:(NSError**)error;
+
+- (void)notifyZoneChange:(CKRecordZoneNotification* _Nullable)notification;
+- (void)handleCKLogin;
+- (BOOL) performReset:(NSError**)error;
+
+@end
+
+NS_ASSUME_NONNULL_END
+#endif
+#endif /* OTCloudStore_h */
diff --git a/keychain/ot/OTCloudStore.m b/keychain/ot/OTCloudStore.m
new file mode 100644
index 00000000..ccecbaca
--- /dev/null
+++ b/keychain/ot/OTCloudStore.m
@@ -0,0 +1,763 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ +#if OCTAGON + +#import +#import + +#import "keychain/ot/OTCloudStore.h" +#import "keychain/ot/OTCloudStoreState.h" +#import "keychain/ckks/CKKSZoneStateEntry.h" +#import "keychain/ckks/CKKS.h" +#import "keychain/ot/OTDefines.h" +#import "keychain/ckks/CKKSReachabilityTracker.h" +#import + + +NS_ASSUME_NONNULL_BEGIN + +/* Octagon Trust Local Context Record Constants */ +static NSString* OTCKRecordContextID = @"contextID"; +static NSString* OTCKRecordDSID = @"accountDSID"; +static NSString* OTCKRecordContextName = @"contextName"; +static NSString* OTCKRecordZoneCreated = @"zoneCreated"; +static NSString* OTCKRecordSubscribedToChanges = @"subscribedToChanges"; +static NSString* OTCKRecordChangeToken = @"changeToken"; +static NSString* OTCKRecordEgoPeerID = @"egoPeerID"; +static NSString* OTCKRecordEgoPeerCreationDate = @"egoPeerCreationDate"; +static NSString* OTCKRecordRecoverySigningSPKI = @"recoverySigningSPKI"; +static NSString* OTCKRecordRecoveryEncryptionSPKI = 
@"recoveryEncryptionSPKI"; +static NSString* OTCKRecordBottledPeerTableEntry = @"bottledPeer"; + +/* Octagon Trust Local Peer Record */ +static NSString* OTCKRecordPeerID = @"peerID"; +static NSString* OTCKRecordPermanentInfo = @"permanentInfo"; +static NSString* OTCKRecordStableInfo = @"stableInfo"; +static NSString* OTCKRecordDynamicInfo = @"dynamicInfo"; +static NSString* OTCKRecordRecoveryVoucher = @"recoveryVoucher"; +static NSString* OTCKRecordIsEgoPeer = @"isEgoPeer"; + +/* Octagon Trust BottledPeerSchema */ +static NSString* OTCKRecordEscrowRecordID = @"escrowRecordID"; +static NSString* OTCKRecordBottle = @"bottle"; +static NSString* OTCKRecordSPID = @"spID"; +static NSString* OTCKRecordEscrowSigningSPKI = @"escrowSigningSPKI"; +static NSString* OTCKRecordPeerSigningSPKI = @"peerSigningSPKI"; +static NSString* OTCKRecordSignatureFromEscrow = @"signatureUsingEscrow"; +static NSString* OTCKRecordSignatureFromPeerKey = @"signatureUsingPeerKey"; +static NSString* OTCKRecordEncodedRecord = @"encodedRecord"; + +/* Octagon Table Names */ +static NSString* const contextTable = @"context"; +static NSString* const peerTable = @"peer"; +static NSString* const bottledPeerTable = @"bp"; + +/* Octagon Trust Schemas */ +static NSString* const octagonZoneName = @"OctagonTrustZone"; + +/* Octagon Cloud Kit defines */ +static NSString* OTCKContainerName = @"com.apple.security.keychain"; +static NSString* OTCKZoneName = @"OctagonTrust"; +static NSString* OTCKRecordName = @"bp-"; +static NSString* OTCKRecordBottledPeerType = @"OTBottledPeer"; + +@interface OTCloudStore () +@property (nonatomic, strong) NSString* dsid; +@property (nonatomic, strong) NSString* containerName; +@property (nonatomic, strong) CKModifyRecordsOperation* modifyRecordsOperation; +@property (nonatomic, strong) CKDatabaseOperation* fetchRecordZoneChangesOperation; +@property (nonatomic, strong) NSOperationQueue *operationQueue; +@property (nonatomic, strong) OTLocalStore* localStore; +@property 
(nonatomic, strong) CKKSResultOperation* viewSetupOperation; +@property (nonatomic, strong) NSError* error; +@end + +@class CKKSAPSReceiver; + +@interface OTCloudStore() + +@property CKDatabaseOperation* zoneCreationOperation; +@property CKDatabaseOperation* zoneDeletionOperation; +@property CKDatabaseOperation* zoneSubscriptionOperation; + +@property NSOperation* accountLoggedInDependency; + +@property NSHashTable* accountOperations; +@end + +@implementation OTCloudStore + +- (instancetype) initWithContainer:(CKContainer*) container + zoneName:(NSString*)zoneName + accountTracker:(nullable CKKSCKAccountStateTracker*)accountTracker + reachabilityTracker:(nullable CKKSReachabilityTracker*)reachabilityTracker + localStore:(OTLocalStore*)localStore + contextID:(NSString*)contextID + dsid:(NSString*)dsid +fetchRecordZoneChangesOperationClass:(Class) fetchRecordZoneChangesOperationClass + fetchRecordsOperationClass:(Class)fetchRecordsOperationClass + queryOperationClass:(Class)queryOperationClass + modifySubscriptionsOperationClass:(Class) modifySubscriptionsOperationClass + modifyRecordZonesOperationClass:(Class) modifyRecordZonesOperationClass + apsConnectionClass:(Class) apsConnectionClass + operationQueue:(nullable NSOperationQueue *)operationQueue +{ + + self = [super initWithContainer:container + zoneName:zoneName + accountTracker:accountTracker + reachabilityTracker:reachabilityTracker +fetchRecordZoneChangesOperationClass:fetchRecordZoneChangesOperationClass + fetchRecordsOperationClass:fetchRecordsOperationClass + queryOperationClass:queryOperationClass + modifySubscriptionsOperationClass:modifySubscriptionsOperationClass + modifyRecordZonesOperationClass:modifyRecordZonesOperationClass + apsConnectionClass:apsConnectionClass]; + + if(self){ + if (!operationQueue) { + operationQueue = [[NSOperationQueue alloc] init]; + } + _contextID = [contextID copy]; + _localStore = localStore; + _containerName = OTCKContainerName; + _dsid = [dsid copy]; + _operationQueue = 
operationQueue; + self.queue = dispatch_queue_create([[NSString stringWithFormat:@"OctagonTrustQueue.%@.zone.%@", container.containerIdentifier, zoneName] UTF8String], DISPATCH_QUEUE_SERIAL); + [self initializeZone]; + } + return self; + +} + +-(CKKSResultOperation*) otFetchAndProcessUpdates +{ + CKKSResultOperation* fetchOp = [CKKSResultOperation named:@"fetch-and-process-updates-watcher" withBlock:^{}]; + + __weak __typeof(self) weakSelf = self; + + [self dispatchSync: ^bool{ + + OTCloudStoreState* state = [OTCloudStoreState state: self.zoneName]; + + CKFetchRecordZoneChangesOptions* options = [[CKFetchRecordZoneChangesOptions alloc] init]; + options.previousServerChangeToken = state.changeToken; + + self.fetchRecordZoneChangesOperation = [[[self.fetchRecordZoneChangesOperationClass class] alloc] initWithRecordZoneIDs:@[self.zoneID] optionsByRecordZoneID:@{self.zoneID : options}]; + + self.fetchRecordZoneChangesOperation.recordChangedBlock = ^(CKRecord *record) { + secinfo("octagon", "CloudKit notification: record changed(%@): %@", [record recordType], record); + __strong __typeof(weakSelf) strongSelf = weakSelf; + + if(!strongSelf) { + secnotice("octagon", "received callback for released object"); + fetchOp.error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorOTCloudStore userInfo:@{NSLocalizedDescriptionKey: @"received callback for released object"}]; + + fetchOp.descriptionErrorCode = CKKSResultDescriptionPendingBottledPeerFetchRecords; + + return; + } + if ([record.recordType isEqualToString:OTCKRecordBottledPeerType]) { + NSError* localError = nil; + + //write to localStore + OTBottledPeerRecord *rec = [[OTBottledPeerRecord alloc] init]; + rec.bottle = record[OTCKRecordBottle]; + rec.spID = record[OTCKRecordSPID]; + rec.escrowRecordID = record[OTCKRecordEscrowRecordID]; + rec.escrowedSigningSPKI = record[OTCKRecordEscrowSigningSPKI]; + rec.peerSigningSPKI = record[OTCKRecordPeerSigningSPKI]; + rec.signatureUsingEscrowKey = 
record[OTCKRecordSignatureFromEscrow]; + rec.signatureUsingPeerKey = record[OTCKRecordSignatureFromPeerKey]; + rec.encodedRecord = [strongSelf recordToData:record]; + rec.launched = @"YES"; + BOOL result = [strongSelf.localStore insertBottledPeerRecord:rec escrowRecordID:record[OTCKRecordEscrowRecordID] error:&localError]; + if(!result || localError){ + secerror("Could not write bottled peer record:%@ to database: %@", record.recordID.recordName, localError); + fetchOp.error = localError; + fetchOp.descriptionErrorCode = CKKSResultDescriptionPendingBottledPeerFetchRecords; + + } + secnotice("octagon", "fetched changes: %@", record); + } + }; + + self.fetchRecordZoneChangesOperation.recordWithIDWasDeletedBlock = ^(CKRecordID *RecordID, NSString *recordType) { + secinfo("octagon", "CloudKit notification: deleted record(%@): %@", recordType, RecordID); + }; + + self.fetchRecordZoneChangesOperation.recordZoneChangeTokensUpdatedBlock = ^(CKRecordZoneID *recordZoneID, CKServerChangeToken *serverChangeToken, NSData *clientChangeTokenData) { + __strong __typeof(weakSelf) strongSelf = weakSelf; + NSError* error = nil; + OTCloudStoreState* state = [OTCloudStoreState state: strongSelf.zoneName]; + secdebug("octagon", "Received a new server change token: %@ %@", serverChangeToken, clientChangeTokenData); + state.changeToken = serverChangeToken; + + if(error) { + secerror("octagon: Couldn't save new server change token: %@", error); + fetchOp.error = error; + fetchOp.descriptionErrorCode = CKKSResultDescriptionPendingBottledPeerFetchRecords; + } + }; + + // Completion blocks don't count for dependencies. Use this intermediate operation hack instead. 
+ NSBlockOperation* recordZoneChangesCompletedOperation = [[NSBlockOperation alloc] init]; + self.fetchRecordZoneChangesOperation.recordZoneFetchCompletionBlock = ^(CKRecordZoneID *recordZoneID, CKServerChangeToken *serverChangeToken, NSData *clientChangeTokenData, BOOL moreComing, NSError * recordZoneError) { + __strong __typeof(weakSelf) strongSelf = weakSelf; + if(!strongSelf) { + secnotice("octagon", "received callback for released object"); + return; + } + if(recordZoneError) { + secerror("octagon: FetchRecordZoneChanges(%@) error: %@", strongSelf.zoneName, recordZoneError); + fetchOp.error = recordZoneError; + fetchOp.descriptionErrorCode = CKKSResultDescriptionPendingBottledPeerFetchRecords; + } + + // TODO: fetch state here + if(serverChangeToken) { + NSError* error = nil; + secdebug("octagon", "Zone change fetch complete: received a new server change token: %@ %@", serverChangeToken, clientChangeTokenData); + state.changeToken = serverChangeToken; + if(error) { + secerror("octagon: Couldn't save new server change token: %@", error); + fetchOp.error = error; + fetchOp.descriptionErrorCode = CKKSResultDescriptionPendingBottledPeerFetchRecords; + } + } + secdebug("octagon", "Record zone fetch complete: changeToken=%@ error=%@", serverChangeToken, recordZoneError); + + [strongSelf.operationQueue addOperation: recordZoneChangesCompletedOperation]; + [strongSelf.operationQueue addOperation: fetchOp]; + + }; + self.fetchRecordZoneChangesOperation.fetchRecordZoneChangesCompletionBlock = ^(NSError * _Nullable operationError) { + __strong __typeof(weakSelf) strongSelf = weakSelf; + if(!strongSelf) { + secnotice("octagon", "received callback for released object"); + fetchOp.error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorOTCloudStore userInfo:@{NSLocalizedDescriptionKey: @"received callback for released object"}]; + fetchOp.descriptionErrorCode = CKKSResultDescriptionPendingBottledPeerFetchRecords; + return; + } + secnotice("octagon", "Record zone 
changes fetch complete: error=%@", operationError); + }; + return true; + }]; + [self.database addOperation: self.fetchRecordZoneChangesOperation]; + + return fetchOp; +} + + +- (void)notifyZoneChange:(CKRecordZoneNotification* _Nullable)notification +{ + secnotice("octagon", "received notify zone change. notification: %@", notification); + + CKKSResultOperation* op = [CKKSResultOperation named:@"cloudkit-fetch-and-process-changes" withBlock:^{}]; + + [op addSuccessDependency: [self otFetchAndProcessUpdates]]; + + [op timeout:(SecCKKSTestsEnabled() ? 2*NSEC_PER_SEC : 120*NSEC_PER_SEC)]; + [self.operationQueue addOperation: op]; + + [op waitUntilFinished]; + if(op.error != nil) { + secerror("octagon: failed to fetch changes error:%@", op.error); + } + else{ + secnotice("octagon", "downloaded bottled peer records"); + } +} + +-(BOOL) downloadBottledPeerRecord:(NSError**)error +{ + secnotice("octagon", "downloadBottledPeerRecord"); + BOOL result = NO; + CKKSResultOperation* op = [CKKSResultOperation named:@"cloudkit-fetch-and-process-changes" withBlock:^{}]; + + [op addSuccessDependency: [self otFetchAndProcessUpdates]]; + + [op timeout:(SecCKKSTestsEnabled() ? 
2*NSEC_PER_SEC : 120*NSEC_PER_SEC)]; + [self.operationQueue addOperation: op]; + + [op waitUntilFinished]; + if(op.error != nil) { + secerror("octagon: failed to fetch changes error:%@", op.error); + if(error){ + *error = op.error; + } + } + else{ + result = YES; + secnotice("octagon", "downloaded bottled peer records"); + } + return result; +} + +- (nullable NSArray*) retrieveListOfEligibleEscrowRecordIDs:(NSError**)error +{ + NSError* localError = nil; + + NSMutableArray* recordIDs = [NSMutableArray array]; + + //fetch any recent changes first before gathering escrow record ids + CKKSResultOperation* op = [CKKSResultOperation named:@"cloudkit-fetch-and-process-changes" withBlock:^{}]; + + secnotice("octagon", "Beginning CloudKit fetch"); + [op addSuccessDependency: [self otFetchAndProcessUpdates]]; + + [op timeout:(SecCKKSTestsEnabled() ? 2*NSEC_PER_SEC : 120*NSEC_PER_SEC)]; + [self.operationQueue addOperation: op]; + + [op waitUntilFinished]; + if(op.error != nil) { + secerror("octagon: failed to fetch changes error:%@", op.error); + if(error){ + *error = op.error; + } + return nil; + } + NSArray* localStoreBottledPeerRecords = [self.localStore readAllLocalBottledPeerRecords:&localError]; + if(!localStoreBottledPeerRecords) + { + secerror("octagon: local store contains no bottled peer entries: %@", localError); + if(error){ + *error = localError; + } + return nil; + } + for(OTBottledPeerRecord* entry in localStoreBottledPeerRecords){ + NSString* escrowID = entry.escrowRecordID; + if(escrowID && ![recordIDs containsObject:escrowID]){ + [recordIDs addObject:escrowID]; + } + } + + return recordIDs; +} + +-(CKRecord*) dataToRecord:(NSData*)encodedRecord +{ + NSKeyedUnarchiver *coder = [[NSKeyedUnarchiver alloc] initForReadingFromData:encodedRecord error:nil]; + CKRecord* record = [[CKRecord alloc] initWithCoder:coder]; + [coder finishDecoding]; + return record; +} + +-(NSData*) recordToData:(CKRecord*)record +{ + NSKeyedArchiver *archiver = [[NSKeyedArchiver alloc] 
initRequiringSecureCoding:YES]; + [record encodeWithCoder:archiver]; + [archiver finishEncoding]; + + return archiver.encodedData; +} + +-( CKRecord* _Nullable ) CKRecordFromMirror:(CKRecordID*)recordID bpRecord:(OTBottledPeerRecord*)bprecord escrowRecordID:(NSString*)escrowRecordID error:(NSError**)error +{ + CKRecord* record = nil; + + OTBottledPeerRecord* recordFromDB = [self.localStore readLocalBottledPeerRecordWithRecordID:recordID.recordName error:error]; + if(recordFromDB && recordFromDB.encodedRecord != nil){ + record = [self dataToRecord:recordFromDB.encodedRecord]; + } + else{ + record = [[CKRecord alloc] initWithRecordType:OTCKRecordBottledPeerType recordID:recordID]; + } + + if(record == nil){ + secerror("octagon: failed to create cloud kit record"); + if(error){ + *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorOTCloudStore userInfo:@{NSLocalizedDescriptionKey: @"failed to create cloud kit record"}]; + } + return nil; + } + record[OTCKRecordPeerID] = bprecord.peerID; + record[OTCKRecordSPID] = bprecord.spID; + record[OTCKRecordEscrowSigningSPKI] = bprecord.escrowedSigningSPKI; + record[OTCKRecordPeerSigningSPKI] = bprecord.peerSigningSPKI; + record[OTCKRecordEscrowRecordID] = escrowRecordID; + record[OTCKRecordBottle] = bprecord.bottle; + record[OTCKRecordSignatureFromEscrow] = bprecord.signatureUsingEscrowKey; + record[OTCKRecordSignatureFromPeerKey] = bprecord.signatureUsingPeerKey; + + return record; +} + +-(CKKSResultOperation*) modifyRecords:(NSArray*) recordsToSave deleteRecordIDs:(NSArray*) recordIDsToDelete +{ + __weak __typeof(self) weakSelf = self; + CKKSResultOperation* modifyOp = [CKKSResultOperation named:@"modify-records-watcher" withBlock:^{}]; + + [self dispatchSync: ^bool{ + self.modifyRecordsOperation = [[CKModifyRecordsOperation alloc] initWithRecordsToSave:recordsToSave recordIDsToDelete:recordIDsToDelete]; + + self.modifyRecordsOperation.atomic = YES; + self.modifyRecordsOperation.longLived = NO; // The keys are 
only in memory; mark this explicitly not long-lived + self.modifyRecordsOperation.qualityOfService = NSQualityOfServiceUserInitiated; // Currently done during buddy. User is waiting. + self.modifyRecordsOperation.savePolicy = CKRecordSaveIfServerRecordUnchanged; + + self.modifyRecordsOperation.perRecordCompletionBlock = ^(CKRecord *record, NSError * _Nullable error) { + // These should all fail or succeed as one. Do the hard work in the records completion block. + if(!error) { + secnotice("octagon", "Successfully completed upload for %@", record.recordID.recordName); + + } else { + secerror("octagon: error on row: %@ %@", record.recordID.recordName, error); + modifyOp.error = error; + modifyOp.descriptionErrorCode = CKKSResultDescriptionPendingBottledPeerModifyRecords; + [weakSelf.operationQueue addOperation:modifyOp]; + } + }; + self.modifyRecordsOperation.modifyRecordsCompletionBlock = ^(NSArray *savedRecords, NSArray *deletedRecordIDs, NSError *error) { + secnotice("octagon", "Completed trust update"); + __strong __typeof(weakSelf) strongSelf = weakSelf; + + if(error){ + modifyOp.error = error; + modifyOp.descriptionErrorCode = CKKSResultDescriptionPendingBottledPeerModifyRecords; + secerror("octagon: received error from cloudkit: %@", error); + if([error.domain isEqualToString:CKErrorDomain] && (error.code == CKErrorPartialFailure)) { + NSMutableDictionary* failedRecords = error.userInfo[CKPartialErrorsByItemIDKey]; + ckksnotice("octagon", strongSelf, "failed records %@", failedRecords); + } + return; + } + if(!strongSelf) { + secerror("octagon: received callback for released object"); + modifyOp.error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorOTCloudStore userInfo:@{NSLocalizedDescriptionKey: @"received callback for released object"}]; + modifyOp.descriptionErrorCode = CKKSResultDescriptionPendingBottledPeerModifyRecords; + [strongSelf.operationQueue addOperation:modifyOp]; + return; + } + + if(savedRecords && [savedRecords count] > 0){ + 
for(CKRecord* record in savedRecords){ + NSError* localError = nil; + secnotice("octagon", "saving recordID: %@ changeToken:%@", record.recordID.recordName, record.recordChangeTag); + + //write to localStore + OTBottledPeerRecord *rec = [[OTBottledPeerRecord alloc] init]; + rec.bottle = record[OTCKRecordBottle]; + rec.spID = record[OTCKRecordSPID]; + rec.escrowRecordID = record[OTCKRecordEscrowRecordID]; + rec.signatureUsingEscrowKey = record[OTCKRecordSignatureFromEscrow]; + rec.signatureUsingPeerKey = record[OTCKRecordSignatureFromPeerKey]; + rec.encodedRecord = [strongSelf recordToData:record]; + rec.launched = @"YES"; + rec.escrowedSigningSPKI = record[OTCKRecordEscrowSigningSPKI]; + rec.peerSigningSPKI = record[OTCKRecordPeerSigningSPKI]; + + BOOL result = [strongSelf.localStore insertBottledPeerRecord:rec escrowRecordID:record[OTCKRecordEscrowRecordID] error:&localError]; + + if(!result || localError){ + secerror("Could not write bottled peer record:%@ to database: %@", record.recordID.recordName, localError); + } + + if(localError){ + secerror("octagon: could not save to database: %@", localError); + modifyOp.error = localError; + modifyOp.descriptionErrorCode = CKKSResultDescriptionPendingBottledPeerModifyRecords; + } + } + } + else if(deletedRecordIDs && [deletedRecordIDs count] >0){ + for(CKRecordID* recordID in deletedRecordIDs){ + secnotice("octagon", "removed recordID: %@", recordID); + NSError* localError = nil; + BOOL result = [strongSelf.localStore deleteBottledPeer:recordID.recordName error:&localError]; + if(!result){ + secerror("octagon: could not remove record id: %@, error:%@", recordID, localError); + modifyOp.error = localError; + modifyOp.descriptionErrorCode = CKKSResultDescriptionPendingBottledPeerModifyRecords; + } + } + } + [strongSelf.operationQueue addOperation:modifyOp]; + }; + return true; + }]; + + [self.database addOperation: self.modifyRecordsOperation]; + return modifyOp; +} + +- (BOOL) 
uploadBottledPeerRecord:(OTBottledPeerRecord *)bprecord + escrowRecordID:(NSString *)escrowRecordID + error:(NSError**)error +{ + secnotice("octagon", "sending bottled peer to cloudkit"); + BOOL result = YES; + + CKRecordID* recordID = [[CKRecordID alloc] initWithRecordName:bprecord.recordName zoneID:self.zoneID]; + CKRecord *record = [self CKRecordFromMirror:recordID bpRecord:bprecord escrowRecordID:escrowRecordID error:error]; + + if(!record){ + return NO; + } + CKKSResultOperation* op = [CKKSResultOperation named:@"cloudkit-modify-changes" withBlock:^{}]; + + secnotice("octagon", "Beginning CloudKit ModifyRecords"); + [op addSuccessDependency: [self modifyRecords:@[ record ] deleteRecordIDs:@[]]]; + + [op timeout:(SecCKKSTestsEnabled() ? 2*NSEC_PER_SEC : 120*NSEC_PER_SEC)]; + [self.operationQueue addOperation: op]; + + [op waitUntilFinished]; + if(op.error != nil) { + secerror("octagon: failed to commit record changes error:%@", op.error); + if(error){ + *error = op.error; + } + return NO; + } + secnotice("octagon", "successfully uploaded record: %@", bprecord.recordName); + return result; +} + +-(BOOL) removeBottledPeerRecordID:(CKRecordID*)recordID error:(NSError**)error +{ + secnotice("octagon", "removing bottled peer from cloudkit"); + BOOL result = YES; + + NSMutableArray* recordIDsToRemove = [[NSMutableArray alloc] init]; + [recordIDsToRemove addObject:recordID]; + + CKKSResultOperation* op = [CKKSResultOperation named:@"cloudkit-modify-changes" withBlock:^{}]; + + secnotice("octagon", "Beginning CloudKit ModifyRecords"); + [op addSuccessDependency: [self modifyRecords:[NSMutableArray array] deleteRecordIDs:recordIDsToRemove]]; + + [op timeout:(SecCKKSTestsEnabled() ? 
2*NSEC_PER_SEC : 120*NSEC_PER_SEC)]; + [self.operationQueue addOperation: op]; + + [op waitUntilFinished]; + if(op.error != nil) { + secerror("octagon: ailed to commit record changes error:%@", op.error); + if(error){ + *error = op.error; + } + return NO; + } + + return result; +} + +- (void)_onqueueHandleCKLogin { + if(!SecCKKSIsEnabled()) { + ckksnotice("ckks", self, "Skipping CloudKit initialization due to disabled CKKS"); + return; + } + + dispatch_assert_queue(self.queue); + + __weak __typeof(self) weakSelf = self; + + CKKSZoneStateEntry* ckse = [CKKSZoneStateEntry state: self.zoneName]; + [self handleCKLogin:ckse.ckzonecreated zoneSubscribed:ckse.ckzonesubscribed]; + + self.viewSetupOperation = [CKKSResultOperation operationWithBlock: ^{ + __strong __typeof(weakSelf) strongSelf = weakSelf; + if(!strongSelf) { + ckkserror("ckks", strongSelf, "received callback for released object"); + return; + } + + __block bool quit = false; + + [strongSelf dispatchSync: ^bool { + ckksnotice("octagon", strongSelf, "Zone setup progress: %@ %d %@ %d %@", + [CKKSCKAccountStateTracker stringFromAccountStatus:strongSelf.accountStatus], + strongSelf.zoneCreated, strongSelf.zoneCreatedError, strongSelf.zoneSubscribed, strongSelf.zoneSubscribedError); + + NSError* error = nil; + CKKSZoneStateEntry* ckse = [CKKSZoneStateEntry state: strongSelf.zoneName]; + ckse.ckzonecreated = strongSelf.zoneCreated; + ckse.ckzonesubscribed = strongSelf.zoneSubscribed; + + // Although, if the zone subscribed error says there's no zone, mark down that there's no zone + if(strongSelf.zoneSubscribedError && + [strongSelf.zoneSubscribedError.domain isEqualToString:CKErrorDomain] && strongSelf.zoneSubscribedError.code == CKErrorPartialFailure) { + NSError* subscriptionError = strongSelf.zoneSubscribedError.userInfo[CKPartialErrorsByItemIDKey][strongSelf.zoneID]; + if(subscriptionError && [subscriptionError.domain isEqualToString:CKErrorDomain] && subscriptionError.code == CKErrorZoneNotFound) { + + 
ckkserror("octagon", strongSelf, "zone subscription error appears to say the zone doesn't exist, fixing status: %@", strongSelf.zoneSubscribedError); + ckse.ckzonecreated = false; + } + } + + [ckse saveToDatabase: &error]; + if(error) { + ckkserror("octagon", strongSelf, "couldn't save zone creation status for %@: %@", strongSelf.zoneName, error); + } + + if(!strongSelf.zoneCreated || !strongSelf.zoneSubscribed || strongSelf.accountStatus != CKAccountStatusAvailable) { + // Something has gone very wrong. Error out and maybe retry. + quit = true; + + // Note that CKKSZone has probably called [handleLogout]; which means we have a key hierarchy reset queued up. Error here anyway. + NSError* realReason = strongSelf.zoneCreatedError ? strongSelf.zoneCreatedError : strongSelf.zoneSubscribedError; + strongSelf.viewSetupOperation.error = realReason; + + + return true; + } + + return true; + }]; + + if(quit) { + ckkserror("octagon", strongSelf, "Quitting setup."); + return; + } + }]; + self.viewSetupOperation.name = @"zone-setup"; + + [self.viewSetupOperation addNullableDependency: self.zoneSetupOperation]; + [self scheduleAccountStatusOperation: self.viewSetupOperation]; +} + +- (void)handleCKLogin +{ + ckksinfo("octagon", self, "received a notification of CK login"); + + __weak __typeof(self) weakSelf = self; + CKKSResultOperation* login = [CKKSResultOperation named:@"octagon-login" withBlock:^{ + __strong __typeof(self) strongSelf = weakSelf; + + [strongSelf dispatchSync:^bool{ + strongSelf.accountStatus = CKKSAccountStatusAvailable; + [strongSelf _onqueueHandleCKLogin]; + return true; + }]; + }]; + + [self scheduleAccountStatusOperation:login]; +} + +- (bool)_onqueueResetLocalData: (NSError * __autoreleasing *) error { + dispatch_assert_queue(self.queue); + + NSError* localerror = nil; + bool setError = false; + + CKKSZoneStateEntry* ckse = [CKKSZoneStateEntry state: self.zoneName]; + ckse.ckzonecreated = false; + ckse.ckzonesubscribed = false; + ckse.changeToken = 
NULL; + [ckse saveToDatabase: &localerror]; + if(localerror) { + ckkserror("ckks", self, "couldn't reset zone status for %@: %@", self.zoneName, localerror); + if(error && !setError) { + *error = localerror; setError = true; + } + } + + BOOL result = [_localStore removeAllBottledPeerRecords:&localerror]; + if(!result){ + *error = localerror; + secerror("octagon: failed to move all bottled peer entries for context: %@ error: %@", self.contextID, localerror); + } + return (localerror == nil && !setError); +} + +-(CKKSResultOperation*) resetOctagonTrustZone:(NSError**)error +{ + // On a reset, we should cancel all existing operations + [self cancelAllOperations]; + CKKSResultOperation* reset = [super deleteCloudKitZoneOperation:nil]; + [self scheduleOperationWithoutDependencies:reset]; + + __weak __typeof(self) weakSelf = self; + CKKSGroupOperation* resetFollowUp = [[CKKSGroupOperation alloc] init]; + resetFollowUp.name = @"cloudkit-reset-follow-up-group"; + + [resetFollowUp runBeforeGroupFinished: [CKKSResultOperation named:@"cloudkit-reset-follow-up" withBlock: ^{ + __strong __typeof(weakSelf) strongSelf = weakSelf; + if(!strongSelf) { + ckkserror("octagon", strongSelf, "received callback for released object"); + return; + } + + if(!reset.error) { + ckksnotice("octagon", strongSelf, "Successfully deleted zone %@", strongSelf.zoneName); + __block NSError* error = nil; + + [strongSelf dispatchSync: ^bool{ + [strongSelf _onqueueResetLocalData: &error]; + return true; + }]; + } else { + // Shouldn't ever happen, since reset is a successDependency + ckkserror("ckks", strongSelf, "Couldn't reset zone %@: %@", strongSelf.zoneName, reset.error); + } + }]]; + + [resetFollowUp addSuccessDependency:reset]; + [self scheduleOperationWithoutDependencies:resetFollowUp]; + + return reset; +} + +-(BOOL) performReset:(NSError**)error +{ + BOOL result = NO; + CKKSResultOperation* op = [CKKSResultOperation named:@"cloudkit-reset-zones-waiter" withBlock:^{}]; + + secnotice("octagon", 
"Beginning CloudKit reset for Octagon Trust"); + [op addSuccessDependency:[self resetOctagonTrustZone:error]]; + + [op timeout:(SecCKKSTestsEnabled() ? 2*NSEC_PER_SEC : 120*NSEC_PER_SEC)]; + [self.operationQueue addOperation: op]; + + [op waitUntilFinished]; + if(!op.error) { + secnotice("octagon", "Completed rpcResetCloudKit"); + __weak __typeof(self) weakSelf = self; + CKKSResultOperation* login = [CKKSResultOperation named:@"octagon-login" withBlock:^{ + __strong __typeof(self) strongSelf = weakSelf; + + [strongSelf dispatchSync:^bool{ + strongSelf.accountStatus = CKKSAccountStatusAvailable; + [strongSelf handleCKLogin:false zoneSubscribed:false]; + return true; + }]; + }]; + + [self.operationQueue addOperation:login]; + result = YES; + } else { + secnotice("octagon", "Completed rpcResetCloudKit with error: %@", op.error); + if(error){ + *error = op.error; + } + } + + return result; +} + +@end + +NS_ASSUME_NONNULL_END +#endif + diff --git a/keychain/ot/OTCloudStoreState.h b/keychain/ot/OTCloudStoreState.h new file mode 100644 index 00000000..915a3200 --- /dev/null +++ b/keychain/ot/OTCloudStoreState.h 
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2016 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#ifndef OTCloudStoreState_h
+#define OTCloudStoreState_h
+
+#if OCTAGON
+#import "keychain/ckks/CKKSSQLDatabaseObject.h"
+
+@interface OTCloudStoreState : CKKSSQLDatabaseObject
+
+@property NSString* ckzone;
+@property bool ckzonecreated;
+@property bool ckzonesubscribed;
+@property (getter=getChangeToken, setter=setChangeToken:) CKServerChangeToken* changeToken;
+@property NSData* encodedChangeToken;
+@property NSDate* lastFetchTime;
+
++ (instancetype)state:(NSString*)ckzone;
+
++ (instancetype)fromDatabase:(NSString*)ckzone error:(NSError* __autoreleasing*)error;
++ (instancetype)tryFromDatabase:(NSString*)ckzone error:(NSError* __autoreleasing*)error;
+
+- (instancetype)initWithCKZone:(NSString*)ckzone
+ zoneCreated:(bool)ckzonecreated
+ zoneSubscribed:(bool)ckzonesubscribed
+ changeToken:(NSData*)changetoken
+ lastFetch:(NSDate*)lastFetch;
+
+- (CKServerChangeToken*)getChangeToken;
+- (void)setChangeToken:(CKServerChangeToken*)token;
+
+- (BOOL)isEqual:(id)object;
+@end
+
+#endif
+#endif /* OTCloudStoreState_h */
diff --git a/keychain/ot/OTCloudStoreState.m b/keychain/ot/OTCloudStoreState.m
new file mode 100644
index 00000000..3c119dc7
--- /dev/null
+++ b/keychain/ot/OTCloudStoreState.m
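Review bot: `isEqual:` is redeclared here and overridden in OTCloudStoreState.m, but neither hunk adds a matching `hash`, so two states that compare equal can hash differently unless CKKSSQLDatabaseObject (not shown) already derives `hash` from the same fields. Either add `- (NSUInteger)hash { return self.ckzone.hash; }` next to the override, or drop the custom `isEqual:` if nothing relies on it. The `changeToken` property also deserves a comment saying it is a computed view over `encodedChangeToken`, e.g. `// Archived into / decoded from encodedChangeToken; not stored separately.`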
@@ -0,0 +1,155 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#include + +#import +#import + +#import "CKKSKeychainView.h" + +#include +#include +#include + +#if OCTAGON + +#import +#import "OTCloudStoreState.h" + +@implementation OTCloudStoreState + +- (instancetype)initWithCKZone:(NSString*)ckzone + zoneCreated:(bool)ckzonecreated + zoneSubscribed:(bool)ckzonesubscribed + changeToken:(NSData*)changetoken + lastFetch:(NSDate*)lastFetch +{ + if(self = [super init]) { + _ckzone = [ckzone copy]; + _ckzonecreated = ckzonecreated; + _ckzonesubscribed = ckzonesubscribed; + _encodedChangeToken = [changetoken copy]; + _lastFetchTime = [lastFetch copy]; + } + return self; +} + +- (BOOL)isEqual: (id) object { + if(![object isKindOfClass:[OTCloudStoreState class]]) { + return NO; + } + + OTCloudStoreState* obj = (OTCloudStoreState*) object; + + return ([self.ckzone isEqualToString: obj.ckzone] && + self.ckzonecreated == obj.ckzonecreated && + self.ckzonesubscribed == obj.ckzonesubscribed && + ((self.encodedChangeToken == nil && 
obj.encodedChangeToken == nil) || [self.encodedChangeToken isEqual: obj.encodedChangeToken]) && + ((self.lastFetchTime == nil && obj.lastFetchTime == nil) || [self.lastFetchTime isEqualToDate: obj.lastFetchTime]) && + true) ? YES : NO; +} + ++ (instancetype) state: (NSString*) ckzone { + NSError* error = nil; + OTCloudStoreState* ret = [OTCloudStoreState tryFromDatabase:ckzone error:&error]; + + if(error) { + secerror("octagon: error fetching CKState(%@): %@", ckzone, error); + } + + if(!ret) { + ret = [[OTCloudStoreState alloc] initWithCKZone:ckzone + zoneCreated:false + zoneSubscribed:false + changeToken:nil + lastFetch:nil]; + } + return ret; +} + +- (CKServerChangeToken*) getChangeToken { + if(self.encodedChangeToken) { + NSKeyedUnarchiver* unarchiver = [[NSKeyedUnarchiver alloc] initForReadingFromData:self.encodedChangeToken error:nil]; + return [unarchiver decodeObjectOfClass:[CKServerChangeToken class] forKey:NSKeyedArchiveRootObjectKey]; + } else { + return nil; + } +} + +- (void) setChangeToken: (CKServerChangeToken*) token { + self.encodedChangeToken = token ? 
[NSKeyedArchiver archivedDataWithRootObject:token requiringSecureCoding:YES error:nil] : nil; +} + +#pragma mark - Database Operations + ++ (instancetype) fromDatabase: (NSString*) ckzone error: (NSError * __autoreleasing *) error { + return [self fromDatabaseWhere: @{@"ckzone": CKKSNilToNSNull(ckzone)} error: error]; +} + ++ (instancetype) tryFromDatabase: (NSString*) ckzone error: (NSError * __autoreleasing *) error { + return [self tryFromDatabaseWhere: @{@"ckzone": CKKSNilToNSNull(ckzone)} error: error]; +} + +#pragma mark - CKKSSQLDatabaseObject methods + ++ (NSString*) sqlTable { + return @"ckstate"; +} + ++ (NSArray*) sqlColumns { + return @[@"ckzone", @"ckzonecreated", @"ckzonesubscribed", @"changetoken", @"lastfetch", @"ratelimiter", @"lastFixup"]; +} + +- (NSDictionary*) whereClauseToFindSelf { + return @{@"ckzone": self.ckzone}; +} + +- (NSDictionary*) sqlValues { + NSISO8601DateFormatter* dateFormat = [[NSISO8601DateFormatter alloc] init]; + + return @{@"ckzone": self.ckzone, + @"ckzonecreated": [NSNumber numberWithBool:self.ckzonecreated], + @"ckzonesubscribed": [NSNumber numberWithBool:self.ckzonesubscribed], + @"changetoken": CKKSNilToNSNull([self.encodedChangeToken base64EncodedStringWithOptions:0]), + @"lastfetch": CKKSNilToNSNull(self.lastFetchTime ? [dateFormat stringFromDate: self.lastFetchTime] : nil), + }; +} + ++ (instancetype) fromDatabaseRow: (NSDictionary*) row { + NSISO8601DateFormatter* dateFormat = [[NSISO8601DateFormatter alloc] init]; + + return [[OTCloudStoreState alloc] initWithCKZone: row[@"ckzone"] + zoneCreated: [row[@"ckzonecreated"] boolValue] + zoneSubscribed: [row[@"ckzonesubscribed"] boolValue] + changeToken: ![row[@"changetoken"] isEqual: [NSNull null]] ? + [[NSData alloc] initWithBase64EncodedString: row[@"changetoken"] options:0] : + nil + lastFetch: [row[@"lastfetch"] isEqual: [NSNull null]] ? nil : [dateFormat dateFromString: row[@"lastfetch"]] + ]; +} + +@end + +#endif //OTCloudStoreState + 
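Review bot: `getChangeToken` passes `error:nil` to `initForReadingFromData:` and `setChangeToken:` passes `error:nil` to `archivedDataWithRootObject:`, so a corrupt or unexpected `changetoken` value loaded from the database silently becomes a nil token with nothing logged. Capture the error and report it the way `+state:` already does: declare `NSError* error = nil;`, pass `error:&error`, and follow with `if(error) { secerror("octagon: couldn't decode change token: %@", error); }`. Separately, `sqlColumns` lists `ratelimiter` and `lastFixup`, while `sqlValues` and `fromDatabaseRow:` never touch them. If the superclass (not shown) writes every listed column on save, those two columns may be cleared for this row in `ckstate`, so confirm that or trim the list.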
diff --git a/keychain/ot/OTConstants.h b/keychain/ot/OTConstants.h
new file mode 100644
index 00000000..5b3010c3
--- /dev/null
+++ b/keychain/ot/OTConstants.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright (c) 2017 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#ifndef OTConstants_h
+#define OTConstants_h
+
+#import
+
+extern NSString* OTDefaultContext;
+
+#endif /* OTConstants_h */
diff --git a/keychain/ot/OTConstants.m b/keychain/ot/OTConstants.m
new file mode 100644
index 00000000..5e2e40f2
--- /dev/null
+++ b/keychain/ot/OTConstants.m
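Review bot: `extern NSString* OTDefaultContext;` declares a mutable global pointer, so any translation unit that imports this header can reassign the default context name at runtime. The definition in the OTConstants.m hunk has the same problem. Declare it `extern NSString* const OTDefaultContext;` and define it as `NSString* const OTDefaultContext = @"defaultContext";`.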
@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2017 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#import "OTConstants.h"
+
+NSString* OTDefaultContext = @"defaultContext";
+
+
diff --git a/keychain/ot/OTContext.h b/keychain/ot/OTContext.h
new file mode 100644
index 00000000..52b33e7b
--- /dev/null
+++ b/keychain/ot/OTContext.h
@@ -0,0 +1,79 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if OCTAGON +#import +#import "OTLocalStore.h" +#import "OTCloudStore.h" +#import "OTEscrowKeys.h" +#import "OTIdentity.h" +#import "OTBottledPeer.h" +#import "OTBottledPeerSigned.h" +#import "OTRamping.h" +#import "OTDefines.h" +#import "OTPreflightInfo.h" +#import "keychain/ckks/CKKSLockStateTracker.h" + +NS_ASSUME_NONNULL_BEGIN + +@protocol OTContextIdentityProvider +- (nullable OTIdentity *) currentIdentity:(NSError**) error; +@end + + +@interface OTContext : NSObject + +@property (nonatomic, readonly) NSString* contextID; +@property (nonatomic, readonly) NSString* dsid; +@property (nonatomic, readonly) OTCloudStore* cloudStore; + +@property (nonatomic, readonly) CKKSLockStateTracker* lockStateTracker; +@property (nonatomic, readonly) CKKSCKAccountStateTracker* accountTracker; +@property (nonatomic, readonly) CKKSReachabilityTracker *reachabilityTracker; + +- (nullable instancetype) initWithContextID:(NSString*)contextID + dsid:(NSString*)dsid + 
localStore:(OTLocalStore*)localStore + cloudStore:(nullable OTCloudStore*)cloudStore + identityProvider:(id )identityProvider + error:(NSError**)error; + +- (nullable OTBottledPeerSigned *) restoreFromEscrowRecordID:(NSString*)escrowRecordID + secret:(NSData*)secret + error:(NSError**)error; + +- (NSData* _Nullable) makeMeSomeEntropy:(int)requiredLength; +- (nullable OTPreflightInfo*) preflightBottledPeer:(NSString*)contextID + entropy:(NSData*)entropy + error:(NSError**)error; +- (BOOL)scrubBottledPeer:(NSString*)contextID + bottleID:(NSString*)bottleID + error:(NSError**)error; + +-(OctagonBottleCheckState)doesThisDeviceHaveABottle:(NSError**)error; +-(void) postFollowUp; + +@end +NS_ASSUME_NONNULL_END +#endif + diff --git a/keychain/ot/OTContext.m b/keychain/ot/OTContext.m new file mode 100644 index 00000000..479d8878 --- /dev/null +++ b/keychain/ot/OTContext.m 
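Review bot: `makeMeSomeEntropy:(int)requiredLength` takes a signed length, so zero and negative values are representable, and the header gives callers no contract for them or for when nil is returned. The implementation is outside this hunk, so how it handles those values cannot be confirmed here. Prefer `- (NSData* _Nullable) makeMeSomeEntropy:(NSUInteger)requiredLength;` and add a comment above it such as `// Returns requiredLength random bytes, or nil on failure.` once that wording matches the implementation. `restoreFromEscrowRecordID:secret:error:` would likewise benefit from a comment stating what `secret` is expected to contain.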
@@ -0,0 +1,557 @@
+/*
+ * Copyright (c) 2017 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+#if OCTAGON
+
+#import "OTContext.h"
+#import "SFPublicKey+SPKI.h"
+
+#include
+#include
+
+#import "keychain/ckks/CKKS.h"
+#import "keychain/ckks/CKKSViewManager.h"
+#import "keychain/ckks/CKKSAnalytics.h"
+
+#import "CoreCDP/CDPFollowUpController.h"
+#import "CoreCDP/CDPFollowUpContext.h"
+#import
+
+NSString* OTCKContainerName = @"com.apple.security.keychain";
+NSString* OTCKZoneName = @"OctagonTrust";
+static NSString* const kOTRampZoneName = @"metadata_zone";
+
+@interface OTContext (lockstateTracker)
+@end
+
+@interface OTContext ()
+
+@property (nonatomic, strong) NSString* contextID;
+@property (nonatomic, strong) NSString* contextName;
+@property (nonatomic, strong) NSString* dsid;
+
+@property (nonatomic, strong) OTLocalStore* localStore;
+@property (nonatomic, strong) OTCloudStore* cloudStore;
+@property (nonatomic, strong) NSData* changeToken;
+@property (nonatomic, strong) NSString* egoPeerID;
+@property (nonatomic, strong) NSDate* egoPeerCreationDate;
+@property (nonatomic, strong) dispatch_queue_t queue;
+@property (nonatomic, weak) id identityProvider;
+
+@property (nonatomic, strong) CKKSCKAccountStateTracker* accountTracker;
+@property (nonatomic, strong) CKKSLockStateTracker* lockStateTracker;
+@property (nonatomic, strong) CKKSReachabilityTracker *reachabilityTracker;
+
+@end
+
+@implementation OTContext
+
+-(CKContainer*)makeCKContainer:(NSString*)containerName {
+ CKContainer* container = [CKContainer containerWithIdentifier:containerName];
+ container = [[CKContainer alloc] initWithContainerID: container.containerID];
+ return container;
+}
+
+-(BOOL) isPrequeliteEnabled
+{
+ BOOL result = YES;
+ if([PQLConnection class] == nil) {
+ secerror("OT: prequelite appears to not be linked. Can't create OT objects.");
+ result = NO;
+ }
+ return result;
+}
+
+- (nullable instancetype) initWithContextID:(NSString*)contextID
+ dsid:(NSString*)dsid
+ localStore:(OTLocalStore*)localStore
+ cloudStore:(nullable OTCloudStore*)cloudStore
+ identityProvider:(id )identityProvider
+ error:(NSError**)error
+{
+ if(![self isPrequeliteEnabled]){
+ // We're running in the base build environment, which lacks a bunch of libraries.
+ // We don't support doing anything in this environment. Bye.
+ return nil;
+ }
+
+ self = [super init];
+ if (self) {
+ NSError* localError = nil;
+ _contextID = contextID;
+ _dsid = dsid;
+ _identityProvider = identityProvider;
+ _localStore = localStore;
+
+ NSString* contextAndDSID = [NSString stringWithFormat:@"%@-%@", contextID, dsid];
+
+ CKContainer* container = [self makeCKContainer:OTCKContainerName];
+
+ _accountTracker = [CKKSViewManager manager].accountTracker;
+ _lockStateTracker = [CKKSViewManager manager].lockStateTracker;
+ _reachabilityTracker = [CKKSViewManager manager].reachabilityTracker;
+
+ if(!cloudStore) {
+ _cloudStore = [[OTCloudStore alloc]initWithContainer:container
+ zoneName:OTCKZoneName
+ accountTracker:_accountTracker
+ reachabilityTracker:_reachabilityTracker
+ localStore:_localStore
+ contextID:contextID
+ dsid:dsid
+ fetchRecordZoneChangesOperationClass:[CKFetchRecordZoneChangesOperation class]
+ fetchRecordsOperationClass:[CKFetchRecordsOperation class]
+ queryOperationClass:[CKQueryOperation class]
+ modifySubscriptionsOperationClass:[CKModifySubscriptionsOperation class]
+ modifyRecordZonesOperationClass:[CKModifyRecordZonesOperation class]
+ apsConnectionClass:[APSConnection class]
+ operationQueue:nil];
+ } else{
+ _cloudStore = cloudStore;
+ }
+
+ OTContextRecord* localContextRecord = [_localStore readLocalContextRecordForContextIDAndDSID:contextAndDSID error:&localError];
+
+ if(localContextRecord == nil || localContextRecord.contextID == nil){
+ localError = nil;
+ BOOL result = [_localStore initializeContextTable:contextID dsid:dsid error:&localError];
+ if(!result || localError != nil){
+ secerror("octagon: reading from database failed with error: %@", localError);
+ if (error) {
+ *error = localError;
+ }
+ return nil;
+ }
+ localContextRecord = [_localStore readLocalContextRecordForContextIDAndDSID:contextAndDSID error:&localError];
+ if(localContextRecord == nil || localError !=nil){
+ secerror("octagon: reading from database failed with error: %@", localError);
+ if (error) {
+ *error = localError;
+ }
+ return nil;
+ }
+ }
+
+ _contextID = localContextRecord.contextID;
+ _contextName = localContextRecord.contextName;
+ _changeToken = localContextRecord.changeToken;
+ _egoPeerID = localContextRecord.egoPeerID;
+ _egoPeerCreationDate = localContextRecord.egoPeerCreationDate;
+
+ _queue = dispatch_queue_create("com.apple.security.otcontext", DISPATCH_QUEUE_SERIAL);
+ }
+ return self;
+}
+
+- (nullable OTBottledPeerSigned *) createBottledPeerRecordForIdentity:(OTIdentity *)identity
+ secret:(NSData*)secret
+ error:(NSError**)error
+{
+ NSError* localError = nil;
+ if(self.lockStateTracker.isLocked){
+ secnotice("octagon", "device is locked");
+ if(error){
+ *error = [NSError errorWithDomain:(__bridge NSString*)kSecErrorDomain code:errSecInteractionNotAllowed userInfo:nil];
+ }
+ return nil;
+ }
+
+ OTEscrowKeys *escrowKeys = [[OTEscrowKeys alloc] initWithSecret:secret dsid:self.dsid error:&localError];
+ if (!escrowKeys || localError != nil) {
+ secerror("octagon: unable to derive escrow keys: %@", localError);
+ if (error) {
+ *error = localError;
+ }
+ return nil;
+ }
+
+ OTBottledPeer *bp = [[OTBottledPeer alloc] initWithPeerID:identity.peerID
+ spID:identity.spID
+ peerSigningKey:identity.peerSigningKey
+ peerEncryptionKey:identity.peerEncryptionKey
+ escrowKeys:escrowKeys
+ error:&localError];
+ if (!bp || localError !=nil) {
+ secerror("octagon: unable to create a bottled peer: %@", localError);
+ if (error) {
+ *error = localError;
+ }
+ return nil;
+ }
+ return [[OTBottledPeerSigned alloc] initWithBottledPeer:bp
+ escrowedSigningKey:escrowKeys.signingKey
+ peerSigningKey:identity.peerSigningKey
+ error:error];
+}
+
+- (NSData* _Nullable) makeMeSomeEntropy:(int)requiredLength
+{
+ NSMutableData* salt = [NSMutableData dataWithLength:requiredLength];
+ if (salt == nil){
+ return nil;
+ }
+ if (SecRandomCopyBytes(kSecRandomDefault, [salt length], [salt mutableBytes]) != 0){
+ return nil;
+ }
+ return salt;
+}
+
+- (nullable OTPreflightInfo*) preflightBottledPeer:(NSString*)contextID
+ entropy:(NSData*)entropy
+ error:(NSError**)error
+{
+ NSError* localError = nil;
+ if(self.lockStateTracker.isLocked){
+ secnotice("octagon", "device is locked");
+ if(error){
+ *error = [NSError errorWithDomain:(__bridge NSString*)kSecErrorDomain code:errSecInteractionNotAllowed userInfo:nil];
+ }
+ return nil;
+ }
+
+ OTIdentity *identity = [self.identityProvider currentIdentity:&localError];
+ if (!identity || localError != nil) {
+ secerror("octagon: unable to get current identity:%@", localError);
+ if (error) {
+ *error = localError;
+ }
+ return nil;
+ }
+
+ OTBottledPeerSigned* bps = [self createBottledPeerRecordForIdentity:identity
+ secret:entropy
+ error:&localError];
+ if (!bps || localError != nil) {
+ secerror("octagon: failed to create bottled peer record: %@", localError);
+ if (error) {
+ *error = localError;
+ }
+ return nil;
+ }
+ secnotice("octagon", "created bottled peer:%@", bps);
+
+ OTBottledPeerRecord *bprec = [bps asRecord:identity.spID];
+
+ if (!identity.spID) {
+ secerror("octagon: cannot enroll without a spID");
+ if(error){
+ *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorNoIdentity userInfo:@{NSLocalizedDescriptionKey: @"OTIdentity does not have an SOS peer id"}];
+ }
+ return nil;
+ }
+
+ OTPreflightInfo* info = [[OTPreflightInfo alloc]init];
+ info.escrowedSigningSPKI = bprec.escrowedSigningSPKI;
+
+ if(!info.escrowedSigningSPKI){
+ if(error){
+ *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorEscrowSigningSPKI userInfo:@{NSLocalizedDescriptionKey: @"Escrowed spinging SPKI is nil"}];
+ }
+ secerror("octagon: Escrowed spinging SPKI is nil");
+ return nil;
+ }
+
+ info.bottleID = bprec.recordName;
+ if(!info.bottleID){
+ if(error){
+ *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorBottleID userInfo:@{NSLocalizedDescriptionKey: @"BottleID is nil"}];
+ }
+ secerror("octagon: BottleID is nil");
+ return nil;
+ }
+
+ //store record in localStore
+ BOOL result = [self.localStore insertBottledPeerRecord:bprec escrowRecordID:identity.spID error:&localError];
+ if(!result || localError){
+ secerror("octagon: could not persist the bottle record: %@", localError);
+ if (error) {
+ *error = localError;
+ }
+ return nil;
+ }
+
+ return info;
+}
+
+- (BOOL)scrubBottledPeer:(NSString*)contextID
+ bottleID:(NSString*)bottleID
+ error:(NSError**)error
+{
+ secnotice("octagon", "scrubBottledPeer");
+ NSError* localError = nil;
+ if(self.lockStateTracker.isLocked){
+ secnotice("octagon", "device is locked");
+ if(error){
+ *error = [NSError errorWithDomain:(__bridge NSString*)kSecErrorDomain code:errSecInteractionNotAllowed userInfo:nil];
+ }
+ return YES;
+ }
+
+ BOOL result = [self.localStore deleteBottledPeer:bottleID error:&localError];
+ if(!result || localError != nil){
+ secerror("octagon: could not remove record for bottleID %@, error:%@", bottleID, localError);
+ if (error) {
+ *error = localError;
+ }
+ }
+ return result;
+}
+
+- (OTBottledPeerSigned *) restoreFromEscrowRecordID:(NSString*)escrowRecordID
+ secret:(NSData*)secret
+ error:(NSError**)error
+{
+ NSError *localError = nil;
+
+ if(self.lockStateTracker.isLocked){
+ if(error){
+ *error = [NSError errorWithDomain:(__bridge NSString*)kSecErrorDomain code:errSecInteractionNotAllowed userInfo:nil];
+ }
+ return nil;
+ }
+
+ OTEscrowKeys *escrowKeys = [[OTEscrowKeys alloc] initWithSecret:secret dsid:self.dsid error:&localError];
+ if (!escrowKeys || localError != nil) {
+ secerror("unable to derive escrow keys: %@", localError);
+ if (error) {
+ *error = localError;
+ }
+ return nil;
+ }
+
+ BOOL result = [self.cloudStore downloadBottledPeerRecord:&localError];
+ if(!result || localError){
+ secerror("octagon: could not download bottled peer record:%@", localError);
+ if(error){
+ *error = localError;
+ }
+ }
+ NSString* recordName = [OTBottledPeerRecord constructRecordID:escrowRecordID
+ escrowSigningSPKI:[escrowKeys.signingKey.publicKey asSPKI]];
+ OTBottledPeerRecord* rec = [self.localStore readLocalBottledPeerRecordWithRecordID:recordName error:&localError];
+
+ if (!rec) {
+ secerror("octagon: could not read bottled peer record:%@", localError);
+ if (error) {
+ *error = localError;
+ }
+ return nil;
+ }
+
+ OTBottledPeerSigned *bps = [[OTBottledPeerSigned alloc] initWithBottledPeerRecord:rec
+ escrowKeys:escrowKeys
+ error:&localError];
+ if (!bps) {
+ secerror("octagon: could not unpack bottled peer:%@", localError);
+ if (error) {
+ *error = localError;
+ }
+ return nil;
+ }
+
+ return bps;
+}
+
+-(BOOL)bottleExistsLocallyForIdentity:(OTIdentity*)identity logger:(CKKSAnalytics*)logger error:(NSError**)error
+{
+ NSError* localError = nil;
+ //read all the local bp records
+ NSArray* bottles = [self.localStore readLocalBottledPeerRecordsWithMatchingPeerID:identity.spID error:&localError];
+ if(!bottles || [bottles count] == 0 || localError != nil){
+ secerror("octagon: there are no eligible bottle peer records: %@", localError);
+ [logger logRecoverableError:localError
+ forEvent:OctagonEventBottleCheck
+ zoneName:kOTRampZoneName
+ withAttributes:NULL];
+ if(error){
+ *error = localError;
+ }
+ return NO;
+ }
+
+ BOOL hasBottle = NO;
+ //if check all the records if the peer signing public key matches the bottled one!
+ for(OTBottledPeerRecord* bottle in bottles){
+ NSData* bottledSigningSPKIData = [[SFECPublicKey fromSPKI:bottle.peerSigningSPKI] keyData];
+ NSData* currentIdentitySPKIData = [identity.peerSigningKey.publicKey keyData];
+
+ //spIDs are the same AND check bottle signature
+ if([currentIdentitySPKIData isEqualToData:bottledSigningSPKIData] &&
+ [OTBottledPeerSigned verifyBottleSignature:bottle.bottle
+ signature:bottle.signatureUsingPeerKey
+ key:identity.peerSigningKey.publicKey
+ error:error]){
+ hasBottle = YES;
+ }
+ }
+
+
+
+ return hasBottle;
+}
+
+-(BOOL)queryCloudKitForBottle:(OTIdentity*)identity logger:(CKKSAnalytics*)logger error:(NSError**)error
+{
+ NSError* localError = nil;
+ BOOL hasBottle = NO;
+ //attempt to pull down all the records, but continue checking local store even if this fails.
+ BOOL fetched = [self.cloudStore downloadBottledPeerRecord:&localError];
+ if(fetched == NO || localError != nil){ //couldn't download bottles
+ secerror("octagon: 0 bottled peers downloaded: %@", localError);
+ [logger logRecoverableError:localError
+ forEvent:OctagonEventBottleCheck
+ zoneName:kOTRampZoneName
+ withAttributes:NULL];
+ if(error){
+ *error = localError;
+ }
+ return NO;
+ }else{ //downloaded bottles, let's check local store
+ hasBottle = [self bottleExistsLocallyForIdentity:identity logger:logger error:&localError];
+ }
+
+ if(error){
+ *error = localError;
+ }
+ return hasBottle;
+}
+
+-(OctagonBottleCheckState) doesThisDeviceHaveABottle:(NSError**)error
+{
+ secnotice("octagon", "checking if device has enrolled a bottle");
+
+ if(self.lockStateTracker.isLocked){
+ secnotice("octagon", "device locked, not checking for bottle");
+ if(error){
+ *error = [NSError errorWithDomain:(__bridge NSString*)kSecErrorDomain code:errSecInteractionNotAllowed userInfo:nil];
+ }
+ return UNCLEAR;
+ }
+
+ if(self.accountTracker.currentCKAccountInfo.accountStatus != CKAccountStatusAvailable){
+ if(error){
+ *error = [NSError errorWithDomain:octagonErrorDomain
+ code:OTErrorNotSignedIn
+ userInfo:@{NSLocalizedDescriptionKey: @"iCloud account is logged out"}];
+ }
+ secnotice("octagon", "not logged into an account");
+ return UNCLEAR;
+ }
+
+ NSError* localError = nil;
+ OctagonBottleCheckState bottleStatus = NOBOTTLE;
+ CKKSAnalytics* logger = [CKKSAnalytics logger];
+ SFAnalyticsActivityTracker *tracker = [logger logSystemMetricsForActivityNamed:CKKSActivityBottleCheck withAction:nil];
+ [tracker start];
+
+ //get our current identity
+ OTIdentity* identity = [self.identityProvider currentIdentity:&localError];
+
+ //if we get the locked error, return true so we don't prompt the user
+ if(localError && [_lockStateTracker isLockedError:localError]){
+ secnotice("octagon", "attempting to perform bottle check while locked: %@", localError);
+ return UNCLEAR;
+ }
+
+ if(!identity && localError != nil){
+ secerror("octagon: do not have an identity: %@", localError);
+ [logger logRecoverableError:localError
+ forEvent:OctagonEventBottleCheck
+ zoneName:kOTRampZoneName
+ withAttributes:NULL];
+ [tracker stop];
+ if(error){
+ *error = localError;
+ }
+ return NOBOTTLE;
+ }
+
+ //check locally first
+ BOOL bottleExistsLocally = [self bottleExistsLocallyForIdentity:identity logger:logger error:&localError];
+
+ //no bottle and we have no network
+ if(!bottleExistsLocally && !self.reachabilityTracker.currentReachability){
+ secnotice("octagon", "no network, can't query");
+ localError = [NSError errorWithDomain:octagonErrorDomain
+ code:OTErrorNoNetwork
+ userInfo:@{NSLocalizedDescriptionKey: @"no network"}];
+ [tracker stop];
+ if(error){
+ *error = localError;
+ }
+ return UNCLEAR;
+ }
+ else if(!bottleExistsLocally){
+ if([self queryCloudKitForBottle:identity logger:logger error:&localError]){
+ bottleStatus = BOTTLE;
+ }
+ }else if(bottleExistsLocally){
+ bottleStatus = BOTTLE;
+ }
+
+ if(bottleStatus == NOBOTTLE){
+ localError = [NSError errorWithDomain:octagonErrorDomain code:OTErrorNoBottlePeerRecords userInfo:@{NSLocalizedDescriptionKey: @"Peer %@ does not have any bottled records"}];
+ secerror("octagon: this device does not have any bottled peers: %@", localError);
+ [logger logRecoverableError:localError
+ forEvent:OctagonEventBottleCheck
+ zoneName:kOTRampZoneName
+ withAttributes:@{ OctagonEventAttributeFailureReason : @"does not have bottle"}];
+ if(error){
+ *error = localError;
+ }
+ }
+ else{
+ [logger logSuccessForEventNamed:OctagonEventBottleCheck];
+ }
+
+ [tracker stop];
+
+ return bottleStatus;
+}
+
+-(void) postFollowUp
+{
+ NSError* error = nil;
+
+ CKKSAnalytics* logger = [CKKSAnalytics logger];
+ SFAnalyticsActivityTracker *tracker = [logger logSystemMetricsForActivityNamed:CKKSActivityBottleCheck withAction:nil];
+
+ [tracker start];
+ CDPFollowUpController *cdpd = [[CDPFollowUpController alloc] init];
+ CDPFollowUpContext *context = [CDPFollowUpContext contextForOfflinePasscodeChange];
+
+ [cdpd postFollowUpWithContext:context error:&error];
+ if(error){
+ [logger logUnrecoverableError:error forEvent:OctagonEventCoreFollowUp withAttributes:@{
+ OctagonEventAttributeFailureReason : @"core follow up failed"}];
+
+ secerror("request to CoreCDP to follow up failed: %@", error);
+ }
+ else{
+ [logger logSuccessForEventNamed:OctagonEventCoreFollowUp];
+ }
+ [tracker stop];
+}
+
+
+@end
+#endif
diff --git a/keychain/trust/TrustedPeers/TPHash.h b/keychain/ot/OTContextRecord.h
similarity index 56%
rename from keychain/trust/TrustedPeers/TPHash.h
rename to keychain/ot/OTContextRecord.h
index af304c29..9fe05570 100644
--- a/keychain/trust/TrustedPeers/TPHash.h
+++ b/keychain/ot/OTContextRecord.h
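Review bot: `scrubBottledPeer:bottleID:error:` returns `YES` on the locked-device path while also filling `*error` with `errSecInteractionNotAllowed`, so a caller that checks only the BOOL will treat the bottle as deleted although `deleteBottledPeer:` was never called. If that is not deliberate the branch should `return NO;`; if it is, it should leave `*error` untouched and carry a comment saying why. `restoreFromEscrowRecordID:secret:error:` has the mirror image: when `downloadBottledPeerRecord:` fails it sets `*error` but carries on, so a restore that then succeeds from the local store returns a bottle with a stale error still set. In `doesThisDeviceHaveABottle:`, the locked-error early return also skips `[tracker stop]` after `[tracker start]`.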
@@ -21,40 +21,36 @@ * @APPLE_LICENSE_HEADER_END@ */ + +#ifndef OTContextRecord_h +#define OTContextRecord_h + +#if OCTAGON + #import NS_ASSUME_NONNULL_BEGIN -/*! - A hash digest algorithm - */ -typedef NS_ENUM(NSInteger, TPHashAlgo) { - kTPHashAlgoUnknown = -1, - kTPHashAlgoSHA224 = 0, - kTPHashAlgoSHA256, - kTPHashAlgoSHA384, - kTPHashAlgoSHA512, -}; - -/*! - A hash prefixed with the name of the digest algorithm, e.g. - "SHA256:xxxx" where the 'x' are 8-bit bytes. - */ - -@interface TPHashBuilder : NSObject +@interface OTContextRecord : NSObject -+ (TPHashAlgo)algoOfHash:(NSString *)hash; +@property (nonatomic, strong) NSString* contextID; +@property (nonatomic, strong) NSString* dsid; +@property (nonatomic, strong) NSString* contextName; +@property (nonatomic) BOOL zoneCreated; +@property (nonatomic) BOOL subscribedToChanges; +@property (nonatomic, strong) NSData* changeToken; +@property (nonatomic, strong) NSString* egoPeerID; +@property (nonatomic, strong) NSDate* egoPeerCreationDate; +@property (nonatomic, strong) NSData* recoverySigningSPKI; +@property (nonatomic, strong) NSData* recoveryEncryptionSPKI; -- (instancetype)initWithAlgo:(TPHashAlgo)algo; -- (void)resetWithAlgo:(TPHashAlgo)algo; -- (void)updateWithData:(NSData *)data; -- (void)updateWithBytes:(const void *)data len:(size_t)len; -- (NSString *)finalHash; -+ (NSString *)hashWithAlgo:(TPHashAlgo)algo ofData:(NSData *)data; -+ (NSString *)hashWithAlgo:(TPHashAlgo)algo ofBytes:(const void *)data len:(size_t)len; +-(BOOL)isEqual:(OTContextRecord*)record; @end NS_ASSUME_NONNULL_END + +#endif /* OCTAGON */ +#endif /* OTContextRecord_h */ diff --git a/keychain/trust/TrustedPeersTests/TPDummySigningKeyTests.m b/keychain/ot/OTContextRecord.m similarity index 64% rename from keychain/trust/TrustedPeersTests/TPDummySigningKeyTests.m rename to keychain/ot/OTContextRecord.m index c67057ba..09e9e371 100644 --- a/keychain/trust/TrustedPeersTests/TPDummySigningKeyTests.m +++ b/keychain/ot/OTContextRecord.m 
@@ -21,23 +21,20 @@ * @APPLE_LICENSE_HEADER_END@ */ -#import +#if OCTAGON +#import "OTContextRecord.h" -#import "TPDummySigningKey.h" +@implementation OTContextRecord -@interface TPDummySigningKeyTests : XCTestCase - -@end - -@implementation TPDummySigningKeyTests - -- (void)testRoundTrip { - NSData *keyData = [@"The Key" dataUsingEncoding:NSUTF8StringEncoding]; - id key = [[TPDummySigningKey alloc] initWithPublicKeyData:keyData]; - NSData *data = [@"The Text" dataUsingEncoding:NSUTF8StringEncoding]; - NSData *sig = [key signatureForData:data withError:NULL]; - BOOL ok = [key checkSignature:sig matchesData:data]; - XCTAssert(ok); +-(BOOL)isEqual:(OTContextRecord*)record +{ + return [self.contextID isEqualToString:record.contextID] && + [self.contextName isEqualToString:record.contextName] && + [self.dsid isEqualToString:record.dsid] && + [self.egoPeerID isEqualToString:record.egoPeerID] && + [self.recoverySigningSPKI isEqual:record.recoverySigningSPKI] && + [self.recoveryEncryptionSPKI isEqual:record.recoveryEncryptionSPKI]; } - @end + +#endif /* OCTAGON */ diff --git a/keychain/ot/OTControl.h b/keychain/ot/OTControl.h new file mode 100644 index 00000000..428c905b --- /dev/null +++ b/keychain/ot/OTControl.h 
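Review bot: The new `isEqual:` reports two records as different whenever a compared property is nil on the receiver, because `[nil isEqualToString:…]` and `[nil isEqual:…]` evaluate to `NO`; a record whose `egoPeerID` or recovery SPKIs have not been set does not even equal itself. It also overrides NSObject's `isEqual:` with a narrowed parameter type and no class check, so an object of another class handed in by generic code would be sent `contextID`, and no matching `hash` is visible in this hunk. A nil-tolerant version with a class check is sketched below; it assumes two unset fields should compare equal, which should be confirmed against how the local store uses these records. A `hash` built from the same fields should accompany it.

```objective-c
-(BOOL)isEqual:(OTContextRecord*)record
{
    if (record == self) {
        return YES;
    }
    if (![record isKindOfClass:[OTContextRecord class]]) {
        return NO;
    }
    // (a == b) covers the both-nil case, which a message to nil reports as NO
    BOOL (^same)(id, id) = ^BOOL(id a, id b) {
        return a == b || [a isEqual:b];
    };
    return same(self.contextID, record.contextID) &&
           same(self.contextName, record.contextName) &&
           same(self.dsid, record.dsid) &&
           same(self.egoPeerID, record.egoPeerID) &&
           same(self.recoverySigningSPKI, record.recoverySigningSPKI) &&
           same(self.recoveryEncryptionSPKI, record.recoveryEncryptionSPKI);
}
```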
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2017 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+// You must be 64-bit to use this class.
+#if __OBJC2__
+
+#import
+#import
+
+NS_ASSUME_NONNULL_BEGIN
+
+@interface OTControl : NSObject
++ (OTControl* _Nullable)controlObject:(NSError* _Nullable __autoreleasing* _Nullable)error;
+- (instancetype)initWithConnection:(NSXPCConnection*)connection;
+
+- (void)restore:(NSString *)contextID dsid:(NSString *)dsid secret:(NSData*)secret escrowRecordID:(NSString*)escrowRecordID
+ reply:(void (^)(NSData* signingKeyData, NSData* encryptionKeyData, NSError* _Nullable error))reply;
+- (void)encryptionKey:(void (^)(NSData* result, NSError* _Nullable error))reply;
+- (void)signingKey:(void (^)(NSData* result, NSError* _Nullable error))reply;
+- (void)listOfRecords:(void (^)(NSArray* list, NSError* _Nullable error))reply;
+- (void)signOut:(void (^)(BOOL result, NSError * _Nullable error))reply;
+- (void)signIn:(NSString*)dsid reply:(void (^)(BOOL result, NSError * _Nullable error))reply;
+- (void)reset:(void (^)(BOOL result, NSError* _Nullable error))reply;
+
+// Call this to 'preflight' a bottled peer entry. This will create sufficient entropy, derive and save all relevant keys,
+// then return the entropy to the caller. If something goes wrong during this process, do not store the returned entropy.
+- (void)preflightBottledPeer:(NSString*)contextID
+ dsid:(NSString*)dsid
+ reply:(void (^)(NSData* _Nullable entropy,
+ NSString* _Nullable bottleID,
+ NSData* _Nullable signingPublicKey,
+ NSError* _Nullable error))reply;
+
+// Call this to 'launch' a preflighted bottled peer entry. This indicates that you've successfully stored the entropy,
+// and we should save the bottled peer entry off-device for later retrieval.
+- (void)launchBottledPeer:(NSString*)contextID
+ bottleID:(NSString*)bottleID
+ reply:(void (^ _Nullable)(NSError* _Nullable error))reply;
+
+// Call this to scrub the launch of a preflighted bottled peer entry. This indicates you've terminally failed to store the
+// preflighted entropy, and this bottled peer will never be used again and can be deleted.
+- (void)scrubBottledPeer:(NSString*)contextID
+ bottleID:(NSString*)bottleID
+ reply:(void (^ _Nullable)(NSError* _Nullable error))reply;
+
+@end
+
+NS_ASSUME_NONNULL_END
+#endif // __OBJC__
diff --git a/keychain/ot/OTControl.m b/keychain/ot/OTControl.m
new file mode 100644
index 00000000..41cc74af
--- /dev/null
+++ b/keychain/ot/OTControl.m
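Review bot: Inside `NS_ASSUME_NONNULL_BEGIN` the reply blocks of `restore:…`, `encryptionKey:`, `signingKey:` and `listOfRecords:` declare their `NSData*`/`NSArray*` results as nonnull, but the implementation added in OTControl.m calls `reply(nil, nil, error)` and `reply(nil, error)` from the XPC error handler, and OTControlProtocol.h marks the same key values `_Nullable`. Callers are therefore told they may use the key material without checking it. The parameters should read `NSData* _Nullable signingKeyData, NSData* _Nullable encryptionKeyData`, `NSData* _Nullable result` and `NSArray* _Nullable list`; `listOfEligibleBottledPeerRecords:` in OTControlProtocol.h has the same unannotated `NSArray*`/`NSError *` pair. The closing `#endif // __OBJC__` comment should also say `__OBJC2__` to match the `#if`.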
@@ -0,0 +1,177 @@
+/*
+ * Copyright (c) 2017 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#if __OBJC2__
+
+#import
+#import
+
+#import
+
+#import "keychain/ot/OTControl.h"
+#import "keychain/ot/OTControlProtocol.h"
+#import "keychain/ot/OctagonControlServer.h"
+
+#include
+
+@interface OTControl ()
+@property NSXPCConnection *connection;
+@end
+
+@implementation OTControl
+
+- (instancetype)initWithConnection:(NSXPCConnection*)connection {
+ if(self = [super init]) {
+ _connection = connection;
+ }
+ return self;
+}
+
+- (void)restore:(NSString *)contextID dsid:(NSString *)dsid secret:(NSData*)secret escrowRecordID:(NSString*)escrowRecordID
+ reply:(void (^)(NSData* signingKeyData, NSData* encryptionKeyData, NSError* _Nullable error))reply
+{
+ [[self.connection remoteObjectProxyWithErrorHandler: ^(NSError* error) {
+ reply(nil, nil, error);
+ }] restore:contextID dsid:dsid secret:secret escrowRecordID:escrowRecordID reply:^(NSData* signingKeyData, NSData* encryptionKeyData, NSError *error) {
+ reply(signingKeyData, encryptionKeyData, error);
+ }];
+
+}
+
+-(void)reset:(void (^)(BOOL result, NSError* _Nullable error))reply
+{
+ [[self.connection remoteObjectProxyWithErrorHandler: ^(NSError* error) {
+ reply(NO, error);
+ }] reset:^(BOOL result, NSError * _Nullable error) {
+ reply(result, error);
+ }];
+}
+
+- (void)signingKey:(void (^)(NSData* result, NSError* _Nullable error))reply
+{
+ [[self.connection remoteObjectProxyWithErrorHandler: ^(NSError* error) {
+ reply(nil, error);
+ }] octagonSigningPublicKey:^(NSData *signingKey, NSError * _Nullable error) {
+ reply(signingKey, error);
+ }];
+
+}
+
+- (void)encryptionKey:(void (^)(NSData* result, NSError* _Nullable error))reply
+{
+ [[self.connection remoteObjectProxyWithErrorHandler: ^(NSError* error) {
+ reply(nil, error);
+ }] octagonEncryptionPublicKey:^(NSData *encryptionKey, NSError * _Nullable error) {
+ reply(encryptionKey, error);
+ }];
+
+}
+
+- (void)listOfRecords:(void (^)(NSArray* list, NSError* _Nullable error))reply
+{
+ [[self.connection remoteObjectProxyWithErrorHandler: ^(NSError* error) {
+ reply(nil, error);
+ }] listOfEligibleBottledPeerRecords:^(NSArray *list, NSError * _Nullable error) {
+ reply(list, error);
+ }];
+
+}
+
+- (void)signIn:(NSString*)dsid reply:(void (^)(BOOL result, NSError * _Nullable error))reply{
+ [[self.connection remoteObjectProxyWithErrorHandler: ^(NSError* error) {
+ reply(NO, error);
+ }] signIn:dsid reply:^(BOOL result, NSError * _Nullable error) {
+ reply(result, error);
+ }];
+}
+
+- (void)signOut:(void (^)(BOOL result, NSError * _Nullable error))reply
+{
+ [[self.connection remoteObjectProxyWithErrorHandler: ^(NSError* error) {
+ reply(NO, error);
+ }] signOut:^(BOOL result, NSError * _Nullable error) {
+ reply(result, error);
+ }];
+
+}
+
+
+- (void)preflightBottledPeer:(NSString*)contextID
+ dsid:(NSString*)dsid
+ reply:(void (^)(NSData* _Nullable entropy,
+ NSString* _Nullable bottleID,
+ NSData* _Nullable signingPublicKey,
+ NSError* _Nullable error))reply
+{
+ [[self.connection remoteObjectProxyWithErrorHandler: ^(NSError* error) {
+ reply(nil, nil, nil, error);
+ }] preflightBottledPeer:contextID dsid:dsid reply:^(NSData* _Nullable entropy,
+ NSString* _Nullable bottleID,
+ NSData* _Nullable signingPublicKey,
+ NSError* _Nullable error) {
+ reply(entropy, bottleID, signingPublicKey, error);
+ }];
+}
+
+- (void)launchBottledPeer:(NSString*)contextID
+ bottleID:(NSString*)bottleID
+ reply:(void (^ _Nullable)(NSError* _Nullable))reply
+{
+ [[self.connection remoteObjectProxyWithErrorHandler: ^(NSError* error) {
+ reply(error);
+ }] launchBottledPeer:contextID bottleID:bottleID reply:^(NSError * _Nullable error) {
+ reply(error);
+ }];
+}
+
+- (void)scrubBottledPeer:(NSString*)contextID
+ bottleID:(NSString*)bottleID
+ reply:(void (^ _Nullable)(NSError* _Nullable))reply
+{
+ [[self.connection remoteObjectProxyWithErrorHandler: ^(NSError* error) {
+ reply(error);
+ }] scrubBottledPeer:contextID bottleID:bottleID reply:reply];
+}
+
++ (OTControl*)controlObject:(NSError* __autoreleasing *)error {
+
+ NSXPCConnection* connection = [[NSXPCConnection alloc] initWithMachServiceName:@(kSecuritydOctagonServiceName) options:0];
+
+ if (connection == nil) {
+ if(error) {
+ *error = [NSError errorWithDomain:@"securityd" code:-1 userInfo:@{NSLocalizedDescriptionKey: @"Couldn't create connection (no reason given)"}];
+ }
+ return nil;
+ }
+
+ NSXPCInterface *interface = OTSetupControlProtocol([NSXPCInterface interfaceWithProtocol:@protocol(OTControlProtocol)]);
+ connection.remoteObjectInterface = interface;
+ [connection resume];
+
+ OTControl* c = [[OTControl alloc] initWithConnection:connection];
+ return c;
+}
+
+@end
+
+#endif // __OBJC2__
diff --git a/keychain/ot/OTControlProtocol.h b/keychain/ot/OTControlProtocol.h
new file mode 100644
index 00000000..6caa8dc9
--- /dev/null
+++ b/keychain/ot/OTControlProtocol.h
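Review bot: `launchBottledPeer:bottleID:reply:` and `scrubBottledPeer:bottleID:reply:` take a `_Nullable` reply block but call `reply(error)` unconditionally, in the `remoteObjectProxyWithErrorHandler:` block of both and in the completion block of `launchBottledPeer:`; invoking a nil block crashes the client process. Either drop `_Nullable` from the two declarations or guard each call with `if (reply) { reply(error); }`. `scrubBottledPeer:` additionally forwards the possibly-nil `reply` straight to the proxy, so it is worth wrapping it in a non-nil block first; how NSXPCConnection treats a nil reply block is not something this hunk shows.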
@@ -0,0 +1,53 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import +NS_ASSUME_NONNULL_BEGIN + +@protocol OTControlProtocol +- (void)restore:(NSString *)contextID dsid:(NSString *)dsid secret:(NSData*)secret escrowRecordID:(NSString*)escrowRecordID reply:(void (^)(NSData* _Nullable signingKeyData, NSData* _Nullable encryptionKeyData, NSError * _Nullable error))reply; +- (void)octagonEncryptionPublicKey:(void (^)(NSData* _Nullable encryptionKey, NSError * _Nullable))reply;; +- (void)octagonSigningPublicKey:(void (^)(NSData* _Nullable signingKey, NSError * _Nullable))reply;; +- (void)listOfEligibleBottledPeerRecords:(void (^)(NSArray* listOfRecords, NSError *))reply; +- (void)signOut:(void (^)(BOOL result, NSError * _Nullable signedOutError))reply; +- (void)signIn:(NSString*)dsid reply:(void (^)(BOOL result, NSError * _Nullable signedInError))reply; +- (void)reset:(void (^)(BOOL result, NSError * _Nullable error))reply; +- (void)scheduleCFUForFuture; + +- (void)preflightBottledPeer:(NSString*)contextID + dsid:(NSString*)dsid + 
reply:(void (^)(NSData* _Nullable entropy, + NSString* _Nullable bottleID, + NSData* _Nullable signingPublicKey, + NSError* _Nullable error))reply; +- (void)launchBottledPeer:(NSString*)contextID + bottleID:(NSString*)bottleID + reply:(void (^ _Nullable)(NSError* _Nullable error))reply; +- (void)scrubBottledPeer:(NSString*)contextID + bottleID:(NSString*)bottleID + reply:(void (^ _Nullable)(NSError* _Nullable error))reply; +@end + +NSXPCInterface* OTSetupControlProtocol(NSXPCInterface* interface); + +NS_ASSUME_NONNULL_END diff --git a/keychain/ot/OTControlProtocol.m b/keychain/ot/OTControlProtocol.m new file mode 100644 index 00000000..fde2ded8 --- /dev/null +++ b/keychain/ot/OTControlProtocol.m 
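Review bot: The reply block of `listOfEligibleBottledPeerRecords:` declares `NSArray* listOfRecords` and `NSError *` without `_Nullable` inside `NS_ASSUME_NONNULL_BEGIN`, so the protocol promises a list even on failure and an error object even on success, unlike every other reply here. Declaring it as `(void (^)(NSArray* _Nullable listOfRecords, NSError* _Nullable error))reply` matches the rest and stops callers from trusting a value the compiler said was non-null. The `launchBottledPeer:` and `scrubBottledPeer:` replies are `_Nullable` blocks, yet the OTControl wrapper earlier in this patch calls `reply(error)` on them unguarded; a comment on both declarations saying that implementations must nil-check the block would help. The stray `;;` after `octagonEncryptionPublicKey:` and `octagonSigningPublicKey:` can go.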
@@ -0,0 +1,89 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import + +#import "keychain/ot/OTControlProtocol.h" + +#if OCTAGON +#import +#import +#import +#include +#endif // OCTAGON + +NSXPCInterface* OTSetupControlProtocol(NSXPCInterface* interface) { +#if OCTAGON + static NSMutableSet *errClasses; + + static dispatch_once_t onceToken; + + dispatch_once(&onceToken, ^{ + errClasses = [NSMutableSet set]; + char *classes[] = { + "NSArray", + "NSData", + "NSDate", + "NSDictionary", + "NSError", + "NSNull", + "NSNumber", + "NSOrderedSet", + "NSSet", + "NSString", + "NSURL", + }; + + for (unsigned n = 0; n < sizeof(classes)/sizeof(classes[0]); n++) { + Class cls = objc_getClass(classes[n]); + if (cls) { + [errClasses addObject:cls]; + } + } + }); + + @try { + [interface setClasses:errClasses forSelector:@selector(restore:dsid:secret:escrowRecordID:reply:) argumentIndex:0 ofReply:YES]; + [interface setClasses:errClasses forSelector:@selector(octagonEncryptionPublicKey:) argumentIndex:0 ofReply:YES]; + [interface setClasses:errClasses 
forSelector:@selector(octagonSigningPublicKey:) argumentIndex:0 ofReply:YES]; + [interface setClasses:errClasses forSelector:@selector(listOfEligibleBottledPeerRecords:) argumentIndex:0 ofReply:YES]; + [interface setClasses:errClasses forSelector:@selector(signOut:) argumentIndex:0 ofReply:YES]; + [interface setClasses:errClasses forSelector:@selector(signIn:reply:) argumentIndex:0 ofReply:YES]; + [interface setClasses:errClasses forSelector:@selector(reset:) argumentIndex:0 ofReply:YES]; + + [interface setClasses:errClasses forSelector:@selector(preflightBottledPeer:dsid:reply:) argumentIndex:3 ofReply:YES]; + [interface setClasses:errClasses forSelector:@selector(launchBottledPeer:bottleID:reply:) argumentIndex:0 ofReply:YES]; + [interface setClasses:errClasses forSelector:@selector(scrubBottledPeer:bottleID:reply:) argumentIndex:0 ofReply:YES]; + } + @catch(NSException* e) { + secerror("OTSetupControlProtocol failed, continuing, but you might crash later: %@", e); +#if DEBUG + @throw e; +#endif + } +#endif + + return interface; +} + + diff --git a/keychain/ot/OTDefines.h b/keychain/ot/OTDefines.h new file mode 100644 index 00000000..c5f36bff --- /dev/null +++ b/keychain/ot/OTDefines.h 
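Review bot: The first seven `setClasses:forSelector:argumentIndex:ofReply:` calls in `OTSetupControlProtocol` register `errClasses` at `argumentIndex:0`, but per OTControlProtocol.h the `NSError` is at index 2 of the `restore:` reply and index 1 of the `octagonEncryptionPublicKey:`, `octagonSigningPublicKey:`, `listOfEligibleBottledPeerRecords:`, `signOut:`, `signIn:reply:` and `reset:` replies. Only the `preflightBottledPeer:` (3) and `launchBottledPeer:`/`scrubBottledPeer:` (0) lines match their declarations. As written the broad class set lands on the key-data, list or `BOOL` argument, which widens what secure decoding accepts there, while the error's userInfo keeps the default allow-list. I would point each call at the error argument as below; the list reply probably needs its own narrower class set for index 0, which depends on a record type this file does not show. Because the `@catch` only logs in release builds, an exception raised by a wrong index would go unnoticed, so it is worth confirming that these registrations take effect.

```objective-c
// … unchanged: errClasses dispatch_once setup …
    @try {
        [interface setClasses:errClasses forSelector:@selector(restore:dsid:secret:escrowRecordID:reply:) argumentIndex:2 ofReply:YES];
        [interface setClasses:errClasses forSelector:@selector(octagonEncryptionPublicKey:) argumentIndex:1 ofReply:YES];
        [interface setClasses:errClasses forSelector:@selector(octagonSigningPublicKey:) argumentIndex:1 ofReply:YES];
        [interface setClasses:errClasses forSelector:@selector(listOfEligibleBottledPeerRecords:) argumentIndex:1 ofReply:YES];
        [interface setClasses:errClasses forSelector:@selector(signOut:) argumentIndex:1 ofReply:YES];
        [interface setClasses:errClasses forSelector:@selector(signIn:reply:) argumentIndex:1 ofReply:YES];
        [interface setClasses:errClasses forSelector:@selector(reset:) argumentIndex:1 ofReply:YES];
// … unchanged: preflightBottledPeer / launchBottledPeer / scrubBottledPeer registrations and @catch …
```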
@@ -0,0 +1,80 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#ifndef OTDefines_h +#define OTDefines_h +#if OCTAGON +#include +#include +NS_ASSUME_NONNULL_BEGIN + +static NSString* const octagonErrorDomain = @"com.apple.security.octagon"; +static NSString* const OctagonEventAttributeZoneName = @"OTBottledPeer"; +static NSString* const OctagonEventAttributeFailureReason = @"OTFailureReason"; +static NSString* const OctagonEventAttributeTimeSinceLastPostedFollowUp = @"TimeSinceLastPostedFollowUp"; + + +/* Octagon Errors */ +#define OTErrorNoColumn 1 +#define OTErrorKeyGeneration 2 +#define OTErrorEmptySecret 3 +#define OTErrorEmptyDSID 4 +#define OTErrorNoIdentity 5 +#define OTErrorRestoreFailed 6 +#define OTErrorRestoredPeerEncryptionKeyFailure 7 +#define OTErrorRestoredPeerSigningKeyFailure 8 +#define OTErrorEntropyCreationFailure 9 +#define OTErrorDeserializationFailure 10 +#define OTErrorDecryptFailure 11 +#define OTErrorPrivateKeyFailure 12 +#define OTErrorEscrowSigningSPKI 13 +#define OTErrorBottleID 14 +#define OTErrorOTLocalStore 
15 +#define OTErrorOTCloudStore 16 +#define OTErrorEmptyEscrowRecordID 17 +#define OTErrorNoBottlePeerRecords 18 +#define OTErrorCoreFollowUp 19 +#define OTErrorFeatureNotEnabled 20 +#define OTErrorCKCallback 21 +#define OTErrorRampInit 22 +#define OTErrorCKTimeOut 23 +#define OTErrorNoNetwork 24 +#define OTErrorNotSignedIn 25 +#define OTErrorRecordNotFound 26 + +#define OTMasterSecretLength 72 + +typedef enum { + OctagonSigningKey = 1, + OctagonEncryptionKey = 2 +} OctagonKeyType; + +typedef enum { + UNCLEAR = 0, + BOTTLE = 1, + NOBOTTLE = 2 +} OctagonBottleCheckState; + +NS_ASSUME_NONNULL_END +#endif +#endif /* OTDefines_h */ diff --git a/keychain/ot/OTEscrowKeys.h b/keychain/ot/OTEscrowKeys.h new file mode 100644 index 00000000..d2d7975f --- /dev/null +++ b/keychain/ot/OTEscrowKeys.h 
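Review bot: The `OctagonBottleCheckState` constants `UNCLEAR`, `BOTTLE` and `NOBOTTLE` are unprefixed names in a header, so they can collide with any macro or enum in a file that imports it; names in the style of the neighbouring enum, such as `OctagonBottleCheckStateUnclear`, avoid that. The error codes are plain `#define`s, so any integer passes as an Octagon error code; `typedef NS_ENUM(NSInteger, OTError) { OTErrorNoColumn = 1, ... }` keeps the same values and gives the compiler something to check. `OTMasterSecretLength 72` would benefit from a comment stating its unit and where the length is enforced, since nothing in this header shows either.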
@@ -0,0 +1,64 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#ifndef OTEscrow_h +#define OTEscrow_h +#if OCTAGON + +#import +#import +NS_ASSUME_NONNULL_BEGIN + +typedef enum { + kOTEscrowKeySigning = 1, + kOTEscrowKeyEncryption = 2, + kOTEscrowKeySymmetric = 3, +} escrowKeyType; + +@interface OTEscrowKeys : NSObject + +@property (nonatomic, readonly) SFECKeyPair* encryptionKey; +@property (nonatomic, readonly) SFECKeyPair* signingKey; +@property (nonatomic, readonly) SFAESKey* symmetricKey; + +@property (nonatomic, readonly) NSData* secret; +@property (nonatomic, readonly) NSString* dsid; + +-(instancetype) init NS_UNAVAILABLE; + +- (nullable instancetype) initWithSecret:(NSData*)secret + dsid:(NSString*)dsid + error:(NSError* __autoreleasing *)error; + ++ (SecKeyRef) createSecKey:(NSData*)keyData; ++ (BOOL) setKeyMaterialInKeychain:(NSDictionary*)query error:(NSError* __autoreleasing *)error; + ++ (NSData* _Nullable) generateEscrowKey:(escrowKeyType)keyType + masterSecret:(NSData*)masterSecret + dsid:(NSString *)dsid + 
error:(NSError**)error; + +@end +NS_ASSUME_NONNULL_END +#endif +#endif /* OTEscrow_h */ diff --git a/keychain/ot/OTEscrowKeys.m b/keychain/ot/OTEscrowKeys.m new file mode 100644 index 00000000..1779714a --- /dev/null +++ b/keychain/ot/OTEscrowKeys.m 
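Review bot: `+ (SecKeyRef) createSecKey:(NSData*)keyData` follows the Create naming and, in OTEscrowKeys.m, returns the result of `SecKeyCreateWithData`, so the caller owns the reference, but the declaration carries no ownership annotation or comment. Adding `CF_RETURNS_RETAINED` and a comment such as `// Returns a +1 SecKeyRef, or NULL if the key cannot be created; caller must CFRelease.` makes that visible to callers and to the static analyzer. The return type should also be `_Nullable`, because the header sits inside `NS_ASSUME_NONNULL_BEGIN` and the implementation passes the creation result through unchecked. The readonly `secret` property keeps the master secret alive for the lifetime of the object; a comment saying so would help callers decide how long to hold an `OTEscrowKeys` instance.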
@@ -0,0 +1,335 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ +#if OCTAGON + +#import "OTEscrowKeys.h" + +#import +#include +#include +#import +#import +#import + +#import +#import +#import +#import +#import + +#import "keychain/ot/OTDefines.h" + +#import +#import +#import + +#import +#import +#import + +static uint8_t escrowedSigningPrivKey[] = {'E', 's', 'c', 'r', 'o', 'w', ' ', 'S', 'i', 'g', 'n', 'i', 'n', 'g', ' ', 'P', 'r', 'i', 'v', 'a', 't', 'e', ' ', 'K', 'e', 'y'}; +static uint8_t escrowedEncryptionPrivKey[] = { 'E', 's', 'c', 'r', 'o', 'w', ' ','E', 'n', 'c', 'r', 'y', 'p', 't', 'i', 'o', 'n', ' ', 'P', 'r', 'v', 'a', 't', 'e', ' ', 'K', 'e', 'y' }; +static uint8_t escrowedSymmetric[] = {'E', 's', 'c', 'r', 'o', 'w', ' ', 'S', 'y', 'm', 'm', 'e', 't', 'r', 'i','c',' ', 'K', 'e', 'y' }; + +#define OT_ESCROW_SIGNING_HKDF_SIZE 56 +#define OT_ESCROW_ENCRYPTION_HKDF_SIZE 56 +#define OT_ESCROW_SYMMETRIC_HKDF_SIZE 32 + +@interface OTEscrowKeys () +@property (nonatomic, strong) SFECKeyPair* encryptionKey; +@property (nonatomic, strong) 
SFECKeyPair* signingKey; +@property (nonatomic, strong) SFAESKey* symmetricKey; +@property (nonatomic, strong) NSData* secret; +@property (nonatomic, strong) NSString* dsid; +@end + +@implementation OTEscrowKeys + +- (nullable instancetype) initWithSecret:(NSData*)secret + dsid:(NSString*)dsid + error:(NSError* __autoreleasing *)error +{ + self = [super init]; + if (self) { + NSError* localError = nil; + + if([secret length] == 0){ + if(error){ + *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorEmptySecret userInfo:@{NSLocalizedDescriptionKey: @"entropy/secret is nil"}]; + } + return nil; + } + _secret = [secret copy]; + + if([dsid length] == 0){ + if(error){ + *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorEmptyDSID userInfo:@{NSLocalizedDescriptionKey: @"dsid is nil"}]; + } + return nil; + } + _dsid = [dsid copy]; + + NSData *data = [OTEscrowKeys generateEscrowKey:kOTEscrowKeySigning masterSecret:secret dsid:self.dsid error:&localError]; + if (!data) { + if(error){ + *error = localError; + } + return nil; + } + _signingKey = [[SFECKeyPair alloc] initWithSecKey:[OTEscrowKeys createSecKey:data]]; + if(!_signingKey){ + if(error){ + *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorKeyGeneration userInfo:@{NSLocalizedDescriptionKey: @"failed to create EC signing key"}]; + } + return nil; + } + data = [OTEscrowKeys generateEscrowKey:kOTEscrowKeyEncryption masterSecret:secret dsid:self.dsid error:&localError]; + if (!data) { + if(error){ + *error = localError; + } + return nil; + } + _encryptionKey = [[SFECKeyPair alloc] initWithSecKey:[OTEscrowKeys createSecKey:data]]; + if(!_encryptionKey){ + if(error){ + *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorKeyGeneration userInfo:@{NSLocalizedDescriptionKey: @"failed to create EC encryption key"}]; + } + return nil; + } + data = [OTEscrowKeys generateEscrowKey:kOTEscrowKeySymmetric masterSecret:secret dsid:self.dsid error:&localError]; + if (!data) { + 
if(error){ + *error = localError; + } + return nil; + } + _symmetricKey = [[SFAESKey alloc] initWithData:data specifier:[[SFAESKeySpecifier alloc] initWithBitSize:SFAESKeyBitSize256] error:&localError]; + if (!_symmetricKey) { + if(error){ + *error = localError; + } + return nil; + } + + BOOL result = [OTEscrowKeys storeEscrowedSigningKeyPair:[_signingKey keyData] error:&localError]; + if(!result || localError){ + secerror("octagon: could not store escrowed signing SPKI in keychain: %@", localError); + if(error){ + *error = localError; + } + return nil; + } + result = [OTEscrowKeys storeEscrowedEncryptionKeyPair:[_encryptionKey keyData] error:error]; + if(!result || localError){ + secerror("octagon: could not store escrowed signing SPKI in keychain: %@", localError); + if(error){ + *error = localError; + } + return nil; + } + result = [OTEscrowKeys storeEscrowedSymmetricKey:[_symmetricKey keyData] error:error]; + if(!result || localError){ + secerror("octagon: could not store escrowed signing SPKI in keychain: %@", localError); + if(error){ + *error = localError; + } + return nil; + } + } + return self; +} + ++ (NSData* _Nullable) generateEscrowKey:(escrowKeyType)keyType + masterSecret:(NSData*)masterSecret + dsid:(NSString *)dsid + error:(NSError**)error +{ + NSUInteger keyLength = 0; + const void *info = nil; + size_t infoLength = 0; + NSMutableData* derivedKey = NULL; + + switch(keyType) + { + case kOTEscrowKeySymmetric: + keyLength = OT_ESCROW_SYMMETRIC_HKDF_SIZE; + info = escrowedSymmetric; + infoLength = sizeof(escrowedSymmetric); + break; + case kOTEscrowKeyEncryption: + keyLength = OT_ESCROW_ENCRYPTION_HKDF_SIZE; + info = escrowedEncryptionPrivKey; + infoLength = sizeof(escrowedEncryptionPrivKey); + break; + case kOTEscrowKeySigning: + keyLength = OT_ESCROW_SIGNING_HKDF_SIZE; + info = escrowedSigningPrivKey; + infoLength = sizeof(escrowedSigningPrivKey); + break; + default: + break; + } + + ccec_const_cp_t cp = ccec_cp_384(); + int status = 0; + + 
ccec_full_ctx_decl_cp(cp, fullKey); + + derivedKey = [NSMutableData dataWithLength:keyLength]; + status = cchkdf(ccsha384_di(), + [masterSecret length], [masterSecret bytes], + strlen([dsid UTF8String]),[dsid UTF8String], + infoLength, info, + keyLength, [derivedKey mutableBytes]); + + + if (status != 0) { + if(error){ + *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorKeyGeneration userInfo:nil]; + } + secerror("octagon: could not generate seed for signing keys"); + return nil; + } + if(keyType == kOTEscrowKeySymmetric){ + return derivedKey; + } + else if(keyType == kOTEscrowKeyEncryption || keyType == kOTEscrowKeySigning){ + + status = ccec_generate_key_deterministic(cp, + [derivedKey length], [derivedKey mutableBytes], + ccDRBGGetRngState(), + CCEC_GENKEY_DETERMINISTIC_FIPS, + fullKey); + if(status != 0){ + if(error){ + *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorKeyGeneration userInfo:nil]; + } + secerror("octagon: could not generate signing keys"); + return nil; + } + + size_t space = ccec_x963_export_size(true, ccec_ctx_pub(fullKey)); + NSMutableData* key = [[NSMutableData alloc]initWithLength:space]; + ccec_x963_export(true, [key mutableBytes], fullKey); + derivedKey = key; + } + return derivedKey; +} + ++ (SecKeyRef) createSecKey:(NSData*)keyData +{ + NSDictionary *keyAttributes = @{ + (__bridge id)kSecAttrKeyClass : (__bridge id)kSecAttrKeyClassPrivate, + (__bridge id)kSecAttrKeyType : (__bridge id)kSecAttrKeyTypeEC, + }; + + SecKeyRef key = SecKeyCreateWithData((__bridge CFDataRef)keyData, (__bridge CFDictionaryRef)keyAttributes, NULL); + return key; +} + ++ (BOOL) setKeyMaterialInKeychain:(NSDictionary*)query error:(NSError* __autoreleasing *)error +{ + BOOL result = NO; + + CFTypeRef results = NULL; + OSStatus status = SecItemAdd((__bridge CFDictionaryRef)query, &results); + + NSError* localerror = nil; + + if(status == errSecDuplicateItem || status == errSecSuccess) { + result = YES; + } else { + localerror = 
[NSError errorWithDomain:@"securityd" + code:status + userInfo:nil]; + } + if(status != errSecSuccess) { + CFReleaseNull(results); + + if(error) { + *error = localerror; + } + } + + return result; +} + ++(NSString*) hashIt:(NSData*)keyData +{ + const struct ccdigest_info *di = ccsha384_di(); + NSMutableData* result = [[NSMutableData alloc] initWithLength:ccsha384_di()->output_size]; + + ccdigest(di, [keyData length], [keyData bytes], [result mutableBytes]); + + NSString* hash = [result base64EncodedStringWithOptions:0]; + return hash; +} + ++ (BOOL)storeEscrowedEncryptionKeyPair:(NSData*)keyData error:(NSError**)error +{ + NSDictionary* query = @{ + (id)kSecClass : (id)kSecClassInternetPassword, + (id)kSecAttrAccessible: (id)kSecAttrAccessibleWhenUnlocked, + (id)kSecAttrNoLegacy : @YES, + (id)kSecAttrAccessGroup: @"com.apple.security.ckks", + (id)kSecAttrSynchronizable : (id)kCFBooleanFalse, + (id)kSecAttrServer : [self hashIt:keyData], + (id)kSecAttrLabel : @"Escrowed Encryption Key", + (id)kSecValueData : keyData, + }; + return [OTEscrowKeys setKeyMaterialInKeychain:query error:error]; +} + ++ (BOOL)storeEscrowedSigningKeyPair:(NSData*)keyData error:(NSError**)error +{ + NSDictionary* query = @{ + (id)kSecClass : (id)kSecClassInternetPassword, + (id)kSecAttrAccessible: (id)kSecAttrAccessibleWhenUnlocked, + (id)kSecAttrNoLegacy : @YES, + (id)kSecAttrAccessGroup: @"com.apple.security.ckks", + (id)kSecAttrSynchronizable : (id)kCFBooleanFalse, + (id)kSecAttrLabel : @"Escrowed Signing Key", + (id)kSecAttrServer : [self hashIt:keyData], + (id)kSecValueData : keyData, + }; + return [OTEscrowKeys setKeyMaterialInKeychain:query error:error]; +} + ++ (BOOL)storeEscrowedSymmetricKey:(NSData*)keyData error:(NSError**)error +{ + NSDictionary* query = @{ + (id)kSecClass : (id)kSecClassInternetPassword, + (id)kSecAttrAccessible: (id)kSecAttrAccessibleWhenUnlocked, + (id)kSecAttrNoLegacy : @YES, + (id)kSecAttrAccessGroup: @"com.apple.security.ckks", + (id)kSecAttrSynchronizable 
: (id)kCFBooleanFalse, + (id)kSecAttrLabel : @"Escrowed Symmetric Key", + (id)kSecAttrServer : [self hashIt:keyData], + (id)kSecValueData : keyData, + }; + return [OTEscrowKeys setKeyMaterialInKeychain:query error:error]; +} + +@end +#endif diff --git a/keychain/ot/OTIdentity.h b/keychain/ot/OTIdentity.h new file mode 100644 index 00000000..35ba3476 --- /dev/null +++ b/keychain/ot/OTIdentity.h 
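Review bot: In `initWithSecret:dsid:error:` the calls to `storeEscrowedEncryptionKeyPair:` and `storeEscrowedSymmetricKey:` pass the caller's `error` while the check and assignment that follow use `localError`, so a failed store overwrites the real error with `*error = localError` (nil at that point). Passing `error:&localError` in both calls, as the signing-key store already does, fixes it; the two log lines also still say "signing SPKI" for the encryption and symmetric keys. `generateEscrowKey:` falls through `default: break;` with `keyLength` 0 and can return an empty, non-nil `NSData` for an unknown `keyType`; returning nil with `OTErrorKeyGeneration` there keeps a zero-length key from reaching a caller. The HKDF info label `escrowedEncryptionPrivKey` spells "Prvate", and since that string is an input to the derivation it deserves a comment saying it must stay as is, because correcting the spelling would derive a different key. The bytes in `derivedKey` and the stack `fullKey` context are left uncleared on every return path, which is worth a follow-up.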
@@ -0,0 +1,58 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if OCTAGON + +#include +NS_ASSUME_NONNULL_BEGIN + +@interface OTIdentity : NSObject + +@property (nonatomic, readonly) NSString* peerID; +@property (nonatomic, readonly) NSString* spID; +@property (nonatomic, readonly) SFECKeyPair* peerSigningKey; +@property (nonatomic, readonly) SFECKeyPair* peerEncryptionKey; + + +- (instancetype) initWithPeerID:(nullable NSString*)peerID + spID:(nullable NSString*)spID + peerSigningKey:(SFECKeyPair*)peerSigningKey + peerEncryptionkey:(SFECKeyPair*)peerEncryptionKey + error:(NSError**)error; + ++ (nullable instancetype) currentIdentityFromSOS:(NSError**)error; + +-(BOOL)isEqual:(OTIdentity*)identity; + + ++(BOOL) storeOctagonIdentityIntoKeychain:(_SFECKeyPair *)restoredSigningKey + restoredEncryptionKey:(_SFECKeyPair *)restoredEncryptionKey + escrowSigningPubKeyHash:(NSString *)escrowSigningPubKeyHash + restoredPeerID:(NSString *)peerID + error:(NSError**)error; + +@end + +NS_ASSUME_NONNULL_END +#endif + 
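Review bot: `peerID` and `spID` are declared as non-null properties under `NS_ASSUME_NONNULL_BEGIN`, yet the initializer takes both as `nullable` and `currentIdentityFromSOS:` in OTIdentity.m passes `peerID:nil`. Declaring them `@property (nonatomic, readonly, nullable) NSString* peerID;` (and likewise `spID`) keeps callers from trusting a value that may be nil. `-(BOOL)isEqual:(OTIdentity*)identity` narrows NSObject's `isEqual:` without a matching `hash`; a comment stating that the comparison covers both IDs and both key pairs, plus a `hash` override, would make the class safe to put in sets and dictionaries.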
diff --git a/keychain/ot/OTIdentity.m b/keychain/ot/OTIdentity.m
new file mode 100644
index 00000000..a26c0eaf
--- /dev/null
+++ b/keychain/ot/OTIdentity.m
@@ -0,0 +1,214 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ +#if OCTAGON + +#import "OTIdentity.h" + +#import +#import +#import "keychain/ot/OTDefines.h" + +#import +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wdeprecated-declarations" +#import +#pragma clang diagnostic pop + +@interface OTIdentity () + +@property (nonatomic, strong) NSString* peerID; +@property (nonatomic, strong) NSString* spID; +@property (nonatomic, strong) SFECKeyPair* peerSigningKey; +@property (nonatomic, strong) SFECKeyPair* peerEncryptionKey; + +@end + +@implementation OTIdentity + +- (instancetype) initWithPeerID:(nullable NSString*)peerID + spID:(nullable NSString*)spID + peerSigningKey:(SFECKeyPair*)peerSigningKey + peerEncryptionkey:(SFECKeyPair*)peerEncryptionKey + error:(NSError**)error +{ + self = [super init]; + if (self) { + _peerID = peerID; + _spID = spID; + _peerSigningKey = peerSigningKey; + _peerEncryptionKey = peerEncryptionKey; + } + return self; +} + ++ (nullable instancetype) currentIdentityFromSOS:(NSError**)error +{ + 
CFErrorRef circleCheckError = NULL; + SOSCCStatus circleStatus = SOSCCThisDeviceIsInCircle(&circleCheckError); + if(circleStatus != kSOSCCInCircle){ + if(circleCheckError){ + secerror("octagon: cannot retrieve octagon keys from SOS, not in circle, error: %@", circleCheckError); + if(error){ + *error = (__bridge NSError*)circleCheckError; + } + } + secerror("octagon: current circle status: %d",circleStatus); + return nil; + } + __block NSString* sosPeerID = nil; + __block NSError* sosPeerIDError = nil; + + SOSCCPerformWithPeerID(^(CFStringRef peerID, CFErrorRef error) { + sosPeerID = (__bridge NSString *)(peerID); + if(error){ + secerror("octagon: retrieving sos peer id error: %@", error); + sosPeerIDError = CFBridgingRelease(error); + } + }); + + if(sosPeerID == nil || sosPeerIDError != nil){ + secerror("octagon: cannot retrieve peer id from SOS, error: %@", sosPeerIDError); + if(error){ + *error = sosPeerIDError; + } + return nil; + } + + __block SFECKeyPair *peerEncryptionKey; + __block SFECKeyPair *peerSigningKey; + __block NSError* localError = nil; + + SOSCCPerformWithAllOctagonKeys(^(SecKeyRef octagonEncryptionKey, SecKeyRef octagonSigningKey, CFErrorRef cferror) { + if(cferror) { + localError = (__bridge NSError*)cferror; + return; + } + if (!cferror && octagonEncryptionKey && octagonSigningKey) { + peerSigningKey = [[SFECKeyPair alloc] initWithSecKey:octagonSigningKey]; + peerEncryptionKey = [[SFECKeyPair alloc] initWithSecKey:octagonEncryptionKey]; + + } + }); + + if(!peerEncryptionKey || !peerSigningKey || localError != nil){ + secerror("octagon: failed to retrieve octagon keys from sos: %@", localError); + if(error){ + *error = localError; + } + return nil; + } + return [[OTIdentity alloc] initWithPeerID:nil + spID:sosPeerID + peerSigningKey:peerSigningKey + peerEncryptionkey:peerEncryptionKey + error:error]; +} + +-(BOOL)isEqual:(OTIdentity*)identity +{ + return [self.peerID isEqualToString:identity.peerID] && + [self.spID isEqualToString:identity.spID] 
&& + [self.peerSigningKey isEqual:identity.peerSigningKey] && + [self.peerEncryptionKey isEqual:identity.peerEncryptionKey]; +} + ++ (BOOL) setKeyMaterialInKeychain:(NSDictionary*)query error:(NSError* __autoreleasing *)error +{ + BOOL result = NO; + + CFTypeRef results = NULL; + OSStatus status = SecItemAdd((__bridge CFDictionaryRef)query, &results); + + NSError* localerror = nil; + + if(status == errSecDuplicateItem || status == errSecSuccess) { + result = YES; + } else { + localerror = [NSError errorWithDomain:@"securityd" + code:status + userInfo:nil]; + } + if(status != errSecSuccess) { + CFReleaseNull(results); + + if(error) { + *error = localerror; + } + } + + return result; +} + ++ (BOOL)storeOtagonKey:(NSData*)keyData + octagonKeyType:(OctagonKeyType)octagonKeyType + restoredPeerID:(NSString*)restoredPeerID + escrowSigningPubKeyHash:(NSString*)escrowSigningPubKeyHash + error:(NSError**)error +{ + NSNumber *keyType = [[NSNumber alloc]initWithInt:octagonKeyType]; + + NSDictionary* query = @{ + (id)kSecClass : (id)kSecClassInternetPassword, + (id)kSecAttrAccessible: (id)kSecAttrAccessibleWhenUnlocked, + (id)kSecAttrNoLegacy : @YES, + (id)kSecAttrLabel : escrowSigningPubKeyHash, + (id)kSecAttrAccount : restoredPeerID, + (id)kSecAttrType : keyType, + (id)kSecAttrServer : (octagonKeyType == 1) ? 
@"Octagon Signing Key" : @"Octagon Encryption Key", + (id)kSecAttrAccessGroup: @"com.apple.security.ckks", + (id)kSecAttrSynchronizable : (id)kCFBooleanFalse, + (id)kSecValueData : keyData, + }; + return [OTIdentity setKeyMaterialInKeychain:query error:error]; + +} + ++(BOOL) storeOctagonIdentityIntoKeychain:(_SFECKeyPair *)restoredSigningKey + restoredEncryptionKey:(_SFECKeyPair *)restoredEncryptionKey + escrowSigningPubKeyHash:(NSString *)escrowSigningPubKeyHash + restoredPeerID:(NSString *)peerID + error:(NSError**)error +{ + NSError* localError = nil; + + BOOL result = [OTIdentity storeOtagonKey:[restoredSigningKey keyData] octagonKeyType:OctagonSigningKey restoredPeerID:peerID escrowSigningPubKeyHash:escrowSigningPubKeyHash error:&localError]; + if(!result || localError){ + secerror("octagon: could not store octagon signing key in keychain:%@", localError); + if(error){ + *error = localError; + } + return NO; + } + result = [OTIdentity storeOtagonKey:[restoredEncryptionKey keyData] octagonKeyType:OctagonEncryptionKey restoredPeerID:peerID escrowSigningPubKeyHash:escrowSigningPubKeyHash error:&localError]; + if(!result || localError){ + secerror("octagon: could not store octagon encryption key in keychain:%@", localError); + if(error){ + *error = localError; + } + return NO; + } + return result; +} + +@end +#endif diff --git a/keychain/ot/OTLocalStore.h b/keychain/ot/OTLocalStore.h new file mode 100644 index 00000000..74c4fa09 --- /dev/null +++ b/keychain/ot/OTLocalStore.h 
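Review bot: `currentIdentityFromSOS:` takes ownership of the block's `CFErrorRef` with `sosPeerIDError = CFBridgingRelease(error);` inside the `SOSCCPerformWithPeerID` block, while the same kind of parameter is only borrowed with `(__bridge NSError*)cferror` in the `SOSCCPerformWithAllOctagonKeys` block a few lines later. Unless the SOS call documents that the block owns the error, that release is unbalanced and the object can be freed while `sosPeerIDError` is still logged and returned; `sosPeerIDError = (__bridge NSError *)error;` matches the second block. Conversely `circleCheckError` is an out-parameter this method owns and it is only `__bridge`-cast, so it is never released. `isEqual:` returns NO whenever `self.peerID` is nil, which is the case for every identity built by `currentIdentityFromSOS:`, because messaging nil yields NO; comparing each field with `(a == b || [a isEqual:b])` handles that. `setKeyMaterialInKeychain:` reports `errSecDuplicateItem` as success without checking that the stored data matches, so a restore may return YES while an older key for the same peer stays in the keychain, if I read the item attributes right.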
@@ -0,0 +1,77 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#ifndef OTLocalStore_h +#define OTLocalStore_h +#if OCTAGON + +#import +#import +#import +#import "keychain/ot/OTBottledPeerRecord.h" +#import "keychain/ot/OTContextRecord.h" + +NS_ASSUME_NONNULL_BEGIN + +@interface OTLocalStore : NSObject + +@property (nonatomic, readonly) NSString* dbPath; +@property (nonatomic, readonly) PQLConnection* pDB; +@property (nonatomic, readonly) dispatch_queue_t serialQ; +@property (nonatomic, readonly) NSString* contextID; +@property (nonatomic, readonly) NSString* dsid; +@property (nonatomic, readonly) sqlite3* _db; + +-(instancetype) initWithContextID:(NSString*)contextID dsid:(NSString*)dsid path:(nullable NSString*)path error:(NSError**)error; + +-(BOOL)isProposedColumnNameInTable:(NSString*)proposedColumnName tableName:(NSString*)tableName; + +// OT Context Record routines +-(BOOL)initializeContextTable:(NSString*)contextID dsid:(NSString*)dsid error:(NSError**)error; +-(OTContextRecord* 
_Nullable)readLocalContextRecordForContextIDAndDSID:(NSString*)contextAndDSID error:(NSError**)error; +-(BOOL)insertLocalContextRecord:(NSDictionary*)attributes error:(NSError**)error; +-(BOOL)updateLocalContextRecordRowWithContextID:(NSString*)contextIDAndDSID columnName:(NSString*)columnName newValue:(void*)newValue error:(NSError**)error; +-(BOOL)deleteLocalContext:(NSString*)contextIDAndDSID error:(NSError**)error; +-(BOOL) deleteAllContexts:(NSError**)error; + +//OT Bottled Peer routines +- (nullable OTBottledPeerRecord *)readLocalBottledPeerRecordWithRecordID:(NSString *)recordID + error:(NSError**)error; +- (nullable NSArray*) readAllLocalBottledPeerRecords:(NSError**)error; +-(BOOL)deleteBottledPeer:(NSString*) recordID error:(NSError**)error; +-(BOOL) deleteBottledPeersForContextAndDSID:(NSString*)contextIDAndDSID + error:(NSError**)error; +-(BOOL)removeAllBottledPeerRecords:(NSError**)error; +-(BOOL)insertBottledPeerRecord:(OTBottledPeerRecord *)bp + escrowRecordID:(NSString *)escrowRecordID + error:(NSError**)error; +- (nullable NSArray*) readLocalBottledPeerRecordsWithMatchingPeerID:(NSString*)peerID error:(NSError**)error; + +// generic DB routines +-(BOOL)openDBWithError:(NSError**)error; +-(BOOL)closeDBWithError:(NSError**)error;; +-(BOOL)createDirectoryAtPath:(NSString*)path error:(NSError **)error; +@end +NS_ASSUME_NONNULL_END +#endif +#endif /* OTLocalStore_h */ diff --git a/keychain/ot/OTLocalStore.m b/keychain/ot/OTLocalStore.m new file mode 100644 index 00000000..8e4c3e7a --- /dev/null +++ b/keychain/ot/OTLocalStore.m 
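Review bot: `updateLocalContextRecordRowWithContextID:columnName:newValue:error:` declares `newValue` as `void*`, which drops the object type of a value that the implementation in OTLocalStore.m formats into an SQL statement with `%@`. Typing it as an object, `newValue:(id)newValue`, lets the compiler reject a non-object pointer before it reaches the database layer. The declaration `-(BOOL)closeDBWithError:(NSError**)error;;` carries a stray second semicolon. The readonly `_db` property is not assigned anywhere in the implementation visible in this patch, so it may be removable.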
@@ -0,0 +1,684 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ +#if OCTAGON + +#import +#import +#import +#import +#include +#import "keychain/ot/OTDefines.h" +#if TARGET_OS_IPHONE || TARGET_IPHONE_SIMULATOR +#include +#else +#include +#endif + +#import "OTLocalStore.h" +#import "OTBottledPeerSigned.h" + +static NSString* const contextSchema = @"create table if not exists context (contextIDAndDSID text primary key, contextID text, accountDSID text, contextName text, zoneCreated boolean, subscribedToChanges boolean, changeToken blob, egoPeerID text, egoPeerCreationDate date, recoverySigningSPKI text, recoveryEncryptionSPKI text);"; + +static NSString* const bottledPeerSchema = @"create table if not exists bp (bottledPeerRecordID text primary key, contextIDAndDSID text, escrowRecordID text, peerID text, spID text, bottle text, escrowSigningSPKI text, peerSigningSPKI text, signatureUsingEscrow text, signatureUsingPeerKey text, encodedRecord text, launched text);"; + +static const NSInteger user_version = 0; + +/* Octagon Trust Local Context 
Record Constants */ +static NSString* OTCKRecordContextAndDSID = @"contextIDAndDSID"; +static NSString* OTCKRecordContextID = @"contextID"; +static NSString* OTCKRecordDSID = @"accountDSID"; +static NSString* OTCKRecordContextName = @"contextName"; +static NSString* OTCKRecordZoneCreated = @"zoneCreated"; +static NSString* OTCKRecordSubscribedToChanges = @"subscribedToChanges"; +static NSString* OTCKRecordChangeToken = @"changeToken"; +static NSString* OTCKRecordEgoPeerID = @"egoPeerID"; +static NSString* OTCKRecordEgoPeerCreationDate = @"egoPeerCreationDate"; +static NSString* OTCKRecordRecoverySigningSPKI = @"recoverySigningSPKI"; +static NSString* OTCKRecordRecoveryEncryptionSPKI = @"recoveryEncryptionSPKI"; +static NSString* OTCKRecordBottledPeerTableEntry = @"bottledPeer"; + +/* Octagon Trust Local Peer Record */ +static NSString* OTCKRecordPeerID = @"peerID"; +static NSString* OTCKRecordPermanentInfo = @"permanentInfo"; +static NSString* OTCKRecordStableInfo = @"stableInfo"; +static NSString* OTCKRecordDynamicInfo = @"dynamicInfo"; +static NSString* OTCKRecordRecoveryVoucher = @"recoveryVoucher"; +static NSString* OTCKRecordIsEgoPeer = @"isEgoPeer"; + +/* Octagon Trust BottledPeerSchema */ +static NSString* OTCKRecordEscrowRecordID = @"escrowRecordID"; +static NSString* OTCKRecordRecordID = @"bottledPeerRecordID"; +static NSString* OTCKRecordSPID = @"spID"; +static NSString* OTCKRecordBottle = @"bottle"; +static NSString* OTCKRecordEscrowSigningSPKI = @"escrowSigningSPKI"; +static NSString* OTCKRecordPeerSigningSPKI = @"peerSigningSPKI"; +static NSString* OTCKRecordSignatureFromEscrow = @"signatureUsingEscrow"; +static NSString* OTCKRecordSignatureFromPeerKey = @"signatureUsingPeerKey"; +static NSString* OTCKRecordEncodedRecord = @"encodedRecord"; +static NSString* OTCKRecordLaunched = @"launched"; + +/* Octagon Table Names */ +static NSString* const contextTable = @"context"; +static NSString* const peerTable = @"peer"; +static NSString* const 
bottledPeerTable = @"bp"; + +/* Octagon Trust Schemas */ +static NSString* const octagonZoctagonErrorDomainoneName = @"OctagonTrustZone"; + +/* Octagon Cloud Kit defines */ +static NSString* OTCKContainerName = @"com.apple.security.keychain"; +static NSString* OTCKZoneName = @"OctagonTrust"; +static NSString* OTCKRecordName = @"bp-"; +static NSString* OTCKRecordBottledPeerType = @"OTBottledPeer"; + +static NSArray* _Nullable selectAll(PQLResultSet *rs, Class class) +{ + NSMutableArray *arr = [NSMutableArray array]; + for (id o in [rs enumerateObjectsOfClass:class]) { + [arr addObject:o]; + } + if (rs.error) { + return nil; + } + return arr; +} +#define selectArrays(db, sql, ...) \ +selectAll([db fetch:sql, ##__VA_ARGS__], [NSArray class]) + +#define selectDictionaries(db, sql, ...) \ +selectAll([db fetch:sql, ##__VA_ARGS__], [NSDictionary class]) + + +@interface NSDictionary (PQLResultSetInitializer) +@end +@implementation NSDictionary (PQLResultSetInitializer) +- (instancetype)initFromPQLResultSet:(PQLResultSet *)rs + error:(NSError **)error +{ + NSUInteger cols = rs.columns; + NSMutableDictionary *dict = [[NSMutableDictionary alloc] initWithCapacity:cols]; + + for (NSUInteger i = 0; i < cols; i++) { + id obj = rs[i]; + if (obj) { + dict[[rs columnNameAtIndex:(int)i]] = obj; + } + } + + return [self initWithDictionary:dict]; +} +@end + + +@implementation OTLocalStore + +-(instancetype) initWithContextID:(NSString*)contextID dsid:(NSString*)dsid path:(nullable NSString*)path error:(NSError**)error +{ + self = [super init]; + if(self){ + if (!path) { + NSURL* urlPath = (__bridge_transfer NSURL*)SecCopyURLForFileInKeychainDirectory((__bridge CFStringRef)@"otdb.db"); + path = [urlPath path]; + } + _dbPath = [path copy]; + _pDB = [[PQLConnection alloc] init]; + _contextID = [contextID copy]; + _dsid = [dsid copy]; + _serialQ = dispatch_queue_create("com.apple.security.ot.db", DISPATCH_QUEUE_SERIAL); + + NSError* localError = nil; + if(![self 
openDBWithError:&localError]) + { + secerror("octagon: could not open db: %@", localError); + if(error){ + *error = localError; + } + return nil; + } + } + return self; +} + +- (BOOL) createDirectoryAtPath:(NSString*)path error:(NSError **)error +{ + BOOL success = YES; + NSError *localError; + NSFileManager *fileManager = [NSFileManager defaultManager]; + + if (![fileManager createDirectoryAtPath:path withIntermediateDirectories:YES attributes:nil error:&localError]) { + if (![localError.domain isEqualToString:NSCocoaErrorDomain] || localError.code != NSFileWriteFileExistsError) { + success = NO; + if(error){ + *error = localError; + } + } + } + +#if TARGET_OS_IPHONE + if (success) { + NSDictionary *attributes = [fileManager attributesOfItemAtPath:path error:&localError]; + if (![attributes[NSFileProtectionKey] isEqualToString:NSFileProtectionCompleteUntilFirstUserAuthentication]) { + [fileManager setAttributes:@{ NSFileProtectionKey: NSFileProtectionCompleteUntilFirstUserAuthentication } + ofItemAtPath:path error:&localError]; + } + } +#endif + if (!success) { + if (error) *error = localError; + } + return success; +} + +-(BOOL)openDBWithError:(NSError**)error +{ + BOOL result = NO; + NSError *localError = nil; + + if(!(result = [_pDB openAtURL:[NSURL URLWithString:_dbPath] sharedCache:NO error:&localError])){ + secerror("octagon: could not open db: %@", localError); + if(error){ + *error = localError; + } + return NO; + } + if(![_pDB execute:bottledPeerSchema]){ + secerror("octagon: could not create bottled peer schema"); + if(error){ + *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorEntropyCreationFailure userInfo:@{NSLocalizedDescriptionKey: @"could not create bottled peer schema"}]; + } + result = NO; + } + if(![_pDB execute:contextSchema]){ + secerror("octagon: could not create contextschema"); + if(error){ + *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorOTLocalStore userInfo:@{NSLocalizedDescriptionKey: @"could not create 
context schema"}]; + } + result = NO; + } + if(![_pDB setupPragmas]){ + secerror("octagon: could not set up db pragmas"); + if(error){ + *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorOTLocalStore userInfo:@{NSLocalizedDescriptionKey: @"could not set up db pragmas"}]; + } + result = NO; + } + if(![_pDB setUserVersion:user_version]){ + secerror("octagon: could not set version"); + if(error){ + *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorOTLocalStore userInfo:@{NSLocalizedDescriptionKey: @"could not set version"}]; + } + result = NO; + } + return result; +} + +-(BOOL)closeDBWithError:(NSError**)error +{ + BOOL result = NO; + NSError *localError = nil; + + if(!(result =[_pDB close:&localError])){ + secerror("octagon: could not close db: %@", localError); + if(error){ + *error = localError; + } + } + return result; +} + +-(BOOL)isProposedColumnNameInTable:(NSString*)proposedColumnName tableName:(NSString*)tableName +{ + BOOL result = NO; + + if([tableName isEqualToString:contextTable]) + { + if([proposedColumnName isEqualToString:OTCKRecordContextAndDSID]){ + result = YES; + } + else if([proposedColumnName isEqualToString:OTCKRecordContextID]){ + result = YES; + } + else if([proposedColumnName isEqualToString:OTCKRecordDSID]){ + result = YES; + } + else if([proposedColumnName isEqualToString:OTCKRecordContextName]){ + result = YES; + } + else if([proposedColumnName isEqualToString:OTCKRecordZoneCreated]){ + result = YES; + } + else if([proposedColumnName isEqualToString:OTCKRecordSubscribedToChanges]){ + result = YES; + } + else if([proposedColumnName isEqualToString:OTCKRecordChangeToken]){ + result = YES; + } + else if([proposedColumnName isEqualToString:OTCKRecordEgoPeerID]){ + result = YES; + } + else if([proposedColumnName isEqualToString:OTCKRecordEgoPeerCreationDate]){ + result = YES; + } + else if([proposedColumnName isEqualToString:OTCKRecordRecoverySigningSPKI]){ + result = YES; + } + else if([proposedColumnName 
isEqualToString:OTCKRecordRecoveryEncryptionSPKI]){ + result = YES; + } + else{ + secerror("octagon: column name unknown: %@", proposedColumnName); + } + } + else if([tableName isEqualToString:peerTable]){ //not using yet! + result = NO; + secerror("octagon: not using this table yet!"); + } + else if([tableName isEqualToString:bottledPeerTable]) + { + if([proposedColumnName isEqualToString:OTCKRecordContextAndDSID]){ + result = YES; + } + else if([proposedColumnName isEqualToString:OTCKRecordRecordID]){ + result = YES; + } + else if([proposedColumnName isEqualToString:OTCKRecordEscrowRecordID]){ + result = YES; + } + else if([proposedColumnName isEqualToString:OTCKRecordSPID]){ + result = YES; + } + else if([proposedColumnName isEqualToString:OTCKRecordPeerID]){ + result = YES; + } + else if([proposedColumnName isEqualToString:OTCKRecordBottle]){ + result = YES; + } + else if([proposedColumnName isEqualToString:OTCKRecordSignatureFromEscrow]){ + result = YES; + } + else if([proposedColumnName isEqualToString:OTCKRecordSignatureFromPeerKey]){ + result = YES; + } + else if([proposedColumnName isEqualToString:OTCKRecordEncodedRecord]){ + result = YES; + } + else if([proposedColumnName isEqualToString:OTCKRecordLaunched]){ + result = YES; + } + else if([proposedColumnName isEqualToString:OTCKRecordPeerSigningSPKI]){ + result = YES; + } + else if([proposedColumnName isEqualToString:OTCKRecordEscrowSigningSPKI]){ + result = YES; + } + else{ + secerror("octagon: column name unknown: %@", proposedColumnName); + } + } + else{ + secerror("octagon: table name unknown: %@", tableName); + } + return result; +} + +///// +// Local Context Record +///// +-(OTContextRecord* _Nullable)readLocalContextRecordForContextIDAndDSID:(NSString*)contextAndDSID error:(NSError**)error +{ + OTContextRecord* record = [[OTContextRecord alloc]init]; + NSDictionary* attributes = nil; + NSArray *selectArray = nil; + + selectArray = selectDictionaries(_pDB, @"SELECT * from context WHERE 
contextIDAndDSID == %@;", PQLName(contextAndDSID)); + if(selectArray && [selectArray count] > 0){ + attributes = [selectArray objectAtIndex:0]; + } + if(attributes && [attributes count] > 0){ + record.contextID = attributes[OTCKRecordContextID]; + record.dsid = attributes[OTCKRecordDSID]; + record.contextName = attributes[OTCKRecordContextName]; + record.zoneCreated = (BOOL)attributes[OTCKRecordZoneCreated]; + record.subscribedToChanges = (BOOL)attributes[OTCKRecordSubscribedToChanges]; + record.changeToken = attributes[OTCKRecordChangeToken]; + record.egoPeerID = attributes[OTCKRecordEgoPeerID]; + record.egoPeerCreationDate = attributes[OTCKRecordEgoPeerCreationDate]; + record.recoverySigningSPKI = dataFromBase64(attributes[OTCKRecordRecoverySigningSPKI]); + record.recoveryEncryptionSPKI = dataFromBase64(attributes[OTCKRecordRecoveryEncryptionSPKI]); + } + else{ + secerror("octagon: no context attributes found"); + if(error){ + *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorOTLocalStore userInfo:@{NSLocalizedDescriptionKey: @"no context attributes found"}]; + } + } + + return record; +} + +-(BOOL)initializeContextTable:(NSString*)contextID dsid:(NSString*)dsid error:(NSError**)error +{ + BOOL result = NO; + NSError* localError = nil; + NSString* contextName = nil; +#if TARGET_OS_IPHONE || TARGET_OS_SIMULATOR + contextName = (__bridge_transfer NSString *)MGCopyAnswer(kMGQUserAssignedDeviceName, NULL); +#else + contextName = (__bridge_transfer NSString *)SCDynamicStoreCopyComputerName(NULL, NULL); +#endif + + NSDictionary *contextAttributes = @{ + OTCKRecordContextAndDSID : [NSString stringWithFormat:@"%@-%@", contextID, dsid], + OTCKRecordContextID : contextID, + OTCKRecordDSID : dsid, + OTCKRecordContextName : contextName, + OTCKRecordZoneCreated : @(NO), + OTCKRecordSubscribedToChanges : @(NO), + OTCKRecordChangeToken : [NSData data], + OTCKRecordEgoPeerID : @"ego peer id", + OTCKRecordEgoPeerCreationDate : [NSDate date], + 
OTCKRecordRecoverySigningSPKI : [NSData data], + OTCKRecordRecoveryEncryptionSPKI : [NSData data]}; + + result = [self insertLocalContextRecord:contextAttributes error:&localError]; + if(!result || localError != nil){ + secerror("octagon: context table init failed: %@", localError); + if(error){ + *error = localError; + } + } + return result; +} + +-(BOOL)insertLocalContextRecord:(NSDictionary*)attributes error:(NSError**)error +{ + BOOL result = NO; + + NSString* dsidAndContext = [NSString stringWithFormat:@"%@-%@", attributes[OTCKRecordContextID], attributes[OTCKRecordDSID]]; + result = [_pDB execute:@"insert into context (contextIDAndDSID, contextID, accountDSID, contextName, zoneCreated, subscribedToChanges, changeToken, egoPeerID, egoPeerCreationDate, recoverySigningSPKI, recoveryEncryptionSPKI) values (%@,%@,%@,%@,%@,%@,%@,%@,%@,%@,%@)", + dsidAndContext, attributes[OTCKRecordContextID], attributes[OTCKRecordDSID], attributes[OTCKRecordContextName], attributes[OTCKRecordZoneCreated], + attributes[OTCKRecordSubscribedToChanges], attributes[OTCKRecordChangeToken], + attributes[OTCKRecordEgoPeerID], attributes[OTCKRecordEgoPeerCreationDate], + [attributes[OTCKRecordRecoverySigningSPKI] base64EncodedStringWithOptions:0], [attributes[OTCKRecordRecoveryEncryptionSPKI] base64EncodedStringWithOptions:0]]; + + + if(_pDB.lastError){ + secerror("octagon: failed to insert local context: %@", _pDB.lastError); + if(error){ + *error = _pDB.lastError; + } + } + return result; +} + +-(BOOL)updateLocalContextRecordRowWithContextID:(NSString*)contextIDAndDSID columnName:(NSString*)columnName newValue:(void*)newValue error:(NSError**)error +{ + BOOL result = NO; + if([self isProposedColumnNameInTable:columnName tableName:contextTable]){ + result = [_pDB execute:@"update context set %@ = %@ where contextIDAndDSID == %@", + PQLName(columnName), newValue, PQLName(_contextID)]; + if(!result && error){ + secerror("octagon: error updating table: %@", _pDB.lastError); + *error = 
_pDB.lastError; + } + } + else{ + secerror("octagon: failed to update local context record: %@", _pDB.lastError); + + if(error != nil){ + *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorNoColumn userInfo:nil]; + } + } + return result; +} + +-(BOOL) deleteLocalContext:(NSString*)contextIDAndDSID error:(NSError**)error +{ + BOOL result = NO; + secnotice("octagon", "deleting local context: %@", contextIDAndDSID); + + result = [_pDB execute:@"delete from context where contextIDAndDSID == %@", + PQLName(contextIDAndDSID)]; + + if(!result){ + secerror("octagon: error updating table: %@", _pDB.lastError); + if(error){ + *error = _pDB.lastError; + } + } + return result; +} + +-(BOOL) deleteAllContexts:(NSError**)error +{ + BOOL result = NO; + secnotice("octagon", "deleting all local context"); + + result = [_pDB execute:@"delete from context"]; + + if(!result){ + secerror("octagon: error updating table: %@", _pDB.lastError); + if(error){ + *error = _pDB.lastError; + } + } + return result; +} + +///// +// Local Bottled Peer Record +///// + +- (BOOL) insertBottledPeerRecord:(OTBottledPeerRecord *)rec + escrowRecordID:(NSString *)escrowRecordID + error:(NSError**)error +{ + BOOL result; + + result = [_pDB execute:@"insert or replace into bp (bottledPeerRecordID, contextIDAndDSID, escrowRecordID, peerID, spID, bottle, escrowSigningSPKI, peerSigningSPKI, signatureUsingEscrow, signatureUsingPeerKey, encodedRecord, launched) values (%@,%@,%@,%@,%@,%@,%@,%@,%@,%@,%@,%@)", + rec.recordName, + [NSString stringWithFormat:@"%@-%@", self.contextID, self.dsid], + escrowRecordID, + rec.peerID, + rec.spID, + [rec.bottle base64EncodedStringWithOptions:0], + [rec.escrowedSigningSPKI base64EncodedStringWithOptions:0], + [rec.peerSigningSPKI base64EncodedStringWithOptions:0], + [rec.signatureUsingEscrowKey base64EncodedStringWithOptions:0], + [rec.signatureUsingPeerKey base64EncodedStringWithOptions:0], + [rec.encodedRecord base64EncodedStringWithOptions:0], + rec.launched]; 
+ + if (!result) { + secerror("octagon: error inserting bottled peer record: %@", _pDB.lastError); + if(error){ + *error = _pDB.lastError; + } + } + return result; +} + +-(BOOL) removeAllBottledPeerRecords:(NSError**)error +{ + BOOL result = NO; + + result = [_pDB execute:@"DELETE from bp WHERE contextIDAndDSID == %@;", [NSString stringWithFormat:@"%@-%@", self.contextID, self.dsid]]; + + if (!result) { + secerror("octagon: error removing bottled peer records: %@", _pDB.lastError); + if(error){ + *error = _pDB.lastError; + } + } + return result; +} + +-(BOOL) deleteBottledPeer:(NSString*) recordID + error:(NSError**)error +{ + BOOL result = NO; + + result = [_pDB execute:@"DELETE from bp WHERE contextIDAndDSID == %@ AND bottledPeerRecordID == %@;", [NSString stringWithFormat:@"%@-%@", self.contextID, self.dsid], recordID]; + + if (!result) { + secerror("octagon: error removing bottled peer record:%@, error: %@", recordID, _pDB.lastError); + if(error){ + *error = _pDB.lastError; + } + } + return result; +} + +-(BOOL) deleteBottledPeersForContextAndDSID:(NSString*) contextIDAndDSID + error:(NSError**)error +{ + BOOL result = NO; + + result = [_pDB execute:@"DELETE from bp WHERE contextIDAndDSID == %@;", contextIDAndDSID]; + + if (!result) { + secerror("octagon: error removing bottled peer record:%@, error: %@", contextIDAndDSID, _pDB.lastError); + if(error){ + *error = _pDB.lastError; + } + } + return result; +} + +- (nullable OTBottledPeerRecord *)readLocalBottledPeerRecordWithRecordID:(NSString *)recordID + error:(NSError**)error +{ + NSArray *selectArray; + + selectArray = selectDictionaries(_pDB, @"SELECT * from bp WHERE contextIDAndDSID == %@ AND bottledPeerRecordID == %@;", [NSString stringWithFormat:@"%@-%@", self.contextID, self.dsid], recordID); + if (!selectArray) { + if (error) { + secerror("octagon: failed to read local store entry for %@", recordID); + *error = self.pDB.lastError; + } + return nil; + } + if ([selectArray count] > 1) { + 
secerror("octagon: error multiple records exist in local store for %@", recordID); + if(error){ + *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorOTLocalStore userInfo:@{NSLocalizedDescriptionKey: @"error multiple records exist in local store"}]; + } + return nil; + } + else if([selectArray count] == 0){ + secerror("octagon: record does not exist: %@", recordID); + return nil; + } + NSDictionary *attributes = [selectArray objectAtIndex:0]; + + OTBottledPeerRecord *rec = [[OTBottledPeerRecord alloc] init]; + rec.escrowRecordID = attributes[OTCKRecordEscrowRecordID]; + rec.peerID = attributes[OTCKRecordPeerID]; + rec.spID = attributes[OTCKRecordSPID]; + rec.bottle = dataFromBase64(attributes[OTCKRecordBottle]); + rec.escrowedSigningSPKI = dataFromBase64(attributes[OTCKRecordEscrowSigningSPKI]); + rec.peerSigningSPKI = dataFromBase64(attributes[OTCKRecordPeerSigningSPKI]); + rec.signatureUsingEscrowKey = dataFromBase64(attributes[OTCKRecordSignatureFromEscrow]); + rec.signatureUsingPeerKey = dataFromBase64(attributes[OTCKRecordSignatureFromPeerKey]); + rec.encodedRecord = dataFromBase64(attributes[OTCKRecordEncodedRecord]); + rec.launched = attributes[OTCKRecordLaunched]; + return rec; +} + +- (NSMutableArray*) convertResultsToBottles:(NSArray*) selectArray +{ + NSMutableArray *arrayOfBottleRecords = [NSMutableArray array]; + for(NSDictionary* bottle in selectArray){ + OTBottledPeerRecord *rec = [[OTBottledPeerRecord alloc] init]; + rec.escrowRecordID = bottle[OTCKRecordEscrowRecordID]; + rec.peerID = bottle[OTCKRecordPeerID]; + rec.spID = bottle[OTCKRecordSPID]; + rec.bottle = dataFromBase64(bottle[OTCKRecordBottle]); + rec.escrowedSigningSPKI = dataFromBase64(bottle[OTCKRecordEscrowSigningSPKI]); + rec.peerSigningSPKI = dataFromBase64(bottle[OTCKRecordPeerSigningSPKI]); + rec.signatureUsingEscrowKey = dataFromBase64(bottle[OTCKRecordSignatureFromEscrow]); + rec.signatureUsingPeerKey = dataFromBase64(bottle[OTCKRecordSignatureFromPeerKey]); + 
rec.encodedRecord = dataFromBase64(bottle[OTCKRecordEncodedRecord]); + rec.launched = bottle[OTCKRecordLaunched]; + + [arrayOfBottleRecords addObject:rec]; + } + return arrayOfBottleRecords; +} + +- (nullable NSArray*) readAllLocalBottledPeerRecords:(NSError**)error +{ + NSArray *selectArray; + + selectArray = selectDictionaries(_pDB, @"SELECT * from bp where contextIDAndDSID == %@;", [NSString stringWithFormat:@"%@-%@", self.contextID, self.dsid]); + if (!selectArray) { + if (error) { + secerror("octagon: failed to read local store entries"); + *error = self.pDB.lastError; + } + return nil; + } + if ([selectArray count] == 0) { + secerror("octagon: there are no bottled peer entries in local store"); + if(error){ + *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorOTLocalStore userInfo:@{NSLocalizedDescriptionKey: @"there are no bottled peer entries in local store"}]; + } + return nil; + } + + return [self convertResultsToBottles:selectArray]; +} + +- (nullable NSArray*) readLocalBottledPeerRecordsWithMatchingPeerID:(NSString*)peerID error:(NSError**)error +{ + NSArray *selectArray; + + selectArray = selectDictionaries(_pDB, @"SELECT * from bp where spID == %@;", peerID); + if (!selectArray) { + if (error) { + secerror("octagon: failed to read local store entries"); + *error = self.pDB.lastError; + } + return nil; + } + if ([selectArray count] == 0) { + secerror("octagon: there are no bottled peer entries in local store"); + if(error){ + *error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorOTLocalStore userInfo:@{NSLocalizedDescriptionKey: @"there are no bottled peer entries in local store"}]; + } + return nil; + } + + return [self convertResultsToBottles:selectArray]; +} + +static NSData * _Nullable dataFromBase64(NSString * _Nullable base64) +{ + if (base64 && [base64 length] > 0) { + return [[NSData alloc] initWithBase64EncodedString:base64 options:0]; + } + return nil; +} + +@end +#endif 
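Review bot: `updateLocalContextRecordRowWithContextID:` never uses its `contextIDAndDSID` argument; the WHERE clause is built from `PQLName(_contextID)`, while `insertLocalContextRecord:` stores rows under the key `contextID-dsid`, so the update is unlikely to match the intended row. The same statement uses `PQLName` for the column name, which suggests it marks an identifier rather than a bound value; `readLocalContextRecordForContextIDAndDSID:` and `deleteLocalContext:` wrap their key the same way, unlike the `bp` queries that pass the value straight to `%@`, so this is worth confirming against the PQL API. I would bind the key directly: `result = [_pDB execute:@"update context set %@ = %@ where contextIDAndDSID == %@", PQLName(columnName), newValue, contextIDAndDSID];`. Separately, `record.zoneCreated = (BOOL)attributes[OTCKRecordZoneCreated];` casts the object pointer instead of reading the stored flag; `[attributes[OTCKRecordZoneCreated] boolValue]` reads the value, and the same applies to `subscribedToChanges`.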
diff --git a/keychain/trust/TrustedPeersTests/TPDummySigningKey.h b/keychain/ot/OTManager.h similarity index 55% rename from keychain/trust/TrustedPeersTests/TPDummySigningKey.h rename to keychain/ot/OTManager.h index f6b4211f..5c3aba0d 100644 --- a/keychain/trust/TrustedPeersTests/TPDummySigningKey.h +++ b/keychain/ot/OTManager.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * Copyright (c) 2016 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -21,34 +21,36 @@ * @APPLE_LICENSE_HEADER_END@ */ + #import -#import +#if OCTAGON +#import "keychain/ot/OTManager.h" +#import "keychain/ot/OTContext.h" +#import "keychain/ot/OTControlProtocol.h" +#include NS_ASSUME_NONNULL_BEGIN -/*! - A dummy implementation of TPSigning for testing. - - It uses a very weak hash algorithm and no crypto, just enough for unit tests. - */ -@interface TPDummySigningKey : NSObject +@class OTContext; -/*! - Setting this to NO causes signatureForData to return nil with an error. - */ -@property (nonatomic, assign) BOOL privateKeyIsAvailable; +@interface OTManager : NSObject -- (instancetype)initWithPublicKeyData:(NSData *)publicKey; +@property (nonatomic, readonly) NSDate *lastPostedCoreFollowUp; -@end +-(instancetype)init; +-(instancetype) initWithContext:(OTContext* __nullable)context + localStore:(OTLocalStore* __nullable)localStore + enroll:(OTRamp*)enroll + restore:(OTRamp*)restore + cfu:(OTRamp*)cfu + cfuScheduler:(CKKSNearFutureScheduler*)cfuScheduler; -/*! - A factory that constructs TPDummySigningKey objects. - */ -@interface TPDummySigningKeyFactory : NSObject -+ (instancetype) dummySigningKeyFactory; ++ (instancetype _Nullable)manager; +-(BOOL)scheduledCloudKitRampCheck:(NSError**)error; @end - NS_ASSUME_NONNULL_END + +#endif // OCTAGON + diff --git a/keychain/ot/OTManager.m b/keychain/ot/OTManager.m new file mode 100644 index 00000000..cef912b2 --- /dev/null +++ b/keychain/ot/OTManager.m 
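Review bot: The new OTManager.h imports itself with `#import "keychain/ot/OTManager.h"`; `#import` tolerates this, but the line does nothing and can be dropped. `initWithContext:localStore:enroll:restore:cfu:cfuScheduler:` names `OTLocalStore`, `OTRamp` and `CKKSNearFutureScheduler`, yet only `OTContext` gets an `@class` forward declaration in this hunk, so the header presumably relies on OTContext.h pulling the others in. Adding `@class OTLocalStore, OTRamp, CKKSNearFutureScheduler;` next to `@class OTContext;` would make it self-contained.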
@@ -0,0 +1,888 @@ +/* + * Copyright (c) 2016 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +#import "SecEntitlements.h" +#import +#import + + +#if OCTAGON +#import "keychain/ot/OTControlProtocol.h" +#import "keychain/ot/OTControl.h" +#import "keychain/ot/OTContext.h" +#import "keychain/ot/OTManager.h" +#import "keychain/ot/OTDefines.h" +#import "keychain/ot/OTRamping.h" +#import "keychain/ot/SFPublicKey+SPKI.h" +#import "keychain/ot/OT.h" +#import "keychain/ot/OTConstants.h" + +#import "keychain/ckks/CloudKitCategories.h" +#import "keychain/ckks/CKKSAnalytics.h" +#import "keychain/ckks/CKKSNearFutureScheduler.h" +#import "keychain/ckks/CKKS.h" +#import "keychain/ckks/CKKSViewManager.h" +#import "keychain/ckks/CKKSLockStateTracker.h" + +#import +#import + +#import +#import + +#if TARGET_OS_IPHONE || TARGET_IPHONE_SIMULATOR +#import +#import +#import +#import +#import +#import +#else +#import +#import +#import +#import +#import +#import +#endif + +#import +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wdeprecated-declarations" +#import +#pragma 
clang diagnostic pop + +static NSString* const kOTRampForEnrollmentRecordName = @"metadata_rampstate_enroll"; +static NSString* const kOTRampForRestoreRecordName = @"metadata_rampstate_restore"; +static NSString* const kOTRampForCFURecordName = @"metadata_rampstate_cfu"; +static NSString* const kOTRampZoneName = @"metadata_zone"; +#define NUM_NSECS_IN_24_HRS (86400 * NSEC_PER_SEC) + +@interface OTManager () +@property NSXPCListener *listener; +@property (nonatomic, strong) OTContext* context; +@property (nonatomic, strong) OTLocalStore *localStore; +@property (nonatomic, strong) OTRamp *enrollRamp; +@property (nonatomic, strong) OTRamp *restoreRamp; +@property (nonatomic, strong) OTRamp *cfuRamp; +@property (nonatomic, strong) CKKSNearFutureScheduler *cfuScheduler; +@property (nonatomic, strong) NSDate *lastPostedCoreFollowUp; +@end + +@implementation OTManager + +-(instancetype)init +{ + OTLocalStore* localStore = nil; + OTContext* context = nil; + + NSString* dsid = [self askAccountsForDSID]; + if(dsid){ + localStore = [[OTLocalStore alloc]initWithContextID:OTDefaultContext dsid:dsid path:nil error:nil]; + context = [[OTContext alloc]initWithContextID:OTDefaultContext dsid:dsid localStore:self.localStore cloudStore:nil identityProvider:self error:nil]; + } + //initialize our scheduler + CKKSNearFutureScheduler *cfuScheduler = [[CKKSNearFutureScheduler alloc] initWithName:@"scheduling-cfu" initialDelay:NUM_NSECS_IN_24_HRS continuingDelay:NUM_NSECS_IN_24_HRS keepProcessAlive:true dependencyDescriptionCode:CKKSResultDescriptionNone block:^{ + secnotice("octagon", "running scheduled cfu block"); + NSError* error = nil; + [self scheduledCloudKitRampCheck:&error]; + }]; + + //initialize our ramp objects + [self initRamps]; + + return [self initWithContext:context + localStore:localStore + enroll:self.enrollRamp + restore:self.restoreRamp + cfu:self.cfuRamp + cfuScheduler:cfuScheduler]; +} + +-(instancetype) initWithContext:(OTContext*)context + 
localStore:(OTLocalStore*)localStore + enroll:(OTRamp*)enroll + restore:(OTRamp*)restore + cfu:(OTRamp*)cfu + cfuScheduler:(CKKSNearFutureScheduler*)cfuScheduler +{ + self = [super init]; + if(self){ + self.context = context; + self.localStore = localStore; + self.cfuRamp = cfu; + self.enrollRamp = enroll; + self.restoreRamp = restore; + self.cfuScheduler = cfuScheduler; + + secnotice("octagon", "otmanager init"); + } + return self; +} + +-(NSString*) askAccountsForDSID +{ + NSString *dsid = nil; + ACAccountStore *accountStore = [[ACAccountStore alloc] init]; + +#if TARGET_OS_IPHONE || TARGET_IPHONE_SIMULATOR + ACAccount *account = [accountStore aa_primaryAppleAccount]; + dsid = [account aa_personID]; +#else + ACAccount *primaryiCloudAccount = nil; + if ([accountStore respondsToSelector:@selector(icaPrimaryAppleAccount)]){ + primaryiCloudAccount = [accountStore icaPrimaryAppleAccount]; + } + dsid = [primaryiCloudAccount icaPersonID]; +#endif + return dsid; +} + ++ (instancetype _Nullable)manager { + static OTManager* manager = nil; + + if(!SecOTIsEnabled()) { + secerror("octagon: Attempt to fetch a manager while Octagon is disabled"); + return nil; + } + + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + manager = [[OTManager alloc]init]; + }); + + return manager; +} + + +-(BOOL) initRamps +{ + BOOL initResult = NO; + + CKContainer* container = [CKKSViewManager manager].container; + CKDatabase* database = [container privateCloudDatabase]; + CKRecordZoneID* zoneID = [[CKRecordZoneID alloc] initWithZoneName:kOTRampZoneName ownerName:CKCurrentUserDefaultName]; + + CKKSCKAccountStateTracker *accountTracker = [CKKSViewManager manager].accountTracker; + CKKSReachabilityTracker *reachabilityTracker = [CKKSViewManager manager].reachabilityTracker; + CKKSLockStateTracker *lockStateTracker = [CKKSViewManager manager].lockStateTracker; + + self.cfuRamp = [[OTRamp alloc]initWithRecordName:kOTRampForCFURecordName + featureName:@"cfu" + container:container + 
database:database + zoneID:zoneID + accountTracker:accountTracker + lockStateTracker:lockStateTracker + reachabilityTracker:reachabilityTracker + fetchRecordRecordsOperationClass:[CKFetchRecordsOperation class]]; + + self.enrollRamp = [[OTRamp alloc]initWithRecordName:kOTRampForEnrollmentRecordName + featureName:@"enroll" + container:container + database:database + zoneID:zoneID + accountTracker:accountTracker + lockStateTracker:lockStateTracker + reachabilityTracker:reachabilityTracker + fetchRecordRecordsOperationClass:[CKFetchRecordsOperation class]]; + + + self.restoreRamp = [[OTRamp alloc]initWithRecordName:kOTRampForRestoreRecordName + featureName:@"restore" + container:container + database:database + zoneID:zoneID + accountTracker:accountTracker + lockStateTracker:lockStateTracker + reachabilityTracker:reachabilityTracker + fetchRecordRecordsOperationClass:[CKFetchRecordsOperation class]]; + + if(self.cfuRamp && self.enrollRamp && self.restoreRamp){ + initResult = YES; + } + return initResult; +} + +-(BOOL) initializeManagerPropertiesForContext:(NSString*)dsid error:(NSError**)error +{ + CKKSAnalytics* logger = [CKKSAnalytics logger]; + NSError *localError = nil; + BOOL initialized = YES; + + if(dsid == nil){ + dsid = [self askAccountsForDSID]; + } + + //create local store + self.localStore = [[OTLocalStore alloc] initWithContextID:OTDefaultContext dsid:dsid path:nil error:&localError]; + if(!self.localStore){ + secerror("octagon: could not create localStore: %@", localError); + [logger logUnrecoverableError:localError forEvent:OctagonEventSignIn withAttributes:@{ + OctagonEventAttributeFailureReason : @"creating local store", + }]; + initialized = NO; + } + + //create context + self.context = [[OTContext alloc]initWithContextID:OTDefaultContext dsid:dsid localStore:self.localStore cloudStore:nil identityProvider:self error:&localError]; + if(!self.context){ + secerror("octagon: could not create context: %@", localError); + [logger 
logUnrecoverableError:localError forEvent:OctagonEventSignIn withAttributes:@{ + OctagonEventAttributeFailureReason : @"creating context", + }]; + self.localStore = nil; + initialized = NO; + } + + //just in case, init the ramp objects + [self initRamps]; + + if(localError && error){ + *error = localError; + } + return initialized; +} + +/* + * SPI routines + */ + +- (void)signIn:(NSString*)dsid reply:(void (^)(BOOL result, NSError * _Nullable signedInError))reply +{ + CKKSAnalytics* logger = [CKKSAnalytics logger]; + SFAnalyticsActivityTracker *tracker = [logger logSystemMetricsForActivityNamed:CKKSActivityOctagonSignIn withAction:nil]; + [tracker start]; + + NSError *error = nil; + if(![self initializeManagerPropertiesForContext:dsid error:&error]){ + [tracker cancel]; + reply(NO, error); + return; + } + + [tracker stop]; + [logger logSuccessForEventNamed:OctagonEventSignIn]; + + secnotice("octagon","created context and local store on manager for:%@", dsid); + + reply(YES, error); +} + +- (void)signOut:(void (^)(BOOL result, NSError * _Nullable signedOutError))reply +{ + CKKSAnalytics* logger = [CKKSAnalytics logger]; + + NSError* error = nil; + NSError *bottledPeerError = nil; + NSError *localContextError = nil; + + secnotice("octagon", "signing out of octagon trust: dsid: %@ contextID: %@", + self.context.dsid, + self.context.contextID); + + NSString* contextAndDSID = [NSString stringWithFormat:@"%@-%@", self.context.contextID, self.context.dsid]; + + //remove all locally stored context + BOOL result1 = [self.localStore deleteLocalContext:contextAndDSID error:&localContextError]; + if(!result1){ + secerror("octagon: could not delete local context: %@: %@", self.context.contextID, localContextError); + [logger logUnrecoverableError:localContextError forEvent:OctagonEventSignOut withAttributes:@{ + OctagonEventAttributeFailureReason : @"deleting local context", + }]; + error = localContextError; + } + + BOOL result2 = [self.localStore 
deleteBottledPeersForContextAndDSID:contextAndDSID error:&bottledPeerError]; + if(!result2){ + secerror("octagon: could not delete bottle peer records: %@: %@", self.context.contextID, bottledPeerError); + [logger logUnrecoverableError:bottledPeerError forEvent:OctagonEventSignOut withAttributes:@{ + OctagonEventAttributeFailureReason : @"deleting local bottled peers", + }]; + error = bottledPeerError; + } + + //free context & local store + self.context = nil; + self.localStore = nil; + + BOOL result = (result1 && result2); + if (result) { + [logger logSuccessForEventNamed:OctagonEventSignOut]; + } + + reply(result, error); +} +- (void)preflightBottledPeer:(NSString*)contextID + dsid:(NSString*)dsid + reply:(void (^)(NSData* _Nullable entropy, + NSString* _Nullable bottleID, + NSData* _Nullable signingPublicKey, + NSError* _Nullable error))reply +{ + secnotice("octagon", "preflightBottledPeer: %@ %@", contextID, dsid); + NSError* error = nil; + CKKSAnalytics* logger = [CKKSAnalytics logger]; + SFAnalyticsActivityTracker *tracker = [logger logSystemMetricsForActivityNamed:CKKSActivityOctagonPreflightBottle withAction:nil]; + + [tracker start]; + + if(!self.context || !self.localStore){ + if(![self initializeManagerPropertiesForContext:dsid error:&error]){ + secerror("octagon: could not init manager obejcts: %@", error); + reply(nil,nil,nil,error); + [tracker cancel]; + return; + } + } + + NSInteger retryDelayInSeconds = 0; + BOOL isFeatureOn = [self.enrollRamp checkRampState:&retryDelayInSeconds qos:NSQualityOfServiceUserInitiated error:&error]; + + //got an error from ramp check, we should log it + if(error){ + [logger logRecoverableError:error + forEvent:OctagonEventRamp + zoneName:kOTRampZoneName + withAttributes:@{ + OctagonEventAttributeFailureReason : @"ramp check for preflight bottle" + }]; + } + + if(!isFeatureOn){ //cloud kit has not asked us to come back and the feature is off for this device + secnotice("octagon", "bottled peers is not on"); + if(!error){ 
+ error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorFeatureNotEnabled userInfo:@{NSLocalizedDescriptionKey: @"Feature not enabled"}]; + } + reply(nil, nil, nil, error); + return; + } + + NSData* entropy = [self.context makeMeSomeEntropy:OTMasterSecretLength]; + if(!entropy){ + secerror("octagon: entropy creation failed: %@", error); + error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorEntropyCreationFailure userInfo:@{NSLocalizedDescriptionKey: @"Failed to create entropy"}]; + [logger logUnrecoverableError:error forEvent:OctagonEventPreflightBottle withAttributes:@{ + OctagonEventAttributeFailureReason : @"preflight bottle, entropy failure"} + ]; + [tracker stop]; + reply(nil, nil, nil, error); + return; + } + + OTPreflightInfo* result = [self.context preflightBottledPeer:contextID entropy:entropy error:&error]; + if(!result || error){ + secerror("octagon: preflight failed: %@", error); + [logger logUnrecoverableError:error forEvent:OctagonEventPreflightBottle withAttributes:@{ OctagonEventAttributeFailureReason : @"preflight bottle"}]; + reply(nil, nil, nil, error); + [tracker stop]; + return; + } + + [tracker stop]; + [logger logSuccessForEventNamed:OctagonEventPreflightBottle]; + + secnotice("octagon", "preflightBottledPeer completed, created: %@", result.bottleID); + + reply(entropy, result.bottleID, result.escrowedSigningSPKI, error); +} + +- (void)launchBottledPeer:(NSString*)contextID + bottleID:(NSString*)bottleID + reply:(void (^ _Nullable)(NSError* _Nullable error))reply +{ + secnotice("octagon", "launchBottledPeer"); + NSError* error = nil; + CKKSAnalytics* logger = [CKKSAnalytics logger]; + SFAnalyticsActivityTracker *tracker = [logger logSystemMetricsForActivityNamed:CKKSActivityOctagonLaunchBottle withAction:nil]; + + [tracker start]; + + if(!self.context || !self.localStore){ + if(![self initializeManagerPropertiesForContext:nil error:&error]){ + [tracker cancel]; + reply(error); + return; + } + } + + NSInteger 
retryDelayInSeconds = 0; + BOOL isFeatureOn = [self.enrollRamp checkRampState:&retryDelayInSeconds qos:NSQualityOfServiceUserInitiated error:&error]; + + //got an error from ramp check, we should log it + if(error){ + [logger logRecoverableError:error + forEvent:OctagonEventRamp + zoneName:kOTRampZoneName + withAttributes:@{ + OctagonEventAttributeFailureReason : @"ramp state check for launch bottle" + }]; + } + + if(!isFeatureOn){ + secnotice("octagon", "bottled peers is not on"); + if(!error){ + error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorFeatureNotEnabled userInfo:@{NSLocalizedDescriptionKey: @"Feature not enabled"}]; + } + reply(error); + return; + } + + OTBottledPeerRecord* bprecord = [self.localStore readLocalBottledPeerRecordWithRecordID:bottleID error:&error]; + if(!bprecord || error){ + secerror("octagon: could not retrieve record for: %@, error: %@", bottleID, error); + [logger logUnrecoverableError:error forEvent:OctagonEventLaunchBottle withAttributes:@{ + OctagonEventAttributeFailureReason : @"reading bottle from local store" + }]; + [tracker stop]; + reply(error); + return; + } + BOOL result = [self.context.cloudStore uploadBottledPeerRecord:bprecord escrowRecordID:bprecord.escrowRecordID error:&error]; + if(!result || error){ + secerror("octagon: could not upload record for bottleID %@, error: %@", bottleID, error); + [logger logUnrecoverableError:error forEvent:OctagonEventLaunchBottle withAttributes:@{ + OctagonEventAttributeFailureReason : @"upload bottle to cloud kit" + }]; + [tracker stop]; + reply(error); + return; + } + + [tracker stop]; + [logger logSuccessForEventNamed:OctagonEventLaunchBottle]; + + secnotice("octagon", "successfully launched: %@", bprecord.recordName); + + reply(error); +} + +- (void)restore:(NSString *)contextID dsid:(NSString *)dsid secret:(NSData*)secret escrowRecordID:(NSString*)escrowRecordID reply:(void (^)(NSData* signingKeyData, NSData* encryptionKeyData, NSError *))reply +{ + //check if 
configuration zone allows restore + NSError* error = nil; + CKKSAnalytics* logger = [CKKSAnalytics logger]; + SFAnalyticsActivityTracker *tracker = [logger logSystemMetricsForActivityNamed:CKKSActivityOctagonRestore withAction:nil]; + + [tracker start]; + + if(!self.context || !self.localStore){ + if(![self initializeManagerPropertiesForContext:dsid error:&error]){ + secerror("octagon: could not init manager obejcts: %@", error); + reply(nil,nil,error); + [tracker cancel]; + return; + } + } + + NSInteger retryDelayInSeconds = 0; + BOOL isFeatureOn = [self.restoreRamp checkRampState:&retryDelayInSeconds qos:NSQualityOfServiceUserInitiated error:&error]; + + //got an error from ramp check, we should log it + if(error){ + [logger logRecoverableError:error + forEvent:OctagonEventRamp + zoneName:kOTRampZoneName + withAttributes:@{ + OctagonEventAttributeFailureReason : @"checking ramp state for restore" + }]; + } + + if(!isFeatureOn){ + secnotice("octagon", "bottled peers is not on"); + if(!error){ + error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorFeatureNotEnabled userInfo:@{NSLocalizedDescriptionKey: @"Feature not enabled"}]; + } + [tracker stop]; + reply(nil, nil, error); + return; + } + + if(!escrowRecordID || [escrowRecordID length] == 0){ + secerror("octagon: missing escrowRecordID"); + error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorEmptyEscrowRecordID userInfo:@{NSLocalizedDescriptionKey: @"Escrow Record ID is empty or missing"}]; + + [logger logUnrecoverableError:error forEvent:OctagonEventRestoreBottle withAttributes:@{ + OctagonEventAttributeFailureReason : @"escrow record id missing", + }]; + + [tracker stop]; + reply(nil, nil, error); + return; + } + if(!dsid || [dsid length] == 0){ + secerror("octagon: missing dsid"); + error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorEmptyDSID userInfo:@{NSLocalizedDescriptionKey: @"DSID is empty or missing"}]; + + [logger logUnrecoverableError:error 
forEvent:OctagonEventRestoreBottle withAttributes:@{ + OctagonEventAttributeFailureReason : @"dsid missing", + }]; + [tracker stop]; + reply(nil, nil, error); + return; + } + if(!secret || [secret length] == 0){ + secerror("octagon: missing secret"); + error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorEmptySecret userInfo:@{NSLocalizedDescriptionKey: @"Secret is empty or missing"}]; + + + [logger logUnrecoverableError:error forEvent:OctagonEventRestoreBottle withAttributes:@{ + OctagonEventAttributeFailureReason : @"secret missing", + }]; + + [tracker stop]; + reply(nil, nil, error); + return; + } + + OTBottledPeerSigned *bps = [_context restoreFromEscrowRecordID:escrowRecordID secret:secret error:&error]; + if(!bps || error != nil){ + secerror("octagon: failed to restore bottled peer: %@", error); + + [logger logUnrecoverableError:error forEvent:OctagonEventRestoreBottle withAttributes:@{ + OctagonEventAttributeFailureReason : @"restore failed", + }]; + [tracker stop]; + reply(nil, nil, error); + return; + } + + NSData *encryptionKeyData = bps.bp.peerEncryptionKey.publicKey.keyData; // FIXME + if(!encryptionKeyData){ + secerror("octagon: restored octagon encryption key is nil: %@", error); + error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorRestoredPeerEncryptionKeyFailure userInfo:@{NSLocalizedDescriptionKey: @"Failed to retrieve restored Octagon Peer Encryption Key"}]; + + [logger logUnrecoverableError:error forEvent:OctagonEventRestoreBottle withAttributes:@{ + OctagonEventAttributeFailureReason : @"restored octagon encryption key" + }]; + [tracker stop]; + reply(nil,nil,error); + return; + } + + NSData *signingKeyData = bps.bp.peerSigningKey.publicKey.keyData; // FIXME + if(!signingKeyData){ + secerror("octagon: restored octagon signing key is nil: %@", error); + error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorRestoredPeerSigningKeyFailure userInfo:@{NSLocalizedDescriptionKey: @"Failed to retrieve restored Octagon 
Peer Signing Key"}]; + + [logger logUnrecoverableError:error forEvent:OctagonEventRestoreBottle withAttributes:@{ + OctagonEventAttributeFailureReason : @"restored octagon signing key" + }]; + [tracker stop]; + reply(nil,nil,error); + return; + } + [tracker stop]; + + [logger logSuccessForEventNamed:OctagonEventRestoreBottle]; + + secnotice("octagon", "restored bottled peer: %@", escrowRecordID); + + reply(signingKeyData, encryptionKeyData, error); +} + +- (void)scrubBottledPeer:(NSString*)contextID + bottleID:(NSString*)bottleID + reply:(void (^ _Nullable)(NSError* _Nullable error))reply +{ + NSError* error = nil; + + CKKSAnalytics* logger = [CKKSAnalytics logger]; + SFAnalyticsActivityTracker *tracker = [logger logSystemMetricsForActivityNamed:CKKSActivityScrubBottle withAction:nil]; + + if(!self.context || !self.localStore){ + if(![self initializeManagerPropertiesForContext:nil error:&error]){ + [tracker cancel]; + reply(error); + return; + } + } + [tracker start]; + + NSInteger retryDelayInSeconds = 0; + BOOL isFeatureOn = [self.enrollRamp checkRampState:&retryDelayInSeconds qos:NSQualityOfServiceUserInitiated error:&error]; + + //got an error from ramp check, we should log it + if(error){ + [logger logRecoverableError:error + forEvent:OctagonEventRamp + zoneName:kOTRampZoneName + withAttributes:@{ + OctagonEventAttributeFailureReason : @"ramp check for scrubbing bottled peer" + }]; + } + + if(!isFeatureOn){ + secnotice("octagon", "bottled peers is not on"); + if(!error){ + error = [NSError errorWithDomain:octagonErrorDomain code:OTErrorFeatureNotEnabled userInfo:@{NSLocalizedDescriptionKey: @"Feature not enabled"}]; + } + [tracker stop]; + reply(error); + return; + } + + BOOL result = [self.context scrubBottledPeer:contextID bottleID:bottleID error:&error]; + if(!result || error){ + secerror("octagon: could not scrub record for bottleID %@, error: %@", bottleID, error); + [logger logUnrecoverableError:error forEvent:OctagonEventScrubBottle withAttributes:@{ + 
OctagonEventAttributeFailureReason : @"could not scrub bottle", + }]; + [tracker stop]; + reply(error); + return; + } + [logger logSuccessForEventNamed:OctagonEventScrubBottle]; + + secnotice("octagon", "scrubbed bottled peer: %@", bottleID); + + reply(error); +} + +/* + * OTCTL tool routines + */ + +-(void) reset:(void (^)(BOOL result, NSError *))reply +{ + NSError* error = nil; + + if(self.context.lockStateTracker.isLocked){ + secnotice("octagon","device is locked! can't check ramp state"); + error = [NSError errorWithDomain:(__bridge NSString*)kSecErrorDomain + code:errSecInteractionNotAllowed + userInfo:@{NSLocalizedDescriptionKey: @"device is locked"}]; + + reply(NO,error); + return; + } + if(self.context.accountTracker.currentCKAccountInfo.accountStatus != CKAccountStatusAvailable){ + secnotice("octagon","not signed in! can't check ramp state"); + error = [NSError errorWithDomain:octagonErrorDomain + code:OTErrorNotSignedIn + userInfo:@{NSLocalizedDescriptionKey: @"not signed in"}]; + reply(NO,error); + return; + + } + if(!self.context.reachabilityTracker.currentReachability){ + secnotice("octagon","no network! 
can't check ramp state"); + error = [NSError errorWithDomain:octagonErrorDomain + code:OTErrorNoNetwork + userInfo:@{NSLocalizedDescriptionKey: @"no network"}]; + reply(NO,error); + return; + } + + NSError* bottledPeerError = nil; + + BOOL result = [_context.cloudStore performReset:&bottledPeerError]; + if(!result || bottledPeerError != nil){ + secerror("octagon: resetting octagon trust zone failed: %@", bottledPeerError); + } + + NSString* contextAndDSID = [NSString stringWithFormat:@"%@-%@", self.context.contextID, self.context.dsid]; + + result = [self.localStore deleteBottledPeersForContextAndDSID:contextAndDSID error:&bottledPeerError]; + if(!result){ + secerror("octagon: could not delete bottle peer records: %@: %@", self.context.contextID, bottledPeerError); + } + + reply(result, bottledPeerError); +} + +- (void)listOfEligibleBottledPeerRecords:(void (^)(NSArray* listOfRecords, NSError *))reply +{ + NSError* error = nil; + + if(self.context.lockStateTracker.isLocked){ + secnotice("octagon","device is locked! can't check ramp state"); + error = [NSError errorWithDomain:(__bridge NSString*)kSecErrorDomain + code:errSecInteractionNotAllowed + userInfo:@{NSLocalizedDescriptionKey: @"device is locked"}]; + + reply(nil,error); + return; + } + if(self.context.accountTracker.currentCKAccountInfo.accountStatus != CKAccountStatusAvailable){ + secnotice("octagon","not signed in! can't check ramp state"); + error = [NSError errorWithDomain:octagonErrorDomain + code:OTErrorNotSignedIn + userInfo:@{NSLocalizedDescriptionKey: @"not signed in"}]; + reply(nil,error); + return; + } + if(!self.context.reachabilityTracker.currentReachability){ + secnotice("octagon","no network! 
can't check ramp state"); + error = [NSError errorWithDomain:octagonErrorDomain + code:OTErrorNoNetwork + userInfo:@{NSLocalizedDescriptionKey: @"no network"}]; + reply(nil,error); + return; + } + + NSArray* list = [_context.cloudStore retrieveListOfEligibleEscrowRecordIDs:&error]; + if(!list || error !=nil){ + secerror("octagon: there are not eligible bottle peer records: %@", error); + reply(nil,error); + return; + } + reply(list, error); +} + +- (void)octagonEncryptionPublicKey:(void (^)(NSData* encryptionKey, NSError *))reply +{ + __block NSData *encryptionKey = NULL; + __block NSError* localError = nil; + + SOSCCPerformWithOctagonEncryptionPublicKey(^(SecKeyRef octagonPrivKey, CFErrorRef error) { + CFDataRef key; + SecKeyCopyPublicBytes(octagonPrivKey, &key); + encryptionKey = CFBridgingRelease(key); + if(error){ + localError = (__bridge NSError*)error; + } + }); + if(!encryptionKey || localError != nil){ + reply(nil, localError); + secerror("octagon: retrieving the octagon encryption public key failed: %@", localError); + return; + } + reply(encryptionKey, localError); +} + +-(void)octagonSigningPublicKey:(void (^)(NSData* encryptionKey, NSError *))reply +{ + __block NSData *signingKey = NULL; + __block NSError* localError = nil; + + SOSCCPerformWithOctagonSigningPublicKey(^(SecKeyRef octagonPrivKey, CFErrorRef error) { + CFDataRef key; + SecKeyCopyPublicBytes(octagonPrivKey, &key); + signingKey = CFBridgingRelease(key); + if(error){ + localError = (__bridge NSError*)error; + } + }); + if(!signingKey || localError != nil){ + reply(nil, localError); + secerror("octagon: retrieving the octagon signing public key failed: %@", localError); + return; + } + reply(signingKey, localError); +} + +/* + * OT Helpers + */ + +-(BOOL)scheduledCloudKitRampCheck:(NSError**)error +{ + secnotice("octagon", "scheduling a CloudKit ramping check"); + NSInteger retryAfterInSeconds = 0; + NSError* localError = nil; + BOOL cancelScheduler = YES; + + CKKSAnalytics* logger = 
[CKKSAnalytics logger]; + + if(self.cfuRamp){ + BOOL canCFU = [self.cfuRamp checkRampState:&retryAfterInSeconds qos:NSQualityOfServiceUserInitiated error:&localError]; + + if(localError){ + secerror("octagon: checking ramp state for CFU error'd: %@", localError); + [logger logUnrecoverableError:localError forEvent:OctagonEventRamp withAttributes:@{ + OctagonEventAttributeFailureReason : @"ramp check failed", + }]; + } + + if(canCFU){ + secnotice("octagon", "CFU is enabled, checking if this device has a bottle"); + OctagonBottleCheckState bottleStatus = [self.context doesThisDeviceHaveABottle:&localError]; + + if(bottleStatus == NOBOTTLE){ + //time to post a follow up! + secnotice("octagon", "device does not have a bottle, posting a follow up"); + if(!SecCKKSTestsEnabled()){ + [self.context postFollowUp]; + } + NSInteger timeDiff = -1; + + NSDate *currentDate = [NSDate date]; + if(self.lastPostedCoreFollowUp){ + timeDiff = [currentDate timeIntervalSinceDate:self.lastPostedCoreFollowUp]; + } + + //log how long we last posted a followup, if any + [logger logRecoverableError:localError + forEvent:OctagonEventCoreFollowUp + zoneName:kOTRampZoneName + withAttributes:@{ + OctagonEventAttributeFailureReason : @"No bottle for peer", + OctagonEventAttributeTimeSinceLastPostedFollowUp: [NSNumber numberWithInteger:timeDiff], + }]; + + self.lastPostedCoreFollowUp = currentDate; + //if the followup failed or succeeded, we should continue the scheduler until we have a bottle. 
+ cancelScheduler = NO; + }else if(bottleStatus == BOTTLE){ + secnotice("octagon", "device has a bottle"); + [logger logSuccessForEventNamed:OctagonEventBottleCheck]; + } + + if(localError){ + [logger logRecoverableError:localError + forEvent:OctagonEventBottleCheck + zoneName:kOTRampZoneName + withAttributes:@{ + OctagonEventAttributeFailureReason : @"bottle check", + }]; + } + } + } + if(cancelScheduler == NO){ + secnotice("octagon", "requesting bottle check again"); + [self.cfuScheduler trigger]; + } + + if(error && localError){ + *error = localError; + } + return cancelScheduler; +} + +-(void)scheduleCFUForFuture +{ + secnotice("octagon", "scheduling a query to cloudkit to see if this device can post a core follow up"); + + [self.cfuScheduler trigger]; +} + +- (nullable OTIdentity *) currentIdentity:(NSError**)error +{ + return [OTIdentity currentIdentityFromSOS:error]; +} + +@end + +#endif diff --git a/keychain/ot/OTPreflightInfo.h b/keychain/ot/OTPreflightInfo.h new file mode 100644 index 00000000..c39b0bf4 --- /dev/null +++ b/keychain/ot/OTPreflightInfo.h 
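Review bot: In `octagonEncryptionPublicKey:` and `octagonSigningPublicKey:` the callback block declares `CFDataRef key;` with no initial value, ignores the status returned by `SecKeyCopyPublicBytes`, and passes `key` to `CFBridgingRelease` unconditionally. If the copy fails, for instance when the callback is delivered an error and no key, an indeterminate pointer may be released; whether the callee writes `key` on failure is not visible here. Initialise and check instead: `CFDataRef key = NULL;` followed by `if(octagonPrivKey && SecKeyCopyPublicBytes(octagonPrivKey, &key) == errSecSuccess){ encryptionKey = CFBridgingRelease(key); }`, and the same with `signingKey` in the second method. Separately, `-init` builds the OTContext with `localStore:self.localStore`, but at that point only the local variable `localStore` has been assigned and `[super init]` has not run, so the context appears to be created with a nil store and `localStore:localStore` looks like what was meant.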
@@ -0,0 +1,40 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if OCTAGON + +#ifndef OTPreflightInfo_h +#define OTPreflightInfo_h + +#import + +@interface OTPreflightInfo : NSObject + +@property (nonatomic, strong) NSData* escrowedSigningSPKI; +@property (nonatomic, strong) NSString* bottleID; + +@end + + +#endif /* OTPreflightInfo_h */ +#endif /* OCTAGON */ diff --git a/keychain/ot/OTPreflightInfo.m b/keychain/ot/OTPreflightInfo.m new file mode 100644 index 00000000..539856d4 --- /dev/null +++ b/keychain/ot/OTPreflightInfo.m 
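Review bot: Both properties are declared `strong`, so a caller that assigns an `NSMutableData` or `NSMutableString` can change `escrowedSigningSPKI` or `bottleID` after the object has been handed on. Value-type properties are conventionally `copy`: `@property (nonatomic, copy) NSData* escrowedSigningSPKI;` and `@property (nonatomic, copy) NSString* bottleID;`. The interface also carries no nullability annotations, while OTManager.m forwards both values into a reply block whose parameters are `_Nullable`. Wrapping the interface in `NS_ASSUME_NONNULL_BEGIN`/`NS_ASSUME_NONNULL_END`, or marking the properties `nullable`, would state which contract is intended.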
@@ -0,0 +1,32 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if OCTAGON + +#import "OTPreflightInfo.h" + +@implementation OTPreflightInfo + +@end + +#endif diff --git a/keychain/trust/TrustedPeersTests/TPDummyEncrypter.h b/keychain/ot/OTPrivateKey+SF.h similarity index 85% rename from keychain/trust/TrustedPeersTests/TPDummyEncrypter.h rename to keychain/ot/OTPrivateKey+SF.h index a7d415cc..7b281409 100644 --- a/keychain/trust/TrustedPeersTests/TPDummyEncrypter.h +++ b/keychain/ot/OTPrivateKey+SF.h @@ -21,19 +21,22 @@ * @APPLE_LICENSE_HEADER_END@ */ +#if OCTAGON + #import +#import -#import +#import "OTPrivateKey.h" NS_ASSUME_NONNULL_BEGIN -/*! - Weakly "encrypts" data to be decrypted with TPDummyDecrypter. - */ -@interface TPDummyEncrypter : NSObject +@interface OTPrivateKey (SecurityFoundation) + ++ (instancetype)fromECKeyPair:(SFECKeyPair *)keyPair; -+ (instancetype)dummyEncrypterWithKey:(NSData *)key; +- (nullable SFECKeyPair *)asECKeyPair; @end NS_ASSUME_NONNULL_END +#endif 
diff --git a/keychain/ot/OTPrivateKey+SF.m b/keychain/ot/OTPrivateKey+SF.m new file mode 100644 index 00000000..f12ab72d --- /dev/null +++ b/keychain/ot/OTPrivateKey+SF.m @@ -0,0 +1,51 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if OCTAGON + +#import "OTPrivateKey+SF.h" + +#import "OTEscrowKeys.h" +#import + +@implementation OTPrivateKey (SecurityFoundation) + ++ (instancetype)fromECKeyPair:(SFECKeyPair *)keyPair +{ + OTPrivateKey *pk = [OTPrivateKey new]; + pk.keyType = OTPrivateKey_KeyType_EC_NIST_CURVES; + pk.keyData = keyPair.keyData; + return pk; +} + +- (nullable SFECKeyPair *)asECKeyPair +{ + if (self.keyType != OTPrivateKey_KeyType_EC_NIST_CURVES) { + return nil; + } + return [[SFECKeyPair alloc] initWithSecKey:[OTEscrowKeys createSecKey:self.keyData]]; +} + +@end + +#endif diff --git a/keychain/ot/OTRamping.h b/keychain/ot/OTRamping.h new file mode 100644 index 00000000..184ee8ac --- /dev/null +++ b/keychain/ot/OTRamping.h 
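Review bot: In OTPrivateKey+SF.m, `asECKeyPair` passes the result of `[OTEscrowKeys createSecKey:self.keyData]` straight to `initWithSecKey:` with no NULL check, and `keyData` is presumably the private key bytes decoded from a bottle's contents. `createSecKey:` is not shown in this hunk, so the rest is inferred from its name. If it can return NULL for malformed key bytes, the method should return nil, which its `nullable` return type already allows; if it follows the Create rule, the returned reference is never released. `SecKeyRef key = [OTEscrowKeys createSecKey:self.keyData]; if (key == NULL) { return nil; }`, with a `CFRelease(key)` after the init, would cover both cases once the ownership convention is confirmed.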
@@ -0,0 +1,59 @@ +/* + * Copyright (c) 2018 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#ifndef OTRamping_h +#define OTRamping_h +#if OCTAGON + +#import "keychain/ckks/CKKSNearFutureScheduler.h" +#import "keychain/ckks/CloudKitDependencies.h" +#import "keychain/ckks/CKKSLockStateTracker.h" +#import "keychain/ckks/CKKSCKAccountStateTracker.h" +#import "keychain/ckks/CKKSReachabilityTracker.h" + +NS_ASSUME_NONNULL_BEGIN + +@interface OTRamp : NSObject + +@property (nonatomic, readonly) NSString* featureName; +@property (nonatomic, readonly) CKKSCKAccountStateTracker *accountTracker; +@property (nonatomic, readonly) CKKSLockStateTracker *lockStateTracker; +@property (nonatomic, readonly) CKKSReachabilityTracker *reachabilityTracker; + +-(instancetype) initWithRecordName:(NSString *) recordName + featureName:(NSString*) featureName + container:(CKContainer*) container + database:(CKDatabase*) database + zoneID:(CKRecordZoneID*) zoneID + accountTracker:(CKKSCKAccountStateTracker*) accountTracker + lockStateTracker:(CKKSLockStateTracker*) lockStateTracker + 
reachabilityTracker:(CKKSReachabilityTracker*) reachabilityTracker + fetchRecordRecordsOperationClass:(Class) fetchRecordRecordsOperationClass; + +-(void) fetchRampRecord:(NSQualityOfService)qos + reply:(void (^)(BOOL featureAllowed, BOOL featurePromoted, BOOL featureVisible, NSInteger retryAfter, NSError *rampStateFetchError))recordRampStateFetchCompletionBlock; +-(BOOL) checkRampState:(NSInteger*)retryAfter qos:(NSQualityOfService)qos error:(NSError**)error; +@end +NS_ASSUME_NONNULL_END +#endif /* OCTAGON */ +#endif /* OTRamping_h */ diff --git a/keychain/ot/OTRamping.m b/keychain/ot/OTRamping.m new file mode 100644 index 00000000..73991155 --- /dev/null +++ b/keychain/ot/OTRamping.m 
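Review bot: In OTRamping.h the reply block of `fetchRampRecord:reply:` declares `NSError *rampStateFetchError` inside `NS_ASSUME_NONNULL_BEGIN`, which makes it nonnull, but the implementation in OTRamping.m passes CloudKit's `operationError` through unchanged when the record is found, and that value is nullable; the parameter should read `NSError * _Nullable rampStateFetchError`. The `retryAfter` out-parameter of `checkRampState:qos:error:` is also implicitly nonnull and is written without a guard in the implementation, so the header should either say so or declare it `NSInteger * _Nullable` and have the implementation check it. Neither method is documented; a comment on `checkRampState:` such as `// Blocks the calling thread until CloudKit replies or the wait times out; returns NO on any failure.` would state the contract callers depend on.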
@@ -0,0 +1,282 @@ +/* + * Copyright (c) 2018 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if OCTAGON + +#import +#import +#import +#import +#import +#import "OTRamping.h" +#import "keychain/ckks/CKKS.h" +#import "keychain/ckks/CKKSNearFutureScheduler.h" +#import "keychain/ckks/CKKSAnalytics.h" +#import "keychain/ot/OTDefines.h" + +static NSString* kFeatureAllowedKey = @"FeatureAllowed"; +static NSString* kFeaturePromotedKey = @"FeaturePromoted"; +static NSString* kFeatureVisibleKey = @"FeatureVisible"; +static NSString* kRetryAfterKey = @"RetryAfter"; +static NSString* kRampPriorityKey = @"RampPriority"; + +#define kCKRampManagerDefaultRetryTimeInSeconds 86400 + +#if OCTAGON +@interface OTRamp (lockstateTracker) +@end +#endif + +@interface OTRamp () +@property (nonatomic, strong) CKContainer *container; +@property (nonatomic, strong) CKDatabase *database; + +@property (nonatomic, strong) CKRecordZone *zone; +@property (nonatomic, strong) CKRecordZoneID *zoneID; + +@property (nonatomic, strong) NSString *recordName; +@property (nonatomic, strong) NSString 
*featureName; +@property (nonatomic, strong) CKRecordID *recordID; + +@property (nonatomic, strong) CKKSCKAccountStateTracker *accountTracker; +@property (nonatomic, strong) CKKSLockStateTracker *lockStateTracker; +@property (nonatomic, strong) CKKSReachabilityTracker *reachabilityTracker; + +@property CKKSAccountStatus accountStatus; + +@property (readonly) Class fetchRecordRecordsOperationClass; + +@end + +@implementation OTRamp + +-(instancetype) initWithRecordName:(NSString *) recordName + featureName:(NSString*) featureName + container:(CKContainer*) container + database:(CKDatabase*) database + zoneID:(CKRecordZoneID*) zoneID + accountTracker:(CKKSCKAccountStateTracker*) accountTracker + lockStateTracker:(CKKSLockStateTracker*) lockStateTracker + reachabilityTracker:(CKKSReachabilityTracker*) reachabilityTracker +fetchRecordRecordsOperationClass:(Class) fetchRecordRecordsOperationClass + +{ + self = [super init]; + if(self){ + _container = container; + _recordName = [recordName copy]; + _featureName = [featureName copy]; + _database = database; + _zoneID = zoneID; + _accountTracker = accountTracker; + _lockStateTracker = lockStateTracker; + _reachabilityTracker = reachabilityTracker; + _fetchRecordRecordsOperationClass = fetchRecordRecordsOperationClass; + } + return self; +} + +-(void) fetchRampRecord:(NSQualityOfService)qos reply:(void (^)(BOOL featureAllowed, BOOL featurePromoted, BOOL featureVisible, NSInteger retryAfter, NSError *rampStateFetchError))recordRampStateFetchCompletionBlock +{ + __weak __typeof(self) weakSelf = self; + + CKOperationConfiguration *opConfig = [[CKOperationConfiguration alloc] init]; + opConfig.allowsCellularAccess = YES; + opConfig.qualityOfService = qos; + + _recordID = [[CKRecordID alloc] initWithRecordName:_recordName zoneID:_zoneID]; + CKFetchRecordsOperation *operation = [[[self.fetchRecordRecordsOperationClass class] alloc] initWithRecordIDs:@[ _recordID]]; + + operation.desiredKeys = @[kFeatureAllowedKey, 
kFeaturePromotedKey, kFeatureVisibleKey, kRetryAfterKey]; + + operation.configuration = opConfig; + operation.fetchRecordsCompletionBlock = ^(NSDictionary * _Nullable recordsByRecordID, NSError * _Nullable operationError) { + __strong __typeof(weakSelf) strongSelf = weakSelf; + if(!strongSelf) { + secnotice("octagon", "received callback for released object"); + operationError = [NSError errorWithDomain:octagonErrorDomain code:OTErrorCKCallback userInfo:@{NSLocalizedDescriptionKey: @"Received callback for released object"}]; + recordRampStateFetchCompletionBlock(NO, NO, NO, kCKRampManagerDefaultRetryTimeInSeconds , operationError); + return; + } + + BOOL featureAllowed = NO; + BOOL featurePromoted = NO; + BOOL featureVisible = NO; + NSInteger retryAfter = kCKRampManagerDefaultRetryTimeInSeconds; + + secnotice("octagon", "Fetch operation records %@ fetchError %@", recordsByRecordID, operationError); + // There should only be only one record. + CKRecord *rampRecord = recordsByRecordID[strongSelf.recordID]; + + if (rampRecord) { + featureAllowed = [rampRecord[kFeatureAllowedKey] boolValue]; + featurePromoted = [rampRecord[kFeaturePromotedKey] boolValue]; + featureVisible = [rampRecord[kFeatureVisibleKey] boolValue]; + retryAfter = [rampRecord[kRetryAfterKey] integerValue]; + + secnotice("octagon", "Fetch ramp state - featureAllowed %@, featurePromoted: %@, featureVisible: %@, retryAfter: %ld", (featureAllowed ? @YES : @NO), (featurePromoted ? @YES : @NO), (featureVisible ? @YES : @NO), (long)retryAfter); + } else { + secerror("octagon: Couldn't find CKRecord for ramp. Defaulting to not ramped in"); + operationError = [NSError errorWithDomain:octagonErrorDomain code:OTErrorRecordNotFound userInfo:@{NSLocalizedDescriptionKey: @" Couldn't find CKRecord for ramp. 
Defaulting to not ramped in"}]; + } + recordRampStateFetchCompletionBlock(featureAllowed, featurePromoted, featureVisible, retryAfter, operationError); + }; + + [self.database addOperation: operation]; + secnotice("octagon", "Attempting to fetch ramp state from CloudKit"); +} + +-(BOOL) checkRampState:(NSInteger*)retryAfter qos:(NSQualityOfService)qos error:(NSError**)error +{ + __block BOOL isFeatureEnabled = NO; + __block NSError* localError = nil; + __block NSInteger localRetryAfter = 0; + + if(self.lockStateTracker.isLocked){ + secnotice("octagon","device is locked! can't check ramp state"); + localError = [NSError errorWithDomain:(__bridge NSString*)kSecErrorDomain + code:errSecInteractionNotAllowed + userInfo:@{NSLocalizedDescriptionKey: @"device is locked"}]; + if(error){ + *error = localError; + } + return NO; + } + if(self.accountTracker.currentCKAccountInfo.accountStatus != CKAccountStatusAvailable){ + secnotice("octagon","not signed in! can't check ramp state"); + localError = [NSError errorWithDomain:octagonErrorDomain + code:OTErrorNotSignedIn + userInfo:@{NSLocalizedDescriptionKey: @"not signed in"}]; + if(error){ + *error = localError; + } + return NO; + } + if(!self.reachabilityTracker.currentReachability){ + secnotice("octagon","no network! can't check ramp state"); + localError = [NSError errorWithDomain:octagonErrorDomain + code:OTErrorNoNetwork + userInfo:@{NSLocalizedDescriptionKey: @"no network"}]; + if(error){ + *error = localError; + } + return NO; + } + + //defaults write to for whether or not a ramp record returns "enabled or disabled" + CFBooleanRef enabled = (CFBooleanRef)CFPreferencesCopyValue((__bridge CFStringRef)self.recordName, + CFSTR("com.apple.security"), + kCFPreferencesAnyUser, kCFPreferencesAnyHost); + if(enabled && CFGetTypeID(enabled) == CFBooleanGetTypeID()){ + BOOL localConfigEnable = (enabled == kCFBooleanTrue); + secnotice("octagon", "feature is %@: %@ (local config)", localConfigEnable ? 
@"enabled" : @"disabled", self.recordName); + CFReleaseNull(enabled); + return localConfigEnable; + } + CFReleaseNull(enabled); + + CKKSAnalytics* logger = [CKKSAnalytics logger]; + SFAnalyticsActivityTracker *tracker = [logger logSystemMetricsForActivityNamed:CKKSActivityOTFetchRampState withAction:nil]; + + dispatch_semaphore_t sema = dispatch_semaphore_create(0); + + [tracker start]; + + [self fetchRampRecord:qos reply:^(BOOL featureAllowed, BOOL featurePromoted, BOOL featureVisible, NSInteger retryAfter, NSError *rampStateFetchError) { + secnotice("octagon", "fetch ramp records returned with featureAllowed: %d,\n featurePromoted: %d,\n featureVisible: %d,\n", featureAllowed, featurePromoted, featureVisible); + + isFeatureEnabled = featureAllowed; + localRetryAfter = retryAfter; + if(rampStateFetchError){ + localError = rampStateFetchError; + } + dispatch_semaphore_signal(sema); + }]; + + long timeout = (SecCKKSTestsEnabled() ? 2*NSEC_PER_SEC : NSEC_PER_SEC * 65); + if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, timeout)) != 0) { + secnotice("octagon", "timed out waiting for response from CloudKit\n"); + localError = [NSError errorWithDomain:octagonErrorDomain code:OTErrorCKTimeOut userInfo:@{NSLocalizedDescriptionKey: @"Failed to deserialize bottle peer"}]; + + [logger logUnrecoverableError:localError forEvent:OctagonEventRamp withAttributes:@{ + OctagonEventAttributeFailureReason : @"cloud kit timed out"} + ]; + } + + [tracker stop]; + + if(localRetryAfter > 0){ + secnotice("octagon", "cloud kit asked security to retry: %ld", localRetryAfter); + *retryAfter = localRetryAfter; + } + + if(localError){ + secerror("octagon: had an error fetching ramp state: %@", localError); + [logger logUnrecoverableError:localError forEvent:OctagonEventRamp withAttributes:@{ + OctagonEventAttributeFailureReason : @"fetching ramp state"} + ]; + if(error){ + *error = localError; + } + } + if(isFeatureEnabled){ + [logger logSuccessForEventNamed:OctagonEventRamp]; 
+ } + + return isFeatureEnabled; + +} + +- (void)ckAccountStatusChange:(CKKSAccountStatus)oldStatus to:(CKKSAccountStatus)currentStatus { + secnotice("octagon", "%@ Received notification of CloudKit account status change, moving from %@ to %@", + self.zoneID.zoneName, + [CKKSCKAccountStateTracker stringFromAccountStatus: oldStatus], + [CKKSCKAccountStateTracker stringFromAccountStatus: currentStatus]); + + switch(currentStatus) { + case CKKSAccountStatusAvailable: { + secnotice("octagon", "Logged into iCloud."); + self.accountStatus = CKKSAccountStatusAvailable; + } + break; + + case CKKSAccountStatusNoAccount: { + secnotice("octagon", "Logging out of iCloud. Shutting down."); + self.accountStatus = CKKSAccountStatusNoAccount; + } + break; + + case CKKSAccountStatusUnknown: { + // We really don't expect to receive this as a notification, but, okay! + secnotice("octagon", "Account status has become undetermined. Pausing for %@", self.zoneID.zoneName); + self.accountStatus = CKKSAccountStatusNoAccount; + + } + break; + } +} + +@end +#endif + + diff --git a/keychain/ot/OctagonControlServer.h b/keychain/ot/OctagonControlServer.h new file mode 100644 index 00000000..35658dba --- /dev/null +++ b/keychain/ot/OctagonControlServer.h 
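Review bot: On the timeout path of `checkRampState:qos:error:` in OTRamping.m the reply block is still pending, so it can assign `isFeatureEnabled`, `localRetryAfter` and `localError` from the operation's callback thread while this method reads them after `dispatch_semaphore_wait` has returned non-zero. A late reply could then turn a timed-out check into `YES` or replace the timeout error, so the outcome should be fixed at the moment of timeout, for example with a `timedOut` flag that the reply block checks under the same lock or serial queue before writing. The timeout NSError also carries the description `@"Failed to deserialize bottle peer"`, which does not describe a CloudKit timeout, and the same error is reported twice because the later `if(localError)` branch calls `logUnrecoverableError:` again. In `fetchRampRecord:reply:`, a missing record overwrites `operationError` with `OTErrorRecordNotFound`, which discards the underlying CloudKit failure; carrying it under `NSUnderlyingErrorKey` would keep it available for diagnosis.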
@@ -0,0 +1,30 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#define kSecuritydOctagonServiceName "com.apple.security.octagon" + +__BEGIN_DECLS + +void OctagonControlServerInitialize(void); + +__END_DECLS diff --git a/keychain/ot/OctagonControlServer.m b/keychain/ot/OctagonControlServer.m new file mode 100644 index 00000000..a1fdf15a --- /dev/null +++ b/keychain/ot/OctagonControlServer.m 
@@ -0,0 +1,84 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import +#import + +#import +#import "SecEntitlements.h" +#import "keychain/ot/OctagonControlServer.h" +#import "keychain/ot/OTManager.h" +#import "keychain/ot/OT.h" + +@interface OctagonControlServer : NSObject +@end + +@implementation OctagonControlServer + +- (BOOL)listener:(__unused NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection +{ +#if OCTAGON + NSNumber *num = [newConnection valueForEntitlement:kSecEntitlementPrivateOctagon]; + if (![num isKindOfClass:[NSNumber class]] || ![num boolValue]) { + secerror("octagon: Client pid: %d doesn't have entitlement: %@", + [newConnection processIdentifier], kSecEntitlementPrivateOctagon); + return NO; + } + // In the future, we should consider vending a proxy object that can return a nicer error. 
+ if (!SecOTIsEnabled()) { + secerror("Octagon: Client pid: %d attempted to use Octagon, but Octagon is not enabled.", + newConnection.processIdentifier); + return NO; + } + + secnotice("octagon", "received connection from client pid %d", [newConnection processIdentifier]); + newConnection.exportedInterface = OTSetupControlProtocol([NSXPCInterface interfaceWithProtocol:@protocol(OTControlProtocol)]); + newConnection.exportedObject = [OTManager manager]; + + [newConnection resume]; + + return YES; +#else // OCTAGON + secerror("octagon does not exist on this platform"); + return NO; +#endif // OCTAGON +} +@end + +void +OctagonControlServerInitialize(void) +{ + static dispatch_once_t once; + static OctagonControlServer *server; + static NSXPCListener *listener; + + dispatch_once(&once, ^{ + @autoreleasepool { + server = [OctagonControlServer new]; + + listener = [[NSXPCListener alloc] initWithMachServiceName:@(kSecuritydOctagonServiceName)]; + listener.delegate = server; + [listener resume]; + } + }); +} diff --git a/keychain/ot/SFECPublicKey+SPKI.m b/keychain/ot/SFECPublicKey+SPKI.m new file mode 100644 index 00000000..91531dc3 --- /dev/null +++ b/keychain/ot/SFECPublicKey+SPKI.m 
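Review bot: The two rejection paths in `listener:shouldAcceptNewConnection:` (OctagonControlServer.m) log under different prefixes, `octagon:` for the missing entitlement and `Octagon:` for the disabled feature, so a case-sensitive log filter on one misses the other. Changing the second message to start with `"octagon: Client pid: %d attempted to use Octagon, ..."` keeps all refused connections searchable together. The entitlement value is checked for both type and truthiness before anything is exported, which is the right order. A comment above that check, such as `// Sole authorization gate: any client holding this entitlement receives the object returned by [OTManager manager].`, would record that no further per-client checks are visible here.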
@@ -0,0 +1,53 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if OCTAGON + +#import "SFPublicKey+SPKI.h" + +#import +#import + +@implementation SFECPublicKey (OTSubjectPublicKeyInfo) + +- (NSData *)asSPKI +{ + NSDictionary *keyAttributes = @{ + (__bridge id)kSecAttrKeyClass : (__bridge id)kSecAttrKeyClassPublic, + (__bridge id)kSecAttrKeyType : (__bridge id)kSecAttrKeyTypeEC, + }; + SecKeyRef seckey = SecKeyCreateWithData((__bridge CFDataRef)self.keyData, (__bridge CFDictionaryRef)keyAttributes, NULL); + NSData *spki = CFBridgingRelease(SecKeyCopySubjectPublicKeyInfo(seckey)); + CFRelease(seckey); + return spki; +} + ++ (instancetype)fromSPKI:(NSData *)spki +{ + SecKeyRef seckey = SecKeyCreateFromSubjectPublicKeyInfoData(NULL, (__bridge CFDataRef)spki); + return [[SFECPublicKey alloc] initWithSecKey:seckey]; +} + +@end + +#endif 
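Review bot: Both methods in SFECPublicKey+SPKI.m use a `SecKeyRef` without checking it for NULL. In `asSPKI`, a failed `SecKeyCreateWithData` reaches `CFRelease(seckey)`, and releasing NULL crashes. In `fromSPKI:`, a malformed SPKI makes `SecKeyCreateFromSubjectPublicKeyInfoData` return NULL, which is then passed to `initWithSecKey:`. `fromSPKI:` also never releases the reference it created, which leaks one key per call if `initWithSecKey:` retains its argument (not visible here, so confirm). Returning nil on failure means the declarations in SFPublicKey+SPKI.h need `nullable`, since they sit inside `NS_ASSUME_NONNULL_BEGIN`.

```objective-c
- (NSData *)asSPKI
{
    // … unchanged: keyAttributes dictionary …
    SecKeyRef seckey = SecKeyCreateWithData((__bridge CFDataRef)self.keyData, (__bridge CFDictionaryRef)keyAttributes, NULL);
    if (seckey == NULL) {
        // keyData did not parse as an EC public key; CFRelease(NULL) would crash.
        return nil;
    }
    // … unchanged: SecKeyCopySubjectPublicKeyInfo, CFRelease, return …
}

+ (instancetype)fromSPKI:(NSData *)spki
{
    SecKeyRef seckey = SecKeyCreateFromSubjectPublicKeyInfoData(NULL, (__bridge CFDataRef)spki);
    if (seckey == NULL) {
        // Malformed or unsupported SPKI.
        return nil;
    }
    SFECPublicKey *key = [[SFECPublicKey alloc] initWithSecKey:seckey];
    // Balances the Create above; assumes initWithSecKey: retains its argument (confirm).
    CFRelease(seckey);
    return key;
}
```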
diff --git a/keychain/trust/TrustedPeers/TPEncrypter.h b/keychain/ot/SFPublicKey+SPKI.h similarity index 83% rename from keychain/trust/TrustedPeers/TPEncrypter.h rename to keychain/ot/SFPublicKey+SPKI.h index 48f2bea1..4d8218f3 100644 --- a/keychain/trust/TrustedPeers/TPEncrypter.h +++ b/keychain/ot/SFPublicKey+SPKI.h @@ -21,16 +21,18 @@ * @APPLE_LICENSE_HEADER_END@ */ -#import +#if OCTAGON -NS_ASSUME_NONNULL_BEGIN +#import -@protocol TPEncrypter +NS_ASSUME_NONNULL_BEGIN -@property (nonatomic, readonly) NSData *decryptionKey; +@interface SFPublicKey (OTSubjectPublicKeyInfo) -- (nullable NSData *)encryptData:(NSData *)plaintext error:(NSError **)error; +- (NSData *)asSPKI; ++ (instancetype)fromSPKI:(NSData *)spki; @end NS_ASSUME_NONNULL_END +#endif diff --git a/keychain/ot/proto/OTAuthenticatedCiphertext.proto b/keychain/ot/proto/OTAuthenticatedCiphertext.proto new file mode 100644 index 00000000..fdd0aabf --- /dev/null +++ b/keychain/ot/proto/OTAuthenticatedCiphertext.proto 
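Review bot: SFPublicKey+SPKI.h declares the `OTSubjectPublicKeyInfo` category on `SFPublicKey`, but the implementation added in SFECPublicKey+SPKI.m is `@implementation SFECPublicKey (OTSubjectPublicKeyInfo)`. As far as this patch shows, `asSPKI` and `fromSPKI:` therefore exist only for the EC subclass, and a call on any other `SFPublicKey` would compile and then fail at run time with an unrecognized selector. Either declare the category on `SFECPublicKey` or add a comment naming the subclasses that implement it. Both methods are also implicitly nonnull under `NS_ASSUME_NONNULL_BEGIN` although parsing key bytes can fail; `- (nullable NSData *)asSPKI;` and `+ (nullable instancetype)fromSPKI:(NSData *)spki;` would let callers handle a rejected key.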
@@ -0,0 +1,35 @@ +/* +* Copyright (c) 2017 Apple Inc. All Rights Reserved. +* +* @APPLE_LICENSE_HEADER_START@ +* +* This file contains Original Code and/or Modifications of Original Code +* as defined in and that are subject to the Apple Public Source License +* Version 2.0 (the 'License'). You may not use this file except in +* compliance with the License. Please obtain a copy of the License at +* http://www.opensource.apple.com/apsl/ and read it before using this +* file. +* +* The Original Code and all software distributed under the License are +* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER +* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, +* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, +* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. +* Please see the License for the specific language governing rights and +* limitations under the License. +* +* @APPLE_LICENSE_HEADER_END@ +*/ + +syntax = "proto2"; + +option objc_class_naming = "extended"; +option objc_class_visibility = "hidden"; + +package OT; + +message AuthenticatedCiphertext { + required bytes ciphertext = 1; + required bytes authenticationCode = 2; + required bytes initializationVector = 3; +} diff --git a/keychain/trust/TrustedPeers/TPCategoryRule.m b/keychain/ot/proto/OTBottle.proto similarity index 50% rename from keychain/trust/TrustedPeers/TPCategoryRule.m rename to keychain/ot/proto/OTBottle.proto index 410f1eb9..bbcc0e97 100644 --- a/keychain/trust/TrustedPeers/TPCategoryRule.m +++ b/keychain/ot/proto/OTBottle.proto 
@@ -21,52 +21,35 @@ * @APPLE_LICENSE_HEADER_END@ */ -#import "TPCategoryRule.h" +syntax = "proto2"; +option objc_class_naming = "extended"; +option objc_class_visibility = "hidden"; -@interface TPCategoryRule () +package OT; -@property (nonatomic, copy) NSString *prefix; -@property (nonatomic, copy) NSString *category; +import "OTAuthenticatedCiphertext.proto"; -@end +message Bottle { + optional string peerID = 1; + optional string spID = 2; + // Tags 3, 4, 5 and 6 were briefly used during development for the raw public key data, with nothing to specify the key type. + // They are replaced with the following, encoded as SubjectPublicKeyInfo: + optional bytes reserved3 = 3; + optional bytes reserved4 = 4; + optional bytes reserved5 = 5; + optional bytes reserved6 = 6; -@implementation TPCategoryRule + // as SubjectPublicKeyInfo (SPKI): + optional bytes escrowedSigningSPKI = 8; + optional bytes escrowedEncryptionSPKI = 9; + optional bytes peerSigningSPKI = 10; + optional bytes peerEncryptionSPKI = 11; -+ (instancetype)ruleWithPrefix:(NSString *)prefix category:(NSString *)category -{ - TPCategoryRule *rule = [[TPCategoryRule alloc] init]; - rule.prefix = prefix; - rule.category = category; - return rule; -} - -- (BOOL)isEqualToCategoryRule:(TPCategoryRule *)other -{ - if (other == self) { - return YES; - } - return [self.prefix isEqualToString:other.prefix] - && [self.category isEqualToString:other.category]; -} - -#pragma mark - NSObject - -- (BOOL)isEqual:(id)object -{ - if (self == object) { - return YES; - } - if (![object isKindOfClass:[TPCategoryRule class]]) { - return NO; - } - return [self isEqualToCategoryRule:object]; -} + // Tag 7 was briefly used during development for contents encoded with NSKeyedArchiver. + optional bytes reserved7 = 7; -- (NSUInteger)hash -{ - return [self.prefix hash] ^ [self.category hash]; + optional AuthenticatedCiphertext contents = 12; } -@end 
diff --git a/keychain/trust/TrustedPeersTests/TPUtilsTests.m b/keychain/ot/proto/OTBottleContents.proto similarity index 68% rename from keychain/trust/TrustedPeersTests/TPUtilsTests.m rename to keychain/ot/proto/OTBottleContents.proto index 0376bfbf..541e8ddf 100644 --- a/keychain/trust/TrustedPeersTests/TPUtilsTests.m +++ b/keychain/ot/proto/OTBottleContents.proto @@ -21,19 +21,20 @@ * @APPLE_LICENSE_HEADER_END@ */ -#import -#import +syntax = "proto2"; -@interface TPUtilsTests : XCTestCase +option objc_class_naming = "extended"; +option objc_class_visibility = "hidden"; -@end +package OT; -@implementation TPUtilsTests +import "OTPrivateKey.proto"; -- (void)testErrorHandling { - XCTAssertThrows([TPUtils serializedPListWithDictionary:@{ - @"foo": [NSSet setWithObject:@"bar"] - }]); -} +message BottleContents { + // tags 1 and 2 were briefly used during development for the raw private key data, with nothing to specify the key type. + optional bytes reserved1 = 1; + optional bytes reserved2 = 2; -@end + optional PrivateKey peerSigningPrivKey = 3; + optional PrivateKey peerEncryptionPrivKey = 4; +} diff --git a/keychain/ot/proto/OTPrivateKey.proto b/keychain/ot/proto/OTPrivateKey.proto new file mode 100644 index 00000000..bcb80a6c --- /dev/null +++ b/keychain/ot/proto/OTPrivateKey.proto 
@@ -0,0 +1,38 @@ +/* +* Copyright (c) 2017 Apple Inc. All Rights Reserved. +* +* @APPLE_LICENSE_HEADER_START@ +* +* This file contains Original Code and/or Modifications of Original Code +* as defined in and that are subject to the Apple Public Source License +* Version 2.0 (the 'License'). You may not use this file except in +* compliance with the License. Please obtain a copy of the License at +* http://www.opensource.apple.com/apsl/ and read it before using this +* file. +* +* The Original Code and all software distributed under the License are +* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER +* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, +* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, +* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. +* Please see the License for the specific language governing rights and +* limitations under the License. +* +* @APPLE_LICENSE_HEADER_END@ +*/ + +syntax = "proto2"; + +option objc_class_naming = "extended"; +option objc_class_visibility = "hidden"; + +package OT; + +message PrivateKey { + enum KeyType { + EC_NIST_CURVES = 1; // kSecAttrKeyTypeEC + } + + required KeyType keyType = 1; + required bytes keyData = 2; +} diff --git a/keychain/ot/proto/source/OTAuthenticatedCiphertext.h b/keychain/ot/proto/source/OTAuthenticatedCiphertext.h new file mode 100644 index 00000000..bd0b0acd --- /dev/null +++ b/keychain/ot/proto/source/OTAuthenticatedCiphertext.h 
@@ -0,0 +1,41 @@ +// This file was automatically generated by protocompiler +// DO NOT EDIT! +// Compiled from OTAuthenticatedCiphertext.proto + +#import +#import + +#ifdef __cplusplus +#define OTAUTHENTICATEDCIPHERTEXT_FUNCTION extern "C" __attribute__((visibility("hidden"))) +#else +#define OTAUTHENTICATEDCIPHERTEXT_FUNCTION extern __attribute__((visibility("hidden"))) +#endif + +__attribute__((visibility("hidden"))) +@interface OTAuthenticatedCiphertext : PBCodable +{ + NSData *_authenticationCode; + NSData *_ciphertext; + NSData *_initializationVector; +} + + +@property (nonatomic, retain) NSData *ciphertext; + +@property (nonatomic, retain) NSData *authenticationCode; + +@property (nonatomic, retain) NSData *initializationVector; + +// Performs a shallow copy into other +- (void)copyTo:(OTAuthenticatedCiphertext *)other; + +// Performs a deep merge from other into self +// If set in other, singular values in self are replaced in self +// Singular composite values are recursively merged +// Repeated values from other are appended to repeated values in self +- (void)mergeFrom:(OTAuthenticatedCiphertext *)other; + +OTAUTHENTICATEDCIPHERTEXT_FUNCTION BOOL OTAuthenticatedCiphertextReadFrom(__unsafe_unretained OTAuthenticatedCiphertext *self, __unsafe_unretained PBDataReader *reader); + +@end + diff --git a/keychain/ot/proto/source/OTAuthenticatedCiphertext.m b/keychain/ot/proto/source/OTAuthenticatedCiphertext.m new file mode 100644 index 00000000..050bcc18 --- /dev/null +++ b/keychain/ot/proto/source/OTAuthenticatedCiphertext.m 
@@ -0,0 +1,167 @@ +// This file was automatically generated by protocompiler +// DO NOT EDIT! +// Compiled from OTAuthenticatedCiphertext.proto + +#import "OTAuthenticatedCiphertext.h" +#import +#import +#import + +#if !__has_feature(objc_arc) +# error This generated file depends on ARC but it is not enabled; turn on ARC, or use 'objc_use_arc' option to generate non-ARC code. +#endif + +@implementation OTAuthenticatedCiphertext + +@synthesize ciphertext = _ciphertext; +@synthesize authenticationCode = _authenticationCode; +@synthesize initializationVector = _initializationVector; + +- (NSString *)description +{ + return [NSString stringWithFormat:@"%@ %@", [super description], [self dictionaryRepresentation]]; +} + +- (NSDictionary *)dictionaryRepresentation +{ + NSMutableDictionary *dict = [NSMutableDictionary dictionary]; + if (self->_ciphertext) + { + [dict setObject:self->_ciphertext forKey:@"ciphertext"]; + } + if (self->_authenticationCode) + { + [dict setObject:self->_authenticationCode forKey:@"authenticationCode"]; + } + if (self->_initializationVector) + { + [dict setObject:self->_initializationVector forKey:@"initializationVector"]; + } + return dict; +} + +BOOL OTAuthenticatedCiphertextReadFrom(__unsafe_unretained OTAuthenticatedCiphertext *self, __unsafe_unretained PBDataReader *reader) { + while (PBReaderHasMoreData(reader)) { + uint32_t tag = 0; + uint8_t aType = 0; + + PBReaderReadTag32AndType(reader, &tag, &aType); + + if (PBReaderHasError(reader)) + break; + + if (aType == TYPE_END_GROUP) { + break; + } + + switch (tag) { + + case 1 /* ciphertext */: + { + NSData *new_ciphertext = PBReaderReadData(reader); + self->_ciphertext = new_ciphertext; + } + break; + case 2 /* authenticationCode */: + { + NSData *new_authenticationCode = PBReaderReadData(reader); + self->_authenticationCode = new_authenticationCode; + } + break; + case 3 /* initializationVector */: + { + NSData *new_initializationVector = PBReaderReadData(reader); + 
self->_initializationVector = new_initializationVector; + } + break; + default: + if (!PBReaderSkipValueWithTag(reader, tag, aType)) + return NO; + break; + } + } + return !PBReaderHasError(reader); +} + +- (BOOL)readFrom:(PBDataReader *)reader +{ + return OTAuthenticatedCiphertextReadFrom(self, reader); +} +- (void)writeTo:(PBDataWriter *)writer +{ + /* ciphertext */ + { + assert(nil != self->_ciphertext); + PBDataWriterWriteDataField(writer, self->_ciphertext, 1); + } + /* authenticationCode */ + { + assert(nil != self->_authenticationCode); + PBDataWriterWriteDataField(writer, self->_authenticationCode, 2); + } + /* initializationVector */ + { + assert(nil != self->_initializationVector); + PBDataWriterWriteDataField(writer, self->_initializationVector, 3); + } +} + +- (void)copyTo:(OTAuthenticatedCiphertext *)other +{ + other.ciphertext = _ciphertext; + other.authenticationCode = _authenticationCode; + other.initializationVector = _initializationVector; +} + +- (id)copyWithZone:(NSZone *)zone +{ + OTAuthenticatedCiphertext *copy = [[[self class] allocWithZone:zone] init]; + copy->_ciphertext = [_ciphertext copyWithZone:zone]; + copy->_authenticationCode = [_authenticationCode copyWithZone:zone]; + copy->_initializationVector = [_initializationVector copyWithZone:zone]; + return copy; +} + +- (BOOL)isEqual:(id)object +{ + OTAuthenticatedCiphertext *other = (OTAuthenticatedCiphertext *)object; + return [other isMemberOfClass:[self class]] + && + ((!self->_ciphertext && !other->_ciphertext) || [self->_ciphertext isEqual:other->_ciphertext]) + && + ((!self->_authenticationCode && !other->_authenticationCode) || [self->_authenticationCode isEqual:other->_authenticationCode]) + && + ((!self->_initializationVector && !other->_initializationVector) || [self->_initializationVector isEqual:other->_initializationVector]) + ; +} + +- (NSUInteger)hash +{ + return 0 + ^ + [self->_ciphertext hash] + ^ + [self->_authenticationCode hash] + ^ + [self->_initializationVector hash] 
+ ; +} + +- (void)mergeFrom:(OTAuthenticatedCiphertext *)other +{ + if (other->_ciphertext) + { + [self setCiphertext:other->_ciphertext]; + } + if (other->_authenticationCode) + { + [self setAuthenticationCode:other->_authenticationCode]; + } + if (other->_initializationVector) + { + [self setInitializationVector:other->_initializationVector]; + } +} + +@end + diff --git a/keychain/ot/proto/source/OTBottle.h b/keychain/ot/proto/source/OTBottle.h new file mode 100644 index 00000000..e4eda9bd --- /dev/null +++ b/keychain/ot/proto/source/OTBottle.h 
@@ -0,0 +1,88 @@ +// This file was automatically generated by protocompiler +// DO NOT EDIT! +// Compiled from OTBottle.proto + +#import +#import + +@class OTAuthenticatedCiphertext; + +#ifdef __cplusplus +#define OTBOTTLE_FUNCTION extern "C" __attribute__((visibility("hidden"))) +#else +#define OTBOTTLE_FUNCTION extern __attribute__((visibility("hidden"))) +#endif + +__attribute__((visibility("hidden"))) +@interface OTBottle : PBCodable +{ + OTAuthenticatedCiphertext *_contents; + NSData *_escrowedEncryptionSPKI; + NSData *_escrowedSigningSPKI; + NSData *_peerEncryptionSPKI; + NSString *_peerID; + NSData *_peerSigningSPKI; + NSData *_reserved3; + NSData *_reserved4; + NSData *_reserved5; + NSData *_reserved6; + NSData *_reserved7; + NSString *_spID; +} + + +@property (nonatomic, readonly) BOOL hasPeerID; +@property (nonatomic, retain) NSString *peerID; + +@property (nonatomic, readonly) BOOL hasSpID; +@property (nonatomic, retain) NSString *spID; + +@property (nonatomic, readonly) BOOL hasReserved3; +/** + * Tags 3, 4, 5 and 6 were briefly used during development for the raw public key data, with nothing to specify the key type. 
+ * They are replaced with the following, encoded as SubjectPublicKeyInfo: + */ +@property (nonatomic, retain) NSData *reserved3; + +@property (nonatomic, readonly) BOOL hasReserved4; +@property (nonatomic, retain) NSData *reserved4; + +@property (nonatomic, readonly) BOOL hasReserved5; +@property (nonatomic, retain) NSData *reserved5; + +@property (nonatomic, readonly) BOOL hasReserved6; +@property (nonatomic, retain) NSData *reserved6; + +@property (nonatomic, readonly) BOOL hasEscrowedSigningSPKI; +/** as SubjectPublicKeyInfo (SPKI): */ +@property (nonatomic, retain) NSData *escrowedSigningSPKI; + +@property (nonatomic, readonly) BOOL hasEscrowedEncryptionSPKI; +@property (nonatomic, retain) NSData *escrowedEncryptionSPKI; + +@property (nonatomic, readonly) BOOL hasPeerSigningSPKI; +@property (nonatomic, retain) NSData *peerSigningSPKI; + +@property (nonatomic, readonly) BOOL hasPeerEncryptionSPKI; +@property (nonatomic, retain) NSData *peerEncryptionSPKI; + +@property (nonatomic, readonly) BOOL hasReserved7; +/** Tag 7 was briefly used during development for contents encoded with NSKeyedArchiver. */ +@property (nonatomic, retain) NSData *reserved7; + +@property (nonatomic, readonly) BOOL hasContents; +@property (nonatomic, retain) OTAuthenticatedCiphertext *contents; + +// Performs a shallow copy into other +- (void)copyTo:(OTBottle *)other; + +// Performs a deep merge from other into self +// If set in other, singular values in self are replaced in self +// Singular composite values are recursively merged +// Repeated values from other are appended to repeated values in self +- (void)mergeFrom:(OTBottle *)other; + +OTBOTTLE_FUNCTION BOOL OTBottleReadFrom(__unsafe_unretained OTBottle *self, __unsafe_unretained PBDataReader *reader); + +@end + diff --git a/keychain/ot/proto/source/OTBottle.m b/keychain/ot/proto/source/OTBottle.m new file mode 100644 index 00000000..0799e2ed --- /dev/null +++ b/keychain/ot/proto/source/OTBottle.m 
@@ -0,0 +1,527 @@ +// This file was automatically generated by protocompiler +// DO NOT EDIT! +// Compiled from OTBottle.proto + +#import "OTBottle.h" +#import +#import +#import + +#import "OTAuthenticatedCiphertext.h" + +#if !__has_feature(objc_arc) +# error This generated file depends on ARC but it is not enabled; turn on ARC, or use 'objc_use_arc' option to generate non-ARC code. +#endif + +@implementation OTBottle + +- (BOOL)hasPeerID +{ + return _peerID != nil; +} +@synthesize peerID = _peerID; +- (BOOL)hasSpID +{ + return _spID != nil; +} +@synthesize spID = _spID; +- (BOOL)hasReserved3 +{ + return _reserved3 != nil; +} +@synthesize reserved3 = _reserved3; +- (BOOL)hasReserved4 +{ + return _reserved4 != nil; +} +@synthesize reserved4 = _reserved4; +- (BOOL)hasReserved5 +{ + return _reserved5 != nil; +} +@synthesize reserved5 = _reserved5; +- (BOOL)hasReserved6 +{ + return _reserved6 != nil; +} +@synthesize reserved6 = _reserved6; +- (BOOL)hasEscrowedSigningSPKI +{ + return _escrowedSigningSPKI != nil; +} +@synthesize escrowedSigningSPKI = _escrowedSigningSPKI; +- (BOOL)hasEscrowedEncryptionSPKI +{ + return _escrowedEncryptionSPKI != nil; +} +@synthesize escrowedEncryptionSPKI = _escrowedEncryptionSPKI; +- (BOOL)hasPeerSigningSPKI +{ + return _peerSigningSPKI != nil; +} +@synthesize peerSigningSPKI = _peerSigningSPKI; +- (BOOL)hasPeerEncryptionSPKI +{ + return _peerEncryptionSPKI != nil; +} +@synthesize peerEncryptionSPKI = _peerEncryptionSPKI; +- (BOOL)hasReserved7 +{ + return _reserved7 != nil; +} +@synthesize reserved7 = _reserved7; +- (BOOL)hasContents +{ + return _contents != nil; +} +@synthesize contents = _contents; + +- (NSString *)description +{ + return [NSString stringWithFormat:@"%@ %@", [super description], [self dictionaryRepresentation]]; +} + +- (NSDictionary *)dictionaryRepresentation +{ + NSMutableDictionary *dict = [NSMutableDictionary dictionary]; + if (self->_peerID) + { + [dict setObject:self->_peerID forKey:@"peerID"]; + } + if 
(self->_spID) + { + [dict setObject:self->_spID forKey:@"spID"]; + } + if (self->_reserved3) + { + [dict setObject:self->_reserved3 forKey:@"reserved3"]; + } + if (self->_reserved4) + { + [dict setObject:self->_reserved4 forKey:@"reserved4"]; + } + if (self->_reserved5) + { + [dict setObject:self->_reserved5 forKey:@"reserved5"]; + } + if (self->_reserved6) + { + [dict setObject:self->_reserved6 forKey:@"reserved6"]; + } + if (self->_escrowedSigningSPKI) + { + [dict setObject:self->_escrowedSigningSPKI forKey:@"escrowedSigningSPKI"]; + } + if (self->_escrowedEncryptionSPKI) + { + [dict setObject:self->_escrowedEncryptionSPKI forKey:@"escrowedEncryptionSPKI"]; + } + if (self->_peerSigningSPKI) + { + [dict setObject:self->_peerSigningSPKI forKey:@"peerSigningSPKI"]; + } + if (self->_peerEncryptionSPKI) + { + [dict setObject:self->_peerEncryptionSPKI forKey:@"peerEncryptionSPKI"]; + } + if (self->_reserved7) + { + [dict setObject:self->_reserved7 forKey:@"reserved7"]; + } + if (self->_contents) + { + [dict setObject:[_contents dictionaryRepresentation] forKey:@"contents"]; + } + return dict; +} + +BOOL OTBottleReadFrom(__unsafe_unretained OTBottle *self, __unsafe_unretained PBDataReader *reader) { + while (PBReaderHasMoreData(reader)) { + uint32_t tag = 0; + uint8_t aType = 0; + + PBReaderReadTag32AndType(reader, &tag, &aType); + + if (PBReaderHasError(reader)) + break; + + if (aType == TYPE_END_GROUP) { + break; + } + + switch (tag) { + + case 1 /* peerID */: + { + NSString *new_peerID = PBReaderReadString(reader); + self->_peerID = new_peerID; + } + break; + case 2 /* spID */: + { + NSString *new_spID = PBReaderReadString(reader); + self->_spID = new_spID; + } + break; + case 3 /* reserved3 */: + { + NSData *new_reserved3 = PBReaderReadData(reader); + self->_reserved3 = new_reserved3; + } + break; + case 4 /* reserved4 */: + { + NSData *new_reserved4 = PBReaderReadData(reader); + self->_reserved4 = new_reserved4; + } + break; + case 5 /* reserved5 */: + { + NSData 
*new_reserved5 = PBReaderReadData(reader); + self->_reserved5 = new_reserved5; + } + break; + case 6 /* reserved6 */: + { + NSData *new_reserved6 = PBReaderReadData(reader); + self->_reserved6 = new_reserved6; + } + break; + case 7 /* reserved7 */: + { + NSData *new_reserved7 = PBReaderReadData(reader); + self->_reserved7 = new_reserved7; + } + break; + case 8 /* escrowedSigningSPKI */: + { + NSData *new_escrowedSigningSPKI = PBReaderReadData(reader); + self->_escrowedSigningSPKI = new_escrowedSigningSPKI; + } + break; + case 9 /* escrowedEncryptionSPKI */: + { + NSData *new_escrowedEncryptionSPKI = PBReaderReadData(reader); + self->_escrowedEncryptionSPKI = new_escrowedEncryptionSPKI; + } + break; + case 10 /* peerSigningSPKI */: + { + NSData *new_peerSigningSPKI = PBReaderReadData(reader); + self->_peerSigningSPKI = new_peerSigningSPKI; + } + break; + case 11 /* peerEncryptionSPKI */: + { + NSData *new_peerEncryptionSPKI = PBReaderReadData(reader); + self->_peerEncryptionSPKI = new_peerEncryptionSPKI; + } + break; + case 12 /* contents */: + { + OTAuthenticatedCiphertext *new_contents = [[OTAuthenticatedCiphertext alloc] init]; + self->_contents = new_contents; + PBDataReaderMark mark_contents; + BOOL markError = !PBReaderPlaceMark(reader, &mark_contents); + if (markError) + { + return NO; + } + BOOL inError = !OTAuthenticatedCiphertextReadFrom(new_contents, reader); + if (inError) + { + return NO; + } + PBReaderRecallMark(reader, &mark_contents); + } + break; + default: + if (!PBReaderSkipValueWithTag(reader, tag, aType)) + return NO; + break; + } + } + return !PBReaderHasError(reader); +} + +- (BOOL)readFrom:(PBDataReader *)reader +{ + return OTBottleReadFrom(self, reader); +} +- (void)writeTo:(PBDataWriter *)writer +{ + /* peerID */ + { + if (self->_peerID) + { + PBDataWriterWriteStringField(writer, self->_peerID, 1); + } + } + /* spID */ + { + if (self->_spID) + { + PBDataWriterWriteStringField(writer, self->_spID, 2); + } + } + /* reserved3 */ + { + if 
(self->_reserved3) + { + PBDataWriterWriteDataField(writer, self->_reserved3, 3); + } + } + /* reserved4 */ + { + if (self->_reserved4) + { + PBDataWriterWriteDataField(writer, self->_reserved4, 4); + } + } + /* reserved5 */ + { + if (self->_reserved5) + { + PBDataWriterWriteDataField(writer, self->_reserved5, 5); + } + } + /* reserved6 */ + { + if (self->_reserved6) + { + PBDataWriterWriteDataField(writer, self->_reserved6, 6); + } + } + /* reserved7 */ + { + if (self->_reserved7) + { + PBDataWriterWriteDataField(writer, self->_reserved7, 7); + } + } + /* escrowedSigningSPKI */ + { + if (self->_escrowedSigningSPKI) + { + PBDataWriterWriteDataField(writer, self->_escrowedSigningSPKI, 8); + } + } + /* escrowedEncryptionSPKI */ + { + if (self->_escrowedEncryptionSPKI) + { + PBDataWriterWriteDataField(writer, self->_escrowedEncryptionSPKI, 9); + } + } + /* peerSigningSPKI */ + { + if (self->_peerSigningSPKI) + { + PBDataWriterWriteDataField(writer, self->_peerSigningSPKI, 10); + } + } + /* peerEncryptionSPKI */ + { + if (self->_peerEncryptionSPKI) + { + PBDataWriterWriteDataField(writer, self->_peerEncryptionSPKI, 11); + } + } + /* contents */ + { + if (self->_contents != nil) + { + PBDataWriterWriteSubmessage(writer, self->_contents, 12); + } + } +} + +- (void)copyTo:(OTBottle *)other +{ + if (_peerID) + { + other.peerID = _peerID; + } + if (_spID) + { + other.spID = _spID; + } + if (_reserved3) + { + other.reserved3 = _reserved3; + } + if (_reserved4) + { + other.reserved4 = _reserved4; + } + if (_reserved5) + { + other.reserved5 = _reserved5; + } + if (_reserved6) + { + other.reserved6 = _reserved6; + } + if (_reserved7) + { + other.reserved7 = _reserved7; + } + if (_escrowedSigningSPKI) + { + other.escrowedSigningSPKI = _escrowedSigningSPKI; + } + if (_escrowedEncryptionSPKI) + { + other.escrowedEncryptionSPKI = _escrowedEncryptionSPKI; + } + if (_peerSigningSPKI) + { + other.peerSigningSPKI = _peerSigningSPKI; + } + if (_peerEncryptionSPKI) + { + 
other.peerEncryptionSPKI = _peerEncryptionSPKI; + } + if (_contents) + { + other.contents = _contents; + } +} + +- (id)copyWithZone:(NSZone *)zone +{ + OTBottle *copy = [[[self class] allocWithZone:zone] init]; + copy->_peerID = [_peerID copyWithZone:zone]; + copy->_spID = [_spID copyWithZone:zone]; + copy->_reserved3 = [_reserved3 copyWithZone:zone]; + copy->_reserved4 = [_reserved4 copyWithZone:zone]; + copy->_reserved5 = [_reserved5 copyWithZone:zone]; + copy->_reserved6 = [_reserved6 copyWithZone:zone]; + copy->_reserved7 = [_reserved7 copyWithZone:zone]; + copy->_escrowedSigningSPKI = [_escrowedSigningSPKI copyWithZone:zone]; + copy->_escrowedEncryptionSPKI = [_escrowedEncryptionSPKI copyWithZone:zone]; + copy->_peerSigningSPKI = [_peerSigningSPKI copyWithZone:zone]; + copy->_peerEncryptionSPKI = [_peerEncryptionSPKI copyWithZone:zone]; + copy->_contents = [_contents copyWithZone:zone]; + return copy; +} + +- (BOOL)isEqual:(id)object +{ + OTBottle *other = (OTBottle *)object; + return [other isMemberOfClass:[self class]] + && + ((!self->_peerID && !other->_peerID) || [self->_peerID isEqual:other->_peerID]) + && + ((!self->_spID && !other->_spID) || [self->_spID isEqual:other->_spID]) + && + ((!self->_reserved3 && !other->_reserved3) || [self->_reserved3 isEqual:other->_reserved3]) + && + ((!self->_reserved4 && !other->_reserved4) || [self->_reserved4 isEqual:other->_reserved4]) + && + ((!self->_reserved5 && !other->_reserved5) || [self->_reserved5 isEqual:other->_reserved5]) + && + ((!self->_reserved6 && !other->_reserved6) || [self->_reserved6 isEqual:other->_reserved6]) + && + ((!self->_reserved7 && !other->_reserved7) || [self->_reserved7 isEqual:other->_reserved7]) + && + ((!self->_escrowedSigningSPKI && !other->_escrowedSigningSPKI) || [self->_escrowedSigningSPKI isEqual:other->_escrowedSigningSPKI]) + && + ((!self->_escrowedEncryptionSPKI && !other->_escrowedEncryptionSPKI) || [self->_escrowedEncryptionSPKI isEqual:other->_escrowedEncryptionSPKI]) + && + 
((!self->_peerSigningSPKI && !other->_peerSigningSPKI) || [self->_peerSigningSPKI isEqual:other->_peerSigningSPKI]) + && + ((!self->_peerEncryptionSPKI && !other->_peerEncryptionSPKI) || [self->_peerEncryptionSPKI isEqual:other->_peerEncryptionSPKI]) + && + ((!self->_contents && !other->_contents) || [self->_contents isEqual:other->_contents]) + ; +} + +- (NSUInteger)hash +{ + return 0 + ^ + [self->_peerID hash] + ^ + [self->_spID hash] + ^ + [self->_reserved3 hash] + ^ + [self->_reserved4 hash] + ^ + [self->_reserved5 hash] + ^ + [self->_reserved6 hash] + ^ + [self->_reserved7 hash] + ^ + [self->_escrowedSigningSPKI hash] + ^ + [self->_escrowedEncryptionSPKI hash] + ^ + [self->_peerSigningSPKI hash] + ^ + [self->_peerEncryptionSPKI hash] + ^ + [self->_contents hash] + ; +} + +- (void)mergeFrom:(OTBottle *)other +{ + if (other->_peerID) + { + [self setPeerID:other->_peerID]; + } + if (other->_spID) + { + [self setSpID:other->_spID]; + } + if (other->_reserved3) + { + [self setReserved3:other->_reserved3]; + } + if (other->_reserved4) + { + [self setReserved4:other->_reserved4]; + } + if (other->_reserved5) + { + [self setReserved5:other->_reserved5]; + } + if (other->_reserved6) + { + [self setReserved6:other->_reserved6]; + } + if (other->_reserved7) + { + [self setReserved7:other->_reserved7]; + } + if (other->_escrowedSigningSPKI) + { + [self setEscrowedSigningSPKI:other->_escrowedSigningSPKI]; + } + if (other->_escrowedEncryptionSPKI) + { + [self setEscrowedEncryptionSPKI:other->_escrowedEncryptionSPKI]; + } + if (other->_peerSigningSPKI) + { + [self setPeerSigningSPKI:other->_peerSigningSPKI]; + } + if (other->_peerEncryptionSPKI) + { + [self setPeerEncryptionSPKI:other->_peerEncryptionSPKI]; + } + if (self->_contents && other->_contents) + { + [self->_contents mergeFrom:other->_contents]; + } + else if (!self->_contents && other->_contents) + { + [self setContents:other->_contents]; + } +} + +@end + 
diff --git a/keychain/ot/proto/source/OTBottleContents.h b/keychain/ot/proto/source/OTBottleContents.h new file mode 100644 index 00000000..926ae2d0 --- /dev/null +++ b/keychain/ot/proto/source/OTBottleContents.h @@ -0,0 +1,52 @@ +// This file was automatically generated by protocompiler +// DO NOT EDIT! +// Compiled from OTBottleContents.proto + +#import +#import + +@class OTPrivateKey; +@class OTPrivateKey; + +#ifdef __cplusplus +#define OTBOTTLECONTENTS_FUNCTION extern "C" __attribute__((visibility("hidden"))) +#else +#define OTBOTTLECONTENTS_FUNCTION extern __attribute__((visibility("hidden"))) +#endif + +__attribute__((visibility("hidden"))) +@interface OTBottleContents : PBCodable +{ + OTPrivateKey *_peerEncryptionPrivKey; + OTPrivateKey *_peerSigningPrivKey; + NSData *_reserved1; + NSData *_reserved2; +} + + +@property (nonatomic, readonly) BOOL hasReserved1; +/** tags 1 and 2 were briefly used during development for the raw private key data, with nothing to specify the key type. */ +@property (nonatomic, retain) NSData *reserved1; + +@property (nonatomic, readonly) BOOL hasReserved2; +@property (nonatomic, retain) NSData *reserved2; + +@property (nonatomic, readonly) BOOL hasPeerSigningPrivKey; +@property (nonatomic, retain) OTPrivateKey *peerSigningPrivKey; + +@property (nonatomic, readonly) BOOL hasPeerEncryptionPrivKey; +@property (nonatomic, retain) OTPrivateKey *peerEncryptionPrivKey; + +// Performs a shallow copy into other +- (void)copyTo:(OTBottleContents *)other; + +// Performs a deep merge from other into self +// If set in other, singular values in self are replaced in self +// Singular composite values are recursively merged +// Repeated values from other are appended to repeated values in self +- (void)mergeFrom:(OTBottleContents *)other; + +OTBOTTLECONTENTS_FUNCTION BOOL OTBottleContentsReadFrom(__unsafe_unretained OTBottleContents *self, __unsafe_unretained PBDataReader *reader); + +@end + 
diff --git a/keychain/ot/proto/source/OTBottleContents.m b/keychain/ot/proto/source/OTBottleContents.m new file mode 100644 index 00000000..19d9d61b --- /dev/null +++ b/keychain/ot/proto/source/OTBottleContents.m 
@@ -0,0 +1,263 @@ +// This file was automatically generated by protocompiler +// DO NOT EDIT! +// Compiled from OTBottleContents.proto + +#import "OTBottleContents.h" +#import +#import +#import + +#import "OTPrivateKey.h" + +#if !__has_feature(objc_arc) +# error This generated file depends on ARC but it is not enabled; turn on ARC, or use 'objc_use_arc' option to generate non-ARC code. +#endif + +@implementation OTBottleContents + +- (BOOL)hasReserved1 +{ + return _reserved1 != nil; +} +@synthesize reserved1 = _reserved1; +- (BOOL)hasReserved2 +{ + return _reserved2 != nil; +} +@synthesize reserved2 = _reserved2; +- (BOOL)hasPeerSigningPrivKey +{ + return _peerSigningPrivKey != nil; +} +@synthesize peerSigningPrivKey = _peerSigningPrivKey; +- (BOOL)hasPeerEncryptionPrivKey +{ + return _peerEncryptionPrivKey != nil; +} +@synthesize peerEncryptionPrivKey = _peerEncryptionPrivKey; + +- (NSString *)description +{ + return [NSString stringWithFormat:@"%@ %@", [super description], [self dictionaryRepresentation]]; +} + +- (NSDictionary *)dictionaryRepresentation +{ + NSMutableDictionary *dict = [NSMutableDictionary dictionary]; + if (self->_reserved1) + { + [dict setObject:self->_reserved1 forKey:@"reserved1"]; + } + if (self->_reserved2) + { + [dict setObject:self->_reserved2 forKey:@"reserved2"]; + } + if (self->_peerSigningPrivKey) + { + [dict setObject:[_peerSigningPrivKey dictionaryRepresentation] forKey:@"peerSigningPrivKey"]; + } + if (self->_peerEncryptionPrivKey) + { + [dict setObject:[_peerEncryptionPrivKey dictionaryRepresentation] forKey:@"peerEncryptionPrivKey"]; + } + return dict; +} + +BOOL OTBottleContentsReadFrom(__unsafe_unretained OTBottleContents *self, __unsafe_unretained PBDataReader *reader) { + while (PBReaderHasMoreData(reader)) { + uint32_t tag = 0; + uint8_t aType = 0; + + PBReaderReadTag32AndType(reader, &tag, &aType); + + if (PBReaderHasError(reader)) + break; + + if (aType == TYPE_END_GROUP) { + break; + } + + switch (tag) { + + case 1 /* 
reserved1 */: + { + NSData *new_reserved1 = PBReaderReadData(reader); + self->_reserved1 = new_reserved1; + } + break; + case 2 /* reserved2 */: + { + NSData *new_reserved2 = PBReaderReadData(reader); + self->_reserved2 = new_reserved2; + } + break; + case 3 /* peerSigningPrivKey */: + { + OTPrivateKey *new_peerSigningPrivKey = [[OTPrivateKey alloc] init]; + self->_peerSigningPrivKey = new_peerSigningPrivKey; + PBDataReaderMark mark_peerSigningPrivKey; + BOOL markError = !PBReaderPlaceMark(reader, &mark_peerSigningPrivKey); + if (markError) + { + return NO; + } + BOOL inError = !OTPrivateKeyReadFrom(new_peerSigningPrivKey, reader); + if (inError) + { + return NO; + } + PBReaderRecallMark(reader, &mark_peerSigningPrivKey); + } + break; + case 4 /* peerEncryptionPrivKey */: + { + OTPrivateKey *new_peerEncryptionPrivKey = [[OTPrivateKey alloc] init]; + self->_peerEncryptionPrivKey = new_peerEncryptionPrivKey; + PBDataReaderMark mark_peerEncryptionPrivKey; + BOOL markError = !PBReaderPlaceMark(reader, &mark_peerEncryptionPrivKey); + if (markError) + { + return NO; + } + BOOL inError = !OTPrivateKeyReadFrom(new_peerEncryptionPrivKey, reader); + if (inError) + { + return NO; + } + PBReaderRecallMark(reader, &mark_peerEncryptionPrivKey); + } + break; + default: + if (!PBReaderSkipValueWithTag(reader, tag, aType)) + return NO; + break; + } + } + return !PBReaderHasError(reader); +} + +- (BOOL)readFrom:(PBDataReader *)reader +{ + return OTBottleContentsReadFrom(self, reader); +} +- (void)writeTo:(PBDataWriter *)writer +{ + /* reserved1 */ + { + if (self->_reserved1) + { + PBDataWriterWriteDataField(writer, self->_reserved1, 1); + } + } + /* reserved2 */ + { + if (self->_reserved2) + { + PBDataWriterWriteDataField(writer, self->_reserved2, 2); + } + } + /* peerSigningPrivKey */ + { + if (self->_peerSigningPrivKey != nil) + { + PBDataWriterWriteSubmessage(writer, self->_peerSigningPrivKey, 3); + } + } + /* peerEncryptionPrivKey */ + { + if (self->_peerEncryptionPrivKey != 
nil) + { + PBDataWriterWriteSubmessage(writer, self->_peerEncryptionPrivKey, 4); + } + } +} + +- (void)copyTo:(OTBottleContents *)other +{ + if (_reserved1) + { + other.reserved1 = _reserved1; + } + if (_reserved2) + { + other.reserved2 = _reserved2; + } + if (_peerSigningPrivKey) + { + other.peerSigningPrivKey = _peerSigningPrivKey; + } + if (_peerEncryptionPrivKey) + { + other.peerEncryptionPrivKey = _peerEncryptionPrivKey; + } +} + +- (id)copyWithZone:(NSZone *)zone +{ + OTBottleContents *copy = [[[self class] allocWithZone:zone] init]; + copy->_reserved1 = [_reserved1 copyWithZone:zone]; + copy->_reserved2 = [_reserved2 copyWithZone:zone]; + copy->_peerSigningPrivKey = [_peerSigningPrivKey copyWithZone:zone]; + copy->_peerEncryptionPrivKey = [_peerEncryptionPrivKey copyWithZone:zone]; + return copy; +} + +- (BOOL)isEqual:(id)object +{ + OTBottleContents *other = (OTBottleContents *)object; + return [other isMemberOfClass:[self class]] + && + ((!self->_reserved1 && !other->_reserved1) || [self->_reserved1 isEqual:other->_reserved1]) + && + ((!self->_reserved2 && !other->_reserved2) || [self->_reserved2 isEqual:other->_reserved2]) + && + ((!self->_peerSigningPrivKey && !other->_peerSigningPrivKey) || [self->_peerSigningPrivKey isEqual:other->_peerSigningPrivKey]) + && + ((!self->_peerEncryptionPrivKey && !other->_peerEncryptionPrivKey) || [self->_peerEncryptionPrivKey isEqual:other->_peerEncryptionPrivKey]) + ; +} + +- (NSUInteger)hash +{ + return 0 + ^ + [self->_reserved1 hash] + ^ + [self->_reserved2 hash] + ^ + [self->_peerSigningPrivKey hash] + ^ + [self->_peerEncryptionPrivKey hash] + ; +} + +- (void)mergeFrom:(OTBottleContents *)other +{ + if (other->_reserved1) + { + [self setReserved1:other->_reserved1]; + } + if (other->_reserved2) + { + [self setReserved2:other->_reserved2]; + } + if (self->_peerSigningPrivKey && other->_peerSigningPrivKey) + { + [self->_peerSigningPrivKey mergeFrom:other->_peerSigningPrivKey]; + } + else if (!self->_peerSigningPrivKey 
&& other->_peerSigningPrivKey) + { + [self setPeerSigningPrivKey:other->_peerSigningPrivKey]; + } + if (self->_peerEncryptionPrivKey && other->_peerEncryptionPrivKey) + { + [self->_peerEncryptionPrivKey mergeFrom:other->_peerEncryptionPrivKey]; + } + else if (!self->_peerEncryptionPrivKey && other->_peerEncryptionPrivKey) + { + [self setPeerEncryptionPrivKey:other->_peerEncryptionPrivKey]; + } +} + +@end + diff --git a/keychain/ot/proto/source/OTPrivateKey.h b/keychain/ot/proto/source/OTPrivateKey.h new file mode 100644 index 00000000..d5e281c8 --- /dev/null +++ b/keychain/ot/proto/source/OTPrivateKey.h 
@@ -0,0 +1,62 @@ +// This file was automatically generated by protocompiler +// DO NOT EDIT! +// Compiled from OTPrivateKey.proto + +#import +#import + +typedef NS_ENUM(int32_t, OTPrivateKey_KeyType) { + /** kSecAttrKeyTypeEC */ + OTPrivateKey_KeyType_EC_NIST_CURVES = 1, +}; +#ifdef __OBJC__ +NS_INLINE NSString *OTPrivateKey_KeyTypeAsString(OTPrivateKey_KeyType value) +{ + switch (value) + { + case OTPrivateKey_KeyType_EC_NIST_CURVES: return @"EC_NIST_CURVES"; + default: return [NSString stringWithFormat:@"(unknown: %i)", value]; + } +} +#endif /* __OBJC__ */ +#ifdef __OBJC__ +NS_INLINE OTPrivateKey_KeyType StringAsOTPrivateKey_KeyType(NSString *value) +{ + if ([value isEqualToString:@"EC_NIST_CURVES"]) return OTPrivateKey_KeyType_EC_NIST_CURVES; + return OTPrivateKey_KeyType_EC_NIST_CURVES; +} +#endif /* __OBJC__ */ + +#ifdef __cplusplus +#define OTPRIVATEKEY_FUNCTION extern "C" __attribute__((visibility("hidden"))) +#else +#define OTPRIVATEKEY_FUNCTION extern __attribute__((visibility("hidden"))) +#endif + +__attribute__((visibility("hidden"))) +@interface OTPrivateKey : PBCodable +{ + NSData *_keyData; + OTPrivateKey_KeyType _keyType; +} + + +@property (nonatomic) OTPrivateKey_KeyType keyType; +- (NSString *)keyTypeAsString:(OTPrivateKey_KeyType)value; +- (OTPrivateKey_KeyType)StringAsKeyType:(NSString *)str; + +@property (nonatomic, retain) NSData *keyData; + +// Performs a shallow copy into other +- (void)copyTo:(OTPrivateKey *)other; + +// Performs a deep merge from other into self +// If set in other, singular values in self are replaced in self +// Singular composite values are recursively merged +// Repeated values from other are appended to repeated values in self +- (void)mergeFrom:(OTPrivateKey *)other; + +OTPRIVATEKEY_FUNCTION BOOL OTPrivateKeyReadFrom(__unsafe_unretained OTPrivateKey *self, __unsafe_unretained PBDataReader *reader); + +@end + 
diff --git a/keychain/ot/proto/source/OTPrivateKey.m b/keychain/ot/proto/source/OTPrivateKey.m new file mode 100644 index 00000000..442cd4c8 --- /dev/null +++ b/keychain/ot/proto/source/OTPrivateKey.m 
@@ -0,0 +1,141 @@ +// This file was automatically generated by protocompiler +// DO NOT EDIT! +// Compiled from OTPrivateKey.proto + +#import "OTPrivateKey.h" +#import +#import +#import + +#if !__has_feature(objc_arc) +# error This generated file depends on ARC but it is not enabled; turn on ARC, or use 'objc_use_arc' option to generate non-ARC code. +#endif + +@implementation OTPrivateKey + +@synthesize keyType = _keyType; +- (NSString *)keyTypeAsString:(OTPrivateKey_KeyType)value +{ + return OTPrivateKey_KeyTypeAsString(value); +} +- (OTPrivateKey_KeyType)StringAsKeyType:(NSString *)str +{ + return StringAsOTPrivateKey_KeyType(str); +} +@synthesize keyData = _keyData; + +- (NSString *)description +{ + return [NSString stringWithFormat:@"%@ %@", [super description], [self dictionaryRepresentation]]; +} + +- (NSDictionary *)dictionaryRepresentation +{ + NSMutableDictionary *dict = [NSMutableDictionary dictionary]; + [dict setObject:OTPrivateKey_KeyTypeAsString(self->_keyType) forKey:@"keyType"]; + if (self->_keyData) + { + [dict setObject:self->_keyData forKey:@"keyData"]; + } + return dict; +} + +BOOL OTPrivateKeyReadFrom(__unsafe_unretained OTPrivateKey *self, __unsafe_unretained PBDataReader *reader) { + while (PBReaderHasMoreData(reader)) { + uint32_t tag = 0; + uint8_t aType = 0; + + PBReaderReadTag32AndType(reader, &tag, &aType); + + if (PBReaderHasError(reader)) + break; + + if (aType == TYPE_END_GROUP) { + break; + } + + switch (tag) { + + case 1 /* keyType */: + { + self->_keyType = PBReaderReadInt32(reader); + } + break; + case 2 /* keyData */: + { + NSData *new_keyData = PBReaderReadData(reader); + self->_keyData = new_keyData; + } + break; + default: + if (!PBReaderSkipValueWithTag(reader, tag, aType)) + return NO; + break; + } + } + return !PBReaderHasError(reader); +} + +- (BOOL)readFrom:(PBDataReader *)reader +{ + return OTPrivateKeyReadFrom(self, reader); +} +- (void)writeTo:(PBDataWriter *)writer +{ + /* keyType */ + { + 
PBDataWriterWriteInt32Field(writer, self->_keyType, 1); + } + /* keyData */ + { + assert(nil != self->_keyData); + PBDataWriterWriteDataField(writer, self->_keyData, 2); + } +} + +- (void)copyTo:(OTPrivateKey *)other +{ + other->_keyType = _keyType; + other.keyData = _keyData; +} + +- (id)copyWithZone:(NSZone *)zone +{ + OTPrivateKey *copy = [[[self class] allocWithZone:zone] init]; + copy->_keyType = _keyType; + copy->_keyData = [_keyData copyWithZone:zone]; + return copy; +} + +- (BOOL)isEqual:(id)object +{ + OTPrivateKey *other = (OTPrivateKey *)object; + return [other isMemberOfClass:[self class]] + && + self->_keyType == other->_keyType + && + ((!self->_keyData && !other->_keyData) || [self->_keyData isEqual:other->_keyData]) + ; +} + +- (NSUInteger)hash +{ + return 0 + ^ + PBHashInt((NSUInteger)_keyType) + ^ + [self->_keyData hash] + ; +} + +- (void)mergeFrom:(OTPrivateKey *)other +{ + self->_keyType = other->_keyType; + if (other->_keyData) + { + [self setKeyData:other->_keyData]; + } +} + +@end + diff --git a/keychain/ot/tests/OTBottledPeerTLK.m b/keychain/ot/tests/OTBottledPeerTLK.m new file mode 100644 index 00000000..9a88281f --- /dev/null +++ b/keychain/ot/tests/OTBottledPeerTLK.m 
@@ -0,0 +1,162 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLEself.LICENSEself.HEADERself.START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLEself.LICENSEself.HEADERself.END@ + */ + +#if OCTAGON + +#import "OTTestsBase.h" + +@interface BottledPeerRestoreTLKTests : OTTestsBase +@property CKKSSOSSelfPeer* remotePeer1; +@property CKKSSOSPeer* remotePeer2; +@property CKKSSOSSelfPeer* untrustedPeer; + +@end + +@implementation BottledPeerRestoreTLKTests + +- (void)setUp +{ + [super setUp]; + + //set up a bottled peer and stick it in localStore + NSError* error = nil; + + self.remotePeer1 = [[CKKSSOSSelfPeer alloc] initWithSOSPeerID:self.sosPeerID + encryptionKey:self.peerEncryptionKey + signingKey:self.peerSigningKey]; + + [self.currentPeers addObject:self.remotePeer1]; + + OTBottledPeer *bp = [[OTBottledPeer alloc]initWithPeerID:self.egoPeerID spID:self.sosPeerID peerSigningKey:self.peerSigningKey peerEncryptionKey:self.peerEncryptionKey escrowKeys:self.escrowKeys error:&error]; + + XCTAssertNotNil(bp, @"plaintext should not be nil"); + XCTAssertNil(error, @"error should be nil"); + XCTAssertNotNil(self.escrowKeys.signingKey, @"signing 
public key should not be nil"); + XCTAssertNotNil(self.escrowKeys.encryptionKey, @"encryption public key should not be nil"); + + OTBottledPeerSigned *bpSigned = [[OTBottledPeerSigned alloc]initWithBottledPeer:bp escrowedSigningKey:self.escrowKeys.signingKey peerSigningKey:self.peerSigningKey error:&error]; + + OTBottledPeerRecord* record = [bpSigned asRecord:[self currentIdentity:&error].spID]; + self.recordName = record.recordName; + + OTIdentity* identity = [self currentIdentity:&error]; + [self.localStore insertBottledPeerRecord:record escrowRecordID:identity.spID error:&error]; + + self.remotePeer1 = [[CKKSSOSSelfPeer alloc] initWithSOSPeerID:@"remote-peer1" + encryptionKey:[[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]] + signingKey:[[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]]]; + + self.remotePeer2 = [[CKKSSOSPeer alloc] initWithSOSPeerID:@"remote-peer2" + encryptionPublicKey:[[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]].publicKey + signingPublicKey:[[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]].publicKey]; + + // Local SOS trusts these peers + [self.currentPeers addObject:self.remotePeer1]; + [self.currentPeers addObject:self.remotePeer2]; + + self.untrustedPeer = [[CKKSSOSSelfPeer alloc] initWithSOSPeerID:@"untrusted-peer" + encryptionKey:[[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]] + signingKey:[[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]]]; +} + +- (void)tearDown +{ + _remotePeer1 = nil; + _remotePeer2 = nil; + _untrustedPeer = nil; + [super tearDown]; +} + +-(void) testTLKSharingWithRestoredBottledPeer +{ + NSError* error = nil; + 
+ OTBottledPeerRecord *rec = [self.localStore readLocalBottledPeerRecordWithRecordID:self.recordName error:&error]; + XCTAssertNotNil(rec, @"rec should not be nil: %@", error); + XCTAssertNil(error, @"error should be nil: %@", error); + + OTBottledPeerSigned *bps = [[OTBottledPeerSigned alloc] initWithBottledPeerRecord:rec + escrowKeys:self.escrowKeys + error:&error]; + XCTAssertNil(error, @"error should be nil: %@", error); + XCTAssertNotNil(bps, @"signed bottled peer should not be nil: %@", error); + XCTAssertTrue([bps.bp.peerEncryptionKey isEqual:self.peerEncryptionKey], @"enrolled and restored peer encryption keys should match"); + XCTAssertTrue([bps.bp.peerSigningKey isEqual:self.peerSigningKey], @"enrolled and restored peer signing keys should match"); + + + CKKSSelves* selves = [[CKKSViewManager manager] fetchSelfPeers:&error]; + XCTAssertNotNil(selves, @"selves should not be nil: %@", error); + + XCTAssertTrue([selves.allSelves count] == 2, @"should have 2 selves"); + NSArray *arrayOfSelves = [selves.allSelves allObjects]; + XCTAssertNotNil(arrayOfSelves, @"arrayOfSelves should not be nil: %@", error); + + CKKSSOSSelfPeer *ourRestoredPeer = [arrayOfSelves objectAtIndex:0]; + if([ourRestoredPeer.peerID isEqualToString:@"spid-local-peer"]){ + ourRestoredPeer = [arrayOfSelves objectAtIndex:1]; + } + + XCTAssertTrue([ourRestoredPeer.peerID containsString:self.sosPeerID], @"peer ids should match!"); + XCTAssertTrue([ourRestoredPeer.signingKey isEqual:self.peerSigningKey], @"signing keys should match"); + XCTAssertTrue([ourRestoredPeer.encryptionKey isEqual:self.peerEncryptionKey], @"encryption keys should match"); + + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + [self putFakeDeviceStatusInCloudKit:self.keychainZoneID]; + [self startCKKSSubsystem]; + + // The CKKS subsystem should not try to write anything to the CloudKit database, but it should enter waitfortlk + XCTAssertEqual(0, 
[self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateWaitForTLK] wait:20*NSEC_PER_SEC], "Key state should become waitfortlk"); + + // peer1 arrives to save the day + // The CKKS subsystem should accept the keys, and share the TLK back to itself + [self expectCKModifyKeyRecords:0 currentKeyPointerRecords:0 tlkShareRecords:1 zoneID:self.keychainZoneID]; + + [self putTLKSharesInCloudKit:self.keychainZoneKeys.tlk from:ourRestoredPeer zoneID:self.keychainZoneID]; + [self.keychainView notifyZoneChange:nil]; + [self.keychainView waitForFetchAndIncomingQueueProcessing]; + + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:20*NSEC_PER_SEC], "Key state should become ready"); + + // We expect a single record to be uploaded for each key class + [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID + checkItem: [self checkClassCBlock:self.keychainZoneID message:@"Object was encrypted under class C key in hierarchy"]]; + [self addGenericPassword: @"data" account: @"account-delete-me"]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + + [self expectCKModifyItemRecords: 1 currentKeyPointerRecords: 1 zoneID:self.keychainZoneID + checkItem: [self checkClassABlock:self.keychainZoneID message:@"Object was encrypted under class A key in hierarchy"]]; + [self addGenericPassword:@"asdf" + account:@"account-class-A" + viewHint:nil + access:(id)kSecAttrAccessibleWhenUnlocked + expecting:errSecSuccess + message:@"Adding class A item"]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); +} + +- (nullable OTIdentity *)currentIdentity:(NSError * _Nullable __autoreleasing * _Nullable)error { + return [[OTIdentity alloc]initWithPeerID:@"ego peer id" spID:self.sosPeerID peerSigningKey:self.peerSigningKey peerEncryptionkey:self.peerEncryptionKey error:error]; +} + +@end +#endif diff --git a/keychain/ot/tests/OTBottledPeerTests.m b/keychain/ot/tests/OTBottledPeerTests.m new file mode 100644 index 00000000..20cdbe42 
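Review bot: `setUp` in BottledPeerRestoreTLKTests passes one `error` to `initWithBottledPeer:escrowedSigningKey:peerSigningKey:error:`, `currentIdentity:` and `insertBottledPeerRecord:escrowRecordID:error:` but never checks it after the first assertion, so a failed signing or store insert only shows up later as an unrelated failure in the test body. Add `XCTAssertNotNil(bpSigned, @"signed bottled peer should not be nil: %@", error);` after the signing call and assert the insert result as well (its return type is not visible in this hunk). `self.untrustedPeer` is constructed but no test in this file uses it; a case asserting that a TLK share from that peer is not accepted would cover the rejection path that the trust model depends on. `self.remotePeer1` is also assigned twice, leaving the first instance in `currentPeers` with no property referring to it, which deserves a one-line comment if intentional.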
--- /dev/null +++ b/keychain/ot/tests/OTBottledPeerTests.m 
@@ -0,0 +1,149 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if OCTAGON + +#import +#import +#import +#import "OTTestsBase.h" +#import +#import +#import +#import +#import + +#import "keychain/ot/OTBottledPeer.h" +#import "keychain/ot/OTBottledPeerSigned.h" + +#import "keychain/ckks/CKKS.h" + +static NSString* const testDSID = @"123456789"; + +@interface UnitTestOTBottledPeer : OTTestsBase + +@end + +@implementation UnitTestOTBottledPeer + +- (void)setUp +{ + [super setUp]; + self.continueAfterFailure = NO; + NSError* error = nil; + + self.sosPeerID = @"spID"; + self.egoPeerID = @"egoPeerID"; + self.peerSigningKey = [[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]]; + self.peerEncryptionKey = [[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]]; + self.escrowKeys = [[OTEscrowKeys alloc]initWithSecret:self.secret dsid:testDSID error:&error]; +} + +- (void)tearDown +{ + [super tearDown]; +} + 
+-(void)testBottledPeerCreation +{ + NSError* error = nil; + + OTBottledPeer *bp = [[OTBottledPeer alloc]initWithPeerID:self.egoPeerID spID:self.sosPeerID peerSigningKey:self.peerSigningKey peerEncryptionKey:self.peerEncryptionKey escrowKeys:self.escrowKeys error:&error]; + + XCTAssertNotNil(bp, @"bottled peer should not be nil"); + XCTAssertNil(error, @"error should be nil"); + XCTAssertNotNil(self.escrowKeys.signingKey, @"signing public key should not be nil"); + XCTAssertNotNil(self.escrowKeys.encryptionKey, @"encryption public key should not be nil"); + +} + +-(void)testSignedBottledPeerCreation +{ + NSError* error = nil; + + OTBottledPeer *bp = [[OTBottledPeer alloc]initWithPeerID:self.egoPeerID spID:self.sosPeerID peerSigningKey:self.peerSigningKey peerEncryptionKey:self.peerEncryptionKey escrowKeys:self.escrowKeys error:&error]; + + XCTAssertNotNil(bp, @"plaintext should not be nil"); + XCTAssertNil(error, @"error should be nil"); + XCTAssertNotNil(self.escrowKeys.signingKey, @"signing public key should not be nil"); + XCTAssertNotNil(self.escrowKeys.encryptionKey, @"encryption public key should not be nil"); + + OTBottledPeerSigned *bpSigned = [[OTBottledPeerSigned alloc]initWithBottledPeer:bp escrowedSigningKey:self.escrowKeys.signingKey peerSigningKey:self.peerSigningKey error:&error]; + XCTAssertNil(error, @"error should be nil"); + XCTAssertNotNil(bpSigned, @"bottled peer signed should not be nil"); + +} + +-(void)testCreatingBottledPeerFromRecord +{ + NSError* error = nil; + OTBottledPeer *bp = [[OTBottledPeer alloc]initWithPeerID:self.egoPeerID spID:self.sosPeerID peerSigningKey:self.peerSigningKey peerEncryptionKey:self.peerEncryptionKey escrowKeys:self.escrowKeys error:&error]; + + XCTAssertNotNil(bp, @"plaintext should not be nil"); + XCTAssertNil(error, @"error should be nil"); + XCTAssertNotNil(self.escrowKeys.signingKey, @"signing public key should not be nil"); + XCTAssertNotNil(self.escrowKeys.encryptionKey, @"encryption public key should not 
be nil"); + + OTBottledPeerSigned *bpSigned = [[OTBottledPeerSigned alloc]initWithBottledPeer:bp escrowedSigningKey:self.escrowKeys.signingKey peerSigningKey:self.peerSigningKey error:&error]; + + OTBottledPeerRecord* record = [bpSigned asRecord:@"escrowRecordID"]; + OTBottledPeerSigned *bpRestored = [[OTBottledPeerSigned alloc] initWithBottledPeerRecord:record escrowKeys:self.escrowKeys error:&error]; + XCTAssertNotNil(bpRestored, @"bottled peer signed should not be nil"); +} + +-(void)testRestoringBottledPeerSigned +{ + NSError* error = nil; + OTBottledPeer *bp = [[OTBottledPeer alloc]initWithPeerID:self.egoPeerID spID:self.sosPeerID peerSigningKey:self.peerSigningKey peerEncryptionKey:self.peerEncryptionKey escrowKeys:self.escrowKeys error:&error]; + + XCTAssertNotNil(bp, @"plaintext should not be nil"); + XCTAssertNil(error, @"error should be nil"); + + SFECKeySpecifier *keySpecifier = [[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]; + id digestOperation = [[SFSHA384DigestOperation alloc] init]; + SFEC_X962SigningOperation* xso = [[SFEC_X962SigningOperation alloc] initWithKeySpecifier:keySpecifier digestOperation:digestOperation]; + + NSData* signatureUsingEscrow = [xso sign:bp.data withKey:self.escrowKeys.signingKey error:&error].signature; + XCTAssertNil(error, @"error should not be nil"); + + NSData* signatureUsingPeerKey = [xso sign:bp.data withKey:self.peerSigningKey error:&error].signature; + XCTAssertNil(error, @"error should not be nil"); + + XCTAssertNotNil(signatureUsingEscrow, @"signature using escrow signing key should not be nil"); + XCTAssertNotNil(signatureUsingPeerKey, @"signature using peer signing key should not be nil"); + + + OTBottledPeerSigned *bpSigned = [[OTBottledPeerSigned alloc]initWithBottledPeer:bp signatureUsingEscrow:signatureUsingEscrow signatureUsingPeerKey:signatureUsingPeerKey escrowedSigningPubKey:[self.escrowKeys.signingKey publicKey] error:&error]; + + XCTAssertNotNil(bpSigned, @"bottled peer signed should 
not be nil"); + + bpSigned = [[OTBottledPeerSigned alloc]initWithBottledPeer:bp signatureUsingEscrow:[NSData data] signatureUsingPeerKey:[NSData data] escrowedSigningPubKey:[self.escrowKeys.signingKey publicKey] error:&error]; + + XCTAssertNil(bpSigned, @"bottled peer signed should be nil"); + XCTAssertNotNil(error, @"error should not be nil"); + +} + +@end + +#endif /* OCTAGON */ diff --git a/keychain/ot/tests/OTCloudStoreTests.m b/keychain/ot/tests/OTCloudStoreTests.m new file mode 100644 index 00000000..3fc7b178 --- /dev/null +++ b/keychain/ot/tests/OTCloudStoreTests.m 
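Review bot: The rejection case at the end of `testRestoringBottledPeerSigned` can pass on a stale `error`, and it only exercises empty signatures. `error` is neither asserted nil nor reset after the preceding successful `initWithBottledPeer:signatureUsingEscrow:signatureUsingPeerKey:escrowedSigningPubKey:error:` call, so add `XCTAssertNil(error, @"error should be nil: %@", error);` before the negative call. A well-formed signature made with the wrong key (for example `signatureUsingPeerKey` passed as `signatureUsingEscrow`) would test signature verification rather than input parsing. The two `XCTAssertNil(error, @"error should not be nil")` messages after the `sign:` calls contradict the assertion and should read `@"error should be nil"`. `testCreatingBottledPeerFromRecord` likewise never asserts `bpSigned` or `error` before building the record.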
@@ -0,0 +1,298 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if OCTAGON + +#import + +#import +#import + +#import "OTTestsBase.h" + +static NSString* OTCKRecordBottledPeerType = @"OTBottledPeer"; +static NSString* OTCKRecordEscrowRecordID = @"escrowRecordID"; + +@interface OTCloudStoreUnitTests : OTTestsBase +@property (nonatomic, strong) OTBottledPeerRecord* fakeBottledPeerRecord; +@end + +@implementation OTCloudStoreUnitTests + + +- (void)setUp { + [super setUp]; + self.continueAfterFailure = NO; + self.fakeBottledPeerRecord = [[OTBottledPeerRecord alloc] init]; + self.fakeBottledPeerRecord.bottle = [@"bottled peer data" dataUsingEncoding:NSUTF8StringEncoding]; + self.fakeBottledPeerRecord.signatureUsingEscrowKey = [@"bottled peer escrow sig" dataUsingEncoding:NSUTF8StringEncoding]; + self.fakeBottledPeerRecord.signatureUsingPeerKey = [@"bottled peer peer sig" dataUsingEncoding:NSUTF8StringEncoding]; + self.fakeBottledPeerRecord.peerID = @"peer id"; + self.fakeBottledPeerRecord.spID = @"sos peer id"; + 
self.fakeBottledPeerRecord.escrowRecordID = @"escrowRecordID"; + self.fakeBottledPeerRecord.escrowedSigningSPKI = [@"escrowedSigningSPKI" dataUsingEncoding:kCFStringEncodingUTF8]; + self.fakeBottledPeerRecord.peerSigningSPKI = [@"peerSigningSPKI" dataUsingEncoding:kCFStringEncodingUTF8]; +} + +- (void)tearDown { + self.zones = nil; + self.operationQueue = nil; + + [super tearDown]; +} + +- (void)testWriteSameBottledPeerTwiceToFakeRecord { + NSError* error = nil; + + NSMutableDictionary* recordDictionary = [NSMutableDictionary dictionaryWithObjectsAndKeys:[[NSNumber alloc] initWithInt:1], OTCKRecordBottledPeerType, nil]; + + [self expectAddedCKModifyRecords:recordDictionary holdFetch:YES]; + [self startCKKSSubsystem]; + XCTAssertTrue([self.cloudStore uploadBottledPeerRecord:self.fakeBottledPeerRecord escrowRecordID:self.fakeBottledPeerRecord.escrowRecordID error:&error], @"should create bottled peer record"); + XCTAssertNil(error, "error should be nil"); + + [self waitForCKModifications]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self releaseCloudKitFetchHold]; + + [self expectAddedCKModifyRecords:recordDictionary holdFetch:YES]; + + XCTAssertTrue([self.cloudStore uploadBottledPeerRecord:self.fakeBottledPeerRecord escrowRecordID:self.fakeBottledPeerRecord.escrowRecordID error:&error], @"should create bottled peer record"); + XCTAssertNil(error, "error should be nil"); + + [self waitForCKModifications]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self releaseCloudKitFetchHold]; +} + +- (void)testWriteBottledPeerToFakeRecord { + NSError* error = nil; + + NSMutableDictionary* recordDictionary = [NSMutableDictionary dictionary]; + recordDictionary[OTCKRecordBottledPeerType] = [[NSNumber alloc] initWithInt:1]; + + [self expectAddedCKModifyRecords:recordDictionary holdFetch:YES]; + [self startCKKSSubsystem]; + + XCTAssertTrue([self.cloudStore uploadBottledPeerRecord:self.fakeBottledPeerRecord escrowRecordID:self.fakeBottledPeerRecord.escrowRecordID 
error:&error], @"should create bottled peer record"); + XCTAssertNil(error, "error should be nil"); + + [self waitForCKModifications]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self releaseCloudKitFetchHold]; +} + +- (void)testWriteMultipleBottledPeersToSAMEFakeRecord { + NSError* error = nil; + + NSMutableDictionary* recordDictionary = [NSMutableDictionary dictionary]; + + recordDictionary[OTCKRecordBottledPeerType] = [[NSNumber alloc] initWithInt:1]; + + [self startCKKSSubsystem]; + + for(int i = 0; i < 10; i++){ + [self expectAddedCKModifyRecords:recordDictionary holdFetch:NO]; + + XCTAssertTrue([self.cloudStore uploadBottledPeerRecord:self.fakeBottledPeerRecord escrowRecordID:self.fakeBottledPeerRecord.escrowRecordID error:&error], @"should create bottled peer record"); + + [self waitForCKModifications]; + + XCTAssertNil(error, "error should be nil"); + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self releaseCloudKitFetchHold]; + } +} + +- (void)testWriteBottledPeersToDifferentFakeRecord { + NSError* error = nil; + + NSMutableDictionary* recordDictionary = [NSMutableDictionary dictionary]; + + recordDictionary[OTCKRecordBottledPeerType] = [[NSNumber alloc] initWithInt:1]; + + [self startCKKSSubsystem]; + + for(int i = 0; i < 10; i++){ + [self expectAddedCKModifyRecords:recordDictionary holdFetch:YES]; + NSString *escrowID = [NSString stringWithFormat:@"bp-sospeer%d-hash", i]; + self.fakeBottledPeerRecord.escrowRecordID = escrowID; + XCTAssertTrue([self.cloudStore uploadBottledPeerRecord:self.fakeBottledPeerRecord escrowRecordID:escrowID error:&error], @"should create bottled peer record"); + [self waitForCKModifications]; + + XCTAssertNil(error, "error should be nil"); + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self releaseCloudKitFetchHold]; + } + XCTAssertTrue( [[self.cloudStore retrieveListOfEligibleEscrowRecordIDs:&error] count] == 10, @"should have 1 record"); +} + + +- (void)testReadBottledPeerRecordFromCloudKit { + NSError *error = 
nil; + [self startCKKSSubsystem]; + + CKRecord* newRecord = [[CKRecord alloc]initWithRecordType:OTCKRecordBottledPeerType]; + newRecord[OTCKRecordEscrowRecordID] = @"escrowRecordID"; + [self.otFakeZone addToZone:newRecord]; + + [self.cloudStore notifyZoneChange:nil]; + + [self waitForCKModifications]; + + OCMVerifyAllWithDelay(self.mockDatabase, 8); + XCTAssertTrue( [[self.cloudStore retrieveListOfEligibleEscrowRecordIDs:&error] count] > 0, @"should have 1 record"); +} + +-(void) testOTCloudStoreDownloadBP{ + NSError* error = nil; + [self startCKKSSubsystem]; + + CKRecord* newRecord = [[CKRecord alloc]initWithRecordType:OTCKRecordBottledPeerType]; + newRecord[OTCKRecordEscrowRecordID] = @"escrowRecordID"; + [self.otFakeZone addToZone:newRecord]; + + XCTAssertTrue([self.cloudStore downloadBottledPeerRecord:&error] == YES, @"downloading records should succeed:%@", error); + XCTAssertNil(error, @"error should be nil"); + + [self waitForCKModifications]; + + OCMVerifyAllWithDelay(self.mockDatabase, 8); + + XCTAssertNil(error, "error should be nil"); + XCTAssertEqual([[self.cloudStore retrieveListOfEligibleEscrowRecordIDs:&error] count], (unsigned long)1, @"should have 1 record"); + XCTAssertNil(error, "error should be nil"); +} + +-(void) testOTCloudStoreDownloadMultipleBP{ + NSError* error = nil; + [self startCKKSSubsystem]; + + for(int i = 0; i < 10; i++){ + CKRecord* newRecord = [[CKRecord alloc]initWithRecordType:OTCKRecordBottledPeerType zoneID:self.otZoneID]; + newRecord[OTCKRecordEscrowRecordID] = [NSString stringWithFormat:@"escrowRecordID%d", i]; + [self.otFakeZone addToZone:newRecord]; + } + [self waitForCKModifications]; + + XCTAssertTrue([self.cloudStore downloadBottledPeerRecord:&error] == YES, @"downloading records should succeed:%@", error); + XCTAssertNil(error, @"error should be nil"); + [self waitForCKModifications]; + + OCMVerifyAllWithDelay(self.mockDatabase, 8); + + XCTAssertNil(error, "error should be nil"); + XCTAssertEqual( [[self.cloudStore 
retrieveListOfEligibleEscrowRecordIDs:&error] count], (unsigned long)10, @"should have 1 record"); +} + +-(void) testOTCloudStoreUploadMultipleToSameRecord{ + NSError* error = nil; + [self startCKKSSubsystem]; + CKRecord* newRecord = [[CKRecord alloc]initWithRecordType:OTCKRecordBottledPeerType zoneID:self.otZoneID]; + newRecord[OTCKRecordEscrowRecordID] = @"escrowRecordID"; + for(int i = 0; i < 10; i++){ + [self.otFakeZone addToZone:newRecord]; + } + [self waitForCKModifications]; + + XCTAssertTrue([self.cloudStore downloadBottledPeerRecord:&error] == YES, @"downloading records should succeed:%@", error); + XCTAssertNil(error, @"error should be nil"); + [self waitForCKModifications]; + + OCMVerifyAllWithDelay(self.mockDatabase, 8); + + XCTAssertNil(error, "error should be nil"); + XCTAssertEqual([[self.cloudStore retrieveListOfEligibleEscrowRecordIDs:&error] count], (unsigned long)1, @"should have 1 record"); +} + +-(void) testRemoveRecordIDs{ + + [self startCKKSSubsystem]; + NSError *error = nil; + CKRecord* newRecord = [[CKRecord alloc]initWithRecordType:OTCKRecordBottledPeerType zoneID:self.otZoneID]; + newRecord[OTCKRecordEscrowRecordID] = @"escrowRecordID"; + [self expectCKFetch]; + + [self.otFakeZone addToZone:newRecord]; + [self waitForCKModifications]; + + [self.cloudStore notifyZoneChange:nil]; + [self waitForCKModifications]; + + XCTAssertTrue( [[self.cloudStore retrieveListOfEligibleEscrowRecordIDs:&error] count] == 1, @"should have 1 record"); + + [self expectCKFetch]; + XCTAssertTrue([self.cloudStore downloadBottledPeerRecord:&error] == YES, @"downloading records should succeed:%@", error); + XCTAssertNil(error, @"error should be nil"); + [self waitForCKModifications]; +} + +-(void) testFetchTimeout +{ + [self startCKKSSubsystem]; + + NSError* error = nil; + CKRecord* newRecord = [[CKRecord alloc]initWithRecordType:OTCKRecordBottledPeerType zoneID:self.otZoneID]; + newRecord[OTCKRecordEscrowRecordID] = @"escrowRecordID"; + + [self 
holdCloudKitFetches]; + + [self.cloudStore downloadBottledPeerRecord:&error]; + + XCTAssertNotNil(error, "error should not be nil"); + XCTAssertTrue([(NSString*)error.userInfo[@"NSLocalizedDescription"] isEqualToString:@"Operation(CKKSResultOperation(cloudkit-fetch-and-process-changes)) timed out waiting to start for []"], "expecting timed out error"); +} + +-(void) testModifyRecordsTimeout +{ + NSError* error = nil; + + NSMutableDictionary* recordDictionary = [NSMutableDictionary dictionaryWithObjectsAndKeys:[[NSNumber alloc] initWithInt:1], OTCKRecordBottledPeerType, nil]; + + [self expectAddedCKModifyRecords:recordDictionary holdFetch:NO]; + + [self startCKKSSubsystem]; + + [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. + [self startCKKSSubsystem]; + + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:4*NSEC_PER_SEC], @"Key state should have arrived at ready"); + + [self holdCloudKitModifications]; + + [self.cloudStore uploadBottledPeerRecord:self.fakeBottledPeerRecord + escrowRecordID:self.fakeBottledPeerRecord.escrowRecordID error:&error]; + + XCTAssertNotNil(error, "error should not be nil"); + XCTAssertTrue([(NSString*)error.userInfo[@"NSLocalizedDescription"] isEqualToString:@"Operation(CKKSResultOperation(cloudkit-modify-changes)) timed out waiting to start for []"], "expecting timed out error"); + + [self expectAddedCKModifyRecords:recordDictionary holdFetch:NO]; + + [self releaseCloudKitModificationHold]; + [self waitForCKModifications]; +} + +@end + +#endif /* OCTAGON */ + diff --git a/keychain/ot/tests/OTContextTests.m b/keychain/ot/tests/OTContextTests.m new file mode 100644 index 00000000..261eb069 --- /dev/null +++ b/keychain/ot/tests/OTContextTests.m 
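Review bot: In `setUp` of OTCloudStoreUnitTests, `escrowedSigningSPKI` and `peerSigningSPKI` are built with `dataUsingEncoding:kCFStringEncodingUTF8`, a CFStringEncoding constant, where the method takes an NSStringEncoding. The two enums use different numeric values, so these fields are likely nil or mis-encoded, unlike the three fields above that use `NSUTF8StringEncoding`. Use `[@"escrowedSigningSPKI" dataUsingEncoding:NSUTF8StringEncoding]` and the same for `peerSigningSPKI`. Several count assertions carry the message `@"should have 1 record"` while expecting 10, and the two timeout tests compare the whole `NSLocalizedDescription` string, which breaks on any rewording; matching on the error domain and code would be sturdier if the operation exposes them.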
@@ -0,0 +1,240 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + + +#if OCTAGON + +#import +#import +#import + +#import "OTTestsBase.h" + +static NSString* const testContextID = @"Foo"; +static NSString* OTCKRecordBottledPeerType = @"OTBottledPeer"; + +@interface UnitTestOTContext : OTTestsBase +@property (nonatomic, strong) OTBottledPeerRecord* fakeBottledPeerRecord; +@end + +@implementation UnitTestOTContext + +- (void)setUp +{ + [super setUp]; + self.continueAfterFailure = NO; +} + +- (void)tearDown +{ + self.zones = nil; + self.operationQueue = nil; + [super tearDown]; +} + +-(void) testEnroll +{ + NSError* error = nil; + + NSString* escrowRecordID = [self currentIdentity:&error].spID; + XCTAssertNil(error, @"error should be nil: %@", error); + XCTAssertNotNil(escrowRecordID, @"escrowRecordID should not be nil: %@", error); + + NSMutableDictionary* recordDictionary = [NSMutableDictionary dictionaryWithObjectsAndKeys:[[NSNumber alloc] initWithInt:1], OTCKRecordBottledPeerType, nil]; + + [self expectAddedCKModifyRecords:recordDictionary 
holdFetch:YES]; + [self startCKKSSubsystem]; + + OTPreflightInfo* info = nil; + XCTAssertNotNil(info = [self.context preflightBottledPeer:testContextID entropy:self.secret error:&error], @"preflight sould return info:%@", error); + XCTAssertNil(error, @"error should be nil: %@", error); + XCTAssertNotNil(info, @"preflight info should not be nil: %@", error); + XCTAssertNotNil(info.bottleID, @"escrowRecordID should not be nil: %@", error); + XCTAssertNotNil(info.escrowedSigningSPKI, @"signingPubKey should be nil: %@", error); + + OTBottledPeerRecord* bprecord = [self.localStore readLocalBottledPeerRecordWithRecordID:info.bottleID error:&error]; + XCTAssertNotNil(bprecord, @"bprecord should not be nil: %@", error); + + XCTAssertTrue([self.context.cloudStore uploadBottledPeerRecord:bprecord escrowRecordID:escrowRecordID error:&error], @"launch should succeed"); + XCTAssertNil(error, @"error should be nil: %@", error); + [self releaseCloudKitFetchHold]; + + [self expectCKFetch]; + XCTAssertEqual( [[self.cloudStore retrieveListOfEligibleEscrowRecordIDs:&error] count], (unsigned long)1, @"should have 1 record"); +} + +-(void) testEnrollAndRestore +{ + NSError* error = nil; + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + + NSString* escrowRecordID = [self currentIdentity:&error].spID; + XCTAssertNil(error, @"error should be nil: %@", error); + XCTAssertNotNil(escrowRecordID, @"escrowRecordID should not be nil: %@", error); + + NSMutableDictionary* recordDictionary = [NSMutableDictionary dictionaryWithObjectsAndKeys:[[NSNumber alloc] initWithInt:1], OTCKRecordBottledPeerType, nil]; + + [self startCKKSSubsystem]; + + OTPreflightInfo* info = nil; + XCTAssertNotNil(info = [self.context preflightBottledPeer:testContextID entropy:self.secret error:&error], @"preflight sould return info"); + XCTAssertNil(error, @"error should be nil: %@", error); + XCTAssertNotNil(info, @"preflight info should not be nil: %@", error); + XCTAssertNotNil(info.bottleID, 
@"escrowRecordID should not be nil: %@", error); + XCTAssertNotNil(info.escrowedSigningSPKI, @"signingPubKey should be nil: %@", error); + + OTBottledPeerRecord* bprecord = [self.localStore readLocalBottledPeerRecordWithRecordID:info.bottleID error:&error]; + XCTAssertNotNil(bprecord, @"bprecord should not be nil: %@", error); + + [self expectAddedCKModifyRecords:recordDictionary holdFetch:NO]; + XCTAssertTrue([self.cloudStore uploadBottledPeerRecord:bprecord escrowRecordID:bprecord.escrowRecordID error:&error], @"should create bottled peer record"); + XCTAssertNil(error, "error should be nil"); + [self waitForCKModifications]; + + [self releaseCloudKitFetchHold]; + + OTBottledPeerSigned* bp = [self.context restoreFromEscrowRecordID:escrowRecordID secret:self.secret error:&error]; + [self waitForCKModifications]; + + XCTAssertTrue( [[self.cloudStore retrieveListOfEligibleEscrowRecordIDs:&error] count] == 1, @"should have 1 record"); + [self waitForCKModifications]; + + XCTAssertNil(error, @"error should be nil: %@", error); + XCTAssertNotNil(bp, @"signed bottled peer should not be nil: %@", error); + XCTAssertTrue([bp.bp.peerEncryptionKey isEqual:self.peerEncryptionKey], @"enrolled and restored peer encryption keys should match"); + XCTAssertTrue([bp.bp.peerSigningKey isEqual:self.peerSigningKey], @"enrolled and restored peer signing keys should match"); +} + +-(void)testEnrollAndRestoreFromCloudKit +{ + NSError* error = nil; + [self putFakeKeyHierarchyInCloudKit:self.keychainZoneID]; + + NSMutableDictionary* recordDictionary = [NSMutableDictionary dictionaryWithObjectsAndKeys:[[NSNumber alloc] initWithInt:1], OTCKRecordBottledPeerType, nil]; + + [self expectAddedCKModifyRecords:recordDictionary holdFetch:YES]; + [self startCKKSSubsystem]; + + OTPreflightInfo* info = nil; + XCTAssertNotNil(info = [self.context preflightBottledPeer:testContextID entropy:self.secret error:&error], @"preflight sould return info"); + XCTAssertNil(error, @"error should be nil: %@", 
error); + XCTAssertNotNil(info, @"preflight info should not be nil: %@", error); + XCTAssertNotNil(info.bottleID, @"bottleID should not be nil: %@", error); + XCTAssertNotNil(info.escrowedSigningSPKI, @"signingPubKey should be nil: %@", error); + + OTBottledPeerRecord* bprecord = [self.localStore readLocalBottledPeerRecordWithRecordID:info.bottleID error:&error]; + XCTAssertNotNil(bprecord, @"bprecord should not be nil: %@", error); + + XCTAssertTrue([self.context.cloudStore uploadBottledPeerRecord:bprecord escrowRecordID:info.bottleID error:&error], @"launch should succeed"); + XCTAssertNil(error, @"error should be nil: %@", error); + + [self waitForCKModifications]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self releaseCloudKitFetchHold]; + + XCTAssertTrue([[self.cloudStore retrieveListOfEligibleEscrowRecordIDs:&error] count] > 0, @"should have multiple records"); + OTIdentity *identity = [self currentIdentity:&error]; + + XCTAssertNil(error, @"error should be nil: %@", error); + XCTAssertNotNil(self.escrowKeys, @"escrow keys should not be nil: %@", error); + + NSString* recordName = [OTBottledPeerRecord constructRecordID:identity.spID escrowSigningSPKI:[self.escrowKeys.signingKey.publicKey asSPKI]]; + + OTBottledPeerRecord *rec = [self.localStore readLocalBottledPeerRecordWithRecordID:recordName error:&error]; + + XCTAssertNotNil(rec.signatureUsingEscrowKey, @"signatureUsingEscrow should not be nil: %@", error); + + XCTAssertNotNil(rec.signatureUsingPeerKey, @"signatureUsingPeerKey should not be nil: %@", error); + + XCTAssertNotNil(rec.bottle, @"bottle should not be nil: %@", error); + + + OTBottledPeerSigned *bps = [[OTBottledPeerSigned alloc] initWithBottledPeerRecord:rec + escrowKeys:self.escrowKeys + error:&error]; + XCTAssertNil(error, @"error should be nil: %@", error); + XCTAssertNotNil(bps, @"signed bottled peer should not be nil: %@", error); + XCTAssertTrue([bps.bp.peerEncryptionKey isEqual:self.peerEncryptionKey], @"enrolled and restored peer 
encryption keys should match"); + XCTAssertTrue([bps.bp.peerSigningKey isEqual:self.peerSigningKey], @"enrolled and restored peer signing keys should match"); +} + +-(void) testScrubbing +{ + NSError* error = nil; + + NSMutableDictionary* recordDictionary = [NSMutableDictionary dictionaryWithObjectsAndKeys:[[NSNumber alloc] initWithInt:1], OTCKRecordBottledPeerType, nil]; + + [self expectAddedCKModifyRecords:recordDictionary holdFetch:YES]; + [self startCKKSSubsystem]; + + OTPreflightInfo* info = nil; + XCTAssertNotNil(info = [self.context preflightBottledPeer:testContextID entropy:self.secret error:&error], @"preflight sould return info"); + XCTAssertNil(error, @"error should be nil: %@", error); + XCTAssertNotNil(info, @"preflight info should not be nil: %@", error); + XCTAssertNotNil(info.bottleID, @"escrowRecordID should not be nil: %@", error); + XCTAssertNotNil(info.escrowedSigningSPKI, @"signingPubKey should be nil: %@", error); + + XCTAssertTrue([self.context scrubBottledPeer:testContextID bottleID:info.bottleID error:&error], @"scrubbing bottled peer should succeed"); + XCTAssertNil(error, @"error should be nil: %@", error); + NSArray* list = [self.context.cloudStore retrieveListOfEligibleEscrowRecordIDs:&error]; + XCTAssertTrue([list count] == 0, @"there should be 0 records in localstore"); +} + +-(void) testGettingListOfRecordIDS +{ + NSError* error = nil; + + NSMutableDictionary* recordDictionary = [NSMutableDictionary dictionaryWithObjectsAndKeys:[[NSNumber alloc] initWithInt:1], OTCKRecordBottledPeerType, nil]; + [self expectAddedCKModifyRecords:recordDictionary holdFetch:YES]; + [self startCKKSSubsystem]; + + OTPreflightInfo* info = nil; + XCTAssertNotNil(info = [self.context preflightBottledPeer:testContextID entropy:self.secret error:&error], @"preflight sould return info"); + XCTAssertNil(error, @"error should be nil: %@", error); + XCTAssertNotNil(info, @"preflight info should not be nil: %@", error); + XCTAssertNotNil(info.bottleID, @"bottleID 
should not be nil: %@", error); + XCTAssertNotNil(info.escrowedSigningSPKI, @"signingPubKey should be nil: %@", error); + + OTBottledPeerRecord* bprecord = [self.localStore readLocalBottledPeerRecordWithRecordID:info.bottleID error:&error]; + XCTAssertNotNil(bprecord, @"bprecord should not be nil: %@", error); + + XCTAssertTrue([self.context.cloudStore uploadBottledPeerRecord:bprecord escrowRecordID:info.bottleID error:&error], @"launch should succeed"); + XCTAssertNil(error, @"error should be nil: %@", error); + + [self waitForCKModifications]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self releaseCloudKitFetchHold]; + + NSArray* list = [self.context.cloudStore retrieveListOfEligibleEscrowRecordIDs:&error]; + XCTAssertNotNil(list, @"list should not be nil"); + XCTAssertTrue([list count] > 0, @"list of escrow record ids should not be empty"); +} + +- (nullable OTIdentity *)currentIdentity:(NSError**)error { + + return [[OTIdentity alloc]initWithPeerID:@"ego peer id" spID:@"sos peer id" peerSigningKey:self.peerSigningKey peerEncryptionkey:self.peerEncryptionKey error:error]; +} + +@end +#endif + diff --git a/keychain/ot/tests/OTEscrowKeyTests.m b/keychain/ot/tests/OTEscrowKeyTests.m new file mode 100644 index 00000000..cd1954e7 --- /dev/null +++ b/keychain/ot/tests/OTEscrowKeyTests.m 
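Review bot: In `testScrubbing` the final check `XCTAssertTrue([list count] == 0, …)` also passes when `retrieveListOfEligibleEscrowRecordIDs:` hands back nil, because messaging nil yields 0, and `error` is not inspected after that call. If the method returns nil on failure, the test cannot tell a scrubbed record from a failed lookup; assert the call first with `XCTAssertNotNil(list, @"list should not be nil: %@", error);` and `XCTAssertNil(error, @"error should be nil: %@", error);`. The test also never uploads a record and queries `self.context.cloudStore` while its message says "localstore", so it is worth confirming that the list would be non-empty before the scrub. Several messages in this file contradict their assertion, for example `XCTAssertNotNil(info.escrowedSigningSPKI, @"signingPubKey should be nil: %@", error)` and the `info.bottleID` checks labelled "escrowRecordID", which will mislead whoever reads a failure.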
@@ -0,0 +1,153 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if OCTAGON + +#import +#import +#import +#import "keychain/ot/OTEscrowKeys.h" +#import "keychain/ckks/CKKS.h" +#import "OTTestsBase.h" + +static NSString* const testDSID = @"123456789"; + +static const uint8_t signingKey_384[] = { + 0x04, 0xe4, 0x1b, 0x3e, 0x88, 0x81, 0x9f, 0x3b, 0x80, 0xd0, 0x28, 0x1c, + 0xd9, 0x07, 0xa0, 0x8c, 0xa1, 0x89, 0xa8, 0x3b, 0x69, 0x91, 0x17, 0xa7, + 0x1f, 0x00, 0x31, 0x91, 0x82, 0x89, 0x1f, 0x5c, 0x44, 0x2d, 0xd6, 0xa8, + 0x22, 0x1f, 0x22, 0x7d, 0x27, 0x21, 0xf2, 0xc9, 0x75, 0xf2, 0xda, 0x41, + 0x61, 0x55, 0x29, 0x11, 0xf7, 0x71, 0xcf, 0x66, 0x52, 0x2a, 0x27, 0xfe, + 0x77, 0x1e, 0xd4, 0x3d, 0xfb, 0xbc, 0x59, 0xe4, 0xed, 0xa4, 0x79, 0x2a, + 0x9b, 0x73, 0x3e, 0xf4, 0xf4, 0xe3, 0xaf, 0xf2, 0x8d, 0x34, 0x90, 0x92, + 0x47, 0x53, 0xd0, 0x34, 0x1e, 0x49, 0x87, 0xeb, 0x11, 0x89, 0x0f, 0x9c, + 0xa4, 0x99, 0xe8, 0x4f, 0x39, 0xbe, 0x21, 0x94, 0x88, 0xba, 0x4c, 0xa5, + 0x6a, 0x60, 0x1c, 0x2f, 0x77, 0x80, 0xd2, 0x73, 0x14, 0x33, 0x46, 0x5c, + 0xda, 0xee, 
0x13, 0x8a, 0x3a, 0xdb, 0x4e, 0x05, 0x4d, 0x0f, 0x6d, 0x96, + 0xcd, 0x28, 0xab, 0x52, 0x4c, 0x12, 0x2b, 0x79, 0x80, 0xfe, 0x9a, 0xe4, + 0xf4 +}; + +static const uint8_t encryptionKey_384[] = { + 0x04, 0x99, 0xf9, 0x9a, 0x9b, 0x48, 0xe2, 0xf8, 0x69, 0xd3, 0xf9, 0x60, + 0xa0, 0xf4, 0x86, 0xda, 0xb3, 0x35, 0x3d, 0x97, 0x7d, 0xc3, 0xf4, 0x13, + 0x24, 0x78, 0x06, 0x10, 0xd5, 0x46, 0x55, 0x7a, 0x8a, 0x4d, 0x80, 0x0d, + 0x71, 0x19, 0x46, 0x4b, 0x15, 0x93, 0x36, 0xb0, 0xf4, 0x6e, 0x41, 0x30, + 0x09, 0x55, 0x25, 0x3b, 0x06, 0xdd, 0xf8, 0x85, 0xdc, 0xf2, 0x0b, 0xc7, + 0x33, 0x21, 0x99, 0x3c, 0x79, 0xa6, 0xb1, 0x0f, 0xf0, 0x55, 0xfa, 0xe8, + 0x6d, 0x3f, 0x0d, 0x57, 0x21, 0x08, 0xd2, 0x7e, 0x73, 0x4a, 0xe7, 0x4a, + 0xb3, 0xdf, 0xed, 0x86, 0x06, 0xa6, 0xf2, 0x03, 0xe6, 0x20, 0xd4, 0x82, + 0x39, 0x29, 0xcf, 0x6d, 0x76, 0x3e, 0x9a, 0xaa, 0x29, 0x4f, 0x33, 0x84, + 0x5a, 0x38, 0x50, 0x35, 0xca, 0x3f, 0x69, 0x92, 0xb1, 0xb3, 0x8b, 0x26, + 0x2b, 0xb5, 0xd6, 0x25, 0xcf, 0x2d, 0x18, 0xc4, 0x5e, 0x24, 0x34, 0xc5, + 0xcc, 0x83, 0x2f, 0xff, 0x08, 0x85, 0x0f, 0x89, 0xb5, 0xb1, 0xc1, 0x17, + 0x2a +}; + +static const uint8_t symmetricKey_384[] = { + 0x31, 0xf1, 0xe3, 0x7b, 0x76, 0x3f, 0x99, 0x65, 0x74, 0xab, 0xe8, 0x2b, + 0x8f, 0x06, 0x78, 0x57, 0x1b, 0xaa, 0x07, 0xb3, 0xab, 0x79, 0x81, 0xcb, + 0xc5, 0x89, 0x1e, 0x78, 0x28, 0x8d, 0x8e, 0x36 +}; + +@interface UnitTestEscrowKeys : OTTestsBase + +@end + +@implementation UnitTestEscrowKeys + +- (void)setUp +{ + [super setUp]; + NSError *error = nil; + + self.continueAfterFailure = NO; + NSString* secretString = @"I'm a secretI'm a secretI'm a secretI'm a secretI'm a secretI'm a secret"; + + self.secret = [[NSData alloc]initWithBytes:[secretString UTF8String] length:[secretString length]]; + self.escrowKeys = [[OTEscrowKeys alloc]initWithSecret:self.secret dsid:testDSID error:&error]; + + XCTAssertNil(error, @"error should be initialized"); + XCTAssertNotNil(self.escrowKeys, @"escrow keys should be initialized"); +} + +- (void)tearDown +{ + 
[super tearDown]; +} + +-(void) testEscrowKeyAllocations +{ + XCTAssertNotNil(self.escrowKeys.symmetricKey, @"escrowed symmetric key pair should not be nil"); + XCTAssertNotNil(self.escrowKeys.secret, @"escrowed secret should not be nil"); + XCTAssertNotNil(self.escrowKeys.dsid, @"account dsid should not be nil"); + XCTAssertNotNil(self.escrowKeys.signingKey, @"escrowed signing key should not be nil"); + XCTAssertNotNil(self.escrowKeys.encryptionKey, @"escrowed encryption key should not be nil"); +} +-(void) testEscrowKeyTestVectors +{ + NSError* error = nil; + + //test vectors + NSData* testv1 = [OTEscrowKeys generateEscrowKey:kOTEscrowKeySigning masterSecret:self.secret dsid:testDSID error:&error]; + NSData* signingFromBytes = [[NSData alloc] initWithBytes:signingKey_384 length:sizeof(signingKey_384)]; + XCTAssertTrue([testv1 isEqualToData:signingFromBytes], @"signing keys should match"); + + NSData* testv2 = [OTEscrowKeys generateEscrowKey:kOTEscrowKeyEncryption masterSecret:self.secret dsid:testDSID error:&error]; + NSData* encryptionFromBytes = [[NSData alloc] initWithBytes:encryptionKey_384 length:sizeof(encryptionKey_384)]; + XCTAssertTrue([testv2 isEqualToData:encryptionFromBytes], @"encryption keys should match"); + + NSData* testv3 = [OTEscrowKeys generateEscrowKey:kOTEscrowKeySymmetric masterSecret:self.secret dsid:testDSID error:&error]; + NSData* symmetricKeyFromBytes = [[NSData alloc]initWithBytes:symmetricKey_384 length:sizeof(symmetricKey_384)]; + XCTAssertTrue([testv3 isEqualToData:symmetricKeyFromBytes], @"symmetric keys should match"); + + NSString* newSecretString = @"I'm f secretI'm a secretI'm a secretI'm a secretI'm a secretI'm a secret"; + NSData* newSecret = [[NSData alloc]initWithBytes:[newSecretString UTF8String] length:[newSecretString length]]; + + NSData* testv4 = [OTEscrowKeys generateEscrowKey:kOTEscrowKeySigning masterSecret:newSecret dsid:testDSID error:&error]; + XCTAssertFalse([testv4 isEqualToData:signingFromBytes], @"signing 
keys should not match"); + + NSData* testv5 = [OTEscrowKeys generateEscrowKey:kOTEscrowKeyEncryption masterSecret:newSecret dsid:testDSID error:&error]; + XCTAssertFalse([testv5 isEqualToData:encryptionFromBytes], @"encryption keys should not match"); + + NSData* testv6 = [OTEscrowKeys generateEscrowKey:kOTEscrowKeySymmetric masterSecret:newSecret dsid:testDSID error:&error]; + XCTAssertFalse([testv6 isEqualToData:symmetricKeyFromBytes], @"symmetric keys should not match"); +} + +-(void) testEmptyArguments +{ + NSError* error = nil; + OTEscrowKeys* newSet = [[OTEscrowKeys alloc] initWithSecret:[NSData data] dsid:testDSID error:&error]; + XCTAssertNotNil(error, @"error should be initialized"); + XCTAssertNil(newSet, @"escrow keys should not be initialized"); + + newSet = [[OTEscrowKeys alloc] initWithSecret:self.secret dsid:[NSString string] error:&error]; + XCTAssertNotNil(error, @"error should be initialized"); + XCTAssertNil(newSet, @"escrow keys should not be initialized"); +} + + +@end + +#endif /* OCTAGON */ + diff --git a/keychain/ot/tests/OTLocalStoreTests.m b/keychain/ot/tests/OTLocalStoreTests.m new file mode 100644 index 00000000..1fe81114 --- /dev/null +++ b/keychain/ot/tests/OTLocalStoreTests.m 
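Review bot: In `testEmptyArguments`, `error` is not reset between the two `initWithSecret:dsid:error:` calls, so the second `XCTAssertNotNil(error, …)` is satisfied by the error left over from the empty-secret case and does not show that the empty-dsid path reports an error; add `error = nil;` before the second call. The negative checks in `testEscrowKeyTestVectors` are similarly weak: `XCTAssertFalse([testv4 isEqualToData:signingFromBytes], …)` passes when `generateEscrowKey:` returns nil, and `error` is never inspected in that test. Each derived value should first get a check such as `XCTAssertNotNil(testv4, @"derivation should succeed: %@", error);`. In `setUp`, `length:[secretString length]` counts UTF-16 units rather than UTF-8 bytes; that is correct for this ASCII secret, but `[secretString dataUsingEncoding:NSUTF8StringEncoding]` avoids the mismatch, and the message on `XCTAssertNil(error, @"error should be initialized")` says the opposite of what is asserted.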
@@ -0,0 +1,266 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if OCTAGON + +#import "OTTestsBase.h" + +/* Octagon Trust Local Context Record Constants */ +static NSString* OTCKRecordContextID = @"contextID"; +static NSString* OTCKRecordDSID = @"accountDSID"; +static NSString* OTCKRecordContextName = @"contextName"; +static NSString* OTCKRecordZoneCreated = @"zoneCreated"; +static NSString* OTCKRecordSubscribedToChanges = @"subscribedToChanges"; +static NSString* OTCKRecordChangeToken = @"changeToken"; +static NSString* OTCKRecordEgoPeerID = @"egoPeerID"; +static NSString* OTCKRecordEgoPeerCreationDate = @"egoPeerCreationDate"; +static NSString* OTCKRecordRecoverySigningSPKI = @"recoverySigningSPKI"; +static NSString* OTCKRecordRecoveryEncryptionSPKI = @"recoveryEncryptionSPKI"; +static NSString* OTCKRecordBottledPeerTableEntry = @"bottledPeer"; + +/* Octagon Trust Local Peer Record */ +static NSString* OTCKRecordPeerID = @"peerID"; +static NSString* OTCKRecordPermanentInfo = @"permanentInfo"; +static NSString* OTCKRecordStableInfo = 
@"stableInfo"; +static NSString* OTCKRecordDynamicInfo = @"dynamicInfo"; +static NSString* OTCKRecordRecoveryVoucher = @"recoveryVoucher"; +static NSString* OTCKRecordIsEgoPeer = @"isEgoPeer"; + +/* Octagon Trust BottledPeerSchema */ +static NSString* OTCKRecordEscrowRecordID = @"escrowRecordID"; +static NSString* OTCKRecordRecordID = @"bottledPeerRecordID"; +static NSString* OTCKRecordSPID = @"spID"; +static NSString* OTCKRecordEscrowSigningSPKI = @"escrowSigningSPKI"; +static NSString* OTCKRecordPeerSigningSPKI = @"peerSigningSPKI"; +static NSString* OTCKRecordEscrowSigningPubKey = @"escrowSigningPubKey"; +static NSString* OTCKRecordPeerSigningPubKey = @"peerSigningPubKey"; +static NSString* OTCKRecordSignatureFromEscrow = @"signatureUsingEscrow"; +static NSString* OTCKRecordSignatureFromPeerKey = @"signatureUsingPeerKey"; +static NSString* OTCKRecordBottle = @"bottle"; + +static NSString* const testDSID = @"123456789"; + +@interface UnitTestOTLocalStore : OTTestsBase +@end + +@implementation UnitTestOTLocalStore + +- (void)setUp +{ + [super setUp]; + + self.continueAfterFailure = NO; +} + +- (void)tearDown +{ + [super tearDown]; +} + +-(void)testDBConnection +{ + NSError* error = nil; + + XCTAssertTrue([self.localStore closeDBWithError:&error], @"failed attempt at closing the db"); + XCTAssertNil(error, @"error should be nil:%@", error); + + XCTAssertTrue([self.localStore openDBWithError:&error], @"could not open db"); + XCTAssertNil(error, @"error should be nil:%@", error); + + XCTAssertTrue([self.localStore closeDBWithError:&error], @"failed attempt at closing the db"); + XCTAssertNil(error, @"error should be nil:%@", error); + + XCTAssertTrue([self.localStore openDBWithError:&error], @"could not open db"); + XCTAssertNil(error, @"error should be nil:%@", error); +} + +-(void) testDBLocalContextRetrieval +{ + NSString* contextAndDSID = [NSString stringWithFormat:@"testContextRetreival-%@", testDSID]; + _SFECKeyPair *recoverySigningPublicKey = [[SFECKeyPair 
alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]]; + _SFECKeyPair *recoveryEncryptionPublicKey = [[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]]; + + NSError* error = nil; + NSDictionary *attributes = @{ + OTCKRecordContextID : @"testContextRetreival", + OTCKRecordDSID : testDSID, + OTCKRecordContextName : @"newFoo", + OTCKRecordZoneCreated : @(NO), + OTCKRecordSubscribedToChanges : @(NO), + OTCKRecordChangeToken : [NSData data], + OTCKRecordEgoPeerID : @"OctagonPeerID", + OTCKRecordEgoPeerCreationDate : [NSDate date], + OTCKRecordRecoverySigningSPKI : [[recoverySigningPublicKey publicKey] keyData], + OTCKRecordRecoveryEncryptionSPKI :[[recoveryEncryptionPublicKey publicKey] keyData]}; + + XCTAssertTrue([self.localStore insertLocalContextRecord:attributes error:&error], @"inserting new context failed"); + XCTAssertNil(error, @"error should be nil:%@", error); + + OTContextRecord* record = [self.localStore readLocalContextRecordForContextIDAndDSID:contextAndDSID error:&error]; + XCTAssertNotNil(record, @"fetching attributes returned nil"); + XCTAssertNotNil(record.contextID, @"fetching attributes returned nil"); + XCTAssertNotNil(record.contextName, @"fetching attributes returned nil"); + XCTAssertNotNil(record.dsid, @"fetching attributes returned nil"); + XCTAssertNotNil(record.egoPeerCreationDate, @"fetching attributes returned nil"); + XCTAssertNotNil(record.egoPeerID, @"fetching attributes returned nil"); + XCTAssertNotNil(record.recoveryEncryptionSPKI, @"fetching attributes returned nil"); + XCTAssertNotNil(record.recoverySigningSPKI, @"fetching attributes returned nil"); + + XCTAssertNil(error, @"failed to read local context for test local store"); + + OTContextRecord* recordToTestEquality = [[OTContextRecord alloc]init]; + recordToTestEquality.contextName = @"newFoo"; + recordToTestEquality.contextID = @"testContextRetreival"; + 
recordToTestEquality.dsid = testDSID; + recordToTestEquality.contextName = @"newFoo"; + recordToTestEquality.egoPeerID = @"OctagonPeerID"; + recordToTestEquality.recoveryEncryptionSPKI = [[recoveryEncryptionPublicKey publicKey] keyData]; + recordToTestEquality.recoverySigningSPKI = [[recoverySigningPublicKey publicKey] keyData]; + + OTContextRecord* recordFromDB = [self.localStore readLocalContextRecordForContextIDAndDSID:contextAndDSID error:&error]; + XCTAssertTrue([recordFromDB isEqual:recordToTestEquality], @"OTContext should be equal"); +} + +-(void) testDBMultipleContexts +{ + NSError* error = nil; + NSString* newFooContextAndDSID = [NSString stringWithFormat:@"newFoo-%@", testDSID]; + + _SFECKeyPair *recoverySigningPublicKey = [[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]]; + _SFECKeyPair *recoveryEncryptionPublicKey = [[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]]; + NSDictionary *attributes = @{ + OTCKRecordContextID : @"newFoo", + OTCKRecordContextName : @"newFoo", + OTCKRecordDSID : testDSID, + OTCKRecordZoneCreated : @(NO), + OTCKRecordSubscribedToChanges : @(NO), + OTCKRecordChangeToken : [NSData data], + OTCKRecordEgoPeerID : @"OctagonPeerID", + OTCKRecordEgoPeerCreationDate : [NSDate date], + OTCKRecordRecoverySigningSPKI : [[recoverySigningPublicKey publicKey] keyData], // FIXME not SPKI + OTCKRecordRecoveryEncryptionSPKI : [[recoveryEncryptionPublicKey publicKey] keyData]}; + + + XCTAssertTrue([self.localStore insertLocalContextRecord:attributes error:&error], @"inserting new context failed"); + XCTAssertNil(error, @"error should be nil:%@", error); + + NSString* foo2ContextAndDSID = [NSString stringWithFormat:@"Foo2-%@", testDSID]; + attributes = @{ + OTCKRecordContextID : @"Foo2", + OTCKRecordContextName : @"Foo2", + OTCKRecordDSID : testDSID, + OTCKRecordZoneCreated : @(NO), + OTCKRecordSubscribedToChanges 
: @(NO), + OTCKRecordChangeToken : [NSData data], + OTCKRecordEgoPeerID : @"OctagonPeerID2", + OTCKRecordEgoPeerCreationDate : [NSDate date], + OTCKRecordRecoverySigningSPKI : [[recoverySigningPublicKey publicKey] keyData], // FIXME not SPKI + OTCKRecordRecoveryEncryptionSPKI :[[recoveryEncryptionPublicKey publicKey] keyData]}; + + XCTAssertTrue([self.localStore insertLocalContextRecord:attributes error:&error], @"inserting new context failed"); + XCTAssertNil(error, @"error should be nil:%@", error); + + OTContextRecord* recordNewFoo = [self.localStore readLocalContextRecordForContextIDAndDSID:newFooContextAndDSID error:&error]; + + XCTAssertNotNil(recordNewFoo, @"fetching attributes returned nil"); + XCTAssertNotNil(recordNewFoo.contextID, @"fetching attributes returned nil"); + XCTAssertNotNil(recordNewFoo.contextName, @"fetching attributes returned nil"); + XCTAssertNotNil(recordNewFoo.dsid, @"fetching attributes returned nil"); + XCTAssertNotNil(recordNewFoo.egoPeerCreationDate, @"fetching attributes returned nil"); + XCTAssertNotNil(recordNewFoo.egoPeerID, @"fetching attributes returned nil"); + XCTAssertNotNil(recordNewFoo.recoveryEncryptionSPKI, @"fetching attributes returned nil"); + XCTAssertNotNil(recordNewFoo.recoverySigningSPKI, @"fetching attributes returned nil"); + + XCTAssertNil(error, @"failed to read local context for test local store"); + + OTContextRecord* recordFoo2 = [self.localStore readLocalContextRecordForContextIDAndDSID:foo2ContextAndDSID error:&error]; + + XCTAssertNotNil(recordFoo2, @"fetching attributes returned nil"); + XCTAssertNotNil(recordFoo2.contextID, @"fetching attributes returned nil"); + XCTAssertNotNil(recordFoo2.contextName, @"fetching attributes returned nil"); + XCTAssertNotNil(recordFoo2.dsid, @"fetching attributes returned nil"); + XCTAssertNotNil(recordFoo2.egoPeerCreationDate, @"fetching attributes returned nil"); + XCTAssertNotNil(recordFoo2.egoPeerID, @"fetching attributes returned nil"); + 
XCTAssertNotNil(recordFoo2.recoveryEncryptionSPKI, @"fetching attributes returned nil"); + XCTAssertNotNil(recordFoo2.recoverySigningSPKI, @"fetching attributes returned nil"); + XCTAssertNil(error, @"failed to read local context for test local store"); + +} + +-(void) testRowUpdates +{ + NSError* error = nil; + NSString* escrowRecordID = @"escrow record 1"; + NSString* escrowRecordID2 = @"escrow record 2"; + NSString* escrowRecordID3 = @"escrow record 3"; + + OTBottledPeerRecord* record = [[OTBottledPeerRecord alloc]init]; + OTBottledPeerRecord* record2 = [[OTBottledPeerRecord alloc]init]; + OTBottledPeerRecord* record3 = [[OTBottledPeerRecord alloc]init]; + + record.escrowRecordID = escrowRecordID; + record2.escrowRecordID = escrowRecordID2; + record3.escrowRecordID = escrowRecordID3; + + record.escrowedSigningSPKI = [@"escrowedSigingSPKI" dataUsingEncoding:kCFStringEncodingUTF8]; + record2.escrowedSigningSPKI = [@"escrowedSigingSPI" dataUsingEncoding:kCFStringEncodingUTF8]; + record3.escrowedSigningSPKI = [@"escrowedSigingSPKI" dataUsingEncoding:kCFStringEncodingUTF8]; + + XCTAssertTrue([self.localStore insertBottledPeerRecord:record escrowRecordID:escrowRecordID error:&error]); + XCTAssertNil(error, @"error should be nil:%@", error); + + XCTAssertTrue([self.localStore insertBottledPeerRecord:record2 escrowRecordID:escrowRecordID2 error:&error]); + XCTAssertNil(error, @"error should be nil:%@", error); + + XCTAssertTrue([self.localStore insertBottledPeerRecord:record3 escrowRecordID:escrowRecordID3 error:&error]); + XCTAssertNil(error, @"error should be nil:%@", error); + + + OTBottledPeerRecord *bp = [self.localStore readLocalBottledPeerRecordWithRecordID:record.recordName error:&error]; + XCTAssertNotNil(bp); + XCTAssertNil(error, @"error should be nil:%@", error); + + OTBottledPeerRecord *bp2 = [self.localStore readLocalBottledPeerRecordWithRecordID:record2.recordName error:&error]; + XCTAssertNotNil(bp2); + XCTAssertNil(error, @"error should be nil:%@", 
error); + + OTBottledPeerRecord *bp3 = [self.localStore readLocalBottledPeerRecordWithRecordID:record3.recordName error:&error]; + XCTAssertNotNil(bp3); + XCTAssertNil(error, @"error should be nil:%@", error); + + XCTAssertTrue([self.localStore updateLocalContextRecordRowWithContextID:self.localStore.contextID columnName:OTCKRecordContextName newValue:(void*)@"SuperSuperFoo" error:&error], @"could not update column:%@ with value:%@", OTCKRecordContextName, @"SuperSuperFoo"); + XCTAssertNil(error, @"error should be nil:%@", error); + + XCTAssertTrue([self.localStore updateLocalContextRecordRowWithContextID:self.localStore.contextID columnName:OTCKRecordEgoPeerID newValue:(void*)@"NewPeerID" error:&error], @"could not update column:%@ with value:%@", OTCKRecordEgoPeerID, @"NewPeerID"); + XCTAssertNil(error, @"error should be nil:%@", error); + + XCTAssertTrue([self.localStore updateLocalContextRecordRowWithContextID:self.localStore.contextID columnName:OTCKRecordRecoverySigningSPKI newValue:(void*)[[NSData alloc]initWithBase64EncodedString:@"I'm a string" options:NSDataBase64DecodingIgnoreUnknownCharacters] error:&error], @"could not update column:%@ with value:%@", OTCKRecordContextName, @"NewPeerID"); + XCTAssertNil(error, @"error should be nil:%@", error); + + XCTAssertFalse([self.localStore updateLocalContextRecordRowWithContextID:self.localStore.contextID columnName:@"ColumnName" newValue:(void*)@"value" error:&error], @"could not update column:%@ with value:%@", @"ColumnName", @"value"); + XCTAssertNotNil(error, @"error should not be nil: %@", error); +} + +@end + +#endif /* OCTAGON */ diff --git a/keychain/ot/tests/OTLockStateNetworkingTests.m b/keychain/ot/tests/OTLockStateNetworkingTests.m new file mode 100644 index 00000000..b1fd55f1 --- /dev/null +++ b/keychain/ot/tests/OTLockStateNetworkingTests.m 
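Review bot: In `testRowUpdates`, `dataUsingEncoding:kCFStringEncodingUTF8` passes a CFStringEncoding constant where `-[NSString dataUsingEncoding:]` expects an NSStringEncoding; the two enumerations use different values, so the three `escrowedSigningSPKI` fields are probably not the UTF-8 bytes intended and may be nil, which would make the deliberately different `record2` value indistinguishable. Use `dataUsingEncoding:NSUTF8StringEncoding`. Further down, `initWithBase64EncodedString:@"I'm a string"` is not Base64 input and likely yields nil, so the `OTCKRecordRecoverySigningSPKI` update may be exercising a nil `newValue`; its failure message also names `OTCKRecordContextName` and `@"NewPeerID"`, apparently copied from the lines above. None of the values read back (`bp`, `bp2`, `bp3`, or the updated columns) are compared with what was written, so the test confirms only that the calls report success.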
@@ -0,0 +1,654 @@
+/*
+* Copyright (c) 2017 Apple Inc. All Rights Reserved.
+*
+* @APPLE_LICENSE_HEADER_START@
+*
+* This file contains Original Code and/or Modifications of Original Code
+* as defined in and that are subject to the Apple Public Source License
+* Version 2.0 (the 'License'). You may not use this file except in
+* compliance with the License. Please obtain a copy of the License at
+* http://www.opensource.apple.com/apsl/ and read it before using this
+* file.
+*
+* The Original Code and all software distributed under the License are
+* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+* Please see the License for the specific language governing rights and
+* limitations under the License.
+*
+* @APPLE_LICENSE_HEADER_END@
+*/
+
+#if OCTAGON
+
+#import
+
+#import
+#import
+
+#import "OTTestsBase.h"
+
+static NSString* const testContextID = @"Foo";
+static NSString* const testDSID = @"123456789";
+
+static NSString* OTCKRecordBottledPeerType = @"OTBottledPeer";
+/* Octagon Trust BottledPeerSchema */
+static NSString* OTCKRecordEscrowRecordID = @"escrowRecordID";
+static NSString* OTCKRecordRecordID = @"bottledPeerRecordID";
+static NSString* OTCKRecordSPID = @"spID";
+static NSString* OTCKRecordEscrowSigningSPKI = @"escrowSigningSPKI";
+static NSString* OTCKRecordPeerSigningSPKI = @"peerSigningSPKI";
+static NSString* OTCKRecordEscrowSigningPubKey = @"escrowSigningPubKey";
+static NSString* OTCKRecordPeerSigningPubKey = @"peerSigningPubKey";
+static NSString* OTCKRecordSignatureFromEscrow = @"signatureUsingEscrow";
+static NSString* OTCKRecordSignatureFromPeerKey = @"signatureUsingPeerKey";
+static NSString* OTCKRecordBottle = @"bottle";
+
+static NSString* OTCKRecordPeerID = @"peerID";
+
+@interface
OTLockStateNetworkingTests : OTTestsBase +@property (nonatomic, strong) OTBottledPeerRecord* fakeBottledPeerRecord; +@end + +@implementation OTLockStateNetworkingTests + +- (void)setUp { + [super setUp]; + + self.continueAfterFailure = NO; + NSError* error = nil; + + OTBottledPeer *bp = [[OTBottledPeer alloc]initWithPeerID:self.egoPeerID spID:self.sosPeerID peerSigningKey:self.peerSigningKey peerEncryptionKey:self.peerEncryptionKey escrowKeys:self.escrowKeys error:&error]; + + XCTAssertNotNil(bp, @"plaintext should not be nil"); + XCTAssertNil(error, @"error should be nil"); + XCTAssertNotNil(self.escrowKeys.signingKey, @"signing public key should not be nil"); + XCTAssertNotNil(self.escrowKeys.encryptionKey, @"encryption public key should not be nil"); + + OTBottledPeerSigned *bpSigned = [[OTBottledPeerSigned alloc]initWithBottledPeer:bp escrowedSigningKey:self.escrowKeys.signingKey peerSigningKey:self.peerSigningKey error:&error]; + + self.fakeBottledPeerRecord = [bpSigned asRecord:self.sosPeerID]; + + [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. 
+ +} + +- (void)tearDown { + + [super tearDown]; +} + +//Bottle Check tests + +-(void) testGrabbingBottleLocallyCheckPerfectConditions +{ + [self setUpRampRecordsInCloudKitWithFeatureOn]; + [self startCKKSSubsystem]; + + __block NSData* localEntropy = nil; + __block NSString* localBottleID = nil; + + self.spiBlockExpectation = [self expectationWithDescription:@"preflight bottled peer fired"]; + + [self.otControl preflightBottledPeer:testContextID + dsid:testDSID + reply:^(NSData * _Nullable entropy, NSString * _Nullable bottleID, NSData * _Nullable signingPublicKey, NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + localEntropy = entropy; + localBottleID = bottleID; + XCTAssertNotNil(entropy, "entropy should not be nil"); + XCTAssertNotNil(bottleID, "bottle id should not be nil"); + XCTAssertNotNil(signingPublicKey, "signing pub key should not be nil"); + XCTAssertNil(error, "error should be nil"); + }]; + [self waitForExpectationsWithTimeout:1.0 handler:nil]; + + self.spiBlockExpectation = [self expectationWithDescription:@"launch bottled peer fired"]; + + NSMutableDictionary* recordDictionary = [NSMutableDictionary dictionaryWithObjectsAndKeys:[[NSNumber alloc] initWithInt:1], OTCKRecordBottledPeerType, nil]; + + [self expectAddedCKModifyRecords:recordDictionary holdFetch:NO]; + + [self.otControl launchBottledPeer:testContextID bottleID:localBottleID reply:^(NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertNil(error, "error should be nil"); + }]; + + [self waitForExpectationsWithTimeout:1.0 handler:nil]; + + NSError* localError = nil; + XCTAssertTrue([self.context doesThisDeviceHaveABottle:&localError] == BOTTLE, @"should have a bottle"); + XCTAssertNil(localError, "error should be nil"); +} + +-(void) testGrabbingBottleFromCloudKitCheckPerfectConditions +{ + [self setUpRampRecordsInCloudKitWithFeatureOn]; + + CKRecord* newRecord = [[CKRecord alloc]initWithRecordType:OTCKRecordBottledPeerType]; + 
newRecord[OTCKRecordPeerID] = self.fakeBottledPeerRecord.peerID; + newRecord[OTCKRecordSPID] = @"spID"; + newRecord[OTCKRecordEscrowSigningSPKI] = self.fakeBottledPeerRecord.escrowedSigningSPKI; + newRecord[OTCKRecordPeerSigningSPKI] = self.fakeBottledPeerRecord.peerSigningSPKI; + newRecord[OTCKRecordEscrowRecordID] = self.fakeBottledPeerRecord.escrowRecordID; + newRecord[OTCKRecordBottle] = self.fakeBottledPeerRecord.bottle; + newRecord[OTCKRecordSignatureFromEscrow] = self.fakeBottledPeerRecord.signatureUsingEscrowKey; + newRecord[OTCKRecordSignatureFromPeerKey] = self.fakeBottledPeerRecord.signatureUsingPeerKey; + + [self.otFakeZone addToZone:newRecord]; + + [self startCKKSSubsystem]; + + NSError* localError = nil; + XCTAssertTrue([self.context doesThisDeviceHaveABottle:&localError] == BOTTLE, @"should have a bottle"); + XCTAssertNil(localError, "error should be nil"); +} + +-(void) testBottleCheckWhenLocked +{ + NSError* error = nil; + self.aksLockState = true; + [self.lockStateTracker recheck]; + [self setUpRampRecordsInCloudKitWithFeatureOff]; + + XCTAssertTrue([self.context doesThisDeviceHaveABottle:&error] == UNCLEAR, @"bottle check should return unclear"); + + XCTAssertNotNil(error, "error should not be nil"); + XCTAssertTrue(error.code == -25308, @"error should be interaction not allowed"); +} + +-(void) testBottleCheckWithNoNetwork +{ + NSError* error = nil; + self.accountStatus = CKAccountStatusAvailable; + [self startCKKSSubsystem]; + + [self.accountStateTracker notifyCKAccountStatusChangeAndWaitForSignal]; + + self.reachabilityFlags = 0; + [self.reachabilityTracker recheck]; + XCTAssertTrue([self.context doesThisDeviceHaveABottle:&error] == UNCLEAR, @"bottle check should return unclear"); + XCTAssertTrue(error.code == OTErrorNoNetwork, @"should have returned no network error"); +} + +-(void) testBottleCheckWhenNotSignedIn +{ + NSError* error = nil; + + self.accountStatus = CKAccountStatusNoAccount; + [self startCKKSSubsystem]; + + 
[self.accountStateTracker notifyCKAccountStatusChangeAndWaitForSignal]; + + XCTAssertTrue([self.context doesThisDeviceHaveABottle:&error] == UNCLEAR, @"bottle check should return unclear"); + XCTAssertTrue(error.code == OTErrorNotSignedIn, @"should have returned not signed in error"); +} + + +//Preflight tests +-(void)testPreflightNotSignedIn +{ + self.spiBlockExpectation = [self expectationWithDescription:@"preflight bottled peer fired"]; + + [self setUpRampRecordsInCloudKitWithFeatureOn]; + + self.accountStatus = CKAccountStatusNoAccount; + + [self startCKKSSubsystem]; + + [self.accountStateTracker notifyCKAccountStatusChangeAndWaitForSignal]; + + [self.otControl preflightBottledPeer:testContextID + dsid:testDSID + reply:^(NSData * _Nullable entropy, NSString * _Nullable bottleID, NSData * _Nullable signingPublicKey, NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertNil(entropy, "entropy should not be nil"); + XCTAssertNil(bottleID, "bottle id should not be nil"); + XCTAssertNil(signingPublicKey, "signing pub key should not be nil"); + XCTAssertTrue(error.code == OTErrorNotSignedIn, @"should have returned not signed in error"); + }]; + + [self waitForExpectationsWithTimeout:1.0 handler:nil]; + +} + +-(void) testPreflightWithNoNetwork +{ + self.accountStatus = CKAccountStatusAvailable; + [self startCKKSSubsystem]; + + [self.accountStateTracker notifyCKAccountStatusChangeAndWaitForSignal]; + + self.reachabilityFlags = 0; + [self.reachabilityTracker recheck]; + + [self.otControl preflightBottledPeer:testContextID + dsid:testDSID + reply:^(NSData * _Nullable entropy, NSString * _Nullable bottleID, NSData * _Nullable signingPublicKey, NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertNil(entropy, "entropy should not be nil"); + XCTAssertNil(bottleID, "bottle id should not be nil"); + XCTAssertNil(signingPublicKey, "signing pub key should not be nil"); + XCTAssertTrue(error.code == OTErrorNoNetwork, @"should have 
returned OTErrorNoNetwork in error"); + }]; + +} + +-(void) testPreflightWhenLocked +{ + self.aksLockState = true; + [self.lockStateTracker recheck]; + + [self.otControl preflightBottledPeer:testContextID + dsid:testDSID + reply:^(NSData * _Nullable entropy, NSString * _Nullable bottleID, NSData * _Nullable signingPublicKey, NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertNil(entropy, "entropy should not be nil"); + XCTAssertNil(bottleID, "bottle id should not be nil"); + XCTAssertNil(signingPublicKey, "signing pub key should not be nil"); + XCTAssertTrue(error.code == errSecInteractionNotAllowed, @"should have returned errSecInteractionNotAllowed in error"); + }]; +} + +//Launch Bottle tests +-(void)testLaunchNotSignedIn +{ + [self setUpRampRecordsInCloudKitWithFeatureOn]; + + self.accountStatus = CKAccountStatusNoAccount; + + [self startCKKSSubsystem]; + + [self.enroll.accountTracker notifyCKAccountStatusChangeAndWaitForSignal]; + [self.context.accountTracker notifyCKAccountStatusChangeAndWaitForSignal]; + + self.spiBlockExpectation = [self expectationWithDescription:@"preflight bottled peer fired"]; + + [self.otControl preflightBottledPeer:OTDefaultContext + dsid:@"dsid" + reply:^(NSData * _Nullable entropy, NSString * _Nullable bottleID, NSData * _Nullable signingPublicKey, NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertNil(entropy, "shouldn't return any entropy"); + XCTAssertNil(bottleID, "shouldn't return a bottle ID"); + XCTAssertNil(signingPublicKey, "shouldn't return a signingPublicKey"); + XCTAssertTrue(error.code == OTErrorNotSignedIn, "should return a OTErrorNotSignedIn error"); + }]; + [self waitForCKModifications]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForExpectationsWithTimeout:1.0 handler:nil]; + + self.spiBlockExpectation = [self expectationWithDescription:@"launch SPI fired"]; + self.expectation = [self expectationWithDescription:@"ramp scheduler fired"]; + + 
NSString* localBottleID = @"random bottle id"; + [self.otControl launchBottledPeer:testContextID bottleID:localBottleID reply:^(NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertTrue(error.code == OTErrorNotSignedIn, "should return a OTErrorNotSignedIn error"); + }]; + + [self waitForCKModifications]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForExpectationsWithTimeout:1.0 handler:nil]; +} + +-(void) testLaunchWithNoNetwork +{ + [self setUpRampRecordsInCloudKitWithFeatureOn]; + + self.accountStatus = CKAccountStatusAvailable; + [self startCKKSSubsystem]; + + [self.accountStateTracker notifyCKAccountStatusChangeAndWaitForSignal]; + + self.reachabilityFlags = 0; + [self.reachabilityTracker recheck]; + + [self startCKKSSubsystem]; + + self.spiBlockExpectation = [self expectationWithDescription:@"preflight bottled peer fired"]; + + [self.otControl preflightBottledPeer:OTDefaultContext + dsid:@"dsid" + reply:^(NSData * _Nullable entropy, NSString * _Nullable bottleID, NSData * _Nullable signingPublicKey, NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertNil(entropy, "shouldn't return any entropy"); + XCTAssertNil(bottleID, "shouldn't return a bottle ID"); + XCTAssertNil(signingPublicKey, "shouldn't return a signingPublicKey"); + XCTAssertTrue(error.code == OTErrorNoNetwork, "should return a OTErrorNoNetwork error"); + }]; + [self waitForCKModifications]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForExpectationsWithTimeout:1.0 handler:nil]; + + + self.spiBlockExpectation = [self expectationWithDescription:@"launch SPI fired"]; + self.expectation = [self expectationWithDescription:@"ramp scheduler fired"]; + + NSString* localBottleID = @"random bottle id"; + [self.otControl launchBottledPeer:testContextID bottleID:localBottleID reply:^(NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertTrue(error.code == OTErrorNoNetwork, "should return a OTErrorNoNetwork 
error"); + }]; + + [self waitForCKModifications]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForExpectationsWithTimeout:1.0 handler:nil]; +} + +-(void) testLaunchWhenLocked +{ + [self setUpRampRecordsInCloudKitWithFeatureOn]; + + self.aksLockState = true; + [self.lockStateTracker recheck]; + + [self startCKKSSubsystem]; + + self.spiBlockExpectation = [self expectationWithDescription:@"preflight bottled peer fired"]; + + [self.otControl preflightBottledPeer:OTDefaultContext + dsid:@"dsid" + reply:^(NSData * _Nullable entropy, NSString * _Nullable bottleID, NSData * _Nullable signingPublicKey, NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertNil(entropy, "shouldn't return any entropy"); + XCTAssertNil(bottleID, "shouldn't return a bottle ID"); + XCTAssertNil(signingPublicKey, "shouldn't return a signingPublicKey"); + XCTAssertTrue(error.code == errSecInteractionNotAllowed, "should return a errSecInteractionNotAllowed error"); + }]; + [self waitForCKModifications]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForExpectationsWithTimeout:1.0 handler:nil]; + + + self.spiBlockExpectation = [self expectationWithDescription:@"launch SPI fired"]; + self.expectation = [self expectationWithDescription:@"ramp scheduler fired"]; + + NSString* localBottleID = @"random bottle id"; + [self.otControl launchBottledPeer:testContextID bottleID:localBottleID reply:^(NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertTrue(error.code == errSecInteractionNotAllowed, "should return a errSecInteractionNotAllowed error"); + }]; + + [self waitForCKModifications]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForExpectationsWithTimeout:1.0 handler:nil]; +} + +//Scrub tests +-(void)testScrubNotSignedIn +{ + [self setUpRampRecordsInCloudKitWithFeatureOn]; + + self.accountStatus = CKAccountStatusNoAccount; + [self startCKKSSubsystem]; + + [self.accountStateTracker 
notifyCKAccountStatusChangeAndWaitForSignal]; + + self.spiBlockExpectation = [self expectationWithDescription:@"preflight bottled peer SPI fired"]; + self.expectation = [self expectationWithDescription:@"ramp scheduler fired"]; + + [self.otControl preflightBottledPeer:testContextID + dsid:testDSID + reply:^(NSData * _Nullable entropy, NSString * _Nullable bottleID, NSData * _Nullable signingPublicKey, NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertNil(entropy, "entropy should be nil"); + XCTAssertNil(bottleID, "bottle id should be nil"); + XCTAssertNil(signingPublicKey, "signing pub key should be nil"); + XCTAssertTrue(error.code == OTErrorNotSignedIn, "should return a OTErrorNotSignedIn error"); + }]; + + [self waitForExpectationsWithTimeout:1.0 handler:nil]; + + __block NSString* localBottleID = @"random bottle id"; + self.spiBlockExpectation = [self expectationWithDescription:@"scrub bottled peer SPI fired"]; + self.expectation = [self expectationWithDescription:@"ramp scheduler fired"]; + + [self.otControl scrubBottledPeer:testContextID bottleID:localBottleID reply:^(NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertTrue(error.code == OTErrorNotSignedIn, "should return a OTErrorNotSignedIn error"); + }]; + + [self waitForCKModifications]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForExpectationsWithTimeout:1.0 handler:nil]; + +} + +-(void) testScrubWithNoNetwork +{ + [self setUpRampRecordsInCloudKitWithFeatureOn]; + + self.accountStatus = CKAccountStatusAvailable; + [self startCKKSSubsystem]; + + [self.accountStateTracker notifyCKAccountStatusChangeAndWaitForSignal]; + + self.reachabilityFlags = 0; + [self.reachabilityTracker recheck]; + + self.spiBlockExpectation = [self expectationWithDescription:@"preflight bottled peer SPI fired"]; + self.expectation = [self expectationWithDescription:@"ramp scheduler fired"]; + + [self.otControl preflightBottledPeer:testContextID + dsid:testDSID + 
reply:^(NSData * _Nullable entropy, NSString * _Nullable bottleID, NSData * _Nullable signingPublicKey, NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertNil(entropy, "entropy should be nil"); + XCTAssertNil(bottleID, "bottle id should be nil"); + XCTAssertNil(signingPublicKey, "signing pub key should be nil"); + XCTAssertTrue(error.code == OTErrorNoNetwork, "should return a OTErrorNoNetwork error"); + }]; + + [self waitForExpectationsWithTimeout:1.0 handler:nil]; + + __block NSString* localBottleID = @"random bottle id"; + self.spiBlockExpectation = [self expectationWithDescription:@"scrub bottled peer SPI fired"]; + self.expectation = [self expectationWithDescription:@"ramp scheduler fired"]; + + [self.otControl scrubBottledPeer:testContextID bottleID:localBottleID reply:^(NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertTrue(error.code == OTErrorNoNetwork, "should return a OTErrorNoNetwork error"); + }]; + + [self waitForCKModifications]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForExpectationsWithTimeout:1.0 handler:nil]; +} + +-(void) testScrubWhenLocked +{ + [self setUpRampRecordsInCloudKitWithFeatureOn]; + + self.aksLockState = true; + [self.lockStateTracker recheck]; + + self.spiBlockExpectation = [self expectationWithDescription:@"preflight bottled peer SPI fired"]; + self.expectation = [self expectationWithDescription:@"ramp scheduler fired"]; + + [self.otControl preflightBottledPeer:testContextID + dsid:testDSID + reply:^(NSData * _Nullable entropy, NSString * _Nullable bottleID, NSData * _Nullable signingPublicKey, NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertNil(entropy, "entropy should be nil"); + XCTAssertNil(bottleID, "bottle id should be nil"); + XCTAssertNil(signingPublicKey, "signing pub key should be nil"); + XCTAssertTrue(error.code == errSecInteractionNotAllowed, "should return a errSecInteractionNotAllowed error"); + }]; + + [self 
waitForExpectationsWithTimeout:1.0 handler:nil]; + + __block NSString* localBottleID = @"random bottle id"; + self.spiBlockExpectation = [self expectationWithDescription:@"scrub bottled peer SPI fired"]; + self.expectation = [self expectationWithDescription:@"ramp scheduler fired"]; + + [self.otControl scrubBottledPeer:testContextID bottleID:localBottleID reply:^(NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertTrue(error.code == errSecInteractionNotAllowed, "should return a errSecInteractionNotAllowed error"); + }]; + + [self waitForCKModifications]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForExpectationsWithTimeout:1.0 handler:nil]; +} + +//Restore tests +-(void)testRestoreNotSignedIn +{ + [self setUpRampRecordsInCloudKitWithFeatureOn]; + + self.accountStatus = CKAccountStatusNoAccount; + [self startCKKSSubsystem]; + + [self.accountStateTracker notifyCKAccountStatusChangeAndWaitForSignal]; + + self.spiBlockExpectation = [self expectationWithDescription:@"restore SPI fired"]; + self.expectation = [self expectationWithDescription:@"ramp scheduler fired"]; + + [self.otControl restore:testContextID + dsid:testDSID + secret:self.secret + escrowRecordID:self.sosPeerID + reply:^(NSData* signingKeyData, NSData* encryptionKeyData, NSError* _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertNil(signingKeyData, "Signing key data should be nil"); + XCTAssertNil(encryptionKeyData, "encryption key data should be nil"); + XCTAssertTrue(error.code == OTErrorNotSignedIn, "should return a OTErrorNotSignedIn error"); + }]; + [self waitForCKModifications]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForExpectationsWithTimeout:1.0 handler:nil]; + +} + +-(void) testRestoreWithNoNetwork +{ + [self setUpRampRecordsInCloudKitWithFeatureOn]; + + self.accountStatus = CKAccountStatusAvailable; + [self startCKKSSubsystem]; + + [self.accountStateTracker notifyCKAccountStatusChangeAndWaitForSignal]; + + 
self.reachabilityFlags = 0; + [self.reachabilityTracker recheck]; + + self.spiBlockExpectation = [self expectationWithDescription:@"restore SPI fired"]; + self.expectation = [self expectationWithDescription:@"ramp scheduler fired"]; + + [self.otControl restore:testContextID + dsid:testDSID + secret:self.secret + escrowRecordID:self.sosPeerID + reply:^(NSData* signingKeyData, NSData* encryptionKeyData, NSError* _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertNil(signingKeyData, "Signing key data should be nil"); + XCTAssertNil(encryptionKeyData, "encryption key data should be nil"); + XCTAssertTrue(error.code == OTErrorNoNetwork, "should return a OTErrorNoNetwork error"); + }]; + [self waitForCKModifications]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForExpectationsWithTimeout:1.0 handler:nil]; +} + +-(void) testRestoreWhenLocked +{ + [self setUpRampRecordsInCloudKitWithFeatureOn]; + + self.aksLockState = true; + [self.lockStateTracker recheck]; + + self.spiBlockExpectation = [self expectationWithDescription:@"restore SPI fired"]; + self.expectation = [self expectationWithDescription:@"ramp scheduler fired"]; + + [self.otControl restore:testContextID + dsid:testDSID + secret:self.secret + escrowRecordID:self.sosPeerID + reply:^(NSData* signingKeyData, NSData* encryptionKeyData, NSError* _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertNil(signingKeyData, "Signing key data should be nil"); + XCTAssertNil(encryptionKeyData, "encryption key data should be nil"); + XCTAssertTrue(error.code == errSecInteractionNotAllowed, "should return a errSecInteractionNotAllowed error"); + }]; + [self waitForCKModifications]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForExpectationsWithTimeout:1.0 handler:nil]; +} + +//Generic Ramp tests +-(void)testEnrollRampNotSignedIn +{ + [self setUpRampRecordsInCloudKitWithFeatureOn]; + + NSError* error = nil; + NSInteger retryAfter = 0; + + self.accountStatus = 
CKAccountStatusNoAccount; + [self startCKKSSubsystem]; + + [self.accountStateTracker notifyCKAccountStatusChangeAndWaitForSignal]; + + [self.enroll checkRampState:&retryAfter qos:NSQualityOfServiceUserInitiated error:&error]; + + XCTAssertTrue(error.code == OTErrorNotSignedIn, "should return a OTErrorNotSignedIn error"); + +} + +-(void) testEnrollRampWithNoNetwork +{ + [self setUpRampRecordsInCloudKitWithFeatureOn]; + + NSError* error = nil; + NSInteger retryAfter = 0; + + self.accountStatus = CKAccountStatusAvailable; + [self startCKKSSubsystem]; + + [self.accountStateTracker notifyCKAccountStatusChangeAndWaitForSignal]; + + self.reachabilityFlags = 0; + [self.reachabilityTracker recheck]; + + [self.enroll checkRampState:&retryAfter qos:NSQualityOfServiceUserInitiated error:&error]; + + XCTAssertTrue(error.code == OTErrorNoNetwork, "should return a OTErrorNoNetwork error"); +} + +-(void) testEnrollRampWhenLocked +{ + [self setUpRampRecordsInCloudKitWithFeatureOn]; + + NSError* error = nil; + NSInteger retryAfter = 0; + + self.aksLockState = true; + [self.lockStateTracker recheck]; + + [self.enroll checkRampState:&retryAfter qos:NSQualityOfServiceUserInitiated error:&error]; + + XCTAssertTrue(error.code == errSecInteractionNotAllowed, "should return a errSecInteractionNotAllowed error"); +} + +-(void) testTimeBetweenCFUAttempts +{ + [self setUpRampRecordsInCloudKitWithFeatureOn]; + + NSError* error = nil; + + [self.manager scheduledCloudKitRampCheck:&error]; + XCTAssertNotNil(self.manager.lastPostedCoreFollowUp, "core followup should have been posted"); + NSDate* firstTime = self.manager.lastPostedCoreFollowUp; + + sleep(2); + + [self.manager scheduledCloudKitRampCheck:&error]; + XCTAssertNotNil(self.manager.lastPostedCoreFollowUp, "core followup should have been posted"); + NSDate* secondTime = self.manager.lastPostedCoreFollowUp; + + XCTAssertTrue([secondTime timeIntervalSinceDate:firstTime] >= 2, "time difference should be slightly more than 2 seconds"); +} + 
+@end
+#endif
diff --git a/keychain/ot/tests/OTRampingTests.m b/keychain/ot/tests/OTRampingTests.m
new file mode 100644
index 00000000..1bbb1dcd
--- /dev/null
+++ b/keychain/ot/tests/OTRampingTests.m
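Review bot: In `testPreflightWithNoNetwork` and `testPreflightWhenLocked` (OTLockStateNetworkingTests.m) the reply block fulfils `self.spiBlockExpectation`, but neither test creates that expectation or calls `waitForExpectationsWithTimeout:`. If the reply is delivered asynchronously, the test method can return before the block runs, so the assertions that no entropy, bottle ID or signing key is returned while the device is locked or offline may never execute. Add `self.spiBlockExpectation = [self expectationWithDescription:@"preflight bottled peer fired"];` before each `preflightBottledPeer:` call and `[self waitForExpectationsWithTimeout:1.0 handler:nil];` after it, as `testPreflightNotSignedIn` already does; `testPreflightWithFeatureOnOn` in OTRampingTests.m has the same gap. Separately, `testBottleCheckWhenLocked` compares `error.code` with the literal `-25308` where the other locked-state tests use `errSecInteractionNotAllowed`, and several `XCTAssertNil` calls in the preflight tests carry the message "should not be nil", which will mislead whoever triages a failure.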
@@ -0,0 +1,377 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if OCTAGON + +#import + +#import +#import + +#import "OTTestsBase.h" +#import "keychain/ot/OTConstants.h" + +static NSString* const testContextID = @"Foo"; +static NSString* const testDSID = @"123456789"; + +static NSString* OTCKRecordBottledPeerType = @"OTBottledPeer"; + +@interface OTRampingUnitTests : OTTestsBase + +@end + +@implementation OTRampingUnitTests + +- (void)setUp { + [super setUp]; + self.continueAfterFailure = NO; +} + +- (void)tearDown { + [super tearDown]; +} + +-(void) testPreflightWithFeatureOnOn +{ + [self setUpRampRecordsInCloudKitWithFeatureOn]; + + [self startCKKSSubsystem]; + + [self.otControl preflightBottledPeer:testContextID + dsid:testDSID + reply:^(NSData * _Nullable entropy, NSString * _Nullable bottleID, NSData * _Nullable signingPublicKey, NSError * _Nullable error) { + XCTAssertNotNil(entropy, "entropy should not be nil"); + XCTAssertNotNil(bottleID, "bottle id should not be nil"); + XCTAssertNotNil(signingPublicKey, "signing pub key should 
not be nil"); + XCTAssertNil(error, "error should be nil"); + }]; + +} + +-(void) testLaunchWithRampOn +{ + [self setUpRampRecordsInCloudKitWithFeatureOn]; + [self startCKKSSubsystem]; + + __block NSData* localEntropy = nil; + __block NSString* localBottleID = nil; + + self.spiBlockExpectation = [self expectationWithDescription:@"preflight bottled peer fired"]; + + [self.otControl preflightBottledPeer:testContextID + dsid:testDSID + reply:^(NSData * _Nullable entropy, NSString * _Nullable bottleID, NSData * _Nullable signingPublicKey, NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + localEntropy = entropy; + localBottleID = bottleID; + XCTAssertNotNil(entropy, "entropy should not be nil"); + XCTAssertNotNil(bottleID, "bottle id should not be nil"); + XCTAssertNotNil(signingPublicKey, "signing pub key should not be nil"); + XCTAssertNil(error, "error should be nil"); + }]; + [self waitForExpectationsWithTimeout:1.0 handler:nil]; + + self.spiBlockExpectation = [self expectationWithDescription:@"launch bottled peer fired"]; + + NSMutableDictionary* recordDictionary = [NSMutableDictionary dictionaryWithObjectsAndKeys:[[NSNumber alloc] initWithInt:1], OTCKRecordBottledPeerType, nil]; + + [self expectAddedCKModifyRecords:recordDictionary holdFetch:NO]; + + [self.otControl launchBottledPeer:testContextID bottleID:localBottleID reply:^(NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertNil(error, "error should be nil"); + }]; + + [self waitForExpectationsWithTimeout:1.0 handler:nil]; +} + +-(void) testRestoreWithRampOn +{ + [self setUpRampRecordsInCloudKitWithFeatureOn]; + [self startCKKSSubsystem]; + + __block NSData* localEntropy = nil; + __block NSString* localBottleID = nil; + + self.spiBlockExpectation = [self expectationWithDescription:@"preflight bottled peer fired"]; + + [self.otControl preflightBottledPeer:OTDefaultContext + dsid:@"dsid" + reply:^(NSData * _Nullable entropy, NSString * _Nullable bottleID, NSData * 
_Nullable signingPublicKey, NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + localEntropy = entropy; + localBottleID = bottleID; + XCTAssertNotNil(entropy, "entropy should not be nil"); + XCTAssertNotNil(bottleID, "bottle id should not be nil"); + XCTAssertNotNil(signingPublicKey, "signing pub key should not be nil"); + XCTAssertNil(error, "error should be nil"); + }]; + [self waitForExpectationsWithTimeout:1.0 handler:nil]; + + __block NSData* localSigningKeyData = nil; + __block NSData* localEncryptionKeyData = nil; + + self.spiBlockExpectation = [self expectationWithDescription:@"preflight bottled peer fired"]; + + [self.otControl restore:testContextID + dsid:testDSID + secret:localEntropy + escrowRecordID:self.sosPeerID + reply:^(NSData* signingKeyData, NSData* encryptionKeyData, NSError* _Nullable error) { + [self.spiBlockExpectation fulfill]; + localSigningKeyData = signingKeyData; + localEncryptionKeyData = encryptionKeyData; + XCTAssertNotNil(signingKeyData, "Signing key data should not be nil"); + XCTAssertNotNil(encryptionKeyData, "encryption key data should not be nil"); + XCTAssertNil(error, "error should not be nil"); + }]; + [self waitForExpectationsWithTimeout:1.0 handler:nil]; + NSError* localError = nil; + + OTIdentity *ourSelf = [self currentIdentity:&localError]; + XCTAssertTrue([localSigningKeyData isEqualToData:[ourSelf.peerSigningKey.publicKey keyData]], @"signing keys should be equal!"); + XCTAssertTrue([localEncryptionKeyData isEqualToData:[ourSelf.peerEncryptionKey.publicKey keyData]], @"signing keys should be equal!"); +} + +-(void) testScrubWithRampOn +{ + [self setUpRampRecordsInCloudKitWithFeatureOn]; + [self startCKKSSubsystem]; + + __block NSString* localBottleID = nil; + + self.spiBlockExpectation = [self expectationWithDescription:@"preflight bottled peer fired"]; + + [self.otControl preflightBottledPeer:testContextID + dsid:testDSID + reply:^(NSData * _Nullable entropy, NSString * _Nullable bottleID, NSData * 
_Nullable signingPublicKey, NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + localBottleID = bottleID; + XCTAssertNotNil(entropy, "entropy should not be nil"); + XCTAssertNotNil(bottleID, "bottle id should not be nil"); + XCTAssertNotNil(signingPublicKey, "signing pub key should not be nil"); + XCTAssertNil(error, "error should be nil"); + }]; + + [self waitForExpectationsWithTimeout:1.0 handler:nil]; + + self.spiBlockExpectation = [self expectationWithDescription:@"scrub scheduler fired"]; + + [self.otControl scrubBottledPeer:testContextID bottleID:localBottleID reply:^(NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertNil(error, "error should be nil"); + }]; + [self waitForExpectationsWithTimeout:1.0 handler:nil]; + + NSError* localError = nil; + NSArray* bottles = [self.localStore readAllLocalBottledPeerRecords:&localError]; + XCTAssertNotNil(localError, "error should not be nil"); + XCTAssertTrue([bottles count] == 0, "should be 0 bottles"); +} + +-(void) testPreflightWithRampOff +{ + [self setUpRampRecordsInCloudKitWithFeatureOff]; + + [self startCKKSSubsystem]; + + self.spiBlockExpectation = [self expectationWithDescription:@"preflight bottled peer fired"]; + + [self.otControl preflightBottledPeer:OTDefaultContext + dsid:@"dsid" + reply:^(NSData * _Nullable entropy, NSString * _Nullable bottleID, NSData * _Nullable signingPublicKey, NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertNil(entropy, "shouldn't return any entropy"); + XCTAssertNil(bottleID, "shouldn't return a bottle ID"); + XCTAssertNil(signingPublicKey, "shouldn't return a signingPublicKey"); + XCTAssertTrue(error.code == OTErrorFeatureNotEnabled, "should return a OTErrorFeatureNotEnabled error"); + }]; + [self waitForCKModifications]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForExpectationsWithTimeout:1.0 handler:nil]; +} + +-(void) testPreflightWithRecordNotThere +{ + [self startCKKSSubsystem]; + + 
self.spiBlockExpectation = [self expectationWithDescription:@"preflight bottled peer fired"]; + + [self.otControl preflightBottledPeer:OTDefaultContext + dsid:@"dsid" + reply:^(NSData * _Nullable entropy, NSString * _Nullable bottleID, NSData * _Nullable signingPublicKey, NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertNil(entropy, "shouldn't return any entropy"); + XCTAssertNil(bottleID, "shouldn't return a bottle ID"); + XCTAssertNil(signingPublicKey, "shouldn't return a signingPublicKey"); + XCTAssertNotNil(error, "should not be nil"); + }]; + [self waitForCKModifications]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForExpectationsWithTimeout:1.0 handler:nil]; +} + +-(void) testLaunchWithRampOff +{ + [self setUpRampRecordsInCloudKitWithFeatureOff]; + + [self startCKKSSubsystem]; + + self.spiBlockExpectation = [self expectationWithDescription:@"preflight bottled peer fired"]; + + [self.otControl preflightBottledPeer:OTDefaultContext + dsid:@"dsid" + reply:^(NSData * _Nullable entropy, NSString * _Nullable bottleID, NSData * _Nullable signingPublicKey, NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertNil(entropy, "shouldn't return any entropy"); + XCTAssertNil(bottleID, "shouldn't return a bottle ID"); + XCTAssertNil(signingPublicKey, "shouldn't return a signingPublicKey"); + XCTAssertTrue(error.code == OTErrorFeatureNotEnabled, "should return a OTErrorFeatureNotEnabled error"); + }]; + [self waitForCKModifications]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForExpectationsWithTimeout:1.0 handler:nil]; + + + self.spiBlockExpectation = [self expectationWithDescription:@"launch SPI fired"]; + + NSString* localBottleID = @"random bottle id"; + [self.otControl launchBottledPeer:testContextID bottleID:localBottleID reply:^(NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertTrue(error.code == OTErrorFeatureNotEnabled, "should return a 
OTErrorFeatureNotEnabled error"); + }]; + + [self waitForCKModifications]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForExpectationsWithTimeout:1.0 handler:nil]; +} +-(void) testRestoreWithRampOff +{ + [self setUpRampRecordsInCloudKitWithFeatureOff]; + [self startCKKSSubsystem]; + + self.spiBlockExpectation = [self expectationWithDescription:@"restore SPI fired"]; + + [self.otControl restore:testContextID + dsid:testDSID + secret:self.secret + escrowRecordID:self.sosPeerID + reply:^(NSData* signingKeyData, NSData* encryptionKeyData, NSError* _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertNil(signingKeyData, "Signing key data should be nil"); + XCTAssertNil(encryptionKeyData, "encryption key data should be nil"); + XCTAssertTrue(error.code == OTErrorFeatureNotEnabled, "should return a OTErrorFeatureNotEnabled error"); + }]; + [self waitForCKModifications]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForExpectationsWithTimeout:1.0 handler:nil]; +} + +-(void) testScrubWithRampOff +{ + [self setUpRampRecordsInCloudKitWithFeatureOff]; + [self startCKKSSubsystem]; + + self.spiBlockExpectation = [self expectationWithDescription:@"preflight bottled peer SPI fired"]; + + [self.otControl preflightBottledPeer:testContextID + dsid:testDSID + reply:^(NSData * _Nullable entropy, NSString * _Nullable bottleID, NSData * _Nullable signingPublicKey, NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertNil(entropy, "entropy should be nil"); + XCTAssertNil(bottleID, "bottle id should be nil"); + XCTAssertNil(signingPublicKey, "signing pub key should be nil"); + XCTAssertTrue(error.code == OTErrorFeatureNotEnabled, "should return a OTErrorFeatureNotEnabled error"); + }]; + + [self waitForExpectationsWithTimeout:1.0 handler:nil]; + + __block NSString* localBottleID = @"random bottle id"; + self.spiBlockExpectation = [self expectationWithDescription:@"scrub bottled peer SPI fired"]; + + [self.otControl 
scrubBottledPeer:testContextID bottleID:localBottleID reply:^(NSError * _Nullable error) { + [self.spiBlockExpectation fulfill]; + XCTAssertTrue(error.code == OTErrorFeatureNotEnabled, "should return a OTErrorFeatureNotEnabled error"); + }]; + + [self waitForCKModifications]; + OCMVerifyAllWithDelay(self.mockDatabase, 8); + [self waitForExpectationsWithTimeout:1.0 handler:nil]; + + [self createAndSaveFakeKeyHierarchy: self.keychainZoneID]; // Make life easy for this test. + [self startCKKSSubsystem]; + + XCTAssertEqual(0, [self.keychainView.keyHierarchyConditions[SecCKKSZoneKeyStateReady] wait:4*NSEC_PER_SEC], @"Key state should have arrived at ready"); +} + +-(void) testRampFetchTimeout +{ + [self startCKKSSubsystem]; + + __block NSError* localError = nil; + + [self holdCloudKitFetches]; + + [self.otControl preflightBottledPeer:OTDefaultContext + dsid:@"dsid" + reply:^(NSData * _Nullable entropy, NSString * _Nullable bottleID, NSData * _Nullable signingPublicKey, NSError * _Nullable error) { + localError = error; + XCTAssertNil(entropy, "shouldn't return any entropy"); + XCTAssertNil(bottleID, "shouldn't return a bottle ID"); + XCTAssertNil(signingPublicKey, "shouldn't return a signingPublicKey"); + XCTAssertTrue(error.code == OTErrorCKTimeOut, "should return a OTErrorCKTimeout error"); + }]; +} + +-(void)testCFUWithRampOn +{ + NSError* localError = nil; + NSInteger retryAfterInSeconds = 0; + + [self setUpRampRecordsInCloudKitWithFeatureOn]; + + XCTAssertTrue([self.cfu checkRampState:&retryAfterInSeconds qos:NSQualityOfServiceUserInitiated error:&localError], @"should be true"); +} + +-(void)testCFUWithRampOff +{ + NSError* localError = nil; + NSInteger retryAfterInSeconds = 0; + [self setUpRampRecordsInCloudKitWithFeatureOff]; + + XCTAssertTrue(![self.cfu checkRampState:&retryAfterInSeconds qos:NSQualityOfServiceUserInitiated error:&localError], @"should be false"); + + XCTAssertTrue(retryAfterInSeconds != 0, @"should be asked to retry later"); +} + 
+-(void)testCFUWithNonExistentRampRecord
+{
+ NSError* localError = nil;
+ NSInteger retryAfterInSeconds = 0;
+ XCTAssertTrue(![self.cfu checkRampState:&retryAfterInSeconds qos:NSQualityOfServiceUserInitiated error:&localError], @"should be false");
+}
+
+@end
+
+#endif /* OCTAGON */
+
diff --git a/keychain/trust/TrustedPeersTests/Info.plist b/keychain/ot/tests/OTTests-Info.plist
similarity index 100%
rename from keychain/trust/TrustedPeersTests/Info.plist
rename to keychain/ot/tests/OTTests-Info.plist
diff --git a/keychain/ot/tests/OTTestsBase.h b/keychain/ot/tests/OTTestsBase.h
new file mode 100644
index 00000000..f50be97e
--- /dev/null
+++ b/keychain/ot/tests/OTTestsBase.h
@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 2017 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#if OCTAGON
+
+#ifndef OTTestsBase_h
+#define OTTestsBase_h
+
+#import
+#import
+#import
+
+#import "keychain/ot/OTContext.h"
+#import "keychain/ot/OTEscrowKeys.h"
+#import "keychain/ot/OTDefines.h"
+#import "keychain/ot/OTControl.h"
+#import "keychain/ot/OTManager.h"
+#import "SFPublicKey+SPKI.h"
+#import
+
+#import
+#import
+
+#import "keychain/ckks/tests/CloudKitKeychainSyncingTestsBase.h"
+#import "keychain/ckks/tests/CloudKitMockXCTest.h"
+#import "keychain/ckks/tests/MockCloudKit.h"
+#import "keychain/ckks/tests/CKKSTests.h"
+#import "keychain/ckks/CKKS.h"
+#import "keychain/ckks/CKKSViewManager.h"
+
+NS_ASSUME_NONNULL_BEGIN
+
+@interface OTTestsBase : CloudKitKeychainSyncingTestsBase
+@property id otControl;
+@property OTManager* manager;
+@property (nonatomic, strong) OTCloudStore* cloudStore;
+@property (nonatomic, strong) OTLocalStore* localStore;
+@property (nonatomic, strong) FakeCKZone* otFakeZone;
+@property (nonatomic, strong) CKRecordZoneID* otZoneID;
+@property (nonatomic, strong) OTContext* context;
+@property (nonatomic, strong) _SFECKeyPair* peerSigningKey;
+@property (nonatomic, strong) _SFECKeyPair* peerEncryptionKey;
+@property (nonatomic, strong) NSData* secret;
+@property (nonatomic, strong) NSString* recordName;
+@property (nonatomic, strong) NSString* egoPeerID;
+@property (nonatomic, strong) NSString* sosPeerID;
+@property (nonatomic, strong) OTEscrowKeys* escrowKeys;
+
+@property (nonatomic, strong) FakeCKZone* rampZone;
+@property (nonatomic, strong) CKRecord *enrollRampRecord;
+@property (nonatomic, strong) CKRecord *restoreRampRecord;
+@property (nonatomic, strong) CKRecord *cfuRampRecord;
+
+@property (nonatomic, strong) OTRamp *enroll;
+@property (nonatomic, strong) OTRamp *restore;
+@property (nonatomic, strong) OTRamp *cfu;
+@property (nonatomic, strong) CKKSNearFutureScheduler* scheduler;
+@property (nonatomic, strong) XCTestExpectation *expectation;
+@property (nonatomic, strong) XCTestExpectation *spiBlockExpectation;
+
+@property (nonatomic, strong) CKRecordZoneID* rampZoneID;
+
+-(OTRamp*) fakeRamp:(NSString*)recordName featureName:(NSString*)featureName;
+
+-(void)expectAddedCKModifyRecords:(NSDictionary*)records holdFetch:(BOOL)shouldHoldTheFetch;
+-(void)expectDeletedCKModifyRecords:(NSDictionary*)records holdFetch:(BOOL)shouldHoldTheFetch;
+-(void) setUpRampRecordsInCloudKitWithFeatureOn;
+-(void) setUpRampRecordsInCloudKitWithFeatureOff;
+
+@end
+NS_ASSUME_NONNULL_END
+
+#endif /* OTTestsBase_h */
+#endif /* OCTAGON */
diff --git a/keychain/ot/tests/OTTestsBase.m b/keychain/ot/tests/OTTestsBase.m
new file mode 100644
index 00000000..81738098
--- /dev/null
+++ b/keychain/ot/tests/OTTestsBase.m
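Review bot: The `holdFetch:(BOOL)shouldHoldTheFetch` argument declared in OTTestsBase.h on `expectAddedCKModifyRecords:holdFetch:` and `expectDeletedCKModifyRecords:holdFetch:` is never read by the implementations this patch adds in OTTestsBase.m; both `runAfterModification` blocks call `[strongSelf holdCloudKitFetches]` unconditionally. A test that passes `holdFetch:NO` therefore still has its fetches held, which can hide ordering problems in the code under test. Either honour the flag in both blocks with `if (shouldHoldTheFetch) { [strongSelf holdCloudKitFetches]; }` or drop the parameter, and add a one-line comment above each declaration stating when fetches are held.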
@@ -0,0 +1,311 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#if OCTAGON + +#import "OTTestsBase.h" + +static NSString* const testContextID = @"Foo"; +static NSString* const testDSID = @"123456789"; +static int _test_num = 0; +static NSString* _path; +static NSString* _dbPath; + +static NSString* OTCKZoneName = @"OctagonTrust"; + +static NSString* const kOTRampZoneName = @"metadata_zone"; +static NSString* const kOTRampForEnrollmentRecordName = @"metadata_rampstate_enroll"; +static NSString* const kOTRampForRestoreRecordName = @"metadata_rampstate_restore"; +static NSString* const kOTRampForCFURecordName = @"metadata_rampstate_cfu"; + +static NSString* kFeatureAllowedKey = @"FeatureAllowed"; +static NSString* kFeaturePromotedKey = @"FeaturePromoted"; +static NSString* kFeatureVisibleKey = @"FeatureVisible"; +static NSString* kRetryAfterKey = @"RetryAfter"; +static NSString* kRampPriorityKey = @"RampPriority"; + +static NSString* OTCKRecordBottledPeerType = @"OTBottledPeer"; + +@implementation OTTestsBase + +// Override our base class 
+-(NSSet*)managedViewList { + return [NSSet setWithObject:@"keychain"]; +} + ++ (void)setUp { + SecCKKSEnable(); + SecCKKSResetSyncing(); + [super setUp]; +} + +- (void)setUp +{ + [super setUp]; + + self.continueAfterFailure = NO; + NSError* error = nil; + + _path = @"/tmp/ottrusttests"; + _dbPath = [_path stringByAppendingFormat:@"/ottest.db.%d",_test_num++]; + + XCTAssertTrue([[NSFileManager defaultManager] createDirectoryAtPath:_path withIntermediateDirectories:YES attributes:nil error:nil], @"directory created!"); + self.localStore = [[OTLocalStore alloc]initWithContextID:testContextID dsid:testDSID path:_dbPath error:&error]; + XCTAssertNil(error, "error should be nil"); + + self.cloudStore = [[OTCloudStore alloc] initWithContainer:self.mockContainer + zoneName:OTCKZoneName + accountTracker:self.mockAccountStateTracker + reachabilityTracker:self.mockReachabilityTracker + localStore:self.localStore + contextID:testContextID + dsid:testDSID + fetchRecordZoneChangesOperationClass:self.mockFakeCKFetchRecordZoneChangesOperation + fetchRecordsOperationClass:self.mockFakeCKFetchRecordZoneChangesOperation + queryOperationClass:self.mockFakeCKQueryOperation + modifySubscriptionsOperationClass:self.mockFakeCKModifySubscriptionsOperation + modifyRecordZonesOperationClass:self.mockFakeCKFetchRecordsOperation + apsConnectionClass:self.mockFakeCKModifySubscriptionsOperation + operationQueue:nil]; + + NSString* secretString = @"I'm a secretI'm a secretI'm a secretI'm a secretI'm a secretI'm a secret"; + self.secret = [[NSData alloc]initWithBytes:[secretString UTF8String] length:[secretString length]]; + + self.context = [[OTContext alloc]initWithContextID:testContextID dsid:testDSID localStore:self.localStore cloudStore:self.cloudStore identityProvider:self error:&error]; + XCTAssertNil(error, "error should be nil"); + + self.sosPeerID = @"spID"; + self.egoPeerID = @"egoPeerID"; + self.peerSigningKey = [[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier 
alloc] initWithCurve:SFEllipticCurveNistp384]]; + self.peerEncryptionKey = [[SFECKeyPair alloc] initRandomKeyPairWithSpecifier:[[SFECKeySpecifier alloc] initWithCurve:SFEllipticCurveNistp384]]; + self.escrowKeys = [[OTEscrowKeys alloc]initWithSecret:self.secret dsid:testDSID error:&error]; + + XCTAssertNotNil(self.context, @"context not initialized"); + + self.otZoneID = [[CKRecordZoneID alloc] initWithZoneName:OTCKZoneName ownerName:CKCurrentUserDefaultName]; + + XCTAssertNotNil(self.otZoneID, @"cloudkit record zone id is not initialized"); + + self.otFakeZone = [[FakeCKZone alloc] initZone: self.otZoneID]; + XCTAssertNotNil(self.otFakeZone, @"fake ot zone is not initialized"); + + self.zones[self.otZoneID] = self.otFakeZone; + XCTAssertNotNil(self.zones, @"ot zones set is not initialized"); + + self.rampZoneID = [[CKRecordZoneID alloc] initWithZoneName:kOTRampZoneName ownerName:CKCurrentUserDefaultName]; + self.rampZone = [[FakeCKZone alloc]initZone:self.rampZoneID]; + self.zones[self.rampZoneID] = self.rampZone; + + self.cfu = [self fakeRamp:kOTRampForCFURecordName featureName:@"FAKE-cfu"]; + self.enroll = [self fakeRamp:kOTRampForEnrollmentRecordName featureName:@"FAKE-enroll"]; + self.restore = [self fakeRamp:kOTRampForRestoreRecordName featureName:@"FAKE-restore"]; + + self.scheduler = [[CKKSNearFutureScheduler alloc] initWithName: @"test" delay:50*NSEC_PER_MSEC keepProcessAlive:true + dependencyDescriptionCode:CKKSResultDescriptionNone + block:^{ + [self.expectation fulfill]; + }]; + self.manager = [[OTManager alloc] initWithContext:self.context + localStore:self.localStore + enroll:self.enroll + restore:self.restore + cfu:self.cfu + cfuScheduler:self.scheduler]; + + id mockConnection = OCMPartialMock([[NSXPCConnection alloc] init]); + OCMStub([mockConnection remoteObjectProxyWithErrorHandler:[OCMArg any]]).andCall(self, @selector(manager)); + self.otControl = [[OTControl alloc] initWithConnection:mockConnection]; + XCTAssertNotNil(self.otControl, "Should 
have received control object"); + + [self startCKKSSubsystem]; + + self.accountStatus = CKAccountStatusAvailable; + self.circleStatus = kSOSCCInCircle; + [self.cfu.accountTracker notifyCKAccountStatusChangeAndWaitForSignal]; + + [self.context.accountTracker notifyCKAccountStatusChangeAndWaitForSignal]; + [self.enroll.accountTracker notifyCKAccountStatusChangeAndWaitForSignal]; + [self.restore.accountTracker notifyCKAccountStatusChangeAndWaitForSignal]; + + [self.context.accountTracker notifyCircleStatusChangeAndWaitForSignal]; + [self.cfu.accountTracker notifyCircleStatusChangeAndWaitForSignal]; + [self.enroll.accountTracker notifyCircleStatusChangeAndWaitForSignal]; + [self.restore.accountTracker notifyCircleStatusChangeAndWaitForSignal]; + + self.reachabilityFlags = kSCNetworkReachabilityFlagsReachable; + [self.context.reachabilityTracker recheck]; + [self.cfu.reachabilityTracker recheck]; + [self.enroll.reachabilityTracker recheck]; + [self.restore.reachabilityTracker recheck]; + +} + + +- (void)tearDown +{ + NSError *error = nil; + + [_localStore removeAllBottledPeerRecords:&error]; + [_localStore deleteAllContexts:&error]; + + _context = nil; + _cloudStore = nil; + _localStore = nil; + _escrowKeys = nil; + _peerSigningKey = nil; + _peerEncryptionKey = nil; + _otFakeZone = nil; + _otZoneID = nil; + + _rampZone = nil; + _rampZoneID = nil; + _cfuRampRecord = nil; + _enrollRampRecord = nil; + _restoreRampRecord = nil; + _scheduler = nil; + + [super tearDown]; +} + +-(OTRamp*) fakeRamp:(NSString*)recordName featureName:(NSString*)featureName +{ + + OTRamp* ramp = [[OTRamp alloc]initWithRecordName:recordName + featureName:featureName + container:self.mockContainer + database:self.mockDatabase + zoneID:self.rampZoneID + accountTracker:[CKKSViewManager manager].accountTracker + lockStateTracker:[CKKSViewManager manager].lockStateTracker + reachabilityTracker:[CKKSViewManager manager].reachabilityTracker + 
fetchRecordRecordsOperationClass:self.mockFakeCKFetchRecordsOperation]; + + return ramp; +} + +-(void) setUpRampRecordsInCloudKitWithFeatureOff +{ + CKRecordID* enrollRecordID = [[CKRecordID alloc] initWithRecordName:kOTRampForEnrollmentRecordName zoneID:self.rampZoneID]; + self.enrollRampRecord = [[CKRecord alloc] initWithRecordType:kOTRampForEnrollmentRecordName recordID:enrollRecordID]; + self.enrollRampRecord[kFeatureAllowedKey] = @NO; + self.enrollRampRecord[kFeaturePromotedKey] = @NO; //always false right now + self.enrollRampRecord[kFeatureVisibleKey] = @NO; + self.enrollRampRecord[kRetryAfterKey] = [[NSNumber alloc]initWithInt:3600]; + + CKRecordID* restoreRecordID = [[CKRecordID alloc] initWithRecordName:kOTRampForRestoreRecordName zoneID:self.rampZoneID]; + self.restoreRampRecord = [[CKRecord alloc] initWithRecordType:kOTRampForEnrollmentRecordName recordID:restoreRecordID]; + self.restoreRampRecord[kFeatureAllowedKey] = @NO; + self.restoreRampRecord[kFeaturePromotedKey] = @NO; //always false right now + self.restoreRampRecord[kFeatureVisibleKey] = @NO; + self.restoreRampRecord[kRetryAfterKey] = [[NSNumber alloc]initWithInt:3600]; + + CKRecordID* cfuRecordID = [[CKRecordID alloc] initWithRecordName:kOTRampForCFURecordName zoneID:self.rampZoneID]; + self.cfuRampRecord = [[CKRecord alloc] initWithRecordType:kOTRampForCFURecordName recordID:cfuRecordID]; + self.cfuRampRecord[kFeatureAllowedKey] = @NO; + self.cfuRampRecord[kFeaturePromotedKey] = @NO; //always false right now + self.cfuRampRecord[kFeatureVisibleKey] = @NO; + self.cfuRampRecord[kRetryAfterKey] = [[NSNumber alloc]initWithInt:3600]; + + [self.rampZone addToZone:self.enrollRampRecord]; + [self.rampZone addToZone:self.restoreRampRecord]; + [self.rampZone addToZone:self.cfuRampRecord]; +} + +-(void) setUpRampRecordsInCloudKitWithFeatureOn +{ + CKRecordID* enrollRecordID = [[CKRecordID alloc] initWithRecordName:kOTRampForEnrollmentRecordName zoneID:self.rampZoneID]; + self.enrollRampRecord = 
[[CKRecord alloc] initWithRecordType:kOTRampForEnrollmentRecordName recordID:enrollRecordID]; + self.enrollRampRecord[kFeatureAllowedKey] = @YES; + self.enrollRampRecord[kFeaturePromotedKey] = @NO; //always false right now + self.enrollRampRecord[kFeatureVisibleKey] = @YES; + self.enrollRampRecord[kRetryAfterKey] = [[NSNumber alloc]initWithInt:3600]; + + CKRecordID* restoreRecordID = [[CKRecordID alloc] initWithRecordName:kOTRampForRestoreRecordName zoneID:self.rampZoneID]; + self.restoreRampRecord = [[CKRecord alloc] initWithRecordType:kOTRampForEnrollmentRecordName recordID:restoreRecordID]; + self.restoreRampRecord[kFeatureAllowedKey] = @YES; + self.restoreRampRecord[kFeaturePromotedKey] = @NO; //always false right now + self.restoreRampRecord[kFeatureVisibleKey] = @YES; + self.restoreRampRecord[kRetryAfterKey] = [[NSNumber alloc]initWithInt:3600]; + + CKRecordID* cfuRecordID = [[CKRecordID alloc] initWithRecordName:kOTRampForCFURecordName zoneID:self.rampZoneID]; + self.cfuRampRecord = [[CKRecord alloc] initWithRecordType:kOTRampForCFURecordName recordID:cfuRecordID]; + self.cfuRampRecord[kFeatureAllowedKey] = @YES; + self.cfuRampRecord[kFeaturePromotedKey] = @NO; //always false right now + self.cfuRampRecord[kFeatureVisibleKey] = @YES; + self.cfuRampRecord[kRetryAfterKey] = [[NSNumber alloc]initWithInt:3600]; + + [self.rampZone addToZone:self.enrollRampRecord]; + [self.rampZone addToZone:self.restoreRampRecord]; + [self.rampZone addToZone:self.cfuRampRecord]; +} + + +-(void)expectAddedCKModifyRecords:(NSDictionary*)records holdFetch:(BOOL)shouldHoldTheFetch +{ + __weak __typeof(self) weakSelf = self; + + [self expectCKModifyRecords:records + deletedRecordTypeCounts:nil + zoneID:self.otZoneID + checkModifiedRecord:^BOOL (CKRecord* record){ + if([record.recordType isEqualToString: OTCKRecordBottledPeerType]) { + return YES; + } else { //not a Bottled Peer Record Type + return NO; + } + } + runAfterModification:^{ + __strong __typeof(self) strongSelf = weakSelf; 
+ [strongSelf holdCloudKitFetches]; + } + ]; +} + +-(void)expectDeletedCKModifyRecords:(NSDictionary*)records holdFetch:(BOOL)shouldHoldTheFetch +{ + __weak __typeof(self) weakSelf = self; + + [self expectCKModifyRecords:[NSMutableDictionary dictionary] + deletedRecordTypeCounts:records + zoneID:self.otZoneID + checkModifiedRecord:^BOOL (CKRecord* record){ + if([record.recordType isEqualToString: OTCKRecordBottledPeerType]) { + return YES; + } else { //not a Bottled Peer Record Type + return NO; + } + } + runAfterModification:^{ + __strong __typeof(self) strongSelf = weakSelf; + [strongSelf holdCloudKitFetches]; + } + ]; +} + +- (nullable OTIdentity *)currentIdentity:(NSError * _Nullable __autoreleasing * _Nullable)error { + return [[OTIdentity alloc]initWithPeerID:self.egoPeerID spID:self.sosPeerID peerSigningKey:self.peerSigningKey peerEncryptionkey:self.peerEncryptionKey error:error]; +} + + +@end +#endif diff --git a/OTAPKIAssetTool/OTAPKIAssetTool-entitlements.plist b/keychain/otctl/otctl-Entitlements.plist similarity index 55% rename from OTAPKIAssetTool/OTAPKIAssetTool-entitlements.plist rename to keychain/otctl/otctl-Entitlements.plist index 02347e9d..cfc36cb7 100644 --- a/OTAPKIAssetTool/OTAPKIAssetTool-entitlements.plist +++ b/keychain/otctl/otctl-Entitlements.plist @@ -2,9 +2,7 @@ - com.apple.private.assets.accessible-asset-types - - com.apple.MobileAsset.PKITrustServices.PKITrustData - + com.apple.private.octagon + diff --git a/keychain/otctl/otctl.m b/keychain/otctl/otctl.m new file mode 100644 index 00000000..416d4d56 --- /dev/null +++ b/keychain/otctl/otctl.m 
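Review bot: `-setUp` in OTTestsBase.m places the test store under the fixed path `/tmp/ottrusttests` and names the database from a process-local counter (`/ottest.db.%d` with `_test_num++`), so the location is predictable, shared by every user of the machine, and reused by any concurrent or later test process. The directory is created with `attributes:nil` and `error:nil`, and `-tearDown` clears records through the store but never removes the files, so databases from earlier runs stay in place. Prefer a per-run directory such as `_path = [NSTemporaryDirectory() stringByAppendingPathComponent:[[NSUUID UUID] UUIDString]];`, created with owner-only permissions and deleted in `-tearDown`. Separately, both ramp setup helpers build `restoreRampRecord` with `initWithRecordType:kOTRampForEnrollmentRecordName`, which looks like a copy-paste slip given that the CFU record uses its own name.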
@@ -0,0 +1,529 @@ +// +// Security +// + +#import +#import +#import +#import +#import +#import +#import +#import "keychain/ot/OTControl.h" +#import "keychain/ot/OTConstants.h" +#include "lib/SecArgParse.h" +#include +#include + +@interface OTControlCLI : NSObject +@property OTControl* control; +@end + +@implementation OTControlCLI + + +- (instancetype) initWithOTControl:(OTControl*)control { + if ((self = [super init])) { + _control = control; + } + + return self; +} + +- (long)preflightBottledPeer:(NSString*)contextID dsid:(NSString*)dsid +{ + __block long ret = 0; + +#if OCTAGON + dispatch_semaphore_t sema = dispatch_semaphore_create(0); + + [self.control preflightBottledPeer:contextID dsid:dsid reply:^(NSData * _Nullable entropy, NSString * _Nullable bottleID, NSData * _Nullable signingPublicKey, NSError * _Nullable error) { + if(error){ + printf("Error pushing: %s\n", [[error description] UTF8String]); + ret = (error.code == 0 ? -1 : error.code); + }else if(entropy && bottleID && signingPublicKey){ + printf("\nSuccessfully preflighted bottle ID: %s\n", [bottleID UTF8String]); + printf("\nEntropy used: %s\n", [[entropy base64EncodedStringWithOptions:0] UTF8String]); + printf("\nSigning Public Key: %s\n", [[signingPublicKey base64EncodedStringWithOptions:0] UTF8String]); + ret = 0; + }else{ + printf("Failed to preflight bottle and no error was returned.."); + ret = -1; + } + + dispatch_semaphore_signal(sema); + }]; + + if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 65)) != 0) { + printf("\n\nError: timed out waiting for response\n"); + return -1; + } + return ret; +#else + return -1; +#endif +} + +- (long)launchBottledPeer:(NSString*)contextID bottleID:(NSString*)bottleID +{ + __block long ret = 0; + +#if OCTAGON + dispatch_semaphore_t sema = dispatch_semaphore_create(0); + + [self.control launchBottledPeer:contextID bottleID:bottleID reply:^(NSError * _Nullable error) { + if(error) + { + printf("Error pushing: %s\n", [[error 
description] UTF8String]); + ret = (error.code == 0 ? -1 : error.code); + } else { + printf("\nSuccessfully launched bottleID: %s\n", [bottleID UTF8String]); + ret = 0; + } + + dispatch_semaphore_signal(sema); + }]; + + if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 65)) != 0) { + printf("\n\nError: timed out waiting for response\n"); + return -1; + } + return ret; +#else + return -1; +#endif +} + +- (long)scrubBottledPeer:(NSString*)contextID bottleID:(NSString*)bottleID +{ + __block long ret = 0; + +#if OCTAGON + dispatch_semaphore_t sema = dispatch_semaphore_create(0); + + [self.control scrubBottledPeer:contextID bottleID:bottleID reply:^(NSError * _Nullable error) { + if(error) + { + printf("Error pushing: %s\n", [[error description] UTF8String]); + ret = (error.code == 0 ? -1 : error.code); + } else { + printf("\nSuccessfully scrubbed bottle ID: %s\n", [bottleID UTF8String]); + ret = 0; + } + + dispatch_semaphore_signal(sema); + }]; + + if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 65)) != 0) { + printf("\n\nError: timed out waiting for response\n"); + return -1; + } + return ret; +#else + ret = -1; + return ret; +#endif +} + + +- (long)enroll:(NSString*)contextID dsid:(NSString*)dsid +{ + __block long ret = 0; + +#if OCTAGON + dispatch_semaphore_t semaForPreFlight = dispatch_semaphore_create(0); + dispatch_semaphore_t semaForLaunch = dispatch_semaphore_create(0); + __block NSString* bottleRecordID = nil; + __block NSError* localError = nil; + + [self.control preflightBottledPeer:contextID dsid:dsid reply:^(NSData * _Nullable entropy, NSString * _Nullable bottleID, NSData * _Nullable signingPublicKey, NSError * _Nullable error) { + if(error) + { + localError = error; + printf("Error pushing: %s\n", [[error description] UTF8String]); + ret = (error.code == 0 ? 
-1 : error.code); + } else { + bottleRecordID = bottleID; + printf("\nSuccessfully preflighted bottle ID: %s\n", [bottleID UTF8String]); + printf("\nEntropy used: %s\n", [[entropy base64EncodedStringWithOptions:0] UTF8String]); + printf("\nSigning Public Key: %s\n", [[signingPublicKey base64EncodedStringWithOptions:0] UTF8String]); + ret = 0; + } + + dispatch_semaphore_signal(semaForPreFlight); + }]; + + if(dispatch_semaphore_wait(semaForPreFlight, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 65)) != 0) { + printf("\n\nError: timed out waiting for response\n"); + return -1; + } + + if(localError == nil){ + [self.control launchBottledPeer:contextID bottleID:bottleRecordID reply:^(NSError * _Nullable error) { + if(error) + { + printf("Error pushing: %s\n", [[error description] UTF8String]); + ret = (error.code == 0 ? -1 : error.code); + } else { + printf("\nSuccessfully launched bottleID: %s\n", [bottleRecordID UTF8String]); + ret = 0; + } + + dispatch_semaphore_signal(semaForLaunch); + }]; + + if(dispatch_semaphore_wait(semaForLaunch, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 65)) != 0) { + printf("\n\nError: timed out waiting for response\n"); + return -1; + } + } + printf("Complete.\n"); + return ret; +#else + return -1; +#endif +} + + +- (long)restore:(NSString*)contextID dsid:(NSString*)dsid secret:(NSData*)secret escrowRecordID:(NSString*)escrowRecordID +{ + __block long ret = 0; + +#if OCTAGON + dispatch_semaphore_t sema = dispatch_semaphore_create(0); + + [self.control restore:contextID dsid:dsid secret:secret escrowRecordID:escrowRecordID reply:^(NSData* signingKeyData, NSData* encryptionKeyData, NSError *error) { + if(error) + { + printf("Error pushing: %s\n", [[error description] UTF8String]); + ret = (error.code == 0 ? 
-1 : error.code); + } else { + + printf("Complete.\n"); + ret = 0; + } + + NSString* signingKeyString = [signingKeyData base64EncodedStringWithOptions:0]; + NSString* encryptionKeyString = [encryptionKeyData base64EncodedStringWithOptions:0]; + + printf("Signing Key:\n %s\n", [signingKeyString UTF8String]); + printf("Encryption Key:\n %s\n", [encryptionKeyString UTF8String]); + dispatch_semaphore_signal(sema); + }]; + + if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 65)) != 0) { + printf("\n\nError: timed out waiting for response\n"); + return -1; + } + return ret; +#else + ret = -1; + return ret; +#endif +} + +- (long) reset +{ + __block long ret = 0; + +#if OCTAGON + dispatch_semaphore_t sema = dispatch_semaphore_create(0); + [self.control reset:^(BOOL reset, NSError* error){ + if(error) + { + printf("Error pushing: %s\n", [[error description] UTF8String]); + ret = (error.code == 0 ? -1 : error.code); + } else { + printf("success\n"); + } + + dispatch_semaphore_signal(sema); + }]; + + if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 65)) != 0) { + printf("\n\nError: timed out waiting for response\n"); + return -1; + } + + printf("Complete.\n"); + return ret; +#else + ret = -1; + return ret; +#endif +} + +- (long) listOfRecords +{ + __block long ret = 0; + +#if OCTAGON + dispatch_semaphore_t sema = dispatch_semaphore_create(0); + [self.control listOfRecords:^(NSArray* list, NSError* error){ + if(error) + { + printf("Error pushing: %s\n", [[error description] UTF8String]); + ret = (error.code == 0 ? 
-1 : error.code); + } else { + [list enumerateObjectsUsingBlock:^(NSString* _Nonnull escrowRecordID, NSUInteger idx, BOOL * _Nonnull stop) { + printf("escrowRecordID: %s\n", [escrowRecordID UTF8String]); + }]; + ret = 0; + } + + dispatch_semaphore_signal(sema); + }]; + + if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 65)) != 0) { + printf("\n\nError: timed out waiting for response\n"); + return -1; + } + + printf("Complete.\n"); + return ret; +#else + ret = -1; + return ret; +#endif +} + +- (long)octagonKeys +{ + __block long ret = 0; + +#if OCTAGON + dispatch_semaphore_t semaForGettingEncryptionKey = dispatch_semaphore_create(0); + dispatch_semaphore_t semaForGettingSigningKey = dispatch_semaphore_create(0); + [self.control encryptionKey:^(NSData *encryptionKey, NSError * error) { + if(error) + { + printf("Error pushing: %s\n", [[error description] UTF8String]); + ret = (error.code == 0 ? -1 : error.code); + } else { + NSString* encryptionKeyString = [encryptionKey base64EncodedStringWithOptions:0]; + printf("Encryption Key:\n %s\n", [encryptionKeyString UTF8String]); + ret = 0; + } + + dispatch_semaphore_signal(semaForGettingEncryptionKey); + }]; + + [self.control signingKey:^(NSData *signingKey, NSError * error) { + if(error) + { + printf("Error pushing: %s\n", [[error description] UTF8String]); + ret = (error.code == 0 ? 
-1 : error.code); + } else { + NSString* signingKeyString = [signingKey base64EncodedStringWithOptions:0]; + printf("Signing Key:\n %s\n", [signingKeyString UTF8String]); + ret = 0; + } + + dispatch_semaphore_signal(semaForGettingSigningKey); + }]; + + + if(dispatch_semaphore_wait(semaForGettingEncryptionKey, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 65)) != 0) { + printf("\n\nError: timed out waiting for response\n"); + return -1; + } + if(dispatch_semaphore_wait(semaForGettingSigningKey, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 65)) != 0) { + printf("\n\nError: timed out waiting for response\n"); + return -1; + } + printf("Complete.\n"); + return ret; +#else + ret = -1; + return ret; +#endif +} + +@end + +static bool SecOTIsEnabled(void) { + + bool userDefaultsShouldBottledPeer = true; + CFBooleanRef enabled = (CFBooleanRef)CFPreferencesCopyValue(CFSTR("EnableOTRestore"), + CFSTR("com.apple.security"), + kCFPreferencesAnyUser, kCFPreferencesAnyHost); + if(enabled && CFGetTypeID(enabled) == CFBooleanGetTypeID()){ + if(enabled == kCFBooleanFalse){ + secnotice("octagon", "Octagon Restore Disabled"); + userDefaultsShouldBottledPeer = false; + } + if(enabled == kCFBooleanTrue){ + secnotice("octagon", "Octagon Restore Enabled"); + userDefaultsShouldBottledPeer = true; + } + } + + CFReleaseNull(enabled); + return userDefaultsShouldBottledPeer; +} + +static int enroll = false; +static int restore = false; +static int octagonkeys = false; +static int reset = false; + +static int prepbp = false; +static int launch = false; +static int scrub = false; + +static int listOfRecords = false; +static char* bottleIDArg = NULL; +static char* contextNameArg = NULL; +static char* secretArg = NULL; + +int main(int argc, char **argv) +{ + if(!SecIsInternalRelease()) + { + secnotice("octagon", "Tool not available on non internal builds"); + return -1; + } + + if(!SecOTIsEnabled()) + { + printf("To use this tool, enable defaults write for EnableOTRestore\n defaults write 
(~)/Library/Preferences/com.apple.security EnableOTRestore -bool YES\n"); + return -1; + } + static struct argument options[] = { + { .shortname='s', .longname="secret", .argument=&secretArg, .description="escrow secret"}, + { .shortname='e', .longname="bottleID", .argument=&bottleIDArg, .description="bottle record id"}, + { .shortname='c', .longname="context", .argument=&contextNameArg, .description="context name"}, + + { .command="restore", .flag=&restore, .flagval=true, .description="Restore fake bottled peer"}, + { .command="enroll", .flag=&enroll, .flagval=true, .description="Enroll fake bottled peer"}, + { .command="keys", .flag=&octagonkeys, .shortname='k', .flagval=true, .description="Octagon Signing + Encryption Keys"}, + { .command="reset", .flag=&reset, .flagval=true, .description="Reset Octagon Trust Zone"}, + { .command="list", .flag=&listOfRecords, .flagval=true, .description="List of current Bottled Peer Records IDs"}, + + { .command="prepbp", .flag=&prepbp, .shortname='p', .flagval=true, .description="Preflights a bottled peer"}, + { .command="launch", .flag=&launch, .flagval=true, .description="Launches a bottled peer"}, + { .command="scrub", .flag=&scrub, .flagval=true, .description="Scrub bottled peer"}, + + {} + }; + + static struct arguments args = { + .programname="otctl", + .description="Control and report on Octagon Trust", + .arguments = options, + }; + + if(!options_parse(argc, argv, &args)) { + printf("\n"); + print_usage(&args); + return -1; + } + + @autoreleasepool { + NSError* error = nil; + + OTControl* rpc = [OTControl controlObject:&error]; + if(error || !rpc) { + errx(1, "no OTControl failed: %s", [[error description] UTF8String]); + } + + OTControlCLI* ctl = [[OTControlCLI alloc] initWithOTControl:rpc]; + + if(enroll) { + long ret = 0; + NSString* context = contextNameArg ? 
[NSString stringWithCString: contextNameArg encoding: NSUTF8StringEncoding] : OTDefaultContext; + ret = [ctl enroll:context dsid:@"12345678"]; + return (int)ret; + } + if(prepbp){ + long ret = 0; + NSString* context = contextNameArg ? [NSString stringWithCString: contextNameArg encoding: NSUTF8StringEncoding] : OTDefaultContext; + + //requires secret, context is optional + ret = [ctl preflightBottledPeer:context dsid:@"12345678"]; + return (int)ret; + } + if(launch){ + long ret = 0; + + NSString* bottleID = bottleIDArg ? [NSString stringWithCString: bottleIDArg encoding: NSUTF8StringEncoding] : nil; + NSString* context = contextNameArg ? [NSString stringWithCString: contextNameArg encoding: NSUTF8StringEncoding] : OTDefaultContext; + //requires bottleID, context is optional + if(bottleID && [bottleID length] > 0 && ![bottleID isEqualToString:@"(null)"]){ + ret = [ctl launchBottledPeer:context bottleID:bottleID]; + } + else{ + print_usage(&args); + return -1; + } + + return (int)ret; + } + if(scrub){ + long ret = 0; + + NSString* bottleID = bottleIDArg ? [NSString stringWithCString: bottleIDArg encoding: NSUTF8StringEncoding] : nil; + NSString* context = contextNameArg ? [NSString stringWithCString: contextNameArg encoding: NSUTF8StringEncoding] : OTDefaultContext; + + //requires bottle ID, context is optional + if(bottleID && [bottleID length] > 0 && ![bottleID isEqualToString:@"(null)"]){ + ret = [ctl scrubBottledPeer:context bottleID:bottleID]; + } + else{ + print_usage(&args); + return -1; + } + return (int)ret; + } + + if(restore) { + long ret = 0; + NSData* secretData = nil; + NSString* secretString = secretArg ? [NSString stringWithCString: secretArg encoding: NSUTF8StringEncoding] : nil; + NSString* bottleID = bottleIDArg ? [NSString stringWithCString: bottleIDArg encoding: NSUTF8StringEncoding] : nil; + NSString* context = contextNameArg ? 
[NSString stringWithCString: contextNameArg encoding: NSUTF8StringEncoding] : OTDefaultContext; + + //requires secret and bottle ID, context is optional + if(secretString && [secretString length] > 0){ + secretData = [[NSData alloc] initWithBase64EncodedString:secretString options:0];; + } + else{ + print_usage(&args); + return -1; + } + + + if(bottleID && [bottleID length] > 0 && ![bottleID isEqualToString:@"(null)"]){ + ret = [ctl restore:context dsid:@"12345678" secret:secretData escrowRecordID:bottleID]; + } + else{ + print_usage(&args); + return -1; + } + return (int)ret; + } + if(octagonkeys){ + long ret = 0; + ret = [ctl octagonKeys]; + return (int)ret; + } + if(listOfRecords){ + long ret = 0; + ret = [ctl listOfRecords]; + return (int)ret; + } + if(reset){ + long ret = 0; + ret = [ctl reset]; + return (int)ret; + } + else { + print_usage(&args); + return -1; + } + + + } + return 0; +} + diff --git a/keychain/trust/TrustedPeers/TPCategoryRule.h b/keychain/trust/TrustedPeers/TPCategoryRule.h deleted file mode 100644 index a06b61eb..00000000 --- a/keychain/trust/TrustedPeers/TPCategoryRule.h +++ /dev/null 
@@ -1,47 +0,0 @@
-/*
- * Copyright (c) 2017 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#import
-
-NS_ASSUME_NONNULL_BEGIN
-
-/*!
- This class represents a single rule that, if it matches a prefix
- of a model ID, assigns a category to that model.
-
- This class is just a pair of strings, for the prefix: category
- mappings contained in a policy's modelToCategory array.
-
- This class is a value type -- its members are immutable and
- instances with identical contents are interchangeable.
- */
-@interface TPCategoryRule : NSObject
-
-@property (nonatomic, readonly) NSString *prefix;
-@property (nonatomic, readonly) NSString *category;
-
-+ (instancetype)ruleWithPrefix:(NSString *)prefix category:(NSString *)category;
-
-@end
-
-NS_ASSUME_NONNULL_END
diff --git a/keychain/trust/TrustedPeers/TPCircle.h b/keychain/trust/TrustedPeers/TPCircle.h
deleted file mode 100644
index fa2a660a..00000000
--- a/keychain/trust/TrustedPeers/TPCircle.h
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Copyright (c) 2017 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#import
-
-NS_ASSUME_NONNULL_BEGIN
-
-/*!
- A "circle" identifies a set of peers that should be included and
- a set of peers that should be excluded from trust membership.
-
- This class is a value type -- its members are immutable and
- instances with identical contents are interchangeable.
- It overrides isEqual and hash, so that two instances with
- identical contents will compare as equal.
- */
-@interface TPCircle : NSObject
-
-@property (nonatomic, readonly) NSString *circleID;
-@property (nonatomic, readonly) NSSet* includedPeerIDs;
-@property (nonatomic, readonly) NSSet* excludedPeerIDs;
-
-/*!
- A convenience for allocating and initializing an instance from array literals.
- */
-+ (instancetype)circleWithIncludedPeerIDs:(nullable NSArray *)includedPeerIDs
- excludedPeerIDs:(nullable NSArray *)excludedPeerIDs;
-
-/*!
- A convenience for checking a provided circleID. Returns nil if it does not match.
- */
-+ (nullable instancetype)circleWithID:(NSString *)circleID
- includedPeerIDs:(nullable NSArray *)includedPeerIDs
- excludedPeerIDs:(nullable NSArray *)excludedPeerIDs;
-
-/*!
- Construct a circle that includes a set of peer IDs and excludes a set of peer IDs.
- */
-- (instancetype)initWithIncludedPeerIDs:(NSSet *)includedPeerIDs
- excludedPeerIDs:(NSSet *)excludedPeerIDs;
-
-- (BOOL)isEqualToCircle:(TPCircle *)other;
-
-@end
-
-NS_ASSUME_NONNULL_END
diff --git a/keychain/trust/TrustedPeers/TPCircle.m b/keychain/trust/TrustedPeers/TPCircle.m
deleted file mode 100644
index 6955a2f1..00000000
--- a/keychain/trust/TrustedPeers/TPCircle.m
+++ /dev/null
@@ -1,123 +0,0 @@ -/* - * Copyright (c) 2017 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#import "TPCircle.h" -#import "TPHash.h" - -@interface TPCircle () -@property (nonatomic, strong) NSString* circleID; -@property (nonatomic, strong) NSSet* includedPeerIDs; -@property (nonatomic, strong) NSSet* excludedPeerIDs; -@end - -@implementation TPCircle - -+ (instancetype)circleWithIncludedPeerIDs:(NSArray *)includedPeerIDs - excludedPeerIDs:(NSArray *)excludedPeerIDs -{ - return [[TPCircle alloc] initWithIncludedPeerIDs:[NSSet setWithArray:includedPeerIDs] - excludedPeerIDs:[NSSet setWithArray:excludedPeerIDs]]; -} - -+ (instancetype)circleWithID:(NSString *)circleID - includedPeerIDs:(NSArray *)includedPeerIDs - excludedPeerIDs:(NSArray *)excludedPeerIDs -{ - TPCircle *circle = [TPCircle circleWithIncludedPeerIDs:includedPeerIDs - excludedPeerIDs:excludedPeerIDs]; - if ([circleID isEqualToString:circle.circleID]) { - return circle; - } else { - return nil; - } -} - -- (instancetype)initWithIncludedPeerIDs:(NSSet *)includedPeerIDs - excludedPeerIDs:(NSSet 
*)excludedPeerIDs -{ - self = [super init]; - if (self) { - // Copy the sets passed in, so that nobody can mutate them later. - _includedPeerIDs = [includedPeerIDs copy]; - _excludedPeerIDs = [excludedPeerIDs copy]; - - NSArray* sortedInc = [[includedPeerIDs allObjects] sortedArrayUsingSelector:@selector(compare:)]; - NSArray* sortedExc = [[excludedPeerIDs allObjects] sortedArrayUsingSelector:@selector(compare:)]; - - TPHashBuilder* hasher = [[TPHashBuilder alloc] initWithAlgo:kTPHashAlgoSHA256]; - { - const char* inc = "include: "; - [hasher updateWithBytes:inc len:strlen(inc)]; - for (NSString* peerID in sortedInc) { - [hasher updateWithData:[peerID dataUsingEncoding:NSUTF8StringEncoding]]; - } - } - { - const char* exc = "exclude: "; - [hasher updateWithBytes:exc len:strlen(exc)]; - for (NSString* peerID in sortedExc) { - [hasher updateWithData:[peerID dataUsingEncoding:NSUTF8StringEncoding]]; - } - } - _circleID = [hasher finalHash]; - } - return self; -} - -- (BOOL)isEqualToCircle:(TPCircle *)other -{ - return [self.includedPeerIDs isEqualToSet:other.includedPeerIDs] - && [self.excludedPeerIDs isEqualToSet:other.excludedPeerIDs]; -} - -#pragma mark - NSObject - -- (BOOL)isEqual:(id)object -{ - if (self == object) { - return YES; - } - if (![object isKindOfClass:[TPCircle class]]) { - return NO; - } - return [self isEqualToCircle:object]; -} - -- (NSUInteger)hash -{ - return [self.includedPeerIDs hash] ^ ([self.excludedPeerIDs hash] << 1); -} - -static NSString *setDescription(NSSet *set) -{ - return [[[set allObjects] sortedArrayUsingSelector:@selector(compare:)] componentsJoinedByString:@" "]; -} - -- (NSString *)description -{ - return [NSString stringWithFormat:@"{ in: [%@] ex: [%@] }", - setDescription(self.includedPeerIDs), - setDescription(self.excludedPeerIDs)]; -} - -@end diff --git a/keychain/trust/TrustedPeers/TPHash.m b/keychain/trust/TrustedPeers/TPHash.m deleted file mode 100644 index 703c034d..00000000 
--- a/keychain/trust/TrustedPeers/TPHash.m
+++ /dev/null
@@ -1,175 +0,0 @@ -/* - * Copyright (c) 2017 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#import "TPHash.h" - -#import - -@interface TPHashBuilder () - -@property (nonatomic, assign) TPHashAlgo algo; -@property (nonatomic, assign) CC_SHA256_CTX ctxSHA256; // used by SHA224 and SHA256 -@property (nonatomic, assign) CC_SHA512_CTX ctxSHA512; // used by SHA384 and SHA512 - -@end - -@implementation TPHashBuilder - -+ (TPHashAlgo)algoOfHash:(NSString *)hash -{ - if ([hash hasPrefix:@"SHA224:"]) { - return kTPHashAlgoSHA224; - } - if ([hash hasPrefix:@"SHA256:"]) { - return kTPHashAlgoSHA256; - } - if ([hash hasPrefix:@"SHA384:"]) { - return kTPHashAlgoSHA384; - } - if ([hash hasPrefix:@"SHA512:"]) { - return kTPHashAlgoSHA512; - } - return kTPHashAlgoUnknown; -} - -- (instancetype)init -{ - self = [super init]; - if (self) { - _algo = kTPHashAlgoUnknown; - } - return self; -} - -- (instancetype)initWithAlgo:(TPHashAlgo)algo -{ - self = [self init]; - [self resetWithAlgo:algo]; - return self; -} - -- (void)resetWithAlgo:(TPHashAlgo)algo -{ - _algo = algo; - switch 
(algo) { - case kTPHashAlgoSHA224: - CC_SHA224_Init(&_ctxSHA256); - break; - case kTPHashAlgoSHA256: - CC_SHA256_Init(&_ctxSHA256); - break; - case kTPHashAlgoSHA384: - CC_SHA384_Init(&_ctxSHA512); - break; - case kTPHashAlgoSHA512: - CC_SHA512_Init(&_ctxSHA512); - break; - default: - [self throwInvalidAlgo]; - } -} - -- (void)updateWithData:(NSData *)data -{ - [self updateWithBytes:data.bytes len:data.length]; -} - -- (void)updateWithBytes:(const void *)data len:(size_t)len -{ - switch (self.algo) { - case kTPHashAlgoSHA224: - CC_SHA224_Update(&_ctxSHA256, data, (CC_LONG)len); - break; - case kTPHashAlgoSHA256: - CC_SHA256_Update(&_ctxSHA256, data, (CC_LONG)len); - break; - case kTPHashAlgoSHA384: - CC_SHA384_Update(&_ctxSHA512, data, (CC_LONG)len); - break; - case kTPHashAlgoSHA512: - CC_SHA512_Update(&_ctxSHA512, data, (CC_LONG)len); - break; - default: - [self throwInvalidAlgo]; - } -} - -- (NSString *)finalHash -{ - NSMutableData* data = [NSMutableData alloc]; - NSString* name = nil; - switch (self.algo) { - case kTPHashAlgoSHA224: - data = [data initWithLength:224/8]; - CC_SHA224_Final(data.mutableBytes, &_ctxSHA256); - name = @"SHA224"; - break; - case kTPHashAlgoSHA256: - data = [data initWithLength:256/8]; - CC_SHA256_Final(data.mutableBytes, &_ctxSHA256); - name = @"SHA256"; - break; - case kTPHashAlgoSHA384: - data = [data initWithLength:384/8]; - CC_SHA384_Final(data.mutableBytes, &_ctxSHA512); - name = @"SHA384"; - break; - case kTPHashAlgoSHA512: - data = [data initWithLength:512/8]; - CC_SHA512_Final(data.mutableBytes, &_ctxSHA512); - name = @"SHA512"; - break; - default: - [self throwInvalidAlgo]; - } - NSString* hash = [NSString stringWithFormat:@"%@:%@", - name, [data base64EncodedStringWithOptions:0]]; - - // _ctxSHA* was "emptied" by the call to CC_SHA*_Final, - // so require the client to call resetWithAlgo: before reuse. 
- self.algo = kTPHashAlgoUnknown; - - return hash; -} - -- (void)throwInvalidAlgo -{ - NSException* ex = [NSException exceptionWithName:@"InvalidTPHashAlgo" - reason:@"Invalid TPHash algorithm" - userInfo:nil]; - @throw ex; -} - -+ (NSString *)hashWithAlgo:(TPHashAlgo)algo ofData:(NSData *)data -{ - return [TPHashBuilder hashWithAlgo:algo ofBytes:data.bytes len:data.length]; -} - -+ (NSString *)hashWithAlgo:(TPHashAlgo)algo ofBytes:(const void *)data len:(size_t)len -{ - TPHashBuilder *builder = [[TPHashBuilder alloc] initWithAlgo:algo]; - [builder updateWithBytes:data len:len]; - return [builder finalHash]; -} - -@end diff --git a/keychain/trust/TrustedPeers/TPModel.h b/keychain/trust/TrustedPeers/TPModel.h deleted file mode 100644 index e750acf9..00000000 --- a/keychain/trust/TrustedPeers/TPModel.h +++ /dev/null 
@@ -1,253 +0,0 @@ -/* - * Copyright (c) 2017 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#import - -#import "TPHash.h" -#import "TPSigningKey.h" -#import "TPDecrypter.h" -#import "TPTypes.h" - -@class TPCircle; -@class TPPeerPermanentInfo; -@class TPPeerStableInfo; -@class TPPeerDynamicInfo; -@class TPVoucher; -@class TPPolicyDocument; - - -typedef NS_OPTIONS(NSUInteger, TPPeerStatus) { - // Set if at least one of the peers I trust trusts me. - TPPeerStatusPartiallyReciprocated = 1 << 0, - - // Set if all of the peers I trust trust me. - TPPeerStatusFullyReciprocated = 1 << 1, - - // Set if I have been kicked out of trust. - TPPeerStatusExcluded = 1 << 2, - - // Set if my epoch is behind the latest epoch. - TPPeerStatusOutdatedEpoch = 1 << 3, - - // Set if my epoch is two or more epochs behind the latest. - TPPeerStatusAncientEpoch = 1 << 4, -}; - - -NS_ASSUME_NONNULL_BEGIN - -/*! 
- TPModel implements the Octagon Trust model, as per - https://confluence.sd.apple.com/display/KEY/Octagon+Trust - - It maintains a collection of peers and a collection of circles, - to track the peers and circles in CloudKit. - (This class does not communicate with CloudKit. The client of this class does that.) - - Normally there would be just one instance of TPModel, associated with a particular Apple ID. - (This class doesn't need to know what the Apple ID is.) - - This interface does not expose TPPeer* because the caller might mutate the peer object. - All the objects exposed by this interface are immutable. -*/ -@interface TPModel : NSObject - -- (instancetype)initWithDecrypter:(id)decrypter; - -- (TPCounter)latestEpochAmongPeerIDs:(NSSet *)peerIDs; - -- (void)registerPolicyDocument:(TPPolicyDocument *)policyDoc; - -/*! - Register a peer with the given permanentInfo. - - To access this peer invoke other TPModel methods and - pass permanentInfo.peerID as the peerID argument. - - (If a peer with this permanentInfo is already registered then registering it again - does nothing, and the existing TPPeer object internal to TPModel retains its state.) - */ -- (void)registerPeerWithPermanentInfo:(TPPeerPermanentInfo *)permanentInfo; - -- (void)deletePeerWithID:(NSString *)peerID; - -- (BOOL)hasPeerWithID:(NSString *)peerID; - -/*! - Asserts that peerID is registered. - */ -- (TPPeerStatus)statusOfPeerWithID:(NSString *)peerID; - -/*! - Asserts that peerID is registered. - */ -- (TPPeerPermanentInfo *)getPermanentInfoForPeerWithID:(NSString *)peerID; - -/*! - Asserts that peerID is registered. - */ -- (nullable TPPeerStableInfo *)getStableInfoForPeerWithID:(NSString *)peerID; - -/*! - Asserts that peerID is registered. - */ -- (nullable NSData *)getWrappedPrivateKeysForPeerWithID:(NSString *)peerID; - -/*! - Asserts that peerID is registered. - */ -- (void)setWrappedPrivateKeys:(nullable NSData *)wrappedPrivateKeys - forPeerWithID:(NSString *)peerID; - -/*! 
- Asserts that peerID is registered. - */ -- (nullable TPPeerDynamicInfo *)getDynamicInfoForPeerWithID:(NSString *)peerID; - -/*! - Asserts that peerID is registered. - */ -- (nullable TPCircle *)getCircleForPeerWithID:(NSString *)peerID; - - -- (void)registerCircle:(TPCircle *)circle; - -- (void)deleteCircleWithID:(NSString *)circleID; - -/*! - Returns nil if no circle matching circleID is registered. - */ -- (nullable TPCircle *)circleWithID:(NSString *)circleID; - - -/*! - An "update" with unchanged data is considered success. - Asserts that peerID is registered. - */ -- (TPResult)updateStableInfo:(TPPeerStableInfo *)stableInfo - forPeerWithID:(NSString *)peerID; - -/*! - Returns nil with error if the peer's trustSigningKey is unable to create - a signature because the private key is unavailable, e.g. because the device is locked. - - Asserts peerID is registered. - */ -- (TPPeerStableInfo *)createStableInfoWithDictionary:(NSDictionary *)dict - policyVersion:(TPCounter)policyVersion - policyHash:(NSString *)policyHash - policySecrets:(nullable NSDictionary *)policySecrets - forPeerWithID:(NSString *)peerID - error:(NSError **)error; - - -/*! - An "update" with unchanged data is considered success. - Asserts peerID is registered. - */ -- (TPResult)updateDynamicInfo:(TPPeerDynamicInfo *)dynamicInfo - forPeerWithID:(NSString *)peerID; - - -/*! - The returned voucher is not registered. - Asserts sponsorID is registered. - - Returns nil with nil error if policy determines that the sponsor - is not permitted to introduce this candidate. - - Returns nil with error if the sponsor's trustSigningKey is unable to create - a signature because the private key is unavailable, e.g. because the device is locked. - - The candidate need not be registered before making this call. - */ -- (nullable TPVoucher *)createVoucherForCandidate:(TPPeerPermanentInfo *)candidate - withSponsorID:(NSString *)sponsorID - error:(NSError **)error; - -/*! 
- Asserts that the sponsor is registered, so that the signature check can be performed. - The beneficiary need not be registered. - */ -- (TPResult)registerVoucher:(TPVoucher *)voucher; - - -- (NSSet *)calculateUnusedCircleIDs; - -/*! - Calculates updated dynamic info for a given peer, - according to the membership convergence algorithm. - - This method does not update the model. The calculated circle is not registered - and the peer is not updated with the calculated dynamicInfo. It is the caller's - responsibility to register/update them once they have been persisted to CloudKit. - - Peers listed in addingPeerIDs are taken to have been explicitly trusted by the user. - When the user adds a member of addingPeerIDs into trust, the peers already trusted - by that new peer are also taken to be trusted, even if the new peer is not qualified by - policy to *introduce* them into trust. This is neccessary in a scenario where a mid-level - device approves a lowly device, and the new lowly device should trust the high-level devices - already in the circle. The mid-level device is not *introducing* the high-level devices. - - Peers listed in removingPeerIDs are excluded from trust. - - Returns nil with error if the peer's trustSigningKey is unable to create - a signature because the private key is unavailable, e.g. because the device is locked. - - Asserts peerID is registered. - */ -- (nullable TPPeerDynamicInfo *)calculateDynamicInfoForPeerWithID:(NSString *)peerID - addingPeerIDs:(nullable NSArray *)addingPeerIDs - removingPeerIDs:(nullable NSArray *)removingPeerIDs - createClique:(nullable NSString* (^)())createClique - updatedCircle:(TPCircle * _Nullable * _Nullable)updatedCircle - error:(NSError **)error; - -/*! - A convenience method for tests, this calls calculateDynamicInfoForPeerWithID, - registers the results and returns the new circle. 
- */ -- (TPCircle *)advancePeerWithID:(NSString *)peerID - addingPeerIDs:(nullable NSArray *)addingPeerIDs - removingPeerIDs:(nullable NSArray *)removingPeerIDs - createClique:(nullable NSString* (^)())createClique; - -/*! - From our trusted peers, return the subset that is allowed - to access the given view, according to the current policy. - - Asserts peerID is registered. - */ -- (nullable NSSet *)getPeerIDsTrustedByPeerWithID:(NSString *)peerID - toAccessView:(NSString *)view - error:(NSError **)error; - -/*! - Returns a dictionary mapping from each peer ID - to the most recent clock seen from that peer. - */ -- (NSDictionary *)vectorClock; - -@end - -NS_ASSUME_NONNULL_END diff --git a/keychain/trust/TrustedPeers/TPModel.m b/keychain/trust/TrustedPeers/TPModel.m deleted file mode 100644 index 7ec2166a..00000000 --- a/keychain/trust/TrustedPeers/TPModel.m +++ /dev/null 
@@ -1,730 +0,0 @@
-/*
- * Copyright (c) 2017 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#import "TPModel.h"
-#import "TPPeer.h"
-#import "TPHash.h"
-#import "TPCircle.h"
-#import "TPVoucher.h"
-#import "TPPeerPermanentInfo.h"
-#import "TPPeerStableInfo.h"
-#import "TPPeerDynamicInfo.h"
-#import "TPPolicy.h"
-#import "TPPolicyDocument.h"
-
-
-@interface TPModel ()
-@property (nonatomic, strong) NSMutableDictionary* peersByID;
-@property (nonatomic, strong) NSMutableDictionary* circlesByID;
-@property (nonatomic, strong) NSMutableDictionary* policiesByVersion;
-@property (nonatomic, strong) NSMutableSet* vouchers;
-@property (nonatomic, strong) id decrypter;
-@end
-
-@implementation TPModel
-
-- (instancetype)initWithDecrypter:(id)decrypter
-{
- self = [super init];
- if (self) {
- _peersByID = [[NSMutableDictionary alloc] init];
- _circlesByID = [[NSMutableDictionary alloc] init];
- _policiesByVersion = [[NSMutableDictionary alloc] init];
- _vouchers = [[NSMutableSet alloc] init];
- _decrypter = decrypter;
- }
- return self;
-}
-
-- 
(TPCounter)latestEpochAmongPeerIDs:(NSSet *)peerIDs -{ - TPCounter latestEpoch = 0; - for (NSString *peerID in peerIDs) { - TPPeer *peer = self.peersByID[peerID]; - if (nil == peer) { - continue; - } - latestEpoch = MAX(latestEpoch, peer.permanentInfo.epoch); - } - return latestEpoch; -} - -- (void)registerPolicyDocument:(TPPolicyDocument *)policyDoc -{ - NSAssert(policyDoc, @"policyDoc must not be nil"); - self.policiesByVersion[@(policyDoc.policyVersion)] = policyDoc; -} - -- (void)registerPeerWithPermanentInfo:(TPPeerPermanentInfo *)permanentInfo -{ - NSAssert(permanentInfo, @"permanentInfo must not be nil"); - if (nil == [self.peersByID objectForKey:permanentInfo.peerID]) { - TPPeer *peer = [[TPPeer alloc] initWithPermanentInfo:permanentInfo]; - [self.peersByID setObject:peer forKey:peer.peerID]; - } else { - // Do nothing, to avoid overwriting the existing peer object which might have accumulated state. - } -} - -- (void)deletePeerWithID:(NSString *)peerID -{ - [self.peersByID removeObjectForKey:peerID]; -} - -- (BOOL)hasPeerWithID:(NSString *)peerID -{ - return nil != self.peersByID[peerID]; -} - -- (nonnull TPPeer *)peerWithID:(NSString *)peerID -{ - TPPeer *peer = [self.peersByID objectForKey:peerID]; - NSAssert(nil != peer, @"peerID is not registered: %@", peerID); - return peer; -} - -- (TPPeerStatus)statusOfPeerWithID:(NSString *)peerID -{ - TPPeer *peer = [self peerWithID:peerID]; - TPPeerStatus status = 0; - if (0 < [peer.circle.includedPeerIDs count]) { - status |= TPPeerStatusFullyReciprocated; - // This flag might get cleared again, below. 
- } - for (NSString *otherID in peer.circle.includedPeerIDs) { - if ([peerID isEqualToString:otherID]) { - continue; - } - TPPeer *otherPeer = self.peersByID[otherID]; - if (nil == otherPeer) { - continue; - } - if ([otherPeer.circle.includedPeerIDs containsObject:peerID]) { - status |= TPPeerStatusPartiallyReciprocated; - } else { - status &= ~TPPeerStatusFullyReciprocated; - } - if ([otherPeer.circle.excludedPeerIDs containsObject:peerID]) { - status |= TPPeerStatusExcluded; - } - if (otherPeer.permanentInfo.epoch > peer.permanentInfo.epoch) { - status |= TPPeerStatusOutdatedEpoch; - } - if (otherPeer.permanentInfo.epoch > peer.permanentInfo.epoch + 1) { - status |= TPPeerStatusAncientEpoch; - } - } - if ([peer.circle.excludedPeerIDs containsObject:peerID]) { - status |= TPPeerStatusExcluded; - } - return status; -} - - -- (TPPeerPermanentInfo *)getPermanentInfoForPeerWithID:(NSString *)peerID -{ - return [self peerWithID:peerID].permanentInfo; -} - -- (TPPeerStableInfo *)getStableInfoForPeerWithID:(NSString *)peerID -{ - return [self peerWithID:peerID].stableInfo; -} - -- (NSData *)getWrappedPrivateKeysForPeerWithID:(NSString *)peerID -{ - return [self peerWithID:peerID].wrappedPrivateKeys; -} - -- (void)setWrappedPrivateKeys:(nullable NSData *)wrappedPrivateKeys - forPeerWithID:(NSString *)peerID -{ - [self peerWithID:peerID].wrappedPrivateKeys = wrappedPrivateKeys; -} - -- (TPPeerDynamicInfo *)getDynamicInfoForPeerWithID:(NSString *)peerID -{ - return [self peerWithID:peerID].dynamicInfo; -} - -- (TPCircle *)getCircleForPeerWithID:(NSString *)peerID -{ - return [self peerWithID:peerID].circle; -} - -- (void)registerCircle:(TPCircle *)circle -{ - NSAssert(circle, @"circle must not be nil"); - [self.circlesByID setObject:circle forKey:circle.circleID]; - - // A dynamicInfo might have been set on a peer before we had the circle identified by dynamicInfo.circleID. - // Check if this circle is referenced by any dynamicInfo.circleID. 
- [self.peersByID enumerateKeysAndObjectsUsingBlock:^(NSString *peerID, TPPeer *peer, BOOL *stop) { - if (nil == peer.circle && [peer.dynamicInfo.circleID isEqualToString:circle.circleID]) { - peer.circle = circle; - } - }]; -} - -- (void)deleteCircleWithID:(NSString *)circleID -{ - [self.peersByID enumerateKeysAndObjectsUsingBlock:^(NSString *peerID, TPPeer *peer, BOOL *stop) { - NSAssert(![circleID isEqualToString:peer.dynamicInfo.circleID], - @"circle being deleted is in use by peer %@, circle %@", peerID, circleID); - }]; - [self.circlesByID removeObjectForKey:circleID]; -} - -- (TPCircle *)circleWithID:(NSString *)circleID -{ - return [self.circlesByID objectForKey:circleID]; -} - -- (TPResult)updateStableInfo:(TPPeerStableInfo *)stableInfo - forPeerWithID:(NSString *)peerID -{ - TPPeer *peer = [self peerWithID:peerID]; - return [peer updateStableInfo:stableInfo]; -} - -- (TPPeerStableInfo *)createStableInfoWithDictionary:(NSDictionary *)dict - policyVersion:(TPCounter)policyVersion - policyHash:(NSString *)policyHash - policySecrets:(nullable NSDictionary *)policySecrets - forPeerWithID:(NSString *)peerID - error:(NSError **)error -{ - TPPeer *peer = [self peerWithID:peerID]; - TPCounter clock = [self maxClock] + 1; - return [TPPeerStableInfo stableInfoWithDict:dict - clock:clock - policyVersion:policyVersion - policyHash:policyHash - policySecrets:policySecrets - trustSigningKey:peer.permanentInfo.trustSigningKey - error:error]; -} - -- (TPResult)updateDynamicInfo:(TPPeerDynamicInfo *)dynamicInfo - forPeerWithID:(NSString *)peerID -{ - TPPeer *peer = [self peerWithID:peerID]; - TPResult result = [peer updateDynamicInfo:dynamicInfo]; - if (result != TPResultOk) { - return result; - } - TPCircle *circle = [self.circlesByID objectForKey:dynamicInfo.circleID]; - if (nil != circle) { - peer.circle = circle; - } else { - // When the corresponding circleID is eventually registered, - // a call to registerCircle: will set peer.circle. 
- } - return result; -} - -- (TPCounter)maxClock -{ - __block TPCounter maxClock = 0; - [self.peersByID enumerateKeysAndObjectsUsingBlock:^(NSString *peerID, TPPeer *peer, BOOL *stop) { - if (nil != peer.stableInfo) { - maxClock = MAX(maxClock, peer.stableInfo.clock); - } - if (nil != peer.dynamicInfo) { - maxClock = MAX(maxClock, peer.dynamicInfo.clock); - } - }]; - return maxClock; -} - -- (TPCounter)maxRemovals -{ - __block TPCounter maxRemovals = 0; - [self.peersByID enumerateKeysAndObjectsUsingBlock:^(NSString *peerID, TPPeer *peer, BOOL *stop) { - if (nil != peer.dynamicInfo) { - maxRemovals = MAX(maxRemovals, peer.dynamicInfo.removals); - } - }]; - return maxRemovals; -} - -- (TPPeerDynamicInfo *)createDynamicInfoForPeerWithID:(NSString *)peerID - circle:(TPCircle *)circle - clique:(NSString *)clique - newRemovals:(TPCounter)newRemovals - error:(NSError **)error -{ - TPPeer *peer = self.peersByID[peerID]; - - TPCounter clock = [self maxClock] + 1; - TPCounter removals = [self maxRemovals] + newRemovals; - - return [TPPeerDynamicInfo dynamicInfoWithCircleID:circle.circleID - clique:clique - removals:removals - clock:clock - trustSigningKey:peer.permanentInfo.trustSigningKey - error:error]; -} - -- (BOOL)canTrustCandidate:(TPPeerPermanentInfo *)candidate inEpoch:(TPCounter)epoch -{ - return candidate.epoch + 1 >= epoch; -} - -- (BOOL)canIntroduceCandidate:(TPPeerPermanentInfo *)candidate - withSponsor:(TPPeerPermanentInfo *)sponsor - toEpoch:(TPCounter)epoch - underPolicy:(id)policy -{ - if (![self canTrustCandidate:candidate inEpoch:sponsor.epoch]) { - return NO; - } - if (![self canTrustCandidate:candidate inEpoch:epoch]) { - return NO; - } - - NSString *sponsorCategory = [policy categoryForModel:sponsor.modelID]; - NSString *candidateCategory = [policy categoryForModel:candidate.modelID]; - - return [policy trustedPeerInCategory:sponsorCategory canIntroduceCategory:candidateCategory]; -} - -- (nullable TPVoucher 
*)createVoucherForCandidate:(TPPeerPermanentInfo *)candidate - withSponsorID:(NSString *)sponsorID - error:(NSError **)error -{ - TPPeer *sponsor = [self peerWithID:sponsorID]; - - NSSet *peerIDs = [sponsor.trustedPeerIDs setByAddingObject:candidate.peerID]; - id policy = [self policyForPeerIDs:peerIDs error:error]; - if (nil == policy) { - return nil; - } - - if (![self canIntroduceCandidate:candidate - withSponsor:sponsor.permanentInfo - toEpoch:sponsor.permanentInfo.epoch - underPolicy:policy]) - { - if (error) { - *error = nil; - } - return nil; - } - - // clock is correctly zero if sponsor does not yet have dynamicInfo - TPCounter clock = sponsor.dynamicInfo.clock; - return [TPVoucher voucherWithBeneficiaryID:candidate.peerID - sponsorID:sponsorID - clock:clock - trustSigningKey:sponsor.permanentInfo.trustSigningKey - error:error]; -} - -- (TPResult)registerVoucher:(TPVoucher *)voucher -{ - NSAssert(voucher, @"voucher must not be nil"); - TPPeer *sponsor = [self peerWithID:voucher.sponsorID]; - if (![sponsor.permanentInfo.trustSigningKey checkSignature:voucher.voucherInfoSig matchesData:voucher.voucherInfoPList]) { - return TPResultSignatureMismatch; - } - [self.vouchers addObject:voucher]; - return TPResultOk; -} - -- (NSSet *)calculateUnusedCircleIDs -{ - NSMutableSet* circleIDs = [NSMutableSet setWithArray:[self.circlesByID allKeys]]; - - [self.peersByID enumerateKeysAndObjectsUsingBlock:^(NSString *peerID, TPPeer *peer, BOOL *stop) { - if (nil != peer.dynamicInfo) { - [circleIDs removeObject:peer.dynamicInfo.circleID]; - } - }]; - return circleIDs; -} - -- (nullable NSError *)considerCandidateID:(NSString *)candidateID - withSponsor:(TPPeer *)sponsor - toExpandIncludedPeerIDs:(NSMutableSet*)includedPeerIDs - andExcludedPeerIDs:(NSMutableSet*)excludedPeerIDs - forEpoch:(TPCounter)epoch -{ - if ([includedPeerIDs containsObject:candidateID]) { - // Already included, nothing to do. 
- return nil; - } - if ([excludedPeerIDs containsObject:candidateID]) { - // Denied. - return nil; - } - - TPPeer *candidate = self.peersByID[candidateID]; - if (nil == candidate) { - return nil; - } - NSMutableSet *peerIDs = [NSMutableSet setWithSet:includedPeerIDs]; - [peerIDs minusSet:excludedPeerIDs]; - [peerIDs addObject:candidateID]; - NSError *error = nil; - id policy = [self policyForPeerIDs:peerIDs error:&error]; - if (nil == policy) { - return error; - } - - if ([self canIntroduceCandidate:candidate.permanentInfo - withSponsor:sponsor.permanentInfo - toEpoch:epoch - underPolicy:policy]) - { - [includedPeerIDs addObject:candidateID]; - [excludedPeerIDs unionSet:candidate.circle.excludedPeerIDs]; - - // The accepted candidate can now be a sponsor. - error = [self recursivelyExpandIncludedPeerIDs:includedPeerIDs - andExcludedPeerIDs:excludedPeerIDs - withPeersTrustedBySponsorID:candidateID - forEpoch:epoch]; - if (nil != error) { - return error; - } - } - return nil; -} - -- (nullable NSError *)considerVouchersSponsoredByPeer:(TPPeer *)sponsor - toReecursivelyExpandIncludedPeerIDs:(NSMutableSet*)includedPeerIDs - andExcludedPeerIDs:(NSMutableSet*)excludedPeerIDs - forEpoch:(TPCounter)epoch -{ - for (TPVoucher *voucher in self.vouchers) { - if ([voucher.sponsorID isEqualToString:sponsor.peerID] - && voucher.clock == sponsor.dynamicInfo.clock) - { - NSError *error = [self considerCandidateID:voucher.beneficiaryID - withSponsor:sponsor - toExpandIncludedPeerIDs:includedPeerIDs - andExcludedPeerIDs:excludedPeerIDs - forEpoch:epoch]; - if (nil != error) { - return error; - } - } - } - return nil; -} - -- (nullable NSError *)recursivelyExpandIncludedPeerIDs:(NSMutableSet*)includedPeerIDs - andExcludedPeerIDs:(NSMutableSet*)excludedPeerIDs - withPeersTrustedBySponsorID:(NSString *)sponsorID - forEpoch:(TPCounter)epoch -{ - TPPeer *sponsor = self.peersByID[sponsorID]; - if (nil == sponsor) { - // It is possible that we might receive a voucher sponsored - // by a 
peer that has not yet been registered or has been deleted, - // or that a peer will have a circle that includes a peer that - // has not yet been registered or has been deleted. - return nil; - } - [excludedPeerIDs unionSet:sponsor.circle.excludedPeerIDs]; - for (NSString *candidateID in sponsor.circle.includedPeerIDs) { - NSError *error = [self considerCandidateID:candidateID - withSponsor:sponsor - toExpandIncludedPeerIDs:includedPeerIDs - andExcludedPeerIDs:excludedPeerIDs - forEpoch:epoch]; - if (nil != error) { - return error; - } - } - return [self considerVouchersSponsoredByPeer:sponsor - toReecursivelyExpandIncludedPeerIDs:includedPeerIDs - andExcludedPeerIDs:excludedPeerIDs - forEpoch:epoch]; -} - -- (TPPeerDynamicInfo *)calculateDynamicInfoForPeerWithID:(NSString *)peerID - addingPeerIDs:(NSArray *)addingPeerIDs - removingPeerIDs:(NSArray *)removingPeerIDs - createClique:(NSString* (^)())createClique - updatedCircle:(TPCircle **)updatedCircle - error:(NSError **)error -{ - TPPeer *peer = [self peerWithID:peerID]; - TPCounter epoch = peer.permanentInfo.epoch; - - // If we have dynamicInfo then we must know the corresponding circle. - NSAssert(nil != peer.circle || nil == peer.dynamicInfo, @"dynamicInfo without corresponding circle"); - - // If I am excluded by myself then make no changes. I am no longer playing the game. - // This is useful in the case where I have replaced myself with a new peer. - if ([peer.circle.excludedPeerIDs containsObject:peerID]) { - if (updatedCircle) { - *updatedCircle = peer.circle; - } - return peer.dynamicInfo; - } - - NSMutableSet *includedPeerIDs = [NSMutableSet setWithSet:peer.circle.includedPeerIDs]; - NSMutableSet *excludedPeerIDs = [NSMutableSet setWithSet:peer.circle.excludedPeerIDs]; - - // I trust myself by default, though this might be overridden by excludedPeerIDs - [includedPeerIDs addObject:peerID]; - - // The user has explictly told us to trust addingPeerIDs. 
- // This implies that the peers included in the circles of addingPeerIDs should also be trusted, - // as long epoch tests pass. This is regardless of whether trust policy says a member of addingPeerIDs - // can *introduce* a peer in its circle, because it isn't introducing it, the user already trusts it. - [includedPeerIDs addObjectsFromArray:addingPeerIDs]; - for (NSString *addingPeerID in addingPeerIDs) { - TPPeer *addingPeer = self.peersByID[addingPeerID]; - for (NSString *candidateID in addingPeer.circle.includedPeerIDs) { - TPPeer *candidate = self.peersByID[candidateID]; - if (candidate && [self canTrustCandidate:candidate.permanentInfo inEpoch:epoch]) { - [includedPeerIDs addObject:candidateID]; - } - } - } - - [excludedPeerIDs addObjectsFromArray:removingPeerIDs]; - [includedPeerIDs minusSet:excludedPeerIDs]; - - // We iterate over a copy because the loop will mutate includedPeerIDs - NSSet* sponsorIDs = [includedPeerIDs copy]; - - for (NSString *sponsorID in sponsorIDs) { - NSError *err = [self recursivelyExpandIncludedPeerIDs:includedPeerIDs - andExcludedPeerIDs:excludedPeerIDs - withPeersTrustedBySponsorID:sponsorID - forEpoch:epoch]; - if (nil != err) { - if (error) { - *error = err; - } - return nil; - } - } - NSError *err = [self considerVouchersSponsoredByPeer:peer - toReecursivelyExpandIncludedPeerIDs:includedPeerIDs - andExcludedPeerIDs:excludedPeerIDs - forEpoch:epoch]; - if (nil != err) { - if (error) { - *error = err; - } - return nil; - } - - [includedPeerIDs minusSet:excludedPeerIDs]; - - NSString *clique = [self bestCliqueAmongPeerIDs:includedPeerIDs]; - if (nil == clique) { - clique = peer.dynamicInfo.clique; - } - if (nil == clique && nil != createClique) { - clique = createClique(); - } - if (nil == clique) { - // Either nil == createClique or createClique returned nil. - // We would create a clique but caller has said not to. - // Not an error, it's just what they asked for. 
- if (error) { - *error = nil; - } - return nil; - } - - TPCircle *newCircle; - if ([excludedPeerIDs containsObject:peerID]) { - // I have been kicked out, and anybody who trusts me should now exclude me. - newCircle = [TPCircle circleWithIncludedPeerIDs:addingPeerIDs excludedPeerIDs:@[peerID]]; - } else { - // Drop items from excludedPeerIDs that predate epoch - 1 - NSSet *filteredExcluded = [excludedPeerIDs objectsPassingTest:^BOOL(NSString *exPeerID, BOOL *stop) { - TPPeer *exPeer = self.peersByID[exPeerID]; - if (nil == exPeer) { - return YES; - } - // If we could trust it then we have to keep it in the exclude list. - return [self canTrustCandidate:exPeer.permanentInfo inEpoch:epoch]; - }]; - newCircle = [TPCircle circleWithIncludedPeerIDs:[includedPeerIDs allObjects] - excludedPeerIDs:[filteredExcluded allObjects]]; - } - if (updatedCircle) { - *updatedCircle = newCircle; - } - return [self createDynamicInfoForPeerWithID:peerID - circle:newCircle - clique:clique - newRemovals:[removingPeerIDs count] - error:error]; -} - -- (NSString *)bestCliqueAmongPeerIDs:(NSSet*)peerIDs -{ - // The "best" clique is considered the one that is last in lexical ordering. 
- NSString *bestClique = nil; - for (NSString *peerID in peerIDs) { - NSString *clique = self.peersByID[peerID].dynamicInfo.clique; - if (clique) { - if (bestClique && NSOrderedAscending != [bestClique compare:clique]) { - continue; - } - bestClique = clique; - } - } - return bestClique; -} - -- (TPCircle *)advancePeerWithID:(NSString *)peerID - addingPeerIDs:(NSArray *)addingPeerIDs - removingPeerIDs:(NSArray *)removingPeerIDs - createClique:(NSString* (^)())createClique -{ - TPCircle *circle = nil; - TPPeerDynamicInfo *dyn; - dyn = [self calculateDynamicInfoForPeerWithID:peerID - addingPeerIDs:addingPeerIDs - removingPeerIDs:removingPeerIDs - createClique:createClique - updatedCircle:&circle - error:NULL]; - if (dyn) { - [self registerCircle:circle]; - [self updateDynamicInfo:dyn forPeerWithID:peerID]; - return circle; - } else { - return nil; - } -} - -NSString *TPErrorDomain = @"com.apple.security.trustedpeers"; - -enum { - TPErrorUnknownPolicyVersion = 1, - TPErrorPolicyHashMismatch = 2, - TPErrorMissingStableInfo = 3, -}; - - -- (nullable id)policyForPeerIDs:(NSSet *)peerIDs - error:(NSError **)error -{ - NSAssert(peerIDs.count > 0, @"policyForPeerIDs does not accept empty set"); - - TPPolicyDocument *newestPolicyDoc = nil; - - // This will become the union of policySecrets across the members of peerIDs - NSMutableDictionary *secrets = [NSMutableDictionary dictionary]; - - for (NSString *peerID in peerIDs) { - TPPeerStableInfo *stableInfo = [self peerWithID:peerID].stableInfo; - if (nil == stableInfo) { - // Allowing missing stableInfo here might be useful if we are writing a voucher - // for a peer for which we got permanentInfo over some channel that does not - // also convey stableInfo. 
- continue; - } - for (NSString *name in stableInfo.policySecrets) { - secrets[name] = stableInfo.policySecrets[name]; - } - if (newestPolicyDoc && newestPolicyDoc.policyVersion > stableInfo.policyVersion) { - continue; - } - TPPolicyDocument *policyDoc = self.policiesByVersion[@(stableInfo.policyVersion)]; - if (nil == policyDoc) { - if (error) { - *error = [NSError errorWithDomain:TPErrorDomain - code:TPErrorUnknownPolicyVersion - userInfo:@{ - @"peerID": peerID, - @"policyVersion": @(stableInfo.policyVersion) - }]; - } - return nil; - } - if (![policyDoc.policyHash isEqualToString:stableInfo.policyHash]) { - if (error) { - *error = [NSError errorWithDomain:TPErrorDomain - code:TPErrorPolicyHashMismatch - userInfo:@{ - @"peerID": peerID, - @"policyVersion": @(stableInfo.policyVersion), - @"policyDocHash": policyDoc.policyHash, - @"peerExpectsHash": stableInfo.policyHash - }]; - } - return nil; - } - newestPolicyDoc = policyDoc; - } - if (nil == newestPolicyDoc) { - // Can happen if no members of peerIDs have stableInfo - if (error) { - *error = [NSError errorWithDomain:TPErrorDomain - code:TPErrorMissingStableInfo - userInfo:nil]; - } - return nil; - } - return [newestPolicyDoc policyWithSecrets:secrets decrypter:self.decrypter error:error]; -} - -- (NSSet *)getPeerIDsTrustedByPeerWithID:(NSString *)peerID - toAccessView:(NSString *)view - error:(NSError **)error -{ - TPCircle *circle = [self peerWithID:peerID].circle; - NSMutableSet *peerIDs = [NSMutableSet set]; - - id policy = [self policyForPeerIDs:circle.includedPeerIDs error:error]; - - for (NSString *candidateID in circle.includedPeerIDs) { - TPPeer *candidate = self.peersByID[candidateID]; - if (candidate != nil) { - NSString *category = [policy categoryForModel:candidate.permanentInfo.modelID]; - if ([policy peerInCategory:category canAccessView:view]) { - [peerIDs addObject:candidateID]; - } - } - } - return peerIDs; -} - -- (NSDictionary *)vectorClock -{ - NSMutableDictionary *dict = 
[NSMutableDictionary dictionary];
-
- [self.peersByID enumerateKeysAndObjectsUsingBlock:^(NSString *peerID, TPPeer *peer, BOOL *stop) {
- if (peer.stableInfo || peer.dynamicInfo) {
- TPCounter clock = MAX(peer.stableInfo.clock, peer.dynamicInfo.clock);
- dict[peerID] = @(clock);
- }
- }];
- return dict;
-}
-
-@end
diff --git a/keychain/trust/TrustedPeers/TPPeer.h b/keychain/trust/TrustedPeers/TPPeer.h
deleted file mode 100644
index ae39c988..00000000
--- a/keychain/trust/TrustedPeers/TPPeer.h
+++ /dev/null
@@ -1,68 +0,0 @@ -/* - * Copyright (c) 2017 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#import - -#import "TPHash.h" -#import "TPSigningKey.h" -#import "TPTypes.h" - -@class TPCircle; -@class TPVoucher; -@class TPPeerPermanentInfo; -@class TPPeerStableInfo; -@class TPPeerDynamicInfo; - -NS_ASSUME_NONNULL_BEGIN - -@interface TPPeer : NSObject - -@property (nonatomic, readonly) NSString* peerID; - -@property (nonatomic, readonly) TPPeerPermanentInfo* permanentInfo; -@property (nonatomic, readonly, nullable) TPPeerStableInfo* stableInfo; -@property (nonatomic, readonly, nullable) TPPeerDynamicInfo* dynamicInfo; -@property (nonatomic, strong) NSData* wrappedPrivateKeys; - -// setCircle asserts that circle.circleID == dynamicInfo.circleID -@property (nonatomic, strong, nullable) TPCircle* circle; - -@property (nonatomic, readonly) NSSet* trustedPeerIDs; - -- (instancetype)initWithPermanentInfo:(TPPeerPermanentInfo *)permanentInfo; - -- (TPResult)updateStableInfo:(TPPeerStableInfo *)stableInfo; - -// Returns YES on success, or NO if: -// - the data or signature is 
invalid -// - this update makes a change without advancing dynamicInfo.clock -// -// An "update" with unchanged data is considered success. -// -// This call also sets self.circle to nil. -// The caller should subsequently call updateCircle to update it. -- (TPResult)updateDynamicInfo:(TPPeerDynamicInfo *)dynamicInfo; - -@end - -NS_ASSUME_NONNULL_END diff --git a/keychain/trust/TrustedPeers/TPPeer.m b/keychain/trust/TrustedPeers/TPPeer.m deleted file mode 100644 index c2e67065..00000000 --- a/keychain/trust/TrustedPeers/TPPeer.m +++ /dev/null 
@@ -1,108 +0,0 @@
-/*
- * Copyright (c) 2017 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#import "TPPeer.h"
-#import "TPPeerPermanentInfo.h"
-#import "TPPeerStableInfo.h"
-#import "TPPeerDynamicInfo.h"
-#import "TPCircle.h"
-#import "TPVoucher.h"
-
-@interface TPPeer ()
-
-@property (nonatomic, strong) TPPeerPermanentInfo* permanentInfo;
-@property (nonatomic, strong) TPPeerStableInfo* stableInfo;
-@property (nonatomic, strong) TPPeerDynamicInfo* dynamicInfo;
-
-@end
-
-
-@implementation TPPeer
-
-- (NSString *)peerID
-{
- return self.permanentInfo.peerID;
-}
-
-- (instancetype)initWithPermanentInfo:(TPPeerPermanentInfo *)permanentInfo
-{
- self = [super init];
- if (self) {
- _permanentInfo = permanentInfo;
- }
- return self;
-}
-
-- (TPResult)updateStableInfo:(TPPeerStableInfo *)stableInfo
-{
- if (![self.permanentInfo.trustSigningKey checkSignature:stableInfo.stableInfoSig
- matchesData:stableInfo.stableInfoPList]) {
- return TPResultSignatureMismatch;
- }
- if ([self.stableInfo isEqualToPeerStableInfo:stableInfo]) {
- return TPResultOk;
- }
- if 
(self.stableInfo != nil && stableInfo.clock <= self.stableInfo.clock) { - return TPResultClockViolation; - } - self.stableInfo = stableInfo; - return TPResultOk; -} - -- (TPResult)updateDynamicInfo:(TPPeerDynamicInfo *)dynamicInfo -{ - if (![self.permanentInfo.trustSigningKey checkSignature:dynamicInfo.dynamicInfoSig - matchesData:dynamicInfo.dynamicInfoPList]) { - return TPResultSignatureMismatch; - } - if ([self.dynamicInfo isEqualToPeerDynamicInfo:dynamicInfo]) { - return TPResultOk; - } - if (self.dynamicInfo != nil && dynamicInfo.clock <= self.dynamicInfo.clock) { - return TPResultClockViolation; - } - self.dynamicInfo = dynamicInfo; - self.circle = nil; - return TPResultOk; -} - -- (void)setCircle:(TPCircle *)circle -{ - if (nil != circle) { - NSAssert([circle.circleID isEqualToString:self.dynamicInfo.circleID], - @"circle property must match dynamicInfo.circleID"); - } - _circle = circle; -} - -- (NSSet *)trustedPeerIDs -{ - if (self.dynamicInfo) { - NSAssert(self.circle, @"dynamicInfo needs corresponding circle"); - return self.circle.includedPeerIDs; - } else { - return [NSSet setWithObject:self.peerID]; - } -} - -@end diff --git a/keychain/trust/TrustedPeers/TPPeerDynamicInfo.h b/keychain/trust/TrustedPeers/TPPeerDynamicInfo.h deleted file mode 100644 index 85b52d72..00000000 --- a/keychain/trust/TrustedPeers/TPPeerDynamicInfo.h +++ /dev/null 
@@ -1,67 +0,0 @@ -/* - * Copyright (c) 2017 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#import - -#import "TPTypes.h" -#import "TPSigningKey.h" - -NS_ASSUME_NONNULL_BEGIN - -/*! - Having an instance of this class does *not* mean that - its signature has been checked. Checking the signature - is up to whoever consumes it. - - This class is a value type -- its members are immutable and - instances with identical contents are interchangeable. - */ -@interface TPPeerDynamicInfo : NSObject - -/*! - Can return nil with error if [trustSigningKey signatureForData:error:] errors. - */ -+ (nullable instancetype)dynamicInfoWithCircleID:(NSString *)circleID - clique:(NSString *)clique - removals:(TPCounter)removals - clock:(TPCounter)clock - trustSigningKey:(id)trustSigningKey - error:(NSError **)error; - -// Returns nil if data cannot be deserialized to a dictionary -// or that dictionary does not contain the expected keys and value types. 
-+ (nullable instancetype)dynamicInfoWithPListData:(NSData *)dynamicInfoPList - dynamicInfoSig:(NSData *)dynamicInfoSig; - -- (BOOL)isEqualToPeerDynamicInfo:(TPPeerDynamicInfo *)other; - -@property (nonatomic, readonly) NSString *circleID; -@property (nonatomic, readonly) NSString *clique; -@property (nonatomic, readonly) TPCounter removals; -@property (nonatomic, readonly) TPCounter clock; -@property (nonatomic, readonly) NSData *dynamicInfoPList; -@property (nonatomic, readonly) NSData *dynamicInfoSig; - -@end - -NS_ASSUME_NONNULL_END diff --git a/keychain/trust/TrustedPeers/TPPeerDynamicInfo.m b/keychain/trust/TrustedPeers/TPPeerDynamicInfo.m deleted file mode 100644 index 68399f35..00000000 --- a/keychain/trust/TrustedPeers/TPPeerDynamicInfo.m +++ /dev/null 
@@ -1,131 +0,0 @@ -/* - * Copyright (c) 2017 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#import "TPPeerDynamicInfo.h" -#import "TPUtils.h" - -static const NSString *kCircleID = @"circleID"; -static const NSString *kClique = @"clique"; -static const NSString *kRemovals = @"removals"; -static const NSString *kClock = @"clock"; - - -@interface TPPeerDynamicInfo () - -@property (nonatomic, strong) NSString *circleID; -@property (nonatomic, strong) NSString *clique; -@property (nonatomic, assign) TPCounter removals; -@property (nonatomic, assign) TPCounter clock; -@property (nonatomic, strong) NSData *dynamicInfoPList; -@property (nonatomic, strong) NSData *dynamicInfoSig; - -@end - - -@implementation TPPeerDynamicInfo - -+ (instancetype)dynamicInfoWithCircleID:(NSString *)circleID - clique:(NSString *)clique - removals:(TPCounter)removals - clock:(TPCounter)clock - trustSigningKey:(id)trustSigningKey - error:(NSError **)error -{ - NSDictionary *dict = @{ - kCircleID: circleID, - kClique: clique, - kRemovals: @(removals), - kClock: @(clock) - }; - NSData *data = 
[TPUtils serializedPListWithDictionary:dict]; - NSData *sig = [trustSigningKey signatureForData:data withError:error]; - if (nil == sig) { - return nil; - } - TPPeerDynamicInfo* info = [self dynamicInfoWithPListData:data dynamicInfoSig:sig]; - assert(info); - return info; -} - -+ (instancetype)dynamicInfoWithPListData:(NSData *)dynamicInfoPList - dynamicInfoSig:(NSData *)dynamicInfoSig -{ - id dict = [NSPropertyListSerialization propertyListWithData:dynamicInfoPList - options:NSPropertyListImmutable - format:nil - error:NULL]; - if (![dict isKindOfClass:[NSDictionary class]]) { - return nil; - } - - TPPeerDynamicInfo* info = [[TPPeerDynamicInfo alloc] init]; - - if (![dict[kCircleID] isKindOfClass:[NSString class]]) { - return nil; - } - info.circleID = dict[kCircleID]; - - if (![dict[kClique] isKindOfClass:[NSString class]]) { - return nil; - } - info.clique = dict[kClique]; - - if (![dict[kRemovals] isKindOfClass:[NSNumber class]]) { - return nil; - } - info.removals = [dict[kRemovals] unsignedLongLongValue]; - - if (![dict[kClock] isKindOfClass:[NSNumber class]]) { - return nil; - } - info.clock = [dict[kClock] unsignedLongLongValue]; - - info.dynamicInfoPList = [dynamicInfoPList copy]; - info.dynamicInfoSig = [dynamicInfoSig copy]; - - return info; -} - -- (BOOL)isEqualToPeerDynamicInfo:(TPPeerDynamicInfo *)other -{ - if (other == self) { - return YES; - } - return [self.dynamicInfoPList isEqualToData:other.dynamicInfoPList] - && [self.dynamicInfoSig isEqualToData:other.dynamicInfoSig]; -} - -#pragma mark - NSObject - -- (BOOL)isEqual:(id)object -{ - if (self == object) { - return YES; - } - if (![object isKindOfClass:[TPPeerDynamicInfo class]]) { - return NO; - } - return [self isEqualToPeerDynamicInfo:object]; -} - -@end diff --git a/keychain/trust/TrustedPeers/TPPeerPermanentInfo.h b/keychain/trust/TrustedPeers/TPPeerPermanentInfo.h deleted file mode 100644 index 3af2cc2c..00000000 --- a/keychain/trust/TrustedPeers/TPPeerPermanentInfo.h +++ /dev/null 
@@ -1,68 +0,0 @@ -/* - * Copyright (c) 2017 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#import - -#import "TPTypes.h" -#import "TPSigningKey.h" -#import "TPHash.h" - -NS_ASSUME_NONNULL_BEGIN - -/*! - This class is a value type -- its members are immutable and - instances with identical contents are interchangeable. - */ -@interface TPPeerPermanentInfo : NSObject - -/*! - Can return nil with error if [trustSigningKey signatureForData:error:] errors. 
- */ -+ (nullable instancetype)permanentInfoWithMachineID:(NSString *)machineID - modelID:(NSString *)modelID - epoch:(TPCounter)epoch - trustSigningKey:(id)trustSigningKey - peerIDHashAlgo:(TPHashAlgo)peerIDHashAlgo - error:(NSError **)error; - -// Returns nil if: -// - permanentInfoPList cannot be deserialized to a dictionary -// - that dictionary does not contain the expected keys and value types -// - permanentInfoSig does not match permanentInfoPList signed with the trustSigningKey from the dictionary -// - peerID does not match the hash of (permanentInfoPList + permanentInfoSig) -+ (nullable instancetype)permanentInfoWithPeerID:(NSString *)peerID - permanentInfoPList:(NSData *)permanentInfoPList - permanentInfoSig:(NSData *)permanentInfoSig - keyFactory:(id)keyFactory; - -@property (nonatomic, readonly) NSString* machineID; -@property (nonatomic, readonly) NSString* modelID; -@property (nonatomic, readonly) TPCounter epoch; -@property (nonatomic, readonly) id trustSigningKey; -@property (nonatomic, readonly) NSData *permanentInfoPList; -@property (nonatomic, readonly) NSData *permanentInfoSig; -@property (nonatomic, readonly) NSString *peerID; - -@end - -NS_ASSUME_NONNULL_END diff --git a/keychain/trust/TrustedPeers/TPPeerPermanentInfo.m b/keychain/trust/TrustedPeers/TPPeerPermanentInfo.m deleted file mode 100644 index 70672e28..00000000 --- a/keychain/trust/TrustedPeers/TPPeerPermanentInfo.m +++ /dev/null 
@@ -1,151 +0,0 @@ -/* - * Copyright (c) 2017 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#import "TPPeerPermanentInfo.h" -#import "TPUtils.h" - -static const NSString *kMachineID = @"machineID"; -static const NSString *kModelID = @"modelID"; -static const NSString *kEpoch = @"epoch"; -static const NSString *kTrustSigningKey = @"trustSigningKey"; - - -@interface TPPeerPermanentInfo () - -@property (nonatomic, strong) NSString* machineID; -@property (nonatomic, strong) NSString* modelID; -@property (nonatomic, assign) TPCounter epoch; -@property (nonatomic, strong) id trustSigningKey; -@property (nonatomic, strong) NSData *permanentInfoPList; -@property (nonatomic, strong) NSData *permanentInfoSig; -@property (nonatomic, strong) NSString *peerID; - -@end - - -@implementation TPPeerPermanentInfo - -+ (instancetype)permanentInfoWithMachineID:(NSString *)machineID - modelID:(NSString *)modelID - epoch:(TPCounter)epoch - trustSigningKey:(id)trustSigningKey - peerIDHashAlgo:(TPHashAlgo)peerIDHashAlgo - error:(NSError **)error -{ - TPPeerPermanentInfo* info = 
[[TPPeerPermanentInfo alloc] init]; - info.machineID = [machineID copy]; - info.modelID = [modelID copy]; - info.epoch = epoch; - info.trustSigningKey = trustSigningKey; - - NSDictionary *dict = @{ - kMachineID: machineID, - kModelID: modelID, - kEpoch: @(epoch), - kTrustSigningKey: [trustSigningKey publicKey] - }; - NSData *data = [TPUtils serializedPListWithDictionary:dict]; - NSData *sig = [trustSigningKey signatureForData:data withError:error]; - if (nil == sig) { - return nil; - } - info.permanentInfoPList = data; - info.permanentInfoSig = sig; - info.peerID = [TPPeerPermanentInfo peerIDForPermanentInfoPList:data - permanentInfoSig:sig - peerIDHashAlgo:peerIDHashAlgo]; - return info; -} - -+ (NSString *)peerIDForPermanentInfoPList:(NSData *)permanentInfoPList - permanentInfoSig:(NSData *)permanentInfoSig - peerIDHashAlgo:(TPHashAlgo)peerIDHashAlgo - -{ - TPHashBuilder *hasher = [[TPHashBuilder alloc] initWithAlgo:peerIDHashAlgo]; - [hasher updateWithData:permanentInfoPList]; - [hasher updateWithData:permanentInfoSig]; - return [hasher finalHash]; -} - -+ (instancetype)permanentInfoWithPeerID:(NSString *)peerID - permanentInfoPList:(NSData *)permanentInfoPList - permanentInfoSig:(NSData *)permanentInfoSig - keyFactory:(id)keyFactory -{ - id obj = [NSPropertyListSerialization propertyListWithData:permanentInfoPList - options:NSPropertyListImmutable - format:nil - error:NULL]; - if (![obj isKindOfClass:[NSDictionary class]]) { - return nil; - } - NSDictionary *dict = obj; - - TPPeerPermanentInfo *info = [[TPPeerPermanentInfo alloc] init]; - info.peerID = peerID; - info.permanentInfoPList = permanentInfoPList; - info.permanentInfoSig = permanentInfoSig; - - if (![dict[kMachineID] isKindOfClass:[NSString class]]) { - return nil; - } - info.machineID = dict[kMachineID]; - - if (![dict[kModelID] isKindOfClass:[NSString class]]) { - return nil; - } - info.modelID = dict[kModelID]; - - if (![dict[kEpoch] isKindOfClass:[NSNumber class]]) { - return nil; - } - info.epoch 
= [dict[kEpoch] unsignedLongLongValue]; - - if (![dict[kTrustSigningKey] isKindOfClass:[NSData class]]) { - return nil; - } - info.trustSigningKey = [keyFactory keyWithPublicKeyData:dict[kTrustSigningKey]]; - if (nil == info.trustSigningKey) { - return nil; - } - if (![info.trustSigningKey checkSignature:permanentInfoSig matchesData:permanentInfoPList]) { - return nil; - } - - // check peerID is hash of (permanentInfoPList + permanentInfoSig) - TPHashAlgo algo = [TPHashBuilder algoOfHash:peerID]; - if (algo == kTPHashAlgoUnknown) { - return nil; - } - NSString* checkHash = [TPPeerPermanentInfo peerIDForPermanentInfoPList:info.permanentInfoPList - permanentInfoSig:info.permanentInfoSig - peerIDHashAlgo:algo]; - if (![checkHash isEqualToString:peerID]) { - return nil; - } - - return info; -} - -@end diff --git a/keychain/trust/TrustedPeers/TPPeerStableInfo.h b/keychain/trust/TrustedPeers/TPPeerStableInfo.h deleted file mode 100644 index 4c15b304..00000000 --- a/keychain/trust/TrustedPeers/TPPeerStableInfo.h +++ /dev/null 
@@ -1,68 +0,0 @@ -/* - * Copyright (c) 2017 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#import - -#import "TPTypes.h" -#import "TPSigningKey.h" - -NS_ASSUME_NONNULL_BEGIN - -/*! - Having an instance of this class does *not* mean that - its signature has been checked. Checking the signature - is up to whoever consumes it. - - This class is a value type -- its members are immutable and - instances with identical contents are interchangeable. - */ -@interface TPPeerStableInfo : NSObject - -/*! - Can return nil with error if [trustSigningKey signatureForData:error:] errors. 
- */ -+ (nullable instancetype)stableInfoWithDict:(NSDictionary *)dict - clock:(TPCounter)clock - policyVersion:(TPCounter)policyVersion - policyHash:(NSString *)policyHash - policySecrets:(nullable NSDictionary *)policySecrets - trustSigningKey:(id)trustSigningKey - error:(NSError **)error; - -// Returns nil if data cannot be deserialized to a dictionary -+ (nullable instancetype)stableInfoWithPListData:(NSData *)stableInfoPList - stableInfoSig:(NSData *)stableInfoSig; - -- (BOOL)isEqualToPeerStableInfo:(TPPeerStableInfo *)other; - -@property (nonatomic, readonly) NSDictionary *dict; -@property (nonatomic, readonly) TPCounter clock; -@property (nonatomic, readonly) TPCounter policyVersion; -@property (nonatomic, readonly) NSString *policyHash; -@property (nonatomic, readonly) NSDictionary *policySecrets; -@property (nonatomic, readonly) NSData *stableInfoPList; -@property (nonatomic, readonly) NSData *stableInfoSig; - -@end - -NS_ASSUME_NONNULL_END diff --git a/keychain/trust/TrustedPeers/TPPeerStableInfo.m b/keychain/trust/TrustedPeers/TPPeerStableInfo.m deleted file mode 100644 index 9895f146..00000000 --- a/keychain/trust/TrustedPeers/TPPeerStableInfo.m +++ /dev/null 
@@ -1,144 +0,0 @@ -/* - * Copyright (c) 2017 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#import "TPPeerStableInfo.h" -#import "TPUtils.h" - -static const NSString *kClock = @"clock"; -static const NSString *kPolicyVersion = @"policyVersion"; -static const NSString *kPolicyHash = @"policyHash"; -static const NSString *kPolicySecrets = @"policySecrets"; - - -@interface TPPeerStableInfo () - -@property (nonatomic, strong) NSDictionary *dict; -@property (nonatomic, assign) TPCounter clock; -@property (nonatomic, assign) TPCounter policyVersion; -@property (nonatomic, strong) NSString *policyHash; -@property (nonatomic, strong) NSDictionary *policySecrets; -@property (nonatomic, strong) NSData *stableInfoPList; -@property (nonatomic, strong) NSData *stableInfoSig; - -@end - - -@implementation TPPeerStableInfo - -+ (instancetype)stableInfoWithDict:(NSDictionary *)dict - clock:(TPCounter)clock - policyVersion:(TPCounter)policyVersion - policyHash:(NSString *)policyHash - policySecrets:(NSDictionary *)policySecrets - trustSigningKey:(id)trustSigningKey - error:(NSError 
**)error -{ - NSMutableDictionary *mutDict = [NSMutableDictionary dictionaryWithDictionary:dict]; - mutDict[kClock] = @(clock); - mutDict[kPolicyVersion] = @(policyVersion); - mutDict[kPolicyHash] = policyHash; - mutDict[kPolicySecrets] = policySecrets; - - NSData *data = [TPUtils serializedPListWithDictionary:mutDict]; - NSData *sig = [trustSigningKey signatureForData:data withError:error]; - if (nil == sig) { - return nil; - } - TPPeerStableInfo *info = [self stableInfoWithPListData:data stableInfoSig:sig];; - assert(info); - return info; -} - -+ (instancetype)stableInfoWithPListData:(NSData *)stableInfoPList - stableInfoSig:(NSData *)stableInfoSig -{ - id dict = [NSPropertyListSerialization propertyListWithData:stableInfoPList - options:NSPropertyListImmutable - format:nil - error:NULL]; - if (![dict isKindOfClass:[NSDictionary class]]) { - return nil; - } - - TPPeerStableInfo* info = [[TPPeerStableInfo alloc] init]; - - if (![dict[kClock] isKindOfClass:[NSNumber class]]) { - return nil; - } - info.clock = [dict[kClock] unsignedLongLongValue]; - - if (![dict[kPolicyVersion] isKindOfClass:[NSNumber class]]) { - return nil; - } - info.policyVersion = [dict[kPolicyVersion] unsignedLongLongValue]; - - if (![dict[kPolicyHash] isKindOfClass:[NSString class]]) { - return nil; - } - info.policyHash = dict[kPolicyHash]; - - if ([dict[kPolicySecrets] isKindOfClass:[NSDictionary class]]) { - NSDictionary *secrets = dict[kPolicySecrets]; - for (id name in secrets) { - NSAssert([name isKindOfClass:[NSString class]], @"plist keys must be strings"); - if (![secrets[name] isKindOfClass:[NSData class]]) { - return nil; - } - } - info.policySecrets = secrets; - } else if (nil == dict[kPolicySecrets]) { - info.policySecrets = @{}; - } else { - return nil; - } - - info.dict = dict; - info.stableInfoPList = [stableInfoPList copy]; - info.stableInfoSig = [stableInfoSig copy]; - - return info; -} - -- (BOOL)isEqualToPeerStableInfo:(TPPeerStableInfo *)other -{ - if (other == self) { - 
return YES; - } - return [self.stableInfoPList isEqualToData:other.stableInfoPList] - && [self.stableInfoSig isEqualToData:other.stableInfoSig]; -} - -#pragma mark - NSObject - -- (BOOL)isEqual:(id)object -{ - if (self == object) { - return YES; - } - if (![object isKindOfClass:[TPPeerStableInfo class]]) { - return NO; - } - return [self isEqualToPeerStableInfo:object]; -} - -@end diff --git a/keychain/trust/TrustedPeers/TPPolicy.h b/keychain/trust/TrustedPeers/TPPolicy.h deleted file mode 100644 index 673cf478..00000000 --- a/keychain/trust/TrustedPeers/TPPolicy.h +++ /dev/null 
@@ -1,55 +0,0 @@ -/* - * Copyright (c) 2017 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#import - -NS_ASSUME_NONNULL_BEGIN - -@class TPCategoryRule; - -/*! - TPPolicy represents the ability to calculate Octagon Policy, as per - https://confluence.sd.apple.com/display/KEY/Octagon+Policy - - Instances of this class are typically obtained from TPPolicyDocument, - by passing a (possibly empty) dictionary of secrets to - policyWithSecrets:decrypter:error:. -*/ -@protocol TPPolicy - -- (nullable NSString *)categoryForModel:(NSString *)model; -- (BOOL)trustedPeerInCategory:(NSString *)trustedCategory canIntroduceCategory:(NSString *)candidateCategory; -- (BOOL)peerInCategory:(NSString *)category canAccessView:(NSString *)view; - -@end - - -@interface TPPolicy : NSObject - -+ (instancetype)policyWithModelToCategory:(NSArray *)modelToCategory - categoriesByView:(NSDictionary*> *)categoriesByView - introducersByCategory:(NSDictionary*> *)introducersByCategory; - -@end - -NS_ASSUME_NONNULL_END 
diff --git a/keychain/trust/TrustedPeers/TPPolicy.m b/keychain/trust/TrustedPeers/TPPolicy.m
deleted file mode 100644
index 72b67648..00000000
--- a/keychain/trust/TrustedPeers/TPPolicy.m
+++ /dev/null
@@ -1,70 +0,0 @@ -/* - * Copyright (c) 2017 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#import "TPPolicy.h" -#import "TPCategoryRule.h" - - -@interface TPPolicy () - -@property (nonatomic, strong) NSArray *modelToCategory; -@property (nonatomic, strong) NSDictionary*> *categoriesByView; -@property (nonatomic, strong) NSDictionary*> *introducersByCategory; - -@end - - -@implementation TPPolicy - -+ (instancetype)policyWithModelToCategory:(NSArray *)modelToCategory - categoriesByView:(NSDictionary*> *)categoriesByView - introducersByCategory:(NSDictionary*> *)introducersByCategory -{ - TPPolicy *policy = [[TPPolicy alloc] init]; - policy.modelToCategory = [modelToCategory copy]; - policy.categoriesByView = [categoriesByView copy]; - policy.introducersByCategory = [introducersByCategory copy]; - return policy; -} - -- (nullable NSString *)categoryForModel:(NSString *)model -{ - for (TPCategoryRule *rule in self.modelToCategory) { - if ([model hasPrefix:rule.prefix]) { - return rule.category; - } - } - return nil; -} - -- (BOOL)trustedPeerInCategory:(NSString 
*)trustedCategory canIntroduceCategory:(NSString *)candidateCategory -{ - return [self.introducersByCategory[candidateCategory] containsObject:trustedCategory]; -} - -- (BOOL)peerInCategory:(NSString *)category canAccessView:(NSString *)view -{ - return [self.categoriesByView[view] containsObject:category]; -} - -@end diff --git a/keychain/trust/TrustedPeers/TPPolicyDocument.h b/keychain/trust/TrustedPeers/TPPolicyDocument.h deleted file mode 100644 index aa9359ba..00000000 --- a/keychain/trust/TrustedPeers/TPPolicyDocument.h +++ /dev/null 
@@ -1,68 +0,0 @@ -/* - * Copyright (c) 2017 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#import - -#import "TPPolicy.h" -#import "TPEncrypter.h" -#import "TPDecrypter.h" -#import "TPHash.h" -#import "TPTypes.h" - -NS_ASSUME_NONNULL_BEGIN - -/*! - This class is a value type -- its members are immutable and - instances with identical contents are interchangeable. 
- */ -@interface TPPolicyDocument : NSObject - -@property (nonatomic, readonly) TPCounter policyVersion; -@property (nonatomic, readonly) NSString *policyHash; -@property (nonatomic, readonly) NSData *pList; - -+ (nullable instancetype)policyDocWithHash:(NSString *)policyHash - pList:(NSData *)pList; - -+ (instancetype)policyDocWithVersion:(TPCounter)policyVersion - modelToCategory:(NSArray *)modelToCategory - categoriesByView:(NSDictionary*> *)categoriesByView - introducersByCategory:(NSDictionary*> *)introducersByCategory - redactions:(NSDictionary *)redactions - hashAlgo:(TPHashAlgo)hashAlgo; - -+ (nullable NSData *)redactionWithEncrypter:(id)encrypter - modelToCategory:(nullable NSArray *)modelToCategory - categoriesByView:(nullable NSDictionary*> *)categoriesByView - introducersByCategory:(nullable NSDictionary*> *)introducersByCategory - error:(NSError **)error; - -- (nullable id)policyWithSecrets:(NSDictionary *)secrets - decrypter:(id)decrypter - error:(NSError **)error; - -- (BOOL)isEqualToPolicyDocument:(TPPolicyDocument *)other; - -@end - -NS_ASSUME_NONNULL_END diff --git a/keychain/trust/TrustedPeers/TPPolicyDocument.m b/keychain/trust/TrustedPeers/TPPolicyDocument.m deleted file mode 100644 index a1c72c8e..00000000 --- a/keychain/trust/TrustedPeers/TPPolicyDocument.m +++ /dev/null 
@@ -1,335 +0,0 @@
-/*
- * Copyright (c) 2017 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#import "TPPolicyDocument.h"
-#import "TPPolicy.h"
-#import "TPUtils.h"
-#import "TPCategoryRule.h"
-
-static const NSString *kPolicyVersion = @"policyVersion";
-static const NSString *kModelToCategory = @"modelToCategory";
-static const NSString *kCategoriesByView = @"categoriesByView";
-static const NSString *kIntroducersByCategory = @"introducersByCategory";
-static const NSString *kRedactions = @"redactions";
-static const NSString *kPrefix = @"prefix";
-static const NSString *kCategory = @"category";
-
-@interface TPPolicyDocument ()
-
-@property (nonatomic, assign) TPCounter policyVersion;
-@property (nonatomic, strong) NSString *policyHash;
-@property (nonatomic, strong) NSData *pList;
-
-@property (nonatomic, strong) NSArray *modelToCategory;
-@property (nonatomic, strong) NSDictionary*> *categoriesByView;
-@property (nonatomic, strong) NSDictionary*> *introducersByCategory;
-@property (nonatomic, strong) NSDictionary *redactions;
-
-@end
-
-
-@implementation TPPolicyDocument
-
-+ (nullable NSArray *)modelToCategoryFromObj:(id)obj
-{
- if (![obj isKindOfClass:[NSArray class]]) {
- return nil;
- }
- NSArray *arr = obj;
- NSMutableArray *rules = [[NSMutableArray alloc] initWithCapacity:arr.count];
- for (id item in arr) {
- TPCategoryRule *rule = [self categoryRuleFromObj:item];
- if (nil == rule) {
- return nil;
- }
- [rules addObject:rule];
- }
- return rules;
-}
-
-+ (nullable TPCategoryRule *)categoryRuleFromObj:(id)obj
-{
- if (![obj isKindOfClass:[NSDictionary class]]) {
- return nil;
- }
- NSDictionary *dict = obj;
- if (![dict[kPrefix] isKindOfClass:[NSString class]]) {
- return nil;
- }
- if (![dict[kCategory] isKindOfClass:[NSString class]]) {
- return nil;
- }
- return [TPCategoryRule ruleWithPrefix:dict[kPrefix] category:dict[kCategory]];
-}
-
-// Used for parsing categoriesByView and introducersByCategory
-// which both have the same structure.
-+ (nullable NSDictionary*> *)dictionaryOfSetsFromObj:(id)obj
-{
- if (![obj isKindOfClass:[NSDictionary class]]) {
- return nil;
- }
- NSDictionary *dict = obj;
- NSMutableDictionary*> *result = [NSMutableDictionary dictionary];
- for (id key in dict) {
- if (![key isKindOfClass:[NSString class]]) {
- return nil;
- }
- id value = dict[key];
- if (![value isKindOfClass:[NSArray class]]) {
- return nil;
- }
- NSArray *arr = value;
- for (id item in arr) {
- if (![item isKindOfClass:[NSString class]]) {
- return nil;
- }
- }
- result[key] = [NSSet setWithArray:arr];
- }
- return result;
-}
-
-+ (nullable NSDictionary *)redactionsFromObj:(id)obj
-{
- if (![obj isKindOfClass:[NSDictionary class]]) {
- return nil;
- }
- NSDictionary *dict = obj;
- for (id key in dict) {
- if (![key isKindOfClass:[NSString class]]) {
- return nil;
- }
- id value = dict[key];
- if (![value isKindOfClass:[NSData class]]) {
- return nil;
- }
- }
- return dict;
-}
-
-+ (nullable instancetype)policyDocWithHash:(NSString *)policyHash
- pList:(NSData *)pList
-{
- TPHashAlgo algo = [TPHashBuilder algoOfHash:policyHash];
- NSString *hash = [TPHashBuilder hashWithAlgo:algo ofData:pList];
- if (![policyHash isEqualToString:hash]) {
- return nil;
- }
- TPPolicyDocument *doc = [[TPPolicyDocument alloc] init];
- doc.policyHash = hash;
- doc.pList = pList;
-
- id obj = [NSPropertyListSerialization propertyListWithData:pList
- options:NSPropertyListImmutable
- format:nil
- error:NULL];
- if (![obj isKindOfClass:[NSDictionary class]]) {
- return nil;
- }
- NSDictionary *dict = obj;
-
- if (![dict[kPolicyVersion] isKindOfClass:[NSNumber class]]) {
- return nil;
- }
- doc.policyVersion = [dict[kPolicyVersion] unsignedLongLongValue];
-
- doc.modelToCategory = [self modelToCategoryFromObj:dict[kModelToCategory]];
- if (nil == doc.modelToCategory) {
- return nil;
- }
- doc.categoriesByView = [self dictionaryOfSetsFromObj:dict[kCategoriesByView]];
- if (nil == doc.categoriesByView) {
- return nil;
- }
- doc.introducersByCategory = [self dictionaryOfSetsFromObj:dict[kIntroducersByCategory]];
- if (nil == doc.introducersByCategory) {
- return nil;
- }
- doc.redactions = [self redactionsFromObj:dict[kRedactions]];
- if (nil == doc.redactions) {
- return nil;
- }
- return doc;
-}
-
-+ (instancetype)policyDocWithVersion:(TPCounter)policyVersion
- modelToCategory:(NSArray *)modelToCategory
- categoriesByView:(NSDictionary*> *)categoriesByView
- introducersByCategory:(NSDictionary*> *)introducersByCategory
- redactions:(NSDictionary *)redactions
- hashAlgo:(TPHashAlgo)hashAlgo
-{
- TPPolicyDocument *doc = [[TPPolicyDocument alloc] init];
-
- doc.policyVersion = policyVersion;
-
- doc.modelToCategory = [TPPolicyDocument modelToCategoryFromObj:modelToCategory];
- NSAssert(doc.modelToCategory, @"malformed modelToCategory");
-
- doc.categoriesByView = [TPPolicyDocument dictionaryOfSetsFromObj:categoriesByView];
- NSAssert(doc.categoriesByView, @"malformed categoriesByView");
-
- doc.introducersByCategory = [TPPolicyDocument dictionaryOfSetsFromObj:introducersByCategory];
- NSAssert(doc.introducersByCategory, @"malformed introducersByCategory");
-
- doc.redactions = [redactions copy];
-
- NSDictionary *dict = @{
- kPolicyVersion: @(policyVersion),
- kModelToCategory: modelToCategory,
- kCategoriesByView: categoriesByView,
- kIntroducersByCategory: introducersByCategory,
- kRedactions: redactions
- };
- doc.pList = [TPUtils serializedPListWithDictionary:dict];
- doc.policyHash = [TPHashBuilder hashWithAlgo:hashAlgo ofData:doc.pList];
-
- return doc;
-}
-
-+ (nullable NSData *)redactionWithEncrypter:(id)encrypter
- modelToCategory:(nullable NSArray *)modelToCategory
- categoriesByView:(nullable NSDictionary*> *)categoriesByView
- introducersByCategory:(nullable NSDictionary*> *)introducersByCategory
- error:(NSError **)error
-{
- NSMutableDictionary *dict = [NSMutableDictionary dictionary];
- if (nil != modelToCategory) {
- dict[kModelToCategory] = modelToCategory;
- }
- if (nil != categoriesByView) {
- dict[kCategoriesByView] = categoriesByView;
- }
- if (nil != introducersByCategory) {
- dict[kIntroducersByCategory] = introducersByCategory;
- }
- NSData *plist = [TPUtils serializedPListWithDictionary:dict];
- return [encrypter encryptData:plist error:error];
-}
-
-- (id)policyWithSecrets:(NSDictionary *)secrets
- decrypter:(id)decrypter
- error:(NSError **)error
-{
- NSArray *modelToCategory = self.modelToCategory;
- NSMutableDictionary*> *categoriesByView
- = [NSMutableDictionary dictionaryWithDictionary:self.categoriesByView];
- NSMutableDictionary*> *introducersByCategory
- = [NSMutableDictionary dictionaryWithDictionary:self.introducersByCategory];
-
- // We are going to prepend extra items to modelToCategory.
- // To make the resulting array order deterministic we sort secrets by name first.
- NSArray *names = [secrets.allKeys sortedArrayUsingSelector:@selector(compare:)];
- for (NSString *name in names) {
- NSData *key = secrets[name];
- NSData *ciphertext = self.redactions[name];
- if (nil == ciphertext) {
- // This is normal. A new version might have no need to redact
- // info that was revealed by keys for a previous version.
- continue;
- }
- NSData *plist = [decrypter decryptData:ciphertext withKey:key error:error];
- if (nil == plist) {
- return nil;
- }
- id obj = [NSPropertyListSerialization propertyListWithData:plist
- options:NSPropertyListImmutable
- format:nil
- error:NULL];
- if (![obj isKindOfClass:[NSDictionary class]]) {
- return nil;
- }
- NSDictionary *dict = obj;
-
- NSArray *extraModelToCategory;
- extraModelToCategory = [TPPolicyDocument modelToCategoryFromObj:dict[kModelToCategory]];
- if (nil != extraModelToCategory) {
- // Extra rules are prepended to the list so that they are considered first.
- modelToCategory = [extraModelToCategory arrayByAddingObjectsFromArray:modelToCategory];
- }
-
- NSDictionary*> *extraCategoriesByView;
- extraCategoriesByView = [TPPolicyDocument dictionaryOfSetsFromObj:dict[kCategoriesByView]];
- if (nil != extraCategoriesByView) {
- [self mergeExtras:extraCategoriesByView intoDictionary:categoriesByView];
- }
-
- NSDictionary*> *extraIntroducersByCategory;
- extraIntroducersByCategory = [TPPolicyDocument dictionaryOfSetsFromObj:dict[kIntroducersByCategory]];
- if (nil != extraIntroducersByCategory) {
- [self mergeExtras:extraIntroducersByCategory intoDictionary:introducersByCategory];
- }
- }
-
- return [TPPolicy policyWithModelToCategory:modelToCategory
- categoriesByView:categoriesByView
- introducersByCategory:introducersByCategory];
-}
-
-- (void)mergeExtras:(NSDictionary*> *)extras
- intoDictionary:(NSMutableDictionary*> *)target
-{
- for (NSString *name in extras) {
- NSSet* extraSet = extras[name];
- if (target[name] == nil) {
- target[name] = extraSet;
- } else {
- target[name] = [target[name] setByAddingObjectsFromSet:extraSet];
- }
- }
-}
-
-- (BOOL)isEqualToPolicyDocument:(TPPolicyDocument *)other
-{
- if (other == self) {
- return YES;
- }
- return self.policyVersion == other.policyVersion
- && [self.policyHash isEqualToString:other.policyHash]
- && [self.pList isEqualToData:other.pList]
- && [self.modelToCategory isEqualToArray:other.modelToCategory]
- && [self.categoriesByView isEqualToDictionary:other.categoriesByView]
- && [self.introducersByCategory isEqualToDictionary:other.introducersByCategory]
- && [self.redactions isEqualToDictionary:other.redactions];
-}
-
-#pragma mark - NSObject
-
-- (BOOL)isEqual:(id)object
-{
- if (self == object) {
- return YES;
- }
- if (![object isKindOfClass:[TPPolicyDocument class]]) {
- return NO;
- }
- return [self isEqualToPolicyDocument:object];
-}
-
-- (NSUInteger)hash
-{
- return [self.policyHash hash];
-}
-
-@end
diff --git a/keychain/trust/TrustedPeers/TPVoucher.h b/keychain/trust/TrustedPeers/TPVoucher.h
deleted file mode 100644
index 05acb427..00000000
--- a/keychain/trust/TrustedPeers/TPVoucher.h
+++ /dev/null
@@ -1,72 +0,0 @@
-/*
- * Copyright (c) 2017 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#import
-
-#import "TPSigningKey.h"
-#import "TPTypes.h"
-
-NS_ASSUME_NONNULL_BEGIN
-
-/*!
- A voucher is a record signed by a "sponsor" peer to say that
- a "beneficiary" peer is trusted.
-
- The signature is not checked when an TPVoucher instance is
- constructed, because the sponsor's signing key might not be
- available at that time.
-
- This class is a value type -- its members are immutable and
- instances with identical contents are interchangeable.
- It overrides isEqual and hash, so that two instances with
- identical contents will compare as equal.
- */
-@interface TPVoucher : NSObject
-
-/*!
- Can return nil with error if [trustSigningKey signatureForData:error:] errors.
- */
-+ (nullable instancetype)voucherWithBeneficiaryID:(NSString *)beneficiaryID
- sponsorID:(NSString *)sponsorID
- clock:(TPCounter)clock
- trustSigningKey:(id)trustSigningKey
- error:(NSError **)error;
-
-// Returns nil if data cannot be deserialized to a dictionary
-// or that dictionary does not contain the expected keys and value types.
-// This method performs no signature checking; that should be done later,
-// when the sponsor's trustSigningKey is available.
-+ (nullable instancetype)voucherWithPList:(NSData *)voucherInfoPList
- sig:(NSData *)voucherInfoSig;
-
-- (BOOL)isEqualToVoucher:(TPVoucher *)other;
-
-@property (nonatomic, readonly) NSString *beneficiaryID;
-@property (nonatomic, readonly) NSString *sponsorID;
-@property (nonatomic, readonly) TPCounter clock;
-@property (nonatomic, readonly) NSData *voucherInfoPList;
-@property (nonatomic, readonly) NSData *voucherInfoSig;
-
-@end
-
-NS_ASSUME_NONNULL_END
diff --git a/keychain/trust/TrustedPeers/TPVoucher.m b/keychain/trust/TrustedPeers/TPVoucher.m
deleted file mode 100644
index fe45a7d6..00000000
--- a/keychain/trust/TrustedPeers/TPVoucher.m
+++ /dev/null
@@ -1,129 +0,0 @@
-/*
- * Copyright (c) 2017 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#import "TPVoucher.h"
-#import "TPUtils.h"
-
-static const NSString *kBeneficiaryID = @"beneficiaryID";
-static const NSString *kSponsorID = @"sponsorID";
-static const NSString *kClock = @"clock";
-
-
-@interface TPVoucher ()
-@property (nonatomic, strong) NSString *beneficiaryID;
-@property (nonatomic, strong) NSString *sponsorID;
-@property (nonatomic, assign) TPCounter clock;
-@property (nonatomic, strong) NSData *voucherInfoPList;
-@property (nonatomic, strong) NSData *voucherInfoSig;
-@end
-
-
-@implementation TPVoucher
-
-+ (instancetype)voucherWithBeneficiaryID:(NSString *)beneficiaryID
- sponsorID:(NSString *)sponsorID
- clock:(TPCounter)clock
- trustSigningKey:(id)trustSigningKey
- error:(NSError **)error
-{
- NSDictionary *dict = @{
- kBeneficiaryID: beneficiaryID,
- kSponsorID: sponsorID,
- kClock: @(clock)
- };
- NSData *data = [TPUtils serializedPListWithDictionary:dict];
- NSData *sig = [trustSigningKey signatureForData:data withError:error];
- if (nil == sig) {
- return nil;
- }
-
- TPVoucher *voucher = [[TPVoucher alloc] init];
- voucher.beneficiaryID = [beneficiaryID copy];
- voucher.sponsorID = [sponsorID copy];
- voucher.clock = clock;
- voucher.voucherInfoPList = data;
- voucher.voucherInfoSig = sig;
- return voucher;
-}
-
-+ (instancetype)voucherWithPList:(NSData *)voucherInfoPList
- sig:(NSData *)voucherInfoSig
-{
- TPVoucher *voucher = [[TPVoucher alloc] init];
- voucher.voucherInfoPList = [voucherInfoPList copy];
- voucher.voucherInfoSig = [voucherInfoSig copy];
-
- id dict = [NSPropertyListSerialization propertyListWithData:voucherInfoPList
- options:NSPropertyListImmutable
- format:nil
- error:NULL];
- if (![dict isKindOfClass:[NSDictionary class]]) {
- return nil;
- }
-
- if (![dict[kBeneficiaryID] isKindOfClass:[NSString class]]) {
- return nil;
- }
- voucher.beneficiaryID = dict[kBeneficiaryID];
-
- if (![dict[kSponsorID] isKindOfClass:[NSString class]]) {
- return nil;
- }
- voucher.sponsorID = dict[kSponsorID];
-
- if (![dict[kClock] isKindOfClass:[NSNumber class]]) {
- return nil;
- }
- voucher.clock = [dict[kClock] unsignedLongLongValue];
-
- return voucher;
-}
-
-- (BOOL)isEqualToVoucher:(TPVoucher *)other
-{
- if (other == self) {
- return YES;
- }
- return [self.voucherInfoPList isEqualToData:other.voucherInfoPList]
- && [self.voucherInfoSig isEqualToData:other.voucherInfoSig];
-}
-
-#pragma mark - NSObject
-
-- (BOOL)isEqual:(id)object
-{
- if (self == object) {
- return YES;
- }
- if (![object isKindOfClass:[TPVoucher class]]) {
- return NO;
- }
- return [self isEqualToVoucher:object];
-}
-
-- (NSUInteger)hash
-{
- return [self.voucherInfoPList hash];
-}
-
-@end
diff --git a/keychain/trust/TrustedPeersTests/TPCircleTests.m b/keychain/trust/TrustedPeersTests/TPCircleTests.m
deleted file mode 100644
index 4af9e0fd..00000000
--- a/keychain/trust/TrustedPeersTests/TPCircleTests.m
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (c) 2017 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#import
-#import
-
-@interface TPCircleTests : XCTestCase
-
-@end
-
-@implementation TPCircleTests
-
-- (void)testCircleIDChecks {
- NSArray *included = @[@"A", @"B"];
- NSArray *excluded = @[@"C", @"D"];
- TPCircle *circle1 = [TPCircle circleWithIncludedPeerIDs:included excludedPeerIDs:excluded];
- TPCircle *circle2 = [TPCircle circleWithID:circle1.circleID includedPeerIDs:included excludedPeerIDs:excluded];
- XCTAssertEqual([circle1 hash], [circle2 hash]);
- XCTAssertEqualObjects(circle1, circle2);
- XCTAssert([circle1 isEqual:circle1]);
- XCTAssertEqualObjects(circle1, circle2);
- XCTAssertNotEqualObjects(circle1, @"foo");
-
- // (Feel free to change the format of the description output, this is just for test coverage.)
- XCTAssertEqualObjects([circle1 description], @"{ in: [A B] ex: [C D] }");
-
- // Misuse circle1.circleID here, trying to construct a different circle with nil excludedPeerIDs:
- TPCircle *circle3 = [TPCircle circleWithID:circle1.circleID includedPeerIDs:included excludedPeerIDs:nil];
- XCTAssertNil(circle3);
-}
-
-@end
diff --git a/keychain/trust/TrustedPeersTests/TPDummySigningKey.m b/keychain/trust/TrustedPeersTests/TPDummySigningKey.m
deleted file mode 100644
index 9c613ad9..00000000
--- a/keychain/trust/TrustedPeersTests/TPDummySigningKey.m
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * Copyright (c) 2017 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#import "TPDummySigningKey.h"
-
-@interface TPDummySigningKey ()
-@property (nonatomic, strong) NSData *publicKey;
-@end
-
-
-@implementation TPDummySigningKey
-
-- (instancetype)initWithPublicKeyData:(NSData *)publicKey
-{
- self = [super init];
- if (self) {
- _publicKey = publicKey;
- _privateKeyIsAvailable = YES;
- }
- return self;
-}
-
-- (NSData *)signatureForData:(NSData *)data withError:(NSError **)error
-{
- if (self.privateKeyIsAvailable) {
- return [self signatureForData:data];
- } else {
- if (error) {
- *error = [NSError errorWithDomain:@"TPDummySigningKey" code:1 userInfo:nil];
- }
- return nil;
- }
-}
-
-- (NSData *)signatureForData:(NSData *)data
-{
- // A really dumb hash that is just good enough for unit tests.
- NSUInteger hash = [self.publicKey hash] ^ [data hash];
- return [NSData dataWithBytes:&hash length:sizeof(hash)];
-}
-
-- (BOOL)checkSignature:(NSData *)sig matchesData:(NSData *)data
-{
- return [sig isEqualToData:[self signatureForData:data]];
-}
-
-@end
-
-
-@implementation TPDummySigningKeyFactory
-
-- (id )keyWithPublicKeyData:(NSData *)publicKey
-{
- if (0 == publicKey.length) {
- return nil;
- }
- return [[TPDummySigningKey alloc] initWithPublicKeyData:publicKey];
-}
-
-+ (instancetype) dummySigningKeyFactory
-{
- return [[TPDummySigningKeyFactory alloc] init];
-}
-
-@end
diff --git a/keychain/trust/TrustedPeersTests/TPHashTests.m b/keychain/trust/TrustedPeersTests/TPHashTests.m
deleted file mode 100644
index 6599ca52..00000000
--- a/keychain/trust/TrustedPeersTests/TPHashTests.m
+++ /dev/null
@@ -1,92 +0,0 @@
-/*
- * Copyright (c) 2017 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#import
-#import
-
-@interface TPHashTests : XCTestCase
-
-@property (nonatomic, strong) NSData *hello;
-
-@end
-
-@implementation TPHashTests
-
-- (void)setUp
-{
- self.hello = [@"hello" dataUsingEncoding:NSUTF8StringEncoding];
-}
-
-- (void)testSHA224
-{
- NSString *hash = [TPHashBuilder hashWithAlgo:kTPHashAlgoSHA224 ofData:self.hello];
- XCTAssertEqualObjects(hash, @"SHA224:6gmunMZ2jFD87pA+0FRVblv8g0eQfxJZiqJBkw==");
- TPHashAlgo algo = [TPHashBuilder algoOfHash:hash];
- XCTAssertEqual(kTPHashAlgoSHA224, algo);
-}
-
-- (void)testSHA256
-{
- NSString *hash = [TPHashBuilder hashWithAlgo:kTPHashAlgoSHA256 ofData:self.hello];
- XCTAssertEqualObjects(hash, @"SHA256:LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=");
- TPHashAlgo algo = [TPHashBuilder algoOfHash:hash];
- XCTAssertEqual(kTPHashAlgoSHA256, algo);
-}
-
-- (void)testSHA384
-{
- NSString *hash = [TPHashBuilder hashWithAlgo:kTPHashAlgoSHA384 ofData:self.hello];
- XCTAssertEqualObjects(hash, @"SHA384:WeF0h3dEjGnea4ANejO7+5/xtGPkQ1TDVTvNucZm+pASWjx5+QOXvfX2oT3oKGhP");
- TPHashAlgo algo = [TPHashBuilder algoOfHash:hash];
- XCTAssertEqual(kTPHashAlgoSHA384, algo);
-}
-
-- (void)testSHA512
-{
- NSString *hash = [TPHashBuilder hashWithAlgo:kTPHashAlgoSHA512 ofData:self.hello];
- XCTAssertEqualObjects(hash, @"SHA512:m3HSJL1i83hdltRq0+o9czGb+8KJDKra4t/3JRlnPKcjI8PZm6XBHXx6zG4UuMXaDEZjR1wuXDre9G9zvN7AQw==");
- TPHashAlgo algo = [TPHashBuilder algoOfHash:hash];
- XCTAssertEqual(kTPHashAlgoSHA512, algo);
-}
-
-- (void)testBadAlgo
-{
- XCTAssertEqual(kTPHashAlgoUnknown, [TPHashBuilder algoOfHash:@""]);
- XCTAssertEqual(kTPHashAlgoUnknown, [TPHashBuilder algoOfHash:@"foo"]);
- XCTAssertEqual(kTPHashAlgoUnknown, [TPHashBuilder algoOfHash:@"foo:"]);
- XCTAssertEqual(kTPHashAlgoUnknown, [TPHashBuilder algoOfHash:@":"]);
- XCTAssertEqual(kTPHashAlgoUnknown, [TPHashBuilder algoOfHash:@"foo:bar"]);
- XCTAssertEqual(kTPHashAlgoUnknown, [TPHashBuilder algoOfHash:@"SHA256"]);
-
- XCTAssertThrows([TPHashBuilder hashWithAlgo:kTPHashAlgoUnknown ofData:self.hello]);
-}
-
-- (void)testBadReuse
-{
- TPHashBuilder *builder = [[TPHashBuilder alloc] initWithAlgo:kTPHashAlgoSHA256];
- [builder finalHash];
- XCTAssertThrows([builder updateWithData:self.hello]);
- XCTAssertThrows([builder finalHash]);
-}
-
-@end
diff --git a/keychain/trust/TrustedPeersTests/TPModelTests.m b/keychain/trust/TrustedPeersTests/TPModelTests.m
deleted file mode 100644
index 655c45a4..00000000
--- a/keychain/trust/TrustedPeersTests/TPModelTests.m
+++ /dev/null
@@ -1,831 +0,0 @@ -/* - * Copyright (c) 2017 Apple Inc. All Rights Reserved. - * - * @APPLE_LICENSE_HEADER_START@ - * - * This file contains Original Code and/or Modifications of Original Code - * as defined in and that are subject to the Apple Public Source License - * Version 2.0 (the 'License'). You may not use this file except in - * compliance with the License. Please obtain a copy of the License at - * http://www.opensource.apple.com/apsl/ and read it before using this - * file. - * - * The Original Code and all software distributed under the License are - * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER - * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, - * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. - * Please see the License for the specific language governing rights and - * limitations under the License. - * - * @APPLE_LICENSE_HEADER_END@ - */ - -#import -#import -#import "TPDummySigningKey.h" -#import "TPDummyDecrypter.h" -#import "TPDummyEncrypter.h" - -@interface TPModelTests : XCTestCase - -@property (nonatomic, strong) TPModel *model; -@property (nonatomic, strong) TPPolicyDocument *policyDocV1; -@property (nonatomic, strong) TPPolicyDocument *policyDocV2; -@property (nonatomic, strong) NSString *secretName; -@property (nonatomic, strong) NSData *secretKey; - -@end - -@implementation TPModelTests - -- (TPModel *)makeModel -{ - id decrypter = [TPDummyDecrypter dummyDecrypter]; - TPModel *model = [[TPModel alloc] initWithDecrypter:decrypter]; - [model registerPolicyDocument:self.policyDocV1]; - [model registerPolicyDocument:self.policyDocV2]; - return model; -} - -- (void)setUp -{ - self.secretName = @"foo"; - TPDummyEncrypter *encrypter = [TPDummyEncrypter dummyEncrypterWithKey:[@"sekritkey" dataUsingEncoding:NSUTF8StringEncoding]]; - self.secretKey = encrypter.decryptionKey; - NSData *redaction = 
[TPPolicyDocument redactionWithEncrypter:encrypter - modelToCategory:@[ @{ @"prefix": @"iCycle", @"category": @"full" } ] - categoriesByView:nil - introducersByCategory:nil - error:NULL]; - - self.policyDocV1 - = [TPPolicyDocument policyDocWithVersion:1 - modelToCategory:@[ - @{ @"prefix": @"iPhone", @"category": @"full" }, - @{ @"prefix": @"iPad", @"category": @"full" }, - @{ @"prefix": @"Mac", @"category": @"full" }, - @{ @"prefix": @"iMac", @"category": @"full" }, - @{ @"prefix": @"AppleTV", @"category": @"tv" }, - @{ @"prefix": @"Watch", @"category": @"watch" }, - ] - categoriesByView:@{ - @"WiFi": @[ @"full", @"tv", @"watch" ], - @"SafariCreditCards": @[ @"full" ], - @"PCSEscrow": @[ @"full" ] - } - introducersByCategory:@{ - @"full": @[ @"full" ], - @"tv": @[ @"full", @"tv" ], - @"watch": @[ @"full", @"watch" ] - } - redactions:@{ - self.secretName: redaction - } - hashAlgo:kTPHashAlgoSHA256]; - - self.policyDocV2 - = [TPPolicyDocument policyDocWithVersion:2 - modelToCategory:@[ - @{ @"prefix": @"iCycle", @"category": @"full" }, // new - @{ @"prefix": @"iPhone", @"category": @"full" }, - @{ @"prefix": @"iPad", @"category": @"full" }, - @{ @"prefix": @"Mac", @"category": @"full" }, - @{ @"prefix": @"iMac", @"category": @"full" }, - @{ @"prefix": @"AppleTV", @"category": @"tv" }, - @{ @"prefix": @"Watch", @"category": @"watch" }, - ] - categoriesByView:@{ - @"WiFi": @[ @"full", @"tv", @"watch" ], - @"SafariCreditCards": @[ @"full" ], - @"PCSEscrow": @[ @"full" ] - } - introducersByCategory:@{ - @"full": @[ @"full" ], - @"tv": @[ @"full", @"tv" ], - @"watch": @[ @"full", @"watch" ] - } - redactions:@{} - hashAlgo:kTPHashAlgoSHA256]; - - self.model = [self makeModel]; -} - -- (TPPeerPermanentInfo *)makePeerWithMachineID:(NSString *)machineID -{ - return [self makePeerWithMachineID:machineID modelID:@"iPhone" epoch:1 key:machineID]; -} - -- (TPPeerPermanentInfo *)makePeerWithMachineID:(NSString *)machineID - modelID:(NSString *)modelID - epoch:(TPCounter)epoch - 
key:(NSString *)key -{ - NSData *keyData = [key dataUsingEncoding:NSUTF8StringEncoding]; - id trustSigningKey = [[TPDummySigningKey alloc] initWithPublicKeyData:keyData]; - TPPeerPermanentInfo *permanentInfo - = [TPPeerPermanentInfo permanentInfoWithMachineID:machineID - modelID:modelID - epoch:epoch - trustSigningKey:trustSigningKey - peerIDHashAlgo:kTPHashAlgoSHA256 - error:NULL]; - [self.model registerPeerWithPermanentInfo:permanentInfo]; - - TPPeerStableInfo *stableInfo = [self.model createStableInfoWithDictionary:@{} - policyVersion:self.policyDocV1.policyVersion - policyHash:self.policyDocV1.policyHash - policySecrets:nil - forPeerWithID:permanentInfo.peerID - error:NULL]; - [self.model updateStableInfo:stableInfo forPeerWithID:permanentInfo.peerID]; - return permanentInfo; -} - -static BOOL circleEquals(TPCircle *circle, NSArray *includedPeerIDs, NSArray *excludedPeerIDs) -{ - return [circle isEqualToCircle:[TPCircle circleWithIncludedPeerIDs:includedPeerIDs excludedPeerIDs:excludedPeerIDs]]; -} - -- (void)testModelBasics -{ - NSString *A = [self makePeerWithMachineID:@"aaa"].peerID; - NSString *B = [self makePeerWithMachineID:@"bbb"].peerID; - NSString *C = [self makePeerWithMachineID:@"ccc"].peerID; - - TPCircle *circle; - - // A trusts B, establishes clique - circle = [self.model advancePeerWithID:A addingPeerIDs:@[B] removingPeerIDs:@[] createClique:^NSString *{ - return @"clique1"; - }]; - XCTAssert(circleEquals(circle, @[A, B], @[])); - - // B trusts A - circle = [self.model advancePeerWithID:B addingPeerIDs:@[A] removingPeerIDs:@[] createClique:nil]; - XCTAssert(circleEquals(circle, @[A, B], @[])); - - // A trusts C - circle = [self.model advancePeerWithID:A addingPeerIDs:@[C] removingPeerIDs:@[] createClique:nil]; - XCTAssert(circleEquals(circle, @[A, B, C], @[])); - - // C trusts A - circle = [self.model advancePeerWithID:C addingPeerIDs:@[A] removingPeerIDs:@[] createClique:nil]; - XCTAssert(circleEquals(circle, @[A, B, C], @[])); - - // Updating B 
(B should now trust C) - circle = [self.model advancePeerWithID:B addingPeerIDs:nil removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[A, B, C], @[])); - - // Updating B again (should be no change) - circle = [self.model advancePeerWithID:B addingPeerIDs:nil removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[A, B, C], @[])); - - // A decides to exclude B - circle = [self.model advancePeerWithID:A addingPeerIDs:nil removingPeerIDs:@[B] createClique:nil]; - XCTAssert(circleEquals(circle, @[A, C], @[B])); - - // Updating C (C should now exclude B) - circle = [self.model advancePeerWithID:C addingPeerIDs:nil removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[A, C], @[B])); - - // Updating B (B should now exclude itself and include nobody) - circle = [self.model advancePeerWithID:B addingPeerIDs:nil removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[], @[B])); - - // Updating B again (should be no change) - circle = [self.model advancePeerWithID:B addingPeerIDs:nil removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[], @[B])); - - // C decides to exclude itself - circle = [self.model advancePeerWithID:C addingPeerIDs:nil removingPeerIDs:@[C] createClique:nil]; - XCTAssert(circleEquals(circle, @[], @[C])); - - // Updating C (should be no change) - circle = [self.model advancePeerWithID:C addingPeerIDs:nil removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[], @[C])); - - // Updating A (A should now exclude C) - circle = [self.model advancePeerWithID:A addingPeerIDs:nil removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[A], @[B, C])); -} - -- (void)testPeerReplacement -{ - NSString *A = [self makePeerWithMachineID:@"aaa"].peerID; - NSString *B = [self makePeerWithMachineID:@"bbb"].peerID; - NSString *C = [self makePeerWithMachineID:@"ccc"].peerID; - - TPCircle *circle; - - // A trusts B, establishes clique. 
A is in a drawer. - circle = [self.model advancePeerWithID:A addingPeerIDs:@[B] removingPeerIDs:@[] createClique:^NSString *{ - return @"clique1"; - }]; - XCTAssert(circleEquals(circle, @[A, B], @[])); - - // B trusts A - circle = [self.model advancePeerWithID:B addingPeerIDs:@[A] removingPeerIDs:@[] createClique:nil]; - XCTAssert(circleEquals(circle, @[A, B], @[])); - - // B decides to replace itself with C. - circle = [self.model advancePeerWithID:B addingPeerIDs:@[C] removingPeerIDs:@[B] createClique:nil]; - XCTAssert(circleEquals(circle, @[C], @[B])); - - // B should be able to update itself without forgetting it trusts C. - circle = [self.model advancePeerWithID:B addingPeerIDs:nil removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[C], @[B])); - - // When A wakes up, it should trust C instead of B. - circle = [self.model advancePeerWithID:A addingPeerIDs:nil removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[A, C], @[B])); -} - -- (void)testVoucher -{ - TPPeerPermanentInfo *aaa = [self makePeerWithMachineID:@"aaa"]; - TPPeerPermanentInfo *bbb = [self makePeerWithMachineID:@"bbb"]; - TPPeerPermanentInfo *ccc = [self makePeerWithMachineID:@"ccc"]; - - NSString *A = aaa.peerID; - NSString *B = bbb.peerID; - NSString *C = ccc.peerID; - - TPCircle *circle; - - // A establishes clique. 
- circle = [self.model advancePeerWithID:A addingPeerIDs:nil removingPeerIDs:nil createClique:^NSString *{ - return @"clique1"; - }]; - XCTAssert(circleEquals(circle, @[A], @[])); - - // B trusts A - circle = [self.model advancePeerWithID:B addingPeerIDs:@[A] removingPeerIDs:@[] createClique:nil]; - XCTAssert(circleEquals(circle, @[A, B], @[])); - - // C trusts A - circle = [self.model advancePeerWithID:C addingPeerIDs:@[A] removingPeerIDs:@[] createClique:nil]; - XCTAssert(circleEquals(circle, @[A, C], @[])); - - // B gets a voucher from A - TPVoucher *voucher = [self.model createVoucherForCandidate:bbb withSponsorID:A error:NULL]; - XCTAssertNotNil(voucher); - XCTAssertEqual(TPResultOk, [self.model registerVoucher:voucher]); - - // Updating C, it sees the voucher and now trusts B - circle = [self.model advancePeerWithID:C addingPeerIDs:nil removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[A, B, C], @[])); - - // Updating A, it sees the voucher (sponsored by A itself) and now trusts B. - // (A updating its dynamicInfo also expires the voucher.) - circle = [self.model advancePeerWithID:A addingPeerIDs:nil removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[A, B], @[])); -} - -- (void)testExpiredVoucher -{ - TPPeerPermanentInfo *aaa = [self makePeerWithMachineID:@"aaa"]; - TPPeerPermanentInfo *bbb = [self makePeerWithMachineID:@"bbb"]; - TPPeerPermanentInfo *ccc = [self makePeerWithMachineID:@"ccc"]; - TPPeerPermanentInfo *ddd = [self makePeerWithMachineID:@"ddd"]; - - NSString *A = aaa.peerID; - NSString *B = bbb.peerID; - NSString *C = ccc.peerID; - NSString *D = ddd.peerID; - - TPCircle *circle; - - // A establishes clique. 
- circle = [self.model advancePeerWithID:A addingPeerIDs:nil removingPeerIDs:nil createClique:^NSString *{ - return @"clique1"; - }]; - XCTAssert(circleEquals(circle, @[A], @[])); - - // B trusts A - circle = [self.model advancePeerWithID:B addingPeerIDs:@[A] removingPeerIDs:@[] createClique:nil]; - XCTAssert(circleEquals(circle, @[A, B], @[])); - - // C trusts A - circle = [self.model advancePeerWithID:C addingPeerIDs:@[A] removingPeerIDs:@[] createClique:nil]; - XCTAssert(circleEquals(circle, @[A, C], @[])); - - // B gets a voucher from A (but doesn't register the voucher yet because A would notice it) - TPVoucher *voucher = [self.model createVoucherForCandidate:bbb withSponsorID:A error:NULL]; - - // A advances its clock by deciding to trust D - circle = [self.model advancePeerWithID:A addingPeerIDs:@[D] removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[A, D], @[])); - - // Register the voucher, which is now expired because A has advanced its clock - [self.model registerVoucher:voucher]; - - // Updating C, it ignores the expired voucher for B - circle = [self.model advancePeerWithID:C addingPeerIDs:nil removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[A, C, D], @[])); -} - -- (void)testVoucherWithBadSignature -{ - TPPeerPermanentInfo *aaa = [self makePeerWithMachineID:@"aaa"]; - TPPeerPermanentInfo *bbb = [self makePeerWithMachineID:@"bbb"]; - - NSString *A = aaa.peerID; - NSString *B = bbb.peerID; - - TPCircle *circle; - - // A establishes clique. 
- circle = [self.model advancePeerWithID:A addingPeerIDs:nil removingPeerIDs:nil createClique:^NSString *{ - return @"clique1"; - }]; - XCTAssert(circleEquals(circle, @[A], @[])); - - // B trusts A - circle = [self.model advancePeerWithID:B addingPeerIDs:@[A] removingPeerIDs:@[] createClique:nil]; - XCTAssert(circleEquals(circle, @[A, B], @[])); - - // B gets a voucher from A, but signed by B's key - TPVoucher *voucher = [TPVoucher voucherWithBeneficiaryID:B - sponsorID:A - clock:[self.model getDynamicInfoForPeerWithID:A].clock - trustSigningKey:bbb.trustSigningKey - error:NULL]; - XCTAssertNotNil(voucher); - XCTAssertEqual(TPResultSignatureMismatch, [self.model registerVoucher:voucher]); -} - -- (void)testVoucherPolicy -{ - TPPeerPermanentInfo *aaa = [self makePeerWithMachineID:@"aaa" modelID:@"watch" epoch:1 key:@"aaa"]; - TPPeerPermanentInfo *bbb = [self makePeerWithMachineID:@"bbb"]; - - NSString *A = aaa.peerID; - - // B is a phone trying to get a voucher from A which is a watch - TPVoucher *voucher = [self.model createVoucherForCandidate:bbb withSponsorID:A error:NULL]; - XCTAssertNil(voucher); -} - -- (void)testDynamicInfoReplay -{ - NSString *A = [self makePeerWithMachineID:@"aaa"].peerID; - NSString *B = [self makePeerWithMachineID:@"bbb"].peerID; - - TPCircle *circle; - - // A establishes clique, trusts B. 
- circle = [self.model advancePeerWithID:A addingPeerIDs:@[B] removingPeerIDs:nil createClique:^NSString *{ - return @"clique1"; - }]; - XCTAssert(circleEquals(circle, @[A, B], @[])); - - // Attacker snapshots A's dynamicInfo - TPPeerDynamicInfo *dyn = [self.model getDynamicInfoForPeerWithID:A]; - - // A excludes B - circle = [self.model advancePeerWithID:A addingPeerIDs:nil removingPeerIDs:@[B] createClique:nil]; - XCTAssert(circleEquals(circle, @[A], @[B])); - - // Attacker replays the old snapshot - XCTAssertEqual(TPResultClockViolation, [self.model updateDynamicInfo:dyn forPeerWithID:A]); - - circle = [self.model getCircleForPeerWithID:A]; - XCTAssert(circleEquals(circle, @[A], @[B])); -} - -- (void)testPhoneApprovingWatch -{ - NSString *phoneA = [self makePeerWithMachineID:@"phoneA" modelID:@"iPhone7,1" epoch:1 key:@"phoneA"].peerID; - NSString *watch = [self makePeerWithMachineID:@"watch" modelID:@"Watch1,1" epoch:1 key:@"watch"].peerID; - - TPCircle *circle; - - // phoneA establishes clique, trusts watch. - circle = [self.model advancePeerWithID:phoneA addingPeerIDs:@[watch] removingPeerIDs:nil createClique:^NSString *{ - return @"clique1"; - }]; - XCTAssert(circleEquals(circle, @[phoneA, watch], @[])); -} - -- (void)testWatchApprovingPhone -{ - NSString *phoneA = [self makePeerWithMachineID:@"phoneA" modelID:@"iPhone7,1" epoch:1 key:@"phoneA"].peerID; - NSString *phoneB = [self makePeerWithMachineID:@"phoneB" modelID:@"iPhone7,1" epoch:1 key:@"phoneB"].peerID; - NSString *watch = [self makePeerWithMachineID:@"watch" modelID:@"Watch1,1" epoch:1 key:@"watch"].peerID; - - TPCircle *circle; - - // phoneA establishes clique, trusts watch. 
- circle = [self.model advancePeerWithID:phoneA addingPeerIDs:@[watch] removingPeerIDs:nil createClique:^NSString *{ - return @"clique1"; - }]; - XCTAssert(circleEquals(circle, @[phoneA, watch], @[])); - - // watch trusts phoneA and phoneB - circle = [self.model advancePeerWithID:watch addingPeerIDs:@[phoneA, phoneB] removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[phoneA, phoneB, watch], @[])); - - // phoneA updates, and it should ignore phoneB, so no change. - circle = [self.model advancePeerWithID:phoneA addingPeerIDs:nil removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[phoneA, watch], @[])); -} - -- (void)testNilCreateClique -{ - NSString *A = [self makePeerWithMachineID:@"aaa"].peerID; - - TPCircle *circle; - - // Try to establish dynamicInfo without providing createClique - circle = [self.model advancePeerWithID:A addingPeerIDs:nil removingPeerIDs:nil createClique:nil]; - XCTAssertNil(circle); -} - -- (void)testCliqueConvergence -{ - NSString *A = [self makePeerWithMachineID:@"aaa"].peerID; - NSString *B = [self makePeerWithMachineID:@"bbb"].peerID; - - TPCircle *circle; - - // A establishes clique1 - circle = [self.model advancePeerWithID:A addingPeerIDs:@[] removingPeerIDs:@[] createClique:^NSString *{ - return @"clique1"; - }]; - XCTAssert(circleEquals(circle, @[A], @[])); - XCTAssert([[self.model getDynamicInfoForPeerWithID:A].clique isEqualToString:@"clique1"]); - - // B establishes clique2 - circle = [self.model advancePeerWithID:B addingPeerIDs:@[] removingPeerIDs:@[] createClique:^NSString *{ - return @"clique2"; - }]; - XCTAssert(circleEquals(circle, @[B], @[])); - XCTAssert([[self.model getDynamicInfoForPeerWithID:B].clique isEqualToString:@"clique2"]); - - // A trusts B. A should now switch to clique2, which is later than clique1 in lexical order. 
- circle = [self.model advancePeerWithID:A addingPeerIDs:@[B] removingPeerIDs:@[] createClique:nil]; - XCTAssert(circleEquals(circle, @[A, B], @[])); - XCTAssert([[self.model getDynamicInfoForPeerWithID:A].clique isEqualToString:@"clique2"]); -} - -- (void)testRemovalCounts -{ - NSString *A = [self makePeerWithMachineID:@"aaa"].peerID; - NSString *B = [self makePeerWithMachineID:@"bbb"].peerID; - NSString *C = [self makePeerWithMachineID:@"ccc"].peerID; - - // A establishes clique with B and C - [self.model advancePeerWithID:A addingPeerIDs:@[B, C] removingPeerIDs:@[] createClique:^NSString *{ - return @"clique1"; - }]; - XCTAssertEqual(0ULL, [self.model getDynamicInfoForPeerWithID:A].removals); - - // B trusts A - [self.model advancePeerWithID:B addingPeerIDs:@[A] removingPeerIDs:@[] createClique:nil]; - XCTAssertEqual(0ULL, [self.model getDynamicInfoForPeerWithID:B].removals); - - // A removes C - [self.model advancePeerWithID:A addingPeerIDs:nil removingPeerIDs:@[C] createClique:nil]; - XCTAssertEqual(1ULL, [self.model getDynamicInfoForPeerWithID:A].removals); - - // B updates, and now shows 1 removal - [self.model advancePeerWithID:B addingPeerIDs:nil removingPeerIDs:nil createClique:nil]; - XCTAssertEqual(1ULL, [self.model getDynamicInfoForPeerWithID:B].removals); -} - -- (void)testCommunicatingModels -{ - TPPeerPermanentInfo *aaa = [self makePeerWithMachineID:@"aaa"]; - TPPeerPermanentInfo *bbb = [self makePeerWithMachineID:@"bbb"]; - TPPeerPermanentInfo *ccc = [self makePeerWithMachineID:@"ccc"]; - - NSString *A = aaa.peerID; - NSString *B = bbb.peerID; - NSString *C = ccc.peerID; - - // A lives on self.model, where it trusts B and C - [self.model advancePeerWithID:A addingPeerIDs:@[B, C] removingPeerIDs:nil createClique:^NSString *{ - return @"clique1"; - }]; - - // B lives on model2, where it trusts A - TPModel *model2 = [self makeModel]; - [model2 registerPeerWithPermanentInfo:aaa]; - [model2 registerPeerWithPermanentInfo:bbb]; - [model2 
updateStableInfo:[self.model getStableInfoForPeerWithID:A] forPeerWithID:A]; - [model2 updateStableInfo:[self.model getStableInfoForPeerWithID:B] forPeerWithID:B]; - [model2 advancePeerWithID:B addingPeerIDs:@[A] removingPeerIDs:nil createClique:^NSString *{ - return @"clique1"; - }]; - - // A's circle and dynamicInfo are transmitted from model to model2 - TPCircle *circle = [self.model getCircleForPeerWithID:A]; - TPPeerDynamicInfo *dyn = [self.model getDynamicInfoForPeerWithID:A]; - [model2 updateDynamicInfo:dyn forPeerWithID:A]; - [model2 registerCircle:circle]; - - // B updates in model2, but C is not yet registered so is ignored. - circle = [model2 advancePeerWithID:B addingPeerIDs:nil removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[A, B], @[])); - - // Now C registers in model2 - [model2 registerPeerWithPermanentInfo:ccc]; - - // B updates in model2, and now it trusts C. - circle = [model2 advancePeerWithID:B addingPeerIDs:nil removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[A, B, C], @[])); -} - -- (void)testCommunicatingModelsWithVouchers -{ - TPPeerPermanentInfo *aaa = [self makePeerWithMachineID:@"aaa"]; - TPPeerPermanentInfo *bbb = [self makePeerWithMachineID:@"bbb"]; - TPPeerPermanentInfo *ccc = [self makePeerWithMachineID:@"ccc"]; - - NSString *A = aaa.peerID; - NSString *B = bbb.peerID; - NSString *C = ccc.peerID; - - // A lives on self.model, where it trusts B - [self.model advancePeerWithID:A addingPeerIDs:@[B] removingPeerIDs:nil createClique:^NSString *{ - return @"clique1"; - }]; - - // B lives on model2, where it trusts A - TPModel *model2 = [self makeModel]; - [model2 registerPeerWithPermanentInfo:aaa]; - [model2 registerPeerWithPermanentInfo:bbb]; - [model2 updateStableInfo:[self.model getStableInfoForPeerWithID:A] forPeerWithID:A]; - [model2 updateStableInfo:[self.model getStableInfoForPeerWithID:B] forPeerWithID:B]; - [model2 advancePeerWithID:B addingPeerIDs:@[A] removingPeerIDs:nil 
createClique:^NSString *{ - return @"clique1"; - }]; - - // A's circle and dynamicInfo are transmitted from model to model2 - TPCircle *circle = [self.model getCircleForPeerWithID:A]; - TPPeerDynamicInfo *dyn = [self.model getDynamicInfoForPeerWithID:A]; - [model2 updateDynamicInfo:dyn forPeerWithID:A]; - [model2 registerCircle:circle]; - - // A writes a voucher for C, and it is transmitted to model2 - TPVoucher *voucher = [self.model createVoucherForCandidate:ccc withSponsorID:A error:NULL]; - [model2 registerVoucher:voucher]; - - // B updates in model2, but C is not yet registered so is ignored. - circle = [model2 advancePeerWithID:B addingPeerIDs:nil removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[A, B], @[])); - - // Now C registers in model2 - [model2 registerPeerWithPermanentInfo:ccc]; - [model2 updateStableInfo:[self.model getStableInfoForPeerWithID:C] forPeerWithID:C]; - - // B updates in model2, and now it trusts C. - circle = [model2 advancePeerWithID:B addingPeerIDs:nil removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[A, B, C], @[])); -} - -- (void)testReregisterPeer -{ - TPPeerPermanentInfo *aaa = [self makePeerWithMachineID:@"aaa"]; - - NSString *A = aaa.peerID; - - [self.model advancePeerWithID:A addingPeerIDs:nil removingPeerIDs:nil createClique:^NSString *{ - return @"clique1"; - }]; - - // Registering the peer again should not overwrite its dynamicInfo or other state. 
- [self.model registerPeerWithPermanentInfo:aaa]; - XCTAssertNotNil([self.model getDynamicInfoForPeerWithID:A]); -} - -- (void)testPeerAccessors -{ - TPPeerPermanentInfo *aaa = [self makePeerWithMachineID:@"aaa"]; - - NSString *A = aaa.peerID; - - XCTAssert([self.model hasPeerWithID:A]); - - TPPeerPermanentInfo *aaa2 = [self.model getPermanentInfoForPeerWithID:A]; - XCTAssertEqualObjects(aaa, aaa2); - - TPPeerStableInfo *info = [self.model createStableInfoWithDictionary:@{ @"hello": @"world" } - policyVersion:1 - policyHash:@"" - policySecrets:nil - forPeerWithID:A - error:NULL]; - XCTAssertEqual(TPResultOk, [self.model updateStableInfo:info forPeerWithID:A]); - - XCTAssertEqualObjects([self.model getStableInfoForPeerWithID:A], info); - - [self.model deletePeerWithID:A]; - XCTAssertFalse([self.model hasPeerWithID:A]); -} - -- (void)testCircleAccessors -{ - TPCircle *circle = [TPCircle circleWithIncludedPeerIDs:@[@"A, B"] excludedPeerIDs:nil]; - XCTAssertNil([self.model circleWithID:circle.circleID]); - [self.model registerCircle:circle]; - XCTAssertNotNil([self.model circleWithID:circle.circleID]); - [self.model deleteCircleWithID:circle.circleID]; - XCTAssertNil([self.model circleWithID:circle.circleID]); -} - -- (void)testLatestEpoch -{ - NSString *A = [self makePeerWithMachineID:@"aaa" modelID:@"iPhone" epoch:0 key:@"aaa"].peerID; - NSString *B = [self makePeerWithMachineID:@"bbb" modelID:@"iPhone" epoch:1 key:@"aaa"].peerID; - NSString *C = [self makePeerWithMachineID:@"ccc" modelID:@"iPhone" epoch:2 key:@"aaa"].peerID; - - TPCounter epoch = [self.model latestEpochAmongPeerIDs:[NSSet setWithArray:@[A, B, C]]]; - XCTAssertEqual(epoch, 2ULL); -} - -- (void)testPeerStatus -{ - NSString *A = [self makePeerWithMachineID:@"aaa" modelID:@"iPhone" epoch:0 key:@"aaa"].peerID; - NSString *B = [self makePeerWithMachineID:@"bbb" modelID:@"iPhone" epoch:0 key:@"bbb"].peerID; - NSString *C = [self makePeerWithMachineID:@"ccc" modelID:@"iPhone" epoch:0 key:@"ccc"].peerID; - 
NSString *D = [self makePeerWithMachineID:@"ddd" modelID:@"iPhone" epoch:1 key:@"ddd"].peerID; - NSString *E = [self makePeerWithMachineID:@"eee" modelID:@"iPhone" epoch:2 key:@"eee"].peerID; - - XCTAssertEqual([self.model statusOfPeerWithID:A], 0); - - [self.model advancePeerWithID:A addingPeerIDs:@[B, C] removingPeerIDs:@[] createClique:^NSString *{ - return @"clique1"; - }]; - XCTAssertEqual([self.model statusOfPeerWithID:A], 0); - - [self.model advancePeerWithID:B addingPeerIDs:@[A, C] removingPeerIDs:@[] createClique:nil]; - XCTAssertEqual([self.model statusOfPeerWithID:A], TPPeerStatusPartiallyReciprocated); - - [self.model advancePeerWithID:C addingPeerIDs:@[A] removingPeerIDs:@[] createClique:nil]; - XCTAssertEqual([self.model statusOfPeerWithID:A], TPPeerStatusPartiallyReciprocated | TPPeerStatusFullyReciprocated); - - [self.model advancePeerWithID:C addingPeerIDs:@[] removingPeerIDs:@[A] createClique:nil]; - XCTAssertEqual([self.model statusOfPeerWithID:A], TPPeerStatusPartiallyReciprocated | TPPeerStatusExcluded); - - [self.model advancePeerWithID:A addingPeerIDs:@[] removingPeerIDs:@[] createClique:nil]; - XCTAssertEqual([self.model statusOfPeerWithID:A], TPPeerStatusExcluded); - - [self.model advancePeerWithID:B addingPeerIDs:@[D] removingPeerIDs:@[] createClique:nil]; - XCTAssertEqual([self.model statusOfPeerWithID:B], TPPeerStatusPartiallyReciprocated | TPPeerStatusOutdatedEpoch); - - [self.model advancePeerWithID:C addingPeerIDs:@[E] removingPeerIDs:@[] createClique:nil]; - [self.model advancePeerWithID:B addingPeerIDs:@[] removingPeerIDs:@[] createClique:nil]; - XCTAssertEqual([self.model statusOfPeerWithID:B], TPPeerStatusPartiallyReciprocated | TPPeerStatusOutdatedEpoch | TPPeerStatusAncientEpoch); -} - -- (void)testCalculateUnusedCircleIDs -{ - NSString *A = [self makePeerWithMachineID:@"aaa" modelID:@"iPhone" epoch:0 key:@"aaa"].peerID; - NSString *B = [self makePeerWithMachineID:@"bbb" modelID:@"iPhone" epoch:0 key:@"bbb"].peerID; - - 
[self.model advancePeerWithID:A addingPeerIDs:@[B] removingPeerIDs:@[] createClique:^NSString *{ - return @"clique1"; - }]; - [self.model advancePeerWithID:B addingPeerIDs:@[B] removingPeerIDs:@[] createClique:nil]; - - NSSet* unused; - unused = [self.model calculateUnusedCircleIDs]; - XCTAssertEqualObjects(unused, [NSSet set]); - - NSString *circleID = [self.model getCircleForPeerWithID:A].circleID; - - [self.model advancePeerWithID:A addingPeerIDs:@[] removingPeerIDs:@[B] createClique:nil]; - - unused = [self.model calculateUnusedCircleIDs]; - XCTAssertEqualObjects(unused, [NSSet setWithObject:circleID]); -} - -- (void)testGetPeerIDsTrustedByPeerWithID -{ - NSString *A = [self makePeerWithMachineID:@"aaa" modelID:@"iPhone7,1" epoch:0 key:@"aaa"].peerID; - NSString *B = [self makePeerWithMachineID:@"bbb" modelID:@"iPhone6,2" epoch:0 key:@"bbb"].peerID; - NSString *C = [self makePeerWithMachineID:@"ccc" modelID:@"Watch1,1" epoch:0 key:@"ccc"].peerID; - [self makePeerWithMachineID:@"ddd" modelID:@"iPhone7,1" epoch:0 key:@"ddd"]; - - [self.model advancePeerWithID:A addingPeerIDs:@[B, C] removingPeerIDs:@[] createClique:^NSString *{ - return @"clique1"; - }]; - - // Everyone can access WiFi. 
Only full peers can access SafariCreditCards - - NSSet* peerIDs; - NSSet* expected; - - peerIDs = [self.model getPeerIDsTrustedByPeerWithID:A toAccessView:@"WiFi" error:NULL]; - expected = [NSSet setWithArray:@[A, B, C]]; - XCTAssertEqualObjects(peerIDs, expected); - - peerIDs = [self.model getPeerIDsTrustedByPeerWithID:A toAccessView:@"SafariCreditCards" error:NULL]; - expected = [NSSet setWithArray:@[A, B]]; - XCTAssertEqualObjects(peerIDs, expected); -} - -- (void)testVectorClock -{ - NSString *A = [self makePeerWithMachineID:@"aaa"].peerID; - NSString *B = [self makePeerWithMachineID:@"bbb"].peerID; - NSString *C = [self makePeerWithMachineID:@"ccc"].peerID; - - [self.model advancePeerWithID:A addingPeerIDs:@[B] removingPeerIDs:@[] createClique:^NSString *{ - return @"clique1"; - }]; - [self.model advancePeerWithID:B addingPeerIDs:@[A] removingPeerIDs:@[] createClique:nil]; - - NSDictionary *dict; - NSDictionary *expected; - - dict = [self.model vectorClock]; - expected = @{ A: @4, B: @5, C: @3 }; - XCTAssertEqualObjects(dict, expected); - - [self.model advancePeerWithID:C addingPeerIDs:@[A] removingPeerIDs:@[B] createClique:nil]; - [self.model advancePeerWithID:A addingPeerIDs:@[] removingPeerIDs:@[] createClique:nil]; - [self.model advancePeerWithID:B addingPeerIDs:@[] removingPeerIDs:@[] createClique:nil]; - - dict = [self.model vectorClock]; - expected = @{ A: @7, B: @8, C: @6 }; - XCTAssertEqualObjects(dict, expected); -} - -- (void)testICycleApprovingPhoneWithNewPolicy -{ - NSString *phoneA = [self makePeerWithMachineID:@"phoneA" modelID:@"iPhone7,1" epoch:1 key:@"phoneA"].peerID; - NSString *phoneB = [self makePeerWithMachineID:@"phoneB" modelID:@"iPhone7,1" epoch:1 key:@"phoneB"].peerID; - NSString *icycle = [self makePeerWithMachineID:@"icycle" modelID:@"iCycle1,1" epoch:1 key:@"icycle"].peerID; - - TPCircle *circle; - - // phoneA establishes clique, trusts icycle - circle = [self.model advancePeerWithID:phoneA addingPeerIDs:@[icycle] 
removingPeerIDs:nil createClique:^NSString *{ - return @"clique1"; - }]; - XCTAssert(circleEquals(circle, @[phoneA, icycle], @[])); - - // icycle trusts phoneA and phoneB - circle = [self.model advancePeerWithID:icycle addingPeerIDs:@[phoneA, phoneB] removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[phoneA, phoneB, icycle], @[])); - - // phoneA updates, and it doesn't know iCycles can approve phones, so it should ignore phoneB, so no change. - circle = [self.model advancePeerWithID:phoneA addingPeerIDs:nil removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[phoneA, icycle], @[])); - - // icycle presents a new policy that says iCycles can approve phones - TPPeerStableInfo *stableInfo = [self.model createStableInfoWithDictionary:@{} - policyVersion:self.policyDocV2.policyVersion - policyHash:self.policyDocV2.policyHash - policySecrets:nil - forPeerWithID:icycle - error:NULL]; - [self.model updateStableInfo:stableInfo forPeerWithID:icycle]; - - // phoneA updates again, sees the new policy that says iCycles can approve phones, and now trusts phoneB - circle = [self.model advancePeerWithID:phoneA addingPeerIDs:nil removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[phoneA, phoneB, icycle], @[])); -} - -- (void)testICycleApprovingPhoneWithRedactedPolicy -{ - NSString *phoneA = [self makePeerWithMachineID:@"phoneA" modelID:@"iPhone7,1" epoch:1 key:@"phoneA"].peerID; - NSString *phoneB = [self makePeerWithMachineID:@"phoneB" modelID:@"iPhone7,1" epoch:1 key:@"phoneB"].peerID; - NSString *icycle = [self makePeerWithMachineID:@"icycle" modelID:@"iCycle1,1" epoch:1 key:@"icycle"].peerID; - - TPCircle *circle; - - // phoneA establishes clique, trusts icycle - circle = [self.model advancePeerWithID:phoneA addingPeerIDs:@[icycle] removingPeerIDs:nil createClique:^NSString *{ - return @"clique1"; - }]; - XCTAssert(circleEquals(circle, @[phoneA, icycle], @[])); - - // icycle trusts phoneA and phoneB - circle = 
[self.model advancePeerWithID:icycle addingPeerIDs:@[phoneA, phoneB] removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[phoneA, phoneB, icycle], @[])); - - // phoneA updates, and it doesn't know iCycles can approve phones, so it should ignore phoneB, so no change. - circle = [self.model advancePeerWithID:phoneA addingPeerIDs:nil removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[phoneA, icycle], @[])); - - // icycle presents a new policy that says iCycles can approve phones - TPPeerStableInfo *stableInfo = [self.model createStableInfoWithDictionary:@{} - policyVersion:self.policyDocV1.policyVersion - policyHash:self.policyDocV1.policyHash - policySecrets:@{ - self.secretName: self.secretKey - } - forPeerWithID:icycle - error:NULL]; - [self.model updateStableInfo:stableInfo forPeerWithID:icycle]; - - // phoneA updates again, sees the new policy that says iCycles can approve phones, and now trusts phoneB - circle = [self.model advancePeerWithID:phoneA addingPeerIDs:nil removingPeerIDs:nil createClique:nil]; - XCTAssert(circleEquals(circle, @[phoneA, phoneB, icycle], @[])); -} - -@end diff --git a/keychain/trust/TrustedPeersTests/TPPeerPermanentInfoTests.m b/keychain/trust/TrustedPeersTests/TPPeerPermanentInfoTests.m deleted file mode 100644 index 58618257..00000000 --- a/keychain/trust/TrustedPeersTests/TPPeerPermanentInfoTests.m +++ /dev/null 
@@ -1,209 +0,0 @@
-/*
- * Copyright (c) 2017 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#import
-#import
-#import "TPDummySigningKey.h"
-
-@interface TPPeerPermanentInfoTests : XCTestCase
-@property (nonatomic, strong) TPPeerPermanentInfo* info;
-@end
-
-@implementation TPPeerPermanentInfoTests
-
-- (void)setUp
-{
- NSData *keyData = [@"key123" dataUsingEncoding:NSUTF8StringEncoding];
- TPDummySigningKey *key = [[TPDummySigningKey alloc] initWithPublicKeyData:keyData];
-
- self.info
- = [TPPeerPermanentInfo permanentInfoWithMachineID:@"machine123"
- modelID:@"iPhone1,1"
- epoch:7
- trustSigningKey:key
- peerIDHashAlgo:kTPHashAlgoSHA256
- error:NULL];
- XCTAssertNotNil(self.info);
-}
-
-- (void)testRoundTrip
-{
- TPCounter epoch = 7;
- NSString *machineID = @"machine123";
- NSString *modelID = @"iPhone1,1";
-
- NSData *keyData = [@"key123" dataUsingEncoding:NSUTF8StringEncoding];
-
- TPPeerPermanentInfo *info2
- = [TPPeerPermanentInfo permanentInfoWithPeerID:self.info.peerID
- permanentInfoPList:self.info.permanentInfoPList
- permanentInfoSig:self.info.permanentInfoSig
- keyFactory:[TPDummySigningKeyFactory dummySigningKeyFactory]];
-
- XCTAssertEqual(info2.epoch, epoch);
- XCTAssert([info2.machineID isEqualToString:machineID]);
- XCTAssert([info2.modelID isEqualToString:modelID]);
- XCTAssert([info2.trustSigningKey.publicKey isEqualToData:keyData]);
-
- XCTAssert([info2.peerID isEqualToString:self.info.peerID]);
- XCTAssert([info2.permanentInfoPList isEqualToData:self.info.permanentInfoPList]);
- XCTAssert([info2.permanentInfoSig isEqualToData:self.info.permanentInfoSig]);
-}
-
-- (void)testNonDictionary
-{
- NSData *data = [NSPropertyListSerialization dataWithPropertyList:@[ @"foo", @"bar"]
- format:NSPropertyListXMLFormat_v1_0
- options:0
- error:NULL];
- TPPeerPermanentInfo *info
- = [TPPeerPermanentInfo permanentInfoWithPeerID:@"x"
- permanentInfoPList:data
- permanentInfoSig:data
- keyFactory:[TPDummySigningKeyFactory dummySigningKeyFactory]];
- XCTAssertNil(info);
-}
-
-- (void)testBadMachineID
-{
- NSData *data = [TPUtils serializedPListWithDictionary:@{
- @"machineID": @5
- }];
- TPPeerPermanentInfo *info
- = [TPPeerPermanentInfo permanentInfoWithPeerID:@"x"
- permanentInfoPList:data
- permanentInfoSig:data
- keyFactory:[TPDummySigningKeyFactory dummySigningKeyFactory]];
- XCTAssertNil(info);
-}
-
-- (void)testBadModelID
-{
- NSData *data = [TPUtils serializedPListWithDictionary:@{
- @"machineID": @"aaa",
- @"modelID": @5,
- }];
- TPPeerPermanentInfo *info
- = [TPPeerPermanentInfo permanentInfoWithPeerID:@"x"
- permanentInfoPList:data
- permanentInfoSig:data
- keyFactory:[TPDummySigningKeyFactory dummySigningKeyFactory]];
- XCTAssertNil(info);
-}
-
-- (void)testBadEpoch
-{
- NSData *data = [TPUtils serializedPListWithDictionary:@{
- @"machineID": @"aaa",
- @"modelID": @"iPhone7,1",
- @"epoch": @"five",
- }];
- TPPeerPermanentInfo *info
- = [TPPeerPermanentInfo permanentInfoWithPeerID:@"x"
- permanentInfoPList:data
- permanentInfoSig:data
- keyFactory:[TPDummySigningKeyFactory dummySigningKeyFactory]];
- XCTAssertNil(info);
-}
-
-- (void)testBadTrustSigningKey
-{
- NSData *data = [TPUtils serializedPListWithDictionary:@{
- @"machineID": @"aaa",
- @"modelID": @"iPhone7,1",
- @"epoch": @5,
- @"trustSigningKey": @"foo",
- }];
- TPPeerPermanentInfo *info
- = [TPPeerPermanentInfo permanentInfoWithPeerID:@"x"
- permanentInfoPList:data
- permanentInfoSig:data
- keyFactory:[TPDummySigningKeyFactory dummySigningKeyFactory]];
- XCTAssertNil(info);
-}
-
-- (void)testBadTrustSigningKey2
-{
- NSData *data = [TPUtils serializedPListWithDictionary:@{
- @"machineID": @"aaa",
- @"modelID": @"iPhone7,1",
- @"epoch": @5,
- @"trustSigningKey": [NSData data],
- }];
- TPPeerPermanentInfo *info
- = [TPPeerPermanentInfo permanentInfoWithPeerID:@"x"
- permanentInfoPList:data
- permanentInfoSig:data
- keyFactory:[TPDummySigningKeyFactory dummySigningKeyFactory]];
- XCTAssertNil(info);
-}
-
-- (void)testBadSignature
-{
- TPPeerPermanentInfo *info2
- = [TPPeerPermanentInfo permanentInfoWithPeerID:self.info.peerID
- permanentInfoPList:self.info.permanentInfoPList
- permanentInfoSig:[NSData data]
- keyFactory:[TPDummySigningKeyFactory dummySigningKeyFactory]];
- XCTAssertNil(info2);
-}
-
-- (void)testBadHashAlgo
-{
- TPPeerPermanentInfo *info2
- = [TPPeerPermanentInfo permanentInfoWithPeerID:@"foo"
- permanentInfoPList:self.info.permanentInfoPList
- permanentInfoSig:self.info.permanentInfoSig
- keyFactory:[TPDummySigningKeyFactory dummySigningKeyFactory]];
- XCTAssertNil(info2);
-}
-
-- (void)testBadPeerID
-{
- TPPeerPermanentInfo *info2
- = [TPPeerPermanentInfo permanentInfoWithPeerID:@"SHA256:foo"
- permanentInfoPList:self.info.permanentInfoPList
- permanentInfoSig:self.info.permanentInfoSig
- keyFactory:[TPDummySigningKeyFactory dummySigningKeyFactory]];
- XCTAssertNil(info2);
-}
-
-- (void)testSigningKeyIsUnavailable
-{
- NSData *keyData = [@"key123" dataUsingEncoding:NSUTF8StringEncoding];
- TPDummySigningKey *key = [[TPDummySigningKey alloc] initWithPublicKeyData:keyData];
- key.privateKeyIsAvailable = NO;
-
- NSError *error = nil;
- TPPeerPermanentInfo *info
- = [TPPeerPermanentInfo permanentInfoWithMachineID:@"machine123"
- modelID:@"iPhone1,1"
- epoch:7
- trustSigningKey:key
- peerIDHashAlgo:kTPHashAlgoSHA256
- error:&error];
- XCTAssertNil(info);
- XCTAssertNotNil(error);
-}
-
-@end
diff --git a/keychain/trust/TrustedPeersTests/TPPeerStableInfoTests.m b/keychain/trust/TrustedPeersTests/TPPeerStableInfoTests.m
deleted file mode 100644
index 5c21166d..00000000
--- a/keychain/trust/TrustedPeersTests/TPPeerStableInfoTests.m
+++ /dev/null
@@ -1,131 +0,0 @@
-/*
- * Copyright (c) 2017 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#import
-#import
-#import "TPDummySigningKey.h"
-
-@interface TPPeerStableInfoTests : XCTestCase
-
-@end
-
-@implementation TPPeerStableInfoTests
-
-- (void)testSigningKeyIsUnavailable
-{
- NSData *keyData = [@"key123" dataUsingEncoding:NSUTF8StringEncoding];
- TPDummySigningKey *key = [[TPDummySigningKey alloc] initWithPublicKeyData:keyData];
- key.privateKeyIsAvailable = NO;
-
- NSError *error = nil;
- TPPeerStableInfo *info
- = [TPPeerStableInfo stableInfoWithDict:@{}
- clock:1
- policyVersion:1
- policyHash:@"foo"
- policySecrets:nil
- trustSigningKey:key
- error:&error];
- XCTAssertNil(info);
- XCTAssertNotNil(error);
-}
-
-- (void)testNonDictionary
-{
- NSData *data = [NSPropertyListSerialization dataWithPropertyList:@[ @"foo", @"bar"]
- format:NSPropertyListXMLFormat_v1_0
- options:0
- error:NULL];
- TPPeerStableInfo *info
- = [TPPeerStableInfo stableInfoWithPListData:data
- stableInfoSig:data];
- XCTAssertNil(info);
-}
-
-- (void)testBadClock
-{
- NSData *data =
[TPUtils serializedPListWithDictionary:@{
- @"clock": @"five"
- }];
- TPPeerStableInfo *info
- = [TPPeerStableInfo stableInfoWithPListData:data
- stableInfoSig:data];
- XCTAssertNil(info);
-}
-
-- (void)testBadPolicyVersion
-{
- NSData *data = [TPUtils serializedPListWithDictionary:@{
- @"clock": @5,
- @"policyVersion": @"five",
- }];
- TPPeerStableInfo *info
- = [TPPeerStableInfo stableInfoWithPListData:data
- stableInfoSig:data];
- XCTAssertNil(info);
-}
-
-- (void)testBadPolicyHash
-{
- NSData *data = [TPUtils serializedPListWithDictionary:@{
- @"clock": @5,
- @"policyVersion": @5,
- @"policyHash": @5
- }];
- TPPeerStableInfo *info
- = [TPPeerStableInfo stableInfoWithPListData:data
- stableInfoSig:data];
- XCTAssertNil(info);
-}
-
-- (void)testBadSecrets
-{
- NSData *data = [TPUtils serializedPListWithDictionary:@{
- @"clock": @5,
- @"policyVersion": @5,
- @"policyHash": @"foo",
- @"policySecrets": @5
- }];
- TPPeerStableInfo *info
- = [TPPeerStableInfo stableInfoWithPListData:data
- stableInfoSig:data];
- XCTAssertNil(info);
-}
-
-- (void)testBadSecretData
-{
- NSData *data = [TPUtils serializedPListWithDictionary:@{
- @"clock": @5,
- @"policyVersion": @5,
- @"policyHash": @"foo",
- @"policySecrets": @{
- @"foo": @5
- }
- }];
- TPPeerStableInfo *info
- = [TPPeerStableInfo stableInfoWithPListData:data
- stableInfoSig:data];
- XCTAssertNil(info);
-}
-
-@end
diff --git a/keychain/trust/TrustedPeersTests/TPPeerTests.m b/keychain/trust/TrustedPeersTests/TPPeerTests.m
deleted file mode 100644
index c882c766..00000000
--- a/keychain/trust/TrustedPeersTests/TPPeerTests.m
+++ /dev/null
@@ -1,119 +0,0 @@
-/*
- * Copyright (c) 2017 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#import
-#import
-#import "TPDummySigningKey.h"
-
-@interface TPPeerTests : XCTestCase
-
-@property (nonatomic, strong) TPPeer *peer;
-@property (nonatomic, strong) TPDummySigningKey *goodKey;
-@property (nonatomic, strong) TPDummySigningKey *badKey;
-
-@end
-
-@implementation TPPeerTests
-
-- (void)setUp
-{
- NSData *goodKeyData = [@"goodKey" dataUsingEncoding:NSUTF8StringEncoding];
- self.goodKey = [[TPDummySigningKey alloc] initWithPublicKeyData:goodKeyData];
-
- NSData *badKeyData = [@"badKey" dataUsingEncoding:NSUTF8StringEncoding];
- self.badKey = [[TPDummySigningKey alloc] initWithPublicKeyData:badKeyData];
-
- TPPeerPermanentInfo *permanentInfo;
- permanentInfo = [TPPeerPermanentInfo permanentInfoWithMachineID:@"A"
- modelID:@"iPhone8,1"
- epoch:1
- trustSigningKey:self.goodKey
- peerIDHashAlgo:kTPHashAlgoSHA256
- error:NULL];
- self.peer = [[TPPeer alloc] initWithPermanentInfo:permanentInfo];
-}
-
-- (void)testBadDynamicInfoKey
-{
- // Create a dynamicInfo with the
wrong key
- TPPeerDynamicInfo *dynamicInfo = [TPPeerDynamicInfo dynamicInfoWithCircleID:@"123"
- clique:@"clique"
- removals:0
- clock:1
- trustSigningKey:self.badKey
- error:NULL];
- XCTAssertEqual(TPResultSignatureMismatch, [self.peer updateDynamicInfo:dynamicInfo]);
-}
-
-- (void)testStableInfo
-{
- TPPeerStableInfo *info1 = [TPPeerStableInfo stableInfoWithDict:@{ @"hello": @"world1" }
- clock:1
- policyVersion:1
- policyHash:@""
- policySecrets:nil
- trustSigningKey:self.goodKey
- error:NULL];
- XCTAssertEqual(TPResultOk, [self.peer updateStableInfo:info1]);
-
- // Attempt update without advancing clock
- TPPeerStableInfo *info2 = [TPPeerStableInfo stableInfoWithDict:@{ @"hello": @"world2" }
- clock:1
- policyVersion:1
- policyHash:@""
- policySecrets:nil
- trustSigningKey:self.goodKey
- error:NULL];
- XCTAssertEqual(TPResultClockViolation, [self.peer updateStableInfo:info2]);
- XCTAssertEqualObjects(self.peer.stableInfo, info1);
-
- // Advance
- TPPeerStableInfo *info3 = [TPPeerStableInfo stableInfoWithDict:@{ @"hello": @"world3" }
- clock:3
- policyVersion:1
- policyHash:@""
- policySecrets:nil
- trustSigningKey:self.goodKey
- error:NULL];
- XCTAssertEqual(TPResultOk, [self.peer updateStableInfo:info3]);
-
- // No change, should return OK
- XCTAssertEqual(TPResultOk, [self.peer updateStableInfo:info3]);
-
- // Attempt replay
- XCTAssertEqual(TPResultClockViolation, [self.peer updateStableInfo:info1]);
- XCTAssertEqualObjects(self.peer.stableInfo, info3);
-
- // Attempt update with wrong key
- TPPeerStableInfo *info4 = [TPPeerStableInfo stableInfoWithDict:@{ @"hello": @"world4" }
- clock:4
- policyVersion:1
- policyHash:@""
- policySecrets:nil
- trustSigningKey:self.badKey
- error:NULL];
- XCTAssertEqual(TPResultSignatureMismatch, [self.peer updateStableInfo:info4]);
- XCTAssertEqualObjects(self.peer.stableInfo, info3);
-}
-
-@end
diff --git a/keychain/trust/TrustedPeersTests/TPPolicyDocumentTests.m b/keychain/trust/TrustedPeersTests/TPPolicyDocumentTests.m
deleted file mode 100644
index 59ceb183..00000000
--- a/keychain/trust/TrustedPeersTests/TPPolicyDocumentTests.m
+++ /dev/null
@@ -1,68 +0,0 @@
-/*
- * Copyright (c) 2017 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#import
-#import
-
-@interface TPPolicyDocumentTests : XCTestCase
-
-@end
-
-@implementation TPPolicyDocumentTests
-
-- (void)testRoundTrip
-{
- TPPolicyDocument *doc1
- = [TPPolicyDocument policyDocWithVersion:1
- modelToCategory:@[
- @{ @"prefix": @"iPhone", @"category": @"full" },
- @{ @"prefix": @"iPad", @"category": @"full" },
- @{ @"prefix": @"Mac", @"category": @"full" },
- @{ @"prefix": @"iMac", @"category": @"full" },
- @{ @"prefix": @"AppleTV", @"category": @"tv" },
- @{ @"prefix": @"Watch", @"category": @"watch" },
- ]
- categoriesByView:@{
- @"WiFi": @[ @"full", @"tv", @"watch" ],
- @"SafariCreditCards": @[ @"full" ],
- @"PCSEscrow": @[ @"full" ]
- }
- introducersByCategory:@{
- @"full": @[ @"full" ],
- @"tv": @[ @"full", @"tv" ],
- @"watch": @[ @"full", @"watch" ]
- }
- redactions:@{
- @"foo": [@"bar" dataUsingEncoding:NSUTF8StringEncoding]
- }
- hashAlgo:kTPHashAlgoSHA256];
-
-
- TPPolicyDocument *doc2 = [TPPolicyDocument policyDocWithHash:doc1.policyHash
pList:doc1.pList];
- XCTAssert([doc1 isEqualToPolicyDocument:doc2]);
-
- TPPolicyDocument *doc3 = [TPPolicyDocument policyDocWithHash:@"SHA256:foo" pList:doc1.pList];
- XCTAssertNil(doc3);
-}
-
-@end
diff --git a/keychain/trust/TrustedPeersTests/TPVoucherTests.m b/keychain/trust/TrustedPeersTests/TPVoucherTests.m
deleted file mode 100644
index de49c6cd..00000000
--- a/keychain/trust/TrustedPeersTests/TPVoucherTests.m
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- * Copyright (c) 2017 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-#import
-#import
-#import "TPDummySigningKey.h"
-
-@interface TPVoucherTests : XCTestCase
-
-@end
-
-@implementation TPVoucherTests
-
-- (void)testRoundTrip
-{
- NSData *keyData = [@"key" dataUsingEncoding:NSUTF8StringEncoding];
- id key = [[TPDummySigningKey alloc] initWithPublicKeyData:keyData];
-
- TPVoucher *voucher1 = [TPVoucher voucherWithBeneficiaryID:@"B"
- sponsorID:@"A"
- clock:1
- trustSigningKey:key
- error:NULL];
- TPVoucher *voucher1b = [TPVoucher voucherWithPList:voucher1.voucherInfoPList
- sig:voucher1.voucherInfoSig];
-
- XCTAssertEqualObjects(voucher1, voucher1b);
- XCTAssertEqual([voucher1 hash], [voucher1b hash]);
- XCTAssert([voucher1 isEqual:voucher1]);
- XCTAssert([voucher1 isEqualToVoucher:voucher1]);
- XCTAssert(![voucher1 isEqual:@"foo"]);
-
- TPVoucher *voucher2 = [TPVoucher voucherWithBeneficiaryID:@"C"
- sponsorID:@"A"
- clock:1
- trustSigningKey:key
- error:NULL];
- XCTAssertNotEqualObjects(voucher1, voucher2);
-}
-
-- (void)testMalformed
-{
- 
NSData *data = [@"foo" dataUsingEncoding:NSUTF8StringEncoding]; - XCTAssertNil([TPVoucher voucherWithPList:data sig:data]); - - data = [TPUtils serializedPListWithDictionary:@{ - @"beneficiaryID": @[], - @"sponsorID": @"A", - @"clock": @1 - }]; - XCTAssertNil([TPVoucher voucherWithPList:data sig:data]); - - data = [TPUtils serializedPListWithDictionary:@{ - @"beneficiaryID": @"B", - @"sponsorID": @7, - @"clock": @1 - }]; - XCTAssertNil([TPVoucher voucherWithPList:data sig:data]); - - data = [TPUtils serializedPListWithDictionary:@{ - @"beneficiaryID": @"B", - @"sponsorID": @"A", - @"clock": @"foo" - }]; - XCTAssertNil([TPVoucher voucherWithPList:data sig:data]); -} - -- (void)testCannotSign -{ - NSData *keyData = [@"key" dataUsingEncoding:NSUTF8StringEncoding]; - TPDummySigningKey *key = [[TPDummySigningKey alloc] initWithPublicKeyData:keyData]; - key.privateKeyIsAvailable = NO; - - NSError *error = nil; - TPVoucher *voucher = [TPVoucher voucherWithBeneficiaryID:@"B" - sponsorID:@"A" - clock:1 - trustSigningKey:key - error:&error]; - XCTAssertNil(voucher); -} - -@end diff --git a/lib/SecArgParse.c b/lib/SecArgParse.c index 3a326ac6..c0b43cf0 100644 --- a/lib/SecArgParse.c +++ b/lib/SecArgParse.c @@ -145,7 +145,7 @@ bool options_parse(int argc, char * const *argv, struct arguments* args) { realargs.arguments[i+1] = args->arguments[i]; } - struct option* long_options = (struct option*) malloc((noptions+1) * sizeof(struct option)); + struct option* long_options = (struct option*) calloc((noptions+1), sizeof(struct option)); size_t short_options_length = 2* noptions * sizeof(char) + 2; // 2: one for -h, one for the null terminator char* short_options = (char*) malloc(short_options_length); 
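Review bot: Neither `long_options` (now from `calloc`) nor `short_options` (from `malloc` on the following line) is tested for NULL in the lines shown, so an allocation failure would presumably be dereferenced when the option tables are filled in further down. options_parse continues outside this hunk, so confirm that no check follows later. A guard directly after the two allocations, `if (!long_options || !short_options) { success = false; goto out; }`, would fit the `out:` cleanup path that a later hunk of this commit relies on, provided that path tolerates NULL pointers.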
@@ -165,7 +165,7 @@ bool options_parse(int argc, char * const *argv, struct arguments* args) { struct option* long_option = &long_options[option_index]; for(size_t i = 0; i < noptions; i++) { - if(realargs.arguments[i].longname && strncmp(long_option->name, realargs.arguments[i].longname, strlen(realargs.arguments[i].longname)) == 0) { + if(realargs.arguments[i].longname && long_option->name && strncmp(long_option->name, realargs.arguments[i].longname, strlen(realargs.arguments[i].longname)) == 0) { trigger(realargs.arguments[i], optarg); } } @@ -185,7 +185,8 @@ bool options_parse(int argc, char * const *argv, struct arguments* args) { } } if(i == noptions) { - return false; + success = false; + goto out; } } } diff --git a/libsecurity_smime/lib/CMSDecoder.c b/libsecurity_smime/lib/CMSDecoder.c index 73434598..48cb56e2 100644 --- a/libsecurity_smime/lib/CMSDecoder.c +++ b/libsecurity_smime/lib/CMSDecoder.c @@ -970,8 +970,8 @@ OSStatus CMSDecoderCopySignerAppleCodesigningHashAgility( int numContentInfos = 0; CFDataRef returnedValue = NULL; - require(cmsDecoder && hashAgilityAttrValue, xit); - require_noerr(CMSDecoderGetCmsMessage(cmsDecoder, &cmsg), xit); + require(cmsDecoder && hashAgilityAttrValue, exit); + require_noerr(CMSDecoderGetCmsMessage(cmsDecoder, &cmsg), exit); numContentInfos = SecCmsMessageContentLevelCount(cmsg); for (int dex = 0; !signedData && dex < numContentInfos; dex++) { @@ -987,7 +987,7 @@ OSStatus CMSDecoderCopySignerAppleCodesigningHashAgility( } } } -xit: +exit: if (status == errSecSuccess && returnedValue) { *hashAgilityAttrValue = (CFDataRef) CFRetain(returnedValue); } else { 
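Review bot: The comparison on the changed line is bounded by `strlen(realargs.arguments[i].longname)`, so it tests whether the registered name is a prefix of `long_option->name` rather than whether the two are equal. With two registered names where one is a prefix of the other (say `foo` and `foobar`, constructed for illustration), parsing the longer option calls `trigger` for both, since the loop has no `break`. If exact matching is intended, `strcmp(long_option->name, realargs.arguments[i].longname) == 0` states it directly and keeps the new NULL guard. The loop sits inside options_parse, which starts and ends outside this hunk.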
@@ -995,3 +995,49 @@ xit: } return status; } + +/* + * Obtain the Hash Agility V2 attribute value of signer 'signerIndex' + * of a CMS message, if present. + * + * Returns errSecParam if the CMS message was not signed or if signerIndex + * is greater than the number of signers of the message minus one. + * + * This cannot be called until after CMSDecoderFinalizeMessage() is called. + */ +OSStatus CMSDecoderCopySignerAppleCodesigningHashAgilityV2( + CMSDecoderRef cmsDecoder, + size_t signerIndex, /* usually 0 */ + CFDictionaryRef CF_RETURNS_RETAINED *hashAgilityV2AttrValues) /* RETURNED */ +{ + OSStatus status = errSecParam; + SecCmsMessageRef cmsg; + SecCmsSignedDataRef signedData = NULL; + int numContentInfos = 0; + CFDictionaryRef returnedValue = NULL; + + require(cmsDecoder && hashAgilityV2AttrValues, exit); + require_noerr(CMSDecoderGetCmsMessage(cmsDecoder, &cmsg), exit); + numContentInfos = SecCmsMessageContentLevelCount(cmsg); + for (int dex = 0; !signedData && dex < numContentInfos; dex++) + { + SecCmsContentInfoRef ci = SecCmsMessageContentLevel(cmsg, dex); + SECOidTag tag = SecCmsContentInfoGetContentTypeTag(ci); + if (tag == SEC_OID_PKCS7_SIGNED_DATA) + if ((signedData = (SecCmsSignedDataRef)SecCmsContentInfoGetContent(ci))) { + SecCmsSignerInfoRef signerInfo = SecCmsSignedDataGetSignerInfo(signedData, (int)signerIndex); + if (signerInfo) + { + status = SecCmsSignerInfoGetAppleCodesigningHashAgilityV2(signerInfo, &returnedValue); + break; + } + } + } +exit: + if (status == errSecSuccess && returnedValue) { + *hashAgilityV2AttrValues = (CFDictionaryRef) CFRetain(returnedValue); + } else { + *hashAgilityV2AttrValues = NULL; + } + return status; +} diff --git a/libsecurity_smime/lib/CMSDecoder.h b/libsecurity_smime/lib/CMSDecoder.h index 8355d3ce..7b754404 100644 --- a/libsecurity_smime/lib/CMSDecoder.h +++ b/libsecurity_smime/lib/CMSDecoder.h 
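Review bot: At `exit:` the else branch stores through `hashAgilityV2AttrValues` unconditionally, but one way to reach it is `require(cmsDecoder && hashAgilityV2AttrValues, exit)` failing because that very pointer is NULL, so the argument check itself ends in a write through NULL. Guard the store with `} else if (hashAgilityV2AttrValues) {`, or return `errSecParam` for a NULL out-pointer before anything can jump to the label. The V1 function touched by the two preceding hunks shows the same tail as far as it is visible, so it likely needs the same guard. The unbraced `if (tag == SEC_OID_PKCS7_SIGNED_DATA)` wrapping a braced `if` is also easy to misread; braces on the outer `if` would help.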
@@ -407,7 +407,22 @@ OSStatus CMSDecoderGetDecoder( OSStatus CMSDecoderCopySignerAppleCodesigningHashAgility( CMSDecoderRef cmsDecoder, size_t signerIndex, /* usually 0 */ - CFDataRef CF_RETURNS_RETAINED * _Nonnull hashAgilityAttrValue); /* RETURNED */ + CFDataRef _Nullable CF_RETURNS_RETAINED * _Nonnull hashAgilityAttrValue); /* RETURNED */ + + +/* + * Obtain the Hash Agility v2 attribute value of signer 'signerIndex' + * of a CMS message, if present. V2 encodes the hash agility values using DER. + * + * Returns errSecParam if the CMS message was not signed or if signerIndex + * is greater than the number of signers of the message minus one. + * + * This cannot be called until after CMSDecoderFinalizeMessage() is called. + */ +OSStatus CMSDecoderCopySignerAppleCodesigningHashAgilityV2( + CMSDecoderRef cmsDecoder, + size_t signerIndex, /* usually 0 */ + CFDictionaryRef _Nullable CF_RETURNS_RETAINED * _Nonnull hashAgilityAttrValues); /* RETURNED */ CF_ASSUME_NONNULL_END diff --git a/libsecurity_smime/lib/CMSEncoder.c b/libsecurity_smime/lib/CMSEncoder.c index c376a834..44d1dd0c 100644 --- a/libsecurity_smime/lib/CMSEncoder.c +++ b/libsecurity_smime/lib/CMSEncoder.c @@ -97,6 +97,7 @@ struct _CMSEncoder { CMSCertificateChainMode chainMode; CFDataRef hashAgilityAttrValue; + CFDictionaryRef hashAgilityV2AttrValues; }; static void cmsEncoderInit(CFTypeRef enc); @@ -526,6 +527,16 @@ static OSStatus cmsSetupForSignedData( break; } } + if(cmsEncoder->signedAttributes & kCMSAttrAppleCodesigningHashAgilityV2) { + ortn = SecCmsSignerInfoAddAppleCodesigningHashAgilityV2(signerInfo, cmsEncoder->hashAgilityV2AttrValues); + /* libsecurity_smime made a copy of the attribute value. We don't need it anymore. */ + CFReleaseNull(cmsEncoder->hashAgilityV2AttrValues); + if(ortn) { + ortn = cmsRtnToOSStatus(ortn); + CSSM_PERROR("SecCmsSignerInfoAddAppleCodesigningHashAgilityV2", ortn); + break; + } + } CFRELEASE(ourCert); ourCert = NULL; 
@@ -1008,6 +1019,22 @@ OSStatus CMSEncoderSetAppleCodesigningHashAgility( return errSecSuccess; } +/* + * Set the hash agility attribute for a CMSEncoder. + * This is only used if the kCMSAttrAppleCodesigningHashAgilityV2 attribute + * is included. + */ +OSStatus CMSEncoderSetAppleCodesigningHashAgilityV2( + CMSEncoderRef cmsEncoder, + CFDictionaryRef hashAgilityV2AttrValues) +{ + if (cmsEncoder == NULL || cmsEncoder->encState != ES_Init) { + return errSecParam; + } + cmsEncoder->hashAgilityV2AttrValues = CFRetainSafe(hashAgilityV2AttrValues); + return errSecSuccess; +} + OSStatus CMSEncoderSetCertificateChainMode( CMSEncoderRef cmsEncoder, CMSCertificateChainMode chainMode) diff --git a/libsecurity_smime/lib/CMSEncoder.h b/libsecurity_smime/lib/CMSEncoder.h index dda5f2f1..e548c56d 100644 --- a/libsecurity_smime/lib/CMSEncoder.h +++ b/libsecurity_smime/lib/CMSEncoder.h @@ -248,7 +248,8 @@ typedef CF_OPTIONS(uint32_t, CMSSignedAttributes) { /* * Include the Apple Codesigning Hash Agility. */ - kCMSAttrAppleCodesigningHashAgility = 0x0010 + kCMSAttrAppleCodesigningHashAgility = 0x0010, + kCMSAttrAppleCodesigningHashAgilityV2 = 0x0020, }; /* @@ -415,6 +416,18 @@ OSStatus CMSEncoderSetAppleCodesigningHashAgility( CMSEncoderRef cmsEncoder, CFDataRef hashAgilityAttrValue); +/* + * Set the hash agility attribute for a CMSEncoder. + * This is only used if the kCMSAttrAppleCodesigningHashAgilityV2 attribute + * is included. V2 encodes the hash agility values using DER. + * The dictionary should have CFNumberRef keys, corresponding to SECOidTags + * (from SecCmsBase.h) for digest algorithms, and CFDataRef values, + * corresponding to the digest value for that digest algorithm. + */ +OSStatus CMSEncoderSetAppleCodesigningHashAgilityV2( + CMSEncoderRef cmsEncoder, + CFDictionaryRef hashAgilityV2AttrValues); + CF_ASSUME_NONNULL_END diff --git a/libsecurity_smime/lib/CMSUtils.c b/libsecurity_smime/lib/CMSUtils.c index 80caf601..2caac62c 100644 
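Review bot: `CMSEncoderSetAppleCodesigningHashAgilityV2` overwrites `cmsEncoder->hashAgilityV2AttrValues` with a newly retained dictionary without releasing a value set earlier, so calling it twice while the encoder is in `ES_Init` leaks the first dictionary; `CFReleaseNull(cmsEncoder->hashAgilityV2AttrValues);` before the assignment fixes that. The only release visible in this commit is in cmsSetupForSignedData and runs only when `kCMSAttrAppleCodesigningHashAgilityV2` is set, so the encoder's teardown (not shown here) should release the field as well. Because the dictionary is retained rather than copied, a caller holding a mutable dictionary can still change it before signing, which the function comment could state.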
--- a/libsecurity_smime/lib/CMSUtils.c +++ b/libsecurity_smime/lib/CMSUtils.c @@ -86,6 +86,7 @@ OSStatus cmsRtnToOSStatusDefault(OSStatus smimeRtn, // from libsecurity_smime if(smimeRtn == SECFailure) { /* This is a SECStatus. Try to get detailed error info. */ smimeRtn = PORT_GetError(); + PORT_SetError(0); // clean up the thread since we're handling this error if(smimeRtn == 0) { /* S/MIME just gave us generic error; no further info available; punt. */ dprintf("cmsRtnToOSStatus: SECFailure, no status avilable\n"); diff --git a/libsecurity_smime/lib/SecCmsBase.h b/libsecurity_smime/lib/SecCmsBase.h index 0111155b..c9e6e1ad 100644 --- a/libsecurity_smime/lib/SecCmsBase.h +++ b/libsecurity_smime/lib/SecCmsBase.h @@ -482,8 +482,9 @@ typedef enum { SEC_OID_ECDSA_WITH_SHA384 = 212, SEC_OID_ECDSA_WITH_SHA512 = 213, - /* Apple CMS Attribute */ + /* Apple CMS Attributes */ SEC_OID_APPLE_HASH_AGILITY = 214, + SEC_OID_APPLE_HASH_AGILITY_V2 = 215, SEC_OID_TOTAL } SECOidTag; diff --git a/libsecurity_smime/lib/SecCmsSignerInfo.h b/libsecurity_smime/lib/SecCmsSignerInfo.h index 257a1d26..ab132f23 100644 --- a/libsecurity_smime/lib/SecCmsSignerInfo.h +++ b/libsecurity_smime/lib/SecCmsSignerInfo.h @@ -100,6 +100,17 @@ SecCmsSignerInfoGetSigningTime(SecCmsSignerInfoRef sinfo, CFAbsoluteTime *stime) extern OSStatus SecCmsSignerInfoGetAppleCodesigningHashAgility(SecCmsSignerInfoRef sinfo, CFDataRef *sdata); +/*! + @function + @abstract Return the data in the signed Codesigning Hash Agility V2 attribute. + @param sinfo SignerInfo data for this signer, pointer to a CFDictionaryRef for attribute values + @discussion Returns a CFDictionaryRef containing the values of the attribute. V2 encodes the + hash agility values using DER. + @result A return value of SECFailure is an error. + */ +extern OSStatus +SecCmsSignerInfoGetAppleCodesigningHashAgilityV2(SecCmsSignerInfoRef sinfo, CFDictionaryRef *sdict); + /*! @function @abstract Return the signing cert of a CMS signerInfo. 
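Review bot: The new headerdoc for `SecCmsSignerInfoGetAppleCodesigningHashAgilityV2` names SECFailure as the error result, while the implementation this commit adds in cmssiginfo.c returns `errSecParam`, `errSecDecode` or `errSecAllocate`, and returns success with `*sdict` left NULL when the attribute is absent. It also hands back the dictionary cached on the signer info without retaining it, which the comment does not say (the CMSDecoder wrapper retains it itself). I would reword the result line to `@result SECSuccess with *sdict NULL if the attribute is absent; errSecParam, errSecDecode or errSecAllocate on failure` and add to `@discussion` that the dictionary is owned by `sinfo` and must be retained by a caller that keeps it.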
@@ -178,11 +189,21 @@ SecCmsSignerInfoAddCounterSignature(SecCmsSignerInfoRef signerinfo, /*! @function @abstract Add the Apple Codesigning Hash Agility attribute to the authenticated (i.e. signed) attributes of "signerinfo". - @discussion This is expected to be included in outgoing signed Apple code signatures. + @discussion This is expected to be included in outgoing Apple code signatures. */ OSStatus SecCmsSignerInfoAddAppleCodesigningHashAgility(SecCmsSignerInfoRef signerinfo, CFDataRef attrValue); +/*! + @function + @abstract Add the Apple Codesigning Hash Agility V2 attribute to the authenticated (i.e. signed) attributes of "signerinfo". + @discussion This is expected to be included in outgoing Apple code signatures. V2 encodes the hash agility values using DER. + The dictionary should have CFNumberRef keys, corresponding to SECOidTags for digest algorithms, and CFDataRef values, + corresponding to the digest value for that digest algorithm. + */ +OSStatus +SecCmsSignerInfoAddAppleCodesigningHashAgilityV2(SecCmsSignerInfoRef signerinfo, CFDictionaryRef attrValues); + /*! @function @abstract The following needs to be done in the S/MIME layer code after signature of a signerinfo has been verified. diff --git a/libsecurity_smime/lib/cmsattr.c b/libsecurity_smime/lib/cmsattr.c index 05d0033b..8bab00d0 100644 --- a/libsecurity_smime/lib/cmsattr.c +++ b/libsecurity_smime/lib/cmsattr.c 
@@ -114,19 +114,23 @@ loser: OSStatus SecCmsAttributeAddValue(PLArenaPool *poolp, SecCmsAttribute *attr, SecAsn1Item * value) { - SecAsn1Item copiedvalue; + SecAsn1Item *copiedvalue; void *mark; PORT_Assert (poolp != NULL); mark = PORT_ArenaMark(poolp); - /* XXX we need an object memory model #$%#$%! */ - if (SECITEM_CopyItem(poolp, &copiedvalue, value) != SECSuccess) - goto loser; + if (value != NULL) { + if ((copiedvalue = SECITEM_AllocItem(poolp, NULL, value->Length)) == NULL) + goto loser; - if (SecCmsArrayAdd(poolp, (void ***)&(attr->values), (void *)&copiedvalue) != SECSuccess) - goto loser; + if (SECITEM_CopyItem(poolp, copiedvalue, value) != SECSuccess) + goto loser; + + if (SecCmsArrayAdd(poolp, (void ***)&(attr->values), (void *)copiedvalue) != SECSuccess) + goto loser; + } PORT_ArenaUnmark(poolp, mark); return SECSuccess; @@ -237,6 +241,7 @@ cms_attr_choose_attr_value_template(void *src_or_dest, Boolean encoding, const c switch (oiddata->offset) { case SEC_OID_PKCS9_SMIME_CAPABILITIES: case SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE: + case SEC_OID_APPLE_HASH_AGILITY_V2: /* these guys need to stay DER-encoded */ default: /* same goes for OIDs that are not handled here */ diff --git a/libsecurity_smime/lib/cmscinfo.c b/libsecurity_smime/lib/cmscinfo.c index 24540480..00cb7ad2 100644 --- a/libsecurity_smime/lib/cmscinfo.c +++ b/libsecurity_smime/lib/cmscinfo.c @@ -192,8 +192,11 @@ SecCmsContentInfoSetContentData(SecCmsContentInfoRef cinfo, CFDataRef dataRef, B data->Data = NULL; } - if (SecCmsContentInfoSetContent(cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess) - return PORT_GetError(); + if (SecCmsContentInfoSetContent(cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess) { + OSStatus status = PORT_GetError(); + PORT_SetError(0); // clean the thread since we've returned this error + return status; + } cinfo->rawContent = (detached) ? NULL : (data) ? data : SECITEM_AllocItem(cinfo->cmsg->poolp, NULL, 1); 
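Review bot: With the new `if (value != NULL)` wrapper, `SecCmsAttributeAddValue` returns SECSuccess for a NULL `value` without appending anything, which a caller cannot tell apart from a real add; if that is the intent, a comment such as `/* NULL value: nothing to add, not an error */` above the `if` would record it. `SECITEM_AllocItem(poolp, NULL, value->Length)` also reserves a data buffer that `SECITEM_CopyItem` in the next statement presumably replaces with its own arena allocation, so the first buffer looks unused; worth confirming against SECITEM_CopyItem. The function's `loser:` path lies outside this hunk.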
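Review bot: In the cmscinfo.c hunk, `status` can still be 0 when `SecCmsContentInfoSetContent` fails: the CMSUtils.c hunk of this same commit explicitly handles `PORT_GetError()` returning 0 after a SECFailure, and in that case this branch reports success to the caller. A fallback keeps the failure visible, for example `if (status == 0) status = errSecInternal;` before the `return`. The same get-then-clear pattern without a fallback appears in the cmsdecode.c and cmsencode.c hunks (`nss_cms_decoder_notify`, `nss_cms_encoder_notify`, and `SecCmsEncoderUpdate`, where a non-zero `result` is overwritten with the fetched value).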
diff --git a/libsecurity_smime/lib/cmsdecode.c b/libsecurity_smime/lib/cmsdecode.c index 2dd6f8ac..333cd1ee 100644 --- a/libsecurity_smime/lib/cmsdecode.c +++ b/libsecurity_smime/lib/cmsdecode.c @@ -182,12 +182,15 @@ nss_cms_decoder_notify(void *arg, Boolean before, void *dest, int depth) if (nss_cms_before_data(p7dcx) != SECSuccess) { SEC_ASN1DecoderClearFilterProc(p7dcx->dcx); /* stop all processing */ p7dcx->error = PORT_GetError(); + PORT_SetError(0); } } if (after && dest == &(cinfo->rawContent)) { /* we're right after of the data */ - if (nss_cms_after_data(p7dcx) != SECSuccess) + if (nss_cms_after_data(p7dcx) != SECSuccess) { p7dcx->error = PORT_GetError(); + PORT_SetError(0); + } /* we don't need to see the contents anymore */ SEC_ASN1DecoderClearFilterProc(p7dcx->dcx); @@ -595,6 +598,9 @@ SecCmsDecoderCreate(SecCmsContentCallback cb, void *cb_arg, SecCmsMessageRef cmsg; OSStatus result; + /* Clear the thread error to clean up dirty threads */ + PORT_SetError(0); + cmsg = SecCmsMessageCreate(); if (cmsg == NULL) goto loser; @@ -627,6 +633,7 @@ SecCmsDecoderCreate(SecCmsContentCallback cb, void *cb_arg, loser: result = PORT_GetError(); + PORT_SetError(0); // Clean the thread error since we've returned the error return result; } @@ -658,7 +665,8 @@ SecCmsDecoderUpdate(SecCmsDecoderRef p7dcx, const void *buf, CFIndex len) (void) SEC_ASN1DecoderFinish (p7dcx->dcx); p7dcx->dcx = NULL; } - PORT_SetError (p7dcx->error); + + PORT_SetError (0); // Clean the thread error since we've returned the error return p7dcx->error; } @@ -711,6 +719,7 @@ loser: p7dcx->dcx = NULL; p7dcx->childp7dcx = NULL; PORT_Free(p7dcx); + PORT_SetError(0); // Clean the thread error since we've returned the error return result; } diff --git a/libsecurity_smime/lib/cmsencode.c b/libsecurity_smime/lib/cmsencode.c index 9b89a58b..e9a97a57 100644 --- a/libsecurity_smime/lib/cmsencode.c +++ b/libsecurity_smime/lib/cmsencode.c 
@@ -176,8 +176,10 @@ nss_cms_encoder_notify(void *arg, Boolean before, void *dest, int depth) /* we're right before encoding the data (if we have some or not) */ /* (for encrypted data, we're right before the contentEncAlg which may change */ /* in nss_cms_before_data because of IV calculation when setting up encryption) */ - if (nss_cms_before_data(p7ecx) != SECSuccess) + if (nss_cms_before_data(p7ecx) != SECSuccess) { p7ecx->error = PORT_GetError(); + PORT_SetError(0); // Clean the thread error since we've returned the error + } } if (before && dest == &(cinfo->rawContent)) { if (childtype == SEC_OID_PKCS7_DATA && (item = cinfo->content.data) != NULL) @@ -188,8 +190,10 @@ nss_cms_encoder_notify(void *arg, Boolean before, void *dest, int depth) SEC_ASN1EncoderSetTakeFromBuf(p7ecx->ecx); } if (after && dest == &(cinfo->rawContent)) { - if (nss_cms_after_data(p7ecx) != SECSuccess) + if (nss_cms_after_data(p7ecx) != SECSuccess) { p7ecx->error = PORT_GetError(); + PORT_SetError(0); // Clean the thread error since we've returned the error + } SEC_ASN1EncoderClearNotifyProc(p7ecx->ecx); /* no need to get notified anymore */ } break; @@ -513,6 +517,9 @@ SecCmsEncoderCreate(SecCmsMessageRef cmsg, OSStatus result; SecCmsContentInfoRef cinfo; + /* Clear the thread error to clean up dirty threads */ + PORT_SetError(0); + SecCmsMessageSetEncodingParams(cmsg, pwfn, pwfn_arg, decrypt_key_cb, decrypt_key_cb_arg); p7ecx = (SecCmsEncoderRef)PORT_ZAlloc(sizeof(struct SecCmsEncoderStr)); @@ -561,6 +568,7 @@ SecCmsEncoderCreate(SecCmsMessageRef cmsg, if (p7ecx->ecx == NULL) { result = PORT_GetError(); PORT_Free(p7ecx); + PORT_SetError(0); // Clean the thread error since we've returned the error goto loser; } p7ecx->ecxupdated = PR_FALSE; 
@@ -582,6 +590,7 @@ SecCmsEncoderCreate(SecCmsMessageRef cmsg, if (SEC_ASN1EncoderUpdate(p7ecx->ecx, NULL, 0) != SECSuccess) { result = PORT_GetError(); PORT_Free(p7ecx); + PORT_SetError(0); // Clean the thread error since we've returned the error goto loser; } @@ -631,8 +640,10 @@ SecCmsEncoderUpdate(SecCmsEncoderRef p7ecx, const void *data, CFIndex len) /* hand it the data so it can encode it (let DER trickle up the chain) */ result = nss_cms_encoder_work_data(p7ecx, NULL, (const unsigned char *)data, len, PR_FALSE, PR_TRUE); - if (result) + if (result) { result = PORT_GetError(); + PORT_SetError(0); // Clean the thread error since we've returned the error + } } return result; } @@ -737,6 +748,7 @@ SecCmsEncoderFinish(SecCmsEncoderRef p7ecx) loser: SEC_ASN1EncoderFinish(p7ecx->ecx); PORT_Free (p7ecx); + PORT_SetError(0); // Clean the thread error since we've returned the error return result; } diff --git a/libsecurity_smime/lib/cmssiginfo.c b/libsecurity_smime/lib/cmssiginfo.c index 21d9fd9a..e2e06912 100644 --- a/libsecurity_smime/lib/cmssiginfo.c +++ b/libsecurity_smime/lib/cmssiginfo.c @@ -316,6 +316,10 @@ SecCmsSignerInfoDestroy(SecCmsSignerInfoRef si) CFRelease(si->hashAgilityAttrValue); } + if (si->hashAgilityV2AttrValues != NULL) { + CFRelease(si->hashAgilityV2AttrValues); + } + /* XXX storage ??? */ } 
@@ -899,6 +903,113 @@ SecCmsSignerInfoGetAppleCodesigningHashAgility(SecCmsSignerInfoRef sinfo, CFData return errSecAllocate; } +/* AgileHash ::= SEQUENCE { + hashType OBJECT IDENTIFIER, + hashValues OCTET STRING } +*/ +typedef struct { + SecAsn1Item digestOID; + SecAsn1Item digestValue; +} CMSAppleAgileHash; + +static const SecAsn1Template CMSAppleAgileHashTemplate[] = { + { SEC_ASN1_SEQUENCE, + 0, NULL, sizeof(CMSAppleAgileHash) }, + { SEC_ASN1_OBJECT_ID, + offsetof(CMSAppleAgileHash, digestOID), }, + { SEC_ASN1_OCTET_STRING, + offsetof(CMSAppleAgileHash, digestValue), }, + { 0, } +}; + +static OSStatus CMSAddAgileHashToDictionary(CFMutableDictionaryRef dictionary, SecAsn1Item *DERAgileHash) { + PLArenaPool *tmppoolp = NULL; + OSStatus status = errSecSuccess; + CMSAppleAgileHash agileHash; + CFDataRef digestValue = NULL; + CFNumberRef digestTag = NULL; + + tmppoolp = PORT_NewArena(1024); + if (tmppoolp == NULL) { + return errSecAllocate; + } + + if ((status = SEC_ASN1DecodeItem(tmppoolp, &agileHash, CMSAppleAgileHashTemplate, DERAgileHash)) != errSecSuccess) { + goto loser; + } + + int64_t tag = SECOID_FindOIDTag(&agileHash.digestOID); + digestTag = CFNumberCreate(NULL, kCFNumberSInt64Type, &tag); + digestValue = CFDataCreate(NULL, agileHash.digestValue.Data, agileHash.digestValue.Length); + CFDictionaryAddValue(dictionary, digestTag, digestValue); + +loser: + CFReleaseNull(digestValue); + CFReleaseNull(digestTag); + if (tmppoolp) { + PORT_FreeArena(tmppoolp, PR_FALSE); + } + return status; +} + +/*! + @function + @abstract Return the data in the signed Codesigning Hash Agility V2 attribute. + @param sinfo SignerInfo data for this signer, pointer to a CFDictionaryRef for attribute values + @discussion Returns a CFDictionaryRef containing the values of the attribute + @result A return value of errSecInternal is an error trying to look up the oid. + A status value of success with null result data indicates the attribute was not present. 
+ */ +OSStatus +SecCmsSignerInfoGetAppleCodesigningHashAgilityV2(SecCmsSignerInfoRef sinfo, CFDictionaryRef *sdict) +{ + SecCmsAttribute *attr; + + if (sinfo == NULL || sdict == NULL) { + return errSecParam; + } + + *sdict = NULL; + + if (sinfo->hashAgilityV2AttrValues != NULL) { + *sdict = sinfo->hashAgilityV2AttrValues; /* cached copy */ + return SECSuccess; + } + + attr = SecCmsAttributeArrayFindAttrByOidTag(sinfo->authAttr, SEC_OID_APPLE_HASH_AGILITY_V2, PR_TRUE); + + /* attribute not found */ + if (attr == NULL) { + return SECSuccess; + } + + /* attrValues SET OF AttributeValue + * AttributeValue ::= ANY + */ + SecAsn1Item **values = attr->values; + if (values == NULL) { /* There must be values */ + return errSecDecode; + } + + CFMutableDictionaryRef agileHashValues = CFDictionaryCreateMutable(NULL, SecCmsArrayCount((void **)values), + &kCFTypeDictionaryKeyCallBacks, + &kCFTypeDictionaryValueCallBacks); + while (*values != NULL) { + (void)CMSAddAgileHashToDictionary(agileHashValues, *values++); + } + if (CFDictionaryGetCount(agileHashValues) != SecCmsArrayCount((void **)attr->values)) { + CFReleaseNull(agileHashValues); + return errSecDecode; + } + + sinfo->hashAgilityV2AttrValues = agileHashValues; /* make cached copy */ + if (sinfo->hashAgilityV2AttrValues) { + *sdict = sinfo->hashAgilityV2AttrValues; + return SECSuccess; + } + return errSecAllocate; +} + /* * Return the signing cert of a CMS signerInfo. * @@ -1215,7 +1326,7 @@ loser: /* * SecCmsSignerInfoAddMSSMIMEEncKeyPrefs - add a SMIMEEncryptionKeyPreferences attribute to the - * authenticated (i.e. signed) attributes of "signerinfo", using the OID prefered by Microsoft. + * authenticated (i.e. signed) attributes of "signerinfo", using the OID preferred by Microsoft. * * This is expected to be included in outgoing signed messages for email (S/MIME), * if compatibility with Microsoft mail clients is wanted. 
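Review bot: CMSAddAgileHashToDictionary stores each decoded entry under whatever `SECOID_FindOIDTag(&agileHash.digestOID)` returns, so an AgileHash whose OID is not in the table is presumably cached under the unknown tag rather than rejected. Since these values are parsed from the signature, I would fail the decode there with `if (tag == SEC_OID_UNKNOWN) { status = errSecDecode; goto loser; }`. Neither `digestTag` nor `digestValue` is checked before `CFDictionaryAddValue`. In SecCmsSignerInfoGetAppleCodesigningHashAgilityV2 the result of `CFDictionaryCreateMutable` is tested only after it has been passed to the loop and to `CFDictionaryGetCount`, so the final `errSecAllocate` branch comes too late; the NULL check belongs directly after the create call. The count comparison is what catches duplicate OIDs and failed entries, which deserves a one-line comment because the per-entry status is discarded with `(void)`.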
@@ -1289,7 +1400,7 @@ SecCmsSignerInfoAddCounterSignature(SecCmsSignerInfoRef signerinfo, /*! @function @abstract Add the Apple Codesigning Hash Agility attribute to the authenticated (i.e. signed) attributes of "signerinfo". - @discussion This is expected to be included in outgoing signed Apple code signatures. + @discussion This is expected to be included in outgoing Apple code signatures. */ OSStatus SecCmsSignerInfoAddAppleCodesigningHashAgility(SecCmsSignerInfoRef signerinfo, CFDataRef attrValue) 
@@ -1334,6 +1445,90 @@ loser: return status; } +static OSStatus CMSAddAgileHashToAttribute(PLArenaPool *poolp, SecCmsAttribute *attr, CFNumberRef cftag, CFDataRef value) { + PLArenaPool *tmppoolp = NULL; + int64_t tag; + SECOidData *digestOid = NULL; + CMSAppleAgileHash agileHash; + SecAsn1Item attrValue = { .Data = NULL, .Length = 0 }; + OSStatus status = errSecSuccess; + + memset(&agileHash, 0, sizeof(agileHash)); + + if(!CFNumberGetValue(cftag, kCFNumberSInt64Type, &tag)) { + return errSecParam; + } + digestOid = SECOID_FindOIDByTag((SECOidTag)tag); + + agileHash.digestValue.Data = (uint8_t *)CFDataGetBytePtr(value); + agileHash.digestValue.Length = CFDataGetLength(value); + agileHash.digestOID.Data = digestOid->oid.Data; + agileHash.digestOID.Length = digestOid->oid.Length; + + tmppoolp = PORT_NewArena(1024); + if (tmppoolp == NULL) { + return errSecAllocate; + } + + if (SEC_ASN1EncodeItem(tmppoolp, &attrValue, &agileHash, CMSAppleAgileHashTemplate) == NULL) { + status = errSecParam; + goto loser; + } + + status = SecCmsAttributeAddValue(poolp, attr, &attrValue); + +loser: + if (tmppoolp) { + PORT_FreeArena(tmppoolp, PR_FALSE); + } + return status; +} + +/*! + @function + @abstract Add the Apple Codesigning Hash Agility attribute to the authenticated (i.e. signed) attributes of "signerinfo". + @discussion This is expected to be included in outgoing Apple code signatures. + */ +OSStatus +SecCmsSignerInfoAddAppleCodesigningHashAgilityV2(SecCmsSignerInfoRef signerinfo, CFDictionaryRef attrValues) +{ + __block SecCmsAttribute *attr; + __block PLArenaPool *poolp = signerinfo->signedData->contentInfo.cmsg->poolp; + void *mark = PORT_ArenaMark(poolp); + OSStatus status = SECFailure; + + /* The value is required for this attribute. 
*/ + if (!attrValues) { + status = errSecParam; + goto loser; + } + + if ((attr = SecCmsAttributeCreate(poolp, SEC_OID_APPLE_HASH_AGILITY_V2, + NULL, PR_TRUE)) == NULL) { + status = errSecAllocate; + goto loser; + } + + CFDictionaryForEach(attrValues, ^(const void *key, const void *value) { + if (!isNumber(key) || !isData(value)) { + return; + } + (void)CMSAddAgileHashToAttribute(poolp, attr, (CFNumberRef)key, (CFDataRef)value); + }); + + if (SecCmsSignerInfoAddAuthAttr(signerinfo, attr) != SECSuccess) { + status = errSecInternal; + goto loser; + } + + PORT_ArenaUnmark(poolp, mark); + return SECSuccess; + +loser: + PORT_ArenaRelease(poolp, mark); + return status; +} + SecCertificateRef SecCmsSignerInfoCopyCertFromEncryptionKeyPreference(SecCmsSignerInfoRef signerinfo) { SecCertificateRef cert = NULL; SecCmsAttribute *attr; @@ -1343,6 +1538,12 @@ SecCertificateRef SecCmsSignerInfoCopyCertFromEncryptionKeyPreference(SecCmsSign if (signerinfo->verificationStatus != SecCmsVSGoodSignature) return NULL; + /* Prep the rawCerts */ + SecAsn1Item **rawCerts = NULL; + if (signerinfo->signedData) { + rawCerts = signerinfo->signedData->rawCerts; + } + /* find preferred encryption cert */ if (!SecCmsArrayIsEmpty((void **)signerinfo->authAttr) && (attr = SecCmsAttributeArrayFindAttrByOidTag(signerinfo->authAttr, 
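Review bot: CMSAddAgileHashToAttribute dereferences `digestOid->oid.Data` without checking the result of `SECOID_FindOIDByTag((SECOidTag)tag)`, and `tag` comes straight from a caller-supplied dictionary key. Add `if (digestOid == NULL) return errSecParam;` before the assignments, assuming the lookup returns NULL for a tag it does not know. In SecCmsSignerInfoAddAppleCodesigningHashAgilityV2 the block skips entries of the wrong type and discards the helper's status with `(void)`, so the function can return success with an attribute carrying fewer values than `attrValues`, or none. Recording the first failure in a `__block OSStatus` and jumping to `loser` afterwards would make that visible to the signer. `signerinfo` is also dereferenced in the initializer of `poolp` before any argument check, and the header comment is copied from the V1 function and should name the V2 attribute.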
@@ -1351,11 +1552,17 @@ SecCertificateRef SecCmsSignerInfoCopyCertFromEncryptionKeyPreference(SecCmsSign ekp = SecCmsAttributeGetValue(attr); if (ekp == NULL) return NULL; + cert = SecSMIMEGetCertFromEncryptionKeyPreference(rawCerts, ekp); + } + if (cert) return cert; - SecAsn1Item **rawCerts = NULL; - if (signerinfo->signedData) { - rawCerts = signerinfo->signedData->rawCerts; - } + if (!SecCmsArrayIsEmpty((void **)signerinfo->authAttr) && + (attr = SecCmsAttributeArrayFindAttrByOidTag(signerinfo->authAttr, + SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE, PR_TRUE)) != NULL) + { /* we have a MS_SMIME_ENCRYPTION_KEY_PREFERENCE attribute! Find the cert. */ + ekp = SecCmsAttributeGetValue(attr); + if (ekp == NULL) + return NULL; cert = SecSMIMEGetCertFromEncryptionKeyPreference(rawCerts, ekp); } return cert; diff --git a/libsecurity_smime/lib/cmstpriv.h b/libsecurity_smime/lib/cmstpriv.h index 58f022a4..324e2ce1 100644 --- a/libsecurity_smime/lib/cmstpriv.h +++ b/libsecurity_smime/lib/cmstpriv.h @@ -207,6 +207,7 @@ struct SecCmsSignerInfoStr { SecPrivateKeyRef signingKey; /* Used if we're using subjKeyID*/ SecPublicKeyRef pubKey; CFDataRef hashAgilityAttrValue; + CFDictionaryRef hashAgilityV2AttrValues; }; #define SEC_CMS_SIGNER_INFO_VERSION_ISSUERSN 1 /* what we *create* */ #define SEC_CMS_SIGNER_INFO_VERSION_SUBJKEY 3 /* what we *create* */ diff --git a/libsecurity_smime/lib/secoid.c b/libsecurity_smime/lib/secoid.c index af40f9ca..491d64d4 100644 --- a/libsecurity_smime/lib/secoid.c +++ b/libsecurity_smime/lib/secoid.c @@ -481,6 +481,7 @@ __unused CONST_OID mqvSinglePassSha1kdf[] = {ANSI_X9_63_SCHEME, 4 }; /* Apple Hash Agility */ CONST_OID appleHashAgility[] = {APPLE_CMS_ATTRIBUTES, 1}; +CONST_OID appleHashAgilityV2[] = {APPLE_CMS_ATTRIBUTES, 2}; /* a special case: always associated with a caller-specified OID */ CONST_OID noOid[] = { 0 }; 
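Review bot: The new fallback to `SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE` is skipped when the standard attribute is present but has no value, because the first branch still does `if (ekp == NULL) return NULL;`. A standard attribute whose certificate cannot be found does fall through to the Microsoft attribute, so the two cases are treated differently. If the fallback is meant to cover both, the first branch could read `if (ekp != NULL) cert = SecSMIMEGetCertFromEncryptionKeyPreference(rawCerts, ekp);`. A short comment stating the order of preference between the two attributes would also help. The function starts in the previous hunk.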
@@ -1161,6 +1162,9 @@ static const SECOidData oids[] = { OD( appleHashAgility, SEC_OID_APPLE_HASH_AGILITY, "appleCodesigningHashAgilityAttribute", CSSM_ALGID_NONE, INVALID_CERT_EXTENSION), + OD( appleHashAgilityV2, SEC_OID_APPLE_HASH_AGILITY_V2, + "appleCodesigningHashAgilityAttributeV2", CSSM_ALGID_NONE, + INVALID_CERT_EXTENSION), }; diff --git a/libsecurity_smime/lib/smimeutil.c b/libsecurity_smime/lib/smimeutil.c index 22694be9..3e7f1c04 100644 --- a/libsecurity_smime/lib/smimeutil.c +++ b/libsecurity_smime/lib/smimeutil.c @@ -758,8 +758,10 @@ static CFArrayRef CF_RETURNS_RETAINED copyCertsFromRawCerts(SecAsn1Item **rawCer for(dex=0; dexData, rawCerts[dex]->Length); - CFArrayAppendValue(certs, certificate); - CFRelease(certificate); + if (certificate) { + CFArrayAppendValue(certs, certificate); + CFRelease(certificate); + } certificate = NULL; } @@ -812,7 +814,7 @@ SecSMIMEGetCertFromEncryptionKeyPreference(SecAsn1Item **rawCerts, SecAsn1Item * } loser: if (tmppoolp) PORT_FreeArena(tmppoolp, PR_FALSE); - CFRelease(certs); + if (certs) CFRelease(certs); return cert; } diff --git a/libsecurity_smime/libCMS.xcodeproj/project.pbxproj b/libsecurity_smime/libCMS.xcodeproj/project.pbxproj index e87fd2ac..a11713cc 100644 --- a/libsecurity_smime/libCMS.xcodeproj/project.pbxproj +++ b/libsecurity_smime/libCMS.xcodeproj/project.pbxproj @@ -487,7 +487,7 @@ 4C2741E803E9FBAF00A80181 /* Project object */ = { isa = PBXProject; attributes = { - LastUpgradeCheck = 0830; + LastUpgradeCheck = 0900; TargetAttributes = { D447C4DB1D31C9DD0082FC1D = { CreatedOnToolsVersion = 8.0; 
@@ -629,12 +629,18 @@ isa = XCBuildConfiguration; buildSettings = { CLANG_ANALYZER_LOCALIZABILITY_NONLOCALIZED = YES; + CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_COMMA = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INFINITE_RECURSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; + CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; + CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; + CLANG_WARN_STRICT_PROTOTYPES = YES; CLANG_WARN_SUSPICIOUS_MOVE = YES; CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; @@ -741,7 +747,7 @@ "$(PROJECT_DIR)/..", "$(PROJECT_DIR)/../OSX/utilities", "$(PROJECT_DIR)/../OSX/sec", - "$(PROJECT_DIR)/../OSX/libsecurity_keychain/libDER", + "$(SDKROOT)/usr/local/include/security_libDER", "$(PROJECT_DIR)/../OSX/libsecurity_asn1", "$(PROJECT_DIR)/../header_symlinks/iOS/", "$(PROJECT_DIR)/../header_symlinks/", @@ -760,12 +766,18 @@ isa = XCBuildConfiguration; buildSettings = { CLANG_ANALYZER_LOCALIZABILITY_NONLOCALIZED = YES; + CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; CLANG_WARN_BOOL_CONVERSION = YES; + CLANG_WARN_COMMA = YES; CLANG_WARN_CONSTANT_CONVERSION = YES; CLANG_WARN_EMPTY_BODY = YES; CLANG_WARN_ENUM_CONVERSION = YES; CLANG_WARN_INFINITE_RECURSION = YES; CLANG_WARN_INT_CONVERSION = YES; + CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; + CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; + CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; + CLANG_WARN_STRICT_PROTOTYPES = YES; CLANG_WARN_SUSPICIOUS_MOVE = YES; CLANG_WARN_UNREACHABLE_CODE = YES; CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 
@@ -867,7 +879,7 @@ "$(PROJECT_DIR)/..", "$(PROJECT_DIR)/../OSX/utilities", "$(PROJECT_DIR)/../OSX/sec", - "$(PROJECT_DIR)/../OSX/libsecurity_keychain/libDER", + "$(SDKROOT)/usr/local/include/security_libDER", "$(PROJECT_DIR)/../OSX/libsecurity_asn1", "$(PROJECT_DIR)/../header_symlinks/iOS/", "$(PROJECT_DIR)/../header_symlinks/", diff --git a/resources/English.lproj/Certificate.strings b/resources/English.lproj/Certificate.strings index 643fb21f6b6dd3db33cef8eed9bc8573e6d73557..04daf46f712b2b7122307580778de9c8cb278638 100644 GIT binary patch delta 248 zcmbPml5x#R#t9;fdJ~0f85K76zvW}poqSPCe)0t&md*3{udzY6nn4rvO(iu#X3mmvMN6A(2FzRl;s1*s(slGWt=NdCqm5YH18>>HqCxgpm zeiq5e)69az!90dy1_cH!27LxD1|qrhMb#84HRP0a;4Idg%Ea~Vn*awjv| z>rZxY5ZK(~u#S~EhaqvYt(&}HF+(a)M*)y50xATWGnvs$d~=uE4OY%Hpg=0n@RZ35 UImI`(_@szTZjuz+l(>c&0Ggdj9{>OV diff --git a/resources/English.lproj/CloudKeychain.strings b/resources/English.lproj/CloudKeychain.strings index e2c400c34f45896a144f08ae362d4cd03503e558..e1ba3019a97f53149bf26958a3b401a17fde30e8 100644 GIT binary patch delta 43 xcmaDC`6+V4Gmgm>3Otj$I5j3qai)OSo4Ytucvy285*d;wYm0B+yiCkP3;=jU4@>|6 delta 35 rcmewq`7Uz9GY-b&$@QGZlchLQ7?U^GbLR7~`ZEMGL~Q;p`dbVD`^pUF 
diff --git a/resources/English.lproj/Trust.strings b/resources/English.lproj/Trust.strings new file mode 100644 index 0000000000000000000000000000000000000000..7eac8dea065081c6ecefebe087a98d3dd624d042 GIT binary patch literal 15832 zcmdU0ZEqVz5Z=%I4IrH=Dzz0MY9;spLL!7jph6mv<_9>A2_}9Cc0y@?Jn%d_OlI$8 zZ|}})H&xWyzPp{Bd1iLrcJJSR_T6(=xKp=s6Ze}NxiLNqd|Tp5;coD2<@Ws5mAiFQ z+?nFn2;cb}@2>o_Yxf0yALH)It#P-&Gb?xH?%W(tE&P=!?(lkn-@Ja|$A6CBYkV7n z&ca=`jJ$QfuMJ+dimFKywTZrjUVrlQubgj=PWCV|R!rnk0JSW}b&niYM+n z_i0gJ&XMOkl=W*+dW?VH`p-D67w)rw-b?&S(fkJ7Jpzx^$`LpebWJ1F(_fJ08lS|9 z`l`zz+Bm?SCJp4o(QspE5m z%UoIuv(k-GYw`_!W94L3{jPl4d4&UuWFa?J@u#A$p_`v_ z3e7Wj=6(i>5>sv=nRH+ZpNp^YKeJDXBWi8&Fw$y%q}-ecJWfv$6< zaM8}9Wi@Rc;1yN^tv!6YedUjR1gm%Eje^NGwdO1qjb zh1(idaN+&{W@F&D411NA3Xo!u@jlH&{iCJVb*s#A&o!iTap+x&DWlJ%!^8Sd4tV&T44o_Zqox@!I|5 ze!!<@fxkfC^zfSN-Qd~fz5n0C9dPjsoE4y%^wOv4R zTG1F5DJL;x2W*6EboyWb(2GMDwiRIKt%Jluk;r8_2{SCHsfW!ms}S)koGtj2BA~uS01ml}J{% z7rEX%vq_$pY6=IjV@6O$RdyCMYI9$JzCx^Ds}t$kntwiRe5yT;Y3En)kp2TRc*7ts z)!`UeEK#j04pvEOC)+T|Q7fe}+U_jFG3yu4!}={(G~a|~TJCDSsZom^3W*<0{asdr z;gjtvgmx!+jpmG+``H@FM=>QcYesgfSwR-)ZU5*FaQgA3`_g@d3S57`z&++*^riGC z%+$oY)K|zsiDEkz<(1GpgQ1e2ata;QYM9|ON0mKe&0~MPzam+f)=aT{r|a`6?y4D0 z%-@HZ%sI3(^1h$d8_x?d2jI?}oC2jSXxx*#Cht?+Q)hn~OCO_3& zpSO=rNx(dfd9%i2sT!HBa3@pF2v|fu^I3{^4PQZX?|hxP5B!;Ti*J)%6}zjJ8~St7 zXI`r-z;w0EIZ|kpeWYT-DuU;B4F{3UPW0+IWc5bfPY8tBT3)LCWThU~&_>gqhsk{g zB+4gg^#prtWO=O(!)3R#rf`eZV&MrUT72GaOw4zjBC1Gj!Mthn{!G7lQdp@cX7ua6 z3mcEwWg78)*WnaW5;02&Pk6{%Anc~{y%p{*TdhOC!M<6T6CC3TY0&2mqh+2l2d$L6 zWshk7x?1mBj8l)EIx|<#&HGgJ?YVAu+9~;)S35OoC$rM0pUs2D)>qk2*3VDto?P>( z~@(CEOS|XD#cBFb=!Mf-QG;G6@CtX&rH3~ zyCcnfFc+gf^S?1NWWE%Z^eDdJ-M#A?{Z*L<2ifwJB=q0vPWz6B|7 zqUzq4a^LQ2iGsaBX?EIg)G!X~8c?2(VM**dNT*nO4UFa7@#7nc%5^BQ@jh&HN``9P z8bgTtuB`F7Ln-?{?4mK-wG(&YDGZhQ(7lO1Q%8z@nYMkSJk(N{Fe9wzF7zhMr0G-W WjrhhAwHf;Q^IjuOw|&P^g8u-rOsOyc literal 0 HcmV?d00001 diff --git a/secdtests/secdtests-entitlements.plist b/secdtests/secdtests-entitlements.plist index f8a9fb8a..bf6ff173 100644 
--- a/secdtests/secdtests-entitlements.plist +++ b/secdtests/secdtests-entitlements.plist @@ -36,6 +36,8 @@ com.apple.security.regressions com.apple.private.uninstall.deletion + com.apple.private.security.delete.all + keychain-access-groups com.apple.security.regressions @@ -46,17 +48,5 @@ com.apple.ProtectedCloudStorage com.apple.security.ckks - com.apple.private.ubiquity-kvstore-access - - com.apple.securityd - - com.apple.developer.ubiquity-kvstore-identifier - com.apple.security.cloudkeychainproxy - com.apple.developer.ubiquity-container-identifiers - - com.apple.security.cloudkeychainproxy - com.apple.security.cloudkeychain - CloudKeychainProxy.xpc - diff --git a/keychain/trust/TrustedPeers/Info.plist b/secdxctests/Info.plist similarity index 71% rename from keychain/trust/TrustedPeers/Info.plist rename to secdxctests/Info.plist index dcf21d96..6c40a6cd 100644 --- a/keychain/trust/TrustedPeers/Info.plist +++ b/secdxctests/Info.plist @@ -3,7 +3,7 @@ CFBundleDevelopmentRegion - en + $(DEVELOPMENT_LANGUAGE) CFBundleExecutable $(EXECUTABLE_NAME) CFBundleIdentifier @@ -13,14 +13,10 @@ CFBundleName $(PRODUCT_NAME) CFBundlePackageType - FMWK + BNDL CFBundleShortVersionString 1.0 CFBundleVersion - $(CURRENT_PROJECT_VERSION) - NSHumanReadableCopyright - Copyright © 2017 Apple, Inc. All rights reserved. - NSPrincipalClass - + 1 diff --git a/secdxctests/KeychainAPITests.m b/secdxctests/KeychainAPITests.m new file mode 100644 index 00000000..6252bc0c --- /dev/null +++ b/secdxctests/KeychainAPITests.m 
@@ -0,0 +1,133 @@ +/* + * Copyright (c) 2018 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import "KeychainXCTest.h" +#import "SecDbKeychainItem.h" +#import "SecdTestKeychainUtilities.h" +#import "CKKS.h" +#import "SecDbKeychainItemV7.h" +#import "SecItemPriv.h" +#import "SecItemServer.h" +#import "spi.h" +#import "SecDbKeychainSerializedItemV7.h" +#import "SecDbKeychainSerializedMetadata.h" +#import "SecDbKeychainSerializedSecretData.h" +#import "SecDbKeychainSerializedAKSWrappedKey.h" +#import +#import +#import +#import + +void* testlist = NULL; + +#if USE_KEYSTORE + +@interface KeychainAPITests : KeychainXCTest +@end + +@implementation KeychainAPITests + ++ (void)setUp +{ + [super setUp]; + + SecCKKSDisable(); + securityd_init(NULL); +} + +- (void)setUp +{ + [super setUp]; + + NSArray* partsOfName = [self.name componentsSeparatedByCharactersInSet:[NSCharacterSet characterSetWithCharactersInString:@" ]"]]; + secd_test_setup_temp_keychain([partsOfName[1] UTF8String], NULL); +} + +- (void)testReturnValuesInSecItemUpdate +{ + NSDictionary* addQuery = @{ 
(id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecValueData : [@"password" dataUsingEncoding:NSUTF8StringEncoding], + (id)kSecAttrAccount : @"TestAccount", + (id)kSecAttrService : @"TestService", + (id)kSecAttrNoLegacy : @(YES), + (id)kSecReturnAttributes : @(YES) + }; + + NSDictionary* updateQueryWithNoReturn = @{ (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecAttrAccount : @"TestAccount", + (id)kSecAttrService : @"TestService", + (id)kSecAttrNoLegacy : @(YES) + }; + + CFTypeRef result = NULL; + + // Add the item + XCTAssertEqual(SecItemAdd((__bridge CFDictionaryRef)addQuery, &result), errSecSuccess, @"Should have succeeded in adding test item to keychain"); + XCTAssertNotNil((__bridge id)result, @"Should have received a dictionary back from SecItemAdd"); + CFReleaseNull(result); + + // And we can update the item + XCTAssertEqual(SecItemUpdate((__bridge CFDictionaryRef)updateQueryWithNoReturn, (__bridge CFDictionaryRef)@{(id)kSecValueData: [@"otherpassword" dataUsingEncoding:NSUTF8StringEncoding]}), errSecSuccess, "failed to update item with clean update query"); + + // great, a normal update works + // now let's do updates with various queries which include return parameters to ensure they succeed on macOS and throw errors on iOS. 
+ // this is a status-quo compromise between changing iOS match macOS (which has lamé no-op characteristics) and changing macOS to match iOS, which risks breaking existing clients + +#if TARGET_OS_OSX + NSMutableDictionary* updateQueryWithReturnAttributes = updateQueryWithNoReturn.mutableCopy; + updateQueryWithReturnAttributes[(id)kSecReturnAttributes] = @(YES); + XCTAssertEqual(SecItemUpdate((__bridge CFDictionaryRef)updateQueryWithReturnAttributes, (__bridge CFDictionaryRef)@{(id)kSecValueData: [@"return-attributes" dataUsingEncoding:NSUTF8StringEncoding]}), errSecSuccess, "failed to update item with return attributes query"); + + NSMutableDictionary* updateQueryWithReturnData = updateQueryWithNoReturn.mutableCopy; + updateQueryWithReturnAttributes[(id)kSecReturnData] = @(YES); + XCTAssertEqual(SecItemUpdate((__bridge CFDictionaryRef)updateQueryWithReturnData, (__bridge CFDictionaryRef)@{(id)kSecValueData: [@"return-data" dataUsingEncoding:NSUTF8StringEncoding]}), errSecSuccess, "failed to update item with return data query"); + + NSMutableDictionary* updateQueryWithReturnRef = updateQueryWithNoReturn.mutableCopy; + updateQueryWithReturnAttributes[(id)kSecReturnRef] = @(YES); + XCTAssertEqual(SecItemUpdate((__bridge CFDictionaryRef)updateQueryWithReturnRef, (__bridge CFDictionaryRef)@{(id)kSecValueData: [@"return-ref" dataUsingEncoding:NSUTF8StringEncoding]}), errSecSuccess, "failed to update item with return ref query"); + + NSMutableDictionary* updateQueryWithReturnPersistentRef = updateQueryWithNoReturn.mutableCopy; + updateQueryWithReturnAttributes[(id)kSecReturnPersistentRef] = @(YES); + XCTAssertEqual(SecItemUpdate((__bridge CFDictionaryRef)updateQueryWithReturnPersistentRef, (__bridge CFDictionaryRef)@{(id)kSecValueData: [@"return-persistent-ref" dataUsingEncoding:NSUTF8StringEncoding]}), errSecSuccess, "failed to update item with return persistent ref query"); +#else + NSMutableDictionary* updateQueryWithReturnAttributes = 
updateQueryWithNoReturn.mutableCopy; + updateQueryWithReturnAttributes[(id)kSecReturnAttributes] = @(YES); + XCTAssertEqual(SecItemUpdate((__bridge CFDictionaryRef)updateQueryWithReturnAttributes, (__bridge CFDictionaryRef)@{(id)kSecValueData: [@"return-attributes" dataUsingEncoding:NSUTF8StringEncoding]}), errSecParam, "failed to generate error updating item with return attributes query"); + + NSMutableDictionary* updateQueryWithReturnData = updateQueryWithNoReturn.mutableCopy; + updateQueryWithReturnData[(id)kSecReturnData] = @(YES); + XCTAssertEqual(SecItemUpdate((__bridge CFDictionaryRef)updateQueryWithReturnData, (__bridge CFDictionaryRef)@{(id)kSecValueData: [@"return-data" dataUsingEncoding:NSUTF8StringEncoding]}), errSecParam, "failed to generate error updating item with return data query"); + + NSMutableDictionary* updateQueryWithReturnRef = updateQueryWithNoReturn.mutableCopy; + updateQueryWithReturnRef[(id)kSecReturnRef] = @(YES); + XCTAssertEqual(SecItemUpdate((__bridge CFDictionaryRef)updateQueryWithReturnRef, (__bridge CFDictionaryRef)@{(id)kSecValueData: [@"return-ref" dataUsingEncoding:NSUTF8StringEncoding]}), errSecParam, "failed to generate error updating item with return ref query"); + + NSMutableDictionary* updateQueryWithReturnPersistentRef = updateQueryWithNoReturn.mutableCopy; + updateQueryWithReturnPersistentRef[(id)kSecReturnPersistentRef] = @(YES); + XCTAssertEqual(SecItemUpdate((__bridge CFDictionaryRef)updateQueryWithReturnPersistentRef, (__bridge CFDictionaryRef)@{(id)kSecValueData: [@"return-persistent-ref" dataUsingEncoding:NSUTF8StringEncoding]}), errSecParam, "failed to generate error updating item with return persistent ref query"); +#endif +} + +@end + +#endif diff --git a/secdxctests/KeychainCryptoTests.m b/secdxctests/KeychainCryptoTests.m new file mode 100644 index 00000000..56625bed --- /dev/null +++ b/secdxctests/KeychainCryptoTests.m 
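Review bot: In the `TARGET_OS_OSX` branch of testReturnValuesInSecItemUpdate, the return-data, return-ref and return-persistent-ref cases set their key on `updateQueryWithReturnAttributes` instead of the dictionary just created. The three SecItemUpdate calls therefore run with a plain copy of `updateQueryWithNoReturn` and do not exercise the return parameters they name. The `#else` branch has the intended form; the macOS lines should be `updateQueryWithReturnData[(id)kSecReturnData] = @(YES);`, `updateQueryWithReturnRef[(id)kSecReturnRef] = @(YES);` and `updateQueryWithReturnPersistentRef[(id)kSecReturnPersistentRef] = @(YES);`. As written, the macOS side of the test passes regardless of how SecItemUpdate treats those keys.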
@@ -0,0 +1,769 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import "KeychainXCTest.h" +#import "SecDbKeychainItem.h" +#import "SecdTestKeychainUtilities.h" +#import "CKKS.h" +#import "SecDbKeychainItemV7.h" +#import "SecItemPriv.h" +#import "SecItemServer.h" +#import "spi.h" +#import "SecDbKeychainSerializedItemV7.h" +#import "SecDbKeychainSerializedMetadata.h" +#import "SecDbKeychainSerializedSecretData.h" +#import "SecDbKeychainSerializedAKSWrappedKey.h" +#import +#import +#import +#import +#import +#import + +@interface SecDbKeychainItemV7 () + ++ (SFAESKeySpecifier*)keySpecifier; + +@end + +#if USE_KEYSTORE +#include +#endif + +@interface KeychainCryptoTests : KeychainXCTest +@end + +@implementation KeychainCryptoTests + +#if USE_KEYSTORE +#include + +static keyclass_t parse_keyclass(CFTypeRef value) { + if (!value || CFGetTypeID(value) != CFStringGetTypeID()) { + return 0; + } + + if (CFEqual(value, kSecAttrAccessibleWhenUnlocked)) { + return key_class_ak; + } + else if (CFEqual(value, kSecAttrAccessibleAfterFirstUnlock)) { + 
return key_class_ck; + } + else if (CFEqual(value, kSecAttrAccessibleAlwaysPrivate)) { + return key_class_dk; + } + else if (CFEqual(value, kSecAttrAccessibleWhenUnlockedThisDeviceOnly)) { + return key_class_aku; + } + else if (CFEqual(value, kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly)) { + return key_class_cku; + } + else if (CFEqual(value, kSecAttrAccessibleAlwaysThisDeviceOnlyPrivate)) { + return key_class_dku; + } + else if (CFEqual(value, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly)) { + return key_class_akpu; + } + else { + return 0; + } +} + +- (void)testBasicEncryptDecrypt +{ + CFDataRef enc = NULL; + CFErrorRef error = NULL; + SecAccessControlRef ac = NULL; + + NSDictionary* secretData = @{(id)kSecValueData : @"secret here"}; + + ac = SecAccessControlCreate(NULL, &error); + XCTAssertNotNil((__bridge id)ac, @"failed to create access control with error: %@", (__bridge id)error); + XCTAssertNil((__bridge id)error, @"encountered error attempting to create access control: %@", (__bridge id)error); + XCTAssertTrue(SecAccessControlSetProtection(ac, kSecAttrAccessibleWhenUnlocked, &error), @"failed to set access control protection with error: %@", error); + XCTAssertNil((__bridge id)error, @"encountered error attempting to set access control protection: %@", (__bridge id)error); + + XCTAssertTrue(ks_encrypt_data(KEYBAG_DEVICE, ac, NULL, (__bridge CFDictionaryRef)secretData, (__bridge CFDictionaryRef)@{}, NULL, &enc, true, &error), @"failed to encrypt data with error: %@", error); + XCTAssertTrue(enc != NULL, @"failed to get encrypted data from encryption function"); + XCTAssertNil((__bridge id)error, @"encountered error attempting to encrypt data: %@", (__bridge id)error); + CFReleaseNull(ac); + + CFMutableDictionaryRef attributes = NULL; + uint32_t version = 0; + + keyclass_t keyclass = 0; + XCTAssertTrue(ks_decrypt_data(KEYBAG_DEVICE, kAKSKeyOpDecrypt, &ac, NULL, enc, NULL, NULL, &attributes, &version, true, &keyclass, &error), @"failed to decrypt data 
with error: %@", error); + XCTAssertNil((__bridge id)error, @"encountered error attempting to decrypt data: %@", (__bridge id)error); + XCTAssertEqual(keyclass, key_class_ak, @"failed to get back the keyclass from decryption"); + + CFTypeRef aclProtection = ac ? SecAccessControlGetProtection(ac) : NULL; + XCTAssertNotNil((__bridge id)aclProtection, @"failed to get ACL from keychain item decryption"); + if (aclProtection) { + XCTAssertTrue(CFEqual(aclProtection, kSecAttrAccessibleWhenUnlocked), @"the acl we got back from decryption does not match what we put in"); + } + CFReleaseNull(ac); + + CFReleaseNull(error); + CFReleaseNull(enc); +} + +- (void)testGetMetadataThenData +{ + NSDictionary* item = @{ (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecValueData : [@"password" dataUsingEncoding:NSUTF8StringEncoding], + (id)kSecAttrAccount : @"TestAccount", + (id)kSecAttrService : @"TestService", + (id)kSecAttrNoLegacy : @(YES) }; + + OSStatus result = SecItemAdd((__bridge CFDictionaryRef)item, NULL); + XCTAssertEqual(result, 0, @"failed to add test item to keychain"); + + NSMutableDictionary* metadataQuery = item.mutableCopy; + [metadataQuery removeObjectForKey:(id)kSecValueData]; + metadataQuery[(id)kSecReturnAttributes] = @(YES); + CFTypeRef foundItem = NULL; + result = SecItemCopyMatching((__bridge CFDictionaryRef)metadataQuery, &foundItem); + XCTAssertEqual(result, 0, @"failed to find the metadata for the item we just added in the keychain"); + + NSMutableDictionary* dataQuery = [(__bridge NSDictionary*)foundItem mutableCopy]; + dataQuery[(id)kSecReturnData] = @(YES); + dataQuery[(id)kSecClass] = (id)kSecClassGenericPassword; + dataQuery[(id)kSecAttrNoLegacy] = @(YES); + result = SecItemCopyMatching((__bridge CFDictionaryRef)dataQuery, &foundItem); + XCTAssertEqual(result, 0, @"failed to find the data for the item we just added to the keychain"); + + NSData* foundData = (__bridge NSData*)foundItem; + if ([foundData isKindOfClass:[NSData class]]) { + 
NSString* foundPassword = [[NSString alloc] initWithData:(__bridge NSData*)foundItem encoding:NSUTF8StringEncoding]; + XCTAssertEqualObjects(foundPassword, @"password", @"found password (%@) does not match the expected password", foundPassword); + } + else { + XCTAssertTrue(false, @"found data is not the expected class: %@", foundData); + } +} + +- (void)testGetReference +{ + NSDictionary* keyParams = @{ (id)kSecAttrKeyType : (id)kSecAttrKeyTypeRSA, (id)kSecAttrKeySizeInBits : @(1024) }; + SecKeyRef key = SecKeyCreateRandomKey((__bridge CFDictionaryRef)keyParams, NULL); + NSDictionary* item = @{ (id)kSecClass : (id)kSecClassKey, + (id)kSecValueRef : (__bridge id)key, + (id)kSecAttrLabel : @"TestLabel", + (id)kSecAttrNoLegacy : @(YES) }; + + OSStatus result = SecItemAdd((__bridge CFDictionaryRef)item, NULL); + XCTAssertEqual(result, 0, @"failed to add test item to keychain"); + + NSMutableDictionary* refQuery = item.mutableCopy; + [refQuery removeObjectForKey:(id)kSecValueData]; + refQuery[(id)kSecReturnRef] = @(YES); + CFTypeRef foundItem = NULL; + result = SecItemCopyMatching((__bridge CFDictionaryRef)refQuery, &foundItem); + XCTAssertEqual(result, 0, @"failed to find the reference for the item we just added in the keychain"); + + NSData* originalKeyData = (__bridge_transfer NSData*)SecKeyCopyExternalRepresentation(key, NULL); + NSData* foundKeyData = (__bridge_transfer NSData*)SecKeyCopyExternalRepresentation((SecKeyRef)foundItem, NULL); + XCTAssertEqualObjects(originalKeyData, foundKeyData, @"found key does not match the key we put in the keychain"); +} + +- (void)testMetadataQueriesDoNotGetSecret +{ + NSDictionary* item = @{ (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecValueData : [@"password" dataUsingEncoding:NSUTF8StringEncoding], + (id)kSecAttrAccount : @"TestAccount", + (id)kSecAttrService : @"TestService", + (id)kSecAttrNoLegacy : @(YES) }; + + OSStatus result = SecItemAdd((__bridge CFDictionaryRef)item, NULL); + XCTAssertEqual(result, 0, 
@"failed to add test item to keychain"); + + NSMutableDictionary* metadataQuery = item.mutableCopy; + [metadataQuery removeObjectForKey:(id)kSecValueData]; + metadataQuery[(id)kSecReturnAttributes] = @(YES); + CFTypeRef foundItem = NULL; + result = SecItemCopyMatching((__bridge CFDictionaryRef)metadataQuery, &foundItem); + XCTAssertEqual(result, 0, @"failed to find the metadata for the item we just added in the keychain"); + + NSData* data = [(__bridge NSDictionary*)foundItem valueForKey:(id)kSecValueData]; + XCTAssertNil(data, @"unexpectedly found data in a metadata query"); +} + +- (void)testDeleteItem +{ + NSDictionary* item = @{ (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecValueData : [@"password" dataUsingEncoding:NSUTF8StringEncoding], + (id)kSecAttrAccount : @"TestAccount", + (id)kSecAttrService : @"TestService", + (id)kSecAttrNoLegacy : @(YES) }; + + OSStatus result = SecItemAdd((__bridge CFDictionaryRef)item, NULL); + XCTAssertEqual(result, 0, @"failed to add test item to keychain"); + + NSMutableDictionary* dataQuery = item.mutableCopy; + [dataQuery removeObjectForKey:(id)kSecValueData]; + dataQuery[(id)kSecReturnData] = @(YES); + CFTypeRef foundItem = NULL; + result = SecItemCopyMatching((__bridge CFDictionaryRef)dataQuery, &foundItem); + XCTAssertEqual(result, 0, @"failed to find the data for the item we just added in the keychain"); + + result = SecItemDelete((__bridge CFDictionaryRef)dataQuery); + XCTAssertEqual(result, 0, @"failed to delete item"); +} + +- (SecDbKeychainSerializedItemV7*)serializedItemWithPassword:(NSString*)password metadataAttributes:(NSDictionary*)metadata +{ + SecDbKeychainItemV7* item = [[SecDbKeychainItemV7 alloc] initWithSecretAttributes:@{(id)kSecValueData : password} metadataAttributes:metadata tamperCheck:[[NSUUID UUID] UUIDString] keyclass:9]; + [item encryptMetadataWithKeybag:0 error:nil]; + [item encryptSecretDataWithKeybag:0 accessControl:SecAccessControlCreate(NULL, NULL) acmContext:nil error:nil]; + 
SecDbKeychainSerializedItemV7* serializedItem = [[SecDbKeychainSerializedItemV7 alloc] init]; + serializedItem.encryptedMetadata = item.encryptedMetadataBlob; + serializedItem.encryptedSecretData = item.encryptedSecretDataBlob; + serializedItem.keyclass = 9; + return serializedItem; +} + +- (void)testTamperChecksThwartTampering +{ + SecDbKeychainSerializedItemV7* serializedItem1 = [self serializedItemWithPassword:@"first password" metadataAttributes:nil]; + SecDbKeychainSerializedItemV7* serializedItem2 = [self serializedItemWithPassword:@"second password" metadataAttributes:nil]; + + serializedItem1.encryptedSecretData = serializedItem2.encryptedSecretData; + NSData* tamperedSerializedItemBlob = serializedItem1.data; + + NSError* error = nil; + SecDbKeychainItemV7* item = [[SecDbKeychainItemV7 alloc] initWithData:tamperedSerializedItemBlob decryptionKeybag:0 error:&error]; + XCTAssertNil(item, @"unexpectedly deserialized an item blob which has been tampered"); + XCTAssertNotNil(error, @"failed to get an error when deserializing tampered item blob"); +} + +- (void)testCacheExpiration +{ + + NSDictionary* item = @{ (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecValueData : [@"password" dataUsingEncoding:NSUTF8StringEncoding], + (id)kSecAttrAccount : @"TestAccount", + (id)kSecAttrService : @"TestService", + (id)kSecAttrAccessible : (id)kSecAttrAccessibleWhenUnlocked, + (id)kSecAttrNoLegacy : @YES }; + + OSStatus result = SecItemAdd((__bridge CFDictionaryRef)item, NULL); + XCTAssertEqual(result, 0, @"failed to add test item to keychain"); + + NSMutableDictionary* dataQuery = item.mutableCopy; + [dataQuery removeObjectForKey:(id)kSecValueData]; + dataQuery[(id)kSecReturnData] = @(YES); + + CFTypeRef foundItem = NULL; + + result = SecItemCopyMatching((__bridge CFDictionaryRef)dataQuery, &foundItem); + XCTAssertEqual(result, 0, @"failed to find the data for the item we just added in the keychain"); + CFReleaseNull(foundItem); + + self.lockState = 
LockStateLockedAndDisallowAKS; + + result = SecItemCopyMatching((__bridge CFDictionaryRef)dataQuery, &foundItem); + XCTAssertEqual(result, errSecInteractionNotAllowed, @"get the lock error"); + XCTAssertEqual(foundItem, NULL, @"got item anyway: %@", foundItem); + + self.lockState = LockStateUnlocked; + + result = SecItemCopyMatching((__bridge CFDictionaryRef)dataQuery, &foundItem); + XCTAssertEqual(result, 0, @"failed to find the data for the item we just added in the keychain"); + CFReleaseNull(foundItem); + + result = SecItemDelete((__bridge CFDictionaryRef)dataQuery); + XCTAssertEqual(result, 0, @"failed to delete item"); +} + +- (void)trashMetadataClassAKey +{ + CFErrorRef cferror = NULL; + + kc_with_dbt(true, &cferror, ^bool(SecDbConnectionRef dbt) { + CFErrorRef errref; + SecDbExec(dbt, CFSTR("DELETE FROM metadatakeys WHERE keyclass = '6'"), &errref); + CFReleaseNull(errref); + return true; + }); + CFReleaseNull(cferror); + + [[SecDbKeychainMetadataKeyStore sharedStore] dropClassAKeys]; +} + +- (void)testKeychainCorruptionCopyMatching +{ + NSDictionary* item = @{ (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecValueData : [@"password" dataUsingEncoding:NSUTF8StringEncoding], + (id)kSecAttrAccount : @"TestAccount", + (id)kSecAttrService : @"TestService", + (id)kSecAttrAccessible : (id)kSecAttrAccessibleWhenUnlocked, + (id)kSecAttrNoLegacy : @YES }; + + OSStatus result = SecItemAdd((__bridge CFDictionaryRef)item, NULL); + XCTAssertEqual(result, 0, @"failed to add test item to keychain"); + + + NSMutableDictionary* dataQuery = item.mutableCopy; + [dataQuery removeObjectForKey:(id)kSecValueData]; + dataQuery[(id)kSecReturnData] = @(YES); + + CFTypeRef foundItem = NULL; + + result = SecItemCopyMatching((__bridge CFDictionaryRef)dataQuery, &foundItem); + XCTAssertEqual(result, 0, @"failed to find the data for the item we just added in the keychain"); + CFReleaseNull(foundItem); + + [self trashMetadataClassAKey]; + + /* when metadata corrupted, we should not 
find the item */ + result = SecItemCopyMatching((__bridge CFDictionaryRef)dataQuery, &foundItem); + XCTAssertEqual(result, errSecItemNotFound, @"failed to find the data for the item we just added in the keychain"); + CFReleaseNull(foundItem); + + /* semantics are odd, we should be able to delete it */ + result = SecItemDelete((__bridge CFDictionaryRef)dataQuery); + XCTAssertEqual(result, 0, @"failed to delete item"); +} + +- (void)testKeychainCorruptionAddOverCorruptedEntry +{ + CFTypeRef foundItem = NULL; + NSDictionary* item = @{ (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecValueData : [@"password" dataUsingEncoding:NSUTF8StringEncoding], + (id)kSecAttrAccount : @"TestAccount", + (id)kSecAttrService : @"TestService", + (id)kSecAttrAccessible : (id)kSecAttrAccessibleWhenUnlocked, + (id)kSecAttrNoLegacy : @YES }; + + OSStatus result = SecItemAdd((__bridge CFDictionaryRef)item, NULL); + XCTAssertEqual(result, 0, @"failed to add test item to keychain"); + + NSMutableDictionary* dataQuery = item.mutableCopy; + [dataQuery removeObjectForKey:(id)kSecValueData]; + dataQuery[(id)kSecReturnData] = @(YES); + + result = SecItemCopyMatching((__bridge CFDictionaryRef)dataQuery, &foundItem); + XCTAssertEqual(result, 0, @"failed to find the data for the item we just added in the keychain"); + CFReleaseNull(foundItem); + + [self trashMetadataClassAKey]; + + result = SecItemAdd((__bridge CFDictionaryRef)item, NULL); + XCTAssertEqual(result, 0, @"failed to add test item to keychain"); + + result = SecItemDelete((__bridge CFDictionaryRef)dataQuery); + XCTAssertEqual(result, 0, @"failed to delete item"); +} + +- (void)testKeychainCorruptionUpdateCorruptedEntry +{ + CFTypeRef foundItem = NULL; + NSDictionary* item = @{ (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecValueData : [@"password" dataUsingEncoding:NSUTF8StringEncoding], + (id)kSecAttrAccount : @"TestAccount", + (id)kSecAttrService : @"TestService", + (id)kSecAttrAccessible : 
(id)kSecAttrAccessibleWhenUnlocked, + (id)kSecAttrNoLegacy : @YES }; + + OSStatus result = SecItemAdd((__bridge CFDictionaryRef)item, NULL); + XCTAssertEqual(result, 0, @"failed to add test item to keychain"); + + NSMutableDictionary* dataQuery = item.mutableCopy; + [dataQuery removeObjectForKey:(id)kSecValueData]; + dataQuery[(id)kSecReturnData] = @(YES); + + result = SecItemCopyMatching((__bridge CFDictionaryRef)dataQuery, &foundItem); + XCTAssertEqual(result, 0, @"failed to find the data for the item we just added in the keychain"); + CFReleaseNull(foundItem); + + [self trashMetadataClassAKey]; + + NSMutableDictionary* updateQuery = item.mutableCopy; + updateQuery[(id)kSecValueData] = NULL; + NSDictionary *updateData = @{ + (id)kSecValueData : [@"foo" dataUsingEncoding:NSUTF8StringEncoding], + }; + + result = SecItemUpdate((__bridge CFDictionaryRef)updateQuery, + (__bridge CFDictionaryRef)updateData ); + XCTAssertEqual(result, errSecItemNotFound, @"failed to add test item to keychain"); + + result = SecItemDelete((__bridge CFDictionaryRef)dataQuery); + XCTAssertEqual(result, 0, @"failed to delete item"); +} + +- (id)encryptionOperation +{ + return nil; +} + +- (void)testNoCrashWhenMetadataDecryptionFails +{ + CFDataRef enc = NULL; + CFErrorRef error = NULL; + SecAccessControlRef ac = NULL; + + self.allowDecryption = NO; + + NSDictionary* secretData = @{(id)kSecValueData : @"secret here"}; + + ac = SecAccessControlCreate(NULL, &error); + XCTAssertNotNil((__bridge id)ac, @"failed to create access control with error: %@", (__bridge id)error); + XCTAssertNil((__bridge id)error, @"encountered error attempting to create access control: %@", (__bridge id)error); + XCTAssertTrue(SecAccessControlSetProtection(ac, kSecAttrAccessibleWhenUnlocked, &error), @"failed to set access control protection with error: %@", error); + XCTAssertNil((__bridge id)error, @"encountered error attempting to set access control protection: %@", (__bridge id)error); + + 
XCTAssertTrue(ks_encrypt_data(KEYBAG_DEVICE, ac, NULL, (__bridge CFDictionaryRef)secretData, (__bridge CFDictionaryRef)@{}, NULL, &enc, true, &error), @"failed to encrypt data with error: %@", error); + XCTAssertTrue(enc != NULL, @"failed to get encrypted data from encryption function"); + XCTAssertNil((__bridge id)error, @"encountered error attempting to encrypt data: %@", (__bridge id)error); + CFReleaseNull(ac); + + CFMutableDictionaryRef attributes = NULL; + uint32_t version = 0; + + keyclass_t keyclass = 0; + XCTAssertNoThrow(ks_decrypt_data(KEYBAG_DEVICE, kAKSKeyOpDecrypt, &ac, NULL, enc, NULL, NULL, &attributes, &version, true, &keyclass, &error), @"unexpected exception when decryption fails"); + XCTAssertEqual(keyclass, key_class_ak, @"failed to get back the keyclass when decryption failed"); + + self.allowDecryption = YES; +} + +#if 0 +// these tests fail until we address Fix keychain lock state check to be both secure and fast for EDU mode +- (void)testOperationsDontUseCachedKeysWhileLockedWithAKSAvailable // simulating the backup situation +{ + self.lockState = LockStateLockedAndAllowAKS; + + NSDictionary* item = @{ (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecValueData : [@"password" dataUsingEncoding:NSUTF8StringEncoding], + (id)kSecAttrAccount : @"TestAccount", + (id)kSecAttrService : @"TestService", + (id)kSecAttrNoLegacy : @(YES) }; + + OSStatus result = SecItemAdd((__bridge CFDictionaryRef)item, NULL); + XCTAssertEqual(result, 0, @"failed to add test item to keychain"); + + NSMutableDictionary* metadataQuery = item.mutableCopy; + [metadataQuery removeObjectForKey:(id)kSecValueData]; + metadataQuery[(id)kSecReturnAttributes] = @(YES); + CFTypeRef foundItem = NULL; + result = SecItemCopyMatching((__bridge CFDictionaryRef)metadataQuery, &foundItem); + XCTAssertEqual(result, 0, @"failed to find the metadata for the item we just added in the keychain"); + + XCTAssertTrue(self.didAKSDecrypt, @"we did not go through AKS to decrypt the metadata 
key while locked - bad!"); + + NSMutableDictionary* dataQuery = item.mutableCopy; + dataQuery[(id)kSecReturnData] = @(YES); + result = SecItemCopyMatching((__bridge CFDictionaryRef)dataQuery, &foundItem); + XCTAssertEqual(result, 0, @"failed to find the data for the item we just added to the keychain"); + + NSData* foundData = (__bridge NSData*)foundItem; + if ([foundData isKindOfClass:[NSData class]]) { + NSString* foundPassword = [[NSString alloc] initWithData:(__bridge NSData*)foundItem encoding:NSUTF8StringEncoding]; + XCTAssertEqualObjects(foundPassword, @"password", @"found password (%@) does not match the expected password", foundPassword); + } + else { + XCTAssertTrue(false, @"found data is not the expected class: %@", foundData); + } +} + +- (void)testNoResultsWhenLocked +{ + NSDictionary* item = @{ (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecValueData : [@"password" dataUsingEncoding:NSUTF8StringEncoding], + (id)kSecAttrAccount : @"TestAccount", + (id)kSecAttrService : @"TestService", + (id)kSecAttrNoLegacy : @(YES) }; + + OSStatus result = SecItemAdd((__bridge CFDictionaryRef)item, NULL); + XCTAssertEqual(result, 0, @"failed to add test item to keychain"); + + self.lockState = LockStateLockedAndDisallowAKS; + + NSMutableDictionary* metadataQuery = item.mutableCopy; + [metadataQuery removeObjectForKey:(id)kSecValueData]; + metadataQuery[(id)kSecReturnAttributes] = @(YES); + CFTypeRef foundItem = NULL; + result = SecItemCopyMatching((__bridge CFDictionaryRef)metadataQuery, &foundItem); + XCTAssertEqual(foundItem, NULL, @"somehow still got results when AKS was locked"); +} +#endif + +- (void)testRecoverFromBadMetadataKey +{ + // Disable caching, so we can change AKS encrypt/decrypt + id mockSecDbKeychainMetadataKeyStore = OCMClassMock([SecDbKeychainMetadataKeyStore class]); + OCMStub([mockSecDbKeychainMetadataKeyStore cachingEnabled]).andReturn(false); + + NSDictionary* addQuery = @{ (id)kSecClass : (id)kSecClassGenericPassword, + 
(id)kSecValueData : [@"password" dataUsingEncoding:NSUTF8StringEncoding], + (id)kSecAttrAccount : @"TestAccount", + (id)kSecAttrService : @"TestService", + (id)kSecAttrNoLegacy : @(YES), + (id)kSecReturnAttributes : @(YES), + }; + + NSDictionary* findQuery = @{ (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecAttrAccount : @"TestAccount", + (id)kSecAttrService : @"TestService", + (id)kSecAttrNoLegacy : @(YES), + (id)kSecReturnAttributes : @(YES), + }; + +#if TARGET_OS_OSX + NSDictionary* updateQuery = findQuery; +#else + // iOS won't tolerate kSecReturnAttributes in SecItemUpdate + NSDictionary* updateQuery = @{ (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecAttrAccount : @"TestAccount", + (id)kSecAttrService : @"TestService", + (id)kSecAttrNoLegacy : @(YES), + }; +#endif + + NSDictionary* addQuery2 = @{ (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecValueData : [@"password" dataUsingEncoding:NSUTF8StringEncoding], + (id)kSecAttrAccount : @"TestAccount-second", + (id)kSecAttrService : @"TestService-second", + (id)kSecAttrNoLegacy : @(YES), + (id)kSecReturnAttributes : @(YES), + }; + + NSDictionary* findQuery2 = @{ (id)kSecClass : (id)kSecClassGenericPassword, + (id)kSecAttrAccount : @"TestAccount-second", + (id)kSecAttrService : @"TestService-second", + (id)kSecAttrNoLegacy : @(YES), + (id)kSecReturnAttributes : @(YES), + }; + + CFTypeRef result = NULL; + + // Add the item + XCTAssertEqual(SecItemAdd((__bridge CFDictionaryRef)addQuery, &result), errSecSuccess, @"Should have succeeded in adding test item to keychain"); + XCTAssertNotNil((__bridge id)result, @"Should have received a dictionary back from SecItemAdd"); + CFReleaseNull(result); + + // Add a second item, for fun and profit + XCTAssertEqual(SecItemAdd((__bridge CFDictionaryRef)addQuery2, &result), + errSecSuccess, + @"Should have succeeded in adding test2 item to keychain"); + + // And we can find te item + XCTAssertEqual(SecItemCopyMatching((__bridge CFDictionaryRef)findQuery, 
&result), errSecSuccess, @"Should be able to find item"); + XCTAssertNotNil((__bridge id)result, @"Should have received a dictionary back from SecItemCopyMatching"); + CFReleaseNull(result); + + // And we can update the item + XCTAssertEqual(SecItemUpdate((__bridge CFDictionaryRef)updateQuery, + (__bridge CFDictionaryRef)@{(id)kSecValueData: [@"otherpassword" dataUsingEncoding:NSUTF8StringEncoding]}), + errSecSuccess, + "Should be able to update an item"); + + // And find it again + XCTAssertEqual(SecItemCopyMatching((__bridge CFDictionaryRef)findQuery, &result), errSecSuccess, @"Should be able to find item"); + XCTAssertNotNil((__bridge id)result, @"Should have received a dictionary back from SecItemCopyMatching"); + CFReleaseNull(result); + + // And we can find the second item + XCTAssertEqual(SecItemCopyMatching((__bridge CFDictionaryRef)findQuery2, &result), + errSecSuccess, @"Should be able to find second item"); + XCTAssertNotNil((__bridge id)result, @"Should have received a dictionary back from SecItemCopyMatching for item 2"); + CFReleaseNull(result); + + /////////////////////////////////////////////////////////////////////////////////// + // Now, the metadata keys go corrupt (fake that by changing the underlying AKS key) + [self setNewFakeAKSKey:[NSData dataWithBytes:"1234567890123456789000" length:32]]; + + XCTAssertEqual(SecItemCopyMatching((__bridge CFDictionaryRef)findQuery, &result), errSecItemNotFound, + "should have received errSecItemNotFound when metadata keys are invalid"); + XCTAssertEqual(SecItemCopyMatching((__bridge CFDictionaryRef)findQuery, &result), errSecItemNotFound, + "Multiple finds of the same item should receive errSecItemNotFound when metadata keys are invalid"); + XCTAssertEqual(SecItemCopyMatching((__bridge CFDictionaryRef)findQuery, &result), errSecItemNotFound, + "Multiple finds of the same item should receive errSecItemNotFound when metadata keys are invalid"); + + XCTAssertEqual(SecItemCopyMatching((__bridge 
CFDictionaryRef)findQuery2, &result), + errSecItemNotFound, @"Should not be able to find corrupt second item"); + XCTAssertNil((__bridge id)result, @"Should have received no data back from SICM for corrupt item"); + + // Updating the now-corrupt item should fail + XCTAssertEqual(SecItemUpdate((__bridge CFDictionaryRef)updateQuery, + (__bridge CFDictionaryRef)@{ (id)kSecValueData: [@"otherpassword" dataUsingEncoding:NSUTF8StringEncoding] }), + errSecItemNotFound, + "Should not be able to update a corrupt item"); + + // Re-add the item (should succeed) + XCTAssertEqual(SecItemAdd((__bridge CFDictionaryRef)addQuery, &result), errSecSuccess, @"Should have succeeded in adding test item to keychain"); + XCTAssertNotNil((__bridge id)result, @"Should have received a dictionary back from SecItemAdd"); + CFReleaseNull(result); + + // And we can find it again + XCTAssertEqual(SecItemCopyMatching((__bridge CFDictionaryRef)findQuery, &result), errSecSuccess, @"Should be able to find item"); + XCTAssertNotNil((__bridge id)result, @"Should have received a dictionary back from SecItemAdd"); + CFReleaseNull(result); + + // And update it + XCTAssertEqual(SecItemUpdate((__bridge CFDictionaryRef)updateQuery, + (__bridge CFDictionaryRef)@{ (id)kSecValueData: [@"otherpassword" dataUsingEncoding:NSUTF8StringEncoding] }), + errSecSuccess, + "Should be able to update a fixed item"); + + ///////////// + // And our second item, which is wrapped under an old key, can't be found + XCTAssertEqual(SecItemCopyMatching((__bridge CFDictionaryRef)findQuery2, &result), + errSecItemNotFound, @"Should not be able to find corrupt second item"); + XCTAssertNil((__bridge id)result, @"Should have received no data back from SICM for corrupt item"); + + // But can be re-added + XCTAssertEqual(SecItemAdd((__bridge CFDictionaryRef)addQuery2, &result), + errSecSuccess, + @"Should have succeeded in adding test2 item to keychain after corruption"); + XCTAssertNotNil((__bridge id)result, @"Should have received a 
dictionary back from SecItemAdd for item 2 (after corruption)"); + CFReleaseNull(result); + + // And we can find the second item again + XCTAssertEqual(SecItemCopyMatching((__bridge CFDictionaryRef)findQuery2, &result), + errSecSuccess, @"Should be able to find second item after re-add"); + XCTAssertNotNil((__bridge id)result, @"Should have received a dictionary back from SecItemCopyMatching for item 2 (after re-add)"); + CFReleaseNull(result); + + [mockSecDbKeychainMetadataKeyStore stopMocking]; +} + +- (void)testRecoverDataFromBadKeyclassStorage +{ + NSDictionary* metadataAttributesInput = @{@"TestMetadata" : @"TestValue"}; + SecDbKeychainSerializedItemV7* serializedItem = [self serializedItemWithPassword:@"password" metadataAttributes:metadataAttributesInput]; + serializedItem.keyclass = (serializedItem.keyclass | key_class_last + 1); + + NSError* error = nil; + SecDbKeychainItemV7* item = [[SecDbKeychainItemV7 alloc] initWithData:serializedItem.data decryptionKeybag:0 error:&error]; + NSDictionary* metadataAttributesOut = [item metadataAttributesWithError:&error]; + XCTAssertEqualObjects(metadataAttributesOut, metadataAttributesInput, @"failed to retrieve metadata with error: %@", error); + XCTAssertNil(error, @"error encountered attempting to retrieve metadata: %@", error); +} + +- (NSData*)performItemEncryptionWithAccessibility:(CFStringRef)accessibility +{ + SecAccessControlRef ac = NULL; + CFDataRef enc = NULL; + CFErrorRef error = NULL; + + NSDictionary* secretData = @{(id)kSecValueData : @"secret here"}; + + ac = SecAccessControlCreate(NULL, &error); + XCTAssertNotNil((__bridge id)ac, @"failed to create access control with error: %@", (__bridge id)error); + XCTAssertNil((__bridge id)error, @"encountered error attempting to create access control: %@", (__bridge id)error); + XCTAssertTrue(SecAccessControlSetProtection(ac, accessibility, &error), @"failed to set access control protection with error: %@", error); + XCTAssertNil((__bridge id)error, 
@"encountered error attempting to set access control protection: %@", (__bridge id)error); + + XCTAssertTrue(ks_encrypt_data(KEYBAG_DEVICE, ac, NULL, (__bridge CFDictionaryRef)secretData, (__bridge CFDictionaryRef)@{}, NULL, &enc, true, &error), @"failed to encrypt data with error: %@", error); + XCTAssertTrue(enc != NULL, @"failed to get encrypted data from encryption function"); + XCTAssertNil((__bridge id)error, @"encountered error attempting to encrypt data: %@", (__bridge id)error); + CFReleaseNull(ac); + + return (__bridge_transfer NSData*)enc; +} + +- (void)performMetadataDecryptionOfData:(NSData*)encryptedData verifyingAccessibility:(CFStringRef)accessibility +{ + CFErrorRef error = NULL; + CFMutableDictionaryRef attributes = NULL; + uint32_t version = 0; + + SecAccessControlRef ac = SecAccessControlCreate(NULL, &error); + XCTAssertNotNil((__bridge id)ac, @"failed to create access control with error: %@", (__bridge id)error); + XCTAssertNil((__bridge id)error, @"encountered error attempting to create access control: %@", (__bridge id)error); + XCTAssertTrue(SecAccessControlSetProtection(ac, accessibility, &error), @"failed to set access control protection with error: %@", error); + XCTAssertNil((__bridge id)error, @"encountered error attempting to set access control protection: %@", (__bridge id)error); + + keyclass_t keyclass = 0; + XCTAssertTrue(ks_decrypt_data(KEYBAG_DEVICE, kAKSKeyOpDecrypt, &ac, NULL, (__bridge CFDataRef)encryptedData, NULL, NULL, &attributes, &version, false, &keyclass, &error), @"failed to decrypt data with error: %@", error); + XCTAssertNil((__bridge id)error, @"encountered error attempting to decrypt data: %@", (__bridge id)error); + XCTAssertEqual(keyclass & key_class_last, parse_keyclass(accessibility), @"failed to get back the keyclass from decryption"); + + CFReleaseNull(error); +} + +- (void)performMetadataEncryptDecryptWithAccessibility:(CFStringRef)accessibility +{ + NSData* encryptedData = [self 
performItemEncryptionWithAccessibility:accessibility]; + + [SecDbKeychainMetadataKeyStore resetSharedStore]; + + [self performMetadataDecryptionOfData:encryptedData verifyingAccessibility:accessibility]; +} + +- (void)testMetadataClassKeyDecryptionWithSimulatedAKSRolledKeys +{ + self.simulateRolledAKSKey = YES; + + [self performMetadataEncryptDecryptWithAccessibility:kSecAttrAccessibleWhenUnlocked]; + XCTAssertEqual(self.keyclassUsedForAKSDecryption, key_class_ak | key_class_last + 1); + + [self performMetadataEncryptDecryptWithAccessibility:kSecAttrAccessibleAfterFirstUnlock]; + XCTAssertEqual(self.keyclassUsedForAKSDecryption, key_class_ck | key_class_last + 1); + + [self performMetadataEncryptDecryptWithAccessibility:kSecAttrAccessibleAlways]; + XCTAssertEqual(self.keyclassUsedForAKSDecryption, key_class_dk | key_class_last + 1); + + [self performMetadataEncryptDecryptWithAccessibility:kSecAttrAccessibleWhenUnlockedThisDeviceOnly]; + XCTAssertEqual(self.keyclassUsedForAKSDecryption, key_class_aku | key_class_last + 1); + + [self performMetadataEncryptDecryptWithAccessibility:kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly]; + XCTAssertEqual(self.keyclassUsedForAKSDecryption, key_class_cku | key_class_last + 1); + + [self performMetadataEncryptDecryptWithAccessibility:kSecAttrAccessibleAlwaysThisDeviceOnly]; + XCTAssertEqual(self.keyclassUsedForAKSDecryption, key_class_dku | key_class_last + 1); + + [self performMetadataEncryptDecryptWithAccessibility:kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly]; + XCTAssertEqual(self.keyclassUsedForAKSDecryption, key_class_akpu | key_class_last + 1); +} + +- (void)testUpgradingMetadataKeyEntry +{ + // first, force the creation of a metadata key + NSData* encryptedData = [self performItemEncryptionWithAccessibility:kSecAttrAccessibleWhenUnlocked]; + + // now let's jury-rig this metadata key to look like an old one with no actualKeyclass information + __block CFErrorRef error = NULL; + __block bool ok = true; + ok &= 
kc_with_dbt(true, &error, ^bool(SecDbConnectionRef dbt) { + NSString* sql = [NSString stringWithFormat:@"UPDATE metadatakeys SET actualKeyclass = %d WHERE keyclass = %d", 0, key_class_ak]; + ok &= SecDbPrepare(dbt, (__bridge CFStringRef)sql, &error, ^(sqlite3_stmt* stmt) { + ok &= SecDbStep(dbt, stmt, &error, ^(bool* stop) { + // woohoo + }); + }); + + return ok; + }); + + // now, let's simulate AKS rejecting the decryption, and see if we recover and also update the database + self.simulateRolledAKSKey = YES; + [SecDbKeychainMetadataKeyStore resetSharedStore]; + [self performMetadataDecryptionOfData:encryptedData verifyingAccessibility:kSecAttrAccessibleWhenUnlocked]; +} + +#endif + +@end diff --git a/secdxctests/KeychainXCTest.h b/secdxctests/KeychainXCTest.h new file mode 100644 index 00000000..d8090993 --- /dev/null +++ b/secdxctests/KeychainXCTest.h 
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2018 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#import "KeychainXCTest.h"
+#import "SecItemServer.h"
+#import
+#import
+#import
+
+#if USE_KEYSTORE
+#include
+
+typedef enum {
+ LockStateUnlocked,
+ LockStateLockedAndDisallowAKS,
+ LockStateLockedAndAllowAKS // this state matches how backup works while locked
+} LockState;
+
+@interface KeychainXCTest : XCTestCase
+
+@property LockState lockState;
+@property id mockSecDbKeychainItemV7;
+@property bool allowDecryption;
+@property BOOL didAKSDecrypt;
+@property BOOL simulateRolledAKSKey;
+@property keyclass_t keyclassUsedForAKSDecryption;
+
+@property SFAESKeySpecifier* keySpecifier;
+@property SFAESKey* fakeAKSKey;
+
+- (bool)setNewFakeAKSKey:(NSData*)newKeyData;
+
+@end
+
+#endif
diff --git a/secdxctests/KeychainXCTest.m b/secdxctests/KeychainXCTest.m
new file mode 100644
index 00000000..77b1f8b3
--- /dev/null
+++ b/secdxctests/KeychainXCTest.m
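Review bot: `setNewFakeAKSKey:` is declared in KeychainXCTest.h without saying how many bytes `newKeyData` must hold or what the `bool` result means. The callers visible in this patch (`setUp` in KeychainXCTest.m and `testRecoverFromBadMetadataKey`) build the argument with `dataWithBytes:"1234567890123456789012" length:32` and `dataWithBytes:"1234567890123456789000" length:32`. Each asks for 32 bytes from a 22-character literal, so it reads past the end of the string constant and the fake key's tail is whatever sits next to it in memory. A comment on the declaration such as `// newKeyData must be exactly 32 bytes (AES-256 fake AKS key)` would state the contract, assuming the 256-bit `keySpecifier` created in `setUp` is the only size intended; the callers would then need a literal that is 32 bytes long. Separately, the first import line `#import "KeychainXCTest.h"` pulls the header into itself and can be dropped, and `allowDecryption` is typed `bool` while the neighbouring flags use `BOOL`.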
@@ -0,0 +1,219 @@ +/* + * Copyright (c) 2018 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import "KeychainXCTest.h" +#import "SecDbKeychainItem.h" +#import "SecdTestKeychainUtilities.h" +#import "CKKS.h" +#import "SecDbKeychainItemV7.h" +#import "SecItemPriv.h" +#import "SecItemServer.h" +#import "spi.h" +#import "SecDbKeychainSerializedItemV7.h" +#import "SecDbKeychainSerializedMetadata.h" +#import "SecDbKeychainSerializedSecretData.h" +#import "SecDbKeychainSerializedAKSWrappedKey.h" +#import +#import +#import +#import +#import + +#if USE_KEYSTORE + +@interface SecDbKeychainItemV7 () + ++ (SFAESKeySpecifier*)keySpecifier; + +@end + +@implementation KeychainXCTest + ++ (void)setUp +{ + [super setUp]; + + SecCKKSDisable(); + securityd_init(NULL); +} + +- (void)setUp +{ + [super setUp]; + + self.lockState = LockStateUnlocked; + self.allowDecryption = true; + self.didAKSDecrypt = NO; + self.simulateRolledAKSKey = NO; + + + self.keyclassUsedForAKSDecryption = 0; + + self.keySpecifier = [[SFAESKeySpecifier alloc] initWithBitSize:SFAESKeyBitSize256]; + [self 
setNewFakeAKSKey:[NSData dataWithBytes:"1234567890123456789012" length:32]]; + + [SecDbKeychainMetadataKeyStore resetSharedStore]; + + self.mockSecDbKeychainItemV7 = OCMClassMock([SecDbKeychainItemV7 class]); + [[[[self.mockSecDbKeychainItemV7 stub] andCall:@selector(fakeAKSEncryptWithKeybag:keyclass:keyData:outKeyclass:wrappedKey:error:) onObject:self] ignoringNonObjectArgs] aksEncryptWithKeybag:0 keyclass:0 keyData:[OCMArg any] outKeyclass:NULL wrappedKey:[OCMArg any] error:NULL]; + [[[[self.mockSecDbKeychainItemV7 stub] andCall:@selector(fakeAKSDecryptWithKeybag:keyclass:wrappedKeyData:outKeyclass:unwrappedKey:error:) onObject:self] ignoringNonObjectArgs] aksDecryptWithKeybag:0 keyclass:0 wrappedKeyData:[OCMArg any] outKeyclass:NULL unwrappedKey:[OCMArg any] error:NULL]; + [[[self.mockSecDbKeychainItemV7 stub] andCall:@selector(decryptionOperation) onObject:self] decryptionOperation]; + [[[self.mockSecDbKeychainItemV7 stub] andCall:@selector(isKeychainUnlocked) onObject:self] isKeychainUnlocked]; + + NSArray* partsOfName = [self.name componentsSeparatedByCharactersInSet:[NSCharacterSet characterSetWithCharactersInString:@" ]"]]; + secd_test_setup_temp_keychain([partsOfName[1] UTF8String], NULL); +} + +- (void)tearDown +{ + [self.mockSecDbKeychainItemV7 stopMocking]; + [super tearDown]; +} + +- (bool)isKeychainUnlocked +{ + return self.lockState == LockStateUnlocked; +} + +- (id)decryptionOperation +{ + return self.allowDecryption ? 
[[SFAuthenticatedEncryptionOperation alloc] initWithKeySpecifier:[SecDbKeychainItemV7 keySpecifier]] : nil; +} + +- (bool)setNewFakeAKSKey:(NSData*)newKeyData +{ + NSError* error = nil; + self.fakeAKSKey = [[SFAESKey alloc] initWithData:newKeyData specifier:self.keySpecifier error:&error]; + XCTAssertNil(error, "Should be no error making a fake AKS key"); + XCTAssertNotNil(self.fakeAKSKey, "Should have received a fake AKS key"); + return true; +} + +- (bool)fakeAKSEncryptWithKeybag:(keybag_handle_t)keybag + keyclass:(keyclass_t)keyclass + keyData:(NSData*)keyData + outKeyclass:(keyclass_t*)outKeyclass + wrappedKey:(NSMutableData*)wrappedKey + error:(NSError**)error +{ + if (self.lockState == LockStateLockedAndDisallowAKS) { + if (error) { + *error = [NSError errorWithDomain:(__bridge NSString *)kSecErrorDomain code:errSecInteractionNotAllowed userInfo:NULL]; + } + return false; + } + + uint32_t keyLength = (uint32_t)keyData.length; + const uint8_t* keyBytes = keyData.bytes; + + NSData* dataToEncrypt = [NSData dataWithBytes:keyBytes length:keyLength]; + NSError* localError = nil; + + SFAuthenticatedEncryptionOperation* encryptionOperation = [[SFAuthenticatedEncryptionOperation alloc] initWithKeySpecifier:self.keySpecifier]; + encryptionOperation.authenticationCodeLength = 8; + SFAuthenticatedCiphertext* ciphertext = [encryptionOperation encrypt:dataToEncrypt withKey:self.fakeAKSKey error:&localError]; + + if (error) { + *error = localError; + } + + if (ciphertext) { + void* wrappedKeyMutableBytes = wrappedKey.mutableBytes; + memcpy(wrappedKeyMutableBytes, ciphertext.ciphertext.bytes, 32); + memcpy(wrappedKeyMutableBytes + 32, ciphertext.initializationVector.bytes, 32); + memcpy(wrappedKeyMutableBytes + 64, ciphertext.authenticationCode.bytes, 8); + + if (self.simulateRolledAKSKey && outKeyclass) { + *outKeyclass = keyclass | (key_class_last + 1); + } + + return true; + } + else { + return false; + } +} + +- (bool)fakeAKSDecryptWithKeybag:(keybag_handle_t)keybag + 
keyclass:(keyclass_t)keyclass + wrappedKeyData:(NSData*)wrappedKeyData + outKeyclass:(keyclass_t*)outKeyclass + unwrappedKey:(NSMutableData*)unwrappedKey + error:(NSError**)error +{ + if (self.lockState == LockStateLockedAndDisallowAKS) { + if (error) { + *error = [NSError errorWithDomain:(__bridge NSString *)kSecErrorDomain code:errSecInteractionNotAllowed userInfo:NULL]; + } + return false; + } + + if (self.simulateRolledAKSKey && keyclass < key_class_last) { + // let's make decryption fail like it would if this were an old metadata key entry made with a generational AKS key, but we didn't store that info in the database + return false; + } + + const uint8_t* wrappedKeyBytes = wrappedKeyData.bytes; + + NSData* ciphertextData = [NSData dataWithBytes:wrappedKeyBytes length:32]; + NSData* ivData = [NSData dataWithBytes:wrappedKeyBytes + 32 length:32]; + NSData* authCodeData = [NSData dataWithBytes:wrappedKeyBytes + 64 length:8]; + SFAuthenticatedCiphertext* ciphertext = [[SFAuthenticatedCiphertext alloc] initWithCiphertext:ciphertextData authenticationCode:authCodeData initializationVector:ivData]; + + NSError* localError = nil; + + SFAuthenticatedEncryptionOperation* encryptionOperation = [[SFAuthenticatedEncryptionOperation alloc] initWithKeySpecifier:self.keySpecifier]; + encryptionOperation.authenticationCodeLength = 8; + NSData* decryptedData = [encryptionOperation decrypt:ciphertext withKey:self.fakeAKSKey error:&localError]; + + // in real securityd, we go through AKS rather than SFCryptoServices + // we need to translate the error for proper handling + if ([localError.domain isEqualToString:SFCryptoServicesErrorDomain] && localError.code == SFCryptoServicesErrorDecryptionFailed) { + if (!self.simulateRolledAKSKey && keyclass > key_class_last) { + // for this case we want to simulate what happens when we try decrypting with a rolled keyclass on a device which has never been rolled, which is it ends up with a NotPermitted error from AKS which the security 
layer translates as locked keybag + localError = [NSError errorWithDomain:NSOSStatusErrorDomain code:errSecInteractionNotAllowed userInfo:nil]; + } + else { + localError = [NSError errorWithDomain:NSOSStatusErrorDomain code:errSecDecode userInfo:nil]; + } + } + + if (error) { + *error = localError; + } + + self.keyclassUsedForAKSDecryption = keyclass; + if (decryptedData && decryptedData.length <= unwrappedKey.length) { + memcpy(unwrappedKey.mutableBytes, decryptedData.bytes, decryptedData.length); + unwrappedKey.length = decryptedData.length; + self.didAKSDecrypt = YES; + return true; + } + else { + return false; + } +} + +@end + +#endif diff --git a/sectask/SecEntitlements.h b/sectask/SecEntitlements.h index f366beb4..2784e788 100644 --- a/sectask/SecEntitlements.h +++ b/sectask/SecEntitlements.h @@ -123,6 +123,9 @@ __BEGIN_DECLS /* Entitlement to control usage of deletion of keychain items on app uninstallation */ #define kSecEntitlementPrivateUninstallDeletion CFSTR("com.apple.private.uninstall.deletion") +/* Entitlement to control usage of deletion of keychain items wholesale */ +#define kSecEntitlementPrivateDeleteAll CFSTR("com.apple.private.security.delete.all") + /* Entitlement to allow access to circle joining APIs in SOSCC */ #define kSecEntitlementCircleJoin CFSTR("com.apple.private.keychain.circle.join") @@ -152,6 +155,14 @@ __BEGIN_DECLS #define kSecEntitlementBackupTableOperationsDeleteAll CFSTR("com.apple.private.keychain.backuptableops.deleteall") +/* Entitlement to allow executing keychain control actions */ +#define kSecEntitlementKeychainControl CFSTR("com.apple.private.keychain.keychaincontrol") + +#if __OBJC__ +/* Entitlement to control use of OT */ +#define kSecEntitlementPrivateOctagon @"com.apple.private.octagon" +#endif + __END_DECLS #endif /* !_SECURITY_SECENTITLEMENTS_H_ */ 
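Review bot: In `-setUp` of KeychainXCTest.m, `[NSData dataWithBytes:"1234567890123456789012" length:32]` copies 32 bytes from a string literal that is only 23 bytes long including its terminator, so the fake AKS key is built from nine bytes read past the end of the literal. That is an out-of-bounds read, and it makes the key depend on whatever happens to follow the string in memory. Use a buffer of the full key length, e.g. `static const uint8_t kFakeAKSKeyBytes[32] = "1234567890123456789012";` passed with `length:sizeof(kFakeAKSKeyBytes)`, which zero-fills the tail. The fake wrap and unwrap helpers in the same file also copy fixed 32/32/8-byte fields without first checking `wrappedKey.length`, `wrappedKeyData.length` or the IV length; an `XCTAssert` on those sizes before the `memcpy` calls would turn a silent overrun into a test failure.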
diff --git a/security-sysdiagnose/security-sysdiagnose.entitlements.plist b/security-sysdiagnose/security-sysdiagnose.entitlements.plist index 2f7c59a9..481bf502 100644 --- a/security-sysdiagnose/security-sysdiagnose.entitlements.plist +++ b/security-sysdiagnose/security-sysdiagnose.entitlements.plist @@ -2,6 +2,8 @@ + com.apple.private.securityuploadd + keychain-access-groups com.apple.hap.pairing diff --git a/security-sysdiagnose/security-sysdiagnose.m b/security-sysdiagnose/security-sysdiagnose.m index eca91e9f..1456af69 100644 --- a/security-sysdiagnose/security-sysdiagnose.m +++ b/security-sysdiagnose/security-sysdiagnose.m @@ -40,6 +40,7 @@ #include "accountCirclesViewsPrint.h" #import "CKKSControlProtocol.h" #import "SecItemPriv.h" +#import "supdProtocol.h" #include @@ -99,16 +100,7 @@ circle_sysdiagnose(void) static void engine_sysdiagnose(void) { - [@"Engine state:\n" writeToStdOut]; - - CFErrorRef error = NULL; - - if (!SOSCCForEachEngineStateAsString(&error, ^(CFStringRef oneStateString) { - [(__bridge NSString*) oneStateString writeToStdOut]; - [@"\n" writeToStdOut]; - })) { - [[NSString stringWithFormat: @"No engine state, got error: %@", error] writeToStdOut]; - } + SOSCCDumpEngineInformation(); } /* 
@@ -247,54 +239,38 @@ idsproxy_sysdiagnose(void) } static void -kvs_sysdiagnose(void) { - SOSLogSetOutputTo(NULL,NULL); - SOSCCDumpCircleKVSInformation(NULL); -} - - -static void -ckks_analytics_sysdiagnose(void) +analytics_sysdiagnose(void) { - CFErrorRef error = NULL; - xpc_endpoint_t xpcEndpoint = _SecSecuritydCopyCKKSEndpoint(&error); - if (!xpcEndpoint) { - [[NSString stringWithFormat:@"failed to get CKKSControl endpoint with error: %@\n", error] writeToStdErr]; - return; - } - - NSXPCInterface* xpcInterface = [NSXPCInterface interfaceWithProtocol:@protocol(CKKSControlProtocol)]; - NSXPCListenerEndpoint* listenerEndpoint = [[NSXPCListenerEndpoint alloc] init]; - [listenerEndpoint _setEndpoint:xpcEndpoint]; - - NSXPCConnection* xpcConnection = [[NSXPCConnection alloc] initWithListenerEndpoint:listenerEndpoint]; + NSXPCConnection* xpcConnection = [[NSXPCConnection alloc] initWithMachServiceName:@"com.apple.securityuploadd" options:NSXPCConnectionPrivileged]; if (!xpcConnection) { - [@"failed to setup xpc connection for CKKSControl\n" writeToStdErr]; + [@"failed to setup xpc connection for securityuploadd\n" writeToStdErr]; + return; } - - xpcConnection.remoteObjectInterface = xpcInterface; + xpcConnection.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(supdProtocol)]; [xpcConnection resume]; - + dispatch_semaphore_t semaphore = dispatch_semaphore_create(0); [[xpcConnection remoteObjectProxyWithErrorHandler:^(NSError* rpcError) { [[NSString stringWithFormat:@"Error talking with daemon: %@\n", rpcError] writeToStdErr]; dispatch_semaphore_signal(semaphore); - }] rpcGetAnalyticsSysdiagnoseWithReply:^(NSString* sysdiagnose, NSError* rpcError) { - if (sysdiagnose && !error) { + }] getSysdiagnoseDumpWithReply:^(NSString* sysdiagnose) { + if (sysdiagnose) { [[NSString stringWithFormat:@"\nAnalytics sysdiagnose:\n\n%@\n", sysdiagnose] writeToStdOut]; } - else { - [[NSString stringWithFormat:@"error retrieving sysdiagnose: %@\n", rpcError] 
writeToStdErr]; - } - dispatch_semaphore_signal(semaphore); }]; - + if (dispatch_semaphore_wait(semaphore, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 60)) != 0) { [@"\n\nError: timed out waiting for response\n" writeToStdErr]; } } +static void +kvs_sysdiagnose(void) { + SOSLogSetOutputTo(NULL,NULL); + SOSCCDumpCircleKVSInformation(NULL); +} + int main(int argc, const char ** argv) { @@ -306,8 +282,8 @@ main(int argc, const char ** argv) homekit_sysdiagnose(); unlock_sysdiagnose(); idsproxy_sysdiagnose(); - ckks_analytics_sysdiagnose(); - + analytics_sysdiagnose(); + // Keep this one last kvs_sysdiagnose(); } diff --git a/securityd/etc/com.apple.securityd.plist b/securityd/etc/com.apple.securityd.plist index bc500da6..e1729686 100644 --- a/securityd/etc/com.apple.securityd.plist +++ b/securityd/etc/com.apple.securityd.plist @@ -33,8 +33,6 @@ LaunchOnlyOnce - BeginTransactionAtShutdown - EnableTransactions POSIXSpawnType diff --git a/securityd/securityd_service/securityd_service/main.c b/securityd/securityd_service/securityd_service/main.c index 57ccd3e0..28be2bed 100644 --- a/securityd/securityd_service/securityd_service/main.c +++ b/securityd/securityd_service/securityd_service/main.c @@ -296,6 +296,8 @@ _kb_save_bag_to_disk(service_user_record_t * ur, const char * bag_file, void * d if (renamex_np(tmp_bag, bag_file, RENAME_SWAP) != 0) { os_log(OS_LOG_DEFAULT, "Warning: atomic swap failed"); require_noerr_action(rename(tmp_bag, bag_file), done, os_log(OS_LOG_DEFAULT, "could not save keybag file")); + } else { + (void)unlink(tmp_bag); } result = true; @@ -474,7 +476,7 @@ out: } static int -_kb_set_user_uuid(service_context_t * context, const void * secret, int secret_len) +_kb_set_properties(service_context_t * context, const void * secret, int secret_len) { int result = KB_GeneralError; CFMutableDictionaryRef options = NULL; 
@@ -484,7 +486,17 @@ _kb_set_user_uuid(service_context_t * context, const void * secret, int secret_l /* set user uuid, if not already set */ passcode = CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, secret, secret_len, kCFAllocatorNull); - MKBKeyBagSetUserUUID(options, passcode); + if (MKBKeyBagSetUserUUID(options, passcode)) { + os_log(OS_LOG_DEFAULT, "set user uuid failed"); + } + +#ifdef MKB_SUPPORTS_BIND_KEK + if (MKBKeyBagBindKEK(options, passcode)) { + os_log(OS_LOG_DEFAULT, "KEK bind failed"); + } +#else + os_log(OS_LOG_DEFAULT, "Not bindinig KEK, update SDK"); +#endif result = KB_Success; done: @@ -521,7 +533,7 @@ service_kb_create(service_context_t * context, const void * secret, int secret_l } if (rc == KB_Success) { - _kb_set_user_uuid(context, secret, secret_len); + _kb_set_properties(context, secret, secret_len); } done: @@ -572,8 +584,8 @@ _service_kb_load_uid(uid_t s_uid) os_log(OS_LOG_DEFAULT, "bag load failed 0x%x for uid (%i)", rc, s_uid); break; } - require_noerr(rc, done; _stage = 4); - require_noerr(rc = _service_kb_set_system(private_handle, s_uid), done; _stage = 5); + require_noerr_action(rc, done, _stage = 4); + require_noerr_action(rc = _service_kb_set_system(private_handle, s_uid), done, _stage = 5); } require(rc == KB_Success, done); @@ -759,7 +771,7 @@ service_kb_reset(service_context_t * context, const void * secret, int secret_le } if (rc == KB_Success) { - _kb_set_user_uuid(context, secret, secret_len); + _kb_set_properties(context, secret, secret_len); } done: diff --git a/securityd/securityd_service/securityd_service/service.entitlements b/securityd/securityd_service/securityd_service/service.entitlements index cd19a719..bbc96664 100644 --- a/securityd/securityd_service/securityd_service/service.entitlements +++ b/securityd/securityd_service/securityd_service/service.entitlements 
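Review bot: `_kb_set_properties` still reaches `result = KB_Success;` after `MKBKeyBagSetUserUUID` or `MKBKeyBagBindKEK` has failed, and both callers in this diff (`service_kb_create`, `service_kb_reset`) ignore its return value anyway. A keybag whose KEK was not bound is therefore reported as set up successfully, with only a log line that omits the error code. If a bind failure should be visible to the caller, leave `result` at its initial `KB_GeneralError` by jumping to the existing label, e.g. `if (MKBKeyBagBindKEK(options, passcode)) { os_log(OS_LOG_DEFAULT, "KEK bind failed"); goto done; }`, and have the callers check the return. The `#else` message also contains a typo (`bindinig`). The function starts and ends outside the hunk.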
@@ -4,6 +4,8 @@ com.apple.keystore.access-keychain-keys + com.apple.keystore.config.bind_kek_to_kb + com.apple.keystore.config.set.user_uuid com.apple.keystore.device diff --git a/securityd/src/agentquery.cpp b/securityd/src/agentquery.cpp index afacd8b3..dbf52186 100644 --- a/securityd/src/agentquery.cpp +++ b/securityd/src/agentquery.cpp @@ -551,8 +551,14 @@ Reason QueryKeychainUse::queryUser (const char *database, const char *descriptio continue; passwordItem->getCssmData(data); + + { + // Must hold the 'common' lock to call decode; otherwise there's a data corruption issue + StLock _(const_cast(mPassphraseCheck)->common()); + reason = (const_cast(mPassphraseCheck)->decode(data) ? SecurityAgent::noReason : SecurityAgent::invalidPassphrase); + } } - while ((reason = (const_cast(mPassphraseCheck)->decode(data) ? SecurityAgent::noReason : SecurityAgent::invalidPassphrase))); + while (reason != SecurityAgent::noReason); readChoice(); } @@ -649,6 +655,9 @@ Reason QueryOld::operator () () // Reason QueryUnlock::accept(CssmManagedData &passphrase) { + // Must hold the 'common' lock to call decode; otherwise there's a data corruption issue + StLock _(safer_cast(database).common()); + if (safer_cast(database).decode(passphrase)) return SecurityAgent::noReason; else diff --git a/securityd/src/transition.cpp b/securityd/src/transition.cpp index 37852c0f..c3dffa69 100644 --- a/securityd/src/transition.cpp +++ b/securityd/src/transition.cpp @@ -772,6 +772,8 @@ kern_return_t ucsp_server_stashDbCheck(UCSP_ARGS, DbHandle db) kern_return_t ucsp_server_isLocked(UCSP_ARGS, DbHandle db, boolean_t *locked) { BEGIN_IPC(isLocked) + // Must hold the DB's common's lock to safely determine if it's locked. Locking is a mess in there. + StLock _(Server::database(db)->common()); *locked = Server::database(db)->isLocked(); END_IPC(DL) } diff --git a/supd/Info.plist b/supd/Info.plist new file mode 100644 index 00000000..e1e1219f --- /dev/null +++ b/supd/Info.plist 
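Review bot: With the loop condition in `QueryKeychainUse::queryUser` changed to `reason != SecurityAgent::noReason`, the `continue;` on the context line above `passwordItem->getCssmData(data)` now reaches the condition without `decode` having run. If `reason` is still `SecurityAgent::noReason` at that point, the loop ends as if the passphrase had been checked. Both the initialisation of `reason` and the guard around that `continue;` are outside the hunk, so this is an inference. Before this change the condition itself called `decode(data)` on every pass. Set a failing value on that path, e.g. `reason = SecurityAgent::invalidPassphrase;` immediately before the `continue;`, or confirm against the full function that `reason` can never be `noReason` there.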
@@ -0,0 +1,29 @@
+
+
+
+
+ CFBundleDevelopmentRegion
+ $(DEVELOPMENT_LANGUAGE)
+ CFBundleDisplayName
+ supd
+ CFBundleExecutable
+ $(EXECUTABLE_NAME)
+ CFBundleIdentifier
+ $(PRODUCT_BUNDLE_IDENTIFIER)
+ CFBundleInfoDictionaryVersion
+ 6.0
+ CFBundleName
+ $(PRODUCT_NAME)
+ CFBundlePackageType
+ XPC!
+ CFBundleShortVersionString
+ 1.0
+ CFBundleVersion
+ 1
+ XPCService
+
+ ServiceType
+ Application
+
+
+
diff --git a/supd/Tests/Info.plist b/supd/Tests/Info.plist
new file mode 100644
index 00000000..6c40a6cd
--- /dev/null
+++ b/supd/Tests/Info.plist
@@ -0,0 +1,22 @@
+
+
+
+
+ CFBundleDevelopmentRegion
+ $(DEVELOPMENT_LANGUAGE)
+ CFBundleExecutable
+ $(EXECUTABLE_NAME)
+ CFBundleIdentifier
+ $(PRODUCT_BUNDLE_IDENTIFIER)
+ CFBundleInfoDictionaryVersion
+ 6.0
+ CFBundleName
+ $(PRODUCT_NAME)
+ CFBundlePackageType
+ BNDL
+ CFBundleShortVersionString
+ 1.0
+ CFBundleVersion
+ 1
+
+
diff --git a/supd/Tests/SFAnalyticsTests.m b/supd/Tests/SFAnalyticsTests.m
new file mode 100644
index 00000000..7ffa7b04
--- /dev/null
+++ b/supd/Tests/SFAnalyticsTests.m
@@ -0,0 +1,767 @@ +/* + * Copyright (c) 2017 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import +#import "SFAnalytics.h" +#import "SFAnalyticsDefines.h" +#import +#import +#import + +@interface UnitTestAnalytics : SFAnalytics ++ (NSString*)databasePath; ++ (void)setDatabasePath:(NSString*)path; +@end + +// MARK: SFAnalytics subclass for custom DB + +@implementation UnitTestAnalytics +static NSString* _utapath; + ++ (NSString*)databasePath +{ + return _utapath; +} + ++ (void)setDatabasePath:(NSString*)path +{ + _utapath = path; +} + +@end + +@interface SFAnalyticsTests : XCTestCase +@end + +@implementation SFAnalyticsTests +{ + UnitTestAnalytics* _analytics; + NSString* _dbpath; + PQLConnection* _db; +} + +static NSString* _path; +static NSInteger _testnum; +static NSString* build = NULL; +static NSString* product = NULL; + +// MARK: Test helper methods + +- (void)assertNoSuccessEvents +{ + XCTAssertFalse([[_db fetch:@"select * from success_count"] next]); +} + +- (void)assertNoHardFailures +{ + XCTAssertFalse([[_db fetch:@"select * from hard_failures"] next]); 
+} + +- (void)assertNoSoftFailures +{ + XCTAssertFalse([[_db fetch:@"select * from soft_failures"] next]); +} + +- (void)assertNoAllEvents +{ + XCTAssertFalse([[_db fetch:@"select * from all_events"] next]); +} + +- (void)assertNoSamples +{ + XCTAssertFalse([[_db fetch:@"select * from samples"] next]); +} + +- (void)assertNoEventsAnywhere +{ + [self assertNoAllEvents]; + [self assertNoSuccessEvents]; + [self assertNoHardFailures]; + [self assertNoSoftFailures]; + [self assertNoSamples]; +} + +- (void)recentTimeStamp:(NSNumber*)timestamp +{ + XCTAssert([timestamp isKindOfClass:[NSNumber class]], @"Timestamp is an NSNumber"); + NSDate* eventTime = [NSDate dateWithTimeIntervalSince1970:[timestamp doubleValue]]; + XCTAssertLessThanOrEqual([[NSDate date] timeIntervalSinceDate:eventTime], 5, @"Timestamp (%@) is pretty recent", timestamp); +} + +- (void)properEventLogged:(PQLResultSet*)result eventType:(NSString*)eventType class:(SFAnalyticsEventClass)class attributes:(NSDictionary*)attrs +{ + [self _properEventLogged:result eventType:eventType class:class]; + + NSDictionary* rowdata = [NSPropertyListSerialization propertyListWithData:[result dataAtIndex:2] options:NSPropertyListImmutable format:nil error:nil]; + for (NSString* key in [attrs allKeys]) { + XCTAssert([attrs[key] isEqualToString:rowdata[key]], @"Attribute \"%@\" value \"%@\" matches expected \"%@\"", key, rowdata[key], attrs[key]); + } + XCTAssertFalse([result next], @"only one row returned"); +} + +- (void)properEventLogged:(PQLResultSet*)result eventType:(NSString*)eventType class:(SFAnalyticsEventClass)class +{ + [self _properEventLogged:result eventType:eventType class:class]; + XCTAssertFalse([result next], @"only one row returned"); +} + +- (void)_properEventLogged:(PQLResultSet*)result eventType:(NSString*)eventType class:(SFAnalyticsEventClass)class +{ + XCTAssert([result next], @"result found after adding an event"); + NSError* error = nil; + [result doubleAtIndex:1]; + NSDictionary* rowdata = 
[NSPropertyListSerialization propertyListWithData:[result dataAtIndex:2] options:NSPropertyListImmutable format:nil error:&error]; + XCTAssertNotNil(rowdata, @"able to deserialize db data, %@", error); + [self recentTimeStamp:rowdata[SFAnalyticsEventTime]]; + XCTAssertTrue([rowdata[SFAnalyticsEventType] isKindOfClass:[NSString class]] && [rowdata[SFAnalyticsEventType] isEqualToString:eventType], @"found eventType \"%@\" in db", eventType); + XCTAssertTrue([rowdata[SFAnalyticsEventClassKey] isKindOfClass:[NSNumber class]] && [rowdata[SFAnalyticsEventClassKey] intValue] == class, @"eventClass is %ld", class); + XCTAssertTrue([rowdata[@"build"] isEqualToString:build], @"event row includes build"); + XCTAssertTrue([rowdata[@"product"] isEqualToString:product], @"event row includes product"); +} + +- (void)checkSuccessCountsForEvent:(NSString*)eventType success:(int)success hard:(int)hard soft:(int)soft +{ + PQLResultSet* result = [_db fetch:@"select * from success_count where event_type = %@", eventType]; + XCTAssert([result next]); + XCTAssertTrue([[result stringAtIndex:0] isEqualToString:eventType], @"event name \"%@\", expected \"%@\"", [result stringAtIndex:0], eventType); + XCTAssertEqual([result intAtIndex:1], success, @"correct count of successes: %d / %d", [result intAtIndex:1], success); + XCTAssertEqual([result intAtIndex:2], hard, @"correct count of successes: %d / %d", [result intAtIndex:2], hard); + XCTAssertEqual([result intAtIndex:3], soft, @"correct count of successes: %d / %d", [result intAtIndex:3], soft); + XCTAssertFalse([result next], @"no more than one row returned"); +} + +- (void)checkSamples:(NSArray*)samples name:(NSString*)samplerName totalSamples:(NSUInteger)total accuracy:(double)accuracy +{ + NSUInteger samplescount = 0, targetcount = 0; + NSMutableArray* samplesfound = [NSMutableArray array]; + PQLResultSet* result = [_db fetch:@"select * from samples"]; + while ([result next]) { + ++samplescount; + [self recentTimeStamp:[result 
numberAtIndex:1]]; + if ([[result stringAtIndex:2] isEqual:samplerName]) { + ++targetcount; + [samplesfound addObject:[result numberAtIndex:3]]; + } + } + + XCTAssertEqual([samples count], targetcount); + XCTAssertEqual(samplescount, total); + + [samplesfound sortUsingSelector:@selector(compare:)]; + NSArray* sortedInput = [samples sortedArrayUsingSelector:@selector(compare:)]; + for (NSUInteger idx = 0; idx < [samples count]; ++idx) { + XCTAssertEqualWithAccuracy([samplesfound[idx] doubleValue], [sortedInput[idx] doubleValue], accuracy); + } +} + +- (void)waitForSamplerWork:(double)interval +{ + dispatch_semaphore_t sema = dispatch_semaphore_create(0); + dispatch_after(dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * interval), dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0), ^{ + dispatch_semaphore_signal(sema); + }); + dispatch_semaphore_wait(sema, DISPATCH_TIME_FOREVER); +} + +// MARK: Test administration + ++ (void)setUp +{ + NSError* error; + _path = [NSTemporaryDirectory() stringByAppendingPathComponent:[NSString stringWithFormat:@"%@/", [[NSUUID UUID] UUIDString]]]; + [[NSFileManager defaultManager] createDirectoryAtPath:_path + withIntermediateDirectories:YES + attributes:nil + error:&error]; + // No XCTAssert in class method + if (error) { + NSLog(@"Could not make directory at %@", _path); + } + NSDictionary *version = CFBridgingRelease(_CFCopySystemVersionDictionary()); + if (version) { + build = version[(__bridge NSString *)_kCFSystemVersionBuildVersionKey]; + product = version[(__bridge NSString *)_kCFSystemVersionProductNameKey]; + } else { + NSLog(@"could not get build version/product, tests should fail"); + } +} + +- (void)setUp +{ + [super setUp]; + self.continueAfterFailure = NO; + NSError* error = nil; + _dbpath = [_path stringByAppendingFormat:@"/test_%ld.db", (long)++_testnum]; + NSLog(@"sqlite3 %@", _dbpath); + [UnitTestAnalytics setDatabasePath:_dbpath]; + _analytics = [UnitTestAnalytics logger]; + _db = [PQLConnection new]; + + 
XCTAssertTrue([_db openAtURL:[NSURL URLWithString:_dbpath] sharedCache:NO error:&error]); + XCTAssertNil(error, @"could open db"); + XCTAssertNotNil(_db); +} + +- (void)tearDown +{ + NSError *error = nil; + XCTAssertTrue([_db close:&error], @"could close db"); + XCTAssertNil(error, @"No error from closing db"); + [_analytics removeState]; + [super tearDown]; +} + ++ (void)tearDown +{ + [[NSFileManager defaultManager] removeItemAtPath:_path error:nil]; +} + +// MARK: SFAnalytics Tests + +- (void)testDbIsEmptyAtStartup +{ + [self assertNoEventsAnywhere]; +} + +- (void)testAddingEventsWithNilName +{ + [_analytics logSuccessForEventNamed:nil]; + [self assertNoEventsAnywhere]; + + [_analytics logHardFailureForEventNamed:nil withAttributes:nil]; + [self assertNoEventsAnywhere]; + + [_analytics logSoftFailureForEventNamed:nil withAttributes:nil]; + [self assertNoEventsAnywhere]; + + [_analytics noteEventNamed:nil]; + [self assertNoEventsAnywhere]; +} + +- (void)testLogSuccess +{ + [_analytics logSuccessForEventNamed:@"unittestevent"]; + [self assertNoHardFailures]; + [self assertNoSoftFailures]; + + PQLResultSet* result = [_db fetch:@"select success_count from success_count"]; + XCTAssert([result next], @"a row was found after adding an event"); + XCTAssertEqual([result intAtIndex:0], 1, @"success count is 1 after adding an event"); + XCTAssertFalse([result next], @"only one row found in success_count after inserting a single event"); + result = [_db fetch:@"select * from all_events"]; + [self properEventLogged:result eventType:@"unittestevent" class:SFAnalyticsEventClassSuccess]; +} + +- (void)testLogRecoverableFailure +{ + [_analytics logSoftFailureForEventNamed:@"unittestevent" withAttributes:nil]; + [self assertNoHardFailures]; + + // First check success_count has logged a soft failure + [self checkSuccessCountsForEvent:@"unittestevent" success:0 hard:0 soft:1]; + + // then check soft_failures itself + PQLResultSet* result = [_db fetch:@"select * from soft_failures"]; 
+ [self properEventLogged:result eventType:@"unittestevent" class:SFAnalyticsEventClassSoftFailure]; + + // finally check all_events + result = [_db fetch:@"select * from all_events"]; + [self properEventLogged:result eventType:@"unittestevent" class:SFAnalyticsEventClassSoftFailure]; +} + +- (void)testLogRecoverablyFailureWithAttributes +{ + NSDictionary* attrs = @{@"attr1" : @"value1", @"attr2" : @"value2"}; + [_analytics logSoftFailureForEventNamed:@"unittestevent" withAttributes:attrs]; + [self assertNoHardFailures]; + + [self checkSuccessCountsForEvent:@"unittestevent" success:0 hard:0 soft:1]; + + // then check soft_failures itself + PQLResultSet* result = [_db fetch:@"select * from soft_failures"]; + [self properEventLogged:result eventType:@"unittestevent" class:SFAnalyticsEventClassSoftFailure attributes:attrs]; + + // finally check all_events + result = [_db fetch:@"select * from all_events"]; + [self properEventLogged:result eventType:@"unittestevent" class:SFAnalyticsEventClassSoftFailure attributes:attrs]; +} + +- (void)testLogUnrecoverableFailure +{ + [_analytics logHardFailureForEventNamed:@"unittestevent" withAttributes:nil]; + [self assertNoSoftFailures]; + + // First check success_count has logged a hard failure + [self checkSuccessCountsForEvent:@"unittestevent" success:0 hard:1 soft:0]; + + // then check hard_failures itself + PQLResultSet* result = [_db fetch:@"select * from hard_failures"]; + [self properEventLogged:result eventType:@"unittestevent" class:SFAnalyticsEventClassHardFailure]; + + // finally check all_events + result = [_db fetch:@"select * from all_events"]; + [self properEventLogged:result eventType:@"unittestevent" class:SFAnalyticsEventClassHardFailure]; +} + +- (void)testLogUnrecoverableFailureWithAttributes +{ + NSDictionary* attrs = @{@"attr1" : @"value1", @"attr2" : @"value2"}; + [_analytics logHardFailureForEventNamed:@"unittestevent" withAttributes:attrs]; + [self assertNoSoftFailures]; + + // First check success_count 
has logged a hard failure + [self checkSuccessCountsForEvent:@"unittestevent" success:0 hard:1 soft:0]; + + // then check hard_failures itself + PQLResultSet* result = [_db fetch:@"select * from hard_failures"]; + [self properEventLogged:result eventType:@"unittestevent" class:SFAnalyticsEventClassHardFailure attributes:attrs]; + + // finally check all_events + result = [_db fetch:@"select * from all_events"]; + [self properEventLogged:result eventType:@"unittestevent" class:SFAnalyticsEventClassHardFailure attributes:attrs]; +} + +- (void)testLogSeveralEvents +{ + NSDictionary* attrs = @{@"attr1" : @"value1", @"attr2" : @"value2"}; + int iterations = 100; + for (int idx = 0; idx < iterations; ++idx) { + [_analytics logHardFailureForEventNamed:@"unittesthardfailure" withAttributes:attrs]; + [_analytics logSoftFailureForEventNamed:@"unittestsoftfailure" withAttributes:attrs]; + [_analytics logSuccessForEventNamed:@"unittestsuccess"]; + [_analytics logHardFailureForEventNamed:@"unittestcombined" withAttributes:attrs]; + [_analytics logSoftFailureForEventNamed:@"unittestcombined" withAttributes:attrs]; + [_analytics logSuccessForEventNamed:@"unittestcombined"]; + } + + [self checkSuccessCountsForEvent:@"unittesthardfailure" success:0 hard:iterations soft:0]; + [self checkSuccessCountsForEvent:@"unittestsoftfailure" success:0 hard:0 soft:iterations]; + [self checkSuccessCountsForEvent:@"unittestsuccess" success:iterations hard:0 soft:0]; + [self checkSuccessCountsForEvent:@"unittestcombined" success:iterations hard:iterations soft:iterations]; +} + +- (void)testNoteEvent +{ + [_analytics noteEventNamed:@"unittestevent"]; + [self assertNoSoftFailures]; + [self assertNoHardFailures]; + + // First check success_count has logged a success + [self checkSuccessCountsForEvent:@"unittestevent" success:1 hard:0 soft:0]; + + PQLResultSet* result = [_db fetch:@"select * from all_events"]; + [self properEventLogged:result eventType:@"unittestevent" 
class:SFAnalyticsEventClassNote];
+}
+
+// MARK: SFAnalyticsSampler Tests
+
+- (void)testSamplerSimple
+{
+ NSString* samplerName = [NSString stringWithFormat:@"UnitTestSamplerSimple_%li", (long)_testnum];
+
+ // This block should be set immediately and fire in 1000ms. Give it a little slack in checking though
+ XCTestExpectation* exp = [self expectationWithDescription:@"waiting for sampler to fire"];
+ [_analytics addMetricSamplerForName:samplerName withTimeInterval:1.0f block:^NSNumber *{
+ [exp fulfill];
+ return @15.3;
+ }];
+ [self waitForExpectations:@[exp] timeout:1.2f];
+ [_analytics removeMetricSamplerForName:samplerName];
+
+ // The expectation is fulfilled before returning and after returning some more work needs to happen. Let it settle down.
+ [self waitForSamplerWork:0.2f];
+
+ [self checkSamples:@[@15.3] name:samplerName totalSamples:1 accuracy:0.01f];
+}
+
+// Test state removal mostly
+- (void)testSamplerSimpleLoop
+{
+ [self tearDown];
+ for (int idx = 0; idx < 3; ++idx) {
+ [self setUp];
+ @autoreleasepool {
+ [self testSamplerSimple];
+ }
+ [self tearDown];
+ }
+}
+
+
+- (void)testSamplerDoesNotFirePrematurely
+{
+ NSString* samplerName = [NSString stringWithFormat:@"UnitTestSamplerDoesNotFirePrematurely_%li", (long)_testnum];
+ __block BOOL run = NO;
+ [_analytics addMetricSamplerForName:samplerName withTimeInterval:1.0f block:^NSNumber *{
+ run = YES;
+ return @0.9;
+ }];
+
+ [self waitForSamplerWork:0.5f];
+ XCTAssertFalse(run, @"sample did not fire prematurely");
+ [_analytics removeMetricSamplerForName:samplerName];
+}
+
+- (void)testSamplerRemove
+{
+ NSString* samplerName = [NSString stringWithFormat:@"UnitTestSamplerRemove_%li", (long)_testnum];
+ __block BOOL run = NO;
+ [_analytics addMetricSamplerForName:samplerName withTimeInterval:1.0f block:^NSNumber *{
+ run = YES;
+ return @23.8;
+ }];
+ XCTAssertNotNil([_analytics existingMetricSamplerForName:samplerName], @"SFAnalytics held onto the sampler we setup");
+ [_analytics 
removeMetricSamplerForName:samplerName];
+ XCTAssertNil([_analytics existingMetricSamplerForName:samplerName], @"SFAnalytics got rid of our sampler");
+
+ [self waitForSamplerWork:2.0f];
+ XCTAssertFalse(run, @"sampler did not run after removal");
+}
+
+- (void)testSamplerRepeatedSampling
+{
+ NSString* samplerName = [NSString stringWithFormat:@"UnitTestSamplerRepeatedSampling_%li", (long)_testnum];
+ __block int run = 0;
+ [_analytics addMetricSamplerForName:samplerName withTimeInterval:1.0f block:^NSNumber *{
+ run += 1;
+ return @1.5;
+ }];
+
+ [self waitForSamplerWork:3.5f];
+ [_analytics removeMetricSamplerForName:samplerName];
+ XCTAssertEqual(run, 3, @"sampler ran correct number of times");
+ [self checkSamples:@[@1.5, @1.5, @1.5] name:samplerName totalSamples:3 accuracy:0.01f];
+}
+
+- (void)testSamplerDisable
+{
+ NSString* samplerName = [NSString stringWithFormat:@"UnitTestSamplerDisable_%li", (long)_testnum];
+ __block int run = 0;
+ [_analytics addMetricSamplerForName:samplerName withTimeInterval:1.0f block:^NSNumber *{
+ run += 1;
+ return @44.9;
+ }];
+
+ [[_analytics existingMetricSamplerForName:samplerName] pauseSampling];
+ [self waitForSamplerWork:2.0f];
+ XCTAssertEqual(run, 0, @"sampler did not run while disabled");
+
+ [[_analytics existingMetricSamplerForName:samplerName] resumeSampling];
+ [self waitForSamplerWork:1.3f];
+ XCTAssertEqual(run, 1, @"sampler ran after resuming");
+
+ [self checkSamples:@[@44.9] name:samplerName totalSamples:1 accuracy:0.01f];
+}
+
+- (void)testSamplerWithBadData
+{
+ NSString* samplerName = [NSString stringWithFormat:@"UnitTestSamplerWithBadData_%li", (long)_testnum];
+
+ // bad name
+ XCTAssertNil([_analytics addMetricSamplerForName:nil withTimeInterval:3.0f block:^NSNumber *{
+ return @0.0;
+ }]);
+
+ // bad interval
+ XCTAssertNil([_analytics addMetricSamplerForName:samplerName withTimeInterval:0.0f block:^NSNumber *{
+ return @0.0;
+ }]);
+
+ XCTAssertNil([_analytics addMetricSamplerForName:samplerName 
withTimeInterval:2.0f block:nil]);
+}
+
+- (void)testSamplerOncePerReport
+{
+ NSString* samplerName = [NSString stringWithFormat:@"UnitTestSamplerOncePerReport_%li", (long)_testnum];
+ __block int run = 0;
+ [_analytics addMetricSamplerForName:samplerName withTimeInterval:SFAnalyticsSamplerIntervalOncePerReport block:^NSNumber *{
+ run += 1;
+ return @74.1;
+ }];
+
+ // There's no point in waiting, it could have been set to some arbitrarily long timer instead
+
+ notify_post(SFAnalyticsFireSamplersNotification);
+ [self waitForSamplerWork:0.5f];
+ XCTAssertEqual(run, 1, @"once-per-report sampler fired once in response to notification");
+ [self checkSamples:@[@74.1] name:samplerName totalSamples:1 accuracy:0.01f];
+}
+
+- (void)testSamplerOncePerReportEnsuresSingleSampleInDatabase
+{
+ NSString* samplerName = [NSString stringWithFormat:@"UnitTestSamplerSetTimeInterval_%li", (long)_testnum];
+ [_analytics addMetricSamplerForName:samplerName withTimeInterval:SFAnalyticsSamplerIntervalOncePerReport block:^NSNumber *{
+ return @57.6;
+ }];
+ notify_post(SFAnalyticsFireSamplersNotification);
+ [self waitForSamplerWork:0.5f];
+ notify_post(SFAnalyticsFireSamplersNotification);
+ [self waitForSamplerWork:0.5f];
+ [self checkSamples:@[@57.6] name:samplerName totalSamples:1 accuracy:0.01f];
+}
+
+- (void)testSamplerAddSamplerTwice
+{
+ NSString* samplerName = [NSString stringWithFormat:@"UnitTestSamplerDisable_%li", (long)_testnum];
+ XCTAssertNotNil([_analytics addMetricSamplerForName:samplerName withTimeInterval:3.0f block:^NSNumber *{
+ return @7.7;
+ }], @"adding first sampler works okay");
+
+ XCTAssertNil([_analytics addMetricSamplerForName:samplerName withTimeInterval:3.0f block:^NSNumber *{
+ return @7.8;
+ }], @"adding duplicate sampler did not work");
+}
+
+- (void)testSamplerLogBadSample
+{
+ [_analytics logMetric:nil withName:@"testsampler"];
+ [self checkSamples:@[] name:@"testsampler" totalSamples:0 accuracy:0.01f];
+
+ id badobj = [NSString 
stringWithUTF8String:"yolo!"];
+ [_analytics logMetric:badobj withName:@"testSampler"];
+ [self checkSamples:@[] name:@"testsampler" totalSamples:0 accuracy:0.01f];
+}
+
+- (void)testSamplerSetTimeInterval
+{
+ NSString* samplerName = [NSString stringWithFormat:@"UnitTestSamplerSetTimeInterval_%li", (long)_testnum];
+ __block NSUInteger run = 0;
+
+ [_analytics addMetricSamplerForName:samplerName withTimeInterval:1.0f block:^NSNumber *{
+ ++run;
+ return @23.8;
+ }];
+ [self waitForSamplerWork:1.2f];
+ [_analytics existingMetricSamplerForName:samplerName].samplingInterval = 1.5f;
+ [self waitForSamplerWork:2.5f];
+ XCTAssertEqual(run, 2ul);
+ [self checkSamples:@[@23.8, @23.8] name:samplerName totalSamples:2 accuracy:0.01f];
+}
+
+// MARK: SFAnalyticsMultiSampler Tests
+
+- (void)testMultiSamplerSimple
+{
+ NSString* samplerName = [NSString stringWithFormat:@"UnitTestMultiSamplerSimple_%li", (long)_testnum];
+
+ XCTestExpectation* exp = [self expectationWithDescription:@"waiting for sampler to fire"];
+ [_analytics AddMultiSamplerForName:samplerName withTimeInterval:1.0f block:^NSDictionary *{
+ [exp fulfill];
+ return @{@"val1" : @89.4f, @"val2" : @11.2f};
+ }];
+ [self waitForExpectations:@[exp] timeout:1.3f];
+ [_analytics removeMultiSamplerForName:samplerName];
+
+ // The expectation is fulfilled before returning and after returning some more work needs to happen. Let it settle down. 
+ [self waitForSamplerWork:0.2f];
+
+ [self checkSamples:@[@89.4f] name:@"val1" totalSamples:2 accuracy:0.01f];
+ [self checkSamples:@[@11.2f] name:@"val2" totalSamples:2 accuracy:0.01f];
+}
+
+- (void)testMultiSamplerOncePerReport
+{
+ NSString* samplerName = [NSString stringWithFormat:@"UnitTestMultiSamplerOncePerReport_%li", (long)_testnum];
+ __block int run = 0;
+ [_analytics AddMultiSamplerForName:samplerName withTimeInterval:SFAnalyticsSamplerIntervalOncePerReport block:^NSDictionary *{
+ run += 1;
+ return @{@"val1" : @33.8f, @"val2" : @54.6f};
+ }];
+
+ // There's no point in waiting, it could have been set to some arbitrarily long timer instead
+
+ notify_post(SFAnalyticsFireSamplersNotification);
+ [self waitForSamplerWork:1.0f];
+ XCTAssertEqual(run, 1, @"once-per-report sampler fired once in response to notification");
+ [self checkSamples:@[@33.8f] name:@"val1" totalSamples:2 accuracy:0.01f];
+ [self checkSamples:@[@54.6f] name:@"val2" totalSamples:2 accuracy:0.01f];
+}
+
+- (void)testMultiSamplerSetTimeInterval
+{
+ NSString* samplerName = [NSString stringWithFormat:@"UnitTestMultiSamplerSetTimeInterval_%li", (long)_testnum];
+ __block NSUInteger run = 0;
+ [_analytics AddMultiSamplerForName:samplerName withTimeInterval:1.0f block:^NSDictionary *{
+ ++run;
+ return @{@"val1" : @29.3f, @"val2" : @19.3f};
+ }];
+ [self waitForSamplerWork:1.2f];
+ [_analytics existingMultiSamplerForName:samplerName].samplingInterval = 1.5f;
+ [self waitForSamplerWork:2.5f];
+ XCTAssertEqual(run, 2ul);
+ [self checkSamples:@[@29.3f, @29.3f] name:@"val1" totalSamples:4 accuracy:0.01f];
+ [self checkSamples:@[@19.3f, @19.3f] name:@"val2" totalSamples:4 accuracy:0.01f];
+}
+
+
+// MARK: SFAnalyticsActivityTracker Tests
+
+- (void)testTrackerSimple
+{
+ NSString* trackerName = @"UnitTestTrackerSimple";
+ @autoreleasepool {
+ [_analytics logSystemMetricsForActivityNamed:trackerName withAction:^{
+ [NSThread sleepForTimeInterval:0.3f];
+ }];
+ }
+
+
+ [self 
checkSamples:@[@(0.3f * NSEC_PER_SEC)] name:trackerName totalSamples:1 accuracy:(0.01f * NSEC_PER_SEC)];
+}
+
+- (void)testTrackerMultipleBlocks
+{
+ NSString* trackerName = @"UnitTestTrackerMultipleBlocks";
+ @autoreleasepool {
+ SFAnalyticsActivityTracker* tracker = [_analytics logSystemMetricsForActivityNamed:trackerName withAction:^{
+ [NSThread sleepForTimeInterval:0.3f];
+ }];
+
+ [tracker performAction:^{
+ [NSThread sleepForTimeInterval:0.2f];
+ }];
+ }
+
+ [self checkSamples:@[@(0.5f * NSEC_PER_SEC)] name:trackerName totalSamples:1 accuracy:(0.1f * NSEC_PER_SEC)];
+}
+
+- (void)testTrackerAction
+{
+ NSString* trackerName = @"UnitTestTrackerOneBlock";
+ @autoreleasepool {
+ SFAnalyticsActivityTracker* tracker = [_analytics logSystemMetricsForActivityNamed:trackerName withAction:NULL];
+ [tracker performAction:^{
+ [NSThread sleepForTimeInterval:0.2f];
+ }];
+ }
+
+ [self checkSamples:@[@(0.2f * NSEC_PER_SEC)] name:trackerName totalSamples:1 accuracy:(0.1f * NSEC_PER_SEC)];
+}
+
+- (void)testTrackerStartStop {
+
+ NSString* trackerName = @"UnitTestTrackerStartStop";
+ @autoreleasepool {
+ SFAnalyticsActivityTracker* tracker = [_analytics logSystemMetricsForActivityNamed:trackerName withAction:NULL];
+ [tracker start];
+ [NSThread sleepForTimeInterval:0.2f];
+ [tracker stop];
+ }
+
+ [self checkSamples:@[@(0.2f * NSEC_PER_SEC)] name:trackerName totalSamples:1 accuracy:(0.1f * NSEC_PER_SEC)];
+}
+
+
+
+- (void)testTrackerCancel
+{
+ NSString* trackerName = @"UnitTestTrackerCancel";
+ @autoreleasepool {
+ [[_analytics logSystemMetricsForActivityNamed:trackerName withAction:^{
+ [NSThread sleepForTimeInterval:0.3f];
+ }] cancel];
+ }
+
+ [self assertNoEventsAnywhere];
+}
+
+
+
+- (void)testTrackerBadData
+{
+ // Inspect database to find out it's empty
+ [_analytics logMetric:nil withName:@"fake"];
+ [_analytics logMetric:@3.0 withName:nil];
+
+ // get object back so inspect that, too
+ XCTAssertNil([_analytics logSystemMetricsForActivityNamed:nil 
withAction:^{return;}]);
+
+ [self assertNoEventsAnywhere];
+}
+
+// MARK: Miscellaneous
+
+- (void)testInstantiateBaseClass
+{
+ XCTAssertNil([SFAnalytics logger]);
+}
+
+- (void)testFuzzyDaysSinceDate
+{
+ NSInteger secondsPerDay = 60 * 60 * 24;
+ XCTAssertEqual([SFAnalytics fuzzyDaysSinceDate:[NSDate date]], 0);
+ XCTAssertEqual([SFAnalytics fuzzyDaysSinceDate:[NSDate dateWithTimeIntervalSinceNow:secondsPerDay * -3]], 1);
+ XCTAssertEqual([SFAnalytics fuzzyDaysSinceDate:[NSDate dateWithTimeIntervalSinceNow:secondsPerDay * -18]], 7);
+ XCTAssertEqual([SFAnalytics fuzzyDaysSinceDate:[NSDate dateWithTimeIntervalSinceNow:secondsPerDay * -77]], 30);
+ XCTAssertEqual([SFAnalytics fuzzyDaysSinceDate:[NSDate dateWithTimeIntervalSinceNow:secondsPerDay * -370]], 365);
+ XCTAssertEqual([SFAnalytics fuzzyDaysSinceDate:[NSDate distantPast]], 1000);
+ XCTAssertEqual([SFAnalytics fuzzyDaysSinceDate:nil], -1);
+}
+
+- (void)testRingBuffer {
+ [self assertNoEventsAnywhere];
+ for (unsigned idx = 0; idx < (SFAnalyticsMaxEventsToReport + 50); ++idx) {
+ [_analytics logHardFailureForEventNamed:@"ringbufferevent" withAttributes:nil];
+ }
+
+ PQLResultSet* result = [_db fetch:@"select count(*) from hard_failures"];
+ XCTAssertTrue([result next], @"Got a count from hard_failures");
+ XCTAssertLessThanOrEqual([result unsignedIntAtIndex:0], SFAnalyticsMaxEventsToReport, @"Ring buffer contains a sane number of events");
+
+ // all_events has a much larger buffer so it should handle the extra events okay
+ result = [_db fetch:@"select count(*) from all_events"];
+ XCTAssertTrue([result next], @"Got a count from all_events");
+ XCTAssertLessThanOrEqual([result unsignedIntAtIndex:0], SFAnalyticsMaxEventsToReport + 50);
+}
+
+- (void)testRaceToCreateLoggers
+{
+ dispatch_semaphore_t semaphore = dispatch_semaphore_create(0);
+ for (NSInteger idx = 0; idx < 500; ++idx) {
+ dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
+ UnitTestAnalytics* logger = 
[UnitTestAnalytics logger];
+ [logger logSuccessForEventNamed:@"testevent"];
+ dispatch_semaphore_signal(semaphore);
+ });
+ }
+
+ for (NSInteger idx = 0; idx < 500; ++idx) {
+ dispatch_semaphore_wait(semaphore, DISPATCH_TIME_FOREVER);
+ }
+}
+
+- (void)testDateProperty
+{
+ NSString* propertyKey = @"testDataPropertyKey";
+ XCTAssertNil([_analytics datePropertyForKey:propertyKey]);
+ NSDate* test = [NSDate date];
+ [_analytics setDateProperty:test forKey:propertyKey];
+ NSDate* retrieved = [_analytics datePropertyForKey:propertyKey];
+ XCTAssert(retrieved);
+ // Storing in SQLite as string loses subsecond resolution, so we need some slack
+ XCTAssertEqualWithAccuracy([test timeIntervalSinceDate:retrieved], 0, 1);
+ [_analytics setDateProperty:nil forKey:propertyKey];
+ XCTAssertNil([_analytics datePropertyForKey:propertyKey]);
+}
+
+@end
diff --git a/supd/Tests/SupdTests.m b/supd/Tests/SupdTests.m
new file mode 100644
index 00000000..ed617a7b
--- /dev/null
+++ b/supd/Tests/SupdTests.m 
@@ -0,0 +1,757 @@
+/*
+ * Copyright (c) 2017-2018 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#import
+#import
+#import "supd.h"
+#import "SFAnalytics.h"
+#import "SFAnalyticsDefines.h"
+#import
+
+static NSString* _path;
+static NSInteger _testnum;
+static NSString* build = NULL;
+static NSString* product = NULL;
+static NSInteger _reporterWrites;
+static NSInteger _reporterCleanups;
+
+// MARK: Stub FakeCKKSAnalytics
+
+@interface FakeCKKSAnalytics : SFAnalytics
+
+@end
+
+@implementation FakeCKKSAnalytics
+
++ (NSString*)databasePath
+{
+ return [_path stringByAppendingFormat:@"/ckks_%ld.db", _testnum];
+}
+
+@end
+
+
+// MARK: Stub FakeSOSAnalytics
+
+@interface FakeSOSAnalytics : SFAnalytics
+
+@end
+
+@implementation FakeSOSAnalytics
+
++ (NSString*)databasePath
+{
+ return [_path stringByAppendingFormat:@"/sos_%ld.db", _testnum];
+}
+
+@end
+
+
+// MARK: Stub FakePCSAnalytics
+
+@interface FakePCSAnalytics : SFAnalytics
+
+@end
+
+@implementation FakePCSAnalytics
+
++ (NSString*)databasePath
+{
+ return [_path stringByAppendingFormat:@"/pcs_%ld.db", 
_testnum];
+}
+
+@end
+
+// MARK: Stub FakeTLSAnalytics
+
+@interface FakeTLSAnalytics : SFAnalytics
+
+@end
+
+@implementation FakeTLSAnalytics
+
++ (NSString*)databasePath
+{
+ return [_path stringByAppendingFormat:@"/tls_%ld.db", _testnum];
+}
+
+@end
+
+// MARK: Start SupdTests
+
+@interface SupdTests : XCTestCase
+
+@end
+
+@implementation SupdTests {
+ supd* _supd;
+ id mockReporter;
+ FakeCKKSAnalytics* _ckksAnalytics;
+ FakeSOSAnalytics* _sosAnalytics;
+ FakePCSAnalytics* _pcsAnalytics;
+ FakeTLSAnalytics* _tlsAnalytics;
+}
+
+// MARK: Test helper methods
+- (SFAnalyticsTopic *)keySyncTopic {
+ for (SFAnalyticsTopic *topic in _supd.analyticsTopics) {
+ if ([topic.internalTopicName isEqualToString:SFAnalyticsTopicKeySync]) {
+ return topic;
+ }
+ }
+ return nil;
+}
+
+- (void)inspectDataBlobStructure:(NSDictionary*)data
+{
+ if (!data || ![data isKindOfClass:[NSDictionary class]]) {
+ XCTFail(@"data is an NSDictionary");
+ }
+
+ XCTAssert(_supd.analyticsTopics, @"supd has nonnull topics list");
+ SFAnalyticsTopic *keySyncTopic = [self keySyncTopic];
+ XCTAssert([keySyncTopic splunkTopicName], @"supd has a nonnull topic name");
+ XCTAssertEqual([data count], 2ul, @"dictionary event and posttime objects");
+ XCTAssertTrue(data[@"events"] && [data[@"events"] isKindOfClass:[NSArray class]], @"data blob contains an NSArray 'events'");
+ XCTAssertTrue(data[@"postTime"] && [data[@"postTime"] isKindOfClass:[NSNumber class]], @"data blob contains an NSNumber 'postTime");
+ NSDate* postTime = [NSDate dateWithTimeIntervalSince1970:[data[@"postTime"] doubleValue]];
+ XCTAssertTrue([[NSDate date] timeIntervalSinceDate:postTime] < 3, @"postTime is sane");
+
+ for (NSDictionary* event in data[@"events"]) {
+ if ([event isKindOfClass:[NSDictionary class]]) {
+ XCTAssertTrue([event[@"build"] isEqual:build], @"event contains correct build string");
+ XCTAssertTrue([event[@"product"] isEqual:product], @"event contains correct product string");
+ 
XCTAssertTrue([event[@"eventTime"] isKindOfClass:[NSNumber class]], @"event contains an NSNumber 'eventTime");
+ NSDate* eventTime = [NSDate dateWithTimeIntervalSince1970:[event[@"eventTime"] doubleValue]];
+ XCTAssertTrue([[NSDate date] timeIntervalSinceDate:eventTime] < 3, @"eventTime is sane");
+ XCTAssertTrue([event[@"eventType"] isKindOfClass:[NSString class]], @"all events have a type");
+ XCTAssertTrue([event[@"topic"] isEqual:[keySyncTopic splunkTopicName]], @"all events have a topic name");
+ } else {
+ XCTFail(@"event %@ is an NSDictionary", event);
+ }
+ }
+}
+
+- (BOOL)event:(NSDictionary*)event containsAttributes:(NSDictionary*)attrs {
+ if (!attrs) {
+ return YES;
+ }
+ __block BOOL equal = YES;
+ [attrs enumerateKeysAndObjectsUsingBlock:^(id _Nonnull key, id _Nonnull obj, BOOL * _Nonnull stop) {
+ equal &= [event[key] isEqualToString:obj];
+ }];
+ return equal;
+}
+
+- (int)failures:(NSDictionary*)data eventType:(NSString*)type attributes:(NSDictionary*)attrs class:(SFAnalyticsEventClass)class
+{
+ int encountered = 0;
+ for (NSDictionary* event in data[@"events"]) {
+ if ([event[@"eventType"] isEqualToString:type] &&
+ [event[@"eventClass"] isKindOfClass:[NSNumber class]] &&
+ [event[@"eventClass"] intValue] == class && [self event:event containsAttributes:attrs]) {
+ ++encountered;
+ }
+ }
+ return encountered;
+}
+
+- (void)checkTotalEventCount:(NSDictionary*)data hard:(int)hard soft:(int)soft forcedFail:(BOOL)forcedFail
+{
+ int hardfound = 0, softfound = 0;
+ NSUInteger summfound = 0;
+ for (NSDictionary* event in data[@"events"]) {
+ if ([event[SFAnalyticsEventType] hasSuffix:@"HealthSummary"]) {
+ ++summfound;
+ } else if ([event[SFAnalyticsEventClassKey] integerValue] == SFAnalyticsEventClassHardFailure) {
+ ++hardfound;
+ } else if ([event[SFAnalyticsEventClassKey] integerValue] == SFAnalyticsEventClassSoftFailure) {
+ ++softfound;
+ }
+ }
+
+ XCTAssertLessThanOrEqual(((NSArray*)data[@"events"]).count, 1000ul, @"Total event count fits in 
alloted data");
+ if (!forcedFail) {
+ XCTAssertEqual(summfound, [[[self keySyncTopic] topicClients] count]);
+ }
+ // Add fuzziness, we're not testing exact implementation details
+ XCTAssertEqualWithAccuracy(hardfound, hard, 10);
+ XCTAssertEqualWithAccuracy(softfound, soft, 10);
+}
+
+- (void)checkTotalEventCount:(NSDictionary*)data hard:(int)hard soft:(int)soft
+{
+ [self checkTotalEventCount:data hard:hard soft:soft forcedFail:NO];
+}
+
+// This is a dumb hack, but inlining stringWithFormat causes the compiler to growl for unknown reasons
+- (NSString*)string:(NSString*)name item:(NSString*)item
+{
+ return [NSString stringWithFormat:@"%@-%@", name, item];
+}
+
+- (void)sampleStatisticsInEvents:(NSArray*)events name:(NSString*)name values:(NSArray*)values
+{
+ [self sampleStatisticsInEvents:events name:name values:values amount:1];
+}
+
+// Usually amount == 1 but for testing sampler with same name in different subclasses this is higher
+- (void)sampleStatisticsInEvents:(NSArray*)events name:(NSString*)name values:(NSArray*)values amount:(int)num
+{
+ int found = 0;
+ for (NSDictionary* event in events) {
+ if (([values count] == 1 && ![event objectForKey:[NSString stringWithFormat:@"%@", name]]) ||
+ ([values count] > 1 && ![event objectForKey:[NSString stringWithFormat:@"%@-min", name]])) {
+ continue;
+ }
+
+ ++found;
+ if (values.count == 1) {
+ XCTAssertEqual([event[name] doubleValue], [values[0] doubleValue]);
+ XCTAssertNil(event[[self string:name item:@"min"]]);
+ XCTAssertNil(event[[self string:name item:@"max"]]);
+ XCTAssertNil(event[[self string:name item:@"avg"]]);
+ XCTAssertNil(event[[self string:name item:@"med"]]);
+ } else {
+ XCTAssertEqualWithAccuracy([event[[self string:name item:@"min"]] doubleValue], [values[0] doubleValue], 0.01f);
+ XCTAssertEqualWithAccuracy([event[[self string:name item:@"max"]] doubleValue], [values[1] doubleValue], 0.01f);
+ XCTAssertEqualWithAccuracy([event[[self string:name item:@"avg"]] doubleValue], [values[2] 
doubleValue], 0.01f);
+ XCTAssertEqualWithAccuracy([event[[self string:name item:@"med"]] doubleValue], [values[3] doubleValue], 0.01f);
+ }
+
+ if (values.count > 4) {
+ XCTAssertEqualWithAccuracy([event[[self string:name item:@"dev"]] doubleValue], [values[4] doubleValue], 0.01f);
+ } else {
+ XCTAssertNil(event[[self string:name item:@"dev"]]);
+ }
+
+ if (values.count > 5) {
+ XCTAssertEqualWithAccuracy([event[[self string:name item:@"1q"]] doubleValue], [values[5] doubleValue], 0.01f);
+ XCTAssertEqualWithAccuracy([event[[self string:name item:@"3q"]] doubleValue], [values[6] doubleValue], 0.01f);
+ } else {
+ XCTAssertNil(event[[self string:name item:@"1q"]]);
+ XCTAssertNil(event[[self string:name item:@"3q"]]);
+ }
+ }
+ XCTAssertEqual(found, num);
+}
+
+- (NSDictionary*)getJSONDataFromSupd
+{
+ dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+ __block NSDictionary* data;
+ [_supd getLoggingJSON:YES topic:SFAnalyticsTopicKeySync reply:^(NSData *json, NSError *error) {
+ XCTAssertNil(error);
+ XCTAssertNotNil(json);
+ if (!error) {
+ data = [NSJSONSerialization JSONObjectWithData:json options:0 error:&error];
+ }
+ XCTAssertNil(error, @"no error deserializing json: %@", error);
+ dispatch_semaphore_signal(sema);
+ }];
+ if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 5)) != 0) {
+ XCTFail(@"supd returns JSON data in a timely fashion");
+ }
+ return data;
+}
+
+// MARK: Test administration
+
++ (void)setUp
+{
+ NSError* error;
+ _path = [NSTemporaryDirectory() stringByAppendingPathComponent:[NSString stringWithFormat:@"%@/", [[NSUUID UUID] UUIDString]]];
+ [[NSFileManager defaultManager] createDirectoryAtPath:_path
+ withIntermediateDirectories:YES
+ attributes:nil
+ error:&error];
+ if (error) {
+ NSLog(@"sad trombone, couldn't create path");
+ }
+
+ NSDictionary *version = CFBridgingRelease(_CFCopySystemVersionDictionary());
+ if (version) {
+ build = version[(__bridge NSString *)_kCFSystemVersionBuildVersionKey]; 
+ product = version[(__bridge NSString *)_kCFSystemVersionProductNameKey];
+ } else {
+ NSLog(@"could not get build version/product, tests should fail");
+ }
+}
+
+- (void)setUp
+{
+ [super setUp];
+ self.continueAfterFailure = NO;
+ ++_testnum;
+
+ id mockTopic = OCMStrictClassMock([SFAnalyticsTopic class]);
+ NSString *ckksPath = [_path stringByAppendingFormat:@"/ckks_%ld.db", _testnum];
+ NSString *sosPath = [_path stringByAppendingFormat:@"/sos_%ld.db", _testnum];
+ NSString *pcsPath = [_path stringByAppendingFormat:@"/pcs_%ld.db", _testnum];
+ NSString *tlsPath = [_path stringByAppendingFormat:@"/tls_%ld.db", _testnum];
+ OCMStub([mockTopic databasePathForCKKS]).andReturn(ckksPath);
+ OCMStub([mockTopic databasePathForSOS]).andReturn(sosPath);
+ OCMStub([mockTopic databasePathForPCS]).andReturn(pcsPath);
+ OCMStub([mockTopic databasePathForTLS]).andReturn(tlsPath);
+
+ _reporterWrites = 0;
+ mockReporter = OCMClassMock([SFAnalyticsReporter class]);
+ OCMStub([mockReporter saveReport:[OCMArg isNotNil]]).andDo(^(NSInvocation *invocation) {
+ _reporterWrites++;
+ }).andReturn(YES);
+ OCMStub([mockReporter cleanupReportsDirectory]).andDo(^(NSInvocation *invocation) {
+ _reporterCleanups++;
+ }).andReturn(YES);
+
+ [supd removeInstance];
+ _supd = [[supd alloc] initWithReporter:mockReporter];
+ _ckksAnalytics = [FakeCKKSAnalytics new];
+ _sosAnalytics = [FakeSOSAnalytics new];
+ _pcsAnalytics = [FakePCSAnalytics new];
+ _tlsAnalytics = [FakeTLSAnalytics new];
+ NSLog(@"ckks sqlite3 %@", [FakeCKKSAnalytics databasePath]);
+ NSLog(@"sos sqlite3 %@", [FakeSOSAnalytics databasePath]);
+ NSLog(@"pcs sqlite3 %@", [FakePCSAnalytics databasePath]);
+ NSLog(@"tls sqlite3 %@", [FakeTLSAnalytics databasePath]);
+
+ // Forcibly override analytics flags and enable them by default
+ deviceAnalyticsOverride = YES;
+ deviceAnalyticsEnabled = YES;
+ iCloudAnalyticsOverride = YES;
+ iCloudAnalyticsEnabled = YES;
+}
+
+- (void)tearDown
+{
+
+ [super tearDown];
+}
+
+// MARK: Actual 
tests
+
+// Note! This test relies on Security being installed because supd reads from a plist in Security.framework
+- (void)testSplunkDefaultTopicNameExists
+{
+ XCTAssertNotNil([[self keySyncTopic] splunkTopicName]);
+}
+
+// Note! This test relies on Security being installed because supd reads from a plist in Security.framework
+- (void)testSplunkDefaultBagURLExists
+{
+ XCTAssertNotNil([[self keySyncTopic] splunkBagURL]);
+}
+
+- (void)testLoggingJSONSimple:(BOOL)analyticsEnabled
+{
+ iCloudAnalyticsEnabled = analyticsEnabled;
+
+ [_ckksAnalytics logSuccessForEventNamed:@"ckksunittestevent"];
+ NSDictionary* ckksAttrs = @{@"cattr" : @"cvalue"};
+ [_ckksAnalytics logHardFailureForEventNamed:@"ckksunittestevent" withAttributes:ckksAttrs];
+ [_ckksAnalytics logSoftFailureForEventNamed:@"ckksunittestevent" withAttributes:ckksAttrs];
+ [_sosAnalytics logSuccessForEventNamed:@"unittestevent"];
+ NSDictionary* utAttrs = @{@"uattr" : @"uvalue"};
+ [_sosAnalytics logHardFailureForEventNamed:@"unittestevent" withAttributes:utAttrs];
+ [_sosAnalytics logSoftFailureForEventNamed:@"unittestevent" withAttributes:utAttrs];
+
+ NSDictionary* data = [self getJSONDataFromSupd];
+ [self inspectDataBlobStructure:data];
+
+ // TODO: inspect health summaries
+
+ if (analyticsEnabled) {
+ XCTAssertEqual([self failures:data eventType:@"ckksunittestevent" attributes:ckksAttrs class:SFAnalyticsEventClassHardFailure], 1);
+ XCTAssertEqual([self failures:data eventType:@"ckksunittestevent" attributes:ckksAttrs class:SFAnalyticsEventClassSoftFailure], 1);
+ XCTAssertEqual([self failures:data eventType:@"unittestevent" attributes:utAttrs class:SFAnalyticsEventClassHardFailure], 1);
+ XCTAssertEqual([self failures:data eventType:@"unittestevent" attributes:utAttrs class:SFAnalyticsEventClassSoftFailure], 1);
+
+ [self checkTotalEventCount:data hard:2 soft:2];
+ } else {
+ [self checkTotalEventCount:data hard:0 soft:0 forcedFail:YES];
+ }
+}
+
+- 
(void)testLoggingJSONSimpleWithiCloudAnalyticsEnabled
+{
+ [self testLoggingJSONSimple:YES];
+}
+
+- (void)testLoggingJSONSimpleWithiCloudAnalyticsDisabled
+{
+ [self testLoggingJSONSimple:NO];
+}
+
+- (void)testTLSLoggingJSONSimple:(BOOL)analyticsEnabled
+{
+ deviceAnalyticsEnabled = analyticsEnabled;
+
+ [_tlsAnalytics logSuccessForEventNamed:@"tlsunittestevent"];
+ NSDictionary* tlsAttrs = @{@"cattr" : @"cvalue"};
+ [_tlsAnalytics logHardFailureForEventNamed:@"tlsunittestevent" withAttributes:tlsAttrs];
+ [_tlsAnalytics logSoftFailureForEventNamed:@"tlsunittestevent" withAttributes:tlsAttrs];
+
+ NSDictionary* data = [self getJSONDataFromSupd];
+ [self inspectDataBlobStructure:data];
+
+ if (analyticsEnabled) {
+ [self checkTotalEventCount:data hard:1 soft:1];
+ } else {
+ [self checkTotalEventCount:data hard:0 soft:0 forcedFail:YES];
+ }
+}
+
+- (void)testTLSLoggingJSONSimpleWithDeviceAnalyticsEnabled
+{
+ [self testTLSLoggingJSONSimple:YES];
+}
+
+- (void)testTLSLoggingJSONSimpleWithDeviceAnalyticsDisabled
+{
+ [self testTLSLoggingJSONSimple:NO];
+}
+
+- (void)testMockDiagnosticReportGeneration
+{
+ SFAnalyticsReporter *reporter = mockReporter;
+
+ uint8_t report_data[] = {0x00, 0x01, 0x02, 0x03};
+ NSData *reportData = [[NSData alloc] initWithBytes:report_data length:sizeof(report_data)];
+ BOOL writtenToLog = YES;
+ size_t numWrites = 5;
+ for (size_t i = 0; i < numWrites; i++) {
+ writtenToLog &= [reporter saveReport:reportData];
+ }
+
+ XCTAssertTrue(writtenToLog, "Failed to write to log");
+ XCTAssertTrue((int)_reporterWrites == (int)numWrites, "Expected %zu report, got %d", numWrites, (int)_reporterWrites);
+}
+
+- (void)testMockDiagnosticReportCleanup
+{
+ SFAnalyticsReporter *reporter = mockReporter;
+
+ // Write the log
+ uint8_t report_data[] = {0x00, 0x01, 0x02, 0x03};
+ NSData *reportData = [[NSData alloc] initWithBytes:report_data length:sizeof(report_data)];
+ BOOL writtenToLog = YES;
+ size_t numWrites = 5;
+ for (size_t i = 0; i < numWrites; 
i++) {
+ writtenToLog &= [reporter saveReport:reportData];
+ }
+
+ XCTAssertTrue(writtenToLog, "Failed to write to log");
+ XCTAssertTrue((int)_reporterWrites == (int)numWrites, "Expected %zu report, got %d", numWrites, (int)_reporterWrites);
+
+ // Now clean up...
+ [reporter cleanupReportsDirectory];
+ XCTAssertTrue((int)_reporterCleanups == 1, "Expected %d report, got %d", 1, (int)_reporterCleanups);
+}
+
+- (void)testFakeDiagnosticReportGeneration
+{
+ CFUUIDRef uuid = CFUUIDCreate(NULL);
+ CFStringRef uuidString = CFUUIDCreateString(NULL, uuid);
+ CFRelease(uuid);
+ NSString *temporaryDirectory = [NSString stringWithFormat:@"%@%@", @"/tmp/", (__bridge NSString *)uuidString];
+
+ NSTimeInterval validityInterval = 2;
+ SFAnalyticsReporter *reporter = [[SFAnalyticsReporter alloc] initWithPath:temporaryDirectory validity:validityInterval];
+ [reporter setupReportsDirectory];
+
+ // Write the log
+ uint8_t report_data[] = {0x00, 0x01, 0x02, 0x03};
+ NSData *reportData = [[NSData alloc] initWithBytes:report_data length:sizeof(report_data)];
+ BOOL writtenToLog = YES;
+ size_t numWrites = 1;
+ for (size_t i = 0; i < numWrites; i++) {
+ writtenToLog &= [reporter saveReport:reportData];
+ }
+
+ // Ensure the right number of reports is generated
+ XCTAssertTrue(writtenToLog, "Failed to write to log");
+ NSArray *directoryContent = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:[reporter reportsDirectoryPath] error:nil];
+ size_t reportCount = [directoryContent count];
+ XCTAssertTrue(reportCount == numWrites);
+
+ // Ensure the count stays even after cleanup, as they are not stale
+ [reporter cleanupReportsDirectory];
+ directoryContent = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:[reporter reportsDirectoryPath] error:nil];
+ reportCount = [directoryContent count];
+ XCTAssertTrue(reportCount == numWrites);
+
+ // Sleep for twice the validity interval
+ sleep(validityInterval * 2);
+
+ // Cleanup stale reports. 
We expect everything to be gone at this point. + [reporter cleanupReportsDirectory]; + directoryContent = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:[reporter reportsDirectoryPath] error:nil]; + reportCount = [directoryContent count]; + XCTAssertTrue(reportCount == 0); +} + +- (void)testSuccessCounts +{ + NSString* eventName1 = @"successCountsEvent1"; + NSString* eventName2 = @"successCountsEvent2"; + + for (int idx = 0; idx < 3; ++idx) { + [_ckksAnalytics logSuccessForEventNamed:eventName1]; + [_ckksAnalytics logSuccessForEventNamed:eventName2]; + [_ckksAnalytics logHardFailureForEventNamed:eventName1 withAttributes:nil]; + [_ckksAnalytics logSoftFailureForEventNamed:eventName2 withAttributes:nil]; + } + [_ckksAnalytics logSuccessForEventNamed:eventName2]; + + NSDictionary* data = [self getJSONDataFromSupd]; + [self inspectDataBlobStructure:data]; + + NSDictionary* hs; + for (NSDictionary* event in data[@"events"]) { + if ([event[SFAnalyticsEventType] isEqual:@"ckksHealthSummary"]) { + hs = event; + break; + } + } + XCTAssert(hs); + + XCTAssertEqual([hs[SFAnalyticsColumnSuccessCount] integerValue], 7); + XCTAssertEqual([hs[SFAnalyticsColumnHardFailureCount] integerValue], 3); + XCTAssertEqual([hs[SFAnalyticsColumnSoftFailureCount] integerValue], 3); + XCTAssertEqual([hs[[self string:eventName1 item:@"success"]] integerValue], 3); + XCTAssertEqual([hs[[self string:eventName1 item:@"hardfail"]] integerValue], 3); + XCTAssertEqual([hs[[self string:eventName1 item:@"softfail"]] integerValue], 0); + XCTAssertEqual([hs[[self string:eventName2 item:@"success"]] integerValue], 4); + XCTAssertEqual([hs[[self string:eventName2 item:@"hardfail"]] integerValue], 0); + XCTAssertEqual([hs[[self string:eventName2 item:@"softfail"]] integerValue], 3); +} + +// There was a failure with thresholds if some, but not all clients exceeded their 'threshold' number of failures, +// causing the addFailures:toUploadRecords:threshold method to crash with out of bounds. 
+// This is also implicitly tested in testTooManyHardFailures and testTooManyCombinedFailures but I wanted an explicit case. +- (void)testExceedThresholdForOneClientOnly +{ + int testAmount = ((int)SFAnalyticsMaxEventsToReport / 4); + for (int idx = 0; idx < testAmount; ++idx) { + [_ckksAnalytics logHardFailureForEventNamed:@"ckkshardfail" withAttributes:nil]; + [_ckksAnalytics logSoftFailureForEventNamed:@"ckkssoftfail" withAttributes:nil]; + } + + [_sosAnalytics logHardFailureForEventNamed:@"soshardfail" withAttributes:nil]; + [_sosAnalytics logSoftFailureForEventNamed:@"sossoftfail" withAttributes:nil]; + + NSDictionary* data = [self getJSONDataFromSupd]; + [self inspectDataBlobStructure:data]; + + [self checkTotalEventCount:data hard:testAmount + 1 soft:testAmount + 1]; + + XCTAssertEqual([self failures:data eventType:@"ckkshardfail" attributes:nil class:SFAnalyticsEventClassHardFailure], testAmount); + XCTAssertEqual([self failures:data eventType:@"ckkssoftfail" attributes:nil class:SFAnalyticsEventClassSoftFailure], testAmount); + XCTAssertEqual([self failures:data eventType:@"soshardfail" attributes:nil class:SFAnalyticsEventClassHardFailure], 1); + XCTAssertEqual([self failures:data eventType:@"sossoftfail" attributes:nil class:SFAnalyticsEventClassSoftFailure], 1); +} + + +// We have so many hard failures they won't fit in the upload buffer +- (void)testTooManyHardFailures +{ + NSDictionary* ckksAttrs = @{@"cattr" : @"cvalue"}; + NSDictionary* utAttrs = @{@"uattr" : @"uvalue"}; + for (int idx = 0; idx < 400; ++idx) { + [_ckksAnalytics logHardFailureForEventNamed:@"ckksunittestfailure" withAttributes:ckksAttrs]; + [_ckksAnalytics logHardFailureForEventNamed:@"ckksunittestfailure" withAttributes:ckksAttrs]; + [_sosAnalytics logHardFailureForEventNamed:@"utunittestfailure" withAttributes:utAttrs]; + } + + NSDictionary* data = [self getJSONDataFromSupd]; + [self inspectDataBlobStructure:data]; + + [self checkTotalEventCount:data hard:998 soft:0]; + // Based on 
threshold = records_to_upload/10 with a nice margin + XCTAssertEqualWithAccuracy([self failures:data eventType:@"ckksunittestfailure" attributes:ckksAttrs class:SFAnalyticsEventClassHardFailure], 658, 50); + XCTAssertEqualWithAccuracy([self failures:data eventType:@"utunittestfailure" attributes:utAttrs class:SFAnalyticsEventClassHardFailure], 339, 50); +} + +// So many soft failures they won't fit in the buffer +- (void)testTooManySoftFailures +{ + NSDictionary* ckksAttrs = @{@"cattr" : @"cvalue"}; + NSDictionary* utAttrs = @{@"uattr" : @"uvalue"}; + for (int idx = 0; idx < 400; ++idx) { + [_ckksAnalytics logSoftFailureForEventNamed:@"ckksunittestfailure" withAttributes:ckksAttrs]; + [_ckksAnalytics logSoftFailureForEventNamed:@"ckksunittestfailure" withAttributes:ckksAttrs]; + [_sosAnalytics logSoftFailureForEventNamed:@"utunittestfailure" withAttributes:utAttrs]; + } + + NSDictionary* data = [self getJSONDataFromSupd]; + [self inspectDataBlobStructure:data]; + + [self checkTotalEventCount:data hard:0 soft:998]; + // Based on threshold = records_to_upload/10 with a nice margin + XCTAssertEqualWithAccuracy([self failures:data eventType:@"ckksunittestfailure" attributes:ckksAttrs class:SFAnalyticsEventClassSoftFailure], 665, 50); + XCTAssertEqualWithAccuracy([self failures:data eventType:@"utunittestfailure" attributes:utAttrs class:SFAnalyticsEventClassSoftFailure], 332, 50); +} + +- (void)testTooManyCombinedFailures +{ + NSDictionary* ckksAttrs = @{@"cattr1" : @"cvalue1", @"cattrthatisalotlongerthanthepreviousone" : @"cvaluethatisalsoalotlongerthantheother"}; + NSDictionary* utAttrs = @{@"uattr" : @"uvalue", @"uattrthatisalotlongerthanthepreviousone" : @"uvaluethatisalsoalotlongerthantheother"}; + for (int idx = 0; idx < 400; ++idx) { + [_ckksAnalytics logHardFailureForEventNamed:@"ckksunittestfailure" withAttributes:ckksAttrs]; + [_ckksAnalytics logSoftFailureForEventNamed:@"ckksunittestfailure" withAttributes:ckksAttrs]; + [_sosAnalytics 
logHardFailureForEventNamed:@"utunittestfailure" withAttributes:utAttrs]; + [_sosAnalytics logSoftFailureForEventNamed:@"utunittestfailure" withAttributes:utAttrs]; + } + + NSDictionary* data = [self getJSONDataFromSupd]; + [self inspectDataBlobStructure:data]; + + [self checkTotalEventCount:data hard:800 soft:198]; + // Based on threshold = records_to_upload/10 with a nice margin + XCTAssertEqualWithAccuracy([self failures:data eventType:@"ckksunittestfailure" attributes:ckksAttrs class:SFAnalyticsEventClassHardFailure], 400, 50); + XCTAssertEqualWithAccuracy([self failures:data eventType:@"utunittestfailure" attributes:utAttrs class:SFAnalyticsEventClassHardFailure], 400, 50); + XCTAssertEqualWithAccuracy([self failures:data eventType:@"ckksunittestfailure" attributes:ckksAttrs class:SFAnalyticsEventClassSoftFailure], 100, 50); + XCTAssertEqualWithAccuracy([self failures:data eventType:@"utunittestfailure" attributes:utAttrs class:SFAnalyticsEventClassSoftFailure], 100, 50); +} + +// There's an even number of samples +- (void)testSamplesEvenSampleCount +{ + NSString* sampleNameEven = @"evenSample"; + + for (NSNumber* value in @[@36.831855250339714, @90.78721762172914, @49.24392301762506, + @42.806362283260036, @16.76725375576855, @34.50969130579674, + @25.956509180834637, @36.8268555935645, @35.54069258036879, + @7.26364884595062, @45.414180770615395, @5.223213570809022]) { + [_ckksAnalytics logMetric:value withName:sampleNameEven]; + } + + NSDictionary* data = [self getJSONDataFromSupd]; + [self inspectDataBlobStructure:data]; + + // min, max, avg, med, dev, 1q, 3q + [self checkTotalEventCount:data hard:0 soft:0]; + [self sampleStatisticsInEvents:data[@"events"] name:sampleNameEven values:@[@5.22, @90.78, @35.60, @36.18, @21.52, @21.36, @44.11]]; +} + +// There are 4*n + 1 samples +- (void)testSamples4n1SampleCount +{ + NSString* sampleName4n1 = @"4n1Sample"; + for (NSNumber* value in @[@37.76544251068022, @27.36378948426223, @45.10503077614114, + 
@43.90635413191473, @54.78709742040113, @52.34879597889124, + @70.95760312196856, @23.23648158872921, @75.34678687445064, + @10.723238854026203, @41.98468801166455, @17.074404554908476, + @94.24252031232739]) { + [_ckksAnalytics logMetric:value withName:sampleName4n1]; + } + + NSDictionary* data = [self getJSONDataFromSupd]; + [self inspectDataBlobStructure:data]; + + [self checkTotalEventCount:data hard:0 soft:0]; + [self sampleStatisticsInEvents:data[@"events"] name:sampleName4n1 values:@[@10.72, @94.24, @45.76, @43.90, @23.14, @26.33, @58.83]]; +} + +// There are 4*n + 3 samples +- (void)testSamples4n3SampleCount +{ + NSString* sampleName4n3 = @"4n3Sample"; + + for (NSNumber* value in @[@42.012971885655496, @87.85629592375282, @5.748491212287082, + @38.451850063872975, @81.96900109690873, @99.83098790545392, + @80.89400981437815, @5.719237885152143, @1.6740622555032196, + @14.437000556079038, @29.046050177512395]) { + [_sosAnalytics logMetric:value withName:sampleName4n3]; + } + + NSDictionary* data = [self getJSONDataFromSupd]; + [self inspectDataBlobStructure:data]; + [self checkTotalEventCount:data hard:0 soft:0]; + + [self sampleStatisticsInEvents:data[@"events"] name:sampleName4n3 values:@[@1.67, @99.83, @44.33, @38.45, @35.28, @7.92, @81.70]]; +} + +// stddev and quartiles undefined for single sample +- (void)testSamplesSingleSample +{ + NSString* sampleName = @"singleSample"; + + [_ckksAnalytics logMetric:@3.14159 withName:sampleName]; + + NSDictionary* data = [self getJSONDataFromSupd]; + [self inspectDataBlobStructure:data]; + [self checkTotalEventCount:data hard:0 soft:0]; + + [self sampleStatisticsInEvents:data[@"events"] name:sampleName values:@[@3.14159]]; +} + +// quartiles meaningless for fewer than 4 samples (but stddev exists) +- (void)testSamplesFewerThanFour +{ + NSString* sampleName = @"fewSamples"; + + [_ckksAnalytics logMetric:@3.14159 withName:sampleName]; + [_ckksAnalytics logMetric:@6.28318 withName:sampleName]; + + NSDictionary* data = 
[self getJSONDataFromSupd];
+ [self inspectDataBlobStructure:data];
+ [self checkTotalEventCount:data hard:0 soft:0];
+
+ [self sampleStatisticsInEvents:data[@"events"] name:sampleName values:@[@3.14, @6.28, @4.71, @4.71, @1.57]];
+}
+
+- (void)testSamplesSameNameDifferentSubclass
+{
+ NSString* sampleName = @"differentSubclassSamples";
+
+ [_sosAnalytics logMetric:@313.37 withName:sampleName];
+ [_ckksAnalytics logMetric:@313.37 withName:sampleName];
+
+ NSDictionary* data = [self getJSONDataFromSupd];
+ [self inspectDataBlobStructure:data];
+ [self checkTotalEventCount:data hard:0 soft:0];
+
+ [self sampleStatisticsInEvents:data[@"events"] name:sampleName values:@[@313.37] amount:2];
+}
+
+
+
+// TODO
+- (void)testGetSysdiagnoseDump
+{
+
+}
+
+// TODO (need mock server)
+- (void)testSplunkUpload
+{
+
+}
+
+// TODO (need mock server)
+- (void)testDBIsEmptiedAfterUpload
+{
+
+}
+
+@end
diff --git a/supd/main.m b/supd/main.m
new file mode 100644
index 00000000..a8f7b24e
--- /dev/null
+++ b/supd/main.m
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2017 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#import
+#import "supd.h"
+#include "debugging.h"
+#import
+#include
+
+@interface ServiceDelegate : NSObject
+@end
+
+@implementation ServiceDelegate
+
+- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
+ NSNumber *num = [newConnection valueForEntitlement:@"com.apple.private.securityuploadd"];
+ if (![num isKindOfClass:[NSNumber class]] || ![num boolValue]) {
+ secerror("xpc: Client (pid: %d) doesn't have entitlement", [newConnection processIdentifier]);
+ return NO;
+ } else {
+ secinfo("xpc", "Client (pid: %d) properly entitled, let's go", [newConnection processIdentifier]);
+ }
+
+ newConnection.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(supdProtocol)];
+ supd *exportedObject = [supd instance];
+ newConnection.exportedObject = exportedObject;
+ [newConnection resume];
+ return YES;
+}
+
+@end
+
+int main(int argc, const char *argv[])
+{
+ secnotice("lifecycle", "supd lives!");
+ ServiceDelegate *delegate = [ServiceDelegate new];
+
+ // kick the singleton so it can register its xpc activity handler
+ [supd instantiate];
+
+ NSXPCListener *listener = [[NSXPCListener alloc] initWithMachServiceName:@"com.apple.securityuploadd"];
+ listener.delegate = delegate;
+
+ // We're always launched in response to client activity and don't want to sit around idle.
+ dispatch_after(dispatch_time(DISPATCH_TIME_NOW, 5ull * NSEC_PER_SEC), dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
+ secnotice("lifecycle", "will exit when clean");
+ xpc_transaction_exit_clean();
+ });
+
+ [listener resume];
+ [[NSRunLoop currentRunLoop] run];
+ return 0;
+}
diff --git a/supd/securityuploadd-Entitlements.plist b/supd/securityuploadd-Entitlements.plist
new file mode 100644
index 00000000..d8708bea
--- /dev/null
+++ b/supd/securityuploadd-Entitlements.plist
@@ -0,0 +1,18 @@
+
+
+
+
+ com.apple.accounts.appleaccount.fullaccess
+
+ com.apple.authkit.client.private
+
+ com.apple.private.accounts.allaccounts
+
+ com.apple.private.ckks
+
+ seatbelt-profiles
+
+ securityuploadd
+
+
+
diff --git a/supd/securityuploadd-ios.plist b/supd/securityuploadd-ios.plist
new file mode 100644
index 00000000..b84a889d
--- /dev/null
+++ b/supd/securityuploadd-ios.plist
@@ -0,0 +1,48 @@
+
+
+
+
+ ProcessType
+ Adaptive
+ Label
+ com.apple.securityuploadd
+ UserName
+ _securityd
+ GroupName
+ wheel
+ EnablePressuredExit
+
+ ProgramArguments
+
+ /usr/libexec/securityuploadd
+
+ MachServices
+
+ com.apple.securityuploadd
+
+
+ LaunchEvents
+
+ com.apple.xpc.activity
+
+ com.apple.securityuploadd.triggerupload
+
+ Priority
+ Maintenance
+ PowerNap
+
+ AllowBattery
+
+ Interval
+ 43200
+ GracePeriod
+ 21600
+ RequireInexpensiveNetworkConnectivity
+
+ NetworkTransferDirection
+ Bidirectional
+
+
+
+
+
diff --git a/supd/securityuploadd-osx.plist b/supd/securityuploadd-osx.plist
new file mode 100644
index 00000000..6bff9bae
--- /dev/null
+++ b/supd/securityuploadd-osx.plist
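Review bot: The entitlement check in `listener:shouldAcceptNewConnection:` is the only gate visible in front of the exported `supd` singleton, and nothing in main.m says so. Once it passes, every method of `supdProtocol` is callable by any process holding `com.apple.private.securityuploadd`; whether supd.m adds per-method checks is not visible in this hunk. A comment above the check such as `// Sole access control for supdProtocol: every exported method trusts the caller once this passes.` would tell the next maintainer that new protocol methods inherit that trust. As a smaller style point, the `else` after `return NO;` is redundant and the `secinfo` call can sit at function level.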
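Review bot: The entitlement set in securityuploadd-Entitlements.plist looks broader than the code visible in this commit needs. It requests both `com.apple.private.accounts.allaccounts` and `com.apple.accounts.appleaccount.fullaccess`, while the account code visible in supd.m only reads the primary Apple account's altDSID and fetches one configuration key. The man page added here describes this daemon as the one split out to hold network access, so each account or `com.apple.private.ckks` entitlement it carries sits in the network-facing process. Each key should carry a comment naming the call that requires it, e.g. `<!-- com.apple.private.ckks: <caller that needs it> -->`, and keys without a caller should be dropped; the rest of supd.m is outside this view, so the need may be established there.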
@@ -0,0 +1,46 @@
+
+
+
+
+ ProcessType
+ Adaptive
+ Label
+ com.apple.securityuploadd
+ EnableTransactions
+
+ EnablePressuredExit
+
+ ProgramArguments
+
+ /usr/libexec/securityuploadd
+
+ MachServices
+
+ com.apple.securityuploadd
+
+
+ LaunchEvents
+
+ com.apple.xpc.activity
+
+ com.apple.securityuploadd.triggerupload
+
+ Priority
+ Maintenance
+ PowerNap
+
+ AllowBattery
+
+ Interval
+ 43200
+ GracePeriod
+ 21600
+ RequireInexpensiveNetworkConnectivity
+
+ NetworkTransferDirection
+ Bidirectional
+
+
+
+
+
diff --git a/supd/securityuploadd.8 b/supd/securityuploadd.8
new file mode 100644
index 00000000..d46e270c
--- /dev/null
+++ b/supd/securityuploadd.8
@@ -0,0 +1,9 @@
+.Dd October 10, 2017
+.Dt securityuploadd 8
+.Os
+.Sh NAME
+.Nm securityuploadd
+.Nd Keychain Metrics Uploader
+.Sh DESCRIPTION
+.Nm
+Lightweight on-demand daemon to upload keychain and keychain syncing metrics. Split out from the main keychain daemons for security reasons: we do not wish to give our daemons access to the network.
diff --git a/supd/supd.h b/supd/supd.h
new file mode 100644
index 00000000..478dbc81
--- /dev/null
+++ b/supd/supd.h
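Review bot: The macOS launchd plist sets no `UserName` or `GroupName`, whereas the iOS plist in this commit runs the same binary as `_securityd`. A comment in supd.m also states that securityuploadd is not sandboxed on macOS, so if this job is installed as a system daemon (the install location is not visible here) the network-facing uploader would run under launchd's default identity with no sandbox. Consider adding `<key>UserName</key>` with `<string>_securityd</string>` as on iOS, provided that account can write `/var/db/SecurityFrameworkAnalytics/`, or state in a plist comment why the default identity is required.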
@@ -0,0 +1,82 @@
+/*
+ * Copyright (c) 2017 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#import
+#import "supdProtocol.h"
+
+@interface SFAnalyticsClient: NSObject
+@property (nonatomic) NSString* storePath;
+@property (nonatomic) NSString* name;
+@property (atomic) BOOL requireDeviceAnalytics;
+@property (atomic) BOOL requireiCloudAnalytics;
+@end
+
+@interface SFAnalyticsTopic : NSObject
+@property NSString* splunkTopicName;
+@property NSURL* splunkBagURL;
+@property NSString *internalTopicName;
+
+@property NSArray *topicClients;
+
+// --------------------------------
+// Things below are for unit testing
++ (NSString*)databasePathForCKKS;
++ (NSString*)databasePathForSOS;
++ (NSString*)databasePathForPCS;
++ (NSString*)databasePathForTLS;
+@end
+
+@interface SFAnalyticsReporter : NSObject
+- (NSString *)databaseDirectoryPath;
+- (NSString *)reportsDirectoryPath;
+- (id)init;
+- (id)initWithPath:(NSString *)path validity:(NSTimeInterval)validity;
+- (BOOL)removeFilesFrom:(NSString *)directory olderThanSecond:(NSTimeInterval)seconds;
+- (BOOL)setupReportsDirectory;
+- (BOOL)cleanupReportsDirectory;
+- (BOOL)saveReport:(NSData *)reportData;
+
+@property NSString *databasePath;
+@property NSTimeInterval reportValidityPeriod;
+@end
+
+@interface supd : NSObject
++ (instancetype)instance;
++ (void)removeInstance;
++ (void)instantiate;
+- (instancetype)initWithReporter:(SFAnalyticsReporter *)reporter;
+
+// --------------------------------
+// Things below are for unit testing
+@property (readonly) dispatch_queue_t queue;
+@property (readonly) NSArray* analyticsTopics;
+@property (readonly) SFAnalyticsReporter *reporter;
+- (void)sendNotificationForOncePerReportSamplers;
+@end
+
+// --------------------------------
+// Things below are for unit testing
+extern BOOL deviceAnalyticsOverride;
+extern BOOL deviceAnalyticsEnabled;
+extern BOOL iCloudAnalyticsOverride;
+extern BOOL iCloudAnalyticsEnabled;
diff --git a/supd/supd.m b/supd/supd.m
new file mode 100644
index 00000000..b053f5c0
--- /dev/null
+++ b/supd/supd.m
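Review bot: The four `extern BOOL` globals at the end of supd.h (`deviceAnalyticsOverride`, `deviceAnalyticsEnabled`, `iCloudAnalyticsOverride`, `iCloudAnalyticsEnabled`) are test hooks declared in the daemon's main header. The supd.m hunk in this commit defines them unconditionally and lets them short-circuit `_isDeviceAnalyticsEnabled` and `_isiCloudAnalyticsEnabled`. Because a set override replaces the user's analytics opt-in state with a test value, the hooks are better kept out of release builds. Move the declarations to a test-only header, or wrap declaration and definition in a test-build guard such as `#if SUPD_UNIT_TESTS` (placeholder macro name). The "for unit testing" properties on `supd` and the `databasePathFor…` class methods could move with them, though those do not affect consent.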
@@ -0,0 +1,1499 @@ +/* + * Copyright (c) 2017-2018 Apple Inc. All Rights Reserved. + * + * @APPLE_LICENSE_HEADER_START@ + * + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this + * file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, + * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. + * + * @APPLE_LICENSE_HEADER_END@ + */ + +#import "supd.h" +#import "SFAnalyticsDefines.h" +#import "SFAnalyticsSQLiteStore.h" +#import "SFAnalytics.h" + +#include +#import "utilities/debugging.h" +#import +#import +#include +#import "keychain/ckks/CKKSControl.h" +#import + +#import +#import +#import + +#if TARGET_OS_OSX +#include "dirhelper_priv.h" +#import +#import +#import +#import +#import +#import +#import +#import +#else // TARGET_OS_OSX +#import +#import +#import +#import +#if TARGET_OS_EMBEDDED +#import +#import +#endif // TARGET_OS_EMBEDDED +#endif // TARGET_OS_OSX + +NSString* const SFAnalyticsSplunkTopic = @"topic"; +NSString* const SFAnalyticsSplunkPostTime = @"postTime"; +NSString* const SFAnalyticsClientId = @"clientId"; +NSString* const SFAnalyticsInternal = @"internal"; + +NSString* const SFAnalyticsMetricsBase = @"metricsBase"; +NSString* const SFAnalyticsDeviceID = @"ckdeviceID"; + +NSString* const SFAnalyticsSecondsCustomerKey = @"SecondsBetweenUploadsCustomer"; +NSString* const 
SFAnalyticsSecondsInternalKey = @"SecondsBetweenUploadsInternal"; +NSString* const SFAnalyticsMaxEventsKey = @"NumberOfEvents"; +NSString* const SFAnalyticsDevicePercentageCustomerKey = @"DevicePercentageCustomer"; +NSString* const SFAnalyticsDevicePercentageInternalKey = @"DevicePercentageInternal"; + +#define SFANALYTICS_SPLUNK_DEV 0 + +#if SFANALYTICS_SPLUNK_DEV +NSUInteger const secondsBetweenUploadsCustomer = 10; +NSUInteger const secondsBetweenUploadsInternal = 10; +#else // SFANALYTICS_SPLUNK_DEV +NSUInteger const secondsBetweenUploadsCustomer = (3 * (60 * 60 * 24)); +NSUInteger const secondsBetweenUploadsInternal = (60 * 60 * 24); +#endif // SFANALYTICS_SPLUNK_DEV + +#if TARGET_OS_OSX +static NSString * const _SFAnalyticsDatabasePath = @"/var/db/SecurityFrameworkAnalytics/"; +#else // TARGET_OS_OSX +static NSString * const _SFAnalyticsDatabasePath = nil; +#endif // TARGET_OS_OSX + +@implementation SFAnalyticsReporter +- (NSString *)databaseDirectoryPath +{ + return _databasePath; +} + +- (NSString *)reportsDirectoryPath +{ + static NSString *_SFAnalyticsReportsDirectoryPath = nil; + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + if ([self databaseDirectoryPath]) { + _SFAnalyticsReportsDirectoryPath = [NSString stringWithFormat:@"%@%@", [self databaseDirectoryPath], @"Reports"]; + } + }); + return _SFAnalyticsReportsDirectoryPath; +} + +- (id)initWithPath:(NSString *)path validity:(NSTimeInterval)validity +{ + if (self = [super init]) { + _databasePath = path; + _reportValidityPeriod = validity; + } + return self; +} + +- (id)init +{ + return [self initWithPath:_SFAnalyticsDatabasePath validity:(secondsBetweenUploadsCustomer * 2)]; +} + +- (BOOL)setupReportsDirectory +{ + NSString *databaseDirectoryPath = [self databaseDirectoryPath]; + NSString *reportsDirectoryPath = [self reportsDirectoryPath]; + if (!(databaseDirectoryPath != nil && reportsDirectoryPath != nil)) { + return NO; + } + + // Note: securityuploadd is not sandboxed on 
macOS, so we can operate in the system reports directory at will. + __block BOOL result = YES; + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + // Create database directory if needed + NSFileManager *fm = [NSFileManager defaultManager]; + NSError *err = nil; + BOOL ok = [fm createDirectoryAtPath:databaseDirectoryPath + withIntermediateDirectories:YES + attributes:nil + error:&err]; + if (ok) { + // Create reports directory if needed + ok = [fm createDirectoryAtPath:reportsDirectoryPath + withIntermediateDirectories:YES + attributes:nil + error:&err]; + if (!ok) { + secerror("Reports directory creation failed with %@", err); + result = NO; + } + + } else { + secerror("Database directory creation failed with %@", err); + result = NO; + } + }); + return result; +} + +- (BOOL)removeFilesFrom:(NSString *)directory + olderThanSecond:(NSTimeInterval)seconds +{ + NSDate *olderThanSecond = [NSDate dateWithTimeIntervalSinceNow:-seconds]; + + NSFileManager *fm = [NSFileManager defaultManager]; + NSDirectoryEnumerator *dirEnum = [fm enumeratorAtPath:directory]; + NSString *fileName; + int64_t totalSize = 0; + while (fileName = [dirEnum nextObject]) { + NSString *filePath = [NSString stringWithFormat:@"%@/%@", directory, fileName]; + BOOL isDir; + if ([fm fileExistsAtPath:filePath isDirectory:&isDir]) { + if (isDir) { + // Do not remove sub-directories and their contents + [dirEnum skipDescendents]; + } else { + NSDate *creationDate = [[fm attributesOfItemAtPath:filePath error:nil] fileCreationDate]; + BOOL isOlder = ([creationDate compare:olderThanSecond] == NSOrderedAscending); + if (isOlder) { + totalSize += [[[NSFileManager defaultManager] attributesOfItemAtPath:filePath error:nil] fileSize]; + [fm removeItemAtPath:filePath error:nil]; + } + } + } + } + return YES; +} + +- (BOOL)cleanupReportsDirectory +{ + NSString *reportsDirectoryPath = [self reportsDirectoryPath]; + if (reportsDirectoryPath != nil) { + @autoreleasepool { + [self 
removeFilesFrom:reportsDirectoryPath olderThanSecond:_reportValidityPeriod]; + } + return YES; + } + return NO; +} + +- (NSString *)createReportFilename +{ +#if TARGET_OS_OSX + NSDictionary *problemReport = nil; + // We do not have our own CrashReporter key, so we make our own. This causes the default report extension to be ".diag". + // See: https://clownfish.apple.com/index.php?action=search_cached&path=CrashReporterSupport%2FCrashReporterSupport.c&version=CrashCatcher-938.3&project=CrashCatcher&q=&language=all&index=LoboElk + problemReport = @{ + (__bridge NSString *)kCRProblemReportProblemTypeKey : @"supd", + (__bridge NSString *)kCRProblemReportAppNameKey : @"securityuploadd", + (__bridge NSString *)kCRProblemReportDescriptionKey : @"analytics", + (__bridge NSString *)kCRProblemReportNoUserUUIDKey : @YES, + (__bridge NSString *)kCRProblemReportRoutingKey : @"anon", + (__bridge NSString *)kCRProblemReportSubroutingKey : @"security_uploadd", + }; + + CFURLRef outputPathURL = NULL; + +#pragma clang diagnostic push +#pragma clang diagnostic ignored "-Wdeprecated-declarations" + // TODO: Use Need a variant of OSAWriteLogForSubmission() that returns pathname for the log file + CRStatusCode status = CRSaveProblemReport((__bridge CFDictionaryRef)problemReport, &outputPathURL); +#pragma clang diagnostic pop + + NSString *outputpath = [(__bridge NSURL *)outputPathURL path]; + return outputpath; +#else + return @"temporary_path.supd"; +#endif // TARGET_OS_OSX +} + +- (BOOL)saveReport:(NSData *)reportData +{ + @autoreleasepool { + NSString *reportFileName = [self createReportFilename]; + if (reportFileName != nil) { + NSURL *path = [NSURL URLWithString:[self reportsDirectoryPath]]; + if (path != nil) { + NSURL *absoluteReportName = [path URLByAppendingPathComponent:reportFileName]; + [[NSFileManager defaultManager] createFileAtPath:[absoluteReportName absoluteString] contents:reportData attributes:nil]; + return YES; + } + } + } + return NO; +} +@end + +#define 
DEFAULT_SPLUNK_MAX_EVENTS_TO_REPORT 1000 + +#define DEFAULT_SPLUNK_DEVICE_PERCENTAGE 100 + +static supd *_supdInstance = nil; + +BOOL deviceAnalyticsOverride = NO; +BOOL deviceAnalyticsEnabled = NO; +BOOL iCloudAnalyticsOverride = NO; +BOOL iCloudAnalyticsEnabled = NO; + +static BOOL +_isDeviceAnalyticsEnabled(void) +{ + // This flag is only set during tests. + if (deviceAnalyticsOverride) { + return deviceAnalyticsEnabled; + } + + static BOOL dataCollectionEnabled = NO; + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ +#if TARGET_OS_EMBEDDED + dataCollectionEnabled = DiagnosticLogSubmissionEnabled(); +#elif TARGET_OS_OSX + dataCollectionEnabled = CRIsAutoSubmitEnabled(); +#endif + }); + return dataCollectionEnabled; +} + +static NSString *const kAnalyticsiCloudIdMSKey = @"com.apple.idms.config.privacy.icloud.data"; + +#if TARGET_OS_IPHONE +static NSDictionary * +_getiCloudConfigurationInfoWithError(NSError **outError) +{ + __block NSDictionary *outConfigurationInfo = nil; + __block NSError *localError = nil; + + ACAccountStore *accountStore = [[ACAccountStore alloc] init]; + ACAccount *primaryAccount = [accountStore aa_primaryAppleAccount]; + if (primaryAccount != nil) { + NSString *altDSID = [primaryAccount aa_altDSID]; + secnotice("_getiCloudConfigurationInfoWithError", "Fetching configuration info"); + + dispatch_semaphore_t sema = dispatch_semaphore_create(0); + AKAppleIDAuthenticationController *authController = [AKAppleIDAuthenticationController new]; + [authController configurationInfoWithIdentifiers:@[kAnalyticsiCloudIdMSKey] + forAltDSID:altDSID + completion:^(NSDictionary> *configurationInfo, NSError *error) { + if (error) { + secerror("_getiCloudConfigurationInfoWithError: Error fetching configurationInfo: %@", error); + localError = error; + } else if (![configurationInfo isKindOfClass:[NSDictionary class]]) { + secerror("_getiCloudConfigurationInfoWithError: configurationInfo dict was not a dict, it was a %{public}@", 
[configurationInfo class]); + localError = error; + configurationInfo = nil; + } else { + secnotice("_getiCloudConfigurationInfoWithError", "fetched configurationInfo %@", configurationInfo); + outConfigurationInfo = configurationInfo; + } + dispatch_semaphore_signal(sema); + }]; + dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, (uint64_t)(5 * NSEC_PER_SEC))); + } else { + secerror("_getiCloudConfigurationInfoWithError: Failed to fetch primary account info."); + } + + if (localError && outError) { + *outError = localError; + } + return outConfigurationInfo; +} +#endif // TARGET_OS_IPHONE + +#if TARGET_OS_OSX +static NSString * +_iCloudAccount(void) +{ + return CFBridgingRelease(MMLCopyLoggedInAccount()); +} + +static NSString * +_altDSIDFromAccount(void) +{ + static CFStringRef kMMPropertyAccountAlternateDSID = CFSTR("AccountAlternateDSID"); + NSString *account = _iCloudAccount(); + if (account != nil) { + return CFBridgingRelease(MMLAccountCopyProperty((__bridge CFStringRef)account, kMMPropertyAccountAlternateDSID)); + } + secerror("_altDSIDFromAccount: failed to fetch iCloud account"); + return nil; +} +#endif // TARGET_OS_OSX + +static BOOL +_isiCloudAnalyticsEnabled() +{ + // This flag is only set during tests. + if (iCloudAnalyticsOverride) { + return iCloudAnalyticsEnabled; + } + + static bool cachedAllowsICloudAnalytics = false; + +#if TARGET_OS_OSX + static dispatch_once_t onceToken; + dispatch_once(&onceToken, ^{ + /* AOSAccounts is not mastered into the BaseSystem. Check that those classes are linked at runtime and abort if not. */ + if (![AKAppleIDAuthenticationController class]) { + secnotice("OTATrust", "Weak-linked AOSAccounts framework missing. 
Are we running in the base system?"); + return; + } + + NSString *currentAltDSID = _altDSIDFromAccount(); + if (currentAltDSID != nil) { + AKAppleIDAuthenticationController *authController = [AKAppleIDAuthenticationController new]; + __block bool allowsICloudAnalytics = false; + dispatch_semaphore_t sem = dispatch_semaphore_create(0); + secnotice("isiCloudAnalyticsEnabled", "fetching iCloud Analytics value from idms"); + [authController configurationInfoWithIdentifiers:@[kAnalyticsiCloudIdMSKey] + forAltDSID:currentAltDSID + completion:^(NSDictionary *configurationInfo, NSError *error) { + if (!error && configurationInfo) { + NSNumber *value = configurationInfo[kAnalyticsiCloudIdMSKey]; + if (value != nil) { + secnotice("_isiCloudAnalyticsEnabled", "authController:configurationInfoWithIdentifiers completed with no error and configuration information"); + allowsICloudAnalytics = [value boolValue]; + } else { + secerror("%s: no iCloud Analytics value found in IDMS", __FUNCTION__); + } + } else { + secerror("%s: Unable to fetch iCloud Analytics value from IDMS.", __FUNCTION__); + } + secnotice("_isiCloudAnalyticsEnabled", "authController:configurationInfoWithIdentifiers completed and returning"); + dispatch_semaphore_signal(sem); + }]; + // Wait 5 seconds before giving up and returning from the block. 
+ dispatch_semaphore_wait(sem, dispatch_time(DISPATCH_TIME_NOW, (uint64_t)(5 * NSEC_PER_SEC)));
+ cachedAllowsICloudAnalytics = allowsICloudAnalytics;
+ } else {
+ secerror("_isiCloudAnalyticsEnabled: Failed to fetch alternate DSID");
+ }
+ });
+#else // TARGET_OS_OSX
+ static dispatch_once_t onceToken;
+ dispatch_once(&onceToken, ^{
+ NSError *error = nil;
+ NSDictionary *accountConfiguration = _getiCloudConfigurationInfoWithError(&error);
+ if (error == nil && accountConfiguration != nil) {
+ id iCloudAnalyticsOptIn = accountConfiguration[kAnalyticsiCloudIdMSKey];
+ if (iCloudAnalyticsOptIn != nil) {
+ BOOL iCloudAnalyticsOptInHasCorrectType = ([iCloudAnalyticsOptIn isKindOfClass:[NSNumber class]] || [iCloudAnalyticsOptIn isKindOfClass:[NSString class]]);
+ if (iCloudAnalyticsOptInHasCorrectType) {
+ NSNumber *iCloudAnalyticsOptInNumber = @([iCloudAnalyticsOptIn integerValue]);
+ cachedAllowsICloudAnalytics = ![iCloudAnalyticsOptInNumber isEqualToNumber:[NSNumber numberWithInteger:0]];
+ }
+ }
+ } else if (error != nil) {
+ secerror("_isiCloudAnalyticsEnabled: %@", error);
+ }
+ });
+#endif // TARGET_OS_OSX
+
+ return cachedAllowsICloudAnalytics;
+}
+
+/* NSData GZip category based on GeoKit's implementation */
+@interface NSData (GZip)
+- (NSData *)supd_gzipDeflate;
+@end
+
+#define GZIP_OFFSET 16
+#define GZIP_STRIDE_LEN 16384
+
+@implementation NSData (Gzip)
+- (NSData *)supd_gzipDeflate
+{
+ if ([self length] == 0) {
+ return self;
+ }
+
+ z_stream strm;
+ memset(&strm, 0, sizeof(strm));
+ strm.next_in=(uint8_t *)[self bytes];
+ strm.avail_in = (unsigned int)[self length];
+
+
+ if (Z_OK != deflateInit2(&strm, Z_BEST_COMPRESSION, Z_DEFLATED,
+ MAX_WBITS + GZIP_OFFSET, MAX_MEM_LEVEL, Z_DEFAULT_STRATEGY)) {
+ return nil;
+ }
+
+ NSMutableData *compressed = [NSMutableData dataWithLength:GZIP_STRIDE_LEN];
+
+ do {
+ if (strm.total_out >= [compressed length]) {
+ [compressed increaseLengthBy: 16384];
+ }
+
+ strm.next_out = [compressed mutableBytes] + strm.total_out;
+ strm.avail_out = (int)[compressed length] - (int)strm.total_out;
+
+ deflate(&strm, Z_FINISH);
+
+ } while (strm.avail_out == 0);
+
+ deflateEnd(&strm);
+
+ [compressed setLength: strm.total_out];
+ if (strm.avail_in == 0) {
+ return [NSData dataWithData:compressed];
+ } else {
+ return nil;
+ }
+}
+@end
+
+@implementation SFAnalyticsClient {
+ NSString* _path;
+ NSString* _name;
+ BOOL _requireDeviceAnalytics;
+ BOOL _requireiCloudAnalytics;
+}
+
+@synthesize storePath = _path;
+@synthesize name = _name;
+
+- (instancetype)initWithStorePath:(NSString*)path name:(NSString*)name
+ deviceAnalytics:(BOOL)deviceAnalytics iCloudAnalytics:(BOOL)iCloudAnalytics {
+ if (self = [super init]) {
+ _path = path;
+ _name = name;
+ _requireDeviceAnalytics = deviceAnalytics;
+ _requireiCloudAnalytics = iCloudAnalytics;
+ }
+ return self;
+}
+
+@end
+
+@interface SFAnalyticsTopic ()
+@property NSURL* _splunkUploadURL;
+
+@property BOOL allowInsecureSplunkCert;
+@property BOOL ignoreServersMessagesTellingUsToGoAway;
+@property BOOL disableUploads;
+@property BOOL disableClientId;
+
+@property NSUInteger secondsBetweenUploads;
+@property NSUInteger maxEventsToReport;
+@property float devicePercentage; // for sampling reporting devices
+
+@property NSDictionary* metricsBase; // data the server provides and wants us to send back
+@property NSArray* blacklistedFields;
+@property NSArray* blacklistedEvents;
+@end
+
+@implementation SFAnalyticsTopic
+- (void)setupClientsForTopic:(NSString *)topicName
+{
+ NSMutableArray* clients = [NSMutableArray new];
+ if ([topicName isEqualToString:SFAnalyticsTopicKeySync]) {
+ [clients addObject:[[SFAnalyticsClient alloc] initWithStorePath:[self.class databasePathForCKKS]
+ name:@"ckks" deviceAnalytics:NO iCloudAnalytics:YES]];
+ [clients addObject:[[SFAnalyticsClient alloc] initWithStorePath:[self.class databasePathForSOS]
+ name:@"sos" deviceAnalytics:NO iCloudAnalytics:YES]];
+ [clients addObject:[[SFAnalyticsClient alloc] initWithStorePath:[self.class databasePathForPCS]
+ name:@"pcs" deviceAnalytics:NO iCloudAnalytics:YES]];
+ } else if ([topicName isEqualToString:SFAnaltyicsTopicTrust]) {
+#if TARGET_OS_OSX
+ _set_user_dir_suffix("com.apple.trustd"); // supd needs to read trustd's cache dir for these
+#endif
+ [clients addObject:[[SFAnalyticsClient alloc] initWithStorePath:[self.class databasePathForTrust]
+ name:@"trust" deviceAnalytics:YES iCloudAnalytics:NO]];
+ [clients addObject:[[SFAnalyticsClient alloc] initWithStorePath:[self.class databasePathForTrustdHealth]
+ name:@"trustdHealth" deviceAnalytics:YES iCloudAnalytics:NO]];
+ [clients addObject:[[SFAnalyticsClient alloc] initWithStorePath:[self.class databasePathForTLS]
+ name:@"tls" deviceAnalytics:YES iCloudAnalytics:NO]];
+#if TARGET_OS_OSX
+ _set_user_dir_suffix(NULL); // set back to the default cache dir
+#endif
+ }
+
+ _topicClients = clients;
+}
+
+- (instancetype)initWithDictionary:(NSDictionary *)dictionary name:(NSString *)topicName samplingRates:(NSDictionary *)rates {
+ if (self = [super init]) {
+ _internalTopicName = topicName;
+ [self setupClientsForTopic:topicName];
+ _splunkTopicName = dictionary[@"splunk_topic"];
+ __splunkUploadURL = [NSURL URLWithString:dictionary[@"splunk_uploadURL"]];
+ _splunkBagURL = [NSURL URLWithString:dictionary[@"splunk_bagURL"]];
+ _allowInsecureSplunkCert = [[dictionary valueForKey:@"splunk_allowInsecureCertificate"] boolValue];
+ NSString* splunkEndpoint = dictionary[@"splunk_endpointDomain"];
+ if (dictionary[@"disableClientId"]) {
+ _disableClientId = YES;
+ }
+
+ NSUserDefaults* defaults = [[NSUserDefaults alloc] initWithSuiteName:SFAnalyticsUserDefaultsSuite];
+ NSString* userDefaultsSplunkTopic = [defaults stringForKey:@"splunk_topic"];
+ if (userDefaultsSplunkTopic) {
+ _splunkTopicName = userDefaultsSplunkTopic;
+ }
+
+ NSURL* userDefaultsSplunkUploadURL = [NSURL URLWithString:[defaults stringForKey:@"splunk_uploadURL"]];
+ if (userDefaultsSplunkUploadURL) {
+ __splunkUploadURL = userDefaultsSplunkUploadURL;
+ }
+
+ NSURL* userDefaultsSplunkBagURL = [NSURL URLWithString:[defaults stringForKey:@"splunk_bagURL"]];
+ if (userDefaultsSplunkBagURL) {
+ _splunkBagURL = userDefaultsSplunkBagURL;
+ }
+
+ BOOL userDefaultsAllowInsecureSplunkCert = [defaults boolForKey:@"splunk_allowInsecureCertificate"];
+ _allowInsecureSplunkCert |= userDefaultsAllowInsecureSplunkCert;
+
+ NSString* userDefaultsSplunkEndpoint = [defaults stringForKey:@"splunk_endpointDomain"];
+ if (userDefaultsSplunkEndpoint) {
+ splunkEndpoint = userDefaultsSplunkEndpoint;
+ }
+
+#if SFANALYTICS_SPLUNK_DEV
+ _secondsBetweenUploads = secondsBetweenUploadsInternal;
+ _maxEventsToReport = SFAnalyticsMaxEventsToReport;
+ _devicePercentage = DEFAULT_SPLUNK_DEVICE_PERCENTAGE;
+#else
+ bool internal = os_variant_has_internal_diagnostics("com.apple.security");
+ if (rates) {
+ NSNumber *secondsNum = internal ? rates[SFAnalyticsSecondsInternalKey] : rates[SFAnalyticsSecondsCustomerKey];
+ _secondsBetweenUploads = [secondsNum integerValue];
+ _maxEventsToReport = [rates[SFAnalyticsMaxEventsKey] unsignedIntegerValue];
+ NSNumber *percentageNum = internal ? rates[SFAnalyticsDevicePercentageInternalKey] : rates[SFAnalyticsDevicePercentageCustomerKey];
+ _devicePercentage = [percentageNum floatValue];
+ } else {
+ _secondsBetweenUploads = internal ? secondsBetweenUploadsInternal : secondsBetweenUploadsCustomer;
+ _maxEventsToReport = SFAnalyticsMaxEventsToReport;
+ _devicePercentage = DEFAULT_SPLUNK_DEVICE_PERCENTAGE;
+ }
+#endif
+ secnotice("supd", "created %@ with %lu seconds between uploads, %lu max events, %f percent of uploads",
+ _internalTopicName, (unsigned long)_secondsBetweenUploads, (unsigned long)_maxEventsToReport, _devicePercentage);
+
+#if SFANALYTICS_SPLUNK_DEV
+ _ignoreServersMessagesTellingUsToGoAway = YES;
+
+ if (!_splunkUploadURL && splunkEndpoint) {
+ NSString* urlString = [NSString stringWithFormat:@"https://%@/report/2/%@", splunkEndpoint, _splunkTopicName];
+ _splunkUploadURL = [NSURL URLWithString:urlString];
+ }
+#else
+ (void)splunkEndpoint;
+#endif
+ }
+ return self;
+}
+
+- (BOOL)isSampledUpload
+{
+ uint32_t sample = arc4random();
+ if ((double)_devicePercentage < ((double)1 / UINT32_MAX) * 100) {
+ /* Requested percentage is smaller than we can sample. just do 1 out of UINT32_MAX */
+ if (sample == 0) {
+ return YES;
+ }
+ } else {
+ if ((double)sample <= (double)UINT32_MAX * ((double)_devicePercentage / 100)) {
+ return YES;
+ }
+ }
+ return NO;
+}
+
+- (BOOL)postJSON:(NSData*)json toEndpoint:(NSURL*)endpoint error:(NSError**)error
+{
+ if (!endpoint) {
+ if (error) {
+ NSString *description = [NSString stringWithFormat:@"No endpoint for %@", _internalTopicName];
+ *error = [NSError errorWithDomain:@"SupdUploadErrorDomain"
+ code:-10
+ userInfo:@{NSLocalizedDescriptionKey : description}];
+ }
+ return false;
+ }
+ /*
+ * Create the NSURLSession
+ * We use the ephemeral session config because we don't need cookies or cache
+ */
+ NSURLSessionConfiguration *configuration = [NSURLSessionConfiguration ephemeralSessionConfiguration];
+
+ configuration.HTTPAdditionalHeaders = @{ @"User-Agent" : [NSString stringWithFormat:@"securityd/%s", SECURITY_BUILD_VERSION]};
+
+ NSURLSession* postSession = [NSURLSession sessionWithConfiguration:configuration
+ delegate:self
+ delegateQueue:nil];
+
+ NSMutableURLRequest* postRequest = [[NSMutableURLRequest alloc] init];
+ postRequest.URL = endpoint;
+ postRequest.HTTPMethod = @"POST";
+ postRequest.HTTPBody = [json supd_gzipDeflate];
+ [postRequest setValue:@"gzip" forHTTPHeaderField:@"Content-Encoding"];
+
+ /*
+ * Create the upload task.
+ */
+ dispatch_semaphore_t sem = dispatch_semaphore_create(0);
+ __block BOOL uploadSuccess = NO;
+ NSURLSessionDataTask* uploadTask = [postSession dataTaskWithRequest:postRequest
+ completionHandler:^(NSData * _Nullable __unused data, NSURLResponse * _Nullable response, NSError * _Nullable requestError) {
+ if (requestError) {
+ secerror("Error in uploading the events to splunk for %@: %@", self->_internalTopicName, requestError);
+ } else if (![response isKindOfClass:NSHTTPURLResponse.class]){
+ Class class = response.class;
+ secerror("Received the wrong kind of response for %@: %@", self->_internalTopicName, NSStringFromClass(class));
+ } else {
+ NSHTTPURLResponse* httpResponse = (NSHTTPURLResponse*)response;
+ if(httpResponse.statusCode >= 200 && httpResponse.statusCode < 300) {
+ /* Success */
+ uploadSuccess = YES;
+ secnotice("upload", "Splunk upload success for %@", self->_internalTopicName);
+ } else {
+ secnotice("upload", "Splunk upload for %@ unexpected status to URL: %@ -- status: %d",
+ self->_internalTopicName, endpoint, (int)(httpResponse.statusCode));
+ }
+ }
+ dispatch_semaphore_signal(sem);
+ }];
+ secnotice("upload", "Splunk upload start for %@", self->_internalTopicName);
+ [uploadTask resume];
+ dispatch_semaphore_wait(sem, dispatch_time(DISPATCH_TIME_NOW, (uint64_t)(5 * 60 * NSEC_PER_SEC)));
+ return uploadSuccess;
+}
+
+- (BOOL)eventIsBlacklisted:(NSMutableDictionary*)event {
+ return _blacklistedEvents ? [_blacklistedEvents containsObject:event[SFAnalyticsEventType]] : NO;
+}
+
+- (void)removeBlacklistedFieldsFromEvent:(NSMutableDictionary*)event {
+ for (NSString* badField in self->_blacklistedFields) {
+ [event removeObjectForKey:badField];
+ }
+}
+
+- (void)addRequiredFieldsToEvent:(NSMutableDictionary*)event {
+ [_metricsBase enumerateKeysAndObjectsUsingBlock:^(id _Nonnull key, id _Nonnull obj, BOOL * _Nonnull stop) {
+ if (!event[key]) {
+ event[key] = obj;
+ }
+ }];
+}
+
+- (BOOL)prepareEventForUpload:(NSMutableDictionary*)event {
+ if ([self eventIsBlacklisted:event]) {
+ return NO;
+ }
+
+ [self removeBlacklistedFieldsFromEvent:event];
+ [self addRequiredFieldsToEvent:event];
+ if (_disableClientId) {
+ event[SFAnalyticsClientId] = @(0);
+ }
+ event[SFAnalyticsSplunkTopic] = self->_splunkTopicName ?: [NSNull null];
+ return YES;
+}
+
+- (void)addFailures:(NSMutableArray*)failures toUploadRecords:(NSMutableArray*)records threshold:(NSUInteger)threshold
+{
+ // The first 0 through 'threshold' items are getting uploaded in any case (which might be 0 for lower priority data)
+
+ for (NSArray* client in failures) {
+ [client enumerateObjectsUsingBlock:^(id _Nonnull obj, NSUInteger idx, BOOL * _Nonnull stop) {
+ if (idx >= threshold) {
+ *stop = YES;
+ return;
+ }
+ if ([self prepareEventForUpload:obj]) {
+ [records addObject:obj];
+ }
+ }];
+ }
+
+ // Are there more items than we shoved into the upload records?
+ NSInteger excessItems = 0;
+ for (NSArray* client in failures) {
+ NSInteger localExcess = client.count - threshold;
+ excessItems += localExcess > 0 ? localExcess : 0;
+ }
+
+ // Then, if we have space and items left, apply a scaling factor to distribute events across clients to fill upload buffer
+ if (records.count < _maxEventsToReport && excessItems > 0) {
+ double scale = (_maxEventsToReport - records.count) / (double)excessItems;
+ if (scale > 1) {
+ scale = 1;
+ }
+
+ for (NSArray* client in failures) {
+ if (client.count > threshold) {
+ NSRange range = NSMakeRange(threshold, (client.count - threshold) * scale);
+ NSArray* sub = [client subarrayWithRange:range];
+ [sub enumerateObjectsUsingBlock:^(id _Nonnull obj, NSUInteger idx, BOOL * _Nonnull stop) {
+ if ([self prepareEventForUpload:obj]) {
+ [records addObject:obj];
+ }
+ }];
+ }
+ }
+ }
+}
+
+- (NSMutableDictionary*)sampleStatisticsForSamples:(NSArray*)samples withName:(NSString*)name
+{
+ NSMutableDictionary* statistics = [NSMutableDictionary dictionary];
+ NSUInteger count = samples.count;
+ NSArray* sortedSamples = [samples sortedArrayUsingSelector:@selector(compare:)];
+ NSArray* samplesAsExpressionArray = @[[NSExpression expressionForConstantValue:sortedSamples]];
+
+ if (count == 1) {
+ statistics[name] = samples[0];
+ } else {
+ // NSExpression takes population standard deviation. Our data is a sample of whatever we sampled over time,
+ // but the difference between the two is fairly minor (divide by N before taking sqrt versus divide by N-1).
+ statistics[[NSString stringWithFormat:@"%@-dev", name]] = [[NSExpression expressionForFunction:@"stddev:" arguments:samplesAsExpressionArray] expressionValueWithObject:nil context:nil];
+
+ statistics[[NSString stringWithFormat:@"%@-min", name]] = [[NSExpression expressionForFunction:@"min:" arguments:samplesAsExpressionArray] expressionValueWithObject:nil context:nil];
+ statistics[[NSString stringWithFormat:@"%@-max", name]] = [[NSExpression expressionForFunction:@"max:" arguments:samplesAsExpressionArray] expressionValueWithObject:nil context:nil];
+ statistics[[NSString stringWithFormat:@"%@-avg", name]] = [[NSExpression expressionForFunction:@"average:" arguments:samplesAsExpressionArray] expressionValueWithObject:nil context:nil];
+ statistics[[NSString stringWithFormat:@"%@-med", name]] = [[NSExpression expressionForFunction:@"median:" arguments:samplesAsExpressionArray] expressionValueWithObject:nil context:nil];
+ }
+
+ if (count > 3) {
+ NSString* q1 = [NSString stringWithFormat:@"%@-1q", name];
+ NSString* q3 = [NSString stringWithFormat:@"%@-3q", name];
+ // From Wikipedia, which is never wrong
+ if (count % 2 == 0) {
+ // The lower quartile value is the median of the lower half of the data. The upper quartile value is the median of the upper half of the data.
+ statistics[q1] = [[NSExpression expressionForFunction:@"median:" arguments:@[[NSExpression expressionForConstantValue:[sortedSamples subarrayWithRange:NSMakeRange(0, count / 2)]]]] expressionValueWithObject:nil context:nil];
+ statistics[q3] = [[NSExpression expressionForFunction:@"median:" arguments:@[[NSExpression expressionForConstantValue:[sortedSamples subarrayWithRange:NSMakeRange((count / 2), count / 2)]]]] expressionValueWithObject:nil context:nil];
+ } else if (count % 4 == 1) {
+ // If there are (4n+1) data points, then the lower quartile is 25% of the nth data value plus 75% of the (n+1)th data value;
+ // the upper quartile is 75% of the (3n+1)th data point plus 25% of the (3n+2)th data point.
+ // (offset n by -1 since we count from 0)
+ NSUInteger n = count / 4;
+ statistics[q1] = @(([sortedSamples[n - 1] doubleValue] + [sortedSamples[n] doubleValue] * 3.0) / 4.0);
+ statistics[q3] = @(([sortedSamples[(3 * n)] doubleValue] * 3.0 + [sortedSamples[(3 * n) + 1] doubleValue]) / 4.0);
+ } else if (count % 4 == 3){
+ // If there are (4n+3) data points, then the lower quartile is 75% of the (n+1)th data value plus 25% of the (n+2)th data value;
+ // the upper quartile is 25% of the (3n+2)th data point plus 75% of the (3n+3)th data point.
+ // (offset n by -1 since we count from 0)
+ NSUInteger n = count / 4;
+ statistics[q1] = @(([sortedSamples[n] doubleValue] * 3.0 + [sortedSamples[n + 1] doubleValue]) / 4.0);
+ statistics[q3] = @(([sortedSamples[(3 * n) + 1] doubleValue] + [sortedSamples[(3 * n) + 2] doubleValue] * 3.0) / 4.0);
+ }
+ }
+
+ return statistics;
+}
+
+- (NSMutableDictionary*)healthSummaryWithName:(NSString*)name store:(SFAnalyticsSQLiteStore*)store
+{
+ __block NSMutableDictionary* summary = [NSMutableDictionary new];
+
+ // Add some events of our own before pulling in data
+ summary[SFAnalyticsEventType] = [NSString stringWithFormat:@"%@HealthSummary", name];
+ if ([self eventIsBlacklisted:summary]) {
+ return nil;
+ }
+ summary[SFAnalyticsEventTime] = @([[NSDate date] timeIntervalSince1970] * 1000); // Splunk wants milliseconds
+ [SFAnalytics addOSVersionToEvent:summary];
+
+ // Process counters
+ NSDictionary* successCounts = store.summaryCounts;
+ __block NSInteger totalSuccessCount = 0;
+ __block NSInteger totalHardFailureCount = 0;
+ __block NSInteger totalSoftFailureCount = 0;
+ [successCounts enumerateKeysAndObjectsUsingBlock:^(NSString* _Nonnull eventType, NSDictionary* _Nonnull counts, BOOL* _Nonnull stop) {
+ summary[[NSString stringWithFormat:@"%@-success", eventType]] = counts[SFAnalyticsColumnSuccessCount];
+ summary[[NSString stringWithFormat:@"%@-hardfail", eventType]] = counts[SFAnalyticsColumnHardFailureCount];
+ summary[[NSString stringWithFormat:@"%@-softfail", eventType]] = counts[SFAnalyticsColumnSoftFailureCount];
+ totalSuccessCount += [counts[SFAnalyticsColumnSuccessCount] integerValue];
+ totalHardFailureCount += [counts[SFAnalyticsColumnHardFailureCount] integerValue];
+ totalSoftFailureCount += [counts[SFAnalyticsColumnSoftFailureCount] integerValue];
+ }];
+
+ summary[SFAnalyticsColumnSuccessCount] = @(totalSuccessCount);
+ summary[SFAnalyticsColumnHardFailureCount] = @(totalHardFailureCount);
+ summary[SFAnalyticsColumnSoftFailureCount] = @(totalSoftFailureCount);
+ if (os_variant_has_internal_diagnostics("com.apple.security")) {
+ summary[SFAnalyticsInternal] = @YES;
+ }
+
+ // Process samples
+ NSMutableDictionary* samplesBySampler = [NSMutableDictionary dictionary];
+ for (NSDictionary* sample in [store samples]) {
+ if (!samplesBySampler[sample[SFAnalyticsColumnSampleName]]) {
+ samplesBySampler[sample[SFAnalyticsColumnSampleName]] = [NSMutableArray array];
+ }
+ [samplesBySampler[sample[SFAnalyticsColumnSampleName]] addObject:sample[SFAnalyticsColumnSampleValue]];
+ }
+ [samplesBySampler enumerateKeysAndObjectsUsingBlock:^(NSString * _Nonnull key, NSMutableArray * _Nonnull obj, BOOL * _Nonnull stop) {
+ NSMutableDictionary* event = [self sampleStatisticsForSamples:obj withName:key];
+ [summary addEntriesFromDictionary:event];
+ }];
+
+ // Should always return yes because we already checked for event blacklisting specifically
+ if (![self prepareEventForUpload:summary]) {
+ return nil;
+ }
+ return summary;
+}
+
+- (void)updateUploadDateForClients:(NSArray*)clients clearData:(BOOL)clearData
+{
+ for (SFAnalyticsClient* client in clients) {
+ SFAnalyticsSQLiteStore* store = [SFAnalyticsSQLiteStore storeWithPath:client.storePath schema:SFAnalyticsTableSchema];
+ secnotice("postprocess", "Setting upload date for client: %@", client.name);
+ store.uploadDate = [NSDate date];
+ if (clearData) {
+ secnotice("postprocess", "Clearing collected data for client: %@", client.name);
+ [store clearAllData];
+ }
+ }
+}
+
+- (NSData*)getLoggingJSON:(bool)pretty
+ forUpload:(BOOL)upload
+ participatingClients:(NSMutableArray**)clients
+ error:(NSError**)error
+{
+ __block NSMutableArray* uploadRecords = [NSMutableArray arrayWithCapacity:_maxEventsToReport];
+ __block NSError *localError;
+ __block NSMutableArray* hardFailures = [NSMutableArray new];
+ __block NSMutableArray* softFailures = [NSMutableArray new];
+ NSString* ckdeviceID = nil;
+ if ([_internalTopicName isEqualToString:SFAnalyticsTopicKeySync]) {
+ ckdeviceID = os_variant_has_internal_diagnostics("com.apple.security") ? [self askSecurityForCKDeviceID] : nil;
+ }
+ for (SFAnalyticsClient* client in self->_topicClients) {
+ if ([client requireDeviceAnalytics] && !_isDeviceAnalyticsEnabled()) {
+ // Client required device analytics, yet the user did not opt in.
+ secnotice("getLoggingJSON", "Client '%@' requires device analytics yet user did not opt in.", [client name]);
+ continue;
+ }
+ if ([client requireiCloudAnalytics] && !_isiCloudAnalyticsEnabled()) {
+ // Client required iCloud analytics, yet the user did not opt in.
+ secnotice("getLoggingJSON", "Client '%@' requires iCloud analytics yet user did not opt in.", [client name]);
+ continue;
+ }
+
+ SFAnalyticsSQLiteStore* store = [SFAnalyticsSQLiteStore storeWithPath:client.storePath schema:SFAnalyticsTableSchema];
+
+ if (upload) {
+ NSDate* uploadDate = store.uploadDate;
+ if (uploadDate && [[NSDate date] timeIntervalSinceDate:uploadDate] < _secondsBetweenUploads) {
+ secnotice("json", "ignoring client '%@' for %@ because last upload too recent: %@",
+ client.name, _internalTopicName, uploadDate);
+ continue;
+ }
+
+ if (!uploadDate) {
+ secnotice("json", "ignoring client '%@' because doesn't have an upload date; giving it a baseline date",
+ client.name);
+ [self updateUploadDateForClients:@[client] clearData:NO];
+ continue;
+ }
+
+ secnotice("json", "including client '%@' for upload", client.name);
+ [*clients addObject:client];
+ }
+
+ NSMutableDictionary* healthSummary = [self healthSummaryWithName:client.name store:store];
+ if (healthSummary) {
+ if (ckdeviceID) {
+ healthSummary[SFAnalyticsDeviceID] = ckdeviceID;
+ }
+ [uploadRecords addObject:healthSummary];
+ }
+
+ [hardFailures addObject:store.hardFailures];
+ [softFailures addObject:store.softFailures];
+ }
+ if (upload && [*clients count] == 0) {
+ if (error) {
+ NSString *description = [NSString stringWithFormat:@"Upload too recent for all clients for %@", _internalTopicName];
+ *error = [NSError errorWithDomain:@"SupdUploadErrorDomain"
+ code:-10
+ userInfo:@{NSLocalizedDescriptionKey : description}];
+ }
+ return nil;
+ }
+
+ [self addFailures:hardFailures toUploadRecords:uploadRecords threshold:_maxEventsToReport/10];
+ [self addFailures:softFailures toUploadRecords:uploadRecords threshold:0];
+
+ NSDictionary* jsonDict = @{
+ SFAnalyticsSplunkPostTime : @([[NSDate date] timeIntervalSince1970] * 1000),
+ @"events" : uploadRecords
+ };
+
+ NSData *json = [NSJSONSerialization dataWithJSONObject:jsonDict
+ options:(pretty ? NSJSONWritingPrettyPrinted : 0)
+ error:&localError];
+
+ if (error) {
+ *error = localError;
+ }
+ return json;
+}
+
+- (NSString*)askSecurityForCKDeviceID
+{
+ NSError* error = nil;
+ CKKSControl* rpc = [CKKSControl controlObject:&error];
+ if(error || !rpc) {
+ secerror("unable to obtain CKKS endpoint: %@", error);
+ return nil;
+ }
+
+ __block NSString* localCKDeviceID;
+ dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+ [rpc rpcGetCKDeviceIDWithReply:^(NSString* ckdeviceID) {
+ localCKDeviceID = ckdeviceID;
+ dispatch_semaphore_signal(sema);
+ }];
+
+ if (dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 10)) != 0) {
+ secerror("timed out waiting for a response from security");
+ return nil;
+ }
+
+ return localCKDeviceID;
+}
+
+// this method is kind of evil for the fact that it has side-effects in pulling other things besides the metricsURL from the server, and as such should NOT be memoized.
+// TODO redo this, probably to return a dictionary.
+- (NSURL*)splunkUploadURL
+{
+ if (__splunkUploadURL) {
+ return __splunkUploadURL;
+ }
+
+ __weak __typeof(self) weakSelf = self;
+ dispatch_semaphore_t sem = dispatch_semaphore_create(0);
+
+ __block NSError* error = nil;
+ NSURLSessionConfiguration *configuration = [NSURLSessionConfiguration ephemeralSessionConfiguration];
+ NSURLSession* storeBagSession = [NSURLSession sessionWithConfiguration:configuration
+ delegate:self
+ delegateQueue:nil];
+
+ NSURL* requestEndpoint = _splunkBagURL;
+ __block NSURL* result = nil;
+ NSURLSessionDataTask* storeBagTask = [storeBagSession dataTaskWithURL:requestEndpoint completionHandler:^(NSData * _Nullable data,
+ NSURLResponse * _Nullable __unused response,
+ NSError * _Nullable responseError) {
+
+ __strong __typeof(self) strongSelf = weakSelf;
+ if (!strongSelf) {
+ return;
+ }
+
+ if (data && !responseError) {
+ NSData *responseData = data; // shut up compiler
+ NSDictionary* responseDict = [NSJSONSerialization JSONObjectWithData:responseData options:0 error:&error];
+ if([responseDict isKindOfClass:NSDictionary.class] && !error) {
+ if (!self->_ignoreServersMessagesTellingUsToGoAway) {
+ self->_disableUploads = [[responseDict valueForKey:@"sendDisabled"] boolValue];
+ if (self->_disableUploads) {
+ // then don't upload anything right now
+ secerror("not returning a splunk URL because uploads are disabled for %@", self->_internalTopicName);
+ dispatch_semaphore_signal(sem);
+ return;
+ }
+
+ // backend works with milliseconds
+ NSUInteger secondsBetweenUploads = [[responseDict valueForKey:@"postFrequency"] unsignedIntegerValue] / 1000;
+ if (secondsBetweenUploads > 0) {
+ if (os_variant_has_internal_diagnostics("com.apple.security") &&
+ self->_secondsBetweenUploads < secondsBetweenUploads) {
+ secnotice("getURL", "Overriding server-sent post frequency because device is internal (%lu -> %lu)", secondsBetweenUploads, self->_secondsBetweenUploads);
+ } else {
+ strongSelf->_secondsBetweenUploads = secondsBetweenUploads;
+ }
+ }
+
+ strongSelf->_blacklistedEvents = responseDict[@"blacklistedEvents"];
+ strongSelf->_blacklistedFields = responseDict[@"blacklistedFields"];
+ }
+
+ strongSelf->_metricsBase = responseDict[@"metricsBase"];
+
+ NSString* metricsEndpoint = responseDict[@"metricsUrl"];
+ if([metricsEndpoint isKindOfClass:NSString.class]) {
+ /* Lives our URL */
+ NSString* endpoint = [metricsEndpoint stringByAppendingFormat:@"/2/%@", strongSelf->_splunkTopicName];
+ secnotice("upload", "got metrics endpoint %@ for %@", endpoint, self->_internalTopicName);
+ NSURL* endpointURL = [NSURL URLWithString:endpoint];
+ if([endpointURL.scheme isEqualToString:@"https"]) {
+ result = endpointURL;
+ }
+ }
+ }
+ }
+ else {
+ error = responseError;
+ }
+ if (error) {
+ secnotice("upload", "Unable to fetch splunk endpoint at URL for %@: %@ -- error: %@",
+ self->_internalTopicName, requestEndpoint, error.description);
+ }
+ else if (!result) {
+ secnotice("upload", "Malformed iTunes config payload for %@!", self->_internalTopicName);
+ }
+
+ dispatch_semaphore_signal(sem);
+ }];
+
+ [storeBagTask resume];
+ dispatch_semaphore_wait(sem, dispatch_time(DISPATCH_TIME_NOW, (uint64_t)(60 * NSEC_PER_SEC)));
+
+ return result;
+}
+
+- (void)URLSession:(NSURLSession *)session didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
+ completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
+ assert(completionHandler);
+ (void)session;
+ secnotice("upload", "Splunk upload challenge for %@", _internalTopicName);
+ NSURLCredential *cred = nil;
+ SecTrustResultType result = kSecTrustResultInvalid;
+
+ if ([challenge previousFailureCount] > 0) {
+ // Previous failures occurred, bail
+ completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
+
+ } else if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
+ /*
+ * Evaluate trust for the certificate
+ */
+
+ SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
+ // Coverity gets upset if we don't check status even though result is all we need.
+ OSStatus status = SecTrustEvaluate(serverTrust, &result);
+ if (_allowInsecureSplunkCert || (status == errSecSuccess && ((result == kSecTrustResultProceed) || (result == kSecTrustResultUnspecified)))) {
+ /*
+ * All is well, accept the credentials
+ */
+ if(_allowInsecureSplunkCert) {
+ secnotice("upload", "Force Accepting Splunk Credential for %@", _internalTopicName);
+ }
+ cred = [NSURLCredential credentialForTrust:serverTrust];
+ completionHandler(NSURLSessionAuthChallengeUseCredential, cred);
+
+ } else {
+ /*
+ * An error occurred in evaluating trust, bail
+ */
+ completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
+ }
+ } else {
+ /*
+ * Just perform the default handling
+ */
+ completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
+ }
+}
+
+- (NSDictionary*)eventDictWithBlacklistedFieldsStrippedFrom:(NSDictionary*)eventDict
+{
+ NSMutableDictionary* strippedDict = eventDict.mutableCopy;
+ for (NSString* blacklistedField in _blacklistedFields) {
+ [strippedDict removeObjectForKey:blacklistedField];
+ }
+ return strippedDict;
+}
+
+// MARK: Database path retrieval
+
++ (NSString*)databasePathForCKKS
+{
+ return [(__bridge_transfer NSURL*)SecCopyURLForFileInKeychainDirectory((__bridge CFStringRef)@"Analytics/ckks_analytics.db") path];
+}
+
++ (NSString*)databasePathForSOS
+{
+ return [(__bridge_transfer NSURL*)SecCopyURLForFileInKeychainDirectory((__bridge CFStringRef)@"Analytics/sos_analytics.db") path];
+}
+
++ (NSString*)AppSupportPath
+{
+#if TARGET_OS_IOS
+ return @"/var/mobile/Library/Application Support";
+#else
+ NSArray*paths = NSSearchPathForDirectoriesInDomains(NSApplicationSupportDirectory, NSUserDomainMask, true);
+ if ([paths count] < 1) {
+ return nil;
+ }
+ return [NSString stringWithString: paths[0]];
+#endif /* TARGET_OS_IOS */
+}
+
++ (NSString*)databasePathForPCS
+{
+ NSString *appSup = [self AppSupportPath];
+ if (!appSup) {
+ return nil;
+ }
+ NSString *dbpath = [NSString stringWithFormat:@"%@/com.apple.ProtectedCloudStorage/PCSAnalytics.db", appSup];
+ secnotice("supd", "PCS Database path (%@)", dbpath);
+ return dbpath;
+}
+
++ (NSString*)databasePathForTrustdHealth
+{
+#if TARGET_OS_IPHONE
+ return [(__bridge_transfer NSURL*)SecCopyURLForFileInKeychainDirectory(CFSTR("Analytics/trustd_health_analytics.db")) path];
+#else
+ return [(__bridge_transfer NSURL*)SecCopyURLForFileInUserCacheDirectory(CFSTR("Analytics/trustd_health_analytics.db")) path];
+#endif
+}
+
++ (NSString*)databasePathForTrust
+{
+#if TARGET_OS_IPHONE
+ return [(__bridge_transfer NSURL*)SecCopyURLForFileInKeychainDirectory(CFSTR("Analytics/trust_analytics.db")) path];
+#else
+ return [(__bridge_transfer NSURL*)SecCopyURLForFileInUserCacheDirectory(CFSTR("Analytics/trust_analytics.db")) path];
+#endif
+}
+
++ (NSString*)databasePathForTLS
+{
+#if TARGET_OS_IPHONE
+ return [(__bridge_transfer NSURL*)SecCopyURLForFileInKeychainDirectory(CFSTR("Analytics/TLS_analytics.db")) path];
+#else
+ return [(__bridge_transfer NSURL*)SecCopyURLForFileInUserCacheDirectory(CFSTR("Analytics/TLS_analytics.db")) path];
+#endif
+}
+
+@end
+
+@interface supd ()
+@property NSDictionary *topicsSamplingRates;
+@end
+
+@implementation supd
+- (void)setupTopics
+{
+ NSDictionary* systemDefaultValues = [NSDictionary dictionaryWithContentsOfFile:[[NSBundle bundleWithPath:@"/System/Library/Frameworks/Security.framework"] pathForResource:@"SFAnalytics" ofType:@"plist"]];
+ NSMutableArray * topics = [NSMutableArray array];
+ for (NSString *topicKey in systemDefaultValues) {
+ NSDictionary *topicSamplingRates = _topicsSamplingRates[topicKey];
+ SFAnalyticsTopic *topic = [[SFAnalyticsTopic alloc] initWithDictionary:systemDefaultValues[topicKey] name:topicKey samplingRates:topicSamplingRates];
+ [topics addObject:topic];
+ }
+ _analyticsTopics = [NSArray arrayWithArray:topics];
+}
+
++ (void)instantiate {
+ [supd instance];
+}
+
++ (instancetype)instance {
+#if TARGET_OS_SIMULATOR
+ return nil;
+#else
+ if (!_supdInstance) {
+ _supdInstance = [self new];
+ }
+ return _supdInstance;
+#endif
+}
+
+// Use this for testing to get rid of any state
++ (void)removeInstance {
+ _supdInstance = nil;
+}
+
+
+static NSString *SystemTrustStorePath = @"/System/Library/Security/Certificates.bundle";
+static NSString *AnalyticsSamplingRatesFilename = @"AnalyticsSamplingRates";
+static NSString *ContentVersionKey = @"MobileAssetContentVersion";
+static NSString *AssetContextFilename = @"OTAPKIContext.plist";
+
+static NSNumber *getSystemVersion(NSBundle *trustStoreBundle) {
+ NSDictionary *systemVersionPlist = [NSDictionary dictionaryWithContentsOfURL:[trustStoreBundle URLForResource:@"AssetVersion"
+ withExtension:@"plist"]];
+ if (!systemVersionPlist || ![systemVersionPlist isKindOfClass:[NSDictionary class]]) {
+ return nil;
+ }
+ NSNumber *systemVersion = systemVersionPlist[ContentVersionKey];
+ if (systemVersion == nil || ![systemVersion isKindOfClass:[NSNumber class]]) {
+ return nil;
+ }
+ return systemVersion;
+}
+
+static NSNumber *getAssetVersion(NSURL *directory) {
+ NSDictionary *assetContextPlist = [NSDictionary dictionaryWithContentsOfURL:[directory URLByAppendingPathComponent:AssetContextFilename]];
+ if (!assetContextPlist || ![assetContextPlist isKindOfClass:[NSDictionary class]]) {
+ return nil;
+ }
+ NSNumber *assetVersion = assetContextPlist[ContentVersionKey];
+ if (assetVersion == nil || ![assetVersion isKindOfClass:[NSNumber class]]) {
+ return nil;
+ }
+ return assetVersion;
+}
+
+static bool ShouldInitializeWithAsset(NSBundle *trustStoreBundle, NSURL *directory) {
+ NSNumber *systemVersion = getSystemVersion(trustStoreBundle);
+ NSNumber *assetVersion = getAssetVersion(directory);
+
+ if (assetVersion == nil || systemVersion == nil) {
+ return false;
+ }
+ if ([assetVersion compare:systemVersion] == NSOrderedDescending) {
+ return true;
+ }
+ return false;
+}
+
+- (void)setupSamplingRates {
+#if TARGET_OS_SIMULATOR
+ NSBundle *trustStoreBundle = [NSBundle bundleWithPath:[NSString stringWithFormat:@"%s%@", getenv("SIMULATOR_ROOT"), SystemTrustStorePath]];
+#else
+ NSBundle *trustStoreBundle = [NSBundle bundleWithPath:SystemTrustStorePath];
+#endif
+
+#if TARGET_OS_IPHONE
+ NSURL *keychainsDirectory = CFBridgingRelease(SecCopyURLForFileInKeychainDirectory(nil));
+#else
+ NSURL *keychainsDirectory = [NSURL fileURLWithFileSystemRepresentation:"/Library/Keychains/" isDirectory:YES relativeToURL:nil];
+#endif
+ NSURL *directory = [keychainsDirectory URLByAppendingPathComponent:@"SupplementalsAssets/" isDirectory:YES];
+
+ NSDictionary *analyticsSamplingRates = nil;
+ if (ShouldInitializeWithAsset(trustStoreBundle, directory)) {
+ /* Try to get the asset version of the sampling rates */
+ NSURL *analyticsSamplingRateURL = [directory URLByAppendingPathComponent:[NSString stringWithFormat:@"%@.plist", AnalyticsSamplingRatesFilename]];
+ analyticsSamplingRates = [NSDictionary dictionaryWithContentsOfURL:analyticsSamplingRateURL];
+ secnotice("supd", "read sampling rates from SupplementalsAssets dir");
+ if (!analyticsSamplingRates || ![analyticsSamplingRates isKindOfClass:[NSDictionary class]]) {
+ analyticsSamplingRates = nil;
+ }
+ }
+ if (!analyticsSamplingRates) {
+ analyticsSamplingRates = [NSDictionary dictionaryWithContentsOfURL: [trustStoreBundle URLForResource:AnalyticsSamplingRatesFilename
+ withExtension:@"plist"]];
+ }
+ if (analyticsSamplingRates && [analyticsSamplingRates isKindOfClass:[NSDictionary class]]) {
+ _topicsSamplingRates = analyticsSamplingRates[@"Topics"];
+ if (!_topicsSamplingRates || ![analyticsSamplingRates isKindOfClass:[NSDictionary class]]) {
+ _topicsSamplingRates = nil; // Something has gone terribly wrong, so we'll use the hardcoded defaults in this case
+ }
+ }
+}
+
+- (instancetype)initWithReporter:(SFAnalyticsReporter *)reporter
+{ + if (self = [super init]) { + [self setupSamplingRates]; + [self setupTopics]; + _reporter = reporter; + [_reporter setupReportsDirectory]; + + xpc_activity_register("com.apple.securityuploadd.triggerupload", XPC_ACTIVITY_CHECK_IN, ^(xpc_activity_t activity) { + xpc_activity_state_t activityState = xpc_activity_get_state(activity); + secnotice("supd", "hit xpc activity trigger, state: %ld", activityState); + if (activityState == XPC_ACTIVITY_STATE_RUN) { + // Clean up the reports directory, and then run our regularly scheduled scan + [_reporter cleanupReportsDirectory]; + [self performRegularlyScheduledUpload]; + } + }); + } + + return self; +} + +- (instancetype)init { + SFAnalyticsReporter *reporter = [[SFAnalyticsReporter alloc] init]; + return [self initWithReporter:reporter]; +} + +- (void)sendNotificationForOncePerReportSamplers +{ + notify_post(SFAnalyticsFireSamplersNotification); + [NSThread sleepForTimeInterval:3.0]; +} + +- (void)performRegularlyScheduledUpload { + secnotice("upload", "Starting uploads in response to regular trigger"); + NSError *error = nil; + if ([self uploadAnalyticsWithError:&error]) { + secnotice("upload", "Regularly scheduled upload successful"); + } else { + secerror("upload: Failed to complete regularly scheduled upload: %@", error); + } +} + +- (BOOL)uploadAnalyticsWithError:(NSError**)error { + [self sendNotificationForOncePerReportSamplers]; + + BOOL result = NO; + NSError* localError = nil; + for (SFAnalyticsTopic *topic in _analyticsTopics) { + @autoreleasepool { // The logging JSONs get quite large. Ensure they're deallocated between topics. + __block NSURL* endpoint = [topic splunkUploadURL]; // has side effects! 
+ if ([topic disableUploads]) { + secnotice("upload", "Aborting upload task because uploads are disabled for %@", [topic internalTopicName]); + return NO; + } + + NSMutableArray* clients = [NSMutableArray new]; + NSData* json = [topic getLoggingJSON:false forUpload:YES participatingClients:&clients error:&localError]; + if (json) { + if ([topic isSampledUpload]) { + BOOL writtenToLog = NO; +#if TARGET_OS_OSX + // As of now, data is NOT logged for transparency on macOS, yet we upload anyway. + writtenToLog = YES; +#elif !TARGET_OS_SIMULATOR + // We override the output here and always assume we write to the log. Data transparency will be fixed in F. + writtenToLog = YES; +#endif // !TARGET_OS_SIMULATOR + if (!writtenToLog) { + secerror("uploadAnalyticsWithError: failed to write analytics data to log"); + } else if ([topic postJSON:json toEndpoint:endpoint error:&localError]) { + secnotice("uploadAnalyticsWithError", "Succeeded writing analytics data to log -- proceeding with upload"); + result = YES; + [topic updateUploadDateForClients:clients clearData:YES]; + } + } else { + /* If we didn't sample this report, update date to prevent trying to upload again sooner + * than we should. Clear data so that per-day calculations remain consistent. 
*/ + secnotice("upload", "skipping unsampled upload for %@ and clearing data", [topic internalTopicName]); + [topic updateUploadDateForClients:clients clearData:YES]; + } + } + } + if (error && localError) { + *error = localError; + } + } + return result; +} + +- (NSString*)sysdiagnoseStringForEventRecord:(NSDictionary*)eventRecord +{ + NSMutableDictionary* mutableEventRecord = eventRecord.mutableCopy; + [mutableEventRecord removeObjectForKey:SFAnalyticsSplunkTopic]; + + NSDate* eventDate = [NSDate dateWithTimeIntervalSince1970:[[eventRecord valueForKey:SFAnalyticsEventTime] doubleValue] / 1000]; + [mutableEventRecord removeObjectForKey:SFAnalyticsEventTime]; + + NSString* eventName = eventRecord[SFAnalyticsEventType]; + [mutableEventRecord removeObjectForKey:SFAnalyticsEventType]; + + SFAnalyticsEventClass eventClass = [[eventRecord valueForKey:SFAnalyticsEventClassKey] integerValue]; + NSString* eventClassString = [self stringForEventClass:eventClass]; + [mutableEventRecord removeObjectForKey:SFAnalyticsEventClassKey]; + + NSMutableString* additionalAttributesString = [NSMutableString string]; + if (mutableEventRecord.count > 0) { + [additionalAttributesString appendString:@" - Attributes: {" ]; + __block BOOL firstAttribute = YES; + [mutableEventRecord enumerateKeysAndObjectsUsingBlock:^(NSString* key, id object, BOOL* stop) { + NSString* openingString = firstAttribute ? 
@"" : @", "; + [additionalAttributesString appendString:[NSString stringWithFormat:@"%@%@ : %@", openingString, key, object]]; + firstAttribute = NO; + }]; + [additionalAttributesString appendString:@" }"]; + } + + return [NSString stringWithFormat:@"%@ %@: %@%@", eventDate, eventClassString, eventName, additionalAttributesString]; +} + +- (NSString*)getSysdiagnoseDump +{ + NSMutableString* sysdiagnose = [[NSMutableString alloc] init]; + + for (SFAnalyticsTopic* topic in _analyticsTopics) { + for (SFAnalyticsClient* client in topic.topicClients) { + [sysdiagnose appendString:[NSString stringWithFormat:@"Client: %@\n", client.name]]; + SFAnalyticsSQLiteStore* store = [SFAnalyticsSQLiteStore storeWithPath:client.storePath schema:SFAnalyticsTableSchema]; + NSArray* allEvents = store.allEvents; + for (NSDictionary* eventRecord in allEvents) { + [sysdiagnose appendFormat:@"%@\n", [self sysdiagnoseStringForEventRecord:eventRecord]]; + } + if (allEvents.count == 0) { + [sysdiagnose appendString:@"No data to report for this client\n"]; + } + } + } + return sysdiagnose; +} + +- (NSString*)stringForEventClass:(SFAnalyticsEventClass)eventClass +{ + if (eventClass == SFAnalyticsEventClassNote) { + return @"EventNote"; + } + else if (eventClass == SFAnalyticsEventClassSuccess) { + return @"EventSuccess"; + } + else if (eventClass == SFAnalyticsEventClassHardFailure) { + return @"EventHardFailure"; + } + else if (eventClass == SFAnalyticsEventClassSoftFailure) { + return @"EventSoftFailure"; + } + else { + return @"EventUnknown"; + } +} + +// MARK: XPC Procotol Handlers + +- (void)getSysdiagnoseDumpWithReply:(void (^)(NSString*))reply { + reply([self getSysdiagnoseDump]); +} + +- (void)getLoggingJSON:(bool)pretty topic:(NSString *)topicName reply:(void (^)(NSData*, NSError*))reply { + secnotice("rpcGetLoggingJSON", "Building a JSON blob resembling the one we would have uploaded"); + NSError* error = nil; + [self sendNotificationForOncePerReportSamplers]; + NSData* json = nil; + 
for (SFAnalyticsTopic* topic in self->_analyticsTopics) { + if ([topic.internalTopicName isEqualToString:topicName]) { + json = [topic getLoggingJSON:pretty forUpload:NO participatingClients:nil error:&error]; + } + } + if (!json) { + secerror("Unable to obtain JSON: %@", error); + } + reply(json, error); +} + +- (void)forceUploadWithReply:(void (^)(BOOL, NSError*))reply { + secnotice("upload", "Performing upload in response to rpc message"); + NSError* error = nil; + BOOL result = [self uploadAnalyticsWithError:&error]; + secnotice("upload", "Result of manually triggered upload: %@, error: %@", result ? @"success" : @"failure", error); + reply(result, error); +} + +@end diff --git a/supd/supdProtocol.h b/supd/supdProtocol.h new file mode 100644 index 00000000..fd051cf3 --- /dev/null +++ b/supd/supdProtocol.h 
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2017 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#import
+
+@protocol supdProtocol
+- (void)getSysdiagnoseDumpWithReply:(void (^)(NSString*))reply;
+- (void)getLoggingJSON:(bool)pretty topic:(NSString *)topicName reply:(void (^)(NSData*, NSError*))reply;
+- (void)forceUploadWithReply:(void (^)(BOOL, NSError*))reply;
+@end
diff --git a/supdctl/main.m b/supdctl/main.m
new file mode 100644
index 00000000..0307de74
--- /dev/null
+++ b/supdctl/main.m
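Review bot: None of the three reply blocks in `supdProtocol` documents whether its arguments may be nil, and the implementation added to supd.m in this commit does hand back nil. `getLoggingJSON:topic:reply:` calls `reply(json, error)` with both values nil when `topicName` matches no entry in `_analyticsTopics`, so a client cannot tell an unknown topic from any other failure. I would add a comment above each method stating the reply contract, for example `// reply: data is nil on failure; error may also be nil when topicName matches no topic`, and mark the block parameters `_Nullable`. Since `forceUploadWithReply:` triggers an upload of analytics data, the header should also state which entitlement the listener requires of callers; that check is not part of this hunk, though supdctl's entitlements file in this commit carries `com.apple.private.securityuploadd`.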
@@ -0,0 +1,161 @@
+/*
+ * Copyright (c) 2017 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#import
+#include "lib/SecArgParse.h"
+#import "supd/supdProtocol.h"
+#import
+#import "SFAnalytics.h"
+
+/* Internal Topic Names */
+NSString* const SFAnalyticsTopicKeySync = @"KeySyncTopic";
+NSString* const SFAnaltyicsTopicTrust = @"TrustTopic";
+
+static void nsprintf(NSString *fmt, ...) NS_FORMAT_FUNCTION(1, 2);
+static void nsprintf(NSString *fmt, ...)
+{
+ va_list ap;
+ va_start(ap, fmt);
+ NSString *str = [[NSString alloc] initWithFormat:fmt arguments:ap];
+ va_end(ap);
+
+ puts([str UTF8String]);
+#if !__has_feature(objc_arc)
+ [str release];
+#endif
+}
+
+static NSXPCConnection* getConnection()
+{
+ NSXPCConnection* connection = [[NSXPCConnection alloc] initWithMachServiceName:@"com.apple.securityuploadd" options:0];
+ connection.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(supdProtocol)];
+ [connection resume];
+ return connection;
+}
+
+static void getSysdiagnoseDump(void)
+{
+ dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+ NSXPCConnection* connection = getConnection();
+ [[connection remoteObjectProxyWithErrorHandler:^(NSError * _Nonnull error) {
+ nsprintf(@"Could not communicate with supd: %@", error);
+ dispatch_semaphore_signal(sema);
+ }] getSysdiagnoseDumpWithReply:^(NSString * sysdiagnoseString) {
+ nsprintf(@"Analytics sysdiagnose: \n%@", sysdiagnoseString);
+ dispatch_semaphore_signal(sema);
+ }];
+
+ if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 20)) != 0) {
+ printf("\n\nError: timed out waiting for response from supd\n");
+ }
+ [connection invalidate];
+}
+
+static void getLoggingJSON(char *topicName)
+{
+ NSString *topic = topicName ? [NSString stringWithUTF8String:topicName] : SFAnalyticsTopicKeySync;
+ dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+ NSXPCConnection* connection = getConnection();
+ [[connection remoteObjectProxyWithErrorHandler:^(NSError * _Nonnull error) {
+ nsprintf(@"Could not communicate with supd: %@", error);
+ dispatch_semaphore_signal(sema);
+ }] getLoggingJSON:YES topic:topic reply:^(NSData* data, NSError* error) {
+ if (data) {
+ nsprintf(@"Logging data we would have uploaded:\n%@", [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding]);
+ } else {
+ nsprintf(@"supd gave us an error: %@", error);
+ }
+ dispatch_semaphore_signal(sema);
+ }];
+
+ if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 20)) != 0) {
+ printf("\n\nError: timed out waiting for response from supd\n");
+ }
+ [connection invalidate];
+}
+
+static void forceUploadAnalytics(void)
+{
+ dispatch_semaphore_t sema = dispatch_semaphore_create(0);
+ NSXPCConnection* connection = getConnection();
+ [[connection remoteObjectProxyWithErrorHandler:^(NSError * _Nonnull error) {
+ nsprintf(@"Could not communicate with supd: %@", error);
+ dispatch_semaphore_signal(sema);
+ }] forceUploadWithReply:^(BOOL success, NSError *error) {
+ if (success) {
+ printf("Supd reports successful upload\n");
+ } else {
+ nsprintf(@"Supd reports failure: %@", error);
+ }
+ dispatch_semaphore_signal(sema);
+ }];
+
+ if(dispatch_semaphore_wait(sema, dispatch_time(DISPATCH_TIME_NOW, NSEC_PER_SEC * 20)) != 0) {
+ printf("\n\nError: timed out waiting for response from supd\n");
+ }
+ [connection invalidate];
+}
+
+static int forceUpload = false;
+static int getJSON = false;
+static int getSysdiagnose = false;
+static char *topicName = nil;
+
+int main(int argc, char **argv)
+{
+ static struct argument options[] = {
+ { .shortname='t', .longname="topicName", .argument=&topicName, .description="Operate on a non-default topic"},
+
+ { .command="sysdiagnose", .flag=&getSysdiagnose, .flagval=true, .description="Retrieve the current sysdiagnose dump for security analytics"},
+ { .command="get", .flag=&getJSON, .flagval=true, .description="Get the JSON blob we would upload to the server if an upload were due"},
+ { .command="upload", .flag=&forceUpload, .flagval=true, .description="Force an upload of analytics data to server"},
+ {} // Need this!
+ };
+
+ static struct arguments args = {
+ .programname="supdctl",
+ .description="Control and report on security analytics",
+ .arguments = options,
+ };
+
+ if(!options_parse(argc, argv, &args)) {
+ printf("\n");
+ print_usage(&args);
+ return -1;
+ }
+
+ @autoreleasepool {
+ if (forceUpload) {
+ forceUploadAnalytics();
+ } else if (getJSON) {
+ getLoggingJSON(topicName);
+ } else if (getSysdiagnose) {
+ getSysdiagnoseDump();
+ } else {
+ print_usage(&args);
+ return -1;
+ }
+ }
+ return 0;
+}
+
diff --git a/supdctl/supdctl-Entitlements.plist b/supdctl/supdctl-Entitlements.plist
new file mode 100644
index 00000000..271f6e35
--- /dev/null
+++ b/supdctl/supdctl-Entitlements.plist
@@ -0,0 +1,8 @@
+
+
+
+
+ com.apple.private.securityuploadd
+
+
+
diff --git a/tests/secdmockaks/Info.plist b/tests/secdmockaks/Info.plist
new file mode 100644
index 00000000..6c40a6cd
--- /dev/null
+++ b/tests/secdmockaks/Info.plist
@@ -0,0 +1,22 @@
+
+
+
+
+ CFBundleDevelopmentRegion
+ $(DEVELOPMENT_LANGUAGE)
+ CFBundleExecutable
+ $(EXECUTABLE_NAME)
+ CFBundleIdentifier
+ $(PRODUCT_BUNDLE_IDENTIFIER)
+ CFBundleInfoDictionaryVersion
+ 6.0
+ CFBundleName
+ $(PRODUCT_NAME)
+ CFBundlePackageType
+ BNDL
+ CFBundleShortVersionString
+ 1.0
+ CFBundleVersion
+ 1
+
+
diff --git a/tests/secdmockaks/mockaks.h b/tests/secdmockaks/mockaks.h
new file mode 100644
index 00000000..8390d5d9
--- /dev/null
+++ b/tests/secdmockaks/mockaks.h
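Review bot: `main` returns 0 after `forceUploadAnalytics()`, `getLoggingJSON(topicName)` and `getSysdiagnoseDump()` no matter what happened, because the three helpers return `void`: an XPC error, a "Supd reports failure" reply and the 20-second semaphore timeout all end in exit status 0. A script that calls `supdctl upload` therefore cannot detect a failed upload. Each helper should record the outcome in a `__block int` and return it, and `main` should pass that value on, as sketched below for the upload command. Separately, `[NSString stringWithUTF8String:topicName]` in `getLoggingJSON` yields nil for a `-t` argument that is not valid UTF-8, and that nil is sent as the topic; rejecting the argument with a usage error would make the failure explicit.

```objective-c
static int forceUploadAnalytics(void)
{
    __block int rc = -1;    // stays -1 on XPC error, reported failure or timeout
    // … unchanged: semaphore and connection setup, XPC error handler …
    }] forceUploadWithReply:^(BOOL success, NSError *error) {
        if (success) {
            rc = 0;
            printf("Supd reports successful upload\n");
        } else {
    // … unchanged: failure message, semaphore signal, timeout wait, [connection invalidate] …
    return rc;
}

// in main(), inside the @autoreleasepool:
        if (forceUpload) {
            return forceUploadAnalytics();
        } else if (getJSON) {
    // … unchanged: remaining commands, converted the same way …
```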
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2018 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#ifndef mockaks_h
+#define mockaks_h
+
+#import
+
+@interface SecMockAKS : NSObject
++ (bool)isLocked:(keyclass_t)key_class;
++ (bool)isSEPDown;
++ (bool)useGenerationCount;
+@end
+
+#endif /* mockaks_h */
diff --git a/tests/secdmockaks/mockaks.m b/tests/secdmockaks/mockaks.m
new file mode 100644
index 00000000..044d1d4f
--- /dev/null
+++ b/tests/secdmockaks/mockaks.m
@@ -0,0 +1,368 @@
+/*
+ * Copyright (c) 2018 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#import
+#import
+#import
+#import
+#import
+#import
+#import
+#import
+#import
+#import
+#import "mockaks.h"
+
+@implementation SecMockAKS
+
++ (bool)isLocked:(keyclass_t)key_class
+{
+ return false;
+}
+
++ (bool)isSEPDown
+{
+ return false;
+}
+
++ (bool)useGenerationCount
+{
+ return false;
+}
+
+@end
+
+kern_return_t
+aks_load_bag(const void * data, int length, keybag_handle_t* handle)
+{
+ *handle = 17;
+ return 0;
+}
+
+kern_return_t aks_unlock_bag(keybag_handle_t handle, const void * passcode, int length)
+{
+ return 0;
+}
+
+kern_return_t
+aks_create_bag(const void * passcode, int length, keybag_type_t type, keybag_handle_t* handle)
+{
+ *handle = 17;
+ return 0;
+}
+
+kern_return_t
+aks_unload_bag(keybag_handle_t handle)
+{
+ return -1;
+}
+
+kern_return_t
+aks_save_bag(keybag_handle_t handle, void ** data, int * length)
+{
+ return 0;
+}
+
+kern_return_t
+aks_get_system(keybag_handle_t special_handle, keybag_handle_t *handle)
+{
+ *handle = 17;
+ return 0;
+}
+
+//static uint8_t staticAKSKey[32] = "1234567890123456789012";
+
+#define PADDINGSIZE 8
+
+kern_return_t
+aks_wrap_key(const void * key, int key_size, keyclass_t key_class, keybag_handle_t handle, void * wrapped_key, int * wrapped_key_size_inout, keyclass_t * class_out)
+{
+ if ([SecMockAKS isLocked:key_class]) {
+ return kIOReturnNotPermitted;
+ }
+ if ([SecMockAKS isSEPDown]) {
+ return kIOReturnBusy;
+ }
+
+ *class_out = key_class;
+ if ([SecMockAKS useGenerationCount]) {
+ *class_out |= (key_class_last + 1);
+ }
+
+ if (key_size + PADDINGSIZE > *wrapped_key_size_inout) {
+ abort();
+ }
+ *wrapped_key_size_inout = key_size + PADDINGSIZE;
+ memcpy(wrapped_key, key, key_size);
+ memset(((uint8_t *)wrapped_key) + key_size, 0xff, PADDINGSIZE);
+ return 0;
+}
+
+kern_return_t
+aks_unwrap_key(const void * wrapped_key, int wrapped_key_size, keyclass_t key_class, keybag_handle_t handle, void * key, int * key_size_inout)
+{
+ if ([SecMockAKS isLocked:key_class]) {
+ return kIOReturnNotPermitted;
+ }
+ if ([SecMockAKS isSEPDown]) {
+ return kIOReturnBusy;
+ }
+
+ if (wrapped_key_size < 8) {
+ abort();
+ }
+ static const char expected_padding[PADDINGSIZE] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
+ if (memcmp(((const uint8_t *)wrapped_key) + (wrapped_key_size - PADDINGSIZE), expected_padding, PADDINGSIZE) != 0) {
+ abort();
+ }
+ if (*key_size_inout < wrapped_key_size - PADDINGSIZE) {
+ abort();
+ }
+ *key_size_inout = wrapped_key_size - PADDINGSIZE;
+ memcpy(key, wrapped_key, *key_size_inout);
+
+ return 0;
+}
+
+int
+aks_ref_key_create(keybag_handle_t handle, keyclass_t cls, aks_key_type_t type, const uint8_t *params, size_t params_len, aks_ref_key_t *ot)
+{
+ return -1;
+}
+
+int
+aks_ref_key_encrypt(aks_ref_key_t handle,
+ const uint8_t *der_params, size_t der_params_len,
+ const void * data, size_t data_len,
+ void ** out_der, size_t * out_der_len)
+{
+ return -1;
+}
+
+int
+aks_ref_key_decrypt(aks_ref_key_t handle,
+ const uint8_t *der_params, size_t der_params_len,
+ const void * data, size_t data_len,
+ void ** out_der, size_t * out_der_len)
+{
+ return -1;
+}
+
+int
+aks_ref_key_delete(aks_ref_key_t handle, const uint8_t *der_params, size_t der_params_len)
+{
+ return -1;
+}
+
+int
+aks_operation_optional_params(const uint8_t * access_groups, size_t access_groups_len, const uint8_t * external_data, size_t external_data_len, const void * acm_handle, int acm_handle_len, void ** out_der, size_t * out_der_len)
+{
+ return -1;
+}
+
+int aks_ref_key_create_with_blob(keybag_handle_t refkey, const uint8_t *ref_key_blob, size_t ref_key_blob_len, aks_ref_key_t* handle)
+{
+ *handle = NULL;
+ return 0;
+}
+
+const uint8_t * aks_ref_key_get_blob(aks_ref_key_t refkey, size_t *out_blob_len)
+{
+ *out_blob_len = 2;
+ return (const uint8_t *)"20";
+}
+int
+aks_ref_key_free(aks_ref_key_t* key)
+{
+ return 0;
+}
+
+const uint8_t *
+aks_ref_key_get_external_data(aks_ref_key_t refkey, size_t *out_external_data_len)
+{
+ *out_external_data_len = 2;
+ return (const uint8_t *)"21";
+}
+
+
+kern_return_t
+aks_assert_hold(keybag_handle_t handle, uint32_t type, uint64_t timeout)
+{
+ return 0;
+}
+
+kern_return_t
+aks_assert_drop(keybag_handle_t handle, uint32_t type)
+{
+ return 0;
+}
+
+kern_return_t
+aks_generation(keybag_handle_t handle,
+ generation_option_t generation_option,
+ uint32_t * current_generation)
+{
+ *current_generation = 0;
+ return 0;
+}
+
+kern_return_t
+aks_get_bag_uuid(keybag_handle_t handle, uuid_t uuid)
+{
+ memcpy(uuid, "0123456789abcdf", sizeof(uuid_t));
+ return 0;
+}
+
+kern_return_t
+aks_get_lock_state(keybag_handle_t handle, keybag_state_t *state)
+{
+ *state = keybag_state_been_unlocked;
+ return 0;
+}
+
+static CFStringRef staticKeybagHandle = CFSTR("keybagHandle");
+
+int
+MKBKeyBagCreateWithData(CFDataRef keybagBlob, MKBKeyBagHandleRef* newHandle)
+{
+ *newHandle = (MKBKeyBagHandleRef)staticKeybagHandle;
+ return 0;
+}
+
+int
+MKBKeyBagUnlock(MKBKeyBagHandleRef keybag, CFDataRef passcode)
+{
+ if (keybag == NULL || !CFEqual(keybag, staticKeybagHandle)) {
+ abort();
+ }
+ return 0;
+}
+
+int MKBKeyBagGetAKSHandle(MKBKeyBagHandleRef keybag, int32_t *handle)
+{
+ if (keybag == NULL || !CFEqual(keybag, staticKeybagHandle)) {
+ abort();
+ }
+ *handle = 17;
+ return 0;
+}
+
+
+
+const CFTypeRef kAKSKeyAcl = (CFTypeRef)CFSTR("kAKSKeyAcl");
+const CFTypeRef kAKSKeyAclParamRequirePasscode = (CFTypeRef)CFSTR("kAKSKeyAclParamRequirePasscode");
+
+const CFTypeRef kAKSKeyOpDefaultAcl = (CFTypeRef)CFSTR("kAKSKeyOpDefaultAcl");
+const CFTypeRef kAKSKeyOpEncrypt = (CFTypeRef)CFSTR("kAKSKeyOpEncrypt");
+const CFTypeRef kAKSKeyOpDecrypt = (CFTypeRef)CFSTR("kAKSKeyOpDecrypt");
+const CFTypeRef kAKSKeyOpSync = (CFTypeRef)CFSTR("kAKSKeyOpSync");
+const CFTypeRef kAKSKeyOpDelete = (CFTypeRef)CFSTR("kAKSKeyOpDelete");
+const CFTypeRef kAKSKeyOpCreate = (CFTypeRef)CFSTR("kAKSKeyOpCreate");
+const CFTypeRef kAKSKeyOpSign = (CFTypeRef)CFSTR("kAKSKeyOpSign");
+const CFTypeRef kAKSKeyOpSetKeyClass = (CFTypeRef)CFSTR("kAKSKeyOpSetKeyClass");
+const CFTypeRef kAKSKeyOpWrap = (CFTypeRef)CFSTR("kAKSKeyOpWrap");
+const CFTypeRef kAKSKeyOpUnwrap = (CFTypeRef)CFSTR("kAKSKeyOpUnwrap");
+const CFTypeRef kAKSKeyOpComputeKey = (CFTypeRef)CFSTR("kAKSKeyOpComputeKey");
+const CFTypeRef kAKSKeyOpAttest = (CFTypeRef)CFSTR("kAKSKeyOpAttest");
+const CFTypeRef kAKSKeyOpTranscrypt = (CFTypeRef)CFSTR("kAKSKeyOpTranscrypt");
+
+
+TKTokenRef TKTokenCreate(CFDictionaryRef attributes, CFErrorRef *error)
+{
+ return NULL;
+}
+
+CFTypeRef TKTokenCopyObjectData(TKTokenRef token, CFDataRef objectID, CFErrorRef *error)
+{
+ return NULL;
+}
+
+CFDataRef TKTokenCopyObjectCreationAccessControl(TKTokenRef token, CFDictionaryRef objectAttributes, CFErrorRef *error)
+{
+ return NULL;
+}
+
+CFDataRef TKTokenCreateOrUpdateObject(TKTokenRef token, CFDataRef objectID, CFMutableDictionaryRef attributes, CFErrorRef *error)
+{
+ return NULL;
+}
+
+CFDataRef TKTokenCopyObjectAccessControl(TKTokenRef token, CFDataRef objectID, CFErrorRef *error)
+{
+ return NULL;
+}
+bool TKTokenDeleteObject(TKTokenRef token, CFDataRef objectID, CFErrorRef *error)
+{
+ return false;
+}
+
+CFDataRef TKTokenCopyPublicKeyData(TKTokenRef token, CFDataRef objectID, CFErrorRef *error)
+{
+ return NULL;
+}
+
+CFTypeRef TKTokenCopyOperationResult(TKTokenRef token, CFDataRef objectID, CFIndex secKeyOperationType, CFArrayRef algorithm,
+ CFIndex secKeyOperationMode, CFTypeRef in1, CFTypeRef in2, CFErrorRef *error)
+{
+ return NULL;
+}
+
+CF_RETURNS_RETAINED CFDictionaryRef TKTokenControl(TKTokenRef token, CFDictionaryRef attributes, CFErrorRef *error)
+{
+ return NULL;
+}
+
+CFTypeRef LACreateNewContextWithACMContext(CFDataRef acmContext, CFErrorRef *error)
+{
+ return NULL;
+}
+
+CFDataRef LACopyACMContext(CFTypeRef context, CFErrorRef *error)
+{
+ return NULL;
+}
+
+bool LAEvaluateAndUpdateACL(CFTypeRef context, CFDataRef acl, CFTypeRef operation, CFDictionaryRef hints, CFDataRef *updatedACL, CFErrorRef *error)
+{
+ return false;
+}
+
+ACMContextRef
+ACMContextCreateWithExternalForm(const void *externalForm, size_t dataLength)
+{
+ return NULL;
+}
+
+ACMStatus
+ACMContextDelete(ACMContextRef context, bool destroyContext)
+{
+ return 0;
+}
+
+ACMStatus
+ACMContextRemovePassphraseCredentialsByPurposeAndScope(const ACMContextRef context, ACMPassphrasePurpose purpose, ACMScope scope)
+{
+ return 0;
+}
+
diff --git a/tests/secdmockaks/secdmock_db_version_10_5.h b/tests/secdmockaks/secdmock_db_version_10_5.h
new file mode 100644
index 00000000..a48f2a78
--- /dev/null
+++ b/tests/secdmockaks/secdmock_db_version_10_5.h
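Review bot: The size checks in `aks_wrap_key` and `aks_unwrap_key` do not cover negative lengths, and the unwrap side mixes a literal with the macro. `aks_unwrap_key` tests `wrapped_key_size < 8` but then subtracts `PADDINGSIZE`, so the two drift apart if the macro changes; `if (wrapped_key_size < PADDINGSIZE) {` keeps them tied. In `aks_wrap_key` a negative `key_size` passes `key_size + PADDINGSIZE > *wrapped_key_size_inout` and reaches `memcpy` converted to a huge `size_t`; `if (key_size < 0 || key_size > *wrapped_key_size_inout - PADDINGSIZE) {` rejects it and avoids the signed addition. `expected_padding` is declared `char` but initialised with `0xff`, which does not fit a signed `char`; `static const uint8_t expected_padding[PADDINGSIZE]` matches the `memset` on the wrap side. The wrapped form here is the key bytes followed by eight 0xff bytes, so a comment stating that this mock is meant only for test targets would help the next reader.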
@@ -0,0 +1,169 @@ +const char *secdmock_db_version10_5[] = { +"PRAGMA foreign_keys=OFF;", +"BEGIN TRANSACTION;", +"CREATE TABLE genp(rowid INTEGER PRIMARY KEY AUTOINCREMENT,cdat REAL,mdat REAL,desc BLOB,icmt BLOB,crtr INTEGER,type INTEGER,scrp INTEGER,labl BLOB,alis BLOB,invi INTEGER,nega INTEGER,cusi INTEGER,prot BLOB,acct BLOB NOT NULL DEFAULT '',svce BLOB NOT NULL DEFAULT '',gena BLOB,data BLOB,agrp TEXT NOT NULL,pdmn TEXT,sync INTEGER NOT NULL DEFAULT 0,tomb INTEGER NOT NULL DEFAULT 0,sha1 BLOB,vwht TEXT,tkid TEXT,musr BLOB NOT NULL,UUID TEXT,sysb INTEGER DEFAULT 0,pcss INTEGER,pcsk BLOB,pcsi BLOB,persistref BLOB NOT NULL,UNIQUE(acct,svce,agrp,sync,vwht,tkid,musr));", +"INSERT INTO genp VALUES(1,540009245.94961404799,540009245.94961404799,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'8382da59a29b55be466989dfa2aebd753d64c29e',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'0300008006000000280000003aa6d8ef67454036a5400ffa795e8da6a8c0415f8eac42c453a55193b984e5b0ffffffffffffffff6d1db45fd916e0eea6e4d6461652236de8eb2b06f4d46f97f44d142cd7889e5b300f067bd4b05d2885b079437f47fac2a95a5fbd65ef3fc907f93b10f7df6aadfa5fb481d2af38fd042703d255fbb6883646147c34f06def5424c3c261ada76dee25aa1347e50869ea0285b6a6f6aaf9bacd6f88044dea72b1b7eda52f15c9c504cd8d589f7a1871c2b69b4a18f7f274a4a67ce7a96bbc7c20497cbdae1ac51b716d71edd274e275df5fc5687d0ee77748c6345538508a8b575287b85cffc8f6d108046c65c45ef33fcf728bdc451f0013b736daa0329ebb99dd60f49c','sync','ak',0,0,X'9606421eed00b577e315aa2f1cb355b42dfcf455','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp 
VALUES(2,540009245.95954704282,540009245.95954704282,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'5aae321010aed69c632f05d26ff25a3264daf9df',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'030000800600000028000000fed80c22727d56ebcb7642031807e29b886a45f7367bc57c39dd4ff0c87a2147ffffffffffffffff432a9bab1064e002f1829613adc70b526bd34b18bfd2e80bbd5dfd6242aa83294f94554607ae0095f564e92748bd1fe95cb0a5669d475a755c54ae2aa6776f79911acb5271539e7f3616c4424a1fc9f8629558138d51f7da0cec0e6fb1890fcd7a331059b727368d36cb635c5dcbb9aa09a132528d871b3c3fa4e6f57047c314995523818e722049732acd5aa58db7a2f638eb11bb38219f44837e0a69e63efa3ea8a2cea9d37bd92830212803770d4f08f93576be06390f2f7f31b9a33a95959695d5b879485a39aff82795705b01e266c14e7c1a5f3aaf14ee328ba8','sync','ak',0,0,X'465af1664ec91a1b3e40961935d62f1d0f51f431','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(3,540009245.96500504016,540009245.96500504016,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'4872b599a64f42a50c2bb8190f4a3053f8f68b83',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'db56704c6d1961215f3cb01153997cffd5923bb2','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(4,540009245.96904194357,540009245.96904194357,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'7c93f04b766453571932dd9f62fc2ec2e6fff1bd',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'8194c6d9143186d4a3dd9c91bd4ca336807ca149','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(5,540009245.97303295135,540009245.97303295135,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'c9304138ee216d27ad7e02188309e730eae3c88c',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'29b024b51b20557236b0ffba807e7439b260906d','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO 
genp VALUES(6,540009245.97699296474,540009245.97699296474,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'eeb4d0c9c2cd4376e4790e8afa7e80514b2ddb03',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'e0009e99650e1c3e16a99b661ba78024ebd03e98','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(7,540009245.98067498207,540009245.98067498207,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'c5bd6ce0d501326fa6a0aec020542fc94cff130b',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'030000800600000028000000100b9dedff390f782856d382411dd00b328185a25a878a57d34904ee13603f85ffffffffffffffff2820cdc6b257aa66bb1098308a8282a0bdb2c1a62621d0e050042535de7070a6140073e7aca0c6dff260cbf90931ed530a49f4030c176b16c72e8f1428021aece0b4c41378e66d7b997f2ec4a7d25d8e9f34b5e04ed1224df1fde1d493dfcb5ebb621ed361db51ee406c2bf45cf15a3f2154a09ec089a1481fda3c0c236407665a7de081eecbd055cd963c364de000b274bf753158eadc8b9637140d22502f1c1ae15f3be15af72f9078d07724b799e0bca1791f6ed12be050d13cd173adff0abc87c36cd282812bae25e732bd89053a9eeb4393d2991810cd2eb72275','sync','ak',0,0,X'f2434775aa80960763f972b24e880056436a8365','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(8,540009245.98510801791,540009245.98510801791,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'2a6383e0e35bc696730fd84da42d4c7123e8fbf1',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'014037894870b7772d48317e1970d33b59d2e953','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(9,540009245.98908996584,540009245.98908996584,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'a58a2dceecafe55cd69bc0824b050eecf0044f3a',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'cf5df2df2ac4bbcf15a1d123b4ebda4b1ba044c7','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT 
INTO genp VALUES(10,540009245.99284398554,540009245.99284398554,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'e54afb2c10a7241d5305558d00fa9a63170adc8d',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'19347fe868dee17bf9d53435628b3e65e6465534','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(11,540009245.99883902074,540009245.99883902074,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'dd2cad2f1e45d7c4a7ad157b9f3b3ae503c69783',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'7fe2c9e56d13085e8e0cb985702cac582f3b85d3','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(12,540009246.00752496719,540009246.00752496719,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'e62d275c52a9542c792b5dee3fa10c886182d0c7',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'5ba5995b1170c31766f42815c6db013b2a209027','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(13,540009246.01104497908,540009246.01104497908,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'ca8e8c88bcdd512029792ebd515c8f72a26bc372',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'dd102ed52a178411e634f52c4f6c6bfb22b33198','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(14,540009246.01563894747,540009246.01563894747,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'3e988a865d4b20cd337fc4e675d986d8b5e47080',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'eb8d4a9dd3bbb1a4c9b748bf66c4f223fcd81cdd','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp 
VALUES(15,540009246.01945900918,540009246.01945900918,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'848b91f19350904eec92e211f378cfb180f044d7',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'ede27d9bb278ad679e007ad8f64b68bc7d17106b','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(16,540009246.02373099325,540009246.02373099325,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'2d355d53dd86109d8946cc385d4e612799949a9a',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'064e731d3e677c837de05ae105b5f5e79fecc0bb','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(17,540009246.02740502356,540009246.02740502356,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'e9c5538b19dc0af4955ed3abdea0ab1827bb510d',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'9b0b25ad12cdf94fa248f877c6802645986729ae','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(18,540009246.03106105325,540009246.03106105325,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'6384e8ebbd7b08d9e8f5f25c207b5db3bea3fde0',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'b83757a8e52e2502a2eb604322ee87f2cc298779','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(19,540009246.03506100176,540009246.03506100176,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'e29530802ccf90dc256fa5b247487074a1b5100a',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'daf523c6580d71580e31a3936e997f682a702f8a','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp 
VALUES(20,540009246.0390599966,540009246.0390599966,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'84182bc7bda9bac9ff3e6496511884f90f573b84',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'2111c6975ba46a7b4be18438cb4dcd60ecd58999','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(21,540009246.04271399974,540009246.04271399974,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'fd3b25de8b7936d68251083799bc37899591cd92',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'e2a22915b25aa87d70721ef02dac4b65ca83c763','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(22,540009246.04644501207,540009246.04644501207,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'166994f82033c7f123770fd93a4ca5be1ef65cd4',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'c9069fa763684b884561b332b43c8e4d7b421961','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(23,540009246.0500359535,540009246.0500359535,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'fe441bf8ed28ee3f57594bed1e7e32dafcf598de',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'963e55dc2b9f20af288c3ac668dc63cb977a02d9','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(24,540009246.06836700437,540009246.06836700437,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'215abad1bcead4124197850dee86ce1e8a87e7af',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'72f52b8d9cbde9b80f3a289ab6f7e174c3c6d237','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp 
VALUES(25,540009246.07308697701,540009246.07308697701,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'298c1e15fc3964aead90dc076a13679e14a2ac2c',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'0300008006000000280000004bb209bc16910ca296541b38d67f7ca1f675fe5b2265fbd1bd80e5863e3d2044ffffffffffffffff79f1a89e94bfc3c27d8e238bdfa441dd2739e4d46577f36a9192678dafdec8276503c5e1f42d779baa68f0289b8e41402b260fe84dac87cfac349f79c3c1b663c5c0a9f614305a4810f4d1a21ac9d30d1903f0f0ea77a544bec49c84da9109025d391220e8c7c111476fa77d68a80388a3ca8bcf0b16984a8fb077e87c163582be970d999194e283c078beca893bfa8f3c7dd4fc67652c767518de06a3bb87cb72ffe7a0e6c78478e8aa6dfb8f2d32a33eb5e0fb0fd3650a26b1323c0b1cc45e33fb4eed360590cee6a014b89a11550af12bada506fe727be9c94cb9c9a6','sync','ak',0,0,X'21f34fed5a4b46a2661562af9062656da7d8ea9c','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(26,540009246.07746100423,540009246.07746100423,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'bbb92bd8956ce7ea51e3b5a52770f63878e8e935',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'88facef56a3d4b6e564da7dc286c68f4719270e3','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(27,540009246.08136796952,540009246.08136796952,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'9ff2f7c4b27e2d78a8d00d1989a41896dc3e3691',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'f0973208d33e467e4b0813858d22c799b48fe79f','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp 
VALUES(28,540009246.08478295804,540009246.08478295804,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'f1fd3a0e76155cead83c6fba2a82fb56350df259',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'030000800600000028000000ccb381b7635074bd24f70511d7f6be4a133f94862ccebe48e5c378952c64372dffffffffffffffff691c40d07dc45276276f49eed47c12f3fbe9ca71d7331861e20e4cd16bb95b880c7821c32fef4b84060e98bcceed100a5e6d57888ebb84423fdda8295796cddfa1b48c86c2d8cef98abe9ccd895f6bb3a9147a34200cab6fcd37ad9f311aac23223088e689555eea2e03b908efe347deff926eac98fe634f1884488820d3645f5b699ccaab603eaae68da649b872ed8794aafaaf1532073f8409dd3937298e2cababe89a4a9bf16aae65c080619f05a1026eace4a5956d7e17afba3df4c3eb60a003dac1acf5dc06324ff36cd0138b67cd96df0b57e836acc72fa172de30','sync','ak',0,0,X'dc591988007f260a636861192c80c483bd957123','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(29,540009246.08790004254,540009246.08790004254,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'457ca81200fc6ef89b19fa8c5687fb3afcc28fd8',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'6a2af463ea21cc27aeab8dd374436f185c297924','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(30,540009246.09233105183,540009246.09233105183,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'0b3028c40099176e838e81ead36f67ad18928d48',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'dccb82d6d4775ef77809ca0020d03d03a4cc3679','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(31,540009246.09653496743,540009246.09653496743,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'7cb537d6c581482a1c1192a904a2baeb68622b14',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'40bf8eb16fa28a2d22cb819e95bfc567520f60ce','','','',NULL,NULL,NULL,NULL,NULL,'');", 
+"INSERT INTO genp VALUES(32,540009246.10136699678,540009246.10136699678,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'9fa550e31db22b3968b29876e892efd739b7cbb4',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'fd691e6048602d19dd155a88f142156b41a01305','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(33,540009246.10513496397,540009246.10513496397,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'481b02e558337bcaed9d54209d530e17d408e0cc',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'0300008006000000280000007db92007511383867241723797a9ccd4d28889c93351963f219f21810faa5d4affffffffffffffff869c81a43f39f42b416b7b4bb3852c9109bfe2ef54b96ffac148237cd02f657ee49c40b6e27a5b4a4d8fe75016696c808b1543d1599bdf035dc456281b6c812c8cfd2139a7487b0ca057d248970d97c45b914fb9e222a2ed4ca29f800f0c559714d24dc2853d23f56a703b8b0db1603d33db0b62e5d1f71b61ddeed4f29ce4175552b5de0a00a3e767262fabf1c4d630310d4cec1697053ebfc433a10ab733d330fe79f0663fa853ea0ea062e97fe47012b364829cafc63f7d44fc2c23fa9af3a8e8ac0784bd24e5fe1f0bb062861cddff94b77aac1897c1be41f9eae1e0','sync','ak',0,0,X'4cc770007795860f7af697ac327c2a512a56e5c5','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(34,540009246.10805094241,540009246.10805094241,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'c39bd8c7d03d60d6c9d46810e92d40ff2fa727f0',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'4416e3caf3305aeb56c7d82f5213a75cc2dbace6','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp 
VALUES(35,540009246.11151099206,540009246.11151099206,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'fa9163eaa8e20394509f96572cd9904a455a9edd',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'd741b608a5935373789035097ce5089534e0a615','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(36,540009246.11565101146,540009246.11565101146,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'c146e972cd43db30fcbe92ac84bb6759546a6a97',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'70ea352c55c79851cc41a1c5982731a6abae7577','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(37,540009246.11884999274,540009246.11884999274,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'10d55ff7665a76399dd3b9bc325e080075e2ca80',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'10fa113010c1fa7cc8d78e530fa1a7268c38ad23','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(38,540009246.12437605858,540009246.12437605858,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'ae3d912d9c06192d7a912b5ca7813cf6fe85c363',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'030000800600000028000000cee7c95d6d334478b08e52bb9bf596648f680c686649049fab2db6e980629f6effffffffffffffff5768e69ee03ad4d33b19b82b4c8d853885e78db47b41a26a27fdbfb705bd77f9938b7aaaf20dd4f0f0550b2e9893f9b45bb39b73c13145cf7ac36c2be5713f7462b2b987b7f9cfa4e3f039924bc798c80245189b845577888b9957ac0186ceda93dfbbb9944dbd07f9320781eddd3bee15561ba673996c0b916a0266538b63fc1d1b18fbcf603521491466ec6b9b99b75b054a2d52705ba8f236f754c076940a9d109ccb85d9f3b708c3ab9c9a9e206eda19d42524316fd92978703976603f8ac575d5265f34466866ef9122d1c8044efab107861e5ee185394c06f9cf4d','sync','ak',0,0,X'4e6ab77f90390aca3cdfbd67e65641d94b56d912','','','',NULL,NULL,NULL,NULL,NULL,'');", 
+"INSERT INTO genp VALUES(39,540009246.12985503675,540009246.12985503675,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'cb26c3b4e982f9215562a5638e21368325e320ae',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'f3f13c555913aec22beddf172c5e8e846cd6a6ad','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(40,540009246.13457798959,540009246.13457798959,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'2a2f3bc6c0b0fa2c7d67857bba536c8286992ef5',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'b48fc42bb7d984027c070247342e0ea560d40af7','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(41,540009246.13815200329,540009246.13815200329,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'aed7b09246a7e6fb7d12fcb5131cdfe5133f1ea5',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'a4b63a617ea4b0ca502a01737075ceadd8ee978b','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(42,540009246.14087796211,540009246.14087796211,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'ffa6ae40a6afe4e6c9c676fa122bce8529992a5a',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'205053fd3a4ff552a332844a1d4e8dc57cd87ddd','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(43,540009246.14429497718,540009246.14429497718,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'a3d2b38f6e49125112a1804deece91e421f965e4',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'a99fa6b8bb1a577e641ceaac6d42dc133f808965','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp 
VALUES(44,540009246.14734101296,540009246.14734101296,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'a726f509119981ebbfeef50afe3118f653c171c8',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'017b6c1fda8f9ce1743e6c2fe2bf2258ef7989b7','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(45,540009246.15040802956,540009246.15040802956,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'c932b839c200a4b2d2dae9f543d3cf16e7fe9b11',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'b85a6e345f2e091959d44faf1ed4ed06bc5d0eb3','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(46,540009246.15337598322,540009246.15337598322,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'218039970958276aa9280c9c38e67cb945818af7',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'e3e79af64959c52963cb5f90d94cc7baa0afd741','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(47,540009246.15662097929,540009246.15662097929,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'b62ddddaa3d03b92122817af746791c7e6e86be4',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'0300008006000000280000004cb5f37926091210edf1d042d0186ba7e21ec7f706c7bcfad2fb38e736617357ffffffffffffffff7a4e286409d4e50d06183eda805e49464880ca9b7457f69b46d8718c1d8149c926c8a6f58b6fd329bc641391db3ab6eb21b681f70b4b2e5a51c2570f8481ec4d5ae8e39cc9530979f7fa8e19ab65b4701c7d0c6e01e06037aebf6787eeefcb841e5e7c7da1c236c20c52d9bbcbe9ed589d9da3ccf30b5861cdf8503522a589e0e4973a03fd8a24e55aeb2ec7174f196ff4a190c94275e9487f001fa2952988c0cc91e7754d6e82843b35b07d841cc97ca7894b571318c6452ddd38523da4deed9ad3655f2692c76df9762eb5c8112b54fd950563da225b37c005650dcfb5','sync','ak',0,0,X'931f503216aec2276cf4de013c8e17bdee01340c','','','',NULL,NULL,NULL,NULL,NULL,'');", 
+"INSERT INTO genp VALUES(48,540009246.15953397752,540009246.15953397752,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'28c7da70aa2baa1ba58d752eeca3e605eecc5806',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'73ffce8e3a24faace335fb57857cfe01bb112a62','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(49,540009246.16241300106,540009246.16241300106,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'9bad040aca6d5538965effb516a6af074bd9b95a',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'5bdf5602f319d6fa9a48899ef41b099359c4b727','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO genp VALUES(50,540009246.16554105282,540009246.16554105282,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,X'c836ab78de836bb61f6e95ad145322eef78ac34a',X'60b0f62a25648e85ca93fbb508de87c5537a7a38',NULL,X'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','sync','ak',0,0,X'5e9787515348cc4321af5861ad0249d687f3dee2','','','',NULL,NULL,NULL,NULL,NULL,'');", +"CREATE TABLE inet(rowid INTEGER PRIMARY KEY AUTOINCREMENT,cdat REAL,mdat REAL,desc BLOB,icmt BLOB,crtr INTEGER,type INTEGER,scrp INTEGER,labl BLOB,alis BLOB,invi INTEGER,nega INTEGER,cusi INTEGER,prot BLOB,acct BLOB NOT NULL DEFAULT '',sdmn BLOB NOT NULL DEFAULT '',srvr BLOB NOT NULL DEFAULT '',ptcl INTEGER NOT NULL DEFAULT 0,atyp BLOB NOT NULL DEFAULT '',port INTEGER NOT NULL DEFAULT 0,path BLOB NOT NULL DEFAULT '',data BLOB,agrp TEXT NOT NULL,pdmn TEXT,sync INTEGER NOT NULL DEFAULT 0,tomb INTEGER NOT NULL DEFAULT 0,sha1 BLOB,vwht TEXT,tkid TEXT,musr BLOB NOT NULL,UUID TEXT,sysb INTEGER DEFAULT 0,pcss INTEGER,pcsk BLOB,pcsi BLOB,persistref BLOB NOT NULL,UNIQUE(acct,sdmn,srvr,ptcl,atyp,port,path,agrp,sync,vwht,tkid,musr));", +"CREATE TABLE cert(rowid INTEGER PRIMARY KEY AUTOINCREMENT,cdat REAL,mdat REAL,ctyp INTEGER NOT NULL DEFAULT 0,cenc 
INTEGER,labl BLOB,alis BLOB,subj BLOB,issr BLOB NOT NULL DEFAULT '',slnr BLOB NOT NULL DEFAULT '',skid BLOB,pkhh BLOB,data BLOB,agrp TEXT NOT NULL,pdmn TEXT,sync INTEGER NOT NULL DEFAULT 0,tomb INTEGER NOT NULL DEFAULT 0,sha1 BLOB,vwht TEXT,tkid TEXT,musr BLOB NOT NULL,UUID TEXT,sysb INTEGER DEFAULT 0,pcss INTEGER,pcsk BLOB,pcsi BLOB,persistref BLOB NOT NULL,UNIQUE(ctyp,issr,slnr,agrp,sync,vwht,tkid,musr));", +"CREATE TABLE keys(rowid INTEGER PRIMARY KEY AUTOINCREMENT,cdat REAL,mdat REAL,kcls INTEGER NOT NULL DEFAULT 0,labl BLOB,alis BLOB,perm INTEGER,priv INTEGER,modi INTEGER,klbl BLOB NOT NULL DEFAULT '',atag BLOB NOT NULL DEFAULT '',crtr INTEGER NOT NULL DEFAULT 0,type INTEGER NOT NULL DEFAULT 0,bsiz INTEGER NOT NULL DEFAULT 0,esiz INTEGER NOT NULL DEFAULT 0,sdat REAL NOT NULL DEFAULT 0,edat REAL NOT NULL DEFAULT 0,sens INTEGER,asen INTEGER,extr INTEGER,next INTEGER,encr INTEGER,decr INTEGER,drve INTEGER,sign INTEGER,vrfy INTEGER,snrc INTEGER,vyrc INTEGER,wrap INTEGER,unwp INTEGER,data BLOB,agrp TEXT NOT NULL,pdmn TEXT,sync INTEGER NOT NULL DEFAULT 0,tomb INTEGER NOT NULL DEFAULT 0,sha1 BLOB,vwht TEXT,tkid TEXT,musr BLOB NOT NULL,UUID TEXT,sysb INTEGER DEFAULT 0,pcss INTEGER,pcsk BLOB,pcsi BLOB,persistref BLOB NOT NULL,UNIQUE(kcls,klbl,atag,crtr,type,bsiz,esiz,sdat,edat,agrp,sync,vwht,tkid,musr));", +"INSERT INTO keys VALUES(1,540009246.19841694832,540009246.19841694832,X'3c585604e87f855973731fea83e21fab9392d2fc',X'9a08110bc764be9db9bc110742ba7e9a378f3d09',NULL,1,1,1,X'995a7134b96d07759386b20c4b450f7d275b7391',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'da54fd644fcef9c37d7ef945244ac15d2877fdc9','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys 
VALUES(2,540009246.23930704592,540009246.23930704592,X'3c585604e87f855973731fea83e21fab9392d2fc',X'b32091dc8a67b6dfe720a532ca08683fa798431f',NULL,1,1,1,X'257ffd4973c8ecf11a6be35871f6c9c243fdd1cc',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'ec6e682433ba2e89a300f211303359809cf1a198','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(3,540009246.37129604816,540009246.37129604816,X'3c585604e87f855973731fea83e21fab9392d2fc',X'5dd8ad384c6356517e17af4755efbfbfdab3ace6',NULL,1,1,1,X'c150fb6a2a8c2419b9e96e7f7e5bd32b944108a8',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'26f896467e5b2b947c042f98916b41e11499d49c','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(4,540009246.39969503878,540009246.39969503878,X'3c585604e87f855973731fea83e21fab9392d2fc',X'f804b06b15c1ed1c561a3310eb36ffc10e88cde4',NULL,1,1,1,X'9d2647ea7ee5c3a92fd7864a1c1ab436daa9ebd2',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'6bf3cda6ec4d6a0ea59a3d9e79b1f39f9873c381','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(5,540009246.42938804625,540009246.42938804625,X'3c585604e87f855973731fea83e21fab9392d2fc',X'018dd86054c8c7ffc3c08d3138504c7d9c240b16',NULL,1,1,1,X'29c843d85c52ffca384eabd2b73a1dd4e16ff128',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'5006f57e748dcd926d86fea7e31d8b9f8c0244ef','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys 
VALUES(6,540009246.47465705871,540009246.47465705871,X'3c585604e87f855973731fea83e21fab9392d2fc',X'6bb46c6a660006ace3a0dd504e9f63f59975e1b1',NULL,1,1,1,X'03edbbcad1ffe196e6b840c412501beecab97f98',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'030000800600000028000000921cea45b77fe548e229bdc4406ea86bb035a5dd1254e5aaf49f86df83ce70d8ffffffffffffffff86943b0296919559b7eeab90141e12db8cf64711a3834b069dd987fd42ba4e6873e807406eb3be7e0481cede80717f97e9f007bf2af8010170f601e09f8c24fb39c02b97d5da9473507114d4c5c01db4d99496106937deffa73825486eded41b1388ef89650209dc841b07f53d8768f5aa8526c91f34772250e35247bfbb0d96c8dae75f7442b484bb72a145f719a1ffa6a87c2010815b8cad84faf11eca3fcad27ee41e77adabdadb8527b2f0cf77f078c3a87751a14b6d92c453bf5a57a882480794fb978ba2568a4ed864c97c012999ab7a2ba547f796d6d825b5b465bde443d660fb102d9831c62cd3ef59cf6e612d52718197511b1e548ec25ae65abe560b1d9fea2f25e15c36d48c304db740a3ba18ddcfff4c6d36be068fb8610d04914ffdd70f7d17ec58f8beda6aa7257f65b7b3e2c933d7e13d1c5117c2c212408430abc2254eda4b81d6343c95e0a29cdee3d79fd686d953ae7fe06b34d736fee2a4ca42e7afa037e54299ad2a332871347c874e23b01266f38f217077813b7a387c5d3ea71af302d6e7f2c9375d33d2540b5e61dbb3984c646a4df60d5fec7e3e5dbea40973cefcfacf8b19d4dd6d44f97fe573f3759313b790b97a720a61cdcc01acaaad1488cc0db6c87ea8f39082ee3cbb2a51816428993e8faf2257492fed7f961cb176596786e9919056c4ccc5816f867b8c7cafbdacaeae67bbcc778a3fafc894abe8b2a009e463c83c9f2d2316ccb81e5d5f949f620e204d7e112d642e6185ef81f1a7ee9fece3e8d2843b5c2926f1cb567b57e16fd6e66a7582fa4b70c0472f2a89fe5c29d124adc5b4232fcc257196344369aeb8bd575d03dc25361950ef402b551439700916067717d024b5ba6b54eab960eebdcb9ddd12bb13604a127c2a00ff5d27c73f43220f6baa7e4a5e457065d2b733ec34fb152b1cd7e2dcba7de0d53af572d1b8ec518fc9ec2317bccfcbec0baebdd33e32ddcce199ae3cbc356f020f0781e76400709e8658b2b551b60a2ecca72c92050ef597dea9900822796bb4f842e0e2105f38b28b4883521488b843a8164979237798eb1cd9bedd29d8b1f07b0b10518c7b43e7880cd80ebc1457ed20b29b699c200147b7dde900b48d7
14e5526b7f7cd982ea79915483009a64ff3be46f66d1c602c44800e72fe17dc902ea4b0166aeb3a73e75dd3a6177ddd7b7444dc581f0066542a7f7f50f8ef75d80fd097346bff3a08dc0672e17ec4031b11169db1269328b5845dbc42dced1a77219ca2f1d5aace201ebce1a643860e29b33e539c469dda3634fd0fd467c89667300ee5f075b0d7be0f5e6f5010b424ad539b77898b994c1e82a85918ed3b7436640363b5032eb44c4cc709ce43175ad8a715f513ddc0387aed61f3d3c5fc600b5f0d51cd5d6d915f296caba8669c251ca4d9c6cbdb62bf51857121256f7d419257b8c72f27e7320a6e6ab54d8919123ee9658c564345588c60b033801226d9e7ca20a380479c0647b74ac7ada676f80100354387fffceabb93ee5571b6dd084f0a1872f7fc30d091ca59f4d08b5529a7d1bcead55f8faa14ed444f5cc3ed48928d9765','sync','ak',0,0,X'3ce68f65039af6401bb7a0e2e0162814367e7822','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(7,540009246.5564240217,540009246.5564240217,X'3c585604e87f855973731fea83e21fab9392d2fc',X'262e1af502bea4f046b08007fbfb3e5469a2dfd5',NULL,1,1,1,X'b48a60c1e64af32847e1ee7193d5b88bc569f9ad',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'594fa5c4cfcc578b953b01cee110e06fa2f9dc36','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys 
VALUES(8,540009246.58500099183,540009246.58500099183,X'3c585604e87f855973731fea83e21fab9392d2fc',X'4bd0fe69c51752bd66e2860cf51e030062b0e32e',NULL,1,1,1,X'95ab20914a5317e37e2d72dc26dd3ce8fc8c39ba',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'030000800600000028000000a8ad54fee4a485b7ba6611fbc2e1441949c4ec1a9f10352dd49471ecb61d7dd5ffffffffffffffff32980a58e608c9cee1d405977aeafa80a1bfcbfdd79492680e3d9a5f6883dedb8ad6a5c222c1452a9f7d195ea2e5e7b11d3ab09f69cfb27115c079bfb8844a8ce63a7b016ac60e6c1a92f08b2961d1f0008140ef33c92620c105d6831fa610f989f85915a45cd50fd9ca8f570af0f99d58bd697b19479597c4c2a1df709bc235c3680f818c17ab7ad28350d8103386dccabce6d94d98c699282242ebe86acdc777fa96c42734bcfd2ff9aceb0d29c0a9c88a18724768e819878d7ce3d6968001674c4c0f9d180a5e2f7fbefee2ecf406bd582e02a75e1d8f49df8d88d6e661034b87dec6d3217fcf9d426a5640338bb38c159604ca74bdb5aeae0ff1771ad350914b14386b7f4938de3a4952f42ca5919d46bf1c85c6fda568db3b58d1c26dde50f9814e051320082ef3ad7d1b8cd57dcf62d82727b4693a7808c89334c9a0e117973f0eb38b75e9489ee2846f189d6296f2eadd00b730609c944a4610b6d0666ed93e89ce9a6770886db9a845814a5ac149a37c6b09654565047aa5b439cb48823191d6d5f7ac4e7069865770e3f7f779f5f01e9a152258b639b75efce9cf4f86e64584962f4d4851ae6d47349f9c75df08e377d1b623e141202ad448c97598e1a98d83061189b129abe0374fbe52c5fe30495e179c0c64b90653857e61378669d0eda1cd327e1c84362ebe011993583a99de3b390c2c70e0ef373b865a2c42105a0b4e63965dd286022018d95a84263167e63f9840ec4fc0940a467239ed6cc3b63617c155ad5f96251c74fc3d64635c5f249b3fbde672f9327eaf09f0bba2836206f867e4ef7b2d177dd872b55a0d9cfb7a24bc5b2016a115bd512c3898e91e445cb08a023c684f834a3a81482c8d52c7b599720ce8efe3c430a70c24401828eb4c15051a6a5124b30e17fab9dd98917c2f4064bb848e0e0ff904e65c690f2f981c0934729430b9cfaff0c7ffe5fc4d80d5ce9113d1ec61b901e02b6e19ad2d4a2ef77c465bc97ff0c990ddd9cea6ee81a623fc21bf301cbb8a814cb9009329ea77b9cb8688b67f813fd6bebe612760a5a793e9d6c7b13fe2344f3dbd6a8e3b6cb398f7705cf27dd0a47a59fe229038fba98c2edca155f15407b9cffd4db21dbd7
a0337d452ed2c7e33b21e3b4bdde58f87f706b574a0b4d1da5b64b89d3e5f86938256872e261e13d5ff3222cb7495a81df3f7c0c34dbf7dfd922c945d0424968a58a3ae55bb8b852d3067f7f4cec5f0f2f3c0318d2298708814c5483274dfe0b71facd4bb0f6f27d012331ae724fa72b440f77a44b027f7d7671ba9f43508a419deed4b2f4cbe3b51aaab4d489b91a2ff5aff3c6152341133c7a2b005e0a60e05a8539c9d3abd5cec5ccfe0b149c9944a85105076721b9757713bcd26322b88c0340912deb5667fe616630df80d2cd11a678dd97abf65455f3bf2bf4f3850c8d3053b958f528a07466413175ff4083c574cbc4db366011a8b8a1a35c37e6e468df282597c6d0e8b79feb44b667608520e51d4871d2ed3732fe85f2d3b38dedd44add4d265a705659733889ecaa724befb6e71271d54b9759847b42a27a5224e26069c0a3451','sync','ak',0,0,X'7af71ab0e26e44708e819d1e85a917324a4c4f25','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(9,540009246.62409603596,540009246.62409603596,X'3c585604e87f855973731fea83e21fab9392d2fc',X'0dc979403e4c0ac4d59fc55b01f01eaa78012f42',NULL,1,1,1,X'39de145b5758fe1fcbed02b5f338c57572c9128c',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'030000800600000028000000efd9994a52c5a1dcce75d0f442be01e32e44785a5431509d3b2950bbb638fcc9ffffffffffffffff08d888cd3c537fc01f11d9071c2fbfa127d84a83d87f52fbedb45d3a8279cacc39dc523ccd18f88fba71bdc08dde9f8d5f192a4b8db18be713703b26b6d84376b496a19f46aca5648888e5200525184f7f6e1b31b30398f790b075e41ed4f53f2c6196a9b00688042d823e2e11a040fc719a20cffc89b219e6daf65b0a4badbd1958b81248700fd112bf29561e04e897b8f54483f0ce0d1303e0e3784f04ac4c02afb0019f86fd90d41a57cf252bf6dde6ca56ab9b12bbfcd7d73ea7f5084bf3a4a7b319409150fae7c0fb2940e2c492fba94e2899c53939b88b69d97f8c732e82adc83d5ba4c170c454e0687b9a7d885944e94c70b989f2af1591860f779dd929d28cf6e6721cab48eb9a7f9974cfc4595d9fff94322a3cbab861877829db9b247dcedec53f3899e1c8e316485da74dc0ca9e847cc300ab2e06bf1517669f770817c0ba3ab9571eb4cfd406aad5bba4a0e9b9b16f647d36a80f3079df60b171f84fa9e4243b58ecdb757baa83071d7c5f55d1b85c6ade766a9237768303571b97b1ad826a01aa4cd4461fec09831337741eaba1fdf7c566812479a80423645e
adda33ab589f419b680c2f0b09399bd01e0d422e0090ec19bb5f162c07a01b381bdd2bf42567a761005abd1b624dfd11ae88037b88a7b5f6d78d536f171318492c6baf605350cc8de078b604256bcb544c76a8afcc80e8d988b278197345747fb620edf0dd12e4e0f2a3ac4440c7da08711509ec1700b4ebe3054e7991dfba7e04c226532afa831778a9cfc69118145caf5068de695ffe3e89b9ebf699c39fba216972bcafaf7aa70361c06ec75b1e95b99dc05af05a2cd4c1396b044dd3e0274b6f443e53211217a0c24e6dadd4983988c7d4435d4678a23410649b08f3fad0e8749f486d7e7ef37f47098c469a665d3c79c6f87f2aefa38150dc921d59f4c06931673b18fa236c6bc1f463452893b5cbb9b6fadab23968962ee1efc0f87b223a3424917440813579257389792cae09df518fea9c773156a77c72921922aea13d20038c15104e50481b0196e57adf3efb9e0d745f57160fc1b9fcc3adfcfc5f32b63b93f3526ff84a277ce64755aef8e0bfb30adba8f7ac3466f6323ccbb464aeb42c7f3d81d87f3a6f6f9e129b6eae770609c82e35377a7b48bc29b6fbc46efa4975a83f6bebb0f6b4ce958db9c84dc60a3515ef205e100dd91cd7cb525b9c0fef8420fda974450a11d40ea3b853c2a311ee371b1f31d15d420c0f5630bdf7732cd77a677fe54f5d28bb091d9b327b2186148416b59c54ce62e6bf232cd33b75516852f09303b84920486b091072f635cef16c0e753c750ae06aa4b89eeb4d8a7db9becbc754459b15a96360763cfb23a84da5970fe4dc8f454d5d0b081459fcfc5d5bef625b9e19b83537b52c6b8ee1d75c9892dd4a052069515957bd8fcaed62856c3d54f892d91ce705e69d4c8d03c3787d31e67b8fabeb093f4e2f88c4b999e61b04b53ecb97b1b4053550bd6655e76c88d5581e88925788cfb2f4c68983f542253cab77f35de221bef39e8756f4b512dea3729733a9cda046973feb9b35175a17349c','sync','ak',0,0,X'9e8592af94c8cbac2f09073b195e90612e9e80db','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys 
VALUES(10,540009246.64887404442,540009246.64887404442,X'3c585604e87f855973731fea83e21fab9392d2fc',X'e0238c695e5197661c44e400525566a3b238b704',NULL,1,1,1,X'52d7905d087d8c90f678d08dc95225a110fd7566',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'030000800600000028000000e65cce4228b2285910a0b006c58d94cfcb829043f41f5ec0e7d71bad2fe8baffffffffffffffffff1d6bffa39e12e66de043dab4a4191a377fc584c3366de16946b5bb02bb9381e16448f7c96b0ebf215ae3ed3c0d22851e997c3672fa8023b033387524c9bd01f6df646aad91edd3d5eb2956152cbc863c25cd6823c6a073363279e0ed65d0fa133e74d1c5037044cd65715ebc4bf215480300adc452faadc93508a47c91bddeda402d88bbe88e67a2d9b14508066233b44c0a3559f73ddb533010a5c448ec6976e89bd02930acfd6f544b7a0e6ab4d9882a8b4c578319b081db2c7410962a0e3fbb3aeff82574193235477c67a4e63072420beea1d5bc7665afa1f2f76a97a13f999f7a2d1d9226b2f83a72347996e7b243760bf58fda4b79046959c61b2d39d5db1316053cf37aad3a8bad735eb54882a7d14c64d382395ed7ba6b9dbb9ef51fec11abe36e8696c8ff6467b87ce24c4e38e662cc4fc3f82eb3090b92f8b2d1c4bb09dc9f554e3ad27109d6e2757a4e44dc3a2c156efc2eeccf37f286c0a7f143815444fafd0912b4ad461fc28cbc825ca84f8d5c68e468837c4c428e68fd4a718874c4604fa314387aec3f89411975a10a4391c92a0ab7a1b22a46c92385b82574770e4de226304ad6ffe21cbb3b7d45d74a771f9b412b6316431177264cf01ccdb568ea7b80c00a8995bad5afe39c71400c88e8bc728aca964caffa28f9a67ad40c7b23fa6e1c19ac72706a3b5c4b6807b41eb63910491d9e5b9b9360d0fde4599c361d20f7e0d4f1ac535fa60be7d5209d28ecfb73a0686c49ccfc9495cb6238b97b4817d46bba40d50bffccf1efe233b4b2a03d0ab2563aadc2880807d620e241fe22361f171c1e5f7b0df1870c45e81c57700f7ab3c89132248cab9fd78439fc14258174f3dd3948673ff9ac4281f2a47170cf6f4dad20bdc382f912cce5d32a066bcbdedf649c04353e21ca089dfeb97c8db9068444b8438aeb3393e646f8e422cdcae9e3073f4d93a5662609755f3aade37c52d996aefcef27566cfde65d86e48aafc4594bfde6552d818c73f311d75c693751644ab40db44c77842ee81af35a0e47d7f906103b12b16cbea2b2f503be56157b02a357318a6f9e27db0146489876baf4f6b57df86501bcba60fb00276422571df9f0c648881b07ed13921912
5d5422ede2cb7b846c3084029380e54b1e3cb372486ec13848350a7019a7ed54c9b0d1a654a3102ec75f484bc79bba5453b01d1688b860cfec9f2de4adf7be11c19cca69ffcfd0ee6d94446f89cc91d9665f43dc9d8f473e09b60263426bd5f45a80b7d38261216a14355d4365806a58e2ee5f4fc3570519e355a039fc2965b1f50c3a4f874a90fa63bc9fee9b69068cf706ac6f07c6f776d57b9666f885c2c6adca2fcbe4d19a20d5c89c9929659f43873b6f2ce16296710d20f9a703903d82f2b2aca908c7df8c4c73640858528f4991d740314d0f2630d17b8f7bd9dfc33040ebd102fce8976203690232215a5e85e05628a5d74df0914b113ddef4b986aaaf8c2545864027b0dc10d7f20df06bba7b732be31fb92cf1b12599d2aa654ab17a234213b45350ff97769add404600368712d5f40f6640e9f4a1cd43a6dba9dbe8df83ec17','sync','ak',0,0,X'b11a5e4479be7474514b85339907e6ad87474acb','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(11,540009246.67430794238,540009246.67430794238,X'3c585604e87f855973731fea83e21fab9392d2fc',X'8a3c27dd0b49b6a2781f838a22b08adc3ce81161',NULL,1,1,1,X'1ddd508da6d6e9781fda3588051503051b71fef5',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'cadd9f1646dc72442cc10fcb357f7f54f270f790','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(12,540009246.70574796198,540009246.70574796198,X'3c585604e87f855973731fea83e21fab9392d2fc',X'99926c00cc6487bad3ffa563ca6959256bdaf622',NULL,1,1,1,X'68b8756a797c8a826b13de6a7a29ebeaff03f40d',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'2331cdb16e45bd3843d864c67d0d4a2393884354','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys 
VALUES(13,540009246.73491597174,540009246.73491597174,X'3c585604e87f855973731fea83e21fab9392d2fc',X'1cd61447d253b48953bc8aa52d3f64dee114ca08',NULL,1,1,1,X'94f5e9aa2bfc33247255010863960c302c01bd5c',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'3cc443ced2bf56033659abba66111a35d49f8909','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(14,540009246.79443299768,540009246.79443299768,X'3c585604e87f855973731fea83e21fab9392d2fc',X'd6d71e32ac73fbfce32b8ecb609562ffbec8c808',NULL,1,1,1,X'b00e2051154eb453baf26feabe2950ea8accadc0',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'ec376cffefd33a8990c84e35e5f926cd2e90e9cc','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(15,540009246.87818598747,540009246.87818598747,X'3c585604e87f855973731fea83e21fab9392d2fc',X'de2e183ef552d8b9b32534d4d438f537da3997e7',NULL,1,1,1,X'e9d5b00c90767132e38bf7b69f4bd5bd34c4f3e9',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'e51577625cc24d8a92a0d52f0710f23a63ad36d4','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(16,540009246.90006196497,540009246.90006196497,X'3c585604e87f855973731fea83e21fab9392d2fc',X'c727925ff3c0bc23e34770128d8e6e8c888acbfa',NULL,1,1,1,X'f42e53045ad197594ea67e54ebc104ad794f39b5',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'8feda9df7a3732a248294712fa0d545497057d76','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys 
VALUES(17,540009246.95946598053,540009246.95946598053,X'3c585604e87f855973731fea83e21fab9392d2fc',X'95c1942ec25cdd1d06cc5c1964fee94fa5c9d034',NULL,1,1,1,X'39c7f4b9ce90d7bf91bc71f072dc98841f12f208',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'cfb198fa5cbf210ba4f4b9aa532921045e6a4c37','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(18,540009247.00499796865,540009247.00499796865,X'3c585604e87f855973731fea83e21fab9392d2fc',X'b018d2c8b2c5e6cc4e5733ee02972e5f1852cfda',NULL,1,1,1,X'28a63458ee8badf52d3a68747c618cba5ffb8a19',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'00322ab0f66ed08e824b78787d0a5db68d7f3749','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(19,540009247.04253399372,540009247.04253399372,X'3c585604e87f855973731fea83e21fab9392d2fc',X'85f1272c37315b8ef6b3793378efa3d7feaacee5',NULL,1,1,1,X'aea3aa45414620fc26ee5ebedb6adb044e02f224',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'0300008006000000280000002a26b2b67cdfe6e9a4cd040f4ccd8fb95887df6cce59964ca3434022a69d5908ffffffffffffffff3442b1417d53973c0ebb28fbd87653058ae0dd46a80dcdab52eb0269460263ce8bf95597d5544d6a988a8db929b5daf28174b21f7bd05ee3cd7445c6db8d606fc111ce1515f51696260e2fe771d975a4cb84af400f8a6b592800010fa1679058d0e0549b05e10ea13a45bc1f9ff564f066a2c7093398abd51a7daadc1529c897593f93a0361ca43a51a948f9bf2ddbb92afc2b5557229ed54413c570a5d9d07d4ce0c3ae5a1b384146e67fe0e080cdf0d7b97f8c6b4bd38338e4ad0040f1f2b67bbfda367590f80189df7e8c4bcc7398a7823e8539b2ebf21b0c01e8d7a3d8a646b84f2092f8aa37e79816e5f0e0939b72c56ac9eb07c02b69dee7609f744fa9fd6048b85f59cabb8747904791535f9a87d1e8419aeea6d828c7f2115eb2c1354efe16648e1fddfc026fd6e4b9ee416858d4a3fd744b0d2aba839a58b0891485812dc0bbf3894a3425785d88052ed9
46077bdfcf2d475e5b897c3ba167d6be56b68e41413a6a8ddae15cb93feb3edb5eeeac671d958a9cc09b7994cfb742a5c5ff8f66c031eb4f28df0f966e6f88c026e37bf955366b1e642627a740cda0aae513e9533db6cc3bca51e033b04992741dab39693d1744e85b67d5d7d111828c3d71aa76797ce912bff8b23ac92871f3d970fd682083f35ce9b63a977b27f2170d0bb8af50b05542c6683475dae9ff559404c5c59f2d46cb08ab09b670d33bd77dc0facad74e24681ab19c8c126f276ad9476ce31f4a40333537776a4ffce9d16fe72e48691fb572723278c563006937a1c52e57a6cfc42871a873bfdae0253660ecffa45d6c88d786d2e77e00d1a7295a442f8a867318024118c7986f34d96dc2ea02496ddec08104efaaf8d87d89bee13f0e3196578ad815856ef2d0a887644f158f4f6a6317a90c77b3948227ed3540f9e1ca7592184a41cb2096291845d1251c57ca73a91814f91c4344bf6aa2e4218fccb107e5c2051cd085228d04ce2fd3f5a20db9cdd59d17b2f553ae85ab467bba484a34efd327b11292f0a37af578f90a001c684990c76d7c0d9b4b3c87435784ee48abb1bb3a22c09de4b6f604ec954e4d1e9e9d0219edad3beb5a5d3eb5e60bba096860c56352be7fa8d5130179a4101375b5623139eaac2c42a5e0780ca432d45794313a051914d269f7383175fb33d44519a44c41b8562b31ad86beba430b633a4c423c9dbb3015e2fc009fa5a096f521177e00e4ed91d668cc4dc0fe843221f90398d786da96700a15b63620c1340b2946e619edc881a688284348c86a4e7fecda9227e5ecfe0f35a5a62532e31eaa73904048baa71aa50908150da1bda73822ece105f29c1e26e134ef2bb5c96cf79d632120159eb68a8ef1f156edc6121d6f231da2f6d94f2b200e6fae16afbd61508a74280c41f3608509556914c88fc9d78661a86fff8c7b812afda974cb82fa5284ddbc03a9c279e053ad4447829f34a5d1bc3e9e6ad0501276ac228fabe9d49479031cfe29f424946dd4539d72a648660b50c43f41ac3e7c9faa2e2a60ad933fbbf923cc0d4940be2936b301bc99e1f8166a4dedd1994939df5eb7669c21aa209d3b07e1','sync','ak',0,0,X'27762b9c292eebc71a0d051fbe3987fb4a711467','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys 
VALUES(20,540009247.08044397829,540009247.08044397829,X'3c585604e87f855973731fea83e21fab9392d2fc',X'5d309930ebb5e6a23bd5f273e0196a01b121d601',NULL,1,1,1,X'3118b0467d90e3646a8a0dc0f4109c9be8eb4a5a',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'9bd9160eae87fac9b111ed46456393c9cdb13e30','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(21,540009247.12179398535,540009247.12179398535,X'3c585604e87f855973731fea83e21fab9392d2fc',X'3ac8effbce88c398e9efa76029d262d3c702afea',NULL,1,1,1,X'd9efd5793aa25b09cf99c63551014c2637b79f7a',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'd174b86fa2498449ec83f43b3c901ad85d497a03','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(22,540009247.16436302661,540009247.16436302661,X'3c585604e87f855973731fea83e21fab9392d2fc',X'957330d9e82f1403efa5a03d4edecf0c4820a289',NULL,1,1,1,X'a34fe8a5828aa708591faa49ee0f0402483ddaf0',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'9bf4a29ae10aaece4780711b68632d06b9a439ac','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys 
VALUES(23,540009247.18998897077,540009247.18998897077,X'3c585604e87f855973731fea83e21fab9392d2fc',X'710c2658f862c7870b58d8855fba915c1b1bcdc5',NULL,1,1,1,X'9bee8e45100a88deda6685f204309fcb347e367b',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'030000800600000028000000fef063a3238856a5f2d40ca5ba4b77406a8bc4a1436798c8c46f779c99634104fffffffffffffffff8ed89a8568414a8a56ea9690a8d289dd420eaa91acd9a4806576113d4cd35ba821ba47b30da230a50df303249aa090a0d272a2893811e3c154c5db81a5e72b82a5d4e25adcf8ee1c4e7df92a2b9acdf25f5d430f7875bb5b90f9ca10b4fabc8de7612b8ce1ad7f20c2391fb448951b809b7554c96ac044b96b986e76dbdd4161938241b27d1faba9a622d226e8f43807093a477c2b63f1c0c72c44b1d7b62b83913349acb3f979ec8f5b2aee4f23263725a4361e5a43ba3d15e5f2f04e1db3bc8b091a7b6165c13c7beeef5bcafb9c8b8d986916380ef3f7e246251535f9944da2a737a30ad367bed889b2d48c8dd3174c5addf73050310b4843acafeda10b7c565347bef6715461a2fea5f836f10deaae4f798f726404368342df83164d43b9b840c520cab92834033d22828bc9a4e9d25930b1b979a88b0b188a00e855c7fd3dfd61916fcee50a8372b94782794f085ff2533e47ef78e42e7b1104beadbfacd291504d9d71887e1eed967a2cb9d123e58f8d71e2984bf6d00d233329f2f5e2eeae5e295f648ed6e989c75efe8f8c366b2f8bfe0fbf33646095a561e6f5b73762a2cde6068894b35936b551639986350460245e77e38d2ab44ec8ff22c003cce1e82c83e8849a5c8c869a703d6a79d9b234348cc242e1761cef2a58418a2798c418139cf2ca7c2e4c15233babb0bd60558bd1466096d715537c5ff28808d0f2081405eac186f182a37f837c49c8e454edc340bb58df7d59d41749828a7c742405e8834840c6dbc6b0f9e8610071dca1d4fe385950791865665ed6058825325d4e768a9d4241a5789694b3cd0b5387b18c1ae1aae7bddd74039d657081a40dbe5059fb936c58dd6de71fa24fe12cc361a019d3e978edbeee17249e189e9bf8f3cf810400ad01fa015e01436152c9ce61781822b11be786984357ad39f89d1300454fce146bdb39b95b6ddf249f9dbfcd7b1315a244342a6eccfca5d0b51b42d3f42d016ae55c93ce73a9b50d3d0b965de86e433e9e95606e5c1ad85f21163c8656852b34770b3cd16b4c4cc99127aeddd387758b71e77db5ae6d41f824432742585447a2d83f42b0c693e92d7de03fb11f11b72bd14818942b2ca2cb15f480bef4a
e05b64b89cc3d57da35a82af42cf814f550bb428c860d01c48a0809f5985b124d09187fd57eb6ef159043bf6d13568e72f285e6c7db673e9981ea08fea387ba56bbe1a76137cfef95cc8fba2db9d919155cc4cbed1069eae65156f1c2cc7ffa7a0d7ef7ec2eb7569b2077798931de2bfafd2686acd29fd7e14ed72caf0667487da296f7476f09aa022508f499b59626da8776bcfd7c1207768779d6fc47973f6d572d8571441d80413582df4377fef8fdda086570fcab0e5b94b9a18829f4a11aae9ef7c638a1e0d191dd0f511316738cfd81d0c424e64f8fbc08566086409e844ff346e093945a2f8d855188aa23f3a9ef7925c4b344ca2505da5b09934885fb1fec812afbd9db5be2c623a9d348e046d048aeb93eda4e51fc3eb535fcb0759cca00c2d80fcfc2bbdb0db630128e9869ccaa4c0ef5cb91f3ebe13210b65c331d397d61a3b14','sync','ak',0,0,X'56bc1afd7780d09b9929061adadb3c4514f2118b','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(24,540009247.27961099147,540009247.27961099147,X'3c585604e87f855973731fea83e21fab9392d2fc',X'8fc97d86cc2fd379f724adcfdda1aecc16e79290',NULL,1,1,1,X'9b9df5bfae51d08338d2fbe56aa394ce5c2fdb33',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'af1d6e44dce0738fe366984fe06db8d9e5fcf007','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(25,540009247.33149302005,540009247.33149302005,X'3c585604e87f855973731fea83e21fab9392d2fc',X'6c3f524d5765aa8d2bb9a1d88340101d08852482',NULL,1,1,1,X'0f2099865d8dacb7580d9a26b8bab208b06ff443',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'f3b866ee440d3a13017ac0545cc5cc15ef1a7a7f','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys 
VALUES(26,540009247.43573498723,540009247.43573498723,X'3c585604e87f855973731fea83e21fab9392d2fc',X'a13c665b1d7a66756287e5bfcda960f5193f903d',NULL,1,1,1,X'e3129d56ed171509107139a75c5680598ad5b73f',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'45e395f9a296ffce30d5e163a478659aafec9550','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(27,540009247.51279902459,540009247.51279902459,X'3c585604e87f855973731fea83e21fab9392d2fc',X'61877464b2d2af5c48e1133c86224f9544d915f6',NULL,1,1,1,X'363309dfbe8b48fc943cfc5a7e326a4deda4316c',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'd8554a7ae56f7411a7ce8515718054fbadf9e87c','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(28,540009247.6053160429,540009247.6053160429,X'3c585604e87f855973731fea83e21fab9392d2fc',X'7ae3392d2cb9aabe4368c004ed31718e60d6eaf4',NULL,1,1,1,X'35048287b477459d153daaef3b216169fb8eb8d3',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'030000800600000028000000f1f9c5b78e5dfbad069152cc57cdc051b774afe84f7f04b87af37bf8dcccfce9ffffffffffffffffafbc13265a3115c6881f13864ad7832a97e22219b6a37a2c5e215d5385172637644d357dcadf374161b2e668ab0659ae15bbdaa748621f33a803c6eab17f19847a7d67e27ef14bc77175dda3e0ef7e81f5b67d4a4e4053f955eb0acd71d466f78624ce637d42582ff22a6f69108b99892eeb3bfe7fbce212d429bc03fb70478f43798e40fe94dd46f680e26c0af4c6c73f4f645c2b32dfd1c3288e686807e056c7b4c6e2d721a836d62e90f3020acd74ddba74cc1879bc46f43eebfc61176c32e82cbbdde86772b7ab6a1637f2dca1bdf96aefc8906db21a7d9f65b55a2db4367d599c54a3b46e00388731c91bf70953035d0df402ab3a5d0419a3a4578ee36fd580da4dc3b6042f6908081cb10a19b58519e3f0736f6ba4f446db078dd27d73b37a45a93c67aeb32cf0b792f3758dc05a40aadbfd2559b81ac5a1a8ff5ef37786dff1e47487150c3c79a049a6cdee84
c7a0b09ed70381749bc1e7cdcc5d4e0142e8ed6871b6fb7970d18c28082d6013a56799eb72978b87aac1507f8bb9ad5f2e9d9d97daf4dd69be330bfc3a711eb6b758b3ff5543fdfdc7c5d4edd5f25d5312b869aa342f82daf5a503a6b51fc906a693e28e529d05f29af2a889c08baec8a4a45c358ba1132f0655134cb615e9ed1c2e53072de3cfcae661e4e443ce5e24bb3c9ec891857a98b0d78c14770c5a4d330777d7341d884a345bd416d86a6d2d6709b65217f70805501bf13cf111f16018406477bb4c04099f53bb5f6e7e6b15ceb50eed28a3a0fa0e082c81e1a6ba55d9b9925e096f26eb52df4e45fec5e448cfc082617c9b9744fa69dc1f7e3add545139760c7be1e5df5757f9d855b994a629a57c382eb4ab0397b96eaf0fc6582f5ab46dd599c7e5a31821ca3da2a1cdbbe3f00b1fbf2b5a7b1c86be0f38a141ad8ca87db8cc91ea0ab5a027fa7b98109fe46092b4eed1586c293c816cdf7383ef2c58925271941ad7693fd527c3ce2dc404d8191be7c50dd34596ef749440ddcb21449da019b37d6cd744918a200af1e8e93468c912d9c33bd5f12fd31235f468735b2ae2fddbb9b716345b789c07dbc1912104fd42b5ebd4f8513e3c1ba8d236c9e1d8ece71dc82c239fe2b8fd7747bb198cc4c330c02b5349d4df4ea88a59718fade0c06504ae8949521ea7a503877c698e84d9a2d593ff3b574cd41c06f20e8eccecfa71ce7cfbba99959fa6a10fefbae7d15604fdc8d67862eb853bd696b972380d073feb6e3b1e89e1198fed59e76364735cc2d2ea5bf28cda4e03fc8536eb876d506ffad4b20c72248ad858924c4e0d47700a1d849e9119bcf1a2177236f0278d374ac182d9bc79a9e1f2ce63d3ae13893f8e478a370d08f08e7609b8763d1b5f6212a29ed05e5dffc3a73ae4c8fcd575bccfb0ddbbf07830c5d288eae4da8acb5af3f4d47d2038f02db44a58f2053a04eb3e1bd6c3908b8304f4f1e1e00b97f41e8524fdb008627fc2d940a7cc4fc09965dee240ac435127236998637f6ad3252d22f07d01f808a809e42c03719646a4ddb6fb554aafc8c6ab340ec7df233b93f0385d23f962efab4f72babd86b0ff8c636e6889ad','sync','ak',0,0,X'0a644505d4611c840c5dc53d0343bd5d703abf5d','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys 
VALUES(29,540009247.67837095259,540009247.67837095259,X'3c585604e87f855973731fea83e21fab9392d2fc',X'aca29d0e4c943c6b98a80641a9d972484a2b1f68',NULL,1,1,1,X'f82340c2bc035a2cf71f837c2243ef5ef416a412',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'9a62a1b9229c383af39c199bdbcf10b382f55a9e','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(30,540009247.70696198942,540009247.70696198942,X'3c585604e87f855973731fea83e21fab9392d2fc',X'5e5d549e52b459dae5c4caefc0f48ae4bc693c2b',NULL,1,1,1,X'ad2af702eb0c7fd45ea13986b60338b8c5ca058e',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'd0ff386a0d6ffeae54265e05a7f43660d779dae6','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(31,540009247.7490609884,540009247.7490609884,X'3c585604e87f855973731fea83e21fab9392d2fc',X'99fdfe59349928e9738ad0df3273b8af98c84667',NULL,1,1,1,X'869030dcf5b3d97e2032f936ea0827ec50b045a4',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'baf41f7fcfdd65e78feecffb5dff2f802563b55c','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys 
VALUES(32,540009247.81093597414,540009247.81093597414,X'3c585604e87f855973731fea83e21fab9392d2fc',X'f237c1fdab441014ec4c677a3ab26766601329c9',NULL,1,1,1,X'121ee0b74c76e0d9fe804489a301ef889fbb1810',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'0300008006000000280000002c8748227f882683f39dfdc22e357cd392786a8e69cd8df2fe94a01e76303de0ffffffffffffffff2b2802af13fb8f488f5ac063705e387bd545f8a590a19aa460db02b2034ef4ffe244160424db7c64f46a52c79096b2c12e246804c581a5aa88a73c9ce5300f5559f6a4cd40118abbf229cf7abaf62f060cc72fd7ea5602804cb26e96e072d447b44b3f566b30f9b0726c520ff2fb8b1e908e4d816cac4be87bdfb3ee7162b440d5a73876d1e34abcf3bdb2c4c3ccde19784423382c2a55f40fe56a294a91c5489d5549337066af2dc9eae522090da0c63c47c01c4ed813dd364e81c14e771bebfb6687a31e9530f3f7e917f8bfaa033a97ce476619125848bbdbbad5459673fa28b39890da9135da25c78e4f84836cffe6de44b4596bfb5878ee143e3e3b2f8b654a05070e953dc4b56ca6b974a67fbba2956760ddfdd110bea5c5a74ad9c892b2b2b0f1043a4d7fffff8195e79992acb5b559684e07efa9002aaecab405ebee1513cc3debccbaf0a7946006a988b638a68c79cc9fbd17e80dccc9e4e61c4c3c89838c26bfd14abc8d0050432abfda75d13b86182b265ef1d223f6ff15cab5cdbe775760c05a2cdfd162e3a63b42a41bafc2804de2c0cfa723b95bdd1d741c7abd2e6f06c9ed1a57e55bfead3106c1c0634b54ef68003d9a219a0a75abcf9269da1c0e98c7df7b828ff169bc1c242a05af0e1a1a2f33db17917b1ab582d6c6172ecdf72b99a3fe1fb78f9db3ce2b0095e4b0d36ae95da80ef9f077f55e05e70160e4ca48812089389f9562fd3d1abd59c051c3aac00464a9b13bdf1c52b1c906d23db5bd6914ebd0080db4faba33d7121c21ab9db596fafb7675bd4872ac98f1addbe6d868122ae993355544ec8c40a0deb6301181bfbcf17c3d8098ce97c9ad172b85f5b78f7c6c5b040ab22e91b00eb8463107c53974097cd5db90df4feef29e065427cf61e4cd9ca247a9ee8f06ac209cb49759dec8d510b6e2546315c0398ab1a6a5c6870b49db728ad2e50a83687cc43e09c4d47f8925a19aa57de8db81b75bb2d267a3876c91d629fd16f9c0ba0380b66506cd8046b0578ffaefaf4245687d83dbebf61f72d8d6e3233f3460a977f833e88e2848c90f62fdb17d279b2b6b4a464efce4e491f33535783dd4bd26b1d0cde9a68bd8a0e78665099a3ef347ee6e
aa67604581953e2ec3a3749a8bc59b70278436ba6808538bc3a8f618a930d689280c484db56fe8ba1c57c921f894b3cb5470c838d0679fbbf429d4de085332cfa4bb9846a1466e33d7997156d34a76e3c774525cf02c7574c34556d6c169b7bb432d28ccb20d4a2528c0b0af897a0576700e355e9f7b883f74fc7c375612c461574da55bf91eba52274bbfdd5150cc5d6bdc1e9da5eaa891f19c19d73af538dc567317e573217e9ebc75f0331632cc06d4fd3825064ea29674aa23b3c3f28ae65f6edfc63cfd9621bd642df503a64c0ccd19bf28ab4d462d5cdb3684764977f94b08611ac13814ef60ebef44550cfa4da8406b90801a82b095c69ad4da0e1c6c2602f8ea694e6e743c72f09c9f13c21cf1a0ba53191297f00658943a381cfb0428b6c0ef23cb945bf94728873d4a524ab795a8f144abf7231f3100da7f59302e91ee1804bf','sync','ak',0,0,X'6a057646fedba9f6c541f1590bbcaf66e1069458','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(33,540009247.88870799542,540009247.88870799542,X'3c585604e87f855973731fea83e21fab9392d2fc',X'f8fdca5808fd57068b26a631f9ba3d2c34536c88',NULL,1,1,1,X'de8c1ba3ea9c4c108db296178124d4750cee0828',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'e32e69d3c70375ce8d7d98861ebf2018f3759786','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys 
VALUES(34,540009247.98529994488,540009247.98529994488,X'3c585604e87f855973731fea83e21fab9392d2fc',X'4631b17e5ce00604a8d3b2b9691cc27efb471d7c',NULL,1,1,1,X'0c973b023e62103d7355e7b1c7d2e471f99d0060',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'0300008006000000280000008dafa7a607a34f3242e1f7cc9845857dde8ff54d1b52a8af0adb23ded312818affffffffffffffffa9f17f7aa133bf3720a0f3f7c25160fb603358406770b46bec69ccfd429c3552f788d9f1e12718b6752283d7dd1ee003f25a6fbbd3d7c6e827c080c4945bf18bf11c3001699276c56509b44e3211d3a0c223a24d1df9224964fcaa6b409b5d73f0e08db1291f2ae97f0f9e53ec8de6def45bc8e4d1258ed7d0ffff95b184b4b47d7c5e2f477066898a21c829da5b8530bab6c83254c0fc4ab6104b1146e17740b393fe805cf32fcec79ebb7031dcd07aa5f7e94f296df779bcaf0ee84a0ff47c2da484cc1fb29a2f47733da9ecdc83bbff0f67cc5d7b5fb0c8543d8e9423ca97936e124a3448861f183dc03f725a6941b0f4a9affeaf4f3d446f0f8045b5fb28cdb7e3dd70ac80c931656043aa70fd5096f8a530b0b3f1fef0e8d0167f1d6c85b45bcabfbb9e16334c7d0605b15d83828b77174671a593eb5262c7a7a6034af1e05cb5d5a0876820a7a62ea192c35e96a3bf4d194c4b9e782c7405b8aacf41fe2d65ac4edd536bb2a2eed5ea494b41dc98458e7b7d8d158e55247c6b0017fc0ead0eddbfac25d40a78ec1c1704605253b0a689570b0eb9380772dc635b90f9172fd253e266b2e67f9dba82f5d1544c0746d7722bd15dc912f0eafb384e6b2cef13e37053d346b3a37d35129d8e8c8dc977b9b465c376e83bf5ee04364befdf0c61e72c3262dd04380252de0a205ac1b58bde11c4d01a05e9319862e1a31f66e7e09bd4d435621af7179ddc918542345135276c510d45c2d8405107df0984e2cd52825515ed42579720bffc8f5a6146a04c58dd94b50445c3cf9f985558652d469329381e2bc44466caa9f3ba29cf416f926057c8edd561b86539e583c610af59cfd548ab1fd4fa2ba2beec436dd946b7be16237fed49212ff385d42d3fb457585c33a31f9f31753d46aaa9244a36defd0b1571f281fab1223ff1b2b685331bb635bf5737c9b142836f375f3ce4cf8138cc51abc197fafec4db427a2b9f8c98da4587dc4953edd1628736634128bedf9393668b330548717a0890c08da36382cfec479336b94abe6a6bf114ff7a2a59b683d0724658ac315006e1a6d26be760d524d1b5c7c47737024608ee7566aba270e0ce8d155efad71c618c86047d3ec8c7d897
aa51bfa2f74edeeeb9f25ca9274e4861d0e91a075280cebc2a883270ed273328cb93a004b0eb8f90050a8f9a1bc796f85db1703533f96c557ba989321e9c392bc407aca57fc3a11285935ceaeda4cdd3f8546894854374c42fa912327ba4909093220890f2a251b9c6456d2a5de09e6734dc0099dd9ffedb25f862096952a2ea59cc48771f713efc272b1ea02ee9f544cefbe2f9b855e960901a5e0ae717f8bc1f95ee34d5d1f1b5e7c58f8235124f4e17cb2b8d4a6fba1f82383f5770ce0d5c453c794749f1248990d8901d79ea9317ce82e53b34ba975d948386569206a2965b08aa5ce634e2246e673992d28a6d54d54fc9653e4a6728329ea7789809768bf0be2a53bafa3af144cbc49c3fc8939085b02b79b63b4c70d4e3a33403d4442a4a2e0b37f75fa1ca0cdb76a3ddbf6d11ce8aa1d30ced53a9e56373c0069725f81a','sync','ak',0,0,X'5e7d9ecf48f7aad9e82e8e17b1832a5aaec3a4c6','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(35,540009248.03348696232,540009248.03348696232,X'3c585604e87f855973731fea83e21fab9392d2fc',X'2cd4f1af1f630ce1912f0c46a5f745d3f8940129',NULL,1,1,1,X'76d5ab1128ef898bc3aa8e4babc0bc1cf26c479d',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'718bcc07c07b98d3a275f2812f930b1905ae3f6a','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(36,540009248.09169495105,540009248.09169495105,X'3c585604e87f855973731fea83e21fab9392d2fc',X'ba03b2e1909c9ae7375454fbc6a2f4d66df94aee',NULL,1,1,1,X'44eb66520fe8eafaec370f97e1d7c8467392740c',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'2459f4c51dfe9cf662d3402c8b83c67a92334b00','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys 
VALUES(37,540009248.15771901609,540009248.15771901609,X'3c585604e87f855973731fea83e21fab9392d2fc',X'aafdab94f36402c0dba1213feb30fee7ad111d9e',NULL,1,1,1,X'92b3bf04c33dbfe2f62834d7eec13d41cdec487b',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'bf5cfafbe2347bfefed68b0b82421d7dac283969','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(38,540009248.20999002457,540009248.20999002457,X'3c585604e87f855973731fea83e21fab9392d2fc',X'7478d998e42061cf5f6a7538d49a442d3dc813e4',NULL,1,1,1,X'13d6f6f137bf024bb8906cfcfd3c893ad303c67b',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'365aec9adbd4ffebc74782a5f1c64baaeed8912d','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(39,540009248.27032601833,540009248.27032601833,X'3c585604e87f855973731fea83e21fab9392d2fc',X'6c498326893a1920377c7a35a5206c03c3b8f130',NULL,1,1,1,X'd7dd2a6f5887a9291d26a99b1076a2986b05b062',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'030000800600000028000000e33b7388e66bb46179ba96dca8c26259ae0fdb2159966c49e295fe70092fd6e1ffffffffffffffff90455fed1f24b4c8448f624c87ec8101aedaab96985b56a256f3364089a425cb3dccc6346e145db74d7e3d2690d488f6f05dc6fa754f2e860b937cce0ca0c576adbea0c4fb60731292e09478a3bd2e7147e9ac31b9caba970e4e4b430c054a4e044de67edc0cb16e3adfb254799581e299dcb6625b325536fff1072361a1da178562336d438db1fc5fba80cf83a20de8f315af7078ca7e69c0f3d924bcca25dc7d25a90f6cc820e325cf4f186a4ba1d8a2acbabaf841c10fac073b9bb83450fcd88d3ff8fca9051207c91143499ab6eaaa4a675412c3bfb9ce6a96fd5b83bdd7bfa8542e9b6c87d473bcb8f43577d77e372134bd0ceb6228598f37ce2f3e43466544273d027c655ff8392cbdc727a43013cd710af5859294a359332481e30d9707aa1289a83a2f2b9f8ed5626d5f2cdd41436c10c58be3997022094614585a04745df15752dc5bcf8a0fbc3b358d4c
f46f5849f17a34ec0ede99caba960efac82440da532958894f5142524b252a561b3bd043cf9e594cf7fe8c9f557a44eaf036e44bbdcccd1068a9ab6926e60c341c587ccf9743bf2d88ab6da50b1ce619cc2cdc19789eb72851d862526d8fffbf31e61ec36eb50352d3f6e7a92abf7ee7df4191da21d089c6554b201079dfcbf5550da7fce86ac59ab090b66bcfd361a0c0b12a5a8b974cabe8bf2a54f5c11bdf655623a6a1298687c83d0a0103c5b2e6e7853cc3b0f7b89bf0774730154835aeddf97b86388190f95be4fef8a5ea1a66d82c7d3dd44f9eb61b9a49a87c6a355adee6d277a4329ab0ae3e208fed5908c9728777e7e4baecf3b1a278b1b91de6287be619a904f6a750408d67d96bd057947b77d4e3939c78496dbacecc5d8b2c03c4a23bd8823d318e83cdb7eb0f9156d5772368d6f26238d7ce399d5d9d7fc6e1d324445c5f5ca2a98e8c6ae2bac66a591751a17b2099d6b8345e95443f60ea52e67222893dd06a92e96eaeb522eea80169591d2c8c4745af5a60707acf22fee3c4d52b1a9c2f6f6670219ede56e4fdc41e50877c05f1bbfed8f6ad2e7214437f02112967440038d213d97a6fc0a8d1cc25a5e7225c472cc026f5897fa24817d0adfd36e3e21ff0027d629eb4174d0b41d51940ba8e68631f54eafbaa733237398dedbb0036c8855454802bd390ae91d792e96b23b40b13143dbef5874b8756a49b2383e6934189e5065170c7435bddc4f2049a0a449dc518609fd57b1488f1efe1579da2329cb5ffde34e0f37e69fca798dfe6a994b34ba6f9f6061cd533df63450cf444683917ba5b57b04b4056ec3a88062fe164eaf8e048c4a66ea400dca106ba19211a86416c973ce696f9f30d2adfdaa5d1f6229c2e8a2c7c6e76becc728e77b9d7a9b9d5011645b9cf453ec81e104677d085cba7010be48078809a033f9b005403496f15d3fe0b723d8162a0f395b6323a375020ec11d4dad9ae3369fb593606cef8ceeb3ededd57f02e7b6272f5abb015a286ea28d71acd2ef27e5a2ab5448d0b45e0f9f99a2ba388abbd88c5a9853054058944b0f04a1a62a7ca93b64132b827a115989a958753156ca6873740859b6721b107b237','sync','ak',0,0,X'a945392868f0e61f716c61bdda7a40d759a34138','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys 
VALUES(40,540009248.34564304351,540009248.34564304351,X'3c585604e87f855973731fea83e21fab9392d2fc',X'014de7d3657cabb3fd84c5011d5e4a67c366e8a3',NULL,1,1,1,X'dae6654459a08dfdbabc1c0642ba1846cc3fa42f',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'c9f75feade79d28b7a393b23accc1a230c6d0de8','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(41,540009248.39385795591,540009248.39385795591,X'3c585604e87f855973731fea83e21fab9392d2fc',X'1100dfeba7e2286479b530628c4fc8eefe42ffe7',NULL,1,1,1,X'1a8d191b0bf7c44ff48077c9fb60b0b1c1f7d239',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'49654b3d29faf2d84085c746734d588315a7202f','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(42,540009248.50240600108,540009248.50240600108,X'3c585604e87f855973731fea83e21fab9392d2fc',X'c4a1f453662bbf3ebb18128793afad059c129dd5',NULL,1,1,1,X'e880819d6a52c8d1c80c09603a49d410137f13f1',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'dd63841f0f9503f06cb72731db948d1ce0d60f92','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(43,540009248.5388059616,540009248.5388059616,X'3c585604e87f855973731fea83e21fab9392d2fc',X'8f2a41b73b30f3b029e935864cdefc8c6fcc1703',NULL,1,1,1,X'43ab1e4d92b3ca044f82071be19a1e6df4b3fc1a',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'772f831c8f0d2c5e705fc8310b68b49dd20d743a','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys 
VALUES(44,540009248.59195899964,540009248.59195899964,X'3c585604e87f855973731fea83e21fab9392d2fc',X'84ad88d2e855b268a74aadef0df73b058c533650',NULL,1,1,1,X'6c250285bf047a5751399f34470399c03b75061c',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'2fc5c1e61e9e01d3090974c701256e78c5717f3c','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(45,540009248.67277097702,540009248.67277097702,X'3c585604e87f855973731fea83e21fab9392d2fc',X'f30eb1e9a890195c52f60709a8edeefe4715c538',NULL,1,1,1,X'38f1fc5e9d8dcafcfcb5283d5ceeaf86527f364e',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'03000080060000002800000008fffa9d415631a70fa3e97bd0cc834861c3b63e0f0989d1bf86c0b367fd47c3ffffffffffffffff4c10e49d13133b4afca137c14965fdde264d5c6c35d9e6e4b2f8c083bb0722c6e0ece1c6afa7bf185198fa46c25dac328b7f713576d6f71a59335dbffd0c9bfc2e2ce0b296633dc5ffef7326045e223f06426d40a47540d8deb30b57e2a9cb99ccc689083a93e77139a7fb66d11712c83ef0f872d2e6b22f22fe6b7e8907322e23e27f1931c367fab27ce4e91f0e36c860c61ec6f8795d36fb0515f82f3dd3257d4dc3fba53e2fa815b4c2ffba5e392cdf0a0c48c103943db0f8ed7e2078b0603d5f82f7966d0a6918c1976a4126c40a74f427f2dce021555c7e555549a6a420676da2cd5798ce79875c8b5ab2f96238062eb60c33be8fe927d7749f4fb4f21a8077f1fd312e14b8ad92c72a10f2aca022881288cc243b2630d78a4bdc581201a2b1ff6123d49280e60c3780efd5bcb3b4295d4ece13de058e5d202bcbf891f337661e36e230f2579ee38659541d70d71a28f1a1d41c49499f3597ce640168c425439d9c70e083001639da033deaac2569d766bd4301ca432dbecd50cdd85f1b44c667f6970d8ed793242f97948b119ac0a71de0e744c5ea011fc9b367e876ac74663f6790d1cc1970b36d041c57e09b087c56ad6c13de211644a5214be3f0c507a5def884d54f6b596e420ba25cbe3b748a82ee7cf7bc0a747ceceba20efa4e9ce0458c1b27a777adadedd8eb6138152e20788c14541194a99d80b8688560e7c14f54e4ed9ff9520839dd72b686b1407ce5c22d535a10e2a9dca9a8a944ab0152e9799b683eafef583dee3a0d9352142b44742000934e6c0
2136ba6b634284ec6a16480f6fe1cbdc4bc7256960d245da7a09c5ffe6ae9ac2e4596230842277440e41b503dfdb6db1c028defc544e8fce196e51c3993fa78413387841b373bd9d55e9e7358c1732fa9a202a1d17018d7607b080b3bb87d7ef9871812bd36e72433e89ca0e231498af795767053587239c462c6fbd734661ea0bfe834323813b40a956b6b0492c5fd2913137c7071ccf77a8083e4397d3dfd55525f7a19e95e0f5b278a9f23fdd0d7b130681a509d2663db5958051886c93ca4ac5f5dd90127b2f2a497f516c25549922d8c681f30bb730e0839585c6c2ba1d1c0222c7ff7db1c5ca38edb9ad9d4e92a5e1c9085918982b5e94364352a6e9d1ffdba08130cc10c70bb6e32a5c5465afcf3a52a0c30461b80111a1cd6a4e2f28107902059bc9a0be6d9c2e5c868a9f94db93e042913ed4730702220e5cf22b2e61dd8dca6e8b880d8f2c97616d96236d989f4dd283bd493f14d9c1f7236ce23f22a659360315b76b91869b208a8cea2cf080b3920dcf750cf4bfb7b09219a976aee4815a7a20b29700bfe3ec5a10acb6ca7e561fcd64b7b7e53afc68544ed871aa2b1300e95ec2ac39f5291f306ce27cae5d590486d457fdd0aeb5ca3e2c4a5cf0a612aa4a9c69a3aa3274931557589345bf2f03ef40750be0f360aa75e2d4eeca328d0e913c22c2a33dce5ed4b6cd311dc9a3e7b35ca0da31b6f5855911e2409c79d2b581037174a8a1f1e88799a5cfc43570c3ea010a41478b394ef53fbcdc3c5d1336278468c6cc91d74c6e9','sync','ak',0,0,X'679577bdbdda37b15de9cba129e23e549b1a004c','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(46,540009248.73954999445,540009248.73954999445,X'3c585604e87f855973731fea83e21fab9392d2fc',X'83cb86811c2df44980ceed332adee9447b9031e4',NULL,1,1,1,X'832e0d541a80ff89ba43bd71ef289c78d435b8ed',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'18aa6c2f5a8e9b62507da7704d23e9be20024dc6','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys 
VALUES(47,540009248.76412105561,540009248.76412105561,X'3c585604e87f855973731fea83e21fab9392d2fc',X'e6aae5fcf4d720683edab9804f620cbc0844265b',NULL,1,1,1,X'd27cb1777d93737af194a9519993b10547ff9fb7',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'd8f8ecd1e06ddd14fae661920e8162abd41b0b2f','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(48,540009248.83140194415,540009248.83140194415,X'3c585604e87f855973731fea83e21fab9392d2fc',X'416a44e9737de60ae5c6a67953c9aa481883d378',NULL,1,1,1,X'2ceb76e29c9442f200885895f43473ccdbb99288',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'e400d1472cde60a637898b247a3cfe6e385b5d19','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(49,540009248.87445402146,540009248.87445402146,X'3c585604e87f855973731fea83e21fab9392d2fc',X'6634f5d1c2b1cb7d347d3e9a38ec7f7c5fccb905',NULL,1,1,1,X'427e71398059645d6e9f92db62204320c200cabd',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'202d96072affd57cca755b6610b5ac69b33cd5b4','','','',NULL,NULL,NULL,NULL,NULL,'');", +"INSERT INTO keys VALUES(50,540009248.93132698535,540009248.93132698535,X'3c585604e87f855973731fea83e21fab9392d2fc',X'73264e5a2eda14e1e8f06b4f6cf1342cc547d0cb',NULL,1,1,1,X'8e5f6694686a1bd054c113e7538bb416db138b27',X'da39a3ee5e6b4b0d3255bfef95601890afd80709',0,42,1024,1024,0.0,0.0,0,0,1,0,0,1,0,1,0,0,0,0,1,X'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','sync','ak',0,0,X'830dae8c17a3805e28c99f99695c2890274ccca4','','','',NULL,NULL,NULL,NULL,NULL,'');", +"CREATE TABLE tversion(rowid INTEGER PRIMARY KEY AUTOINCREMENT,version INTEGER NOT NULL,minor INTEGER NOT NULL DEFAULT 0,UNIQUE(version));", +"INSERT 
INTO tversion VALUES(1,10,5);", +"CREATE TABLE outgoingqueue(ckzone TEXT NOT NULL,UUID TEXT,parentKeyUUID TEXT NOT NULL,action TEXT NOT NULL,state TEXT NOT NULL,waituntil TEXT,accessgroup TEXT NOT NULL,gencount INTEGER NOT NULL DEFAULT 0,wrappedkey BLOB NOT NULL,encitem BLOB NOT NULL,encver INTEGER NOT NULL DEFAULT 0,ckrecord TEXT,pcss INTEGER,pcsk BLOB,pcsi BLOB,UNIQUE(ckzone,UUID,state));", +"CREATE TABLE incomingqueue(ckzone TEXT NOT NULL,UUID TEXT,parentKeyUUID TEXT NOT NULL,action TEXT NOT NULL,state TEXT NOT NULL,gencount INTEGER NOT NULL DEFAULT 0,wrappedkey BLOB NOT NULL,encitem BLOB NOT NULL,encver INTEGER NOT NULL DEFAULT 0,ckrecord TEXT,pcss INTEGER,pcsk BLOB,pcsi BLOB,UNIQUE(ckzone,UUID,state));", +"CREATE TABLE synckeys(ckzone TEXT NOT NULL,UUID TEXT,keyclass TEXT NOT NULL,currentkey INTEGER NOT NULL,parentKeyUUID TEXT NOT NULL,state TEXT NOT NULL,wrappedkey BLOB NOT NULL,ckrecord BLOB NOT NULL,UNIQUE(ckzone,UUID,keyclass,state));", +"CREATE TABLE ckmirror(ckzone TEXT NOT NULL,UUID TEXT,parentKeyUUID TEXT NOT NULL,gencount INTEGER NOT NULL DEFAULT 0,wrappedkey BLOB NOT NULL,encitem BLOB NOT NULL,ckrecord BLOB NOT NULL,encver INTEGER NOT NULL DEFAULT 0,wascurrent INTEGER,pcss INTEGER,pcsk BLOB,pcsi BLOB,UNIQUE(ckzone,UUID));", +"CREATE TABLE currentkeys(ckzone TEXT NOT NULL,keyclass TEXT NOT NULL,currentKeyUUID TEXT,ckrecord BLOB NOT NULL,UNIQUE(ckzone,keyclass));", +"CREATE TABLE ckstate(ckzone TEXT NOT NULL,ckzonecreated INTEGER NOT NULL DEFAULT 0,ckzonesubscribed INTEGER NOT NULL DEFAULT 0,lastfetch TEXT,changetoken TEXT,ratelimiter BLOB,lastfixup INTEGER NOT NULL DEFAULT 0,UNIQUE(ckzone));", +"CREATE TABLE item_backup(rowid INTEGER PRIMARY KEY AUTOINCREMENT,primaryKey TEXT NOT NULL,musr BLOB NOT NULL,sha1 BLOB,backupData BLOB NOT NULL,pkhh BLOB,UNIQUE(primaryKey,musr));", +"CREATE TABLE backup_keybag(rowid INTEGER PRIMARY KEY AUTOINCREMENT,publickeyHash BLOB NOT NULL,musr BLOB NOT NULL,publickey BLOB NOT NULL,agrp TEXT NOT 
NULL,UNIQUE(publickeyHash,musr,agrp));", +"CREATE TABLE ckmanifest(ckzone TEXT NOT NULL,gencount INTEGER NOT NULL DEFAULT 0,digest BLOB NOT NULL,signatures BLOB NOT NULL,signerID TEXT NOT NULL,leafIDs BLOB NOT NULL,peerManifests BLOB NOT NULL,currentItems BLOB NOT NULL,futureData BLOB NOT NULL,schema BLOB NOT NULL,ckrecord BLOB,UNIQUE(ckzone));", +"CREATE TABLE pending_manifest(ckzone TEXT NOT NULL,gencount INTEGER NOT NULL DEFAULT 0,digest BLOB NOT NULL,signatures BLOB NOT NULL,signerID TEXT NOT NULL,leafIDs BLOB NOT NULL,peerManifests BLOB NOT NULL,currentItems BLOB NOT NULL,futureData BLOB NOT NULL,schema BLOB NOT NULL,ckrecord BLOB,UNIQUE(ckzone));", +"CREATE TABLE ckmanifest_leaf(ckzone TEXT NOT NULL,UUID TEXT,digest BLOB NOT NULL,entryDigests BLOB NOT NULL,ckrecord BLOB,UNIQUE(ckzone,UUID));", +"CREATE TABLE backup_keyarchive(key_archive_hash TEXT NOT NULL,musr BLOB NOT NULL,key_archive TEXT NOT NULL,ckzone TEXT NOT NULL,ckrecord TEXT,archive_escrowid TEXT,UNIQUE(key_archive_hash,musr,key_archive,ckzone));", +"CREATE TABLE currentkeyarchives(key_archive_hash TEXT NOT NULL,keyarchive_name TEXT NOT NULL,UNIQUE(key_archive_hash));", +"CREATE TABLE archived_key_backup(pdmn TEXT,UUID TEXT,musr BLOB NOT NULL,agrp TEXT NOT NULL,key_archive_hash TEXT NOT NULL,archived_key TEXT NOT NULL,ckzone TEXT NOT NULL,ckrecord TEXT,archive_escrowid TEXT,UNIQUE(UUID,musr,agrp,key_archive_hash,ckzone));", +"CREATE TABLE pending_manifest_leaf(ckzone TEXT NOT NULL,UUID TEXT,digest BLOB NOT NULL,entryDigests BLOB NOT NULL,ckrecord BLOB,UNIQUE(ckzone,UUID));", +"CREATE TABLE currentitems(ckzone TEXT NOT NULL,identifier TEXT,currentItemUUID TEXT,state TEXT NOT NULL,ckrecord BLOB NOT NULL,UNIQUE(ckzone,identifier,state));", +"CREATE TABLE ckdevicestate(ckzone TEXT NOT NULL,device TEXT,peerid TEXT,circlestatus TEXT,keystate TEXT,currentTLK TEXT,currentClassA TEXT,currentClassC TEXT,ckrecord BLOB,UNIQUE(ckzone,device));", +"CREATE TABLE tlkshare(ckzone TEXT NOT NULL,UUID TEXT,senderpeerid 
TEXT,recvpeerid TEXT,recvpubenckey BLOB,curve INTEGER,poisoned INTEGER NOT NULL DEFAULT 0,epoch INTEGER NOT NULL DEFAULT 0,wrappedkey BLOB NOT NULL,signature BLOB,ckrecord BLOB,version INTEGER NOT NULL DEFAULT 0,UNIQUE(ckzone,UUID,senderpeerid,recvpeerid));", +"DELETE FROM sqlite_sequence;", +"INSERT INTO sqlite_sequence VALUES('tversion',1);", +"INSERT INTO sqlite_sequence VALUES('genp',50);", +"INSERT INTO sqlite_sequence VALUES('keys',50);", +"CREATE INDEX genpsync ON genp(sync);", +"CREATE INDEX genpsha1 ON genp(sha1);", +"CREATE INDEX genpmusr ON genp(musr);", +"CREATE INDEX genppersistref ON genp(persistref);", +"CREATE INDEX inetsync ON inet(sync);", +"CREATE INDEX inetsha1 ON inet(sha1);", +"CREATE INDEX inetmusr ON inet(musr);", +"CREATE INDEX inetpersistref ON inet(persistref);", +"CREATE INDEX certalis ON cert(alis);", +"CREATE INDEX certsubj ON cert(subj);", +"CREATE INDEX certskid ON cert(skid);", +"CREATE INDEX certpkhh ON cert(pkhh);", +"CREATE INDEX certsync ON cert(sync);", +"CREATE INDEX certsha1 ON cert(sha1);", +"CREATE INDEX certmusr ON cert(musr);", +"CREATE INDEX certpersistref ON cert(persistref);", +"CREATE INDEX keyskcls ON keys(kcls);", +"CREATE INDEX keysklbl ON keys(klbl);", +"CREATE INDEX keysencr ON keys(encr);", +"CREATE INDEX keysdecr ON keys(decr);", +"CREATE INDEX keysdrve ON keys(drve);", +"CREATE INDEX keyssign ON keys(sign);", +"CREATE INDEX keysvrfy ON keys(vrfy);", +"CREATE INDEX keyswrap ON keys(wrap);", +"CREATE INDEX keysunwp ON keys(unwp);", +"CREATE INDEX keyssync ON keys(sync);", +"CREATE INDEX keyssha1 ON keys(sha1);", +"CREATE INDEX keysmusr ON keys(musr);", +"CREATE INDEX keyspersistref ON keys(persistref);", +"CREATE INDEX item_backupmusr ON item_backup(musr);", +"CREATE INDEX item_backupsha1 ON item_backup(sha1);", +"CREATE INDEX item_backuppkhh ON item_backup(pkhh);", +"CREATE INDEX backup_keybagmusr ON backup_keybag(musr);", +"CREATE INDEX backup_keyarchivemusr ON backup_keyarchive(musr);", +"CREATE INDEX 
archived_key_backupmusr ON archived_key_backup(musr);", +"COMMIT;", +NULL +}; diff --git a/tests/secdmockaks/secdmockaks.m b/tests/secdmockaks/secdmockaks.m new file mode 100644 index 00000000..885b0f1a --- /dev/null +++ b/tests/secdmockaks/secdmockaks.m 
@@ -0,0 +1,429 @@
+/*
+ * Copyright (c) 2018 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#import "SecDbKeychainItem.h"
+#import "SecdTestKeychainUtilities.h"
+#import "CKKS.h"
+#import "SecItemPriv.h"
+#import "SecItemServer.h"
+#import "spi.h"
+#import
+#import
+#import
+#import
+#import
+#import
+#import
+#import "mockaks.h"
+
+#import "secdmock_db_version_10_5.h"
+
+@interface secdmockaks : XCTestCase
+@property NSString *testHomeDirectory;
+@property long lockCounter;
+@end
+
+@implementation secdmockaks
+
++ (void)setUp
+{
+ [super setUp];
+
+ SecCKKSDisable();
+ /*
+ * Disable all of SOS syncing since that triggers retains of database
+ * and these tests muck around with the database over and over again, so
+ * that leads to the vnode delete kevent trap triggering for sqlite
+ * over and over again.
+ */
+ SecCKKSTestSetDisableSOS(true);
+ securityd_init(NULL);
+}
+
+- (void)createKeychainDirectory
+{
+ [[NSFileManager defaultManager] createDirectoryAtPath:[NSString stringWithFormat: @"%@/Library/Keychains", self.testHomeDirectory] withIntermediateDirectories:YES attributes:nil error:NULL];
+}
+
+- (void)removeHomeDirectory
+{
+ if (self.testHomeDirectory) {
+ [[NSFileManager defaultManager] removeItemAtPath:self.testHomeDirectory error:NULL];
+ }
+}
+
+- (void)setUp {
+ [super setUp];
+
+ NSString* testName = [self.name componentsSeparatedByString:@" "][1];
+ testName = [testName stringByReplacingOccurrencesOfString:@"]" withString:@""];
+ secnotice("ckkstest", "Beginning test %@", testName);
+
+ // Make a new fake keychain
+ self.testHomeDirectory = [NSString stringWithFormat: @"/tmp/%@.%X", testName, arc4random()];
+ [self createKeychainDirectory];
+
+ SetCustomHomeURLString((__bridge CFStringRef) self.testHomeDirectory);
+ SecKeychainDbReset(NULL);
+
+ // Actually load the database.
+ kc_with_dbt(true, NULL, ^bool (SecDbConnectionRef dbt) { return false; });
+}
+
+- (void)tearDown
+{
+ SetCustomHomeURLString(NULL);
+ SecKeychainDbReset(^{
+ [self removeHomeDirectory];
+ self.testHomeDirectory = nil;
+ });
+ kc_with_dbt(true, NULL, ^bool (SecDbConnectionRef dbt) { return false; });
+}
+
+- (void)testAddKeyByReference
+{
+ NSDictionary* keyParams = @{ (id)kSecAttrKeyType : (id)kSecAttrKeyTypeRSA, (id)kSecAttrKeySizeInBits : @(1024) };
+ SecKeyRef key = SecKeyCreateRandomKey((__bridge CFDictionaryRef)keyParams, NULL);
+ NSDictionary* item = @{ (id)kSecClass : (id)kSecClassKey,
+ (id)kSecValueRef : (__bridge id)key,
+ (id)kSecAttrLabel : @"TestLabel",
+ (id)kSecAttrNoLegacy : @(YES) };
+
+ OSStatus result = SecItemAdd((__bridge CFDictionaryRef)item, NULL);
+ XCTAssertEqual(result, 0, @"failed to add test item to keychain");
+
+ NSMutableDictionary* refQuery = item.mutableCopy;
+ [refQuery removeObjectForKey:(id)kSecValueData];
+ refQuery[(id)kSecReturnRef] = @(YES);
+ CFTypeRef foundItem = NULL;
+ result = SecItemCopyMatching((__bridge CFDictionaryRef)refQuery, &foundItem);
+ XCTAssertEqual(result, 0, @"failed to find the reference for the item we just added in the keychain");
+
+ NSData* originalKeyData = (__bridge_transfer NSData*)SecKeyCopyExternalRepresentation(key, NULL);
+ NSData* foundKeyData = (__bridge_transfer NSData*)SecKeyCopyExternalRepresentation((SecKeyRef)foundItem, NULL);
+ XCTAssertEqualObjects(originalKeyData, foundKeyData, @"found key does not match the key we put in the keychain");
+
+ result = SecItemDelete((__bridge CFDictionaryRef)refQuery);
+ XCTAssertEqual(result, 0, @"failed to delete key");
+}
+
+
+- (void)testAddDeleteItem
+{
+ NSDictionary* item = @{ (id)kSecClass : (id)kSecClassGenericPassword,
+ (id)kSecValueData : [@"password" dataUsingEncoding:NSUTF8StringEncoding],
+ (id)kSecAttrAccount : @"TestAccount",
+ (id)kSecAttrService : @"TestService",
+ (id)kSecAttrNoLegacy : @(YES) };
+
+ OSStatus result = SecItemAdd((__bridge CFDictionaryRef)item, NULL);
+ XCTAssertEqual(result, 0, @"failed to add test item to keychain");
+
+ NSMutableDictionary* dataQuery = item.mutableCopy;
+ [dataQuery removeObjectForKey:(id)kSecValueData];
+ dataQuery[(id)kSecReturnData] = @(YES);
+ CFTypeRef foundItem = NULL;
+ result = SecItemCopyMatching((__bridge CFDictionaryRef)dataQuery, &foundItem);
+ XCTAssertEqual(result, 0, @"failed to find the data for the item we just added in the keychain");
+
+ result = SecItemDelete((__bridge CFDictionaryRef)dataQuery);
+ XCTAssertEqual(result, 0, @"failed to delete item");
+}
+
+
+- (void)createManyItems
+{
+ unsigned n;
+ for (n = 0; n < 50; n++) {
+ NSDictionary* item = @{
+ (id)kSecClass : (id)kSecClassGenericPassword,
+ (id)kSecValueData : [@"password" dataUsingEncoding:NSUTF8StringEncoding],
+ (id)kSecAttrAccount : [NSString stringWithFormat:@"TestAccount-%u", n],
+ (id)kSecAttrService : @"TestService",
+ (id)kSecAttrNoLegacy : @(YES)
+ };
+ OSStatus result = SecItemAdd((__bridge CFDictionaryRef)item, NULL);
+ XCTAssertEqual(result, 0, @"failed to add test item to keychain: %u", n);
+ }
+}
+
+- (void)findManyItems:(unsigned)searchLimit
+{
+ unsigned n;
+ for (n = 0; n < searchLimit; n++) {
+ NSDictionary* item = @{
+ (id)kSecClass : (id)kSecClassGenericPassword,
+ (id)kSecAttrAccount : [NSString stringWithFormat:@"TestAccount-%u", n],
+ (id)kSecAttrService : @"TestService",
+ (id)kSecAttrNoLegacy : @(YES)
+ };
+ OSStatus result = SecItemCopyMatching((__bridge CFDictionaryRef)item, NULL);
+ XCTAssertEqual(result, 0, @"failed to find test item to keychain: %u", n);
+ }
+}
+
+- (void)createManyKeys
+{
+ unsigned n;
+ for (n = 0; n < 50; n++) {
+ NSDictionary* keyParams = @{
+ (id)kSecAttrKeyType : (id)kSecAttrKeyTypeRSA,
+ (id)kSecAttrKeySizeInBits : @(1024)
+ };
+ SecKeyRef key = SecKeyCreateRandomKey((__bridge CFDictionaryRef)keyParams, NULL);
+ NSDictionary* item = @{ (id)kSecClass : (id)kSecClassKey,
+ (id)kSecValueRef : (__bridge id)key,
+ (id)kSecAttrLabel : [NSString stringWithFormat:@"TestLabel-%u", n],
+ (id)kSecAttrNoLegacy : @(YES) };
+
+ OSStatus result = SecItemAdd((__bridge CFDictionaryRef)item, NULL);
+ XCTAssertEqual(result, 0, @"failed to add test key to keychain: %u", n);
+ }
+}
+
+
+- (void)testBackupRestoreItem
+{
+ [self createManyItems];
+ [self createManyKeys];
+
+
+ NSDictionary* item = @{ (id)kSecClass : (id)kSecClassGenericPassword,
+ (id)kSecValueData : [@"password" dataUsingEncoding:NSUTF8StringEncoding],
+ (id)kSecAttrAccount : @"TestAccount",
+ (id)kSecAttrService : @"TestService",
+ (id)kSecAttrNoLegacy : @(YES) };
+
+ OSStatus result = SecItemAdd((__bridge CFDictionaryRef)item, NULL);
+ XCTAssertEqual(result, 0, @"failed to add test item to keychain");
+
+ NSMutableDictionary* dataQuery = item.mutableCopy;
+ [dataQuery removeObjectForKey:(id)kSecValueData];
+ dataQuery[(id)kSecReturnData] = @(YES);
+ CFTypeRef foundItem = NULL;
+
+ /*
+ * Create backup
+ */
+
+ CFDataRef keybag = CFDataCreate(kCFAllocatorDefault, NULL, 0);
+ CFDataRef password = CFDataCreate(kCFAllocatorDefault, NULL, 0);
+
+ CFDataRef backup = _SecKeychainCopyBackup(keybag, password);
+ XCTAssert(backup, "expected to have a backup");
+
+ result = SecItemDelete((__bridge CFDictionaryRef)dataQuery);
+ XCTAssertEqual(result, 0, @"failed to delete item");
+
+ result = SecItemCopyMatching((__bridge CFDictionaryRef)dataQuery, &foundItem);
+ XCTAssertEqual(result, errSecItemNotFound,
+ @"failed to find the data for the item we just added in the keychain");
+ CFReleaseNull(foundItem);
+
+ /*
+ * Restore backup and see that item is resurected
+ */
+
+ XCTAssertEqual(0, _SecKeychainRestoreBackup(backup, keybag, password));
+
+ CFReleaseNull(backup);
+ CFReleaseNull(password);
+ CFReleaseNull(keybag);
+
+ result = SecItemCopyMatching((__bridge CFDictionaryRef)dataQuery, &foundItem);
+ XCTAssertEqual(result, 0, @"failed to find the data for the item we just added in the keychain");
+ CFReleaseNull(foundItem);
+
+ result = SecItemDelete((__bridge CFDictionaryRef)dataQuery);
+ XCTAssertEqual(result, 0, @"failed to delete item");
+}
+
+- (void)testCreateSampleDatabase
+{
+ id mock = OCMClassMock([SecMockAKS class]);
+
+ [self createManyItems];
+ [self createManyKeys];
+
+ /*
+ sleep(600);
+ lsof -p $(pgrep xctest)
+ sqlite3 database
+ .output mydatabase.h
+ .dump
+
+ add header and footer
+ */
+
+ [self findManyItems:50];
+}
+
+- (void)testTestAKSGenerationCount
+{
+ id mock = OCMClassMock([SecMockAKS class]);
+ OCMStub([mock useGenerationCount]).andReturn(true);
+
+ [self createManyItems];
+ [self findManyItems:50];
+}
+
+
+- (void)loadDatabase:(const char **)dumpstring
+{
+ const char *s;
+ unsigned n = 0;
+
+ [self removeHomeDirectory];
+ [self createKeychainDirectory];
+
+ NSString *path = CFBridgingRelease(__SecKeychainCopyPath());
+ sqlite3 *handle = NULL;
+
+ XCTAssertEqual(SQLITE_OK, sqlite3_open([path UTF8String], &handle), "create keychain");
+
+ while ((s = dumpstring[n++]) != NULL) {
+ char * errmsg = NULL;
+ XCTAssertEqual(SQLITE_OK, sqlite3_exec(handle, s, NULL, NULL, &errmsg),
+ "exec: %s: %s", s, errmsg);
+ if (errmsg) {
+ sqlite3_free(errmsg);
+ }
+ }
+ XCTAssertEqual(SQLITE_OK, sqlite3_close(handle), "close sqlite");
+}
+
+- (void)testUpgradeFromVersion10_5
+{
+ SecKeychainDbReset(^{
+ NSLog(@"resetting database");
+ [self loadDatabase:secdmock_db_version10_5];
+ });
+
+ NSLog(@"find items from old database");
+ [self findManyItems:50];
+}
+
+- (bool)isLockedSoon:(keyclass_t)key_class
+{
+ if (key_class == key_class_d || key_class == key_class_dku)
+ return false;
+ if (self.lockCounter <= 0)
+ return true;
+ self.lockCounter--;
+ return false;
+}
+
+
+/*
+ * Lock in the middle of migration
+ */
+- (void)testUpgradeFromVersion10_5WhileLocked
+{
+ OSStatus result = 0;
+ id mock = OCMClassMock([SecMockAKS class]);
+// OCMStub([mock isLocked:[OCMArg any]]).andCall(self, @selector(isLockedSoon:));
+
+ [[[[mock stub] andCall:@selector(isLockedSoon:) onObject:self] ignoringNonObjectArgs] isLocked:0];
+
+ SecKeychainDbReset(^{
+ NSLog(@"resetting database");
+ [self loadDatabase:secdmock_db_version10_5];
+ });
+
+ self.lockCounter = 0;
+
+ NSDictionary* item = @{
+ (id)kSecClass : (id)kSecClassGenericPassword,
+ (id)kSecAttrAccount : @"TestAccount-11",
+ (id)kSecAttrService : @"TestService",
+ (id)kSecReturnData : @YES,
+ (id)kSecAttrNoLegacy : @YES
+ };
+ result = SecItemCopyMatching((__bridge CFDictionaryRef)item, NULL);
+ XCTAssertEqual(result, errSecInteractionNotAllowed, @"SEP not locked?");
+
+ XCTAssertEqual(self.lockCounter, 0, "Device didn't lock");
+
+ NSLog(@"user unlock");
+ [mock stopMocking];
+
+
+ result = SecItemCopyMatching((__bridge CFDictionaryRef)item, NULL);
+ XCTAssertEqual(result, 0, @"can't find item");
+
+
+ NSLog(@"find items from old database");
+ [self findManyItems:50];
+}
+
+
+- (void)testUpgradeFromVersion10_5HungSEP
+{
+ id mock = OCMClassMock([SecMockAKS class]);
+ OSStatus result = 0;
+
+ OCMStub([mock isSEPDown]).andReturn(true);
+
+ SecKeychainDbReset(^{
+ NSLog(@"resetting database");
+ [self loadDatabase:secdmock_db_version10_5];
+ });
+
+ NSDictionary* item = @{
+ (id)kSecClass : (id)kSecClassGenericPassword,
+ (id)kSecAttrAccount : @"TestAccount-0",
+ (id)kSecAttrService : @"TestService",
+ (id)kSecAttrNoLegacy : @(YES)
+ };
+ result = SecItemCopyMatching((__bridge CFDictionaryRef)item, NULL);
+ XCTAssertEqual(result, errSecNotAvailable, @"SEP not down?");
+
+ kc_with_dbt(true, NULL, ^bool (SecDbConnectionRef dbt) {
+ CFErrorRef error = NULL;
+ int version = 0;
+ SecKeychainDbGetVersion(dbt, &version, &error);
+ XCTAssertEqual(error, NULL, "error getting version");
+ XCTAssertEqual(version, 0x50a, "managed to upgrade when we shouldn't have");
+ });
+
+ /* user got the SEP out of DFU */
+ NSLog(@"SEP alive");
+ [mock stopMocking];
+
+ result = SecItemCopyMatching((__bridge CFDictionaryRef)item, NULL);
+ XCTAssertEqual(result, 0, @"failed to find test item to keychain");
+
+ kc_with_dbt(true, NULL, ^bool (SecDbConnectionRef dbt) {
+ CFErrorRef error = NULL;
+ int version = 0;
+ SecKeychainDbGetVersion(dbt, &version, &error);
+ XCTAssertEqual(error, NULL, "error getting version");
+ XCTAssertEqual(version, 0x10b, "didnt managed to upgrade");
+ });
+
+ NSLog(@"find items from old database");
+ [self findManyItems:50];
+}
+
+
+@end
diff --git a/tests/secdmockaks/testPlistDER.m b/tests/secdmockaks/testPlistDER.m
new file mode 100644
index 00000000..e2a779e1
--- /dev/null
+++ b/tests/secdmockaks/testPlistDER.m
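Review bot: The fake keychain home in `-setUp` is built as `/tmp/%@.%X` and `createKeychainDirectory` creates it with `withIntermediateDirectories:YES attributes:nil error:NULL`, so a directory that already exists at that path is accepted silently, the mode is left to the process umask, and a creation failure goes unnoticed. The keychain database and the backup round-trip of these tests live under that directory, so I would derive the path from `NSTemporaryDirectory()` with an `[NSUUID UUID].UUIDString` suffix, pass `attributes:@{ NSFilePosixPermissions : @(0700) }`, and assert on the BOOL result of the create call. Separately, the `SecKeyRef` returned by `SecKeyCreateRandomKey` in `testAddKeyByReference` and `createManyKeys`, and `foundItem` in `testAddKeyByReference` and `testAddDeleteItem`, are never released; a `CFReleaseNull(...)` at the end of each, as `testBackupRestoreItem` already does for `foundItem`, would keep the tests leak-clean.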
@@ -0,0 +1,118 @@
+/*
+ * Copyright (c) 2018 Apple Inc. All Rights Reserved.
+ *
+ * @APPLE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this
+ * file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_LICENSE_HEADER_END@
+ */
+
+#import
+#include "utilities/der_plist.h"
+#include "SecCFWrappers.h"
+
+@interface testPlistDER : XCTestCase
+@end
+
+static CFDataRef CreateDERFromDictionary(CFDictionaryRef di, CFErrorRef *error)
+{
+ size_t size = der_sizeof_plist(di, error);
+ if (size == 0)
+ return NULL;
+ uint8_t *der = malloc(size);
+ if (der == NULL) {
+ return NULL;
+ }
+ der_encode_plist(di, error, der, der+size);
+ return CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, der, size, kCFAllocatorMalloc);
+}
+
+@implementation testPlistDER
+
+
+- (void)testSecPListLargeData {
+ NSMutableData *data = [NSMutableData dataWithLength:650000];
+ memset([data mutableBytes], 'A', [data length]);
+
+ NSDictionary *dictionary = @{
+ @"BackupKey" : [NSMutableData dataWithLength:32],
+ @"DeviceID" : data,
+ @"EscrowRecord" : @"",
+ @"PreferIDFragmentation" : @(1),
+ @"PreferIDS" : @(0),
+ @"PreferIDSAckModel" : @(1),
+ @"SecurityProperties" : @{},
+ @"SerialNumber" : @"C02TD01QHXCW",
+ @"TransportType" : @"KVS",
+ @"Views" : @[ + @"iCloudIdentity", + @"BackupBagV0", + @"PCS-Maildrop", + @"PCS-iMessage", + @"PCS-Notes", + @"PCS-FDE", + @"PCS-MasterKey", + @"NanoRegistry", + @"PCS-Feldspar", + @"PCS-iCloudDrive", + @"AccessoryPairing", + @"ContinuityUnlock", + @"WatchMigration", + @"PCS-Sharing", + @"PCS-Photos", + @"PCS-Escrow", + @"AppleTV", + @"HomeKit", + @"PCS-Backup", + @"PCS-CloudKit" + ], + }; + CFErrorRef error = NULL; + + size_t size = der_sizeof_plist((__bridge CFTypeRef)dictionary, &error); + XCTAssertNotEqual(size, (size_t)0, "no data?: %@", error); + CFReleaseNull(error); + + uint8_t *der = malloc(size); + uint8_t *der_end = der + size; + uint8_t *der_fin = der_encode_plist((__bridge CFTypeRef)dictionary, &error, der, der_end); + + XCTAssert(error == NULL, "error should be NULL: %@", error); + XCTAssertEqual(der, der_fin, "under/over-flow"); + + free(der); + + CFReleaseNull(error); + + NSData *outdata = (__bridge NSData *)CreateDERFromDictionary((__bridge CFTypeRef)dictionary, &error); + XCTAssertEqual(error, NULL, "error should be NULL: %@", error); + XCTAssertNotEqual(outdata, NULL, "should have data"); + +} + +- (void)testSecPListLargeDataOtherThread +{ + dispatch_semaphore_t sema = dispatch_semaphore_create(0); + dispatch_async(dispatch_get_global_queue(QOS_CLASS_UTILITY, 0), ^{ + [self testSecPListLargeData]; + dispatch_semaphore_signal(sema); + }); + dispatch_semaphore_wait(sema, DISPATCH_TIME_FOREVER); +} + + +@end diff --git a/trust/SecCertificatePriv.h b/trust/SecCertificatePriv.h index 93fa1641..a874f611 100644 --- a/trust/SecCertificatePriv.h +++ b/trust/SecCertificatePriv.h @@ -366,6 +366,7 @@ typedef CF_ENUM(uint32_t, SeciAuthVersion) { kSeciAuthVersion1 = 1, /* unused */ kSeciAuthVersion2 = 2, kSeciAuthVersion3 = 3, + kSeciAuthVersionSW = 4, } __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_10_0); /* Return the iAuth version indicated by the certificate. This function does 
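Review bot: `CreateDERFromDictionary` discards the return value of `der_encode_plist`, so if encoding fails the helper still wraps the freshly allocated, unwritten buffer in a CFData and returns it as if it were valid DER. `testSecPListLargeData` already treats a result equal to `der` as success, so the helper can apply the same check: `if (der_encode_plist(di, error, der, der + size) != der) { free(der); return NULL; }`. In the test itself `malloc(size)` is used without a NULL check before `der + size`, and the plain `__bridge` cast of the helper's Create-rule result leaves `outdata` unreleased; `CFBridgingRelease(CreateDERFromDictionary(...))` would hand ownership over.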
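Review bot: `kSeciAuthVersionSW = 4` is added without a comment, while its neighbour `kSeciAuthVersion1` carries one, so a reader cannot tell what SW denotes or whether it is meant to rank after `kSeciAuthVersion3`. Any caller that compares the returned value numerically (for example `>= kSeciAuthVersion3`) would now also accept the new value; whether that is intended is not visible from this hunk. I would add a trailing comment on the enumerator stating what kind of certificate it identifies and whether it is a successor of version 3 or a separate category.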
@@ -389,6 +390,28 @@ CFArrayRef SecCertificateCopyiPhoneDeviceCAChain(void) __OSX_AVAILABLE_STARTING(__MAC_10_13, __IPHONE_11_0); +/*! + @function SecCertificateCopyExtensionValue + @abstract Return the value in an extension of a certificate. + @param certificate A reference to the certificate containing the desired extension + @param extensionOID A CFData containing the binary value of ObjectIdentifier of the + desired extension or a CFString containing the decimal value of the ObjectIdentifier. + @param isCritical On return, a boolean value representing whether the extension was critical. + @result If an extension exists in the certificate with the extensionOID, the returned CFData + is the (unparsed) Value of the extension. + @discussion If the certificate has multiple extensions with the same extension OID, the first + extension with the input OID is returned. + */ +CF_RETURNS_RETAINED +CFDataRef SecCertificateCopyExtensionValue(SecCertificateRef certificate, + CFTypeRef extensionOID, bool *isCritical) + __OSX_AVAILABLE_STARTING(__MAC_10_13_4, __IPHONE_11_3); + +/* Return a (modern) SecKeyRef for the public key embedded in the cert. */ +#if TARGET_OS_OSX + SecKeyRef SecCertificateCopyPublicKey_ios(SecCertificateRef certificate); +#endif + /* * Legacy functions (OS X only) */ diff --git a/trust/SecCertificateRequest.h b/trust/SecCertificateRequest.h index baac95d9..efb37676 100644 --- a/trust/SecCertificateRequest.h +++ b/trust/SecCertificateRequest.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002-2004,2008-2009,2011-2014,2016 Apple Inc. All Rights Reserved. + * Copyright (c) 2002-2017 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * 
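Review bot: The header doc added for `SecCertificateCopyExtensionValue` does not state what is returned when no extension carries `extensionOID`, what happens when `extensionOID` is neither a CFData nor a CFString, or whether `isCritical` may be NULL and what it holds when nothing is found. The discussion says only the first of several same-OID extensions is returned, so callers that base a policy decision on the value should be told that later duplicates are not examined and that the returned bytes are unparsed and unvalidated. I would extend `@result` to name the not-found return value (presumably NULL) and add one sentence on `isCritical`. `SecCertificateCopyPublicKey_ios`, declared just below, has neither `CF_RETURNS_RETAINED` nor an availability macro, unlike the function above it; if it follows the Copy rule, annotating it the same way keeps ownership explicit.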
@@ -33,15 +33,18 @@ #include #include #include +#include __BEGIN_DECLS -extern const void * kSecOidCommonName; -extern const void * kSecOidCountryName; -extern const void * kSecOidStateProvinceName; -extern const void * kSecOidLocalityName; -extern const void * kSecOidOrganization; -extern const void * kSecOidOrganizationalUnit; +CF_ASSUME_NONNULL_BEGIN + +extern const CFStringRef kSecOidCommonName; +extern const CFStringRef kSecOidCountryName; +extern const CFStringRef kSecOidStateProvinceName; +extern const CFStringRef kSecOidLocalityName; +extern const CFStringRef kSecOidOrganization; +extern const CFStringRef kSecOidOrganizationalUnit; extern const unsigned char SecASN1PrintableString; extern const unsigned char SecASN1UTF8String; @@ -52,9 +55,8 @@ extern const unsigned char SecASN1UTF8String; conversion to PrintableString or UTF8String needs to be possible. @param kSecCertificateKeyUsage CFNumberRef with key usage mask using kSecKeyUsage constants. - @param kSecSubjectAltName CFArrayRef of CFStringRef or CFDataRef - either dnsName or emailAddress (if contains @) or - ipAddress, ipv4 (4) or ipv6 (16) bytes + @param kSecSubjectAltName CFDictionaryRef + with keys defined below. @param kSecCSRBasicContraintsPathLen CFNumberRef if set will include basic constraints and mark it as a CA cert. If 0 <= number < 256, specifies path length, otherwise 
@@ -69,30 +71,56 @@ extern const unsigned char SecASN1UTF8String; as extensions with accompanying value. It is assumed that the value is a CFDataRef and is already properly encoded. This value will be placed straight into the extension value OCTET STRING. + @param kSecCMSSignHashAlgorithm CFStringRef + (Declared in SecCMS.h) + if set, determines the hash algorithm used to create the signing + request or certificate. If this parameter is omitted, the default + hash algorithm will be used (SHA1 for RSA and SHA256 for ECDSA). + Supported digest algorithm strings are defined in + SecCMS.h, e.g. kSecCMSHashingAlgorithmSHA256;. +*/ +extern const CFStringRef kSecCSRChallengePassword; +extern const CFStringRef kSecSubjectAltName; +extern const CFStringRef kSecCertificateKeyUsage; +extern const CFStringRef kSecCSRBasicContraintsPathLen; +extern const CFStringRef kSecCertificateExtensions; +extern const CFStringRef kSecCertificateExtensionsEncoded; + +/* + Keys for kSecSubjectAltName dictionaries: + @param kSecSubjectAltNameDNSName CFArrayRef or CFStringRef + The value for this key is either a CFStringRef containing a single DNS name, + or a CFArrayRef of CFStringRefs, each containing a single DNS Name. + @param kkSecSubjectAltNameEmailAddress CFArrayRef or CFStringRef + The value for this key is either a CFStringRef containing a single email + address (RFC 822 Name), or a CFArrayRef of CFStringRefs, each containing a + single email address. + @param kSecSubjectAltNameURI CFArrayRef or CFStringRef + The value for this key is either a CFStringRef containing a single URI, + or a CFArrayRef of CFStringRefs, each containing a single URI. + @param kSecSubjectAltNameNTPrincipalName CFStringRef + The value for this key is a CFStringRef containing the NTPrincipalName. 
*/ -extern const void * kSecCSRChallengePassword; -extern const void * kSecSubjectAltName; -extern const void * kSecCertificateKeyUsage; -extern const void * kSecCSRBasicContraintsPathLen; -extern const void * kSecCertificateExtensions; -extern const void * kSecCertificateExtensionsEncoded; +extern const CFStringRef kSecSubjectAltNameDNSName; +extern const CFStringRef kSecSubjectAltNameEmailAddress; +extern const CFStringRef kSecSubjectAltNameURI; +extern const CFStringRef kSecSubjectAltNameNTPrincipalName; typedef struct { - const void *oid; /* kSecOid constant or CFDataRef with oid */ - unsigned char type; /* currently only SecASN1PrintableString */ + CFTypeRef oid; /* kSecOid constant or CFDataRef with oid */ + unsigned char type; /* currently only SecASN1PrintableString or SecASN1UTF8String */ CFTypeRef value; /* CFStringRef -> ASCII, UTF8, CFDataRef -> binary */ } SecATV; typedef SecATV *SecRDN; /* - @function SecGenerateCertificateRequest + @function SecGenerateCertificateRequestWithParameters @abstract Return a newly generated CSR for subject and keypair. @param subject RDNs in the subject - @param num Number of RDNs - @param publicKey Public key + @param paramters Parameters for the CSR generation. See above. + @param publicKey Public key (NOTE: This is unused) @param privateKey Private key - @discussion only handles RSA keypairs and uses a SHA-1 PKCS1 signature @result On success, a newly allocated CSR, otherwise NULL Example for subject: 
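Review bot: The new `kSecCMSSignHashAlgorithm` text documents SHA-1 as the default digest for RSA keys, so any caller that omits the parameter gets a SHA-1-signed request or certificate. The comment should steer callers away from the default, for example `Callers should set this explicitly (e.g. kSecCMSHashingAlgorithmSHA256) rather than rely on the SHA1 default for RSA.` In the same comment block, `kkSecSubjectAltNameEmailAddress` should read `kSecSubjectAltNameEmailAddress`, and the stray `;` after `kSecCMSHashingAlgorithmSHA256` should be removed. The rewritten `kSecSubjectAltName` description in the -33,15 hunk and the key list here no longer mention IP-address names, which the old text did; if they are no longer accepted, the comment should say so for callers migrating from the array form.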
@@ -101,11 +129,32 @@ Example for subject: SecATV o[] = { { kSecOidOrganization, SecASN1PrintableString, CFSTR("Apple Inc.") }, {} }; SecRDN atvs[] = { cn, c, o, NULL }; */ -CFDataRef SecGenerateCertificateRequestWithParameters(SecRDN *subject, - CFDictionaryRef parameters, SecKeyRef publicKey, SecKeyRef privateKey) CF_RETURNS_RETAINED; +CF_RETURNS_RETAINED _Nullable +CFDataRef SecGenerateCertificateRequestWithParameters(SecRDN _Nonnull * _Nonnull subject, + CFDictionaryRef _Nullable parameters, SecKeyRef _Nullable publicKey, SecKeyRef privateKey) CF_RETURNS_RETAINED; +/* + @function SecGenerateCertificateRequest + @abstract Return a newly generated CSR for subject and keypair. + @param subject RDNs in the subject in array format + @param paramters Parameters for the CSR generation. See above. + @param publicKey Public key (NOTE: This is unused) + @param privateKey Private key + @result On success, a newly allocated CSR, otherwise NULL + @discussion The subject array contains an array of the RDNS. Each RDN is + itself an array of ATVs. Each ATV is an array of length two containing + first the OID and then the value. + +Example for subject (in Objective-C for ease of reading): + NSArray *subject = @[ + @[@[(__bridge NSString*)kSecOidCommonName, @"test"]] + @[@[(__bridge NSString*)kSecOidCountryName, @"US"]], + @[@[(__bridge NSString*)kSecOidOrganization, @"Apple Inc"]], + ]; + */ +CF_RETURNS_RETAINED _Nullable CFDataRef SecGenerateCertificateRequest(CFArrayRef subject, - CFDictionaryRef parameters, SecKeyRef publicKey, SecKeyRef privateKey) CF_RETURNS_RETAINED; + CFDictionaryRef _Nullable parameters, SecKeyRef _Nullable publicKey, SecKeyRef privateKey) CF_RETURNS_RETAINED; /* @function SecVerifyCertificateRequest 
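Review bot: Both prototypes in this hunk now carry `CF_RETURNS_RETAINED` twice, once before the return type and once after the parameter list. The trailing one is left over from the old form and can be dropped, which matches the prefix-only style used for the declarations in the -115,22 hunk. The Objective-C example in the `SecGenerateCertificateRequest` comment is missing the comma after the first RDN; it should read `@[@[(__bridge NSString*)kSecOidCommonName, @"test"]],`. The same example with the same omission is repeated in the `SecGenerateSelfSignedCertificate` comment in the -115,22 hunk. `@param paramters` is misspelled here, in the -69,30 hunk and in the -115,22 hunk, and does not match the parameter name `parameters`.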
@@ -115,22 +164,68 @@ CFDataRef SecGenerateCertificateRequest(CFArrayRef subject, @param subject (optional/out) encoded subject RDNs @param extensions (optional/out) encoded extensions */ -bool SecVerifyCertificateRequest(CFDataRef csr, SecKeyRef *publicKey, - CFStringRef *challenge, CFDataRef *subject, CFDataRef *extensions); +bool SecVerifyCertificateRequest(CFDataRef csr, SecKeyRef CF_RETURNS_RETAINED * _Nullable publicKey, + CFStringRef CF_RETURNS_RETAINED _Nullable * _Nullable challenge, + CFDataRef CF_RETURNS_RETAINED _Nullable * _Nullable subject, + CFDataRef CF_RETURNS_RETAINED _Nullable * _Nullable extensions); -SecCertificateRef -SecGenerateSelfSignedCertificate(CFArrayRef subject, CFDictionaryRef parameters, - SecKeyRef publicKey, SecKeyRef privateKey); -SecCertificateRef -SecIdentitySignCertificate(SecIdentityRef issuer, CFDataRef serialno, - SecKeyRef publicKey, CFTypeRef subject, CFTypeRef extensions); +/* + @function SecGenerateSelfSignedCertificate + @abstract Return a newly generated certificate for subject and keypair. + @param subject RDNs in the subject in array format + @param paramters Parameters for the CSR generation. See above. + @param publicKey Public key (NOTE: This is unused) + @param privateKey Private key + @result On success, a newly allocated certificate, otherwise NULL + @discussion The subject array contains an array of the RDNS. Each RDN is + itself an array of ATVs. Each ATV is an array of length two containing + first the OID and then the value. 
+ + Example for subject (in Objective-C for ease of reading): + NSArray *subject = @[ + @[@[(__bridge NSString*)kSecOidCommonName, @"test"]] + @[@[(__bridge NSString*)kSecOidCountryName, @"US"]], + @[@[(__bridge NSString*)kSecOidOrganization, @"Apple Inc"]], + ]; + */ +CF_RETURNS_RETAINED _Nullable +SecCertificateRef SecGenerateSelfSignedCertificate(CFArrayRef subject, CFDictionaryRef parameters, + SecKeyRef _Nullable publicKey, SecKeyRef privateKey); + +/* + @function SecIdentitySignCertificate + @param issuer issuer's identity (certificate/private key pair) + @param serialno serial number for the issued certificate + @param publicKey public key for the issued certificate + @param subject subject name for the issued certificate + @param extensions extensions for the issued certificate + @param hashingAlgorithm hash algorithm to use for signature + @result On success, a newly allocated certificate, otherwise NULL + @discussion This call can be used in combination with SecVerifyCertificateRequest + to generate a signed certifcate from a CSR after verifying it. The outputs + of SecVerifyCertificateRequest may be passed as inputs to this function. + + The subject may be an array, as specified in SecCertificateGenerateRequest, + or a data containing an encoded subject sequence, as specified by RFC 5280. + + Supported digest algorithm strings are defined in SecCMS.h, e.g. + kSecCMSHashingAlgorithmSHA256. 
+ */ +CF_RETURNS_RETAINED _Nullable +SecCertificateRef SecIdentitySignCertificate(SecIdentityRef issuer, CFDataRef serialno, + SecKeyRef publicKey, CFTypeRef subject, CFTypeRef _Nullable extensions); + +CF_RETURNS_RETAINED _Nullable +SecCertificateRef SecIdentitySignCertificateWithAlgorithm(SecIdentityRef issuer, CFDataRef serialno, + SecKeyRef publicKey, CFTypeRef subject, CFTypeRef _Nullable extensions, CFStringRef _Nullable hashingAlgorithm); /* PRIVATE */ -CF_RETURNS_RETAINED -CFDataRef -SecGenerateCertificateRequestSubject(SecCertificateRef ca_certificate, CFArrayRef subject); +CF_RETURNS_RETAINED _Nullable +CFDataRef SecGenerateCertificateRequestSubject(SecCertificateRef ca_certificate, CFArrayRef subject); + +CF_ASSUME_NONNULL_END __END_DECLS diff --git a/trust/SecPolicy.h b/trust/SecPolicy.h index 26bd586d..04b25e74 100644 --- a/trust/SecPolicy.h +++ b/trust/SecPolicy.h @@ -68,7 +68,7 @@ extern const CFStringRef kSecPolicyAppleEAP __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); extern const CFStringRef kSecPolicyAppleIPsec __OSX_AVAILABLE_STARTING(__MAC_10_7, __IPHONE_7_0); -#if TARGET_OS_MAC && !TARGET_OS_IPHONE +#if TARGET_OS_OSX extern const CFStringRef kSecPolicyAppleiChat __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_7, __MAC_10_9, __IPHONE_NA, __IPHONE_NA); #endif diff --git a/trust/SecPolicyPriv.h b/trust/SecPolicyPriv.h index 2f70ab0b..694a775d 100644 --- a/trust/SecPolicyPriv.h +++ b/trust/SecPolicyPriv.h @@ -36,6 +36,7 @@ #include #include #include +#include __BEGIN_DECLS 
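Review bot: The `SecIdentitySignCertificate` comment says the outputs of `SecVerifyCertificateRequest` may be passed in as inputs, but the subject and extensions of a CSR are chosen by the requester, and a verified CSR signature only shows possession of the key. The @discussion should carry a caveat such as `The subject and extensions taken from a CSR are requester-supplied; check them against issuance policy (e.g. basic constraints, key usage, names) before signing.` The comment also documents `@param hashingAlgorithm`, which only `SecIdentitySignCertificateWithAlgorithm` takes; that variant has no comment of its own, and neither states the digest used when none is given. `SecCertificateGenerateRequest` in the text matches no declaration in this header and is presumably `SecGenerateCertificateRequest`.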
@@ -45,67 +46,6 @@ CF_IMPLICIT_BRIDGING_ENABLED /*! @enum Policy Constants (Private) @discussion Predefined constants used to specify a policy. - @constant kSecPolicyAppleMobileStore - @constant kSecPolicyAppleTestMobileStore - @constant kSecPolicyAppleEscrowService - @constant kSecPolicyAppleProfileSigner - @constant kSecPolicyAppleQAProfileSigner - @constant kSecPolicyAppleServerAuthentication - @constant kSecPolicyAppleOTAPKISigner - @constant kSecPolicyAppleTestOTAPKISigner - @constant kSecPolicyAppleIDValidationRecordSigning - @constant kSecPolicyAppleSMPEncryption - @constant kSecPolicyAppleTestSMPEncryption - @constant kSecPolicyApplePCSEscrowService - @constant kSecPolicyApplePPQSigning - @constant kSecPolicyAppleTestPPQSigning - @constant kSecPolicyAppleSWUpdateSigning - @constant kSecPolicyApplePackageSigning - @constant kSecPolicyAppleOSXProvisioningProfileSigning - @constant kSecPolicyAppleATVVPNProfileSigning - @constant kSecPolicyAppleAST2DiagnosticsServerAuth - @constant kSecPolicyAppleEscrowProxyServerAuth - @constant kSecPolicyAppleFMiPServerAuth - @constant kSecPolicyAppleMMCService - @constant kSecPolicyAppleGSService - @constant kSecPolicyApplePPQService - @constant kSecPolicyAppleHomeKitServerAuth - @constant kSecPolicyAppleiPhoneActivation - @constant kSecPolicyAppleiPhoneDeviceCertificate - @constant kSecPolicyAppleFactoryDeviceCertificate - @constant kSecPolicyAppleiAP - @constant kSecPolicyAppleiTunesStoreURLBag - @constant kSecPolicyAppleiPhoneApplicationSigning - @constant kSecPolicyAppleiPhoneProfileApplicationSigning - @constant kSecPolicyAppleiPhoneProvisioningProfileSigning - @constant kSecPolicyAppleLockdownPairing - @constant kSecPolicyAppleURLBag - @constant kSecPolicyAppleOTATasking - @constant kSecPolicyAppleMobileAsset - @constant kSecPolicyAppleIDAuthority - @constant kSecPolicyAppleGenericApplePinned - @constant kSecPolicyAppleGenericAppleSSLPinned - @constant kSecPolicyAppleSoftwareSigning - @constant 
kSecPolicyAppleExternalDeveloper - @constant kSecPolicyAppleOCSPSigner - @constant kSecPolicyAppleIDSService - @constant kSecPolicyAppleIDSServiceContext - @constant kSecPolicyApplePushService - @constant kSecPolicyAppleLegacyPushService - @constant kSecPolicyAppleTVOSApplicationSigning - @constant kSecPolicyAppleUniqueDeviceIdentifierCertificate - @constant kSecPolicyAppleEscrowProxyCompatibilityServerAuth - @constant kSecPolicyAppleMMCSCompatibilityServerAuth - @constant kSecPolicyAppleSecureIOStaticAsset - @constant kSecPolicyAppleWarsaw - @constant kSecPolicyAppleiCloudSetupServerAuth - @constant kSecPolicyAppleiCloudSetupCompatibilityServerAuth - @constant kSecPolicyAppleAppTransportSecurity - @constant kSecPolicyAppleMobileSoftwareUpdate - @constant kSecPolicyAppleMobileAssetDevelopment - @constant kSecPolicyAppleBasicAttestationSystem - @constant kSecPolicyAppleBasicAttestationUser - @constant kSecPolicyAppleiPhoneVPNApplicationSigning */ extern const CFStringRef kSecPolicyAppleMobileStore __OSX_AVAILABLE_STARTING(__MAC_10_9, __IPHONE_7_0); @@ -120,9 +60,9 @@ extern const CFStringRef kSecPolicyAppleQAProfileSigner extern const CFStringRef kSecPolicyAppleServerAuthentication __OSX_AVAILABLE_STARTING(__MAC_10_10, __IPHONE_8_0); extern const CFStringRef kSecPolicyAppleOTAPKISigner - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_7_0); + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_12, __MAC_10_13_4, __IPHONE_7_0, __IPHONE_11_3); extern const CFStringRef kSecPolicyAppleTestOTAPKISigner - __OSX_AVAILABLE_STARTING(__MAC_10_12, __IPHONE_7_0); + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_12, __MAC_10_13_4, __IPHONE_7_0, __IPHONE_11_3); extern const CFStringRef kSecPolicyAppleIDValidationRecordSigningPolicy __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_NA, __MAC_NA, __IPHONE_7_0, __IPHONE_10_0); extern const CFStringRef kSecPolicyAppleIDValidationRecordSigning 
@@ -248,7 +188,10 @@ extern const CFStringRef kSecPolicyAppleiPhoneVPNApplicationSigning @constant kSecPolicyNameAppleMMCSService @constant kSecPolicyNameApplePPQService @constant kSecPolicyNameApplePushService - @constant kSecPolicyNameAppleGalaxyProviderService + @constant kSecPolicyNameAppleAIDCService + @constant kSecPolicyNameAppleMapsService + @constant kSecPolicyNameAppleHealthProviderService + @constant kSecPolicyNameAppleParsecService */ extern const CFStringRef kSecPolicyNameAppleAST2Service __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); @@ -270,8 +213,14 @@ extern const CFStringRef kSecPolicyNameApplePPQService __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); extern const CFStringRef kSecPolicyNameApplePushService __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); -extern const CFStringRef kSecPolicyNameAppleGalaxyProviderService - __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); +extern const CFStringRef kSecPolicyNameAppleAIDCService + __OSX_AVAILABLE(10.13.4) __IOS_AVAILABLE(11.3) __TVOS_AVAILABLE(11.3) __WATCHOS_AVAILABLE(4.3); +extern const CFStringRef kSecPolicyNameAppleMapsService + __OSX_AVAILABLE(10.13.4) __IOS_AVAILABLE(11.3) __TVOS_AVAILABLE(11.3) __WATCHOS_AVAILABLE(4.3); +extern const CFStringRef kSecPolicyNameAppleHealthProviderService + __OSX_AVAILABLE(10.13.4) __IOS_AVAILABLE(11.3) __TVOS_AVAILABLE(11.3) __WATCHOS_AVAILABLE(4.3); +extern const CFStringRef kSecPolicyNameAppleParsecService + __OSX_AVAILABLE(10.13.4) __IOS_AVAILABLE(11.3) __TVOS_AVAILABLE(11.3) __WATCHOS_AVAILABLE(4.3); /*! @enum Policy Value Constants 
@@ -979,7 +928,8 @@ SecPolicyRef SecPolicyCreateQAConfigurationProfileSigner(void); on this when it is no longer needed. */ __nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateOTAPKISigner(void); +SecPolicyRef SecPolicyCreateOTAPKISigner(void) + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_12, __MAC_10_13_4, __IPHONE_7_0, __IPHONE_11_3); /*! @function SecPolicyCreateTestOTAPKISigner @@ -992,7 +942,8 @@ SecPolicyRef SecPolicyCreateOTAPKISigner(void); on this when it is no longer needed. */ __nullable CF_RETURNS_RETAINED -SecPolicyRef SecPolicyCreateTestOTAPKISigner(void); +SecPolicyRef SecPolicyCreateTestOTAPKISigner(void) + __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_12, __MAC_10_13_4, __IPHONE_7_0, __IPHONE_11_3); /*! @function SecPolicyCreateAppleIDValidationRecordSigningPolicy 
@@ -1688,17 +1639,27 @@ __nullable CF_RETURNS_RETAINED SecPolicyRef SecPolicyCreateAppleBasicAttestationUser(CFDataRef __nullable testRootHash) __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); -CF_IMPLICIT_BRIDGING_DISABLED -CF_ASSUME_NONNULL_END +/*! + @function SecPolicyCreateDemoDigitalCatalog + @abstract Returns a policy object for evaluating certificate chains for signing Digital + Catalog manifests for Demo units. + @discussion This policy uses the Basic X.509 policy with validity check and + pinning options: + * There are exactly 3 certs in the chain. + * The intermediate has common name "DemoUnit CA" + * The leaf has a marker extension with OID 1.2.840.113635.100.6.60 + @result A policy object. The caller is responsible for calling CFRelease + on this when it is no longer needed. + */ +__nullable CF_RETURNS_RETAINED +SecPolicyRef SecPolicyCreateDemoDigitalCatalogSigning(void) + __OSX_AVAILABLE(10.13.4) __IOS_AVAILABLE(11.3) __TVOS_AVAILABLE(11.3) __WATCHOS_AVAILABLE(4.3); /* * Legacy functions (OS X only) */ #if TARGET_OS_MAC && !TARGET_OS_IPHONE -CF_ASSUME_NONNULL_BEGIN -CF_IMPLICIT_BRIDGING_ENABLED - /*! @function SecPolicyCopy @abstract Returns a copy of a policy reference based on certificate type and OID. 
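Review bot: The headerdoc tag reads `@function SecPolicyCreateDemoDigitalCatalog` but the declaration is `SecPolicyCreateDemoDigitalCatalogSigning`; the tag should be `@function SecPolicyCreateDemoDigitalCatalogSigning` so generated documentation and searches resolve to the real symbol. The pinning list gives the chain length, the intermediate common name and the leaf marker OID, but does not say which anchor the chain must terminate at. If the policy also requires an Apple anchor (not visible from this header), the @discussion should list that check alongside the others.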
@@ -1750,12 +1711,133 @@ __nullable CF_RETURNS_RETAINED CFArrayRef SecPolicyCreateAppleTimeStampingAndRevocationPolicies(CFTypeRef policyOrArray) __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_10, __MAC_10_13, __IPHONE_NA, __IPHONE_NA); +#endif /* TARGET_OS_MAC && !TARGET_OS_IPHONE */ + +/* MARK: WARNING: The following constants and functions are for project use + * within the Security project and are subject to change without warning */ + +/*! + @enum Policy Check Keys + @discussion Keys that represent various checks that can be done in a trust + policy. Use outside of the Security project at your own peril. + */ +extern const CFStringRef kSecPolicyCheckAnchorApple; +extern const CFStringRef kSecPolicyCheckAnchorSHA1; +extern const CFStringRef kSecPolicyCheckAnchorSHA256; +extern const CFStringRef kSecPolicyCheckAnchorTrusted; +extern const CFStringRef kSecPolicyCheckBasicCertificateProcessing; +extern const CFStringRef kSecPolicyCheckBasicConstraints; +extern const CFStringRef kSecPolicyCheckBasicConstraintsCA; +extern const CFStringRef kSecPolicyCheckBasicConstraintsPathLen; +extern const CFStringRef kSecPolicyCheckBlackListedKey; +extern const CFStringRef kSecPolicyCheckBlackListedLeaf; +extern const CFStringRef kSecPolicyCheckCertificatePolicy; +extern const CFStringRef kSecPolicyCheckChainLength; +extern const CFStringRef kSecPolicyCheckCriticalExtensions; +extern const CFStringRef kSecPolicyCheckEAPTrustedServerNames; +extern const CFStringRef kSecPolicyCheckEmail; +extern const CFStringRef kSecPolicyCheckExtendedKeyUsage; +extern const CFStringRef kSecPolicyCheckExtendedValidation; +extern const CFStringRef kSecPolicyCheckGrayListedKey; +extern const CFStringRef kSecPolicyCheckGrayListedLeaf; +extern const CFStringRef kSecPolicyCheckIdLinkage; +extern const CFStringRef kSecPolicyCheckIntermediateCountry; +extern const CFStringRef kSecPolicyCheckIntermediateEKU; +extern const CFStringRef kSecPolicyCheckIntermediateMarkerOid; +extern const CFStringRef 
kSecPolicyCheckIntermediateOrganization; +extern const CFStringRef kSecPolicyCheckIntermediateSPKISHA256; +extern const CFStringRef kSecPolicyCheckIssuerCommonName; +extern const CFStringRef kSecPolicyCheckKeySize; +extern const CFStringRef kSecPolicyCheckKeyUsage; +extern const CFStringRef kSecPolicyCheckLeafMarkerOid; +extern const CFStringRef kSecPolicyCheckLeafMarkerOidWithoutValueCheck; +extern const CFStringRef kSecPolicyCheckLeafMarkersProdAndQA; +extern const CFStringRef kSecPolicyCheckMissingIntermediate; +extern const CFStringRef kSecPolicyCheckNameConstraints; +extern const CFStringRef kSecPolicyCheckNoNetworkAccess; +extern const CFStringRef kSecPolicyCheckNonEmptySubject; +extern const CFStringRef kSecPolicyCheckNotValidBefore; +extern const CFStringRef kSecPolicyCheckPinningRequired; +extern const CFStringRef kSecPolicyCheckPolicyConstraints; +extern const CFStringRef kSecPolicyCheckRevocation; +extern const CFStringRef kSecPolicyCheckRevocationOnline; +extern const CFStringRef kSecPolicyCheckRevocationResponseRequired; +extern const CFStringRef kSecPolicyCheckSSLHostname; +extern const CFStringRef kSecPolicyCheckSignatureHashAlgorithms; +extern const CFStringRef kSecPolicyCheckSubjectCommonName; +extern const CFStringRef kSecPolicyCheckSubjectCommonNamePrefix; +extern const CFStringRef kSecPolicyCheckSubjectCommonNameTEST; +extern const CFStringRef kSecPolicyCheckSubjectOrganization; +extern const CFStringRef kSecPolicyCheckSubjectOrganizationalUnit; +extern const CFStringRef kSecPolicyCheckSystemTrustedWeakHash; +extern const CFStringRef kSecPolicyCheckSystemTrustedWeakKey; +extern const CFStringRef kSecPolicyCheckTemporalValidity; +extern const CFStringRef kSecPolicyCheckUsageConstraints; +extern const CFStringRef kSecPolicyCheckValidRoot; +extern const CFStringRef kSecPolicyCheckWeakKeySize; +extern const CFStringRef kSecPolicyCheckWeakSignature; +extern const CFStringRef kSecPolicyCheckCTRequired; + +/* Special option for checking Apple Anchors 
*/ +extern const CFStringRef kSecPolicyAppleAnchorIncludeTestRoots; + +/* Special option for checking Prod and QA Markers */ +extern const CFStringRef kSecPolicyLeafMarkerProd; +extern const CFStringRef kSecPolicyLeafMarkerQA; + +/* Special option for checking Revocation */ +extern const CFStringRef kSecPolicyCheckRevocationOCSP; +extern const CFStringRef kSecPolicyCheckRevocationCRL; +extern const CFStringRef kSecPolicyCheckRevocationAny; + +/* Policy Names */ +extern const CFStringRef kSecPolicyNameX509Basic; +extern const CFStringRef kSecPolicyNameSSLServer; +extern const CFStringRef kSecPolicyNameSSLClient; +extern const CFStringRef kSecPolicyNameEAPServer; +extern const CFStringRef kSecPolicyNameEAPClient; +extern const CFStringRef kSecPolicyNameIPSecServer; +extern const CFStringRef kSecPolicyNameIPSecClient; +extern const CFStringRef kSecPolicyNameSMIME; +extern const CFStringRef kSecPolicyNameCodeSigning; +extern const CFStringRef kSecPolicyNameTimeStamping; +extern const CFStringRef kSecPolicyNameOCSPSigner; + +/* + * MARK: SecPolicyCheckCert functions + */ +bool SecPolicyCheckCertSSLHostname(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertEmail(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertTemporalValidity(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertWeakKeySize(SecCertificateRef cert, CFTypeRef __nullable pvcValue); +bool SecPolicyCheckCertKeyUsage(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertExtendedKeyUsage(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertSubjectCommonName(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertSubjectCommonNamePrefix(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertSubjectCommonNameTEST(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertSubjectOrganization(SecCertificateRef cert, CFTypeRef pvcValue); +bool 
SecPolicyCheckCertSubjectOrganizationalUnit(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertNotValidBefore(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertEAPTrustedServerNames(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertLeafMarkerOid(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertLeafMarkerOidWithoutValueCheck(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertLeafMarkersProdAndQA(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertNonEmptySubject(SecCertificateRef cert, CFTypeRef __nullable pvcValue); +bool SecPolicyCheckCertKeySize(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertWeakSignature(SecCertificateRef cert, CFTypeRef __nullable pvcValue); +bool SecPolicyCheckCertSignatureHashAlgorithms(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertCertificatePolicy(SecCertificateRef cert, CFTypeRef pvcValue); +bool SecPolicyCheckCertCriticalExtensions(SecCertificateRef cert, CFTypeRef __nullable pvcValue); +bool SecPolicyCheckCertSubjectCountry(SecCertificateRef cert, CFTypeRef pvcValue); + +void SecPolicySetName(SecPolicyRef policy, CFStringRef policyName); +__nullable CFArrayRef SecPolicyXPCArrayCopyArray(xpc_object_t xpc_policies, CFErrorRef *error); + +void SecPolicySetOptionsValue(SecPolicyRef policy, CFStringRef key, CFTypeRef value); CF_IMPLICIT_BRIDGING_DISABLED CF_ASSUME_NONNULL_END -#endif /* TARGET_OS_MAC && !TARGET_OS_IPHONE */ - __END_DECLS #endif /* !_SECURITY_SECPOLICYPRIV_H_ */ diff --git a/trust/SecTrustPriv.h b/trust/SecTrustPriv.h index a616b86a..b04be624 100644 --- a/trust/SecTrustPriv.h +++ b/trust/SecTrustPriv.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003-2017 Apple Inc. All Rights Reserved. + * Copyright (c) 2003-2018 Apple Inc. All Rights Reserved. * * @APPLE_LICENSE_HEADER_START@ * @@ -34,6 +34,7 @@ #include #include #include +#include __BEGIN_DECLS 
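Review bot: The `SecPolicyCheckCert*` prototypes added in the -1750,12 hunk are undocumented: nothing says which CF type each `pvcValue` must be or what a `true` return means, and every one takes an untyped `CFTypeRef`. A block comment above them would cover it, for example `/* Each function returns true when cert satisfies the check; pvcValue is the option value stored under the matching kSecPolicyCheck key. */`, with the wording confirmed against the implementation, which is not part of this hunk. `SecPolicySetOptionsValue` and `SecPolicySetName` modify an existing policy object, so their comments should say whether that is allowed once the policy is attached to a trust object. `SecPolicyXPCArrayCopyArray` takes a bare `CFErrorRef *error`, unlike the `_Nullable * _Nullable CF_RETURNS_RETAINED` form used for error out-parameters in SecTrustPriv.h in this same patch.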
@@ -245,9 +246,35 @@ Boolean SecTrustIsExpiredOnly(SecTrustRef trust) __nullable CF_RETURNS_RETAINED CFStringRef SecTrustCopyFailureDescription(SecTrustRef trust); -OSStatus SecTrustGetOTAPKIAssetVersionNumber(int* versionNumber); +/* + @function SecTrustGetTrustStoreVersionNumber + @abstract Ask trustd what trust store version it is using. + @param error A returned error if trustd failed to answer. + @result The current version of the trust store. 0 upon failure. + */ +uint64_t SecTrustGetTrustStoreVersionNumber(CFErrorRef _Nullable * _Nullable CF_RETURNS_RETAINED error); -OSStatus SecTrustOTAPKIGetUpdatedAsset(int* didUpdateAsset); +/* + @function SecTrustOTAPKIGetUpdatedAsset + @abstract Trigger trustd to fetch a new trust supplementals asset right now. + @param error A returned error if trustd failed to update the asset. + @result The current version of the update, regardless of the success of the update. + @discussion This function blocks up to 1 minute until trustd has finished with the + asset download and update. You should use the error parameter to determine whether + the update was was successful. The current asset version is always returned. + */ +uint64_t SecTrustOTAPKIGetUpdatedAsset(CFErrorRef _Nullable * _Nullable CF_RETURNS_RETAINED error); + +/*! + @function SecTrustFlushResponseCache + @abstract Removes all OCSP responses from the per-user response cache. + @param error An optional pointer to an error object + @result A boolean value indicating whether the operation was successful. + @discussion If the error parameter is supplied, and the function returns false, + the caller is subsequently responsible for releasing the returned CFErrorRef. + */ +Boolean SecTrustFlushResponseCache(CFErrorRef _Nullable * _Nullable CF_RETURNS_RETAINED error) + __OSX_AVAILABLE(10.13.4) __IOS_AVAILABLE(11.3) __TVOS_AVAILABLE(11.3) __WATCHOS_AVAILABLE(4.3); /*! @function SecTrustSignedCertificateTimestampList 
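Review bot: `SecTrustOTAPKIGetUpdatedAsset` is documented to return the current asset version whether or not the update succeeded, and its `error` parameter is `_Nullable`, so a caller that passes NULL cannot tell that a trust-asset update failed. The comment should say that directly, e.g. `Pass a non-NULL error; the return value alone does not indicate success.`, and state that the caller releases the returned CFErrorRef, as the `SecTrustFlushResponseCache` comment does. The function keeps its name while its signature changes from `OSStatus (int *)` to `uint64_t (CFErrorRef *)`, and neither it nor `SecTrustGetTrustStoreVersionNumber` has an availability annotation, unlike `SecTrustFlushResponseCache` below them. `was was` in the discussion is a typo.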
@@ -387,6 +414,38 @@ OSStatus SecTrustSetPinningPolicyName(SecTrustRef trust, CFStringRef policyName) OSStatus SecTrustSetPinningException(SecTrustRef trust) __OSX_AVAILABLE(10.13) __IOS_AVAILABLE(11.0) __TVOS_AVAILABLE(11.0) __WATCHOS_AVAILABLE(4.0); +/*! + @function SecTrustEvaluateWithError + @abstract Evaluates a trust reference synchronously. + @param trust A reference to the trust object to evaluate. + @param error A pointer to an error object + @result A boolean value indicating whether the certificate is trusted + @discussion This function will completely evaluate trust before returning, + possibly including network access to fetch intermediate certificates or to + perform revocation checking. Since this function can block during those + operations, you should call it from within a function that is placed on a + dispatch queue, or in a separate thread from your application's main + run loop. + If the certificate is trusted and the result is true, the error will be set to NULL. + If the certificate is not trusted or the evaluation was unable to complete, the result + will be false and the error will be set with a description of the failure. + The error contains a code for the most serious error encountered (if multiple trust + failures occurred). The localized description indicates the certificate with the most + serious problem and the type of error. The underlying error contains a localized + description of each certificate in the chain that had an error and all errors found + with that certificate. + */ +__attribute__((warn_unused_result)) bool +SecTrustEvaluateWithError(SecTrustRef trust, CFErrorRef _Nullable * _Nullable CF_RETURNS_RETAINED error) + __OSX_AVAILABLE(10.13.4) __IOS_AVAILABLE(11.3) __TVOS_AVAILABLE(11.3) __WATCHOS_AVAILABLE(4.3); + +/*! + @function SecTrustReportTLSAnalytics + @discussion This function MUST NOT be called outside of the TLS stack. 
+*/ +bool SecTrustReportTLSAnalytics(CFStringRef eventName, xpc_object_t eventAttributes, CFErrorRef _Nullable * _Nullable CF_RETURNS_RETAINED error) + __API_AVAILABLE(macos(10.13.4), ios(11.3), tvos(11.3), watchos(4.3)); + CF_IMPLICIT_BRIDGING_DISABLED CF_ASSUME_NONNULL_END diff --git a/OSX/libsecurity_keychain/libDER/libDER/oids.h b/trust/oids.h similarity index 94% rename from OSX/libsecurity_keychain/libDER/libDER/oids.h rename to trust/oids.h index 7f78053d..4a1d490d 100644 --- a/OSX/libsecurity_keychain/libDER/libDER/oids.h +++ b/trust/oids.h @@ -27,14 +27,17 @@ * */ -#ifndef _LIB_DER_OIDS_H_ -#define _LIB_DER_OIDS_H_ +#ifndef _SECURITY_OIDS_H_ +#define _SECURITY_OIDS_H_ #include #include __BEGIN_DECLS +/* This is a subset of libDER's oids.h. If the types header has + * already been included, we should skip these typedef declarations. */ +#ifndef _LIB_DER_H_ /* * Basic data types */ @@ -48,6 +51,7 @@ typedef struct { DERByte *data; DERSize length; } DERItem; +#endif /* _LIB_DER_H_ */ /* Algorithm oids. */ extern const DERItem @@ -149,4 +153,4 @@ extern const DERItem __END_DECLS -#endif /* _LIB_DER_OIDS_H_ */ +#endif /* _SECURITY_OIDS_H_ */ diff --git a/xcconfig/PlatformFeatures.xcconfig b/xcconfig/PlatformFeatures.xcconfig index 3c5e655d..872aec9f 100644 --- a/xcconfig/PlatformFeatures.xcconfig +++ b/xcconfig/PlatformFeatures.xcconfig @@ -2,7 +2,7 @@ #include "xcconfig/PlatformLibraries.xcconfig" PLATFORM_STR = "unknown" -PLATFORM_STR[sdk=macosx*] = "macos" +PLATFORM_STR[sdk=macosx*] = "macOS" PLATFORM_STR[sdk=iphoneos*] = "iphone" PLATFORM_STR[sdk=watchos*] = "watch" PLATFORM_STR[sdk=appletvos*] = "tv" diff --git a/xcconfig/PlatformLibraries.xcconfig b/xcconfig/PlatformLibraries.xcconfig index 3d2828a7..3a36cf4c 100644 --- a/xcconfig/PlatformLibraries.xcconfig +++ b/xcconfig/PlatformLibraries.xcconfig 
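Review bot: The `SecTrustEvaluateWithError` comment describes `error` as `A pointer to an error object` although the parameter is `_Nullable`, and it does not say who owns the returned error. Suggested wording: `@param error An optional pointer to an error object; on a false result the caller is responsible for releasing the returned CFErrorRef.`, in line with the `SecTrustFlushResponseCache` comment earlier in this file. `SecTrustReportTLSAnalytics` documents only a usage restriction and needs `@param`/`@result` lines for `eventName`, `eventAttributes` and the return value. It also uses `__API_AVAILABLE` where the other additions to this header use the `__OSX_AVAILABLE`/`__IOS_AVAILABLE` macros.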
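Review bot: The `#ifndef _LIB_DER_H_` guard around the basic type typedefs in trust/oids.h (opened in the -27,14 hunk, closed after `DERItem` in the -48,6 hunk) only helps when the libDER header is included before this one. In the opposite order the types would be declared twice, unless libDER's own header tests for `_SECURITY_OIDS_H_`; that header is not part of this patch view. A comment stating the constraint, e.g. `/* If libDER headers are also needed, include them before this file. */`, would save a later reader from a confusing redefinition error.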
@@ -1,5 +1,5 @@ -AOSKIT_FRAMEWORK[sdk=macosx*] = -framework AOSAccounts +AOSKIT_FRAMEWORK[sdk=macosx*] = -weak_framework AOSAccounts -weak_framework AOSAccountsLite APPLE_AKS_LIBRARY[sdk=macosx*] = -L$(SDKROOT)/usr/local/lib -laks -framework MobileKeyBag APPLE_AKS_LIBRARY[sdk=iphoneos*] = -L$(SDKROOT)/usr/local/lib -laks -framework MobileKeyBag APPLE_AKS_LIBRARY[sdk=watchos*] = -L$(SDKROOT)/usr/local/lib -laks -framework MobileKeyBag @@ -11,6 +11,12 @@ OTHER_LDFLAGS_DIAGNOSTICSMESSAGESCLIENT[sdk=macosx*] = -lDiagnosticMessagesClien OTHER_LDFLAGS_LIBCMS[sdk=embedded*] = -lCMS OTHER_LDFLAGS_MOBILEGESTALT[sdk=embedded*] = -lMobileGestalt +OTHER_LDFLAGS_CRASHREPORTER[sdk=embedded] = -framework CrashReporterSupport +OTHER_LDFLAGS_CRASHREPORTER[sdk=macos*] = -framework CrashReporterSupport + +OTHER_CODE_SIGN_FLAGS_LIBRARY_VALIDATION = -o library +OTHER_CODE_SIGN_FLAGS_LIBRARY_VALIDATION[sdk=*simulator*] = + // // Play games to avoid issues with bridge trains // 
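Review bot: The two added `OTHER_LDFLAGS_CRASHREPORTER` conditions in the `@@ -11,6 +11,12 @@` hunk are spelled differently from the rest of this file: `[sdk=embedded]` has no trailing `*`, and `[sdk=macos*]` is used where the other lines use `[sdk=macosx*]`. The context lines just above use `[sdk=embedded*]`, so without the wildcard the embedded setting may never match a versioned SDK name and the framework would silently not be linked. I would write `OTHER_LDFLAGS_CRASHREPORTER[sdk=embedded*]` and `OTHER_LDFLAGS_CRASHREPORTER[sdk=macosx*]`. Separately, `OTHER_CODE_SIGN_FLAGS_LIBRARY_VALIDATION` is emptied for simulator SDKs without explanation; a one-line comment such as `// Library validation is not applied to simulator builds` would show that the weaker setting is deliberate.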
@@ -27,6 +33,26 @@ OTHER_LDFLAGS_CLOUDKIT_BRIDGE_NO = -framework CloudKit OTHER_LDFLAGS_CLOUDKIT_BRIDGE_YES = OTHER_LDFLAGS_CLOUDKIT = $(OTHER_LDFLAGS_CLOUDKIT_BRIDGE_$(BRIDGE)) +OTHER_LDFLAGS_PREQUELITE_BRIDGE_NO = -l prequelite +OTHER_LDFLAGS_PREQUELITE_BRIDGE_YES = +OTHER_LDFLAGS_PREQUELITE = $(OTHER_LDFLAGS_PREQUELITE_BRIDGE_$(BRIDGE)) + +OTHER_LDFLAGS_ACCOUNTS_BRIDGE_NO = -framework Accounts +OTHER_LDFLAGS_ACCOUNTS_BRIDGE_YES = +OTHER_LDFLAGS_ACCOUNTS = $(OTHER_LDFLAGS_ACCOUNTS_BRIDGE_$(BRIDGE)) + +OTHER_LDFLAGS_APPLEACCOUNT_IOS_NO = -framework AppleAccount +OTHER_LDFLAGS_APPLEACCOUNT_IOS_YES = + +OTHER_LDFLAGS_APPLEACCOUNT[sdk=iphoneos*] = $(OTHER_LDFLAGS_APPLEACCOUNT_IOS_$(BRIDGE)) +OTHER_LDFLAGS_APPLEACCOUNT[sdk=iphonesimulator*] = $(OTHER_LDFLAGS_APPLEACCOUNT_IOS_$(BRIDGE)) +OTHER_LDFLAGS_APPLEACCOUNT[sdk=appletv*] = $(OTHER_LDFLAGS_APPLEACCOUNT_IOS_$(BRIDGE)) +OTHER_LDFLAGS_APPLEACCOUNT[sdk=watchos*] = $(OTHER_LDFLAGS_APPLEACCOUNT_IOS_$(BRIDGE)) + +OTHER_LDFLAGS_CORECDP_BRIDGE_NO = -framework CoreCDP +OTHER_LDFLAGS_CORECDP_BRIDGE_YES = +OTHER_LDFLAGS_CORECDP = $(OTHER_LDFLAGS_CORECDP_BRIDGE_$(BRIDGE)) + // The bridge appears to support protocol buffers. OTHER_LDFLAGS_PROTOBUF = -framework ProtocolBuffer @@ -52,3 +78,9 @@ OTHER_LDFLAGS_MOBILEASSET = $(OTHER_LDFLAGS_MOBILEASSET_BRIDGE_$(BRIDGE)) OTHER_LDFLAGS_SECURITYFOUNDATION_BRIDGE_NO = -framework SecurityFoundation OTHER_LDFLAGS_SECURITYFOUNDATION_BRIDGE_YES = OTHER_LDFLAGS_SECURITYFOUNDATION = $(OTHER_LDFLAGS_SECURITYFOUNDATION_BRIDGE_$(BRIDGE)) + +// Breaks the BaseSystem: fixing in Re-enable IMCore autosysdiagnose capture to securityd +//OTHER_LDFLAGS_IMCORE_BRIDGE_NO = -framework IMCore +//OTHER_LDFLAGS_IMCORE_BRIDGE_YES = +OTHER_LDFLAGS_IMCORE = $(OTHER_LDFLAGS_IMCORE_BRIDGE_$(BRIDGE)) +OTHER_LDFLAGS_IMCORE[sdk=appletv*] = diff --git a/xcconfig/Security.xcconfig b/xcconfig/Security.xcconfig index 6a48d3cb..a9a2b0a0 100644 --- a/xcconfig/Security.xcconfig +++ b/xcconfig/Security.xcconfig 
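Review bot: In the `@@ -52,3 +78,9 @@` hunk, `OTHER_LDFLAGS_IMCORE` still expands `$(OTHER_LDFLAGS_IMCORE_BRIDGE_$(BRIDGE))`, but both `_BRIDGE_NO` and `_BRIDGE_YES` are commented out. The setting therefore resolves to an undefined variable and is empty only as a side effect. I would state the intent directly with `OTHER_LDFLAGS_IMCORE =`, keep the explanatory comment, and drop the commented-out assignments until IMCore linking is restored. The comment `fixing in Re-enable IMCore autosysdiagnose capture to securityd` also appears to have lost its tracking reference, so it should be reworded to stand on its own or have the reference restored.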
@@ -1,23 +1,38 @@ SYSTEM_FRAMEWORK_SEARCH_PATHS = $(inherited) $(SDKROOT)/$(SYSTEM_LIBRARY_DIR)/PrivateFrameworks +MACOSX_DEPLOYMENT_TARGET = 10.13.4 + OTHER_CFLAGS = -isystem $(SDKROOT)/System/Library/Frameworks/System.framework/PrivateHeaders -fconstant-cfstrings -HEADER_SEARCH_PATHS = $(PROJECT_DIR) $(PROJECT_DIR)/OSX/libsecurity_keychain/libDER $(PROJECT_DIR)/OSX/libsecurity_asn1 $(PROJECT_DIR)/OSX/sec/ProjectHeaders $(PROJECT_DIR)/OSX/sec $(PROJECT_DIR)/OSX/utilities $(PROJECT_DIR)/OSX $(inherited) +HEADER_SYMLINKS = $(PROJECT_DIR)/header_symlinks +HEADER_SYMLINKS[sdk=macosx*] = $(PROJECT_DIR)/header_symlinks $(PROJECT_DIR)/header_symlinks/macOS +HEADER_SYMLINKS[sdk=embedded*] = $(PROJECT_DIR)/header_symlinks $(PROJECT_DIR)/header_symlinks/iOS + +HEADER_SEARCH_PATHS = $(PROJECT_DIR) $(HEADER_SYMLINKS) $(SDKROOT)/usr/local/include/security_libDER $(PROJECT_DIR)/OSX/libsecurity_asn1 $(PROJECT_DIR)/OSX/sec/ProjectHeaders $(PROJECT_DIR)/OSX/sec $(PROJECT_DIR)/OSX/utilities $(PROJECT_DIR)/OSX $(inherited) ARCHS[sdk=macosx*] = $(ARCHS_STANDARD) +LIBRARY_SEARCH_PATHS = $(inherited) $(SDKROOT)/usr/local/lib/security_libDER + #include "xcconfig/PlatformFeatures.xcconfig" #include "xcconfig/Version.xcconfig" // Note that the 'Settings' view in Xcode will display the wrong values for platform-dependent settings // Refer to the actual build command for final computed value -GCC_PREPROCESSOR_DEFINITIONS = __KEYCHAINCORE__=1 CORECRYPTO_DONOT_USE_TRANSPARENT_UNION=1 OCTAGON=$(OCTAGON_ON) PLATFORM=$(PLATFORM_STR) SECURITY_BUILD_VERSION=\"$(SECURITY_BUILD_VERSION)\" $(GCC_PREPROCESSOR_DEFINITIONS) +GCC_PREPROCESSOR_DEFINITIONS = __KEYCHAINCORE__=1 CORECRYPTO_DONOT_USE_TRANSPARENT_UNION=1 OCTAGON=$(OCTAGON_ON) PLATFORM=$(PLATFORM_STR) SECURITY_BUILD_VERSION="\"$(SECURITY_BUILD_VERSION)\"" $(GCC_PREPROCESSOR_DEFINITIONS) SECURITY_FUZZER_BASE_DIR = /AppleInternal/CoreOS/Fuzzers/Security WARNING_CFLAGS = -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers 
-Wno-error=deprecated-declarations -Wno-error=implicit-retain-self -Wno-error=#warnings -Wno-error=unused-function -Wno-error=unused-variable -WARNING_CFLAGS[sdk=iphone*] = $(WARNING_CFLAGS) -Wformat=2 -WARNING_CFLAGS[sdk=tvos*] = $(WARNING_CFLAGS) -Wformat=2 -WARNING_CFLAGS[sdk=watchos*] = $(WARNING_CFLAGS) -Wformat=2 +WARNING_CFLAGS[sdk=embedded*] = $(WARNING_CFLAGS) -Wformat=2 + +// The SOS headers get copied into a specific directory in the framework during their own copy files phase. +// This breaks TAPI during the build, which does INSTALLHDR -> INSTALLAPI without running any copy files phases. +// So, we must include each file as a 'public' header in the TAPI command. +OTHER_TAPI_FLAGS_SOS = -extra-public-header $(PROJECT_DIR)/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoCollections.h -extra-public-header $(PROJECT_DIR)/OSX/sec/SOSCircle/SecureObjectSync/SOSCircleDer.h -extra-public-header $(PROJECT_DIR)/OSX/sec/SOSCircle/SecureObjectSync/SOSKVSKeys.h -extra-public-header $(PROJECT_DIR)/OSX/sec/SOSCircle/SecureObjectSync/SOSInternal.h -extra-public-header $(PROJECT_DIR)/OSX/sec/SOSCircle/SecureObjectSync/SOSGenCount.h -extra-public-header $(PROJECT_DIR)/OSX/sec/SOSCircle/CKBridge/SOSCloudKeychainClient.h -extra-public-header $(PROJECT_DIR)/OSX/sec/SOSCircle/SecureObjectSync/SOSPiggyback.h -extra-public-header $(PROJECT_DIR)/OSX/sec/SOSCircle/SecureObjectSync/SOSCircle.h -extra-public-header $(PROJECT_DIR)/OSX/sec/SOSCircle/SecureObjectSync/SOSFullPeerInfo.h -extra-public-header $(PROJECT_DIR)/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircleInternal.h -extra-public-header $(PROJECT_DIR)/OSX/sec/SOSCircle/SecureObjectSync/SOSTypes.h -extra-public-header $(PROJECT_DIR)/OSX/sec/SOSCircle/SecureObjectSync/SOSViews.h -extra-public-header $(PROJECT_DIR)/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfo.h -extra-public-header $(PROJECT_DIR)/OSX/sec/SOSCircle/SecureObjectSync/SOSCloudCircle.h -extra-public-header 
$(PROJECT_DIR)/OSX/sec/SOSCircle/SecureObjectSync/SOSPeerInfoV2.h -extra-public-header $(PROJECT_DIR)/OSX/sec/SOSCircle/SecureObjectSync/SOSBackupSliceKeyBag.h + +// This isn't OTHER_TAPI_FLAGS because we'll mess up other, non-Security.framework frameworks in the project +// Please don't add any more headers here. +OTHER_TAPI_FLAGS_SECURITY_FRAMEWORK = -D SECURITY_PROJECT_TAPI_HACKS=1 -extra-private-header $(PROJECT_DIR)/OSX/sec/Security/SecTrustInternal.h $(OTHER_TAPI_FLAGS_SOS) diff --git a/xcconfig/lib_ios.xcconfig b/xcconfig/lib_ios.xcconfig index f848c535..3c1e5eb9 100644 --- a/xcconfig/lib_ios.xcconfig +++ b/xcconfig/lib_ios.xcconfig @@ -5,7 +5,7 @@ EXECUTABLE_EXTENSION = a CODE_SIGN_IDENTITY = -HEADER_SEARCH_PATHS = $(inherited) $(PROJECT_DIR) $(PROJECT_DIR)/header_symlinks $(PROJECT_DIR)/OSX/sec/ProjectHeaders $(PROJECT_DIR)/OSX/utilities $(PROJECT_DIR)/OSX/sec/ipc $(PROJECT_DIR)/OSX/sectask $(PROJECT_DIR)/OSX/libsecurity_asn1 $(PROJECT_DIR)/OSX/libsecurity_ssl $(PROJECT_DIR)/OSX/regressions $(PROJECT_DIR)/OSX/ibsecurity_keychain/libDER $(BUILT_PRODUCTS_DIR)/usr/local/include +HEADER_SEARCH_PATHS = $(inherited) $(PROJECT_DIR) $(PROJECT_DIR)/header_symlinks $(PROJECT_DIR)/OSX/sec/ProjectHeaders $(PROJECT_DIR)/OSX/utilities $(PROJECT_DIR)/OSX/sec/ipc $(PROJECT_DIR)/OSX/sectask $(PROJECT_DIR)/OSX/libsecurity_asn1 $(PROJECT_DIR)/OSX/libsecurity_ssl $(PROJECT_DIR)/OSX/regressions $(SDKROOT)/usr/local/include/security_libDER $(BUILT_PRODUCTS_DIR)/usr/local/include HEADER_SEARCH_PATHS[sdk=macosx*] = $(inherited) $(PROJECT_DIR)/OSX/libsecurity_smime $(PROJECT_DIR)/header_symlinks/macOS $(SYSTEM_LIBRARY_DIR)/Frameworks/CoreServices.framework/Frameworks/CarbonCore.framework/Headers HEADER_SEARCH_PATHS[sdk=embedded*] = $(inherited) $(PROJECT_DIR)/libsecurity_smime $(PROJECT_DIR)/OSX/sec/sectask $(PROJECT_DIR)/header_symlinks/iOS diff --git a/xcconfig/macos_legacy_lib.xcconfig b/xcconfig/macos_legacy_lib.xcconfig index 34d7d2c9..c2b91129 100644 
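Review bot: In the xcconfig/Security.xcconfig hunk, `-Wformat=2` is still applied only under `WARNING_CFLAGS[sdk=embedded*]`. macOS builds of the same sources therefore get just the `-Wformat` level implied by `-Wall` and miss the stricter diagnostics for non-literal format strings. Since the three per-SDK lines are being collapsed anyway, adding `-Wformat=2` to the base `WARNING_CFLAGS` line would cover every platform with one setting. If macOS is left out on purpose, for example because older code does not build cleanly with it, a comment next to the conditional line saying so would keep the gap from going unnoticed.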
--- a/xcconfig/macos_legacy_lib.xcconfig +++ b/xcconfig/macos_legacy_lib.xcconfig @@ -5,7 +5,7 @@ EXECUTABLE_PREFIX = lib SUPPORTED_PLATFORMS = macosx ARCHS = $(ARCHS_STANDARD_32_64_BIT) -HEADER_SEARCH_PATHS = $(PROJECT_DIR)/OSX/libsecurity_cssm/lib/ $(PROJECT_DIR)/header_symlinks/macOS/ $(PROJECT_DIR)/OSX/include/ $(inherited) $(PROJECT_DIR) $(PROJECT_DIR)/OSX/libsecurity_apple_csp/open_ssl $(PROJECT_DIR)/OSX/lib$(PRODUCT_NAME)/lib/ +HEADER_SEARCH_PATHS = $(PROJECT_DIR)/OSX/libsecurity_cssm/lib/ $(PROJECT_DIR)/header_symlinks/ $(PROJECT_DIR)/header_symlinks/macOS/ $(PROJECT_DIR)/OSX/include/ $(inherited) $(PROJECT_DIR) $(PROJECT_DIR)/OSX/libsecurity_apple_csp/open_ssl $(PROJECT_DIR)/OSX/lib$(PRODUCT_NAME)/lib/ STRIP_INSTALLED_PRODUCT = NO COPY_PHASE_STRIP = NO -- 2.47.2

ZS=V8HJ1AReYxHHXMfo=U4U}E*ICsR$dTK1z8j3t zGv_~)^G@(k^y|z(2<49FWDV#2QU4qnf7?N&blrB*D~5|ebz^#VqiGpOzGYzc3FP&( zpd%W72^cMwna%#&|VX`0xzI#U~$8BWP&UYDAIws`l>g<<(vuCRDdG|?8 z>O!*Pv8n49M%j6KEghj^;&I7w+fS7H>-phfP3C&z>}X(`<@s+ zD+0U|`k@eR#|{4X(C6pF?NcUcLPP134MO=SlywoK!wQcG3RlNQJEiB9y0V5`1Cq8S z_Jn|Y6S4B}s*B>K?s%~aRjKET>lLr2z__omxy6CrC0urAhC*UASNCdaNlAL@U-GG= z7ILBT>9d_qBk=y-k4abmZVfU9WXXSgaHPnu2_vCph;c*7cf;ZGQp|u!{>VN;BMjOE z&UIBR+l;$)J_ypo9W_h?ptQsi9T4+1C9~*e;WVC(%r?K7o`o=K&F$DJjb%H>f}naHl-1?EX5(2ao~@k|>{pJeVq^I)YS>5`)!c@ALD z_bN|9#Cz>E`OHZ4F{6BL>^Nl960K;eka!cSOIRZH_Kbn~te=Lx+C4gmeb&4wpM5^r zgPtNwXGdb5x(wt+x?<(&{K29S8)|2gW~;Usr*WvaEK|#S=?I%_$x^~0Ph^BPkMuBH zzu1-JJ#cIKSoP%M&!tefOu54$2rFWn*pfr=-NtBH8DGRPSR|Be{~&wDY}myo+fa}# z#QY`|mNcJY<=GQ1O*)O@Eef!Z`D4OeOeq=5TL?(}Mvaro7RZ`y>+y^8^z_uU_sr8z zmaIzD|L^j@e8=B54KA^@CIaevh$I;I>yXorbSB)@5=m9#4Z~bU1C`${eT5?J$V4ot z=!hJ;ggcHc#Po?rd3nl~BHioP4k5gL0t=;R8otYNCMD2%>wCX@k!DgRWAgWK18dFT ztlvG>eo!cJ2(|p2b9gnBznc5O%K2t!aL&b=eI+!eBH9XBAE<4f0M$R$zTgz5*gMw= zZQ;V9F4vHc@x^?{O4X<_6=PO5Si^)yWQ^B1)r|zB!OK&z_aFC8-{$fkmS87wdXC3{ zZ`heqMtf`?!mxOkqzO-~qI&Qb;<>+zSQF1@kjuSGlg!evHSI~T3x-_VLh^VT)5(mZ zPG8cg1sPFr699jho7k}~NsahtL!CIMzyB%|Sxj=wMLCQ}mp&HHOHJlj1)M4+f5m6k zn(-uCa5#g|abO|&F(FBE;EBydCAEMP8<7L^>?&`yxWsH|Y}c>GGhf-rLx_O*HS#tf z0YzCgnhCl<2J4TD6lOFjZd9U6d9Z_I^G;t6)SD4V;4K>7Ql-D}s#(fxIrFxicj!kNiwh5d+GM`igXt-;c7S86>=L{5rGGbTXcO&e(;j@+CHJ8KdN6{9V zAs9TnX$jt5K^8&*eoSSbl!9X5AF3F65Y{NpP=)4ir%7$_1)QeNO2qEqcka4jghB*a zL~y3iG@Pas{Q5qCglpHlg}IIH&)0PbkzPQVzF`KcVMorRt1r{_0hV4s0pLKu5QyZJGj%3=PRE@!ezBXT#!tJJXUrxL z;d96f@s1#+-=Dil9xj7N#p-NBzy8} zzpuGoXENvfA1@jBl|$n$uL zc+(E*?)5a1u;qZX^x~<1r)A?~O7G-CM`ODEHc+)`8hD0QD}C4z>wap1GO2wP@Oyt@ zW@k5~5a4b+qyT!_ZK>8n$mI7LA4qVypsfU%Ph`0rO>Oe8MxN`NGgOYKyF1O?Z~p~z z`FR7oSAUgmb_Vi4@A`ai2mkVZ>S+ZZbF+THc8_Ene_YkL34oT`R=V7--X!cF$M0qM z+qaUh?VRWy5&SkER>fBc94#K!b(?3HSKWN-zBD)2m_{O$p_a`{p)&dXJ;@PzOK z&otchiTUMT7Ua)U++e}(GP>Gsty+x$;6(WZjZCuiy?ADEZQEau>#a%(WX*vW%YBVw z%;gL;K~eALgFtzmg?9U;l^E}X2Db0#+0J5*n^eU+(lebesy3yOshe)`TURP}qi9Iy 
z|GnRT2Jaf=gQ4U;+@D*u_aBJ1mw;d*PSez=HxVvT_@f?t2k zZyL+n|#tt1@has`4+7B88$U0d78^^l;BoJlTjwqiI3B=s75_tdNlE z^G?xMcc4YGt==iyubLHRN2-LIyf1=u3v3zX5n{1_Rtk~g`8p>GOOcA3E(hxbJHQGb zKh~lGBgH&-K2BjkZd1?x6z|9_d&+Hhs}@q__(d~J!ZU0s5vq%eq^ThpdCFG`%H$UF zSVJ?J-mOxSU#pS@VU6$>UF8`v6h&K}EC(slhtMIz>9eh!Es>o)GBet`)kI_5tUxd2 z_pPXp5L&e+1?#tBN{or)j6!86oBVWHXg4;)9oBq!!>qE$tye$lWFzLCS>s;7K^+|J-Dh%4?u^s*f6zCNb}le@w#SdJ!O+shMQMyR2%J7d*#(%kZ~2F73Xx^{)60q@ST?|X zHFP~V9I&Q~!mWQt#g>>S7b%glM-+aPmGJK{{#lJ%oTNxMar)Uvjh7fneZ;N!1nbLz zX)GEO-iJBuNA*GM>l=oY=7&(fSI3Uo4O}Kix@W>V(W%0 zdMW$;w1NEEoD;(VpBsz^|9kNc!>#ap1|I3ljvSj}BcF6>z+VNvhIn>qW4eDjDL9&A?e<6G`34c0as^rq|9XcjC2<2V zkcOJr7&5;?$RWbH8!92Gr;Em5%b=uNCqMHg3&~=?MIC5t@Mtq>Rqd2DaAUL%(SW)ki=RmeKQd70(N1vl$er!Qn7?tLWDN6s0Ua> z)EuzMN!dUmeYJK}=ET7%)^Awg7z1Xmjui)8nZl*KekT3SumLo0W^*o*TtdEBqir1pY?qBJlWU(Qo7hDsdw1|Z4C-b)c!~2H02W+K&5QMQh+;;|&Rx_f zKIeBm`2rQhmMRQF<)AA62CNFg#tA~vq=fcBt@xDCJjZh9ydSQtzHUeRIZhBh8~$c;9H`QmT4ZrfqTpQHZ);TdJPLdh?6!;clJ|Z5Gorv? z`#7HN=Xo5#MP!Deb=sxF)TOd@+b1I^&CvW99BvgG|0dufd;g)~wQ`lP3ck&zUGOay zcwYvaTnprFmt2MTW57cXZhMK~B3Lr@CzyR&C6RRQ;?h%WWLnH*wp&(F)z`>^_@R>c zA%hye78Or6(0GZgnzdAU%fCHdo__OYg3!n77I;3$I_9CG@*vuH2GxR}kKe%8t=n7p z+s%hgp=QfILz&$xA8g56=KM`#ktqBPxea3j4qkfq@d6`qLF>RBu%#XPT1C+V*F8`+3xcD@gCixAC zj|MKM1#Ui?hF?_>&=s8$)%j|E zI~o0YZPU6KTAOoX0eBE>zr@-bcstgO-)vvaWMo z-(ivm80B+151*Lq1g;Nlo*IF_opM1>{W?233!biBR&+hjtM@BA0>S4wj>q4qGV#qg zb*^9O0Oo7|(4KK*X21@0$M{^69|!yI-DAn}+xz3?UY9*%swNYGCie2+*T|jRm+W)! 
z^(}bkLhyy_4IGE@_}SQTEAmdY<3{_=H05^&wWcY_NC)D#D9nG~<-EmioG}Ayva;sVPFD2k{EcHH#iy{6rtn zPaLuyT^E)6PUy@jphTug%*;;H@YIk{7F?F3R(A8|2K)=kk;ZSur5vnb;N$nl04>ph zrt$P}P)jDXo{8tnq5@%nLYhG{agL2jWcNC~8M3iFW?$q{ayHAk27UT|<9r#>z8oVi z`plFGRZ``lDbG$_^5`ta)@I9=Olrw7)>1@1wQLL5ucq{05YlS$9-^G+`BC}O(yy57 z@+~S!%H3e2jkL&mQ&!2jEB=UxCjG__K}D?kE6-yJgH8>L!w#RN`V+Rw#Z~Pram?3= z;7+vy6Ro^qDYz3N2_JAOS}+L67Zzzjm!r~dF#a(aK+!D#IbRU};RwP|itOv1@M14b zCP8h%cN%?j{2n_>GdaHzNNW?D;3Or2AYLzaKa_{kayM$JiAtx*r~~_8x>+%jXms*> zj@I&rZG!oO(U0pEsWp&xtBL`v+{F7<3p9%mZ1x9 zZFcg2aX|OZ^Q5TK?YRq!&|nqR>!bLb6y*e4~WoM$`OD^+#-RBUp zsjQBz(1uEJqG3yjNzD&ab-nx%o}P`shUi$95l$t_aNNpVl%Kd{H$pxOJ3FCHCJa+; z$sD<>pNTi)rU1nzIP4eH^9Y6jQw*B3k%ecTfbUVj!0G+Ip=Cd8+YVqUm|psWtC&mw z+pk#a2E4e`j~vzN40I_DjKhF@F<$E}93&+92bttfvG0vBD*J;0BkV5$8*|Xah@|nR z73al1bHVCtl zQp>dhBEE#E7OD&Kcch|LqZPL#(gFQjS8Yc6Xlz zYNnV;wiAEm=}=}kyt2JZlgoTqRHF`@nZGQ0KxV#j%A!kpXgEDAkFThPXiE44DGzt~A4(uSeM9Z7s<^*n;Tbra7IKw_g6P+`Q=~kWZ%Op zYkR;9Pw~mi{!hAx>HAMdDsP*w;Vv+Zm9H0OwU-VBU7$%qH=dMqj=xuNZrJp|+j{&D zz>ZF;(~&QH7GSEO2e`%N=WY7B<+uJiWYwBZ^%yG@b9m)z{xS2s?J@&g`o`Dg9INf+ zKFt9~^m0Y##p6ZCG+uepX<#yMqJQ+FqT$K!OZ&#C_;$Ce=hkg_dcUJ@vSW6&?(?&e zar58w#Tbe=p@F`i$G)6z>j&I8S!lQSMr z(^v;z!7i^o5olcDOps}M6O8P!Q2ubzpwo)@+zI=pDEOA#H=ek&c2RxK^=>?IjzuGG z-?PK_ySo)kVLf^@WNWtLsBYAJrPk?VV_ak;JL&cDV8Lx>+wEeR%B~vG zK<6=xDcc~one1lIzt%H(inAqZA#Q_l^^T;;^F9iRI0K~L)pXuPCz0#rnFz{wZj`X8 z>~v-58Z(-*!r!dhg!5uD*aQTBq-X)PT>G$5^jqa%iRIYZ`}nZS!*_+tts9_?U*SoAJ(x+8y7neTxITL_ujA#{oJ6-7j1B zr?>+ZUV;s~rzSJgb^y!$eteY7wZH7oo3fWgy9veYZl|e-#oN9gd@JCceX#K=*rFfo z_g~|81lR26BOfx=cN4IZuyfI(sA@US;PZ3tI+zL6SoZ^_YLPWeS!WR>$l<8;UK-v+ zrn@y!Wb-436{t^0a@VHRH6I&G+I%NDTY&v(FHe#vjJD-?AU=# zC6uF);&9MiSz3{t=*t*pwJ=s!7VBHoCL^y)@t2YPLRrp><2T1zy>DH7pC9dB-iC#A{%x8SI4Jva`HPCxi*IIbVH?eRI9rL-7WqrcI?b z(N;X^(o^ww^F^Bx*!F7@OT3zWc}+;+e)MtFSd%*kOAP&_30mWVvOFNUzJGzNAwW}o z!mP+>4pGI2!RXag%B5ME^gu0`;p_xTnW6C@jIb{x@tR$=G!7CUL8(TBEIX+}mP_9j`OT1% 
zloP+&(q$BBUkY=)n4*=>p|I>XdGn+@Ey_Ae@^c~P=HqYPK^#K`+XF9IPMq)$0^W-X~=12s}_ObLFJw!niDsYk;^o<{^Tz7WW!YS+LWCj8KM!QrG_nSkQQNA~W#sK;aq zRvzioZmxnNs|f>k4&lnT3yVfl=VRe~#}U5hg!7U>+#s$UQ5lWrY53uu=q zbYbWVsg7g4ljlNPx{sOUx_4}-v9y}S{6cPcRy6h+R_OjnIku?Tkf`(qyHf(wiRwnz zu;B!UseAEFSL#tzxKxZbbD2aFA6SqDGuomu1`uh+GuyOWsYzwfQ^(Lkl9y27q(%HndL!Q9r;}V3XE( z(~Pl)jGvRvVqpO={7R?yQV}+vcKSXF7^ZGHIxxe3MqLao*&XM1_n$q z%7%I36k84}{}W&WmhmF6O2?n=S?Lv$9+Iq$7oDde#T&`UL(#0z9^+e8rw6SI|0Hr@ z7mZ8oR%0j>{${)Gn?^8F7e%T;Cs|8$*pc#MLx5N%33@Eng8s{rlWu#Ga=6l3-gupQ zWd-8uE}bqTp&2bFnh123EV zJam53dgU=Itrn~sK-(e(?R3zitme%Bg5OmyJh~432V6Ec_>E_n>%(GO#NguT`k6RL z*Zni@Z1lMe9LNv?V#}Fk7h%Sc0?)n)T2#06KM=a*cD*~jDas9RxjryhYAwdu{=tH zwz5m**9|)skzYFOQN2)dyiXiisgveI@UhPGwX*r z*6W`69H|=obqgh$ziaVh(Dp|zC4Z*pOb*xb_?C|8=oS3**&{q$Pym~b@H2JX-@n;e zSHJSGu6EwNB`9FE$TFKQ_K*2D4TvDWrE z>}Gcxr0#iP^1N1l?F60resVu|lVnoYbK)aPiSKXL>3a^WONB=>-MV_KTlU5bh`VMM z){h2tyj3RLT-$PXsjFcM&794r`0a}>; z&brBT1)6#JjgVZJ9&cP1czrGSuN4^kJaJF#`@X8BS;LdodGhRcAaP@prFa zi_&Vs6w!e?D(>D)?)+bNR;fdwanUTiYNN7S26Tl4Ui$*8D?%Vk>?oWg?9>Yx+vN(* z;x0$IHViE}X})GHF#`u&UCOK+G9Fc-aVOb#In`EY3dVR@N2rc`M3F_*y%25M44L+7e$7LWdA?WS8ZGZmy@3hopgsrT z0CXIJ+Qc=}(t=g%X2jko)8Y=2NdUe>zFJiSfI^>)n%bb3cZ zk(XU9HkC6>(0sXO@i3G=`98-gJX4CN_#8rbRFmT=dZJ0HW7383hMDvBSq7DN#L-tVv$3&5~h*}>^jXK%v+SCrJXhz zzGqlPUlbEG6t(Jnep_f&9eZ7Qjmg4P6B^|3!_kM2U^5cV-WMNtAO*CBDBq8XK_c&W z?-ubbnSQSdf2kjLT$(H0CY33-p=O&bF#m$eF2pIyv+M!ujKer#m3?;Q%D*a-8{&WU z;f!Jt3Q8x+cZm-wyLM!WCRD3`4f(^lp+IROtiLj$*Q7ueg`8S!vu%X+gBtxXf9qTb zstifo(}{EqscgNp4FHP!WylY=BuecX25col^g14HF_D+x{`Boa!6_BQx)g!C8;8UCEAkW zrX~?P0dI$Zf_ylea=0PpxoQc#LZu<-Rpr311O8GE7vRfRd+?s1pxg%+&yv%ZLAQ=( zRm=-k-S|tgcHPS%ezFo37xIW^hjtdyLZymiIz*Ld*=@xAn37k2b<3jL9Qp~fKT>P1 zQASw=QOONr;;l4^NWJ7o2Ws3KL~1-NH`MYZ%-Lnmw7Rm;tQZ9_#I`Z1#7m|ALU$O8 zBufJu=CZcXm(om9T%+zSrKBMoXD-%-+SWv@4Ln8DW6S*qKKwYC0|vj#fcq$?!M-uKNMI>BX@1A)o*h5Mj3Ptwti&LsfAhuY5+$1#TEEa!xV zh^2kHKA%>pH}KW{_iJCaS;5ZZLkj`-;vco{U^opT@V`>7=34LX_t@Ttgi4?LY3JlZ z{i)o6oEGf%g{6%w7r#Bp1JLoa&Xdn|83(er{a6=(K_I*uIILAJf>O_0E!g#SYVEE; 
zk7@Hr{!4p1|8dq5sNv8CxI3`DD1u5eQNohsM^MJ zR@qCi`4WjOM(|-#$N9Gt8!Q#mA@A{4v&3~?C6oIs|7+x5z(ogxf!o? zNvR#&bq|QMm(d+Q3xSiU!}syL^s?{!)n=K;{#9^os`t&kpm)=eGtGYe+e)vS#|l{L z1CGv*<)g{W{?xB+*rRV^B&!MRgMZy~TX8O&DR9>>zM}U!CqcZ!zQ4J+&)pyaDqlG` z{l0m(QY+AT5vY|~<#a>qhs)1o;JqHdO9*E$q3`>2K&X-SumY#Q`QFYa;Q7c^Y-KU+ z_Z+|xSU!rJJ@66B`3&|X?z-+in>6C>@I6upwRL?*PZwDR9;98`MQ+V=AEhv5$!PeR z4#;%v13-^+#G)wTEk5u-lcT?0HJwgR(%*gWfT_yomu_4ZfvFvpcB@-_fY+MinV;bO zrTTTw-01DE#j3CIzlHd@31*yQ{%+?FFh7XN_i=~v$`AB&KlBBq z%*g$oFGGdC8`St&$$=>n^qpwZ#~!TIT@6;i0UiQl!{|8h2}@V<@$^i=QVbDb(G6)D zCPz#{LY!*5zD9^9-G4ZA@Rb}fr;qsi#5HF~wHtV%+Q2?ZyW~~WPqC{L2gT~8GS1kX zVz#BRa900iJC!ShNiY0X-XJbVrc3)kidtFHZjA;KM`h|1jNA&&pI~>!1w79=rwAy$ zE=_o>&GQu7Pd+ozTZXkKz0<_7ifWXVYbud)!Q&tuTdA#!*$9Il zetL?jOSVY95qFP>dW%P5qZD6OF7Bm=D#6V0``m7BIuEUyxbWQ8Chowc&Mq_rwjf)V zl{vXnG3h3)aNP`Yw*ZxEanl_oa%>42@#!Q#H~fZ!_lVhU++l;JcwMse^$>a?6zgwv zK})tHtSNQ4VyWi*muBKQU(=7){B&#t`U{I7QfTaYmvL6_fyf)hh0;P7IHI+we{m5J z+>+dNS8G7YLQSHX@d~V#c!AF(%>w+JHfd33gW5=o77+rxI;rq2xPFeakA_y%Vj-xQ3AAuZRdyK8_>9^P}8PT z5k7dw-e`U(|NBOujychiVY<$nSA3Fy+FsZ@9iyVpIS@+3(u+3TzlIrdNYI3aqB$J# z5)B=Mke2ojReIyg_Tf^jL z7|6z}9`abGyy9F56h@1(NQ#Gsuv{r0`c}Y;irR^_PY1n|SVa4-vf?-J;+~k!P4wOa zB17@@05wW(O!)z08>m1066SpWa7ASV7WDop&968%@@SRNB)D4f%&;~8rYtZdc1OmH zO)1(gEh?Ii*J6t}zb{Zo-p0FHMZwX6`}<2Ya%dE!IU^0 zRQcIB#HOPwTfyEC{ldhVRiDFyZmp)FZAA5V|Gy=U97B^V<}g*gzY^@D8$L8S(622W z87#!5?ZObms_>+3{NTSgDbeYLJ93^mITo%<@qAgGoe-{+le`2!ehybputoe?4@HBl zxZHd+gzDgnb*qqiLU-P+OT}dTpW!p{d}RhQNqmv9k_t-Nh>H~xDI##l*T}E7K~tHy zZDh+1i7pb3^y0{{+Dui*kco&ULfs)qW`r(5)(TPW*fBScfEt~8UG=e9N4)4JoiRx= zBB=%Bv&JFu+Ua}b)ww|PtkAbd^0*2|Y00!H(}r<8?Ijlk4hd>R=K;pdD2(kgU3*q2 ztvZu(qAGN;E>q5L!Xg}Z;?Ncwk7#i>B2{P%%RjU(zTI#u2eU6C-8G3~`a}k3SH*UZXeK1XuQA1yzwa1ljUYnrl;w*`c*yo~j z@aYWgK*W3;l831%B~yeP4uR$A`-w5h_8+(>W@Qc_$Cd%7zq~)suy≻zPIEJbrRk zL=k4lVYC1c(dXBW3;YWk4%{b&IRGE^n*Z!)expco)b8(mNn@^uL!qF3IC#4Ky%L7&r;k4BbstJA_%6u@d4$m{DwN1x!11d1+zhlSiyY&*cgxfY^H0m7D{jZ{o<^dY0NwtB zGTGO-Tq>5h>-9^9R}#=d8_4vVjB 
zZLWjEK0I~&9-Ex+&L_K>I(;_^2bLO~1@E<0V%lEvetUiK-pcTk{ONYf7>DI^dZ~AO zzcM|G{IM4t=|p9D)H0W7fH+8~!5Hvd=r%g<(2c^ErJ;$OKM@B8aE?@yUC zJ;yZ+76vS74Y=r$+uFWfGpRc-rdEKB2?2h~anIro{l3;Dt(*T(T652oCB1*gq?!RdQN&;V?aWuE>y)*$KTd2wFEkWnFb zbsXkconFWM-u=%+7<&9Ocy3(Hlzy*_FY)dI(}zI!A3ww@+GGt?>EwBS7a>@-C?9SS zD6kriOLOEqng_OQp(|cB!BrQD1T3LvUOOb)efHbephjkdX9WTbL+oWZMgrtS=!NQj ze2u@$`|fJ$XsSp-mjjyxXj44g_$y02IP22Lt`_jdFHH#Km_aERGj6-ar07YN`-deh zPTF!D^RvwsmE>2MxFGT(M!HgIPNQ7Bs%??I8PAV$wa_KmFGqXYKk$Au#DCh*G@R@F zk2>S5fu`B9@lJYCeYn9838?p77_0Wr#Nh;yo1f~WQu2GK`EfUQB^k6R z1=YIP&1|~p*gPEP7!W$BSc5iW;aP*JGPZdHOE#0rLNsjjskB|cWaudG36xJ+xi1}u z3hWCw`XdK9bQwsVj$Tz`Y zO?RWITEMx1u#IZ1&d!qYrQrGIjXj9%{SY`qYRd(F$Q3&UlVv*1K1uq^r+&#awr=wk z+=%0gnZc=1F7=?UE(!fGr@(T47b3zcB!u1%0Sah3x-9=bt+414XAF$v&>ziyd#Oe(BE~srsHm3>BVtGC%~Se57%}VfAPy%9yqbJm<_J4pswCzwh3X{)njZ1_ow5+)Cp2R=M6Di}FCm}Kd z5p^b+BP0&N=Yn_rU2h#{Jw7I`kYJJwRt`(idFboRMW80r~Z z>Zo@NLs*!ohm7b^-Oa(dbrs<2PKwE>#wcyO&|5!*eh0!}}KjM>TU9*lZu z)Ehdnf2S#l$KDvyAdk=nSfC4W*O9L>CRtnV;7N&f;yQh55n0HAMzo(v!cgQ16L{eS z>Po$$YIPM3iMPEj8Zq@)Ca8#C>aU;aSePry$qKacf=rPrXaIs%@Cn#z!zxU5>A%Q- z$DBp=NpqK3!O-ZRdu4Du(3)?4!LzCn(A7+;#YlmsJV~NJWyE3Lz;P`06oAy$FDNtK z!j5b`EMh`r^H{c7&bLVr65|L^hZu?~t*<#l!2UNBE*-Wa$GDJCK)d+k41>XwGR!={ z@_)ei{ly=RyiM~Jg~bu{>>OqPI)i*|(79v0E6DCY&&>(C<9`p;CHM%EjI*lYE@FNNLva&%?) z4|lKJ&TjYTE|l>V`j4!K$KMmgtx-=Wup9K?`6j3p1E;g`H-3**P<wrg&o}A`qlM#Dg^3IL$-@YIH zuqz=~g!n$f1lfR*%COGcpuK@}126KoJ;qBqrd$j!B;&X$KD6? 
z{B|C9Sz6DzO*6xl)h#+sJ4`>tR$FgC_-h^#*?)gMeYI;&WyG7xr`+*+TdB?QoOX`w z_Fjr7*8Ba_V=*VS=Hnlv?XRO~Hu>!C{)R1v7Omp;YnfaI9_Q0a&YzFsZe8an+}taW z>bh4Kt>t4QgdR7}jZEw6NjtmSK4u`8*zK1!4xPZn8TsMC!&=aNyqA6M%fMW((_!LH zdiTme>BRXqFK#$Wg$0qrr(9m(Z{O7N@43V$Zf`r+4%}-yzws)%r>&bBiIp|rt?SD9 zVNS=h|48t>$ivsn>v-$O#0{V0SFqPRm}>{@-{S!eEu!25&#?H0fk#!#;XZ9%66H&1 zONJs8*1q6Z`|;LCFi`9jrG~x}3Nu-RBST9S%<}!SR;r1|@~dULT(eAftTg+VL-=|s z<1~>rZ5l1?5WFB7eYk20s7_V7rz+Db^ZcbGwF^A+j5?2M_6I!3v(~)|`RL=mQ8b}s zyO2vf&AmFCgb^9EzuMBv#=0#52;$A=8X3j~Mf<_}X)Fk$6`PahPVVY4DXePk-$XsJ zSHHXH%s36?iydStvPGAkq)ERv1e@z9RvVRdo3!q4!KTZ_zMG?>kd{Y?l)QOz6n()o zx1L&ux5rHT!_2eAOt=cLSxOF8T3a^B$lF`rYh zacDjEJ~vHqd>4ynFo958K0XKQFoJbnPK7k$34tWh?YxF%oT8y*csIRZD#<3n4p82` zLON!RE{Tj*n-uC?r7L=Gx{WjjFCD1)i)kbXcK#Ys`Nv>V8#-F_?xA~Gx>Qw$tCuL> z42mxK!j~XpEc3HY429H;3I?kb9lCKnIXu+hGfCwx;Z8G;E^+(CX1a=Wi%3VdzWX&L zI&&V^pc{w=3jh42)OoYjKCGxkEy=N=_!0xDnAF5f)KyfZ%3#^bO{P906LzXqkfA|##O*yb8jO9bda3uM6 z8kew5keuLmak^Y+p!t&km4{hsXJVm@dQFV5Rp04jk-9#NS_}{Nqmu{9od-eeUO>|!xS&h$(6@fu1ZX#DX)K0 zqnNf;uwi^d01nyuhW-r5p%9|T?92N0Y)r2 za#(z_42pz-h>J;tOl3~oalPgfU$TDHTC+6K9tGwVarMr{r7Vd;UaRR%Ot?CluFi1N z@+nr)E|(5>Y?k#No2|rh%bC_11cO7Kl`D>>fDd; z(V~tFB{Vza94B=zsTy|tfZng>kmW?zrxDmT&OD9bCmqfte6M!Id)YY0BTmSN&c{P?oYHp|VxBH%e#Z(c!ZxBN5TK?4SsxJ`1f(8aCGv^IU=w!r z7_VgXLDhV1@}@8Z;A<3$!*UVY4<*|meirNGie=_MKwqOg9727QFUaARr%{q-iLy`w zbpY1&glt7Dl{y|;kHV+kV25|XA_gTV^Y@%? 
z#aQd^y@TOOrBO`~G?Coy-2cL$=AQkr-=guU;K3kpXNKjI5D&p|c|Y%53%%T5ErMEm-iUA|^hzxv?P0b$Vt-VxQBE*9%+Si@V@D zxb(}*scsLk@+?P|l*&1s);O7C{)|2n_=7!wTg7&0BU#U$r`>$xzS4z$~TyFgjy z+x2N*$m2fyc-m5ofN@AZV}9K^kIwhFeX8)Y9nW-qQCqQczq}3Yy@737_DdF>k*~f< z|6H_Qy?RUujPN~$4Wd5fuNntaDYXxE+Gkq6Rkx<`-&JiY3hlc*WCXX-GkuH&rwaDw zuwU5#E1w9wxqq&y`+KbY=AQ8H`EchJ3!U%t^9b)_O_v5JuA92G?rLFwi7;aRwz%bh(&4-)ap zVNto8e*Nu6Q+c;RS{i~l!9nZVTLpz(kOFDx( zw?+L&bqXIANBB+`3CZp$7*|+B6En*s9YX{y@ri)F{En{l_D5K7EKTS9lXnj*Fm5!i z1JpF1r~Ntof3oxl@m=fRHFVV)FoRdk&uni%)qNW{p4N*mIK-U{y`ym9Omx^58Cbey$<7#Gqi&Mr z%hsQAX3AIc6xTj*GD{WVB{8;ti*0OXc{`VF0QUewoI2 zahC&4QK}B#T{5DV$k??ZSXu5hRuA8%WkX{z_lHs=LS;sk%IGl`eiXY=$4erFe)6Y& z+(reKhF^&CPtyh^c{9gFL~3G3sW?VoTD$~wYRi7_>rWnYt$9w&%hGb4W3ubPO;RtY zILjB|pKuWv*DVsn+yO@t!c7ZE=-$Ub!ffFb389;I?P22Zu=4{H*8!CpS@q42wFbzk_1>j*_-{^1mL~Yl{8&6u2H-2xfU?GI3=W zbxbYFSIHE45AW+Gx)37eDy@`k9;Z>apmIFE0K=@rsVY4RnJN=V*sOa~>4r}oFz&ny zXIDzF;9E^xN5DpXifP8$@(dls-|D__A*(lWjho721|4#p+}|RQL)|o*4O5YyyCrD` zCR__}Rhvm=9J>5Yn&J1Ls>n`d&ZIlY`mT)EUitILMU?rjAz=4A^XgAh)w2P0h$ENg ztSYqzNNSbFpM`qW+ww>F6>1!#aw8)GMNpJ)zItsuj42YtjmiW{XV{w`Y!BN-3j-Wr zyBkBX>bZ-?+Ys>kpuc3F09d=^;wb+UnfmaT;F%-OCbiap2`JKWV=;u^+zo(t5?rXs zK!G`!mJrjB%Q5~oI%~%r@w14ip4X;Lb~8)h(QggR+Z>7M>M?) 
zUxM#VQ9;aLI?$j$wjz)4543>K#!@+7a{;r_LWUoXbeuW52aYW4}o@3-8>j z#EHFYev{)&=>CBpOfS4;O>q9Fq7Bn1M|L$;j2FA?RzG{Dowv+Rv^G!%_iusiTBIoP zCY@@n+Bmn)7X)z&HZkYgT=5?G`PO+y_ROOWgYD~!YJHJTK!$*7^Vb>|orX{`%;Myuql*Mp>%&Hz)pa{h$vTX>R5@Rd=lX+4fbB$w-8Go@EIM zAVe5}r6%t(?IahDl*y;6@H4fMA^_41bwIUl^XAVG`u#$q61rJ-R9J7e(=Cb!UfC`z zj+!bVd%<{wkRQJq7bl$za&qSYt?OXmxFR0$z*dE&Q)B22Zzqb_9J^#lxB0pV#w**$ z3U!Y8fam{zfWRcUqW}Ikmn{CX+8z7>5@*a|NB%)^{d7(8+V_Iiiu;Tf7zgAG`@MkH z19slg&adI|zKrzubOv6^JTn3Hg+4;#QH4$ykmA{dgsuZ=>jwZojt;wo6YRF2^>l4-t>)lF|-@AN)w%s9hlF_oPZ*|*J$I|X|M|EYl;eTOtHJv2f z`vOq5zHqzhUV|}|?=0YJyQX|#)^b(Mcly^fZzq%qeUl41x){02RdDfbv5sOq6a6xD#;2%_Z&SYmlL}z=6dIW%4Onv zyWNepkU~rUVz~*uu8s~qXzC|%Z+YAO`yEFdH9TOshMxw`hjCC*DvF@hwEC- zJ{K7NCwp}y-nNm^Ti*UN{i~ev?*E4G&^$bf!wuIi=82Z`ZdPGuYkjO;MsHvJ8=1R+ zZ7an%d7U?y?%k|!AjAJr#&2jKrq6}%r!M}_{7n&+#`O0D6-yG`U%@%wK0T2<=)Qqz zKmQxYkyCUKHBksifalSt!ZSr1;PD^yj1)`w5&szJ6mbI~xp`-B?^EV$|MIpCcL=PQ zN6=TJ+*Rs2Knwl#wo0H&e~!S3G-JvO?vDGj;B6$1(I^24$-^$|Dek6jxyqJT9BLEB z1lWhOHuZ=)E1_UbX)Y?oR{Cwxso4S$C9QIB*CGf+C%h6uesOgKwd11}LjC5Edo&~k*?`Jd01$oFb zj6xMJDI2pTV(bvcqBS)$9yut~&<;D=ZN#uSFrH;+R|0lGrb_=+OMe5C z5@@+~!@Kc?Gs8YGHZ4VFmos~Msq!X}`pc$Pc<7l{lks2n`MNKMxXKhViWOQl7FG$t z_`y!isOGHkmp7}bGi{g!I>d+1tWuBa>9Y5~VShI5Q&ebEzsbloio((MFV)YCM$&RA zhLW|<-XVN0gu^z~!>*8;7er&KD@S=HT}0W^tXnW5X1@py;Pc@Lu(SkPH2iE!3R@G| z{GL4^Y>5&K|5J`YaZ63GXZCBHMhi)m7@~D;+EjH47Uvq!R+5)6S z3Q-CJSTYB-Hkn&D0~0aN@CvQRoxUSix{d@pC=N{Q6b4?5+X5E>5qqHj7Wuj6p}+Ivr}2Vo_79G^V#4&H5pSz-Sb+V6a}b zF@b|!gze3{qAO-1uTEx7LqtfJ*+1SSF6fB5%K`W4x&$IxcZ z{rW@YCEKg$>6bJqA|in+>$-ybJ$X(%DH!PS+AEjh!(e*<^}ph2m|; zM}S6vf@=TOR$(YAk?a@iOU|zhEFJ4nd0QT zPD~c;={4XLuj4XUzQdE^NuH{&TZDZ`w@_pS&P94tX~zc;g~m&9s1g;uXh~3yf@NE; zk=bQaG&pwgRV@zaSjiy`sz=r|hAvbsyP;gIK4=$}vH*&r(;~xKBiEt=bJd!dGxZ1V zaOy4d!^xW!nHoLa7|GPf=0Se{>oEf6VGT0D76+5Q`cSNMzXEW#!(=K)d}l)Dn~h1h-pxn+Zp+oSp@7lRMLuEEBC`d% zt)Smx@a$9Fhb(Dchs7K3B=wz`bUH*pd zTwQ9r^+BU%uxmM|=i1%Hbqw=%ysW~lo7;6UzCPph^ckdXN?oj;SpBYbnu^TND+$-l 
z>9|34yh45qYAS}juW$Kvs2x5dUd&zRF=Lg^*kUv5rr!N^(M&oeKw~d7Es9JwC~bb+Vb915LN?T@`1Z4+NYJ) zUDJsow)I^O5X18tK}QUzd$ZMkvX=*`K`6b9whuFr1eczR*x9vBdpJ$*9@|;zof7^n z?-FQwY%MPYWy|kpUVVA4YkB^!=w9wUnI!h9?SAXfT%EviTXP-f$gV97O+THroggNq z@+%?tKEb*0ydZZ0;IwaBK4>6sU2*N;bN352x)LZLDzEKPA_{`6O(K;nf&~unaX9Mf4<@+bL@Idb+2e4e#L}f$}S>yg)a7T88R$q5P$=F z`_<#>vZdC(<+8zLMriE~2;Rzn27?_wxIJ{hclnKV1O8sEsJz=9ul5P*6Y@i-a0)Or zfKLT2)CQh)PXzxl-hjZ7{DaXn_Fmpa`(DlvPoaJ{@=~^5$beD?_3aBY{%x^JsT56z zo#tUCA8h(X;h)9|gw2z#b)YH5@vCm5*^}|#IAn{N)>R*wP zIc<)l?z<-`t26bBX>~dt>73M}X)`V@F1tW2k0%x*jgU<+T=PZbpTr=2hYM5W1Ef+p zdl3USd|B4iI+xg^t$fC9K2ehmJQgMrIg};JU8z?9kAj?H>?9Pf+dqoFxf!6t2;AN& z?F1IAL%vfEai&rz?+7w=48}s12kE3=V9j4e3>h=b%(x3q>sUa#xjUw)ld4!}#Tk^3 z^MXvtnns1jiN-Zlx)RsuA*u{e&1?`?1FDHmy87Imk&xnc&@8Lives%@lx>pcLJ|tj zN5OL0XcfQGl$zwuq>EE_P74Eznkd$pCbDQTj1t@2LQ*S1rzN1f5N9iL~jjL08H-BqwY`LALy z3U(5uBN3QFfU)fE48h+L;)qD;)nXis)P*c)V=bvr~#x11FryDXN*|Gm{MHJ9xG1vT$j`EFY$6DBErDK1zb%8XN0 zU6Bx<_@xl!t{O-rk^t-B7qjH~BjyEM38s$314lnAovML2I2lHLvECWM+6!I|`S~p- zJoqdH<1qq%tc#0A7L=7MXeKe4=NRJFEAz~ecTVE)=xgjWuhjX* z5gGBQ^3KQP+0`zPV?`SX%jmeyMKtSHosuP^fCM}l%)zL?oKRS3TM2YRRTilwaY(16 z$_d5FF&`M~IM9O^78I!TL&*UX`;2 zVYaSc%e@rxDPEg~#~{lq?I+ijuIGgPn6J0M$5t3Dvef#H65ZPrRsi0f?DItc1^Y;X zp%sDP-mlQ^hPQMMPgHhqDPWtLPJJN|GME=cFigV=TlOm@gcNr$ak?OL=QV#PnNv6) z{Qmoen&#PaE0dK}9i#YeMv--(YkTpG*uI1Kp?=cm+aH8w4gkdXK~jJ%}h z_+B+!@IOnz+1Ew&C2W%U|J~r+*7xh$X0Wbx3ILNk4Fc?K-ayj>iFdBRiizARp$4*M zRqx?_&B~(N&}gQWn;qySUZ>oBRQ;o|r>51$qszR;`uvOOL;p6tlTdEW4&%X^WuFVB z5rLP>@|TYMfIQ?35Y69UA1JR@2<~m)!NkLOvj^m5t9x&dg+;SBg}>$|zJfw{;=ccY zpK4XC;fuhd_>|8FVm+F{qYLQ%s?Y05D!qqK;C6@mvdg*(t#0f9>@j$rx-(;>d3J+U ztm890fpeJ8Ycez8+{)|NGTk=r+dgXKo#TI8yObMV>oB>~e*+WU*Xy%01%3f-Z=cUi zKTg{;zEscG>U-C8J#O5=jS>oRv8-}9KL8$oDCMPtXuICs%>8}FgWwDgmMslEcUjT} zFDp%Ko%fs3lssOko?kB=%ZY^Dqo0I2k0YODV!E$3AIt@v4&%JL_46A>F4t|Hn}nRZ zx+0$Zo<0c_Z`7j=cJnv1?OwZFyqdP9kDCTKLcb0i-{#ZmO*B7jLEn#;_e-EKQf-r! 
z!rDHSRh^vKl+gRcpnE?6F>7L%@wJd#dHqP*|g9MA`5#Kc|!m1sZ@y2#(; z$H=m%D3*SSh~gRdfePUXyT$#y%ndauz2s}Ha7adeXxl!-o%nhdv7-75JLi?K5xJCE z09{1Qmkp&TF07?*1S0OF@6_=eDdaN0NQ$#g}j zQy+6-V7pv*V4Kgdjj9^yEp9tAz;QkQ3sVI&q~D?iu1sYedxZe&nm*E*DVy4P76@YY zsLO6*6q=_RQDUNbT(k`R+b=$;@l=~dy9b6%WY#3U8slC_ZAnEE-u`h?Aog6^IRq=;YIv!xCyexb*qR`|K|Qfx{jpF$-{r@wS~*Po zbI6;*d7-)4?oUee4}lmIVM?<0-4XpT4Z@_UW@F5ZP67SZh~}7YkwnbvvOfj84USZu zIPIw6`&J5f9R8Y)XgKf;NRy0Hy~uKFgpnGI|J6x`{5!tzBbly~L{XsvL*t$D<++WN zOFW&{%*g3BUk&wSoQ5tO0L%=?zz zX*C%N&5Ja#v1OfF36dE*Aia}l}FAID~=^Snb8DzVbeDcBN0;jJ>^@?J;M0$j!SM@HYC4=3BP=;Sd7m)p26Ggu_NgNkdF6!!+y?!z+c5c37Ber>b%^*&0WJj@HSX zjcUED8JWg;jCCxdMkxYzWHNfyw}8r=#caJGr3TU5u~*n!w4%CxzvIwLPU&~@_ zl}DtFGjI!Gk$O?D*4v;DgL6c5=c3PqU&0T^rppq2dRb*QHGB(*fj7<=Vrpue+{u^- zfu((cpop$PKc=tYzA-av)!(y3-UH-DFI0~)@cMSyQ)OX@d0@I=crq2?np(+K3jio`%VR>{W)kj5q{ft%%}eDVg^gCR0{M`~y+3d{ zxj;rx7xh#v`JCi~^I8eDYZp$Z#^85WhnW@fLzQ}OI#Wk7E$hF=&8xP%>70LwJvZoL zn>lD5Ur5_j40+na~0fY;>Gh{=Arl{y-N(Gbc6ud*ARi z6LmonyJndO!J^8-e}`)gE7FnDuLzmXrk1g$>oNn+X==<(;Zr@;k)w%D`)Kja_ucJx*wqZH@)5{NS@DZC(UAhz1%!xQ??9qtzXqTfO4>I zt8!p)(*^J5=C=L)7eAw9w>}F_HfO{Hb=`G>3fn>($D>!>TxU6x5hz?a z&NDhlW-R$1)1I?EFLzS*z^AO$P6`iTl3KcTkasU>zTeyD+JYvpd9qIf+%%uLx?I2n zcFE_u3xm!VFs&-r^rRLxf3W_!FC+x)h4cS7-(THV+OW@OVDbHBY7PBvUiU#2rc?td ztm8NA5HI2%xHYosFn{6i@^O5TirV=oHA(y{0PVNC!NVKTW#{h`yf+`0xjcKDTdQ_U zyAj!0`vFGh{-H>mV>yr))!D%)_`Q6)=6Yn4LI37*kb#NE|ELa5>BDc9BKXPZX)e|E z!Q2^#6{n|Rsq!l4<~AnX)y-q@x6%dIt>W{XoAAfZP-^XmN>k^3ZuatI{A*L2hh-^V z9rLxpO#bVD%B1XD@Z!_Pe5+6x^Tpj9qB;BQXrCIF@3r?nT94~xj;=81NF4PO9X@^X z?t3J$7f8?phfgKhZ#oZiT(6D__nua>=z;&A`S9+1FFX$d6ExHnfg>#{r~H8T!q@8Z zh;oj2-|$`xxeh@5Z_gW_q@BAGxOfyJIS>gMMhV69>w_>`3+-#ZgtqypG*>P+?D)TS z0KG^X%wz~3F}5Y7*vF8Gm@}ar4C=puv)lrBccPxXa1))YRz$ke>R%bg{gq`}C5oko zdPJ;ezvBvA=Wj*_S*KMu8&LUvFL03S7KXXTOfW>+{X1DQ3PX`g;bQ$oRV-~OX2Z&) zehabgjOgVkqS>I=F{d$6tI7>?R0C5SVTd>8Bw*guEARhG5>ds=V!=N1iIi+gu>r!CsiKs=4kg_8o3N6l zL@iS7M34#?e=+fBH-g)DGEjI-TKtN@P1Sc4I}Uj;-;$(hm3sStsK`dVT1(mDL4Mj2 
zG@7+HhWAx_*cr02ZoDXyJz5_CwTw}i$o(C1B1?vUbop+OHE|TVWSN9hekrP3hBJkr z5XTjLM&{WKFbBbdn@I^PWAlyGmw)v>>LE)-F6UZi#R`ww^s&M!pAmbEXgRQt@ zwa`nf7rPCx8VXIq9u(~*-zsRN;%y2SgnSHB>6$hB{iY|B2X;qYolrDS{jZHSRJ%DQwUy1s(^&eEdyz2RpbAk4Kq1eHzExS#zz+h{HJV8~b z0xyS6oGW+w@aZC%ZXi`zCV?xg6G{+f2>h!^5abV@qT|AI)cp_@G)a?!u-h?Hz{WzU z99JTxsyTEi9I9G_v^tgk`JB#@DaMQ9G?`ie5J`woy0P;8=Lffs6`y}1X!JuJoE%Np zRQH^(2DVjsg*_o)HnG|+mGCEoUWmwIg zTx1#dFKWf!+N*SRMh=39ZC;_Pj*=2qUfXVsg~n%w;AU8|1FlU0^KQ(p`b~dXUK7(V zF5PR0f3(R1y5ARD!mR9eWD@;X%Bud33;NmfonRe1Cod` zS{3`ETw$*Kq1L9^3hEd9TEc#*jWVmx+~qhY3-qhP_;eadZ1vNAPFWKhZD>ro*&4t| zOANrgKGtQNtQxA~KQYcQTnR{@FFA_6MIbo(s5{Ir|KH8T)6iz%%=;X|boqC$Bb%ciyIsugmaA~`I(xoE$&X=WK4gmZP)9|Xu*%@pFg)>;Pw@MwySnq z)jV<>cQN`MGn0tT3VMnNZqF5Q(wB`;=`J2e zS6T8M75%m@LD#q>Gkt5h^ zJujo~UeEobCsbC;_co3_XK}qs&j#(InBIAA2&?TLa>kG;e*W{>H+{X=!1WZm{cHlnQ)Ojf(7v)EKI3G$vg~qk_Dp74@N^b6iH>8&~eD@`>fMoj&~AvGR;8g zVolV*r~ncU5Py`HoCK$_LM09B;MFdLPoq+l^^+0tM}C6~)fp)J#=(g`C@E$N%XRL6 z1<1hqQt~aB{rq61DDy}K16rUi?Sx=4sE{kgsrKKw3j5L62Q6FB=6HR{BrkCc?<`7A zAer~|pXnz#Otq%DgLYxsVZ>i(**scsqQz9=Y$G~@kerG|+R8*sF%XGDENIf+88RAP zK|yO1?VBaR5sAKv)mU@vGthwAJzqhPcsSfQM%Xg`3V^(zfZnEmq`2D?7Q{lTBBPoQCoMA*5S~=e(}bP6&Itk z<)-F@hQy?%Eo2(veDkUm?FhNL?w#fegsSFzAr0t;)I}v#rU@FiSeO)-m!UNmAdxy% z%#??*5}HoN%D9wv5N2s8nNkplg+xHZZLee%ISCopjB*XX!Iu|MOw?ahU9X;iwE-+F zmV==4|L&1SMlsudcC5LCX|2HMt_Hv%qjOWT{DoU|Vcw?KJgpVO*D6v))z?y|H)!SD zz03`b@f((d)`5>;QS=JU z>=_on^iOZ!hT9(~9IXmgsJAO00_ za2lyO`qkeG-KYc`^#z7GrTN3gX%@)U_v_OH^ znmT6GDwwb;-Ml*BQDr${3WTK=g_WY#Vp$DANR@3>pU*CEW5uVYsGds1+$c}Ro=1}` z&JzBW(TssI0zds3s?x*ojfO&m&`k$YG`6#_b||sDQ2+b%7lbZ#5mHW#R1WnSv+&H7 zB5f|t1!@%@TuM>$RMyhSWkog-3ZP>wC3_^E0}s|`lr@%^0)&{6 zadion@b+oXHu)u)k0o;4MU+5;E z-7TMYOoUH%pW9P1HUX1>wY{rzZ-U@+g}t?M0iXV_;Y-BH9Fz7gXR$1^UiFQ4AW08f zp!XRnP-U)Ko&wN3rL+VWjY zHYj7(>A8hAudC`m_z2cj;<@rh%jNgVZG6(F^SXW;3H-ycrDG083@$-M!%>?>)e{4`0bngYUaIJWpSqoDmj&bQS@c^@i zw**a<*PgLo)}Gv&m6Fms1^Omkb!Yi+TN%Q*nf(4CweY9&%x*4x4=TmpK96+$ankv3 z8iA5N)9Xp1&=k(OjNJ-CmDs*aM-F}KBw_3Pm 
zctcpw|03+ImmT=H195zG8GTiKA6`mRCrt7aRnYXN$?y!qJ#qc={dhdwfA z1^=3V*zW!MhWIXJ`kj)&SJe5|p5-$Y;IWU66-C0h{l{Ohi%>jRz1RD_95PZKF9nw< z^D`{_mc&lwS!wvEbtr<&YoHLRZ08h&SU_teWBKV16L`)S>_jXb&UlM7cEB#g=x!Es z!hXpHbMu6@WUZqux>|?LhUSpjk8xhXKb54_SIq1;G^%G*qcw{J7OSUAA+pI| zpuZ=5C9hGV9@5bN>~W|hKJ`^2nO6^m`%H_l`RP)+SS3IFPNdGFJt&Wlu&dMm^FAQx zy>*RTw={26?Y3nrqaME@iF}fc=RPAu2zJL24<~^v_)hKSSMKpo9l=(^e7-~jO}osj zzX~)M)n<-#l+49)E6n+Mcx=%@DANMN^8(qR0tDiZw<$T@fulsq}|uC1%}kXAz}~aG1SS&h=I5({>QS zyjHZSIX2(zQj&gI2Bl5^tt`Lqq&a@{fJ!EtLmjPwAYDNJ$#6atb;7>-SL#9;QD=CK z=UYor-bE96NSZ0P{1bF(C9Q3yBFcaOCV$}`lB@A|DDs*E6v-(bD5Okwwu&K2GIl4S z{&=~IN}|Dfp)>|nrbl+;Lg4b8*VYL&E2Dmp#Ha;4kMb$y8`L`s;U8DZkmR&FW;1fnD@HnP&qE(8jGAl&2W~`|!K3jz@1r;}? zEgPYlN}Z}jhPc4b5c(*D)sIT0lqu}B9pyf3Sn`Zpj!dhp$u#&sr1*j8-*;=7PBBMX z>CGVLHnZZ|dpD0FB8vPCO5EEc)v{?A7=^j`erJ7-7D(3N?p3#A*Xvqh>sd>7E-M zM&*mp!6Usk^cC_bP)vxLa*@L0zW~fiTK)bVAHK)U z1FdR|uX>SH-O``!-ECPNl~x4`2GhVAQp-?Gvf3qFQB@8bt8WTcxFQqiLUCD9JU4w_ z;C%lBVQ?Nu_`9s@9sDj%HYc&vLzd=j3@%$Xq^G}h_@U%6lG%u)w<-cODf==KBTh<| zKG9jEUIj|tz9oa_GaF9Qh%Qs9R9Xnf56-U(7@v$J`a%dvIi zZ{&BVU^=_;E4O$v?7ehK&-Yu>;(gc|&AhR%^V|vbCVsxgx#vygxB^e^<(m7qUWDEx zEitFQ32zZ^JyyrY3TFVB`UVM#skZ6rZk8V|Uv^`yKLuD|C@>>7M;cn~eq}<^dFYMALcs1l%WuDh%I&9s>hrQ-}wD}}lkNN)SX$~^I5VrSO zdFV4ZkGaHtBY6&v4Q<)FeM&yc1^?k(%VRP0{_8}u(RpTRo$oYZ%B|m&FYF$f>-Ox? zR27HQ+Ibqgm%R`9QvT-Nw{yu%0@ zO|^dSF}u;D(<^S9^K%Mr1Ajiy&NR@v#yu|X-|TZ;*W5}M7h2Y0NL04ev z8n*ad7ePeNb_tG|_*v8&3T3gO3OH8?*~~FUE4_?Z&q$l=g&GBS0v~zam>n9d2NxeB zn;BWVwbu<)fFY$pu`|PG@ z{43|mmqCZ0yu}(FXyX2_wJJGij zL?8nyyt#GDfWy|W6o*pjJULbFs3l_EENUf=1~fWaWl2g4vb-3G+PTF&!O_) zl4YRjhi!F5Yt-ozfj#$3Fyn;VojVAV1ra>nB2p)S8!Li*oYk5TGnPXu*1jF3N{1YD z9WoMsE_8mYh#fbAE{scH)`@U}&a7~uc8vE6hG>37-XuJtaO@hL0cGbJkhv1Qr45dl%&gGHNO9{?$%1x^#~NFH=wY? zk_G&ol%>OTz>FzSt@z60n6>N}7silf#DgJ`sA#131+FJ=j?1>1=~+w@5x!6*7`LwQ ze!?>|ZIu~fB2tuGMuULN5T|m#7uRywq%J{|ke*zQx2nKp!>E-u?Hl_Q5+9q)6IF*! 
z@nt-(k}2>eY^t>z~21=>y`+%yUQtUGza}b-KW@(tM%QF_~j1wC64l3@XlbmKzE{#@bdRUA~XVGH(*Eh z475Q`-_<@^U9ygY(JSz?2yu*K_R?7w;i=buD&~sFY0+S0v+msW@~~;f(KH+TFJgebLrmmA66V#qlvSb5&cvH^H&YYrA-980~!J`H|*x^cp_9<;A%zWVXoM>C!TJ$>RXPy5fIHy}BUJ zm)i-SXtCBDGwdGi`13IfB-Va!H(ccw@?9lZO_sePY}%u^vd{%xx^KY}bo+Sd@!u5+ z>p{TM*nGF{%D;F=Z<$vhW3GPvRI9^h?wuczlZBpbM}Iedpte9*GlbN!nw{lF5mHs%WePD`_WK=-%8FPT1xGTPxiXM ze{ENR<6Ud$mh)TgM|9U#m(>H;pWi^nLd;2y$qd#OW1H=K7|ZB%JV)MBteIn!q+qK+(yn7T>Fxu#}e{J zT2ANk77ywb6Y4c%R;IV`W&}$TC8@IW_z(Co%SdmS*kfJ$01+>U;Si*LDBUWDR-R*+ zeLLJ3LFs98>$IiJ<^>Z?RuMHFmRFWgvsz_6pyHG1u4I`~55VtXuy8v5M_&5$N zyp#?z_F!ns)oeI4v{K}^G>jSPEu+yNp(D}mCv&`39B~Ndt4Nr@>ZSw_BA_-k5hC01 zWxdyGx8$M^<-6T{r`@0E^{}s0c#jwoXveG-OVFKXw zY34M`@3dUP#K?^5eI5Rj`CCpuX#Y1CE4QtbHr@Z{Q~m>g_xR5uZ8!hLf22j}|HHGR zuv11n5@UdL%P?b3XqY7A$U>dB&2C{#jjG*Fe%N=UH0BMgewnFEInIcv4o$a6L1Zh} zOpWR#k;!5}4-@3Zhza{avzTE)x#hR@E{C+JWY>_&<(yZ~GG?VSNH$1J(}r48={KYx z9#F!hiTIQQjMI4*4qIj~DKdRgWn?Zw%6-Sj!=jcz8d%$k(nFam*Qbt;3=~r^Dn+a5 zDB8#=GJF^UbxU6Z)LLW(AAao8<1RYs+2Cc=z*l}Vp2*hr26 z6QP>Z@SJQ^0J0Lvm6C`f>|hL2bsw#FL7cRvT%e8%P9vFYpu@5YrlCx}kQ&$h43rw> zaZBLUCO5&g2~e!H^kx*P=^Xf}{)ZMB;*0o?|0)0BOH`+y&P;$s)%*Ojp9Vf@1Qhio zYgnWkRX1NwG8usgH8_(U*XzZ)A=xQ~bJ?sjN^r?8Po}y=Y$eqW9maHP0$9l~-Rlop zF)S>L7V%V``n?h?o>i{^S$9mka zcE*yTI$lXim%A0q=%Z%Atw}7%_vp>&K$njuO|3vkJSW|a#Q zCmE)iXtR$9B7&YO>>}WTkLQ7KlEG4f2Q+)--vyd|IC?p z!z%xI{zF0-i4q8zBEJOxLH~*W;NJrNLn0_fP7MixzH0rq7yHev=`d=w*-^N|3d^uBedx{o)q+zy>usrY?p~Sv z$%V^oxzw@m-?-#fuRM0;vB%F^xAVgJt(B?E?oZ6QW3b!28&}NZ1?q!$v2~yMarMo0 zFI;ZBdCx!V-Lm9L$2GRu{VaW*)90(toVTLm?sxs~?GFwV);;p0z3yLk<(1L(4?lgq zmFJy&>2B!ZC*+QM{7+cw4{Lw8!N&LAbn-3Nzq#{ae*v#FPuOZsf4wV)%k8n|b-xxj zI(dV`KK|8(JKlWE zc7-e2Kct|K?|ABl^wC$|wrrU>`~mERxqHt`;=N7Qxc|Pj!uw}Fv$8ZfY<%8}m&{v! 
zc5Q4*J6N|B3(q z5Az=k`K#gGVFl3xeKnFaMbe^2C(L=!h6ELjND>bNm08-#z}*4W&*O zDlj4{G2KPwKjlT>Ka8jpm>S_UGieUav8fskbV@m+Q%1ouk7rAxU_2FevN}XhS`yB) znN+eMk-E^7^=z6Km23yHKrha7B{Gkg8X~w90IFV#XN+3brs}n1xyE6UEI@4jV|NalDjfyA+5){1qiY1HgS zLDqYCE*FHAR>b0kQbZHY4qOfCTvH8lqtUnz)Qc@WY-QD{Go-f4oY?IdMVDxXa=|Cs zBe)n8M$JszRmK+QMQxQ})d~_Ag~m= z@8^d`yONH(G8QFZ~!V%cb)PppH zO*}5f6P*r9_i9d}IVfi84N_{h^Qi#maI&1^HO62(g7bi8wxI;gV!zxDI`n{vs8-HL zrdG{J!gM0jsdc1ahy-nvO*C_KQqYl@9`uql+sGC$G1Y4T8O0%*6|PsxvW@{yh2@0e ziVSM!1sM?_#)E6R%_m1v%uU^cW%Ai(Xsc%2t_?GAxx&Ucki#l?7wKlkj*`g2=)h_q zPEDo?79tF@P{!!9Arh5^z!MxkjZ~SQGRYLIuASvfz1}CvfHP*sa=WHD{Ytymt@jYJ z$~4IG*Wo|hLe0k{_-`)O5Uu_fwOISVl~??(@}EW8ZvM`H7N!4>&@4(Ol53Q69st== zy9<$(7|}dN&{HTP!Ge`Rj9#Z-jtbe1%BAuZxDGbj9tJmYhKuwdWy%XBlrc>iKq}5R zQ=FEAb%%zea^w)Ll#>)g8_|bFR;R|CMr1smX!Nm?R%%xmu&q1dfGtOg>eaLX0P>?m zMx*Fp;2Q!-j(Tm!)v9KgM>|&QAt@hjH3zWyp0iY$-eCtg%*dROiqNO)~LV2Ws`G zK_=*`QqC|mXo$T$=}jgL9!jbfVdk+^l;~vAwT$RlwMm@p<(OOsg2p`&FSbF(8v~&d zj_n~1_YkLJ;8xdki;`b&fG*L9r4fsTCYRRps+vr(NJ?q5G2L>tj>c5`A;%Z>A<%)u zDx7TTRhRgb|8&JH_XYfiE`G{?REEwjBL9JHu0%CkHWcU@PHmtAHDM~{L_X7CVyDn+0u7K+TUIjdz`AX2n$dy0E$dAK_x)MqjFHTS@FV!?b9gF zDa1*{Wc%1qPnUE%?WM)2O<`j$k;SMC&RSsHKvbO10!ZGisP#Hx`bk%$Z9OsuWEByG zK8oZz)#9kn)0{M5F3=Sdvm!p+-ubvX!l;Qo)eda(-9CNTAzPTTr`&RNFd^-R4P1tAo&k3&|_0K8v{{;WRVF<=h0{$}m2m3biA97*$ zqNxw`EApRnuUh;gYuV)O>+Lgt&eDxb@4f#W|CWm$Iqcm>gEcmnXWeo3W7PSl?6VrU z$$KmBvdP8!uJ+;9*ZlstN9-Rb&oSm-cEQ27&3<~RM@aOtr;tCax!Of{t-JB;GjA*2 z|3vPLBhK6T@%Pp^b)Hk%|ELpgl{VjVw{COW$prR`#;QC`M~Du^4+r^-E!~y&;8XtKY7Hb&tLz@ z&3Csqz4`H=*E;w4vmU!^^Hv&tNeDTs~ zc=7knnptnfzu0E&D_`36#jDmHUi`Dimigh_;}6+tw^`Wl=iRvJ@t0n6uJoG|7VL1# z_b)sLZ6CRl`hk1lW$JI1y=mhk?*7dZEBc8){H%FdX_YJE8{IpgBlMjr!QoFlaMMe< z5!|^1qlTj|0ZMn|mwz@z!!{ou{nRPwCz&pd0n>L%kkrJMJSety{G zwtUil=E9c*Q zN}#w~_1@0wFNg=qM}>RuWL@e1v3DNOj#Jm(rw2qQgx+hw0jn44$dW9}R^Z2&l4UmF9F_TNInAZ-M!Y# zy>ssxFIhTg@3Z&Md;ib=-2MNt|Nl4hA7p0!+rP`c4F7TU6xjNl;^fzu|Hy3`Ql@F< zBI*CgpQ-=zP2@j_)aJ%=yS#89(W3GneNp&NO2ErjMv&75*+dwJ=mUaAqDnI4GsU14 
zXHw#bY4p6THq0gzlTSHq4eVjjD5I!RrDSFeO3uSA2W<{1O$TeVmjYmyQL(1$ci5EI zYW1^GUnovfmTVA=2a6Ir0cIYebrP_rWp z%l88nEp;$0#dc`7S!!63+!uq6YJ06F({(`-W>ASO=0LPCbhJ{c7+OHN9k%@bIIhK+ zpkC+FmWeu9vzhEt8VS}tm#DFp7c;evL~~x6O^%gvJ=;Mbdzwn}#4!hWI1vSR`@ z;eJH=4zE!$X;+9|6xBnfA0kwV%z!#pu|b>&5VtG_3-~G@Oo%KvBXVDMie*3?2{BO0_Nv4JMz$Ay%Q?ZW2m!O$I=7H9b9j z_7&Duv$dL05860Ln}d26LPt&sZ9#ql6kK$aq}ej%K`N8%wB9ZhENSMN zY~OYV0}D&XN}^kD6$hFo%9#MFpvkb2941>XTR|PC%n*Y>FBdRB?Y;?jY06)GgJk zjED3IR)nU{w2l>8HP{#yJCK*N(4L;^a`5UQTR-&AZW#G zq0!56B_n6y0FJPziF8$S;D)l8!>!P%8A)pDKM z?~P#87?z7HKq90sG{LD~sYR8R+euU`eN>pbZ_w8aN1=^cx;2WXX_6e93#WFb$DROc zn8Nm)j<42Cppa>JLX?5y0og05I9E!>zAmNn?V(_EZDUf!%cjuLntYj}bH3>I*@>x$ zN=NP^RjV0S0ks@jYNy^A7X=mP`xuU)SqLAOkgQ4#;C?1w!*hPAoGub07u9Iam~J^+ zCMQUvs@Ek!15`hespjBB7W>cspQ4neKd=9X`h@>XA2qnh{D+;;vTYAMi%$>geC&xn z<^i8M^YK48PayIRYgkp9V}^MrSInD?pd~SeDwzcfHeeAoCxB86xTFfRT+}MsrN|Cy zS|Su{8Kq|Q5EIRmsw}FdWZqAY2Sv-phpd223VL2Dc2En33P2MxGC|H5%Z@$(K|Mp~ zX|D@M7C#J$s;Fdjevl;iM3Z3Llszem0hkS7X5>~~vlP=22vjQdMpqSm$E|g_T1y(r z6$atVv9D;2EHR-2LHF$v-zlpoSzx-8LJhK8ic~AtW|bcWjA<%dK35f(zoBS#WqVG8=mo(Bffw7s=xf!pRoChizf|s`SYRS3-3Ei zt^UX*-W{i2^wBTJ`^PzwwUhDa-F}-n;yeUTN077w}J2LUaI}p^pVtl!spEaBc;yZC^k*L(01>D52qvCd6D|6m#Q>ErHL_BC{~UFVE9 zyl&^K9~rKPS5oS#ui>A&|3CKs|7QLJNrRAR3}rxw z{Q=XiPKKP5Y32q(QX8g1Vu+YHT`fy3t*m;)P)!ldWNW}@g&u|$pn+Jzr~=5UG^qn3 zHcY~8%5968gjDhaOd)tS8EHc!&)79$;+B(eo`LmNO$7;dK&u(FVpP$Am?E+*FJ}Qw zWYA01+bz_ET%z9L*aGc?9ZAYm%3#>Fya~rUA<>5WRWZ=|8K@gNQMNu3i)B>jbiNEI zt`+1AKPMK7%ryJu&90?FX%?iLC^oD*cr_cbBJ0aiF->soF;R}aOc2yTTE^2uu15fD zqnz#84J&JpKn)`@IYOyYTFxYrRJLpDOyKCc$ybww(NGr|xCL^BxI4@WslXG1MyCwW zNiF>6_)n?@8ERe%FhSg+jg7K&uv@NlDdKhprcW6jaifWe#C7ix_B! 
ziSikloW2ENq)jqva^#?-PKGF1@axqcn?tC+hBY^C^pJUP8vi)vu5Te zEMfI3QBbgY(^H?qOuat`CD5n~jTFb^0cA`Gu4_0_Y+I!wnzEH-ZwwkSf=_QIK2!*} zmeg3q7Ez5t!*VU6+N7t&Dueklrq}AgAW?0Tb)2ryaHZncHMk4vVR|^i3spsfMs*tz ztN`~%Qq37Mus^DHi3yfV$W$86^kNtV5}>J-7|Crw(kJ{UFLB`K@gMvX{v%E3c+vR} zOXpgV4boFfCZ>O}QwR5X?1xEcMZIqg$ZVJ?cN>EuuHt@%Cz+OwM|Dph#0`&OL;|Rq zQMFkZ(m@)hq>*aEAn9ew83n40rz^5xdteU|nH4tj7QY zEGlaqnMS#sKvPNxspAGmWLjoeMifFf@}Q7k%&?ys_A|qN z{tp_05#-mB|3EYKzpuhR&42z-q1OEx@E?MpaDsv;@(b`E@@vR{AP_}JiUcv_OY)!j z$F5lU%TuRqO*|#d?)}#O>B`ahYrQ(jYwYDX4hxx&$-%|k8XGJ{HtGgp6#zx zoupqqC;7k32)+xY29Q^Oq&}IN|0ufB!A!u?N1`R&yXJM70VU47On{dp_Z*1YYc z();ZbUwrUD*6@CMc`E3>d)tG~0Z07)mVYV#sgcLNky(E7-YJhgdue|2Yr*n@<9{n{ zb@+KlJ@MW1?!0RMWiGca|I?pOOPuzHqvkCi_B?@EZ!%tdoojFV!R06T;zyf5|I%4M zzHZyj&O0Snn0svS>rD#U@o(%*F0VrO-7UM*9Qd`y)yxV{zn5H*Iij{;g>#O4X~`pR zZ)F-U3^!Zyz|HzkNjKd1!~OUEXzqg-eW1Ve-DO;F^=l`)Kh)pxmF@)wKf3YAO#a4I z*dINLBje?_+v(u>tFQIodslyZbFs9=J%4GRdBaCn9}1hj#Q+3PuD0AgTOWVcJ@*vW z{_eG(yZ=A-|Nmb8gMgng{|%k-|6hfD8U6!iYlZALOaEtKK~A3Lph~F@%PjXl3UdD^ z|4}|u|L2>?e-L@%!qY#~dtfgr|FIW^|Fkkx&4XG_FVVM^f}ZApv66^Ji9F-Lsu(oI z2Gxst_=MrHUb0IUl}=PHX1TDhR12PhitQTINsw{BI&j7g!37NoP}EW!@Gy;6L{5Q6 zriHhL)iGpP9-3V!Fk`pcLC0o1(i<%a2OvnECW1*?k8sROxz40EKI zv^CyJm7T0HT^DiCF7u4g6Hed9Xip=FybU3CPXG+LL@ga88VJV!k|F_(e2poL5Xz4 zW}!;HOhMteSc4SYv*TnjD0G`zI_dRUzR+eG^{`k)xJC&~=O*$v+0^SSFse3!prR3( zV$PBJ9-1m;)JZoSHK2Ni6ygXR>f-c)4;;$OTN35Nb*-F~L%J&`-40U_fR3iC!*u?RWL$8oZvfLWL= zCn|K?o7fVds*_AJ0}CA~Jz&TR-^i=eaL}$WO~px6l3aTlG6Jey)&^rqsW#Cv-XLpC z-xEi?Z{TDMgd*oO2c|v@R1g*nKgC0~K{K81&>EVhftO?ZMcb(6eJmXK)PPE|=CC{= zY8gF`8;!66u!F!Un{_`Mbu%R#YMDyc8PY9on8?F6np6a;;Oj`&X7OyjkcPYNKrF>s zuHB*IX4R`BfU6TAk0+WP!${TgnIy-j%e|@%qtrM{^yGw|PvyE;qMYa?gJu=%idD2q zTW+OV&lzO4CjrI2>2j7xOa1@s|A{0X{k-{a<|q88!lsIg%zvf}>L2+}6Zpr0aEm$* z4p<0_Xe>pw<7`$+TPT$BkzrO$@oc5#BXFUdF1Z$7Ne#uYF%j)yJIv%OjZ&mcLl9(Q zV<3Y1N{MI9{6r#9CmvR!@z89ItLCI1%A;m8>&W#stg!??kz+Yk;=FXKPPEco*%87@ z2Lp78chWt_sS3lQgIB^5QDv?yPy5$~$I2SsbH%vT;c8isQ=5ZKSf+B5 
zUa1E3)K-XD`WOkCVaC$)S*7b46E+v4Xc(iGMoyZFFes;uB4<0K-LtY{Mi~yuEv0F7 zd|v~IOj9lPixN#_btpqM(Qq0%%j3lK=mx7a>dUSxSuMBU%U22=p`T1@m553pq|iWz z4F+@o6z@6JHdRj7m0_6I31gHVYem5~q8V5;1B+&0(F`n_fkiX0=zoPF7(sn4`42o( z|NAQJQ~am+Eo!$n|NZ<2!f+U*D2yV$0RN%>f&Wln2mXUoI06wc{AK%pPW%vE;{NAO z+VNL6-ab9G|E6~I&Nu%0FS%FRi%H^}^1W{b6aJ#vE5CO$Q(5qfO^=#&S8`iox%I#O z(b)&CXze-v(LDz!FI{-{KH*95J9K%kt>wo0yFPr_TXUcbclrGzud`P%KRvm*?3I~1 z^ZO63+5e?wme^|X9t2#l?^5R;b>i!9U-|ORfBJ2|m)dTX{ZHHAxW3MoS-i28`YJF16<=7yV>|O@6-fwQv4nkArqR zWyNJ*+iT5}deX9Y?RNVXw~)nPZSdB{I}-OQ$YF8{N^(|5mJ`pyc+FZnO!Kdb)X+|u^s)!U!)#`oteHvjDp`;{MG zDO(GcZ(q0UQ?~NRgZKQLzId@^>d(FOgWs%h=~~K8{N~V8@tY31*&X}QtR+5%f_o(FYm|lM;uXePCWXR>Km)i+GKV7(38@_ z4bN>T-?PW-pS%A*_W%Fp{vYg9{0Exh|6h%L8UB-;c(vv?YyO+U(y`QbF?mvkC6>m% zIRE)f{U7g}$A36TZVS^~)rFK&eNp+3yD0oeOcp?03=;#;rISiJ6ak}IVLCM=5yfuY zQ1L`!7=x8`o97H(>2UN|>x=BfV3O5z$sr0B)oitrilk#jqT;qa1O;%cIc~PxI-KT) zJsh?B6I@I3v`W|VEL<*?$hs={j#W%XqR!b#H^5Mm3=)&jXm}-5Zvd4%rwlk$%;Sgx z_RNaHj(SChZ@E>grWdAnJ!J}`5ia6Iw1;tttH5t873Xx_LsMf(q z88I@&CN*O0L#dIImU2x3&+Bcv&!yYmFyGW#aK*algGM`1Nkl!Z2=o|z zgcBgshKov_ll@){5|~_PMZIfw6C;cnm?9mks$utDF;+2$4($x`uqIca|6Ts0X zg5&vE^dkmIDJtc(V4>Ew~%i^4XX#TWZSj;iAY3L@A7Fc0n_hiQzXy$B$e6MjX++#|BwD z*@hc_T*ZOTLIOQfy{Z!^FjjNqv>Yc=gFyGk1Bh~ZC47)soNCkSBDwe&3BRDwO#S$f^qmo@8GRwJc z>}S%Dog4X)kx6-KVvuqhzECaaMj43?xKK!gfrO}L$A(dJppW~6?b_PN zZ;nxsM>rp-i71(AgsSRtpYR_`N=Ki^f3lzOAGMvL7n%R?lh5e?`Nx59|J^(|&QDZp zGTjZUaRTqCH3t+tKp3>OEF|_4J-H*3okG2!MOAmy=Gv@Anq{`hWs2oujWn~3A(V;( zH=S#+6b0K_&C+cc0}^=`3@MlFmWxC+mDHedu7lMqwpbmNVK-YXVqnm42LZ?#jqZ@- z!pgAB6$mYo3e(uj%Rq*ZKrfdljZOj1~UKBB(YLPOmA%>pstF6qWszka<6k;ofK!(bv3ouy@^LUUm zS=NgstW|@BbhnS{WfK7H8O}4qd1g4z4Ck5QJTsi@@(J(SXV0(t@-Ya-AcDkEa;yIl^c?-cZKH2pv%-Gimdt_KbDz1&yLqYghsV71 zD6;EA&%C!n^ZuK-rLW&IJam&?_I~=zWmE3H{x-m-H(mbL2ajEM+htdse(<)*Umtz? zwx^^{n!_W%?yU0sIh*Xoy?5{9i~nZ%)t-8Gv%7A2`sZh?xY=nB{rR=an$KRN9CFiI zTRwTk^9QVb&99E1^}u$o{dupuYMZ{B+2Dd3H(pg)DxUqq*_*tJT>i}AFK=RZcALNY z9QW4DZH@GS=akl+efu_N{Nc&%UwqQLGqw5=>-_c)@$=AWvU0{7J7J5j{=vpqw|eXs?Pi1&GD0`-tow(``)?HQj6U? 
zi`)3fqbK;>i#`TD9LW3w=s`XPJ>LVj{=p^#t3TMbQ}eBQx6>blHK#M^Z);kE>2er& z{g2rXy87r(pT&NV({@9^x3}pmdG30|{zvV7$yM(kcFNJ)43Ajzg{S9S`hv9}np}C| zoU>2()rD~W`0t*>nEw3lTs$jx_eS7uukC#KJE_CoS!LG~KJ@N>W0Muu`oYuBE%n{a zU!JV|ZpWDa*zsQXdl%ox1mD{J$Q%88-=EB0?!|e~hEI*wzT)DdcEX9J{Wec<>lMN8 zeDsH#A3h!4f284?FVnjyo1bp1o|=f4l$x>i_@$ z;-CMK|3LVs^?#t5`JZ2j{ZF~8ZvV)QXa%}H&a#^4KTIR9~C-lp07hL#( zY^kIp)BMepQtl`DTk&)F4?4X9w91w^WSXBw@`N5QoaiHY-Gx6x|MoL3R?^+bHo%yf z(Akf#N-xn~r36R?DdIi`LIO(%tggkuLb77|UP~$n5l8>^cNv!UBomSB0-Oe?U*j}O z7Z<(|kfOU117co-H~O`zZ5K7HEfv8i_c6W^S*DZ`gixyKQLzAJp?}1iv`X5Uw z0!VE=l35#7SZ@0M^|8XZ@$^!xk1tb_(x5k7_}OAptGG37`a;t@RxSS5dmsoY;ZwzE z?mr4qB)#zWjGg;yQEFoH$qtzfvk63PAYpntD&qg0m6K;2O*2GM*@_6QYkhSH=U zR>oXL(GrbzKReD&^I;w9R7;8c^jS7^nX2n$5ff2BG|TNy*YOCpTW?~+M5gT~hwcQ) z#jP$Um%BvT$};FA_8F_(>2zV-C)5_@i~>4aarsOED6~wnmEjXug#=||Sjp%{xTahX@r67hCniCjDmFWKvAOCBv z%B4y)yRbOl^?;dvg(!pvYG^`^@$Q?#=a!Rb`7UTGkv>tq`5 zDux15T_{hr%T2hidZkHYC=+5Am?ZNluvStjEp!u^8c9W%$m8wShz!J_t`-{2KIB-6 z+H4N9y`e+;d_tmyVNdtTnv3TNz^gP}mBqP6UMoAjT;$rF0Fj4HzEXEbgRU<1m2|r? 
zJvbUUXDnp8>cB5swOR&B4H3g{0aXz@;Y~(h0!zzri|i27X9>c>fGW3I z`UL0Fh%MEu$Qid9wX`pgN|G6cZ3hVYJ#aWeYfY1B*0p9V)yvU8Q7TLb2(QsH0Af^vx-e=hrBzm}!KMGZBdupe|$+-wW;tF}_)*e*x{Owq-yfYBgt1e0jc z_ne9EOB{0a;?#bgKNYfc5+h1XS{})(klsJQjhTL(BjYp|*j)lfnq&uO2QR!gO1Q^_#pwph}- zbVif(AXS-k$7WhcOy92$H86s*M%Av1#N#A4MC&QcQmqWbwA$??0AslfEa&RNCvJAq zjTH8C+$>Z6YsoNUtCo}++Y3jz0e{DGa-1a5y$mBUU7BW-$%v-^8{Zr_rltcBRqgY` zbUUdg!Dcy^$C+$nsN{+q8fosxED6&zRVfR+0mm__l<0=8O>*@?hYW&tsHY5o@6_^a zvWxY+dJ@40rGTzQQ9q;ljE+xZ9-bAHMBgB~g&ZaHBEht=uv%8NvV~U$HbInuCe-hY zdM-a=iixtE?wRc-l@UsAg>Kc0m_C5Bmh2RoYMddUcBzV3Ajl`%S)u0DGX+eV07j=r zM>&iTnnOC~EuQj=%@7VVOgrV$H7c%}Bd(!DQO+T(ATw$BZi1IGR5GM_vRE4y0l2TA zq*;r@bUB?Lvw~18R%_EsEi?pqP)_K2-Bob`%77_eH>z}>EqZ?|nbK^mV&$J!{)Pp84)J%W5m_cKVqoVCxqA53I~4CtPx6`%kaF|HAef^7w*l z_u6jn-_KhsyTcz}U~hWyB;x)xo%efpp1k)~2VC{!(w9G>#XsCXKKSyjAG%`zE_nFy z@*_7qna*#s`h6EScia1s{a;*CT(Ir)$@=|2{LB5-JC-^4sm3FBZTiX$TZM0Z_gLz@ z->-YeO%I)Nzyo(|x#p5fy?6|}<2%<}_R8Lu+zcO424{~iW%hgWp6eet?*4Z!KE_?~ zu+C{i@ustP-C)hj-nr&PVas)99lS^3oz%11@weS`<*nzQxKHh*#jbdd+VQ~CgfpJ{ z<)07U^E*o(_TE)ZPn!4U<_G>u`+wA9&?m0h@@L_ySMI&>sZXoG*-PwXuYdfh5O?#r z#eL}m*YX#vw%U&`*n1g$FJe!KeD=Iop56Dn;`QHK>$2w;yXy>M!OAO^w|IN2=1_{%G8^?3R9jUId9m4i3=N$0ec_D$b#*X%2PaNE^O z?oqcOLYceGyt!PnnEBONcOSm=`rqB-%G)9RjX67CFJ8A=UU1hs=!#ie*B0$d?}Zl^6@edeY=y?pCo+uU|FlU(}!pWO`4 z|MRzN;}_y(=A8fbHHXG`%}NWq1 z|6~9EHPru^>Hqmk>`V0jl!VwIqHmo3&sbtPRAQ&6<`M^e!TuiN)xZODQbWwjbCXVxOZNM@yrCO;wdu%0zfv;veku=ekyDU+0n|c}OgmRodPS}P zN^(}K4tNyyENGG*ffT6)QC>|BOoNewd_P@jHb+?!?xG1GnMG4dMVutysGS>T`sHzw zN?;vi;Uw& zHsz0#V7bIG)8*?qgLIluGFa>-y>uZ9;pz5hfEr=kPR0WqaO`IFpPc_Drs{aZ7b(ve zb7sBZN+v9nYeL@OI!Yt$dv0F{{Y;5~yUpI92;m|OwV*OvmG zJ9d81hec%|Aj+6wG>+BNLzzr@P|oIsd_`c3*#w8Mlvk|7<*>u1YXF@@5(Ow8C9NnL zc=dkQ!AZm`wDVq;YMTQ}YWB(k!eDk^k+i7Kbydmhvo;D-rj0uz6{z(FnxWa`Xiy&& zGOcF2VX#KOT}WCDFK`lYVbUH+XupH>IwK|D1y!=q9B?JGEs{+^>rMc@h>2iB53o8V zN-b@K*8~;O9Rx?mE+=EGD+gZa!gOa`uv2{{ZIVNAWNMt0^hQ+P$N?rcp-XHPvL%(G zhkRddMr2xd|Hb-0CEhnNa;DDs4etM0q;T^$2DB*i-?9!H%9XCuz$btLVM0+e93E!| 
zIMdV9OqB_{F>Q5OsTA>n+ZYY~RDmV3se<3?Bu89a%ulyyHOvSy3Z{V2QIbU1sYWeA zk6_5FGjPb!8dk4>a7Ji(a9?m*_9&h@8mSdGn^V8;p^>jAi!ht&WC{RPF7#xuGT~Vw z*{;iGm(O*XRuu{ODlA&QD5OA;q-&HJx)ULC5R=a*#Drz{NTJb84sn11NBB64o7bGZ9OZb+eITAsa2aozWPD#zVN-O%4Y@AfT4%d6h2G_8>|WOa&@7Jwff7P}viP?S4LA8P!sHS{)cbPH^K&ksUK4 z`BmxvwCUbLW|SoVd;K44poJzXwHzfq9JHFMH<9WXR3L2=ixOe8;|=BSaR!uzb)YlM zioKx$j}^^pBy=}qkThJJROl#C#RnMH9fnXZWQkfO3{;90{Xwpn@;S!Q3pv!DD1f13 zV{W?Aj2b@H6f{{is|*@Uppr?AbJCczT7)s(QXEtfd&QYnpBY9p!-!@W(F`M+VMPB2 z4Z%q0Ysr6*nfl*XVV~wdxvlEEe+~E#0Z|kLqTm;p|3*SzNB%=1I0R2Gf%=mC=O;+8 z>f4oLe?#nb{*9weR$hW;v(NtIz*$G$ebgx*UcAEtN3FlY+=EUHOl1B&H=X{_elIc@}e&)@&xRo1%sxL*_x+#I~-%02JjqjFGm7yp-M-(Kq%#=-TMfvdN? z^auGJSN+QphdqDT0k>SZ`w_RT`k=lRIs4W-jyPqthaWm_mos+X?6Ft)D|gy>>*Jo> z`1;BF53l50M?bTJzxVpHXT$uQ59git;rW+5`Pk80y*zvU^S8MEyk{QmU-jxP*Mh<2 z+w6Vm4~HP|;!e-8(S~bm|HFMwJ#+sPcmL^P<#{fK9`U_fA6b9dZ^^&;u$Ef$&zIi& zsJ7f=+^X}=zXUvD|A#wEtnv0Q)_5Ox4}5$7HFkOFk$)-wslIrWyhi1sHS)W2M-TU0 zYKu2+^$u)6Z|kKuHal_S{dhE8ceIkDh$%o%7dQ{;FSHsIbfIyxhFI zet!6RFPy#W%D;a1#U)Jo)g#r*9(`%+N0|*@-&d&}_Lt3J`IYO=KVKzZe>D=b`Z$9Vrb8g=w(L~3qz4`23cbxUZ>xW@= z=hMRL+XtWhyTm&4Zv5r$>~CJzRu~@m)am55ckll5YgYg6Y1f_kljtWud31x`g0#2I zf_Ij@Q$tp{>F8@N*z}j?Cd-|A$=c8V{^fJ3TJMk_ZG7ro%Z9%u?v`se-~GV%@2(%W z^m@y`7Fgo4KU!w6Qt#rkK6n3r?Ek-h`ak$g|L0d?Uxxn_*r*kMl#$5mPuIUpkK6ljedEULi59lQ1bPPn+N;0ZDCb-G|eig?vUvMVrkg# zTGW{Ab#W4`6-t9trmndrsA8NtvD%0Px5v(eXyof@#wur2NiQ_H0+lg^bgEs;0Np?t zV5m<^S~S2TM&o+cK<#w|>t)RnPZ&XgR;t}=BQuUVyT z5$I_!nZSuYkw^v-gR*6v_DnO43e-p&Yn>>`HT!ip+Zy#-X%8373FGvK;~|(UphgqH zBA|~1UEEIca+n$0xQ^0g6YVk>G#pq`uhuP!NvLm=rSaHA$vm0~x&at!Mj;w1q1ex zECB*Kgomw;$>x!;(AUURDcevK!>i`=zQcrK0Uvi!rk*XLPO&sS*~L(f(^BakS7cL` zUqJv*&uTE&7>&=F}lz+kFO41Q|3H$w&zg^lBclh*7rM8RF%xS{u~3nDjiqXRy?efIYUaVI1DJ zL<$_BbVLJiqdu;VQnir-C8C<%g&b4Sk+31531%83Qw%k*$6=yaDD<&mvWWERxe*3V zx3|`116#EKT|)CPNO$Qd>`r37)+i*5q>gn`P!LwjsYJh9O%jk{a}CQi2DyH&!D2od zSM{<%Oyo%ofFXg@4Jr&h_p8$X`8)peFVg>EGMJ3_5y{CX5}9J(=!{2rQt*ggmukZr zWyU!}ZHJf#69L;2T&Jv}UD~dg+933RR6m)?vq(u3iGdN)K980sY&MnBl* 
zP80-Iw<;|+DY`_M1e;Ya!%o7eVM)fSviMD zkqJZ0)_9vOX>}>x2<6tWp6X?Y9$!moK&@v~eN$kaVYg=E#%*jgY|O?^V>@Z=#&)tB z+qP}nwr$(aPWGPsb7tn8xmlOr<+tATP~2@UEyicH&P{+`oQ#sJ`P6_tQS8oSQMyQp z%zk57>&M86)0f3|G!A3LqJ;8?vezFo1L>I_?f*hu<|a&n*aMd)a?&RY-~(ht%ajXK z>9Wt>LWG5@R&x(}IXRFuoO`P=;gsTGN?4Xu$QH{7_G2g>ePdGEw4)9iKlz~lk1GfB zAoWVTeC}4$hwg4PARE}eXPfu&`dHvAQaoosJjpA}3+g-SXGHd=W(``1`m7pFOfL@n z?iH$i9E?rSdVYm}>5L6t?_UzI$+nEv0~YSc<=wtjUT30YH7tvZUp?W0_Ph_{v8~*P z7V&?=RXD!dB!h1^$y{D^ZSPyBt=<bKUnV)as8{SG~9J#`V|hE}wmniUqzG-;rD1kb%0?{;-nzgy-%7A}YUEvaH-% ztLK8@dB)pP;rP4hdGM7#>z^zBR~zv$(~Lgv>&d98S5QZs!#VoRY(1#uRW*4UaFCNe z{c=gPF1{Sxy>+k^E(I6~te4kmYq_rW(*@4hN?%q^d+Hyq<6(Dt{zpDns^dOsbCaHb zUQnK7zTNz;>Bae+3uA_w>}~KAc1yu%5zP3s(VYO^@UpWAy>PGBe2JRb1 z3s7%VcQ*|xPw0-{H>*CfN45RqG6n6XXN_*IcI{sYOnO@m^Koo@a+pb9`5n4y?UEhU zI^TO;9gZ;rZ9MNt%_`iEP?G?r@l$~u6}LB@3$M@FUGMFHv~5LF6`NY-!P+ z&(94Gas@wh7S_XUy^SSW66>zt<$KBG5DqJj`43j0f)NheL7A5R5;VAae$^{bRuw~DG*2$jPMr1Sr z=+(FZKOba0p0VCf-KyG1*G5Z&B3%o+W{PK5`vv&3N@NbB;)h_oWKyEx8qMJ(1RvIr znoOT?)f%RSZd4VjJJXGX*uab^t+e1{*iz|ZDW$ml23=BJY71lum<=q+elJ#RNf8be ze&PO@x4g@xWF?YsbKsk=YlwrfleaEI!Iork`wInGp=uaD5N-KxJO{Q#l~DF~rSCzK z0^@#jTE9@Ksxgck%ikzc75T*E)-3B1kco{@|xJ z0j`i?2-yMC`t7B~_lL>aFl1OVGR;^hn$0ogP^mHqN`&tft~thd1P+_LCtt=|@(){W ztp7cV!=zn{{>8bkyz15f7Z*_2kqRhdy$5`@Ve)>qVeTH;z880XeHTw@@XWZx>nwql zaq#H#y-#D(muaCD;mQb(e46?9^4a~+h{CbdmUJAQprq47i-T)MW31!AUFx!SmApsr z?Oc=9W<|`OUh|3#IM-(N=j3o`j@kz0drfab>C*~wFy8D;nu*(7RJu(OFV;9-uXN_;&q6)5}le3^|f14EV3ek*=r zl_I&VMx7$|r5vY~@gi=Q43n`u#Z)4plC-@hM z)B8eJrocN;tdXzps276oQ9lI2^T5gj!A2qkTwi}243bNh(RadgDi)^tu4rLF!98|p zsFk6^s0Nk@b1Mowl^CBm50}v=-g|{lv!}FRV4oC8tK7bCp9TY3qZgq7TDUrABhmX6(9 zBx8STezsbdQjVim6o96sd)a7Lr2NyF)|m0^tzh_HfELFZ{3PBNGHIg544YzKbo5Qe zn?e-qGF+ik)zlKY8{Q)ck7^Yw_7>xIj=WdlD7;@#OVlbn`U5Z|UwkwDgm(-nSxw>d z&9v@UgfP3LH(ipzJgg<~u{&ThZl7}jtBp(UDb-d;^ z(ehr;4RQc~Ivs}N6PISsMc%J7)Shn=Z@7m8Mob(9(l+jbz1N2$<-5kqY_lUelw9Xz$eYsJJ3yQ9;0&-;Y0`8ph*fn9im 
zU5|6zu2UZN&%Grq&rw^iFOtE8wMsX;7sz+T3;;=^56>t-l-pCxC1a0n=>amSoy@V)o6`_0$*x&RfKi3-r;H^FboG0PSyLLgnt%=;6Tc8@Uqs)$}QVs?U z8z?N@*f*U&dLrqKAJX}tKU9y5Tlb}zt^3b!Tm2iiSF7ix{d7qpp7ygO~Jv|al; zb~{Ibg)ZIB;H;Rr$^xd zb%U!~q}XfcP8mASWPxuA`~LXR{GU?6;%Mh)%@5I=n&K(V{U_^^wGMSu!mYYh?)3`T zm*yh*$<4Y6#Dfa6;ZDNmbx-i^lUep|{OEF(Hh56V)u(11`F?;W%H7ZNqptG5E>v*m zr@oQD63og9zAyie;VSJA55wpFC0ZM;h-;&-`tjs*la7M1Kv3i8-f7)sAq%<(AmYD@ zZ-5Gewj+#K$)-M)ah1YAhyb$vS5fDSWPEURC-94FK^gwAJe)YhscM-YlVB0H+E_xu zXac!%T&hC6%ourUL#lDu*Apd}f@YWkc)A~uKUBvcA!$iEIeG(=b=9B~-lqG;&&zAN z=w3u#Jg4iQTY($E3vWutV=wus*NbPMYQI+Q3V{MOy{d9PdAgXtSY^l}bnVwshKrw} z9lEh=0|khEnJ%1cFpO9U7J3ZFKqud}g9TfCyz4Glx;B#uC_XYD$VL9G+c(tb0|O=1!$jLq-YtsaKZ|1-@tD5gE&ui_j1CahXi=)rA?My~9# z0?n28z|^zpG*@?0B>U=yPv-H6M!gcJXO1SAjLVH&5MW_blr40ZT2U;gp-8tN6^2Pd z8NgF&ikWw&A81|gqdlKa^T!S?)`(q-{ukCiDHHv$%z>1PH^b%JdG5$>4Tw@%2uaY-7d@3qxYLoobF%AzY(MoQ1uO z!d_8*w>WBo1+NpL0_xZ=Jcd8=&amDbgWR}<8~T!?^~k?e3)WSCC6agxHsjD7bC?jN zV$l8ERERfre`6qvjJQ9%a?;!*b4?hFB5%zrp%zwC8k9u#ug91R`)>Hw4x@o}hpR$B zg+QS9!{05$`GtXSMkoQN{nTC|uias`QW7I>1lk~>@`mQ(MS@KD@z>A$DW^;ta-#xT z1-||65Am##4a4(pRsPQu8dUA4AeoMwEqGn@GHol|>@7 z_T8zrMZUK=@n?TUc*3ZwX97+$i1a0d66bSpF$xva&<)AvZ)1Gfm>rR~Z(F<$R79C}(sgm0Zr{L+P`+xPxd_SqFM{yZUL3Q84i-aJ_5$VQ zd4uNbkcAxNnp9Ib@=cYk-k^+Jc>0;gl{E9d`QRpk9&|Jc#9C<87~?j{sC?Me`#Py`pIes*bu*{QH+|%Bt^fKO#GL-BI1&dP!SSUUVN94z9EK zyexoy#|ZH*aA&Y<1FFDd#7DFof#ci#xNfUVY?Qi||C%NJ=@M5uy`@0?SbXXu3Mlyv z)k$2F=OBW9gud3(<%za5n@;2Q?$0up#}t=3-+Rybwa%kI_R^p8&9UXDt)mM*BH02I z?&G|}-Z@`XOq6z~W;1S?dQQ-O#p}Lzv`+ABcr>920r$DzA$l`m-QI5fcH~Q9^y}1A z_ax!#(d_!enLKT@Ge;NbkvK}%Z3iyc=5B`Y4}bmkcPgE(RZT$GbIEmX|L_rkU4ClU zaZPr0nQ>IdbDFcRn^)?v4brccgCzB6!21OLI54vl2>W0O)D*w*IjqPBS>8jTniF`f z$y+`o;eWVaF3WGZ_GddhMh2&1zPd(tbLko#5ET;N;cayuZm@1`?De9zj|!mwp?^H% z2(%>D$u)TquaLcJzA?Rj5@7T;08Oacc$sHoI1U&dgM)9u+Zka0sh8<)OD`<&X=5uV zXza7>r_F4BT2|sON38s%z!=r%1I*{~z4+Vch0EW{pRK@$)AT5~O=`FOT(cdJp-i)|H%aH^>nh7uwacoZQQa9d0<=%aW>V=d*P z77HU^Nfo3+6>;m&jy;y3HK2U4(tH}(#3l(R&`sW@*; 
z%&KI^!_^-ME{!cLfHRSO#FVaO11OCarlg!5Irxv2gvcTgD2k0ss?i{{OdcvpVKM%Q zn@tF)%7nBMwgvEmM-yIUs#tn>VpWz0y%Z-K*5o|fXqWH3idfm`XQoZ4RKA*y`|kb1 zX~zg?>v51!fjR>Fx~!}cvgm|(!7%91TCR6`WU7ngh(au&t-@5TvIe96j*JIMUA z2@!4_(YiuB%*)&!R-vh_(1-N=-^)Kd)N@TGE6zpxUZwCfOYunQF+Mx@gEVIeX zg{Ef7LYRblG^cX_r{L67k+cM?JPe!JVLbg(^>J-)uzQ58=y4G@m3lp zDXKAWqZLK|C(a<6_rPDfKnjA{lP}gKH?CU6y>ky%5IP<=VPwU^Z>LU1z&0JTZTKJ2 zN=85>8p~PeB#{yVv8 zP<{ihIWs7~5jyj)*IJ!T&)!*^x5AS3*FA4K9V>k6z@inFqn5e?&rV@ly(bUfB@|jB z!KAcWWflEw__`E1Y_AS$S7nm`V!=c##$-3Ha$k!a3Y@=m6nIYJgpMhq>&{!KHSi%& z6ts6UQ85yxb2g%8WYxO{hp~UkQ>`asF?GVe#?ks(WmJypcE-`mK{cgL#ZRP254q*T zk^E3MSKssSOc@ARc(@8CE!GzB*gN35XCiFyR%^Zuu zHZfrTs+M!(3&An0#{j*7mlp6wQ(F6eat}ZPkMu7=Kfmk;$NTt+0Gq5LQyAKb*+X`I zRK5-Wo%(4r(aV$dr~YZP@;c3RMQR#s{N#JT+NcXej!T?tu;@! z9yRD~tMWbG(*AxpX;kw#$w1snb)0~F+FY0Cc@6Pg1}`y-S0f%Q6~A1{@fmI|ur_D$ z=%&3@uVdxVTG_8Y?nPlf|Golb>EB${pof*NnP)3yYy9Gt6%oH8%Eu{ZI493vuV744&X_ypX$_i6nY8T z_W_p8k9PA$XEzN^Pjv!U`=dVQZIk|Vf+cRxEPYs>2l~1f08;>Ski2WX&&z|9D}RNz zWl|eR39-uU`0U!2{ds-!W}We>wtwxo(&a|X>{ea-amsr75;wzr%hh%D3I8~~o%Wij z(Cn#=%~|~E(wV3ZP;({Q%xAYrxIW#8UTo3a>Dkl%M+Rv~?j1W8V z6SeBjFUf?F`zTa|Xxm{bou{M0@afduRoDF*I3Aq-aT^2V;5_vr1Xn&tpQJ5#PtGDs zU)~x6?se1|H$B#%7CEB-02?;9)qEF&Jr|GXmvUdG7*#OuyUf&KZB`iTkBo&HHatO# z#~+Wk{fu1A*=s}|e><~xN>73TeY*8(uf2TJR+GP`JlxYOK~91(8j;kK>`|-U`K&%I zePYwPjd%XVfJ^IJGi*i|5C8`Zo&-U8`+ZvZZ^7X>*@FN|m1zR6$9M7BN(CFl76R7n zE>QYi=m(%H4CH_0WbkGnI2N}IU`-kT=%-hTpedIuDGtCz?tc3c@A4xK&6}A;hq7uQ zM-U4(b&HxF>mbA2-*2XhQ;j!{MVB2Nfr~w0-?&NDh^|#{dQp^w%cj7Ax=(B6Tiv;n zkLVM5W9GP$26`#JQC(V3d|}Bbmt=Ah`f3zf2v-fy6qbE{$h;zo`SN*W?h0+1i@3?h z4DJDW|1MS1-xp`?@iC3j#yzxO6+d=*0^GSvFv>)yO{IynsoBHun3&HmA!n^TQYc_i zepq^`PX9*F`?lK!m#jE#oNmGe(To_`fXzkEg#Ku!up1Usl5ki9b))GU8_*S7CH&;J zH#Fu%Ho7R$taY(7-&x1Cxtv^PP_InyAS3DDb1Gfc0F=N$>R@3DL;h#ZGj@DW+?9w8 zi?c_rsa=FTbD|RL=BZMRwDTj$Z$>fFzMj1yQNC$FQbAvfowT}~B>Ucwi7^bJ=g^WX zseA=>`8?kvr^8*Mi|9%u?9cT?(ooD0mD(kFXED*R%EH2fn$U(D6=CY7MH$V8L@b4@ znAI+t+Zx6h$J2>Z37=5Rew34A&^+*wS>ws$gilc?5Ej%HH7Z15OLDkxa^D8%j 
zKgvTw8}=KQY`$iv#hGdQ1P73;_S~4MMvjsSmykI)UwhMrGiqtcx!>74%Un>%!>X?- z99MF33gUN3fDsA2C9HBErP#utHu@6n(u}PXJ#00qHEpa^gf?$~iOtWRdg1KFd&O#N zQ7E`w@t$uKltEfdZO~^zTTFV@%Rd(M>tqbH*$G+M(4AK5xrD}}9APM8UB0$tjEnD- zM6#=dq`zP|jqCgW#QbxC<&C-IA>*?6 zmvf1dzTokNvQNqP?3a7S+Xw(BRqwOx95p-mHz@uP*Q^%QFJF9HOn?3)1k6fUk6p0A zlNOOI`5~=PEmT%61Y}Fzn%pc3c!md>s$QI0-5AMvJ z6<)mk(Iz?6-jVO`v7AqNrfV+iQuKM!LTko|Nr6XrLOaEF)QG{FhMXUr5DVmeb0k&K z#nQrs$fn}+d;@F8FiT3z^ zMk)p}uQm48Ldqf7H6aFm0^Xy1dXdO|$)S=mcPVVU`ErZ4GTS}I88bORl7E%(W<&1(V+_GT4gTDdJ`sRsa|AsHMnnUrEzJNN@6SNgC?QU% zT{c(%0+m~wEBD}nDu=Gwke+)33zVh1KCZTP%&0L^c{MFo`~Kt53?+**KLmJQ9R4*@n0-t`#*lnE_9__S^LbCV>?Dy4-wdX0S!BL1B7YS{+$Dto_f#WHs8)J zWL@5eva@%efc*8hH))-E*2H$#p)W$g^ql*Jt-x-_6%-ZcRmAK`z6xmZPO0n8-0w>3 zM5tRYjE~u4u+yXK-v!dzw`PliK}Q|eRzCBL1(AR7D;rqv+I0}t`dvXc6_d9QCy78^ z>nU#MpVm`nsM(#mmb+DOmrY{^)ty~yH|q;Sj;GIRUIy-*T{0uDuG;qVnmiR8;E?kq zJ+M6XssPviZY9X=q>(4%W#{_I$Nn5MJIzzG(q7~IjMc`&Yg4^&yD9r)oPO4>bXd>l zcmuJkN&EH%8N{a1-toRJINP?em&FSugtG1wx$xM|s9_pdzSV8?h<@qhHt<2U$$6f5 zRo8qqeC;y^y5i=s?s!*nba}Sf2;T-p9 z+mhS8fKppM>51F|+{cNqI->BsXW{?SL2h~Hm}O|rwwp&h?(AN91slABIhFxrp@0Ws zoU~K$ePG1&o`4&g6b4rP>Brq0DqS;-aT_D@fy@2;GC-NX794%Icux$K<}<*x)q~03 zS^zSl4+XQ`cScdc6iUwgvXXq_`(kD9?@+9R@VDM5VaI|&V5;a*W2#rbXbI;eUr|ET zM4b@*Py!{7CUkKwa3r*>g@>iz0y;vI(d3&^fDNhC(!{Ylwki6lgWm-@PKoNAD8u@V zb3?`@;$<5845>OHja<7n#~B}WorfUvc!@$Ep@%g-ZU08Egrk2mDNXC54Uk>@he+8MV zbJ(rSNd;lIrKKp-El8#{EgWT-#*HJt)()}Q`@^(h_`_-ns28mMpm7*PDtgh$Tfpk? 
zAfZK<*W1eY}ZP$dXAVoD^!TkhAbtDhe;85)H>c5stw|dg}``o4Rcmo>Lmg zNbW<^!X%<^BM)~MP87THJv6b=JwkPT*qEe?y-X1VkkqU~WijgcZB7EgNR=_pqFTkp z)9TfG1;`vbDh0zR=$feWkJ{rj?3HTB*;^j`P%4)cyLulpHR}CzH=7 zjz5vo<1nMkYhgMiF=GSf0Z_Jc)r&89K#vcsnRj?(`?-ie0Chf%-`DhMjY+=1r*veT zBMk^A%ffaXf3v{1&qv}oJ)T&$-J>Nx7bF>hhFiOyd$C$>VVCY$3zC?{- zBG@j^*e6VUg{I?zuMnis{Aq|b*Oyu41-Xk1vzEETAdtwVUF zCaQ)^*XFN@KW>|+K7U@lAJLzRwXo^Ek6^up<6?N`@VEDW6L8)>Sjl@(C8<_R7?ziL zn@B$*8t96*7JK=#v3^$$u~UhK7!0~7?7)u3W{N_kTn`_u{2*65b<-h&u$UpytjHUU zr9#9ki1P3f_QMn28B<`PmlNFhSHDXxL3KmG!LY8Her&O7!9ZrepdmI)KGVmF%zl`M zVI%^%HB|YoK?}{j8qDPV#w%I1kgv!?AM)W6VZsTUs$q&KDdj~*n?MVKmU!|wvWvq@ zob_15k7VX}K#SF@9*5dmFl^6DuiZxABx8uyE(>*|Hp$sB&U;~ZghmS_B7ugXzzos) zc^qf+hk>J!*W}3aF)lcdT}9+HNwY8rcDSb0=Vv0**F{pihaT0hNjA&H;e67O$Q4U| z{!R*K*vdCwo)HjOjRaVq{>NbD$D@{u)sq7InoWVbLT;JCv+A3)o!8ylfRNwr5E!sV zFQ0hx-6!4*{KT6f$imV7?M!QfFH@4MIgK)JT3)AD#ymdQ)i$587Yna9pQ01pgZb;< z)hu=Iw(6pJ13s?WRQ29KMjwq$ou=6vI@Xw(9o(OQCUQF2HB?ay#2qh))1eci)9g(DfnJz4f#rqPtzwN65_Yw3;p8HXB+W zDob=<0TX?#%y;zof%h7WWz|S^z~DNS)hzJT@wM9PDZMz_r|~IB`to%u{kd=%mjD7K z8hB~RvuWFpf86Hi>Iq2J@$tSK;`@tUgu3 z&7Tu2YrXNbJDfeLXZsvLRrczg2Hq+GG#-0g89Y7L1s2Wr&oA$mYoCt2m$@8nI`yh( zK++#(V7NF>UQBw|m$aSgPQ-qt$(nCxzP zN}UCnVUNoTwug4pWx8&~-*0()&X01KZ8vVNp>DTtF|>oOuIi(G?3Vr%Z`f}h%`&_h zEbDkoZB0Qjfk77>RjZEu?OCoaE3doF(XBR)?`HQ5>(8iDuZ%F1fO#^GzGwn_6Ts51 zTkG;i)YbY*Jx^J8_Pc59EzeF6>se8Lq-|!)tQM48wyRI~kn8oP!PG5PRp*m(Iru1x z5a6;4oNMv8P?`*nPU*f%2hw#ItB3pCPamaQPHVa+p52|3glB?@hrj?w5Nedq2EgfRz70 zf_EjQ5KU|d>P)-V$6Q5F1j90pBbE7KWy9hG7?9xX^AGUm850w%*h`n(9Q@oASn1tz zr`=Q=MpQjkU4qq=EchPub3PjrbTAjW%KA8ze;1A!d>C|9;+W4(B*y!or~#`6Yg7h_ z@(aBnjiu}v!%d}6oobUw=LD;+)HhvzsDD9*qM@K2{eg!gM|Kmdo#RILBMI-&2X7xC z6bmc03}Jn&C9dQ*L?{h1A_7Fw0<$%1ay*M@x(&35p#}~2u`I-YQAJ%3`r957VP<%&1`O0S9+6{@= z-)63SYS}hXWs)|cgQHPlf8{vAcxk|y>=hLdwVy{fQK+?O*3mKsAM+<7X0KS4uiJMx zmyU#Qt{$DjxIuKJL2Pt?W>&oTi|{WEsK{Qwq$g+OYT;4rRuvR#icFDGrk#$v=uMzD zFs~p{7fA$h)$?TFq$aG8{q;6)>g!Ojq(K>g;%fbS2R|hNja0boBaLOd79w{t=-(Z)5PKr&Jb_mUIhKZB;r7Xee#%|?g!JNZL(mT0==4)bczXP-4 
z5o~QZMMptG863%e(D#JrO5JfJ$PGz~w@ZUaSU-(Who*2x%(|R;%4xGaCh>$jlOKP% z-UV4lzsHeCku{?>zT3m0eMnlZYeeD7^(W5Qe6gbqbVY~UzL(97x3thnr1b;|Y#xC0 z9=BP-g{^L$2eNQD%uS0x>*}k3B;(fCbnt(0X9MVY%%mqYE!><%nfi(oXtmo#Z9GPD z1j0bOie1k5o5{2aHj*msXlo^>`Nz0Q_%dATeQkosirC_`$S);vG_&W8;y9z^7>i>i zhULrZG!5y~xh@E|lYd{B-qrF$*yzS4fy^l<{;Q#>)X^*UtCL?SoVm>cw*(6i8&(#I zIBXM~S0tlRROvHOc1g4A>X1`^qhZzz=XJ_`o$s$ID4`zSw{^6IPK++vJR#=6?E zGAPT0jHf+xbm6Y3OhFi8i6v&g+}H(ty#Fs z3Nm?Cspx~oFQg7>3w#w!3Kf3Nct!0Z7GJ0w-lBl>2kWOczak%$>fr7+` z;Dtk#8XT}e{bz_+?j%e2WA>^4eKe?k#lx;g04o4!_P9en&&*!6D?7VwEzR3!Mab?lQ<(ewUg73n{hFk@C5)KEXRsGMuD zfDF}#4L7YZ|9|5Iy!?3(pGltzuznDC#oXG1SD!+wNA)1Vy}PITUvhCCe!d64vAm)B z&XETRF+Jga9OHG{6?um)4K_3a359Ij^E*92>5m_4qy} zotvdW1|ZDSPcigMU;5#~xH@0mv81au=p7M`eWtpzMAw*N>%E#R)lrR~^kZ(b=NEn! zJMi#wa?(?rsQrxSd74PuZKA3%@K41XC`_El^Xx1++kKymCp*^rzF-Oq4s5tOUoBAS ze0`nWWx3c|z1@Dp0&F_EKIaf{+K#^>jFkRtaCp8ycXhvts@7>uz7qzzKPUA5ex`HW zk!-dRqcfwX1>LkkU1>j~5+3`W%qFgNd)ujTXxyeRS2rP=6PD<{etjAFM4#1OJZknB zlcc~7jfp<$MpXw&Q|I?rJ~pp&9m>((PJ!0Z>CSh^=~c;GZ%jZwv1`CE2e9lW`@EowgdyDf~YVYP1wLn+< zba@t6_}8`G(>?Y5LY;iWO#79VNJoCnEv98vT^c&8+tAi=5T$b;Lb>r?r`*S3A!D`A zXKG$^)C;3?spA93m6lm#GlyB;qe30{q(9$!;$1N|9y0&bxBQ zX^pp7%r34~w|e51+qCoU3{F7s@UqYKu;ca`4*f0$L2wNaXJy%A>!z3WGmUu@UjsZo>j%|I$je z!PZd7{>5ltO@oMP2+KUnp{Gy16KCh#Ruk&VK@Arj7VOE}DzOXnabPO_w#mtUao?|% z$7lb=Q?yqhS89fPYIo3r3;!_FFAmz7|62dkG%Vd;v4lurx01T$-=MuCE@DiACF+;s z(HI6%vQML0udIkH7t@f!%!(jE;2Vc45B3grkS0Zb zPHgyc5H}httb*=4SXl2b%vyRtB|{n9wCh7kk?Zf9gcR)d888}9W#}V_)P`AC7+b5> zTU0F#C+vsg#SbD+$UlZCiazL z7UQAN!H&ctGME`O7`)uKSC%DAO*My_U-QI83$o26q z>ehotH6^F>-ek}NL~@P^d;Y4iR*SPG79MKBP=S)ZMOta-tBs)tCh?TZv}0UJ6k$F} z=Vq}5-<$>O_5uWd|J(HWP107CWRM2cMG!UY(x2R@s2w#>6j!yAhLanJB_8pSMu2&T z#c}HLhh`Ih?#2zN#77$bJ%9;Ih*VvE;HNKcF}kP~T<(x?tV)39&p>QP7O8Tl;R|K$ zLXAv)s5V;Rmx1grDHO4WJP({syq(RM6BwPd13=!#?YNCRRsT8hM_Ny`Ft~>RU!;)pxd(Te= zYWXI4+Iy=Iig>L|n4po(?FknTMN>X92)gs33iCKw72d;Bt}e7g(XB%kJF*PT{fD0S zw2NHq@Zh}t?ZD!_tKU6`hG*xGzR^1Z1FO3sGFqcaTDB_JjxCw!oiN7ax)CF@>or 
zcurA@^`$0lIleOvNRr}6T8Rvy>8Slxr2m%>JT;6tz-xGp1&=t?b+^0|KahcA-Ay|* zz>>qn(_l?)KF*!^jN++qx4dm~i!`*F-vjhVe!?eDJHPaHPF+yrEsCHPHH27qh+@>w zDnI%1RYf+7T9YivcBWbA!i+Gk&!lYCTvPhQxFDVG2wah=+fmcR6N4W`&8JAzDE|^D zOC^fSrNrW8`!dDa5~&w7PUBUo(i`LTS4JfUO$X0h9^&-Il4`|>XdbDm7LWhs z${4Noz{2U^?a}r_4>=1a1$xdmdf`dK*`qlRB^r*Jvp8kTsRg&FV^O!v;WeCX+HY1v zcA>zC^rIQjYc7qEsMC&zLdS~TyB8!1YHuLZbj8x4P;U=D82`qZXOX4S;)hQl(#lJS-6RDAgeAzXy22cMs#E@F6?( zO+attlk_dY*XvmOBz?{OeiUVw$SZ>*L2%&SZs8d$!)KExq^L%ZVo{ z&u8&*^~bEFE!lCCZpTYs;&iLA(VO#!k4yDxv~_FleV?n(>rV4iyVv?uSvQaH+ZKPi z7vR~*l_E;B3WNaGxw^5m5pO2=V19vZSlU|39SyJQdaISa25pu&X~%qH^kC7xS}@C+ zk&;$VYP0u0wDta*RJ*g@!coq1y_m_NbKBsp_qHY$ym4CH@HoE-)4b8Pj}TqmAa8$4 zyYf0N;By9XJyrV7?f4)hZ^L5?l+MzAEP&E;e}54{<+};lPj-yrzRa?I{-M@wyCf@Z zt=0WeGP<i z06sRYN78kRY_)ut09RSd^pBmp6;KuGph8gnE4sKg{N?)s56`9=mk(I|S+_80P5(Lb z7wj)ya77>@HtaCh3cYRrun8)_>V3w+wL(Y0=~JWay%R*1jVmzzDsNkVIK6ak(;Dis zQQqC^C2)Hd4nA+mVQT&H-C~?qC);z2a$K+*a1#0+Tb#vt{mV$#k>{$A6*ws!En<3T zM_6doS=0o^_juV>gu=r`vq$Ew(YgW-GSBRgugtOg{uD?7yN&(lQ0Dv!?$HAWY{={CzrvnWlYzZMP0zoH|$?XT$$b=VgxYod4~luX-J|(tEjLUhe%e_fKUYlls>EiQEWCJeS6?@3Pcw z@G>ZxzxKaCXtX5&ndu%Fo0&fxj3I-{=ymu8CgIXW!N}@OaB+lxKSl?Fy)ZxE^cF(i z`++qBkK5eRdjh{pXRFghv1Rtsb{hQ1?g#D+>8wy*SQ%Fn2yNthD9 z*iU17{zfnn5A@w1a9buK53f*xIFI*&>hb%*RT@(oVZ79rp@dF1UTy60I~#uN)k|SQ zBq@u`y=sL)ZP9N_>JG-j535sa1N}tqlUs(}2;@?e6ggpv-8)M~3ds{0i1ENXcY|?T z!Tsj2l6!df09QTLpMx+Hen1EEIL5P%^-lkbsMZ);`)ULD)r*?w* ziz7+Hi{rILu?3TM%;rVJ7{NW&UuGf{k$1jM@qYnRAOXUPt0rnRc~iEjD5s`{2bga% zPySJBRj1~xt4IDRH+4aDDB^`t{Fw{LNVsuwRV5M3g1u}FeBUIbPV*Qd;VqOW_hSg} zoLDMT446e=(d$<$6bmH<`cdAc3K6s%MC6aHC~zfUau%!Le^Y*%T;L{-S>qKor`aq6 zPJ1;fmR~H`O>SEo@&XE?2UDYTD^;nhWex}M)@$_}U=GF+LU4KIo9BOX82NHJzA;Q* znGTuzi6S`H1@1xk-90`jJdU}QZ&4rR+YCF15)s8xbi?k9dT@{Cjc{g0U}TKa;;8*b zFy@bCfVF1FWS5;`_HJgBE)f+PD@giEXSy-As_ND^z=a}6UYCCWWs8*S%Ha&1^$(wipztRAwEw zGq$Z#P%2!J6`IialW5g56luyFnT9B2q2kU(8UMs6Izi(|5{;65{cFtgpw9+T?#`&# z-=K?j#G=}p7n3{Lkf@Ro+}JSm!b|0@9WPAEv~JU682AMvCSQx0)jmuJyN-uT)a)(K zBHg8o`{xR|Bhv*iN&ze2m^^JTk( 
z2mo#2vp*_nP?EvIq@F&eL6&hWpN)>%hu`+(HxdMEXvxmeyvqUnKutPhzD7?yrngn9 zkgF)rISgv&d-bw&m`yXc?7AdpR=>Sr-I7fc51GjdaS>HcGC~Q#^-s#={eZeH6_zIT z-$>Ec5ygm^crdxN3e+@#Y@-F%gd%j2Nb8gtev8nX@(-V13-qk9b)j22SxcEC+Z9fc zuH_V$)FFA25vx`}rzB+mJ0V}BRktpsmBUQ>qg}*kEN03jP*fnq@zf$8T_|IqFb4sp z=|v86^zaM4zyo|C%>iM{uPRd-E7ILM8!|I3oz+@tPQBT^w&4|tMc+d@+!4OvTGmCM zQi!#kZx0aF702m1EYmX3p;b+{52BI@rXJu4jp>NT|2rmLvVHf!)33+MFQ{+PAb*jA ziPvpx<{V;rAl!-g_{MuIcw(+f!{g_(5y){2dyMKU#4e6({x^vH2eli@88PC!QSR&u z0dP9t8&WX;7U&qL_i~8NDW}imtN-UCd*(iVVYZs?Wqc6Z>v{`#yx}SpLI-U0-vf0r zb~FQXdwHk?o_-a<0404SLu1Ym~Ou^i$jZAG4@ee0xW%zdT-2 zFq4g3S|!~9rd9QXK zv#}T~s~|uQckOyU&ySw!sowlRp1qW3z|Do~wf`2^pUoR>S&xg9>g^ZN<7q&rb^hcy z2i+sO+oxw~CzQMqG)?U0Tx|yI230Ea^A-cF)!gf)ee8QG7M}s9H_SEf)u4b4uhmKQ zE%(>71=QL2s%~J@{8Psjr8O|zH2afBmF}+B@BU2sXz@h3sBWI-VsY6C>NaQ0)IO@L zcl|ho0K@nZ3(KSJfgn6)P;<@j&CiLgkCyoW?Ye`N%Wr(s#Htxt*VgKl!1>|cYY*Zz z)TX0@L;1RFlPgeZN2`j~Zo+6}U*Ei3s^eeaEB3%@{(gWoQH5%hj#!H0Hsbf1&BpsO zRBO8#sO8MJU~7iA^JXHx*Iq(YT^lmzkMXM(tL_iuclqmaOKa@v_j`fux=ZfHO8L#Z zbGXc#r|MsXj5y5A*>`)uy~gcsz&d{2^;Bl__OxDw_s2u|w3|Vq3~he<$5*|5QDfP8EC&m4Jl% z31}sYS^=I~cCsI3zk|Be_25CeJjEO97WpE5h^7L76^q?^0gc<)PJaM5SRe!pwtYPY zPl1I5js)ff{f-1_4+|ijm9a`kN&2(2(2ljK5nW> zQ%>RBB;^h<@81HTvv6!R*-Xg%rwZlmPZU- zBcpdj(qUOVt~+S;s}XH0iJkhJzyW^f@q#dWrXT-HE?#-EG=jEcyMj(SNTl;0q{BJ_ zM(4j{CoY8|V1C9Dd~vc8_=d%V3&wdk++s>adQh&A?L%l@)>a6({Ve!xC7Odw67*b( zIY{@$zlH3Lz58zv^P_74twI;+BCxlM#dGP(*j9nIoPY{PZ?Vo zJ$9dkOcT3koE3{5kC=)`%nA|(Lky|&42AN)t=v9A60ev*=*-a&x&KAgH-1MN|4U9h z6DJc*IGNZsI<{@wwkCEawr$%J+qN~alTP>M?%n&_-8c0I^f`U%sc+S%s?WXiM~#N~ zorUpW%$@+%5H2he-JH~;fLxykcmm8k*l$*}@hxa zQnG$S=ADG6jmOjYN<(&Eq*W58!FWDG9ACwC_N^4ETy#eMx8eKV!|(ZYU|3ijk&R7a z)$~miG6nb+ClG<3H#AL-2`6tgPhkX#CN3HV$zJRL#8{qc1r$j2q1m%s*nzuVdi~p$ zaI4*J!;CcXTZ2HeW8ST~B;*S+dXY?%eoLZ)$RM#AF47=B(G3?aL^t7IcW;6T%Djb- z+@-M~cs5Db0<#nao`U7twuZ0KhII6m%Px&5DF|5qk}u9~>uQpRBeIZ-)4vVfup!0o3VGn*1PpEAp|u|md1 zDd1$e^Ac(Jh2UrO#Z{7XfIZ!97lP9$PnNVc*)}?2T+a=krhF#;JrR`mr2TgN*E;tr 
zvBR;>Z4irys5zGYdkk19hlc)4=|28rR~p@H3(>d%%a(+S78YGYU@pc+;roSEDLisi z!7P)tP{-0rmK`t7)2>{INEok`bcYoNRqNUOu!qRuKQpZ>G-k$%4MQWPCko-BY-=}> zzZlXz_K!SH4QOa;ItcfkQ78&NoVVHdDHy!gfr%nJIF47S z_sZFN^v38Bn<6D;0XA4T6gKbqTf`GwIW(}oEx#x7`p?x`wVHo_?$nFrmt|V~YqoVc z%s=RnIo47QCp6qj`eTvI{dl(Ud-O<#e=$i;l^UCm>@$Ip$9dKNCA$CYPC$Lw4<{q> zTRcHw*=%G8y*`}mfN;6eHlf7;<&LEw8(W|@r=hcJ!Gw>%=MHtA3(Y?#pvYGc&*Wb{ z1udO4SuLV02D6Ni;7O7x(LpGnZfsoIgQ;2Co=MFNqt7oi#^}jFos!_zk_nsl>l28p zBw5Ui=@43#sZnEu{Es0xrxJytNY$>OVi+A-g)>%y&IPzK9U=(H)N115S@WCW2URhx z94YNfW(<`5gsUPrDjoz$rlemXX7Xo_q<_mHExsof$u?(rw2DC~=m(P3_De#c{opav z8?sp{CG!X`YAOlGR5%!zR#O3ca z_QX=8?k|(l!enN|>}vr+p`>4GSq~2qDa;nS48k?`DA0n{1qNK@P~l^ybs8D;Gz%e( zwkP64#MUWf-{e9*ge2ujjcZAhHKXSDI7Rwen6Q%E)Ci&lB(rbxe-LH-2j1j=M9Izc z2EPJ0x&Axab^?Y@9@_?kfJ6x*sL*0eZ^{qg{Coyu5Q^w8R*28`@hLEueLp@pel8=G z7YMSRoa3l|NIda>7`-i>YTv5Y-_-53X%vq0dF?Up>He(Ux9gh$IFI$)+rN}NbSKvm z>bXuhQfw;SfZOJ8&22~c+oi8I-hpDe_AZCNt4nhM51T=LU7lX8iPzbpwapt(@8C3C zkju8KxZiu3?koU&ezlU@HQQz|&^-PA@hYwb-9`9<_&(LqyL+#Z*{gg)AGJV z^2!D$O_ZB+;)BH1;?z<1X58B4vReLb52)C2TaAhco5jA~{=iH1wP(!q_ah4RxSnl& z18mq<`ua_0-DTc)ap-xPUf5@6rR)vrZOGBT*!q_%_r4AmhF$#z>3BW%0WR+zfO8Wx zdaf7Q-q&m=OQ{P0LOZ<<;NQ=``jPtT!<8|(_!ZE(bK31VwrQH*joflxno6`~9Wy-L zsZ-}~z0>KQdsXWH7{lSm>;Ac&$#*Itx&e-SpXoS1`X0x3xUD&Y^`w7uN;84-QdB<| zF;2)}^D!NFy~FYbds4;KaoKD2h^ttShJquWAE?>>CijFc9Qs=_QT=3ETG6q+I9^yqwsH@5;c|p ze4Y-4cgh%m<{$o8LtqA7Fj06`Ir#N6)|LQPc15CoPM!b@Vr~T{wP8_p+*;oII|zUV z-|UBK^+57S$s0nX7tBcusZHRxX-~GI& zArvd5z8{psFR$5^F7+EpU64R6lqnZB3BVl)X@=txp0#9W!Q+_e2pX1gXGCXmo0Pn} zg}EQByU4JM6mS2FjL>|HCnYo28vk4?o-GOu(paz?nQF)o70#20ZmPg&lk58hPhKq6 z6~fV}NtcIbIR*dedtwxn{fQfKu=pc7|BqW!d6pS>pIn7E1wtghJv|k}5jBOxR%-_5 z@1nA=63u7vLjuN-mewC}tzrd5vz)H_Z|yj^eUfM?!=bf^i#U`dRR=;QEyt0bWwW$6 zdU2JhuE^*YPc9YENb{H&oUF>K9rHs}j58ip(P0VtK}e8pZ~~%}mijdy@!362aYv73 z1l!gL(j+YlH$_%DE@Mlf1W#%SYBsu^D-F5`I=ks7j{r!(O=Fz;f4qc~ZrEm1B}AH-@rq2*O}p=XM-G{Uu(9H0fmRwx#A z%ME#SsBD{dBTm9vtA{o0t+i@B+8akFV$L%S;5R>AR`A=UT}VUM3lnZOqxxb} 
zR;A<-)E|Q9sErAe>bzj_+6vK?oNDlE5eN=+yacA5ceMl;*Kmkz1LZeG$m5G4ht**r3db)q z)8b+z3#D+$MzvG1l|E_thla`5Q6vBh8sFuLl2#MQ!YdijIveFJPt7+Wvxsw)f%KgO=pj*UA2iw#cGFZHf*+DmQ6~@1ag;9 zII-rV)HNEH<1;6mzAd~%wv8y9S*LJW%4qBg59YWk)kVEuwAW6k|IwG zGwCM{M_yI6T2QJslykM`ytkj|mzW9jRk35HJ)8S3jRt4*RYSRa3)S`SX@gQD@-YEh zqH5(4E@13g(q-PllK%A2LR{{zB}B-9P&=2UWD5Nv%YGim^cT_I6szwt(^;DDrR`ZX zmUdWpu1N&}h}@Kf=8)0qf@CbC>dyZx{wWnoB!-Tmek0+>#Kiq#T8PPNRtCWi4fP#) zz^uPQ&|K75=2%Lmx1#g&Q3I2yy|Iq$aPlKMZzfU0x5ARJIWE>c}y;%DhisqIg`7 zLq*}?J8zEM&uY89N?$~C9_j))sueMQyt@o#VJ6 z*_i^~s#n*olyE${y=aD==XyWcx4!Rwd}p^%UFq~bV?oh6iE+<)J*tn%)bBkw<&xig z?xQ-L+Tpu7Hi$@8e>t+IXqEGH%jURhKeAiXgyp~R0v#0!8&wkNfo8>?4*YwsuEw>u z_}tg8r!R81PX;+%cZXND-GF|ochRb~uN!jO`5WC=YiHTLt?#g0MUjU3l(=E;p5n(V#z-{9H+ZBFV}Z)|?? zy=O7ieckezjnl}0=}WIGICnzgO?BWqf_9bDefPzR0+89}(x^)B z^`U4L#|CJ6rmBQPzT$V>X2{VqegFA&NB8&`kDk}2^|6)nsusYtR|9nrB>xk+tY+)w zXhOa`HHF^q;mJHM*CzQN-i_cnTDt~vOI39wW#HJ zj>qpg;S9>{;_p^X_hBgy!vhE`4$=o6gNw{B0KF+Mzd#GN0blQ8GQmL+Ih^;7aA*^6 zhxhL@=1=~We)qtUkRoP4e2^8tMY*azfmEoSNzh>fCDRr0gBEFwV)YxKEt&E}V< zEjhJZ`+iwMGv(UZA)aWDj9lqulF<_E7IRrhq~_l>Dh(SkOZKl4zrzp7XCN|m>5GL_MSGUYsnrN~(9IEY(xvEdEl?pYtp0+3Hj=LtHmlEHnnn0V+r&C0@EEH#*6fomhiRoSVOvm-S+}4E zlSWxc3YSo=GJdlrRFK_3|nF_l{(_Ew&rI?!xp?sW>RqBlZ_yox60ye z@hdQJ+2~J4=uuTJbd|}q1k1Umatg%LN5$xeYe3(hTL+D zCn&DIGZ~Q+heZ78IX-V-l`v!e*C;Ks9nb7)KO*@@VM&2ZRI&$m)nbtqxw4Q1q&bY{ zeCSsViFbB+b%gUT5)&VcQN@3kiOjRqw>Zg(&pHHAiS% z9#gPE;*y5exKMBTl*kL=T7E$`q4uH2bZZ=*I9R7*E%9Ia~4!0E+G0& zE7ZR9zCpw-ykq^Kd{7y_oRj=Fw_3ac_fD}_Xw@NH?AYR*8TE!xaCv5^7?OLR{E%Ds zTt+sSWrDYH@_zta{As;6XuQq*176pX@m~UZbqz~dK=&YFLFnYr1;#)hWUwG;%0GOl z&z}-nSRz{B55qY?Jqt98YkvJP=S%b<_d>(%X7jLYM5 zl0Bwx?}hDuwKzu9QmKXA-T5zfyL(r{H1|V(^>84?bGpzTWI6F9XHVBUaTJzCq<1%p z`R2GyzHWsLoO)f3uxG#VboTGMWzc`Sod97CVWtP2fFQRHZ^IZMKifwA9^+F_KB(LG z9+7axy#l@LJf_=Aw;kSxrS%%#BY9MjVRJT$Fm_%t+QD3{1WhCD8<&1pl@~-W$!{}m z*SsLzr_>38j-91U0^l4Ikja{t=Vi8JDjaOeRpW)1@;3dmo69UUQMPBnIq)uF3PCy>oQUhNgJlN}){T8(Yf|f? 
zrvsk?N6N2?@eXLJ-Ek)+06L(A>k5i1M^N)g&22xKz00v}%a}c(Z{WsL=+sWfWj?YC zXybx6xcg&OKRA15(?I-eJt%JNq?88tIqQBh!kX@XlPnlz2HbxmzXG0o1FxX#5Bd+I zDj8ti{~b$4;Q}a*=lXLRNlVf7UKNE-hzEJlcAd+m*3qCE3x$+rzFBwRVvTO5jlKPe zbhxBk2pU1e7%kd@>{IehVyA{?mQ4OpfQmC0V2#;H!fhulRxU>=`-^NjI#%;KGTAGR z%A|UI@<>PAmL4Iw(l+4WoIXui>QPT4J0M*t5sN0sjR`M6E~YQr3cK2cXO=WgpgC}K zq*=zCdyEB1fnI$==ktm3Ty^Rt;okrJ7+S4PK-@Ve-b#JKMa{IyE-ZA&2G*t$eLD;z z=8v=%jU2w3MbRqj;_lu4;4$p!r131hWUN?&aF#KihqN2qN1g3ac~)?x;Oac46K8tg z5g`C;twAouBYZb3IW+nOs$JzP=1+85?tx~rmWu;&vDEL=3ExB;+ATSj26)5p3kkzQ z6#GwqxQJg_N!71V+*TQs@3kGOU>JP4$oAl^zJ<(0rK_HslzZgYNbOSOkadbbnSaF4 zo@#RyzI6M>4={ChTA^DOHl5uUn1*REE#(jHHp0%=Y5MooNT2A>87~ zX~qOc_nJi#syV+vVY1(|F?>}=>N4^REPJCB6@!3d$&QPb&hI7djHlwyPdn@v`G;E2 z_mVqN-(~-vF;FAr#1!CTL_6s%S5Pa~rgnUfclKl|4}R@0BiV1E@+1>WQcBa{nw6Ot z_=oTUSQXPn3X-9t*U;}4EO8CuV`lYAq+DZCn7<WCRiDhK^FB2cE^Q)FhpUU@7!{#?1d@vhcLF9UyR#;IzI|>V(kF zl>SRsKPikg8(gz--v0?xtWmDUS;`)u36W_kD$VrIumU09T}Cg;lskew<)lT$7+BHaJVk-B=45W@QxI3}+$@czGCXW_N&IE56hpuR z5wWBxJvkRtfi8asMRD@(Q<5StFTobzq&Z4hx}a!^i1G28zue{iao7I@9Bky44^n;| z^mmdGyPDyx6==D>nGYm)kQ&c^b>3i356BA`q$ZAjSP5ga@?c-B6O6zJYMI^<}o{prI|(x^YAsLLGnUKf#U@k*1=(A z=8#CyMs|qHa21W_mGG7V=8-up-fbI!yn9FSvXOVa}{o(roW$L128bdC>HU# zk(mXRkA-?ZvvG!FhG8t~;`y>{kxNp|1{Ff(yD{T_wA6f><0-C#mQHVzkL|}=H_6B$a&aouLn?cKA4sdl z7FMg*Wn5rfW0!6Up}#I*syIu4^DJIvgB+~6J*wy4<@rcZ{kbj^6*cfOkz_QTFim?l z`5yqLLPsi}8l3?e?|VNLMiUr#*=Aqeh4X?Ek&h9r$au>Igwq8A;q)Bllu40|^_##O zmo&8AYcahWhIHPdmP>rSEZ5g~piAI+{>s(!!f>vaFRrUVAD-4at~+!n_znkI;&;w9+-KoXdT`rE>K&`v9KCla zs|Yijpz`Sw^O@d>Exj#^X{0+xah>`x+@lA(8#M1pu5$k8dbphTi04i?zbD{2cDCF6 z`@NegJD{ijA>I1QLGZH$lPopoaoLnZ-~BN&>?3?8*PoL0`UxRT8+O$?%$LG_I@28A z@kDI)<0R`=?Bqs&^QO;je8Mu!_o?W82Jm>uwWGSNf0q!~s|0@Cb3_5{`T2M+Y~H9G zt!?B?Ji2cfObN$Y|I_G|<78ObxtLXr^LOk{F6YkOz$gQ^RBmg(AEfvLr>>VR7Gs`~ z{oNnEqm$`7{0gf>Qf<7#3TM(g&)!!i72S2k{2Y7_-?BOQ-&d2}g_pZOFSd_s{obQD zhf$j1{0%T|A{J8DZnAlD0jC=rHVwy~?z{k9u3mi?=(^XMFtEW%Oe$JiRG;S~HlZop z4%fdVBGAqAwz7@X%WW9D(_ik|oTtXdYpsj5lTRZZ{;D*Hsi_|!^Rj+^+M9ll-f^&I 
z0cvOM`ClT3rzRJWf~U7@EhwQ=@XYka_5y=Rz~Isge||o&`7*dS=TqtmOB|p-#oQC=+&!EH z{@!Ha5d_}9%in>czy|0f`$n4Cp3YcH{)3{oxo?3?40SNXvAWA?mYgsSRKucgBM46c_{HcePs26Yf?C0~nN1eN(K#{c@WjtFHhvP+=ctZ~3{W>`MX~6jn|6kx zjS0kKhRMM=b62JdFq8@lbo0$hp;@iPl%a4^DKhTwB?K{Rg8G<0T_9yX{Y3^et@RnZd0_IJ{d3@ zisXyS=E51;pP_~BB&wNL)rD0tHCJTEzM<*FT&&WyN*@=wg=Q(9!%rH(&k!ogcSaT* zSwxOiQ}#hiB;m>btwM|^x2YtZeL?J8Gk?RZTruLwRI1VxL!pGXS*t0a3~(>sqXTZW zQ6*|34#E4CZWKn#VPsZ@wB<*Viiu!2vEa#u*F2wP&z&MlLcgcllr)ge4(FE1`gJ!* zCgvMU6-!g;cRw4IVau|UJ*2rA)V7&}6m5a<(Wqj5ctRpL@RH=lydMU*j7DAWKm6f1D_;2MOd}`f?|7hI=(QIEo+mmP>45$dDLT zFd|>fUC9wxH_Uk02q=Fj0gFK5XwI{LffOITj{r%tw;!NH+uNg%XRr4vHT%B5Ufrf0 znu1v={b`XC71`D-BBk~jiLtZV3brg2=;6?XHJeZw`6|-PzO<@!B+l#c-!je(_3*uB zXHCQ|TmG(ywq%mjsjSFtXb|JywMh%mj!)Qb(>esC+Y7rO{Ht3t%#r!sM&H+BYhA5_ z%yD3$lMx-JqgUvwf)%M%8sPy%l@UoG6w>9rmd7y&V2xoNS=tbc9oNDbu+}O}{KaF4 zdD$Wzx`j=?CfAOBxYu%NZH8OkW-yfI<>cQt?^cb%>WuoY^G6h8qp1S4b9+~1v$AZR z$mn;5N>8DVwJ*j&MDK*t>ZI8z9*C!17_cMw zH!*%c8e|CN%jatElRZe79vPG#b5#u!wU|5@eh&70%o-j>|<9x%7rxyhoJ z=5GF+19z-(bI(i|mb;+kTyJUv&b0c^BH-zd8=NEKk1D zeov>E_H~>%>3!6=+}rSP8N2I;q1a!kMwhGY>1x^(wda2ycMH?&8P`wAbwAJrfMefn zpN4v~ocA^74b#dr=P?<8Z%>8xzAD|fr@6Jx^K{tR&D-Odx(j;j=zfm#xCVNsWukYopY`;508+hwqcc%X1{Ig%%Il&5`4tOgMxY-Qj*?zoWmIo#sY(@@lP zE?kL&z2XArAkBcz$}@Gmslb&Z(m+e`cAD#+zaf=1FJEtjUUnaQ`Dt^!C!J7`9w_`w zx9Z+|4(MjMK<4tg%k2;TZtowC9Kh3J@lV6LTHRhzp8lWjVeIz#j(+zY$777?v-ZdA z_vsM-kJTA^U84vV{|!Hrh~!z->&lf+p^ByBdLeushqc#wy=hu#3gYec-EY3wyidgQ zi~2a+rWig}{#y$GUbYX*>jV3H-m{+PhETY9cIt%)Ht(vxv#&Q?;(Jd@Z3RIRa;23(j-$>DB0(fa#VCA zZE?}GcQCY+F=Q)VCdLc;t*O*)IN-4E2M~csT>7Oh+AKC_AtIFPY$dl)`5bD?IX1Rj zWO$fm_N`jRsg0e08!9xklYhLxw`u8WLMaq_UMN7;$|53bo~lWo)?~w_U2y5FNjh0d zIb`3tZD+awmJ3TVU;W>Zki^1521Vcxr!Q;H z$$T>^%y5jf7H4TE8mTg>(TbOoCgpG#*&xGWzM_V@0c_e$CU;$?`a0OzE};>nI7PQ{ z)jfKl#JhwQC6kyEJGN~zTXLyV{vlicEN+WMgs@2fC4B7M!Qe)*_CE)ruhFt6>uG#v zF0MfoD;e~(EMh#3VdJCAAM%Tg=(i*Jd7pPW+=jSkm>FLaV8)mZ!zD;jJ z?uV-4B7D}Z$$V1h8wSF9w7Su#3F-5&=U-7Ay0mCz-+uYhfLO^?1A1ktJIqv=c4DOm 
z3*n)j$sa~m{Xh209vG-nmQ9LTF95kOGeR?{*xF#trlVv34{@!eSAfv=Bn*-g0s*!` z!=OQ5nP0>*ZerO993%UWKXasWd43yI>j%73e_EoGxV9y9Iu+?fi*W{JCMs09Z#5t` zWhyNh)n@3_HDI#J0t1^QgEM~`Gz*yv;AXjOVpJ3r3pLa7=oM=pe()w9&i$%=TQfxd z>CL{vJe6|oxt0`21Xw4GWSG2$&8$~5TKkw0Uh73-^-fdPQ!q6`*1>y4e z3q(m7^(}!`z7`k$7&aMS0?Te5da7;6=z`Uq~)%8+c?F?j);`W-;h^%@OQ9gA8+m%0HLA?d->wBF%51Mr(1+%4Bh;R+|TQa zd!kmzi1b;@sY(M`nI4Y1mX+0F@bE&0N_kK)JI=m?Vtj^YTu8w;gVtHX_3|`m?js@L zdA^#dV=I?MGOIMUM$Jmo^H`ZSgo|E_HgAoB|b0P)R_otgCzsnC17P zvONL(`-m_|7Vg z;@s^wluvPnoPOM(CeFcU1Z_-L%xqZ(zZxt>))v?atJm*Urf#|FNoZl6!$q)ESjT@A zXUGs2L_o}!?wX@{^8Y}LJme6S57R>~EA&(j*q7ke61?_k^>Y1b@ct%-9Fo8n<(~l( z0e665T8Kb6F$F~81)OMqLGbI;(&Rh93q0eUMNI&_TdQSI1ir2hcXxYoOad;}q#2-U zeJn~TO6+TZd)jfo{oCJ*&EMp&8qf9s{8@*C{TTpllI88(&VjYcuDl+yEcd&;lPuSD zVR?X)q47y)iudu@zvM~+neCR3+!U_;IUe`6`|A@s_uIx8>>;*!>76!iA26~F?p7yu z)^qnsPGPK%%^3C*5qNKlu0|Kc5C`@+i;3>eDAjGe7*@{)k9)ol?1z?;na|X>WN&x^ zhbLxuZ$F}z0S*@<^lQ)6m2v!#U5PJC)tx&XkKQrnC~v#P>WkXfI_@`zS|`(uvGfFQ zji%S*dXK3V_vc!JQ@vg=dPmjLSN>0V+U}q!)1B?(S26@5T~8NX!0pO5)5tb>kBaBY z=j@Y+Cvr-SzxHd>;Ys^qMVRSLoJc8>{J$GXebEy88DC3)45{_rTV; z9B|t0`ljx*_IEgh%S5jXLf$ud-cGX z9lX%f>B3Gb7k9ZbAE)mt?XFwYHFGqVSc>2FezpU6{;9kTu1(GE+SCdHg3L>Dwe3e# zN3@mIZMruG-fMjCpFuY(n{S6fUPp(;L@x&i_fPVd^~cF!fZlVhI6Y~4*Oj&8RDQkp z-J=~ZaB(H|NP8!;JZ5Y*p*g9v2GRBnXnSSa|0((~RQH$=d>)0(;0t6iw)3mI?0Dti z&>7J^%fO2T%U)(*Z+GfBoZazkeq`_YYEv-)KgMF7y6Lp_Pd~tMKydC;uKWx*{SjPC z(Gw1quvI?j^#rlphtlOCMxfQtTmy2sz$4(}S9!Z%Wc!l`c@zb$qxb#~qPIkq=`Rk= zGf2M7w)qE^-x)<4IZ@x27@tfs3`?S`W`HJGutC46zd9Tir3qDMuq4NCgdw~cRAD6` zk1!fH>?qz*LM%f1n!T5Ix_0nNku-_W$aJWG{jNtv0}xf+6)rij*nQ_aaCFN1bcJ7I-f!vcA~ zf}^Fx6SH2=ZV=X=38Y!O(Z?{Ieai;@pF)jnji&aj(KhRMFx@Pavo6%721ABD+-2Tr zv`M&_EBF|2n#ho)0<}2BJy~Fr;1Z4$X*WPp6a4S;AtBoegDpkb;3OY~R!ZqQjVcKq zLh^pm?B%cB+({JuE;@;r1xteMA z=O*nHDjp=7<<}*vnwlLs8`)s278!SxXjJ1D3aHNJ3?%016`cim5W~6>SK7W9kf(>7ONAwD+x~an7U&C*mno^*2_RO^A|C z=4;v~{XwUs$)f3ig=;Affbl7+np3uvadcRrmKM}IIznbJMxrKTtKcgSGKJh?G3}bY z_ilhOM&m-Q#8tJ+J1F=U8jw=a`Z3=oCH#U>vp||!Ix1M;pWZ0yAQ(w-^r?U059n!T 
z-ex$~{IN{iUrWKX<3OUG88a_kjX_JyvNgk{@qD%fyK$>}cvyu_=6hiT8#y}p z)$ypb;@*NIg)Wj)p|bSCB4M#BwsQKR5l5$e`i(@L{y-;heMNL0 z`m0i*Jc^;>O8-j&!ek`hWI;K9I9;_0NhAW@WwHtL*OJg&B9DVi=SN^na|M>7ocjTy zJR8-(zz;Pu&fhV8@T^oJJvppeD!evnUlgxhnLSs6Ao;Nj6;MyJ(#7NF>Uf{DbXvqy zZvO^9Rhq)!FLs#LBv_a8E1n9UwJAOkprbZ;kPEx8`o2hh#HC^Va5n@U`0oR z{L^3>{dFw*^^5x^!Py^;jPJL!!w_j!tN)@K0(l}bN#zy>d>{zf28{$I(L+rOW%f;_ zBs%zhU?W1LhqvKze#?#!;T(}sl0g*kl|O*%I!o>N$P<{QGdcEMrR15%Y2`{u_x!yd zq#JE)Jo|zhaR7aZyf#^uT|)4aZ0L6aqDDJz?1BqZAx;eOw9Dmq_#%{{iV6$P zKD!8wBDYrevU&nWDHgYbJt7&MtUOL0v7rmZQ>VfrnQn`nSGb6@F?zLIQc-}4(}4}W z`q8W;N(Ht#dQhm##4EBQb((VSnW!le&M*eP+y?bF?OV6bA!Fkc%jX2c|AkwI-}@?F zpV2Ch{}Zi>8(`=L8|?x(1@mxXiDyr4av%0j0i^I~q!}gQ45t9`tHuTnzk|M|`$DqX z*ZZsTTtA@mTVHE03a|fWKguP+wO;)5`qRMWUR;ge;h}A-$MVKo%m7jL{e^Lj4@g_4 zX^2bw(rul9-SajTVc+#W^CAN=aHJJN^se*GqWA&w2{4A_+RW}3+H zoas^jP}z2f%2dl@@#nDJd5n&;f4}P4+-g6moo!`9?l^HZ?;aV*C44oP=Y!PsuLcx@ z?=qanC%Vtz<@xTW&EWWAb5ZCX3m;g-uldYNr%=B1YRiE^D;K#wgBjj(tv%OeS9ox> zuXECP*)TG2Gz=lzzZgFLZcXU9fpSABx@>j9%U2wFw_OddSh8t6urM5tes70c&VI8V zNWP#X0B_HZGhX$*zA25$__i$w0U%M`UF5nvEDc8SF!fG$MXB!gpK`vYMHp|rg3{RjEzNIqeYa0Ml^{5Q`M zU4cWVmchW%{iv6?c+pIR4Iq8bC(-JOh>)j-OWL8G`+o}E8IC!B1FG~jDn@Qnuk=ru zYpnw9$Nu!B>!x_wt!5%ZS)%J#31=f-V;&qpD-N@nZiaT}_=3)KSf3 zAyd*Fu^LwAP=%pPKuYYjSof7PPnG(D#hV&ia_Q1$nG!P-QnSvt>Sr)ofDkbx9EWj9a(50D9X z9Z%14uEFr=M49lN*{hSe(fVo}v+>Jo=-e&Z7Y3|SIc8hOSlYpaBM-k&BeB9nbbilDa=gXh{q3uSN!`i2~NpUx`f; zY9tXq>(2EJBY{Qe8Lo6!Nxm%jjQEsA<8Jnl3hnUnVWR=|5@z{-+>t7ks7Lk9PDSW@ z^S~QLHw;uQA`MEGZlD}yU&^$gR)BkOzU=q9+RFhX+#$TcSrPYc@6bqZemFh5p zn3MV_#3T>_iUW@YnVVXp+|CfUBiSk%&XK0JLuQhcKSG9hl+fzeZl^&?6lL;#a}8Oz zrD=gswc`X$q$craIoBRLF1PH@Z>;PcihZ4$O_My|n?kY5YbX^21iXIoHzDEIS~)5g zc?}g&c4#G8Z{P^5@Q5WychuuAl;|FNT))KqrL`B%X;cT>^Jc3GY6PeL5 zZq=%M^*UC`&QL_bB`fJ%?xD|o9EE8FwH$sdo#}%GB@Vu39Su@nm~40Y^t0j4YY|vm z)`SP)mWUf10j87;eUkyFw_AX={6V=Ny8-_8Ut1Yzt&ac3BdA#^qhCZT7sCr45B?iu zfbjI=mMQm{J%Kx;RX=~_SCy^rpuQm>uTgb`VUJSnPCDXNTD&$3r2T&BT~tYor*8D9 z`AC33La@T+MzNYQf{-QN$@& zRl7uivD2~a&~U6hG(EAoZ3PsDclCk^rP*6(^ 
zJ?`U-rdTUPnVlq)j4{V-A&mgxDkJY$gbHCWg(x-gl1`l5mrxP z&q{AD(4@)u54?c^3R%Cfq`~QY;CHS41(5UM08Q>o?lTc|zaw-|J}Za|81|wL?$7_s zS)t+!^U@pZeS7%(Z_%w5kbdWjXKfGt$4pPg`dOCB(HZ- zOc(2OmX1=>k0L@?@7^P@ezZ;k?NFVIvhRDW`_k9uG}`j{KA7{9pZz+I4!P5!)Eil+ zv-{r5d4~IAZ9lX3W%-3T@^CfDh-8ZJ0 zTb>YT_S6+MjThlv+i?#|gzr8NHKONsp2NUIVz?@P00J3=JwD9p!rh(?S z3Sp>ML&OkGB&45PPMb;SsJm@n^5<;Uf}R%SMR$F?$FtxPlt*~ZZ(9?Qjze`DMFQMfQ_g7*POoF_8inAfl_Nl z+eTfwAOX&j5QYx19(yO9KTe1*I1vA2U9E&2-w}^o>JQY|iwctro*e z8F?`LLcA&Ek)sr?6ZhX><4pyzg_?NleJ<2dJQ8~&%Aaa(Vjn`pM8z3PZn&x}s6wVw zY6N)Efwx~Lhf&#NWLf*OC5>#?En0aEGtTlbf7)h-7Ja9K4`KaEaD&NeGC)i&tca~D z>8B*)4v9mM+&s^!_*${{Tq3evQ~rH3fKHZ@7R=y5PB!}aRgm^%&@CY(ye92(Bq<#v(>HzbA#ZjH7|DOBj$pg*% zn{U%WEQuQYs^EL@IUF3Y^ZqL|Z%!apiZPW*hJ%eicg9Oa@t+c1dl_%vRLXP31$ob{joHBBy$bwc8N_B(xcY$RPX5nS2)mj5>s1F%!_)OoeX2&fI zWD@38pl}m$m51It$QCtdOria%v13ax8!(czf33->d`qM(4`iZ6YG#R%G%HFqX5KMu zP#qDvMGVMT>%qq^&0`#{XcBK0oF+P?k>X?JaqKH;Pit-*S{I;eH|=Qs8t0Wv1N-n7YmhAU+uY@1fZ>2fQud7^y@1 z0hj$rz}){uzUy1d5-F(}=DE+)muV-ee!$*Gn!o9t|Im!)w3f6QBJFANS)eW)Hg+$R&!c zUJ^Uw;-2%hfXVlHH+$rg9y~O%_0yH{B+Fyp_UfVL+BBK?y5nrO30zA#eC2@%UO2E( zJLw#`w!Xw4Xen$We{YeNMZtFQTGw3~KO3A2L?+;VKPy7!cBv}xLDsd~NkCq?{)+Eu zm8rc9Kfc2|$$OTJ!5L%KT;F(pwPv02w%n~-2KMp<63`xPyLx~NOLV)M#FtbcnjN!) z4ZM#wuU9~8Iu8yNn~k6GmprWCf#EbRzUHOkP#thZlFO#q62cL24);e?PL;>S{o66J zv&z;**g0&6PTNWunKGNE<5p;n*AeW_##Q|aYuPv1>7IjvpFWMtm{{JmcSGav$ko30 zimo(GYc4yQ*)q#(9&Mk{smFI$-yj0-mE{wQ(KN(U)snw0*`O?-&9-%d#&w|WmJ5~L zwwNQn)@4A)bI&ow z8o2a6v1pORUF`5;Yw{eKtob?=Bof$v9yn3Im3f=f)24V=L)S7?w8QJ9Np?+qx4+U2e z1RKq1rs8~xK3_mToPHxiLlBSAIRp3l2NF?HfecyIef_+V$&ml^=1qxdooPebie7N^ zgWO&KF7qJ+9UeN#Dk|_)eC32H7*4`4Dtm82nU%s}%?9^wG7$n@@KSOad=q6A_th|( zMUO|3M#v^i?RYXlcEQF|f#`0{tz04@O*hO&Us^o-#Uy^F!i@mYnQLp&uk6uxwF9|! 
zB-~QJH}Q*rBppKDvq|q+a(yhJdc9SJX0kO$o?0`trcFJyCW+HG7XDL`#-gC@---O> zlBX=xB#l8jLWm@ZH=YAC(hxTFv68#nw#_^<&zBw~?oPv|I#X$d|73+#NF!!rr~8Mb z6k>U%UGDy6)HE)dN8~I|jnn5bpKIw#gyMuU36Gi7TjAexihS9BH7Prm!(g6rgNr9} z5aG15@A<_t=VPyMC6VO8RWeafNnv7;B!1x0wGTkOG+HoNxckD>cPvns=M=)DMIUJM z9r;&dtW?Td?)(%bT6scLq7?x_bk=uR4m96c3}FarBy-|#8LY^yQ}cvabM${GaWrZZ zpoeR|PoS8PC~A{g8Y>}u?ND=_rA0OJ?rrn1LAm!S<{Ru3j2Up}M>k6K3)XLmcluz+ zPAy)2MQ3|+UGY6nOI^>r&9SWqQ%~C6>w<{sCP92&N*B_9m=y~da!WGA6N@X2s#5+g zl`Xss+YW{+1y5hnnnKn`r11uhd;7uaj|!e9LLt41bBQl<42RCNAY+gHhqK zAYUNM92A1=(is-JxBBDNfz60T+L&qVyFROE{FylF#`uKJ+|k5=L_8!>+h(yqUXG2& zl$Ug56z4Lv^x>cFv(y3!v1-m!nD`S}xfy<2c((GhHfWVnF0ijyM&~XZ3dfJ{j2(NY5L==SFmPst!_%{q=hR z`DZ%?l32no-V0T0oJy4LX%D?duKXCZIVME_c=sF zPH2pjVoOL4Hg$isBm^+%>mEoTqLg>A&qf#&Ok&O9MyswD(VzY&$?QLwW{o|T-$dhe zCBXuw$KdXWCv$L{;R;PExD!n13qYWt76BoEgnaOTu*3{R!Lc`3k2!6V9f4SwJcoNt zSDm|2Q8ixA>ia1%*B+Ni8^7Fe?QTMm@f`iyhDr9T9GkbhydIx@U21769~0VsuEa3v zxZ&wsj`JA>w8*M8H6QUV+CNoE4%S>e1=`XynGb2_0so({q_^SaMw*Oz+*zAI2M2Nz~}N+Q%ozzAs)Zojz+@@Hg_4NU$?o z%EP4_E;CglC-RN*_*T*k(>GeA}EH%NQoizllGkmHGso4wbN!Nzp^E&j8Z>h;ad zrK)WT=keHpBwZG8_k3iasDHh{w*vhA1Sz2cwh%8`Ig5P;>!DRg5di$ zKkRvJFa2>|h2(2rVmrlo?Pm&Z9Pj}+#28io9YB^22 zrm}8rYWX(fn)d`*?6L)9xP!1AlXVRQT_JAfbV=f~R9x;JU~fWY!RmZ;P3)|iwOJM& z?Y)%;K3|<}KlA979aOvPzg8s^R4#T3_@K1gZ5@wOCH5Cpd%Z;=?DXud9dq29Aau;6 zy)TZn;Hl*}<}}X}Uw=$)TzZxr#&_U-Jnc_# +}at0KC;factd#zZ&*&(vC;J$ zoos^%M!+?SK(-e{aG&WuSat4mIUMv>8|icKL57J38DAWpqcrIcZU=iUgZPFfKc{A4 zxrj$V+e*nwZbL0-K^+?m=N7X-r8h&XuVOtK74J956oqbSp|Y6k9IZ;xV5=Bjx=(~d z|H;Lpj7hO1#}E9zHfvSm8J#E9T5pfFLC90opAPXJO6or(?SFRwMm+f#3EUcQ*SH&O|_ z$`H;1OS^W3xj*!g5b*%Je~A$l?YZKs0tK{kWdQsvJqc>s7m-}0Lmc#RmP%GCOlFDw zGxea8jD&|ETNO&k@^Pp%h*50kq2~+x+3CPFzZAb!ibc|B%)Q4jOG1*i7==}KW~xWj z5-R5^Em6iIUY%po?ri9+Mu6*Rvaa;AS}Xmm`FGf1|06FBaGr8b`6J@M?YeOS98cJ^ zJMMJkrB{HlQn8w$1%Bptiz({ue~R+@@neJWMgd4a>UcT6;wFgm{d!-ZjnUUCM}sBO zt$e`2xc;OgT|UlQv}DRYM3I+TiiQn~aHvlzE*$(-m~^tpCH`&uJo1dc5@Jp1bt7zMiS2@3}V(?#VtUBiM;GcF-S54 zI;Gs2lGyyEzy0@Wy%3D 
zdJ-0ocUvIUGp5f`3d2RBET@c00%L|LIwZ;zq0xmOtwzjAhr6)%{Va|Fj=oHT7;jl{ zV&T+j34bHxZ=C-Wp;^m?^TL2sK!ZdWO;m)BP>W`Q7Vd%B&gfw(^}zAHu^-xiKYU2* zpn_UqtFp)b;VsHl;Gdn{U3(hM!Fh=y6+A#1a$-M@W|VT2C=$*Dgz3R+*Ek|l}JW~*{C2+fWH+x$_C1onItpWIAd(d7AKXn z8nfmFkzjn-yL z-y*A~dm2C+JFhc6C7=xLE2BjX+G}`@LdCJA)y9;}f7(BH6>-WE8z(5&o`#!(m?aWn z=uI@-tSI7=mKCbJmVVcxTr`dO1d!6Jm+&ah6mh9kq&@!NA1hodMm-p^lFs~7#h{J- z$J5JDZ`j%XZ!=1Oe!s*v4(yu#U*ve2AV*S&wM%t0(cIuvXuZy}Gyt!-M7X_9goG2H z3x*h6p?pHA5Utvb;N|q{{(}Bsk!T^e$vsXb@2@|BN@A2w-o20=N)XfCExPM>r41r14TQ*;6v}#K_?O;D3@^D@cm6Ts5XAa%Mp-QjI|9=GxiTFye13bz3 zL_X?+Px;8X8^ANF^SwM+dW^X9=GNoNtAPyNi88D%=Ruwg?23~UZJ$C;aLj%D zp?^_~&C395N>%MPE)XLkw4KmxIGn60h0iU^lJ;c)vq6^6cOV0}(Kq1xuz&ZQ_5IQg zWE^SZbWg>{XS_sWyYZ1rKd=oeEG|hPu zzBZG6)5p-n^=Jz$Cp^sAw1C#=wptKtKOWll!~$vbY;d{{Y-}H=h~qb`t%*V31(Q*? zOyS=XjG4Odf~E&6vL5hMf3>VUvGLlSwRwIVdxl!!WW7rG~1qsVEu<)Rbr zNA~%5Yk&8%PHD0UtES6GuIgBA*B^E#8>TF-9Ils4wjG8$_p-bPiCbb1OaMMD*NJ*r z$d-%O(}RoRPndJ3_>Y<}0@`P>n~p9^UG@UUHB!kP*9{H2_8L4dAG)2z{?pQ|TBH`_;##jhZO$^NhpEAQc;MOAmBO<^A%8f1D?o z>GNv;)4F~E-1~`~i@65f)4d?S#DE}6K6ATO7eMNQKY>HOpr^eD`4Ok_rMr_qjaxOQ zf>aEP%yAQasD@DShIFa172%CQaa7e8D=@>?-37SHw>IR0=d_;ecd`;BuQ^BX;i5mC z$5l=yXYKB0QGVD5Nu2QoG;#r(2=2$>=EOR)Zk5WNPm`8i3EkpU-TVW%TIS4}Qm2*x z`i4&S@3EoUC@H64cuGTX;&SguvM#&;AxHE@nABp3UJOP9jk(%i&EL`Ad!gd}l=^;f zp|LDg2-RhmQU=Lmc(W}F4dXGv)my!j$EJK9n{A1`cEhT_8hOm8nYHdIqIDTH2@0M> zGVV7ay#86$lNjsNUf{7BO;Z?)C&lNLg49@Y8VT0=+V|6GG%kJiSB%`w1&i^P#PeTX zs`gBJ23SCd=Jh8TMD2V+CiyR?$oSl1BZ3m76yhn-Qt9FZCm+0c%D-HsOgQOE&8qYz z_Ag{%$U`ovx$BA9S7nJhLGLK@j`qg8rVx$R5+3|W7r$5<3kXYH$wX5z?(xyq3}DNm zBUubD3eCj68nP%~EH#0!2iwfEH!N}FOy6j|KKS3hN_}*~&hxpp(<86wf4QWRQpnaJ zEzlMnR-;V1-OSq+RPeVHK;%*%8DXiBd?E@d5rPu(fP~ES%QYI7kR?2apIr!xFLdnO zYtvXxf!*!3xM3!sq|sDCX)ODmo=GolD3llT{1SWbZq|R0)+-t+M|o7%J3FUolVpnU zwUQVo5BZ2nS^kKPN*rm|iYLqgDAjjLFNN?2v7D@sp^&ogi)o5z>dsG+ z_Pa(QHfRVGIQWpOv9*?(6=5PK6>4QT50 z+qChk%j6{^QO3UsCW!(=5ZANB>y=Z;;7~=KH756IGf6FfC11&8is$jK`caD4AN=7d z7+h{rie$Z@W6~X+N4PNk2iA6Du^{4Zc%I=yZrQ3i@!IQ0V(BF_oDxLw%sW0#@T%u3 
zl?^aA8>1A|F-`BPm#_FqD{TIPa`an1>cQ)x(IQ^J`7k6-7}dX8>K)S%)5BOH2-d;p zQ1v%#DJGWE#Mh)!o1zI(Xv;evV%BoIHKLKySPF8SieIRyjD%*&6wHaU7Y|kX12d*D z)?u=^U#u|Tt2C;t1MnbC%Z=&gp1)asSBXv5!gdmu)r0E0KpT@9PRjbeJg@BklQKxO z{1;vG?=KK!h4OWp`CR3i?!q;=O>i0tqH94WaP)&p2(Q1X1-oDbUe)TeaKBrv5mFgK zWyI1rRDLy#gt+~aKTEfR_9wS-7MJ8NNWz zADTu^TSA<)L>C^Lm`sVPDp@^GOd0W~D%IIeRC(`?G;=WtHl4b2$6}sZjS6L-Re{<> zbdx|)KWyUO291Rv8On-{pD15Kv4a7^?43W>SejK)&Tkg)Fo7vSf<*ZrR!jL3YLiSb zqAcU0xD}CZaZ{}@msl@EP%$Vjr^+5IUlty82>NI$7xT^3U?$|^&<5K{aPfI5kEL{C zg*N5w$nX}+&@l_b=IteR9~!uJ${GG3{cDZ0U}HRr$OYgi=S5t0(#nNQe$UDkC0z&p zyKuzSt_v3KR?BtH8dc|~`j;4Iy-sv2KJhNfe^#Xx{ji)zT09OI&NVo% z3@Mu$UOB3?5oazVVNecZN|c3YS9g{qkgHG9;L@y25i8!qv>5i8^%HDB_++GBj(B!9 z`=MaTV(Mi&>}vAA1*FOh1q&X5_&huM1Qs3fl`T$w?5NIt{yBj0T2Bnvz$sv}7}~d4 z=+7Sqv~CT7zCHl*FY!JUK^vqh*y{T_aOD#R=-%~9kpHPKu3s@MasfTZ}r z_(ct?_LJXT-}?u4>&Fm+4c{!j&Fw{=YiB3$xZ^YRqGo36So?(6{54QVp!x4r`(P%9 z>c-1x&M$AqH(HM!^^z*+tB*nDK>XJ27-XHZ)N$$X>Cm56Z7+2_zPnX{Gj6WabjVsR zfyeQ$Nl`S-+CH#gtJ~oNBwx27#4FH|^fL{Fw!_%k1nLf5r?$>Vog*)|XZ?0giL@#7Yr`KsZ8LcUS{d$$=x5$g0Y0m^_2;1#P*!UW) zS^(=t;VRWJewP>2haCuCbH`VMm1Q$5}gcjptVw(;G#X_@?Gbp~?JTb13B@=7Pg`zrMT zNd4TW^}%yu3ya6qJDsBXevoNpvjfro1TJ*xdVBvLhU$0ZHusgKl=aJ1VxNu!CdUGA z&Deui<24B||fTQ9l+tUXS36F)&rmO$- z?CXTrvRL`v%zL`J^sGy=eR@)pTUWSds~t5aMDNN#$?(_(=h(gs-+jVGGlB1l zJ7h!7HJ~AcwFC<+AGcxJENSq@JDBbk?2GM(x$PSZNcr!%A5;dWUXATd0F&-LM(Pd8 z8s@ZsLSHpVJL81}7z+XvCIg5J`4|4opaZ7K#Iv8;K*aNA!4&nQ%;AWIsS$rfkqamF z`c`Ipe4-GKCJAdR^ireCK1Rfh(aUVgzJ)Zjh!*G$i0!wLyE@8=V9P_#XhnZ zEKW4*n50N1Vb%bM7@%1h)2aK@$tlpiAoQkdd%Z3-w8GR7!hg-)qgGjvXNJe>2EUO zbmmjC+d;jLLWB;0xp*LjEJZ^qjEfPZJWoEz7Y|RS!E}ctH6kH>XE$0w%lq2m2OpSW zUaC#;4zEJ{9f6oC&`qg9O;kZ$lez_-L-GfD-nC>iWBBUV5Oxl@isVRmil~l6NJ50S z7>T(+yY;+?#Jk&p6JK#N_4dCE2-K$pB?R+*BMZoh>D6D<;N-bGWQXC*X3LGr+iK+` z`v=5X<7n-z(G@L=1S?GI7}Cu0S@J6-)x#*^gY)J8c|h!cK@3p9F*udS4BXF`yJ+Dz z+Q+*0sGffEOq#`ZRwkO^vX{%G$K7Ml7Lm0JRN}%6g)aF6d63)xYBx_A`=dh8o+d&) zpZhm8=c($~d>m-!oR|m+8CSCfzk9$R)kns>#KLk8@K7f`GV6+jJeYD;PA?u((gs5Qd-yTYUr%1<`;$ 
z!9zXswVW_*H4@`da%$SP_v&a2XEa8mC$wSjD6sxp02=)d2>Czk7~Hzy=)&o}R+fuW z!@9%1m_aM{`=6oWqh~l)CYLk1$4Djmzd@T#e3L5EOGZV7LaI2t%gyYysFG zu&Hiqq^n9lY?y<-rwM8Pwm1&T=G@oHTft{NvP*oR#~=72f>1zMK8URq>|bi9(YQrV;ai{mRJ^N)i% zh)3;QTg-91D%yJ=UR6A}x}|(5G+{I=)`19v{47+7cuVusLQMBAT9sdL%7Ls2h_ylT zYMxq6>so zJ&K>?C@2nh z|6|DVB|WI0wu*B~wx4>VG^hJykv;=+ArP80 z@jJOh;jR-dZJsC&yp#+<#)8aK%PsCpsGoHLKFvNVyAA!~tnI_5c-Hy2j=tFtiL!8f z8~KmFnFvhOeQAyU`+o74CNCN*V@C72zYFY{gn~@++4D!j%q8V07Oc{xDaeyXqt{k? zamgxlPMwS>kv{Yn6~7G9d6L+Z2LPl@=7s)Q(9tS8=tcbc=WzsjsJT_IWySBk3{m_> zl0_+I;B3{8r|+=`kZ4A>L#)nK4C9pHza?b&WjXzg5?O8CC4#t0FwBR-NMCY1(3nF0 zOo{rNW0uT( z@1NjZ-CEFw&PHM6GbO<<_i;vBo43BFb6rw`hA}F>wO4=Z%mYbSeXO6u#P`@AL6LEM zJhjey9g#UsuT7ddjb~gvwlOguOIC~?hFvFD#LFB!wl!}1@oXzQ?pSV?Q`emm7b~4- z*`_w^@b936y}FU^bgc>ElGiYLqFEA0EE`_*Qw8nA@X zWktV(u5QUW_tj{)@d-QccbFQMVc?3M0tvbe?5(9@Z|>9NXN9#K`|uSxozDm z@FyQVxDC15-C(8a#OkdUEC>o*dq_Xoel1)D&V9zTz}&z-H+A7t_c%>>%IdW3Xlzt_ zA4^tP>s{$+y}eoY__p?3I;`Dar_XlKfcI=wyYsltI{AE0SehAhwKUo(JU1=~@SA$n zv_UZU_4i2cHzCT+n%>*yre3}ch|O(YBu9JKU9UG?mR85Q4tsNCABWi^n7*Kp?MktL zmrd114t|@cjAhw`XI>I+XUpS%G@c_MuR2{Fr%me`YfytErv6w;wAYRP=M9Vw9%Gm@#{fv+V?e=Cr0h$_t7qKvzzt6UQWz(RpS{A zUrx*60dEQZ^X@Ad9pi%yc=H{6@B${N2E%x-``)AheY@kIM9zAC%Z*rg%k;mqRD(%} zoYf-M_#M<4IW$(*tQL^F?DMus)oe^3QmF5-ezB_I0M>*h`rx#bBm$=BZ={ag=} zQkL|K;EihcpvssH=`tF$ManjgylT|@G`hT2uTSAI&y+@3#I!le>m{U|&g2!RvHfSv zc~$?Qv43eI?3C_TS>CJY5|*SevMe*0d5%lJhH)U&Tw{X9FB71DbNTzpR zm7AaqO!iZ8`G$1Q!O2l9(uW=j{HstWk#o67&!PGA8Kdvp3!(H|uI^QT+??G=^hryE zeDx;QT@&|ginQ4%SA<-WcpVWogV~t@mv&Q~Op+-^WxA<{gn6cmq?P3xSLU3Rstg8X zHf2WFzj#7Dfsv+6s{NL@6i) ziVOJ|DyZ$*RmJ*F`$Z5fq>W}#7WCRILXN4{kAzmSmkz;58;uD@)A&N^7#vnum%R~v zh>U`HOJz4oi|2jRa7TWmi72BU>dv$9^Uw+8$ITTi7?6(10C9H}$zk60(&RLmp=b0K zvd53S>h{NzsXWOp5*2bUUM;`nl7Mb%mVMi z1aI+|kzp?NQ^}2Su`68RR45QLi&qyJIeY&xXD7K$Io}DZTIVgVu24E)5@i~RNyD-i zqWr}$UHY{?46vZlg;QFt0cfm2A#$Cx`(3x7P5B?3^s>71Iqi`l#K$c@n?zhx{$voe9S$dTf2u|ew$PVXvHgM1$LsS4+bkx;Sv?OSFdu>}oPU$}W~ zzg{*gQ8+8X5B=ti`d5$Gvw&9GBmSXMDacL!OeOanpN?^6uv&=0ns> 
zC3tu!XB#}y46Gh9{@}!N3C3Tx{+J@8*d@TSnU@K5E#Rhe^)TkEBEv1?%yQXfk=C z$$>0E%19Z*89~Ti?Z~5W33^bJhGle@qFEqAN1|G)28b>FgcjW&>AjeEq(W3s2yY^J zpV_TR>8~TR?}*lpcl^L0Y2atQ$78~bPa;nV@5Rfd|225L)_w@E_}aKgZnEjZOvEkw zThdv?97iZ9-XV~iweHPq`}j-u5ox3iCX+TXg-Qa)51{~;3ppwDqkVbhNRIyMW@3fu z@N(jRVr95h7A7&401@>01E^ig^mSRvKz=kt+gOoO2=)laa4j2;TBm?YLI(MKle5k# z_St`s|0&?TkX^!urq5(>6VP>q*{8%XA5Q=m_2~x4{pMey_iHH6x6e1%_lDr*e3ws+ zGFTA%+YjAYUl|;{x2_M{=?=cP`-$u9)b6)LMPL4D-d3NTB3WIS8agZc>HU%|uN}|# zPU%bg2@=mOqbd^6gZ^FJf@~Eh!7p&H&`wW%&xGNc%3JI^0ab)&wJj1-o7>uJ4L;kp zO56Kppk}Ym$)5l+$5z)l>x}mERF|tdASegFxy$XWQ^Ov!^$Nmr`}4l@uoDfd z>n6t2wsZ7Y?9z97W;f-U!v^daLY3qF@N@Z*tW#e1DZsef8%5F6@Dd?Hwnk+-yX*D> zuch;0{y~4mW+U!!gLl2-Rqc3=tMul=XNq9Blpl??b>^%&G>bxm+4vypZz*G zMVC{rz>sZCT1eM-wfiWq%O;2Ad{XyQCBZ!JotGhNm;?3X#%MVneVPJ{?oQ}Tr`UA9 ze)SGUvk70`IJ;HM?tk)sBFrb)Lg=9b-n|{({?O_i*fL?eE4tM?@{DPBFRL)2>zT2* zZt~%SY05&@Iyf!aE^qQJc09MS-^dTGYB>n)zs@+r>3KiBIciQ0vU?uV@)}8!4e(v! ze(Qy8T#Gyl_l(g_Qt#-QcJ5iNSlvMf9$<21H{#X{p44`X)5&6PnXH}6fVM9F+#NE+ zk)jAFfw`yR-A1`p-{n9UpjEBF7W#`wI*n06`AqJQ3KDf_yP9KaKQXPjEpeQZhc?Kv?vw zU)<6cM4wpElAjLXrO#V7aL&i4D_~L0IsTmu`^@5vgXK z3Two&@LQ=~9a%%DQQYX4!c<t1bA=L3nsa~VEMgMu^H|o(~1|Ydf zOdxmEt(39=SbK{(V8rjc2=@vYM+{)dLIdOh?#h~B0jq-^()#^RcCn+;^B!;&YcfS- zQDYwN0j^;TNH0pLq=Hd#xtT;R(#n=Dr~Z|>E_6`m7BG*gX6&^$Z@oF#;`JJ}v*~}7 zzWz}b33A|NfQm4-$vsg+5aB_U32!ELiKcnzYLc9(7=Kp`j zfIDIjt*pibDN86Pk-x`>_~H2$j5TI~Fd5V?inZlz2es-y)F))>m<2HJAkv2x1k#Hs0(~W?wrQZEkD4%`4_|a(I8Q*2kg znc*E(?b>(~AomlY%c~_W3#kp*Uy83E4HpQWGBRpsA60%asQ zB>Tz^h|x&HG%N{GRc^p3jRbAsu208wZ5LUrks|q;>u^*|26(5Dn*(lzf!k!D{6NqUB zGW45H_0_Q95v8MUHTjS<3ic1a@>{Jd$ zn#)*HLpXbdh{#yhL!gC|!te`WYfauCnU&__*ZJj!!dOL$X6+`m>O{sMy9c7Ax9;5; zmYlqh2pZL?CJ|w{ufH(t6&I`~XTbL%zevemudK-ne-muTyaMR_8h0BnyA`VWJ&is4 z4`S+n3oys(8&dzLKQCpSGT``M2VEqD2_Qw0SQ z`RNZoNgZX@=f#m3UjGzQ3S*5C#?XA2J$E2I`_IlBO|*saJyy3=|1LjY(<9Jnea2{8 zi#!~E%AzSEq5qx>ztK(Ed|ZJ{cWV37IttGRxlFHk-Ul_ey(dZUm-kiiKaL&7hwfoP zaLCK!reHv&;r)6+%eMX9lw?iY=JZd#&O4;R$G6{X7ZwI&wqE1ebhGcTHIv5AJ5Ox3 
z;N8Wp7`m>mg|SulebI?dP~Te#e%-hUvOcmq8}Q@Ak#7{Zy$0=D$DV<#%Wge!()>)& z_4|1oVMUw1JH~#JpbC7~!g}(dOja|`l>@q8Qr&bL+l+ABS^LtR+zM9vdk!7uQ`^%!d7<(V*mj?J z$+8`JzHaMpK-RV&L#v@q&v86IuIcW_?>Z~1=zKYC$!R-SEOE`u@$7mD-OQU}xq9+( zJ*6R=);$}E$#i*y^DN-XdfKh2*?zy&lvHJ1ez@X0hS%}Ww;hjfmeb8}xnuzGw*mQWR9bY}BHWGh zb7T^cTS>exiwA7v*~=in={DpI*0V2n*8>Fc$6SjKa8iY>`~4vlII&}M)%EVW!gX^w zhu=Y9YwJGC75dSp+ztjz8fs=f98QF^-U;ov>z4>6XEa=|Me$h$ec$FfJravv+kkAm zpGoWNPdui5gz4CEUJw4Cj@$qW^cyV!n*O&y)9nXNY%}Vu-D!Q~ThK+P#!^;uc<^oi z{j3WddEMFPOFeZWoYViopkoFeqnUimq5KM1s@`v@|D{8PW`}v&=aFj~^v9TLk$jTD z%Hq&Ca#N15JaafP2#`@`;e|(i;A1;q6)ioAo07^Xs{x@r`iR$CDVwS9FnO&1d(JHG zARFf~j&&>jACpQ|e6t7}3kBPoM;H}L7*UomBNt8-2M3PydKKvvq|Q?PJ14rlHG7ny zSyBk;mLS7LxXm2xoMGjP{gPm}Op|wp)h-8B(ljcsVF3l)Op&k+l$nJ*E|Pn)!i9h2 z0h0Wb()^=_7~U&8=G>G-8h@m*bn_wnDCGkEaHC*63Lu0h7sDInOO}%1+c09Q1OjHQ zIP2m;Bb{0DL~fZy!ER$nfdyOnDvN??FT7$D-tgZxyR6Yw6cq{g-zfTnDGvnM|IpH) zGHhDZ<)~+yzLuOhEt^)z|0s8k2zF3!iXZSIM;lx8`z7Llm6#{czLK13uR#4(AeGTO z=+b#I7mH&+KyVV;n_N?9As+b&vP^NmFz)Jxh+r^bSXlPij5+s1;!B^kV=2iOJFBG# z>}1@3mQBA?=Y|Q3u|^G04YQ!~)91cgNcL|B6~+bdK8bONRK;wJSx87V73mp4O4R7H zPZpkyc@Z(fUIuWLbMUSmbSPK-0c5A0xzh{4sd?t!6jrKau&`+Zf&qX&1w0DGR14mU zaT(;$j)I`%@3*{I()3J3m7~wQ%<8p{T1`nz9cVHu@5CDQeMUqXW_b@NiAE}r<1CO$ zWG*m9R5Ctc56tuSC3t%iFEO>bFj{7x&3NkOW;ACF@-*Xu4}od(W63u&_=aH2THi;7 zyu6Jl_Nij4R`l<})h|^h;_47&!RdxRg&?)u&zUtQ#dl{S^w zPuFzd&Hgd7J2k~h48_^}O-RnJ!A+yYr4Li5`>nGm{pSz0ZXiIEBJd>0U~MIhQ5gbO zKoeo@hhLG#lEt>)JpwZ;8c8Ll%pI|~iigN36oX32kM7DSybWPWn{y`44AjZVA>u27M*IS9yzr{WaT&mY^;$nOVo>R{X~7@hF5v z+qi6uhUyqDqYx|_SzGPiVoK``T6u^X;`xNmfV#}2-5-k~ zMQ{8p{kaPeNrQj!5eh_^1cscT&xhR$pdfY!rFP*HWt;ic1teZ!f`|7BaS?wJJ)t&9 z4IF%G@KUb_fL-;F0)>T(oAy<+h^ga%7Q|B7{n<)Ey;A-R@(bi?fkM=*k|2vw<@jb0t}GbxjtMMU+LXGerr zletTUDS%Q^uWLpN6hwPs6TMPNaxu?^R2l_KK#sPRnazJd2NLEC+I3os*CAbUm zymiy4+vU5sA-2;!t;5IZ+uXTb>9)|py1sigB=crAQ3*zUvVF`^eo(iC(wy0-e0%q9 zX^%}@!l>5D#G;KP;FHSiq`Z7vJ&iC(NaN6#gVl4)dI);rY`J=W!{=)=?BRip1Rq8P?wJ45k?dym zy}R_pe|gHP`S7YkCg9cWZfyjSz*35Va63VBV#&x(m+{v9O>|>9UF!^p?n_hn%1`g7 
z$r}^0_s0|GHfcP-Ma3%JY~cQT&&zE&Rwv44>$jF|WF2kkY{wh4S$x$?VCs)bn_qXM zU6MJj6YsD&Ugz)?SvtDUn*W)R&wXoWZa!BjV2O3CTY{llv~4yUAo3s1ENIQA-uwZ< zPtW{d&Jo}I=Wy&KM=QgZh{c8Q^hHAr`~z#)_acbBoXLaUqN6E(C(kZdaAjSs_qZ^R z=S*t7eB#vo2L<9n0a4YOm(>rn@L2hl=vqOXA5eArEUA?&Hjmt){heP?`Y2=*$Bju+ z7y(wKX>^ekea}?lZi0#qWjRS0LVFy;+KK+O7tm_;={C+xpyp&J~kr(kJX2{Mv%(iGO(*TCe3 z@JI+Sl(xg4R2tT+n*6*2Us+1`-X__NR-SlEjVgimB}|fNU#V8LpmJX`03bSNU>$6@8A)iZGr)e zaO({^bJze>Hp9hWjz+p*AW6``);@1DA7mYbgD}1X216zS;-6ycr+1#$7df}4>VNF> z;h%4o8D#m-w1^SU-qFN|IPN>xW$a0_U+LdMQ_IXT>et{b$iYG%yrT zs2Dk>h27@Ty0vg$rFW=Vt~Uu z8v(UyWvM=M2NhNj-=^Y|9B(_bC)yHxGR0pC4h#vfQjIhGFo{sJ z$rRLU-ZqKya-k=59htJxy<1+-M1)Or2B;)%N%bKMfSw$O+3Mawj-SN}h zCM8anRVDJ@B+j^W^p-A^3(5JDi)G1vjG!|0oxI9|(7^I|>2LF(0VzIt2(Y$&t8XRZ z3WZ6jU%4xpGjUb3QpnF`>MsUoLTcuvw7ldJ)>}VgJUrC#4$s}uY!(=g%o`I)9F@}N z`s@V?JyVU5Hi{JT@d{zfNxzPbj=Hlr_F^fTMp}1MJ@K&VlDEtF<-y3!-NSXyS97?m98yql40}d-koAd$d+>2!ZaM`_tx>q3 zz6dEjTDoBkd5A7I;}*;+kXhr7+FAXalp5)+UMi>?W7arWtG3ohtfgbefy0sDD3EWF z6Opz^{dc@>m@gJOkMfJk2C+=-OJ<;Cpif*e$^=QjDDUWVE%$b=LDR)q*y-IY9ODr-un(P<-SIp|7Z zu=H76bLrAsGW6ZR%f@D(>HZiE9EIs|E3IAkrUIU(cxv4V9KT<0diT|5_?coH=w5*O zpUB*PZYt-8czvrATWXy($;Vso`askbf6kQxny7C-gp&gea zqPNpyqdOi~Dy&u;@ikoLNTxlmUKQ!qt#ckt9>XiT9}h1lHd{4+Yusm|?R1@w(^L}F zbOAx{Dmqav7|lF)pCj>(r{PYdsr3Uew7R2&N9%09<9Ww+pww|E_?{pli0aAX@F;M( zwTV$ocgYKC6_AN|hn!zUxerV7H)?+N@l zPpqox;}Zwl5Ioepz8}j3wi^_ChA8Q5crcE+0-rd}w0d4UP5FXLw;@g{n~z8za-Lq1 z9Of}rxa<0nQ!>0yt~{xG-r-f_?q@&?S+<}rm6e?juH$?zGp%RERk2H=u3e5VuFpOP zNM}_U<`==GwQ%-v4J+$nQMtt7);V40t3_B{$D;(BZv$e!csih$k0%~60#qfHb^G&} z?KJNj^y3qyw3Bnwsj*mfLoiQd@DZS^{WZ*DQLl>f$AnWK0WW$RQ(T{Z!Wmh+(@4HFLTPKXNX{&J7 zq*lP3zpE7}*7G;?=9`K48CryuXycX+Y1$rL!uUUIonvEU4YZ{@cBf<8w(X8>qhoaJ zRBYR}ZFOwhw(Xj{bMJhcZ|4Wpsde_=&syu(vrt$`yamnd<+{v2TjdcAy5zG0qr?$a zW9?n!1f?KMv>k&vb$?t5(s7~YQS%=la@%I?ETq8}v`jF#COX(*l$n$*-hboI+lj8B z6-JYy>X-4*$Sc(o1u1kN1=A~{9==Pk-9tL$@ZZz*L=k^ko^1O5aTcMB|D&BuH(GBZ z%}f`sYQ0)dw_a}ol9z%9P1Y!QlIIF-EezB3oGg3Yh2nv*%!6wy_j5PfdgoWG*`&a^ 
zrd~{!O1GUjOAUZU68~>4x7iBTP}=)$lW6j9^|30oIkwR5IRfHMrxE{`0Xut2wH({H zABZ8Mu&$E4Y%-=ryok^ws=Z!G^$N}U1T8v3`4=#z1ynA*wIX8FIQT0jNHLglwZZgf zyR}RwA#Roz@_Upum_PI_d$*&32l11Js)E#5t;#6B>8X-Dye4xvA8o<4AcSVTCeQyM zMV!Iq&n7|fqe~m-=^lK7bEKhyaB2(9KQR6f!mO4hSPRG=H@68utxObM#9Sdp<>F}k z@ZuqY8U&#_lgcYaxqZlo1tZ1>tyi@7P!T3^bLO-+A0>qn#}bmJ3mSQ!S5Bg4K1g{} z{AU>M;w()0H|pB#FWq!7tu_a*;M74<^^)^YH%PQ~i{XMNsao}M25RB$YhuD#gK@R| zpWNm!Q%83_g2P#l>;X??HG51I5avVf-B`cWG1NS{8j7enE@ophkMu10(1M?9lx($r zrj50VWYKeqKb1fFC^3_NHC&jIw}TppuuIRwhBZ!#62AT5b$Y-L`RtOS)nxm><$(JT$38GG@PCc2fw>exMP$ew+3zMpr{ zJko4+@M_eYyY9XQi{MH7TZ^gmJ4iq%HFtsZf}iiln~>0@<0hpwN&@(xc=_sKB5@_; zqlxvo4HqVjcXerr(rW#Qid&nK&AY1fS)_0>;zS-aB}8(SFWBT|xshLq<)F`$O}st3 zv&ukqI{uV1&7m%lVfSKaW_itjuY8gQX!fX#k})9!N>59!)49B zz$?S6JQw-=b~bRv1j#)3C+G9$DEMoOp^*NtkLX;BM-p;1{CF0-3H0X7C`wr^Bq>|K z)#IGs2@N})nUaDm_+z^!8C5C40~YUg!I@86^bSP9zC4)zro5k#V`APf5=0(n)Ei|k zBiy5hT-Bo6+IZ^RDpN{E>!eF$Q*l-i)MLEDp*aX*vg33Z$s4Y~bMTcFC@6;k5VQ=u zd35btsBCr2s4Q0Yp(^^zA@X7K!{7L#d`VW{712~hqnPtlY=z|;4^IYeEO!;Sz3390 zx@Cwg5LHNoE^4q3#UYRya89sDo6tJUJg0*)BK^jbGWH5J+d1ZRwfQZMB03U|KSr8G z2bK@h87oOn1*->4nP^~=?Dd?*Max&&q@!2lQt9b_n$W^p+wNHYrfHt6Kb`vRWjZqr z|CS~sz;a>+`T4=XhzT}JKnhGN19~$&seZ9ou`|Ab+z=%8GDiABzvzF4qeE{b^MH^6kJbTA-(X zL~{J1&7Y0`qU@?Ug05>+Up_O5+n~*A%B}ushiehBDQ{N8cq%Gk$htF%&x{vqK za7%|-Vz$P4^Yi3H8-umO*{&ICG$4nw$9X_rtz&0@9q_zD4p=B;A=of^b*z3pj}ED7 z9Nhgxt8Vr7@v>2|#qD@MQRADSe>_v<(XKgxOWZkcEr|L0bR7er>$Ls4jO69X70C-7f$Zndh zCzxz=ZbKM$<%i1g{Ni?`|GHee^nPA>x;=J%zZqHzrxN0{S{AjNn#Skl*4qEB+sxiD zQKhM%|5~RL_*!Mch3#X($un+!?jHw*K`8IH)X>p8re0pmJuex2^# zL6i{mw8QLd2MW`Cq`j@Y&xcQ?anN$oe9kdsH^@<^kMjcVaMsv47@S_U)o-MA9V8Dw z2cHmp?0cVDdYq&+=m~C{-hpsHpxqS^a`FW5-6ksg62nLP`yfUR2zKj4w5Nk~cbym6THJE5069%(eZNbPq`wh~XN#BL9?c*vZVc1Eon#1x#f36sf^ny4)@nG(1GN7F z{S^t=rS~}_#59c+Y>wVcIJ@@wQZEc_M$<$=itMSO&d7{m3Wb%67U5o(tX|5w z5B{ql$aZMuT-pe#q-^J6s zBwyn6WQw{pxxP?;inskdUvkcBdU=z!!EsTK)RB~gWXcsTre)iv-v}zF8@^L1Ke(qK zAlp_7sCC#1WMi~PemOMcDi0QGF`{TWE{syu4KIR)HY4M;B-crab?hQAmL-=afcY+1 
zFoU3p#<-ND1eS$Sn=IJZhcsa!4Ux{U{cVeV2v{)jFfK30e^><>ih}!en0WKnf|^-K zrAy*L;2(1jWQ|4G;3%gp5hbFR+&|+?n-b>_mI|B5jd{q0=ZKD~U@{LZN@Z!ZKM8dhIN{4UnYhoM3p-ixdliepTUWzUiWM_#4x}ahQXoO~Ztm#> zGzYa~*#@K(sWQkr{wn-^7o%98jYZ}2P0eGAV`E}r1Q{|afM2E_#@y8oP3;>L_ow24 zXF215z2oEpJq!;Sl+sc?Cn6OT{#U6Ggu66J8Udc_3(}x17apg5uI`n;k;Y%JqE;S{ z>#voO#@}=(!3&w}G4!w%&Qfa*i9XqzkEOv17GY{I8#8ABKj0Jl0hRu(v;^Nu>$s$A zMf-StEWnuxIg9FNFwoNrs0H=`W(a-&{~1CLDxeB=mwg?-$cDVw5a7LhjLUaFrfBAD zk=O~m`&lh(nEOrJZkp%K#Z@r;?UmcgL|oE%KR5@tu3ts?@UPT)xj8s~>E5JyyLg&H zH4}VK%S&rZLatBei+^fXtsXQEiw^tqzYVy65}z8a^|$P*DKkWVQLp{zmg_cv#7(zY zADn&yADtnCH!|UjKg>-e%W`h3C=Vcwj!`GN}jI7(2 zS)%lm_LQZ7Beui6qNh$YpAJ1i`_}k44ck$u?6nWU%b}GW!&d?wy%7EOdzm&z_H}0q z;Jw2*^(EYs>bBC8AF)UI>wcu3Cae93-IKt5U5{bo*W{|_>SFYEYf`7dJBz$mi00mv zXUiOeKC^~ZM+>^g*W!U<%=X<3ovWzXL(baYD5cw4P3@}pbJgmP{%eA-gV9ZO&9oMI zz4sxo7)t_&Qz{C4hpnZ3Hy-;CHs9kX4`5%)67Z8E1y^qyD)}6TZunmK34d8}*xunGox9h72>dSDd<3n%#qU}8Coc;{x{$$#KA70bo z^36?eVXgHyBwt%iU;I7No38Xcm`&MiK<@g$f@>R=a{Re{n|dt9|~~t?gM)e-^o8p#vgOf{!?F=dh|)Uv0GcP&*j%?fh?f%`}beu5Gw` z4dTVC7V&dRbN<Ak3R^e5Zn%J_;cu zvxvm(NtsXKHAE)NxNGrd(aln*^^z$9AoVHUqw;JPLf(3FtpbYU zE9+G_BAQ9%W-IHD%b^!!xR|J8qP*A{o^#hi8}9xPNZC7(C_&(n`pXq)Aia<)85 zp1neG?2jPfGL~IO%Im~42hi$VSdOzN8VfBFN7BU`%c69y3FlPmU(6(4p}~VsE9R(C z#U^ItTqXSU_Wnns++?i#KGp0$9k8+{LsCfv)GmpxVbDSRV&QBKQCQ( zmVQfy?8nyKc>!4C9K+-qMzm#C;nPMWO?w@FI%?CKobVZmKIEdtAAm?wmhPFf4>(lW zvRQIEwT*&In8CYP#*Bcmca3ctwVt47$Em7<6 z6pc>Wb00}ko_XVZDQBJ=6?_P^uE-UY8R`eD09}(n0F57JdVQ1MF(;i9KqLbKISq)= zMQej}up~kmS{Dt_aO@(V6W1kV-QYc+8mn(+F7CdCjmxnA# z3bic0C2t-qBduYg7_g_@)5VtP%Aj$U)nYB8Qx6{CbBUpl2~H2Wf=>e~?NcqNltD{Z^fTaO_)d`#C&+zWE7)_j`R|jyj z{a=vcQJGw&9Mt`-AQbfmJ%fdj(cB13f65B_$Yx=hBEf`kc>*aO!7Jd$C+p1axoy=u z*ecQ>4ua>>3J0Z%^giQ(FFISV++WJ?@xT%KL2s+CgcxAhmzmz%KShLm2m^STe=?xT zFJ*|uG~9GC3G6uUzmi~-=(TO$bR}UP<5GeX`bXvngAKug;CcDJ{Tw0^0DIoX;NQ(#p^2a0c6uT@4L(>%MUa3*9v}*lbz~ynG^Y$>n)H&ho55wh}U8su?DbS`X_O&)saIujU z8bO*?D&QY7HKCVUCN5_xRf{xChZ%o0HP%T!S3$J@0wP#(;T@KC_k4embYD-9r z;0OIsb3^bEG6EXDmiwGqm{}<^8_7+ 
z*9thldjxh9M;$sYc5VsqT!#CHTh}ui7U)v6T{oS{Jc8~p=YA7#Zi5_mIe&e={aw_h z_r3|BN#=UYMKtYF_EzCe_VIyp>yl4lMgO{q=27RVe!g(8`7-K0T#BWC`DoPk*T42T z*R!MR*--51@W~2MTe~~Bknp7STyu2gtrOcCWI7iE6haC(POZZ(IyUB)`J9fcw7cCmDtBSxm@FVoyr_!y$mH~vE6h8QR zOsF+f*PK3YZ#-%rRo>Ee>jDDx2{Y`{=b45=h}J%R^SF=mLHO#r$N5NS;&R|{*!{<8xVBpVwA$rgLKs5Zt5q-9%kq9x92LM zV+$WsdZX6WqK>|8o0`F<2Ua~nl-ax3V&l0F+mo(gC-ZQc2=KNbY1Q)dVgPueSWe%` z=*V?-O*zS_Tbb3ay16=~u)(cypN*6Il)pr~-e_`31zx#)%oFGW9PiV+hMlfXOVIfq zdOx>rY%?9vc#bP2^uHjy&WtCx9r;&p-$GLKp27;`$Ms$BbtSIrmoz8wk~MXl<#_h; zNtzRK@cBN6)!Eyf+q9G2JHFmK^j0B!lAnNY|0B3y7r@|&7vOb&Hw+L9&Rz3m_7q^C zM=r!q@7wvYjd<|I1AHyH2lzyOK<(*39qJ$-9AyDnkHml?YmzfjxI{{$x!I55?77L| zgLS!2SS0wSyV(_scNe+3B(1G%)MHW3ExjU1_6;fykaw(X_exYnSRJRSy?={|mWCdyCn88JXpZ|Qr|&tQv`wKE48-J9d*a2q?B)YamL;P>#;bi*iBOST#Tqjl6%<^s0sF*`2p3XA z_IR(gE<}7kyaxh-tCRuWu%ep|fgf~Plex`;gLY7} z(m`hio$JaVHH#*1w+#UC4-^Tm$WQ;`D9h}`+PNt`uIzK80j)>0--L>D)(A%ofGr*pF$alq*mK$d^e4% z9ruLbyvP9`Uez8J9m8iRoSY=Gohq* z1hYnRt@}8SAaP{wD^M{uNsJD+3JX?hg&_u^G(XJ~oXL8XR8*sci^#ctDfTk7_I8%S zD$Cj5cf%aSKVJu&MkG8urW*=1i1ev`Iem z+gV0Q1=0F#hTR%k+~dp=VeSv&g{HilSmHENV>zhPSpfgwA)h!%#eO_e3g%X0XzX{QqnEc;E^g+)s3c0 z**Y#QP_a}%nvpH!3O0o;L7*Wm%8gx;-k_bqvmGr;3g8a6DCa4yGWlczs&OMp?PSYg!V{l|oENNg- zWE&X}Bb8`DygBTnMy)J(444sZ#0Ukvo)yT9E9RfWWC>L6ScUX#xxa;l*ftqkgbWPY z&+2`~tY5kB<}AlNZ_ahR`19FnsdNJF!O(TTZf^A)>Gdw2oxV5ydN|tj~(i1nV#2GF5e-VupB7n9NM=5r z!}N$-zybMYD?rHy#hP0YjeO_hVuGpN%^IJ!wRlbW-$jV!z~(MHB#)pZ7r>!^zn*}} zJco-y%i1lU!!tzbo=6R@GiKXGu;)GlzdN}TuGhM73PPCcl>XjfL%^$@H$B}Y;zq4n z=k}LGXVhC%4e!3`ZR}muC>KxGt*`4vyq!(= z>QK+dXX4X+PeJsCbI;=BvuTxz+uq4Q!SdUCPVG8R48hxuy^8H_6mvv(46pamOLN9D z%!V7>(jomMUe7DZtzL^RDDB7S{WHDG8+mMC_Y2k%}FRbzKK~06BJZrhsL@mzU`W?p9TE54oF%XZJ&a zsm|}vd_u7VYB@`zoD+ml7x!84snLT^VX~ZZFJ}i9lewVW;@;MjF!fY$1Hqd1%qeci#(?=D}M#2WOn^x{V22c z(joF$b3?j5e6Jp*NYv?R|Wb`Z$c381GJ!nH1zlAPWU^L}hWJep7KMAo5BsU1_NmX%Q%Ck!9t5F1sxIcTs55rqTT6iv33l6f#uzm-=B76ajZ^|N(HZPM11Uw?cso5m*Kzt3>J|4T^rWcM!Gb)M3SiP?_ z9rP`rxolCIt=8Jy>yt#xk;r0E@q9+ 
zOX1(GFOygo_^RosJsHzwA~WPzvO5T*8?vm*99H1&IiCgzSBr3}o5Xwddyik44=)Sw zczELfYU_7K_{97N!C+#Wph*=B!iy8~-1;QD@Qf+1!inLC%yLYU4VnbHG-;@{*;$0Q zS?M!NKqm7TqOFhg(b1py^)e4zFB zSQyMt#6>A+XXQ2!O4Fut+dprytcBjxJRsCaYNy!ciJ~;wX@9BXd17_druQYgM($%5 z_M7;jwcA!i&50x-bpsW&*&)kq$@Qg-N#gPw6>1zH~J zED-!ufNEYVLl4zx;|F6g0aGoM8CZ6h7Lxrb5FA1I@f>3H{3(W};Lk1uJRHIH6EU%VJ^Fa1b&v)i$U+ zT7?Hc0pXYS?q#hkM+YVL12_Y-c(Vk$42C&m>pc26KWuWEBx(M92w!q&JBfg}Bpi{J z0bL2g0^Iy<>NNBRQ?V1Vv_zLL9%oHa?{lIvUfBPO(p>f5O zEx_N4?*UgIpILlbfWLzXTkhVQ%IX3ZEDX*|Ij(TqoCfn~K277z9FrbS{0_Iye?!J}KSXtpQmQNp~vq`eAN_zWe7(2YX zH-3Vi^8IUEpVNMId}lJNocd6}@hPt7K|=aREKnm*3V|2Io z)AgM8t9IozZGPsCtgb6go9_E1ZZn5>v-i%w0}&y(6}kgXra-^nJ|!Q+FRRHtZH9|q z5){s^?E3s>tMY)`k6|c=Pu`Dt3<2*zo#Ut?*qA>TPs!&^)7$1H4>kI3?i@Bijuzmm zNNJ3|d%qEm&h4mC13^#!Vu3onQYgZ*HkjvSUsX%{Yc3li|8)CT*zyI~QC|<2H?EyX$NB5B;`B(H_#3L<%pNwyW1(S0nFD++k0e4iID5_Eq>j zKo^nz=hTM9<3Wdz@Ad=66RgFgi{+woj`wSv>{Q3a>f@5eQ>&_rRzvN~D55A1L-Q<* z`m$P=O~dT;za}6xU&B@Vc_hELg-}oXV$?(pgWj##M2BavJbt6_6XkndSIvj@I9Cep zouRwmJU?e$!&Yz-i;AIN77c~BTkrA}kl~xOss*l3eB@jYe$T6tkV%!#1@l0{P95Ku zR_yy~^sn=e<8Li}Wx6A9^Wd)|oTlqexE}+o-46g5r!IC#v(@%+b;MNgZqkd-pwo2f zG^E@3_?`}~D2XbF0{6f8ew( zHiD&2;2`-D-d3S0b98jFj=}S1N8m0hRa6RG7o!%(43d!D2k&kz^h)gx)b_{AxlHZzQ@t?U_lz!CdCyod zxom%!YUGpCsRbCsEq+>)1*HU1$`i|E1pkF6C8Afpp^}N&bTBL}NEH!h6UwRXp*UW~H#m#TH5OF<*%NahPZmaz2@WRd)b3B?!64AWd_eyM??S-63w zMJDwej%L96JFQ=`+f+NbSju{tUKbgpxOIwgXDkDPqag=IOoFBj=IcJHBt;qb zI##2YI5D~4`azNXTrpwmudyPn8kP}f(DGy}Mwt#>J8Ug-B+Dw|!=_px1-jABZ}r>b-q#B{R0X3n2;amcRpw4rsHK5%3}1)P zz>G@b1Z#`-58Ku+c{DmGQa-7$l9Tpn=#TVOfV~=MZy64;huexddr`N+xE7BwN&*p9 z{3vxnBeQ$51ng_zaU+VgZUtl17OA=OP?2dj-i|*u7=mQx&ZVAm!zHebv$P_cekP<5 zU5!V89+`ATX4Db%A5or#z;V=dP=?mp-n-Q4sCV&_ABp0hchDC_mR_$;MNY%=PRtCCDf`xVvCt zy-?&5VO4ed81+8%gL6#7!fA4;kR>?NVvaT?BD*$;O+V(0*Jm+jv)ZtkWF7+k{_oD0 zrQh9@a~l5m6*y)<`zR0v_=5NX0|WtmS+;>+dhi>L|0w?PVYI$Ve>D_!u1vSQzR-Le zw_c;=2x5lr{sP%AJKbC1Y(j4x!gw($0!#svfG|M85hoaL2;jv>7lBW@;2bzBhW=+u z?(xkz|A$I6frhaSL+5kQ@KNb7-It|H>oY~gR)*J6X$42lW3PPL0b7s9OJkNx=Hps1 
zO=r&sPmMP_FepafhmE)GX4aV*u;LhD^L-Lry!LXKcdObLf9_ITfy~ZX-Q|e6$fnAy z-NRYWcE6{@RJfE zyl#w+^4~qC3loQIFs{0$<>fmJH_4*)&-b_eYPL(so>wo1+;Zmm+l=$%)iWHwJ5Y3- zpR~pmia56UTx%|$d4as(?JxezK6g*B6cwX3uJpKlc} zPVSG7DKfx4KLj(nBS7s)cFWdV-dx*d+-l9|A<@wb&h>@9rVN3gWj5Wd&jO*q@sJoK;e_V2iq(KWNXciQLSMLn;Y z$26yfrZr-U9H#eRvZQ64Z2e8gQ{5}RL7po?#Ol`t<9B)v9jC!THTM_40s>xxEV23N z?$3+e4m?Y`HYmW*Q`BH))b;xNfH6u*=FQmHo9XO&j$XsAea7|siO?a~_2zA2M2y?c zOVhLFI|Bp%7wode+a?7@)*}B&5{i<5cZXM2*Sa^{Y6HFJ`7u=6Y5!|Sj1*rT^7d$z z{REpC)bzI4uXX*d;|6J7*DatU5I6}0PVeOavw?-(Ye0m|Q{ZdY3LvFJ?#PGB`zEI+ zlRqBiFj5L2>qs2)C3IBXDJ{%fCF|A(0_R}NJh==XZ3#%Lk<{-8&plT8aheQB{HJ9N#I1t^k}uQEhSC5+0+Lbk$UnD+b-hDg7dPe*<{jz{Z1 zXKj-rnurIy_bH!+0qc zHKWdtoAv{|D}=?L!{%7J;myPs+a-!&?rgL?=0PCY4D-j0pM(*jJPsA)Z_V&n5MWy=j-*WHUa0QdH&7#B zm$E4R2oytTybfz-~+7x4ZadpRhWe~$47bU};p%TJPEsc8m zS;`*3e^=}cu(by?_9m>3)$$F22m66O(rBW*r0}LlEfS{b;8{ROlX~vD&@YhW(z`0s*<;` zME)SUESQcejJLkbE8r!0;kuWR&?K9btDLBowprN6XIKLdXXPaslOR8+of&yp7o0@p zT)F?8{=)ksp~zHSLgV0xxz;9%b)RNZ3{L1s%uTMs!j#E}c@vshg~lZW{R+pZ!k?>pu|y&8s9mobbXff77&+Qc8Fnkt zl$t!u_`>!m>evBejS5HdY>SiyVx(u3%@x}Ur|xun948sm8Hc(hRn(FQ4wTSD+=|vU zCXK>jvs3Oue_zUk&~x=W>!Rpq6E-3!ssf#JC$JjLcy8t4j0{_?sw+~K&w5SM2h!{U zYhJd{Ma!|%Wz1gX3^IZBNMgJo2^Ie3YH>H&t3v59O3UPj+kq2g6q^;8!teGb0OZ`{dp9+ckf|7rj_*&|ZF2iH>j@4g5i#0{nLUGIW}DCD|Np zvM7WhQIe>&VslkMNA{lc?bVvCHYxM!NS5I=507)pCPn+My(i_$Bo6P2TsoH^J|V`1 z<&I6Qc9OzQJS!pgn>}yRAP^L579+K28-Nv!HZ7&qEw~q4mDlF#gAeE9$G`|F!rz{> z6j7AkonxGtDHY$X3zrEl%ZE@_U6N@koT2B)b&5%Is>uIANtN@&RA&n7)*~}ls)Jp0 zVozyE!Vn_$hgwLz4>H--DY(!^{U#Q)q>g2NaQ&10%w!%sH$x@;^g-&3bFd$)I^@xS zE~)a|pdqqY*+d3brYgx6r@#WbMuYgNN zf(aMLvaO>J{_J={GfCdF#KMGLY^qhQ0mH2*9LT}J20 z5%V6-AyudB9)1mjHGsI+ootBGPk_MIF7bQzcy@Ib&-vx+zdu`>E*c|;T68GNqi?T>+LHQAi@oz))CtHJq{ zFJ;@RNtgG|&pQ$VegMFS!_{t&0}j6_)a$KyxqRH#h&uy&A>dr#0uM0tnX!2@h5%*q zeN#x~ID=Dv?r_M9_~|LLb{P&vadC{mc@SZj{gB4L;JS7Z>FV>kg)$6(1a9Z$Wp-4! 
zxHmuTxh3%ak;FZo`IdDC_+dSTH!AS?n)bNmX(WF*0QC&`;P52ysBXW;?x6c)!vd#~ zzHwHYlAvx~yVrdKQ3JfoYuWPjtb0<-NHY^KQkv##9wT^~Y0=uNMpSeAY^94$sv(Tz zYnfyBK16sD280E*a3A?gBa)zVa=33~r)51kUu#^Pesdu05g`;0?7iA|`pY`zqgHLx z)d){*9nClR1X;YmrkHp@tKA@pZI^Y`fkXgCjJFxonHT!9I#c*H@OB!;vo#q+Y^iD6tO7Bykn_Rgi~%9Dp;!G zS}Rv=7NJDyP$0fc1U8~xz8FV*_!*rnfxW1hA7-xkqp7@1G-Xmuhl@Euq@beR>EFFf z7fW^dqS5#PcltKEa9xdZEL$=%y0|66s(Czq1IbmvkJ7X_uK=z(~I4y^$jvVU&iS+O3al0#ZmaN1rNzn#|m|K^&ZI3;D8%z@F+AD3{Y z;vbfIWzJAs{=VdZRo!x&BsMnYauDsaiKBYqCFx@y1Jj8)BMqfKQi10&V-}%5N0l}X zvpL4a880!nL?*LlqL4I9fNC=tKaWF`u4*A|L}L=)f(+g_I$l2o{N|mN!tmadYh)Ht zrT*ugI1*Sy*@%L-W>Db)J7MG}*0N{89j&SvOTGT;gaOxKO3FI^!-`UhLgaxPQfwDy zW6=?N!`yh4nvD>zSo=W>A_Cg8%!`EP$kMngjJ>^@eRt5wQzLEyM)08_ZYkP5ZW{Hl zHI35cL5LS#Tg^0f)JQTyx=c60Kb+TWaoxQ+`}AMg0HHeMyLIy+A%5&KT-`r%tJ6T* z)bxdkIVZB5dvMx6GQ#V5x0W^vzfIpw@GfPv4Cbl_vy(3hgqrMD<(MIhah&5Lha$y> z(Krv;L|riD*KFAFmxnjM2rr%Cbo_;tE!3a2Mw!>HDbd#w*0VzgvM4J-a(OKl$^-Tm zM6kFikt;*w%aiYIEW^Uu?g9RQRA9l;hP7X68t}g83+n6k^nY&NAd||#7ScjjE0-R6 zLSM^28aQ=3x2<_+7NBg{O|8n-iNttIvXC^ZBEt;n9vs;2f5j#K3M^W^Kqg-v$}-`r zYW$$xcjqb%Qww0&hsBcfno${vPX}Qtz=$A;+Nl6#MNc%LLYjxDHe<&r(?BpXfp@+K z{ppro(|f6hW|c(Lx>l`eL@`*Ql{F;9A1*21H?;pmh>$+XDmRoBn5!nrfPYTON%=Dz z4g8l5yE%26eK-q?r1X`Cg7m|CEf%pq+eK_FT2icE2qQgSfeR}9?=Y+b(u9XOG3tr2 zKfM;5nyOBxMDvEQ2;GH`V;V8JLqAbiu_c8kBk_7lUQ9vNxt(XuG?Ma7#?j`@%^YCz z)jHOmYm2+L+ktJ3jrQl2}S4&!H#3^cK1Ef^T zAB6H(`e;zw@w#FDWde%?>P2M~CjsnrZ$2u|{qimO`%UqlRaPOr2xqzom3fegrxzVD zTcqwoigaVb&41s~ZR#xan`W4?@sP%o3j6lim?;jSnsPtUbeK80a&ihWqs6pP&?1!w z^AF|{eCiIsw78Iii@ZqC-Dgyw{MpN=YO}GHSo%FoHKyUu(+v4oo^s%alz{u7xpo5p z(>I{ke}*b$YkpFu-vj0Oix(Zz0{Y==mle zQ*GD2KOL=GGOFWt7pE>;-G2Gx?V~2}xs&y*Ydw$m-1F%FthRj~RmGk~$I!acEZyxm z#$A(hJHXc?1U&n4D(gs^4vEkQj%m9a#q2h_ZfsxT^-i^neLUOwtQ`~3d(8Xy@VzB% zoE&jocPf7Li*)fUectbxW$|d7?Me$IG=D5=A6fylz1{GRW@V#!fNjcKn=9Ui1$Z0+ zr`aS{L&O=o6g7X_p67NqBLJ?Cd^l4}7@WzW1fE53MLr%h%}+$?I{lL^&v-Q#Bh`*q z!adkF^@GYwxJYi77z0$&!17y<^Ig^DwS(FS9w>%4@p+%Urj&=}^t(?60Uyi9fGIv# zfRCxyrrT(O+T2W4Y=_VHXL1eg{lzzI=Hrv2@7) 
z_S|^ea_8`VVwJWi2y>Tmh5x^HE!>+{BFe$6V&x4K-ijJsxaTDTlSvA69^p|I1D zKhRWtJS~5Rr8wKg`nV6b+2#EGCt>B~@^ZB}rFk}=<~B=lMB4zQZ^z8Kq#p7PLd27$?Hqn{{dec{ISrgyi-c(Y*o2IU z*QWn}c=r`B*ry4&4i5zSTx8r3fJ`$V66gXs5>wcI=duNsGyz=*pTBuqflJ_%@qxh2 z!^gj#(Ud*+BLSdCzI1paxu61_1;#&1-oQSGYLH*BX`>n-izl~|jjPqU?j)9@-6?pg zALMazf=puA{h18$!q!1e$OGYzrEKO}M!`YrB4~`*pYf8f^rwuMrexK9E(JV)nFi39 zCHYf&IY}_swK)Tbi!&o^y3!gQx}I2n-kZ)ZL7<-WBbE7yV3>@s@=y`kw9Yrc&oXg! zZPTbrQC20s-Wdq@&wfYe*4MEYZy2OfmS#>L;r_}!w?;vTpey<3{u;kd#c@xHOyQYo zkqR0tp%No0Emg&bsyj88@lBPpiEWHGikrq&EC1?c4?mTO`$cB2R5t2wIx6IvPHn}P zQ?^(Hy5OuOBQ9hK4C#80bjjq#2$5&-pYeq2qB8ilT~js2(YB4o(`nb!3K7Qt8K+LB zTc<|P>V@Zfko$cC4&4=q?g8619VAGZCvrju?uN(_k&*Q4ivg_7q?KzrMDw^mjm^>P z$;aij>XR4pCt~}8FOqbZ3Wn^nC?uS? zM;RhjSW=eA_G;B7NIGtij_iq7rDObI+@?#0!N~AOWkhXd9bxfkn^-GEl)=X37I#Xw`oxr##S(Ut%Gb-5h&Bf|igibCw@R8Y%F?hn6LM-{BSMN4S&L+d zXo@gbA~S9#>>w@|=l4^esDoKbS&eNeQ@0fEKHdgw!iY^>Rhx`UzRg?*&b(p8a%>pS z-v=0Lm*O$b45F9Zf?eZ~c!$h9*h@>^UKC2B_ih#^1@5zA#lo-3@EdxZ-J!*iVfZn24t;!w2dC%NJ!Zun|hMn{kkoYt_CEh&ov?Eq@P zs{X?QhH{|V*8~7OgZMjYht-4ZHewqRME`;FBxlKU94Yeq`+}usU1=6Bb?^T$^-Y0w zhF!W%)7XvOGTssY+)aY3`Va? 
ziW%|*vbV2G8{3lAW>1Y$^O%$TAh5;Z_l+Eos9aDMKQOn z<FkRVi4EOOW92^3IHgdblZVLs2op=|0Z&8w=~URJBWiN!MNyXp)a2MvkLW%YCd!7LZ7MbqMzbxq{;i+ zg#RoZ&g6d&@TI^nj?O=C^3G47>x|Ip_n16Kw%6u&c|0M$s{CMqm6Y3@2mTk7u3slxA#UY9(0bxc#D@ z+)>Dr0(|wHO2&7&Qb4@2-#D3_?ShBMv>3wwV(q!XRif*R$>x1uKxpB^qrY6x`eODf zUxkqE{WiL>R3)3ULfq;KT2jm8Z25S=)ae9$UYI|dOTgzPYr;_oSLqo;IU|2tG2$*P^s-rucZf189`+qngtW$-t@ zs_s;D^WWC0WpDevSzCKbSk7Ki;PW;2)_~4cOlcq4j2#a)wmaQ+lK>riy3a#nNsXB* z*TcGu?dwGDeR_}VSDI(1&&_}jFBk5Eg*_Eo%MvYxJZ zhX7;VZGwr91)PMM*T5MvN~lts`+ozds$N2l5`u{@c&g1+h0IuHBZc{PQU4U-EoNcone5vUT6C}( zLZT0%$D*?=$f3VJl1v^L)8QfQ=y93#Om-!fHqr&+8p>8hpstTE0ZiIB8dtRNZeD{= zev+adK>s!qq*xt$7m_sV|+xehy`O@QwTcfAO7=$*g{pnmu2V3 znq&S!ij^lAMUyoHDdEjOCee{n(6XAyVXvG1k^*xp6SZ<1%#`+<*n%_JY~OGi%IP%- z+u*(&yO#M5L#$MujGOy zQ9$rB_+yyyhj{4HV0iTSj1+D{ADt=YfG#Bxq46Kr8C$v-0UbN~!!s z8?Mpp$1;^z|H`1mv@?(XFAHVOu1)cAyoJ1oC~6HCr?ej)Qf+dk<;e=EChu*z#_PCP z;D!esn9y1~na4dmlW;s5zzfQdM}95YU+Mdh2+g^m1lU1Qvx%~w>i_xz5xKmF^LRafeWz4auE2EU)NQ;W#%(j zho0T%p4bE8Bcy1rP-irHQwDazlV_0OYT++BZOQlK^M`c1JQzELD#hAJsrj6=4XHtb zHefChQoK~o{W~l4@~)7E!MH4r?SnsL?-R$Veq%!_y1P~|BW=`cE}QxDPZLvmwxoSh`04s%+$J3CH{p-8qMlQ=_IZ7$RJrpa zM{@jJ3e)eHi&aeyZe3WiqieNXf4?e`v3SK|e~W~FAnJ?D*C0lo1M1TRv=^5g0oanI znt$somJIdK)#oc#LWL%v^^1`#!3ZP?Pgc&At0;dkgLgShZbYwrVy8bs3PyLN-%+wW z?EpDGnvim|-1$0bQxiqm6vGO-wn?!~NZWp(gof=RROBILrp z-xChJ;1FU1ne6Rl=~ggAn>Sbp9bx*f8Z_(-6U9G*v!sn%KijvIhhzof8<^A=Dll`D zf36nbaY%fJ*k81dJ)g0!nG^DwD`)5E98|Waf?W^gBU}{e%U-po`UY!c(9ck8Q0Vt` z_+2Nx0ZGzALK2I`p<(e%4wFwR;xv*>La8RGJ;7IGKDgA;ypjWhi2_m`eIpLN-6X12 zOD~pZyqE4=QuyF!Gxrp(>0<<44zyvd04x2v0;A}x9RY= zvDMc`1U=}P-bYx|bS`>c9lGR?SvqWaJaVH=^11XytsS07d0;%}u_0ZpK9urnIS&g0 zc!s9;pLBpv zq}G7j8D-n+ZoI!diB=t(f;U=*LR4YWjlwCyo@ z`w~1}^VAM_;>2s)>EI>W1mf;hA`stLbAKdbMAWWbX@leDVU{}?ots*`ZjG-2Uh`2$ zS(4hkT);e(8rMRXIVW!7?@8BPk(%Du8?Q;HO0yxK;g%&@&vze6%Nk>?w}+e2J|_eF zF~F2Jl)HmddG6)Pj}tkVEIZKIAhxcLRVU=KhxO{~x>NSc%@r*m!$+C1%l_J+Y(c54 z@iV^6;Wnfl=K9KUmiJkA(5gVoy=Tg&>td~5E*cr&@ixLR@woL|(_`a#@-Vp7&sTos 
zxQiRn+4wSaBFGrI!D*W5xPe9Nik;bcrSg7q4s)HD8RExm&2^oJuL>N^pu7dW5^vtj zz??ki-Z8C4q^68Y%kj8g(S%I-O%B(%KTWSMHl=C#Xhae{N?)X$^Iw~Gad*6oZi(N= zsOvA2Tl4Kj%3tw1*0{Trh);DI{JWxdxZVaGVmh4%iUwt+a6AnzM`I9sohOMmb>71r zyvlYpPt94Wc|IP*xevhCT-jH4Jby}g8$X!%S1dsv^>K_k%Kx=&@8#dX6J6jBlf8QS7jBR|l93toC7g^Z_)#WQVH?@AH2{Y5oD~r>Y)B5G>L- z)7BoZ#EgjD0YoRh5#qg|ov*KbS3a_xuEHp`e^WOkA_R|?b> z`#e1)M;&?y|6O6AR(b58a+9wH8P7?K0p#*6s#s=PKTiUK->SLs(T&z<@!D078RZ`h zRpYJzj0D%UuQYJ%ilg2PsB?}1ur%tVtY$EJ|ex|Ei&r79v2!_SH(aXT~sxsnf zKo%sb?3xG~DF}%7ADq9+OX9K_vKQ&?O%TD|b0w?gJ*YROdXiJomc<{Us$^P4uNx~C zaCWMiE#Y-88JTcQ%5>~uNc6!vsWjkWWe`cRRsB$r5QpptQ9d6ms~COsuGXwZEb?S4 zY_wwK9lE2TkI_tIwtHWVgLEyPQ05tHvMRG=GcHV`Y4R8h3*v|(5ovoF`SrlIVmjv~ zLp&;4twq}-w}jj-TbZ%HjvQYml;V04N0H?v-3}ra+gStwsr2&q$lBRXX#);J4l{or}b&k`&x!ro))c$V-@G!@R4dRM8Mk z0Y-{8MJlO7^lg^d8%%;>s?^-R?(xec4Q-OPU7t~fqcIZ}$8KVTKdPoOG(-j7a-`bQQ9tl9wFWvC%X7Fn{d zBcYy!o}n0#_-+ruZ8e4c(!>29z%hr!a~E)!%KOPy*i^6mPgJfg+rzUt1BC?qYJD4tdc=ZK!!Um(NZ5TaYOOHCz^NEBpYuU z4To=t|9&bGZlluT3?t>XSW2HtYD)Izgd#ZNjairGzAiz1QzK8FajZgS@0;e9i*;KB$;d7W=`g zUrGU*0&z0sN=}&+cJ-Xq2K{x=b`8dlzaiwBm7S^93}`YNb2Q%5{%5?RAb$&BMkoUJ z)Ia-di+FDNOcCcFf4l=>#88b)8jNxo??IIJC?H|FZy-oR*vu(C)M!spaO>?ix5knb zPI|55TDP|ZevPwO(JJw7hjkmqmsuNT0I%xFw(FD6rR^d2X9yYqoZ8A=y`p2`d2&U} zW0&5#HI#wV7!h3Xp3(^ya4mf8mD65Py>;cN%j5fgdbOK5e$4w>I=hK~%#^Y9c4f^t zzTIgUgzvn%YjAK%i?Vuk6}8>5hfVFhznsEy(QiKp=`S@-=Fh1sx534-TUj-fWt?mp#?q2IUyt~AB@6Sds zwE1N4U)ZZfq^nOXdeFPQn5c>HpH_@(A8gMNWxwH>V1rv6$Rplp1UB-92q(S_2W!tzSg)+bA@4hyC3AIih?yQOmq` z1=0HvUT1}zQ0U(aVV#w$)IoN)gCac76R~bjy*P3dXlK`uZu^9)npN7y-ry2CIRdwN zprKjDqW3?ydy}Kq`YoBvjBLPZ?|zQD?yBeIo$>N@oo15zOXpPu?S}me1Pa)qMA#W{ z-#p$nW%4?S&3hRQv!q_xJOG_z^pU|7W8E^#wgLkHY2~=A4x3|?sOe#?e=OYE#1m^b zVmRES|L<)J^aM6vT)gMlkadNFA6Rovz1}}cXwq#}98u+zcNj1EKR%J_eed^=5XqLn zh!+vR7N~15DP1U7f+HFWhkMqDMzNfb@SBvKQZJ&$r?Vwr-V57gRDWwg(9f*!XJ>+) zI5f{~nz=Y0%21N?MFb9Pxz0tAFuh&|L#!})iOz34blwZ!P9YR?mXk;$a*~(;$U^3H zu`HY#F4PIBeKeLliFGr_9iagFH!(hmAc6j?*UQ9>>OQa4&>6?v6TZx7F5C7kLbd$r 
z$-_6XHk-qhN}|)!GJOaeRK>aCG3)nvZgLw7Xvb91ST^D$OX%;Teu(60wP?_LA|W2a zSjVAh-9lqXEt)iP2vX2UL6s?@XP(i~cLD*?7%)hK=><{l5C(NzoTwqGdc!I!Pj-26 zF);AQCNdqS&jpoLtin<|(n<>E$oU3C5Qy2k-Pzzjs|Em+F+KA6if?fzq>~M)l(+i5 zf3!n_SfU!s4Qu~kyZWcRbQt_n+$>`H(_Zvz1WI%9>=5DqL<;w)`3^jWPz^f`fVp41patS1}$g?b=KjE3Unb9iF8 z>`(T*3oApd`oz+b2ATqYtELmaxPQtORb*yOn~S&tc_a~H_OCP~rhO*;?Bxs=?Bh`w zWSEoRiq{x8^CUSe1NGMX^&!N|g#qQw-wHKOj0iDD;#KlRS!b&I!UM!A)4yiSSCSAz z3*{_wiA|(@b2C6X6^H@oFc93z4Nwci+hAajP(S*%EXPX!SYj*D9y(iKQEvXQAOFnG z==V-H*zemeTG5%L99@00*){=d#2y~`e1z!6g7~!@a1j3RPZ^I1FwDX83L3hJM2E7; z&G?tr!zxw0L;Y31U@h6pm1|Z~T!1ylPx(4gy&R>Fno>MC(l`DKwV~KdqzDFcT2L=} zxQ8eZeoW8gLXBRHo$I#e{vq@i4HF#@jqP^^Ou`Gs1NN(2^izD_I26$65VkY3NP zCfP)hZHsam{P!aZqht>8&id_0nJjKemSdBhp4@^Cj-ZcGoGxkqJ*U93xF-Y0Ra1^0Vdu$ zhCjky^s)3l;?I}0(_Qm1fu7@kn+7igK!X1L*zjKnm|x?BLJh}l3vjKAi#lz?y^|;( zGyPr}D4)QEZn`?=TXH5eZa$1gqDnQzAj*f>$TV8WBRgP=*rOLAx2x02DpPVFHWY2r zG%Um$%Pm`s<9^3NiBKfjFN+qH3H2TCO#QMWADvK{2wS{07+GL4Qy*_;f}upSQUXs3 z)6yz$wobFt8(aTy1()nqOm6<9N&h)q_V;K;9jf84Rg>>pvX(uG^>D>jXKxcvG%CW< zQTDS*5dj8JNVxQKR7MhNw1jE4_KEq6t2FY-;svT~R*~O?^$Ne7Jcx-As{r(hKaW=9 z2LCcIL>F6HyTXFhYEz10_Z`BqJ7+$Wi$tl7j6ch?hz`deN(?7zcwu#8zxFt!iJW$?L( zKFJ<;M#+h9bDR#4W3SsM5T_4kKJOwOV8IXppDbv**Ko2Qa%-1zeC+G)dzrg|CsV@7 z?ysMSGCseTiS3x1i^VWn)&1D=rbBSs_UqjN6ra!5>!VYfwx-H` zxIjEHY3ba@U6%nlsy?f6T8A98%DVkJE-l{A-SK$A;{qbxjFIne_PU8VL;5UEoHwjk zzFIq>JI-(4ffOuoxw5=;Yi6tm(YSP!h@=2dha+l=I^9m_J%D#}oIW4wzyM2|_I<-; z9k0X1)BUEg>;TW&5fzveM!p_x%jZY-)iJAXuN}i?>-*kwUi+&hHK5~cci=FA&n`?v zcF=|Uq47NhJKf{dL4Op*nZt&>8ZCj3xrymp+#>Nsz9modE8#j3C$Y{)X{(RUgYRZc zcdZZSU3>QncD470SF6%)6#o|ZkPv0VDq}fA-t*y!;Xa=+6YTRT7B>Npek8ov)Iaif z$Gy;i(9>Jx4%e5!B^dW%oQD@riOqx$!0}<573Mc}X4K!{0mM55u84as|Rx{;I)tXa5ac(;I-RTSMLSQ!iT}>DYIT z+jwcPd-k2AhUS%l^d`(wmX$~FBD6l>&SX{@60@_SWi2QQ<4 z@Zh(|CXcx+S~W^tf+q){zmpMr^Ma|L;mj1PR4&o3n@jYT%^fi!tBe7xOaTEqg^?Hu z`WNbX#mo1T55K0`gO$ic(2~RreteNh&Hg!QQV~0+)n97j@F>Wh8#p_13)O0Q+%~lk zTOa+0)iqzVeo)mfptVvga&t;V5=lk?WiK~~9X>6ZGQckhl5#UWIsr;rDkQF?PiQGs 
z5=E=cG+bfTwiP}Zo8#B_pY@B>qNg~yL%5x%Lwds!BM+q;R85pLRH&`0qsZ@r5b<~I z`i9}Penq01&0E8rLwaj9-%MJ0b7gB_&78NBXdR0e$%YLy6l+ajqu$C(id8t0rTVqj z|8hBD{gojpn8RGJ`b@}@X!}!R7Ki*qCZM){`P32($HMhXVK!cgx^ggHci86+tPMu` zXvg5DJ}SPj0ya;7zyO~%0lvI8BKdv8Z5CYB992#nCU8^<}@37GB*+=@)&OtPtU9H)z~fmAPZ*5HXC5 zkOD@2RiG0D-v!2xCiJg7qRtr1!bwCU78A@9reh0QR6?4t2Hr~X)yxotq+i+#6CaXE z2jMB@$U*;;!#B2HF^{UnktQ?wF1Ko5rV)QBHL2&`!UnbBTp_5;Uj4F9u_f?b=jGT&llg3C<0t3`)R-6vZTEQ>N=CyD#S`(%Tj+tNf z;ke!l=8ML-qd~v0@9n9Iq|hrz44il8xu;k1pheuzrabYX5S=hozd0j@OqqfTY~2nc zK0-d3Tnm;kFLN+8S&k3*UW1oohZvy`$b3B7uFs4Ra+#|-tuQF{v*^|{<5!Ux*{v^; zhMR=&$jIFK)DH!zaDZ}n!Nx?$Lgd+8p|Sbm_i>TpY8E_m`Z$AGmT(@3=zkoedhlPK z>*q^Fo6cRu?(WJA;^N;trN%Q@YZPuxRE^|JPaJibKNHxmlKo|pq?kk}r;o~1naa|9 z^Hklj(vmbaW9iM&>vNBbN+p{zY@0R(73Ah8$_CPr5ak~&651r@bCamcf`ivx%LpBP z?b3b;j$`2e9WF4pHaVd}M#gl9Y{QJBBVzqlfBJ_Ccd37YY%^`(_vzSoYRWMjiZTfsGtIF@8Pd(;fL-~0 zXWZwY!9p8;-n>8l-^~kBuc>^ze$H{E2-shlnECMuE$e+k%efrkd#fzr-lAYmgS7W& zp0^b7>yL{)c5Ay!r(ghV*WG%5QE;{C;(A9>6BIyoe4scm;4-JUkf zM11+YzZQ`~zpi@;Q_)esvDM8B%ucu_P<83Fzh(7^;c*xgZpF3{x?bBoEji9X){#Za zsP=wfOIT#StTrx%^~;*%xmEjaTgnwnR`=k}kP2VN zTapr^+g=di_SRU3V?n|b-$A4mc{MI&#U~q;ptT_W@-yO5X9lg6}P0Q-8nd=HIanaEoYpYL#e1f1R*#F~T{l>*J;| z$8E{oXg$WJ+hH;3Y8})+|D=66y!J9Ssl&fhwY#^vAFX+`fDf{a^75`CO!eMtZH%4D zsp-;>(pF3$O<8-+g2ZZfjA)#8x_Sj#0zkJf(y41@#Ef=#5jIvneNUaD+i$mN9@>e( z&f1N<`;!=-!fd;_u*+v|)9m&4-{>R&7qy4?_pu4SG-1_`o4ZDu7wY>FOX!m3E*n-O3m7e+$C_`M7!eY{?P9K~EDU8uv!f-^zuNd>V!!h0Iv5tdCSu7WA3HVg^7yN|5EyIHkpv%R~JX*fb@syIN zrEUZd2){uyU!a%_Uxo+2*lc(4`(J@SC>gsP%H1vZUvZVt_2 z9r;R<1WJxx<5K8F5%B9q9ext>;`pucroY(QgjF#K&979cxH3Df4fBk!el&uZFJ`?H zMso~2^u>j16aL%NvX&GpN3>4Cv$8Dlt720V^Lp<2Fw}F6@fJVhQO^U4;n&0pAQI2$ z6_?;43q}JK>Z`@<$hT7pU;_d)-DQ0Bn+u-kiifZ-@)PrR1eo4d4di6xUVX(1I|;qyRw=b;hxiKDUkU*Q2gG*O>HwWLsX8Ia{# z>gBS-sVT|>g$tH)aZ*7vhk8Ticp76^BWWnwm(82u>SK%Vn}`D;n!~IVs=fQ_Nw$8; z!-JAhekSp1DN!C(;j*qubo2+8CNiJquMs*+(WHx44rZho^cMJl%-L@jB}L-QZGU8gJnF-fxuJH{ESY~sGGjt~{zqA$x3 zN|uE$VTnrN`hw!T)<5$0t%<(bt&Al?CPqYw1zBQoY~tfXwr3wIG$1*9yrx~2C5&Q_ 
z=#4$IB7HW*Hav7|gC{9~@<7TUaQAsPQl4b9L}{+Zp;KBpN}XRN?Jw>Ii-*EMO~LT_ z2J@~l=FfgZ`V8|QxX;CqE4^)k<$Fi0Ia5-CgQ#~&M-$C4!A$cRt4X=q|5zj>{z0tX zNl-qbQm@M~qm}L9{36__dYZTOq4JNyK$sm>M{(4ma@hR#u;ywGD@d9iMB6b}=~xL8 zsX>-rYLMJD?%c$Uf~Z2Lz!B&CvtCVtCP?DV4xJH|d~|9EQNgrtSAG z?uiLtp-r)+z@rmeU@!DrPOv$B^hL5Z><7%Si5Nv>aUSC?|LUh9$(7`W_**b4qG&DM z119izC(44G(fQ31>?HjzU|A)5C_CkK$l$yTi2|I@-VLX%jO1;5S@UT_;Qc$f4lGE< zWpvpy>gsq@x<`HY+%1by)p;g$Gd;S3vF~@7n!0if?NU5#e~C6FY6sm*XOUPsFdBGy zqnv$bd1QKsAeJ~mLTP08cV63ak5F5pA|PX^Urn&tbXx*ORCVk|H~(!#=zg2^=x!a+ zExmNP=4*S5Zzsa4ez=>8v1todRC5Q!HTWP0W zBT_XTGg_B`!3E9eoyWI_xEXT26rCU zqffhj(@TNILS`$yOql$xQy5c$Hu`XCnZ1cV#V@jcL|s|b{^ z`}c6381l%Gup&*1hEN)pVVer^ zd;yisU3rVyOd%_JLVt{osR?b}tcv`8ies?aRzij&K7i8oP!gz&*~c=(^2_q;wo4d=VQq$v8M z_p<`<+6xJ#XG!tNcjvcOc$x+f5t;J>hWZY5e`yv@G zvFn^dHHIliaNt_ZO9l9Bh0%|#n;Vr7WTk!%HDQ1$JhQifr~W3{6aLM`EOWufuxk8V@}>r@Hs~QYW~R=HSyc)JrXqjV zz?v%+*(^Z)8p>>$-5auNT%XgFfq$GgLpVExiL&CLV8yIdbuXj#4TY~UiB|}@f@)kS z{fc=#JP?2jz`RscCL` zWE@%QE}dFyh$)Nu|@9vzjEY9uwaFW;YRWu2~44f3Ud=AEARa_?#}==8Amvm z)Uk4)7*7#_ zKXu`3w8eld^QD_W)LF=t{ft9AIQEPA1+~+QY-XBCMXAwiJ9>h zN%cC=_LYkSg)Lg+h1a5bVgP=)rLSBF?;2915=()rk5kp z@~nF?z8pm$t&W#MJdPo-RVXYi_cJ`RtmP6;wo1*S?lResX3<+{1%s?EA@-+JICY*| z$nJ$VD<#B(QTeJJ?F5F$$Pc~qQH)GvvXP=+Q9Vq5&`jUwN*Au09a*vj-$~BUArtg0 zcr2(U^RuB&s;vy2aiZK5uPO*o+|00$#U-5+Z}jRjNyWI-%;iU}R?g>LYi5z+2)OO- z>-^a?=~%wHDw*CVv~A!fsr126O7=M8X@=u-QiRfSECvJvZDT_$%AiY(CMwlw2h|s? z`xSHs35TIz+tw;X!L#V3oVXUyYeW1|64$g6x^HVwn^& zR!2ybiAbD$nH$ZKpJ&ri-a^x1qBQ8z2lM}TfB}Abzq2KARgkbE$=bEF>1VtbB9YOBul%L3- zUfmp>F!0fCr!!`E`*OKy<;&iD#BR5wh69_<-?WUb=3V6R?Y521kE;T9;tkb@rwXJB z%dUU(ZPS+gEk2v3axG^X7v+ogw3FM1y_j;HFODDqw(jS@{HxCi3$m2fZ@X78Jabvk zYvX?}8hCxrP?Fv4O3vgM3%%Vp(;ehA2Iwz5Uk`n3uUmyQpPgubw8f=4JipydI$?d`m~^*ad4j<=`sPcN`2zIEfVjRkRsC$OBm z(ta6q-r;q=5fdj1>ewWniW~JjoCNMLO|&e zPR_!hA`r7n8R>K6Hk$ROSN*8-E~Hd@}!wM>F`; zeNfuFw#akbjmvg(ULI%>aAYja1J`BGWTBM4&tzj3`yqva-;Ou!xZM&5egh{-? 
z&^Q}!>+I&@i^q8#d^RFZndrNDYf%j$iAvB=oitzb1d)sX%;kv_e`+djo zrh`0N9aQpU)9h+l#jeu^?i#|vzH9)AZgx&{E_qxHq~I99V@7*A&A#>~xNLMBjg2!j zojkM{qjVj~PwP4l$e!*r$R1aAciLDUTMfzSxLzFUm2CPQA5+9sKa3cfW;u$buj+0+ z4_q9c(|2tlyl-Z6vn}HZ1y&eC zN~rQV-vX0q-JQBk26E1ZbvJ;O`Ty^g`f8H{wlxRMBMXH2-|T(u2LHxB0HR<=&dJO< zYr02GYHG`Vb7wj874o~0inbKQE4y{VA&_#%J}=>k#hR@nZ0eu_NLY1FpNNuTm)nh2 zu0B?Zhb6(q26rj|2K=pl?m4sJw#a@nwim8mVn-ki%|5YSu4^z@DtarBf?BNW`$h&> z{dy3t7|S{&AepeKFN=dgDV#6juTCVmj=0&dmYR`;TyRB2#|lUoV1&(AmyRnQMENbB z^#_Z>bo49h7saBuc_g^LvD8H_^}e`BmEMd>6|*r7m0@T%R?>H~WrAUf)QBpH>Sif9 z2s*dGw5k9!c;DNJe>LPr^?~@2gKSYsW>ABMP1<7t^iq0EbGh__sdF|_07W z+5Sm;h!XpQu-KVa>eCPgjpzZcf3AY-mT(I<2_+N#IDTm$ zCJmJ`juGNyDZ4|)>d}2U9We=UVYSy38SmPj4v2$>YAh>FX0o-5kJmJgtk=TpMXN_$ zM4!o7X#2W;X3Aw(6wCaD8!jwaw|Jh4oR(USUf+{8OPLZgB96-r@$=7D0x5a6LWk@s zI~oGz!j%r4S2V6zQex~EIKml_o1E|NJd1;fWCxFBcVYPmex-ce#t42O2P0@!0!_71 zK+WKRZ9cF@?td8ClC~c}pD{x%<#s2rV23Y>hHH39{#uQ)Nj!h&W=h>duz16u^{WZh zaaQi2fw!>auhr5r@3|UM_`5i?EZl?c-Aqu4VJzS43QEOrSDR=lMXRup=cAZ{i|sjf zktpcpN8Sl@Xxfz7{@s;b{E=Erie^u$*V146N>*AbqzYk@pbz*P(^e(*PqQ~yYMTBz z%Y1|2Wvd4>Hl6=ayzwEnN-FZS0Zl5}|10?sWsfqAlU0$4RMKf-fj?8>pmzX1i6Y!Q ze6g7EfL+@oEhr6B<87RHv`dmB!^JTPmPwvx5||42koqxblh7$fV@+ZKv^BNs!sPiwdE^;Co&>*e4eHJYdMWBLCGF@2@|t~nFs z4#W6ewOgb1-ku?B+%p_+unu?Ti$bjUnz9k@-$Z>FBde4l?_Vr~KhK~CSElEU<>1fK zuNyH{Z7@b!a)%7qL>5T?me|t5s8g6bd8ihbMwR_e>@R;ci$5lzJc;Ybu7%KrqmLdf z{EPhkYqUbX!VL6$LE+*k0E_m?HxoPfZ~LMCB%Y)~)DTXYEGl{+1!PK-a2$ikr_t!w zfndRstdeV7u7TU{&;y3M!-zXK@)etZ*~K!o{_ zenGiK0VU{slCS|&AI&C1ywN_Q;ML<@Bp1y+n%B4wsqySOyw8swuBv~H7r9?DzT!8V z-12U$0Q(ZP0};-#RT+Tiy3YakD6L9XDDoWrtWk`-&*noB!sxx2vok9}UI~}^jafe?+KC0C zJ@tk~v)c(Z4pJVRY^HTyc8HwsVPh6Bvi3NWpH>{jk(4fDF|mkrbNjRGjDB71dC zbGeVv%P^#oZ)1<}Xi9h(u*l$fkk_vV1lAMtSx!DzPBv*|do`zdckJkYsYm_}a0Q zDvVU!oPbrkj!y1D+O<hZ#dDnB!9&>g7)z zf@v9U?2&goAdDv=f(%7VRDvo@PK2br#HKXWGvlvNu%>_d5O`hKLP1|>?kxku#{M1f zb3MF>&Ptv;ob*fX5;LYko@c~U2&dQ4j)F8A)h;Q$_PHWy`lx33>^>Knhu(ppU@$%t2|Y@q5NS#M z_uH|Q(@$=N@zti@mX3bM2eKiEQogtm^UkH@BWIuXKrE}^sd^YQ@7F7txZM2SQZv 
zGUlZ9s4C>D_f4R;GEkxz&m5^>f6>qi7t-mI($-&KUo#$X4p}@hn~^xJ)FEb@ks1sW z(8ZB)fC5<929fMDgF?wS;nZhfd&*2U(734@aZ;plVax6(wMgWsCVz>@^`IybMNr{X$@&)?M)!CN^?kvIVzFEL zpAe_-o9@lP9sl{(O*hc=?edd=)wBj3@gvNEL+B6D8V3XStsqOmJ{OxXE$auHRJLrQ z0tm)zs6P__3e+`8;noGykH^yi>a3VM$u#2W-A3v*8Yb$*{S;xL;EO818Yk7Nr5VS} z)j|e+g&L#s&@Iuj?#8m`|JsRh<+61=nsAW$A|mcS{MyYA1~V?$EU!m(X*d#x(m%TG224rv|k$lU#LJWB|r`+iAR$Z%;qBt>X^=5 zJPMswq19u$x$vw~?LQcyY3Nks{w#J1F<}yQP8`~EZBs3Z|NbR}6uZ);zrl3zUOVYcV0~8afiqPGO2zg$}Q!#SxVmdB0}6hGBy>bOn;1d-SqYDLd*xFZhYr z{Ks$5-dT4N{}XX^5vI?Z7Wj%k&W!$!_~sf^pW2#wl!&8$z8bsuM-!#rJ4j4hD9%sQ zXJgirR{S-Sz7&q?)KtoeUSZmZT=#_CurBno_)_G1Z_DCDJ8q7u2J$6p-Qg?`KBsRg zn%)vhQS{!7BGUvp62J<9$iOHtHW?D@%z(NyP2!nV0WO~{537xQiufhUc@tO209s&j zR75hMn&XBbL>4)nya7f9pLD61-eO?g3n#2kNP5?vGgjVBl1C#xt1Wf-Ys+7<38o(k zTJ7R(1A0u>Oc2}0LLH24X-z57k`-TJL>YAZGw({n`bq;LJNs(oj0rjzo3%q29Y|si zetIWnM273vO~O?j)Gk*zA(UEn3A>w(g@!N8OvQToaZk8dX0w1jB_ zYZ`3(|BW@DWmE!?&m@0NuTQM}3ku6U=$f%e@SUz5b^3N6{YkM_5{GJ3%xe5C} zF{yG1Yz=qa`LRyoN3$;Xvfmy5y@`Anx{lE{SKX_o^tKauo7A3eaY(CD>!P23neD?& z&Tc%@KX-Yqndm-`yl@uJTz8G+xtIeqb)B?4vh!T89rjjrxjh0VC+LrP9NvY2uhX&j z$Q{o;+{@gu5X}>O&^(??|L!(ZbX#T211{yfUJHpgyav)+LulDAA0J$Z>8sp9aE^yt zZXQ=(fqL!q-mROGi~Cbr`av$oIWD^$_gAIML^PRqJ$KW<*Rtm&`tZ5>)e?p+qY!?b zrwsNK9gpd^x)(V>ma}f&#MhO8iq5(>C0ZVPUauALnSQ~EZUK}#vrlWUhc$n)C2NYHqy5l6gXrI(Hf8fu=Wd$=V4B})WpVr>%iTfz zW3!#+II(FQXijNjTIWE2xamRQ2^5qb|FGX1VY0Nm~vr=Ou zLdQL?r&7OT{wso}GAUEc&x!ibn*a(6d!PUI;S+PLu$#wrh~vpKOj{&vJz#vpd5ej$ zGYonrt$>e8gUbS*l+)l{Cb0<6NT5BV!NSoI)?ykG(8VXY57!s@quM=e^QY*W%a@bJ ztN6N^y}hTJp6=x{ek(N7HTW@MSzHmIxmp(veIy}D^__n&gJ2wE!96_$1QLy)uCf>z z6&nuF96Uu}#e^U$Vd|7|;z3#(hF=#bj?v@kOk5IAp_b%12#T+6!YU2d3ZJ;!^zLm6 zldJiG6O z@{<6Ekc5#DY!Xo^#cK~v$^T*Mo4@M{xTc$=X&T#Z)Yvu~+iYyxwr$(yjcwaD8uRA9 z`PPf)`(^(DXPvX=%81E^wDabw zzvb1EYh{#0H4z*1seL`#;FfmeyF^E4p|hR`JkU8*#jA!0M3@9~}41wZ3(4poRSp(D>5ia&0f zgw35k3#UeU{&Z?f7OshACW1Qn`$Pz@9Nn~2iDR4{63j4bBzgs01q6kO?HfW-ons@)ykZ#u+)e(n$pGe7drMktmjj)t&JcAW zQ|K`=txyu_idgsCyJl&Ex#_7%wTeM0zv>V7Q5JvQbhbWS;=%`S6P!3T`I<}+csqZ) z=t)LLT 
z9U&EodDbtTbdD&NJwkzPeq5-S^A5e1OAM`5C)NV1TC|vjy5!Ezevos_K>4p$v^~u3 z-?XE1^GuU*hUBa`Rgwk7%J=}~j-My@Ehy^H6BJt7#n_aFJlss0;6apN%QSzjmdL(s zpY}pZm2*zHWbSccli+noBoL6ek(;T%>id?px8*fw00sVu_oOcwG^nuPd7wRy*^EKh z75w>^bXMt=A^BJF4;FlOzK~jnPW-rMG}@{aYxbF&ZIC)r!d;NTOT&IF6uf59zN8r# zXY+ZgkrchZGi;PYu`D2FC9)b}soEu4lfsxiPS@xnk%zIM#F9w$=?^D0(vp9Il#wAk znEWc%IYz?L5{P%|my@z92J_UNukVE@vmv@u_*dmK+15AihCI=7{=WgAr5QFLYl&7I zQ>pUr5Jqs5IW>LL{D>%3I<%O17M!q4m|a*UA(5Gf{^mC>%KYXhb1tl<(!ILBM)C_i z%1R-s<5t4=&4SL|+S%m~VF*)!1r|d1^(uIakqX`DGT(TjDV7M*P(pqSvjsMYweg{3 z;_cu4RBPVM2QOXBsf}8P(^n(wR~*l=L{E%UnlKw;fGFcqFdbqUmGPu4+)cMKixpNS z>!Mpil|VrJMM0d<&ZJu?q>xNCP**Z9xoBZhA!a(+E5M5JLz!`90TtZeIlgoAVav-9 zXOFq-?CPdSs{@+YZJz2_45EC+Y!%<7%Bepm_pG85CCOi%DoA4s?t&biOsH6JOi-gH zB@)PYataKovY%g_ZUf5*sLRq_(PyYs<<1zrbBU#a?mi(Xb$!`(qGSd_B%Ksw$Ig>iimkwf9OOpG9IRwdbBuguzA%LD=`4@8TXI}Y7 z)rde)QopdG48OAW`eYBVYm~Oc-YS9SUMigRN{ea;e+C*Hw<& zz`tF>1e_3A#h~jzPucNZif-RYnG0G(ey_JrD3Fh!7qtCB%M9JBu`Q^y=j9B{lfZ`0 zOW1LRe{$_+ed5}SvH9;!_0Gq1fJSOn{d(()_nxb-_d(9{^s8|P+j|&=p4V#%=5k<4 z&qL})x5pisYg{OA$GRV!>WiIQ@3Pv}>tXxtjodI>_wCqJ&exw0XR{0{rY$EZ3P9L# zwaR(#TR-VtIAO!9xV9V9wQZV%$fk0PpWjzoU7r`d1F`A!5?^o3<^C=%Dmy6k(T;HXysjp)mtO;_RHA(>wp|<;K5V37}6qy>)Y;_Asw%k{z%sSgDfFNk7J3;<#g$iZ`WdF zY=q~>XD?)}ZF#Lr_xtsaS)0tQ`f)kBmt8Q|Z3kcAcE6?W(vw@&+f*u4B^-h7+aX1Y z`)Q((Wdri- zvFu=OET>oOiLIgy|KkwF@{3)u)G@Em@dW+r(F8g7mG2|OqEa=mZiwMBlVip({R%tUy@!k`Qerp`gTJge&TEQRkaTGct9{LQB>||g z`e>WxW)&KS=Nj0jl3+h&gw-Uh85p*$Z^P6A!xTq*3DOeWsJ2dB6KRtpe%X51S0P|m z3xUZ5%OZl|mZU(9dqk)7DW@|z9Q#R7l95>=Z)4T?RT-AdY39eYgvTH|CtNjb{xeq@ zh6|^Z9{w$E8Y+Uho9Dv=4+pdnoc>O*Z|=@RT^d(Fq@k<^WBC~OAZ3VbT+fm^&5oLE z{&ND=$C=bmfmwwJ%&MTVdm`#m`>Vt=Yi?A^SllHlhK5Qw*1|`e+W@dE^rjMMi-wf? 
zrx8w_dKU6W6uFc5x8(ekSA$o6p$ulNZH|Q~JM4&o-qXAWGOYY-2DcJy#JBdgJq+y% z`bD1XzswpC7D*@%PEqKLtl8j39js?i)eH-@kgo_MFREIGs8~3+{u7O_Eo;$%P6jyr zi0dU5@d>7gaIHIImVug7vBT!Q#w4ZUCz)w#v_}BD?tBcZcCFcY5%P^`lmN|X7u=}n zuS>Ea8Mm4Zgx{1f7Y?GW#UcR2L&>lhI~7@U)TIgxYTnrMR12bv6EQEQ_=SC4c}$Wr z0aJIj>yz^XuSWknbnY!N3l~Z&Fg_`F`PFi@kzk84w36(akv85xP!f$4%;7Gg^z235 zde`ijR{?Hu6n)t-U{uyyC7lYWkT3^c!BxztJ!h>7wna_atQ$FS-QqxYmw2#f3lPhY zs@8T`&KT&G>jXqI=5UV)p_%Yz%h|C3uCHHKDeM<#QLs$)y^N#`9u+6frnpbcql_X1 zc_CPsF(+!(hOB|>wrH7TR4_mW(3U&O&gINTYWO#+wA!Nm7@gZ2EPPDBxpKf@-f}sU zvG~v)o6;_Zz*#^DACU`tbV#Qr^x;VCu%$6wQx(FhGp6Zh0mGmNhO({PANK|_RdB8~ zYj6hi3=w= zD!Y?da2xK?(`0tw_d41P=T~hB;?Nz@MqE ztm1(=NbWZnE{H~F*y95k$sNPEN9+jWQyg$yP@Gq zq{9Le&d*!@igw3^(=Uxi1XN3k;e~K^P*OzUZNjNTjk$7C5K)y&h9V}MvEUJzwA0N3 zEv)w;F!rMcJ2PuI%%F`Gw=(8)pAa)-+fTm*9L$H=3J}X38TZ(VJxEWrVy~y?XaCQ5 z&Ha)dWPQkhrpLe?J<0bX(1(M=3OUFf)MxiyssK&M2LmMGgANQOVzBUFCH>?Cp0JVH zKiA{(GjF=Sqq0v&*JwON2fBKZ`EFF4YF`Bx^KBS(j zyOz$WpYwP0UiM?yf%|gzudbNW?`H&~qRqLK6ShE$n`rB6j@^Ne)ZYL_cTP{ zx#{y2wIL}-KY7FUhBltv5f-2;2KBOBLEy4L2HC?ZXp(~NLUX5$e0@2>oh>n{@p-MUra9^y#mW}=6~n#{Jl zd8REb&u2NoQ~wS^7c}4~z*Np1m@=X(75l6?u1U**&G-5u6Z^KI`iGA&*~ev=kWl^j zH1#I4YfVn~Fva9)&H8FmKRI)zJ!8{^#58H^s!K;T%;v7K6!?J|yrVp$=425Z9Gh#F zWxt7i(sS(9HWnlI7z;f9S`xjK;`z1Mm9ZC9Bs39s=a}te>w%NpR=8PzaGM=jGnsfXJz|MsxJKk zruMsKE`ha0r^Xhqu1);`sPGlUuMLWRDFRJqf$oo*W)ArA0R&5!sJlMSKnhOyWAccW zQ-L3_z{}73^2eRS+Fa0S9m`zlvw;WVD%n%+48bH_#UCZKU;cS%4@Id2M*+Rx!~Ex^ z*PFf2$kQ2B6{*aXuoUEt`U8}qhoIFd%cBflWOwB;m@JAj1=*P^U0$x5S>BI7 z@NA;#9sxIM=_ot_OCO|Cp~%`a`pT%t=(&*=12DhSvq^2k3c+h(w&<$Esw37ye*HaU z7hIZTq2Ud&Mk#F)h^=!$zB-jiP;syVComngf=E~$$D%TC`FmmE$b=`pATtZS zCkWupkaZFJaF<%zWPx-@2w#r+S1*8>aah8neqCyR{`XQ-k&)PqVjKL0 za{c_dZ*iKdCfZ9%>XOnwU$qChl~1K~2331w(no((5ThM<0IZ%hv45~gB2+~X)TSV{ zUNVt=7nss5)*e(&z+oLsVi}KTSY*E&!^10W{Kf2m+7%^DiW^3~JpS62c5PrKnu61S ze;e{wKtMTxro`+xm@XkFtYW6l{i}&W&j=A&yD1b417sdyjT()|))@Ly50dWo`D_%K znBxC1l{oJ)hMIy&R2sl2gz#VnkA8x*pW0# 
z$?642xT;UG!HrCxSF5L-vCV#GzKo-fj$pYY3vV!2W+_z@Z#Vp1$f&>}rL^KBTV^~37uK0EXN4wP_t)2&u-do(F#=lk#bBH%eM97a9a-bc zJu)Ng#X!ZTWA$%fC0XmUXHAxdPpVIbg>xMpU9&e?q#;whsz_Ah64gzF8S4Jlir&mt zehk?E4%H@B(l2^hM7^(_Dc49@5M` zNhF^f1y|;OUFua^o8RBI({H~<;Nq>YaHxvOQk`)a45qgD_pmvl*tk({%tEwB7S zVg{Q{g(%*R99zd&6EBv04-Q4ExQfrQWhUx=lH>nI6KLW8N&dRuuJ2zE!KN-j-q=@( zpNUs8~^G(wl~alzfEP>E=^vP0_j9&eOWHR9{8h_-xocfR&BuEG7Q5XIcWxB; zz5ks~v_iUY|En&1ZlUu)<*o7X+F7{SbX|UK(Qfbj^2}}RT=oVUrvP9OrgOB`pPIYW zOl{X+=dx=zUxFQ%SHkb#{?xPqFQL@d_W_7Sw#YNQdxwr}uC5vIR(F6+gvOK&t7bxX zOWk@R&w-H4X)d#o!L!nApzULBO2_NK%y!)b`DXSh^)uh=!~J__%O`p^VN8Ff4d1^f znXT5~cTj_`_fp%_C}is;>a)$Ni0^U0`q~AY&-P_C=ehO=(U&QD}@XHIsGL*psQ(JOp1_!yIYlqkJ+`4erDrvvyZ+NG}XUR z>$&ewsOvNfwlp2h&g~ul2!dno*CH6ZP}3Rr zl)=dZh*T>P;H%5r0uAKPqnEN0=vVf%H^9OeDyo z=eSfWjppGy*6EJc21ULSn)n(t(~E z!iE85!@PU53G8UWA%jDSHCWR|cjQ(}olnwXA6U1CV(i*&*A%qrq?AC~~`pO|OR zjSwj`)%#|3$|2}g^Yjf=IhG+m@MH`G35N^CS{5F&Y$PeaC3;o-HSx5Tr$YQNDIf{` z>n}4)L{4GWUz((wdK&(n2pTTWMy-XuvzeEeow!Wh=UN=$mM#pfwFHD}-(2^%=z?Ze7 z7N?oOXI@h|8P&-)>(m@Wm4CMofB5P`X&o4AtjI5@e7 zLDt@{#zp@zk@~gPTOM|7NQq?xW-($|_>$P4NsA#WLRu}s-`VK>fi3>WiKqc~L&&`x zXC1$lzb_JhZP~RAs)t@pvC^69V}8WlzDRr7`gxX><>T5x*~f=fwDPg{_R}FpA&-V|O@P$x|?8#z@c6l2z zE)#Joi*)-Bub*o3q&CJVHq_XbW|EVS8CJBczs{?r3yNE<+JF85_ha1r&A!XL{1fjy z-k^j9YN9<+a3$VJ^vJz>9MD!K@F)%)M}4X=xsP2YrRb};a*sE4O>T%xqS3o*t0y3Uz?1K_-=Rl02uCFkucIBc=$ zaj00T+cnj9<70Ug?O53rr*pG%LkQpL{Te;8-88XP%hNnr)m1<(o8b*iq__R-LY!K8 zTK!;kh#mMULZaB|zH54tt>u5ucNxN{C1}QJp01Tm^PRn%dI`1I+H|x!k5jVke5}ZI zx$bfp>U(Rn{ruENtk%KjwVyM;tgxJbdeB|GHZ0PTlSKgru@U6}^IdfL=aZux#r zc^zbZdQ#}wk1A5kbR&8{C0BkjXq>+c)T}wT@*{`=c1FNvkfDHDK+|kn&rlj) z!>NSnE<)g*=Y4Cgr@Lg^#qO0VpN-l}i0xK~D}Kl2&{c}N{q>$@&c{jV+=#6Qu(j3q z`PLXgPN#Ej@A1gBs}d})+hOtOK{T}XAMwOh%QP}|r$n~f<(k@OP&JkOag!YPuupe87}=O5bz?hPGM>c;&Q#IojXb9*{|!zp_LJxj_C%l5tJ`wGZqEwPeL z{Vh4P+w03XgbgmlQUdb1crF zKs?eRMGwgcPJSJQiE0ZL6 zug2hYM2bwZmd8X?o!jOy#Z(mY?I1xy*6^*pY&ivkAk8sN40;7pisOS7n*yaQDc``Z z9~rEVL)L}dfJ+1J(xdbrgFCdW$q}38T`_zI^(L75C2UzuZPu0PL=i@-Ru}?IG)WaB 
zKky?F#CLcHZlOQ2NjkfU%Havc_^T@O)CYeoIdAR;GnwjYg>jdn~g@VjgU2b%XZd zGo^z5%n|86*r%pWwnRpU9vXq?vcg9=MOaHOlW{i)eY%w~F&yPQV0}XEITHZc`hGI8 z?wXbk-VS-N1&D7~5k*r)k`21Hnms^Yb<=5#X%quQ*bVuk9;Mb!)j5WUyy=|kP31hz-wOBM6HRHoF4sqCOeUG zPu4F}Fe<_r*6&8nLU>6fGT=L5N(&)jPG2{t#7(PqO__%zdgnz zXb?D5Tm9c+Gbo)V9JCr8GYR>Nk;#8rfK;Fs!(g{8<8eK#I8(WH8v>QbOkA7Fv;>Z9 z#7RkwaJ>_lKSlwtNv-41vU6%I>>Y__v2a&F-!zYhn8g9 zYbX_Wl;v5Y;JA`=sHu|MyB2YHlO&ph#|#?nTFj)2>oBqZwdX!yuNQ0K?eCW$<5c|t z9`9dS8ajy$OIYMV$VrD7{RP{g_+24g7!qzVWwKQlTCZZ%shWeNLd1=qfwYvQ0qfEjr>6wa z;NZ2lYA-utEHhxwI{R3iEvyJ5!+9!#PA(3JMsMPwNXAJT0z)|-=!AKrNy=}O7=$i$ zRhT$`3=k}I9)CbFbX3q-ktIDy@6Bw(IA`u$nsPW&SWX{9&8RQHrvBdn0)y|S>Id2%gSATv?vsb?*aU_pEJ%m?U$Rz zF&!^w57B+o+=-YUdo3!kwwo&ImQ#_g?Iq7Exv~Ul&U^Q`Ib48;%@o=xfMFyes3W}P zKs$5i?TkdPJEOGqCwn^Jll4|q>$1!Kn|;bR6(2vEl&$_HP3f)+dCfm=CV}V2VWv=W!Oe;DtGzw zJ*wQAzq%arfuG){U~qcjofLwgqAB?vG3VB zO(1QqpQKekI{mKgUTinsN~bBKp2~SJM*FnXsioDI63n{YbA5@g3tXz*bo{fvcgsj0 z9R4V~dF;2t>#~k$ia-7*Rp;mQ&Lzcjt=H}a1>@@tp8JNBG4PBvRj2LhlRD@LKuy?l zb@l~+zILgRH#?;+Z`iSXb}E*c&Ft>pJ@3;x^lr8VhqiAARex?eJ)0{DY_esaKNVTN zlnl9x8V}iG=irAZ`(p@8Yv(2Ick*YRLy4!EG1h5FTkU$8?)QIOsnmcqfYswirLUL4 z|ESED{9|&rx#=G>^u^u?pmK*n0b0qVk;KnDOqrq?^fbg{K>n z^-DH5dr@1|0xo|75LRLGo zY~T!Sv|ZhwOzM{rhA5Z*F-5b$p?Qhla-MpaMr#fwM^K<$%3N5*zdMXNI|)nV zCw4`kIhE>YMXRvrT&c`Z90K{QMIwdgDpi1ba&Hn?)iIWlDz+u@i=PUC$_txL7Ejvz zO@J=Id2G(OV#|EOBp-T2M^K6#Jj`6H#xLl%riwUec@a|i5)K;F8CCMGlDw}vU6`US z?zg2l#t9Q8*%1vA?&0^ezA=a*S;H#4kZkap)nZ+CDi*ld60?n~a1WBR5Dq~js}TYP z(L7C}^#zSa771>fDhi-aCDX8&Rg6oWI5gGwP&ra`;n18kiIajh%w#4TNY(p@-NSiR zEQl7hJ}p7}IN-=Dzeczv4IK#T?Mr8VjFx-MeK<^f}gK^QfKpy`^m3A9h%mT)^ya>n8Y9zp$Y6 zSI7Jr!c~&(n30eqWI9oKqy3*6DCkycWTxdse_hhI1MRKLXTgN1{9YUxx2EdY4xms? 
zR!Wta;pCDe`@{wW<6Ihbt{ATc;0%qj@OlG-)W~T4`gci7odP{#-~cL-u=nmpG-{jn z(g8Z+Y#Ot{=O6 zhM^?7+cfT5N<<91weB_zD}+y8X6Yg)Zf9C*O-iYS_r9G&{;=DjwYb)ArD9@UPb-H) zdv%akwzfQ_d3qeV#5q3qp@=;49&YbbpqFLOV?}vD^-}v`p!M^bX&DwF;1Ut>Ad8F-S z=fW5v0dVEl!vJ@S&uMUJPy4}c3%-Z14*Tk;%2DW4E03=3}k0 zym*D@P_0t$aie*3OU~nBO{Q#&@y_QW%W4vH$NS-|P&FZX?lV-1fBXJqdBD`*3wYC0 zyNq^@eD-F%gD*GPElbyC&T*%PZ946`ykoe)*9~qCw4nY?9O>nCeFZ7pZ_Z`rJa4qJ zZ{ls#YxU$YaJo;MNHx<9NZB%mHsyHlzv&S;zZk#5=IXtZw(bLLBvw#{w-7*&2vK>l}PT#MjGbi z-P@9p+_E|@#9<9M2TjtRC$?b$Muas47?$kx zP%#F$QevB05ff{4Z5fHAXr+#6T%`>7VE8z1Dejm-J6**t(V-a0yc%GRNM`{?g$OxR z$ibiuLe92$(tp|N1~O^I>Lg4$t<1X?K<&{AbR)l$G|1^4-#^hgMiISOCbifcsoog_PGY%}FUGj+!pbl_JuU79T;i zCFSU+YHlH2@6XQBAbXaE{qC;m*e(7!^JQMFl>9-d#Qe%n_>TDTc%Mu5buG5XFXi-! zXo9(3h=;&Pz8mPY^YDNYoV?g@VF4GN0G&j&m!B2^KS=t%6p||ASFB6Skf^xv_#goY zkonUh^@q0_EXX?!L*+YKzig5c8YMp+`D)5>pKKIbzfG~Glw(VPmbk=Xr%(lS2h}ob z*%Q_^SKJti-+^UQc%-ft5fvm%#i5i_=`kDa1i`PLb54r7g2}+ys}6r*Ws;&~TZaRM zM!y7?bhSLN*|Igo?5_&V;TuNuZoOhnutNlB$|ZzI8}4Ex)xK%S&Y^d^O=g4YD$@XH zLM9GX*GD9%wEZBqw5sxA+(6=z9|a2-Fg_idQe+);8h4zl z1qYf&?3oK+#ypsa*0ZuvEJ^7e&sivjq5DdR3X=R$pjjm^{Pc@wm4nM-&?~i{i?0Qi zValf3koT3=>w16ae77N%#JA-tv@l$(OKe#ybuSj-V7oy5<(EXxw3g$t!&8-hWWuOK z>7Sejo#8Q~G%#<51+WvIKEpA?6>N_bql-7;4LF+@YlT#R_Zz`WF#I`-6msB4n73RO z6LK9_4C$gwOZKy?6b<)CNU|o<96Q%(!XG1;iDeAE;xBFV5*Uy8fMn#gF^1&R+{~-AmNM4{`=yx z`_x}tHbF!_EsyWZ$!u!VF4VRZo7ENL@g6^yKI{&g>U-GC%GRFn?o#{;=C!rpxa?Nw z?)f~s;PVB6mY@o+TOM){*?XExqrQ_Kg1 zoT_cN$CKoC{+UiY<&RI!gUnW4*W&Ge9XC9HD^c4{5Kn{M2JjU%ryOWK(`=&m#A3Cw zof}*IscJuw+~Yf{K$x?}x4ZkgGd9`1uk1O!eDiSz{pzy+kEHt^z<*=^dAVhy`+CG` zv*Eo`>g%TI^e*V@e$>8G-G`ypB**)H8sEMqbMn0NIgI_Tr@+b0v*@AUMIF3TT zo6GKTB;6y|z)E&aW-gQGV~N@)xgHP7i*(zqxXtSnPc{JB9Noxglc72OLxylH*V#%n zM2we6r}F`Ii|666w=AFK5_@guMNxAsKSIYv8G8QtQBUT_>4*1<&)<6})lQ>6^A#0a zo`N2nHMUDMTlEXNF*57W%sa1F)G+3(iN#gC2HNJjz>?=#M4ZRZyU z%cvHKuC9xmnJIf+?o+u7n$|@_U!Q-61J|ATYPuEmzq-b1~5aAR^?~8yj--Esk^s%7D z*(R3Hx7S#nxzgKmG`Ya;|HW9AFN{5qy$MXt+71-;ze#wLGnV)WWuz8vOPfJHqQP-% 
z7egjej~a)wxDsif$3N~3LAJAsO;ph_leChcQ*rMkA3ur_Gfa!WOp)PEN&1_1p{i+E zD|_gFM|#;WNRBML_dR-|K3!6Ug(n^SQQyBRA5wUk3Q4R{b}_i4e3ED%)n=OET$Qo} zV9*7d)G3<)eh)_jn3l&xi3VdUg9((xNi}W@*bNWiJ`FVrm;NbC@C&N?TmD;1tw`7m zcK{@Wv*O?H4gE`8#j^NRL?ybBo|HYx8243ltHRWfF2zn6;v=kI#foB<1r;a+i^v@e zIOoAge#YDT_Wdy7K3X!tRak6h{vQgOC94$*%dW@XP+q439I%yDIiBNlu$_LId;O1iyC4v zKh_x(EeK`hhxjQGjOs_6JM(gAO~Y!-OGjCph4(IIb0rhQ*I72F>pQ;jGzrn>o<##K z?2*oO=c)WLj9tFf2S;%xVXLk7`BA4!;ERSyZZX5Eb7|Egiqt6Bvf8(*#}A_tlWrZC zS+nTJnO2*mDhWcL`k~2WE){JqM?gwTz!AqwB-F%Lt87Zvt|K$q)N7*fz&^fnTJ$5S zj~TzAx0RqVY*eQB6Juf%3_h#Fv)si%ljG9%Bz(HA_*R~yQOreh8eI7oskA@8tEi2okgcUai?&!vrO=GESZNeIZ%dsrAbI4@a+3;(|2-u`;sO(* z7lwYk4@zaHC*GV8;2ZBU1vwtOPUFQ|NmyE5nJ()BePZbke&|q*(Oo!|# zSIh##z0_ocB4Q!TNUWkHCHNG31#wE4c@WgPj7o(QsfbC(3N~aAL=YbE*D4<`CK&=e zf7swE&d3i_;*UcJGoB3Qsf!3#%p8BY0CWERw&~+!Fh@b-B2Cc9766c7$^4Ymj4JE& zv-IFaXMJE?)K|{aDpRbg{Xv=bv;bYd6=6QMc*E@$^6ru7}K47(y)}d zvMCY8p{4^MB$hFck);5fIE={vMDgtV9tHX^ee!J#_R+-bJ$ncVFqgz}WVP*oOk&Cl zb?&(Nvt<6^kcc{r-G>e9WZ9g>PBfc80F|;cPwmcznJh^4bwNO^qJ|$shgko~u?FGK zfO_N+vNbyfo;r0mwn~th{4GT(WbFK)QvgnjCyCgj1=}qKC$=xELW~C^CG@OFV^Kd( zxuW!5bB1XvN4@%&ZaDccLI0sjwV`34`CS%qgAYJfK4J9<5)YjNZ7M)lYraYmKSQjj zX~3T0oT+;DBAu=Ud5`e10_h>flQmCL61dnQ6#EANod77nL7=G+F`KlNAWwwAK$(TiHR~AE2 zX4U_Uhn~NA-xEG$-w+uaKc8iyX5MG&GrQSe5nkj_g2l6>4Zg04@#icr08e^kmzCO#P0zo5s5R39(;Kh428;VP3dHTF zKldRQ`_J^BdoqMjnS^D{%e<#E7qoZJJ+{s}D2*xoscWaQe^2!Ix4RhZ)jSF}Vz}K9 zod&#H+bEkKr*Z8|XF5z^9}Nt5=4-0zihT0wpCMrVm$-v=rc9nEHhFz)UI8uZ1_y!F z0ECaZrDWKUH)=p|<2JWfBK7vB<(74OwNoaZxVtVovk^C+{Bayf5z#*wIi z>$^hN8K3)LLsr-dnP!}!jP%%mpHXW!Ze zt&aD5+A%%mMXj0zUn^z9d`fC<{UL4-MK0*dvecFEZ9^#)xcdXi?JnSe(A^Vwd~=h0 z4Z5Oc?~196?Y=tz5-8%e0^jscXr2$4bvHjuLw5veTZC+jX)$`9Z1vqXE-<|odCz`> ziX)G68iDk-S3Qjjv|3d#@F|;5;m)dCrgJAdx~BA>k7LoLw(?`!reDJU({A<+@b7am zJrv!JcEwT3DI05kIUbkNn>8Lc7jW~-&75}9^=lX7d zPTo)X%aD{7W_ra$UHsocESQ77lM?1gO42(n>XQ>JS}Y7xy6y<)2yXo0MOY*rY?H08`$#+tMY z0=It;kf-@?jH^_7kSIxGw|DbMgxCkvz)|F*p<9aQYn5ox=B0rZlSfJOkIkM8h{VA& 
z373pjlpnWMp=PBbhhOIXmGF_vH7T9CEed!>jZ$C$3i8x*{y05oLUzCwv!(E6Q;{@p zLyL44!*3?rcE8&k!AyWMJz*%%%yG{aLw9y@s9VuUW@k*YJ>?fdTgDO*G<4-}1BGZ~$|M++0Y}~Vr-ZJ6B+F;+p8cE z(*u)YWnUsXKe)|E9O=Ac`>+<>}lE!lww=G~J2 zOwkE@ylD`AlJA5SY!<=l@YwbzOh1mMJUVajp0r8H8uL;h2Ee;fD{WeBvBM54oY!Z{ zkfO+t+ea?bt`*Lt%`Kdvm?RyoJU%Lh!s*8$M#&l}h*`awblL~OIM*u9mnavhB5=d1 zB#|b~nr^?_cSTpFAJ5fGW!0+WuZTpSS8Y|lbFLi3u_g%ghul~XTA`@ttU#~OMF06- zB5A_YqDfhS3Q_c(mkNz{CA2U?KZeVDBGO*@JZ9s}YWhig>`z>dmZcy*?e+b39N4+G zvY(c^umPy>y~n%d)3oo&mm1S6S*pXBo-+9YtUn5AjHybQIkPTK@t4{{qjT|%7?lj=w|fa}tpggNnWOT`8fNtX1)|N~jix zB>-K>Q!LSfeB__M;3k>0MNti_7pK*SLVABXP-zqjCs7t&icdc^EZNtRql^3+xq~Zv zcVjKh{H6wbO7{bo^N($TPiAxUJVjJ@+Ao@l^-g)zI!L&$ zyn!uQ|C=Jb;p9bsfs6q!JpwL)(Ve-%6E%^h?D23BJr+K8z?e^gM5`pw!dy8NH4*vG z5rtRuIheZ|Svs1Skq3dy?v>!uTu=_iv$iW9#gaDVl!6IIBWUCQH#2|G6a4ls>Q4Mj z%+dh8lMkN&Pu9s0xBqE96QT(rqXdMbrN5zkCca^UB)s201BE!G^CZ5@=IhP*)^Po6 zlG*XS&YKhjtlz--bX*Hx5V#IvIGWy^X+Hu)|Cl-7pPXFrW^ylXByxOuNWM+o!Qwa1 zN<8y_z7XI3h>Y{3Np-$0ZZWJ%Y#JK!jQzYou4OEBTQ0nb@$s7bFQ(2isE%lh(l`W7 z(BKZio!}RDcXxMp4er5$ySuvvcXubayL0ay-ps3d^JiE8>N?fc)%%>@Ykf=Nnc;vD z6x15q`_<*#fpP8AFNEfMS!a+Ps_#FchGUyBRs~z@wm3t?V|5?A+~yXcI@6n+)2b}z zmyql6R{*W+_Qfrl>9(<2-y1_4(0JfAv*|TjAIX7Z;MCZw>aekwywXRfq4$&+&U4%v zzYfCj&>bLlUbwtLjqh$5ZNO(zJ-hd~bKP@JB>;=S9ltJp8ZU zv}~L-J`T2X8J@TCx5ZaBByt7$U2a$%jG9%Jg9lXfr9l$FQvbQz{~Pe@0i`AgIf0Mwa?FT5XHAvyQY2A_g)qEHJc)LygWMVEmz(22TdK%Dk*AYwX zf3&!hK+NZGg|Ck4gS~#)Jz=qv+XK4luI0tkHa{N;aJ=<@uF7Jo>7<{|YI{dh=c3%S zh!3Cfj^}p}O7{?v?Fx+cT*EkYrKkwP7>YQO+CV1;=of+$L*&w@% zbcT92&E^*Gz!vU*reV{7#KeHS z+;%5wd=-5TI>B}rN@@Z1zk`!rzzpwbcMeYh!506(KUqFID>4eqLyrS6AVg77)wU-< z7Nd*l8Zh+PT1P&%UlnAh9K>0G$m~^RuAi|LJfEntHGeI|LVF6Y;u55mS8Rx%vprwp zSsY@1{%9iOY}5X_o`!CjRG?X%+TW6Onu+!MLeSGx)!Dlts>L=JUsZ>rNeLCg=pyAX zZo&RwgeJibm;28`>8X2Y#=}Tb4}++hxv6xpl8x|0LlCU84rzCoG73J>RDxg`lD9CQ zgOgl6GBGd7$dKZcT|;_+PsCn1wVA5*m`Yl5SM8{{b(>;_eSo+R!N@lK%+msg{& zfQ-bIZQT*7%BC72KjGxJZLjfKr&Z+|R#ffcY^-{b4;O4ECN6eHfSCrRJ{-0$u#2Ly z##wy;qiFm}AsMMA$#6?##SM&@Pm=RZp3}}syoj3!{lldkJ{Fl)mK;vbXP?xpj8Z1* 
zzjywMR-CxzEa-aorG6f#!&Ig^dWgPKQoG>tcSvqbai4H=)MTY$veBe>BmMfmx7qx; z=>;6xpl`{7l}oYo#8?CKcFSg+sEnw<_h4BC8!Ad=IaYEW*`Iw0!ij4Ms&YEmI>Eup z!uKqY-%EcH*+1acKs=T~qW)1e7d-Rc++8$vzL1{I)4)t3jJp-LZP0oQO^`;LHzz)l zaWDHzyNenw6wUU#V~a2n=*pU}wsrMGsW1DlB#ht43OnPRLxEp8p=5&QY$mJPu^oZ9 znKi}ZaG=Vg^rI6$OIc!=QbHFQMXD%2qGi!^VUSc*2$r^Keq=Me_z*`D`-O)aa$~~) zbN(M6JHb{Z-QWZ(%+ZF7{uo#+rbp(z^B1&tG;jg{!x(6)c587KAn=&Wq$~3={WkMU z?k9L9AnKD-Mm_Oxhas>A4-XYcJ8Zc5%ZrOr(|P!aJ&g!M#F1H%)pxDH;G^PG$a^`pG5~?jp`VljFtrFjS32UWtHS3Uq%)gWj z@)qLU{@yX&fB1G~8pd5s)%$`5i{hG~gDoqQFN@u}NrZe=g9og`?UMKl8JBIkU@7bL zDar7RSMy!Qa<~?4J53&KtSV7s@F>4Wy<-?;f^1YP^&;?pOD0pSh>TdT%i)JUcw)Z0 z!A%y3FE}h!koO>}r0^LdOQ2st+GWXEq)Rh4EkH&5K;gF?l3kxCnLUp;BgB0m!7i-i zx8#bdt5**d+Ch9HV{FGtKf323G4x(YJ4ogu_dNp?^r7^Q2Gl74Exgs@_~G6(!1?{i ze>m{&Yu_ul?Ayo|FK$7u6|qR&Sth0>Dm6Mpoa9{_f_Y$LmPC6~5;hfcbReHd`vSMX zg=1XS60QA0{ANAoEyquj--{6qL6AFk$~+iP1yy6OCd1))@>9~H^;CV?8RjRH+ZUWt z($bRga{ zU)D1AeeEiO*6l2!$|dqFP;SC{2?m*w3FV+_t0q3mt3vZ6_F_yF$7pt<_&}XOulB@` zeD9>5H7!lF6cY!50cxz^H#Qrsb~R)%OIlV>4)4S2GCPk?(Msi!iT{Ncc^xPHL8T{6 z^b-ocSvM|p220-m3OEIt^6MS%2>^zD0sM}S`)Ms&A!@T&ZoLLDLlr6_4(A`F-Vomz ze1w0XzM#dFIQse%zt^4t;PLO5Ic~zOqkUZ^)8F^a-t`|gJ5Gr+9CF)fgX~&{@zJ7w ze(>;KpLOPP1KU(O5$eQVH{UI){oeM_X2YxNCcS@dK7DhaK(j_8aNE(Y-lRmj^uF{4 z^th!+S%f#9aQD9LYGL8m|D(d!69IVjcbPfpt$`5Ibzdj10KQ*>aH;)CWqJ0cnN>~r!>!6om4K&?w3dC^nLfOn;QNa z?vt2awwWF7i-S+lX(^LEYOUwmRi)nZf<$hcRcUxFuQ}bpNI-x+cqx}USKt|N1~{;D zu=kR1p1Z7R+l}PL*>s%G1nB4bCjcJP`)B4n6s%hv9#OgIyBGE70(5U$dOd&=IB$pX z-POmN{(R2|YiKk6cFoZkGt)rQ*VVa7!24Bg3ZNR?xUfSt!?pjyhAr^#Beq4S()Hi| zOn37E+?c_~-Q8I{s_M1pgQWFqaH~&z*KW!R_%3s2=WdT|;#$vE-(;(2aKIr8gy}!@ zo>>L#S4i!)ze>4_9Q`Ik)UcA>NUU?&Ud`Cka@8Ei)0_h=3@jn;-kmqLN)V|)Jbm#Kl&eCr1zfk*M;lt^)2gEH-5I!8qcANNg8y+ha^F^Cvd^dyrP<C@T9YZ0Zz$k&RI*n3o z1&5VT{9cLzT9UFp1hqrHUJ1{UcEFIa04s?DAug;~dLVvN7VwRg>=34!#5!u|+wq(T z^9p(5qmq~@si23EjV^^*%hm~OPHht&>_Cmji5vjZ zO+1AN3Iq6ERI+bMeX8~tfK2L1zg*KvmXb%Qkk=tbgj%rI*B_1{89xZEXdzcHX*!AOV*qmP9B;t=6Lc6S`W$8eA69Y=r%D-B56rkf-b< 
z%N7SQSRWw9W5}OLQ#6XGsNDRZNtuNH)6jX487o$jUnx%(IZit+rF;nry*v$Q`uo_s zYF*~X1DC1U=7M)5yG=ZO-po@XIUeJP*f{!zdkdm?)74*15^KDu4xTk>&X2mZ_;T06 z%%87c3d5vB#O)U2!i&jZJzcy1$~T_6_NJ7D<^jqq5`&ZZ@YpGR5ll4g-!8Z!_N0yY z##f@#bZuvysiY4Ib*JbbF^NZA2r6WxGA@lf0It$u;ieztwmxjL9&yY`NCphpe~-^liHDp)zzqHA}<{dn=XjR zC^zO}vTsM+M}%XZ3mkm6WXp%0l#EwJG9<5@-S0FhBHu`{R;#7S&tR^mno>#%(xod2 zRj-drnY8_xQTH0B6K^*1bsdsM8t7X74eC$E=WSB18_hacZyN{l_E9%{r%a(YRXh2A z%W&XPibt)MO|oT-S#47&d&3QDh+xo^1~zF166ROPs2A5r1rZ#>29ty))U?)FyDuh} zChW-mjDDdgX>1q$!@1T`2J24E#(pP<2&t{iqc;^-uXGJw28Rgay%zv?@N(Z2LW>V; zPXQ6>YGs@^26m{=W=~r@;!;3#A<9SS~6Y&=$ziY%sQJIZ+Mqt9SX_45`K=Wca zW(`N9kQv%I50O=Chff@M3r--;Hzi$3s(Q@Acl(xRRV*4;sqOY#eK5USb?rps29eCm zZCK(UY+P8YMmOChCP>n3K?Ndfrxal(?RRLU9@6jV{7-qTJid!@Z45%P{eWY@wpLWx?H8dSYD(kz5Db+#*~wy}@Bo7)@XiwA z$+nn8TC8Pf97BoR_Ab(SiPV)OEDPa_Y&YSXlVaUJQ`Nt>UCZanY+@p8hV0Pd|1A#y z<2;x*@K3Ps7qAdO0}O4%b{?=Z80c>B;AHtMW)EBp;M7R&2CUw@fL#9l9H&NrEH1%; z3EHO!vW2Ndseb*E`*E=Ij`jw=LHo7$^_Cm7wucY!4e664pe_jq?+DN2Vxyq~o=<#I z-(Ht3cHCaCZY`&EG5Ad$D{~E?1fIMe=ZP`j;qN2j zfB5^CI9cUr+M(NL@SgahbH}^TC*a-PqiLn&{Lq=$K36tZpSW>?5IkzMa@jQB{Cv^8 zPz~U=eq35!^RGu4)4x09I1*NL`3ZWvX<_VvYfH|uexVWk~u%OSnDYql$(wt96-gU5Pj zj?se1w)Dznd-O_=l{cnPADv1qlU)21c`uwS{oi?@<8<#(`Elsu$1Grws z7A9;T!gY2!oPP*7OT34*x^LTzaA?$AkX{UeZVz3EyZ<_6RjycV0;kc>U&4t#1{LJj z47>Nu?Yx##I(uHjO99&U8!-Wk!rl1sv^$Pl3B)_$`YrartKx*<=S7R_uFc%kb;s%8 zi028DaE*(H-TK~DtM(0db#IBZMmC)+N1a{Wo^vOcKkWy{@A_a2y^lFy!29m=Mt1!; z>ACLHeswA@sKH}<=PJJR3U@+o}ufGKjc& zYB8Ojb#pTXl+oyG!nj&@;ozj5s>K?_&mV;^VH1->dfNE=;h-60RnK_BFIr*61o=UT*{uB{ z3$++I#RsoUFtf?j%wMm*pS~&9y74$;T_dt$9s%|;p(c`x#Xr%Ww*{=#iTntazJr*fS_X~^ES*|;1IvtB={xW{u4$v| zlgn}DJ0NqhsO(eO!SfnmtGWNP@af@uGu7Uql6<3<2{N=_p4wNkx+8 z+@V&d(w|IqPpQRFK?Uh0X6pm0oP_C&X2(9vK_iT+C1pFL6FNtJz1U7D1t(}9^hGyC z`Sh*zvQ4|+Ui2*#UrR@gnX*S0a_}*e^zJV9I})PmSSGzBX#uZf;c^krj3?JF2_<`?4i@cz zWW35*AC{ggy+YNtNf{`Rf}ClOH*TJWD9a6zJW^h-lKR7WaRRfwr5MJFTyU_Yh~lAY z=-9S8Vf3FPZ_QF3qXYGZBlbZw#iqzBkG>?Ni44(;ZlnaJ$0h+qRJ(NO2i{XsdN0NI 
z@!T)91q+0{Y%;&Vnjj1;M3C^iQE!sWFC?BNUu(ea=c*;<(47>OU#Ht3lA*aq%y_u% z2_C%3u%EuSe2q=9XO&u_>KQ?^cKk{7nc)0;6oICIlU})6pQ)k=wm?t(FMD1~)p}r< zrrF|DhF`{nw4}mQIXt?RJ0^dH~l0;YzWfO zp>9I<;6flb>W>hH?^CKacnUthDieD~imf0kaCNi3uO6T z>S8=i2|#IN#$H}!LTKCs$d@LZCgU1;4^2AUL#G+R7aU#R|H%Vw2mo^P39{+FVD>{G zEB`I&{mMCiR>lI9F(8=4)sJr{f<8hpuv#io?Nq%|gAJsIXGu4z#Gv25k>h6(rgfs3 zP9@`7DArr04Jp|slpF9uVv6I4`pSx#nOD_u+*;&BDjsB-D_Mw{XciW%yB(7hoV9E# z15Ld_-yT{A(?J73#kb%2en2nu!&-ob;x6s5UzjmXU{&@yG-|tyWz5!pkRtSRQ#zRZ z$C7P4jZ``~Bct{R(GqUV5+?0ia=xzI_v%PRa$1HVJ8IUHuQy3;D<#>oe1U1^H5N}F z$~+b~eCv4eYB0&(wx}c2=rtPeQWa;vN;1m6*}})XuxtLh;}Kl&?(?0kIh*Gt@rV4~T~NIbMMe>w$g*ApF{w!t7TW)Tjb; z+jt&VwqEp1jO$?g`;U@mQp9(S*!lks^WZx#lXxj@0dHw*^u{uQk5jKVUAkYYRIskf zWoj6!vKUFaQ-*CoyA2~PJ5Koqn_ZZ#PEW^sus_RvJ|jcuMy|3|G$4O=-!2bvcE0Cj zZ|k^-(;8t_f^9-$sh3VaNjf!_8qn}g#C z4eB5K_V`nvZ@x4f4voDNaRUe8b9=Am=27rJEKkpgC%{I*8(`3E`4k6Hr~4kAy};eC zcAu@znE~F~2SGlYHq4fB5N|JvJ#Y_OX1mV*{evHE?2_#`Ji5w*{P7>G4j(H2o8Zg9 zzPz7pVl7jK{Q|W{%$^*=2E#?~&ef0v4$75s(Ag4KDTbb$T4go|_N8 ziTXLC<2j@i4Fnc%UNZsQ94-jo*5Ie?{+u&?-2G|YMEQ4y^g(aluCYXY+~t0C*LTx# zg;goO@h~uCuN%4}$9so1L>`XA_{!_Dl^x$^9?VAMbGK*{WWv}{>qr9_j{t>Nnwru zbynt4joY+g`H+0CQ)Blsk6ja-Y_`{y^=WgCU(@ZhSFLTgt@-qVjDQ*FFi~VW*KZf) znC_pw&E;~Nb91*l;3lkCAGp6eit(iR6o#|1aT^976^f(aqqDQ0P#DkUR!lDNaZ==> z{!f1#dFS#i^C5oYd^GXS*5>a2P1<#~!6;x~AR5a8_!1x2ARi>5un(OG`UTDcZB>KQ zBb+#~jom=G`%GG34Cwye4X|8(Z@?p9?KB^8kJ?S}3~CuXxcF-kJZc4Syq5}cx3!3H z62XXg>~p*1)G#O9-2duH0aHAdS3D$KlQN{4qY*)LDV(->wMaSp9bKyI{6=8^Th`7+ z2#R3SMz<~GWjGl>O$)UYEe3DPHQcGdHbX3#>qQE^(n*t4Loqg{k~2?Lx?`PC%vpw% z3-+$0@BlsfK3<7uw$j01$X3()0)^bvN`2?p9 zU5})&MCW?eByXpcPQRJwJI>fyA1XXe$!4+JHzspZ?i4{a2WCSX7JbeOsBk2$6jSO$ zh=*cpE&8@35?E$2Q$?qy7~K49*sWkyS_MzrIpUdH*R-t#6yAm`7MNVekKE`}OL5 zNh#LlE<|Sx$sfhioX}|1k{Va76&SeZ7Aov%`QmmKz8r35@v`UrS= zt_4{Hm1G9s&HlOo|Isil&E&Y%u0=wQP789>?BNXx6Jy!>u}Gq4Z0!!vlS$U4RxRui z!C(pZv?b`{TMh3MHn9x$LaUHRM}*l`HR0M_JPK!zko->^^&36pCh;;6^$+V1DYOoD={#?cH)8X2+EgRbU8FekvJFUE_^r_B)Iq>l_1 z!fG^WTCsF7ADrW)dTb*@P;z4$aSxP^`HMNnc1sVhc4JHy>X8vM<0xOE_ASZ0RxyPE 
zEtlwf3DRg?V%U^9-O?gHhXu3I2KjdcZQ12=xAL%|*n2I{$)&$=JLiAir7 zWCXO%N~&LMJU(IFWcm2uTlA9{O% zIl>{c@`g2PMU0YrS%nk%m1xDu`j-j3A!9N$qhu6Q^etx@1f3$&63HpFi3<{r0|uP^ z?@c78?>vXig-z3cG+A_{Xcktpc6XVlEDX)~zJ+P^8NWyI5?HCFGn^tTiB-)uQ4rab zy;5a28xGb>rqX&0O3A1yx6RIGMcOyG&pxYl9kvTnW|iNk2j$@+Wc;^)=b$MSUwA*w z)W!ZQOcb&kP8dbZcoREw{|G%f-Ab4C2L8u;Pqc3A2Y`r+D$AFvue^Bw>3kSM@z z>1V+EvP3D-+pJRU0a}OQyTzXl9bZfNqdt{sVwMR%-;j?JmDm5|Q-1W^<#%?+6XfUq z?72RtJx%$2Ubk4qB`0~c^JK7p&laaHq=SAUPv!YA)qx8ZpEae-&h+J>Ir zZD{RKW>4?qTk6$I>%{Zg1)vkWVOEX*-0P0hl%{Re?2}s$PV8ZVdW!LAv+Py-`C&Qm z6Oi}ZHUqAFTBp6Vn*mrQMf(F!syDKq8ylajKD;g`uDGsiUvlW|x`7Eye4Sx+p!L%2 z9#EBp4(MhG%_7(J;9qZTwd2Eh=Y>nf2br(IR_|j^?3&*Zdf!g_R=YtuK9k>SfrZ~B z;ZObg`}^Zs9gjkcr1L5LhxtMU{(A4lE`x82LO!6U*YT0#AGMa1IgYpg(6(kk_KQ%d z`WGn!psv=Z^PLNik1qh=1e%Hs7&sZbgKOvf&!JEbN87pl@}Go%&j}%M^Ybwe9gqw3 za&(xxeHDv8t@U1WPwaaxv1euht3d=it?w|$tA59rn zA2ybjwGi-l;UbWK~mXpAf47+eI-(j17Z>W8`jKvvpm z=S!AxP<2wjps*PO$JjR*%J__N#pHg0V=*q0Lr>lF*C3v}ji{iODC4l-UImquY^qd} z)Ct-(l@yh0#ywGC&_V|hA*d|kYZHneZSe7sEN0Z5vJww(MAItm*m{=8B6PeJj;_+X zZe-$buJxOu3zi;>a-;_##oo9b%WjR;q7wLMLC%e+PNo$1KgOgrt5s~3rub|XA?X{O zlw5t86GtxNj1;YtPeoZ5?Z~tg>wP1`ztYG8l#_xUZq|1C#uM5>B;S0K#gE# zu(LP$Dxm%*Vi6=HM5Pw$&Ai|-uHY(B(bZWw!HO4xUl>FGZ&4jMIA|}z(DI# z_a=zZb^WDf7Ui&5^noz_6`OjU3Lm9TKW_WT` zs#ek&ugc;$vVD1*M`(ek6p>Ak!l*8QVdIqI{x&B>YA;EHr`(1a*`~{93jrrA7;L33 zRD!3)@Q@H#CZtGfOCyAz;y7y(U2rbJ$EP}W6eu(z3GdVitxx=~xj-at7=nS$eyqYp znv+S0Yu&0d-JaGWZr*r;c<#1McPhiH7SZA#L`zu#kMM{IdEwqoUUovfr_dU6a){WEXe@QEJ#iA zt!j(20|+R+pe8Eo79~#PI^(;NwcjB^Li1vyNYa01=Vrs8E+)bxBD0h}TRAx!$9q@77x8Lgr7E=07IeHp;Px%IxWy+p;L;E1SA;y$o zv3!I3z4#f2?YHc+_sIPUAn+99~RsMz27o%yG_yHwf% z;Ca#TqEx-$-*9-Z^YK>(1e%G?HrfWBksb5dU9{QNH@(F@zcYzxAneJYu@O$5`_D1Zu6MEp?wwC5#ky7g|wstwGob`wQOpfbmOQ6Uf~-rzZ= zld(4*MdAI6w?m$-yK%JEutx=N6!ehaHKdzouL=lyRh zQ>W~cI`_f+&~(7@>p1k23$+2OoQJ$0q^95TMlH9;2-f!62i9)j$3`?m3rYnIuYG$z zHbld<4V}K*2n|wgm&bjZmIm#x_oDt5hsXBEu*9eIjc4e7W!uih?|DGsV+d~o=ypY3 zTir6;?gCgh@_o9+nf5tYjW^il@I5T7zFQ#-n|i$jN*L5BdF|nY?mjm0pS>PJmQve% 
zw(SBM&qo9rhrHhXf3F=+a~vo#hu=P+{>n$A^yw7(?M+QPYspH^aey z4Fq5zaRq0CZ*~CSbTA0k6ci?E>>>0H9$bSh2jlKP#w^+PXP8+@OQbJCq+8MaV0_k! zXRDHwQnh0((LU{2A3bc=ZDf^9KK&*^k}Us9!=Ia&h@G{EsH9WTFUcebArMWXuMg)3 z6F1fuM9a~;GZq|!@U$l_aV(eG!uNG7`Mz1dxVFJMyqXhzl7av+BT3Z`f>lOTob<&> z{}7%f&Z5r$V7gu#6I9Q^6ydFNRBaDreDP`G->EvZ@tG5ZF=bbR+MWokiqBgD^p`z;#S9)j>+`1 zL#$1~98yvN^-G|l)+I%UWKE0%2*EVdJH~9Z{#1kNEan80FEgbewpY;W4AiIg?IHK- z*Gs%+IhpI4GcVcf3D%d5!S+8K<&gqp;TZ}V3{q9vp%JFehs<$0OS7;O0-GH4roxSc zl+{Df>GISu_UlkQJ;NiE1yLgr3)8XOqtq-`cpH`h1+!2Xq>@6l)Y>LE^@v8bVbr0j z%?X5*d8^hEayU?3e;BD%rzcWb_^1bH#%q@BVg%+=g<<}*Gznv(f91N4l z{p=A)LBCr_L&u_70#|okK~=EYx8OGg=}}LE1He@&sIcDk+~$2|Wkd7|JczivgN^9r zyd?v-pASi6`7<~_Ic4UAQeU;s(z`G@N?FhH43ABjfKc+290XOUGZv{nb!zFPDHq@6 z8Hk0r@TF6GIEp#P@_Eajv22zy3$9wX<&16$kB=P%C96%aSxfpU+sZQb&3RizSbT~k za<%BB=6Knv2}xdf(9(m~swS$EY|qT?mrEjH!NtC_$z+5eEWTNy^uj3`dI9f`SZlfB zbY$5YrOPw>SZTG`0t=3^u{zZgAIP<&!VoDF-I^oL0;8%%!RYDPH_7`$WO z>J^?z8w%2-zNK1 zUw|Znl#mqHe;ppIX)J>{)kJ-pjEzI1;wrmJ%9!yW$@Kfkg479Ja~wHNqa2CuLUbi7D0 zYu!9a4sYJLuBmQ1^s23*%~~qO?uH>otIZYzyw2Khb?53^JXN}Qte(s_#_Z&FtuPW_ zJ-sA-ipXXw8#z&kwLJGYKo8o_Q0~FQWB2xk@m&{J9H5t)j>qLk{IFvpuj02-m9tcb zZd2zg9*2OY8?#l~8NH9~ehWL7d!OSP=Od%|5A&&J;*Q7WVu$v-UuyqKx4q5+{{qRK z?zem3YnQ!Rd*3UmWr<$)#XY)=!g}FayQ(~toHPHHOMn!;-Uu(VC{bf~blVz^cUpKs z&jJ4X^VHAp@9v{PuO^?JxABNI(_V8nQQaa1%OkD(=^QluGrP;R=Be>#{4vg#mhFEM z@Tx5zqiq%o2k15*P~F9zmtr zt+%jvM2%VwZk}$>ySvy!@@qfo)ypdh58i*_N7=OjALAzQ1U`4KtBLqE9m9V;db(Fk z=geQ@FoG(F4U6?R_J-bAGCzRL9M=X9v08W4<#SQl+>N=bZ#{ag+kQ!(PwKy_^A#|~ zr|+Nb7MzLuscf74wzJS<=yb<>0Wg*o5~d##_7Hjshz6Iw%&=2W87~ZE_oPh!dW)|k z0g)GvHxb3E(IU&z(tIP^T_f+9JsT%0KHygtZySX813#P>IhrWuZUZ;2na25h5GraG ziv{WF^-toDA6ioCD3DT+kd|Z&g_5gWlFD@nbGt^p@{34IR1S6etl5ZJ31`~h`qjoi zlL{uRoD%zreX-9UU?RsM7YLFOaO1B3KvOIf;3H%~*d(vps%_@ybBWQHQPK+WTx{5> zuPMdo8J%ci*8J3_CspYr(2FF!b}=J zWS>eW!Oee8RS_9U7l_Nk8Xma*x3O?f5v9U9azAFac6>nbD;6Emr`(b;^H$f3;CBqt zuUFMxHiUcDmG;(wv|M>G6 ziTDfEb}2osrn#p$!h7OEFJ^wXu?gTM$i7iPmS zDl3&!VYm6}<?`ppR@y@Kzuu%QLKZ@QXx+gjE?*oWde4S3T6GZ92yC 
z^N@$FPzoo?m6-SgW9pVqRHY_!+I*SLT(jZ&5*osnGAT~+wp!M2`L^aV?H9_8oex@2 zl8V2rjU{k%NK(nRigU)8&JR^0z_}xe2c`+SGxv$`ey5~v8`a=amMqcvjV?#u#4H=4C~Ox4!}CRzKuK8*jv+OpTDCC$ADN1sa?gySFx`{( zmi561w6=n^lY(sXFY}&EOAQ^b)!PH*Of;!H88JRwWGgMpzVfcpAviUJu`Y+*i|LPlAh7EW2+jr<7tEY+NIP@vu^96_QvU>8KvuP}VriTQc~8a{HAGr1E)X$sqo= z{t+GzkN`I_Kkgo6R6`T6j#ru#=vl{c@$a=2)?7qtc4rvP8#9fOwtN4Dq1*H{Jy2oD zJTEiJa4xD#ax~-;fkm8U!Y=KpPGhXoH^8@&u2xIU67DWmL&WM)nHI+&Rx+iBctB+m-K@Z{ZW_s6v+rO!~HyS1>MDKS0oh1uVEsUW;x z%6T|!bvct~-smGES!sen-qo1|>&CwiE7GbL%2>z|Gxqq{vMj>xCmnNer$5mZ`7lv_ zbg!T1=WB;Sfr$YB$16OvkM~!!Fj5NfysxMMUqHcr_^)U|yD+Fm2v1nAGlw%*(G0lR zfY#>&+Hg)ZoIjoR4wfl}+V6HQV@Wei&Buo$s!wYRI(AEhS8Zln!R zpMIIw>bdU5Og-bebH}O2pHwH%I6nHo7vX^VpZgftdT&wq3YP|)KHuniA?MkRM&Qz_v?Qvh{0yjR?Hwd~O2V%ox4rV^(WOIeBy3Co+j6R0- z7DqWfw~;^7D_AiPPf#BkgUzLZG9O+;5z8tvenV2WV`pdt@1*` zVVj=I=gZz-gihzn+}{%yzd(0lhaH4Hz3bX^9G?i5)z;c~5SE9>M=4NGJ-c^q$wh$g zRn;sPpzAY^7p+^kbu$A0hueJa(O;G4{GoAYZTB|(Djj_B1^=?^O>2bM*W&s_YlB#A z%?^m8{?65T_KkYl`A?4%yzbWX({n7wK~jL%r60hb?fI_?vA$cY|M2Ve)%@lzQ?&Gi zLDvaG@RLyoQ#u-bEA4il%dT^fGZRJPTm`IAj1wyag8UZ0X#R^Qf{S z?mYz(6Sp1UeEymK0JqkGHe$eF@r%lvT>Zx3w4L@hhu@2d*f(hGGp7bUpv;eUU_iqT zKd4Z4Cjcc;N14K=JoFGS-oF^2GC^5J`!zD`bWI$cb~!LCH$7Pm8>U&mrraw(vmzvH z%EpuQlq`nfNVeSu`=yB>_7|ymV$9#ia@r*rmbP>xL}o$nqz>|U3YfaK2ETrdcQ-Rn^*HKBbuxll|IAG79qk|qBYJC%D?ZjTPrB>@Ip9c z6Rpw5xgeCdm$@#?_6gWZdlnm(+KjKxJhGX$?^Kn_VZuX^pDk8Xe9s%x4wp|huGOp5 zmMTfRX8vBx!oP8p7j>#SAvQw)j8|8?q%ERBM9!M^#}6;U1-gwjV!TI}QHg@MVZXo@ z+ixN0gbSixh!?B5%e8M7kTrjpnxmyC6w3h;S>*dSh%rxtLY*Ngiz3t% zah+Bh4jNN9(;5m*^yHeu^8DN)e4sd5Ri#%8mAPHY{APslNy|%%B7^zxqCgv zYLJ>FhjqD-is=T$&cS1alIUjQ#>G74ww$@4mU4J-pdGt(a2tSe1(I}*!#X+5-cn#F zSj(|b+zw7g*nB>8Lp+nw$F&6}@s(Y*MP@3Q7BfK~?^cy9S2mU^4fes5yYEdI#fq}B z@Q=NAC@JomfeiTG>v4w%+VWuXBtYO0kaSH1)+)O^0=&d`F@L^f;(Sj$j5DPydC-l< zavUhr73}Hi(ilH<4h=h&1!EvDthDJ6JtfejoXCRo%gaK`wYQGNUw=@^F{WHYYjNw; z<5x@TQ@2qBV}8>l$_!5Yp%Dw0pyJfDEl(#!Um8)CEW~R>dM-89F!125$FMYM3K?Ea z&Y&N(gsEWxSG5t2&SHV=l&?Q})@&R*u59#+R00UM)cO`w3>UGU+K~PLA)Pk#9lFC$ 
z25U@SF0t_7fmA5SGAOxP%Ug*OMoVFxp}KNVjTTA$l?9c2$!S)*RAP5&023s%0oQO<$Q2`N@$P)5;GygoZT?Jq1iMF1UuE zl{At?!3k+_%bNp3M{giFa17i6(kV_?axJ$!*{U1TkPhL0j2}bYg89dlJ<*q~ICSV5 zB1-N62{#DMg!~}Pq!F?BkfZ^wv5S9586%E>j#d6QoP)k3FT&5D9lZ6A5G z7kTA+%bXh6n#21??ILV| z_Ya%(5QP!LZ}_-voURka;$xJ;YeMi{3?y}gh`>6_V7I1|*p7ibsG_i}uU?!2>=>{8 zByq^?fGZvC6a*hn71H3v?<3jzvo$A?PN9>Jw#+Ov@#o8B*urugiIBh39tg_BE&18y z{}oH8t7O!fN3W5ky9?J2xrIBe#lv*xJdHyK+p1VXAtrX`(R!Z66j{JMPUhv{F0uuC zn=8(Mp+vr5g4OSceW}3Da;p}vGtkvb@*mHi(>xwE5}1C&51AX{kKP;N2c5nEM;Hkj z^= z4sGkDo}0#}`E48LLfi!6HvCMXV&%$t^OcVCM(&FL;PLy6u$uy5MX;Mpy34 zrNC>3(2cZdm|F+*XUl1>G*^pi)dRG4E0eMU>Z(HRYMY{wu(zc5+Z&4~^0;|k@lp1A zJrHpSuzU7c?!CFNx%w9mFd8e~{#c?4Y9VU7ozm#`n55mZaClF>%LOLhUvC_bqty`a zIA6=RwC%O;Q(klV&4?Y_b;syVsSZ7UoNmIzyXP9%UD3IS##ORau~5{=t0Cu_0t zz}@HGE}Mxl#PF^G|LXxYgZGI-y6#N=x3wLVZN;Afk2!|LouAM{=YY1SiamkB`A@G{0pexSnsf2KgSO2M z{t>>8_*DCZgX~4;M9m7zq+9I;_{K4uV@G!@Em)5&;QTKfV6`XUfXrnYaJbZZ!5v+W z)75+=HXGZyQ@?q7?rOck^tjw1qt`3b+&=LX@Zy=t(3)dVd4bc*_fxI8eW&+hRDC83 z<%TJ{apTX6x57^27_1L{!{qb~|DTtk|2EiK(1t8H*I~E^5gb{3aMP&)wtMR&!KEfe z>QMk4zRny!ffIUtJ|yA~Rx?mja)vkF`tOMSj9wH-^O@VW7)##e6m3hUzLDf13$xF~ znZ)2`#H#(2Q9RI0A1$oO#I=a=MV(P+vqi-{@QSQ+`Rr~{Jf0zfmcQj&tVphLeY5Ff zN79Owy%khdB3=3Cj`Y^4sMJfNGxKbz=!^`dT%n?N`{u|xEI9WH`e@rj;7-hfBtpsXYKoSlM)?hg)u}@v zVXJ|gjvMpILZPyAjg^*74O3H)mBQfS{igJt<(DP9upPf(n|y5s#Jf;~{wXv{YvsGI zNNu$FUrbuq4W_UGPM({@UsHWj^+Hi5{1cU96nY#R1HKj7M2iG-v`5gz{DI#gCdmz2 z!3x98`QOw={tp1HKvKU`C`+TPtq<8mk@w|L$+@D;I;t=j6k3i&*_lqw?TrwIASf!S zh-?FIX(6CtuncPTL|GilB*S(L-HH&j6f~N{UWsTIY1I#LH_xEMOwR0!2|?xfMB6gk z4O1noz6)fNiGei?xPw-Y24)+niiQJ6}Ni($!3PLkSCE!s}0 z*Fd<@k~U{hOyx%yVJE+OY{?1+f;nm$GM>q zG1|m}t&mgz6-^Atm`U;_%#X*KQpo3<10DKT*MEx&$(Hj4i2Z+8&hR_Se->uD`3L`5 zsQy3o9;YQhNl{z?$D9GuqzYrQz>vDPnA^7 z&qgCL8B;;4mJS(VXHk*9ORROEsZ7M;~O7}B7oQfNjW=(*hS~tid0$ayqHPNV=*03^6sX|lKQqh1c z_bWz(8DI;^lzM<`H6{?3<QM)@Rd-MDcK;xe_Q>xf8sy?n)+|8VIRtp7Qvz|xZJH1JtHqjkfiDy z-?w#NVT~0+pnPMM5edcA^7#BRdgvw5jh^CaxIpSuD0B3R0w=RIN5VC#*2zu>qTDy@O=M 
zY6ppBae&gfwwIm$i<}6wBcewS8>-eB>qfF(#HK$nRDe1OvslR`3RtElB)YmXkrX+E z-Cl`PCAZ?jWOkwi{ZST(i<1N)G3C6^J zq207PEukmrR34#WzTQ@V7Lo0yh`8)VBcfsw`F6RaF^#q~5p1$O-G|%>-lqvIRicG^syS}l*Bg0Ddu3c_l?d%`E)xB_& z2fY>kHhU{)_3u6U#t-+s&tG?L^6`7-{PozaFMRP~@_Uc0a?O!T|7GcQ_IUS&57K9` z7p&zSe#X8R&wuE&+@IgP@3GyD!{54U_Iczj&{BKczQoh3CqCNgch}@kT+@;s{z2-L zjc~WdrPRlbm(hK-+uo4k32nZ zk1GziezCQ=LyG6l+Pk)gaOJF@wVpqGx264U@_#;NxmEJqTf{EQfBf*rKLhf&?D{X| zKXLn^&E%U8@4S~OEd7K1RzCHPYx_U9udF;TesrBT-gxGjC;kLo^Y}s6 zo%kMokpF=^tNn%03UAA!zf@ed&VxY20v?bL>rg-Z>SRd(WFI=x5!Ny1r59 zpnhN$|M0^@ydAq6eYnMW40h}1Kk@(H!uoGB{{I`Xufl(bCWb~|5Tky3 z`422}nQ0hVi)2lQzdZl>-2Ok`Mg9ZJEeFkW)9|`wEiC`B7KZ=e+6YB(!;3_S;L9q8 z19G`Hld(gG%ktl3lwy*$&%Do&K4TMc?()mq#z5mk%*S~8QgSVhcC z(y<4CgRn0^R$L!xMK`b48AYjT$%)kImb#g+moQ0$i`B@?xIs zRh$q&n<?vCSueIMLISsRijF56B!89M>x%ZWVXVS zjVjksqK=XfngGht5}zCmNl)P1daZ;(j?a@}FD#k}jbyqOTNW%Dcla?^n&`1DvCRb8 zl{3yXrVoR>4$xA5I(fvLUCB?Rv^Ox&u7&kIT^zJQxHiFM4N0>QR#z+;lxqmv7u(~$ z1DiFfSsr_34lsG4r)ra^o%1R%pG5juRgo~TkVol2F6PQ9xgj!;T4PvNteZW2 zB6d@FRPGn50$^mC2vncC$sR~3L&DD#qjI{1{j2N0VTK?KXVQS5@}Ky-$A1=TyZHzI zS(yGmVyPfSYMd-J1HkW)bcK~ON+wFAI%JXVWk-~mQ+#z$EVPqqracNX)gwh|1&15X2g*HIPxryHt>6pk{tkWrW9a|HUZ82AZD^{wN&Vs%m7PGKe8;4gqEjpksX|R{ zC6b9=Ak*bZnBmj9RLvv-gRGD^NS2f^Rmp_Oz9;s_RGtVZx;bfhfu$GNKAoYa=NU~5 zs~I%1`%XzJP7eg1Ns!7Im^gv2W6h|=jPOYm8yPk1u$qmAo|?!St$+t7oob@gZe^UX z;Fj8oVJ4;?sm_FKfuG(EG$k)ETAG7m-oLH>+du1n7N-82IHV>3-w0?*C`EKOtJKSU z$3cWftz%QH4q{XxTPE$CMs-X%>X2PCZsIjOk%Bmg4IQ#ynC|{Ssu%{o=#9NZ0Z+F3 z{QyPA3Mxb;(B{>YZn9kuHtJ0X#vwsRvg1TjDz=AaJqc&4jR~Fv8a|Ow`--KJT>)3y zpoZ2Bp*v^{iC$1o=IdZH=$olxL$VAJ9f%PFHB%$M!S{o17O&J|z~daG)^BnkhX_$Y zOPCX;9<#ZO7zY-b9(5Wl*BSFVGsbZl<+1KiMbfwj^*f2YP=f;-;1Vh?;SI3WA3|^l zc`cK*874Q5DUn5og`o$_RTWE0P_>lOCoGgICdPfd+(CL7G)WRk0FO&!W{i$K#^TXj z+m~iI&kX08;XE^(XNL34aGw9a3?)$VTgiXOnf%{3VV~hYJFf6id$WH({~;h8Phu#A zV_$;*kpG4MVBZ4%L%;+@pcsWCUy=XpT|Vl_IqP}f`@@}AM|VH|=WRba>;5#iZ!fvT z?g!1iw7j{n_yaq(ul@M8qsQO7;r;R^i?3JN?5%BA`|}=SXti^ndJ8@O<#YI@?On33 zU;oB^C+pSXk@-XZ^3vqs4L>;LwcbnFJ^#4+iYNAZA7zi(r@hmTtM7f+K`ShO(3(SV 
zyV;NLdgCEycKlNrXR#acbssq5;_Y`jcK*5kXq{jG>iy-o@*byDFWh$RJD9sSd*;NG zPx7z$fV=0_$8P=bg8A{v8>Y8Abk0lrIa@Ds#2U-aUH^z@o_%0=4S3@jbG6PaE_2`p z>u!DC=)w#4-)`5R`+I%7;YIImvc$U~_q)Y+-011m{`~r1?PCu>65SCZxi>x&7>tC z-;UG|4B-Te~(tJUy>H-pa|Tz_X}wLQ1l<1eef_w1b~5kKAh`u+Y^yng!^%$x8n zo_plXM}hU0-Wbi<8@#&R=FePn>6(w_etqsP+st`$)5XT;ZgYR*=|9|Y>rrzj{0H+7 zIz##B&-?ClC<5F@QqGCZG%-;a@QHXu~X`{W!8UUNB_KwZrFM}*yM)w z?t6YQ|Cm*eym0^1_c`jm;@YdO(|PLrQ|cRRx55rPKlO|E{_+?$|MgQ=`oi`9iU0ri z@}KFV_$>dK(SLp;_7(U~m5Hr->bu8(@|qsYu>wn)v=IE~bNl}kzkB@0T9AmuWKP0m zO<7p}Q(Kt+Kbd4W@GS|9^&lr18NWTad&P#35j#Y_K0S7t&~x=TN%I*Q%O6un)tB)$)#!zOy#%sAPva9(OTy8tDs+Z@PN?;2S;O_}7CETs5Jxe1 zH`mGeDqr*XFsNs{Kz*x2fkf1P@S`*o;SrbDmds*Ed;9{kzQmmfV zTee@!#b`mdd6W=CE6s2q!uCl8mK!a}Y8IM6w>TQbm=mV`VLPjh3s9j8cjGuKVx=5| zH!C9yt0=CL$+5I=ln2Nd$texRk2~oq467m!q`iEW^gCR;i^z7OPKS=)H@ihj_wh+$ z+#5`2w26D<$a0xZFd6kmBf4E`$vDBneq%5|0KYq;3wB&>QTax`VB}1v2zR^VXjtux zq+o1tLyA{5xF6O6yzI*%JTABv77Q?m%>GpX$F=X_ZEenfhH7$rh!z_cR$y%=i z+k(KB(;}WU$x$Yg7=!|1=j&vv&wx3(QAAopwZ(A6bcuD95m^IT1X2J?+{DQRQp%Qz z+#t;0Vjao{R<=Od%(xcAiRo$vW3!rSS2;Mrx4TZd+N6mpnM#j<1|4RiJfb(Epi-35 z3}p1c2?O#$TvWV*t7EiKca-TTNvW>T?KaI6rG!G%+E%nc#Zn>wvrG+Ym5P~H9I2S1 z^la0>y1s|PK}~L91$&eeTfLTwXf;V`I91(&Qg+qJRfnZEl*$fr0OhyS6QM;_hpGR| zef{6mQB~KnoL+$@nP9izR*8UA0Gf!pGtH*zadzx z)hW4_9uthDBazRV?JAxeXKFNa&ReWiajdJ}F=i7lhC^K1GhDNzq({gez25qGS4)Ul9H*{Ozac|UzT*e0aC77uu^Wdm! zcs5Z%RF87Olto#HTt^XfdVZ*erP?$vp?o+*OG>JqYerD7JRAxs*Y*G>&~!G_Em|$6 zQ4*$p-w0>$%?!So!8bGbW(MEP;F}ryPlgg`@>|G%2nd?V|9unoS^fk5WSuv^1^kDA zag@R-l=>3@l|R}|sKi>6(6*fQl!0q>5 zw))&3f4)|3GW+f|^x^F<({B%V-TRhZ3S;EGlepF1zITUN`)#b;Mqm2ka!Q}r?etk! 
zU$fHX$3A)-_ebTD4=0C7KX`qE<@&$<+iI^p{i{E%^s6^^N&oi4zqSv3Cb}H>e*g9I z21~wk!XIwA{qfzOBKxz?{&Dx*8xCK@UOYSZ-SDY{^iv-i&D!bl?GAYC=@<8$b=Whz z&%Ud!A35(QI~{b+3!`I>JRuq7bC>l_*kadkxNH6xlyggpI z=*nOGOZiXVW@`6;@Z!7_4N3cNa?)8h{q)bXmfzx?!ksH#arRnUu9iD~PW$NxJEtBy z`=$16tGu?`Q)}$-B(*VpcyFCIOZPnu-gND@{Vm>p@|@ubv@rYbYUg*eHm48$BW2vT z+fOzbUNig6MbEooyC-)3UFLVsRQ!FP_18ToUE1%2pY(Q{b@D6stp51X^UvG!fU#E=xn~cdq{rB6A8NwJcPQmH)9J_kZx8{O9)n`7ZJwMAGy)uj%+S;9Xe$<1CE+ z#})c^kTKkJZy+kM+wB4TKp&@&aak)=2f0??OTn>&qh---=7i*+1XkdrT+d^pY_lp9 zr?WuH#U2W^v$CEkiOece=`=r(8#}>n3 zN*j+m1O|3|PLQy8GDZMqSm-C1s41~yTn_rat>PUPswhUOSj=>JmJitpZsRghuSmrP zi-^g5lOg!N>_?%E6;PnT5Y;gmpmB%o^K}e`g50D7u^roh+e1S%5MCg)XashhmRxW5 z&_=E-<-KI+8noQ1)GC0U9D?f56(!P=LCZGMa5juJAxsU&DLErFlf$GBlen2N$O)ZB zM+M)tvPH%&BW%%NnG8@V`Ngltf2P5?8E`$@3)mT`*THj%>L@{H{lH7;3Qd=6c#6}YmYi{MC^C$k+89Qr0y$)*lNPzI zL{?owMzYgQ15yMd9YYu+S4O(g1o%`YUE?!YGqMI?80vhT$PV!2I9;R=GUKEgA%Q#N zRw4BPYQFN0F>dC?MumH4&noVnt1x-p_(P@!sg{k05+Z(cKY)E;KkgP#5 zp(mlqSo9lGrdZG*3PoDVFs7>c1_bn3q$~=q-0B#ezRNPTOugqh|81cAKk0vj1ui!F zXBR7UhpE;~e(_WO1AX`S&q8fC|G|Iq3)TN8#Shf9EE6~ngeBCSI!G#>BnTwY5zUA& z=pu+#)roAG6RB7=`{}xmu!^9#8K^=U6@nT0H8R~W&=|7;l~nmc&+dyBB)Z9LT&@-k zGS5r>5yxhmRJAZBsZ32VYOtMS@Gj#8JTlBUb~iVvz_K?0@|Z9|JVPo;ZNFR2vKfRG zxw1dW!*bo0+xe^>fKDRG@Ek9D!%Dt5K$%Ji_w}xovRJ1Igjy$7l69dmlEk6~nm%Vs zacv+B_(8djnsh_FYP3v`b7Xs@3Tb=bASK3%dI)R)g*H~9{OLZ${)hg@meSD| z>3_1H@*kze&|i}OsBT94;<9eQ7u9w9JiU)mb*cuJEe7=@J-{7~lj{OdsH<&Lo_;nk z^MejHR^56I$2GJvZs<;*?^iRqLPhSO)s(3Q+&Ga%Z7H0LaT2fhGjQHv03p!J882X1 zJmaSO6vnpgdds4GEk^V_OcYz8EMwWY4p;k4l1Po%N!ls5Qbet8fh9Xt2he1PLd&*f zGm|bM2#wI;T+JMVaFh4CkS&(GENfzoOd%4*LYmbkcvKY3YFDb@H5=C|0MBJga@%!- z4$W4EV@b(0yPayjINe5>OpTSAq2W6*VH?uKN;&B;OwkS-;<}e6jb7~5fs|q-&4JQ% zA%~jaLfHk2EvC4j`A{cAj#7TpE{8%kALKy8sMOI?w`LIn648RH4RdaH0(diepBZ2@ z1B_;X(F`z}0Y?9S8%m(mx03(N^ndt9?6dqwJO#&@E_{G@E`nJ zz<)>trjk^WgrTp;ekOc)*`oKpyy07wpMC#V8?D>?RnXh|x}%Qx1HLtM z@>}ljH(lzI-*12J5|_PGS?ZN-ZWCXgwc%do;e)GIvYyEN=DszbT03hmcj?8_4)+Oj zsZ*BN?4if*7``(v`thGmd|<^jcHEsQ38(yJ(I@-ooW1Jd-+NEE 
zbboloy*E2B_@lA*8m$+vh8Ms2$=B~bOt|^hji}!gcEd8)ZG7W-Z|c}N*$c?Jm0D0%C2gk?ec7Ji>2akBBoW5g6&(2@DyvM(k|M={3 z`~Ui<;8kv`sBv#pPO?Qz40%OzW2FTr322u_P=uF9cMpqL29{W z!sL19Kizrl)yvOPR=RoTGuGeWH`@+xK4Yn4*7$I%+h?zML@4aud4Io+Q@0B1?I~R_ zVqSRXg|)NM_kJHOIoe|T?oqdqzq#baBEW8O`J%;hH+jN6;p!j0J^!X#k7j

-~wXS<#9u`6gpjvj-|U^*P4VkwN+ann)mpsb>=Fj|mhqWK4@D zN62i^YI8tWKz_)t(j{H^x$v)tJ1#*3O`uls+40R+6Xi)C+UuCdhUW$`v7nTjtp?WU zSz2luOcC!)2kTiv*xEz}>_C*gT?(Q;6(jV@kI9pb5a?s=X?x1l56&z%i?(?@*iEob zN?B`E5pxr*aVXI=nhX^;%@#xPmmzcOA12y!FE!+U&OCoPAcF-EmP~@w68*3njU`4V z@BT@Is!`_|gNOmMQNNE_k+KJ8K1tOg_%cd@yVpr96l>ZyxfzwWx4^Da1V^Y5kvd#e zP!xmd=!RB2@5mh?t{!TO5O(G?uedeS%#PWli9lfXxA?kA)kkp}p_}+-$rJH(NU}{u zNqX25y34Oca~fMpD9Cc;cshB1be6afofc1_^<`_hi*Us+?CKrC+#n$Ggh32%Z49 zriHMurRX$ds*6{}7Mn3L1*%)GeTJkJuUITCWx7_OOqM47Qm>jX0$}H17nv3Q^I1(p zksKFN)TEQYj54mkZsUBUOM%m0`Xj{y$z9~ZQTznlN`_H^eNe-le z@|0=B%9wv!5wFUqd2dS*$8-VYL};44^u^nRcDZ`YyC(0pbEGZvxL{mNKdn|_%j$AV$slU$YRezA9+D2?Y|JLEikCGte&QlSt~ ztEIRPKO%byKyLH3hC-*b292zH*$WJyO%5f^RN(4YU7cjs@DlEiO* z?BDXBkleJ)d=(c^vr9NMAv#STl;g9!jl)f>q${ zQs(N`{eH8_W%GeS(sqPrl^TJ*?a3{&nfIOD>MkI`>luq;8z5*_0WrDbx4*i%m##89}_UVW&=D%2$8dIf9TrGYivu_I*9!1jZr=Pt(pJs zcIoyM8-ST|IXLuRy}D0FVpdR4(wj<3C&NidL*L0rS}RktYJ#g-6NjESQU3 z--UMpCPFu0CUEI{1-U3)T+Eu)aZw1P5u*w zeMdwJD}{kku>1frIU(eVX{++_V#zNBmNR4e<&zOt`CCTZwz)^jTBmVFf@aRZN>6?J zz&pNDwmi3G`Rr!a07PU}DnxKIY&GdKOtOiXT^WU+xC4_Tl7lsofkIT&&MM^n3e}>P ztzD#xIdg8UjAxYS6(gn&hLm=~=_r)TbCs0mB^TY;&Fh< zGgi1{ECip3(3YtFl|+s3hO}^6?k~)Nw0e$!jjCVYY%JRPmPc6+!6u6pXBfzqegT4o zN)7H+I;l=!(zBqzMAkY{M7}-gP141LD505cpBb8fYv$+j3@rLvEEm79Ev;_-vOxOl zaiRHO5`_HDYcb?uuzf~RyhMbY9Lid|>U$0^O|2s#O(i&&g_rVbN_EEDV{7A=ACSY8 zRH@gMYS!;5b|-3F$$^a7RvUvS{VmO6RpMBvY7X`%Wrifyn*3LzzeDS>=~lv{-Css9 z!ty!)^0eqoVilG{?;gkLBF1=O*xxn7Kju< zrIYlm$-DV3(23ND9+{NxTv(sK4cWtU(nbLtcKrwdsJHvKSzn1b4zp;z%>fhrq{Linnwt?jV~jH>_Jgw zL#U_;Ru2}*_cD`th1ZEyUyXH-Q$iR;Nu-i*o7P9bB*$5#IVK_afEoyYY|UYp*%E1> z-Fp!rY7L_~{dQj;{HcDYy&lP3nluX;v_b`0Fq$33;3V=V)|5;ic_|PiQt?u@Jx)o2 zMhG2Kk~Xs)%%4yQ*!nI2WCQ+Z>7UZ9j8D1rAh`jDoh9G4sSV~9wpT9Yonu#!kfGz5 zlv`b*ZC*RvswYXwcBR~@<(gF?OnK-WRQrR7;_3Xi4ASpt_CM=(uyVSLm@K587+RX8 zwW~~(n$)EfnvrFp|NB?U z9fllYH$t;tJW(<^_TYZr=g3hWAww+~L71$Z@dLuysjf4rrq(6zCK8PI6E39{LRVj2irV{#=SQ z<2eE3G#`=9$bEd7xm>~ZywQs4cl9Toul}&`C-0oLM+{)7=+b%bbck3_gXO)$ex=<` 
z|0c4RQF^0h>-*);BI}1arzEZ2;UN-A+go7U6dP|q8-Le>eM$23{pk?f68BS9Q@Yn$ zI~!e@?H02Tp#R>(?c9E`A#_`wsCu$-3R!*W$-Vq#-tO_OPpAv}G59gZ=(f3c^kT^M zr?D1anqltukScQo16`ZIqvZ3;|=$Cuz-A-SB^N6TdM51RQp&L zeg#d*dtX_ZmET<}p6vtct72O(UofIIZ$sSYTt0cK6xaZ+Px5(-Wz!x$aI^bpqqe0Z zoB((|M?`TDKd)$Sb%m`P-uYbd8V_J3bH80{tF3HT`c$Q^do4>Iw*oqM%adJcHUzKS z8+}MVyQ%?vPHUnKE_M_A5jHOwbr-Q*ELWH8&{e$Gz2wZG6Rs}g%G>p|GeGqkzBHg@ z-D1OiM4iODxdjxStR{A4{W^R=P}OjVcg55+*!kF6b~svK<<{)d4rFoPjVUUJA&j*Y zXc=fXY6Rv!-1D54*k#eQcfBf?@%bKw5LDj0TAEvB&!(YPd>pQJrB}M&Wb*RW+{RLy zajrf#q%Ung4`x2WMZ@YZ-!xy&!trc9_wC*7R%G`@zub9J^Lw2jd&O|Z#(3Ji&x4k> z-VI+86Xo2k`}!8OkBZ(SuBsgN|LfGgdLVfQ?1F)}B<4&YAn}Fr^Hgzn`uVf88;C&7 zxS%BeCTzZ7?$bCH2WAAtCt+|UVS|Y4MJK_r*py(i(xpm#1XwxV?LWM) zNm-ZI%%$L;We5V2=FcW9*9&j)UBRJiGyN$VBGe?2t`%hsw8!s=MiH8vV-8<*V$Ts~ zq~g8J66Cce>&L^xO|-ZxrA_dw7D}S`-hP(C->QtNkYXX{7PE!HenlxN%SXYK&DBbL z%ZZZGtjNo;);|7eoE9F;V#%SU`s-m=(E<8_EkmE))yO{Jq?rBwI}Uy5hZ;oAis4S( zOH57*Q~`T}IBdnE0sS!cir|&oT5WiKES-9(vf-|yo+vA&69u+Ab3}^PS6DWg?S3&N zb8C6H9`+y818PyKx4yzhx8WGa#*ikE+~-(>rQ~uGrge56FTP?S8$4wTt>5V$Xh}r; zGG=7<(z?5ah>hR-vzqzDq)ptHA1@wL`d)Qy&<~aWmKQfT@Fhw&vJ7{dA|szj!rc-5 zo}Z%>w;!*M6~-^rnE7WJv~=&P9yj}sPeoQMAR?GHiM2zHadP)Nxgl+=gM%I%!Go+QscQE zKTBl9dRmDl&pJwv0zEmFMf|3>Y!k0^|_WoO5AQGM%NG(h+c25ZAL|YFV>M6|i}M z$~ZEcttNbDe|2y)AY=H6;X|#KauMSom<}|(IepCfhU`dq zAy+?fUW|#)vVQ=4oF$`ROua*u<&VvKVQ}mpO*arOIM?g*R7xP1z{m7i5o{oh%P1!R^6_L;$aPPaOB%86Ljc1WVdkb*z?hEzVjq;7d{jgLabjNRlzs*G%av zqF>Syr1J{G%)(b4ZjiZdxagx-{xSPh-EMf#7F+yRT4tsbKb_j0tu4mhd?q(}SumZA zRiyRtvn82S{Ed}P_Mp;i2U3bTkkxV&$824f<>Go_H*lp@!s0UPDr~35y8U7HQE2|77?3D0j?EV-z{+&R6rC=Y%3RRId zNpoz?#7jO^wX)5gCEYsVHsp!7u03!hwT$w+jqk(Wg_EPD{H=z2nC>8;COXy#O~dT4 zL$k%mYMsVB-&_lCOs6v|;b}>CaBV$mS`rN%bC0e%;f1B!RNTW&9IJt9a*RIM)c+1I zNfj)!>eL++`sR!@3_~rST1eKPs?re)JG-!zN*rV;L*Z$HnH&_J2?ZS_?3MfBF83%2@|~$}FFH zi(#1Y0)j!pzem_1`c70{>7P+=h3~W3WKzI7Q^S18xHKGl#;`5~!d8qWn z8$6bEw{h}>jT5O}ghAzv@1QdxpFI!Yx?Lhp^rp!OV%5rP&XHStP3Ki_vgsk82*1ZW zHXKR2_2IEJ#6=7N$S7Esxq5o89ww>NcH%->jO>E%dHw+Mi>`Y-- 
zvO3J(eLW__->O<>v*9q!45e4g})Iv&&2yIen{tpuL$JI6@f-aksn zM=+T7Rxi<(kp7c*rh41v^IY)+Y>Ru{I7xn-Y~STdL~W%fQP8Ie)G}j{#mH?$Bm-2 zj+0sSMQV}GbHw-zaLYXTQwrNoAaDfEMeDrvXp_7@02Z}51Y&q!R`oN9Cx1FjhAymc zB(Hl7YH4@69UrU_I$YwXliZBqaOz#=Sm~X2JrxO8GS9f}XQN+o-^X#-E?Xw=-=x|! ztv%lmjnp-1;%%IMJRNSAJgDiOs{~dvd$c!B2g$Zq?+6sFd!1Zm0|!@ZM4xUYoeF|m z;U>T*4`7RTaMl@cI`uXC%F2fbtjI8k2Rc3lDuj*n!W0TT?UlX7+y~zQ@c{zhlfuH# za5*5A#`*lw0#NEs2`qfbOU?=}0oT-GYW|H;kO`ltu=MyPU)S*5ReuEAeW28_lWd6~ z@1OM}W0Fx(*z(_9|ZMC2&*pk)gxmy9TiMOCX=KG3v9 z)QR2FewoTV8%}MXHvHn2EyLo*7J{#Ry-@p!$mLg@sw(AOSe(n~A7r0s!b`d+vZ~3z zbs2)5X&jMRBe*ZrjCjV!&Pk|wd^<8qQ}nH+76tOFs)HmfW+=r*@~LF_$pfo}I!&yB zhZ6D|{~!6^NIRc#iA`)sB}H)FjG^<=$Q8*(-vJOBXodLvl`6E6QhC^Xy-t5riT!8$ z?c7}$_g>XFiEA3vV9yh{_KcV{Gi;?{-bv;kVR+(1%|cboEi@oxFfB=Y{~&Q&PO?58pn&ZzRvMXav)451^C$OG z0em-oHb#Ud3L%GKvMO3LU#?mlp~H?8Q@}GBED##Cif=72^g%JlZ(kml9}UKJ5?OU} zfM8c)0`zOH7#fiY=Bscpuqe?K!ThzsxPd+zv}rVO75k?H51C`f-QRqa#5*FxN{3zh z&0>u!H3r$Mk@M|8yRrZ)H@vL=4Fa+!xnS`m~9^iqoL9K92B=!EQQ$f zZJb@4yPzp>J`LZe3ouoSD2?h#VVz|0|Mo*j<17~$u@sY+$rR&rgC5lgb$G!r+W*B^ zY;SNF*Wg#hLixRM7Cl8ZJYz7+RbJy>5h3+b%05;7oK!lrevPQ*bX|&J$cVijo;*Zi zY|3Q~8b7N$vFh9((>4Yz=>{u~;QnGI4)Pml)nVi5&IE!4_i(!>gRx4|4nA$7G8FzO zloUaZTF5klg4I}t`+ynl@y6L&aw=`3XcJwNbz1}EN~I%M^c8v6h(K6tS$(T&Hio2c zU+Ci67vk8wYc%IbDaw#Vo0mowRkRt#+Ep_k~DKX!e0)A$Wp4pA8g9efy?=56{NG?C5O5gySpx<+*|! 
zO0r_a!Xy_?f=DV^TyT^hIW;(gk>tmly_47TEl&y+v zj}Z>V#v=uLaJ^Qlphb5^$x|vs9v(~D{{pxP2TAxCbrxv)2=0u3@Bpve^nqJ-KI56k~PLd24DR26Ixw8;_ese|+(DACd^)=&7c)L-)qE5q8 z*Z=PQ86@4Pr}sYTb7}{uEAG10>%}*#sy+=?Fbx*1TD^`XsNDJ>de7aeJ|wJd?DIt= zY+qwawy8ee9qV|X1Wan7wh(E0dt7BMBuP$yP6%Az^PfkhwKMJ0q-jF0T37mcrp)H^AAQh{(Ju|5!CD|z#GKbhUeU7Qw;n|{Z<2AOCqX< zNAQ5$%f$Ix*TV~-g-gCVN#NjQ0!RNb7x;c|w%tg;;PWQ@MS~~DVNSYEn##`VKQzw=80iAtU=9aH9h?;A}+V%2#ukjc?$o_nx%GyO7> z*@gvqzPr+>r4@@KWDpAD>o^f}XFb#mzd;fCr{bqnf;1U0+Iv7XaIf}A5bJAls zKl_ZD$z#}sBp+4$O7Cq1Na(J&8*bDP?Qzp-D7eylMBjpIsB?dQ2+#onM1i;J!1)6D z;J}G{@VngN(oJ@&zv>X6@ikkCf_491IJA&N-v{(R1iT911jph!GRW5cWuMR;kn_;{ zDB@!V39GiJ^-_FDb}CyLMJdAMWI&$>(6-u$b-4O`F|$JZN6{}8el5O&&%+?A4D(Bt z&i|^2EkIu|T%~O8L2)6V^;eSs1l59&wk7n2Bx9=cc62dDtDmqY5<^qC-f=%YzMzxZ$D3qhxvx;hr+1*g^|EScCxwy1jlXZPGt!JOSQCmLW*zg7q_F zg)oZ@O%CiTJRkNlqJf_3eLD7kD?uO|90B^7)nMwS~O2Y^aX`%uzExit3N1`PWfS3 zuVKFQVS{EymVO1ka7^ZVGDf6B?8(T%r#xcMja}TVQkxYPhrY9aXA_-6Exhr&%r>+p z&bbm>ZHR>@DJ_>XZiUCVU`OKnxFs`6E%sE9C^XA-kb2rSeqh^yN>X~(?Y_v(h}|yW zemyPbdg~C3($M)H3rUy=KTAS#4H`6-=@2^6l6+$WR82edKA{bi@tG@Pg_83jdchk@QDc4K`onjFO|m@Xo2Ae9M=yxzxB^*YQ{Oe6a^Q z3;T)Rq=p}z{v3CGocn(~Dy2{@Aw-V9;s=bL%yVx7ii{^5FalqyZnhReDj&D)) zd)oO*?1qmq%A9A9HOV0a6QTK6qQ6|Jrrh-_9nMTb0w$a-Cxs9)O@3r?6@H=8A2jwQ zyr@8S-7Dw4;yK%JCZ5^qUlW95zsvOIN!vANl@wy>BD}E(Kh6IkFxHU;-czQCfxy=o znp%BMaA*+VF8f59|8*49C)3$pv4#_U^_dLdt?p-BCRBgdg2HFss*;z9S!X$s?o7eR zWsTX45R=$K2SXaxY8W`+%&npdIZ9oDQuZyX)GGF$zuR`K<}gjB>A!GsIjS9XS%wm- z1U1nZ@s0fLIpQ4Np6P{hNt~qC2bN6MUR!~v*+v=~S$Wq;NDUmJw2ANE`pAz{E>`@j z9O~mDa4ktoT)G2g`-WA&vcT0O>Ewpij>ZktCyhB1Q74)cq}Jld-5c`|BIjCL;u3J^ z_gOQ_xxv)Z+Y2(3X@%aavQn6<#JBzaqSoH5**{9Yp5yr7`^^MC_W047@+54%IIYGi zzGr%gJdkeCh4>g+sgaF;F)mTGElGOK#2r&vr&RflPmxNA<)BX~sg%D{wGCKCod)JmMCQ-oLi=pIW_M+H zOzROK^_wgzB=Mibii2GTj5IxMzdOu(Gu`Mo z(2Ee(-dx_=4Y^qAI?TFgnMr-pt;?KUy^bsr@IH8&;;LHRgDBSRYJP5FJB&c{rnLaM zO}f9Zj%*&a`fTb4`W~cZ9$M>y`yQ$~JqJUkh`i-?U9R?2o4D=o02$7`UL+vb7&BCT z(4WyNJ^rV_N3@7zf-KK--JuSRtwTcVF0bh9yVFXm%4UVbDQ4T6T$l4O_uYnc9D&_^ 
zlTEF?{?q+?pUFs)jqRwsDn8G#wH3cW?nYm!`Wxqsa%wSP&QT4?G-1c3X-VwO*ErYI7&!?~ZI)w|k_!uA$V zb^FLkvIR-xCo8F@^q$^DiI?BoFSOu5yNMG^o@a?;R_Rzz0&h2iRj5DDPutY1vco=i z{UelHPL~2bt@n@m=it*zE|Nwa9NvRCr(`Dn>p85b^_#AS-wjMZp5PY=)Bt5@-0I=PFc{TNifEoXo7P^jcl!412a+mTGaV|O;@W;Z( z5#kZ}9rpt+md8XwWuS%~?Q`0__qZY9SjbG*@cYS0-!RWN1!+2s(Grl4vV&%pzo$2h zF9nmKLVNy?*+d#&dcaKz^w5RsRn_J!3fd?rP$sAzEdJ9@BW z=b_uk?DFMUY*{RPDN;||NaVJdM!bV^%5mRUO4A-RMLW)l8A+U92l|{toHr86BKMJ6YJoiZwy`w>JRBl(Lu&*OPG}!jDH! zy}LW?P|aL@RID*+0sENG6H(v19Mw8h)XS_^_P|tCPgvrTZ0cp1{8> zGfyYLfmH7NkG6>h+5F%|ODsFTnu=I4muAVE+O#A`_b#4PA~iKPlCxDPs@u2}Mcre` zOk0#JG~q^vIR8Krz4*qtP|F`t_ayrc2pwAiOa)VXGH%P!p!yR@$an)ez2qd(9aLO) z@CZ{Q(}2+BL*}aq5;#kKN^+O zk8n!<3>QQbcJ`W5o^NE1({|!5JO(c<2JK6xi)Q5?y@V*@wf$J6gLU6>5s*Hs zx+>{lx?<4^r@A((0uPd=`{DTWv&w?80!P{M@ZM5uvi}dj1BfBH_n+*$o%+#rW$3dB ztkfuKKY6+We1jza7Fl3$O#dwZ3i#YBe}6^|H5YeV#)m`M^2t?a8-E7^OpPeMW;FI@kfg zNKnM!`NgExn^^J8*{(l2M~6mPJ`W^a`racEsP6Wuiz{zk4a@p=t=2nHw%*Un2exfq zzIUiq#LYt)gTF%)?b;mNZ!hdR^Oy!;o8W*OudDIcES$iL=-u8S9cAFlHlW~1_pw;y zj*mh|lGk9XU{kJjJ4o6T#yF=jl~Wjn~@(DCK8 zqKe;Y2$2M;@eR&(9Qk$ag7ZME&S#EWJZEb&9Oy*x-CwOv%NzztVjEc>_?=z~sFfeRCx-YzXTIH*?_ z*^cuo@F4W&Ia)Um=7!ybPjC!VyURq!m^k6ft&!8@`fu4M>MqBo zH}h4Elg!Uccm9+wy%8~tw?$oq&sM;@IpEatQ&rcNqkISDlz_Sy=QZf1QS1tSvF(cMsMBe9Ox&r+22`%*o~b$P*|H6`j`h8oI|I)> zgZba&UlCusCg#E3)MsbUQ}*278c4LkO-c-|&Ju=)lgmsK!r&(64DjCj^Lwalc>IZh zoU{8Y`FI(4{%8Og?*30!SWK7DBqz*#mM*7hjV5(Ot8;TQvXD6;DZb4es&F)|>S4CQ zZwA(xNli<4&~VKecTL7egIPN<9hh-p~Uu>mB$fSSqm~@^L9VL?>5T=|n3m(<%v^_bFER)~1q2 z;i=9-4hvTt2~`<8M^|596D*SJPF^*bS&_xR{F=P(GWduIWN&%(n|8v^uJiJYyE^#6 z7TCahUd=qHRU(gk$08F<+mN_D;C}&c5_>FY4Nxg=N2FMT7;9^gO8feKW@72J$N#;oy{^sFTU0<6P33J?uaNzCeje@n+iHJA&zNh=?an}4STf6p4{y7Qn_ zpUj7`nx>@gH%9ugeGit4KL{(SNmHzqk%~fSNBXChdn}}a0Y^hN&-PuswZ;VfD?bT^ zB6O8c9>}hxX7nP;Fse6*wY$`Et5aRrWb0oijvyjVLIzh3L!=oqB@N`%=l85?2BqSL0x?)&BoRk?TB@R|Z|M*QN*vKtP zH&oIn5{IIF7jFbR^59vTEn1s2YweaX$s#Ln*iebVXgfpECPGI7`4^E3 z-BT3t9JmNZ>W_Rd`Pib%eu-Jl?XNlq%we1WK8~_Kw*A1?@LbFv+pTHlP$h*wvjm;A 
z!w$97W^pvhvV}1E6>J)Mt1lb}VArsy1a>5}1~c`luyGv~CJaPo6tzS2Vd;9s1(nMQQEQ$V<^%b%dKrP4vbWSG`H1oyihqK23k8P5!0YQsx{T zd~r$$2Zy2l!y1lXbH8CD!EcrfbT|ac)shF=Hl7ht9X0T(j>n6*^`|OLOhE=E7mNEC zZy)c~S5bS3*3QO1!=BDNa!>6ypk;DM@WV^~%agUMUGXlMp~o<_i>m&((?Mu zwY~)i6=VkzrilN1CD|hh@9%*5*7^Vdw$pSO?)^jjhuX)bw?+Rn6!RyTd7bv%<}pY2 zacjlHIxL2`Wj`Zc58u`;6g0%8Cjxvm+ig`=YrcA1=J76gYNhT1g7@nu*;ZSooU|F= zt__AN8zDaG;F{j~ozyRe36k{kfiGg;oQ}>%OSE-d77PwsmQZbhd$;^CNs(@+M?@a; z7e}_Yb44f~bo?ZH?~i{ADnaHJt}O?|JT`egSA3@&Cp)3Y9#1|=t41GD0%=b6?$6PP zI<4`p2jN2uFUIybz!$iyPR;Cxd6>kz^h1bt!p};o#q>=3ON=h=?aM$Ct?h?B?1^t> z+4tx!$2A0^1mm4{-f|aDZ5|{-PKWKW0uBpC>YyRfGQNiGv7*Tz@@w~TFeN{=8Sfm6 zv%RmIE&%RUCm_?9hfw<8ZYZ{Zw*j}qj7Io>$v5QaQE!t1TRzrX(x?`lbw_Ok7Y(C% z^voS^zzZLY`<=8Z+uBSweD^Qh+!yzVoZy4B_m3eT_Ya8u)BD7hE*<(vZ1C85$Gbi= zRmTAW-1rSP(D@EoU%=^(UO%%V_zhIT+vRy+aO=Cn(?s|%o!0wn6b9(|Hah3)HZEG{ z+crW3_l4{H`jDqA^EtU9d1SpAOfYtS2O0`3YIHvWH8t^LlDwZxUA@U)H4Skv>pRn8 zTy$J3-OX{?IzZMpekP+;Uk4h?Zrl#IN5ovc4nc`mEcsf3HSYj*efs)bB|iG^E@o|9 zZhB`G%9UEX&qmdep6i?v+HfSzKD=!5S8`q5y4Co(pH}hzZhAj0tKQ(I`$#bGKLm^_ z68ili?+lDB9sk;#6ZdDCwy3ifjM-@qnu?hLD%9kO&)xHY@b7@-pVKeQ9R~I&r!pQr zo9*bqk7?^kH2g@R!sNg=<6KJASymBqRa<5+Mvc_ zZDzO)59Jo5aep?Ab)6#29m=ATvcix1A!ix&lks9525Qz9hy8gC3dC4ZI`M-Am6~<@ z8eO#Xl;02&5Dh`%*AI@2$hAK!1SW_F{Qg2i*&)H2wCXtRjSnjzLWe&c%lzy4nq{Tb z600Qn@Z$Qz?$u9?rPDF%bpX`Yh)HXeR{M7n<(N>Y^@Ers8Q)_D&%u{EF)M+(v&!?< zoKW?Zc8!k3vT(V~Q;%fClLlehb>*HaM;=elkb7FXbMGjXsV9X7gOkQEMVY@1i#u3^ zb}o&#zP+2J;%jho`?w_I)HnokuDR)|DwT3-eL2mE+!O*%_y9b;6X~o0v>L&-OCzTt zeLG4>p6TY@InyD>9lmk%-$AHUgAvT#tXUdZsi2V;&Z^;uad- z)5T6cy{hqx&SQCgD=3&YF8fKjKPno!j|Vj@V?8EvJJP657ef9s0B+7KKq!!BCjVP~ z80>JfT2b%6^U>cJ$OAtzevJBvo}>M$Q2O@scTk#n7pL4qh)P6BQRuVCES}ocoMc2b zBDd;!%Du)?L~Uvz^sMDly8m8d*mpV1G=815FDfA+)H;Ymz5a$bwOJNQGN{Hf_@kdG z-FoIGN+>^-*nBG%`_5WbXCQL{x!1&-_P4)7VG47LExI{ihQONOyod~t38>He5Fi@T z|M^uKQ)O3yU&=`cud|VNI)^=)6MFDv3oPW)FbQH_#R}7`>q9+Q#g_`NuxI%aRW$iC zrCf~E{LEMBIp;*P&DDR9Pu+C9=9Kqbau4NUC|HX9!U@14X+Zy3Znh}$`?4miI3u(U 
z(@q-`t40sbz%wd$LzTLvhMKA`B=IYs^yp_uJTEj}g*^Q*g|ylzOfdvh3Jh|uLq~=c zmiMxaBj&LQWP#dc!%8JDX<3vKvV3#LXC-R_blLLtfKGX{q2e}+OM+Ob-&dD)OSj_D zXwl$KGm|%?#TY?u%lqE%x-q;JWXmL>iAkG;9OAZQ*KB%2loiFoM!v8oQ0`QMrS?q< zMZ%#>)U^#FiIQolQZ-Vr^)_*?;w7@eKze<#?#2s><6m<*9t*^=|0g*A&l8vz8%enT zbMBq~@7y~H5QdLY8~Jp7v@f}HxDKK&YFSG24uZK zyXH|mM3U;03M-Jw-Dz#znU@W4Uyo~~YfT_>5DlvI)?=!6kz}`kZ;=>)xVb{6E7fs&@T`OwFkEVj^K>2Llbqk=$5}d7` z^;|H?#|6|~SZD@8gZ?VQ;+23$n~ke(XXkBh;HGH$mX`$hSo_#UuDKYzLoYwyq;Hi; zsn;sSdp6aT*$&(<%=$PZU)sD}d(7sa;=e25IBYVt^8&}eF~1KzYzA+(=v`-b(ywwQ zU1xVaJuyai8Z^YX^4-Pus1krJ28fo{-AbZNH=M5(2?#yzJ{uUDR}Sk&j~YHB&f?E2 z+ZQaatebUh7c*nlJ>=brWOMy}9vju65r4sc%l z)lOUPye$-*9hi@2eMlyPgYJ zR(=9I2IY!2+nuj7oGb9ahp%vMT9(M?7aU%w#N{C01EZ;;iXlrY5^RRr1IWgWh8QzvvfbOg|B&Pf`Y z4T_{}VE-)O%ftbX2xoeWO1#1|Mv{(6vVX}yqZIoUI)Qmnc;Vo{omQVI7FuN#tT;Th zSG#Es+n|uVBH6N8_W0`Ff+N;|uSrY0Vo8l`&po~rC^vIP6$NQ+x)I{fMoe~3{*}w6 z%lcGH=}a6!j}k+HN?e?8hqLULo+2CTDv}8)I)*I&n4>85Hw2wTB(DM;VI>wEC|=!7 zEA>$h3l&Qgu^c@Jdj44($4V*$s-oY0t;RH1#|q z*K5}MI>9`E<-4ZJ_=R}V{d$HnHWO{_Xxk-`Z#%>0xBETRU#nd1l-?NF9- z)3VvW5G;VbKZ%!RXr(08r%(PvoHCCj8$3RDai|YsW4;64dandw98}s+ekm+5qqE^v zz?BRU>X2PY$r2nqmN>>7kP~+Gf+?Oajbu&ufxHEa!gXLeM}+u$WSl&I2+E!c{xkJC zR2fE~LN!n5-)S_XH?FLmi-;CZD01ASnRxUr5>H?N^&%aOY}<&;{J68DVIj)0OzTXH zv8%>(JTh{HyU%QVhz0-fkZBdw+=*TSdTl4A(_Sg_e*Lf_jqPzwWDuqeEk1;?$3L?{ zer{%0q}c&QCL!+1lO56Y%D3>0$wco_4$GH(-otNwclN}k)X+m}eUdnRnYe!k_+k># zDxiye*mB`(r`g-;P3A+~9a&{RQtPB-HR93uyfoK@D28?FSM+7k92%%?RXZ z#al2$ztj$R|C&0&Dr6y5QqeE2Nz0zpE)ZfDis!Qohi9@XaDTO2EE$ErM~K8YDM_QP zCTbHJBm6yB`W;`Wlk;{wcXPhu^)FYt>|l1t{UWA6^5*`;AZ+HaDAF}J1G&*oVOIC5 zr|%=R<}9iO=Y&*wZ;LxoYQl!YC4bQ!1;Wc%TtYA2YeXDR_LFx|aLrq*8+O}vX0y7( zAMT3fYC3%>n7(PLU9_MQtmcFkHZ|w1t@JYIKF=>oR^u@v_`o|$t;za7_>Zovyu}HA zp8^GTgHHg%<5xf+7k$f_e3ryzYd3QC%T!@-o!XWvI0H-w&b*cUbXb^sa#DOHl&wOo z$a)_r@~*wbd6Pfwx{*f^`gZR0Uf1X5`%DWNq6ke^{Qwp}{<-(dW@CnPs+cRw>!?7z z%XP{(asIcEL#c2;}ct)uH4t|^wJvujKd&TGx?ajsuKK8DeLXL1>@slwr= zW!K@hiOFGzNd4Wlftq?UZp{0B+@p!ey}J_pdutQC1nhh|JkufpOm{vG 
zwxO2Vvb{Z^QV+v$QEerv3+#-xWo=$}Zl5co=xF)gmSU`x*{OSZc9P5MdkceBB7jcw zn=zHlG&tFg8wP8(Yka1i`vGM-@0*>}c0RiW$#!qU{A0uqz1RR|Z|{{*N3#b&Kr%l( zq2~*FvQP7(FV{xh6xuEXGhEq*+l|F_d??OSv&~{hK=oBy4}$zu?V-MJ?f}XKV_ohM z^`TKRX}Z-+2mdbQ3g9JcfV{?X#Dwj{o=~^?l#utvbf7^{AiwV$!k=i z+UQ>Jwxq4*N!c_Ry*W3=Oxb?C^`T+mI3z4hzW|Cm+V1siYHz83+kGeDyBqa*=m1&M zAPQujRd_uKSWWR9*uCz_Z?b!B45{;!+>2>?XSp9FhhCjsw3sQlVQUM_+=iqc9MbpHw87 zg)1M=tDN7OP3bn8{5<9E2`!PRsOg^8E;buPC@n)v`*U-B>O1(AkN}69xi->RMqXlP zE^k(KwxrmPCIan^7TyG}cIsGbJ)551bjl*ak<)NQzH^W*pFFMFe1w+i=Lhd0u2Slo z;1^L(vP_Xou|arC)iEXZdUCoEnkU+=eLO9uR6M4akwCfxOLKIUtDhrrq9av+wsTqOsCEc`f{=G8MBG7IScER4tSTT>!WhhQyDIry8(X zJOcHRZ)T%owzY<+i%a=HijD}aFdZeFfjkz(0*R4q266(le{sI1anTAj{;Jl394`^R zQnRh*2`#(Xiwx}Tn`7HzvQQDXEv}-dB{YSC9gJv?RRNuF&0dc4%+4$-V$=i4&ZAisGyq6h^u~;v)KO;Q73z-}9<)GzAJ}kf8-Sbz8@y*=CkUY9(l9Ht9 z<>5ZimUnulXbolViXM_yO+E)o>c>ksYi@{e3ml#p<|1wfdlH@j*A}{s7fqM=`=i*`n6Szj(jKAlkAC;h`~}@zyfh8B;+a)RvaC;79(vuI;lGJJ|=Z^oQO&~QN- zhG?V*b3RG4?-#e*{0-ZMp3olsuk0L~k&<}N?#JIye-V9&?p6;pdT%$>Hs!7{mKQN5 zf;LNec;;i-pd=oDG-UYq1*xcdzO>UyG_lw;Rj~P1U@>ym3}@lmp&-In=abPhMQI{j|WsZBxgH&Kv#|`Xw7j$ zPzZiyK5Xx%o!0dGfdvf^7G}^WtO$NR8LxHE}~XHb7!<)%mrPMB+C;hkqvqu z^CM2e%Ei`b>oF<${q~hK6oO|v=;%~O=K!o6lP-v*;jZ{6yWDKfe8CNxoPWy8iH~*B zjlvDGzFHcv;;H=+Ace6mpx6r*;)ggxH#5@~`ngB<5TFwSrOTA48c8~5Agf*@wr!S1 z$*F!?|LPfdO7DNpCdkbA;1J5O+dl4fA%UZPfE}u)P!xhDBHjDp8GeP5k;O7MYcmKm zeK-4G0O3@%v>gHZUrC%z!B@PRpX!Mu;m2sn7VrZ#gX}O1nnmP&>H#pvcC>W{%pno{ zK#k0S_RmqcJ(~ot_~dc{(LO+ZPm?^q=Zxgu`+oJgYy#g75xLqIP{hUn?T=VvlWCZb z&n4Nqx|`M;UF}_Z4#+H>J}Ug2&X+e+<&H}&zdZ_uD)Ej1{D&lNTiTiz<8yLrphlCc7ZY%a zldafH;7qVSakksUD;MdC%G>eY)U>{a&w&5q8GmJq%iCqZT4(c^KUV;d_w}G_ktDl) z#ICwK!l^&TuEVu#VXEC>$;hrbz8$`OIA2fW?Jz zHTK!6+c>2*9_bEJg>pV=?d1&3E!I)%IcU90fuj*^iGcS4ZZn*4747>TTbziDW#811 zxO~pGU;hmWgn&MFrK_lq)}NlA$KljHk0epnJ*Vn?T}G3R2zlLa<~NpFE-sB0z0lB7 z5VOIW|36ba;=oqU8b&WG`>AX%()3P?4j7fsN1MK{}JyG6!mN;#IxQNl$uQ&6ivYmWO9VZ>@ zu2y$;=6vg}$nM3q1K+xMj}|f;8uYfduU*u&Q?p!_!a$pFSMRF>Ew?^Pm35ce^6wX^ 
zyVGvD>&^AbAV2D(WcEWj?LKVxOSI!Hm&krlIrsC^!E}QV$!;J#DR*@za5va0?Y4#QSCwUj#MBZ&e_>K7+x%( z?Bny!is~O-Awp@e)Lh0r{USIL;^yvSs}PUu^X>|aHUz_gC~4{O%IADk11b`p6#hWH z5Njt%_|}|3s{%t2<0*)soSQa^dLWV;RbMUAni<-i6d!}}H`EQWZ=Dn?(PI9xVr_n0Kwhe-Q6L$1=q&i2~H#3!<#qj-uY6$ z;H*_=@2XvuvM>VyU}6tT!ca*TOr@3Ew@#6O=i0fN=oycMG$vfv%zr)gJDCw z(p|p(!O86Lu$@3Z#}y#y>8$uGxRC@GXhH{VJJ0DASt^K$iP^*AN-xZe_fsJ~qagH* zOGkdGwPaISzk^kiC_qz|ijU+30={OX5{Jc>T3(-*X`F2NkRDhOrshGDdC*#y#86f! z8w)+?IJt$hQlp(rTbe!5X!qh@z!^kQMB&VCTF$%CHTYAeDov)La9Ff9%M9M)dO~^W3v0)hs91V&J$R5gXy&`f=6l zN!jmv?21p(2Cq*zzy1?T45=zvNmZZt3YS5zRoSloL5;=T8Iw_)dQXLc_uHeGDt?M? zvSdbCv{Pu-rrAc2Eu(`O4l!8M$?_{VF7S)BvQLagi%_FDDU6o0AhZIy_(UOoFdtHD z7uBMN7W~Jx`6m7|(1aRq1;2&3*=M|42jY}xR88dDNlwkqEWP`WF`^Y(tosA>kVCYN zXxBu&nb;&wloj^Ynq5}pUw2m_mPbr%v5BH?mxFj!@_H?FaRuAvyo_z#33%ACVymnh zjGs}Rqt%a#I!cyz__>R&SB!=GY3q}KP|YtXYe~8cc57=P6Vl=BqEW6RCJ*5I_k8qO zZ%!dI(fnobut?u)zIWHw`&7_zDOkU4vrtu<;p?*S7w#~Z#VHG+1p1ht$u&}4-zzB@ z)M+0-5DLF9h9^75L{>$|>&h&x(b9Dc;n%mBvy4iUtIqE>eQknPXD7H6^=d@1_$^M% z$S%Ax+ZuI?HdT^qL@nDI(aT(PEDxn|f2BrEQ;x6A3|&I*UW9Kj6E!^GrN}j=h;as| z+*w$~zN{){=dD#07b)lX<=MyCiPl@Hy|fhg`5hQSg3!5I;?=0->UPhUxSuGv5EnFv zrk3SQ^5&tZl*J-K;YEt1A40kAYU3j&;B)=9lKp!Sja~IZqn4gVF{4OD5vytlmqAzA zUZH`DOm!2R7S;qWlyy2yJ~&0ES-?H3>MWq$l)Iw}4>DP7+w9-(YwdL>U(hVB{ya|> zc#)b6=|@os8JR~e+n{pyDeGNHR#Fnv%yjoUH|Gi~Eq8NkxFT1SR7psp5N?qyZua)? zTGl~P@&qk@`WlSRoO+(5AtSc7!;WQoANyielKDTQgc-OKj~jm655!e`1Yf zKy`SCQx%r2hf*1uy_L2p0R6dV7IPgrn8_N^2fu+mt&O z#@x!1{vU_8qL86BYKt?K_x57GVSFQ zd{$}%-J){|)o6kOs8*gO%SLOQ=>Gz!9|22hH|+CX>n$*l?p6-G?h@Jj{CfTY8%q0? 
z=0}vMa42}-Gsh(wF?Iof>?hx!8VNn0U#a zm+T?+--?@riWd4O9uR8w`;4u6M!X;fmTB-Z7d)+?ziiwYzVnoV`YT`P zNwcM%>HW|*+a5U99T(74LhieHkKjzDr<&KjH%apGkA-I|1LOMR@xW_{p!VU9qo_$3 zB1`|S$d$-R&22IPNykOklRU1y`{R7NVe^IdQK`1SMPfcEfWpT3?&$mKm*W}<$HsFX zFOX~VqTU!du9LYq?{NyKVsJ0`w!#!>Y1{!W#k}4Qh!p92KB%4GL-kn|ylY-0*6~1m z9kz?-6n^)9@jYu4x+WHWe!pHd2-rjMs(&r%Iwk-FSXZMGv77(R+g#VBc#dAqb^U1I zt46rk^17@V>vcP-)hBen+}C$($FacM%(-~BSymQwc~p2DBGI$+JGVSt@B%CtJGL;t zbKvIx*?HfU=)P)sEZ$DuajL7acRr)`s`o$6I*c1PR3T~=dvt1c}o5GM_{w3;qQ;~fi`C|M$Q5&;= z<~5!?tqI{E8ZAcfa7?1(&Lyv<6E!^3(lcyGH*IOOZVt8VgMGxbV{Hy_KwW2+$GOvR z-@Kzjy{Klkw01Dth?P;TTTt-;is789D7E00Y0pGM zwc84$v^=akpU~QUbvGt$eiJDjLBjts=ZU+t-<)uEL0f53kEBlpbRBZx2avhyd1iZF zAmh(+m$tBu1NclbaK0(ky%sQNP!L-yiy=!>xJr(>H0QMbrZt8tuMF_{!!0{^oaj6} zp4^3S?5{8C!)`>9uEAuT#8TYIdH*YT!Te7E8+cD6q%_Ex2gQ8*y@DxHZ>kx49-~mW zOcBx0@e5Ds{CKp)5KTmFQvUBu&9G;8%B&&{v~N_JqUB-<)QCe#+T^b5P1;0rOuZaf zn=8|j?e8w=_-u|uB#rV=_EUxxg`{ku7p2T;%1}Czlx1U@n<%GeHXZE90u~Z0Yb&hv zPmKMms^+Z%bl+*h^O4F>ETjtbQCz%Ja2XlC+d^t%r#cH~Xhth8;4wf|>BZW*Gc3#T zwIH&syAHZRa$4Pker4ks!hIG2`c-DrL!+BkBNNd6)Qei(a$maS+9O@YL2wCaRHzw79HEh6#ufo_yM` zw3Yo`;>H&-Pua0Dj-C>Y^5`0GtF)!*gs;^VhyV1kKPS^1j@0t1WX7qLHDnT2s#g7- zk^$IQhRlX=kAO^()k3p0UGg~2OP^kGt2)6Zw`@W$HaD%()P$<|GlL{s|TP%(PB>x`ULG|O_9atrSqbsUx3p^dcZbF-{NV?+(+F;5n4*`Mc9J_U1Th1nV=Dz~jWSALg5q!~ z<^Q&HHfOJ(#s!_-vnu7EIGKvXuV@cT4uE5e;U%3huM7t??iDCLzq4cg8%g4DZA5Vl z?hJ_XsI60$kqx1SVK-?BmP-1yG6NhmPxH3SwE7R6fTas)?@0Q;T)P2L`MSZ+7Q-|j zG`i61j%5Ex-irY{vMJ%86ibR&44&=@AS`7IdCvj4?cTD8UR*x?o2qWC6+&r`*98+q zY_}YexwQ+T={Zpy&E1H&kG5xG>sP)f$CG$YCPg+(9|a0NSYjA8}U< z+_v)s4B7dEit0DP9u}~B(;9zg?Onh{Q}wYdABfah-6vJEy-i!}tNtBK#@;5KN+g0; zzievqJ>CJZOpVjGR{4D^`=~~Dx!EcK8`Ske7ta5-u(_RvE}prajW_)IJ=Rvkc~IJg zn4nn#=I!E1fOmjY52wzvC!S;b)}w2;uRytr{6s3Y+6 z8d^Q>^BqN%86zyj{(Du+eiIy9zjoa!#lhngoa;4;${&$7+jU+VF*mhp(AxQO(|Z30=&<89A8K4xC-<)Qp-^HSI}cmQn7tMm1hask z807F-8kS3blzg)6F!XJ{9(*~cRz-Dyz{5}1kT0#&_VOQ`e@Tg|tB?d7%g;tJ)|k^p z4OgtIIBix^1{|@*%mdY@9uT#hRC)Bit=xPyWTk;xH<8y?kA0P_Z_|Uu8ny<+eP#nE zMs(>uE+|GX$^8O1=IR@cFr0+*VQ 
z`4d^f_A$#a;heyO(W+FjPa08hi=l{Oc|wK5ec3Gsz95A1M4wiNvqi2lmrJ4nrOTqi z;3n*lJ zyV8#8+?krg$@yk{*HII1N6!yoQAN6>Nt&}07?opZm zk;+46$>0P8;8L0Ws>Z;9LnxK@ZZWepZ>wUt8MFVY{82Vdvwa$hj{mB#Eh!YbCM)XA zM-Q)3>8sbB5iGLpZ)vXi_g_q^$wrZOv1@dHC2b)}4HpMDQY-#K9mV0zUAbh{Y276) zxHO36{#_LvqkE24uZrd@`JHRMa66uK?ARz7lCb0>|Vk2|q^~>dA|& zvaT3rW&N9xV1yIi%cjd{j=lxu6}wIRT$W!{vLeIDh8YKbD^k`~)J!$|XYCU$l008y zYHgB+WUhCevH1=fg0OsJXrO#!+z7$Uy8lo=Q04vcJ|CK%2mCMp2gJL~^%7=e{9R`N z?mvRU)r^T*DIRIU1qF|V9-RkdbHbxWQ9R5hMggYf+GVQ+KL^r1rbXGI7GY)+i+If` zEL9dRTO%GCq~9{+4DbRK5d3X_A_&&#kQby@Holxb>J%a1hX0Qg9=5I%`QA!rGz)q6!O0m4-MT>UnrLi4@rw zSly6%X^G#H!GEW_zmHnCB1R8o(r3;i5dEMp6Hla2FqEuVRcuJ1x7dhMXTO%VfW=e89Ot3l&OqkJ zM5qo@9dM&4->O^t$gH|~s31N;6|G-qqVOlBAy?%Lo-Poi`?=+w{CRwqKS8BkEX09k z8EKhj{r|xMB5V}->7P@P;mZ#ZV|l-YKxLoTI6%J-c+ezd*cw4vWa`7|wEqRQ3+)9p z?hhIa1*M{&G8i}!M-Y5t&|`X&;aV23*2C43EHi(s0y3`zfZi7jS^S(5F>wSgwH$#{ z$|U(sx7-&(Ak2g9?u$o`ZDH3`WE25qJ+Jyfuk>DQs{EVNPW@h}?CWCeCE%{~4o7`o{`R(s|YUUM^ajkgKO>Fs^Wf6BiBpY{sW zc{?xW*Ej7?;MV$&9Pjwv#dv9NIvq`M`{a>xcbk6rI~q}eZVBEzjv0Y7<#_>Tk3wU| zQVI@tFS9B=W}VS}fg_j^1|FLc-F^im&YMFrdTu9}3*;nNc9%&2j4|fhecMjAH2$N> zrSqE}@Gd_3?Rt-E%hNE97;Z93R8-c8s%A7wD7-)u#L0&Qs$F^1U#Y zFaN&tG}B-6@7xV=-7~)a5_OsT_8j0=?D>zY+;uNlr4?l(THlQ4Ecl~d*A=v_UxTGH z7G8dJn1V8g3q~1&yx;DyO+H~ED3H0K-66x8&G%gyJ@@avc3EoM;eYHBy2bSruE-c- z=`_tIdg{DS!hI#Ue7$nxHsTCi_l~fCxJGwN>$yDuf?Yu1s9CURzAMP84Gc)f$R7*b z!1=D!=XnxX5RwQwwIYYrI&FSaxw8Qk`+dBR<1@ zZQ}{B)kJu3+0Oo!E=8Q`kSn$xneVhU&t1vtb-a!)VcZLHYy735o%ZE6SXp#)L9UM8 zl1ODZMPxs!k&ucr#!NkmfK<7p_Z@4eLnZ*O+~eO>`X82#Db=xaqRtzwQG8m_RNYJ8 zCa?G_P^XRBiM~+uUY)TWaj|J%mXNXIl?`gjgzaW(nP9mywQil4bZ4r^D`>$OLCAUO zb!DWl4T$Pwk)bt0VPvl-Q9Po_S^3 zz@mhE)-NuV%PkNiyD)1&NEGmyG8DVZc_BoKm#+n>B*83R!7C$5H;~2`pNUm#->*Yt zk~j3R4PRF3R8X+)B)LM`Mh~=b#Bpd(b5FJ%R_J)xe#66yywf0hkY-XSeTdX4Yq5{0 zWV>5KG(o4au7vH3vLqk^z@Ew>EM>OX=p1V@r$GgbANH!9VnEf~nQ}6tn}uSkMvP~i zIuDpXv^n5NDU~rbt6#6`eW52{4lRVv^hD;x22jv*9ZCv|hGH0vPi36Ip-`Xzn_>&N zdTrG_0>#T)e%m2P!Lyqctmb$|FlyoEp3|mYBMS+q)3pz?xPngVeP0ibMM`ycu150P 
zhTa36H16y!L=e>-L3<(-kT3B|Y+FZ1#!x8U{)aGW);h=U=a${{;|ck)xhD5 zy6V`r(rhmcrnJQfkkj_(=4dV=H&gLUXiE-N2r@|iI!^8?9<-1V!=}jqn9%p>8&EE9 z$?}LX6@x8bo2yc+%@TUl@!FWOv9QRXJAS1!gykhM%QRwbs4>Dpq*PPIoNQ2ESI^JK zh{+Qd@5{t!Ok#~w3dZ%AuI-$`38RK$hDBu~E?96co$9bx2EPGGq%A80Peh9QbHNjM zX9YYOY7h{ZcGofoo9g84)uPKNJNb0Aa(&5mtG_Za0LwDV-%t&{zAgzOzdyRoAnBzB zX(O4;DW5FH7=$orH;ef^#sKW+pj$>;QyDky+{fYau_kN{!!K+H9WsW$G;lC67nUKJ z)0r(KsG(l0YTS`75i#N~dwW}6dtjARCr_iDlSB3I6_GoJFr{e{1z({B4sL`k^|;z7 zKS+&ec!5-&hhIKp0tPZOy_Hd2cJ6XGIVDNRfg>4d(79KRiwR}YdY1E+dKXcz+6-ek zlLgJga$(AuiY>SJk0R!+<*hYN{Qn1LiT&4L6U0*RK=WImvGgZD9|yMYGJXYxF0vx4 zu`2t+fCq7;!DR3VMXVX1o{vCf@M0oM9dwLimhX`nfsr7c@y%85;$HT3cWnFome5J9 z%%mWQnK#hwtm`9t_3CyUFl)uUai1$<=si?C^D!`k>wP!p#j=|pK;OG_JDc-w3-h|$ z0rWC`Y*#I`;7IH~-$R2da&qXu(rb1-*t#2c+hfe=y@Ya3err038`a@o@9 zwihMC=yTksLe$nLSKGI^eOIY4|Mm{lCpe0)MI$ia3cOOPXkGDkS&UHWGti^{GcnZn zwgqH#S*n^PdVTHWal&NbUuWVGP4D#s3|$*}#D^+l$K3R|fa&UI$=Y^yW1`y)?Ptp4 zbgx6Kh>b6Lrd_K=yn$1`HU3x9-8C=nP$DD3=dpklVP&27QDhu3N7%Z|<}HpXK`)(~ z&y{nu!D~eNckm#=Gb=2M_atb(R%TP1_nwuE-x*$2H#^I0c)|64Cx@^@0?O!dUw?Kw zrVenC{yqP3MXep*YO4pdT&?0+(&oFDcMd-;#PVT%ANry2z1OeW|5v_0ID{%rpx=Fk zZ;z-t(5zX&nALb2WW)LqTL3xwT}B^NO6DCP<#(x{y|u_|nJ&W(8gzOB>_th1UTW|7 z=jdOLghs5 z(l+Al%|RyzIL46(Z17wml{K6jjU+l$L=)%f8m7`A4|xzazrhf;ty$#W5AJ&{a*P|&02!W{wZ2-IAoJA zG%_Jhf6c)AIX&H!67{W`BdJO=$LkHloQ~wmG)Yf`BS(^YP<%a6RPhw0qVm_YAJ)vR zY~F%qP)V>d-(odSMNHM7`4YevWTSfVmi2uy36{2wL<`G_ri@iMViVoGWrD)b#-Gd* zVd4~d&J`GH#mWchS@1(v?oZK951*=~P(KCt3$4gQ#_7D_%kl9lZav!h0Gl8J`~H{) zECRls)mm)=>o%Hnh~7CCrCi8K=U=+0@FNK_6eU8rDeTk?X3~wP-@9XbAc4g-WlO`f zly8~VN$}2!xbD#OUub{7ju^~+i7Zkf9pWy;88y*LH#baes$sOCQJ3Ab4aTI@XQiS@ zY5IX$*PiXkT*c-IAsbnudQ2cbL_musY13fUDA!AxdHu^y)vRh4hfBsRq2M@7N)4;~ zn>}o%Y$VLzplo%GpliO!45gA^t#IoMaN3F%K197mJdxV9rRP6(+y@#MwaPa-#D0z! z7^uL@3X=U4mtqQsK1T~pYhFYst*+!x|0<8IkPO1TB}scfot8O$*ND1WR7T8x%>SH! 
z@BVlG4SXiC5PJoW^O@Qsx|dg#Li9S(+Uli*FBVGuv1vTysd6#j?Xr0=n;N^P)6Hjh z*u2&;pIIDCgKS%*T#6xY%)9dB2>Pttj9{9MTbIvz5HA~D3F9u;X`m%DLvEBCzB*Ie zs0~FFd+E>|hpZN_W($Se9bD8lz^V zqZ#e#%PUXcmWgZO%4)lMDcznLy&#&%{Z-2rW<-%cti7RwXY$2GlZ;%82g8`r{LP`; z7=FexJc5&Vu~vmO%_jY*;)iIesUw_b8N~7}RLy)8ziy2hL~+#Y36;>e82?QbUu=#g zT&znusd{>nrHLjQtOexVLRKQdG6Ve&&3DrRsklq<$GZxpRlz3}|J`{%DTY{GtbqSF z@wVL(m>s`Jm}!S!W#H1&ur=t09Dx(eO{6W6i)+E^bmZr)?viQ3C1Nw*t6UKJ)e0^$ zK};YOEs0{*BDN&ktJKf>*MTEaB{Y_-1wydEiiOza7zWQ|ygYK>8olyD+y>Nb-~1T8 zZt=n2CH1x)B04%%J1-6m;rab6JE@0nXbQ19_Gr376Uec)p1&mrbyAw;62qE11oNyp zt0gpQ#Hn+RDqCXAWwv;ihk9#JseH;{DL;?WG#e(k^@ZxrY>VqK{`?_5*Y6lg8_kJ7 z_f(tk%%LkLvyWkuAeLWfAuC@qQeOJ;g{alRQ7`tFW&Y`-UlX#LdU>|xBD^v2oYn%~ zS?(pR21;Sa7L-l!6*s@KR0Ta#7z4jIVgbD4innF1)qjB-lr5_E)tL4JHggO7#=f5n zx?jniy?I@JLlr|qizBBE5Bwxr@JL`o*gzm$(jWMTV({k}%m;klllzmpf#7xBIsviS zTTFGW^Yq$l9B?|fwJ+o-0K}_|xCS4d@nEjb*l2PI3Ib(rPP}x1?b(^xn|8TBCwBv$ z(h#Y$m27=AU)@SaU}C9=843jY@f=zdRq8fDhY?&pN2MeHe(<&XbAQf15J@!%{jKM& zto5amhqz#JM;Dr4y?Y`n}ukT$Bd%4$^yV&fixq_jhl*MSPg}oI%|y z2Ohlp)&-*e+VQUo9ML1WG|;mI9HHu56aS2uI*?fvBv=y>ay8!gSNbOMWu<7(EzQVo zRi7o`_3x4NYs78fMj*R@AMa260Gm~z(TE&i6|<2A)AN9DHwhbI_mr@MVH0Nb2hgfM z_r_%t^;qN%1h3DcT>? 
z>s#}DGPV35_3*TMgCWA^)z6^}ek^*w@+AcNo<@D=F+R%;WxjtFdAyw>eUBS5(&y1N zFtW=Pa1?k+Aae4**rR!GckFfwm0^L~(c-ot_PoxHzj+vdpDbg3JIz|Y<3a7c(bunO zUObqt_sZ}h=y>_df{n`Sbz`T}Vdcc`*U&if+y=O#+b#1Q9b+cwX}H~RtM5KLx^H^h z>ATJyGXS+22L#me^sDtft$|#iL0qQ!(KvLy|N43d3+JHj!SDM$&mwtXk`r+KT4009 zHdy*^9vG;;fB%BIUdBGRdJW>~_~Ew{Ll#RP4j1^DEw=;`dHvLMEw_CW!jH_42}JCe zE5I3u`y!0S#Kq8|RT1JOn%O>I3p$JzA}Dxo%!EQHGPYICsI;V7WSP-`iP>08h|HYc zAz~Yjhn14d5@j(q#44TYRqT&nhLshwC0pq839yHL?GpOYrVH7mXlf|qWZ{>rRaHSq808D1uZ;Y{U*s*&n42 zmT%-rIWV1VDV3{5UAR(=yRo7b&DMkZJC9$nqv3(fV@QqLNSU2={PL?-xw~|}B)$1h z09@RrTE-E7n|M40118$mLV>V&(6^h#0>wB2i+YwaCatXg?TgKRPNeYx*jM zG9%2juK0%wC`ftDUgn6f9^Tq-qMa;Z#?yfviK`cpoF~g@JeY^AeqU&G_2xI_sO^<4 zN)2jDv#@{1;A@q$$`V)LLZ)KpY zAij-2L(086C(CZdv>at};j6_2Wwx8!C2uP1?=deqU;e6t3otfal2GOS|*PD{KNx>GIe7MYwd!V<=qamAGjP# z!O#7eg7K4Wb8Yn+c`ihZt-!houJ@>5-2#w^GaviBoR=!o7f)l2S3G-p(r--MNMEsC zYuR#es^|pFD2uixb-$f*bPqjhA{IVHt$R?ov;>e?V|1X71 zQqx4DDMQ7oRvLoPf)2n;g_4CX?l+Ei97eDD7JI zeDgjA>IOHQiK}G$ZGvUw%02Oq8A+5YBycUTzUE!?3rby4eLX_4x$+`2D{w?1aa z&4`!;@`b(H-U;XtnCO$M6~8Z`C5Dj!*s2bmQ@*JrAH*AoaDm(j zcQS~HsyGW@!tuw(_li-upRI=;6+cu>!_bY<)m^?{KGA1(0BT!u2)Pz0YS?R&gUEP} zvPeh|MH|BSRcxr#b0^$9WH8>sGLXxIxd=lf7ozM1EKvM=Ct9ugvSJP)OMv#akdnK+ zDqR*fk6L0h2U5_rpcKP1R;)OCq(B3KnV~<>7|E8TRp5rl{efBNrx4JPDeq=9cE` zzGnUxV!?E(SY$Zz;Qygp^?giGvL3jB3I}-p5%G&IWYjr_QX~|N_GzYi`7~2eqAZed zL5Nq*o{6OUzYzd79|3QDA6uOa#4QI@C-0UAA0$3M%g45Xk76q$GLHA5N;d{idm3r@ zAl06O5?mY>kZBl6N?#S{wRAkXBfM`7{PMg>u*%zPlO1#J z5{aNiY4(btL%L90AA!ErdiA@9w()WNRNng=&4w;`*6!nI6tFYqm&^K>4~aKqEj z`sYl9u*dSKPl?=r=ve!n9k;&C|L7NHkR34?$i|{_4cG@N{p|zx+TIQwDSO=1`dbm^ zE_T1|irn<%q;^@~Y+d_%54FdWYP7>qxio4mg+_FXGT`W56kr0K z_Mra7FQiHT?tii%)3*JRu=st$Go8t)>-CS+O@(rt{$Xz@=~1p7?v~^F2QYSGOTRv+ zeHuDi#M|ejuzbLqKxVbibLQ;Hg~cBD6T%Cr zbDAAV*Zq}8yYa=G=2b&AxBqd0LY&`KS*@{L?fdOJm=_#4^4w3>d=l7K^+E{3Y-AQ9 z3cUIYo@UhUjb}a(L*PJM{git1H^Ai&pA*UX^c2$pNiLLn(s{_MinrK1jnY!DIJ2By z295O(H1sb;=63WF3q}EM~x7Sg4Gpg_@<1IO>k`^uIi-N3X)>9)JjfNS zv9lG^>>nUXc|2suv(2!oj@vJOR#=#nZk=m3dn?=X9lOIV-Zq#%$YW?Yn=-*%1kYr8 
zt2TV-k+47rhdkMJQWw7_DlusD5wXqW8Pvyagr_4aDcK%tV%i;r`M`RPkujoHRN)P9 z#vNRxL{|-v+I|)MuECW&Gs8%M7@!g}9mUIW2XiJ&&lM#ncQKMVSi+;;qE%t7pyztf0{U~Wi%>u;QomfC(Y{BQfjnV9iOVo zgupN~^IBI+A)AE~GDDrY(qjkRm6RtI`xHQ%HJPqdhczI!2}pi<+Fv`R9B;8opmWrb zAIr#@I4+*Ei!1J0k`^ua9pXcr1*6@iS=-JYDy@7<<3YE$qNX>Yo|H0k-?9c5?Z0tj z+cgb@=N#9!=^vy2{Z|VjDw*Slg2nixHEmXJ0Y0~_NiVy#zH&V`*F6<_-syVH+U(S_ zdlws18Xv=|ZK~AwFKS@F0CZH=xXkpRfa0G`YnvRpj`$fiTHc;V!-U|uf;Y7KmbOfl=6y=6R&Mt zw3bXth)Z#CkuEK|tz;4Pfv0}Pr1enS7g+o87W24^1cDUBw%iJ0Dm6b$Zffi13-OlR zsB=4E=5cQ7*f`q3>|~oc@O|dB9+)V-+xbX=>+27pf5H; ze=Pwsp87lI_u0`|91+GXcRQ|3j%J8FMWJh+CB_-oKU?$<9lDR-cxyQGwthja-TR3x zbLf}w)vTV1J7a0hluuO|9?n?);P>|EWzFh|O_RaFt6o2oN4IX(+!%V@_!7jo`49VK zjE%G_{Z_ho7t^+pHL2IJR_?1%YgRdQ)YYql-V9g z4z_MljC;YVtYQgh2z&WQ@2J4fVE@lGvqT}5VlhW30r=Bu_3kj0?|f85-~fD&T*F_t zauP5Z3gz)TaK1V>lrQ(#6Cml^rOnn2V;_~#E-Ruws-mvxe9oJF4liZ4UAOALHdepPsu}hoTxw9YrNt`W> zx}_uXV~YgZX>}zDmPVxIv{mKWcm4g~`F@t;glNO~GIXcU`y>`y*_RlRq?EL#(UfPb+fmDyh8pfLskvym%iTe|RCzVYHV^EAx1dm8op4&QI z{gr#bam3BPLwG~qOakKhkGNSH57Hn`yiJA`e7lpXe`ubuz6cuhq%4XEQ^1=p8*Ra-Ili9gzmcf$veQay!!BHzd)a@fa`^ue=2o9 zah-1?kk8IgZ}gweeJA*RS>1m4k3=|{p#(l>i5TR+9V^4;H_bN16EBLmD_5EcCkA3t z7z;h2UQV1Cbe)R5U3Cx6tP}Npq+5yjxr|KZ`#hH%B_M8m??)kYoy3;uahc{P__)p- zQ~o$Rr@0o{22LaIp~lqW7S<-buj6kT1!^ht29=rem|Io?Db=<1=UC z_2d5tz6trC|2%sTnEi9|RbkVpDlirS(|t3#TP@oR&hh)-xi|Im6-^696ui#|oJ+Fd zyu7P;K)grf>ME}xY%t(b#hebcRw4d7ie#rZpXA_bvh-rx+(mF%Vah)HW*@FfbXktP z$e^jnj;r;Eo<>4r{w+zz>2kxA6Ncc+8uWUipt8Wa37JBCc;xDZ5{BZ^XLv~LJr!L= z)L~23;->xKgoKv%Sf&rcukH#m>>ry@9q`7<4)z#nE|#p#wSGHUY3PqrAXa}ni2 z2VRB%QeY3Ax9nEFZ*S%uo9=tFHMt=h`|`QIg4GEdR#DkliD@s zL0{cM>w?Zq8gXGHJa;WdT-!D&89da^pXPn4kIA)y&Iw8qE}pSBZN<(|&T-GZDHr85 zD;GK6K06-F9aSw4JCahCEAbeLAvR!;r8HiLz7U9UAb!}iotK>!Xn)b*r=jHwmsO(c z7P<>BS>1EBowj1?Fe^DTiODJ#kgJKo z{wA}aQF!zAlj2$d=g1wA6<^dP%R+s`R^)W0#uOi3KS*z6emuM!PKPQ>T!w_V@^1rG zTW5-hG#&MEwj2*nSe0iL18D}_VwuKq^)k+8uKPJs92D7&%0|!kGN4gL?NA}VwrQ~t zko@iUu8c3p>?~is#`Y_f#Y$k`Ur;mY(J{#J!ip`4~Wft 
zF&So#X<(ao^a=Tlqw*>G*@~aVapApKpAe}XBo|;kmzkp>Ch`ikh?929$;>fhFP2=uq{yRd1>~^gq84+)rkoQKgds^Jhqk~0dUDBLX?@| zu~x{^PYH5`yzF{Menw9;Tgnn3)y7a#qbD zX3u@buU=I>TB0=Ah|HqMwQFkf8cnl9AjR6aQdf=o#49vYOh6Q?siZ`qu2LoIbm?JE zFg}_5?xkkNHy1%Tnp(Z6f=hhKj26;ke$F5_XJ{4`(P54sSlSG(T(-l>qFFc|GRwe) z2F7(^BYf@zc)E$4jppirE;3QSMmlTxI+V3V*Z#j@#TX+G5qIvQv>kkvC9E_IQuu}3 zzs>b78h{naKR8ra+7Ok#XE!Yy^s7o-3f4i1<*7XK|GqxgZsW>4&AAKvYxS3Zw&s5N zKky!iOBx{l!fu|1;r=C!&cJ|Fil>Vr%k1f)L6EDUNpP_Bz|> zbq(BRcOvT4J4>&xchvxOrjw}jyMVojxAx)*44eNL-Uu~aSN6Y*@R9ha?DSLgU7#=s zdFkB`{>}*mPfR4I=lCv~M&tyJzCS=0cpT|?)y z!b|WbYiO45K6q87!-d%O`cb9MnXS?Kf<-?+K=hIPEMX_%BE6U{r|q+^>d$K5su)Xz zSKnR{No|w7``vYY5KT?<+7l0n+cd*C&vG^MI5F^84QvCxJ%5qsc|X6pe+E3p)QQ}9 zQF5fawi`TELS|Da# zHxPW^zWVUh)_X-25&ZaUd47Cb#&+u7TYJWV&^9n3_E;KHVC?L9=;de!Jx*Zml}Mnx zZwvX}ybR_kZ1s-Pkt|sK16+cdFPye_+lV&pp7=j_{>*zlwq<;8GS2eb1qCc`DWm)i ztnYZ&t2c0aNCFZB+=@Q^U&1wpy9vym0e@Qkh`}y|L$08io5)w@bqIrCcDO3E~Nc!jW09)V}BN zNK~KapH-G2mIy(vGHwv-BXRX~t6|epWanJV%;+%`Z}A&ciV9YPYWY<&oRV9vjvR&B zBIdI&S`f}R5iXs$t8OV%ySwlk1*xg9l;4)Rcv-S#5t)~B-kWy^Vqvpkbgb}qDfJK1 zR|~;J`1qioe3*q6y~d0dK9cx%0;O3P7MJ80*yXf^YMeMvrJO1!Us`p}yxjUGhT}3! 
zbRjvC)mV_E5!PJ0C{H{Kq=Rsq8cjo$>jqMONMbj+AfgvsTQAgDLBKFQ^cR3rY%@sZ z;)D?{lt(AR#i0JcDA63)E@RY+YihDYK{rTl@Xgf^>`lw&u9O7SnIVP{4-9l{;qAgv za7U!AButr0U{nv~$sX9(?s})$20`_IM-c7562n@dCNIGUeC0hJV-H4ghaLZ6V>M^1 zsR6+R(6CUgfj6Wr)lNyg9+2(Sug@;XNNrjpwOFv&p+mV-rZ7eav^siOd%71$JiFp0 zUStAE1x&RKV_=yKB))xS37Ckz?0cq$YfJD4oCPx>UHD}9% z8ztR<^478FjP|IfdfN+j5JWBaHnhusVQaJse`uVW+AflgC08wpH&qrb&+=uKEPN{$ z`og(>tcdKol(xPrO{836z~@A(W-hr!oYthi7;XY#OqSEk#q< zQeUaX$*@(I9fOp^$(O9py%UwXWnu0^hFP$+vhabD6n0&nMR%nr1_cS49C$dtks^-% z5JE~8CKnXU$&_!N^n)G9y-9$dX;i&nrsM+J45!Wpa%em_yP*Rz3{-eg+f=`9)>Ey+ z#5`c>4&eEX7;U=w=;OwuFDl*X2U+;w~_HcB!4;fP=Wapsnih`AvKi~O7 z1*!sO-uQxZ@@R5P5N8G{42P`UF+g!jRjT|?8~`($lAS7&>nD6wbSAs%C1;i@m$|%R z5%!WiR64z&dd_~WX*Oz67Y|WMIYmX<1xlo=f7EN|_=PC*NXv3k>R%k_ANcKK>vFm1 zcFa-px+*ipcnKlu8Ton226BJ-Jb3H58JcJ^O?U`Wd|KEKFPdf*rA_BiAaIxNw3(;( zm(W^WJu@>fco($P%Pd)c(x0E>+gVc7)9EbtDRJ?(QzZ-K}xA;O-FI-J$z(&c5U9 zFZBo38l&E-nsYuSW)KMl12Y)##K>A2xYXhe)DtcH6mm`lFuJK`+CvT0x*<5c1;MEy z0W;nX2wklZ1!>A+SI7me!H=FsFAWI0J;=83=iN`-dl{ZlhB3w7HCMhaQxC+)dvht8 znXTE*?~qw`+%^%=er{KO{UkPi9>>~*aZ`FXc*n^H51$-eB?yb7x7;75?XHRf|H`Xb z{uHrKt(lZR1#0)Kz5GaCzihX0>)3z4Fwk*{>#4exf9qbp)ZPU5*(kM#iEvj7u3UB< z?N)!iu>B6uGuu3q%o1#y7hQ6_>QSie+>)Ef^&Cze0lBQk*n4~LhS0P!bqyL%%#dET zo%XHaGh8|H6i&VlnFDSVeT*g(K3=VAcSylEh8IE$f@myQHVjd6w$GPL%T8&25WmuL zulK*Bd4ghlwC`5tUXe(z#|hJFeGb~%Z9w--T%bj%4wiQ#`^f`Ef!+Qi(C?Y4E9QMS z=Pa<>lTyov{$2eUm!NapG6*=VFSPAk-H!I*mNa-PQ2{&z9p!oVl~{DY&u#o%k~ef( zn~bY*-CcCXfwZVyBdq$Ex+Uc~&u>Tgg>{$%e4uWZit7Np`J!sSH49ZgEhPYeWDF>z zzeBG`;=4}ziCGLR=3QI05B7V`-+D2YpGY=+*59{i2=7RED4IvcZi71PUj8{VINUp$ z&$}OXI`^6>Ie_<^b9r01?FGEX^jV0XXLBFgTf2Rx3;RyereDrZ=b)na0+xrcxnn zxCsEAfP`|c^1$iFDsz1&@_2Nz?Oz^9okdQ2%qUl5EHlqX?Ir*HW`!p&VBFBW#ycb769ibbw zKi;RMD>fqvs#Jwzu3xPoOp|q#mD?+3ix`s#VM$9$hw=XP7lohNm{p%l1Q&^G)V;KE znVt{KWlRrAfbRpN3tub|8uIF;79dVz)7JKPape!YKVBgwy7A)jx-rB;&P+;(>9$pY zPd(pw3w)IW*C;IvgJMa(k@XZ_+bUGwXk7+Mr!c({J5ltch(uqhNzVec(3X`OE1+~*A#o3??4g@=< z7`_n#g?)4)zu_Lkm@RI9V=)2?t150ox`?cQh=|o%UuJh%GEFG06MjdPyvgXXr7#M< 
zN(yb>o)`zQ8r(k*HewINrMleNlyFvlPF!h^k`gsS**J0fp}PKP1*y@&kK9!JKUn$d zbBULh2@}1Jm1AbKRSTNsW#pC-DqZj<=7TUYblXv6VT8S+W>rR%7RvahWIvPZ>P&{j$W=XcqM`T4I7UgisQ9;n7UE`oQZ$}? zUX*J{?I*f#)TS=($;2k1<0Y~rsm@--cu{hS<(Qd+@eRVvv&HJgnf9omL~8>`Vv<9U zG?7)d#rr6nOhO-lF5}8?Y6xdZRa>&liJ|{gc{(s#7=j8G`|$W7=%^MseJO)_vBT}5 zl(`iAU%u%PA7?Ldjzr`eecRdUou%ig&b|dkZuC`z*t@e5>4a}(<}S#XV%WoyjwGzj zeSX$t3O+j5`!=mwa(vZeJ}vpAz&{q$jEC~m$%92J^3q(<4`GR#*6~d?$e9f``@<=y z@rxZeN>VxGm%bmb4&X%q$l|o;;KamS4*QmW%PXI}Wr@jx4OFmeXKMI4sg;__Qqkacr;>sKTb zUxm2HOBlQdNoB`uixv9@t^jd`v(yxwFHn1Ul?rWY;j#3I*=GI1d3}HI88iQ{y!Nab z;ej;orU6$%@b7V-bczM=iyJ}P+aD$W4i=}oBT%EnNv?COtZyG6_C@0bCR2$9JvYz@ zkBUpS`U~ipT`=Qr`crz!@(xW7e>-%aN8Ix;Km(r$L5>m1_3BV?R3|Z|_e;ORd9r4m zxo5#{h8G}c);1*|`)?!#mjqbWY~|cJVC5L&cxMBW*=nmB+|zpDiHYapI|@I3u`4R9 zeHn^qEjqmXy}9Sm`76;oxAC7kZuMb#xkqi@68Cn|^O9~@b=P{**$e}}(ACFo(pwH- z9j=ji>vi)kuFG*LF4x;*sOt!L!%WEUGUlMP^|JM$$$QaMoR|IaoP9=TUYi8|OX^q# z7O^3@JL~al8pK{U5NLZC)8%3kwC^Gpa#`z~U^cYUKTB$#3264U$axrfQ2b1Q7!lj# zb}M12pKc%a+x`2Rf@YZQjo!|Z>AlnZnep+AE|j4&&2_p-hz9n(jHTiBJ43%J?lDgs z?Lag1zI!-1XXflfUngTcXV(we64i7>4s1>=L zhw53AUT;&a%f4QoF+PX>^EG;Ro%)Y{2PNAzbyt`JoDM?1O^@fCL!1qbB+Z~UK|zbL zCoZr39I;%tyqu3HN!maoXm3x# zP`|Vh^j&WAW3-PU*X^Wcd^2M~{beatY72CUpgR(k*EVj#z2P-}o+sos3_ZsEzW8tl z>-HEU!H}l!I!G9%;nrz2#&D_cy1E%zne(zP%H31)`>8(MeF^%g%e*S_iuKI_z!tv_ zUOwBf-+nv-TY$kFAh6BLQO`8Eua4ze2{AJQye;{5^{svOJ!@VH{BY>fL-g%K=W^l} zz_vXmW3MuoU{V5!m?5b(?!#MegVgl$GFbCU4Z>84gDAJ4g8h6V2bsuA49S0C)Cqba z6$3qf|HfD!BzY^N(A^7jk!!^u$_ zvKfM%){I2>mr_8eZD_?5fWp57R+K=zTCwG%`4nhSUEo`Q2pcl}96DVzB+EAum?vnJ zlA76UBHPTQT&dWjQqk)_la?^|zD#Cbf~iMNTRi#Oi+0T-j1HdBGKNo^+IktQQ9Vm= z)+JE49JIVlmR8u~(T$(_N7kxBRQXOQZwYC>hdueA^cGuQdLG41Pgs9Z*7Z)fqEL6W zj;i0dc|qpXO64?hvi_5}jJfnBY#FXQ7JI&GRq>!qkWz_pqO$TBon`6t0BC!+wskygHJd+k)KE!!SB?BH7xoSk!^4><;Up$BG+`tlTi9dwLRY zk!{i4z(P?p5(h`!tC`+Unr6`e;fbVFktF=lBn<2=OUf>?Z7Z7jP>jZQpVW&N;r!Bz zqU^6Jffrf!D5M1jO3p-lwD-2WQwJ6Lo0Ob1)UvRb0&048fa5J`8qr*zg&gWUGc4pP0gP<@X`pF|0ft1~G@pSg 
z5)h9jP*muET5N(XY#@J*z&chb%cz)%*LDJZ-SdxdnpJ*Y1wr}i%9q*RQBMBOWXq5P zAWjK}E0C;}a^wQ}!fB>X$G0X}#nBu-4p?2I9jEmt8&f@BGPVq2o}w$U@EV9Yu^OAf zV7|_qx7RMCtDy1_y7(Or$L93|fwFbewl%czGJT3IM9m8sxyoRTRt=V^e6PdUD1{Aj z>wLXL0i}TpO3Z$QvDF4I?@V%!oCn2}fLzyWrUB?XMuYve%r)E3kLX#k0{bxvzcy=W zB39T{8MpS=P*F{sqf8YoHZ>=Dr%zJ3@OyCTgO19DxLWfCRLNMqtz6W6+p1OH-l$d7 zJ$LyB7oZD}{n2sFYp&|*W{z?*|IlyM_Tlt4=0mfLj_XqPvf=md3qoTHp3X3y=8Yo* znmALTO5*D5ib~lH)sb2jsxF4J7+f@6tJ=sJdLE0DpB9@sHX^VK5thq}et5?^Z&5$^ zOR~n60!?7cHW?hMv3~>qpI3Xi5HiO^DWjs|Q0y&+UqoTZP8v0uHZlsLpBK=Y!n90N z2(12!8E&y3Y;}@7Rc&M97Eq$!4ULrhSyGwS@k?eqk2ohe=IH8gIrbAXrBO38jFLG+ zJ;?%MLihCAmrr94BL0aMgVMhbno9gF5G`g`U4JYqXtK)^Ytsux&HRm$$O~!wM~7ij z%nG?IY_?731V=o2Mgh8D*si*OLUL0gO90aWrrNs0us=T@Lls}`=`C1|V&5ZN`0`zE z+8+{c{tuK`nRXu_baf@mV9pT3d_G2L8H1;5E+-bI%T^xS-(aRR6ib3S35N5d;ZMz5 zYO0wpC!tQK0C5jkI}LQdz^2BORRF0z?3>5VW}k@P5BuXYmi;H4oJi&N-pM&k(W0Bs zl6E$+vs3$D^~j8Pd*h<4x#$-DW4zuO2i!UXc)qV%lMyv%v6-8UTBNvS@oZw579IghRSNg>{)lP zAKnJ&WT|l`N_;C!h(^dp7~!u}SNpQVk7b(l%cd&9N2zGFTXF(MkSeU<-$YI~X1FV^ zjhUB$mL>cmsP~a}E|H2)rDDJ&EzKV&hm_={Dtq7LC5mW9v0^>!VIFPq-%|1+meu10 z(*FwCkJds>z~0bU zSZ#L;yC;zgFi45_uaaR~k>@Q7SNl!T>>7)0%QcT2m7;Q**6#f;gYLJMdHWwAEt-dZ zKC-%D%8kRU+NP(5L91FE2hYdx3;KJ`Od`-th@riDZc;?cvEdzMN5k>+vNy9mqVD_7 zp@7Eb?L)DW;7xRjzV(Nc65#E4BCv3I6&ZXSXlURx z7$D?xCFw9R@$`IW(9_w_eR949>2C38{VwZ+D&V{;U?FffOFweKRP8at+^ch)iC%c@3Puq2XLpEsQZS>(d#xKDaAZ2z(BX#C?d-pUTwBap6V)${| z=&=4cW7kl-sOfRGffUQ+lnP)9R|OzMJ<)y!HzZ z1Mz_*nvy-gYmPwe%DY7+I#J`UU3FNoP%D}VN!3rGviHY7o7aaTRSNKhCYm#U;8B23`hS2R2us%;4(;ome(`cpJvZNDEHJMpyk=D{{*l= zt=p7^yK1Ly7`FHTH$H!_i+fT-@Fo-1;LtBRo`3wE$iDF_J73Hdw z0s^*+JZ(|cnz&{ZiZc5TD>j6`O(hFi!R>cs^0c5RS#ty9C26du`_& zM3(5uDDE?%_Z3!bNfZ~c9cpqvDHfgBID^I7j47$iRuO(8e05ZTLJ#&^Y5dBoo8;V` zZciQWubi)F*rG}s&A|rE&)9m~#jK@ix)Lkqo?TW?Of1Px(#M&Ik{?__-2JcFscVH@ zKTgHCcA=>f`cElmRsaz-U-MU*Rq>=lk+7<`?1AXDg%FU@Y6TiQetLJrpd*pSYD`we=qb2 zU(;5hli#ca_Q~fUC-N@t?(oAGjBBxEoJ&85Pp6KUmQ+3^FO-eAW}OtJ6SuPpQ=wNv zbfjyJ9^MHM2i4iDPP^;dCI1!{5V)~M*S`Eiz2Lvuq8t1c)M>)*Yx&o?3ug%*+7|8C 
zf{97ly50AEM|j4dJ<(FlUTddNJoT9wC(d(&Y35 zUy`syu`qyx(wGFCF_BL~UEnyoRqR(eRYtHw_4m(wA!q>F9RSC)?IjD6N&17EoB?Yy zH?puDQTUrk{V}{RuWY?#IhAm2exRpo{;U|3O% zVtZQUjPQQrJ;aF>=19W(RuR3+sSd)qLbP!aOvu-*vl1YsNEI836~^PUcvZsy5x{ z5AHHgGhP&beQ{}x&iXQI#lU5wFcK3)Qh5%L~D>+B~7nCgvgPZE|LWxNq?9%nuk%7S$IW6E;uu2e^*;;-sq)o8G=2- z3sEH(qUUmKogg{#)eVSWrTD7u;t7tiR1auGTFL@AKaB3`|1+9pHSUNUG}vpZOO=P|_l#0 z3JRnR#{2=fxBm%{9vI?%d)#d$^3r%Yy5hf^172P5@jCyYaXnMIe}vS#Jzaa}#SR9ikLuvgavcFBA1S}R|O>CTAv3 zn>pi4z^H2Qtd5O6*OfYGQTNIffO6?F@Xxsh_^PRi>o)Q36Q_X2d&&Fo&%`qa_>#01 zw61>ie!D8=pl6rVH6NHZpJQ{NYRO^z*b2^PD`#hm!(ZgL&?E!f^6B z2=VQIZv>rxwb+2gc7}u)eG+@V(|1c(wY+_Kvd%IXb@14fLF?4fbsaOBxQ&PcKOdK#da&OO1Zi~o zMo`9G)k5TUH+4Qqx~HMqJ+%s*TR6OrTq$-$Qa*h=7jQp$nrMm{Po#-I#N~B4B(P7l z;D!hqM|vp48C1hv@uj|7)V#eep@jRLBmyeBVoJ z-FgcyCdoTEZ#-Y`0qSj>tjaM<<^-W`nykNBRNtIOp4Rg6#Vs3pCGbtHn}z3s@3I8> zU25*%sWr28K@&U--4{0QR{dh`jGR9lE2m$<7B}E+Juu2U4TwDnd{^C6yC)RDpJVPj zw*SO;CgenBnx2eac{lHd(+l{YHoNsS1)!p5lzDyUD0%7m34 zT6*zj{`O?Gg6uXn@6G_5@^UuoMAX?POn<{jDlj12ErN3rV7b3fq{OxYW{G_((!$fR z+MK1AC#jKRsuDGw$wh(sCizcA+X2CmDPl*4-4gq?Z5L^*g)vlAgcMKJi9e@s-L&Q^ zTAb0`G1Z|M4qsWNt>qV_mu~r!dPtO&zU`xIMv zaLX$?T@o=Kxu;m(vYATq5Y2dt#thnN&1%xPNj|Ao)P;;=cgN_mI37&1q_D2_IEohC zI8k+xN1@cwr3FnSx=xtP5Xa*8_~Zq0MB4Ees3}((uTUQfk6>d#{drPC0IrE|rF|Rw zr{5m%VbK?w)$=k9wFvmNh%UdtlS&J1U^jE}qnMwmlmJIAnoWa3Gkf88hFF3s!JPh5 z1$~ZU;_nD9RcnHoI=#I_l?lzSfr#uVy~at!sQu=IuotUhHFRz%Kqf0QmB$I5B25=` z>Wqs6-$wr?Dw}^Ow&a%_MZpx_y%=-1d70*S5VP(KDuxa)j68>Z5<=(Tdm6q-R2F}fdWE$VYAuE4{J z6R&KJeqkG#iX@6c7dt)DmH8X23kBXn3|4yFbeOr@M9$Qz6qT$+T`$$zu#ZH-hKNpH zOVpu26`P`c6Ah9~bbk4Gg)ww(43$XL2E=G~^%gbyhL`$R&kt^$QFOyYp{*lOQd${^ zY!aq7aLM~^VK!Y2!L+R#6lF&qto8BF4&3~cP;#hlUa9# zVGwx7=7%>Zmf8nNgG(jRLZd#BVV=I1^hY&aI7yn01Aj_7H4Jirr0=7DW#nR9d@o8B zb-WykYqxodY+F9sA0Zu4e(_&8J(P1|ri7D(R2lLvYg(3LK0aLLe~T58FAxOh`k71{ApVrj$Fz_Z2b@6{^y|Ldb7$d|&r8tnjXuOH(w_HMUBNc^ zo{Qrrxh>#dNe6zlF0Ug)mgc|u%RNJXL1Uaz?5&-*NTIyoh^XZsWZj2Fr236hw+`K7 z(>w>c%{6=nIhCniHjhg03f_d5_xtVFeeMSCXZ76YU78-z#|DmMPp3+?-uFpwt)O{* 
zT;|4!wc1U!l{k;rA$`B5(Tya<0L|z9PIdzxbM^E6^;W~@IU4ZFw&hS`tDZ&Bo`n$i z6PHEYS=!p^2I*CCZ1ggT*O}5Idud+xq1#2&RF~}uHFyy;Pg;Eo=fdp~b#Mv1z1>s% zdW_4WulwDe_i=X}u^@~ZTOeh+P3_!ydFs03?&3_x3S-Pqp+ zw<^}=_#G>?Z10|X-YLG^`2hr6G6>^%oNXRYeIGl|%Cb`1-x4(!)$^YByPq;?Y`;5r zp029%tqZOZ+J|@5hkNYmPgsSWe>@&6+jS_PjSVb&8Na92Rf<-@8g@-OK75d_$LSsK ztpkAQFXQLXk35z!>Ts<>z*7`l0g;>(-v{6UoOhS!>S~bN{bT=~qR-tZG)u?(0@Bm- zS#=h(-`rW)l3(KiB^rs-b}ZpMORjxgFC;0ZMMpK;gWkrWy94OZ%&LG4~K%mUgs@zl$f zIbG@%ElG0+GnVCs*??I=F_V$N6WoXroW#~Jils~3!XZ9yYOYLJyoz9?qr#jFBlfsD zb0U@F62Ph}TEe(fts{G~fG?PNPrP;}sg*l=NXSFbEaUn|7X-sFpabt8VQ`f7q6Ep3 zsnI{H6Vf#JYE@tx`KwlIpVybj1m^ePn7$KRIE_9xyOq>0j-b|*8WrOR#|GpKq8TWZ z5~&u3jNSk#uADs|7B;`&7tcErGHEf<0!3eM4jaZtB0M}O(^yWlo}=+%ZFXnSWAFl zXVf$T;>{Qcru-dgj@Yi7%vI&QX|ir^s0hX%7wBPUyw8z2Khxf(f|WrW z#a^INizF!tV7T)oXRgI2vM@d``U#ey2i)z?x^`$Gk82 z_Mk(dk1yAx1{baqiTaEd6TL=^Z@f$UU+J+&Lo-#zFNzAeEK^BOQL!*3H%>4jZcP`; zdZ86@*^o{7QfKe9wiBGxu~}amxS31mUVKs&Qbnd~qz$V3cgF`)_3J5Gv1ThDelV@G z&fmsQ1^FcPzsCQdFGJHMqECRhd)9?trCX#qBnv~`t(--$QIK<=(@X0hdCH$T|AL-~cb4 zh||-qg*FvAZIp1L$~rvAm`u*g-~DahyIv2MO)pFbPPmow&hrkSKo&P`pKEa`uZ*zQ zM3nne#Vy39vXBucC%^E!X0?!N@5o+dI%TH&IcfuG0{&bU*hN1kw0{~ElrD+wp+7~O z1c?1N5x<|NAgb%&*gPap>d2$05mO8dp=hv^ajHIBBfAssG5_3AXfKas>d_;T{#%z2 zKF_L5?KEUtu6Hr`i->VY$5-o0M@I}>dD-N3&j1y94cabz!PZGlt#S;R$Wx*lKV1O& zWak$NE!OuchMo9d#q`P)33K@c=Qnn|Lc@)}`6RFH*@O5b70Ni?#O9bHLUY_IB)JSj z>!DH|A-N0qa>F?%7-dr5w18rxo(ZBU(Q|U6zIF5NH(nYyS;`}h!#kFurLw@eN}JV! 
z-i~Z4NJ$vygKyDC4;lX)*^M}$CI5f9?`i1U?uQjNoB)_Ffj<}065!Q+?q$Dw;%ic< zP$P6|)j`c`(&vt2Au1UYynsK3t)O+vX{Pog)Hs%=ddJtw6sbJ@)0wbGf#2;+Tq{0N zd5$t?@pf)en))tXm)|w>a7dZO8HjvFP_jsQy=Pu`26j!};WRmO+Ydm7Jr9DK<+k5* zQmQ0LLH1ai{1y=kt4xPeT{lF)@Txb>$4%#mJOf9cxpR3#?8zryky`{X?{v}Pro)skvf$Q0rqi!dA(st{t zBLh7v+`HJ2OHY|D&tk;4)8oc-d@X zF7W&*Rg<%4=fAkwyre?)Iab*P^`vs;Hs4dAZMQvP+904Ay53iTW(f_SU+tbYZ{goN z2v=ibH?5N@GX~H!6uq^4el>ht;7;rQ+#2w_&&Z1Vq3gS|OIXXRoblJM(&Z~RypWeq zwdehT+*b2pVb%Lg-%)Z)ZtH|+sa{*h-R*NHbuQpe?{1vkEwi=l*4kVB;@Fo#fr$kO^D<|CSe2t8+vzjjNzJVTo?EXPa6Za8Bd*DQx%QT0ZoOdd==t5do8+$H zZcbdk>)DIO<#|1q$LtNpXIbgtC-M5o$IYHJY@E|1iASwR0&x1|yDly^;s6*MUFEdj zW`}YtBR=40s_PdH58NLGPwF%^_?#w~4*6T(ACx|Q?<(Woc@KbR-4%%Ao(EEo63}{2 zr7sE?!D)af#OLZ3AV^6h6IKc~@PE&H&U=Y_5V+4f@!`Zp!pG0(hDACR>JNNI!_1IT z6r~yP(jVqqMS$5SG>;?xf}Ko7^FwQtvi)5clfMP>^;a(4V-z-XNl-ExUqEeT6C}p_ zyKZCSfa<10GOWIlUUA!x#p~x$7&z08J#}IN5`SsGl*cCfN?ndw;6lYc{BnIk z_~Ki;aF)Mb*XXQpb5LoueOv~K$ucfQkpEYDl=Zy?!s0c=I2!Ur!kG-^7B8qGv4n7W zLU9OHNeD5``ileQM6JbOLoyG0JICT&sK^W8Mmz@>V1Hw5d0n-Q-O% z-y6D>PAXEH=@TjbH61w;#QhgMR!<4PP#%$iIO5ThXldzKIfK?o&Mly$@Fk4dUNaqa z-UY+bfmPl-LXd|R4n_x~F^Ma_g_k*7$(^0^113~mI>O^MstJ?49W%q}#jc>dX) zwMV~y!qHzg05hKg$p7foB5(%*w50T=w_IgESeYb}&T3T%&7d$0)yL?O zn+ER7R4>jYxJ(l*KFmgG#%yLN}mS^BsQ%HF45Hw$R9*%onlh zTQNua6uVZd@`3>TUmV#37i^k)@u_%1MXB>A;S|^z>D^{BsD$itvdt>Fr*{~sqZx6m zM;$X_HAG|JV#@lY3TIR0A7%PC`If0t-<)H$RRUpSOT2CW z%EGCZLa`MawZ&T#SKCfj!uw3jHmBX~1{toCsz#ypz7zDv5|P2)wS(2Zq`o%1lioUm z=@h|9NasQs&r#kmkl$-WO!+2b_Ic9|9ZeWjU|fic z9hM7OJ#C6JfuZ~Y-^bt#iJTeb^=O+E-TX3p$XJk{9%dtNxH^+W6(!DVS`>wQjMF)=hVbhvd5I8Ln_#{;VRXUcnx_XI?OY&GKpj2 zP-#}0-+0!;M=(QYD5?#I=6BJHZ=8(vuA_X!DCe~b_SjSK4>OE&|69PiD51vtd?!NJ ze_yv-XSNaT+BUjtz8xX-$N?&GGMF3Ak0b7(vky%n zpM#?fPCosSZC#IBQP%O`&(&!sF#QQ6!sOOvLBiMde7|m^*Kmj(rT=t8agVB5YXv?G z^vK}U=saKLOr`g`1);fPw7!TO&6?3K0rPCzyq}WJVbgM27_n>bPP=;6Z{K~p(6%?Z zh*_Lx&8CaFeQOc!FTK&VV1$Z&b}Mb(&T?jGnS53mEV{j}2Cf61br=NQA5NoKH1%r$ z@z;^9dnk_r6J3gWZj-Q2-7ddcTi1)1nY_3yQJ0gv0~KDP~dY3pc%aJzHDgCA|SW*ib=G72y6N>umw0Qq}e`Z 
zYTs9VKylBN(`#Sse!xs+@NJ?8e(|hzo~uC11uaCmy;mL|r=c1^_UsJ0Pw~BLvMdYn zJI^MOcv|L_PHVlTO;>+%(+vI2QLd)-kDj=@@BbxvzrTRg<7|7}uJCJ#numF$SiV2` zW3qU@o_taxG;2YOs)#HzjotpJ!W2a0`_W|{eD$GU3T5peJa#MMt}}m^?jF71Dfx2J~p$v zk3wq?%e6JG*Eau=hWD%j$j(1y2JAOrT`R*80DV&Q7I^DLiRzxA+=P*`Sf2WI9Q5)a+yue4`xao&;JhO^C(G9Av4=OZ>>@+7W)VCN5Qk$QSrNZxVA8Lyq6< zfs19F#6ibo$CY?tpW=vU=cGo$y;rBD+|;(>7SdmKelKbD7c#^HqF1J$0Y?&^o+i6# z&E$b(?2+A;EeokhJWy86XBzRiMSI?=%mGFXmV045Usn3nL!71`W~VsuyLL4;Mj@n% zOQzk(%&`x&u?vP0ce*1yTDdTXPl@a|Y>T3Y$`6k1%5cl}z0nLeAW9Q3LUOFvkt$5q z_HJgSH-?knMeF?EMZTMZ?51tmB|^rGk@m)1MiiEm84QiyFwo>x+a6G!zC3Nsk;kr`Uss)=SwbnM`Wz*Ly`Z#16~>F#b^J5`q@?#8sW#Vm(MdV@yU9Y@A_O2g zEjh1d8=PKmwo#9WbeQ2tG)$}|ITn*sRXYWUOgc6WW=i|%O__;~T-CvvPvF7J?}^1C z5*Ju5aDLY&rLXIsEvze}S*!lNai*ou5IpbMw7}4BFVPy38i+TKIpt*5GHv49D~jpo zk1CaECj7$om#(am(^!T$|4YU_YfWmN>97ZGY;)Zr#;K)Z!Z){)6v(@WWQRTCe3c_S zj`@?Oe1cexy&7c|Jh&J_$I8=iztFyodTpAnPIdNQ3wY&}DYxiJ^y@mYFc*+Wql5Xm zh5!1EqF2hxuA*#%$e~WNo|Vk~rbdb$+{s&DS|mJ%0ibz6`p(;t5E946I~ep+?^7x+ z%aoP2GwSq}1pU{KgA@j?tXfQS4bDyeIT7O}t9wUmw*0_&I9=K`{DBY>UJVgAyN{KuLL7YnmAK0GGA6VIwBOs4oI?RC1hD z@|8nXh1UqAmr`mbmdmU>2#2(zU(B+?f2^L$`cAl?GO@7xcFg`Ri)L^sOszs5P;G~% zmdTSI9l}YQ)E;6z?c0I~8#ZmpayvH~_A@`X_`h-lHV87t`%rvEWBbo~`gK}yn%ViX zXB%)>dXsM&DLh-dBXlhEtaSR>f?4@}$!1RWJ`cmbW6plu-p{2*k1T=|T)bW9qhRY^<8*G<_+xvPS$qB1uLXf=kl%<9zfhF*1rYpe z*V>^5+~*6}xYu-G@n!HjopYb=wrp(Vf57#I#O=Hpc~{AMH#_JEvjEAGT)2#|fLvzL zo`62Hc~b(8&Qw7tTZNmV8 z*4-GSBL|*W^MjCfxdz?Mrg{6rpnnQ4df7i3^|bbhwtdlF#ktE z?$*P=fVj_0%xD6#t}bC2?4J+&JYYGcqrE_n4&DOhKo zQ#Yf_Kn#vTTTmc*pYLx}Vv4IK@LI@0F*1Bl-DcskxYA!z0$iVqISa114qOa#S2=0e zhwSs5UuHCK!gUqabXrsI20K4_anreD5cl!yhagwzjwS?|(NG^7KZ2v^`zlE(>vb2cZ?8!G&$O*`2Kl z3I5*7PEUVWOL!7;U;nq-mA`k@p2Yu%ako?2rodIQ)8wRD*}+^6@w9V zPAQYC9T#H_E5opq;(U0;)K!@SvArfgHCQwkYV<0Ux2mGDsQqeqRMpawzmP5uFq?fc zkDhIj`^aMsfT{s$uzt4xprhnX=Tr$3Ve&I)X86U@4_AKfg;Jmq)vPE7t!V0v{+Sc| zDfir8mvL}gdDvhso>8SbumH`70}jK1te! 
z{3=|e!l0xv>AdVr6&;?(ypKAmyHt~{Gc#Ul6{-~a!tYNeE&GY6j2!L*;sm#@sgQbA z`j>DA(?;a2#>Q_-&xO{?Epl#OR5I=G&*@@hfk$5GF!%KBIvIFRrh!?HfUgKxEgNVf z*kM=sB+1jQ)a4<%B_qcVvX%2R8RQ4bl)wM5%O;p1am`G&Mi)&XBLV+nifW)Wm*vb% z+G2&Ts{SB~Wco%1Z8G>hgU3J*e$(G5nde)3efx2P`W7yVp~ zU*W66`+Ihr@>>V`I_>`Pcr@52@54gmKUd)kFuU!~h2One6!1+8D&K?_+MFtk!$Y`| z!|Cwt24osET*GJae6^9$ErS8c=p5zn?r9OJTne{glIL z93{KIo77k=VBioWp+fkoI`UB!Q)h0x|N7jvmXw3_Z!I#i-vbSTojyvm+B&VML!4j6 zq$)T=p=*7b-UmVa%=HK7acKpUq{X~j?KvusJ#E`NnZE0UIr0sJhGK$gOt~hF6NkAs zkpL~BOPb2C8|?(@>@-F6@HgVMOe4uZxXNm9yd?%Cu-CuCmI9It{Gb^@zmm{XyWa^OT02TeOCGfHjiP|Y6GsHN?h&yT4QOx zq4Gx!G7&`HmS5>HFSgLF{12A$#ceowl+Zj!?bu!YWdrdwlj@A6q=WM>i%Si+*x)oa zme$*?!ZDk(&u=7qzO~Pd60IZ~H@viDvUvb&kffpE**B|ZkazPrWcoKrf+RPc^8Vp( zMDMf&9NY$$lQ+wD8^YXVmM!xdge=cvqwn1sGjMbWGhn71>oL$73r1-36lV186yPR% zmi$fg*(MUPotT+hyqCr)ELg5R!G^2W7R1X8)x9|IKjDjpkfq{W3_kS?nUE4)O4QNO z$oN0o*8du~UbknB@P@mSKtWSgU|+(ED3J58H_OG{=bjlO6dps$==Sq0{D=mE_Jw!4W`Ef6NSU&xbFx17?jN{A-Sqx|dqDB)UXBoY z-@Fy#^*CwsxiuF!T_&W}t#aL7eRS5fCChEt0!3ZCZCsIdTtB-8yW3|}a+&uypBP;_ zUg^0n(;YE;_1Uo>P4Rtnn*h&=*jL>iw)a(Wa~dy=H@e+x0ki9?g|L07d>7G!gzwh@ zQK&+{JWuGKmfw_$iZy>6UgI+e#DjKPD~UOdL~iD^lcEImD6c*}L@v{=PpelJPk$HE zQOs)|!+vtf+SX0#cGTXMqNMQ_dsMg%WTs@fZS2->)x3SEJbRuUtw-b5Uv^$dH5TA* zYEGqhbUIxL01WnsK0R@AxxNoH>+Q#XpDM>Rw?L*j4B*>&6g1G#WqFLd;Tw>&9hd1A z;z#K_=$w+F_jKs2#qjR#4Se?u{-4)f_aLBT5A4p?9RYS3LtJ`}oE*b70B6wN&C5!{ zn}xoXK6 z?7)Jbtuxp?rSzt6EIsqvLVO)9J9#lLFihc7ZkUO9_@gIgTUohejNkkvpLL3Nz}&B_ zQodRkR=ZP=))nJh`oqr`Rgpatar6%LzH=qs97j%ur*VVvz`j^z@^s0XA!v#)QCoE< z`M64yIz)YvrDmDJr7Ih)?m!ezmkm;96y#wV9w{`hMN_9l_%9NW?1jN%mh>|$2>P=o zoT;@3pS0$B_8`F`j`bb%#NqUfiPh#3Vx9bfgLSKHrPN;ys|(bt^$+x8>?ja-yWdPG zJ$llP5gggF;*L=Z;lI@7#r!{}&M7>zsM*#@$F@4|*tXHJZQHhO+qUg=Y}>Z&d?)|j zXPRA_SUe~NyW4wc>UXeZ`M$j%BIl~dMc}B*;jAq0iCG|d?5!VGP&q)5v_JmK6 zyh&eosl(dIujNZ3rZvNzl<#awZ4o*0t7$YN8(IU2^sh1w1BXPF@ER*zU<8VR2ufLA z4N{ZhTK;ILJ$ylTwZv`CC4#wJ|e>p%W z(cyo;8T_Ftx3>{96;;S=EUFJ&L(yjePzQAfBiQkyW55hK7NH#9hZ)R<%-)MMJT-o`fsi 
zH-`~OY-6=4S`A{y%8(LK@aI3>-}JLP5Ja$8LfYgX*IKW<-*3x8F;p#m$HkXCzRlmc zbL^I&vjxXxBevQ!ZcJ}b0UqT|LVPy?DZeYKRCD98c4jW+mLHm zQ&RLxQtGKzjhy0DCU4gmi1Tk5O*B`Jlf)IrKygrWMWKkWfRpEq8*MmUF0vt-I2)o> ztuR@XA+f4U@3D;`t(rHT@P;u9OJlG~&}JRwBv`ulKuXgLoYhZQFXYxpY3wT|fo$O8^WtzMPCiN2?Nnc1Xi>Hv0$bmf4z zkq|q8HXpkv5Q$VYN-~htt&dyEM?mh-xboD3L(Ock z9yEhP)g1J`MZ?Ba353uzuwe`&%q7q$qgzAl8>UR@y>dC-bDvk`R-BtF=EEO#*UrhJ zYyCHF;?;y~8)9L4V|ZvW3oTMJl_@uVrWl2iq3K$@KOvHIa_v{9;Br zAlXUH=R`+3zP&8m<(*x1^wsCS@2^N+XNtCz+xZ!P$Cb^4^2X&)^7OG*zV(~reUeNP zUAJWn=SO`iC11M-kWL?m^NPnC{Pd3lu2jC49^;*kr*n55XWFjgSlsXHM$Zf1 zwiU%l@6U(jkW74dov(mRPSVb~%$a8$t*d2ey6xMt#JSFztF7A!bw%5H-CXB%3G2XV zAD2$H?d^xciL8gpN~?!L!`xFI*SQZq4#z9w<*m;wx6I3WDy6~)-Hzbbu|L>d$!jhc z%=NE4wmcc?LaU~oC_0}PDdn!M&gi<9jomYwFg|W`x=ZkzHb)@apJT?U(RjFcZi`SK zx-S}*Te;nYB+H+wA2U%O82P3rvt@?NAzh8< zH6cd_;eKLq|t2fI5 z7W|D5RW7NPcGqL>Pvv@l9dPXj`C3@(xpIe556^1PwZK}y^YuLmwl}wW=+4zhs6cHU zpZZCl&~qk;j~n29CQGzef?Bl=X6<82Hdf2~#g#WA_M&F4gY)$VWTk&q_DUw%<#qRM zn*BXmUb|gP?cFy6?{?iFv{G*6d*{*l3C;1miL!H!K-WFq>H1QtTB-Z>_62bN)P?-$ zl^y}y7IG49rfI#-Y5u0dEaozOZ*c&yBy!FtNl;n8oZd+yJ@j z0k5(o)WUj&!D8KlB^gw4l=QUs^*9JW>8>h;q$$gbp1l52;Fy#0E*|721*DWlh0AS2 zMfRk{3ed_#k-v(>&1nrZNr1$QpkQuZl7rCVt>`7n^Jk@GlT2d&$_JEKm}JwXACad^ z7LiedKNPHxyEJiMLzgl9so*DQqR+0Cj&RmU?)MMgpfQx9`oTy>4M@n5Ba8|F*SfsZ zPnb^3g)LfSOM#TvyP2n*x@h_hjS~8cIYF9+#>+8dXZQF~hNoR3qJ}z!ubM|Y*rBHr zuOY9MDleNCgNw||ilZQwa^cBQ2RhH?NmDP>3Q_Pq$5FD-KD|F#M6L|;aL*$yR3ztl zER_oWE$Tr$_ykm)T&?Dp21NORAZMdmEDo z54AWuCNPb_RE$IXRuS}DsEqn<>G#<$C#GZsTyh{3TH=-YmN>=<3b(;X!$LVMKVhAT zmXhtb@FXJob@Hk@Go-8b>|Z&Ely2<;z&sX7gBs$EQx1x$Wp{U;tNCCO0u5QE(hYS%$&%qRl%TLQp$0C5WHpT{<2AWC!J>@YpX zHfmIzt7OzI1InsYz30P4L=Z7~_&ZI3ZV+*IX|o}TDru+-N9_qp8E9e5MWEinc_DZ4 zB4PPd^#gIj_&@@u6~=vQ`L;k|9w&6h!b0(O5ep>BJN&E8YC{_Ov==wGuu6{jU_p4{ z1bwE#$ly#yP_uP*oLH{GwuO&SK&^~B^0!!=nTcb)M2|nP$YZh2nvNDjnupXYWF{5I zb9C{IA@cW+e+%+&l>u7#>BfR5KuU3j`RRWOpwFKGvR>|e=J9)HXY8k^a=)xfir>-={m^8|Hh9Z$x;DZ*|^!AO}s@Qx4dCHShC*Ng7{s*5P>Df8hYUwWe+u9Ouq( 
zSySk3+r-{nWx4!Ql+5)WtwPZ4v`YSGxyG1bY1OgbSejH#^&suqTMBjfemb0D zI_`R%la=8*TYK!o-+DMKnO}G?DQ}m0e|xX>{a9$E!=K!!^kMhJE5GvGcQ8e>@g@gM zi$`kb`KG-M-SBlBk;RhETvUHNN0Fp%(K%oERC2elzBXRTM&Z3r*j(XPy$oh}qTXP1 zeD8f$t7d%!zK7t?d^kV*56HOR7s|?Z+J`H$ayW3T??0>2F|1y@Ot))9MW0jI3T5KH z+>&vr^7?#t?H!u!8@sJcX52!ved(OmIKNI>;t?QpSR7Sf|Hao_U%h^ouGr88zjiv# zpkn`VFO5mS_K-LAS*KpUj^IyeTV3xTUU>d4?e^GYxr~T)lHK_1*ryo!#gy(j`_;I^ z672Tno#GX;ZdZ4v+}PT+>#x3Lcy&a{bOB*KjUy#k3mD5}yNP0Y-q@gkt<@-exwc(y zYqjV9dX?Q?_uarnXmhE&+S$1}_!{e@xKUDRef~Hiv%~i+M z`l^DEh}`}@y{p{D|@Pyy6b+ph{wG<0L!1m|lG!hz^;{=i|LONOU1W z*uKgTdUS=J;l6uzQSEu0C@ofQ{mgqfS zT+HHg@Qk-*k>T>z^;m}B^R>L;LjSrrYSc+q#oT=S-(GqHc*u^j-RBFNIefg)2C&H) z8_BsyOBt8lT7Ja77yr0Q@V_83dy$4tP6XBD0Or)A-+Wj4;^rYX5kmySN#SFlWgjl< zHD2iy zCFe)>LGEL5OUZAYAs1%l{P`)gR8TBXE*siY(d1?dPo6rO52DpU3P0PGI(Zpqzi*|U z>7`~BUW4XG$n#*Ce=Jmcqef}uKxkZv&y_hUl*)S=DK~%R8nSTC=l_ZQc0sdZkj~Tp zIoq);xDiJ$KG^=aSUKz1FeRhWV6i4ouZM$*BLTT+vDA)Zb_CkS65g+HSUkzDi!WuQZM>5O|F;6spG3U;hCfco_NBRI=oO%H z{!#a>kN7-^6Q~po{!*~K5HIx}LqcTfHpx@-F44GLdi92;OhKeYW-Zu{@AA8v238Yp zT9U_Pej*Ju>p_|{y*%k2W0rDA1%lh9oIE4KKcpAz;#EjAZ1z4mqnL6R%XEo!%H=VK z^y-Up%DmI#Ff3yUYKD+S2Cn2?1+}=z;=ir)a(gY@B`8^w{=c#l1f0tf>(rmr+a{7F zg2Iw{z{D^<(r0NGj-(PwHwNWW;w4Z;#Y79yI+Pwk9n-KmNVvJu9=(F`7a2s&?je~c zGxZRhq5l0Lk+7E4RG#Cp`%Cm zlT~LOdn!Mn<^4&e5@Lt9e3ZhBk_$PZl#KX5DyLTLk`cKGfq5fwGbsD<)0n*oDb=ln z>DM6L2YEf9qjW+Z3zdc=7sZhz2aLN(Ik811tFgP;6o}>cH2GKYX=D=Q;`FRCSz$uC zFnK(i1SC0UL8bu+8SSwlui4hcdYBht4k-bRMZw4o5EiJ_FK_41zaLq=*oi*p=aG2=!nmcD3( zQy@jlMWb_BzX!D1r6H-?&U3)C?&nGFB0zcyd#xgS{?vmAKUs3XMog*8=kUopkl8IZ>fjIS&MEvI8p8zCE0)#@PtH z*t{WcG%ct+A6l7uX*z&3-=jHz9L>%z+mCux?;)WgR}((U=)FqG|qKPY$j^ zaSlT~2o+hy0dbAe(WD~5WmAdY^_~L~6H!Jm{?#hmPg{~y%5?M4x{HbL2|uFl*l4b4 z)BsF{5_6liza^uYSg-Nxr~a1g$%-PyOyOiIi2jB8kmgX0(0vB zDF9p$0YnG=ALZy5eoy8d7{DK0Q+^AubHj%j;m;nCNB_$58LEZ(1wq7*JVKB29rEq? 
zk<9dVK9Z^JGn`{<^{{98kg|5VPmtEUPMT=?9bqu?J;e2Ol*qbyzbW+WV;es|LFPy2 zJ*oAw-o>}u*plsexIXL=En4Gwbt&oMb6=*gzQf{m*!;jQ%l+vPcSen`6SnKmLa3|yYHsDQ$zvhjw=J7-E$9|90 zeG$+nww!TIZnb$`635_rxomsCFV(qQmfXGB(Gk^c?u>G_HPHUds8&@!IfAhLp+8X7 zdi|*{Y{ul`0$h7Qba@SVe|V4AanbtP8GG%C&Fpx+6+-lO&fjr)cf7*j_j;;y4Y*vj z*7QKM9nIqAtY0lmoag{96ELXT)#TdUa?cA%ZvKPeg!s@8eCWpzdAX^-bhn(Z&Go$G z?aXpLu%yeWH#Q-fej|5Z0PB8n{RPh>&-=&uDhuY=>#_3XWfdN>wdXGM0^{YwE<6#x zSKDKS*CV$0nwt)=PUD)})8IBJIuc#$RaYnQO6s-#+{tGXTZ@*XbguX~SjhFm5(8)!O{IReKTT#$*nW-0`nn(VN!mWW z3-qcV7k=8;;y%oWn_^whAE_TCYHT=E>PoQG(#UbK%I3tU+2eS}5`KEfUMH$P=T3TE zk`uh$0lW4ve1CoexWDO~zIF)gIKO?#4u0e>1<|DzJ3n#AhvMML+Q2DTaG&qr4?m5R zeCH>`!f#wjqS~v4T%4v1(1cO+T?*|e%#Yzf5&7#12sD(RmyJFu;PjckLph8yLCt1S zttf!h<1D`zHYBB*atl3Y^r+u~S>TOx(Lh3rL^mbj%ARx*r0r*TJc!XzA@8Fq{;kzM zC8?(SC){KQ+icB3^!ikONCZ65gDdsag;8w?G6a{&s6enr75qI;_}QR(10%g|!Gf*M zhY5`xvbyA-*3>aB$V?HA%wH?H2&@|H#|CK-1P7vdu1?bS(+WI?$@m~a)U=3hg&QD0?e_sTEkfQZ9ZedYwDdzVlP^xRol7 zGT0`k8nM>So)pCCw#f!|lpW5VO?kwd{4-#7tBcNoEgnfLhm0b$bch9bz`}F~5&N^1 z{8RBqE~PSN6iYIY3QEidzJtcaQe5)(6(o*Qzw>rmS;Une+ZGb79OJC9qzMR^#9U@) zsX=5_7gwvBsz9qd2$;%`Jf>I$H7$71nmfgfchMjyGHS3=B+AtT@zxPj!2IRoXdGyU zn$zV)BeB~P#)e@7F%w9!h`3ADFO7&>HbpEcyR!xl3{(keB>EtVIIGsqY_Lc3o)QxF zi=f61jiqjeaW|ARgUibQ7#7bxHHJHEny1=@vQ(&#o<)8uCDo@FF)C2fl=1^vVBLia zEI^ewT&1j@mlxV(P?!NOziop~;Q!HS9(?h&Qop7HquA{v}xA+~QC$y>_`G)3B6CTt^`A+&{GTB(Y{~ zYgj7MxUtmph`glpKDC#iGW_^_MQTzpVsc_|wE>(-*XMd_=0SA-^uKgGVWih(!>?U? zjY{1>ivlHeuZLp3a%!De8EJlDZsx>Hf85z?7GIMRG_e!zh7lmTN9 zj*9#5vgU$6tAdj4+~HJ{^pA<;WCK0x&hG-I{qQJeMw(tj<|_|+5VbGG3S@|qay(}y z9ZK%Mekr?IG?;lH#iHye16qB{{u5_u`?m|)9=G%YL6FX&k$VdmxSo|6M7|n2AC)W6 zVDl)lSV8|MN7ODTKI(!Lt%ph2eo8^FIEu=^HBG$mZ)YVaQ5+=qzbsHiTcb^xgyYI! z0TzOzqHAf7=2=N+c4ec{%OD`AE;xW}?hRq({}GtsDgdnAasUkg*D)jEl! 
zSxr^2Ea};=h4HDZTT)td$@e1mhXnGzlZ3?;!)*Jj;!&OQGR11c&h%KfpHa|IhA6dA z(wZS7U%cg_n4n}wzy4grgE|VvDTeU0X*)t2jk0p}6*1Q!+!y2U(#i?tNlA0fG(AZD zzw%j&2O02P`F7&_jF0*z3J@s$83@=wHZAYS`nu6Ok8Hmmn4StZhbMgcd`)~yy?z;j zLY3x~o5u!?N#{HFIrE+*D);^f?*W5+^brNG7_X+OH=nnP1mFpvP<@%-v9pe1P~Nu) zd~MeOD)05FCcHR0?N`B`JKgi~(E|5f1GVcPO=y`0Cv->+Z=w)3UI^}+*(W;=b`SCF zPXn&0nl$fc;Wwq&R3@#fFZ&n>hOK+D>7D}(<&7k}Ke5JcJ?99n?{`tnbc?mF@dS zXM1l3kNUsxUXl&_3SJ+0A2{`&?VUVF7_xjISykVc5?o#Pon)H`*rG|-z3*?CG2auV z5Vo%hq>g~>+FlmL+43Wo8ytlW_eRly)U3kRZL?HO7e0z7g8NTrZ0J}`*QzV+C(`@U z6CXzap62&+I`(wOkvTzg`pbUlPlB0%D!dMW@l>6`D~Q99$9AOAmuyq~s3wQS@VKFN z^BS)k++`g5PWh$lfE>a0X^{|nU)0un%Le3RZGn_8cVx$H!XXpiF|}u9>ip}*32&XF z^H_g)Gne<}XS{>hYML_OaBgJU>gzHLDt6KRd{y4vujH~?>loO~OM zt;n+KexDXtZ?EC8=Dh3GrcdBHA+c<(_866OuvHI`{HVAhA+)^a{mHDq$El7cGugP` z^i(z9giCw(>@(@yhn5iPR|HRHUKc=0!!EHOTzW0hKmO?==w23jb4m6-KF;WF*>_hK z0{3dWjl=`4zWyV)TDhMAobn-l4}IGra^eDdBk%Z*8ty(3N)Z+TNfR*+m}^!1x<`DI zg6R{KA|Q!y?v$~XLJ{(5y@Y`zr5nBzJNLSKe7lQCdB($|1d4CwWm08o`pk0vpKm)t zfbVXpq6VMUGCw4q{K1*napp3aIUpl#c&6OIxPNjy!_Mh8F<^Y2^Iq#^ zNvLJV&irIQmuWaSV53&QiVz^#;@y0!CPS8;m=gG*w@-TGbTF=iw_KVQi6NI}<|koA z_o@`Y%n3i@d_RWH%_KlK>`&PnUn%z540B`^<)|FH}8f8TW6qW3QRjL!#@50$kIi2s^b!W$ypVCS!mrD z3C-6#P7z0{OxCSnuDsKhtgB1bsc|NwIQLaq{t77s>sZ_$60DB_^=Hpw=P#$fYQBqV zDot-zb{=(f+Z?7S%4ij!EGFBCk}s2am!qmYw4b&btOAQ!{{d+kVNW>`3;MAgf>LWz zAc3a`BjapQU_>0Wpcf^Stm2R`$6c2U@aL=P)M*C{eff`k*Mmi%9Qfe~YDpae93l?_Z=T0U{a3T+x@jL8RE!ldm)+BK&!P zPYgcx+w=Src1o>&0L!CYx};EM9kfoT^KNCsdKm2JVAm(Fy668k2YO+ z4xitH-p&Q48e1@@5zF{pwf`Pdv`eaMS-Bz%)KWcG>^nNppSQy{A^Eo4dT{NcovV{@ zVpS?M90%c-FbDYyl2>pmF!G#C&N=IimyqTP%lG7>HOf}Qe}sjQCIL=Z<)s@XTXU7b z?=&gUi4Ox8t8a9BXvJt_IW4&}DPX1jH22BR1Jp^9!7!XlpHn{nejuDz^tvh?vp|(1 zptEI^(U+r4hr$K>W+X6EN3RYWLW(v4bS@KyG+2!emPT%hFLE?=p5VdiP`Z;VC|#yU zai9eJ<#=p3Wx*Ef)sikD=Ia)O@=1skN|q6|DpFd>Ox|^bv7yLOph{M5=<72gylj&) z?~nv3EXAV4=Cr4+ixEc@tlEDTx*+P63({*xLEvJs`@+NrQMy-MBC@Ugnm-hK!G))RHZ|y;y0x z6a3j zOXtKY*wh~?+r1{Dl8HApbwES@+GE#@nS4ckA`bC@uA5=&bACeicEc= 
z)=KS4)iI*7NT9*E1QiW!6gI0Sw$USORw-gnfr^$I5=s)B6s`(%|GIEII__e2QX3ws z5ooo#$b@;-*}8s#^6$>Gu*fJAhDz5b9R<~BqtI;BvkYmpV^!#h7WkMrg&-{PY-4bS zDpTl0JhnTBWI+I-()ObZ#O?H!TN901FXhYUC47^G30V z+zVg1Tl{n1+2FiyGO$3za3n?5N46>e#})nVs$|REv5pD#knUR`3#)v~$8H@Q^v35~ zTHy`vMQEtkeL?#l=cD#YuXn4j=H5-0xp7Uc_c35wfLSSat7lhJht}6uvut+rLiEK{ ziqGpJ4Tj)It&fGngOIM__Lk4Ki^_Ew3$3Us$CaPE=cidINh+r!H(Nb#iyDPxw~K*A zsHCsc@rI|0-^R^2JwCwY2v^!9*cD;R8p?d-WS}|bhR$tmm*%cj@ixq5}KuJC2Ua0c7#B^j~2@r7lzVZ+YT<}MWaqK=jWbOxzn}8 zctRlbq^k{RM0Qx5skYYLg4L{PP_cZ-q+`GDk<85Xp|5n}#@AA6-y0;;=`CnGoU)CZ z`>w72fmu4bem$1F>}c*^%gXdV^Eu zojx|sbh%V7*QeS%teEUKTmigxAWn7|JI+ssY&VW#$@6f-_dTZb1hls1S)6t!> z;ZrDW$H`i%jfXGGInC`sp>N9@p{tee5n(N!!`!^nZ9iGEsB8OIw=!QZfG-vR*nY={ z4D8+ITlkTCvmIbB0)(@4WlDPu{2d5u0Py($shZ-3r^m)KS4KjrHiw{E(O~4rOz)AlTtVklu5Lz68 zDasS_(7I4|{L(4u0|#d0Z_+Dcrmx&7Gt%&ZyWIrk`8Q8MCuyjG3`s+`+^+Q3JdHkc z1vBODvy2gPt7l~KJQ>~pNh$o$iUWg z_rmSk3#Tr`nYADuvGSco#i1+ck>>tWc z(iLu@ijt7g4|!@+kj4pf2oGZ^+KRg`Q*kBxWY#V=L?>*F0IAC_SJF*|P$rQz`4t#GzLqtE6kfRZx{{CT$%{!I*9A*eN_ za=8xrFbk_zr@okm%BY`7&SB(8Fd!}p??zqCrqLjZ@tJ`F>+jZYwxz-Z3nJ?*++}3y zDPk79V`7bz+Y6XE?Y#t`Fp!T}E`06u%slbIF#hbT{m{z*n#1T$xF=j?;CeV|O-c3w z0oXJHD}sZV$5%Bt{6;lL4Jo`fj>dCSnd~7+O-{uV?$zZ37iQp)2>LvV;O|KB_B7?0 zNfTFEC^+zBTjA8kT><6gZRNv>|NMspdDU_6k+4-n-8Pfmqf`~bNwvlW4D*N=&@=kG zQ&Iz&S~$hfz zi~GYgqnt26$%l%nF}fySpJ$iuf>!_~o-FFzLo6&uC`zK{f|)o(o|&%~DGa>G3~P^b z)`AZ|j=BQr;mzA{Q4xCB%zASX6VDp%zl?D9%aqE(m2pyV3_ACp7FUEu5>%9AAgNhu zsi5K>Uw0f+ZdB!mTPD zcQy`l8ml)1((05$x|q^g4&t+>Q*^9U3{x`Z~Y6DqWz)S9r8(qn~=>VKW01YLm}_rIR@&z)7xPPcfp1`}a#EnHAK{ zFH01?ST`n4x;W{FqlrljK7}u0{P?)B<_~Elqoql zWfz;l4iTyaYN3y=z$`2?S@ZmV<)9Y}GC&Zf7{LEO3Ng9Jrj(DD4_Rms24vz<)H{|> z2o20Hvfv^+?qHvTZ(9gF-)n^@v|5j&PqyofB{z>;jOBDIBCn?Y5-yzg&Hw@C)`ll;Z_5C8L=#S$_CdKWx-r(VjkJny!ukMo4bcgw*CYBEmU#$D#th>_s z_I?hdxA$D~7!9NLzCY7e*PgTYb#ADg=zNVUEmEg_Yy2Be^EgV#74vJagJy?sx2>Hj z^9~B3t4`?kRiBP~n?v+%teS7TqKX%a*0zBipdq z4NY-gMv6zZBVJ;6+ef9e&WA+3+jdJQy#L*RkH2k4n*g7k!)$l>OLFa#s?;*HUEd%R 
zC@9KNQe}+6uNNOPsn5O(y}sXuf{co35`Nfe`>g0c6i%Ogt{)j={dw}jon2TajdHCk z(0EM%5i#kxUA6oT3zY)a85S)bng|IyQL6>@dftUW19bpc%0U{hx|DxaVonG0?0%Re zDo|tjViG(j4r~M^?|pa!i4nL{_fC{ODFr+;Rd%Ufd}Z{jN#izylh(Xu6{fR&9L}8p z8H`yO56-L$bijsoWC71mFhnxm${!E(#dv0LstSpS)I6y$nS_R=M)T^0B`~IRumb}j zsb5;jY)>xYQ)}kc>uHM;l$+6HhV7z7r3vDUrwAbi;tfA3TJ)=RG7z*^q679cx#y+} z4nV-w5<{>DR>8C=P=uDI5)vWh<{HjYuWihaR^5`Z7gp6d2MWk(4iFN>>EwYTBULQa z5_M<<_l|w7n}E=ib(9F^5RhNCESVMA@%P@s3`G&CWAb9k;sqs3i5~D|B?TgkHqpc6 zDt5@2nU*f(zvS%1&L%j5>m;hdDWl1wxMD!I!EZo#6u3A0bKM`2L_Y z8=;K9WAX~Da|5y7Qkr}~5}{hl3~Vw}$v9Oai;}<;FOJrVXo)|@_4;Yi0v#MxL2$iX9k3OMsG%xBMD1}5|-MMMNF z(E;AP7{&m89?9e!Uxj_mas_rxDYH<#gYOWRU!YUJzdFv21%BVga1k3J+=hwFbE%?$ zE!v*fwwz`AkA0@yeU$|UNFQPrCu_aeB7ZsQKM56tsW?S>l84rBTle(ho^jvN-nZC& zg6>ms$?a?-FLB1^0pDUROa zW886Ec{@Dxi=`S%08i7VrCG*RqhbB5JT^Pa-5l_G6&VHBr6L3AgU*D*gn>Z;88-n5 ziDF;?Fj<~Q|D32vGp2wT`!xj7OrvJu;^L?980FH%@nl2dGNVenK#>T1D&=ce-T_`5 zN?sETS(FK7lyjisM>uiGE%Ee(fV?rH;2m~D0M3et-HPU<~wvyn&x!6 z+BSmhCj0X;lgpQImpxRR-6v#@1M=px5$Z9C}v>yFiG7|PUY z)%#J&=lSV9_qpRawOJEE?O=v%t6{0LJKFU9DtqN!{o!|m^AurcPTerw&DwdCZg*qF zqtMYRM2atG_lQcQt;bLXnb+(6aj%B!jc#s7((Pp<{?_xq?uU?EKT{qsyVkEe_uaf5 zYG2)#Ix<>L&`vhaKJgYdo`>L1vi`N|C5=6W38)_}+1gde0N&b5St?&r#}o*!+xNGm z?}Be2s49nV`4S%bu4voSHsFD5*kW1AahVB2%cDPJ^|e3N@nPGC8uzOGZprrMWzg~8 zUZcxu16M1bo23PCAoHTupj2k?-+FCR(odL(mXix9w75 zx$^Y(cLZB@F`^r5>(Sm0>^XOZf$8`;JLHYuDtOsg$(y)Rr(PtGJl%z2p?C+ z%S>GV;OaU^=Ig)K;DF38h)-ld`ZeJBza(XUyLDfBT%Y*r#*O&bmP+te3Tkiot^w$P zzLFjp+;1hpi{+or8w9on2%WYR7zsUe(w3<&ml^vdScb(q|CFx?+lKUa6)Edip+L({ z(UgP|lLSX|_z6e$FD6K-dby11pS;U55w&Jw(GsgDy!+`z ziK$vU#|k7>Rw*+^AdI%pgEheJQ0oJUP?ns>fc1|y_)CCM0;S@x9nVO~ni2|C0>ojl zJ93-{ZN`;RjvUCCp~Q(T#TuiV5+!2IS0;GM6y>I9b$}HLC2BBQ2A|E8EFzs1AnUEl zvs1qsj$atM))p&Q;EYK$zom5|NTd=% zg~VCFEe;3uvxgj}VAt@TH-xEvpNO<9Tn!~F1TmBa?DN9&Iyx_ z$@F5vgSjI6R?cMl)#)L~|N+L<2$}JL|VUjjT!5LBAkgrSJ{~|01+jC=Dko3+wY-X{52mPTq(d$1? 
z)e9nzNn$+f3|3gdiAm}rR3eTHjW!6x!C-+#Db*3|Ex5Dj$R#HW{lUN_&0c0IHi-oE4 z!h0t`jxo?D836kOCH*7R+%xZ+2372}W$n#-0emuaM}H$y%$NaFr4Lk+dDU^^QmJmB zHZ)E>C&@go7W41Zih{B8tO0b$yeuL5N1zTBHR^Y>en?!MhJ*H;$iSEOm?=&vKi`d zjfW8_vN3*`(RH9aPsFjs8f-*MG%p@`uMtD@Ym8PYtAlTV*}}YNA0^mn2xM%u7GgE+ z0Gg!^jx{q-!i2uBF;NMz1Vvod@e4;a3?;hi_!me2Lc^F&ns^FqKEVY^aInOZAX+U3 zr*zALZ3FR?6bbcIc;+rsctYGsh0h!&*L5A@xEA>CA1c->ubo;@_Y`@996!!}`x#Ch^v!nm75;%ia5ngMpa=vf92=^PbneOFWuWJl&s*{(P&?agzTcZM&WW zt}CXaSh0AWUNx`ayC){rmRxn67N~Z#zP^iHqv`mL?icUDZYRBUygm;N>_AxH`fuUIbWVRM#4gka(ph{ zD%;FvM19^RI=mOrdwbvWbe+(BtG_vj29$xKAom%a<4)0 zC3bEid)eKlRHr$v5p0iZ+`k3~WLLiy`j#YZvLlakynplnc+G6>*Iq|kqRX3a%-LOc zV`Q|w=WA@T8;(nsIj?hgopbV>>ANkuws7C;aPa-pX=|Bpwa>ZzLZ<-3o1Ouj(&=FT zg~-!xSG5SJ^OnESG-D0bCgLqtkuZbO4)N3*2~~nnh$-8ia4e6rny1v=p$#zksk7>w z`e(UpUYnbsZK=UQ)GyO-hQl+HOon5;oT4{xZ(TRgnj^ezUk}kSorg)@xm^a+@|_@S zl9dQF-<_4d-T$u614?<`=LPV6>x?^EvR_R{*-g(RbJoo@tOvei4C%Zc(`aJr=x(%G zFE&?BWpfs{4|MsS?qBnVZ5H@+jFAlm-|Ov9vC5a&v`dCJJzmn8a^D||zpl4l%O~KsycfBi zAD&@6ue-+a!ON8)Qa5L5e6P3aM~3l5U~YzMo9BRQwL6|w5NMZq^gruc=LdS-9iMRF z`*V2EG5ni(Hy#F8(6z6=S~p6kId8^j_}2FjI(ypyXBbJknzwAe+;4wx-`Gs7TJAW~ z&8^PVKEjiqHP0$90F^&!7FmER&2s=Tvf=?icFrdZ&@|4g^%0Zj`u&8jlqZ3?ldYNM zFVfQs5Z*cFJD-{H{aq(^H+Sg#FUTzC1#tVY&&MJ5V1%WDgF($%r8o@|Y`<(7DF}5n zTqkHw-vFr`yI%5p5GFmIPXEZrYI7w@LO1j`Y%PjV)e;dGp0Ndm-L4?5+^M@gMarOF zRgpZc+OVFy>pKNvw1QFp>3}+U?hDHA9NXlnJA(NPy)gv_&FNJwBUwR2Kf^P7H9Sok z43ZHLonH@MPWq!K3DvwLFu#+opBS<-oTQ;!xJmayrZl8$(T-k;HDELnSN>hvlO75P z(f>uL&fhi^oN53kLd_YhCgRn_WS3w{Auez;FH6#JY26HzbR)~LFyfCJ|Lg3B%MnxXS&qKAMQO{wpz<7ewI5UM=PvLiUEP|uxqez0fz)n{KKGH5}Y z3kLhw=0wX9hy;twz@Q1EVM|9_aes~cJk&*622Fg@+?B{sX-dFgfc!B}KfAW0NXGey z9_|*bCf!mPBu<3MEC2|sMe8pIE%kFH@8P*w1v_n0HZTu$>=HTdzapklA-B`mcL&zT zJ@(lmXdYKJMhVjJ)G9ndWd%Jg9H#Jlg7gaUfQUD5mIzla{Y<=hD~>(mks|?P>e#X_ zrJuBQe{#meJ)YMmhpxa(&j$YK3@WGj9F+1BnB+~MU}968)?b(mhEdWcyWH#H z>b&Z=kmIovzvlebc@se1?;OA+?5=3lqTb3qpeRz(19YVXj$*cGrDVn-c!sainzp3- zc}Ph~qTvP8V>qAJWl*kxGB~8-Hq)Y=sn8f!0PbgPmq*&Id 
z!2a!2p{!FHM0HmeaMVE(1nS))tMIAZig9CPf*f{hgnUvwv**wq zc9OZJ91~e(Topu7xf6_?*!U-Q0AfZ@s~BAS6-wqd{zeO^?|sf~*YxVy@GV2#c!ncq zG1s%YKjOMHrTqf((4u8&2=*Y;G?OOX@MyF~@eWXQu&9M^DHEY2X}r_wSO>CC`h(k$ zH3U&iy$wZNnpASi83$XL&X9dRb`2>s+(sS-8r?vuYE&dlgcd1iTebA6LobyY;vGO9 zg_J)RMV|>XrI!EC1*nhJGPy?|9-KOqOT#cO+|-+DN*veY-yzcgr;hT&o6_mCr1!ez zP{@9n`0=h+I|KYVC@w@^LGltg<+yYmj5reHEE?7ba)}U`?-XF`wcy)Bl#G@5X%ckg3#frl+@? z+#>G111 zFVE$~j!xT_;^02^Gp*Ni657nClFwUBbBwlcxaj|3>YT#s3b=0FHfrOfu^ZdAZ8x^j z*x9jd+qTizXl&cs@yI&fh?9OMjYO1V3rPnq%WNA~W8eyZm9YTz~_5#g?f*gMV({!)j_D~#+uPz_p z+K1klzE%D-zewaOcRz20jWnDgbVe7=lhe8|mL>n}sp^^2ep1n(6BL_n%AZdxs48kE6Ai z${cOSg~`>~>Kl6-^X7uF0)I-Fd2c}+dOAK!1QbTcEHpi>L0@d^r+zL2KQ;TYLy&Il|0#&M590@B;Vhsr6rmY$Os{^rN8 z4BbFi<7kKoh9ydHeq}*lGUkw%3|^PWeh~;s|8jAM#0;Y3j_l3s=;1Std2@nb2QY|q zs$KbG=Bdf^az(~0G2eRG)u-KSY3~bSUdMM`+4Qpay|_ImahqxbbirLBE(v^Rc&^XvFBvluQ zdE*dH*8cFOyrOVNS=;dDBT;tkKk&iKTk7E}?A1-SA#tLAo8v{X98dVMN@^3;=Z$AN z;@g=#DVn!o3Y*-vhD2jzQ4B{y#@FO-T{dfrhID^{3~@lPh#L3Fx%a4drBMzt+O9Zs z;$^xjvb3gDUJS^s1!{`@k&&;b-C@#Wvq9k~aA%M_B`|x$kY25AWb3@<34#B9jWXG#1A+AnW&Nbt+-&^>N|3oyX%4_Qm_!+a&e`IRMiW} zJ!$GZP@Eov!I-Y_gk8CtIK-fvS(*&Ckow5lV;cEe<8r{){EgRoARvhzo2}AA=r7tY zL=GAt`-q}#pXAT{^wGey3e^#kdR?MjqPsfj5*#J^p~O>I`Z;8TI3pL6HsjK?;GcRW z!%s>`hC)zN73j7))I^Dhc&0S?VbLqT19;8l;>G3%Z!Ob|#d)xpes+ad60%V{aO3hO=PQQO=n|E!{2r_X+|7wjCi9RHQS+QincmiRPfJds>k`kd! z*J8w$;l6Nw5>1#0rsHu71A=|Sn%k6HxthVp)?guD-wzgr`6<9_EF%LDFj!SS>KSg2 zgQnPGIy}tlU(WjLXCL=hNy~KAkXzFTXJ`^Jm+p8 z;-UXgstdv1xL-8q{nNCKnPcjlkLJ;%QFySV6B4{N6Rze8x9Us65A7=tvFbD2#2jN4 z#>FQ(P~}O7+_WhVUJ%ndNUMO^os*nw-}FqyZzdXuHIVs3hg99tiH0-$J%W0cWZVQg zY*!YVlW}_Pt8oi7G9onI)-6knIa5I9d>LZqv@)_h^VVzvF}?Q9I;Zwh0I}|Ty>m;! 
zFSWmC?W=7nev&Iy2wwCiWG)t2lL1qYZICDhg)QgGb63cUvvG0aVX;jMZEP*nIhm3O zO5JeIg)wK{)aO>+sxzi?dmXN9ao7Nk2gixYp#R?pItEQ*k-lsbs)S&R(CpQd%@ zg>XbICr+F^V;byNWaAMg5o9Z=vw)5KuY725pbg!;%mHr7fxWo}pS3r~+p)Is7y|q& z0a-i`GQtN5+z0Lhpx*m~k-tZfp+rdz0`kB*V%Hf~z2Vx{8=ifE=epg4>O&$LUVFtz zQHRldTYNSu4=GFEBHtYvO}Ci02rs~y+HV(xsT~!M!#$5MZyOG8*}VeZo^FBFcAI-@ zkNaLFm%tr-ud0S!xX$iQL8Dgu0PH)&W3ghFbSQvZE~Vicf7kWmWJzUDj>ln^bt|WL z?a+1!VfXb;Hl~YR$3b4Uuh-7Yg!jYh4-Vh=y_6e?8T2x;*4~%43Bvd-eyiN{##-Nt zLW!e|#*1om+Pw1{v6X%pUP%E5*O!(3)HL9#M=aUtNx@>&jRp^2_i*Vo-s?*)!F7>B zHfZ6dOyPcJa_ePvfq0$&d9K--9kb_8DM+18*Xaqa92e7DM(;?&&8$U-oB`iyLY;x( zP?y7Y;-MZ1R0)D{f5jwh3+-wdGFK=Tawtr_T@>)ynmSBFn400gP&R+P(guunckV~UWdKjmopM@= zvX?#HZrG4|A1`R8DeWHa+9l{aCPNuMtddoxHJ@ZjGsJy6qz7p|#+rtjrYi_fQ=2dd z@j9K(N>n}rbZL&qWFwwWRdpNkV|=yc^qyr7Yd^g3H{Exu`fvf0{6NYdo35wLUT#m% z&-YLQa<<$ua_=t%{#rECG zRd3PKM_{8&kGM_4wjQCr%c34(u=y6yY^|36VO$Ie&@tz^2(egO1Fjtg0~*0Z+mqmw zv0LnZ~x+@ z4f*vP=cKduxtT^;RKG@iHKm+Pk&a842})vdCT{tOk@%d4uyjMaAUo_`s|IP>j8kYO zzxm`sn;uF^2}kZOD{aAsEQtWyqW**sD@WzoV*~lZoVa&bmtFk;y2=|NgXY$ndV<;g z5_OuC%Mw~|=0kLZ8&G8uhPHETHD>cqKF)xUETm#AfVh0f)0c}fy8SD&$pjk;iS}cf zYXoCBOxjWp;sO%^~mS0hi28@Xz`RZynr@!o6+*9wp zP_5lm!ma)u$fz!|haA?YUdO<<1`s(1_9wT-x=1mtDb`n*%U zWx_Iln$D9IqqbiJC${ASC?6&f_+^e=36OZK(lJDR{^9v^0gg=uVygU?9qEb^w0!I} z7@5Tdkoj^wbE>v%Iaxv)$kB7WW}(M)%(u=h{YzX?MA~jo`@%=X(xtdg`lyjh?D>xy~kypI^C#mvdww+eH5v^ZBVHx|=41 zu<%S(0v0NbdE#YN+GSB&ifY&=T(W(9h$ZJ#I7DU6p zEDV;!&{r(=m3nX&?QG3d$Tq^IE_U8=1iSGMdqTxNyI?*71l|M7rZmTl^y1`!S%?N2)1Xr(t_-ttFlPUDm|p?UE{y8j!`*~*qxS!p2AAadN7bQ z=}ne%jtZ;`s2TGYU8-eV{+KSX4GD@DXkp{%yt&8_96ufk+!N-#siDvH*m6(IczJ)p zL;JEbU^cL=(u};q>!3vZAz&{a3uI59v^*;#KZQtiPNx3bvSusv_^Sw*`!R6e1k!y2 z%zk#irOI1wuSh?AoWL_~hk+11QyvxVUnkY2b*Jf(XuH*FMN)oV7bIj=8HtT4-etv% zCoLUw6(YuwdFU|Nl;d|~|6?p6SE}Vf78;k0Hjgmw zWQasCAVjOz`jwZD!RU|22!? 
zp$x4|BB4r--aHw3IB;+U`aFm9@u#o&a#R@k?rmLW<$Q7ue>yCAU?N(kQ4ZBn`v1y{ zz?vdj50pAFsJiAy7SD<_HFvY2mE~FiF6Gbg=(aC|L8GY%e;)(@V#V{fH)X` zTS(D*3fC^2qjz{}jqJ(l?pybM&4zhW(B0cxi0-HMs)6Uc)~mk&JmgJWk%e6A`Y?Rl zO!il?r54Wcn5HIjc?8q#_l{P3x4$2EB5j-nEIncpjtDs3(7qq7BPDOCJzA@LJ_|^w z*7wg0CWqbgf(+bM=PrZ?ON&<;7kG|kX2r`}#St8-$tL-3VH<{pmcsk;cM z#b>JYcrXfl;_mfy2n1{Tu0jz|g00Mn-X6v$baBMHcOJ$D}UrRw+_>xkQ-i1|9!0Q%vQsIO%%aWYvv_E2zzgq(s<9`u2dvD2CbJ zrcSV3rXCmH3b_HG*c54?~#J4){nrN;sdfse|U-nzK_N!A%^*ggaV=9jJ4~JaO&62jg5yClwrvN?8 z9}4%!#{zsNj$5M#H-_;U$M5!w9(TEA)XD1bjwJfHL${KXt@zOnU%XL!AA(Hkul9mOoE?+l zX@?SD(4JuL?tup<>5M828FX_B%t7FMTmSKPYhjGlqgzKPm2Ft*RA&NC-sW4vfV zp);|n)g8!kEZ3338;Qj=drq|xE%P)5Pz{W|Jh|}MQ6merstKxpV>cfuQ~ZfX7kEew z@?`%}3Q`Ws!-k@Y#aAC}D`SP9S1PEARYjV)&5%Jj6>6+@w)|p;Xe3pjK5{ea3_}+{ zPtB=G;brnqMX1N%Y0lT?d#Fe$H|nHpV&ZC680kFF1P+xsT@`A_2j$)2Be4RfDAjmh ziVWKS(6fEL*w}`90@3~R*kTIv*X5aKx?!^gS{45}$7}}IRn1hJrY;A*`7cCFUR8lxlZV|98Hv!?}5Ih!Fp@rh&c&7Z>#YI6?|zmr_im~ z2>DB-bY{gpu-=8^!CjdjwOxAAw0t6Ls~S0J7I(a2B}@@eKY~e8xdtQE4aK@zHaJuq zuTGsvB*FMC-Bu%-mR_}3M`?$;K^`i-jt~ZYfR=&=j}@78G=^hW=_f|A3Bup<(I%S` z3jZP4LhJ#?V>d7M_(-j(s=+62F)6}UE;2P6X(Hj2F;+cBvfyTXA;%2e1c(HnI^(y0 zWdW%_$tDQqm{eHEPII%t2v2J-w{GzD;MOG+@R`8L=K$r%vg0KaJShVrWDf<3N=V&1 z5J;kC+n5`;tuAop4r^O1GyP+}{1+}wya?}Prqf3oRu-RyvtxnCwkk_*jO2p(W1QBQ z6zhu$BeKk`qSTCmPq&@b!U|1eIVJKdu^}2$Cse-+BuQGDxX7t6k9tKQGs1|Lg=bQP zB)Z@yI$J1Ql#d$gN3AIhSIgQJiVuxSm?-V!eiZibY)Z7?j^-rmIy8n;9d&+cXrAcc zIqK|y3aH-?wSAH^u{5bka9C0)5mu=5gw^O{L(9-JqKZfeb%w3-~i z4ToW!M;Ogb_TQqAIF+B=0o?5P$uiVMxojlpk_J@DQ{^TW&%ecMgR-Oq$;h)+9tvVt zwfd*l!kIo7&hyY1*}ht);?gy9qj{GGaloX1srw7PK(0IB*LC|n(uh(H+h;bpYk^V* zyE_Hhjfm;TEv#x4`(PZ*B~FxEr7_3lE;F8}pmH4xDH8UNAa=>(`4e`ZkkpbY^KsAr zPu7+Z#OepVPX$zfguV%n2wyxQQ~OIk2>WDAiPklEekE^@Vz+I9llC{Hieve;g~d|_1@HF= zIR3WZD-s>=?C-&WZDdQn>FH2e-ZPUvPnCK#H30k%DWnK8R-CiGIyOJar^Bh-0k)^gK7h`}*EAl)kLK>FVV*9I*~`>zSE*$Byi& zn@*W#7r7ha*~+`{3O)#y0Kn7LZ;`J<3c3|fF~~Sx&tYzM42Lei!66N0&g3@VJ#TR| zu5WZ+8cJ~JWxlL6$}q#cA2lw!w!6b+A~hlW=k~;;+O;l4gG_Jh2#`a<&=u)$IFNk{ 
zyr8?~?bzEr6UE?N%FS!l2u$I5t4Y4n`&Iu`|JK`kdbb~qp?f;3%ias^VHn8wzB*Q{ zx8j8!=xZC=?Y8!o6ugY7BEk1?@@>dx$;We;|0%1gIrg_DpKP~5=F+#7dwadIUYC6- z!c82y&biXFQy7A~h4IkPC;Q&|kK2axE5O-WB))nD9RZDAz23{+Q>@m>;?aCGO{}iv z&>`XPr)*pmBsKYKID3Mg)lHi0x+z=Eh|9Z+9vF_9l3Z<<*u(+m`h&x#uGZ^yiX7pl zr?;P->yvyl3Pzn240?d+dxhyHe#Il+#}C`i+NR-Ou|E`egY}&z8hUw5MVhGjwq*nw z`nZPz8FC^c$r=b|EyqsbnImuyMosEeIh0@b z-5ui!XsSKyIhf<6H3l}Mrvp?O!XkbhjL2ZGQ9oMpAM%8Ae{pM6+uG%Mq%;hnl{7&; zb)7gMf-UqGn~ohB%Sv|q5hZ z6G7b*ShdD@;+S3M?Rh7TTZ4gHCf#DG$=GjhL?wEIomM+f^p~dFL|^I%+DaZO*sw}U z3D|V$uR2E?T%Ir6?kS*#H7XZ;m87`&C$!xp99_6Kw_@P51z{!dA@(6x)?bJ;LiDxV zVVSz&n+bJ_3NFuF+tKIhZ^RCNCP@P5oYS{n%7gD%OQ_g2f922o8E$)lbierNQ`7({XEl&a`$p!`&eKFyDMR%*95KF zYD}I6nU$42YYfJhBB`JmEmlPnPHYr)|2a|ewCOyZHX){ z3Kr?gl2Jdpv&X?Eh?pz^ zk;iXVu^+>Hb(Z{N{$ z@@umh1#y;mXeEiFtOyysb}GnT^u0}D{oclR!(>j*B^n`uW|X)x^Ks%DQ^?$z zc)!~IOG&#-P+GaUP~|oJLQL{?5an@nghL%9n}r@LQ@7A@X#JdEoZJEf`-1qleTM{7&f>qDQbplIBcX`3>bR<+29rDZk3<9yUYkXU?U!Ym(=^ZL zri6w`;Uctbs0wq$)i0Rs-MLUyI0yHo%Zm~irSjQ4h|;0hq`1DMUcI=qrLblEP>k85 zB4j~B_z{ZWiX}?Y!I=_QqAClcsePuMFfyk+aL~p&!#ZRn*pLbb ze%p++)GVDx4z(!qQpb@loGqeBiEs?qu|Pkip`<}Sd)dXRFk+p>R&4<0Q@R<}!?Hey{{01p@>@LGbp6XCMU|ge^4~!v1COY)TvTrJJKq;pK5Ycl?DS}AIh5bQh3fPSp7nsR>-r<~ z2>{Ri65USywNC=>rQ#VYS6^R)zOhbC(}hH6$mcqMKC#|0)?czxueRt~LC|him2___5zz;Y6qimjn@)CS z^z9ej*b?cL!uH)w=M{l{dgj*+8@+1)T88=&*eRL)*xaX!lYyBSAL~*Q`43>`xsK-% zEbf)>5_+$|AxMS)H0wi%bW3Dv%Xo&u=wMd=(k~hN@N5N$8;$7Yx^8WLdsVwSsPDIW zz591>{(2i2po{tas>4ynes>^cUH$idp$zY1hH1uLb!YB6#+LU9s2b3@Ofy59tpjMkvzEeQ0yqZZ0U6FR}nndT!mmzuNYMCu}-j7+l@)dY(4%w?})Nz#$13$H-*r9j_%MC!!6?1WA2T!m0Cnw#ErPcv2k*y= zfGCgK+$_|`(3m7b&O&wB(;KKfVx$VLjgdGs^(HrO6-r zezWd9SrhG+RN;ui3rqbW}mrX#~py5P3L=n)m?`%$qCpGp%7Be<~E0K@gX@k%nHuzvn+ zGqynJgL!+@q)z$1QM_M<>cpe_r54Qwt^PaGv7@Qz8RRd7l79^~PHJPKD_;uM(S}6% z0!pndAsqkuoy+&n#^{l0U8;A&J7nS7sygaX-`*RSg6jC@lzXtx?(Ev=o{39 zl7L?)xL#z1Z8)1lFsS$2O~>1R5lN2q$KDgJQIoBp#1sv8K(p}}@>s5#=9U+N3~}Jf zlx^?k*2YwsEd~SNl}+YW|0vF_L#Q`#iPd~nlW2rzP&;M{n>yH|m2DbpfJaEMkcoK{ 
zp;y7isK!G4VU@$~6y6TXI1@_JliM|*QK^K;_Fg!DLsxd&m!>x#(Bcv^kSDVqiqbK2 zv|Vy&{S`nU#j&Wx%|1Nb909qXfR4T+Ifgha82N)nSM=C9`!EzIjjW!RzM~{=Z`H0m zSuNUujc^#mt4Xk80^jfX=hyPc+~PNm_B}D~uLeKTkj4ycgRJ5c^H^v%Wr~wXYY-r0 zi6YcX5Ax8`5^uY#gyOJduU@o_YlkZ?I3-C;(aJbP88Z9uSsBMNB$jU1h^QW30FEE6 zad5)Ke1`%8=AVP$(<1?pMAqj#xZN;-^3<4~hw|%3Sm8;$MC>Gnc$#fp$)KYWrgOG( zfqI^$?W|Pc81*nG-fuIsmLP7#Q<6>R`T94TR0fE}F9cSajSS+$Sjv0ki`Mb0ac&;T zYU%VQtrMyp5$T(Ef#lgf)}qD|l(SLN}<^6N?{+l5i%BGO$Om#4kRDr<&> zu|*~zv~nMq=+&-o!z6&h^-D9VWe$vv8Bz1gO`5B?>Rw^FQ|Ih(-!I~*J)3M-JN~L6 zSQ((en+7+_4j^}^_FxadCE`1ZmhPq-dJc2^Q3~PwQ>mFO?v!|oHdZhO zJ~J^~?7EWvOx4B~EAX3-wZXHcx!+^k@Of^B_<-}L`ZffW z^q?hv4O`G}px-b{?UmPTp}CL4PDC{vz)kKVZ#8whNeV^p;c7_+pvC+O{D{;|?YN5P z(#XEOIzIOO-CguJjXJeC!+EQ?m)y+HK#H_ktXt3Fp?|Co@W}=Zu`I(du$EHoG&Dy} zLfLKKwq;HO%rl>@pL*{HBemC>?*`lm8n&-XwKe!Wu9PV70Q$#)2sx6xt+OfiXpJlT~6MD6W- zS0aA8Z0Av-NF87BxXhK?(Cc+AU-ZiDKF89f-WrcZOzZ1@Wp4K-TO)?g%a&!Wo$m~6 zwJxTtZHI*Q7@t|}^2S+kqsBzf&C8{>chfqBSMEKY?|vWVH20C2>nW1N1l_}AHe3$J z$4wj;2l|sL;dVFP`(b=(t~0&ng}+5#Un*`TVQx#A*Si@_>$0!SaPF1+tsCKF+E)9^ z&d|2AtNv3EI)>iehg^)d@iyF&_Qio1!|&qPlS_%E8qMd}QvPU-94-HL`)Q0%zKDJ_ z7<}|@kM%M2|GL#MaGB5#haQsAYyij{HIN-S{!A>9==yE>{}$KSm-~A{?u^0hUkXxb zlDGF~0^OhG6~jD6+9fD_F06(OrUrrZuWZOUmGai@p?pH6qgiPpl^<6W<(*MWwI`$a z;P@0uQS_uI`T9YVrk4SWUX%%G4>QphV$q_0WO!I~uH43PSIz=d%P9EuQ~wD#%|g;0 z=C2jeO3nRySjuAic*;mT&7>t3Q#vvbb85|OkVB&E_}0Kg8%;PRrI<)IZQ#!a*{45i z`;|aOEZl6Sz2YflYP`kxN685}a!}6}gk)v)0_WT!4&8hobi1=-9I91Dw38}-)zLk> zoupF9Haur@V9fh)QEr-v^@3`Z>lw$$kfR zC1FPTO>1rX?8~KnM_ri;utqLh=>xENdCs#!_|W|Tr$*3bLn3e}k1#>CFkvF#B{RRkSM zyDnOAK^1sdZWqVBW_ zCabaZrE%iV+!73}nrdVWW^BsytUJ-1M#wd1BBM13BE%Sw)e;%b;%F7RizL8as&koX z{F|-o%wLX3L=pbGIx6e8>gxq*CeDp>-!Ax9+k*+s&!{lynM~Py=<9$96iwoFaTXfL zcnM|S2{Z!o0#ofNV&~lD)`DQbFE2B^avYz>9y}_*Ds{X}A)kcPuLt{o;w${1%9Q*_ zD|g(S$$22(aMFxX6HmoQVZ|BX3P@mvb*cx7!A{_2_=pSf9Tv|}9-ZBV}Sp8cm7H)iooj`S#@J%&|{FJzTIPV;* zj4abmgngb%*wxFf#P+}tz%1}wucsaI=2?C^jOL!CQs#>uPF*aI`oqsNZ2cQ=6SD1` zgR~|4J}a%mAbQjo7MJMTBo=C@P_()QNe&xYQV7UXfQb*4^>TzNjv6OzEBb3y914wEM0vpU 
z^2;_}&bvIg-1}01H5v7C>UZl$Jo+Y~$3 z!gJMW=&Y z3YOTviMH+B6DP=&q}%_rRIJNw4>m_+Af(y!S6N+R&2-)xRY5RA5ld^<{3sFCpJ>_e zq@sOpN48MB{7XGxvnc79fve;aZv)RLiB(QVS`$P!6M`x>#12iHf)3HF>>M^%Mt(nl zL!rL$7eZQRZDt7XUrNN+geDu^0cl`VfTVo;KNTrRQQ#Hj*e<2{x|~07N>GSSBxr-^ z!tLM;?Nl~?`oE(3mWvay2e$fn$pyiPfIoYN@^=9Nxxh!g=ie6B!B_8VfEFqn=T-f? z?VDT`UuAxwKSqueu|kvq17lOWz4$`t=R=(R&;p+KJii+eg>-;A`K`6F#K3QSE)>7@FPC*JH`+38izt zx7N(jKvDfjsA2DT?O)qgUvVR#u$VK3VQZ}hixeFJXQ(PYU1p*ra{g6;tGur*@C)R`DQnxAu&uWh)Z<#2DPw%LmmlU%t*v zbVT}dj`hs$((fYofomQPr{#->y<9shfx3N{Y85?hk7fYIg8@zK_AC3z@AJIgB(v>V zEznV_8{duF9u)=4?8JnP<88Ax|BL%wv1O@vV0LTn3&zL4?qkA@T&H6Ou=l*)o~`}% z>!izTIa2a9U*r45Me&x-y{Gq6aZ9h=?R-pbt&_a2B&&Vly4~ttl_I0~( zNUomOOAaK;ch`TqTl|;d46QHE5utiL_gxnf?HcMGU$Ii=k3Fq@+@AWJk&Vf@0^by;d4QL9@l*%QyU+>-5+4?53u#iG0dlTTl#)XVF^|d#hcd6 z!UHW2NokBjdgw>>3;@brn29kWpy`$84jdSeBN0qcp_X2pug@tJUl76m6cT=FWyI0) z1v>g+%K3s)acT9(AMkJMGbaXjEZehreo@LVwJ{Z1vguYRJEmKuz2EZjl5rFl9U0ST zXj~?2?j5H~RRAE}6zOzt{6hrnF~P)Zp%7`R&%^0)@~gZ*cFhw1WoZpDCNXavqK}&Q z?%~D|o0d4MQXo9m5~?HKOB*IxkeyWg zKtQ0aWU9@`oNgG8-2B|9Ai_}+b(iHFw$S<@rr@KZgW%UC91QtN7aN{&xF+^%I*r-qCC-ZkA&la;teGa zw_1v@5Vhf+jEonHSnFfMagH6)NOPt_&CN_FVw`M2nr>AwFRuR(23U>CP3T!~Yz*fr z*G{9NhqXflP9XL+K1hn^Tp3Rlhg5efhemqEyPP}H3XbUIKlWcCPXW#R@d=Wsl%6^T zBKM9F%|=R)i(#_T4bX9>$J`(t6m(ges^I#V@uDWFsH)O?^=Q)AP&{$i`i=j*_xDVj$Rwi}8IQZIIyqk^{CBs7;}$d)GQ$%1lB zVB^AZ8C0+OhM-RFleg9C%&!ogXHcU+=SD;DzLk3?9xj!h~BK(N7ABdi( zanh_xnn-VoT%MB{Y@}7`Pb6}VVIo7mHX(EF(IyU4v5PG7@S{aPo0Du+;kD+A4IRIbITxp}B_Ir5C>d?wK`D+tdj2S+ zK$xd3?YFeZs%F~!ya}AhJOAa?!FR(RckO_&SyqVgEkKl9Dgb93Hi0^b{SZZxS)Z0f zZr(Y8N#0Gfoo$duy>-q0Sq$%H*bwocU63KoU#RZ42wQ!~(vLSON>eQerT+6Vt-tK` zt_2rbY_y3xkTj|CuP^G59YT;z3AVKwQZPjdY~RADTX}6Etz8@i)6@f0t#ZgKeTEu0KMl@7He+Lxbi|`)9bS3P9ZTj0KP;jPQTi?MErWFO z$dvjkDKu^3ks?`mCb=%WT$j}kf0Bd}v?2pSG;6Q*%OO`9hmj(mSE~nw{5H4o-nM=x*AHd*w8x`aDZLruG3o*0x z)^t$Qx%GYsh)T$DeGxgXc^#VW^>!%5#2{GPDV)*wy>6c8=rjQ0&M0^t7U%uLdE4k1 ztC{%+!&^VJH(#3r4caZr?s%;p%v!H)ze^z5C1Jjj0Gc8tjbGCR*LL3W4_k-y5{lpV9rMV9%bL!~ZsYw)!^H)mXm^ 
zw6E^G!kvYy#CO?52<7Y9wL{YDA6Mvh+5m>?cm6Y$=mnpxwbU8BA3(`_!>;DHY+WN? zx7+5-r(O|`&UApo!6RGQf_(Ce(fcsJgX+e55WX{i*UVd8uajRRmFqCE&R{jPoiDP@ zAh+xwrQ)GJ_q&L+Ace-OymNV84AbMYve2^Ac+Z*JCg75&qQHfaU3W&7Ubs1!gi6616CR(;{=Pi zutfQvB;rM@Ha2UK^L)K=SN)#eS2uHuo*M^~PRpDeqWGg`5iL_xXN;zPXYip=iHq!L zV#?5LgAoR!)Jl#`W7^d}h7B1f5L%VZAV%Y!n3B0`5rbk5rt?s$o2;P)BRXWh3Yk@; zOuPD518oN5M!#o5eh|@LNF9jBL(A`}Dts|WX{xz|%VLFj=2P^8NmzeaRYaG(eCM1{ z76XbN1(U0c22d_jVjhhA9<_Owvwruy`N#dlk!EA;a;-e>XQIf&kW3jfQ#+7Rf!LF) z&2HflSyx_xUP5DbOmX>Ukd(_>5^fvAO<+|zW{GrJ5{byn5~W$2ND$iz!D+pmNg`v= z&@F{vf0yXUkSatyC7HXk@?EjN=o$MO+(#UY^>S*X6GN;i8V)9ZfEQ;2*;@7|a!brJcB=Ez3`Lhmn zDG?BK%D2Vm=;R6ZGZ+cDMPcyO)&sx!dASeZOjyDAJ4lRDZPqaU$kdA%Ve!Tx(S{U3Pa@1u$DIfL=Fwm@) z@46ATFE~R!vJs%(X5HstK5!%H#MCyth16?rvLjWLl89O(oZx{e?p z>J}NzkZ`Nor3$RLI=qV61XU_+BbpkeDK-s+`5je}3}bjGrk{LBq|YB^iV#r1(kOe> zw-t#_N6{dlH(;YWz2e&1fn%FK`7JG%enj)rk6 z$?_LeX&LZ$=57IeM6m%9y_l^YfqJ7RJ}$TGs)S?sDlT$%iWCGDiirdiMt+8F#@?`a zCBvu(|9GqQ<(`3-%o`3}n1?%Y69N}KyJS-|M}%d^;J#9=<~JXrO%BoujfXuWEe6Sb zQS2j>>ZMat>xe42)tb>L;Zj@KHw%SE=noT%0laisPjXgUB~RTid1;6gg?h-QQ@xLX zpERt`4#%I(@)ek!Y(JJ0oOtd1MI?76*sO%-#=#9#rkREbov@S4;z}3ksFjv{@4A@F z?Lvx;G}ID!nwXyqlg7#x24bBL9u71tg;L{*5I?k*)4mk-SrDO`{Qwe=hb`=| zpzi02Pz;H+aKd@a)=pcdU9opX>IsQ9^Yx)NJ|!i zlzq+cfP7p;SeccNzu@ccJs@fentS-D9<)_7tVqf`c9#@;5~(Oeco(77f{%E+7f@&& zTVOV5fs@KJ|0D0)aFBg@#dCn2RZ#B?$;T?7r}X`F0_*|ykB5is|D8s}?++G~DFhpQ zXT7fuhku{~9nTr->s{4p9O13{;IzHJvmNQYEG)Bg`Gc-Cu(!snfy4R-Hd)dA37Yt4ulOB6S3*Gxs*VSGcZ_2Y<@1qa#0!1}D`tRAVz)0V= zYq?kxhToTi5;W*Eo@W7=+q?$#nZa^@#R*}ZF<$_3U|F( zW9@WI?c8ff`za=)bxfxMbdFkN4zWa44AH^Zn-h!@Z?zyl?#rgP!}}E-tv(-_?T` zz8SjSd_l_}_wfp}TVFR_6X9~*>wnr{UN%jTRDyQG7sjLIG`h~$4wWZ1d*gh8UD-K& zL)gB`cEU6?D&LR+m^wHJsyJ?`T{l|XBwBTe_O%c%a-MpzAg6+ z616>h{nIf!825IiJubH*6uhlw*2!n|`s<*97qH<680iTx;T;6tX?y|Shbim}T+Ln= z_x=HGCqx)eqq&+)(!5e!f}y`A$DVrBc*npIb?SSf5BvNDR&X}Of*NvlbllG1|+ zsF1K{XHqqpaAX8SYT4RgNm#XXnhk#y`eA1zZK>kynE5lDbfgS&s+h3+ zFiXCuP%)(F%gcl~!{-@OW7ZiEDlRX=&Btt&#h#YxPOxE}NdJ|^*>q|(1Yf>x`}G>? 
zr+!hWJ7K?jQ`oP+es?hG>I?$v4xu&9FtUxabZ_&}*E3P&D|_P8$QMLYRstFdWlT}l zZITmGbI2vU#DmFSP9FMF!WMY;zAtfVQ{uS$B-E^7h!8JI&#S)9HtAWXko8gU*`UeD zDl1JS7umKJSWY^V305TbncowtqlQi*1DzQ0Rr9_jGIb#1EXI!#hITUvg|&?$Ms%m^ z`=;ahn~2%3iEiQs{OL$xjDr{i<`fp|EJfS~@QkW4cA+Urtx(SvXwoQ<4;YSF?&-3O zqP=f08a8W{YYm6hi)3io%jqG1RO0$CyRz7 z=BU#%NnkOj$NaW1rQH2vQaD^>TPM(-VVhriUJ%^Wxv`OEM&k(na zu_`(2Y3Y=&;%nw#_RMSIaH7~a3Bt-b$xnz4*Upxh>UhN$zi5|`RtURQ$A08nV6cPx z$adOZyck=C@fZ5e$abK&o4UgNTheED^{2DGg*c^%0n8{j3s29G6S3A1KnrLg79U@;71#r!5gG% zV&s}XCDW&$6t=MKA7%{$a^}>k?5}=r-4kJ{Qdvt-*@86%Os+|`k`h003{k8vIM2JC zi;`*Rsq=GEGITPH4ayQ9mlqpG(LQ`)qLmO(AC4s)Oq6Z1VY|#l6tf(&qhK&5 zXOkAE7C1VhZ9bjsr;%J0Zrnm*9-;8zXrzM|&7OS+mB_jtNt%eEBq>$9;@zMyScBXh4}I3ya>I(T<+gvH%ecEvEiCHF>2#_W zX>9mUU(9NGRC=T0#qE1emg7pr)z=6yVRj=`#eSzpPo=at$4|-T=+60qUFFCYCe`Ic z+ptP|`>E2+OwDLom|Un^CS!#D$;6Xv{csW(R0OegB;XU1+K&tpa`K)EHBNE-u}y9b6K$XlIQ;td%D@6Wqbwz0$)|q zsc*?dd?opsr%LtK8eZ{+?LAGwHz443$Zmo^Mc)=v{RPs9e41y1Ms=NFVk9L4;Z?z!|Jo ze~aDSz@Qb$*V@;Uxz)}4&ie#`mUU0iIAGm;Um_Y&_%NV<9VvG4tA0| z9q5)kce%dT*7<7_P+99#-&g&rlrMao?Pu<}auBrv3w4C*xFzpvxeI#rbX*5NGK`(@fw1e#V?VG~p;MnTs-4Ib_ zH`^?FfYo7gPtaBbMvlkgke{GY&3K(7(-gmezzfp7r*CJoRvVogbIY*;u>DYQ6$Vfk z_{XE^Vr>iTpd2gf_N66Za*14 zZ>tHyp9(kb)IViTK8oZ($q%5=ruPr+4Dh~q-J;$XuXu%`|JuQx>KWiIC7Ov`e?&oM zl>U+YFen;YAhgi$Et&OP#a0P*mfHb%#}+qc2@#3g&SRB|;r}2Ci@@jDr;DX7GElp! 
zFG9l9{&uQES#9PyJEHopElIqpFb?0>r!t%VgM6`b(~N@EIA#KRtjhYhU?oYB8>hH9 z7IVzZ9S8ghSiapNZNSkN6<=6AGcLJ^H}elg)sB#qI^r>GKKqZhh);vQG3E2h_TMXn zuQC}x*{Epg1e}(wGpJume;0g8FxfiK+rroyW!P)iTvWWb*D;2{;MEh>yeym4*D87r zq={0C5?fNis^pczqh|6kg=MzZh@uV8At;Naj^b+f{~#NIU%{#@A?#!s!quqLDR?0e z6%`eFl7hqiCDn8Q+o4jQ3oer<Z5wJ^?1*i_GqtMw z@`inhLRpF7iQz~JBTj>ZcjnsX=F)43=j#)O7QORCmZG7lHxs_|PM*?gnYLcRo`%G$ z#x;xaCrM?h*w&%NMUtqt&9wtezMYv>320}mqfM3@*LC>u%;&V1pe~u=!;~r3tUnn7W-qAN z=c%#aP8zaP4w^@DW*9%w#oJG9i#RMBYI{G%b-Rh|G;vh*+H6ausexbf2$of9v_3TS zYe!tkz;jcKx|d;R^mohXKQsG9S7NB1wOx5JdLG=CuP?s_^^8FN2lKuS>tI8%Zp#*1 zB=9R?19cReaM^INxVU-jQ{|#0m&m=^9O>D6(OKRjO;fnNB+#mA?8)UaOh$j>x*Ilx z%GeKz7HeAAR~RKcF)vz0H^YuwCnGFX9HXHfTiOYP#p)={?o);LC06q(|N8sF?`HjB z2x-T^VD_fNx>J4hdnS*L>>ccoSY^GaZxLJB9AyYcP4KFUiY+tZdKC^M&wTZEXp@rW z3W-6^DEe~dvZF2<=*+{6j2VkCKPIAQ-7zZy_QjEm5${^lO!euinF8T%ClXrb<222I50bejq6Aq+bF(lIjREXcU@@FeEfe^&kW2r8L z7?v3=34#0)HJRz_p^*Z?u`mq|^0HM{hA^K_*$RInB-h!W?EHc;!|oe$%|%1Ts`FJ` z6caT5Rp}ZZg{WtbA>S)KXdLz`zt5aC%0@?h!4u;qa&A1e@{1bg7w6u#ZaiwT;5c+O z_%V^~Vw_UhMU776KPY!!uF_oAAR){{t=OOeUvE`i5xKq`gdAU%Q&94<&qkQ zzK!?8Wc90{&E7Ms0(#_6L7VB7>EGaq|BfLj0P}-*8Y{F<GeWbj&V+OETl}8>g?rp0yGX*V-q8C^KhH7x)xM=m_fOIBcKbs_w!;q{n&!my zcz|V&fxC?;Wr+H1EdCQNUclF4Ba+tzPA3BxVf^21?-ATRfm6-ej+|}vxB7&MQ!AaX zW6Qa>=}OSE7hZg9z=uHBd9UfsEhXt5=RQqDC&+&Efurk~;w#J3LLqQPsb>Rd^a^P% zzS28A>pt^EL?sWbuAd5A&2wE|)*|?pzQr?AyE5LS>Z`YxI5 z`EzOAn{_P9A@=*;eZHUT%>Q;-^~ES)NBYpIZF*}9

Joq~sc1fRn9J zPOp|sR~rtcMtP_aeN}GbseFvOFvjvsnzj9Oe(DHN+c4vpAWJAW5mJ>z;C2%=0A|Zd z5DZ<=vV+MeWr>tVfO-Jou~w*7i4HmHRI0j^?-#A0M~<^#B=cO@Lz;o3JL7%}fM7~v z`h`*&s?-S$ltkaj^3~=@uaxv0Zlnnju^0g@WKc9g&|^A*l}oi&V7ord*Rxs*m{4N~ z(s#>xUKuSuoKAz5xF7}8B0MoWe z4AK-F2t&Awr&*~y1fAmN$v5JQHNS@We{ivJOG(l*`NogEbC9XbQp_e5bVaqT$UmQ-~x8g&Jl$OB}rrqK;H3^KI|Rq`unI*C>TTBS2!mW&fUy{cyN{Y1W1$o58gy4{tv;jo#F>;fWTI~!TTMX$>|JjdCJFSn2V^>;+&6gn_m>⁡}o-QcD3m^kQ!XTe)>R_sv8%>}R#|+23 zVRDc|W$U4&*7QQV+fIzpLSASLy)iJZhl2?MA~_donRJ&>tS;@=l1@Uy$U2g%53_FI zbq%aZ6$Gy?vR*!gxw6piW2L^q88hf-2K~&SpBeNsgMMbv&y4*mgE5NuQu3df=fA%Y z`xyVZ9k~6d<-Y{{hl0rISA_a3^*_Wv@gMX{z<+QE$50BLZtBm&e@?u6uOmvgu72x{ zd(_X__vqEN{Z6QF^4=xs7mPO!KmMNMmRf!e_=kKsx_JNfdY5deTc_YJUwqKYXS}xN zjz6Az{!PX)k0;JMwzS-%zkl;k^ZFkySo`=hf4N`s@fX$&5C7FZ<3CSUP59ql{&zba zKzyCZn7Kc`ywWP$9ewOh>aWNvc4;r%ao@G@9RFA;T(JK`d+vVPx7^>1g^O1{=dkM6 zf4oQbo`=EHihJ{Oe(~60n_TzJ1FrnhACFq@8~m(ACzw0!tDbh-iS6h2fA5U9uzRrM z<7Mf09$ar9d&85@c`yCDYj@o9<>#LiN{O4?17F+f?APu;`{h;ECE3Ydvu|1c`rmEy zRC}NATzK`ui;K?{N5hvM-tU{UUi(k;pZt0A9^T*S9kblKj~#T3eXw!G?B+(RKXcft z=^uAG&#iRL4)US(9WN#4ZM5}|9>KhG4_RiFE02b@yz$$Gr{>)8o5Q!~e}B_67rpXx z;m$wa^!R;yRS!OG?#4IXd($7u?|s+$-KK9{KJS5R=H0f=S@3u6J$CQPu`g(<`h9!r z7sp#4u*sokT(a#t*~5>y;ZEj&i?)mHW4^!a4(}y4+VJ{|{A*XF5*KY(&Ay&L7{BP$ zv*s;(=5qc|mU(isYg_4e&WE1Z^OY@rz5Mf)ov(RnvweG86@R$zUMFp2+@mQ^FPLn- z$KEH_(zm^K1HZ<4uWh*EgJ$)_tGD@@vdg*_Rb%(M?(ptz^&_df|G4S(cfWM{<w2{A51Cweq#s@U#w(`BO>VXf*?Av;ZQn_%jqbaqJXa1WGSMhGGH;|rQ<=&=Y?Pr#x*jq zf>w^VOu@+vRVB!}6C#5WO_J?!xrT0*yE%`gb)b@u^v|jPM*CE+1=(V{&(%Om*O|CF z3VTVD>Se^+fmGpoNM@mh*n^3Z;%7{+syk!+^ zfz4@_05UDhMjL|eC~8$MRua*WqH-aa9UEyRAk>TzLovV(*>Zzz@k1_U=7v?u>=Xkp z`aDTTj$NE|92fq<#S)FQ3w}z8<^Nkr$FD5^S(4-CZ~SLT`u~W%PQws`s3(#DiWD4d z>UZsQC9jNQoT%^y|xE5ZQ624aQg+3y2AyMI%xnIvOVfQFFSl zsdPyAja0TicGJaNyI*$kQ51Uv3K|CEa&MfPeL)EW0>e#}%knXogCQ*DoAhLi$B>&P(+2`!TotA+sP28h=Nvi&qu zPfI$_223+Y=|a%%7fW%XQ%R_ap)8W4Y(7RRj)J?QF=81vP1pL#VF}ezjF%{f02Frd zc3JZY_M`qkvMh1Ir|}>3BmOhpmE&Fk{5bzvQa!j&&RWt`sT&}$8yEL&7_ 
zC7ltb5pJMlD`qgHO2oLHXv=Xlww9BTAq*OrLTEf+Rze$G@ERRHsDGxjr zgsb^nGcjGJzGrn|KZh2Kpa{?eJ)C%zj>|&DiO7#eCebLzX|~p!Zo)7LBQ-9|3%=dL zl@Vn-Mx)seQ>IcWw3OjUQPF8cZsZF@m~D4zFq$qBgiH&)W-n78G^S@|K5jHC16WRv z^3(T+4iG(IPTdV5l^Q(bG_|}4h;V9R^08zOQ#4GPseUz6^!sVWgtO(raBSgls=!%f zmNREy(F`n_fkiX0Xa*L|z@q;*4aO+)OUZxGnf%`uVISu|+pP8cE&qM~gJUEDlQ;>Z zpMn37Uq=2zz$k{16or2t{&U8%zX0ByjqSY)`pr8pzv#%uGu};apEg`(+11OZJv6xU z>>v1NTz2{Oe|q()$5#t?x%K_%;)~`MR(!FzPjkgB9^3S+p|vIQE&Ijg?)u3oi?%yq z(IMo8$1K|8JJ+7Pl5_d)%bxH*tGes&v+MkWqa&C9>1u!WwmIp-bAPx_^ zmK)!@b)$9seOA@3p1;@H59S|U?ZxwdO#Wfcbq7AORBHR(Hal|GO=}%js%~a)w)C%V zdH#blFFkt0!u&nnE^WH`o`>YsonG!f$0eS;_$Tor3pd&4EpYywf7tf27k{<(%f}wm zJ^9)L_*eGdu9JQAiQc=~8}s(`spC*$)_K-WKW%nT5Nb&NB6<0xA3EodTkJRYES&wH z=0BTU?aw`E`P&XU=<-?adTUs}*=KuP-1pU6u6hVv_keA0-uLy{Z!Yx~z1!DbJ7wja zF9?5l+5&OUSI@issfEG&$!Md)R^0eS<@MKATmHg@bHk&K+vKG^etjH!{27;Ce_L+D zwRgT_e72iIFP?wMWydak=he|2=UKBKIrov5PpUn+=j}URd)Tg5oSoX^=~aujhTDAY zo%M^SzPQ@98~l9z1CGAC^^2o5`t^PN%@101|1G@_wxZwrZbXRC_s>|hoqy@cFnI5g z-i^(besbLef3L91TMKV`<@xTT+rE0-F@L=Iq>a9o*kx3^d;Nt6y|CzlA6$&6FALYL z)I0y84fL(z<=1{ zfUcy(N!~|j(gG8C5un7nfOVsesJ1fngc#%8i0L#%IZcKhXqLtdqMLr9)S>0Hl19*C zE#h*0Ol@JHm{0pu3UI5HASV@}cBgMxP>3{m!%j$YFe(XSS%pKSEcl5W--Hc)7;7#) z4W=iR@zCi|<(f&Sx&SEZX;_)qWkgYEeAvtvWS_6rqH-@UN-4OUv;24x$HByxI1 zAbPIA|87jtQTbn3g z;0SiFF5z|@`-5yx2K08i$L2iNvM8nHni*A-R_q~dS|O-fJHbdeF-)|^4FrR#mWqa{ zfGYR8vTZYGGX0HLw*)=Q3iy{f@mv4vEAgb0uAFl%89gT=aMv8 z;E5hRN`=WmJ_~o4oRV%%lnGF0hEl80=r%mq!E~YDCt8jXd@lXB#NwKdk?;>LHiOEB zHKYIb5&r?ddi-aJj+_7GKlvr<|5NhKkDa8iR76h>VK9*500aTfJsnfY7*BA9s^F2yf>+*vJ?v@O;}(t+AWeH*CMEHmd%-r z+N-J)H48RiUtvq*sz(hNKy9+wF60pPx`Ak%Erves#!SVPDq3?QVx6D@qa!z0QJ6v- zavMq5B;5d=#9HW#=5`}~Ih5t6`g5GFqZ|Dpbg|6pGN{<9eWP$-3w*yrIt zvkP}GTYA&jXYZwsx=y+6x+`Ds9=~LRb?L&PuP)kklk@L8K)ChBKb>{YnwMPv!qpG# z2Np83e%E{N`@engss|q_)KV>z+~RFB4ljQ5poc2%y^pdR-*e?<%MVsKXw8N9C>!jC z-nZ)2qthN-`ti3{{>J^a8}@nSsK>d{hVgpmu6Jg8gU;$J6gHl9H+}Q(&UtjFEyg=V z%ct($X}NR$yvAzfm!8~GxM2CKqYXCt?rF2m*mA8c)BBshe7N?=@pCr2cIWf9+~MRy 
z-a1jS*ZJD{i`ITh`0eHPhG)LK#W|b5y5XO0;r1+^^3v5SJ~D5`^|*&lSf<&%=YyZ^ z5lRE#j6a>cb@FWVg7xp6b>~&l+rK{Pvc2}%dOmjGxBt`p=jeTYKkFyJ!S$T8LCKtd z+X27*?Haprv%Y`OZ(qId7w2_%NIt*m+K(T(V8QW+E~n4Aq58c?*VCTC7TnirAF$yY z7yj}%vh_?_;=sl=D@RqTlZY{Iqm4Xe_goZ%13^-=`Yvs{^@%E-SJIFpSbt$m;F9J zC$0(afy~SOQ&&6cTgS}#_MGD%ZwC9d&f0CwV9|o|?2A*6AG_NRYhQa~%RPQn-}boE zPrrJPH@03C+~ittQ~r(@mkW-+cCR%So$%J|!F|h}oOtM{J?_5skw>L#Hs0;Ay{1obmr(g#A1GM;S_8=c~tmrUBnXZt;lR z^5Dqaj-m^r13_1l05#QZ+$SViK%sS8So|;1XdLW0x8Oj99U&Ie~QG zL2Pw6RN!-diHL$s$!bASjL25N4Q+5FmD|Q3QN>bGC+T~HlFg*hps8|znKI;vVUz7# zVMvfdJD=6foaBRQt}h!tZ%G)S_~}s!2R(u6 zjpIHOR=ah%9qKKiRf|Jjz`PM@1}x)MS`8CzW_T$WT1<|h;{=D34Kf61w$lEb^*^DU zf$CYR6!+AM+1FE@yl!+y!dQ1bFcZZ!bLytMe8r1M7^P*hZ0A}C)s!u4A`T`2K;zYZ zP^geGQz{18%rMu_#-pJ<5S4tlQHbGD2F~-*hm~O} zD`Gl8kMm`=ZVoyI?v0VUh4~5%pBAQ8jbTA}8?!+)h^f>5L{` z4=Ut>y;6H}FE8iA*M; z`-A}Wgi)fY_3~ui%Q3~M9t_k@6)mtu%;WoFp*qRxQBKQ`@d2hY<&GHHa>H&Xi8?X# ztNCmJDE1MxT^6lWE!`YxMWH6-WQuI{eVjnYEmWwDGNGgOhK-_yX>dxZ%7e(0n+c&x zq_uvt0F1megl7vy&CyGG2xCEBaWhC*(^1LtZ8dAi9Y4*L3xitMN#ZU%Pz$Mk&S6U_ zqXNdJ05r!fucM8^rp*2O`fs7&F6KYU|6Bj9h=zl{!;`fN)-%(tleUvKYXVe#M05wK z!13!vCP^7xwi;)K%pl^)p~7d9H7}}DjVNNA$W7)P!X@fClh12;xId}LR2T3CGS|-+ z?WUV`Bu*l*WX|i8DXLs6=^AMCyE(s~swC}+J&+Pjy6X`{rC1xe4a-3CH7dDS>@^*i z`uSER*;H7fPKLhPCSY(tBdjcnL9&6;G)V<0+H5NZAvD`;OJQ_nq6T&wBqo60#JYvC zfS_X;XYdHl;OzmL>yO4ft54mfYRPJoaQv!=;i}z9^ak!w-m(*t~5 z2?hqJWT`P!sHI(5tLA9OkI_+~SS~gE5}78@GTAjLtRlHaU>j)9&erjsAmTC%-Fv+_&?tL=U?+59K-&Z|DYf-lmGi73_Nhz3&8`I`QbKm>)GuyyDh!mPHg?9vu-`+9-(>QZks>2{S$-7 zqo*Hv>H6mz^S}3;@8A91?kf-HPX5+wJMFaSsoi&dB){P;Kb(^=(-$7F@Js@;Z#wkdZ}OAv zmflNQW2JZ8-KE+|=kEXf_809C2hVP{#n$JpvHm%Q`#(fHtAZ>46XN*|KefZKl7yz^lc8iVZ-9vYaG9pu=xSM7hYWdoy%6=ZL?pupiNF)_mT(h zdFKA3&z%3~E0@{lD!2HZD}wwQM^}!zrLC|0t+TD_Aun&=KlhA1cVFe)Xm$>$l(Hs0Z4&{^@_7-fl(z4CcI9TOD@tE3aPo zg`5x3|*rHY@zf7)Nxh}eTAcKUOxh~`-pnnrQEf`$tm;{@uBMG<9I{++|imWmcW813j6}-H}q@M{_S1rU9>6$qmi2 z=1(uw<~e!#x6N^_Nk@zOQ2?L4Aq6oI6C-;fbC44aC_>Ft`>|67Y^lqRIJxZL0faTN z1T^do2~O*U4MwB`zQVHIjE~gDOiJsR*+EkG`Jgg{@l>+V=%FPF;H6wM2))XH&$WY* 
zI$?&}w92SvE ze^9l_WUo_XBGzvvvTRGl%e6dHsCH6vL>5JOkW6GsZi^mbi3~7oyDpVT*eQlf z);oj`vfZ4N=$CX`v;ADyn&gYwMzu4It3lBin}*l-Q;6x=5{Pz$b})SxK1@h1hKZk+ zko@=^N$02U4oB;5!~?@TsAWd7GsR|r4YT7MN4I54;6XT9i zYj<==>a}@`FOhF-FwSIE`|v$^b?$P-i+A%F;%pD`7QDhB>X2 z0~;d5xz&VR>=x>fHv)P>wV{mlx|mTNzMEv|DjtdI$V6;SOqhb=6x}S-N%k2umFNXz z+EtspfKi|sVD&H^mjOCX<|={e%1Lu#lrU3wcl%tcJSP3b^6e zs2i^B73{nQW5wK{?n>iez*zNCLWy(DN+tlNAKd%`Wa#~7y_iY#TP~Ez#H~o;|6tYH` z;i0fBm70|bQz%WcevpBMvRm3@cYTbUDZUfa!4y_B=7_Or^Z94U?GVZad)ELGr zU1ktJ5s{2rgqtPW>a+t3NmV7m^V(U;NJVDsS^z_veIg-OK1wiFTB+KnB^V3pU)*m! z#qpsk(27LE48Xu8)F?xtl_`#_=>}RX2=~uC=>O7#13pO*?h~_^4AX%!QAJWq<*|}L ziV~fl9z$&a)LA1o`<#%lP#tgSWGF<7+nMoZ4(#e+N3V0d5=^}&2q7h3*2)R8m1;2! zEN&&yx>o}lW+I&xLQxgVhEk|bmjmV$sa{M(*%4c|`+Oj0(}CWLv62un-L!1sASzAJ zc2Tmk!;}V4c(D|89Y`w{P{cNBlrPF`F2oYOcCwleTO5UJEv}nW?QTF<$quW+Bgvbd zl*O_kMJ^Bc1wTK`#1xE;dMV!TW7Cb&txs4@$qn*#BS$1~%@%lWs4#ejs|f{atP5qw zZ-VqFRO333RVwVrm#ykZH>sN329u_vvdywA^oCFtf1|H48qZxQK1CRcnFc=5_;{fPi*8dgJc=s;7&QJA2*W61vboaYt zY||AsK1Nv^-Xh$7aNl-Y{Smor)9zjm+A|SxvsU7i7dSRr9b~@({-Xh^;Rivz3kdIJr3mFSXw>C zzo%&LbJcIplj`4o@#)|SDn^%l*%h}^)^p~nn z#p8PqJ@vpjZ~pX;Pv5`UMlT$3W@4Q`JvMv$onPI&Fqg=^vG+xfJ&nF4|2f*p-}tf> z9(m=IWwt|BczuV>esJy08)hE<>C?^I!IjT_Z@sfOf8tyBZ@<-k9|EAA!5#kz0B!qW zjn6D_v(HlF^GUo22I7~_od5k>eq~&9=KOV!S@Fd84yW2H{5D$g0%g^u{;l=h=HowEYqITb+ib1vxcjreKHXdN%B;JCz2#G$dEwIg&-=x( z{nhmckGe_!`XoAW>9dx5doSy#;Rg%E^WU$eU*2`rYQMbTX7BFJo<8VoWcN!iTJynM z4hmMj;jKB*?Ux z&d-O3yt&?5hu=Ca)S*4lP^{Q4UQTy)usckX`r^?mTUS9WZkwCZhlU$g^x@n^XI|Kk7u z!vN@C@*e{ESpOdop7H-*g#AnYvp7LH`1=IqkgEhZmi&|iWrzJz2DP#-VX|(3Qp`;Q zIb$&cv80suQ6N|NRQ@BS&|fTzss_8Te1+z)!;NZ{XR*vbYby@ zfE3-67!YgQ88fI>T(?lhT2cWFg%8VjM3&K1E0YHQa?wIcH_I|q>$JgoVfr6+6#=By z;+{XXi5xF(N-jlm!JABnQvYz6l9UG9BRf-yta8b#mZuk*2DED7@7I9mQ~bwxANN5g$ioPWJ-d^f;A>OK87s zN?ma5=Mq9xBhwnr4lSa`St3z(%3j**4*{#gCiD(pxAH*{l{*%n51TDFP=*s_sMY(O zOl+spjX26}tKq?c5ynm7%^SsUnS87Cv?mHI&Kn!`BsA{8Ebc%5~aVy{5; zy-s0>C=)@(gJe)jSc#-K$vCv7dZwJDaskl7DtJ^;k)TEN8^Z#KJ8?FbnNF&s+M&tk 
zu>yis;0Z185>^wTi1Y_UH*W_}EaRr0qJYfe{iD*U-ekI=bXxiF;q$))tz1f{*~KjA zpHmD>_+g5HR+%yoCnwc`))NXaXJ*8jnsBNjQPpdpTG2pgRKz6)jiC_@iewGS5BoWd zp2pj>HDu&!chaf>ZYj2?8j@uh16EUfpcNIEa_sR0g2Js9rP#~E5K zIQ{A8vAS8Hn)wC`xc;OsIk`Hh5e-a1r3y8!1U#WPeVyZ}q%8Uv*D~yYgWN*1*@gxQ zR!L{ueHk4K9eo4=ScY!EbQ`3|Dr|JHTDR|Wg*FjnB}Or;UT4^e2)i~E?OfNw-B3{z zD1|q&d{?iGU1q`pegM@34Q7?9NKf5eJ7c*+R-i_zBGD`Y%cu<2Or0rYDk;63M7nt> zH;J1aV_0#Cj!`v$hE=U4484gGB?Z+}6|rI`J_r917i+&ws{i0#OI1s?XKH^w%n!yz zf8)UvRac|J;NCT5ia6`>72CO$R$dx zu%6Nx2{W(~PSi3^J0y*AkL{)m4ea7wdW4N*KxY%9!lXZF7xF?<>xZns$Mr$dX(|0& z1DQn4vf|e)M98LKs2Gkc+iuo}P$>f&KCR*!3RD@U>qS-85!1C1T?`l3{#aefaop(} zn58R&x=^a=8Z6t*T)i_C@@Nhj71|6{P7S1fiv*yAS#4I6jav5fLJm>;ti{G|4vIY5L-9P)@Ad|{QpJ*xlmx_FMroM5hl@N1$#BnUh0RgG+k)X# z>!XxK;c%rD*CJa{Jl~t3gF%T*^mBYtYKN$Z2Eee_#_AmhEQEh`vj`nptxs{Y>A#fT z+F4gCN@>C6b=m>k1~f9tP}_j1Q4P@|qdYxUv(m_zZl=Y@tDTv|Vn-fZRcYmL?4zw0u45o&k=H!9tu)&mJITXXT5{@qy zOF5a#=0zFIV@AWs^C!kkYSC;wuf|y34OrO3a&7=Fdh^;NxY6H z`?NCl#73Vjc44zXM>=jgmP)(T0L-h+*y^{?o>=pSgk2rrbnuIjrWGX}39-&b|s*QC$!O^M4eSw9D%Z} zLm)s1mf#-T-GaLZcXxMp26uONcXtWy?hYZiy9_gP+2`K7&r3b`Lw{XeRsULRwT|0x zcubxfas@p6w)i(1dFeSyY3AHsW_#*^TTcG3y}Wnb-kz z6rqFw)8=$hk4A3jP_sXCh}fA>BCG}$u!tbY7^eAbU-X;(+HXi6;}Cx>WCh^e!6*bF z`aDXE-LDY%lJ;i5NbqjD1R$l(CS!sx;*SGwuG=S4_PC9?=knjrbZpvqzlZL$YUB4k zX2Dgv-MFp)b&Sh(8@2ofXm~JGU#)!=GOb{r={ZW{f%rtB$yf{APjWJNX8dwLe27xF z?^8zc+Kc(Z>$a8CrQ2E6c2Y_Z+w)EDAEEX-uAdA0^NJ>;kA2etEncnX$?^^!7J-|e zao#beW*A@l_SLlU)!LnP*-m$P*K6gyUFRNvkekvI^m^)=w@a`Qna9-jGWm3EGZM9y zH_c}Q@@-N5~-qk6qJ3pKT%OV#T~@a>xaaNJfd z)Adkpv(KNWB%HLq<1(CctX3c*`P_|%`)?IC>^5rXY{#P z-G_U&@41OJh!fa9MLH&E->l2y@~F!K-I=K~XuO33=kVOYI}S6*&hqV!Ref&|NG%u- z5l{_5`E>y4!v?xP>_)@DSmyoc^7DM$Mb$husyGZ-1e};J0<@?2KTZ&{>WUDgRP8M` zJNiH;9qk_=PLEq$y79r&h+2KQV=4u?=S!j0AWA`nLh{^u%1eB`wz+zKanUB3K)z8t z3X#-kRemb%1GC!12xtMKflwWq^)*!XteS-I!zh2;fC_Pn&(>cH4q8AfsCJWFYaAF| zG3$==x#>1bW6=~sD`w)`)imMwIeVJR)1kR(R`7y_D%C@c;V@EB`N{ob5w5>Q`o9{J zN2$z9;oVX3Jb}y#!ozjEb%H0-#og}3J5x<5>2aZjb?95EhOR955Sgp~{WaSNQMBGd 
zeGu}Gp73f-Jsq(dmNosZ1Y0I#RT%Ir#4Rjg)f*5XSTTp%gR3lJD?LRHWFR$nXtzcu zP?~Chc3w~#aSNjVt|b#`VM8WoR4kFwFNCCG%7lLBk7==Sya+hp<|R{Q)oNY3DuZRu zCZ&%1OV{x8SeTFI1#w5({2Pf95&J*hQ6vLpr4mA$17qQuk~jbO8R>HP!-XWpE!IuC z`9BkH^&5BPqJ0>&PBqw1VgYhS(n2_CLqBpwl;wI*{w`{041}`(DXXRQ($A2eqSdSn*CQ#DV-4yts9(;5HfM2r^3 zOwcCtABder+A?fGExmX2P7bg>{6TUPOg}t*q=EA!hCJB(`3F)=VZ6&vIfi56Z0C|r zp5KeM{+}>VgS4gvp&*qIipd{XK3W~*ZwcT{7xj_chpT8tk@Lj~lWvgOQdG4nINE5ux1chJYI7Ld z$7E8aOF1iEcs2l(yX7=RLNFQ>xkx=(Z+|>z(hoPrCWaarll&@80ar*fKhH|9MRH!L zR?oUp%sU}$QYs~?vnbf&l$qaeVRZD~4$t$IJ2Ur(tW77VN=aEv%cu`mOU|-fPTHXK zQ)=@MB`Mj$?8GqF;%w6RbgV3da#MrR@#sZaIR!XDwFaALg~X0r4JkM;Jf*0>Jow8< zjRH@-eHq&YGAl<~RcVp!d_>uJmr4oFeOSJV`9*Iug(bbd>6QI}4__G=7gc3!jt6N{ zHK$_o3~|~x3k6PHDXu)3HfPxLDT5rGYStiEv-%mtmDdT}=%Bf@M99>KG(h;`;Qe^b zw*>|K0Rf0Apa)Av`}0FX0zM#sy$=XLq!0#~gen{@FARczyFK%GpJAKI?XDF(2S45QcJVgs^#41c)p7Rp zoq3aQBrrP2Ix>md@oUP%Zxv`hlW#ZCAgJV1GB(Q$wn*4JuA+nCe+_4AX}DBQTkI3zA`W30>K=JM>=59Q_uk+}={E2|`yt~`c3d>X8Jp|>n zfu|==q&gcPHg@BicnwOCdq$_EzEg^J}^f0Zq@_-AXK80R<} zznEk~g{pGqNLvROR`GYA$AgSrtiML#)kRaMWa7Sr7CwO6?DW;V;uDej3>7#b=ND8|zV?-vA`YEUE7|o#p~es&}zlVn|rR`Ap|1ogI1*eq+@s%Og>gu0_E%mkgK3 z#dhUYor)ScBF#y@z+s(7Q+e?wNxX+c{`^NMvRzcM!~1nKy&0tzDAYa|k5X`+|FrGf}T+aVUcu`LHD=XU**0J^%ZF8C^{DqcZjy;p;0dRSYV4_lN@eP9Gz)AIrOQJ zOsh2INMV%Bd97F_C;7&#B}c_W$Zo0A%a<)7*rw3Yt>+@eRj)Y!2s- zn{s~UK)74Oi{eKLPG^ol48(>1ufTeGtGCw8R}cVEkBv4aR8{JW85CXy#v>%&H7ZN6 zlO=j6)#?Oc5l{7VXjDTpW?H!pH!GbvY_3+lY8aX~pGK-wP@wqwa2)ZHL5029&yDba zcD8sl<8Z4CsF`B}T-z9$(Cp=`h{P$u*aX6|&yD;OE0Zw|mx4%)Dn^y?#1=YHFih~D z7zz+v;TTm1{Af306OjUz3E)E30@8%45*LZa&~r+ModQ<79;K;uhg;J*<|97#>l#YM$PcN8CdU!&+QwL;{gQT=gZ6H&cUR13>G!b1cp6Si=Wj4F2aM5mR>-^=W^e#dsuMdPW zv6vA5!!|;+gv%Rp$Um>{HtRrq<2&+8%x(%69*Ae%E`P?KP~po82|)SG5jlT2NSv z#L;Qx@(5sm#*%Aujpfm4-$s$|isuEYfzy_)|7fG|w0ezp>nF(DJMXBz)xv#%o0^xL z$e`^kfp>7WMVMz?PV1c(&!>JXtm@w57WoTL^oHk}p~F$zPDooV-@#GP3(4A} zVIOWbcVhR=`#ktHM%`ZEu7N#}cE;QK@hDSfKhB;X=ymt6DNXw-M1OX}cCchl7um-> zOP6EaqsR~vf%4>Yn_(Xtmkk2xKDBrFj=GyqN9DK@N|9ZJtoG59KWwT)xZNMMy4X>C 
z_nTea`Occ%pMj^UeSMINH`e)e^BVVi3W@36f3-y@41AAo^b(}cgg+R7|IwP&LZJSu zHQTS}@$Ykb6tK`ME9kD31GuH-gUcSJ-bcY_w?vG|u7t_j!x~20X&7Hd=9&DrpQ8~^e^e3s^hUqP%RMM8Ph#F=YR0oCFs5$Q z=oF0|y!!R5&^Kx3uTSu>tVbx(gsplT$JL)M!N^eH25;go1d>q=Mq=@{B&m1+;Xa+>}iZiHQg#$-@3n>m%C8FRoRN(Fy)XV1UVGD zjvI-LcIr-AH!&!vH&`twcP@Wi0iLL!hRa?ZS+QU<&2c0{+?mzrex9)HiZwZvZd!*uMbVW^r6>U|J!)EOq&tFM(81D zI`_Qfl)BVU*H8PYfKp=%4~ctme2oJL?X7~T6u^~#Zp$B7=@ z#-AS9gAW+}A^)Vu;IC5HBCDZX^lnKy(hh#*QUQcrvL8(s*hMAaY! zx589H)=Uda8LjpAe!B4!ms9oUT>d?;NAY#5F((x~E{f!pB#zv_Ms|XVp{sVmP|#9J za%E*-K92`WM&jnpyH*;_UWJfd`Y}PA+1TN)F~JP2rET8N z!6~NcGJmVj`v-PKdQxXNh~wnxi7T0n|D?#MXk?2k8(-1OhD|-`8p<;&E9ZWF8%L6; zdE`REE%P^Fi=sNE(^NiP8&9nw*O3|prBjjjaKU9d=l^f%Xr0Rg!GV>R&+`ytY^MZ|DV*DClN$e3LR#C_w@#E<9d*dO z)?$?Y`|^AkW8dk&zaZp;6+Y+ns@>ho6FfDZM|tZNKLI^S+Y9F#90598eXjEMM!zYX zpOE&p`~6`7{+ppzjs4adfFtSCkq~8%_d;r#z7sggx)(~o$J1$-iw9u66Z*H*`nGFl zz59Kf{912?jiVDdbdU1O5c++KJ#a5j5?T~AME|HgEf_rSwL(usOpH<^}TN>~t?qi$1Xg0@; zMdWx4TK$aG<38uBsd@`u1~;wD19#ia+}1&QzDGGNvF)ZESD_E9Pwjs*)WPS_)`uv_ z0?e;pRIAqAgMl>;><_xG_oIHEvqb{exj8&%y=iG3C-d6thZN^rD0E#5C`p%`T4&>{ z&Xcau-`ZY5egc>D&VwZ>ZSvtMw_VonHp@j=;2nffAK#F)I-e)X)3P?7uD7$;K5i9V zr?@sE0btG2*UO+sS)z+>QSS}``n&hZFc-TsU1!$Y{#m;#eFuohp{ZU+_3eJEJNRsn zQjIt7r9QFiCL@bs&3&JbsLzcnq1S9vWaXE2=ab0u&fC4c{?ijR<)Ly{b+fx`8l0aO z*m3l#QORmk)*W>EOu3rfd5{uwIRk!uR0sC)x-_t=|Cqhbet43W_5JYwINv6y(_V;p zezkswZ~{?oZ{GxlvLQaimwC5DE(0NpaTqi&jX)HJS;lqN66TP_o7pRYMF>4ONV*qu zoL>L}{4j^H6ndvTcz*4c9BRZY^!oRt<9}O1e7x^N%eaCk$vG=8$yb0RRi4_ewqXcL zwvL*pPgX4ME<4$RF)@^{CiSJ(rH`h^bx29pvLI{!@N}cbNRstVrT_M&P+x4ZV#9-K z)$FUI;_}E}(Ja#yqX7Q|HFD$5nsE3k3zVDJvEPG!mKw8$@z$d?p;)k{UkHul7=$_^ z`2s14sWyDuHV_t!d&iPXg)F}Kq*lRk2|0aWr|R4HCzdxc^GI5-Lt9q^$`b9`18^|BAvo&UT|9>n$d=m?$SBNiion zQ}UukPp!68P+&@fwod2pwv=l`QM?)*s$^=)^j(_l3QEaS%Su};Nb-2J)LezT#>RDz zW8U)H7t6}^Z-vOpnbD-1KPMFBVqjCGk?{@IT+(YPNgGg13OUpt?#SDM&BS%+BwU8A zlwLDMrE6f}R=K^ZPQ+3tOStM%B&8$FmZc`n*VmG-%)8hP5Ul7)uj6P4Tz=VAB%x0$7%S<>#Q#@;IzQqEs!L<|k;y1J?`;`Iw7og4 
zIN+ZzA>{jUnnu(J0L!R=e}x(#9nk`*b{!S~&X%oydRut=AAj=uywkuJ`N>?wA%{Iq zIDg{RDtbLmr=r>ml?*2hRb4hdsYeW<6mO|jg0*$BnA8#2h2Q4&jUw&C`D|8EZ}n6% zu^iqwYeAe#rqd;_R z&Oa12utDTu|NW<0bn4HC5MBZ47fU{EEB_&w!fAzTONM2N`%d;irx-)GKX|2@snu3x zQ=i4{OBHcXRR z-saHGyX!p*ZF;8lQyl3ERIgC+Q81xuiwhT_GE45|AX)R7Irm1w70dGJN;F?g)n>j&3&IH{r_EAwg4j;{|&gb&Mp{>fTXYaBq4?nvbJS*SlEM@mGt<7}-Y8D5|($0?D zW)StbjjA4E7?Jp07zOrkJcHb4HIG2vCq($3o3wvs?K~eg7EyL@V`Nsl|7d@N+%-S% z7y@PO1e|Ae)z{z4pBeU^2IUU(zUxi$_Dyue<#gVj0ux_kH#VOMbv#^xb-`ntoJD#7 z{9kt!F|pmJ{#6sYVEs#h!zs@ki5!e4NPXK}L0_@Hrdh}%oHj-t#1&kI;>Ac0?yuCQ zcXM$WD>bic7zJ$-o)Wr0d}QK+dw_DD;KSuszA4=^1~bO}%Ct7_*LY<$-5@TrV^cLR z&Yn4YB5t=wbN?+xZ5x-F?-GR0B1fZHX=y^WyRWBVKQ4ujK&E~V?*^~ld74L90vkZ@ zKiYp}dz9<2Qh^1{=bf}y&qssjynrbd^R2!&-?~2MOZ!w0^AKmEU$UGB~Rhufak4EY}WA4clzn|Ed61opP9RbI2wz~jKQn&%rdd-D3* zM|+!jE@17qzvSwgAOBRnpnG@Bojm=6^s9NSTrd39wY{<7xQ(m+q+PG)1|slFOc}}$ z4Il;rF@p#l&j5h#Er1b#Qo8D_@9+%Z{!}s(;z~0hO)kmb1R2ZIfRw#r+~|79+7;fIxOWvI^vZ*?O?|}c>%MD&D;egkNu(G5xbif~kf#%9&gPnvpX-lrF?2cVNHv|1MD`p~7y>IbKvV z{n?3oSZJgYUR|7J8H?YZ`NX2ikMyHNSSVEbQ;3qRml4v#MZCo$Nt&T!j8x-x1$~#x z7E_cTDf@Ye2BF4ceVNcUlcYOBt6I;vbxs(BE!ZOFDsT)Y>M2UevW13iN@qc0+d>~^ zNO$b^OMSqDu3M2k-xp*|;rW~?b>ikZCJs{TWM)9e*(LnUpGtZY!S-N6er1lxM9n0` z$Z0BV;JtTX!83}Oq=M7WOHOOmO@t}_dD+II#Em%`KS3#=Hl8MS+a|BIovla_I-+pE zhRWT!!>)=ehNauI;7y@Ey+C2+5mt97GFp#WsB|ycRxlDJp4!Qxs(XNRjLa6+q;72x zA=?5*)LCN`-z{CyqyTEvg0|Y6HlupS3D~$+!J}(+hD?qdet|0!ZW7L%Tck?L3TNa* zz3RI8B?hsZpFjAKMg7<-SS&{4S4E_QozZQGVG~u%!HCS{ zaU=E;W_VqM$$(b%8=NBh15h>m_kPZlMjciH2ajlzY?F@RmM|wyjLK47eGQW|uj}WZ z@J4?`3(G-YFTNG|uAad(e8I-3>p%{LzQgd!vErLSgVTth6;Gu*@ zN8j`6lPv+xl(S9UPleONnu^L)LOYg{i$^#~QzPKW3bS~|gE75kJblW5{!HjDph zPN`XC?&JI}&aeI0gt%n9k$`&$jlu9QNyRKVtZ6@;T2-9B*v=_T8-Y#|F>@fQ7h@^&#qN6LZ0IG!}v5&+~Nm|ykid&#J`RfNE^3BU>Y|mxJs<2 z1G`gkH`p}~z?%RSY7xK&IPXCMObTRc{sSJI-VyTDTeCA^El7&l3_;$3J$RS`<%*SjdTM6aToqYbuWM_TyhtFoI^>U5nmBY4K0@~gJ z$Kq?TwS%5p*VbI|@H$#*1L1}v`{IZDgv+oLwGhG{oU;Dd3XUd;2Kf+y&Xg3WJw5_{ zQ>skD>$}`7B8P>7kz{hWU*^SPG7NVFBPq+#0DJz4*$85(LCsI3M5*+NQw#mGW}wU7 
zIU0XtOQWD;WK_bxi%4|ZifYbLUgs&+|Cal_Wz^3DeaT?fk8wEUKjW~t{lG-pAAsZ! zl11#0#E)tC=0DT0xiOB&?Zfe1URB46Hs0JWF#mDNO!%IEFMdfiji3{7S(ZhE2f3Q7 zviAel=EQ}bo%6X8c&}hi_B>7i_KOY~U$z(BalDg2xi`7@()T%=elGJjG+s^5YF-Cx zWZmtcnyfZID?Li!1iPtaTF>$$V_upz$h@r9T(5a2G)sKawiR&IlG^?^49@3fKoel& zXWp~&+NV!UOE+}gWa(Ug<5yMIre}fSFbd57Hp_e7yP~@L3&q2ib z{jC}LLv^+F%bA`P=+qA2GhTP|5)Ck6OgGCHBxIVTBKT*Mq3uJxtbJhaI2cf}YsUX>(9Q41m~whL@iFg%XI zXIm0MB}t6(gv|c4!?i^-OUrc09J8PZ1%1~nVQGcpcq*m*?QltPQVKoR)v7N!h15Jj zf>CUrCS>6v*3`}jC=kRCsp`Jas9-yG7?RbuYA!`_G3OvDV;-7h1+i#W*9WoujYlMD z+55i!sj^T_7K5%_`ti*{FOUoNR3*upFZN>R)zGoIK8~B9P zeuF8yLnxkESdX${Y<75jC)sTEFDP{wJf3~rL!aX%oN>3W8oY8i-?r7{0=008=k7e1 z$Dhe+%|E5$jONV(SjN()RKE^SKS&A1kZ=p&vPgY9c0`<4;<8q{3d^vxVo@3XE#>M& z9Y02WxQ2@FWjL@0w)HwXPpzhQFG2F?r0Fl9AS`&<~uQ+B}^Egf?ut5+Mji7{NQ^Cwg9uR1{+Ja%S+4k>yYMuk`=pD%DhRltG9OCm%d4dQS=`<|)sF$1%P3Klq@hy8cw z-1PGifMA;LKT!HdRx^KUtpQs`uIuD6tJS{P6Pn<>M~YTL!(r6+cTxGMOob8p>YhrU zpfP>_d3?>%g_2ca#*lvnMIk*+GF98xg6~GswVy{>SXT<6)Y&sZ40S)yktwx`rra8% zM>H_nxx{d)4_6bECSfwgfB&@LG0U*ivoryQsHDPV7;>D91SAl`{tZ9G?Nw%Q_RSEj zOz~@re#8hH>xx|q_r-R=ZB?fj6nwG;Fkoo$30Zhk7vkIV4tjId_v#;dO@AL z)OsFnK=b$~pLaKzPx^}$4#AB436<0bZPZpcB=X@>HT2PJWluf&L19Jr(_=v=nlb@R z0JAopn+k8A-_xOQaur%pSv99@BB`v0%z0#V2OJbee^`Yq>EIGR2}+k{o`?S4rXL{f zzj!$)7lX4Y6{pPPY1o7xAV1U@T=l4BW2iU75&cO0C5Bb*n^~*{3^xizmlU`o)%UQ z=QwZ|hIT47j(_1**t79X=yGtaz&}w^)+m;x!wGqP!~bEb%p5+YWduwXfrf$^)3E+x7Cq zI96q^%X8QBXq6O_1|D3j!_w1#A6Z2fVAMQ5y`Q&V+yogEZ5~|HyT2Wr^;~u_?p&ql z?{-f}S#P@!4xl*1>3dBlwk7WBRJNl!upeIbjX$qwgCY=ox1Q}l6fWEHy-l;LMazr? zER^(K+GqPKD~xfW?nF=U-Hw3qXQDDYU%R>#H?P~|k}KWg7LOF~9iP48I@=x&up|_h z?X31S-$n4*Hcwv*nXj$O$W>Kg8K8dgZ(YaamR(T>f&2Pf#cHwf$M*WTq=&$$9pq|1 zkGAp-UdQ`<;7sIsjqB!~`u0eV)eF2Qt@VG>2fnlGtv&bWEv3(YSlU170&eZITPJ7( z6Se`*Pk1~vTrpP=b)Y<8JPL4n;kopy+qk=~camlL<5RiFwX8J}OeB%od)g|oyXBbU z+g7vP{qH*pwmD*N(>PAs?nk0%9caX;t6*p#i>Tr5-+*k~BF5D~)zgO8x5EG;o(f}{ z$!(LM*lJip}~FWYIYH#Yx_tAE+I20$JDu6f)vl{~u}#+tV0P`vK? 
zCr->!2HQT368%)HPVP1H3j245vip%^ew9wd56a(!(=!i)k=J%VMjrrNC_&!&>m8Nt zev=W$?{n_??Y!=?<%UFJatB$U`v9&AWLD!n%UkhSbBrrP^xBhk?Z=N?Hz~kC0O@MW z{q?vv*&K!J2hzBh0@`=J6qa3V+%$=8CRVjaC}z#;calk4Fm6o#X3*S2u;FGaI-X=g&BFAq9O;q<22LatYl(jUtt| zo7)~&H+sRGVESEo4fP=Z+=SqF%oPHLDU%6=U*S2t=08i?FWiNHu;=U5ov8bkjUnN- zDD^5pM=h_}p=)VU8IQbE!J)%6fL`Az;iS8Vw3;udON@x=OSLVd#2Yn+BM_u8P7!KP znB7)cD~*{I=gfr2Rc3-Wp>Y$dNuX|;fVP=+3!1+Y;=Q&}7MQf8Ovx&L;3!ws02g}= zT6Cire}A(bxDYAa<~Xgk8h#Ds!Ilu*RB#Mq31jADrtG#VSdWM-)bnMU!m{l;k=<)l z4ZRB{MMjU8ahey5qcqui2rK=TWcVHX#4To(z;fuGC6#_PCG%H5lS{lybh3WUQjkrp zvf<q?=D)`a+Dfq3?1;=d8U8Ru+_UFa){V4 zwxkh~_p)@@XIC$YPf2WD3Y~(Y&9Nq_f2vEoY1Xf{UczLn;T;HTF|26Z-oMBjf;03T z53Yr)jfkm0)WlB$)=0Or;2^-`yLmuqR^RJv;1XmUD_AsFx}}lh%Ns7Y$}lzFWVep< zeGBR{Wg;{t0kbJ?#N->x8k1Dhpz>=Yv7{sI=NLOKbxs%RkN9Eixy2cqjq{j!7rkN zK_qfRfHH?ND9{42QA4%i8^}@jEMtDHzsSepu**bh(ArqfQl-Ep;Is61-kV6Lq7m3d z+{1r8pKMgV+QV>iZ&llC`eMGau2(P9m<~gUw2ksAv0t?JuS*XPW&WcRcmHCE9RM>9 z_$QE%Jj{Rj&Iu%i%yWtB8bC6T$^j2VSTCc{`>*(;G6=P6Z}@t1XcGRM#Z z-RaobQKkCnfc)sHNStiK(XgQqdD&nh+(uV_ zST8NQ@W)mZt6m1BUlUhMraRvPNJTK4Wvg+WT2xL-VwQmTRf#! zvP4(RY*N?Q)x- z=@F*1a57rlj4diUT;(h~SKFo^V;&94vb=njtF}Q=pI8TAgZk<0(xGC${C<;LYg$Zzu4*zu64z5-G~0{?b_D6qa?-{Arj zT~_eWWdVc`F3xTJHs1wdd3w*)ThL>yOda@O_ri6^66^7KqPA;88=!OQ4ZL*Qy_30q z9zl933ae?JoRqQedVcKkin;6^EY=4Mt{G^av+TuRJry<8%H{0vf)kcgJ@2;ISGrGD zXZ=upfa9zvo+t8@bq(@w!#5|>`bZW3j;`~(fwQ|ir=fV-o4Mb!>-#s}o>24ZQZR=2Gopb#B z>t8IV8t>@^`D{cU-$MdD+H?IYRNDPB6FY zA$3+nZf9)jYI=Us7nv>G;d=bfKVcc~Aj%>3dYj`#+&9*_Fq@Iti zJ%3(PC#Z=Us4l9{tGfH8HKVh_;>xx_34MXf(_P!gec-l!p5usX4v?{LSpaNWefPun zrt7Wr`uc8;eU<_AMq+Q5(_7dJjG&e2It1fFAk#p=jr>hs$D6&rB+&eQwD~3TiJI#? 
zZ4H24n<|-|MwN}}>jrrpdK1tWgY;w622Wso%_-UXXumU`mmyMT;)bc;kq;26&s-`$ zFX3v22ySl7m1O>cR{Lhxlk(^0Cq`O0|33^^nPr1Y;`>R~pe)iDYS9PW-Sz zY(du3a_;`Gc{klwUoW!gMXeC`hzn%ro{A-0v*qTji|D5YCJ{B$8@bipX%WQlQxJ_^ z7yQ@hRB{lM?Z#sS>8gmeNu@~HywxmPJJZ9PmBw5&Rwx{-G_VZN8rb0f`Y4&84h)AU zLbXfxDc2g7Q0q;|D4YziA*dyj=w?tX=2qj<5K619$oxcz?55#?Cm_i*@rb~0M0OgfkU0zInyV2EQ?wL-;3^Af%38#7*-IUjM5aE9U-gFO2qCOg!oYp-g8 zw(F`&gdFUQh+Yxw(vnpjoVrVl?MqN`z%m}qN5nF*x~*&I>u)AkYb(QQnwVt9U~Ci4 zrfT(EG7Q`+_*dy^*mmM2`3IIO_rq`}E3RoKSe()Mc9n*0oJzEggH32Hn#`Q&{x7M_ z6nE)?FAIOpTWy4-pzCu^j002-b(&Jo!s`|6nlc*hJ>MnLiHwT+P#TuqO4DDH=~E$^ zlY#o0{|~hK&(JGc6?dfVi{L1jKQ#8(jhe1kzF)myQ;{eI3{XAkN`;TIl%Ahlo`9K9 zhn>!hH{t2TM;wndJ)db`4Bx^PL^G=ijU0R;GsRjrO!^55rujklYr(N;{ z-jRO+!wK}PeCOg*ONzEtY7p2A%2_Prycq4{{?F>a>HIfYZ#pbKUaYbCds2OFdJ`u}t!zoR z^tyXxOlcAJ_e_W40CpOhA8U__-%>3)l2R!Bp-4)t%fST}~a7Kw5p$)`hxwtKj~vl|k;#o{G;GzJ z#j4elmjnLJV`QZk<)*13=okq*&J$7_ma?Z(GVIMPgEE|RxsLyTfqZz5|2&g96>xs+ z>x+MKgmAqN58FYWfhd9BnV|a7!J6-3Z!B*p5%K6yr0}<%@5gf=8OF}qwlT+?ey`K) zGt|9j0$u!0r`+oPW%jM$jxGMVFasMx6U}%QJg?C z1LSh`!M!O7>3QpUbfsuA$JNuV;@%DLkiYjn!^6n{YMF%Fu$36OvVYP9?(b}y6ETU) zca(q!pzSfc>;>Jaj@xvPBla5vtjTyzcln)?kQgCgP?wFjp2^PbfTOm~=bieEhUYt4 z`wy>^v#fzAeSz!p7aMHQ6Ec==!*lmV%S_wV?!}HN!^jce-O_2Cp4%NC(M8vs-lo0Z z2BCloWB1c)n2qylg+Kx(5X~0<;q2C1CyCqp;DED^4h$aOP3ZHULz(UV&9L3$a*a;P ze^co`j^XafyRPd|(k*rRaoSa9&-1t)9={o7)WRcbn%|2HB0wfujZ5|O+^3Jq?di{g zZf$*E+y$H!UW*U1KI1@6)>>u`TEQg_4^^~;t-RjLc@)44uN~LAox72lGWuH}+KP{H z!nat@qY2K~Et{gU6xSooQR-C`b?@^85AxV;91T(3azA1B+hetAf3O-}kMDGadG8JI zeuBr-ym8jn^Z9JueAdJF^5Dty8mpma&6|gCueyjJ;6l`{Wf)Gq`*Dp>+WGW^GES3m z=W&9wx+b;*bcYng$+><~#)A*p0k_rphW3nU_d*Vi>)zR&b{R%k%DNBiIu~Mg;3RnE zeVe>JO1F9IpMsETyS!Q?YJr0^J!O?0-UYUtnva2xYB04v7a`hxPZMERPRG2!iI4Si z+Vwl9Q!RKCYXOV{x#bP7?{fkIevG3il>GRUST~%v4oH?Shmbl?sm}sLC7(P+|9bq^ zbAa4p{sFYx;9AAd3}H_g2-idv)8${8-<5a;KCr7EQc8=PmfX&j7dN;y6`1If>?%$y zsuZM`S}T*LRT)jAD^=jQ;-*pBcw&DN&aHexK$||eOXL{{mV!B?K(;j0TvV{IsBV8{ zTFDk#wV5wbflZ10T&y&$NN%xOMXUy+6aLeqkp)+>*w`G-FlRhQ73p~#y+q|#I{Cax 
zLeyPRV|JcNBp0gv@;5oQ`6VU&LN9g<1$-v^85VB23|Y?F5LgjD%0t`$#5>t!yN26d~$fDqhd2i;syGYwk>%xpDru;t>QXS*#t4N5G+Saref(%GV|0Dm5Pv` zEmoe9f~_>T2IfnJqvW(K`_^f=zxbMX_>ZQ{&mIdH6~%!FerZ1~fS*cKj` znj_0QSt%3r?g9=$XhtZ04s8nVVL_m6r)e4E{aWm`OjqV2Rr!C2I>+`ppml3E4V$D% z+Qv2;n=7_$+cuiUwr#7iZQHi(thL_kbDejeFXJc7XO4S5bBwVKjFzp)u?)>{&ZzSobi8V*!roIQ4IHKXY#4paYSqSDxG89}f7c{XHkK?wx& zfvbAu>Q6R6Io)q^RBvam|5>R5UjoMd<8jr{L^4DD`$hQ&kE{4jkFcn2IB@NPWs7yr z9QU>11I;-oHGUL83F0LCl*n+J{FoFiFS}>UZV*Qd6v-Vmt}sXqgZG}K5<1lNTu41s zNzg9haMdc&%x#3g0wDvNEB#lyq7N z8s8Mg!K9NpzHu}+kDLs);5gk?qP&n^^c}=ZmF>6VP$B!8{w<4n-o8Mo0j4@r7)o78 z9*+QqcwEg>;3tc6FO$~bPk81_N{J9pKvbOo1sYZ_i<<4%EMIw=5h{j?!XWQOyS72! zb`5#KIPxI>>d;l|@u%VV$oZo13@K6}ewc*|a4F>0XsS4tIKL}TrVO&P&x1%7_-H=h z6_k(<+CJ{qINe~ec9r}}%$WC=+#SWtCSkJKqEMWqKe;@))bwY}mwNwTEJz`zVqL?K zO0{Mt=y>@KQ|6KqDJ5)`r3Rjt+K{}UK{S;mU8I~sn zEjYEfcai8)eX%FwpQ^9=A7M&5$$9D4E&9hJOYnrkH16a77e9R=I7(pA!>5rz{xlLT zVC~{f*RfBIJhSR06Dp`5{(=Zf0KtO&yP-e<#H7+Fl>Tu!!+y4yysfJO{c6uTZ*dhD zqv`Lo?>_IxFS;d_cYSLEWl}j!7kiibVbA3Umh8IkYs?YfytZElo~OUszMg&;_64G` zwYB<8Bbik>lY4CX0Sz+rYHA0Wx$Szud+`Zg`{&K=#tf|<*ERIOgq_i(=onjH5rF$F zBtE!zYNe`A^@+G0-)V8}{o-YOb9dVsaD6nsm8yp7tGIUmOmZSIr`r(Uc2ML}ZiO3B zV%z$FG3!c^_3(0czr-fl`DC-*_8}Hj;O6G%vXGtO8?kbgZAV-JbcKD>;@)@@Zky{k z1m$EO=s7Qi9iTmHvtD-<&_7iS z;|E`x>wZMLj0)6r22K(zC@x}V!~xW5+1o&S8uq}2MwX`>i& zDbHP$S#-;5Hft*|dpHHa1KeEu9+KmCPH@EQaC&vDTn(=~6RmgMaF>HlAj8&q6!;us z*Zl+Vb|llR*J6FmUbau?b0g?c;{Mo~tnOy?p1bfA!c+S;7SiaZ^SIv4;TXaTpyYMi z3~2_jg8aTs`(;Fc|HsRk=?9|UO2Ec?w*t+Q7Y6-a`CTvTbHK&kfN!~w@9X*r6t4wxfs8fPUF0*xpdBu!uP`0aX3NXqDE_sbO8sl$nikn<6G-7BxXrUBf{&fN%F)3k8wA+Vip=N5~PL=f+G5;9t zLcmX&)NugqHZ^Kk+6+EMY=;96P3!~Cq~D?>#;iB{2z$^SQB|^q z$I?wOT@tIcPJ-nyyHfs?MIHA2@>}WJblY&pqN7UG!ELYZm>8Wq|<$`QB9*_p;)3x{h#wIkx*1mfSVe1A5H@_Gqk@`-=e z`hLgs7Ec;~{rOv3u{B%rU_X7^>dhMcR|J%THPQ|p!Kvk5i z5vXdcUGBTwz$vd)9O(GX^6ysaeh|t1>Qu0wG@zhM1Z+6BjI09>(ZS zi(69ctV8@uuUAUDKL5aIO`n=60`{Ubm@$3|>+o;djUf8;Fn`LxAsmK0+i@zDSFGH_ z8V4rTU%A>zYbw33S+X)Ni2^LfF5LysD;)NldBYF)Fz{?NLOoS5aLc)phGcXlaRyG< 
zcTm;?fg4P1P~vBsmcwQIyt1jJxz>@v^I@`<%Iv2>z61~Q&?p|G*enS6b0X%8DyVs< zOs2W(wTA=b)`beg*-`1$TT>4tima7XC;L?0Gv=XO$z&*KrCg?SR)YoF#6Akg-M}pH zhaVTX%2L26{$eyAqQE;IUW+Mcgk!5jWj-b?nA^311@$So^;qr`#s_ z^fA_N<&ocv1tgX;uqRJ^sG-j3u$m1`<;SSYarPH+Ai9Xn|~~!-i7(s_MYF>v#NC$|bnkm1MJD0Sv}8`LS-+)rvn*d(oQ&fa}4zFMu~>HaE~T z#(Zukx(~{lRUFPI5vXbrg3ZVRGJ-i@5e|Pr4HH6z$m0smy^!Cm&7}M7CM12bs2y;G z9}41NSmpAu9d^>uJ`;z%@EgEI;(G`ubM<0>?o?8v^$fXG-P})K ze5OpPZZQgzQ61m9nOX#`QAF#u8Mt3?YFW?bEc@rG-cI7Fb$VR(aXw$XT-pr1|Mr}O z7^m&r6iJ#5PPyou=)!2oKC902yZ>9sKg^oM$8ZtD922oQ1?DY- z40+ZC*FOSotw9+3t0tqL=eBdZ9xFihIb?vF8*!hlwFj#aE2-0!+ad|aWz`uZ&d8{37Kpg^*{w78JJFBm^ z3*epxw7DBL-sSs@B*g-@x^+S5PHrejQTIww*)(ej363&ZemzR)_H+QRePh3B+l6hv zZWy#*HUhPv);=UZXWi7BAa@*OiXo3{D{6}9{cE4-(_pWEaBK9tJh<{EpPx4cn1I{F*OLLF9gbQS~2-KIF^3saaxVEcM8Y?6Z^xsHd2_( zl4y#|lM9I8#rolobL)8~lT&vJcw~U6;4m}Zo^tIVF*6TyQn^#%BU1Izha)iJ`}*{Y z`&0c0b6#rJTx<73xoY0JCv@zX;s6*rP&oR^iIwDPIt8tL-d56taqkoWmfbmNGA@W$ z6J?sYu*%#ucL6~{AZ{k8!`Us@AB~iIW?Sxb6$&bV=)IM8RvbsCOmhK%(lKReq2Mf8 z9Lv&rKxLx*XSslRvSj~U<#~P0=UEbJrepC@lo6lkzqbEsCDoJ%o6P8ytI?&Y2)?!= z43B)NTh0KVha^yWg03~_!NQ`0>$x7P=##n6b; zW}E1l*N@6|I{%sw*Zg|?=*o3Wxc^%zt?BphKjudRnOpL372IVAqc!?s?#fk}Io5p4 zB?fXcV`;ky>PA_4ob)2y@>xt)&(TuJ=wOGnfjY|=*;PC~$^}??9D62nJ<4Z+^04Ds zQ42vw`*Q5)kuN4norN~#e+Sm>k;WP-7laSvCCmu1H{*BEoB~P63FTcSsluttT-Nff zvLF;y@C9fC= z!s~pD@9pO}DQ1_=Yd`x{9`IG+z=!iLJmmR#1Dtt3&74lrdZqi^ zyzFxNQ=Po?$6vRK1bfZXc3Y+*gs|)?$oiHUYL^QE(_96i-X}*e<+9ryobF1076=#YHJ6ZNrpjs=IVD4{#pZaPQL0(=LsYQ$OH?1lm;|ILGc)ZU z#%@)L*ZZpAMt>h#%*!J;Oq{odf)^w8QONqL8}~cJ+KlO;!bAa+a^IBLP^fGT&zU$r znjyZZ$6b+h1&is~`z<#Yvx*7UY{vcqft>wo@Y6;Wx7+^FKRlv&YuSB+=y#6JZFGWf zqGQ`Z%d$duxvyJx;P)5$MZO1d`&-p|RQzvrr>ggA?_nvV6KiRFH427x#o<(hjp}hD z>z&#~Ot{E<4FI=sinr2r0q;gus-<7fbl3-w9LJ+w3quI%jjIJj8nQSbduw#W+_4`h zTSN<{(F7FUrs++TPL&j+q*7^Ari)4grz}cr0Veg0sYMZf17g)G3P2&5}cVcvkOLOXnaZAC`95Un`Mc|q;KQ=XP#JMEExRQVu}ofZ@;lH z2D9nwAo^Mxblf1jGy&~WKJZ3elW3L1&_6t-uNrc(v>*e|Q*dO7f4b61I?+@C6YElp z)e#zfZjv2t#-ct&8cP??@4@cOnBe@G-!wWTl3&Zv#(BF(uG;qV?S$9|Oz();t}$H?$ZU+u#dK 
znUT{rp(R>FE$g!g0scgqVwMGVGP^y43Egg$1)ODo3;&rcci9?TZ5PwUC;z4}Tfc8L73qzSbb|2`?u#h1{~;jy%l%E609)n%-T?k-zf+V43++SzLjvQ#UO;3-+NehWX_x_r?B2m}8JN=}XxYv0IBgy| zu9>^=ZN2>p0NOllLe{J6W$i1{(*(s|vbSF*zYPvwcAu{I{Y6vlpaqQKz4hZnYuohx z8@_%`I{F7|eXwF@<3Qy;F`YdHyzqQV&q2Bcg?*-HA*2DP(5|mLiCcEOu8-tUmd^-U zhxebYbMap$89T{`!{@8yqkTa>)|Et z70$gituCiYCAm)TjmFMNB=_93^;jF)X12O1kum&~y5+Z=?Pu7MN?&33r39_6$FcA6 zu1otAw!j0nC0Z-q`_-D`7g)8o{w7%8lEH1lN9~lruQP)j`4u)_S3A4 zruD;r?w1M;zAA}`~8WeyW7`p zxBU9@CT-jAv25ZRUym@`Wu029#;|z0mS+2|kG;{P>19m7P8}h-{TlfWEyL@Y0MzFh zLf4$-+jpm>{ea}AXYhEJV#j@7Y^Pnnbhib$SkuwiPjal|dg_`L!pp2haQ(RZc3tDMEJxRNHhkRe`H)PJ~;la8Qq-&-UrMG+AN2mryK^*+Ygrq z;x_Ww`EKqrg6O?LnN{o=zP2%VFw=TYy;jH9-d7$tJl^|%r};XrNXGx!Z8%kWoDwX9 zcaJw|GMU-9&NC;k*1+_)epH!Y$mwCQoFS0r5kO@rIa^W<)}k(Vy4J*?a4Js#hCTuq z2|wmRb~!_D1j--xthtN=w6q4m7)g2wFgpchko=caawk&6jKf( zla6#vQX#tS2UA}~Bd!&FR8#v#D0WE4E0YFyg3Lv8POTBwvt+%=FVF=PG8Ax(JsGT7 z)<+hMdU6%w{i7KBmTLF;f8#5bJ}n4t0!vYHK>y)9o0+#1QqS&is>-LVRd6UdL>$=jLQDZ^gKx*1kR14S00rQvgz(;Lub9RF! zUQ%jovGzy0%j4e=P3M|+2Sb-oL882Q)ToSHfFkJpW!6m|;pgzkb)hfyBX6w|u_M)) z`g4`?{i$`zH3mulRx7BmIEnMA76i%EPE89n@Ny=9V^swBbN;!P$sGR@%q#=Y1tM24 zglj6^h6Y=83C|kWA1in2XVTvv3KSpyGPi(x#$AOb=^!~$2}|j1sbPi1+Lo34_GeYM zudb?2?u2cgbUbqa@m`qh()sn@+HW?==#d+5V4_Za{FJX$DT3uWLT)yg_#?mZx~N+>9fS!+ssuCD4~gKB1I(^?Dp&5#rnm`A#!_P{Ji|NdYRdpecKCIlRuon7 zP}@=d#*lGdsVsNd4O>c0$hiInfv~W+ftH!GdMWmdIiknw23%2^{mgo8(Pm+$jiN}Ht%7a zrX3iSEae$A%b35j)0@>VuwY2_>-RwCiL&17mzx{-B##z-2Wb6hbIBc9!p_oAqB$-$ zpq?(a#h4DZP_m3=op5^d5S%o1FEK>7Nux=j4vMo9hNCfOV;y1R(1dlb2#^iNYBkMps|RsR0tqv3n*CExuLjn}6A z5q-_dePs!K=iv-wj!)6?hTU-upW(g_+uKH4?@2=lx{sB{!_lv0-j5SnK=-B{63<5* z&Din|g@ct|9q?or5a#Q?+8fd-Szfc*N_o8PwFn7|%d+8qSbvbSfmAoW6ufTzmQW>m z=u)$NjeBznIDyS_bM};c?y!mGyqYB0(s^8@*Q=i->3+RT@G`jtf;K_*yUM_;@O~>k zuOq&NL_Y5*l1{ygf1{grpxxeaKkqASxuh*@~l?*QG}Wpm%fN&wkx- zG6Pim_rwF9^WpP)L(rP4?%3b5+vt!k^KQKty=Ruw?E>y2jK{jq`fuGwimpk&! 
z>F!~g!9Wb&MxYJ#{RhdiERsgUM19ECO_EZLrELylm(#)!#?>`!SKW482yc~c+nSFa zT$AV9;)KleUv5DC>+}+z&*HUB>v`JKQbvyb>6D)1tdeizeVZ9y(^^T%@9+Ki;vQ>WkaxX4 zU;(8a4e!(1;Zy@o9=Ozn*mtwQFX$xCp#^G76W`23#a3x#>yl+RD<_K{`vI8}PKYN-c*Ll=$O0BC{VtVj z59nIHyL3xlEvhdzwW^mwJQ)l}ltlUdbf}B@?3Vtw%Kk1BCG{heu{R^O!+AFU0ulvj zRpc!#w`cTamA+UcX30v{P87|kr?oo0+WaEoUUgKntd&_$JL>x=+&Dx3Mnr+rCD6Oi zBQ4O8RnpN=Rs=`rkQ(R6Ho=M-Ki`MTZUys0meU)9`kfNSU%pD)pv~7tz9us7NI#Wc z0Iykl%mr&g$WkYF_WU(8jg}3oP42sL87c9?$Uh(A`j+Bio8x;|4|y@m(*^dwt(A?e zR*6;QK_1^T?@LqpyBOD&gu3vc$DoB z|CWfB4Qz&o0b2Eom&*bFo^`!v2W#Ym>@@h~oI7vxgnR~dV-k79pviR;00HEG%Rz+4-C zM=ai5uq z1A7=Y;>BgwEhXAK(^@ivu4dX=+Wt|lBoBH^|_*DW&hClcy4%4aMBYxqUYgMaT zm6#NgF$*eFAKbkZilBw3>sm#3s_%NzcIn;?@m3I1Z92}MHx^r0F;|nK7tPZ`jYJy^ z9tvYEdMi)XK~lMvo6ss{X(lmXF}GS6G1N<7!hBATr^ZaqYSL@jKvQ<-P^7 zN?#zQAFpn>D-LKZglIuP3oK5__sB3cr9ZYM3r6AF44H38=xoH_o!T?}eVFO_qS0(I z4!5pYSiku9x0hgN5tc3=GkkCKNF!}6p7-QBUKFn) zmc2dNr{eZmLnrAxo>xp2TT`=;oZS3CQv396CwN|XH}`Jr9=l6pQW<{5OMu9HthVD>rqv zKQ3nxYO3g;`%|j_eo7jALyO^8i(l6G9Kk=WvH`3_oahtM;q@qPs!VZla*{-U!G+V(Ya zU*oK)D8c(!qRP$Z0r!#N5w=%6ru*puwc9Vz-KF6< zo-R~0(bt{^0mpi8HS@BZsgK=Vzd(cc=vxRmkC=+B@x`*>8rrK?tHITbaht|D-TwON zn;PAt^cs=+VS4E;;I5G!GW)C42N-!7oO=(t&(Q?`1t;DW-3EeVjoqo92pEeP8POCO zS!-ji08e0gP(aw(-YNh%*vKz+1}Gvc1D7Qeqf2rLRv4OStKJ|IKAfX26NxuXf791n z9@ppWU2Q4t`EI>5&FLeCG=eRG7RqlWpIG&<;Si8nXFn&%SYQXSXwj)47UC1ceh*~g zGLoRE6pm_{PaVTRH$sfi-Za?z>MTCN~IDOsfEMv4`!~j)bF8C*`^W}DxIlhMYM&Bv0`5CHE94FmMVw@M?wxteFV@cvpY(c zKh~Xz>sL6=8fZmP;?7${?YKZg1=z-aThK7%mtfnjH=I2AZVHcF#vm^JrI*xM@Ta0l zC{;&XtP7$HHVa$wk)k;p^!ynMvTG-4n0zftopFu?iOk8f)E1?Z-N8@PP%|0QvsL|> z`&!E14po|TqyLEQ#**a=^~F@lH^ZaILRT{eXz?wgxH`1N*YsoTB!T%bwZ7%E&$vLndO4f3dSjtz+LMY{#2~S)#4`@7*uEYa`OPhtEa78TK zf{(uQBlVe1tC%-s1;hO`7Ikh!8+K?;>Zg@(^Pq(2EfpF5SkM&_*Igo*Frqs3QBB57jJA}P~KjAqsB2k$DlYk zh8UXvvshfblr#MY##r#lg4D+dU9TrjNzg46YMHiDsFqF2-`KEBqeGOe+*ck;RI|k& z3jGND8_f*Wrw@gWpqfWOc+V`s5nw?ND3ci;<+HTo*y%rd`(6F4;8MOd zd8=vnS3E3Hg5|SAMCIohW^E6&PSxLi2L8GW^9#{{nImSC@+A@j2qx|A!Vv{bLSBiQ 
zGF$pcSRJ$Erb3OPwDDhr^AWF^BIpJ`U9i}ud&P;NNe9iu5v#B>JJcXTNo#9zK4H zd4)>j`|DdDI``!sk@fNq_z(k$J_n+SuX${?yVxw}q@oqQT%_FjB@p3rk#_E--(17> zPox^lxUXWJ)-$rQ!W#Zs}$|qtu zhO6p8&t4Sc26>y$+#mAY>#|&n{I5I!tcW-w>7qW*}InOy48-20h zO}&kze!kT)Rgc5kRfVKRZB(*R`{6)=2 zQsX!PV|77t)wt99MbEZ%>)mL_t!B$J#bfKdoi_c$bb865Te|YH%fA1-+x6-VBxusR zNbR(>bmUgEeUvq(N>Ov1?e2$Ew(>{kH%B*TlczZ(A_*~yv~la zWJ*6n*0gKw)mw?K0bcz@$OJC)F6^(}{Ixl>YiDa&MOi7E2ToePMPn4J_JawsFZ1YT zL(7#-@APz>`|{2ub)c*uFCJ%0j}#e#4kJ6CyO776wtZ%e%faR|3T;0#VL-=a)bYm? zxk&|D7x3WykJ|cKSpd86VhFy+0kYf$2*vHa^(cL<4)$}2do24kLe6WS&?i8Py-nwR zYPs1{uj3)H9tTuWa^|*dx4zo>9;$=?vCDnk>AJ*JVcSLFIJirp)1cU~|M$4Od&Q=z zIcLRqcP$2_2D&s`g0fxpcwVO8ByfL>Y4_oN*8*J?sF=6Yu(!5N=RD2_%%7XBES)#V zdB67Yu5Mn-``%q}uc}>f*_@lva{#lMk#sFKH`Lhjv$+n6n!!Im`!hk1pRDER8~{lB zG`cY?k`dpl zTEQ?xyIE5@5%Ifl=3I26emY`Alpwnq(vS@8l7#I~d)d5_l|YVSF5dJJv6eXY_b?JG zbH4AWic=?iET~^#5jNZf17~Y9m+Kn>Wye+mzZjJnBd2SJR=|_7&~|9qET1ck4PcEx z3B*r3x1orJwIDis32|#BK3)l1xpPFp*RPC2{j6d({`C0`o+8qUU*jr3ejv~;y3v&r-$fJQl? zP+j(wi#BOqA&(1P(0m2qk0?{cbPsW4d({UDi-zrriRU2;4I_-$!arGmrNOVvm@Ge` z>m5gGvu9rzXz~-TR-`>q;1(j6DDmP`Q(b~P@qbSN@%16nlr`bhEztv^=E7kJo(lpq zq(U6pwbS58aU2r2F=%6%p#E5Lb^WSqF=^r@5g3|8MI7uKe(T_DaUalJ0k)%z%ccDW zTm$?ba~|f80a6W{ACrD_WT)UGLOkZ$^B-GZ%oES=X`4e?EdvB8s19mbJ(fyx1ZT zsmZLjB2lO2Xv$48VIZ?Vwm*-UbB`cGTDoEt0wS|cB}h&V^8SxCYcxeVqj(#5_%Exc2Z~0@v6+;zp{~`J9xBM+Hs>(u zz48l(MaLd~O{lyF9T{KYi7QU9kjx6yikv?2$YMIJX)et4KGofesrtV}9NuMa$@! 
zzPC<#fRn)w0q!cV2i7SvKTXi^w)f$IPYQ(J@`tBSme!NT!+Hk&Po!7dVfEYEesIgy z7Ja4LQ}K9oh8@1sF4MRfovzpGT%F;yi?Djjyjil>%aX}f=VzF-t)Yy%n;mw9ZtHFNP?H_o^*T8C zCCsT6hfQntCC`&MNc32 z4lLzR;DW^Gp~9?jcvz9GVSx2$reN#i{a&)=QP(^Rfz0c5Ha?@Yz2fHe(y79}btu(b z4O)GOnxJZl=e;_tV#D>mUG1FiW_T`n2i$+`pVnZ3RwAa?jBA$nn~_)Fv(WB`!g1)q z->~LGG+NP=zp6}f>dDv?ZNC{!GFLg_qX6*8sKp7Nx!QGcwrLkPo}~z%pDU}nc!;-{sBJy$XP3y z_KQ?k#?T9KB`ufI29ta~-!?y)FUhQ>F5x<8@P_O&=N_3*NE`IEXmjHyGmMtY91GT` z-d-#;rU?`&=LvL<$@58<4b~kQY+Bnb$PvbmzB3zNvEQK8QfoMA)G1{B^)~<0YWTCb zC=NC4FX4h|;SBQ`Boexrqj0lk$25g>TK!({-t?QS24pGqG|>#qGn?G>2u07Od`Us$m;7kre@80c z1dM(eC{z5MBV4laU1Or8$C4W{{{+)cpW9>Ud#9$;m0!_H^WD_>se;iOT<(AoR7QnEerC`~k=Yqr!{p%EF+@CI%bT zpP7f*y}Q&DVoO%>EuArN8w3_ttKx_z**z-zY}9TDhdQg*wnHO-p=n}r&bah0i$-@> zwM(`z-htQV7$nj*l&&N(VD;-`d$nG7-Vq#8B5U5^5=9HI`>Fy}?97eJpc8MVur;21 zrm0)22}5Mj3cqUG9?fCvDe{$ys0V3u4oEjL9!aZz_1?QO40aX2wv@`^9OD zv=1~^qpN*>gEhRXF{wZEz*wPamyf5>0F$74()CHd_m~#adp~MJ}pOXbNpl`N$5(&i_=B?zLyNG9wN zPWsD_Poa3oyY;jLHWXvAFxRi!XV?7Ohz&bw%nrN|hG(9g=xY$F8-&K za?kJrwsWu7AiKmKn9pImr3W-~2%8RhM{akYk|W5+n0_6d@youyHz4EtGvr^+hLQfp zNlhwm!{9=K*B_2ov7HgQz{m|p9A=gYf{)wb-Cm~}8*gw1ibqqOhGmwx{=DoLZ2 ziJ;aW+61{KeV370Ol8F=)N1vFSptBL_&<5vL|KM6ovodUy%p!y=D@ImH{TU9;A8{_za^b*d zn1s4`>{Zlp`iqg{X-Ky!?7Jgm{{fJ2f~-wi0WQ_mJSfDojvJnaPdN%=xgim8n`Lck z=D^x~?q;oE;zK;g<2|kUzoG~3M8Tb+O9BN<3fNze zyvVs)JP^PK{No7QSs1>}xsOUB@B-6tvp%^$q<}8pb=rr`mzA!4fF+GWx;pJ{pmwpC z5(@AAi4s4DtMP#$GadJ}^B@A+QhIs%7a6~-5PEOKj>n1$Z*Zef#B=9efZC9qP1lf{ z-MT#2WmizM-)XE?PJ89hHtomNWkgeB?)D4)X8rPVw4avxYo%Ir@uXFE+fq4B@Rf_4 z?d=}dn5Pxb%hI6QM|Hl;x;zY27{A%*~q$&C~Z4*>)c;0VkHeRZAn^?Q`x~}_O zrrIp8B%i1?z4n%y<+QK8zmjylwx(R`-LBPkj;ZLi+a@8bRY8|rdoBB7fIpDOE&*ws z-jCUzIJwN){etY^kiEw1{`MsdgC{(zYxO1a7oZvKCZWEynZE0t9GvuPrNlo+IVMkw zI@csR#Z3p?uIG0WK@$j^(rpa$nTqh^v3us8nq~|3!>x9|Khopz2rwfrv2!}!>Q;w3 zU>@%Bovdr8o;zztReha>Ip%Fyynb#4+WOW|*lqoSSzvG4e$u~a(%baiyfoAHZG9*b zlH&?}pY1D|0u2^#OEtY(c=R6otI54SQb$o>mt1;Gwyj^(FXi~6p5?rwc~*ES`-Y6K zzxj1~^`CFxTXi>`dzbNI 
zn^Bcc%PewQ_GymK%VpFaR2|7Yw1<_Ygw{c)T#1%73DL#8f{s1c$1VdEhI6w~?%{;@u& zzmsx4m^sZHsAL5(sYxSUvC|?o<><(T^IV^g3H1vNB5A5r=d}HM$zSw7Br8h=W;!n> z9Py$H!ufz$Y~}=^Trq_Fw5CeLlaznNt9Zj{qV4*wg4NoY_5`AIPr2dV+e8*dI;SGStS1!{yTGl7R*`x<(}os#;kF+gb=6 zsvY%yGnk|{K+3q(Www#=qa^?aF>zWHx)sujglwKwiY))znQDF-molB(3LR6$2)5E? z-@ba~VQ^jSx3ynXm^9vGbB}vaBTgi^$}qTOrg52?4C#HP;;y?_g%J#ON=_7;gwwN< zVpPiT9>kVzl?q>6v?5|+4-_1rAl7oT9|o9kg%%yMo^WuFR*AkTGz!M<9ST&3FN$mt zz+Ht7ZIq9O{Uk-ZsVsX?MhQqqpRqWcMM|p}!s?z-Kv4{LAqRXLknPltc2w=$j3pQ9 zP-Hd@OJNd1CbbWyJ)Ag_uZANlL-=#pggvpwESX&4y=nL>Ea*k|egDCah7PH2b~|K+ zZ37u}DsT&KssC)FKz=yA&mmj01swsTn7}0qdkx8QrkcF?`UvpX^{t6+S=wn9pYN3i zCYF~9F#TrzfAHJp9a0my+W0P?-y1|u^y3T8qy>mVoc)MB`Rf*Hl#QlF%((N+Tgp&{ z=F9gJ9GYl*{7VNQnNQfMub><~B}sA%2kvnUF|tM)IVNN>_%|HZM^O$rM`?mkN0SOf zTRE%O2D`SV3=ykRhN`0F%k)*M;v{qyY4oedlFxkLZO9AKkzZIF4(|3sQRm_4-_|gBa3RpYkm*IH3>^KY6ZPNvq{=H*dA62%7`g0f6MSZ+@OG;*J!mx;I zVLYtEYpbr|a|KpmrS<#>&48lTvpp-umah|@zLZv&L?u~+o^e<$;LpJzzWZd$I{p!S z1AdN&-ET40$0x{-IjuOy1i)jV_g)C_3d$9D0l9h!H=dWB+20;J`kzEM%{&QVLKs}a zw7hT0mPQM|7;Py(8)T9 zTMEM$uT@t~@Qz6Cps>RJa;a0X3dKH>b*wzvb;_$(Ly{1%V{4o-my3f~zkmGFW5$<- zF=$}3P*VP?xxA=O8bk9f$py1e59i5BcWNOaGCpt#s^|oh{#B71P`GFchxH2%g~gkN zb~3#x{^+^fvPOw;y^dHSEg5@|lo?foi!Ge2g1zx0m33H<#5lO1Ng%1fV%+ll%XwHQ z1UEHXm_Xh2vGFkRiGSs<-Acg8Oj=lc;fXOk@q#!m6VG<>o#JXDNzM9SvXUswFPt$V z_v$SFl?U*%pgpD@H4rxIvs{Pt)AJr{zt3#=ZTZ2W7R>w(l)n+XA^0HpplC;ZL5>Uh zh8to4|N7~9Kj@!%rZgUYx}JD-`@Uyg?FQBB`d(Iu(O&<3*Sk3^(L6jsUbn8TYk9p| z-mCFBw`%vUcw7|ue^i}QaAo1vwUdr*tAmbhr(@f;ZD%JPcgN}29ox2T+qS*;pHubK zIrZO+i*>iER@GSVoa24QbCw=pZ_&S5;4ug%Y+K;E0m(qfy+Bvj+I(%iuIdq()|2@?Tb_um_XO{Qh1{R@UYCa#<=ShP#)^}O z-zK$HK2s}~0jIP2#M>{O98aqbn`dmr!%G6~`bf`77%;K=os%b_u21x$e4RO~@0Xg( z{J@C%b;S>0-pRqV-_yiW&Yi8J(mr`^r-O`?Q*E#TiFgm3l(+vTx6yC{1|cU?l}6rRvVuEW25U(CYDhT zMoabWBRb2XpFX6z`@!GXYq#wSZnllV?c;u?DWp5Jgz1@c8Q`|UG~U>gRiHk)@uVf6{@=}pr1t~ky@q=rzzQG^zzVVy1Omv;4R1-hl{wRM z+FpfD^vWV5tZC@hJ`eKWr-iaWs-TD0>5YtlC28>_g`>NbACDxa(r?|35s?e{Ttsb5 z*t2r=|G=DW!ty7mGu_7f9T?rYS^kKdwqqPhx@Ndhg;KgjO05qT%{oz$sTH=d_1;YQ 
zV3W7SRC?ThvwF zRxJHABQX!uz{VQe(aSE?sa%R+&M)I9LQPK?W9?(6o%+pJJ|eAxnfdmW`-|= zfvN1Jp_Gp~GvUyxOry?#sNm|V?PA-*x0LJP7J@I0BjqQzC<&3ERAXE!NRWcDF{De) zgKVkq#Mpc&)`PVls|`w|)1lR7#I9>9S$c)Wv4HF=XiszQ%gV<`tI0 zVre3Ox@Vssb1un8CIoYFolHyb$=xDIs?4=PW-UU>?~MBCEasqd7QYpE^*4>h(3G-F z<>#Lm1@}kVgYm`=&arQprT7}cxKh~o#pYg_KG+e(hkl5+ZrQh&6oxcX1t&#WET!1x z9!crRq}!C^KGtE)mtZ~O!dZ(&seNy>X4a2IB67Yzs-khxaBFM|@!*P92TaJ|)ws*e z&@DI%Bhm@lm7yrdP{A~zl{Z*gO2oYKIN;fI66ODWzd-3M<2B7q1AA5S)?*lu7ico6 z+@IB%A*)#KYyf4e;s|pjsF@0S68n= zE&F|62K@2=8Sq~(Y}rr&vb~^y+M&Y(ttMS*8jgn30%GMK8WI~8LR5#o7vHazF4B4w zX*Z9env6tp5Uz|#g{E}nf|Jd9idwR1=KI-74Nul5=FB_zsUoB z@tI2AP?#ao4(O5Ds#0qtUou}Lh<33PX~%I9{e~dpE8ujhU0zF$yi zF;Qc(tPh!C4<%CEl$E%n1r1SELE#;Drp9Ln_e4rZ7cY@_^l8mxD8HiY&)5SU5$V5B zB6)W~vvm@i(9)t&dkYQJ>nIlWDydeLPK3sH1?2zs?NH+9Nu}c}bWr;-XIu@MnJi3d z#&Aei@$Zy~O1bmCqeQ0f-`zcV*E>OfM&R>* zR%{*w@PDRH%cFQ*78~;3YsNafFIfCpTX$@=X!~U9@O2P)PhGuV*1x}*0+PH50i53r zJ5yJ^|F~bjY>eyfjvGF&Ku>?4bmiQ7oI2;M+xBtlO$Yd(=`*hsw@u!ec+Vn-<4p_Q zw60Mg5O!>}blzOYSvD0&<0Q?0e0ahgszsdsz)=MhKFpg zRaT#m=To`^b|el?n;A^I0%nue?SYamvt{E%&!3Lt<5lk0kqCg#)!QLmwCIw*W7hcd>dQdm_6N`g zHU^H z3qI~xx71f{(0MmntXOIYxGnPUdZ1|Mk?ySZZFjvG$`GiptIYAe@UJGm_q$!hL0$tY z7|-96c$?MxJ})dsGhScZZN*3$RSUL1wr;mw!`NLNReH3%+1$_`&Gy!}XWfP~k=z~R z{F>He>ToH93eUy?0XIZR>SEJYffmp$_rX2B+d+m3v2Qw{@7^E5@0!V9NWS}6h7{fV zhfOXT&|NxAvuNPsbS2Dtz_I1fgQO$vagOu&WNXs+c_$UW9Alep*0|x`*4*`n?1v%z zd-vqmRiXc!coVHQ*@1EWqlGJgfrTJ3b*ZB}<^QwXd+UdsijpJaNUQ{aF;LN0`V7#f zy2wI+Xsj7hN_t)o-}8e|T$8+QfHf2CLAsjDXinQ%=fuaT^9Y86ruTqM=IDmg9OZF< zsZFGKO09?#za%(-Afm^4p|_7lZ{9>TXS~jJ9??)t%SMZaw<3DBvrVat6`Gm!K9&tM*g9S&o-|qeA zy87hwaXJS7WRF(30&|B?1pbxy@3N1oH9AMv{_2=cha18pj{ilj!eC+(x;N)6 zRD%2m51l|)Ny@?qNQ)T?%ITFsynJ|? 
z#{EY|mBXC6_B6A7F-nrWoNyFY3^|oa&;nSdg+O+7OWNewEYR}jwndt?HRrWZjs-|N z;qt5FxL)iYaI}}gLw|Po4+fPeHQd+XAeX4>qkE+t#cH^;T)79eEilC3TZjRYR>F_f zZ{MWq%(Mra(#`R3osxcxYt%EWqJ9&-4#8eS{RR<|_naQG^(`-ahA#w_vSDWYzTm?f z?xrs!+&K$d$qrj|Zl67l=taKT#>&)iXah}Zu0L;5_0?i^^f-iY2)=I0xG4vf zHD22qPboMmBhmn!dewTv+Oz?FR3OJ@-Xrx2xm6=S$<6uScV6Lw`Bt^U^V`yR)#jZ5 zHRcY9q^vFXFmoitKzfxxwG`r1wId;Y&?Myt6fkk(qx-zOk-u~`_6HzhS*<+`Nz#HE zN}^eOk2z_fQp>(Z0fPR)N1;_s`f0@g-TJRiqFjKFOnYfM+(VtHEXlf&_ct~bmU0BV z#Yppb(%;g0=kY5wvAA+j*N5udu_!ZUY|<2sHRC?7@akC-Kfy#2yM}y%At90n@^qKA znG@QL%1%u56{yZo*=Wzd+V%uoscn}^#!FVnr`4TTIZay_0vG3Q&CXOl;U`-UFT*V6|ob4*VV;`OSvF( zM*8O*nq~n1dnecN72<}E$@TFiiT=ahwS&&-Wjji%XMVWi+pW7S(_8NqT>yZ?bv?h@ z{~bk9r&_NrCSanTJ^Zq9q&okd^A6d5T0nhm7yLde$MELGS2MOiK4xXq|J=aq)l;|d zy85^~r`1u^c6-gSIjw#Aewv=^ISK2ccwxhsugmR8<HUmU`Bwn^+WUpSYjvRCDijy?>0*oqGbc*YCf#IEXeMZ<` z`;Y7PzAHuL#7kYqR~hj_8&}7+73SNWgV_`1Tn58MAsEYkZrX#oekh)n7YQYat;-;* zaMw79>5X@9?!DyqtDQkjlD2LbHBVrke#gOxc)xxQ_ie};4BZw=oaSFZ(_3?p(B$Vl z4ONBeHgKOrsP1;s%=@_5;cYNKJjaNrdt@HW_o8*u)Ix<#!ensRBuw(G!b9yTGElB+8XEf}7b7Xr5`SDzC-;%IX&Lui#g5;>YA@wHa zl#Krs3O0iUO^QBrJWCW*IRlzm1lBSVjMu}1U#4#oThY_+v|^{~b5k#TWF$7wr|ts5o(sKFYM zsHXo4b2V*(6Gx^V2J@0fvXdm)B>D8o9-KLaVqD@fI#IGxb9=Qdok~9nFEIZrff$jf zMD)}Rjw<58)cyS{1WM!Hs1EZET$?4D0>ffWLZg0Miw704$VKt z<)^xYIyFOk%&0}AMcJB2G~@YAr~`jzHYU3h7Mx?K0eq~kbm0kl0XC;^Nn-2_W}p?r z!=G10Vk&{C;k3-rhhN;1LEy85%sdpsv8`%?7hL-*j4e`G)$yP4i({kKW=1|V4Wmka z-)_OXt`Y(8r-jP#%UZGUwKgFKx74COuR*fcYXY;)MTtn_VW9zO>(&UCP`g^WHVi!jC9fRh43K#Xz^NldX;Cw6gL`9=TuKVuFh?k zw{m4U)^`}XL76oTiCSzm7I`=XqCu(Ti!HEAX!v!fM zVGAo#h7@+ckSSrmbR@7!0~0t(0a8Dk8CJ^EOoLJGwxEV{WQMVXhdDhI6 z$SX|Htl`*^;6*lv9&ylmwwYt+RbQl$!I;19(Herwj#BBfRvgeW1Q)Bu!NK#19Z?qN z*(d40W#3G>D8s4OaK%}2ZI#*1d&K<`lpzKWYDP|E0y3$wG9%T@hN7j{C(g`m6Xy7I z3?qKA7VQYED_h53MI7Mv_+irGy?*iK-|*8=(tUn6x1Jh_B~@tfJ*ZOfBUpm9F1!se3@Q9_huRruEURTj*jDQ8U$ zaZrz$^~24e;m-&zE2YOG139Ex?+){99%*;_*wQHwbua^4#En2bNcvaF*Xp>&#M>S`G)*56K%2WbD+ z(ENA*3cES}df+RFwi->=axc`#W?Pwr>B(Q<5+zFd@SppD9@g>7aESWhXlo 
zh80L@QDX)D=YIn1c3_6yHIxOVt%7!Ct#fX2*1OwZ{=H~k3vq|^p+<z5mf;`;@PJvfW}iUz32|<6aiI_K4s)bKwQ8UH>h+e>0aj9 z`MZ{_x$U}9*=+Ca>>sU(;_I~)dDvHBe!cO~K|=IAS2=o_qw5oScnrHsIxFA&;TO9} z>}wTi+O*=8@@ygSJjCeRVF)y6fplqfH1K^o9G^723&|kXwyT`PG5mNjC3Z?lcb)ji zaPYne%BV3_;3*;#((!knip}nJyf4S0dE}hdyGgv6_3ajAl;}kH%$(YGdRtvIMfoa0 zIIcE-^3DUE48>-8JiH`4S5;qcY+2KRs81q`bNqHj<)4L$HCjEo4J*D#KR8kWS#>8>rpxzJ|lZH@z7tTrOCA}cH>jd?gH z>SF6(9N&h)R(&3JSb6MXQ$GBnw<-x<8gE_!g%D{7O!`tvs`1C~41Ak;^Y${(s)tEv zGXpTvIBw_m-A%cHD^?=LO75_&{uR|{>{o3r>MG`%Wo~OaZT7!@2uowh`v0lGV3|cJ z4^01+&QWUaCK({M!0W>}dvx12lQqI^@nAK((5_z0LuhND5K|x3i{o9Ul`^6v;#?qz z42DA-n#x8iNiI{14pD)LW7XG#p2i)X>y=Vcv)H1YI<>7Agg~`PW_4cXApfllXQ>x4 z9{NHI4uWnTl}&*HHZI05I4I1!Af*EGQJ7W^wHNG?CptcKyq|)rN_`d?aalEC-&a4% z9w|^`9knYJ1nZ<$Na=8Z-mg}a(paCCkpJA4Wr09ol5MwWLcK#CCk)L#zzx^Bq8ef_ zFfK}XXj6dF6ZxH<)N1fNFUcS;&06MA#RZdM&p>bx3$rs~QOvn#Y#&$iQLPbjS+pZ) z8SWRIWrq7OIIGJV0acyE5R(Gc0hGA3cPAm@I3v9aQMrM;q(7xY+J1>*BtwCkyd_l_ z2GuYGCtR&fBzTzz<)7DIum}xGdk=9D5FKT=jRs22qHH5Six|ARrV3|>Cx^XFRX8bm z%dr<6AZ&7-&;rBKplO@Ea#Yr(9l18vsQf){ETR$)rpK#l2c5n-jvBb4PaS~#5=A$&)n&|3RED7^<#hQk&d7NE7MmWAixN-VH#8bXKM1q-CB6ElG8 zdZc4ya9{mSGvB@-&wu1=7+UtxwCxjXB(cW^^ZH(;*dRD)%{SQS^b>Mr&~X%@Te1i- zh#1CTqOrBAIfuXoJ^#Q*JxLVS{bV)Iy8hX30Z==owB57-mm9^iGJ2DWm!bU0fUXKh zgL)TQ7jvXUe}F(5=xs_@nqs?Zyg*6?i&dyTac=V|OcUhm5IXgv0dh*JOn6*5ejMf2 zqE4&7B{JOx0Vz)%f^wcfauO@6P2Y@JZg1W64^dLm7b(SeAUCDfR-{Y6FMQ3*PEC4< zy;BB5v>mEAC+@opCKzLUrJ7pKSTk_{aT~}2vdlZ{#`?(SQ~FEVOIkxh#auUX+ou&l z1XH}8sPVIi?Wn}s!Y{Py+ttq(YK5gS!<5P~ z6=M7I=w&k=61|;LpFR=c+z`I85A>$PWdv6cJ`F`wFrpF@qHx#Z4yiNP%@}Lp`F0f% z?B!M+hSMkX_p#V7bcaauVnJ6PUSVtgyV}oMSi{HO~DgxnpJMvr=#B+98>#WnuC^T%U$ba1Z z{A?3!|CRghhF;u{?V}vPr4Y?S&L@m?Fxxr6Py)h|>4};9U3VEY322%$;6AP>7Tgtb z?NSpAQidErvsy!i-6qsQ`PediF?&>eCV2tvk>E<_y->YaJ~O@FkfOq%v1du-O@az< zHxST-3>|0ds}1b**8^ z<5|b_y1xEyrz~F?rY)4^0GAA|*d5nc`ryjPnfOOhgg=bJ*#XBq_v-|V_45g__Ur4X zSB>ch)0`b1TMGA#M0R|~(T0=2`G2-*nxN6w@ve^PPft6+-(Rm~dv^C8(|TVxTMpoN ze)8Tg?FCo>C@0FYyc>6#az`R( 
z*h^5}^QqF?b+oVwG?nKG+FA3g+NP7Neu8Yf+*}Gc@BY;RjPK^=eTm!t_nu#w!f$-| zqggPmjp}9BN8q7GJeUsfu(!5ucfTjuOM6`H|L7pp;{CbP(!cEeuypTXc-)jR;`^j? z-7c$N%YXNwLa^l;5lJ%Uk<9PD-_DutDYX|e|J+_E-gUoYPWSQBvJnImshGF9p1kt% zFJ)=%I8{@E#Ge0U@-CXAstc68?dW!F;(E<%nzs0_*Sy|W->9+?Q1C2u5U=goWdPh1 z_V{e>_A}l7e52z5@E%{-Z}ED3ti=fFzEa_AyWD1!cXnTsUh6kaD`+ZkHl7!|Z@(|f zz*M`WfX3b(Ki{nP4UTbQ8~>dvY*2VV3vxByWMJRN;{dca?_BjjfEW-+ANacbxE-gs z1c0!70==rNb*CT1;Ls~TgP!*e0-xqMO5U}BiJv+OE(m3qSd?TcHSGw9X1%}k^eNf_ z87nk7yF&Y?Xy216WQvP0mQM*#_eC^9en++Ma2#A$&)z;Xj#T_&;UI14CQQmhSI~wM z(~dgn4pb79_0krN?S!gRx#l5Ko|0t0J+7|R?n67Lnf+@Fohdjhm#l={f%X%s8Jj$>ZSW8I@=#fevt$FUAA0A@S zWT{^Fqgs7@ft`m1)j1IZqmp)2I4EGCjR%$h8iHTbHp+>`Mm=%SITN0aBfHiWa_+oO zo>|@gCW~1Vh1Vtanilzwx^Iw@9cGZmxTtEK(B55^OZ_w+yrJZHFgOi$+g9?pT(c_1 zZOyU7eoGE@n+JF;JT}SUD*kv<4L5|5Kw8r}!(ioehL}m}?+9dmwBA}_FRyTXO3KFM zOt%+Ss}*HyIh`r)M8(BE+U?_Zv(lt*b?)O6Z}vm#yCUDjGW7Z;n(t`*E7V94DG^E? z)Ju8vT`*}-`{XIC6L9u?;$jgK0&`hW9{!z5C&JD}7Zb_+kO64>ecV$dQ>v4-8#&+Q zq!5;zFv%j%Uz>ubx`uye>i0)+w>DrJ-;A_+QLjA4lwe?G8?nIBtv}Z%lY5+7q@1Td zEX&Te8D5MUNM;5%!bOee^&^A!)d^*cTHn;*kZCI^3{lgOrY#K2AZQWl++WhV$B>z9_QT7JxPMDPF3*KlW-fp=eU zF7m@NVdRGsDak(L&y?N(EZTuh;fr4?LTLzlCRM74;~ve*3R-3>zj+(=Y%wV!!jy^2 z%<*JZI2>1sjp&C5$Yz*-&WMOd9P<9knnEW^$BU=UJn_gp4X+&27sSDTylP=hHNZoX z`prB+rhB3#$;MHdFb?jd6Myb-@#ZB-^Nf@)M{tFsB`U|Hbxm>tLN)MB6~?r10RZa^ zxMu}jk(_&#?m6^C^;YtZ9G}<>QkiXC#L6@na8%O6!59rJhDES#Ge}j4V_KCE4>v-N z{3TEm$iMwStKp4ItksZ83N8ab&d(!){ilB#GHjd?*xx9 z-7Z!)ifW;(GlnkB!tBvLXzW>%ar<^oq+B4mBU@c%k}{4y%qP!Lt-}Ua+hbk!Ut(U& zfiLa^h3(i1O%kboCC4dpSm~x6_yt$R*K+rx>zo={vk}}~&mmDf-^7eghA(ZZVZUl? 
zlFqHGfPI8@iz=g1B-(hk;MzPAeY{?&DsGxG5p!^P9b*yf#A5tsYtyTcu}5Z_N60j6 zJs_`x(pIKS>S*HP!3Iij+)Xgr?TwO;_YL~h~yIc81kx_qn zqm9Daaa@eS&7jT2y;wGKi62*K(GDCO7c)qV z{yK^m_t>*w2W?|W)M<-<>2_%TBF5J1aVmw$uwTJ~ry8_P=rx7TjIpGoz#i0Z$$z6# zgZeGlSbl2t#}7!*@m=yRrRFRcLl@DRNDo3PE7l|Ss}E3Hft7`NtAtjqyHm#|i%DHC z^p{;kj~_-YHtY1eYVNG&L#Q9Uv14f@?`P zfnZsrPxbD;ct}gwq$A&T8sU7cQ_`ejNJVzd{TqLQ3`s@12d0#dH=o9m^*>2_s$ToG zcwcP_MB%-E-!_zaHv^)0AEP9H;vay_m|;bXaD{>H!0Co#Kcstr6QNu$9)IE+*{hJR zAz)aP33!t~jsw_LyFR)8DopI3(teHBblj?Y&QdkdwSL{M?gr-s&0do$n&L2Y{w>&A z7fYDK*JN~k*(lG(C%-oEx0YTjXn^Vt>RJ~d_^__;#A&~|z^c|uYI_|lJUU|H4=7Dc z>2RMtFgOlya(YDax!nvXU24{P?T_tpU*zlt2nR0VO#%)nuzcKN?_2Df_{`6j1Kdvu zQp}G!YPV!y{M`(HfqGptuFU-{qbAV=1Mb!BE^&Zfk8HMEZX4du^xfy!>szk-zv(>LxPveIQ9 zA<`sl2P$~ADDLkp{F zXCFsj4Dr%8fhDqLul=?Al+~wyzF%b__2MyV9u=V4x;~xGYazd3lq13xIfvV0?C$xs zY?#&H{Nic>kHNx}52x}BPyeIdPQ!_u`sq+xrf&bYr2g#ocbN7<&)+d#i^xlbDSR*K z$IaX3Rn3#(t@<#MS)A`Ho(ckop|P5Rk0r&^LcY%!)7xG`9m@hmo`bbLX$vxR+rT%N z=SiRU&SEZtqZq%Jtc{S0O~{HtI&POGX43n@aDKZ@Ig{w#KisZ(Gr)0%?cW(#3ln#l?M_}yKlIJriPd=H6;EFS%mR3 zQ|ph?Z4wCA7{=hdL3deQ&J&^KGAUA(iJ+$QYBh8{L)MC*67D?Z11E|4uJi}Inu^A1 zNf;8G?X@b5#%;z1w~hxlH`sz(+TtRQ`Rs|;p&UjcSOr3*|ah z675pst4-bVVz`>#J;#QFM8KBRfgN9wNW&~+;%}&N2n?>2qS z?u_Th#bw}rStl#jGyKb9D>rD8;#^NRv%rAkX)3|qO@EbU#*^dbW;42n-eRqQn|UG# z$aHrh>mPyW2yR%n%CUVq02b(J!bJTki%G+RYhyrWs667MNP})|Nhk53Hx-j4Q|ik+ z!WjqU+1P}XiPV-pp^J3(iFn}^MGZX|WsNb1n)j=a90vboiY;|0=DM{Z`=;@$2kNv4 z>kQ-jWcy&U;j*rBnG#qS7w?YUr=%Yt?5 zL3lARo>UU~HG_J!Iy%H<#XZ;vm@s7YBJj|B`vL}^W6zShFvTUENC`jrPuxu+`#8~I)7)jPowP@6J58bkp z$`(q%jq-h%cq)1Y$bzU%%Gf#wMd3|DDi3CU4Y!5L{HmI93sor-E|*e*+#JJ#j_8?5 z>{v!*fEaOu=RrKB_-x}ehTr`j9NSR!CVtj!UJErK_!9m>qCih43K$9mCW8{+jt)We z3r_c*5IU)Ej)V!gC1Jh!KEyp}O!`i>$n-1nEl~$G6Wr=}PjppCIHPD`+-k958RWJV zd?u|2v5mWsWtQYEhfyvOalwJfYY|};XR{32oLa2aDC21o7oqtY*`#X2aXy3W@x-JW z1Zf2_5S0wwc@-_=KRVO2|a1O8SXaQEfk zrvY;ZdYnm@d@1asDFgCi+4l&QP<7_3HlJ9j{FqG6XBX(9oaD2zzGYf@QTqB|6@L>d{mMU5_Cv*7#0K@7mmJFA zniA0a15F6FAfwZ36?XDe>ocTNxe!JXl}%XjD6Ng{14|I)Ae~9cxMnfG!BdqgcU3f) 
z7+6_1Diq3#s^^G>k$>Hy#H0MJG7pN`hb^9~p^=lO3JUo-FsYCwc5fV0jrh9?6Sht_ zMZ5}~h69rX`)Zt(vY;<;x6jv`;lhuSt%6Ll?O}by{7y6an*XwrSdmIUUPzf8y=im~DnWLm|NICnxU?j+V-b*(5^t z_GK9rBi~iQ{zCgy;@8z;gd70rVxzb!2pnXLt!}+r;@kRsnLRdWolB(3Vs3x^<+9E*C!5mozLz1yxa~Hm zTnt<@yp<$j*y09mkxcVl|J%oW908*?KMcqp&`k z(4WEOC(@mFbDNC#>NZb9-6T$N4HhCB zKHj8Iy?4v$kX-r5f7ae~9&NtRJToluD7{U#wO0g9FFs*aMn}cQ__$Tx6Z_b9Ozb^h zu6iFI5GZh)R~|sT@Z4A^y4P1THlIezyO!z`sjT=eEnbuOO~p2M@BTJ-(Er@%Up828 zxh&PJdY{6}xVcAZKMUO6@H@eBbIF3?)O{E>b7_K z6udU%Kd-(8l~;kDMn6dGC_%?xBl#GR+MUuYu;>+qh+!oz&q!8@WnEmT8{}v6**wKH z1yD12!#ki7UrYsdw$}jfUoE@mM;(!>kw#fNBIOMaMqt6620WDYH(BR{~kIe^Fe zbH#c%FoPfd3&Gkb@8Tt^BuqDGn)Cd$fLz(VjnXorBo%d7`e$Bw2iP;Nf!w2avvnFW zN7fJd;@URk;t)aV7}i=$EG>IjO@Ax;cOM8MRuLL2)o3!U$#0YYsG^FAre|0P*8&L@#WcQSQFEOJif_rz66LP4AV3=`{*Km@xjD7* z`FZDd5)2pXvEWu37E`Ac2R59qfnWSUtz;_JXCy>g9?v9Nhjc=$>TF(pI5Q}dS%${G z+~D0L+GE|1R_g4C`@Feg+VGF{wv~}TY)Fdl;@QWi{IuCW7Tm7^!k-1S`*AwJB0X<6 zYn&NxC$FL>NbMp*HT7?*1{WP;Fn+#O3;{W#Fty0of>#MqN3S@(VuuDA)~Gn}G&o{! zQ$__#hjQr(i~E~=EZoytO#Ux=8-83eYG>jc; zK^|@}YwtBEe{~oe765gZ43t2XPbj2KdbTAw>L&Mq<$wD*pU3sCfn8O=dZ+%$?XO|| zS@*3eG&#~goF(d?R*|J*tFq0sWeb(feC++tFHUg<_4>YGws?gEwjaTGphz=~+ODYDAN8;7rIp(ZMP-w_EZSCfs*C}NoVr&91u zNaideLJbqGU;z;+LJr$r(bu^XHhR-w!P8a>PA!8}@jg^pVDo;$pp*k!t&txI(_Ful zJ3u^g#hRH>a}k~Xo8U!B2%#E%OKDsje}!jW@(&-l5`$aRu+p^{y2m?}_LTyisa)Ms z5u;`bHY*((S?9Jz=)2$haFPC1k7o#twiEECqz~1ADD`zNawiH(A7Nr;i`{Av$IZ%;$)}#v8Ipt1Z zmt0tE34VR9pRZ5*z)hMps$H0!xg^)|jcQzc*>3o+5#2l=O3yt};RbS@N0nakSZ;DM zS+FWR)&+Jl4q`5S6gffQWXq; zFJjVvhYM$wNz!0>C~q683m%I*Eyx|!imH@`O}87nI?kU3vo{OOEI7%^#y`;SEje&i zP+(#|HL;=hRC42=NQRDz`$q0)G`S8n$d%1s`P=|dj$6NPqeTOVN z*7+`RPz;Fp{riWi9jm?qLX$WGFEDn`;W_$|56et(l7>b?j}ub>YJu8IYhTCu!-Nb& z_q&4@m?go-<7Wm8eJ{Va(qrPB^UK!PCr3TE)r-DN|K#juFW>5$_~SOs3Uod9eT{3u z`q_YKX4_4lNzxQT4I57QYPV#y=wTtZKn!}T;mhq+|EyO-0}ZG-zrS&hy2uHrYQ_KN)! 
z0nYe3iStNjGeh_3mM3HDa3>R!$0yMi*79|?&v}cffuTwNR1n>T)2(n%m1JehLA_)L zV?G@NOZz**(L=I$M}YEYHq3VWPFwRK%Gq)ClI~gEhw}kJ_sdDexPf77OaI(Q(pMJG zm$!D$G2h>H`O00&um5qpQsL5b<~JrXam!=rQdT0HA$L+6sHD7U!xH4bPqo|){FLnK zoNixV*#mFp%3gif^Gzg5>#N4`4rwU3$7#RKBUkJ^UXa(|zBwJtUbPM9oARe38M`ufHxt@6bL<(*gKO_-#wvMBFBmHei$_P7&D)AotrS2<2aOaw2- zf)pE;a;y&K#kBAXaG%@M2~TVYO>-w zq5}wwG?_M;q|KPpLW1yo9U7Qi^i4llQ`jVoEi5A0{iQjg@KUt}(TAL9Yiy=RQ`@yA zwLTeCR&a+M4pZt-sAOxJPAWUez9cV+MAj?16O!P|%0fMwK4tU`YQcWZGeOA%ow7p5 zQ1x4WmV06aZ{B;TIjDo9iwpXETGmv)b?$I^Slqm!RTLsJ3nx~_L@sm-L zkhy~2xt1k)k)uYB(9A{N938m=QcJ|2Zyc%Z2P`EW_)1ZIf~*sV1}+{u60)jY6c~*G z1d%N}Qo92@Ls_WP2DKJ1&EOEVYTcV0PR?Jai0}oO$>2sZ-B8R}&GCHezY%n(F<^TX zX;q7^Mw^#U7-?a%witSi5)`n)3c_n~=yXlQaEC30k-}m9W9qbcD=ce&!#+JQ0-t3)bfn8X~WUQ+5Bbs!@Dg7b+E_JgGU@OO2PyLh@K_ENTUY zM+ZaI&br=Hmso|;UlWcAIclH$$sO1yP54)hKEp$15jFUi$rsGFkaD-7Tut2KUFRQC zoI>Q)ebo2=AMFG?XNS z?1jw_>XE4OvCsWEhvI^6B(t>O%|ageafVU5ph1me`y1k$Qc+M$NgX7US*HZI1)OSK zWrsGY8>(%su;wh=C;kExdc-2ETA>yx-4Jzr859FHO;b@bft}-qhj_!vIr|KL!TG1s zSqi0c{3#AOR_~4T;IX=I;NyE{dS5Y`M#8;l{Q^dw!U2vxypxoEAjH6Qjd84uR1&3{ z+%lY-TthJzw?93N@#q_OLw(VuvPfJBjU1Ks-1oBnHu08z_rS1$5vYuivPBz)#i6lF zy~gpWi$}J7ezvLq$|V3ls<*WI3;(t7pFJbh=kb}Y>N4OF2w_}mT`jFhA`}iP=n4a} zT~5*9_Ojd{yiR-L2<7`*R^K0IdW|W2y?obR?etxwq1t-i?QfslwwPZH&#YVFgznss zsIIuVW6IgwXSUte-XWL#0O~D!y9~Eydp+INho&4kxJ-~fZ{BaPND6^mj6b&>8aUcc zg}2G8eC%%p23);%lMhHZ*Blo88GS!5xx`*WITY29Tb-VLV-lv@tuk^P8cVlyOtu!M z3F`+YbKPDfnn|Ryxyqf@_UkwrWOM61K~A>^w{jXI8_yY!=u9Bs=nWUab?qu#`!kcD zTP4hN`;eh+=X_Pm-QoI_v8(Ns)5ha*hx059)1@D9;}55S#eCxxwS(IlgKq%HG8_e$ zx%R9zm0{2=yY6ngr=lh-$PP_uiM$5qt#^E|W>xDIrkY18}~ zaCR6PzHKf(f9#~k&dgW8>ObS8gz#OtzKYwH3~zp<`&>J31FAq#?wu`b6~#W)-z;VO z?xNSHnKkk)YhkW=LnkUNt@YiLtpes4(5+&zkqkX_({8!3V`-y>M7K_)(>%GD1eP}<;=9;nr zpi=dE&0@v<#qLi@fPT+@;?EzMo>@A1W4F&50o+sBm&*uHD$a+4USeZO?*SdiQced4QE!R0z{amisU;e-5{>jxo2}|-gc*rFxN{le9@_4k(ACLUR7>vGvC^j8?c=M^JHeu6 z^aW1dQ1{W5c8G;U@E>qYIcU*_L(NZ9)%`XgsE#USOpj1$V2AXN|G~hRVIHSLGYC#> zncQUroTjjJqwLo~I32cOSsb7#MbYhd{`I)l#+bpuqV0%SFB8<5NtT6%+lcU^PXk;r 
z#zwRm3OC=ll&FVC$~hXAidAHZgcHNQwx{0@I#!#&RoH=-A#AK=Zdt`Y%dS~VGv!T* zhUWh<^-j^1wNbZjSgF`nRczZ8TNT^3y{cl{wr$(CZKqM^J4aQ zjJJ=cFN+fW8MNwM8Rz4C^4jFmy$D}oqi%X9WF9&Ey)HDpQi46xI<;%&wwqX>j0#2A zif6_vz}*$tAe7PjmiX<2Exn;gLLQ66IN`d-6Z09^MmXguvSscSu;XS)k*QB zRMf@dn33!rCE%+F@dc5&tTf+H<5Q+`c_%~tZ^f3e(BXwInV!Eo-V;MTCo|hydtktq z#nC+Pe;jEhhIfEUVaf6&2qgJ;^7Vg?JQ-Puc%p$YbfvXxekJQ;TC&S^n4Bli(th*- z$x}XPRVknK%2Uv7SnR&fLelqSu_aq!Rf!9@S`{U+zZ@5jV=?43wPxwm=H&A?!dc;F zTq*Z{AHS+t?>Kwy6%VW6 zrAdV|j`3}!@#i*zlg1$h&u5^-8=JvC0k*7i*7tLks$@Y_n-u3>k~9W?L`l~sEgU%2 zk|DIFhul@`uLL@y#zVuomS3)k$JDt>O4`Eau_ZcTNt9djKZv=)5srUDT8{o=r_?5} z4%EF`S8iXv_eLANPvA(F=Ea@2XTHLkl|mg`c1W%EU*GwFL2o!Ve~tMH-7vJxzdZvc zkiW>A_`~Z-QxqeEkl)7=uXN$iRsjEoU&~mPVB?#nFkMk-9Ghc$;{u8H@M-toS z17Gz>V6NP-$A{TASxWeHkC+WEseQKGFBB(gB3Ynoq%0$vD(zCgfU}i54_UZ%5}`t# zHYI&VQLZ##RLCMn$LU59*b9f4I|mP8go7ey8~M|71u4<15@F9x#b^x9#xc%{1O>79 zQHh+{MTUK&h_8VPpS&F!_NO`oTwCb;w?eX$j`}1@acSI#einTq_V&V<^dhDJZ?W2M zM#cp+xbo$cL1BL7By|UlzwDowb3>y7^+pKXsVf$9`KGh$a&X_%{))$aoJQbP?I@FDi)41A#>9*8kMcwUhG1702!@IFa^&I5l_ZeEW? zCa$XmyOrNgpWQuPw#Vv5s=cqn1>dN@6MA0cWZzs}5>yj@jOb43>H+S@D}2Pbs$JH! 
zt6necvSzvg(G5>}F_V4{E$)%`(`r5Li{9^DEp3rkuBUTC%pR}*+=+Yxc~9ypQhctL z>E(B>&KnrKPax&Cohp{olSH}!44{6iV_xH91~;A^ z)i0AU-VE-$`PK{oqT5!-(Y*^j?>S%V>J~fG73&$l=Tlnj4g0wZ26H0s7naBA6|>JD zfod`{{0lnC9Y>`LT>&kdS}-@Dm%R!17yI{_>5M^zo%)^Tqaw8?eV$Jh%a12zQRkWz zyG^q-ezP+3H*eo}ZJ5`NPn$K5l`DDegKTc%&d)BG7B9mj_|&Uq!Mh-MJxSyDPp75{ z;*V2=+iPt%d_j5o?)~zTuJm?zo=2UJ$13=H{VtoWl@-^6D*)hDfv7$7uo%QOmBIKberm|t>`KF`6@g-Tix^5w$Mt?)^@Ds+bX8@X( zps?$;6mqKx^z^_yoyAB8c*VshjB$4-$Z@^1m-n>mk_e{kaoeHaSDn=4BxF{%x4CV2 zE^t)^YqUYyVuc5E{?*3uUg2DX3O3|aQ55kQoN5!NVcG)*4$=LwF3ci=(<(QT(lP4!UMms-WluHR~Ggbmsc{y40 zyGuL!shCMm;2IbGk%(0CWvf0bbcJS^w9ilZRt8SGhlH(ih{fSFrc{qdK3Vkup>lc_M*`GnpGq5AI1r1TH*ej?s- zo8t^78OC2PH9*B5=XNtoQIx|XRdP2ClTDW!utmz473FJU6oUD6Z36w@L5J{Yp?IVu zxDRcm;_MX%Qf2&#ffSS6SMqIqaIVvcsJ5}R7J6xCTB|>-6R8jnZhLS4!pgSkDcCsU zEtbjRIVAna<5E|c&m+}hkz4{oCAm2Ao{HT>~g zD!}#oK$0Wv6x>vEj;qC{WJP`!j%O_YY4HLfGz+}236f`NmdPskB)l3SmCD4J4(x@; z8UojBfl^8mD?*->ouaBqpgxP70oD>?kmqC=<-`Xiu*C)5!ifw-(0ZHqmw*)iZI#AL!yR;qBDb zDwt&af_rI&nazca${_ldA19>ypr3=oi8nu3zZ}lzf?5w#_c=j$cEAw;9DEZ)ri2 z@_yfPVXsEib&xi4!y8Gcm88>ffk}{)6goy$N?D$OlvH)DB!%oLfm-i`db7gwhnAeR z2~H*6fe^XXO$*D@c9V#<8p70vcZ<%_16Qq_n+FZ$C$82~XTm52r97qt31=`(?`k2Q zTBNv%@1hh&c%o1}`|NLTT;gAi7P8z@RzKb}v`PQP^L6!!Q>5MV{l!mu-Gjm>|C_jT z-KVz5v^Dc7!7>#2uJDE7@Vgcaf|c?q1IfZn3BJt$G?9^BM*JN>2odMHJWL&WNh)mp zY|eS6&k+RV{zCOjeP?zQbblTOSH2@<#Kg^MxaCXx8L^^SM`rpkUM0Ei zAit9tjaQw~jY2|jSG$idpse6K?pYi*@!CjPNkb)=B#0KPU*kmSivHzwTYNjc4)Hx0KZm}2;wAGy_=rYMPUP?_0~sdS;Q6l70G5M0WJ zSn*OLZl;DG`TT&yv`R(N>EF+6#N8^?x|PZV$}us zf!e3h?9^8f4c~8MyWw!NN{jznfY^-~$-+JV;XN-wzUWu*KpA$&ZK9?@$=bO4t<-fpUQjir^`&oKH(^Mw z{_}(Hp&l7KLx#wCOu~9&MDOmw`+}fuu~Lp`2Bg*Dl*Q-wD&9m~p#6%?2f68SHNnZ) z{d!o0JzZC*@Z|XzC>PCVmxFGB`dbd$JYu%j~U5(kr8P+Z-@_3+4ROJ?U~9 zPN=c%*k6y>dAbXa;BOqNf6%%$y|EenK}^tfAu`e3Ci)n}PdT8^-@djRki&Dfm8)4o z0Q5K__^2G3)&;Do`~8D*Jb06d>nQ}hJdMEmzK+Cbnrvm|WOqELJ=?lmk{|!nJ_Kz6 z2lQWt*;jNpPS8GMseEM|BW!N5hpmY(jhi|Le@6&3KNxcYePDV%-c&=(lRf`x<^$Tr zo&-H6haOm~uf5cDLUIxXK|=u?U(gdzYXaX?(6)lWy76n@w7N=4xogElr=#BywsZ97 
zr|t%!>zMFNmuFvQPmuDJBmErTFGwC z{~RYa)A9Ifs<3*IPnZ|P$#)!Vesxa_IO&3s*Yj)e_H$cJzgO!p&e~SJ(49NA>p5{6 z$w@j9}#fk7;@2d`@#8DxQRW#764Ao;Rp|xw9v*+Pa zQ82T%#W#p`NWK0>ZJ}{v>X|S8qNfDb7E1L!aFbIkOvMn>>QOYh_{b;KJh(oc@wCVZ zZSP%r4SEy^RbrVW>>Y`=;>E@{dJMT?AQCkzDmFx`%IOwjY+l-K8x}q5*Ojvp=@oVP z_f>iV_74PGX$E!W}qK)^ma~ z6*x(EWg1ogbSp}5mKEi-RCdx@Q+Mezy8s;W`>wpXK%->Bq;yZi(^qObPAM8J!$R0q z1u}$1ybQio5n~=Gg1`5kb<6ZtnpMjpRJh}Ct6YJE<>>xPZo&`k0m-yOLl*I2t?f$z zbRFl8gb?=fA&D3ezIx{3s3r#F9GpZMRZ`;2A0Dv^k#7)b!rD>Q6ujMvnA(qnv6e8< zT1F8zOx4TO$&@~b|JH*;#9{MUV*gQKznPG*qLq)X+!A{Mv-d)Q9ViiG_y=>cpDj1_ zAi7bP|6&7nX*Y=G;vNTDWWllHnDt{iufd^9zmtq_Muv{ z)sX?O%}ZAp-P#QiIz)StR+DHjlCARcH8;TugnT38`4s4M)PHzqs&~@jjaudFHVB`; zs4y#sTlwREyFiN>saCAl;jt94%?`trSq(gYTA($1^dZP48fesWxee}_@N}1;o-kL6`>~P?9V_1)M*91D>%xL!b<$viD7$uZu59~t z;V`r~G4?^IUAnPgeRweAW5m7zQ|KQgBeQsZKVh@Yna>dPwKu^D5V+uT&a3f(%qJ!9 zs}XPpp!%h^5+}@sE)8a!j#08{!JhP8UEh>iJ< zO$aO^rHdJnXjS6A@wo_?t~fbOWSbLrXVJpuTBg;OEn+2>k+ib@vQZjd{o{@M?_dl< z{`|cO)IReIt5`5kG;pRcSw!P-rie*r!kdTei6tm;?sDGkI7kSScSE(TXt#fHz~niJ zZ}}n+jhgIgJ=^|TQsFNe+IXF9NC|L`m;9KvzZYrQlM8f{Xy#*xhg3o4ik5UhGSJ3k z{97DuR4qKPJeyRmQO3eFkCa6vMZV>(&63TSaz8|r#+KoK(yGTDT;`u&^n*VE?N26H z)I2-)ObZM1q^#hT%en@d3*I49IU9^Yx2}KiYg%S5?n#Zsr;i@5cAD>MP|$yB*L_m6h7Urv^S!** z?!0%rxJ**lK1mDF1Dy1`7fmZ%S9e2KKSF)%gvgWY7e6o zGG=)#=Dr|2>XxJSXD{pR!)lo8`@`}Y!c)DktI?C2Ycf0F=98j#5c>)6G+^pE(*13X zd*$Y1`)nfH<*3rr*~*G%uJ|1GYHtOWvH*Yr!}bY-5vY8k=J!N(Wz@YaffxAVRc-my8sDJ zmRoi}2ZvFo!Q2fke*41%?q_;V+Zi2(2U|N@2ayFkJCA2O;M6uw7se;2G5jfhM|0SK zmuoX;VxOWMml+>}j5m&uBmGWXPZkXc@3TyxUq@Dt+uqfbyhKasG>^$LI-{8&&t3MT zJ^%fsCvE2;k#UvVe6)8}+rqaJy++WPJ-^ehr}@*EfD-*y#~6HU9=`3%pp_arz`p{M zi|!%;LdK8FL(aE6bNlBC^=a*o$0Id9^PU)Yo~O7fpyV=^09o4s%nZW=5H*7WE`kvB zbxnL#0pdsi-A^?F`T#GLC#nHAI>4EasMc2#$Z=^u@H;^F~vz4 z3o7>9u_BICI3&(@u>mzOyNW-3N-fQ`avNq}96d03W-bmn(?0n(BH|CL7Z zwpu+x4HvKPkIvNn?02E28;D84hU`J1V40Thu;rvtEZJFxFqX(Q$CGG7Wb4C)rV-?V zxYB-c9G$|bS85Af$cX&)Srl&?j1&iaFfJWs!j(tgArlDtEaIm225T&8i9MA@7%}I5 zoIUM3(hfjHISQi@QVEBo!>C$A!Ut>QBde?r1=FM>VZC`k)R$|H+Mvs^Ni|N0Y+pn+ 
zlG&Q|3sqp8J2I!;k<+88^29l%izWxu!h(f3Tv@-x1V(9g!B96^Cu(M1spB7%N=BfY z##YCF)BJ`iBR4n|92}(RO?4cY8)HzUS3QU##|_@-0a@*qB-ujUy3Tw~H|Tay#~~WF z{73FL5+18XL!dU2vLyzceIUM%KXj8>Gb2r8tP(h~JPVaMCv}mGH;Wy4o1Sevxkf@5 zWnP}KD<@-wZ(q^7(e&(>#~5Mb)yX+>)!`d0MmpHA7C*iEg;`WKT6|R^BwW?cvY}vI zdss8D{y3E8rH@u}j&yQ-8u!{w#VF=_?QB_DEK3MdWac?PimK(s;6o1*B<6(1ltO3Q z<=)e?A`zCd+lS*@+cnXz4U>>M$VU7hlBf~=0vZq+eu?74!Mh1aiz2*1jT{85S<4`Y zPtI)1iK}5*;LHh-6?pwR10nYn$Cv}n4U#a))FCZ__G5Y?SG^s8Q^esZ8)(TQfG`w^V|EZ1pY&p_0K=2zfQ;TzD$(w3To-DXIDpY?H~H(d9$XoQTjYCS@`o3#@<$&QLRfR!(01$`;&;pSr@Hn_7N`^S0|g-uDl~Ui{r@1cAL;)Qn*edLpAbH^9(S^FHebd}7h!4by57fE zkKA`aiy{#>a+@~-DVh!c{<)4vcVs&5ZEY$8J`M~casq2QSH_$fv`%lEowkUcfJYZA zjc#jJ&s{k_r`-|L8r?l>e)rM+?%PgRw0fR_zGvMNF(q!>ddlveKKBRNA4_s4BiJR; zuSeDP0!=fO@5`Y`um1{w#O75F2lQBOpMP^YyPqRY2!KF_6VUF`PNe;F%oga1ce}gQ zZR}N{CT6FTuJe>uLhn96;;H9xvIFqiV6H_7$T;Egt|=3I@2&4iBWNGv4XJ!x#Dtmh z_F2OeoS5qNs$_TwQLsPw)&Y8{m6+}@UE0F)20jFN;@{MtoLe(aZ+3eb`Fu*`M6O5t z-pD+*Y45v1ei^Dyxf2Xk6EM0ZWE6bdxe|QWd%R8Wx!T0Dd$?$l|Hn!@71r3a+4A(V z?UvEGxwPX4y8S5b@qXLa zFYF)R&rk|l#2y5sn>evZi6-R@hWdSxz`}7jHAk#9@|Xm1J?; z!hp0%WJVzhmaSX7A{)taBsWiV&Nlg{tTYC(ILd&$UQkC96QmX`(ymKZX(6h4C~f;S zxt-8WU}X*SlCR`kGods!{;AmvS6tNA`KJ)!#}PR^+G$7`EQI_+|k_K6RAtV0qbuU=J2$WWd}IXR67>9o2r3i01^ zo?KKUyrHeJK`M;IK;=lG{D5=z*{h^Hs9-bl+yV8>8ch(r`ag(3<2zt!ax<0W5G!Qz zu1<>>Vt_L1obg6j^~J-yG&l7;yOiR1TQM(Z$tGM%g3-#oUi-8cEsLBv+^M;&uSz|oQ9@dPi+w#v6o{E$LjI?_xPwe{0IEKOBFq^XCjzy~ZwtX%%X)y}z zloC!W9a63;a_-k}d5BYvD-GyaOGjRas44fqV2Bz!xJjT7QF}JjKCAI5?o|bi0}=#G z_KQT545zf1jg1*LbE{I-A`IBbI>(t%V2W@MxPz|-F=@aLaRhu5GaO> zj;xPBK2o2YdKfz9EMKQO-KQMrwEsdW;GKXmUt4PRag>ww;EkA7GO)L~JWTbgCcP8r zlefVfg{XHveoutll!t@)sOeW2nUZb3TQ|-I#1N#Z?T zw8s}}szs38^Owz5|CTfU@jbSTo79-VBHd;*lh5K=1U$qBOzfk4peWoSrv|}G=i6^( zO!3HC!#`|N^R6}~P(isF%;CCJd#*;+qp`(86yUST=~_J*<*weL(c|DPuS(6z#WCm* z$sXY61##1+Jc!YyRplMDe@PcrTl_yr*q9;lw6uS|tpsyp5VHlLs5FUua^@h)FZ5Ry z=woIPP|%R6k?zu@RFIhF5WaJE%ma}?@z-BH7EN}=Mp+u8SiFcqUrf_1R7NUH%Dt_Y z1tCCaQ8m!s9istJwPTA3s>!D%4~LxI5;rcVN$mE{k-I^*pnZD=IIBvBHx)?_kOvdZO_Aj`@c 
zY+PTBYbKt#TxPAAq)XAVMVhD|CFvLUh-F9!kR|6U1-Ay08oDBgk#*xr6e^eA^7*|J zn8ooA6HP<^cXuueiuAj;R(zcqrkXzc8G%yfBt+a!kXbu-Za&2IODsNFPeY5yk2$?e3v zME{Y&Z{uta{@EPc>!D6C(_;_6g5mA@TU(bz#-!JNqiXbNg zI}A$Q|D)u&BQm220$0&|i@lGGI{kr?z`3Sy?;hxS^s8crcIHrI*Uv^QO4Ug4k0rYlh#JRTzfI~q<0w)))_jR*P%pq3gSKGM`6$Ugsz zdtHDi#`u_ZPps%9YT-u{F}m2}1&sM9Isy4$f5N2cK}sq&jx|oep9@w&-x3Fyrn- zh}?UN$~s@AO%F{Kdey!p6=TK>C7$|Tw*`YUW4TZU>F$#!%rSdM;cdE=OYKe4 z%iygsLEGZIUO*IzVY^2BwK&GIAYLC8#iuKwMmZq6LMD;7^dt z_ROwYJ{YghYQcq29o(7z48W-=ZZVT9k+b@t=~hVen`7mxKiNAp$~F6&s`#@KN1O$% zYL6XuL9pCXJrj3zQp7Lq1hCTRe%&aV<1nu4IqCAaKOw$2P+>klLwO2^gA<3#leef) z`&Kj9LRm5vrJ6@Imx3oLI{x6#x2ueEzFb?ZN{*K%2B!tGS(w7fa-TD;eXqg1Xw)AU z(P*FjM^?a?AX*e-um*Or^$SsPLlX+w={0g4C#BVql7Q9}+FW*R3i)>s+70`JSi3&5 zO2P!PiX$C9U(%R~n0sQvT_^&CbjD< zMGXfE+mzae@@BuVuBr>Qi!>S}8B76>nu*cQ5Ocj46{WPi@%Sepl%~o^2SYG`u$72SoQ;JskQnm zxLcQ1#Q6go(uXW~oFCB9yAnuvJGr_(@6sV57fxpDHIOI&a*N(t`QMtzIk<*i;)x*G zM5pKSCpM(U(=DH3VR;;vX49f7)verM!m!OltcwLuK}9`r>HkoqT@vMTh0u(zcx2~s zNEjob8LU%@4E_~h&3?DGJ`2tc&(OS)udEiq2UZ|PKu1OXTkU`J)E77du>`0P>!PrE zEN?}RsER&fljLWC=$e@@(j0}()H@oM3W(Q9fU`2{gZju7cMPB8ctJa-O*2Wi2=yz| zvcSsfUaCqNx2ejcImx6sQUJ)cL19)<=~Qv(B$mBIXF`bo;w|2QqfHO;FU}a6Rit#S z(9Y#!h|5vQXvM>bEYz}3@Zk*fFpIrVF`AcsT9j^D+%E^q!%Bb+stA_Hym^!p_?@a) zw=Swls;x5bKs2T{<)#t)K9pCv)YO^h(PSm`(*t=$nu+<_XzYD%up*%eL3GXd8S@e| z+c=Hd#gJP{Bq7sokVyx7;BOsl+oLcztbro8feE%Xvf<-dnE$A<>kp;7C3F2Z zdT*fA$JWS}ljg%m^n?x1NvJwNrS+4{%-&&uRX!M>lhoQ5MC8qQ31yo1@3I1`%qC2S zTkl|xHpjzs%$lh4BKr*sc?X>0Yv6eqBvS!hFs9J_a(L%CA@I+{xk}E@XXCD;s`33Y zW2X(Y_)ve++1zgibM1XqTobdGG-tp?Yt+C~D z*K?Zs3NY5`c&CW?j-L&9Ro>ZHeCMj$ifdS@S-FnZ+c_t+z8y&30rg*OGj{r@nl-p8 ztXs}(u#D`~9~LM%7P!xJSF>tsjq1pRXXh1=k2%jDKzJGPZ3@ZB|9; z>yy>oo<5~qHqIxfs4wqwZb!HJT%GtiYOxMx2!;rHJx;SKpU}PT@&el3a^BtFUj+UY zBNDfEB6Yhz!}+<4yM;Ro zJLp+%a2-KM_TKh8F&x0T;4AJy_6Rd%582K<&+YV(PWQe{+G&lOv67Qc*PXwDTaS6j z3Q6j&0OxgSe7dH6{I+Yo68fyyU*-`q@6X*H7H`k^#L91%-BWH{2G?H#`xWM-tpC-j z9)Naa-_<`xh&)h0S-c<^G(yZcimEe+n4q3^kk8qx;QZIWaPf?tDj)4&I6gsN5#;#Q 
ztBx|jg^@GHAbGhZ$vCnomRSU#VwRMdgyq$@*+AlI<>42;7-h>osurm?48qcVCmc!9 zI>K5lPN*s;XmIOE>Q4iMT91oghK-o$%Vi#WR84yNC|9;$G9+{q)0cGnS!<42pG2U; zY>nHZN02Dv$lu6E65r_vCL~squfATOLR_8>mBq;d!5wQr_~pS`yl@G|p}g~;9WX-; zp!PJ4s(vo3+s;pqa^Na+0GluWQ?NN|IN-v&G=q`8076dfHG==5NsDe(Mq1|uDa>=> z{bpN5HO%<)Udhgc=eiwJM~8BPU#FsQ__H$#-z1$8Rpsxm)3cGl_&`=Kn^q|%Lo7)$ zDK}*ct;P|=b~d$i=iaGm^NlzJZ$a8bvtBu5zucpP0UF zl4hUFE|b`%!?eR#3uftswp6AB2r!z3>kvjm5DA@|`vmRlLIpaoYKb(aF&?y+P(xTN zsJ{ynOZQyGRvatR#$7+;6YW%(eu~D@NrUeX2C$Un7r5SACKY4%yA8UZ| zuPmpG_#cR7cL0IsoU#8avl$?|*;hdqayDyM(aPvQA7FjV^tr7JD}-?nHvgh182eqs zk`lU=h$+%N%fwG~IS4s07IW{$*qDFfq{u(4YMF6?tp~Vi20-!2A>I*;sX+E*!QYce zvKFgbtG}USTdo*)>D0j{{z@;)Q_bceLStzniMO#38uI7gNLXKD!NK_EC)1)jQdA3} zvv==t8iNk5YM%ac>!x^~nkVtLyhhBfo<3;RBQa_Hk7=!4`8SDb_@5jSe{{S?_m)L_ zXU7_eMZ41b)2Xzp%Mfd7q|b7>2~BL8|DYK97DiaW8qATTOCeElTDg1q9X6;5mt&wc zv7nZWi)OH(uxvQQGs#^Dtf{aP<_E;Ho9^#r69xZ(N)(Ul#kNYe1Mb`d$l?frte{_C z-|MWDz?1DI1}GxVO=h2VKjN#3m&OlU>CXCjroxNbt}`+&SF)*RsS%?zBKsFKWJb2; zM$+|1v`Pn(rp$LQ2tl(d#&|tkE*8C7APSD?W+2fxf85-eKlj99+-{y*p zUrbW2IM*%zR+8bgV;r*Rej`dMVdi#9Ee<=Ka@K*xaKl7TVaenTP6pp>TAGITK873Yq1MWWPI!0`+6n!>4lV%W-hA% zeZQw(wH3zZBlD7+F&iGv&(yL_tP;JCe>%=rpDn5C9gpGU%^TK1cbE6Wj0{)PYu85s zEb5&C7nMQL!uoW@)o-~ytJREz-2*|7<}MadQ+9%z-7fd%kX868y8C%zdc!O62=)o@ zNS%f~0q&n`!p{PZ8#T>d-c#?35-}a(qu6#@z@pzdUbjsNoNtG_a`K;Di^ka>eOFss z_V14u5kQWXR|#vzru!Lr;HmFvmAd_7i>_~FgG9IQ?6xz~cx8`B>w`08x0)VF>{G`} z(ieX7X}1|jZD=_y?YNnc^`y!Jnkh5Fvj^3z& z4gnswb>=r}dIfyvo4!6yMKj5sudSEH&o_}<-kVNs^YQqMk7gdapMw?8I>2mc^PMU) zcTN<2zVuG(6Ok5yIc>vMnukO5QLPYBPR=K-*Q@8JjvJu!P6eUc1j}6e5^FW?9|-{C z+slw9Co$jV!RQWQ>kT|@w(D5|ac0vO`OGf4&9mjw^Kp5i#_!)#&)fDwSBGD>JSb~v z@V%PL?)rC(owZ=_w$H_Y^Ha|Y4h;n7hZtx3(Y5MpQL?wwGGU9^kv3YxKK}X9$_bd@ zC)_hA=K$1`0sumTr1oASK|Z8cJ=%xE_we%whamGf{My@9YaV^IOp|U9)6Te9^~1@V zISm=@f>?GuObI;i@50R)Y_}u8zF>kSax7j!?LU`2JSlXRWE|9Z+U<{%*dG3o=%YyN zCKm@;1<7m1u6d05-%4P0Wa5|lLR2%czTy?p@Asxdmu@z7i7^^?GlCP$CK7Chb*j>) zy=Mnp1F=W1j8KY&l=DB<>+0WTOPjQgXwE}Tnf5{boDd=@;bt6=z*n(}#C&z~((S81 
zQFjl-G-5a?gqWEUe;&Vk)yljl{n1Vc@m#JaHAQD&(gGUFlH zkBsf4TF~I_i=VHJG|mK5kM}J7VMX6JDu&qxHC}}wXT*>04qmoDXUcsd6RUx1;95)H z#3er;Xw|K8n9vqnl9~X=rUC_6y=;aO2*1Do$#9Kam7HUN^_Qm5n@+1LJq<3EaU5}= zGHEm}&^yekMs-PUT=qQ5t6d7=94!(njVvdzwsrOraU?-0&jwt8?TeV$791m{TY{IS zT$ZKeZ6?KlCXJ@X<3_@P-kMHDn(&MGMr~b^t?b9ol*yk^_Z1efee-`7%j;>3Ja`p@F|+g;_st=#qnJDqcouDT#$iBz}TTh788A zq=AW~+6fJJK!#qCTRCTCX)*g~deZQ082E6_Kq$MNlSfwXW95LbWDPR3TDF+&kaV%v z(F57ks+~oVL_22Ml#oJ7sA#FBFwfck=2b`>yi8Pj)sG=G}!ONVhl27+N z_VGFnzJ`#Ol+XUKaNzHE!|o*SPqD_)pKb{UBA1?n&3*hT#9l0i>qWwoAM zwAX6BPzt8)h~D5`hs~qMvcXQTQI=rR%|iEGSE7-$T8p#QFzMN!Lvg&IJcqmij`nrQ zATYlPDy1J`b!6_RHfb;13gv8Rt_wf+2F|=wn-c3_@fA7}!dyHegr{2|o~kcPC=kyq z&!>EU@iTgLuS)Nx!%5 zDGCL9IqA!A*-*V35ZM7HJb8+k~QK zOBelid(RD6-S2J1E>^6!m4ZZ5newShC0A6YA`cBupo(Fm=!*!VL3v+NEC`vR3OkR_ zk`O8ojHO#RvVvrnbICGcxV#u>Rh}wtua?-ut1L)R>+^?bjH5|{0mGr-3%z>dAoYNj z5vI_Kzob-V%14JB9?4CHeMB5$Z8xGoQx5VN2AF-A|9|BKV4Tt84YZvE^?jYOyW^gQ zK60$9Kj-jw{6B~xB!s>P924iK?~Z@0?2;*PE^#=tLffYnBPiYuKGNKO$`I z6Hc0?fX64F;odrcE-()xtoBUZb+2tp-p!}IXc@a&J^PJaqSxLLH{QorVmfzp&iC=R zPxH=7F8s~U#i0m3*E<+|zV2z#lAVr~A)L;$vJ#umj}G&{7d}3du)ke))L&DPhI!)BObG5OJl*d!evx_ktHO(|vks>^5#}&DT2G_p|-_ zGv+v@`}n0n-|ygb87o7-_6{|Jp?jD<1hhA}l=E5&b=i1?i~L}o)43?Jwj|TT^+Cer z?1*#q!h61UISga-xNwE6vC=`|`ZB&<^fj9pU+1Oon6-fiy%vpcin|P2h9!)u*YNc; zz65tb>_z)`e44h{?7drS54w4$U1WC%Uz97v@Ow;=tNFce(Yp~TQvyEDH)5KRG}_bq z?XH&L%=r`|y%_2FC)y3-BJ{Bb73BR69*Bo|w>qDuw70@_?)nQDecT}LI#|{9rs`TW z?rT$KUjMdu-?UdezW}8&Dpxvwq`W*l@ndxp0}iGqnrDgp_&(>Hr>Z6{y6-P>8{Q}X zn=WvGV7~1!9)faNf%j330CG?Xa*D?j?-!jj9+!oj+KNv%#$W#{EdU}^Ukh~AkqQcs zCni;zE8bGaW&)WDGe`mzex{-R^P4(|st&C?;DL%Y35&o%z+Hr4(nUmJjdE1|5E0c=Z!NE5THrMq^w$Xa4 zjby`)02?(%@>@U7`fmenYeX273qyB6kPY`Gb0yQJzRBd1L2$)78&SQ4;VHOmtaH34tQ+Cr@AgmVZZWT_spgi#&jIc2JO zS^@pg;Mf}9FJxCb!B?uyzx-ilM@rP%s&ZXy`$2Sga`wgb;xPL6AH-cKEO~`>#c~6Q zDh3sHbmFG+`EN9w;9Gipc*xpGO3QKI8`Eu;vV>_dy|=K!rAg$#aQO@uUP>+BFnNof z8-_5(2ho>L3yQg>S;XlxVt;DORh0D#_aX!??MLccy3bi?AbxX#bl7aP$DWVfOC9iI z9%$;!y*TVuD?k}?oxwI%LXr6QP*rKT<}h!^wj|Fg(a!KidrC}81%vtN6mOF}uSrF@ 
zCTVM=9-^E+y5c0gMe%`Wv`|?sZ=g9-6d>Jz8p&Tt4!329Zyz|93){*@g;qQ`WI3VS z7(32|mAN1AedK#&OvRR;Ec7pha|MsC=wmqLm0Y}77Fli*lLvnrs8T6dhz2gf+fwO5 z(KRn&dRO@Kl`#zP^tC#kBsgaZB874{~iNr6ku@vl17^&>Xb7Uv zHab+b$%9A(T4uANqF4pJ6pX!2J&U_40z*{n8`QUu)Jaw%58wB0f0m~<#{KRi+koyb z{`M_9H8M~*jM`kNag~;fe=J!;fU{&tVA3H9b6!@xO<4=>*_ zq%Qp6D);uao>cv2TO)c@iD$!g_ESN1C{A_xSD+H&P)cLsTBZtr2+ZcM5-ZvSzjYa{ zW|+EAZFx1guIN9{hc;TH^B&1#ru_`_%!pYGDIo!h&s%>NR1d%!bciMA3ZTe#v5Mps zTN3hBH3PL131_8$l3yre1}U-{W9TlDTL+Ejo?!8)=?*8N#wRASWPwd0n2Fn!O0E%L zQS5=s-G%E1hp@{Q*Pns!2=h!a%ObbeYV0}ZZ*qz&*D3XHbWzyyVq*Whw-YDA(iAs* zr&ef!7nc}Q@$m~JeVdIN5Xe#*E56bM4{$78_kXp~xvVR+dL2__x90GH|iEg(THxPUzSFFZ*m=wH--Gd z^IMNUNa$<)|8o}O3j_w?O9`w>u0zpKDevlM-4qNxPpPcbob3Tb=(OqRuh6 zvWAJ)6KgV=U}D?0ZQGgHwylZnoLDEeGf5`4ZQI7Vd8_Wd-=D5s`}eNuy}DOF3-Cym z#m3L=*f8|u#l-TIn)B=#BbL?)qI)W8^S1GrceTd%3uuS#d@-k6+d6Mdn|hV>5qRG| z|1_GSWwmt&TY4xK}h4dmH<}W-(3u#KE7=~|HE0TjNR%S z>BM07HXGYZ<9lpw5YUV=uq3<;@ASROO|$cT3AZLD6_Ld;16nriF@0eOLN8NHaR*VSl!MBGI-t>7~t!5Id)vWQ5d|g*0_69 znYroXv_4^+t-EdoYi!mj98Bvd=$l+p0FVK?Z0|E9{WNw|Q=@eaeGx9K%nqFR2 z?w1<@7!17bGrQ)YrK#MOk53H@>zxmGNB*71RL)KmFEtVv1b;hWv%WYbpq*Fym<|lW!l>9N^2W2$C4EyGmu&AKH9c72u7{+qQ0(TN)wAVqc0!% zHE&Hi5u}VtPH)2<(>+G|<^m=AO)I%FP5k9MFJ*ER(-M`A(7;dK6v$E$?hysAJ--5d8k%WEiK`wGgG5askvXDB+x%tsK zOG3cK)0~vvFY;`=6X^!^0u$c2d$u~h5UVDqWGH4kG!x%V?BXaC{_=x)aZ)yT&oGIs z*f5H-rs}~KSr3bSX*)gDyYoCHD=#X%tcYkl@?V1Zs}`Yg>ptVH#OgBBB|l89#fd1I z*s}ZA2oDAiat-W(8On~7B|Gg5ipEAkcWx3j3z>p}=ksF4JXi}N_Qc$gja8+0eM{UR z3J!sP;{F6iM9om_U-62*mjc`WoA671aLf!u=SxBrzy7o+0>&)n&B?A&Rt{fii#B<% zORPX4o`7-3d5zTJ*B%H-yQdq?T4grrhNWrKk7Xk7h599*9c7{aRx{S6Bz}+|CzIA5B!yNV zsU#+$Qu$|znyXluUS;7YH2>CbvcQxHwe&0OS7V@K8?SIwKpG;jjrqg_^DCHyZl&L; za`J~Y1TTrkv+lM3a>vzI@^ypKGwI)N#EhhZ$3KPRVAbnLqp(-%D~+`3>451N5w=>X zCM)$OI;nD3U17|OVBqKeTKLZhYbG;Q+Q2hQJlHUauna(ksF^ZaT%O zMF-srl^<9-;>jAfZ2#t7=T7KbAOM$P?=JY1O(>c32(B@rSjC%}MUExG;LvOMBC_#{ z@j_w@N|oq&Yy<>evdfq^mjSY-+<#K7JaomE{+hL5H2(2$RJ1JuN?8~!^9w2`ZXVJ_ 
z<&b7J#+pD*VaGWd=xfKTi1Zej6r~%I{SX(GtE>FTIzoWgQp{cYtwyYoROW${N}H<^E^+b5^VG;6;U51UaZ;WCn>T&XJen zL`{GSSD}ohAb=GprgES(d1?ZG03DNF{!bCg5ZY$nHlJCPx#?#NZ;;KKF*XXAM+w(- z^xZh;)c-B-=17nd2?w+OW?x@9(H`L4{Bsoe>fGZ4((-yWF9*Z}4&IS&zwk3UKiZrkJ8PMJ)41}xnCY>@>mJ*KA zT>C6;h}Cl*3LUa{xH%_j@jiK2SbXj0C{Pp7lxTbEm~3v-h%-LC>^wQ6*neJVFEo$a zh}2esWcUz?&Em*U`(DHA(7M{6^fAHn0Km|1+pop3XJZ(=(hD~LRbAoU6gEuCNGj-g zuB|sQbh*7jOn&qO56RL991k0GY#V=f4f*%{{`@GuJ(SrjtshN2(?Rfx!*iN&9_nhp zo_Wx~u6!Q{n0H;1lw9{FP9SkocfM~Uk`2k!}Fp(FvGgN_yxsvGe?834ey%8eNsE^ ze6Ib5em*13=Z7cIWinr2z#!vkZp`m>|IYiAqNSQQ)5|G~tPOP-mDY~`ZQ@S;h+zG> zF8C63f$qN9J*eePWp2qX2KCU4z(5 z)pd)GJ46@|_DhSWdMf%SO9-FnpdJ&D)Go`1e|OPM&9g!faCSfe2x?w`MWUv@PzszZ zm<4GhAF;f~y-9r*`aOK1P!NyLTk}+ZTCPli9L9D9@~}%De5NT1qGi>g>R_%DvK<{V zX2?aT;dYdp3e>~UW=Bvbq~wdT&@@LQiw8MN`vwxzQ-|?akhtkODGH=p=5xQnTXI0G zUPW|k7){6nhqT+gD#kI<0cQ;L9R{J?rFlunlSAQHI$T8yg#ZMD>fl8wg@O|mwm}ulD_XNXzN|J zNVT-XTcw)9ii3FjQvzy5ncrA#lzvNjnU=JP9K4#6u0`-I$s}`sH0Inw^_o!y43ekH zpC2@0DvcNzzki}u9a6O$Avr7NdJeMyhZq^GITJ}8to|ljQ>7)!6ampgEP7yMZ(|Y_ zIt{hUM0{+gdN*6Ee6oE38O&6mLv0#Pvd)|-X>#9nNE%fu>K>tpS4ZLItQ#)gD`|ES zO$y=RTp$lkA}x6sS($t8JxLfADd@0!^2=fg`X?!-KB3AqY~^(;wS*%&v1KE|D_DB4 z3OJ*(P(i9qB$c{NQLXB431x<$vZBMG2Yq$Br3%R*mME+I7#Y4?$l}&Sx+WcU@?jux z8TDU6fbDUTTi341g>)6gkz5yHR*uq`bo9KN+|Qwflk@FT26nleGh>C&*$4K7DHirD z`de8z3rz@Cc}F{vtr;18NV&ZCh~rO#yG4)yXrxW%L*hC7rwl1I`5P6{BdF@44|E}L ztuf`FYT5SE0csuF7GO?ss=zl&VZ$r?<7-NZC1OgLuFKi%$t>WT3sE(wW=vv>#f^cz z`Huu1itd0$u8TibrqD~3pwCtR99rx*Y4fa==&E=(N%{Bm;eTi*iXmF}1$H9PYi;_4 zP(ocw9AZp|78Yk7-q`g(UDoZU&2J0e>=KV>QF92%Ap={AGuLV2NFfv)_=!cBNzC8& zx)c6k^No)FGiA3i#!jf;vv{@PQJRSS24i3R7lr3X*m04Xku~XDmG(mVBQa}#fQjLD z+*!d+ud2|(xNJ%=w>Ccr`X`fq~rr2zjTFIt|&?!iy_~rJ?~3KIPd&O4Z57 z&zSGlo!oRD4O6oPM!%|X83YPsw*p#q&k`12d4Gjcu3VJ51Us%AlxDSb3#r>lv zf=rZe-t$4JpMK!kelI=C3RE&FSve*cQc1SsHKk_%3dJz#vSsV2DT`thS zqr7C!?R)a=i6Cx_IxlKc)O9kX#ox^8TMJPmEd4`Yso6QnLn3Qw~Drgs?y}>im zl^Tnz|DJhZwfF^W*Tz}aM`F9yL}$q^Lv@(7zca;{=T1@eW<{*?N-Jj6RabP0CrE+r zx)hCYc2Z5Vh>9m38fM_eysiNF$5 
zSk!7%>UFNnP_6>QjGPYXl~QNffSlaUwsUo+Te_mAgl(o6zH&S#TW27NuBU5_<0yLZM z(+?>K=)C@Ne45?>Ilnpwhe!D9bBs7`6NHuvm!%6VP`(Nc2cC0p$(7A(tFRxa!@kC2 zlD+4I;BMJ0n9W-U^f|$k_-=Lvy37;diL&=KN!y$1a0tdR*K?X}#`q`mxNOxp+Xr*W z=}~+W?)~vvzoThpuf@E)`$weG-HL`bqMf4qrh#tjc`vw>Y|6tLq_a(6FvGWtn+@&H zY3*{yW$yoWz=i+Z3kKudArx-Yu_zDYdv<=NU`Y%9UIMKoQ;okXrG8eP=q&eG- z;6vPeNR@MSaJ{whF^?m_eG_KUZ-2D&<)Ayi?rJK$>UwPYRjtYA-K$^2Cf{=zhtuso z^QRb6_rUH2@lnQPud17jH7W|QX8hQT!QZk&w`PRoXzftib!dQ1QPX`#v1Hq`SjEsb zb@d!BhYvbjk%_;zoLW-Bxwu_FPrB#Ts1zex|NC*iPTs89Io?+ys(-#@p5Z-TuiZ_4 z41~uSPOJ>8m0sNd0X;9l8X(r!i>V&AH>kV55f}p=k44m8278aUKW!R~ZK(L!U7&2e zDNKGJipEjzCxefcXAs$vzlhl+$VY3>;2OYd%?)><@&}b}=#yk-#j;x~1U?D+aplAO z7O*Rz*;`CLm(9cV;i>gS0fh#QB-fjX57Jnal4u>XHrxd&RfpHTD7DX|NfAU_O^7#d z@1+YMSMV96WJ()y8w(=*gMTCiP#KC9=mbb=SKO8l|GYtGls6^(cN`n@b0?H{-fhi^ zTS+p)v?OcCD6|qCN}fYcEaJ9Vfv7#yWqJBvINyA>nV2UwCL1mpOWChJOtg9{?m^~t z%vrAqX_A4J0b)ByJ5p;aW}ro2ajjmBA*9zPy(P9*C5sX4vy*v9^aeID3$hBOOM0?) zUE8oL&=helqn@0JUlSPT+Z<^oZk7IBJAZVE0*)an%Ao+>M5`z2KB9mvK&}Y>Zx+ab2d52uo|18i6C{!5*}jF4DL4%x3G?)TiW~~clALZ|v zp>-3+aHNY^rE33V(5PKAWNYA*_Ta6pT}!`ajPzo^9rOE%TA?V`?tjKhC*or$_bWBa zANeZE#XopupZVj15>glaab&)b+Zpiq9RI27ln-;Q)c;bcO|afee_QNYUI)2P=O^kL2XQF&3E_^k&pgGgdtCF$D0hj8i1 zv~2TA#D~+*wqxny4AI4-*!`P`&G!|QDfPz+g-%D>=z~&7{twu}eFs;Qp80y~1i00) z3`rAiI#w-}f^sz`Qjo4nVtf9)la8^na{nJ`_cs!vHQ{vDO7{uXxLdR|j>Ik#d8ke> zb*lm~$^MnCFc!&{7~+SFw6kP z+-13r_Oa5?m8JbiL_^awbCe4_x>r8eQ?UQ222k6g&7IG=?Q$qY|e z&8LzkRL;~I_w$jk62Vy=)QS@?#KZ6tD$#i^+ig3sr(r{(vh0jddGD9-mxv&JQ(`S7N~&i=u9UEZ4CS7HsS~GZ+~~5NI;mOym4$aJSwq<7H|!tCmon5` zq5EF!!VIt=Vvcj4)$*Pm#(4KC%tb~-1`{j~NI{9!3dAi>7w@;zyP8LZLPr3?#UD!I zI!6j4HPWP}AT_9)jwf=3jVgO4#fTQ9L%mn_57J{n{V08;^2-)ZDvL^}ziPQhXGu1a zJdICJt6GvnXMr0{9hxiCovNMWL@-tcpC0oS!!Tr3IV0D3IB{`?LF1Np7Xo{dQmL|} z!&Ij&%+2gAz@q(MdA0fhDUmexHP!wigng;qk8rNL#FQ_wD`g0qN?JPi?c@7rk}m#- zIro7QWrpbVSEr?D8t4zZ;_g}V+E|a&cq2GhC$rZ)8oZj!bl<@5(dz{Boi7kLcTlVy z&^I@TMwPI;p59v|x4-baU2#XAGVmPPpYAAT^Q)CGeR4mtZ(hvSTEln$>Akif?(}@Q 
zq2ce{TjibOcTeAQnbUDd$L+0S)LC)2gVTHZXqBZE?sxylHtcp-PH^rh?Lg5ndby)+ z?(gw%+1+r7b(=whd-HKf*TUaDw$>2mXVS#S@OELvGvA!$`Y8BvgT&$KG2+kpzC^-w(p=~`^{ZY*k^a_X_N|d3hn)OQ*G1iQN__B z+0$n6Wbe~@2YtVDcvmx?<1V$k@v)UO>9fPp!Yv^1vCTXSYuA0zXslmqkkxVK7T!1V z0diPpH|O;lsQ`i^-Ve#$L8sZ~_-_luSCRN9fabCHg{zpjx9!AUdu0E*2AvDV0Ux=q>^RNCupZ745It=A35@m@P8yQD)~IZVE!6tCnV7ed?xRT zj@5u@Cx&+WiV*20=J*>xX#8~`g$Lk~0G*}_O?;7RJUAUa5QLU?@UFnEH)5^aMDUcL z?#3yd9HA`jTd)Jc)Ti)wZF&Yhk2v zy?T`c;8ZMbVoYVmywQDdBoeZH)hpLRJk{}pmr zW*YCLz#MiXqnw>IEz6BGj%j|WIyoO$N&k#8twngc1=ArY$&&@beGLTT;bXdSPau%2 zhfkOZqQ9kVOE}3@Bbu7&E=X;lBe>2ecytRECI3aiUQq>3x>Qtd5XtyD62@w?uAj{J8x)?C!9rjuuO+(`n4y zxgLT7<-siX*zlVP<~QLA-J;Cz#UBNh@FQB;`>ryM|3)9o+BQZKuqdXXIL%E|M5chh z;d$kY^yd00=+W2sA;16OBkony9-@*jgDd&k90Kc8a`W9gCfo#wGYlO?v(pWPT-^X*N<1;PZC$=_VH>cq`;ClO zdxAHl+l4!TskYr`90)D7927S#@lv1g4FT;dRwEsd#{!YqVqs}9V8*}mSbt&Hr{p0J z!6es+8d|oC-lz{ZTC&QFKD=4`Ei*V!Wri}3fQzm_0Grhyq028c@n55&O0N%>czq_Vo zr9eYwzQQi%hBCpVYrpjy3>~rT(7Pa|;Yc0ibv5g@XY(+YSJm$WI2IjSa!fs>IWESF zfn>g0tdjkbCRx1)DAjNsmw`HC=A?%Vo3NN~5xqn5stiO6V3*GhSg1Pb!y#A`HxynS zdkP`4(A65RhGxnqu@&Gs{iw#Nl#ou}uu(U_;pNE#!=$8$^Wr`zemYkv+z~t&gOt`A zpW8ktI9@{T1jdw+zE-}tf|G^3>w;C$2W8ai!TtBcHmtxMi*H^Tr)A%mAY_%IJe6GJ z>cRS$O_LGQfjDFnwpk~z+eL2c)r=za2~QQ4<*{*SDf?EYVoQJYn25@9P?%zgn1@?h zzuOC&(IkWas3%dp^_*1>tl*tY)Z;`ts;~qasCRhe6STZbD@r;-8OX>U`NGVf!=nWX zp_sQdC)5Xtv+Go>L8vnQ{05K5Rr>seXjzbLKY~KxvojrXu(Vn1cR>;l!(I}Zi%kfd z&n@{Y>9$Ops$I2%}v<8ib`kocdmpXsFnYr;L15tXq&#+768m zOLUmzMF-|C(YXK}m25JEhkJ}rCCZc?k<)5uvEVU0e*f`5QrOoMs4{SyvRU^PiM;{z zBo^)e2w1h{Zoqv;$_QbE1;{5)Z3`^>-w_ybT@#=XOM%OfMb01H0QPeI;_SNoXAo*; z1i0U(Z@PedeivSA>$lqlNp>$2&@ffC{fTV~c#M-hovT;&D>g|ylU9Qgbe@(6EgEAv z4s)vrsrMQJ+c8U-i!i;1ZyS7_3U>Ss86UXsgQii7>xX@M23{UlLs$Gy3=$qlK6fx@ zTTa`*K0O6ab3d+gXX=1e^#`GMN1v|qH3G3tTh;cTn?CLC#9ey^v3|CIfi>K^8!GFr z>z%%=L%Y^1y*rtw6od8Mk@0dyDD`C1Ft!Bd(h(BXW;OIHO{+Sk2DWZZR=wZ zIj(BMH}RwQb4^bUcVl)2CT103XyR?exLl-T|}STrT?|wxkI@QJ0%@eH?;iNGA0^2IAo%b+yTkz4L)SYwM}cs=5jGo*EmE&Hc~~e9hK9f;+#x^|UL0A7=lH%`0}V 
zkI4a4Q&|F##tXYnX}{`ZhKhW;Y1sNC-3HG6-T<(rKq1+)Ar4fI5F8*uKd zPLEf4Bp*<@-lT)N_hn*>!rvO4%?83%3z=%bvf-9<%bYyhq({D|`bn7arsorrWz%V= z^$!g7cb#{G&(j{{|3anWzvj$wscLE<8uw2Msu?uai6tW`_5&K@PKO zkD<^Tpqz&C8Al(HHOF8F_}b z#Kx+ygiG$7csxr&E-4)kI29;a4QnnjIAp=hVXp8Rv;9aLgtC2g9M>KL)fYGxM`eiS z;3sacjQ#wR(KKPbq6zeuSH(Q${Adg&+dOd9b!;L<7AGJPhp-h`8m1R+<^gNTCMI%{ z(6M=6CawA&)9fU(nL;f*9z?9lvq#@jr9Sp_^m`dw89I(63f&>RULVB)KfpGw(6K~% zw#@~L_0%Ih^~H*50>zU4+yzU02dkVm?wk{ml<>lN(Z5hauS(X{1?h*Hwmi*t*}`Pp zvmH<|o041A>Ngb$SFdVAX1w!W9-xthE0-a|NynDV2hE{Pn*%LC_|K(rny!fzZ@eNqn<0 z-&(j*)m9Ux@0vDA!jeavl{wZ61trtCCToxB)S~(jErNo#vqiJ$9f|=KHWWW#|JBaW z792zUO3N-<`XfOF*fD8ZFDrS@RG_dPFwBpWa*M$-q68y#hNHr`zxB+=McURU0w)rQ zPqd|7s<)x8$s}9^lr&$|GLy3YnS6XN!bZW4W_|?ZU+AA>LrFDmr>8D-b=$LXe7EZp~kOL#j z$oHw;>}SK^hDJ$7XeX{a6JyB|Ed)vO)!lbGx1-bT2u4|hNWm!W;1x83O?noc+WVQr zmfmIab=X6(w}QE23@3nWxRv68lJE?O;*M41B{*GP*~geA$l>7eCACaCO%#^4ueu4? zqLEFy;m0noh0t@l?IWe8uX9Hjt`a}8W%EwJ3>Tq)nwb~c6`#Vn60%hOz;T68kom=X zpyb7I$mtojrR9n3xp{hJU%4F|zTNgf9=TluUp(MFX9 z!eFQZ%jNh~Gv;g|QM^pO&IrYN09#4$Ox;Oy;QU{05kyb{Q*Pqv_OZ*MRde-=)7FJX z7NUMGD~c@~);6wPaz&t07GW~PKHv;68<(}y#qa^qhdvon!}6ZIIZbs@M>vI< zIrQdY@wRTzy3U#hj6}bNE|>w}Lk@wC|FYGuI-C}*CKRW>KaBtX@-D#m6L%m@2Gnc* z2R9XmRy6Qig?)(;K9yO|ac6B%o|ZI5H+{D@jnW`4S4`r_P*%5|9{L)x z_#LMYIo;=_rz*+gZ>Bgncf5}V&vKvz3=Nv6*KYI2Rh<1CW&8yg0ESci_uW8@9FJjn zfsdbSa{^`u8U%WEpdCBk-LHTrH< zi^u4b>Z!BgxGO2G(|WpU>H4u%?ALug4#;V6 zDDGoMIE3Im$u{l@i&VM}h zL&8}ksPLbJS>$loxrZXaze5L&qUu~V4w=D#2HFpYqpAh21CDZ+K^eD}XSD0b1w8|x zgWAtESrCB12UsnvL)nrfmIoVnof-dH~Sw=wQ8L*?M6ftE4%ZUs`_6hsBTSv zqqW>lJ}kmQRbznr37-)x9lwiZe+LWwAk6uLIh&q%cK3tjoORn~NEC%Wd}L2q;q(X- z)9PpqR?`7$rG{HsZ1{KXgmA0gueKjc;3&3}cgy1BmZ2%#gV1v9yLUV^prbRAkN@sm`>4MS97pkXveoDm8c}_IT-9eNGM>4qEnsHbM$CT~%l z6)1f(qC3&@Zq-%=EmzKeE72uYh~YMf`m+H?DRe{H+LL8vl?q$f8X#=Ee6Fc&%zD|Hx`6|ogk}DF3p*du@pG2 z&#Umsam+PwiVVVsJB(w3-MMlPn8tJ-z_5`NH5j)gl(D6o)m0%g2cYrE!R9&jR25fB zx51=+U}L~@RnU3RAzm%+SrrSRo&=PsWv-xTuw)YI?-%|li8|0lheTUK2{Wo=B~%Wv z5|;DE*7v}sbF%EU?Efx0E7o*Wi_dvXX2CL@__<8R?3ep%&?V~BG_WpGL8EyXy5WYA 
z!-$g2iUqD(_3|3NBGIsjM~~btvO9%!ygNxgO>CZS`88gSQgjLREg*v-3(HaQ*ka;0 z^G_JXoc?S1Dzbk$Mr7YRw8m(z+Yfobk}D}9vF8WydiL8FqElI%jgW?^HD?%A=9U7x z8(;0e0uMl6aUbA6Dg%vhIb_ORI!K`Ry3r3C4wyF)#d9oqABk9krtbx@tb%>G?WjEFPgo!Vs=0C; zn?tzt=>gI*F^wnF*}n<7t>?#2V6dib4}bo$MeZ{C@px_~aqN9SJM8_68PZk+`(3vE zLM#)_imaMyxn6gF+fW!|0$t^FM_q*E9QpWlg)6r_L9^w+^uWU4n4PFZFS(nm_v;L_G<#-9p@Ts`AH@dez{N#ghx5q zn#gLiRY*pCe7n47q$2~VjGd(kYZfN@G1g3U#^87KiQhB-D;my(oYJ&upDbTeHS|BJ z3h=qdd6M}$SU34gh$e@8Y<@$q+w-DuI`%{W8RQ5H@FU~b00BtKVWw&jcCB&j-;^y| ztO4scD>4jsc|%*C`?;I1?%B@M);-sD-shtf`g*tTOYCka-(EMGYw(fT30Cf|$Ko6?s{D8B-t;~%3`|fo?6bLC?!?|CTH-WX zo}pul(*-jdi+u9=oD!HOoKN)R zb&b0;-1M))(yIMkcJh}PA-v~c?4u6#c&)3#w>mEs?%W?{=9_3fOgoHcpHE-BHQrvk z@95Jf>`Ddr{%UaTeYny1UzySPd8{Szh#;WbdoQm_Z1m{AE_!U(Zgz2Zye>E|uAcP4 z*ij`ev#tLz&jMC?JiiHW13$XtJ~ux1D#l$~@O?HcKi%0s@5auE#8bI!)@al_PYcyA z6b8ud?0FDZY=Iwf3T~Ev2a$R*gy8YHy-mbcy`?fxuKn*qiXD_GvF3K&jlhYHFDN&@SjMKO>LH8DpvuiG-i@=*-0$L|+168>)| zd{a(_td!}U} z^HwB~xhbvLfyFO^`l#m%pHGMQLT?Q8HtK!)8#+?==j&o>w z#g)eJ1F6C+-dZzTP}%-UdTorye~;S#=I%H`Q?%CqO-@6TEyp$y-tH(mT1duM zrefy9Fkuqz!whMJwL_=@x7-N5%$1yMfu2wko&o5XF`B~MuT7Rl;;Rs-ihXXfnmj#^ zB3~if>J-m}gT|`0ifgIa=-fpJ!HP}wdH15A{tqSz9KB9@HUVBNrnl|{YL+F*uu6SM zIvR1vNsYF&EFq)1_>O1+v+=kDvYafElp9-7{uhs@zG%`<3wMbV8)iAe0@a94<{S>H zFqPk(>2hSsWJ9oUD1{Wc84hCTZe5Wm$Jdb8QPQUA>Li|mBiSmhL=`n0QOSmB){X!y z#{Bf)a+EpDk+21u0Y^t+w9rO|{WCZ*`2!ZgmIBP%R`dPAxd)@{$yG?od8vkCPsWSu zeyJiJE;@}RwKkjpyiNkNvjN$yad+tib~_EIzea0z3q_6H8cjOdA~`N5?9>$#jD=-d z%%nV_0d&!hl`9rR<%az@X3?~|fv#@496N@I5R$>?!cZj`4ZoWZQPFi(-&}e=1oS`? 
z#Uy1#<2Dd}q5p3UTYnGQ(N@wIMh3$}`$l#i(BJEq}W?DPy2pHnHsbe2UM)e^IV?<1oOYx@M z!NHHJ(R?cL7=5Kf(X5dUH-ABz>e1CcMkK~)^IpV?yeGUKTy|tX;n5S_JQG-MbCEjy zU(_yQxN?l}_9U2@jyMIEm?SE9(s-pvr-Jg~)XB&S+!;a%EVJ#y(SL`@3w7rTUX04= z#Rhc8!<@wEVa0XebR)&Mg~V*tcc3@&Sp%vDt5B3|V4WhTWGRm0ErbY1;4B#v(p1EW zk%GHt1tIH{v8lm+{n})*5Jl&I)mRT43x-G+=phd-h~k?+P};a%_`!Xf zkz&K6B0f4o7*I#WPxZP9U?E3e#8JeYk$ez;DLL4co82#WOEYox<2~k%4-%!1`OX&r zl;~=Ys1p~ju`-(qH+y~mpSk$!$$wGMfwhVE6$xzOYvqdkwQ@ab7ihhA+7=igjZA<%43C~?YW+~JV-cSd{Bn-fwKnfvYUg)(>NOjf&13Z%bGyzV^h;KNmo>|ZS00L z#O@bsO8_b7kMb2|0qoc!&*ta~v&40vS?3eh-~2Lc$uCOa zY-N5IJqD)wdYi=F&%FQF)$7*@ z5&BfNU=KkSC$&&-oeCBCsewQ#W=58>praMJb8Uic088?PIK;Zau)vp zxIQ1NdfaeU z{4u!kG+p<0p9{Gn)(C9%m#-!?oMCeO2QNGlf>5u1gI$h2|~3a%D{8T)s&k)02b??<0u=Hn|`|L zEaYqL{Hg*o(V6Q2y0@t=Q~vEo=SbZaDxcZTfVOrUbhMq8vXD!-(gKqzp0OjC5dkQ^ zbc(|5bJCs(_S9qySh1ED_5R+!sl&Uz&@cY+gdMCr5=X66^Vc+N6c(I|qF9Ho4fP*% z@pCb@6c#q>x8|tt;l+}0db)vUM3jG<%u;8GNMj{CHp`H1S3;J9M3o6Mh1Sh34B9HWDB}qOQLPFHiy7f@Om=7T7N-uW@zP7h1jx*FdS~IS5myU0 z=+#X}$&#vFx&GRr{c*#>nz2-aa6V`4J<;*e9!)n}6?S5yE1UPq7%ba~IgwgC83=~8 z%2(2yToEgnd#L{gbmun*5oBt%TaF|O}c8Dog9Gv{!l}y?{ zh@G<}dsX7?a`tF3$&hn^&Fhk!a_8&Xef@Fu=1Y-47b1$4t1qRWNaI#maa7-4%qW{J zKj7+q9*7@2*^(diCTM{5I0R zD?RrThpkzMqAQ9CAt&Sri{qkcmcz@7Y4j!%GL#E}vV162ZwEWH1 z?8gGVEc^4jdONf|08DlMTeeF6_ov2Sl3+zQAdgExS-hT`eyWwBPjoNbo$%n$DY#ro z@&wVQ&9Q1F7-0nXU2)JFt9~uK3Aoopn;@lSOb$g0m^&G^kKahZO_eZ#hHro91jMWx zim@-4!7OAsazD1pCIYpP*M@$Hn@Vy*_u5pM-=-sK5~H4A#x|>{mm(;UahEe2f@Ml( z&NsG8k%bbGWy$n^nvAoB=yLI$oVqk`%>nl!*#eyemr0QE6IX4rj@4f6q<)T>ZKRG1 zM!Z5vNiZ)M))4$aYf*8o%;!xU2>Lc?1J=xqSfc+F*qlT#KjBxnm0txZtV#nnVYNS~ zAAiY}#IzxPVHl5wV^K1LLNg&Wljx-1Q!uL(KpFIN5sU@f%~OI+N-%WpEIlRSTe|M8JNy>^sxjCWI2wc)Vi zqMuYTLYP<$BflA+7OseZ9%<55nnsvm)pac5EpWbNwfKe(gHDW%qhmZd#R*H(LVYp| zJDKK#(yUUwpFl@Hq9(d*g6Xzw;Swp;tdVELE07$dS`QO3EV)!}B%kA<+Cjw@5~g0+ zuFE52T1dWv{fAv-ASVos=NCDJMq@?p=rvR%a+@PZs4`UE_Q7eyS8ADE=o$P(ro~c5 z{t8W>>koLJs7Y_Cnz?c&`Us(iY9&Z#RDzlxt_nFte-!7y@=B5e<}z(v4leT+2J>%3 
z%M#>a#s5Lty2?SFp^8z88zS!UIHtM|;lWk9NGl->sdiR??K#%$-;AKE&^4)ON=Xd^ zO8JkzZ;fA1{IB?L3OXd~(tntjfS$fACoBH=U7mLzsb3CbWRH`R477Kw_waZ7PZ4^U zPY4mxA78Y3pXyh8b94aT`Sk)4aktyO$VJZBo%cl461R!J;ab|!=V|jx!;`)b{o`BK zbK%f9QE^kYM(dFo!Odh}Tr^A66YiRiSrlq+D=28FKWek>wcen|eT1fG<)Vzo-}7Qr zV^aoCsr%gZdY&ZsF+tfcsU`S==CzQg0XS1bYu8wl*{@r_U6T@eRoV5=OB1oCHGB;% zlz}8l;A3$0pR`65pyz46N3qA(wtv$WY2Ep=Iih8V{>pSElm_rTnZi+sM6Yf5Mz9q~ z;79}dQIPX8=X^NnW$m*0s47U1+x2<>wIB6*phvw(;c>n@?DE~RJlb-+6gR#YMAh)K znWXbyed`@Z?!jm1w9A5`pyeD|89e&o?bji9rFVaCC7|8p_ptMI+_UoD7yh{N(6j=q zH}D44-~j4gaF#%qlWa)YUlzdW=cqbQ^p=A_^ZoVGPu!iEA2@a9c=d08QojsIHLoX~ zYfs(p$L{KN!-tRlol@lXrKrO^pCsOwkLXXTQaQfSoGTyK_M7*6X@8~~wtS9H%-sxJ zw-M*>mRda~{w3l#?M|;U_u`{(yzZo~;lt>?U0Srd1*w?!1TbGL1Yx2+k;~-X~TF{OFd7F%G+=3U3B(3cbs=^bmQo0aO$kFv`wn`?_Tlv z40$V`O#r-?Lp8GfFGWfXTtsi}Z$L8qpx}vY&`bSb&#nM!jjBYC)rWtplHsgiaq$R2 zPL7Wo=;hz1fPomOSCpgU9>m`Tz4Fz2AM2lyRAu}4X*poDnoo*zV8P-k_rq5nO@d+) z3zw(T5Svy75ph%ZTmlotQ^gy=#t(-pSgnGa(=OsndF%V6iz2WXq`$EbbE|S}Na=iC z`(_?YS3%-+>&Opk*60Hig>$V(ae=j4l{{??8_ux zdyX+mYpoK=Z6_&b=wU8tGR#KxoDouFS+mNh0!xz11zhC3RUgk@nI~Nb5!T%kGMen^oVtZ{@?2y`)RWNJ1QIfY@i*R*!t47ub^wcD)tCd zZRC=>`m+}0qQp~7A3NROec-kdIl>8WtKiuIlJu9wy9JlXv!sOQLiAb1eV>xm`N58` z&E8OuinYrB4x|ul$%|`?wHy-YNFpK^l4M!5lqdp&lVqE?iDR&L+#&F*pKlp+YaR0S zi$-C;w^~q?r_Cnku{}d-N@MCOk0l4G_x|>WVotYeyUMKtB^E!&XwA z7R@{s4aN(|p^TP>R9vxn?dQc0X_JltPb$haX2s>GOpRwn4Gl>uQF=22CrxYZeyp@v7L@>r#rUI zj%{0=j%}M2TNQL{+qTU*`On^G?{hPsbx~JU>#4ckHRm@*Iz|Xbs0m5l0BNbI*UcZx zQJ3@qG`VFJ1f&4&MtoCa4YGmQDG2XQ<)Ul9hrivi2693xLbwlu^ zQ=w_8#Ce{ZX~ZUPyPY*j#Nn0M^qwF&VU?rBL^Zz*DfA^pXIyjSSE^aNm{I#_Xxgd+ zYkGS?MuCpFh`e#UA!haC$SV#tnLM3Faj}tL*wBgDPY+W%B{63CFxJ_k1mhw4!*T>d zX$z*6AhBtQ+Q8oriV(#^Bf>-^=Ej+m53Z>WCHmB71okt zCw0050&*7cxf8=4fawncm^!!s&lPG%=&VUiO>KtZ7=2M%RMKa+BFdX@14tXHaxG!9 z%Zf5VeHd@9lj^ROOFyZ70*(R##SY2ybK}NWp$18sVM|_=+jOLVAAklneSZqbXCXrV zErt@k0=5Let204C)SHadGmJPTGQjn#sn?mTq^KPW(dX11cDkF$G0uHxIeU;U#0B0x`%=xA@X@Neywe-hhI^$Amw1FTC=n{p zK(C}v6HbT)uFC4Q{4b0Hm-)4O<2S)a$;;7Kl!1Da0R1xW0)1StJ4}TTK|f`=?j3#J 
zi9Di*=)ZhPk9S)}shBz4Aqk`UNg@7mWxItn{Ris#?hN_`LIm|tBLo?2=Vo_3#KtO8 zOUiq5cAbDM_>bJQy@fjWBZR!+y^aqiq7Te+pZ6;tEy``Ny?fVpbZfj{7xt}*KRz># zr)BCsuZ%2pu+Rc*ie-dicjCwsC$mvGZA8!?<=N|)~okL=GE$TQ9~6D&^|HKZ=$>T z+W2;a56I$qr2z1Cx^}!W@IH2W>Q-^Wa+F{3I@35HkKy6m+}X5c)Vx7SWz)ED9n(+5 zPW3xYQAzCfaXI<;vuD>7f2b`B8+-sdshCfW@80{jyzUPUzZO zX^zc6&=KrEDexbyMN_|FrU9qcO9lsVM#ClqonA8cO-?b9e!ELl%i`+W7tga9yyX*i z@1@ru%G}tYuf~WUB^7HO=et?d& zen5b9{G5TyoGc5 zU#oxFZd2AImIPKGF5j+!Km7e3Zp&p|-0IuwD&hbO`8awA7NV925tEleWG}{{&T4(F8t)&Ku`@R zySBhef;B+$f&Cp#)2nB3!GT#rJ;S$y3M+&}&i}CiNoLIm9rb~1JaFzP&iG_@oeM&_ zk&czbti{uIzU;(HYCyIQ3Z||5S}w;lLOSuNXKJ%CiPpLTs_B(;nMMv|r1cAIrqV|} zPLlTQdYxI9wbJ2LiP!%ntzbB?S;&2&yj;ENFRyQ*B>^Dm^Ni*DpQP)Mf#Z7v>;g%z z%PCxer%E%jrSr`xg}pjmG}TRxA-85ca`2va|LT(m{6P5Rb@=Ip$r-qWrk~nP-h!HAs9n= zsNSs0%!~iYCfb|SCXKJ++gd@cIt0YYSMp0MQicpt zq5x8nDWag%5iM#&G)5-L0-=&&{_5=Jk^WYD6FjCVpff$7-#WpUY>q_E%eyi?2#@%t zr!ZR~t3{hmgryW>R$$vGg;gL8Ex0sT1(s)_wnx#GJTc(KYg|zrYaKRRX+ zm&sb30x55Su=kg}>bFu2(G%-MUJO^#I#?OhTw=*I4Of<18LQs&*zTTrofWTI$x2&f zBB-^#2g+YdD^1_XH-IrfDS4Q(LFu0uGX_R04)l*c1rgm8WXd!Z*16rF>hf zLXyDwmo!8PKfj;c++ess3~RaswLoQkiW2U0nWY>4++JbGC%)!Ha~2${XolQqo=}`Z z={{)$qkk6H$wA8|f$&07h~J>2r8!#cV-tlF=Qm&o&?C|rlBgBqt$BO@`VL5&cK8sp zl0}G>#gMEXxBffR>IwCswA||({7zo7QFZRF?9+tmY06WWylo^CqE;dmX~OS#khAc6 zH3q`+_p11{_NM&P9hkZ;`G#sH@&~tMdy;6u95Yyd&s6W)J_7Do$4}=im|b}A@f{(5Cp~&qpEr2ctQ?h#PUE+nI2qVT zYQisgDXmJ6F#cm>&W>(GDwlAKPs}tO`4igD9o7$q1Aw>u?n3=T48T8SRsPFsof63dGMTA2w-O##YP@)Cd? 
z)jhZpIhsEeC3Qiw%rYZn05ke&lmsI)#S8gcU%oO=*V!CyyP7=4==88gp;B(8WqI7OA~f<$u^WjPM9>)xcn1H0Nzw=M-+F z2&A!fg$OxCgaTClMjqmFoZiO#J9>LAI+ZUvq!z{?Gk(VTn`&GE1|iI*RpctvJBW3G z`q+;s{Wm0F<+}_el%Wmau;`4cuxO*uT9E3LUE0H8ZU@b83ar5lb^34Adc+`&ZNF<1 zDT|5Ii+-kbFk2Q|AJ6|+F6?bDPhZ}@_=r z0YtTD4QI@-m0lxk*9e(<&hs;&gwXb{^Jr5xWV#PZ2Q4VvO!OXP>=OK{Kdw4%--K38 z0v8l~NH=Y-oU3Q z%Zp4eS2n2O5=QM^{=Q`LL&t8Ap3dA(^WiVwrte;Vg9iU&N%6OY!*hq;lr@5;>AP;x z>pr4R-zQAQwdbidU(lcd5$9RLg`nr|AF!8+4t#^>%uI#XzF7Iz_Z^8Gp)^73Ed#=v z<%if@-L9)c5y}Pwf!cbH}$b)_gqxShCx()De~2=ldf$(k#N)jo-)@fn=CM~y6=l~)kDjXqJ}!a$9mnI9WtASn?v>j?&F zs8Ji!&0GIN#($F{p9(zG96ri84qZ8wNQfpV)E&I5XX+gcRj0HU?371gWOe}KffSB! zPs3d@0XaoZ8)XKitY#|~eU%yjj!3oiN>LK1ikwuHVnLH9G6d6 zY?Qq`zZyYWSEFF(PoZ#9A7ztrbKLYv;JOJ}TLD$FOC(^Q`lr~AA=Ca{QU+J$uVTbf z{)mNhLp5^O;_9d|XxH%$n2|a$YH0qE$UOCq3V?fqPB!Y^JTOK==##oay zS`}#^owu>P6$)a=DmNcxV)71)DRfgD$a3r7{+1On7DSCHsJp4Jq(NiQj$NjKvk!^PNg{c7?^7K5qBgraqd`bW4tKp|E%FM;{?9s<^} z%eP>*Y(JKbnVFq?lD7A4Q~UC*AMD34#aSbFKnp*;*c)5F%j7iBR;<0HxM zz!-{fW812Dq~IjiDY?U?yMrL;mAg9KU2JDIaICEdgYj;qp+fa zP9Ws!S0%AJtc3SrF^QZI$^-RS=yrcAy3v5!Va=Eoay(Wt@?))~aAwcdN(n;9As~-M zV@QK#ljsZ_+@E2lyZ2P1nqX9rBA047HmqdgD4MIPsNsevUl4Fs6#g3I z(hF4sYf{kuAX6SIMp$vFK66oRzE}!ECDSCA#!qL4bG^kZM-G=MSVW18|e&Gk1dnIoBAH3(bY2KTzy@G-0r%KnhsT{Qu z&-73u>EszBPaqg$q1Nhkg6AnxOu8~uZHjnU$$kC*Nv7x?bcT}f11%I3Q z#ph?QJcZ8Sw{M~uSnw~SFTP6Nn7?AITs$X2l_Lq9oerro@KVO6+h9z>r!bvuwVnuL z@TAewoRC%T>fp?j*OJFqLCPB*bCO3qg#qESXsbB%rwUtVwT6`HU|7WAY|f>Kz7++F zaSG z?F-{?G`bhJq@y}3oqP>dQ&ET$t<(QqK0-NhB=TQo{kPK}y6p>nXTHw+TI8R7etbd( zQ~XhaH_t^MF?|81y3*C*SrMiIDv!&(8^owk?^!)m^6SnEcj* z3yJPg@GeSBIYZ}+HrMzHspp!FvxKwp?VquR51kq=jah<6*q+^kwQs!62ZUCo6Mm1a zvBZ9-X-|yjoJ3vEb>`Tcx8e`G*Su0*x1$%;YbA_d(hy@8ym}&rzVKYXU4!SFv(Maq z0gcS6Ea0;mG2w^YTWt4wHS`d!9iDYYQR}uVB;x*2GQ3H-0bl}MPt=^qS)`|!@wxi-oxz` z%c{6E%>8QpJ-caZ-8ZocrS-g|FVBI`Q|!4fnd9UVzoq*rPp2lK9Npg&Bwaf0`Ee^_ zA0P9ZtJC_$_yka>ya`@V_f_{jOgfNo_VeGM1O)LV4Cw+Fgqc3>YxY3hEB++! 
zk)Lc|=HIVI-0R=Z9%Np8l>-_+z#>bvbg@I2(s;^cTJ(<;<$U;pe3GX5=}Iz2#%Weh z0YE+v0d9Cx-*^Qvi!OTXN|SCKWLJI`Zx9%_b-_H*gi%kEveJhuMnWjj;Q>kz%l}$1 z2Vqg7D&bCJXdmb#7p>7zm{Q}xn!#RwM>RzrAe(1r7mjOBwwL|qC!{e(kzOz#IY=`^ z#$k(hU%`{yI4o+8#}MO{tQ|Z4-LMi&UV@D6Kt1kZv_w*jJNVaw@Q+z)I{UP*v(EEc zO8p5m;($}%iK>7C?rPUj;Zo5-nAsXg@j@-)RJlQjhC&RTyaFSxxTYcjJCxCw>6Uyq z-5O3S$!r^dESz~H;~Ikz9`1oP5#A4rfN?qQ5^_pXIZIQ@-`tg4V*0fAT6F=BzGJ7$ zMf%6##j_-KVs>j4$nEnM+)wjRZJW!}0f%Kv9~o~T%@|P&2O?$WobsbnXg>H;DXC%t ziD>J1G!MorD<8@nlUC6o{D%a+BFscTW($PG6PDj`SxPR3KPpdHwjzD9{^&FF znW6;}v=7a7t2=tktovS6`(s8q3zEQ7QJ;`$;imNq?C?2T-VK3XQsoB#HK~ zdbJ;4ckPG2a~Gl4k$dSK=iPN*@joRS|ETDXh;(=0;`D@OC&a5@LR_J zmf(lHXyhS@g!${_HpVXIx7RtPQ!?wi2HlSa4D*g^VhpPC3N=iJTo|<90nJ`b2y{2H zf!jt6S>$w`y;1E}l!h1y;ytQE!U(^(8UOt?!>vnN%`2H+NEpO*5r=8@;lUw6`Vl)E zmBjL3)Qv;YuEaq)&&x6w7Iiy)zwC2-6yYS%=Pbn}baI4{s4atm7Xk+3Q>|TvC1pJP zD?CVu^Vr4I2(vOkIbzN+!=w#Q0eJ=@6=H+dupXCY)+2v|Ek7?=!ZQvmtxP;gH*9>( zi8@+au6=CTlH;nh{Rfq)Y=Ty?oGNY=%dJF+Ht!nQnryPsoPPdPGLrBlm~j{r8hCKZ z%Hq*yBIaBb(;e}(GbnwHtE(MU>r#z>sz7brlfmIx%rlX3W{bj(>4nie%G?(hRvcXiKf4 zXVYvS^Ctsv*c)w{rN}sQ(b>n#or?di-Q#(ElUyQq&oeaABKhs9i7CUaT5;dLXA*QA zYRD(Wg+@>w0)g2q>=w53jXHo@Pv&v{Tbc$Wt*d==5G?-gY>VN~4h9)`+C5r7G2Vf$ety`%;n}c}K91}n!%92{Dw2~&Od$@pEqsman^QF!nLtZPRyv zT(I@`Q|#vEQD1P4=VSY>7}cdGODG?4b=!&C(()O>!>4_&?^W%Xt0%N-H^>}Y)qay+ z%)l!biLiS+^h<+{={6zQtmqbbP_1{m)GXgMoV28C2|PRXw_{-Up!KNU+j=$vG^|To z*EmkKo2v>E5iD-hG^&8wYTu3PqPqD^Y4}y>2?~pxTPDOG2-~ld?a=Q_|{lo z`At-$f(*Azv9|hs?jIpj1zEMv8y8Z2j$?Ox56?9GoB&-{+u0#Pyi#vIggz}HUr(1HB@^ugF>SZzbuVw#JYZc5GDMtC!;z7-Ph5f_8;@@RQE0V zpAYVrUgq8NRf;bI0Qn7@BV$hDZ1?Hap`n4#xA9b@X1#OBU&}Kb@mm;bWYjt?rIo5z z#-#iXhxGMOuW8$$Dc$qKYI|F@fF%&{+i06_#e;h8LOS(~#-kLw=>$P4B5o;0Zms}; zqGrtbgn}e(ayW852|RF|dCPpC8@3dq zkfAOGPV?)1{+T;_uUz8+(f&SbcD(^%l#1if`LZcC!z$}Pa=S28s|70Zh64Po#4@gt ziYy#=?SL>B=|wW0K5qlrOe+k&%GHvQ^cll^L13O&_7WC7PR;><@I;J_;{2|GeII9s&-4C$PE# zy(%FP#;`Q3$+sS=F}z~(fg)4oEiv^Dg)l}g2{axjpGq1H~Z-b9d%aAIvJ zLIp`pO3GE$t4CHX(+^Nd3@ zt)LU^3l~m&q|=y;D;iJqkaQ!MMCCuxie$O=6+fBjHPZU0NgaoJ!VEhGNG2doPf~gS 
zugvnrC3AVIk`I7R@XXU?8O200jmwc7DxS(v)c_^$gp|8+xCJuy$&sdCu<)$%K&G)5 z^?AbrDW`KTop9-*UdTUem_km`;21 zP*Q=&p+~@^4AnN}xpJ#SC+_U1SyG__Z*)sCV;V4P04Bx=bX?Box<7yXQnw8#_w?vf zg;Ql$<1yD#;#C6l0(t`n2epz;cb>y0&8p!{OE+qYdXAViiklpI|Bko-;1*&Xoz~AP zooQE(KLYDEZADcJq@FOfW925m98U#g7z_xtDz=qwb5Zzg_w#* z?Sg_LPcYKM?)h`9JY{LpId9QhOJUHt?UInpy@phONz{R1hsWy^?deM~E$si!!gCBZ znz?8q;W1X5_+vmFCSSZs?J8E4M)zgu(cek%Z2@zDq)Tj|4$XPw%LSCc^IY`jqX@sS zC!Wedw5gVHd8v^nKibOJ$J{IBWV)cWHFE~4G>3xC=4s6GK>@C_=!%Db7Mj;uz(kt; zPx(~fz>$dm3czMx)AXt@$%TUV;&GFIH;9D!Pr>r~QO&l{u+TFKJMlA05ZRnRe(vLC z&7KhK=fCIULuWzHqY3gDuhSSp_pO5qx)gaMuI`VK3{js8Tki?2-JApeN1g4>=Uwax zjU3!k&SPyGLr}2TK<+Uqsw?pX0?YM*88TF6rI~X5hKJ;tPthnf% z_BU_oHE?pg?;7|%3Y6l>*lBA%c3IDC&btn|&+Ru>%EKQ#mv#yU|zngK$4hZ~)DfWrAyq(~s&c2P;Qgn-hI6^bbNvaFy z77rUz%NJOKD*iY2mpA++f~u{}5+Yf@hJPLY&(!)Bu?tU@>+P$sp0`QRG3ys70EWAB z02P7r(Ard1_h@>L;L*nIdXt_UZ++(x0ca#Q7dTefVdlnrFsYx&_kP-Eu+u!e=Owq(vH2yxIHY! zGV;H>*zSj(eF1M?|10-S`zwQxGjT!P(T`vFYYu8PAd^;Bmj4G8)(S6ms-1=d|NrsI;&C%g{pEmX-{Y36vtc`6P1A2NOgM}9$>kuJX9p!ZYHbdrbI6GiYmX$u_XI3phtOP1~qn5BG zV}_e_yDEW54(2bTVYI%XiB9<_3ClNAPf-&{9m^*|(`_ovroF#jgm5g)eCNoz(#3zo z1>`8atLJH48R{Y_xvThZO$(5D%V|*$Dlmy>U=re>yn%K)(xu*QHn7Ka#c^uI@>oL~ zwYpbQ-*IBJt^Tom_xS#enp$rJUnx>fr|O)2b*vQ{$1Yk&uzwOqo((zyWD%p z$29?5q>82>A^FmVi!fC_WL;b{jyRLvzay4rz^(7fzSy`f{qu^k5Y6Q-NMr&P7=d2H zrim9)HJa5$1!Y-1_zO{2%M86yTAjGmm&~}79%T$BFO3@}j`f;0crLleF=ORk|M0;# z>_pVaftuy{^7XSett@y)t0A)Wvsh>qSaQ0|23E;<-*?q9>voV^?N)!V2=yYS*?B?q zpoA1DxD0CM2So8S=pMV9m~6*xWT9C|rmAX25-C6}SuWV}*smA~UX5Yc;{d_6ex$)E z-YRRT(OORA&zZ1tq*9T=4=2l%eQh2ZONW}j23Yk+0odh@%7jBV z5QO7YH4N!$&BUUuERnv~BOLBvBmm0dGp!>@)c0Ul%J}Pl0Qi8a)Gj0~O{i@2ucUvT ztRs$Lu~Zflos>zTYQPmS(P>jnDu#l6_{2*>Nk@@PA?syu))e3I&ZAhC_vmI?c?k-` z#nDMe%gM-jY*|vIb)CGhq@|=0;iI-Y2(>0l`U!UKJAAyE1wt2s21B!D(EykYfm}Tj zgh_O%;*(HL5BooDOSBQ<0C_YUL(mZzLQlEv!wcQx{>xJzr9HFH8jr++pGKckM-STp z{`7E9Q&|!}z5bfgXbON0$m1!;Ycm?8_d{tY%aT}V{Y|aFMITfsmgbq|8cWl;xtjoE z!c#4|+EzlIr+_+-Pa@$osuXSx9l=1wOs=0EQ!AZAN~laikT;i1_NcOgQe3j9Q>#~u 
zo)(R9pMMnvJc=h!KcH#q{7es`>~9iZ3JX^<@{$IlPd!Ey2H+UkY8ID?8=Iiqq3$?s zmERQmDVprDO^Lxr9YZcoxC+SCYQ;sZgV83IPc$E3J~ zT*NS7xS#rz_24HvuWI#HhH5**f&;A=@$5@_RvzwQx?#?LmlqUE=9q&2WZz1VFWp7t zXT#FXH1Ay?DDL~80Os%lgI@pXml=O*fZe7ZGv_05=Mi@3diRE2Y~@3b zfcFJR^5nqz%JY13t6Gu!rnEozig742MQA-(+pQMPduF>r=BexLQ*Banqw6Gjt3K4W zZTg=O@T1O|Nn9i6-9yb8@(t{~dF_e&A_F={p4iXev=~_JJrA1q-rs++H{jIVeGIYr zv7){2&DAyE_Rj3Hw1jyG9CJA{(IqNM?LdOQE7(c6EJw}W!OOTcfx8uSU6Y$z$t>H@ZeUb3OwdibVhf_|mSlH?2AjK=LbkXy| z_I4>V`(x1etzCn`SGS-qsh6@=eRO zP)|AbylI>!_KCJs&$aK-&DZCsYV8H`xf8k29bF>pbF<)-(z}zz&ur1yUa+~ZCMO3n zyY5&@!cnICdY%Q5$?^Q#X(i&)K!0Lt7hBs9=Uc9exnrRLal>TRk4FcCuD!5R0egE^ zKfhp!g0oZuEQQ0%w!JK#w+)YDyhqM-Uu=WlEelUN*HkqZ)k{q(SOe;-ne912LT%^d z&hahkT;F)UrmLaBR7`x1kJ8voN&Zh+*jVc>Cj-@8`tQfLK);SLD+M<5PuKTcl(R1w z*dD0mKSrq&q;}|Q87!)=^Ct15Ud*Yi{Z52$qhCkD96`BPWuUw-t8&iZx-%l$SLUVu z>bbsF+^qN_>rGTJtG`;=dt_gI5DwNz(wi>6N1&C2{i#yV|C!&Jlg^G@YOFea&x}_@ zC2!DphQ--P-F=a+m_S`THy8Fj2g)}GCn=I*EJiRHIe9KDDX%%5xdvGJJ5Pq>iu``VMEf@ZjQVF3f%=1@0* ztrA{FwKC0S(=onZ+(Rt83cHR5#F2EXQEW8v^phqy$!4*RAePBbbqxM`rklfc9QpS zi&NH=5!V;TYDC9u%}E?`uG;0GxgHkS;iu4OpQ=d}5B5=LpBj>AwpxDrj)K4hbsDnx zpXtk=wM+Fwq^k2|Y;qJnlQQhqMH)!5U^~Np1=tp>d^dILiow}|!|oVnNp`cWJfo;m zMOU+q+CRNcT#g+@S(9ctnEup~j@BK+)jB8H_2BaHjen~;DNcp$h@qKJped+i&&!`a zmV{>;%_Q%dqh(3vJ^RNxfe)^Gj%$~-8;D1{ln2iiVlSaTMsZD&ghg|kA{?t*S z-TOlFzc9W{b;@#qw)~4cS3nXy^(*;=cZ~Y5(>@e@CoswvzdeH=h$qRd$QocP zrK>v$&|JA#d>{QY9M|L}C(FiN#qE;$Qj%4pkO4OP4?>m|kp$Xr?qN%IHSbAQE zRC0hX#a3C`o-^3o3ehjd3qSBc&6Y4B-!L2})=OY%GJ?ZSSDcUooe^$G8SGJlz4m}$ zGUEnJFHt61KZ{Y5W=~MpcN)h#MK>!|F9`a}0#QsbT$Of5avw9Du}ySg zemtf$KltY(%eWF6ntl+{4d+&mf~P`t%}^_URq#w}HI0OOsRmgOHH`>dWjC^3_MW41 zSw(A*v=eWcp53s`)SKOAzruo184`uq$_qFfs^&3^6-UNl$N|iP_GpWi8yB)o>#T(DH(<^4(W}07}uQo-{NlHJ(cGTdi#JC zJA6b!Bkh*{;5sLMhs{BGhZQR&%n<$w@xl9f*RW^(q`xBoTqoQmc1FBh<}u&6A*3U$ z|M<67`A~Sq7wl~RHn(B!-?+dR+Ub7dH|AISws{=%N?T*=HW0J5cDG?$10CZn1H6d> zq!XLf@c05k^e`> zM9nn=%^w?pmi4A}Sb@U@S3A6k3<5cU`px2v-0Jr=fL;4H&!bfxbssmwtWC50CWGxQ 
z|I>i2pTxpL>#auj9odZCpGVe&K7Gca)wNO^7tm{*Q#5V~v!(8pB%srvySrp`Vgj2^ zi6*~OLI2MMLjS*)o+gjUI=bDs?H4f(DBUlMi1wT{3fFYi9WNqN5PZeN{MW&`x$W0g zJ1ksXABBk3E&pk&B%firt^>B{{r|vpu_((vkUmb24sX^4 z(DCy-^fou$GVphIs4ZGwJ1Qx>(t8b$%#xWBPR;&8m%VX4pX@}wKbL)bn0LEnEoErz zXL4KiEQYkA%9888Ubh?S;^DCwSy;^B(7sDn^KW_(In(PL9t^$zBjfKhFiL0Z@S|&q z#-8wVn3MSHSL}P7t6=urPHnMw?N^FLg!OmXH_`yrzE4+H#dn-i0b z%WHYrgs?35Bt=putfuTQYg5=g(kPdN_@DhgkSCtP2>aA<45#d>0qGfldG2;q8^=Ao zB~%f2(#FGBE>Ls53t6rG)92;C`ZNZ;ia2J&D269u zsEfbo4aFUkXo*=-PKZ4{QAtF;P|FWzX_C5Z@6ZW@=4m&308@GWxgq?54BhaP{O zL`||6vklfvR>^{kc^sr5#Qd z+zhaFd>aXI!BmnOthI2bUhvMlc|XI|WVllaUHcIz5gYe*rE4fg1yS!EDJo`^vce=V zLnfRBPxqZ@JZDiF&0sOE}`8Gi@%lXn(%b1 ztov;;>gdQ#DS}|rc5kv@&uo%9!V>onJ#cD4<~8lYOhQVT5TnTn?$dtBpN*kmJ>w>K z>VxX_f5Pj38fzLmBoLp@Zw*2_v54g#B43Is&K|7v(aMzl zBbr@RR-*Z^#UUwN(u=oq)I%`fL=T>YBwW|}$)lsk%8UXe4z%}y${NP|HtVKuQgt$kZBE_PJdjUbf0X>Z+mqJ+-LS@D44U z)DBUZnLVE1QK7+TFcN*k6_#NOPQscJfzNOHP zTL-g(srbL9i2r-_+P(0bVBkmwl>YMh)H2(3EQCTYrTCwWN+G7mEUf&MQLp{4iA@Br ziIFHJksyEFTE9%4q~`DgU$m~{)SA}f6gVX>m9<{VT_<*FOFKQ7>QhombMO7^d)guS{OY zaLF51C`_)}OufnL=IWlLz4_~FTTQ;ay-$O-%eMGipCjFEoG)0f>>RF3VD}l*z|8>a#J3kSoY~5y?-6uFxJN6wPPVj3I@-G&-FIRpz+$|os*CsAy1<31r z+`s2`g^XE)Jbe1qAE_ci``*M|ZKs@LLJd1;-s>yp>!#gATfW9<ik6&vR`3!QZqgSMND4dm6U*FN5wh3=R-{miV1UaYKok zpXqA&>*u7W(qpHrHavehebD)}92>TfW)k^MW}n^GW_VtbJ3h{bkuy_ooh{XDq~N|2s-Yo2487PXOqPoIceu_tjEwJ}`p)jvhhj zI$=}^E9{&fzV8bkN4b}vJH2~iRWk-rM#P(YPyLTlL8i~dGL2~>q3Th;=$r5D)evSy zEBTVY24bpdAV&E-SEP2sgCxs>^{2|B{=pfm&<~n7h*DkSimS9X3y4!i@m+?Az)~O4 z7n9E0>ayO&m$)J+FdQj%CD%sanvX|y3WBR?jKof9m zNlMKH2dH`4Sg$2539+&WQU{+lLzmIS$^+MJsBE7H<6y-0ORl?^PL z`iaUY33?zX$F_VzDY36ypEr|(7j=vJxcTe5G;)igC<*}ol_GpRQkyl_1y6n`Av}UoKR)k?vSq9OUh|IUMYsE>Iln%pIK{<*kbIwlb=@-X5tCT-Cfr&>7 zMlN}A_M(tNh^rek+-}AsddqE@rppoU-Ws2I(9`+d31-z|QMPm`eB~P*4ti3-bVMPn z6`%RMa9+NtVy;yTl+uON!pYjfg=$xhCG(FlCbfnPBg!#FGWx%cqZfu+;0nVqDnEi? 
zl2BeX*`bm|d5w7IxKM?)gfnml&i8k3`e%#1;{Q}GGZh`n4^bib(7Vpj&PTfjDZ;$M z*}ulj5J6V*)%}R>DFjCrS1c{Xn)$|dDq*TAe-EF22#IwoE3{*-(g#y5O;`mXmTooe zeDiou3RNON%|sfWB6DzTxveMpTRw?dCU9zooSIWx)?j4xK$Hn53X!I6D`VLc86)iV zzITbW5B%p`kd~D?(o9B7SaiZ)oDu%HSy0PacXX>TfU|-BS?@8|Gu`g4}G z3;Fz5R*>BGQa=l%e^CAEGAj3D&o=1O1}vSrp`qca^Knj%GWhdb^4WT_Gxp(a*)A2^ zbxAHYWmO#(OS!^P+#Qe!ezU~N|XV(Al0!pqo)9@=6W z*xdk+AeqiVJ|enO)Un|d4tBVNoiKAYplp{`be>Y-qQg3oiis>vbFX7DK3!{8RgVj! z5*HXetpkVnWQ3%b7v-H+?aWCmLO~)OmJ=p`wecE4Z90vgHsv+Xe$TdD6iT{oGp8KH z*~iZ|&i3C0M2bA9Wb}DU{LBU-&HH~_$D3^zGYp`Q&)^-5h=S|;C5>xhBfooMw9wxW z|D(~QO>>vsTimPlO$+fSn+zHix|9P?1zd(S$`tk>x+`j7GW4<`cUN4-%0_ z#qTTlS_lL(P`|iKNa{n3kLyedAy~z>L0O|y;P3nUO#jZFd@fy|_-l^Z&JLs!r&@Ba zI&!a`!V+6}+!_xv7hTEUhTTzk?-CeLRuI;#6JL1efU(}&+aJ}-=RSLUd>^k90Kb)P zpQAQx-DjBCao_Vu9fS5+2f)7u4Nzm}C})io6TRy-XIp73NwoXY$3z5IZp)fAB9k@{ zG;#Lw@l*&jw&(37*WU8?d3whToq%k*()FER(^=nIxfqziKY~FaT=3h!-s5cdUNDaJ zGirLP#vu$Mayd-B1VVQ19W?p(5;oEJ=Z9`d&p+RiP5N3 zz7e@$xplj~PK5(vJ%G=H@4~fHZaZCLWG%m#m^y^Ms2sWWO6FDmmnx-#Pil9tR9$V4 z(Q8$YgKdDXk*e66o!eXCoVmKd`%BHFude>l>H(9F6Rt^gc8<>@?e2}(lKmM~%@mz_ zx8L~F5F!(S-Sc^|d2?6807q!2E2+b?>ru|bKliT{5zV_cV#bcW#15aEK?DBBWn=|C zr)xQHb5K!^4-ho|XdTeudsQ7BBj|A<&@=MB)|}pbN@{x1?CE{pID0q-ebzZ0Qoa6m zcxB^sx$wynD|5CEoU8NRV%2n*)Tl!JKTLh|f1P3bWYe%=8#PvA+i7guXq*!@c23O3 zwr$(CZQIs4n|JrS`|dCE7d)S5?(3SFYaB+a=I~$Ey%uDVHSC^5pBMO(pYkHMyx6?1 zzWr=m3auF%>++v+H9GSGCbnJ#Z?(LJdw-nvZX#U1Km6+B;}}pIiy+{>R$oi}=T^{S zdl1>X$aCCnyHvU6T216JxGnHex(FV_$>TRny5)9r>?(OjU1 zR&n#K#8GohKlvpA{IvDp?PB<8-{ds;C`qUF4IM zZqCyvgIJ><3wJX)kiE`i42MP3RqjaAXkl_QG8V-)Cr+{{+^v>7MqMUOrryUwc2?SW z+3LX)DWfZ}9YH_t(7Z;Caq_~@f)=D4z7T&KGA&FLVO`_CP=Z3x3-R?I636}xV~G5D9#Ik>{DkN-{n_T?^% z4Cg;oE?o%mY&^h$ zn%-BBb#-tPiH)?&%$y;~^=+DtNTOuzL;zxGj>OUL!Jqg_%d0dF3#p5Xl~#H|!GZTH zLM~}T*{@cu{ps0a+WWIVi1J@LF#O1*%EctHE%#-pI5L8WLdvu(;1llLmL1bN3o%wT zI+H5}om5T>kx;^AStCqB+Nr;!>kpB0MkKUV&pXcOtw>HFqW`L$|8(A0ipZO0dW~J> zhj_=3tt~4gy#UVhi#if%XY8B44WsK)ihJwY&3}nxLTd7m@x}h9$VQo;28B9D#ys%D 
zA4kUjSBGMH%SfxL)&ys$2(srWEO&%=t6(zn8aeos|5m}Ym9PP%{o)1Q(a^e>7M>O_QL=lu9@|*q&vAfk6g=aw+Gry? zDIyg^0qg^yl$p9tGzjigp@9^Gjwi0>8!?%XIo*=!>n`oiIO^no!RozC;F|R%<(|;k z8FV!lg7Q3tU&i|yeD(440UJD$GAB`R6IBPoeUS&nfe@cjB73ny4beqCb3s`MSvn8Q z`#-h$y#rm2S9=qhRB5^`hNR@#*juf4K$1D0r&L3ikKIZWOiUFx3; z$uz+FTdyJfj$W9vLzI^u@}k1IuI?(n$Jwzc_qb-@os3yW!ltHs#E2?=Ko1B1W808- zn|YMAn$|PY`^||rZl!HS^#hDL@G4fHAAE{A@Rs=dHuWg3;>s#(D%VL(>qI+hBLJ`c<*Jf~-|+*u3Osa_J}=$+ebL>LR(aFMfB86zqs?0b z##S#G6Wec(OKf?%=2M4929M6^11)=cCbbRTKQh?Cx3d&>&qUBPTk$+)NgPC^jrq!`}JqDXrtyjm~NYg=RH*S^yTT=VKEKpS?Knf z#8LA&URC2o1az7(bJ0B?EceCcq!M|#8L;CxIFE$iwK zdx~c0us?EhA#A_dNJ5&e(!bN*xe-mWx}U!3i$K-~zQ|TCU##A&hU-1wzEE7f47Rx( zMDiaLoRaOcPj$}m*v9E+)vf-bVDNgi*Jf)}>h!wKRXw6_TI+dCEfShI>1|NovIg>j zd(kL*)Gz+VMYrE~y!mw>bxlYnthSbbq8+l&a={-mZeMNq z9AdZ(wimtx-w-|sf0kBwgWiWSxpcTwOZR!DL@CHiDP{9tQ2u3}u*Q-F)n3BL?G%+Oc$z1qqqz%%=DHg-wC#{5XqK~MV=6@-O zW;!c0f%m4q?N#~uggc?blOYFRK=AL+p4=4fJ`&EMU^`EDDR!F*@-`q7){K5f3FmY& z-Cs+w*0t8ht>isqoQbJHBTS1}{SHq}n(IO19~**&glFtw9OqiTwhC(OfK-?Ab?len zKQX+-2nN~D*rhAcE!-k$YLzcM_jex-q8AVx?Y&m_I@zDTS zE&7#bW00`CD97Y+ae74}I%1g-ASteAxY5dUy5HTac5;8mrc?eTKo_gjD{Qt6eh7_= z0!ms2L&AwiWZFsG-}sOO0{E+i+M?dOt6HODTH3|OV@2X5& z!J%4fNw{Cm%My8R5DVk+nV{J%`yFY}kOAJAmAw!4kg@P3jVM8?RAB%}2c4bP7AuXs z^44URwaBkTb2G!a=7ZhA=~1W4Uv6IEhrD7zgwA$TL;1HTAjrixTJAQ`+R-vF(Y*PE z5UiMF3?|gP&poZS<$$oROSAmY0l1WB$vF@9)(LN)v~S?AndfLUUZ9 zHJ?u;IHR3nS}H#dDI>OQ?WF;nAnHbg&MmNVG}m$7J1lSuxF3+|9Rg-Vnt5JZwIMXK z;MmS{_r~cV60~cK=}YmRHVu&M(g~nU3FQ{wfAq7`Jo2QtsT)kqbyM<>efl|W)pOOhRAI(!~Q-Z#vcM|Vmh_4ZwpLEKj2ABH0K!}pQ#k$VPw`PBLQxsMPkgB z$Un%4}krBw=GUtPWbDtz#x@fe~_@1 z;|1YwNRV(oF}xrX)&~|y*bDO`m}Hhx2o>&C^8ILE)m@qK_bGzQeW%B3;gF7N-;W}f z_BLDZ+YJ1r=F`UT1_uJfs$ZGOU2mBln@$&cXO17*A?6|6dvV;vT{Bhao?xj{Acrb z8UM}TuQ7)*S-Gq>5JFV%Q-sIcRcp`PTNh~A|7qn;ece77v79y>VxeiX#A01 zPoX5gXinEwcdoVb?Q;OmdkdzSV~KSeFp*z<{c{!M)!1RiaS#uy_qv&=&&RpCU&0}$ z5B7D5)z#Z_TX>KI%`i=QJE)LuF4}k>#~`SILAXno-qRDfYBoBcv*UDqu=yDOJs|_M z!C6?9mr&> z+v5Z2&9e7sFX8XHCzmd}VY~;?lDfq)4yj3@^ZKRj2|`}ONnG3X9zuN{@Wb1o?)B#7 
zbXMZZUbk#mq*GbT6hhZh&|+V3&RLaff4gc_`@ww6-Q84ml;>NsdK7EWRmB1oT2)1? zH8j6taP=d4#JCtZA4(_W2*yy@B|Y zO?Lke>)vFw@4#h5C8xh5zC{@>SErkYGT*%nJ^g0_KDs;RFYcX9#v87-8kRogulQtJ zo@;k%*7;biAeucDzuL#xrKmO2~Zw!}?UQS|=l^u(-ovnS%~bI&)&Jf<=)%8LG)BcwzCgl&_mu zt=?!Ba@X0GEvnR8$RD(fC&w~n6YTbM%v;szemX3;N*rs{O}}PnNVEAS+iD?6?3lV+ z2&~Y{A`Hfns)edlah`Mt4WM%LYWLZ>{v||e^|s~#S|N+fMyYZVvD2LCSe?|Wrs9ir zFkp3FVN0 z-S{%5s*IgD_9F*!FsFaoI^3a#atRwnFuR+3w|cu+agofEa}4F7Bz2a^|F*a~5Q7Eq z8^`IhSRBDu)#Z!XSVXf)51s43doAYl(XXk~PpB>HwDAt5AryUy$c16s{m1ZX1XSp_ zCxQXUc!}4waTah+g|d#(_z%QGI7EBv#UYS7XyyNE(AoR7^8A9reyj@sR&tiZ(C{-t zoZ3kC9r7YEzW-aj8qr*X`R1@1G@Zy~MMZ@~c^fD;qnb@wxlM{Nk$zXZCze$VhSlK> z=3E3555Pm#GG#nueNG&&c&}5ji2w04lYPpq9WhU4A9wKE9pT z?}|aA+XX15HU@D*mJ*wCRA-i+HNqGEa204t`8V7WvbYe3+`SClxS4)yv+^`kOZ#H5 z#8fmdAU_(jSD>XBan`NzgSwIC);QaZHU-g&Rw*I!pIh7s6jrki6AdaHZ0Txq0^qG- z-G`PmFF!we&RGa*CK^9!`=)r4B!`@xa>$4|*h#8A2|(gjkIcHAFHoqQHy=XaJf^Zm z&}UE@FG<q;w%^gLWOLqG`4_w~2wQTcBFWB&jR1_N%!=DpeBZSRsM^snJ)t6PahM71}(V>R! z(DJ{2^{m^BXZ1QyG%r%8ZW+$5DrtZ!R>H#j`6C(*t0n|GFxeW74CT_*xl}))-fm?# zu7r0dS|*Q$1iA;`U=F=U-7S~wTm2?<0L&J>G1R*Jdw{8OM64xLp7$D7SndVZg%0)H z)lkikdr#7%9CGpoq=r&iv52oUYB+{S*Kfm|p((Y!Ws-7eCG;zIo@J_qLYhCs5<;_< zr01am_5c;~Yf@x=dq_orFb&mw55aTn*?%J!2oSwWRVa-;%DL2NRK-J1%{#;EwG+Hy zDU_i*DJ>tE=CNQ6`Y3lcqeoFYGS?)`1O;NtNHrn+@xlww@?NHae-j&guWq2+i^>aB&n#Tb zpagm#u_Lal(J>8hC$52i9a!D9M@X6xl#Oyd#qs;0kD?^yR}LKF+MzzqR7;g@Dvwj` zV=fEwzqGdZWUmWsH&DgTJ{07gv$d`n2J$J_tO2h_f;w^|5L9+%Qd#>5o&JeSAI zUX{k(uJRK11BTH`QmVe@$&$KljIZ3XK_GPSucQQDbrddi-5X1a%zJ;xtyNR?7S~L> z@k4FC`j7Ogteg9uqpjwi3Y4w(`2+qQb>7p)y2Z4&<2K7%y7T8=yNW#Ws!Z9gx*ZGK z^rwcppBPQ~9B&7C2<&WAZr&wD+{2(MoBL^Ek3dVa>OXc-3Hp|NsrUak_13K z)vu1N8eRz_TTH{B9zi29U7BwVRT+N|cs6XyA1jLuGPTZ z%_7?HeUI=+uVS~4)5(EB_%8kqk3F;_wIz~D9WGw0c@M|STqJsgqwOwz$@KX~x2H&i ztn(;&0==7yBemwY_f^Pnb_A4Whl?mXFqjJrHhVeJe?tNFfCyck!CCTTAk`gQ2EAz0 z>!)zEh+4dPT2aCUaGy6hg8sm?Az3!D(~bC|j?Q_Dec^+5O%X5v+|42$OB2<~eiY(~XD?(bhPXU^nQxd_Flfn|@V|kNM=#UOooQ&tpgY1)Q(*sxc 
z25d!~E0oF%CwQl2X39>0Kx7f7U)~1Hsc&cH7?KR2-+M=3UjGFur*VlwU6QnasTX1{ zxe`cUpu)}du~DuO0Sn>H)7JTKohwzTm`uuhj{sLmEDpQejNX$FM%dEBZoIe}x_s=u zz97*re4Ud{X=>0o^qT@Cb2cygEy|B!Ec1_V3(jn^A@6bNtW5 z2pQEd2*1hMz;alliE|0ZKkVm5=9*NuWRqn_;^&MN(*NXnsJ`#qOO;w@OBPmxzB;lW-PV5sZ>Ip<;gv39mY$ zF9a73Kb)o*GFutXvg$=B>*<@66`V_yG&`kQ&Ql_w7BZ=sA5z(;hr-^fG(ZTSX|U-P z?AQmCyae$&qXpB#256TRr_Vm=M$RpeOW!&2sXwIsTTw|NVW51KpgdKYA zTswz2nm7tY`qX%u4O+(|6gtB`rfBNen#cB!3^N|~Atl-z!u z`vC*!KaOG|`eG?|lYz8&3Kg^RB# z@N`>mS{5nDH57G^C&(HSnZg#v6^s+fw=EP)lvS^0s*t;{VNhhQ1zHuW=ie?6Q0NcAQ%hnIO#(wit3-#s{WkSS5d(24~xVbFmD&-vzG8={`0zPlswBeOvW!wCO%ce-QQ(N1%DaU#`kxC=JG{CO_6irJ|P&=2?xY(>P zvS8F`zu9%h(8(_75Zv{_An%v*1&o^S#cLYI{U${>R~lC%kN)S-r@*LNNz*etOs%QY zHf=MyTm=|6!mZNJc(Bxmt>>J`e_`5|s$+xfmIr6h$hvAeX z&~4OOL)YCMm$sFY#c6z1hg#wmqOY{tYYCf+=ZC5ICJ^-P!?x3Fl=+a8{7J_m$#%nG zViGnZr-&^t_|> zyNHCY=G#tb{+2h{$2@kIw{(Y2hqqD7%%|sdvkKfQzIzW2J-72&H1J(mq&E11G-n=dNbqoR59b{%31 zq;~JwO&?r zHuS>Fcf`o+J=eAa+|P97D+$~rE?cWQYF2~Fww{Js-e1J)uM)fy*Sy}|n7g{xQ@awu z5iXdW>yi)!5%jbZ9j2!{5K9h$%>)VQYQP`l%{$REic z{ES4v<5$~)DSdEM(tFEq6mt?Nk3DhTO@*7lN!Cw zCSRq4N-zi76p<QoB(c^|Vo}MWr=&huLA+9n9Qp@HgEqlZpn}CDKC zR?+`gdH$QgP=k2tWRZEm;6brGVs*VKZZqXi-XZEq9Tnyn3TB1r3G|t2l>UqCr;%6S zEhG;L%Ci+YVyjmI{Cc$>0DT-4>Zyl(iSP_R0}d%lzH*&xQaA8?fW*^qn#$ z^~Hk2RA+445NgrPac$T*s4)C?L0!0v;8u*s{+C$yBx%~NGNIy8jIE{YC_pb#4xGAM=yahl?Q1c>dk6p$u(7ol7 z{?X%)+oo(hqcySUkQas+KZ9FFL!gZ~=!W7D;nFZDsYn@-Bu$xbnM)c~NB$W5Na;8Y zBNq$NY_TZmW}4l}A_|nUm>!l^0yOXi3zNz}5WNKP~VbQZCh&Ul$V(R3OHx|5h~kIa%DM&a{tb;V=>iWUpi$fCSsd@ zdWR#-V#s$S{_)MgGJgYc7SkM~Rtl*cWBoIcIDxJ*DQY;*rrhUiy}AGxHP@DH6C)L( zxpi;lJAEnUxS`748dGgSjWCAcJ_^ZEwuvPl_&KjKP(nr}I4t(-8?C?|suojz^yRXGpgn=A#2?xKCRA}3D5X&%3*!5aT8bFk{y1iN(Cxz&KC}Nm?nt# zyvo0KM=}6m-h=(j>bFU37_%`$Q{qEyw(Zgt_G*5O; z+34<9WpTMXcqOHc@a3{}5UFhYCxKo6?Px1Mr^}Mr*$!R@+HP-GDG*YWn+L)kYWLBd`1JU|OSktMkWMm&fLw%VjIQ zW3xzlwi2w3O38!wgWBcWls$!T!&;?vx;RE>Tb~8v`*=Y`UFGsl_Ce*xuhrK@=U-~& zKqIO2mJd3YTbc~;BhD80PQ6=Ny}JJ8>{-nF49dsuao(ZZCs_+^PxdusIJ`%edM*s| 
zY+zowU0i7)M1AxcRHY@p$-hnc7G*teL&L)J*C4MwUg(QPL$uCWprLd zJ~sNC`3$q#yz4GMuV*^m%vG5^bzBb{6e$yQUM>c^Pgz=KIhQ#~k!C2jzK6M1Fnv8| zHS0T5Z+_ixa^^eD?QqdNU;<6Hi2sJnx}zboji2(#T7O6Bjd3&^qlrw5+wJm~@efwB zc9C2A=>Mh9Z8gVWa6*U4>pHH~pRpiZdaD*?eY=|^@AmhoPHz)<#C37|=?-w8%k|3I zF!vM!fFk7YJMZ_#RikWKIxGvIEzfTbki5Ib)6KSKY+LS{)0}mXe?LDZc^AAEB^0ww z7v4i_%+xz%>MaL^XMs4ptx{eo4|06=RrsCF6G%tz=gCjr-oY>T`gdTU z8#wDe_#Di#2EHrl@7m+HiA9f?+IY1sMs^Ja?`bH>*dBlL+eAH^ zn88BqkrZB7ZJ5Vul&tQbM`$D$5`_$Lm;G)CfK)q0hJq*}Zem<$i;;_m(dts(4Yto2 z+9QButH?%pdm4bO-6J12)i=!eZ<*aDa_)j z43cNgs)kO78riz{430oI_ExlW&bhu48C@VHtseT{1^$G9~&m;umqF1e!ce8gq0e05cUMUFbil@#3{oXFk?T zd6?1q(OS=iQ??9tiG8KN+yIOda%MPKYpiRYl2eL1LUOxpmCg*sR2c{OBB@g8IMq1e zT(NCcF&$W?`bx=Lys7y7L%7T7Z!4pIRN?1kkx>|53RY?4NoJz{5LlTi4rI0r<>!mV zzvxzw;tr;?(b#o-3WreRwn zHsi(&{-m|sH(zxOLsuH3J8{u?4O^mgv3B4Qj&AT9%%iV84TFn>sN6%)Z^ILfnUL1& zW-91=*4&w}0;dhrg-A&)2_YBsxL@BxF`|SWj4OsCrM`Z-g&cW$i&VqBHk__9n(*y0 z3CjAE!M$%l{NZL1VETd8QpQ5lkE6SDere|Q_X%L4@dpQ20=`Q`TUvQ*SD)yyY zB+hL|?i5kxv8CkK5{X~$1?|e-1TkZZ(?bAA2G|;~2xTR-POjj!FEO&tt#F9`d&`n{tl2RD_t~jRb3WWgD z;JB^FhiK1Op8uXT;@y$M`HxEU)QyXGqVNa5ibA}t9J7=710)5(K3*)LNjKo!$leM; zOa3N@TR_f!!JD`D-agiNjQcpWqH;sTL}AA`cl~Fp;e;Q89Nto}Zd42w-w!$eYCTFz*eTdP ziHX3|j8~#@Sc=xEvHlN$VZZh;?f-vD`Q1lHBPQq#By30-Xv7#h$R7kI$`S<=6T=Vw zBbq7;Wpxm`0p8-R7lEfeu#?U2(k=|EI2m;V*0z@|S8`LQRrFnd5l&-!*^3yE zvb?)>fkIcEce7~yV>4+sK-UznN1c~}E1S=@W_=#}zFX!#TNX2d`%kU>HT2LlsiWyU zvFUxs455Lry=80rW+(~yiR*e7I=u6KBBR}DORrwte5+=$ePZQo%#6Qj7T!TSp&@GZ z4#8GmCn+&5PWF;_2@VA>(@uBeRUVG_ zwrqR)Cn=Q(dCm`6uCh=)IYI$CxdFoit9vpf?m-PXS(Fb?mx<;G{w$o zh>1i$#Z-+x%I^;2n}oWG)j?lV(E@$;bidXhVrjUnDPU{z28U_-n zaKF#EI!O}kHLvb zyK!Zt4(=nKR;L!O6Iv?E+$%JJ`KrtUtbu;0*$o+uN;7KaAd><`Q@PCah{zY(u^7MM zi9G%(Jf08o%4S&gi>-E_?qLz@%o<;3pj0Lk_LwJTEvSOhDYDfN(JB`tQB1w3;fr1< zvtvapi!kIXgD_ARZT_o7spO2B0!`3VnQ1hDkf@TbvIh!2@6brtpZOk5?-}mK9g#z;p&{ zteU)zJLE`z;^N@T`LrL7J(m=PsL5di3A`67_z&h3wp=n$qQ+YW<6-3kxcNl5 ze|N+$&H5ka^&`89P0x;abtW zTHdGhFU_R9nfE=phT%1R<-Z$DL~T7{C6ZR2`UJIUQJ#PWL&zy~D4~Z6ozCfMoG-r# 
z9P3u765u4GN#-8E2t_FQPen8%!W5;;omWFrvpQT?`}!_atAyz~%tn*3XH67_P$B+f zDpW{8b={JM@p70J9E&9=8vnfNN24C%9K_hl*7YaV#IC;$+q>ITGnbJysG|P6kZu)h zwlh$tvcC9y+|s@uj>a8Dl*g^i)WN+mZOTe^%=2Z>F?B&)HEY$hM*yrpy5e`$J^SbW|1hMK{w7v;PN2U>hRNAaC*yvrmio zeHZZ>$Izu&AISj^h;>`pP)|4F@;?9ZY00XnXGH6E4g z8SO?w=bd4l{2uAfeX|T%lg2LkWK9PUQAd+Az=pji{pCwP4z<<&r10$ymtXW9=53o6 zLP{@}^!ye;lNVj*^sDx_1y~#K!Q!!20ZS1_`vXzu+TcW5Xu+c4rK zQe3*O`5mb7TOA$m*g9Ws9z|^TXVE^T;i?1e8|HiI4)qs0t~#X?+a}YLpZD0C2-->q zHlBj>Y7vm#%r`f+`DznJs@~7WKyx5}9p^`je!+>XbLWSZU_HkC0hk>Zm7IAJpKUTdbtb-p&mUpJAv z*n9W*^6IC0sdHNF(&TxPf78LRu#&W;`5JCZ5J+e<+3~)VcHT89JZ0_HT~ZYA*7>}x zhVmU&(}V7A{U^$XHNO3x2hNl=5X@cmy9=jo2>vRO^w9@a?oG`^G;G*ftIctvfWV}Q z`=Oo?%mxNNE&|goz%P!U39T$R!_-T0^wun0aF4NYI(7KjjDY{|PB1CqA^*Zu7Puaj zi_vIdIyNQMQ}RPx4;4HzHJ{EWzV{U-M=JEUa#@-qNAAq!m&yoUZ4Q|bX(wD)!Zgge zlT?xVYd!MVWMoTO;Rw>>py-k(k{ksq)7OXfVL}M|nHd~=YP6W=e3fGvkzOKy6}_@# z!P)abCL9FhwHz%tl%T)r8tkB(c7RTj_}0<-egU+1NN5KGYg;iYW)< zpy7j6e~h~nLRR>p$MLGdMrF^8ffk^ZABT8&2vpI6JD7E zNymYxLhDm%{SE$%d8fpbvauo?TaHA;oZPBRJFWiZPiNMiqCi2go0!j_v5AuPGhcG< zZ6+zXR@spUStv41%}LSeGy2sxdg!`Fy+H1W9gQ)JTiUrGJb`hP?O96nTvIgWiSzCf zoZaEF2G3YSOH*FJp~c+PFH{nPV@E%acvL^Gf}v#Np-NV2^zMD5BJS}=KNV`UCo=32 z>T-ppKARduWq3`cw$y&KIlyd0UCn|Si#yfNL-L2*ud=5yA`n!+o$K&mjj1qCq+B+_w(AdWMVhao|O8J1UnAvn@^;WoCZx=LiuM= z1!z9YbfGh%RBS70z26eEmH4T*AE#_8XlajS5G-F&|$EYr>04$v;z?d za2jg)P(}sE6=GXahs9okcF3zQx93Q%mS4)X4;nhzECL^~?$Qp&)xXG@%-t){i9o!7 z9X^_TE0pIA?tN1U<^d(Olqnr5k!g1xy=?D=x> z|B4o@UCj5&0hKHhT+zkpsmt~pb}$y~;dnX-Ay0%OV%fu2}i$)e}s!540Ze7=?~H0{`4R}Ba=gp0pc3rxO` zZK8vjK9a2hMv5`CS{*w1P1G{*!>=lv17D|ROhHYZI+sp(;%UaPj^iXOMU0lS6N)sL zh`e}>(7h62wM-^T-=T$wb?o}svr!gu)F{%VDv7ttWAEQJ&r%vP{|hV6Zvua5KRy#! 
zhW{sl^*S|{rq|N*Nv0BE{R&Xz{FAS?C%{|6+fU;kC6pqT$S&h;=pvA3+b==Bx03Td zhvCe&lgYNKEV1iKQ$oAI=$voe>;7Fk2Gnn|9|_~d(lW`#sP5_zyg7oxD^Glt!5-Ch zIAYL4Fxm2q{MP09B;??4EqmC*z=~;gH|UX3VcSWzskl1{W5i?x~&Lf~_R!~crtn?uq41w!bU(J=^9%17K* zxXSkm`5OZR#HLX%0(Pg%6rsaXtBbC_=I_m+qj%G*kL6$56o50lDzDbH!f;pH_e_4L zL%u+ysnr*khlQ)Ii}|c8ZikZu)2fCwExAM2s%Oid7O9Pkqt*OkKx3{IPVhnz&a+l|#V1~x`3qr5jSl3PX zJLa(!^(yy!wh1#1&6}T=y!-U8GwE()dbMXK>N=o#3qmrRjyG0p-Esl^>hpp<3LEaT z!t0nUyi}mglJX=isO-b6uWqMboF_x7r%TIlYomoHa^0i({>9R!GZQ#9$g;H+vuuB} z_LJ}6o-I=EAWyUCP1=^omg|lJc`M< z>vi))sDFPs%kyLlW@A6{Jz71^9IN=d@-Qza|1v|ZE_KGcwZXowKm5oK+KYQ@2a!CS zQ>1}j&v{&UZy)%(yv|-xHa=7?=wHPoH_lMfu3mRm_&FA}+QH1;^AxjtO%tw1RX0H5 zaxnV__<{!;{12R6ATZcj$T=f)&Tpub-nHXDP;$}7@kn?>^9J@L{GcGSxO4D%E*aC? zezhHdzR4P$#xgJ!wkk>w$|!-M|B{elqi}VK#B2&bDR;ues>#EOCwL(i$Rl;zT8^IKdYs z6HaUJVQN`FaaN0^pPg}fc#yLG{zE2`?1Uj}UjEadSCVjv#iuRxQj)!JFrInIjolFG z-jJ#s_D^IXa5doH)45|h=D2%R5SelInk-qzS2jchG;)8{!CZafQmKZi@DH2q0UL_w zFvC{;2u_hB3Z&G7RFkc#7B}ADe>@Lx(YfuVz0ynN}NR5Y}JmLB4pV(5?^=?X^hNuo!bTty!{o5YA_ zio3B25h9XTogBHzAUmQ+FkJ0nxNkXNqIj(;8fSZs%MOmrnDiG`ND|yD8fF3U8L$n6 z+Z)biz6$J|0@V?XO#ok`nu$Ju&w6cG=&RVX2|g;7vEOfqu7BzvZ*==8%ps57aM__Aikko0WPMzM6l0{@d2_Xb699ruvAhLt8qa;3(7gp2GRSX4?WvOo{Gt(V9T^sSc94dP=nEp z1xPkXU`)j+dMf&i^)Q1vyw&05regVj>~mR9!aL3Ee{r05e`W$dt`~gL-A{g3wDgV?`fBfrK z%5Ut?eiRih?w25xQxu>OUsdpkU3DfmwP5L|2$m2zwtx_CIDXp7Duy{2GC{%0wl0)zoqxw_JQO{<*Ywe3CamBsvVwOji<|BDUb zvcKbA+`*qieQ1^2k|fi8Dth?%)BQD{KHa0v?qRRFsg*a-&7n<4x#Q-f&ng?)#RGRV%j1r+pa(9;WfO9HN2I+ z^9n*m=kZMaz2dpWPVia|B+Kaqo#CtMn6}(nadFzIYSkj~GtS?^r*Yl?{n~zzO{4ne zMvmaq8mXrQxQBF{LE-Hvuuo4KUsBlc}(kb;9kG$z|aX+{q<6pGMWc82d;jn zgqTgVALrgK&R1!?Z*Qm4CqBWx#^PMssyo`OZI+DQKM(j!DubVSz&tJtA3OVpyu0uWB=G-xg zl0F}qZ1^rOXYjN-T=cdMWh}eKcKzojhqpZE>FOC?PO@5eqMom!w`M*;A5KS8t!h94 z9kck6I&Mae7G_s$uhBrq#c6czgHDlbzN0EOhQM|WdjC)3DWc~|E=;~d*Q+rh?{rsw z8~6sDi}fzMOm3Amyup^v>?*#T>W70Yh%2#uh>h7gp5U0 zA&*n$CzJZu-3s(H0%kuwPxf5_s`{P*}zK1%-n`4RE#Uh2H*) zW1)QtZ#C@g8GVR}5`oT>tz{ydtz8oOUOLU%?R3sI$J&<+Nu_I`FYHmKnr%L*ksiT} 
z$+0A#ZIb5qTWqVr{qY6le%$4O*ji z{+U47W%PxR4x1jBk6g`o|G2C8^S4~@{hC}`%=o@Co!Q~1 zWj#(L)hfqNM^ZudF^V;zwWSBYqemXD*h`94(~1=++GSysMchhs-aaW|(JB3P{6v!u zy>B(YaFHF>uwT_E#!rL2H&0C%bhT13)H-^pL%IHRMj9a5#zrh^zTXv-)TX3eMzq+p zE$e|+SskTHNFiPcH3lop$!4*(ubD4T-~VcJ2+)xOO64VV{gHZ~#`wB#Gzo&K1k$e9 zf1kl>F<*dIv3!`JSG(rXA3t~P($Vi zvB|Lln8lkda;4z82}2BZe>DD?LoFE%VTI~gJ)|WUk=~STSG95+N|hvC`e5%X&}|}D zD#oWgflK(UAg~j$*LYDX3Kqf^j3^?lMOnORm=)n!`A1*dJtv@%UR!QeUjr+@h+XeQ znrl0NTy|1QsX;K$Qu#Ir9o1K$OT&hY`SGVDI6XSDG?j@!LEMO_A}<4l7RvmkqeSFJ zhFLLl$b8weFurQs-?1Gmc`Oj`UO0ZevrM`JEwcEO5$)tgF1Hd?*7ONPi9}hcnt8Mc z{^7ug83q|%3c4$a+Kr2Ws~E#O_Ux$s!nv~}4fYNF zJ)S~|cS-D8K&v&kqD+(jhA##L%)hmPb3R4Wz^?dPBjD=o5X%$r`CSHCnhXh5pvLBV zcIO=eNQ40b6f253SQyM9y|el-IhrMF5qDo-O}Ad;J8!{anUB|EHo<$9H@*t@0A39Z zy1ehgsPK3luwCPOte1Hlb@n4j;yVwy;qbcL7vXGjK63!x4$m;MPi@rr9y>R)HID1= zqgp&RwO0HYR*b^`BBXy##ZmCK9)n=oTtms)4%m} zja%Ct$f$51tyDH;e|{Y`SK2OkAXq;v1%)>`Z<-FmCGotJ7E$082g&#@ZU4U=zAEEL+0>rk^grvaZG$I`E4l3(_X z5(rus5B@;cz4`j4-PC*bLGPL?F>afh{YnI98)SS}*F^w*1a@_rdh>g~ta}c10t~cEK~xZl8&C`#R&6=BMCUSs}jKe%KdZZ||_p=WJPc zcE=0Bgr`J#N98LZQO;b-JrsndMG93Hzq@Iu91F`1E&Q9H*q4kM9iKVvrIM$`3n zmNq@%wt?Sua6OLe_`rwLU8DZBmz>XHt!ne!o7jHgxW~s(ZGZC3vESRqI}FP{=~KWD z>mk5CK!24HdYc=F1yjNIs1!_A`2t`+_)7l|%@Q2H9|P{+ziewu+;j2V-bb!3x%7qq$ogv0oWoLXN0KV~}pC=wmxo@wt!_UAbu`ygZtP zQ3Hp$fj~D`PI%B-B?#5_Rg;3ZNyUso)wcCLlp@(*H*@n-*{ts!6PCqO*be0`+;}iw z^nUiAb+*MA#7X`61-}Z)nd5C5PtAElA0lFX|6$c!J_;55m@{{xM3o5B{zE3cxGC7A zw4d+o#{AQ4#E%j%o+9?c;^DoJzC;NMU1}eSg9w%xjwnUZ3#_ajS2~5QNklD24@1-W z4>TQ2o{*54D;jZCsu>EQU~xEtLI4@oPrWP(oH8YbljduAQ_e*2Y#Ggcca zE`(s){=2n(VpCKK%id$VQCvMpMClNDurq;6O`*Ry8HLdznZg8P4`Hb2wvpONlr&i7 z>a-)jvUX5v@COW1K{I2wIBFDOeuAT~njv-p5hn!I zXe*PBS4elJW3&G)<}O;BFnMS(iT+8gAuZs}CpeIh({P|pE#z48MR_UKNU8DF|`;~{G!rX(^P+a%}3dDF^cIv;V1bt$e$d)Ceq1$CZg!fipi4TVU zJ^Rp&PQ3oB&pGX_1CYPl=d1qD_~iD73I7`~L>2G6&p12>_mA&}dY$m2EZHSver}v! 
zklbG!SR+3RDrnrL``^MTc1t~l@YgGkIpl)!5-=`g$u%3TPGE(J$)T zeZ=%fMnC5XktNOB10lB8WD8VISdc@N~LWCF3xQRPlf%@z=hact= zWM%zw8Z%+`%q19;bquwS!o$tw{`i?WcpRwru23W^`ptX)%wTpbWKk&>3F%I5O$%mO zW1G2N^-)JXxoMgqep8+qsQ2vsOs)DYDu8>G`2&xzjv7wn5ecC|sxpH_-j@f>_3I3f z*Ym1#3@ByzFfmsS!Uz4#2g=H^52io9-gl7(IjIC-cRKo*mqx;LW*8V3CuyqO;-EBW z1m^;u814H4LVZ(NJ^oHMX$ZFROxY_nYY2?#aacdGP;ui}aAin?W@OVSQq}>e6T)BB zx5I*qaxCoYN@%pDFrTSUqmbN5=ZA#`hjUg~+9U0>#GD7#eq79A%CeUEai27YI?vof zjyk45s?7bmSi1C-+bz^y z2Z17J?{S7GvIiLn=~CNyfN&WHXLPE=E z4a-2fIqWSJLM7&7)G|AXp=#+Eh_I7Zb~<~G8ED%7!W)277j_Us9Ozs8P0r!}A!ny$ z4HtFD4~SqU*j_@AH}EfihKR4feZQj+ZJA%cX?edhx#ekOs>r(S!0}_`?a49 zLDNc&I##0rQhRAGt-AV8Wq02fPIu#`a4>z>(gn&H1P#X5huaTzyGo6$PUo4qoD1Xk zj8E4EP;wi5Y43*3@pV4$$X7!aZHHKc=I6}& zllJCH`=LD!;L}}z<7A)=U;8iw0YlSE`5XIL+>5h@iS}rB&7G7-hv&|%$&z;8vgdIa zne}zGjpJ2r)25Zk%NfNHDS^f@^wHkZ76HKhEcJs;gYIo5?cL`6^vH(KZD6RLAQI!e zi|0JlilgOh%FO~u&Q$HaW_S1ZEYxGm!Dja@_*m0%Y?8$}%k37K;pytwgeJJMLvlo$ z*JWO2`$gqlrs4i=Is0uV_W08KM7Ns*-qWWO?iQkY%^(yH!OgN}C{N)%#BCAnI&GQL zDtWqRNaLJGh{y3{w>hhQwc1*>qvo&KsMMA=`Rz+12by>5N;Q^V_1;@EzUu2d_wm+m zk8&Iwhb3Phk1@IStfx`#cI}&8?%-?Zb+bZyV;1Yf{Z}CZkn;7%<0EPB&y2()+juGO zk9dfsZsRG7W`7#Xx!=2rz>jx6Rfq9?8Njoz^;;EaR=d$PTkDnt%XYH1yYuTlA7)3> zz$AA&M2FpMQ+LNz5?xiu5q)hLUzhdZm-?8sOk#EWNB=`81Mp?xQM+>=&;#oH%IYz4i!bhLR?!%L2`4 zLx6^+8+pNawUX4ac&S|9lfrg@*jpv?$$8j*M@qB%IK=W7Ct1E5v|xtI-#)(=Bv z?&6Z@iUydr%^{G|^HIfqI(G1xHcHe&{KZyp)&ft|06%uf?U!2(n05TrBVx$S`?DrS z9cn^Ho3>LKJ9+@iK>DVZQ_aY8$fyn%AVk$O^o!k^^VC|NbSKUXZOyO$Q8GkYN}Ncb zSC;S4Y%|LY%vF5`a&7J>qee`3CeZMPG0!kp2W3XH>?C@lP3P(`pH!aCpi0X;s6&-} zPG7sCX)TG-9zt19R&pGUn_1mh6P%Sbj4<3EJ1|XrDIZ>l%Nb?#gg792ku@WXcEb#l zinyxOb?Ln1HYdPtV}ZQ3*bE(T0($D)c;3=tbrc)p-;&bHTuJo(ImA~iq^lRrN@Bc?W{-$8xH=wRm)&q_{@oEP>fQY*WXO^3o%ola0Wad+N>^XOLIjcj6YR*yUN9m& z^A}Z`m85T-=pvLPL2fK`yy1II#uI;z>6+Py@dfMEv3PHYlpI=cl!EXm=8kf)xtXrQ z10$b5E6rR9ViMZ#iQ~{LNpkRtB|^}Dg)DUKDC)#|C7%9E?t&z<0XMk)tA*|)@vwh} zr^qhU{Sgyd5=7xIi^|9*yNZSH7Lt&`WMdmgVrQ7)o0UH1*VM$w1ZL3KY!yY2W5h6 
zl_(juCDa6~XP#k@R?w6DkgxP`=N0U)(de6rSm_lOhZKrTI+PirTV*+8MGvcV+?K`; zY%nWy3K~(uo3na~549Epy(z#*gv>Y?60BR8U_LR;s5M|sd$W{7QlP6dAQ2GnPoUgx zFawxG}56NA&G_d2fY#8-N?>sK&=b=#(ekM~u*Td0ugo1cY` z(<2mw1w{rc%JzE+0!FvP3zY3XUaHXZn!ya9xnrV&G~SD@esW17+i7NY8aHa9{h;;z zD*CGRJwEk$!*hWonLt_n{+1?>&PMIK&l^J